- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
by Ziyang Xuan 30 May '24

30 May '24

From: Sungwoo Kim <iam(a)sung-woo.kim> mainline inclusion from mainline-v6.9 commit 4d7b41c0e43995b0e992b9f8903109275744b658 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RMPS CVE: CVE-2024-36013 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); ... (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del ┌ mutex_lock(&conn->chan_lock); │ foreach chan in conn->chan_l: ... (2) │ l2cap_chan_put(chan); │ l2cap_chan_destroy │ kfree(chan) ... (3) <- chan freed └ mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311 Fixes: 73ffa904b782 ("Bluetooth: Move conf_{req,rsp} stuff to struct l2cap_chan") Signed-off-by: Sungwoo Kim <iam(a)sung-woo.kim> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Conflicts: net/bluetooth/l2cap_core.c [The version does not include commit e7b02296fb40, so the return value of l2cap_connect() is still used in l2cap_create_channel_req().] Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- net/bluetooth/l2cap_core.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index cf78a48085ed..b450f1736c7b 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -4129,7 +4129,7 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, { struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; struct l2cap_conn_rsp rsp; - struct l2cap_chan *chan = NULL, *pchan; + struct l2cap_chan *chan = NULL, *pchan = NULL; int result, status = L2CAP_CS_NO_INFO; u16 dcid = 0, scid = __le16_to_cpu(req->scid); @@ -4142,7 +4142,7 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, &conn->hcon->dst, ACL_LINK); if (!pchan) { result = L2CAP_CR_BAD_PSM; - goto sendresp; + goto response; } mutex_lock(&conn->chan_lock); @@ -4230,17 +4230,15 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, } response: - l2cap_chan_unlock(pchan); - mutex_unlock(&conn->chan_lock); - l2cap_chan_put(pchan); - -sendresp: rsp.scid = cpu_to_le16(scid); rsp.dcid = cpu_to_le16(dcid); rsp.result = cpu_to_le16(result); rsp.status = cpu_to_le16(status); l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp); + if (!pchan) + return NULL; + if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) { struct l2cap_info_req info; info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); @@ -4263,6 +4261,10 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, chan->num_conf_req++; } + l2cap_chan_unlock(pchan); + mutex_unlock(&conn->chan_lock); + l2cap_chan_put(pchan); + return chan; } -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] tcp: fix page frag corruption on page fault
by Liu Jian 30 May '24

30 May '24

From: Paolo Abeni <pabeni(a)redhat.com> mainline inclusion from mainline-v5.16-rc4 commit dacb5d8875cc6cd3a553363b4d6f06760fcbe70c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9S257 CVE: CVE-2021-47544 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- Steffen reported a TCP stream corruption for HTTP requests served by the apache web-server using a cifs mount-point and memory mapping the relevant file. The root cause is quite similar to the one addressed by commit 20eb4f29b602 ("net: fix sk_page_frag() recursion from memory reclaim"). Here the nested access to the task page frag is caused by a page fault on the (mmapped) user-space memory buffer coming from the cifs file. The page fault handler performs an smb transaction on a different socket, inside the same process context. Since sk->sk_allaction for such socket does not prevent the usage for the task_frag, the nested allocation modify "under the hood" the page frag in use by the outer sendmsg call, corrupting the stream. The overall relevant stack trace looks like the following: httpd 78268 [001] 3461630.850950: probe:tcp_sendmsg_locked: ffffffff91461d91 tcp_sendmsg_locked+0x1 ffffffff91462b57 tcp_sendmsg+0x27 ffffffff9139814e sock_sendmsg+0x3e ffffffffc06dfe1d smb_send_kvec+0x28 [...] ffffffffc06cfaf8 cifs_readpages+0x213 ffffffff90e83c4b read_pages+0x6b ffffffff90e83f31 __do_page_cache_readahead+0x1c1 ffffffff90e79e98 filemap_fault+0x788 ffffffff90eb0458 __do_fault+0x38 ffffffff90eb5280 do_fault+0x1a0 ffffffff90eb7c84 __handle_mm_fault+0x4d4 ffffffff90eb8093 handle_mm_fault+0xc3 ffffffff90c74f6d __do_page_fault+0x1ed ffffffff90c75277 do_page_fault+0x37 ffffffff9160111e page_fault+0x1e ffffffff9109e7b5 copyin+0x25 ffffffff9109eb40 _copy_from_iter_full+0xe0 ffffffff91462370 tcp_sendmsg_locked+0x5e0 ffffffff91462370 tcp_sendmsg_locked+0x5e0 ffffffff91462b57 tcp_sendmsg+0x27 ffffffff9139815c sock_sendmsg+0x4c ffffffff913981f7 sock_write_iter+0x97 ffffffff90f2cc56 do_iter_readv_writev+0x156 ffffffff90f2dff0 do_iter_write+0x80 ffffffff90f2e1c3 vfs_writev+0xa3 ffffffff90f2e27c do_writev+0x5c ffffffff90c042bb do_syscall_64+0x5b ffffffff916000ad entry_SYSCALL_64_after_hwframe+0x65 The cifs filesystem rightfully sets sk_allocations to GFP_NOFS, we can avoid the nesting using the sk page frag for allocation lacking the __GFP_FS flag. Do not define an additional mm-helper for that, as this is strictly tied to the sk page frag usage. v1 -> v2: - use a stricted sk_page_frag() check instead of reordering the code (Eric) Reported-by: Steffen Froemer <sfroemer(a)redhat.com> Fixes: 5640f7685831 ("net: use a per task frag allocator") Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: include/net/sock.h [This is because we did not backport commit 66256e0b15bd.] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- include/net/sock.h | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/include/net/sock.h b/include/net/sock.h index a1bfb777a1af..66e9c1060b13 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -2333,16 +2333,19 @@ struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp, * @sk: socket * * Use the per task page_frag instead of the per socket one for - * optimization when we know that we're in the normal context and owns + * optimization when we know that we're in process context and own * everything that's associated with %current. * - * gfpflags_allow_blocking() isn't enough here as direct reclaim may nest - * inside other socket operations and end up recursing into sk_page_frag() - * while it's already in use. + * Both direct reclaim and page faults can nest inside other + * socket operations and end up recursing into sk_page_frag() + * while it's already in use: explicitly avoid task page_frag + * usage if the caller is potentially doing any of them. + * This assumes that page fault handlers use the GFP_NOFS flags. */ static inline struct page_frag *sk_page_frag(struct sock *sk) { - if (gfpflags_normal_context(sk->sk_allocation)) + if ((sk->sk_allocation & (__GFP_DIRECT_RECLAIM | __GFP_MEMALLOC | __GFP_FS)) == + (__GFP_DIRECT_RECLAIM | __GFP_FS)) return &current->task_frag; return &sk->sk_frag; -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP2] wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
by Zheng Yejian 30 May '24

30 May '24

From: Ping-Ke Shih <pkshih(a)realtek.com> stable inclusion from stable-v5.10.202 commit 717de20abdcd1d4993fa450e28b8086a352620ea category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RE6D CVE: CVE-2023-52832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Fixes: 7643a2c3fcc1 ("cfg80211: move txpower wext from mac80211") Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/mac80211/cfg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index bede84209ecf..c8d2fe8fbc0a 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2728,6 +2728,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, else *dbm = sdata->vif.bss_conf.txpower; + /* INT_MIN indicates no power level was set yet */ + if (*dbm == INT_MIN) + return -EINVAL; + return 0; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
by Zheng Yejian 30 May '24

30 May '24

From: Ping-Ke Shih <pkshih(a)realtek.com> stable inclusion from stable-v5.10.202 commit 717de20abdcd1d4993fa450e28b8086a352620ea category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RE6D CVE: CVE-2023-52832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Fixes: 7643a2c3fcc1 ("cfg80211: move txpower wext from mac80211") Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/mac80211/cfg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 70126518ad16..2a62d7d91519 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2729,6 +2729,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, else *dbm = sdata->vif.bss_conf.txpower; + /* INT_MIN indicates no power level was set yet */ + if (*dbm == INT_MIN) + return -EINVAL; + return 0; } -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] soc: qcom: llcc: Handle a second device without data corruption
by Kaixiong Yu 30 May '24

30 May '24

From: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> stable inclusion from stable-v5.10.201 commit 5e5b85ea0f4bc484bfe4cc73ead51fa48d2366a0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFK0 CVE: CVE-2023-52871 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit f1a1bc8775b26345aba2be278118999e7f661d3d ] Usually there is only one llcc device. But if there were a second, even a failed probe call would modify the global drv_data pointer. So check if drv_data is valid before overwriting it. Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Fixes: a3134fb09e0b ("drivers: soc: Add LLCC driver") Link: https://lore.kernel.org/r/20230926083229.2073890-1-u.kleine-koenig@pengutro… Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/soc/qcom/llcc-slice.c Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- drivers/soc/qcom/llcc-slice.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/soc/qcom/llcc-slice.c b/drivers/soc/qcom/llcc-slice.c index 54063a31132f..3f1cac3145a4 100644 --- a/drivers/soc/qcom/llcc-slice.c +++ b/drivers/soc/qcom/llcc-slice.c @@ -283,6 +283,9 @@ int qcom_llcc_probe(struct platform_device *pdev, void __iomem *base; int ret, i; + if (!IS_ERR(drv_data)) + return -EBUSY; + drv_data = devm_kzalloc(dev, sizeof(*drv_data), GFP_KERNEL); if (!drv_data) return -ENOMEM; -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
by Zheng Yejian 30 May '24

30 May '24

From: Ping-Ke Shih <pkshih(a)realtek.com> stable inclusion from stable-v4.19.300 commit 298e767362cade639b7121ecb3cc5345b6529f62 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RE6D CVE: CVE-2023-52832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Fixes: 7643a2c3fcc1 ("cfg80211: move txpower wext from mac80211") Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/mac80211/cfg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 93c6b50be818..d384fb85b8df 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2459,6 +2459,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, else *dbm = sdata->vif.bss_conf.txpower; + /* INT_MIN indicates no power level was set yet */ + if (*dbm == INT_MIN) + return -EINVAL; + return 0; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS] wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
by Zheng Yejian 30 May '24

30 May '24

From: Ping-Ke Shih <pkshih(a)realtek.com> stable inclusion from stable-v5.10.202 commit 717de20abdcd1d4993fa450e28b8086a352620ea category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RE6D CVE: CVE-2023-52832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Fixes: 7643a2c3fcc1 ("cfg80211: move txpower wext from mac80211") Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/mac80211/cfg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index dd6f3d8b015e..aee27e4f761a 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2729,6 +2729,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, else *dbm = sdata->vif.bss_conf.txpower; + /* INT_MIN indicates no power level was set yet */ + if (*dbm == INT_MIN) + return -EINVAL; + return 0; } -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] ocfs2: fix data corruption after conversion from inline format
by Long Li 30 May '24

30 May '24

From: Jan Kara <jack(a)suse.cz> stable inclusion from stable-v4.19.213 commit a3a089c241cd49b33a8cdd7fcb37cc87a086912a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RC18 CVE: CVE-2021-47460 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- commit 5314454ea3ff6fc746eaf71b9a7ceebed52888fa upstream. Commit 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()") uncovered a latent bug in ocfs2 conversion from inline inode format to a normal inode format. The code in ocfs2_convert_inline_data_to_extents() attempts to zero out the whole cluster allocated for file data by grabbing, zeroing, and dirtying all pages covering this cluster. However these pages are beyond i_size, thus writeback code generally ignores these dirty pages and no blocks were ever actually zeroed on the disk. This oversight was fixed by commit 693c241a5f6a ("ocfs2: No need to zero pages past i_size.") for standard ocfs2 write path, inline conversion path was apparently forgotten; the commit log also has a reasoning why the zeroing actually is not needed. After commit 6dbf7bb55598, things became worse as writeback code stopped invalidating buffers on pages beyond i_size and thus these pages end up with clean PageDirty bit but with buffers attached to these pages being still dirty. So when a file is converted from inline format, then writeback triggers, and then the file is grown so that these pages become valid, the invalid dirtiness state is preserved, mark_buffer_dirty() does nothing on these pages (buffers are already dirty) but page is never written back because it is clean. So data written to these pages is lost once pages are reclaimed. Simple reproducer for the problem is: xfs_io -f -c "pwrite 0 2000" -c "pwrite 2000 2000" -c "fsync" \ -c "pwrite 4000 2000" ocfs2_file After unmounting and mounting the fs again, you can observe that end of 'ocfs2_file' has lost its contents. Fix the problem by not doing the pointless zeroing during conversion from inline format similarly as in the standard write path. [akpm(a)linux-foundation.org: fix whitespace, per Joseph] Link: https://lkml.kernel.org/r/20210930095405.21433-1-jack@suse.cz Fixes: 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()") Signed-off-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Tested-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Acked-by: Gang He <ghe(a)suse.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: "Markov, Andrey" <Markov.Andrey(a)Dell.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/ocfs2/alloc.c | 46 ++++++++++++---------------------------------- 1 file changed, 12 insertions(+), 34 deletions(-) diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c index 40842c409af1..9769114f0c5a 100644 --- a/fs/ocfs2/alloc.c +++ b/fs/ocfs2/alloc.c @@ -7048,7 +7048,7 @@ void ocfs2_set_inode_data_inline(struct inode *inode, struct ocfs2_dinode *di) int ocfs2_convert_inline_data_to_extents(struct inode *inode, struct buffer_head *di_bh) { - int ret, i, has_data, num_pages = 0; + int ret, has_data, num_pages = 0; int need_free = 0; u32 bit_off, num; handle_t *handle; @@ -7057,26 +7057,17 @@ int ocfs2_convert_inline_data_to_extents(struct inode *inode, struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data; struct ocfs2_alloc_context *data_ac = NULL; - struct page **pages = NULL; - loff_t end = osb->s_clustersize; + struct page *page = NULL; struct ocfs2_extent_tree et; int did_quota = 0; has_data = i_size_read(inode) ? 1 : 0; if (has_data) { - pages = kcalloc(ocfs2_pages_per_cluster(osb->sb), - sizeof(struct page *), GFP_NOFS); - if (pages == NULL) { - ret = -ENOMEM; - mlog_errno(ret); - return ret; - } - ret = ocfs2_reserve_clusters(osb, 1, &data_ac); if (ret) { mlog_errno(ret); - goto free_pages; + goto out; } } @@ -7096,7 +7087,8 @@ int ocfs2_convert_inline_data_to_extents(struct inode *inode, } if (has_data) { - unsigned int page_end; + unsigned int page_end = min_t(unsigned, PAGE_SIZE, + osb->s_clustersize); u64 phys; ret = dquot_alloc_space_nodirty(inode, @@ -7120,15 +7112,8 @@ int ocfs2_convert_inline_data_to_extents(struct inode *inode, */ block = phys = ocfs2_clusters_to_blocks(inode->i_sb, bit_off); - /* - * Non sparse file systems zero on extend, so no need - * to do that now. - */ - if (!ocfs2_sparse_alloc(osb) && - PAGE_SIZE < osb->s_clustersize) - end = PAGE_SIZE; - - ret = ocfs2_grab_eof_pages(inode, 0, end, pages, &num_pages); + ret = ocfs2_grab_eof_pages(inode, 0, page_end, &page, + &num_pages); if (ret) { mlog_errno(ret); need_free = 1; @@ -7139,20 +7124,15 @@ int ocfs2_convert_inline_data_to_extents(struct inode *inode, * This should populate the 1st page for us and mark * it up to date. */ - ret = ocfs2_read_inline_data(inode, pages[0], di_bh); + ret = ocfs2_read_inline_data(inode, page, di_bh); if (ret) { mlog_errno(ret); need_free = 1; goto out_unlock; } - page_end = PAGE_SIZE; - if (PAGE_SIZE > osb->s_clustersize) - page_end = osb->s_clustersize; - - for (i = 0; i < num_pages; i++) - ocfs2_map_and_dirty_page(inode, handle, 0, page_end, - pages[i], i > 0, &phys); + ocfs2_map_and_dirty_page(inode, handle, 0, page_end, page, 0, + &phys); } spin_lock(&oi->ip_lock); @@ -7183,8 +7163,8 @@ int ocfs2_convert_inline_data_to_extents(struct inode *inode, } out_unlock: - if (pages) - ocfs2_unlock_and_free_pages(pages, num_pages); + if (page) + ocfs2_unlock_and_free_pages(&page, num_pages); out_commit: if (ret < 0 && did_quota) @@ -7208,8 +7188,6 @@ int ocfs2_convert_inline_data_to_extents(struct inode *inode, out: if (data_ac) ocfs2_free_alloc_context(data_ac); -free_pages: - kfree(pages); return ret; } -- 2.39.2

2 1

[openeuler:openEuler-1.0-LTS 19767/22580] fs/cifs/transport.c:108 _cifs_mid_q_entry_release() warn: always true condition '(((midEntry->command)) >= 0) => (0-u16max >= 0)'
by kernel test robot 30 May '24

30 May '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 001f12b6928e25e5551ad2fbae86556c280757a1 commit: 28b546c67ad5b05406ea31184515152c8b0abeba [19767/22580] CIFS: Fix retry mid list corruption on reconnects config: x86_64-randconfig-161-20240530 (https://download.01.org/0day-ci/archive/20240530/202405301643.qKz6P2N2-lkp@…) compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202405301643.qKz6P2N2-lkp@intel.com/ smatch warnings: fs/cifs/transport.c:108 _cifs_mid_q_entry_release() warn: always true condition '(((midEntry->command)) >= 0) => (0-u16max >= 0)' vim +108 fs/cifs/transport.c ^1da177e4c3f415 Linus Torvalds 2005-04-16 85 696e420bb2a6624 Lars Persson 2018-06-25 86 static void _cifs_mid_q_entry_release(struct kref *refcount) 696e420bb2a6624 Lars Persson 2018-06-25 87 { 28b546c67ad5b05 Pavel Shilovsky 2022-08-27 88 struct mid_q_entry *midEntry = 28b546c67ad5b05 Pavel Shilovsky 2022-08-27 89 container_of(refcount, struct mid_q_entry, refcount); 1047abc159b4eb4 Steve French 2005-10-11 90 #ifdef CONFIG_CIFS_STATS2 2dc7e1c03316940 Pavel Shilovsky 2011-12-26 91 __le16 command = midEntry->server->vals->lock_cmd; 1047abc159b4eb4 Steve French 2005-10-11 92 unsigned long now; 1047abc159b4eb4 Steve French 2005-10-11 93 #endif 7c9421e1a9ce8d1 Pavel Shilovsky 2012-03-23 94 midEntry->mid_state = MID_FREE; 8097531a5cb55c6 Jeff Layton 2011-01-11 95 atomic_dec(&midCount); 7c9421e1a9ce8d1 Pavel Shilovsky 2012-03-23 96 if (midEntry->large_buf) ^1da177e4c3f415 Linus Torvalds 2005-04-16 97 cifs_buf_release(midEntry->resp_buf); b8643e1b5253a6a Steve French 2005-04-28 98 else b8643e1b5253a6a Steve French 2005-04-28 99 cifs_small_buf_release(midEntry->resp_buf); 1047abc159b4eb4 Steve French 2005-10-11 100 #ifdef CONFIG_CIFS_STATS2 1047abc159b4eb4 Steve French 2005-10-11 101 now = jiffies; 1047abc159b4eb4 Steve French 2005-10-11 102 /* commands taking longer than one second are indications that 1047abc159b4eb4 Steve French 2005-10-11 103 something is wrong, unless it is quite a slow link or server */ 020eec5f712ffb4 Steve French 2018-08-01 104 if (time_after(now, midEntry->when_alloc + HZ) && 020eec5f712ffb4 Steve French 2018-08-01 105 (midEntry->command != command)) { 468d677954c0d94 Steve French 2018-08-04 106 /* smb2slowcmd[NUMBER_OF_SMB2_COMMANDS] counts by command */ 468d677954c0d94 Steve French 2018-08-04 107 if ((le16_to_cpu(midEntry->command) < NUMBER_OF_SMB2_COMMANDS) && 468d677954c0d94 Steve French 2018-08-04 @108 (le16_to_cpu(midEntry->command) >= 0)) 468d677954c0d94 Steve French 2018-08-04 109 cifs_stats_inc(&midEntry->server->smb2slowcmd[le16_to_cpu(midEntry->command)]); 468d677954c0d94 Steve French 2018-08-04 110 020eec5f712ffb4 Steve French 2018-08-01 111 trace_smb3_slow_rsp(le16_to_cpu(midEntry->command), 020eec5f712ffb4 Steve French 2018-08-01 112 midEntry->mid, midEntry->pid, 020eec5f712ffb4 Steve French 2018-08-01 113 midEntry->when_sent, midEntry->when_received); 020eec5f712ffb4 Steve French 2018-08-01 114 if (cifsFYI & CIFS_TIMER) { 0b456f04bcdf5b1 Andy Shevchenko 2014-08-27 115 pr_debug(" CIFS slow rsp: cmd %d mid %llu", 1047abc159b4eb4 Steve French 2005-10-11 116 midEntry->command, midEntry->mid); 0b456f04bcdf5b1 Andy Shevchenko 2014-08-27 117 pr_info(" A: 0x%lx S: 0x%lx R: 0x%lx\n", 1047abc159b4eb4 Steve French 2005-10-11 118 now - midEntry->when_alloc, 1047abc159b4eb4 Steve French 2005-10-11 119 now - midEntry->when_sent, 1047abc159b4eb4 Steve French 2005-10-11 120 now - midEntry->when_received); 1047abc159b4eb4 Steve French 2005-10-11 121 } 1047abc159b4eb4 Steve French 2005-10-11 122 } 1047abc159b4eb4 Steve French 2005-10-11 123 #endif 28b546c67ad5b05 Pavel Shilovsky 2022-08-27 124 28b546c67ad5b05 Pavel Shilovsky 2022-08-27 125 mempool_free(midEntry, cifs_mid_poolp); 28b546c67ad5b05 Pavel Shilovsky 2022-08-27 126 } 28b546c67ad5b05 Pavel Shilovsky 2022-08-27 127 :::::: The code at line 108 was first introduced by commit :::::: 468d677954c0d94fec59275d91222257fe8b4416 smb3: display stats counters for number of slow commands :::::: TO: Steve French <stfrench(a)microsoft.com> :::::: CC: Steve French <stfrench(a)microsoft.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
by Wenyu Huang 30 May '24

30 May '24

From: Mario Limonciello <mario.limonciello(a)amd.com> stable inclusion from stable-v4.19.315 commit a63fd579e7b1c3a9ebd6e6c494d49b1b6cf5515e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFE8 CVE: CVE-2023-52819 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- [ Upstream commit 0f0e59075b5c22f1e871fbd508d6e4f495048356 ] For pptable structs that use flexible array sizes, use flexible arrays. Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2036742 Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Acked-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wenyu Huang <huangwenyu5(a)huawei.com> --- drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h b/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h index 1e870f58dd12..153459262a7e 100644 --- a/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h +++ b/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h @@ -164,7 +164,7 @@ typedef struct _ATOM_Tonga_State { typedef struct _ATOM_Tonga_State_Array { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Tonga_State entries[1]; /* Dynamically allocate entries. */ + ATOM_Tonga_State entries[]; /* Dynamically allocate entries. */ } ATOM_Tonga_State_Array; typedef struct _ATOM_Tonga_MCLK_Dependency_Record { @@ -210,7 +210,7 @@ typedef struct _ATOM_Polaris_SCLK_Dependency_Record { typedef struct _ATOM_Polaris_SCLK_Dependency_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Polaris_SCLK_Dependency_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Polaris_SCLK_Dependency_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Polaris_SCLK_Dependency_Table; typedef struct _ATOM_Tonga_PCIE_Record { @@ -222,7 +222,7 @@ typedef struct _ATOM_Tonga_PCIE_Record { typedef struct _ATOM_Tonga_PCIE_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Tonga_PCIE_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Tonga_PCIE_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Tonga_PCIE_Table; typedef struct _ATOM_Polaris10_PCIE_Record { @@ -235,7 +235,7 @@ typedef struct _ATOM_Polaris10_PCIE_Record { typedef struct _ATOM_Polaris10_PCIE_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Polaris10_PCIE_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Polaris10_PCIE_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Polaris10_PCIE_Table; @@ -252,7 +252,7 @@ typedef struct _ATOM_Tonga_MM_Dependency_Record { typedef struct _ATOM_Tonga_MM_Dependency_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Tonga_MM_Dependency_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Tonga_MM_Dependency_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Tonga_MM_Dependency_Table; typedef struct _ATOM_Tonga_Voltage_Lookup_Record { @@ -265,7 +265,7 @@ typedef struct _ATOM_Tonga_Voltage_Lookup_Record { typedef struct _ATOM_Tonga_Voltage_Lookup_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Tonga_Voltage_Lookup_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Tonga_Voltage_Lookup_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Tonga_Voltage_Lookup_Table; typedef struct _ATOM_Tonga_Fan_Table { -- 2.34.1

2 1