May 2020 - Linux-stable-mirror

[PATCH 0/4] [backports] fix l2tp use-after-free in pppol2tp_sendmsg

by Giuliano Procida

Hi Greg. This is for 4.14. We received a PoC (code to run as root with a KASAN kernel) demonstrating the existence of a use-after-free in pppol2tp_sendmsg. This was accompanied by a patch to resolve it, consisting mostly of parts of patch 3 plus a little of 4. The following patches all apply cleanly and compile with allmodconfig. However, I lack the hardware to test them. The changes are already in 4.19. I'll post the changes for 4.9 next. Regards, Giuliano. Guillaume Nault (4): l2tp: don't register sessions in l2tp_session_create() l2tp: initialise l2tp_eth sessions before registering them l2tp: protect sock pointer of struct pppol2tp_session with RCU l2tp: initialise PPP sessions before registering them net/l2tp/l2tp_core.c | 21 ++-- net/l2tp/l2tp_core.h | 3 + net/l2tp/l2tp_eth.c | 99 +++++++++++++----- net/l2tp/l2tp_ppp.c | 238 +++++++++++++++++++++++++++---------------- 4 files changed, 238 insertions(+), 123 deletions(-) -- 2.26.2.761.g0e0b3e54be-goog

4 years, 7 months

2
5
0 0

[stable] i2c: dev: Fix the race between the release of i2c_dev and cdev

by Ben Hutchings

Please pick this fix for all stable branches: commit 1413ef638abae4ab5621901cf4d8ef08a4a48ba6 Author: Kevin Hao <haokexin(a)gmail.com> Date: Fri Oct 11 23:00:14 2019 +0800 i2c: dev: Fix the race between the release of i2c_dev and cdev I don't know whether it will apply cleanly to all of them; I can deal with those where it doesn't. Ben. -- Ben Hutchings, Software Developer Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom

4 years, 7 months

3
4
0 0

patch "misc: rtsx: Add short delay after exit from ASPM" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled misc: rtsx: Add short delay after exit from ASPM to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From 7a839dbab1be59f5ed3b3b046de29e166784c9b4 Mon Sep 17 00:00:00 2001 From: Klaus Doth <kdlnx(a)doth.eu> Date: Fri, 22 May 2020 12:56:04 +0200 Subject: misc: rtsx: Add short delay after exit from ASPM DMA transfers to and from the SD card stall for 10 seconds and run into timeout on RTS5260 card readers after ASPM was enabled. Adding a short msleep after disabling ASPM fixes the issue on several Dell Precision 7530/7540 systems I tested. This function is only called when waking up after the chip went into power-save after not transferring data for a few seconds. The added msleep does therefore not change anything in data transfer speed or induce any excessive waiting while data transfers are running, or the chip is sleeping. Only the transition from sleep to active is affected. Signed-off-by: Klaus Doth <kdlnx(a)doth.eu> Cc: stable <stable(a)vger.kernel.org> Link: https://lore.kernel.org/r/4434eaa7-2ee3-a560-faee-6cee63ebd6d4@doth.eu Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/misc/cardreader/rtsx_pcr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/misc/cardreader/rtsx_pcr.c b/drivers/misc/cardreader/rtsx_pcr.c index 06038b325b02..55da6428ceb0 100644 --- a/drivers/misc/cardreader/rtsx_pcr.c +++ b/drivers/misc/cardreader/rtsx_pcr.c @@ -142,6 +142,9 @@ static void rtsx_comm_pm_full_on(struct rtsx_pcr *pcr) rtsx_disable_aspm(pcr); + /* Fixes DMA transfer timout issue after disabling ASPM on RTS5260 */ + msleep(1); + if (option->ltr_enabled) rtsx_set_ltr_latency(pcr, option->ltr_active_latency); -- 2.26.2

4 years, 7 months

1
0
0 0

[PATCH] xen/events: avoid NULL pointer dereference in evtchn_from_irq()

by Juergen Gross

There have been reports of races in evtchn_from_irq() where the info pointer has been NULL. Avoid that case by testing info before dereferencing it. In order to avoid accessing a just freed info structure do the kfree() via kfree_rcu(). Cc: Marek Marczykowski-Górecki <marmarek(a)invisiblethingslab.com> Cc: stable(a)vger.kernel.org Reported-by: Marek Marczykowski-Górecki <marmarek(a)invisiblethingslab.com> Signed-off-by: Juergen Gross <jgross(a)suse.com> --- drivers/xen/events/events_base.c | 10 ++++++++-- drivers/xen/events/events_internal.h | 3 +++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c index 499eff7d3f65..838762fe3d6e 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -247,10 +247,16 @@ static void xen_irq_info_cleanup(struct irq_info *info) */ unsigned int evtchn_from_irq(unsigned irq) { + struct irq_info *info; + if (WARN(irq >= nr_irqs, "Invalid irq %d!\n", irq)) return 0; - return info_for_irq(irq)->evtchn; + info = info_for_irq(irq); + if (info == NULL) + return 0; + + return info->evtchn; } unsigned irq_from_evtchn(unsigned int evtchn) @@ -436,7 +442,7 @@ static void xen_free_irq(unsigned irq) WARN_ON(info->refcnt > 0); - kfree(info); + kfree_rcu(info, rcu); /* Legacy IRQ descriptors are managed by the arch. */ if (irq < nr_legacy_irqs()) diff --git a/drivers/xen/events/events_internal.h b/drivers/xen/events/events_internal.h index 82938cff6c7a..c421055843c8 100644 --- a/drivers/xen/events/events_internal.h +++ b/drivers/xen/events/events_internal.h @@ -7,6 +7,8 @@ #ifndef __EVENTS_INTERNAL_H__ #define __EVENTS_INTERNAL_H__ +#include <linux/rcupdate.h> + /* Interrupt types. */ enum xen_irq_type { IRQT_UNBOUND = 0, @@ -30,6 +32,7 @@ enum xen_irq_type { */ struct irq_info { struct list_head list; + struct rcu_head rcu; int refcnt; enum xen_irq_type type; /* type */ unsigned irq; -- 2.16.4

4 years, 7 months

4
5
0 0

Offer

by Mazer

I hope you are doing great? This is Felix from Toronto-Canada. I have a lucrative business offer that will benefit us both immensely within a very short period of time. However, I need your initial approval of interest prior to further and complete details regarding the deal. Thanks, Felix.

4 years, 7 months

1
0
0 0

[PATCH] ext4: fix race between ext4_sync_parent() and rename()

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> 'igrab(d_inode(dentry->d_parent))' without holding dentry->d_lock is broken because without d_lock, d_parent can be concurrently changed due to a rename(). Then if the old directory is immediately deleted, old d_parent->inode can be NULL. That causes a NULL dereference in igrab(). To fix this, use dget_parent() to safely grab a reference to the parent dentry, which pins the inode. This also eliminates the need to use d_find_any_alias() other than for the initial inode, as we no longer throw away the dentry at each step. This is an extremely hard race to hit, but it is possible. Adding a udelay() in between the reads of ->d_parent and its ->d_inode makes it reproducible on a no-journal filesystem using the following program: #include <fcntl.h> #include <unistd.h> int main() { if (fork()) { for (;;) { mkdir("dir1", 0700); int fd = open("dir1/file", O_RDWR|O_CREAT|O_SYNC); write(fd, "X", 1); close(fd); } } else { mkdir("dir2", 0700); for (;;) { rename("dir1/file", "dir2/file"); rmdir("dir1"); } } } Fixes: d59729f4e794 ("ext4: fix races in ext4_sync_parent()") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- fs/ext4/fsync.c | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/fs/ext4/fsync.c b/fs/ext4/fsync.c index e10206e7f4bbe7..093c359952cdba 100644 --- a/fs/ext4/fsync.c +++ b/fs/ext4/fsync.c @@ -44,30 +44,28 @@ */ static int ext4_sync_parent(struct inode *inode) { - struct dentry *dentry = NULL; - struct inode *next; + struct dentry *dentry, *next; int ret = 0; if (!ext4_test_inode_state(inode, EXT4_STATE_NEWENTRY)) return 0; - inode = igrab(inode); + dentry = d_find_any_alias(inode); + if (!dentry) + return 0; while (ext4_test_inode_state(inode, EXT4_STATE_NEWENTRY)) { ext4_clear_inode_state(inode, EXT4_STATE_NEWENTRY); - dentry = d_find_any_alias(inode); - if (!dentry) - break; - next = igrab(d_inode(dentry->d_parent)); + + next = dget_parent(dentry); dput(dentry); - if (!next) - break; - iput(inode); - inode = next; + dentry = next; + inode = dentry->d_inode; + /* * The directory inode may have gone through rmdir by now. But * the inode itself and its blocks are still allocated (we hold - * a reference to the inode so it didn't go through - * ext4_evict_inode()) and so we are safe to flush metadata - * blocks and the inode. + * a reference to the inode via its dentry), so it didn't go + * through ext4_evict_inode()) and so we are safe to flush + * metadata blocks and the inode. */ ret = sync_mapping_buffers(inode->i_mapping); if (ret) @@ -76,7 +74,7 @@ static int ext4_sync_parent(struct inode *inode) if (ret) break; } - iput(inode); + dput(dentry); return ret; } -- 2.26.2

4 years, 7 months

2
3
0 0

[stable-4.4 1/5] padata: set cpu_index of unused CPUs to -1

by Daniel Jordan

From: Mathias Krause <minipli(a)googlemail.com> [ Upstream commit 1bd845bcb41d5b7f83745e0cb99273eb376f2ec5 ] The parallel queue per-cpu data structure gets initialized only for CPUs in the 'pcpu' CPU mask set. This is not sufficient as the reorder timer may run on a different CPU and might wrongly decide it's the target CPU for the next reorder item as per-cpu memory gets memset(0) and we might be waiting for the first CPU in cpumask.pcpu, i.e. cpu_index 0. Make the '__this_cpu_read(pd->pqueue->cpu_index) == next_queue->cpu_index' compare in padata_get_next() fail in this case by initializing the cpu_index member of all per-cpu parallel queues. Use -1 for unused ones. Signed-off-by: Mathias Krause <minipli(a)googlemail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Daniel Jordan <daniel.m.jordan(a)oracle.com> --- kernel/padata.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/kernel/padata.c b/kernel/padata.c index 8aef48c3267b..4f860043a8e5 100644 --- a/kernel/padata.c +++ b/kernel/padata.c @@ -461,8 +461,14 @@ static void padata_init_pqueues(struct parallel_data *pd) struct padata_parallel_queue *pqueue; cpu_index = 0; - for_each_cpu(cpu, pd->cpumask.pcpu) { + for_each_possible_cpu(cpu) { pqueue = per_cpu_ptr(pd->pqueue, cpu); + + if (!cpumask_test_cpu(cpu, pd->cpumask.pcpu)) { + pqueue->cpu_index = -1; + continue; + } + pqueue->pd = pd; pqueue->cpu_index = cpu_index; cpu_index++; -- 2.26.2

4 years, 7 months

2
5
0 0

[PATCH v3 0/2] Renovate memcpy_mcsafe with copy_mc_to_{user, kernel}

by Dan Williams

Changes since v2 [1]: - Replace the non-descriptive copy_safe() with copy_mc_to_user() and copy_mc_to_kernel() several code organization cleanups resulted from this rename, which further proves the point that the name deeply matters for maintainability in this case. (Linus) - Do not use copy_user_generic() as the generic x86 backend for copy_mc_to_user() since the #MC handler explicitly wants the exception to be trapped by a _ASM_EXTABLE_FAULT handler. (Vivek). - Rename copy_safe_slow() to copy_mc_fragile() to better indicate what the implementation is handling. copy_safe_fast() is replaced with copy_mc_generic(). --- The primary motivation to go touch memcpy_mcsafe() is that the existing benefit of doing slow "handle with care" copies is obviated on newer CPUs. With that concern lifted it also obviates the need to continue to update the MCA-recovery capability detection code currently gated by "mcsafe_key". Now the old "mcsafe_key" opt-in to perform the copy with concerns for recovery fragility can instead be made an opt-out from the default fast copy implementation (enable_copy_mc_fragile()). The discussion with Linus on the first iteration of this patch identified that memcpy_mcsafe() was misnamed relative to its usage. The new names copy_mc_to_user() and copy_mc_to_kernel() clearly indicate the intended use case and lets the architecture organize the implementation accordingly. For both powerpc and x86 a copy_mc_generic() implementation is added as the backend for these interfaces. Patches are relative to tip/master. --- Dan Williams (2): x86, powerpc: Rename memcpy_mcsafe() to copy_mc_to_{user,kernel}() x86/copy_mc: Introduce copy_mc_generic() arch/powerpc/Kconfig | 2 arch/powerpc/include/asm/string.h | 2 arch/powerpc/include/asm/uaccess.h | 40 +++-- arch/powerpc/lib/Makefile | 2 arch/powerpc/lib/copy_mc_64.S | 4 arch/x86/Kconfig | 2 arch/x86/Kconfig.debug | 2 arch/x86/include/asm/copy_mc_test.h | 75 +++++++++ arch/x86/include/asm/mcsafe_test.h | 75 --------- arch/x86/include/asm/string_64.h | 32 ---- arch/x86/include/asm/uaccess_64.h | 35 ++-- arch/x86/kernel/cpu/mce/core.c | 8 - arch/x86/kernel/quirks.c | 9 - arch/x86/lib/Makefile | 1 arch/x86/lib/copy_mc.c | 64 ++++++++ arch/x86/lib/copy_mc_64.S | 165 ++++++++++++++++++++ arch/x86/lib/memcpy_64.S | 115 -------------- arch/x86/lib/usercopy_64.c | 21 --- drivers/md/dm-writecache.c | 15 +- drivers/nvdimm/claim.c | 2 drivers/nvdimm/pmem.c | 6 - include/linux/string.h | 9 - include/linux/uaccess.h | 9 + include/linux/uio.h | 10 + lib/Kconfig | 7 + lib/iov_iter.c | 43 +++-- tools/arch/x86/include/asm/copy_safe_test.h | 13 ++ tools/arch/x86/include/asm/mcsafe_test.h | 13 -- tools/arch/x86/lib/memcpy_64.S | 115 -------------- tools/objtool/check.c | 5 - tools/perf/bench/Build | 1 tools/perf/bench/mem-memcpy-x86-64-lib.c | 24 --- tools/testing/nvdimm/test/nfit.c | 48 +++--- .../testing/selftests/powerpc/copyloops/.gitignore | 2 tools/testing/selftests/powerpc/copyloops/Makefile | 6 - .../testing/selftests/powerpc/copyloops/copy_mc.S | 0 36 files changed, 460 insertions(+), 522 deletions(-) rename arch/powerpc/lib/{memcpy_mcsafe_64.S => copy_mc_64.S} (98%) create mode 100644 arch/x86/include/asm/copy_mc_test.h delete mode 100644 arch/x86/include/asm/mcsafe_test.h create mode 100644 arch/x86/lib/copy_mc.c create mode 100644 arch/x86/lib/copy_mc_64.S create mode 100644 tools/arch/x86/include/asm/copy_safe_test.h delete mode 100644 tools/arch/x86/include/asm/mcsafe_test.h delete mode 100644 tools/perf/bench/mem-memcpy-x86-64-lib.c rename tools/testing/selftests/powerpc/copyloops/{memcpy_mcsafe_64.S => copy_mc.S} (100%) base-commit: bba413deb1065f1291cb1f366247513f11215520

4 years, 7 months

6
11
0 0

[PATCH 2/2] jbd2: Avoid leaking transaction credits when unreserving handle

by Jan Kara

When reserved transaction handle is unused, we subtract its reserved credits in __jbd2_journal_unreserve_handle() called from jbd2_journal_stop(). However this function forgets to remove reserved credits from transaction->t_outstanding_credits and thus the transaction space that was reserved remains effectively leaked. The leaked transaction space can be quite significant in some cases and leads to unnecessarily small transactions and thus reducing throughput of the journalling machinery. E.g. fsmark workload creating lots of 4k files was observed to have about 20% lower throughput due to this when ext4 is mounted with dioread_nolock mount option. Subtract reserved credits from t_outstanding_credits as well. CC: stable(a)vger.kernel.org Fixes: 8f7d89f36829 ("jbd2: transaction reservation support") Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/jbd2/transaction.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c index 3dccc23cf010..b49a103cff1f 100644 --- a/fs/jbd2/transaction.c +++ b/fs/jbd2/transaction.c @@ -541,17 +541,24 @@ handle_t *jbd2_journal_start(journal_t *journal, int nblocks) } EXPORT_SYMBOL(jbd2_journal_start); -static void __jbd2_journal_unreserve_handle(handle_t *handle) +static void __jbd2_journal_unreserve_handle(handle_t *handle, transaction_t *t) { journal_t *journal = handle->h_journal; WARN_ON(!handle->h_reserved); sub_reserved_credits(journal, handle->h_total_credits); + if (t) + atomic_sub(handle->h_total_credits, &t->t_outstanding_credits); } void jbd2_journal_free_reserved(handle_t *handle) { - __jbd2_journal_unreserve_handle(handle); + journal_t *journal = handle->h_journal; + + /* Get j_state_lock to pin running transaction if it exists */ + read_lock(&journal->j_state_lock); + __jbd2_journal_unreserve_handle(handle, journal->j_running_transaction); + read_unlock(&journal->j_state_lock); jbd2_free_handle(handle); } EXPORT_SYMBOL(jbd2_journal_free_reserved); @@ -721,8 +728,10 @@ static void stop_this_handle(handle_t *handle) } atomic_sub(handle->h_total_credits, &transaction->t_outstanding_credits); - if (handle->h_rsv_handle) - __jbd2_journal_unreserve_handle(handle->h_rsv_handle); + if (handle->h_rsv_handle) { + __jbd2_journal_unreserve_handle(handle->h_rsv_handle, + transaction); + } if (atomic_dec_and_test(&transaction->t_updates)) wake_up(&journal->j_wait_updates); -- 2.16.4

4 years, 7 months

3
3
0 0

[PATCH] drm/etnaviv: fix memory leak when mapping prime imported buffers

by Martin Fuzzey

When using mmap() on a prime imported buffer allocated by a different driver (such as imx-drm) the later munmap() does not correctly decrement the refcount of the original enaviv_gem_object, leading to a leak. Signed-off-by: Martin Fuzzey <martin.fuzzey(a)flowbird.group> Cc: stable(a)vger.kernel.org --- drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c b/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c index f24dd21..28a01b8 100644 --- a/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c +++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c @@ -93,7 +93,25 @@ static void *etnaviv_gem_prime_vmap_impl(struct etnaviv_gem_object *etnaviv_obj) static int etnaviv_gem_prime_mmap_obj(struct etnaviv_gem_object *etnaviv_obj, struct vm_area_struct *vma) { - return dma_buf_mmap(etnaviv_obj->base.dma_buf, vma, 0); + int ret; + + ret = dma_buf_mmap(etnaviv_obj->base.dma_buf, vma, 0); + + /* drm_gem_mmap_obj() has already been called before this function + * and has incremented our refcount, expecting it to be decremented + * on unmap() via drm_gem_vm_close(). + * However dma_buf_mmap() invokes drm_gem_cma_prime_mmap() + * that ends up updating the vma->vma_private_data to point to the + * dma_buf's gem object. + * Hence our gem object here will not have its refcount decremented + * when userspace does unmap(). + * So decrement the refcount here to avoid a memory leak if the dma + * buf mapping was successful. + */ + if (!ret) + drm_gem_object_put_unlocked(&etnaviv_obj->base); + + return ret; } static const struct etnaviv_gem_ops etnaviv_gem_prime_ops = { -- 1.9.1

4 years, 7 months

4
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2020