December 2021 - Linux-stable-mirror

[PATCH] f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()

by Chao Yu

As Wenqing Liu reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215235 - Overview page fault in f2fs_setxattr() when mount and operate on corrupted image - Reproduce tested on kernel 5.16-rc3, 5.15.X under root 1. unzip tmp7.zip 2. ./single.sh f2fs 7 Sometimes need to run the script several times - Kernel dump loop0: detected capacity change from 0 to 131072 F2FS-fs (loop0): Found nat_bits in checkpoint F2FS-fs (loop0): Mounted with checkpoint version = 7548c2ee BUG: unable to handle page fault for address: ffffe47bc7123f48 RIP: 0010:kfree+0x66/0x320 Call Trace: __f2fs_setxattr+0x2aa/0xc00 [f2fs] f2fs_setxattr+0xfa/0x480 [f2fs] __f2fs_set_acl+0x19b/0x330 [f2fs] __vfs_removexattr+0x52/0x70 __vfs_removexattr_locked+0xb1/0x140 vfs_removexattr+0x56/0x100 removexattr+0x57/0x80 path_removexattr+0xa3/0xc0 __x64_sys_removexattr+0x17/0x20 do_syscall_64+0x37/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae The root cause is in __f2fs_setxattr(), we missed to do sanity check on last xattr entry, result in out-of-bound memory access during updating inconsistent xattr data of target inode. After the fix, it can detect such xattr inconsistency as below: F2FS-fs (loop11): inode (7) has invalid last xattr entry, entry_size: 60676 F2FS-fs (loop11): inode (8) has corrupted xattr F2FS-fs (loop11): inode (8) has corrupted xattr F2FS-fs (loop11): inode (8) has invalid last xattr entry, entry_size: 47736 Cc: stable(a)vger.kernel.org Reported-by: Wenqing Liu <wenqingliu0120(a)gmail.com> Signed-off-by: Chao Yu <chao(a)kernel.org> --- fs/f2fs/xattr.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c index e348f33bcb2b..c544100643c8 100644 --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c @@ -684,8 +684,17 @@ static int __f2fs_setxattr(struct inode *inode, int index, } last = here; - while (!IS_XATTR_LAST_ENTRY(last)) + while (!IS_XATTR_LAST_ENTRY(last)) { + if ((void *)(last) + sizeof(__u32) > last_base_addr || + (void *)XATTR_NEXT_ENTRY(last) > last_base_addr) { + f2fs_err(F2FS_I_SB(inode), "inode (%lu) has invalid last xattr entry, entry_size: %lu", + inode->i_ino, ENTRY_SIZE(last)); + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK); + error = -EFSCORRUPTED; + goto exit; + } last = XATTR_NEXT_ENTRY(last); + } newsize = XATTR_ALIGN(sizeof(struct f2fs_xattr_entry) + len + size); -- 2.32.0

3 years, 1 month

1
0
0 0

[PATCH] ARM: entry: fix Thumb2 bug in iWMMXt exception handling

by Ard Biesheuvel

The Thumb2 version of the FP exception handling entry code treats the register holding the CP number (R8) differently, resulting in the iWMMXT CP number check to be incorrect. Fix this by unifying the ARM and Thumb2 code paths, by switching the order of the additions of the TI_USED_CP offset and the shifted CP index. Cc: <stable(a)vger.kernel.org> Fixes: b86040a59feb ("Thumb-2: Implementation of the unified start-up and exceptions code") Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- arch/arm/kernel/entry-armv.S | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) Found through inspection, while I was looking at the entry code for the IRQ and vmap'ed stacks work. Not sure whether/how this affects the Thumb2 kernel running on PJ4 based systems. diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S index ef7f58596f77..9721e2da7dbc 100644 --- a/arch/arm/kernel/entry-armv.S +++ b/arch/arm/kernel/entry-armv.S @@ -629,24 +629,22 @@ call_fpe: #endif tst r0, #0x08000000 @ only CDP/CPRT/LDC/STC have bit 27 tstne r0, #0x04000000 @ bit 26 set on both ARM and Thumb-2 reteq lr and r8, r0, #0x00000f00 @ mask out CP number - THUMB( lsr r8, r8, #8 ) mov r7, #1 - add r6, r10, #TI_USED_CP - ARM( strb r7, [r6, r8, lsr #8] ) @ set appropriate used_cp[] - THUMB( strb r7, [r6, r8] ) @ set appropriate used_cp[] + add r6, r10, r8, lsr #8 @ add used_cp[] array offset first + strb r7, [r6, #TI_USED_CP] @ set appropriate used_cp[] #ifdef CONFIG_IWMMXT @ Test if we need to give access to iWMMXt coprocessors ldr r5, [r10, #TI_FLAGS] rsbs r7, r8, #(1 << 8) @ CP 0 or 1 only movscs r7, r5, lsr #(TIF_USING_IWMMXT + 1) bcs iwmmxt_task_enable #endif ARM( add pc, pc, r8, lsr #6 ) - THUMB( lsl r8, r8, #2 ) + THUMB( lsr r8, r8, #6 ) THUMB( add pc, r8 ) nop ret.w lr @ CP#0 W(b) do_fpe @ CP#1 (FPE) -- 2.30.2

3 years, 1 month

1
0
0 0

stable-rc/queue/4.9 baseline: 125 runs, 3 regressions (v4.9.292-10-g8eabbb4fb693)

by kernelci.org bot

stable-rc/queue/4.9 baseline: 125 runs, 3 regressions (v4.9.292-10-g8eabbb4fb693) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions -------------------------+--------+---------------+----------+------------------------------+------------ minnowboard-turbot-E3826 | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 minnowboard-turbot-E3826 | x86_64 | lab-collabora | gcc-10 | x86_64_defconfig | 1 panda | arm | lab-collabora | gcc-10 | omap2plus_defconfig | 1 Details: https://kernelci.org/test/job/stable-rc/branch/queue%2F4.9/kernel/v4.9.292-… Test: baseline Tree: stable-rc Branch: queue/4.9 Describe: v4.9.292-10-g8eabbb4fb693 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: 8eabbb4fb6931f52575953d33ac3276dc9e4ee0c Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions -------------------------+--------+---------------+----------+------------------------------+------------ minnowboard-turbot-E3826 | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/61b3ba62924bd6b71839713a Results: 0 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-4.9/v4.9.292-10-g8eabbb4fb693… HTML log: https://storage.kernelci.org//stable-rc/queue-4.9/v4.9.292-10-g8eabbb4fb693… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-6-g8983f3b7… * baseline.login: https://kernelci.org/test/case/id/61b3ba62924bd6b71839713b new failure (last pass: v4.9.292-9-g6988c513714d) platform | arch | lab | compiler | defconfig | regressions -------------------------+--------+---------------+----------+------------------------------+------------ minnowboard-turbot-E3826 | x86_64 | lab-collabora | gcc-10 | x86_64_defconfig | 1 Details: https://kernelci.org/test/plan/id/61b3bbb69dd931ec4b397124 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-4.9/v4.9.292-10-g8eabbb4fb693… HTML log: https://storage.kernelci.org//stable-rc/queue-4.9/v4.9.292-10-g8eabbb4fb693… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-6-g8983f3b7… * baseline.login: https://kernelci.org/test/case/id/61b3bbb69dd931ec4b397125 failing since 0 day (last pass: v4.9.291-70-gd8115b0fbf8b, first fail: v4.9.292-9-g6988c513714d) platform | arch | lab | compiler | defconfig | regressions -------------------------+--------+---------------+----------+------------------------------+------------ panda | arm | lab-collabora | gcc-10 | omap2plus_defconfig | 1 Details: https://kernelci.org/test/plan/id/61b3ba0a157b9d3d9439711e Results: 4 PASS, 1 FAIL, 1 SKIP Full config: omap2plus_defconfig Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-4.9/v4.9.292-10-g8eabbb4fb693… HTML log: https://storage.kernelci.org//stable-rc/queue-4.9/v4.9.292-10-g8eabbb4fb693… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-6-g8983f3b7… * baseline.dmesg.emerg: https://kernelci.org/test/case/id/61b3ba0a157b9d3d94397121 failing since 0 day (last pass: v4.9.292-8-g267327cffca6, first fail: v4.9.292-9-g6988c513714d) 2 lines 2021-12-10T20:35:04.430202 [ 20.306823] <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=alert RESULT=pass UNITS=lines MEASUREMENT=0> 2021-12-10T20:35:04.474786 kern :emerg : BUG: spinlock bad magic on CPU#0, udevd/118 2021-12-10T20:35:04.484102 kern :emerg : lock: emif_lock+0x0/0xfffff230 [emif], .magic: dead4ead, .owner: <none>/-1, .owner_cpu: -1

3 years, 1 month

1
0
0 0

[PATCH 4.4,4.9 0/3] POLLFREE fix for 4.4 and 4.9

by Eric Biggers

Please apply to 4.4 and 4.9. These kernel versions don't have aio poll, but the fix for POLLFREE with exclusive waiters is still applicable to them. This series resolves conflicts in all three patches, mostly due to POLLHUP and wait_queue_head_t having been renamed in more recent kernels. Eric Biggers (3): wait: add wake_up_pollfree() binder: use wake_up_pollfree() signalfd: use wake_up_pollfree() drivers/android/binder.c | 21 +++++++++------------ fs/signalfd.c | 12 +----------- include/linux/wait.h | 26 ++++++++++++++++++++++++++ kernel/sched/wait.c | 8 ++++++++ 4 files changed, 44 insertions(+), 23 deletions(-) -- 2.34.1

3 years, 1 month

1
3
0 0

[PATCH 4.14 v2 0/3] POLLFREE fix for 4.14

by Eric Biggers

This kernel version doesn't have aio poll, but the fix for POLLFREE with exclusive waiters is still applicable to it. This series resolves conflicts in all three patches, mostly due to POLLHUP having been renamed to EPOLLHUP in more recent kernels. v2: fix build break Eric Biggers (3): wait: add wake_up_pollfree() binder: use wake_up_pollfree() signalfd: use wake_up_pollfree() drivers/android/binder.c | 21 +++++++++------------ fs/signalfd.c | 12 +----------- include/linux/wait.h | 26 ++++++++++++++++++++++++++ kernel/sched/wait.c | 8 ++++++++ 4 files changed, 44 insertions(+), 23 deletions(-) -- 2.34.1

3 years, 1 month

1
3
0 0

stable-rc/queue/5.4 baseline: 147 runs, 1 regressions (v5.4.164-26-g9502d781e24f)

by kernelci.org bot

stable-rc/queue/5.4 baseline: 147 runs, 1 regressions (v5.4.164-26-g9502d781e24f) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions -------------------------+--------+---------------+----------+------------------------------+------------ minnowboard-turbot-E3826 | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/job/stable-rc/branch/queue%2F5.4/kernel/v5.4.164-… Test: baseline Tree: stable-rc Branch: queue/5.4 Describe: v5.4.164-26-g9502d781e24f URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: 9502d781e24fc4cf4d7eaf02de444ac37cc3d881 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions -------------------------+--------+---------------+----------+------------------------------+------------ minnowboard-turbot-E3826 | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/61b3b70517d67fd397397167 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-5.4/v5.4.164-26-g9502d781e24f… HTML log: https://storage.kernelci.org//stable-rc/queue-5.4/v5.4.164-26-g9502d781e24f… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-6-g8983f3b7… * baseline.login: https://kernelci.org/test/case/id/61b3b70517d67fd397397168 failing since 1 day (last pass: v5.4.163-72-gfda44f5f463a, first fail: v5.4.163-73-gf01a13d9c502)

3 years, 1 month

1
0
0 0

[PATCH 4.14 0/3] POLLFREE fix for 4.14

by Eric Biggers

This kernel version doesn't have aio poll, but the fix for POLLFREE with exclusive waiters is still applicable to it. This series resolves conflicts in all three patches, mostly due to POLLHUP having been renamed to EPOLLHUP in more recent kernels. Eric Biggers (3): wait: add wake_up_pollfree() binder: use wake_up_pollfree() signalfd: use wake_up_pollfree() drivers/android/binder.c | 21 +++++++++------------ fs/signalfd.c | 12 +----------- include/linux/wait.h | 26 ++++++++++++++++++++++++++ kernel/sched/wait.c | 7 +++++++ 4 files changed, 43 insertions(+), 23 deletions(-) -- 2.34.1

3 years, 1 month

1
4
0 0

stable-rc/queue/4.14 baseline: 149 runs, 2 regressions (v4.14.257-12-ga650c963d9c8)

by kernelci.org bot

stable-rc/queue/4.14 baseline: 149 runs, 2 regressions (v4.14.257-12-ga650c963d9c8) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions -------------------------+--------+---------------+----------+---------------------+------------ minnowboard-turbot-E3826 | x86_64 | lab-collabora | gcc-10 | x86_64_defconfig | 1 panda | arm | lab-collabora | gcc-10 | omap2plus_defconfig | 1 Details: https://kernelci.org/test/job/stable-rc/branch/queue%2F4.14/kernel/v4.14.25… Test: baseline Tree: stable-rc Branch: queue/4.14 Describe: v4.14.257-12-ga650c963d9c8 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: a650c963d9c8247d3b4a9c32b5d25abfcd96b2e0 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions -------------------------+--------+---------------+----------+---------------------+------------ minnowboard-turbot-E3826 | x86_64 | lab-collabora | gcc-10 | x86_64_defconfig | 1 Details: https://kernelci.org/test/plan/id/61b3b218b5d65f6bdb397143 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-4.14/v4.14.257-12-ga650c963d9… HTML log: https://storage.kernelci.org//stable-rc/queue-4.14/v4.14.257-12-ga650c963d9… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-6-g8983f3b7… * baseline.login: https://kernelci.org/test/case/id/61b3b218b5d65f6bdb397144 failing since 0 day (last pass: v4.14.256-106-gdcd74d7b3f01, first fail: v4.14.256-113-gb546adcd17c8) platform | arch | lab | compiler | defconfig | regressions -------------------------+--------+---------------+----------+---------------------+------------ panda | arm | lab-collabora | gcc-10 | omap2plus_defconfig | 1 Details: https://kernelci.org/test/plan/id/61b3b15c68deb5ff79397132 Results: 4 PASS, 1 FAIL, 1 SKIP Full config: omap2plus_defconfig Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-4.14/v4.14.257-12-ga650c963d9… HTML log: https://storage.kernelci.org//stable-rc/queue-4.14/v4.14.257-12-ga650c963d9… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-6-g8983f3b7… * baseline.dmesg.emerg: https://kernelci.org/test/case/id/61b3b15c68deb5ff79397135 failing since 0 day (last pass: v4.14.256-106-g42fb555ea765, first fail: v4.14.257-7-gb7688924d160) 2 lines 2021-12-10T19:58:02.253991 [ 20.084289] <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=alert RESULT=pass UNITS=lines MEASUREMENT=0> 2021-12-10T19:58:02.298253 kern :emerg : BUG: spinlock bad magic on CPU#0, udevd/100 2021-12-10T19:58:02.307789 kern :emerg : lock: emif_lock+0x0/0xffffed3c [emif], .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0

3 years, 1 month

1
0
0 0

[PATCH 4.19 0/5] aio poll fixes for 4.19

by Eric Biggers

Backport the aio poll fixes to 4.19. This resolves conflicts in patches 1 and 4. They are "trivial" conflicts, but I'm sending this to make sure patches don't get dropped. Eric Biggers (5): wait: add wake_up_pollfree() binder: use wake_up_pollfree() signalfd: use wake_up_pollfree() aio: keep poll requests on waitqueue until completed aio: fix use-after-free due to missing POLLFREE handling drivers/android/binder.c | 21 ++-- fs/aio.c | 184 ++++++++++++++++++++++++++------ fs/signalfd.c | 12 +-- include/linux/wait.h | 26 +++++ include/uapi/asm-generic/poll.h | 2 +- kernel/sched/wait.c | 7 ++ 6 files changed, 195 insertions(+), 57 deletions(-) -- 2.34.1

3 years, 1 month

1
5
0 0

[PATCH 5.4 0/5] aio poll fixes for 5.4

by Eric Biggers

Backport the aio poll fixes to 5.4. This resolves conflicts in patches 1 and 4. They are "trivial" conflicts, but I'm sending this to make sure patches don't get dropped. Eric Biggers (5): wait: add wake_up_pollfree() binder: use wake_up_pollfree() signalfd: use wake_up_pollfree() aio: keep poll requests on waitqueue until completed aio: fix use-after-free due to missing POLLFREE handling drivers/android/binder.c | 21 ++-- fs/aio.c | 184 ++++++++++++++++++++++++++------ fs/signalfd.c | 12 +-- include/linux/wait.h | 26 +++++ include/uapi/asm-generic/poll.h | 2 +- kernel/sched/wait.c | 7 ++ 6 files changed, 195 insertions(+), 57 deletions(-) -- 2.34.1

3 years, 1 month

1
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror December 2021