January 2024 - Linux-stable-mirror

[PATCH v2] usb: mon: Fix atomicity violation in mon_bin_vma_fault

by Gui-Dong Han

In mon_bin_vma_fault(): offset = vmf->pgoff << PAGE_SHIFT; if (offset >= rp->b_size) return VM_FAULT_SIGBUS; chunk_idx = offset / CHUNK_SIZE; pageptr = rp->b_vec[chunk_idx].pg; The code is executed without holding any lock. In mon_bin_vma_close(): spin_lock_irqsave(&rp->b_lock, flags); rp->mmap_active--; spin_unlock_irqrestore(&rp->b_lock, flags); In mon_bin_ioctl(): spin_lock_irqsave(&rp->b_lock, flags); if (rp->mmap_active) { ... } else { ... kfree(rp->b_vec); rp->b_vec = vec; rp->b_size = size; ... } spin_unlock_irqrestore(&rp->b_lock, flags); Concurrent execution of mon_bin_vma_fault() with mon_bin_vma_close() and mon_bin_ioctl() could lead to atomicity violations. mon_bin_vma_fault() accesses rp->b_size and rp->b_vec without locking, risking array out-of-bounds access or use-after-free bugs due to possible modifications in mon_bin_ioctl(). This possible bug is found by an experimental static analysis tool developed by our team, BassCheck[1]. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. The above possible bug is reported when our tool analyzes the source code of Linux 6.2. To address this issue, it is proposed to add a spin lock pair in mon_bin_vma_fault() to ensure atomicity. With this patch applied, our tool never reports the possible bug, with the kernel configuration allyesconfig for x86_64. Due to the lack of associated hardware, we cannot test the patch in runtime testing, and just verify it according to the code logic. [1] https://sites.google.com/view/basscheck/ Fixes: 19e6317d24c25 ("usb: mon: Fix a deadlock in usbmon between ...") Cc: stable(a)vger.kernel.org Reported-by: BassCheck <bass(a)buaa.edu.cn> Signed-off-by: Gui-Dong Han <2045gemini(a)gmail.com> --- v2: * In this patch v2, we've added some information of the static analysis tool used, as per the researcher guidelines. Also, we've added a cc in the signed-off-by area, according to the stable-kernel-rules. Thank Greg KH for helpful advice. --- drivers/usb/mon/mon_bin.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c index 9ca9305243fe..509cd1b8ff13 100644 --- a/drivers/usb/mon/mon_bin.c +++ b/drivers/usb/mon/mon_bin.c @@ -1250,12 +1250,16 @@ static vm_fault_t mon_bin_vma_fault(struct vm_fault *vmf) struct mon_reader_bin *rp = vmf->vma->vm_private_data; unsigned long offset, chunk_idx; struct page *pageptr; - + unsigned long flags; + spin_lock_irqsave(&rp->b_lock, flags); offset = vmf->pgoff << PAGE_SHIFT; - if (offset >= rp->b_size) + if (offset >= rp->b_size) { + spin_unlock_irqrestore(&rp->b_lock, flags); return VM_FAULT_SIGBUS; + } chunk_idx = offset / CHUNK_SIZE; pageptr = rp->b_vec[chunk_idx].pg; + spin_unlock_irqrestore(&rp->b_lock, flags); get_page(pageptr); vmf->page = pageptr; return 0; -- 2.34.1

1 year, 6 months

2
2
0 0

[PATCH v3] usb: mon: Fix atomicity violation in mon_bin_vma_fault

by Gui-Dong Han

In mon_bin_vma_fault(): offset = vmf->pgoff << PAGE_SHIFT; if (offset >= rp->b_size) return VM_FAULT_SIGBUS; chunk_idx = offset / CHUNK_SIZE; pageptr = rp->b_vec[chunk_idx].pg; The code is executed without holding any lock. In mon_bin_vma_close(): spin_lock_irqsave(&rp->b_lock, flags); rp->mmap_active--; spin_unlock_irqrestore(&rp->b_lock, flags); In mon_bin_ioctl(): spin_lock_irqsave(&rp->b_lock, flags); if (rp->mmap_active) { ... } else { ... kfree(rp->b_vec); rp->b_vec = vec; rp->b_size = size; ... } spin_unlock_irqrestore(&rp->b_lock, flags); Concurrent execution of mon_bin_vma_fault() with mon_bin_vma_close() and mon_bin_ioctl() could lead to atomicity violations. mon_bin_vma_fault() accesses rp->b_size and rp->b_vec without locking, risking array out-of-bounds access or use-after-free bugs due to possible modifications in mon_bin_ioctl(). This possible bug is found by an experimental static analysis tool developed by our team, BassCheck[1]. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. The above possible bug is reported when our tool analyzes the source code of Linux 6.2. To address this issue, it is proposed to add a spin lock pair in mon_bin_vma_fault() to ensure atomicity. With this patch applied, our tool never reports the possible bug, with the kernel configuration allyesconfig for x86_64. Due to the lack of associated hardware, we cannot test the patch in runtime testing, and just verify it according to the code logic. [1] https://sites.google.com/view/basscheck/ Fixes: 19e6317d24c2 ("usb: mon: Fix a deadlock in usbmon between ...") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <2045gemini(a)gmail.com> --- v2: * In this patch v2, we've added some information of the static analysis tool used, as per the researcher guidelines. Also, we've added a cc in the signed-off-by area, according to the stable-kernel-rules. Thank Greg KH for helpful advice. --- v3: * In this patch v3, we've added a necessary blank line and adjusted the position of spin_unlock_irqrestore() following Greg KH's suggestions. Thank Greg KH for helpful advice. --- drivers/usb/mon/mon_bin.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c index 9ca9305243fe..fbc1a9c0b345 100644 --- a/drivers/usb/mon/mon_bin.c +++ b/drivers/usb/mon/mon_bin.c @@ -1250,14 +1250,19 @@ static vm_fault_t mon_bin_vma_fault(struct vm_fault *vmf) struct mon_reader_bin *rp = vmf->vma->vm_private_data; unsigned long offset, chunk_idx; struct page *pageptr; - + unsigned long flags; + + spin_lock_irqsave(&rp->b_lock, flags); offset = vmf->pgoff << PAGE_SHIFT; - if (offset >= rp->b_size) + if (offset >= rp->b_size) { + spin_unlock_irqrestore(&rp->b_lock, flags); return VM_FAULT_SIGBUS; + } chunk_idx = offset / CHUNK_SIZE; pageptr = rp->b_vec[chunk_idx].pg; get_page(pageptr); vmf->page = pageptr; + spin_unlock_irqrestore(&rp->b_lock, flags); return 0; } -- 2.34.1

1 year, 6 months

1
0
0 0

[PATCH 6.6 00/49] 6.6.10-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.10 release. There are 49 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 05 Jan 2024 16:47:49 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.10-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.10-rc1 Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: skip set commit for deleted/destroyed sets Léo Lam <leo(a)leolam.fr> wifi: nl80211: fix deadlock in nl80211_set_cqm_rssi (6.6.x) Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: fix CQM for non-range use Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Fix blocked reader of snapshot buffer Steven Rostedt (Google) <rostedt(a)goodmis.org> ftrace: Fix modification of direct_function hash while in use Steven Rostedt (Google) <rostedt(a)goodmis.org> ring-buffer: Fix wake ups when buffer_percent is set to 100 Keith Busch <kbusch(a)kernel.org> Revert "nvme-fc: fix race between error recovery and creating association" Matthew Wilcox (Oracle) <willy(a)infradead.org> mm/memory-failure: check the mapcount of the precise page Matthew Wilcox (Oracle) <willy(a)infradead.org> mm/memory-failure: cast index to loff_t before shifting it Charan Teja Kalla <quic_charante(a)quicinc.com> mm: migrate high-order folios in swap cache correctly Baokun Li <libaokun1(a)huawei.com> mm/filemap: avoid buffered read/write race to read inconsistent data Muhammad Usama Anjum <usama.anjum(a)collabora.com> selftests: secretmem: floor the memory size to the multiple of page_size Sidhartha Kumar <sidhartha.kumar(a)oracle.com> maple_tree: do not preallocate nodes for slot stores Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16() David E. Box <david.e.box(a)linux.intel.com> platform/x86/intel/pmc: Move GBE LTR ignore to suspend callback David E. Box <david.e.box(a)linux.intel.com> platform/x86/intel/pmc: Allow reenabling LTRs David E. Box <david.e.box(a)linux.intel.com> platform/x86/intel/pmc: Add suspend callback Christoph Hellwig <hch(a)lst.de> block: renumber QUEUE_FLAG_HW_WC Paolo Abeni <pabeni(a)redhat.com> mptcp: fix inconsistent state on fastopen race Paolo Abeni <pabeni(a)redhat.com> mptcp: fix possible NULL pointer dereference on close Paolo Abeni <pabeni(a)redhat.com> mptcp: refactor sndbuf auto-tuning Helge Deller <deller(a)gmx.de> linux/export: Ensure natural alignment of kcrctab array Helge Deller <deller(a)gmx.de> linux/export: Fix alignment for 64-bit ksymtab entries Arnd Bergmann <arnd(a)arndb.de> kexec: select CRYPTO from KEXEC_FILE instead of depending on it Arnd Bergmann <arnd(a)arndb.de> kexec: fix KEXEC_FILE dependencies Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> virtio_ring: fix syncs DMA memory with different direction Zizhi Wo <wozizhi(a)huawei.com> fs: cifs: Fix atime update check Jeff Layton <jlayton(a)kernel.org> client: convert to new timestamp accessors Jeff Layton <jlayton(a)kernel.org> fs: new accessor methods for atime and mtime Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: avoid duplicate opinfo_put() call on error of smb21_lease_break_ack() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: lazy v2 lease break on smb2_write() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: send v2 lease break notification for directory Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: downgrade RWH lease caching state to RH for directory Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: set v2 lease capability Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: set epoch in create context v2 lease Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: don't update ->op_state as OPLOCK_STATE_NONE on error Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: move setting SMB2_FLAGS_ASYNC_COMMAND and AsyncId Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: release interim response after sending status pending response Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: move oplock handling after unlock parent dir Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: separately allocate ci per dentry Zongmin Zhou <zhouzongmin(a)kylinos.cn> ksmbd: prevent memory leak on error return Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix kernel-doc comment of ksmbd_vfs_kern_path_locked() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: no need to wait for binded connection termination at logoff Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: add support for surrogate pair conversion Kangjing Huang <huangkangjing(a)gmail.com> ksmbd: fix missing RDMA-capable flag for IPoIB device in ksmbd_rdma_capable_netdev() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix kernel-doc comment of ksmbd_vfs_setxattr() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: reorganize ksmbd_iov_pin_rsp() Cheng-Han Wu <hank20010209(a)gmail.com> ksmbd: Remove unused field in ksmbd_user struct ------------- Diffstat: Makefile | 4 +- arch/powerpc/Kconfig | 4 +- arch/riscv/Kconfig | 4 +- arch/s390/Kconfig | 4 +- arch/x86/Kconfig | 4 +- drivers/nvme/host/fc.c | 21 +-- drivers/platform/x86/intel/pmc/adl.c | 9 +- drivers/platform/x86/intel/pmc/cnp.c | 26 ++- drivers/platform/x86/intel/pmc/core.c | 12 +- drivers/platform/x86/intel/pmc/core.h | 7 +- drivers/platform/x86/intel/pmc/mtl.c | 9 +- drivers/platform/x86/intel/pmc/tgl.c | 9 +- drivers/platform/x86/p2sb.c | 178 ++++++++++++++++----- drivers/virtio/virtio_ring.c | 6 +- fs/libfs.c | 41 +++-- fs/smb/client/file.c | 18 ++- fs/smb/client/fscache.h | 6 +- fs/smb/client/inode.c | 17 +- fs/smb/client/smb2ops.c | 6 +- fs/smb/common/smb2pdu.h | 1 + fs/smb/server/connection.c | 16 -- fs/smb/server/ksmbd_work.c | 51 +++--- fs/smb/server/mgmt/user_config.h | 1 - fs/smb/server/oplock.c | 118 ++++++++++++-- fs/smb/server/oplock.h | 8 +- fs/smb/server/smb2misc.c | 15 +- fs/smb/server/smb2ops.c | 9 +- fs/smb/server/smb2pdu.c | 258 ++++++++++++++++-------------- fs/smb/server/transport_rdma.c | 40 +++-- fs/smb/server/unicode.c | 187 ++++++++++++++++------ fs/smb/server/vfs.c | 14 +- fs/smb/server/vfs_cache.c | 30 ++-- fs/smb/server/vfs_cache.h | 9 +- include/linux/blkdev.h | 2 +- include/linux/export-internal.h | 6 +- include/linux/fs.h | 85 ++++++++-- kernel/Kconfig.kexec | 2 + kernel/trace/ftrace.c | 100 ++++++------ kernel/trace/ring_buffer.c | 12 +- kernel/trace/trace.c | 20 ++- lib/maple_tree.c | 11 ++ mm/filemap.c | 9 ++ mm/memory-failure.c | 8 +- mm/migrate.c | 9 +- net/mptcp/protocol.c | 27 +++- net/mptcp/protocol.h | 63 +++++++- net/mptcp/sockopt.c | 5 +- net/mptcp/subflow.c | 29 ++-- net/netfilter/nf_tables_api.c | 2 +- net/wireless/core.h | 1 + net/wireless/nl80211.c | 56 ++++--- tools/testing/radix-tree/maple.c | 2 +- tools/testing/selftests/mm/memfd_secret.c | 3 + 53 files changed, 1070 insertions(+), 524 deletions(-)

1 year, 6 months

19
71
0 0

FAILED: patch "[PATCH] block: Don't invalidate pagecache for invalid falloc modes" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 1364a3c391aedfeb32aa025303ead3d7c91cdf9d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023101511-outpost-crucial-c477@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 1364a3c391ae ("block: Don't invalidate pagecache for invalid falloc modes") 05bdb9965305 ("block: replace fmode_t with a block-specific type for block open flags") 5e4ea834676e ("block: remove unused fmode_t arguments from ioctl handlers") cfb425761c79 ("block: move a few internal definitions out of blkdev.h") 99b07780814e ("rnbd-srv: replace sess->open_flags with a "bool readonly"") 658afed19cee ("mtd: block: use a simple bool to track open for write") 7d9d7d59d44b ("nvme: replace the fmode_t argument to the nvme ioctl handlers with a simple bool") 2e80089c1824 ("scsi: replace the fmode_t argument to scsi_ioctl with a simple bool") 5f4eb9d5413f ("scsi: replace the fmode_t argument to scsi_cmd_allowed with a simple bool") 81b1fb7d17c0 ("fs: remove sb->s_mode") 3f0b3e785e8b ("block: add a sb_open_mode helper") 2736e8eeb0cc ("block: use the holder as indication for exclusive opens") 2ef789288afd ("btrfs: don't pass a holder for non-exclusive blkdev_get_by_path") 29499ab060fe ("bcache: don't pass a stack address to blkdev_get_by_path") c889d0793d9d ("swsusp: don't pass a stack address to blkdev_get_by_path") ae220766d87c ("block: remove the unused mode argument to ->release") d32e2bf83791 ("block: pass a gendisk to ->open") 444aa2c58cb3 ("block: pass a gendisk on bdev_check_media_change") 7ae24fcee992 ("cdrom: remove the unused mode argument to cdrom_release") 473399b50de1 ("cdrom: remove the unused mode argument to cdrom_ioctl") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1364a3c391aedfeb32aa025303ead3d7c91cdf9d Mon Sep 17 00:00:00 2001 From: Sarthak Kukreti <sarthakkukreti(a)chromium.org> Date: Wed, 11 Oct 2023 13:12:30 -0700 Subject: [PATCH] block: Don't invalidate pagecache for invalid falloc modes Only call truncate_bdev_range() if the fallocate mode is supported. This fixes a bug where data in the pagecache could be invalidated if the fallocate() was called on the block device with an invalid mode. Fixes: 25f4c41415e5 ("block: implement (some of) fallocate for block devices") Cc: stable(a)vger.kernel.org Reported-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Sarthak Kukreti <sarthakkukreti(a)chromium.org> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> Fixes: line? I've never seen those wrapped. Link: https://lore.kernel.org/r/20231011201230.750105-1-sarthakkukreti@chromium.o… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/block/fops.c b/block/fops.c index acff3d5d22d4..73e42742543f 100644 --- a/block/fops.c +++ b/block/fops.c @@ -772,24 +772,35 @@ static long blkdev_fallocate(struct file *file, int mode, loff_t start, filemap_invalidate_lock(inode->i_mapping); - /* Invalidate the page cache, including dirty pages. */ - error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); - if (error) - goto fail; - + /* + * Invalidate the page cache, including dirty pages, for valid + * de-allocate mode calls to fallocate(). + */ switch (mode) { case FALLOC_FL_ZERO_RANGE: case FALLOC_FL_ZERO_RANGE | FALLOC_FL_KEEP_SIZE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL, BLKDEV_ZERO_NOUNMAP); break; case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL, BLKDEV_ZERO_NOFALLBACK); break; case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE | FALLOC_FL_NO_HIDE_STALE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_discard(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL); break;

1 year, 6 months

2
1
0 0

[PATCH] input/vmmouse: Fix device name copies

by Zack Rusin

From: Zack Rusin <zackr(a)vmware.com> Make sure vmmouse_data::phys can hold serio::phys (which is 32 bytes) plus an extra string, extend it to 64. Fixes gcc13 warnings: drivers/input/mouse/vmmouse.c: In function ‘vmmouse_init’: drivers/input/mouse/vmmouse.c:455:53: warning: ‘/input1’ directive output may be truncated writing 7 bytes into a region of size between 1 and 32 [-Wformat-truncation=] 455 | snprintf(priv->phys, sizeof(priv->phys), "%s/input1", | ^~~~~~~ drivers/input/mouse/vmmouse.c:455:9: note: ‘snprintf’ output between 8 and 39 bytes into a destination of size 32 455 | snprintf(priv->phys, sizeof(priv->phys), "%s/input1", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 456 | psmouse->ps2dev.serio->phys); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Zack Rusin <zackr(a)vmware.com> Fixes: 8b8be51b4fd3 ("Input: add vmmouse driver") Cc: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Cc: VMware Graphics Reviewers <linux-graphics-maintainer(a)vmware.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Robert Jarzmik <robert.jarzmik(a)free.fr> Cc: Raul Rangel <rrangel(a)chromium.org> Cc: linux-input(a)vger.kernel.org Cc: <stable(a)vger.kernel.org> # v4.1+ --- drivers/input/mouse/vmmouse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/mouse/vmmouse.c b/drivers/input/mouse/vmmouse.c index ea9eff7c8099..7248cada4c8c 100644 --- a/drivers/input/mouse/vmmouse.c +++ b/drivers/input/mouse/vmmouse.c @@ -72,7 +72,7 @@ */ struct vmmouse_data { struct input_dev *abs_dev; - char phys[32]; + char phys[64]; char dev_name[128]; }; -- 2.39.2

1 year, 6 months

6
11
0 0

FAILED: patch "[PATCH] block: Don't invalidate pagecache for invalid falloc modes" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1364a3c391aedfeb32aa025303ead3d7c91cdf9d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023101512-hurt-guise-534b@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 1364a3c391ae ("block: Don't invalidate pagecache for invalid falloc modes") 05bdb9965305 ("block: replace fmode_t with a block-specific type for block open flags") 5e4ea834676e ("block: remove unused fmode_t arguments from ioctl handlers") cfb425761c79 ("block: move a few internal definitions out of blkdev.h") 99b07780814e ("rnbd-srv: replace sess->open_flags with a "bool readonly"") 658afed19cee ("mtd: block: use a simple bool to track open for write") 7d9d7d59d44b ("nvme: replace the fmode_t argument to the nvme ioctl handlers with a simple bool") 2e80089c1824 ("scsi: replace the fmode_t argument to scsi_ioctl with a simple bool") 5f4eb9d5413f ("scsi: replace the fmode_t argument to scsi_cmd_allowed with a simple bool") 81b1fb7d17c0 ("fs: remove sb->s_mode") 3f0b3e785e8b ("block: add a sb_open_mode helper") 2736e8eeb0cc ("block: use the holder as indication for exclusive opens") 2ef789288afd ("btrfs: don't pass a holder for non-exclusive blkdev_get_by_path") 29499ab060fe ("bcache: don't pass a stack address to blkdev_get_by_path") c889d0793d9d ("swsusp: don't pass a stack address to blkdev_get_by_path") ae220766d87c ("block: remove the unused mode argument to ->release") d32e2bf83791 ("block: pass a gendisk to ->open") 444aa2c58cb3 ("block: pass a gendisk on bdev_check_media_change") 7ae24fcee992 ("cdrom: remove the unused mode argument to cdrom_release") 473399b50de1 ("cdrom: remove the unused mode argument to cdrom_ioctl") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1364a3c391aedfeb32aa025303ead3d7c91cdf9d Mon Sep 17 00:00:00 2001 From: Sarthak Kukreti <sarthakkukreti(a)chromium.org> Date: Wed, 11 Oct 2023 13:12:30 -0700 Subject: [PATCH] block: Don't invalidate pagecache for invalid falloc modes Only call truncate_bdev_range() if the fallocate mode is supported. This fixes a bug where data in the pagecache could be invalidated if the fallocate() was called on the block device with an invalid mode. Fixes: 25f4c41415e5 ("block: implement (some of) fallocate for block devices") Cc: stable(a)vger.kernel.org Reported-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Sarthak Kukreti <sarthakkukreti(a)chromium.org> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> Fixes: line? I've never seen those wrapped. Link: https://lore.kernel.org/r/20231011201230.750105-1-sarthakkukreti@chromium.o… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/block/fops.c b/block/fops.c index acff3d5d22d4..73e42742543f 100644 --- a/block/fops.c +++ b/block/fops.c @@ -772,24 +772,35 @@ static long blkdev_fallocate(struct file *file, int mode, loff_t start, filemap_invalidate_lock(inode->i_mapping); - /* Invalidate the page cache, including dirty pages. */ - error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); - if (error) - goto fail; - + /* + * Invalidate the page cache, including dirty pages, for valid + * de-allocate mode calls to fallocate(). + */ switch (mode) { case FALLOC_FL_ZERO_RANGE: case FALLOC_FL_ZERO_RANGE | FALLOC_FL_KEEP_SIZE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL, BLKDEV_ZERO_NOUNMAP); break; case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL, BLKDEV_ZERO_NOFALLBACK); break; case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE | FALLOC_FL_NO_HIDE_STALE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_discard(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL); break;

1 year, 6 months

2
1
0 0

FAILED: patch "[PATCH] block: Don't invalidate pagecache for invalid falloc modes" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1364a3c391aedfeb32aa025303ead3d7c91cdf9d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023101513-depraved-ecosphere-6b50@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: 1364a3c391ae ("block: Don't invalidate pagecache for invalid falloc modes") 05bdb9965305 ("block: replace fmode_t with a block-specific type for block open flags") 5e4ea834676e ("block: remove unused fmode_t arguments from ioctl handlers") cfb425761c79 ("block: move a few internal definitions out of blkdev.h") 99b07780814e ("rnbd-srv: replace sess->open_flags with a "bool readonly"") 658afed19cee ("mtd: block: use a simple bool to track open for write") 7d9d7d59d44b ("nvme: replace the fmode_t argument to the nvme ioctl handlers with a simple bool") 2e80089c1824 ("scsi: replace the fmode_t argument to scsi_ioctl with a simple bool") 5f4eb9d5413f ("scsi: replace the fmode_t argument to scsi_cmd_allowed with a simple bool") 81b1fb7d17c0 ("fs: remove sb->s_mode") 3f0b3e785e8b ("block: add a sb_open_mode helper") 2736e8eeb0cc ("block: use the holder as indication for exclusive opens") 2ef789288afd ("btrfs: don't pass a holder for non-exclusive blkdev_get_by_path") 29499ab060fe ("bcache: don't pass a stack address to blkdev_get_by_path") c889d0793d9d ("swsusp: don't pass a stack address to blkdev_get_by_path") ae220766d87c ("block: remove the unused mode argument to ->release") d32e2bf83791 ("block: pass a gendisk to ->open") 444aa2c58cb3 ("block: pass a gendisk on bdev_check_media_change") 7ae24fcee992 ("cdrom: remove the unused mode argument to cdrom_release") 473399b50de1 ("cdrom: remove the unused mode argument to cdrom_ioctl") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1364a3c391aedfeb32aa025303ead3d7c91cdf9d Mon Sep 17 00:00:00 2001 From: Sarthak Kukreti <sarthakkukreti(a)chromium.org> Date: Wed, 11 Oct 2023 13:12:30 -0700 Subject: [PATCH] block: Don't invalidate pagecache for invalid falloc modes Only call truncate_bdev_range() if the fallocate mode is supported. This fixes a bug where data in the pagecache could be invalidated if the fallocate() was called on the block device with an invalid mode. Fixes: 25f4c41415e5 ("block: implement (some of) fallocate for block devices") Cc: stable(a)vger.kernel.org Reported-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Sarthak Kukreti <sarthakkukreti(a)chromium.org> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> Fixes: line? I've never seen those wrapped. Link: https://lore.kernel.org/r/20231011201230.750105-1-sarthakkukreti@chromium.o… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/block/fops.c b/block/fops.c index acff3d5d22d4..73e42742543f 100644 --- a/block/fops.c +++ b/block/fops.c @@ -772,24 +772,35 @@ static long blkdev_fallocate(struct file *file, int mode, loff_t start, filemap_invalidate_lock(inode->i_mapping); - /* Invalidate the page cache, including dirty pages. */ - error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); - if (error) - goto fail; - + /* + * Invalidate the page cache, including dirty pages, for valid + * de-allocate mode calls to fallocate(). + */ switch (mode) { case FALLOC_FL_ZERO_RANGE: case FALLOC_FL_ZERO_RANGE | FALLOC_FL_KEEP_SIZE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL, BLKDEV_ZERO_NOUNMAP); break; case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL, BLKDEV_ZERO_NOFALLBACK); break; case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE | FALLOC_FL_NO_HIDE_STALE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_discard(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL); break;

1 year, 6 months

2
1
0 0

FAILED: patch "[PATCH] block: Don't invalidate pagecache for invalid falloc modes" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1364a3c391aedfeb32aa025303ead3d7c91cdf9d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023101515-buffing-copy-1686@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: 1364a3c391ae ("block: Don't invalidate pagecache for invalid falloc modes") 05bdb9965305 ("block: replace fmode_t with a block-specific type for block open flags") 5e4ea834676e ("block: remove unused fmode_t arguments from ioctl handlers") cfb425761c79 ("block: move a few internal definitions out of blkdev.h") 99b07780814e ("rnbd-srv: replace sess->open_flags with a "bool readonly"") 658afed19cee ("mtd: block: use a simple bool to track open for write") 7d9d7d59d44b ("nvme: replace the fmode_t argument to the nvme ioctl handlers with a simple bool") 2e80089c1824 ("scsi: replace the fmode_t argument to scsi_ioctl with a simple bool") 5f4eb9d5413f ("scsi: replace the fmode_t argument to scsi_cmd_allowed with a simple bool") 81b1fb7d17c0 ("fs: remove sb->s_mode") 3f0b3e785e8b ("block: add a sb_open_mode helper") 2736e8eeb0cc ("block: use the holder as indication for exclusive opens") 2ef789288afd ("btrfs: don't pass a holder for non-exclusive blkdev_get_by_path") 29499ab060fe ("bcache: don't pass a stack address to blkdev_get_by_path") c889d0793d9d ("swsusp: don't pass a stack address to blkdev_get_by_path") ae220766d87c ("block: remove the unused mode argument to ->release") d32e2bf83791 ("block: pass a gendisk to ->open") 444aa2c58cb3 ("block: pass a gendisk on bdev_check_media_change") 7ae24fcee992 ("cdrom: remove the unused mode argument to cdrom_release") 473399b50de1 ("cdrom: remove the unused mode argument to cdrom_ioctl") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1364a3c391aedfeb32aa025303ead3d7c91cdf9d Mon Sep 17 00:00:00 2001 From: Sarthak Kukreti <sarthakkukreti(a)chromium.org> Date: Wed, 11 Oct 2023 13:12:30 -0700 Subject: [PATCH] block: Don't invalidate pagecache for invalid falloc modes Only call truncate_bdev_range() if the fallocate mode is supported. This fixes a bug where data in the pagecache could be invalidated if the fallocate() was called on the block device with an invalid mode. Fixes: 25f4c41415e5 ("block: implement (some of) fallocate for block devices") Cc: stable(a)vger.kernel.org Reported-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Sarthak Kukreti <sarthakkukreti(a)chromium.org> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> Fixes: line? I've never seen those wrapped. Link: https://lore.kernel.org/r/20231011201230.750105-1-sarthakkukreti@chromium.o… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/block/fops.c b/block/fops.c index acff3d5d22d4..73e42742543f 100644 --- a/block/fops.c +++ b/block/fops.c @@ -772,24 +772,35 @@ static long blkdev_fallocate(struct file *file, int mode, loff_t start, filemap_invalidate_lock(inode->i_mapping); - /* Invalidate the page cache, including dirty pages. */ - error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); - if (error) - goto fail; - + /* + * Invalidate the page cache, including dirty pages, for valid + * de-allocate mode calls to fallocate(). + */ switch (mode) { case FALLOC_FL_ZERO_RANGE: case FALLOC_FL_ZERO_RANGE | FALLOC_FL_KEEP_SIZE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL, BLKDEV_ZERO_NOUNMAP); break; case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL, BLKDEV_ZERO_NOFALLBACK); break; case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE | FALLOC_FL_NO_HIDE_STALE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_discard(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL); break;

1 year, 6 months

2
1
0 0

FAILED: patch "[PATCH] block: Don't invalidate pagecache for invalid falloc modes" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 1364a3c391aedfeb32aa025303ead3d7c91cdf9d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023101516-genetics-gratify-225c@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: 1364a3c391ae ("block: Don't invalidate pagecache for invalid falloc modes") 05bdb9965305 ("block: replace fmode_t with a block-specific type for block open flags") 5e4ea834676e ("block: remove unused fmode_t arguments from ioctl handlers") cfb425761c79 ("block: move a few internal definitions out of blkdev.h") 99b07780814e ("rnbd-srv: replace sess->open_flags with a "bool readonly"") 658afed19cee ("mtd: block: use a simple bool to track open for write") 7d9d7d59d44b ("nvme: replace the fmode_t argument to the nvme ioctl handlers with a simple bool") 2e80089c1824 ("scsi: replace the fmode_t argument to scsi_ioctl with a simple bool") 5f4eb9d5413f ("scsi: replace the fmode_t argument to scsi_cmd_allowed with a simple bool") 81b1fb7d17c0 ("fs: remove sb->s_mode") 3f0b3e785e8b ("block: add a sb_open_mode helper") 2736e8eeb0cc ("block: use the holder as indication for exclusive opens") 2ef789288afd ("btrfs: don't pass a holder for non-exclusive blkdev_get_by_path") 29499ab060fe ("bcache: don't pass a stack address to blkdev_get_by_path") c889d0793d9d ("swsusp: don't pass a stack address to blkdev_get_by_path") ae220766d87c ("block: remove the unused mode argument to ->release") d32e2bf83791 ("block: pass a gendisk to ->open") 444aa2c58cb3 ("block: pass a gendisk on bdev_check_media_change") 7ae24fcee992 ("cdrom: remove the unused mode argument to cdrom_release") 473399b50de1 ("cdrom: remove the unused mode argument to cdrom_ioctl") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1364a3c391aedfeb32aa025303ead3d7c91cdf9d Mon Sep 17 00:00:00 2001 From: Sarthak Kukreti <sarthakkukreti(a)chromium.org> Date: Wed, 11 Oct 2023 13:12:30 -0700 Subject: [PATCH] block: Don't invalidate pagecache for invalid falloc modes Only call truncate_bdev_range() if the fallocate mode is supported. This fixes a bug where data in the pagecache could be invalidated if the fallocate() was called on the block device with an invalid mode. Fixes: 25f4c41415e5 ("block: implement (some of) fallocate for block devices") Cc: stable(a)vger.kernel.org Reported-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Sarthak Kukreti <sarthakkukreti(a)chromium.org> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> Fixes: line? I've never seen those wrapped. Link: https://lore.kernel.org/r/20231011201230.750105-1-sarthakkukreti@chromium.o… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/block/fops.c b/block/fops.c index acff3d5d22d4..73e42742543f 100644 --- a/block/fops.c +++ b/block/fops.c @@ -772,24 +772,35 @@ static long blkdev_fallocate(struct file *file, int mode, loff_t start, filemap_invalidate_lock(inode->i_mapping); - /* Invalidate the page cache, including dirty pages. */ - error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); - if (error) - goto fail; - + /* + * Invalidate the page cache, including dirty pages, for valid + * de-allocate mode calls to fallocate(). + */ switch (mode) { case FALLOC_FL_ZERO_RANGE: case FALLOC_FL_ZERO_RANGE | FALLOC_FL_KEEP_SIZE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL, BLKDEV_ZERO_NOUNMAP); break; case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL, BLKDEV_ZERO_NOFALLBACK); break; case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE | FALLOC_FL_NO_HIDE_STALE: + error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); + if (error) + goto fail; + error = blkdev_issue_discard(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL); break;

1 year, 6 months

2
1
0 0

[PATCH] KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache

by Oliver Upton

There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes. Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt. Cc: stable(a)vger.kernel.org Signed-off-by: Oliver Upton <oliver.upton(a)linux.dev> --- arch/arm64/kvm/vgic/vgic-its.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c index 2dad2d095160..e2764d0ffa9f 100644 --- a/arch/arm64/kvm/vgic/vgic-its.c +++ b/arch/arm64/kvm/vgic/vgic-its.c @@ -590,7 +590,11 @@ static struct vgic_irq *vgic_its_check_cache(struct kvm *kvm, phys_addr_t db, unsigned long flags; raw_spin_lock_irqsave(&dist->lpi_list_lock, flags); + irq = __vgic_its_check_cache(dist, db, devid, eventid); + if (irq) + vgic_get_irq_kref(irq); + raw_spin_unlock_irqrestore(&dist->lpi_list_lock, flags); return irq; @@ -769,6 +773,7 @@ int vgic_its_inject_cached_translation(struct kvm *kvm, struct kvm_msi *msi) raw_spin_lock_irqsave(&irq->irq_lock, flags); irq->pending_latch = true; vgic_queue_irq_unlock(kvm, irq, flags); + vgic_put_irq(kvm, irq); return 0; } base-commit: 33cc938e65a98f1d29d0a18403dbbee050dcad9a -- 2.43.0.472.g3155946c3a-goog

1 year, 6 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2024