From: Chuck Lever <chuck.lever(a)oracle.com>
Address several bugs in v6.6's libfs/shmemfs, including
CVE-2024-46701.
Link: https://lore.kernel.org/stable/976C0DD5-4337-4C7D-92C6-A38C2EC335A4@oracle.…
I'm still running the usual set of regression tests, but so far this
set looks stable. I'm interested in hearing review comments and test
results.
Branch for testing: https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git/log/?h=nfsd-6…
Chuck Lever (5):
libfs: Define a minimum directory offset
libfs: Add simple_offset_empty()
libfs: Fix simple_offset_rename_exchange()
libfs: Add simple_offset_rename() API
shmem: Fix shmem_rename2()
yangerkun (1):
libfs: fix infinite directory reads for offset dir
fs/libfs.c | 135 +++++++++++++++++++++++++++++++++++++--------
include/linux/fs.h | 3 +
mm/shmem.c | 7 +--
3 files changed, 119 insertions(+), 26 deletions(-)
--
2.47.0
The patch titled
Subject: mm: revert "mm: shmem: fix data-race in shmem_getattr()"
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
mm-revert-mm-shmem-fix-data-race-in-shmem_getattr.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Andrew Morton <akpm(a)linux-foundation.org>
Subject: mm: revert "mm: shmem: fix data-race in shmem_getattr()"
Date: Fri Nov 15 04:57:24 PM PST 2024
Revert d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") as
suggested by Chuck [1]. It is causing deadlocks when accessing tmpfs over
NFS.
Link: https://lkml.kernel.org/r/ZzdxKF39VEmXSSyN@tissot.1015granger.net [1]
Fixes: https://lkml.kernel.org/r/ZzdxKF39VEmXSSyN@tissot.1015granger.net
Cc: Chuck Lever <chuck.lever(a)oracle.com>
Cc: Hugh Dickins <hughd(a)google.com>
Cc: Jeongjun Park <aha310510(a)gmail.com>
Cc: Yu Zhao <yuzhao(a)google.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/shmem.c | 2 --
1 file changed, 2 deletions(-)
--- a/mm/shmem.c~mm-revert-mm-shmem-fix-data-race-in-shmem_getattr
+++ a/mm/shmem.c
@@ -1166,9 +1166,7 @@ static int shmem_getattr(struct mnt_idma
stat->attributes_mask |= (STATX_ATTR_APPEND |
STATX_ATTR_IMMUTABLE |
STATX_ATTR_NODUMP);
- inode_lock_shared(inode);
generic_fillattr(idmap, request_mask, inode, stat);
- inode_unlock_shared(inode);
if (shmem_huge_global_enabled(inode, 0, 0, false, NULL, 0))
stat->blksize = HPAGE_PMD_SIZE;
_
Patches currently in -mm which might be from akpm(a)linux-foundation.org are
fs-proc-vmcorec-fix-warning-when-config_mmu=n.patch
mm-revert-mm-shmem-fix-data-race-in-shmem_getattr.patch
Hold rcu_read_lock in netdev_nl_napi_get_doit, which calls napi_by_id
and is required to be called under rcu_read_lock.
Cc: stable(a)vger.kernel.org
Fixes: 27f91aaf49b3 ("netdev-genl: Add netlink framework functions for napi")
Signed-off-by: Joe Damato <jdamato(a)fastly.com>
---
v3:
- Separate the patches that were a series in v2 (and earlier) as
they target different trees.
v2:
- Simplified by removing the helper and calling rcu_read_lock /
unlock directly instead.
net/core/netdev-genl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/core/netdev-genl.c b/net/core/netdev-genl.c
index 1cb954f2d39e..d2baa1af9df0 100644
--- a/net/core/netdev-genl.c
+++ b/net/core/netdev-genl.c
@@ -215,6 +215,7 @@ int netdev_nl_napi_get_doit(struct sk_buff *skb, struct genl_info *info)
return -ENOMEM;
rtnl_lock();
+ rcu_read_lock();
napi = napi_by_id(napi_id);
if (napi) {
@@ -224,6 +225,7 @@ int netdev_nl_napi_get_doit(struct sk_buff *skb, struct genl_info *info)
err = -ENOENT;
}
+ rcu_read_unlock();
rtnl_unlock();
if (err)
base-commit: 5b366eae71937ae7412365340b431064625f9617
--
2.25.1
When commit 0cab68720598 ("cxl/pci: Fix disabling memory if DVSEC CXL
Range does not match a CFMWS window") was backported, this chunk moved
from the cxl_hdm_decode_init() function which returns negative error
codes to the __cxl_hdm_decode_init() function which returns false on
error. So the error code needs to be modified from -ENXIO to false.
This issue only exits in the 6.1.y kernels. In later kernels negative
error codes are correct and the driver didn't exist in earlier kernels.
Fixes: 031217128990 ("cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window")
Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org>
---
drivers/cxl/core/pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c
index 8d92a24fd73d..97adf9a7ea89 100644
--- a/drivers/cxl/core/pci.c
+++ b/drivers/cxl/core/pci.c
@@ -377,7 +377,7 @@ static bool __cxl_hdm_decode_init(struct cxl_dev_state *cxlds,
if (!allowed && info->mem_enabled) {
dev_err(dev, "Range register decodes outside platform defined CXL ranges.\n");
- return -ENXIO;
+ return false;
}
/*
--
2.45.2