September 2024 - Linux-stable-mirror

[PATCH v2 1/2] drm/xe/vm: move xa_alloc to prevent UAF

by Matthew Auld

Evil user can guess the next id of the vm before the ioctl completes and then call vm destroy ioctl to trigger UAF since create ioctl is still referencing the same vm. Move the xa_alloc all the way to the end to prevent this. v2: - Rebase Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_vm.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c index 31fe31db3fdc..ce9dca4d4e87 100644 --- a/drivers/gpu/drm/xe/xe_vm.c +++ b/drivers/gpu/drm/xe/xe_vm.c @@ -1765,10 +1765,6 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data, if (IS_ERR(vm)) return PTR_ERR(vm); - err = xa_alloc(&xef->vm.xa, &id, vm, xa_limit_32b, GFP_KERNEL); - if (err) - goto err_close_and_put; - if (xe->info.has_asid) { down_write(&xe->usm.lock); err = xa_alloc_cyclic(&xe->usm.asid_to_vm, &asid, vm, @@ -1776,12 +1772,11 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data, &xe->usm.next_asid, GFP_KERNEL); up_write(&xe->usm.lock); if (err < 0) - goto err_free_id; + goto err_close_and_put; vm->usm.asid = asid; } - args->vm_id = id; vm->xef = xe_file_get(xef); /* Record BO memory for VM pagetable created against client */ @@ -1794,10 +1789,15 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data, args->reserved[0] = xe_bo_main_addr(vm->pt_root[0]->bo, XE_PAGE_SIZE); #endif + /* user id alloc must always be last in ioctl to prevent UAF */ + err = xa_alloc(&xef->vm.xa, &id, vm, xa_limit_32b, GFP_KERNEL); + if (err) + goto err_close_and_put; + + args->vm_id = id; + return 0; -err_free_id: - xa_erase(&xef->vm.xa, id); err_close_and_put: xe_vm_close_and_put(vm); -- 2.46.1

3 months

3
2
0 0

[PATCH V2] rpmsg: glink: Add abort_tx check in intent wait

by Deepak Kumar Singh

From: Sarannya S <quic_sarannya(a)quicinc.com> On remote susbsystem restart rproc will stop glink subdev which will trigger qcom_glink_native_remove, any ongoing intent wait should be aborted from there otherwise this wait delays glink send which potentially delays glink channel removal as well. This further introduces delay in ssr notification to other remote subsystems from rproc. Currently qcom_glink_native_remove is not setting channel->intent_received, so any ongoing intent wait is not aborted on remote susbsystem restart. abort_tx flag can be used as a condition to abort in such cases. Adding abort_tx flag check in intent wait, to abort intent wait from qcom_glink_native_remove. Fixes: c05dfce0b89e ("rpmsg: glink: Wait for intent, not just request ack") Cc: stable(a)vger.kernel.org Signed-off-by: Sarannya S <quic_sarannya(a)quicinc.com> Signed-off-by: Deepak Kumar Singh <quic_deesin(a)quicinc.com> --- drivers/rpmsg/qcom_glink_native.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c index 82d460ff4777..ff828531c36f 100644 --- a/drivers/rpmsg/qcom_glink_native.c +++ b/drivers/rpmsg/qcom_glink_native.c @@ -438,7 +438,6 @@ static void qcom_glink_handle_intent_req_ack(struct qcom_glink *glink, static void qcom_glink_intent_req_abort(struct glink_channel *channel) { - WRITE_ONCE(channel->intent_req_result, 0); wake_up_all(&channel->intent_req_wq); } @@ -1354,8 +1353,9 @@ static int qcom_glink_request_intent(struct qcom_glink *glink, goto unlock; ret = wait_event_timeout(channel->intent_req_wq, - READ_ONCE(channel->intent_req_result) >= 0 && - READ_ONCE(channel->intent_received), + (READ_ONCE(channel->intent_req_result) >= 0 && + READ_ONCE(channel->intent_received)) || + glink->abort_tx, 10 * HZ); if (!ret) { dev_err(glink->dev, "intent request timed out\n"); -- 2.34.1

3 months

2
1
0 0

nfsv41: stale file handles after VM shutdown/poweron - but works during warm reboot

by Christian Theune

Hi, we're experiencing a weird NFS (client?) issue when we cold restart a Linux virtual machine running an NFS server. The client will reconnect when the server comes back but we end up with stale file handles and have to unmount/remount. Initially I thought we did something stupid running the `soft` option and wanted to convert to `hard,timeo=6,retrans=10` but noticed that our original problems that caused me to investigate did not go away when changing the mount options. The issue seems to be (surprisingly!) caused when restarting the NFS server VM using a "cold boot" approach: calling shutdown and then having the VM started with a fresh Qemu process. When restarting the NFS server VM using a warm reboot we do not see stale file handles. This appears not to be a race condition or timeouts happening as its reliably reproducable in either direction - I've tried dozens of times and it always works with a reboot and always ends up with stale file handles when shutting down/starting a fresh VM. I've played around with shutting off the NFS server service and introducing delays before cold and warm restarts but the symptoms remain the same. I've tried reading through man pages, kernel documentation, and kernel code but haven't found anything that points to me doing something wrong. The nfsd and client settings are all at their defaults in /proc (at least I didn't find any config management modifying them and peeking at a few of them they ran at their defaults). The issue can be observed on 5.15.164 as well as 6.11. We've been running identical setups for many years and haven't observed this issue until a few months ago. We’ve been running with 5.15 for a while now and I think this might have been introduced somewhere along the way. I've added the client side kernel traces here. Network traffic was not enlightening. I tried chopping the traces into parts that reflect what happens on the server. Setup ===== Server and client are both Qemu/KVM VMs running NixOS with a (for practical purposes) vanilla kernel (two one line patches that change the `bridge-stp` and `request-key` helper paths). Mount: <server>:/srv/nfs/shared on /mnt/nfs/shared type nfs4 (rw,relatime,vers=4.2,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp6,timeo=100,retrans=30,sec=sys,clientaddr=<v6network>::1137,local_lock=none,addr=<v6network>::1136) Export: /srv/nfs/shared <server>(rw,sync,root_squash,no_subtree_check) <client>(rw,sync,root_squash,no_subtree_check) Case 1 (cold reboot - ends up broken) ===================================== We're stopping the server, waiting for a bit and then poweroff. Basically: server> systemctl stop nfs-server; sleep 30; poweroff The poweroff causes the VM to be automatically restarted after a few seconds with a fresh Qemu process - but with all identical settings from the previous instance. The client sees the following rpc and nfs trace: server> systemctl stop nfs-server client kernel log> [ 4965.503048] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 4965.503975] RPC: state 8 conn 1 dead 0 zapped 1 sk_shutdown 1 [ 4965.505105] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 4965.505930] RPC: state 9 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 4965.506712] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 4965.507469] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 4965.508261] RPC: xs_close xprt 000000004f6bb8b0 [ 4965.509108] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 4965.509916] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 server> sleep 30 client kernel log> [ 4998.558930] nfs4_renew_state: start [ 4998.559497] <-- nfs41_proc_async_sequence status=0 [ 4998.560074] nfs4_renew_state: done [ 4998.560473] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 4998.561379] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 4998.562442] encode_sequence: sessionid=1727262693:2026340752:2:0 seqid=47 slotid=0 max_slotid=0 cache_this=0 [ 4998.563650] RPC: xs_connect scheduled xprt 000000004f6bb8b0 [ 4998.564385] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:788: ok (0) [ 4998.565372] RPC: worker connecting xprt 000000004f6bb8b0 via tcp to <v6network>::1136 (port 2049) [ 4998.566606] RPC: 000000004f6bb8b0 connect status 115 connected 0 sock state 2 [ 4998.567594] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 4998.567596] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 4998.567600] RPC: xs_error_report client 000000004f6bb8b0, error=111... [ 4998.569979] RPC: xs_close xprt 000000004f6bb8b0 [ 4998.570565] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 4998.571276] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5001.630875] RPC: xs_connect scheduled xprt 000000004f6bb8b0 [ 5001.631969] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:745: ok (0) [ 5001.632890] RPC: worker connecting xprt 000000004f6bb8b0 via tcp to <v6network>::1136 (port 2049) [ 5001.634262] RPC: 000000004f6bb8b0 connect status 115 connected 0 sock state 2 [ 5001.635306] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5001.635308] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5001.635312] RPC: xs_error_report client 000000004f6bb8b0, error=111... [ 5001.637871] RPC: xs_close xprt 000000004f6bb8b0 [ 5001.638465] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5001.639237] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5004.702871] RPC: xs_connect scheduled xprt 000000004f6bb8b0 [ 5004.703851] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:1012: ok (0) [ 5004.704995] RPC: worker connecting xprt 000000004f6bb8b0 via tcp to <v6network>::1136 (port 2049) [ 5004.706752] RPC: 000000004f6bb8b0 connect status 115 connected 0 sock state 2 [ 5004.708103] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5004.708106] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5004.708110] RPC: xs_error_report client 000000004f6bb8b0, error=111... [ 5004.711656] RPC: xs_close xprt 000000004f6bb8b0 [ 5004.712489] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5004.713521] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5007.774811] RPC: xs_connect scheduled xprt 000000004f6bb8b0 [ 5007.775819] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:811: ok (0) [ 5007.776749] RPC: worker connecting xprt 000000004f6bb8b0 via tcp to <v6network>::1136 (port 2049) [ 5007.778362] RPC: 000000004f6bb8b0 connect status 115 connected 0 sock state 2 [ 5007.779413] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5007.779416] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5007.779420] RPC: xs_error_report client 000000004f6bb8b0, error=111... [ 5007.782197] RPC: xs_close xprt 000000004f6bb8b0 [ 5007.782884] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5007.783757] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5010.846776] RPC: xs_connect scheduled xprt 000000004f6bb8b0 [ 5010.847884] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:920: ok (0) [ 5010.848923] RPC: worker connecting xprt 000000004f6bb8b0 via tcp to <v6network>::1136 (port 2049) [ 5010.850346] RPC: 000000004f6bb8b0 connect status 115 connected 0 sock state 2 [ 5010.851478] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5010.851480] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5010.851484] RPC: xs_error_report client 000000004f6bb8b0, error=111... [ 5010.854398] RPC: xs_close xprt 000000004f6bb8b0 [ 5010.855067] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5010.855829] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5013.918740] RPC: xs_connect scheduled xprt 000000004f6bb8b0 [ 5013.919802] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:691: ok (0) [ 5013.920747] RPC: worker connecting xprt 000000004f6bb8b0 via tcp to <v6network>::1136 (port 2049) [ 5013.922364] RPC: 000000004f6bb8b0 connect status 115 connected 0 sock state 2 server> poweroff (server powers off and gets restarted) client kernel log> [ 5082.014329] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5082.015431] RPC: state 1 conn 0 dead 0 zapped 1 sk_shutdown 0 [ 5082.016693] RPC: xs_tcp_send_request(116) = 0 [ 5082.032137] nfs41_sequence_process ERROR: -10052 Reset session [ 5082.033051] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5082.033883] nfs41_sequence_process: Error -10052 free the slot [ 5082.034713] nfs41_sequence_call_done ERROR -10052 [ 5082.035406] nfs4_schedule_lease_recovery: scheduling lease recovery for server <server> [ 5082.036710] nfs41_sequence_call_done rpc_cred 000000001946c07d [ 5082.037565] RPC: xs_tcp_send_request(100) = 0 [ 5082.038660] NFS: Got error -10052 from the server on DESTROY_SESSION. Session has been destroyed regardless... [ 5082.040040] --> nfs4_proc_create_session clp=00000000872dbfe2 session=00000000b29d3016 [ 5082.041071] nfs4_init_channel_attrs: Fore Channel : max_rqst_sz=1049620 max_resp_sz=1049480 max_ops=8 max_reqs=64 [ 5082.042467] nfs4_init_channel_attrs: Back Channel : max_rqst_sz=4096 max_resp_sz=4096 max_resp_sz_cached=0 max_ops=2 max_reqs=16 [ 5082.044069] nfs4_schedule_state_renewal: requeueing work. Lease period = 5 [ 5082.045066] RPC: xs_tcp_send_request(196) = 0 [ 5082.046099] nfs4_reset_session: session reset failed with status -10022 for server <server>! [ 5082.047361] nfs4_handle_reclaim_lease_error: handled error -10022 for server <server> [ 5082.048601] RPC: xs_tcp_send_request(244) = 0 [ 5082.049712] --> nfs4_proc_create_session clp=00000000872dbfe2 session=00000000b29d3016 [ 5082.050852] nfs4_init_channel_attrs: Fore Channel : max_rqst_sz=1049620 max_resp_sz=1049480 max_ops=8 max_reqs=64 [ 5082.052201] nfs4_init_channel_attrs: Back Channel : max_rqst_sz=4096 max_resp_sz=4096 max_resp_sz_cached=0 max_ops=2 max_reqs=16 [ 5082.053763] RPC: xs_tcp_send_request(196) = 0 [ 5082.055159] --> nfs4_setup_session_slot_tables [ 5082.055770] --> nfs4_realloc_slot_table: max_reqs=30, tbl->max_slots 30 [ 5082.056681] nfs4_realloc_slot_table: tbl=00000000cf1ff1fa slots=0000000002cd9cdc max_slots=30 [ 5082.057752] <-- nfs4_realloc_slot_table: return 0 [ 5082.058328] --> nfs4_realloc_slot_table: max_reqs=16, tbl->max_slots 16 [ 5082.059207] nfs4_realloc_slot_table: tbl=000000005982b642 slots=0000000017686be5 max_slots=16 [ 5082.060307] <-- nfs4_realloc_slot_table: return 0 [ 5082.060912] slot table setup returned 0 [ 5082.061403] nfs4_proc_create_session client>seqid 2 sessionid 1727263096:1126483273:1:0 [ 5082.062737] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5082.063857] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5082.064781] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=1 slotid=0 max_slotid=0 cache_this=0 [ 5082.066063] RPC: xs_tcp_send_request(132) = 0 [ 5082.068110] decode_attr_lease_time: lease time=90 [ 5082.068780] decode_attr_maxfilesize: maxfilesize=0 [ 5082.069411] decode_attr_maxread: maxread=1024 [ 5082.070006] decode_attr_maxwrite: maxwrite=1024 [ 5082.070612] decode_attr_time_delta: time_delta=0 0 [ 5082.071227] decode_attr_pnfstype: bitmap is 0 [ 5082.071810] decode_attr_layout_blksize: bitmap is 0 [ 5082.072452] decode_attr_clone_blksize: bitmap is 0 [ 5082.073090] decode_attr_change_attr_type: bitmap is 0 [ 5082.073735] decode_attr_xattrsupport: XATTR support=false [ 5082.074414] decode_fsinfo: xdr returned 0! [ 5082.075357] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5082.076299] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5082.077212] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5082.077909] nfs41_sequence_process: Error 0 free the slot [ 5082.078569] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5082.079571] nfs4_schedule_state_renewal: requeueing work. Lease period = 60 [ 5082.080520] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5082.081506] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5082.082376] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=2 slotid=0 max_slotid=0 cache_this=0 [ 5082.083612] RPC: xs_tcp_send_request(124) = 0 [ 5082.113634] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5082.114614] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5082.115482] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5082.116142] nfs41_sequence_process: Error 0 free the slot [ 5082.116772] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5082.117766] <-- nfs41_proc_reclaim_complete status=0 [ 5082.118379] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=16 [ 5082.119308] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5082.120110] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5082.120805] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5082.121690] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5082.122438] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 The client now shows the following error when trying to access files on the NFS mountpoint (shared is a directory in /mnt/nfs that is the mountpoint): client> ls /mnt/nfs/ ls: cannot access '/mnt/nfs/shared': Stale file handle shared While doing that, the client kernel log continues: [ 5121.788081] NFS: nfs_weak_revalidate: inode 33681408 is valid [ 5121.788941] NFS: revalidating (0:50/33681408) [ 5121.789816] --> nfs41_call_sync_prepare data->seq_server 00000000862cf9f3 [ 5121.790950] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5121.791958] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5121.792904] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=3 slotid=0 max_slotid=0 cache_this=0 [ 5121.794289] RPC: xs_tcp_send_request(172) = 0 [ 5121.799020] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5121.800014] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5121.800876] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5121.801562] nfs41_sequence_process: Error 0 free the slot [ 5121.802232] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5121.803240] nfs_revalidate_inode: (0:50/33681408) getattr failed, error=-116 [ 5121.804471] NFS: revalidating (0:50/33681408) [ 5121.805080] --> nfs41_call_sync_prepare data->seq_server 00000000862cf9f3 [ 5121.805968] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5121.806955] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5121.807885] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=4 slotid=0 max_slotid=0 cache_this=0 [ 5121.809522] RPC: xs_tcp_send_request(172) = 0 [ 5121.810845] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5121.811864] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5121.812791] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5121.813501] nfs41_sequence_process: Error 0 free the slot [ 5121.814207] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5121.815242] nfs_revalidate_inode: (0:50/33681408) getattr failed, error=-116 [ 5121.816279] NFS: nfs_weak_revalidate: inode 33681408 is invalid [ 5121.817311] NFS: revalidating (0:50/33681408) [ 5121.828500] NFS: nfs_weak_revalidate: inode 33681408 is invalid [ 5146.013099] nfs4_renew_state: start [ 5146.013647] nfs4_renew_state: failed to call renewd. Reason: lease not expired [ 5146.014510] nfs4_schedule_state_renewal: requeueing work. Lease period = 36 [ 5146.015356] nfs4_renew_state: done [ 5155.718411] NFS: nfs_weak_revalidate: inode 33681408 is valid [ 5155.719976] NFS: revalidating (0:50/33681408) [ 5155.720628] --> nfs41_call_sync_prepare data->seq_server 00000000862cf9f3 [ 5155.721545] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5155.722519] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5155.726973] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=6 slotid=0 max_slotid=0 cache_this=0 [ 5155.728990] RPC: xs_tcp_send_request(172) = 0 [ 5155.731070] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5155.732292] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5155.733384] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5155.734088] nfs41_sequence_process: Error 0 free the slot [ 5155.734867] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5155.741211] nfs_revalidate_inode: (0:50/33681408) getattr failed, error=-116 [ 5155.742647] NFS: revalidating (0:50/33681408) [ 5155.748003] --> nfs41_call_sync_prepare data->seq_server 00000000862cf9f3 [ 5155.748977] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5155.750066] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5155.754045] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=7 slotid=0 max_slotid=0 cache_this=0 [ 5155.757104] RPC: xs_tcp_send_request(172) = 0 [ 5155.759310] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5155.760383] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5155.761233] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5155.761870] nfs41_sequence_process: Error 0 free the slot [ 5155.762585] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5155.768250] nfs_revalidate_inode: (0:50/33681408) getattr failed, error=-116 [ 5155.769224] NFS: nfs_weak_revalidate: inode 33681408 is invalid [ 5155.771968] NFS: revalidating (0:50/33681408) [ 5155.772574] --> nfs41_call_sync_prepare data->seq_server 00000000862cf9f3 [ 5155.773522] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5155.774379] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5155.779036] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=8 slotid=0 max_slotid=0 cache_this=0 [ 5155.780960] RPC: xs_tcp_send_request(172) = 0 [ 5155.781797] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5155.782721] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5155.783734] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5155.784485] nfs41_sequence_process: Error 0 free the slot [ 5155.785084] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5155.789037] nfs_revalidate_inode: (0:50/33681408) getattr failed, error=-116 [ 5155.789873] NFS: nfs_weak_revalidate: inode 33681408 is invalid Unmounting and remounting the mountpoint puts the client into a working state again. Case 2 (ends up in a working state) =================================== Here, we also shutdown the NFS server, wait for a bit, but then perform a "warm" reboot. server> systemctl stop nfs-server ; sleep 30 seconds; reboot system The individual steps as seen from the client: server> systemctl stop nfs-server client kernel log> [ 5511.593152] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5511.593997] RPC: state 8 conn 1 dead 0 zapped 1 sk_shutdown 1 [ 5511.594763] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5511.595581] RPC: state 9 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5511.596371] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5511.597131] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5511.597957] RPC: xs_close xprt 0000000005eb3fd3 [ 5511.599868] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5511.600621] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 server> sleep 30; reboot [ 5526.935766] nfs4_renew_state: start [ 5526.936259] nfs4_renew_state: failed to call renewd. Reason: lease not expired [ 5526.937164] nfs4_schedule_state_renewal: requeueing work. Lease period = 36 [ 5526.938060] nfs4_renew_state: done [ 5563.799229] nfs4_renew_state: start [ 5563.799869] <-- nfs41_proc_async_sequence status=0 [ 5563.800512] nfs4_renew_state: done [ 5563.800990] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5563.802030] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5563.803244] encode_sequence: sessionid=1727263096:1126483275:2:0 seqid=43 slotid=0 max_slotid=0 cache_this=0 [ 5563.804487] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5563.805269] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:914: ok (0) [ 5563.806376] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5563.807676] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 [ 5578.071084] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5578.072089] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5578.072898] RPC: xs_error_report client 0000000005eb3fd3, error=113... [ 5578.074168] RPC: xs_close xprt 0000000005eb3fd3 [ 5578.074806] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5578.075629] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5578.076533] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5578.077353] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:791: ok (0) [ 5578.078422] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5578.079767] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 [ 5581.143007] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5581.144027] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5581.144804] RPC: xs_error_report client 0000000005eb3fd3, error=113... [ 5581.146013] RPC: xs_close xprt 0000000005eb3fd3 [ 5581.146667] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5581.147475] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5584.150918] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5584.151952] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:842: ok (0) [ 5584.153297] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5584.154840] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 [ 5587.223096] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5587.224119] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5587.224971] RPC: xs_error_report client 0000000005eb3fd3, error=113... [ 5587.226296] RPC: xs_close xprt 0000000005eb3fd3 [ 5587.227011] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5587.227878] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5590.230822] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5590.231841] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:893: ok (0) [ 5590.232897] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5590.234566] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 [ 5593.302883] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5593.303910] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5593.304850] RPC: xs_error_report client 0000000005eb3fd3, error=113... [ 5593.306104] RPC: xs_close xprt 0000000005eb3fd3 [ 5593.306799] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5593.307585] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5596.310840] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5596.311711] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:925: ok (0) [ 5596.312594] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5596.314192] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 The server is booting and the client recovers while logging this: [ 5602.390691] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5602.391719] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:980: ok (0) [ 5602.392668] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5602.394223] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 [ 5605.462614] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5605.463527] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5605.464312] RPC: xs_error_report client 0000000005eb3fd3, error=113... [ 5605.465430] RPC: xs_close xprt 0000000005eb3fd3 [ 5605.466074] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5605.466903] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5608.470590] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5608.471618] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:1015: ok (0) [ 5608.472730] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5608.474014] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 [ 5609.495200] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5609.496171] RPC: state 1 conn 0 dead 0 zapped 1 sk_shutdown 0 [ 5609.497356] RPC: xs_tcp_send_request(116) = 0 [ 5609.511115] nfs41_sequence_process ERROR: -10052 Reset session [ 5609.512033] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5609.512809] nfs41_sequence_process: Error -10052 free the slot [ 5609.513589] nfs41_sequence_call_done ERROR -10052 [ 5609.514246] nfs4_schedule_lease_recovery: scheduling lease recovery for server <server> [ 5609.515446] nfs41_sequence_call_done rpc_cred 000000001946c07d [ 5609.516272] RPC: xs_tcp_send_request(100) = 0 [ 5609.517198] NFS: Got error -10052 from the server on DESTROY_SESSION. Session has been destroyed regardless... [ 5609.518645] --> nfs4_proc_create_session clp=0000000002fc3705 session=000000009488146a [ 5609.519601] nfs4_init_channel_attrs: Fore Channel : max_rqst_sz=1049620 max_resp_sz=1049480 max_ops=8 max_reqs=64 [ 5609.520801] nfs4_init_channel_attrs: Back Channel : max_rqst_sz=4096 max_resp_sz=4096 max_resp_sz_cached=0 max_ops=2 max_reqs=16 [ 5609.523115] nfs4_schedule_state_renewal: requeueing work. Lease period = 5 [ 5609.524103] RPC: xs_tcp_send_request(196) = 0 [ 5609.525090] nfs4_reset_session: session reset failed with status -10022 for server <server>! [ 5609.526350] nfs4_handle_reclaim_lease_error: handled error -10022 for server <server> [ 5609.527548] RPC: xs_tcp_send_request(244) = 0 [ 5609.528414] --> nfs4_proc_create_session clp=0000000002fc3705 session=000000009488146a [ 5609.529500] nfs4_init_channel_attrs: Fore Channel : max_rqst_sz=1049620 max_resp_sz=1049480 max_ops=8 max_reqs=64 [ 5609.530905] nfs4_init_channel_attrs: Back Channel : max_rqst_sz=4096 max_resp_sz=4096 max_resp_sz_cached=0 max_ops=2 max_reqs=16 [ 5609.532526] RPC: xs_tcp_send_request(196) = 0 [ 5609.533669] --> nfs4_setup_session_slot_tables [ 5609.534365] --> nfs4_realloc_slot_table: max_reqs=30, tbl->max_slots 30 [ 5609.535199] nfs4_realloc_slot_table: tbl=000000009c22d728 slots=0000000025e05bce max_slots=30 [ 5609.536186] <-- nfs4_realloc_slot_table: return 0 [ 5609.536744] --> nfs4_realloc_slot_table: max_reqs=16, tbl->max_slots 16 [ 5609.537734] nfs4_realloc_slot_table: tbl=0000000002a05f6b slots=000000009aa80389 max_slots=16 [ 5609.538775] <-- nfs4_realloc_slot_table: return 0 [ 5609.539446] slot table setup returned 0 [ 5609.539994] nfs4_proc_create_session client>seqid 2 sessionid 1727263639:3068450331:1:0 [ 5609.541129] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5609.542047] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5609.543029] encode_sequence: sessionid=1727263639:3068450331:1:0 seqid=1 slotid=0 max_slotid=0 cache_this=0 [ 5609.544295] RPC: xs_tcp_send_request(132) = 0 [ 5609.545479] decode_attr_lease_time: lease time=90 [ 5609.546158] decode_attr_maxfilesize: maxfilesize=0 [ 5609.546798] decode_attr_maxread: maxread=1024 [ 5609.547357] decode_attr_maxwrite: maxwrite=1024 [ 5609.547943] decode_attr_time_delta: time_delta=0 0 [ 5609.548482] decode_attr_pnfstype: bitmap is 0 [ 5609.549005] decode_attr_layout_blksize: bitmap is 0 [ 5609.549534] decode_attr_clone_blksize: bitmap is 0 [ 5609.550125] decode_attr_change_attr_type: bitmap is 0 [ 5609.550766] decode_attr_xattrsupport: XATTR support=false [ 5609.551413] decode_fsinfo: xdr returned 0! [ 5609.552242] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5609.553039] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5609.553917] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5609.554541] nfs41_sequence_process: Error 0 free the slot [ 5609.555273] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5609.560764] nfs4_schedule_state_renewal: requeueing work. Lease period = 60 [ 5609.562070] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5609.563074] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5609.563980] encode_sequence: sessionid=1727263639:3068450331:1:0 seqid=2 slotid=0 max_slotid=0 cache_this=0 [ 5609.565352] RPC: xs_tcp_send_request(124) = 0 [ 5609.644135] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5609.645214] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5609.646049] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5609.646722] nfs41_sequence_process: Error 0 free the slot [ 5609.647369] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5609.648352] <-- nfs41_proc_reclaim_complete status=0 [ 5609.648964] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=16 [ 5609.649813] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5609.650544] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5609.651237] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5609.652134] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5609.652874] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5632.396766] NFS: permission(0:50/33681408), mask=0x81, res=-10 [ 5632.397471] NFS: revalidating (0:50/33681408) [ 5632.397973] --> nfs41_call_sync_prepare data->seq_server 000000001a362fd8 [ 5632.398705] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5632.399547] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5632.400600] encode_sequence: sessionid=1727263639:3068450331:1:0 seqid=3 slotid=0 max_slotid=0 cache_this=0 [ 5632.401933] RPC: xs_tcp_send_request(172) = 0 [ 5632.406551] decode_attr_type: type=040000 [ 5632.407276] decode_attr_change: change attribute=7 [ 5632.407922] decode_attr_size: file size=18 [ 5632.408428] decode_attr_fsid: fsid=(0x7de545f823d44d4e/0xadabff1eec0b0f80) [ 5632.409210] decode_attr_fileid: fileid=33681408 [ 5632.409752] decode_attr_fs_locations: fs_locations done, error = 0 [ 5632.410441] decode_attr_mode: file mode=0775 [ 5632.410944] decode_attr_nlink: nlink=3 [ 5632.411464] decode_attr_owner: uid=0 [ 5632.411953] decode_attr_group: gid=900 [ 5632.412473] decode_attr_rdev: rdev=(0x0:0x0) [ 5632.412982] decode_attr_space_used: space used=0 [ 5632.413558] decode_attr_time_access: atime=1727245731 [ 5632.414115] decode_attr_time_metadata: ctime=1727245730 [ 5632.414746] decode_attr_time_modify: mtime=1727245730 [ 5632.415336] decode_attr_mounted_on_fileid: fileid=33681408 [ 5632.416084] decode_getfattr_attrs: xdr returned 0 [ 5632.416712] decode_getfattr_generic: xdr returned 0 [ 5632.417833] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5632.418779] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5632.419659] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5632.420315] nfs41_sequence_process: Error 0 free the slot [ 5632.421024] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5632.422037] NFS: nfs_update_inode(0:50/33681408 fh_crc=0xd3a763c6 ct=2 info=0x427e7f) [ 5632.423110] NFS: (0:50/33681408) revalidation complete [ 5632.423890] NFS: permission(0:50/33681408), mask=0x1, res=0 [ 5632.424892] NFS: nfs_weak_revalidate: inode 33681408 is valid [ 5632.428895] NFS: permission(0:50/33681408), mask=0x81, res=0 [ 5632.429693] NFS: revalidating (0:50/33681408) [ 5632.430402] --> nfs41_call_sync_prepare data->seq_server 000000001a362fd8 [ 5632.431191] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5632.432112] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5632.433025] encode_sequence: sessionid=1727263639:3068450331:1:0 seqid=4 slotid=0 max_slotid=0 cache_this=0 [ 5632.434228] RPC: xs_tcp_send_request(172) = 0 [ 5632.435149] decode_attr_type: type=040000 [ 5632.435692] decode_attr_change: change attribute=7 [ 5632.436237] decode_attr_size: file size=18 [ 5632.436738] decode_attr_fsid: fsid=(0x7de545f823d44d4e/0xadabff1eec0b0f80) [ 5632.437518] decode_attr_fileid: fileid=33681408 [ 5632.438052] decode_attr_fs_locations: fs_locations done, error = 0 [ 5632.438796] decode_attr_mode: file mode=0775 [ 5632.439312] decode_attr_nlink: nlink=3 [ 5632.439772] decode_attr_owner: uid=0 [ 5632.440147] decode_attr_group: gid=900 [ 5632.440582] decode_attr_rdev: rdev=(0x0:0x0) [ 5632.441272] decode_attr_space_used: space used=0 [ 5632.441998] decode_attr_time_access: atime=1727245731 [ 5632.442796] decode_attr_time_metadata: ctime=1727245730 [ 5632.443613] decode_attr_time_modify: mtime=1727245730 [ 5632.444374] decode_attr_mounted_on_fileid: fileid=33681408 [ 5632.445216] decode_getfattr_attrs: xdr returned 0 [ 5632.445948] decode_getfattr_generic: xdr returned 0 [ 5632.447188] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5632.448043] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5632.448876] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5632.449551] nfs41_sequence_process: Error 0 free the slot [ 5632.450206] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5632.451060] NFS: nfs_update_inode(0:50/33681408 fh_crc=0xd3a763c6 ct=2 info=0x427e7f) [ 5632.451966] NFS: (0:50/33681408) revalidation complete [ 5632.452663] NFS: nfs_weak_revalidate: inode 33681408 is valid [ 5632.453284] NFS: permission(0:50/33681408), mask=0x24, res=0 [ 5632.454370] NFS: open dir(/) [ 5632.454787] NFS: readdir(/) starting at cookie 0 [ 5632.455619] NFS: nfs_do_filldir() filling ended @ cookie 512 [ 5632.456475] NFS: readdir(/) returns 0 [ 5632.457038] NFS: permission(0:50/33681408), mask=0x81, res=0 [ 5632.457862] NFS: revalidating (0:50/1677168) [ 5632.458536] --> nfs41_call_sync_prepare data->seq_server 000000001a362fd8 [ 5632.459514] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5632.460527] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5632.461465] encode_sequence: sessionid=1727263639:3068450331:1:0 seqid=5 slotid=0 max_slotid=0 cache_this=0 [ 5632.462847] RPC: xs_tcp_send_request(184) = 0 I’m at the point where I’m considering that this might be a bug. Hugs, Christian -- Christian Theune · ct(a)flyingcircus.io · +49 345 219401 0 Flying Circus Internet Operations GmbH · https://flyingcircus.io Leipziger Str. 70/71 · 06108 Halle (Saale) · Deutschland HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick

3 months

2
3
0 0

[PATCH] r8169: Potential divizion by zero in rtl_set_coalesce()

by George Rurikov

Variable 'scale', whose possible value set allows a zero value in a check at r8169_main.c:2014, is used as a denominator at r8169_main.c:2040 and r8169_main.c:2042. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 2815b30535a0 ("r8169: merge scale for tx and rx irq coalescing") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/net/ethernet/realtek/r8169_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index 45ac8befba29..b97e68cfcfad 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c @@ -2011,7 +2011,7 @@ static int rtl_set_coalesce(struct net_device *dev, coal_usec_max = max(ec->rx_coalesce_usecs, ec->tx_coalesce_usecs); scale = rtl_coalesce_choose_scale(tp, coal_usec_max, &cp01); - if (scale < 0) + if (scale <= 0) return scale; /* Accept max_frames=1 we returned in rtl_get_coalesce. Accept it -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

3 months

2
1
0 0

[PATCH 5.10.y 5.15.y] gpiolib: cdev: Ignore reconfiguration without direction

by Kent Gibson

[ Upstream commit b440396387418fe2feaacd41ca16080e7a8bc9ad ] linereq_set_config() behaves badly when direction is not set. The configuration validation is borrowed from linereq_create(), where, to verify the intent of the user, the direction must be set to in order to effect a change to the electrical configuration of a line. But, when applied to reconfiguration, that validation does not allow for the unset direction case, making it possible to clear flags set previously without specifying the line direction. Adding to the inconsistency, those changes are not immediately applied by linereq_set_config(), but will take effect when the line value is next get or set. For example, by requesting a configuration with no flags set, an output line with GPIO_V2_LINE_FLAG_ACTIVE_LOW and GPIO_V2_LINE_FLAG_OPEN_DRAIN set could have those flags cleared, inverting the sense of the line and changing the line drive to push-pull on the next line value set. Skip the reconfiguration of lines for which the direction is not set, and only reconfigure the lines for which direction is set. Fixes: a54756cb24ea ("gpiolib: cdev: support GPIO_V2_LINE_SET_CONFIG_IOCTL") Signed-off-by: Kent Gibson <warthog618(a)gmail.com> Link: https://lore.kernel.org/r/20240626052925.174272-3-warthog618@gmail.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> --- drivers/gpio/gpiolib-cdev.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index c2f9d95d1086..fe0926ce0068 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -1186,15 +1186,18 @@ static long linereq_set_config_unlocked(struct linereq *lr, for (i = 0; i < lr->num_lines; i++) { desc = lr->lines[i].desc; flags = gpio_v2_line_config_flags(lc, i); + /* + * Lines not explicitly reconfigured as input or output + * are left unchanged. + */ + if (!(flags & GPIO_V2_LINE_DIRECTION_FLAGS)) + continue; + polarity_change = (!!test_bit(FLAG_ACTIVE_LOW, &desc->flags) != ((flags & GPIO_V2_LINE_FLAG_ACTIVE_LOW) != 0)); gpio_v2_line_config_flags_to_desc_flags(flags, &desc->flags); - /* - * Lines have to be requested explicitly for input - * or output, else the line will be treated "as is". - */ if (flags & GPIO_V2_LINE_FLAG_OUTPUT) { int val = gpio_v2_line_config_output_value(lc, i); @@ -1202,7 +1205,7 @@ static long linereq_set_config_unlocked(struct linereq *lr, ret = gpiod_direction_output(desc, val); if (ret) return ret; - } else if (flags & GPIO_V2_LINE_FLAG_INPUT) { + } else { ret = gpiod_direction_input(desc); if (ret) return ret; -- 2.39.5

3 months

1
0
0 0

[PATCH 6.1.y 6.6.y] gpiolib: cdev: Ignore reconfiguration without direction

by Kent Gibson

[ Upstream commit b440396387418fe2feaacd41ca16080e7a8bc9ad ] linereq_set_config() behaves badly when direction is not set. The configuration validation is borrowed from linereq_create(), where, to verify the intent of the user, the direction must be set to in order to effect a change to the electrical configuration of a line. But, when applied to reconfiguration, that validation does not allow for the unset direction case, making it possible to clear flags set previously without specifying the line direction. Adding to the inconsistency, those changes are not immediately applied by linereq_set_config(), but will take effect when the line value is next get or set. For example, by requesting a configuration with no flags set, an output line with GPIO_V2_LINE_FLAG_ACTIVE_LOW and GPIO_V2_LINE_FLAG_OPEN_DRAIN set could have those flags cleared, inverting the sense of the line and changing the line drive to push-pull on the next line value set. Skip the reconfiguration of lines for which the direction is not set, and only reconfigure the lines for which direction is set. Fixes: a54756cb24ea ("gpiolib: cdev: support GPIO_V2_LINE_SET_CONFIG_IOCTL") Signed-off-by: Kent Gibson <warthog618(a)gmail.com> Link: https://lore.kernel.org/r/20240626052925.174272-3-warthog618@gmail.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> --- drivers/gpio/gpiolib-cdev.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index d526a4c91e82..545998e9f6ad 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -1565,12 +1565,14 @@ static long linereq_set_config_unlocked(struct linereq *lr, line = &lr->lines[i]; desc = lr->lines[i].desc; flags = gpio_v2_line_config_flags(lc, i); - gpio_v2_line_config_flags_to_desc_flags(flags, &desc->flags); - edflags = flags & GPIO_V2_LINE_EDGE_DETECTOR_FLAGS; /* - * Lines have to be requested explicitly for input - * or output, else the line will be treated "as is". + * Lines not explicitly reconfigured as input or output + * are left unchanged. */ + if (!(flags & GPIO_V2_LINE_DIRECTION_FLAGS)) + continue; + gpio_v2_line_config_flags_to_desc_flags(flags, &desc->flags); + edflags = flags & GPIO_V2_LINE_EDGE_DETECTOR_FLAGS; if (flags & GPIO_V2_LINE_FLAG_OUTPUT) { int val = gpio_v2_line_config_output_value(lc, i); @@ -1578,7 +1580,7 @@ static long linereq_set_config_unlocked(struct linereq *lr, ret = gpiod_direction_output(desc, val); if (ret) return ret; - } else if (flags & GPIO_V2_LINE_FLAG_INPUT) { + } else { ret = gpiod_direction_input(desc); if (ret) return ret; -- 2.39.5

3 months

1
0
0 0

[PATCH -next 0/2] Fix memory leaks for kobject

by Gaosheng Cui

Fix two memory leaks for kobject name, thanks! Gaosheng Cui (2): kobject: fix memory leak in kset_register() due to uninitialized kset->kobj.ktype kobject: fix memory leak when kobject_add_varg() returns error lib/kobject.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) -- 2.25.1

3 months

3
6
0 0

[PATCH v9 1/3] ufs: core: fix the issue of ICU failure

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> When setting the ICU bit without using read-modify-write, SQRTCy will restart SQ again and receive an RTC return error code 2 (Failure - SQ not stopped). Additionally, the error log has been modified so that this type of error can be observed. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> Reviewed-by: Bao D. Nguyen <quic_nguyenb(a)quicinc.com> Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/ufs/core/ufs-mcq.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c index 5891cdacd0b3..3903947dbed1 100644 --- a/drivers/ufs/core/ufs-mcq.c +++ b/drivers/ufs/core/ufs-mcq.c @@ -539,7 +539,7 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) struct scsi_cmnd *cmd = lrbp->cmd; struct ufs_hw_queue *hwq; void __iomem *reg, *opr_sqd_base; - u32 nexus, id, val; + u32 nexus, id, val, rtc; int err; if (hba->quirks & UFSHCD_QUIRK_MCQ_BROKEN_RTC) @@ -569,17 +569,18 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) opr_sqd_base = mcq_opr_base(hba, OPR_SQD, id); writel(nexus, opr_sqd_base + REG_SQCTI); - /* SQRTCy.ICU = 1 */ - writel(SQ_ICU, opr_sqd_base + REG_SQRTC); + /* Initiate Cleanup */ + writel(readl(opr_sqd_base + REG_SQRTC) | SQ_ICU, + opr_sqd_base + REG_SQRTC); /* Poll SQRTSy.CUS = 1. Return result from SQRTSy.RTC */ reg = opr_sqd_base + REG_SQRTS; err = read_poll_timeout(readl, val, val & SQ_CUS, 20, MCQ_POLL_US, false, reg); - if (err) - dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%ld\n", - __func__, id, task_tag, - FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg))); + rtc = FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg)); + if (err || rtc) + dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%d RTC=%d\n", + __func__, id, task_tag, err, rtc); if (ufshcd_mcq_sq_start(hba, hwq)) err = -ETIMEDOUT; -- 2.45.2

3 months

1
0
0 0

+ ocfs2-fix-uninit-value-in-ocfs2_get_block.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: ocfs2: fix uninit-value in ocfs2_get_block() has been added to the -mm mm-hotfixes-unstable branch. Its filename is ocfs2-fix-uninit-value-in-ocfs2_get_block.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Joseph Qi <joseph.qi(a)linux.alibaba.com> Subject: ocfs2: fix uninit-value in ocfs2_get_block() Date: Wed, 25 Sep 2024 17:06:00 +0800 syzbot reported an uninit-value BUG: BUG: KMSAN: uninit-value in ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159 ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159 do_mpage_readpage+0xc45/0x2780 fs/mpage.c:225 mpage_readahead+0x43f/0x840 fs/mpage.c:374 ocfs2_readahead+0x269/0x320 fs/ocfs2/aops.c:381 read_pages+0x193/0x1110 mm/readahead.c:160 page_cache_ra_unbounded+0x901/0x9f0 mm/readahead.c:273 do_page_cache_ra mm/readahead.c:303 [inline] force_page_cache_ra+0x3b1/0x4b0 mm/readahead.c:332 force_page_cache_readahead mm/internal.h:347 [inline] generic_fadvise+0x6b0/0xa90 mm/fadvise.c:106 vfs_fadvise mm/fadvise.c:185 [inline] ksys_fadvise64_64 mm/fadvise.c:199 [inline] __do_sys_fadvise64 mm/fadvise.c:214 [inline] __se_sys_fadvise64 mm/fadvise.c:212 [inline] __x64_sys_fadvise64+0x1fb/0x3a0 mm/fadvise.c:212 x64_sys_call+0xe11/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:222 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f This is because when ocfs2_extent_map_get_blocks() fails, p_blkno is uninitialized. So the error log will trigger the above uninit-value access. The error log is out-of-date since get_blocks() was removed long time ago. And the error code will be logged in ocfs2_extent_map_get_blocks() once ocfs2_get_cluster() fails, so fix this by only logging inode and block. Link: https://syzkaller.appspot.com/bug?extid=9709e73bae885b05314b Link: https://lkml.kernel.org/r/20240925090600.3643376-1-joseph.qi@linux.alibaba.… Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") Signed-off-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reported-by: syzbot+9709e73bae885b05314b(a)syzkaller.appspotmail.com Tested-by: syzbot+9709e73bae885b05314b(a)syzkaller.appspotmail.com Cc: Heming Zhao <heming.zhao(a)suse.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/aops.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/fs/ocfs2/aops.c~ocfs2-fix-uninit-value-in-ocfs2_get_block +++ a/fs/ocfs2/aops.c @@ -156,9 +156,8 @@ int ocfs2_get_block(struct inode *inode, err = ocfs2_extent_map_get_blocks(inode, iblock, &p_blkno, &count, &ext_flags); if (err) { - mlog(ML_ERROR, "Error %d from get_blocks(0x%p, %llu, 1, " - "%llu, NULL)\n", err, inode, (unsigned long long)iblock, - (unsigned long long)p_blkno); + mlog(ML_ERROR, "get_blocks() failed, inode: 0x%p, " + "block: %llu\n", inode, (unsigned long long)iblock); goto bail; } _ Patches currently in -mm which might be from joseph.qi(a)linux.alibaba.com are ocfs2-fix-uninit-value-in-ocfs2_get_block.patch

3 months

1
0
0 0

[PATCH v5 5/5] tpm: flush the auth session only when /dev/tpm0 is open

by Jarkko Sakkinen

Instead of flushing and reloading the auth session for every single transaction, keep the session open unless /dev/tpm0 is used. In practice this means applying TPM2_SA_CONTINUE_SESSION to the session attributes. Flush the session always when /dev/tpm0 is written. Reported-by: Pengyu Ma <mapengyu(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219229 Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 7ca110f2679b ("tpm: Address !chip->auth in tpm_buf_append_hmac_session*()") Tested-by: Pengyu Ma <mapengyu(a)gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v5: - No changes. v4: - Changed as bug. v3: - Refined the commit message. - Removed the conditional for applying TPM2_SA_CONTINUE_SESSION only when /dev/tpm0 is open. It is not required as the auth session is flushed, not saved. v2: - A new patch. --- drivers/char/tpm/tpm-chip.c | 1 + drivers/char/tpm/tpm-dev-common.c | 1 + drivers/char/tpm/tpm-interface.c | 1 + drivers/char/tpm/tpm2-sessions.c | 3 +++ 4 files changed, 6 insertions(+) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 0ea00e32f575..7a6bb30d1f32 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -680,6 +680,7 @@ void tpm_chip_unregister(struct tpm_chip *chip) rc = tpm_try_get_ops(chip); if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 4eaa8e05c291..a3ed7a99a394 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -29,6 +29,7 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, #ifdef CONFIG_TCG_TPM2_HMAC if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index bfa47d48b0f2..2363018fa8fb 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -381,6 +381,7 @@ int tpm_pm_suspend(struct device *dev) if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { #ifdef CONFIG_TCG_TPM2_HMAC + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; #endif diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index a8d3d5d52178..38b92ad9e75f 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -333,6 +333,9 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, } #ifdef CONFIG_TCG_TPM2_HMAC + /* The first write to /dev/tpm{rm0} will flush the session. */ + attributes |= TPM2_SA_CONTINUE_SESSION; + /* * The Architecture Guide requires us to strip trailing zeros * before computing the HMAC -- 2.46.1

3 months

2
9
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror September 2024