The checkpoint is the top priority thread which can stop all the filesystem
operations. Let's make it RT priority.
Reviewed-by: Daeho Jeong <daehojeong@google.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 8a2d9f00d502e6ef68c6d52f0863856040ddd2db)
Change-Id: I7ab430a7294fa9644512f0a32245646944446213
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
We should update age extent in f2fs_do_zero_range() like we
did in f2fs_truncate_data_blocks_range().
Fixes: dfcfcc6d16 ("f2fs: add block_age-based extent cache")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit a84153f939808102dfa10904aa0f743e734a3e1d)
Change-Id: Iab59f94f792dbab8da7ab597d5a219476370a646
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
nr_free may be less than len, we should update age extent cache
w/ range [fofs, len] rather than [fofs, nr_free].
Fixes: dfcfcc6d16 ("f2fs: add block_age-based extent cache")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 8c0ed062ce27f6b7f0a568cb241e2b4dd2d9e6a6)
Change-Id: I0a4546f84fd75db2f13857e4922520ab5885e845
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
Currently we wrongly calculate the new block age to
old * LAST_AGE_WEIGHT / 100.
Fix it to new * (100 - LAST_AGE_WEIGHT) / 100
+ old * LAST_AGE_WEIGHT / 100.
Signed-off-by: qixiaoyu1 <qixiaoyu1@xiaomi.com>
Signed-off-by: xiongping1 <xiongping1@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit b03a41a495df35f8e8d25220878bd6b8472d9396)
Change-Id: I989877caf2517245750e7ed809b2af71f8943f96
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
Otherwise, __lookup_extent_tree() will override the given extent_info which will
be used by caller.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 22a341b43036415718f2d50f5f98b2f891fe17e9)
Change-Id: I5ddc08dd3d299f222b4b9b1334f2e675e37956b6
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
Let's explicitly use the defined values in block_age case only.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit ed2724765e58e3310d3de48f4a1761631b3dd640)
Change-Id: Ibbed9907e98c54a7fc807f5deb9300aeb2d35e70
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
This can avoid confusing tracepoint values.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit fe59109ae5c0b34a8c7c07f693fc501b12b57787)
Change-Id: I64d127fed283cfe93579a031b1b8762d35069f98
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
commit e61b11a737 ("ANDROID: fuse: Allocate zeroed memory for canonical path")
fixes the deadlock that this patch tries to fix.
This reverts commit aeb761e164.
Change-Id: I7137a93cf83b4d2a3cecb2b2de6f9fa14e6a2702
5.18-rc1 has many merge issues and the block io path has been rewritten,
so the tracepoints added here do not work properly anymore (and break
the build.)
If this is really still needed (hint, I strongly doubt it), it can be
redesigned and added back after 5.18-rc1 is released.
Cc: Mohan Srinivasan <srmohan@google.com>
Cc: Amit Pundir <amit.pundir@linaro.org>
Cc: Alistair Strachan <astrachan@google.com>
Fixes: f2fe7bac26dc ("ANDROID: fs: FS tracepoints to track IO.")
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[Jaegeuk Kim: remove fsync tracepoints as well]
Change-Id: I64981f2f692a434b976e50677d3414037d5ee409
* 'upstream-f2fs-stable-linux-4.19.y' of https://android.googlesource.com/kernel/common: (560 commits)
f2fs: reset wait_ms to default if any of the victims have been selected
f2fs: fix some format WARNING in debug.c and sysfs.c
f2fs: don't call f2fs_issue_discard_timeout() when discard_cmd_cnt is 0 in f2fs_put_super()
f2fs: fix iostat parameter for discard
f2fs: Fix spelling mistake in label: free_bio_enrty_cache -> free_bio_entry_cache
f2fs: avoid build warnining in extent_cache
f2fs: add block_age-based extent cache
f2fs: allocate the extent_cache by default
f2fs: refactor extent_cache to support for read and more
f2fs: remove unnecessary __init_extent_tree
f2fs: move internal functions into extent_cache.c
f2fs: specify extent cache for read explicitly
f2fs: introduce f2fs_is_readonly() for readability
f2fs: remove F2FS_SET_FEATURE() and F2FS_CLEAR_FEATURE() macro
f2fs: do some cleanup for f2fs module init
MAINTAINERS: Add f2fs bug tracker link
f2fs: remove the unused flush argument to change_curseg
f2fs: open code allocate_segment_by_default
f2fs: remove struct segment_allocation default_salloc_ops
f2fs: introduce discard_urgent_util sysfs node
...
Conflicts:
fs/crypto/hooks.c
fs/ext4/ioctl.c
fs/ext4/namei.c
fs/f2fs/checkpoint.c
fs/f2fs/data.c
fs/f2fs/dir.c
fs/f2fs/f2fs.h
fs/f2fs/file.c
fs/f2fs/gc.c
fs/f2fs/hash.c
fs/f2fs/inline.c
fs/f2fs/namei.c
fs/f2fs/node.c
fs/f2fs/node.h
fs/f2fs/recovery.c
fs/f2fs/segment.c
fs/f2fs/segment.h
fs/f2fs/super.c
fs/f2fs/sysfs.c
fs/f2fs/xattr.c
fs/libfs.c
fs/ubifs/dir.c
fs/unicode/utf8-core.c
fs/verity/enable.c
fs/verity/signature.c
include/linux/fs.h
include/linux/fscrypt.h
include/uapi/linux/fsverity.h
Change-Id: I555b2ac03d0bc864b8993a006994c68c0f4f8c41
if2fs_fill_super
-> f2fs_build_segment_manager
-> create_discard_cmd_control
-> f2fs_start_discard_thread
It invokes kthread_run to create a thread and run issue_discard_thread.
However, if f2fs_build_node_manager fails, the control flow goes to
free_nm and calls f2fs_destroy_node_manager. This function will free
sbi->nm_info. However, if issue_discard_thread accesses sbi->nm_info
after the deallocation, but before the f2fs_stop_discard_thread, it will
cause UAF(Use-after-free).
-> f2fs_destroy_segment_manager
-> destroy_discard_cmd_control
-> f2fs_stop_discard_thread
Fix this by stopping discard thread before f2fs_destroy_node_manager.
Note that, the commit d6d2b491a82e1 introduces the call of
f2fs_available_free_memory into issue_discard_thread.
Cc: stable@vger.kernel.org
Fixes: d6d2b491a82e ("f2fs: allow to change discard policy based on cached discard cmds")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 5429c9dbc9025f9a166f64e22e3a69c94fd5b29b)
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: If121b453455b11b2aded8ba8a3899faad431dbd3
https://source.android.com/docs/security/bulletin/2025-01-01
* tag 'ASB-2025-01-05_4.19-stable' of https://android.googlesource.com/kernel/common: (132 commits)
Revert "UPSTREAM: unicode: Don't special case ignorable code points"
Reapply "UPSTREAM: unicode: Don't special case ignorable code points"
Revert "UPSTREAM: unicode: Don't special case ignorable code points"
Linux 4.19.325
sh: intc: Fix use-after-free bug in register_intc_controller()
modpost: remove incorrect code in do_eisa_entry()
9p/xen: fix release of IRQ
9p/xen: fix init sequence
block: return unsigned int from bdev_io_min
jffs2: fix use of uninitialized variable
ubi: fastmap: Fix duplicate slab cache names while attaching
ubifs: Correct the total block count by deducting journal reservation
rtc: check if __rtc_read_time was successful in rtc_timer_do_work()
NFSv4.0: Fix a use-after-free problem in the asynchronous open()
um: Fix the return value of elf_core_copy_task_fpregs
rpmsg: glink: Propagate TX failures in intentless mode as well
NFSD: Prevent a potential integer overflow
lib: string_helpers: silence snprintf() output truncation warning
usb: dwc3: gadget: Fix checking for number of TRBs left
media: wl128x: Fix atomicity violation in fmc_send_cmd()
...
Conflicts:
arch/arm64/boot/dts/vendor/bindings/clock/adi,axi-clkgen.yaml
arch/arm64/boot/dts/vendor/bindings/clock/axi-clkgen.txt
drivers/rpmsg/qcom_glink_native.c
Change-Id: Iea6ddf20dfaa4419f6e0b2efcee1890bfa8e2554
https://source.android.com/docs/security/bulletin/2024-12-01
* tag 'ASB-2024-12-05_4.19-stable' of https://android.googlesource.com/kernel/common: (401 commits)
Linux 4.19.324
9p: fix slab cache name creation for real
net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition
fs: Fix uninitialized value issue in from_kuid and from_kgid
powerpc/powernv: Free name on error in opal_event_init()
sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML
bpf: use kvzmalloc to allocate BPF verifier environment
HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad
9p: Avoid creating multiple slab caches with the same name
ALSA: usb-audio: Add endianness annotations
vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
ALSA: usb-audio: Add quirks for Dell WD19 dock
ALSA: usb-audio: Support jack detection on Dell dock
ALSA: usb-audio: Add custom mixer status quirks for RME CC devices
ALSA: pcm: Return 0 when size < start_threshold in capture
ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
irqchip/gic-v3: Force propagation of the active state with a read-back
USB: serial: option: add Quectel RG650V
USB: serial: option: add Fibocom FG132 0x0112 composition
...
Conflicts:
drivers/usb/dwc3/core.c
drivers/usb/dwc3/core.h
net/qrtr/qrtr.c
Change-Id: I328847813eb875d25c4aa35dcc7ba58ad09b53ae
This reverts commit 62bbb08add179b68e2ce0ede59f3c4b37d6c92a8.
Reason for revert: b/382800956
Bug: 382800956
Change-Id: Ic7a0cdbb060c12c1628a5859d795e78cd6b9341d
Signed-off-by: Todd Kjos <tkjos@google.com>
(cherry picked from commit c376628415656f16d398aad95c218a06805038bd)
Signed-off-by: Lee Jones <joneslee@google.com>
This reverts commit e1ba90026d98e53f5736131f3363424e83315f00.
Reapplying only to re-revert with the correct Change-Id
Bug: 382800956
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: Icdd08040f04ed7e85d31b7f8551ee2ef1d0b95b0
Changes in 4.19.325
netlink: terminate outstanding dump on socket close
ocfs2: uncache inode which has failed entering the group
nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint
ocfs2: fix UBSAN warning in ocfs2_verify_volume()
nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint
Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K"
media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set
kbuild: Use uname for LINUX_COMPILE_HOST detection
mm: revert "mm: shmem: fix data-race in shmem_getattr()"
ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet
mac80211: fix user-power when emulating chanctx
selftests/watchdog-test: Fix system accidentally reset after watchdog-test
x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB
net: usb: qmi_wwan: add Quectel RG650V
proc/softirqs: replace seq_printf with seq_put_decimal_ull_width
nvme: fix metadata handling in nvme-passthrough
initramfs: avoid filename buffer overrun
m68k: mvme147: Fix SCSI controller IRQ numbers
m68k: mvme16x: Add and use "mvme16x.h"
m68k: mvme147: Reinstate early console
acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block()
s390/syscalls: Avoid creation of arch/arch/ directory
hfsplus: don't query the device logical block size multiple times
EDAC/fsl_ddr: Fix bad bit shift operations
crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY
crypto: cavium - Fix the if condition to exit loop after timeout
crypto: bcm - add error check in the ahash_hmac_init function
crypto: cavium - Fix an error handling path in cpt_ucode_load_fw()
time: Fix references to _msecs_to_jiffies() handling of values
soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()
mmc: mmc_spi: drop buggy snprintf()
ARM: dts: cubieboard4: Fix DCDC5 regulator constraints
regmap: irq: Set lockdep class for hierarchical IRQ domains
firmware: arm_scpi: Check the DVFS OPP count returned by the firmware
drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused
wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
drm/omap: Fix locking in omap_gem_new_dmabuf()
bpf: Fix the xdp_adjust_tail sample prog issue
wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()
drm/etnaviv: consolidate hardware fence handling in etnaviv_gpu
drm/etnaviv: dump: fix sparse warnings
drm/etnaviv: fix power register offset on GC300
drm/etnaviv: hold GPU lock across perfmon sampling
net: rfkill: gpio: Add check for clk_enable()
ALSA: us122l: Use snd_card_free_when_closed() at disconnection
ALSA: caiaq: Use snd_card_free_when_closed() at disconnection
ALSA: 6fire: Release resources at card release
netpoll: Use rcu_access_pointer() in netpoll_poll_lock
trace/trace_event_perf: remove duplicate samples on the first tracepoint event
powerpc/vdso: Flag VDSO64 entry points as functions
mfd: da9052-spi: Change read-mask to write-mask
cpufreq: loongson2: Unregister platform_driver on failure
mtd: rawnand: atmel: Fix possible memory leak
RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey
mfd: rt5033: Fix missing regmap_del_irq_chip()
scsi: bfa: Fix use-after-free in bfad_im_module_exit()
scsi: fusion: Remove unused variable 'rc'
scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()
ocfs2: fix uninitialized value in ocfs2_file_read_iter()
powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static
fbdev/sh7760fb: Alloc DMA memory from hardware device
fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()
dt-bindings: clock: adi,axi-clkgen: convert old binding to yaml format
dt-bindings: clock: axi-clkgen: include AXI clk
clk: axi-clkgen: use devm_platform_ioremap_resource() short-hand
clk: clk-axi-clkgen: make sure to enable the AXI bus clock
perf probe: Correct demangled symbols in C++ program
PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads
PCI: cpqphp: Fix PCIBIOS_* return value confusion
m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x
m68k: coldfire/device.c: only build FEC when HW macros are defined
rpmsg: glink: Add TX_DATA_CONT command while sending
rpmsg: glink: Send READ_NOTIFY command in FIFO full case
rpmsg: glink: Fix GLINK command prefix
rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length
NFSD: Prevent NULL dereference in nfsd4_process_cb_update()
NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir()
vfio/pci: Properly hide first-in-list PCIe extended capability
power: supply: core: Remove might_sleep() from power_supply_put()
net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device
tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets
net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration
marvell: pxa168_eth: fix call balance of pep->clk handling routines
net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken
usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read()
USB: chaoskey: fail open after removal
USB: chaoskey: Fix possible deadlock chaoskey_list_lock
misc: apds990x: Fix missing pm_runtime_disable()
apparmor: fix 'Do simple duplicate message elimination'
usb: ehci-spear: fix call balance of sehci clk handling routines
ext4: supress data-race warnings in ext4_free_inodes_{count,set}()
ext4: fix FS_IOC_GETFSMAP handling
jfs: xattr: check invalid xattr size more strictly
ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata()
PCI: Fix use-after-free of slot->bus on hot remove
tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler
Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}()
ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices
Revert "usb: gadget: composite: fix OS descriptors w_value logic"
serial: sh-sci: Clean sci_ports[0] after at earlycon exit
Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit"
netfilter: ipset: add missing range check in bitmap_ip_uadt
spi: Fix acpi deferred irq probe
ubi: wl: Put source PEB into correct list if trying locking LEB failed
um: ubd: Do not use drvdata in release
um: net: Do not use drvdata in release
serial: 8250: omap: Move pm_runtime_get_sync
um: vector: Do not use drvdata in release
sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled
block: fix ordering between checking BLK_MQ_S_STOPPED request adding
HID: wacom: Interpret tilt data from Intuos Pro BT as signed values
media: wl128x: Fix atomicity violation in fmc_send_cmd()
usb: dwc3: gadget: Fix checking for number of TRBs left
lib: string_helpers: silence snprintf() output truncation warning
NFSD: Prevent a potential integer overflow
rpmsg: glink: Propagate TX failures in intentless mode as well
um: Fix the return value of elf_core_copy_task_fpregs
NFSv4.0: Fix a use-after-free problem in the asynchronous open()
rtc: check if __rtc_read_time was successful in rtc_timer_do_work()
ubifs: Correct the total block count by deducting journal reservation
ubi: fastmap: Fix duplicate slab cache names while attaching
jffs2: fix use of uninitialized variable
block: return unsigned int from bdev_io_min
9p/xen: fix init sequence
9p/xen: fix release of IRQ
modpost: remove incorrect code in do_eisa_entry()
sh: intc: Fix use-after-free bug in register_intc_controller()
Linux 4.19.325
Change-Id: I50250c8bd11f9ff4b40da75225c1cfb060e0c258
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 3ba44ee966bc3c41dd8a944f963466c8fcc60dc8 ]
When building the kernel with -Wmaybe-uninitialized, the compiler
reports this warning:
In function 'jffs2_mark_erased_block',
inlined from 'jffs2_erase_pending_blocks' at fs/jffs2/erase.c:116:4:
fs/jffs2/erase.c:474:9: warning: 'bad_offset' may be used uninitialized [-Wmaybe-uninitialized]
474 | jffs2_erase_failed(c, jeb, bad_offset);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/jffs2/erase.c: In function 'jffs2_erase_pending_blocks':
fs/jffs2/erase.c:402:18: note: 'bad_offset' was declared here
402 | uint32_t bad_offset;
| ^~~~~~~~~~
When mtd->point() is used, jffs2_erase_pending_blocks can return -EIO
without initializing bad_offset, which is later used at the filebad
label in jffs2_mark_erased_block.
Fix it by initializing this variable.
Fixes: 8a0f572397 ("[JFFS2] Return values of jffs2_block_check_erase error paths")
Signed-off-by: Qingfang Deng <qingfang.deng@siflower.com.cn>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 84a2bee9c49769310efa19601157ef50a1df1267 ]
Since commit e874dcde1cbf ("ubifs: Reserve one leb for each journal
head while doing budget"), available space is calulated by deducting
reservation for all journal heads. However, the total block count (
which is only used by statfs) is not updated yet, which will cause
the wrong displaying for used space(total - available).
Fix it by deducting reservation for all journal heads from total
block count.
Fixes: e874dcde1cbf ("ubifs: Reserve one leb for each journal head while doing budget")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889 ]
Yang Erkun reports that when two threads are opening files at the same
time, and are forced to abort before a reply is seen, then the call to
nfs_release_seqid() in nfs4_opendata_free() can result in a
use-after-free of the pointer to the defunct rpc task of the other
thread.
The fix is to ensure that if the RPC call is aborted before the call to
nfs_wait_on_sequence() is complete, then we must call nfs_release_seqid()
in nfs4_open_release() before the rpc_task is freed.
Reported-by: Yang Erkun <yangerkun@huawei.com>
Fixes: 24ac23ab88 ("NFSv4: Convert open() into an asynchronous RPC call")
Reviewed-by: Yang Erkun <yangerkun@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream.
If the tag length is >= U32_MAX - 3 then the "length + 4" addition
can result in an integer overflow. Address this by splitting the
decoding into several steps so that decode_cb_compound4res() does
not have to perform arithmetic on the unsafe length value.
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d9f9d96136cba8fedd647d2c024342ce090133c2 upstream.
Commit 7c55b78818cf ("jfs: xattr: fix buffer overflow for invalid xattr")
also addresses this issue but it only fixes it for positive values, while
ea_size is an integer type and can take negative values, e.g. in case of
a corrupted filesystem. This still breaks validation and would overflow
because of implicit conversion from int to size_t in print_hex_dump().
Fix this issue by clamping the ea_size value instead.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Cc: stable@vger.kernel.org
Signed-off-by: Artem Sadovnikov <ancowi69@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4a622e4d477bb12ad5ed4abbc7ad1365de1fa347 upstream.
The original implementation ext4's FS_IOC_GETFSMAP handling only
worked when the range of queried blocks included at least one free
(unallocated) block range. This is because how the metadata blocks
were emitted was as a side effect of ext4_mballoc_query_range()
calling ext4_getfsmap_datadev_helper(), and that function was only
called when a free block range was identified. As a result, this
caused generic/365 to fail.
Fix this by creating a new function ext4_getfsmap_meta_helper() which
gets called so that blocks before the first free block range in a
block group can get properly reported.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 902cc179c931a033cd7f4242353aa2733bf8524c upstream.
find_group_other() and find_group_orlov() read *_lo, *_hi with
ext4_free_inodes_count without additional locking. This can cause
data-race warning, but since the lock is held for most writes and free
inodes value is generally not a problem even if it is incorrect, it is
more appropriate to use READ_ONCE()/WRITE_ONCE() than to add locking.
==================================================================
BUG: KCSAN: data-race in ext4_free_inodes_count / ext4_free_inodes_set
write to 0xffff88810404300e of 2 bytes by task 6254 on cpu 1:
ext4_free_inodes_set+0x1f/0x80 fs/ext4/super.c:405
__ext4_new_inode+0x15ca/0x2200 fs/ext4/ialloc.c:1216
ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391
vfs_symlink+0xca/0x1d0 fs/namei.c:4615
do_symlinkat+0xe3/0x340 fs/namei.c:4641
__do_sys_symlinkat fs/namei.c:4657 [inline]
__se_sys_symlinkat fs/namei.c:4654 [inline]
__x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654
x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e
read to 0xffff88810404300e of 2 bytes by task 6257 on cpu 0:
ext4_free_inodes_count+0x1c/0x80 fs/ext4/super.c:349
find_group_other fs/ext4/ialloc.c:594 [inline]
__ext4_new_inode+0x6ec/0x2200 fs/ext4/ialloc.c:1017
ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391
vfs_symlink+0xca/0x1d0 fs/namei.c:4615
do_symlinkat+0xe3/0x340 fs/namei.c:4641
__do_sys_symlinkat fs/namei.c:4657 [inline]
__se_sys_symlinkat fs/namei.c:4654 [inline]
__x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654
x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Cc: stable@vger.kernel.org
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Link: https://patch.msgid.link/20241003125337.47283-1-aha310510@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1e02c641c3a43c88cecc08402000418e15578d38 ]
@ses is initialized to NULL. If __nfsd4_find_backchannel() finds no
available backchannel session, setup_callback_client() will try to
dereference @ses and segfault.
Fixes: dcbeaa68db ("nfsd4: allow backchannel recovery")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit adc77b19f62d7e80f98400b2fca9d700d2afdd6f ]
Syzbot has reported the following KMSAN splat:
BUG: KMSAN: uninit-value in ocfs2_file_read_iter+0x9a4/0xf80
ocfs2_file_read_iter+0x9a4/0xf80
__io_read+0x8d4/0x20f0
io_read+0x3e/0xf0
io_issue_sqe+0x42b/0x22c0
io_wq_submit_work+0xaf9/0xdc0
io_worker_handle_work+0xd13/0x2110
io_wq_worker+0x447/0x1410
ret_from_fork+0x6f/0x90
ret_from_fork_asm+0x1a/0x30
Uninit was created at:
__alloc_pages_noprof+0x9a7/0xe00
alloc_pages_mpol_noprof+0x299/0x990
alloc_pages_noprof+0x1bf/0x1e0
allocate_slab+0x33a/0x1250
___slab_alloc+0x12ef/0x35e0
kmem_cache_alloc_bulk_noprof+0x486/0x1330
__io_alloc_req_refill+0x84/0x560
io_submit_sqes+0x172f/0x2f30
__se_sys_io_uring_enter+0x406/0x41c0
__x64_sys_io_uring_enter+0x11f/0x1a0
x64_sys_call+0x2b54/0x3ba0
do_syscall_64+0xcd/0x1e0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Since an instance of 'struct kiocb' may be passed from the block layer
with 'private' field uninitialized, introduce 'ocfs2_iocb_init_rw_locked()'
and use it from where 'ocfs2_dio_end_io()' might take care, i.e. in
'ocfs2_file_read_iter()' and 'ocfs2_file_write_iter()'.
Link: https://lkml.kernel.org/r/20241029091736.1501946-1-dmantipov@yandex.ru
Fixes: 7cdfc3a1c3 ("ocfs2: Remember rw lock level during direct io")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reported-by: syzbot+a73e253cca4f0230a5a5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a73e253cca4f0230a5a5
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 84b9749a3a704dcc824a88aa8267247c801d51e4 ]
seq_printf is costy, on a system with n CPUs, reading /proc/softirqs
would yield 10*n decimal values, and the extra cost parsing format string
grows linearly with number of cpus. Replace seq_printf with
seq_put_decimal_ull_width have significant performance improvement.
On an 8CPUs system, reading /proc/softirqs show ~40% performance
gain with this patch.
Signed-off-by: David Wang <00107082@163.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 2026559a6c4ce34db117d2db8f710fe2a9420d5a upstream.
When using the "block:block_dirty_buffer" tracepoint, mark_buffer_dirty()
may cause a NULL pointer dereference, or a general protection fault when
KASAN is enabled.
This happens because, since the tracepoint was added in
mark_buffer_dirty(), it references the dev_t member bh->b_bdev->bd_dev
regardless of whether the buffer head has a pointer to a block_device
structure.
In the current implementation, nilfs_grab_buffer(), which grabs a buffer
to read (or create) a block of metadata, including b-tree node blocks,
does not set the block device, but instead does so only if the buffer is
not in the "uptodate" state for each of its caller block reading
functions. However, if the uptodate flag is set on a folio/page, and the
buffer heads are detached from it by try_to_free_buffers(), and new buffer
heads are then attached by create_empty_buffers(), the uptodate flag may
be restored to each buffer without the block device being set to
bh->b_bdev, and mark_buffer_dirty() may be called later in that state,
resulting in the bug mentioned above.
Fix this issue by making nilfs_grab_buffer() always set the block device
of the super block structure to the buffer head, regardless of the state
of the buffer's uptodate flag.
Link: https://lkml.kernel.org/r/20241106160811.3316-3-konishi.ryusuke@gmail.com
Fixes: 5305cb8308 ("block: add block_{touch|dirty}_buffer tracepoint")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Ubisectech Sirius <bugreport@valiantsec.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 737f34137844d6572ab7d473c998c7f977ff30eb upstream.
Syzbot has reported the following BUG:
kernel BUG at fs/ocfs2/uptodate.c:509!
...
Call Trace:
<TASK>
? __die_body+0x5f/0xb0
? die+0x9e/0xc0
? do_trap+0x15a/0x3a0
? ocfs2_set_new_buffer_uptodate+0x145/0x160
? do_error_trap+0x1dc/0x2c0
? ocfs2_set_new_buffer_uptodate+0x145/0x160
? __pfx_do_error_trap+0x10/0x10
? handle_invalid_op+0x34/0x40
? ocfs2_set_new_buffer_uptodate+0x145/0x160
? exc_invalid_op+0x38/0x50
? asm_exc_invalid_op+0x1a/0x20
? ocfs2_set_new_buffer_uptodate+0x2e/0x160
? ocfs2_set_new_buffer_uptodate+0x144/0x160
? ocfs2_set_new_buffer_uptodate+0x145/0x160
ocfs2_group_add+0x39f/0x15a0
? __pfx_ocfs2_group_add+0x10/0x10
? __pfx_lock_acquire+0x10/0x10
? mnt_get_write_access+0x68/0x2b0
? __pfx_lock_release+0x10/0x10
? rcu_read_lock_any_held+0xb7/0x160
? __pfx_rcu_read_lock_any_held+0x10/0x10
? smack_log+0x123/0x540
? mnt_get_write_access+0x68/0x2b0
? mnt_get_write_access+0x68/0x2b0
? mnt_get_write_access+0x226/0x2b0
ocfs2_ioctl+0x65e/0x7d0
? __pfx_ocfs2_ioctl+0x10/0x10
? smack_file_ioctl+0x29e/0x3a0
? __pfx_smack_file_ioctl+0x10/0x10
? lockdep_hardirqs_on_prepare+0x43d/0x780
? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
? __pfx_ocfs2_ioctl+0x10/0x10
__se_sys_ioctl+0xfb/0x170
do_syscall_64+0xf3/0x230
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
</TASK>
When 'ioctl(OCFS2_IOC_GROUP_ADD, ...)' has failed for the particular
inode in 'ocfs2_verify_group_and_input()', corresponding buffer head
remains cached and subsequent call to the same 'ioctl()' for the same
inode issues the BUG() in 'ocfs2_set_new_buffer_uptodate()' (trying
to cache the same buffer head of that inode). Fix this by uncaching
the buffer head with 'ocfs2_remove_from_cache()' on error path in
'ocfs2_group_add()'.
Link: https://lkml.kernel.org/r/20241114043844.111847-1-dmantipov@yandex.ru
Fixes: 7909f2bf83 ("[PATCH 2/2] ocfs2: Implement group add for online resize")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reported-by: syzbot+453873f1588c2d75b447@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=453873f1588c2d75b447
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Dmitry Antipov <dmantipov@yandex.ru>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Changes in 4.19.324
arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator
ARM: dts: rockchip: fix rk3036 acodec node
ARM: dts: rockchip: drop grf reference from rk3036 hdmi
ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin
HID: core: zero-initialize the report buffer
security/keys: fix slab-out-of-bounds in key_task_permission
sctp: properly validate chunk size in sctp_sf_ootb()
can: c_can: fix {rx,tx}_errors statistics
net: hns3: fix kernel crash when uninstalling driver
media: stb0899_algo: initialize cfr before using it
media: dvbdev: prevent the risk of out of memory access
media: dvb_frontend: don't play tricks with underflow values
media: adv7604: prevent underflow condition when reporting colorspace
ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init()
media: s5p-jpeg: prevent buffer overflows
media: cx24116: prevent overflows on SNR calculus
media: v4l2-tpg: prevent the risk of a division by zero
drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()
drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported
dm cache: correct the number of origin blocks to match the target length
dm cache: fix out-of-bounds access to the dirty bitset when resizing
dm cache: optimize dirty bit checking with find_next_bit when resizing
dm cache: fix potential out-of-bounds access on the first resume
dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow
nfs: Fix KMSAN warning in decode_getfattr_attrs()
btrfs: reinitialize delayed ref list after deleting it from the list
bonding (gcc13): synchronize bond_{a,t}lb_xmit() types
net: bridge: xmit: make sure we have at least eth header len bytes
media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
fs/proc: fix compile warning about variable 'vmcore_mmap_ops'
usb: musb: sunxi: Fix accessing an released usb phy
USB: serial: io_edgeport: fix use after free in debug printk
USB: serial: qcserial: add support for Sierra Wireless EM86xx
USB: serial: option: add Fibocom FG132 0x0112 composition
USB: serial: option: add Quectel RG650V
irqchip/gic-v3: Force propagation of the active state with a read-back
ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
ALSA: pcm: Return 0 when size < start_threshold in capture
ALSA: usb-audio: Add custom mixer status quirks for RME CC devices
ALSA: usb-audio: Support jack detection on Dell dock
ALSA: usb-audio: Add quirks for Dell WD19 dock
hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
ALSA: usb-audio: Add endianness annotations
9p: Avoid creating multiple slab caches with the same name
HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad
bpf: use kvzmalloc to allocate BPF verifier environment
sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML
powerpc/powernv: Free name on error in opal_event_init()
fs: Fix uninitialized value issue in from_kuid and from_kgid
net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition
9p: fix slab cache name creation for real
Linux 4.19.324
Change-Id: Ib8e7c89304d2c2cc72aea03446ea40a8704b41ec
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit c9a75ec45f1111ef530ab186c2a7684d0a0c9245 upstream.
At insert_delayed_ref() if we need to update the action of an existing
ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's
ref_add_list using list_del(), which leaves the ref's add_list member
not reinitialized, as list_del() sets the next and prev members of the
list to LIST_POISON1 and LIST_POISON2, respectively.
If later we end up calling drop_delayed_ref() against the ref, which can
happen during merging or when destroying delayed refs due to a transaction
abort, we can trigger a crash since at drop_delayed_ref() we call
list_empty() against the ref's add_list, which returns false since
the list was not reinitialized after the list_del() and as a consequence
we call list_del() again at drop_delayed_ref(). This results in an
invalid list access since the next and prev members are set to poison
pointers, resulting in a splat if CONFIG_LIST_HARDENED and
CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences
otherwise.
So fix this by deleting from the list with list_del_init() instead.
Fixes: 1d57ee9416 ("btrfs: improve delayed refs iterations")
CC: stable@vger.kernel.org # 4.19+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Changes in 4.19.323
staging: iio: frequency: ad9833: Get frequency value statically
staging: iio: frequency: ad9833: Load clock using clock framework
staging: iio: frequency: ad9834: Validate frequency parameter value
usbnet: ipheth: fix carrier detection in modes 1 and 4
net: ethernet: use ip_hdrlen() instead of bit shift
net: phy: vitesse: repair vsc73xx autonegotiation
scripts: kconfig: merge_config: config files: add a trailing newline
arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma
net/mlx5: Update the list of the PCI supported devices
net: ftgmac100: Enable TX interrupt to avoid TX timeout
net: dpaa: Pad packets to ETH_ZLEN
soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps"
selftests/vm: remove call to ksft_set_plan()
selftests/kcmp: remove call to ksft_set_plan()
ASoC: allow module autoloading for table db1200_pids
pinctrl: at91: make it work with current gpiolib
microblaze: don't treat zero reserved memory regions as error
net: ftgmac100: Ensure tx descriptor updates are visible
wifi: iwlwifi: mvm: fix iwl_mvm_max_scan_ie_fw_cmd_room()
wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead
ASoC: tda7419: fix module autoloading
spi: bcm63xx: Enable module autoloading
x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency
ocfs2: add bounds checking to ocfs2_xattr_find_entry()
ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
gpio: prevent potential speculation leaks in gpio_device_get_desc()
USB: serial: pl2303: add device id for Macrosilicon MS3020
ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe()
wifi: ath9k: fix parameter check in ath9k_init_debug()
wifi: ath9k: Remove error checks when creating debugfs entries
netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire
wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()
wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors
wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()
can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().
Bluetooth: btusb: Fix not handling ZPL/short-transfer
block, bfq: fix possible UAF for bfqq->bic with merge chain
block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()
block, bfq: don't break merge chain in bfq_split_bfqq()
spi: ppc4xx: handle irq_of_parse_and_map() errors
spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ
ARM: versatile: fix OF node leak in CPUs prepare
reset: berlin: fix OF node leak in probe() error path
clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init()
hwmon: (max16065) Fix overflows seen when writing limits
mtd: slram: insert break after errors in parsing the map
hwmon: (ntc_thermistor) fix module autoloading
power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense
fbdev: hpfb: Fix an error handling path in hpfb_dio_probe()
drm/stm: Fix an error handling path in stm_drm_platform_probe()
drm/amd: fix typo
drm/amdgpu: Replace one-element array with flexible-array member
drm/amdgpu: properly handle vbios fake edid sizing
drm/radeon: Replace one-element array with flexible-array member
drm/radeon: properly handle vbios fake edid sizing
drm/rockchip: vop: Allow 4096px width scaling
drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets
jfs: fix out-of-bounds in dbNextAG() and diAlloc()
drm/msm/a5xx: properly clear preemption records on resume
drm/msm/a5xx: fix races in preemption evaluation stage
ipmi: docs: don't advertise deprecated sysfs entries
drm/msm: fix %s null argument error
xen: use correct end address of kernel for conflict checking
xen/swiotlb: simplify range_straddles_page_boundary()
xen/swiotlb: add alignment check for dma buffers
selftests/bpf: Fix error compiling test_lru_map.c
xz: cleanup CRC32 edits from 2018
kthread: add kthread_work tracepoints
kthread: fix task state in kthread worker if being frozen
jbd2: introduce/export functions jbd2_journal_submit|finish_inode_data_buffers()
ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard
smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso
ext4: avoid negative min_clusters in find_group_orlov()
ext4: return error on ext4_find_inline_entry
ext4: avoid OOB when system.data xattr changes underneath the filesystem
nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()
nilfs2: determine empty node blocks as corrupted
nilfs2: fix potential oob read in nilfs_btree_check_delete()
perf sched timehist: Fix missing free of session in perf_sched__timehist()
perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time
perf time-utils: Fix 32-bit nsec parsing
clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228
drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error
drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error
PCI: xilinx-nwl: Fix register misspelling
RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency
pinctrl: single: fix missing error code in pcs_probe()
clk: ti: dra7-atl: Fix leak of of_nodes
pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function
RDMA/cxgb4: Added NULL check for lookup_atid
ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()
nfsd: call cache_put if xdr_reserve_space returns NULL
f2fs: enhance to update i_mode and acl atomically in f2fs_setattr()
f2fs: fix typo
f2fs: fix to update i_ctime in __f2fs_setxattr()
f2fs: remove unneeded check condition in __f2fs_setxattr()
f2fs: reduce expensive checkpoint trigger frequency
coresight: tmc: sg: Do not leak sg_table
netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()
net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition
tcp: introduce tcp_skb_timestamp_us() helper
tcp: check skb is non-NULL in tcp_rto_delta_us()
net: qrtr: Update packets cloning when broadcasting
netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS
crypto: aead,cipher - zeroize key buffer after use
Remove *.orig pattern from .gitignore
soc: versatile: integrator: fix OF node leak in probe() error path
USB: appledisplay: close race between probe and completion handler
USB: misc: cypress_cy7c63: check for short transfer
firmware_loader: Block path traversal
tty: rp2: Fix reset with non forgiving PCIe host bridges
drbd: Fix atomicity violation in drbd_uuid_set_bm()
drbd: Add NULL check for net_conf to prevent dereference in state validation
ACPI: sysfs: validate return type of _STR method
f2fs: prevent possible int overflow in dir_block_index()
f2fs: avoid potential int overflow in sanity_check_area_boundary()
vfs: fix race between evice_inodes() and find_inode()&iput()
fs: Fix file_set_fowner LSM hook inconsistencies
nfs: fix memory leak in error path of nfs4_do_reclaim
PCI: xilinx-nwl: Use irq_data_get_irq_chip_data()
PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler
soc: versatile: realview: fix memory leak during device remove
soc: versatile: realview: fix soc_dev leak during device remove
usb: yurex: Replace snprintf() with the safer scnprintf() variant
USB: misc: yurex: fix race between read and write
pps: remove usage of the deprecated ida_simple_xx() API
pps: add an error check in parport_attach
i2c: aspeed: Update the stop sw state when the bus recovery occurs
i2c: isch: Add missed 'else'
usb: yurex: Fix inconsistent locking bug in yurex_read()
mailbox: rockchip: fix a typo in module autoloading
mailbox: bcm2835: Fix timeout during suspend mode
ceph: remove the incorrect Fw reference check when dirtying pages
netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED
netfilter: nf_tables: prevent nf_skb_duplicated corruption
r8152: Factor out OOB link list waits
net: ethernet: lantiq_etop: fix memory disclosure
net: avoid potential underflow in qdisc_pkt_len_init() with UFO
net: add more sanity checks to qdisc_pkt_len_init()
ipv4: ip_gre: Fix drops of small packets in ipgre_xmit
sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs
ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin
f2fs: Require FMODE_WRITE for atomic write ioctls
wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats()
wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit
net: hisilicon: hip04: fix OF node leak in probe()
net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info()
net: hisilicon: hns_mdio: fix OF node leak in probe()
ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails
ACPICA: Fix memory leak if acpi_ps_get_next_field() fails
ACPI: EC: Do not release locks during operation region accesses
ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()
tipc: guard against string buffer overrun
net: mvpp2: Increase size of queue_name buffer
ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR).
ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family
tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process
ACPICA: iasl: handle empty connection_node
wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()
signal: Replace BUG_ON()s
ALSA: asihpi: Fix potential OOB array access
ALSA: hdsp: Break infinite MIDI input flush loop
fbdev: pxafb: Fix possible use after free in pxafb_task()
power: reset: brcmstb: Do not go into infinite loop if reset fails
ata: sata_sil: Rename sil_blacklist to sil_quirks
jfs: UBSAN: shift-out-of-bounds in dbFindBits
jfs: Fix uaf in dbFreeBits
jfs: check if leafidx greater than num leaves per dmap tree
jfs: Fix uninit-value access of new_ea in ea_buffer
drm/amd/display: Check stream before comparing them
drm/amd/display: Fix index out of bounds in degamma hardware format translation
drm/printer: Allow NULL data in devcoredump printer
scsi: aacraid: Rearrange order of struct aac_srb_unit
drm/radeon/r100: Handle unknown family in r100_cp_init_microcode()
of/irq: Refer to actual buffer size in of_irq_parse_one()
ext4: ext4_search_dir should return a proper error
ext4: fix i_data_sem unlock order in ext4_ind_migrate()
spi: s3c64xx: fix timeout counters in flush_fifo
selftests: breakpoints: use remaining time to check if suspend succeed
selftests: vDSO: fix vDSO symbols lookup for powerpc64
i2c: xiic: Wait for TX empty to avoid missed TX NAKs
spi: bcm63xx: Fix module autoloading
perf/core: Fix small negative period being ignored
parisc: Fix itlb miss handler for 64-bit programs
ALSA: core: add isascii() check to card ID generator
ext4: no need to continue when the number of entries is 1
ext4: propagate errors from ext4_find_extent() in ext4_insert_range()
ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space()
ext4: aovid use-after-free in ext4_ext_insert_extent()
ext4: fix double brelse() the buffer of the extents path
ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit()
parisc: Fix 64-bit userspace syscall path
of/irq: Support #msi-cells=<0> in of_msi_get_domain
jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error
ocfs2: fix the la space leak when unmounting an ocfs2 volume
ocfs2: fix uninit-value in ocfs2_get_block()
ocfs2: reserve space for inline xattr before attaching reflink tree
ocfs2: cancel dqi_sync_work before freeing oinfo
ocfs2: remove unreasonable unlock in ocfs2_read_blocks
ocfs2: fix null-ptr-deref when journal load failed.
ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate
riscv: define ILLEGAL_POINTER_VALUE for 64bit
aoe: fix the potential use-after-free problem in more places
clk: rockchip: fix error for unknown clocks
media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags
media: venus: fix use after free bug in venus_remove due to race condition
iio: magnetometer: ak8975: Fix reading for ak099xx sensors
tomoyo: fallback to realpath if symlink's pathname does not exist
Input: adp5589-keys - fix adp5589_gpio_get_value()
btrfs: wait for fixup workers before stopping cleaner kthread during umount
gpio: davinci: fix lazy disable
ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path
ext4: fix slab-use-after-free in ext4_split_extent_at()
ext4: update orig_path in ext4_find_extent()
arm64: Add Cortex-715 CPU part definition
arm64: cputype: Add Neoverse-N3 definitions
arm64: errata: Expand speculative SSBS workaround once more
uprobes: fix kernel info leak via "[uprobes]" vma
nfsd: use ktime_get_seconds() for timestamps
nfsd: fix delegation_blocked() to block correctly for at least 30 seconds
rtc: at91sam9: drop platform_data support
rtc: at91sam9: fix OF node leak in probe() error path
ACPI: battery: Simplify battery hook locking
ACPI: battery: Fix possible crash when unregistering a battery hook
ext4: fix inode tree inconsistency caused by ENOMEM
net: ethernet: cortina: Drop TSO support
tracing: Remove precision vsnprintf() check from print event
drm: Move drm_mode_setcrtc() local re-init to failure path
drm/crtc: fix uninitialized variable use even harder
virtio_console: fix misc probe bugs
Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal
bpf: Check percpu map value size first
s390/facility: Disable compile time optimization for decompressor code
s390/mm: Add cond_resched() to cmm_alloc/free_pages()
ext4: nested locking for xattr inode
s390/cpum_sf: Remove WARN_ON_ONCE statements
ktest.pl: Avoid false positives with grub2 skip regex
clk: bcm: bcm53573: fix OF node leak in init
i2c: i801: Use a different adapter-name for IDF adapters
PCI: Mark Creative Labs EMU20k2 INTx masking as broken
media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put()
usb: chipidea: udc: enable suspend interrupt after usb reset
tools/iio: Add memory allocation failure check for trigger_name
driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute
fbdev: sisfb: Fix strbuf array overflow
NFS: Remove print_overflow_msg()
SUNRPC: Fix integer overflow in decode_rc_list()
tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe
netfilter: br_netfilter: fix panic with metadata_dst skb
Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
gpio: aspeed: Add the flush write to ensure the write complete.
clk: Add (devm_)clk_get_optional() functions
clk: generalize devm_clk_get() a bit
clk: Provide new devm_clk helpers for prepared and enabled clocks
gpio: aspeed: Use devm_clk api to manage clock source
igb: Do not bring the device up after non-fatal error
net: ibm: emac: mal: fix wrong goto
ppp: fix ppp_async_encode() illegal access
net: ipv6: ensure we call ipv6_mc_down() at most once
CDC-NCM: avoid overflow in sanity checking
HID: plantronics: Workaround for an unexcepted opposite volume key
Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant"
usb: xhci: Fix problem with xhci resume from suspend
usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip
net: Fix an unsafe loop on the list
posix-clock: Fix missing timespec64 check in pc_clock_settime()
arm64: probes: Remove broken LDR (literal) uprobe support
arm64: probes: Fix simulate_ldr*_literal()
PCI: Add function 0 DMA alias quirk for Glenfly Arise chip
fat: fix uninitialized variable
KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()
net: dsa: mv88e6xxx: Fix out-of-bound access
s390/sclp_vt220: Convert newlines to CRLF instead of LFCR
KVM: s390: Change virtual to physical address access in diag 0x258 handler
x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET
drm/vmwgfx: Handle surface check failure correctly
iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig
iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig
iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency()
iio: light: opt3001: add missing full-scale range value
Bluetooth: Remove debugfs directory on module init failure
Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001
xhci: Fix incorrect stream context type macro
USB: serial: option: add support for Quectel EG916Q-GL
USB: serial: option: add Telit FN920C04 MBIM compositions
parport: Proper fix for array out-of-bounds access
x86/apic: Always explicitly disarm TSC-deadline timer
nilfs2: propagate directory read errors from nilfs_find_entry()
clk: Fix pointer casting to prevent oops in devm_clk_release()
clk: Fix slab-out-of-bounds error in devm_clk_release()
RDMA/bnxt_re: Fix incorrect AVID type in WQE structure
RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP
RDMA/bnxt_re: Return more meaningful error
drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation
macsec: don't increment counters for an unrelated SA
net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit()
net: systemport: fix potential memory leak in bcm_sysport_xmit()
usb: typec: altmode should keep reference to parent
Bluetooth: bnep: fix wild-memory-access in proto_unregister
arm64:uprobe fix the uprobe SWBP_INSN in big-endian
arm64: probes: Fix uprobes for big-endian kernels
KVM: s390: gaccess: Refactor gpa and length calculation
KVM: s390: gaccess: Refactor access address range check
KVM: s390: gaccess: Cleanup access to guest pages
KVM: s390: gaccess: Check if guest address is in memslot
udf: fix uninit-value use in udf_get_fileshortad
jfs: Fix sanity check in dbMount
net/sun3_82586: fix potential memory leak in sun3_82586_send_packet()
be2net: fix potential memory leak in be_xmit()
net: usb: usbnet: fix name regression
posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()
ALSA: hda/realtek: Update default depop procedure
drm/amd: Guard against bad data for ATIF ACPI method
ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue
nilfs2: fix kernel bug due to missing clearing of buffer delay flag
hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event
selinux: improve error checking in sel_write_load()
arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning
xfrm: validate new SA's prefixlen using SA family when sel.family is unset
usb: dwc3: remove generic PHY calibrate() calls
usb: dwc3: Add splitdisable quirk for Hisilicon Kirin Soc
usb: dwc3: core: Stop processing of pending events if controller is halted
cgroup: Fix potential overflow issue when checking max_depth
wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys
gtp: simplify error handling code in 'gtp_encap_enable()'
gtp: allow -1 to be specified as file description from userspace
net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
bpf: Fix out-of-bounds write in trie_get_next_key()
net: support ip generic csum processing in skb_csum_hwoffload_help
net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension
netfilter: nft_payload: sanitize offset and length before calling skb_checksum()
firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state()
net: amd: mvme147: Fix probe banner message
misc: sgi-gru: Don't disable preemption in GRU driver
usbip: tools: Fix detach_port() invalid port error path
usb: phy: Fix API devm_usb_put_phy() can not release the phy
xhci: Fix Link TRB DMA in command ring stopped completion event
Revert "driver core: Fix uevent_show() vs driver detach race"
wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower
wifi: ath10k: Fix memory leak in management tx
wifi: iwlegacy: Clear stale interrupts before resuming device
nilfs2: fix potential deadlock with newly created symlinks
ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow
nilfs2: fix kernel bug due to missing clearing of checked flag
mm: shmem: fix data-race in shmem_getattr()
vt: prevent kernel-infoleak in con_font_get()
Linux 4.19.323
Change-Id: I2348f834187153067ab46b3b48b8fe7da9cee1f1
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 41e192ad2779cae0102879612dfe46726e4396aa upstream.
Syzbot reported that in directory operations after nilfs2 detects
filesystem corruption and degrades to read-only,
__block_write_begin_int(), which is called to prepare block writes, may
fail the BUG_ON check for accesses exceeding the folio/page size,
triggering a kernel bug.
This was found to be because the "checked" flag of a page/folio was not
cleared when it was discarded by nilfs2's own routine, which causes the
sanity check of directory entries to be skipped when the directory
page/folio is reloaded. So, fix that.
This was necessary when the use of nilfs2's own page discard routine was
applied to more than just metadata files.
Link: https://lkml.kernel.org/r/20241017193359.5051-1-konishi.ryusuke@gmail.com
Fixes: 8c26c4e269 ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+d6ca2daf692c7a82f959@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d6ca2daf692c7a82f959
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b3a033e3ecd3471248d474ef263aadc0059e516a upstream.
Syzbot reported that page_symlink(), called by nilfs_symlink(), triggers
memory reclamation involving the filesystem layer, which can result in
circular lock dependencies among the reader/writer semaphore
nilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the
fs_reclaim pseudo lock.
This is because after commit 21fc61c73c ("don't put symlink bodies in
pagecache into highmem"), the gfp flags of the page cache for symbolic
links are overwritten to GFP_KERNEL via inode_nohighmem().
This is not a problem for symlinks read from the backing device, because
the __GFP_FS flag is dropped after inode_nohighmem() is called. However,
when a new symlink is created with nilfs_symlink(), the gfp flags remain
overwritten to GFP_KERNEL. Then, memory allocation called from
page_symlink() etc. triggers memory reclamation including the FS layer,
which may call nilfs_evict_inode() or nilfs_dirty_inode(). And these can
cause a deadlock if they are called while nilfs->ns_segctor_sem is held:
Fix this issue by dropping the __GFP_FS flag from the page cache GFP flags
of newly created symlinks in the same way that nilfs_new_inode() and
__nilfs_read_inode() do, as a workaround until we adopt nofs allocation
scope consistently or improve the locking constraints.
Link: https://lkml.kernel.org/r/20241020050003.4308-1-konishi.ryusuke@gmail.com
Fixes: 21fc61c73c ("don't put symlink bodies in pagecache into highmem")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+9ef37ac20608f4836256@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9ef37ac20608f4836256
Tested-by: syzbot+9ef37ac20608f4836256@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 67373ca8404fe57eb1bb4b57f314cff77ce54932 ]
MAXAG is a legitimate value for bmp->db_numag
Fixes: e63866a47556 ("jfs: fix out-of-bounds in dbNextAG() and diAlloc()")
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
