- Mar 29, 2021
-
-
Piotr Krysiuk authoredstable inclusion from linux-4.19.182 commit bc49612a0e2c379a0d997375901c5371ba015518 CVE: CVE-2020-27170 -------------------------------- commit f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 upstream. The purpose of this patch is to streamline error propagation and in particular to propagate retrieve_ptr_limit() errors for pointer types that are not defining a ptr_limit such that register-based alu ops against these types can be rejected. The main rationale is that a gap has been identified by Piotr in the existing protection against speculatively out-of-bounds loads, for example, in case of ctx pointers, unprivileged programs can still perform pointer arithmetic. This can be abused to execute speculatively out-of-bounds loads without restrictions and thus extract contents of kernel memory. Fix this by rejecting unprivileged programs that attempt any pointer arithmetic on unprotected pointer types. The two affected ones are pointer to ctx as well as pointer to map. Field access to a modified ctx' pointer is rejected at a later point in time in the verifier, and 7c696732 ("bpf: Permit map_ptr arithmetic with opcode add and offset 0") only relevant for root-only use cases. Risk of unprivileged program breakage is considered very low. Fixes: 7c696732 ("bpf: Permit map_ptr arithmetic with opcode add and offset 0") Fixes: b2157399 ("bpf: prevent out-of-bounds speculation") Signed-off-by:
Piotr Krysiuk <piotras@gmail.com>
Co-developed-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jian Cheng <cj.chengjian@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Dan Carpenter authored
stable inclusion from linux-4.19.162 commit 304c080fc33258e3b177b6f0736b97d54e6fea3b CVE: CVE-2020-35519 -------------------------------- [ Upstream commit 6ee50c8e ] The .x25_addr[] address comes from the user and is not necessarily NUL terminated. This leads to a couple problems. The first problem is that the strlen() in x25_bind() can read beyond the end of the buffer. The second problem is more subtle and could result in memory corruption. The call tree is: x25_connect() --> x25_write_internal() --> x25_addr_aton() The .x25_addr[] buffers are copied to the "addresses" buffer from x25_write_internal() so it will lead to stack corruption. Verify that the strings are NUL terminated and return -EINVAL if they are not. Fixes: 1da177e4 ("Linux-2.6.12-rc2") Fixes: a9288525 ("X25: Dont let x25_bind use addresses containing characters") Reported-by:
"kiyin(尹亮)" <kiyin@tencent.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Martin Schiller <ms@dev.tdt.de>
Link: https://lore.kernel.org/r/X8ZeAKm8FnFpN//B@mwanda
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Dave Airlie authored
stable inclusion from linux-4.19.140 commit 10c8a526b2db1fcdf9e2d59d4885377b91939c55 CVE: CVE-2021-20292 -------------------------------- commit 5de5b6ec upstream. This is confusing, and from my reading of all the drivers only nouveau got this right. Just make the API act under driver control of it's own allocation failing, and don't call destroy, if the page table fails to create there is nothing to cleanup here. (I'm willing to believe I've missed something here, so please review deeply). Reviewed-by:
Christian König <christian.koenig@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200728041736.20689-1-airlied@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
卢佳琳 authored
hulk inclusion category: feature/cgroups bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=7 CVE: NA -------- The patch adds ifndef(__GENKSYMS__) into cgroup_subsys.h, and this change is more nasty than it looks. It hides the fact that that we change the layout of "struct cgroup" and "struct css_set", they both have the subsys[CGROUP_SUBSYS_COUNT] member. I hope this is fine, the modular code has no reasons to access the private members after ->subsys[], and the helpers like cgroup_sane_behavior() shouldn't be used by external modules. The patch also fixes the following compile warning caused by the fix kabi broken. Signed-off-by:
Lu Jialin <lujialin4@huawei.com>
Reviewed-by: Chen Zhou <chenzhou10@huawei.com>
Reviewed-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
张明 authored
openEuler inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I3D58V CVE: NA ---------------------------------- No unlock operation is performed on the mpam_devices_lock before the return statement, which may lead to a deadlock. Signed-off-by:
Zhang Ming <154842638@qq.com>
Reported-by: Cheng Jian <cj.chengjian@huawei.com>
Suggested-by: Cheng Jian <cj.chengjian@huawei.com>
Reviewed-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
Reviewed-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> -
Zhen Lei authored
driver inclusion category: feature bugzilla: 50797 CVE: NA ------------------------------------------------------------------------- Set CONFIG_GMJS_TCM_CORE=m and CONFIG_GMJS_TCM_SPI=m, so that its ko can be distributed in ISO on arm64. Signed-off-by:
Zhen Lei <thunder.leizhen@huawei.com>
Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Li ZhiGang authored
driver inclusion category: feature bugzilla: 50797 CVE: NA ------------------------------------------------------------------------- Nationz Tech TCM are used for trusted computing, the chip attached via SPI or LPC. We have a brief verify/test with this driver on KunPeng920 + openEuler system, with externally compiled module. Signed-off-by:
Li ZhiGang <lizhigang@kylinos.cn>
Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Yang Yingliang authored
driver inclusion category: feature bugzilla: 50777 CVE: NA ------------------------------------------------------------------------- enable config TXGBE by default on arm64 for compile test. Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
zhenpengzheng authored
driver inclusion category: feature bugzilla: 50777 CVE: NA ------------------------------------------------------------------------- Set CONFIG_TXGBE=m, so that its ko can be distributed in ISO on X86. Signed-off-by:
zhenpengzheng <zhenpengzheng@net-swift.com>
Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
zhenpengzheng authored
driver inclusion category: feature bugzilla: 50777 CVE: NA ------------------------------------------------------------------------- This driver is based on drivers/net/ethernet/intel/ixgbe/. Signed-off-by:
zhenpengzheng <zhenpengzheng@net-swift.com>
Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
-
- Mar 22, 2021
-
-
张明 authored
openEuler inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I3BPPX CVE: NA ----------------------------------------------------------- The default branch in switch will not run at present, but there may be related extensions in the future, which may lead to memory leakage. Signed-off-by:
Zhang Ming <154842638@qq.com>
Reported-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
Suggested-by: Jian Cheng <cj.chengjian@huawei.com>
Reviewed-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jason Yan authored
hulk inclusion category: bugfix bugzilla: NA CVE: NA ----------------------------------------------- When the scsi device status is offline, mode sense command will return a result with only DID_NO_CONNECT set. Then in sd_read_write_protect_flag(), only status byte of the result is checked, we still consider the command returned good, and read sdkp->write_prot from the buffer. And because of bug [1], garbage data is copied to the buffer, the disk sometimes be set readonly. When the scsi device is set running again, users cannot write data to the disk. Fix this by check the whole result returned by the driver. [1] https://patchwork.kernel.org/project/linux-block/patch/20210318122621.330010-1-yanaijie@huawei.com/ Signed-off-by:
Jason Yan <yanaijie@huawei.com>
Reviewed-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Ye Bin authored
hulk inclusion category: bugfix bugzilla: 50785 CVE: NA ----------------------------------------------- We got follow bug_on: [130747.323114] kernel BUG at fs/ext4/extents_status.c:762! [130747.323117] Internal error: Oops - BUG: 0 [#1] SMP ...... [130747.334329] Call trace: [130747.334553] ext4_es_cache_extent+0x150/0x168 [ext4] [130747.334975] ext4_cache_extents+0x64/0xe8 [ext4] [130747.335368] ext4_find_extent+0x300/0x330 [ext4] [130747.335759] ext4_ext_map_blocks+0x74/0x1178 [ext4] [130747.336179] ext4_map_blocks+0x2f4/0x5f0 [ext4] [130747.336567] ext4_mpage_readpages+0x4a8/0x7a8 [ext4] [130747.336995] ext4_readpage+0x54/0x100 [ext4] [130747.337359] generic_file_buffered_read+0x410/0xae8 [130747.337767] generic_file_read_iter+0x114/0x190 [130747.338152] ext4_file_read_iter+0x5c/0x140 [ext4] [130747.338556] __vfs_read+0x11c/0x188 [130747.338851] vfs_read+0x94/0x150 [130747.339110] ksys_read+0x74/0xf0 If call ext4_ext_insert_extent failed but new extent already inserted, we just update "ex->ee_len = orig_ex.ee_len", this will lead to extent overlap, then cause bug on when cache extent. Signed-off-by:
Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Guoqing Jiang authored
mainline inclusion from mainline-5.8-rc1 commit 21e0958e category: bugfix bugzilla: 35792 CVE: NA --------------------------- Coly reported possible circular locking dependencyi with LOCKDEP enabled, quote the below info from the detailed report [1]. [ 1607.673903] Chain exists of: [ 1607.673903] kn->count#256 --> (wq_completion)md_misc --> (work_completion)(&rdev->del_work) [ 1607.673903] [ 1607.827946] Possible unsafe locking scenario: [ 1607.827946] [ 1607.898780] CPU0 CPU1 [ 1607.952980] ---- ---- [ 1608.007173] lock((work_completion)(&rdev->del_work)); [ 1608.069690] lock((wq_completion)md_misc); [ 1608.149887] lock((work_completion)(&rdev->del_work)); [ 1608.242563] lock(kn->count#256); [ 1608.283238] [ 1608.283238] *** DEADLOCK *** [ 1608.283238] [ 1608.354078] 2 locks held by kworker/5:0/843: [ 1608.405152] #0: ffff8889eecc9948 ((wq_completion)md_misc){+.+.}, at: process_one_work+0x42b/0xb30 [ 1608.512399] #1: ffff888a1d3b7e10 ((work_completion)(&rdev->del_work)){+.+.}, at: process_one_work+0x42b/0xb30 [ 1608.632130] Since works (rdev->del_work and mddev->del_work) are queued in md_misc_wq, then lockdep_map lock is held if either of them are running, then both of them try to hold kernfs lock by call kobject_del. Then if new_dev_store or array_state_store are triggered by write to the related sysfs node, so the write operation gets kernfs lock, but need the lockdep_map because all of them would trigger flush_workqueue(md_misc_wq) finally, then the same lockdep_map lock is needed. To suppress the lockdep warnning, we should flush the workqueue in case the related work is pending. And several works are attached to md_misc_wq, so we need to check which work should be checked: 1. for __md_stop_writes, the purpose of call flush workqueue is ensure sync thread is started if it was starting, so check mddev->del_work is pending or not since md_start_sync is attached to mddev->del_work. 2. __md_stop flushes md_misc_wq to ensure event_work is done, check the event_work is enough. Assume raid_{ctr,dtr} -> md_stop -> __md_stop doesn't need the kernfs lock. 3. both new_dev_store (holds kernfs lock) and ADD_NEW_DISK ioctl (holds the bdev->bd_mutex) call flush_workqueue to ensure md_delayed_delete has completed, this case will be handled in next patch. 4. md_open flushes workqueue to ensure the previous md is disappeared, but it holds bdev->bd_mutex then try to flush workqueue, so it is better to check mddev->del_work as well to avoid potential lock issue, this will be done in another patch. [1]: https://marc.info/?l=linux-raid&m=158518958031584&w=2 Cc: Coly Li <colyli@suse.de> Reported-by:
Coly Li <colyli@suse.de>
Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Mikulas Patocka authored
stable inclusion from linux-4.19.133 commit 35a9af8ddb6271fb20b9f4fa07c26fec1e6c52df Bugzilla: 38833 -------------------------------- commit 6958c1c6 upstream. kobject_uevent may allocate memory and it may be called while there are dm devices suspended. The allocation may recurse into a suspended device, causing a deadlock. We must set the noio flag when sending a uevent. The observed deadlock was reported here: https://www.redhat.com/archives/dm-devel/2020-March/msg00025.html Reported-by:
Khazhismel Kumykov <khazhy@google.com>
Reported-by: Tahsin Erdogan <tahsin@google.com>
Reported-by: Gabriel Krisman Bertazi <krisman@collabora.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Theodore Ts'o authored
mainline inclusion from mainline-5.12-rc1 commit b5776e7524af category: bugfix bugzilla: 50217 CVE: NA ------------------------------------------------- In the case where we need to do an interior node split, and immediately afterwards, we are unable to allocate a new directory leaf block due to ENOSPC, the directory index checksum's will not be filled in correctly (and indeed, will not be correctly journalled). This looks like a bug that was introduced when we added largedir support. The original code doesn't make any sense (and should have been caught in code review), but it was hidden because most of the time, the index node checksum will be set by do_split(). But if do_split bails out due to ENOSPC, then ext4_handle_dirty_dx_node() won't get called, and so the directory index checksum field will not get set, leading to: EXT4-fs error (device sdb): dx_probe:858: inode #6635543: block 4022: comm nfsd: Directory index failed checksum Google-Bug-Id: 176345532 Fixes: e08ac99f ("ext4: add largedir feature") Cc: Artem Blagodarenko <artem.blagodarenko@gmail.com> Signed-off-by:
Theodore Ts'o <tytso@mit.edu>
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Reviewed-by: Yang Erkun <yangerkun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-v5.12-rc1 commit a4db1072e1a3bd7a8d9c356e1902b13ac5deb8ef category: bugfix bugzilla: 49668 CVE: NA --------------------------- When checking corrupted quota file we can bail out and leak allocated info structure. Properly free info structure on error return. Reported-by:
<syzbot+77779c9b52ab78154b08@syzkaller.appspotmail.com>
Fixes: 11c514a99bb9 ("quota: Sanity-check quota file headers on load")
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-5.11-rc1 commit 11c514a99bb960941535134f0587102855e8ddee category: bugfix bugzilla: 49668 CVE: NA --------------------------- Perform basic sanity checks of quota headers to avoid kernel crashes on corrupted quota files. CC: stable@vger.kernel.org Reported-by:
<syzbot+f816042a7ae2225f25ba@syzkaller.appspotmail.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Paolo Valente authored
mainline inclusion from mainline-5.7-rc1 commit 4d38a87f category: bugfix bugzilla: 50775 CVE: NA --------------------------- In bfq_pd_offline(), the function bfq_flush_idle_tree() is invoked to flush the rb tree that contains all idle entities belonging to the pd (cgroup) being destroyed. In particular, bfq_flush_idle_tree() is invoked before bfq_reparent_active_queues(). Yet the latter may happen to add some entities to the idle tree. It happens if, in some of the calls to bfq_bfqq_move() performed by bfq_reparent_active_queues(), the queue to move is empty and gets expired. This commit simply reverses the invocation order between bfq_flush_idle_tree() and bfq_reparent_active_queues(). Tested-by:
<cki-project@redhat.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Yufen Yu <yuyufen... -
Paolo Valente authored
mainline inclusion from mainline-5.7-rc1 commit 576682fa category: bugfix bugzilla: 50775 CVE: NA --------------------------- bfq_reparent_leaf_entity() reparents the input leaf entity (a leaf entity represents just a bfq_queue in an entity tree). Yet, the input entity is guaranteed to always be a leaf entity only in two-level entity trees. In this respect, because of the error fixed by commit 14afc593 ("block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group()"), all (wrongly collapsed) entity trees happened to actually have only two levels. After the latter commit, this does not hold any longer. This commit fixes this problem by modifying bfq_reparent_leaf_entity(), so that it searches an active leaf entity down the path that stems from the input entity. Such a leaf entity is guaranteed to exist when bfq_reparent_leaf_entity() is invoked. Tested-by:
<cki-project@redhat.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Paolo Valente authored
mainline inclusion from mainline-5.7-rc1 commit c8997736 category: bugfix bugzilla: 50775 CVE: NA bfq_release_process_ref() was introduced by commit 478de338 ("block, bfq: deschedule empty bfq_queues not referred by any process"), however, this patch is not related to this issue and involved with other patches, thus we defined it here instead of backport the patch. --------------------------- A bfq_put_queue() may be invoked in __bfq_bic_change_cgroup(). The goal of this put is to release a process reference to a bfq_queue. But process-reference releases may trigger also some extra operation, and, to this goal, are handled through bfq_release_process_ref(). So, turn the invocation of bfq_put_queue() into an invocation of bfq_release_process_ref(). Tested-by:
<cki-project@redhat.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Paolo Valente authored
mainline inclusion from mainline-5.7-rc1 commit fd1bb3ae category: bugfix bugzilla: 50775 CVE: NA --------------------------- Commit ecedd3d7 ("block, bfq: get extra ref to prevent a queue from being freed during a group move") gets an extra reference to a bfq_queue before possibly deactivating it (temporarily), in bfq_bfqq_move(). This prevents the bfq_queue from disappearing before being reactivated in its new group. Yet, the bfq_queue may also be expired (i.e., its service may be stopped) before the bfq_queue is deactivated. And also an expiration may lead to a premature freeing. This commit fixes this issue by simply moving forward the getting of the extra reference already introduced by commit ecedd3d7 ("block, bfq: get extra ref to prevent a queue from being freed during a group move"). Reported-by:
<cki-project@redhat.com>
Tested-by: <cki-project@redhat.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Paolo Valente authored
mainline inclusion from mainline-5.6-rc1 commit ecedd3d7 category: bugfix bugzilla: 50775 CVE: NA --------------------------- In bfq_bfqq_move(), the bfq_queue, say Q, to be moved to a new group may happen to be deactivated in the scheduling data structures of the source group (and then activated in the destination group). If Q is referred only by the data structures in the source group when the deactivation happens, then Q is freed upon the deactivation. This commit addresses this issue by getting an extra reference before the possible deactivation, and releasing this extra reference after Q has been moved. Tested-by:
Chris Evich <cevich@redhat.com>
Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Li Huafei authored
hulk inclusion category: bugfix bugzilla: 50618 CVE: NA ------------------------------------------------- We got a use-after-free report when doing kernel fuzz tests with KSSAN turned on: [ 1367.884099] BUG: KASAN: use-after-free in ftrace_ops_list_func+0xf7/0x220 [ 1367.885153] Read of size 8 at addr ffff8884f81a47d0 by tasksyz-executor/99086 [ 1367.886517] CPU: 2 PID: 99086 Comm: syz-executor Kdump: loaded Tainted: G --------- -t -4.18.0-147.5.1.2.h379.kasan.eulerosv2r9.x86_64 #1 [ 1367.886522] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 [ 1367.886525] Call Trace: [ 1367.886534] dump_stack+0xc2/0x12e [ 1367.886542] ? orc_sort_cmp+0xb0/0xb0 [ 1367.886551] print_address_description+0x70/0x360 [ 1367.886558] ? orc_sort_cmp+0xb0/0xb0 [ 1367.886566] ? perf_trace_buf_alloc+0x190/0x190 [ 1367.886571] kasan_report+0x1b2/0x330 [ 1367.886578] ? ftrace_ops_list_func+0xf7/0x220 [ 1367.886585] ? orc_find+0x560/0x5a0 [ 1367.886597] ? ftrace_ops_list_func+0xf7/0x220 [ 1367.886603] ftrace_ops_list_func+0xf7/0x220 [ 1367.886609] ? __save_stack_trace+0x92/0x100 [ 1367.886616] ftrace_call+0x5/0x34 [ 1367.886623] ? do_syscall_64+0x98/0x2c0 [ 1367.886629] ? do_syscall_64+0x98/0x2c0 [ 1367.886635] ? deref_stack_reg+0xd0/0xd0 [ 1367.886644] ? unwind_get_return_address+0x5/0x50 [ 1367.886651] unwind_get_return_address+0x5/0x50 [ 1367.886656] __save_stack_trace+0x92/0x100 [ 1367.886665] ? do_syscall_64+0x98/0x2c0 [ 1367.886673] save_stack+0x47/0xd0 [ 1367.886680] ? __kasan_slab_free+0x130/0x180 [ 1367.886685] ? kfree+0xa5/0x1e0 [ 1367.886692] ? cgroup_show_path+0x1fd/0x250 [ 1367.886699] ? kernfs_sop_show_path+0xad/0xf0 [ 1367.886705] ? show_mountinfo+0x169/0x4c0 [ 1367.886712] ? seq_read+0x716/0x950 [ 1367.886718] ? __vfs_read+0x55/0xb0 [ 1367.886723] ? vfs_read+0xe7/0x210 [ 1367.886729] ? ksys_pread64+0x95/0xd0 [ 1367.886734] ? objects_show+0x10/0x10 [ 1367.886740] ? ftrace_ops_test+0xba/0x120 [ 1367.886746] ? ftrace_find_tramp_ops_next+0x90/0x90 [ 1367.886753] ? ftrace_find_tramp_ops_next+0x90/0x90 [ 1367.886760] ? ftrace_find_tramp_ops_next+0x90/0x90 [ 1367.886766] ? objects_show+0x10/0x10 [ 1367.886772] ? ftrace_ops_list_func+0x147/0x220 [ 1367.886778] ? __kasan_slab_free+0xac/0x180 [ 1367.886784] ? cgroup_show_path+0x1fd/0x250 [ 1367.886790] ? ftrace_call+0x5/0x34 [ 1367.886796] ? cgroup_show_path+0x1fd/0x250 [ 1367.886802] ? cgroup_show_path+0x1fd/0x250 [ 1367.886811] ? fixup_red_left+0x5/0x30 [ 1367.886817] ? cgroup_show_path+0x1fd/0x250 [ 1367.886824] __kasan_slab_free+0x130/0x180 [ 1367.886831] ? cgroup_show_path+0x1fd/0x250 [ 1367.886835] kfree+0xa5/0x1e0 [ 1367.886842] cgroup_show_path+0x1fd/0x250 [ 1367.886850] ? init_and_link_css+0x370/0x370 [ 1367.886856] kernfs_sop_show_path+0xad/0xf0 [ 1367.886863] show_mountinfo+0x169/0x4c0 [ 1367.886869] ? kernfs_test_super+0x80/0x80 [ 1367.886875] ? show_vfsmnt+0x270/0x270 [ 1367.886880] ? m_next+0x32/0x80 [ 1367.886886] ? show_vfsmnt+0x270/0x270 [ 1367.886891] ? m_show+0x31/0x50 [ 1367.886900] seq_read+0x716/0x950 [ 1367.886911] ? seq_lseek+0x1e0/0x1e0 [ 1367.886916] ? ftrace_call+0x5/0x34 [ 1367.886922] ? ftrace_call+0x5/0x34 [ 1367.886931] ? seq_lseek+0x1e0/0x1e0 [ 1367.886938] __vfs_read+0x55/0xb0 [ 1367.886945] vfs_read+0xe7/0x210 [ 1367.886954] ksys_pread64+0x95/0xd0 [ 1367.886961] do_syscall_64+0x98/0x2c0 [ 1367.886971] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 1367.886976] RIP: 0033:0x46436d [ 1367.886983] Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 [ 1367.886987] RSP: 002b:00007f83ffff4c28 EFLAGS: 00000246 ORIG_RAX: 0000000000000011 [ 1367.886999] RAX: ffffffffffffffda RBX: 000000000057cfa0 RCX: 000000000046436d [ 1367.887002] RDX: 0000000000001000 RSI: 0000000020000140 RDI: 0000000000000003 [ 1367.887006] RBP: 000000000057cfa0 R08: 0000000000000000 R09: 0000000000000000 [ 1367.887009] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000057cfac [ 1367.887013] R13: 00007f83ffff5700 R14: 00000000004d1e47 R15: 0000000000000fff [ 1367.887275] Allocated by task 99101: [ 1367.887848] kasan_kmalloc+0xa0/0xd0 [ 1367.887853] kmem_cache_alloc_trace+0xfc/0x220 [ 1367.887860] perf_event_alloc.part.19+0x50/0x14d0 [ 1367.887865] perf_event_alloc+0x67/0x90 [ 1367.887871] __do_sys_perf_event_open+0x20e/0x14c0 [ 1367.887876] do_syscall_64+0x98/0x2c0 [ 1367.887882] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 1367.888133] Freed by task 99101: [ 1367.888651] __kasan_slab_free+0x130/0x180 [ 1367.888655] kfree+0xa5/0x1e0 [ 1367.888661] perf_event_alloc.part.19+0xca4/0x14d0 [ 1367.888666] perf_event_alloc+0x67/0x90 [ 1367.888672] __do_sys_perf_event_open+0x20e/0x14c0 [ 1367.888677] do_syscall_64+0x98/0x2c0 [ 1367.888683] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 1367.888935] The buggy address belongs to the object at ffff8884f81a4400 which belongs to the cache kmalloc-2k of size 2048 [ 1367.890854] The buggy address is located 976 bytes inside of 2048-byte region [ffff8884f81a4400, ffff8884f81a4c00) [ 1367.892661] The buggy address belongs to the page: [ 1367.893404] page:ffffea0013e06800 count:1 mapcount:0 mapping:ffff888107c0cf00 index:0x0 compound_mapcount: 0 [ 1367.894915] flags: 0x17ffffc0008100(slab|head) [ 1367.895613] raw: 0017ffffc0008100 ffffea0014bda208 ffffea00140c4208 ffff888107c0cf00 [ 1367.896808] raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000 [ 1367.898000] page dumped because: kasan: bad access detected [ 1367.899107] Memory state around the buggy address: [ 1367.899880] ffff8884f81a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1367.900995] ffff8884f81a4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1367.902106] >ffff8884f81a4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1367.903218] [ 1367.904122] ffff8884f81a4800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1367.905234] ffff8884f81a4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb There is a race between perf_alloc_event() and __ftrace_ops_list_func() on 'event'. When adding a perf event, if the event needs to use the trace framework, it needs to register ftrace_ops with ftrace, which is a structural member of perf event. If perf_alloc_event() fails, it will release the event directly, but if ftrace_ops has been successfully registered, and the corresponding trace point is triggered, then __ftrace_ops_list_func() will still reference the ftrace_ops that perf just registered, but it has been released with the event is freed, so use-after-free happens. __ftrace_ops_list_func() uses rcu synchronization to access ftrace_ops, so in perf_alloc_event() we call synchronize_rcu() before releasing 'event' to make sure all 'event' references are complete. Signed-off-by:
Yang JiHong <yangjihong1@huawei.com>
Signed-off-by: Li Huafei <lihuafei1@huawei.com>
Reviewed-by: Kuohai Xu <xukuohai@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
余快 authored
hulk inclusion category: bugfix bugzilla: 50526 CVE: NA --------------------------- Inode atime/mtime is 64-bit, however xfs ondisk atime/mtime is 32-bit( supported range is from Dec 13 20:45:52 UTC 1901 to Jan 19 03:14:07 UTC 2038). Thus if in-memory atime/mtime overflow, after umount and mount, atime/mtime will be wrong. In order to fix it, truncate atime/ctime/mtime in xfs_vn_setattr(). This problem was fixed in commit 22b13969 ("fs: Fill in max and min timestamps in superblock") from mainline, which relied on commit 50e17c00 ("vfs: Add timestamp_truncate() api") and commit 188d20bc ("vfs: Add file timestamp range support"). However, kabi will be broken if we backport these patches, thus we do local adaptation for xfs instead. Signed-off-by:
Yu Kuai <yukuai3@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jason Yan authored
mainline inclusion from mainline-v5.7-rc2 commit 64881411 category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- Fix the following gcc warning: fs/ext4/ext4_jbd2.c:341:30: warning: variable 'es' set but not used [-Wunused-but-set-variable] struct ext4_super_block *es; ^~ Fixes: 2ea2fc775321 ("ext4: save all error info in save_error_info() and drop ext4_set_errno()") Reported-by:
Hulk Robot <hulkci@huawei.com>
Signed-off-by: Jason Yan <yanaijie@huawei.com>
Link: https://lore.kernel.org/r/20200402034759.29957-1-yanaijie@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jason Yan authored
mainline inclusion from mainline-v5.7-rc2 commit 05ca87c1 category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- Fix the following gcc warning: fs/ext4/super.c:599:27: warning: variable 'es' set but not used [-Wunused-but-set-variable] struct ext4_super_block *es; ^~ Fixes: 2ea2fc775321 ("ext4: save all error info in save_error_info() and drop ext4_set_errno()") Reported-by:
Hulk Robot <hulkci@huawei.com>
Signed-off-by: Jason Yan <yanaijie@huawei.com>
Link: https://lore.kernel.org/r/20200402033939.25303-1-yanaijie@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Theodore Ts'o authored
mainline inclusion from mainline-v5.12-rc1 commit 027f14f5357279655c3ebc6d14daff8368d4f53f category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- If we try to make any changes via the journal between when the journal is initialized, but before the multi-block allocated is initialized, we will end up deferencing a NULL pointer when the journal commit callback function calls ext4_process_freed_data(). The proximate cause of this failure was commit 2d01ddc86606 ("ext4: save error info to sb through journal if available") since file system corruption problems detected before the call to ext4_mb_init() would result in a journal commit before we aborted the mount of the file system.... and we would then trigger the NULL pointer deref. Link: https://lore.kernel.org/r/YAm8qH/0oo2ofSMR@mit.edu Reported-by:Murphy Zhou <jencce.kernel@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
conflicts:
fs/ext4/super.c
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-v5.11-rc4 commit a3f5cf14ff917d46a4d491cf86210fd639d1ff38 category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- The wrapper is now useless since it does what ext4_handle_dirty_metadata() does. Just remove it. Signed-off-by:
Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20201216101844.22917-9-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-v5.11-rc4 commit e92ad03fa53498f12b3f5ecb8822adc3bf815b28 category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- No behavioral change. Signed-off-by:
Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20201216101844.22917-6-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-v5.11-rc4 commit 2d01ddc86606564fb08c56e3bc93a0693895f710 category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- If journalling is still working at the moment we get to writing error information to the superblock we cannot write directly to the superblock as such write could race with journalled update of the superblock and cause journal checksum failures, writing inconsistent information to the journal or other problems. We cannot journal the superblock directly from the error handling functions as we are running in uncertain context and could deadlock so just punt journalled superblock update to a workqueue. Signed-off-by:
Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20201216101844.22917-5-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
conflicts:
fs/ext4/super.c
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-v5.11-rc4 commit 05c2c00f3769abb9e323fcaca70d2de0b48af7ba category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- Protect all superblock modifications (including checksum computation) with a superblock buffer lock. That way we are sure computed checksum matches current superblock contents (a mismatch could cause checksum failures in nojournal mode or if an unjournalled superblock update races with a journalled one). Also we avoid modifying superblock contents while it is being written out (which can cause DIF/DIX failures if we are running in nojournal mode). Signed-off-by:
Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20201216101844.22917-4-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-v5.11-rc4 commit 4392fbc4bab57db3760f0fb61258cb7089b37665 category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- Everybody passes 1 as sync argument of ext4_commit_super(). Just drop it. Reviewed-by:
Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20201216101844.22917-3-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-v5.11-rc4 commit e789ca0cc1d51296832b8424fa4008ce6e9d1703 category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- save_error_info() is always called together with ext4_handle_error(). Combine them into a single call and move unconditional bits out of save_error_info() into ext4_handle_error(). Signed-off-by:
Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20201216101844.22917-2-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
conflicts:
fs/ext4/super.c
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-v5.11-rc1 commit c92dc856848f32781e37b88c1b7f875e274f5efb category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- When filesystem inconsistency is detected with group locked, we currently try to modify superblock to store error there without blocking. However this can cause superblock checksum failures (or DIF/DIX failure) when the superblock is just being written out. Make error handling code just store error information in ext4_sb_info structure and copy it to on-disk superblock only in ext4_commit_super(). In case of error happening with group locked, we just postpone the superblock flushing to a workqueue. [ Added fixup so that s_first_error_* does not get updated after the file system is remounted. Also added fix for syzbot failure. - Ted ] Signed-off-by:
Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20201127113405.26867-8-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Hillf Danton <hdanton@sina.com>
Reported-by: <syzbot+9043030c040ce1849a60@syzkaller.appspotmail.com>
conflicts:
fs/ext4/ext4.h
fs/ext4/super.c
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-v5.11-rc1 commit 02a7780e4d2fcf438ac6773bc469e7ada2af56be category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- We convert errno's to ext4 on-disk format error codes in save_error_info(). Add a function and a bit of macro magic to make this simpler. Signed-off-by:
Jan Kara <jack@suse.cz>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Link: https://lore.kernel.org/r/20201127113405.26867-7-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
conflicts:
fs/ext4/super.c
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-v5.11-rc1 commit 4067662388f97d0f360e568820d9d5bac6a3c9fa category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- Just move error info related functions in super.c close to ext4_handle_error(). We'll want to combine save_error_info() with ext4_handle_error() and this makes change more obvious and saves a forward declaration as well. No functional change. Signed-off-by:
Jan Kara <jack@suse.cz>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Link: https://lore.kernel.org/r/20201127113405.26867-6-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
conflicts:
fs/ext4/super.c
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-v5.11-rc1 commit 014c9caa29d3a44e0de695c99ef18bec3e887d52 category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- The only difference between __ext4_abort() and __ext4_error() is that the former one ignores errors=continue mount option. Unify the code to reduce duplication. Signed-off-by:
Jan Kara <jack@suse.cz>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Link: https://lore.kernel.org/r/20201127113405.26867-5-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
conflicts:
fs/ext4/super.c
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Jan Kara authored
mainline inclusion from mainline-v5.11-rc1 commit 93c20bc3eafba52c134cf5183f18833b9bd22bf8 category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- We use __ext4_error() when ext4_protect_reserved_inode() finds filesystem corruption. However EXT4_ERROR_INODE_ERR() is perfectly capable of reporting all the needed information. So just use that. Signed-off-by:
Jan Kara <jack@suse.cz>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Link: https://lore.kernel.org/r/20201127113405.26867-4-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
conflicts:
fs/ext4/block_validity.c
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> -
Theodore Ts'o authored
mainline inclusion from mainline-v5.7-rc1 commit 54d3adbc category: bugfix bugzilla: 46758 CVE: NA ----------------------------------------------- Using a separate function, ext4_set_errno() to set the errno is problematic because it doesn't do the right thing once s_last_error_errorcode is non-zero. It's also less racy to set all of the error information all at once. (Also, as a bonus, it shrinks code size slightly.) Link: https://lore.kernel.org/r/20200329020404.686965-1-tytso@mit.edu Fixes: 878520ac ("ext4: save the error code which triggered...") Signed-off-by:
Theodore Ts'o <tytso@mit.edu>
conflicts:
fs/ext4/balloc.c
fs/ext4/block_validity.c
fs/ext4/ialloc.c
fs/ext4/inode.c
fs/ext4/namei.c
fs/ext4/super.c
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
-