1. 17 May, 2022 1 commit
    • Steve French's avatar
      SMB3: EBADF/EIO errors in rename/open caused by race condition in smb2_compound_op · 0a55cf74
      Steve French authored
      There is  a race condition in smb2_compound_op:
      
      after_close:
      	num_rqst++;
      
      	if (cfile) {
      		cifsFileInfo_put(cfile); // sends SMB2_CLOSE to the server
      		cfile = NULL;
      
      This is triggered by smb2_query_path_info operation that happens during
      revalidate_dentry. In smb2_query_path_info, get_readable_path is called to
      load the cfile, increasing the reference counter. If in the meantime, this
      reference becomes the very last, this call to cifsFileInfo_put(cfile) will
      trigger a SMB2_CLOSE request sent to the server just before sending this compound
      request – and so then the compound request fails either with EBADF/EIO depending
      on the timing at the server, because the handle is already closed.
      
      In the first scenario, the race seems to be happening between smb2_query_path_info
      triggered by the rename operation, and between “cleanup” of asynchronous writes – while
      fsync(fd) likely waits for the asynchronous writes to complete, releasing the writeback
      structures can happen after the close(fd) call. So the EBADF/EIO errors will pop up if
      the timing is such that:
      1) There are still outstanding references after close(fd) in the writeback structures
      2) smb2_query_path_info successfully fetches the cfile, increasing the refcounter by 1
      3) All writeback structures release the same cfile, reducing refcounter to 1
      4) smb2_compound_op is called with that cfile
      
      In the second scenario, the race seems to be similar – here open triggers the
      smb2_query_path_info operation, and if all other threads in the meantime decrease the
      refcounter to 1 similarly to the first scenario, again SMB2_CLOSE will be sent to the
      server just before issuing the compound request. This case is harder to reproduce.
      
      See https://bugzilla.samba.org/show_bug.cgi?id=15051
      
      Cc: stable@vger.kernel.org
      Fixes: 8de9e86c ("cifs: create a helper to find a writeable handle by path name")
      Signed-off-by: default avatarOndrej Hubsch <ohubsch@purestorage.com>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: default avatarPaulo Alcantara (SUSE) <pc@cjr.nz>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      0a55cf74
  2. 16 May, 2022 1 commit
  3. 15 May, 2022 8 commits
    • Linus Torvalds's avatar
      Merge tag 'driver-core-5.18-rc7' of... · 0cdd776e
      Linus Torvalds authored
      Merge tag 'driver-core-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
      
      Pull driver core fixes from Greg KH:
       "Here is one fix, and three documentation updates for 5.18-rc7.
      
        The fix is for the firmware loader which resolves a long-reported
        problem where the credentials of the firmware loader could be set to a
        userspace process without enough permissions to actually load the
        firmware image. Many Android vendors have been reporting this for
        quite some time.
      
        The documentation updates are for the embargoed-hardware-issues.rst
        file to add a new entry, change an existing one, and sort the list to
        make changes easier in the future.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'driver-core-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        Documentation/process: Update ARM contact for embargoed hardware issues
        Documentation/process: Add embargoed HW contact for Ampere Computing
        Documentation/process: Make groups alphabetical and use tabs consistently
        firmware_loader: use kernel credentials when reading firmware
      0cdd776e
    • Linus Torvalds's avatar
      Merge tag 'char-misc-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 5becde60
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are two small driver fixes for 5.18-rc7 that resolve reported
        problems:
      
         - slimbus driver irq bugfix
      
         - interconnect sync state bugfix
      
        Both of these have been in linux-next with no reported problems"
      
      * tag 'char-misc-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        slimbus: qcom: Fix IRQ check in qcom_slim_probe
        interconnect: Restore sync state by ignoring ipa-virt in provider count
      5becde60
    • Linus Torvalds's avatar
      Merge tag 'tty-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 6811a466
      Linus Torvalds authored
      Pull tty/serial driver fixes from Greg KH:
       "Here are some small tty n_gsm and serial driver fixes for 5.18-rc7
        that resolve reported problems. They include:
      
         - n_gsm fixes for reported issues
      
         - 8250_mtk driver fixes for some platforms
      
         - fsl_lpuart driver fix for reported problem.
      
         - digicolor driver fix for reported problem.
      
        All have been in linux-next for a while with no reported problems"
      
      * tag 'tty-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        fsl_lpuart: Don't enable interrupts too early
        tty: n_gsm: fix invalid gsmtty_write_room() result
        tty: n_gsm: fix mux activation issues in gsm_config()
        tty: n_gsm: fix buffer over-read in gsm_dlci_data()
        serial: 8250_mtk: Fix register address for XON/XOFF character
        serial: 8250_mtk: Make sure to select the right FEATURE_SEL
        serial: 8250_mtk: Fix UART_EFR register address
        tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe()
      6811a466
    • Linus Torvalds's avatar
      Merge tag 'usb-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · fc49583c
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small fixes for reported issues with some USB drivers.
        They include:
      
         - xhci fixes for xhci-mtk platform driver
      
         - typec driver fixes for reported problems.
      
         - cdc-wdm read-stuck fix
      
         - gadget driver fix for reported race condition
      
         - new usb-serial driver ids
      
        All of these have been in linux-next with no reported problems"
      
      * tag 'usb-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: xhci-mtk: remove bandwidth budget table
        usb: xhci-mtk: fix fs isoc's transfer error
        usb: gadget: fix race when gadget driver register via ioctl
        usb: typec: tcpci_mt6360: Update for BMC PHY setting
        usb: gadget: uvc: allow for application to cleanly shutdown
        usb: typec: tcpci: Don't skip cleanup in .remove() on error
        usb: cdc-wdm: fix reading stuck on device close
        USB: serial: qcserial: add support for Sierra Wireless EM7590
        USB: serial: option: add Fibocom MA510 modem
        USB: serial: option: add Fibocom L610 modem
        USB: serial: pl2303: add device id for HP LM930 Display
      fc49583c
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.18-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · bc403203
      Linus Torvalds authored
      Pull powerpc fix from Michael Ellerman:
      
       - Fix KVM PR on 32-bit, which was broken by some MMU code refactoring.
      
      Thanks to: Alexander Graf, and Matt Evans.
      
      * tag 'powerpc-5.18-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        KVM: PPC: Book3S PR: Enable MSR_DR for switch_mmu_context()
      bc403203
    • Linus Torvalds's avatar
      Merge tag 'x86-urgent-2022-05-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 79dc4fc2
      Linus Torvalds authored
      Pull x86 fix from Thomas Gleixner:
       "A single fix for the handling of unpopulated sub-pmd spaces.
      
        The copy & pasta from the corresponding s390 code screwed up the
        address calculation for marking the sub-pmd ranges via memset by
        omitting the ALIGN_DOWN() to calculate the proper start address.
      
        It's a mystery why this code is not generic and shared because there
        is nothing architecture specific in there, but that's too intrusive
        for a backportable fix"
      
      * tag 'x86-urgent-2022-05-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mm: Fix marking of unused sub-pmd ranges
      79dc4fc2
    • Linus Torvalds's avatar
      Merge tag 'sched-urgent-2022-05-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 990e798d
      Linus Torvalds authored
      Pull scheduler fix from Thomas Gleixner:
       "The recent expansion of the sched switch tracepoint inserted a new
        argument in the middle of the arguments. This reordering broke BPF
        programs which relied on the old argument list.
      
        While tracepoints are not considered stable ABI, it's not trivial to
        make BPF cope with such a change, but it's being worked on. For now
        restore the original argument order and move the new argument to the
        end of the argument list"
      
      * tag 'sched-urgent-2022-05-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/tracing: Append prev_state to tp args instead
      990e798d
    • Linus Torvalds's avatar
      Merge tag 'irq-urgent-2022-05-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · fb756280
      Linus Torvalds authored
      Pull irq fix from Thomas Gleixner:
       "A single fix for a recent (introduced in 5.16) regression in the core
        interrupt code.
      
        The consolidation of the interrupt handler invocation code added an
        unconditional warning when generic_handle_domain_irq() is invoked from
        outside hard interrupt context. That's overbroad as the requirement
        for invoking these handlers in hard interrupt context is only required
        for certain interrupt types. The subsequently called code already
        contains a warning which triggers conditionally for interrupt chips
        which indicate this requirement in their properties.
      
        Remove the overbroad one"
      
      * tag 'irq-urgent-2022-05-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        genirq: Remove WARN_ON_ONCE() in generic_handle_domain_irq()
      fb756280
  4. 14 May, 2022 1 commit
  5. 13 May, 2022 25 commits
  6. 12 May, 2022 4 commits
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2022-05-12' of... · c8f0c2d4
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2022-05-12' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      Fix for #5732: (Cc stable) kernel memory corruption when running a lot of OpenCL tests in parallel
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/YnykW6L4e7vD3yl3@jlahtine-mobl.ger.corp.intel.com
      c8f0c2d4
    • Linus Torvalds's avatar
      Merge tag 'net-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · f3f19f93
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from wireless, and bluetooth.
      
        No outstanding fires.
      
        Current release - regressions:
      
         - eth: atlantic: always deep reset on pm op, fix null-deref
      
        Current release - new code bugs:
      
         - rds: use maybe_get_net() when acquiring refcount on TCP sockets
           [refinement of a previous fix]
      
         - eth: ocelot: mark traps with a bool instead of guessing type based
           on list membership
      
        Previous releases - regressions:
      
         - net: fix skipping features in for_each_netdev_feature()
      
         - phy: micrel: fix null-derefs on suspend/resume and probe
      
         - bcmgenet: check for Wake-on-LAN interrupt probe deferral
      
        Previous releases - always broken:
      
         - ipv4: drop dst in multicast routing path, prevent leaks
      
         - ping: fix address binding wrt vrf
      
         - net: fix wrong network header length when BPF protocol translation
           is used on skbs with a fraglist
      
         - bluetooth: fix the creation of hdev->name
      
         - rfkill: uapi: fix RFKILL_IOCTL_MAX_SIZE ioctl request definition
      
         - wifi: iwlwifi: iwl-dbg: use del_timer_sync() before freeing
      
         - wifi: ath11k: reduce the wait time of 11d scan and hw scan while
           adding an interface
      
         - mac80211: fix rx reordering with non explicit / psmp ack policy
      
         - mac80211: reset MBSSID parameters upon connection
      
         - nl80211: fix races in nl80211_set_tx_bitrate_mask()
      
         - tls: fix context leak on tls_device_down
      
         - sched: act_pedit: really ensure the skb is writable
      
         - batman-adv: don't skb_split skbuffs with frag_list
      
         - eth: ocelot: fix various issues with TC actions (null-deref; bad
           stats; ineffective drops; ineffective filter removal)"
      
      * tag 'net-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (61 commits)
        tls: Fix context leak on tls_device_down
        net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe()
        net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending
        net: dsa: bcm_sf2: Fix Wake-on-LAN with mac_link_down()
        mlxsw: Avoid warning during ip6gre device removal
        net: bcmgenet: Check for Wake-on-LAN interrupt probe deferral
        net: ethernet: mediatek: ppe: fix wrong size passed to memset()
        Bluetooth: Fix the creation of hdev->name
        i40e: i40e_main: fix a missing check on list iterator
        net/sched: act_pedit: really ensure the skb is writable
        s390/lcs: fix variable dereferenced before check
        s390/ctcm: fix potential memory leak
        s390/ctcm: fix variable dereferenced before check
        net: atlantic: verify hw_head_ lies within TX buffer ring
        net: atlantic: add check for MAX_SKB_FRAGS
        net: atlantic: reduce scope of is_rsc_complete
        net: atlantic: fix "frag[0] not initialized"
        net: stmmac: fix missing pci_disable_device() on error in stmmac_pci_probe()
        net: phy: micrel: Fix incorrect variable type in micrel
        decnet: Use container_of() for struct dn_neigh casts
        ...
      f3f19f93
    • Linus Torvalds's avatar
      Merge branch 'for-5.18-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · 0ac824f3
      Linus Torvalds authored
      Pull cgroup fix from Tejun Heo:
       "Waiman's fix for a cgroup2 cpuset bug where it could miss nodes which
        were hot-added"
      
      * 'for-5.18-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp()
      0ac824f3
    • Linus Torvalds's avatar
      Merge tag 'fixes_for_v5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · c37dba6a
      Linus Torvalds authored
      Pull fs fixes from Jan Kara:
       "Three fixes that I'd still like to get to 5.18:
      
         - add a missing sanity check in the fanotify FAN_RENAME feature
           (added in 5.17, let's fix it before it gets wider usage in
           userspace)
      
         - udf fix for recently introduced filesystem corruption issue
      
         - writeback fix for a race in inode list handling that can lead to
           delayed writeback and possible dirty throttling stalls"
      
      * tag 'fixes_for_v5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        udf: Avoid using stale lengthOfImpUse
        writeback: Avoid skipping inode writeback
        fanotify: do not allow setting dirent events in mask of non-dir
      c37dba6a