1. 12 May, 2023 12 commits
  2. 11 May, 2023 19 commits
  3. 10 May, 2023 9 commits
    • Linus Torvalds's avatar
      Merge tag 'fsnotify_for_v6.4-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · d295b66a
      Linus Torvalds authored
      Pull inotify fix from Jan Kara:
       "A fix for possibly reporting invalid watch descriptor with inotify
        event"
      
      * tag 'fsnotify_for_v6.4-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        inotify: Avoid reporting event with invalid wd
      d295b66a
    • Linus Torvalds's avatar
      Merge tag 'gfs2-v6.3-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 · 2a78769d
      Linus Torvalds authored
      Pull gfs2 fix from Andreas Gruenbacher:
      
       - Fix a NULL pointer dereference when mounting corrupted filesystems
      
      * tag 'gfs2-v6.3-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2:
        gfs2: Don't deref jdesc in evict
      2a78769d
    • Bob Peterson's avatar
      gfs2: Don't deref jdesc in evict · 504a10d9
      Bob Peterson authored
      On corrupt gfs2 file systems the evict code can try to reference the
      journal descriptor structure, jdesc, after it has been freed and set to
      NULL. The sequence of events is:
      
      init_journal()
      ...
      fail_jindex:
         gfs2_jindex_free(sdp); <------frees journals, sets jdesc = NULL
            if (gfs2_holder_initialized(&ji_gh))
               gfs2_glock_dq_uninit(&ji_gh);
      fail:
         iput(sdp->sd_jindex); <--references jdesc in evict_linked_inode
            evict()
               gfs2_evict_inode()
                  evict_linked_inode()
                     ret = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks);
      <------references the now freed/zeroed sd_jdesc pointer.
      
      The call to gfs2_trans_begin is done because the truncate_inode_pages
      call can cause gfs2 events that require a transaction, such as removing
      journaled data (jdata) blocks from the journal.
      
      This patch fixes the problem by adding a check for sdp->sd_jdesc to
      function gfs2_evict_inode. In theory, this should only happen to corrupt
      gfs2 file systems, when gfs2 detects the problem, reports it, then tries
      to evict all the system inodes it has read in up to that point.
      Reported-by: default avatarYang Lan <lanyang0908@gmail.com>
      Signed-off-by: default avatarBob Peterson <rpeterso@redhat.com>
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      504a10d9
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v6.4-2' of... · ad2fd53a
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v6.4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fixes from Hans de Goede:
       "Nothing special to report just various small fixes:
      
         - thinkpad_acpi: Fix profile (performance/bal/low-power) regression
           on T490
      
         - misc other small fixes / hw-id additions"
      
      * tag 'platform-drivers-x86-v6.4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/mellanox: fix potential race in mlxbf-tmfifo driver
        platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i
        platform/x86: touchscreen_dmi: Add upside-down quirk for GDIX1002 ts on the Juno Tablet
        platform/x86: thinkpad_acpi: Add profile force ability
        platform/x86: thinkpad_acpi: Fix platform profiles on T490
        platform/x86: hp-wmi: add micmute to hp_wmi_keymap struct
        platform/x86/intel-uncore-freq: Return error on write frequency
        platform/x86: intel_scu_pcidrv: Add back PCI ID for Medfield
      ad2fd53a
    • Colin Foster's avatar
      net: mscc: ocelot: fix stat counter register values · cdc2e28e
      Colin Foster authored
      Commit d4c36765 ("net: mscc: ocelot: keep ocelot_stat_layout by reg
      address, not offset") organized the stats counters for Ocelot chips, namely
      the VSC7512 and VSC7514. A few of the counter offsets were incorrect, and
      were caught by this warning:
      
      WARNING: CPU: 0 PID: 24 at drivers/net/ethernet/mscc/ocelot_stats.c:909
      ocelot_stats_init+0x1fc/0x2d8
      reg 0x5000078 had address 0x220 but reg 0x5000079 has address 0x214,
      bulking broken!
      
      Fix these register offsets.
      
      Fixes: d4c36765 ("net: mscc: ocelot: keep ocelot_stat_layout by reg address, not offset")
      Signed-off-by: default avatarColin Foster <colin.foster@in-advantage.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cdc2e28e
    • Ilia.Gavrilov's avatar
      sctp: fix a potential OOB access in sctp_sched_set_sched() · 059fa492
      Ilia.Gavrilov authored
      The 'sched' index value must be checked before accessing an element
      of the 'sctp_sched_ops' array. Otherwise, it can lead to OOB access.
      
      Note that it's harmless since the 'sched' parameter is checked before
      calling 'sctp_sched_set_sched'.
      
      Found by InfoTeCS on behalf of Linux Verification Center
      (linuxtesting.org) with SVACE.
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarIlia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      059fa492
    • wuych's avatar
      net: liquidio: lio_vf_main: Remove unnecessary (void*) conversions · 6096bc05
      wuych authored
      Pointer variables of void * type do not require type cast.
      Signed-off-by: default avatarwuych <yunchuan@nfschina.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6096bc05
    • Subbaraya Sundeep's avatar
      macsec: Use helper macsec_netdev_priv for offload drivers · bd9424ef
      Subbaraya Sundeep authored
      Now macsec on top of vlan can be offloaded to macsec offloading
      devices so that VLAN tag is sent in clear text on wire i.e,
      packet structure is DMAC|SMAC|VLAN|SECTAG. Offloading devices can
      simply enable NETIF_F_HW_MACSEC feature in netdev->vlan_features for
      this to work. But the logic in offloading drivers to retrieve the
      private structure from netdev needs to be changed to check whether
      the netdev received is real device or a vlan device and get private
      structure accordingly. This patch changes the offloading drivers to
      use helper macsec_netdev_priv instead of netdev_priv.
      Signed-off-by: default avatarSubbaraya Sundeep <sbhatta@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bd9424ef
    • t.feng's avatar
      ipvlan:Fix out-of-bounds caused by unclear skb->cb · 90cbed52
      t.feng authored
      If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which
      is actually skb->cb, and IPCB(skb_in)->opt will be used in
      __ip_options_echo. It is possible that memcpy is out of bounds and lead
      to stack overflow.
      We should clear skb->cb before ip_local_out or ip6_local_out.
      
      v2:
      1. clean the stack info
      2. use IPCB/IP6CB instead of skb->cb
      
      crash on stable-5.10(reproduce in kasan kernel).
      Stack info:
      [ 2203.651571] BUG: KASAN: stack-out-of-bounds in
      __ip_options_echo+0x589/0x800
      [ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task
      swapper/3/0
      [ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted
      5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1
      [ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
      [ 2203.655475] Call Trace:
      [ 2203.655481]  <IRQ>
      [ 2203.655501]  dump_stack+0x9c/0xd3
      [ 2203.655514]  print_address_description.constprop.0+0x19/0x170
      [ 2203.655530]  __kasan_report.cold+0x6c/0x84
      [ 2203.655586]  kasan_report+0x3a/0x50
      [ 2203.655594]  check_memory_region+0xfd/0x1f0
      [ 2203.655601]  memcpy+0x39/0x60
      [ 2203.655608]  __ip_options_echo+0x589/0x800
      [ 2203.655654]  __icmp_send+0x59a/0x960
      [ 2203.655755]  nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]
      [ 2203.655763]  reject_tg+0x77/0x1bf [ipt_REJECT]
      [ 2203.655772]  ipt_do_table+0x691/0xa40 [ip_tables]
      [ 2203.655821]  nf_hook_slow+0x69/0x100
      [ 2203.655828]  __ip_local_out+0x21e/0x2b0
      [ 2203.655857]  ip_local_out+0x28/0x90
      [ 2203.655868]  ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]
      [ 2203.655931]  ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan]
      [ 2203.655967]  ipvlan_queue_xmit+0xb3/0x190 [ipvlan]
      [ 2203.655977]  ipvlan_start_xmit+0x2e/0xb0 [ipvlan]
      [ 2203.655984]  xmit_one.constprop.0+0xe1/0x280
      [ 2203.655992]  dev_hard_start_xmit+0x62/0x100
      [ 2203.656000]  sch_direct_xmit+0x215/0x640
      [ 2203.656028]  __qdisc_run+0x153/0x1f0
      [ 2203.656069]  __dev_queue_xmit+0x77f/0x1030
      [ 2203.656173]  ip_finish_output2+0x59b/0xc20
      [ 2203.656244]  __ip_finish_output.part.0+0x318/0x3d0
      [ 2203.656312]  ip_finish_output+0x168/0x190
      [ 2203.656320]  ip_output+0x12d/0x220
      [ 2203.656357]  __ip_queue_xmit+0x392/0x880
      [ 2203.656380]  __tcp_transmit_skb+0x1088/0x11c0
      [ 2203.656436]  __tcp_retransmit_skb+0x475/0xa30
      [ 2203.656505]  tcp_retransmit_skb+0x2d/0x190
      [ 2203.656512]  tcp_retransmit_timer+0x3af/0x9a0
      [ 2203.656519]  tcp_write_timer_handler+0x3ba/0x510
      [ 2203.656529]  tcp_write_timer+0x55/0x180
      [ 2203.656542]  call_timer_fn+0x3f/0x1d0
      [ 2203.656555]  expire_timers+0x160/0x200
      [ 2203.656562]  run_timer_softirq+0x1f4/0x480
      [ 2203.656606]  __do_softirq+0xfd/0x402
      [ 2203.656613]  asm_call_irq_on_stack+0x12/0x20
      [ 2203.656617]  </IRQ>
      [ 2203.656623]  do_softirq_own_stack+0x37/0x50
      [ 2203.656631]  irq_exit_rcu+0x134/0x1a0
      [ 2203.656639]  sysvec_apic_timer_interrupt+0x36/0x80
      [ 2203.656646]  asm_sysvec_apic_timer_interrupt+0x12/0x20
      [ 2203.656654] RIP: 0010:default_idle+0x13/0x20
      [ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc
      cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb
      f4 <c3> cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08
      [ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256
      [ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX:
      ffffffffaf290191
      [ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI:
      ffff88811a3c4f60
      [ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09:
      ffff88811a3c4f63
      [ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12:
      0000000000000003
      [ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15:
      0000000000000000
      [ 2203.656729]  default_idle_call+0x5a/0x150
      [ 2203.656735]  cpuidle_idle_call+0x1c6/0x220
      [ 2203.656780]  do_idle+0xab/0x100
      [ 2203.656786]  cpu_startup_entry+0x19/0x20
      [ 2203.656793]  secondary_startup_64_no_verify+0xc2/0xcb
      
      [ 2203.657409] The buggy address belongs to the page:
      [ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0
      mapping:0000000000000000 index:0x0 pfn:0x11a388
      [ 2203.658665] flags:
      0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
      [ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208
      0000000000000000
      [ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff
      0000000000000000
      [ 2203.658686] page dumped because: kasan: bad access detected
      
      To reproduce(ipvlan with IPVLAN_MODE_L3):
      Env setting:
      =======================================================
      modprobe ipvlan ipvlan_default_mode=1
      sysctl net.ipv4.conf.eth0.forwarding=1
      iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j
      MASQUERADE
      ip link add gw link eth0 type ipvlan
      ip -4 addr add 20.0.0.254/24 dev gw
      ip netns add net1
      ip link add ipv1 link eth0 type ipvlan
      ip link set ipv1 netns net1
      ip netns exec net1 ip link set ipv1 up
      ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1
      ip netns exec net1 route add default gw 20.0.0.254
      ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10%
      ifconfig gw up
      iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with
      icmp-port-unreachable
      =======================================================
      And then excute the shell(curl any address of eth0 can reach):
      
      for((i=1;i<=100000;i++))
      do
              ip netns exec net1 curl x.x.x.x:8888
      done
      =======================================================
      
      Fixes: 2ad7bf36 ("ipvlan: Initial check-in of the IPVLAN driver.")
      Signed-off-by: default avatar"t.feng" <fengtao40@huawei.com>
      Suggested-by: default avatarFlorian Westphal <fw@strlen.de>
      Reviewed-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      90cbed52