Revision tags: v6.10-rc4 |
|
#
2ef5971f |
| 11-Jun-2024 |
Linus Torvalds <torvalds@linux-foundation.org> |
Merge tag 'vfs-6.10-rc4.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
Pull vfs fixes from Christian Brauner:
"Misc:
 - Restore debugfs behavior of ignoring unknown mount options
 - Fix kernel doc for netfs_wait_for_oustanding_io()
 - Fix struct statx comment after new addition for this cycle
 - Fix a check in find_next_fd()
iomap:
 - Fix data zeroing behavior when an extent spans the block that contains i_size
 - Restore i_size increasing in iomap_write_end() for now to avoid stale data exposure on xfs with a realtime device
Cachefiles:
 - Remove unneeded fdtable.h include
 - Improve trace output for cachefiles_obj_{get,put}_ondemand_fd()
 - Remove requests from the request list to prevent accessing already freed requests
 - Fix UAF when issuing restore command while the daemon is still alive by adding an additional reference count to requests
 - Fix UAF by grabbing a reference during xarray lookup with xa_lock() held
 - Simplify error handling in cachefiles_ondemand_daemon_read()
 - Add consistency checks read and open requests to avoid crashes
 - Add a spinlock to protect ondemand_id variable which is used to determine whether an anonymous cachefiles fd has already been closed
 - Make on-demand reads killable allowing to handle broken cachefiles daemon better
 - Flush all requests after the kernel has been marked dead via CACHEFILES_DEAD to avoid hung-tasks
 - Ensure that closed requests are marked as such to avoid reusing them with a reopen request
 - Defer fd_install() until after copy_to_user() succeeded and thereby get rid of having to use close_fd()
 - Ensure that anonymous cachefiles on-demand fds are reused while they are valid to avoid pinning already freed cookies"
* tag 'vfs-6.10-rc4.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
  iomap: Fix iomap_adjust_read_range for plen calculation
  iomap: keep on increasing i_size in iomap_write_end()
  cachefiles: remove unneeded include of <linux/fdtable.h>
  fs/file: fix the check in find_next_fd()
  cachefiles: make on-demand read killable
  cachefiles: flush all requests after setting CACHEFILES_DEAD
  cachefiles: Set object to close if ondemand_id < 0 in copen
  cachefiles: defer exposing anon_fd until after copy_to_user() succeeds
  cachefiles: never get a new anonymous fd if ondemand_id is valid
  cachefiles: add spin_lock for cachefiles_ondemand_info
  cachefiles: add consistency check for copen/cread
  cachefiles: remove err_put_fd label in cachefiles_ondemand_daemon_read()
  cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()
  cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()
  cachefiles: remove requests from xarray during flushing requests
  cachefiles: add output string to cachefiles_obj_[get|put]_ondemand_fd
  statx: Update offset commentary for struct statx
  netfs: fix kernel doc for nets_wait_for_outstanding_io()
  debugfs: continue to ignore unknown mount options
|
Revision tags: v6.10-rc3, v6.10-rc2 |
|
#
a82c13d2 |
| 29-May-2024 |
Christian Brauner <brauner@kernel.org> |
Merge patch series "cachefiles: some bugfixes and cleanups for ondemand requests"
libaokun@huaweicloud.com <libaokun@huaweicloud.com> says:
We've been testing ondemand mode for cachefiles since January, and we're almost done. We hit a lot of issues during the testing period, and this patch set fixes some of the issues related to ondemand requests. The patches have passed internal testing without regression.
The following is a brief overview of the patches, see the patches for more details.
Patch 1-5: Holding reference counts of reqs and objects on read requests to avoid malicious restore leading to use-after-free.
Patch 6-10: Add some consistency checks to copen/cread/get_fd to avoid malicious copen/cread/close fd injections causing use-after-free or hung.
Patch 11: When cache is marked as CACHEFILES_DEAD, flush all requests, otherwise the kernel may be hung. Since this state is irreversible, the daemon can read open requests but cannot copen.
Patch 12: Allow interrupting a read request being processed by killing the read process as a way of avoiding hung in some special cases.
 fs/cachefiles/daemon.c            |   3 +-
 fs/cachefiles/internal.h          |   5 +
 fs/cachefiles/ondemand.c          | 217 ++++++++++++++++++++++--------
 include/trace/events/cachefiles.h |   8 +-
 4 files changed, 176 insertions(+), 57 deletions(-)
* patches from https://lore.kernel.org/r/20240522114308.2402121-1-libaokun@huaweicloud.com:
  cachefiles: make on-demand read killable
  cachefiles: flush all requests after setting CACHEFILES_DEAD
  cachefiles: Set object to close if ondemand_id < 0 in copen
  cachefiles: defer exposing anon_fd until after copy_to_user() succeeds
  cachefiles: never get a new anonymous fd if ondemand_id is valid
  cachefiles: add spin_lock for cachefiles_ondemand_info
  cachefiles: add consistency check for copen/cread
  cachefiles: remove err_put_fd label in cachefiles_ondemand_daemon_read()
  cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()
  cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()
  cachefiles: remove requests from xarray during flushing requests
  cachefiles: add output string to cachefiles_obj_[get|put]_ondemand_fd
Signed-off-by: Christian Brauner <brauner@kernel.org>
|
Revision tags: v6.10-rc1 |
|
#
85e833cd |
| 22-May-2024 |
Baokun Li <libaokun1@huawei.com> |
cachefiles: flush all requests after setting CACHEFILES_DEAD
In ondemand mode, when the daemon is processing an open request, if the kernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write() will always return -EIO, so the daemon can't pass the copen to the kernel. Then the kernel process that is waiting for the copen triggers a hung_task.
Since the DEAD state is irreversible, it can only be exited by closing /dev/cachefiles. Therefore, after calling cachefiles_io_error() to mark the cache as CACHEFILES_DEAD, if in ondemand mode, flush all requests to avoid the above hungtask. We may still be able to read some of the cached data before closing the fd of /dev/cachefiles.
Note that this relies on the patch that adds reference counting to the req, otherwise it may UAF.
Fixes: c8383054506c ("cachefiles: notify the user daemon when looking up cookie")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Link: https://lore.kernel.org/r/20240522114308.2402121-12-libaokun@huaweicloud.com
Acked-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
|
#
0fc75c59 |
| 22-May-2024 |
Baokun Li <libaokun1@huawei.com> |
cachefiles: remove requests from xarray during flushing requests
Even with CACHEFILES_DEAD set, we can still read the requests, so in the following concurrency the request may be used after it has been freed:
     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
 cachefiles_ondemand_init_object
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)
            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
                                  // close dev fd
                                  cachefiles_flush_reqs
                                   complete(&REQ_A->done)
   kfree(REQ_A)
              xa_lock(&cache->reqs);
              cachefiles_ondemand_select_req
                req->msg.opcode != CACHEFILES_OP_READ
                // req use-after-free !!!
              xa_unlock(&cache->reqs);
                                   xa_destroy(&cache->reqs)
Hence remove requests from cache->reqs when flushing them to avoid accessing freed requests.
Fixes: c8383054506c ("cachefiles: notify the user daemon when looking up cookie")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Link: https://lore.kernel.org/r/20240522114308.2402121-3-libaokun@huaweicloud.com
Acked-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
|
Revision tags: v6.9, v6.9-rc7, v6.9-rc6, v6.9-rc5, v6.9-rc4, v6.9-rc3, v6.9-rc2, v6.9-rc1 |
|
#
5e280611 |
| 18-Mar-2024 |
Andrew Morton <akpm@linux-foundation.org> |
Merge branch 'master' into mm-stable
|
#
79790b68 |
| 12-Apr-2024 |
Thomas Hellström <thomas.hellstrom@linux.intel.com> |
Merge drm/drm-next into drm-xe-next
Backmerging drm-next in order to get up-to-date and in particular to access commit 9ca5facd0400f610f3f7f71aeb7fc0b949a48c67.
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
|
Revision tags: v6.8, v6.8-rc7 |
|
#
06d07429 |
| 29-Feb-2024 |
Jani Nikula <jani.nikula@intel.com> |
Merge drm/drm-next into drm-intel-next
Sync to get the drm_printer changes to drm-intel-next.
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
|
#
a2e7496b |
| 13-Mar-2024 |
Thomas Zimmermann <tzimmermann@suse.de> |
Merge drm/drm-fixes into drm-misc-fixes
Backmerging to sync before merging the patchset at [1].
[1] https://lore.kernel.org/all/cover.1709913674.git.jani.nikula@intel.com/
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
|
#
9f234784 |
| 21-Mar-2024 |
Takashi Iwai <tiwai@suse.de> |
Merge tag 'asoc-fix-v6.9-merge-window' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v6.9
A bunch of fixes that came in during the merge window, probably the most substantial thing is the DPCM locking fix for compressed audio which has been lurking for a while.
|
#
5bd249ae |
| 18-Mar-2024 |
Mark Brown <broonie@kernel.org> |
spi: Merge up v6.8 release
An i.MX fix depends on other fixes that were sent to v6.8.
|
#
e25293d9 |
| 13-Mar-2024 |
Mark Brown <broonie@kernel.org> |
ASoC: Merge up release
In order to apply additional fixes that depend on the fixes merged for v6.8 merge up the final release.
|
#
13a44ba0 |
| 27-Feb-2024 |
Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
Merge 6.8-rc6 into tty-next
We need the tty/serial fixes in here as well.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
a560a567 |
| 26-Feb-2024 |
Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
Merge v6.8-rc6 into usb-next
We need it here for the USB fixes, and it resolves a merge conflict as reported in linux-next in drivers/usb/roles/class.c
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
233d0bc4 |
| 11-Mar-2024 |
Paolo Bonzini <pbonzini@redhat.com> |
Merge tag 'loongarch-kvm-6.9' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson into HEAD
LoongArch KVM changes for v6.9
* Set reserved bits as zero in CPUCFG.
* Start SW timer only when vcpu is blocking.
* Do not restart SW timer when it is expired.
* Remove unnecessary CSR register saving during enter guest.
|
#
e9c717be |
| 05-Mar-2024 |
Bartosz Golaszewski <bartosz.golaszewski@linaro.org> |
Merge tag 'v6.8-rc7' into gpio/for-next
Linux 6.8-rc7
|
#
177bce60 |
| 04-Mar-2024 |
Rob Clark <robdclark@chromium.org> |
Merge tag 'drm-misc-next-2024-02-29' into msm-next
Merge to pick up commit 47f419e07111 ("drm/dp: move intel_dp_vsc_sdp_pack() to generic helper")
drm-misc-next for v6.9:
UAPI Changes:
Cross-subsystem Changes:
backlight:
- corgi: include backlight header
fbdev:
- Cleanup includes in public header file
- fbtft: Include backlight header
Core Changes:
edid:
- Remove built-in EDID data
dp:
- Avoid AUX transfers on powered-down displays
- Add VSC SDP helpers
modesetting:
- Add sanity checks for polling
- Cleanups
scheduler:
- Cleanups
tests:
- Add helpers for mode-setting tests
Driver Changes:
i915:
- Use shared VSC SDP helper
mgag200:
- Work around PCI write bursts
mxsfb:
- Use managed mode config
nouveau:
- Include backlight header where necessary
qaic:
- Cleanups
sun4:
- HDMI: updates to atomic mode setting
tegra:
- Fix GEM refcounting in error paths
tidss:
- Fix multi display
- Fix initial Z position
v3d:
- Support display MMU page size
Signed-off-by: Rob Clark <robdclark@chromium.org>
|
#
b0fda2fc |
| 26-Feb-2024 |
Thomas Zimmermann <tzimmermann@suse.de> |
Merge drm/drm-next into drm-misc-next-fixes
Backmerging from drm/drm-next to prepare drm-misc-next-fixes for the rest of the release cycle.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
|
#
04751849 |
| 26-Feb-2024 |
Thomas Zimmermann <tzimmermann@suse.de> |
Merge drm/drm-next into drm-misc-next
Backmerging to get drm-misc-next up to v6.8-rc6.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
|
#
f112b68f |
| 26-Feb-2024 |
Daniel Vetter <daniel.vetter@ffwll.ch> |
Merge v6.8-rc6 into drm-next
Thomas Zimmermann asked to backmerge -rc6 for drm-misc branches, there's a few same-area-changed conflicts (xe and amdgpu mostly) that are getting a bit too annoying.
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
Revision tags: v6.8-rc6, v6.8-rc5 |
|
#
41c177cf |
| 11-Feb-2024 |
Rob Clark <robdclark@chromium.org> |
Merge tag 'drm-misc-next-2024-02-08' into msm-next
Merge the drm-misc tree to uprev MSM CI.
Signed-off-by: Rob Clark <robdclark@chromium.org>
|
Revision tags: v6.8-rc4, v6.8-rc3 |
|
#
4db102dc |
| 29-Jan-2024 |
Maxime Ripard <mripard@kernel.org> |
Merge drm/drm-next into drm-misc-next
Kickstart 6.9 development cycle.
Signed-off-by: Maxime Ripard <mripard@kernel.org>
|
Revision tags: v6.8-rc2 |
|
#
be3382ec |
| 23-Jan-2024 |
Lucas De Marchi <lucas.demarchi@intel.com> |
Merge drm/drm-next into drm-xe-next
Sync to v6.8-rc1.
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
|
#
3c94ba52 |
| 04-Mar-2024 |
Ingo Molnar <mingo@kernel.org> |
Merge tag 'v6.8-rc7' into x86/cleanups, to pick up fixes
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
#
65f5dd4f |
| 29-Feb-2024 |
Jakub Kicinski <kuba@kernel.org> |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Cross-merge networking fixes after downstream PR.
Conflicts:
net/mptcp/protocol.c
  adf1bb78dab5 ("mptcp: fix snd_wnd initialization for passive socket")
  9426ce476a70 ("mptcp: annotate lockless access for RX path fields")
https://lore.kernel.org/all/20240228103048.19255709@canb.auug.org.au/
Adjacent changes:
drivers/dpll/dpll_core.c
  0d60d8df6f49 ("dpll: rely on rcu for netdev_dpll_pin()")
  e7f8df0e81bf ("dpll: move xa_erase() call in to match dpll_pin_alloc() error path order")
drivers/net/veth.c
  1ce7d306ea63 ("veth: try harder when allocating queue memory")
  0bef512012b1 ("net: add netdev_lockdep_set_classes() to virtual drivers")
drivers/net/wireless/intel/iwlwifi/mvm/d3.c
  8c9bef26e98b ("wifi: iwlwifi: mvm: d3: implement suspend with MLO")
  78f65fbf421a ("wifi: iwlwifi: mvm: ensure offloading TID queue exists")
net/wireless/nl80211.c
  f78c1375339a ("wifi: nl80211: reject iftype change with mesh ID change")
  414532d8aa89 ("wifi: cfg80211: use IEEE80211_MAX_MESH_ID_LEN appropriately")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
29cd8555 |
| 26-Feb-2024 |
Ingo Molnar <mingo@kernel.org> |
Merge tag 'v6.8-rc6' into x86/boot, to pick up fixes
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|