Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-6.0.y 2021-08-09T14:56:00+00:00 2021-08-09T14:56:00+00:00 Bart Van Assche bvanassche@acm.org 2021-08-05T04:35:01+00:00 urn:sha1:769f52676756b8c5feb302d2d95af59577fc69ec Instead of appending new text attribute data at the offset specified by the write() system call, only pass the newly written data to the .store() callback. Reported-by: Bodo Stroesser <bostroesser@gmail.com> Tested-by: Bodo Stroesser <bostroesser@gmail.com> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Christoph Hellwig <hch@lst.de> 2021-07-13T18:56:24+00:00 Bart Van Assche bvanassche@acm.org 2021-07-13T17:49:26+00:00 urn:sha1:420405ecde061fde76d67bd3a67577a563ea758e Commit 7fe1e79b59ba ("configfs: implement the .read_iter and .write_iter methods") changed the simple_read_from_buffer() calls into copy_to_iter() calls and the simple_write_to_buffer() calls into copy_from_iter() calls. The simple*buffer() methods update the file offset (*ppos) but the read and write iterators not yet. Make the read and write iterators update the file offset (iocb->ki_pos). This patch has been tested as follows: # modprobe target_core_user # dd if=/sys/kernel/config/target/dbroot bs=1 /var/target 12+0 records in 12+0 records out 12 bytes copied, 9.5539e-05 s, 126 kB/s # cd /sys/kernel/config/acpi/table # mkdir test # cd test # dmesg -c >/dev/null; printf 'SSDT\x8\0\0\0abcdefghijklmnopqrstuvwxyz' | dd of=aml bs=1; dmesg -c 34+0 records in 34+0 records out 34 bytes copied, 0.010627 s, 3.2 kB/s [ 261.056551] ACPI configfs: invalid table length Reported-by: Yanko Kaneti <yaneti@declera.com> Cc: Yanko Kaneti <yaneti@declera.com> Fixes: 7fe1e79b59ba ("configfs: implement the .read_iter and .write_iter methods") Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Christoph Hellwig <hch@lst.de> 2021-06-22T07:46:28+00:00 Christoph Hellwig hch@lst.de 2021-06-22T07:43:56+00:00 urn:sha1:c886fa3cf6ffbe13006053ceb27c93d41928de30 Remove the clearing of various fields just before freeing the buffer structure. Signed-off-by: Christoph Hellwig <hch@lst.de> 2021-06-22T07:46:26+00:00 Chung-Chiang Cheng shepjeng@gmail.com 2021-06-18T07:59:25+00:00 urn:sha1:3c252b087de08d3cb32468b54a158bd7ad0ae2f7 When reading binary attributes in progress, buffer->bin_buffer is setup in configfs_read_bin_file() but never freed. Fixes: 03607ace807b4 ("configfs: implement binary attributes") Signed-off-by: Chung-Chiang Cheng <cccheng@synology.com> [hch: move the vfree rather than duplicating it] Signed-off-by: Christoph Hellwig <hch@lst.de> 2021-05-25T08:30:56+00:00 Bart Van Assche bvanassche@acm.org 2021-05-25T08:30:21+00:00 urn:sha1:7fe1e79b59ba02fb6bdc45d324f88f1ba97d3ab4 Configfs is one of the few filesystems that does not yet support the .read_iter and .write_iter callbacks. This patch adds support for these methods in configfs. Signed-off-by: Bart Van Assche <bvanassche@acm.org> [hch: split out a separate fix] Signed-off-by: Christoph Hellwig <hch@lst.de> 2021-05-25T08:30:31+00:00 Christoph Hellwig hch@lst.de 2021-05-25T08:28:54+00:00 urn:sha1:44b9a000df5cc144c262a0da0d092dc04b93abca file.c has a bunch of kerneldoc comments for static functions that do not document any API but just list what is done. Drop them. Signed-off-by: Christoph Hellwig <hch@lst.de> 2021-05-25T08:30:31+00:00 Bart Van Assche bvanassche@acm.org 2021-05-25T08:24:23+00:00 urn:sha1:dd33f1f7aaf0ce4d0b5ca139019ffbe3510238eb Mention the correct argument name. Signed-off-by: Bart Van Assche <bvanassche@acm.org> [hch: split from a larger patch] Signed-off-by: Christoph Hellwig <hch@lst.de> 2021-05-07T07:26:34+00:00 Masahiro Yamada masahiroy@kernel.org 2021-05-07T01:06:44+00:00 urn:sha1:fa60ce2cb4506701c43bd4cf3ca23d970daf1b9c The section "19) Editor modelines and other cruft" in Documentation/process/coding-style.rst clearly says, "Do not include any of these in source files." I recently receive a patch to explicitly add a new one. Let's do treewide cleanups, otherwise some people follow the existing code and attempt to upstream their favoriate editor setups. It is even nicer if scripts/checkpatch.pl can check it. If we like to impose coding style in an editor-independent manner, I think editorconfig (patch [1]) is a saner solution. [1] https://lore.kernel.org/lkml/20200703073143.423557-1-danny@kdrag0n.dev/ Link: https://lkml.kernel.org/r/20210324054457.1477489-1-masahiroy@kernel.org Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> Reviewed-by: Miguel Ojeda <ojeda@kernel.org> [auxdisplay] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2021-03-11T11:13:48+00:00 Daiyue Zhang zhangdaiyue1@huawei.com 2021-03-01T06:10:53+00:00 urn:sha1:14fbbc8297728e880070f7b077b3301a8c698ef9 Commit b0841eefd969 ("configfs: provide exclusion between IO and removals") uses ->frag_dead to mark the fragment state, thus no bothering with extra refcount on config_item when opening a file. The configfs_get_config_item was removed in __configfs_open_file, but not with config_item_put. So the refcount on config_item will lost its balance, causing use-after-free issues in some occasions like this: Test: 1. Mount configfs on /config with read-only items: drwxrwx--- 289 root root 0 2021-04-01 11:55 /config drwxr-xr-x 2 root root 0 2021-04-01 11:54 /config/a --w--w--w- 1 root root 4096 2021-04-01 11:53 /config/a/1.txt ...... 2. Then run: for file in /config do echo $file grep -R 'key' $file done 3. __configfs_open_file will be called in parallel, the first one got called will do: if (file->f_mode & FMODE_READ) { if (!(inode->i_mode & S_IRUGO)) goto out_put_module; config_item_put(buffer->item); kref_put() package_details_release() kfree() the other one will run into use-after-free issues like this: BUG: KASAN: use-after-free in __configfs_open_file+0x1bc/0x3b0 Read of size 8 at addr fffffff155f02480 by task grep/13096 CPU: 0 PID: 13096 Comm: grep VIP: 00 Tainted: G W 4.14.116-kasan #1 TGID: 13096 Comm: grep Call trace: dump_stack+0x118/0x160 kasan_report+0x22c/0x294 __asan_load8+0x80/0x88 __configfs_open_file+0x1bc/0x3b0 configfs_open_file+0x28/0x34 do_dentry_open+0x2cc/0x5c0 vfs_open+0x80/0xe0 path_openat+0xd8c/0x2988 do_filp_open+0x1c4/0x2fc do_sys_open+0x23c/0x404 SyS_openat+0x38/0x48 Allocated by task 2138: kasan_kmalloc+0xe0/0x1ac kmem_cache_alloc_trace+0x334/0x394 packages_make_item+0x4c/0x180 configfs_mkdir+0x358/0x740 vfs_mkdir2+0x1bc/0x2e8 SyS_mkdirat+0x154/0x23c el0_svc_naked+0x34/0x38 Freed by task 13096: kasan_slab_free+0xb8/0x194 kfree+0x13c/0x910 package_details_release+0x524/0x56c kref_put+0xc4/0x104 config_item_put+0x24/0x34 __configfs_open_file+0x35c/0x3b0 configfs_open_file+0x28/0x34 do_dentry_open+0x2cc/0x5c0 vfs_open+0x80/0xe0 path_openat+0xd8c/0x2988 do_filp_open+0x1c4/0x2fc do_sys_open+0x23c/0x404 SyS_openat+0x38/0x48 el0_svc_naked+0x34/0x38 To fix this issue, remove the config_item_put in __configfs_open_file to balance the refcount of config_item. Fixes: b0841eefd969 ("configfs: provide exclusion between IO and removals") Signed-off-by: Daiyue Zhang <zhangdaiyue1@huawei.com> Signed-off-by: Yi Chen <chenyi77@huawei.com> Signed-off-by: Ge Qiu <qiuge@huawei.com> Reviewed-by: Chao Yu <yuchao0@huawei.com> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Christoph Hellwig <hch@lst.de> 2020-10-16T18:11:19+00:00 Randy Dunlap rdunlap@infradead.org 2020-10-16T03:10:18+00:00 urn:sha1:ce9bebe683a131b86be986c3b6a741a520327679 Drop duplicated words {the, that} in comments. Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Cc: Joel Becker <jlbec@evilplan.org> Cc: Christoph Hellwig <hch@lst.de> Link: https://lkml.kernel.org/r/20200811021826.25032-1-rdunlap@infradead.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>