Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.257 2023-03-11T15:39:26+00:00 2023-03-11T15:39:26+00:00 Pietro Borrello borrello@diag.uniroma1.it 2023-02-09T12:26:23+00:00 urn:sha1:eb209a35d3627b6345bea0f07020c99897a2ca87 [ Upstream commit 68762148d1b011d47bc2ceed7321739b5aea1e63 ] rds_rm_zerocopy_callback() uses list_add_tail() with swapped arguments. This links the list head with the new entry, losing the references to the remaining part of the list. Fixes: 9426bbc6de99 ("rds: use list structure to track information for zerocopy completion notification") Suggested-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-02-15T16:22:25+00:00 Pietro Borrello borrello@diag.uniroma1.it 2023-02-07T18:26:34+00:00 urn:sha1:c53f34ec3fbf3e9f67574118a6bb35ae1146f7ca [ Upstream commit f753a68980cf4b59a80fe677619da2b1804f526d ] rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Use list_first_entry() to actually access the first element of the rs_zcookie_queue list. Fixes: 9426bbc6de99 ("rds: use list structure to track information for zerocopy completion notification") Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it> Link: https://lore.kernel.org/r/20230202-rds-zerocopy-v3-1-83b0df974f9a@diag.uniroma1.it Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-04-14T06:42:09+00:00 Lv Yunlong lyl2019@mail.ustc.edu.cn 2021-03-31T01:59:59+00:00 urn:sha1:4cfae7b23889fd7e6af2e371c3d2f5eb7e49de0b [ Upstream commit bdc2ab5c61a5c07388f4820ff21e787b4dfd1ced ] In rds_message_map_pages, the rm is freed by rds_message_put(rm). But rm is still used by rm->data.op_sg in return value. My patch assigns ERR_CAST(rm->data.op_sg) to err before the rm is freed to avoid the uaf. Fixes: 7dba92037baf3 ("net/rds: Use ERR_PTR for rds_message_alloc_sgs()") Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> Reviewed-by: Håkon Bugge <haakon.bugge@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-04-15T19:33:29+00:00 Jason Gunthorpe jgg@mellanox.com 2020-04-14T23:02:07+00:00 urn:sha1:7dba92037baf3fa00b4880a31fd532542264994c Returning the error code via a 'int *ret' when the function returns a pointer is very un-kernely and causes gcc 10's static analysis to choke: net/rds/message.c: In function ‘rds_message_map_pages’: net/rds/message.c:358:10: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized] 358 | return ERR_PTR(ret); Use a typical ERR_PTR return instead. Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2020-04-09T17:22:00+00:00 Ka-Cheong Poon ka-cheong.poon@oracle.com 2020-04-08T10:21:01+00:00 urn:sha1:e228a5d05e9ee25878e9a40de96e7ceb579d4893 And removed rds_mr_put(). Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2019-01-07T15:22:36+00:00 Jacob Wen jian.w.wen@oracle.com 2019-01-07T01:59:59+00:00 urn:sha1:eeb2c4fb6a3d0ebed35fbc13a255f691c8b8d7e5 Yes indeed, DIV_ROUND_UP is in kernel.h. Signed-off-by: Jacob Wen <jian.w.wen@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-12-19T18:27:58+00:00 shamir rabinovitch shamir.rabinovitch@oracle.com 2018-12-16T07:01:09+00:00 urn:sha1:c75ab8a55ac1083c232e4407f52b0cadae6c1e0e per comment from Leon in rdma mailing list https://lkml.org/lkml/2018/10/31/312 : Please don't forget to remove user triggered WARN_ON. https://lwn.net/Articles/769365/ "Greg Kroah-Hartman raised the problem of core kernel API code that will use WARN_ON_ONCE() to complain about bad usage; that will not generate the desired result if WARN_ON_ONCE() is configured to crash the machine. He was told that the code should just call pr_warn() instead, and that the called function should return an error in such situations. It was generally agreed that any WARN_ON() or WARN_ON_ONCE() calls that can be triggered from user space need to be fixed." in addition harden rds_sendmsg to detect and overcome issues with invalid sg count and fail the sendmsg. Suggested-by: Leon Romanovsky <leon@kernel.org> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: shamir rabinovitch <shamir.rabinovitch@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-07-24T21:10:42+00:00 Stephen Hemminger stephen@networkplumber.org 2018-07-24T19:29:03+00:00 urn:sha1:1cb1d977b41ad9fbcbd57ba24b203d6cb2f79952 Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-03-12T15:12:38+00:00 Colin Ian King colin.king@canonical.com 2018-03-11T16:27:56+00:00 urn:sha1:bdf08fc5412045f7648a49791d98cd04f72c1c1f Variable sg_off is assigned a value but it is never read, hence it is redundant and can be removed. Cleans up clang warning: net/rds/message.c:373:2: warning: Value stored to 'sg_off' is never read Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-03-09T02:54:00+00:00 kbuild test robot fengguang.wu@intel.com 2018-03-08T11:37:30+00:00 urn:sha1:571e6776add4f499661e761e03e46ec0f6d66243 Fixes: 9426bbc6de99 ("rds: use list structure to track information for zerocopy completion notification") Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>