~ubuntu-kernel/ubuntu/+source/linux/+git/jammy:master-next

Last commit made on 2024-08-26
Get this branch:
git clone -b master-next https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/jammy
Recent commits

b907ffd... by Andreas Gruenbacher <email address hidden>

gfs2: Fix potential glock use-after-free on unmount

When a DLM lockspace is released and there are still locks in that
lockspace, DLM will unlock those locks automatically. Commit
fb6791d100d1b started exploiting this behavior to speed up filesystem
unmount: gfs2 would simply free glocks it didn't want to unlock and then
release the lockspace. This didn't take the bast callbacks for
asynchronous lock contention notifications into account, which remain
active until a lock is unlocked or its lockspace is released.

To prevent those callbacks from accessing deallocated objects, put the
glocks that should not be unlocked on the sd_dead_glocks list, release
the lockspace, and only then free those glocks.

As an additional measure, ignore unexpected ast and bast callbacks if
the receiving glock is dead.

Fixes: fb6791d100d1b ("GFS2: skip dlm_unlock calls in unmount")
Signed-off-by: Andreas Gruenbacher <email address hidden>
Cc: David Teigland <email address hidden>
(backported from commit d98779e687726d8f8860f1c54b5687eec5f63a73)
[bjamison: context conflicts with neighboring lines]
CVE-2024-38570
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Aaron Jauregui <email address hidden>
Acked-by: Manuel Diewald <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>
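The ordering problem the commit above describes, shown as an added toy model in C; this is not gfs2 or DLM code and every name in it (`glock`, `lockspace`, `sdp`, `dead_glocks`, `gfs2_bast`, `dlm_release_lockspace`) is a hypothetical stand-in for the kernel object it is named after. The model keeps the two measures from the commit: the objects that own callbacks are parked on a dead list and freed only after the callback source (the lockspace) has been released, and a callback that still reaches a dead object is dropped instead of acted on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the lifetime rule from the commit: a lock manager can deliver
 * contention callbacks ("basts") to a glock for as long as that lock exists
 * in the lockspace, so the glock must outlive the lockspace. Names are
 * hypothetical stand-ins, not the real kernel structures. */

#define MAX_GLOCKS 8

struct glock {
    int id;
    int dead;          /* set once the filesystem has given the glock up */
    int basts_handled; /* callbacks acted on while the glock was live */
    int basts_ignored; /* callbacks dropped because the glock was dead */
};

struct lockspace {
    struct glock *locks[MAX_GLOCKS]; /* locks DLM still knows about */
    size_t n;
    int released;
};

struct sdp {                               /* per-filesystem state */
    struct lockspace ls;
    struct glock *dead_glocks[MAX_GLOCKS]; /* stand-in for sd_dead_glocks */
    size_t n_dead;
};

/* Callback handler: the commit's second measure, ignore callbacks that
 * arrive for a glock that is already dead instead of touching its state. */
void gfs2_bast(struct glock *gl)
{
    if (gl->dead) {
        gl->basts_ignored++;
        return;
    }
    gl->basts_handled++;
}

/* The lock manager may fire a bast for any lock it still holds. */
void dlm_deliver_pending_basts(struct lockspace *ls)
{
    if (ls->released)
        return;
    for (size_t i = 0; i < ls->n; i++)
        gfs2_bast(ls->locks[i]);
}

/* Releasing the lockspace unlocks whatever is left and retires callbacks;
 * a last round of callbacks is modelled as racing with the release. */
void dlm_release_lockspace(struct lockspace *ls)
{
    dlm_deliver_pending_basts(ls);
    ls->n = 0;
    ls->released = 1;
}

/* Allocate a glock and register its lock in the lockspace. */
struct glock *gfs2_glock_alloc(struct sdp *sdp, int id)
{
    struct glock *gl = calloc(1, sizeof *gl);
    if (!gl || sdp->ls.n >= MAX_GLOCKS) {
        free(gl);
        return NULL;
    }
    gl->id = id;
    sdp->ls.locks[sdp->ls.n++] = gl;
    return gl;
}

/* Unmount in the fixed order: park the glocks we will not unlock on the dead
 * list, release the lockspace (after which no callback can arrive), and only
 * then free them. Returns how many callbacks were ignored on dead glocks. */
int gfs2_unmount(struct sdp *sdp)
{
    int ignored = 0;

    for (size_t i = 0; i < sdp->ls.n; i++) {        /* step 1: mark and park */
        struct glock *gl = sdp->ls.locks[i];
        gl->dead = 1;
        sdp->dead_glocks[sdp->n_dead++] = gl;
    }
    dlm_release_lockspace(&sdp->ls);                /* step 2: quiesce callbacks */
    for (size_t i = 0; i < sdp->n_dead; i++) {      /* step 3: now it is safe to free */
        ignored += sdp->dead_glocks[i]->basts_ignored;
        free(sdp->dead_glocks[i]);
    }
    sdp->n_dead = 0;
    return ignored;
}

/* Constructed scenario: three live glocks receive one bast each during normal
 * operation, then one more each during the lockspace release at unmount. */
int demo(void)
{
    struct sdp sdp;
    memset(&sdp, 0, sizeof sdp);
    for (int i = 0; i < 3; i++)
        gfs2_glock_alloc(&sdp, i);
    dlm_deliver_pending_basts(&sdp.ls);   /* handled: the glocks are live */
    int ignored = gfs2_unmount(&sdp);     /* ignored: they are dead by then */
    printf("basts ignored on dead glocks during unmount: %d\n", ignored);
    return ignored;
}

int main(void)
{
    demo();
    return 0;
}
```

Freeing first and releasing the lockspace afterwards would make the callbacks in `dlm_release_lockspace` dereference freed `glock` objects; the dead list only changes the order, at the cost of keeping the glocks allocated until the lockspace is gone.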

ba6b460... by Andreas Gruenbacher <email address hidden>

gfs2: Rename sd_{ glock => kill }_wait

Rename sd_glock_wait to sd_kill_wait: we'll use it for other things
related to "killing" a filesystem on unmount soon (kill_sb).

Signed-off-by: Andreas Gruenbacher <email address hidden>
(cherry picked from commit 3c69c437bf9832d2201702c5ccc3b8a77a7e0aa3)
CVE-2024-38570
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Aaron Jauregui <email address hidden>
Acked-by: Manuel Diewald <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

b32ef98... by Jesse Zhang <email address hidden>

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.
V2: To really improve the handling we would actually
   need to have a separate value of 0xffffffff.(Christian)

Signed-off-by: Jesse Zhang <email address hidden>
Suggested-by: Christian König <email address hidden>
Reviewed-by: Christian König <email address hidden>
Signed-off-by: Alex Deucher <email address hidden>
(backported from commit 88a9a467c548d0b3c7761b4fd54a68e70f9c0944)
[cengizcan: commit f10984a353c8 ("drm/amd/amdgpu: Fix errors & warnings
in amdgpu _uvd, _vce.c") is missing from tree so adjust context]
CVE-2024-42228
Signed-off-by: Cengiz Can <email address hidden>
Acked-by: Manuel Diewald <email address hidden>
Acked-by: Kuan-Ying Lee <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

bab1bf6... by Waiman Long <email address hidden>

cgroup/cpuset: Optimize cpuset_attach() on v2

BugLink: https://bugs.launchpad.net/bugs/2076957

It was found that with the default hierarchy, enabling cpuset in the
child cgroups can trigger a cpuset_attach() call in each of the child
cgroups that have tasks with no change in effective cpus and mems. If
there are many processes in those child cgroups, it will burn quite a
lot of cpu cycles iterating all the tasks without doing useful work.

Optimize this case by comparing the old and new cpusets and
skipping the useless update if there is no change in effective cpus and mems.
Also, mems_allowed is less likely to be changed than cpus_allowed, so
skip changing mm if there is no change in effective_mems and
CS_MEMORY_MIGRATE is not set.

By inserting some instrumentation code and running a simple command in
a container 200 times in a cgroup v2 system, it was found that all the
cpuset_attach() calls are skipped (401 times in total) as there was no
change in effective cpus and mems.

Signed-off-by: Waiman Long <email address hidden>
Signed-off-by: Tejun Heo <email address hidden>

(backported from commit 7fd4da9c1584be97ffbc40e600a19cb469fd4e78)
[mruffell: context adjustment to keep mutex_lock() instead of
 percpu_down_write()]
Signed-off-by: Matthew Ruffell <email address hidden>
Acked-by: Aaron Jauregui <email address hidden>
Acked-by: Manuel Diewald <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

4d8ddf6... by Pablo Neira Ayuso <email address hidden>

netfilter: nf_tables: restore set elements when delete set fails

From abort path, nft_mapelem_activate() needs to restore refcounters to
the original state. Currently, it uses the set->ops->walk() to iterate
over these set elements. The existing set iterator skips inactive
elements in the next generation, this does not work from the abort path
to restore the original state since it has to skip active elements
instead (not inactive ones).

This patch moves the check for inactive elements to the set iterator
callback, then it reverses the logic for the .activate case which
needs to skip active elements.

Toggle next generation bit for elements when delete set command is
invoked and call nft_clear() from .activate (abort) path to restore the
next generation bit.

The splat below shows an object in mappings memleak:

[43929.457523] ------------[ cut here ]------------
[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[...]
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246
[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000
[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550
[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f
[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0
[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002
[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0
[43929.458114] Call Trace:
[43929.458118] <TASK>
[43929.458121] ? __warn+0x9f/0x1a0
[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458188] ? report_bug+0x1b1/0x1e0
[43929.458196] ? handle_bug+0x3c/0x70
[43929.458200] ? exc_invalid_op+0x17/0x40
[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]
[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]
[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]
[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]
[43929.458512] ? rb_insert_color+0x2e/0x280
[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]
[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]
[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]
[43929.458701] ? __rcu_read_unlock+0x46/0x70
[43929.458709] nft_delset+0xff/0x110 [nf_tables]
[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]
[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]

Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase")
Signed-off-by: Pablo Neira Ayuso <email address hidden>

CVE-2024-27012
(backported from commit e79b47a8615d42c68aaeb68971593333667382ed linux-6.9.y)
[hannsofie: context adjustments in nf_tables_api.c and nft_set_pipapo.c]
Signed-off-by: Hannah Peuckmann <email address hidden>
Acked-by: Aaron Jauregui <email address hidden>
Acked-by: Manuel Diewald <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

858cece... by David Howells

rxrpc: Fix delayed ACKs to not set the reference serial number

Fix the construction of delayed ACKs to not set the reference serial number
as they can't be used as an RTT reference.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Signed-off-by: David Howells <email address hidden>
cc: Marc Dionne <email address hidden>
cc: "David S. Miller" <email address hidden>
cc: Eric Dumazet <email address hidden>
cc: Jakub Kicinski <email address hidden>
cc: Paolo Abeni <email address hidden>
cc: <email address hidden>
cc: <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(backported from e7870cf13d20f56bfc19f9c3e89707c69cf104ef)
[mpellizzer: removed the "ackr_serial" field from
the struct "rxrpc_call" and adjusted the code accordingly]
CVE-2024-26677
Signed-off-by: Massimiliano Pellizzer <email address hidden>
Acked-by: Manuel Diewald <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

e048143... by Thomas Richter <email address hidden>

s390/cpum_cf: make crypto counters upward compatible across machine types

BugLink: https://bugs.launchpad.net/bugs/2074380

The CPU Measurement facility crypto counter set functionality
is defined by the Second Counter Version Number. This number
varies between machine types, but is upward compatible.
Lessen the checks to reflect this behavior.

Signed-off-by: Thomas Richter <email address hidden>
Acked-by: Sumanth Korikkar <email address hidden>
Signed-off-by: Alexander Gordeev <email address hidden>
(backported from commit f10933cbd2dfddf6273698a45f76db9bafd8150f)
Signed-off-by: Frank Heimes <email address hidden>
Acked-by: Kevin Becker <email address hidden>
Acked-by: Manuel Diewald <email address hidden>
Acked-by: Andrei Gherzan <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

d6e3599... by Manuel Diewald

UBUNTU: Upstream stable to v5.15.164

BugLink: https://bugs.launchpad.net/bugs/2076100

Ignore: yes
Signed-off-by: Manuel Diewald <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

3157024... by Greg Kroah-Hartman <email address hidden>

Linux 5.15.164

BugLink: https://bugs.launchpad.net/bugs/2076100

Link: https://<email address hidden>
Tested-by: ChromeOS CQ Test <email address hidden>
Tested-by: SeongJae Park <email address hidden>
Tested-by: Shuah Khan <email address hidden>
Link: https://<email address hidden>
Tested-by: Ron Economos <email address hidden>
Tested-by: kernelci.org bot <email address hidden>
Tested-by: ChromeOS CQ Test <email address hidden>
Tested-by: Mark Brown <email address hidden>
Tested-by: Jon Hunter <email address hidden>
Tested-by: Linux Kernel Functional Testing <email address hidden>
Tested-by: Florian Fainelli <email address hidden>
Tested-by: Pavel Machek (CIP) <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Manuel Diewald <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

a017fa3... by Si-Wei Liu

tap: add missing verification for short frame

BugLink: https://bugs.launchpad.net/bugs/2076100

commit ed7f2afdd0e043a397677e597ced0830b83ba0b3 upstream.

The cited commit missed checking the validity of the frame length
in the tap_get_user_xdp() path, which could cause a corrupted skb to be
sent downstack. Even before the skb is transmitted, the
tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
than ETH_HLEN. Once transmitted, this could either cause out-of-bound
access beyond the actual length, or confuse the underlayer with incorrect
or inconsistent header length in the skb metadata.

In the alternative path, tap_get_user() already prohibits short frames whose
length is less than the Ethernet header size from being transmitted.

This is to drop any frame shorter than the Ethernet header size just like
how tap_get_user() does.

CVE: CVE-2024-41090
Link: https://lore<email address hidden>/
Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()")
Cc: <email address hidden>
Signed-off-by: Si-Wei Liu <email address hidden>
Signed-off-by: Dongli Zhang <email address hidden>
Reviewed-by: Willem de Bruijn <email address hidden>
Reviewed-by: Paolo Abeni <email address hidden>
Reviewed-by: Jason Wang <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Jakub Kicinski <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Manuel Diewald <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>
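The check the commit above adds, as an added example in C rather than the kernel's own code: a batch of frames (the sendmsg() path accepts an array of XDP buffers) is validated against ETH_HLEN before anything computes a network-header offset from the buffer. The `xdp_frame_buf` struct, `validate_frame`, `process_batch` and the sample frames are constructed for this example and stand in for the real `skb`/XDP structures; only `ETH_HLEN` (14 bytes) is the real constant.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Ethernet header length: dst MAC (6) + src MAC (6) + EtherType (2). */
#define ETH_HLEN 14

/* Hypothetical stand-in for the buffer metadata handed down the stack;
 * only the fields the length check needs. */
struct xdp_frame_buf {
    const uint8_t *data;
    size_t len;
    size_t network_header; /* offset of the L3 header; meaningful only after validation */
    int accepted;
};

/* Validate one frame the way the fixed tap_get_user_xdp() path does: anything
 * shorter than the Ethernet header is dropped before any code derives header
 * offsets from it. Returns 1 if accepted, 0 if dropped. */
int validate_frame(struct xdp_frame_buf *f)
{
    if (f->data == NULL || f->len < ETH_HLEN) {
        f->accepted = 0;
        return 0;
    }
    /* Only now does "the network header starts after the Ethernet header"
     * name an offset that is guaranteed to lie inside the buffer. */
    f->network_header = ETH_HLEN;
    f->accepted = 1;
    return 1;
}

/* Process a batch of frames; returns how many passed validation. Frames that
 * fail are left with accepted == 0 and are never handed further down. */
size_t process_batch(struct xdp_frame_buf *bufs, size_t n)
{
    size_t ok = 0;
    for (size_t i = 0; i < n; i++)
        ok += (size_t)validate_frame(&bufs[i]);
    return ok;
}

/* Constructed sample input: a minimal well-formed frame, a frame one byte
 * short of a full Ethernet header, and an empty buffer. */
size_t demo_batch(void)
{
    static const uint8_t full[ETH_HLEN + 20] = { 0 }; /* header + 20-byte payload */
    static const uint8_t runt[ETH_HLEN - 1] = { 0 };  /* 13 bytes: a short frame */
    struct xdp_frame_buf bufs[3] = {
        { full, sizeof full, 0, 0 },
        { runt, sizeof runt, 0, 0 },
        { NULL, 0, 0, 0 },
    };
    size_t ok = process_batch(bufs, 3);
    for (size_t i = 0; i < 3; i++)
        printf("frame %zu: len=%zu -> %s\n", i, bufs[i].len,
               bufs[i].accepted ? "accepted" : "dropped (shorter than ETH_HLEN)");
    return ok;
}

int main(void)
{
    demo_batch();
    return 0;
}
```

The check belongs at the point where the buffer enters the kernel's trust boundary (here, before the header offset is set); the later consumers the commit mentions reason about `skb` metadata and never re-validate the raw length themselves.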