[PATCH v6.1.y-v4.19.y] vhost: use kzalloc() instead of kmalloc() followed by memset()

2024-02-04 Thread Ajay Kaher
ia2...@gmail.com> Signed-off-by: Michael S. Tsirkin Reviewed-by: Stefano Garzarella [Ajay: This is a security fix as per CVE-2024-0340] Signed-off-by: Ajay Kaher --- drivers/vhost/vhost.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/v

Re: [PATCH v5] eventfs: Remove eventfs_file and just use eventfs_inode

2023-11-23 Thread Ajay Kaher
> On 23-Nov-2023, at 4:55 PM, Heiko Carstens wrote: > > !! External Email > > On Fri, Nov 17, 2023 at 03:38:29PM +0100, Heiko Carstens wrote: >> On Fri, Nov 17, 2023 at 03:23:35PM +0100, Heiko Carstens wrote: >>> I think this patch causes from time to time crashes when running ftrace >>> self

Re: tracing: user events UAF crash report

2024-07-22 Thread Ajay Kaher
testing if the parent was freed after > we released the mutex. If so, the function returns NULL. However, all > callers expect it to either return a valid pointer or an error pointer, > at least since commit 5264a2f4bb3b ("tracing: Fix a NULL vs IS_ERR() bug > in event_subsystem_dir()"). Returning NULL will therefore fail the error > condition check in the caller. > > Fix this by substituting the NULL return value with a fitting error > pointer. > > Fixes: 77a06c33a22d ("eventfs: Test for ei->is_freed when accessing > ei->dentry") > Cc: Dan Carpenter > Signed-off-by: Mathias Krause > --- > fs/tracefs/event_inode.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c > index 5d88c184f0fc..a9c28a1d5dc8 100644 > --- a/fs/tracefs/event_inode.c > +++ b/fs/tracefs/event_inode.c > @@ -736,7 +736,7 @@ struct eventfs_inode *eventfs_create_dir(const char > *name, struct eventfs_inode > /* Was the parent freed? */ > if (list_empty(&ei->list)) { > cleanup_ei(ei); > - ei = NULL; > + ei = ERR_PTR(-EBUSY); > } > return ei; > } Must have. LGTM. Thanks. Reviewed-by: Ajay Kaher - Ajay
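
Review bot: the errno chosen in `ei = ERR_PTR(-EBUSY);` is not explained in the hunk or the commit message; the condition being handled is a parent that has already been freed (`list_empty(&ei->list)`), for which -ENOENT would describe the failure to the caller more accurately than -EBUSY, so either pick the value callers of eventfs_create_dir() are expected to propagate or add a one-line comment above the assignment saying why -EBUSY. It is also worth confirming that no remaining caller still compares the result against NULL now that the function never returns it; the message only cites 5264a2f4bb3b for the IS_ERR() expectation.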
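
Added example, not code from this thread or from fs/tracefs: a user-space model of the kernel's ERR_PTR()/IS_ERR() convention that the patch above relies on, showing why returning NULL from a function whose callers only test IS_ERR() lets the failure through as a success. The ERR_PTR()/IS_ERR()/PTR_ERR() helpers mirror the kernel's definitions; the struct, the `is_freed` flag standing in for `list_empty(&ei->list)`, the two create_dir variants and the `register_subdir()` caller are hypothetical names made up for the example.

```c
/* User-space model of the kernel error-pointer convention (added example). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ERRNO 4095   /* same range the kernel reserves for error pointers */

static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline bool IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

struct eventfs_inode {
    struct eventfs_inode *parent;
    bool is_freed;   /* hypothetical: models list_empty(&ei->list) after the parent went away */
};

/* Old behaviour: a freed parent is signalled with NULL. */
static struct eventfs_inode *create_dir_returning_null(struct eventfs_inode *parent)
{
    struct eventfs_inode *ei = calloc(1, sizeof(*ei));
    if (!ei)
        return ERR_PTR(-ENOMEM);
    if (parent->is_freed) {      /* Was the parent freed? */
        free(ei);                /* cleanup_ei(ei) */
        return NULL;
    }
    ei->parent = parent;
    return ei;
}

/* Fixed behaviour: every failure is an error pointer. */
static struct eventfs_inode *create_dir_returning_errptr(struct eventfs_inode *parent)
{
    struct eventfs_inode *ei = calloc(1, sizeof(*ei));
    if (!ei)
        return ERR_PTR(-ENOMEM);
    if (parent->is_freed) {
        free(ei);
        return ERR_PTR(-EBUSY);
    }
    ei->parent = parent;
    return ei;
}

/* Caller convention since 5264a2f4bb3b: only IS_ERR() is checked.
 * Returns 0 and hands back the inode, or a negative errno. */
static int register_subdir(struct eventfs_inode *ei, struct eventfs_inode **out)
{
    if (IS_ERR(ei))
        return (int)PTR_ERR(ei);
    *out = ei;
    return 0;
}

/* With the NULL return the caller reports success and holds a NULL inode:
 * returns 1 when that (buggy) outcome is observed. */
int outcome_with_null_return(void)
{
    struct eventfs_inode parent = { .is_freed = true }, *child = (void *)1;
    int rc = register_subdir(create_dir_returning_null(&parent), &child);
    return (rc == 0 && child == NULL) ? 1 : 0;
}

/* With the error pointer the caller gets -EBUSY and never touches *out. */
int outcome_with_errptr_return(void)
{
    struct eventfs_inode parent = { .is_freed = true }, *child = (void *)1;
    return register_subdir(create_dir_returning_errptr(&parent), &child);
}

/* Sanity check of the success path: returns 0 when the child links to its parent. */
int outcome_with_live_parent(void)
{
    struct eventfs_inode parent = { .is_freed = false }, *child = NULL;
    int rc = register_subdir(create_dir_returning_errptr(&parent), &child);
    if (rc == 0 && child && child->parent == &parent) {
        free(child);
        return 0;
    }
    return -1;
}

int main(void)
{
    printf("NULL return slips past IS_ERR(): %d\n", outcome_with_null_return());
    printf("ERR_PTR return gives caller errno %d\n", outcome_with_errptr_return());
    return 0;
}
```

The point the test pins down is `IS_ERR(NULL) == false`: a NULL from a function that is documented to return "valid pointer or error pointer" is indistinguishable from success at the call site, so the only safe fix is inside the callee.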

Re: tracing: user events UAF crash report

2024-07-25 Thread Ajay Kaher
On Mon, Jul 22, 2024 at 5:38 PM Mathias Krause wrote: > > On 22.07.24 13:13, Ajay Kaher wrote: > > On Sat, Jul 20, 2024 at 2:17 AM Mathias Krause > > wrote: > >> > >> I noticed, the user events ftrace selftest is crashing every now and > >> then

Re: tracing: user events UAF crash report

2024-07-25 Thread Ajay Kaher
On Thu, Jul 25, 2024 at 9:45 PM Ajay Kaher wrote: > > On Mon, Jul 22, 2024 at 5:38 PM Mathias Krause wrote: > > > > On 22.07.24 13:13, Ajay Kaher wrote: > > > On Sat, Jul 20, 2024 at 2:17 AM Mathias Krause > > > wrote: > > >> > > >>

Re: [PATCH] tracing: Have format file honor EVENT_FILE_FL_FREED

2024-07-26 Thread Ajay Kaher
On Fri, Jul 26, 2024 at 5:45 AM Steven Rostedt wrote: > > From: Steven Rostedt > > When eventfs was introduced, special care had to be done to coordinate the > freeing of the file meta data with the files that are exposed to user > space. The file meta data would have a ref count that is set when

Re: [PATCH] tracing: Have format file honor EVENT_FILE_FL_FREED

2024-07-29 Thread Ajay Kaher
On Fri, Jul 26, 2024 at 9:33 PM Steven Rostedt wrote: > > On Fri, 26 Jul 2024 18:00:18 +0530 > Ajay Kaher wrote: > > > Some doubt: > > Because of the same race condition, it may happen that kmem_cache_free(file) > > was executed while f_start() is waiting to get

[PATCH v2 0/8] Backported fixes for 4.4 stable tree

2019-10-08 Thread Ajay Kaher
These patches include a few backported fixes for the 4.4 stable tree. I would appreciate it if you could kindly consider including them in the next release. Ajay --- [Changes from v1]: No changes, only answering Greg's queries below: >> Why are these needed? From what I remember, the last patch her

[PATCH v2 4/8] mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages

2019-10-08 Thread Ajay Kaher
d Cc: Hillf Danton Cc: Michal Hocko Cc: Mike Kravetz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Srivatsa S. Bhat (VMware) Signed-off-by: Ajay Kaher --- mm/gup.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/mm/gup.c b/mm/gup.c index 45c544b..6e7cfaa 100644

[PATCH v2 1/8] mm: make page ref count overflow check tighter and more explicit

2019-10-08 Thread Ajay Kaher
ted code. ] Signed-off-by: Srivatsa S. Bhat (VMware) Signed-off-by: Ajay Kaher --- include/linux/mm.h | 6 +- mm/internal.h | 5 +++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index ed653ba..701088e 100644 --- a/include/linux/mm.h

[PATCH v2 7/8] pipe: add pipe_buf_get() helper

2019-10-08 Thread Ajay Kaher
From: Miklos Szeredi commit 7bf2d1df80822ec056363627e2014990f068f7aa upstream. Signed-off-by: Miklos Szeredi Signed-off-by: Al Viro Signed-off-by: Ajay Kaher Reviewed-by: Srivatsa S. Bhat (VMware) --- fs/fuse/dev.c | 2 +- fs/splice.c | 4 ++-- include/linux

[PATCH v2 3/8] mm: handle PTE-mapped tail pages in generic fast gup implementation

2019-10-08 Thread Ajay Kaher
einer Cc: Michal Hocko Cc: Christoph Lameter Cc: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ajay Kaher --- mm/gup.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/mm/gup.c b/mm/gup.c index 2cd3b31..45c544b 100644 --- a/

[PATCH v2 5/8] mm, gup: ensure real head page is ref-counted when using hugepages

2019-10-08 Thread Ajay Kaher
acon Cc: Naoya Horiguchi Cc: Mark Rutland Cc: Hillf Danton Cc: Mike Kravetz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ajay Kaher Reviewed-by: Srivatsa S. Bhat (VMware) --- mm/gup.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --g

[PATCH v2 2/8] mm: add 'try_get_page()' helper function

2019-10-08 Thread Ajay Kaher
s: Srivatsa: - Adapted try_get_page() to match the get_page() implementation in 4.4.y, except for the refcount check. - Added try_get_page_foll() which will be needed in a subsequent patch. ] Signed-off-by: Srivatsa S. Bhat (VMware) Signed-off-by: Ajay Kaher --- include/lin

[PATCH v2 6/8] mm: prevent get_user_pages() from overflowing page refcount

2019-10-08 Thread Ajay Kaher
local variable 'err' within follow_hugetlb_page() from 2be7cfed995e, to resolve a compilation error Srivatsa: Replaced call to get_page_foll() with try_get_page_foll() ] Signed-off-by: Srivatsa S. Bhat (VMware) Signed-off-by: Ajay Kaher --- mm/gup.
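
Added example, not code from this series or from upstream: a user-space model of the guards these backports introduce, namely the tighter overflow check from patch 1/8, the try_get_page() helper from 2/8 and its use on the get_user_pages() path in 6/8. The page_ref_zero_or_close_to_overflow() macro and the try_get_page() body follow the upstream definitions; `struct page` with a bare int, get_page() returning false where the kernel would VM_BUG_ON, and the `pin_n_times()` loop that stands in for repeated GUP pins are simplifications made for this example.

```c
/* User-space model of the page refcount overflow guards (added example). */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

struct page { int _refcount; };   /* simplified stand-in for struct page */

static inline int page_ref_count(const struct page *page) { return page->_refcount; }

/* Wraps on overflow like the kernel's atomic_inc(); done in unsigned
 * arithmetic so the model has no undefined behaviour. */
static inline void page_ref_inc(struct page *page)
{
    page->_refcount = (int)((unsigned int)page->_refcount + 1u);
}

/* True for a count of 0, or for one within 127 of wrapping back to 0
 * (-127..0 when read as signed). 127 is the upstream "arbitrary" margin. */
#define page_ref_zero_or_close_to_overflow(page) \
    ((unsigned int)page_ref_count(page) + 127u <= 127u)

/* get_page(): upstream VM_BUG_ONs on the check; this model returns false. */
static bool get_page(struct page *page)
{
    if (page_ref_zero_or_close_to_overflow(page))
        return false;
    page_ref_inc(page);
    return true;
}

/* try_get_page(): refuse once the count has gone negative, i.e. after
 * 2^31 references, so get_user_pages() can never drive it back to 0. */
static bool try_get_page(struct page *page)
{
    if (page_ref_count(page) <= 0)
        return false;
    page_ref_inc(page);
    return true;
}

/* Model of repeated GUP pins on one page whose count starts at `start`.
 * Returns how many of the `n` attempts were accepted. */
long pin_n_times(struct page *page, int start, long n)
{
    long accepted = 0;

    page->_refcount = start;
    for (long i = 0; i < n; i++)
        if (try_get_page(page))
            accepted++;
    return accepted;
}

int main(void)
{
    struct page p;

    printf("%ld of 100 pins accepted starting at INT_MAX-2, count now %d\n",
           pin_n_times(&p, INT_MAX - 2, 100), page_ref_count(&p));
    return 0;
}
```

Starting two below INT_MAX, three pins are accepted (the third one flips the sign bit) and every later try_get_page() is refused, while get_page() separately trips on 0 and on the last 127 values before a wrap back to 0 (-127..-1) but not on -128, which is exactly the window the upstream macro names.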

[PATCH v2 8/8] fs: prevent page refcount overflow in pipe_buf_get

2019-10-08 Thread Ajay Kaher
09cbfeaf1a5a6 "mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros" for context. ] Signed-off-by: Ajay Kaher Reviewed-by: Srivatsa S. Bhat (VMware) --- fs/fuse/dev.c | 12 ++-- fs/pipe.c | 4 ++-- fs/splice.c

[PATCH 4.9.y] Revert "net: sit: fix memory leak in sit_init_net()"

2019-10-16 Thread Ajay Kaher
Cc: David S. Miller Cc: Greg Kroah-Hartman Signed-off-by: Ajay Kaher --- net/ipv6/sit.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index 47ca2a2..16eba7b 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -1856,7 +1856,6 @@ static int __net_init

Re: [PATCH v2 6/8] mm: prevent get_user_pages() from overflowing page refcount

2019-10-17 Thread Ajay Kaher
n follow_hugetlb_page() >> from 2be7cfed995e, to resolve compilation error >> Srivatsa: Replaced call to get_page_foll() with try_get_page_foll() ] >> Signed-off-by: Srivatsa S. Bhat (VMware) >> Signed-off-by: Ajay Kaher >> --- >> mm/gup.c | 43 ++

[PATCH 2/3] PCI: hv: Add vPCI version protocol negotiation

2019-01-17 Thread Ajay Kaher
Hyper-V vPCI offers different protocol versions. Add the infra for negotiating the one to use. Signed-off-by: Jork Loeser Signed-off-by: Bjorn Helgaas Reviewed-by: K. Y. Srinivasan Acked-by: K. Y. Srinivasan Signed-off-by: Ajay Kaher --- drivers/pci/host/pci-hyperv.c | 72

[PATCH 0/3] PCI: hv: Use vPCI protocol version 1.2 for v4.9

2019-01-17 Thread Ajay Kaher
For now, please consider these patches for review and suggest if these can be merged into the mainline kernel v4.9. These patches add support for vPCI protocol version 1.2, by backporting from v4.14 to v4.9. Individual patches are summarised below: Patch 1: PCI: hv: Allocate physically contiguous hy

[PATCH 1/3] PCI: hv: Allocate physically contiguous hypercall params buffer

2019-01-17 Thread Ajay Kaher
. Y. Srinivasan Signed-off-by: Ajay Kaher --- drivers/pci/host/pci-hyperv.c | 29 +++-- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c index b4d8ccf..9e44adf 100644 --- a/drivers/pci/host/pci

[PATCH 3/3] PCI: hv: Use vPCI protocol version 1.2 for v4.9

2019-01-17 Thread Ajay Kaher
Helgaas Reviewed-by: K. Y. Srinivasan Acked-by: K. Y. Srinivasan Signed-off-by: Ajay Kaher --- drivers/pci/host/pci-hyperv.c | 300 ++ 1 file changed, 246 insertions(+), 54 deletions(-) diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci

Re: [PATCH 3/3] PCI: hv: Use vPCI protocol version 1.2 for v4.9

2019-01-18 Thread Ajay Kaher
> On 17/01/19, 8:37 PM, "Bjorn Helgaas" wrote: > > > On Fri, Jan 18, 2019 at 02:17:18AM +0530, Ajay Kaher wrote: > > Update the Hyper-V vPCI driver to use the Server-2016 version of the vPCI > > protocol, fixing MSI creation and retargeting issues. > &

Re: [PATCH v5 0/3] [v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-07-12 Thread Ajay Kaher
Greg, I hope you would like to include these patches in the next release. In case of any review comments, please let me know. - Ajay On 01/07/19, 4:03 PM, "Ajay Kaher" wrote: > coredump: fix race condition between mmget_not_zero()/get_task_mm() > and core dumping > [PATCH v5

[PATCH v6 3/3] [v4.9.y] coredump: fix race condition between collapse_huge_page() and core dumping

2019-08-03 Thread Ajay Kaher
Signed-off-by: Greg Kroah-Hartman [Ajay: Just adjusted to apply on v4.9] Signed-off-by: Ajay Kaher --- include/linux/mm.h | 4 mm/khugepaged.c| 3 +++ 2 files changed, 7 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index c239984..8852158 100644 --- a/include/l

[PATCH v6 2/3][v4.9.y] infiniband: fix race condition between infiniband mlx4, mlx5 driver and core dumping

2019-08-03 Thread Ajay Kaher
to Jason for pointing this. Signed-off-by: Ajay Kaher Reviewed-by: Jason Gunthorpe --- drivers/infiniband/hw/mlx4/main.c | 4 +++- drivers/infiniband/hw/mlx5/main.c | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband

[PATCH v6 0/3] [v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-08-03 Thread Ajay Kaher
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping [PATCH v5 1/3]: Backporting of commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream. [PATCH v5 2/3]: Extension of commit 04f5866e41fb to fix the race condition between get_task_mm() and core dumping for IB->m

[PATCH v6 1/3] [v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-08-03 Thread Ajay Kaher
by: Peter Xu Reviewed-by: Mike Rapoport Reviewed-by: Oleg Nesterov Reviewed-by: Jann Horn Acked-by: Jason Gunthorpe Acked-by: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman [aka...@vmware.com: stable 4.9 backport - handle bi

[PATCH 1/8] mm: make page ref count overflow check tighter and more explicit

2019-07-22 Thread Ajay Kaher
ted code. ] Signed-off-by: Srivatsa S. Bhat (VMware) Signed-off-by: Ajay Kaher --- include/linux/mm.h | 6 +- mm/internal.h | 5 +++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index ed653ba..701088e 100644 --- a/include/linux/mm.h

[PATCH 0/8] Backported fixes for 4.4 stable tree

2019-07-22 Thread Ajay Kaher
These patches include a few backported fixes for the 4.4 stable tree. I would appreciate it if you could kindly consider including them in the next release. Ajay --- [PATCH 1/8]: Backporting of upstream commit f958d7b528b1: mm: make page ref count overflow check tighter and more explicit [PATCH 2/8]:

[PATCH 2/8] mm: add 'try_get_page()' helper function

2019-07-22 Thread Ajay Kaher
s: Srivatsa: - Adapted try_get_page() to match the get_page() implementation in 4.4.y, except for the refcount check. - Added try_get_page_foll() which will be needed in a subsequent patch. ] Signed-off-by: Srivatsa S. Bhat (VMware) Signed-off-by: Ajay Kaher --- include/lin

[PATCH 4/8] mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages

2019-07-22 Thread Ajay Kaher
d Cc: Hillf Danton Cc: Michal Hocko Cc: Mike Kravetz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Srivatsa S. Bhat (VMware) Signed-off-by: Ajay Kaher --- mm/gup.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/mm/gup.c b/mm/gup.c index 45c544b..6e7cfaa 100644

[PATCH 5/8] mm, gup: ensure real head page is ref-counted when using hugepages

2019-07-22 Thread Ajay Kaher
acon Cc: Naoya Horiguchi Cc: Mark Rutland Cc: Hillf Danton Cc: Mike Kravetz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ajay Kaher Reviewed-by: Srivatsa S. Bhat (VMware) --- mm/gup.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --g

[PATCH 3/8] mm: handle PTE-mapped tail pages in generic fast gup implementation

2019-07-22 Thread Ajay Kaher
einer Cc: Michal Hocko Cc: Christoph Lameter Cc: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ajay Kaher --- mm/gup.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/mm/gup.c b/mm/gup.c index 2cd3b31..45c544b 100644 --- a/

[PATCH 6/8] mm: prevent get_user_pages() from overflowing page refcount

2019-07-22 Thread Ajay Kaher
local variable 'err' within follow_hugetlb_page() from 2be7cfed995e, to resolve a compilation error Srivatsa: Replaced call to get_page_foll() with try_get_page_foll() ] Signed-off-by: Srivatsa S. Bhat (VMware) Signed-off-by: Ajay Kaher --- mm/gup.

[PATCH 8/8] fs: prevent page refcount overflow in pipe_buf_get

2019-07-22 Thread Ajay Kaher
09cbfeaf1a5a6 "mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros" for context. ] Signed-off-by: Ajay Kaher Reviewed-by: Srivatsa S. Bhat (VMware) --- fs/fuse/dev.c | 12 ++-- fs/pipe.c | 4 ++-- fs/splice.c

[PATCH 7/8] pipe: add pipe_buf_get() helper

2019-07-22 Thread Ajay Kaher
From: Miklos Szeredi commit 7bf2d1df80822ec056363627e2014990f068f7aa upstream. Signed-off-by: Miklos Szeredi Signed-off-by: Al Viro Signed-off-by: Ajay Kaher Reviewed-by: Srivatsa S. Bhat (VMware) --- fs/fuse/dev.c | 2 +- fs/splice.c | 4 ++-- include/linux

[PATCH v3 2/2][v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-06-21 Thread Ajay Kaher
to Jason for pointing this. Signed-off-by: Ajay Kaher --- drivers/infiniband/hw/mlx4/main.c | 4 +++- drivers/infiniband/hw/mlx5/main.c | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c index 8d59a59.

[PATCH v3 1/2] [v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-06-21 Thread Ajay Kaher
by: Peter Xu Reviewed-by: Mike Rapoport Reviewed-by: Oleg Nesterov Reviewed-by: Jann Horn Acked-by: Jason Gunthorpe Acked-by: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman [aka...@vmware.com: stable 4.9 backport - handle bi

[PATCH v3 0/2] [v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-06-21 Thread Ajay Kaher
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping [PATCH v3 1/2]: Backporting of commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream. [PATCH v3 2/2]: Extension of commit 04f5866e41fb to fix the race condition between get_task_mm() and core dumping for IB->m

Re: [PATCH stable-4.4 v3] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-06-21 Thread Ajay Kaher
> On Mon, Jun 17, 2019 at 08:58:24AM +0200, Michal Hocko wrote: > > From: Andrea Arcangeli > > > > Upstream 04f5866e41fb70690e28397487d8bd8eea7d712a commit. > > > > Signed-off-by: Michal Hocko > > --- > > drivers/android/binder.c | 6 ++ > > drivers/infiniband/hw/mlx4/main.c |

[PATCH v4 1/3] [v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-06-24 Thread Ajay Kaher
by: Peter Xu Reviewed-by: Mike Rapoport Reviewed-by: Oleg Nesterov Reviewed-by: Jann Horn Acked-by: Jason Gunthorpe Acked-by: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman [aka...@vmware.com: stable 4.9 backport - handle bi

[PATCH v4 3/3] [v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-06-24 Thread Ajay Kaher
Signed-off-by: Greg Kroah-Hartman [Ajay: Just adjusted to apply on v4.9] Signed-off-by: Ajay Kaher --- include/linux/mm.h | 4 mm/khugepaged.c| 3 +++ 2 files changed, 7 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index c239984..8852158 100644 --- a/include/l

[PATCH v4 0/3] [v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-06-24 Thread Ajay Kaher
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping [PATCH v4 1/3]: Backporting of commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream. [PATCH v4 2/3]: Extension of commit 04f5866e41fb to fix the race condition between get_task_mm() and core dumping for IB->m

[PATCH v4 2/3][v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-06-24 Thread Ajay Kaher
to Jason for pointing this. Signed-off-by: Ajay Kaher --- drivers/infiniband/hw/mlx4/main.c | 4 +++- drivers/infiniband/hw/mlx5/main.c | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c index 8d59a59.

Re: [PATCH v4 0/3] [v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-06-24 Thread Ajay Kaher
On 25/06/19, 1:51 AM, "Sasha Levin" wrote: > On Tue, Jun 25, 2019 at 02:33:06AM +0530, Ajay Kaher wrote: > > coredump: fix race condition between mmget_not_zero()/get_task_mm() > > and core dumping > > > > [PATCH v4 1/3]: > > Backporting of comm

[PATCH] [v4.14.y] infiniband: fix race condition between infiniband mlx4, mlx5 driver and core dumping

2019-06-10 Thread Ajay Kaher
to Jason for pointing this. Signed-off-by: Ajay Kaher --- drivers/infiniband/hw/mlx4/main.c | 4 +++- drivers/infiniband/hw/mlx5/main.c | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c index e2beb18.

Re: [RFC PATCH stable-4.4] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-06-06 Thread Ajay Kaher
> From: Andrea Arcangeli > > Upstream 04f5866e41fb70690e28397487d8bd8eea7d712a commit. > > > Signed-off-by: Michal Hocko > --- > Hi, > this is based on the backport I have done for our 4.4-based distribution > kernel. Please double check that I haven't missed anything before > applying to the st

[PATCH v5 1/3] [v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-07-01 Thread Ajay Kaher
by: Peter Xu Reviewed-by: Mike Rapoport Reviewed-by: Oleg Nesterov Reviewed-by: Jann Horn Acked-by: Jason Gunthorpe Acked-by: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman [aka...@vmware.com: stable 4.9 backport - handle b

[PATCH v5 2/3][v4.9.y] infiniband: fix race condition between infiniband mlx4, mlx5 driver and core dumping

2019-07-01 Thread Ajay Kaher
to Jason for pointing this. Signed-off-by: Ajay Kaher Reviewed-by: Jason Gunthorpe --- drivers/infiniband/hw/mlx4/main.c | 4 +++- drivers/infiniband/hw/mlx5/main.c | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband

[PATCH v5 3/3] [v4.9.y] coredump: fix race condition between collapse_huge_page() and core dumping

2019-07-01 Thread Ajay Kaher
Signed-off-by: Greg Kroah-Hartman [Ajay: Just adjusted to apply on v4.9] Signed-off-by: Ajay Kaher --- include/linux/mm.h | 4 mm/khugepaged.c| 3 +++ 2 files changed, 7 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index c239984..8852158 100644 --- a/include/l

[PATCH v5 0/3] [v4.9.y] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

2019-07-01 Thread Ajay Kaher
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping [PATCH v5 1/3]: Backporting of commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream. [PATCH v5 2/3]: Extension of commit 04f5866e41fb to fix the race condition between get_task_mm() and core dumping for IB->m

RE: Re: Subject: [PATCH v1] USB:Core: BugFix: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-01-30 Thread Ajay Kaher
At boot time, the probe functions of multiple connected devices (proprietary devices) execute simultaneously. And because of the following code path a race condition happens: probe->usb_register_dev->init_usb_class Tested with these changes, and the problem has been solved. thanks, ajay

RE: Re: Re: Subject: [PATCH v1] USB:Core: BugFix: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-02-01 Thread Ajay Kaher
his code has been around? What changed? > >> Tested with these changes, and problem has been solved. > >What changes? Tested with my patch (i.e. locking with init_usb_class_mutex). thanks, ajay kaher - Original Message - Sender : gre...@linuxfoundation.org Da

FW: Re: [PATCH v4] USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-03-21 Thread Ajay Kaher
register_dev->init_usb_class > > To solve this, mutex locking has been added in init_usb_class() and > destroy_usb_class(). > > As pointed by Alan, removed "if (usb_class)" test from destroy_usb_class() > because usb_class can never be NULL there. Signed-off-by: Ajay Ka
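
Added example, not the kernel's code from drivers/usb/core/file.c: a user-space model of the fix described above, a lazily created, reference-counted singleton whose creation and destruction are both serialised by init_usb_class_mutex, with the `if (usb_class)` test gone from destroy_usb_class(). malloc/free stand in for kmalloc/kfree, an int for struct kref, a counter for class_create(), and `race_probes()` is a hypothetical harness that runs the probe -> usb_register_dev -> init_usb_class path from several threads at once.

```c
/* User-space model of the init_usb_class()/destroy_usb_class() locking (added example). */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

struct usb_class {
    int refcount;        /* models struct kref */
    int class_id;        /* stands in for the struct class pointer */
};

static struct usb_class *usb_class;   /* the single instance file.c keeps */
static pthread_mutex_t init_usb_class_mutex = PTHREAD_MUTEX_INITIALIZER;
static int class_create_calls;        /* how often class_create() ran */

static int init_usb_class(void)
{
    int result = 0;

    pthread_mutex_lock(&init_usb_class_mutex);
    if (usb_class != NULL) {
        usb_class->refcount++;                    /* kref_get() */
        goto exit;
    }
    /* Without the mutex two concurrent probes can both observe NULL here,
     * both allocate and both run class_create(): one object leaks and the
     * second registration of the same class name fails. */
    usb_class = malloc(sizeof(*usb_class));
    if (!usb_class) {
        result = -ENOMEM;
        goto exit;
    }
    usb_class->refcount = 1;                      /* kref_init() */
    usb_class->class_id = ++class_create_calls;   /* class_create() */
exit:
    pthread_mutex_unlock(&init_usb_class_mutex);
    return result;
}

static void release_usb_class(void)
{
    free(usb_class);                              /* class_destroy() + kfree() */
    usb_class = NULL;
}

static void destroy_usb_class(void)
{
    pthread_mutex_lock(&init_usb_class_mutex);
    /* No "if (usb_class)" test: every caller holds a reference, so the
     * pointer cannot be NULL here. */
    if (--usb_class->refcount == 0)               /* kref_put() */
        release_usb_class();
    pthread_mutex_unlock(&init_usb_class_mutex);
}

/* One simulated driver probe: probe -> usb_register_dev -> init_usb_class. */
static void *probe_thread(void *arg)
{
    *(int *)arg = init_usb_class();
    return NULL;
}

/* Hypothetical harness: start n probes at once, then tear them all down.
 * Returns how many times class_create() ran (1 is correct), or -1 on any
 * inconsistency: a failed init, a wrong refcount, or an object left behind. */
int race_probes(int n)
{
    pthread_t tid[64];
    int rc[64];

    if (n < 1 || n > 64)
        return -1;
    class_create_calls = 0;
    for (int i = 0; i < n; i++)
        pthread_create(&tid[i], NULL, probe_thread, &rc[i]);
    for (int i = 0; i < n; i++)
        pthread_join(tid[i], NULL);
    for (int i = 0; i < n; i++)
        if (rc[i] != 0)
            return -1;
    if (!usb_class || usb_class->refcount != n)
        return -1;
    for (int i = 0; i < n; i++)
        destroy_usb_class();                      /* usb_deregister_dev() path */
    if (usb_class != NULL)
        return -1;
    return class_create_calls;
}

int main(void)
{
    printf("class_create() ran %d time(s) for 32 concurrent probes\n", race_probes(32));
    return 0;
}
```

The check-then-allocate sequence in init_usb_class() is the classic lazy-init race; holding the same mutex across both the NULL test and the allocation, and across the kref_put() in destroy_usb_class(), is what makes the single-instance assumption hold regardless of how probes interleave.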

Re: [PATCH v4] USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-03-17 Thread Ajay Kaher
ed "if (usb_class)" test from destroy_usb_class() because usb_class can never be NULL there. Signed-off-by: Ajay Kaher Acked-by: Alan Stern --- drivers/usb/core/file.c |9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/usb/core/file.c b/drivers/usb/core/file

Re: Subject: [PATCH v4] USB:Core: BugFix: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-03-06 Thread Ajay Kaher
> On Fri, 3 Mar 2017, Ajay Kaher wrote: > > > > usb_class->kref is not accessible outside the file.c > > > as usb_class is _static_ inside the file.c and > > > pointer of usb_class->kref is not passed anywhere. > > > > > > Hence

Re: Subject: [PATCH v4] USB:Core: BugFix: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-03-09 Thread Ajay Kaher
From febeb10887d5026a489658fd9e911656e76038ac Mon Sep 17 00:00:00 2001 From: Ajay Kaher Date: Thu, 9 Mar 2017 16:07:54 +0530 Subject: [PATCH v4] USB:Core: BugFix: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously There is a race condition when

FW: FW: RE: Re: FW: RE: Re: Subject: [PATCH v3] USB:Core: BugFix: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-03-03 Thread Ajay Kaher
> On Thu, 2 Mar 2017, Ajay Kaher wrote: >> On Wed, 1 Mar 2017, Alan Stern wrote: >>> On Wed, 1 Mar 2017, Ajay Kaher wrote: >>>> On Mon, 22 Feb 2017, Ajay Kaher wrote: >>>> >>>>> >>>>>> Alan, as per my understanding I

FW: RE: Re: Subject: [PATCH v3] USB:Core: BugFix: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-03-01 Thread Ajay Kaher
> On Mon, 22 Feb 2017, Ajay Kaher wrote: > >> On Mon, 20 Feb 2017, Ajay Kaher wrote: >> >>> Alan, as per my understanding I have shifted the lock from >>> release_usb_class() to destroy_usb_class() in patch v3. >>> If it is not right, please expl

FW: RE: Re: FW: RE: Re: Subject: [PATCH v3] USB:Core: BugFix: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-03-02 Thread Ajay Kaher
> On Wed, 1 Mar 2017, Alan Stern wrote: >> On Wed, 1 Mar 2017, Ajay Kaher wrote: >>> On Mon, 22 Feb 2017, Ajay Kaher wrote: >>> >>>> >>>>> Alan, as per my understanding I have shifted the lock from >>>>> release_usb_class()

RE: Re: Subject: [PATCH v3] USB:Core: BugFix: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-02-22 Thread Ajay Kaher
On Tue, 21 Feb 2017, Alan Stern wrote: > On Mon, 20 Feb 2017, Ajay Kaher wrote: >> Alan, as per my understanding I have shifted the lock from >> release_usb_class() to destroy_usb_class() in patch v3. >> If it is not right, please explain in detail which race condition

RE: RE: Re: Re: Re: Subject: [PATCH v2] USB:Core: BugFix: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-02-16 Thread Ajay Kaher
protection using init_usb_class_mutex lock >> requires. >> Don't you think so? >> >> >>>> And because of the following code path race condition happens: >> >>>> probe->usb_register_dev->init_usb_class >> >>&

RE: Re: Re: Re: Subject: [PATCH v1] USB:Core: BugFix: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-02-14 Thread Ajay Kaher
t;> >>> Why is this just showing up now, and hasn't been an issue for the decade >>> or so this code has been around? What changed? >>> >>>> Tested with these changes, and problem has been solved. >>> >>> What changes? >> >

Re: Subject: [PATCH v3] USB:Core: BugFix: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-02-20 Thread Ajay Kaher
On Thu, 16 Feb 2017, Alan Stern wrote: > On Thu, 16 Feb 2017, Ajay Kaher wrote: > >> > On Thu, 14 Feb 2017, Alan Stern wrote: >> > >> > I think Ajay's argument is correct and a patch is needed. But this >> > patch misses the race

[PATCH 4.4 20/46] fbcon: remove soft scrollback code

2020-09-27 Thread Ajay Kaher
> @@ -3378,7 +3054,6 @@ static const struct consw fb_con = { > .con_font_default = fbcon_set_def_font, > .con_font_copy = fbcon_copy_font, > .con_set_palette= fbcon_set_palette, > - .con_scrolldelta= fbcon_scrolldelta, > .con_set_origin
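
Review bot: dropping the `.con_scrolldelta = fbcon_scrolldelta` entry from `fb_con` leaves a NULL callback in the consw table, so this hunk is only safe if the vt core guards every `con_scrolldelta` call with a NULL check in 4.4 and if `fbcon_scrolldelta()` itself is removed in the same patch (otherwise it is an unused static function and a build warning); neither is visible in the quoted snippet, so both should be checked against the 4.4 tree before the backport is merged.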

[PATCH v3] mm: Fix mremap not considering huge pmd devmap

2020-06-04 Thread Ajay Kaher
Hi Fan, Able to reproduce this issue on v4.19.y using your test program. And as per commit message it fixes commit 5c7fb56e5e3f ("mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pm") at kernel version v4.5. So, v4.9.y should be vulnerable, however not able to reproduce on v4.9.y. Does any specific scen

Re: [PATCH v3] mm: Fix mremap not considering huge pmd devmap

2020-06-05 Thread Ajay Kaher
Thanks Fan, this scenario works to reproduce on v4.9. And following fix works for v4.9: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-4.9.y&id=44cb51d5b4a736446b728bbde8407844d71843ef -Ajay

[PATCH v5.4.y 1/3] vfio/type1: Support faulting PFNMAP vmas

2020-09-06 Thread Ajay Kaher
-off-by: Alex Williamson Signed-off-by: Ajay Kaher --- drivers/vfio/vfio_iommu_type1.c | 36 +--- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c index 6cc47af..d679996 100644 --- a

[PATCH v5.4.y 0/3] vfio: Fix for CVE-2020-12888

2020-09-06 Thread Ajay Kaher
CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some devices may lead to DoS scenario The VFIO modules allow users (guest VMs) to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to access (read/write) the devices' MMIO address space when it

[PATCH v5.4.y 3/3] vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

2020-09-06 Thread Ajay Kaher
-2020-12888 Reviewed-by: Peter Xu Signed-off-by: Alex Williamson Signed-off-by: Ajay Kaher --- drivers/vfio/pci/vfio_pci.c | 291 drivers/vfio/pci/vfio_pci_config.c | 36 - drivers/vfio/pci/vfio_pci_intrs.c | 14 ++ drivers/vfi

[PATCH v5.4.y 2/3] vfio-pci: Fault mmaps to enable vma tracking

2020-09-06 Thread Ajay Kaher
idate those mappings. The open callback invalidates the vma range so that all tracking is inserted in the fault handler and removed in the close handler. Reviewed-by: Peter Xu Signed-off-by: Alex Williamson Signed-off-by: Ajay Kaher --- drivers/vfio/pci/vfio_pci.c

[PATCH v4.19.y 2/3] vfio-pci: Fault mmaps to enable vma tracking

2020-09-07 Thread Ajay Kaher
e can later use to invalidate those mappings. The open callback invalidates the vma range so that all tracking is inserted in the fault handler and removed in the close handler. Reviewed-by: Peter Xu Signed-off-by: Alex Williamson [Ajay: Regenerated the patch for v4.19] Signed-off-by: Ajay

[PATCH v4.19.y 0/3] vfio: Fix for CVE-2020-12888

2020-09-07 Thread Ajay Kaher
CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some devices may lead to DoS scenario The VFIO modules allow users (guest VMs) to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to access (read/write) the devices' MMIO address space when it

[PATCH v4.19.y 1/3] vfio/type1: Support faulting PFNMAP vmas

2020-09-07 Thread Ajay Kaher
(). Reviewed-by: Peter Xu Signed-off-by: Alex Williamson [Ajay: Regenerated the patch for v4.19] Signed-off-by: Ajay Kaher --- drivers/vfio/vfio_iommu_type1.c | 36 +--- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers

[PATCH v4.19.y 3/3] vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

2020-09-07 Thread Ajay Kaher
rwise occur. Fixes: CVE-2020-12888 Reviewed-by: Peter Xu Signed-off-by: Alex Williamson [Ajay: Regenerated the patch for v4.19] Signed-off-by: Ajay Kaher --- drivers/vfio/pci/vfio_pci.c | 291 drivers/vfio/pci/vfio_pci_config.c | 36 - drivers

[PATCH v4.14.y 3/3] vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

2020-09-07 Thread Ajay Kaher
rwise occur. Fixes: CVE-2020-12888 Reviewed-by: Peter Xu Signed-off-by: Alex Williamson [Ajay: Regenerated the patch for v4.14] Signed-off-by: Ajay Kaher --- drivers/vfio/pci/vfio_pci.c | 294 +++- drivers/vfio/pci/vfio_pci_config.c | 36 - drivers

[PATCH v4.14.y 1/3] vfio/type1: Support faulting PFNMAP vmas

2020-09-07 Thread Ajay Kaher
(). Reviewed-by: Peter Xu Signed-off-by: Alex Williamson [Ajay: Regenerated the patch for v4.14] Signed-off-by: Ajay Kaher --- drivers/vfio/vfio_iommu_type1.c | 36 +--- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers

[PATCH v4.14.y 0/3] vfio: Fix for CVE-2020-12888

2020-09-07 Thread Ajay Kaher
CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some devices may lead to DoS scenario The VFIO modules allow users (guest VMs) to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to access (read/write) the devices' MMIO address space when it

[PATCH v4.14.y 2/3] vfio-pci: Fault mmaps to enable vma tracking

2020-09-07 Thread Ajay Kaher
e can later use to invalidate those mappings. The open callback invalidates the vma range so that all tracking is inserted in the fault handler and removed in the close handler. Reviewed-by: Peter Xu Signed-off-by: Alex Williamson [Ajay: Regenerated the patch for v4.14] Signed-off-by: Ajay

[PATCH v4.9.y 3/3] vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

2020-09-07 Thread Ajay Kaher
rwise occur. Fixes: CVE-2020-12888 Reviewed-by: Peter Xu Signed-off-by: Alex Williamson [Ajay: Regenerated the patch for v4.9] Signed-off-by: Ajay Kaher --- drivers/vfio/pci/vfio_pci.c | 294 +++- drivers/vfio/pci/vfio_pci_config.c | 36 - drivers

[PATCH v4.9.y 1/3] vfio/type1: Support faulting PFNMAP vmas

2020-09-07 Thread Ajay Kaher
(). Reviewed-by: Peter Xu Signed-off-by: Alex Williamson [Ajay: Regenerated the patch for v4.9] Signed-off-by: Ajay Kaher --- drivers/vfio/vfio_iommu_type1.c | 36 +--- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers

[PATCH v4.9.y 2/3] vfio-pci: Fault mmaps to enable vma tracking

2020-09-07 Thread Ajay Kaher
e can later use to invalidate those mappings. The open callback invalidates the vma range so that all tracking is inserted in the fault handler and removed in the close handler. Reviewed-by: Peter Xu Signed-off-by: Alex Williamson [Ajay: Regenerated the patch for v4.9] Signed-off-by: Ajay

[PATCH v4.9.y 0/3] vfio: Fix for CVE-2020-12888

2020-09-07 Thread Ajay Kaher
CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some devices may lead to DoS scenario The VFIO modules allow users (guest VMs) to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to access (read/write) the devices' MMIO address space when it

[PATCH v2 v4.14.y 3/3] vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

2020-09-08 Thread Ajay Kaher
rwise occur. Fixes: CVE-2020-12888 Reviewed-by: Peter Xu Signed-off-by: Alex Williamson [Ajay: Regenerated the patch for v4.14] Signed-off-by: Ajay Kaher --- drivers/vfio/pci/vfio_pci.c | 294 +++- drivers/vfio/pci/vfio_pci_config.c | 36 - drivers

[PATCH v2 v4.14.y 0/3] vfio: Fix for CVE-2020-12888

2020-09-08 Thread Ajay Kaher
CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some devices may lead to DoS scenario The VFIO modules allow users (guest VMs) to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to access (read/write) the devices' MMIO address space when it

[PATCH v2 v4.14.y 2/3] vfio-pci: Fault mmaps to enable vma tracking

2020-09-08 Thread Ajay Kaher
e can later use to invalidate those mappings. The open callback invalidates the vma range so that all tracking is inserted in the fault handler and removed in the close handler. Reviewed-by: Peter Xu Signed-off-by: Alex Williamson [Ajay: Regenerated the patch for v4.14] Signed-off-by: Ajay

[PATCH v2 v4.14.y 1/3] vfio/type1: Support faulting PFNMAP vmas

2020-09-08 Thread Ajay Kaher
(). Reviewed-by: Peter Xu Signed-off-by: Alex Williamson [Ajay: Regenerated the patch for v4.14] Signed-off-by: Ajay Kaher --- drivers/vfio/vfio_iommu_type1.c | 36 +--- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers

Re: [PATCH] [v4.14.y] infiniband: fix race condition between infiniband mlx4, mlx5 driver and core dumping

2019-06-14 Thread Ajay Kaher
On 10/06/19, 6:22 PM, "Ajay Kaher" wrote: > This patch is the extension of following upstream commit to fix > the race condition between get_task_mm() and core dumping > for IB->mlx4 and IB->mlx5 drivers: > > commit 04f5866e41fb ("coredump: fix rac

[PATCH v4] USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

2017-03-28 Thread Ajay Kaher
ng has been added in init_usb_class() and destroy_usb_class(). As pointed by Alan, removed "if (usb_class)" test from destroy_usb_class() because usb_class can never be NULL there. Signed-off-by: Ajay Kaher Acked-by: Alan Stern --- drivers/usb/core/file.c | 9 +++-- 1 file changed, 7