From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Ilya Dryomov <idryomov@gmail.com>,
Xiubo Li <xiubli@redhat.com>, Jeff Layton <jlayton@kernel.org>
Subject: [PATCH 5.17 062/158] libceph: fix potential use-after-free on linger ping and resends
Date: Mon, 23 May 2022 19:03:39 +0200 [thread overview]
Message-ID: <20220523165841.123651841@linuxfoundation.org> (raw)
In-Reply-To: <20220523165830.581652127@linuxfoundation.org>
From: Ilya Dryomov <idryomov@gmail.com>
commit 75dbb685f4e8786c33ddef8279bab0eadfb0731f upstream.
request_reinit() is not only ugly as the comment rightfully suggests,
but also unsafe. Even though it is called with osdc->lock held for
write in all cases, resetting the OSD request refcount can still race
with handle_reply() and result in use-after-free. Taking linger ping
as an example:
handle_timeout thread handle_reply thread
down_read(&osdc->lock)
req = lookup_request(...)
...
finish_request(req) # unregisters
up_read(&osdc->lock)
__complete_request(req)
linger_ping_cb(req)
# req->r_kref == 2 because handle_reply still holds its ref
down_write(&osdc->lock)
send_linger_ping(lreq)
req = lreq->ping_req # same req
# cancel_linger_request is NOT
# called - handle_reply already
# unregistered
request_reinit(req)
WARN_ON(req->r_kref != 1) # fires
request_init(req)
kref_init(req->r_kref)
# req->r_kref == 1 after kref_init
ceph_osdc_put_request(req)
kref_put(req->r_kref)
# req->r_kref == 0 after kref_put, req is freed
<further req initialization/use> !!!
This happens because send_linger_ping() always (re)uses the same OSD
request for watch ping requests, relying on cancel_linger_request() to
unregister it from the OSD client and rip its messages out from the
messenger. send_linger() does the same for watch/notify registration
and watch reconnect requests. Unfortunately cancel_request() doesn't
guarantee that after it returns the OSD client would be completely done
with the OSD request -- a ref could still be held and the callback (if
specified) could still be invoked too.
The original motivation for request_reinit() was inability to deal with
allocation failures in send_linger() and send_linger_ping(). Switching
to using osdc->req_mempool (currently only used by CephFS) respects that
and allows us to get rid of request_reinit().
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Acked-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/ceph/osd_client.h | 3
net/ceph/osd_client.c | 302 +++++++++++++++-------------------------
2 files changed, 122 insertions(+), 183 deletions(-)
--- a/include/linux/ceph/osd_client.h
+++ b/include/linux/ceph/osd_client.h
@@ -287,6 +287,9 @@ struct ceph_osd_linger_request {
rados_watcherrcb_t errcb;
void *data;
+ struct ceph_pagelist *request_pl;
+ struct page **notify_id_pages;
+
struct page ***preply_pages;
size_t *preply_len;
};
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -537,43 +537,6 @@ static void request_init(struct ceph_osd
target_init(&req->r_t);
}
-/*
- * This is ugly, but it allows us to reuse linger registration and ping
- * requests, keeping the structure of the code around send_linger{_ping}()
- * reasonable. Setting up a min_nr=2 mempool for each linger request
- * and dealing with copying ops (this blasts req only, watch op remains
- * intact) isn't any better.
- */
-static void request_reinit(struct ceph_osd_request *req)
-{
- struct ceph_osd_client *osdc = req->r_osdc;
- bool mempool = req->r_mempool;
- unsigned int num_ops = req->r_num_ops;
- u64 snapid = req->r_snapid;
- struct ceph_snap_context *snapc = req->r_snapc;
- bool linger = req->r_linger;
- struct ceph_msg *request_msg = req->r_request;
- struct ceph_msg *reply_msg = req->r_reply;
-
- dout("%s req %p\n", __func__, req);
- WARN_ON(kref_read(&req->r_kref) != 1);
- request_release_checks(req);
-
- WARN_ON(kref_read(&request_msg->kref) != 1);
- WARN_ON(kref_read(&reply_msg->kref) != 1);
- target_destroy(&req->r_t);
-
- request_init(req);
- req->r_osdc = osdc;
- req->r_mempool = mempool;
- req->r_num_ops = num_ops;
- req->r_snapid = snapid;
- req->r_snapc = snapc;
- req->r_linger = linger;
- req->r_request = request_msg;
- req->r_reply = reply_msg;
-}
-
struct ceph_osd_request *ceph_osdc_alloc_request(struct ceph_osd_client *osdc,
struct ceph_snap_context *snapc,
unsigned int num_ops,
@@ -918,14 +881,30 @@ EXPORT_SYMBOL(osd_req_op_xattr_init);
* @watch_opcode: CEPH_OSD_WATCH_OP_*
*/
static void osd_req_op_watch_init(struct ceph_osd_request *req, int which,
- u64 cookie, u8 watch_opcode)
+ u8 watch_opcode, u64 cookie, u32 gen)
{
struct ceph_osd_req_op *op;
op = osd_req_op_init(req, which, CEPH_OSD_OP_WATCH, 0);
op->watch.cookie = cookie;
op->watch.op = watch_opcode;
- op->watch.gen = 0;
+ op->watch.gen = gen;
+}
+
+/*
+ * prot_ver, timeout and notify payload (may be empty) should already be
+ * encoded in @request_pl
+ */
+static void osd_req_op_notify_init(struct ceph_osd_request *req, int which,
+ u64 cookie, struct ceph_pagelist *request_pl)
+{
+ struct ceph_osd_req_op *op;
+
+ op = osd_req_op_init(req, which, CEPH_OSD_OP_NOTIFY, 0);
+ op->notify.cookie = cookie;
+
+ ceph_osd_data_pagelist_init(&op->notify.request_data, request_pl);
+ op->indata_len = request_pl->length;
}
/*
@@ -2727,10 +2706,13 @@ static void linger_release(struct kref *
WARN_ON(!list_empty(&lreq->pending_lworks));
WARN_ON(lreq->osd);
- if (lreq->reg_req)
- ceph_osdc_put_request(lreq->reg_req);
- if (lreq->ping_req)
- ceph_osdc_put_request(lreq->ping_req);
+ if (lreq->request_pl)
+ ceph_pagelist_release(lreq->request_pl);
+ if (lreq->notify_id_pages)
+ ceph_release_page_vector(lreq->notify_id_pages, 1);
+
+ ceph_osdc_put_request(lreq->reg_req);
+ ceph_osdc_put_request(lreq->ping_req);
target_destroy(&lreq->t);
kfree(lreq);
}
@@ -2999,6 +2981,12 @@ static void linger_commit_cb(struct ceph
struct ceph_osd_linger_request *lreq = req->r_priv;
mutex_lock(&lreq->lock);
+ if (req != lreq->reg_req) {
+ dout("%s lreq %p linger_id %llu unknown req (%p != %p)\n",
+ __func__, lreq, lreq->linger_id, req, lreq->reg_req);
+ goto out;
+ }
+
dout("%s lreq %p linger_id %llu result %d\n", __func__, lreq,
lreq->linger_id, req->r_result);
linger_reg_commit_complete(lreq, req->r_result);
@@ -3022,6 +3010,7 @@ static void linger_commit_cb(struct ceph
}
}
+out:
mutex_unlock(&lreq->lock);
linger_put(lreq);
}
@@ -3044,6 +3033,12 @@ static void linger_reconnect_cb(struct c
struct ceph_osd_linger_request *lreq = req->r_priv;
mutex_lock(&lreq->lock);
+ if (req != lreq->reg_req) {
+ dout("%s lreq %p linger_id %llu unknown req (%p != %p)\n",
+ __func__, lreq, lreq->linger_id, req, lreq->reg_req);
+ goto out;
+ }
+
dout("%s lreq %p linger_id %llu result %d last_error %d\n", __func__,
lreq, lreq->linger_id, req->r_result, lreq->last_error);
if (req->r_result < 0) {
@@ -3053,46 +3048,64 @@ static void linger_reconnect_cb(struct c
}
}
+out:
mutex_unlock(&lreq->lock);
linger_put(lreq);
}
static void send_linger(struct ceph_osd_linger_request *lreq)
{
- struct ceph_osd_request *req = lreq->reg_req;
- struct ceph_osd_req_op *op = &req->r_ops[0];
+ struct ceph_osd_client *osdc = lreq->osdc;
+ struct ceph_osd_request *req;
+ int ret;
- verify_osdc_wrlocked(req->r_osdc);
+ verify_osdc_wrlocked(osdc);
+ mutex_lock(&lreq->lock);
dout("%s lreq %p linger_id %llu\n", __func__, lreq, lreq->linger_id);
- if (req->r_osd)
- cancel_linger_request(req);
+ if (lreq->reg_req) {
+ if (lreq->reg_req->r_osd)
+ cancel_linger_request(lreq->reg_req);
+ ceph_osdc_put_request(lreq->reg_req);
+ }
+
+ req = ceph_osdc_alloc_request(osdc, NULL, 1, true, GFP_NOIO);
+ BUG_ON(!req);
- request_reinit(req);
target_copy(&req->r_t, &lreq->t);
req->r_mtime = lreq->mtime;
- mutex_lock(&lreq->lock);
if (lreq->is_watch && lreq->committed) {
- WARN_ON(op->op != CEPH_OSD_OP_WATCH ||
- op->watch.cookie != lreq->linger_id);
- op->watch.op = CEPH_OSD_WATCH_OP_RECONNECT;
- op->watch.gen = ++lreq->register_gen;
+ osd_req_op_watch_init(req, 0, CEPH_OSD_WATCH_OP_RECONNECT,
+ lreq->linger_id, ++lreq->register_gen);
dout("lreq %p reconnect register_gen %u\n", lreq,
- op->watch.gen);
+ req->r_ops[0].watch.gen);
req->r_callback = linger_reconnect_cb;
} else {
- if (!lreq->is_watch)
+ if (lreq->is_watch) {
+ osd_req_op_watch_init(req, 0, CEPH_OSD_WATCH_OP_WATCH,
+ lreq->linger_id, 0);
+ } else {
lreq->notify_id = 0;
- else
- WARN_ON(op->watch.op != CEPH_OSD_WATCH_OP_WATCH);
+
+ refcount_inc(&lreq->request_pl->refcnt);
+ osd_req_op_notify_init(req, 0, lreq->linger_id,
+ lreq->request_pl);
+ ceph_osd_data_pages_init(
+ osd_req_op_data(req, 0, notify, response_data),
+ lreq->notify_id_pages, PAGE_SIZE, 0, false, false);
+ }
dout("lreq %p register\n", lreq);
req->r_callback = linger_commit_cb;
}
- mutex_unlock(&lreq->lock);
+
+ ret = ceph_osdc_alloc_messages(req, GFP_NOIO);
+ BUG_ON(ret);
req->r_priv = linger_get(lreq);
req->r_linger = true;
+ lreq->reg_req = req;
+ mutex_unlock(&lreq->lock);
submit_request(req, true);
}
@@ -3102,6 +3115,12 @@ static void linger_ping_cb(struct ceph_o
struct ceph_osd_linger_request *lreq = req->r_priv;
mutex_lock(&lreq->lock);
+ if (req != lreq->ping_req) {
+ dout("%s lreq %p linger_id %llu unknown req (%p != %p)\n",
+ __func__, lreq, lreq->linger_id, req, lreq->ping_req);
+ goto out;
+ }
+
dout("%s lreq %p linger_id %llu result %d ping_sent %lu last_error %d\n",
__func__, lreq, lreq->linger_id, req->r_result, lreq->ping_sent,
lreq->last_error);
@@ -3117,6 +3136,7 @@ static void linger_ping_cb(struct ceph_o
lreq->register_gen, req->r_ops[0].watch.gen);
}
+out:
mutex_unlock(&lreq->lock);
linger_put(lreq);
}
@@ -3124,8 +3144,8 @@ static void linger_ping_cb(struct ceph_o
static void send_linger_ping(struct ceph_osd_linger_request *lreq)
{
struct ceph_osd_client *osdc = lreq->osdc;
- struct ceph_osd_request *req = lreq->ping_req;
- struct ceph_osd_req_op *op = &req->r_ops[0];
+ struct ceph_osd_request *req;
+ int ret;
if (ceph_osdmap_flag(osdc, CEPH_OSDMAP_PAUSERD)) {
dout("%s PAUSERD\n", __func__);
@@ -3137,19 +3157,26 @@ static void send_linger_ping(struct ceph
__func__, lreq, lreq->linger_id, lreq->ping_sent,
lreq->register_gen);
- if (req->r_osd)
- cancel_linger_request(req);
+ if (lreq->ping_req) {
+ if (lreq->ping_req->r_osd)
+ cancel_linger_request(lreq->ping_req);
+ ceph_osdc_put_request(lreq->ping_req);
+ }
- request_reinit(req);
- target_copy(&req->r_t, &lreq->t);
+ req = ceph_osdc_alloc_request(osdc, NULL, 1, true, GFP_NOIO);
+ BUG_ON(!req);
- WARN_ON(op->op != CEPH_OSD_OP_WATCH ||
- op->watch.cookie != lreq->linger_id ||
- op->watch.op != CEPH_OSD_WATCH_OP_PING);
- op->watch.gen = lreq->register_gen;
+ target_copy(&req->r_t, &lreq->t);
+ osd_req_op_watch_init(req, 0, CEPH_OSD_WATCH_OP_PING, lreq->linger_id,
+ lreq->register_gen);
req->r_callback = linger_ping_cb;
+
+ ret = ceph_osdc_alloc_messages(req, GFP_NOIO);
+ BUG_ON(ret);
+
req->r_priv = linger_get(lreq);
req->r_linger = true;
+ lreq->ping_req = req;
ceph_osdc_get_request(req);
account_request(req);
@@ -3165,12 +3192,6 @@ static void linger_submit(struct ceph_os
down_write(&osdc->lock);
linger_register(lreq);
- if (lreq->is_watch) {
- lreq->reg_req->r_ops[0].watch.cookie = lreq->linger_id;
- lreq->ping_req->r_ops[0].watch.cookie = lreq->linger_id;
- } else {
- lreq->reg_req->r_ops[0].notify.cookie = lreq->linger_id;
- }
calc_target(osdc, &lreq->t, false);
osd = lookup_create_osd(osdc, lreq->t.osd, true);
@@ -3202,9 +3223,9 @@ static void cancel_linger_map_check(stru
*/
static void __linger_cancel(struct ceph_osd_linger_request *lreq)
{
- if (lreq->is_watch && lreq->ping_req->r_osd)
+ if (lreq->ping_req && lreq->ping_req->r_osd)
cancel_linger_request(lreq->ping_req);
- if (lreq->reg_req->r_osd)
+ if (lreq->reg_req && lreq->reg_req->r_osd)
cancel_linger_request(lreq->reg_req);
cancel_linger_map_check(lreq);
unlink_linger(lreq->osd, lreq);
@@ -4653,43 +4674,6 @@ again:
}
EXPORT_SYMBOL(ceph_osdc_sync);
-static struct ceph_osd_request *
-alloc_linger_request(struct ceph_osd_linger_request *lreq)
-{
- struct ceph_osd_request *req;
-
- req = ceph_osdc_alloc_request(lreq->osdc, NULL, 1, false, GFP_NOIO);
- if (!req)
- return NULL;
-
- ceph_oid_copy(&req->r_base_oid, &lreq->t.base_oid);
- ceph_oloc_copy(&req->r_base_oloc, &lreq->t.base_oloc);
- return req;
-}
-
-static struct ceph_osd_request *
-alloc_watch_request(struct ceph_osd_linger_request *lreq, u8 watch_opcode)
-{
- struct ceph_osd_request *req;
-
- req = alloc_linger_request(lreq);
- if (!req)
- return NULL;
-
- /*
- * Pass 0 for cookie because we don't know it yet, it will be
- * filled in by linger_submit().
- */
- osd_req_op_watch_init(req, 0, 0, watch_opcode);
-
- if (ceph_osdc_alloc_messages(req, GFP_NOIO)) {
- ceph_osdc_put_request(req);
- return NULL;
- }
-
- return req;
-}
-
/*
* Returns a handle, caller owns a ref.
*/
@@ -4719,18 +4703,6 @@ ceph_osdc_watch(struct ceph_osd_client *
lreq->t.flags = CEPH_OSD_FLAG_WRITE;
ktime_get_real_ts64(&lreq->mtime);
- lreq->reg_req = alloc_watch_request(lreq, CEPH_OSD_WATCH_OP_WATCH);
- if (!lreq->reg_req) {
- ret = -ENOMEM;
- goto err_put_lreq;
- }
-
- lreq->ping_req = alloc_watch_request(lreq, CEPH_OSD_WATCH_OP_PING);
- if (!lreq->ping_req) {
- ret = -ENOMEM;
- goto err_put_lreq;
- }
-
linger_submit(lreq);
ret = linger_reg_commit_wait(lreq);
if (ret) {
@@ -4768,8 +4740,8 @@ int ceph_osdc_unwatch(struct ceph_osd_cl
ceph_oloc_copy(&req->r_base_oloc, &lreq->t.base_oloc);
req->r_flags = CEPH_OSD_FLAG_WRITE;
ktime_get_real_ts64(&req->r_mtime);
- osd_req_op_watch_init(req, 0, lreq->linger_id,
- CEPH_OSD_WATCH_OP_UNWATCH);
+ osd_req_op_watch_init(req, 0, CEPH_OSD_WATCH_OP_UNWATCH,
+ lreq->linger_id, 0);
ret = ceph_osdc_alloc_messages(req, GFP_NOIO);
if (ret)
@@ -4855,35 +4827,6 @@ out_put_req:
}
EXPORT_SYMBOL(ceph_osdc_notify_ack);
-static int osd_req_op_notify_init(struct ceph_osd_request *req, int which,
- u64 cookie, u32 prot_ver, u32 timeout,
- void *payload, u32 payload_len)
-{
- struct ceph_osd_req_op *op;
- struct ceph_pagelist *pl;
- int ret;
-
- op = osd_req_op_init(req, which, CEPH_OSD_OP_NOTIFY, 0);
- op->notify.cookie = cookie;
-
- pl = ceph_pagelist_alloc(GFP_NOIO);
- if (!pl)
- return -ENOMEM;
-
- ret = ceph_pagelist_encode_32(pl, 1); /* prot_ver */
- ret |= ceph_pagelist_encode_32(pl, timeout);
- ret |= ceph_pagelist_encode_32(pl, payload_len);
- ret |= ceph_pagelist_append(pl, payload, payload_len);
- if (ret) {
- ceph_pagelist_release(pl);
- return -ENOMEM;
- }
-
- ceph_osd_data_pagelist_init(&op->notify.request_data, pl);
- op->indata_len = pl->length;
- return 0;
-}
-
/*
* @timeout: in seconds
*
@@ -4902,7 +4845,6 @@ int ceph_osdc_notify(struct ceph_osd_cli
size_t *preply_len)
{
struct ceph_osd_linger_request *lreq;
- struct page **pages;
int ret;
WARN_ON(!timeout);
@@ -4915,41 +4857,35 @@ int ceph_osdc_notify(struct ceph_osd_cli
if (!lreq)
return -ENOMEM;
- lreq->preply_pages = preply_pages;
- lreq->preply_len = preply_len;
-
- ceph_oid_copy(&lreq->t.base_oid, oid);
- ceph_oloc_copy(&lreq->t.base_oloc, oloc);
- lreq->t.flags = CEPH_OSD_FLAG_READ;
-
- lreq->reg_req = alloc_linger_request(lreq);
- if (!lreq->reg_req) {
+ lreq->request_pl = ceph_pagelist_alloc(GFP_NOIO);
+ if (!lreq->request_pl) {
ret = -ENOMEM;
goto out_put_lreq;
}
- /*
- * Pass 0 for cookie because we don't know it yet, it will be
- * filled in by linger_submit().
- */
- ret = osd_req_op_notify_init(lreq->reg_req, 0, 0, 1, timeout,
- payload, payload_len);
- if (ret)
+ ret = ceph_pagelist_encode_32(lreq->request_pl, 1); /* prot_ver */
+ ret |= ceph_pagelist_encode_32(lreq->request_pl, timeout);
+ ret |= ceph_pagelist_encode_32(lreq->request_pl, payload_len);
+ ret |= ceph_pagelist_append(lreq->request_pl, payload, payload_len);
+ if (ret) {
+ ret = -ENOMEM;
goto out_put_lreq;
+ }
/* for notify_id */
- pages = ceph_alloc_page_vector(1, GFP_NOIO);
- if (IS_ERR(pages)) {
- ret = PTR_ERR(pages);
+ lreq->notify_id_pages = ceph_alloc_page_vector(1, GFP_NOIO);
+ if (IS_ERR(lreq->notify_id_pages)) {
+ ret = PTR_ERR(lreq->notify_id_pages);
+ lreq->notify_id_pages = NULL;
goto out_put_lreq;
}
- ceph_osd_data_pages_init(osd_req_op_data(lreq->reg_req, 0, notify,
- response_data),
- pages, PAGE_SIZE, 0, false, true);
- ret = ceph_osdc_alloc_messages(lreq->reg_req, GFP_NOIO);
- if (ret)
- goto out_put_lreq;
+ lreq->preply_pages = preply_pages;
+ lreq->preply_len = preply_len;
+
+ ceph_oid_copy(&lreq->t.base_oid, oid);
+ ceph_oloc_copy(&lreq->t.base_oloc, oloc);
+ lreq->t.flags = CEPH_OSD_FLAG_READ;
linger_submit(lreq);
ret = linger_reg_commit_wait(lreq);
next prev parent reply other threads:[~2022-05-23 18:03 UTC|newest]
Thread overview: 172+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-23 17:02 [PATCH 5.17 000/158] 5.17.10-rc1 review Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 001/158] usb: gadget: fix race when gadget driver register via ioctl Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 002/158] floppy: use a statically allocated error counter Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 003/158] kernel/resource: Introduce request_mem_region_muxed() Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 004/158] i2c: piix4: Replace hardcoded memory map size with a #define Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 005/158] i2c: piix4: Move port I/O region request/release code into functions Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 006/158] i2c: piix4: Move SMBus controller base address detect into function Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 007/158] i2c: piix4: Move SMBus port selection " Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 008/158] i2c: piix4: Add EFCH MMIO support to region request and release Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 009/158] i2c: piix4: Add EFCH MMIO support to SMBus base address detect Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 010/158] i2c: piix4: Add EFCH MMIO support for SMBus port select Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 011/158] i2c: piix4: Enable EFCH MMIO for Family 17h+ Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 012/158] Watchdog: sp5100_tco: Move timer initialization into function Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 013/158] Watchdog: sp5100_tco: Refactor MMIO base address initialization Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 014/158] Watchdog: sp5100_tco: Add initialization using EFCH MMIO Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 015/158] Watchdog: sp5100_tco: Enable Family 17h+ CPUs Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 016/158] Revert "drm/i915/opregion: check port number bounds for SWSCI display power state" Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 017/158] gfs2: cancel timed-out glock requests Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 018/158] gfs2: Switch lock order of inode and iopen glock Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 019/158] rtc: fix use-after-free on device removal Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 020/158] rtc: pcf2127: fix bug when reading alarm registers Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 021/158] kconfig: add fflush() before ferror() check Greg Kroah-Hartman
2022-05-23 17:02 ` [PATCH 5.17 022/158] um: Cleanup syscall_handler_t definition/cast, fix warning Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 023/158] Input: add bounds checking to input_set_capability() Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 024/158] Input: stmfts - fix reference leak in stmfts_input_open Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 025/158] nvme-pci: add quirks for Samsung X5 SSDs Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 026/158] gfs2: Disable page faults during lockless buffered reads Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 027/158] rtc: sun6i: Fix time overflow handling Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 028/158] crypto: stm32 - fix reference leak in stm32_crc_remove Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 029/158] crypto: x86/chacha20 - Avoid spurious jumps to other functions Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 030/158] ALSA: hda/realtek: Enable headset mic on Lenovo P360 Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 031/158] s390/traps: improve panic message for translation-specification exception Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 032/158] s390/pci: improve zpci_dev reference counting Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 033/158] vhost_vdpa: dont setup irq offloading when irq_num < 0 Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 034/158] tools/virtio: compile with -pthread Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 035/158] smb3: cleanup and clarify status of tree connections Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 036/158] nvmet: use a private workqueue instead of the system workqueue Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 037/158] nvme-multipath: fix hang when disk goes live over reconnect Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 038/158] rtc: mc146818-lib: Fix the AltCentury for AMD platforms Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 039/158] fs: fix an infinite loop in iomap_fiemap Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 040/158] MIPS: lantiq: check the return value of kzalloc() Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 041/158] drbd: remove usage of list iterator variable after loop Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 042/158] platform/chrome: cros_ec_debugfs: detach log reader wq from devm Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 043/158] ARM: 9191/1: arm/stacktrace, kasan: Silence KASAN warnings in unwind_frame() Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 044/158] nilfs2: fix lockdep warnings in page operations for btree nodes Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 045/158] nilfs2: fix lockdep warnings during disk space reclamation Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 046/158] ALSA: usb-audio: Restore Rane SL-1 quirk Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 047/158] ALSA: wavefront: Proper check of get_user() error Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 048/158] ALSA: hda/realtek: Add quirk for TongFang devices with pop noise Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 049/158] perf: Fix sys_perf_event_open() race against self Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 050/158] selinux: fix bad cleanup on error in hashtab_duplicate() Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 051/158] audit,io_uring,io-wq: call __audit_uring_exit for dummy contexts Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 052/158] Fix double fget() in vhost_net_set_backend() Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 053/158] PCI/PM: Avoid putting Elo i2 PCIe Ports in D3cold Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 054/158] Revert "can: m_can: pci: use custom bit timings for Elkhart Lake" Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 055/158] KVM: arm64: vgic-v3: Consistently populate ID_AA64PFR0_EL1.GIC Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 056/158] KVM: x86/mmu: Update number of zapped pages even if page list is stable Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 057/158] KVM: Free new dirty bitmap if creating a new memslot fails Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 058/158] arm64: paravirt: Use RCU read locks to guard stolen_time Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 059/158] arm64: mte: Ensure the cleared tags are visible before setting the PTE Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 060/158] crypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 061/158] mmc: core: Fix busy polling for MMC_SEND_OP_COND again Greg Kroah-Hartman
2022-05-23 17:03 ` Greg Kroah-Hartman [this message]
2022-05-23 17:03 ` [PATCH 5.17 063/158] drm/amd: Dont reset dGPUs if the system is going to s2idle Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 064/158] drm/i915/dmc: Add MMIO range restrictions Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 065/158] drm/dp/mst: fix a possible memory leak in fetch_monitor_name() Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 066/158] dma-buf: fix use of DMA_BUF_SET_NAME_{A,B} in userspace Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 067/158] dma-buf: ensure unique directory name for dmabuf stats Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 068/158] arm64: dts: qcom: sm8250: dont enable rx/tx macro by default Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 069/158] ARM: dts: aspeed-g6: remove FWQSPID group in pinctrl dtsi Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 070/158] pinctrl: pinctrl-aspeed-g6: remove FWQSPID group in pinctrl Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 071/158] ARM: dts: aspeed-g6: fix SPI1/SPI2 quad pin group Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 072/158] ARM: dts: aspeed: Add video engine to g6 Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 073/158] pinctrl: ocelot: Fix for lan966x alt mode Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 074/158] pinctrl: mediatek: mt8365: fix IES control pins Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 075/158] ALSA: hda - fix unused Realtek function when PM is not enabled Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 076/158] net: ipa: certain dropped packets arent accounted for Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 077/158] net: ipa: record proper RX transaction count Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 078/158] block/mq-deadline: Set the fifo_time member also if inserting at head Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 079/158] mptcp: fix subflow accounting on close Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 080/158] net: macb: Increment rx bd head after allocating skb and buffer Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 081/158] i915/guc/reset: Make __guc_reset_context aware of guilty engines Greg Kroah-Hartman
2022-05-23 17:03 ` [PATCH 5.17 082/158] xfrm: rework default policy structure Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 083/158] xfrm: fix "disable_policy" flag use when arriving from different devices Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 084/158] net/sched: act_pedit: sanitize shift argument before usage Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 085/158] netfilter: flowtable: fix excessive hw offload attempts after failure Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 086/158] netfilter: nft_flow_offload: skip dst neigh lookup for ppp devices Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 087/158] net: fix dev_fill_forward_path with pppoe + bridge Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 088/158] netfilter: nft_flow_offload: fix offload with pppoe + vlan Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 089/158] ptp: ocp: have adjtime handle negative delta_ns correctly Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 090/158] Revert "PCI: aardvark: Rewrite IRQ code to chained IRQ handler" Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 091/158] net: lan966x: Fix assignment of the MAC address Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 092/158] net: systemport: Fix an error handling path in bcm_sysport_probe() Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 093/158] net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf() Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 094/158] net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup() Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 095/158] arm64: kexec: load from kimage prior to clobbering Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 096/158] ice: fix crash when writing timestamp on RX rings Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 097/158] ice: fix possible under reporting of ethtool Tx and Rx statistics Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 098/158] ice: Fix interrupt moderation settings getting cleared Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 099/158] clk: at91: generated: consider range when calculating best rate Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 100/158] net/qla3xxx: Fix a test in ql_reset_work() Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 101/158] NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 102/158] net/mlx5: DR, Fix missing flow_source when creating multi-destination FW table Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 103/158] net/mlx5: Initialize flow steering during driver probe Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 104/158] net/mlx5: DR, Ignore modify TTL on RX if device doesnt support it Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 105/158] net/mlx5e: Block rx-gro-hw feature in switchdev mode Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 106/158] net/mlx5e: Properly block LRO when XDP is enabled Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 107/158] net/mlx5e: Properly block HW GRO " Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 108/158] net/mlx5e: Remove HW-GRO from reported features Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 109/158] net/mlx5: Drain fw_reset when removing device Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 110/158] net: af_key: add check for pfkey_broadcast in function pfkey_process Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 111/158] ARM: 9196/1: spectre-bhb: enable for Cortex-A15 Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 112/158] ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2 Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 113/158] mptcp: fix checksum byte order Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 114/158] mptcp: strict local address ID selection Greg Kroah-Hartman
2022-05-24 3:51 ` Mat Martineau
2022-05-25 7:51 ` Greg Kroah-Hartman
2022-05-25 10:17 ` Matthieu Baerts
2022-05-23 17:04 ` [PATCH 5.17 115/158] mptcp: Do TCP fallback on early DSS checksum failure Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 116/158] igb: skip phy status check where unavailable Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 117/158] netfilter: flowtable: fix TCP flow teardown Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 118/158] netfilter: flowtable: pass flowtable to nf_flow_table_iterate() Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 119/158] netfilter: flowtable: move dst_check to packet path Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 120/158] vdpa/mlx5: Use consistent RQT size Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 121/158] net: bridge: Clear offload_fwd_mark when passing frame up bridge interface Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 122/158] riscv: dts: sifive: fu540-c000: align dma node name with dtschema Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 123/158] scsi: ufs: core: Fix referencing invalid rsp field Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 124/158] kvm: x86/pmu: Fix the compare function used by the pmu event filter Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 125/158] perf build: Fix check for btf__load_from_kernel_by_id() in libbpf Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 126/158] perf stat: Fix and validate CPU map inputs in synthetic PERF_RECORD_STAT events Greg Kroah-Hartman
2022-05-25 20:05 ` patchwork-bot+netdevbpf
2022-05-23 17:04 ` [PATCH 5.17 127/158] gpio: gpio-vf610: do not touch other bits when set the target bit Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 128/158] gpio: mvebu/pwm: Refuse requests with inverted polarity Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 129/158] perf test: Fix "all PMU test" to skip hv_24x7/hv_gpci tests on powerpc Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 130/158] perf regs x86: Fix arch__intr_reg_mask() for the hybrid platform Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 131/158] perf bench numa: Address compiler error on s390 Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 132/158] perf test bpf: Skip test if clang is not present Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 133/158] scsi: scsi_dh_alua: Properly handle the ALUA transitioning state Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 134/158] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 135/158] mac80211: fix rx reordering with non explicit / psmp ack policy Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 136/158] nl80211: validate S1G channel width Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 137/158] cfg80211: retrieve S1G operating channel number Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 138/158] selftests: add ping test with ping_group_range tuned Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 139/158] Revert "fbdev: Make fb_release() return -ENODEV if fbdev was unregistered" Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 140/158] fbdev: Prevent possible use-after-free in fb_release() Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 141/158] platform/x86: thinkpad_acpi: Convert btusb DMI list to quirks Greg Kroah-Hartman
2022-05-23 17:04 ` [PATCH 5.17 142/158] platform/x86: thinkpad_acpi: Correct dual fan probe Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 143/158] platform/x86/intel: Fix rmmod pmt_telemetry panic Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 144/158] platform/surface: gpe: Add support for Surface Pro 8 Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 145/158] drm/amd/display: undo clearing of z10 related function pointers Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 146/158] net: fix wrong network header length Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 147/158] nl80211: fix locking in nl80211_set_tx_bitrate_mask() Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 148/158] ethernet: tulip: fix missing pci_disable_device() on error in tulip_init_one() Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 149/158] net: stmmac: fix missing pci_disable_device() on error in stmmac_pci_probe() Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 150/158] net: atlantic: fix "frag[0] not initialized" Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 151/158] net: atlantic: reduce scope of is_rsc_complete Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 152/158] net: atlantic: add check for MAX_SKB_FRAGS Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 153/158] net: atlantic: verify hw_head_ lies within TX buffer ring Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 154/158] arm64: Enable repeat tlbi workaround on KRYO4XX gold CPUs Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 155/158] Input: ili210x - fix reset timing Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 156/158] dt-bindings: pinctrl: aspeed-g6: remove FWQSPID group Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 157/158] i2c: mt7621: fix missing clk_disable_unprepare() on error in mtk_i2c_probe() Greg Kroah-Hartman
2022-05-23 17:05 ` [PATCH 5.17 158/158] afs: Fix afs_getattr() to refetch file status if callback break occurred Greg Kroah-Hartman
2022-05-23 18:59 ` [PATCH 5.17 000/158] 5.17.10-rc1 review Florian Fainelli
2022-05-23 22:55 ` Shuah Khan
2022-05-24 0:28 ` Zan Aziz
2022-05-24 2:03 ` Naresh Kamboju
2022-05-24 6:43 ` Ron Economos
2022-05-24 11:36 ` Fox Chen
2022-05-24 15:46 ` Justin Forbes
2022-05-24 20:05 ` Guenter Roeck
2022-05-25 0:16 ` Labnan Khalid Masum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220523165841.123651841@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=idryomov@gmail.com \
--cc=jlayton@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=xiubli@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).