linux-stable/drivers
Coly Li 4cf6bb23ac bcache: fix stack corruption by PRECEDING_KEY()
commit 31b90956b1 upstream.

Recently people reported that bcache code compiled with gcc9 is broken; one of
the buggy behaviors I observed is that two adjacent 4KB I/Os should merge
into one but they don't. Finally it turned out to be a stack corruption
caused by the macro PRECEDING_KEY().

See how PRECEDING_KEY() is defined in bset.h:
437 #define PRECEDING_KEY(_k)                                       \
438 ({                                                              \
439         struct bkey *_ret = NULL;                               \
440                                                                 \
441         if (KEY_INODE(_k) || KEY_OFFSET(_k)) {                  \
442                 _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0);  \
443                                                                 \
444                 if (!_ret->low)                                 \
445                         _ret->high--;                           \
446                 _ret->low--;                                    \
447         }                                                       \
448                                                                 \
449         _ret;                                                   \
450 })

At line 442, _ret points to the address of an on-stack variable combined by
KEY(); the life range of this on-stack variable is lines 442-446. Once
_ret is returned to bch_btree_insert_key(), the returned address points
to an invalid stack address, and this address is overwritten in the
subsequently called bch_btree_iter_init(). Then the argument 'search' of
bch_btree_iter_init() points to some address inside the stack frame of
bch_btree_iter_init(); the exact address depends on how the compiler
allocates stack space. Now the stack is corrupted.

Fixes: 0eacac2203 ("bcache: PRECEDING_KEY()")
Signed-off-by: Coly Li <colyli@suse.de>
Reviewed-by: Rolf Fokkens <rolf@rolffokkens.nl>
Reviewed-by: Pierre JUHEN <pierre.juhen@orange.fr>
Tested-by: Shenghui Wang <shhuiw@foxmail.com>
Tested-by: Pierre JUHEN <pierre.juhen@orange.fr>
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: Nix <nix@esperi.org.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-22 08:17:19 +02:00
accessibility
acpi x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:19:34 +02:00
amba
android binder: replace "%p" with "%pK" 2019-06-11 12:22:44 +02:00
ata libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk 2019-06-22 08:17:18 +02:00
atm atm: he: fix sign-extension overflow on large shift 2019-02-27 10:06:59 +01:00
auxdisplay
base PM / core: Propagate dev->power.wakeup_path when no callbacks 2019-05-31 06:48:26 -07:00
bcma
block virtio-blk: limit number of hw queues by nr_cpu_ids 2019-05-10 17:52:09 +02:00
bluetooth Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV" 2018-11-27 16:09:40 +01:00
bus bus: arm-cci: remove unnecessary unreachable() 2018-12-05 19:42:41 +01:00
cdrom cdrom: Fix race condition in cdrom_sysctl_register 2019-04-05 22:29:12 +02:00
char virtio_console: initialize vtermno value for ports 2019-05-31 06:48:29 -07:00
clk clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288 2019-06-22 08:17:15 +02:00
clocksource clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown 2019-03-23 13:19:46 +01:00
connector
cpufreq cpufreq: pmac32: fix possible object reference leak 2019-05-31 06:48:27 -07:00
cpuidle cpuidle: big.LITTLE: fix refcount leak 2019-02-12 19:44:55 +01:00
crypto crypto: vmx - ghash: do nosimd fallback manually 2019-06-11 12:22:35 +02:00
dax
dca
devfreq
dio
dma dmaengine: idma64: Use actual device for DMA transfers 2019-06-22 08:17:17 +02:00
dma-buf
edac EDAC, skx_edac: Fix logical channel intermediate decoding 2018-11-13 11:16:56 -08:00
eisa
extcon extcon: arizona: Disable mic detect if running when driver is removed 2019-05-31 06:48:26 -07:00
firewire
firmware efi/libstub: Unify command line param parsing 2019-06-11 12:22:45 +02:00
fmc
fpga
gpio gpio: gpio-omap: add check for off wake capable gpios 2019-06-22 08:17:17 +02:00
gpu drm/bridge: adv7511: Fix low refresh rate selection 2019-06-22 08:17:13 +02:00
hid HID: core: move Usage Page concatenation to Main item 2019-05-31 06:48:29 -07:00
hsi
hv Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels 2018-12-29 13:40:15 +01:00
hwmon hwmon: (f71805f) Use request_muxed_region for Super-IO accesses 2019-05-31 06:48:24 -07:00
hwspinlock
hwtracing intel_th: msu: Fix single mode with IOMMU 2019-05-25 18:26:46 +02:00
i2c i2c: acorn: fix i2c warning 2019-06-22 08:17:18 +02:00
ide ide: pmac: add of_node_put() 2018-12-21 14:11:37 +01:00
idle x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:19:34 +02:00
iio iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data 2019-05-31 06:48:27 -07:00
infiniband RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure 2019-05-31 06:48:23 -07:00
input Input: synaptics-rmi4 - fix possible double free 2019-05-16 19:43:44 +02:00
iommu iommu/vt-d: Set intel_iommu_gfx_mapped correctly 2019-06-22 08:17:14 +02:00
ipack
irqchip Revert "MIPS: perf: ath79: Fix perfcount IRQ assignment" 2019-06-11 12:22:48 +02:00
isdn mISDN: Check address length before reading address family 2019-05-16 19:43:42 +02:00
leds leds: pca9532: fix a potential NULL pointer dereference 2019-05-04 08:49:10 +02:00
lguest
lightnvm
macintosh macintosh/rack-meter: Convert cputime64_t use to u64 2018-10-20 09:51:32 +02:00
mailbox
mcb
md bcache: fix stack corruption by PRECEDING_KEY() 2019-06-22 08:17:19 +02:00
media media: v4l2-ioctl: clear fields in s_parm 2019-06-22 08:17:18 +02:00
memory memory: tegra: Fix integer overflow on tick value calculation 2019-05-25 18:26:49 +02:00
memstick memstick: Prevent memstick host from getting runtime suspended during card detection 2019-02-12 19:44:55 +01:00
message
mfd mfd: twl6040: Fix device init errors for ACCCTL register 2019-06-22 08:17:13 +02:00
misc genwqe: Prevent an integer overflow in the ioctl 2019-06-11 12:22:48 +02:00
mmc mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support 2019-05-31 06:48:25 -07:00
mtd mtd: rawnand: gpmi: fix MX28 bus master lockup problem 2019-02-15 08:07:37 +01:00
net net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query 2019-06-11 12:22:46 +02:00
nfc spi: ST ST95HF NFC: declare missing of table 2019-05-16 19:43:43 +02:00
ntb
nubus
nvdimm libnvdimm/namespace: Fix label tracking error 2019-05-31 06:48:11 -07:00
nvme nvme-loop: init nvmet_ctrl fatal_err_work when allocate 2019-05-08 07:19:08 +02:00
nvmem nvmem: core: fix read buffer in place 2019-06-22 08:17:15 +02:00
of of: add helper to lookup compatible child node 2018-12-01 09:44:21 +01:00
oprofile
parisc parisc: Use implicit space register selection for loading the coherence index of I/O pdirs 2019-06-11 12:22:47 +02:00
parport parport_pc: fix find_superio io compare code, should use equal test. 2019-03-23 13:19:50 +01:00
pci PCI: xilinx: Check for __get_free_pages() failure 2019-06-22 08:17:17 +02:00
pcmcia pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges 2018-11-13 11:16:46 -08:00
perf
phy phy: tegra: remove redundant self assignment of 'map' 2019-02-27 10:07:03 +01:00
pinctrl pinctrl: pistachio: fix leaked of_node references 2019-05-31 06:48:18 -07:00
platform platform/x86: intel_pmc_ipc: adding error handling 2019-06-22 08:17:16 +02:00
pnp
power power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG 2019-05-25 18:26:56 +02:00
powercap x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:19:34 +02:00
pps
ps3
ptp ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl 2019-02-12 19:44:52 +01:00
pwm pwm: Fix deadlock warning when removing PWM device 2019-06-22 08:17:17 +02:00
rapidio rapidio: fix a NULL pointer dereference when create_workqueue() fails 2019-06-22 08:17:11 +02:00
ras
regulator regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting 2019-04-05 22:29:14 +02:00
remoteproc
reset reset: make device_reset_optional() really optional 2018-12-08 13:05:08 +01:00
rpmsg rpmsg: smd: fix memory leak on channel create 2018-11-13 11:17:03 -08:00
rtc rtc: 88pm860x: prevent use-after-free on device remove 2019-05-31 06:48:15 -07:00
s390 scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs) 2019-06-11 12:22:40 +02:00
sbus drivers/sbus/char: add of_node_put() 2018-12-21 14:11:36 +01:00
scsi scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices 2019-05-31 06:48:31 -07:00
sfi
sh
sn
soc soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher 2019-06-22 08:17:15 +02:00
spi dmaengine: idma64: Use actual device for DMA transfers 2019-06-22 08:17:17 +02:00
spmi
ssb ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit 2019-05-31 06:48:12 -07:00
staging staging: vc04_services: prevent integer overflow in create_pagelist() 2019-06-11 12:22:43 +02:00
target scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock 2019-03-23 13:19:47 +01:00
tc TC: Set DMA masks for devices 2018-11-13 11:17:02 -08:00
thermal drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER 2019-06-22 08:17:13 +02:00
thunderbolt
tty dmaengine: idma64: Use actual device for DMA transfers 2019-06-22 08:17:17 +02:00
uio uio: Fix an Oops on load 2018-11-27 16:09:41 +01:00
usb USB: rio500: fix memory leak in close after disconnect 2019-06-11 12:22:39 +02:00
uwb
vfio vfio/pci: use correct format characters 2019-05-08 07:19:10 +02:00
vhost vhost: reject zero size iova range 2019-04-27 09:34:40 +02:00
video video: imsttfb: fix potential NULL pointer dereferences 2019-06-22 08:17:17 +02:00
virt drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl 2019-05-16 19:43:47 +02:00
virtio virtio: Honour 'may_reduce_num' in vring_create_virtqueue 2019-04-17 08:36:47 +02:00
vlynq
vme
w1 w1: fix the resume command API 2019-05-31 06:48:15 -07:00
watchdog watchdog: fix compile time error of pretimeout governors 2019-06-22 08:17:14 +02:00
xen fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock 2019-06-11 12:22:49 +02:00
zorro
Kconfig
Makefile