<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/9p, branch linux-4.9.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>9p: missing chunk of "fs/9p: Don't update file type when updating file attributes"</title>
<updated>2022-06-25T09:44:57+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2021-01-31T19:37:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fe7cde423488c55ef9dfe1ac8c87ed9af62aca2b'/>
<id>fe7cde423488c55ef9dfe1ac8c87ed9af62aca2b</id>
<content type='text'>
commit b577d0cd2104fdfcf0ded3707540a12be8ddd8b0 upstream.

In commit 45089142b149 Aneesh had missed one (admittedly, very unlikely
to hit) case in v9fs_stat2inode_dotl().  However, the same considerations
apply there as well - we have no business whatsoever to change -&gt;i_rdev
or the file type.

Cc: Tadeusz Struk &lt;tadeusz.struk@linaro.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b577d0cd2104fdfcf0ded3707540a12be8ddd8b0 upstream.

In commit 45089142b149 Aneesh had missed one (admittedly, very unlikely
to hit) case in v9fs_stat2inode_dotl().  However, the same considerations
apply there as well - we have no business whatsoever to change -&gt;i_rdev
or the file type.

Cc: Tadeusz Struk &lt;tadeusz.struk@linaro.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>9P: Cast to loff_t before multiplying</title>
<updated>2020-11-10T09:23:59+00:00</updated>
<author>
<name>Matthew Wilcox (Oracle)</name>
<email>willy@infradead.org</email>
</author>
<published>2020-10-04T18:04:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ddfff3b4c98ed328ab7298eec948968623c322ab'/>
<id>ddfff3b4c98ed328ab7298eec948968623c322ab</id>
<content type='text'>
commit f5f7ab168b9a60e12a4b8f2bb6fcc91321dc23c1 upstream.

On 32-bit systems, this multiplication will overflow for files larger
than 4GB.

Link: http://lkml.kernel.org/r/20201004180428.14494-2-willy@infradead.org
Cc: stable@vger.kernel.org
Fixes: fb89b45cdfdc ("9P: introduction of a new cache=mmap model.")
Signed-off-by: Matthew Wilcox (Oracle) &lt;willy@infradead.org&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f5f7ab168b9a60e12a4b8f2bb6fcc91321dc23c1 upstream.

On 32-bit systems, this multiplication will overflow for files larger
than 4GB.

Link: http://lkml.kernel.org/r/20201004180428.14494-2-willy@infradead.org
Cc: stable@vger.kernel.org
Fixes: fb89b45cdfdc ("9P: introduction of a new cache=mmap model.")
Signed-off-by: Matthew Wilcox (Oracle) &lt;willy@infradead.org&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>9p: Fix memory leak in v9fs_mount</title>
<updated>2020-08-21T09:02:06+00:00</updated>
<author>
<name>Zheng Bin</name>
<email>zhengbin13@huawei.com</email>
</author>
<published>2020-06-15T01:21:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3ce4ded54c8b43f5d3f63d3f6dc498dee548f57c'/>
<id>3ce4ded54c8b43f5d3f63d3f6dc498dee548f57c</id>
<content type='text'>
commit cb0aae0e31c632c407a2cab4307be85a001d4d98 upstream.

v9fs_mount
  v9fs_session_init
    v9fs_cache_session_get_cookie
      v9fs_random_cachetag                     --&gt;alloc cachetag
      v9ses-&gt;fscache = fscache_acquire_cookie  --&gt;maybe NULL
  sb = sget                                    --&gt;fail, goto clunk
clunk_fid:
  v9fs_session_close
    if (v9ses-&gt;fscache)                        --&gt;NULL
      kfree(v9ses-&gt;cachetag)

Thus memleak happens.

Link: http://lkml.kernel.org/r/20200615012153.89538-1-zhengbin13@huawei.com
Fixes: 60e78d2c993e ("9p: Add fscache support to 9p")
Cc: &lt;stable@vger.kernel.org&gt; # v2.6.32+
Signed-off-by: Zheng Bin &lt;zhengbin13@huawei.com&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cb0aae0e31c632c407a2cab4307be85a001d4d98 upstream.

v9fs_mount
  v9fs_session_init
    v9fs_cache_session_get_cookie
      v9fs_random_cachetag                     --&gt;alloc cachetag
      v9ses-&gt;fscache = fscache_acquire_cookie  --&gt;maybe NULL
  sb = sget                                    --&gt;fail, goto clunk
clunk_fid:
  v9fs_session_close
    if (v9ses-&gt;fscache)                        --&gt;NULL
      kfree(v9ses-&gt;cachetag)

Thus memleak happens.

Link: http://lkml.kernel.org/r/20200615012153.89538-1-zhengbin13@huawei.com
Fixes: 60e78d2c993e ("9p: Add fscache support to 9p")
Cc: &lt;stable@vger.kernel.org&gt; # v2.6.32+
Signed-off-by: Zheng Bin &lt;zhengbin13@huawei.com&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>9p: avoid attaching writeback_fid on mmap with type PRIVATE</title>
<updated>2019-10-17T20:42:10+00:00</updated>
<author>
<name>Chengguang Xu</name>
<email>cgxu519@zoho.com.cn</email>
</author>
<published>2019-08-20T10:03:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=16a56a80c71720a055a815d4cb078955dec025ec'/>
<id>16a56a80c71720a055a815d4cb078955dec025ec</id>
<content type='text'>
[ Upstream commit c87a37ebd40b889178664c2c09cc187334146292 ]

Currently on mmap cache policy, we always attach writeback_fid
whether mmap type is SHARED or PRIVATE. However, in the use case
of kata-container which combines 9p(Guest OS) with overlayfs(Host OS),
this behavior will trigger overlayfs' copy-up when executing a command
inside container.

Link: http://lkml.kernel.org/r/20190820100325.10313-1-cgxu519@zoho.com.cn
Signed-off-by: Chengguang Xu &lt;cgxu519@zoho.com.cn&gt;
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c87a37ebd40b889178664c2c09cc187334146292 ]

Currently on mmap cache policy, we always attach writeback_fid
whether mmap type is SHARED or PRIVATE. However, in the use case
of kata-container which combines 9p(Guest OS) with overlayfs(Host OS),
this behavior will trigger overlayfs' copy-up when executing a command
inside container.

Link: http://lkml.kernel.org/r/20190820100325.10313-1-cgxu519@zoho.com.cn
Signed-off-by: Chengguang Xu &lt;cgxu519@zoho.com.cn&gt;
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>9p: pass the correct prototype to read_cache_page</title>
<updated>2019-08-04T07:33:42+00:00</updated>
<author>
<name>Christoph Hellwig</name>
<email>hch@lst.de</email>
</author>
<published>2019-07-12T03:55:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=42297534a4cf5a0c0bc91613e7b8eb76672c17d4'/>
<id>42297534a4cf5a0c0bc91613e7b8eb76672c17d4</id>
<content type='text'>
[ Upstream commit f053cbd4366051d7eb6ba1b8d529d20f719c2963 ]

Fix the callback 9p passes to read_cache_page to actually have the
proper type expected.  Casting around function pointers can easily
hide typing bugs, and defeats control flow protection.

Link: http://lkml.kernel.org/r/20190520055731.24538-5-hch@lst.de
Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: Sami Tolvanen &lt;samitolvanen@google.com&gt;
Cc: Nick Desaulniers &lt;ndesaulniers@google.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit f053cbd4366051d7eb6ba1b8d529d20f719c2963 ]

Fix the callback 9p passes to read_cache_page to actually have the
proper type expected.  Casting around function pointers can easily
hide typing bugs, and defeats control flow protection.

Link: http://lkml.kernel.org/r/20190520055731.24538-5-hch@lst.de
Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: Sami Tolvanen &lt;samitolvanen@google.com&gt;
Cc: Nick Desaulniers &lt;ndesaulniers@google.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>9p: acl: fix uninitialized iattr access</title>
<updated>2019-07-10T07:55:37+00:00</updated>
<author>
<name>Dominique Martinet</name>
<email>dominique.martinet@cea.fr</email>
</author>
<published>2018-09-07T15:10:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f779172e370794291ea800f60ec2af391fbf2fa7'/>
<id>f779172e370794291ea800f60ec2af391fbf2fa7</id>
<content type='text'>
[ Upstream commit e02a53d92e197706cad1627bd84705d4aa20a145 ]

iattr is passed to v9fs_vfs_setattr_dotl which does send various
values from iattr over the wire, even if it tells the server to
only look at iattr.ia_valid fields this could leak some stack data.

Link: http://lkml.kernel.org/r/1536339057-21974-2-git-send-email-asmadeus@codewreck.org
Addresses-Coverity-ID: 1195601 ("Uninitalized scalar variable")
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e02a53d92e197706cad1627bd84705d4aa20a145 ]

iattr is passed to v9fs_vfs_setattr_dotl which does send various
values from iattr over the wire, even if it tells the server to
only look at iattr.ia_valid fields this could leak some stack data.

Link: http://lkml.kernel.org/r/1536339057-21974-2-git-send-email-asmadeus@codewreck.org
Addresses-Coverity-ID: 1195601 ("Uninitalized scalar variable")
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>9p locks: add mount option for lock retry interval</title>
<updated>2019-04-20T07:07:51+00:00</updated>
<author>
<name>Dinu-Razvan Chis-Serban</name>
<email>justcsdr@gmail.com</email>
</author>
<published>2018-09-05T07:44:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3191224b905b05bf9ef1ddcd0dbf226ef6a35932'/>
<id>3191224b905b05bf9ef1ddcd0dbf226ef6a35932</id>
<content type='text'>
[ Upstream commit 5e172f75e51e3de1b4274146d9b990f803cb5c2a ]

The default P9_LOCK_TIMEOUT can be too long for some users exporting
a local file system to a guest VM (30s), make this configurable at
mount time.

Link: http://lkml.kernel.org/r/1536295827-3181-1-git-send-email-asmadeus@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195727
Signed-off-by: Dinu-Razvan Chis-Serban &lt;justcsdr@gmail.com&gt;
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 5e172f75e51e3de1b4274146d9b990f803cb5c2a ]

The default P9_LOCK_TIMEOUT can be too long for some users exporting
a local file system to a guest VM (30s), make this configurable at
mount time.

Link: http://lkml.kernel.org/r/1536295827-3181-1-git-send-email-asmadeus@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195727
Signed-off-by: Dinu-Razvan Chis-Serban &lt;justcsdr@gmail.com&gt;
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>9p: do not trust pdu content for stat item size</title>
<updated>2019-04-20T07:07:51+00:00</updated>
<author>
<name>Gertjan Halkes</name>
<email>gertjan@google.com</email>
</author>
<published>2018-09-05T06:41:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fea7d0d3125d518f9b2549a114614a9ef052f2c3'/>
<id>fea7d0d3125d518f9b2549a114614a9ef052f2c3</id>
<content type='text'>
[ Upstream commit 2803cf4379ed252894f046cb8812a48db35294e3 ]

v9fs_dir_readdir() could deadloop if a struct was sent with a size set
to -2

Link: http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmadeus@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021
Signed-off-by: Gertjan Halkes &lt;gertjan@google.com&gt;
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2803cf4379ed252894f046cb8812a48db35294e3 ]

v9fs_dir_readdir() could deadloop if a struct was sent with a size set
to -2

Link: http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmadeus@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021
Signed-off-by: Gertjan Halkes &lt;gertjan@google.com&gt;
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>9p: use inode-&gt;i_lock to protect i_size_write() under 32-bit</title>
<updated>2019-03-23T12:19:40+00:00</updated>
<author>
<name>Hou Tao</name>
<email>houtao1@huawei.com</email>
</author>
<published>2019-01-24T06:35:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0a97dbd82f40bcb888110a7d6860bac4a5819502'/>
<id>0a97dbd82f40bcb888110a7d6860bac4a5819502</id>
<content type='text'>
commit 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f upstream.

Use inode-&gt;i_lock to protect i_size_write(), else i_size_read() in
generic_fillattr() may loop infinitely in read_seqcount_begin() when
multiple processes invoke v9fs_vfs_getattr() or v9fs_vfs_getattr_dotl()
simultaneously under 32-bit SMP environment, and a soft lockup will be
triggered as shown below:

  watchdog: BUG: soft lockup - CPU#5 stuck for 22s! [stat:2217]
  Modules linked in:
  CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4
  Hardware name: Generic DT based system
  PC is at generic_fillattr+0x104/0x108
  LR is at 0xec497f00
  pc : [&lt;802b8898&gt;]    lr : [&lt;ec497f00&gt;]    psr: 200c0013
  sp : ec497e20  ip : ed608030  fp : ec497e3c
  r10: 00000000  r9 : ec497f00  r8 : ed608030
  r7 : ec497ebc  r6 : ec497f00  r5 : ee5c1550  r4 : ee005780
  r3 : 0000052d  r2 : 00000000  r1 : ec497f00  r0 : ed608030
  Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
  Control: 10c5387d  Table: ac48006a  DAC: 00000051
  CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4
  Hardware name: Generic DT based system
  Backtrace:
  [&lt;8010d974&gt;] (dump_backtrace) from [&lt;8010dc88&gt;] (show_stack+0x20/0x24)
  [&lt;8010dc68&gt;] (show_stack) from [&lt;80a1d194&gt;] (dump_stack+0xb0/0xdc)
  [&lt;80a1d0e4&gt;] (dump_stack) from [&lt;80109f34&gt;] (show_regs+0x1c/0x20)
  [&lt;80109f18&gt;] (show_regs) from [&lt;801d0a80&gt;] (watchdog_timer_fn+0x280/0x2f8)
  [&lt;801d0800&gt;] (watchdog_timer_fn) from [&lt;80198658&gt;] (__hrtimer_run_queues+0x18c/0x380)
  [&lt;801984cc&gt;] (__hrtimer_run_queues) from [&lt;80198e60&gt;] (hrtimer_run_queues+0xb8/0xf0)
  [&lt;80198da8&gt;] (hrtimer_run_queues) from [&lt;801973e8&gt;] (run_local_timers+0x28/0x64)
  [&lt;801973c0&gt;] (run_local_timers) from [&lt;80197460&gt;] (update_process_times+0x3c/0x6c)
  [&lt;80197424&gt;] (update_process_times) from [&lt;801ab2b8&gt;] (tick_nohz_handler+0xe0/0x1bc)
  [&lt;801ab1d8&gt;] (tick_nohz_handler) from [&lt;80843050&gt;] (arch_timer_handler_virt+0x38/0x48)
  [&lt;80843018&gt;] (arch_timer_handler_virt) from [&lt;80180a64&gt;] (handle_percpu_devid_irq+0x8c/0x240)
  [&lt;801809d8&gt;] (handle_percpu_devid_irq) from [&lt;8017ac20&gt;] (generic_handle_irq+0x34/0x44)
  [&lt;8017abec&gt;] (generic_handle_irq) from [&lt;8017b344&gt;] (__handle_domain_irq+0x6c/0xc4)
  [&lt;8017b2d8&gt;] (__handle_domain_irq) from [&lt;801022e0&gt;] (gic_handle_irq+0x4c/0x88)
  [&lt;80102294&gt;] (gic_handle_irq) from [&lt;80101a30&gt;] (__irq_svc+0x70/0x98)
  [&lt;802b8794&gt;] (generic_fillattr) from [&lt;8056b284&gt;] (v9fs_vfs_getattr_dotl+0x74/0xa4)
  [&lt;8056b210&gt;] (v9fs_vfs_getattr_dotl) from [&lt;802b8904&gt;] (vfs_getattr_nosec+0x68/0x7c)
  [&lt;802b889c&gt;] (vfs_getattr_nosec) from [&lt;802b895c&gt;] (vfs_getattr+0x44/0x48)
  [&lt;802b8918&gt;] (vfs_getattr) from [&lt;802b8a74&gt;] (vfs_statx+0x9c/0xec)
  [&lt;802b89d8&gt;] (vfs_statx) from [&lt;802b9428&gt;] (sys_lstat64+0x48/0x78)
  [&lt;802b93e0&gt;] (sys_lstat64) from [&lt;80101000&gt;] (ret_fast_syscall+0x0/0x28)

[dominique.martinet@cea.fr: updated comment to not refer to a function
in another subsystem]
Link: http://lkml.kernel.org/r/20190124063514.8571-2-houtao1@huawei.com
Cc: stable@vger.kernel.org
Fixes: 7549ae3e81cc ("9p: Use the i_size_[read, write]() macros instead of using inode-&gt;i_size directly.")
Reported-by: Xing Gaopeng &lt;xingaopeng@huawei.com&gt;
Signed-off-by: Hou Tao &lt;houtao1@huawei.com&gt;
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f upstream.

Use inode-&gt;i_lock to protect i_size_write(), else i_size_read() in
generic_fillattr() may loop infinitely in read_seqcount_begin() when
multiple processes invoke v9fs_vfs_getattr() or v9fs_vfs_getattr_dotl()
simultaneously under 32-bit SMP environment, and a soft lockup will be
triggered as shown below:

  watchdog: BUG: soft lockup - CPU#5 stuck for 22s! [stat:2217]
  Modules linked in:
  CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4
  Hardware name: Generic DT based system
  PC is at generic_fillattr+0x104/0x108
  LR is at 0xec497f00
  pc : [&lt;802b8898&gt;]    lr : [&lt;ec497f00&gt;]    psr: 200c0013
  sp : ec497e20  ip : ed608030  fp : ec497e3c
  r10: 00000000  r9 : ec497f00  r8 : ed608030
  r7 : ec497ebc  r6 : ec497f00  r5 : ee5c1550  r4 : ee005780
  r3 : 0000052d  r2 : 00000000  r1 : ec497f00  r0 : ed608030
  Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
  Control: 10c5387d  Table: ac48006a  DAC: 00000051
  CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4
  Hardware name: Generic DT based system
  Backtrace:
  [&lt;8010d974&gt;] (dump_backtrace) from [&lt;8010dc88&gt;] (show_stack+0x20/0x24)
  [&lt;8010dc68&gt;] (show_stack) from [&lt;80a1d194&gt;] (dump_stack+0xb0/0xdc)
  [&lt;80a1d0e4&gt;] (dump_stack) from [&lt;80109f34&gt;] (show_regs+0x1c/0x20)
  [&lt;80109f18&gt;] (show_regs) from [&lt;801d0a80&gt;] (watchdog_timer_fn+0x280/0x2f8)
  [&lt;801d0800&gt;] (watchdog_timer_fn) from [&lt;80198658&gt;] (__hrtimer_run_queues+0x18c/0x380)
  [&lt;801984cc&gt;] (__hrtimer_run_queues) from [&lt;80198e60&gt;] (hrtimer_run_queues+0xb8/0xf0)
  [&lt;80198da8&gt;] (hrtimer_run_queues) from [&lt;801973e8&gt;] (run_local_timers+0x28/0x64)
  [&lt;801973c0&gt;] (run_local_timers) from [&lt;80197460&gt;] (update_process_times+0x3c/0x6c)
  [&lt;80197424&gt;] (update_process_times) from [&lt;801ab2b8&gt;] (tick_nohz_handler+0xe0/0x1bc)
  [&lt;801ab1d8&gt;] (tick_nohz_handler) from [&lt;80843050&gt;] (arch_timer_handler_virt+0x38/0x48)
  [&lt;80843018&gt;] (arch_timer_handler_virt) from [&lt;80180a64&gt;] (handle_percpu_devid_irq+0x8c/0x240)
  [&lt;801809d8&gt;] (handle_percpu_devid_irq) from [&lt;8017ac20&gt;] (generic_handle_irq+0x34/0x44)
  [&lt;8017abec&gt;] (generic_handle_irq) from [&lt;8017b344&gt;] (__handle_domain_irq+0x6c/0xc4)
  [&lt;8017b2d8&gt;] (__handle_domain_irq) from [&lt;801022e0&gt;] (gic_handle_irq+0x4c/0x88)
  [&lt;80102294&gt;] (gic_handle_irq) from [&lt;80101a30&gt;] (__irq_svc+0x70/0x98)
  [&lt;802b8794&gt;] (generic_fillattr) from [&lt;8056b284&gt;] (v9fs_vfs_getattr_dotl+0x74/0xa4)
  [&lt;8056b210&gt;] (v9fs_vfs_getattr_dotl) from [&lt;802b8904&gt;] (vfs_getattr_nosec+0x68/0x7c)
  [&lt;802b889c&gt;] (vfs_getattr_nosec) from [&lt;802b895c&gt;] (vfs_getattr+0x44/0x48)
  [&lt;802b8918&gt;] (vfs_getattr) from [&lt;802b8a74&gt;] (vfs_statx+0x9c/0xec)
  [&lt;802b89d8&gt;] (vfs_statx) from [&lt;802b9428&gt;] (sys_lstat64+0x48/0x78)
  [&lt;802b93e0&gt;] (sys_lstat64) from [&lt;80101000&gt;] (ret_fast_syscall+0x0/0x28)

[dominique.martinet@cea.fr: updated comment to not refer to a function
in another subsystem]
Link: http://lkml.kernel.org/r/20190124063514.8571-2-houtao1@huawei.com
Cc: stable@vger.kernel.org
Fixes: 7549ae3e81cc ("9p: Use the i_size_[read, write]() macros instead of using inode-&gt;i_size directly.")
Reported-by: Xing Gaopeng &lt;xingaopeng@huawei.com&gt;
Signed-off-by: Hou Tao &lt;houtao1@huawei.com&gt;
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>v9fs_dir_readdir: fix double-free on p9stat_read error</title>
<updated>2018-12-01T08:44:18+00:00</updated>
<author>
<name>Dominique Martinet</name>
<email>dominique.martinet@cea.fr</email>
</author>
<published>2018-08-27T06:12:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3a0e8e3587454c5f1c02b8450a4b71e517a7a1be'/>
<id>3a0e8e3587454c5f1c02b8450a4b71e517a7a1be</id>
<content type='text'>
commit 81c99089bce693b94b775b6eb888115d2d540086 upstream.

p9stat_read will call p9stat_free on error, we should only free the
struct content on success.

There also is no need to "p9stat_init" st as the read function will
zero the whole struct for us anyway, so clean up the code a bit while
we are here.

Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 81c99089bce693b94b775b6eb888115d2d540086 upstream.

p9stat_read will call p9stat_free on error, we should only free the
struct content on success.

There also is no need to "p9stat_init" st as the read function will
zero the whole struct for us anyway, so clean up the code a bit while
we are here.

Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
