6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 17 Apr 2025 17:38:37 +0000 (19:38 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 17 Apr 2025 17:38:37 +0000 (19:38 +0200)
added patches:
bluetooth-hci_uart-fix-another-race-during-initialization.patch
s390-cpumf-fix-double-free-on-error-in-cpumf_pmu_event_init.patch

queue-6.12/bluetooth-hci_uart-fix-another-race-during-initialization.patch [new file with mode: 0644]
queue-6.12/s390-cpumf-fix-double-free-on-error-in-cpumf_pmu_event_init.patch [new file with mode: 0644]
queue-6.12/series

diff --git a/queue-6.12/bluetooth-hci_uart-fix-another-race-during-initialization.patch b/queue-6.12/bluetooth-hci_uart-fix-another-race-during-initialization.patch
new file mode 100644 (file)
index 0000000..1cda9fc
--- /dev/null
@@ -0,0 +1,134 @@
+From 5df5dafc171b90d0b8d51547a82657cd5a1986c7 Mon Sep 17 00:00:00 2001
+From: Arseniy Krasnov <avkrasnov@salutedevices.com>
+Date: Wed, 12 Feb 2025 18:59:46 +0300
+Subject: Bluetooth: hci_uart: Fix another race during initialization
+
+From: Arseniy Krasnov <avkrasnov@salutedevices.com>
+
+commit 5df5dafc171b90d0b8d51547a82657cd5a1986c7 upstream.
+
+Do not set 'HCI_UART_PROTO_READY' before call 'hci_uart_register_dev()'.
+Possible race is when someone calls 'hci_tty_uart_close()' after this bit
+is set, but 'hci_uart_register_dev()' wasn't done. This leads to access
+to uninitialized fields. To fix it let's set this bit after device was
+registered (as before patch c411c62cc133) and to fix previous problem let's
+add one more bit in addition to 'HCI_UART_PROTO_READY' which allows to
+perform power up without original bit set (pls see commit c411c62cc133).
+
+Crash backtrace from syzbot report:
+
+RIP: 0010:skb_queue_empty_lockless include/linux/skbuff.h:1887 [inline]
+RIP: 0010:skb_queue_purge_reason+0x6d/0x140 net/core/skbuff.c:3936
+
+Call Trace:
+ <TASK>
+ skb_queue_purge include/linux/skbuff.h:3364 [inline]
+ mrvl_close+0x2f/0x90 drivers/bluetooth/hci_mrvl.c:100
+ hci_uart_tty_close+0xb6/0x120 drivers/bluetooth/hci_ldisc.c:557
+ tty_ldisc_close drivers/tty/tty_ldisc.c:455 [inline]
+ tty_ldisc_kill+0x66/0xc0 drivers/tty/tty_ldisc.c:613
+ tty_ldisc_release+0xc9/0x120 drivers/tty/tty_ldisc.c:781
+ tty_release_struct+0x10/0x80 drivers/tty/tty_io.c:1690
+ tty_release+0x4ef/0x640 drivers/tty/tty_io.c:1861
+ __fput+0x86/0x2a0 fs/file_table.c:450
+ task_work_run+0x82/0xb0 kernel/task_work.c:239
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
+ exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
+ syscall_exit_to_user_mode+0xa3/0x1b0 kernel/entry/common.c:218
+ do_syscall_64+0x9a/0x190 arch/x86/entry/common.c:89
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
+Reported-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
+Tested-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-bluetooth/d159c57f-8490-4c26-79da-6ad3612c4a14@salutedevices.com/
+Fixes: 366ceff495f9 ("Bluetooth: hci_uart: fix race during initialization")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/hci_ldisc.c |   20 ++++++++++++++------
+ drivers/bluetooth/hci_uart.h  |    1 +
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -102,7 +102,8 @@ static inline struct sk_buff *hci_uart_d
+       if (!skb) {
+               percpu_down_read(&hu->proto_lock);
+-              if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
++              if (test_bit(HCI_UART_PROTO_READY, &hu->flags) ||
++                  test_bit(HCI_UART_PROTO_INIT, &hu->flags))
+                       skb = hu->proto->dequeue(hu);
+               percpu_up_read(&hu->proto_lock);
+@@ -124,7 +125,8 @@ int hci_uart_tx_wakeup(struct hci_uart *
+       if (!percpu_down_read_trylock(&hu->proto_lock))
+               return 0;
+-      if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
++      if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
++          !test_bit(HCI_UART_PROTO_INIT, &hu->flags))
+               goto no_schedule;
+       set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state);
+@@ -278,7 +280,8 @@ static int hci_uart_send_frame(struct hc
+       percpu_down_read(&hu->proto_lock);
+-      if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
++      if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
++          !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) {
+               percpu_up_read(&hu->proto_lock);
+               return -EUNATCH;
+       }
+@@ -585,7 +588,8 @@ static void hci_uart_tty_wakeup(struct t
+       if (tty != hu->tty)
+               return;
+-      if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
++      if (test_bit(HCI_UART_PROTO_READY, &hu->flags) ||
++          test_bit(HCI_UART_PROTO_INIT, &hu->flags))
+               hci_uart_tx_wakeup(hu);
+ }
+@@ -611,7 +615,8 @@ static void hci_uart_tty_receive(struct
+       percpu_down_read(&hu->proto_lock);
+-      if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
++      if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
++          !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) {
+               percpu_up_read(&hu->proto_lock);
+               return;
+       }
+@@ -707,13 +712,16 @@ static int hci_uart_set_proto(struct hci
+       hu->proto = p;
+-      set_bit(HCI_UART_PROTO_READY, &hu->flags);
++      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
+       err = hci_uart_register_dev(hu);
+       if (err) {
+               return err;
+       }
++      set_bit(HCI_UART_PROTO_READY, &hu->flags);
++      clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
++
+       return 0;
+ }
+--- a/drivers/bluetooth/hci_uart.h
++++ b/drivers/bluetooth/hci_uart.h
+@@ -90,6 +90,7 @@ struct hci_uart {
+ #define HCI_UART_REGISTERED           1
+ #define HCI_UART_PROTO_READY          2
+ #define HCI_UART_NO_SUSPEND_NOTIFIER  3
++#define HCI_UART_PROTO_INIT           4
+ /* TX states  */
+ #define HCI_UART_SENDING      1
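Review bot: The error path in the hci_uart_set_proto() hunk returns with HCI_UART_PROTO_INIT still set, so after a failed hci_uart_register_dev() the callbacks this patch extends (hci_uart_tty_receive(), hci_uart_tty_wakeup(), hci_uart_send_frame(), hci_uart_tx_wakeup()) keep treating hu->proto as usable through the new INIT test, while the close path, which per the commit message keys on PROTO_READY only, will not tear it down. Whether that window is reachable depends on what hci_uart_register_dev() does on failure, which is outside the hunk, but a `clear_bit(HCI_UART_PROTO_INIT, &hu->flags);` before `return err;` would bound the transient state to the register call on every path. The new flag in hci_uart.h also deserves a one-line comment next to its definition, e.g. `/* proto opened, hdev registration in progress: allow TX/RX paths only */`, since the reason it exists is otherwise recorded only in the commit message.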
diff --git a/queue-6.12/s390-cpumf-fix-double-free-on-error-in-cpumf_pmu_event_init.patch b/queue-6.12/s390-cpumf-fix-double-free-on-error-in-cpumf_pmu_event_init.patch
new file mode 100644 (file)
index 0000000..65259b8
--- /dev/null
@@ -0,0 +1,119 @@
+From aa1ac98268cd1f380c713f07e39b1fa1d5c7650c Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Wed, 9 Apr 2025 10:03:53 +0200
+Subject: s390/cpumf: Fix double free on error in cpumf_pmu_event_init()
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+commit aa1ac98268cd1f380c713f07e39b1fa1d5c7650c upstream.
+
+In PMU event initialization functions
+ - cpumsf_pmu_event_init()
+ - cpumf_pmu_event_init()
+ - cfdiag_event_init()
+the partially created event had to be removed when an error was detected.
+The event::event_init() member function had to release all resources
+it allocated in case of error. event::destroy() had to be called
+on freeing an event after it was successfully created and
+event::event_init() returned success.
+
+With
+
+commit c70ca298036c ("perf/core: Simplify the perf_event_alloc() error path")
+
+this is not necessary anymore. The performance subsystem common
+code now always calls event::destroy() to clean up the allocated
+resources created during event initialization.
+
+Remove the event::destroy() invocation in PMU event initialization
+or that function is called twice for each event that runs into an
+error condition in event creation.
+
+This is the kernel log entry which shows up without the fix:
+
+------------[ cut here ]------------
+refcount_t: underflow; use-after-free.
+WARNING: CPU: 0 PID: 43388 at lib/refcount.c:87        refcount_dec_not_one+0x74/0x90
+CPU: 0 UID: 0 PID: 43388 Comm: perf Not tainted 6.15.0-20250407.rc1.git0.300.fc41.s390x+git #1 NONE
+Hardware name: IBM 3931 A01 704 (LPAR)
+Krnl PSW : 0704c00180000000 00000209cb2c1b88 (refcount_dec_not_one+0x78/0x90)
+           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
+Krnl GPRS: 0000020900000027 0000020900000023 0000000000000026 0000018900000000
+           00000004a2200a00 0000000000000000 0000000000000057 ffffffffffffffea
+           00000002b386c600 00000002b3f5b3e0 00000209cc51f140 00000209cc7fc550
+           0000000001449d38 ffffffffffffffff 00000209cb2c1b84 00000189d67dfb80
+Krnl Code: 00000209cb2c1b78: c02000506727      larl    %r2,00000209cbcce9c6
+           00000209cb2c1b7e: c0e5ffbd4431      brasl   %r14,00000209caa6a3e0
+          #00000209cb2c1b84: af000000          mc      0,0
+          >00000209cb2c1b88: a7480001          lhi     %r4,1
+           00000209cb2c1b8c: ebeff0a00004      lmg     %r14,%r15,160(%r15)
+           00000209cb2c1b92: ec243fbf0055      risbg   %r2,%r4,63,191,0
+           00000209cb2c1b98: 07fe              bcr     15,%r14
+           00000209cb2c1b9a: 47000700          bc      0,1792
+Call Trace:
+ [<00000209cb2c1b88>] refcount_dec_not_one+0x78/0x90
+ [<00000209cb2c1dc4>] refcount_dec_and_mutex_lock+0x24/0x90
+ [<00000209caa3c29e>] hw_perf_event_destroy+0x2e/0x80
+ [<00000209cacaf8b4>] __free_event+0x74/0x270
+ [<00000209cacb47c4>] perf_event_alloc.part.0+0x4a4/0x730
+ [<00000209cacbf3e8>] __do_sys_perf_event_open+0x248/0xc20
+ [<00000209cacc14a4>] __s390x_sys_perf_event_open+0x44/0x50
+ [<00000209cb8114de>] __do_syscall+0x12e/0x260
+ [<00000209cb81ce34>] system_call+0x74/0x98
+Last Breaking-Event-Address:
+ [<00000209caa6a4d2>] __warn_printk+0xf2/0x100
+---[ end trace 0000000000000000 ]---
+
+Fixes: c70ca298036c ("perf/core: Simplify the perf_event_alloc() error path")
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/perf_cpum_cf.c |    9 +--------
+ arch/s390/kernel/perf_cpum_sf.c |    3 ---
+ 2 files changed, 1 insertion(+), 11 deletions(-)
+
+--- a/arch/s390/kernel/perf_cpum_cf.c
++++ b/arch/s390/kernel/perf_cpum_cf.c
+@@ -858,18 +858,13 @@ static int cpumf_pmu_event_type(struct p
+ static int cpumf_pmu_event_init(struct perf_event *event)
+ {
+       unsigned int type = event->attr.type;
+-      int err;
++      int err = -ENOENT;
+       if (type == PERF_TYPE_HARDWARE || type == PERF_TYPE_RAW)
+               err = __hw_perf_event_init(event, type);
+       else if (event->pmu->type == type)
+               /* Registered as unknown PMU */
+               err = __hw_perf_event_init(event, cpumf_pmu_event_type(event));
+-      else
+-              return -ENOENT;
+-
+-      if (unlikely(err) && event->destroy)
+-              event->destroy(event);
+       return err;
+ }
+@@ -1819,8 +1814,6 @@ static int cfdiag_event_init(struct perf
+       event->destroy = hw_perf_event_destroy;
+       err = cfdiag_event_init2(event);
+-      if (unlikely(err))
+-              event->destroy(event);
+ out:
+       return err;
+ }
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -898,9 +898,6 @@ static int cpumsf_pmu_event_init(struct
+               event->attr.exclude_idle = 0;
+       err = __hw_perf_event_init(event);
+-      if (unlikely(err))
+-              if (event->destroy)
+-                      event->destroy(event);
+       return err;
+ }
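Review bot: Dropping the event->destroy() calls in cpumf_pmu_event_init(), cfdiag_event_init() and cpumsf_pmu_event_init() is only correct on a tree that already carries c70ca298036c ("perf/core: Simplify the perf_event_alloc() error path"), the commit named in the patch's Fixes: tag; on a tree without it, an error return from event_init() would no longer release what __hw_perf_event_init()/cfdiag_event_init2() set up and the double free turns into a leak. Nothing in this commit shows whether queue-6.12 contains that prerequisite, so the stable cover text should record the dependency explicitly, e.g. `Depends on: c70ca298036c ("perf/core: Simplify the perf_event_alloc() error path")`. The `int err = -ENOENT;` initialisation in cpumf_pmu_event_init() replaces the removed `else return -ENOENT;` and keeps the unmatched-type result unchanged. cfdiag_event_init() and cpumsf_pmu_event_init() both begin outside their hunks, so the allocation each one performs before the removed lines cannot be checked here.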
index f753b66e7af91b61d0c582b29162cf70f0349b22..c458ac7cac1df5ad1707048ebff2b4800518e80f 100644 (file)
@@ -389,3 +389,5 @@ x86-e820-fix-handling-of-subpage-regions-when-calculating-nosave-ranges-in-e820_
 libbpf-prevent-compiler-warnings-errors.patch
 kbuild-add-fno-builtin-wcslen.patch
 media-mediatek-vcodec-mark-vdec_vp9_slice_map_counts_eob_coef-noinline.patch
+bluetooth-hci_uart-fix-another-race-during-initialization.patch
+s390-cpumf-fix-double-free-on-error-in-cpumf_pmu_event_init.patch