5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 Dec 2021 13:58:15 +0000 (14:58 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 Dec 2021 13:58:15 +0000 (14:58 +0100)
added patches:
ethtool-do-not-perform-operations-on-net-devices-being-unregistered.patch
fuse-make-sure-reclaim-doesn-t-write-the-inode.patch
hwmon-dell-smm-fix-warning-on-proc-i8k-creation-error.patch

queue-5.10/ethtool-do-not-perform-operations-on-net-devices-being-unregistered.patch [new file with mode: 0644]
queue-5.10/fuse-make-sure-reclaim-doesn-t-write-the-inode.patch [new file with mode: 0644]
queue-5.10/hwmon-dell-smm-fix-warning-on-proc-i8k-creation-error.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/ethtool-do-not-perform-operations-on-net-devices-being-unregistered.patch b/queue-5.10/ethtool-do-not-perform-operations-on-net-devices-being-unregistered.patch
new file mode 100644 (file)
index 0000000..bcffbcb
--- /dev/null
@@ -0,0 +1,62 @@
+From dde91ccfa25fd58f64c397d91b81a4b393100ffa Mon Sep 17 00:00:00 2001
+From: Antoine Tenart <atenart@kernel.org>
+Date: Fri, 3 Dec 2021 11:13:18 +0100
+Subject: ethtool: do not perform operations on net devices being unregistered
+
+From: Antoine Tenart <atenart@kernel.org>
+
+commit dde91ccfa25fd58f64c397d91b81a4b393100ffa upstream.
+
+There is a short period between a net device starts to be unregistered
+and when it is actually gone. In that time frame ethtool operations
+could still be performed, which might end up in unwanted or undefined
+behaviours[1].
+
+Do not allow ethtool operations after a net device starts its
+unregistration. This patch targets the netlink part as the ioctl one
+isn't affected: the reference to the net device is taken and the
+operation is executed within an rtnl lock section and the net device
+won't be found after unregister.
+
+[1] For example adding Tx queues after unregister ends up in NULL
+    pointer exceptions and UaFs, such as:
+
+      BUG: KASAN: use-after-free in kobject_get+0x14/0x90
+      Read of size 1 at addr ffff88801961248c by task ethtool/755
+
+      CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778
+      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/014
+      Call Trace:
+       dump_stack_lvl+0x57/0x72
+       print_address_description.constprop.0+0x1f/0x140
+       kasan_report.cold+0x7f/0x11b
+       kobject_get+0x14/0x90
+       kobject_add_internal+0x3d1/0x450
+       kobject_init_and_add+0xba/0xf0
+       netdev_queue_update_kobjects+0xcf/0x200
+       netif_set_real_num_tx_queues+0xb4/0x310
+       veth_set_channels+0x1c3/0x550
+       ethnl_set_channels+0x524/0x610
+
+Fixes: 041b1c5d4a53 ("ethtool: helper functions for netlink interface")
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Link: https://lore.kernel.org/r/20211203101318.435618-1-atenart@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ethtool/netlink.h |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ethtool/netlink.h
++++ b/net/ethtool/netlink.h
+@@ -249,6 +249,9 @@ struct ethnl_reply_data {
+ static inline int ethnl_ops_begin(struct net_device *dev)
+ {
++      if (dev && dev->reg_state == NETREG_UNREGISTERING)
++              return -ENODEV;
++
+       if (dev && dev->ethtool_ops->begin)
+               return dev->ethtool_ops->begin(dev);
+       else
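Review bot: The new guard in `ethnl_ops_begin()` tests `dev->reg_state` for equality with `NETREG_UNREGISTERING`, so a device that has already moved to a later teardown state would pass it. That is probably unreachable while the netlink request still holds its device reference, but the invariant is not visible in this hunk; a range test, `if (dev && dev->reg_state >= NETREG_UNREGISTERING)`, states the intent without relying on it. The check is also a one-time snapshot, so it closes the use-after-free window described in the changelog only if callers hold rtnl from this call until the operation finishes. That is presumably the case for the netlink set handlers and, once confirmed, deserves a short comment above the check saying so. The function body continues past the end of the hunk.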
diff --git a/queue-5.10/fuse-make-sure-reclaim-doesn-t-write-the-inode.patch b/queue-5.10/fuse-make-sure-reclaim-doesn-t-write-the-inode.patch
new file mode 100644 (file)
index 0000000..55ccbe5
--- /dev/null
@@ -0,0 +1,122 @@
+From 5c791fe1e2a4f401f819065ea4fc0450849f1818 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 22 Oct 2021 17:03:01 +0200
+Subject: fuse: make sure reclaim doesn't write the inode
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 5c791fe1e2a4f401f819065ea4fc0450849f1818 upstream.
+
+In writeback cache mode mtime/ctime updates are cached, and flushed to the
+server using the ->write_inode() callback.
+
+Closing the file will result in a dirty inode being immediately written,
+but in other cases the inode can remain dirty after all references are
+dropped.  This result in the inode being written back from reclaim, which
+can deadlock on a regular allocation while the request is being served.
+
+The usual mechanisms (GFP_NOFS/PF_MEMALLOC*) don't work for FUSE, because
+serving a request involves unrelated userspace process(es).
+
+Instead do the same as for dirty pages: make sure the inode is written
+before the last reference is gone.
+
+ - fallocate(2)/copy_file_range(2): these call file_update_time() or
+   file_modified(), so flush the inode before returning from the call
+
+ - unlink(2), link(2) and rename(2): these call fuse_update_ctime(), so
+   flush the ctime directly from this helper
+
+Reported-by: chenguanyou <chenguanyou@xiaomi.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Cc: Ed Tsai <ed.tsai@mediatek.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dir.c    |    8 ++++++++
+ fs/fuse/file.c   |   15 +++++++++++++++
+ fs/fuse/fuse_i.h |    1 +
+ fs/fuse/inode.c  |    3 +++
+ 4 files changed, 27 insertions(+)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -791,11 +791,19 @@ static int fuse_symlink(struct inode *di
+       return create_new_entry(fm, &args, dir, entry, S_IFLNK);
+ }
++void fuse_flush_time_update(struct inode *inode)
++{
++      int err = sync_inode_metadata(inode, 1);
++
++      mapping_set_error(inode->i_mapping, err);
++}
++
+ void fuse_update_ctime(struct inode *inode)
+ {
+       if (!IS_NOCMTIME(inode)) {
+               inode->i_ctime = current_time(inode);
+               mark_inode_dirty_sync(inode);
++              fuse_flush_time_update(inode);
+       }
+ }
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1849,6 +1849,17 @@ int fuse_write_inode(struct inode *inode
+       struct fuse_file *ff;
+       int err;
++      /*
++       * Inode is always written before the last reference is dropped and
++       * hence this should not be reached from reclaim.
++       *
++       * Writing back the inode from reclaim can deadlock if the request
++       * processing itself needs an allocation.  Allocations triggering
++       * reclaim while serving a request can't be prevented, because it can
++       * involve any number of unrelated userspace processes.
++       */
++      WARN_ON(wbc->for_reclaim);
++
+       ff = __fuse_write_file_get(fc, fi);
+       err = fuse_flush_times(inode, ff);
+       if (ff)
+@@ -3338,6 +3349,8 @@ out:
+       if (lock_inode)
+               inode_unlock(inode);
++      fuse_flush_time_update(inode);
++
+       return err;
+ }
+@@ -3447,6 +3460,8 @@ out:
+       inode_unlock(inode_out);
+       file_accessed(file_in);
++      fuse_flush_time_update(inode_out);
++
+       return err;
+ }
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -1113,6 +1113,7 @@ int fuse_allow_current_process(struct fu
+ u64 fuse_lock_owner_id(struct fuse_conn *fc, fl_owner_t id);
++void fuse_flush_time_update(struct inode *inode);
+ void fuse_update_ctime(struct inode *inode);
+ int fuse_update_attributes(struct inode *inode, struct file *file);
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -119,6 +119,9 @@ static void fuse_evict_inode(struct inod
+ {
+       struct fuse_inode *fi = get_fuse_inode(inode);
++      /* Will write inode on close/munmap and in all other dirtiers */
++      WARN_ON(inode->i_state & I_DIRTY_INODE);
++
+       truncate_inode_pages_final(&inode->i_data);
+       clear_inode(inode);
+       if (inode->i_sb->s_flags & SB_ACTIVE) {
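Review bot: The two `WARN_ON()` assertions added in `fuse_write_inode()` and `fuse_evict_inode()` hold only if every path that dirties a FUSE inode also flushes it. This patch adds the flush only to `fuse_update_ctime()`, the fallocate path and the copy_file_range path, while the close/munmap flush named in the new comment is not part of it, so the 5.10 tree should be checked for that prerequisite before queuing. If a dirtier is missed, the warning becomes reachable from ordinary filesystem activity on a FUSE mount; `WARN_ON_ONCE(wbc->for_reclaim);` and `WARN_ON_ONCE(inode->i_state & I_DIRTY_INODE);` would bound the log volume, though a system running with `panic_on_warn` still stops on the first hit. Separately, `fuse_flush_time_update()` should carry a comment saying that the writeback error is deliberately recorded with `mapping_set_error()` instead of being returned, because both call sites in file.c return `err` unchanged after calling it. All of the touched functions begin or end outside the quoted hunks.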
diff --git a/queue-5.10/hwmon-dell-smm-fix-warning-on-proc-i8k-creation-error.patch b/queue-5.10/hwmon-dell-smm-fix-warning-on-proc-i8k-creation-error.patch
new file mode 100644 (file)
index 0000000..b1ffb2d
--- /dev/null
@@ -0,0 +1,53 @@
+From dbd3e6eaf3d813939b28e8a66e29d81cdc836445 Mon Sep 17 00:00:00 2001
+From: Armin Wolf <W_Armin@gmx.de>
+Date: Fri, 12 Nov 2021 18:14:40 +0100
+Subject: hwmon: (dell-smm) Fix warning on /proc/i8k creation error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+commit dbd3e6eaf3d813939b28e8a66e29d81cdc836445 upstream.
+
+The removal function is called regardless of whether
+/proc/i8k was created successfully or not, the later
+causing a WARN() on module removal.
+Fix that by only registering the removal function
+if /proc/i8k was created successfully.
+
+Tested on a Inspiron 3505.
+
+Fixes: 039ae58503f3 ("hwmon: Allow to compile dell-smm-hwmon driver without /proc/i8k")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Acked-by: Pali Rohár <pali@kernel.org>
+Link: https://lore.kernel.org/r/20211112171440.59006-1-W_Armin@gmx.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/dell-smm-hwmon.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/dell-smm-hwmon.c
++++ b/drivers/hwmon/dell-smm-hwmon.c
+@@ -603,15 +603,18 @@ static const struct proc_ops i8k_proc_op
+       .proc_ioctl     = i8k_ioctl,
+ };
++static struct proc_dir_entry *entry;
++
+ static void __init i8k_init_procfs(void)
+ {
+       /* Register the proc entry */
+-      proc_create("i8k", 0, NULL, &i8k_proc_ops);
++      entry = proc_create("i8k", 0, NULL, &i8k_proc_ops);
+ }
+ static void __exit i8k_exit_procfs(void)
+ {
+-      remove_proc_entry("i8k", NULL);
++      if (entry)
++              remove_proc_entry("i8k", NULL);
+ }
+ #else
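Review bot: The new file-scope variable `entry` in dell-smm-hwmon.c has a very generic name for a static that lives as long as the module; `static struct proc_dir_entry *i8k_proc_entry;` would be easier to grep and harder to shadow with a local. With the pointer saved, `i8k_exit_procfs()` can drop both the name lookup and the explicit guard by calling `proc_remove(entry);`, which does nothing when the entry is NULL. A failed `proc_create()` in `i8k_init_procfs()` is still silent, so a `pr_warn()` on the NULL return would tell the user why /proc/i8k is missing.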
index 0dbf6026bf7a18afbe74a18b9d199deb7e4d9356..97195d451e0c91c2932848a60f2a35a3bba89055 100644 (file)
@@ -15,3 +15,6 @@ tracing-fix-a-kmemleak-false-positive-in-tracing_map.patch
 kvm-x86-ignore-sparse-banks-size-for-an-all-cpus-non-sparse-ipi-req.patch
 staging-most-dim2-use-device-release-method.patch
 bpf-fix-integer-overflow-in-argument-calculation-for-bpf_map_area_alloc.patch
+fuse-make-sure-reclaim-doesn-t-write-the-inode.patch
+hwmon-dell-smm-fix-warning-on-proc-i8k-creation-error.patch
+ethtool-do-not-perform-operations-on-net-devices-being-unregistered.patch