--- /dev/null
+From 12eb22a5a609421b380c3c6ca887474fb2089b2c Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Wed, 20 Nov 2024 16:43:51 +0100
+Subject: ceph: validate snapdirname option length when mounting
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 12eb22a5a609421b380c3c6ca887474fb2089b2c upstream.
+
+It becomes a path component, so it shouldn't exceed NAME_MAX
+characters. This was hardened in commit c152737be22b ("ceph: Use
+strscpy() instead of strcpy() in __get_snap_name()"), but no actual
+check was put in place.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Alex Markuze <amarkuze@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -301,6 +301,8 @@ static int ceph_parse_mount_param(struct
+
+ switch (token) {
+ case Opt_snapdirname:
++ if (strlen(param->string) > NAME_MAX)
++ return invalfc(fc, "snapdirname too long");
+ kfree(fsopt->snapdir_name);
+ fsopt->snapdir_name = param->string;
+ param->string = NULL;
--- /dev/null
+From 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 16 Dec 2024 19:28:06 -0500
+Subject: NFS/pnfs: Fix a live lock between recalled layouts and layoutget
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b upstream.
+
+When the server is recalling a layout, we should ignore the count of
+outstanding layoutget calls, since the server is expected to return
+either NFS4ERR_RECALLCONFLICT or NFS4ERR_RETURNCONFLICT for as long as
+the recall is outstanding.
+Currently, we may end up livelocking, causing the layout to eventually
+be forcibly revoked.
+
+Fixes: bf0291dd2267 ("pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised")
+Cc: stable@vger.kernel.org
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pnfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1193,7 +1193,7 @@ pnfs_prepare_layoutreturn(struct pnfs_la
+ enum pnfs_iomode *iomode)
+ {
+ /* Serialise LAYOUTGET/LAYOUTRETURN */
+- if (atomic_read(&lo->plh_outstanding) != 0)
++ if (atomic_read(&lo->plh_outstanding) != 0 && lo->plh_return_seq == 0)
+ return false;
+ if (test_and_set_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags))
+ return false;
--- /dev/null
+From 901ce9705fbb9f330ff1f19600e5daf9770b0175 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Mon, 9 Dec 2024 15:56:52 +0900
+Subject: nilfs2: prevent use of deleted inode
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit 901ce9705fbb9f330ff1f19600e5daf9770b0175 upstream.
+
+syzbot reported a WARNING in nilfs_rmdir. [1]
+
+Because the inode bitmap is corrupted, an inode with an inode number that
+should exist as a ".nilfs" file was reassigned by nilfs_mkdir for "file0",
+causing an inode duplication during execution. And this causes an
+underflow of i_nlink in rmdir operations.
+
+The inode is used twice by the same task to unmount and remove directories
+".nilfs" and "file0", it trigger warning in nilfs_rmdir.
+
+Avoid to this issue, check i_nlink in nilfs_iget(), if it is 0, it means
+that this inode has been deleted, and iput is executed to reclaim it.
+
+[1]
+WARNING: CPU: 1 PID: 5824 at fs/inode.c:407 drop_nlink+0xc4/0x110 fs/inode.c:407
+...
+Call Trace:
+ <TASK>
+ nilfs_rmdir+0x1b0/0x250 fs/nilfs2/namei.c:342
+ vfs_rmdir+0x3a3/0x510 fs/namei.c:4394
+ do_rmdir+0x3b5/0x580 fs/namei.c:4453
+ __do_sys_rmdir fs/namei.c:4472 [inline]
+ __se_sys_rmdir fs/namei.c:4470 [inline]
+ __x64_sys_rmdir+0x47/0x50 fs/namei.c:4470
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Link: https://lkml.kernel.org/r/20241209065759.6781-1-konishi.ryusuke@gmail.com
+Fixes: d25006523d0b ("nilfs2: pathname operations")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9260555647a5132edd48
+Tested-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/inode.c | 8 +++++++-
+ fs/nilfs2/namei.c | 5 +++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -618,8 +618,14 @@ struct inode *nilfs_iget(struct super_bl
+ inode = nilfs_iget_locked(sb, root, ino);
+ if (unlikely(!inode))
+ return ERR_PTR(-ENOMEM);
+- if (!(inode->i_state & I_NEW))
++
++ if (!(inode->i_state & I_NEW)) {
++ if (!inode->i_nlink) {
++ iput(inode);
++ return ERR_PTR(-ESTALE);
++ }
+ return inode;
++ }
+
+ err = __nilfs_read_inode(sb, root, ino, inode);
+ if (unlikely(err)) {
+--- a/fs/nilfs2/namei.c
++++ b/fs/nilfs2/namei.c
+@@ -67,6 +67,11 @@ nilfs_lookup(struct inode *dir, struct d
+ inode = NULL;
+ } else {
+ inode = nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino);
++ if (inode == ERR_PTR(-ESTALE)) {
++ nilfs_error(dir->i_sb,
++ "deleted inode referenced: %lu", ino);
++ return ERR_PTR(-EIO);
++ }
+ }
+
+ return d_splice_alias(inode, dentry);
--- /dev/null
+From d7dfa7fde63dde4d2ec0083133efe2c6686c03ff Mon Sep 17 00:00:00 2001
+From: Herve Codina <herve.codina@bootlin.com>
+Date: Mon, 2 Dec 2024 17:58:19 +0100
+Subject: of: Fix error path in of_parse_phandle_with_args_map()
+
+From: Herve Codina <herve.codina@bootlin.com>
+
+commit d7dfa7fde63dde4d2ec0083133efe2c6686c03ff upstream.
+
+The current code uses some 'goto put;' to cancel the parsing operation
+and can lead to a return code value of 0 even on error cases.
+
+Indeed, some goto calls are done from a loop without setting the ret
+value explicitly before the goto call and so the ret value can be set to
+0 due to operation done in previous loop iteration. For instance match
+can be set to 0 in the previous loop iteration (leading to a new
+iteration) but ret can also be set to 0 it the of_property_read_u32()
+call succeed. In that case if no match are found or if an error is
+detected the new iteration, the return value can be wrongly 0.
+
+Avoid those cases setting the ret value explicitly before the goto
+calls.
+
+Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node")
+Cc: stable@vger.kernel.org
+Signed-off-by: Herve Codina <herve.codina@bootlin.com>
+Link: https://lore.kernel.org/r/20241202165819.158681-1-herve.codina@bootlin.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/base.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -1620,8 +1620,10 @@ int of_parse_phandle_with_args_map(const
+ map_len--;
+
+ /* Check if not found */
+- if (!new)
++ if (!new) {
++ ret = -EINVAL;
+ goto put;
++ }
+
+ if (!of_device_is_available(new))
+ match = 0;
+@@ -1631,17 +1633,20 @@ int of_parse_phandle_with_args_map(const
+ goto put;
+
+ /* Check for malformed properties */
+- if (WARN_ON(new_size > MAX_PHANDLE_ARGS))
+- goto put;
+- if (map_len < new_size)
++ if (WARN_ON(new_size > MAX_PHANDLE_ARGS) ||
++ map_len < new_size) {
++ ret = -EINVAL;
+ goto put;
++ }
+
+ /* Move forward by new node's #<list>-cells amount */
+ map += new_size;
+ map_len -= new_size;
+ }
+- if (!match)
++ if (!match) {
++ ret = -ENOENT;
+ goto put;
++ }
+
+ /* Get the <list>-map-pass-thru property (optional) */
+ pass = of_get_property(cur, pass_name, NULL);
--- /dev/null
+From 5d009e024056ded20c5bb1583146b833b23bbd5a Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Fri, 6 Dec 2024 08:52:30 +0800
+Subject: of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 5d009e024056ded20c5bb1583146b833b23bbd5a upstream.
+
+__of_get_dma_parent() returns OF device node @args.np, but the node's
+refcount is increased twice, by both of_parse_phandle_with_args() and
+of_node_get(), so causes refcount leakage for the node.
+
+Fix by directly returning the node got by of_parse_phandle_with_args().
+
+Fixes: f83a6e5dea6c ("of: address: Add support for the parent DMA bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20241206-of_core_fix-v1-4-dc28ed56bec3@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/address.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -594,7 +594,7 @@ static struct device_node *__of_get_dma_
+ if (ret < 0)
+ return of_get_parent(np);
+
+- return of_node_get(args.np);
++ return args.np;
+ }
+
+ static struct device_node *of_get_next_dma_parent(struct device_node *np)
--- /dev/null
+From 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Mon, 9 Dec 2024 21:25:02 +0800
+Subject: of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e upstream.
+
+of_irq_parse_one() may use uninitialized variable @addr_len as shown below:
+
+// @addr_len is uninitialized
+int addr_len;
+
+// This operation does not touch @addr_len if it fails.
+addr = of_get_property(device, "reg", &addr_len);
+
+// Use uninitialized @addr_len if the operation fails.
+if (addr_len > sizeof(addr_buf))
+ addr_len = sizeof(addr_buf);
+
+// Check the operation result here.
+if (addr)
+ memcpy(addr_buf, addr, addr_len);
+
+Fix by initializing @addr_len before the operation.
+
+Fixes: b739dffa5d57 ("of/irq: Prevent device address out-of-bounds read in interrupt map walk")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-4-782f1419c8a1@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -298,6 +298,7 @@ int of_irq_parse_one(struct device_node
+ return of_irq_parse_oldworld(device, index, out_irq);
+
+ /* Get the reg property (if any) */
++ addr_len = 0;
+ addr = of_get_property(device, "reg", &addr_len);
+
+ /* Prevent out-of-bounds read in case of longer interrupt parent address size */
tracing-fix-test_event_printk-to-process-entire-print-argument.patch
tracing-add-missing-helper-functions-in-event-pointer-dereference-check.patch
tracing-add-s-check-in-test_event_printk.patch
+nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch
+of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch
+nilfs2-prevent-use-of-deleted-inode.patch
+udmabuf-also-check-for-f_seal_future_write.patch
+of-fix-error-path-in-of_parse_phandle_with_args_map.patch
+of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch
+ceph-validate-snapdirname-option-length-when-mounting.patch
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- kernel/trace/trace_events.c | 104 +++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 89 insertions(+), 15 deletions(-)
+ kernel/trace/trace_events.c | 106 +++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 91 insertions(+), 15 deletions(-)
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
}
/* Look for a string within an argument */
-@@ -300,6 +312,53 @@ static bool process_pointer(const char *
+@@ -300,6 +312,55 @@ static bool process_pointer(const char *
return false;
}
+ */
+ s = fmt;
+ do {
++ int i;
++
+ r = strstr(s, "(");
+ if (!r || r >= e)
+ break;
-+ for (int i = 1; r - i >= s; i++) {
++ for (i = 1; r - i >= s; i++) {
+ char ch = *(r - i);
+ if (isspace(ch))
+ continue;
/*
* Examine the print fmt of the event looking for unsafe dereference
* pointers using %p* that could be recorded in the trace event and
-@@ -309,6 +368,7 @@ static bool process_pointer(const char *
+@@ -309,6 +370,7 @@ static bool process_pointer(const char *
static void test_event_printk(struct trace_event_call *call)
{
u64 dereference_flags = 0;
bool first = true;
const char *fmt;
int parens = 0;
-@@ -399,8 +459,16 @@ static void test_event_printk(struct tra
+@@ -399,8 +461,16 @@ static void test_event_printk(struct tra
star = true;
continue;
}
break;
}
break;
-@@ -447,7 +515,10 @@ static void test_event_printk(struct tra
+@@ -447,7 +517,10 @@ static void test_event_printk(struct tra
}
if (dereference_flags & (1ULL << arg)) {
dereference_flags &= ~(1ULL << arg);
}
-@@ -459,7 +530,10 @@ static void test_event_printk(struct tra
+@@ -459,7 +532,10 @@ static void test_event_printk(struct tra
}
if (dereference_flags & (1ULL << arg)) {
--- /dev/null
+From 0a16e24e34f28210f68195259456c73462518597 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 4 Dec 2024 17:26:20 +0100
+Subject: udmabuf: also check for F_SEAL_FUTURE_WRITE
+
+From: Jann Horn <jannh@google.com>
+
+commit 0a16e24e34f28210f68195259456c73462518597 upstream.
+
+When F_SEAL_FUTURE_WRITE was introduced, it was overlooked that udmabuf
+must reject memfds with this flag, just like ones with F_SEAL_WRITE.
+Fix it by adding F_SEAL_FUTURE_WRITE to SEALS_DENIED.
+
+Fixes: ab3948f58ff8 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd")
+Cc: stable@vger.kernel.org
+Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-2-23887289de1c@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma-buf/udmabuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -164,7 +164,7 @@ static const struct dma_buf_ops udmabuf_
+ };
+
+ #define SEALS_WANTED (F_SEAL_SHRINK)
+-#define SEALS_DENIED (F_SEAL_WRITE)
++#define SEALS_DENIED (F_SEAL_WRITE|F_SEAL_FUTURE_WRITE)
+
+ static long udmabuf_create(struct miscdevice *device,
+ struct udmabuf_create_list *head,
projects / thirdparty / kernel / stable-queue.git / commitdiff
