5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 Feb 2023 09:47:56 +0000 (10:47 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 Feb 2023 09:47:56 +0000 (10:47 +0100)
added patches:
nbd-fix-max-value-for-first_minor.patch
nbd-fix-possible-overflow-for-first_minor-in-nbd_dev_add.patch
nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_add.patch
revert-revert-block-nbd-add-sanity-check-for-first_minor.patch
uaccess-add-speculation-barrier-to-copy_from_user.patch

queue-5.10/nbd-fix-max-value-for-first_minor.patch [new file with mode: 0644]
queue-5.10/nbd-fix-possible-overflow-for-first_minor-in-nbd_dev_add.patch [new file with mode: 0644]
queue-5.10/nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_add.patch [new file with mode: 0644]
queue-5.10/revert-revert-block-nbd-add-sanity-check-for-first_minor.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/uaccess-add-speculation-barrier-to-copy_from_user.patch [new file with mode: 0644]

diff --git a/queue-5.10/nbd-fix-max-value-for-first_minor.patch b/queue-5.10/nbd-fix-max-value-for-first_minor.patch
new file mode 100644 (file)
index 0000000..36810d7
--- /dev/null
@@ -0,0 +1,62 @@
+From e4c4871a73944353ea23e319de27ef73ce546623 Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Tue, 2 Nov 2021 09:52:34 +0800
+Subject: nbd: fix max value for 'first_minor'
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit e4c4871a73944353ea23e319de27ef73ce546623 upstream.
+
+commit b1a811633f73 ("block: nbd: add sanity check for first_minor")
+checks that 'first_minor' should not be greater than 0xff, which is
+wrong. Whitout the commit, the details that when user pass 0x100000,
+it ends up create sysfs dir "/sys/block/43:0" are as follows:
+
+nbd_dev_add
+ disk->first_minor = index << part_shift
+  -> default part_shift is 5, first_minor is 0x2000000
+  device_add_disk
+   ddev->devt = MKDEV(disk->major, disk->first_minor)
+    -> (0x2b << 20) | (0x2000000) = 0x2b00000
+   device_add
+    device_create_sys_dev_entry
+        format_dev_t
+         sprintf(buffer, "%u:%u", MAJOR(dev), MINOR(dev));
+          -> got 43:0
+         sysfs_create_link -> /sys/block/43:0
+
+By the way, with the wrong fix, when part_shift is the default value,
+only 8 ndb devices can be created since 8 << 5 is greater than 0xff.
+
+Since the max bits for 'first_minor' should be the same as what
+MKDEV() does, which is 20. Change the upper bound of 'first_minor'
+from 0xff to 0xfffff.
+
+Fixes: b1a811633f73 ("block: nbd: add sanity check for first_minor")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Link: https://lore.kernel.org/r/20211102015237.2309763-2-yebin10@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Wen Yang <wenyang.linux@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/nbd.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1773,11 +1773,11 @@ static int nbd_dev_add(int index)
+       disk->major = NBD_MAJOR;
+       /* Too big first_minor can cause duplicate creation of
+-       * sysfs files/links, since first_minor will be truncated to
+-       * byte in __device_add_disk().
++       * sysfs files/links, since MKDEV() expect that the max bits of
++       * first_minor is 20.
+        */
+       disk->first_minor = index << part_shift;
+-      if (disk->first_minor > 0xff) {
++      if (disk->first_minor > MINORMASK) {
+               err = -EINVAL;
+               goto out_free_idr;
+       }
diff --git a/queue-5.10/nbd-fix-possible-overflow-for-first_minor-in-nbd_dev_add.patch b/queue-5.10/nbd-fix-possible-overflow-for-first_minor-in-nbd_dev_add.patch
new file mode 100644 (file)
index 0000000..8958b08
--- /dev/null
@@ -0,0 +1,41 @@
+From 940c264984fd1457918393c49674f6b39ee16506 Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Tue, 2 Nov 2021 09:52:35 +0800
+Subject: nbd: fix possible overflow for 'first_minor' in nbd_dev_add()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit 940c264984fd1457918393c49674f6b39ee16506 upstream.
+
+If 'part_shift' is not zero, then 'index << part_shift' might
+overflow to a value that is not greater than '0xfffff', then sysfs
+might complains about duplicate creation.
+
+Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Link: https://lore.kernel.org/r/20211102015237.2309763-3-yebin10@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Wen Yang <wenyang.linux@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/nbd.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1773,11 +1773,11 @@ static int nbd_dev_add(int index)
+       disk->major = NBD_MAJOR;
+       /* Too big first_minor can cause duplicate creation of
+-       * sysfs files/links, since MKDEV() expect that the max bits of
+-       * first_minor is 20.
++       * sysfs files/links, since index << part_shift might overflow, or
++       * MKDEV() expect that the max bits of first_minor is 20.
+        */
+       disk->first_minor = index << part_shift;
+-      if (disk->first_minor > MINORMASK) {
++      if (disk->first_minor < index || disk->first_minor > MINORMASK) {
+               err = -EINVAL;
+               goto out_free_idr;
+       }
diff --git a/queue-5.10/nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_add.patch b/queue-5.10/nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_add.patch
new file mode 100644 (file)
index 0000000..043eab1
--- /dev/null
@@ -0,0 +1,69 @@
+From 858f1bf65d3d9c00b5e2d8ca87dc79ed88267c98 Mon Sep 17 00:00:00 2001
+From: Zhang Wensheng <zhangwensheng5@huawei.com>
+Date: Sat, 21 May 2022 15:37:48 +0800
+Subject: nbd: fix possible overflow on 'first_minor' in nbd_dev_add()
+
+From: Zhang Wensheng <zhangwensheng5@huawei.com>
+
+commit 858f1bf65d3d9c00b5e2d8ca87dc79ed88267c98 upstream.
+
+When 'index' is a big numbers, it may become negative which forced
+to 'int'. then 'index << part_shift' might overflow to a positive
+value that is not greater than '0xfffff', then sysfs might complains
+about duplicate creation. Because of this, move the 'index' judgment
+to the front will fix it and be better.
+
+Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
+Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' in nbd_dev_add()")
+Signed-off-by: Zhang Wensheng <zhangwensheng5@huawei.com>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Link: https://lore.kernel.org/r/20220521073749.3146892-6-yukuai3@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Wen Yang <wenyang.linux@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/nbd.c |   23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1771,17 +1771,7 @@ static int nbd_dev_add(int index)
+       refcount_set(&nbd->refs, 1);
+       INIT_LIST_HEAD(&nbd->list);
+       disk->major = NBD_MAJOR;
+-
+-      /* Too big first_minor can cause duplicate creation of
+-       * sysfs files/links, since index << part_shift might overflow, or
+-       * MKDEV() expect that the max bits of first_minor is 20.
+-       */
+       disk->first_minor = index << part_shift;
+-      if (disk->first_minor < index || disk->first_minor > MINORMASK) {
+-              err = -EINVAL;
+-              goto out_free_idr;
+-      }
+-
+       disk->fops = &nbd_fops;
+       disk->private_data = nbd;
+       sprintf(disk->disk_name, "nbd%d", index);
+@@ -1875,8 +1865,19 @@ static int nbd_genl_connect(struct sk_bu
+       if (!netlink_capable(skb, CAP_SYS_ADMIN))
+               return -EPERM;
+-      if (info->attrs[NBD_ATTR_INDEX])
++      if (info->attrs[NBD_ATTR_INDEX]) {
+               index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]);
++
++              /*
++               * Too big first_minor can cause duplicate creation of
++               * sysfs files/links, since index << part_shift might overflow, or
++               * MKDEV() expect that the max bits of first_minor is 20.
++               */
++              if (index < 0 || index > MINORMASK >> part_shift) {
++                      printk(KERN_ERR "nbd: illegal input index %d\n", index);
++                      return -EINVAL;
++              }
++      }
+       if (!info->attrs[NBD_ATTR_SOCKETS]) {
+               printk(KERN_ERR "nbd: must specify at least one socket\n");
+               return -EINVAL;
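Review bot: After this patch the bound on `index` is enforced only in nbd_genl_connect(), while nbd_dev_add() still computes `disk->first_minor = index << part_shift` with no check of its own, so the invariant now rests on every caller of nbd_dev_add() bounding index first; the hunk shows only the netlink caller, so a comment at the assignment would make that contract explicit, e.g. `/* callers must bound index to MINORMASK >> part_shift (see nbd_genl_connect()) */`. In nbd_genl_connect() the value comes from `nla_get_u32()` and is presumably stored in an int (the `< 0` test only makes sense for a signed variable), so `index < 0` is what rejects u32 attribute values above INT_MAX rather than a redundant check; a one-line comment saying so would stop a future cleanup from dropping it. Both nbd_dev_add() and nbd_genl_connect() start and end outside the hunks.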
diff --git a/queue-5.10/revert-revert-block-nbd-add-sanity-check-for-first_minor.patch b/queue-5.10/revert-revert-block-nbd-add-sanity-check-for-first_minor.patch
new file mode 100644 (file)
index 0000000..8118f58
--- /dev/null
@@ -0,0 +1,49 @@
+From wenyang.linux@foxmail.com  Thu Feb 23 10:40:14 2023
+From: wenyang.linux@foxmail.com
+Date: Tue, 21 Feb 2023 02:04:46 +0800
+Subject: Revert "Revert "block: nbd: add sanity check for first_minor""
+To: Sasha Levin <sashal@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Wen Yang <wenyang.linux@foxmail.com>, Joel Stanley <joel@jms.id.au>, Christoph Hellwig <hch@lst.de>, Pavel Skripkin <paskripkin@gmail.com>, Jens Axboe <axboe@kernel.dk>, stable@vger.kernel.org
+Message-ID: <tencent_B38279CA0FF1F9A0CA887A2B886A92209D05@qq.com>
+
+From: Wen Yang <wenyang.linux@foxmail.com>
+
+This reverts commit 0daa75bf750c400af0a0127fae37cd959d36dee7.
+
+These problems such as:
+https://lore.kernel.org/all/CACPK8XfUWoOHr-0RwRoYoskia4fbAbZ7DYf5wWBnv6qUnGq18w@mail.gmail.com/
+It was introduced by introduced by commit b1a811633f73 ("block: nbd: add sanity check for first_minor")
+and has been have been fixed by commit e4c4871a7394 ("nbd: fix max value for 'first_minor'").
+
+Cc: Joel Stanley <joel@jms.id.au>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Pavel Skripkin <paskripkin@gmail.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Sasha Levin <sashal@kernel.org>
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Wen Yang <wenyang.linux@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/nbd.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1771,7 +1771,17 @@ static int nbd_dev_add(int index)
+       refcount_set(&nbd->refs, 1);
+       INIT_LIST_HEAD(&nbd->list);
+       disk->major = NBD_MAJOR;
++
++      /* Too big first_minor can cause duplicate creation of
++       * sysfs files/links, since first_minor will be truncated to
++       * byte in __device_add_disk().
++       */
+       disk->first_minor = index << part_shift;
++      if (disk->first_minor > 0xff) {
++              err = -EINVAL;
++              goto out_free_idr;
++      }
++
+       disk->fops = &nbd_fops;
+       disk->private_data = nbd;
+       sprintf(disk->disk_name, "nbd%d", index);
index cb0c99363a7095bdf0f4000af2bdfa670ce5b3bd..b577fdfa8ed2533ae439397514e80112f700b514 100644 (file)
@@ -14,3 +14,8 @@ can-kvaser_usb-hydra-help-gcc-13-to-figure-out-cmd_l.patch
 powerpc-dts-t208x-disable-10g-on-mac1-and-mac2.patch
 drm-i915-gvt-fix-double-free-bug-in-split_2mb_gtt_entry.patch
 mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch
+uaccess-add-speculation-barrier-to-copy_from_user.patch
+revert-revert-block-nbd-add-sanity-check-for-first_minor.patch
+nbd-fix-max-value-for-first_minor.patch
+nbd-fix-possible-overflow-for-first_minor-in-nbd_dev_add.patch
+nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_add.patch
diff --git a/queue-5.10/uaccess-add-speculation-barrier-to-copy_from_user.patch b/queue-5.10/uaccess-add-speculation-barrier-to-copy_from_user.patch
new file mode 100644 (file)
index 0000000..193b27d
--- /dev/null
@@ -0,0 +1,106 @@
+From 74e19ef0ff8061ef55957c3abd71614ef0f42f47 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Tue, 21 Feb 2023 12:30:15 -0800
+Subject: uaccess: Add speculation barrier to copy_from_user()
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 upstream.
+
+The results of "access_ok()" can be mis-speculated.  The result is that
+you can end speculatively:
+
+       if (access_ok(from, size))
+               // Right here
+
+even for bad from/size combinations.  On first glance, it would be ideal
+to just add a speculation barrier to "access_ok()" so that its results
+can never be mis-speculated.
+
+But there are lots of system calls just doing access_ok() via
+"copy_to_user()" and friends (example: fstat() and friends).  Those are
+generally not problematic because they do not _consume_ data from
+userspace other than the pointer.  They are also very quick and common
+system calls that should not be needlessly slowed down.
+
+"copy_from_user()" on the other hand uses a user-controller pointer and
+is frequently followed up with code that might affect caches.  Take
+something like this:
+
+       if (!copy_from_user(&kernelvar, uptr, size))
+               do_something_with(kernelvar);
+
+If userspace passes in an evil 'uptr' that *actually* points to a kernel
+addresses, and then do_something_with() has cache (or other)
+side-effects, it could allow userspace to infer kernel data values.
+
+Add a barrier to the common copy_from_user() code to prevent
+mis-speculated values which happen after the copy.
+
+Also add a stub for architectures that do not define barrier_nospec().
+This makes the macro usable in generic code.
+
+Since the barrier is now usable in generic code, the x86 #ifdef in the
+BPF code can also go away.
+
+Reported-by: Jordy Zomer <jordyzomer@google.com>
+Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>   # BPF bits
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/nospec.h |    4 ++++
+ kernel/bpf/core.c      |    2 --
+ lib/usercopy.c         |    7 +++++++
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/include/linux/nospec.h
++++ b/include/linux/nospec.h
+@@ -11,6 +11,10 @@
+ struct task_struct;
++#ifndef barrier_nospec
++# define barrier_nospec() do { } while (0)
++#endif
++
+ /**
+  * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
+  * @index: array element index
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -1642,9 +1642,7 @@ out:
+                * reuse preexisting logic from Spectre v1 mitigation that
+                * happens to produce the required code on x86 for v4 as well.
+                */
+-#ifdef CONFIG_X86
+               barrier_nospec();
+-#endif
+               CONT;
+ #define LDST(SIZEOP, SIZE)                                            \
+       STX_MEM_##SIZEOP:                                               \
+--- a/lib/usercopy.c
++++ b/lib/usercopy.c
+@@ -3,6 +3,7 @@
+ #include <linux/fault-inject-usercopy.h>
+ #include <linux/instrumented.h>
+ #include <linux/uaccess.h>
++#include <linux/nospec.h>
+ /* out-of-line parts */
+@@ -12,6 +13,12 @@ unsigned long _copy_from_user(void *to,
+       unsigned long res = n;
+       might_fault();
+       if (!should_fail_usercopy() && likely(access_ok(from, n))) {
++              /*
++               * Ensure that bad access_ok() speculation will not
++               * lead to nasty side effects *after* the copy is
++               * finished:
++               */
++              barrier_nospec();
+               instrument_copy_from_user(to, from, n);
+               res = raw_copy_from_user(to, from, n);
+       }