6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Jan 2025 13:27:23 +0000 (14:27 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Jan 2025 13:27:23 +0000 (14:27 +0100)
added patches:
rdma-rxe-fix-the-qp-flush-warnings-in-req.patch
revert-regmap-detach-regmap-from-dev-on-regmap_exit.patch
scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch

queue-6.1/rdma-rxe-fix-the-qp-flush-warnings-in-req.patch [new file with mode: 0644]
queue-6.1/revert-regmap-detach-regmap-from-dev-on-regmap_exit.patch [new file with mode: 0644]
queue-6.1/scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/rdma-rxe-fix-the-qp-flush-warnings-in-req.patch b/queue-6.1/rdma-rxe-fix-the-qp-flush-warnings-in-req.patch
new file mode 100644 (file)
index 0000000..eb8cb46
--- /dev/null
@@ -0,0 +1,83 @@
+From ea4c990fa9e19ffef0648e40c566b94ba5ab31be Mon Sep 17 00:00:00 2001
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+Date: Fri, 25 Oct 2024 17:20:36 +0200
+Subject: RDMA/rxe: Fix the qp flush warnings in req
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+commit ea4c990fa9e19ffef0648e40c566b94ba5ab31be upstream.
+
+When the qp is in error state, the status of WQEs in the queue should be
+set to error. Or else the following will appear.
+
+[  920.617269] WARNING: CPU: 1 PID: 21 at drivers/infiniband/sw/rxe/rxe_comp.c:756 rxe_completer+0x989/0xcc0 [rdma_rxe]
+[  920.617744] Modules linked in: rnbd_client(O) rtrs_client(O) rtrs_core(O) rdma_ucm rdma_cm iw_cm ib_cm crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel ib_uverbs ib_core loop brd null_blk ipv6
+[  920.618516] CPU: 1 PID: 21 Comm: ksoftirqd/1 Tainted: G           O       6.1.113-storage+ #65
+[  920.618986] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+[  920.619396] RIP: 0010:rxe_completer+0x989/0xcc0 [rdma_rxe]
+[  920.619658] Code: 0f b6 84 24 3a 02 00 00 41 89 84 24 44 04 00 00 e9 2a f7 ff ff 39 ca bb 03 00 00 00 b8 0e 00 00 00 48 0f 45 d8 e9 15 f7 ff ff <0f> 0b e9 cb f8 ff ff 41 bf f5 ff ff ff e9 08 f8 ff ff 49 8d bc 24
+[  920.620482] RSP: 0018:ffff97b7c00bbc38 EFLAGS: 00010246
+[  920.620817] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000008
+[  920.621183] RDX: ffff960dc396ebc0 RSI: 0000000000005400 RDI: ffff960dc4e2fbac
+[  920.621548] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffac406450
+[  920.621884] R10: ffffffffac4060c0 R11: 0000000000000001 R12: ffff960dc4e2f800
+[  920.622254] R13: ffff960dc4e2f928 R14: ffff97b7c029c580 R15: 0000000000000000
+[  920.622609] FS:  0000000000000000(0000) GS:ffff960ef7d00000(0000) knlGS:0000000000000000
+[  920.622979] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  920.623245] CR2: 00007fa056965e90 CR3: 00000001107f1000 CR4: 00000000000006e0
+[  920.623680] Call Trace:
+[  920.623815]  <TASK>
+[  920.623933]  ? __warn+0x79/0xc0
+[  920.624116]  ? rxe_completer+0x989/0xcc0 [rdma_rxe]
+[  920.624356]  ? report_bug+0xfb/0x150
+[  920.624594]  ? handle_bug+0x3c/0x60
+[  920.624796]  ? exc_invalid_op+0x14/0x70
+[  920.624976]  ? asm_exc_invalid_op+0x16/0x20
+[  920.625203]  ? rxe_completer+0x989/0xcc0 [rdma_rxe]
+[  920.625474]  ? rxe_completer+0x329/0xcc0 [rdma_rxe]
+[  920.625749]  rxe_do_task+0x80/0x110 [rdma_rxe]
+[  920.626037]  rxe_requester+0x625/0xde0 [rdma_rxe]
+[  920.626310]  ? rxe_cq_post+0xe2/0x180 [rdma_rxe]
+[  920.626583]  ? do_complete+0x18d/0x220 [rdma_rxe]
+[  920.626812]  ? rxe_completer+0x1a3/0xcc0 [rdma_rxe]
+[  920.627050]  rxe_do_task+0x80/0x110 [rdma_rxe]
+[  920.627285]  tasklet_action_common.constprop.0+0xa4/0x120
+[  920.627522]  handle_softirqs+0xc2/0x250
+[  920.627728]  ? sort_range+0x20/0x20
+[  920.627942]  run_ksoftirqd+0x1f/0x30
+[  920.628158]  smpboot_thread_fn+0xc7/0x1b0
+[  920.628334]  kthread+0xd6/0x100
+[  920.628504]  ? kthread_complete_and_exit+0x20/0x20
+[  920.628709]  ret_from_fork+0x1f/0x30
+[  920.628892]  </TASK>
+
+Fixes: ae720bdb703b ("RDMA/rxe: Generate error completion for error requester QP state")
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Link: https://patch.msgid.link/20241025152036.121417-1-yanjun.zhu@linux.dev
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Bin Lan <lanbincn@qq.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rxe/rxe_req.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_req.c
++++ b/drivers/infiniband/sw/rxe/rxe_req.c
+@@ -643,13 +643,15 @@ int rxe_requester(void *arg)
+       if (unlikely(qp->req.state == QP_STATE_ERROR)) {
+               wqe = req_next_wqe(qp);
+-              if (wqe)
++              if (wqe) {
+                       /*
+                        * Generate an error completion for error qp state
+                        */
++                      wqe->status = IB_WC_WR_FLUSH_ERR;
+                       goto err;
+-              else
++              } else {
+                       goto exit;
++              }
+       }
+       if (unlikely(qp->req.state == QP_STATE_RESET)) {
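Review bot: The comment inside the new `if (wqe) {` branch still only says "Generate an error completion for error qp state", while the line that actually addresses the reported WARNING is the added `wqe->status = IB_WC_WR_FLUSH_ERR;` — a reader of the 6.1 tree is not told why the status must be set before `goto err`. Suggest widening that comment to something like `/* Mark the WQE flushed before handing it to the completer, so it sees an error status rather than a stale one (see the WARN in rxe_completer()) */`. The commit message speaks of the status of WQEs (plural) in the queue, but this branch flags only the single WQE returned by `req_next_wqe()` per requester pass; presumably the remaining WQEs are flushed on subsequent passes through the same path, which is worth confirming against how the `err:` label reschedules the task. `rxe_requester()` starts and ends outside the hunk.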
diff --git a/queue-6.1/revert-regmap-detach-regmap-from-dev-on-regmap_exit.patch b/queue-6.1/revert-regmap-detach-regmap-from-dev-on-regmap_exit.patch
new file mode 100644 (file)
index 0000000..b43844d
--- /dev/null
@@ -0,0 +1,49 @@
+From f4adb02ebeb4d9d2f23a0dc6b52c8ad3d750e433 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 21 Jan 2025 14:24:18 +0100
+Subject: Revert "regmap: detach regmap from dev on regmap_exit"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit 48dc44f3c1afa29390cb2fbc8badad1b1111cea4 which is
+commit 3061e170381af96d1e66799d34264e6414d428a7 upstream.
+
+It was backported incorrectly, a fixed version will be applied later.
+
+Cc: Cosmin Tanislav <demonsingur@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20250115033244.2540522-1-tzungbi@kernel.org
+Reported-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/regmap/regmap.c |   12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -652,17 +652,6 @@ int regmap_attach_dev(struct device *dev
+ }
+ EXPORT_SYMBOL_GPL(regmap_attach_dev);
+-static int dev_get_regmap_match(struct device *dev, void *res, void *data);
+-
+-static int regmap_detach_dev(struct device *dev, struct regmap *map)
+-{
+-      if (!dev)
+-              return 0;
+-
+-      return devres_release(dev, dev_get_regmap_release,
+-                            dev_get_regmap_match, (void *)map->name);
+-}
+-
+ static enum regmap_endian regmap_get_reg_endian(const struct regmap_bus *bus,
+                                       const struct regmap_config *config)
+ {
+@@ -1513,7 +1502,6 @@ int regmap_reinit_cache(struct regmap *m
+ {
+       int ret;
+-      regmap_detach_dev(map->dev, map);
+       regcache_exit(map);
+       regmap_debugfs_exit(map);
diff --git a/queue-6.1/scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch b/queue-6.1/scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch
new file mode 100644 (file)
index 0000000..892260c
--- /dev/null
@@ -0,0 +1,73 @@
+From f10593ad9bc36921f623361c9e3dd96bd52d85ee Mon Sep 17 00:00:00 2001
+From: Suraj Sonawane <surajsonawane0215@gmail.com>
+Date: Wed, 20 Nov 2024 18:29:44 +0530
+Subject: scsi: sg: Fix slab-use-after-free read in sg_release()
+
+From: Suraj Sonawane <surajsonawane0215@gmail.com>
+
+commit f10593ad9bc36921f623361c9e3dd96bd52d85ee upstream.
+
+Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN:
+
+BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30
+kernel/locking/lockdep.c:5838
+__mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912
+sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407
+
+In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is
+called before releasing the open_rel_lock mutex. The kref_put() call may
+decrement the reference count of sfp to zero, triggering its cleanup
+through sg_remove_sfp(). This cleanup includes scheduling deferred work
+via sg_remove_sfp_usercontext(), which ultimately frees sfp.
+
+After kref_put(), sg_release() continues to unlock open_rel_lock and may
+reference sfp or sdp. If sfp has already been freed, this results in a
+slab-use-after-free error.
+
+Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the
+open_rel_lock mutex. This ensures:
+
+ - No references to sfp or sdp occur after the reference count is
+   decremented.
+
+ - Cleanup functions such as sg_remove_sfp() and
+   sg_remove_sfp_usercontext() can safely execute without impacting the
+   mutex handling in sg_release().
+
+The fix has been tested and validated by syzbot. This patch closes the
+bug reported at the following syzkaller link and ensures proper
+sequencing of resource cleanup and mutex operations, eliminating the
+risk of use-after-free errors in sg_release().
+
+Reported-by: syzbot+7efb5850a17ba6ce098b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=7efb5850a17ba6ce098b
+Tested-by: syzbot+7efb5850a17ba6ce098b@syzkaller.appspotmail.com
+Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling")
+Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
+Link: https://lore.kernel.org/r/20241120125944.88095-1-surajsonawane0215@gmail.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Alva Lan <alvalan9@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sg.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -390,7 +390,6 @@ sg_release(struct inode *inode, struct f
+       mutex_lock(&sdp->open_rel_lock);
+       scsi_autopm_put_device(sdp->device);
+-      kref_put(&sfp->f_ref, sg_remove_sfp);
+       sdp->open_cnt--;
+       /* possibly many open()s waiting on exlude clearing, start many;
+@@ -402,6 +401,7 @@ sg_release(struct inode *inode, struct f
+               wake_up_interruptible(&sdp->open_wait);
+       }
+       mutex_unlock(&sdp->open_rel_lock);
++      kref_put(&sfp->f_ref, sg_remove_sfp);
+       return 0;
+ }
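Review bot: The new position of `kref_put(&sfp->f_ref, sg_remove_sfp);` after `mutex_unlock(&sdp->open_rel_lock);` is load-bearing — the put may drop the last reference and free `sfp`, so nothing may touch it afterwards — but nothing in the code records that constraint, and a later cleanup could move the call back under the lock and reintroduce the use-after-free. Suggest a comment on the moved line, e.g. `/* May free sfp: must stay after the unlock and be the last use of sfp */`. `sg_release()` begins outside the hunk, so whether `sfp` is referenced between the two hunks beyond the `open_wait` wake-up path visible here cannot be confirmed from this view.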
index 9fe792c2a13f8ac663fc639ae0eb28bfeee1636b..443a1256a54368e1464bcb2b00ad07bea787b576 100644 (file)
@@ -53,3 +53,6 @@ drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
 drm-amdgpu-fix-usage-slab-after-free.patch
 block-fix-uaf-for-flush-rq-while-iterating-tags.patch
 revert-drm-amdgpu-rework-resume-handling-for-display-v2.patch
+rdma-rxe-fix-the-qp-flush-warnings-in-req.patch
+scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch
+revert-regmap-detach-regmap-from-dev-on-regmap_exit.patch