--- /dev/null
+From bc8f5921cd69188627c08041276238de222ab466 Mon Sep 17 00:00:00 2001
+From: Ma Wupeng <mawupeng1@huawei.com>
+Date: Wed, 23 Oct 2024 17:31:29 +0800
+Subject: ipc: fix memleak if msg_init_ns failed in create_ipc_ns
+
+From: Ma Wupeng <mawupeng1@huawei.com>
+
+commit bc8f5921cd69188627c08041276238de222ab466 upstream.
+
+Percpu memory allocation may failed during create_ipc_ns however this
+fail is not handled properly since ipc sysctls and mq sysctls is not
+released properly. Fix this by release these two resource when failure.
+
+Here is the kmemleak stack when percpu failed:
+
+unreferenced object 0xffff88819de2a600 (size 512):
+ comm "shmem_2nstest", pid 120711, jiffies 4300542254
+ hex dump (first 32 bytes):
+ 60 aa 9d 84 ff ff ff ff fc 18 48 b2 84 88 ff ff `.........H.....
+ 04 00 00 00 a4 01 00 00 20 e4 56 81 ff ff ff ff ........ .V.....
+ backtrace (crc be7cba35):
+ [<ffffffff81b43f83>] __kmalloc_node_track_caller_noprof+0x333/0x420
+ [<ffffffff81a52e56>] kmemdup_noprof+0x26/0x50
+ [<ffffffff821b2f37>] setup_mq_sysctls+0x57/0x1d0
+ [<ffffffff821b29cc>] copy_ipcs+0x29c/0x3b0
+ [<ffffffff815d6a10>] create_new_namespaces+0x1d0/0x920
+ [<ffffffff815d7449>] copy_namespaces+0x2e9/0x3e0
+ [<ffffffff815458f3>] copy_process+0x29f3/0x7ff0
+ [<ffffffff8154b080>] kernel_clone+0xc0/0x650
+ [<ffffffff8154b6b1>] __do_sys_clone+0xa1/0xe0
+ [<ffffffff843df8ff>] do_syscall_64+0xbf/0x1c0
+ [<ffffffff846000b0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Link: https://lkml.kernel.org/r/20241023093129.3074301-1-mawupeng1@huawei.com
+Fixes: 72d1e611082e ("ipc/msg: mitigate the lock contention with percpu counter")
+Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ ipc/namespace.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/ipc/namespace.c
++++ b/ipc/namespace.c
+@@ -68,13 +68,15 @@ static struct ipc_namespace *create_ipc_
+
+ err = msg_init_ns(ns);
+ if (err)
+- goto fail_put;
++ goto fail_ipc;
+
+ sem_init_ns(ns);
+ shm_init_ns(ns);
+
+ return ns;
+
++fail_ipc:
++ retire_ipc_sysctls(ns);
+ fail_mq:
+ retire_mq_sysctls(ns);
+
--- /dev/null
+From a508ef4b1dcc82227edc594ffae583874dd425d7 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Fri, 1 Nov 2024 21:54:53 +0100
+Subject: lib: string_helpers: silence snprintf() output truncation warning
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit a508ef4b1dcc82227edc594ffae583874dd425d7 upstream.
+
+The output of ".%03u" with the unsigned int in range [0, 4294966295] may
+get truncated if the target buffer is not 12 bytes. This can't really
+happen here as the 'remainder' variable cannot exceed 999 but the
+compiler doesn't know it. To make it happy just increase the buffer to
+where the warning goes away.
+
+Fixes: 3c9f3681d0b4 ("[SCSI] lib: add generic helper to print sizes rounded to the correct SI range")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Cc: James E.J. Bottomley <James.Bottomley@HansenPartnership.com>
+Cc: Kees Cook <kees@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Link: https://lore.kernel.org/r/20241101205453.9353-1-brgl@bgdev.pl
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/string_helpers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/string_helpers.c
++++ b/lib/string_helpers.c
+@@ -52,7 +52,7 @@ void string_get_size(u64 size, u64 blk_s
+ static const unsigned int rounding[] = { 500, 50, 5 };
+ int i = 0, j;
+ u32 remainder = 0, sf_cap;
+- char tmp[8];
++ char tmp[12];
+ const char *unit;
+
+ tmp[0] = '\0';
--- /dev/null
+From 7f33b92e5b18e904a481e6e208486da43e4dc841 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 17 Sep 2024 12:15:23 -0400
+Subject: NFSD: Prevent a potential integer overflow
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream.
+
+If the tag length is >= U32_MAX - 3 then the "length + 4" addition
+can result in an integer overflow. Address this by splitting the
+decoding into several steps so that decode_cb_compound4res() does
+not have to perform arithmetic on the unsafe length value.
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4callback.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -297,17 +297,17 @@ static int decode_cb_compound4res(struct
+ u32 length;
+ __be32 *p;
+
+- p = xdr_inline_decode(xdr, 4 + 4);
++ p = xdr_inline_decode(xdr, XDR_UNIT);
+ if (unlikely(p == NULL))
+ goto out_overflow;
+- hdr->status = be32_to_cpup(p++);
++ hdr->status = be32_to_cpup(p);
+ /* Ignore the tag */
+- length = be32_to_cpup(p++);
+- p = xdr_inline_decode(xdr, length + 4);
+- if (unlikely(p == NULL))
++ if (xdr_stream_decode_u32(xdr, &length) < 0)
++ goto out_overflow;
++ if (xdr_inline_decode(xdr, length) == NULL)
++ goto out_overflow;
++ if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0)
+ goto out_overflow;
+- p += XDR_QUADLEN(length);
+- hdr->nops = be32_to_cpup(p);
+ return 0;
+ out_overflow:
+ return -EIO;
usb-musb-fix-hardware-lockup-on-first-rx-endpoint-request.patch
usb-dwc3-gadget-fix-checking-for-number-of-trbs-left.patch
usb-dwc3-gadget-fix-looping-of-queued-sg-entries.patch
+ublk-fix-error-code-for-unsupported-command.patch
+lib-string_helpers-silence-snprintf-output-truncation-warning.patch
+ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch
+nfsd-prevent-a-potential-integer-overflow.patch
+sunrpc-make-sure-cache-entry-active-before-cache_show.patch
--- /dev/null
+From 2862eee078a4d2d1f584e7f24fa50dddfa5f3471 Mon Sep 17 00:00:00 2001
+From: Yang Erkun <yangerkun@huawei.com>
+Date: Mon, 21 Oct 2024 22:23:42 +0800
+Subject: SUNRPC: make sure cache entry active before cache_show
+
+From: Yang Erkun <yangerkun@huawei.com>
+
+commit 2862eee078a4d2d1f584e7f24fa50dddfa5f3471 upstream.
+
+The function `c_show` was called with protection from RCU. This only
+ensures that `cp` will not be freed. Therefore, the reference count for
+`cp` can drop to zero, which will trigger a refcount use-after-free
+warning when `cache_get` is called. To resolve this issue, use
+`cache_get_rcu` to ensure that `cp` remains active.
+
+------------[ cut here ]------------
+refcount_t: addition on 0; use-after-free.
+WARNING: CPU: 7 PID: 822 at lib/refcount.c:25
+refcount_warn_saturate+0xb1/0x120
+CPU: 7 UID: 0 PID: 822 Comm: cat Not tainted 6.12.0-rc3+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.16.1-2.fc37 04/01/2014
+RIP: 0010:refcount_warn_saturate+0xb1/0x120
+
+Call Trace:
+ <TASK>
+ c_show+0x2fc/0x380 [sunrpc]
+ seq_read_iter+0x589/0x770
+ seq_read+0x1e5/0x270
+ proc_reg_read+0xe1/0x140
+ vfs_read+0x125/0x530
+ ksys_read+0xc1/0x160
+ do_syscall_64+0x5f/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Cc: stable@vger.kernel.org # v4.20+
+Signed-off-by: Yang Erkun <yangerkun@huawei.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/cache.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -1431,7 +1431,9 @@ static int c_show(struct seq_file *m, vo
+ seq_printf(m, "# expiry=%lld refcnt=%d flags=%lx\n",
+ convert_to_wallclock(cp->expiry_time),
+ kref_read(&cp->ref), cp->flags);
+- cache_get(cp);
++ if (!cache_get_rcu(cp))
++ return 0;
++
+ if (cache_check(cd, cp, NULL))
+ /* cache_check does a cache_put on failure */
+ seq_puts(m, "# ");
--- /dev/null
+From 34c1227035b3ab930a1ae6ab6f22fec1af8ab09e Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Tue, 19 Nov 2024 11:06:46 +0800
+Subject: ublk: fix error code for unsupported command
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 34c1227035b3ab930a1ae6ab6f22fec1af8ab09e upstream.
+
+ENOTSUPP is for kernel use only, and shouldn't be sent to userspace.
+
+Fix it by replacing it with EOPNOTSUPP.
+
+Cc: stable@vger.kernel.org
+Fixes: bfbcef036396 ("ublk_drv: move ublk_get_device_from_id into ublk_ctrl_uring_cmd")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20241119030646.2319030-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/ublk_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -2055,7 +2055,7 @@ static int ublk_ctrl_uring_cmd(struct io
+ ret = ublk_ctrl_end_recovery(ub, cmd);
+ break;
+ default:
+- ret = -ENOTSUPP;
++ ret = -EOPNOTSUPP;
+ break;
+ }
+ if (ub)
projects / thirdparty / kernel / stable-queue.git / commitdiff
