From: Sasha Levin Date: Sun, 19 Jan 2025 23:10:09 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v6.6.73~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=06ab2f3270484cb6d0adb1006574b874ef19a72a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/fs-fix-missing-declaration-of-init_files.patch b/queue-5.10/fs-fix-missing-declaration-of-init_files.patch new file mode 100644 index 0000000000..0855faee00 --- /dev/null +++ b/queue-5.10/fs-fix-missing-declaration-of-init_files.patch @@ -0,0 +1,37 @@ +From 3548ee19f169bf1fef43132321944cd2840aee48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 07:18:36 +0000 +Subject: fs: fix missing declaration of init_files + +From: Zhang Kunbo + +[ Upstream commit 2b2fc0be98a828cf33a88a28e9745e8599fb05cf ] + +fs/file.c should include include/linux/init_task.h for + declaration of init_files. This fixes the sparse warning: + +fs/file.c:501:21: warning: symbol 'init_files' was not declared. Should it be static? + +Signed-off-by: Zhang Kunbo +Link: https://lore.kernel.org/r/20241217071836.2634868-1-zhangkunbo@huawei.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/file.c b/fs/file.c +index 40a7fc127f37a..975b1227a2f6d 100644 +--- a/fs/file.c ++++ b/fs/file.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + #include "internal.h" + +-- +2.39.5 + diff --git a/queue-5.10/hfs-sanity-check-the-root-record.patch b/queue-5.10/hfs-sanity-check-the-root-record.patch new file mode 100644 index 0000000000..4db9c521d4 --- /dev/null +++ b/queue-5.10/hfs-sanity-check-the-root-record.patch 
@@ -0,0 +1,56 @@ +From ba4e87508a34f922cba016496f465da3772740a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2024 21:14:19 -0800 +Subject: hfs: Sanity check the root record + +From: Leo Stone + +[ Upstream commit b905bafdea21a75d75a96855edd9e0b6051eee30 ] + +In the syzbot reproducer, the hfs_cat_rec for the root dir has type +HFS_CDR_FIL after being read with hfs_bnode_read() in hfs_super_fill(). +This indicates it should be used as an hfs_cat_file, which is 102 bytes. +Only the first 70 bytes of that struct are initialized, however, +because the entrylength passed into hfs_bnode_read() is still the length of +a directory record. This causes uninitialized values to be used later on, +when the hfs_cat_rec union is treated as the larger hfs_cat_file struct. + +Add a check to make sure the retrieved record has the correct type +for the root directory (HFS_CDR_DIR), and make sure we load the correct +number of bytes for a directory record. + +Reported-by: syzbot+2db3c7526ba68f4ea776@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2db3c7526ba68f4ea776 +Tested-by: syzbot+2db3c7526ba68f4ea776@syzkaller.appspotmail.com +Tested-by: Leo Stone +Signed-off-by: Leo Stone +Link: https://lore.kernel.org/r/20241201051420.77858-1-leocstone@gmail.com +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/hfs/super.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/hfs/super.c b/fs/hfs/super.c +index 12d9bae393631..699dd94b1a864 100644 +--- a/fs/hfs/super.c ++++ b/fs/hfs/super.c +@@ -418,11 +418,13 @@ static int hfs_fill_super(struct super_block *sb, void *data, int silent) + goto bail_no_root; + res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd); + if (!res) { +- if (fd.entrylength > sizeof(rec) || fd.entrylength < 0) { ++ if (fd.entrylength != sizeof(rec.dir)) { + res = -EIO; + goto bail_hfs_find; + } + hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength); ++ if 
(rec.type != HFS_CDR_DIR) ++ res = -EIO; + } + if (res) + goto bail_hfs_find; +-- +2.39.5 + diff --git a/queue-5.10/kheaders-ignore-silly-rename-files.patch b/queue-5.10/kheaders-ignore-silly-rename-files.patch new file mode 100644 index 0000000000..877c62d122 --- /dev/null +++ b/queue-5.10/kheaders-ignore-silly-rename-files.patch 
@@ -0,0 +1,60 @@ +From ef45ae319079a3bbcfbf4be694be6f358cf56e73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 13:50:01 +0000 +Subject: kheaders: Ignore silly-rename files + +From: David Howells + +[ Upstream commit 973b710b8821c3401ad7a25360c89e94b26884ac ] + +Tell tar to ignore silly-rename files (".__afs*" and ".nfs*") when building +the header archive. These occur when a file that is open is unlinked +locally, but hasn't yet been closed. Such files are visible to the user +via the getdents() syscall and so programs may want to do things with them. + +During the kernel build, such files may be made during the processing of +header files and the cleanup may get deferred by fput() which may result in +tar seeing these files when it reads the directory, but they may have +disappeared by the time it tries to open them, causing tar to fail with an +error. Further, we don't want to include them in the tarball if they still +exist. + +With CONFIG_HEADERS_INSTALL=y, something like the following may be seen: + + find: './kernel/.tmp_cpio_dir/include/dt-bindings/reset/.__afs2080': No such file or directory + tar: ./include/linux/greybus/.__afs3C95: File removed before we read it + +The find warning doesn't seem to cause a problem. + +Fix this by telling tar when called from in gen_kheaders.sh to exclude such +files. This only affects afs and nfs; cifs uses the Windows Hidden +attribute to prevent the file from being seen. 
+ +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20241213135013.2964079-2-dhowells@redhat.com +cc: Masahiro Yamada +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +cc: linux-nfs@vger.kernel.org +cc: linux-kernel@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + kernel/gen_kheaders.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/gen_kheaders.sh b/kernel/gen_kheaders.sh +index 206ab3d41ee76..7fc44d8da2052 100755 +--- a/kernel/gen_kheaders.sh ++++ b/kernel/gen_kheaders.sh +@@ -84,6 +84,7 @@ find $cpio_dir -type f -print0 | + + # Create archive and try to normalize metadata for reproducibility. + tar "${KBUILD_BUILD_TIMESTAMP:+--mtime=$KBUILD_BUILD_TIMESTAMP}" \ ++ --exclude=".__afs*" --exclude=".nfs*" \ + --owner=0 --group=0 --sort=name --numeric-owner --mode=u=rw,go=r,a+X \ + -I $XZ -cf $tarfile -C $cpio_dir/ . > /dev/null + +-- +2.39.5 + diff --git a/queue-5.10/mac802154-check-local-interfaces-before-deleting-sda.patch b/queue-5.10/mac802154-check-local-interfaces-before-deleting-sda.patch new file mode 100644 index 0000000000..64a25beba6 --- /dev/null +++ b/queue-5.10/mac802154-check-local-interfaces-before-deleting-sda.patch 
@@ -0,0 +1,100 @@ +From 91c7f9c5055e313d65a683b897e9462f7bc036c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2024 17:51:29 +0800 +Subject: mac802154: check local interfaces before deleting sdata list + +From: Lizhi Xu + +[ Upstream commit eb09fbeb48709fe66c0d708aed81e910a577a30a ] + +syzkaller reported a corrupted list in ieee802154_if_remove. [1] + +Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4 +hardware device from the system. + +CPU0 CPU1 +==== ==== +genl_family_rcv_msg_doit ieee802154_unregister_hw +ieee802154_del_iface ieee802154_remove_interfaces +rdev_del_virtual_intf_deprecated list_del(&sdata->list) +ieee802154_if_remove +list_del_rcu + +The net device has been unregistered, since the rcu grace period, +unregistration must be run before ieee802154_if_remove. + +To avoid this issue, add a check for local->interfaces before deleting +sdata list. + +[1] +kernel BUG at lib/list_debug.c:58! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56 +Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7 +RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246 +RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00 +RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 +RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d +R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000 +R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0 +FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 
000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __list_del_entry_valid include/linux/list.h:124 [inline] + __list_del_entry include/linux/list.h:215 [inline] + list_del_rcu include/linux/rculist.h:157 [inline] + ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687 + rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline] + ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323 + genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] + netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357 + netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901 + sock_sendmsg_nosec net/socket.c:729 [inline] + __sock_sendmsg+0x221/0x270 net/socket.c:744 + ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607 + ___sys_sendmsg net/socket.c:2661 [inline] + __sys_sendmsg+0x292/0x380 net/socket.c:2690 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Reported-and-tested-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92 +Signed-off-by: Lizhi Xu +Reviewed-by: Miquel Raynal +Link: https://lore.kernel.org/20241113095129.1457225-1-lizhi.xu@windriver.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/mac802154/iface.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c +index a08240fe68a74..22514ab060f83 100644 +--- a/net/mac802154/iface.c ++++ 
b/net/mac802154/iface.c +@@ -688,6 +688,10 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata) + ASSERT_RTNL(); + + mutex_lock(&sdata->local->iflist_mtx); ++ if (list_empty(&sdata->local->interfaces)) { ++ mutex_unlock(&sdata->local->iflist_mtx); ++ return; ++ } + list_del_rcu(&sdata->list); + mutex_unlock(&sdata->local->iflist_mtx); + +-- +2.39.5 + diff --git a/queue-5.10/nvmet-propagate-npwg-topology.patch b/queue-5.10/nvmet-propagate-npwg-topology.patch new file mode 100644 index 0000000000..dfec181abe --- /dev/null +++ b/queue-5.10/nvmet-propagate-npwg-topology.patch @@ -0,0 +1,39 @@ +From d89131f7bc39492cfe3a6b517bfd76407a8ff394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 18:33:25 -0800 +Subject: nvmet: propagate npwg topology + +From: Luis Chamberlain + +[ Upstream commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 ] + +Ensure we propagate npwg to the target as well instead +of assuming its the same logical blocks per physical block. + +This ensures devices with large IUs information properly +propagated on the target. + +Signed-off-by: Luis Chamberlain +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/io-cmd-bdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c +index 6a9626ff07135..58dd91d2d71c8 100644 +--- a/drivers/nvme/target/io-cmd-bdev.c ++++ b/drivers/nvme/target/io-cmd-bdev.c +@@ -36,7 +36,7 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id) + */ + id->nsfeat |= 1 << 4; + /* NPWG = Namespace Preferred Write Granularity. 0's based */ +- id->npwg = lpp0b; ++ id->npwg = to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev)); + /* NPWA = Namespace Preferred Write Alignment. 0's based */ + id->npwa = id->npwg; + /* NPDG = Namespace Preferred Deallocate Granularity. 0's based */ +-- +2.39.5 + 
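Review bot: in the fs/file.c hunk of fs-fix-missing-declaration-of-init_files.patch, the include lines are rendered as bare `#include` with the header names stripped, so the added line cannot be verified as shown; per the commit message it should read `#include <linux/init_task.h>`, and since the hunk header `@@ -21,6 +21,7 @@` is the only anchor left, the backport should be checked against the actual 5.10 fs/file.c include block.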
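Review bot: in the fs/hfs/super.c hunk of hfs-sanity-check-the-root-record.patch, the new `rec.type != HFS_CDR_DIR` check only sets `res = -EIO` and relies on the pre-existing `if (res) goto bail_hfs_find;` two lines further down, while the `fd.entrylength != sizeof(rec.dir)` check directly above jumps to `bail_hfs_find` itself; using the same `goto` in both branches would keep the two rejections symmetric. The switch from the old range check to the exact `sizeof(rec.dir)` comparison is what closes the reported bug, since a record shorter than a directory record can no longer leave the tail of `rec` uninitialized, and the type check after `hfs_bnode_read()` rejects a file record presented as the root.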
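Review bot: in the kernel/gen_kheaders.sh hunk of kheaders-ignore-silly-rename-files.patch, the two `--exclude` patterns are double-quoted, which keeps the shell from expanding `.__afs*` and `.nfs*` against the build tree before tar sees them, and the backslash continuation of the `tar` command is intact, so the inserted line is well placed. The `find $cpio_dir -type f -print0` step shown in the hunk header can still emit the 'No such file or directory' warning quoted in the commit message for the same files; that is outside the stated scope (tar failing), but it should be understood that this change does not silence it.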
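Review bot: in the net/mac802154/iface.c hunk of mac802154-check-local-interfaces-before-deleting-sda.patch, the guard `list_empty(&sdata->local->interfaces)` tests whether the whole interface list is empty rather than whether this particular `sdata` is still linked, so it only covers the case where ieee802154_remove_interfaces() has already drained every entry; any path that unlinks this sdata but leaves other entries on the list would still reach `list_del_rcu(&sdata->list)`. A per-entry check (for example `list_del_init()` on the removal side and `list_empty(&sdata->list)` here) would be the more precise form. Also, the early `return` skips everything after the `mutex_unlock()` in ieee802154_if_remove(), so it needs confirming that no further cleanup in that function is required on the already-removed path.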
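Review bot: in the drivers/nvme/target/io-cmd-bdev.c hunk of nvmet-propagate-npwg-topology.patch, `to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev))` is computed without guarding the quotient: a device that reports an io_min smaller than its logical block size yields 0 from the integer division, and it needs checking what `to0based()` produces for 0 before that value lands in `id->npwg` and, through the unchanged `id->npwa = id->npwg;`, in npwa as well. Separately, the removed `id->npwg = lpp0b;` was the only use of `lpp0b` visible in this hunk; if nothing else in nvmet_bdev_set_limits() still reads it, the compiler will now flag an unused variable.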
diff --git a/queue-5.10/poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch b/queue-5.10/poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch new file mode 100644 index 0000000000..66074cb770 --- /dev/null +++ b/queue-5.10/poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch 
@@ -0,0 +1,67 @@ +From 523c70f79ae4aa9cbe1dc76d0d504ff3c78047f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2025 17:27:17 +0100 +Subject: poll_wait: add mb() to fix theoretical race between + waitqueue_active() and .poll() + +From: Oleg Nesterov + +[ Upstream commit cacd9ae4bf801ff4125d8961bb9a3ba955e51680 ] + +As the comment above waitqueue_active() explains, it can only be used +if both waker and waiter have mb()'s that pair with each other. However +__pollwait() is broken in this respect. + +This is not pipe-specific, but let's look at pipe_poll() for example: + + poll_wait(...); // -> __pollwait() -> add_wait_queue() + + LOAD(pipe->head); + LOAD(pipe->head); + +In theory these LOAD()'s can leak into the critical section inside +add_wait_queue() and can happen before list_add(entry, wq_head), in this +case pipe_poll() can race with wakeup_pipe_readers/writers which do + + smp_mb(); + if (waitqueue_active(wq_head)) + wake_up_interruptible(wq_head); + +There are more __pollwait()-like functions (grep init_poll_funcptr), and +it seems that at least ep_ptable_queue_proc() has the same problem, so the +patch adds smp_mb() into poll_wait(). + +Link: https://lore.kernel.org/all/20250102163320.GA17691@redhat.com/ +Signed-off-by: Oleg Nesterov +Link: https://lore.kernel.org/r/20250107162717.GA18922@redhat.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + include/linux/poll.h | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/include/linux/poll.h b/include/linux/poll.h +index 7e0fdcf905d2e..a4af5e14dffed 100644 +--- a/include/linux/poll.h ++++ b/include/linux/poll.h +@@ -43,8 +43,16 @@ typedef struct poll_table_struct { + + static inline void poll_wait(struct file * filp, wait_queue_head_t * wait_address, poll_table *p) + { +- if (p && p->_qproc && wait_address) ++ if (p && p->_qproc && wait_address) { + p->_qproc(filp, wait_address, p); ++ /* ++ * This memory barrier is paired in the wq_has_sleeper(). 
++ * See the comment above prepare_to_wait(), we need to ++ * ensure that subsequent tests in this thread can't be ++ * reordered with __add_wait_queue() in _qproc() paths. ++ */ ++ smp_mb(); ++ } + } + + /* +-- +2.39.5 + diff --git a/queue-5.10/series b/queue-5.10/series index e7ada9de1c..bbe87a5f5d 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -93,3 +93,10 @@ net-mlx5-fix-rdma-tx-steering-prio.patch drm-v3d-ensure-job-pointer-is-set-to-null-after-job-.patch i2c-mux-demux-pinctrl-check-initial-mux-selection-to.patch i2c-rcar-fix-nack-handling-when-being-a-target.patch +mac802154-check-local-interfaces-before-deleting-sda.patch +hfs-sanity-check-the-root-record.patch +fs-fix-missing-declaration-of-init_files.patch +kheaders-ignore-silly-rename-files.patch +poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch +nvmet-propagate-npwg-topology.patch +zram-fix-potential-uaf-of-zram-table.patch diff --git a/queue-5.10/zram-fix-potential-uaf-of-zram-table.patch b/queue-5.10/zram-fix-potential-uaf-of-zram-table.patch new file mode 100644 index 0000000000..6a6de419e3 --- /dev/null +++ b/queue-5.10/zram-fix-potential-uaf-of-zram-table.patch 
@@ -0,0 +1,39 @@ +From 46bbd50b48a377def1d596d292299ba95ca67e64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2025 14:54:46 +0800 +Subject: zram: fix potential UAF of zram table + +From: Kairui Song + +[ Upstream commit 212fe1c0df4a150fb6298db2cfff267ceaba5402 ] + +If zram_meta_alloc failed early, it frees allocated zram->table without +setting it NULL. Which will potentially cause zram_meta_free to access +the table if user reset an failed and uninitialized device. + +Link: https://lkml.kernel.org/r/20250107065446.86928-1-ryncsn@gmail.com +Fixes: 74363ec674cb ("zram: fix uninitialized ZRAM not releasing backing device") +Signed-off-by: Kairui Song +Reviewed-by: Sergey Senozhatsky +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/block/zram/zram_drv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c +index 05a46fbe0ea98..6bd672a133344 100644 +--- a/drivers/block/zram/zram_drv.c ++++ b/drivers/block/zram/zram_drv.c +@@ -1170,6 +1170,7 @@ static bool zram_meta_alloc(struct zram *zram, u64 disksize) + zram->mem_pool = zs_create_pool(zram->disk->disk_name); + if (!zram->mem_pool) { + vfree(zram->table); ++ zram->table = NULL; + return false; + } + +-- +2.39.5 +
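Review bot: in the include/linux/poll.h hunk of poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch, the new comment reads 'This memory barrier is paired in the wq_has_sleeper()'; 'paired with the smp_mb() in wq_has_sleeper()' says what is meant, and since the commit message's own example uses the open-coded `smp_mb(); if (waitqueue_active(wq_head))` form, naming both pairings would help a reader. Note also that the `smp_mb()` now runs on every poll_wait() call that reaches `_qproc`, whether or not that callback actually adds to a wait queue; that is the intended trade-off, but the cost is paid on every poll/select/epoll registration.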
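Review bot: in the drivers/block/zram/zram_drv.c hunk of zram-fix-potential-uaf-of-zram-table.patch, nulling `zram->table` after `vfree()` in the `zs_create_pool()` failure path only helps if zram_meta_free(), the consumer named in the commit message, checks the pointer for NULL before touching the table; that check is outside this hunk and should be confirmed in the 5.10 tree before merging. Any other early exit in zram_meta_alloc() that frees the table after allocation should get the same `zram->table = NULL;` treatment.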