From: Greg Kroah-Hartman Date: Mon, 6 Mar 2023 10:58:26 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.2.3~104 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1694f07fb44a74b7e1b95362f37106d9d346c5e7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: cifs-fix-uninitialized-memory-read-in-smb3_qfs_tcon.patch s390-discard-.interp-section.patch s390-extmem-return-correct-segment-type-in-__segment_load.patch s390-kprobes-fix-current_kprobe-never-cleared-after-kprobes-reenter.patch s390-kprobes-fix-irq-mask-clobbering-on-kprobe-reenter-from-post_handler.patch --- diff --git a/queue-5.15/cifs-fix-uninitialized-memory-read-in-smb3_qfs_tcon.patch b/queue-5.15/cifs-fix-uninitialized-memory-read-in-smb3_qfs_tcon.patch new file mode 100644 index 00000000000..6b40d6231bb --- /dev/null +++ b/queue-5.15/cifs-fix-uninitialized-memory-read-in-smb3_qfs_tcon.patch @@ -0,0 +1,42 @@ +From d447e794a37288ec7a080aa1b044a8d9deebbab7 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Wed, 11 Jan 2023 12:37:58 +0100 +Subject: cifs: Fix uninitialized memory read in smb3_qfs_tcon() + +From: Volker Lendecke + +commit d447e794a37288ec7a080aa1b044a8d9deebbab7 upstream. + +oparms was not fully initialized + +Signed-off-by: Volker Lendecke +Reviewed-by: Paulo Alcantara (SUSE) +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -966,12 +966,13 @@ smb3_qfs_tcon(const unsigned int xid, st + struct cifs_fid fid; + struct cached_fid *cfid = NULL; + +- oparms.tcon = tcon; +- oparms.desired_access = FILE_READ_ATTRIBUTES; +- oparms.disposition = FILE_OPEN; +- oparms.create_options = cifs_create_options(cifs_sb, 0); +- oparms.fid = &fid; +- oparms.reconnect = false; ++ oparms = (struct cifs_open_parms) { ++ .tcon = tcon, ++ .desired_access = FILE_READ_ATTRIBUTES, ++ .disposition = FILE_OPEN, ++ .create_options = cifs_create_options(cifs_sb, 0), ++ .fid = &fid, ++ }; + + rc = open_cached_dir(xid, tcon, "", cifs_sb, &cfid); + if (rc == 0) diff --git a/queue-5.15/s390-discard-.interp-section.patch b/queue-5.15/s390-discard-.interp-section.patch new file mode 100644 index 00000000000..682e365bb1d --- /dev/null +++ b/queue-5.15/s390-discard-.interp-section.patch @@ -0,0 +1,48 @@ +From e9c9cb90e76ffaabcc7ca8f275d9e82195fd6367 Mon Sep 17 00:00:00 2001 +From: Ilya Leoshkevich +Date: Mon, 23 Jan 2023 22:50:32 +0100 +Subject: s390: discard .interp section + +From: Ilya Leoshkevich + +commit e9c9cb90e76ffaabcc7ca8f275d9e82195fd6367 upstream. + +When debugging vmlinux with QEMU + GDB, the following GDB error may +occur: + + (gdb) c + Continuing. + Warning: + Cannot insert breakpoint -1. + Cannot access memory at address 0xffffffffffff95c0 + + Command aborted. + (gdb) + +The reason is that, when .interp section is present, GDB tries to +locate the file specified in it in memory and put a number of +breakpoints there (see enable_break() function in gdb/solib-svr4.c). +Sometimes GDB finds a bogus location that matches its heuristics, +fails to set a breakpoint and stops. This makes further debugging +impossible. + +The .interp section contains misleading information anyway (vmlinux +does not need ld.so), so fix by discarding it. + +Signed-off-by: Ilya Leoshkevich +Cc: +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/vmlinux.lds.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/s390/kernel/vmlinux.lds.S ++++ b/arch/s390/kernel/vmlinux.lds.S +@@ -227,5 +227,6 @@ SECTIONS + DISCARDS + /DISCARD/ : { + *(.eh_frame) ++ *(.interp) + } + } diff --git a/queue-5.15/s390-extmem-return-correct-segment-type-in-__segment_load.patch b/queue-5.15/s390-extmem-return-correct-segment-type-in-__segment_load.patch new file mode 100644 index 00000000000..ac526d021e2 --- /dev/null +++ b/queue-5.15/s390-extmem-return-correct-segment-type-in-__segment_load.patch @@ -0,0 +1,76 @@ +From 8c42dd78df148c90e48efff204cce38743906a79 Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer +Date: Mon, 27 Feb 2023 20:03:00 +0100 +Subject: s390/extmem: return correct segment type in __segment_load() + +From: Gerald Schaefer + +commit 8c42dd78df148c90e48efff204cce38743906a79 upstream. + +Commit f05f62d04271f ("s390/vmem: get rid of memory segment list") +reshuffled the call to vmem_add_mapping() in __segment_load(), which now +overwrites rc after it was set to contain the segment type code. + +As result, __segment_load() will now always return 0 on success, which +corresponds to the segment type code SEG_TYPE_SW, i.e. a writeable +segment. This results in a kernel crash when loading a read-only segment +as dcssblk block device, and trying to write to it. + +Instead of reshuffling code again, make sure to return the segment type +on success, and also describe this rather delicate and unexpected logic +in the function comment. Also initialize new segtype variable with +invalid value, to prevent possible future confusion. + +Fixes: f05f62d04271 ("s390/vmem: get rid of memory segment list") +Cc: # 5.9+ +Signed-off-by: Gerald Schaefer +Reviewed-by: Heiko Carstens +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/mm/extmem.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/arch/s390/mm/extmem.c ++++ b/arch/s390/mm/extmem.c +@@ -289,15 +289,17 @@ segment_overlaps_others (struct dcss_seg + + /* + * real segment loading function, called from segment_load ++ * Must return either an error code < 0, or the segment type code >= 0 + */ + static int + __segment_load (char *name, int do_nonshared, unsigned long *addr, unsigned long *end) + { + unsigned long start_addr, end_addr, dummy; + struct dcss_segment *seg; +- int rc, diag_cc; ++ int rc, diag_cc, segtype; + + start_addr = end_addr = 0; ++ segtype = -1; + seg = kmalloc(sizeof(*seg), GFP_KERNEL | GFP_DMA); + if (seg == NULL) { + rc = -ENOMEM; +@@ -326,9 +328,9 @@ __segment_load (char *name, int do_nonsh + seg->res_name[8] = '\0'; + strlcat(seg->res_name, " (DCSS)", sizeof(seg->res_name)); + seg->res->name = seg->res_name; +- rc = seg->vm_segtype; +- if (rc == SEG_TYPE_SC || +- ((rc == SEG_TYPE_SR || rc == SEG_TYPE_ER) && !do_nonshared)) ++ segtype = seg->vm_segtype; ++ if (segtype == SEG_TYPE_SC || ++ ((segtype == SEG_TYPE_SR || segtype == SEG_TYPE_ER) && !do_nonshared)) + seg->res->flags |= IORESOURCE_READONLY; + + /* Check for overlapping resources before adding the mapping. */ +@@ -386,7 +388,7 @@ __segment_load (char *name, int do_nonsh + out_free: + kfree(seg); + out: +- return rc; ++ return rc < 0 ? rc : segtype; + } + + /* diff --git a/queue-5.15/s390-kprobes-fix-current_kprobe-never-cleared-after-kprobes-reenter.patch b/queue-5.15/s390-kprobes-fix-current_kprobe-never-cleared-after-kprobes-reenter.patch new file mode 100644 index 00000000000..031d0811fe7 --- /dev/null +++ b/queue-5.15/s390-kprobes-fix-current_kprobe-never-cleared-after-kprobes-reenter.patch @@ -0,0 +1,54 @@ +From cd57953936f2213dfaccce10d20f396956222c7d Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Wed, 1 Mar 2023 17:58:06 +0100 +Subject: s390/kprobes: fix current_kprobe never cleared after kprobes reenter + +From: Vasily Gorbik + +commit cd57953936f2213dfaccce10d20f396956222c7d upstream. + +Recent test_kprobe_missed kprobes kunit test uncovers the following +problem. Once kprobe is triggered from another kprobe (kprobe reenter), +all future kprobes on this cpu are considered as kprobe reenter, thus +pre_handler and post_handler are not being called and kprobes are counted +as "missed". + +Commit b9599798f953 ("[S390] kprobes: activation and deactivation") +introduced a simpler scheme for kprobes (de)activation and status +tracking by using push_kprobe/pop_kprobe, which supposed to work for +both initial kprobe entry as well as kprobe reentry and helps to avoid +handling those two cases differently. The problem is that a sequence of +calls in case of kprobes reenter: +push_kprobe() <- NULL (current_kprobe) +push_kprobe() <- kprobe1 (current_kprobe) +pop_kprobe() -> kprobe1 (current_kprobe) +pop_kprobe() -> kprobe1 (current_kprobe) +leaves "kprobe1" as "current_kprobe" on this cpu, instead of setting it +to NULL. In fact push_kprobe/pop_kprobe can only store a single state +(there is just one prev_kprobe in kprobe_ctlblk). Which is a hack but +sufficient, there is no need to have another prev_kprobe just to store +NULL. To make a simple and backportable fix simply reset "prev_kprobe" +when kprobe is poped from this "stack". No need to worry about +"kprobe_status" in this case, because its value is only checked when +current_kprobe != NULL. + +Cc: stable@vger.kernel.org +Fixes: b9599798f953 ("[S390] kprobes: activation and deactivation") +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/kprobes.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/s390/kernel/kprobes.c ++++ b/arch/s390/kernel/kprobes.c +@@ -233,6 +233,7 @@ static void pop_kprobe(struct kprobe_ctl + { + __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp); + kcb->kprobe_status = kcb->prev_kprobe.status; ++ kcb->prev_kprobe.kp = NULL; + } + NOKPROBE_SYMBOL(pop_kprobe); + diff --git a/queue-5.15/s390-kprobes-fix-irq-mask-clobbering-on-kprobe-reenter-from-post_handler.patch b/queue-5.15/s390-kprobes-fix-irq-mask-clobbering-on-kprobe-reenter-from-post_handler.patch new file mode 100644 index 00000000000..f4ef9944226 --- /dev/null +++ b/queue-5.15/s390-kprobes-fix-irq-mask-clobbering-on-kprobe-reenter-from-post_handler.patch @@ -0,0 +1,80 @@ +From 42e19e6f04984088b6f9f0507c4c89a8152d9730 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Wed, 1 Mar 2023 02:23:08 +0100 +Subject: s390/kprobes: fix irq mask clobbering on kprobe reenter from post_handler + +From: Vasily Gorbik + +commit 42e19e6f04984088b6f9f0507c4c89a8152d9730 upstream. + +Recent test_kprobe_missed kprobes kunit test uncovers the following error +(reported when CONFIG_DEBUG_ATOMIC_SLEEP is enabled): + +BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580 +in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 662, name: kunit_try_catch +preempt_count: 0, expected: 0 +RCU nest depth: 0, expected: 0 +no locks held by kunit_try_catch/662. +irq event stamp: 280 +hardirqs last enabled at (279): [<00000003e60a3d42>] __do_pgm_check+0x17a/0x1c0 +hardirqs last disabled at (280): [<00000003e3bd774a>] kprobe_exceptions_notify+0x27a/0x318 +softirqs last enabled at (0): [<00000003e3c5c890>] copy_process+0x14a8/0x4c80 +softirqs last disabled at (0): [<0000000000000000>] 0x0 +CPU: 46 PID: 662 Comm: kunit_try_catch Tainted: G N 6.2.0-173644-g44c18d77f0c0 #2 +Hardware name: IBM 3931 A01 704 (LPAR) +Call Trace: + [<00000003e60a3a00>] dump_stack_lvl+0x120/0x198 + [<00000003e3d02e82>] __might_resched+0x60a/0x668 + [<00000003e60b9908>] __mutex_lock+0xc0/0x14e0 + [<00000003e60bad5a>] mutex_lock_nested+0x32/0x40 + [<00000003e3f7b460>] unregister_kprobe+0x30/0xd8 + [<00000003e51b2602>] test_kprobe_missed+0xf2/0x268 + [<00000003e51b5406>] kunit_try_run_case+0x10e/0x290 + [<00000003e51b7dfa>] kunit_generic_run_threadfn_adapter+0x62/0xb8 + [<00000003e3ce30f8>] kthread+0x2d0/0x398 + [<00000003e3b96afa>] __ret_from_fork+0x8a/0xe8 + [<00000003e60ccada>] ret_from_fork+0xa/0x40 + +The reason for this error report is that kprobes handling code failed +to restore irqs. + +The problem is that when kprobe is triggered from another kprobe +post_handler current sequence of enable_singlestep / disable_singlestep +is the following: +enable_singlestep <- original kprobe (saves kprobe_saved_imask) +enable_singlestep <- kprobe triggered from post_handler (clobbers kprobe_saved_imask) +disable_singlestep <- kprobe triggered from post_handler (restores kprobe_saved_imask) +disable_singlestep <- original kprobe (restores wrong clobbered kprobe_saved_imask) + +There is just one kprobe_ctlblk per cpu and both calls saves and +loads irq mask to kprobe_saved_imask. To fix the problem simply move +resume_execution (which calls disable_singlestep) before calling +post_handler. This also fixes the problem that post_handler is called +with pt_regs which were not yet adjusted after single-stepping. + +Cc: stable@vger.kernel.org +Fixes: 4ba069b802c2 ("[S390] add kprobes support.") +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/kprobes.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/s390/kernel/kprobes.c ++++ b/arch/s390/kernel/kprobes.c +@@ -394,12 +394,11 @@ static int post_kprobe_handler(struct pt + if (!p) + return 0; + ++ resume_execution(p, regs); + if (kcb->kprobe_status != KPROBE_REENTER && p->post_handler) { + kcb->kprobe_status = KPROBE_HIT_SSDONE; + p->post_handler(p, regs, 0); + } +- +- resume_execution(p, regs); + pop_kprobe(kcb); + preempt_enable_no_resched(); + diff --git a/queue-5.15/series b/queue-5.15/series index 117d947a7d1..0f76f5d3fcd 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -434,3 +434,8 @@ block-don-t-allow-multiple-bios-for-iocb_nowait-issue.patch rtc-pm8xxx-fix-set-alarm-race.patch ipmi-ssif-resend_msg-cannot-fail.patch ipmi_ssif-rename-idle-state-and-check.patch +s390-extmem-return-correct-segment-type-in-__segment_load.patch +s390-discard-.interp-section.patch +s390-kprobes-fix-irq-mask-clobbering-on-kprobe-reenter-from-post_handler.patch +s390-kprobes-fix-current_kprobe-never-cleared-after-kprobes-reenter.patch +cifs-fix-uninitialized-memory-read-in-smb3_qfs_tcon.patch