From: Greg Kroah-Hartman Date: Mon, 23 Dec 2024 12:27:09 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v6.1.122~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d7b5152f00a000b75a3d8a866c8775ad4485660;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: ceph-fix-memory-leaks-in-__ceph_sync_read.patch ceph-improve-error-handling-and-short-overflow-read-logic-in-__ceph_sync_read.patch ceph-validate-snapdirname-option-length-when-mounting.patch nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch nilfs2-fix-buffer-head-leaks-in-calls-to-truncate_inode_pages.patch nilfs2-prevent-use-of-deleted-inode.patch of-fix-error-path-in-of_parse_phandle_with_args_map.patch of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch of-irq-fix-interrupt-map-cell-length-check-in-of_irq_parse_imap_parent.patch of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch udmabuf-also-check-for-f_seal_future_write.patch --- diff --git a/queue-6.6/ceph-fix-memory-leaks-in-__ceph_sync_read.patch b/queue-6.6/ceph-fix-memory-leaks-in-__ceph_sync_read.patch new file mode 100644 index 00000000000..ae0cb878c4f --- /dev/null +++ b/queue-6.6/ceph-fix-memory-leaks-in-__ceph_sync_read.patch @@ -0,0 +1,60 @@ +From d6fd6f8280f0257ba93f16900a0d3d3912f32c79 Mon Sep 17 00:00:00 2001 +From: Max Kellermann +Date: Thu, 5 Dec 2024 16:49:51 +0100 +Subject: ceph: fix memory leaks in __ceph_sync_read() + +From: Max Kellermann + +commit d6fd6f8280f0257ba93f16900a0d3d3912f32c79 upstream. + +In two `break` statements, the call to ceph_release_page_vector() was +missing, leaking the allocation from ceph_alloc_page_vector(). + +Instead of adding the missing ceph_release_page_vector() calls, the +Ceph maintainers preferred to transfer page ownership to the +`ceph_osd_request` by passing `own_pages=true` to +osd_req_op_extent_osd_data_pages(). This requires postponing the +ceph_osdc_put_request() call until after the block that accesses the +`pages`. + +Cc: stable@vger.kernel.org +Fixes: 03bc06c7b0bd ("ceph: add new mount option to enable sparse reads") +Fixes: f0fe1e54cfcf ("ceph: plumb in decryption during reads") +Signed-off-by: Max Kellermann +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/file.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -1036,7 +1036,7 @@ ssize_t __ceph_sync_read(struct inode *i + + osd_req_op_extent_osd_data_pages(req, 0, pages, read_len, + offset_in_page(read_off), +- false, false); ++ false, true); + + op = &req->r_ops[0]; + if (sparse) { +@@ -1101,8 +1101,6 @@ ssize_t __ceph_sync_read(struct inode *i + ret = min_t(ssize_t, fret, len); + } + +- ceph_osdc_put_request(req); +- + /* Short read but not EOF? Zero out the remainder. */ + if (ret < len && (off + ret < i_size)) { + int zlen = min(len - ret, i_size - off - ret); +@@ -1134,7 +1132,8 @@ ssize_t __ceph_sync_read(struct inode *i + break; + } + } +- ceph_release_page_vector(pages, num_pages); ++ ++ ceph_osdc_put_request(req); + + if (off >= i_size || !more) + break; diff --git a/queue-6.6/ceph-improve-error-handling-and-short-overflow-read-logic-in-__ceph_sync_read.patch b/queue-6.6/ceph-improve-error-handling-and-short-overflow-read-logic-in-__ceph_sync_read.patch new file mode 100644 index 00000000000..e0d8ba1dc44 --- /dev/null +++ b/queue-6.6/ceph-improve-error-handling-and-short-overflow-read-logic-in-__ceph_sync_read.patch @@ -0,0 +1,115 @@ +From 9abee475803fab6ad59d4f4fc59c6a75374a7d9d Mon Sep 17 00:00:00 2001 +From: Alex Markuze +Date: Wed, 27 Nov 2024 15:34:10 +0200 +Subject: ceph: improve error handling and short/overflow-read logic in __ceph_sync_read() + +From: Alex Markuze + +commit 9abee475803fab6ad59d4f4fc59c6a75374a7d9d upstream. + +This patch refines the read logic in __ceph_sync_read() to ensure more +predictable and efficient behavior in various edge cases. + +- Return early if the requested read length is zero or if the file size + (`i_size`) is zero. +- Initialize the index variable (`idx`) where needed and reorder some + code to ensure it is always set before use. +- Improve error handling by checking for negative return values earlier. +- Remove redundant encrypted file checks after failures. Only attempt + filesystem-level decryption if the read succeeded. +- Simplify leftover calculations to correctly handle cases where the + read extends beyond the end of the file or stops short. This can be + hit by continuously reading a file while, on another client, we keep + truncating and writing new data into it. +- This resolves multiple issues caused by integer and consequent buffer + overflow (`pages` array being accessed beyond `num_pages`): + - https://tracker.ceph.com/issues/67524 + - https://tracker.ceph.com/issues/68980 + - https://tracker.ceph.com/issues/68981 + +Cc: stable@vger.kernel.org +Fixes: 1065da21e5df ("ceph: stop copying to iter at EOF on sync reads") +Reported-by: Luis Henriques (SUSE) +Signed-off-by: Alex Markuze +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/file.c | 29 ++++++++++++++--------------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -976,7 +976,7 @@ ssize_t __ceph_sync_read(struct inode *i + if (ceph_inode_is_shutdown(inode)) + return -EIO; + +- if (!len) ++ if (!len || !i_size) + return 0; + /* + * flush any page cache pages in this range. this +@@ -996,7 +996,7 @@ ssize_t __ceph_sync_read(struct inode *i + int num_pages; + size_t page_off; + bool more; +- int idx; ++ int idx = 0; + size_t left; + struct ceph_osd_req_op *op; + u64 read_off = off; +@@ -1068,7 +1068,14 @@ ssize_t __ceph_sync_read(struct inode *i + else if (ret == -ENOENT) + ret = 0; + +- if (ret > 0 && IS_ENCRYPTED(inode)) { ++ if (ret < 0) { ++ ceph_osdc_put_request(req); ++ if (ret == -EBLOCKLISTED) ++ fsc->blocklisted = true; ++ break; ++ } ++ ++ if (IS_ENCRYPTED(inode)) { + int fret; + + fret = ceph_fscrypt_decrypt_extents(inode, pages, +@@ -1097,7 +1104,7 @@ ssize_t __ceph_sync_read(struct inode *i + ceph_osdc_put_request(req); + + /* Short read but not EOF? Zero out the remainder. */ +- if (ret >= 0 && ret < len && (off + ret < i_size)) { ++ if (ret < len && (off + ret < i_size)) { + int zlen = min(len - ret, i_size - off - ret); + int zoff = page_off + ret; + +@@ -1107,13 +1114,11 @@ ssize_t __ceph_sync_read(struct inode *i + ret += zlen; + } + +- idx = 0; +- if (ret <= 0) +- left = 0; +- else if (off + ret > i_size) +- left = i_size - off; ++ if (off + ret > i_size) ++ left = (i_size > off) ? i_size - off : 0; + else + left = ret; ++ + while (left > 0) { + size_t plen, copied; + +@@ -1131,12 +1136,6 @@ ssize_t __ceph_sync_read(struct inode *i + } + ceph_release_page_vector(pages, num_pages); + +- if (ret < 0) { +- if (ret == -EBLOCKLISTED) +- fsc->blocklisted = true; +- break; +- } +- + if (off >= i_size || !more) + break; + } diff --git a/queue-6.6/ceph-validate-snapdirname-option-length-when-mounting.patch b/queue-6.6/ceph-validate-snapdirname-option-length-when-mounting.patch new file mode 100644 index 00000000000..aab2f2ee23b --- /dev/null +++ b/queue-6.6/ceph-validate-snapdirname-option-length-when-mounting.patch @@ -0,0 +1,33 @@ +From 12eb22a5a609421b380c3c6ca887474fb2089b2c Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Wed, 20 Nov 2024 16:43:51 +0100 +Subject: ceph: validate snapdirname option length when mounting + +From: Ilya Dryomov + +commit 12eb22a5a609421b380c3c6ca887474fb2089b2c upstream. + +It becomes a path component, so it shouldn't exceed NAME_MAX +characters. This was hardened in commit c152737be22b ("ceph: Use +strscpy() instead of strcpy() in __get_snap_name()"), but no actual +check was put in place. + +Cc: stable@vger.kernel.org +Signed-off-by: Ilya Dryomov +Reviewed-by: Alex Markuze +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -427,6 +427,8 @@ static int ceph_parse_mount_param(struct + + switch (token) { + case Opt_snapdirname: ++ if (strlen(param->string) > NAME_MAX) ++ return invalfc(fc, "snapdirname too long"); + kfree(fsopt->snapdir_name); + fsopt->snapdir_name = param->string; + param->string = NULL; diff --git a/queue-6.6/nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch b/queue-6.6/nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch new file mode 100644 index 00000000000..729b1eea665 --- /dev/null +++ b/queue-6.6/nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch @@ -0,0 +1,35 @@ +From 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 16 Dec 2024 19:28:06 -0500 +Subject: NFS/pnfs: Fix a live lock between recalled layouts and layoutget + +From: Trond Myklebust + +commit 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b upstream. + +When the server is recalling a layout, we should ignore the count of +outstanding layoutget calls, since the server is expected to return +either NFS4ERR_RECALLCONFLICT or NFS4ERR_RETURNCONFLICT for as long as +the recall is outstanding. +Currently, we may end up livelocking, causing the layout to eventually +be forcibly revoked. + +Fixes: bf0291dd2267 ("pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised") +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/pnfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1196,7 +1196,7 @@ pnfs_prepare_layoutreturn(struct pnfs_la + enum pnfs_iomode *iomode) + { + /* Serialise LAYOUTGET/LAYOUTRETURN */ +- if (atomic_read(&lo->plh_outstanding) != 0) ++ if (atomic_read(&lo->plh_outstanding) != 0 && lo->plh_return_seq == 0) + return false; + if (test_and_set_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) + return false; diff --git a/queue-6.6/nilfs2-fix-buffer-head-leaks-in-calls-to-truncate_inode_pages.patch b/queue-6.6/nilfs2-fix-buffer-head-leaks-in-calls-to-truncate_inode_pages.patch new file mode 100644 index 00000000000..6ef1cd0513b --- /dev/null +++ b/queue-6.6/nilfs2-fix-buffer-head-leaks-in-calls-to-truncate_inode_pages.patch @@ -0,0 +1,99 @@ +From 6309b8ce98e9a18390b9fd8f03fc412f3c17aee9 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 13 Dec 2024 01:43:28 +0900 +Subject: nilfs2: fix buffer head leaks in calls to truncate_inode_pages() + +From: Ryusuke Konishi + +commit 6309b8ce98e9a18390b9fd8f03fc412f3c17aee9 upstream. + +When block_invalidatepage was converted to block_invalidate_folio, the +fallback to block_invalidatepage in folio_invalidate() if the +address_space_operations method invalidatepage (currently +invalidate_folio) was not set, was removed. + +Unfortunately, some pseudo-inodes in nilfs2 use empty_aops set by +inode_init_always_gfp() as is, or explicitly set it to +address_space_operations. Therefore, with this change, +block_invalidatepage() is no longer called from folio_invalidate(), and as +a result, the buffer_head structures attached to these pages/folios are no +longer freed via try_to_free_buffers(). + +Thus, these buffer heads are now leaked by truncate_inode_pages(), which +cleans up the page cache from inode evict(), etc. + +Three types of caches use empty_aops: gc inode caches and the DAT shadow +inode used by GC, and b-tree node caches. Of these, b-tree node caches +explicitly call invalidate_mapping_pages() during cleanup, which involves +calling try_to_free_buffers(), so the leak was not visible during normal +operation but worsened when GC was performed. + +Fix this issue by using address_space_operations with invalidate_folio set +to block_invalidate_folio instead of empty_aops, which will ensure the +same behavior as before. + +Link: https://lkml.kernel.org/r/20241212164556.21338-1-konishi.ryusuke@gmail.com +Fixes: 7ba13abbd31e ("fs: Turn block_invalidatepage into block_invalidate_folio") +Signed-off-by: Ryusuke Konishi +Cc: [5.18+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/btnode.c | 1 + + fs/nilfs2/gcinode.c | 2 +- + fs/nilfs2/inode.c | 5 +++++ + fs/nilfs2/nilfs.h | 1 + + 4 files changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/btnode.c ++++ b/fs/nilfs2/btnode.c +@@ -35,6 +35,7 @@ void nilfs_init_btnc_inode(struct inode + ii->i_flags = 0; + memset(&ii->i_bmap_data, 0, sizeof(struct nilfs_bmap)); + mapping_set_gfp_mask(btnc_inode->i_mapping, GFP_NOFS); ++ btnc_inode->i_mapping->a_ops = &nilfs_buffer_cache_aops; + } + + void nilfs_btnode_cache_clear(struct address_space *btnc) +--- a/fs/nilfs2/gcinode.c ++++ b/fs/nilfs2/gcinode.c +@@ -163,7 +163,7 @@ int nilfs_init_gcinode(struct inode *ino + + inode->i_mode = S_IFREG; + mapping_set_gfp_mask(inode->i_mapping, GFP_NOFS); +- inode->i_mapping->a_ops = &empty_aops; ++ inode->i_mapping->a_ops = &nilfs_buffer_cache_aops; + + ii->i_flags = 0; + nilfs_bmap_init_gc(ii->i_bmap); +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -309,6 +309,10 @@ const struct address_space_operations ni + .is_partially_uptodate = block_is_partially_uptodate, + }; + ++const struct address_space_operations nilfs_buffer_cache_aops = { ++ .invalidate_folio = block_invalidate_folio, ++}; ++ + static int nilfs_insert_inode_locked(struct inode *inode, + struct nilfs_root *root, + unsigned long ino) +@@ -748,6 +752,7 @@ struct inode *nilfs_iget_for_shadow(stru + NILFS_I(s_inode)->i_flags = 0; + memset(NILFS_I(s_inode)->i_bmap, 0, sizeof(struct nilfs_bmap)); + mapping_set_gfp_mask(s_inode->i_mapping, GFP_NOFS); ++ s_inode->i_mapping->a_ops = &nilfs_buffer_cache_aops; + + err = nilfs_attach_btree_node_cache(s_inode); + if (unlikely(err)) { +--- a/fs/nilfs2/nilfs.h ++++ b/fs/nilfs2/nilfs.h +@@ -379,6 +379,7 @@ extern const struct file_operations nilf + extern const struct inode_operations nilfs_file_inode_operations; + extern const struct file_operations nilfs_file_operations; + extern const struct address_space_operations nilfs_aops; ++extern const struct address_space_operations nilfs_buffer_cache_aops; + extern const struct inode_operations nilfs_dir_inode_operations; + extern const struct inode_operations nilfs_special_inode_operations; + extern const struct inode_operations nilfs_symlink_inode_operations; diff --git a/queue-6.6/nilfs2-prevent-use-of-deleted-inode.patch b/queue-6.6/nilfs2-prevent-use-of-deleted-inode.patch new file mode 100644 index 00000000000..5b64b2dc437 --- /dev/null +++ b/queue-6.6/nilfs2-prevent-use-of-deleted-inode.patch @@ -0,0 +1,84 @@ +From 901ce9705fbb9f330ff1f19600e5daf9770b0175 Mon Sep 17 00:00:00 2001 +From: Edward Adam Davis +Date: Mon, 9 Dec 2024 15:56:52 +0900 +Subject: nilfs2: prevent use of deleted inode + +From: Edward Adam Davis + +commit 901ce9705fbb9f330ff1f19600e5daf9770b0175 upstream. + +syzbot reported a WARNING in nilfs_rmdir. [1] + +Because the inode bitmap is corrupted, an inode with an inode number that +should exist as a ".nilfs" file was reassigned by nilfs_mkdir for "file0", +causing an inode duplication during execution. And this causes an +underflow of i_nlink in rmdir operations. + +The inode is used twice by the same task to unmount and remove directories +".nilfs" and "file0", it trigger warning in nilfs_rmdir. + +Avoid to this issue, check i_nlink in nilfs_iget(), if it is 0, it means +that this inode has been deleted, and iput is executed to reclaim it. + +[1] +WARNING: CPU: 1 PID: 5824 at fs/inode.c:407 drop_nlink+0xc4/0x110 fs/inode.c:407 +... +Call Trace: + + nilfs_rmdir+0x1b0/0x250 fs/nilfs2/namei.c:342 + vfs_rmdir+0x3a3/0x510 fs/namei.c:4394 + do_rmdir+0x3b5/0x580 fs/namei.c:4453 + __do_sys_rmdir fs/namei.c:4472 [inline] + __se_sys_rmdir fs/namei.c:4470 [inline] + __x64_sys_rmdir+0x47/0x50 fs/namei.c:4470 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Link: https://lkml.kernel.org/r/20241209065759.6781-1-konishi.ryusuke@gmail.com +Fixes: d25006523d0b ("nilfs2: pathname operations") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=9260555647a5132edd48 +Tested-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/inode.c | 8 +++++++- + fs/nilfs2/namei.c | 5 +++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -618,8 +618,14 @@ struct inode *nilfs_iget(struct super_bl + inode = nilfs_iget_locked(sb, root, ino); + if (unlikely(!inode)) + return ERR_PTR(-ENOMEM); +- if (!(inode->i_state & I_NEW)) ++ ++ if (!(inode->i_state & I_NEW)) { ++ if (!inode->i_nlink) { ++ iput(inode); ++ return ERR_PTR(-ESTALE); ++ } + return inode; ++ } + + err = __nilfs_read_inode(sb, root, ino, inode); + if (unlikely(err)) { +--- a/fs/nilfs2/namei.c ++++ b/fs/nilfs2/namei.c +@@ -67,6 +67,11 @@ nilfs_lookup(struct inode *dir, struct d + inode = NULL; + } else { + inode = nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino); ++ if (inode == ERR_PTR(-ESTALE)) { ++ nilfs_error(dir->i_sb, ++ "deleted inode referenced: %lu", ino); ++ return ERR_PTR(-EIO); ++ } + } + + return d_splice_alias(inode, dentry); diff --git a/queue-6.6/of-fix-error-path-in-of_parse_phandle_with_args_map.patch b/queue-6.6/of-fix-error-path-in-of_parse_phandle_with_args_map.patch new file mode 100644 index 00000000000..d80a5f3b178 --- /dev/null +++ b/queue-6.6/of-fix-error-path-in-of_parse_phandle_with_args_map.patch @@ -0,0 +1,72 @@ +From d7dfa7fde63dde4d2ec0083133efe2c6686c03ff Mon Sep 17 00:00:00 2001 +From: Herve Codina +Date: Mon, 2 Dec 2024 17:58:19 +0100 +Subject: of: Fix error path in of_parse_phandle_with_args_map() + +From: Herve Codina + +commit d7dfa7fde63dde4d2ec0083133efe2c6686c03ff upstream. + +The current code uses some 'goto put;' to cancel the parsing operation +and can lead to a return code value of 0 even on error cases. + +Indeed, some goto calls are done from a loop without setting the ret +value explicitly before the goto call and so the ret value can be set to +0 due to operation done in previous loop iteration. For instance match +can be set to 0 in the previous loop iteration (leading to a new +iteration) but ret can also be set to 0 it the of_property_read_u32() +call succeed. In that case if no match are found or if an error is +detected the new iteration, the return value can be wrongly 0. + +Avoid those cases setting the ret value explicitly before the goto +calls. + +Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node") +Cc: stable@vger.kernel.org +Signed-off-by: Herve Codina +Link: https://lore.kernel.org/r/20241202165819.158681-1-herve.codina@bootlin.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/base.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -1415,8 +1415,10 @@ int of_parse_phandle_with_args_map(const + map_len--; + + /* Check if not found */ +- if (!new) ++ if (!new) { ++ ret = -EINVAL; + goto put; ++ } + + if (!of_device_is_available(new)) + match = 0; +@@ -1426,17 +1428,20 @@ int of_parse_phandle_with_args_map(const + goto put; + + /* Check for malformed properties */ +- if (WARN_ON(new_size > MAX_PHANDLE_ARGS)) +- goto put; +- if (map_len < new_size) ++ if (WARN_ON(new_size > MAX_PHANDLE_ARGS) || ++ map_len < new_size) { ++ ret = -EINVAL; + goto put; ++ } + + /* Move forward by new node's #-cells amount */ + map += new_size; + map_len -= new_size; + } +- if (!match) ++ if (!match) { ++ ret = -ENOENT; + goto put; ++ } + + /* Get the -map-pass-thru property (optional) */ + pass = of_get_property(cur, pass_name, NULL); diff --git a/queue-6.6/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch b/queue-6.6/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch new file mode 100644 index 00000000000..6b634376775 --- /dev/null +++ b/queue-6.6/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch @@ -0,0 +1,36 @@ +From 5d009e024056ded20c5bb1583146b833b23bbd5a Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Fri, 6 Dec 2024 08:52:30 +0800 +Subject: of: Fix refcount leakage for OF node returned by __of_get_dma_parent() + +From: Zijun Hu + +commit 5d009e024056ded20c5bb1583146b833b23bbd5a upstream. + +__of_get_dma_parent() returns OF device node @args.np, but the node's +refcount is increased twice, by both of_parse_phandle_with_args() and +of_node_get(), so causes refcount leakage for the node. + +Fix by directly returning the node got by of_parse_phandle_with_args(). + +Fixes: f83a6e5dea6c ("of: address: Add support for the parent DMA bus") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20241206-of_core_fix-v1-4-dc28ed56bec3@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/address.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/of/address.c ++++ b/drivers/of/address.c +@@ -653,7 +653,7 @@ struct device_node *__of_get_dma_parent( + if (ret < 0) + return of_get_parent(np); + +- return of_node_get(args.np); ++ return args.np; + } + #endif + diff --git a/queue-6.6/of-irq-fix-interrupt-map-cell-length-check-in-of_irq_parse_imap_parent.patch b/queue-6.6/of-irq-fix-interrupt-map-cell-length-check-in-of_irq_parse_imap_parent.patch new file mode 100644 index 00000000000..ea8f8b54287 --- /dev/null +++ b/queue-6.6/of-irq-fix-interrupt-map-cell-length-check-in-of_irq_parse_imap_parent.patch @@ -0,0 +1,37 @@ +From fec3edc47d5cfc2dd296a5141df887bf567944db Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Mon, 9 Dec 2024 21:24:59 +0800 +Subject: of/irq: Fix interrupt-map cell length check in of_irq_parse_imap_parent() + +From: Zijun Hu + +commit fec3edc47d5cfc2dd296a5141df887bf567944db upstream. + +On a malformed interrupt-map property which is shorter than expected by +1 cell, we may read bogus data past the end of the property instead of +returning an error in of_irq_parse_imap_parent(). + +Decrement the remaining length when skipping over the interrupt parent +phandle cell. + +Fixes: 935df1bd40d4 ("of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-1-782f1419c8a1@quicinc.com +[rh: reword commit msg] +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -111,6 +111,7 @@ const __be32 *of_irq_parse_imap_parent(c + else + np = of_find_node_by_phandle(be32_to_cpup(imap)); + imap++; ++ len--; + + /* Check if not found */ + if (!np) { diff --git a/queue-6.6/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch b/queue-6.6/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch new file mode 100644 index 00000000000..f22d0de00ff --- /dev/null +++ b/queue-6.6/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch @@ -0,0 +1,47 @@ +From 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Mon, 9 Dec 2024 21:25:02 +0800 +Subject: of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one() + +From: Zijun Hu + +commit 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e upstream. + +of_irq_parse_one() may use uninitialized variable @addr_len as shown below: + +// @addr_len is uninitialized +int addr_len; + +// This operation does not touch @addr_len if it fails. +addr = of_get_property(device, "reg", &addr_len); + +// Use uninitialized @addr_len if the operation fails. +if (addr_len > sizeof(addr_buf)) + addr_len = sizeof(addr_buf); + +// Check the operation result here. +if (addr) + memcpy(addr_buf, addr, addr_len); + +Fix by initializing @addr_len before the operation. + +Fixes: b739dffa5d57 ("of/irq: Prevent device address out-of-bounds read in interrupt map walk") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-4-782f1419c8a1@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -355,6 +355,7 @@ int of_irq_parse_one(struct device_node + return of_irq_parse_oldworld(device, index, out_irq); + + /* Get the reg property (if any) */ ++ addr_len = 0; + addr = of_get_property(device, "reg", &addr_len); + + /* Prevent out-of-bounds read in case of longer interrupt parent address size */ diff --git a/queue-6.6/series b/queue-6.6/series index d6bc2b86e54..ba9acb183d3 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -96,3 +96,14 @@ selftests-memfd-run-sysctl-tests-when-pid-namespace-support-is-enabled.patch selftests-bpf-use-asm-constraint-m-for-loongarch.patch io_uring-fix-registered-ring-file-refcount-leak.patch io_uring-check-if-iowq-is-killed-before-queuing.patch +nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch +of-irq-fix-interrupt-map-cell-length-check-in-of_irq_parse_imap_parent.patch +of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch +nilfs2-fix-buffer-head-leaks-in-calls-to-truncate_inode_pages.patch +nilfs2-prevent-use-of-deleted-inode.patch +udmabuf-also-check-for-f_seal_future_write.patch +of-fix-error-path-in-of_parse_phandle_with_args_map.patch +of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch +ceph-validate-snapdirname-option-length-when-mounting.patch +ceph-improve-error-handling-and-short-overflow-read-logic-in-__ceph_sync_read.patch +ceph-fix-memory-leaks-in-__ceph_sync_read.patch diff --git a/queue-6.6/udmabuf-also-check-for-f_seal_future_write.patch b/queue-6.6/udmabuf-also-check-for-f_seal_future_write.patch new file mode 100644 index 00000000000..d8d9bdfcce6 --- /dev/null +++ b/queue-6.6/udmabuf-also-check-for-f_seal_future_write.patch @@ -0,0 +1,36 @@ +From 0a16e24e34f28210f68195259456c73462518597 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 4 Dec 2024 17:26:20 +0100 +Subject: udmabuf: also check for F_SEAL_FUTURE_WRITE + +From: Jann Horn + +commit 0a16e24e34f28210f68195259456c73462518597 upstream. + +When F_SEAL_FUTURE_WRITE was introduced, it was overlooked that udmabuf +must reject memfds with this flag, just like ones with F_SEAL_WRITE. +Fix it by adding F_SEAL_FUTURE_WRITE to SEALS_DENIED. + +Fixes: ab3948f58ff8 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd") +Cc: stable@vger.kernel.org +Acked-by: Vivek Kasireddy +Signed-off-by: Jann Horn +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Vivek Kasireddy +Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-2-23887289de1c@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/udmabuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma-buf/udmabuf.c ++++ b/drivers/dma-buf/udmabuf.c +@@ -194,7 +194,7 @@ static const struct dma_buf_ops udmabuf_ + }; + + #define SEALS_WANTED (F_SEAL_SHRINK) +-#define SEALS_DENIED (F_SEAL_WRITE) ++#define SEALS_DENIED (F_SEAL_WRITE|F_SEAL_FUTURE_WRITE) + + static long udmabuf_create(struct miscdevice *device, + struct udmabuf_create_list *head,