From: Sasha Levin Date: Sun, 19 Jan 2025 23:10:10 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v6.6.73~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=34068026ebc59b0d722adfa5dc325a3b51046499;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/hfs-sanity-check-the-root-record.patch b/queue-5.4/hfs-sanity-check-the-root-record.patch new file mode 100644 index 0000000000..4bca6145ca --- /dev/null +++ b/queue-5.4/hfs-sanity-check-the-root-record.patch 
@@ -0,0 +1,56 @@ +From c81bbd0d37e59fde8de0febba3086e8548296984 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2024 21:14:19 -0800 +Subject: hfs: Sanity check the root record + +From: Leo Stone + +[ Upstream commit b905bafdea21a75d75a96855edd9e0b6051eee30 ] + +In the syzbot reproducer, the hfs_cat_rec for the root dir has type +HFS_CDR_FIL after being read with hfs_bnode_read() in hfs_super_fill(). +This indicates it should be used as an hfs_cat_file, which is 102 bytes. +Only the first 70 bytes of that struct are initialized, however, +because the entrylength passed into hfs_bnode_read() is still the length of +a directory record. This causes uninitialized values to be used later on, +when the hfs_cat_rec union is treated as the larger hfs_cat_file struct. + +Add a check to make sure the retrieved record has the correct type +for the root directory (HFS_CDR_DIR), and make sure we load the correct +number of bytes for a directory record. + +Reported-by: syzbot+2db3c7526ba68f4ea776@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2db3c7526ba68f4ea776 +Tested-by: syzbot+2db3c7526ba68f4ea776@syzkaller.appspotmail.com +Tested-by: Leo Stone +Signed-off-by: Leo Stone +Link: https://lore.kernel.org/r/20241201051420.77858-1-leocstone@gmail.com +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/hfs/super.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/hfs/super.c b/fs/hfs/super.c +index bcf820ce0e02e..f82444fbbedcb 100644 +--- a/fs/hfs/super.c ++++ b/fs/hfs/super.c +@@ -419,11 +419,13 @@ static int hfs_fill_super(struct super_block *sb, void *data, int silent) + goto bail_no_root; + res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd); + if (!res) { +- if (fd.entrylength > sizeof(rec) || fd.entrylength < 0) { ++ if (fd.entrylength != sizeof(rec.dir)) { + res = -EIO; + goto bail_hfs_find; + } + hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength); ++ if 
(rec.type != HFS_CDR_DIR) ++ res = -EIO; + } + if (res) + goto bail_hfs_find; +-- +2.39.5 + diff --git a/queue-5.4/kheaders-ignore-silly-rename-files.patch b/queue-5.4/kheaders-ignore-silly-rename-files.patch new file mode 100644 index 0000000000..3bd1f1a4fb --- /dev/null +++ b/queue-5.4/kheaders-ignore-silly-rename-files.patch 
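Review bot: in the hfs_fill_super hunk, the type check `if (rec.type != HFS_CDR_DIR)` runs only after `hfs_bnode_read()` has already copied the record, which is safe here only because the new `fd.entrylength != sizeof(rec.dir)` guard bounds the copy to the directory layout; a one-line comment tying the two checks together would help future readers, since a record later treated as the larger hfs_cat_file member of `rec` is exactly what the upstream commit says was reading uninitialized bytes. The dropped `fd.entrylength < 0` test is subsumed by the strict equality (a negative value can never equal sizeof(rec.dir)), so no coverage is lost. Both failure paths return a bare -EIO; the function takes a `silent` argument, so a `!silent` diagnostic naming the corrupt root record would make the refused mount easier to triage.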
@@ -0,0 +1,60 @@ +From 355f8d95a8e389466df6de7e7a5d1858676c5f88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 13:50:01 +0000 +Subject: kheaders: Ignore silly-rename files + +From: David Howells + +[ Upstream commit 973b710b8821c3401ad7a25360c89e94b26884ac ] + +Tell tar to ignore silly-rename files (".__afs*" and ".nfs*") when building +the header archive. These occur when a file that is open is unlinked +locally, but hasn't yet been closed. Such files are visible to the user +via the getdents() syscall and so programs may want to do things with them. + +During the kernel build, such files may be made during the processing of +header files and the cleanup may get deferred by fput() which may result in +tar seeing these files when it reads the directory, but they may have +disappeared by the time it tries to open them, causing tar to fail with an +error. Further, we don't want to include them in the tarball if they still +exist. + +With CONFIG_HEADERS_INSTALL=y, something like the following may be seen: + + find: './kernel/.tmp_cpio_dir/include/dt-bindings/reset/.__afs2080': No such file or directory + tar: ./include/linux/greybus/.__afs3C95: File removed before we read it + +The find warning doesn't seem to cause a problem. + +Fix this by telling tar when called from in gen_kheaders.sh to exclude such +files. This only affects afs and nfs; cifs uses the Windows Hidden +attribute to prevent the file from being seen. 
+ +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20241213135013.2964079-2-dhowells@redhat.com +cc: Masahiro Yamada +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +cc: linux-nfs@vger.kernel.org +cc: linux-kernel@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + kernel/gen_kheaders.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/gen_kheaders.sh b/kernel/gen_kheaders.sh +index 206ab3d41ee76..7fc44d8da2052 100755 +--- a/kernel/gen_kheaders.sh ++++ b/kernel/gen_kheaders.sh +@@ -84,6 +84,7 @@ find $cpio_dir -type f -print0 | + + # Create archive and try to normalize metadata for reproducibility. + tar "${KBUILD_BUILD_TIMESTAMP:+--mtime=$KBUILD_BUILD_TIMESTAMP}" \ ++ --exclude=".__afs*" --exclude=".nfs*" \ + --owner=0 --group=0 --sort=name --numeric-owner --mode=u=rw,go=r,a+X \ + -I $XZ -cf $tarfile -C $cpio_dir/ . > /dev/null + +-- +2.39.5 + diff --git a/queue-5.4/mac802154-check-local-interfaces-before-deleting-sda.patch b/queue-5.4/mac802154-check-local-interfaces-before-deleting-sda.patch new file mode 100644 index 0000000000..571c369646 --- /dev/null +++ b/queue-5.4/mac802154-check-local-interfaces-before-deleting-sda.patch 
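Review bot: the added `--exclude=".__afs*" --exclude=".nfs*"` only fixes the tar invocation, while the `find $cpio_dir -type f -print0 |` stage visible in the hunk header still walks the same silly-rename files; the commit message says that find warning is harmless, but pruning the same two patterns in find as well would keep the build log clean for the same reason. Note also that these are unanchored tar patterns, so any header genuinely named `.nfs*` or `.__afs*` anywhere in the tree would be silently dropped from the archive; that is acceptable for kernel headers, but a short comment beside the line would record the intent.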
@@ -0,0 +1,100 @@ +From c610a15b6ec2fdf50e8afb678b87dbc7deaa5add Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2024 17:51:29 +0800 +Subject: mac802154: check local interfaces before deleting sdata list + +From: Lizhi Xu + +[ Upstream commit eb09fbeb48709fe66c0d708aed81e910a577a30a ] + +syzkaller reported a corrupted list in ieee802154_if_remove. [1] + +Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4 +hardware device from the system. + +CPU0 CPU1 +==== ==== +genl_family_rcv_msg_doit ieee802154_unregister_hw +ieee802154_del_iface ieee802154_remove_interfaces +rdev_del_virtual_intf_deprecated list_del(&sdata->list) +ieee802154_if_remove +list_del_rcu + +The net device has been unregistered, since the rcu grace period, +unregistration must be run before ieee802154_if_remove. + +To avoid this issue, add a check for local->interfaces before deleting +sdata list. + +[1] +kernel BUG at lib/list_debug.c:58! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56 +Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7 +RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246 +RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00 +RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 +RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d +R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000 +R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0 +FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 
000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __list_del_entry_valid include/linux/list.h:124 [inline] + __list_del_entry include/linux/list.h:215 [inline] + list_del_rcu include/linux/rculist.h:157 [inline] + ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687 + rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline] + ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323 + genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] + netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357 + netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901 + sock_sendmsg_nosec net/socket.c:729 [inline] + __sock_sendmsg+0x221/0x270 net/socket.c:744 + ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607 + ___sys_sendmsg net/socket.c:2661 [inline] + __sys_sendmsg+0x292/0x380 net/socket.c:2690 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Reported-and-tested-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92 +Signed-off-by: Lizhi Xu +Reviewed-by: Miquel Raynal +Link: https://lore.kernel.org/20241113095129.1457225-1-lizhi.xu@windriver.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/mac802154/iface.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c +index a08240fe68a74..22514ab060f83 100644 +--- a/net/mac802154/iface.c ++++ 
b/net/mac802154/iface.c +@@ -688,6 +688,10 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata) + ASSERT_RTNL(); + + mutex_lock(&sdata->local->iflist_mtx); ++ if (list_empty(&sdata->local->interfaces)) { ++ mutex_unlock(&sdata->local->iflist_mtx); ++ return; ++ } + list_del_rcu(&sdata->list); + mutex_unlock(&sdata->local->iflist_mtx); + +-- +2.39.5 + diff --git a/queue-5.4/nvmet-propagate-npwg-topology.patch b/queue-5.4/nvmet-propagate-npwg-topology.patch new file mode 100644 index 0000000000..b16a7efc74 --- /dev/null +++ b/queue-5.4/nvmet-propagate-npwg-topology.patch @@ -0,0 +1,39 @@ +From 7db127b011b47fcdad7042e1f44692069b315cf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 18:33:25 -0800 +Subject: nvmet: propagate npwg topology + +From: Luis Chamberlain + +[ Upstream commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 ] + +Ensure we propagate npwg to the target as well instead +of assuming its the same logical blocks per physical block. + +This ensures devices with large IUs information properly +propagated on the target. + +Signed-off-by: Luis Chamberlain +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/io-cmd-bdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c +index 32008d85172bc..40afe3d0599d5 100644 +--- a/drivers/nvme/target/io-cmd-bdev.c ++++ b/drivers/nvme/target/io-cmd-bdev.c +@@ -36,7 +36,7 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id) + */ + id->nsfeat |= 1 << 4; + /* NPWG = Namespace Preferred Write Granularity. 0's based */ +- id->npwg = lpp0b; ++ id->npwg = to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev)); + /* NPWA = Namespace Preferred Write Alignment. 0's based */ + id->npwa = id->npwg; + /* NPDG = Namespace Preferred Deallocate Granularity. 0's based */ +-- +2.39.5 + 
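Review bot: the guard `if (list_empty(&sdata->local->interfaces))` treats an empty interface list as proof that this sdata was already unlinked by ieee802154_remove_interfaces(), which covers the reported race but not a list that has been only partially drained; checking the state of `sdata->list` itself would be more precise, though that would need the removal side to use list_del_init() rather than the `list_del(&sdata->list)` the commit message shows. The early `return` also skips whatever follows the `mutex_unlock()` in ieee802154_if_remove(), which is outside the hunk; confirm that the remaining teardown in that function is not still required when the hw has already been unregistered.

Review bot: in the nvmet_bdev_set_limits hunk, `to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev))` relies on io_min being a whole multiple of the logical block size and at least one block; integer division truncates otherwise, and to0based() subtracts one, so a zero quotient would wrap rather than fail. The block layer normally keeps io_min at or above the physical block size, so a short comment stating that assumption (or a clamp to a minimum of one block) would document why no explicit check is needed. Since `id->npwa = id->npwg` follows in the unchanged context, the alignment field inherits the same value.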
diff --git a/queue-5.4/poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch b/queue-5.4/poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch new file mode 100644 index 0000000000..03affb77a6 --- /dev/null +++ b/queue-5.4/poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch 
@@ -0,0 +1,67 @@ +From c6a55e2a87a75864335ec04c2864b760cc6167a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2025 17:27:17 +0100 +Subject: poll_wait: add mb() to fix theoretical race between + waitqueue_active() and .poll() + +From: Oleg Nesterov + +[ Upstream commit cacd9ae4bf801ff4125d8961bb9a3ba955e51680 ] + +As the comment above waitqueue_active() explains, it can only be used +if both waker and waiter have mb()'s that pair with each other. However +__pollwait() is broken in this respect. + +This is not pipe-specific, but let's look at pipe_poll() for example: + + poll_wait(...); // -> __pollwait() -> add_wait_queue() + + LOAD(pipe->head); + LOAD(pipe->head); + +In theory these LOAD()'s can leak into the critical section inside +add_wait_queue() and can happen before list_add(entry, wq_head), in this +case pipe_poll() can race with wakeup_pipe_readers/writers which do + + smp_mb(); + if (waitqueue_active(wq_head)) + wake_up_interruptible(wq_head); + +There are more __pollwait()-like functions (grep init_poll_funcptr), and +it seems that at least ep_ptable_queue_proc() has the same problem, so the +patch adds smp_mb() into poll_wait(). + +Link: https://lore.kernel.org/all/20250102163320.GA17691@redhat.com/ +Signed-off-by: Oleg Nesterov +Link: https://lore.kernel.org/r/20250107162717.GA18922@redhat.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + include/linux/poll.h | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/include/linux/poll.h b/include/linux/poll.h +index 7e0fdcf905d2e..a4af5e14dffed 100644 +--- a/include/linux/poll.h ++++ b/include/linux/poll.h +@@ -43,8 +43,16 @@ typedef struct poll_table_struct { + + static inline void poll_wait(struct file * filp, wait_queue_head_t * wait_address, poll_table *p) + { +- if (p && p->_qproc && wait_address) ++ if (p && p->_qproc && wait_address) { + p->_qproc(filp, wait_address, p); ++ /* ++ * This memory barrier is paired in the wq_has_sleeper(). 
++ * See the comment above prepare_to_wait(), we need to ++ * ensure that subsequent tests in this thread can't be ++ * reordered with __add_wait_queue() in _qproc() paths. ++ */ ++ smp_mb(); ++ } + } + + /* +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index 93094437e9..73b171feb1 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -60,3 +60,8 @@ gtp-destroy-device-along-with-udp-socket-s-netns-dis.patch nfp-bpf-prevent-integer-overflow-in-nfp_bpf_event_ou.patch drm-v3d-ensure-job-pointer-is-set-to-null-after-job-.patch i2c-mux-demux-pinctrl-check-initial-mux-selection-to.patch +mac802154-check-local-interfaces-before-deleting-sda.patch +hfs-sanity-check-the-root-record.patch +kheaders-ignore-silly-rename-files.patch +poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch +nvmet-propagate-npwg-topology.patch
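Review bot: the new comment says the `smp_mb()` is paired in wq_has_sleeper(), but the commit message motivates it by callers that do `smp_mb(); if (waitqueue_active(wq_head))`; wq_has_sleeper() is the helper that bundles that barrier with waitqueue_active(), so naming both in the comment would spare readers a grep. The barrier is unconditional on every poll_wait() with a non-NULL `_qproc`, which is the simple and cheap choice; if it ever shows up in profiles, the alternative is to move it into the individual `_qproc` implementations (__pollwait(), ep_ptable_queue_proc()) the commit message names. The pre-existing `struct file * filp` pointer spacing is unchanged context and not this patch's concern.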