From: Greg Kroah-Hartman Date: Mon, 20 Jun 2022 09:54:17 +0000 (+0200) Subject: 5.18-stable patches X-Git-Tag: v5.4.200~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=46cfb0650932342c7ae765a582f7d9773369691a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.18-stable patches added patches: audit-free-module-name.patch cfi-fix-__cfi_slowpath_diag-rcu-usage-with-cpuidle.patch dm-fix-race-in-dm_start_io_acct.patch dm-mirror-log-round-up-region-bitmap-size-to-bits_per_long.patch drm-amd-display-cap-oled-brightness-per-max-frame-average-luminance.patch drm-amdgpu-fix-gtt-size-reporting-in-amdgpu_ioctl.patch ext4-add-reserved-gdt-blocks-check.patch ext4-fix-bug_on-ext4_mb_use_inode_pa.patch ext4-fix-super-block-checksum-incorrect-after-mount.patch ext4-make-variable-count-signed.patch fs-account-for-group-membership.patch kvm-arm64-always-start-with-clearing-sve-flag-on-load.patch kvm-arm64-don-t-read-a-hw-interrupt-pending-state-in-user-context.patch selinux-free-contexts-previously-transferred-in-selinux_add_opt.patch --- diff --git a/queue-5.18/audit-free-module-name.patch b/queue-5.18/audit-free-module-name.patch new file mode 100644 index 00000000000..cf1c19be9e1 --- /dev/null +++ b/queue-5.18/audit-free-module-name.patch @@ -0,0 +1,50 @@ +From ef79c396c664be99d0c5660dc75fe863c1e20315 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Wed, 15 Jun 2022 17:44:31 +0200 +Subject: audit: free module name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian Göttsche + +commit ef79c396c664be99d0c5660dc75fe863c1e20315 upstream. + +Reset the type of the record last as the helper `audit_free_module()` +depends on it. + + unreferenced object 0xffff888153b707f0 (size 16): + comm "modprobe", pid 1319, jiffies 4295110033 (age 1083.016s) + hex dump (first 16 bytes): + 62 69 6e 66 6d 74 5f 6d 69 73 63 00 6b 6b 6b a5 binfmt_misc.kkk. + backtrace: + [] kstrdup+0x2b/0x50 + [] __audit_log_kern_module+0x4d/0xf0 + [] load_module+0x9d4/0x2e10 + [] __do_sys_finit_module+0x114/0x1b0 + [] do_syscall_64+0x34/0x80 + [] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Cc: stable@vger.kernel.org +Fixes: 12c5e81d3fd0 ("audit: prepare audit_context for use in calling contexts beyond syscalls") +Signed-off-by: Christian Göttsche +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + kernel/auditsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -1014,10 +1014,10 @@ static void audit_reset_context(struct a + ctx->target_comm[0] = '\0'; + unroll_tree_refs(ctx, NULL, 0); + WARN_ON(!list_empty(&ctx->killed_trees)); +- ctx->type = 0; + audit_free_module(ctx); + ctx->fds[0] = -1; + audit_proctitle_free(ctx); ++ ctx->type = 0; /* reset last for audit_free_*() */ + } + + static inline struct audit_context *audit_alloc_context(enum audit_state state) diff --git a/queue-5.18/cfi-fix-__cfi_slowpath_diag-rcu-usage-with-cpuidle.patch b/queue-5.18/cfi-fix-__cfi_slowpath_diag-rcu-usage-with-cpuidle.patch new file mode 100644 index 00000000000..385beef6dae --- /dev/null +++ b/queue-5.18/cfi-fix-__cfi_slowpath_diag-rcu-usage-with-cpuidle.patch @@ -0,0 +1,76 @@ +From 57cd6d157eb479f0a8e820fd36b7240845c8a937 Mon Sep 17 00:00:00 2001 +From: Sami Tolvanen +Date: Tue, 31 May 2022 10:59:10 -0700 +Subject: cfi: Fix __cfi_slowpath_diag RCU usage with cpuidle + +From: Sami Tolvanen + +commit 57cd6d157eb479f0a8e820fd36b7240845c8a937 upstream. + +RCU_NONIDLE usage during __cfi_slowpath_diag can result in an invalid +RCU state in the cpuidle code path: + + WARNING: CPU: 1 PID: 0 at kernel/rcu/tree.c:613 rcu_eqs_enter+0xe4/0x138 + ... + Call trace: + rcu_eqs_enter+0xe4/0x138 + rcu_idle_enter+0xa8/0x100 + cpuidle_enter_state+0x154/0x3a8 + cpuidle_enter+0x3c/0x58 + do_idle.llvm.6590768638138871020+0x1f4/0x2ec + cpu_startup_entry+0x28/0x2c + secondary_start_kernel+0x1b8/0x220 + __secondary_switched+0x94/0x98 + +Instead, call rcu_irq_enter/exit to wake up RCU only when needed and +disable interrupts for the entire CFI shadow/module check when we do. + +Signed-off-by: Sami Tolvanen +Link: https://lore.kernel.org/r/20220531175910.890307-1-samitolvanen@google.com +Fixes: cf68fffb66d6 ("add support for Clang CFI") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cfi.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +--- a/kernel/cfi.c ++++ b/kernel/cfi.c +@@ -281,6 +281,8 @@ static inline cfi_check_fn find_module_c + static inline cfi_check_fn find_check_fn(unsigned long ptr) + { + cfi_check_fn fn = NULL; ++ unsigned long flags; ++ bool rcu_idle; + + if (is_kernel_text(ptr)) + return __cfi_check; +@@ -290,13 +292,21 @@ static inline cfi_check_fn find_check_fn + * the shadow and __module_address use RCU, so we need to wake it + * up if necessary. + */ +- RCU_NONIDLE({ +- if (IS_ENABLED(CONFIG_CFI_CLANG_SHADOW)) +- fn = find_shadow_check_fn(ptr); ++ rcu_idle = !rcu_is_watching(); ++ if (rcu_idle) { ++ local_irq_save(flags); ++ rcu_irq_enter(); ++ } + +- if (!fn) +- fn = find_module_check_fn(ptr); +- }); ++ if (IS_ENABLED(CONFIG_CFI_CLANG_SHADOW)) ++ fn = find_shadow_check_fn(ptr); ++ if (!fn) ++ fn = find_module_check_fn(ptr); ++ ++ if (rcu_idle) { ++ rcu_irq_exit(); ++ local_irq_restore(flags); ++ } + + return fn; + } diff --git a/queue-5.18/dm-fix-race-in-dm_start_io_acct.patch b/queue-5.18/dm-fix-race-in-dm_start_io_acct.patch new file mode 100644 index 00000000000..f8a31284b83 --- /dev/null +++ b/queue-5.18/dm-fix-race-in-dm_start_io_acct.patch @@ -0,0 +1,38 @@ +From 10eb3a0d517fcc83eeea4242c149461205675eb4 Mon Sep 17 00:00:00 2001 +From: Benjamin Marzinski +Date: Tue, 14 Jun 2022 11:10:28 -0500 +Subject: dm: fix race in dm_start_io_acct + +From: Benjamin Marzinski + +commit 10eb3a0d517fcc83eeea4242c149461205675eb4 upstream. + +After commit 82f6cdcc3676c ("dm: switch dm_io booleans over to proper +flags") dm_start_io_acct stopped atomically checking and setting +was_accounted, which turned into the DM_IO_ACCOUNTED flag. This opened +the possibility for a race where IO accounting is started twice for +duplicate bios. To remove the race, check the flag while holding the +io->lock. + +Fixes: 82f6cdcc3676c ("dm: switch dm_io booleans over to proper flags") +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Marzinski +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -551,6 +551,10 @@ static void dm_start_io_acct(struct dm_i + return; + /* Can afford locking given DM_TIO_IS_DUPLICATE_BIO */ + spin_lock_irqsave(&io->lock, flags); ++ if (dm_io_flagged(io, DM_IO_ACCOUNTED)) { ++ spin_unlock_irqrestore(&io->lock, flags); ++ return; ++ } + dm_io_set_flag(io, DM_IO_ACCOUNTED); + spin_unlock_irqrestore(&io->lock, flags); + } diff --git a/queue-5.18/dm-mirror-log-round-up-region-bitmap-size-to-bits_per_long.patch b/queue-5.18/dm-mirror-log-round-up-region-bitmap-size-to-bits_per_long.patch new file mode 100644 index 00000000000..a9552a7bd19 --- /dev/null +++ b/queue-5.18/dm-mirror-log-round-up-region-bitmap-size-to-bits_per_long.patch @@ -0,0 +1,39 @@ +From 85e123c27d5cbc22cfdc01de1e2ca1d9003a02d0 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Thu, 16 Jun 2022 13:28:57 -0400 +Subject: dm mirror log: round up region bitmap size to BITS_PER_LONG + +From: Mikulas Patocka + +commit 85e123c27d5cbc22cfdc01de1e2ca1d9003a02d0 upstream. + +The code in dm-log rounds up bitset_size to 32 bits. It then uses +find_next_zero_bit_le on the allocated region. find_next_zero_bit_le +accesses the bitmap using unsigned long pointers. So, on 64-bit +architectures, it may access 4 bytes beyond the allocated size. + +Fix this bug by rounding up bitset_size to BITS_PER_LONG. + +This bug was found by running the lvm2 testsuite with kasan. + +Fixes: 29121bd0b00e ("[PATCH] dm mirror log: bitset_size fix") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-log.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/md/dm-log.c ++++ b/drivers/md/dm-log.c +@@ -415,8 +415,7 @@ static int create_log_context(struct dm_ + /* + * Work out how many "unsigned long"s we need to hold the bitset. + */ +- bitset_size = dm_round_up(region_count, +- sizeof(*lc->clean_bits) << BYTE_SHIFT); ++ bitset_size = dm_round_up(region_count, BITS_PER_LONG); + bitset_size >>= BYTE_SHIFT; + + lc->bitset_uint32_count = bitset_size / sizeof(*lc->clean_bits); diff --git a/queue-5.18/drm-amd-display-cap-oled-brightness-per-max-frame-average-luminance.patch b/queue-5.18/drm-amd-display-cap-oled-brightness-per-max-frame-average-luminance.patch new file mode 100644 index 00000000000..9353986b284 --- /dev/null +++ b/queue-5.18/drm-amd-display-cap-oled-brightness-per-max-frame-average-luminance.patch @@ -0,0 +1,63 @@ +From 4fd17f2ac0aa4e48823ac2ede5b050fb70300bf4 Mon Sep 17 00:00:00 2001 +From: Roman Li +Date: Thu, 19 May 2022 14:41:16 -0400 +Subject: drm/amd/display: Cap OLED brightness per max frame-average luminance + +From: Roman Li + +commit 4fd17f2ac0aa4e48823ac2ede5b050fb70300bf4 upstream. + +[Why] +For OLED eDP the Display Manager uses max_cll value as a limit +for brightness control. +max_cll defines the content light luminance for individual pixel. +Whereas max_fall defines frame-average level luminance. +The user may not observe the difference in brightness in between +max_fall and max_cll. +That negatively impacts the user experience. + +[How] +Use max_fall value instead of max_cll as a limit for brightness control. + +Reviewed-by: Rodrigo Siqueira +Acked-by: Hamza Mahfooz +Signed-off-by: Roman Li +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2835,7 +2835,7 @@ static struct drm_mode_config_helper_fun + + static void update_connector_ext_caps(struct amdgpu_dm_connector *aconnector) + { +- u32 max_cll, min_cll, max, min, q, r; ++ u32 max_avg, min_cll, max, min, q, r; + struct amdgpu_dm_backlight_caps *caps; + struct amdgpu_display_manager *dm; + struct drm_connector *conn_base; +@@ -2865,7 +2865,7 @@ static void update_connector_ext_caps(st + caps = &dm->backlight_caps[i]; + caps->ext_caps = &aconnector->dc_link->dpcd_sink_ext_caps; + caps->aux_support = false; +- max_cll = conn_base->hdr_sink_metadata.hdmi_type1.max_cll; ++ max_avg = conn_base->hdr_sink_metadata.hdmi_type1.max_fall; + min_cll = conn_base->hdr_sink_metadata.hdmi_type1.min_cll; + + if (caps->ext_caps->bits.oled == 1 /*|| +@@ -2893,8 +2893,8 @@ static void update_connector_ext_caps(st + * The results of the above expressions can be verified at + * pre_computed_values. + */ +- q = max_cll >> 5; +- r = max_cll % 32; ++ q = max_avg >> 5; ++ r = max_avg % 32; + max = (1 << q) * pre_computed_values[r]; + + // min luminance: maxLum * (CV/255)^2 / 100 diff --git a/queue-5.18/drm-amdgpu-fix-gtt-size-reporting-in-amdgpu_ioctl.patch b/queue-5.18/drm-amdgpu-fix-gtt-size-reporting-in-amdgpu_ioctl.patch new file mode 100644 index 00000000000..a2a25cefe16 --- /dev/null +++ b/queue-5.18/drm-amdgpu-fix-gtt-size-reporting-in-amdgpu_ioctl.patch @@ -0,0 +1,48 @@ +From c904e3acbab3fd97649cd4ab1ff7f1521ad3a255 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michel=20D=C3=A4nzer?= +Date: Fri, 10 Jun 2022 15:54:26 +0200 +Subject: drm/amdgpu: Fix GTT size reporting in amdgpu_ioctl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michel Dänzer + +commit c904e3acbab3fd97649cd4ab1ff7f1521ad3a255 upstream. + +The commit below changed the TTM manager size unit from pages to +bytes, but failed to adjust the corresponding calculations in +amdgpu_ioctl. + +Fixes: dfa714b88eb0 ("drm/amdgpu: remove GTT accounting v2") +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1930 +Bug: https://gitlab.freedesktop.org/mesa/mesa/-/issues/6642 +Tested-by: Martin Roukala +Tested-by: Mike Lothian +Reviewed-by: Christian König +Signed-off-by: Michel Dänzer +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 5.18.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -634,7 +634,6 @@ int amdgpu_info_ioctl(struct drm_device + atomic64_read(&adev->visible_pin_size), + vram_gtt.vram_size); + vram_gtt.gtt_size = ttm_manager_type(&adev->mman.bdev, TTM_PL_TT)->size; +- vram_gtt.gtt_size *= PAGE_SIZE; + vram_gtt.gtt_size -= atomic64_read(&adev->gart_pin_size); + return copy_to_user(out, &vram_gtt, + min((size_t)size, sizeof(vram_gtt))) ? -EFAULT : 0; +@@ -667,7 +666,6 @@ int amdgpu_info_ioctl(struct drm_device + mem.cpu_accessible_vram.usable_heap_size * 3 / 4; + + mem.gtt.total_heap_size = gtt_man->size; +- mem.gtt.total_heap_size *= PAGE_SIZE; + mem.gtt.usable_heap_size = mem.gtt.total_heap_size - + atomic64_read(&adev->gart_pin_size); + mem.gtt.heap_usage = ttm_resource_manager_usage(gtt_man); diff --git a/queue-5.18/ext4-add-reserved-gdt-blocks-check.patch b/queue-5.18/ext4-add-reserved-gdt-blocks-check.patch new file mode 100644 index 00000000000..6e49e526133 --- /dev/null +++ b/queue-5.18/ext4-add-reserved-gdt-blocks-check.patch @@ -0,0 +1,74 @@ +From b55c3cd102a6f48b90e61c44f7f3dda8c290c694 Mon Sep 17 00:00:00 2001 +From: Zhang Yi +Date: Wed, 1 Jun 2022 17:27:17 +0800 +Subject: ext4: add reserved GDT blocks check + +From: Zhang Yi + +commit b55c3cd102a6f48b90e61c44f7f3dda8c290c694 upstream. + +We capture a NULL pointer issue when resizing a corrupt ext4 image which +is freshly clear resize_inode feature (not run e2fsck). It could be +simply reproduced by following steps. The problem is because of the +resize_inode feature was cleared, and it will convert the filesystem to +meta_bg mode in ext4_resize_fs(), but the es->s_reserved_gdt_blocks was +not reduced to zero, so could we mistakenly call reserve_backup_gdb() +and passing an uninitialized resize_inode to it when adding new group +descriptors. + + mkfs.ext4 /dev/sda 3G + tune2fs -O ^resize_inode /dev/sda #forget to run requested e2fsck + mount /dev/sda /mnt + resize2fs /dev/sda 8G + + ======== + BUG: kernel NULL pointer dereference, address: 0000000000000028 + CPU: 19 PID: 3243 Comm: resize2fs Not tainted 5.18.0-rc7-00001-gfde086c5ebfd #748 + ... + RIP: 0010:ext4_flex_group_add+0xe08/0x2570 + ... + Call Trace: + + ext4_resize_fs+0xbec/0x1660 + __ext4_ioctl+0x1749/0x24e0 + ext4_ioctl+0x12/0x20 + __x64_sys_ioctl+0xa6/0x110 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f2dd739617b + ======== + +The fix is simple, add a check in ext4_resize_begin() to make sure that +the es->s_reserved_gdt_blocks is zero when the resize_inode feature is +disabled. + +Cc: stable@kernel.org +Signed-off-by: Zhang Yi +Reviewed-by: Ritesh Harjani +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20220601092717.763694-1-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/resize.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -54,6 +54,16 @@ int ext4_resize_begin(struct super_block + return -EPERM; + + /* ++ * If the reserved GDT blocks is non-zero, the resize_inode feature ++ * should always be set. ++ */ ++ if (EXT4_SB(sb)->s_es->s_reserved_gdt_blocks && ++ !ext4_has_feature_resize_inode(sb)) { ++ ext4_error(sb, "resize_inode disabled but reserved GDT blocks non-zero"); ++ return -EFSCORRUPTED; ++ } ++ ++ /* + * If we are not using the primary superblock/GDT copy don't resize, + * because the user tools have no way of handling this. Probably a + * bad time to do it anyways. diff --git a/queue-5.18/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch b/queue-5.18/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch new file mode 100644 index 00000000000..a29120182af --- /dev/null +++ b/queue-5.18/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch @@ -0,0 +1,97 @@ +From a08f789d2ab5242c07e716baf9a835725046be89 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Sat, 28 May 2022 19:00:15 +0800 +Subject: ext4: fix bug_on ext4_mb_use_inode_pa + +From: Baokun Li + +commit a08f789d2ab5242c07e716baf9a835725046be89 upstream. + +Hulk Robot reported a BUG_ON: +================================================================== +kernel BUG at fs/ext4/mballoc.c:3211! +[...] +RIP: 0010:ext4_mb_mark_diskspace_used.cold+0x85/0x136f +[...] +Call Trace: + ext4_mb_new_blocks+0x9df/0x5d30 + ext4_ext_map_blocks+0x1803/0x4d80 + ext4_map_blocks+0x3a4/0x1a10 + ext4_writepages+0x126d/0x2c30 + do_writepages+0x7f/0x1b0 + __filemap_fdatawrite_range+0x285/0x3b0 + file_write_and_wait_range+0xb1/0x140 + ext4_sync_file+0x1aa/0xca0 + vfs_fsync_range+0xfb/0x260 + do_fsync+0x48/0xa0 +[...] +================================================================== + +Above issue may happen as follows: +------------------------------------- +do_fsync + vfs_fsync_range + ext4_sync_file + file_write_and_wait_range + __filemap_fdatawrite_range + do_writepages + ext4_writepages + mpage_map_and_submit_extent + mpage_map_one_extent + ext4_map_blocks + ext4_mb_new_blocks + ext4_mb_normalize_request + >>> start + size <= ac->ac_o_ex.fe_logical + ext4_mb_regular_allocator + ext4_mb_simple_scan_group + ext4_mb_use_best_found + ext4_mb_new_preallocation + ext4_mb_new_inode_pa + ext4_mb_use_inode_pa + >>> set ac->ac_b_ex.fe_len <= 0 + ext4_mb_mark_diskspace_used + >>> BUG_ON(ac->ac_b_ex.fe_len <= 0); + +we can easily reproduce this problem with the following commands: + `fallocate -l100M disk` + `mkfs.ext4 -b 1024 -g 256 disk` + `mount disk /mnt` + `fsstress -d /mnt -l 0 -n 1000 -p 1` + +The size must be smaller than or equal to EXT4_BLOCKS_PER_GROUP. +Therefore, "start + size <= ac->ac_o_ex.fe_logical" may occur +when the size is truncated. So start should be the start position of +the group where ac_o_ex.fe_logical is located after alignment. +In addition, when the value of fe_logical or EXT4_BLOCKS_PER_GROUP +is very large, the value calculated by start_off is more accurate. + +Cc: stable@kernel.org +Fixes: cd648b8a8fd5 ("ext4: trim allocation requests to group size") +Reported-by: Hulk Robot +Signed-off-by: Baokun Li +Reviewed-by: Ritesh Harjani +Link: https://lore.kernel.org/r/20220528110017.354175-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4107,6 +4107,15 @@ ext4_mb_normalize_request(struct ext4_al + size = size >> bsbits; + start = start_off >> bsbits; + ++ /* ++ * For tiny groups (smaller than 8MB) the chosen allocation ++ * alignment may be larger than group size. Make sure the ++ * alignment does not move allocation to a different group which ++ * makes mballoc fail assertions later. ++ */ ++ start = max(start, rounddown(ac->ac_o_ex.fe_logical, ++ (ext4_lblk_t)EXT4_BLOCKS_PER_GROUP(ac->ac_sb))); ++ + /* don't cover already allocated blocks in selected range */ + if (ar->pleft && start <= ar->lleft) { + size -= ar->lleft + 1 - start; diff --git a/queue-5.18/ext4-fix-super-block-checksum-incorrect-after-mount.patch b/queue-5.18/ext4-fix-super-block-checksum-incorrect-after-mount.patch new file mode 100644 index 00000000000..3ec7a2fab7b --- /dev/null +++ b/queue-5.18/ext4-fix-super-block-checksum-incorrect-after-mount.patch @@ -0,0 +1,73 @@ +From 9b6641dd95a0c441b277dd72ba22fed8d61f76ad Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Wed, 25 May 2022 09:29:04 +0800 +Subject: ext4: fix super block checksum incorrect after mount +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ye Bin + +commit 9b6641dd95a0c441b277dd72ba22fed8d61f76ad upstream. + +We got issue as follows: +[home]# mount /dev/sda test +EXT4-fs (sda): warning: mounting fs with errors, running e2fsck is recommended +[home]# dmesg +EXT4-fs (sda): warning: mounting fs with errors, running e2fsck is recommended +EXT4-fs (sda): Errors on filesystem, clearing orphan list. +EXT4-fs (sda): recovery complete +EXT4-fs (sda): mounted filesystem with ordered data mode. Quota mode: none. +[home]# debugfs /dev/sda +debugfs 1.46.5 (30-Dec-2021) +Checksum errors in superblock! Retrying... + +Reason is ext4_orphan_cleanup will reset ‘s_last_orphan’ but not update +super block checksum. + +To solve above issue, defer update super block checksum after +ext4_orphan_cleanup. + +Signed-off-by: Ye Bin +Cc: stable@kernel.org +Reviewed-by: Jan Kara +Reviewed-by: Ritesh Harjani +Link: https://lore.kernel.org/r/20220525012904.1604737-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5422,14 +5422,6 @@ no_journal: + err = percpu_counter_init(&sbi->s_freeinodes_counter, freei, + GFP_KERNEL); + } +- /* +- * Update the checksum after updating free space/inode +- * counters. Otherwise the superblock can have an incorrect +- * checksum in the buffer cache until it is written out and +- * e2fsprogs programs trying to open a file system immediately +- * after it is mounted can fail. +- */ +- ext4_superblock_csum_set(sb); + if (!err) + err = percpu_counter_init(&sbi->s_dirs_counter, + ext4_count_dirs(sb), GFP_KERNEL); +@@ -5487,6 +5479,14 @@ no_journal: + EXT4_SB(sb)->s_mount_state |= EXT4_ORPHAN_FS; + ext4_orphan_cleanup(sb, es); + EXT4_SB(sb)->s_mount_state &= ~EXT4_ORPHAN_FS; ++ /* ++ * Update the checksum after updating free space/inode counters and ++ * ext4_orphan_cleanup. Otherwise the superblock can have an incorrect ++ * checksum in the buffer cache until it is written out and ++ * e2fsprogs programs trying to open a file system immediately ++ * after it is mounted can fail. ++ */ ++ ext4_superblock_csum_set(sb); + if (needs_recovery) { + ext4_msg(sb, KERN_INFO, "recovery complete"); + err = ext4_mark_recovery_complete(sb, es); diff --git a/queue-5.18/ext4-make-variable-count-signed.patch b/queue-5.18/ext4-make-variable-count-signed.patch new file mode 100644 index 00000000000..5040c363c93 --- /dev/null +++ b/queue-5.18/ext4-make-variable-count-signed.patch @@ -0,0 +1,35 @@ +From bc75a6eb856cb1507fa907bf6c1eda91b3fef52f Mon Sep 17 00:00:00 2001 +From: Ding Xiang +Date: Mon, 30 May 2022 18:00:47 +0800 +Subject: ext4: make variable "count" signed + +From: Ding Xiang + +commit bc75a6eb856cb1507fa907bf6c1eda91b3fef52f upstream. + +Since dx_make_map() may return -EFSCORRUPTED now, so change "count" to +be a signed integer so we can correctly check for an error code returned +by dx_make_map(). + +Fixes: 46c116b920eb ("ext4: verify dir block before splitting it") +Cc: stable@kernel.org +Signed-off-by: Ding Xiang +Link: https://lore.kernel.org/r/20220530100047.537598-1-dingxiang@cmss.chinamobile.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/namei.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1929,7 +1929,8 @@ static struct ext4_dir_entry_2 *do_split + struct dx_hash_info *hinfo) + { + unsigned blocksize = dir->i_sb->s_blocksize; +- unsigned count, continued; ++ unsigned continued; ++ int count; + struct buffer_head *bh2; + ext4_lblk_t newblock; + u32 hash2; diff --git a/queue-5.18/fs-account-for-group-membership.patch b/queue-5.18/fs-account-for-group-membership.patch new file mode 100644 index 00000000000..9dc205b4b14 --- /dev/null +++ b/queue-5.18/fs-account-for-group-membership.patch @@ -0,0 +1,110 @@ +From 168f912893407a5acb798a4a58613b5f1f98c717 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Mon, 13 Jun 2022 13:15:17 +0200 +Subject: fs: account for group membership + +From: Christian Brauner + +commit 168f912893407a5acb798a4a58613b5f1f98c717 upstream. + +When calling setattr_prepare() to determine the validity of the +attributes the ia_{g,u}id fields contain the value that will be written +to inode->i_{g,u}id. This is exactly the same for idmapped and +non-idmapped mounts and allows callers to pass in the values they want +to see written to inode->i_{g,u}id. + +When group ownership is changed a caller whose fsuid owns the inode can +change the group of the inode to any group they are a member of. When +searching through the caller's groups we need to use the gid mapped +according to the idmapped mount otherwise we will fail to change +ownership for unprivileged users. + +Consider a caller running with fsuid and fsgid 1000 using an idmapped +mount that maps id 65534 to 1000 and 65535 to 1001. Consequently, a file +owned by 65534:65535 in the filesystem will be owned by 1000:1001 in the +idmapped mount. + +The caller now requests the gid of the file to be changed to 1000 going +through the idmapped mount. In the vfs we will immediately map the +requested gid to the value that will need to be written to inode->i_gid +and place it in attr->ia_gid. Since this idmapped mount maps 65534 to +1000 we place 65534 in attr->ia_gid. + +When we check whether the caller is allowed to change group ownership we +first validate that their fsuid matches the inode's uid. The +inode->i_uid is 65534 which is mapped to uid 1000 in the idmapped mount. +Since the caller's fsuid is 1000 we pass the check. + +We now check whether the caller is allowed to change inode->i_gid to the +requested gid by calling in_group_p(). This will compare the passed in +gid to the caller's fsgid and search the caller's additional groups. + +Since we're dealing with an idmapped mount we need to pass in the gid +mapped according to the idmapped mount. This is akin to checking whether +a caller is privileged over the future group the inode is owned by. And +that needs to take the idmapped mount into account. Note, all helpers +are nops without idmapped mounts. + +New regression test sent to xfstests. + +Link: https://github.com/lxc/lxd/issues/10537 +Link: https://lore.kernel.org/r/20220613111517.2186646-1-brauner@kernel.org +Fixes: 2f221d6f7b88 ("attr: handle idmapped mounts") +Cc: Seth Forshee +Cc: Christoph Hellwig +Cc: Aleksa Sarai +Cc: Al Viro +Cc: stable@vger.kernel.org # 5.15+ +CC: linux-fsdevel@vger.kernel.org +Reviewed-by: Seth Forshee +Signed-off-by: Christian Brauner (Microsoft) +Signed-off-by: Greg Kroah-Hartman +--- + fs/attr.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +--- a/fs/attr.c ++++ b/fs/attr.c +@@ -61,9 +61,15 @@ static bool chgrp_ok(struct user_namespa + const struct inode *inode, kgid_t gid) + { + kgid_t kgid = i_gid_into_mnt(mnt_userns, inode); +- if (uid_eq(current_fsuid(), i_uid_into_mnt(mnt_userns, inode)) && +- (in_group_p(gid) || gid_eq(gid, inode->i_gid))) +- return true; ++ if (uid_eq(current_fsuid(), i_uid_into_mnt(mnt_userns, inode))) { ++ kgid_t mapped_gid; ++ ++ if (gid_eq(gid, inode->i_gid)) ++ return true; ++ mapped_gid = mapped_kgid_fs(mnt_userns, i_user_ns(inode), gid); ++ if (in_group_p(mapped_gid)) ++ return true; ++ } + if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN)) + return true; + if (gid_eq(kgid, INVALID_GID) && +@@ -123,12 +129,20 @@ int setattr_prepare(struct user_namespac + + /* Make sure a caller can chmod. */ + if (ia_valid & ATTR_MODE) { ++ kgid_t mapped_gid; ++ + if (!inode_owner_or_capable(mnt_userns, inode)) + return -EPERM; ++ ++ if (ia_valid & ATTR_GID) ++ mapped_gid = mapped_kgid_fs(mnt_userns, ++ i_user_ns(inode), attr->ia_gid); ++ else ++ mapped_gid = i_gid_into_mnt(mnt_userns, inode); ++ + /* Also check the setgid bit! */ +- if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid : +- i_gid_into_mnt(mnt_userns, inode)) && +- !capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID)) ++ if (!in_group_p(mapped_gid) && ++ !capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID)) + attr->ia_mode &= ~S_ISGID; + } + diff --git a/queue-5.18/kvm-arm64-always-start-with-clearing-sve-flag-on-load.patch b/queue-5.18/kvm-arm64-always-start-with-clearing-sve-flag-on-load.patch new file mode 100644 index 00000000000..4c6128e8732 --- /dev/null +++ b/queue-5.18/kvm-arm64-always-start-with-clearing-sve-flag-on-load.patch @@ -0,0 +1,41 @@ +From d52d165d67c5aa26c8c89909003c94a66492d23d Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Sat, 28 May 2022 12:38:11 +0100 +Subject: KVM: arm64: Always start with clearing SVE flag on load + +From: Marc Zyngier + +commit d52d165d67c5aa26c8c89909003c94a66492d23d upstream. + +On each vcpu load, we set the KVM_ARM64_HOST_SVE_ENABLED +flag if SVE is enabled for EL0 on the host. This is used to restore +the correct state on vpcu put. + +However, it appears that nothing ever clears this flag. Once +set, it will stick until the vcpu is destroyed, which has the +potential to spuriously enable SVE for userspace. + +We probably never saw the issue because no VMM uses SVE, but +that's still pretty bad. Unconditionally clearing the flag +on vcpu load addresses the issue. + +Fixes: 8383741ab2e7 ("KVM: arm64: Get rid of host SVE tracking/saving") +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20220528113829.1043361-2-maz@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/fpsimd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/kvm/fpsimd.c ++++ b/arch/arm64/kvm/fpsimd.c +@@ -80,6 +80,7 @@ void kvm_arch_vcpu_load_fp(struct kvm_vc + vcpu->arch.flags &= ~KVM_ARM64_FP_ENABLED; + vcpu->arch.flags |= KVM_ARM64_FP_HOST; + ++ vcpu->arch.flags &= ~KVM_ARM64_HOST_SVE_ENABLED; + if (read_sysreg(cpacr_el1) & CPACR_EL1_ZEN_EL0EN) + vcpu->arch.flags |= KVM_ARM64_HOST_SVE_ENABLED; + } diff --git a/queue-5.18/kvm-arm64-don-t-read-a-hw-interrupt-pending-state-in-user-context.patch b/queue-5.18/kvm-arm64-don-t-read-a-hw-interrupt-pending-state-in-user-context.patch new file mode 100644 index 00000000000..fabe936e136 --- /dev/null +++ b/queue-5.18/kvm-arm64-don-t-read-a-hw-interrupt-pending-state-in-user-context.patch @@ -0,0 +1,106 @@ +From 2cdea19a34c2340b3aa69508804efe4e3750fcec Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 7 Jun 2022 14:14:25 +0100 +Subject: KVM: arm64: Don't read a HW interrupt pending state in user context + +From: Marc Zyngier + +commit 2cdea19a34c2340b3aa69508804efe4e3750fcec upstream. + +Since 5bfa685e62e9 ("KVM: arm64: vgic: Read HW interrupt pending state +from the HW"), we're able to source the pending bit for an interrupt +that is stored either on the physical distributor or on a device. + +However, this state is only available when the vcpu is loaded, +and is not intended to be accessed from userspace. Unfortunately, +the GICv2 emulation doesn't provide specific userspace accessors, +and we fallback with the ones that are intended for the guest, +with fatal consequences. + +Add a new vgic_uaccess_read_pending() accessor for userspace +to use, build on top of the existing vgic_mmio_read_pending(). + +Reported-by: Eric Auger +Reviewed-by: Eric Auger +Tested-by: Eric Auger +Signed-off-by: Marc Zyngier +Fixes: 5bfa685e62e9 ("KVM: arm64: vgic: Read HW interrupt pending state from the HW") +Link: https://lore.kernel.org/r/20220607131427.1164881-2-maz@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/vgic/vgic-mmio-v2.c | 4 ++-- + arch/arm64/kvm/vgic/vgic-mmio.c | 19 ++++++++++++++++--- + arch/arm64/kvm/vgic/vgic-mmio.h | 3 +++ + 3 files changed, 21 insertions(+), 5 deletions(-) + +--- a/arch/arm64/kvm/vgic/vgic-mmio-v2.c ++++ b/arch/arm64/kvm/vgic/vgic-mmio-v2.c +@@ -417,11 +417,11 @@ static const struct vgic_register_region + VGIC_ACCESS_32bit), + REGISTER_DESC_WITH_BITS_PER_IRQ(GIC_DIST_PENDING_SET, + vgic_mmio_read_pending, vgic_mmio_write_spending, +- NULL, vgic_uaccess_write_spending, 1, ++ vgic_uaccess_read_pending, vgic_uaccess_write_spending, 1, + VGIC_ACCESS_32bit), + REGISTER_DESC_WITH_BITS_PER_IRQ(GIC_DIST_PENDING_CLEAR, + vgic_mmio_read_pending, vgic_mmio_write_cpending, +- NULL, vgic_uaccess_write_cpending, 1, ++ vgic_uaccess_read_pending, vgic_uaccess_write_cpending, 1, + VGIC_ACCESS_32bit), + REGISTER_DESC_WITH_BITS_PER_IRQ(GIC_DIST_ACTIVE_SET, + vgic_mmio_read_active, vgic_mmio_write_sactive, +--- a/arch/arm64/kvm/vgic/vgic-mmio.c ++++ b/arch/arm64/kvm/vgic/vgic-mmio.c +@@ -226,8 +226,9 @@ int vgic_uaccess_write_cenable(struct kv + return 0; + } + +-unsigned long vgic_mmio_read_pending(struct kvm_vcpu *vcpu, +- gpa_t addr, unsigned int len) ++static unsigned long __read_pending(struct kvm_vcpu *vcpu, ++ gpa_t addr, unsigned int len, ++ bool is_user) + { + u32 intid = VGIC_ADDR_TO_INTID(addr, 1); + u32 value = 0; +@@ -248,7 +249,7 @@ unsigned long vgic_mmio_read_pending(str + IRQCHIP_STATE_PENDING, + &val); + WARN_RATELIMIT(err, "IRQ %d", irq->host_irq); +- } else if (vgic_irq_is_mapped_level(irq)) { ++ } else if (!is_user && vgic_irq_is_mapped_level(irq)) { + val = vgic_get_phys_line_level(irq); + } else { + val = irq_is_pending(irq); +@@ -263,6 +264,18 @@ unsigned long vgic_mmio_read_pending(str + return value; + } + ++unsigned long vgic_mmio_read_pending(struct kvm_vcpu *vcpu, ++ gpa_t addr, unsigned int len) ++{ ++ return __read_pending(vcpu, addr, len, false); ++} ++ ++unsigned long vgic_uaccess_read_pending(struct kvm_vcpu *vcpu, ++ gpa_t addr, unsigned int len) ++{ ++ return __read_pending(vcpu, addr, len, true); ++} ++ + static bool is_vgic_v2_sgi(struct kvm_vcpu *vcpu, struct vgic_irq *irq) + { + return (vgic_irq_is_sgi(irq->intid) && +--- a/arch/arm64/kvm/vgic/vgic-mmio.h ++++ b/arch/arm64/kvm/vgic/vgic-mmio.h +@@ -149,6 +149,9 @@ int vgic_uaccess_write_cenable(struct kv + unsigned long vgic_mmio_read_pending(struct kvm_vcpu *vcpu, + gpa_t addr, unsigned int len); + ++unsigned long vgic_uaccess_read_pending(struct kvm_vcpu *vcpu, ++ gpa_t addr, unsigned int len); ++ + void vgic_mmio_write_spending(struct kvm_vcpu *vcpu, + gpa_t addr, unsigned int len, + unsigned long val); diff --git a/queue-5.18/selinux-free-contexts-previously-transferred-in-selinux_add_opt.patch b/queue-5.18/selinux-free-contexts-previously-transferred-in-selinux_add_opt.patch new file mode 100644 index 00000000000..9ff1494068d --- /dev/null +++ b/queue-5.18/selinux-free-contexts-previously-transferred-in-selinux_add_opt.patch @@ -0,0 +1,85 @@ +From cad140d00899e7a9cb6fe93b282051df589e671c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Wed, 15 Jun 2022 17:38:39 +0200 +Subject: selinux: free contexts previously transferred in selinux_add_opt() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian Göttsche + +commit cad140d00899e7a9cb6fe93b282051df589e671c upstream. + +`selinux_add_opt()` stopped taking ownership of the passed context since +commit 70f4169ab421 ("selinux: parse contexts for mount options early"). + + unreferenced object 0xffff888114dfd140 (size 64): + comm "mount", pid 15182, jiffies 4295687028 (age 796.340s) + hex dump (first 32 bytes): + 73 79 73 74 65 6d 5f 75 3a 6f 62 6a 65 63 74 5f system_u:object_ + 72 3a 74 65 73 74 5f 66 69 6c 65 73 79 73 74 65 r:test_filesyste + backtrace: + [] kmemdup_nul+0x24/0x80 + [] selinux_sb_eat_lsm_opts+0x293/0x560 + [] security_sb_eat_lsm_opts+0x58/0x80 + [] generic_parse_monolithic+0x82/0x180 + [] do_new_mount+0x1f5/0x550 + [] path_mount+0x2ab/0x1570 + [] __x64_sys_mount+0x20e/0x280 + [] do_syscall_64+0x34/0x80 + [] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + unreferenced object 0xffff888108e71640 (size 64): + comm "fsmount", pid 7607, jiffies 4295044974 (age 1601.016s) + hex dump (first 32 bytes): + 73 79 73 74 65 6d 5f 75 3a 6f 62 6a 65 63 74 5f system_u:object_ + 72 3a 74 65 73 74 5f 66 69 6c 65 73 79 73 74 65 r:test_filesyste + backtrace: + [] memdup_user+0x21/0x90 + [] strndup_user+0x47/0xa0 + [] __do_sys_fsconfig+0x485/0x9f0 + [] do_syscall_64+0x34/0x80 + [] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Cc: stable@vger.kernel.org +Fixes: 70f4169ab421 ("selinux: parse contexts for mount options early") +Signed-off-by: Christian Göttsche +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/hooks.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -2600,8 +2600,9 @@ static int selinux_sb_eat_lsm_opts(char + } + } + rc = selinux_add_opt(token, arg, mnt_opts); ++ kfree(arg); ++ arg = NULL; + if (unlikely(rc)) { +- kfree(arg); + goto free_opt; + } + } else { +@@ -2792,17 +2793,13 @@ static int selinux_fs_context_parse_para + struct fs_parameter *param) + { + struct fs_parse_result result; +- int opt, rc; ++ int opt; + + opt = fs_parse(fc, selinux_fs_parameters, param, &result); + if (opt < 0) + return opt; + +- rc = selinux_add_opt(opt, param->string, &fc->security); +- if (!rc) +- param->string = NULL; +- +- return rc; ++ return selinux_add_opt(opt, param->string, &fc->security); + } + + /* inode security operations */ diff --git a/queue-5.18/series b/queue-5.18/series index 46b4e15d483..94cdcea1548 100644 --- a/queue-5.18/series +++ b/queue-5.18/series @@ -116,3 +116,17 @@ tty-n_gsm-debug-output-allocation-must-use-gfp_atomic.patch serial-8250-store-to-lsr_save_flags-after-lsr-read.patch bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch md-raid5-ppl-fix-argument-order-in-bio_alloc_bioset.patch +dm-fix-race-in-dm_start_io_acct.patch +dm-mirror-log-round-up-region-bitmap-size-to-bits_per_long.patch +drm-amdgpu-fix-gtt-size-reporting-in-amdgpu_ioctl.patch +drm-amd-display-cap-oled-brightness-per-max-frame-average-luminance.patch +audit-free-module-name.patch +cfi-fix-__cfi_slowpath_diag-rcu-usage-with-cpuidle.patch +fs-account-for-group-membership.patch +selinux-free-contexts-previously-transferred-in-selinux_add_opt.patch +ext4-fix-super-block-checksum-incorrect-after-mount.patch +ext4-fix-bug_on-ext4_mb_use_inode_pa.patch +ext4-make-variable-count-signed.patch +ext4-add-reserved-gdt-blocks-check.patch +kvm-arm64-always-start-with-clearing-sve-flag-on-load.patch +kvm-arm64-don-t-read-a-hw-interrupt-pending-state-in-user-context.patch