From: Greg Kroah-Hartman Date: Mon, 23 Dec 2024 12:25:53 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v6.1.122~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4702744a7954282d683cfd20fd137c3e254e8892;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch nilfs2-prevent-use-of-deleted-inode.patch of-fix-error-path-in-of_parse_phandle_with_args_map.patch of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch udmabuf-also-check-for-f_seal_future_write.patch
---
diff --git a/queue-5.4/nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch b/queue-5.4/nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch
new file mode 100644
index 00000000000..e10e65da98c
--- /dev/null
+++ b/queue-5.4/nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch
@@ -0,0 +1,35 @@
+From 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Mon, 16 Dec 2024 19:28:06 -0500
+Subject: NFS/pnfs: Fix a live lock between recalled layouts and layoutget
+
+From: Trond Myklebust
+
+commit 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b upstream.
+
+When the server is recalling a layout, we should ignore the count of
+outstanding layoutget calls, since the server is expected to return
+either NFS4ERR_RECALLCONFLICT or NFS4ERR_RETURNCONFLICT for as long as
+the recall is outstanding.
+Currently, we may end up livelocking, causing the layout to eventually
+be forcibly revoked.
+
+Fixes: bf0291dd2267 ("pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised")
+Cc: stable@vger.kernel.org
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/pnfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1165,7 +1165,7 @@ pnfs_prepare_layoutreturn(struct pnfs_la
+ enum pnfs_iomode *iomode)
+ {
+ /* Serialise LAYOUTGET/LAYOUTRETURN */
+- if (atomic_read(&lo->plh_outstanding) != 0)
++ if (atomic_read(&lo->plh_outstanding) != 0 && lo->plh_return_seq == 0)
+ return false;
+ if (test_and_set_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags))
+ return false;
diff --git a/queue-5.4/nilfs2-prevent-use-of-deleted-inode.patch b/queue-5.4/nilfs2-prevent-use-of-deleted-inode.patch
new file mode 100644
index 00000000000..dcebeff39fc
--- /dev/null
+++ b/queue-5.4/nilfs2-prevent-use-of-deleted-inode.patch
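Review bot: The comment `/* Serialise LAYOUTGET/LAYOUTRETURN */` above the changed condition no longer describes it, because the new `&& lo->plh_return_seq == 0` clause deliberately skips the serialisation while a recall is outstanding; without a note the exception reads like a typo and invites a later "cleanup" that reintroduces the livelock. Suggest extending it to `/* Serialise LAYOUTGET/LAYOUTRETURN, except while a recall is pending (plh_return_seq != 0): the server rejects outstanding LAYOUTGETs with RECALLCONFLICT/RETURNCONFLICT, so waiting on them can livelock */`. That `plh_return_seq == 0` means "no recall in progress" is taken from the commit message rather than anything visible in the hunk, so it is worth confirming the 5.4 tree sets `plh_return_seq` at the same points as upstream before treating the backport as equivalent. `pnfs_prepare_layoutreturn`'s signature begins before the hunk and its body continues after it.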
@@ -0,0 +1,84 @@
+From 901ce9705fbb9f330ff1f19600e5daf9770b0175 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis
+Date: Mon, 9 Dec 2024 15:56:52 +0900
+Subject: nilfs2: prevent use of deleted inode
+
+From: Edward Adam Davis
+
+commit 901ce9705fbb9f330ff1f19600e5daf9770b0175 upstream.
+
+syzbot reported a WARNING in nilfs_rmdir. [1]
+
+Because the inode bitmap is corrupted, an inode with an inode number that
+should exist as a ".nilfs" file was reassigned by nilfs_mkdir for "file0",
+causing an inode duplication during execution. And this causes an
+underflow of i_nlink in rmdir operations.
+
+The inode is used twice by the same task to unmount and remove directories
+".nilfs" and "file0", it trigger warning in nilfs_rmdir.
+
+Avoid to this issue, check i_nlink in nilfs_iget(), if it is 0, it means
+that this inode has been deleted, and iput is executed to reclaim it.
+
+[1]
+WARNING: CPU: 1 PID: 5824 at fs/inode.c:407 drop_nlink+0xc4/0x110 fs/inode.c:407
+...
+Call Trace:
+ 
+ nilfs_rmdir+0x1b0/0x250 fs/nilfs2/namei.c:342
+ vfs_rmdir+0x3a3/0x510 fs/namei.c:4394
+ do_rmdir+0x3b5/0x580 fs/namei.c:4453
+ __do_sys_rmdir fs/namei.c:4472 [inline]
+ __se_sys_rmdir fs/namei.c:4470 [inline]
+ __x64_sys_rmdir+0x47/0x50 fs/namei.c:4470
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Link: https://lkml.kernel.org/r/20241209065759.6781-1-konishi.ryusuke@gmail.com
+Fixes: d25006523d0b ("nilfs2: pathname operations")
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9260555647a5132edd48
+Tested-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis
+Cc: 
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/inode.c | 8 +++++++-
+ fs/nilfs2/namei.c | 5 +++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -626,8 +626,14 @@ struct inode *nilfs_iget(struct super_bl
+ inode = nilfs_iget_locked(sb, root, ino);
+ if (unlikely(!inode))
+ return ERR_PTR(-ENOMEM);
+- if (!(inode->i_state & I_NEW))
++
++ if (!(inode->i_state & I_NEW)) {
++ if (!inode->i_nlink) {
++ iput(inode);
++ return ERR_PTR(-ESTALE);
++ }
+ return inode;
++ }
+
+ err = __nilfs_read_inode(sb, root, ino, inode);
+ if (unlikely(err)) {
+--- a/fs/nilfs2/namei.c
++++ b/fs/nilfs2/namei.c
+@@ -67,6 +67,11 @@ nilfs_lookup(struct inode *dir, struct d
+ inode = NULL;
+ } else {
+ inode = nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino);
++ if (inode == ERR_PTR(-ESTALE)) {
++ nilfs_error(dir->i_sb,
++ "deleted inode referenced: %lu", ino);
++ return ERR_PTR(-EIO);
++ }
+ }
+
+ return d_splice_alias(inode, dentry);
diff --git a/queue-5.4/of-fix-error-path-in-of_parse_phandle_with_args_map.patch b/queue-5.4/of-fix-error-path-in-of_parse_phandle_with_args_map.patch
new file mode 100644
index 00000000000..3f11245469c
--- /dev/null
+++ b/queue-5.4/of-fix-error-path-in-of_parse_phandle_with_args_map.patch
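Review bot: The new `if (!inode->i_nlink)` branch in `nilfs_iget` carries no comment explaining why a cached inode with a zero link count is rejected rather than returned, which is the entire point of the change; a maintainer reading only inode.c cannot tell this guards against a corrupted inode bitmap handing out an inode number that is still in use by a deleted inode. Suggest `/* A cached inode with i_nlink == 0 has already been deleted; a fresh reference to its number means the on-disk inode bitmap is corrupt, so refuse it instead of reusing it. */` above the check. The `-ESTALE` to `-EIO` translation with `nilfs_error()` exists only in `nilfs_lookup`, so other `nilfs_iget` callers outside this hunk now receive a bare `-ESTALE` for this case; presumably fine because they already handle `IS_ERR()` results, but worth a look. Whether `nilfs_error(sb, fmt, ...)` has this two-argument form in the 5.4 tree should also be confirmed, since the hunk is an unmodified upstream backport. Both `nilfs_iget` and `nilfs_lookup` start and end outside the hunk.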
@@ -0,0 +1,72 @@
+From d7dfa7fde63dde4d2ec0083133efe2c6686c03ff Mon Sep 17 00:00:00 2001
+From: Herve Codina
+Date: Mon, 2 Dec 2024 17:58:19 +0100
+Subject: of: Fix error path in of_parse_phandle_with_args_map()
+
+From: Herve Codina
+
+commit d7dfa7fde63dde4d2ec0083133efe2c6686c03ff upstream.
+
+The current code uses some 'goto put;' to cancel the parsing operation
+and can lead to a return code value of 0 even on error cases.
+
+Indeed, some goto calls are done from a loop without setting the ret
+value explicitly before the goto call and so the ret value can be set to
+0 due to operation done in previous loop iteration. For instance match
+can be set to 0 in the previous loop iteration (leading to a new
+iteration) but ret can also be set to 0 it the of_property_read_u32()
+call succeed. In that case if no match are found or if an error is
+detected the new iteration, the return value can be wrongly 0.
+
+Avoid those cases setting the ret value explicitly before the goto
+calls.
+
+Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node")
+Cc: stable@vger.kernel.org
+Signed-off-by: Herve Codina
+Link: https://lore.kernel.org/r/20241202165819.158681-1-herve.codina@bootlin.com
+Signed-off-by: Rob Herring (Arm)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/of/base.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -1695,8 +1695,10 @@ int of_parse_phandle_with_args_map(const
+ map_len--;
+
+ /* Check if not found */
+- if (!new)
++ if (!new) {
++ ret = -EINVAL;
+ goto put;
++ }
+
+ if (!of_device_is_available(new))
+ match = 0;
+@@ -1706,17 +1708,20 @@ int of_parse_phandle_with_args_map(const
+ goto put;
+
+ /* Check for malformed properties */
+- if (WARN_ON(new_size > MAX_PHANDLE_ARGS))
+- goto put;
+- if (map_len < new_size)
++ if (WARN_ON(new_size > MAX_PHANDLE_ARGS) ||
++ map_len < new_size) {
++ ret = -EINVAL;
+ goto put;
++ }
+
+ /* Move forward by new node's #-cells amount */
+ map += new_size;
+ map_len -= new_size;
+ }
+- if (!match)
++ if (!match) {
++ ret = -ENOENT;
+ goto put;
++ }
+
+ /* Get the -map-pass-thru property (optional) */
+ pass = of_get_property(cur, pass_name, NULL);
diff --git a/queue-5.4/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch b/queue-5.4/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch
new file mode 100644
index 00000000000..83f4c7b9756
--- /dev/null
+++ b/queue-5.4/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch
@@ -0,0 +1,36 @@
+From 5d009e024056ded20c5bb1583146b833b23bbd5a Mon Sep 17 00:00:00 2001
+From: Zijun Hu
+Date: Fri, 6 Dec 2024 08:52:30 +0800
+Subject: of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
+
+From: Zijun Hu
+
+commit 5d009e024056ded20c5bb1583146b833b23bbd5a upstream.
+
+__of_get_dma_parent() returns OF device node @args.np, but the node's
+refcount is increased twice, by both of_parse_phandle_with_args() and
+of_node_get(), so causes refcount leakage for the node.
+
+Fix by directly returning the node got by of_parse_phandle_with_args().
+
+Fixes: f83a6e5dea6c ("of: address: Add support for the parent DMA bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu
+Link: https://lore.kernel.org/r/20241206-of_core_fix-v1-4-dc28ed56bec3@quicinc.com
+Signed-off-by: Rob Herring (Arm)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/of/address.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -692,7 +692,7 @@ static struct device_node *__of_get_dma_
+ if (ret < 0)
+ return of_get_parent(np);
+
+- return of_node_get(args.np);
++ return args.np;
+ }
+
+ u64 of_translate_dma_address(struct device_node *dev, const __be32 *in_addr)
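Review bot: The three `goto put` exits now assign `ret` explicitly, but nothing in the hunk records why that is mandatory, so the next `goto put` added inside this loop is likely to repeat the original defect: `ret` can still hold the 0 left by a successful `of_property_read_u32()` in the previous iteration, and the function then reports success with `out_args` never filled in. Suggest a comment beside the first exit or at the top of the loop body (outside the hunk), `/* ret may still be 0 from the previous iteration; every error exit must assign it explicitly before goto put */`. Callers that trust a 0 return would act on an unset or stale phandle argument, which is why distinct `-EINVAL` and `-ENOENT` codes matter here rather than a single catch-all. The `WARN_ON(new_size > MAX_PHANDLE_ARGS)` is pre-existing and unchanged in effect by this commit, so a malformed `#-cells` value in the device tree still produces a warning splat in addition to the error. `of_parse_phandle_with_args_map` begins before the hunk and continues after it.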
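Review bot: After this change both exits of `__of_get_dma_parent`, `return of_get_parent(np)` and `return args.np`, hand the caller exactly one reference, but nothing in the code states that contract; the removed `of_node_get()` looked like a deliberate extra hold, which is how the double reference survived review. Suggest a kernel-doc line on the function (its signature is above the hunk), `/* Returns the DMA parent node with a single reference held, taken by of_parse_phandle_with_args() or of_get_parent(); the caller must of_node_put() it. */`. The extra reference would have kept the node from ever being released, which is a slow resource leak on systems that repeatedly apply and remove overlays, so the one-line fix is worth carrying despite looking cosmetic. The function body starts before the hunk.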
diff --git a/queue-5.4/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch b/queue-5.4/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch
new file mode 100644
index 00000000000..079228592a9
--- /dev/null
+++ b/queue-5.4/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch
@@ -0,0 +1,47 @@
+From 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e Mon Sep 17 00:00:00 2001
+From: Zijun Hu
+Date: Mon, 9 Dec 2024 21:25:02 +0800
+Subject: of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
+
+From: Zijun Hu
+
+commit 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e upstream.
+
+of_irq_parse_one() may use uninitialized variable @addr_len as shown below:
+
+// @addr_len is uninitialized
+int addr_len;
+
+// This operation does not touch @addr_len if it fails.
+addr = of_get_property(device, "reg", &addr_len);
+
+// Use uninitialized @addr_len if the operation fails.
+if (addr_len > sizeof(addr_buf))
+ addr_len = sizeof(addr_buf);
+
+// Check the operation result here.
+if (addr)
+ memcpy(addr_buf, addr, addr_len);
+
+Fix by initializing @addr_len before the operation.
+
+Fixes: b739dffa5d57 ("of/irq: Prevent device address out-of-bounds read in interrupt map walk")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu
+Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-4-782f1419c8a1@quicinc.com
+Signed-off-by: Rob Herring (Arm)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/of/irq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -298,6 +298,7 @@ int of_irq_parse_one(struct device_node
+ return of_irq_parse_oldworld(device, index, out_irq);
+
+ /* Get the reg property (if any) */
++ addr_len = 0;
+ addr = of_get_property(device, "reg", &addr_len);
+
+ /* Prevent out-of-bounds read in case of longer interrupt parent address size */
diff --git a/queue-5.4/series b/queue-5.4/series
index cc0b2e68620..f4208f9642c 100644
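Review bot: The added `addr_len = 0;` sits immediately before the `of_get_property()` call rather than at the declaration of `addr_len` (which is outside the hunk), and with no comment it reads like a redundant store that a later cleanup could delete; the commit message is the only place recording that `of_get_property()` leaves the length untouched when the property is absent. Suggest `/* of_get_property() leaves addr_len untouched when "reg" is absent; the clamp below reads it unconditionally */` on the new line, or `int addr_len = 0;` at the declaration where the backport is not bound to the upstream form. Per the code quoted in the message, the clamp `if (addr_len > sizeof(addr_buf))` reads `addr_len` regardless of whether `addr` is NULL, so the defect was an indeterminate-value read in the comparison even though the `memcpy` itself was skipped; that clamp is outside the hunk. `of_irq_parse_one` begins before the hunk and continues after it.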
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -24,3 +24,9 @@ usb-serial-option-add-telit-fe910c04-rmnet-compositions.patch
 sh-clk-fix-clk_enable-to-return-0-on-null-clk.patch
 zram-refuse-to-use-zero-sized-block-device-as-backing-device.patch
 btrfs-tree-checker-reject-inline-extent-items-with-0-ref-count.patch
+nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch
+of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch
+nilfs2-prevent-use-of-deleted-inode.patch
+udmabuf-also-check-for-f_seal_future_write.patch
+of-fix-error-path-in-of_parse_phandle_with_args_map.patch
+of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch
diff --git a/queue-5.4/udmabuf-also-check-for-f_seal_future_write.patch b/queue-5.4/udmabuf-also-check-for-f_seal_future_write.patch
new file mode 100644
index 00000000000..c93d1cb1bb4
--- /dev/null
+++ b/queue-5.4/udmabuf-also-check-for-f_seal_future_write.patch
@@ -0,0 +1,36 @@
+From 0a16e24e34f28210f68195259456c73462518597 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 4 Dec 2024 17:26:20 +0100
+Subject: udmabuf: also check for F_SEAL_FUTURE_WRITE
+
+From: Jann Horn
+
+commit 0a16e24e34f28210f68195259456c73462518597 upstream.
+
+When F_SEAL_FUTURE_WRITE was introduced, it was overlooked that udmabuf
+must reject memfds with this flag, just like ones with F_SEAL_WRITE.
+Fix it by adding F_SEAL_FUTURE_WRITE to SEALS_DENIED.
+
+Fixes: ab3948f58ff8 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd")
+Cc: stable@vger.kernel.org
+Acked-by: Vivek Kasireddy
+Signed-off-by: Jann Horn
+Reviewed-by: Joel Fernandes (Google)
+Signed-off-by: Vivek Kasireddy
+Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-2-23887289de1c@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma-buf/udmabuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -120,7 +120,7 @@ static const struct dma_buf_ops udmabuf_
+ };
+
+ #define SEALS_WANTED (F_SEAL_SHRINK)
+-#define SEALS_DENIED (F_SEAL_WRITE)
++#define SEALS_DENIED (F_SEAL_WRITE|F_SEAL_FUTURE_WRITE)
+
+ static long udmabuf_create(const struct udmabuf_create_list *head,
+ const struct udmabuf_create_item *list)
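Review bot: `SEALS_DENIED` now lists two write seals but has no comment saying why udmabuf must refuse them, so the next write-restricting seal added to the uapi can be missed here again exactly as `F_SEAL_FUTURE_WRITE` was. Suggest `/* udmabuf pins the pages and lets importers write them; any seal that makes the memfd read-only now or in future must be refused, or the seal's promise is broken behind the owner's back. */` above the define, ideally with a pointer to the seal definitions in `include/uapi/linux/fcntl.h` so the two lists are reviewed together. Because seals can be added but never removed, a creation-time check in `udmabuf_create` (whose body continues outside the hunk) is sufficient; the check itself is not visible here. The backport also assumes `F_SEAL_FUTURE_WRITE` is defined in the 5.4 tree, which the `Fixes:` reference implies but the hunk cannot confirm.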