From: Greg Kroah-Hartman Date: Sat, 13 Sep 2025 12:30:19 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.1.153~68 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=482d023b05c998ce722d43dcefe17f217a9e6428;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: edac-altera-delete-an-inappropriate-dma_free_coherent-call.patch fuse-check-if-copy_file_range-returns-larger-than-requested-size.patch fuse-prevent-overflow-in-copy_file_range-return-value.patch mtd-rawnand-stm32_fmc2-fix-ecc-overwrite.patch ocfs2-fix-recursive-semaphore-deadlock-in-fiemap-call.patch --- diff --git a/queue-5.4/edac-altera-delete-an-inappropriate-dma_free_coherent-call.patch b/queue-5.4/edac-altera-delete-an-inappropriate-dma_free_coherent-call.patch new file mode 100644 index 0000000000..204269cc4a --- /dev/null +++ b/queue-5.4/edac-altera-delete-an-inappropriate-dma_free_coherent-call.patch @@ -0,0 +1,38 @@ +From ff2a66d21fd2364ed9396d151115eec59612b200 Mon Sep 17 00:00:00 2001 +From: Salah Triki +Date: Thu, 31 Jul 2025 04:15:27 +0100 +Subject: EDAC/altera: Delete an inappropriate dma_free_coherent() call + +From: Salah Triki + +commit ff2a66d21fd2364ed9396d151115eec59612b200 upstream. + +dma_free_coherent() must only be called if the corresponding +dma_alloc_coherent() call has succeeded. Calling it when the allocation fails +leads to undefined behavior. + +Delete the wrong call. + + [ bp: Massage commit message. ] + +Fixes: 71bcada88b0f3 ("edac: altera: Add Altera SDRAM EDAC support") +Signed-off-by: Salah Triki +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Dinh Nguyen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/aIrfzzqh4IzYtDVC@pc +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/altera_edac.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/edac/altera_edac.c ++++ b/drivers/edac/altera_edac.c +@@ -125,7 +125,6 @@ static ssize_t altr_sdr_mc_err_inject_wr + + ptemp = dma_alloc_coherent(mci->pdev, 16, &dma_handle, GFP_KERNEL); + if (!ptemp) { +- dma_free_coherent(mci->pdev, 16, ptemp, dma_handle); + edac_printk(KERN_ERR, EDAC_MC, + "Inject: Buffer Allocation error\n"); + return -ENOMEM; diff --git a/queue-5.4/fuse-check-if-copy_file_range-returns-larger-than-requested-size.patch b/queue-5.4/fuse-check-if-copy_file_range-returns-larger-than-requested-size.patch new file mode 100644 index 0000000000..4915359a01 --- /dev/null +++ b/queue-5.4/fuse-check-if-copy_file_range-returns-larger-than-requested-size.patch @@ -0,0 +1,34 @@ +From e5203209b3935041dac541bc5b37efb44220cc0b Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Tue, 12 Aug 2025 14:07:54 +0200 +Subject: fuse: check if copy_file_range() returns larger than requested size + +From: Miklos Szeredi + +commit e5203209b3935041dac541bc5b37efb44220cc0b upstream. + +Just like write(), copy_file_range() should check if the return value is +less or equal to the requested number of bytes. + +Reported-by: Chunsheng Luo +Closes: https://lore.kernel.org/all/20250807062425.694-1-luochunsheng@ustc.edu/ +Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()") +Cc: # v4.20 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/file.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -3365,6 +3365,9 @@ static ssize_t __fuse_copy_file_range(st + fc->no_copy_file_range = 1; + err = -EOPNOTSUPP; + } ++ if (!err && outarg.size > len) ++ err = -EIO; ++ + if (err) + goto out; + diff --git a/queue-5.4/fuse-prevent-overflow-in-copy_file_range-return-value.patch b/queue-5.4/fuse-prevent-overflow-in-copy_file_range-return-value.patch new file mode 100644 index 0000000000..eeff827800 --- /dev/null +++ b/queue-5.4/fuse-prevent-overflow-in-copy_file_range-return-value.patch @@ -0,0 +1,38 @@ +From 1e08938c3694f707bb165535df352ac97a8c75c9 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Tue, 12 Aug 2025 14:46:34 +0200 +Subject: fuse: prevent overflow in copy_file_range return value + +From: Miklos Szeredi + +commit 1e08938c3694f707bb165535df352ac97a8c75c9 upstream. + +The FUSE protocol uses struct fuse_write_out to convey the return value of +copy_file_range, which is restricted to uint32_t. But the COPY_FILE_RANGE +interface supports a 64-bit size copies. + +Currently the number of bytes copied is silently truncated to 32-bit, which +may result in poor performance or even failure to copy in case of +truncation to zero. + +Reported-by: Florian Weimer +Closes: https://lore.kernel.org/all/lhuh5ynl8z5.fsf@oldenburg.str.redhat.com/ +Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()") +Cc: # v4.20 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -3299,7 +3299,7 @@ static ssize_t __fuse_copy_file_range(st + .nodeid_out = ff_out->nodeid, + .fh_out = ff_out->fh, + .off_out = pos_out, +- .len = len, ++ .len = min_t(size_t, len, UINT_MAX & PAGE_MASK), + .flags = flags + }; + struct fuse_write_out outarg; diff --git a/queue-5.4/mtd-rawnand-stm32_fmc2-fix-ecc-overwrite.patch b/queue-5.4/mtd-rawnand-stm32_fmc2-fix-ecc-overwrite.patch new file mode 100644 index 0000000000..3b3a36390e --- /dev/null +++ b/queue-5.4/mtd-rawnand-stm32_fmc2-fix-ecc-overwrite.patch @@ -0,0 +1,49 @@ +From 811c0da4542df3c065f6cb843ced68780e27bb44 Mon Sep 17 00:00:00 2001 +From: Christophe Kerello +Date: Tue, 12 Aug 2025 09:30:08 +0200 +Subject: mtd: rawnand: stm32_fmc2: fix ECC overwrite + +From: Christophe Kerello + +commit 811c0da4542df3c065f6cb843ced68780e27bb44 upstream. + +In case OOB write is requested during a data write, ECC is currently +lost. Avoid this issue by only writing in the free spare area. +This issue has been seen with a YAFFS2 file system. + +Signed-off-by: Christophe Kerello +Cc: stable@vger.kernel.org +Fixes: 2cd457f328c1 ("mtd: rawnand: stm32_fmc2: add STM32 FMC2 NAND flash controller driver") +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/stm32_fmc2_nand.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/nand/raw/stm32_fmc2_nand.c ++++ b/drivers/mtd/nand/raw/stm32_fmc2_nand.c +@@ -1037,9 +1037,21 @@ static int stm32_fmc2_sequencer_write(st + + /* Write oob */ + if (oob_required) { +- ret = nand_change_write_column_op(chip, mtd->writesize, +- chip->oob_poi, mtd->oobsize, +- false); ++ unsigned int offset_in_page = mtd->writesize; ++ const void *buf = chip->oob_poi; ++ unsigned int len = mtd->oobsize; ++ ++ if (!raw) { ++ struct mtd_oob_region oob_free; ++ ++ mtd_ooblayout_free(mtd, 0, &oob_free); ++ offset_in_page += oob_free.offset; ++ buf += oob_free.offset; ++ len = oob_free.length; ++ } ++ ++ ret = nand_change_write_column_op(chip, offset_in_page, ++ buf, len, false); + if (ret) + return ret; + } diff --git a/queue-5.4/ocfs2-fix-recursive-semaphore-deadlock-in-fiemap-call.patch b/queue-5.4/ocfs2-fix-recursive-semaphore-deadlock-in-fiemap-call.patch new file mode 100644 index 0000000000..369d8a5fad --- /dev/null +++ b/queue-5.4/ocfs2-fix-recursive-semaphore-deadlock-in-fiemap-call.patch @@ -0,0 +1,138 @@ +From 04100f775c2ea501927f508f17ad824ad1f23c8d Mon Sep 17 00:00:00 2001 +From: Mark Tinguely +Date: Fri, 29 Aug 2025 10:18:15 -0500 +Subject: ocfs2: fix recursive semaphore deadlock in fiemap call + +From: Mark Tinguely + +commit 04100f775c2ea501927f508f17ad824ad1f23c8d upstream. + +syzbot detected a OCFS2 hang due to a recursive semaphore on a +FS_IOC_FIEMAP of the extent list on a specially crafted mmap file. + +context_switch kernel/sched/core.c:5357 [inline] + __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961 + __schedule_loop kernel/sched/core.c:7043 [inline] + schedule+0x165/0x360 kernel/sched/core.c:7058 + schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115 + rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185 + __down_write_common kernel/locking/rwsem.c:1317 [inline] + __down_write kernel/locking/rwsem.c:1326 [inline] + down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591 + ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142 + do_page_mkwrite+0x14d/0x310 mm/memory.c:3361 + wp_page_shared mm/memory.c:3762 [inline] + do_wp_page+0x268d/0x5800 mm/memory.c:3981 + handle_pte_fault mm/memory.c:6068 [inline] + __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195 + handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364 + do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387 + handle_page_fault arch/x86/mm/fault.c:1476 [inline] + exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532 + asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 +RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline] +RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline] +RIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline] +RIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26 +Code: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89 +f7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 a4 0f +1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41 +RSP: 0018:ffffc9000403f950 EFLAGS: 00050256 +RAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038 +RDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060 +RBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42 +R10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098 +R13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060 + copy_to_user include/linux/uaccess.h:225 [inline] + fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145 + ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806 + ioctl_fiemap fs/ioctl.c:220 [inline] + do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532 + __do_sys_ioctl fs/ioctl.c:596 [inline] + __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f5f13850fd9 +RSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9 +RDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004 +RBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0 +R13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b + +ocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since +v2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the +extent list of this running mmap executable. The user supplied buffer to +hold the fiemap information page faults calling ocfs2_page_mkwrite() which +will take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same +semaphore. This recursive semaphore will hold filesystem locks and causes +a hang of the fileystem. + +The ip_alloc_sem protects the inode extent list and size. Release the +read semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap() +and ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock +on the last extent but simplifies the error path. + +Link: https://lkml.kernel.org/r/61d1a62b-2631-4f12-81e2-cd689914360b@oracle.com +Fixes: 00dc417fa3e7 ("ocfs2: fiemap support") +Signed-off-by: Mark Tinguely +Reported-by: syzbot+541dcc6ee768f77103e7@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=541dcc6ee768f77103e7 +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/extent_map.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/ocfs2/extent_map.c ++++ b/fs/ocfs2/extent_map.c +@@ -698,6 +698,8 @@ out: + * it not only handles the fiemap for inlined files, but also deals + * with the fast symlink, cause they have no difference for extent + * mapping per se. ++ * ++ * Must be called with ip_alloc_sem semaphore held. + */ + static int ocfs2_fiemap_inline(struct inode *inode, struct buffer_head *di_bh, + struct fiemap_extent_info *fieinfo, +@@ -709,6 +711,7 @@ static int ocfs2_fiemap_inline(struct in + u64 phys; + u32 flags = FIEMAP_EXTENT_DATA_INLINE|FIEMAP_EXTENT_LAST; + struct ocfs2_inode_info *oi = OCFS2_I(inode); ++ lockdep_assert_held_read(&oi->ip_alloc_sem); + + di = (struct ocfs2_dinode *)di_bh->b_data; + if (ocfs2_inode_is_fast_symlink(inode)) +@@ -724,8 +727,11 @@ static int ocfs2_fiemap_inline(struct in + phys += offsetof(struct ocfs2_dinode, + id2.i_data.id_data); + ++ /* Release the ip_alloc_sem to prevent deadlock on page fault */ ++ up_read(&OCFS2_I(inode)->ip_alloc_sem); + ret = fiemap_fill_next_extent(fieinfo, 0, phys, id_count, + flags); ++ down_read(&OCFS2_I(inode)->ip_alloc_sem); + if (ret < 0) + return ret; + } +@@ -796,9 +802,11 @@ int ocfs2_fiemap(struct inode *inode, st + len_bytes = (u64)le16_to_cpu(rec.e_leaf_clusters) << osb->s_clustersize_bits; + phys_bytes = le64_to_cpu(rec.e_blkno) << osb->sb->s_blocksize_bits; + virt_bytes = (u64)le32_to_cpu(rec.e_cpos) << osb->s_clustersize_bits; +- ++ /* Release the ip_alloc_sem to prevent deadlock on page fault */ ++ up_read(&OCFS2_I(inode)->ip_alloc_sem); + ret = fiemap_fill_next_extent(fieinfo, virt_bytes, phys_bytes, + len_bytes, fe_flags); ++ down_read(&OCFS2_I(inode)->ip_alloc_sem); + if (ret) + break; + diff --git a/queue-5.4/series b/queue-5.4/series index 052f009eb0..2ec1207b71 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -3,3 +3,8 @@ net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch nfsv4-don-t-clear-capabilities-that-won-t-be-reset.patch s390-cpum_cf-deny-all-sampling-events-by-counter-pmu.patch tcp_bpf-call-sk_msg_free-when-tcp_bpf_send_verdict-f.patch +edac-altera-delete-an-inappropriate-dma_free_coherent-call.patch +ocfs2-fix-recursive-semaphore-deadlock-in-fiemap-call.patch +mtd-rawnand-stm32_fmc2-fix-ecc-overwrite.patch +fuse-check-if-copy_file_range-returns-larger-than-requested-size.patch +fuse-prevent-overflow-in-copy_file_range-return-value.patch