From: Greg Kroah-Hartman Date: Mon, 7 Oct 2024 15:36:51 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.6.55~88 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4c0e7bb708c9cacb41b0a8b9e4535cb4b3367a40;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: drm-omapdrm-add-missing-check-for-alloc_ordered_workqueue.patch jbd2-correctly-compare-tids-with-tid_geq-function-in-jbd2_fc_begin_commit.patch jbd2-stop-waiting-for-space-when-jbd2_cleanup_journal_tail-returns-error.patch mm-krealloc-consider-spare-memory-for-__gfp_zero.patch ocfs2-cancel-dqi_sync_work-before-freeing-oinfo.patch ocfs2-fix-null-ptr-deref-when-journal-load-failed.patch ocfs2-fix-possible-null-ptr-deref-in-ocfs2_set_buffer_uptodate.patch ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch ocfs2-fix-uninit-value-in-ocfs2_get_block.patch ocfs2-remove-unreasonable-unlock-in-ocfs2_read_blocks.patch ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch of-irq-support-msi-cells-0-in-of_msi_get_domain.patch parisc-fix-64-bit-userspace-syscall-path.patch parisc-fix-stack-start-for-addr_no_randomize-personality.patch --- diff --git a/queue-5.10/drm-omapdrm-add-missing-check-for-alloc_ordered_workqueue.patch b/queue-5.10/drm-omapdrm-add-missing-check-for-alloc_ordered_workqueue.patch new file mode 100644 index 00000000000..29a81d408b6 --- /dev/null +++ b/queue-5.10/drm-omapdrm-add-missing-check-for-alloc_ordered_workqueue.patch 
@@ -0,0 +1,43 @@ +From e794b7b9b92977365c693760a259f8eef940c536 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Thu, 8 Aug 2024 14:13:36 +0800 +Subject: drm: omapdrm: Add missing check for alloc_ordered_workqueue + +From: Ma Ke + +commit e794b7b9b92977365c693760a259f8eef940c536 upstream. + +As it may return NULL pointer and cause NULL pointer dereference. Add check +for the return value of alloc_ordered_workqueue. + +Cc: stable@vger.kernel.org +Fixes: 2f95bc6d324a ("drm: omapdrm: Perform initialization/cleanup at probe/remove time") +Signed-off-by: Ma Ke +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20240808061336.2796729-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/omap_drv.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/omapdrm/omap_drv.c ++++ b/drivers/gpu/drm/omapdrm/omap_drv.c +@@ -600,6 +600,10 @@ static int omapdrm_init(struct omap_drm_ + soc = soc_device_match(omapdrm_soc_devices); + priv->omaprev = soc ? (unsigned int)soc->data : 0; + priv->wq = alloc_ordered_workqueue("omapdrm", 0); ++ if (!priv->wq) { ++ ret = -ENOMEM; ++ goto err_alloc_workqueue; ++ } + + mutex_init(&priv->list_lock); + INIT_LIST_HEAD(&priv->obj_list); +@@ -649,6 +653,7 @@ err_cleanup_modeset: + err_gem_deinit: + omap_gem_deinit(ddev); + destroy_workqueue(priv->wq); ++err_alloc_workqueue: + omap_disconnect_pipelines(ddev); + omap_crtc_pre_uninit(priv); + drm_dev_put(ddev); diff --git a/queue-5.10/jbd2-correctly-compare-tids-with-tid_geq-function-in-jbd2_fc_begin_commit.patch b/queue-5.10/jbd2-correctly-compare-tids-with-tid_geq-function-in-jbd2_fc_begin_commit.patch new file mode 100644 index 00000000000..f02327c7612 --- /dev/null +++ b/queue-5.10/jbd2-correctly-compare-tids-with-tid_geq-function-in-jbd2_fc_begin_commit.patch 
@@ -0,0 +1,33 @@
+From f0e3c14802515f60a47e6ef347ea59c2733402aa Mon Sep 17 00:00:00 2001
+From: Kemeng Shi
+Date: Thu, 1 Aug 2024 09:38:08 +0800
+Subject: jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit
+
+From: Kemeng Shi
+
+commit f0e3c14802515f60a47e6ef347ea59c2733402aa upstream.
+
+Use tid_geq to compare tids to work over sequence number wraps.
+
+Signed-off-by: Kemeng Shi
+Reviewed-by: Jan Kara
+Reviewed-by: Zhang Yi
+Cc: stable@kernel.org
+Link: https://patch.msgid.link/20240801013815.2393869-2-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jbd2/journal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -740,7 +740,7 @@ int jbd2_fc_begin_commit(journal_t *jour
+ return -EINVAL;
+
+ write_lock(&journal->j_state_lock);
+- if (tid <= journal->j_commit_sequence) {
++ if (tid_geq(journal->j_commit_sequence, tid)) {
+ write_unlock(&journal->j_state_lock);
+ return -EALREADY;
+ }
diff --git a/queue-5.10/jbd2-stop-waiting-for-space-when-jbd2_cleanup_journal_tail-returns-error.patch b/queue-5.10/jbd2-stop-waiting-for-space-when-jbd2_cleanup_journal_tail-returns-error.patch
new file mode 100644
index 00000000000..af842599acc
--- /dev/null
+++ b/queue-5.10/jbd2-stop-waiting-for-space-when-jbd2_cleanup_journal_tail-returns-error.patch
@@ -0,0 +1,69 @@ +From f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Thu, 18 Jul 2024 19:53:36 +0800 +Subject: jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error + +From: Baokun Li + +commit f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a upstream. + +In __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail() +to recover some journal space. But if an error occurs while executing +jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free +space right away, we try other branches, and if j_committing_transaction +is NULL (i.e., the tid is 0), we will get the following complain: + +============================================ +JBD2: I/O error when updating journal superblock for sdd-8. +__jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available +__jbd2_log_wait_for_space: no way to get more journal space in sdd-8 +------------[ cut here ]------------ +WARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0 +Modules linked in: +CPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1 +RIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0 +Call Trace: + + add_transaction_credits+0x5d1/0x5e0 + start_this_handle+0x1ef/0x6a0 + jbd2__journal_start+0x18b/0x340 + ext4_dirty_inode+0x5d/0xb0 + __mark_inode_dirty+0xe4/0x5d0 + generic_update_time+0x60/0x70 +[...] +============================================ + +So only if jbd2_cleanup_journal_tail() returns 1, i.e., there is nothing to +clean up at the moment, continue to try to reclaim free space in other ways. + +Note that this fix relies on commit 6f6a6fda2945 ("jbd2: fix ocfs2 corrupt +when updating journal superblock fails") to make jbd2_cleanup_journal_tail +return the correct error code. 
+ +Fixes: 8c3f25d8950c ("jbd2: don't give up looking for space so easily in __jbd2_log_wait_for_space") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://patch.msgid.link/20240718115336.2554501-1-libaokun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/checkpoint.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -125,8 +125,11 @@ __releases(&journal->j_state_lock) + write_unlock(&journal->j_state_lock); + if (chkpt) { + jbd2_log_do_checkpoint(journal); +- } else if (jbd2_cleanup_journal_tail(journal) == 0) { +- /* We were able to recover space; yay! */ ++ } else if (jbd2_cleanup_journal_tail(journal) <= 0) { ++ /* ++ * We were able to recover space or the ++ * journal was aborted due to an error. ++ */ + ; + } else if (has_transaction) { + /* diff --git a/queue-5.10/mm-krealloc-consider-spare-memory-for-__gfp_zero.patch b/queue-5.10/mm-krealloc-consider-spare-memory-for-__gfp_zero.patch new file mode 100644 index 00000000000..a606a94a600 --- /dev/null +++ b/queue-5.10/mm-krealloc-consider-spare-memory-for-__gfp_zero.patch 
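Review bot: The new `<= 0` test folds two different outcomes of jbd2_cleanup_journal_tail() into one empty branch, and the replacement comment names them without stating the return convention the test depends on; a reader of this file cannot tell that only a return of 1 ("nothing to clean up") is meant to fall through to the `has_transaction` retry path. Suggest widening the comment to `/* 0: space was recovered; <0: the journal was aborted by an error; only 1 (nothing to clean up) should fall through to the retry paths below. */`. The commit message also says this relies on jbd2_cleanup_journal_tail() propagating the error code, which is worth stating in the comment since a later change to that function would silently reintroduce the endless wait. __jbd2_log_wait_for_space() starts and ends outside the hunk.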
@@ -0,0 +1,63 @@ +From 1a83a716ec233990e1fd5b6fbb1200ade63bf450 Mon Sep 17 00:00:00 2001 +From: Danilo Krummrich +Date: Tue, 13 Aug 2024 00:34:34 +0200 +Subject: mm: krealloc: consider spare memory for __GFP_ZERO + +From: Danilo Krummrich + +commit 1a83a716ec233990e1fd5b6fbb1200ade63bf450 upstream. + +As long as krealloc() is called with __GFP_ZERO consistently, starting +with the initial memory allocation, __GFP_ZERO should be fully honored. + +However, if for an existing allocation krealloc() is called with a +decreased size, it is not ensured that the spare portion the allocation is +zeroed. Thus, if krealloc() is subsequently called with a larger size +again, __GFP_ZERO can't be fully honored, since we don't know the previous +size, but only the bucket size. + +Example: + + buf = kzalloc(64, GFP_KERNEL); + memset(buf, 0xff, 64); + + buf = krealloc(buf, 48, GFP_KERNEL | __GFP_ZERO); + + /* After this call the last 16 bytes are still 0xff. */ + buf = krealloc(buf, 64, GFP_KERNEL | __GFP_ZERO); + +Fix this, by explicitly setting spare memory to zero, when shrinking an +allocation with __GFP_ZERO flag set or init_on_alloc enabled. + +Link: https://lkml.kernel.org/r/20240812223707.32049-1-dakr@kernel.org +Signed-off-by: Danilo Krummrich +Acked-by: Vlastimil Babka +Acked-by: David Rientjes +Cc: Christoph Lameter +Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com> +Cc: Joonsoo Kim +Cc: Pekka Enberg +Cc: Roman Gushchin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/slab_common.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -1072,6 +1072,13 @@ static __always_inline void *__do_kreall + ks = ksize(p); + + if (ks >= new_size) { ++ /* Zero out spare memory. */ ++ if (want_init_on_alloc(flags)) { ++ kasan_disable_current(); ++ memset((void *)p + new_size, 0, ks - new_size); ++ kasan_enable_current(); ++ } ++ + p = kasan_krealloc((void *)p, new_size, flags); + return (void *)p; + } 
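Review bot: The kasan_disable_current()/kasan_enable_current() bracket around the memset has no explanation; `/* Zero out spare memory. */` says what is done but not why reporting has to be suppressed. Presumably the bytes between new_size and ks can already be KASAN-poisoned by an earlier kasan_krealloc() shrink, so writing them would otherwise be reported — worth confirming and then stating, e.g. `/* The tail may be KASAN-poisoned from an earlier shrink; zero it silently so a later __GFP_ZERO grow within the same bucket sees zeroed memory. */`. It would also help to note at the same place that `ks` is the bucket size returned by ksize(), not the previously requested size, which is why the tail cannot be reconstructed on a later grow. __do_krealloc() continues outside the hunk.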
diff --git a/queue-5.10/ocfs2-cancel-dqi_sync_work-before-freeing-oinfo.patch b/queue-5.10/ocfs2-cancel-dqi_sync_work-before-freeing-oinfo.patch new file mode 100644 index 00000000000..12ad59ee5c2 --- /dev/null +++ b/queue-5.10/ocfs2-cancel-dqi_sync_work-before-freeing-oinfo.patch 
@@ -0,0 +1,80 @@ +From 35fccce29feb3706f649726d410122dd81b92c18 Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Wed, 4 Sep 2024 15:10:03 +0800 +Subject: ocfs2: cancel dqi_sync_work before freeing oinfo + +From: Joseph Qi + +commit 35fccce29feb3706f649726d410122dd81b92c18 upstream. + +ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the +end, if error occurs after successfully reading global quota, it will +trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled: + +ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c + +This reports that there is an active delayed work when freeing oinfo in +error handling, so cancel dqi_sync_work first. BTW, return status instead +of -1 when .read_file_info fails. + +Link: https://syzkaller.appspot.com/bug?extid=f7af59df5d6b25f0febd +Link: https://lkml.kernel.org/r/20240904071004.2067695-1-joseph.qi@linux.alibaba.com +Fixes: 171bf93ce11f ("ocfs2: Periodic quota syncing") +Signed-off-by: Joseph Qi +Reviewed-by: Heming Zhao +Reported-by: syzbot+f7af59df5d6b25f0febd@syzkaller.appspotmail.com +Tested-by: syzbot+f7af59df5d6b25f0febd@syzkaller.appspotmail.com +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/quota_local.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/quota_local.c ++++ b/fs/ocfs2/quota_local.c +@@ -689,7 +689,7 @@ static int ocfs2_local_read_info(struct + int status; + struct buffer_head *bh = NULL; + struct ocfs2_quota_recovery *rec; +- int locked = 0; ++ int locked = 0, global_read = 0; + + info->dqi_max_spc_limit = 0x7fffffffffffffffLL; + info->dqi_max_ino_limit = 0x7fffffffffffffffLL; +@@ -697,6 +697,7 @@ static int ocfs2_local_read_info(struct + if (!oinfo) { + mlog(ML_ERROR, "failed to allocate memory for ocfs2 quota" + " info."); ++ status = -ENOMEM; + goto 
out_err; + } + info->dqi_priv = oinfo; +@@ -709,6 +710,7 @@ static int ocfs2_local_read_info(struct + status = ocfs2_global_read_info(sb, type); + if (status < 0) + goto out_err; ++ global_read = 1; + + status = ocfs2_inode_lock(lqinode, &oinfo->dqi_lqi_bh, 1); + if (status < 0) { +@@ -779,10 +781,12 @@ out_err: + if (locked) + ocfs2_inode_unlock(lqinode, 1); + ocfs2_release_local_quota_bitmaps(&oinfo->dqi_chunk); ++ if (global_read) ++ cancel_delayed_work_sync(&oinfo->dqi_sync_work); + kfree(oinfo); + } + brelse(bh); +- return -1; ++ return status; + } + + /* Write local info to quota file */ diff --git a/queue-5.10/ocfs2-fix-null-ptr-deref-when-journal-load-failed.patch b/queue-5.10/ocfs2-fix-null-ptr-deref-when-journal-load-failed.patch new file mode 100644 index 00000000000..7691bb598a2 --- /dev/null +++ b/queue-5.10/ocfs2-fix-null-ptr-deref-when-journal-load-failed.patch 
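Review bot: `return status;` replaces the unconditional -1, so every path that reaches `out_err` must now carry a negative status; the hunk fixes the `!oinfo` path with `status = -ENOMEM;`, but the remaining `goto out_err` sites in ocfs2_local_read_info() are outside this hunk and should be checked for the same gap, otherwise a failure would now be reported as success. Placing cancel_delayed_work_sync() before kfree(oinfo) matches the ODEBUG report, and `global_read` is only set after ocfs2_global_read_info() succeeds, so the cancel cannot run on uninitialised work. A one-line comment at the new cancel would make the ordering constraint explicit: `/* dqi_sync_work was armed by ocfs2_global_read_info(); it must not run after oinfo is freed */`.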
@@ -0,0 +1,65 @@ +From 5784d9fcfd43bd853654bb80c87ef293b9e8e80a Mon Sep 17 00:00:00 2001 +From: Julian Sun +Date: Mon, 2 Sep 2024 11:08:44 +0800 +Subject: ocfs2: fix null-ptr-deref when journal load failed. + +From: Julian Sun + +commit 5784d9fcfd43bd853654bb80c87ef293b9e8e80a upstream. + +During the mounting process, if journal_reset() fails because of too short +journal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer. +Subsequently, ocfs2_journal_shutdown() calls +jbd2_journal_flush()->jbd2_cleanup_journal_tail()-> +__jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail() +->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer +dereference error. + +To resolve this issue, we should check the JBD2_LOADED flag to ensure the +journal was properly loaded. Additionally, use journal instead of +osb->journal directly to simplify the code. + +Link: https://syzkaller.appspot.com/bug?extid=05b9b39d8bdfe1a0861f +Link: https://lkml.kernel.org/r/20240902030844.422725-1-sunjunchao2870@gmail.com +Fixes: f6f50e28f0cb ("jbd2: Fail to load a journal if it is too short") +Signed-off-by: Julian Sun +Reported-by: syzbot+05b9b39d8bdfe1a0861f@syzkaller.appspotmail.com +Suggested-by: Joseph Qi +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/journal.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/ocfs2/journal.c ++++ b/fs/ocfs2/journal.c +@@ -996,7 +996,7 @@ void ocfs2_journal_shutdown(struct ocfs2 + if (!igrab(inode)) + BUG(); + +- num_running_trans = atomic_read(&(osb->journal->j_num_trans)); ++ num_running_trans = atomic_read(&(journal->j_num_trans)); + trace_ocfs2_journal_shutdown(num_running_trans); + + /* Do a commit_cache here. 
It will flush our journal, *and* +@@ -1015,9 +1015,10 @@ void ocfs2_journal_shutdown(struct ocfs2 + osb->commit_task = NULL; + } + +- BUG_ON(atomic_read(&(osb->journal->j_num_trans)) != 0); ++ BUG_ON(atomic_read(&(journal->j_num_trans)) != 0); + +- if (ocfs2_mount_local(osb)) { ++ if (ocfs2_mount_local(osb) && ++ (journal->j_journal->j_flags & JBD2_LOADED)) { + jbd2_journal_lock_updates(journal->j_journal); + status = jbd2_journal_flush(journal->j_journal); + jbd2_journal_unlock_updates(journal->j_journal); diff --git a/queue-5.10/ocfs2-fix-possible-null-ptr-deref-in-ocfs2_set_buffer_uptodate.patch b/queue-5.10/ocfs2-fix-possible-null-ptr-deref-in-ocfs2_set_buffer_uptodate.patch new file mode 100644 index 00000000000..ccecb38a20e --- /dev/null +++ b/queue-5.10/ocfs2-fix-possible-null-ptr-deref-in-ocfs2_set_buffer_uptodate.patch 
@@ -0,0 +1,45 @@
+From 33b525cef4cff49e216e4133cc48452e11c0391e Mon Sep 17 00:00:00 2001
+From: Lizhi Xu
+Date: Mon, 2 Sep 2024 10:36:36 +0800
+Subject: ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate
+
+From: Lizhi Xu
+
+commit 33b525cef4cff49e216e4133cc48452e11c0391e upstream.
+
+When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger
+NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if
+bh is NULL.
+
+Link: https://lkml.kernel.org/r/20240902023636.1843422-3-joseph.qi@linux.alibaba.com
+Fixes: cf76c78595ca ("ocfs2: don't put and assigning null to bh allocated outside")
+Signed-off-by: Lizhi Xu
+Signed-off-by: Joseph Qi
+Reviewed-by: Joseph Qi
+Reported-by: Heming Zhao
+Suggested-by: Heming Zhao
+Cc: [4.20+]
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Joel Becker
+Cc: Jun Piao
+Cc: Junxiao Bi
+Cc: Mark Fasheh
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/buffer_head_io.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ocfs2/buffer_head_io.c
++++ b/fs/ocfs2/buffer_head_io.c
+@@ -390,7 +390,8 @@ read_failure:
+ /* Always set the buffer in the cache, even if it was
+ * a forced read, or read-ahead which hasn't yet
+ * completed. */
+- ocfs2_set_buffer_uptodate(ci, bh);
++ if (bh)
++ ocfs2_set_buffer_uptodate(ci, bh);
+ }
+ ocfs2_metadata_cache_io_unlock(ci);
+
diff --git a/queue-5.10/ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch b/queue-5.10/ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch
new file mode 100644
index 00000000000..3edc13640f6
--- /dev/null
+++ b/queue-5.10/ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch
@@ -0,0 +1,60 @@ +From dfe6c5692fb525e5e90cefe306ee0dffae13d35f Mon Sep 17 00:00:00 2001 +From: Heming Zhao +Date: Fri, 19 Jul 2024 19:43:10 +0800 +Subject: ocfs2: fix the la space leak when unmounting an ocfs2 volume + +From: Heming Zhao + +commit dfe6c5692fb525e5e90cefe306ee0dffae13d35f upstream. + +This bug has existed since the initial OCFS2 code. The code logic in +ocfs2_sync_local_to_main() is wrong, as it ignores the last contiguous +free bits, which causes an OCFS2 volume to lose the last free clusters of +LA window on each umount command. + +Link: https://lkml.kernel.org/r/20240719114310.14245-1-heming.zhao@suse.com +Signed-off-by: Heming Zhao +Reviewed-by: Su Yue +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: Heming Zhao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/localalloc.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/fs/ocfs2/localalloc.c ++++ b/fs/ocfs2/localalloc.c +@@ -1010,6 +1010,25 @@ static int ocfs2_sync_local_to_main(stru + start = bit_off + 1; + } + ++ /* clear the contiguous bits until the end boundary */ ++ if (count) { ++ blkno = la_start_blk + ++ ocfs2_clusters_to_blocks(osb->sb, ++ start - count); ++ ++ trace_ocfs2_sync_local_to_main_free( ++ count, start - count, ++ (unsigned long long)la_start_blk, ++ (unsigned long long)blkno); ++ ++ status = ocfs2_release_clusters(handle, ++ main_bm_inode, ++ main_bm_bh, blkno, ++ count); ++ if (status < 0) ++ mlog_errno(status); ++ } ++ + bail: + if (status) + mlog_errno(status); diff --git a/queue-5.10/ocfs2-fix-uninit-value-in-ocfs2_get_block.patch b/queue-5.10/ocfs2-fix-uninit-value-in-ocfs2_get_block.patch new file mode 100644 index 00000000000..a148f36b220 --- /dev/null +++ b/queue-5.10/ocfs2-fix-uninit-value-in-ocfs2_get_block.patch 
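Review bot: The new block logs a failure twice: `if (status < 0) mlog_errno(status);` is immediately followed by the `bail:` label whose first statement is `if (status) mlog_errno(status);`, so a failing ocfs2_release_clusters() produces two identical error lines. Drop the two new `if (status < 0) mlog_errno(status);` lines and let the existing check at `bail:` report it. The block also repeats the trace-and-release sequence that the loop body uses (the loop is outside the hunk), so a small `static` helper shared by both sites would keep the two copies from drifting apart. ocfs2_sync_local_to_main() starts outside the hunk.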
@@ -0,0 +1,75 @@ +From 2af148ef8549a12f8025286b8825c2833ee6bcb8 Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Wed, 25 Sep 2024 17:06:00 +0800 +Subject: ocfs2: fix uninit-value in ocfs2_get_block() + +From: Joseph Qi + +commit 2af148ef8549a12f8025286b8825c2833ee6bcb8 upstream. + +syzbot reported an uninit-value BUG: + +BUG: KMSAN: uninit-value in ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159 +ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159 +do_mpage_readpage+0xc45/0x2780 fs/mpage.c:225 +mpage_readahead+0x43f/0x840 fs/mpage.c:374 +ocfs2_readahead+0x269/0x320 fs/ocfs2/aops.c:381 +read_pages+0x193/0x1110 mm/readahead.c:160 +page_cache_ra_unbounded+0x901/0x9f0 mm/readahead.c:273 +do_page_cache_ra mm/readahead.c:303 [inline] +force_page_cache_ra+0x3b1/0x4b0 mm/readahead.c:332 +force_page_cache_readahead mm/internal.h:347 [inline] +generic_fadvise+0x6b0/0xa90 mm/fadvise.c:106 +vfs_fadvise mm/fadvise.c:185 [inline] +ksys_fadvise64_64 mm/fadvise.c:199 [inline] +__do_sys_fadvise64 mm/fadvise.c:214 [inline] +__se_sys_fadvise64 mm/fadvise.c:212 [inline] +__x64_sys_fadvise64+0x1fb/0x3a0 mm/fadvise.c:212 +x64_sys_call+0xe11/0x3ba0 +arch/x86/include/generated/asm/syscalls_64.h:222 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x77/0x7f + +This is because when ocfs2_extent_map_get_blocks() fails, p_blkno is +uninitialized. So the error log will trigger the above uninit-value +access. + +The error log is out-of-date since get_blocks() was removed long time ago. +And the error code will be logged in ocfs2_extent_map_get_blocks() once +ocfs2_get_cluster() fails, so fix this by only logging inode and block. 
+ +Link: https://syzkaller.appspot.com/bug?extid=9709e73bae885b05314b +Link: https://lkml.kernel.org/r/20240925090600.3643376-1-joseph.qi@linux.alibaba.com +Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") +Signed-off-by: Joseph Qi +Reported-by: syzbot+9709e73bae885b05314b@syzkaller.appspotmail.com +Tested-by: syzbot+9709e73bae885b05314b@syzkaller.appspotmail.com +Cc: Heming Zhao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/aops.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -158,9 +158,8 @@ int ocfs2_get_block(struct inode *inode, + err = ocfs2_extent_map_get_blocks(inode, iblock, &p_blkno, &count, + &ext_flags); + if (err) { +- mlog(ML_ERROR, "Error %d from get_blocks(0x%p, %llu, 1, " +- "%llu, NULL)\n", err, inode, (unsigned long long)iblock, +- (unsigned long long)p_blkno); ++ mlog(ML_ERROR, "get_blocks() failed, inode: 0x%p, " ++ "block: %llu\n", inode, (unsigned long long)iblock); + goto bail; + } + diff --git a/queue-5.10/ocfs2-remove-unreasonable-unlock-in-ocfs2_read_blocks.patch b/queue-5.10/ocfs2-remove-unreasonable-unlock-in-ocfs2_read_blocks.patch new file mode 100644 index 00000000000..3e2091a0066 --- /dev/null +++ b/queue-5.10/ocfs2-remove-unreasonable-unlock-in-ocfs2_read_blocks.patch 
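Review bot: The rewritten message still names `get_blocks()`, which the commit message itself says was removed long ago; the call being reported is ocfs2_extent_map_get_blocks(), so `mlog(ML_ERROR, "ocfs2_extent_map_get_blocks() failed, inode: 0x%p, block: %llu\n", inode, (unsigned long long)iblock);` would point a reader at the right function. Dropping `p_blkno` from the format is the actual fix and is right given the report that it is not written when the call fails; initialising it at its declaration (outside the hunk) would be a cheap extra guard against any other read on the error path. Since `err` is also no longer logged here, a short comment saying that ocfs2_extent_map_get_blocks() already logs the error code would stop the omission from looking accidental. ocfs2_get_block() starts and ends outside the hunk.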
@@ -0,0 +1,54 @@
+From c03a82b4a0c935774afa01fd6d128b444fd930a1 Mon Sep 17 00:00:00 2001
+From: Lizhi Xu
+Date: Mon, 2 Sep 2024 10:36:35 +0800
+Subject: ocfs2: remove unreasonable unlock in ocfs2_read_blocks
+
+From: Lizhi Xu
+
+commit c03a82b4a0c935774afa01fd6d128b444fd930a1 upstream.
+
+Patch series "Misc fixes for ocfs2_read_blocks", v5.
+
+This series contains 2 fixes for ocfs2_read_blocks(). The first patch fix
+the issue reported by syzbot, which detects bad unlock balance in
+ocfs2_read_blocks(). The second patch fixes an issue reported by Heming
+Zhao when reviewing above fix.
+
+
+This patch (of 2):
+
+There was a lock release before exiting, so remove the unreasonable unlock.
+
+Link: https://lkml.kernel.org/r/20240902023636.1843422-1-joseph.qi@linux.alibaba.com
+Link: https://lkml.kernel.org/r/20240902023636.1843422-2-joseph.qi@linux.alibaba.com
+Fixes: cf76c78595ca ("ocfs2: don't put and assigning null to bh allocated outside")
+Signed-off-by: Lizhi Xu
+Signed-off-by: Joseph Qi
+Reviewed-by: Heming Zhao
+Reviewed-by: Joseph Qi
+Reported-by: syzbot+ab134185af9ef88dfed5@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=ab134185af9ef88dfed5
+Tested-by: syzbot+ab134185af9ef88dfed5@syzkaller.appspotmail.com
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Jun Piao
+Cc: [4.20+]
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/buffer_head_io.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/ocfs2/buffer_head_io.c
++++ b/fs/ocfs2/buffer_head_io.c
+@@ -237,7 +237,6 @@ int ocfs2_read_blocks(struct ocfs2_cachi
+ if (bhs[i] == NULL) {
+ bhs[i] = sb_getblk(sb, block++);
+ if (bhs[i] == NULL) {
+- ocfs2_metadata_cache_io_unlock(ci);
+ status = -ENOMEM;
+ mlog_errno(status);
+ /* Don't forget to put previous bh! */
diff --git a/queue-5.10/ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch b/queue-5.10/ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch new file mode 100644 index 00000000000..95358404df4 --- /dev/null +++ b/queue-5.10/ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch 
@@ -0,0 +1,154 @@ +From 5ca60b86f57a4d9648f68418a725b3a7de2816b0 Mon Sep 17 00:00:00 2001 +From: Gautham Ananthakrishna +Date: Wed, 18 Sep 2024 06:38:44 +0000 +Subject: ocfs2: reserve space for inline xattr before attaching reflink tree + +From: Gautham Ananthakrishna + +commit 5ca60b86f57a4d9648f68418a725b3a7de2816b0 upstream. + +One of our customers reported a crash and a corrupted ocfs2 filesystem. +The crash was due to the detection of corruption. Upon troubleshooting, +the fsck -fn output showed the below corruption + +[EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, +but fsck believes the largest valid value is 227. Clamp the next record value? n + +The stat output from the debugfs.ocfs2 showed the following corruption +where the "Next Free Rec:" had overshot the "Count:" in the root metadata +block. + + Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) + FS Generation: 904309833 (0x35e6ac49) + CRC32: 00000000 ECC: 0000 + Type: Regular Attr: 0x0 Flags: Valid + Dynamic Features: (0x16) HasXattr InlineXattr Refcounted + Extended Attributes Block: 0 Extended Attributes Inline Size: 256 + User: 0 (root) Group: 0 (root) Size: 281320357888 + Links: 1 Clusters: 141738 + ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 + atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 + mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 + dtime: 0x0 -- Wed Dec 31 17:00:00 1969 + Refcount Block: 2777346 + Last Extblk: 2886943 Orphan Slot: 0 + Sub Alloc Slot: 0 Sub Alloc Bit: 14 + Tree Depth: 1 Count: 227 Next Free Rec: 230 + ## Offset Clusters Block# + 0 0 2310 2776351 + 1 2310 2139 2777375 + 2 4449 1221 2778399 + 3 5670 731 2779423 + 4 6401 566 2780447 + ....... .... ....... + ....... .... ....... + +The issue was in the reflink workfow while reserving space for inline +xattr. The problematic function is ocfs2_reflink_xattr_inline(). 
By the +time this function is called the reflink tree is already recreated at the +destination inode from the source inode. At this point, this function +reserves space for inline xattrs at the destination inode without even +checking if there is space at the root metadata block. It simply reduces +the l_count from 243 to 227 thereby making space of 256 bytes for inline +xattr whereas the inode already has extents beyond this index (in this +case up to 230), thereby causing corruption. + +The fix for this is to reserve space for inline metadata at the destination +inode before the reflink tree gets recreated. The customer has verified the +fix. + +Link: https://lkml.kernel.org/r/20240918063844.1830332-1-gautham.ananthakrishna@oracle.com +Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") +Signed-off-by: Gautham Ananthakrishna +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- + fs/ocfs2/xattr.c | 11 +---------- + 2 files changed, 25 insertions(+), 12 deletions(-) + +--- a/fs/ocfs2/refcounttree.c ++++ b/fs/ocfs2/refcounttree.c +@@ -27,6 +27,7 @@ + #include "namei.h" + #include "ocfs2_trace.h" + #include "file.h" ++#include "symlink.h" + + #include + #include +@@ -4184,8 +4185,9 @@ static int __ocfs2_reflink(struct dentry + int ret; + struct inode *inode = d_inode(old_dentry); + struct buffer_head *new_bh = NULL; ++ struct ocfs2_inode_info *oi = OCFS2_I(inode); + +- if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ++ if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + ret = -EINVAL; + mlog_errno(ret); + goto out; +@@ -4211,6 +4213,26 @@ static int __ocfs2_reflink(struct dentry + goto out_unlock; + } + ++ if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && ++ (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { ++ /* ++ * Adjust extent record count to reserve 
space for extended attribute. ++ * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). ++ */ ++ struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); ++ ++ if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && ++ !(ocfs2_inode_is_fast_symlink(new_inode))) { ++ struct ocfs2_dinode *new_di = (struct ocfs2_dinode *)new_bh->b_data; ++ struct ocfs2_dinode *old_di = (struct ocfs2_dinode *)old_bh->b_data; ++ struct ocfs2_extent_list *el = &new_di->id2.i_list; ++ int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); ++ ++ le16_add_cpu(&el->l_count, -(inline_size / ++ sizeof(struct ocfs2_extent_rec))); ++ } ++ } ++ + ret = ocfs2_create_reflink_node(inode, old_bh, + new_inode, new_bh, preserve); + if (ret) { +@@ -4218,7 +4240,7 @@ static int __ocfs2_reflink(struct dentry + goto inode_unlock; + } + +- if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ++ if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + ret = ocfs2_reflink_xattrs(inode, old_bh, + new_inode, new_bh, + preserve); +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -6526,16 +6526,7 @@ static int ocfs2_reflink_xattr_inline(st + } + + new_oi = OCFS2_I(args->new_inode); +- /* +- * Adjust extent record count to reserve space for extended attribute. +- * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). +- */ +- if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && +- !(ocfs2_inode_is_fast_symlink(args->new_inode))) { +- struct ocfs2_extent_list *el = &new_di->id2.i_list; +- le16_add_cpu(&el->l_count, -(inline_size / +- sizeof(struct ocfs2_extent_rec))); +- } ++ + spin_lock(&new_oi->ip_lock); + new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; + new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); diff --git a/queue-5.10/of-irq-support-msi-cells-0-in-of_msi_get_domain.patch b/queue-5.10/of-irq-support-msi-cells-0-in-of_msi_get_domain.patch new file mode 100644 index 00000000000..5a61961e0a9 --- /dev/null 
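Review bot: The l_count adjustment is now order-sensitive — it has to run before ocfs2_create_reflink_node() fills the destination extent list — but the moved comment only says what the adjustment does, not that the ordering is the whole point of the fix; suggest adding `/* Must precede ocfs2_create_reflink_node(): shrinking l_count once extents exist leaves l_next_free_rec > l_count. */` above the `if`. A check that `le16_to_cpu(el->l_next_free_rec)` does not already exceed the reduced count, failing the reflink instead of writing the inode, would turn the corruption class this fixes into a detected error, though whether an error return is acceptable here depends on callers outside the hunk. In the xattr.c hunk, if `inline_size` was consumed only by the removed block it is now an unused local, and the replacement leaves a stray blank `+` line before `spin_lock(&new_oi->ip_lock);`. __ocfs2_reflink() starts and ends outside the hunk.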
+++ b/queue-5.10/of-irq-support-msi-cells-0-in-of_msi_get_domain.patch 
@@ -0,0 +1,102 @@
+From db8e81132cf051843c9a59b46fa5a071c45baeb3 Mon Sep 17 00:00:00 2001
+From: Andrew Jones
+Date: Sat, 17 Aug 2024 09:41:08 +0200
+Subject: of/irq: Support #msi-cells=<0> in of_msi_get_domain
+
+From: Andrew Jones
+
+commit db8e81132cf051843c9a59b46fa5a071c45baeb3 upstream.
+
+An 'msi-parent' property with a single entry and no accompanying
+'#msi-cells' property is considered the legacy definition as opposed
+to its definition after being expanded with commit 126b16e2ad98
+("Docs: dt: add generic MSI bindings"). However, the legacy
+definition is completely compatible with the current definition and,
+since of_phandle_iterator_next() tolerates missing and present-but-
+zero *cells properties since commit e42ee61017f5 ("of: Let
+of_for_each_phandle fallback to non-negative cell_count"), there's no
+need anymore to special case the legacy definition in
+of_msi_get_domain().
+
+Indeed, special casing has turned out to be harmful, because, as of
+commit 7c025238b47a ("dt-bindings: irqchip: Describe the IMX MU block
+as a MSI controller"), MSI controller DT bindings have started
+specifying '#msi-cells' as a required property (even when the value
+must be zero) as an effort to make the bindings more explicit. But,
+since the special casing of 'msi-parent' only uses the existence of
+'#msi-cells' for its heuristic, and not whether or not it's also
+nonzero, the legacy path is not taken. Furthermore, the path to
+support the new, broader definition isn't taken either since that
+path has been restricted to the platform-msi bus.
+
+But, neither the definition of 'msi-parent' nor the definition of
+'#msi-cells' is platform-msi-specific (the platform-msi bus was just
+the first bus that needed '#msi-cells'), so remove both the special
+casing and the restriction. The code removal also requires changing
+to of_parse_phandle_with_optional_args() in order to ensure the
+legacy (but compatible) use of 'msi-parent' remains supported. This
+not only simplifies the code but also resolves an issue with PCI
+devices finding their MSI controllers on riscv, as the riscv,imsics
+binding requires '#msi-cells=<0>'.
+
+Signed-off-by: Andrew Jones
+Link: https://lore.kernel.org/r/20240817074107.31153-2-ajones@ventanamicro.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Herring (Arm)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/of/irq.c | 34 +++++++---------------------------
+ 1 file changed, 7 insertions(+), 27 deletions(-)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -642,8 +642,7 @@ struct irq_domain *of_msi_map_get_device
+ * @np: device node for @dev
+ * @token: bus type for this domain
+ *
+- * Parse the msi-parent property (both the simple and the complex
+- * versions), and returns the corresponding MSI domain.
++ * Parse the msi-parent property and returns the corresponding MSI domain.
+ *
+ * Returns: the MSI domain for this device (or NULL on failure).
+ */
+@@ -651,33 +650,14 @@ struct irq_domain *of_msi_get_domain(str
+ struct device_node *np,
+ enum irq_domain_bus_token token)
+ {
+- struct device_node *msi_np;
++ struct of_phandle_iterator it;
+ struct irq_domain *d;
++ int err;
+
+- /* Check for a single msi-parent property */
+- msi_np = of_parse_phandle(np, "msi-parent", 0);
+- if (msi_np && !of_property_read_bool(msi_np, "#msi-cells")) {
+- d = irq_find_matching_host(msi_np, token);
+- if (!d)
+- of_node_put(msi_np);
+- return d;
+- }
+-
+- if (token == DOMAIN_BUS_PLATFORM_MSI) {
+- /* Check for the complex msi-parent version */
+- struct of_phandle_args args;
+- int index = 0;
+-
+- while (!of_parse_phandle_with_args(np, "msi-parent",
+- "#msi-cells",
+- index, &args)) {
+- d = irq_find_matching_host(args.np, token);
+- if (d)
+- return d;
+-
+- of_node_put(args.np);
+- index++;
+- }
++ of_for_each_phandle(&it, err, np, "msi-parent", "#msi-cells", 0) {
++ d = irq_find_matching_host(it.node, token);
++ if (d)
++ return d;
+ }
+
+ return NULL;
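Review bot: The `return d` inside the new `of_for_each_phandle()` loop in of_msi_get_domain() exits with `it.node` still holding the device-node reference that, as far as I recall, `of_phandle_iterator_next()` only drops on the following iteration. The removed code retained the reference on a successful match as well (it called `of_node_put()` only when no domain was found), so this is pre-existing behaviour rather than a regression, but an early return out of an iterator loop makes the retained reference easy to miss. If the node does not need to stay pinned for the returned domain, `of_node_put(it.node);` immediately before `return d;` balances it; if keeping it is intentional, a comment such as `/* it.node reference deliberately kept on success, as before */` would record that. Note also that `err` is used only to end the loop, so a malformed msi-parent/#msi-cells pair and "no matching domain" both collapse into the same NULL return.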
diff --git a/queue-5.10/parisc-fix-64-bit-userspace-syscall-path.patch b/queue-5.10/parisc-fix-64-bit-userspace-syscall-path.patch
new file mode 100644
index 00000000000..82e0f14d838
--- /dev/null
+++ b/queue-5.10/parisc-fix-64-bit-userspace-syscall-path.patch
@@ -0,0 +1,64 @@
+From d24449864da5838936669618356b0e30ca2999c3 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sun, 8 Sep 2024 00:40:38 +0200
+Subject: parisc: Fix 64-bit userspace syscall path
+
+From: Helge Deller
+
+commit d24449864da5838936669618356b0e30ca2999c3 upstream.
+
+Currently the glibc isn't yet ported to 64-bit for hppa, so
+there is no usable userspace available yet.
+But it's possible to manually build a static 64-bit binary
+and run that for testing. One such 64-bit test program is
+available at http://ftp.parisc-linux.org/src/64bit.tar.gz
+and it shows various issues with the existing 64-bit syscall
+path in the kernel.
+This patch fixes those issues.
+
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/kernel/syscall.S | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/arch/parisc/kernel/syscall.S
++++ b/arch/parisc/kernel/syscall.S
+@@ -217,10 +217,10 @@ linux_gateway_entry:
+
+ #ifdef CONFIG_64BIT
+ ldil L%sys_call_table, %r1
+- or,= %r2,%r2,%r2
+- addil L%(sys_call_table64-sys_call_table), %r1
++ or,ev %r2,%r2,%r2
++ ldil L%sys_call_table64, %r1
+ ldo R%sys_call_table(%r1), %r19
+- or,= %r2,%r2,%r2
++ or,ev %r2,%r2,%r2
+ ldo R%sys_call_table64(%r1), %r19
+ #else
+ load32 sys_call_table, %r19
+@@ -355,10 +355,10 @@ tracesys_next:
+ extrd,u %r19,63,1,%r2 /* W hidden in bottom bit */
+
+ ldil L%sys_call_table, %r1
+- or,= %r2,%r2,%r2
+- addil L%(sys_call_table64-sys_call_table), %r1
++ or,ev %r2,%r2,%r2
++ ldil L%sys_call_table64, %r1
+ ldo R%sys_call_table(%r1), %r19
+- or,= %r2,%r2,%r2
++ or,ev %r2,%r2,%r2
+ ldo R%sys_call_table64(%r1), %r19
+ #else
+ load32 sys_call_table, %r19
+@@ -931,6 +931,8 @@ ENTRY(sys_call_table)
+ END(sys_call_table)
+
+ #ifdef CONFIG_64BIT
++#undef __SYSCALL_WITH_COMPAT
++#define __SYSCALL_WITH_COMPAT(nr, native, compat) __SYSCALL(nr, native)
+ .align 8
+ ENTRY(sys_call_table64)
+ #include /* 64-bit native syscalls */
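Review bot: The two `or,ev %r2,%r2,%r2` nullification sequences in syscall.S both depend on %r2 holding exactly the W bit, but only the tracesys_next hunk carries the `/* W hidden in bottom bit */` hint; the linux_gateway_entry hunk at line 217 shows no such note in its visible context. A comment above the first `or,ev`, e.g. `/* %r2 = W bit: nullify the 64-bit table load for 32-bit callers */`, would make the condition and the duplicated four-instruction sequence readable (if I read the PA-RISC conditions correctly, `,ev` nullifies when the result is even, i.e. W == 0). The `#undef`/`#define __SYSCALL_WITH_COMPAT` pair added before `ENTRY(sys_call_table64)` redefines a macro presumably supplied by the generated table header and stays in effect for anything included after it in this file; a one-line comment stating that the 64-bit table deliberately routes compat entries to the native handler would help the next reader. The rendered page has dropped the `#include` target on the last hunk line (it shows `#include /* 64-bit native syscalls */`), so the header actually included cannot be checked from here.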
diff --git a/queue-5.10/parisc-fix-stack-start-for-addr_no_randomize-personality.patch b/queue-5.10/parisc-fix-stack-start-for-addr_no_randomize-personality.patch
new file mode 100644
index 00000000000..2e141fc547f
--- /dev/null
+++ b/queue-5.10/parisc-fix-stack-start-for-addr_no_randomize-personality.patch
@@ -0,0 +1,75 @@
+From f31b256994acec6929306dfa86ac29716e7503d6 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sat, 7 Sep 2024 18:28:11 +0200
+Subject: parisc: Fix stack start for ADDR_NO_RANDOMIZE personality
+
+From: Helge Deller
+
+commit f31b256994acec6929306dfa86ac29716e7503d6 upstream.
+
+Fix the stack start address calculation for the parisc architecture in
+setup_arg_pages() when address randomization is disabled. When the
+ADDR_NO_RANDOMIZE process personality is disabled there is no need to add
+additional space for the stack.
+Note that this patch touches code inside an #ifdef CONFIG_STACK_GROWSUP hunk,
+which is why only the parisc architecture is affected since it's the
+only Linux architecture where the stack grows upwards.
+
+Without this patch you will find the stack in the middle of some
+mapped libaries and suddenly limited to 6MB instead of 8MB:
+
+root@parisc:~# setarch -R /bin/bash -c "cat /proc/self/maps"
+00010000-00019000 r-xp 00000000 08:05 1182034 /usr/bin/cat
+00019000-0001a000 rwxp 00009000 08:05 1182034 /usr/bin/cat
+0001a000-0003b000 rwxp 00000000 00:00 0 [heap]
+f90c4000-f9283000 r-xp 00000000 08:05 1573004 /usr/lib/hppa-linux-gnu/libc.so.6
+f9283000-f9285000 r--p 001bf000 08:05 1573004 /usr/lib/hppa-linux-gnu/libc.so.6
+f9285000-f928a000 rwxp 001c1000 08:05 1573004 /usr/lib/hppa-linux-gnu/libc.so.6
+f928a000-f9294000 rwxp 00000000 00:00 0
+f9301000-f9323000 rwxp 00000000 00:00 0 [stack]
+f98b4000-f98e4000 r-xp 00000000 08:05 1572869 /usr/lib/hppa-linux-gnu/ld.so.1
+f98e4000-f98e5000 r--p 00030000 08:05 1572869 /usr/lib/hppa-linux-gnu/ld.so.1
+f98e5000-f98e9000 rwxp 00031000 08:05 1572869 /usr/lib/hppa-linux-gnu/ld.so.1
+f9ad8000-f9b00000 rw-p 00000000 00:00 0
+f9b00000-f9b01000 r-xp 00000000 00:00 0 [vdso]
+
+With the patch the stack gets correctly mapped at the end
+of the process memory map:
+
+root@panama:~# setarch -R /bin/bash -c "cat /proc/self/maps"
+00010000-00019000 r-xp 00000000 08:13 16385582 /usr/bin/cat
+00019000-0001a000 rwxp 00009000 08:13 16385582 /usr/bin/cat
+0001a000-0003b000 rwxp 00000000 00:00 0 [heap]
+fef29000-ff0eb000 r-xp 00000000 08:13 16122400 /usr/lib/hppa-linux-gnu/libc.so.6
+ff0eb000-ff0ed000 r--p 001c2000 08:13 16122400 /usr/lib/hppa-linux-gnu/libc.so.6
+ff0ed000-ff0f2000 rwxp 001c4000 08:13 16122400 /usr/lib/hppa-linux-gnu/libc.so.6
+ff0f2000-ff0fc000 rwxp 00000000 00:00 0
+ff4b4000-ff4e4000 r-xp 00000000 08:13 16121913 /usr/lib/hppa-linux-gnu/ld.so.1
+ff4e4000-ff4e6000 r--p 00030000 08:13 16121913 /usr/lib/hppa-linux-gnu/ld.so.1
+ff4e6000-ff4ea000 rwxp 00032000 08:13 16121913 /usr/lib/hppa-linux-gnu/ld.so.1
+ff6d7000-ff6ff000 rw-p 00000000 00:00 0
+ff6ff000-ff700000 r-xp 00000000 00:00 0 [vdso]
+ff700000-ff722000 rwxp 00000000 00:00 0 [stack]
+
+Reported-by: Camm Maguire
+Signed-off-by: Helge Deller
+Fixes: d045c77c1a69 ("parisc,metag: Fix crashes due to stack randomization on stack-grows-upwards architectures")
+Fixes: 17d9822d4b4c ("parisc: Consider stack randomization for mmap base only when necessary")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/exec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -766,7 +766,8 @@ int setup_arg_pages(struct linux_binprm
+ stack_base = STACK_SIZE_MAX;
+
+ /* Add space for stack randomization. */
+- stack_base += (STACK_RND_MASK << PAGE_SHIFT);
++ if (current->flags & PF_RANDOMIZE)
++ stack_base += (STACK_RND_MASK << PAGE_SHIFT);
+
+ /* Make sure we didn't let the argument array grow too large. */
+ if (vma->vm_end - vma->vm_start > stack_base)
diff --git a/queue-5.10/series b/queue-5.10/series
index 1e644aa75c4..a9191b0e3b5 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
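Review bot: The comment above the new conditional in setup_arg_pages() still reads `/* Add space for stack randomization. */` and no longer says that the slack is now conditional; `/* Add space for stack randomization, only when this exec randomizes (PF_RANDOMIZE). */` would keep it accurate. The `current->flags & PF_RANDOMIZE` test should be the same gate the architecture's stack-top randomization uses, so that the space reserved here and the offset actually applied can never disagree in either direction; that is worth confirming against the callers outside this hunk, since only the CONFIG_STACK_GROWSUP branch is visible. The commit message sentence "When the ADDR_NO_RANDOMIZE process personality is disabled there is no need to add additional space" reads inverted relative to the code, which skips the slack when randomization is off. setup_arg_pages() begins and ends outside the hunk.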
@@ -387,3 +387,17 @@ ext4-aovid-use-after-free-in-ext4_ext_insert_extent.patch
 ext4-fix-double-brelse-the-buffer-of-the-extents-path.patch
 ext4-update-orig_path-in-ext4_find_extent.patch
 ext4-fix-incorrect-tid-assumption-in-ext4_wait_for_tail_page_commit.patch
+parisc-fix-64-bit-userspace-syscall-path.patch
+parisc-fix-stack-start-for-addr_no_randomize-personality.patch
+of-irq-support-msi-cells-0-in-of_msi_get_domain.patch
+drm-omapdrm-add-missing-check-for-alloc_ordered_workqueue.patch
+jbd2-stop-waiting-for-space-when-jbd2_cleanup_journal_tail-returns-error.patch
+jbd2-correctly-compare-tids-with-tid_geq-function-in-jbd2_fc_begin_commit.patch
+mm-krealloc-consider-spare-memory-for-__gfp_zero.patch
+ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch
+ocfs2-fix-uninit-value-in-ocfs2_get_block.patch
+ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch
+ocfs2-cancel-dqi_sync_work-before-freeing-oinfo.patch
+ocfs2-remove-unreasonable-unlock-in-ocfs2_read_blocks.patch
+ocfs2-fix-null-ptr-deref-when-journal-load-failed.patch
+ocfs2-fix-possible-null-ptr-deref-in-ocfs2_set_buffer_uptodate.patch