From: Greg Kroah-Hartman Date: Thu, 18 Jan 2024 10:31:58 +0000 (+0100) Subject: 6.7-stable patches X-Git-Tag: v6.1.74~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=50d0ed748c56afd4f57e6323b5833d5d91d53d23;p=thirdparty%2Fkernel%2Fstable-queue.git 6.7-stable patches added patches: binder-fix-comment-on-binder_alloc_new_buf-return-value.patch binder-fix-trivial-typo-of-binder_free_buf_locked.patch binder-fix-use-after-free-in-shinker-s-callback.patch binder-use-epollerr-from-eventpoll.h.patch coresight-etm4x-fix-width-of-ccitmin-field.patch docs-kernel_feat.py-fix-potential-command-injection.patch ksmbd-don-t-allow-o_trunc-open-on-read-only-share.patch ksmbd-free-ppace-array-on-error-in-parse_dacl.patch leds-ledtrig-tty-free-allocated-ttyname-buffer-on-deactivate.patch mm-memory_hotplug-fix-memmap_on_memory-sysfs-value-retrieval.patch parport-parport_serial-add-brainboxes-bar-details.patch parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch uio-fix-use-after-free-in-uio_open.patch
---
diff --git a/queue-6.7/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch b/queue-6.7/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
new file mode 100644
index 00000000000..f2e4ebe16e3
--- /dev/null
+++ b/queue-6.7/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
@@ -0,0 +1,35 @@ +From e1090371e02b601cbfcea175c2a6cc7c955fa830 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Fri, 1 Dec 2023 17:21:36 +0000 +Subject: binder: fix comment on binder_alloc_new_buf() return value + +From: Carlos Llamas + +commit e1090371e02b601cbfcea175c2a6cc7c955fa830 upstream. + +Update the comments of binder_alloc_new_buf() to reflect that the return +value of the function is now ERR_PTR(-errno) on failure. + +No functional changes in this patch. + +Cc: stable@vger.kernel.org +Fixes: 57ada2fb2250 ("binder: add log information for binder transaction failures") +Reviewed-by: Alice Ryhl +Signed-off-by: Carlos Llamas +Link: https://lore.kernel.org/r/20231201172212.1813387-8-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -557,7 +557,7 @@ err_alloc_buf_struct_failed: + * is the sum of the three given sizes (each rounded up to + * pointer-sized boundary) + * +- * Return: The allocated buffer or %NULL if error ++ * Return: The allocated buffer or %ERR_PTR(-errno) if error + */ + struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc, + size_t data_size, diff --git a/queue-6.7/binder-fix-trivial-typo-of-binder_free_buf_locked.patch b/queue-6.7/binder-fix-trivial-typo-of-binder_free_buf_locked.patch new file mode 100644 index 00000000000..9287304afd5 --- /dev/null +++ b/queue-6.7/binder-fix-trivial-typo-of-binder_free_buf_locked.patch 
@@ -0,0 +1,34 @@ +From 122a3c1cb0ff304c2b8934584fcfea4edb2fe5e3 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Fri, 1 Dec 2023 17:21:35 +0000 +Subject: binder: fix trivial typo of binder_free_buf_locked() + +From: Carlos Llamas + +commit 122a3c1cb0ff304c2b8934584fcfea4edb2fe5e3 upstream. + +Fix minor misspelling of the function in the comment section. + +No functional changes in this patch. + +Cc: stable@vger.kernel.org +Fixes: 0f966cba95c7 ("binder: add flag to clear buffer on txn complete") +Reviewed-by: Alice Ryhl +Signed-off-by: Carlos Llamas +Link: https://lore.kernel.org/r/20231201172212.1813387-7-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -706,7 +706,7 @@ void binder_alloc_free_buf(struct binder + /* + * We could eliminate the call to binder_alloc_clear_buf() + * from binder_alloc_deferred_release() by moving this to +- * binder_alloc_free_buf_locked(). However, that could ++ * binder_free_buf_locked(). However, that could + * increase contention for the alloc mutex if clear_on_free + * is used frequently for large buffers. The mutex is not + * needed for correctness here. diff --git a/queue-6.7/binder-fix-use-after-free-in-shinker-s-callback.patch b/queue-6.7/binder-fix-use-after-free-in-shinker-s-callback.patch new file mode 100644 index 00000000000..aefa7ef9921 --- /dev/null +++ b/queue-6.7/binder-fix-use-after-free-in-shinker-s-callback.patch 
@@ -0,0 +1,102 @@ +From 3f489c2067c5824528212b0fc18b28d51332d906 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Fri, 1 Dec 2023 17:21:31 +0000 +Subject: binder: fix use-after-free in shinker's callback + +From: Carlos Llamas + +commit 3f489c2067c5824528212b0fc18b28d51332d906 upstream. + +The mmap read lock is used during the shrinker's callback, which means +that using alloc->vma pointer isn't safe as it can race with munmap(). +As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in +munmap") the mmap lock is downgraded after the vma has been isolated. + +I was able to reproduce this issue by manually adding some delays and +triggering page reclaiming through the shrinker's debug sysfs. The +following KASAN report confirms the UAF: + + ================================================================== + BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8 + Read of size 8 at addr ffff356ed50e50f0 by task bash/478 + + CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70 + Hardware name: linux,dummy-virt (DT) + Call trace: + zap_page_range_single+0x470/0x4b8 + binder_alloc_free_page+0x608/0xadc + __list_lru_walk_one+0x130/0x3b0 + list_lru_walk_node+0xc4/0x22c + binder_shrink_scan+0x108/0x1dc + shrinker_debugfs_scan_write+0x2b4/0x500 + full_proxy_write+0xd4/0x140 + vfs_write+0x1ac/0x758 + ksys_write+0xf0/0x1dc + __arm64_sys_write+0x6c/0x9c + + Allocated by task 492: + kmem_cache_alloc+0x130/0x368 + vm_area_alloc+0x2c/0x190 + mmap_region+0x258/0x18bc + do_mmap+0x694/0xa60 + vm_mmap_pgoff+0x170/0x29c + ksys_mmap_pgoff+0x290/0x3a0 + __arm64_sys_mmap+0xcc/0x144 + + Freed by task 491: + kmem_cache_free+0x17c/0x3c8 + vm_area_free_rcu_cb+0x74/0x98 + rcu_core+0xa38/0x26d4 + rcu_core_si+0x10/0x1c + __do_softirq+0x2fc/0xd24 + + Last potentially related work creation: + __call_rcu_common.constprop.0+0x6c/0xba0 + call_rcu+0x10/0x1c + vm_area_free+0x18/0x24 + remove_vma+0xe4/0x118 + 
do_vmi_align_munmap.isra.0+0x718/0xb5c + do_vmi_munmap+0xdc/0x1fc + __vm_munmap+0x10c/0x278 + __arm64_sys_munmap+0x58/0x7c + +Fix this issue by performing instead a vma_lookup() which will fail to +find the vma that was isolated before the mmap lock downgrade. Note that +this option has better performance than upgrading to a mmap write lock +which would increase contention. Plus, mmap_write_trylock() has been +recently removed anyway. + +Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") +Cc: stable@vger.kernel.org +Cc: Liam Howlett +Cc: Minchan Kim +Reviewed-by: Alice Ryhl +Signed-off-by: Carlos Llamas +Link: https://lore.kernel.org/r/20231201172212.1813387-3-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder_alloc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -1005,7 +1005,9 @@ enum lru_status binder_alloc_free_page(s + goto err_mmget; + if (!mmap_read_trylock(mm)) + goto err_mmap_read_lock_failed; +- vma = binder_alloc_get_vma(alloc); ++ vma = vma_lookup(mm, page_addr); ++ if (vma && vma != binder_alloc_get_vma(alloc)) ++ goto err_invalid_vma; + + list_lru_isolate(lru, item); + spin_unlock(lock); +@@ -1031,6 +1033,8 @@ enum lru_status binder_alloc_free_page(s + mutex_unlock(&alloc->mutex); + return LRU_REMOVED_RETRY; + ++err_invalid_vma: ++ mmap_read_unlock(mm); + err_mmap_read_lock_failed: + mmput_async(mm); + err_mmget: diff --git a/queue-6.7/binder-use-epollerr-from-eventpoll.h.patch b/queue-6.7/binder-use-epollerr-from-eventpoll.h.patch new file mode 100644 index 00000000000..11f1abf90ef --- /dev/null +++ b/queue-6.7/binder-use-epollerr-from-eventpoll.h.patch 
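Review bot: The new `vma_lookup()` check in binder_alloc_free_page() carries no comment explaining why `alloc->vma` must not be used directly, so the reasoning lives only in the commit message. I would add above the lookup: `/* alloc->vma can race with munmap() while only the mmap read lock is held; look the vma up again and use alloc->vma for comparison only, never dereference it here */`. Note also that a NULL result from `vma_lookup()` does not take the `err_invalid_vma` path and falls through to `list_lru_isolate()`, so the code after the hunk has to tolerate `vma == NULL`. That part of the function is outside the hunk and should be confirmed.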
@@ -0,0 +1,38 @@ +From 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Fri, 1 Dec 2023 17:21:30 +0000 +Subject: binder: use EPOLLERR from eventpoll.h + +From: Carlos Llamas + +commit 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 upstream. + +Use EPOLLERR instead of POLLERR to make sure it is cast to the correct +__poll_t type. This fixes the following sparse issue: + + drivers/android/binder.c:5030:24: warning: incorrect type in return expression (different base types) + drivers/android/binder.c:5030:24: expected restricted __poll_t + drivers/android/binder.c:5030:24: got int + +Fixes: f88982679f54 ("binder: check for binder_thread allocation failure in binder_poll()") +Cc: stable@vger.kernel.org +Cc: Eric Biggers +Reviewed-by: Alice Ryhl +Signed-off-by: Carlos Llamas +Link: https://lore.kernel.org/r/20231201172212.1813387-2-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -5030,7 +5030,7 @@ static __poll_t binder_poll(struct file + + thread = binder_get_thread(proc); + if (!thread) +- return POLLERR; ++ return EPOLLERR; + + binder_inner_proc_lock(thread->proc); + thread->looper |= BINDER_LOOPER_STATE_POLL; diff --git a/queue-6.7/coresight-etm4x-fix-width-of-ccitmin-field.patch b/queue-6.7/coresight-etm4x-fix-width-of-ccitmin-field.patch new file mode 100644 index 00000000000..479ebdfe604 --- /dev/null +++ b/queue-6.7/coresight-etm4x-fix-width-of-ccitmin-field.patch 
@@ -0,0 +1,47 @@ +From cc0271a339cc70cae914c3ec20edc2a8058407da Mon Sep 17 00:00:00 2001 +From: James Clark +Date: Wed, 1 Nov 2023 11:52:06 +0000 +Subject: coresight: etm4x: Fix width of CCITMIN field + +From: James Clark + +commit cc0271a339cc70cae914c3ec20edc2a8058407da upstream. + +CCITMIN is a 12 bit field and doesn't fit in a u8, so extend it to u16. +This probably wasn't an issue previously because values higher than 255 +never occurred. + +But since commit 4aff040bcc8d ("coresight: etm: Override TRCIDR3.CCITMIN +on errata affected cpus"), a comparison with 256 was done to enable the +errata, generating the following W=1 build error: + + coresight-etm4x-core.c:1188:24: error: result of comparison of + constant 256 with expression of type 'u8' (aka 'unsigned char') is + always false [-Werror,-Wtautological-constant-out-of-range-compare] + + if (drvdata->ccitmin == 256) + +Cc: stable@vger.kernel.org +Fixes: 2e1cdfe184b5 ("coresight-etm4x: Adding CoreSight ETM4x driver") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202310302043.as36UFED-lkp@intel.com/ +Reviewed-by: Mike Leach +Signed-off-by: James Clark +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20231101115206.70810-1-james.clark@arm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-etm4x.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-etm4x.h ++++ b/drivers/hwtracing/coresight/coresight-etm4x.h +@@ -1036,7 +1036,7 @@ struct etmv4_drvdata { + u8 ctxid_size; + u8 vmid_size; + u8 ccsize; +- u8 ccitmin; ++ u16 ccitmin; + u8 s_ex_level; + u8 ns_ex_level; + u8 q_support; diff --git a/queue-6.7/docs-kernel_feat.py-fix-potential-command-injection.patch b/queue-6.7/docs-kernel_feat.py-fix-potential-command-injection.patch new file mode 100644 index 00000000000..9b681db1e58 --- /dev/null +++ b/queue-6.7/docs-kernel_feat.py-fix-potential-command-injection.patch 
@@ -0,0 +1,293 @@ +From c48a7c44a1d02516309015b6134c9bb982e17008 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Wed, 10 Jan 2024 18:47:58 +0100 +Subject: docs: kernel_feat.py: fix potential command injection + +From: Vegard Nossum + +commit c48a7c44a1d02516309015b6134c9bb982e17008 upstream. + +The kernel-feat directive passes its argument straight to the shell. +This is unfortunate and unnecessary. + +Let's always use paths relative to $srctree/Documentation/ and use +subprocess.check_call() instead of subprocess.Popen(shell=True). + +This also makes the code shorter. + +This is analogous to commit 3231dd586277 ("docs: kernel_abi.py: fix +command injection") where we did exactly the same thing for +kernel_abi.py, somehow I completely missed this one. + +Link: https://fosstodon.org/@jani/111676532203641247 +Reported-by: Jani Nikula +Signed-off-by: Vegard Nossum +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Link: https://lore.kernel.org/r/20240110174758.3680506-1-vegard.nossum@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/features.rst | 2 + Documentation/arch/arc/features.rst | 2 + Documentation/arch/arm/features.rst | 2 + Documentation/arch/arm64/features.rst | 2 + Documentation/arch/loongarch/features.rst | 2 + Documentation/arch/m68k/features.rst | 2 + Documentation/arch/mips/features.rst | 2 + Documentation/arch/nios2/features.rst | 2 + Documentation/arch/openrisc/features.rst | 2 + Documentation/arch/parisc/features.rst | 2 + Documentation/arch/powerpc/features.rst | 2 + Documentation/arch/riscv/features.rst | 2 + Documentation/arch/s390/features.rst | 2 + Documentation/arch/sh/features.rst | 2 + Documentation/arch/sparc/features.rst | 2 + Documentation/arch/x86/features.rst | 2 + Documentation/arch/xtensa/features.rst | 2 + Documentation/sphinx/kernel_feat.py | 55 ++--------- + Documentation/translations/zh_CN/arch/loongarch/features.rst | 2 + Documentation/translations/zh_CN/arch/mips/features.rst | 2 + 
Documentation/translations/zh_TW/arch/loongarch/features.rst | 2 + Documentation/translations/zh_TW/arch/mips/features.rst | 2 + 22 files changed, 32 insertions(+), 65 deletions(-) + +--- a/Documentation/admin-guide/features.rst ++++ b/Documentation/admin-guide/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features ++.. kernel-feat:: features +--- a/Documentation/arch/arc/features.rst ++++ b/Documentation/arch/arc/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features arc ++.. kernel-feat:: features arc +--- a/Documentation/arch/arm/features.rst ++++ b/Documentation/arch/arm/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features arm ++.. kernel-feat:: features arm +--- a/Documentation/arch/arm64/features.rst ++++ b/Documentation/arch/arm64/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features arm64 ++.. kernel-feat:: features arm64 +--- a/Documentation/arch/loongarch/features.rst ++++ b/Documentation/arch/loongarch/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features loongarch ++.. kernel-feat:: features loongarch +--- a/Documentation/arch/m68k/features.rst ++++ b/Documentation/arch/m68k/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features m68k ++.. kernel-feat:: features m68k +--- a/Documentation/arch/mips/features.rst ++++ b/Documentation/arch/mips/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features mips ++.. kernel-feat:: features mips +--- a/Documentation/arch/nios2/features.rst ++++ b/Documentation/arch/nios2/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. 
kernel-feat:: $srctree/Documentation/features nios2 ++.. kernel-feat:: features nios2 +--- a/Documentation/arch/openrisc/features.rst ++++ b/Documentation/arch/openrisc/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features openrisc ++.. kernel-feat:: features openrisc +--- a/Documentation/arch/parisc/features.rst ++++ b/Documentation/arch/parisc/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features parisc ++.. kernel-feat:: features parisc +--- a/Documentation/arch/powerpc/features.rst ++++ b/Documentation/arch/powerpc/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features powerpc ++.. kernel-feat:: features powerpc +--- a/Documentation/arch/riscv/features.rst ++++ b/Documentation/arch/riscv/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features riscv ++.. kernel-feat:: features riscv +--- a/Documentation/arch/s390/features.rst ++++ b/Documentation/arch/s390/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features s390 ++.. kernel-feat:: features s390 +--- a/Documentation/arch/sh/features.rst ++++ b/Documentation/arch/sh/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features sh ++.. kernel-feat:: features sh +--- a/Documentation/arch/sparc/features.rst ++++ b/Documentation/arch/sparc/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features sparc ++.. kernel-feat:: features sparc +--- a/Documentation/arch/x86/features.rst ++++ b/Documentation/arch/x86/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features x86 ++.. 
kernel-feat:: features x86 +--- a/Documentation/arch/xtensa/features.rst ++++ b/Documentation/arch/xtensa/features.rst +@@ -1,3 +1,3 @@ + .. SPDX-License-Identifier: GPL-2.0 + +-.. kernel-feat:: $srctree/Documentation/features xtensa ++.. kernel-feat:: features xtensa +--- a/Documentation/sphinx/kernel_feat.py ++++ b/Documentation/sphinx/kernel_feat.py +@@ -37,8 +37,6 @@ import re + import subprocess + import sys + +-from os import path +- + from docutils import nodes, statemachine + from docutils.statemachine import ViewList + from docutils.parsers.rst import directives, Directive +@@ -76,33 +74,26 @@ class KernelFeat(Directive): + self.state.document.settings.env.app.warn(message, prefix="") + + def run(self): +- + doc = self.state.document + if not doc.settings.file_insertion_enabled: + raise self.warning("docutils: file insertion disabled") + + env = doc.settings.env +- cwd = path.dirname(doc.current_source) +- cmd = "get_feat.pl rest --enable-fname --dir " +- cmd += self.arguments[0] +- +- if len(self.arguments) > 1: +- cmd += " --arch " + self.arguments[1] + +- srctree = path.abspath(os.environ["srctree"]) ++ srctree = os.path.abspath(os.environ["srctree"]) + +- fname = cmd ++ args = [ ++ os.path.join(srctree, 'scripts/get_feat.pl'), ++ 'rest', ++ '--enable-fname', ++ '--dir', ++ os.path.join(srctree, 'Documentation', self.arguments[0]), ++ ] + +- # extend PATH with $(srctree)/scripts +- path_env = os.pathsep.join([ +- srctree + os.sep + "scripts", +- os.environ["PATH"] +- ]) +- shell_env = os.environ.copy() +- shell_env["PATH"] = path_env +- shell_env["srctree"] = srctree ++ if len(self.arguments) > 1: ++ args.extend(['--arch', self.arguments[1]]) + +- lines = self.runCmd(cmd, shell=True, cwd=cwd, env=shell_env) ++ lines = subprocess.check_output(args, cwd=os.path.dirname(doc.current_source)).decode('utf-8') + + line_regex = re.compile(r"^\.\. 
FILE (\S+)$") + +@@ -121,30 +112,6 @@ class KernelFeat(Directive): + nodeList = self.nestedParse(out_lines, fname) + return nodeList + +- def runCmd(self, cmd, **kwargs): +- u"""Run command ``cmd`` and return its stdout as unicode.""" +- +- try: +- proc = subprocess.Popen( +- cmd +- , stdout = subprocess.PIPE +- , stderr = subprocess.PIPE +- , **kwargs +- ) +- out, err = proc.communicate() +- +- out, err = codecs.decode(out, 'utf-8'), codecs.decode(err, 'utf-8') +- +- if proc.returncode != 0: +- raise self.severe( +- u"command '%s' failed with return code %d" +- % (cmd, proc.returncode) +- ) +- except OSError as exc: +- raise self.severe(u"problems with '%s' directive: %s." +- % (self.name, ErrorString(exc))) +- return out +- + def nestedParse(self, lines, fname): + content = ViewList() + node = nodes.section() +--- a/Documentation/translations/zh_CN/arch/loongarch/features.rst ++++ b/Documentation/translations/zh_CN/arch/loongarch/features.rst +@@ -5,4 +5,4 @@ + :Original: Documentation/arch/loongarch/features.rst + :Translator: Huacai Chen + +-.. kernel-feat:: $srctree/Documentation/features loongarch ++.. kernel-feat:: features loongarch +--- a/Documentation/translations/zh_CN/arch/mips/features.rst ++++ b/Documentation/translations/zh_CN/arch/mips/features.rst +@@ -10,4 +10,4 @@ + + .. _cn_features: + +-.. kernel-feat:: $srctree/Documentation/features mips ++.. kernel-feat:: features mips +--- a/Documentation/translations/zh_TW/arch/loongarch/features.rst ++++ b/Documentation/translations/zh_TW/arch/loongarch/features.rst +@@ -5,5 +5,5 @@ + :Original: Documentation/arch/loongarch/features.rst + :Translator: Huacai Chen + +-.. kernel-feat:: $srctree/Documentation/features loongarch ++.. kernel-feat:: features loongarch + +--- a/Documentation/translations/zh_TW/arch/mips/features.rst ++++ b/Documentation/translations/zh_TW/arch/mips/features.rst +@@ -10,5 +10,5 @@ + + .. _tw_features: + +-.. kernel-feat:: $srctree/Documentation/features mips ++.. 
kernel-feat:: features mips + diff --git a/queue-6.7/ksmbd-don-t-allow-o_trunc-open-on-read-only-share.patch b/queue-6.7/ksmbd-don-t-allow-o_trunc-open-on-read-only-share.patch new file mode 100644 index 00000000000..91cfe56f3cc --- /dev/null +++ b/queue-6.7/ksmbd-don-t-allow-o_trunc-open-on-read-only-share.patch 
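Review bot: With `fname = cmd` removed from run(), the unchanged call `self.nestedParse(out_lines, fname)` only has `fname` bound if the loop between the two hunks assigns it, presumably when a `.. FILE` line matches `line_regex`; script output without such a line would raise UnboundLocalError. Binding it before the loop keeps the old behaviour, e.g. `fname = ' '.join(args)`. Separately, `os.path.join(srctree, 'Documentation', self.arguments[0])` does not keep the directive argument inside Documentation/ (an absolute path or a `..` component still leaves it), so checking the normalised path against the `Documentation` directory would complete the fix. `subprocess.check_output()` also drops the `self.severe(...)` reporting that the removed runCmd() gave when the command failed.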
@@ -0,0 +1,83 @@ +From d592a9158a112d419f341f035d18d02f8d232def Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sun, 7 Jan 2024 21:24:07 +0900 +Subject: ksmbd: don't allow O_TRUNC open on read-only share + +From: Namjae Jeon + +commit d592a9158a112d419f341f035d18d02f8d232def upstream. + +When file is changed using notepad on read-only share(read_only = yes in +ksmbd.conf), There is a problem where existing data is truncated. +notepad in windows try to O_TRUNC open(FILE_OVERWRITE_IF) and all data +in file is truncated. This patch don't allow O_TRUNC open on read-only +share and add KSMBD_TREE_CONN_FLAG_WRITABLE check in smb2_set_info(). + +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2971,7 +2971,7 @@ int smb2_open(struct ksmbd_work *work) + &may_flags); + + if (!test_tree_conn_flag(tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) { +- if (open_flags & O_CREAT) { ++ if (open_flags & (O_CREAT | O_TRUNC)) { + ksmbd_debug(SMB, + "User does not have write permission\n"); + rc = -EACCES; +@@ -5943,12 +5943,6 @@ static int smb2_set_info_file(struct ksm + } + case FILE_RENAME_INFORMATION: + { +- if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) { +- ksmbd_debug(SMB, +- "User does not have write permission\n"); +- return -EACCES; +- } +- + if (buf_len < sizeof(struct smb2_file_rename_info)) + return -EINVAL; + +@@ -5968,12 +5962,6 @@ static int smb2_set_info_file(struct ksm + } + case FILE_DISPOSITION_INFORMATION: + { +- if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) { +- ksmbd_debug(SMB, +- "User does not have write permission\n"); +- return -EACCES; +- } +- + if (buf_len < sizeof(struct smb2_file_disposition_info)) + return -EINVAL; + +@@ -6035,7 +6023,7 @@ int smb2_set_info(struct 
ksmbd_work *wor + { + struct smb2_set_info_req *req; + struct smb2_set_info_rsp *rsp; +- struct ksmbd_file *fp; ++ struct ksmbd_file *fp = NULL; + int rc = 0; + unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID; + +@@ -6055,6 +6043,13 @@ int smb2_set_info(struct ksmbd_work *wor + rsp = smb2_get_msg(work->response_buf); + } + ++ if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) { ++ ksmbd_debug(SMB, "User does not have write permission\n"); ++ pr_err("User does not have write permission\n"); ++ rc = -EACCES; ++ goto err_out; ++ } ++ + if (!has_file_id(id)) { + id = req->VolatileFileId; + pid = req->PersistentFileId; diff --git a/queue-6.7/ksmbd-free-ppace-array-on-error-in-parse_dacl.patch b/queue-6.7/ksmbd-free-ppace-array-on-error-in-parse_dacl.patch new file mode 100644 index 00000000000..e7f7aad44c8 --- /dev/null +++ b/queue-6.7/ksmbd-free-ppace-array-on-error-in-parse_dacl.patch 
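Review bot: The write-permission check added to smb2_set_info() logs with `pr_err()` in addition to `ksmbd_debug()`, so any client connected to a read-only share can produce one unthrottled kernel error line per SET_INFO request. The condition is an ordinary access denial rather than a server fault; I would drop the `pr_err()` line or change it to `pr_err_ratelimited("User does not have write permission\n");`. The new `fp = NULL` initialiser suggests that `err_out` releases `fp`, but that label is outside the hunk, so confirm it accepts a NULL `fp`.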
@@ -0,0 +1,56 @@ +From 8cf9bedfc3c47d24bb0de386f808f925dc52863e Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Tue, 9 Jan 2024 17:14:44 +0300 +Subject: ksmbd: free ppace array on error in parse_dacl + +From: Fedor Pchelkin + +commit 8cf9bedfc3c47d24bb0de386f808f925dc52863e upstream. + +The ppace array is not freed if one of the init_acl_state() calls inside +parse_dacl() fails. At the moment the function may fail only due to the +memory allocation errors so it's highly unlikely in this case but +nevertheless a fix is needed. + +Move ppace allocation after the init_acl_state() calls with proper error +handling. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smbacl.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/fs/smb/server/smbacl.c ++++ b/fs/smb/server/smbacl.c +@@ -401,10 +401,6 @@ static void parse_dacl(struct mnt_idmap + if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) + return; + +- ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL); +- if (!ppace) +- return; +- + ret = init_acl_state(&acl_state, num_aces); + if (ret) + return; +@@ -413,6 +409,13 @@ static void parse_dacl(struct mnt_idmap + free_acl_state(&acl_state); + return; + } ++ ++ ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL); ++ if (!ppace) { ++ free_acl_state(&default_acl_state); ++ free_acl_state(&acl_state); ++ return; ++ } + + /* + * reset rwx permissions for user/group/other. diff --git a/queue-6.7/leds-ledtrig-tty-free-allocated-ttyname-buffer-on-deactivate.patch b/queue-6.7/leds-ledtrig-tty-free-allocated-ttyname-buffer-on-deactivate.patch new file mode 100644 index 00000000000..fe92ed38025 --- /dev/null 
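Review bot: The allocation moved by this hunk is still sized by `num_aces`, and the only bound visible in front of it is the `ULONG_MAX / sizeof(struct smb_ace *)` comparison, which `kmalloc_array()` already performs itself. If `num_aces` is read from the client's security descriptor (its origin is above the hunk), it should also be limited to the number of ACEs that can fit in the received DACL before `init_acl_state()` and `kmalloc_array()` are called with it. The early returns now repeat the `free_acl_state()` calls; a single cleanup label would keep them from drifting apart. parse_dacl() starts and ends outside the hunk.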
+++ b/queue-6.7/leds-ledtrig-tty-free-allocated-ttyname-buffer-on-deactivate.patch @@ -0,0 +1,44 @@ +From 25054b232681c286fca9c678854f56494d1352cc Mon Sep 17 00:00:00 2001 +From: Florian Eckert +Date: Mon, 27 Nov 2023 09:16:21 +0100 +Subject: leds: ledtrig-tty: Free allocated ttyname buffer on deactivate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Eckert + +commit 25054b232681c286fca9c678854f56494d1352cc upstream. + +The ttyname buffer for the ledtrig_tty_data struct is allocated in the +sysfs ttyname_store() function. This buffer must be released on trigger +deactivation. This was missing and is thus a memory leak. + +While we are at it, the TTY handler in the ledtrig_tty_data struct should +also be returned in case of the trigger deactivation call. + +Cc: stable@vger.kernel.org +Fixes: fd4a641ac88f ("leds: trigger: implement a tty trigger") +Signed-off-by: Florian Eckert +Reviewed-by: Uwe Kleine-König +Reviewed-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20231127081621.774866-1-fe@dev.tdt.de +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/trigger/ledtrig-tty.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/leds/trigger/ledtrig-tty.c ++++ b/drivers/leds/trigger/ledtrig-tty.c +@@ -168,6 +168,10 @@ static void ledtrig_tty_deactivate(struc + + cancel_delayed_work_sync(&trigger_data->dwork); + ++ kfree(trigger_data->ttyname); ++ tty_kref_put(trigger_data->tty); ++ trigger_data->tty = NULL; ++ + kfree(trigger_data); + } + diff --git a/queue-6.7/mm-memory_hotplug-fix-memmap_on_memory-sysfs-value-retrieval.patch b/queue-6.7/mm-memory_hotplug-fix-memmap_on_memory-sysfs-value-retrieval.patch new file mode 100644 index 00000000000..bb7ffa15504 --- /dev/null +++ b/queue-6.7/mm-memory_hotplug-fix-memmap_on_memory-sysfs-value-retrieval.patch 
@@ -0,0 +1,55 @@ +From 11684134140bb708b6e6de969a060535630b1b53 Mon Sep 17 00:00:00 2001 +From: Sumanth Korikkar +Date: Wed, 10 Jan 2024 15:01:27 +0100 +Subject: mm/memory_hotplug: fix memmap_on_memory sysfs value retrieval + +From: Sumanth Korikkar + +commit 11684134140bb708b6e6de969a060535630b1b53 upstream. + +set_memmap_mode() stores the kernel parameter memmap mode as an integer. +However, the get_memmap_mode() function utilizes param_get_bool() to fetch +the value as a boolean, leading to potential endianness issue. On +Big-endian architectures, the memmap_on_memory is consistently displayed +as 'N' regardless of its actual status. + +To address this endianness problem, the solution involves obtaining the +mode as an integer. This adjustment ensures the proper display of the +memmap_on_memory parameter, presenting it as one of the following options: +Force, Y, or N. + +Link: https://lkml.kernel.org/r/20240110140127.241451-1-sumanthk@linux.ibm.com +Fixes: 2d1f649c7c08 ("mm/memory_hotplug: support memmap_on_memory when memmap is not aligned to pageblocks") +Signed-off-by: Sumanth Korikkar +Suggested-by: Gerald Schaefer +Acked-by: David Hildenbrand +Cc: Alexander Gordeev +Cc: Aneesh Kumar K.V +Cc: Heiko Carstens +Cc: Michal Hocko +Cc: Oscar Salvador +Cc: Vasily Gorbik +Cc: [6.6+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory_hotplug.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -101,9 +101,11 @@ static int set_memmap_mode(const char *v + + static int get_memmap_mode(char *buffer, const struct kernel_param *kp) + { +- if (*((int *)kp->arg) == MEMMAP_ON_MEMORY_FORCE) +- return sprintf(buffer, "force\n"); +- return param_get_bool(buffer, kp); ++ int mode = *((int *)kp->arg); ++ ++ if (mode == MEMMAP_ON_MEMORY_FORCE) ++ return sprintf(buffer, "force\n"); ++ return sprintf(buffer, "%c\n", mode ? 
'Y' : 'N'); + } + + static const struct kernel_param_ops memmap_mode_ops = { diff --git a/queue-6.7/parport-parport_serial-add-brainboxes-bar-details.patch b/queue-6.7/parport-parport_serial-add-brainboxes-bar-details.patch new file mode 100644 index 00000000000..147862cef05 --- /dev/null +++ b/queue-6.7/parport-parport_serial-add-brainboxes-bar-details.patch @@ -0,0 +1,44 @@ +From 65fde134b0a4ffe838729f9ee11b459a2f6f2815 Mon Sep 17 00:00:00 2001 +From: Cameron Williams +Date: Thu, 2 Nov 2023 21:07:05 +0000 +Subject: parport: parport_serial: Add Brainboxes BAR details + +From: Cameron Williams + +commit 65fde134b0a4ffe838729f9ee11b459a2f6f2815 upstream. + +Add BAR/enum entries for Brainboxes serial/parallel cards. + +Cc: +Signed-off-by: Cameron Williams +Acked-by: Sudip Mukherjee +Link: https://lore.kernel.org/r/AS4PR02MB79035155C2D5C3333AE6FA52C4A6A@AS4PR02MB7903.eurprd02.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parport/parport_serial.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/parport/parport_serial.c ++++ b/drivers/parport/parport_serial.c +@@ -65,6 +65,10 @@ enum parport_pc_pci_cards { + sunix_5069a, + sunix_5079a, + sunix_5099a, ++ brainboxes_uc257, ++ brainboxes_is300, ++ brainboxes_uc414, ++ brainboxes_px263, + }; + + /* each element directly indexed from enum list, above */ +@@ -158,6 +162,10 @@ static struct parport_pc_pci cards[] = { + /* sunix_5069a */ { 1, { { 1, 2 }, } }, + /* sunix_5079a */ { 1, { { 1, 2 }, } }, + /* sunix_5099a */ { 1, { { 1, 2 }, } }, ++ /* brainboxes_uc257 */ { 1, { { 3, -1 }, } }, ++ /* brainboxes_is300 */ { 1, { { 3, -1 }, } }, ++ /* brainboxes_uc414 */ { 1, { { 3, -1 }, } }, ++ /* brainboxes_px263 */ { 1, { { 3, -1 }, } }, + }; + + static struct pci_device_id parport_serial_pci_tbl[] = { 
diff --git a/queue-6.7/parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch b/queue-6.7/parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch new file mode 100644 index 00000000000..beb476d3b5f --- /dev/null +++ b/queue-6.7/parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch 
@@ -0,0 +1,95 @@
+From 6aa1fc5a8085bbc01687aa708dcf2dbe637a5ee3 Mon Sep 17 00:00:00 2001
+From: Cameron Williams
+Date: Thu, 2 Nov 2023 21:07:06 +0000
+Subject: parport: parport_serial: Add Brainboxes device IDs and geometry
+
+From: Cameron Williams
+
+commit 6aa1fc5a8085bbc01687aa708dcf2dbe637a5ee3 upstream.
+
+Add device IDs for the Brainboxes UC-203, UC-257, UC-414, UC-475,
+IS-300/IS-500 and PX-263/PX-295 and define the relevant "geometry"
+for the cards.
+This patch requires part 1 of this series.
+
+Cc:
+Signed-off-by: Cameron Williams
+Acked-by: Sudip Mukherjee
+Link: https://lore.kernel.org/r/AS4PR02MB7903A4094564BE28F1F926A6C4A6A@AS4PR02MB7903.eurprd02.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/parport/parport_serial.c | 56 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+--- a/drivers/parport/parport_serial.c
++++ b/drivers/parport/parport_serial.c
+@@ -285,6 +285,38 @@ static struct pci_device_id parport_seri
+ { PCI_VENDOR_ID_SUNIX, PCI_DEVICE_ID_SUNIX_1999, PCI_VENDOR_ID_SUNIX,
+ 0x0104, 0, 0, sunix_5099a },
+
++ /* Brainboxes UC-203 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0bc1,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0bc2,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++
++ /* Brainboxes UC-257 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0861,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0862,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0863,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++
++ /* Brainboxes UC-414 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0e61,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc414 },
++
++ /* Brainboxes UC-475 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0981,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0982,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++
++ /* Brainboxes IS-300/IS-500 */
++ {
PCI_VENDOR_ID_INTASHIELD, 0x0da0,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_is300 },
++
++ /* Brainboxes PX-263/PX-295 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x402c,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_px263 },
++
+ { 0, } /* terminate list */
+ };
+ MODULE_DEVICE_TABLE(pci,parport_serial_pci_tbl);
+@@ -550,6 +582,30 @@ static struct pciserial_board pci_parpor
+ .base_baud = 921600,
+ .uart_offset = 0x8,
+ },
++ [brainboxes_uc257] = {
++ .flags = FL_BASE2,
++ .num_ports = 2,
++ .base_baud = 115200,
++ .uart_offset = 8,
++ },
++ [brainboxes_is300] = {
++ .flags = FL_BASE2,
++ .num_ports = 1,
++ .base_baud = 115200,
++ .uart_offset = 8,
++ },
++ [brainboxes_uc414] = {
++ .flags = FL_BASE2,
++ .num_ports = 4,
++ .base_baud = 115200,
++ .uart_offset = 8,
++ },
++ [brainboxes_px263] = {
++ .flags = FL_BASE2,
++ .num_ports = 4,
++ .base_baud = 921600,
++ .uart_offset = 8,
++ },
+ };
+
+ struct parport_serial_private {
diff --git a/queue-6.7/pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch b/queue-6.7/pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch
new file mode 100644
index 00000000000..79f5dc5d3d4
--- /dev/null
+++ b/queue-6.7/pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch
@@ -0,0 +1,50 @@
+From e367e3c765f5477b2e79da0f1399aed49e2d1e37 Mon Sep 17 00:00:00 2001
+From: LeoLiuoc
+Date: Mon, 11 Dec 2023 17:15:43 +0800
+Subject: PCI: Add ACS quirk for more Zhaoxin Root Ports
+
+From: LeoLiuoc
+
+commit e367e3c765f5477b2e79da0f1399aed49e2d1e37 upstream.
+
+Add more Root Port Device IDs to pci_quirk_zhaoxin_pcie_ports_acs() for
+some new Zhaoxin platforms.
+
+Fixes: 299bd044a6f3 ("PCI: Add ACS quirk for Zhaoxin Root/Downstream Ports")
+Link: https://lore.kernel.org/r/20231211091543.735903-1-LeoLiu-oc@zhaoxin.com
+Signed-off-by: LeoLiuoc
+[bhelgaas: update subject, drop changelog, add Fixes, add stable tag, fix
+whitespace, wrap code comment]
+Signed-off-by: Bjorn Helgaas
+Cc: # 5.7
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/quirks.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4699,17 +4699,21 @@ static int pci_quirk_xgene_acs(struct pc
+ * But the implementation could block peer-to-peer transactions between them
+ * and provide ACS-like functionality.
+ */
+-static int pci_quirk_zhaoxin_pcie_ports_acs(struct pci_dev *dev, u16 acs_flags)
++static int pci_quirk_zhaoxin_pcie_ports_acs(struct pci_dev *dev, u16 acs_flags)
+ {
+ if (!pci_is_pcie(dev) ||
+ ((pci_pcie_type(dev) != PCI_EXP_TYPE_ROOT_PORT) &&
+ (pci_pcie_type(dev) != PCI_EXP_TYPE_DOWNSTREAM)))
+ return -ENOTTY;
+
++ /*
++ * Future Zhaoxin Root Ports and Switch Downstream Ports will
++ * implement ACS capability in accordance with the PCIe Spec.
++ */
+ switch (dev->device) {
+ case 0x0710 ... 0x071e:
+ case 0x0721:
+- case 0x0723 ... 0x0732:
++ case 0x0723 ... 0x0752:
+ return pci_acs_ctrl_enabled(acs_flags,
+ PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF);
+ }
diff --git a/queue-6.7/revert-md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch b/queue-6.7/revert-md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch
new file mode 100644
index 00000000000..921019434b7
--- /dev/null
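Review bot: The widened case `0x0723 ... 0x0752` asserts `PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF` for every device ID in the range, including any in 0x0733–0x0752 that is unassigned or belongs to a port without the peer-to-peer blocking the header comment describes, and the added comment only speaks about future ports. Because callers presumably use this result to decide whether devices behind the port are isolated from each other, an over-broad range weakens that isolation decision rather than failing safe. I would extend the comment to name what the new IDs are, e.g. `* 0x0733 ... 0x0752: Root Ports on <platform names, to be supplied by the vendor>`, or split the range if it has gaps. The function continues past the end of the hunk.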
+++ b/queue-6.7/revert-md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch
@@ -0,0 +1,67 @@
+From bed9e27baf52a09b7ba2a3714f1e24e17ced386d Mon Sep 17 00:00:00 2001
+From: Junxiao Bi
+Date: Wed, 8 Nov 2023 10:22:16 -0800
+Subject: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
+
+From: Junxiao Bi
+
+commit bed9e27baf52a09b7ba2a3714f1e24e17ced386d upstream.
+
+This reverts commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74.
+
+That commit introduced the following race and can cause system hung.
+
+ md_write_start: raid5d:
+ // mddev->in_sync == 1
+ set "MD_SB_CHANGE_PENDING"
+ // running before md_write_start wakeup it
+ waiting "MD_SB_CHANGE_PENDING" cleared
+ >>>>>>>>> hung
+ wakeup mddev->thread
+ ...
+ waiting "MD_SB_CHANGE_PENDING" cleared
+ >>>> hung, raid5d should clear this flag
+ but get hung by same flag.
+
+The issue reverted commit fixing is fixed by last patch in a new way.
+
+Fixes: 5e2cf333b7bd ("md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d")
+Cc: stable@vger.kernel.org # v5.19+
+Signed-off-by: Junxiao Bi
+Reviewed-by: Yu Kuai
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20231108182216.73611-2-junxiao.bi@oracle.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/raid5.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -36,7 +36,6 @@
+ */
+
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -6820,18 +6819,7 @@ static void raid5d(struct md_thread *thr
+ spin_unlock_irq(&conf->device_lock);
+ md_check_recovery(mddev);
+ spin_lock_irq(&conf->device_lock);
+-
+- /*
+- * Waiting on MD_SB_CHANGE_PENDING below may deadlock
+- * seeing md_check_recovery() is needed to clear
+- * the flag when using mdmon.
+- */
+- continue;
+ }
+-
+- wait_event_lock_irq(mddev->sb_wait,
+- !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags),
+- conf->device_lock);
+ }
+ pr_debug("%d stripes handled\n", handled);
+
diff --git a/queue-6.7/scripts-decode_stacktrace.sh-optionally-use-llvm-utilities.patch b/queue-6.7/scripts-decode_stacktrace.sh-optionally-use-llvm-utilities.patch
new file mode 100644
index 00000000000..951a9377fb0
--- /dev/null
+++ b/queue-6.7/scripts-decode_stacktrace.sh-optionally-use-llvm-utilities.patch
@@ -0,0 +1,97 @@
+From efbd6398353315b7018e6943e41fee9ec35e875f Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Fri, 29 Sep 2023 03:48:17 +0000
+Subject: scripts/decode_stacktrace.sh: optionally use LLVM utilities
+
+From: Carlos Llamas
+
+commit efbd6398353315b7018e6943e41fee9ec35e875f upstream.
+
+GNU's addr2line can have problems parsing a vmlinux built with LLVM,
+particularly when LTO was used. In order to decode the traces correctly
+this patch adds the ability to switch to LLVM's utilities readelf and
+addr2line. The same approach is followed by Will in [1].
+
+Before:
+ $ scripts/decode_stacktrace.sh vmlinux < kernel.log
+ [17716.240635] Call trace:
+ [17716.240646] skb_cow_data (??:?)
+ [17716.240654] esp6_input (ld-temp.o:?)
+ [17716.240666] xfrm_input (ld-temp.o:?)
+ [17716.240674] xfrm6_rcv (??:?)
+ [...]
+
+After:
+ $ LLVM=1 scripts/decode_stacktrace.sh vmlinux < kernel.log
+ [17716.240635] Call trace:
+ [17716.240646] skb_cow_data (include/linux/skbuff.h:2172 net/core/skbuff.c:4503)
+ [17716.240654] esp6_input (net/ipv6/esp6.c:977)
+ [17716.240666] xfrm_input (net/xfrm/xfrm_input.c:659)
+ [17716.240674] xfrm6_rcv (net/ipv6/xfrm6_input.c:172)
+ [...]
+
+Note that one could set CROSS_COMPILE=llvm- instead to hack around this
+issue. However, doing so can break the decodecode routine as it will
+force the selection of other LLVM utilities down the line e.g. llvm-as.
+
+[1] https://lore.kernel.org/all/20230914131225.13415-3-will@kernel.org/
+
+Link: https://lkml.kernel.org/r/20230929034836.403735-1-cmllamas@google.com
+Signed-off-by: Carlos Llamas
+Reviewed-by: Nick Desaulniers
+Reviewed-by: Elliot Berman
+Tested-by: Justin Stitt
+Cc: Will Deacon
+Cc: John Stultz
+Cc: Masahiro Yamada
+Cc: Nathan Chancellor
+Cc: Tom Rix
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/decode_stacktrace.sh | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/scripts/decode_stacktrace.sh
++++ b/scripts/decode_stacktrace.sh
+@@ -16,6 +16,21 @@ elif type c++filt >/dev/null 2>&1 ; then
+ cppfilt_opts=-i
+ fi
+
++UTIL_SUFFIX=
++if [[ -z ${LLVM:-} ]]; then
++ UTIL_PREFIX=${CROSS_COMPILE:-}
++else
++ UTIL_PREFIX=llvm-
++ if [[ ${LLVM} == */ ]]; then
++ UTIL_PREFIX=${LLVM}${UTIL_PREFIX}
++ elif [[ ${LLVM} == -* ]]; then
++ UTIL_SUFFIX=${LLVM}
++ fi
++fi
++
++READELF=${UTIL_PREFIX}readelf${UTIL_SUFFIX}
++ADDR2LINE=${UTIL_PREFIX}addr2line${UTIL_SUFFIX}
++
+ if [[ $1 == "-r" ]] ; then
+ vmlinux=""
+ basepath="auto"
+@@ -75,7 +90,7 @@ find_module() {
+
+ if [[ "$modpath" != "" ]] ; then
+ for fn in $(find "$modpath" -name "${module//_/[-_]}.ko*") ; do
+- if readelf -WS "$fn" | grep -qwF .debug_line ; then
++ if ${READELF} -WS "$fn" | grep -qwF .debug_line ; then
+ echo $fn
+ return
+ fi
+@@ -169,7 +184,7 @@ parse_symbol() {
+ if [[ $aarray_support == true && "${cache[$module,$address]+isset}" == "isset" ]]; then
+ local code=${cache[$module,$address]}
+ else
+- local code=$(${CROSS_COMPILE}addr2line -i -e "$objfile" "$address" 2>/dev/null)
++ local code=$(${ADDR2LINE} -i -e "$objfile" "$address" 2>/dev/null)
+ if [[ $aarray_support == true ]]; then
+ cache[$module,$address]=$code
+ fi
diff --git a/queue-6.7/series b/queue-6.7/series
index d6fccee5f30..442d10fb38a 100644
--- a/queue-6.7/series
+++ b/queue-6.7/series
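Review bot: `${READELF}` and `${ADDR2LINE}` are expanded unquoted in command position, and both are assembled from the caller's `LLVM` and `CROSS_COMPILE` environment, so a value containing whitespace or glob characters (a toolchain directory with a space in it, for instance) is word-split into a different command line instead of failing cleanly. Quoting keeps each tool name a single word: `if "${READELF}" -WS "$fn" | grep -qwF .debug_line ; then` and `local code=$("${ADDR2LINE}" -i -e "$objfile" "$address" 2>/dev/null)`. The removed `${CROSS_COMPILE}addr2line` had the same weakness, so this is a carry-over rather than a regression. A one-line comment above `UTIL_SUFFIX=` saying that any `LLVM` value other than a trailing-`/` path or a leading-`-` suffix is treated like `LLVM=1` would also help. `find_module()` and `parse_symbol()` both extend beyond their hunks.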
@@ -10,3 +10,19 @@ acpi-resource-add-another-dmi-match-for-the-tongfang-gmxxgxx.patch bus-moxtet-mark-the-irq-as-shared.patch bus-moxtet-add-spi-device-table.patch drm-amd-display-pass-pwrseq-inst-for-backlight-and-abm.patch +ksmbd-don-t-allow-o_trunc-open-on-read-only-share.patch +ksmbd-free-ppace-array-on-error-in-parse_dacl.patch +revert-md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch +binder-use-epollerr-from-eventpoll.h.patch +binder-fix-use-after-free-in-shinker-s-callback.patch +binder-fix-trivial-typo-of-binder_free_buf_locked.patch +binder-fix-comment-on-binder_alloc_new_buf-return-value.patch +uio-fix-use-after-free-in-uio_open.patch +parport-parport_serial-add-brainboxes-bar-details.patch +parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch +leds-ledtrig-tty-free-allocated-ttyname-buffer-on-deactivate.patch +pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch +coresight-etm4x-fix-width-of-ccitmin-field.patch +scripts-decode_stacktrace.sh-optionally-use-llvm-utilities.patch +docs-kernel_feat.py-fix-potential-command-injection.patch +mm-memory_hotplug-fix-memmap_on_memory-sysfs-value-retrieval.patch diff --git a/queue-6.7/uio-fix-use-after-free-in-uio_open.patch b/queue-6.7/uio-fix-use-after-free-in-uio_open.patch new file mode 100644 index 00000000000..bf39687bb48 --- /dev/null +++ b/queue-6.7/uio-fix-use-after-free-in-uio_open.patch 
@@ -0,0 +1,74 @@
+From 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 Mon Sep 17 00:00:00 2001
+From: Guanghui Feng
+Date: Thu, 21 Dec 2023 17:57:43 +0800
+Subject: uio: Fix use-after-free in uio_open
+
+From: Guanghui Feng
+
+commit 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 upstream.
+
+core-1 core-2
+-------------------------------------------------------
+uio_unregister_device uio_open
+ idev = idr_find()
+device_unregister(&idev->dev)
+put_device(&idev->dev)
+uio_device_release
+ get_device(&idev->dev)
+kfree(idev)
+uio_free_minor(minor)
+ uio_release
+ put_device(&idev->dev)
+ kfree(idev)
+-------------------------------------------------------
+
+In the core-1 uio_unregister_device(), the device_unregister will kfree
+idev when the idev->dev kobject ref is 1. But after core-1
+device_unregister, put_device and before doing kfree, the core-2 may
+get_device. Then:
+1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
+2. When core-2 do uio_release and put_device, the idev will be double
+ freed.
+
+To address this issue, we can get idev atomic & inc idev reference with
+minor_lock.
+
+Fixes: 57c5f4df0a5a ("uio: fix crash after the device is unregistered")
+Cc: stable
+Signed-off-by: Guanghui Feng
+Reviewed-by: Baolin Wang
+Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/uio/uio.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -466,13 +466,13 @@ static int uio_open(struct inode *inode,
+
+ mutex_lock(&minor_lock);
+ idev = idr_find(&uio_idr, iminor(inode));
+- mutex_unlock(&minor_lock);
+ if (!idev) {
+ ret = -ENODEV;
++ mutex_unlock(&minor_lock);
+ goto out;
+ }
+-
+ get_device(&idev->dev);
++ mutex_unlock(&minor_lock);
+
+ if (!try_module_get(idev->owner)) {
+ ret = -ENODEV;
+@@ -1064,9 +1064,8 @@ void uio_unregister_device(struct uio_in
+ wake_up_interruptible(&idev->wait);
+ kill_fasync(&idev->async_queue, SIGIO, POLL_HUP);
+
+- device_unregister(&idev->dev);
+-
+ uio_free_minor(minor);
++ device_unregister(&idev->dev);
+
+ return;
+ }
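Review bot: Nothing in either inner hunk records that the statement order is what closes the use-after-free: in `uio_open()` the `get_device(&idev->dev)` must stay inside `minor_lock`, and in `uio_unregister_device()` `uio_free_minor(minor)` must stay ahead of `device_unregister(&idev->dev)` (assuming `uio_free_minor()` takes `minor_lock`, which the hunk does not show). A later cleanup that reorders either pair would reintroduce the race without any test failing, so I would add `/* take the reference under minor_lock so unregister cannot free idev after the lookup */` above `get_device()` and `/* drop the minor first: uio_open() must not find idev once the final put can run */` above `uio_free_minor()`. A side effect worth checking is that the minor becomes reusable while the old device is still registered; if a concurrent registration can pick it up, its device name would presumably collide until `device_unregister()` completes. Both functions start and end outside the hunks.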