From: Greg Kroah-Hartman Date: Tue, 20 May 2025 10:56:45 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.15.184~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=56362dc216baf3a51d3926361c78ce81af972cac;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch btrfs-don-t-bug_on-when-0-reference-count-at-btrfs_lookup_extent_info.patch sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch --- diff --git a/queue-5.15/btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch b/queue-5.15/btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch new file mode 100644 index 0000000000..322f043829 --- /dev/null +++ b/queue-5.15/btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch @@ -0,0 +1,59 @@ +From 8cbc3001a3264d998d6b6db3e23f935c158abd4d Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 18 Feb 2022 10:03:29 -0500 +Subject: btrfs: do not clean up repair bio if submit fails + +From: Josef Bacik + +commit 8cbc3001a3264d998d6b6db3e23f935c158abd4d upstream. + +The submit helper will always run bio_endio() on the bio if it fails to +submit, so cleaning up the bio just leads to a variety of use-after-free +and NULL pointer dereference bugs because we race with the endio +function that is cleaning up the bio. Instead just return BLK_STS_OK as +the repair function has to continue to process the rest of the pages, +and the endio for the repair bio will do the appropriate cleanup for the +page that it was given. + +Reviewed-by: Boris Burkov +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +[Minor context change fixed.] +Signed-off-by: Bin Lan +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent_io.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2624,7 +2624,6 @@ int btrfs_repair_one_sector(struct inode + const int icsum = bio_offset >> fs_info->sectorsize_bits; + struct bio *repair_bio; + struct btrfs_io_bio *repair_io_bio; +- blk_status_t status; + + btrfs_debug(fs_info, + "repair read error: read error at %llu", start); +@@ -2664,13 +2663,13 @@ int btrfs_repair_one_sector(struct inode + "repair read error: submitting new read to mirror %d", + failrec->this_mirror); + +- status = submit_bio_hook(inode, repair_bio, failrec->this_mirror, +- failrec->bio_flags); +- if (status) { +- free_io_failure(failure_tree, tree, failrec); +- bio_put(repair_bio); +- } +- return blk_status_to_errno(status); ++ /* ++ * At this point we have a bio, so any errors from submit_bio_hook() ++ * will be handled by the endio on the repair_bio, so we can't return an ++ * error here. ++ */ ++ submit_bio_hook(inode, repair_bio, failrec->this_mirror, failrec->bio_flags); ++ return BLK_STS_OK; + } + + static void end_page_read(struct page *page, bool uptodate, u64 start, u32 len) diff --git a/queue-5.15/btrfs-don-t-bug_on-when-0-reference-count-at-btrfs_lookup_extent_info.patch b/queue-5.15/btrfs-don-t-bug_on-when-0-reference-count-at-btrfs_lookup_extent_info.patch new file mode 100644 index 0000000000..b7c123f641 --- /dev/null +++ b/queue-5.15/btrfs-don-t-bug_on-when-0-reference-count-at-btrfs_lookup_extent_info.patch @@ -0,0 +1,72 @@ +From 28cb13f29faf6290597b24b728dc3100c019356f Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 18 Jun 2024 12:15:01 +0100 +Subject: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() + +From: Filipe Manana + +commit 28cb13f29faf6290597b24b728dc3100c019356f upstream. + +Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, +aborting the transaction and logging an error message. + +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +[Minor conflict resolved due to code context change.] +Signed-off-by: Jianqi Ren +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -176,6 +176,14 @@ search_again: + ei = btrfs_item_ptr(leaf, path->slots[0], + struct btrfs_extent_item); + num_refs = btrfs_extent_refs(leaf, ei); ++ if (unlikely(num_refs == 0)) { ++ ret = -EUCLEAN; ++ btrfs_err(fs_info, ++ "unexpected zero reference count for extent item (%llu %u %llu)", ++ key.objectid, key.type, key.offset); ++ btrfs_abort_transaction(trans, ret); ++ goto out_free; ++ } + extent_flags = btrfs_extent_flags(leaf, ei); + } else { + ret = -EINVAL; +@@ -187,8 +195,6 @@ search_again: + + goto out_free; + } +- +- BUG_ON(num_refs == 0); + } else { + num_refs = 0; + extent_flags = 0; +@@ -218,10 +224,19 @@ search_again: + goto search_again; + } + spin_lock(&head->lock); +- if (head->extent_op && head->extent_op->update_flags) ++ if (head->extent_op && head->extent_op->update_flags) { + extent_flags |= head->extent_op->flags_to_set; +- else +- BUG_ON(num_refs == 0); ++ } else if (unlikely(num_refs == 0)) { ++ spin_unlock(&head->lock); ++ mutex_unlock(&head->mutex); ++ spin_unlock(&delayed_refs->lock); ++ ret = -EUCLEAN; ++ btrfs_err(fs_info, ++ "unexpected zero reference count for extent %llu (%s)", ++ bytenr, metadata ? "metadata" : "data"); ++ btrfs_abort_transaction(trans, ret); ++ goto out_free; ++ } + + num_refs += head->ref_mod; + spin_unlock(&head->lock); diff --git a/queue-5.15/sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch b/queue-5.15/sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch new file mode 100644 index 0000000000..e27354a4c1 --- /dev/null +++ b/queue-5.15/sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch @@ -0,0 +1,78 @@ +From 10206302af856791fbcc27a33ed3c3eb09b2793d Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 31 Mar 2025 09:15:32 +0000 +Subject: sctp: add mutual exclusion in proc_sctp_do_udp_port() + +From: Eric Dumazet + +commit 10206302af856791fbcc27a33ed3c3eb09b2793d upstream. + +We must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start() +or risk a crash as syzbot reported: + +Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] +CPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 + RIP: 0010:kernel_sock_shutdown+0x47/0x70 net/socket.c:3653 +Call Trace: + + udp_tunnel_sock_release+0x68/0x80 net/ipv4/udp_tunnel_core.c:181 + sctp_udp_sock_stop+0x71/0x160 net/sctp/protocol.c:930 + proc_sctp_do_udp_port+0x264/0x450 net/sctp/sysctl.c:553 + proc_sys_call_handler+0x3d0/0x5b0 fs/proc/proc_sysctl.c:601 + iter_file_splice_write+0x91c/0x1150 fs/splice.c:738 + do_splice_from fs/splice.c:935 [inline] + direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158 + splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102 + do_splice_direct_actor fs/splice.c:1201 [inline] + do_splice_direct+0x174/0x240 fs/splice.c:1227 + do_sendfile+0xafd/0xe50 fs/read_write.c:1368 + __do_sys_sendfile64 fs/read_write.c:1429 [inline] + __se_sys_sendfile64 fs/read_write.c:1415 [inline] + __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1415 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + +Fixes: 046c052b475e ("sctp: enable udp tunneling socks") +Reported-by: syzbot+fae49d997eb56fa7c74d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/67ea5c01.050a0220.1547ec.012b.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Marcelo Ricardo Leitner +Acked-by: Xin Long +Link: https://patch.msgid.link/20250331091532.224982-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +[Minor conflict resolved due to code context change.] +Signed-off-by: Jianqi Ren +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -518,6 +518,8 @@ static int proc_sctp_do_auth(struct ctl_ + return ret; + } + ++static DEFINE_MUTEX(sctp_sysctl_mutex); ++ + static int proc_sctp_do_udp_port(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +@@ -542,6 +544,7 @@ static int proc_sctp_do_udp_port(struct + if (new_value > max || new_value < min) + return -EINVAL; + ++ mutex_lock(&sctp_sysctl_mutex); + net->sctp.udp_port = new_value; + sctp_udp_sock_stop(net); + if (new_value) { +@@ -554,6 +557,7 @@ static int proc_sctp_do_udp_port(struct + lock_sock(sk); + sctp_sk(sk)->udp_port = htons(net->sctp.udp_port); + release_sock(sk); ++ mutex_unlock(&sctp_sysctl_mutex); + } + + return ret; diff --git a/queue-5.15/selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch b/queue-5.15/selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch new file mode 100644 index 0000000000..489b9bff38 --- /dev/null +++ b/queue-5.15/selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch @@ -0,0 +1,72 @@ +From ab00ddd802f80e31fc9639c652d736fe3913feae Mon Sep 17 00:00:00 2001 +From: Feng Tang +Date: Wed, 23 Apr 2025 18:36:45 +0800 +Subject: selftests/mm: compaction_test: support platform with huge mount of memory + +From: Feng Tang + +commit ab00ddd802f80e31fc9639c652d736fe3913feae upstream. + +When running mm selftest to verify mm patches, 'compaction_test' case +failed on an x86 server with 1TB memory. And the root cause is that it +has too much free memory than what the test supports. + +The test case tries to allocate 100000 huge pages, which is about 200 GB +for that x86 server, and when it succeeds, it expects it's large than 1/3 +of 80% of the free memory in system. This logic only works for platform +with 750 GB ( 200 / (1/3) / 80% ) or less free memory, and may raise false +alarm for others. + +Fix it by changing the fixed page number to self-adjustable number +according to the real number of free memory. + +Link: https://lkml.kernel.org/r/20250423103645.2758-1-feng.tang@linux.alibaba.com +Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory") +Signed-off-by: Feng Tang +Acked-by: Dev Jain +Reviewed-by: Baolin Wang +Tested-by: Baolin Wang +Cc: Shuah Khan +Cc: Sri Jayaramappa +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/vm/compaction_test.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/vm/compaction_test.c ++++ b/tools/testing/selftests/vm/compaction_test.c +@@ -89,6 +89,8 @@ int check_compaction(unsigned long mem_f + int compaction_index = 0; + char initial_nr_hugepages[20] = {0}; + char nr_hugepages[20] = {0}; ++ char target_nr_hugepages[24] = {0}; ++ int slen; + + /* We want to test with 80% of available memory. Else, OOM killer comes + in to play */ +@@ -118,11 +120,18 @@ int check_compaction(unsigned long mem_f + + lseek(fd, 0, SEEK_SET); + +- /* Request a large number of huge pages. The Kernel will allocate +- as much as it can */ +- if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) { +- ksft_test_result_fail("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n", +- strerror(errno)); ++ /* ++ * Request huge pages for about half of the free memory. The Kernel ++ * will allocate as much as it can, and we expect it will get at least 1/3 ++ */ ++ nr_hugepages_ul = mem_free / hugepage_size / 2; ++ snprintf(target_nr_hugepages, sizeof(target_nr_hugepages), ++ "%lu", nr_hugepages_ul); ++ ++ slen = strlen(target_nr_hugepages); ++ if (write(fd, target_nr_hugepages, slen) != slen) { ++ ksft_test_result_fail("Failed to write %lu to /proc/sys/vm/nr_hugepages: %s\n", ++ nr_hugepages_ul, strerror(errno)); + goto close_fd; + } + diff --git a/queue-5.15/series b/queue-5.15/series index c116745ca4..e6d5a4b556 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -49,3 +49,7 @@ usb-typec-ucsi-displayport-fix-deadlock.patch usb-typec-altmodes-displayport-create-sysfs-nodes-as-driver-s-default-device-attribute-group.patch usb-typec-fix-potential-array-underflow-in-ucsi_ccg_sync_control.patch usb-typec-fix-pm-usage-counter-imbalance-in-ucsi_ccg_sync_control.patch +selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch +sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch +btrfs-don-t-bug_on-when-0-reference-count-at-btrfs_lookup_extent_info.patch +btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch