From: Greg Kroah-Hartman Date: Sun, 8 Sep 2024 11:32:38 +0000 (+0200) Subject: 6.10-stable patches X-Git-Tag: v4.19.322~103 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=59d94caf57ac8825a37926fa5189570c6ede0685;p=thirdparty%2Fkernel%2Fstable-queue.git 6.10-stable patches added patches: asoc-intel-boards-fix-null-pointer-deref-in-byt-cht-boards-harder.patch bluetooth-mgmt-ignore-keys-being-loaded-with-invalid-type.patch fuse-check-aborted-connection-before-adding-requests-to-pending-list-for-resending.patch fuse-clear-pg_uptodate-when-using-a-stolen-page.patch fuse-disable-the-combination-of-passthrough-and-writeback-cache.patch fuse-fix-memory-leak-in-fuse_create_open.patch fuse-update-stats-for-pages-in-dropped-aux-writeback-list.patch fuse-use-unsigned-type-for-getxattr-listxattr-size-truncation.patch mmc-core-apply-sd-quirks-earlier-during-probe.patch mmc-cqhci-fix-checking-of-cqhci_halt-state.patch mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch mmc-sdhci-of-aspeed-fix-module-autoloading.patch parisc-delay-write-protection-until-mark_rodata_ro-call.patch riscv-misaligned-restrict-user-access-to-kernel-memory.patch selftests-mm-fix-build-errors-on-armhf.patch --- diff --git a/queue-6.10/asoc-intel-boards-fix-null-pointer-deref-in-byt-cht-boards-harder.patch b/queue-6.10/asoc-intel-boards-fix-null-pointer-deref-in-byt-cht-boards-harder.patch new file mode 100644 index 00000000000..ac5e0e97a71 --- /dev/null +++ b/queue-6.10/asoc-intel-boards-fix-null-pointer-deref-in-byt-cht-boards-harder.patch 
@@ -0,0 +1,186 @@ +From 0cc65482f5b03ac2b1c240bc34665e43ea2d71bb Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 23 Aug 2024 09:42:17 +0200 +Subject: ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder + +From: Hans de Goede + +commit 0cc65482f5b03ac2b1c240bc34665e43ea2d71bb upstream. + +Since commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component +via COMP_DUMMY()") dummy codecs declared like this: + +SND_SOC_DAILINK_DEF(dummy, + DAILINK_COMP_ARRAY(COMP_DUMMY())); + +expand to: + +static struct snd_soc_dai_link_component dummy[] = { +}; + +Which means that dummy is a zero sized array and thus dais[i].codecs should +not be dereferenced *at all* since it points to the address of the next +variable stored in the data section as the "dummy" variable has an address +but no size, so even dereferencing dais[0] is already an out of bounds +array reference. + +Which means that the if (dais[i].codecs->name) check added in +commit 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref +in BYT/CHT boards") relies on that the part of the next variable which +the name member maps to just happens to be NULL. + +Which apparently so far it usually is, except when it isn't +and then it results in crashes like this one: + +[ 28.795659] BUG: unable to handle page fault for address: 0000000000030011 +... +[ 28.795780] Call Trace: +[ 28.795787] +... +[ 28.795862] ? strcmp+0x18/0x40 +[ 28.795872] 0xffffffffc150c605 +[ 28.795887] platform_probe+0x40/0xa0 +... +[ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102] + +Really fix things this time around by checking dais.num_codecs != 0. 
+ +Fixes: 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Reviewed-by: Pierre-Louis Bossart +Link: https://patch.msgid.link/20240823074217.14653-1-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/boards/bxt_rt298.c | 2 +- + sound/soc/intel/boards/bytcht_cx2072x.c | 2 +- + sound/soc/intel/boards/bytcht_da7213.c | 2 +- + sound/soc/intel/boards/bytcht_es8316.c | 2 +- + sound/soc/intel/boards/bytcr_rt5640.c | 2 +- + sound/soc/intel/boards/bytcr_rt5651.c | 2 +- + sound/soc/intel/boards/bytcr_wm5102.c | 2 +- + sound/soc/intel/boards/cht_bsw_rt5645.c | 2 +- + sound/soc/intel/boards/cht_bsw_rt5672.c | 2 +- + 9 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/sound/soc/intel/boards/bxt_rt298.c b/sound/soc/intel/boards/bxt_rt298.c +index dce6a2086f2a..6da1517c53c6 100644 +--- a/sound/soc/intel/boards/bxt_rt298.c ++++ b/sound/soc/intel/boards/bxt_rt298.c +@@ -605,7 +605,7 @@ static int broxton_audio_probe(struct platform_device *pdev) + int i; + + for (i = 0; i < ARRAY_SIZE(broxton_rt298_dais); i++) { +- if (card->dai_link[i].codecs->name && ++ if (card->dai_link[i].num_codecs && + !strncmp(card->dai_link[i].codecs->name, "i2c-INT343A:00", + I2C_NAME_SIZE)) { + if (!strncmp(card->name, "broxton-rt298", +diff --git a/sound/soc/intel/boards/bytcht_cx2072x.c b/sound/soc/intel/boards/bytcht_cx2072x.c +index c014d85a08b2..df3c2a7b64d2 100644 +--- a/sound/soc/intel/boards/bytcht_cx2072x.c ++++ b/sound/soc/intel/boards/bytcht_cx2072x.c +@@ -241,7 +241,7 @@ static int snd_byt_cht_cx2072x_probe(struct platform_device *pdev) + + /* fix index of codec dai */ + for (i = 0; i < ARRAY_SIZE(byt_cht_cx2072x_dais); i++) { +- if (byt_cht_cx2072x_dais[i].codecs->name && ++ if (byt_cht_cx2072x_dais[i].num_codecs && + !strcmp(byt_cht_cx2072x_dais[i].codecs->name, + "i2c-14F10720:00")) { + dai_index = i; +diff --git 
a/sound/soc/intel/boards/bytcht_da7213.c b/sound/soc/intel/boards/bytcht_da7213.c +index f4ac3ddd148b..08c598b7e1ee 100644 +--- a/sound/soc/intel/boards/bytcht_da7213.c ++++ b/sound/soc/intel/boards/bytcht_da7213.c +@@ -245,7 +245,7 @@ static int bytcht_da7213_probe(struct platform_device *pdev) + + /* fix index of codec dai */ + for (i = 0; i < ARRAY_SIZE(dailink); i++) { +- if (dailink[i].codecs->name && ++ if (dailink[i].num_codecs && + !strcmp(dailink[i].codecs->name, "i2c-DLGS7213:00")) { + dai_index = i; + break; +diff --git a/sound/soc/intel/boards/bytcht_es8316.c b/sound/soc/intel/boards/bytcht_es8316.c +index 2fcec2e02bb5..77b91ea4dc32 100644 +--- a/sound/soc/intel/boards/bytcht_es8316.c ++++ b/sound/soc/intel/boards/bytcht_es8316.c +@@ -546,7 +546,7 @@ static int snd_byt_cht_es8316_mc_probe(struct platform_device *pdev) + + /* fix index of codec dai */ + for (i = 0; i < ARRAY_SIZE(byt_cht_es8316_dais); i++) { +- if (byt_cht_es8316_dais[i].codecs->name && ++ if (byt_cht_es8316_dais[i].num_codecs && + !strcmp(byt_cht_es8316_dais[i].codecs->name, + "i2c-ESSX8316:00")) { + dai_index = i; +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index a64d1989e28a..db4a33680d94 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -1677,7 +1677,7 @@ static int snd_byt_rt5640_mc_probe(struct platform_device *pdev) + + /* fix index of codec dai */ + for (i = 0; i < ARRAY_SIZE(byt_rt5640_dais); i++) { +- if (byt_rt5640_dais[i].codecs->name && ++ if (byt_rt5640_dais[i].num_codecs && + !strcmp(byt_rt5640_dais[i].codecs->name, + "i2c-10EC5640:00")) { + dai_index = i; +diff --git a/sound/soc/intel/boards/bytcr_rt5651.c b/sound/soc/intel/boards/bytcr_rt5651.c +index 80c841b000a3..8514b79f389b 100644 +--- a/sound/soc/intel/boards/bytcr_rt5651.c ++++ b/sound/soc/intel/boards/bytcr_rt5651.c +@@ -910,7 +910,7 @@ static int snd_byt_rt5651_mc_probe(struct platform_device *pdev) + + /* fix 
index of codec dai */ + for (i = 0; i < ARRAY_SIZE(byt_rt5651_dais); i++) { +- if (byt_rt5651_dais[i].codecs->name && ++ if (byt_rt5651_dais[i].num_codecs && + !strcmp(byt_rt5651_dais[i].codecs->name, + "i2c-10EC5651:00")) { + dai_index = i; +diff --git a/sound/soc/intel/boards/bytcr_wm5102.c b/sound/soc/intel/boards/bytcr_wm5102.c +index cccb5e90c0fe..e5a7cc606aa9 100644 +--- a/sound/soc/intel/boards/bytcr_wm5102.c ++++ b/sound/soc/intel/boards/bytcr_wm5102.c +@@ -605,7 +605,7 @@ static int snd_byt_wm5102_mc_probe(struct platform_device *pdev) + + /* find index of codec dai */ + for (i = 0; i < ARRAY_SIZE(byt_wm5102_dais); i++) { +- if (byt_wm5102_dais[i].codecs->name && ++ if (byt_wm5102_dais[i].num_codecs && + !strcmp(byt_wm5102_dais[i].codecs->name, + "wm5102-codec")) { + dai_index = i; +diff --git a/sound/soc/intel/boards/cht_bsw_rt5645.c b/sound/soc/intel/boards/cht_bsw_rt5645.c +index eb41b7115d01..1da9ceee4d59 100644 +--- a/sound/soc/intel/boards/cht_bsw_rt5645.c ++++ b/sound/soc/intel/boards/cht_bsw_rt5645.c +@@ -569,7 +569,7 @@ static int snd_cht_mc_probe(struct platform_device *pdev) + + /* set correct codec name */ + for (i = 0; i < ARRAY_SIZE(cht_dailink); i++) +- if (cht_dailink[i].codecs->name && ++ if (cht_dailink[i].num_codecs && + !strcmp(cht_dailink[i].codecs->name, + "i2c-10EC5645:00")) { + dai_index = i; +diff --git a/sound/soc/intel/boards/cht_bsw_rt5672.c b/sound/soc/intel/boards/cht_bsw_rt5672.c +index be2d1a8dbca8..d68e5bc755de 100644 +--- a/sound/soc/intel/boards/cht_bsw_rt5672.c ++++ b/sound/soc/intel/boards/cht_bsw_rt5672.c +@@ -466,7 +466,7 @@ static int snd_cht_mc_probe(struct platform_device *pdev) + + /* find index of codec dai */ + for (i = 0; i < ARRAY_SIZE(cht_dailink); i++) { +- if (cht_dailink[i].codecs->name && ++ if (cht_dailink[i].num_codecs && + !strcmp(cht_dailink[i].codecs->name, RT5672_I2C_DEFAULT)) { + dai_index = i; + break; +-- +2.46.0 + 
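Review bot: In each of the nine board probe loops, the new `num_codecs` test replaces the `codecs->name` test instead of joining it, so a link that has codecs but does not identify them by a name string would hand a NULL pointer to `strcmp()`/`strncmp()`. The dai tables presumably always name their real codecs, but that is not visible in these hunks, and keeping both guards costs nothing: `if (byt_rt5640_dais[i].num_codecs && byt_rt5640_dais[i].codecs->name &&` ahead of the `!strcmp(...)`. The same applies to the bxt_rt298, bytcht_*, bytcr_* and cht_bsw_* hunks. Every probe function starts before and continues after its hunk.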
diff --git a/queue-6.10/bluetooth-mgmt-ignore-keys-being-loaded-with-invalid-type.patch b/queue-6.10/bluetooth-mgmt-ignore-keys-being-loaded-with-invalid-type.patch
new file mode 100644
index 00000000000..f239a14bfcf
--- /dev/null
+++ b/queue-6.10/bluetooth-mgmt-ignore-keys-being-loaded-with-invalid-type.patch
@@ -0,0 +1,89 @@ +From 1e9683c9b6ca88cc9340cdca85edd6134c8cffe3 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Tue, 27 Aug 2024 15:01:34 -0400 +Subject: Bluetooth: MGMT: Ignore keys being loaded with invalid type + +From: Luiz Augusto von Dentz + +commit 1e9683c9b6ca88cc9340cdca85edd6134c8cffe3 upstream. + +Due to 59b047bc98084f8af2c41483e4d68a5adf2fa7f7 there could be keys stored +with the wrong address type so this attempt to detect it and ignore them +instead of just failing to load all keys. + +Cc: stable@vger.kernel.org +Link: https://github.com/bluez/bluez/issues/875 +Fixes: 59b047bc9808 ("Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/mgmt.c | 37 +++++++++++++++++++------------------ + 1 file changed, 19 insertions(+), 18 deletions(-) + +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -2831,15 +2831,6 @@ static int load_link_keys(struct sock *s + bt_dev_dbg(hdev, "debug_keys %u key_count %u", cp->debug_keys, + key_count); + +- for (i = 0; i < key_count; i++) { +- struct mgmt_link_key_info *key = &cp->keys[i]; +- +- if (key->addr.type != BDADDR_BREDR || key->type > 0x08) +- return mgmt_cmd_status(sk, hdev->id, +- MGMT_OP_LOAD_LINK_KEYS, +- MGMT_STATUS_INVALID_PARAMS); +- } +- + hci_dev_lock(hdev); + + hci_link_keys_clear(hdev); +@@ -2864,6 +2855,19 @@ static int load_link_keys(struct sock *s + continue; + } + ++ if (key->addr.type != BDADDR_BREDR) { ++ bt_dev_warn(hdev, ++ "Invalid link address type %u for %pMR", ++ key->addr.type, &key->addr.bdaddr); ++ continue; ++ } ++ ++ if (key->type > 0x08) { ++ bt_dev_warn(hdev, "Invalid link key type %u for %pMR", ++ key->type, &key->addr.bdaddr); ++ continue; ++ } ++ + /* Always ignore debug keys and require a new pairing if + * the user wants to use them. 
+ */ +@@ -7147,15 +7151,6 @@ static int load_long_term_keys(struct so + + bt_dev_dbg(hdev, "key_count %u", key_count); + +- for (i = 0; i < key_count; i++) { +- struct mgmt_ltk_info *key = &cp->keys[i]; +- +- if (!ltk_is_valid(key)) +- return mgmt_cmd_status(sk, hdev->id, +- MGMT_OP_LOAD_LONG_TERM_KEYS, +- MGMT_STATUS_INVALID_PARAMS); +- } +- + hci_dev_lock(hdev); + + hci_smp_ltks_clear(hdev); +@@ -7171,6 +7166,12 @@ static int load_long_term_keys(struct so + &key->addr.bdaddr); + continue; + } ++ ++ if (!ltk_is_valid(key)) { ++ bt_dev_warn(hdev, "Invalid LTK for %pMR", ++ &key->addr.bdaddr); ++ continue; ++ } + + switch (key->type) { + case MGMT_LTK_UNAUTHENTICATED: diff --git a/queue-6.10/fuse-check-aborted-connection-before-adding-requests-to-pending-list-for-resending.patch b/queue-6.10/fuse-check-aborted-connection-before-adding-requests-to-pending-list-for-resending.patch new file mode 100644 index 00000000000..cd31b5941b2 --- /dev/null +++ b/queue-6.10/fuse-check-aborted-connection-before-adding-requests-to-pending-list-for-resending.patch 
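Review bot: The per-key `bt_dev_warn()` calls added inside the load loops of load_link_keys() and load_long_term_keys() are driven by the `key_count` entries of a single management command, so one request full of invalid keys produces one kernel log line per key. A rate-limited form keeps the diagnostic without letting the caller fill the log, e.g. `bt_dev_warn_ratelimited(hdev, "Invalid link key type %u for %pMR", key->type, &key->addr.bdaddr);`. Validation now also runs after `hci_link_keys_clear()` / `hci_smp_ltks_clear()`, so a request whose keys are all rejected leaves the key store empty and presumably still completes normally; a comment saying this is intended would help the next reader. The bare `0x08` would read better as the named link-key type constant it stands for. Both function bodies continue outside the hunks.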
@@ -0,0 +1,53 @@ +From 97f30876c94382d1b01d45c2c76be8911b196527 Mon Sep 17 00:00:00 2001 +From: Joanne Koong +Date: Thu, 25 Jul 2024 10:53:34 -0700 +Subject: fuse: check aborted connection before adding requests to pending list for resending + +From: Joanne Koong + +commit 97f30876c94382d1b01d45c2c76be8911b196527 upstream. + +There is a race condition where inflight requests will not be aborted if +they are in the middle of being re-sent when the connection is aborted. + +If fuse_resend has already moved all the requests in the fpq->processing +lists to its private queue ("to_queue") and then the connection starts +and finishes aborting, these requests will be added to the pending queue +and remain on it indefinitely. + +Fixes: 760eac73f9f6 ("fuse: Introduce a new notification type for resend pending requests") +Signed-off-by: Joanne Koong +Reviewed-by: Josef Bacik +Reviewed-by: Jingbo Xu +Cc: # v6.9 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dev.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -31,6 +31,8 @@ MODULE_ALIAS("devname:fuse"); + + static struct kmem_cache *fuse_req_cachep; + ++static void end_requests(struct list_head *head); ++ + static struct fuse_dev *fuse_get_dev(struct file *file) + { + /* +@@ -1822,6 +1824,13 @@ static void fuse_resend(struct fuse_conn + } + + spin_lock(&fiq->lock); ++ if (!fiq->connected) { ++ spin_unlock(&fiq->lock); ++ list_for_each_entry(req, &to_queue, list) ++ clear_bit(FR_PENDING, &req->flags); ++ end_requests(&to_queue); ++ return; ++ } + /* iq and pq requests are both oldest to newest */ + list_splice(&to_queue, &fiq->pending); + fiq->ops->wake_pending_and_unlock(fiq); diff --git a/queue-6.10/fuse-clear-pg_uptodate-when-using-a-stolen-page.patch b/queue-6.10/fuse-clear-pg_uptodate-when-using-a-stolen-page.patch new file mode 100644 index 00000000000..3d51a3e7f47 --- /dev/null 
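Review bot: The new `!fiq->connected` branch in fuse_resend() carries no comment explaining why the requests are ended here rather than spliced onto `fiq->pending`; the reason (an abort that has already finished will never look at this private list again) exists only in the commit message. Suggest placing `/* connection was aborted while the requests sat on our private list: nobody else will end them */` above the `if`. It is also worth noting next to the `clear_bit(FR_PENDING, ...)` loop that the bit is dropped because these requests never reach the pending list; where the bit was set lies outside the hunk. The function starts before and continues after the hunk.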
+++ b/queue-6.10/fuse-clear-pg_uptodate-when-using-a-stolen-page.patch 
@@ -0,0 +1,63 @@ +From 76a51ac00ca2a72fe3e168b7fb0e70f75ba6f512 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 28 Aug 2024 15:55:17 +0200 +Subject: fuse: clear PG_uptodate when using a stolen page +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Miklos Szeredi + +commit 76a51ac00ca2a72fe3e168b7fb0e70f75ba6f512 upstream. + +Originally when a stolen page was inserted into fuse's page cache by +fuse_try_move_page(), it would be marked uptodate. Then +fuse_readpages_end() would call SetPageUptodate() again on the already +uptodate page. + +Commit 413e8f014c8b ("fuse: Convert fuse_readpages_end() to use +folio_end_read()") changed that by replacing the SetPageUptodate() + +unlock_page() combination with folio_end_read(), which does mostly the +same, except it sets the uptodate flag with an xor operation, which in the +above scenario resulted in the uptodate flag being cleared, which in turn +resulted in EIO being returned on the read. + +Fix by clearing PG_uptodate instead of setting it in fuse_try_move_page(), +conforming to the expectation of folio_end_read(). 
+ +Reported-by: Jürg Billeter +Debugged-by: Matthew Wilcox +Fixes: 413e8f014c8b ("fuse: Convert fuse_readpages_end() to use folio_end_read()") +Cc: # v6.10 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dev.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index a11461ef6022..67443ef07285 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -775,7 +775,6 @@ static int fuse_check_folio(struct folio *folio) + (folio->flags & PAGE_FLAGS_CHECK_AT_PREP & + ~(1 << PG_locked | + 1 << PG_referenced | +- 1 << PG_uptodate | + 1 << PG_lru | + 1 << PG_active | + 1 << PG_workingset | +@@ -820,9 +819,7 @@ static int fuse_try_move_page(struct fuse_copy_state *cs, struct page **pagep) + + newfolio = page_folio(buf->page); + +- if (!folio_test_uptodate(newfolio)) +- folio_mark_uptodate(newfolio); +- ++ folio_clear_uptodate(newfolio); + folio_clear_mappedtodisk(newfolio); + + if (fuse_check_folio(newfolio) != 0) +-- +2.46.0 + diff --git a/queue-6.10/fuse-disable-the-combination-of-passthrough-and-writeback-cache.patch b/queue-6.10/fuse-disable-the-combination-of-passthrough-and-writeback-cache.patch new file mode 100644 index 00000000000..ceebe086375 --- /dev/null +++ b/queue-6.10/fuse-disable-the-combination-of-passthrough-and-writeback-cache.patch 
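Review bot: With `1 << PG_uptodate` removed from the mask, fuse_check_folio() now rejects an uptodate folio, which turns the `folio_clear_uptodate(newfolio)` call in fuse_try_move_page() into an ordering requirement: it must stay ahead of `fuse_check_folio(newfolio)`, and nothing in the code says so. Suggest a comment on the clear: `/* must be !uptodate here: folio_end_read() toggles the flag and fuse_check_folio() rejects uptodate folios */`. Both function bodies continue outside the hunks.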
@@ -0,0 +1,43 @@ +From 3ab394b363c5fd14b231e335fb6746ddfb93aaaa Mon Sep 17 00:00:00 2001 +From: Bernd Schubert +Date: Wed, 3 Jul 2024 19:30:20 +0200 +Subject: fuse: disable the combination of passthrough and writeback cache + +From: Bernd Schubert + +commit 3ab394b363c5fd14b231e335fb6746ddfb93aaaa upstream. + +Current design and handling of passthrough is without fuse +caching and with that FUSE_WRITEBACK_CACHE is conflicting. + +Fixes: 7dc4e97a4f9a ("fuse: introduce FUSE_PASSTHROUGH capability") +Cc: stable@kernel.org # v6.9 +Signed-off-by: Bernd Schubert +Acked-by: Amir Goldstein +Reviewed-by: Josef Bacik +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/inode.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -1336,11 +1336,16 @@ static void process_init_reply(struct fu + * on a stacked fs (e.g. overlayfs) themselves and with + * max_stack_depth == 1, FUSE fs can be stacked as the + * underlying fs of a stacked fs (e.g. overlayfs). ++ * ++ * Also don't allow the combination of FUSE_PASSTHROUGH ++ * and FUSE_WRITEBACK_CACHE, current design doesn't handle ++ * them together. + */ + if (IS_ENABLED(CONFIG_FUSE_PASSTHROUGH) && + (flags & FUSE_PASSTHROUGH) && + arg->max_stack_depth > 0 && +- arg->max_stack_depth <= FILESYSTEM_MAX_STACK_DEPTH) { ++ arg->max_stack_depth <= FILESYSTEM_MAX_STACK_DEPTH && ++ !(flags & FUSE_WRITEBACK_CACHE)) { + fc->passthrough = 1; + fc->max_stack_depth = arg->max_stack_depth; + fm->sb->s_stack_depth = arg->max_stack_depth; diff --git a/queue-6.10/fuse-fix-memory-leak-in-fuse_create_open.patch b/queue-6.10/fuse-fix-memory-leak-in-fuse_create_open.patch new file mode 100644 index 00000000000..aba56fd13c9 --- /dev/null +++ b/queue-6.10/fuse-fix-memory-leak-in-fuse_create_open.patch 
@@ -0,0 +1,32 @@ +From 3002240d16494d798add0575e8ba1f284258ab34 Mon Sep 17 00:00:00 2001 +From: yangyun +Date: Fri, 23 Aug 2024 16:51:46 +0800 +Subject: fuse: fix memory leak in fuse_create_open + +From: yangyun + +commit 3002240d16494d798add0575e8ba1f284258ab34 upstream. + +The memory of struct fuse_file is allocated but not freed +when get_create_ext return error. + +Fixes: 3e2b6fdbdc9a ("fuse: send security context of inode on file") +Cc: stable@vger.kernel.org # v5.17 +Signed-off-by: yangyun +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -670,7 +670,7 @@ static int fuse_create_open(struct inode + + err = get_create_ext(&args, dir, entry, mode); + if (err) +- goto out_put_forget_req; ++ goto out_free_ff; + + err = fuse_simple_request(fm, &args); + free_ext_value(&args); diff --git a/queue-6.10/fuse-update-stats-for-pages-in-dropped-aux-writeback-list.patch b/queue-6.10/fuse-update-stats-for-pages-in-dropped-aux-writeback-list.patch new file mode 100644 index 00000000000..edc04f8ee00 --- /dev/null +++ b/queue-6.10/fuse-update-stats-for-pages-in-dropped-aux-writeback-list.patch 
@@ -0,0 +1,43 @@ +From f7790d67785302b3116bbbfda62a5a44524601a3 Mon Sep 17 00:00:00 2001 +From: Joanne Koong +Date: Mon, 26 Aug 2024 14:19:04 -0700 +Subject: fuse: update stats for pages in dropped aux writeback list + +From: Joanne Koong + +commit f7790d67785302b3116bbbfda62a5a44524601a3 upstream. + +In the case where the aux writeback list is dropped (e.g. the pages +have been truncated or the connection is broken), the stats for +its pages and backing device info need to be updated as well. + +Fixes: e2653bd53a98 ("fuse: fix leaked aux requests") +Signed-off-by: Joanne Koong +Reviewed-by: Josef Bacik +Cc: # v5.1 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/file.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -1832,10 +1832,16 @@ __acquires(fi->lock) + fuse_writepage_finish(fm, wpa); + spin_unlock(&fi->lock); + +- /* After fuse_writepage_finish() aux request list is private */ ++ /* After rb_erase() aux request list is private */ + for (aux = wpa->next; aux; aux = next) { ++ struct backing_dev_info *bdi = inode_to_bdi(aux->inode); ++ + next = aux->next; + aux->next = NULL; ++ ++ dec_wb_stat(&bdi->wb, WB_WRITEBACK); ++ dec_node_page_state(aux->ia.ap.pages[0], NR_WRITEBACK_TEMP); ++ wb_writeout_inc(&bdi->wb); + fuse_writepage_free(aux); + } + diff --git a/queue-6.10/fuse-use-unsigned-type-for-getxattr-listxattr-size-truncation.patch b/queue-6.10/fuse-use-unsigned-type-for-getxattr-listxattr-size-truncation.patch new file mode 100644 index 00000000000..5e17e9c223e --- /dev/null +++ b/queue-6.10/fuse-use-unsigned-type-for-getxattr-listxattr-size-truncation.patch 
@@ -0,0 +1,68 @@ +From b18915248a15eae7d901262f108d6ff0ffb4ffc1 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 19 Aug 2024 19:52:30 +0200 +Subject: fuse: use unsigned type for getxattr/listxattr size truncation + +From: Jann Horn + +commit b18915248a15eae7d901262f108d6ff0ffb4ffc1 upstream. + +The existing code uses min_t(ssize_t, outarg.size, XATTR_LIST_MAX) when +parsing the FUSE daemon's response to a zero-length getxattr/listxattr +request. +On 32-bit kernels, where ssize_t and outarg.size are the same size, this is +wrong: The min_t() will pass through any size values that are negative when +interpreted as signed. +fuse_listxattr() will then return this userspace-supplied negative value, +which callers will treat as an error value. + +This kind of bug pattern can lead to fairly bad security bugs because of +how error codes are used in the Linux kernel. If a caller were to convert +the numeric error into an error pointer, like so: + + struct foo *func(...) { + int len = fuse_getxattr(..., NULL, 0); + if (len < 0) + return ERR_PTR(len); + ... + } + +then it would end up returning this userspace-supplied negative value cast +to a pointer - but the caller of this function wouldn't recognize it as an +error pointer (IS_ERR_VALUE() only detects values in the narrow range in +which legitimate errno values are), and so it would just be treated as a +kernel pointer. + +I think there is at least one theoretical codepath where this could happen, +but that path would involve virtio-fs with submounts plus some weird +SELinux configuration, so I think it's probably not a concern in practice. 
+ +Cc: stable@vger.kernel.org # v4.9 +Fixes: 63401ccdb2ca ("fuse: limit xattr returned size") +Signed-off-by: Jann Horn +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/xattr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/fuse/xattr.c ++++ b/fs/fuse/xattr.c +@@ -81,7 +81,7 @@ ssize_t fuse_getxattr(struct inode *inod + } + ret = fuse_simple_request(fm, &args); + if (!ret && !size) +- ret = min_t(ssize_t, outarg.size, XATTR_SIZE_MAX); ++ ret = min_t(size_t, outarg.size, XATTR_SIZE_MAX); + if (ret == -ENOSYS) { + fm->fc->no_getxattr = 1; + ret = -EOPNOTSUPP; +@@ -143,7 +143,7 @@ ssize_t fuse_listxattr(struct dentry *en + } + ret = fuse_simple_request(fm, &args); + if (!ret && !size) +- ret = min_t(ssize_t, outarg.size, XATTR_LIST_MAX); ++ ret = min_t(size_t, outarg.size, XATTR_LIST_MAX); + if (ret > 0 && size) + ret = fuse_verify_xattr_list(list, ret); + if (ret == -ENOSYS) { diff --git a/queue-6.10/mmc-core-apply-sd-quirks-earlier-during-probe.patch b/queue-6.10/mmc-core-apply-sd-quirks-earlier-during-probe.patch new file mode 100644 index 00000000000..eeb4031e3b8 --- /dev/null +++ b/queue-6.10/mmc-core-apply-sd-quirks-earlier-during-probe.patch 
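Review bot: The `min_t(size_t, ...)` clamps in fuse_getxattr() and fuse_listxattr() are the only thing stopping a server-supplied `outarg.size` from being returned as a negative value, yet the type argument looks interchangeable to anyone tidying the code later. Suggest a comment on each line: `/* outarg.size comes from the FUSE server; clamp as unsigned so it can never be returned as a negative "error" */`. Both hunks cover only the zero-size query; in fuse_getxattr() the hunk shows no bound on the non-zero-size result, so how that path is limited has to be confirmed in the part of the function outside the hunk.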
@@ -0,0 +1,92 @@ +From 469e5e4713989fdd5e3e502b922e7be0da2464b9 Mon Sep 17 00:00:00 2001 +From: Jonathan Bell +Date: Wed, 21 Aug 2024 08:06:31 +0900 +Subject: mmc: core: apply SD quirks earlier during probe + +From: Jonathan Bell + +commit 469e5e4713989fdd5e3e502b922e7be0da2464b9 upstream. + +Applying MMC_QUIRK_BROKEN_SD_CACHE is broken, as the card's SD quirks are +referenced in sd_parse_ext_reg_perf() prior to the quirks being initialized +in mmc_blk_probe(). + +To fix this problem, let's split out an SD-specific list of quirks and +apply in mmc_sd_init_card() instead. In this way, sd_read_ext_regs() to has +the available information for not assigning the SD_EXT_PERF_CACHE as one of +the (un)supported features, which in turn allows mmc_sd_init_card() to +properly skip execution of sd_enable_cache(). + +Fixes: c467c8f08185 ("mmc: Add MMC_QUIRK_BROKEN_SD_CACHE for Kingston Canvas Go Plus from 11/2019") +Signed-off-by: Jonathan Bell +Co-developed-by: Keita Aihara +Signed-off-by: Keita Aihara +Reviewed-by: Dragan Simic +Reviewed-by: Avri Altman +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240820230631.GA436523@sony.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/quirks.h | 22 +++++++++++++--------- + drivers/mmc/core/sd.c | 4 ++++ + 2 files changed, 17 insertions(+), 9 deletions(-) + +--- a/drivers/mmc/core/quirks.h ++++ b/drivers/mmc/core/quirks.h +@@ -15,6 +15,19 @@ + + #include "card.h" + ++static const struct mmc_fixup __maybe_unused mmc_sd_fixups[] = { ++ /* ++ * Kingston Canvas Go! Plus microSD cards never finish SD cache flush. ++ * This has so far only been observed on cards from 11/2019, while new ++ * cards from 2023/05 do not exhibit this behavior. 
++ */ ++ _FIXUP_EXT("SD64G", CID_MANFID_KINGSTON_SD, 0x5449, 2019, 11, ++ 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd, ++ MMC_QUIRK_BROKEN_SD_CACHE, EXT_CSD_REV_ANY), ++ ++ END_FIXUP ++}; ++ + static const struct mmc_fixup __maybe_unused mmc_blk_fixups[] = { + #define INAND_CMD38_ARG_EXT_CSD 113 + #define INAND_CMD38_ARG_ERASE 0x00 +@@ -54,15 +67,6 @@ static const struct mmc_fixup __maybe_un + MMC_QUIRK_BLK_NO_CMD23), + + /* +- * Kingston Canvas Go! Plus microSD cards never finish SD cache flush. +- * This has so far only been observed on cards from 11/2019, while new +- * cards from 2023/05 do not exhibit this behavior. +- */ +- _FIXUP_EXT("SD64G", CID_MANFID_KINGSTON_SD, 0x5449, 2019, 11, +- 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd, +- MMC_QUIRK_BROKEN_SD_CACHE, EXT_CSD_REV_ANY), +- +- /* + * Some SD cards lockup while using CMD23 multiblock transfers. + */ + MMC_FIXUP("AF SD", CID_MANFID_ATP, CID_OEMID_ANY, add_quirk_sd, +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -26,6 +26,7 @@ + #include "host.h" + #include "bus.h" + #include "mmc_ops.h" ++#include "quirks.h" + #include "sd.h" + #include "sd_ops.h" + +@@ -1475,6 +1476,9 @@ retry: + goto free_card; + } + ++ /* Apply quirks prior to card setup */ ++ mmc_fixup_device(card, mmc_sd_fixups); ++ + err = mmc_sd_setup_card(host, card, oldcard != NULL); + if (err) + goto free_card; diff --git a/queue-6.10/mmc-cqhci-fix-checking-of-cqhci_halt-state.patch b/queue-6.10/mmc-cqhci-fix-checking-of-cqhci_halt-state.patch new file mode 100644 index 00000000000..b78b2234a36 --- /dev/null +++ b/queue-6.10/mmc-cqhci-fix-checking-of-cqhci_halt-state.patch 
@@ -0,0 +1,35 @@ +From aea62c744a9ae2a8247c54ec42138405216414da Mon Sep 17 00:00:00 2001 +From: Seunghwan Baek +Date: Thu, 29 Aug 2024 15:18:22 +0900 +Subject: mmc: cqhci: Fix checking of CQHCI_HALT state + +From: Seunghwan Baek + +commit aea62c744a9ae2a8247c54ec42138405216414da upstream. + +To check if mmc cqe is in halt state, need to check set/clear of CQHCI_HALT +bit. At this time, we need to check with &, not &&. + +Fixes: a4080225f51d ("mmc: cqhci: support for command queue enabled host") +Cc: stable@vger.kernel.org +Signed-off-by: Seunghwan Baek +Reviewed-by: Ritesh Harjani +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20240829061823.3718-2-sh8267.baek@samsung.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/cqhci-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/cqhci-core.c ++++ b/drivers/mmc/host/cqhci-core.c +@@ -617,7 +617,7 @@ static int cqhci_request(struct mmc_host + cqhci_writel(cq_host, 0, CQHCI_CTL); + mmc->cqe_on = true; + pr_debug("%s: cqhci: CQE on\n", mmc_hostname(mmc)); +- if (cqhci_readl(cq_host, CQHCI_CTL) && CQHCI_HALT) { ++ if (cqhci_readl(cq_host, CQHCI_CTL) & CQHCI_HALT) { + pr_err("%s: cqhci: CQE failed to exit halt state\n", + mmc_hostname(mmc)); + } diff --git a/queue-6.10/mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch b/queue-6.10/mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch new file mode 100644 index 00000000000..b644f20bbc1 --- /dev/null +++ b/queue-6.10/mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch 
@@ -0,0 +1,96 @@ +From 8396c793ffdf28bb8aee7cfe0891080f8cab7890 Mon Sep 17 00:00:00 2001 +From: Sam Protsenko +Date: Wed, 6 Mar 2024 17:20:52 -0600 +Subject: mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K + +From: Sam Protsenko + +commit 8396c793ffdf28bb8aee7cfe0891080f8cab7890 upstream. + +Commit 616f87661792 ("mmc: pass queue_limits to blk_mq_alloc_disk") [1] +revealed the long living issue in dw_mmc.c driver, existing since the +time when it was first introduced in commit f95f3850f7a9 ("mmc: dw_mmc: +Add Synopsys DesignWare mmc host driver."), also making kernel boot +broken on platforms using dw_mmc driver with 16K or 64K pages enabled, +with this message in dmesg: + + mmcblk: probe of mmc0:0001 failed with error -22 + +That's happening because mmc_blk_probe() fails when it calls +blk_validate_limits() consequently, which returns the error due to +failed max_segment_size check in this code: + + /* + * The maximum segment size has an odd historic 64k default that + * drivers probably should override. Just like the I/O size we + * require drivers to at least handle a full page per segment. + */ + ... + if (WARN_ON_ONCE(lim->max_segment_size < PAGE_SIZE)) + return -EINVAL; + +In case when IDMAC (Internal DMA Controller) is used, dw_mmc.c always +sets .max_seg_size to 4 KiB: + + mmc->max_seg_size = 0x1000; + +The comment in the code above explains why it's incorrect. Arnd +suggested setting .max_seg_size to .max_req_size to fix it, which is +also what some other drivers are doing: + + $ grep -rl 'max_seg_size.*=.*max_req_size' drivers/mmc/host/ | \ + wc -l + 18 + +This change is not only fixing the boot with 16K/64K pages, but also +leads to a better MMC performance. The linear write performance was +tested on E850-96 board (eMMC only), before commit [1] (where it's +possible to boot with 16K/64K pages without this fix, to be able to do +a comparison). 
It was tested with this command:
+
+ # dd if=/dev/zero of=somefile bs=1M count=500 oflag=sync
+
+Test results are as follows:
+
+ - 4K pages, .max_seg_size = 4 KiB: 94.2 MB/s
+ - 4K pages, .max_seg_size = .max_req_size = 512 KiB: 96.9 MB/s
+ - 16K pages, .max_seg_size = 4 KiB: 126 MB/s
+ - 16K pages, .max_seg_size = .max_req_size = 2 MiB: 128 MB/s
+ - 64K pages, .max_seg_size = 4 KiB: 138 MB/s
+ - 64K pages, .max_seg_size = .max_req_size = 8 MiB: 138 MB/s
+
+Unfortunately, SD card controller is not enabled in E850-96 yet, so it
+wasn't possible for me to run the test on some cheap SD cards to check
+this patch's impact on those. But it's possible that this change might
+also reduce the writes count, thus improving SD/eMMC longevity.
+
+All credit for the analysis and the suggested solution goes to Arnd.
+
+[1] https://lore.kernel.org/all/20240215070300.2200308-18-hch@lst.de/
+
+Fixes: f95f3850f7a9 ("mmc: dw_mmc: Add Synopsys DesignWare mmc host driver.")
+Suggested-by: Arnd Bergmann
+Reported-by: Linux Kernel Functional Testing
+Closes: https://lore.kernel.org/all/CA+G9fYtddf2Fd3be+YShHP6CmSDNcn0ptW8qg+stUKW+Cn0rjQ@mail.gmail.com/
+Signed-off-by: Sam Protsenko
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240306232052.21317-1-semen.protsenko@linaro.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/dw_mmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -2951,8 +2951,8 @@ static int dw_mci_init_slot(struct dw_mc
+ if (host->use_dma == TRANS_MODE_IDMAC) {
+ mmc->max_segs = host->ring_size;
+ mmc->max_blk_size = 65535;
+- mmc->max_seg_size = 0x1000;
+- mmc->max_req_size = mmc->max_seg_size * host->ring_size;
++ mmc->max_req_size = DW_MCI_DESC_DATA_LENGTH * host->ring_size;
++ mmc->max_seg_size = mmc->max_req_size;
+ mmc->max_blk_count = mmc->max_req_size / 512;
+ } else if (host->use_dma == TRANS_MODE_EDMAC) {
+ mmc->max_segs = 64;
diff --git a/queue-6.10/mmc-sdhci-of-aspeed-fix-module-autoloading.patch b/queue-6.10/mmc-sdhci-of-aspeed-fix-module-autoloading.patch
new file mode 100644
index 00000000000..9bee3bf8da8
--- /dev/null
+++ b/queue-6.10/mmc-sdhci-of-aspeed-fix-module-autoloading.patch
@@ -0,0 +1,33 @@
+From 6e540da4c1db7b840e347c4dfe48359b18b7e376 Mon Sep 17 00:00:00 2001
+From: Liao Chen
+Date: Mon, 26 Aug 2024 12:48:51 +0000
+Subject: mmc: sdhci-of-aspeed: fix module autoloading
+
+From: Liao Chen
+
+commit 6e540da4c1db7b840e347c4dfe48359b18b7e376 upstream.
+
+Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
+based on the alias from of_device_id table.
+
+Signed-off-by: Liao Chen
+Acked-by: Andrew Jeffery
+Fixes: bb7b8ec62dfb ("mmc: sdhci-of-aspeed: Add support for the ASPEED SD controller")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240826124851.379759-1-liaochen4@huawei.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci-of-aspeed.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/sdhci-of-aspeed.c
++++ b/drivers/mmc/host/sdhci-of-aspeed.c
+@@ -510,6 +510,7 @@ static const struct of_device_id aspeed_
+ { .compatible = "aspeed,ast2600-sdhci", .data = &ast2600_sdhci_pdata, },
+ { }
+ };
++MODULE_DEVICE_TABLE(of, aspeed_sdhci_of_match);
+
+ static struct platform_driver aspeed_sdhci_driver = {
+ .driver = {
diff --git a/queue-6.10/parisc-delay-write-protection-until-mark_rodata_ro-call.patch b/queue-6.10/parisc-delay-write-protection-until-mark_rodata_ro-call.patch
new file mode 100644
index 00000000000..335dac42e74
--- /dev/null
+++ b/queue-6.10/parisc-delay-write-protection-until-mark_rodata_ro-call.patch
@@ -0,0 +1,66 @@
+From 213aa670153ed675a007c1f35c5db544b0fefc94 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sat, 31 Aug 2024 14:02:06 +0200
+Subject: parisc: Delay write-protection until mark_rodata_ro() call
+
+From: Helge Deller
+
+commit 213aa670153ed675a007c1f35c5db544b0fefc94 upstream.
+
+Do not write-protect the kernel read-only and __ro_after_init sections
+earlier than before mark_rodata_ro() is called. This fixes a boot issue on
+parisc which is triggered by commit 91a1d97ef482 ("jump_label,module: Don't
+alloc static_key_mod for __ro_after_init keys"). That commit may modify
+static key contents in the __ro_after_init section at bootup, so this
+section needs to be writable at least until mark_rodata_ro() is called.
+
+Signed-off-by: Helge Deller
+Reported-by: matoro
+Reported-by: Christoph Biedl
+Tested-by: Christoph Biedl
+Link: https://lore.kernel.org/linux-parisc/096cad5aada514255cd7b0b9dbafc768@matoro.tk/#r
+Fixes: 91a1d97ef482 ("jump_label,module: Don't alloc static_key_mod for __ro_after_init keys")
+Cc: stable@vger.kernel.org # v6.10+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/mm/init.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c
+index 34d91cb8b259..96970fa75e4a 100644
+--- a/arch/parisc/mm/init.c
++++ b/arch/parisc/mm/init.c
+@@ -459,7 +459,6 @@ void free_initmem(void)
+ unsigned long kernel_end = (unsigned long)&_end;
+
+ /* Remap kernel text and data, but do not touch init section yet. */
+- kernel_set_to_readonly = true;
+ map_pages(init_end, __pa(init_end), kernel_end - init_end,
+ PAGE_KERNEL, 0);
+
+@@ -493,11 +492,18 @@ void free_initmem(void)
+ #ifdef CONFIG_STRICT_KERNEL_RWX
+ void mark_rodata_ro(void)
+ {
+- /* rodata memory was already mapped with KERNEL_RO access rights by
+- pagetable_init() and map_pages(). No need to do additional stuff here */
+- unsigned long roai_size = __end_ro_after_init - __start_ro_after_init;
++ unsigned long start = (unsigned long) &__start_rodata;
++ unsigned long end = (unsigned long) &__end_rodata;
+
+- pr_info("Write protected read-only-after-init data: %luk\n", roai_size >> 10);
++ pr_info("Write protecting the kernel read-only data: %luk\n",
++ (end - start) >> 10);
++
++ kernel_set_to_readonly = true;
++ map_pages(start, __pa(start), end - start, PAGE_KERNEL, 0);
++
++ /* force the kernel to see the new page table entries */
++ flush_cache_all();
++ flush_tlb_all();
+ }
+ #endif
+
+--
+2.46.0
+
diff --git a/queue-6.10/riscv-misaligned-restrict-user-access-to-kernel-memory.patch b/queue-6.10/riscv-misaligned-restrict-user-access-to-kernel-memory.patch
new file mode 100644
index 00000000000..e11b1ac06fc
--- /dev/null
+++ b/queue-6.10/riscv-misaligned-restrict-user-access-to-kernel-memory.patch
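Review bot: In the parisc patch (arch/parisc/mm/init.c), `kernel_set_to_readonly = true;` is now set only inside `mark_rodata_ro()`, which the hunk shows under `#ifdef CONFIG_STRICT_KERNEL_RWX`, while the line removed from `free_initmem()` does not appear to sit under that guard. If that option can be switched off on parisc, the flag would never be set and the read-only sections would stay writable after boot, so this is worth confirming against the Kconfig. The new `map_pages(start, __pa(start), end - start, PAGE_KERNEL, 0);` call also passes `PAGE_KERNEL` and seems to rely on the global flag for the read-only mapping. If that is how `map_pages()` behaves, a comment above it such as `/* map_pages() picks read-only protection for this range once kernel_set_to_readonly is set */` would make the dependency visible. `free_initmem()` continues outside the hunk.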
@@ -0,0 +1,49 @@
+From b686ecdeacf6658e1348c1a32a08e2e72f7c0f00 Mon Sep 17 00:00:00 2001
+From: Samuel Holland
+Date: Wed, 14 Aug 2024 17:57:03 -0700
+Subject: riscv: misaligned: Restrict user access to kernel memory
+
+From: Samuel Holland
+
+commit b686ecdeacf6658e1348c1a32a08e2e72f7c0f00 upstream.
+
+raw_copy_{to,from}_user() do not call access_ok(), so this code allowed
+userspace to access any virtual memory address.
+
+Cc: stable@vger.kernel.org
+Fixes: 7c83232161f6 ("riscv: add support for misaligned trap handling in S-mode")
+Fixes: 441381506ba7 ("riscv: misaligned: remove CONFIG_RISCV_M_MODE specific code")
+Signed-off-by: Samuel Holland
+Reviewed-by: Alexandre Ghiti
+Link: https://lore.kernel.org/r/20240815005714.1163136-1-samuel.holland@sifive.com
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/kernel/traps_misaligned.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/kernel/traps_misaligned.c b/arch/riscv/kernel/traps_misaligned.c
+index 192cd5603e95..d4fd8af7aaf5 100644
+--- a/arch/riscv/kernel/traps_misaligned.c
++++ b/arch/riscv/kernel/traps_misaligned.c
+@@ -417,7 +417,7 @@ int handle_misaligned_load(struct pt_regs *regs)
+
+ val.data_u64 = 0;
+ if (user_mode(regs)) {
+- if (raw_copy_from_user(&val, (u8 __user *)addr, len))
++ if (copy_from_user(&val, (u8 __user *)addr, len))
+ return -1;
+ } else {
+ memcpy(&val, (u8 *)addr, len);
+@@ -515,7 +515,7 @@ int handle_misaligned_store(struct pt_regs *regs)
+ return -EOPNOTSUPP;
+
+ if (user_mode(regs)) {
+- if (raw_copy_to_user((u8 __user *)addr, &val, len))
++ if (copy_to_user((u8 __user *)addr, &val, len))
+ return -1;
+ } else {
+ memcpy((u8 *)addr, &val, len);
+--
+2.46.0
+
diff --git a/queue-6.10/selftests-mm-fix-build-errors-on-armhf.patch b/queue-6.10/selftests-mm-fix-build-errors-on-armhf.patch
new file mode 100644
index 00000000000..6062d048eca
--- /dev/null
+++ b/queue-6.10/selftests-mm-fix-build-errors-on-armhf.patch
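Review bot: `copy_from_user()` and `copy_to_user()` carry `might_fault()`, so the new calls in `handle_misaligned_load()` and `handle_misaligned_store()` assume the trap path runs in a context that is allowed to sleep. The hunks do not show whether interrupts are enabled when these handlers run, so that should be confirmed. If it does not hold, the raw helpers could stay behind an explicit range check, `if (!access_ok((void __user *)addr, len)) return -1;`. Either way, a one-line comment above each call, e.g. `/* must validate addr: the raw_ variant skips access_ok() */`, would keep a later cleanup from reverting to the unchecked helper. Both functions start and end outside the hunks.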
@@ -0,0 +1,184 @@
+From b808f629215685c1941b1cd567c7b7ccb3c90278 Mon Sep 17 00:00:00 2001
+From: Muhammad Usama Anjum
+Date: Fri, 9 Aug 2024 13:25:11 +0500
+Subject: selftests: mm: fix build errors on armhf
+
+From: Muhammad Usama Anjum
+
+commit b808f629215685c1941b1cd567c7b7ccb3c90278 upstream.
+
+The __NR_mmap isn't found on armhf. The mmap() is commonly available
+system call and its wrapper is present on all architectures. So it should
+be used directly. It solves problem for armhf and doesn't create problem
+for other architectures.
+
+Remove sys_mmap() functions as they aren't doing anything else other than
+calling mmap(). There is no need to set errno = 0 manually as glibc
+always resets it.
+
+For reference errors are as following:
+
+ CC seal_elf
+seal_elf.c: In function 'sys_mmap':
+seal_elf.c:39:33: error: '__NR_mmap' undeclared (first use in this function)
+ 39 | sret = (void *) syscall(__NR_mmap, addr, len, prot,
+ | ^~~~~~~~~
+
+mseal_test.c: In function 'sys_mmap':
+mseal_test.c:90:33: error: '__NR_mmap' undeclared (first use in this function)
+ 90 | sret = (void *) syscall(__NR_mmap, addr, len, prot,
+ | ^~~~~~~~~
+
+Link: https://lkml.kernel.org/r/20240809082511.497266-1-usama.anjum@collabora.com
+Fixes: 4926c7a52de7 ("selftest mm/mseal memory sealing")
+Signed-off-by: Muhammad Usama Anjum
+Cc: Jeff Xu
+Cc: Kees Cook
+Cc: Liam R. Howlett
+Cc: Shuah Khan
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/mm/mseal_test.c | 37 +++++++++++--------------------
+ tools/testing/selftests/mm/seal_elf.c | 13 -----------
+ 2 files changed, 14 insertions(+), 36 deletions(-)
+
+--- a/tools/testing/selftests/mm/mseal_test.c
++++ b/tools/testing/selftests/mm/mseal_test.c
+@@ -128,17 +128,6 @@ static int sys_mprotect_pkey(void *ptr,
+ return sret;
+ }
+
+-static void *sys_mmap(void *addr, unsigned long len, unsigned long prot,
+- unsigned long flags, unsigned long fd, unsigned long offset)
+-{
+- void *sret;
+-
+- errno = 0;
+- sret = (void *) syscall(__NR_mmap, addr, len, prot,
+- flags, fd, offset);
+- return sret;
+-}
+-
+ static int sys_munmap(void *ptr, size_t size)
+ {
+ int sret;
+@@ -219,7 +208,7 @@ static void setup_single_address(int siz
+ {
+ void *ptr;
+
+- ptr = sys_mmap(NULL, size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
++ ptr = mmap(NULL, size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+ *ptrOut = ptr;
+ }
+
+@@ -228,7 +217,7 @@ static void setup_single_address_rw(int
+ void *ptr;
+ unsigned long mapflags = MAP_ANONYMOUS | MAP_PRIVATE;
+
+- ptr = sys_mmap(NULL, size, PROT_READ | PROT_WRITE, mapflags, -1, 0);
++ ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, mapflags, -1, 0);
+ *ptrOut = ptr;
+ }
+
+@@ -252,7 +241,7 @@ bool seal_support(void)
+ void *ptr;
+ unsigned long page_size = getpagesize();
+
+- ptr = sys_mmap(NULL, page_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
++ ptr = mmap(NULL, page_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+ if (ptr == (void *) -1)
+ return false;
+
+@@ -528,8 +517,8 @@ static void test_seal_zero_address(void)
+ int prot;
+
+ /* use mmap to change protection. */
+- ptr = sys_mmap(0, size, PROT_NONE,
+- MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
++ ptr = mmap(0, size, PROT_NONE,
++ MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+ FAIL_TEST_IF_FALSE(ptr == 0);
+
+ size = get_vma_size(ptr, &prot);
+@@ -1256,8 +1245,8 @@ static void test_seal_mmap_overwrite_pro
+ }
+
+ /* use mmap to change protection. */
+- ret2 = sys_mmap(ptr, size, PROT_NONE,
+- MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
++ ret2 = mmap(ptr, size, PROT_NONE,
++ MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+ if (seal) {
+ FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED);
+ FAIL_TEST_IF_FALSE(errno == EPERM);
+@@ -1287,8 +1276,8 @@ static void test_seal_mmap_expand(bool s
+ }
+
+ /* use mmap to expand. */
+- ret2 = sys_mmap(ptr, size, PROT_READ,
+- MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
++ ret2 = mmap(ptr, size, PROT_READ,
++ MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+ if (seal) {
+ FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED);
+ FAIL_TEST_IF_FALSE(errno == EPERM);
+@@ -1315,8 +1304,8 @@ static void test_seal_mmap_shrink(bool s
+ }
+
+ /* use mmap to shrink. */
+- ret2 = sys_mmap(ptr, 8 * page_size, PROT_READ,
+- MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
++ ret2 = mmap(ptr, 8 * page_size, PROT_READ,
++ MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+ if (seal) {
+ FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED);
+ FAIL_TEST_IF_FALSE(errno == EPERM);
+@@ -1697,7 +1686,7 @@ static void test_seal_discard_ro_anon_on
+ ret = fallocate(fd, 0, 0, size);
+ FAIL_TEST_IF_FALSE(!ret);
+
+- ptr = sys_mmap(NULL, size, PROT_READ, mapflags, fd, 0);
++ ptr = mmap(NULL, size, PROT_READ, mapflags, fd, 0);
+ FAIL_TEST_IF_FALSE(ptr != MAP_FAILED);
+
+ if (seal) {
+@@ -1727,7 +1716,7 @@ static void test_seal_discard_ro_anon_on
+ int ret;
+ unsigned long mapflags = MAP_ANONYMOUS | MAP_SHARED;
+
+- ptr = sys_mmap(NULL, size, PROT_READ, mapflags, -1, 0);
++ ptr = mmap(NULL, size, PROT_READ, mapflags, -1, 0);
+ FAIL_TEST_IF_FALSE(ptr != (void *)-1);
+
+ if (seal) {
+--- a/tools/testing/selftests/mm/seal_elf.c
++++ b/tools/testing/selftests/mm/seal_elf.c
+@@ -61,17 +61,6 @@ static int sys_mseal(void *start, size_t
+ return sret;
+ }
+
+-static void *sys_mmap(void *addr, unsigned long len, unsigned long prot,
+- unsigned long flags, unsigned long fd, unsigned long offset)
+-{
+- void *sret;
+-
+- errno = 0;
+- sret = (void *) syscall(__NR_mmap, addr, len, prot,
+- flags, fd, offset);
+- return sret;
+-}
+-
+ static inline int sys_mprotect(void *ptr, size_t size, unsigned long prot)
+ {
+ int sret;
+@@ -87,7 +76,7 @@ static bool seal_support(void)
+ void *ptr;
+ unsigned long page_size = getpagesize();
+
+- ptr = sys_mmap(NULL, page_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
++ ptr = mmap(NULL, page_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+ if (ptr == (void *) -1)
+ return false;
+
diff --git a/queue-6.10/series b/queue-6.10/series
index c38bda9c997..c3f5f667dee 100644
--- a/queue-6.10/series
+++ b/queue-6.10/series
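Review bot: The failure checks that follow the new direct `mmap()` calls are inconsistent. `seal_support()` in both mseal_test.c and seal_elf.c tests `ptr == (void *) -1`, and the hunk at -1727 tests `ptr != (void *)-1`, while the other call sites compare against `MAP_FAILED`. With the syscall wrapper gone these should read `if (ptr == MAP_FAILED)` and `FAIL_TEST_IF_FALSE(ptr != MAP_FAILED);`. Separately, the description's statement that glibc always resets errno does not match the usual contract, where errno is only meaningful after a failing call. The visible `errno == EPERM` checks are safe because each follows a `ret2 == MAP_FAILED` check, but any test outside these hunks that reads errno after a successful mmap() should be rechecked.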
@@ -28,3 +28,18 @@ irqchip-riscv-aplic-fix-an-is_err-vs-null-bug-in-probe.patch
 nvme-pci-add-sleep-quirk-for-samsung-990-evo.patch
 rust-macros-provide-correct-provenance-when-constructing-this_module.patch
 revert-bluetooth-mgmt-smp-fix-address-type-when-using-smp-over-bredr-le.patch
+bluetooth-mgmt-ignore-keys-being-loaded-with-invalid-type.patch
+selftests-mm-fix-build-errors-on-armhf.patch
+mmc-core-apply-sd-quirks-earlier-during-probe.patch
+mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch
+mmc-sdhci-of-aspeed-fix-module-autoloading.patch
+mmc-cqhci-fix-checking-of-cqhci_halt-state.patch
+fuse-update-stats-for-pages-in-dropped-aux-writeback-list.patch
+fuse-disable-the-combination-of-passthrough-and-writeback-cache.patch
+fuse-check-aborted-connection-before-adding-requests-to-pending-list-for-resending.patch
+fuse-use-unsigned-type-for-getxattr-listxattr-size-truncation.patch
+fuse-fix-memory-leak-in-fuse_create_open.patch
+fuse-clear-pg_uptodate-when-using-a-stolen-page.patch
+asoc-intel-boards-fix-null-pointer-deref-in-byt-cht-boards-harder.patch
+riscv-misaligned-restrict-user-access-to-kernel-memory.patch
+parisc-delay-write-protection-until-mark_rodata_ro-call.patch