From: Greg Kroah-Hartman
Date: Thu, 11 Sep 2025 12:34:16 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Tag: v5.10.244~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6b7a7b231a436bde5b7095bc0faf3552a5c99c47;p=thirdparty%2Fkernel%2Fstable-queue.git
6.6-stable patches
added patches:
ima-limit-the-number-of-tomtou-integrity-violations.patch
kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch
media-i2c-imx214-fix-link-frequency-validation.patch
net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch
nfsd-fix-a-regression-in-nfsd_setattr.patch
nfsd-nfsd_unlink-clobbers-non-zero-status-returned-from-fh_fill_pre_attrs.patch
---
diff --git a/queue-6.6/ima-limit-the-number-of-tomtou-integrity-violations.patch b/queue-6.6/ima-limit-the-number-of-tomtou-integrity-violations.patch
new file mode 100644
index 0000000000..21070f4b64
--- /dev/null
+++ b/queue-6.6/ima-limit-the-number-of-tomtou-integrity-violations.patch
@@ -0,0 +1,83 @@ +From stable+bounces-178946-greg=kroah.com@vger.kernel.org Mon Sep 8 20:02:00 2025 +From: Sasha Levin +Date: Mon, 8 Sep 2025 14:01:51 -0400 +Subject: ima: limit the number of ToMToU integrity violations +To: stable@vger.kernel.org +Cc: Mimi Zohar , Stefan Berger , Petr Vorel , Roberto Sassu , Sasha Levin +Message-ID: <20250908180151.1333407-1-sashal@kernel.org> + +From: Mimi Zohar + +[ Upstream commit a414016218ca97140171aa3bb926b02e1f68c2cc ] + +Each time a file in policy, that is already opened for read, is opened +for write, a Time-of-Measure-Time-of-Use (ToMToU) integrity violation +audit message is emitted and a violation record is added to the IMA +measurement list. This occurs even if a ToMToU violation has already +been recorded. + +Limit the number of ToMToU integrity violations per file open for read. + +Note: The IMA_MAY_EMIT_TOMTOU atomic flag must be set from the reader +side based on policy. This may result in a per file open for read +ToMToU violation. + +Since IMA_MUST_MEASURE is only used for violations, rename the atomic +IMA_MUST_MEASURE flag to IMA_MAY_EMIT_TOMTOU. 
+ +Cc: stable@vger.kernel.org # applies cleanly up to linux-6.6 +Tested-by: Stefan Berger +Reviewed-by: Petr Vorel +Tested-by: Petr Vorel +Reviewed-by: Roberto Sassu +Signed-off-by: Mimi Zohar +[ adapted IMA flag definitions location from ima.h to integrity.h ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_main.c | 16 +++++++++++----- + security/integrity/integrity.h | 3 ++- + 2 files changed, 13 insertions(+), 6 deletions(-) + +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -128,16 +128,22 @@ static void ima_rdwr_violation_check(str + if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) { + if (!iint) + iint = integrity_iint_find(inode); ++ + /* IMA_MEASURE is set from reader side */ +- if (iint && test_bit(IMA_MUST_MEASURE, +- &iint->atomic_flags)) ++ if (iint && test_and_clear_bit(IMA_MAY_EMIT_TOMTOU, ++ &iint->atomic_flags)) + send_tomtou = true; + } + } else { + if (must_measure) +- set_bit(IMA_MUST_MEASURE, &iint->atomic_flags); +- if (inode_is_open_for_write(inode) && must_measure) +- send_writers = true; ++ set_bit(IMA_MAY_EMIT_TOMTOU, &iint->atomic_flags); ++ ++ /* Limit number of open_writers violations */ ++ if (inode_is_open_for_write(inode) && must_measure) { ++ if (!test_and_set_bit(IMA_EMITTED_OPENWRITERS, ++ &iint->atomic_flags)) ++ send_writers = true; ++ } + } + + if (!send_tomtou && !send_writers) +--- a/security/integrity/integrity.h ++++ b/security/integrity/integrity.h +@@ -74,7 +74,8 @@ + #define IMA_UPDATE_XATTR 1 + #define IMA_CHANGE_ATTR 2 + #define IMA_DIGSIG 3 +-#define IMA_MUST_MEASURE 4 ++#define IMA_MAY_EMIT_TOMTOU 4 ++#define IMA_EMITTED_OPENWRITERS 5 + + enum evm_ima_xattr_type { + IMA_XATTR_DIGEST = 0x01, diff --git a/queue-6.6/kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch b/queue-6.6/kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch new file mode 100644 index 0000000000..487aa00b16 --- /dev/null 
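Review bot: The comment kept at the top of the ima_main.c hunk, `/* IMA_MEASURE is set from reader side */`, now names the wrong flag: the bit tested on the following line is IMA_MAY_EMIT_TOMTOU, so it should read `/* IMA_MAY_EMIT_TOMTOU is set from reader side */`. The new IMA_EMITTED_OPENWRITERS bit is set with test_and_set_bit() but nothing in this hunk ever clears it, so after the first open_writers violation no further one is recorded for that iint; if it is reset elsewhere (for instance when the iint is reinitialised) a comment next to the set naming that site would make the bound explicit, and if it is not, the limit is per inode lifetime rather than per open. Capping the records is what keeps a repeatedly reopened file from flooding the measurement list, which matches the description's intent. ima_rdwr_violation_check() begins before the hunk and continues after it.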
+++ b/queue-6.6/kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch 
@@ -0,0 +1,79 @@ +From stable+bounces-179196-greg=kroah.com@vger.kernel.org Wed Sep 10 13:53:55 2025 +From: Sasha Levin +Date: Wed, 10 Sep 2025 07:53:46 -0400 +Subject: kasan: fix GCC mem-intrinsic prefix with sw tags +To: stable@vger.kernel.org +Cc: Ada Couprie Diaz , Yeoreum Yun , Alexander Potapenko , Andrey Konovalov , Andrey Ryabinin , Dmitriy Vyukov , Marco Elver , Marc Rutland , Michael Ellerman , Nathan Chancellor , Vincenzo Frascino , Andrew Morton , Sasha Levin +Message-ID: <20250910115346.3588109-1-sashal@kernel.org> + +From: Ada Couprie Diaz + +[ Upstream commit 51337a9a3a404fde0f5337662ffc7699793dfeb5 ] + +GCC doesn't support "hwasan-kernel-mem-intrinsic-prefix", only +"asan-kernel-mem-intrinsic-prefix"[0], while LLVM supports both. This is +already taken into account when checking +"CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX", but not in the KASAN Makefile +adding those parameters when "CONFIG_KASAN_SW_TAGS" is enabled. + +Replace the version check with "CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX", +which already validates that mem-intrinsic prefix parameter can be used, +and choose the correct name depending on compiler. + +GCC 13 and above trigger "CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX" which +prevents `mem{cpy,move,set}()` being redefined in "mm/kasan/shadow.c" +since commit 36be5cba99f6 ("kasan: treat meminstrinsic as builtins in +uninstrumented files"), as we expect the compiler to prefix those calls +with `__(hw)asan_` instead. But as the option passed to GCC has been +incorrect, the compiler has not been emitting those prefixes, effectively +never calling the instrumented versions of `mem{cpy,move,set}()` with +"CONFIG_KASAN_SW_TAGS" enabled. + +If "CONFIG_FORTIFY_SOURCES" is enabled, this issue would be mitigated as +it redefines `mem{cpy,move,set}()` and properly aliases the +`__underlying_mem*()` that will be called to the instrumented versions. 
+ +Link: https://lkml.kernel.org/r/20250821120735.156244-1-ada.coupriediaz@arm.com +Link: https://gcc.gnu.org/onlinedocs/gcc-13.4.0/gcc/Optimize-Options.html [0] +Signed-off-by: Ada Couprie Diaz +Fixes: 36be5cba99f6 ("kasan: treat meminstrinsic as builtins in uninstrumented files") +Reviewed-by: Yeoreum Yun +Cc: Alexander Potapenko +Cc: Andrey Konovalov +Cc: Andrey Ryabinin +Cc: Dmitriy Vyukov +Cc: Marco Elver +Cc: Marc Rutland +Cc: Michael Ellerman +Cc: Nathan Chancellor +Cc: Vincenzo Frascino +Cc: +Signed-off-by: Andrew Morton +[ kasan_params => CFLAGS_KASAN ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/Makefile.kasan | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/scripts/Makefile.kasan ++++ b/scripts/Makefile.kasan +@@ -68,10 +68,14 @@ CFLAGS_KASAN := -fsanitize=kernel-hwaddr + $(call cc-param,hwasan-inline-all-checks=0) \ + $(instrumentation_flags) + +-# Instrument memcpy/memset/memmove calls by using instrumented __hwasan_mem*(). +-ifeq ($(call clang-min-version, 150000)$(call gcc-min-version, 130000),y) +-CFLAGS_KASAN += $(call cc-param,hwasan-kernel-mem-intrinsic-prefix=1) +-endif ++# Instrument memcpy/memset/memmove calls by using instrumented __(hw)asan_mem*(). ++ifdef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX ++ ifdef CONFIG_CC_IS_GCC ++ CFLAGS_KASAN += $(call cc-param,asan-kernel-mem-intrinsic-prefix=1) ++ else ++ CFLAGS_KASAN += $(call cc-param,hwasan-kernel-mem-intrinsic-prefix=1) ++ endif ++endif # CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX + + endif # CONFIG_KASAN_SW_TAGS + diff --git a/queue-6.6/media-i2c-imx214-fix-link-frequency-validation.patch b/queue-6.6/media-i2c-imx214-fix-link-frequency-validation.patch new file mode 100644 index 0000000000..90baa6b86e --- /dev/null +++ b/queue-6.6/media-i2c-imx214-fix-link-frequency-validation.patch 
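Review bot: The new ifdef arm encodes a compiler difference that the Makefile comment does not explain: GCC only accepts the `asan-kernel-mem-intrinsic-prefix` spelling even in hwasan mode, while LLVM accepts both, which is why the CONFIG_CC_IS_GCC branch passes a different parameter name. A reader seeing `asan-` under CONFIG_KASAN_SW_TAGS may "correct" it back to `hwasan-` and silently reintroduce the missing mem* instrumentation the description reports, so add `# GCC only knows the asan- spelling of this parameter, even for hwasan; LLVM accepts both.` above the inner ifdef. Gating on CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX rather than compiler version checks is the right dependency, since that symbol is what proves the parameter is accepted.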
@@ -0,0 +1,90 @@ +From stable+bounces-178960-greg=kroah.com@vger.kernel.org Mon Sep 8 21:49:41 2025 +From: Sasha Levin +Date: Mon, 8 Sep 2025 15:49:31 -0400 +Subject: media: i2c: imx214: Fix link frequency validation +To: stable@vger.kernel.org +Cc: "André Apitzsch" , "Ricardo Ribalda" , "Sakari Ailus" , "Hans Verkuil" , "Sasha Levin" +Message-ID: <20250908194931.2306968-1-sashal@kernel.org> + +From: André Apitzsch + +[ Upstream commit acc294519f1749041e1b8c74d46bbf6c57d8b061 ] + +The driver defines IMX214_DEFAULT_LINK_FREQ 480000000, and then +IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10), +which works out as 384MPix/s. (The 8 is 4 lanes and DDR.) + +Parsing the PLL registers with the defined 24MHz input. We're in single +PLL mode, so MIPI frequency is directly linked to pixel rate. VTCK ends +up being 1200MHz, and VTPXCK and OPPXCK both are 120MHz. Section 5.3 +"Frame rate calculation formula" says "Pixel rate +[pixels/s] = VTPXCK [MHz] * 4", so 120 * 4 = 480MPix/s, which basically +agrees with my number above. + +3.1.4. MIPI global timing setting says "Output bitrate = OPPXCK * reg +0x113[7:0]", so 120MHz * 10, or 1200Mbit/s. That would be a link +frequency of 600MHz due to DDR. +That also matches to 480MPix/s * 10bpp / 4 lanes / 2 for DDR. + +Keep the previous link frequency for backward compatibility. 
+ +Acked-by: Ricardo Ribalda +Signed-off-by: André Apitzsch +Fixes: 436190596241 ("media: imx214: Add imx214 camera sensor driver") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +[ changed dev_err() to dev_err_probe() for the final error case ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/imx214.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +--- a/drivers/media/i2c/imx214.c ++++ b/drivers/media/i2c/imx214.c +@@ -20,7 +20,9 @@ + #include + + #define IMX214_DEFAULT_CLK_FREQ 24000000 +-#define IMX214_DEFAULT_LINK_FREQ 480000000 ++#define IMX214_DEFAULT_LINK_FREQ 600000000 ++/* Keep wrong link frequency for backward compatibility */ ++#define IMX214_DEFAULT_LINK_FREQ_LEGACY 480000000 + #define IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10) + #define IMX214_FPS 30 + #define IMX214_MBUS_CODE MEDIA_BUS_FMT_SRGGB10_1X10 +@@ -892,17 +894,26 @@ static int imx214_parse_fwnode(struct de + goto done; + } + +- for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) ++ if (bus_cfg.nr_of_link_frequencies != 1) ++ dev_warn(dev, "Only one link-frequency supported, please review your DT. Continuing anyway\n"); ++ ++ for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) { + if (bus_cfg.link_frequencies[i] == IMX214_DEFAULT_LINK_FREQ) + break; +- +- if (i == bus_cfg.nr_of_link_frequencies) { +- dev_err(dev, "link-frequencies %d not supported, Please review your DT\n", +- IMX214_DEFAULT_LINK_FREQ); +- ret = -EINVAL; +- goto done; ++ if (bus_cfg.link_frequencies[i] == ++ IMX214_DEFAULT_LINK_FREQ_LEGACY) { ++ dev_warn(dev, ++ "link-frequencies %d not supported, please review your DT. 
Continuing anyway\n", ++ IMX214_DEFAULT_LINK_FREQ); ++ break; ++ } + } + ++ if (i == bus_cfg.nr_of_link_frequencies) ++ ret = dev_err_probe(dev, -EINVAL, ++ "link-frequencies %d not supported, please review your DT\n", ++ IMX214_DEFAULT_LINK_FREQ); ++ + done: + v4l2_fwnode_endpoint_free(&bus_cfg); + fwnode_handle_put(endpoint); diff --git a/queue-6.6/net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch b/queue-6.6/net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch new file mode 100644 index 0000000000..60c0848453 --- /dev/null +++ b/queue-6.6/net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch 
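Review bot: The warning emitted in the legacy branch of the loop reports the wrong value: it prints IMX214_DEFAULT_LINK_FREQ (600000000) as "not supported" although the value actually found in the DT is IMX214_DEFAULT_LINK_FREQ_LEGACY (480000000), which the driver then goes on to accept. Name both so the operator knows what to change: `"link-frequencies %d is deprecated, expected %d, continuing anyway\n", IMX214_DEFAULT_LINK_FREQ_LEGACY, IMX214_DEFAULT_LINK_FREQ`. The `!= 1` warning above the loop is informational only and the loop still breaks on the first match, so a DT listing both values is accepted with just that warning, which looks intended. imx214_parse_fwnode() begins before the hunk and the `done:` cleanup follows it.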
@@ -0,0 +1,275 @@ +From stable+bounces-178948-greg=kroah.com@vger.kernel.org Mon Sep 8 20:17:03 2025 +From: Sasha Levin +Date: Mon, 8 Sep 2025 14:16:00 -0400 +Subject: net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. +To: stable@vger.kernel.org +Cc: Kuniyuki Iwashima , Jakub Kicinski , Sasha Levin +Message-ID: <20250908181600.1342061-1-sashal@kernel.org> + +From: Kuniyuki Iwashima + +[ Upstream commit 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 ] + +When I ran the repro [0] and waited a few seconds, I observed two +LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] + +Reproduction Steps: + + 1) Mount CIFS + 2) Add an iptables rule to drop incoming FIN packets for CIFS + 3) Unmount CIFS + 4) Unload the CIFS module + 5) Remove the iptables rule + +At step 3), the CIFS module calls sock_release() for the underlying +TCP socket, and it returns quickly. However, the socket remains in +FIN_WAIT_1 because incoming FIN packets are dropped. + +At this point, the module's refcnt is 0 while the socket is still +alive, so the following rmmod command succeeds. + + # ss -tan + State Recv-Q Send-Q Local Address:Port Peer Address:Port + FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445 + + # lsmod | grep cifs + cifs 1159168 0 + +This highlights a discrepancy between the lifetime of the CIFS module +and the underlying TCP socket. Even after CIFS calls sock_release() +and it returns, the TCP socket does not die immediately in order to +close the connection gracefully. + +While this is generally fine, it causes an issue with LOCKDEP because +CIFS assigns a different lock class to the TCP socket's sk->sk_lock +using sock_lock_init_class_and_name(). + +Once an incoming packet is processed for the socket or a timer fires, +sk->sk_lock is acquired. + +Then, LOCKDEP checks the lock context in check_wait_context(), where +hlock_class() is called to retrieve the lock class. 
However, since +the module has already been unloaded, hlock_class() logs a warning +and returns NULL, triggering the null-ptr-deref. + +If LOCKDEP is enabled, we must ensure that a module calling +sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded +while such a socket is still alive to prevent this issue. + +Let's hold the module reference in sock_lock_init_class_and_name() +and release it when the socket is freed in sk_prot_free(). + +Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() +that calls sock_lock_init_class_and_name() for a listening socket, +which clones a socket by sk_clone_lock() without GFP_ZERO. + +[0]: +CIFS_SERVER="10.0.0.137" +CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST" +DEV="enp0s3" +CRED="/root/WindowsCredential.txt" + +MNT=$(mktemp -d /tmp/XXXXXX) +mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1 + +iptables -A INPUT -s ${CIFS_SERVER} -j DROP + +for i in $(seq 10); +do + umount ${MNT} + rmmod cifs + sleep 1 +done + +rm -r ${MNT} + +iptables -D INPUT -s ${CIFS_SERVER} -j DROP + +[1]: +DEBUG_LOCKS_WARN_ON(1) +WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) +Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] +CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) +... +Call Trace: + + __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178) + lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) + _raw_spin_lock_nested (kernel/locking/spinlock.c:379) + tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) +... 
+ +BUG: kernel NULL pointer dereference, address: 00000000000000c4 + PF: supervisor read access in kernel mode + PF: error_code(0x0000) - not-present page +PGD 0 +Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI +CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36 +Tainted: [W]=WARN +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:__lock_acquire (kernel/locking/lockdep.c:4852 kernel/locking/lockdep.c:5178) +Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 e1 bc ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 d1 bc ff ff 0f b6 80 c5 00 00 00 88 44 +RSP: 0018:ffa0000000468a10 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: ff1100010091cc38 RCX: 0000000000000027 +RDX: ff1100081f09ca48 RSI: 0000000000000001 RDI: ff1100010091cc88 +RBP: ff1100010091c200 R08: ff1100083fe6e228 R09: 00000000ffffbfff +R10: ff1100081eca0000 R11: ff1100083fe10dc0 R12: ff1100010091cc88 +R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424b1 +FS: 0000000000000000(0000) GS:ff1100081f080000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000000000c4 CR3: 0000000002c4a003 CR4: 0000000000771ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) + _raw_spin_lock_nested (kernel/locking/spinlock.c:379) + tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) + ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) + ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234) + ip_sublist_rcv_finish (net/ipv4/ip_input.c:576) + ip_list_rcv_finish (net/ipv4/ip_input.c:628) + ip_list_rcv (net/ipv4/ip_input.c:670) + 
__netif_receive_skb_list_core (net/core/dev.c:5939 net/core/dev.c:5986) + netif_receive_skb_list_internal (net/core/dev.c:6040 net/core/dev.c:6129) + napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:519 ./include/net/gro.h:514 net/core/dev.c:6496) + e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3815) + __napi_poll.constprop.0 (net/core/dev.c:7191) + net_rx_action (net/core/dev.c:7262 net/core/dev.c:7382) + handle_softirqs (kernel/softirq.c:561) + __irq_exit_rcu (kernel/softirq.c:596 kernel/softirq.c:435 kernel/softirq.c:662) + irq_exit_rcu (kernel/softirq.c:680) + common_interrupt (arch/x86/kernel/irq.c:280 (discriminator 14)) + + + asm_common_interrupt (./arch/x86/include/asm/idtentry.h:693) +RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:744) +Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 2b 15 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 +RSP: 0018:ffa00000000ffee8 EFLAGS: 00000202 +RAX: 000000000000640b RBX: ff1100010091c200 RCX: 0000000000061aa4 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f30c5 +RBP: 000000000000000a R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + ? 
do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) + default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) + do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) + cpu_startup_entry (kernel/sched/idle.c:422 (discriminator 1)) + start_secondary (arch/x86/kernel/smpboot.c:315) + common_startup_64 (arch/x86/kernel/head_64.S:421) + +Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] +CR2: 00000000000000c4 + +Fixes: ed07536ed673 ("[PATCH] lockdep: annotate nfs/nfsd in-kernel sockets") +Signed-off-by: Kuniyuki Iwashima +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250407163313.22682-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 40 ++++++++++++++++++++++++++++++++++++++-- + net/core/sock.c | 5 +++++ + 2 files changed, 43 insertions(+), 2 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -353,6 +353,8 @@ struct sk_filter; + * @sk_txtime_unused: unused txtime flags + * @ns_tracker: tracker for netns reference + * @sk_bind2_node: bind node in the bhash2 table ++ * @sk_owner: reference to the real owner of the socket that calls ++ * sock_lock_init_class_and_name(). 
+ */ + struct sock { + /* +@@ -545,6 +547,10 @@ struct sock { + struct rcu_head sk_rcu; + netns_tracker ns_tracker; + struct hlist_node sk_bind2_node; ++ ++#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) ++ struct module *sk_owner; ++#endif + }; + + enum sk_pacing { +@@ -1699,6 +1705,35 @@ static inline void sk_mem_uncharge(struc + sk_mem_reclaim(sk); + } + ++#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) ++static inline void sk_owner_set(struct sock *sk, struct module *owner) ++{ ++ __module_get(owner); ++ sk->sk_owner = owner; ++} ++ ++static inline void sk_owner_clear(struct sock *sk) ++{ ++ sk->sk_owner = NULL; ++} ++ ++static inline void sk_owner_put(struct sock *sk) ++{ ++ module_put(sk->sk_owner); ++} ++#else ++static inline void sk_owner_set(struct sock *sk, struct module *owner) ++{ ++} ++ ++static inline void sk_owner_clear(struct sock *sk) ++{ ++} ++ ++static inline void sk_owner_put(struct sock *sk) ++{ ++} ++#endif + /* + * Macro so as to not evaluate some arguments when + * lockdep is not enabled. 
+@@ -1708,13 +1743,14 @@ static inline void sk_mem_uncharge(struc + */ + #define sock_lock_init_class_and_name(sk, sname, skey, name, key) \ + do { \ ++ sk_owner_set(sk, THIS_MODULE); \ + sk->sk_lock.owned = 0; \ + init_waitqueue_head(&sk->sk_lock.wq); \ + spin_lock_init(&(sk)->sk_lock.slock); \ + debug_check_no_locks_freed((void *)&(sk)->sk_lock, \ +- sizeof((sk)->sk_lock)); \ ++ sizeof((sk)->sk_lock)); \ + lockdep_set_class_and_name(&(sk)->sk_lock.slock, \ +- (skey), (sname)); \ ++ (skey), (sname)); \ + lockdep_init_map(&(sk)->sk_lock.dep_map, (name), (key), 0); \ + } while (0) + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2029,6 +2029,8 @@ lenout: + */ + static inline void sock_lock_init(struct sock *sk) + { ++ sk_owner_clear(sk); ++ + if (sk->sk_kern_sock) + sock_lock_init_class_and_name( + sk, +@@ -2124,6 +2126,9 @@ static void sk_prot_free(struct proto *p + cgroup_sk_free(&sk->sk_cgrp_data); + mem_cgroup_sk_free(sk); + security_sk_free(sk); ++ ++ sk_owner_put(sk); ++ + if (slab != NULL) + kmem_cache_free(slab, sk); + else diff --git a/queue-6.6/nfsd-fix-a-regression-in-nfsd_setattr.patch b/queue-6.6/nfsd-fix-a-regression-in-nfsd_setattr.patch new file mode 100644 index 0000000000..4b4ee37451 --- /dev/null +++ b/queue-6.6/nfsd-fix-a-regression-in-nfsd_setattr.patch 
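Review bot: sk_owner_set() takes a fresh reference with __module_get() and overwrites sk->sk_owner without releasing any reference already stored there, so a socket on which sock_lock_init_class_and_name() runs twice would pin the first module forever (a leak rather than a crash, but it defeats rmmod). If double initialisation is impossible by construction, say so on the helper, e.g. `/* Called once per socket from sock_lock_init_class_and_name(); a second call would leak the first reference. */`; otherwise put the old owner before assigning. The pairing is otherwise sound: sk_owner_clear() in sock_lock_init() covers the sk_clone_lock() copy described in the message, and module_put() accepts a NULL owner, so sk_prot_free() is safe for sockets that never had one. Without CONFIG_PROVE_LOCKING the helpers are empty and the module can still be unloaded while the socket lives, which is acceptable because the lock class is then never dereferenced.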
@@ -0,0 +1,91 @@ +From stable+bounces-178998-greg=kroah.com@vger.kernel.org Tue Sep 9 02:36:51 2025 +From: Sasha Levin +Date: Mon, 8 Sep 2025 20:36:43 -0400 +Subject: nfsd: Fix a regression in nfsd_setattr() +To: stable@vger.kernel.org +Cc: Trond Myklebust , Jeff Layton , NeilBrown , Chuck Lever , Sasha Levin +Message-ID: <20250909003644.2495376-1-sashal@kernel.org> + +From: Trond Myklebust + +[ Upstream commit 6412e44c40aaf8f1d7320b2099c5bdd6cb9126ac ] + +Commit bb4d53d66e4b ("NFSD: use (un)lock_inode instead of +fh_(un)lock for file operations") broke the NFSv3 pre/post op +attributes behaviour when doing a SETATTR rpc call by stripping out +the calls to fh_fill_pre_attrs() and fh_fill_post_attrs(). + +Fixes: bb4d53d66e4b ("NFSD: use (un)lock_inode instead of fh_(un)lock for file operations") +Signed-off-by: Trond Myklebust +Reviewed-by: Jeff Layton +Reviewed-by: NeilBrown +Message-ID: <20240216012451.22725-1-trondmy@kernel.org> +Signed-off-by: Chuck Lever +Stable-dep-of: d7d8e3169b56 ("NFSD: nfsd_unlink() clobbers non-zero status returned from fh_fill_pre_attrs()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4proc.c | 4 ++++ + fs/nfsd/vfs.c | 9 +++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1131,6 +1131,7 @@ nfsd4_setattr(struct svc_rqst *rqstp, st + }; + struct inode *inode; + __be32 status = nfs_ok; ++ bool save_no_wcc; + int err; + + if (setattr->sa_iattr.ia_valid & ATTR_SIZE) { +@@ -1156,8 +1157,11 @@ nfsd4_setattr(struct svc_rqst *rqstp, st + + if (status) + goto out; ++ save_no_wcc = cstate->current_fh.fh_no_wcc; ++ cstate->current_fh.fh_no_wcc = true; + status = nfsd_setattr(rqstp, &cstate->current_fh, &attrs, + 0, (time64_t)0); ++ cstate->current_fh.fh_no_wcc = save_no_wcc; + if (!status) + status = nfserrno(attrs.na_labelerr); + if (!status) +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -480,7 +480,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str 
+ int accmode = NFSD_MAY_SATTR; + umode_t ftype = 0; + __be32 err; +- int host_err; ++ int host_err = 0; + bool get_write_count; + bool size_change = (iap->ia_valid & ATTR_SIZE); + int retries; +@@ -538,6 +538,9 @@ nfsd_setattr(struct svc_rqst *rqstp, str + } + + inode_lock(inode); ++ err = fh_fill_pre_attrs(fhp); ++ if (err) ++ goto out_unlock; + for (retries = 1;;) { + struct iattr attrs; + +@@ -565,13 +568,15 @@ nfsd_setattr(struct svc_rqst *rqstp, str + attr->na_aclerr = set_posix_acl(&nop_mnt_idmap, + dentry, ACL_TYPE_DEFAULT, + attr->na_dpacl); ++ fh_fill_post_attrs(fhp); ++out_unlock: + inode_unlock(inode); + if (size_change) + put_write_access(inode); + out: + if (!host_err) + host_err = commit_metadata(fhp); +- return nfserrno(host_err); ++ return err != 0 ? err : nfserrno(host_err); + } + + #if defined(CONFIG_NFSD_V4) diff --git a/queue-6.6/nfsd-nfsd_unlink-clobbers-non-zero-status-returned-from-fh_fill_pre_attrs.patch b/queue-6.6/nfsd-nfsd_unlink-clobbers-non-zero-status-returned-from-fh_fill_pre_attrs.patch new file mode 100644 index 0000000000..b26d7cbc94 --- /dev/null +++ b/queue-6.6/nfsd-nfsd_unlink-clobbers-non-zero-status-returned-from-fh_fill_pre_attrs.patch 
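Review bot: When fh_fill_pre_attrs() fails, the new `goto out_unlock` still falls through to `out:`, where host_err is 0 (now initialised at declaration) so commit_metadata() runs for an inode whose attributes were never changed, and its result is then discarded by `return err != 0 ? err : nfserrno(host_err);`. Unless a path outside the hunk reaches `out:` with err set and relies on that commit, guard it: `if (!err && !host_err) host_err = commit_metadata(fhp);`. In nfs4proc.c the save/force/restore of fh_no_wcc around nfsd_setattr() carries no comment saying why NFSv4 suppresses the pre/post attrs that this same series restores for NFSv3; a one-liner such as `/* NFSv4 SETATTR does not report wcc; skip pre/post attrs here */` (confirm against the v4 code) would stop a later cleanup from removing it. nfsd_setattr() begins before the first vfs.c hunk and the retry loop lies between the hunks.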
@@ -0,0 +1,44 @@ +From stable+bounces-178999-greg=kroah.com@vger.kernel.org Tue Sep 9 02:36:52 2025 +From: Sasha Levin +Date: Mon, 8 Sep 2025 20:36:44 -0400 +Subject: NFSD: nfsd_unlink() clobbers non-zero status returned from fh_fill_pre_attrs() +To: stable@vger.kernel.org +Cc: Chuck Lever , Jeff Layton , Sasha Levin +Message-ID: <20250909003644.2495376-2-sashal@kernel.org> + +From: Chuck Lever + +[ Upstream commit d7d8e3169b56e7696559a2427c922c0d55debcec ] + +If fh_fill_pre_attrs() returns a non-zero status, the error flow +takes it through out_unlock, which then overwrites the returned +status code with + + err = nfserrno(host_err); + +Fixes: a332018a91c4 ("nfsd: handle failure to collect pre/post-op attrs more sanely") +Reviewed-by: Jeff Layton +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +[ Slightly different error mapping ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/vfs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -1970,11 +1970,9 @@ out_nfserr: + err = nfserr_file_open; + else + err = nfserr_acces; +- } else { +- err = nfserrno(host_err); + } + out: +- return err; ++ return err != nfs_ok ? err : nfserrno(host_err); + out_unlock: + inode_unlock(dirp); + goto out_drop_write; diff --git a/queue-6.6/series b/queue-6.6/series index db6474c27c..97e8dc1e5a 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -1,2 +1,8 @@ kunit-kasan_test-disable-fortify-string-checker-on-kasan_strings-test.patch mm-introduce-and-use-pgd-p4d-_populate_kernel.patch +kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch +nfsd-fix-a-regression-in-nfsd_setattr.patch +nfsd-nfsd_unlink-clobbers-non-zero-status-returned-from-fh_fill_pre_attrs.patch +media-i2c-imx214-fix-link-frequency-validation.patch +net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch +ima-limit-the-number-of-tomtou-integrity-violations.patch
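Review bot: After this change every path that reaches `out:` with err == nfs_ok maps host_err, including the success path and the out_unlock path taken when fh_fill_pre_attrs() fails, so nfsd_unlink() now depends on host_err holding 0 or a real errno whenever err is nfs_ok. The declaration of host_err is outside the hunk; the sibling backport in this series changes nfsd_setattr() to `int host_err = 0;`, and the same initialisation is worth confirming here so that an early `goto out` with err == nfs_ok cannot map a stale value into an arbitrary NFS status. The visible tail of the out_nfserr block maps one case to nfserr_file_open and the rest to nfserr_acces, which is the "slightly different error mapping" the backport note refers to. nfsd_unlink() begins before the hunk and out_drop_write follows it.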