From: Greg Kroah-Hartman
Date: Wed, 15 Dec 2021 13:58:15 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v5.4.167~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=77abc91a7ca374abf048246ef49753bb436cac2c;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
ethtool-do-not-perform-operations-on-net-devices-being-unregistered.patch
fuse-make-sure-reclaim-doesn-t-write-the-inode.patch
hwmon-dell-smm-fix-warning-on-proc-i8k-creation-error.patch
---
diff --git a/queue-5.10/ethtool-do-not-perform-operations-on-net-devices-being-unregistered.patch b/queue-5.10/ethtool-do-not-perform-operations-on-net-devices-being-unregistered.patch
new file mode 100644
index 00000000000..bcffbcbc552
--- /dev/null
+++ b/queue-5.10/ethtool-do-not-perform-operations-on-net-devices-being-unregistered.patch
@@ -0,0 +1,62 @@
+From dde91ccfa25fd58f64c397d91b81a4b393100ffa Mon Sep 17 00:00:00 2001
+From: Antoine Tenart
+Date: Fri, 3 Dec 2021 11:13:18 +0100
+Subject: ethtool: do not perform operations on net devices being unregistered
+
+From: Antoine Tenart
+
+commit dde91ccfa25fd58f64c397d91b81a4b393100ffa upstream.
+
+There is a short period between a net device starts to be unregistered
+and when it is actually gone. In that time frame ethtool operations
+could still be performed, which might end up in unwanted or undefined
+behaviours[1].
+
+Do not allow ethtool operations after a net device starts its
+unregistration. This patch targets the netlink part as the ioctl one
+isn't affected: the reference to the net device is taken and the
+operation is executed within an rtnl lock section and the net device
+won't be found after unregister.
+
+[1] For example adding Tx queues after unregister ends up in NULL
+ pointer exceptions and UaFs, such as:
+
+ BUG: KASAN: use-after-free in kobject_get+0x14/0x90
+ Read of size 1 at addr ffff88801961248c by task ethtool/755
+
+ CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/014
+ Call Trace:
+ dump_stack_lvl+0x57/0x72
+ print_address_description.constprop.0+0x1f/0x140
+ kasan_report.cold+0x7f/0x11b
+ kobject_get+0x14/0x90
+ kobject_add_internal+0x3d1/0x450
+ kobject_init_and_add+0xba/0xf0
+ netdev_queue_update_kobjects+0xcf/0x200
+ netif_set_real_num_tx_queues+0xb4/0x310
+ veth_set_channels+0x1c3/0x550
+ ethnl_set_channels+0x524/0x610
+
+Fixes: 041b1c5d4a53 ("ethtool: helper functions for netlink interface")
+Suggested-by: Jakub Kicinski
+Signed-off-by: Antoine Tenart
+Link: https://lore.kernel.org/r/20211203101318.435618-1-atenart@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ethtool/netlink.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ethtool/netlink.h
++++ b/net/ethtool/netlink.h
+@@ -249,6 +249,9 @@ struct ethnl_reply_data {
+
+ static inline int ethnl_ops_begin(struct net_device *dev)
+ {
++ if (dev && dev->reg_state == NETREG_UNREGISTERING)
++ return -ENODEV;
++
+ if (dev && dev->ethtool_ops->begin)
+ return dev->ethtool_ops->begin(dev);
+ else
diff --git a/queue-5.10/fuse-make-sure-reclaim-doesn-t-write-the-inode.patch b/queue-5.10/fuse-make-sure-reclaim-doesn-t-write-the-inode.patch
new file mode 100644
index 00000000000..55ccbe5198a
--- /dev/null
+++ b/queue-5.10/fuse-make-sure-reclaim-doesn-t-write-the-inode.patch
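Review bot: The guard added at the top of `ethnl_ops_begin()` matches only `NETREG_UNREGISTERING` and has no comment, so a reader cannot tell why later states are left out. The commit message argues the device is no longer found once unregistration completes, but whether a netlink request that took its reference earlier can still arrive here with `reg_state` already at `NETREG_UNREGISTERED` is not visible from this hunk and is worth confirming. I would add a comment above the check, for example `/* The netlink path can reach here after unregistration has started; refuse rather than operate on a device being torn down. */`. The function body and its callers, which now have to handle `-ENODEV`, continue outside the hunk.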
@@ -0,0 +1,122 @@
+From 5c791fe1e2a4f401f819065ea4fc0450849f1818 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Fri, 22 Oct 2021 17:03:01 +0200
+Subject: fuse: make sure reclaim doesn't write the inode
+
+From: Miklos Szeredi
+
+commit 5c791fe1e2a4f401f819065ea4fc0450849f1818 upstream.
+
+In writeback cache mode mtime/ctime updates are cached, and flushed to the
+server using the ->write_inode() callback.
+
+Closing the file will result in a dirty inode being immediately written,
+but in other cases the inode can remain dirty after all references are
+dropped. This result in the inode being written back from reclaim, which
+can deadlock on a regular allocation while the request is being served.
+
+The usual mechanisms (GFP_NOFS/PF_MEMALLOC*) don't work for FUSE, because
+serving a request involves unrelated userspace process(es).
+
+Instead do the same as for dirty pages: make sure the inode is written
+before the last reference is gone.
+
+ - fallocate(2)/copy_file_range(2): these call file_update_time() or
+ file_modified(), so flush the inode before returning from the call
+
+ - unlink(2), link(2) and rename(2): these call fuse_update_ctime(), so
+ flush the ctime directly from this helper
+
+Reported-by: chenguanyou
+Signed-off-by: Miklos Szeredi
+Cc: Ed Tsai
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/dir.c | 8 ++++++++
+ fs/fuse/file.c | 15 +++++++++++++++
+ fs/fuse/fuse_i.h | 1 +
+ fs/fuse/inode.c | 3 +++
+ 4 files changed, 27 insertions(+)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -791,11 +791,19 @@ static int fuse_symlink(struct inode *di
+ return create_new_entry(fm, &args, dir, entry, S_IFLNK);
+ }
+
++void fuse_flush_time_update(struct inode *inode)
++{
++ int err = sync_inode_metadata(inode, 1);
++
++ mapping_set_error(inode->i_mapping, err);
++}
++
+ void fuse_update_ctime(struct inode *inode)
+ {
+ if (!IS_NOCMTIME(inode)) {
+ inode->i_ctime = current_time(inode);
+ mark_inode_dirty_sync(inode);
++ fuse_flush_time_update(inode);
+ }
+ }
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1849,6 +1849,17 @@ int fuse_write_inode(struct inode *inode
+ struct fuse_file *ff;
+ int err;
+
++ /*
++ * Inode is always written before the last reference is dropped and
++ * hence this should not be reached from reclaim.
++ *
++ * Writing back the inode from reclaim can deadlock if the request
++ * processing itself needs an allocation. Allocations triggering
++ * reclaim while serving a request can't be prevented, because it can
++ * involve any number of unrelated userspace processes.
++ */
++ WARN_ON(wbc->for_reclaim);
++
+ ff = __fuse_write_file_get(fc, fi);
+ err = fuse_flush_times(inode, ff);
+ if (ff)
+@@ -3338,6 +3349,8 @@ out:
+ if (lock_inode)
+ inode_unlock(inode);
+
++ fuse_flush_time_update(inode);
++
+ return err;
+ }
+
+@@ -3447,6 +3460,8 @@ out:
+ inode_unlock(inode_out);
+ file_accessed(file_in);
+
++ fuse_flush_time_update(inode_out);
++
+ return err;
+ }
+
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -1113,6 +1113,7 @@ int fuse_allow_current_process(struct fu
+
+ u64 fuse_lock_owner_id(struct fuse_conn *fc, fl_owner_t id);
+
++void fuse_flush_time_update(struct inode *inode);
+ void fuse_update_ctime(struct inode *inode);
+
+ int fuse_update_attributes(struct inode *inode, struct file *file);
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -119,6 +119,9 @@ static void fuse_evict_inode(struct inod
+ {
+ struct fuse_inode *fi = get_fuse_inode(inode);
+
++ /* Will write inode on close/munmap and in all other dirtiers */
++ WARN_ON(inode->i_state & I_DIRTY_INODE);
++
+ truncate_inode_pages_final(&inode->i_data);
+ clear_inode(inode);
+ if (inode->i_sb->s_flags & SB_ACTIVE) {
diff --git a/queue-5.10/hwmon-dell-smm-fix-warning-on-proc-i8k-creation-error.patch b/queue-5.10/hwmon-dell-smm-fix-warning-on-proc-i8k-creation-error.patch
new file mode 100644
index 00000000000..b1ffb2dafac
--- /dev/null
+++ b/queue-5.10/hwmon-dell-smm-fix-warning-on-proc-i8k-creation-error.patch
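Review bot: Both new assertions, `WARN_ON(wbc->for_reclaim)` in `fuse_write_inode()` and `WARN_ON(inode->i_state & I_DIRTY_INODE)` in `fuse_evict_inode()`, fire on every hit rather than once. The hunks add `fuse_flush_time_update()` only to `fuse_update_ctime()` and to the two `out:` paths that the description ties to fallocate and copy_file_range; if some other dirtier is not covered (this cannot be checked from here), each eviction or writeback logs a full warning and a system running with panic_on_warn stops on the first one. `WARN_ON_ONCE(wbc->for_reclaim);` and `WARN_ON_ONCE(inode->i_state & I_DIRTY_INODE);` keep the diagnostic while bounding that cost. Separately, `fuse_flush_time_update()` deserves a one-line comment stating that a failed `sync_inode_metadata()` is only recorded through `mapping_set_error()` and never reaches the caller's return value. The bodies of the patched functions extend outside the hunks.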
@@ -0,0 +1,53 @@
+From dbd3e6eaf3d813939b28e8a66e29d81cdc836445 Mon Sep 17 00:00:00 2001
+From: Armin Wolf
+Date: Fri, 12 Nov 2021 18:14:40 +0100
+Subject: hwmon: (dell-smm) Fix warning on /proc/i8k creation error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf
+
+commit dbd3e6eaf3d813939b28e8a66e29d81cdc836445 upstream.
+
+The removal function is called regardless of whether
+/proc/i8k was created successfully or not, the later
+causing a WARN() on module removal.
+Fix that by only registering the removal function
+if /proc/i8k was created successfully.
+
+Tested on a Inspiron 3505.
+
+Fixes: 039ae58503f3 ("hwmon: Allow to compile dell-smm-hwmon driver without /proc/i8k")
+Signed-off-by: Armin Wolf
+Acked-by: Pali Rohár
+Link: https://lore.kernel.org/r/20211112171440.59006-1-W_Armin@gmx.de
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwmon/dell-smm-hwmon.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/dell-smm-hwmon.c
++++ b/drivers/hwmon/dell-smm-hwmon.c
+@@ -603,15 +603,18 @@ static const struct proc_ops i8k_proc_op
+ .proc_ioctl = i8k_ioctl,
+ };
+
++static struct proc_dir_entry *entry;
++
+ static void __init i8k_init_procfs(void)
+ {
+ /* Register the proc entry */
+- proc_create("i8k", 0, NULL, &i8k_proc_ops);
++ entry = proc_create("i8k", 0, NULL, &i8k_proc_ops);
+ }
+
+ static void __exit i8k_exit_procfs(void)
+ {
+- remove_proc_entry("i8k", NULL);
++ if (entry)
++ remove_proc_entry("i8k", NULL);
+ }
+
+ #else
diff --git a/queue-5.10/series b/queue-5.10/series
index 0dbf6026bf7..97195d451e0 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
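Review bot: The new file-scope pointer is named `entry`, which is very generic for a static shared between `i8k_init_procfs()` and `i8k_exit_procfs()`; `static struct proc_dir_entry *i8k_proc_entry;` would follow the `i8k_` prefix used by the neighbouring symbols and avoid shadowing surprises elsewhere in the file. A failed `proc_create()` also stays silent, so a missing /proc/i8k leaves no hint in the log; a `pr_warn()` in the init helper when the pointer is NULL would make that visible. Both helpers are fully inside the hunk, though the conditional block they belong to continues past the trailing `#else`.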
@@ -15,3 +15,6 @@ tracing-fix-a-kmemleak-false-positive-in-tracing_map.patch
 kvm-x86-ignore-sparse-banks-size-for-an-all-cpus-non-sparse-ipi-req.patch
 staging-most-dim2-use-device-release-method.patch
 bpf-fix-integer-overflow-in-argument-calculation-for-bpf_map_area_alloc.patch
+fuse-make-sure-reclaim-doesn-t-write-the-inode.patch
+hwmon-dell-smm-fix-warning-on-proc-i8k-creation-error.patch
+ethtool-do-not-perform-operations-on-net-devices-being-unregistered.patch