From: Greg Kroah-Hartman Date: Wed, 21 Feb 2024 08:52:14 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.19.307~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=77b61e25e19185aab3ec6ab023968762e16575ff;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: dm-limit-the-number-of-targets-and-parameter-size-area.patch nilfs2-fix-potential-bug-in-end_buffer_async_write.patch nilfs2-replace-warn_ons-for-invalid-dat-metadata-block-requests.patch sched-membarrier-reduce-the-ability-to-hammer-on-sys_membarrier.patch --- diff --git a/queue-5.15/dm-limit-the-number-of-targets-and-parameter-size-area.patch b/queue-5.15/dm-limit-the-number-of-targets-and-parameter-size-area.patch new file mode 100644 index 00000000000..6340f7453fb --- /dev/null +++ b/queue-5.15/dm-limit-the-number-of-targets-and-parameter-size-area.patch @@ -0,0 +1,73 @@ +From bd504bcfec41a503b32054da5472904b404341a4 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 9 Jan 2024 15:57:56 +0100 +Subject: dm: limit the number of targets and parameter size area + +From: Mikulas Patocka + +commit bd504bcfec41a503b32054da5472904b404341a4 upstream. + +The kvmalloc function fails with a warning if the size is larger than +INT_MAX. The warning was triggered by a syscall testing robot. + +In order to avoid the warning, this commit limits the number of targets to +1048576 and the size of the parameter area to 1073741824. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: He Gao +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-core.h | 2 ++ + drivers/md/dm-ioctl.c | 3 ++- + drivers/md/dm-table.c | 9 +++++++-- + 3 files changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-core.h ++++ b/drivers/md/dm-core.h +@@ -21,6 +21,8 @@ + #include "dm-ima.h" + + #define DM_RESERVED_MAX_IOS 1024 ++#define DM_MAX_TARGETS 1048576 ++#define DM_MAX_TARGET_PARAMS 1024 + + struct dm_kobject_holder { + struct kobject kobj; +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -1859,7 +1859,8 @@ static int copy_params(struct dm_ioctl _ + if (copy_from_user(param_kernel, user, minimum_data_size)) + return -EFAULT; + +- if (param_kernel->data_size < minimum_data_size) ++ if (unlikely(param_kernel->data_size < minimum_data_size) || ++ unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS)) + return -EINVAL; + + secure_data = param_kernel->flags & DM_SECURE_DATA_FLAG; +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -126,7 +126,12 @@ static int alloc_targets(struct dm_table + int dm_table_create(struct dm_table **result, fmode_t mode, + unsigned num_targets, struct mapped_device *md) + { +- struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL); ++ struct dm_table *t; ++ ++ if (num_targets > DM_MAX_TARGETS) ++ return -EOVERFLOW; ++ ++ t = kzalloc(sizeof(*t), GFP_KERNEL); + + if (!t) + return -ENOMEM; +@@ -140,7 +145,7 @@ int dm_table_create(struct dm_table **re + + if (!num_targets) { + kfree(t); +- return -ENOMEM; ++ return -EOVERFLOW; + } + + if (alloc_targets(t, num_targets)) { diff --git a/queue-5.15/nilfs2-fix-potential-bug-in-end_buffer_async_write.patch b/queue-5.15/nilfs2-fix-potential-bug-in-end_buffer_async_write.patch new file mode 100644 index 00000000000..084cdb505f7 --- /dev/null +++ b/queue-5.15/nilfs2-fix-potential-bug-in-end_buffer_async_write.patch @@ -0,0 +1,99 @@ +From 5bc09b397cbf1221f8a8aacb1152650c9195b02b Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sun, 4 Feb 2024 01:16:45 +0900 +Subject: nilfs2: fix potential bug in end_buffer_async_write + +From: Ryusuke Konishi + +commit 5bc09b397cbf1221f8a8aacb1152650c9195b02b upstream. + +According to a syzbot report, end_buffer_async_write(), which handles the +completion of block device writes, may detect abnormal condition of the +buffer async_write flag and cause a BUG_ON failure when using nilfs2. + +Nilfs2 itself does not use end_buffer_async_write(). But, the async_write +flag is now used as a marker by commit 7f42ec394156 ("nilfs2: fix issue +with race condition of competition between segments for dirty blocks") as +a means of resolving double list insertion of dirty blocks in +nilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the +resulting crash. + +This modification is safe as long as it is used for file data and b-tree +node blocks where the page caches are independent. However, it was +irrelevant and redundant to also introduce async_write for segment summary +and super root blocks that share buffers with the backing device. This +led to the possibility that the BUG_ON check in end_buffer_async_write +would fail as described above, if independent writebacks of the backing +device occurred in parallel. + +The use of async_write for segment summary buffers has already been +removed in a previous change. + +Fix this issue by removing the manipulation of the async_write flag for +the remaining super root block buffer. + +Link: https://lkml.kernel.org/r/20240203161645.4992-1-konishi.ryusuke@gmail.com +Fixes: 7f42ec394156 ("nilfs2: fix issue with race condition of competition between segments for dirty blocks") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+5c04210f7c7f897c1e7f@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/00000000000019a97c05fd42f8c8@google.com +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/segment.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -1702,7 +1702,6 @@ static void nilfs_segctor_prepare_write( + + list_for_each_entry(bh, &segbuf->sb_payload_buffers, + b_assoc_buffers) { +- set_buffer_async_write(bh); + if (bh == segbuf->sb_super_root) { + if (bh->b_page != bd_page) { + lock_page(bd_page); +@@ -1713,6 +1712,7 @@ static void nilfs_segctor_prepare_write( + } + break; + } ++ set_buffer_async_write(bh); + if (bh->b_page != fs_page) { + nilfs_begin_page_io(fs_page); + fs_page = bh->b_page; +@@ -1798,7 +1798,6 @@ static void nilfs_abort_logs(struct list + + list_for_each_entry(bh, &segbuf->sb_payload_buffers, + b_assoc_buffers) { +- clear_buffer_async_write(bh); + if (bh == segbuf->sb_super_root) { + clear_buffer_uptodate(bh); + if (bh->b_page != bd_page) { +@@ -1807,6 +1806,7 @@ static void nilfs_abort_logs(struct list + } + break; + } ++ clear_buffer_async_write(bh); + if (bh->b_page != fs_page) { + nilfs_end_page_io(fs_page, err); + fs_page = bh->b_page; +@@ -1894,8 +1894,9 @@ static void nilfs_segctor_complete_write + BIT(BH_Delay) | BIT(BH_NILFS_Volatile) | + BIT(BH_NILFS_Redirected)); + +- set_mask_bits(&bh->b_state, clear_bits, set_bits); + if (bh == segbuf->sb_super_root) { ++ set_buffer_uptodate(bh); ++ clear_buffer_dirty(bh); + if (bh->b_page != bd_page) { + end_page_writeback(bd_page); + bd_page = bh->b_page; +@@ -1903,6 +1904,7 @@ static void nilfs_segctor_complete_write + update_sr = true; + break; + } ++ set_mask_bits(&bh->b_state, clear_bits, set_bits); + if (bh->b_page != fs_page) { + nilfs_end_page_io(fs_page, 0); + fs_page = bh->b_page; diff --git a/queue-5.15/nilfs2-replace-warn_ons-for-invalid-dat-metadata-block-requests.patch b/queue-5.15/nilfs2-replace-warn_ons-for-invalid-dat-metadata-block-requests.patch new file mode 100644 index 00000000000..90404dc64c9 --- /dev/null +++ b/queue-5.15/nilfs2-replace-warn_ons-for-invalid-dat-metadata-block-requests.patch @@ -0,0 +1,82 @@ +From 5124a0a549857c4b87173280e192eea24dea72ad Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 27 Jan 2023 01:41:14 +0900 +Subject: nilfs2: replace WARN_ONs for invalid DAT metadata block requests + +From: Ryusuke Konishi + +commit 5124a0a549857c4b87173280e192eea24dea72ad upstream. + +If DAT metadata file block access fails due to corruption of the DAT file +or abnormal virtual block numbers held by b-trees or inodes, a kernel +warning is generated. + +This replaces the WARN_ONs by error output, so that a kernel, booted with +panic_on_warn, does not panic. This patch also replaces the detected +return code -ENOENT with another internal code -EINVAL to notify the bmap +layer of metadata corruption. When the bmap layer sees -EINVAL, it +handles the abnormal situation with nilfs_bmap_convert_error() and finally +returns code -EIO as it should. + +Link: https://lkml.kernel.org/r/0000000000005cc3d205ea23ddcf@google.com +Link: https://lkml.kernel.org/r/20230126164114.6911-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: +Tested-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/dat.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +--- a/fs/nilfs2/dat.c ++++ b/fs/nilfs2/dat.c +@@ -40,8 +40,21 @@ static inline struct nilfs_dat_info *NIL + static int nilfs_dat_prepare_entry(struct inode *dat, + struct nilfs_palloc_req *req, int create) + { +- return nilfs_palloc_get_entry_block(dat, req->pr_entry_nr, +- create, &req->pr_entry_bh); ++ int ret; ++ ++ ret = nilfs_palloc_get_entry_block(dat, req->pr_entry_nr, ++ create, &req->pr_entry_bh); ++ if (unlikely(ret == -ENOENT)) { ++ nilfs_err(dat->i_sb, ++ "DAT doesn't have a block to manage vblocknr = %llu", ++ (unsigned long long)req->pr_entry_nr); ++ /* ++ * Return internal code -EINVAL to notify bmap layer of ++ * metadata corruption. ++ */ ++ ret = -EINVAL; ++ } ++ return ret; + } + + static void nilfs_dat_commit_entry(struct inode *dat, +@@ -123,11 +136,7 @@ static void nilfs_dat_commit_free(struct + + int nilfs_dat_prepare_start(struct inode *dat, struct nilfs_palloc_req *req) + { +- int ret; +- +- ret = nilfs_dat_prepare_entry(dat, req, 0); +- WARN_ON(ret == -ENOENT); +- return ret; ++ return nilfs_dat_prepare_entry(dat, req, 0); + } + + void nilfs_dat_commit_start(struct inode *dat, struct nilfs_palloc_req *req, +@@ -154,10 +163,8 @@ int nilfs_dat_prepare_end(struct inode * + int ret; + + ret = nilfs_dat_prepare_entry(dat, req, 0); +- if (ret < 0) { +- WARN_ON(ret == -ENOENT); ++ if (ret < 0) + return ret; +- } + + kaddr = kmap_atomic(req->pr_entry_bh->b_page); + entry = nilfs_palloc_block_get_entry(dat, req->pr_entry_nr, diff --git a/queue-5.15/sched-membarrier-reduce-the-ability-to-hammer-on-sys_membarrier.patch b/queue-5.15/sched-membarrier-reduce-the-ability-to-hammer-on-sys_membarrier.patch new file mode 100644 index 00000000000..413397b409b --- /dev/null +++ b/queue-5.15/sched-membarrier-reduce-the-ability-to-hammer-on-sys_membarrier.patch @@ -0,0 +1,86 @@ +From 944d5fe50f3f03daacfea16300e656a1691c4a23 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Sun, 4 Feb 2024 15:25:12 +0000 +Subject: sched/membarrier: reduce the ability to hammer on sys_membarrier + +From: Linus Torvalds + +commit 944d5fe50f3f03daacfea16300e656a1691c4a23 upstream. + +On some systems, sys_membarrier can be very expensive, causing overall +slowdowns for everything. So put a lock on the path in order to +serialize the accesses to prevent the ability for this to be called at +too high of a frequency and saturate the machine. + +Reviewed-and-tested-by: Mathieu Desnoyers +Acked-by: Borislav Petkov +Fixes: 22e4ebb97582 ("membarrier: Provide expedited private command") +Fixes: c5f58bd58f43 ("membarrier: Provide GLOBAL_EXPEDITED command") +Signed-off-by: Linus Torvalds +[ converted to explicit mutex_*() calls - cleanup.h is not in this stable + branch - gregkh ] +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/membarrier.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/kernel/sched/membarrier.c ++++ b/kernel/sched/membarrier.c +@@ -162,6 +162,8 @@ + | MEMBARRIER_PRIVATE_EXPEDITED_SYNC_CORE_BITMASK \ + | MEMBARRIER_PRIVATE_EXPEDITED_RSEQ_BITMASK) + ++static DEFINE_MUTEX(membarrier_ipi_mutex); ++ + static void ipi_mb(void *info) + { + smp_mb(); /* IPIs should be serializing but paranoid. */ +@@ -259,6 +261,7 @@ static int membarrier_global_expedited(v + if (!zalloc_cpumask_var(&tmpmask, GFP_KERNEL)) + return -ENOMEM; + ++ mutex_lock(&membarrier_ipi_mutex); + cpus_read_lock(); + rcu_read_lock(); + for_each_online_cpu(cpu) { +@@ -304,6 +307,8 @@ static int membarrier_global_expedited(v + * rq->curr modification in scheduler. + */ + smp_mb(); /* exit from system call is not a mb */ ++ mutex_unlock(&membarrier_ipi_mutex); ++ + return 0; + } + +@@ -347,6 +352,7 @@ static int membarrier_private_expedited( + if (cpu_id < 0 && !zalloc_cpumask_var(&tmpmask, GFP_KERNEL)) + return -ENOMEM; + ++ mutex_lock(&membarrier_ipi_mutex); + cpus_read_lock(); + + if (cpu_id >= 0) { +@@ -419,6 +425,7 @@ out: + * rq->curr modification in scheduler. + */ + smp_mb(); /* exit from system call is not a mb */ ++ mutex_unlock(&membarrier_ipi_mutex); + + return 0; + } +@@ -460,6 +467,7 @@ static int sync_runqueues_membarrier_sta + * between threads which are users of @mm has its membarrier state + * updated. + */ ++ mutex_lock(&membarrier_ipi_mutex); + cpus_read_lock(); + rcu_read_lock(); + for_each_online_cpu(cpu) { +@@ -476,6 +484,7 @@ static int sync_runqueues_membarrier_sta + + free_cpumask_var(tmpmask); + cpus_read_unlock(); ++ mutex_unlock(&membarrier_ipi_mutex); + + return 0; + } diff --git a/queue-5.15/series b/queue-5.15/series index ea12b920ec3..46ace0fa816 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -461,3 +461,7 @@ netfilter-ipset-fix-performance-regression-in-swap-operation.patch hrtimer-ignore-slack-time-for-rt-tasks-in-schedule_hrtimeout_range.patch net-prevent-mss-overflow-in-skb_segment.patch netfilter-ipset-missing-gc-cancellations-fixed.patch +sched-membarrier-reduce-the-ability-to-hammer-on-sys_membarrier.patch +nilfs2-fix-potential-bug-in-end_buffer_async_write.patch +nilfs2-replace-warn_ons-for-invalid-dat-metadata-block-requests.patch +dm-limit-the-number-of-targets-and-parameter-size-area.patch