From: Greg Kroah-Hartman Date: Mon, 13 Sep 2021 09:44:55 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.146~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8620e1ce99692237cdc1ca079da008515c8fd538;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: bio-fix-page-leak-bio_add_hw_page-failure.patch io_uring-ioring_op_write-needs-hash_reg_file-set.patch time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch
---
diff --git a/queue-5.10/bio-fix-page-leak-bio_add_hw_page-failure.patch b/queue-5.10/bio-fix-page-leak-bio_add_hw_page-failure.patch
new file mode 100644
index 00000000000..9efaa945fe6
--- /dev/null
+++ b/queue-5.10/bio-fix-page-leak-bio_add_hw_page-failure.patch
@@ -0,0 +1,62 @@
+From d9cf3bd531844ffbfe94b16e417037a16efc988d Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov
+Date: Mon, 19 Jul 2021 11:53:00 +0100
+Subject: bio: fix page leak bio_add_hw_page failure
+
+From: Pavel Begunkov
+
+commit d9cf3bd531844ffbfe94b16e417037a16efc988d upstream.
+
+__bio_iov_append_get_pages() doesn't put not appended pages on
+bio_add_hw_page() failure, so potentially leaking them, fix it. Also, do
+the same for __bio_iov_iter_get_pages(), even though it looks like it
+can't be triggered by userspace in this case.
+
+Fixes: 0512a75b98f8 ("block: Introduce REQ_OP_ZONE_APPEND")
+Cc: stable@vger.kernel.org # 5.8+
+Signed-off-by: Pavel Begunkov
+Link: https://lore.kernel.org/r/1edfa6a2ffd66d55e6345a477df5387d2c1415d0.1626653825.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/bio.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -978,6 +978,14 @@ static int __bio_iov_bvec_add_pages(stru
+ return 0;
+ }
+
++static void bio_put_pages(struct page **pages, size_t size, size_t off)
++{
++ size_t i, nr = DIV_ROUND_UP(size + (off & ~PAGE_MASK), PAGE_SIZE);
++
++ for (i = 0; i < nr; i++)
++ put_page(pages[i]);
++}
++
+ #define PAGE_PTRS_PER_BVEC (sizeof(struct bio_vec) / sizeof(struct page *))
+
+ /**
+@@ -1022,8 +1030,10 @@ static int __bio_iov_iter_get_pages(stru
+ if (same_page)
+ put_page(page);
+ } else {
+- if (WARN_ON_ONCE(bio_full(bio, len)))
+- return -EINVAL;
++ if (WARN_ON_ONCE(bio_full(bio, len))) {
++ bio_put_pages(pages + i, left, offset);
++ return -EINVAL;
++ }
+ __bio_add_page(bio, page, len, offset);
+ }
+ offset = 0;
+@@ -1068,6 +1078,7 @@ static int __bio_iov_append_get_pages(st
+ len = min_t(size_t, PAGE_SIZE - offset, left);
+ if (bio_add_hw_page(q, bio, page, len, offset,
+ max_append_sectors, &same_page) != len) {
++ bio_put_pages(pages + i, left, offset);
+ ret = -EINVAL;
+ break;
+ }
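Review bot: The new helper `bio_put_pages()` has no comment stating its contract, and both call sites depend on that contract being exact: `pages` must point at the first page that was not added to the bio, and `size`/`off` must describe only the bytes still outstanding (`left`, `offset`). A count that is too low leaves pinned pages behind, and one that is too high drops references the bio still owns, so it is worth spelling out above the function, e.g. `/* Drop the refs on the pages[] entries covering size bytes starting at off in the first page; callers pass only pages not yet added to the bio. */`. Both callers' loop bodies start outside the hunks, so whether `left` and `offset` are current for page `i` at the failure point should be confirmed against the full functions.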
diff --git a/queue-5.10/io_uring-ioring_op_write-needs-hash_reg_file-set.patch b/queue-5.10/io_uring-ioring_op_write-needs-hash_reg_file-set.patch
new file mode 100644
index 00000000000..ef93b0bb370
--- /dev/null
+++ b/queue-5.10/io_uring-ioring_op_write-needs-hash_reg_file-set.patch
@@ -0,0 +1,35 @@
+From 7b3188e7ed54102a5dcc73d07727f41fb528f7c8 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Mon, 30 Aug 2021 19:37:41 -0600
+Subject: io_uring: IORING_OP_WRITE needs hash_reg_file set
+
+From: Jens Axboe
+
+commit 7b3188e7ed54102a5dcc73d07727f41fb528f7c8 upstream.
+
+During some testing, it became evident that using IORING_OP_WRITE doesn't
+hash buffered writes like the other writes commands do. That's simply
+an oversight, and can cause performance regressions when doing buffered
+writes with this command.
+
+Correct that and add the flag, so that buffered writes are correctly
+hashed when using the non-iovec based write command.
+
+Cc: stable@vger.kernel.org
+Fixes: 3a6820f2bb8a ("io_uring: add non-vectored read/write commands")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/io_uring.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -889,6 +889,7 @@ static const struct io_op_def io_op_defs
+ },
+ [IORING_OP_WRITE] = {
+ .needs_file = 1,
++ .hash_reg_file = 1,
+ .unbound_nonreg_file = 1,
+ .pollout = 1,
+ .async_size = sizeof(struct io_async_rw),
diff --git a/queue-5.10/series b/queue-5.10/series
index 824beeade07..5534409430a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -215,3 +215,7 @@ ipv4-fix-endianness-issue-in-inet_rtm_getroute_build.patch
 asoc-rt5682-remove-unused-variable-in-rt5682_i2c_remove.patch
 iwlwifi-add-support-for-ax201-in-samsung-galaxy-book-flex2-alpha.patch
 f2fs-guarantee-to-write-dirty-data-when-enabling-checkpoint-back.patch
+time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch
+io_uring-ioring_op_write-needs-hash_reg_file-set.patch
+bio-fix-page-leak-bio_add_hw_page-failure.patch
+tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch
diff --git a/queue-5.10/time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch b/queue-5.10/time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch
new file mode 100644
index 00000000000..72f5b06819e
--- /dev/null
+++ b/queue-5.10/time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch
@@ -0,0 +1,61 @@
+From 39ff83f2f6cc5cc1458dfcea9697f96338210beb Mon Sep 17 00:00:00 2001
+From: Lukas Hannen
+Date: Wed, 25 Aug 2021 10:12:43 +0000
+Subject: time: Handle negative seconds correctly in timespec64_to_ns()
+
+From: Lukas Hannen
+
+commit 39ff83f2f6cc5cc1458dfcea9697f96338210beb upstream.
+
+timespec64_ns() prevents multiplication overflows by comparing the seconds
+value of the timespec to KTIME_SEC_MAX. If the value is greater or equal it
+returns KTIME_MAX.
+
+But that check casts the signed seconds value to unsigned which makes the
+comparision true for all negative values and therefore return wrongly
+KTIME_MAX.
+
+Negative second values are perfectly valid and required in some places,
+e.g. ptp_clock_adjtime().
+
+Remove the cast and add a check for the negative boundary which is required
+to prevent undefined behaviour due to multiplication underflow.
+
+Fixes: cb47755725da ("time: Prevent undefined behaviour in timespec64_to_ns()")'
+Signed-off-by: Lukas Hannen
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/AM6PR01MB541637BD6F336B8FFB72AF80EEC69@AM6PR01MB5416.eurprd01.prod.exchangelabs.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/time64.h | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/linux/time64.h
++++ b/include/linux/time64.h
+@@ -25,7 +25,9 @@ struct itimerspec64 {
+ #define TIME64_MIN (-TIME64_MAX - 1)
+
+ #define KTIME_MAX ((s64)~((u64)1 << 63))
++#define KTIME_MIN (-KTIME_MAX - 1)
+ #define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)
++#define KTIME_SEC_MIN (KTIME_MIN / NSEC_PER_SEC)
+
+ /*
+ * Limits for settimeofday():
+@@ -124,10 +126,13 @@ static inline bool timespec64_valid_sett
+ */
+ static inline s64 timespec64_to_ns(const struct timespec64 *ts)
+ {
+- /* Prevent multiplication overflow */
+- if ((unsigned long long)ts->tv_sec >= KTIME_SEC_MAX)
++ /* Prevent multiplication overflow / underflow */
++ if (ts->tv_sec >= KTIME_SEC_MAX)
+ return KTIME_MAX;
+
++ if (ts->tv_sec <= KTIME_SEC_MIN)
++ return KTIME_MIN;
++
+ return ((s64) ts->tv_sec * NSEC_PER_SEC) + ts->tv_nsec;
+ }
+
diff --git a/queue-5.10/tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch b/queue-5.10/tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch
new file mode 100644
index 00000000000..8c6663c69d6
--- /dev/null
+++ b/queue-5.10/tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch
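Review bot: In `timespec64_to_ns()` (the time64.h patch) the two range checks bound only `tv_sec`; the final `+ ts->tv_nsec` is still unchecked, so the result is overflow-free only when `tv_nsec` is normalized. With `tv_sec` strictly between `KTIME_SEC_MIN` and `KTIME_SEC_MAX` the product leaves at least one second of headroom toward each limit, which covers 0 <= tv_nsec < NSEC_PER_SEC but not an arbitrary caller-supplied value. The function's kernel-doc starts outside the hunk, so if it does not already state this, the in-body comment could read `/* Prevent multiplication overflow / underflow; tv_nsec is assumed normalized (0 <= tv_nsec < NSEC_PER_SEC) */`.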
@@ -0,0 +1,59 @@
+From bb2853a6a421a052268eee00fd5d3f6b3504b2b1 Mon Sep 17 00:00:00 2001
+From: Nguyen Dinh Phi
+Date: Mon, 23 Aug 2021 08:06:41 +0800
+Subject: tty: Fix data race between tiocsti() and flush_to_ldisc()
+
+From: Nguyen Dinh Phi
+
+commit bb2853a6a421a052268eee00fd5d3f6b3504b2b1 upstream.
+
+The ops->receive_buf() may be accessed concurrently from these two
+functions. If the driver flushes data to the line discipline
+receive_buf() method while tiocsti() is waiting for the
+ops->receive_buf() to finish its work, the data race will happen.
+
+For example:
+tty_ioctl |tty_ldisc_receive_buf
+ ->tioctsi | ->tty_port_default_receive_buf
+ | ->tty_ldisc_receive_buf
+ ->hci_uart_tty_receive | ->hci_uart_tty_receive
+ ->h4_recv | ->h4_recv
+
+In this case, the h4 receive buffer will be overwritten by the
+latecomer, and we will lost the data.
+
+Hence, change tioctsi() function to use the exclusive lock interface
+from tty_buffer to avoid the data race.
+
+Reported-by: syzbot+97388eb9d31b997fe1d0@syzkaller.appspotmail.com
+Reviewed-by: Jiri Slaby
+Signed-off-by: Nguyen Dinh Phi
+Link: https://lore.kernel.org/r/20210823000641.2082292-1-phind.uet@gmail.com
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/tty_io.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2257,8 +2257,6 @@ static int tty_fasync(int fd, struct fil
+ * Locking:
+ * Called functions take tty_ldiscs_lock
+ * current->signal->tty check is safe without locks
+- *
+- * FIXME: may race normal receive processing
+ */
+
+ static int tiocsti(struct tty_struct *tty, char __user *p)
+@@ -2274,8 +2272,10 @@ static int tiocsti(struct tty_struct *tt
+ ld = tty_ldisc_ref_wait(tty);
+ if (!ld)
+ return -EIO;
++ tty_buffer_lock_exclusive(tty->port);
+ if (ld->ops->receive_buf)
+ ld->ops->receive_buf(tty, &ch, &mbz, 1);
++ tty_buffer_unlock_exclusive(tty->port);
+ tty_ldisc_deref(ld);
+ return 0;
+ }
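Review bot: The `Locking:` block above `tiocsti()` loses its FIXME but gains no mention of the lock the function now takes, so the comment no longer describes the function's locking in full. Suggest adding a line such as ` * Takes the tty buffer exclusive lock on tty->port around ->receive_buf()`, so that anyone changing the flush_to_ldisc() side can see that the two paths are serialized by that lock. The body of `tiocsti()` starts outside the second hunk; in the visible lines the lock is acquired after `tty_ldisc_ref_wait()` and released before `tty_ldisc_deref()`, and that nesting order is worth recording in the same comment.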