From: Greg Kroah-Hartman Date: Mon, 23 Dec 2024 12:26:08 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.1.122~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8f16cdbf0796fa2890d5d76a874f528c71e16f74;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: ceph-validate-snapdirname-option-length-when-mounting.patch nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch nilfs2-prevent-use-of-deleted-inode.patch of-fix-error-path-in-of_parse_phandle_with_args_map.patch of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch udmabuf-also-check-for-f_seal_future_write.patch
---
diff --git a/queue-5.15/ceph-validate-snapdirname-option-length-when-mounting.patch b/queue-5.15/ceph-validate-snapdirname-option-length-when-mounting.patch
new file mode 100644
index 00000000000..9e063a8f76e
--- /dev/null
+++ b/queue-5.15/ceph-validate-snapdirname-option-length-when-mounting.patch
@@ -0,0 +1,33 @@
+From 12eb22a5a609421b380c3c6ca887474fb2089b2c Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Wed, 20 Nov 2024 16:43:51 +0100
+Subject: ceph: validate snapdirname option length when mounting
+
+From: Ilya Dryomov
+
+commit 12eb22a5a609421b380c3c6ca887474fb2089b2c upstream.
+
+It becomes a path component, so it shouldn't exceed NAME_MAX
+characters. This was hardened in commit c152737be22b ("ceph: Use
+strscpy() instead of strcpy() in __get_snap_name()"), but no actual
+check was put in place.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilya Dryomov
+Reviewed-by: Alex Markuze
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ceph/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -301,6 +301,8 @@ static int ceph_parse_mount_param(struct
+
+ switch (token) {
+ case Opt_snapdirname:
++ if (strlen(param->string) > NAME_MAX)
++ return invalfc(fc, "snapdirname too long");
+ kfree(fsopt->snapdir_name);
+ fsopt->snapdir_name = param->string;
+ param->string = NULL;
diff --git a/queue-5.15/nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch b/queue-5.15/nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch
new file mode 100644
index 00000000000..d301b5f7516
--- /dev/null
+++ b/queue-5.15/nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch
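Review bot: The new `strlen(param->string) > NAME_MAX` guard in ceph_parse_mount_param() gives no hint of why NAME_MAX is the right bound; a one-line comment would tie it to the later use, e.g. `/* snapdir_name becomes a path component, so bound it like any d_name */`. Note that strlen() counts bytes, which is what NAME_MAX measures, even though the description says "characters". Placing the check before the kfree() keeps the previous snapdir_name intact when the new one is rejected, which is the right order. The enclosing switch and function continue outside the hunk.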
@@ -0,0 +1,35 @@
+From 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Mon, 16 Dec 2024 19:28:06 -0500
+Subject: NFS/pnfs: Fix a live lock between recalled layouts and layoutget
+
+From: Trond Myklebust
+
+commit 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b upstream.
+
+When the server is recalling a layout, we should ignore the count of
+outstanding layoutget calls, since the server is expected to return
+either NFS4ERR_RECALLCONFLICT or NFS4ERR_RETURNCONFLICT for as long as
+the recall is outstanding.
+Currently, we may end up livelocking, causing the layout to eventually
+be forcibly revoked.
+
+Fixes: bf0291dd2267 ("pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised")
+Cc: stable@vger.kernel.org
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/pnfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1193,7 +1193,7 @@ pnfs_prepare_layoutreturn(struct pnfs_la
+ enum pnfs_iomode *iomode)
+ {
+ /* Serialise LAYOUTGET/LAYOUTRETURN */
+- if (atomic_read(&lo->plh_outstanding) != 0)
++ if (atomic_read(&lo->plh_outstanding) != 0 && lo->plh_return_seq == 0)
+ return false;
+ if (test_and_set_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags))
+ return false;
diff --git a/queue-5.15/nilfs2-prevent-use-of-deleted-inode.patch b/queue-5.15/nilfs2-prevent-use-of-deleted-inode.patch
new file mode 100644
index 00000000000..5b64b2dc437
--- /dev/null
+++ b/queue-5.15/nilfs2-prevent-use-of-deleted-inode.patch
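Review bot: The comment `/* Serialise LAYOUTGET/LAYOUTRETURN */` above the changed condition in pnfs_prepare_layoutreturn() no longer describes it, since outstanding layoutgets are now ignored whenever `lo->plh_return_seq` is non-zero. Suggest `/* Serialise LAYOUTGET/LAYOUTRETURN, unless a recall is in progress (plh_return_seq != 0): the server rejects layoutgets until the return completes */`. That plh_return_seq != 0 means "a recall is outstanding" comes from the commit message rather than from the hunk, so the wording should be checked against where plh_return_seq is set. The function continues outside the hunk.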
@@ -0,0 +1,84 @@
+From 901ce9705fbb9f330ff1f19600e5daf9770b0175 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis
+Date: Mon, 9 Dec 2024 15:56:52 +0900
+Subject: nilfs2: prevent use of deleted inode
+
+From: Edward Adam Davis
+
+commit 901ce9705fbb9f330ff1f19600e5daf9770b0175 upstream.
+
+syzbot reported a WARNING in nilfs_rmdir. [1]
+
+Because the inode bitmap is corrupted, an inode with an inode number that
+should exist as a ".nilfs" file was reassigned by nilfs_mkdir for "file0",
+causing an inode duplication during execution. And this causes an
+underflow of i_nlink in rmdir operations.
+
+The inode is used twice by the same task to unmount and remove directories
+".nilfs" and "file0", it trigger warning in nilfs_rmdir.
+
+Avoid to this issue, check i_nlink in nilfs_iget(), if it is 0, it means
+that this inode has been deleted, and iput is executed to reclaim it.
+
+[1]
+WARNING: CPU: 1 PID: 5824 at fs/inode.c:407 drop_nlink+0xc4/0x110 fs/inode.c:407
+...
+Call Trace:
+
+ nilfs_rmdir+0x1b0/0x250 fs/nilfs2/namei.c:342
+ vfs_rmdir+0x3a3/0x510 fs/namei.c:4394
+ do_rmdir+0x3b5/0x580 fs/namei.c:4453
+ __do_sys_rmdir fs/namei.c:4472 [inline]
+ __se_sys_rmdir fs/namei.c:4470 [inline]
+ __x64_sys_rmdir+0x47/0x50 fs/namei.c:4470
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Link: https://lkml.kernel.org/r/20241209065759.6781-1-konishi.ryusuke@gmail.com
+Fixes: d25006523d0b ("nilfs2: pathname operations")
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9260555647a5132edd48
+Tested-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/inode.c | 8 +++++++-
+ fs/nilfs2/namei.c | 5 +++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -618,8 +618,14 @@ struct inode *nilfs_iget(struct super_bl
+ inode = nilfs_iget_locked(sb, root, ino);
+ if (unlikely(!inode))
+ return ERR_PTR(-ENOMEM);
+- if (!(inode->i_state & I_NEW))
++
++ if (!(inode->i_state & I_NEW)) {
++ if (!inode->i_nlink) {
++ iput(inode);
++ return ERR_PTR(-ESTALE);
++ }
+ return inode;
++ }
+
+ err = __nilfs_read_inode(sb, root, ino, inode);
+ if (unlikely(err)) {
+--- a/fs/nilfs2/namei.c
++++ b/fs/nilfs2/namei.c
+@@ -67,6 +67,11 @@ nilfs_lookup(struct inode *dir, struct d
+ inode = NULL;
+ } else {
+ inode = nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino);
++ if (inode == ERR_PTR(-ESTALE)) {
++ nilfs_error(dir->i_sb,
++ "deleted inode referenced: %lu", ino);
++ return ERR_PTR(-EIO);
++ }
+ }
+
+ return d_splice_alias(inode, dentry);
diff --git a/queue-5.15/of-fix-error-path-in-of_parse_phandle_with_args_map.patch b/queue-5.15/of-fix-error-path-in-of_parse_phandle_with_args_map.patch
new file mode 100644
index 00000000000..e740ef7a712
--- /dev/null
+++ b/queue-5.15/of-fix-error-path-in-of_parse_phandle_with_args_map.patch
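Review bot: The new i_nlink check in nilfs_iget() runs only on the already-cached path (`!(inode->i_state & I_NEW)`); an inode freshly read through `__nilfs_read_inode()` with i_nlink == 0 is still handed out unless that function rejects it, which is outside this hunk and worth confirming. Every caller of nilfs_iget() can now receive -ESTALE, but only nilfs_lookup() in the second hunk turns it into nilfs_error()/-EIO, so the new return value should be stated on nilfs_iget(), e.g. `/* Returns ERR_PTR(-ESTALE) if the cached inode has already been unlinked (i_nlink == 0). */`. Both enclosing functions extend beyond their hunks.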
@@ -0,0 +1,72 @@
+From d7dfa7fde63dde4d2ec0083133efe2c6686c03ff Mon Sep 17 00:00:00 2001
+From: Herve Codina
+Date: Mon, 2 Dec 2024 17:58:19 +0100
+Subject: of: Fix error path in of_parse_phandle_with_args_map()
+
+From: Herve Codina
+
+commit d7dfa7fde63dde4d2ec0083133efe2c6686c03ff upstream.
+
+The current code uses some 'goto put;' to cancel the parsing operation
+and can lead to a return code value of 0 even on error cases.
+
+Indeed, some goto calls are done from a loop without setting the ret
+value explicitly before the goto call and so the ret value can be set to
+0 due to operation done in previous loop iteration. For instance match
+can be set to 0 in the previous loop iteration (leading to a new
+iteration) but ret can also be set to 0 it the of_property_read_u32()
+call succeed. In that case if no match are found or if an error is
+detected the new iteration, the return value can be wrongly 0.
+
+Avoid those cases setting the ret value explicitly before the goto
+calls.
+
+Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node")
+Cc: stable@vger.kernel.org
+Signed-off-by: Herve Codina
+Link: https://lore.kernel.org/r/20241202165819.158681-1-herve.codina@bootlin.com
+Signed-off-by: Rob Herring (Arm)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/of/base.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -1620,8 +1620,10 @@ int of_parse_phandle_with_args_map(const
+ map_len--;
+
+ /* Check if not found */
+- if (!new)
++ if (!new) {
++ ret = -EINVAL;
+ goto put;
++ }
+
+ if (!of_device_is_available(new))
+ match = 0;
+@@ -1631,17 +1633,20 @@ int of_parse_phandle_with_args_map(const
+ goto put;
+
+ /* Check for malformed properties */
+- if (WARN_ON(new_size > MAX_PHANDLE_ARGS))
+- goto put;
+- if (map_len < new_size)
++ if (WARN_ON(new_size > MAX_PHANDLE_ARGS) ||
++ map_len < new_size) {
++ ret = -EINVAL;
+ goto put;
++ }
+
+ /* Move forward by new node's #-cells amount */
+ map += new_size;
+ map_len -= new_size;
+ }
+- if (!match)
++ if (!match) {
++ ret = -ENOENT;
+ goto put;
++ }
+
+ /* Get the -map-pass-thru property (optional) */
+ pass = of_get_property(cur, pass_name, NULL);
diff --git a/queue-5.15/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch b/queue-5.15/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch
new file mode 100644
index 00000000000..0c0fac90472
--- /dev/null
+++ b/queue-5.15/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch
@@ -0,0 +1,36 @@
+From 5d009e024056ded20c5bb1583146b833b23bbd5a Mon Sep 17 00:00:00 2001
+From: Zijun Hu
+Date: Fri, 6 Dec 2024 08:52:30 +0800
+Subject: of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
+
+From: Zijun Hu
+
+commit 5d009e024056ded20c5bb1583146b833b23bbd5a upstream.
+
+__of_get_dma_parent() returns OF device node @args.np, but the node's
+refcount is increased twice, by both of_parse_phandle_with_args() and
+of_node_get(), so causes refcount leakage for the node.
+
+Fix by directly returning the node got by of_parse_phandle_with_args().
+
+Fixes: f83a6e5dea6c ("of: address: Add support for the parent DMA bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu
+Link: https://lore.kernel.org/r/20241206-of_core_fix-v1-4-dc28ed56bec3@quicinc.com
+Signed-off-by: Rob Herring (Arm)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/of/address.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -594,7 +594,7 @@ static struct device_node *__of_get_dma_
+ if (ret < 0)
+ return of_get_parent(np);
+
+- return of_node_get(args.np);
++ return args.np;
+ }
+
+ static struct device_node *of_get_next_dma_parent(struct device_node *np)
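Review bot: With the three `goto put` sites now setting `ret` explicitly (-EINVAL for a missing or malformed map entry, -ENOENT when no entry matched), the distinct codes have become part of of_parse_phandle_with_args_map()'s contract but are only discoverable by reading the loop; the function's kernel-doc, outside the hunk, should list them in its Return: section. The `!of_device_is_available(new)` branch still only sets `match = 0`, and what follows it is cut off by the hunk boundary, so whether that path also reaches `put:` with a meaningful `ret` cannot be judged here. The loop and the function continue outside both hunks.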
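Review bot: Returning `args.np` directly hands the caller the single reference taken by of_parse_phandle_with_args(), which lines up with the `of_get_parent(np)` branch above it (also a referenced node), but nothing at the return says so and the next reader may be tempted to re-add the of_node_get(). Suggest `/* args.np already holds the reference taken by of_parse_phandle_with_args(); the caller must of_node_put() it */`. That the `of_get_parent()` branch also returns a referenced node is not visible in the hunk itself. __of_get_dma_parent() starts outside the hunk.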
diff --git a/queue-5.15/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch b/queue-5.15/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch
new file mode 100644
index 00000000000..079228592a9
--- /dev/null
+++ b/queue-5.15/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch
@@ -0,0 +1,47 @@
+From 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e Mon Sep 17 00:00:00 2001
+From: Zijun Hu
+Date: Mon, 9 Dec 2024 21:25:02 +0800
+Subject: of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
+
+From: Zijun Hu
+
+commit 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e upstream.
+
+of_irq_parse_one() may use uninitialized variable @addr_len as shown below:
+
+// @addr_len is uninitialized
+int addr_len;
+
+// This operation does not touch @addr_len if it fails.
+addr = of_get_property(device, "reg", &addr_len);
+
+// Use uninitialized @addr_len if the operation fails.
+if (addr_len > sizeof(addr_buf))
+ addr_len = sizeof(addr_buf);
+
+// Check the operation result here.
+if (addr)
+ memcpy(addr_buf, addr, addr_len);
+
+Fix by initializing @addr_len before the operation.
+
+Fixes: b739dffa5d57 ("of/irq: Prevent device address out-of-bounds read in interrupt map walk")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu
+Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-4-782f1419c8a1@quicinc.com
+Signed-off-by: Rob Herring (Arm)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/of/irq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -298,6 +298,7 @@ int of_irq_parse_one(struct device_node
+ return of_irq_parse_oldworld(device, index, out_irq);
+
+ /* Get the reg property (if any) */
++ addr_len = 0;
+ addr = of_get_property(device, "reg", &addr_len);
+
+ /* Prevent out-of-bounds read in case of longer interrupt parent address size */
diff --git a/queue-5.15/series b/queue-5.15/series
index 4d185080f0c..3ab401f7675 100644
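Review bot: The added `addr_len = 0;` in of_irq_parse_one() is correct but says nothing about why it is there, so a later cleanup could drop it as a redundant store; a short comment would pin it, e.g. `/* of_get_property() leaves *lenp untouched on failure; the clamp below needs a defined length */`. Initialising at the declaration (`int addr_len = 0;`) would express the same thing, but the declaration is outside the hunk. The clamp against sizeof(addr_buf) described in the commit message is also not in the hunk, so the comment wording should be checked against it. of_irq_parse_one() continues beyond the hunk.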
--- a/queue-5.15/series +++ b/queue-5.15/series @@ -45,3 +45,10 @@ kvm-x86-play-nice-with-protected-guests-in-complete_hypercall_exit.patch tracing-fix-test_event_printk-to-process-entire-print-argument.patch tracing-add-missing-helper-functions-in-event-pointer-dereference-check.patch tracing-add-s-check-in-test_event_printk.patch +nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch +of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch +nilfs2-prevent-use-of-deleted-inode.patch +udmabuf-also-check-for-f_seal_future_write.patch +of-fix-error-path-in-of_parse_phandle_with_args_map.patch +of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch +ceph-validate-snapdirname-option-length-when-mounting.patch diff --git a/queue-5.15/tracing-add-s-check-in-test_event_printk.patch b/queue-5.15/tracing-add-s-check-in-test_event_printk.patch index 9d0199576a3..337af2300c4 100644 --- a/queue-5.15/tracing-add-s-check-in-test_event_printk.patch +++ b/queue-5.15/tracing-add-s-check-in-test_event_printk.patch @@ -39,8 +39,8 @@ Fixes: 5013f454a352c ("tracing: Add check of trace event print fmts for derefere Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman --- - kernel/trace/trace_events.c | 104 +++++++++++++++++++++++++++++++++++++------- - 1 file changed, 89 insertions(+), 15 deletions(-) + kernel/trace/trace_events.c | 106 +++++++++++++++++++++++++++++++++++++------- + 1 file changed, 91 insertions(+), 15 deletions(-) --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -99,7 +99,7 @@ Signed-off-by: Greg Kroah-Hartman } /* Look for a string within an argument */ -@@ -300,6 +312,53 @@ static bool process_pointer(const char * +@@ -300,6 +312,55 @@ static bool process_pointer(const char * return false; } @@ -118,10 +118,12 @@ 
Signed-off-by: Greg Kroah-Hartman + */ + s = fmt; + do { ++ int i; ++ + r = strstr(s, "("); + if (!r || r >= e) + break; -+ for (int i = 1; r - i >= s; i++) { ++ for (i = 1; r - i >= s; i++) { + char ch = *(r - i); + if (isspace(ch)) + continue; @@ -153,7 +155,7 @@ Signed-off-by: Greg Kroah-Hartman /* * Examine the print fmt of the event looking for unsafe dereference * pointers using %p* that could be recorded in the trace event and -@@ -309,6 +368,7 @@ static bool process_pointer(const char * +@@ -309,6 +370,7 @@ static bool process_pointer(const char * static void test_event_printk(struct trace_event_call *call) { u64 dereference_flags = 0; @@ -161,7 +163,7 @@ Signed-off-by: Greg Kroah-Hartman bool first = true; const char *fmt; int parens = 0; -@@ -399,8 +459,16 @@ static void test_event_printk(struct tra +@@ -399,8 +461,16 @@ static void test_event_printk(struct tra star = true; continue; } @@ -180,7 +182,7 @@ Signed-off-by: Greg Kroah-Hartman break; } break; -@@ -447,7 +515,10 @@ static void test_event_printk(struct tra +@@ -447,7 +517,10 @@ static void test_event_printk(struct tra } if (dereference_flags & (1ULL << arg)) { @@ -192,7 +194,7 @@ Signed-off-by: Greg Kroah-Hartman dereference_flags &= ~(1ULL << arg); } -@@ -459,7 +530,10 @@ static void test_event_printk(struct tra +@@ -459,7 +532,10 @@ static void test_event_printk(struct tra } if (dereference_flags & (1ULL << arg)) { diff --git a/queue-5.15/udmabuf-also-check-for-f_seal_future_write.patch b/queue-5.15/udmabuf-also-check-for-f_seal_future_write.patch new file mode 100644 index 00000000000..3aab38dd6d7 --- /dev/null +++ b/queue-5.15/udmabuf-also-check-for-f_seal_future_write.patch 
@@ -0,0 +1,36 @@
+From 0a16e24e34f28210f68195259456c73462518597 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 4 Dec 2024 17:26:20 +0100
+Subject: udmabuf: also check for F_SEAL_FUTURE_WRITE
+
+From: Jann Horn
+
+commit 0a16e24e34f28210f68195259456c73462518597 upstream.
+
+When F_SEAL_FUTURE_WRITE was introduced, it was overlooked that udmabuf
+must reject memfds with this flag, just like ones with F_SEAL_WRITE.
+Fix it by adding F_SEAL_FUTURE_WRITE to SEALS_DENIED.
+
+Fixes: ab3948f58ff8 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd")
+Cc: stable@vger.kernel.org
+Acked-by: Vivek Kasireddy
+Signed-off-by: Jann Horn
+Reviewed-by: Joel Fernandes (Google)
+Signed-off-by: Vivek Kasireddy
+Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-2-23887289de1c@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma-buf/udmabuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -164,7 +164,7 @@ static const struct dma_buf_ops udmabuf_
+ };
+
+ #define SEALS_WANTED (F_SEAL_SHRINK)
+-#define SEALS_DENIED (F_SEAL_WRITE)
++#define SEALS_DENIED (F_SEAL_WRITE|F_SEAL_FUTURE_WRITE)
+
+ static long udmabuf_create(struct miscdevice *device,
+ struct udmabuf_create_list *head,
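Review bot: `(F_SEAL_WRITE|F_SEAL_FUTURE_WRITE)` drops the spaces around the binary operator that kernel style expects; `#define SEALS_DENIED (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)`. A comment on the macro would also make the intent explicit and make a further seal harder to overlook again, e.g. `/* udmabuf must reject any write-sealed memfd, whether sealed now or for the future */`; the reason udmabuf cannot accept write-sealed memfds is not visible in the hunk, so keep the wording to what the commit message states. How SEALS_DENIED is applied is in udmabuf_create(), which starts on the hunk's last lines and continues outside it.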