From: Greg Kroah-Hartman Date: Mon, 28 Oct 2024 00:35:34 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.15.170~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8fd813632da26fed3d9d77829180b543adf5bf57;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: acpi-button-add-dmi-quirk-for-samsung-galaxy-book2-to-fix-initial-lid-detection-issue.patch acpi-resource-add-lg-16t90sp-to-irq1_level_low_skip_override.patch alsa-hda-realtek-add-subwoofer-quirk-for-acer-predator-g9-593.patch btrfs-zoned-fix-zone-unusable-accounting-for-freed-reserved-extent.patch drm-amd-guard-against-bad-data-for-atif-acpi-method.patch hv_netvsc-fix-vf-namespace-also-in-synthetic-nic-netdev_register-event.patch kvm-nsvm-ignore-ncr3-when-loading-pdptes-from-memory.patch nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag.patch openat2-explicitly-return-e2big-for-usize-page_size.patch xfrm-fix-one-more-kernel-infoleak-in-algo-dumping.patch --- diff --git a/queue-5.15/acpi-button-add-dmi-quirk-for-samsung-galaxy-book2-to-fix-initial-lid-detection-issue.patch b/queue-5.15/acpi-button-add-dmi-quirk-for-samsung-galaxy-book2-to-fix-initial-lid-detection-issue.patch new file mode 100644 index 00000000000..76d54e63f49 --- /dev/null +++ b/queue-5.15/acpi-button-add-dmi-quirk-for-samsung-galaxy-book2-to-fix-initial-lid-detection-issue.patch 
@@ -0,0 +1,50 @@ +From 8fa73ee44daefc884c53a25158c25a4107eb5a94 Mon Sep 17 00:00:00 2001 +From: Shubham Panwar +Date: Sun, 20 Oct 2024 15:20:46 +0530 +Subject: ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue + +From: Shubham Panwar + +commit 8fa73ee44daefc884c53a25158c25a4107eb5a94 upstream. + +Add a DMI quirk for Samsung Galaxy Book2 to fix an initial lid state +detection issue. + +The _LID device incorrectly returns the lid status as "closed" during +boot, causing the system to enter a suspend loop right after booting. + +The quirk ensures that the correct lid state is reported initially, +preventing the system from immediately suspending after startup. It +only addresses the initial lid state detection and ensures proper +system behavior upon boot. + +Signed-off-by: Shubham Panwar +Link: https://patch.msgid.link/20241020095045.6036-2-shubiisp8@gmail.com +[ rjw: Changelog edits ] +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/button.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/acpi/button.c ++++ b/drivers/acpi/button.c +@@ -130,6 +130,17 @@ static const struct dmi_system_id dmi_li + }, + .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_OPEN, + }, ++ { ++ /* ++ * Samsung galaxybook2 ,initial _LID device notification returns ++ * lid closed. ++ */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "750XED"), ++ }, ++ .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_OPEN, ++ }, + {} + }; + diff --git a/queue-5.15/acpi-resource-add-lg-16t90sp-to-irq1_level_low_skip_override.patch b/queue-5.15/acpi-resource-add-lg-16t90sp-to-irq1_level_low_skip_override.patch new file mode 100644 index 00000000000..132e7cebb3a --- /dev/null +++ b/queue-5.15/acpi-resource-add-lg-16t90sp-to-irq1_level_low_skip_override.patch 
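Review bot: the comment on the new dmi_lid_quirks entry, "Samsung galaxybook2 ,initial _LID device notification returns lid closed", has a stray space before the comma and an unusual product spelling; suggest "Samsung Galaxy Book2: the initial _LID notification returns lid closed" to match the style of the neighbouring entries. It is also worth stating in the comment that ACPI_BUTTON_LID_INIT_OPEN reports the lid as open at init unconditionally, so a 750XED that really boots with the lid shut will be reported open until the first _LID notification arrives; the match on DMI_SYS_VENDOR plus DMI_PRODUCT_NAME "750XED" is otherwise fine.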
@@ -0,0 +1,44 @@ +From 53f1a907d36fb3aa02a4d34073bcec25823a6c74 Mon Sep 17 00:00:00 2001 +From: Christian Heusel +Date: Thu, 17 Oct 2024 13:16:26 +0200 +Subject: ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] + +From: Christian Heusel + +commit 53f1a907d36fb3aa02a4d34073bcec25823a6c74 upstream. + +The LG Gram Pro 16 2-in-1 (2024), the 16T90SP, has its keyboard IRQ (1) +described as ActiveLow in the DSDT, which the kernel overrides to EdgeHigh, +which breaks the keyboard. + +Add the 16T90SP to the irq1_level_low_skip_override[] quirk table to fix +this. + +Reported-by: Dirk Holten +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219382 +Cc: All applicable +Suggested-by: Dirk Holten +Signed-off-by: Christian Heusel +Link: https://patch.msgid.link/20241017-lg-gram-pro-keyboard-v2-1-7c8fbf6ff718@heusel.eu +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/resource.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -505,6 +505,13 @@ static const struct dmi_system_id tongfa + DMI_MATCH(DMI_BOARD_NAME, "GMxRGxx"), + }, + }, ++ { ++ /* LG Electronics 16T90SP */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LG Electronics"), ++ DMI_MATCH(DMI_BOARD_NAME, "16T90SP"), ++ }, ++ }, + { } + }; + diff --git a/queue-5.15/alsa-hda-realtek-add-subwoofer-quirk-for-acer-predator-g9-593.patch b/queue-5.15/alsa-hda-realtek-add-subwoofer-quirk-for-acer-predator-g9-593.patch new file mode 100644 index 00000000000..0489a8acccb --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-subwoofer-quirk-for-acer-predator-g9-593.patch 
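Review bot: the hunk header shows the new entry being appended to a table whose name begins with `tongfa`, not to irq1_level_low_skip_override[] as the subject and message say, and the entry is an LG board placed after a `DMI_BOARD_NAME "GMxRGxx"` TongFang match; confirm that this is the table the 5.15 IRQ 1 override-skip code actually consults, and add a one-line comment at the entry saying it is there for the IRQ 1 level-low skip so a later reader does not take it for a misplaced TongFang match. The `DMI_SYS_VENDOR "LG Electronics"` / `DMI_BOARD_NAME "16T90SP"` pair itself looks right.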
@@ -0,0 +1,71 @@ +From 35fdc6e1c16099078bcbd73a6c8f1733ae7f1909 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Relvas?= +Date: Sun, 20 Oct 2024 11:27:56 +0100 +Subject: ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Relvas + +commit 35fdc6e1c16099078bcbd73a6c8f1733ae7f1909 upstream. + +The Acer Predator G9-593 has a 2+1 speaker system which isn't probed +correctly. +This patch adds a quirk with the proper pin connections. + +Note that I do not own this laptop, so I cannot guarantee that this +fixes the issue. +Testing was done by other users here: +https://discussion.fedoraproject.org/t/-/118482 + +This model appears to have two different dev IDs... + +- 0x1177 (as seen on the forum link above) +- 0x1178 (as seen on https://linux-hardware.org/?probe=127df9999f) + +I don't think the audio system was changed between model revisions, so +the patch applies for both IDs. 
+ +Signed-off-by: José Relvas +Link: https://patch.msgid.link/20241020102756.225258-1-josemonsantorelvas@gmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7024,6 +7024,7 @@ enum { + ALC286_FIXUP_ACER_AIO_HEADSET_MIC, + ALC256_FIXUP_ASUS_HEADSET_MIC, + ALC256_FIXUP_ASUS_MIC_NO_PRESENCE, ++ ALC255_FIXUP_PREDATOR_SUBWOOFER, + ALC299_FIXUP_PREDATOR_SPK, + ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE, + ALC289_FIXUP_DELL_SPK2, +@@ -8259,6 +8260,13 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC256_FIXUP_ASUS_HEADSET_MODE + }, ++ [ALC255_FIXUP_PREDATOR_SUBWOOFER] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x17, 0x90170151 }, /* use as internal speaker (LFE) */ ++ { 0x1b, 0x90170152 } /* use as internal speaker (back) */ ++ } ++ }, + [ALC299_FIXUP_PREDATOR_SPK] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -8997,6 +9005,8 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1025, 0x110e, "Acer Aspire ES1-432", ALC255_FIXUP_ACER_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1025, 0x1166, "Acer Veriton N4640G", ALC269_FIXUP_LIFEBOOK), + SND_PCI_QUIRK(0x1025, 0x1167, "Acer Veriton N6640G", ALC269_FIXUP_LIFEBOOK), ++ SND_PCI_QUIRK(0x1025, 0x1177, "Acer Predator G9-593", ALC255_FIXUP_PREDATOR_SUBWOOFER), ++ SND_PCI_QUIRK(0x1025, 0x1178, "Acer Predator G9-593", ALC255_FIXUP_PREDATOR_SUBWOOFER), + SND_PCI_QUIRK(0x1025, 0x1246, "Acer Predator Helios 500", ALC299_FIXUP_PREDATOR_SPK), + SND_PCI_QUIRK(0x1025, 0x1247, "Acer vCopperbox", ALC269VC_FIXUP_ACER_VCOPPERBOX_PINS), + SND_PCI_QUIRK(0x1025, 0x1248, "Acer Veriton N4660G", ALC269VC_FIXUP_ACER_MIC_NO_PRESENCE), 
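Review bot: the ALC255_FIXUP_PREDATOR_SUBWOOFER pin table in the alc269_fixups hunk has no terminating `{ }` entry after `{ 0x1b, 0x90170152 }`; HDA_FIXUP_PINS tables are walked until a zero nid (snd_hda_apply_pincfgs), so without the terminator the fixup keeps reading past the two-element array into whatever the compiler placed after it. Add `{ }` as the last element. Separately, since the message says the 0x1178 ID comes from a hardware-probe database and was not tested, a short comment beside the second SND_PCI_QUIRK line (`0x1025, 0x1178`) would help whoever bisects a regression on that variant.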
diff --git a/queue-5.15/btrfs-zoned-fix-zone-unusable-accounting-for-freed-reserved-extent.patch b/queue-5.15/btrfs-zoned-fix-zone-unusable-accounting-for-freed-reserved-extent.patch new file mode 100644 index 00000000000..a8e2db4267c --- /dev/null +++ b/queue-5.15/btrfs-zoned-fix-zone-unusable-accounting-for-freed-reserved-extent.patch 
@@ -0,0 +1,51 @@ +From bf9821ba4792a0d9a2e72803ae7b4341faf3d532 Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Tue, 1 Oct 2024 17:03:32 +0900 +Subject: btrfs: zoned: fix zone unusable accounting for freed reserved extent + +From: Naohiro Aota + +commit bf9821ba4792a0d9a2e72803ae7b4341faf3d532 upstream. + +When btrfs reserves an extent and does not use it (e.g, by an error), it +calls btrfs_free_reserved_extent() to free the reserved extent. In the +process, it calls btrfs_add_free_space() and then it accounts the region +bytes as block_group->zone_unusable. + +However, it leaves the space_info->bytes_zone_unusable side not updated. As +a result, ENOSPC can happen while a space_info reservation succeeded. The +reservation is fine because the freed region is not added in +space_info->bytes_zone_unusable, leaving that space as "free". OTOH, +corresponding block group counts it as zone_unusable and its allocation +pointer is not rewound, we cannot allocate an extent from that block group. +That will also negate space_info's async/sync reclaim process, and cause an +ENOSPC error from the extent allocation process. + +Fix that by returning the space to space_info->bytes_zone_unusable. +Ideally, since a bio is not submitted for this reserved region, we should +return the space to free space and rewind the allocation pointer. But, it +needs rework on extent allocation handling, so let it work in this way for +now. 
+ +Fixes: 169e0da91a21 ("btrfs: zoned: track unusable bytes for zones") +CC: stable@vger.kernel.org # 5.15+ +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/block-group.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -3386,6 +3386,8 @@ void btrfs_free_reserved_bytes(struct bt + spin_lock(&cache->lock); + if (cache->ro) + space_info->bytes_readonly += num_bytes; ++ else if (btrfs_is_zoned(cache->fs_info)) ++ space_info->bytes_zone_unusable += num_bytes; + cache->reserved -= num_bytes; + space_info->bytes_reserved -= num_bytes; + space_info->max_extent_size = 0; diff --git a/queue-5.15/drm-amd-guard-against-bad-data-for-atif-acpi-method.patch b/queue-5.15/drm-amd-guard-against-bad-data-for-atif-acpi-method.patch new file mode 100644 index 00000000000..15de8c15d0e --- /dev/null +++ b/queue-5.15/drm-amd-guard-against-bad-data-for-atif-acpi-method.patch 
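Review bot: the new `else if (btrfs_is_zoned(cache->fs_info))` branch in btrfs_free_reserved_bytes() needs a comment. The message explains that the freed reservation is deliberately charged to space_info->bytes_zone_unusable instead of being returned as free space because the block group's allocation pointer is not rewound, but nothing at the call site says so, and the sibling `if (cache->ro) space_info->bytes_readonly += num_bytes;` makes the new line read like ordinary symmetric accounting. Suggest a comment above the branch along the lines of "zoned: the allocation pointer is not rewound, so keep the bytes unusable; this must match the block_group->zone_unusable accounting in btrfs_add_free_space()".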
@@ -0,0 +1,75 @@ +From bf58f03931fdcf7b3c45cb76ac13244477a60f44 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Fri, 11 Oct 2024 12:23:15 -0500 +Subject: drm/amd: Guard against bad data for ATIF ACPI method + +From: Mario Limonciello + +commit bf58f03931fdcf7b3c45cb76ac13244477a60f44 upstream. + +If a BIOS provides bad data in response to an ATIF method call +this causes a NULL pointer dereference in the caller. + +``` +? show_regs (arch/x86/kernel/dumpstack.c:478 (discriminator 1)) +? __die (arch/x86/kernel/dumpstack.c:423 arch/x86/kernel/dumpstack.c:434) +? page_fault_oops (arch/x86/mm/fault.c:544 (discriminator 2) arch/x86/mm/fault.c:705 (discriminator 2)) +? do_user_addr_fault (arch/x86/mm/fault.c:440 (discriminator 1) arch/x86/mm/fault.c:1232 (discriminator 1)) +? acpi_ut_update_object_reference (drivers/acpi/acpica/utdelete.c:642) +? exc_page_fault (arch/x86/mm/fault.c:1542) +? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623) +? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:387 (discriminator 2)) amdgpu +? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:386 (discriminator 1)) amdgpu +``` + +It has been encountered on at least one system, so guard for it. 
+ +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Acked-by: Alex Deucher +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +(cherry picked from commit c9b7c809b89f24e9372a4e7f02d64c950b07fdee) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +@@ -108,6 +108,7 @@ static union acpi_object *amdgpu_atif_ca + struct acpi_buffer *params) + { + acpi_status status; ++ union acpi_object *obj; + union acpi_object atif_arg_elements[2]; + struct acpi_object_list atif_arg; + struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; +@@ -130,16 +131,24 @@ static union acpi_object *amdgpu_atif_ca + + status = acpi_evaluate_object(atif->handle, NULL, &atif_arg, + &buffer); ++ obj = (union acpi_object *)buffer.pointer; + +- /* Fail only if calling the method fails and ATIF is supported */ ++ /* Fail if calling the method fails and ATIF is supported */ + if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) { + DRM_DEBUG_DRIVER("failed to evaluate ATIF got %s\n", + acpi_format_exception(status)); +- kfree(buffer.pointer); ++ kfree(obj); + return NULL; + } + +- return buffer.pointer; ++ if (obj->type != ACPI_TYPE_BUFFER) { ++ DRM_DEBUG_DRIVER("bad object returned from ATIF: %d\n", ++ obj->type); ++ kfree(obj); ++ return NULL; ++ } ++ ++ return obj; + } + + /** diff --git a/queue-5.15/hv_netvsc-fix-vf-namespace-also-in-synthetic-nic-netdev_register-event.patch b/queue-5.15/hv_netvsc-fix-vf-namespace-also-in-synthetic-nic-netdev_register-event.patch new file mode 100644 index 00000000000..f19d3dc990b --- /dev/null +++ b/queue-5.15/hv_netvsc-fix-vf-namespace-also-in-synthetic-nic-netdev_register-event.patch 
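Review bot: the new `if (obj->type != ACPI_TYPE_BUFFER)` check dereferences obj on the AE_NOT_FOUND path, where the preceding `if (ACPI_FAILURE(status) && status != AE_NOT_FOUND)` deliberately does not return and buffer.pointer, hence obj, is NULL; the patch therefore moves the NULL dereference from the caller into amdgpu_atif_call() for that case. Either drop the `status != AE_NOT_FOUND` exemption so every ACPI_FAILURE() returns NULL, or add `if (!obj) return NULL;` ahead of the type check. The reworded comment ("Fail if calling the method fails and ATIF is supported") should be updated to match whichever is chosen.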
@@ -0,0 +1,75 @@ +From 4c262801ea60c518b5bebc22a09f5b78b3147da2 Mon Sep 17 00:00:00 2001 +From: Haiyang Zhang +Date: Fri, 18 Oct 2024 11:25:22 -0700 +Subject: hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event + +From: Haiyang Zhang + +commit 4c262801ea60c518b5bebc22a09f5b78b3147da2 upstream. + +The existing code moves VF to the same namespace as the synthetic NIC +during netvsc_register_vf(). But, if the synthetic device is moved to a +new namespace after the VF registration, the VF won't be moved together. + +To make the behavior more consistent, add a namespace check for synthetic +NIC's NETDEV_REGISTER event (generated during its move), and move the VF +if it is not in the same namespace. + +Cc: stable@vger.kernel.org +Fixes: c0a41b887ce6 ("hv_netvsc: move VF to same namespace as netvsc device") +Suggested-by: Stephen Hemminger +Signed-off-by: Haiyang Zhang +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1729275922-17595-1-git-send-email-haiyangz@microsoft.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -2813,6 +2813,31 @@ static struct hv_driver netvsc_drv = { + }, + }; + ++/* Set VF's namespace same as the synthetic NIC */ ++static void netvsc_event_set_vf_ns(struct net_device *ndev) ++{ ++ struct net_device_context *ndev_ctx = netdev_priv(ndev); ++ struct net_device *vf_netdev; ++ int ret; ++ ++ vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev); ++ if (!vf_netdev) ++ return; ++ ++ if (!net_eq(dev_net(ndev), dev_net(vf_netdev))) { ++ ret = dev_change_net_namespace(vf_netdev, dev_net(ndev), ++ "eth%d"); ++ if (ret) ++ netdev_err(vf_netdev, ++ "Cannot move to same namespace as %s: %d\n", ++ ndev->name, ret); ++ else ++ netdev_info(vf_netdev, ++ "Moved VF to namespace with: %s\n", ++ ndev->name); ++ } ++} ++ + /* + * On 
Hyper-V, every VF interface is matched with a corresponding + * synthetic interface. The synthetic interface is presented first +@@ -2825,6 +2850,11 @@ static int netvsc_netdev_event(struct no + struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); + int ret = 0; + ++ if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { ++ netvsc_event_set_vf_ns(event_dev); ++ return NOTIFY_DONE; ++ } ++ + ret = check_dev_is_matching_vf(event_dev); + if (ret != 0) + return NOTIFY_DONE; diff --git a/queue-5.15/kvm-nsvm-ignore-ncr3-when-loading-pdptes-from-memory.patch b/queue-5.15/kvm-nsvm-ignore-ncr3-when-loading-pdptes-from-memory.patch new file mode 100644 index 00000000000..e4c76ab623c --- /dev/null +++ b/queue-5.15/kvm-nsvm-ignore-ncr3-when-loading-pdptes-from-memory.patch 
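Review bot: netvsc_event_set_vf_ns() calls dev_change_net_namespace() from inside the NETDEV_REGISTER notifier for the synthetic NIC, and dev_change_net_namespace() itself raises NETDEV_UNREGISTER/NETDEV_REGISTER for the VF, so netvsc_netdev_event() re-enters while still handling the synthetic device's event, and the VF is renamed under the `"eth%d"` pattern in the target namespace; both deserve a comment at the `if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER)` check. The early `return NOTIFY_DONE` also means a synthetic NIC's own register event no longer reaches check_dev_is_matching_vf(), which is correct since device_ops devices are never VFs but should be stated. rtnl_dereference(ndev_ctx->vf_netdev) relies on RTNL being held by the notifier caller; an ASSERT_RTNL() at the top of the helper would document that.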
@@ -0,0 +1,59 @@ +From f559b2e9c5c5308850544ab59396b7d53cfc67bd Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 9 Oct 2024 07:08:38 -0700 +Subject: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory + +From: Sean Christopherson + +commit f559b2e9c5c5308850544ab59396b7d53cfc67bd upstream. + +Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits +4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't +enforce 32-byte alignment of nCR3. + +In the absolute worst case scenario, failure to ignore bits 4:0 can result +in an out-of-bounds read, e.g. if the target page is at the end of a +memslot, and the VMM isn't using guard pages. + +Per the APM: + + The CR3 register points to the base address of the page-directory-pointer + table. The page-directory-pointer table is aligned on a 32-byte boundary, + with the low 5 address bits 4:0 assumed to be 0. + +And the SDM's much more explicit: + + 4:0 Ignored + +Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow +that is broken. + +Fixes: e4e517b4be01 ("KVM: MMU: Do not unconditionally read PDPTE from guest memory") +Reported-by: Kirk Swidowski +Cc: Andy Nguyen +Cc: 3pvd <3pvd@google.com> +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-ID: <20241009140838.1036226-1-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/nested.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/svm/nested.c ++++ b/arch/x86/kvm/svm/nested.c +@@ -77,8 +77,12 @@ static u64 nested_svm_get_tdp_pdptr(stru + u64 pdpte; + int ret; + ++ /* ++ * Note, nCR3 is "assumed" to be 32-byte aligned, i.e. the CPU ignores ++ * nCR3[4:0] when loading PDPTEs from memory. ++ */ + ret = kvm_vcpu_read_guest_page(vcpu, gpa_to_gfn(cr3), &pdpte, +- offset_in_page(cr3) + index * 8, 8); ++ (cr3 & GENMASK(11, 5)) + index * 8, 8); + if (ret) + return 0; + return pdpte; 
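Review bot: the new comment says the CPU ignores nCR3[4:0] but not why KVM must do the same, which is the point of the Fixes: `cr3 & GENMASK(11, 5)` keeps the 32-byte-aligned table offset inside the page, so `+ index * 8` (index 0..3) can never run past the end of the page read by kvm_vcpu_read_guest_page(), whereas `offset_in_page(cr3) + index * 8` with a misaligned nCR3 could, which is the out-of-bounds read the message describes. Suggest adding that sentence to the comment so a reader comparing the mask against the APM text sees more than an alignment nicety.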
diff --git a/queue-5.15/nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag.patch b/queue-5.15/nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag.patch new file mode 100644 index 00000000000..d138c91ff70 --- /dev/null +++ b/queue-5.15/nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag.patch 
@@ -0,0 +1,55 @@ +From 6ed469df0bfbef3e4b44fca954a781919db9f7ab Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Wed, 16 Oct 2024 06:32:07 +0900 +Subject: nilfs2: fix kernel bug due to missing clearing of buffer delay flag + +From: Ryusuke Konishi + +commit 6ed469df0bfbef3e4b44fca954a781919db9f7ab upstream. + +Syzbot reported that after nilfs2 reads a corrupted file system image +and degrades to read-only, the BUG_ON check for the buffer delay flag +in submit_bh_wbc() may fail, causing a kernel bug. + +This is because the buffer delay flag is not cleared when clearing the +buffer state flags to discard a page/folio or a buffer head. So, fix +this. + +This became necessary when the use of nilfs2's own page clear routine +was expanded. This state inconsistency does not occur if the buffer +is written normally by log writing. + +Signed-off-by: Ryusuke Konishi +Link: https://lore.kernel.org/r/20241015213300.7114-1-konishi.ryusuke@gmail.com +Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption") +Reported-by: syzbot+985ada84bf055a575c07@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=985ada84bf055a575c07 +Cc: stable@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/page.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/nilfs2/page.c ++++ b/fs/nilfs2/page.c +@@ -77,7 +77,8 @@ void nilfs_forget_buffer(struct buffer_h + const unsigned long clear_bits = + (BIT(BH_Uptodate) | BIT(BH_Dirty) | BIT(BH_Mapped) | + BIT(BH_Async_Write) | BIT(BH_NILFS_Volatile) | +- BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected)); ++ BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected) | ++ BIT(BH_Delay)); + + lock_buffer(bh); + set_mask_bits(&bh->b_state, clear_bits, 0); +@@ -409,7 +410,8 @@ void nilfs_clear_dirty_page(struct page + const unsigned long clear_bits = + (BIT(BH_Uptodate) | 
BIT(BH_Dirty) | BIT(BH_Mapped) | + BIT(BH_Async_Write) | BIT(BH_NILFS_Volatile) | +- BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected)); ++ BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected) | ++ BIT(BH_Delay)); + + bh = head = page_buffers(page); + do { diff --git a/queue-5.15/openat2-explicitly-return-e2big-for-usize-page_size.patch b/queue-5.15/openat2-explicitly-return-e2big-for-usize-page_size.patch new file mode 100644 index 00000000000..7e17506ce3d --- /dev/null +++ b/queue-5.15/openat2-explicitly-return-e2big-for-usize-page_size.patch @@ -0,0 +1,35 @@ +From f92f0a1b05698340836229d791b3ffecc71b265a Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Thu, 10 Oct 2024 07:40:36 +1100 +Subject: openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) + +From: Aleksa Sarai + +commit f92f0a1b05698340836229d791b3ffecc71b265a upstream. + +While we do currently return -EFAULT in this case, it seems prudent to +follow the behaviour of other syscalls like clone3. It seems quite +unlikely that anyone depends on this error code being EFAULT, but we can +always revert this if it turns out to be an issue. + +Cc: stable@vger.kernel.org # v5.6+ +Fixes: fddb5d430ad9 ("open: introduce openat2(2) syscall") +Signed-off-by: Aleksa Sarai +Link: https://lore.kernel.org/r/20241010-extensible-structs-check_fields-v3-3-d2833dfe6edd@cyphar.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/open.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/open.c ++++ b/fs/open.c +@@ -1296,6 +1296,8 @@ SYSCALL_DEFINE4(openat2, int, dfd, const + + if (unlikely(usize < OPEN_HOW_SIZE_VER0)) + return -EINVAL; ++ if (unlikely(usize > PAGE_SIZE)) ++ return -E2BIG; + + err = copy_struct_from_user(&tmp, sizeof(tmp), how, usize); + if (err) diff --git a/queue-5.15/series b/queue-5.15/series index 903f8064422..d016d6a7f0b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
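Review bot: the same clear_bits list is now duplicated verbatim in nilfs_forget_buffer() and nilfs_clear_dirty_page(), and this fix exists precisely because one flag (BH_Delay) was missing from both copies; consider hoisting the mask into a single shared constant so the next flag only has to be added in one place.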
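Review bot: the new `if (unlikely(usize > PAGE_SIZE)) return -E2BIG;` in openat2() is a user-visible errno change (previously -EFAULT, as the message says) and should carry a comment pointing at the clone3 precedent it copies, plus an update to the openat2(2) manual page's ERRORS list so that E2BIG for an oversized `size` is documented alongside the existing EINVAL for `usize < OPEN_HOW_SIZE_VER0`.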
@@ -63,3 +63,13 @@ posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch bpf-perf-fix-perf_event_detach_bpf_prog-error-handli.patch alsa-firewire-lib-avoid-division-by-zero-in-apply_co.patch alsa-hda-realtek-update-default-depop-procedure.patch +btrfs-zoned-fix-zone-unusable-accounting-for-freed-reserved-extent.patch +drm-amd-guard-against-bad-data-for-atif-acpi-method.patch +acpi-resource-add-lg-16t90sp-to-irq1_level_low_skip_override.patch +acpi-button-add-dmi-quirk-for-samsung-galaxy-book2-to-fix-initial-lid-detection-issue.patch +nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag.patch +openat2-explicitly-return-e2big-for-usize-page_size.patch +kvm-nsvm-ignore-ncr3-when-loading-pdptes-from-memory.patch +alsa-hda-realtek-add-subwoofer-quirk-for-acer-predator-g9-593.patch +xfrm-fix-one-more-kernel-infoleak-in-algo-dumping.patch +hv_netvsc-fix-vf-namespace-also-in-synthetic-nic-netdev_register-event.patch diff --git a/queue-5.15/xfrm-fix-one-more-kernel-infoleak-in-algo-dumping.patch b/queue-5.15/xfrm-fix-one-more-kernel-infoleak-in-algo-dumping.patch new file mode 100644 index 00000000000..030d037b72c --- /dev/null +++ b/queue-5.15/xfrm-fix-one-more-kernel-infoleak-in-algo-dumping.patch 
@@ -0,0 +1,101 @@ +From 6889cd2a93e1e3606b3f6e958aa0924e836de4d2 Mon Sep 17 00:00:00 2001 +From: Petr Vaganov +Date: Tue, 8 Oct 2024 14:02:58 +0500 +Subject: xfrm: fix one more kernel-infoleak in algo dumping + +From: Petr Vaganov + +commit 6889cd2a93e1e3606b3f6e958aa0924e836de4d2 upstream. + +During fuzz testing, the following issue was discovered: + +BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30 + _copy_to_iter+0x598/0x2a30 + __skb_datagram_iter+0x168/0x1060 + skb_copy_datagram_iter+0x5b/0x220 + netlink_recvmsg+0x362/0x1700 + sock_recvmsg+0x2dc/0x390 + __sys_recvfrom+0x381/0x6d0 + __x64_sys_recvfrom+0x130/0x200 + x64_sys_call+0x32c8/0x3cc0 + do_syscall_64+0xd8/0x1c0 + entry_SYSCALL_64_after_hwframe+0x79/0x81 + +Uninit was stored to memory at: + copy_to_user_state_extra+0xcc1/0x1e00 + dump_one_state+0x28c/0x5f0 + xfrm_state_walk+0x548/0x11e0 + xfrm_dump_sa+0x1e0/0x840 + netlink_dump+0x943/0x1c40 + __netlink_dump_start+0x746/0xdb0 + xfrm_user_rcv_msg+0x429/0xc00 + netlink_rcv_skb+0x613/0x780 + xfrm_netlink_rcv+0x77/0xc0 + netlink_unicast+0xe90/0x1280 + netlink_sendmsg+0x126d/0x1490 + __sock_sendmsg+0x332/0x3d0 + ____sys_sendmsg+0x863/0xc30 + ___sys_sendmsg+0x285/0x3e0 + __x64_sys_sendmsg+0x2d6/0x560 + x64_sys_call+0x1316/0x3cc0 + do_syscall_64+0xd8/0x1c0 + entry_SYSCALL_64_after_hwframe+0x79/0x81 + +Uninit was created at: + __kmalloc+0x571/0xd30 + attach_auth+0x106/0x3e0 + xfrm_add_sa+0x2aa0/0x4230 + xfrm_user_rcv_msg+0x832/0xc00 + netlink_rcv_skb+0x613/0x780 + xfrm_netlink_rcv+0x77/0xc0 + netlink_unicast+0xe90/0x1280 + netlink_sendmsg+0x126d/0x1490 + __sock_sendmsg+0x332/0x3d0 + ____sys_sendmsg+0x863/0xc30 + ___sys_sendmsg+0x285/0x3e0 + __x64_sys_sendmsg+0x2d6/0x560 + x64_sys_call+0x1316/0x3cc0 + do_syscall_64+0xd8/0x1c0 + entry_SYSCALL_64_after_hwframe+0x79/0x81 + +Bytes 328-379 of 732 are uninitialized +Memory access of size 732 starts at ffff88800e18e000 +Data copied to user address 00007ff30f48aff0 + +CPU: 2 PID: 18167 Comm: syz-executor.0 Not 
tainted 6.8.11 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + +Fixes copying of xfrm algorithms where some random +data of the structure fields can end up in userspace. +Padding in structures may be filled with random (possibly sensitive) +data and should never be given directly to user-space. + +A similar issue was resolved in the commit +8222d5910dae ("xfrm: Zero padding when dumping algos and encap") + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: c7a5899eb26e ("xfrm: redact SA secret with lockdown confidentiality") +Cc: stable@vger.kernel.org +Co-developed-by: Boris Tonofa +Signed-off-by: Boris Tonofa +Signed-off-by: Petr Vaganov +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_user.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -887,7 +887,9 @@ static int copy_to_user_auth(struct xfrm + if (!nla) + return -EMSGSIZE; + ap = nla_data(nla); +- memcpy(ap, auth, sizeof(struct xfrm_algo_auth)); ++ strscpy_pad(ap->alg_name, auth->alg_name, sizeof(ap->alg_name)); ++ ap->alg_key_len = auth->alg_key_len; ++ ap->alg_trunc_len = auth->alg_trunc_len; + if (redact_secret && auth->alg_key_len) + memset(ap->alg_key, 0, (auth->alg_key_len + 7) / 8); + else
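Review bot: the hunk replaces `memcpy(ap, auth, sizeof(struct xfrm_algo_auth))` with per-field copies of alg_name, alg_key_len and alg_trunc_len, and the bytes that were leaking are the uninitialised tail of alg_name (the KMSAN report places the allocation in attach_auth() via __kmalloc, and the 52-byte uninit range fits inside a 64-byte name); a comment at the strscpy_pad() line saying that the source name is not zero-padded would be clearer than the message's "padding in structures" wording. The hunk as reproduced here ends at `else`, so the non-redacted alg_key copy that follows cannot be reviewed on this page.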