From: Greg Kroah-Hartman Date: Sun, 9 Mar 2025 19:04:31 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v5.4.291~98 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=972a3bca867bb0f39e18a3f1bcbbaeee110ad8c5;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: block-fix-conversion-of-gpt-partition-name-to-7-bit.patch bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_device_connected.patch bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_remote_name.patch dma-kmsan-export-kmsan_handle_dma-for-modules.patch mm-don-t-skip-arch_sync_kernel_mappings-in-error-paths.patch mm-page_alloc-fix-uninitialized-variable.patch nfs-fix-nfs_release_folio-to-not-deadlock-via-kcompactd-writeback.patch rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch rapidio-fix-an-api-misues-when-rio_add_net-fails.patch s390-traps-fix-test_monitor_call-inline-assembly.patch wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch --- diff --git a/queue-6.6/block-fix-conversion-of-gpt-partition-name-to-7-bit.patch b/queue-6.6/block-fix-conversion-of-gpt-partition-name-to-7-bit.patch new file mode 100644 index 0000000000..510d7d2518 --- /dev/null +++ b/queue-6.6/block-fix-conversion-of-gpt-partition-name-to-7-bit.patch 
@@ -0,0 +1,74 @@ +From e06472bab2a5393430cc2fbc3211cd3602422c1e Mon Sep 17 00:00:00 2001 +From: Olivier Gayot +Date: Wed, 5 Mar 2025 10:21:54 +0800 +Subject: block: fix conversion of GPT partition name to 7-bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Olivier Gayot + +commit e06472bab2a5393430cc2fbc3211cd3602422c1e upstream. + +The utf16_le_to_7bit function claims to, naively, convert a UTF-16 +string to a 7-bit ASCII string. By naively, we mean that it: + * drops the first byte of every character in the original UTF-16 string + * checks if all characters are printable, and otherwise replaces them + by exclamation mark "!". + +This means that theoretically, all characters outside the 7-bit ASCII +range should be replaced by another character. Examples: + + * lower-case alpha (ɒ) 0x0252 becomes 0x52 (R) + * ligature OE (œ) 0x0153 becomes 0x53 (S) + * hangul letter pieup (ㅂ) 0x3142 becomes 0x42 (B) + * upper-case gamma (Ɣ) 0x0194 becomes 0x94 (not printable) so gets + replaced by "!" + +The result of this conversion for the GPT partition name is passed to +user-space as PARTNAME via udev, which is confusing and feels questionable. + +However, there is a flaw in the conversion function itself. By dropping +one byte of each character and using isprint() to check if the remaining +byte corresponds to a printable character, we do not actually guarantee +that the resulting character is 7-bit ASCII. + +This happens because we pass 8-bit characters to isprint(), which +in the kernel returns 1 for many values > 0x7f - as defined in ctype.c. + +This results in many values which should be replaced by "!" to be kept +as-is, despite not being valid 7-bit ASCII. Examples: + + * e with acute accent (é) 0x00E9 becomes 0xE9 - kept as-is because + isprint(0xE9) returns 1. + * euro sign (€) 0x20AC becomes 0xAC - kept as-is because isprint(0xAC) + returns 1. 
+ +This way has broken pyudev utility[1], fixes it by using a mask of 7 bits +instead of 8 bits before calling isprint. + +Link: https://github.com/pyudev/pyudev/issues/490#issuecomment-2685794648 [1] +Link: https://lore.kernel.org/linux-block/4cac90c2-e414-4ebb-ae62-2a4589d9dc6e@canonical.com/ +Cc: Mulhern +Cc: Davidlohr Bueso +Cc: stable@vger.kernel.org +Signed-off-by: Olivier Gayot +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20250305022154.3903128-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/efi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/partitions/efi.c ++++ b/block/partitions/efi.c +@@ -682,7 +682,7 @@ static void utf16_le_to_7bit(const __le1 + out[size] = 0; + + while (i < size) { +- u8 c = le16_to_cpu(in[i]) & 0xff; ++ u8 c = le16_to_cpu(in[i]) & 0x7f; + + if (c && !isprint(c)) + c = '!'; diff --git a/queue-6.6/bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_device_connected.patch b/queue-6.6/bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_device_connected.patch new file mode 100644 index 0000000000..5b50796741 --- /dev/null +++ b/queue-6.6/bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_device_connected.patch 
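Review bot: the mask change at `+ u8 c = le16_to_cpu(in[i]) & 0x7f;` guarantees the output byte is 7-bit, but it does not make non-ASCII code points turn into "!" the way the description's "should be replaced by another character" suggests: using the description's own examples, é (0x00E9) now becomes 0x69 ('i') and € (0x20AC) becomes 0x2C (','), both of which pass isprint(). That is consistent with the existing naive behaviour (0x0252 -> 'R'), so the code is fine, but the commit message should state plainly that the goal is a 7-bit-clean PARTNAME rather than a meaningful transliteration, and a one-line comment above the mask would keep the next reader from "fixing" it back to 0xff.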
@@ -0,0 +1,33 @@ +From d8df010f72b8a32aaea393e36121738bb53ed905 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Fri, 21 Feb 2025 16:58:01 +0800 +Subject: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() + +From: Haoxiang Li + +commit d8df010f72b8a32aaea393e36121738bb53ed905 upstream. + +Add check for the return value of mgmt_alloc_skb() in +mgmt_device_connected() to prevent null pointer dereference. + +Fixes: e96741437ef0 ("Bluetooth: mgmt: Make use of mgmt_send_event_skb in MGMT_EV_DEVICE_CONNECTED") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/mgmt.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -9679,6 +9679,9 @@ void mgmt_device_connected(struct hci_de + sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0) + + eir_precalc_len(sizeof(conn->dev_class))); + ++ if (!skb) ++ return; ++ + ev = skb_put(skb, sizeof(*ev)); + bacpy(&ev->addr.bdaddr, &conn->dst); + ev->addr.type = link_to_bdaddr(conn->type, conn->dst_type); diff --git a/queue-6.6/bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_remote_name.patch b/queue-6.6/bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_remote_name.patch new file mode 100644 index 0000000000..387931813c --- /dev/null +++ b/queue-6.6/bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_remote_name.patch 
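Review bot: the `+ if (!skb) return;` guard correctly sits between mgmt_alloc_skb() and the first skb_put(), but an allocation failure now silently drops the MGMT_EV_DEVICE_CONNECTED event with no trace; consider a debug message so a missing connected event can be diagnosed, and the description should mention that the event is lost rather than only that a NULL dereference is avoided.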
@@ -0,0 +1,32 @@ +From f2176a07e7b19f73e05c805cf3d130a2999154cb Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Fri, 21 Feb 2025 16:49:47 +0800 +Subject: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() + +From: Haoxiang Li + +commit f2176a07e7b19f73e05c805cf3d130a2999154cb upstream. + +Add check for the return value of mgmt_alloc_skb() in +mgmt_remote_name() to prevent null pointer dereference. + +Fixes: ba17bb62ce41 ("Bluetooth: Fix skb allocation in mgmt_remote_name() & mgmt_device_connected()") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/mgmt.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -10443,6 +10443,8 @@ void mgmt_remote_name(struct hci_dev *hd + + skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND, + sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0)); ++ if (!skb) ++ return; + + ev = skb_put(skb, sizeof(*ev)); + bacpy(&ev->addr.bdaddr, bdaddr); diff --git a/queue-6.6/dma-kmsan-export-kmsan_handle_dma-for-modules.patch b/queue-6.6/dma-kmsan-export-kmsan_handle_dma-for-modules.patch new file mode 100644 index 0000000000..26db794096 --- /dev/null +++ b/queue-6.6/dma-kmsan-export-kmsan_handle_dma-for-modules.patch 
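Review bot: same pattern as the mgmt_device_connected() fix: the `+ if (!skb) return;` check is placed before skb_put() as required, but an allocation failure silently drops the MGMT_EV_DEVICE_FOUND event carrying the remote name. A debug message would help, and for consistency with the sibling patch the guard could be separated from the allocation by a blank line the way that patch does it.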
@@ -0,0 +1,42 @@ +From 19fac3c93991502a22c5132824c40b6a2e64b136 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Tue, 18 Feb 2025 10:14:11 +0100 +Subject: dma: kmsan: export kmsan_handle_dma() for modules + +From: Sebastian Andrzej Siewior + +commit 19fac3c93991502a22c5132824c40b6a2e64b136 upstream. + +kmsan_handle_dma() is used by virtio_ring() which can be built as a +module. kmsan_handle_dma() needs to be exported otherwise building the +virtio_ring fails. + +Export kmsan_handle_dma for modules. + +Link: https://lkml.kernel.org/r/20250218091411.MMS3wBN9@linutronix.de +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202502150634.qjxwSeJR-lkp@intel.com/ +Fixes: 7ade4f10779c ("dma: kmsan: unpoison DMA mappings") +Signed-off-by: Sebastian Andrzej Siewior +Cc: Alexander Potapenko +Cc: Dmitriy Vyukov +Cc: Macro Elver +Cc: Peter Zijlstra (Intel) +Cc: Thomas Gleixner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmsan/hooks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/kmsan/hooks.c ++++ b/mm/kmsan/hooks.c +@@ -346,6 +346,7 @@ void kmsan_handle_dma(struct page *page, + size -= to_go; + } + } ++EXPORT_SYMBOL_GPL(kmsan_handle_dma); + + void kmsan_handle_dma_sg(struct scatterlist *sg, int nents, + enum dma_data_direction dir) diff --git a/queue-6.6/mm-don-t-skip-arch_sync_kernel_mappings-in-error-paths.patch b/queue-6.6/mm-don-t-skip-arch_sync_kernel_mappings-in-error-paths.patch new file mode 100644 index 0000000000..8d2b4ae848 --- /dev/null +++ b/queue-6.6/mm-don-t-skip-arch_sync_kernel_mappings-in-error-paths.patch 
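Review bot: the export at `+EXPORT_SYMBOL_GPL(kmsan_handle_dma);` is correctly placed directly after the function's closing brace, but kmsan_handle_dma_sg() in the trailing context is not exported by this change; confirm that no modular caller needs the scatterlist variant, otherwise the same build failure will recur. Also, `virtio_ring()` in the description reads as a function when it is the module being built, and the `Cc: Macro Elver` trailer looks like a misspelling of Marco Elver.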
@@ -0,0 +1,65 @@ +From 3685024edd270f7c791f993157d65d3c928f3d6e Mon Sep 17 00:00:00 2001 +From: Ryan Roberts +Date: Wed, 26 Feb 2025 12:16:09 +0000 +Subject: mm: don't skip arch_sync_kernel_mappings() in error paths + +From: Ryan Roberts + +commit 3685024edd270f7c791f993157d65d3c928f3d6e upstream. + +Fix callers that previously skipped calling arch_sync_kernel_mappings() if +an error occurred during a pgtable update. The call is still required to +sync any pgtable updates that may have occurred prior to hitting the error +condition. + +These are theoretical bugs discovered during code review. + +Link: https://lkml.kernel.org/r/20250226121610.2401743-1-ryan.roberts@arm.com +Fixes: 2ba3e6947aed ("mm/vmalloc: track which page-table levels were modified") +Fixes: 0c95cba49255 ("mm: apply_to_pte_range warn and fail if a large pte is encountered") +Signed-off-by: Ryan Roberts +Reviewed-by: Anshuman Khandual +Reviewed-by: Catalin Marinas +Cc: Christop Hellwig +Cc: "Uladzislau Rezki (Sony)" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory.c | 6 ++++-- + mm/vmalloc.c | 4 ++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -2746,8 +2746,10 @@ static int __apply_to_page_range(struct + next = pgd_addr_end(addr, end); + if (pgd_none(*pgd) && !create) + continue; +- if (WARN_ON_ONCE(pgd_leaf(*pgd))) +- return -EINVAL; ++ if (WARN_ON_ONCE(pgd_leaf(*pgd))) { ++ err = -EINVAL; ++ break; ++ } + if (!pgd_none(*pgd) && WARN_ON_ONCE(pgd_bad(*pgd))) { + if (!create) + continue; +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -558,13 +558,13 @@ static int vmap_small_pages_range_noflus + mask |= PGTBL_PGD_MODIFIED; + err = vmap_pages_p4d_range(pgd, addr, next, prot, pages, &nr, &mask); + if (err) +- return err; ++ break; + } while (pgd++, addr = next, addr != end); + + if (mask & ARCH_PAGE_TABLE_SYNC_MASK) + arch_sync_kernel_mappings(start, end); + +- return 0; ++ return err; + } + + /* 
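Review bot: in the mm/memory.c hunk, switching `return -EINVAL` to `err = -EINVAL; break;` relies on `err` being the value returned after the loop and on the post-loop arch_sync_kernel_mappings() call being reached; neither is visible in the hunk's context, so a couple more context lines, or a sentence in the message naming the sync call at the end of __apply_to_page_range(), would let a reader verify the fix without opening the file.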
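Review bot: in the mm/vmalloc.c hunk, `return err` is safe only because the do/while body assigns `err` on every iteration before a `break` can be taken, so `err` is always set on exit; that deserves a comment, since a later conversion to a plain `while` loop (zero iterations) would return an unset value. The `Cc: Christop Hellwig` trailer also looks like a misspelling of Christoph Hellwig.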
diff --git a/queue-6.6/mm-page_alloc-fix-uninitialized-variable.patch b/queue-6.6/mm-page_alloc-fix-uninitialized-variable.patch new file mode 100644 index 0000000000..76fc837f96 --- /dev/null +++ b/queue-6.6/mm-page_alloc-fix-uninitialized-variable.patch 
@@ -0,0 +1,78 @@ +From 8fe9ed44dc29fba0786b7e956d2e87179e407582 Mon Sep 17 00:00:00 2001 +From: Hao Zhang +Date: Thu, 27 Feb 2025 11:41:29 +0800 +Subject: mm/page_alloc: fix uninitialized variable + +From: Hao Zhang + +commit 8fe9ed44dc29fba0786b7e956d2e87179e407582 upstream. + +The variable "compact_result" is not initialized in function +__alloc_pages_slowpath(). It causes should_compact_retry() to use an +uninitialized value. + +Initialize variable "compact_result" with the value COMPACT_SKIPPED. + +BUG: KMSAN: uninit-value in __alloc_pages_slowpath+0xee8/0x16c0 mm/page_alloc.c:4416 + __alloc_pages_slowpath+0xee8/0x16c0 mm/page_alloc.c:4416 + __alloc_frozen_pages_noprof+0xa4c/0xe00 mm/page_alloc.c:4752 + alloc_pages_mpol+0x4cd/0x890 mm/mempolicy.c:2270 + alloc_frozen_pages_noprof mm/mempolicy.c:2341 [inline] + alloc_pages_noprof mm/mempolicy.c:2361 [inline] + folio_alloc_noprof+0x1dc/0x350 mm/mempolicy.c:2371 + filemap_alloc_folio_noprof+0xa6/0x440 mm/filemap.c:1019 + __filemap_get_folio+0xb9a/0x1840 mm/filemap.c:1970 + grow_dev_folio fs/buffer.c:1039 [inline] + grow_buffers fs/buffer.c:1105 [inline] + __getblk_slow fs/buffer.c:1131 [inline] + bdev_getblk+0x2c9/0xab0 fs/buffer.c:1431 + getblk_unmovable include/linux/buffer_head.h:369 [inline] + ext4_getblk+0x3b7/0xe50 fs/ext4/inode.c:864 + ext4_bread_batch+0x9f/0x7d0 fs/ext4/inode.c:933 + __ext4_find_entry+0x1ebb/0x36c0 fs/ext4/namei.c:1627 + ext4_lookup_entry fs/ext4/namei.c:1729 [inline] + ext4_lookup+0x189/0xb40 fs/ext4/namei.c:1797 + __lookup_slow+0x538/0x710 fs/namei.c:1793 + lookup_slow+0x6a/0xd0 fs/namei.c:1810 + walk_component fs/namei.c:2114 [inline] + link_path_walk+0xf29/0x1420 fs/namei.c:2479 + path_openat+0x30f/0x6250 fs/namei.c:3985 + do_filp_open+0x268/0x600 fs/namei.c:4016 + do_sys_openat2+0x1bf/0x2f0 fs/open.c:1428 + do_sys_open fs/open.c:1443 [inline] + __do_sys_openat fs/open.c:1459 [inline] + __se_sys_openat fs/open.c:1454 [inline] + __x64_sys_openat+0x2a1/0x310 fs/open.c:1454 + 
x64_sys_call+0x36f5/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:258 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Local variable compact_result created at: + __alloc_pages_slowpath+0x66/0x16c0 mm/page_alloc.c:4218 + __alloc_frozen_pages_noprof+0xa4c/0xe00 mm/page_alloc.c:4752 + +Link: https://lkml.kernel.org/r/tencent_ED1032321D6510B145CDBA8CBA0093178E09@qq.com +Reported-by: syzbot+0cfd5e38e96a5596f2b6@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0cfd5e38e96a5596f2b6 +Signed-off-by: Hao Zhang +Reviewed-by: Vlastimil Babka +Cc: Michal Hocko +Cc: Mel Gorman +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_alloc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -3936,6 +3936,7 @@ __alloc_pages_slowpath(gfp_t gfp_mask, u + restart: + compaction_retries = 0; + no_progress_loops = 0; ++ compact_result = COMPACT_SKIPPED; + compact_priority = DEF_COMPACT_PRIORITY; + cpuset_mems_cookie = read_mems_allowed_begin(); + zonelist_iter_cookie = zonelist_iter_begin(); diff --git a/queue-6.6/nfs-fix-nfs_release_folio-to-not-deadlock-via-kcompactd-writeback.patch b/queue-6.6/nfs-fix-nfs_release_folio-to-not-deadlock-via-kcompactd-writeback.patch new file mode 100644 index 0000000000..ea27ec5d26 --- /dev/null +++ b/queue-6.6/nfs-fix-nfs_release_folio-to-not-deadlock-via-kcompactd-writeback.patch 
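Review bot: `+ compact_result = COMPACT_SKIPPED;` is placed under the `restart:` label, so it is reset on every retry round rather than once at declaration; if should_compact_retry() is meant to see the previous round's result after a restart this changes behaviour, and if not, the message should say that resetting on restart is intended. The KMSAN report cites mm/page_alloc.c:4218 while the hunk is at line 3936, which only reflects the report being taken on a newer tree than this 6.6 backport.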
@@ -0,0 +1,116 @@ +From ce6d9c1c2b5cc785016faa11b48b6cd317eb367e Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Mon, 24 Feb 2025 21:20:02 -0500 +Subject: NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback + +From: Mike Snitzer + +commit ce6d9c1c2b5cc785016faa11b48b6cd317eb367e upstream. + +Add PF_KCOMPACTD flag and current_is_kcompactd() helper to check for it so +nfs_release_folio() can skip calling nfs_wb_folio() from kcompactd. + +Otherwise NFS can deadlock waiting for kcompactd enduced writeback which +recurses back to NFS (which triggers writeback to NFSD via NFS loopback +mount on the same host, NFSD blocks waiting for XFS's call to +__filemap_get_folio): + +6070.550357] INFO: task kcompactd0:58 blocked for more than 4435 seconds. + +{--- +[58] "kcompactd0" +[<0>] folio_wait_bit+0xe8/0x200 +[<0>] folio_wait_writeback+0x2b/0x80 +[<0>] nfs_wb_folio+0x80/0x1b0 [nfs] +[<0>] nfs_release_folio+0x68/0x130 [nfs] +[<0>] split_huge_page_to_list_to_order+0x362/0x840 +[<0>] migrate_pages_batch+0x43d/0xb90 +[<0>] migrate_pages_sync+0x9a/0x240 +[<0>] migrate_pages+0x93c/0x9f0 +[<0>] compact_zone+0x8e2/0x1030 +[<0>] compact_node+0xdb/0x120 +[<0>] kcompactd+0x121/0x2e0 +[<0>] kthread+0xcf/0x100 +[<0>] ret_from_fork+0x31/0x40 +[<0>] ret_from_fork_asm+0x1a/0x30 +---} + +[akpm@linux-foundation.org: fix build] +Link: https://lkml.kernel.org/r/20250225022002.26141-1-snitzer@kernel.org +Fixes: 96780ca55e3c ("NFS: fix up nfs_release_folio() to try to release the page") +Signed-off-by: Mike Snitzer +Cc: Anna Schumaker +Cc: Trond Myklebust +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/file.c | 3 ++- + include/linux/compaction.h | 5 +++++ + include/linux/sched.h | 2 +- + mm/compaction.c | 3 +++ + 4 files changed, 11 insertions(+), 2 deletions(-) + +--- a/fs/nfs/file.c ++++ b/fs/nfs/file.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -450,7 +451,7 @@ static bool 
nfs_release_folio(struct fol + /* If the private flag is set, then the folio is not freeable */ + if (folio_test_private(folio)) { + if ((current_gfp_context(gfp) & GFP_KERNEL) != GFP_KERNEL || +- current_is_kswapd()) ++ current_is_kswapd() || current_is_kcompactd()) + return false; + if (nfs_wb_folio(folio_file_mapping(folio)->host, folio) < 0) + return false; +--- a/include/linux/compaction.h ++++ b/include/linux/compaction.h +@@ -80,6 +80,11 @@ static inline unsigned long compact_gap( + return 2UL << order; + } + ++static inline int current_is_kcompactd(void) ++{ ++ return current->flags & PF_KCOMPACTD; ++} ++ + #ifdef CONFIG_COMPACTION + + extern unsigned int extfrag_for_order(struct zone *zone, unsigned int order); +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -1746,7 +1746,7 @@ extern struct pid *cad_pid; + #define PF_USED_MATH 0x00002000 /* If unset the fpu must be initialized before use */ + #define PF_USER_WORKER 0x00004000 /* Kernel thread cloned from userspace thread */ + #define PF_NOFREEZE 0x00008000 /* This thread should not be frozen */ +-#define PF__HOLE__00010000 0x00010000 ++#define PF_KCOMPACTD 0x00010000 /* I am kcompactd */ + #define PF_KSWAPD 0x00020000 /* I am kswapd */ + #define PF_MEMALLOC_NOFS 0x00040000 /* All allocation requests will inherit GFP_NOFS */ + #define PF_MEMALLOC_NOIO 0x00080000 /* All allocation requests will inherit GFP_NOIO */ +--- a/mm/compaction.c ++++ b/mm/compaction.c +@@ -3050,6 +3050,7 @@ static int kcompactd(void *p) + if (!cpumask_empty(cpumask)) + set_cpus_allowed_ptr(tsk, cpumask); + ++ current->flags |= PF_KCOMPACTD; + set_freezable(); + + pgdat->kcompactd_max_order = 0; +@@ -3106,6 +3107,8 @@ static int kcompactd(void *p) + pgdat->proactive_compact_trigger = false; + } + ++ current->flags &= ~PF_KCOMPACTD; ++ + return 0; + } + 
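Review bot: at `+ current_is_kswapd() || current_is_kcompactd())` the function now returns false for kcompactd, so the folio is simply not released and compaction cannot migrate it; that is the right trade (no deadlock), but the message only says nfs_wb_folio() is skipped and should state that kcompactd will fail to migrate such NFS folios rather than write them back.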
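Review bot: `+static inline int current_is_kcompactd(void)` is added outside the `#ifdef CONFIG_COMPACTION` block, which is necessary because fs/nfs/file.c calls it unconditionally; a one-line comment saying so would stop someone from moving it inside the ifdef. It also dereferences `current` and uses PF_KCOMPACTD, so compaction.h must include linux/sched.h directly or transitively, and the diffstat shows this change adds no include there.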
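Review bot: the flag is set with `+ current->flags |= PF_KCOMPACTD;` after set_cpus_allowed_ptr() and cleared with `+ current->flags &= ~PF_KCOMPACTD;` just before `return 0`; since the kthread exits immediately after, the clear is defensive only, which is fine but worth a word in the message. Confirm that nothing between thread start and the set can reach nfs_release_folio(), as any such path would still be unflagged.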
diff --git a/queue-6.6/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch b/queue-6.6/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch new file mode 100644 index 0000000000..f5b9bda718 --- /dev/null +++ b/queue-6.6/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch @@ -0,0 +1,41 @@ +From e842f9a1edf306bf36fe2a4d847a0b0d458770de Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Thu, 27 Feb 2025 12:11:31 +0800 +Subject: rapidio: add check for rio_add_net() in rio_scan_alloc_net() + +From: Haoxiang Li + +commit e842f9a1edf306bf36fe2a4d847a0b0d458770de upstream. + +The return value of rio_add_net() should be checked. If it fails, +put_device() should be called to free the memory and give up the reference +initialized in rio_add_net(). + +Link: https://lkml.kernel.org/r/20250227041131.3680761-1-haoxiang_li2024@163.com +Fixes: e6b585ca6e81 ("rapidio: move net allocation into core code") +Signed-off-by: Yang Yingliang +Signed-off-by: Haoxiang Li +Cc: Alexandre Bounine +Cc: Matt Porter +Cc: Dan Carpenter +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rapidio/rio-scan.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/rapidio/rio-scan.c ++++ b/drivers/rapidio/rio-scan.c +@@ -871,7 +871,10 @@ static struct rio_net *rio_scan_alloc_ne + dev_set_name(&net->dev, "rnet_%d", net->id); + net->dev.parent = &mport->dev; + net->dev.release = rio_scan_release_dev; +- rio_add_net(net); ++ if (rio_add_net(net)) { ++ put_device(&net->dev); ++ net = NULL; ++ } + } + + return net; diff --git a/queue-6.6/rapidio-fix-an-api-misues-when-rio_add_net-fails.patch b/queue-6.6/rapidio-fix-an-api-misues-when-rio_add_net-fails.patch new file mode 100644 index 0000000000..2b5d976bb0 --- /dev/null +++ b/queue-6.6/rapidio-fix-an-api-misues-when-rio_add_net-fails.patch 
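Review bot: the `+ if (rio_add_net(net)) { put_device(&net->dev); net = NULL; }` block correctly hands the reference to the release callback assigned just above (`net->dev.release = rio_scan_release_dev`) instead of freeing directly, and the NULL assignment keeps the `return net` below honest. The trailer chain is odd, though: `Signed-off-by: Yang Yingliang` precedes the author's own sign-off with no From: or Co-developed-by: line, so authorship should be clarified.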
@@ -0,0 +1,39 @@ +From b2ef51c74b0171fde7eb69b6152d3d2f743ef269 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Thu, 27 Feb 2025 15:34:09 +0800 +Subject: rapidio: fix an API misues when rio_add_net() fails + +From: Haoxiang Li + +commit b2ef51c74b0171fde7eb69b6152d3d2f743ef269 upstream. + +rio_add_net() calls device_register() and fails when device_register() +fails. Thus, put_device() should be used rather than kfree(). Add +"mport->net = NULL;" to avoid a use after free issue. + +Link: https://lkml.kernel.org/r/20250227073409.3696854-1-haoxiang_li2024@163.com +Fixes: e8de370188d0 ("rapidio: add mport char device driver") +Signed-off-by: Haoxiang Li +Reviewed-by: Dan Carpenter +Cc: Alexandre Bounine +Cc: Matt Porter +Cc: Yang Yingliang +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rapidio/devices/rio_mport_cdev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -1740,7 +1740,8 @@ static int rio_mport_add_riodev(struct m + err = rio_add_net(net); + if (err) { + rmcd_debug(RDEV, "failed to register net, err=%d", err); +- kfree(net); ++ put_device(&net->dev); ++ mport->net = NULL; + goto cleanup; + } + } diff --git a/queue-6.6/s390-traps-fix-test_monitor_call-inline-assembly.patch b/queue-6.6/s390-traps-fix-test_monitor_call-inline-assembly.patch new file mode 100644 index 0000000000..62ebed8326 --- /dev/null +++ b/queue-6.6/s390-traps-fix-test_monitor_call-inline-assembly.patch 
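Review bot: replacing `kfree(net)` with `put_device(&net->dev)` is right once device_register() has initialised the kobject, and `+ mport->net = NULL;` prevents the stale pointer; confirm that the `cleanup` label does not touch `net` or `mport->net` again, since that path is outside the visible context. Subject line typo: "misues" should be "misuse".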
@@ -0,0 +1,44 @@ +From 5623bc23a1cb9f9a9470fa73b3a20321dc4c4870 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Tue, 25 Feb 2025 10:53:10 +0100 +Subject: s390/traps: Fix test_monitor_call() inline assembly + +From: Heiko Carstens + +commit 5623bc23a1cb9f9a9470fa73b3a20321dc4c4870 upstream. + +The test_monitor_call() inline assembly uses the xgr instruction, which +also modifies the condition code, to clear a register. However the clobber +list of the inline assembly does not specify that the condition code is +modified, which may lead to incorrect code generation. + +Use the lhi instruction instead to clear the register without that the +condition code is modified. Furthermore this limits clearing to the lower +32 bits of val, since its type is int. + +Fixes: 17248ea03674 ("s390: fix __EMIT_BUG() macro") +Cc: stable@vger.kernel.org +Reviewed-by: Juergen Christ +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/traps.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/s390/kernel/traps.c ++++ b/arch/s390/kernel/traps.c +@@ -276,10 +276,10 @@ static void __init test_monitor_call(voi + return; + asm volatile( + " mc 0,0\n" +- "0: xgr %0,%0\n" ++ "0: lhi %[val],0\n" + "1:\n" +- EX_TABLE(0b,1b) +- : "+d" (val)); ++ EX_TABLE(0b, 1b) ++ : [val] "+d" (val)); + if (!val) + panic("Monitor call doesn't work!\n"); + } diff --git a/queue-6.6/series b/queue-6.6/series index a504acb66e..06e1e63160 100644 --- a/queue-6.6/series +++ b/queue-6.6/series 
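Review bot: the hunk fixes the missing condition-code clobber by avoiding `xgr` rather than by adding "cc" to the clobber list, which the description explains, but it also folds in the cosmetic `EX_TABLE(0b,1b)` -> `EX_TABLE(0b, 1b)` spacing change and the switch to a named `[val]` operand; for a stable backport it would be cleaner to keep those separate or at least mention them in the message. Note that `lhi %[val],0` clears only the low 32 bits, which the message justifies by `val` being an int; the `if (!val)` test below relies on that.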
@@ -44,3 +44,15 @@ x86-cacheinfo-validate-cpuid-leaf-0x2-edx-output.patch x86-cpu-validate-cpuid-leaf-0x2-edx-output.patch x86-cpu-properly-parse-cpuid-leaf-0x2-tlb-descriptor-0x63.patch mptcp-fix-scheduling-while-atomic-in-mptcp_pm_nl_append_new_local_addr.patch +bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_remote_name.patch +bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_device_connected.patch +wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch +wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch +rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch +rapidio-fix-an-api-misues-when-rio_add_net-fails.patch +dma-kmsan-export-kmsan_handle_dma-for-modules.patch +s390-traps-fix-test_monitor_call-inline-assembly.patch +nfs-fix-nfs_release_folio-to-not-deadlock-via-kcompactd-writeback.patch +block-fix-conversion-of-gpt-partition-name-to-7-bit.patch +mm-page_alloc-fix-uninitialized-variable.patch +mm-don-t-skip-arch_sync_kernel_mappings-in-error-paths.patch diff --git a/queue-6.6/wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch b/queue-6.6/wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch new file mode 100644 index 0000000000..02330e7040 --- /dev/null +++ b/queue-6.6/wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch 
@@ -0,0 +1,90 @@ +From 59b348be7597c4a9903cb003c69e37df20c04a30 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Fri, 28 Feb 2025 16:46:57 +0300 +Subject: wifi: cfg80211: regulatory: improve invalid hints checking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nikita Zhandarovich + +commit 59b348be7597c4a9903cb003c69e37df20c04a30 upstream. + +Syzbot keeps reporting an issue [1] that occurs when erroneous symbols +sent from userspace get through into user_alpha2[] via +regulatory_hint_user() call. Such invalid regulatory hints should be +rejected. + +While a sanity check from commit 47caf685a685 ("cfg80211: regulatory: +reject invalid hints") looks to be enough to deter these very cases, +there is a way to get around it due to 2 reasons. + +1) The way isalpha() works, symbols other than latin lower and +upper letters may be used to determine a country/domain. +For instance, greek letters will also be considered upper/lower +letters and for such characters isalpha() will return true as well. +However, ISO-3166-1 alpha2 codes should only hold latin +characters. + +2) While processing a user regulatory request, between +reg_process_hint_user() and regulatory_hint_user() there happens to +be a call to queue_regulatory_request() which modifies letters in +request->alpha2[] with toupper(). This works fine for latin symbols, +less so for weird letter characters from the second part of _ctype[]. + +Syzbot triggers a warning in is_user_regdom_saved() by first sending +over an unexpected non-latin letter that gets malformed by toupper() +into a character that ends up failing isalpha() check. + +Prevent this by enhancing is_an_alpha2() to ensure that incoming +symbols are latin letters and nothing else. 
+ +[1] Syzbot report: +------------[ cut here ]------------ +Unexpected user alpha2: A� +WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline] +WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline] +WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 +Modules linked in: +CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Workqueue: events_power_efficient crda_timeout_work +RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline] +RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline] +RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 +... +Call Trace: + + crda_timeout_work+0x27/0x50 net/wireless/reg.c:542 + process_one_work kernel/workqueue.c:3229 [inline] + process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 + worker_thread+0x870/0xd30 kernel/workqueue.c:3391 + kthread+0x2f2/0x390 kernel/kthread.c:389 + ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + +Reported-by: syzbot+e10709ac3c44f3d4e800@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=e10709ac3c44f3d4e800 +Fixes: 09d989d179d0 ("cfg80211: add regulatory hint disconnect support") +Cc: stable@kernel.org +Signed-off-by: Nikita Zhandarovich +Link: https://patch.msgid.link/20250228134659.1577656-1-n.zhandarovich@fintech.ru +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/reg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -405,7 +405,8 @@ static bool is_an_alpha2(const char *alp + { + if (!alpha2) + return false; +- return isalpha(alpha2[0]) && isalpha(alpha2[1]); ++ return 
isascii(alpha2[0]) && isalpha(alpha2[0]) && ++ isascii(alpha2[1]) && isalpha(alpha2[1]); + } + + static bool alpha2_equal(const char *alpha2_x, const char *alpha2_y) diff --git a/queue-6.6/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch b/queue-6.6/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch new file mode 100644 index 0000000000..a2feedc401 --- /dev/null +++ b/queue-6.6/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch 
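Review bot: `isascii(alpha2[0]) && isalpha(alpha2[0])` restricts the check to A-Z/a-z as intended, but since isalpha() accepting non-ASCII bytes is exactly the pitfall the description documents, a short comment above the return (why isascii is needed in addition to isalpha) would stop a later cleanup from dropping it. Because is_an_alpha2() is also what the warning site in is_user_regdom_saved() shown in the report relies on, the message could note that both the hint path and the warning are hardened by this one change.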
@@ -0,0 +1,48 @@ +From 49f27f29446a5bfe633dd2cc0cfebd48a1a5e77f Mon Sep 17 00:00:00 2001 +From: Vitaliy Shevtsov +Date: Fri, 31 Jan 2025 20:26:55 +0500 +Subject: wifi: nl80211: reject cooked mode if it is set along with other flags + +From: Vitaliy Shevtsov + +commit 49f27f29446a5bfe633dd2cc0cfebd48a1a5e77f upstream. + +It is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE +flags simultaneously on the same monitor interface from the userspace. This +causes a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit +set because the monitor interface is in the cooked state and it takes +precedence over all other states. When the interface is then being deleted +the kernel calls WARN_ONCE() from check_sdata_in_driver() because of missing +that bit. + +Fix this by rejecting MONITOR_FLAG_COOK_FRAMES if it is set along with +other flags. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 66f7ac50ed7c ("nl80211: Add monitor interface configuration flags") +Cc: stable@vger.kernel.org +Reported-by: syzbot+2e5c1e55b9e5c28a3da7@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2e5c1e55b9e5c28a3da7 +Signed-off-by: Vitaliy Shevtsov +Link: https://patch.msgid.link/20250131152657.5606-1-v.shevtsov@mt-integration.ru +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/nl80211.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -4102,6 +4102,11 @@ static int parse_monitor_flags(struct nl + if (flags[flag]) + *mntrflags |= (1<