From: Greg Kroah-Hartman Date: Tue, 21 Jan 2025 13:27:23 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.15.177~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a36411a29382d271bbf671a0bf949c7049bcbbbf;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: rdma-rxe-fix-the-qp-flush-warnings-in-req.patch revert-regmap-detach-regmap-from-dev-on-regmap_exit.patch scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch --- diff --git a/queue-6.1/rdma-rxe-fix-the-qp-flush-warnings-in-req.patch b/queue-6.1/rdma-rxe-fix-the-qp-flush-warnings-in-req.patch new file mode 100644 index 0000000000..eb8cb4655e --- /dev/null +++ b/queue-6.1/rdma-rxe-fix-the-qp-flush-warnings-in-req.patch 
@@ -0,0 +1,83 @@ +From ea4c990fa9e19ffef0648e40c566b94ba5ab31be Mon Sep 17 00:00:00 2001 +From: Zhu Yanjun +Date: Fri, 25 Oct 2024 17:20:36 +0200 +Subject: RDMA/rxe: Fix the qp flush warnings in req + +From: Zhu Yanjun + +commit ea4c990fa9e19ffef0648e40c566b94ba5ab31be upstream. + +When the qp is in error state, the status of WQEs in the queue should be +set to error. Or else the following will appear. + +[ 920.617269] WARNING: CPU: 1 PID: 21 at drivers/infiniband/sw/rxe/rxe_comp.c:756 rxe_completer+0x989/0xcc0 [rdma_rxe] +[ 920.617744] Modules linked in: rnbd_client(O) rtrs_client(O) rtrs_core(O) rdma_ucm rdma_cm iw_cm ib_cm crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel ib_uverbs ib_core loop brd null_blk ipv6 +[ 920.618516] CPU: 1 PID: 21 Comm: ksoftirqd/1 Tainted: G O 6.1.113-storage+ #65 +[ 920.618986] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +[ 920.619396] RIP: 0010:rxe_completer+0x989/0xcc0 [rdma_rxe] +[ 920.619658] Code: 0f b6 84 24 3a 02 00 00 41 89 84 24 44 04 00 00 e9 2a f7 ff ff 39 ca bb 03 00 00 00 b8 0e 00 00 00 48 0f 45 d8 e9 15 f7 ff ff <0f> 0b e9 cb f8 ff ff 41 bf f5 ff ff ff e9 08 f8 ff ff 49 8d bc 24 +[ 920.620482] RSP: 0018:ffff97b7c00bbc38 EFLAGS: 00010246 +[ 920.620817] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000008 +[ 920.621183] RDX: ffff960dc396ebc0 RSI: 0000000000005400 RDI: ffff960dc4e2fbac +[ 920.621548] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffac406450 +[ 920.621884] R10: ffffffffac4060c0 R11: 0000000000000001 R12: ffff960dc4e2f800 +[ 920.622254] R13: ffff960dc4e2f928 R14: ffff97b7c029c580 R15: 0000000000000000 +[ 920.622609] FS: 0000000000000000(0000) GS:ffff960ef7d00000(0000) knlGS:0000000000000000 +[ 920.622979] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 920.623245] CR2: 00007fa056965e90 CR3: 00000001107f1000 CR4: 00000000000006e0 +[ 920.623680] Call Trace: +[ 920.623815] +[ 920.623933] ? __warn+0x79/0xc0 +[ 920.624116] ? 
rxe_completer+0x989/0xcc0 [rdma_rxe] +[ 920.624356] ? report_bug+0xfb/0x150 +[ 920.624594] ? handle_bug+0x3c/0x60 +[ 920.624796] ? exc_invalid_op+0x14/0x70 +[ 920.624976] ? asm_exc_invalid_op+0x16/0x20 +[ 920.625203] ? rxe_completer+0x989/0xcc0 [rdma_rxe] +[ 920.625474] ? rxe_completer+0x329/0xcc0 [rdma_rxe] +[ 920.625749] rxe_do_task+0x80/0x110 [rdma_rxe] +[ 920.626037] rxe_requester+0x625/0xde0 [rdma_rxe] +[ 920.626310] ? rxe_cq_post+0xe2/0x180 [rdma_rxe] +[ 920.626583] ? do_complete+0x18d/0x220 [rdma_rxe] +[ 920.626812] ? rxe_completer+0x1a3/0xcc0 [rdma_rxe] +[ 920.627050] rxe_do_task+0x80/0x110 [rdma_rxe] +[ 920.627285] tasklet_action_common.constprop.0+0xa4/0x120 +[ 920.627522] handle_softirqs+0xc2/0x250 +[ 920.627728] ? sort_range+0x20/0x20 +[ 920.627942] run_ksoftirqd+0x1f/0x30 +[ 920.628158] smpboot_thread_fn+0xc7/0x1b0 +[ 920.628334] kthread+0xd6/0x100 +[ 920.628504] ? kthread_complete_and_exit+0x20/0x20 +[ 920.628709] ret_from_fork+0x1f/0x30 +[ 920.628892] + +Fixes: ae720bdb703b ("RDMA/rxe: Generate error completion for error requester QP state") +Signed-off-by: Zhu Yanjun +Link: https://patch.msgid.link/20241025152036.121417-1-yanjun.zhu@linux.dev +Signed-off-by: Leon Romanovsky +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_req.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/sw/rxe/rxe_req.c ++++ b/drivers/infiniband/sw/rxe/rxe_req.c +@@ -643,13 +643,15 @@ int rxe_requester(void *arg) + + if (unlikely(qp->req.state == QP_STATE_ERROR)) { + wqe = req_next_wqe(qp); +- if (wqe) ++ if (wqe) { + /* + * Generate an error completion for error qp state + */ ++ wqe->status = IB_WC_WR_FLUSH_ERR; + goto err; +- else ++ } else { + goto exit; ++ } + } + + if (unlikely(qp->req.state == QP_STATE_RESET)) { 
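Review bot: the hunk sets wqe->status = IB_WC_WR_FLUSH_ERR only on the single WQE returned by req_next_wqe() before jumping to err, while the commit message says the status of the WQEs in the queue (plural) should be set to error; the diff does not show how the remaining queued WQEs get flushed, so the message should state whether each rxe_requester() pass flushes one WQE and the remaining ones are handled by subsequent passes until req_next_wqe() returns NULL and the exit path is taken. The braces added around the if/else bodies are the right call for kernel style now that the if body spans a comment plus two statements.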
diff --git a/queue-6.1/revert-regmap-detach-regmap-from-dev-on-regmap_exit.patch b/queue-6.1/revert-regmap-detach-regmap-from-dev-on-regmap_exit.patch new file mode 100644 index 0000000000..b43844d5bb --- /dev/null +++ b/queue-6.1/revert-regmap-detach-regmap-from-dev-on-regmap_exit.patch @@ -0,0 +1,49 @@ +From f4adb02ebeb4d9d2f23a0dc6b52c8ad3d750e433 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 21 Jan 2025 14:24:18 +0100 +Subject: Revert "regmap: detach regmap from dev on regmap_exit" + +From: Greg Kroah-Hartman + +This reverts commit 48dc44f3c1afa29390cb2fbc8badad1b1111cea4 which is +commit 3061e170381af96d1e66799d34264e6414d428a7 upstream. + +It was backported incorrectly, a fixed version will be applied later. + +Cc: Cosmin Tanislav +Cc: Mark Brown +Link: https://lore.kernel.org/r/20250115033244.2540522-1-tzungbi@kernel.org +Reported-by: Tzung-Bi Shih +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap.c | 12 ------------ + 1 file changed, 12 deletions(-) + +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -652,17 +652,6 @@ int regmap_attach_dev(struct device *dev + } + EXPORT_SYMBOL_GPL(regmap_attach_dev); + +-static int dev_get_regmap_match(struct device *dev, void *res, void *data); +- +-static int regmap_detach_dev(struct device *dev, struct regmap *map) +-{ +- if (!dev) +- return 0; +- +- return devres_release(dev, dev_get_regmap_release, +- dev_get_regmap_match, (void *)map->name); +-} +- + static enum regmap_endian regmap_get_reg_endian(const struct regmap_bus *bus, + const struct regmap_config *config) + { +@@ -1513,7 +1502,6 @@ int regmap_reinit_cache(struct regmap *m + { + int ret; + +- regmap_detach_dev(map->dev, map); + regcache_exit(map); + regmap_debugfs_exit(map); + diff --git a/queue-6.1/scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch b/queue-6.1/scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch new file mode 100644 index 0000000000..892260cbbb --- /dev/null 
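Review bot: the call site being reverted sits in regmap_reinit_cache() (the second hunk's context line is `int regmap_reinit_cache(struct regmap *m`), whereas the subject of the reverted commit says the regmap is detached from the dev on regmap_exit; that mismatch is the concrete form of the "backported incorrectly" reason and is worth spelling out in the message so the promised fixed backport is checked against regmap_exit() specifically. The first hunk also drops the forward declaration of dev_get_regmap_match() together with regmap_detach_dev(), which is correct for a clean revert, but the follow-up backport will need both again.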
+++ b/queue-6.1/scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch 
@@ -0,0 +1,73 @@ +From f10593ad9bc36921f623361c9e3dd96bd52d85ee Mon Sep 17 00:00:00 2001 +From: Suraj Sonawane +Date: Wed, 20 Nov 2024 18:29:44 +0530 +Subject: scsi: sg: Fix slab-use-after-free read in sg_release() + +From: Suraj Sonawane + +commit f10593ad9bc36921f623361c9e3dd96bd52d85ee upstream. + +Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN: + +BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 +kernel/locking/lockdep.c:5838 +__mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912 +sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407 + +In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is +called before releasing the open_rel_lock mutex. The kref_put() call may +decrement the reference count of sfp to zero, triggering its cleanup +through sg_remove_sfp(). This cleanup includes scheduling deferred work +via sg_remove_sfp_usercontext(), which ultimately frees sfp. + +After kref_put(), sg_release() continues to unlock open_rel_lock and may +reference sfp or sdp. If sfp has already been freed, this results in a +slab-use-after-free error. + +Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the +open_rel_lock mutex. This ensures: + + - No references to sfp or sdp occur after the reference count is + decremented. + + - Cleanup functions such as sg_remove_sfp() and + sg_remove_sfp_usercontext() can safely execute without impacting the + mutex handling in sg_release(). + +The fix has been tested and validated by syzbot. This patch closes the +bug reported at the following syzkaller link and ensures proper +sequencing of resource cleanup and mutex operations, eliminating the +risk of use-after-free errors in sg_release(). 
+ +Reported-by: syzbot+7efb5850a17ba6ce098b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7efb5850a17ba6ce098b +Tested-by: syzbot+7efb5850a17ba6ce098b@syzkaller.appspotmail.com +Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling") +Signed-off-by: Suraj Sonawane +Link: https://lore.kernel.org/r/20241120125944.88095-1-surajsonawane0215@gmail.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Alva Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -390,7 +390,6 @@ sg_release(struct inode *inode, struct f + + mutex_lock(&sdp->open_rel_lock); + scsi_autopm_put_device(sdp->device); +- kref_put(&sfp->f_ref, sg_remove_sfp); + sdp->open_cnt--; + + /* possibly many open()s waiting on exlude clearing, start many; +@@ -402,6 +401,7 @@ sg_release(struct inode *inode, struct f + wake_up_interruptible(&sdp->open_wait); + } + mutex_unlock(&sdp->open_rel_lock); ++ kref_put(&sfp->f_ref, sg_remove_sfp); + return 0; + } + diff --git a/queue-6.1/series b/queue-6.1/series index 9fe792c2a1..443a1256a5 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -53,3 +53,6 @@ drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch drm-amdgpu-fix-usage-slab-after-free.patch block-fix-uaf-for-flush-rq-while-iterating-tags.patch revert-drm-amdgpu-rework-resume-handling-for-display-v2.patch +rdma-rxe-fix-the-qp-flush-warnings-in-req.patch +scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch +revert-regmap-detach-regmap-from-dev-on-regmap_exit.patch
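Review bot: with kref_put(&sfp->f_ref, sg_remove_sfp) moved below mutex_unlock(&sdp->open_rel_lock) it is now the last statement before `return 0`, so nothing in sg_release() touches sfp or sdp after the reference may be dropped, which matches the commit message. What the message should still say is why the put no longer needs open_rel_lock: `sdp->open_cnt--` and the wake_up_interruptible(&sdp->open_wait) path remain under the lock, so an opener woken on open_wait can now run before the old sfp's deferred teardown; one sentence confirming that nothing in sg_remove_sfp() relies on open_rel_lock being held would close that question for backporters.

To make the ordering bug in the sg_release() commit message concrete, here is an added user-space model written for this page; it is not kernel code and not part of the patch. The model keeps the kernel's shape as the message describes it: a per-open private (sg_fp, standing in for sfp) holds one reference on its parent device (sg_dev, standing in for sdp), and the device embeds the lock that release() holds. All names, the single-threaded lock stand-in, and the synchronous "free" are this example's assumptions; in the driver the free is deferred to a work item, which is why the report lands in the unlock rather than earlier. "Freeing" here sets a tombstone flag and keeps the storage, so the bad access is observable instead of undefined.

```c
/*
 * Added example, not code from the kernel or from the patch above: a small
 * user-space model of the refcount/lock ordering bug fixed in sg_release().
 * Names (sg_dev, sg_fp, release_buggy, release_fixed, run_release) are the
 * example's own.
 */
#include <stdbool.h>
#include <stdio.h>

struct sg_dev {
    bool open_rel_lock;      /* stand-in for the mutex_lock/unlock state */
    bool freed;              /* tombstone set by dev_put() on last reference */
    int refcnt;
    int open_cnt;
};

struct sg_fp {
    struct sg_dev *parentdp; /* assumption: the private owns one sg_dev reference */
    bool freed;
    int refcnt;
};

static void dev_put(struct sg_dev *sdp)
{
    if (--sdp->refcnt == 0)
        sdp->freed = true;   /* kfree() of the device, mutex included, in the driver */
}

/* Models sg_remove_sfp(): free the private and drop the device reference it holds. */
static void fp_put(struct sg_fp *sfp)
{
    if (--sfp->refcnt == 0) {
        sfp->freed = true;   /* deferred in the driver; synchronous here */
        dev_put(sfp->parentdp);
    }
}

/* Returns true if the unlock ran on an already-freed device (the bug). */
static bool unlock_dev(struct sg_dev *sdp)
{
    bool uaf = sdp->freed;

    sdp->open_rel_lock = false;
    return uaf;
}

/* Ordering before the fix: drop the reference under the lock, then unlock. */
static bool release_buggy(struct sg_fp *sfp)
{
    struct sg_dev *sdp = sfp->parentdp;

    sdp->open_rel_lock = true;
    fp_put(sfp);             /* may free sfp and, through it, sdp */
    sdp->open_cnt--;         /* already touches a possibly freed sdp */
    return unlock_dev(sdp);  /* the unlock the KASAN report points at */
}

/* Ordering after the fix: unlock first, drop the reference last. */
static bool release_fixed(struct sg_fp *sfp)
{
    struct sg_dev *sdp = sfp->parentdp;
    bool uaf;

    sdp->open_rel_lock = true;
    sdp->open_cnt--;
    uaf = unlock_dev(sdp);
    fp_put(sfp);             /* nothing dereferences sfp or sdp after this */
    return uaf;
}

/* Constructed scenario: the device is kept alive only by this one private. */
static void setup_last_open(struct sg_dev *sdp, struct sg_fp *sfp)
{
    sdp->open_rel_lock = false;
    sdp->freed = false;
    sdp->refcnt = 1;         /* only the sg_fp's reference remains */
    sdp->open_cnt = 1;
    sfp->parentdp = sdp;
    sfp->freed = false;
    sfp->refcnt = 1;
}

/* Runs one release in the chosen order; returns whether it hit freed memory. */
static bool run_release(bool fixed)
{
    struct sg_dev dev;
    struct sg_fp fp;

    setup_last_open(&dev, &fp);
    return fixed ? release_fixed(&fp) : release_buggy(&fp);
}

int main(void)
{
    printf("buggy order: %s\n", run_release(false) ? "use-after-free" : "ok");
    printf("fixed order: %s\n", run_release(true) ? "use-after-free" : "ok");
    return 0;
}
```

The point the model isolates is that the lock lives inside the object whose lifetime the reference chain controls; any put that can drop the last reference must therefore come after the final touch of that object, which is exactly the statement order the patch establishes.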