From: Greg Kroah-Hartman Date: Wed, 20 Nov 2024 12:36:42 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.12.1~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b314a5ea3d618a2ecf9c22b61b22f56de61ec5b3;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: char-xillybus-prevent-use-after-free-due-to-race-condition.patch drm-amd-check-num-of-link-levels-when-update-pcie-param.patch null_blk-fix-null-ptr-dereference-while-configuring-power-and-submit_queues.patch null_blk-fix-return-value-of-nullb_device_power_store.patch null_blk-remove-usage-of-the-deprecated-ida_simple_xx-api.patch parisc-fix-a-possible-dma-corruption.patch --- diff --git a/queue-6.1/char-xillybus-prevent-use-after-free-due-to-race-condition.patch b/queue-6.1/char-xillybus-prevent-use-after-free-due-to-race-condition.patch new file mode 100644 index 00000000000..51d2f648fe0 --- /dev/null +++ b/queue-6.1/char-xillybus-prevent-use-after-free-due-to-race-condition.patch @@ -0,0 +1,119 @@ +From 282a4b71816b6076029017a7bab3a9dcee12a920 Mon Sep 17 00:00:00 2001 +From: Eli Billauer +Date: Sun, 30 Oct 2022 11:42:09 +0200 +Subject: char: xillybus: Prevent use-after-free due to race condition + +From: Eli Billauer + +commit 282a4b71816b6076029017a7bab3a9dcee12a920 upstream. + +The driver for XillyUSB devices maintains a kref reference count on each +xillyusb_dev structure, which represents a physical device. This reference +count reaches zero when the device has been disconnected and there are no +open file descriptors that are related to the device. When this occurs, +kref_put() calls cleanup_dev(), which clears up the device's data, +including the structure itself. + +However, when xillyusb_open() is called, this reference count becomes +tricky: This function needs to obtain the xillyusb_dev structure that +relates to the inode's major and minor (as there can be several such). +xillybus_find_inode() (which is defined in xillybus_class.c) is called +for this purpose. xillybus_find_inode() holds a mutex that is global in +xillybus_class.c to protect the list of devices, and releases this +mutex before returning. As a result, nothing protects the xillyusb_dev's +reference counter from being decremented to zero before xillyusb_open() +increments it on its own behalf. Hence the structure can be freed +due to a rare race condition. + +To solve this, a mutex is added. It is locked by xillyusb_open() before +the call to xillybus_find_inode() and is released only after the kref +counter has been incremented on behalf of the newly opened inode. This +protects the kref reference counters of all xillyusb_dev structs from +being decremented by xillyusb_disconnect() during this time segment, as +the call to kref_put() in this function is done with the same lock held. + +There is no need to hold the lock on other calls to kref_put(), because +if xillybus_find_inode() finds a struct, xillyusb_disconnect() has not +made the call to remove it, and hence not made its call to kref_put(), +which takes place afterwards. Hence preventing xillyusb_disconnect's +call to kref_put() is enough to ensure that the reference doesn't reach +zero before it's incremented by xillyusb_open(). + +It would have been more natural to increment the reference count in +xillybus_find_inode() of course, however this function is also called by +Xillybus' driver for PCIe / OF, which registers a completely different +structure. Therefore, xillybus_find_inode() treats these structures as +void pointers, and accordingly can't make any changes. + +Reported-by: Hyunwoo Kim +Suggested-by: Alan Stern +Signed-off-by: Eli Billauer +Link: https://lore.kernel.org/r/20221030094209.65916-1-eli.billauer@gmail.com +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/xillybus/xillyusb.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +--- a/drivers/char/xillybus/xillyusb.c ++++ b/drivers/char/xillybus/xillyusb.c +@@ -185,6 +185,14 @@ struct xillyusb_dev { + struct mutex process_in_mutex; /* synchronize wakeup_all() */ + }; + ++/* ++ * kref_mutex is used in xillyusb_open() to prevent the xillyusb_dev ++ * struct from being freed during the gap between being found by ++ * xillybus_find_inode() and having its reference count incremented. ++ */ ++ ++static DEFINE_MUTEX(kref_mutex); ++ + /* FPGA to host opcodes */ + enum { + OPCODE_DATA = 0, +@@ -1234,9 +1242,16 @@ static int xillyusb_open(struct inode *i + int rc; + int index; + ++ mutex_lock(&kref_mutex); ++ + rc = xillybus_find_inode(inode, (void **)&xdev, &index); +- if (rc) ++ if (rc) { ++ mutex_unlock(&kref_mutex); + return rc; ++ } ++ ++ kref_get(&xdev->kref); ++ mutex_unlock(&kref_mutex); + + chan = &xdev->channels[index]; + filp->private_data = chan; +@@ -1272,8 +1287,6 @@ static int xillyusb_open(struct inode *i + ((filp->f_mode & FMODE_WRITE) && chan->open_for_write)) + goto unmutex_fail; + +- kref_get(&xdev->kref); +- + if (filp->f_mode & FMODE_READ) + chan->open_for_read = 1; + +@@ -1410,6 +1423,7 @@ unopen: + return rc; + + unmutex_fail: ++ kref_put(&xdev->kref, cleanup_dev); + mutex_unlock(&chan->lock); + return rc; + } +@@ -2244,7 +2258,9 @@ static void xillyusb_disconnect(struct u + + xdev->dev = NULL; + ++ mutex_lock(&kref_mutex); + kref_put(&xdev->kref, cleanup_dev); ++ mutex_unlock(&kref_mutex); + } + + static struct usb_driver xillyusb_driver = { diff --git a/queue-6.1/drm-amd-check-num-of-link-levels-when-update-pcie-param.patch b/queue-6.1/drm-amd-check-num-of-link-levels-when-update-pcie-param.patch new file mode 100644 index 00000000000..acbe2840094 --- /dev/null +++ b/queue-6.1/drm-amd-check-num-of-link-levels-when-update-pcie-param.patch @@ -0,0 +1,34 @@ +From 406e8845356d18bdf3d3a23b347faf67706472ec Mon Sep 17 00:00:00 2001 +From: "Lin.Cao" +Date: Wed, 25 Oct 2023 11:32:41 +0800 +Subject: drm/amd: check num of link levels when update pcie param + +From: Lin.Cao + +commit 406e8845356d18bdf3d3a23b347faf67706472ec upstream. + +In SR-IOV environment, the value of pcie_table->num_of_link_levels will +be 0, and num_of_levels - 1 will cause array index out of bounds + +Signed-off-by: Lin.Cao +Acked-by: Jingwen Chen +Signed-off-by: Alex Deucher +[ Resolve minor conflicts to fix CVE-2023-52812 ] +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c +@@ -2498,6 +2498,9 @@ int smu_v13_0_update_pcie_parameters(str + uint32_t smu_pcie_arg; + int ret, i; + ++ if (!num_of_levels) ++ return 0; ++ + if (!amdgpu_device_pcie_dynamic_switching_supported()) { + if (pcie_table->pcie_gen[num_of_levels - 1] < pcie_gen_cap) + pcie_gen_cap = pcie_table->pcie_gen[num_of_levels - 1]; diff --git a/queue-6.1/null_blk-fix-null-ptr-dereference-while-configuring-power-and-submit_queues.patch b/queue-6.1/null_blk-fix-null-ptr-dereference-while-configuring-power-and-submit_queues.patch new file mode 100644 index 00000000000..a7f441e190b --- /dev/null +++ b/queue-6.1/null_blk-fix-null-ptr-dereference-while-configuring-power-and-submit_queues.patch @@ -0,0 +1,172 @@ +From a2db328b0839312c169eb42746ec46fc1ab53ed2 Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Thu, 23 May 2024 23:39:34 +0800 +Subject: null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' + +From: Yu Kuai + +commit a2db328b0839312c169eb42746ec46fc1ab53ed2 upstream. + +Writing 'power' and 'submit_queues' concurrently will trigger kernel +panic: + +Test script: + +modprobe null_blk nr_devices=0 +mkdir -p /sys/kernel/config/nullb/nullb0 +while true; do echo 1 > submit_queues; echo 4 > submit_queues; done & +while true; do echo 1 > power; echo 0 > power; done + +Test result: + +BUG: kernel NULL pointer dereference, address: 0000000000000148 +Oops: 0000 [#1] PREEMPT SMP +RIP: 0010:__lock_acquire+0x41d/0x28f0 +Call Trace: + + lock_acquire+0x121/0x450 + down_write+0x5f/0x1d0 + simple_recursive_removal+0x12f/0x5c0 + blk_mq_debugfs_unregister_hctxs+0x7c/0x100 + blk_mq_update_nr_hw_queues+0x4a3/0x720 + nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] + nullb_device_submit_queues_store+0x79/0xf0 [null_blk] + configfs_write_iter+0x119/0x1e0 + vfs_write+0x326/0x730 + ksys_write+0x74/0x150 + +This is because del_gendisk() can concurrent with +blk_mq_update_nr_hw_queues(): + +nullb_device_power_store nullb_apply_submit_queues + null_del_dev + del_gendisk + nullb_update_nr_hw_queues + if (!dev->nullb) + // still set while gendisk is deleted + return 0 + blk_mq_update_nr_hw_queues + dev->nullb = NULL + +Fix this problem by resuing the global mutex to protect +nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs. + +Fixes: 45919fbfe1c4 ("null_blk: Enable modifying 'submit_queues' after an instance has been configured") +Reported-and-tested-by: Yi Zhang +Closes: https://lore.kernel.org/all/CAHj4cs9LgsHLnjg8z06LQ3Pr5cax-+Ps+xT7AP7TPnEjStuwZA@mail.gmail.com/ +Signed-off-by: Yu Kuai +Reviewed-by: Zhu Yanjun +Link: https://lore.kernel.org/r/20240523153934.1937851-1-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/null_blk/main.c | 40 ++++++++++++++++++++++++++-------------- + 1 file changed, 26 insertions(+), 14 deletions(-) + +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -392,13 +392,25 @@ static int nullb_update_nr_hw_queues(str + static int nullb_apply_submit_queues(struct nullb_device *dev, + unsigned int submit_queues) + { +- return nullb_update_nr_hw_queues(dev, submit_queues, dev->poll_queues); ++ int ret; ++ ++ mutex_lock(&lock); ++ ret = nullb_update_nr_hw_queues(dev, submit_queues, dev->poll_queues); ++ mutex_unlock(&lock); ++ ++ return ret; + } + + static int nullb_apply_poll_queues(struct nullb_device *dev, + unsigned int poll_queues) + { +- return nullb_update_nr_hw_queues(dev, dev->submit_queues, poll_queues); ++ int ret; ++ ++ mutex_lock(&lock); ++ ret = nullb_update_nr_hw_queues(dev, dev->submit_queues, poll_queues); ++ mutex_unlock(&lock); ++ ++ return ret; + } + + NULLB_DEVICE_ATTR(size, ulong, NULL); +@@ -444,28 +456,31 @@ static ssize_t nullb_device_power_store( + if (ret < 0) + return ret; + ++ ret = count; ++ mutex_lock(&lock); + if (!dev->power && newp) { + if (test_and_set_bit(NULLB_DEV_FL_UP, &dev->flags)) +- return count; ++ goto out; ++ + ret = null_add_dev(dev); + if (ret) { + clear_bit(NULLB_DEV_FL_UP, &dev->flags); +- return ret; ++ goto out; + } + + set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags); + dev->power = newp; + } else if (dev->power && !newp) { + if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) { +- mutex_lock(&lock); + dev->power = newp; + null_del_dev(dev->nullb); +- mutex_unlock(&lock); + } + clear_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags); + } + +- return count; ++out: ++ mutex_unlock(&lock); ++ return ret; + } + + CONFIGFS_ATTR(nullb_device_, power); +@@ -2102,15 +2117,12 @@ static int null_add_dev(struct nullb_dev + blk_queue_flag_set(QUEUE_FLAG_NONROT, nullb->q); + blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, nullb->q); + +- mutex_lock(&lock); + rv = ida_alloc(&nullb_indexes, GFP_KERNEL); +- if (rv < 0) { +- mutex_unlock(&lock); ++ if (rv < 0) + goto out_cleanup_zone; +- } ++ + nullb->index = rv; + dev->index = rv; +- mutex_unlock(&lock); + + blk_queue_logical_block_size(nullb->q, dev->blocksize); + blk_queue_physical_block_size(nullb->q, dev->blocksize); +@@ -2134,9 +2146,7 @@ static int null_add_dev(struct nullb_dev + if (rv) + goto out_ida_free; + +- mutex_lock(&lock); + list_add_tail(&nullb->list, &nullb_list); +- mutex_unlock(&lock); + + pr_info("disk %s created\n", nullb->disk_name); + +@@ -2185,7 +2195,9 @@ static int null_create_dev(void) + if (!dev) + return -ENOMEM; + ++ mutex_lock(&lock); + ret = null_add_dev(dev); ++ mutex_unlock(&lock); + if (ret) { + null_free_dev(dev); + return ret; diff --git a/queue-6.1/null_blk-fix-return-value-of-nullb_device_power_store.patch b/queue-6.1/null_blk-fix-return-value-of-nullb_device_power_store.patch new file mode 100644 index 00000000000..de4030d8d84 --- /dev/null +++ b/queue-6.1/null_blk-fix-return-value-of-nullb_device_power_store.patch @@ -0,0 +1,37 @@ +From d9ff882b54f99f96787fa3df7cd938966843c418 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Mon, 27 May 2024 13:34:45 +0900 +Subject: null_blk: Fix return value of nullb_device_power_store() + +From: Damien Le Moal + +commit d9ff882b54f99f96787fa3df7cd938966843c418 upstream. + +When powering on a null_blk device that is not already on, the return +value ret that is initialized to be count is reused to check the return +value of null_add_dev(), leading to nullb_device_power_store() to return +null_add_dev() return value (0 on success) instead of "count". +So make sure to set ret to be equal to count when there are no errors. + +Fixes: a2db328b0839 ("null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'") +Signed-off-by: Damien Le Moal +Reviewed-by: Yu Kuai +Reviewed-by: Kanchan Joshi +Link: https://lore.kernel.org/r/20240527043445.235267-1-dlemoal@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/null_blk/main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -470,6 +470,7 @@ static ssize_t nullb_device_power_store( + + set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags); + dev->power = newp; ++ ret = count; + } else if (dev->power && !newp) { + if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) { + dev->power = newp; diff --git a/queue-6.1/null_blk-remove-usage-of-the-deprecated-ida_simple_xx-api.patch b/queue-6.1/null_blk-remove-usage-of-the-deprecated-ida_simple_xx-api.patch new file mode 100644 index 00000000000..deb64486ab8 --- /dev/null +++ b/queue-6.1/null_blk-remove-usage-of-the-deprecated-ida_simple_xx-api.patch @@ -0,0 +1,43 @@ +From 95931a245b44ee04f3359ec432e73614d44d8b38 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sun, 14 Jan 2024 10:00:59 +0100 +Subject: null_blk: Remove usage of the deprecated ida_simple_xx() API + +From: Christophe JAILLET + +commit 95931a245b44ee04f3359ec432e73614d44d8b38 upstream. + +ida_alloc() and ida_free() should be preferred to the deprecated +ida_simple_get() and ida_simple_remove(). + +This is less verbose. + +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/bf257b1078475a415cdc3344c6a750842946e367.1705222845.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Jens Axboe +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/null_blk/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -1764,7 +1764,7 @@ static void null_del_dev(struct nullb *n + + dev = nullb->dev; + +- ida_simple_remove(&nullb_indexes, nullb->index); ++ ida_free(&nullb_indexes, nullb->index); + + list_del_init(&nullb->list); + +@@ -2103,7 +2103,7 @@ static int null_add_dev(struct nullb_dev + blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, nullb->q); + + mutex_lock(&lock); +- rv = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL); ++ rv = ida_alloc(&nullb_indexes, GFP_KERNEL); + if (rv < 0) { + mutex_unlock(&lock); + goto out_cleanup_zone; diff --git a/queue-6.1/parisc-fix-a-possible-dma-corruption.patch b/queue-6.1/parisc-fix-a-possible-dma-corruption.patch new file mode 100644 index 00000000000..fc186ffca39 --- /dev/null +++ b/queue-6.1/parisc-fix-a-possible-dma-corruption.patch @@ -0,0 +1,63 @@ +From 7ae04ba36b381bffe2471eff3a93edced843240f Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sat, 27 Jul 2024 20:22:52 +0200 +Subject: parisc: fix a possible DMA corruption + +From: Mikulas Patocka + +commit 7ae04ba36b381bffe2471eff3a93edced843240f upstream. + +ARCH_DMA_MINALIGN was defined as 16 - this is too small - it may be +possible that two unrelated 16-byte allocations share a cache line. If +one of these allocations is written using DMA and the other is written +using cached write, the value that was written with DMA may be +corrupted. + +This commit changes ARCH_DMA_MINALIGN to be 128 on PA20 and 32 on PA1.1 - +that's the largest possible cache line size. + +As different parisc microarchitectures have different cache line size, we +define arch_slab_minalign(), cache_line_size() and +dma_get_cache_alignment() so that the kernel may tune slab cache +parameters dynamically, based on the detected cache line size. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/Kconfig | 1 + + arch/parisc/include/asm/cache.h | 11 ++++++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/arch/parisc/Kconfig ++++ b/arch/parisc/Kconfig +@@ -18,6 +18,7 @@ config PARISC + select ARCH_SUPPORTS_HUGETLBFS if PA20 + select ARCH_SUPPORTS_MEMORY_FAILURE + select ARCH_STACKWALK ++ select ARCH_HAS_CACHE_LINE_SIZE + select ARCH_HAS_DEBUG_VM_PGTABLE + select HAVE_RELIABLE_STACKTRACE + select DMA_OPS +--- a/arch/parisc/include/asm/cache.h ++++ b/arch/parisc/include/asm/cache.h +@@ -20,7 +20,16 @@ + + #define SMP_CACHE_BYTES L1_CACHE_BYTES + +-#define ARCH_DMA_MINALIGN L1_CACHE_BYTES ++#ifdef CONFIG_PA20 ++#define ARCH_DMA_MINALIGN 128 ++#else ++#define ARCH_DMA_MINALIGN 32 ++#endif ++#define ARCH_KMALLOC_MINALIGN 16 /* ldcw requires 16-byte alignment */ ++ ++#define arch_slab_minalign() ((unsigned)dcache_stride) ++#define cache_line_size() dcache_stride ++#define dma_get_cache_alignment cache_line_size + + #define __read_mostly __section(".data..read_mostly") + diff --git a/queue-6.1/series b/queue-6.1/series index 38a12565b83..6f3cc6ba76b 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -63,3 +63,9 @@ mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch mm-unconditionally-close-vmas-on-error.patch mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling.patch mm-resolve-faulty-mmap_region-error-path-behaviour.patch +drm-amd-check-num-of-link-levels-when-update-pcie-param.patch +char-xillybus-prevent-use-after-free-due-to-race-condition.patch +null_blk-remove-usage-of-the-deprecated-ida_simple_xx-api.patch +null_blk-fix-null-ptr-dereference-while-configuring-power-and-submit_queues.patch +null_blk-fix-return-value-of-nullb_device_power_store.patch +parisc-fix-a-possible-dma-corruption.patch