From: Greg Kroah-Hartman Date: Tue, 7 Feb 2023 09:20:45 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.15.93~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b6291fad3ea795998c8bdd6af3497277e66d6c4a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: drm-i915-fix-potential-bit_17-double-free.patch fpga-stratix10-soc-fix-return-value-check-in-s10_ops_write_init.patch mm-swapfile-add-cond_resched-in-get_swap_pages.patch squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch --- diff --git a/queue-5.10/drm-i915-fix-potential-bit_17-double-free.patch b/queue-5.10/drm-i915-fix-potential-bit_17-double-free.patch new file mode 100644 index 00000000000..35c8176efe8 --- /dev/null +++ b/queue-5.10/drm-i915-fix-potential-bit_17-double-free.patch @@ -0,0 +1,54 @@ +From 7057a8f126f14f14b040faecfa220fd27c6c2f85 Mon Sep 17 00:00:00 2001 +From: Rob Clark +Date: Fri, 27 Jan 2023 12:05:31 -0800 +Subject: drm/i915: Fix potential bit_17 double-free + +From: Rob Clark + +commit 7057a8f126f14f14b040faecfa220fd27c6c2f85 upstream. + +A userspace with multiple threads racing I915_GEM_SET_TILING to set the +tiling to I915_TILING_NONE could trigger a double free of the bit_17 +bitmask. (Or conversely leak memory on the transition to tiled.) Move +allocation/free'ing of the bitmask within the section protected by the +obj lock. + +Signed-off-by: Rob Clark +Fixes: 2850748ef876 ("drm/i915: Pull i915_vma_pin under the vm->mutex") +Cc: # v5.5+ +[tursulin: Correct fixes tag and added cc stable.] +Reviewed-by: Tvrtko Ursulin +Signed-off-by: Tvrtko Ursulin +Link: https://patchwork.freedesktop.org/patch/msgid/20230127200550.3531984-1-robdclark@gmail.com +(cherry picked from commit 10e0cbaaf1104f449d695c80bcacf930dcd3c42e) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gem/i915_gem_tiling.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_tiling.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_tiling.c +@@ -296,10 +296,6 @@ i915_gem_object_set_tiling(struct drm_i9 + spin_unlock(&obj->vma.lock); + + obj->tiling_and_stride = tiling | stride; +- i915_gem_object_unlock(obj); +- +- /* Force the fence to be reacquired for GTT access */ +- i915_gem_object_release_mmap_gtt(obj); + + /* Try to preallocate memory required to save swizzling on put-pages */ + if (i915_gem_object_needs_bit17_swizzle(obj)) { +@@ -312,6 +308,11 @@ i915_gem_object_set_tiling(struct drm_i9 + obj->bit_17 = NULL; + } + ++ i915_gem_object_unlock(obj); ++ ++ /* Force the fence to be reacquired for GTT access */ ++ i915_gem_object_release_mmap_gtt(obj); ++ + return 0; + } + diff --git a/queue-5.10/fpga-stratix10-soc-fix-return-value-check-in-s10_ops_write_init.patch b/queue-5.10/fpga-stratix10-soc-fix-return-value-check-in-s10_ops_write_init.patch new file mode 100644 index 00000000000..3ae48364e1a --- /dev/null +++ b/queue-5.10/fpga-stratix10-soc-fix-return-value-check-in-s10_ops_write_init.patch @@ -0,0 +1,39 @@ +From 65ea840afd508194b0ee903256162aa87e46ec30 Mon Sep 17 00:00:00 2001 +From: Zheng Yongjun +Date: Sat, 26 Nov 2022 07:14:30 +0000 +Subject: fpga: stratix10-soc: Fix return value check in s10_ops_write_init() + +From: Zheng Yongjun + +commit 65ea840afd508194b0ee903256162aa87e46ec30 upstream. + +In case of error, the function stratix10_svc_allocate_memory() +returns ERR_PTR() and never returns NULL. The NULL test in the +return value check should be replaced with IS_ERR(). + +Fixes: e7eef1d7633a ("fpga: add intel stratix10 soc fpga manager driver") +Signed-off-by: Zheng Yongjun +Reviewed-by: Russ Weight +Cc: stable@vger.kernel.org +Acked-by: Xu Yilun +Link: https://lore.kernel.org/r/20221126071430.19540-1-zhengyongjun3@huawei.com +Signed-off-by: Xu Yilun +Signed-off-by: Greg Kroah-Hartman +--- + drivers/fpga/stratix10-soc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/fpga/stratix10-soc.c ++++ b/drivers/fpga/stratix10-soc.c +@@ -213,9 +213,9 @@ static int s10_ops_write_init(struct fpg + /* Allocate buffers from the service layer's pool. */ + for (i = 0; i < NUM_SVC_BUFS; i++) { + kbuf = stratix10_svc_allocate_memory(priv->chan, SVC_BUF_SIZE); +- if (!kbuf) { ++ if (IS_ERR(kbuf)) { + s10_free_buffers(mgr); +- ret = -ENOMEM; ++ ret = PTR_ERR(kbuf); + goto init_done; + } + diff --git a/queue-5.10/mm-swapfile-add-cond_resched-in-get_swap_pages.patch b/queue-5.10/mm-swapfile-add-cond_resched-in-get_swap_pages.patch new file mode 100644 index 00000000000..cbbc420425b --- /dev/null +++ b/queue-5.10/mm-swapfile-add-cond_resched-in-get_swap_pages.patch @@ -0,0 +1,45 @@ +From 7717fc1a12f88701573f9ed897cc4f6699c661e3 Mon Sep 17 00:00:00 2001 +From: Longlong Xia +Date: Sat, 28 Jan 2023 09:47:57 +0000 +Subject: mm/swapfile: add cond_resched() in get_swap_pages() + +From: Longlong Xia + +commit 7717fc1a12f88701573f9ed897cc4f6699c661e3 upstream. + +The softlockup still occurs in get_swap_pages() under memory pressure. 64 +CPU cores, 64GB memory, and 28 zram devices, the disksize of each zram +device is 50MB with same priority as si. Use the stress-ng tool to +increase memory pressure, causing the system to oom frequently. + +The plist_for_each_entry_safe() loops in get_swap_pages() could reach tens +of thousands of times to find available space (extreme case: +cond_resched() is not called in scan_swap_map_slots()). Let's add +cond_resched() into get_swap_pages() when failed to find available space +to avoid softlockup. + +Link: https://lkml.kernel.org/r/20230128094757.1060525-1-xialonglong1@huawei.com +Signed-off-by: Longlong Xia +Reviewed-by: "Huang, Ying" +Cc: Chen Wandun +Cc: Huang Ying +Cc: Kefeng Wang +Cc: Nanyong Sun +Cc: Hugh Dickins +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/swapfile.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -1104,6 +1104,7 @@ start_over: + goto check_out; + pr_debug("scan_swap_map of si %d failed to find offset\n", + si->type); ++ cond_resched(); + + spin_lock(&swap_avail_lock); + nextsi: diff --git a/queue-5.10/series b/queue-5.10/series index 943f7256c1b..69e5acf19dd 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -73,3 +73,7 @@ parisc-wire-up-ptrace_getregs-ptrace_setregs-for-compat-case.patch riscv-disable-generation-of-unwind-tables.patch mm-hugetlb-proc-check-for-hugetlb-shared-pmd-in-proc-pid-smaps.patch x86-debug-fix-stack-recursion-caused-by-wrongly-ordered-dr7-accesses.patch +fpga-stratix10-soc-fix-return-value-check-in-s10_ops_write_init.patch +mm-swapfile-add-cond_resched-in-get_swap_pages.patch +squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch +drm-i915-fix-potential-bit_17-double-free.patch diff --git a/queue-5.10/squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch b/queue-5.10/squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch new file mode 100644 index 00000000000..f4121cc3f7e --- /dev/null +++ b/queue-5.10/squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch @@ -0,0 +1,143 @@ +From f65c4bbbd682b0877b669828b4e033b8d5d0a2dc Mon Sep 17 00:00:00 2001 +From: Phillip Lougher +Date: Fri, 27 Jan 2023 06:18:42 +0000 +Subject: Squashfs: fix handling and sanity checking of xattr_ids count + +From: Phillip Lougher + +commit f65c4bbbd682b0877b669828b4e033b8d5d0a2dc upstream. + +A Sysbot [1] corrupted filesystem exposes two flaws in the handling and +sanity checking of the xattr_ids count in the filesystem. Both of these +flaws cause computation overflow due to incorrect typing. + +In the corrupted filesystem the xattr_ids value is 4294967071, which +stored in a signed variable becomes the negative number -225. + +Flaw 1 (64-bit systems only): + +The signed integer xattr_ids variable causes sign extension. + +This causes variable overflow in the SQUASHFS_XATTR_*(A) macros. The +variable is first multiplied by sizeof(struct squashfs_xattr_id) where the +type of the sizeof operator is "unsigned long". + +On a 64-bit system this is 64-bits in size, and causes the negative number +to be sign extended and widened to 64-bits and then become unsigned. This +produces the very large number 18446744073709548016 or 2^64 - 3600. This +number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and +divided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0 +(stored in len). + +Flaw 2 (32-bit systems only): + +On a 32-bit system the integer variable is not widened by the unsigned +long type of the sizeof operator (32-bits), and the signedness of the +variable has no effect due it always being treated as unsigned. + +The above corrupted xattr_ids value of 4294967071, when multiplied +overflows and produces the number 4294963696 or 2^32 - 3400. This number +when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by +SQUASHFS_METADATA_SIZE overflows again and produces a length of 0. + +The effect of the 0 length computation: + +In conjunction with the corrupted xattr_ids field, the filesystem also has +a corrupted xattr_table_start value, where it matches the end of +filesystem value of 850. + +This causes the following sanity check code to fail because the +incorrectly computed len of 0 matches the incorrect size of the table +reported by the superblock (0 bytes). + + len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids); + indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids); + + /* + * The computed size of the index table (len bytes) should exactly + * match the table start and end points + */ + start = table_start + sizeof(*id_table); + end = msblk->bytes_used; + + if (len != (end - start)) + return ERR_PTR(-EINVAL); + +Changing the xattr_ids variable to be "usigned int" fixes the flaw on a +64-bit system. This relies on the fact the computation is widened by the +unsigned long type of the sizeof operator. + +Casting the variable to u64 in the above macro fixes this flaw on a 32-bit +system. + +It also means 64-bit systems do not implicitly rely on the type of the +sizeof operator to widen the computation. + +[1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/ + +Link: https://lkml.kernel.org/r/20230127061842.10965-1-phillip@squashfs.org.uk +Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup") +Signed-off-by: Phillip Lougher +Reported-by: +Cc: Alexey Khoroshilov +Cc: Fedor Pchelkin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/squashfs_fs.h | 2 +- + fs/squashfs/squashfs_fs_sb.h | 2 +- + fs/squashfs/xattr.h | 4 ++-- + fs/squashfs/xattr_id.c | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/squashfs/squashfs_fs.h ++++ b/fs/squashfs/squashfs_fs.h +@@ -183,7 +183,7 @@ static inline int squashfs_block_size(__ + #define SQUASHFS_ID_BLOCK_BYTES(A) (SQUASHFS_ID_BLOCKS(A) *\ + sizeof(u64)) + /* xattr id lookup table defines */ +-#define SQUASHFS_XATTR_BYTES(A) ((A) * sizeof(struct squashfs_xattr_id)) ++#define SQUASHFS_XATTR_BYTES(A) (((u64) (A)) * sizeof(struct squashfs_xattr_id)) + + #define SQUASHFS_XATTR_BLOCK(A) (SQUASHFS_XATTR_BYTES(A) / \ + SQUASHFS_METADATA_SIZE) +--- a/fs/squashfs/squashfs_fs_sb.h ++++ b/fs/squashfs/squashfs_fs_sb.h +@@ -63,7 +63,7 @@ struct squashfs_sb_info { + long long bytes_used; + unsigned int inodes; + unsigned int fragments; +- int xattr_ids; ++ unsigned int xattr_ids; + unsigned int ids; + }; + #endif +--- a/fs/squashfs/xattr.h ++++ b/fs/squashfs/xattr.h +@@ -10,12 +10,12 @@ + + #ifdef CONFIG_SQUASHFS_XATTR + extern __le64 *squashfs_read_xattr_id_table(struct super_block *, u64, +- u64 *, int *); ++ u64 *, unsigned int *); + extern int squashfs_xattr_lookup(struct super_block *, unsigned int, int *, + unsigned int *, unsigned long long *); + #else + static inline __le64 *squashfs_read_xattr_id_table(struct super_block *sb, +- u64 start, u64 *xattr_table_start, int *xattr_ids) ++ u64 start, u64 *xattr_table_start, unsigned int *xattr_ids) + { + struct squashfs_xattr_id_table *id_table; + +--- a/fs/squashfs/xattr_id.c ++++ b/fs/squashfs/xattr_id.c +@@ -56,7 +56,7 @@ int squashfs_xattr_lookup(struct super_b + * Read uncompressed xattr id lookup table indexes from disk into memory + */ + __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start, +- u64 *xattr_table_start, int *xattr_ids) ++ u64 *xattr_table_start, unsigned int *xattr_ids) + { + struct squashfs_sb_info *msblk = sb->s_fs_info; + unsigned int len, indexes;