From: Greg Kroah-Hartman Date: Mon, 23 Dec 2024 12:26:56 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.1.122~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba7543f4b3d09e9af6a89ea135c26f045b304577;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: ceph-validate-snapdirname-option-length-when-mounting.patch nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch nilfs2-fix-buffer-head-leaks-in-calls-to-truncate_inode_pages.patch nilfs2-prevent-use-of-deleted-inode.patch of-fix-error-path-in-of_parse_phandle_with_args_map.patch of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch of-irq-fix-interrupt-map-cell-length-check-in-of_irq_parse_imap_parent.patch of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch udmabuf-also-check-for-f_seal_future_write.patch --- diff --git a/queue-6.1/ceph-validate-snapdirname-option-length-when-mounting.patch b/queue-6.1/ceph-validate-snapdirname-option-length-when-mounting.patch new file mode 100644 index 00000000000..ce9b4f2e6f1 --- /dev/null +++ b/queue-6.1/ceph-validate-snapdirname-option-length-when-mounting.patch @@ -0,0 +1,33 @@ +From 12eb22a5a609421b380c3c6ca887474fb2089b2c Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Wed, 20 Nov 2024 16:43:51 +0100 +Subject: ceph: validate snapdirname option length when mounting + +From: Ilya Dryomov + +commit 12eb22a5a609421b380c3c6ca887474fb2089b2c upstream. + +It becomes a path component, so it shouldn't exceed NAME_MAX +characters. This was hardened in commit c152737be22b ("ceph: Use +strscpy() instead of strcpy() in __get_snap_name()"), but no actual +check was put in place. + +Cc: stable@vger.kernel.org +Signed-off-by: Ilya Dryomov +Reviewed-by: Alex Markuze +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -420,6 +420,8 @@ static int ceph_parse_mount_param(struct + + switch (token) { + case Opt_snapdirname: ++ if (strlen(param->string) > NAME_MAX) ++ return invalfc(fc, "snapdirname too long"); + kfree(fsopt->snapdir_name); + fsopt->snapdir_name = param->string; + param->string = NULL; diff --git a/queue-6.1/nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch b/queue-6.1/nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch new file mode 100644 index 00000000000..729b1eea665 --- /dev/null +++ b/queue-6.1/nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch @@ -0,0 +1,35 @@ +From 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 16 Dec 2024 19:28:06 -0500 +Subject: NFS/pnfs: Fix a live lock between recalled layouts and layoutget + +From: Trond Myklebust + +commit 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b upstream. + +When the server is recalling a layout, we should ignore the count of +outstanding layoutget calls, since the server is expected to return +either NFS4ERR_RECALLCONFLICT or NFS4ERR_RETURNCONFLICT for as long as +the recall is outstanding. +Currently, we may end up livelocking, causing the layout to eventually +be forcibly revoked. + +Fixes: bf0291dd2267 ("pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised") +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/pnfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1196,7 +1196,7 @@ pnfs_prepare_layoutreturn(struct pnfs_la + enum pnfs_iomode *iomode) + { + /* Serialise LAYOUTGET/LAYOUTRETURN */ +- if (atomic_read(&lo->plh_outstanding) != 0) ++ if (atomic_read(&lo->plh_outstanding) != 0 && lo->plh_return_seq == 0) + return false; + if (test_and_set_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) + return false; diff --git a/queue-6.1/nilfs2-fix-buffer-head-leaks-in-calls-to-truncate_inode_pages.patch b/queue-6.1/nilfs2-fix-buffer-head-leaks-in-calls-to-truncate_inode_pages.patch new file mode 100644 index 00000000000..6ef1cd0513b --- /dev/null +++ b/queue-6.1/nilfs2-fix-buffer-head-leaks-in-calls-to-truncate_inode_pages.patch @@ -0,0 +1,99 @@ +From 6309b8ce98e9a18390b9fd8f03fc412f3c17aee9 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 13 Dec 2024 01:43:28 +0900 +Subject: nilfs2: fix buffer head leaks in calls to truncate_inode_pages() + +From: Ryusuke Konishi + +commit 6309b8ce98e9a18390b9fd8f03fc412f3c17aee9 upstream. + +When block_invalidatepage was converted to block_invalidate_folio, the +fallback to block_invalidatepage in folio_invalidate() if the +address_space_operations method invalidatepage (currently +invalidate_folio) was not set, was removed. + +Unfortunately, some pseudo-inodes in nilfs2 use empty_aops set by +inode_init_always_gfp() as is, or explicitly set it to +address_space_operations. Therefore, with this change, +block_invalidatepage() is no longer called from folio_invalidate(), and as +a result, the buffer_head structures attached to these pages/folios are no +longer freed via try_to_free_buffers(). + +Thus, these buffer heads are now leaked by truncate_inode_pages(), which +cleans up the page cache from inode evict(), etc. + +Three types of caches use empty_aops: gc inode caches and the DAT shadow +inode used by GC, and b-tree node caches. Of these, b-tree node caches +explicitly call invalidate_mapping_pages() during cleanup, which involves +calling try_to_free_buffers(), so the leak was not visible during normal +operation but worsened when GC was performed. + +Fix this issue by using address_space_operations with invalidate_folio set +to block_invalidate_folio instead of empty_aops, which will ensure the +same behavior as before. + +Link: https://lkml.kernel.org/r/20241212164556.21338-1-konishi.ryusuke@gmail.com +Fixes: 7ba13abbd31e ("fs: Turn block_invalidatepage into block_invalidate_folio") +Signed-off-by: Ryusuke Konishi +Cc: [5.18+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/btnode.c | 1 + + fs/nilfs2/gcinode.c | 2 +- + fs/nilfs2/inode.c | 5 +++++ + fs/nilfs2/nilfs.h | 1 + + 4 files changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/btnode.c ++++ b/fs/nilfs2/btnode.c +@@ -35,6 +35,7 @@ void nilfs_init_btnc_inode(struct inode + ii->i_flags = 0; + memset(&ii->i_bmap_data, 0, sizeof(struct nilfs_bmap)); + mapping_set_gfp_mask(btnc_inode->i_mapping, GFP_NOFS); ++ btnc_inode->i_mapping->a_ops = &nilfs_buffer_cache_aops; + } + + void nilfs_btnode_cache_clear(struct address_space *btnc) +--- a/fs/nilfs2/gcinode.c ++++ b/fs/nilfs2/gcinode.c +@@ -163,7 +163,7 @@ int nilfs_init_gcinode(struct inode *ino + + inode->i_mode = S_IFREG; + mapping_set_gfp_mask(inode->i_mapping, GFP_NOFS); +- inode->i_mapping->a_ops = &empty_aops; ++ inode->i_mapping->a_ops = &nilfs_buffer_cache_aops; + + ii->i_flags = 0; + nilfs_bmap_init_gc(ii->i_bmap); +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -309,6 +309,10 @@ const struct address_space_operations ni + .is_partially_uptodate = block_is_partially_uptodate, + }; + ++const struct address_space_operations nilfs_buffer_cache_aops = { ++ .invalidate_folio = block_invalidate_folio, ++}; ++ + static int nilfs_insert_inode_locked(struct inode *inode, + struct nilfs_root *root, + unsigned long ino) +@@ -748,6 +752,7 @@ struct inode *nilfs_iget_for_shadow(stru + NILFS_I(s_inode)->i_flags = 0; + memset(NILFS_I(s_inode)->i_bmap, 0, sizeof(struct nilfs_bmap)); + mapping_set_gfp_mask(s_inode->i_mapping, GFP_NOFS); ++ s_inode->i_mapping->a_ops = &nilfs_buffer_cache_aops; + + err = nilfs_attach_btree_node_cache(s_inode); + if (unlikely(err)) { +--- a/fs/nilfs2/nilfs.h ++++ b/fs/nilfs2/nilfs.h +@@ -379,6 +379,7 @@ extern const struct file_operations nilf + extern const struct inode_operations nilfs_file_inode_operations; + extern const struct file_operations nilfs_file_operations; + extern const struct address_space_operations nilfs_aops; ++extern const struct address_space_operations nilfs_buffer_cache_aops; + extern const struct inode_operations nilfs_dir_inode_operations; + extern const struct inode_operations nilfs_special_inode_operations; + extern const struct inode_operations nilfs_symlink_inode_operations; diff --git a/queue-6.1/nilfs2-prevent-use-of-deleted-inode.patch b/queue-6.1/nilfs2-prevent-use-of-deleted-inode.patch new file mode 100644 index 00000000000..5b64b2dc437 --- /dev/null +++ b/queue-6.1/nilfs2-prevent-use-of-deleted-inode.patch @@ -0,0 +1,84 @@ +From 901ce9705fbb9f330ff1f19600e5daf9770b0175 Mon Sep 17 00:00:00 2001 +From: Edward Adam Davis +Date: Mon, 9 Dec 2024 15:56:52 +0900 +Subject: nilfs2: prevent use of deleted inode + +From: Edward Adam Davis + +commit 901ce9705fbb9f330ff1f19600e5daf9770b0175 upstream. + +syzbot reported a WARNING in nilfs_rmdir. [1] + +Because the inode bitmap is corrupted, an inode with an inode number that +should exist as a ".nilfs" file was reassigned by nilfs_mkdir for "file0", +causing an inode duplication during execution. And this causes an +underflow of i_nlink in rmdir operations. + +The inode is used twice by the same task to unmount and remove directories +".nilfs" and "file0", it trigger warning in nilfs_rmdir. + +Avoid to this issue, check i_nlink in nilfs_iget(), if it is 0, it means +that this inode has been deleted, and iput is executed to reclaim it. + +[1] +WARNING: CPU: 1 PID: 5824 at fs/inode.c:407 drop_nlink+0xc4/0x110 fs/inode.c:407 +... +Call Trace: + + nilfs_rmdir+0x1b0/0x250 fs/nilfs2/namei.c:342 + vfs_rmdir+0x3a3/0x510 fs/namei.c:4394 + do_rmdir+0x3b5/0x580 fs/namei.c:4453 + __do_sys_rmdir fs/namei.c:4472 [inline] + __se_sys_rmdir fs/namei.c:4470 [inline] + __x64_sys_rmdir+0x47/0x50 fs/namei.c:4470 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Link: https://lkml.kernel.org/r/20241209065759.6781-1-konishi.ryusuke@gmail.com +Fixes: d25006523d0b ("nilfs2: pathname operations") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=9260555647a5132edd48 +Tested-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/inode.c | 8 +++++++- + fs/nilfs2/namei.c | 5 +++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -618,8 +618,14 @@ struct inode *nilfs_iget(struct super_bl + inode = nilfs_iget_locked(sb, root, ino); + if (unlikely(!inode)) + return ERR_PTR(-ENOMEM); +- if (!(inode->i_state & I_NEW)) ++ ++ if (!(inode->i_state & I_NEW)) { ++ if (!inode->i_nlink) { ++ iput(inode); ++ return ERR_PTR(-ESTALE); ++ } + return inode; ++ } + + err = __nilfs_read_inode(sb, root, ino, inode); + if (unlikely(err)) { +--- a/fs/nilfs2/namei.c ++++ b/fs/nilfs2/namei.c +@@ -67,6 +67,11 @@ nilfs_lookup(struct inode *dir, struct d + inode = NULL; + } else { + inode = nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino); ++ if (inode == ERR_PTR(-ESTALE)) { ++ nilfs_error(dir->i_sb, ++ "deleted inode referenced: %lu", ino); ++ return ERR_PTR(-EIO); ++ } + } + + return d_splice_alias(inode, dentry); diff --git a/queue-6.1/of-fix-error-path-in-of_parse_phandle_with_args_map.patch b/queue-6.1/of-fix-error-path-in-of_parse_phandle_with_args_map.patch new file mode 100644 index 00000000000..e59853a9a94 --- /dev/null +++ b/queue-6.1/of-fix-error-path-in-of_parse_phandle_with_args_map.patch @@ -0,0 +1,72 @@ +From d7dfa7fde63dde4d2ec0083133efe2c6686c03ff Mon Sep 17 00:00:00 2001 +From: Herve Codina +Date: Mon, 2 Dec 2024 17:58:19 +0100 +Subject: of: Fix error path in of_parse_phandle_with_args_map() + +From: Herve Codina + +commit d7dfa7fde63dde4d2ec0083133efe2c6686c03ff upstream. + +The current code uses some 'goto put;' to cancel the parsing operation +and can lead to a return code value of 0 even on error cases. + +Indeed, some goto calls are done from a loop without setting the ret +value explicitly before the goto call and so the ret value can be set to +0 due to operation done in previous loop iteration. For instance match +can be set to 0 in the previous loop iteration (leading to a new +iteration) but ret can also be set to 0 it the of_property_read_u32() +call succeed. In that case if no match are found or if an error is +detected the new iteration, the return value can be wrongly 0. + +Avoid those cases setting the ret value explicitly before the goto +calls. + +Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node") +Cc: stable@vger.kernel.org +Signed-off-by: Herve Codina +Link: https://lore.kernel.org/r/20241202165819.158681-1-herve.codina@bootlin.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/base.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -1597,8 +1597,10 @@ int of_parse_phandle_with_args_map(const + map_len--; + + /* Check if not found */ +- if (!new) ++ if (!new) { ++ ret = -EINVAL; + goto put; ++ } + + if (!of_device_is_available(new)) + match = 0; +@@ -1608,17 +1610,20 @@ int of_parse_phandle_with_args_map(const + goto put; + + /* Check for malformed properties */ +- if (WARN_ON(new_size > MAX_PHANDLE_ARGS)) +- goto put; +- if (map_len < new_size) ++ if (WARN_ON(new_size > MAX_PHANDLE_ARGS) || ++ map_len < new_size) { ++ ret = -EINVAL; + goto put; ++ } + + /* Move forward by new node's #-cells amount */ + map += new_size; + map_len -= new_size; + } +- if (!match) ++ if (!match) { ++ ret = -ENOENT; + goto put; ++ } + + /* Get the -map-pass-thru property (optional) */ + pass = of_get_property(cur, pass_name, NULL); diff --git a/queue-6.1/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch b/queue-6.1/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch new file mode 100644 index 00000000000..fac9fa5cb2a --- /dev/null +++ b/queue-6.1/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch @@ -0,0 +1,36 @@ +From 5d009e024056ded20c5bb1583146b833b23bbd5a Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Fri, 6 Dec 2024 08:52:30 +0800 +Subject: of: Fix refcount leakage for OF node returned by __of_get_dma_parent() + +From: Zijun Hu + +commit 5d009e024056ded20c5bb1583146b833b23bbd5a upstream. + +__of_get_dma_parent() returns OF device node @args.np, but the node's +refcount is increased twice, by both of_parse_phandle_with_args() and +of_node_get(), so causes refcount leakage for the node. + +Fix by directly returning the node got by of_parse_phandle_with_args(). + +Fixes: f83a6e5dea6c ("of: address: Add support for the parent DMA bus") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20241206-of_core_fix-v1-4-dc28ed56bec3@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/address.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/of/address.c ++++ b/drivers/of/address.c +@@ -595,7 +595,7 @@ struct device_node *__of_get_dma_parent( + if (ret < 0) + return of_get_parent(np); + +- return of_node_get(args.np); ++ return args.np; + } + #endif + diff --git a/queue-6.1/of-irq-fix-interrupt-map-cell-length-check-in-of_irq_parse_imap_parent.patch b/queue-6.1/of-irq-fix-interrupt-map-cell-length-check-in-of_irq_parse_imap_parent.patch new file mode 100644 index 00000000000..1137da21662 --- /dev/null +++ b/queue-6.1/of-irq-fix-interrupt-map-cell-length-check-in-of_irq_parse_imap_parent.patch @@ -0,0 +1,42 @@ +From fec3edc47d5cfc2dd296a5141df887bf567944db Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Mon, 9 Dec 2024 21:24:59 +0800 +Subject: of/irq: Fix interrupt-map cell length check in of_irq_parse_imap_parent() + +From: Zijun Hu + +commit fec3edc47d5cfc2dd296a5141df887bf567944db upstream. + +On a malformed interrupt-map property which is shorter than expected by +1 cell, we may read bogus data past the end of the property instead of +returning an error in of_irq_parse_imap_parent(). + +Decrement the remaining length when skipping over the interrupt parent +phandle cell. + +Fixes: 935df1bd40d4 ("of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-1-782f1419c8a1@quicinc.com +[rh: reword commit msg] +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/of/irq.c b/drivers/of/irq.c +index 67fc0ceaa5f5..43cf60479b9e 100644 +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -111,6 +111,7 @@ const __be32 *of_irq_parse_imap_parent(const __be32 *imap, int len, struct of_ph + else + np = of_find_node_by_phandle(be32_to_cpup(imap)); + imap++; ++ len--; + + /* Check if not found */ + if (!np) { +-- +2.47.1 + diff --git a/queue-6.1/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch b/queue-6.1/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch new file mode 100644 index 00000000000..f22d0de00ff --- /dev/null +++ b/queue-6.1/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch @@ -0,0 +1,47 @@ +From 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Mon, 9 Dec 2024 21:25:02 +0800 +Subject: of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one() + +From: Zijun Hu + +commit 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e upstream. + +of_irq_parse_one() may use uninitialized variable @addr_len as shown below: + +// @addr_len is uninitialized +int addr_len; + +// This operation does not touch @addr_len if it fails. +addr = of_get_property(device, "reg", &addr_len); + +// Use uninitialized @addr_len if the operation fails. +if (addr_len > sizeof(addr_buf)) + addr_len = sizeof(addr_buf); + +// Check the operation result here. +if (addr) + memcpy(addr_buf, addr, addr_len); + +Fix by initializing @addr_len before the operation. + +Fixes: b739dffa5d57 ("of/irq: Prevent device address out-of-bounds read in interrupt map walk") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-4-782f1419c8a1@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -355,6 +355,7 @@ int of_irq_parse_one(struct device_node + return of_irq_parse_oldworld(device, index, out_irq); + + /* Get the reg property (if any) */ ++ addr_len = 0; + addr = of_get_property(device, "reg", &addr_len); + + /* Prevent out-of-bounds read in case of longer interrupt parent address size */ diff --git a/queue-6.1/series b/queue-6.1/series index 258bfbf38ab..272e3db223d 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -65,3 +65,12 @@ tracing-add-s-check-in-test_event_printk.patch selftests-bpf-use-asm-constraint-m-for-loongarch.patch io_uring-fix-registered-ring-file-refcount-leak.patch io_uring-check-if-iowq-is-killed-before-queuing.patch +nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch +of-irq-fix-interrupt-map-cell-length-check-in-of_irq_parse_imap_parent.patch +of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch +nilfs2-fix-buffer-head-leaks-in-calls-to-truncate_inode_pages.patch +nilfs2-prevent-use-of-deleted-inode.patch +udmabuf-also-check-for-f_seal_future_write.patch +of-fix-error-path-in-of_parse_phandle_with_args_map.patch +of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch +ceph-validate-snapdirname-option-length-when-mounting.patch diff --git a/queue-6.1/udmabuf-also-check-for-f_seal_future_write.patch b/queue-6.1/udmabuf-also-check-for-f_seal_future_write.patch new file mode 100644 index 00000000000..3aab38dd6d7 --- /dev/null +++ b/queue-6.1/udmabuf-also-check-for-f_seal_future_write.patch @@ -0,0 +1,36 @@ +From 0a16e24e34f28210f68195259456c73462518597 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 4 Dec 2024 17:26:20 +0100 +Subject: udmabuf: also check for F_SEAL_FUTURE_WRITE + +From: Jann Horn + +commit 0a16e24e34f28210f68195259456c73462518597 upstream. + +When F_SEAL_FUTURE_WRITE was introduced, it was overlooked that udmabuf +must reject memfds with this flag, just like ones with F_SEAL_WRITE. +Fix it by adding F_SEAL_FUTURE_WRITE to SEALS_DENIED. + +Fixes: ab3948f58ff8 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd") +Cc: stable@vger.kernel.org +Acked-by: Vivek Kasireddy +Signed-off-by: Jann Horn +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Vivek Kasireddy +Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-2-23887289de1c@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/udmabuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma-buf/udmabuf.c ++++ b/drivers/dma-buf/udmabuf.c +@@ -164,7 +164,7 @@ static const struct dma_buf_ops udmabuf_ + }; + + #define SEALS_WANTED (F_SEAL_SHRINK) +-#define SEALS_DENIED (F_SEAL_WRITE) ++#define SEALS_DENIED (F_SEAL_WRITE|F_SEAL_FUTURE_WRITE) + + static long udmabuf_create(struct miscdevice *device, + struct udmabuf_create_list *head,