From: Greg Kroah-Hartman Date: Sat, 9 Nov 2024 15:34:35 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.15.172~49 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cee8c7a2b16201d0cd462821fbc2d6e53fe6d59f;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: arm64-kconfig-make-sme-depend-on-broken-for-now.patch btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch mptcp-use-sock_kfree_s-instead-of-kfree.patch net-vertexcom-mse102x-fix-possible-double-free-of-tx-skb.patch net-wwan-t7xx-fix-off-by-one-error-in-t7xx_dpmaif_rx_buf_alloc.patch nfs-fix-kmsan-warning-in-decode_getfattr_attrs.patch --- diff --git a/queue-6.1/arm64-kconfig-make-sme-depend-on-broken-for-now.patch b/queue-6.1/arm64-kconfig-make-sme-depend-on-broken-for-now.patch new file mode 100644 index 00000000000..7e5208f13bd --- /dev/null +++ b/queue-6.1/arm64-kconfig-make-sme-depend-on-broken-for-now.patch 
@@ -0,0 +1,46 @@ +From 81235ae0c846e1fb46a2c6fe9283fe2b2b24f7dc Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Wed, 6 Nov 2024 16:42:20 +0000 +Subject: arm64: Kconfig: Make SME depend on BROKEN for now + +From: Mark Rutland + +commit 81235ae0c846e1fb46a2c6fe9283fe2b2b24f7dc upstream. + +Although support for SME was merged in v5.19, we've since uncovered a +number of issues with the implementation, including issues which might +corrupt the FPSIMD/SVE/SME state of arbitrary tasks. While there are +patches to address some of these issues, ongoing review has highlighted +additional functional problems, and more time is necessary to analyse +and fix these. + +For now, mark SME as BROKEN in the hope that we can fix things properly +in the near future. As SME is an OPTIONAL part of ARMv9.2+, and there is +very little extant hardware, this should not adversely affect the vast +majority of users. + +Signed-off-by: Mark Rutland +Cc: Ard Biesheuvel +Cc: Catalin Marinas +Cc: Marc Zyngier +Cc: Mark Brown +Cc: Will Deacon +Cc: stable@vger.kernel.org # 5.19 +Acked-by: Catalin Marinas +Link: https://lore.kernel.org/r/20241106164220.2789279-1-mark.rutland@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -2113,6 +2113,7 @@ config ARM64_SME + bool "ARM Scalable Matrix Extension support" + default y + depends on ARM64_SVE ++ depends on BROKEN + help + The Scalable Matrix Extension (SME) is an extension to the AArch64 + execution state which utilises a substantial subset of the SVE diff --git a/queue-6.1/btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch b/queue-6.1/btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch new file mode 100644 index 00000000000..aad3e64ee80 --- /dev/null +++ b/queue-6.1/btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch 
@@ -0,0 +1,50 @@ +From c9a75ec45f1111ef530ab186c2a7684d0a0c9245 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 4 Nov 2024 12:11:15 +0000 +Subject: btrfs: reinitialize delayed ref list after deleting it from the list + +From: Filipe Manana + +commit c9a75ec45f1111ef530ab186c2a7684d0a0c9245 upstream. + +At insert_delayed_ref() if we need to update the action of an existing +ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's +ref_add_list using list_del(), which leaves the ref's add_list member +not reinitialized, as list_del() sets the next and prev members of the +list to LIST_POISON1 and LIST_POISON2, respectively. + +If later we end up calling drop_delayed_ref() against the ref, which can +happen during merging or when destroying delayed refs due to a transaction +abort, we can trigger a crash since at drop_delayed_ref() we call +list_empty() against the ref's add_list, which returns false since +the list was not reinitialized after the list_del() and as a consequence +we call list_del() again at drop_delayed_ref(). This results in an +invalid list access since the next and prev members are set to poison +pointers, resulting in a splat if CONFIG_LIST_HARDENED and +CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences +otherwise. + +So fix this by deleting from the list with list_del_init() instead. 
+ +Fixes: 1d57ee941692 ("btrfs: improve delayed refs iterations") +CC: stable@vger.kernel.org # 4.19+ +Reviewed-by: Johannes Thumshirn +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/delayed-ref.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/delayed-ref.c ++++ b/fs/btrfs/delayed-ref.c +@@ -622,7 +622,7 @@ static int insert_delayed_ref(struct btr + &href->ref_add_list); + else if (ref->action == BTRFS_DROP_DELAYED_REF) { + ASSERT(!list_empty(&exist->add_list)); +- list_del(&exist->add_list); ++ list_del_init(&exist->add_list); + } else { + ASSERT(0); + } diff --git a/queue-6.1/mptcp-use-sock_kfree_s-instead-of-kfree.patch b/queue-6.1/mptcp-use-sock_kfree_s-instead-of-kfree.patch new file mode 100644 index 00000000000..4c9be451356 --- /dev/null +++ b/queue-6.1/mptcp-use-sock_kfree_s-instead-of-kfree.patch 
@@ -0,0 +1,46 @@ +From 99635c91fb8b860a6404b9bc8b769df7bdaa2ae3 Mon Sep 17 00:00:00 2001 +From: Geliang Tang +Date: Mon, 4 Nov 2024 13:31:42 +0100 +Subject: mptcp: use sock_kfree_s instead of kfree + +From: Geliang Tang + +commit 99635c91fb8b860a6404b9bc8b769df7bdaa2ae3 upstream. + +The local address entries on userspace_pm_local_addr_list are allocated +by sock_kmalloc(). + +It's then required to use sock_kfree_s() instead of kfree() to free +these entries in order to adjust the allocated size on the sk side. + +Fixes: 24430f8bf516 ("mptcp: add address into userspace pm list") +Cc: stable@vger.kernel.org +Signed-off-by: Geliang Tang +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20241104-net-mptcp-misc-6-12-v1-2-c13f2ff1656f@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_userspace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mptcp/pm_userspace.c ++++ b/net/mptcp/pm_userspace.c +@@ -89,6 +89,7 @@ static int mptcp_userspace_pm_delete_loc + struct mptcp_pm_addr_entry *addr) + { + struct mptcp_pm_addr_entry *entry, *tmp; ++ struct sock *sk = (struct sock *)msk; + + list_for_each_entry_safe(entry, tmp, &msk->pm.userspace_pm_local_addr_list, list) { + if (mptcp_addresses_equal(&entry->addr, &addr->addr, false)) { +@@ -96,7 +97,7 @@ static int mptcp_userspace_pm_delete_loc + * be used multiple times (e.g. fullmesh mode). + */ + list_del_rcu(&entry->list); +- kfree(entry); ++ sock_kfree_s(sk, entry, sizeof(*entry)); + msk->pm.local_addr_used--; + return 0; + } diff --git a/queue-6.1/net-vertexcom-mse102x-fix-possible-double-free-of-tx-skb.patch b/queue-6.1/net-vertexcom-mse102x-fix-possible-double-free-of-tx-skb.patch new file mode 100644 index 00000000000..18bb0002234 --- /dev/null +++ b/queue-6.1/net-vertexcom-mse102x-fix-possible-double-free-of-tx-skb.patch 
@@ -0,0 +1,82 @@ +From 1f26339b2ed63d1e8e18a18674fb73a392f3660e Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Tue, 5 Nov 2024 17:31:01 +0100 +Subject: net: vertexcom: mse102x: Fix possible double free of TX skb + +From: Stefan Wahren + +commit 1f26339b2ed63d1e8e18a18674fb73a392f3660e upstream. + +The scope of the TX skb is wider than just mse102x_tx_frame_spi(), +so in case the TX skb room needs to be expanded, we should free the +the temporary skb instead of the original skb. Otherwise the original +TX skb pointer would be freed again in mse102x_tx_work(), which leads +to crashes: + + Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP + CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G D 6.6.23 + Hardware name: chargebyte Charge SOM DC-ONE (DT) + Workqueue: events mse102x_tx_work [mse102x] + pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : skb_release_data+0xb8/0x1d8 + lr : skb_release_data+0x1ac/0x1d8 + sp : ffff8000819a3cc0 + x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0 + x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff + x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50 + x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc + x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000 + x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000 + x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8 + x8 : fffffc00001bc008 + x7 : 0000000000000000 x6 : 0000000000000008 + x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009 + x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000 + Call trace: + skb_release_data+0xb8/0x1d8 + kfree_skb_reason+0x48/0xb0 + mse102x_tx_work+0x164/0x35c [mse102x] + process_one_work+0x138/0x260 + worker_thread+0x32c/0x438 + kthread+0x118/0x11c + ret_from_fork+0x10/0x20 + Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660) + +Cc: stable@vger.kernel.org +Fixes: 2f207cbf0dd4 ("net: vertexcom: Add 
MSE102x SPI support") +Signed-off-by: Stefan Wahren +Link: https://patch.msgid.link/20241105163101.33216-1-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/vertexcom/mse102x.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/vertexcom/mse102x.c ++++ b/drivers/net/ethernet/vertexcom/mse102x.c +@@ -222,7 +222,7 @@ static int mse102x_tx_frame_spi(struct m + struct mse102x_net_spi *mses = to_mse102x_spi(mse); + struct spi_transfer *xfer = &mses->spi_xfer; + struct spi_message *msg = &mses->spi_msg; +- struct sk_buff *tskb; ++ struct sk_buff *tskb = NULL; + int ret; + + netif_dbg(mse, tx_queued, mse->ndev, "%s: skb %p, %d@%p\n", +@@ -235,7 +235,6 @@ static int mse102x_tx_frame_spi(struct m + if (!tskb) + return -ENOMEM; + +- dev_kfree_skb(txp); + txp = tskb; + } + +@@ -257,6 +256,8 @@ static int mse102x_tx_frame_spi(struct m + mse->stats.xfer_err++; + } + ++ dev_kfree_skb(tskb); ++ + return ret; + } + diff --git a/queue-6.1/net-wwan-t7xx-fix-off-by-one-error-in-t7xx_dpmaif_rx_buf_alloc.patch b/queue-6.1/net-wwan-t7xx-fix-off-by-one-error-in-t7xx_dpmaif_rx_buf_alloc.patch new file mode 100644 index 00000000000..410f2cd55ae --- /dev/null +++ b/queue-6.1/net-wwan-t7xx-fix-off-by-one-error-in-t7xx_dpmaif_rx_buf_alloc.patch 
@@ -0,0 +1,42 @@ +From 3b557be89fc688dbd9ccf704a70f7600a094f13a Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Fri, 1 Nov 2024 10:53:16 +0800 +Subject: net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jinjie Ruan + +commit 3b557be89fc688dbd9ccf704a70f7600a094f13a upstream. + +The error path in t7xx_dpmaif_rx_buf_alloc(), free and unmap the already +allocated and mapped skb in a loop, but the loop condition terminates when +the index reaches zero, which fails to free the first allocated skb at +index zero. + +Check with i-- so that skb at index 0 is freed as well. + +Cc: stable@vger.kernel.org +Fixes: d642b012df70 ("net: wwan: t7xx: Add data path interface") +Acked-by: Sergey Ryazanov +Signed-off-by: Jinjie Ruan +Reviewed-by: Ilpo Järvinen +Link: https://patch.msgid.link/20241101025316.3234023-1-ruanjinjie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c ++++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c +@@ -262,7 +262,7 @@ int t7xx_dpmaif_rx_buf_alloc(struct dpma + return 0; + + err_unmap_skbs: +- while (--i > 0) ++ while (i--) + t7xx_unmap_bat_skb(dpmaif_ctrl->dev, bat_req->bat_skb, i); + + return ret; diff --git a/queue-6.1/nfs-fix-kmsan-warning-in-decode_getfattr_attrs.patch b/queue-6.1/nfs-fix-kmsan-warning-in-decode_getfattr_attrs.patch new file mode 100644 index 00000000000..0006ddaa902 --- /dev/null +++ b/queue-6.1/nfs-fix-kmsan-warning-in-decode_getfattr_attrs.patch 
@@ -0,0 +1,69 @@ +From dc270d7159699ad6d11decadfce9633f0f71c1db Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Fri, 25 Oct 2024 16:03:27 +0200 +Subject: nfs: Fix KMSAN warning in decode_getfattr_attrs() + +From: Roberto Sassu + +commit dc270d7159699ad6d11decadfce9633f0f71c1db upstream. + +Fix the following KMSAN warning: + +CPU: 1 UID: 0 PID: 7651 Comm: cp Tainted: G B +Tainted: [B]=BAD_PAGE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009) +===================================================== +===================================================== +BUG: KMSAN: uninit-value in decode_getfattr_attrs+0x2d6d/0x2f90 + decode_getfattr_attrs+0x2d6d/0x2f90 + decode_getfattr_generic+0x806/0xb00 + nfs4_xdr_dec_getattr+0x1de/0x240 + rpcauth_unwrap_resp_decode+0xab/0x100 + rpcauth_unwrap_resp+0x95/0xc0 + call_decode+0x4ff/0xb50 + __rpc_execute+0x57b/0x19d0 + rpc_execute+0x368/0x5e0 + rpc_run_task+0xcfe/0xee0 + nfs4_proc_getattr+0x5b5/0x990 + __nfs_revalidate_inode+0x477/0xd00 + nfs_access_get_cached+0x1021/0x1cc0 + nfs_do_access+0x9f/0xae0 + nfs_permission+0x1e4/0x8c0 + inode_permission+0x356/0x6c0 + link_path_walk+0x958/0x1330 + path_lookupat+0xce/0x6b0 + filename_lookup+0x23e/0x770 + vfs_statx+0xe7/0x970 + vfs_fstatat+0x1f2/0x2c0 + __se_sys_newfstatat+0x67/0x880 + __x64_sys_newfstatat+0xbd/0x120 + x64_sys_call+0x1826/0x3cf0 + do_syscall_64+0xd0/0x1b0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The KMSAN warning is triggered in decode_getfattr_attrs(), when calling +decode_attr_mdsthreshold(). It appears that fattr->mdsthreshold is not +initialized. + +Fix the issue by initializing fattr->mdsthreshold to NULL in +nfs_fattr_init(). 
+ +Cc: stable@vger.kernel.org # v3.5.x +Fixes: 88034c3d88c2 ("NFSv4.1 mdsthreshold attribute xdr") +Signed-off-by: Roberto Sassu +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/inode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -1566,6 +1566,7 @@ void nfs_fattr_init(struct nfs_fattr *fa + fattr->gencount = nfs_inc_attr_generation_counter(); + fattr->owner_name = NULL; + fattr->group_name = NULL; ++ fattr->mdsthreshold = NULL; + } + EXPORT_SYMBOL_GPL(nfs_fattr_init); + diff --git a/queue-6.1/series b/queue-6.1/series index b1f842d9837..f76c97b40cb 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -66,3 +66,9 @@ dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow. alsa-usb-audio-add-quirk-for-hp-320-fhd-webcam.patch alsa-hda-realtek-fix-headset-mic-on-tuxedo-gemini-17-gen3.patch posix-cpu-timers-clear-tick_dep_bit_posix_timer-on-c.patch +nfs-fix-kmsan-warning-in-decode_getfattr_attrs.patch +net-wwan-t7xx-fix-off-by-one-error-in-t7xx_dpmaif_rx_buf_alloc.patch +net-vertexcom-mse102x-fix-possible-double-free-of-tx-skb.patch +mptcp-use-sock_kfree_s-instead-of-kfree.patch +arm64-kconfig-make-sme-depend-on-broken-for-now.patch +btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch
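Review bot: In the arch/arm64/Kconfig hunk of arm64-kconfig-make-sme-depend-on-broken-for-now.patch, the new "depends on BROKEN" line has no comment, and the help text under it still describes SME as ordinary supported functionality. The reason is recorded only in the commit message (issues that might corrupt the FPSIMD/SVE/SME state of arbitrary tasks). A one-line Kconfig comment above the new dependency would keep it from being dropped without revisiting those fixes. Because "default y" is unchanged, removing that single line turns SME back on by default.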
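Review bot: In the fs/btrfs/delayed-ref.c hunk (insert_delayed_ref(), the BTRFS_DROP_DELAYED_REF branch), the move to list_del_init() relies on an invariant that is written down only in the commit message: drop_delayed_ref() calls list_empty() on the ref's add_list to decide whether to unlink it. A short comment at this call site stating that would help, since a later cleanup back to list_del() would bring the second list_del() on poisoned pointers back. For the 6.1 backport it is also worth checking that no other removal from ref_add_list in this file still uses plain list_del().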
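Review bot: In the net/mptcp/pm_userspace.c hunks (@@ -89 and @@ -96), sock_kfree_s(sk, entry, sizeof(*entry)) is only correct if the entry was charged to the same socket with the same size through sock_kmalloc(), and the allocation site is not part of this patch. Before this goes into 6.1, confirm that the code appending to userspace_pm_local_addr_list in that tree allocates with sock_kmalloc(sk, sizeof(*entry), ...) on the msk socket; if the 6.1 allocation differs, this change would subtract memory from the socket's accounting that was never added. Any other path in 6.1 that frees entries from this list needs the same conversion, otherwise the accounting stays unbalanced on that path.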
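Review bot: In the mse102x_tx_frame_spi() hunks of drivers/net/ethernet/vertexcom/mse102x.c, the new dev_kfree_skb(tskb) before "return ret" runs on every path that reaches the end of the function, including the usual one where no expansion happened and tskb is still NULL. The fix therefore depends on the new "= NULL" initializer and on dev_kfree_skb() accepting a NULL pointer. The ownership rule this establishes (mse102x_tx_work() frees the original TX skb, this function frees only its temporary copy) is stated in the commit message but not in the code; a comment above the function or next to "txp = tskb;" would make it harder to reintroduce the double free.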
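Review bot: In the err_unmap_skbs hunk of t7xx_dpmaif_rx_buf_alloc(), "while (i--)" unwinds indices i-1 down to 0, so it assumes that the slot at index i, the one whose setup failed, holds nothing that needs unmapping, and that i is never negative when the label is reached. Neither the declaration of i nor the goto that jumps here is visible in this hunk, so both should be checked against the 6.1 source: with a signed i below zero the loop would call t7xx_unmap_bat_skb() with negative indices.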
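Review bot: In the fs/nfs/inode.c hunk, nfs_fattr_init() now sets fattr->mdsthreshold to NULL unconditionally, so any caller that assigns mdsthreshold before calling nfs_fattr_init() on the same struct would lose that pointer. The callers are outside this hunk; for the 6.1 backport, check that every site that allocates an mdsthreshold does so after the fattr has been initialized, and that code which frees it tolerates NULL. A note in the function's comment that it resets all pointer members, mdsthreshold included, would document the ordering requirement.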