From: Greg Kroah-Hartman
Date: Thu, 17 Apr 2025 17:36:48 +0000 (+0200)
Subject: 6.13-stable patches
X-Git-Tag: v6.12.24~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d500e3fc5952d7329a7c1140f6294e7c1a431ad0;p=thirdparty%2Fkernel%2Fstable-queue.git
6.13-stable patches
added patches:
bluetooth-hci_uart-fix-another-race-during-initialization.patch
s390-cpumf-fix-double-free-on-error-in-cpumf_pmu_event_init.patch
---
diff --git a/queue-6.13/bluetooth-hci_uart-fix-another-race-during-initialization.patch b/queue-6.13/bluetooth-hci_uart-fix-another-race-during-initialization.patch
new file mode 100644
index 0000000000..1cda9fcf58
--- /dev/null
+++ b/queue-6.13/bluetooth-hci_uart-fix-another-race-during-initialization.patch
@@ -0,0 +1,134 @@
+From 5df5dafc171b90d0b8d51547a82657cd5a1986c7 Mon Sep 17 00:00:00 2001
+From: Arseniy Krasnov
+Date: Wed, 12 Feb 2025 18:59:46 +0300
+Subject: Bluetooth: hci_uart: Fix another race during initialization
+
+From: Arseniy Krasnov
+
+commit 5df5dafc171b90d0b8d51547a82657cd5a1986c7 upstream.
+
+Do not set 'HCI_UART_PROTO_READY' before call 'hci_uart_register_dev()'.
+Possible race is when someone calls 'hci_tty_uart_close()' after this bit
+is set, but 'hci_uart_register_dev()' wasn't done. This leads to access
+to uninitialized fields. To fix it let's set this bit after device was
+registered (as before patch c411c62cc133) and to fix previous problem let's
+add one more bit in addition to 'HCI_UART_PROTO_READY' which allows to
+perform power up without original bit set (pls see commit c411c62cc133).
+
+Crash backtrace from syzbot report:
+
+RIP: 0010:skb_queue_empty_lockless include/linux/skbuff.h:1887 [inline]
+RIP: 0010:skb_queue_purge_reason+0x6d/0x140 net/core/skbuff.c:3936
+
+Call Trace:
+
+ skb_queue_purge include/linux/skbuff.h:3364 [inline]
+ mrvl_close+0x2f/0x90 drivers/bluetooth/hci_mrvl.c:100
+ hci_uart_tty_close+0xb6/0x120 drivers/bluetooth/hci_ldisc.c:557
+ tty_ldisc_close drivers/tty/tty_ldisc.c:455 [inline]
+ tty_ldisc_kill+0x66/0xc0 drivers/tty/tty_ldisc.c:613
+ tty_ldisc_release+0xc9/0x120 drivers/tty/tty_ldisc.c:781
+ tty_release_struct+0x10/0x80 drivers/tty/tty_io.c:1690
+ tty_release+0x4ef/0x640 drivers/tty/tty_io.c:1861
+ __fput+0x86/0x2a0 fs/file_table.c:450
+ task_work_run+0x82/0xb0 kernel/task_work.c:239
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
+ exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
+ syscall_exit_to_user_mode+0xa3/0x1b0 kernel/entry/common.c:218
+ do_syscall_64+0x9a/0x190 arch/x86/entry/common.c:89
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Signed-off-by: Arseniy Krasnov
+Reported-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
+Tested-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-bluetooth/d159c57f-8490-4c26-79da-6ad3612c4a14@salutedevices.com/
+Fixes: 366ceff495f9 ("Bluetooth: hci_uart: fix race during initialization")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/hci_ldisc.c | 20 ++++++++++++++------
+ drivers/bluetooth/hci_uart.h | 1 +
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -102,7 +102,8 @@ static inline struct sk_buff *hci_uart_d
+ if (!skb) {
+ percpu_down_read(&hu->proto_lock);
+
+- if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
++ if (test_bit(HCI_UART_PROTO_READY, &hu->flags) ||
++ test_bit(HCI_UART_PROTO_INIT, &hu->flags))
+ skb = hu->proto->dequeue(hu);
+
+ percpu_up_read(&hu->proto_lock);
+@@ -124,7 +125,8 @@ int hci_uart_tx_wakeup(struct hci_uart *
+ if (!percpu_down_read_trylock(&hu->proto_lock))
+ return 0;
+
+- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
++ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
++ !test_bit(HCI_UART_PROTO_INIT, &hu->flags))
+ goto no_schedule;
+
+ set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state);
+@@ -278,7 +280,8 @@ static int hci_uart_send_frame(struct hc
+
+ percpu_down_read(&hu->proto_lock);
+
+- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
++ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
++ !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) {
+ percpu_up_read(&hu->proto_lock);
+ return -EUNATCH;
+ }
+@@ -585,7 +588,8 @@ static void hci_uart_tty_wakeup(struct t
+ if (tty != hu->tty)
+ return;
+
+- if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
++ if (test_bit(HCI_UART_PROTO_READY, &hu->flags) ||
++ test_bit(HCI_UART_PROTO_INIT, &hu->flags))
+ hci_uart_tx_wakeup(hu);
+ }
+
+@@ -611,7 +615,8 @@ static void hci_uart_tty_receive(struct
+
+ percpu_down_read(&hu->proto_lock);
+
+- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
++ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
++ !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) {
+ percpu_up_read(&hu->proto_lock);
+ return;
+ }
+@@ -707,13 +712,16 @@ static int hci_uart_set_proto(struct hci
+
+ hu->proto = p;
+
+- set_bit(HCI_UART_PROTO_READY, &hu->flags);
++ set_bit(HCI_UART_PROTO_INIT, &hu->flags);
+
+ err = hci_uart_register_dev(hu);
+ if (err) {
+ return err;
+ }
+
++ set_bit(HCI_UART_PROTO_READY, &hu->flags);
++ clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
++
+ return 0;
+ }
+
+--- a/drivers/bluetooth/hci_uart.h
++++ b/drivers/bluetooth/hci_uart.h
+@@ -90,6 +90,7 @@ struct hci_uart {
+ #define HCI_UART_REGISTERED 1
+ #define HCI_UART_PROTO_READY 2
+ #define HCI_UART_NO_SUSPEND_NOTIFIER 3
++#define HCI_UART_PROTO_INIT 4
+
+ /* TX states */
+ #define HCI_UART_SENDING 1
diff --git a/queue-6.13/s390-cpumf-fix-double-free-on-error-in-cpumf_pmu_event_init.patch b/queue-6.13/s390-cpumf-fix-double-free-on-error-in-cpumf_pmu_event_init.patch
new file mode 100644
index 0000000000..4101e0d008
--- /dev/null
+++ b/queue-6.13/s390-cpumf-fix-double-free-on-error-in-cpumf_pmu_event_init.patch
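Review bot: In the hci_uart_set_proto hunk (`@@ -707,13 +712,16 @@`) the early `if (err) { return err; }` after hci_uart_register_dev() leaves HCI_UART_PROTO_INIT set, so every path this patch teaches to accept the INIT bit (dequeue, tx_wakeup, send_frame, tty_wakeup, tty_receive) keeps dispatching into hu->proto for a device whose registration failed, while the close path, which the description says keys on PROTO_READY, will not tear it down. Unless the failure path of hci_uart_register_dev, which is outside this hunk, clears the bit itself, the return should be `if (err) { clear_bit(HCI_UART_PROTO_INIT, &hu->flags); return err; }`. The start of hci_uart_set_proto, including the proto open the bit is meant to cover, lies outside the hunk. The new `#define HCI_UART_PROTO_INIT 4` in hci_uart.h would also benefit from a one-line comment stating that it is set only between proto open and a successful hci_uart_register_dev() and is replaced by PROTO_READY once registration completes.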
@@ -0,0 +1,119 @@
+From aa1ac98268cd1f380c713f07e39b1fa1d5c7650c Mon Sep 17 00:00:00 2001
+From: Thomas Richter
+Date: Wed, 9 Apr 2025 10:03:53 +0200
+Subject: s390/cpumf: Fix double free on error in cpumf_pmu_event_init()
+
+From: Thomas Richter
+
+commit aa1ac98268cd1f380c713f07e39b1fa1d5c7650c upstream.
+
+In PMU event initialization functions
+ - cpumsf_pmu_event_init()
+ - cpumf_pmu_event_init()
+ - cfdiag_event_init()
+the partially created event had to be removed when an error was detected.
+The event::event_init() member function had to release all resources
+it allocated in case of error. event::destroy() had to be called
+on freeing an event after it was successfully created and
+event::event_init() returned success.
+
+With
+
+commit c70ca298036c ("perf/core: Simplify the perf_event_alloc() error path")
+
+this is not necessary anymore. The performance subsystem common
+code now always calls event::destroy() to clean up the allocated
+resources created during event initialization.
+
+Remove the event::destroy() invocation in PMU event initialization
+or that function is called twice for each event that runs into an
+error condition in event creation.
+
+This is the kernel log entry which shows up without the fix:
+
+------------[ cut here ]------------
+refcount_t: underflow; use-after-free.
+WARNING: CPU: 0 PID: 43388 at lib/refcount.c:87 refcount_dec_not_one+0x74/0x90
+CPU: 0 UID: 0 PID: 43388 Comm: perf Not tainted 6.15.0-20250407.rc1.git0.300.fc41.s390x+git #1 NONE
+Hardware name: IBM 3931 A01 704 (LPAR)
+Krnl PSW : 0704c00180000000 00000209cb2c1b88 (refcount_dec_not_one+0x78/0x90)
+ R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
+Krnl GPRS: 0000020900000027 0000020900000023 0000000000000026 0000018900000000
+ 00000004a2200a00 0000000000000000 0000000000000057 ffffffffffffffea
+ 00000002b386c600 00000002b3f5b3e0 00000209cc51f140 00000209cc7fc550
+ 0000000001449d38 ffffffffffffffff 00000209cb2c1b84 00000189d67dfb80
+Krnl Code: 00000209cb2c1b78: c02000506727 larl %r2,00000209cbcce9c6
+ 00000209cb2c1b7e: c0e5ffbd4431 brasl %r14,00000209caa6a3e0
+ #00000209cb2c1b84: af000000 mc 0,0
+ >00000209cb2c1b88: a7480001 lhi %r4,1
+ 00000209cb2c1b8c: ebeff0a00004 lmg %r14,%r15,160(%r15)
+ 00000209cb2c1b92: ec243fbf0055 risbg %r2,%r4,63,191,0
+ 00000209cb2c1b98: 07fe bcr 15,%r14
+ 00000209cb2c1b9a: 47000700 bc 0,1792
+Call Trace:
+ [<00000209cb2c1b88>] refcount_dec_not_one+0x78/0x90
+ [<00000209cb2c1dc4>] refcount_dec_and_mutex_lock+0x24/0x90
+ [<00000209caa3c29e>] hw_perf_event_destroy+0x2e/0x80
+ [<00000209cacaf8b4>] __free_event+0x74/0x270
+ [<00000209cacb47c4>] perf_event_alloc.part.0+0x4a4/0x730
+ [<00000209cacbf3e8>] __do_sys_perf_event_open+0x248/0xc20
+ [<00000209cacc14a4>] __s390x_sys_perf_event_open+0x44/0x50
+ [<00000209cb8114de>] __do_syscall+0x12e/0x260
+ [<00000209cb81ce34>] system_call+0x74/0x98
+Last Breaking-Event-Address:
+ [<00000209caa6a4d2>] __warn_printk+0xf2/0x100
+---[ end trace 0000000000000000 ]---
+
+Fixes: c70ca298036c ("perf/core: Simplify the perf_event_alloc() error path")
+Signed-off-by: Thomas Richter
+Reviewed-by: Sumanth Korikkar
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/kernel/perf_cpum_cf.c | 9 +--------
+ arch/s390/kernel/perf_cpum_sf.c | 3 ---
+ 2 files changed, 1 insertion(+), 11 deletions(-)
+
+--- a/arch/s390/kernel/perf_cpum_cf.c
++++ b/arch/s390/kernel/perf_cpum_cf.c
+@@ -858,18 +858,13 @@ static int cpumf_pmu_event_type(struct p
+ static int cpumf_pmu_event_init(struct perf_event *event)
+ {
+ unsigned int type = event->attr.type;
+- int err;
++ int err = -ENOENT;
+
+ if (type == PERF_TYPE_HARDWARE || type == PERF_TYPE_RAW)
+ err = __hw_perf_event_init(event, type);
+ else if (event->pmu->type == type)
+ /* Registered as unknown PMU */
+ err = __hw_perf_event_init(event, cpumf_pmu_event_type(event));
+- else
+- return -ENOENT;
+-
+- if (unlikely(err) && event->destroy)
+- event->destroy(event);
+
+ return err;
+ }
+@@ -1819,8 +1814,6 @@ static int cfdiag_event_init(struct perf
+ event->destroy = hw_perf_event_destroy;
+
+ err = cfdiag_event_init2(event);
+- if (unlikely(err))
+- event->destroy(event);
+ out:
+ return err;
+ }
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -885,9 +885,6 @@ static int cpumsf_pmu_event_init(struct
+ event->attr.exclude_idle = 0;
+
+ err = __hw_perf_event_init(event);
+- if (unlikely(err))
+- if (event->destroy)
+- event->destroy(event);
+ return err;
+ }
+
diff --git a/queue-6.13/series b/queue-6.13/series
index f4bb2739e0..436f98c552 100644
--- a/queue-6.13/series
+++ b/queue-6.13/series
@@ -410,3 +410,5 @@ nfsd-fix-decoding-in-nfs4_xdr_dec_cb_getattr.patch
 nfsd-fix-cb_getattr-status-fix.patch
 nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch
 x86-e820-fix-handling-of-subpage-regions-when-calculating-nosave-ranges-in-e820__register_nosave_regions.patch
+bluetooth-hci_uart-fix-another-race-during-initialization.patch
+s390-cpumf-fix-double-free-on-error-in-cpumf_pmu_event_init.patch
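Review bot: Dropping the event->destroy() calls in cpumf_pmu_event_init, cfdiag_event_init and cpumsf_pmu_event_init is only correct if the perf core in this branch already runs event->destroy() when event_init() fails, which the description attributes to commit c70ca298036c; that prerequisite is not visible in this queue commit and should be confirmed to be present in the 6.13 tree before the patch is applied, because without it the error path loses its only cleanup and a double-free fix turns into a leak. Within the perf_cpum_cf.c hunk the new `int err = -ENOENT;` correctly replaces the removed `else return -ENOENT;`, and the other two hunks only delete the now-duplicate destroy(); cfdiag_event_init and cpumsf_pmu_event_init both begin outside their hunks. The trailing series hunk is an index update and needs nothing.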