From: Greg Kroah-Hartman Date: Fri, 15 Nov 2024 05:24:11 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.19.324~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3bb89f6b7e3c3e4b3fbcd79e43b56d67a2f72d2;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch md-raid10-improve-code-of-mrdev-in-raid10_sync_request.patch mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch mm-memory-add-non-anonymous-page-check-in-the-copy_present_page.patch udf-allocate-name-buffer-in-directory-iterator-on-heap.patch udf-avoid-directory-type-conversion-failure-due-to-enomem.patch --- diff --git a/queue-5.15/io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch b/queue-5.15/io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch new file mode 100644 index 00000000000..f0584e71653 --- /dev/null +++ b/queue-5.15/io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch @@ -0,0 +1,55 @@ +From 73254a297c2dd094abec7c9efee32455ae875bdf Mon Sep 17 00:00:00 2001 +From: Hagar Hemdan +Date: Tue, 4 Jun 2024 13:05:27 +0000 +Subject: io_uring: fix possible deadlock in io_register_iowq_max_workers() + +From: Hagar Hemdan + +commit 73254a297c2dd094abec7c9efee32455ae875bdf upstream. + +The io_register_iowq_max_workers() function calls io_put_sq_data(), +which acquires the sqd->lock without releasing the uring_lock. +Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock +before acquiring sqd->lock"), this can lead to a potential deadlock +situation. + +To resolve this issue, the uring_lock is released before calling +io_put_sq_data(), and then it is re-acquired after the function call. + +This change ensures that the locks are acquired in the correct +order, preventing the possibility of a deadlock. + +Suggested-by: Maximilian Heyne +Signed-off-by: Hagar Hemdan +Link: https://lore.kernel.org/r/20240604130527.3597-1-hagarhem@amazon.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -10822,8 +10822,10 @@ static int io_register_iowq_max_workers( + } + + if (sqd) { ++ mutex_unlock(&ctx->uring_lock); + mutex_unlock(&sqd->lock); + io_put_sq_data(sqd); ++ mutex_lock(&ctx->uring_lock); + } + + if (copy_to_user(arg, new_count, sizeof(new_count))) +@@ -10848,8 +10850,11 @@ static int io_register_iowq_max_workers( + return 0; + err: + if (sqd) { ++ mutex_unlock(&ctx->uring_lock); + mutex_unlock(&sqd->lock); + io_put_sq_data(sqd); ++ mutex_lock(&ctx->uring_lock); ++ + } + return ret; + } diff --git a/queue-5.15/md-raid10-improve-code-of-mrdev-in-raid10_sync_request.patch b/queue-5.15/md-raid10-improve-code-of-mrdev-in-raid10_sync_request.patch new file mode 100644 index 00000000000..53e23c61319 --- /dev/null +++ b/queue-5.15/md-raid10-improve-code-of-mrdev-in-raid10_sync_request.patch @@ -0,0 +1,97 @@ +From 59f8f0b54c8ffb4521f6bbd1cb6f4dfa5022e75e Mon Sep 17 00:00:00 2001 +From: Li Nan +Date: Sat, 27 May 2023 15:22:16 +0800 +Subject: md/raid10: improve code of mrdev in raid10_sync_request + +From: Li Nan + +commit 59f8f0b54c8ffb4521f6bbd1cb6f4dfa5022e75e upstream. + +'need_recover' and 'mrdev' are equivalent in raid10_sync_request(), and +inc mrdev->nr_pending is unreasonable if don't need recovery. Replace +'need_recover' with 'mrdev', and only inc nr_pending when needed. + +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230527072218.2365857-3-linan666@huaweicloud.com +Cc: Hagar Gamal Halim +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -3443,7 +3443,6 @@ static sector_t raid10_sync_request(stru + sector_t sect; + int must_sync; + int any_working; +- int need_recover = 0; + struct raid10_info *mirror = &conf->mirrors[i]; + struct md_rdev *mrdev, *mreplace; + +@@ -3451,14 +3450,13 @@ static sector_t raid10_sync_request(stru + mrdev = rcu_dereference(mirror->rdev); + mreplace = rcu_dereference(mirror->replacement); + +- if (mrdev != NULL && +- !test_bit(Faulty, &mrdev->flags) && +- !test_bit(In_sync, &mrdev->flags)) +- need_recover = 1; ++ if (mrdev && (test_bit(Faulty, &mrdev->flags) || ++ test_bit(In_sync, &mrdev->flags))) ++ mrdev = NULL; + if (mreplace && test_bit(Faulty, &mreplace->flags)) + mreplace = NULL; + +- if (!need_recover && !mreplace) { ++ if (!mrdev && !mreplace) { + rcu_read_unlock(); + continue; + } +@@ -3492,7 +3490,8 @@ static sector_t raid10_sync_request(stru + rcu_read_unlock(); + continue; + } +- atomic_inc(&mrdev->nr_pending); ++ if (mrdev) ++ atomic_inc(&mrdev->nr_pending); + if (mreplace) + atomic_inc(&mreplace->nr_pending); + rcu_read_unlock(); +@@ -3579,7 +3578,7 @@ static sector_t raid10_sync_request(stru + r10_bio->devs[1].devnum = i; + r10_bio->devs[1].addr = to_addr; + +- if (need_recover) { ++ if (mrdev) { + bio = r10_bio->devs[1].bio; + bio->bi_next = biolist; + biolist = bio; +@@ -3624,7 +3623,7 @@ static sector_t raid10_sync_request(stru + for (k = 0; k < conf->copies; k++) + if (r10_bio->devs[k].devnum == i) + break; +- if (!test_bit(In_sync, ++ if (mrdev && !test_bit(In_sync, + &mrdev->flags) + && !rdev_set_badblocks( + mrdev, +@@ -3650,12 +3649,14 @@ static sector_t raid10_sync_request(stru + if (rb2) + atomic_dec(&rb2->remaining); + r10_bio = rb2; +- rdev_dec_pending(mrdev, mddev); ++ if (mrdev) ++ rdev_dec_pending(mrdev, mddev); + if (mreplace) + rdev_dec_pending(mreplace, mddev); + break; + } +- rdev_dec_pending(mrdev, mddev); ++ if (mrdev) ++ rdev_dec_pending(mrdev, mddev); + if (mreplace) + rdev_dec_pending(mreplace, mddev); + if (r10_bio->devs[0].bio->bi_opf & MD_FAILFAST) { diff --git a/queue-5.15/mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch b/queue-5.15/mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch new file mode 100644 index 00000000000..1f86758dd06 --- /dev/null +++ b/queue-5.15/mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch @@ -0,0 +1,75 @@ +From 704573851b51808b45dae2d62059d1d8189138a2 Mon Sep 17 00:00:00 2001 +From: Qun-Wei Lin +Date: Fri, 25 Oct 2024 16:58:11 +0800 +Subject: mm: krealloc: Fix MTE false alarm in __do_krealloc + +From: Qun-Wei Lin + +commit 704573851b51808b45dae2d62059d1d8189138a2 upstream. + +This patch addresses an issue introduced by commit 1a83a716ec233 ("mm: +krealloc: consider spare memory for __GFP_ZERO") which causes MTE +(Memory Tagging Extension) to falsely report a slab-out-of-bounds error. + +The problem occurs when zeroing out spare memory in __do_krealloc. The +original code only considered software-based KASAN and did not account +for MTE. It does not reset the KASAN tag before calling memset, leading +to a mismatch between the pointer tag and the memory tag, resulting +in a false positive. + +Example of the error: +================================================================== +swapper/0: BUG: KASAN: slab-out-of-bounds in __memset+0x84/0x188 +swapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1 +swapper/0: Pointer tag: [f4], memory tag: [fe] +swapper/0: +swapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12. +swapper/0: Hardware name: MT6991(ENG) (DT) +swapper/0: Call trace: +swapper/0: dump_backtrace+0xfc/0x17c +swapper/0: show_stack+0x18/0x28 +swapper/0: dump_stack_lvl+0x40/0xa0 +swapper/0: print_report+0x1b8/0x71c +swapper/0: kasan_report+0xec/0x14c +swapper/0: __do_kernel_fault+0x60/0x29c +swapper/0: do_bad_area+0x30/0xdc +swapper/0: do_tag_check_fault+0x20/0x34 +swapper/0: do_mem_abort+0x58/0x104 +swapper/0: el1_abort+0x3c/0x5c +swapper/0: el1h_64_sync_handler+0x80/0xcc +swapper/0: el1h_64_sync+0x68/0x6c +swapper/0: __memset+0x84/0x188 +swapper/0: btf_populate_kfunc_set+0x280/0x3d8 +swapper/0: __register_btf_kfunc_id_set+0x43c/0x468 +swapper/0: register_btf_kfunc_id_set+0x48/0x60 +swapper/0: register_nf_nat_bpf+0x1c/0x40 +swapper/0: nf_nat_init+0xc0/0x128 +swapper/0: do_one_initcall+0x184/0x464 +swapper/0: do_initcall_level+0xdc/0x1b0 +swapper/0: do_initcalls+0x70/0xc0 +swapper/0: do_basic_setup+0x1c/0x28 +swapper/0: kernel_init_freeable+0x144/0x1b8 +swapper/0: kernel_init+0x20/0x1a8 +swapper/0: ret_from_fork+0x10/0x20 +================================================================== + +Fixes: 1a83a716ec233 ("mm: krealloc: consider spare memory for __GFP_ZERO") +Signed-off-by: Qun-Wei Lin +Acked-by: David Rientjes +Signed-off-by: Vlastimil Babka +Signed-off-by: Greg Kroah-Hartman +--- + mm/slab_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -1213,7 +1213,7 @@ static __always_inline void *__do_kreall + /* Zero out spare memory. */ + if (want_init_on_alloc(flags)) { + kasan_disable_current(); +- memset((void *)p + new_size, 0, ks - new_size); ++ memset(kasan_reset_tag(p) + new_size, 0, ks - new_size); + kasan_enable_current(); + } + diff --git a/queue-5.15/mm-memory-add-non-anonymous-page-check-in-the-copy_present_page.patch b/queue-5.15/mm-memory-add-non-anonymous-page-check-in-the-copy_present_page.patch new file mode 100644 index 00000000000..297ee04012c --- /dev/null +++ b/queue-5.15/mm-memory-add-non-anonymous-page-check-in-the-copy_present_page.patch @@ -0,0 +1,102 @@ +From vbabka@suse.cz Fri Nov 15 06:17:06 2024 +From: Vlastimil Babka +Date: Wed, 13 Nov 2024 17:31:19 +0100 +Subject: mm/memory: add non-anonymous page check in the copy_present_page() +To: stable@vger.kernel.org +Cc: David Hildenbrand , Peter Xu , linux-mm@kvack.org, Yuanzheng Song , Vlastimil Babka +Message-ID: <20241113163118.54834-2-vbabka@suse.cz> + +From: Yuanzheng Song + +The vma->anon_vma of the child process may be NULL because +the entire vma does not contain anonymous pages. In this +case, a BUG will occur when the copy_present_page() passes +a copy of a non-anonymous page of that vma to the +page_add_new_anon_rmap() to set up new anonymous rmap. + +------------[ cut here ]------------ +kernel BUG at mm/rmap.c:1052! +Internal error: Oops - BUG: 0 [#1] SMP +Modules linked in: +CPU: 4 PID: 4652 Comm: test Not tainted 5.15.75 #1 +Hardware name: linux,dummy-virt (DT) +pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : __page_set_anon_rmap+0xc0/0xe8 +lr : __page_set_anon_rmap+0xc0/0xe8 +sp : ffff80000e773860 +x29: ffff80000e773860 x28: fffffc13cf006ec0 x27: ffff04f3ccd68000 +x26: ffff04f3c5c33248 x25: 0000000010100073 x24: ffff04f3c53c0a80 +x23: 0000000020000000 x22: 0000000000000001 x21: 0000000020000000 +x20: fffffc13cf006ec0 x19: 0000000000000000 x18: 0000000000000000 +x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 +x11: 0000000000000000 x10: 0000000000000000 x9 : ffffdddc5581377c +x8 : 0000000000000000 x7 : 0000000000000011 x6 : ffff2717a8433000 +x5 : ffff80000e773810 x4 : ffffdddc55400000 x3 : 0000000000000000 +x2 : ffffdddc56b20000 x1 : ffff04f3c9a48040 x0 : 0000000000000000 +Call trace: + __page_set_anon_rmap+0xc0/0xe8 + page_add_new_anon_rmap+0x13c/0x200 + copy_pte_range+0x6b8/0x1018 + copy_page_range+0x3a8/0x5e0 + dup_mmap+0x3a0/0x6e8 + dup_mm+0x78/0x140 + copy_process+0x1528/0x1b08 + kernel_clone+0xac/0x610 + __do_sys_clone+0x78/0xb0 + __arm64_sys_clone+0x30/0x40 + invoke_syscall+0x68/0x170 + el0_svc_common.constprop.0+0x80/0x250 + do_el0_svc+0x48/0xb8 + el0_svc+0x48/0x1a8 + el0t_64_sync_handler+0xb0/0xb8 + el0t_64_sync+0x1a0/0x1a4 +Code: 97f899f4 f9400273 17ffffeb 97f899f1 (d4210000) +---[ end trace dc65e5edd0f362fa ]--- +Kernel panic - not syncing: Oops - BUG: Fatal exception +SMP: stopping secondary CPUs +Kernel Offset: 0x5ddc4d400000 from 0xffff800008000000 +PHYS_OFFSET: 0xfffffb0c80000000 +CPU features: 0x44000cf1,00000806 +Memory Limit: none +---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]--- + +This problem has been fixed by the commit +("mm/rmap: split page_dup_rmap() into page_dup_file_rmap() +and page_try_dup_anon_rmap()"), but still exists in the +linux-5.15.y branch. + +This patch is not applicable to this version because +of the large version differences. Therefore, fix it by +adding non-anonymous page check in the copy_present_page(). + +Cc: stable@vger.kernel.org +Fixes: 70e806e4e645 ("mm: Do early cow for pinned pages during fork() for ptes") +Signed-off-by: Yuanzheng Song +Signed-off-by: Vlastimil Babka +Reviewed-by: David Hildenbrand +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -903,6 +903,17 @@ copy_present_page(struct vm_area_struct + if (likely(!page_needs_cow_for_dma(src_vma, page))) + return 1; + ++ /* ++ * The vma->anon_vma of the child process may be NULL ++ * because the entire vma does not contain anonymous pages. ++ * A BUG will occur when the copy_present_page() passes ++ * a copy of a non-anonymous page of that vma to the ++ * page_add_new_anon_rmap() to set up new anonymous rmap. ++ * Return 1 if the page is not an anonymous page. ++ */ ++ if (!PageAnon(page)) ++ return 1; ++ + new_page = *prealloc; + if (!new_page) + return -EAGAIN; diff --git a/queue-5.15/series b/queue-5.15/series index b5b900df622..7b36ed2480b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -13,3 +13,9 @@ fs-fix-uninitialized-value-issue-in-from_kuid-and-fr.patch hid-multitouch-add-quirk-for-logitech-bolt-receiver-.patch hid-lenovo-add-support-for-thinkpad-x1-tablet-gen-3-.patch net-usb-qmi_wwan-add-fibocom-fg132-0x0112-compositio.patch +md-raid10-improve-code-of-mrdev-in-raid10_sync_request.patch +io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch +mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch +mm-memory-add-non-anonymous-page-check-in-the-copy_present_page.patch +udf-allocate-name-buffer-in-directory-iterator-on-heap.patch +udf-avoid-directory-type-conversion-failure-due-to-enomem.patch diff --git a/queue-5.15/udf-allocate-name-buffer-in-directory-iterator-on-heap.patch b/queue-5.15/udf-allocate-name-buffer-in-directory-iterator-on-heap.patch new file mode 100644 index 00000000000..db031a16624 --- /dev/null +++ b/queue-5.15/udf-allocate-name-buffer-in-directory-iterator-on-heap.patch @@ -0,0 +1,98 @@ +From 0aba4860b0d0216a1a300484ff536171894d49d8 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 20 Dec 2022 12:38:45 +0100 +Subject: udf: Allocate name buffer in directory iterator on heap + +From: Jan Kara + +commit 0aba4860b0d0216a1a300484ff536171894d49d8 upstream. + +Currently we allocate name buffer in directory iterators (struct +udf_fileident_iter) on stack. These structures are relatively large +(some 360 bytes on 64-bit architectures). For udf_rename() which needs +to keep three of these structures in parallel the stack usage becomes +rather heavy - 1536 bytes in total. Allocate the name buffer in the +iterator from heap to avoid excessive stack usage. + +Link: https://lore.kernel.org/all/202212200558.lK9x1KW0-lkp@intel.com +Reported-by: kernel test robot +Signed-off-by: Jan Kara +[Add extra include linux/slab.h] +Signed-off-by: Hauke Mehrtens +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/directory.c | 24 ++++++++++++++++-------- + fs/udf/udfdecl.h | 2 +- + 2 files changed, 17 insertions(+), 9 deletions(-) + +--- a/fs/udf/directory.c ++++ b/fs/udf/directory.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + static int udf_verify_fi(struct udf_fileident_iter *iter) + { +@@ -248,9 +249,14 @@ int udf_fiiter_init(struct udf_fileident + iter->elen = 0; + iter->epos.bh = NULL; + iter->name = NULL; ++ iter->namebuf = kmalloc(UDF_NAME_LEN_CS0, GFP_KERNEL); ++ if (!iter->namebuf) ++ return -ENOMEM; + +- if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) +- return udf_copy_fi(iter); ++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { ++ err = udf_copy_fi(iter); ++ goto out; ++ } + + if (inode_bmap(dir, iter->pos >> dir->i_blkbits, &iter->epos, + &iter->eloc, &iter->elen, &iter->loffset) != +@@ -260,17 +266,17 @@ int udf_fiiter_init(struct udf_fileident + udf_err(dir->i_sb, + "position %llu not allocated in directory (ino %lu)\n", + (unsigned long long)pos, dir->i_ino); +- return -EFSCORRUPTED; ++ err = -EFSCORRUPTED; ++ goto out; + } + err = udf_fiiter_load_bhs(iter); + if (err < 0) +- return err; ++ goto out; + err = udf_copy_fi(iter); +- if (err < 0) { ++out: ++ if (err < 0) + udf_fiiter_release(iter); +- return err; +- } +- return 0; ++ return err; + } + + int udf_fiiter_advance(struct udf_fileident_iter *iter) +@@ -307,6 +313,8 @@ void udf_fiiter_release(struct udf_filei + brelse(iter->bh[0]); + brelse(iter->bh[1]); + iter->bh[0] = iter->bh[1] = NULL; ++ kfree(iter->namebuf); ++ iter->namebuf = NULL; + } + + static void udf_copy_to_bufs(void *buf1, int len1, void *buf2, int len2, +--- a/fs/udf/udfdecl.h ++++ b/fs/udf/udfdecl.h +@@ -99,7 +99,7 @@ struct udf_fileident_iter { + struct extent_position epos; /* Position after the above extent */ + struct fileIdentDesc fi; /* Copied directory entry */ + uint8_t *name; /* Pointer to entry name */ +- uint8_t namebuf[UDF_NAME_LEN_CS0]; /* Storage for entry name in case ++ uint8_t *namebuf; /* Storage for entry name in case + * the name is split between two blocks + */ + }; diff --git a/queue-5.15/udf-avoid-directory-type-conversion-failure-due-to-enomem.patch b/queue-5.15/udf-avoid-directory-type-conversion-failure-due-to-enomem.patch new file mode 100644 index 00000000000..83e645b9b7f --- /dev/null +++ b/queue-5.15/udf-avoid-directory-type-conversion-failure-due-to-enomem.patch @@ -0,0 +1,43 @@ +From df97f64dfa317a5485daf247b6c043a584ef95f9 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 9 Feb 2023 10:33:09 +0100 +Subject: udf: Avoid directory type conversion failure due to ENOMEM + +From: Jan Kara + +commit df97f64dfa317a5485daf247b6c043a584ef95f9 upstream. + +When converting directory from in-ICB to normal format, the last +iteration through the directory fixing up directory enteries can fail +due to ENOMEM. We do not expect this iteration to fail since the +directory is already verified to be correct and it is difficult to undo +the conversion at this point. So just use GFP_NOFAIL to make sure the +small allocation cannot fail. + +Reported-by: syzbot+111eaa994ff74f8d440f@syzkaller.appspotmail.com +Fixes: 0aba4860b0d0 ("udf: Allocate name buffer in directory iterator on heap") +Signed-off-by: Jan Kara +Signed-off-by: Hauke Mehrtens +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/directory.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/fs/udf/directory.c ++++ b/fs/udf/directory.c +@@ -249,9 +249,12 @@ int udf_fiiter_init(struct udf_fileident + iter->elen = 0; + iter->epos.bh = NULL; + iter->name = NULL; +- iter->namebuf = kmalloc(UDF_NAME_LEN_CS0, GFP_KERNEL); +- if (!iter->namebuf) +- return -ENOMEM; ++ /* ++ * When directory is verified, we don't expect directory iteration to ++ * fail and it can be difficult to undo without corrupting filesystem. ++ * So just do not allow memory allocation failures here. ++ */ ++ iter->namebuf = kmalloc(UDF_NAME_LEN_CS0, GFP_KERNEL | __GFP_NOFAIL); + + if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { + err = udf_copy_fi(iter);