From: Greg Kroah-Hartman Date: Wed, 21 Jun 2023 20:07:13 +0000 (+0200) Subject: 6.3-stable patches X-Git-Tag: v4.14.320~64 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f50fe91f86ab70cf9034286264b6bb618845a225;p=thirdparty%2Fkernel%2Fstable-queue.git 6.3-stable patches added patches: afs-fix-dangling-folio-ref-counts-in-writeback.patch afs-fix-waiting-for-writeback-then-skipping-folio.patch ksmbd-fix-out-of-bound-read-in-smb2_write.patch ksmbd-validate-command-payload-size.patch ksmbd-validate-session-id-and-tree-id-in-the-compound-request.patch revert-efi-random-refresh-non-volatile-random-seed-when-rng-is-initialized.patch tick-common-align-tick-period-during-sched_timer-setup.patch udmabuf-revert-add-support-for-mapping-hugepages-v4.patch --- diff --git a/queue-6.3/afs-fix-dangling-folio-ref-counts-in-writeback.patch b/queue-6.3/afs-fix-dangling-folio-ref-counts-in-writeback.patch new file mode 100644 index 00000000000..c752623a781 --- /dev/null +++ b/queue-6.3/afs-fix-dangling-folio-ref-counts-in-writeback.patch @@ -0,0 +1,41 @@ +From a2b6f2ab3e144f8e23666aafeba0e4d9ea4b7975 Mon Sep 17 00:00:00 2001 +From: "Vishal Moola (Oracle)" +Date: Wed, 7 Jun 2023 13:41:19 -0700 +Subject: afs: Fix dangling folio ref counts in writeback + +From: Vishal Moola (Oracle) + +commit a2b6f2ab3e144f8e23666aafeba0e4d9ea4b7975 upstream. + +Commit acc8d8588cb7 converted afs_writepages_region() to write back a +folio batch. If writeback needs rescheduling, the function exits without +dropping the references to the folios in fbatch. This patch fixes that. + +[DH: Moved the added line before the _leave()] + +Fixes: acc8d8588cb7 ("afs: convert afs_writepages_region() to use filemap_get_folios_tag()") +Signed-off-by: Vishal Moola (Oracle) +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/20230607204120.89416-1-vishal.moola@gmail.com/ +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/write.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/afs/write.c b/fs/afs/write.c +index c822d6006033..fd433024070e 100644 +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -763,6 +763,7 @@ static int afs_writepages_region(struct address_space *mapping, + if (wbc->sync_mode == WB_SYNC_NONE) { + if (skips >= 5 || need_resched()) { + *_next = start; ++ folio_batch_release(&fbatch); + _leave(" = 0 [%llx]", *_next); + return 0; + } +-- +2.41.0 + diff --git a/queue-6.3/afs-fix-waiting-for-writeback-then-skipping-folio.patch b/queue-6.3/afs-fix-waiting-for-writeback-then-skipping-folio.patch new file mode 100644 index 00000000000..5328e2978c1 --- /dev/null +++ b/queue-6.3/afs-fix-waiting-for-writeback-then-skipping-folio.patch @@ -0,0 +1,55 @@ +From 819da022dd007398d0c42ebcd8dbb1b681acea53 Mon Sep 17 00:00:00 2001 +From: "Vishal Moola (Oracle)" +Date: Wed, 7 Jun 2023 13:41:20 -0700 +Subject: afs: Fix waiting for writeback then skipping folio + +From: Vishal Moola (Oracle) + +commit 819da022dd007398d0c42ebcd8dbb1b681acea53 upstream. + +Commit acc8d8588cb7 converted afs_writepages_region() to write back a +folio batch. The function waits for writeback to a folio, but then +proceeds to the rest of the batch without trying to write that folio +again. This patch fixes has it attempt to write the folio again. + +[DH: Also remove an 'else' that adding a goto makes redundant] + +Fixes: acc8d8588cb7 ("afs: convert afs_writepages_region() to use filemap_get_folios_tag()") +Signed-off-by: Vishal Moola (Oracle) +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/20230607204120.89416-2-vishal.moola@gmail.com/ +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/write.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/write.c b/fs/afs/write.c +index fd433024070e..8750b99c3f56 100644 +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -731,6 +731,7 @@ static int afs_writepages_region(struct address_space *mapping, + * (changing page->mapping to NULL), or even swizzled + * back from swapper_space to tmpfs file mapping + */ ++try_again: + if (wbc->sync_mode != WB_SYNC_NONE) { + ret = folio_lock_killable(folio); + if (ret < 0) { +@@ -757,9 +758,10 @@ static int afs_writepages_region(struct address_space *mapping, + #ifdef CONFIG_AFS_FSCACHE + folio_wait_fscache(folio); + #endif +- } else { +- start += folio_size(folio); ++ goto try_again; + } ++ ++ start += folio_size(folio); + if (wbc->sync_mode == WB_SYNC_NONE) { + if (skips >= 5 || need_resched()) { + *_next = start; +-- +2.41.0 + diff --git a/queue-6.3/ksmbd-fix-out-of-bound-read-in-smb2_write.patch b/queue-6.3/ksmbd-fix-out-of-bound-read-in-smb2_write.patch new file mode 100644 index 00000000000..f41a8c22273 --- /dev/null +++ b/queue-6.3/ksmbd-fix-out-of-bound-read-in-smb2_write.patch @@ -0,0 +1,44 @@ +From 5fe7f7b78290638806211046a99f031ff26164e1 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 15 Jun 2023 22:04:40 +0900 +Subject: ksmbd: fix out-of-bound read in smb2_write + +From: Namjae Jeon + +commit 5fe7f7b78290638806211046a99f031ff26164e1 upstream. + +ksmbd_smb2_check_message doesn't validate hdr->NextCommand. If +->NextCommand is bigger than Offset + Length of smb2 write, It will +allow oversized smb2 write length. It will cause OOB read in smb2_write. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21164 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2misc.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/fs/ksmbd/smb2misc.c ++++ b/fs/ksmbd/smb2misc.c +@@ -351,10 +351,16 @@ int ksmbd_smb2_check_message(struct ksmb + int command; + __u32 clc_len; /* calculated length */ + __u32 len = get_rfc1002_len(work->request_buf); +- __u32 req_struct_size; ++ __u32 req_struct_size, next_cmd = le32_to_cpu(hdr->NextCommand); + +- if (le32_to_cpu(hdr->NextCommand) > 0) +- len = le32_to_cpu(hdr->NextCommand); ++ if ((u64)work->next_smb2_rcv_hdr_off + next_cmd > len) { ++ pr_err("next command(%u) offset exceeds smb msg size\n", ++ next_cmd); ++ return 1; ++ } ++ ++ if (next_cmd > 0) ++ len = next_cmd; + else if (work->next_smb2_rcv_hdr_off) + len -= work->next_smb2_rcv_hdr_off; + diff --git a/queue-6.3/ksmbd-validate-command-payload-size.patch b/queue-6.3/ksmbd-validate-command-payload-size.patch new file mode 100644 index 00000000000..385070a8181 --- /dev/null +++ b/queue-6.3/ksmbd-validate-command-payload-size.patch @@ -0,0 +1,86 @@ +From 2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Mon, 5 Jun 2023 01:57:34 +0900 +Subject: ksmbd: validate command payload size + +From: Namjae Jeon + +commit 2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d upstream. + +->StructureSize2 indicates command payload size. ksmbd should validate +this size with rfc1002 length before accessing it. +This patch remove unneeded check and add the validation for this. + +[ 8.912583] BUG: KASAN: slab-out-of-bounds in ksmbd_smb2_check_message+0x12a/0xc50 +[ 8.913051] Read of size 2 at addr ffff88800ac7d92c by task kworker/0:0/7 +... +[ 8.914967] Call Trace: +[ 8.915126] +[ 8.915267] dump_stack_lvl+0x33/0x50 +[ 8.915506] print_report+0xcc/0x620 +[ 8.916558] kasan_report+0xae/0xe0 +[ 8.917080] kasan_check_range+0x35/0x1b0 +[ 8.917334] ksmbd_smb2_check_message+0x12a/0xc50 +[ 8.917935] ksmbd_verify_smb_message+0xae/0xd0 +[ 8.918223] handle_ksmbd_work+0x192/0x820 +[ 8.918478] process_one_work+0x419/0x760 +[ 8.918727] worker_thread+0x2a2/0x6f0 +[ 8.919222] kthread+0x187/0x1d0 +[ 8.919723] ret_from_fork+0x1f/0x30 +[ 8.919954] + +Cc: stable@vger.kernel.org +Reported-by: Chih-Yen Chang +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2misc.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/fs/ksmbd/smb2misc.c ++++ b/fs/ksmbd/smb2misc.c +@@ -351,6 +351,7 @@ int ksmbd_smb2_check_message(struct ksmb + int command; + __u32 clc_len; /* calculated length */ + __u32 len = get_rfc1002_len(work->request_buf); ++ __u32 req_struct_size; + + if (le32_to_cpu(hdr->NextCommand) > 0) + len = le32_to_cpu(hdr->NextCommand); +@@ -373,17 +374,9 @@ int ksmbd_smb2_check_message(struct ksmb + } + + if (smb2_req_struct_sizes[command] != pdu->StructureSize2) { +- if (command != SMB2_OPLOCK_BREAK_HE && +- (hdr->Status == 0 || pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) { +- /* error packets have 9 byte structure size */ +- ksmbd_debug(SMB, +- "Illegal request size %u for command %d\n", +- le16_to_cpu(pdu->StructureSize2), command); +- return 1; +- } else if (command == SMB2_OPLOCK_BREAK_HE && +- hdr->Status == 0 && +- le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_20 && +- le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_21) { ++ if (command == SMB2_OPLOCK_BREAK_HE && ++ le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_20 && ++ le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_21) { + /* special case for SMB2.1 lease break message */ + ksmbd_debug(SMB, + "Illegal request size %d for oplock break\n", +@@ -392,6 +385,14 @@ int ksmbd_smb2_check_message(struct ksmb + } + } + ++ req_struct_size = le16_to_cpu(pdu->StructureSize2) + ++ __SMB2_HEADER_STRUCTURE_SIZE; ++ if (command == SMB2_LOCK_HE) ++ req_struct_size -= sizeof(struct smb2_lock_element); ++ ++ if (req_struct_size > len + 1) ++ return 1; ++ + if (smb2_calc_size(hdr, &clc_len)) + return 1; + diff --git a/queue-6.3/ksmbd-validate-session-id-and-tree-id-in-the-compound-request.patch b/queue-6.3/ksmbd-validate-session-id-and-tree-id-in-the-compound-request.patch new file mode 100644 index 00000000000..ca6b7f3c002 --- /dev/null +++ b/queue-6.3/ksmbd-validate-session-id-and-tree-id-in-the-compound-request.patch @@ -0,0 +1,156 @@ +From 5005bcb4219156f1bf7587b185080ec1da08518e Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 15 Jun 2023 22:05:29 +0900 +Subject: ksmbd: validate session id and tree id in the compound request + +From: Namjae Jeon + +commit 5005bcb4219156f1bf7587b185080ec1da08518e upstream. + +This patch validate session id and tree id in compound request. +If first operation in the compound is SMB2 ECHO request, ksmbd bypass +session and tree validation. So work->sess and work->tcon could be NULL. +If secound request in the compound access work->sess or tcon, It cause +NULL pointer dereferecing error. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21165 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/server.c | 33 ++++++++++++++++++++------------- + fs/ksmbd/smb2pdu.c | 44 +++++++++++++++++++++++++++++++++++++++----- + 2 files changed, 59 insertions(+), 18 deletions(-) + +--- a/fs/ksmbd/server.c ++++ b/fs/ksmbd/server.c +@@ -185,24 +185,31 @@ static void __handle_ksmbd_work(struct k + goto send; + } + +- if (conn->ops->check_user_session) { +- rc = conn->ops->check_user_session(work); +- if (rc < 0) { +- command = conn->ops->get_cmd_val(work); +- conn->ops->set_rsp_status(work, +- STATUS_USER_SESSION_DELETED); +- goto send; +- } else if (rc > 0) { +- rc = conn->ops->get_ksmbd_tcon(work); ++ do { ++ if (conn->ops->check_user_session) { ++ rc = conn->ops->check_user_session(work); + if (rc < 0) { +- conn->ops->set_rsp_status(work, +- STATUS_NETWORK_NAME_DELETED); ++ if (rc == -EINVAL) ++ conn->ops->set_rsp_status(work, ++ STATUS_INVALID_PARAMETER); ++ else ++ conn->ops->set_rsp_status(work, ++ STATUS_USER_SESSION_DELETED); + goto send; ++ } else if (rc > 0) { ++ rc = conn->ops->get_ksmbd_tcon(work); ++ if (rc < 0) { ++ if (rc == -EINVAL) ++ conn->ops->set_rsp_status(work, ++ STATUS_INVALID_PARAMETER); ++ else ++ conn->ops->set_rsp_status(work, ++ STATUS_NETWORK_NAME_DELETED); ++ goto send; ++ } + } + } +- } + +- do { + rc = __process_request(work, conn, &command); + if (rc == SERVER_HANDLER_ABORT) + break; +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -91,7 +91,6 @@ int smb2_get_ksmbd_tcon(struct ksmbd_wor + unsigned int cmd = le16_to_cpu(req_hdr->Command); + int tree_id; + +- work->tcon = NULL; + if (cmd == SMB2_TREE_CONNECT_HE || + cmd == SMB2_CANCEL_HE || + cmd == SMB2_LOGOFF_HE) { +@@ -105,10 +104,28 @@ int smb2_get_ksmbd_tcon(struct ksmbd_wor + } + + tree_id = le32_to_cpu(req_hdr->Id.SyncId.TreeId); ++ ++ /* ++ * If request is not the first in Compound request, ++ * Just validate tree id in header with work->tcon->id. ++ */ ++ if (work->next_smb2_rcv_hdr_off) { ++ if (!work->tcon) { ++ pr_err("The first operation in the compound does not have tcon\n"); ++ return -EINVAL; ++ } ++ if (work->tcon->id != tree_id) { ++ pr_err("tree id(%u) is different with id(%u) in first operation\n", ++ tree_id, work->tcon->id); ++ return -EINVAL; ++ } ++ return 1; ++ } ++ + work->tcon = ksmbd_tree_conn_lookup(work->sess, tree_id); + if (!work->tcon) { + pr_err("Invalid tid %d\n", tree_id); +- return -EINVAL; ++ return -ENOENT; + } + + return 1; +@@ -547,7 +564,6 @@ int smb2_check_user_session(struct ksmbd + unsigned int cmd = conn->ops->get_cmd_val(work); + unsigned long long sess_id; + +- work->sess = NULL; + /* + * SMB2_ECHO, SMB2_NEGOTIATE, SMB2_SESSION_SETUP command do not + * require a session id, so no need to validate user session's for +@@ -558,15 +574,33 @@ int smb2_check_user_session(struct ksmbd + return 0; + + if (!ksmbd_conn_good(conn)) +- return -EINVAL; ++ return -EIO; + + sess_id = le64_to_cpu(req_hdr->SessionId); ++ ++ /* ++ * If request is not the first in Compound request, ++ * Just validate session id in header with work->sess->id. ++ */ ++ if (work->next_smb2_rcv_hdr_off) { ++ if (!work->sess) { ++ pr_err("The first operation in the compound does not have sess\n"); ++ return -EINVAL; ++ } ++ if (work->sess->id != sess_id) { ++ pr_err("session id(%llu) is different with the first operation(%lld)\n", ++ sess_id, work->sess->id); ++ return -EINVAL; ++ } ++ return 1; ++ } ++ + /* Check for validity of user session */ + work->sess = ksmbd_session_lookup_all(conn, sess_id); + if (work->sess) + return 1; + ksmbd_debug(SMB, "Invalid user session, Uid %llu\n", sess_id); +- return -EINVAL; ++ return -ENOENT; + } + + static void destroy_previous_session(struct ksmbd_conn *conn, diff --git a/queue-6.3/revert-efi-random-refresh-non-volatile-random-seed-when-rng-is-initialized.patch b/queue-6.3/revert-efi-random-refresh-non-volatile-random-seed-when-rng-is-initialized.patch new file mode 100644 index 00000000000..b18016a7b75 --- /dev/null +++ b/queue-6.3/revert-efi-random-refresh-non-volatile-random-seed-when-rng-is-initialized.patch @@ -0,0 +1,64 @@ +From 69cbeb61ff9093a9155cb19a36d633033f71093a Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 21 Jun 2023 10:58:46 -0700 +Subject: Revert "efi: random: refresh non-volatile random seed when RNG is initialized" + +From: Linus Torvalds + +commit 69cbeb61ff9093a9155cb19a36d633033f71093a upstream. + +This reverts commit e7b813b32a42a3a6281a4fd9ae7700a0257c1d50 (and the +subsequent fix for it: 41a15855c1ee "efi: random: fix NULL-deref when +refreshing seed"). + +It turns otu to cause non-deterministic boot stalls on at least a HP +6730b laptop. + +Reported-and-bisected-by: Sami Korkalainen +Link: https://lore.kernel.org/all/GQUnKz2al3yke5mB2i1kp3SzNHjK8vi6KJEh7rnLrOQ24OrlljeCyeWveLW9pICEmB9Qc8PKdNt3w1t_g3-Uvxq1l8Wj67PpoMeWDoH8PKk=@proton.me/ +Cc: Jason A. Donenfeld +Cc: Bagas Sanjaya +Cc: stable@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/efi.c | 21 --------------------- + 1 file changed, 21 deletions(-) + +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -361,24 +361,6 @@ static void __init efi_debugfs_init(void + static inline void efi_debugfs_init(void) {} + #endif + +-static void refresh_nv_rng_seed(struct work_struct *work) +-{ +- u8 seed[EFI_RANDOM_SEED_SIZE]; +- +- get_random_bytes(seed, sizeof(seed)); +- efi.set_variable(L"RandomSeed", &LINUX_EFI_RANDOM_SEED_TABLE_GUID, +- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | +- EFI_VARIABLE_RUNTIME_ACCESS, sizeof(seed), seed); +- memzero_explicit(seed, sizeof(seed)); +-} +-static int refresh_nv_rng_seed_notification(struct notifier_block *nb, unsigned long action, void *data) +-{ +- static DECLARE_WORK(work, refresh_nv_rng_seed); +- schedule_work(&work); +- return NOTIFY_DONE; +-} +-static struct notifier_block refresh_nv_rng_seed_nb = { .notifier_call = refresh_nv_rng_seed_notification }; +- + /* + * We register the efi subsystem with the firmware subsystem and the + * efivars subsystem with the efi subsystem, if the system was booted with +@@ -451,9 +433,6 @@ static int __init efisubsys_init(void) + platform_device_register_simple("efi_secret", 0, NULL, 0); + #endif + +- if (efi_rt_services_supported(EFI_RT_SUPPORTED_SET_VARIABLE)) +- execute_with_initialized_rng(&refresh_nv_rng_seed_nb); +- + return 0; + + err_remove_group: diff --git a/queue-6.3/series b/queue-6.3/series index 0f9ba3423d2..d9e6630efae 100644 --- a/queue-6.3/series +++ b/queue-6.3/series @@ -5,3 +5,11 @@ drm-amd-display-fix-the-system-hang-while-disable-ps.patch ata-libata-scsi-avoid-deadlock-on-rescan-after-devic.patch mm-fix-copy_from_user_nofault.patch tpm-tpm_tis-claim-locality-in-interrupt-handler.patch +ksmbd-validate-command-payload-size.patch +ksmbd-fix-out-of-bound-read-in-smb2_write.patch +ksmbd-validate-session-id-and-tree-id-in-the-compound-request.patch +udmabuf-revert-add-support-for-mapping-hugepages-v4.patch +revert-efi-random-refresh-non-volatile-random-seed-when-rng-is-initialized.patch +afs-fix-dangling-folio-ref-counts-in-writeback.patch +afs-fix-waiting-for-writeback-then-skipping-folio.patch +tick-common-align-tick-period-during-sched_timer-setup.patch diff --git a/queue-6.3/tick-common-align-tick-period-during-sched_timer-setup.patch b/queue-6.3/tick-common-align-tick-period-during-sched_timer-setup.patch new file mode 100644 index 00000000000..26b077ef595 --- /dev/null +++ b/queue-6.3/tick-common-align-tick-period-during-sched_timer-setup.patch @@ -0,0 +1,95 @@ +From 13bb06f8dd42071cb9a49f6e21099eea05d4b856 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 15 Jun 2023 11:18:30 +0200 +Subject: tick/common: Align tick period during sched_timer setup + +From: Thomas Gleixner + +commit 13bb06f8dd42071cb9a49f6e21099eea05d4b856 upstream. + +The tick period is aligned very early while the first clock_event_device is +registered. At that point the system runs in periodic mode and switches +later to one-shot mode if possible. + +The next wake-up event is programmed based on the aligned value +(tick_next_period) but the delta value, that is used to program the +clock_event_device, is computed based on ktime_get(). + +With the subtracted offset, the device fires earlier than the exact time +frame. With a large enough offset the system programs the timer for the +next wake-up and the remaining time left is too small to make any boot +progress. The system hangs. + +Move the alignment later to the setup of tick_sched timer. At this point +the system switches to oneshot mode and a high resolution clocksource is +available. At this point it is safe to align tick_next_period because +ktime_get() will now return accurate (not jiffies based) time. + +[bigeasy: Patch description + testing]. + +Fixes: e9523a0d81899 ("tick/common: Align tick period with the HZ tick.") +Reported-by: Mathias Krause +Reported-by: "Bhatnagar, Rishabh" +Suggested-by: Mathias Krause +Signed-off-by: Thomas Gleixner +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Tested-by: Richard W.M. Jones +Tested-by: Mathias Krause +Acked-by: SeongJae Park +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/5a56290d-806e-b9a5-f37c-f21958b5a8c0@grsecurity.net +Link: https://lore.kernel.org/12c6f9a3-d087-b824-0d05-0d18c9bc1bf3@amazon.com +Link: https://lore.kernel.org/r/20230615091830.RxMV2xf_@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/tick-common.c | 13 +------------ + kernel/time/tick-sched.c | 13 ++++++++++++- + 2 files changed, 13 insertions(+), 13 deletions(-) + +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -218,19 +218,8 @@ static void tick_setup_device(struct tic + * this cpu: + */ + if (tick_do_timer_cpu == TICK_DO_TIMER_BOOT) { +- ktime_t next_p; +- u32 rem; +- + tick_do_timer_cpu = cpu; +- +- next_p = ktime_get(); +- div_u64_rem(next_p, TICK_NSEC, &rem); +- if (rem) { +- next_p -= rem; +- next_p += TICK_NSEC; +- } +- +- tick_next_period = next_p; ++ tick_next_period = ktime_get(); + #ifdef CONFIG_NO_HZ_FULL + /* + * The boot CPU may be nohz_full, in which case set +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -161,8 +161,19 @@ static ktime_t tick_init_jiffy_update(vo + raw_spin_lock(&jiffies_lock); + write_seqcount_begin(&jiffies_seq); + /* Did we start the jiffies update yet ? */ +- if (last_jiffies_update == 0) ++ if (last_jiffies_update == 0) { ++ u32 rem; ++ ++ /* ++ * Ensure that the tick is aligned to a multiple of ++ * TICK_NSEC. ++ */ ++ div_u64_rem(tick_next_period, TICK_NSEC, &rem); ++ if (rem) ++ tick_next_period += TICK_NSEC - rem; ++ + last_jiffies_update = tick_next_period; ++ } + period = last_jiffies_update; + write_seqcount_end(&jiffies_seq); + raw_spin_unlock(&jiffies_lock); diff --git a/queue-6.3/udmabuf-revert-add-support-for-mapping-hugepages-v4.patch b/queue-6.3/udmabuf-revert-add-support-for-mapping-hugepages-v4.patch new file mode 100644 index 00000000000..93d4c77fa6b --- /dev/null +++ b/queue-6.3/udmabuf-revert-add-support-for-mapping-hugepages-v4.patch @@ -0,0 +1,129 @@ +From b7cb3821905b79b6ed474fd5ba34d1e187649139 Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Thu, 8 Jun 2023 13:49:27 -0700 +Subject: udmabuf: revert 'Add support for mapping hugepages (v4)' + +From: Mike Kravetz + +commit b7cb3821905b79b6ed474fd5ba34d1e187649139 upstream. + +This effectively reverts commit 16c243e99d33 ("udmabuf: Add support for +mapping hugepages (v4)"). Recently, Junxiao Chang found a BUG with page +map counting as described here [1]. This issue pointed out that the +udmabuf driver was making direct use of subpages of hugetlb pages. This +is not a good idea, and no other mm code attempts such use. In addition +to the mapcount issue, this also causes issues with hugetlb vmemmap +optimization and page poisoning. + +For now, remove hugetlb support. + +If udmabuf wants to be used on hugetlb mappings, it should be changed to +only use complete hugetlb pages. This will require different alignment +and size requirements on the UDMABUF_CREATE API. + +[1] https://lore.kernel.org/linux-mm/20230512072036.1027784-1-junxiao.chang@intel.com/ + +Link: https://lkml.kernel.org/r/20230608204927.88711-1-mike.kravetz@oracle.com +Fixes: 16c243e99d33 ("udmabuf: Add support for mapping hugepages (v4)") +Signed-off-by: Mike Kravetz +Acked-by: Greg Kroah-Hartman +Acked-by: Vivek Kasireddy +Acked-by: Gerd Hoffmann +Cc: David Hildenbrand +Cc: Dongwon Kim +Cc: James Houghton +Cc: Jerome Marchand +Cc: Junxiao Chang +Cc: Kirill A. Shutemov +Cc: Michal Hocko +Cc: Muchun Song +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/udmabuf.c | 47 +++++----------------------------------------- + 1 file changed, 6 insertions(+), 41 deletions(-) + +--- a/drivers/dma-buf/udmabuf.c ++++ b/drivers/dma-buf/udmabuf.c +@@ -12,7 +12,6 @@ + #include + #include + #include +-#include + #include + #include + +@@ -207,9 +206,7 @@ static long udmabuf_create(struct miscde + struct udmabuf *ubuf; + struct dma_buf *buf; + pgoff_t pgoff, pgcnt, pgidx, pgbuf = 0, pglimit; +- struct page *page, *hpage = NULL; +- pgoff_t subpgoff, maxsubpgs; +- struct hstate *hpstate; ++ struct page *page; + int seals, ret = -EINVAL; + u32 i, flags; + +@@ -245,7 +242,7 @@ static long udmabuf_create(struct miscde + if (!memfd) + goto err; + mapping = memfd->f_mapping; +- if (!shmem_mapping(mapping) && !is_file_hugepages(memfd)) ++ if (!shmem_mapping(mapping)) + goto err; + seals = memfd_fcntl(memfd, F_GET_SEALS, 0); + if (seals == -EINVAL) +@@ -256,48 +253,16 @@ static long udmabuf_create(struct miscde + goto err; + pgoff = list[i].offset >> PAGE_SHIFT; + pgcnt = list[i].size >> PAGE_SHIFT; +- if (is_file_hugepages(memfd)) { +- hpstate = hstate_file(memfd); +- pgoff = list[i].offset >> huge_page_shift(hpstate); +- subpgoff = (list[i].offset & +- ~huge_page_mask(hpstate)) >> PAGE_SHIFT; +- maxsubpgs = huge_page_size(hpstate) >> PAGE_SHIFT; +- } + for (pgidx = 0; pgidx < pgcnt; pgidx++) { +- if (is_file_hugepages(memfd)) { +- if (!hpage) { +- hpage = find_get_page_flags(mapping, pgoff, +- FGP_ACCESSED); +- if (!hpage) { +- ret = -EINVAL; +- goto err; +- } +- } +- page = hpage + subpgoff; +- get_page(page); +- subpgoff++; +- if (subpgoff == maxsubpgs) { +- put_page(hpage); +- hpage = NULL; +- subpgoff = 0; +- pgoff++; +- } +- } else { +- page = shmem_read_mapping_page(mapping, +- pgoff + pgidx); +- if (IS_ERR(page)) { +- ret = PTR_ERR(page); +- goto err; +- } ++ page = shmem_read_mapping_page(mapping, pgoff + pgidx); ++ if (IS_ERR(page)) { ++ ret = PTR_ERR(page); ++ goto err; + } + ubuf->pages[pgbuf++] = page; + } + fput(memfd); + memfd = NULL; +- if (hpage) { +- put_page(hpage); +- hpage = NULL; +- } + } + + exp_info.ops = &udmabuf_ops;