From: Sasha Levin Date: Fri, 1 Nov 2024 03:01:30 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v4.19.323~128 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f9cb50e96a85a662bb78497f473b57153aa462e4;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/cgroup-fix-potential-overflow-issue-when-checking-ma.patch b/queue-5.10/cgroup-fix-potential-overflow-issue-when-checking-ma.patch new file mode 100644 index 00000000000..6da9c005d53 --- /dev/null +++ b/queue-5.10/cgroup-fix-potential-overflow-issue-when-checking-ma.patch @@ -0,0 +1,59 @@ +From 37f1b6163ef999c056ec94d48e24d90098d2c438 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Oct 2024 07:22:46 +0000 +Subject: cgroup: Fix potential overflow issue when checking max_depth +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xiu Jianfeng + +[ Upstream commit 3cc4e13bb1617f6a13e5e6882465984148743cf4 ] + +cgroup.max.depth is the maximum allowed descent depth below the current +cgroup. If the actual descent depth is equal or larger, an attempt to +create a new child cgroup will fail. However due to the cgroup->max_depth +is of int type and having the default value INT_MAX, the condition +'level > cgroup->max_depth' will never be satisfied, and it will cause +an overflow of the level after it reaches to INT_MAX. + +Fix it by starting the level from 0 and using '>=' instead. + +It's worth mentioning that this issue is unlikely to occur in reality, +as it's impossible to have a depth of INT_MAX hierarchy, but should be +be avoided logically. + +Fixes: 1a926e0bbab8 ("cgroup: implement hierarchy limits") +Signed-off-by: Xiu Jianfeng +Reviewed-by: Michal Koutný +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 66970b74106c8..e0fd62d56110a 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -5437,7 +5437,7 @@ static bool cgroup_check_hierarchy_limits(struct cgroup *parent) + { + struct cgroup *cgroup; + int ret = false; +- int level = 1; ++ int level = 0; + + lockdep_assert_held(&cgroup_mutex); + +@@ -5445,7 +5445,7 @@ static bool cgroup_check_hierarchy_limits(struct cgroup *parent) + if (cgroup->nr_descendants >= cgroup->max_descendants) + goto fail; + +- if (level > cgroup->max_depth) ++ if (level >= cgroup->max_depth) + goto fail; + + level++; +-- +2.43.0 + diff --git a/queue-5.10/selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch b/queue-5.10/selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch new file mode 100644 index 00000000000..cf11e6401fb --- /dev/null +++ b/queue-5.10/selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch @@ -0,0 +1,70 @@ +From 7ba2adbfc4baeaf145ac7eae6347cd59b64b8147 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2024 00:07:52 -0500 +Subject: selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map + test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Donet Tom + +[ Upstream commit 76503e1fa1a53ef041a120825d5ce81c7fe7bdd7 ] + +The hmm2 double_map test was failing due to an incorrect buffer->mirror +size. The buffer->mirror size was 6, while buffer->ptr size was 6 * +PAGE_SIZE. The test failed because the kernel's copy_to_user function was +attempting to copy a 6 * PAGE_SIZE buffer to buffer->mirror. Since the +size of buffer->mirror was incorrect, copy_to_user failed. + +This patch corrects the buffer->mirror size to 6 * PAGE_SIZE. + +Test Result without this patch +============================== + # RUN hmm2.hmm2_device_private.double_map ... + # hmm-tests.c:1680:double_map:Expected ret (-14) == 0 (0) + # double_map: Test terminated by assertion + # FAIL hmm2.hmm2_device_private.double_map + not ok 53 hmm2.hmm2_device_private.double_map + +Test Result with this patch +=========================== + # RUN hmm2.hmm2_device_private.double_map ... + # OK hmm2.hmm2_device_private.double_map + ok 53 hmm2.hmm2_device_private.double_map + +Link: https://lkml.kernel.org/r/20240927050752.51066-1-donettom@linux.ibm.com +Fixes: fee9f6d1b8df ("mm/hmm/test: add selftests for HMM") +Signed-off-by: Donet Tom +Reviewed-by: Muhammad Usama Anjum +Cc: Jérôme Glisse +Cc: Kees Cook +Cc: Mark Brown +Cc: Przemek Kitszel +Cc: Ritesh Harjani (IBM) +Cc: Shuah Khan +Cc: Ralph Campbell +Cc: Jason Gunthorpe +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vm/hmm-tests.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/vm/hmm-tests.c b/tools/testing/selftests/vm/hmm-tests.c +index 426dccc08f906..738c34eb50afc 100644 +--- a/tools/testing/selftests/vm/hmm-tests.c ++++ b/tools/testing/selftests/vm/hmm-tests.c +@@ -1474,7 +1474,7 @@ TEST_F(hmm2, double_map) + + buffer->fd = -1; + buffer->size = size; +- buffer->mirror = malloc(npages); ++ buffer->mirror = malloc(size); + ASSERT_NE(buffer->mirror, NULL); + + /* Reserve a range of addresses. */ +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 00f753354af..e67e89ac7c8 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -54,3 +54,5 @@ net-phy-dp83822-fix-reset-pin-definitions.patch asoc-qcom-fix-null-dereference-in-asoc_qcom_lpass_cpu_platform_probe.patch arm64-uprobes-change-the-uprobe_opcode_t-typedef-to-fix-the-sparse-warning.patch xfrm-validate-new-sa-s-prefixlen-using-sa-family-whe.patch +selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch +cgroup-fix-potential-overflow-issue-when-checking-ma.patch