From: Greg Kroah-Hartman Date: Sat, 11 Jan 2025 16:33:00 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.1.125~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc5c5f61d4fc7bccb468e6ef1dc47a20168d7c3a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch --- diff --git a/queue-5.15/dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch b/queue-5.15/dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch new file mode 100644 index 00000000000..eb2b0a181e4 --- /dev/null +++ b/queue-5.15/dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch 
@@ -0,0 +1,33 @@ +From 47f33c27fc9565fb0bc7dfb76be08d445cd3d236 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 7 Jan 2025 17:47:01 +0100 +Subject: dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY + +From: Mikulas Patocka + +commit 47f33c27fc9565fb0bc7dfb76be08d445cd3d236 upstream. + +dm-ebs uses dm-bufio to process requests that are not aligned on logical +sector size. dm-bufio doesn't support passing integrity data (and it is +unclear how should it do it), so we shouldn't set the +DM_TARGET_PASSES_INTEGRITY flag. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Fixes: d3c7b35c20d6 ("dm: add emulated block size target") +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ebs-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-ebs-target.c ++++ b/drivers/md/dm-ebs-target.c +@@ -440,7 +440,7 @@ static int ebs_iterate_devices(struct dm + static struct target_type ebs_target = { + .name = "ebs", + .version = {1, 0, 1}, +- .features = DM_TARGET_PASSES_INTEGRITY, ++ .features = 0, + .module = THIS_MODULE, + .ctr = ebs_ctr, + .dtr = ebs_dtr, diff --git a/queue-5.15/dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch b/queue-5.15/dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch new file mode 100644 index 00000000000..4f4376b815a --- /dev/null +++ b/queue-5.15/dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch 
@@ -0,0 +1,64 @@ +From 80f130bfad1dab93b95683fc39b87235682b8f72 Mon Sep 17 00:00:00 2001 +From: Krister Johansen +Date: Tue, 7 Jan 2025 15:24:58 -0800 +Subject: dm thin: make get_first_thin use rcu-safe list first function + +From: Krister Johansen + +commit 80f130bfad1dab93b95683fc39b87235682b8f72 upstream. + +The documentation in rculist.h explains the absence of list_empty_rcu() +and cautions programmers against relying on a list_empty() -> +list_first() sequence in RCU safe code. This is because each of these +functions performs its own READ_ONCE() of the list head. This can lead +to a situation where the list_empty() sees a valid list entry, but the +subsequent list_first() sees a different view of list head state after a +modification. + +In the case of dm-thin, this author had a production box crash from a GP +fault in the process_deferred_bios path. This function saw a valid list +head in get_first_thin() but when it subsequently dereferenced that and +turned it into a thin_c, it got the inside of the struct pool, since the +list was now empty and referring to itself. The kernel on which this +occurred printed both a warning about a refcount_t being saturated, and +a UBSAN error for an out-of-bounds cpuid access in the queued spinlock, +prior to the fault itself. When the resulting kdump was examined, it +was possible to see another thread patiently waiting in thin_dtr's +synchronize_rcu. + +The thin_dtr call managed to pull the thin_c out of the active thins +list (and have it be the last entry in the active_thins list) at just +the wrong moment which lead to this crash. + +Fortunately, the fix here is straight forward. Switch get_first_thin() +function to use list_first_or_null_rcu() which performs just a single +READ_ONCE() and returns NULL if the list is already empty. + +This was run against the devicemapper test suite's thin-provisioning +suites for delete and suspend and no regressions were observed. 
+ +Signed-off-by: Krister Johansen +Fixes: b10ebd34ccca ("dm thin: fix rcu_read_lock being held in code that can sleep") +Cc: stable@vger.kernel.org +Acked-by: Ming-Hung Tsai +Signed-off-by: Mikulas Patocka +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-thin.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -2317,10 +2317,9 @@ static struct thin_c *get_first_thin(str + struct thin_c *tc = NULL; + + rcu_read_lock(); +- if (!list_empty(&pool->active_thins)) { +- tc = list_entry_rcu(pool->active_thins.next, struct thin_c, list); ++ tc = list_first_or_null_rcu(&pool->active_thins, struct thin_c, list); ++ if (tc) + thin_get(tc); +- } + rcu_read_unlock(); + + return tc; diff --git a/queue-5.15/drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch b/queue-5.15/drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch new file mode 100644 index 00000000000..47c4154fdc8 --- /dev/null +++ b/queue-5.15/drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch 
@@ -0,0 +1,63 @@ +From 0881fbc4fd62e00a2b8e102725f76d10351b2ea8 Mon Sep 17 00:00:00 2001 +From: Roman Li +Date: Fri, 13 Dec 2024 13:51:07 -0500 +Subject: drm/amd/display: Add check for granularity in dml ceil/floor helpers + +From: Roman Li + +commit 0881fbc4fd62e00a2b8e102725f76d10351b2ea8 upstream. + +[Why] +Wrapper functions for dcn_bw_ceil2() and dcn_bw_floor2() +should check for granularity is non zero to avoid assert and +divide-by-zero error in dcn_bw_ functions. + +[How] +Add check for granularity 0. + +Cc: Mario Limonciello +Reviewed-by: Alvin Lee +Signed-off-by: Roman Li +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit f6e09701c3eb2ccb8cb0518e0b67f1c69742a4ec) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h ++++ b/drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h +@@ -66,11 +66,15 @@ static inline double dml_max5(double a, + + static inline double dml_ceil(double a, double granularity) + { ++ if (granularity == 0) ++ return 0; + return (double) dcn_bw_ceil2(a, granularity); + } + + static inline double dml_floor(double a, double granularity) + { ++ if (granularity == 0) ++ return 0; + return (double) dcn_bw_floor2(a, granularity); + } + +@@ -119,11 +123,15 @@ static inline double dml_ceil_2(double f + + static inline double dml_ceil_ex(double x, double granularity) + { ++ if (granularity == 0) ++ return 0; + return (double) dcn_bw_ceil2(x, granularity); + } + + static inline double dml_floor_ex(double x, double granularity) + { ++ if (granularity == 0) ++ return 0; + return (double) dcn_bw_floor2(x, granularity); + } + diff --git a/queue-5.15/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch b/queue-5.15/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..13e81119f49 --- /dev/null 
+++ b/queue-5.15/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch @@ -0,0 +1,49 @@ +From 15649fd5415eda664ef35780c2013adeb5d9c695 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:34 +0100 +Subject: sctp: sysctl: auth_enable: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, but that would +increase the size of this fix, while 'sctp.ctl_sock' still needs to be +retrieved from 'net' structure. + +Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -492,7 +492,7 @@ static int proc_sctp_do_alpha_beta(struc + static int proc_sctp_do_auth(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, sctp.auth_enable); + struct ctl_table tbl; + int new_value, ret; + 
diff --git a/queue-5.15/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch b/queue-5.15/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..45e6c4e38e6 --- /dev/null +++ b/queue-5.15/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch 
@@ -0,0 +1,51 @@ +From ea62dd1383913b5999f3d16ae99d411f41b528d4 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:32 +0100 +Subject: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit ea62dd1383913b5999f3d16ae99d411f41b528d4 upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, as this is the only +member needed from the 'net' structure, but that would increase the size +of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is +used. + +Fixes: 3c68198e7511 ("sctp: Make hmac algorithm selection for cookie generation dynamic") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-4-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -380,7 +380,8 @@ static struct ctl_table sctp_net_table[] + static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, ++ sctp.sctp_hmac_alg); + struct ctl_table tbl; + bool changed = false; + char *none = "none"; 
diff --git a/queue-5.15/sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch b/queue-5.15/sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..333042e83bd --- /dev/null +++ b/queue-5.15/sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch 
@@ -0,0 +1,51 @@ +From 6259d2484d0ceff42245d1f09cc8cb6ee72d847a Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:36 +0100 +Subject: sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit 6259d2484d0ceff42245d1f09cc8cb6ee72d847a upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, as this is the only +member needed from the 'net' structure, but that would increase the size +of this fix, to use '*data' everywhere 'net->sctp.probe_interval' is +used. + +Fixes: d1e462a7a5f3 ("sctp: add probe_interval in sysctl and sock/asoc/transport") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-8-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -562,7 +562,8 @@ static int proc_sctp_do_udp_port(struct + static int proc_sctp_do_probe_interval(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, ++ sctp.probe_interval); + struct ctl_table tbl; + int ret, new_value; + 
diff --git a/queue-5.15/sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch b/queue-5.15/sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..57135059d38 --- /dev/null +++ b/queue-5.15/sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch 
@@ -0,0 +1,58 @@ +From 9fc17b76fc70763780aa78b38fcf4742384044a5 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:33 +0100 +Subject: sctp: sysctl: rto_min/max: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit 9fc17b76fc70763780aa78b38fcf4742384044a5 upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, as this is the only +member needed from the 'net' structure, but that would increase the size +of this fix, to use '*data' everywhere 'net->sctp.rto_min/max' is used. 
+ +Fixes: 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-5-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -426,7 +426,7 @@ static int proc_sctp_do_hmac_alg(struct + static int proc_sctp_do_rto_min(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, sctp.rto_min); + unsigned int min = *(unsigned int *) ctl->extra1; + unsigned int max = *(unsigned int *) ctl->extra2; + struct ctl_table tbl; +@@ -454,7 +454,7 @@ static int proc_sctp_do_rto_min(struct c + static int proc_sctp_do_rto_max(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, sctp.rto_max); + unsigned int min = *(unsigned int *) ctl->extra1; + unsigned int max = *(unsigned int *) ctl->extra2; + struct ctl_table tbl; diff --git a/queue-5.15/sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch b/queue-5.15/sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..09f8c28abba --- /dev/null +++ b/queue-5.15/sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch 
@@ -0,0 +1,49 @@ +From c10377bbc1972d858eaf0ab366a311b39f8ef1b6 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:35 +0100 +Subject: sctp: sysctl: udp_port: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit c10377bbc1972d858eaf0ab366a311b39f8ef1b6 upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, but that would +increase the size of this fix, while 'sctp.ctl_sock' still needs to be +retrieved from 'net' structure. + +Fixes: 046c052b475e ("sctp: enable udp tunneling socks") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-7-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -521,7 +521,7 @@ static int proc_sctp_do_auth(struct ctl_ + static int proc_sctp_do_udp_port(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, sctp.udp_port); + unsigned int min = *(unsigned int *)ctl->extra1; + unsigned int max = *(unsigned int *)ctl->extra2; + struct ctl_table tbl; 
diff --git a/queue-5.15/series b/queue-5.15/series index eedb454be57..45dcd4d5a9a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -23,3 +23,11 @@ netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch drm-mediatek-add-support-for-180-degree-rotation-in-.patch ksmbd-fix-a-missing-return-value-check-bug.patch afs-fix-the-maximum-cell-name-length.patch +dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch +dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch +sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch +sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch +sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch +sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch +sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch +drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch
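Review bot: in drivers/md/dm-ebs-target.c, ebs_target keeps `.version = {1, 0, 1}` while `.features` changes from DM_TARGET_PASSES_INTEGRITY to 0. If dropping the flag changes what can be stacked on an ebs target, bumping the target version in the same hunk would let tooling tell the two behaviours apart. The `.features = 0,` line can also be dropped, since unnamed members of a static initializer are already zero.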
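Review bot: get_first_thin() in drivers/md/dm-thin.c carries no comment explaining why list_first_or_null_rcu() replaces the list_empty() check, so a later cleanup could reintroduce the two-read sequence the commit message describes. A one-line comment above `tc = list_first_or_null_rcu(&pool->active_thins, struct thin_c, list);` pointing at the rculist.h caveat would record the reason in the code. The commit message also does not say whether other readers of pool->active_thins were checked for the same list_empty() then list_entry_rcu() pattern; that is worth stating.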
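Review bot: dml_ceil() and dml_floor() in dml_inline_defs.h (hunk at -66,11) now return 0 when granularity is 0, which silently discards `a`, and callers cannot tell this apart from a legitimate result of 0. A comment stating that 0 is the intended result, or returning `a` unchanged, would make the contract explicit. Note too that `granularity == 0` is an exact comparison on a double, so any nonzero value, however small, is still passed on to dcn_bw_ceil2() and dcn_bw_floor2(); if those are unsafe for such values as well, the guard should be a threshold.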
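Review bot: after the hunk at -119,11, dml_ceil_ex() and dml_floor_ex() are line for line the same as dml_ceil() and dml_floor(), guard included, so the zero check now lives in four places in dml_inline_defs.h. Having the _ex variants call the plain helpers, for example `return dml_ceil(x, granularity);`, would keep the guard in one place and stop the copies from drifting apart.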
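Review bot: in proc_sctp_do_auth() (net/sctp/sysctl.c, hunk at -492,7) the new `container_of(ctl->data, struct net, sctp.auth_enable)` is only correct if ctl->data for this table entry points at exactly that member, and nothing in the hunk shows or checks it. If the entry's .data is ever changed or left unset, the result is a bogus struct net pointer rather than a clean NULL dereference. A comment at the handler or at the table entry stating that .data must stay in sync with the member named here would document the dependency.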
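Review bot: proc_sctp_do_rto_min() and proc_sctp_do_rto_max() (net/sctp/sysctl.c, hunks at -426,7 and -454,7) each spell the member by hand, `sctp.rto_min` and `sctp.rto_max`, and the same open-coded container_of() recurs in the auth_enable, cookie_hmac_alg, udp_port and probe_interval handlers of this series. Naming the wrong member of the same type compiles cleanly and yields a wrong struct net, so each handler should be checked against its sctp_net_table entry, and a short comment pairing the handler with its .data member would make that check repeatable for later backports.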