From 2c476d315d5647c8cb0d34be417fd4d0fcb16747 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 17 Apr 2025 16:30:37 +0200 Subject: [PATCH] 6.13-stable patches added patches: acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch nfsd-fix-cb_getattr-status-fix.patch nfsd-fix-decoding-in-nfs4_xdr_dec_cb_getattr.patch x86-paravirt-move-halt-paravirt-calls-under-config_paravirt.patch --- ...violation-when-accessing-sysfs-files.patch | 105 ++++++++++ ...the-return-code-of-svc_proc_register.patch | 96 +++++++++ .../nfsd-fix-cb_getattr-status-fix.patch | 44 ++++ ...-decoding-in-nfs4_xdr_dec_cb_getattr.patch | 35 ++++ queue-6.13/series | 5 + ...paravirt-calls-under-config_paravirt.patch | 196 ++++++++++++++++++ 6 files changed, 481 insertions(+) create mode 100644 queue-6.13/acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch create mode 100644 queue-6.13/nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch create mode 100644 queue-6.13/nfsd-fix-cb_getattr-status-fix.patch create mode 100644 queue-6.13/nfsd-fix-decoding-in-nfs4_xdr_dec_cb_getattr.patch create mode 100644 queue-6.13/x86-paravirt-move-halt-paravirt-calls-under-config_paravirt.patch diff --git a/queue-6.13/acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch b/queue-6.13/acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch new file mode 100644 index 0000000000..cfe32b10b7 --- /dev/null +++ b/queue-6.13/acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch 
@@ -0,0 +1,105 @@ +From dd4f730b557ce701a2cd4f604bf1e57667bd8b6e Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 10 Feb 2025 21:28:25 -0500 +Subject: ACPI: platform-profile: Fix CFI violation when accessing sysfs files + +From: Nathan Chancellor + +commit dd4f730b557ce701a2cd4f604bf1e57667bd8b6e upstream. + +When an attribute group is created with sysfs_create_group(), the +->sysfs_ops() callback is set to kobj_sysfs_ops, which sets the ->show() +and ->store() callbacks to kobj_attr_show() and kobj_attr_store() +respectively. These functions use container_of() to get the respective +callback from the passed attribute, meaning that these callbacks need to +be of the same type as the callbacks in 'struct kobj_attribute'. + +However, ->show() and ->store() in the platform_profile driver are +defined for struct device_attribute with the help of DEVICE_ATTR_RO() +and DEVICE_ATTR_RW(), which results in a CFI violation when accessing +platform_profile or platform_profile_choices under /sys/firmware/acpi +because the types do not match: + + CFI failure at kobj_attr_show+0x19/0x30 (target: platform_profile_choices_show+0x0/0x140; expected type: 0x7a69590c) + +There is no functional issue from the type mismatch because the layout +of 'struct kobj_attribute' and 'struct device_attribute' are the same, +so the container_of() cast does not break anything aside from CFI. + +Change the type of platform_profile_choices_show() and +platform_profile_{show,store}() to match the callbacks in +'struct kobj_attribute' and update the attribute variables to +match, which resolves the CFI violation. 
+ +Cc: All applicable +Fixes: a2ff95e018f1 ("ACPI: platform: Add platform profile support") +Reported-by: John Rowley +Closes: https://github.com/ClangBuiltLinux/linux/issues/2047 +Tested-by: John Rowley +Reviewed-by: Sami Tolvanen +Signed-off-by: Nathan Chancellor +Acked-by: Greg Kroah-Hartman +Reviewed-by: Mark Pearson +Tested-by: Mark Pearson +Link: https://patch.msgid.link/20250210-acpi-platform_profile-fix-cfi-violation-v3-1-ed9e9901c33a@kernel.org +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. Wysocki +[nathan: Fix conflicts in older stable branches] +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/platform_profile.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/acpi/platform_profile.c ++++ b/drivers/acpi/platform_profile.c +@@ -22,8 +22,8 @@ static const char * const profile_names[ + }; + static_assert(ARRAY_SIZE(profile_names) == PLATFORM_PROFILE_LAST); + +-static ssize_t platform_profile_choices_show(struct device *dev, +- struct device_attribute *attr, ++static ssize_t platform_profile_choices_show(struct kobject *kobj, ++ struct kobj_attribute *attr, + char *buf) + { + int len = 0; +@@ -49,8 +49,8 @@ static ssize_t platform_profile_choices_ + return len; + } + +-static ssize_t platform_profile_show(struct device *dev, +- struct device_attribute *attr, ++static ssize_t platform_profile_show(struct kobject *kobj, ++ struct kobj_attribute *attr, + char *buf) + { + enum platform_profile_option profile = PLATFORM_PROFILE_BALANCED; +@@ -77,8 +77,8 @@ static ssize_t platform_profile_show(str + return sysfs_emit(buf, "%s\n", profile_names[profile]); + } + +-static ssize_t platform_profile_store(struct device *dev, +- struct device_attribute *attr, ++static ssize_t platform_profile_store(struct kobject *kobj, ++ struct kobj_attribute *attr, + const char *buf, size_t count) + { + int err, i; +@@ -115,12 +115,12 @@ static ssize_t platform_profile_store(st + return count; + 
} + +-static DEVICE_ATTR_RO(platform_profile_choices); +-static DEVICE_ATTR_RW(platform_profile); ++static struct kobj_attribute attr_platform_profile_choices = __ATTR_RO(platform_profile_choices); ++static struct kobj_attribute attr_platform_profile = __ATTR_RW(platform_profile); + + static struct attribute *platform_profile_attrs[] = { +- &dev_attr_platform_profile_choices.attr, +- &dev_attr_platform_profile.attr, ++ &attr_platform_profile_choices.attr, ++ &attr_platform_profile.attr, + NULL + }; + diff --git a/queue-6.13/nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch b/queue-6.13/nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch new file mode 100644 index 0000000000..3126bf7c2f --- /dev/null +++ b/queue-6.13/nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch 
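Review bot: Nothing at the new `attr_platform_profile_choices` / `attr_platform_profile` definitions records why `struct kobj_attribute` is required instead of the usual `DEVICE_ATTR_*`, so a later cleanup could quietly reintroduce the mismatch that the changelog's CFI trace shows. I would add above them: `/* Registered via sysfs_create_group() on a bare kobject, so show/store are dispatched through kobj_attr_show()/kobj_attr_store() and must have kobj_attribute signatures; a device_attribute here trips kCFI. */`. The changelog calls the mismatch non-functional, but on a kernel built with kCFI enforcement the failure in the trace is, as far as I recall, a fatal trap rather than a warning, so this is worth treating as a crash fix in stable. The `kobj` and `attr` parameters appear unused in the three callbacks, as `dev` was before; the callback bodies are outside the quoted hunks.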
@@ -0,0 +1,96 @@ +From 930b64ca0c511521f0abdd1d57ce52b2a6e3476b Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Thu, 6 Feb 2025 13:12:13 -0500 +Subject: nfsd: don't ignore the return code of svc_proc_register() + +From: Jeff Layton + +commit 930b64ca0c511521f0abdd1d57ce52b2a6e3476b upstream. + +Currently, nfsd_proc_stat_init() ignores the return value of +svc_proc_register(). If the procfile creation fails, then the kernel +will WARN when it tries to remove the entry later. + +Fix nfsd_proc_stat_init() to return the same type of pointer as +svc_proc_register(), and fix up nfsd_net_init() to check that and fail +the nfsd_net construction if it occurs. + +svc_proc_register() can fail if the dentry can't be allocated, or if an +identical dentry already exists. The second case is pretty unlikely in +the nfsd_net construction codepath, so if this happens, return -ENOMEM. + +Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/ +Cc: stable@vger.kernel.org # v6.9 +Signed-off-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfsctl.c | 9 ++++++++- + fs/nfsd/stats.c | 4 ++-- + fs/nfsd/stats.h | 2 +- + 3 files changed, 11 insertions(+), 4 deletions(-) + +I did not have any problem cherry-picking 930b64 onto v6.13.11. This +built and ran some simple NFSD tests in my lab. 
+ + +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -2244,8 +2244,14 @@ static __net_init int nfsd_net_init(stru + NFSD_STATS_COUNTERS_NUM); + if (retval) + goto out_repcache_error; ++ + memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats)); + nn->nfsd_svcstats.program = &nfsd_programs[0]; ++ if (!nfsd_proc_stat_init(net)) { ++ retval = -ENOMEM; ++ goto out_proc_error; ++ } ++ + for (i = 0; i < sizeof(nn->nfsd_versions); i++) + nn->nfsd_versions[i] = nfsd_support_version(i); + for (i = 0; i < sizeof(nn->nfsd4_minorversions); i++) +@@ -2255,12 +2261,13 @@ static __net_init int nfsd_net_init(stru + nfsd4_init_leases_net(nn); + get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key)); + seqlock_init(&nn->writeverf_lock); +- nfsd_proc_stat_init(net); + #if IS_ENABLED(CONFIG_NFS_LOCALIO) + INIT_LIST_HEAD(&nn->local_clients); + #endif + return 0; + ++out_proc_error: ++ percpu_counter_destroy_many(nn->counter, NFSD_STATS_COUNTERS_NUM); + out_repcache_error: + nfsd_idmap_shutdown(net); + out_idmap_error: +--- a/fs/nfsd/stats.c ++++ b/fs/nfsd/stats.c +@@ -73,11 +73,11 @@ static int nfsd_show(struct seq_file *se + + DEFINE_PROC_SHOW_ATTRIBUTE(nfsd); + +-void nfsd_proc_stat_init(struct net *net) ++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net) + { + struct nfsd_net *nn = net_generic(net, nfsd_net_id); + +- svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops); ++ return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops); + } + + void nfsd_proc_stat_shutdown(struct net *net) +--- a/fs/nfsd/stats.h ++++ b/fs/nfsd/stats.h +@@ -10,7 +10,7 @@ + #include + #include + +-void nfsd_proc_stat_init(struct net *net); ++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net); + void nfsd_proc_stat_shutdown(struct net *net); + + static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn) diff --git a/queue-6.13/nfsd-fix-cb_getattr-status-fix.patch b/queue-6.13/nfsd-fix-cb_getattr-status-fix.patch new file mode 100644 index 0000000000..d0b07525b2 
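Review bot: The new failure branch in `nfsd_net_init()` maps both failure modes of svc_proc_register() that the changelog names, allocation failure and an already-existing entry, to `-ENOMEM` without saying so at the site. A one-line comment above `retval = -ENOMEM;` would keep that rationale with the code: `/* svc_proc_register() returns NULL for both ENOMEM and a duplicate entry; -ENOMEM is the best single errno here. */`. The unwind looks right for what is visible: `out_proc_error` destroys the per-cpu counters and falls into the existing labels, and nothing between the moved call and `return 0` can fail inside the hunk, so no `nfsd_proc_stat_shutdown()` is needed on these paths; any fallible step outside the hunk after the call would need that. The prototype change in stats.h could also document that NULL is the failure value. nfsd_net_init() starts and ends outside the hunk.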
--- /dev/null +++ b/queue-6.13/nfsd-fix-cb_getattr-status-fix.patch @@ -0,0 +1,44 @@ +From 4990d098433db18c854e75fb0f90d941eb7d479e Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Mon, 10 Feb 2025 11:43:31 -0500 +Subject: NFSD: Fix CB_GETATTR status fix + +From: Chuck Lever + +commit 4990d098433db18c854e75fb0f90d941eb7d479e upstream. + +Jeff says: + +Now that I look, 1b3e26a5ccbf is wrong. The patch on the ml was correct, but +the one that got committed is different. It should be: + + status = decode_cb_op_status(xdr, OP_CB_GETATTR, &cb->cb_status); + if (unlikely(status || cb->cb_status)) + +If "status" is non-zero, decoding failed (usu. BADXDR), but we also want to +bail out and not decode the rest of the call if the decoded cb_status is +non-zero. That's not happening here, cb_seq_status has already been checked and +is non-zero, so this ends up trying to decode the rest of the CB_GETATTR reply +when it doesn't exist. + +Reported-by: Jeff Layton +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219737 +Fixes: 1b3e26a5ccbf ("NFSD: fix decoding in nfs4_xdr_dec_cb_getattr") +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4callback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -647,7 +647,7 @@ static int nfs4_xdr_dec_cb_getattr(struc + return status; + + status = decode_cb_op_status(xdr, OP_CB_GETATTR, &cb->cb_status); +- if (unlikely(status || cb->cb_seq_status)) ++ if (unlikely(status || cb->cb_status)) + return status; + if (xdr_stream_decode_uint32_array(xdr, bitmap, 3) < 0) + return -NFSERR_BAD_XDR; diff --git a/queue-6.13/nfsd-fix-decoding-in-nfs4_xdr_dec_cb_getattr.patch b/queue-6.13/nfsd-fix-decoding-in-nfs4_xdr_dec_cb_getattr.patch new file mode 100644 index 0000000000..226da1880e --- /dev/null +++ b/queue-6.13/nfsd-fix-decoding-in-nfs4_xdr_dec_cb_getattr.patch 
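Review bot: The corrected condition `if (unlikely(status || cb->cb_status)) return status;` returns 0 when decoding succeeded but the client reported an op-level error in `cb->cb_status`, so the caller is relied on to inspect `cb->cb_status` rather than the return value, and that contract is not stated at the line. I would add `/* Op error from the client: nothing further to decode; caller checks cb->cb_status. */` above the return. The changelog says `cb_seq_status` is already checked earlier in the function, which presumably is what the `return status;` at the top of the hunk belongs to, though that check is outside the hunk. nfs4_xdr_dec_cb_getattr() starts and ends outside the hunk.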
@@ -0,0 +1,35 @@ +From 1b3e26a5ccbfc2f85bda1930cc278e313165e353 Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia +Date: Thu, 19 Dec 2024 15:12:04 -0500 +Subject: NFSD: fix decoding in nfs4_xdr_dec_cb_getattr + +From: Olga Kornievskaia + +commit 1b3e26a5ccbfc2f85bda1930cc278e313165e353 upstream. + +If a client were to send an error to a CB_GETATTR call, the code +erronously continues to try decode past the error code. It ends +up returning BAD_XDR error to the rpc layer and then in turn +trigger a WARN_ONCE in nfsd4_cb_done() function. + +Fixes: 6487a13b5c6b ("NFSD: add support for CB_GETATTR callback") +Signed-off-by: Olga Kornievskaia +Reviewed-by: Jeff Layton +Reviewed-by: Benjamin Coddington +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4callback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -647,7 +647,7 @@ static int nfs4_xdr_dec_cb_getattr(struc + return status; + + status = decode_cb_op_status(xdr, OP_CB_GETATTR, &cb->cb_status); +- if (status) ++ if (unlikely(status || cb->cb_seq_status)) + return status; + if (xdr_stream_decode_uint32_array(xdr, bitmap, 3) < 0) + return -NFSERR_BAD_XDR; diff --git a/queue-6.13/series b/queue-6.13/series index 7290819347..529012d8f1 100644 --- a/queue-6.13/series +++ b/queue-6.13/series @@ -404,3 +404,8 @@ thermal-drivers-mediatek-lvts-disable-stage-3-thermal-threshold.patch arm64-errata-add-newer-arm-cores-to-the-spectre_bhb_loop_affected-lists.patch iommufd-make-attach_handle-generic-than-fault-specific.patch iommufd-fail-replace-if-device-has-not-been-attached.patch +x86-paravirt-move-halt-paravirt-calls-under-config_paravirt.patch +acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch +nfsd-fix-decoding-in-nfs4_xdr_dec_cb_getattr.patch +nfsd-fix-cb_getattr-status-fix.patch +nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch 
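Review bot: As queued, this hunk lands `if (unlikely(status || cb->cb_seq_status))`, which the changelog of nfsd-fix-cb_getattr-status-fix.patch in this same queue identifies as the wrong field; `series` applies that correction immediately after, so the tree is right at the end, but there is one intermediate commit in which the decoder still continues past a non-zero `cb->cb_status`, the very WARN_ONCE condition this patch describes. That is tolerable for a stable queue, but a one-line note in this patch file's backport header, e.g. `[ field name corrected by the following nfsd-fix-cb_getattr-status-fix.patch ]`, would save a bisector from misreading the intermediate state. No code change is proposed beyond what the next entry already does. nfs4_xdr_dec_cb_getattr() starts and ends outside the hunk.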
diff --git a/queue-6.13/x86-paravirt-move-halt-paravirt-calls-under-config_paravirt.patch b/queue-6.13/x86-paravirt-move-halt-paravirt-calls-under-config_paravirt.patch new file mode 100644 index 0000000000..8ecc530a7d --- /dev/null +++ b/queue-6.13/x86-paravirt-move-halt-paravirt-calls-under-config_paravirt.patch 
@@ -0,0 +1,196 @@ +From 22cc5ca5de52bbfc36a7d4a55323f91fb4492264 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Fri, 28 Feb 2025 01:44:14 +0000 +Subject: x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT + +From: Kirill A. Shutemov + +commit 22cc5ca5de52bbfc36a7d4a55323f91fb4492264 upstream. + +CONFIG_PARAVIRT_XXL is mainly defined/used by XEN PV guests. For +other VM guest types, features supported under CONFIG_PARAVIRT +are self sufficient. CONFIG_PARAVIRT mainly provides support for +TLB flush operations and time related operations. + +For TDX guest as well, paravirt calls under CONFIG_PARVIRT meets +most of its requirement except the need of HLT and SAFE_HLT +paravirt calls, which is currently defined under +CONFIG_PARAVIRT_XXL. + +Since enabling CONFIG_PARAVIRT_XXL is too bloated for TDX guest +like platforms, move HLT and SAFE_HLT paravirt calls under +CONFIG_PARAVIRT. + +Moving HLT and SAFE_HLT paravirt calls are not fatal and should not +break any functionality for current users of CONFIG_PARAVIRT. + +Fixes: bfe6ed0c6727 ("x86/tdx: Add HLT support for TDX guests") +Co-developed-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Kirill A. Shutemov +Signed-off-by: Vishal Annapurve +Signed-off-by: Ingo Molnar +Reviewed-by: Andi Kleen +Reviewed-by: Tony Luck +Reviewed-by: Juergen Gross +Tested-by: Ryan Afranji +Cc: Andy Lutomirski +Cc: Brian Gerst +Cc: H. 
Peter Anvin +Cc: Linus Torvalds +Cc: Josh Poimboeuf +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20250228014416.3925664-2-vannapurve@google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/irqflags.h | 40 ++++++++++++++++++---------------- + arch/x86/include/asm/paravirt.h | 20 ++++++++--------- + arch/x86/include/asm/paravirt_types.h | 3 -- + arch/x86/kernel/paravirt.c | 14 ++++++----- + 4 files changed, 41 insertions(+), 36 deletions(-) + +--- a/arch/x86/include/asm/irqflags.h ++++ b/arch/x86/include/asm/irqflags.h +@@ -76,6 +76,28 @@ static __always_inline void native_local + + #endif + ++#ifndef CONFIG_PARAVIRT ++#ifndef __ASSEMBLY__ ++/* ++ * Used in the idle loop; sti takes one instruction cycle ++ * to complete: ++ */ ++static __always_inline void arch_safe_halt(void) ++{ ++ native_safe_halt(); ++} ++ ++/* ++ * Used when interrupts are already enabled or to ++ * shutdown the processor: ++ */ ++static __always_inline void halt(void) ++{ ++ native_halt(); ++} ++#endif /* __ASSEMBLY__ */ ++#endif /* CONFIG_PARAVIRT */ ++ + #ifdef CONFIG_PARAVIRT_XXL + #include + #else +@@ -98,24 +120,6 @@ static __always_inline void arch_local_i + } + + /* +- * Used in the idle loop; sti takes one instruction cycle +- * to complete: +- */ +-static __always_inline void arch_safe_halt(void) +-{ +- native_safe_halt(); +-} +- +-/* +- * Used when interrupts are already enabled or to +- * shutdown the processor: +- */ +-static __always_inline void halt(void) +-{ +- native_halt(); +-} +- +-/* + * For spinlocks, etc: + */ + static __always_inline unsigned long arch_local_irq_save(void) +--- a/arch/x86/include/asm/paravirt.h ++++ b/arch/x86/include/asm/paravirt.h +@@ -107,6 +107,16 @@ static inline void notify_page_enc_statu + PVOP_VCALL3(mmu.notify_page_enc_status_changed, pfn, npages, enc); + } + ++static __always_inline void arch_safe_halt(void) ++{ ++ PVOP_VCALL0(irq.safe_halt); ++} ++ ++static inline void halt(void) ++{ ++ PVOP_VCALL0(irq.halt); ++} ++ 
+ #ifdef CONFIG_PARAVIRT_XXL + static inline void load_sp0(unsigned long sp0) + { +@@ -170,16 +180,6 @@ static inline void __write_cr4(unsigned + PVOP_VCALL1(cpu.write_cr4, x); + } + +-static __always_inline void arch_safe_halt(void) +-{ +- PVOP_VCALL0(irq.safe_halt); +-} +- +-static inline void halt(void) +-{ +- PVOP_VCALL0(irq.halt); +-} +- + extern noinstr void pv_native_wbinvd(void); + + static __always_inline void wbinvd(void) +--- a/arch/x86/include/asm/paravirt_types.h ++++ b/arch/x86/include/asm/paravirt_types.h +@@ -122,10 +122,9 @@ struct pv_irq_ops { + struct paravirt_callee_save save_fl; + struct paravirt_callee_save irq_disable; + struct paravirt_callee_save irq_enable; +- ++#endif + void (*safe_halt)(void); + void (*halt)(void); +-#endif + } __no_randomize_layout; + + struct pv_mmu_ops { +--- a/arch/x86/kernel/paravirt.c ++++ b/arch/x86/kernel/paravirt.c +@@ -100,6 +100,11 @@ int paravirt_disable_iospace(void) + return request_resource(&ioport_resource, &reserve_ioports); + } + ++static noinstr void pv_native_safe_halt(void) ++{ ++ native_safe_halt(); ++} ++ + #ifdef CONFIG_PARAVIRT_XXL + static noinstr void pv_native_write_cr2(unsigned long val) + { +@@ -120,11 +125,6 @@ noinstr void pv_native_wbinvd(void) + { + native_wbinvd(); + } +- +-static noinstr void pv_native_safe_halt(void) +-{ +- native_safe_halt(); +-} + #endif + + struct pv_info pv_info = { +@@ -182,9 +182,11 @@ struct paravirt_patch_template pv_ops = + .irq.save_fl = __PV_IS_CALLEE_SAVE(pv_native_save_fl), + .irq.irq_disable = __PV_IS_CALLEE_SAVE(pv_native_irq_disable), + .irq.irq_enable = __PV_IS_CALLEE_SAVE(pv_native_irq_enable), ++#endif /* CONFIG_PARAVIRT_XXL */ ++ ++ /* Irq HLT ops. */ + .irq.safe_halt = pv_native_safe_halt, + .irq.halt = native_halt, +-#endif /* CONFIG_PARAVIRT_XXL */ + + /* Mmu ops. */ + .mmu.flush_tlb_user = native_flush_tlb_local, -- 2.47.3
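Review bot: In the new paravirt.h block `halt()` is `static inline` while its sibling `arch_safe_halt()` and both fallbacks added to irqflags.h under `#ifndef CONFIG_PARAVIRT` are `static __always_inline`; the code was moved verbatim from the CONFIG_PARAVIRT_XXL section, but now that it is the definition for every CONFIG_PARAVIRT build the inconsistency is more visible, and I would write `static __always_inline void halt(void)` to match unless the XXL version left that to the compiler on purpose. A second, hedged point: the irqflags.h fallback sits before the `#ifdef CONFIG_PARAVIRT_XXL #include …` selector (the header name is dropped on this page), so for CONFIG_PARAVIRT=y without XXL irqflags.h itself supplies no `halt()`/`arch_safe_halt()` and relies on paravirt.h arriving by another include; that evidently works upstream, but a comment at `#endif /* CONFIG_PARAVIRT */` naming where the paravirt definitions live would help the next reader. The same pattern (PARAVIRT_XXL-only code becoming PARAVIRT-wide) applies to the paravirt_types.h and paravirt.c hunks, which look consistent with each other.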