From 360bb37d935097da471e22265b9d1417f942aad3 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 17 Dec 2021 16:08:36 +0100
Subject: [PATCH] 5.4-stable patches

added patches:
audit-improve-robustness-of-the-audit-queue-handling.patch
dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch
nfsd-fix-use-after-free-due-to-delegation-race.patch
recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch
---
 ...bustness-of-the-audit-queue-handling.patch | 109 ++++++++++++++++++
 ...use-after-free-in-rebalance_children.patch | 32 +++++
 ...esetting-pcsel-before-disabling-vdda.patch | 42 +++++++
 ...se-after-free-due-to-delegation-race.patch | 66 +++++++++++
 ...-instruction-as-well-as-bcrl-on-s390.patch | 36 ++++++
 queue-5.4/series | 6 +
 ...m-dma-mapping-size-for-virtio-device.patch | 56 +++++++++
 7 files changed, 347 insertions(+)
 create mode 100644 queue-5.4/audit-improve-robustness-of-the-audit-queue-handling.patch
 create mode 100644 queue-5.4/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
 create mode 100644 queue-5.4/iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch
 create mode 100644 queue-5.4/nfsd-fix-use-after-free-due-to-delegation-race.patch
 create mode 100644 queue-5.4/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
 create mode 100644 queue-5.4/virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch

diff --git a/queue-5.4/audit-improve-robustness-of-the-audit-queue-handling.patch b/queue-5.4/audit-improve-robustness-of-the-audit-queue-handling.patch
new file mode 100644
index 00000000000..d7314cef4ca
--- /dev/null
+++ b/queue-5.4/audit-improve-robustness-of-the-audit-queue-handling.patch
@@ -0,0 +1,109 @@
+From f4b3ee3c85551d2d343a3ba159304066523f730f Mon Sep 17 00:00:00 2001
+From: Paul Moore
+Date: Thu, 9 Dec 2021 11:46:07 -0500
+Subject: audit: improve robustness of the audit queue handling
+
+From: Paul Moore
+
+commit f4b3ee3c85551d2d343a3ba159304066523f730f upstream.
+
+If the audit daemon were ever to get stuck in a stopped state the
+kernel's kauditd_thread() could get blocked attempting to send audit
+records to the userspace audit daemon. With the kernel thread
+blocked it is possible that the audit queue could grow unbounded as
+certain audit record generating events must be exempt from the queue
+limits else the system enter a deadlock state.
+
+This patch resolves this problem by lowering the kernel thread's
+socket sending timeout from MAX_SCHEDULE_TIMEOUT to HZ/10 and tweaks
+the kauditd_send_queue() function to better manage the various audit
+queues when connection problems occur between the kernel and the
+audit daemon. With this patch, the backlog may temporarily grow
+beyond the defined limits when the audit daemon is stopped and the
+system is under heavy audit pressure, but kauditd_thread() will
+continue to make progress and drain the queues as it would for other
+connection problems. For example, with the audit daemon put into a
+stopped state and the system configured to audit every syscall it
+was still possible to shutdown the system without a kernel panic,
+deadlock, etc.; granted, the system was slow to shutdown but that is
+to be expected given the extreme pressure of recording every syscall.
+
+The timeout value of HZ/10 was chosen primarily through
+experimentation and this developer's "gut feeling". There is likely
+no one perfect value, but as this scenario is limited in scope (root
+privileges would be needed to send SIGSTOP to the audit daemon), it
+is likely not worth exposing this as a tunable at present. This can
+always be done at a later date if it proves necessary.
+
+Cc: stable@vger.kernel.org
+Fixes: 5b52330bbfe63 ("audit: fix auditd/kernel connection state tracking")
+Reported-by: Gaosheng Cui
+Tested-by: Gaosheng Cui
+Reviewed-by: Richard Guy Briggs
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/audit.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -712,7 +712,7 @@ static int kauditd_send_queue(struct soc
+ {
+ int rc = 0;
+ struct sk_buff *skb;
+- static unsigned int failed = 0;
++ unsigned int failed = 0;
+
+ /* NOTE: kauditd_thread takes care of all our locking, we just use
+ * the netlink info passed to us (e.g. sk and portid) */
+@@ -729,32 +729,30 @@ static int kauditd_send_queue(struct soc
+ continue;
+ }
+
++retry:
+ /* grab an extra skb reference in case of error */
+ skb_get(skb);
+ rc = netlink_unicast(sk, skb, portid, 0);
+ if (rc < 0) {
+- /* fatal failure for our queue flush attempt? */
++ /* send failed - try a few times unless fatal error */
+ if (++failed >= retry_limit ||
+ rc == -ECONNREFUSED || rc == -EPERM) {
+- /* yes - error processing for the queue */
+ sk = NULL;
+ if (err_hook)
+ (*err_hook)(skb);
+- if (!skb_hook)
+- goto out;
+- /* keep processing with the skb_hook */
++ if (rc == -EAGAIN)
++ rc = 0;
++ /* continue to drain the queue */
+ continue;
+ } else
+- /* no - requeue to preserve ordering */
+- skb_queue_head(queue, skb);
++ goto retry;
+ } else {
+- /* it worked - drop the extra reference and continue */
++ /* skb sent - drop the extra reference and continue */
+ consume_skb(skb);
+ failed = 0;
+ }
+ }
+
+-out:
+ return (rc >= 0 ? 0 : rc);
+ }
+
+@@ -1557,7 +1555,8 @@ static int __net_init audit_net_init(str
+ audit_panic("cannot initialize netlink socket in namespace");
+ return -ENOMEM;
+ }
+- aunet->sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
++ /* limit the timeout in case auditd is blocked/stopped */
++ aunet->sk->sk_sndtimeo = HZ / 10;
+
+ return 0;
+ }
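Review bot: The `goto retry` path jumps back over `skb_get(skb)`, so every re-send takes a fresh reference; that is only correct if netlink_unicast() drops the reference it was handed on failure, which the existing "grab an extra skb reference in case of error" comment implies but the new label does not state, making the extra `skb_get()` look like a leak to the next reader. A comment at the label would pin this down: `retry: /* netlink_unicast() consumed our ref on failure; take another before re-sending */`. It is also worth recording near `retry_limit` that, with `sk_sndtimeo` now `HZ / 10` (last hunk), a single skb can block for up to retry_limit such timeouts before the fatal branch clears `sk`. kauditd_send_queue()'s opening, including the `!sk` handling that the `continue` after `sk = NULL` relies on, lies outside the hunk.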
diff --git a/queue-5.4/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch b/queue-5.4/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
new file mode 100644
index 00000000000..f2a9f377284
--- /dev/null
+++ b/queue-5.4/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
@@ -0,0 +1,32 @@
+From 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da Mon Sep 17 00:00:00 2001
+From: Joe Thornber
+Date: Wed, 24 Nov 2021 12:07:39 -0500
+Subject: dm btree remove: fix use after free in rebalance_children()
+
+From: Joe Thornber
+
+commit 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da upstream.
+
+Move dm_tm_unlock() after dm_tm_dec().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Joe Thornber
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/persistent-data/dm-btree-remove.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree-remove.c
++++ b/drivers/md/persistent-data/dm-btree-remove.c
+@@ -423,9 +423,9 @@ static int rebalance_children(struct sha
+
+ memcpy(n, dm_block_data(child),
+ dm_bm_block_size(dm_tm_get_bm(info->tm)));
+- dm_tm_unlock(info->tm, child);
+
+ dm_tm_dec(info->tm, dm_block_location(child));
++ dm_tm_unlock(info->tm, child);
+ return 0;
+ }
+
diff --git a/queue-5.4/iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch b/queue-5.4/iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch
new file mode 100644
index 00000000000..648d90d09a1
--- /dev/null
+++ b/queue-5.4/iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch
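Review bot: The new order, dm_tm_dec() before dm_tm_unlock(), encodes an ordering constraint that is invisible at the call site: the subject calls the old order a use-after-free, which suggests the dec can release the block `child` refers to once it is no longer held, but nothing in the code says so and a later tidy-up could swap the two lines back. A one-line why-comment on the dec line would protect it, e.g. `/* keep child locked across dm_tm_dec(): dropping the ref may free the block */`, hedged if the release semantics of dm_tm_dec() are not confirmed. The enclosing rebalance_children() begins outside the hunk.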
@@ -0,0 +1,42 @@
+From f711f28e71e965c0d1141c830fa7131b41abbe75 Mon Sep 17 00:00:00 2001
+From: Fabrice Gasnier
+Date: Fri, 22 Oct 2021 14:19:29 +0200
+Subject: iio: adc: stm32: fix a current leak by resetting pcsel before disabling vdda
+
+From: Fabrice Gasnier
+
+commit f711f28e71e965c0d1141c830fa7131b41abbe75 upstream.
+
+Some I/Os are connected to ADC input channels, when the corresponding bit
+in PCSEL register are set on STM32H7 and STM32MP15. This is done in the
+prepare routine of stm32-adc driver.
+There are constraints here, as PCSEL shouldn't be set when VDDA supply
+is disabled. Enabling/disabling of VDDA supply in done via stm32-adc-core
+runtime PM routines (before/after ADC is enabled/disabled).
+
+Currently, PCSEL remains set when disabling ADC. Later on, PM runtime
+can disable the VDDA supply. This creates some conditions on I/Os that
+can start to leak current.
+So PCSEL needs to be cleared when disabling the ADC.
+
+Fixes: 95e339b6e85d ("iio: adc: stm32: add support for STM32H7")
+Signed-off-by: Fabrice Gasnier
+Reviewed-by: Olivier Moysan
+Link: https://lore.kernel.org/r/1634905169-23762-1-git-send-email-fabrice.gasnier@foss.st.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/stm32-adc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/stm32-adc.c
++++ b/drivers/iio/adc/stm32-adc.c
+@@ -933,6 +933,7 @@ pwr_dwn:
+
+ static void stm32h7_adc_unprepare(struct stm32_adc *adc)
+ {
++ stm32_adc_writel(adc, STM32H7_ADC_PCSEL, 0);
+ stm32h7_adc_disable(adc);
+ stm32h7_adc_enter_pwr_down(adc);
+ }
diff --git a/queue-5.4/nfsd-fix-use-after-free-due-to-delegation-race.patch b/queue-5.4/nfsd-fix-use-after-free-due-to-delegation-race.patch
new file mode 100644
index 00000000000..7a3c0c6bc75
--- /dev/null
+++ b/queue-5.4/nfsd-fix-use-after-free-due-to-delegation-race.patch
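Review bot: The added `stm32_adc_writel(adc, STM32H7_ADC_PCSEL, 0);` carries no comment, and the constraint it enforces, that PCSEL must not stay set once runtime PM may remove the VDDA supply (per the commit message), cannot be seen from stm32h7_adc_unprepare() itself. Suggest `/* clear PCSEL before runtime PM can drop VDDA; set bits leak current on the I/Os otherwise */` above the write. Whether the write must precede stm32h7_adc_disable(), as placed here, or could follow it is not visible in the hunk; confirm against the prepare routine that sets PCSEL so the two stay symmetric.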
@@ -0,0 +1,66 @@
+From 548ec0805c399c65ed66c6641be467f717833ab5 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Mon, 29 Nov 2021 15:08:00 -0500
+Subject: nfsd: fix use-after-free due to delegation race
+
+From: J. Bruce Fields
+
+commit 548ec0805c399c65ed66c6641be467f717833ab5 upstream.
+
+A delegation break could arrive as soon as we've called vfs_setlease. A
+delegation break runs a callback which immediately (in
+nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we
+then exit nfs4_set_delegation without hashing the delegation, it will be
+freed as soon as the callback is done with it, without ever being
+removed from del_recall_lru.
+
+Symptoms show up later as use-after-free or list corruption warnings,
+usually in the laundromat thread.
+
+I suspect aba2072f4523 "nfsd: grant read delegations to clients holding
+writes" made this bug easier to hit, but I looked as far back as v3.0
+and it looks to me it already had the same problem. So I'm not sure
+where the bug was introduced; it may have been there from the beginning.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields
+[Salvatore Bonaccorso: Backport for context changes to versions which do
+not have 20b7d86f29d3 ("nfsd: use boottime for lease expiry calculation")]
+Signed-off-by: Salvatore Bonaccorso
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4state.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1041,6 +1041,11 @@ hash_delegation_locked(struct nfs4_deleg
+ return 0;
+ }
+
++static bool delegation_hashed(struct nfs4_delegation *dp)
++{
++ return !(list_empty(&dp->dl_perfile));
++}
++
+ static bool
+ unhash_delegation_locked(struct nfs4_delegation *dp)
+ {
+@@ -1048,7 +1053,7 @@ unhash_delegation_locked(struct nfs4_del
+
+ lockdep_assert_held(&state_lock);
+
+- if (list_empty(&dp->dl_perfile))
++ if (!delegation_hashed(dp))
+ return false;
+
+ dp->dl_stid.sc_type = NFS4_CLOSED_DELEG_STID;
+@@ -4406,7 +4411,7 @@ static void nfsd4_cb_recall_prepare(stru
+ * queued for a lease break. Don't queue it again.
+ */
+ spin_lock(&state_lock);
+- if (dp->dl_time == 0) {
++ if (delegation_hashed(dp) && dp->dl_time == 0) {
+ dp->dl_time = get_seconds();
+ list_add_tail(&dp->dl_recall_lru, &nn->del_recall_lru);
+ }
diff --git a/queue-5.4/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch b/queue-5.4/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
new file mode 100644
index 00000000000..425644c9e38
--- /dev/null
+++ b/queue-5.4/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
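Review bot: `delegation_hashed()` reads `dp->dl_perfile`, and both callers hold state_lock (unhash_delegation_locked() asserts it; nfsd4_cb_recall_prepare() takes it on the line before the new check), but the helper itself records no locking requirement, so a future caller could test the list head without the lock and race with hashing. A comment above it, `/* Must be called with state_lock held: dl_perfile is (un)hashed under it. */`, would document that, and a `lockdep_assert_held(&state_lock);` inside the helper would enforce it. Minor style point: the outer parentheses in `return !(list_empty(&dp->dl_perfile));` are redundant; `return !list_empty(&dp->dl_perfile);` matches the check it replaces. nfsd4_cb_recall_prepare() continues beyond the hunk.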
@@ -0,0 +1,36 @@
+From 85bf17b28f97ca2749968d8786dc423db320d9c2 Mon Sep 17 00:00:00 2001
+From: Jerome Marchand
+Date: Fri, 10 Dec 2021 10:38:27 +0100
+Subject: recordmcount.pl: look for jgnop instruction as well as bcrl on s390
+
+From: Jerome Marchand
+
+commit 85bf17b28f97ca2749968d8786dc423db320d9c2 upstream.
+
+On s390, recordmcount.pl is looking for "bcrl 0," instructions in
+the objdump -d outpout. However since binutils 2.37, objdump -d
+display "jgnop " for the same instruction. Update the
+mcount_regex so that it accepts both.
+
+Signed-off-by: Jerome Marchand
+Reviewed-by: Miroslav Benes
+Acked-by: Steven Rostedt (VMware)
+Cc:
+Link: https://lore.kernel.org/r/20211210093827.1623286-1-jmarchan@redhat.com
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/recordmcount.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/recordmcount.pl
++++ b/scripts/recordmcount.pl
+@@ -252,7 +252,7 @@ if ($arch eq "x86_64") {
+
+ } elsif ($arch eq "s390" && $bits == 64) {
+ if ($cc =~ /-DCC_USING_HOTPATCH/) {
+- $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*brcl\\s*0,[0-9a-f]+ <([^\+]*)>\$";
++ $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*(bcrl\\s*0,|jgnop\\s*)[0-9a-f]+ <([^\+]*)>\$";
+ $mcount_adjust = 0;
+ } else {
+ $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*R_390_(PC|PLT)32DBL\\s+_mcount\\+0x2\$";
diff --git a/queue-5.4/series b/queue-5.4/series
index 1cb176948a1..452827b44e5 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
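Review bot: The new pattern looks for `bcrl`, while the removed line matched `brcl`; the commit message also writes "bcrl", but the removed line is what the script accepted from older objdump, and `brcl` (branch relative on condition long) is the s390 mnemonic. As written the first alternative can never match, so on binutils before 2.37 the hotpatch branch finds no mcount call sites at all; change `(bcrl\\s*0,|jgnop\\s*)` to `(brcl\\s*0,|jgnop\\s*)`. Separately, the added alternation group shifts the `<symbol>` capture from `$2` to `$3`; worth confirming that whatever consumes `$mcount_regex` for s390 does not depend on `$2`. The enclosing `elsif` arm continues outside the hunk.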
@@ -2,3 +2,9 @@ kvm-selftests-make-sure-kvm_create_max_vcpus-test-wo.patch
 mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch
 mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch
 firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
+virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch
+recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
+dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
+audit-improve-robustness-of-the-audit-queue-handling.patch
+iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch
+nfsd-fix-use-after-free-due-to-delegation-race.patch
diff --git a/queue-5.4/virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch b/queue-5.4/virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch
new file mode 100644
index 00000000000..c21aac71ace
--- /dev/null
+++ b/queue-5.4/virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch
@@ -0,0 +1,56 @@
+From 817fc978b5a29b039db0418a91072b31c9aab152 Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Wed, 1 Dec 2021 11:20:18 +0000
+Subject: virtio_ring: Fix querying of maximum DMA mapping size for virtio device
+
+From: Will Deacon
+
+commit 817fc978b5a29b039db0418a91072b31c9aab152 upstream.
+
+virtio_max_dma_size() returns the maximum DMA mapping size of the virtio
+device by querying dma_max_mapping_size() for the device when the DMA
+API is in use for the vring. Unfortunately, the device passed is
+initialised by register_virtio_device() and does not inherit the DMA
+configuration from its parent, resulting in SWIOTLB errors when bouncing
+is enabled and the default 256K mapping limit (IO_TLB_SEGSIZE) is not
+respected:
+
+ | virtio-pci 0000:00:01.0: swiotlb buffer is full (sz: 294912 bytes), total 1024 (slots), used 725 (slots)
+
+Follow the pattern used elsewhere in the virtio_ring code when calling
+into the DMA layer and pass the parent device to dma_max_mapping_size()
+instead.
+
+Cc: Marc Zyngier
+Cc: Quentin Perret
+Cc: "Michael S. Tsirkin"
+Cc: Jason Wang
+Signed-off-by: Will Deacon
+Link: https://lore.kernel.org/r/20211201112018.25276-1-will@kernel.org
+Acked-by: Jason Wang
+Tested-by: Suzuki K Poulose
+Fixes: e6d6dd6c875e ("virtio: Introduce virtio_max_dma_size()")
+Cc: Joerg Roedel
+Cc: Konrad Rzeszutek Wilk
+Cc: Christoph Hellwig
+Cc: Robin Murphy
+Signed-off-by: Steven Price
+Signed-off-by: Suzuki K Poulose
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/virtio/virtio_ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -263,7 +263,7 @@ size_t virtio_max_dma_size(struct virtio
+ size_t max_segment_size = SIZE_MAX;
+
+ if (vring_use_dma_api(vdev))
+- max_segment_size = dma_max_mapping_size(&vdev->dev);
++ max_segment_size = dma_max_mapping_size(vdev->dev.parent);
+
+ return max_segment_size;
+ }
--
2.47.3
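Review bot: Passing `vdev->dev.parent` to dma_max_mapping_size() makes the call depend on the parent pointer being populated; the commit message says that holds for devices set up by register_virtio_device() and that the rest of the file already uses the parent for DMA calls, but nothing at this call site records why `&vdev->dev` is the wrong device, so the next reader may "simplify" it back. Suggest `/* DMA configuration (ops, swiotlb limits) belongs to the transport, i.e. the parent device */` above the `if`. The whole of virtio_max_dma_size() is visible in the hunk.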