From 5396267d5bd3f7ea9845f1b61bcdd941db8a6473 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 10 Dec 2024 10:48:23 +0100 Subject: [PATCH] 6.6-stable patches added patches: kasan-make-report_lock-a-raw-spinlock.patch lib-stackinit-hide-never-taken-branch-from-compiler.patch ocfs2-update-seq_file-index-in-ocfs2_dlm_seq_next.patch x86-mm-add-_page_noptishadow-bit-to-avoid-updating-userspace-page-tables.patch --- ...asan-make-report_lock-a-raw-spinlock.patch | 66 ++++++++++ ...ide-never-taken-branch-from-compiler.patch | 40 ++++++ ...seq_file-index-in-ocfs2_dlm_seq_next.patch | 43 +++++++ queue-6.6/series | 4 + ...avoid-updating-userspace-page-tables.patch | 114 ++++++++++++++++++ 5 files changed, 267 insertions(+) create mode 100644 queue-6.6/kasan-make-report_lock-a-raw-spinlock.patch create mode 100644 queue-6.6/lib-stackinit-hide-never-taken-branch-from-compiler.patch create mode 100644 queue-6.6/ocfs2-update-seq_file-index-in-ocfs2_dlm_seq_next.patch create mode 100644 queue-6.6/x86-mm-add-_page_noptishadow-bit-to-avoid-updating-userspace-page-tables.patch diff --git a/queue-6.6/kasan-make-report_lock-a-raw-spinlock.patch b/queue-6.6/kasan-make-report_lock-a-raw-spinlock.patch new file mode 100644 index 00000000000..ccb8e8e9589 --- /dev/null +++ b/queue-6.6/kasan-make-report_lock-a-raw-spinlock.patch @@ -0,0 +1,66 @@ +From e30a0361b8515d424c73c67de1a43e45a13b8ba2 Mon Sep 17 00:00:00 2001 +From: Jared Kangas +Date: Tue, 19 Nov 2024 13:02:34 -0800 +Subject: kasan: make report_lock a raw spinlock + +From: Jared Kangas + +commit e30a0361b8515d424c73c67de1a43e45a13b8ba2 upstream. + +If PREEMPT_RT is enabled, report_lock is a sleeping spinlock and must not +be locked when IRQs are disabled. However, KASAN reports may be triggered +in such contexts. For example: + + char *s = kzalloc(1, GFP_KERNEL); + kfree(s); + local_irq_disable(); + char c = *s; /* KASAN report here leads to spin_lock() */ + local_irq_enable(); + +Make report_spinlock a raw spinlock to prevent rescheduling when +PREEMPT_RT is enabled. + +Link: https://lkml.kernel.org/r/20241119210234.1602529-1-jkangas@redhat.com +Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: ") +Signed-off-by: Jared Kangas +Cc: Alexander Potapenko +Cc: Andrey Konovalov +Cc: Andrey Ryabinin +Cc: Dmitry Vyukov +Cc: Vincenzo Frascino +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kasan/report.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/mm/kasan/report.c ++++ b/mm/kasan/report.c +@@ -199,7 +199,7 @@ static inline void fail_non_kasan_kunit_ + + #endif /* CONFIG_KUNIT */ + +-static DEFINE_SPINLOCK(report_lock); ++static DEFINE_RAW_SPINLOCK(report_lock); + + static void start_report(unsigned long *flags, bool sync) + { +@@ -210,7 +210,7 @@ static void start_report(unsigned long * + lockdep_off(); + /* Make sure we don't end up in loop. */ + report_suppress_start(); +- spin_lock_irqsave(&report_lock, *flags); ++ raw_spin_lock_irqsave(&report_lock, *flags); + pr_err("==================================================================\n"); + } + +@@ -220,7 +220,7 @@ static void end_report(unsigned long *fl + trace_error_report_end(ERROR_DETECTOR_KASAN, + (unsigned long)addr); + pr_err("==================================================================\n"); +- spin_unlock_irqrestore(&report_lock, *flags); ++ raw_spin_unlock_irqrestore(&report_lock, *flags); + if (!test_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags)) + check_panic_on_warn("KASAN"); + switch (kasan_arg_fault) { diff --git a/queue-6.6/lib-stackinit-hide-never-taken-branch-from-compiler.patch b/queue-6.6/lib-stackinit-hide-never-taken-branch-from-compiler.patch new file mode 100644 index 00000000000..fb17dc7d10c --- /dev/null +++ b/queue-6.6/lib-stackinit-hide-never-taken-branch-from-compiler.patch @@ -0,0 +1,40 @@ +From 5c3793604f91123bf49bc792ce697a0bef4c173c Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Sun, 17 Nov 2024 03:38:13 -0800 +Subject: lib: stackinit: hide never-taken branch from compiler + +From: Kees Cook + +commit 5c3793604f91123bf49bc792ce697a0bef4c173c upstream. + +The never-taken branch leads to an invalid bounds condition, which is by +design. To avoid the unwanted warning from the compiler, hide the +variable from the optimizer. + +../lib/stackinit_kunit.c: In function 'do_nothing_u16_zero': +../lib/stackinit_kunit.c:51:49: error: array subscript 1 is outside array bounds of 'u16[0]' {aka 'short unsigned int[]'} [-Werror=array-bounds=] + 51 | #define DO_NOTHING_RETURN_SCALAR(ptr) *(ptr) + | ^~~~~~ +../lib/stackinit_kunit.c:219:24: note: in expansion of macro 'DO_NOTHING_RETURN_SCALAR' + 219 | return DO_NOTHING_RETURN_ ## which(ptr + 1); \ + | ^~~~~~~~~~~~~~~~~~ + +Link: https://lkml.kernel.org/r/20241117113813.work.735-kees@kernel.org +Signed-off-by: Kees Cook +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/stackinit_kunit.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/stackinit_kunit.c ++++ b/lib/stackinit_kunit.c +@@ -199,6 +199,7 @@ static noinline void test_ ## name (stru + static noinline DO_NOTHING_TYPE_ ## which(var_type) \ + do_nothing_ ## name(var_type *ptr) \ + { \ ++ OPTIMIZER_HIDE_VAR(ptr); \ + /* Will always be true, but compiler doesn't know. */ \ + if ((unsigned long)ptr > 0x2) \ + return DO_NOTHING_RETURN_ ## which(ptr); \ diff --git a/queue-6.6/ocfs2-update-seq_file-index-in-ocfs2_dlm_seq_next.patch b/queue-6.6/ocfs2-update-seq_file-index-in-ocfs2_dlm_seq_next.patch new file mode 100644 index 00000000000..21abce5fbc6 --- /dev/null +++ b/queue-6.6/ocfs2-update-seq_file-index-in-ocfs2_dlm_seq_next.patch @@ -0,0 +1,43 @@ +From 914eec5e980171bc128e7e24f7a22aa1d803570e Mon Sep 17 00:00:00 2001 +From: Wengang Wang +Date: Tue, 19 Nov 2024 09:45:00 -0800 +Subject: ocfs2: update seq_file index in ocfs2_dlm_seq_next + +From: Wengang Wang + +commit 914eec5e980171bc128e7e24f7a22aa1d803570e upstream. + +The following INFO level message was seen: + +seq_file: buggy .next function ocfs2_dlm_seq_next [ocfs2] did not +update position index + +Fix: +Update *pos (so m->index) to make seq_read_iter happy though the index its +self makes no sense to ocfs2_dlm_seq_next. + +Link: https://lkml.kernel.org/r/20241119174500.9198-1-wen.gang.wang@oracle.com +Signed-off-by: Wengang Wang +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/dlmglue.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ocfs2/dlmglue.c ++++ b/fs/ocfs2/dlmglue.c +@@ -3110,6 +3110,7 @@ static void *ocfs2_dlm_seq_next(struct s + struct ocfs2_lock_res *iter = v; + struct ocfs2_lock_res *dummy = &priv->p_iter_res; + ++ (*pos)++; + spin_lock(&ocfs2_dlm_tracking_lock); + iter = ocfs2_dlm_next_res(iter, priv); + list_del_init(&dummy->l_debug_list); diff --git a/queue-6.6/series b/queue-6.6/series index 7ad2d9f866e..eec25523d0d 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -189,3 +189,7 @@ xsk-fix-oob-map-writes-when-deleting-elements.patch regmap-detach-regmap-from-dev-on-regmap_exit.patch mmc-sdhci-pci-add-dmi-quirk-for-missing-cd-gpio-on-vexia-edu-atla-10-tablet.patch mmc-core-further-prevent-card-detect-during-shutdown.patch +ocfs2-update-seq_file-index-in-ocfs2_dlm_seq_next.patch +lib-stackinit-hide-never-taken-branch-from-compiler.patch +kasan-make-report_lock-a-raw-spinlock.patch +x86-mm-add-_page_noptishadow-bit-to-avoid-updating-userspace-page-tables.patch diff --git a/queue-6.6/x86-mm-add-_page_noptishadow-bit-to-avoid-updating-userspace-page-tables.patch b/queue-6.6/x86-mm-add-_page_noptishadow-bit-to-avoid-updating-userspace-page-tables.patch new file mode 100644 index 00000000000..fa48f99f616 --- /dev/null +++ b/queue-6.6/x86-mm-add-_page_noptishadow-bit-to-avoid-updating-userspace-page-tables.patch @@ -0,0 +1,114 @@ +From d0ceea662d459726487030237689835fcc0483e5 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Wed, 4 Dec 2024 11:27:14 +0000 +Subject: x86/mm: Add _PAGE_NOPTISHADOW bit to avoid updating userspace page tables + +From: David Woodhouse + +commit d0ceea662d459726487030237689835fcc0483e5 upstream. + +The set_p4d() and set_pgd() functions (in 4-level or 5-level page table setups +respectively) assume that the root page table is actually a 8KiB allocation, +with the userspace root immediately after the kernel root page table (so that +the former can enforce NX on on all the subordinate page tables, which are +actually shared). + +However, users of the kernel_ident_mapping_init() code do not give it an 8KiB +allocation for its PGD. Both swsusp_arch_resume() and acpi_mp_setup_reset() +allocate only a single 4KiB page. The kexec code on x86_64 currently gets +away with it purely by chance, because it allocates 8KiB for its "control +code page" and then actually uses the first half for the PGD, then copies the +actual trampoline code into the second half only after the identmap code has +finished scribbling over it. + +Fix this by defining a _PAGE_NOPTISHADOW bit (which can use the same bit as +_PAGE_SAVED_DIRTY since one is only for the PGD/P4D root and the other is +exclusively for leaf PTEs.). This instructs __pti_set_user_pgtbl() not to +write to the userspace 'shadow' PGD. + +Strictly, the _PAGE_NOPTISHADOW bit doesn't need to be written out to the +actual page tables; since __pti_set_user_pgtbl() returns the value to be +written to the kernel page table, it could be filtered out. But there seems +to be no benefit to actually doing so. + +Suggested-by: Dave Hansen +Signed-off-by: David Woodhouse +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/412c90a4df7aef077141d9f68d19cbe5602d6c6d.camel@infradead.org +Cc: stable@kernel.org +Cc: Linus Torvalds +Cc: Andy Lutomirski +Cc: Peter Zijlstra +Cc: Rik van Riel +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/pgtable_types.h | 8 ++++++-- + arch/x86/mm/ident_map.c | 6 +++--- + arch/x86/mm/pti.c | 2 +- + 3 files changed, 10 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/pgtable_types.h ++++ b/arch/x86/include/asm/pgtable_types.h +@@ -36,10 +36,12 @@ + #define _PAGE_BIT_DEVMAP _PAGE_BIT_SOFTW4 + + #ifdef CONFIG_X86_64 +-#define _PAGE_BIT_SAVED_DIRTY _PAGE_BIT_SOFTW5 /* Saved Dirty bit */ ++#define _PAGE_BIT_SAVED_DIRTY _PAGE_BIT_SOFTW5 /* Saved Dirty bit (leaf) */ ++#define _PAGE_BIT_NOPTISHADOW _PAGE_BIT_SOFTW5 /* No PTI shadow (root PGD) */ + #else + /* Shared with _PAGE_BIT_UFFD_WP which is not supported on 32 bit */ +-#define _PAGE_BIT_SAVED_DIRTY _PAGE_BIT_SOFTW2 /* Saved Dirty bit */ ++#define _PAGE_BIT_SAVED_DIRTY _PAGE_BIT_SOFTW2 /* Saved Dirty bit (leaf) */ ++#define _PAGE_BIT_NOPTISHADOW _PAGE_BIT_SOFTW2 /* No PTI shadow (root PGD) */ + #endif + + /* If _PAGE_BIT_PRESENT is clear, we use these: */ +@@ -139,6 +141,8 @@ + + #define _PAGE_PROTNONE (_AT(pteval_t, 1) << _PAGE_BIT_PROTNONE) + ++#define _PAGE_NOPTISHADOW (_AT(pteval_t, 1) << _PAGE_BIT_NOPTISHADOW) ++ + /* + * Set of bits not changed in pte_modify. The pte's + * protection key is treated like _PAGE_RW, for +--- a/arch/x86/mm/ident_map.c ++++ b/arch/x86/mm/ident_map.c +@@ -88,7 +88,7 @@ static int ident_p4d_init(struct x86_map + if (result) + return result; + +- set_p4d(p4d, __p4d(__pa(pud) | info->kernpg_flag)); ++ set_p4d(p4d, __p4d(__pa(pud) | info->kernpg_flag | _PAGE_NOPTISHADOW)); + } + + return 0; +@@ -132,14 +132,14 @@ int kernel_ident_mapping_init(struct x86 + if (result) + return result; + if (pgtable_l5_enabled()) { +- set_pgd(pgd, __pgd(__pa(p4d) | info->kernpg_flag)); ++ set_pgd(pgd, __pgd(__pa(p4d) | info->kernpg_flag | _PAGE_NOPTISHADOW)); + } else { + /* + * With p4d folded, pgd is equal to p4d. + * The pgd entry has to point to the pud page table in this case. + */ + pud_t *pud = pud_offset(p4d, 0); +- set_pgd(pgd, __pgd(__pa(pud) | info->kernpg_flag)); ++ set_pgd(pgd, __pgd(__pa(pud) | info->kernpg_flag | _PAGE_NOPTISHADOW)); + } + } + +--- a/arch/x86/mm/pti.c ++++ b/arch/x86/mm/pti.c +@@ -132,7 +132,7 @@ pgd_t __pti_set_user_pgtbl(pgd_t *pgdp, + * Top-level entries added to init_mm's usermode pgd after boot + * will not be automatically propagated to other mms. + */ +- if (!pgdp_maps_userspace(pgdp)) ++ if (!pgdp_maps_userspace(pgdp) || (pgd.pgd & _PAGE_NOPTISHADOW)) + return pgd; + + /* -- 2.47.2