From 5f81af600210364f2fdddd73752fcc1e33fa7599 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 25 Oct 2024 06:20:38 -0400 Subject: [PATCH] Fixes for 6.11 Signed-off-by: Sasha Levin --- .../jfs-fix-sanity-check-in-dbmount.patch | 35 +++++ ...crash-in-stack_top-for-tasks-without.patch | 67 +++++++++ ...choosing-allocation-for-percpu-slots.patch | 62 ++++++++ queue-6.11/series | 5 + ...-the-null-character-when-validating-.patch | 42 ++++++ ...es-fix-max_trace_args-limit-handling.patch | 140 ++++++++++++++++++ 6 files changed, 351 insertions(+) create mode 100644 queue-6.11/jfs-fix-sanity-check-in-dbmount.patch create mode 100644 queue-6.11/loongarch-don-t-crash-in-stack_top-for-tasks-without.patch create mode 100644 queue-6.11/objpool-fix-choosing-allocation-for-percpu-slots.patch create mode 100644 queue-6.11/tracing-consider-the-null-character-when-validating-.patch create mode 100644 queue-6.11/tracing-probes-fix-max_trace_args-limit-handling.patch diff --git a/queue-6.11/jfs-fix-sanity-check-in-dbmount.patch b/queue-6.11/jfs-fix-sanity-check-in-dbmount.patch new file mode 100644 index 00000000000..a91436d26d0 --- /dev/null +++ b/queue-6.11/jfs-fix-sanity-check-in-dbmount.patch @@ -0,0 +1,35 @@ +From 88969e53ef162c185e16d446b3fcb3772cf6e912 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2024 09:40:37 -0500 +Subject: jfs: Fix sanity check in dbMount + +From: Dave Kleikamp + +[ Upstream commit 67373ca8404fe57eb1bb4b57f314cff77ce54932 ] + +MAXAG is a legitimate value for bmp->db_numag + +Fixes: e63866a47556 ("jfs: fix out-of-bounds in dbNextAG() and diAlloc()") + +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 974ecf5e0d952..3ab410059dc20 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -187,7 +187,7 @@ int dbMount(struct inode *ipbmap) + } + + bmp->db_numag = 
le32_to_cpu(dbmp_le->dn_numag); +- if (!bmp->db_numag || bmp->db_numag >= MAXAG) { ++ if (!bmp->db_numag || bmp->db_numag > MAXAG) { + err = -EINVAL; + goto err_release_metapage; + } +-- +2.43.0 + diff --git a/queue-6.11/loongarch-don-t-crash-in-stack_top-for-tasks-without.patch b/queue-6.11/loongarch-don-t-crash-in-stack_top-for-tasks-without.patch new file mode 100644 index 00000000000..c9c17e7eb63 --- /dev/null +++ b/queue-6.11/loongarch-don-t-crash-in-stack_top-for-tasks-without.patch @@ -0,0 +1,67 @@ +From 6bc3edf81a7f585405d4a37221bb17f5182999ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2024 22:11:19 +0800 +Subject: LoongArch: Don't crash in stack_top() for tasks without vDSO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 134475a9ab8487527238d270639a8cb74c10aab2 ] + +Not all tasks have a vDSO mapped, for example kthreads never do. If such +a task ever ends up calling stack_top(), it will dereference the NULL vdso +pointer and crash. 
+ +This can for example happen when using kunit: + + [<9000000000203874>] stack_top+0x58/0xa8 + [<90000000002956cc>] arch_pick_mmap_layout+0x164/0x220 + [<90000000003c284c>] kunit_vm_mmap_init+0x108/0x12c + [<90000000003c1fbc>] __kunit_add_resource+0x38/0x8c + [<90000000003c2704>] kunit_vm_mmap+0x88/0xc8 + [<9000000000410b14>] usercopy_test_init+0xbc/0x25c + [<90000000003c1db4>] kunit_try_run_case+0x5c/0x184 + [<90000000003c3d54>] kunit_generic_run_threadfn_adapter+0x24/0x48 + [<900000000022e4bc>] kthread+0xc8/0xd4 + [<9000000000200ce8>] ret_from_kernel_thread+0xc/0xa4 + +Fixes: 803b0fc5c3f2 ("LoongArch: Add process management") +Signed-off-by: Thomas Weißschuh +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/kernel/process.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/arch/loongarch/kernel/process.c b/arch/loongarch/kernel/process.c +index f2ff8b5d591e4..6e58f65455c7c 100644 +--- a/arch/loongarch/kernel/process.c ++++ b/arch/loongarch/kernel/process.c +@@ -293,13 +293,15 @@ unsigned long stack_top(void) + { + unsigned long top = TASK_SIZE & PAGE_MASK; + +- /* Space for the VDSO & data page */ +- top -= PAGE_ALIGN(current->thread.vdso->size); +- top -= VVAR_SIZE; +- +- /* Space to randomize the VDSO base */ +- if (current->flags & PF_RANDOMIZE) +- top -= VDSO_RANDOMIZE_SIZE; ++ if (current->thread.vdso) { ++ /* Space for the VDSO & data page */ ++ top -= PAGE_ALIGN(current->thread.vdso->size); ++ top -= VVAR_SIZE; ++ ++ /* Space to randomize the VDSO base */ ++ if (current->flags & PF_RANDOMIZE) ++ top -= VDSO_RANDOMIZE_SIZE; ++ } + + return top; + } +-- +2.43.0 + diff --git a/queue-6.11/objpool-fix-choosing-allocation-for-percpu-slots.patch b/queue-6.11/objpool-fix-choosing-allocation-for-percpu-slots.patch new file mode 100644 index 00000000000..dafc23bbc3c --- /dev/null +++ b/queue-6.11/objpool-fix-choosing-allocation-for-percpu-slots.patch @@ -0,0 +1,62 @@ +From 
09b446b6ded4d3801b680fba7d4edcc7ca4d2357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 08:07:18 +0200 +Subject: objpool: fix choosing allocation for percpu slots + +From: Viktor Malik + +[ Upstream commit aff1871bfc81e9dffa7d2a77e67cc5441cc37f81 ] + +objpool intends to use vmalloc for default (non-atomic) allocations of +percpu slots and objects. However, the condition checking if GFP flags +set any bit of GFP_ATOMIC is wrong b/c GFP_ATOMIC is a combination of bits +(__GFP_HIGH|__GFP_KSWAPD_RECLAIM) and so `pool->gfp & GFP_ATOMIC` will +be true if either bit is set. Since GFP_ATOMIC and GFP_KERNEL share the +___GFP_KSWAPD_RECLAIM bit, kmalloc will be used in cases when GFP_KERNEL +is specified, i.e. in all current usages of objpool. + +This may lead to unexpected OOM errors since kmalloc cannot allocate +large amounts of memory. + +For instance, objpool is used by fprobe rethook which in turn is used by +BPF kretprobe.multi and kprobe.session probe types. Trying to attach +these to all kernel functions with libbpf using + + SEC("kprobe.session/*") + int kprobe(struct pt_regs *ctx) + { + [...] + } + +fails on objpool slot allocation with ENOMEM. + +Fix the condition to truly use vmalloc by default. 
+ +Link: https://lore.kernel.org/all/20240826060718.267261-1-vmalik@redhat.com/ + +Fixes: b4edb8d2d464 ("lib: objpool added: ring-array based lockless MPMC") +Signed-off-by: Viktor Malik +Acked-by: Andrii Nakryiko +Reviewed-by: Matt Wu +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + lib/objpool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/objpool.c b/lib/objpool.c +index 234f9d0bd081a..fd108fe0d095a 100644 +--- a/lib/objpool.c ++++ b/lib/objpool.c +@@ -76,7 +76,7 @@ objpool_init_percpu_slots(struct objpool_head *pool, int nr_objs, + * mimimal size of vmalloc is one page since vmalloc would + * always align the requested size to page size + */ +- if (pool->gfp & GFP_ATOMIC) ++ if ((pool->gfp & GFP_ATOMIC) == GFP_ATOMIC) + slot = kmalloc_node(size, pool->gfp, cpu_to_node(i)); + else + slot = __vmalloc_node(size, sizeof(void *), pool->gfp, +-- +2.43.0 + diff --git a/queue-6.11/series b/queue-6.11/series index a15e3f09cbd..7575b0fec9e 100644 --- a/queue-6.11/series +++ b/queue-6.11/series @@ -134,3 +134,8 @@ fsnotify-avoid-data-race-between-fsnotify_recalc_mas.patch drm-xe-mcr-use-xe2_lpm-steering-tables-for-xe2_hpm.patch cifs-validate-content-of-nfs-reparse-point-buffer.patch platform-x86-dell-sysman-add-support-for-alienware-p.patch +loongarch-don-t-crash-in-stack_top-for-tasks-without.patch +objpool-fix-choosing-allocation-for-percpu-slots.patch +jfs-fix-sanity-check-in-dbmount.patch +tracing-probes-fix-max_trace_args-limit-handling.patch +tracing-consider-the-null-character-when-validating-.patch diff --git a/queue-6.11/tracing-consider-the-null-character-when-validating-.patch b/queue-6.11/tracing-consider-the-null-character-when-validating-.patch new file mode 100644 index 00000000000..d06c779315f --- /dev/null +++ b/queue-6.11/tracing-consider-the-null-character-when-validating-.patch @@ -0,0 +1,42 @@ +From 763c0f93bb840973f798d4ecfde63dbf1a9c8a66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 
7 Oct 2024 15:47:24 +0100 +Subject: tracing: Consider the NULL character when validating the event length + +From: Leo Yan + +[ Upstream commit 0b6e2e22cb23105fcb171ab92f0f7516c69c8471 ] + +strlen() returns a string length excluding the null byte. If the string +length equals the maximum buffer length, the buffer will have no +space for the NULL terminating character. + +This commit checks this condition and returns failure for it. + +Link: https://lore.kernel.org/all/20241007144724.920954-1-leo.yan@arm.com/ + +Fixes: dec65d79fd26 ("tracing/probe: Check event name length correctly") +Signed-off-by: Leo Yan +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index 39877c80d6cb9..16a5e368e7b77 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -276,7 +276,7 @@ int traceprobe_parse_event_name(const char **pevent, const char **pgroup, + } + trace_probe_log_err(offset, NO_EVENT_NAME); + return -EINVAL; +- } else if (len > MAX_EVENT_NAME_LEN) { ++ } else if (len >= MAX_EVENT_NAME_LEN) { + trace_probe_log_err(offset, EVENT_TOO_LONG); + return -EINVAL; + } +-- +2.43.0 + diff --git a/queue-6.11/tracing-probes-fix-max_trace_args-limit-handling.patch b/queue-6.11/tracing-probes-fix-max_trace_args-limit-handling.patch new file mode 100644 index 00000000000..e2550545914 --- /dev/null +++ b/queue-6.11/tracing-probes-fix-max_trace_args-limit-handling.patch @@ -0,0 +1,140 @@ +From ff6cb2537676cb3ff35de727ed1af05515a402a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 16:26:54 -0400 +Subject: tracing/probes: Fix MAX_TRACE_ARGS limit handling + +From: Mikel Rychliski + +[ Upstream commit 73f35080477e893aa6f4c8d388352b871b288fbc ] + +When creating a trace_probe we would set nr_args prior to truncating the +arguments to 
MAX_TRACE_ARGS. However, we would only initialize arguments +up to the limit. + +This caused invalid memory access when attempting to set up probes with +more than 128 fetchargs. + + BUG: kernel NULL pointer dereference, address: 0000000000000020 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] PREEMPT SMP PTI + CPU: 0 UID: 0 PID: 1769 Comm: cat Not tainted 6.11.0-rc7+ #8 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014 + RIP: 0010:__set_print_fmt+0x134/0x330 + +Resolve the issue by applying the MAX_TRACE_ARGS limit earlier. Return +an error when there are too many arguments instead of silently +truncating. + +Link: https://lore.kernel.org/all/20240930202656.292869-1-mikel@mikelr.com/ + +Fixes: 035ba76014c0 ("tracing/probes: cleanup: Set trace_probe::nr_args at trace_probe_init") +Signed-off-by: Mikel Rychliski +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_eprobe.c | 7 ++++++- + kernel/trace/trace_fprobe.c | 6 +++++- + kernel/trace/trace_kprobe.c | 6 +++++- + kernel/trace/trace_uprobe.c | 4 +++- + 4 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace_eprobe.c b/kernel/trace/trace_eprobe.c +index b0e0ec85912e9..ebda68ee9abff 100644 +--- a/kernel/trace/trace_eprobe.c ++++ b/kernel/trace/trace_eprobe.c +@@ -912,6 +912,11 @@ static int __trace_eprobe_create(int argc, const char *argv[]) + } + } + ++ if (argc - 2 > MAX_TRACE_ARGS) { ++ ret = -E2BIG; ++ goto error; ++ } ++ + mutex_lock(&event_mutex); + event_call = find_and_get_event(sys_name, sys_event); + ep = alloc_event_probe(group, event, event_call, argc - 2); +@@ -937,7 +942,7 @@ static int __trace_eprobe_create(int argc, const char *argv[]) + + argc -= 2; argv += 2; + /* parse arguments */ +- for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) { ++ for (i = 0; i < argc; i++) { + trace_probe_log_set_index(i + 2); + ret = 
trace_eprobe_tp_update_arg(ep, argv, i); + if (ret) +diff --git a/kernel/trace/trace_fprobe.c b/kernel/trace/trace_fprobe.c +index 62e6a8f4aae9b..5107d466a1293 100644 +--- a/kernel/trace/trace_fprobe.c ++++ b/kernel/trace/trace_fprobe.c +@@ -1104,6 +1104,10 @@ static int __trace_fprobe_create(int argc, const char *argv[]) + argc = new_argc; + argv = new_argv; + } ++ if (argc > MAX_TRACE_ARGS) { ++ ret = -E2BIG; ++ goto out; ++ } + + ret = traceprobe_expand_dentry_args(argc, argv, &dbuf); + if (ret) +@@ -1124,7 +1128,7 @@ static int __trace_fprobe_create(int argc, const char *argv[]) + (unsigned long)tf->tpoint->probestub); + + /* parse arguments */ +- for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) { ++ for (i = 0; i < argc; i++) { + trace_probe_log_set_index(i + 2); + ctx.offset = 0; + ret = traceprobe_parse_probe_arg(&tf->tp, i, argv[i], &ctx); +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c +index 61a6da808203e..263fac44d3ca3 100644 +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -1013,6 +1013,10 @@ static int __trace_kprobe_create(int argc, const char *argv[]) + argc = new_argc; + argv = new_argv; + } ++ if (argc > MAX_TRACE_ARGS) { ++ ret = -E2BIG; ++ goto out; ++ } + + ret = traceprobe_expand_dentry_args(argc, argv, &dbuf); + if (ret) +@@ -1029,7 +1033,7 @@ static int __trace_kprobe_create(int argc, const char *argv[]) + } + + /* parse arguments */ +- for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) { ++ for (i = 0; i < argc; i++) { + trace_probe_log_set_index(i + 2); + ctx.offset = 0; + ret = traceprobe_parse_probe_arg(&tk->tp, i, argv[i], &ctx); +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c +index 2c30d948e733c..6de07df05ed8c 100644 +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -556,6 +556,8 @@ static int __trace_uprobe_create(int argc, const char **argv) + + if (argc < 2) + return -ECANCELED; ++ if (argc - 2 > MAX_TRACE_ARGS) ++ return -E2BIG; + + if 
(argv[0][1] == ':') + event = &argv[0][2]; +@@ -681,7 +683,7 @@ static int __trace_uprobe_create(int argc, const char **argv) + tu->filename = filename; + + /* parse arguments */ +- for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) { ++ for (i = 0; i < argc; i++) { + struct traceprobe_parse_context ctx = { + .flags = (is_return ? TPARG_FL_RETURN : 0) | TPARG_FL_USER, + }; +-- +2.43.0 + -- 2.47.2