From b09c6ca6406e08d1d4300d381868061ac7329aee Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 9 May 2025 10:54:53 +0200
Subject: [PATCH] drop some broken patches
---
...bd-fix-uaf-in-__close_file_table_ids.patch | 79 -------------------
queue-6.1/series | 1 -
...i-fix-timeout-checks-on-polling-path.patch | 73 -----------------
queue-6.6/series | 1 -
4 files changed, 154 deletions(-)
delete mode 100644 queue-6.1/ksmbd-fix-uaf-in-__close_file_table_ids.patch
delete mode 100644 queue-6.6/firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch
diff --git a/queue-6.1/ksmbd-fix-uaf-in-__close_file_table_ids.patch b/queue-6.1/ksmbd-fix-uaf-in-__close_file_table_ids.patch
deleted file mode 100644
index e0b2ef6403..0000000000
--- a/queue-6.1/ksmbd-fix-uaf-in-__close_file_table_ids.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 36991c1ccde2d5a521577c448ffe07fcccfe104d Mon Sep 17 00:00:00 2001
-From: Sean Heelan
-Date: Tue, 6 May 2025 22:04:52 +0900
-Subject: ksmbd: Fix UAF in __close_file_table_ids
-
-From: Sean Heelan
-
-commit 36991c1ccde2d5a521577c448ffe07fcccfe104d upstream.
-
-A use-after-free is possible if one thread destroys the file
-via __ksmbd_close_fd while another thread holds a reference to
-it. The existing checks on fp->refcount are not sufficient to
-prevent this.
-
-The fix takes ft->lock around the section which removes the
-file from the file table. This prevents two threads acquiring the
-same file pointer via __close_file_table_ids, as well as the other
-functions which retrieve a file from the IDR and which already use
-this same lock.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Sean Heelan
-Acked-by: Namjae Jeon
-Signed-off-by: Steve French
-Signed-off-by: Greg Kroah-Hartman
----
- fs/smb/server/vfs_cache.c | 33 ++++++++++++++++++++++++++-------
- 1 file changed, 26 insertions(+), 7 deletions(-)
-
---- a/fs/smb/server/vfs_cache.c
-+++ b/fs/smb/server/vfs_cache.c
-@@ -620,21 +620,40 @@ __close_file_table_ids(struct ksmbd_file
- bool (*skip)(struct ksmbd_tree_connect *tcon,
- struct ksmbd_file *fp))
- {
-- unsigned int id;
-- struct ksmbd_file *fp;
-- int num = 0;
-+ struct ksmbd_file *fp;
-+ unsigned int id = 0;
-+ int num = 0;
-
-- idr_for_each_entry(ft->idr, fp, id) {
-- if (skip(tcon, fp))
-+ while (1) {
-+ write_lock(&ft->lock);
-+ fp = idr_get_next(ft->idr, &id);
-+ if (!fp) {
-+ write_unlock(&ft->lock);
-+ break;
-+ }
-+
-+ if (skip(tcon, fp) ||
-+ !atomic_dec_and_test(&fp->refcount)) {
-+ id++;
-+ write_unlock(&ft->lock);
- continue;
-+ }
-
- set_close_state_blocked_works(fp);
-+ idr_remove(ft->idr, fp->volatile_id);
-+ fp->volatile_id = KSMBD_NO_FID;
-+ write_unlock(&ft->lock);
-+
-+ down_write(&fp->f_ci->m_lock);
-+ list_del_init(&fp->node);
-+ up_write(&fp->f_ci->m_lock);
-
-- if (!atomic_dec_and_test(&fp->refcount))
-- continue;
- __ksmbd_close_fd(ft, fp);
-+
- num++;
-+ id++;
- }
-+
- return num;
- }
-
diff --git a/queue-6.1/series b/queue-6.1/series
index 0ca5d2ebaa..b0a1472c14 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -3,4 +3,3 @@ arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
 can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch
 can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
 ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
-ksmbd-fix-uaf-in-__close_file_table_ids.patch
diff --git a/queue-6.6/firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch b/queue-6.6/firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch
deleted file mode 100644
index 037bdf31cc..0000000000
--- a/queue-6.6/firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee Mon Sep 17 00:00:00 2001
-From: Cristian Marussi
-Date: Mon, 10 Mar 2025 17:58:00 +0000
-Subject: firmware: arm_scmi: Fix timeout checks on polling path
-
-From: Cristian Marussi
-
-commit c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee upstream.
-
-Polling mode transactions wait for a reply busy-looping without holding a
-spinlock, but currently the timeout checks are based only on elapsed time:
-as a result we could hit a false positive whenever our busy-looping thread
-is pre-empted and scheduled out for a time greater than the polling
-timeout.
-
-Change the checks at the end of the busy-loop to make sure that the polling
-wasn't indeed successful or an out-of-order reply caused the polling to be
-forcibly terminated.
-
-Fixes: 31d2f803c19c ("firmware: arm_scmi: Add sync_cmds_completed_on_ret transport flag")
-Reported-by: Huangjie
-Closes: https://lore.kernel.org/arm-scmi/20250123083323.2363749-1-jackhuang021@gmail.com/
-Signed-off-by: Cristian Marussi
-Cc: stable@vger.kernel.org # 5.18.x
-Message-Id: <20250310175800.1444293-1-cristian.marussi@arm.com>
-Signed-off-by: Sudeep Holla
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/firmware/arm_scmi/driver.c | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
---- a/drivers/firmware/arm_scmi/driver.c
-+++ b/drivers/firmware/arm_scmi/driver.c
-@@ -1017,7 +1017,8 @@ static void xfer_put(const struct scmi_p
- }
-
- static bool scmi_xfer_done_no_timeout(struct scmi_chan_info *cinfo,
-- struct scmi_xfer *xfer, ktime_t stop)
-+ struct scmi_xfer *xfer, ktime_t stop,
-+ bool *ooo)
- {
- struct scmi_info *info = handle_to_scmi_info(cinfo->handle);
-
-@@ -1026,7 +1027,7 @@ static bool scmi_xfer_done_no_timeout(st
- * in case of out-of-order receptions of delayed responses
- */
- return info->desc->ops->poll_done(cinfo, xfer) ||
-- try_wait_for_completion(&xfer->done) ||
-+ (*ooo = try_wait_for_completion(&xfer->done)) ||
- ktime_after(ktime_get(), stop);
- }
-
-@@ -1042,15 +1043,17 @@ static int scmi_wait_for_reply(struct de
- * itself to support synchronous commands replies.
- */
- if (!desc->sync_cmds_completed_on_ret) {
-+ bool ooo = false;
-+
- /*
- * Poll on xfer using transport provided .poll_done();
- * assumes no completion interrupt was available.
- */
- ktime_t stop = ktime_add_ms(ktime_get(), timeout_ms);
-
-- spin_until_cond(scmi_xfer_done_no_timeout(cinfo,
-- xfer, stop));
-- if (ktime_after(ktime_get(), stop)) {
-+ spin_until_cond(scmi_xfer_done_no_timeout(cinfo, xfer,
-+ stop, &ooo));
-+ if (!ooo && !info->desc->ops->poll_done(cinfo, xfer)) {
- dev_err(dev,
- "timed out in resp(caller: %pS) - polling\n",
- (void *)_RET_IP_);
diff --git a/queue-6.6/series b/queue-6.6/series
index b622f12fc0..843cabccca 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -1,6 +1,5 @@
 dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
 arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
-firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch
 can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch
 wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch
 can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
-- 
2.47.3