5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Jan 2024 16:16:13 +0000 (08:16 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Jan 2024 16:16:13 +0000 (08:16 -0800)
added patches:
cifs-fix-off-by-one-in-smb2_query_info_init.patch
mips-call-lose_fpu-0-before-initializing-fcr31-in-mips_set_personality_nan.patch
tick-sched-preserve-number-of-idle-sleeps-across-cpu-hotplug-events.patch
x86-entry-ia32-ensure-s32-is-sign-extended-to-s64.patch

queue-5.10/cifs-fix-off-by-one-in-smb2_query_info_init.patch [new file with mode: 0644]
queue-5.10/mips-call-lose_fpu-0-before-initializing-fcr31-in-mips_set_personality_nan.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/tick-sched-preserve-number-of-idle-sleeps-across-cpu-hotplug-events.patch [new file with mode: 0644]
queue-5.10/x86-entry-ia32-ensure-s32-is-sign-extended-to-s64.patch [new file with mode: 0644]

diff --git a/queue-5.10/cifs-fix-off-by-one-in-smb2_query_info_init.patch b/queue-5.10/cifs-fix-off-by-one-in-smb2_query_info_init.patch
new file mode 100644 (file)
index 0000000..5235b1a
--- /dev/null
@@ -0,0 +1,58 @@
+From harshit.m.mogalapalli@oracle.com  Mon Jan 29 08:14:10 2024
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Date: Sun, 28 Jan 2024 21:43:42 -0800
+Subject: cifs: fix off-by-one in SMB2_query_info_init()
+To: stable@vger.kernel.org
+Cc: kovalev@altlinux.org, abuehaze@amazon.com, smfrench@gmail.com, greg@kroah.com, linux-cifs@vger.kernel.org, keescook@chromium.org, darren.kenny@oracle.com, pc@manguebit.com, nspmangalore@gmail.com, vegard.nossum@oracle.com, Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Message-ID: <20240129054342.2472454-1-harshit.m.mogalapalli@oracle.com>
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+Bug: After mounting the cifs fs, it complains with Resource temporarily
+unavailable messages.
+
+[root@vm1 xfstests-dev]# ./check -g quick -s smb3
+TEST_DEV=//<SERVER_IP>/TEST is mounted but not a type cifs filesystem
+[root@vm1 xfstests-dev]# df
+df: /mnt/test: Resource temporarily unavailable
+
+Paul's analysis of the bug:
+
+       Bug is related to an off-by-one in smb2_set_next_command() when
+       the client attempts to pad SMB2_QUERY_INFO request -- since it isn't
+       8 byte aligned -- even though smb2_query_info_compound() doesn't
+       provide an extra iov for such padding.
+
+       v5.10.y doesn't have
+
+        eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
+
+       and the commit does
+
+               if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
+                            len > CIFSMaxBufSize))
+                       return -EINVAL;
+
+       so sizeof(*req) will wrongly include the extra byte from
+       smb2_query_info_req::Buffer making @len unaligned and therefore causing
+       OOB in smb2_set_next_command().
+
+Fixes: 203a412e52b5 ("smb: client: fix OOB in SMB2_query_info_init()")
+Suggested-by: Paulo Alcantara <pc@manguebit.com>
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3378,7 +3378,7 @@ SMB2_query_info_init(struct cifs_tcon *t
+       iov[0].iov_base = (char *)req;
+       /* 1 for Buffer */
+-      iov[0].iov_len = len;
++      iov[0].iov_len = len - 1;
+       return 0;
+ }
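Review bot: The new `iov[0].iov_len = len - 1;` in SMB2_query_info_init() is explained only by the pre-existing `/* 1 for Buffer */` comment, which does not say that the subtraction is valid only while `sizeof(*req)` still counts the one-byte `Buffer` member. The patch description says 5.10.y lacks eb3e28c1e89b, so a later backport of that flex-array conversion would leave this iov one byte short with no compile-time signal. I would widen the comment to something like `/* sizeof(*req) counts the 1-byte Buffer[1]; exclude it from the iov length */` and name the dependency on eb3e28c1e89b next to it. The function body starts outside the hunk, so how `len` is computed is taken from the description rather than from visible code.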
diff --git a/queue-5.10/mips-call-lose_fpu-0-before-initializing-fcr31-in-mips_set_personality_nan.patch b/queue-5.10/mips-call-lose_fpu-0-before-initializing-fcr31-in-mips_set_personality_nan.patch
new file mode 100644 (file)
index 0000000..9d69454
--- /dev/null
@@ -0,0 +1,57 @@
+From 59be5c35850171e307ca5d3d703ee9ff4096b948 Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <xry111@xry111.site>
+Date: Sat, 27 Jan 2024 05:05:57 +0800
+Subject: mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan
+
+From: Xi Ruoyao <xry111@xry111.site>
+
+commit 59be5c35850171e307ca5d3d703ee9ff4096b948 upstream.
+
+If we still own the FPU after initializing fcr31, when we are preempted
+the dirty value in the FPU will be read out and stored into fcr31,
+clobbering our setting.  This can cause an improper floating-point
+environment after execve().  For example:
+
+    zsh% cat measure.c
+    #include <fenv.h>
+    int main() { return fetestexcept(FE_INEXACT); }
+    zsh% cc measure.c -o measure -lm
+    zsh% echo $((1.0/3)) # raising FE_INEXACT
+    0.33333333333333331
+    zsh% while ./measure; do ; done
+    (stopped in seconds)
+
+Call lose_fpu(0) before setting fcr31 to prevent this.
+
+Closes: https://lore.kernel.org/linux-mips/7a6aa1bbdbbe2e63ae96ff163fab0349f58f1b9e.camel@xry111.site/
+Fixes: 9b26616c8d9d ("MIPS: Respect the ISA level in FCSR handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Xi Ruoyao <xry111@xry111.site>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/kernel/elf.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/mips/kernel/elf.c
++++ b/arch/mips/kernel/elf.c
+@@ -11,6 +11,7 @@
+ #include <asm/cpu-features.h>
+ #include <asm/cpu-info.h>
++#include <asm/fpu.h>
+ #ifdef CONFIG_MIPS_FP_SUPPORT
+@@ -309,6 +310,11 @@ void mips_set_personality_nan(struct arc
+       struct cpuinfo_mips *c = &boot_cpu_data;
+       struct task_struct *t = current;
++      /* Do this early so t->thread.fpu.fcr31 won't be clobbered in case
++       * we are preempted before the lose_fpu(0) in start_thread.
++       */
++      lose_fpu(0);
++
+       t->thread.fpu.fcr31 = c->fpu_csr31;
+       switch (state->nan_2008) {
+       case 0:
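Review bot: The comment added above `lose_fpu(0)` in mips_set_personality_nan() names the race but not the invariant that closes it. Going by the commit message, that invariant is that once the task no longer owns the FPU, a context switch has no live value to store over `t->thread.fpu.fcr31`. Saying so in the comment would tell a later reader that the call has to stay ahead of the `fcr31` assignment and the `switch` that follows it. The block comment also starts its text on the `/*` line, whereas the usual kernel layout puts `/*` on a line of its own. The function begins and ends outside the hunk, so whether any path re-acquires the FPU before start_thread() cannot be checked from here.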
index b489a24df08fddb6757770633239ec65c00216b2..13852f3ca74b0fb543937c8a4793cf14596efef0 100644 (file)
@@ -95,3 +95,7 @@ drm-exynos-fix-accidental-on-stack-copy-of-exynos_dr.patch
 drm-exynos-gsc-minor-fix-for-loop-iteration-in-gsc_r.patch
 gpio-eic-sprd-clear-interrupt-after-set-the-interrup.patch
 spi-bcm-qspi-fix-sfdp-bfpt-read-by-usig-mspi-read.patch
+mips-call-lose_fpu-0-before-initializing-fcr31-in-mips_set_personality_nan.patch
+tick-sched-preserve-number-of-idle-sleeps-across-cpu-hotplug-events.patch
+x86-entry-ia32-ensure-s32-is-sign-extended-to-s64.patch
+cifs-fix-off-by-one-in-smb2_query_info_init.patch
diff --git a/queue-5.10/tick-sched-preserve-number-of-idle-sleeps-across-cpu-hotplug-events.patch b/queue-5.10/tick-sched-preserve-number-of-idle-sleeps-across-cpu-hotplug-events.patch
new file mode 100644 (file)
index 0000000..f1d70b1
--- /dev/null
@@ -0,0 +1,52 @@
+From 9a574ea9069be30b835a3da772c039993c43369b Mon Sep 17 00:00:00 2001
+From: Tim Chen <tim.c.chen@linux.intel.com>
+Date: Mon, 22 Jan 2024 15:35:34 -0800
+Subject: tick/sched: Preserve number of idle sleeps across CPU hotplug events
+
+From: Tim Chen <tim.c.chen@linux.intel.com>
+
+commit 9a574ea9069be30b835a3da772c039993c43369b upstream.
+
+Commit 71fee48f ("tick-sched: Fix idle and iowait sleeptime accounting vs
+CPU hotplug") preserved total idle sleep time and iowait sleeptime across
+CPU hotplug events.
+
+Similar reasoning applies to the number of idle calls and idle sleeps to
+get the proper average of sleep time per idle invocation.
+
+Preserve those fields too.
+
+Fixes: 71fee48f ("tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug")
+Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240122233534.3094238-1-tim.c.chen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/tick-sched.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -1440,6 +1440,7 @@ void tick_cancel_sched_timer(int cpu)
+ {
+       struct tick_sched *ts = &per_cpu(tick_cpu_sched, cpu);
+       ktime_t idle_sleeptime, iowait_sleeptime;
++      unsigned long idle_calls, idle_sleeps;
+ # ifdef CONFIG_HIGH_RES_TIMERS
+       if (ts->sched_timer.base)
+@@ -1448,9 +1449,13 @@ void tick_cancel_sched_timer(int cpu)
+       idle_sleeptime = ts->idle_sleeptime;
+       iowait_sleeptime = ts->iowait_sleeptime;
++      idle_calls = ts->idle_calls;
++      idle_sleeps = ts->idle_sleeps;
+       memset(ts, 0, sizeof(*ts));
+       ts->idle_sleeptime = idle_sleeptime;
+       ts->iowait_sleeptime = iowait_sleeptime;
++      ts->idle_calls = idle_calls;
++      ts->idle_sleeps = idle_sleeps;
+ }
+ #endif
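Review bot: tick_cancel_sched_timer() now hand-carries four fields around `memset(ts, 0, sizeof(*ts))` with no comment saying which fields are meant to survive a CPU hotplug, so the next accounting field added to the structure is easy to miss in the same way these two were. A short comment above the save block, for example `/* Idle accounting must survive hotplug; everything else in *ts is reset below. */`, would make the rule visible. The new locals are declared `unsigned long`, and the structure definition is not in the hunk. It is worth confirming that this matches the types of `ts->idle_calls` and `ts->idle_sleeps`, so that no value is narrowed on the round trip.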
diff --git a/queue-5.10/x86-entry-ia32-ensure-s32-is-sign-extended-to-s64.patch b/queue-5.10/x86-entry-ia32-ensure-s32-is-sign-extended-to-s64.patch
new file mode 100644 (file)
index 0000000..85e3e13
--- /dev/null
@@ -0,0 +1,86 @@
+From 56062d60f117dccfb5281869e0ab61e090baf864 Mon Sep 17 00:00:00 2001
+From: Richard Palethorpe <rpalethorpe@suse.com>
+Date: Wed, 10 Jan 2024 15:01:22 +0200
+Subject: x86/entry/ia32: Ensure s32 is sign extended to s64
+
+From: Richard Palethorpe <rpalethorpe@suse.com>
+
+commit 56062d60f117dccfb5281869e0ab61e090baf864 upstream.
+
+Presently ia32 registers stored in ptregs are unconditionally cast to
+unsigned int by the ia32 stub. They are then cast to long when passed to
+__se_sys*, but will not be sign extended.
+
+This takes the sign of the syscall argument into account in the ia32
+stub. It still casts to unsigned int to avoid implementation specific
+behavior. However then casts to int or unsigned int as necessary. So that
+the following cast to long sign extends the value.
+
+This fixes the io_pgetevents02 LTP test when compiled with -m32. Presently
+the systemcall io_pgetevents_time64() unexpectedly accepts -1 for the
+maximum number of events.
+
+It doesn't appear other systemcalls with signed arguments are effected
+because they all have compat variants defined and wired up.
+
+Fixes: ebeb8c82ffaf ("syscalls/x86: Use 'struct pt_regs' based syscall calling for IA32_EMULATION and x32")
+Suggested-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
+Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240110130122.3836513-1-nik.borisov@suse.com
+Link: https://lore.kernel.org/ltp/20210921130127.24131-1-rpalethorpe@suse.com/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/syscall_wrapper.h |   25 +++++++++++++++++++++----
+ include/linux/syscalls.h               |    1 +
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/syscall_wrapper.h
++++ b/arch/x86/include/asm/syscall_wrapper.h
+@@ -58,12 +58,29 @@ extern long __ia32_sys_ni_syscall(const
+               ,,regs->di,,regs->si,,regs->dx                          \
+               ,,regs->r10,,regs->r8,,regs->r9)                        \
++
++/* SYSCALL_PT_ARGS is Adapted from s390x */
++#define SYSCALL_PT_ARG6(m, t1, t2, t3, t4, t5, t6)                    \
++      SYSCALL_PT_ARG5(m, t1, t2, t3, t4, t5), m(t6, (regs->bp))
++#define SYSCALL_PT_ARG5(m, t1, t2, t3, t4, t5)                                \
++      SYSCALL_PT_ARG4(m, t1, t2, t3, t4),  m(t5, (regs->di))
++#define SYSCALL_PT_ARG4(m, t1, t2, t3, t4)                            \
++      SYSCALL_PT_ARG3(m, t1, t2, t3),  m(t4, (regs->si))
++#define SYSCALL_PT_ARG3(m, t1, t2, t3)                                        \
++      SYSCALL_PT_ARG2(m, t1, t2), m(t3, (regs->dx))
++#define SYSCALL_PT_ARG2(m, t1, t2)                                    \
++      SYSCALL_PT_ARG1(m, t1), m(t2, (regs->cx))
++#define SYSCALL_PT_ARG1(m, t1) m(t1, (regs->bx))
++#define SYSCALL_PT_ARGS(x, ...) SYSCALL_PT_ARG##x(__VA_ARGS__)
++
++#define __SC_COMPAT_CAST(t, a)                                                \
++      (__typeof(__builtin_choose_expr(__TYPE_IS_L(t), 0, 0U)))        \
++      (unsigned int)a
++
+ /* Mapping of registers to parameters for syscalls on i386 */
+ #define SC_IA32_REGS_TO_ARGS(x, ...)                                  \
+-      __MAP(x,__SC_ARGS                                               \
+-            ,,(unsigned int)regs->bx,,(unsigned int)regs->cx          \
+-            ,,(unsigned int)regs->dx,,(unsigned int)regs->si          \
+-            ,,(unsigned int)regs->di,,(unsigned int)regs->bp)
++      SYSCALL_PT_ARGS(x, __SC_COMPAT_CAST,                            \
++                      __MAP(x, __SC_TYPE, __VA_ARGS__))               \
+ #define __SYS_STUB0(abi, name)                                                \
+       long __##abi##_##name(const struct pt_regs *regs);              \
+--- a/include/linux/syscalls.h
++++ b/include/linux/syscalls.h
+@@ -119,6 +119,7 @@ struct open_how;
+ #define __TYPE_IS_LL(t) (__TYPE_AS(t, 0LL) || __TYPE_AS(t, 0ULL))
+ #define __SC_LONG(t, a) __typeof(__builtin_choose_expr(__TYPE_IS_LL(t), 0LL, 0L)) a
+ #define __SC_CAST(t, a)       (__force t) a
++#define __SC_TYPE(t, a)       t
+ #define __SC_ARGS(t, a)       a
+ #define __SC_TEST(t, a) (void)BUILD_BUG_ON_ZERO(!__TYPE_IS_LL(t) && sizeof(t) > sizeof(long))
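Review bot: `__SC_COMPAT_CAST(t, a)` in syscall_wrapper.h expands its argument as `(unsigned int)a` without parentheses, so it is correct only because every `SYSCALL_PT_ARGn` helper passes an already parenthesised `(regs->bx)`-style expression. Writing `(unsigned int)(a)` removes that dependency. The macro also carries no comment, and the reason for the double cast is stated only in the commit message. A line above it such as `/* Truncate to 32 bits, then take the signedness of t so widening to long sign-extends. */` would keep that reasoning with the code. `__TYPE_IS_L` is defined outside the hunk, so which argument types end up on the signed branch should be confirmed there.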