From: Greg Kroah-Hartman Date: Mon, 10 Mar 2025 16:34:43 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.4.291~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c9e0308870d72353891735ca4dd4375fccb13b8;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: bpf-vsock-invoke-proto-close-on-close.patch fs-ntfs3-add-rough-attr-alloc_size-check.patch media-mediatek-vcodec-handle-invalid-decoder-vsi.patch nilfs2-eliminate-staggered-calls-to-kunmap-in-nilfs_rename.patch nilfs2-handle-errors-that-nilfs_prepare_chunk-may-return.patch nilfs2-move-page-release-outside-of-nilfs_delete_entry-and-nilfs_set_link.patch scsi-lpfc-fix-a-possible-data-race-in-lpfc_unregister_fcf_rescan.patch spi-mxs-fix-chipselect-glitch.patch vsock-keep-the-binding-until-socket-destruction.patch vsock-orphan-socket-after-transport-release.patch --- diff --git a/queue-6.1/bpf-vsock-invoke-proto-close-on-close.patch b/queue-6.1/bpf-vsock-invoke-proto-close-on-close.patch new file mode 100644 index 0000000000..ad86c1a23c --- /dev/null +++ b/queue-6.1/bpf-vsock-invoke-proto-close-on-close.patch @@ -0,0 +1,140 @@ +From 135ffc7becc82cfb84936ae133da7969220b43b2 Mon Sep 17 00:00:00 2001 +From: Michal Luczaj +Date: Mon, 18 Nov 2024 22:03:43 +0100 +Subject: bpf, vsock: Invoke proto::close on close() + +From: Michal Luczaj + +commit 135ffc7becc82cfb84936ae133da7969220b43b2 upstream. + +vsock defines a BPF callback to be invoked when close() is called. However, +this callback is never actually executed. As a result, a closed vsock +socket is not automatically removed from the sockmap/sockhash. + +Introduce a dummy vsock_close() and make vsock_release() call proto::close. + +Note: changes in __vsock_release() look messy, but it's only due to indent +level reduction and variables xmas tree reorder. + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Link: https://lore.kernel.org/r/20241118-vsock-bpf-poll-close-v1-3-f1b9669cacdc@rbox.co +Signed-off-by: Alexei Starovoitov +Acked-by: John Fastabend +[LL: There is no sockmap support for this kernel version. This patch has +been backported because it helps reduce conflicts on future backports] +Signed-off-by: Luigi Leonardi +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 71 +++++++++++++++++++++++++++-------------------- + 1 file changed, 42 insertions(+), 29 deletions(-) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -116,12 +116,14 @@ + static int __vsock_bind(struct sock *sk, struct sockaddr_vm *addr); + static void vsock_sk_destruct(struct sock *sk); + static int vsock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb); ++static void vsock_close(struct sock *sk, long timeout); + + /* Protocol family. */ + static struct proto vsock_proto = { + .name = "AF_VSOCK", + .owner = THIS_MODULE, + .obj_size = sizeof(struct vsock_sock), ++ .close = vsock_close, + }; + + /* The default peer timeout indicates how long we will wait for a peer response +@@ -803,39 +805,37 @@ static bool sock_type_connectible(u16 ty + + static void __vsock_release(struct sock *sk, int level) + { +- if (sk) { +- struct sock *pending; +- struct vsock_sock *vsk; ++ struct vsock_sock *vsk; ++ struct sock *pending; + +- vsk = vsock_sk(sk); +- pending = NULL; /* Compiler warning. */ ++ vsk = vsock_sk(sk); ++ pending = NULL; /* Compiler warning. */ + +- /* When "level" is SINGLE_DEPTH_NESTING, use the nested +- * version to avoid the warning "possible recursive locking +- * detected". When "level" is 0, lock_sock_nested(sk, level) +- * is the same as lock_sock(sk). +- */ +- lock_sock_nested(sk, level); ++ /* When "level" is SINGLE_DEPTH_NESTING, use the nested ++ * version to avoid the warning "possible recursive locking ++ * detected". When "level" is 0, lock_sock_nested(sk, level) ++ * is the same as lock_sock(sk). ++ */ ++ lock_sock_nested(sk, level); + +- if (vsk->transport) +- vsk->transport->release(vsk); +- else if (sock_type_connectible(sk->sk_type)) +- vsock_remove_sock(vsk); +- +- sock_orphan(sk); +- sk->sk_shutdown = SHUTDOWN_MASK; +- +- skb_queue_purge(&sk->sk_receive_queue); +- +- /* Clean up any sockets that never were accepted. */ +- while ((pending = vsock_dequeue_accept(sk)) != NULL) { +- __vsock_release(pending, SINGLE_DEPTH_NESTING); +- sock_put(pending); +- } ++ if (vsk->transport) ++ vsk->transport->release(vsk); ++ else if (sock_type_connectible(sk->sk_type)) ++ vsock_remove_sock(vsk); + +- release_sock(sk); +- sock_put(sk); ++ sock_orphan(sk); ++ sk->sk_shutdown = SHUTDOWN_MASK; ++ ++ skb_queue_purge(&sk->sk_receive_queue); ++ ++ /* Clean up any sockets that never were accepted. */ ++ while ((pending = vsock_dequeue_accept(sk)) != NULL) { ++ __vsock_release(pending, SINGLE_DEPTH_NESTING); ++ sock_put(pending); + } ++ ++ release_sock(sk); ++ sock_put(sk); + } + + static void vsock_sk_destruct(struct sock *sk) +@@ -912,9 +912,22 @@ void vsock_data_ready(struct sock *sk) + } + EXPORT_SYMBOL_GPL(vsock_data_ready); + ++/* Dummy callback required by sockmap. ++ * See unconditional call of saved_close() in sock_map_close(). ++ */ ++static void vsock_close(struct sock *sk, long timeout) ++{ ++} ++ + static int vsock_release(struct socket *sock) + { +- __vsock_release(sock->sk, 0); ++ struct sock *sk = sock->sk; ++ ++ if (!sk) ++ return 0; ++ ++ sk->sk_prot->close(sk, 0); ++ __vsock_release(sk, 0); + sock->sk = NULL; + sock->state = SS_FREE; + diff --git a/queue-6.1/fs-ntfs3-add-rough-attr-alloc_size-check.patch b/queue-6.1/fs-ntfs3-add-rough-attr-alloc_size-check.patch new file mode 100644 index 0000000000..ca07dd2a3a --- /dev/null +++ b/queue-6.1/fs-ntfs3-add-rough-attr-alloc_size-check.patch @@ -0,0 +1,30 @@ +From c4a8ba334262e9a5c158d618a4820e1b9c12495c Mon Sep 17 00:00:00 2001 +From: Konstantin Komarov +Date: Mon, 19 Aug 2024 16:26:59 +0300 +Subject: fs/ntfs3: Add rough attr alloc_size check + +From: Konstantin Komarov + +commit c4a8ba334262e9a5c158d618a4820e1b9c12495c upstream. + +Reported-by: syzbot+c6d94bedd910a8216d25@syzkaller.appspotmail.com +Signed-off-by: Konstantin Komarov +Signed-off-by: Bin Lan +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + fs/ntfs3/record.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ntfs3/record.c ++++ b/fs/ntfs3/record.c +@@ -325,6 +325,9 @@ struct ATTRIB *mi_enum_attr(struct mft_i + } else { + if (attr->nres.c_unit) + return NULL; ++ ++ if (alloc_size > mi->sbi->volume.size) ++ return NULL; + } + + return attr; diff --git a/queue-6.1/media-mediatek-vcodec-handle-invalid-decoder-vsi.patch b/queue-6.1/media-mediatek-vcodec-handle-invalid-decoder-vsi.patch new file mode 100644 index 0000000000..9ff33126d0 --- /dev/null +++ b/queue-6.1/media-mediatek-vcodec-handle-invalid-decoder-vsi.patch @@ -0,0 +1,40 @@ +From 59d438f8e02ca641c58d77e1feffa000ff809e9f Mon Sep 17 00:00:00 2001 +From: Irui Wang +Date: Thu, 21 Mar 2024 09:47:54 +0800 +Subject: media: mediatek: vcodec: Handle invalid decoder vsi + +From: Irui Wang + +commit 59d438f8e02ca641c58d77e1feffa000ff809e9f upstream. + +Handle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi +is valid for future use. + +Fixes: 590577a4e525 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver") + +Signed-off-by: Irui Wang +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +[ Replace mtk_vdec_err with mtk_vcodec_err to make it work on 6.1.y ] +Signed-off-by: Alva Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/mediatek/vcodec/vdec_vpu_if.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/media/platform/mediatek/vcodec/vdec_vpu_if.c ++++ b/drivers/media/platform/mediatek/vcodec/vdec_vpu_if.c +@@ -213,6 +213,12 @@ int vpu_dec_init(struct vdec_vpu_inst *v + mtk_vcodec_debug(vpu, "vdec_inst=%p", vpu); + + err = vcodec_vpu_send_msg(vpu, (void *)&msg, sizeof(msg)); ++ ++ if (IS_ERR_OR_NULL(vpu->vsi)) { ++ mtk_vcodec_err(vpu, "invalid vdec vsi, status=%d", err); ++ return -EINVAL; ++ } ++ + mtk_vcodec_debug(vpu, "- ret=%d", err); + return err; + } diff --git a/queue-6.1/nilfs2-eliminate-staggered-calls-to-kunmap-in-nilfs_rename.patch b/queue-6.1/nilfs2-eliminate-staggered-calls-to-kunmap-in-nilfs_rename.patch new file mode 100644 index 0000000000..a9fab98258 --- /dev/null +++ b/queue-6.1/nilfs2-eliminate-staggered-calls-to-kunmap-in-nilfs_rename.patch @@ -0,0 +1,52 @@ +From 8cf57c6df818f58fdad16a909506be213623a88e Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Mon, 27 Nov 2023 23:30:21 +0900 +Subject: nilfs2: eliminate staggered calls to kunmap in nilfs_rename + +From: Ryusuke Konishi + +commit 8cf57c6df818f58fdad16a909506be213623a88e upstream. + +In nilfs_rename(), calls to nilfs_put_page() to release pages obtained +with nilfs_find_entry() or nilfs_dotdot() are alternated in the normal +path. + +When replacing the kernel memory mapping method from kmap to +kmap_local_{page,folio}, this violates the constraint on the calling order +of kunmap_local(). + +Swap the order of nilfs_put_page calls where the kmap sections of multiple +pages overlap so that they are nested, allowing direct replacement of +nilfs_put_page() -> unmap_and_put_page(). + +Without this reordering, that replacement will cause a kernel WARNING in +kunmap_local_indexed() on architectures with high memory mapping. + +Link: https://lkml.kernel.org/r/20231127143036.2425-3-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reviewed-by: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Stable-dep-of: ee70999a988b ("nilfs2: handle errors that nilfs_prepare_chunk() may return") +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/namei.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/namei.c ++++ b/fs/nilfs2/namei.c +@@ -431,13 +431,14 @@ static int nilfs_rename(struct user_name + old_inode->i_ctime = current_time(old_inode); + + nilfs_delete_entry(old_de, old_page); +- nilfs_put_page(old_page); + + if (dir_de) { + nilfs_set_link(old_inode, dir_de, dir_page, new_dir); + nilfs_put_page(dir_page); + drop_nlink(old_dir); + } ++ nilfs_put_page(old_page); ++ + nilfs_mark_inode_dirty(old_dir); + nilfs_mark_inode_dirty(old_inode); + diff --git a/queue-6.1/nilfs2-handle-errors-that-nilfs_prepare_chunk-may-return.patch b/queue-6.1/nilfs2-handle-errors-that-nilfs_prepare_chunk-may-return.patch new file mode 100644 index 0000000000..a3dacb08db --- /dev/null +++ b/queue-6.1/nilfs2-handle-errors-that-nilfs_prepare_chunk-may-return.patch @@ -0,0 +1,158 @@ +From ee70999a988b8abc3490609142f50ebaa8344432 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sat, 11 Jan 2025 23:26:35 +0900 +Subject: nilfs2: handle errors that nilfs_prepare_chunk() may return + +From: Ryusuke Konishi + +commit ee70999a988b8abc3490609142f50ebaa8344432 upstream. + +Patch series "nilfs2: fix issues with rename operations". + +This series fixes BUG_ON check failures reported by syzbot around rename +operations, and a minor behavioral issue where the mtime of a child +directory changes when it is renamed instead of moved. + + +This patch (of 2): + +The directory manipulation routines nilfs_set_link() and +nilfs_delete_entry() rewrite the directory entry in the folio/page +previously read by nilfs_find_entry(), so error handling is omitted on the +assumption that nilfs_prepare_chunk(), which prepares the buffer for +rewriting, will always succeed for these. And if an error is returned, it +triggers the legacy BUG_ON() checks in each routine. + +This assumption is wrong, as proven by syzbot: the buffer layer called by +nilfs_prepare_chunk() may call nilfs_get_block() if necessary, which may +fail due to metadata corruption or other reasons. This has been there all +along, but improved sanity checks and error handling may have made it more +reproducible in fuzzing tests. + +Fix this issue by adding missing error paths in nilfs_set_link(), +nilfs_delete_entry(), and their caller nilfs_rename(). + +Link: https://lkml.kernel.org/r/20250111143518.7901-1-konishi.ryusuke@gmail.com +Link: https://lkml.kernel.org/r/20250111143518.7901-2-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+32c3706ebf5d95046ea1@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=32c3706ebf5d95046ea1 +Reported-by: syzbot+1097e95f134f37d9395c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=1097e95f134f37d9395c +Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/dir.c | 13 ++++++++++--- + fs/nilfs2/namei.c | 29 +++++++++++++++-------------- + fs/nilfs2/nilfs.h | 4 ++-- + 3 files changed, 27 insertions(+), 19 deletions(-) + +--- a/fs/nilfs2/dir.c ++++ b/fs/nilfs2/dir.c +@@ -444,7 +444,7 @@ int nilfs_inode_by_name(struct inode *di + return 0; + } + +-void nilfs_set_link(struct inode *dir, struct nilfs_dir_entry *de, ++int nilfs_set_link(struct inode *dir, struct nilfs_dir_entry *de, + struct page *page, struct inode *inode) + { + unsigned int from = (char *)de - (char *)page_address(page); +@@ -454,11 +454,15 @@ void nilfs_set_link(struct inode *dir, s + + lock_page(page); + err = nilfs_prepare_chunk(page, from, to); +- BUG_ON(err); ++ if (unlikely(err)) { ++ unlock_page(page); ++ return err; ++ } + de->inode = cpu_to_le64(inode->i_ino); + nilfs_set_de_type(de, inode); + nilfs_commit_chunk(page, mapping, from, to); + dir->i_mtime = dir->i_ctime = current_time(dir); ++ return 0; + } + + /* +@@ -590,7 +594,10 @@ int nilfs_delete_entry(struct nilfs_dir_ + from = (char *)pde - (char *)page_address(page); + lock_page(page); + err = nilfs_prepare_chunk(page, from, to); +- BUG_ON(err); ++ if (unlikely(err)) { ++ unlock_page(page); ++ goto out; ++ } + if (pde) + pde->rec_len = nilfs_rec_len_to_disk(to - from); + dir->inode = 0; +--- a/fs/nilfs2/namei.c ++++ b/fs/nilfs2/namei.c +@@ -406,8 +406,10 @@ static int nilfs_rename(struct user_name + err = PTR_ERR(new_de); + goto out_dir; + } +- nilfs_set_link(new_dir, new_de, new_page, old_inode); ++ err = nilfs_set_link(new_dir, new_de, new_page, old_inode); + nilfs_put_page(new_page); ++ if (unlikely(err)) ++ goto out_dir; + nilfs_mark_inode_dirty(new_dir); + new_inode->i_ctime = current_time(new_inode); + if (dir_de) +@@ -430,28 +432,27 @@ static int nilfs_rename(struct user_name + */ + old_inode->i_ctime = current_time(old_inode); + +- nilfs_delete_entry(old_de, old_page); +- +- if (dir_de) { +- nilfs_set_link(old_inode, dir_de, dir_page, new_dir); +- nilfs_put_page(dir_page); +- drop_nlink(old_dir); ++ err = nilfs_delete_entry(old_de, old_page); ++ if (likely(!err)) { ++ if (dir_de) { ++ err = nilfs_set_link(old_inode, dir_de, dir_page, ++ new_dir); ++ drop_nlink(old_dir); ++ } ++ nilfs_mark_inode_dirty(old_dir); + } +- nilfs_put_page(old_page); +- +- nilfs_mark_inode_dirty(old_dir); + nilfs_mark_inode_dirty(old_inode); + +- err = nilfs_transaction_commit(old_dir->i_sb); +- return err; +- + out_dir: + if (dir_de) + nilfs_put_page(dir_page); + out_old: + nilfs_put_page(old_page); + out: +- nilfs_transaction_abort(old_dir->i_sb); ++ if (likely(!err)) ++ err = nilfs_transaction_commit(old_dir->i_sb); ++ else ++ nilfs_transaction_abort(old_dir->i_sb); + return err; + } + +--- a/fs/nilfs2/nilfs.h ++++ b/fs/nilfs2/nilfs.h +@@ -240,8 +240,8 @@ nilfs_find_entry(struct inode *, const s + extern int nilfs_delete_entry(struct nilfs_dir_entry *, struct page *); + extern int nilfs_empty_dir(struct inode *); + extern struct nilfs_dir_entry *nilfs_dotdot(struct inode *, struct page **); +-extern void nilfs_set_link(struct inode *, struct nilfs_dir_entry *, +- struct page *, struct inode *); ++int nilfs_set_link(struct inode *dir, struct nilfs_dir_entry *de, ++ struct page *page, struct inode *inode); + + static inline void nilfs_put_page(struct page *page) + { diff --git a/queue-6.1/nilfs2-move-page-release-outside-of-nilfs_delete_entry-and-nilfs_set_link.patch b/queue-6.1/nilfs2-move-page-release-outside-of-nilfs_delete_entry-and-nilfs_set_link.patch new file mode 100644 index 0000000000..7e05924da0 --- /dev/null +++ b/queue-6.1/nilfs2-move-page-release-outside-of-nilfs_delete_entry-and-nilfs_set_link.patch @@ -0,0 +1,174 @@ +From 584db20c181f5e28c0386d7987406ace7fbd3e49 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Mon, 27 Nov 2023 23:30:20 +0900 +Subject: nilfs2: move page release outside of nilfs_delete_entry and nilfs_set_link + +From: Ryusuke Konishi + +commit 584db20c181f5e28c0386d7987406ace7fbd3e49 upstream. + +Patch series "nilfs2: Folio conversions for directory paths". + +This series applies page->folio conversions to nilfs2 directory +operations. This reduces hidden compound_head() calls and also converts +deprecated kmap calls to kmap_local in the directory code. + +Although nilfs2 does not yet support large folios, Matthew has done his +best here to include support for large folios, which will be needed for +devices with large block sizes. + +This series corresponds to the second half of the original post [1], but +with two complementary patches inserted at the beginning and some +adjustments, to prevent a kmap_local constraint violation found during +testing with highmem mapping. + +[1] https://lkml.kernel.org/r/20231106173903.1734114-1-willy@infradead.org + +I have reviewed all changes and tested this for regular and small block +sizes, both on machines with and without highmem mapping. No issues +found. + + +This patch (of 17): + +In a few directory operations, the call to nilfs_put_page() for a page +obtained using nilfs_find_entry() or nilfs_dotdot() is hidden in +nilfs_set_link() and nilfs_delete_entry(), making it difficult to track +page release and preventing change of its call position. + +By moving nilfs_put_page() out of these functions, this makes the page +get/put correspondence clearer and makes it easier to swap +nilfs_put_page() calls (and kunmap calls within them) when modifying +multiple directory entries simultaneously in nilfs_rename(). + +Also, update comments for nilfs_set_link() and nilfs_delete_entry() to +reflect changes in their behavior. + +To make nilfs_put_page() visible from namei.c, this moves its definition +to nilfs.h and replaces existing equivalents to use it, but the exposure +of that definition is temporary and will be removed on a later kmap -> +kmap_local conversion. + +Link: https://lkml.kernel.org/r/20231127143036.2425-1-konishi.ryusuke@gmail.com +Link: https://lkml.kernel.org/r/20231127143036.2425-2-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reviewed-by: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Stable-dep-of: ee70999a988b ("nilfs2: handle errors that nilfs_prepare_chunk() may return") +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/dir.c | 11 +---------- + fs/nilfs2/namei.c | 13 +++++++------ + fs/nilfs2/nilfs.h | 6 ++++++ + 3 files changed, 14 insertions(+), 16 deletions(-) + +--- a/fs/nilfs2/dir.c ++++ b/fs/nilfs2/dir.c +@@ -64,12 +64,6 @@ static inline unsigned int nilfs_chunk_s + return inode->i_sb->s_blocksize; + } + +-static inline void nilfs_put_page(struct page *page) +-{ +- kunmap(page); +- put_page(page); +-} +- + /* + * Return the offset into page `page_nr' of the last valid + * byte in that page, plus one. +@@ -450,7 +444,6 @@ int nilfs_inode_by_name(struct inode *di + return 0; + } + +-/* Releases the page */ + void nilfs_set_link(struct inode *dir, struct nilfs_dir_entry *de, + struct page *page, struct inode *inode) + { +@@ -465,7 +458,6 @@ void nilfs_set_link(struct inode *dir, s + de->inode = cpu_to_le64(inode->i_ino); + nilfs_set_de_type(de, inode); + nilfs_commit_chunk(page, mapping, from, to); +- nilfs_put_page(page); + dir->i_mtime = dir->i_ctime = current_time(dir); + } + +@@ -569,7 +561,7 @@ out_unlock: + + /* + * nilfs_delete_entry deletes a directory entry by merging it with the +- * previous entry. Page is up-to-date. Releases the page. ++ * previous entry. Page is up-to-date. + */ + int nilfs_delete_entry(struct nilfs_dir_entry *dir, struct page *page) + { +@@ -605,7 +597,6 @@ int nilfs_delete_entry(struct nilfs_dir_ + nilfs_commit_chunk(page, mapping, from, to); + inode->i_ctime = inode->i_mtime = current_time(inode); + out: +- nilfs_put_page(page); + return err; + } + +--- a/fs/nilfs2/namei.c ++++ b/fs/nilfs2/namei.c +@@ -297,6 +297,7 @@ static int nilfs_do_unlink(struct inode + set_nlink(inode, 1); + } + err = nilfs_delete_entry(de, page); ++ nilfs_put_page(page); + if (err) + goto out; + +@@ -406,6 +407,7 @@ static int nilfs_rename(struct user_name + goto out_dir; + } + nilfs_set_link(new_dir, new_de, new_page, old_inode); ++ nilfs_put_page(new_page); + nilfs_mark_inode_dirty(new_dir); + new_inode->i_ctime = current_time(new_inode); + if (dir_de) +@@ -429,9 +431,11 @@ static int nilfs_rename(struct user_name + old_inode->i_ctime = current_time(old_inode); + + nilfs_delete_entry(old_de, old_page); ++ nilfs_put_page(old_page); + + if (dir_de) { + nilfs_set_link(old_inode, dir_de, dir_page, new_dir); ++ nilfs_put_page(dir_page); + drop_nlink(old_dir); + } + nilfs_mark_inode_dirty(old_dir); +@@ -441,13 +445,10 @@ static int nilfs_rename(struct user_name + return err; + + out_dir: +- if (dir_de) { +- kunmap(dir_page); +- put_page(dir_page); +- } ++ if (dir_de) ++ nilfs_put_page(dir_page); + out_old: +- kunmap(old_page); +- put_page(old_page); ++ nilfs_put_page(old_page); + out: + nilfs_transaction_abort(old_dir->i_sb); + return err; +--- a/fs/nilfs2/nilfs.h ++++ b/fs/nilfs2/nilfs.h +@@ -243,6 +243,12 @@ extern struct nilfs_dir_entry *nilfs_dot + extern void nilfs_set_link(struct inode *, struct nilfs_dir_entry *, + struct page *, struct inode *); + ++static inline void nilfs_put_page(struct page *page) ++{ ++ kunmap(page); ++ put_page(page); ++} ++ + /* file.c */ + extern int nilfs_sync_file(struct file *, loff_t, loff_t, int); + diff --git a/queue-6.1/scsi-lpfc-fix-a-possible-data-race-in-lpfc_unregister_fcf_rescan.patch b/queue-6.1/scsi-lpfc-fix-a-possible-data-race-in-lpfc_unregister_fcf_rescan.patch new file mode 100644 index 0000000000..d006b675b1 --- /dev/null +++ b/queue-6.1/scsi-lpfc-fix-a-possible-data-race-in-lpfc_unregister_fcf_rescan.patch @@ -0,0 +1,49 @@ +From 0e881c0a4b6146b7e856735226208f48251facd8 Mon Sep 17 00:00:00 2001 +From: Tuo Li +Date: Fri, 30 Jun 2023 10:47:48 +0800 +Subject: scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan() + +From: Tuo Li + +commit 0e881c0a4b6146b7e856735226208f48251facd8 upstream. + +The variable phba->fcf.fcf_flag is often protected by the lock +phba->hbalock() when is accessed. Here is an example in +lpfc_unregister_fcf_rescan(): + + spin_lock_irq(&phba->hbalock); + phba->fcf.fcf_flag |= FCF_INIT_DISC; + spin_unlock_irq(&phba->hbalock); + +However, in the same function, phba->fcf.fcf_flag is assigned with 0 +without holding the lock, and thus can cause a data race: + + phba->fcf.fcf_flag = 0; + +To fix this possible data race, a lock and unlock pair is added when +accessing the variable phba->fcf.fcf_flag. + +Reported-by: BassCheck +Signed-off-by: Tuo Li +Link: https://lore.kernel.org/r/20230630024748.1035993-1-islituo@gmail.com +Reviewed-by: Justin Tee +Reviewed-by: Laurence Oberman +Signed-off-by: Martin K. Petersen +Signed-off-by: Wenshan Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_hbadisc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -6942,7 +6942,9 @@ lpfc_unregister_fcf_rescan(struct lpfc_h + if (rc) + return; + /* Reset HBA FCF states after successful unregister FCF */ ++ spin_lock_irq(&phba->hbalock); + phba->fcf.fcf_flag = 0; ++ spin_unlock_irq(&phba->hbalock); + phba->fcf.current_rec.flag = 0; + + /* diff --git a/queue-6.1/series b/queue-6.1/series index 4de674f841..9180dd3a1a 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -96,3 +96,13 @@ revert-kvm-ppc-e500-mark-struct-page-pfn-accessed-before-dropping-mmu_lock.patch revert-kvm-ppc-e500-mark-struct-page-dirty-in-kvmppc_e500_shadow_map.patch uprobes-fix-race-in-uprobe_free_utask.patch x86-mm-don-t-disable-pcid-when-invlpg-has-been-fixed-by-microcode.patch +spi-mxs-fix-chipselect-glitch.patch +nilfs2-move-page-release-outside-of-nilfs_delete_entry-and-nilfs_set_link.patch +nilfs2-eliminate-staggered-calls-to-kunmap-in-nilfs_rename.patch +nilfs2-handle-errors-that-nilfs_prepare_chunk-may-return.patch +scsi-lpfc-fix-a-possible-data-race-in-lpfc_unregister_fcf_rescan.patch +media-mediatek-vcodec-handle-invalid-decoder-vsi.patch +fs-ntfs3-add-rough-attr-alloc_size-check.patch +bpf-vsock-invoke-proto-close-on-close.patch +vsock-keep-the-binding-until-socket-destruction.patch +vsock-orphan-socket-after-transport-release.patch diff --git a/queue-6.1/spi-mxs-fix-chipselect-glitch.patch b/queue-6.1/spi-mxs-fix-chipselect-glitch.patch new file mode 100644 index 0000000000..4cad1c4d56 --- /dev/null +++ b/queue-6.1/spi-mxs-fix-chipselect-glitch.patch @@ -0,0 +1,44 @@ +From 269e31aecdd0b70f53a05def79480f15cbcc0fd6 Mon Sep 17 00:00:00 2001 +From: Ralf Schlatterbeck +Date: Fri, 2 Feb 2024 12:53:30 +0100 +Subject: spi-mxs: Fix chipselect glitch + +From: Ralf Schlatterbeck + +commit 269e31aecdd0b70f53a05def79480f15cbcc0fd6 upstream. + +There was a change in the mxs-dma engine that uses a new custom flag. +The change was not applied to the mxs spi driver. +This results in chipselect being deasserted too early. +This fixes the chipselect problem by using the new flag in the mxs-spi +driver. + +Fixes: ceeeb99cd821 ("dmaengine: mxs: rename custom flag") +Signed-off-by: Ralf Schlatterbeck +Link: https://msgid.link/r/20240202115330.wxkbfmvd76sy3a6a@runtux.com +Signed-off-by: Mark Brown +Cc: Stefan Wahren +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-mxs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-mxs.c ++++ b/drivers/spi/spi-mxs.c +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + + #define DRIVER_NAME "mxs-spi" + +@@ -252,7 +253,7 @@ static int mxs_spi_txrx_dma(struct mxs_s + desc = dmaengine_prep_slave_sg(ssp->dmach, + &dma_xfer[sg_count].sg, 1, + (flags & TXRX_WRITE) ? DMA_MEM_TO_DEV : DMA_DEV_TO_MEM, +- DMA_PREP_INTERRUPT | DMA_CTRL_ACK); ++ DMA_PREP_INTERRUPT | MXS_DMA_CTRL_WAIT4END); + + if (!desc) { + dev_err(ssp->dev, diff --git a/queue-6.1/vsock-keep-the-binding-until-socket-destruction.patch b/queue-6.1/vsock-keep-the-binding-until-socket-destruction.patch new file mode 100644 index 0000000000..173c9b5d9f --- /dev/null +++ b/queue-6.1/vsock-keep-the-binding-until-socket-destruction.patch @@ -0,0 +1,132 @@ +From fcdd2242c0231032fc84e1404315c245ae56322a Mon Sep 17 00:00:00 2001 +From: Michal Luczaj +Date: Tue, 28 Jan 2025 14:15:27 +0100 +Subject: vsock: Keep the binding until socket destruction + +From: Michal Luczaj + +commit fcdd2242c0231032fc84e1404315c245ae56322a upstream. + +Preserve sockets bindings; this includes both resulting from an explicit +bind() and those implicitly bound through autobind during connect(). + +Prevents socket unbinding during a transport reassignment, which fixes a +use-after-free: + + 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) + 2. transport->release() calls vsock_remove_bound() without checking if + sk was bound and moved to bound list (refcnt=1) + 3. vsock_bind() assumes sk is in unbound list and before + __vsock_insert_bound(vsock_bound_sockets()) calls + __vsock_remove_bound() which does: + list_del_init(&vsk->bound_table); // nop + sock_put(&vsk->sk); // refcnt=0 + +BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 +Read of size 4 at addr ffff88816b46a74c by task a.out/2057 + dump_stack_lvl+0x68/0x90 + print_report+0x174/0x4f6 + kasan_report+0xb9/0x190 + __vsock_bind+0x62e/0x730 + vsock_bind+0x97/0xe0 + __sys_bind+0x154/0x1f0 + __x64_sys_bind+0x6e/0xb0 + do_syscall_64+0x93/0x1b0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Allocated by task 2057: + kasan_save_stack+0x1e/0x40 + kasan_save_track+0x10/0x30 + __kasan_slab_alloc+0x85/0x90 + kmem_cache_alloc_noprof+0x131/0x450 + sk_prot_alloc+0x5b/0x220 + sk_alloc+0x2c/0x870 + __vsock_create.constprop.0+0x2e/0xb60 + vsock_create+0xe4/0x420 + __sock_create+0x241/0x650 + __sys_socket+0xf2/0x1a0 + __x64_sys_socket+0x6e/0xb0 + do_syscall_64+0x93/0x1b0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Freed by task 2057: + kasan_save_stack+0x1e/0x40 + kasan_save_track+0x10/0x30 + kasan_save_free_info+0x37/0x60 + __kasan_slab_free+0x4b/0x70 + kmem_cache_free+0x1a1/0x590 + __sk_destruct+0x388/0x5a0 + __vsock_bind+0x5e1/0x730 + vsock_bind+0x97/0xe0 + __sys_bind+0x154/0x1f0 + __x64_sys_bind+0x6e/0xb0 + do_syscall_64+0x93/0x1b0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +refcount_t: addition on 0; use-after-free. +WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 +RIP: 0010:refcount_warn_saturate+0xce/0x150 + __vsock_bind+0x66d/0x730 + vsock_bind+0x97/0xe0 + __sys_bind+0x154/0x1f0 + __x64_sys_bind+0x6e/0xb0 + do_syscall_64+0x93/0x1b0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +refcount_t: underflow; use-after-free. +WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 +RIP: 0010:refcount_warn_saturate+0xee/0x150 + vsock_remove_bound+0x187/0x1e0 + __vsock_release+0x383/0x4a0 + vsock_release+0x90/0x120 + __sock_release+0xa3/0x250 + sock_close+0x14/0x20 + __fput+0x359/0xa80 + task_work_run+0x107/0x1d0 + do_exit+0x847/0x2560 + do_group_exit+0xb8/0x250 + __x64_sys_exit_group+0x3a/0x50 + x64_sys_call+0xfec/0x14f0 + do_syscall_64+0x93/0x1b0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") +Reviewed-by: Stefano Garzarella +Signed-off-by: Michal Luczaj +Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-1-1cf57065b770@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Luigi Leonardi +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -333,7 +333,10 @@ EXPORT_SYMBOL_GPL(vsock_find_connected_s + + void vsock_remove_sock(struct vsock_sock *vsk) + { +- vsock_remove_bound(vsk); ++ /* Transport reassignment must not remove the binding. */ ++ if (sock_flag(sk_vsock(vsk), SOCK_DEAD)) ++ vsock_remove_bound(vsk); ++ + vsock_remove_connected(vsk); + } + EXPORT_SYMBOL_GPL(vsock_remove_sock); +@@ -818,12 +821,13 @@ static void __vsock_release(struct sock + */ + lock_sock_nested(sk, level); + ++ sock_orphan(sk); ++ + if (vsk->transport) + vsk->transport->release(vsk); + else if (sock_type_connectible(sk->sk_type)) + vsock_remove_sock(vsk); + +- sock_orphan(sk); + sk->sk_shutdown = SHUTDOWN_MASK; + + skb_queue_purge(&sk->sk_receive_queue); diff --git a/queue-6.1/vsock-orphan-socket-after-transport-release.patch b/queue-6.1/vsock-orphan-socket-after-transport-release.patch new file mode 100644 index 0000000000..951b3ec421 --- /dev/null +++ b/queue-6.1/vsock-orphan-socket-after-transport-release.patch @@ -0,0 +1,68 @@ +From 78dafe1cf3afa02ed71084b350713b07e72a18fb Mon Sep 17 00:00:00 2001 +From: Michal Luczaj +Date: Mon, 10 Feb 2025 13:15:00 +0100 +Subject: vsock: Orphan socket after transport release + +From: Michal Luczaj + +commit 78dafe1cf3afa02ed71084b350713b07e72a18fb upstream. + +During socket release, sock_orphan() is called without considering that it +sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a +null pointer dereferenced in virtio_transport_wait_close(). + +Orphan the socket only after transport release. + +Partially reverts the 'Fixes:' commit. + +KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] + lock_acquire+0x19e/0x500 + _raw_spin_lock_irqsave+0x47/0x70 + add_wait_queue+0x46/0x230 + virtio_transport_release+0x4e7/0x7f0 + __vsock_release+0xfd/0x490 + vsock_release+0x90/0x120 + __sock_release+0xa3/0x250 + sock_close+0x14/0x20 + __fput+0x35e/0xa90 + __x64_sys_close+0x78/0xd0 + do_syscall_64+0x93/0x1b0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Reported-by: syzbot+9d55b199192a4be7d02c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=9d55b199192a4be7d02c +Fixes: fcdd2242c023 ("vsock: Keep the binding until socket destruction") +Tested-by: Luigi Leonardi +Reviewed-by: Luigi Leonardi +Signed-off-by: Michal Luczaj +Link: https://patch.msgid.link/20250210-vsock-linger-nullderef-v3-1-ef6244d02b54@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Luigi Leonardi +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -821,13 +821,19 @@ static void __vsock_release(struct sock + */ + lock_sock_nested(sk, level); + +- sock_orphan(sk); ++ /* Indicate to vsock_remove_sock() that the socket is being released and ++ * can be removed from the bound_table. Unlike transport reassignment ++ * case, where the socket must remain bound despite vsock_remove_sock() ++ * being called from the transport release() callback. ++ */ ++ sock_set_flag(sk, SOCK_DEAD); + + if (vsk->transport) + vsk->transport->release(vsk); + else if (sock_type_connectible(sk->sk_type)) + vsock_remove_sock(vsk); + ++ sock_orphan(sk); + sk->sk_shutdown = SHUTDOWN_MASK; + + skb_queue_purge(&sk->sk_receive_queue);