From: Greg Kroah-Hartman Date: Fri, 21 Jul 2023 05:40:33 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.15.121~73 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=92b0aa488e1f636594605c9dab9abcf732226731;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: erofs-fix-compact-4b-support-for-16k-block-size.patch misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
---
diff --git a/queue-5.4/erofs-fix-compact-4b-support-for-16k-block-size.patch b/queue-5.4/erofs-fix-compact-4b-support-for-16k-block-size.patch
new file mode 100644
index 00000000000..8782d8e163d
--- /dev/null
+++ b/queue-5.4/erofs-fix-compact-4b-support-for-16k-block-size.patch
@@ -0,0 +1,66 @@
+From 001b8ccd0650727e54ec16ef72bf1b8eeab7168e Mon Sep 17 00:00:00 2001
+From: Gao Xiang
+Date: Thu, 1 Jun 2023 19:23:41 +0800
+Subject: erofs: fix compact 4B support for 16k block size
+
+From: Gao Xiang
+
+commit 001b8ccd0650727e54ec16ef72bf1b8eeab7168e upstream.
+
+In compact 4B, two adjacent lclusters are packed together as a unit to
+form on-disk indexes for effective random access, as below:
+
+(amortized = 4, vcnt = 2)
+ _____________________________________________
+ |___@_____ encoded bits __________|_ blkaddr _|
+ 0 . amortized * vcnt = 8
+ . .
+ . . amortized * vcnt - 4 = 4
+ . .
+ .____________________________.
+ |_type (2 bits)_|_clusterofs_|
+
+Therefore, encoded bits for each pack are 32 bits (4 bytes). IOWs,
+since each lcluster can get 16 bits for its type and clusterofs, the
+maximum supported lclustersize for compact 4B format is 16k (14 bits).
+
+Fix this to enable compact 4B format for 16k lclusters (blocks), which
+is tested on an arm64 server with 16k page size.
+
+Fixes: 152a333a5895 ("staging: erofs: add compacted compression indexes support")
+Signed-off-by: Gao Xiang
+Link: https://lore.kernel.org/r/20230601112341.56960-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/erofs/zmap.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/fs/erofs/zmap.c
++++ b/fs/erofs/zmap.c
+@@ -215,7 +215,7 @@ static int unpack_compacted_index(struct
+ int i;
+ u8 *in, type;
+
+- if (1 << amortizedshift == 4)
++ if (1 << amortizedshift == 4 && lclusterbits <= 14)
+ vcnt = 2;
+ else if (1 << amortizedshift == 2 && lclusterbits == 12)
+ vcnt = 16;
+@@ -273,7 +273,6 @@ static int compacted_load_cluster_from_d
+ {
+ struct inode *const inode = m->inode;
+ struct erofs_inode *const vi = EROFS_I(inode);
+- const unsigned int lclusterbits = vi->z_logical_clusterbits;
+ const erofs_off_t ebase = ALIGN(iloc(EROFS_I_SB(inode), vi->nid) +
+ vi->inode_isize + vi->xattr_isize, 8) +
+ sizeof(struct z_erofs_map_header);
+@@ -283,9 +282,6 @@ static int compacted_load_cluster_from_d
+ erofs_off_t pos;
+ int err;
+
+- if (lclusterbits != 12)
+- return -EOPNOTSUPP;
+-
+ if (lcn >= totalidx)
+ return -EINVAL;
+
diff --git a/queue-5.4/misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch b/queue-5.4/misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch
new file mode 100644
index 00000000000..d881dc9bd0c
--- /dev/null
+++ b/queue-5.4/misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch
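Review bot: In the fs/erofs/zmap.c patch, the early `if (lclusterbits != 12) return -EOPNOTSUPP;` is dropped from compacted_load_cluster_from_disk(), so a z_logical_clusterbits value read from the inode (set outside these hunks, presumably from the on-disk map header) now reaches unpack_compacted_index() unfiltered. The only remaining gate is the vcnt selection chain, and its final branch lies outside the hunk; it is worth confirming in the 5.4 tree that the chain still ends in a rejecting `else` and that nothing between the two functions assumes 4k lclusters. The bound 14 is also unexplained at its point of use; a comment such as `/* compact 4B: 16 bits per lcluster, 2 of them for type, so clusterofs is at most 14 bits */` above the first test would tie it to the format described in the commit message. Both function bodies continue outside the hunks.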
@@ -0,0 +1,37 @@
+From 0b4e32df3e09406b835d8230b9331273f2805058 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta
+Date: Wed, 14 Jun 2023 17:24:45 +0530
+Subject: misc: fastrpc: Create fastrpc scalar with correct buffer count
+
+From: Ekansh Gupta
+
+commit 0b4e32df3e09406b835d8230b9331273f2805058 upstream.
+
+A process can spawn a PD on DSP with some attributes that can be
+associated with the PD during spawn and run. The invocation
+corresponding to the create request with attributes has total
+4 buffers at the DSP side implementation. If this number is not
+correct, the invocation is expected to fail on DSP. Added change
+to use correct number of buffer count for creating fastrpc scalar.
+
+Fixes: d73f71c7c6ee ("misc: fastrpc: Add support for create remote init process")
+Cc: stable
+Tested-by: Ekansh Gupta
+Signed-off-by: Ekansh Gupta
+Message-ID: <1686743685-21715-1-git-send-email-quic_ekangupt@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1074,7 +1074,7 @@ static int fastrpc_init_create_process(s
+
+ sc = FASTRPC_SCALARS(FASTRPC_RMID_INIT_CREATE, 4, 0);
+ if (init.attrs)
+- sc = FASTRPC_SCALARS(FASTRPC_RMID_INIT_CREATE_ATTR, 6, 0);
++ sc = FASTRPC_SCALARS(FASTRPC_RMID_INIT_CREATE_ATTR, 4, 0);
+
+ err = fastrpc_internal_invoke(fl, true, FASTRPC_INIT_HANDLE,
+ sc, args);
diff --git a/queue-5.4/powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch b/queue-5.4/powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch
new file mode 100644
index 00000000000..8451a134647
--- /dev/null
+++ b/queue-5.4/powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch
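Review bot: In the drivers/misc/fastrpc.c patch, the buffer count passed to `FASTRPC_SCALARS()` in fastrpc_init_create_process() is a bare literal that now appears twice, and nothing on these lines ties it to the number of `args` entries the function fills in beforehand (that code is outside the hunk). The commit message says the DSP fails the invocation when this count is wrong, so a named constant or a comment such as `/* both create variants pass 4 buffers; the DSP rejects any other count */` would keep the count and the populated entries from drifting apart again. With the counts equal, the two assignments differ only in the method id, so `sc = FASTRPC_SCALARS(init.attrs ? FASTRPC_RMID_INIT_CREATE_ATTR : FASTRPC_RMID_INIT_CREATE, 4, 0);` states the same thing once.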
@@ -0,0 +1,49 @@
+From 25ea739ea1d4d3de41acc4f4eb2d1a97eee0eb75 Mon Sep 17 00:00:00 2001
+From: Naveen N Rao
+Date: Tue, 30 May 2023 11:44:36 +0530
+Subject: powerpc: Fail build if using recordmcount with binutils v2.37
+
+From: Naveen N Rao
+
+commit 25ea739ea1d4d3de41acc4f4eb2d1a97eee0eb75 upstream.
+
+binutils v2.37 drops unused section symbols, which prevents recordmcount
+from capturing mcount locations in sections that have no non-weak
+symbols. This results in a build failure with a message such as:
+ Cannot find symbol for section 12: .text.perf_callchain_kernel.
+ kernel/events/callchain.o: failed
+
+The change to binutils was reverted for v2.38, so this behavior is
+specific to binutils v2.37:
+https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c09c8b42021180eee9495bd50d8b35e683d3901b
+
+Objtool is able to cope with such sections, so this issue is specific to
+recordmcount.
+
+Fail the build and print a warning if binutils v2.37 is detected and if
+we are using recordmcount.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Joel Stanley
+Signed-off-by: Naveen N Rao
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230530061436.56925-1-naveen@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/Makefile | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/powerpc/Makefile
++++ b/arch/powerpc/Makefile
+@@ -425,3 +425,11 @@ checkbin:
+ echo -n '*** Please use a different binutils version.' ; \
+ false ; \
+ fi
++ @if test "x${CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT}" = "xy" -a \
++ "x${CONFIG_LD_IS_BFD}" = "xy" -a \
++ "${CONFIG_LD_VERSION}" = "23700" ; then \
++ echo -n '*** binutils 2.37 drops unused section symbols, which recordmcount ' ; \
++ echo 'is unable to handle.' ; \
++ echo '*** Please use a different binutils version.' ; \
++ false ; \
++ fi
diff --git a/queue-5.4/series b/queue-5.4/series
index 0a7f7236a95..665ae6296ce 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
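Review bot: The test added to checkbin in arch/powerpc/Makefile fails open: if `CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT`, `CONFIG_LD_IS_BFD` or `CONFIG_LD_VERSION` is not defined in the tree it is applied to, each comparison is simply false and the build proceeds with no warning. The patch is queued for 5.4 but was written against a newer kernel, and nothing visible here shows that 5.4 provides all three symbols or encodes the linker version as the five-digit `23700`; that should be confirmed before relying on the guard. A comment above the test, for example `# 23700 is binutils 2.37 as encoded in CONFIG_LD_VERSION; the test never fires where that symbol is absent`, would make the dependency explicit.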
@@ -232,3 +232,7 @@ pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch
 tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch
 mtd-rawnand-meson-fix-unaligned-dma-buffers-handling.patch
 net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch
+powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch
+misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch
+sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
+erofs-fix-compact-4b-support-for-16k-block-size.patch
diff --git a/queue-5.4/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch b/queue-5.4/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
new file mode 100644
index 00000000000..d3742a7e467
--- /dev/null
+++ b/queue-5.4/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
@@ -0,0 +1,142 @@
+From fc80fc2d4e39137869da3150ee169b40bf879287 Mon Sep 17 00:00:00 2001
+From: Ding Hui
+Date: Mon, 15 May 2023 10:13:07 +0800
+Subject: SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
+
+From: Ding Hui
+
+commit fc80fc2d4e39137869da3150ee169b40bf879287 upstream.
+
+After the listener svc_sock is freed, and before invoking svc_tcp_accept()
+for the established child sock, there is a window that the newsock
+retaining a freed listener svc_sock in sk_user_data which cloning from
+parent. In the race window, if data is received on the newsock, we will
+observe use-after-free report in svc_tcp_listen_data_ready().
+
+Reproduce by two tasks:
+
+1. while :; do rpc.nfsd 0 ; rpc.nfsd; done
+2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done
+
+KASAN report:
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
+ Read of size 8 at addr ffff888139d96228 by task nc/102553
+ CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18
+ Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
+ Call Trace:
+
+ dump_stack_lvl+0x33/0x50
+ print_address_description.constprop.0+0x27/0x310
+ print_report+0x3e/0x70
+ kasan_report+0xae/0xe0
+ svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
+ tcp_data_queue+0x9f4/0x20e0
+ tcp_rcv_established+0x666/0x1f60
+ tcp_v4_do_rcv+0x51c/0x850
+ tcp_v4_rcv+0x23fc/0x2e80
+ ip_protocol_deliver_rcu+0x62/0x300
+ ip_local_deliver_finish+0x267/0x350
+ ip_local_deliver+0x18b/0x2d0
+ ip_rcv+0x2fb/0x370
+ __netif_receive_skb_one_core+0x166/0x1b0
+ process_backlog+0x24c/0x5e0
+ __napi_poll+0xa2/0x500
+ net_rx_action+0x854/0xc90
+ __do_softirq+0x1bb/0x5de
+ do_softirq+0xcb/0x100
+
+
+ ...
+
+
+ Allocated by task 102371:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ __kasan_kmalloc+0x7b/0x90
+ svc_setup_socket+0x52/0x4f0 [sunrpc]
+ svc_addsock+0x20d/0x400 [sunrpc]
+ __write_ports_addfd+0x209/0x390 [nfsd]
+ write_ports+0x239/0x2c0 [nfsd]
+ nfsctl_transaction_write+0xac/0x110 [nfsd]
+ vfs_write+0x1c3/0xae0
+ ksys_write+0xed/0x1c0
+ do_syscall_64+0x38/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+ Freed by task 102551:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ kasan_save_free_info+0x2a/0x50
+ __kasan_slab_free+0x106/0x190
+ __kmem_cache_free+0x133/0x270
+ svc_xprt_free+0x1e2/0x350 [sunrpc]
+ svc_xprt_destroy_all+0x25a/0x440 [sunrpc]
+ nfsd_put+0x125/0x240 [nfsd]
+ nfsd_svc+0x2cb/0x3c0 [nfsd]
+ write_threads+0x1ac/0x2a0 [nfsd]
+ nfsctl_transaction_write+0xac/0x110 [nfsd]
+ vfs_write+0x1c3/0xae0
+ ksys_write+0xed/0x1c0
+ do_syscall_64+0x38/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready()
+if state != TCP_LISTEN, that will avoid dereferencing svsk for all
+child socket.
+
+Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/
+Fixes: fa9251afc33c ("SUNRPC: Call the default socket callbacks instead of open coding")
+Signed-off-by: Ding Hui
+Cc:
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/svcsock.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -728,12 +728,6 @@ static void svc_tcp_listen_data_ready(st
+ dprintk("svc: socket %p TCP (listen) state change %d\n",
+ sk, sk->sk_state);
+
+- if (svsk) {
+- /* Refer to svc_setup_socket() for details. */
+- rmb();
+- svsk->sk_odata(sk);
+- }
+-
+ /*
+ * This callback may called twice when a new connection
+ * is established as a child socket inherits everything
+@@ -742,15 +736,20 @@ static void svc_tcp_listen_data_ready(st
+ * when one of child sockets become ESTABLISHED.
+ * 2) data_ready method of the child socket may be called
+ * when it receives data before the socket is accepted.
+- * In case of 2, we should ignore it silently.
++ * In case of 2, we should ignore it silently and DO NOT
++ * dereference svsk.
+ */
+- if (sk->sk_state == TCP_LISTEN) {
+- if (svsk) {
+- set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags);
+- svc_xprt_enqueue(&svsk->sk_xprt);
+- } else
+- printk("svc: socket %p: no user data\n", sk);
+- }
++ if (sk->sk_state != TCP_LISTEN)
++ return;
++
++ if (svsk) {
++ /* Refer to svc_setup_socket() for details. */
++ rmb();
++ svsk->sk_odata(sk);
++ set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags);
++ svc_xprt_enqueue(&svsk->sk_xprt);
++ } else
++ printk("svc: socket %p: no user data\n", sk);
+ }
+
+ /*
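Review bot: The new early return in svc_tcp_listen_data_ready() covers only the child-socket case; when `sk->sk_state == TCP_LISTEN` the function still dereferences `svsk`, which is loaded before the first hunk begins, so the listener path continues to depend on teardown detaching this callback before the svc_sock is freed. That ordering is not visible here and is worth checking in the 5.4 tree, since the KASAN report in the commit message shows the free coming from svc_xprt_destroy_all() while softirq delivery is in flight. Separately, the retained `} else printk(...)` pairs a braced arm with an unbraced one and logs without a level; `} else {` / `pr_warn("svc: socket %p: no user data\n", sk);` / `}` would address both. The function starts above the first hunk.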