4.19-stable patches

added patches:
	cred-switch-to-using-atomic_long_t.patch
	revert-pci-acpiphp-reassign-resources-on-bridge-if-necessary.patch

diff --git a/queue-4.19/appletalk-fix-use-after-free-in-atalk_ioctl.patch b/queue-4.19/appletalk-fix-use-after-free-in-atalk_ioctl.patch
index 80061412717609e096bed29caa32e2a98cf73d11..6448937df9a0ba32c8a4e825504630bdc5b822a4 100644 (file)
--- a/queue-4.19/appletalk-fix-use-after-free-in-atalk_ioctl.patch
+++ b/queue-4.19/appletalk-fix-use-after-free-in-atalk_ioctl.patch
@@ -23,14 +23,12 @@ Link: https://lore.kernel.org/r/20231213041056.GA519680@v4bel-B760M-AORUS-ELITE-
 Signed-off-by: Paolo Abeni <pabeni@redhat.com>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- net/appletalk/ddp.c | 9 ++++-----
+ net/appletalk/ddp.c |    9 ++++-----
  1 file changed, 4 insertions(+), 5 deletions(-)
 
-diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
-index 20ec8e7f94236..c4f1bfe6e0402 100644
 --- a/net/appletalk/ddp.c
 +++ b/net/appletalk/ddp.c
-@@ -1808,15 +1808,14 @@ static int atalk_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+@@ -1808,15 +1808,14 @@ static int atalk_ioctl(struct socket *so
                break;
        }
        case TIOCINQ: {
@@ -50,6 +48,3 @@ index 20ec8e7f94236..c4f1bfe6e0402 100644
                rc = put_user(amount, (int __user *)argp);
                break;
        }
--- 
-2.43.0
-

diff --git a/queue-4.19/cred-switch-to-using-atomic_long_t.patch b/queue-4.19/cred-switch-to-using-atomic_long_t.patch
new file mode 100644 (file)
index 0000000..bdf0845
--- /dev/null
+++ b/queue-4.19/cred-switch-to-using-atomic_long_t.patch
@@ -0,0 +1,246 @@
+From f8fa5d76925991976b3e7076f9d1052515ec1fca Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Fri, 15 Dec 2023 13:24:10 -0700
+Subject: cred: switch to using atomic_long_t
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit f8fa5d76925991976b3e7076f9d1052515ec1fca upstream.
+
+There are multiple ways to grab references to credentials, and the only
+protection we have against overflowing it is the memory required to do
+so.
+
+With memory sizes only moving in one direction, let's bump the reference
+count to 64-bit and move it outside the realm of feasibly overflowing.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/cred.h |    8 +++---
+ kernel/cred.c        |   64 +++++++++++++++++++++++++--------------------------
+ 2 files changed, 36 insertions(+), 36 deletions(-)
+
+--- a/include/linux/cred.h
++++ b/include/linux/cred.h
+@@ -108,7 +108,7 @@ static inline int groups_search(const st
+  * same context as task->real_cred.
+  */
+ struct cred {
+-      atomic_t        usage;
++      atomic_long_t   usage;
+ #ifdef CONFIG_DEBUG_CREDENTIALS
+       atomic_t        subscribers;    /* number of processes subscribed */
+       void            *put_addr;
+@@ -228,7 +228,7 @@ static inline bool cap_ambient_invariant
+  */
+ static inline struct cred *get_new_cred(struct cred *cred)
+ {
+-      atomic_inc(&cred->usage);
++      atomic_long_inc(&cred->usage);
+       return cred;
+ }
+ 
+@@ -260,7 +260,7 @@ static inline const struct cred *get_cre
+       struct cred *nonconst_cred = (struct cred *) cred;
+       if (!cred)
+               return NULL;
+-      if (!atomic_inc_not_zero(&nonconst_cred->usage))
++      if (!atomic_long_inc_not_zero(&nonconst_cred->usage))
+               return NULL;
+       validate_creds(cred);
+       nonconst_cred->non_rcu = 0;
+@@ -284,7 +284,7 @@ static inline void put_cred(const struct
+ 
+       if (cred) {
+               validate_creds(cred);
+-              if (atomic_dec_and_test(&(cred)->usage))
++              if (atomic_long_dec_and_test(&(cred)->usage))
+                       __put_cred(cred);
+       }
+ }
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -99,17 +99,17 @@ static void put_cred_rcu(struct rcu_head
+ 
+ #ifdef CONFIG_DEBUG_CREDENTIALS
+       if (cred->magic != CRED_MAGIC_DEAD ||
+-          atomic_read(&cred->usage) != 0 ||
++          atomic_long_read(&cred->usage) != 0 ||
+           read_cred_subscribers(cred) != 0)
+               panic("CRED: put_cred_rcu() sees %p with"
+-                    " mag %x, put %p, usage %d, subscr %d\n",
++                    " mag %x, put %p, usage %ld, subscr %d\n",
+                     cred, cred->magic, cred->put_addr,
+-                    atomic_read(&cred->usage),
++                    atomic_long_read(&cred->usage),
+                     read_cred_subscribers(cred));
+ #else
+-      if (atomic_read(&cred->usage) != 0)
+-              panic("CRED: put_cred_rcu() sees %p with usage %d\n",
+-                    cred, atomic_read(&cred->usage));
++      if (atomic_long_read(&cred->usage) != 0)
++              panic("CRED: put_cred_rcu() sees %p with usage %ld\n",
++                    cred, atomic_long_read(&cred->usage));
+ #endif
+ 
+       security_cred_free(cred);
+@@ -134,11 +134,11 @@ static void put_cred_rcu(struct rcu_head
+  */
+ void __put_cred(struct cred *cred)
+ {
+-      kdebug("__put_cred(%p{%d,%d})", cred,
+-             atomic_read(&cred->usage),
++      kdebug("__put_cred(%p{%ld,%d})", cred,
++             atomic_long_read(&cred->usage),
+              read_cred_subscribers(cred));
+ 
+-      BUG_ON(atomic_read(&cred->usage) != 0);
++      BUG_ON(atomic_long_read(&cred->usage) != 0);
+ #ifdef CONFIG_DEBUG_CREDENTIALS
+       BUG_ON(read_cred_subscribers(cred) != 0);
+       cred->magic = CRED_MAGIC_DEAD;
+@@ -161,8 +161,8 @@ void exit_creds(struct task_struct *tsk)
+ {
+       struct cred *cred;
+ 
+-      kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
+-             atomic_read(&tsk->cred->usage),
++      kdebug("exit_creds(%u,%p,%p,{%ld,%d})", tsk->pid, tsk->real_cred, tsk->cred,
++             atomic_long_read(&tsk->cred->usage),
+              read_cred_subscribers(tsk->cred));
+ 
+       cred = (struct cred *) tsk->real_cred;
+@@ -221,7 +221,7 @@ struct cred *cred_alloc_blank(void)
+       if (!new)
+               return NULL;
+ 
+-      atomic_set(&new->usage, 1);
++      atomic_long_set(&new->usage, 1);
+ #ifdef CONFIG_DEBUG_CREDENTIALS
+       new->magic = CRED_MAGIC;
+ #endif
+@@ -267,7 +267,7 @@ struct cred *prepare_creds(void)
+       memcpy(new, old, sizeof(struct cred));
+ 
+       new->non_rcu = 0;
+-      atomic_set(&new->usage, 1);
++      atomic_long_set(&new->usage, 1);
+       set_cred_subscribers(new, 0);
+       get_group_info(new->group_info);
+       get_uid(new->user);
+@@ -355,8 +355,8 @@ int copy_creds(struct task_struct *p, un
+               p->real_cred = get_cred(p->cred);
+               get_cred(p->cred);
+               alter_cred_subscribers(p->cred, 2);
+-              kdebug("share_creds(%p{%d,%d})",
+-                     p->cred, atomic_read(&p->cred->usage),
++              kdebug("share_creds(%p{%ld,%d})",
++                     p->cred, atomic_long_read(&p->cred->usage),
+                      read_cred_subscribers(p->cred));
+               inc_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
+               return 0;
+@@ -449,8 +449,8 @@ int commit_creds(struct cred *new)
+       struct task_struct *task = current;
+       const struct cred *old = task->real_cred;
+ 
+-      kdebug("commit_creds(%p{%d,%d})", new,
+-             atomic_read(&new->usage),
++      kdebug("commit_creds(%p{%ld,%d})", new,
++             atomic_long_read(&new->usage),
+              read_cred_subscribers(new));
+ 
+       BUG_ON(task->cred != old);
+@@ -459,7 +459,7 @@ int commit_creds(struct cred *new)
+       validate_creds(old);
+       validate_creds(new);
+ #endif
+-      BUG_ON(atomic_read(&new->usage) < 1);
++      BUG_ON(atomic_long_read(&new->usage) < 1);
+ 
+       get_cred(new); /* we will require a ref for the subj creds too */
+ 
+@@ -532,14 +532,14 @@ EXPORT_SYMBOL(commit_creds);
+  */
+ void abort_creds(struct cred *new)
+ {
+-      kdebug("abort_creds(%p{%d,%d})", new,
+-             atomic_read(&new->usage),
++      kdebug("abort_creds(%p{%ld,%d})", new,
++             atomic_long_read(&new->usage),
+              read_cred_subscribers(new));
+ 
+ #ifdef CONFIG_DEBUG_CREDENTIALS
+       BUG_ON(read_cred_subscribers(new) != 0);
+ #endif
+-      BUG_ON(atomic_read(&new->usage) < 1);
++      BUG_ON(atomic_long_read(&new->usage) < 1);
+       put_cred(new);
+ }
+ EXPORT_SYMBOL(abort_creds);
+@@ -555,8 +555,8 @@ const struct cred *override_creds(const
+ {
+       const struct cred *old = current->cred;
+ 
+-      kdebug("override_creds(%p{%d,%d})", new,
+-             atomic_read(&new->usage),
++      kdebug("override_creds(%p{%ld,%d})", new,
++             atomic_long_read(&new->usage),
+              read_cred_subscribers(new));
+ 
+       validate_creds(old);
+@@ -578,8 +578,8 @@ const struct cred *override_creds(const
+       rcu_assign_pointer(current->cred, new);
+       alter_cred_subscribers(old, -1);
+ 
+-      kdebug("override_creds() = %p{%d,%d}", old,
+-             atomic_read(&old->usage),
++      kdebug("override_creds() = %p{%ld,%d}", old,
++             atomic_long_read(&old->usage),
+              read_cred_subscribers(old));
+       return old;
+ }
+@@ -596,8 +596,8 @@ void revert_creds(const struct cred *old
+ {
+       const struct cred *override = current->cred;
+ 
+-      kdebug("revert_creds(%p{%d,%d})", old,
+-             atomic_read(&old->usage),
++      kdebug("revert_creds(%p{%ld,%d})", old,
++             atomic_long_read(&old->usage),
+              read_cred_subscribers(old));
+ 
+       validate_creds(old);
+@@ -729,7 +729,7 @@ struct cred *prepare_kernel_cred(struct
+ 
+       *new = *old;
+       new->non_rcu = 0;
+-      atomic_set(&new->usage, 1);
++      atomic_long_set(&new->usage, 1);
+       set_cred_subscribers(new, 0);
+       get_uid(new->user);
+       get_user_ns(new->user_ns);
+@@ -843,8 +843,8 @@ static void dump_invalid_creds(const str
+              cred == tsk->cred ? "[eff]" : "");
+       printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
+              cred->magic, cred->put_addr);
+-      printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
+-             atomic_read(&cred->usage),
++      printk(KERN_ERR "CRED: ->usage=%ld, subscr=%d\n",
++             atomic_long_read(&cred->usage),
+              read_cred_subscribers(cred));
+       printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
+               from_kuid_munged(&init_user_ns, cred->uid),
+@@ -916,9 +916,9 @@ EXPORT_SYMBOL(__validate_process_creds);
+  */
+ void validate_creds_for_do_exit(struct task_struct *tsk)
+ {
+-      kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
++      kdebug("validate_creds_for_do_exit(%p,%p{%ld,%d})",
+              tsk->real_cred, tsk->cred,
+-             atomic_read(&tsk->cred->usage),
++             atomic_long_read(&tsk->cred->usage),
+              read_cred_subscribers(tsk->cred));
+ 
+       __validate_process_creds(tsk, __FILE__, __LINE__);

diff --git a/queue-4.19/revert-pci-acpiphp-reassign-resources-on-bridge-if-necessary.patch b/queue-4.19/revert-pci-acpiphp-reassign-resources-on-bridge-if-necessary.patch
new file mode 100644 (file)
index 0000000..f8c6212
--- /dev/null
+++ b/queue-4.19/revert-pci-acpiphp-reassign-resources-on-bridge-if-necessary.patch
@@ -0,0 +1,77 @@
+From 5df12742b7e3aae2594a30a9d14d5d6e9e7699f4 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Thu, 14 Dec 2023 09:08:56 -0600
+Subject: Revert "PCI: acpiphp: Reassign resources on bridge if necessary"
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit 5df12742b7e3aae2594a30a9d14d5d6e9e7699f4 upstream.
+
+This reverts commit 40613da52b13fb21c5566f10b287e0ca8c12c4e9 and the
+subsequent fix to it:
+
+  cc22522fd55e ("PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus")
+
+40613da52b13 fixed a problem where hot-adding a device with large BARs
+failed if the bridge windows programmed by firmware were not large enough.
+
+cc22522fd55e ("PCI: acpiphp: Use pci_assign_unassigned_bridge_resources()
+only for non-root bus") fixed a problem with 40613da52b13: an ACPI hot-add
+of a device on a PCI root bus (common in the virt world) or firmware
+sending ACPI Bus Check to non-existent Root Ports (e.g., on Dell Inspiron
+7352/0W6WV0) caused a NULL pointer dereference and suspend/resume hangs.
+
+Unfortunately the combination of 40613da52b13 and cc22522fd55e caused other
+problems:
+
+  - Fiona reported that hot-add of SCSI disks in QEMU virtual machine fails
+    sometimes.
+
+  - Dongli reported a similar problem with hot-add of SCSI disks.
+
+  - Jonathan reported a console freeze during boot on bare metal due to an
+    error in radeon GPU initialization.
+
+Revert both patches to avoid adding these problems.  This means we will
+again see the problems with hot-adding devices with large BARs and the NULL
+pointer dereferences and suspend/resume issues that 40613da52b13 and
+cc22522fd55e were intended to fix.
+
+Fixes: 40613da52b13 ("PCI: acpiphp: Reassign resources on bridge if necessary")
+Fixes: cc22522fd55e ("PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus")
+Reported-by: Fiona Ebner <f.ebner@proxmox.com>
+Closes: https://lore.kernel.org/r/9eb669c0-d8f2-431d-a700-6da13053ae54@proxmox.com
+Reported-by: Dongli Zhang <dongli.zhang@oracle.com>
+Closes: https://lore.kernel.org/r/3c4a446a-b167-11b8-f36f-d3c1b49b42e9@oracle.com
+Reported-by: Jonathan Woithe <jwoithe@just42.net>
+Closes: https://lore.kernel.org/r/ZXpaNCLiDM+Kv38H@marvin.atrad.com.au
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Igor Mammedov <imammedo@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/hotplug/acpiphp_glue.c |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/hotplug/acpiphp_glue.c
++++ b/drivers/pci/hotplug/acpiphp_glue.c
+@@ -510,15 +510,12 @@ static void enable_slot(struct acpiphp_s
+                               if (pass && dev->subordinate) {
+                                       check_hotplug_bridge(slot, dev);
+                                       pcibios_resource_survey_bus(dev->subordinate);
+-                                      if (pci_is_root_bus(bus))
+-                                              __pci_bus_size_bridges(dev->subordinate, &add_list);
++                                      __pci_bus_size_bridges(dev->subordinate,
++                                                             &add_list);
+                               }
+                       }
+               }
+-              if (pci_is_root_bus(bus))
+-                      __pci_bus_assign_resources(bus, &add_list, NULL);
+-              else
+-                      pci_assign_unassigned_bridge_resources(bus->self);
++              __pci_bus_assign_resources(bus, &add_list, NULL);
+       }
+ 
+       acpiphp_sanitize_bus(bus);

diff --git a/queue-4.19/series b/queue-4.19/series
index 7c226c5acd8ae6f2e0ac1e5e0afe738d62decb61..b6cc3e0c7632643fafe2f31cf9e4527128a8fd8f 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -14,3 +14,5 @@ driver-core-add-device-probe-log-helper.patch
 net-stmmac-use-dev_err_probe-for-reporting-mdio-bus-.patch
 net-stmmac-handle-disabled-mdio-busses-from-devicetr.patch
 appletalk-fix-use-after-free-in-atalk_ioctl.patch
+revert-pci-acpiphp-reassign-resources-on-bridge-if-necessary.patch
+cred-switch-to-using-atomic_long_t.patch