From: Greg Kroah-Hartman Date: Sat, 21 Jan 2023 10:34:02 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.14.304~52 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0fc737d0657d7e4f545de0bcf3106865d7e01c66;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch bluetooth-hci_qca-fix-driver-shutdown-on-closed-serdev.patch nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch wifi-brcmfmac-fix-regression-for-broadcom-pcie-wifi-devices.patch wifi-mac80211-sdata-can-be-null-during-ampdu-start.patch zonefs-detect-append-writes-at-invalid-locations.patch
---
diff --git a/queue-5.15/add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch b/queue-5.15/add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch
new file mode 100644
index 00000000000..ce6749fb9c7
--- /dev/null
+++ b/queue-5.15/add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch
@@ -0,0 +1,99 @@
+From 57054fe516d59d03a7bcf1888e82479ccc244f87 Mon Sep 17 00:00:00 2001
+From: "Shawn.Shao"
+Date: Thu, 12 Jan 2023 13:58:02 +0800
+Subject: Add exception protection processing for vd in axi_chan_handle_err function
+
+From: Shawn.Shao
+
+commit 57054fe516d59d03a7bcf1888e82479ccc244f87 upstream.
+
+Since there is no protection for vd, a kernel panic will be
+triggered here in exceptional cases.
+
+You can refer to the processing of axi_chan_block_xfer_complete function
+
+The triggered kernel panic is as follows:
+
+[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
+[ 67.848447] Mem abort info:
+[ 67.848449] ESR = 0x96000004
+[ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 67.848454] SET = 0, FnV = 0
+[ 67.848456] EA = 0, S1PTW = 0
+[ 67.848458] Data abort info:
+[ 67.848460] ISV = 0, ISS = 0x00000004
+[ 67.848462] CM = 0, WnR = 0
+[ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000
+[ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000
+[ 67.848472] Internal error: Oops: 96000004 [#1] SMP
+[ 67.848475] Modules linked in: dmatest
+[ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11
+[ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)
+[ 67.848487] pc : axi_chan_handle_err+0xc4/0x230
+[ 67.848491] lr : axi_chan_handle_err+0x30/0x230
+[ 67.848493] sp : ffff0803fe55ae50
+[ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200
+[ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080
+[ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850
+[ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000
+[ 67.848512] x21: 0000000000000080 x20: 0000000000002000
+[ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000
+[ 67.848521] x17: 0000000000000000 x16: 0000000000000000
+[ 67.848525] x15: 0000000000000000 x14: 0000000000000000
+[ 67.848529] x13: 0000000000000000 x12: 0000000000000040
+[ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a
+[ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270
+[ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0
+[ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480
+[ 67.848550] x3 : dead000000000100 x2 : dead000000000122
+[ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168
+[ 67.848559] Call trace:
+[ 67.848562] axi_chan_handle_err+0xc4/0x230
+[ 67.848566] dw_axi_dma_interrupt+0xf4/0x590
+[ 67.848569] __handle_irq_event_percpu+0x60/0x220
+[ 67.848573] handle_irq_event+0x64/0x120
+[ 67.848576] handle_fasteoi_irq+0xc4/0x220
+[ 67.848580] __handle_domain_irq+0x80/0xe0
+[ 67.848583] gic_handle_irq+0xc0/0x138
+[ 67.848585] el1_irq+0xc8/0x180
+[ 67.848588] arch_cpu_idle+0x14/0x2c
+[ 67.848591] default_idle_call+0x40/0x16c
+[ 67.848594] do_idle+0x1f0/0x250
+[ 67.848597] cpu_startup_entry+0x2c/0x60
+[ 67.848600] rest_init+0xc0/0xcc
+[ 67.848603] arch_call_rest_init+0x14/0x1c
+[ 67.848606] start_kernel+0x4cc/0x500
+[ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)
+[ 67.848613] ---[ end trace 585a97036f88203a ]---
+
+Signed-off-by: Shawn.Shao
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230112055802.1764-1-shawn.shao@jaguarmicro.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
++++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
+@@ -980,6 +980,11 @@ static noinline void axi_chan_handle_err
+
+ /* The bad descriptor currently is in the head of vc list */
+ vd = vchan_next_desc(&chan->vc);
++ if (!vd) {
++ dev_err(chan2dev(chan), "BUG: %s, IRQ with no descriptors\n",
++ axi_chan_name(chan));
++ goto out;
++ }
+ /* Remove the completed descriptor from issued list */
+ list_del(&vd->node);
+
+@@ -994,6 +999,7 @@ static noinline void axi_chan_handle_err
+ /* Try to restart the controller */
+ axi_chan_start_first_queued(chan);
+
++out:
+ spin_unlock_irqrestore(&chan->vc.lock, flags);
+ }
+
diff --git a/queue-5.15/bluetooth-hci_qca-fix-driver-shutdown-on-closed-serdev.patch b/queue-5.15/bluetooth-hci_qca-fix-driver-shutdown-on-closed-serdev.patch
new file mode 100644
index 00000000000..2ba689ba881
--- /dev/null
+++ b/queue-5.15/bluetooth-hci_qca-fix-driver-shutdown-on-closed-serdev.patch
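Review bot: The new `out:` label is placed after `axi_chan_start_first_queued(chan)`, so the `!vd` exit introduced in the preceding hunk drops the lock without attempting a restart; that is presumably intended (there is no descriptor to start) but it deserves a comment at the label, e.g. `out: /* reached with an empty descriptor list: nothing to restart, just release the lock */`. The `dev_err()` that feeds this path runs from the interrupt handler (dw_axi_dma_interrupt in the trace), so a stuck or spurious error interrupt would log on every occurrence; `dev_err_ratelimited()` is the safer choice there. Whether the channel's error status has been acknowledged before this early exit cannot be seen here, because axi_chan_handle_err() starts above the hunk.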
@@ -0,0 +1,90 @@
+From 272970be3dabd24cbe50e393ffee8f04aec3b9a8 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Thu, 29 Dec 2022 11:28:29 +0100
+Subject: Bluetooth: hci_qca: Fix driver shutdown on closed serdev
+
+From: Krzysztof Kozlowski
+
+commit 272970be3dabd24cbe50e393ffee8f04aec3b9a8 upstream.
+
+The driver shutdown callback (which sends EDL_SOC_RESET to the device
+over serdev) should not be invoked when HCI device is not open (e.g. if
+hci_dev_open_sync() failed), because the serdev and its TTY are not open
+either. Also skip this step if device is powered off
+(qca_power_shutdown()).
+
+The shutdown callback causes use-after-free during system reboot with
+Qualcomm Atheros Bluetooth:
+
+ Unable to handle kernel paging request at virtual address
+ 0072662f67726fd7
+ ...
+ CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W
+ 6.1.0-rt5-00325-g8a5f56bcfcca #8
+ Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
+ Call trace:
+ tty_driver_flush_buffer+0x4/0x30
+ serdev_device_write_flush+0x24/0x34
+ qca_serdev_shutdown+0x80/0x130 [hci_uart]
+ device_shutdown+0x15c/0x260
+ kernel_restart+0x48/0xac
+
+KASAN report:
+
+ BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50
+ Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1
+
+ CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted
+ 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28
+ Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
+ Call trace:
+ dump_backtrace.part.0+0xdc/0xf0
+ show_stack+0x18/0x30
+ dump_stack_lvl+0x68/0x84
+ print_report+0x188/0x488
+ kasan_report+0xa4/0xf0
+ __asan_load8+0x80/0xac
+ tty_driver_flush_buffer+0x1c/0x50
+ ttyport_write_flush+0x34/0x44
+ serdev_device_write_flush+0x48/0x60
+ qca_serdev_shutdown+0x124/0x274
+ device_shutdown+0x1e8/0x350
+ kernel_restart+0x48/0xb0
+ __do_sys_reboot+0x244/0x2d0
+ __arm64_sys_reboot+0x54/0x70
+ invoke_syscall+0x60/0x190
+ el0_svc_common.constprop.0+0x7c/0x160
+ do_el0_svc+0x44/0xf0
+ el0_svc+0x2c/0x6c
+ el0t_64_sync_handler+0xbc/0x140
+ el0t_64_sync+0x190/0x194
+
+Fixes: 7e7bbddd029b ("Bluetooth: hci_qca: Fix qca6390 enable failure after warm reboot")
+Cc:
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/hci_qca.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -2156,10 +2156,17 @@ static void qca_serdev_shutdown(struct d
+ int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS);
+ struct serdev_device *serdev = to_serdev_device(dev);
+ struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
++ struct hci_uart *hu = &qcadev->serdev_hu;
++ struct hci_dev *hdev = hu->hdev;
++ struct qca_data *qca = hu->priv;
+ const u8 ibs_wake_cmd[] = { 0xFD };
+ const u8 edl_reset_soc_cmd[] = { 0x01, 0x00, 0xFC, 0x01, 0x05 };
+
+ if (qcadev->btsoc_type == QCA_QCA6390) {
++ if (test_bit(QCA_BT_OFF, &qca->flags) ||
++ !test_bit(HCI_RUNNING, &hdev->flags))
++ return;
++
+ serdev_device_write_flush(serdev);
+ ret = serdev_device_write_buf(serdev, ibs_wake_cmd,
+ sizeof(ibs_wake_cmd));
diff --git a/queue-5.15/nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch b/queue-5.15/nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch
new file mode 100644
index 00000000000..b0645fc0d4d
--- /dev/null
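Review bot: `hdev->flags` and `qca->flags` are dereferenced through `hu->hdev` and `hu->priv` with no NULL check, and both pointers are fetched unconditionally before the `btsoc_type` test. If either can be unset when the shutdown callback runs — for instance because HCI registration never completed — the fix trades a use-after-free for a NULL dereference; the visible lines cannot rule that out, so guard it: `if (!hdev || !qca || test_bit(QCA_BT_OFF, &qca->flags) || !test_bit(HCI_RUNNING, &hdev->flags)) return;`. The return is silent, so a one-line comment such as `/* serdev/TTY is not open unless the HCI device is running */` would record why the reset command is skipped. qca_serdev_shutdown() continues past the hunk.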
+++ b/queue-5.15/nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch 
@@ -0,0 +1,102 @@
+From 7633355e5c7f29c049a9048e461427d1d8ed3051 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Thu, 5 Jan 2023 14:53:56 +0900
+Subject: nilfs2: fix general protection fault in nilfs_btree_insert()
+
+From: Ryusuke Konishi
+
+commit 7633355e5c7f29c049a9048e461427d1d8ed3051 upstream.
+
+If nilfs2 reads a corrupted disk image and tries to reads a b-tree node
+block by calling __nilfs_btree_get_block() against an invalid virtual
+block address, it returns -ENOENT because conversion of the virtual block
+address to a disk block address fails. However, this return value is the
+same as the internal code that b-tree lookup routines return to indicate
+that the block being searched does not exist, so functions that operate on
+that b-tree may misbehave.
+
+When nilfs_btree_insert() receives this spurious 'not found' code from
+nilfs_btree_do_lookup(), it misunderstands that the 'not found' check was
+successful and continues the insert operation using incomplete lookup path
+data, causing the following crash:
+
+ general protection fault, probably for non-canonical address
+ 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
+ KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
+ ...
+ RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]
+ RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]
+ RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238
+ Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89
+ ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c
+ 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02
+ ...
+ Call Trace:
+
+ nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]
+ nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147
+ nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101
+ __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991
+ __block_write_begin fs/buffer.c:2041 [inline]
+ block_write_begin+0x93/0x1e0 fs/buffer.c:2102
+ nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261
+ generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772
+ __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900
+ generic_file_write_iter+0xab/0x310 mm/filemap.c:3932
+ call_write_iter include/linux/fs.h:2186 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x7dc/0xc50 fs/read_write.c:584
+ ksys_write+0x177/0x2a0 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ ...
+
+
+This patch fixes the root cause of this problem by replacing the error
+code that __nilfs_btree_get_block() returns on block address conversion
+failure from -ENOENT to another internal code -EINVAL which means that the
+b-tree metadata is corrupted.
+
+By returning -EINVAL, it propagates without glitches, and for all relevant
+b-tree operations, functions in the upper bmap layer output an error
+message indicating corrupted b-tree metadata via
+nilfs_bmap_convert_error(), and code -EIO will be eventually returned as
+it should be.
+
+Link: https://lkml.kernel.org/r/000000000000bd89e205f0e38355@google.com
+Link: https://lkml.kernel.org/r/20230105055356.8811-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+ede796cecd5296353515@syzkaller.appspotmail.com
+Tested-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/btree.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -480,9 +480,18 @@ static int __nilfs_btree_get_block(const
+ ret = nilfs_btnode_submit_block(btnc, ptr, 0, REQ_OP_READ, 0, &bh,
+ &submit_ptr);
+ if (ret) {
+- if (ret != -EEXIST)
+- return ret;
+- goto out_check;
++ if (likely(ret == -EEXIST))
++ goto out_check;
++ if (ret == -ENOENT) {
++ /*
++ * Block address translation failed due to invalid
++ * value of 'ptr'. In this case, return internal code
++ * -EINVAL (broken bmap) to notify bmap layer of fatal
++ * metadata corruption.
++ */
++ ret = -EINVAL;
++ }
++ return ret;
+ }
+
+ if (ra) {
diff --git a/queue-5.15/series b/queue-5.15/series
index 6f05ebde471..9b18c26d059 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -12,3 +12,9 @@ x86-asm-fix-an-assembler-warning-with-current-binuti.patch
 f2fs-let-s-avoid-panic-if-extent_tree-is-not-created.patch
 perf-x86-rapl-treat-tigerlake-like-icelake.patch
 fbdev-omapfb-avoid-stack-overflow-warning.patch
+bluetooth-hci_qca-fix-driver-shutdown-on-closed-serdev.patch
+wifi-brcmfmac-fix-regression-for-broadcom-pcie-wifi-devices.patch
+wifi-mac80211-sdata-can-be-null-during-ampdu-start.patch
+add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch
+zonefs-detect-append-writes-at-invalid-locations.patch
+nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch
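Review bot: The `ret == -ENOENT` branch remaps the error without recording anything, so the first point at which the corrupted virtual block address is detected leaves no trace of the offending `ptr`; the commit message relies on the bmap layer to report it, which works, but a warning here that prints `ptr` would make diagnosis from a corrupted image considerably easier. The remap also assumes `nilfs_btnode_submit_block()` returns -ENOENT only when virtual-to-disk address translation fails; if the callee can surface -ENOENT for any other reason, that case is now reported as metadata corruption, which is worth confirming since the callee is outside this hunk. A comment to that effect on the `if (ret == -ENOENT)` line, e.g. `/* only the DAT translation path can produce -ENOENT here */`, would pin the assumption. `__nilfs_btree_get_block()` begins and ends outside the hunk.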
diff --git a/queue-5.15/wifi-brcmfmac-fix-regression-for-broadcom-pcie-wifi-devices.patch b/queue-5.15/wifi-brcmfmac-fix-regression-for-broadcom-pcie-wifi-devices.patch
new file mode 100644
index 00000000000..4e148673753
--- /dev/null
+++ b/queue-5.15/wifi-brcmfmac-fix-regression-for-broadcom-pcie-wifi-devices.patch
@@ -0,0 +1,39 @@
+From ed05cb177ae5cd7f02f1d6e7706ba627d30f1696 Mon Sep 17 00:00:00 2001
+From: Arend van Spriel
+Date: Wed, 11 Jan 2023 12:24:19 +0100
+Subject: wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices
+
+From: Arend van Spriel
+
+commit ed05cb177ae5cd7f02f1d6e7706ba627d30f1696 upstream.
+
+A sanity check was introduced considering maximum flowrings above
+256 as insane and effectively aborting the device probe. This
+resulted in regression for number of users as the value turns out
+to be sane after all.
+
+Fixes: 2aca4f3734bd ("brcmfmac: return error when getting invalid max_flowrings from dongle")
+Reported-by: chainofflowers
+Link: https://lore.kernel.org/all/4781984.GXAFRqVoOG@luna/
+Reported-by: Christian Marillat
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216894
+Cc: stable@vger.kernel.org
+Signed-off-by: Arend van Spriel
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230111112419.24185-1-arend.vanspriel@broadcom.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1118,7 +1118,7 @@ static int brcmf_pcie_init_ringbuffers(s
+ BRCMF_NROF_H2D_COMMON_MSGRINGS;
+ max_completionrings = BRCMF_NROF_D2H_COMMON_MSGRINGS;
+ }
+- if (max_flowrings > 256) {
++ if (max_flowrings > 512) {
+ brcmf_err(bus, "invalid max_flowrings(%d)\n", max_flowrings);
+ return -EIO;
+ }
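Review bot: Raising the bound from 256 to 512 leaves a bare magic number in a check whose purpose is to bound a value derived from dongle-reported shared memory (`max_submissionrings`), and neither the code nor the error message says where 512 comes from. Name it next to the ring-count definitions, e.g. `#define BRCMF_PCIE_MAX_FLOWRINGS 512 /* sanity bound for the dongle-reported flowring count */`, and compare against that, so the next regression report can be judged against a documented limit instead of another guess. It is also worth confirming that the per-flowring state allocated after this check is sized from `max_flowrings` rather than a fixed 256; that code is outside the hunk. brcmf_pcie_init_ringbuffers() starts above and continues below the hunk.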
diff --git a/queue-5.15/wifi-mac80211-sdata-can-be-null-during-ampdu-start.patch b/queue-5.15/wifi-mac80211-sdata-can-be-null-during-ampdu-start.patch
new file mode 100644
index 00000000000..7d60d67accc
--- /dev/null
+++ b/queue-5.15/wifi-mac80211-sdata-can-be-null-during-ampdu-start.patch
@@ -0,0 +1,117 @@
+From 69403bad97aa0162e3d7911b27e25abe774093df Mon Sep 17 00:00:00 2001
+From: Alexander Wetzel
+Date: Fri, 30 Dec 2022 13:18:50 +0100
+Subject: wifi: mac80211: sdata can be NULL during AMPDU start
+
+From: Alexander Wetzel
+
+commit 69403bad97aa0162e3d7911b27e25abe774093df upstream.
+
+ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a
+deauthentication is ongoing.
+
+Here a trace triggering the race with the hostapd test
+multi_ap_fronthaul_on_ap:
+
+(gdb) list *drv_ampdu_action+0x46
+0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).
+391 int ret = -EOPNOTSUPP;
+392
+393 might_sleep();
+394
+395 sdata = get_bss_sdata(sdata);
+396 if (!check_sdata_in_driver(sdata))
+397 return -EIO;
+398
+399 trace_drv_ampdu_action(local, sdata, params);
+400
+
+wlan0: moving STA 02:00:00:00:03:00 to state 3
+wlan0: associated
+wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)
+wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0
+wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)
+wlan0: moving STA 02:00:00:00:03:00 to state 2
+wlan0: moving STA 02:00:00:00:03:00 to state 1
+wlan0: Removed STA 02:00:00:00:03:00
+wlan0: Destroyed STA 02:00:00:00:03:00
+BUG: unable to handle page fault for address: fffffffffffffb48
+PGD 11814067 P4D 11814067 PUD 11816067 PMD 0
+Oops: 0000 [#1] PREEMPT SMP PTI
+CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
+Workqueue: phy3 ieee80211_ba_session_work [mac80211]
+RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]
+Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85
+RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287
+RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240
+RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40
+RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001
+R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0
+R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8
+FS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0
+Call Trace:
+
+ ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]
+ ieee80211_ba_session_work+0xff/0x2e0 [mac80211]
+ process_one_work+0x29f/0x620
+ worker_thread+0x4d/0x3d0
+ ? process_one_work+0x620/0x620
+ kthread+0xfb/0x120
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x22/0x30
+
+
+Signed-off-by: Alexander Wetzel
+Link: https://lore.kernel.org/r/20221230121850.218810-2-alexander@wetzel-home.de
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/agg-tx.c | 6 +++++-
+ net/mac80211/driver-ops.c | 3 +++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -491,7 +491,7 @@ void ieee80211_tx_ba_session_handle_star
+ {
+ struct tid_ampdu_tx *tid_tx;
+ struct ieee80211_local *local = sta->local;
+- struct ieee80211_sub_if_data *sdata = sta->sdata;
++ struct ieee80211_sub_if_data *sdata;
+ struct ieee80211_ampdu_params params = {
+ .sta = &sta->sta,
+ .action = IEEE80211_AMPDU_TX_START,
+@@ -521,6 +521,7 @@ void ieee80211_tx_ba_session_handle_star
+ */
+ synchronize_net();
+
++ sdata = sta->sdata;
+ params.ssn = sta->tid_seq[tid] >> 4;
+ ret = drv_ampdu_action(local, sdata, ¶ms);
+ tid_tx->ssn = params.ssn;
+@@ -534,6 +535,9 @@ void ieee80211_tx_ba_session_handle_star
+ */
+ set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state);
+ } else if (ret) {
++ if (!sdata)
++ return;
++
+ ht_dbg(sdata,
+ "BA request denied - HW unavailable for %pM tid %d\n",
+ sta->sta.addr, tid);
+--- a/net/mac80211/driver-ops.c
++++ b/net/mac80211/driver-ops.c
+@@ -331,6 +331,9 @@ int drv_ampdu_action(struct ieee80211_lo
+
+ might_sleep();
+
++ if (!sdata)
++ return -EIO;
++
+ sdata = get_bss_sdata(sdata);
+ if (!check_sdata_in_driver(sdata))
+ return -EIO;
diff --git a/queue-5.15/zonefs-detect-append-writes-at-invalid-locations.patch b/queue-5.15/zonefs-detect-append-writes-at-invalid-locations.patch
new file mode 100644
index 00000000000..d58a895a88f
--- /dev/null
+++ b/queue-5.15/zonefs-detect-append-writes-at-invalid-locations.patch
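Review bot: The new `if (!sdata) return;` inside the `else if (ret)` branch leaves `tid_tx` and the session state untouched on a denied BA request, whereas the normal denial path continues below the hunk; if that is acceptable only because the STA is being torn down (the commit message describes an ongoing deauthentication), the code should say so: `/* sdata gone: STA is being removed and its teardown cleans up tid_tx */`. The `sdata` being tested is the value re-read from `sta->sdata` after `synchronize_net()` in the previous hunk, and nothing in the code explains why that plain read is stable or under what condition it is legitimately NULL; a sentence at the re-read would save the next reader a trip through the commit log. ieee80211_tx_ba_session_handle_start() continues past the hunk.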
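Review bot: `drv_ampdu_action()` now returns -EIO for a NULL `sdata`, the same code `check_sdata_in_driver()` failure produces two lines later, so callers cannot tell a vanished interface from a driver that is not ready. That is probably acceptable here, but the new check has no comment naming which caller can pass NULL and why, which invites someone to later remove it as unreachable; add `/* sta->sdata may be NULL while the STA is being removed; treat as HW unavailable */`. The function continues past the hunk.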
@@ -0,0 +1,72 @@
+From a608da3bd730d718f2d3ebec1c26f9865f8f17ce Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Fri, 6 Jan 2023 17:43:06 +0900
+Subject: zonefs: Detect append writes at invalid locations
+
+From: Damien Le Moal
+
+commit a608da3bd730d718f2d3ebec1c26f9865f8f17ce upstream.
+
+Using REQ_OP_ZONE_APPEND operations for synchronous writes to sequential
+files succeeds regardless of the zone write pointer position, as long as
+the target zone is not full. This means that if an external (buggy)
+application writes to the zone of a sequential file underneath the file
+system, subsequent file write() operation will succeed but the file size
+will not be correct and the file will contain invalid data written by
+another application.
+
+Modify zonefs_file_dio_append() to check the written sector of an append
+write (returned in bio->bi_iter.bi_sector) and return -EIO if there is a
+mismatch with the file zone wp offset field. This change triggers a call
+to zonefs_io_error() and a zone check. Modify zonefs_io_error_cb() to
+not expose the unexpected data after the current inode size when the
+errors=remount-ro mode is used. Other error modes are correctly handled
+already.
+
+Fixes: 02ef12a663c7 ("zonefs: use REQ_OP_ZONE_APPEND for sync DIO")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/zonefs/super.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/fs/zonefs/super.c
++++ b/fs/zonefs/super.c
+@@ -402,6 +402,10 @@ static int zonefs_io_error_cb(struct blk
+ data_size = zonefs_check_zone_condition(inode, zone,
+ false, false);
+ }
++ } else if (sbi->s_mount_opts & ZONEFS_MNTOPT_ERRORS_RO &&
++ data_size > isize) {
++ /* Do not expose garbage data */
++ data_size = isize;
+ }
+
+ /*
+@@ -765,6 +769,24 @@ static ssize_t zonefs_file_dio_append(st
+
+ ret = submit_bio_wait(bio);
+
++ /*
++ * If the file zone was written underneath the file system, the zone
++ * write pointer may not be where we expect it to be, but the zone
++ * append write can still succeed. So check manually that we wrote where
++ * we intended to, that is, at zi->i_wpoffset.
++ */
++ if (!ret) {
++ sector_t wpsector =
++ zi->i_zsector + (zi->i_wpoffset >> SECTOR_SHIFT);
++
++ if (bio->bi_iter.bi_sector != wpsector) {
++ zonefs_warn(inode->i_sb,
++ "Corrupted write pointer %llu for zone at %llu\n",
++ wpsector, zi->i_zsector);
++ ret = -EIO;
++ }
++ }
++
+ zonefs_file_write_dio_end_io(iocb, size, ret, 0);
+ trace_zonefs_file_dio_append(inode, size, ret);
+
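Review bot: The new `else if` mixes `&` and `&&` without parentheses; `sbi->s_mount_opts & ZONEFS_MNTOPT_ERRORS_RO && data_size > isize` parses as intended because `&` binds tighter, but it reads as ambiguous and is the kind of line that gets "fixed" wrongly later, so write `(sbi->s_mount_opts & ZONEFS_MNTOPT_ERRORS_RO) && data_size > isize`. The comment `/* Do not expose garbage data */` would be more useful if it said what the garbage is, e.g. `/* remount-ro: clamp to the old size so data appended to the zone behind our back is not exposed */`. The `else if` extends a chain whose head is above the hunk, so which other error modes reach it cannot be checked from here; zonefs_io_error_cb() starts and ends outside the hunk.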
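Review bot: The warning prints the expected sector (`wpsector`) and the zone start but not the sector the device actually reported in `bio->bi_iter.bi_sector`, which is the one datum that shows how far the out-of-band writer advanced the zone; include it: `"Corrupted write pointer %llu for zone at %llu (append landed at %llu)\n", wpsector, zi->i_zsector, bio->bi_iter.bi_sector`. By the time the mismatch is detected the append has already been committed to the device, so the -EIO reports the inconsistency rather than preventing it; the comment above the check could state that the subsequent zone check triggered via zonefs_io_error() is what reconciles the in-memory write pointer with the device. zonefs_file_dio_append() continues past the hunk.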