From: Greg Kroah-Hartman Date: Sun, 11 Dec 2022 09:57:33 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.9.336~22 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1066e592ce3696573e67c1a564195ccce7f5c41d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: drm-shmem-helper-remove-errant-put-in-error-path.patch hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch hid-hid-lg4ff-add-check-for-empty-lbuf.patch hid-usbhid-add-always_poll-quirk-for-some-mice.patch kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch mm-gup-fix-gup_pud_range-for-dax.patch --- diff --git a/queue-5.4/drm-shmem-helper-remove-errant-put-in-error-path.patch b/queue-5.4/drm-shmem-helper-remove-errant-put-in-error-path.patch new file mode 100644 index 00000000000..4daa755f479 --- /dev/null +++ b/queue-5.4/drm-shmem-helper-remove-errant-put-in-error-path.patch @@ -0,0 +1,39 @@ +From 24013314be6ee4ee456114a671e9fa3461323de8 Mon Sep 17 00:00:00 2001 +From: Rob Clark +Date: Wed, 30 Nov 2022 10:57:47 -0800 +Subject: drm/shmem-helper: Remove errant put in error path + +From: Rob Clark + +commit 24013314be6ee4ee456114a671e9fa3461323de8 upstream. + +drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM +object getting prematurely freed leading to a later use-after-free. + +Link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d +Reported-by: syzbot+c8ae65286134dd1b800d@syzkaller.appspotmail.com +Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects") +Cc: stable@vger.kernel.org +Signed-off-by: Rob Clark +Reviewed-by: Daniel Vetter +Signed-off-by: Javier Martinez Canillas +Link: https://patchwork.freedesktop.org/patch/msgid/20221130185748.357410-2-robdclark@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_shmem_helper.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_gem_shmem_helper.c ++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c +@@ -554,10 +554,8 @@ int drm_gem_shmem_mmap(struct file *filp + shmem = to_drm_gem_shmem_obj(vma->vm_private_data); + + ret = drm_gem_shmem_get_pages(shmem); +- if (ret) { +- drm_gem_vm_close(vma); ++ if (ret) + return ret; +- } + + /* VM_PFNMAP was set by drm_gem_mmap() */ + vma->vm_flags &= ~VM_PFNMAP; diff --git a/queue-5.4/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch b/queue-5.4/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch new file mode 100644 index 00000000000..5c480f34c42 --- /dev/null +++ b/queue-5.4/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch @@ -0,0 +1,72 @@ +From ec61b41918587be530398b0d1c9a0d16619397e5 Mon Sep 17 00:00:00 2001 +From: ZhangPeng +Date: Wed, 16 Nov 2022 07:14:28 +0000 +Subject: HID: core: fix shift-out-of-bounds in hid_report_raw_event + +From: ZhangPeng + +commit ec61b41918587be530398b0d1c9a0d16619397e5 upstream. + +Syzbot reported shift-out-of-bounds in hid_report_raw_event. + +microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > +32! (swapper/0) +====================================================================== +UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20 +shift exponent 127 is too large for 32-bit type 'int' +CPU: 0 PID: 0 Comm: swapper/0 Not tainted +6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0 +Hardware name: Google Compute Engine/Google Compute Engine, BIOS +Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:151 [inline] + __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322 + snto32 drivers/hid/hid-core.c:1323 [inline] + hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline] + hid_process_report drivers/hid/hid-core.c:1665 [inline] + hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998 + hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066 + hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284 + __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671 + dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988 + call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474 + expire_timers kernel/time/timer.c:1519 [inline] + __run_timers+0x76a/0x980 kernel/time/timer.c:1790 + run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803 + __do_softirq+0x277/0x75b kernel/softirq.c:571 + __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650 + irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 + sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107 +====================================================================== + +If the size of the integer (unsigned n) is bigger than 32 in snto32(), +shift exponent will be too large for 32-bit type 'int', resulting in a +shift-out-of-bounds bug. +Fix this by adding a check on the size of the integer (unsigned n) in +snto32(). To add support for n greater than 32 bits, set n to 32, if n +is greater than 32. + +Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com +Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") +Signed-off-by: ZhangPeng +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1303,6 +1303,9 @@ static s32 snto32(__u32 value, unsigned + if (!value || !n) + return 0; + ++ if (n > 32) ++ n = 32; ++ + switch (n) { + case 8: return ((__s8)value); + case 16: return ((__s16)value); diff --git a/queue-5.4/hid-hid-lg4ff-add-check-for-empty-lbuf.patch b/queue-5.4/hid-hid-lg4ff-add-check-for-empty-lbuf.patch new file mode 100644 index 00000000000..837eea2a7f0 --- /dev/null +++ b/queue-5.4/hid-hid-lg4ff-add-check-for-empty-lbuf.patch @@ -0,0 +1,37 @@ +From d180b6496143cd360c5d5f58ae4b9a8229c1f344 Mon Sep 17 00:00:00 2001 +From: Anastasia Belova +Date: Fri, 11 Nov 2022 15:55:11 +0300 +Subject: HID: hid-lg4ff: Add check for empty lbuf + +From: Anastasia Belova + +commit d180b6496143cd360c5d5f58ae4b9a8229c1f344 upstream. + +If an empty buf is received, lbuf is also empty. So lbuf is +accessed by index -1. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: f31a2de3fe36 ("HID: hid-lg4ff: Allow switching of Logitech gaming wheels between compatibility modes") +Signed-off-by: Anastasia Belova +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-lg4ff.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/hid/hid-lg4ff.c ++++ b/drivers/hid/hid-lg4ff.c +@@ -872,6 +872,12 @@ static ssize_t lg4ff_alternate_modes_sto + return -ENOMEM; + + i = strlen(lbuf); ++ ++ if (i == 0) { ++ kfree(lbuf); ++ return -EINVAL; ++ } ++ + if (lbuf[i-1] == '\n') { + if (i == 1) { + kfree(lbuf); diff --git a/queue-5.4/hid-usbhid-add-always_poll-quirk-for-some-mice.patch b/queue-5.4/hid-usbhid-add-always_poll-quirk-for-some-mice.patch new file mode 100644 index 00000000000..e1a59529aa3 --- /dev/null +++ b/queue-5.4/hid-usbhid-add-always_poll-quirk-for-some-mice.patch @@ -0,0 +1,78 @@ +From f6d910a89a2391e5ce1f275d205023880a33d3f8 Mon Sep 17 00:00:00 2001 +From: Ankit Patel +Date: Tue, 22 Nov 2022 15:35:20 +0800 +Subject: HID: usbhid: Add ALWAYS_POLL quirk for some mice + +From: Ankit Patel + +commit f6d910a89a2391e5ce1f275d205023880a33d3f8 upstream. + +Some additional USB mouse devices are needing ALWAYS_POLL quirk without +which they disconnect and reconnect every 60s. + +Add below devices to the known quirk list. +CHERRY VID 0x046a, PID 0x000c +MICROSOFT VID 0x045e, PID 0x0783 +PRIMAX VID 0x0461, PID 0x4e2a + +Signed-off-by: Ankit Patel +Signed-off-by: Haotien Hsu +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 3 +++ + 2 files changed, 6 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -259,6 +259,7 @@ + #define USB_DEVICE_ID_CH_AXIS_295 0x001c + + #define USB_VENDOR_ID_CHERRY 0x046a ++#define USB_DEVICE_ID_CHERRY_MOUSE_000C 0x000c + #define USB_DEVICE_ID_CHERRY_CYMOTION 0x0023 + #define USB_DEVICE_ID_CHERRY_CYMOTION_SOLAR 0x0027 + +@@ -864,6 +865,7 @@ + #define USB_DEVICE_ID_MS_XBOX_ONE_S_CONTROLLER 0x02fd + #define USB_DEVICE_ID_MS_PIXART_MOUSE 0x00cb + #define USB_DEVICE_ID_8BITDO_SN30_PRO_PLUS 0x02e0 ++#define USB_DEVICE_ID_MS_MOUSE_0783 0x0783 + + #define USB_VENDOR_ID_MOJO 0x8282 + #define USB_DEVICE_ID_RETRO_ADAPTER 0x3201 +@@ -1292,6 +1294,7 @@ + + #define USB_VENDOR_ID_PRIMAX 0x0461 + #define USB_DEVICE_ID_PRIMAX_MOUSE_4D22 0x4d22 ++#define USB_DEVICE_ID_PRIMAX_MOUSE_4E2A 0x4e2a + #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05 + #define USB_DEVICE_ID_PRIMAX_REZEL 0x4e72 + #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F 0x4d0f +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -54,6 +54,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FLIGHT_SIM_YOKE), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_PEDALS), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_THROTTLE), HID_QUIRK_NOGET }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_CHERRY, USB_DEVICE_ID_CHERRY_MOUSE_000C), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB_RAPIDFIRE), HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K70RGB), HID_QUIRK_NO_INIT_REPORTS }, +@@ -122,6 +123,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C05A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C06A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_MCS, USB_DEVICE_ID_MCS_GAMEPADBLOCK), HID_QUIRK_MULTI_INPUT }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_MOUSE_0783), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_PIXART_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_SURFACE3_COVER), HID_QUIRK_NO_INIT_REPORTS }, +@@ -146,6 +148,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4E2A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL }, diff --git a/queue-5.4/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch b/queue-5.4/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch new file mode 100644 index 00000000000..4e810f447ec --- /dev/null +++ b/queue-5.4/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch @@ -0,0 +1,48 @@ +From 0dd4cdccdab3d74bd86b868768a7dca216bcce7e Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Wed, 23 Nov 2022 10:08:33 +0100 +Subject: KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field + +From: Thomas Huth + +commit 0dd4cdccdab3d74bd86b868768a7dca216bcce7e upstream. + +We recently experienced some weird huge time jumps in nested guests when +rebooting them in certain cases. After adding some debug code to the epoch +handling in vsie.c (thanks to David Hildenbrand for the idea!), it was +obvious that the "epdx" field (the multi-epoch extension) did not get set +to 0xff in case the "epoch" field was negative. +Seems like the code misses to copy the value from the epdx field from +the guest to the shadow control block. By doing so, the weird time +jumps are gone in our scenarios. + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2140899 +Fixes: 8fa1696ea781 ("KVM: s390: Multiple Epoch Facility support") +Signed-off-by: Thomas Huth +Reviewed-by: Christian Borntraeger +Acked-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Reviewed-by: Janosch Frank +Cc: stable@vger.kernel.org # 4.19+ +Link: https://lore.kernel.org/r/20221123090833.292938-1-thuth@redhat.com +Message-Id: <20221123090833.292938-1-thuth@redhat.com> +Signed-off-by: Janosch Frank +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kvm/vsie.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/s390/kvm/vsie.c ++++ b/arch/s390/kvm/vsie.c +@@ -540,8 +540,10 @@ static int shadow_scb(struct kvm_vcpu *v + if (test_kvm_cpu_feat(vcpu->kvm, KVM_S390_VM_CPU_FEAT_CEI)) + scb_s->eca |= scb_o->eca & ECA_CEI; + /* Epoch Extension */ +- if (test_kvm_facility(vcpu->kvm, 139)) ++ if (test_kvm_facility(vcpu->kvm, 139)) { + scb_s->ecd |= scb_o->ecd & ECD_MEF; ++ scb_s->epdx = scb_o->epdx; ++ } + + /* etoken */ + if (test_kvm_facility(vcpu->kvm, 156)) diff --git a/queue-5.4/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch b/queue-5.4/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch new file mode 100644 index 00000000000..22f3b1c3246 --- /dev/null +++ b/queue-5.4/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch @@ -0,0 +1,70 @@ +From 5eef2141776da02772c44ec406d6871a790761ee Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Wed, 16 Nov 2022 15:07:22 +0000 +Subject: media: v4l2-dv-timings.c: fix too strict blanking sanity checks + +From: Hans Verkuil + +commit 5eef2141776da02772c44ec406d6871a790761ee upstream. + +Sanity checks were added to verify the v4l2_bt_timings blanking fields +in order to avoid integer overflows when userspace passes weird values. + +But that assumed that userspace would correctly fill in the front porch, +backporch and sync values, but sometimes all you know is the total +blanking, which is then assigned to just one of these fields. + +And that can fail with these checks. + +So instead set a maximum for the total horizontal and vertical +blanking and check that each field remains below that. + +That is still sufficient to avoid integer overflows, but it also +allows for more flexibility in how userspace fills in these fields. + +Signed-off-by: Hans Verkuil +Fixes: 4b6d66a45ed3 ("media: v4l2-dv-timings: add sanity checks for blanking values") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-dv-timings.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-dv-timings.c ++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c +@@ -145,6 +145,8 @@ bool v4l2_valid_dv_timings(const struct + const struct v4l2_bt_timings *bt = &t->bt; + const struct v4l2_bt_timings_cap *cap = &dvcap->bt; + u32 caps = cap->capabilities; ++ const u32 max_vert = 10240; ++ u32 max_hor = 3 * bt->width; + + if (t->type != V4L2_DV_BT_656_1120) + return false; +@@ -166,14 +168,20 @@ bool v4l2_valid_dv_timings(const struct + if (!bt->interlaced && + (bt->il_vbackporch || bt->il_vsync || bt->il_vfrontporch)) + return false; +- if (bt->hfrontporch > 2 * bt->width || +- bt->hsync > 1024 || bt->hbackporch > 1024) ++ /* ++ * Some video receivers cannot properly separate the frontporch, ++ * backporch and sync values, and instead they only have the total ++ * blanking. That can be assigned to any of these three fields. ++ * So just check that none of these are way out of range. ++ */ ++ if (bt->hfrontporch > max_hor || ++ bt->hsync > max_hor || bt->hbackporch > max_hor) + return false; +- if (bt->vfrontporch > 4096 || +- bt->vsync > 128 || bt->vbackporch > 4096) ++ if (bt->vfrontporch > max_vert || ++ bt->vsync > max_vert || bt->vbackporch > max_vert) + return false; +- if (bt->interlaced && (bt->il_vfrontporch > 4096 || +- bt->il_vsync > 128 || bt->il_vbackporch > 4096)) ++ if (bt->interlaced && (bt->il_vfrontporch > max_vert || ++ bt->il_vsync > max_vert || bt->il_vbackporch > max_vert)) + return false; + return fnc == NULL || fnc(t, fnc_handle); + } diff --git a/queue-5.4/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch b/queue-5.4/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch new file mode 100644 index 00000000000..144e4b842b4 --- /dev/null +++ b/queue-5.4/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch @@ -0,0 +1,112 @@ +From 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 7 Dec 2022 16:53:15 -1000 +Subject: memcg: fix possible use-after-free in memcg_write_event_control() + +From: Tejun Heo + +commit 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 upstream. + +memcg_write_event_control() accesses the dentry->d_name of the specified +control fd to route the write call. As a cgroup interface file can't be +renamed, it's safe to access d_name as long as the specified file is a +regular cgroup file. Also, as these cgroup interface files can't be +removed before the directory, it's safe to access the parent too. + +Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a +call to __file_cft() which verified that the specified file is a regular +cgroupfs file before further accesses. The cftype pointer returned from +__file_cft() was no longer necessary and the commit inadvertently dropped +the file type check with it allowing any file to slip through. With the +invarients broken, the d_name and parent accesses can now race against +renames and removals of arbitrary files and cause use-after-free's. + +Fix the bug by resurrecting the file type check in __file_cft(). Now that +cgroupfs is implemented through kernfs, checking the file operations needs +to go through a layer of indirection. Instead, let's check the superblock +and dentry type. + +Link: https://lkml.kernel.org/r/Y5FRm/cfcKPGzWwl@slm.duckdns.org +Fixes: 347c4a874710 ("memcg: remove cgroup_event->cft") +Signed-off-by: Tejun Heo +Reported-by: Jann Horn +Acked-by: Roman Gushchin +Acked-by: Johannes Weiner +Cc: Linus Torvalds +Cc: Michal Hocko +Cc: Muchun Song +Cc: Shakeel Butt +Cc: [3.14+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/cgroup.h | 1 + + kernel/cgroup/cgroup-internal.h | 1 - + mm/memcontrol.c | 15 +++++++++++++-- + 3 files changed, 14 insertions(+), 3 deletions(-) + +--- a/include/linux/cgroup.h ++++ b/include/linux/cgroup.h +@@ -69,6 +69,7 @@ struct css_task_iter { + struct list_head iters_node; /* css_set->task_iters */ + }; + ++extern struct file_system_type cgroup_fs_type; + extern struct cgroup_root cgrp_dfl_root; + extern struct css_set init_css_set; + +--- a/kernel/cgroup/cgroup-internal.h ++++ b/kernel/cgroup/cgroup-internal.h +@@ -169,7 +169,6 @@ extern struct mutex cgroup_mutex; + extern spinlock_t css_set_lock; + extern struct cgroup_subsys *cgroup_subsys[]; + extern struct list_head cgroup_roots; +-extern struct file_system_type cgroup_fs_type; + + /* iterate across the hierarchies */ + #define for_each_root(root) \ +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -4709,6 +4709,7 @@ static ssize_t memcg_write_event_control + unsigned int efd, cfd; + struct fd efile; + struct fd cfile; ++ struct dentry *cdentry; + const char *name; + char *endp; + int ret; +@@ -4760,6 +4761,16 @@ static ssize_t memcg_write_event_control + goto out_put_cfile; + + /* ++ * The control file must be a regular cgroup1 file. As a regular cgroup ++ * file can't be renamed, it's safe to access its name afterwards. ++ */ ++ cdentry = cfile.file->f_path.dentry; ++ if (cdentry->d_sb->s_type != &cgroup_fs_type || !d_is_reg(cdentry)) { ++ ret = -EINVAL; ++ goto out_put_cfile; ++ } ++ ++ /* + * Determine the event callbacks and set them in @event. This used + * to be done via struct cftype but cgroup core no longer knows + * about these events. The following is crude but the whole thing +@@ -4767,7 +4778,7 @@ static ssize_t memcg_write_event_control + * + * DO NOT ADD NEW FILES. + */ +- name = cfile.file->f_path.dentry->d_name.name; ++ name = cdentry->d_name.name; + + if (!strcmp(name, "memory.usage_in_bytes")) { + event->register_event = mem_cgroup_usage_register_event; +@@ -4791,7 +4802,7 @@ static ssize_t memcg_write_event_control + * automatically removed on cgroup destruction but the removal is + * asynchronous, so take an extra ref on @css. + */ +- cfile_css = css_tryget_online_from_dir(cfile.file->f_path.dentry->d_parent, ++ cfile_css = css_tryget_online_from_dir(cdentry->d_parent, + &memory_cgrp_subsys); + ret = -EINVAL; + if (IS_ERR(cfile_css)) diff --git a/queue-5.4/mm-gup-fix-gup_pud_range-for-dax.patch b/queue-5.4/mm-gup-fix-gup_pud_range-for-dax.patch new file mode 100644 index 00000000000..c423cd936fe --- /dev/null +++ b/queue-5.4/mm-gup-fix-gup_pud_range-for-dax.patch @@ -0,0 +1,87 @@ +From fcd0ccd836ffad73d98a66f6fea7b16f735ea920 Mon Sep 17 00:00:00 2001 +From: John Starks +Date: Tue, 6 Dec 2022 22:00:53 -0800 +Subject: mm/gup: fix gup_pud_range() for dax + +From: John Starks + +commit fcd0ccd836ffad73d98a66f6fea7b16f735ea920 upstream. + +For dax pud, pud_huge() returns true on x86. So the function works as long +as hugetlb is configured. However, dax doesn't depend on hugetlb. +Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed +devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as +well. + +This fixes the below kernel panic: + +general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP + < snip > +Call Trace: + +get_user_pages_fast+0x1f/0x40 +iov_iter_get_pages+0xc6/0x3b0 +? mempool_alloc+0x5d/0x170 +bio_iov_iter_get_pages+0x82/0x4e0 +? bvec_alloc+0x91/0xc0 +? bio_alloc_bioset+0x19a/0x2a0 +blkdev_direct_IO+0x282/0x480 +? __io_complete_rw_common+0xc0/0xc0 +? filemap_range_has_page+0x82/0xc0 +generic_file_direct_write+0x9d/0x1a0 +? inode_update_time+0x24/0x30 +__generic_file_write_iter+0xbd/0x1e0 +blkdev_write_iter+0xb4/0x150 +? io_import_iovec+0x8d/0x340 +io_write+0xf9/0x300 +io_issue_sqe+0x3c3/0x1d30 +? sysvec_reschedule_ipi+0x6c/0x80 +__io_queue_sqe+0x33/0x240 +? fget+0x76/0xa0 +io_submit_sqes+0xe6a/0x18d0 +? __fget_light+0xd1/0x100 +__x64_sys_io_uring_enter+0x199/0x880 +? __context_tracking_enter+0x1f/0x70 +? irqentry_exit_to_user_mode+0x24/0x30 +? irqentry_exit+0x1d/0x30 +? __context_tracking_exit+0xe/0x70 +do_syscall_64+0x3b/0x90 +entry_SYSCALL_64_after_hwframe+0x61/0xcb +RIP: 0033:0x7fc97c11a7be + < snip > + +---[ end trace 48b2e0e67debcaeb ]--- +RIP: 0010:internal_get_user_pages_fast+0x340/0x990 + < snip > +Kernel panic - not syncing: Fatal exception +Kernel Offset: disabled + +Link: https://lkml.kernel.org/r/1670392853-28252-1-git-send-email-ssengar@linux.microsoft.com +Fixes: 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") +Signed-off-by: John Starks +Signed-off-by: Saurabh Sengar +Cc: Jan Kara +Cc: Yu Zhao +Cc: Jason Gunthorpe +Cc: John Hubbard +Cc: David Hildenbrand +Cc: Dan Williams +Cc: Alistair Popple +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/gup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -2240,7 +2240,7 @@ static int gup_pud_range(p4d_t *p4dp, p4 + next = pud_addr_end(addr, end); + if (pud_none(pud)) + return 0; +- if (unlikely(pud_huge(pud))) { ++ if (unlikely(pud_huge(pud) || pud_devmap(pud))) { + if (!gup_huge_pud(pud, pudp, addr, next, flags, + pages, nr)) + return 0; diff --git a/queue-5.4/series b/queue-5.4/series index 82e7eae925a..a6b3832be86 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -21,3 +21,11 @@ xen-netback-ensure-protocol-headers-don-t-fall-in-th.patch xen-netback-do-some-code-cleanup.patch xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch revert-net-dsa-b53-fix-valid-setting-for-mdb-entries.patch +media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch +memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch +mm-gup-fix-gup_pud_range-for-dax.patch +kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch +drm-shmem-helper-remove-errant-put-in-error-path.patch +hid-usbhid-add-always_poll-quirk-for-some-mice.patch +hid-hid-lg4ff-add-check-for-empty-lbuf.patch +hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch