From: Greg Kroah-Hartman Date: Mon, 18 Dec 2023 07:10:14 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.15.144~40 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1c28ce04319c88e1471a0c197a4a5a38c1a8df4a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: ext4-prevent-the-normalized-size-from-exceeding-ext_max_blocks.patch perf-fix-perf_event_validate_size-lockdep-splat.patch soundwire-stream-fix-null-pointer-dereference-for-multi_link.patch --- diff --git a/queue-5.10/ext4-prevent-the-normalized-size-from-exceeding-ext_max_blocks.patch b/queue-5.10/ext4-prevent-the-normalized-size-from-exceeding-ext_max_blocks.patch new file mode 100644 index 00000000000..7143e3116fa --- /dev/null +++ b/queue-5.10/ext4-prevent-the-normalized-size-from-exceeding-ext_max_blocks.patch @@ -0,0 +1,75 @@ +From 2dcf5fde6dffb312a4bfb8ef940cea2d1f402e32 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Mon, 27 Nov 2023 14:33:13 +0800 +Subject: ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS + +From: Baokun Li + +commit 2dcf5fde6dffb312a4bfb8ef940cea2d1f402e32 upstream. + +For files with logical blocks close to EXT_MAX_BLOCKS, the file size +predicted in ext4_mb_normalize_request() may exceed EXT_MAX_BLOCKS. +This can cause some blocks to be preallocated that will not be used. +And after [Fixes], the following issue may be triggered: + +========================================================= + kernel BUG at fs/ext4/mballoc.c:4653! + Internal error: Oops - BUG: 00000000f2000800 [#1] SMP + CPU: 1 PID: 2357 Comm: xfs_io 6.7.0-rc2-00195-g0f5cc96c367f + Hardware name: linux,dummy-virt (DT) + pc : ext4_mb_use_inode_pa+0x148/0x208 + lr : ext4_mb_use_inode_pa+0x98/0x208 + Call trace: + ext4_mb_use_inode_pa+0x148/0x208 + ext4_mb_new_inode_pa+0x240/0x4a8 + ext4_mb_use_best_found+0x1d4/0x208 + ext4_mb_try_best_found+0xc8/0x110 + ext4_mb_regular_allocator+0x11c/0xf48 + ext4_mb_new_blocks+0x790/0xaa8 + ext4_ext_map_blocks+0x7cc/0xd20 + ext4_map_blocks+0x170/0x600 + ext4_iomap_begin+0x1c0/0x348 +========================================================= + +Here is a calculation when adjusting ac_b_ex in ext4_mb_new_inode_pa(): + + ex.fe_logical = orig_goal_end - EXT4_C2B(sbi, ex.fe_len); + if (ac->ac_o_ex.fe_logical >= ex.fe_logical) + goto adjust_bex; + +The problem is that when orig_goal_end is subtracted from ac_b_ex.fe_len +it is still greater than EXT_MAX_BLOCKS, which causes ex.fe_logical to +overflow to a very small value, which ultimately triggers a BUG_ON in +ext4_mb_new_inode_pa() because pa->pa_free < len. + +The last logical block of an actual write request does not exceed +EXT_MAX_BLOCKS, so in ext4_mb_normalize_request() also avoids normalizing +the last logical block to exceed EXT_MAX_BLOCKS to avoid the above issue. + +The test case in [Link] can reproduce the above issue with 64k block size. + +Link: https://patchwork.kernel.org/project/fstests/list/?series=804003 +Cc: # 6.4 +Fixes: 93cdf49f6eca ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()") +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20231127063313.3734294-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -3603,6 +3603,10 @@ ext4_mb_normalize_request(struct ext4_al + start = max(start, rounddown(ac->ac_o_ex.fe_logical, + (ext4_lblk_t)EXT4_BLOCKS_PER_GROUP(ac->ac_sb))); + ++ /* avoid unnecessary preallocation that may trigger assertions */ ++ if (start + size > EXT_MAX_BLOCKS) ++ size = EXT_MAX_BLOCKS - start; ++ + /* don't cover already allocated blocks in selected range */ + if (ar->pleft && start <= ar->lleft) { + size -= ar->lleft + 1 - start; diff --git a/queue-5.10/perf-fix-perf_event_validate_size-lockdep-splat.patch b/queue-5.10/perf-fix-perf_event_validate_size-lockdep-splat.patch new file mode 100644 index 00000000000..aa2aff56cb9 --- /dev/null +++ b/queue-5.10/perf-fix-perf_event_validate_size-lockdep-splat.patch @@ -0,0 +1,58 @@ +From 7e2c1e4b34f07d9aa8937fab88359d4a0fce468e Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Fri, 15 Dec 2023 11:24:50 +0000 +Subject: perf: Fix perf_event_validate_size() lockdep splat + +From: Mark Rutland + +commit 7e2c1e4b34f07d9aa8937fab88359d4a0fce468e upstream. + +When lockdep is enabled, the for_each_sibling_event(sibling, event) +macro checks that event->ctx->mutex is held. When creating a new group +leader event, we call perf_event_validate_size() on a partially +initialized event where event->ctx is NULL, and so when +for_each_sibling_event() attempts to check event->ctx->mutex, we get a +splat, as reported by Lucas De Marchi: + + WARNING: CPU: 8 PID: 1471 at kernel/events/core.c:1950 __do_sys_perf_event_open+0xf37/0x1080 + +This only happens for a new event which is its own group_leader, and in +this case there cannot be any sibling events. Thus it's safe to skip the +check for siblings, which avoids having to make invasive and ugly +changes to for_each_sibling_event(). + +Avoid the splat by bailing out early when the new event is its own +group_leader. + +Fixes: 382c27f4ed28f803 ("perf: Fix perf_event_validate_size()") +Closes: https://lore.kernel.org/lkml/20231214000620.3081018-1-lucas.demarchi@intel.com/ +Closes: https://lore.kernel.org/lkml/ZXpm6gQ%2Fd59jGsuW@xpf.sh.intel.com/ +Reported-by: Lucas De Marchi +Reported-by: Pengfei Xu +Signed-off-by: Mark Rutland +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20231215112450.3972309-1-mark.rutland@arm.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -2039,6 +2039,16 @@ static bool perf_event_validate_size(str + group_leader->nr_siblings + 1) > 16*1024) + return false; + ++ /* ++ * When creating a new group leader, group_leader->ctx is initialized ++ * after the size has been validated, but we cannot safely use ++ * for_each_sibling_event() until group_leader->ctx is set. A new group ++ * leader cannot have any siblings yet, so we can safely skip checking ++ * the non-existent siblings. ++ */ ++ if (event == group_leader) ++ return true; ++ + for_each_sibling_event(sibling, group_leader) { + if (__perf_event_read_size(sibling->attr.read_format, + group_leader->nr_siblings + 1) > 16*1024) diff --git a/queue-5.10/series b/queue-5.10/series index 7eabc353d32..8766f43441e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -54,3 +54,6 @@ hid-multitouch-add-quirk-for-honor-glo-gxxx-touchpad.patch asm-generic-qspinlock-fix-queued_spin_value_unlocked.patch net-usb-qmi_wwan-claim-interface-4-for-zte-mf290.patch hid-hid-asus-add-const-to-read-only-outgoing-usb-buf.patch +perf-fix-perf_event_validate_size-lockdep-splat.patch +soundwire-stream-fix-null-pointer-dereference-for-multi_link.patch +ext4-prevent-the-normalized-size-from-exceeding-ext_max_blocks.patch diff --git a/queue-5.10/soundwire-stream-fix-null-pointer-dereference-for-multi_link.patch b/queue-5.10/soundwire-stream-fix-null-pointer-dereference-for-multi_link.patch new file mode 100644 index 00000000000..06e16a8122f --- /dev/null +++ b/queue-5.10/soundwire-stream-fix-null-pointer-dereference-for-multi_link.patch @@ -0,0 +1,76 @@ +From e199bf52ffda8f98f129728d57244a9cd9ad5623 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 24 Nov 2023 19:01:36 +0100 +Subject: soundwire: stream: fix NULL pointer dereference for multi_link + +From: Krzysztof Kozlowski + +commit e199bf52ffda8f98f129728d57244a9cd9ad5623 upstream. + +If bus is marked as multi_link, but number of masters in the stream is +not higher than bus->hw_sync_min_links (bus->multi_link && m_rt_count >= +bus->hw_sync_min_links), bank switching should not happen. The first +part of do_bank_switch() code properly takes these conditions into +account, but second part (sdw_ml_sync_bank_switch()) relies purely on +bus->multi_link property. This is not balanced and leads to NULL +pointer dereference: + + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + ... + Call trace: + wait_for_completion_timeout+0x124/0x1f0 + do_bank_switch+0x370/0x6f8 + sdw_prepare_stream+0x2d0/0x438 + qcom_snd_sdw_prepare+0xa0/0x118 + sm8450_snd_prepare+0x128/0x148 + snd_soc_link_prepare+0x5c/0xe8 + __soc_pcm_prepare+0x28/0x1ec + dpcm_be_dai_prepare+0x1e0/0x2c0 + dpcm_fe_dai_prepare+0x108/0x28c + snd_pcm_do_prepare+0x44/0x68 + snd_pcm_action_single+0x54/0xc0 + snd_pcm_action_nonatomic+0xe4/0xec + snd_pcm_prepare+0xc4/0x114 + snd_pcm_common_ioctl+0x1154/0x1cc0 + snd_pcm_ioctl+0x54/0x74 + +Fixes: ce6e74d008ff ("soundwire: Add support for multi link bank switch") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20231124180136.390621-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soundwire/stream.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/soundwire/stream.c ++++ b/drivers/soundwire/stream.c +@@ -724,14 +724,15 @@ error_1: + * sdw_ml_sync_bank_switch: Multilink register bank switch + * + * @bus: SDW bus instance ++ * @multi_link: whether this is a multi-link stream with hardware-based sync + * + * Caller function should free the buffers on error + */ +-static int sdw_ml_sync_bank_switch(struct sdw_bus *bus) ++static int sdw_ml_sync_bank_switch(struct sdw_bus *bus, bool multi_link) + { + unsigned long time_left; + +- if (!bus->multi_link) ++ if (!multi_link) + return 0; + + /* Wait for completion of transfer */ +@@ -827,7 +828,7 @@ static int do_bank_switch(struct sdw_str + bus->bank_switch_timeout = DEFAULT_BANK_SWITCH_TIMEOUT; + + /* Check if bank switch was successful */ +- ret = sdw_ml_sync_bank_switch(bus); ++ ret = sdw_ml_sync_bank_switch(bus, multi_link); + if (ret < 0) { + dev_err(bus->dev, + "multi link bank switch failed: %d\n", ret);