From: Greg Kroah-Hartman Date: Thu, 29 Aug 2024 16:26:43 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v4.19.321~79 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=43dfc78c9bf10bc631e9eda326b5e86430e01fde;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: alsa-seq-skip-event-type-filtering-for-ump-events.patch btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch btrfs-run-delayed-iputs-when-flushing-delalloc.patch loongarch-remove-the-unused-dma-direct.h.patch pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch series smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch --- diff --git a/queue-6.6/alsa-seq-skip-event-type-filtering-for-ump-events.patch b/queue-6.6/alsa-seq-skip-event-type-filtering-for-ump-events.patch new file mode 100644 index 00000000000..43b0b19a3c0 --- /dev/null +++ b/queue-6.6/alsa-seq-skip-event-type-filtering-for-ump-events.patch 
@@ -0,0 +1,34 @@ +From 32108c22ac619c32dd6db594319e259b63bfb387 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 19 Aug 2024 10:41:53 +0200 +Subject: ALSA: seq: Skip event type filtering for UMP events + +From: Takashi Iwai + +commit 32108c22ac619c32dd6db594319e259b63bfb387 upstream. + +UMP events don't use the event type field, hence it's invalid to apply +the filter, which may drop the events unexpectedly. +Skip the event filtering for UMP events, instead. + +Fixes: 46397622a3fa ("ALSA: seq: Add UMP support") +Cc: +Link: https://patch.msgid.link/20240819084156.10286-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/seq/seq_clientmgr.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -537,6 +537,9 @@ static struct snd_seq_client *get_event_ + return NULL; + if (! dest->accept_input) + goto __not_avail; ++ if (snd_seq_ev_is_ump(event)) ++ return dest; /* ok - no filter checks */ ++ + if ((dest->filter & SNDRV_SEQ_FILTER_USE_EVENT) && + ! test_bit(event->type, dest->event_filter)) + goto __not_avail; diff --git a/queue-6.6/btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch b/queue-6.6/btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch new file mode 100644 index 00000000000..299ee1071f6 --- /dev/null +++ b/queue-6.6/btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch 
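Review bot: the early `return dest;` for UMP events bypasses every check that follows it in get_event_dest_client(), not only the SNDRV_SEQ_FILTER_USE_EVENT test visible in the context, and the hunk is cut off three lines after the new code; confirm that nothing further down the function should still apply to UMP events, and extend the `/* ok - no filter checks */` comment to say which checks are intentionally skipped. Placing the check after the `dest->accept_input` test is right: a UMP event must still be refused by a client that does not accept input, and the message's point that `event->type` carries no meaning for UMP explains why `test_bit(event->type, dest->event_filter)` could drop them at random.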
@@ -0,0 +1,200 @@ +From 10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Sat, 17 Aug 2024 18:34:30 +0930 +Subject: btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk() + +From: Qu Wenruo + +commit 10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10 upstream. + +[BUG] +There is an internal report that KASAN is reporting use-after-free, with +the following backtrace: + + BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs] + Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45 + CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 + Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] + Call Trace: + dump_stack_lvl+0x61/0x80 + print_address_description.constprop.0+0x5e/0x2f0 + print_report+0x118/0x216 + kasan_report+0x11d/0x1f0 + btrfs_check_read_bio+0xa68/0xb70 [btrfs] + process_one_work+0xce0/0x12a0 + worker_thread+0x717/0x1250 + kthread+0x2e3/0x3c0 + ret_from_fork+0x2d/0x70 + ret_from_fork_asm+0x11/0x20 + + Allocated by task 20917: + kasan_save_stack+0x37/0x60 + kasan_save_track+0x10/0x30 + __kasan_slab_alloc+0x7d/0x80 + kmem_cache_alloc_noprof+0x16e/0x3e0 + mempool_alloc_noprof+0x12e/0x310 + bio_alloc_bioset+0x3f0/0x7a0 + btrfs_bio_alloc+0x2e/0x50 [btrfs] + submit_extent_page+0x4d1/0xdb0 [btrfs] + btrfs_do_readpage+0x8b4/0x12a0 [btrfs] + btrfs_readahead+0x29a/0x430 [btrfs] + read_pages+0x1a7/0xc60 + page_cache_ra_unbounded+0x2ad/0x560 + filemap_get_pages+0x629/0xa20 + filemap_read+0x335/0xbf0 + vfs_read+0x790/0xcb0 + ksys_read+0xfd/0x1d0 + do_syscall_64+0x6d/0x140 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + + Freed by task 20917: + kasan_save_stack+0x37/0x60 + kasan_save_track+0x10/0x30 + kasan_save_free_info+0x37/0x50 + __kasan_slab_free+0x4b/0x60 + kmem_cache_free+0x214/0x5d0 + bio_free+0xed/0x180 + 
end_bbio_data_read+0x1cc/0x580 [btrfs] + btrfs_submit_chunk+0x98d/0x1880 [btrfs] + btrfs_submit_bio+0x33/0x70 [btrfs] + submit_one_bio+0xd4/0x130 [btrfs] + submit_extent_page+0x3ea/0xdb0 [btrfs] + btrfs_do_readpage+0x8b4/0x12a0 [btrfs] + btrfs_readahead+0x29a/0x430 [btrfs] + read_pages+0x1a7/0xc60 + page_cache_ra_unbounded+0x2ad/0x560 + filemap_get_pages+0x629/0xa20 + filemap_read+0x335/0xbf0 + vfs_read+0x790/0xcb0 + ksys_read+0xfd/0x1d0 + do_syscall_64+0x6d/0x140 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +[CAUSE] +Although I cannot reproduce the error, the report itself is good enough +to pin down the cause. + +The call trace is the regular endio workqueue context, but the +free-by-task trace is showing that during btrfs_submit_chunk() we +already hit a critical error, and is calling btrfs_bio_end_io() to error +out. And the original endio function called bio_put() to free the whole +bio. + +This means a double freeing thus causing use-after-free, e.g.: + +1. Enter btrfs_submit_bio() with a read bio + The read bio length is 128K, crossing two 64K stripes. + +2. The first run of btrfs_submit_chunk() + +2.1 Call btrfs_map_block(), which returns 64K +2.2 Call btrfs_split_bio() + Now there are two bios, one referring to the first 64K, the other + referring to the second 64K. +2.3 The first half is submitted. + +3. The second run of btrfs_submit_chunk() + +3.1 Call btrfs_map_block(), which by somehow failed + Now we call btrfs_bio_end_io() to handle the error + +3.2 btrfs_bio_end_io() calls the original endio function + Which is end_bbio_data_read(), and it calls bio_put() for the + original bio. + + Now the original bio is freed. + +4. The submitted first 64K bio finished + Now we call into btrfs_check_read_bio() and tries to advance the bio + iter. + But since the original bio (thus its iter) is already freed, we + trigger the above use-after free. 
+ + And even if the memory is not poisoned/corrupted, we will later call + the original endio function, causing a double freeing. + +[FIX] +Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(), +which has the extra check on split bios and do the proper refcounting +for cloned bios. + +Furthermore there is already one extra btrfs_cleanup_bio() call, but +that is duplicated to btrfs_orig_bbio_end_io() call, so remove that +label completely. + +Reported-by: David Sterba +Fixes: 852eee62d31a ("btrfs: allow btrfs_submit_bio to split bios") +CC: stable@vger.kernel.org # 6.6+ +Reviewed-by: Josef Bacik +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/bio.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/bio.c ++++ b/fs/btrfs/bio.c +@@ -646,7 +646,6 @@ static bool btrfs_submit_chunk(struct bt + { + struct btrfs_inode *inode = bbio->inode; + struct btrfs_fs_info *fs_info = bbio->fs_info; +- struct btrfs_bio *orig_bbio = bbio; + struct bio *bio = &bbio->bio; + u64 logical = bio->bi_iter.bi_sector << SECTOR_SHIFT; + u64 length = bio->bi_iter.bi_size; +@@ -682,7 +681,7 @@ static bool btrfs_submit_chunk(struct bt + bbio->saved_iter = bio->bi_iter; + ret = btrfs_lookup_bio_sums(bbio); + if (ret) +- goto fail_put_bio; ++ goto fail; + } + + if (btrfs_op(bio) == BTRFS_MAP_WRITE) { +@@ -704,13 +703,13 @@ static bool btrfs_submit_chunk(struct bt + + ret = btrfs_bio_csum(bbio); + if (ret) +- goto fail_put_bio; ++ goto fail; + } else if (use_append || + (btrfs_is_zoned(fs_info) && inode && + inode->flags & BTRFS_INODE_NODATASUM)) { + ret = btrfs_alloc_dummy_sum(bbio); + if (ret) +- goto fail_put_bio; ++ goto fail; + } + } + +@@ -718,12 +717,23 @@ static bool btrfs_submit_chunk(struct bt + done: + return map_length == length; + +-fail_put_bio: +- if (map_length < length) +- btrfs_cleanup_bio(bbio); + fail: + 
btrfs_bio_counter_dec(fs_info); +- btrfs_bio_end_io(orig_bbio, ret); ++ /* ++ * We have split the original bbio, now we have to end both the current ++ * @bbio and remaining one, as the remaining one will never be submitted. ++ */ ++ if (map_length < length) { ++ struct btrfs_bio *remaining = bbio->private; ++ ++ ASSERT(bbio->bio.bi_pool == &btrfs_clone_bioset); ++ ASSERT(remaining); ++ ++ remaining->bio.bi_status = ret; ++ btrfs_orig_bbio_end_io(remaining); ++ } ++ bbio->bio.bi_status = ret; ++ btrfs_orig_bbio_end_io(bbio); + /* Do not submit another chunk */ + return true; + } diff --git a/queue-6.6/btrfs-run-delayed-iputs-when-flushing-delalloc.patch b/queue-6.6/btrfs-run-delayed-iputs-when-flushing-delalloc.patch new file mode 100644 index 00000000000..d72a1635943 --- /dev/null +++ b/queue-6.6/btrfs-run-delayed-iputs-when-flushing-delalloc.patch 
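Review bot: in the new `fail:` path the split case dereferences `remaining = bbio->private` guarded only by ASSERT(), which compiles out on non-debug builds, so a NULL private pointer would become a NULL dereference at `remaining->bio.bi_status = ret;` rather than a clean error; the commit message says the split path always sets it, so either a one-line comment at the `if (map_length < length)` branch stating that invariant or a defensive `if (remaining)` would make the reliance visible to the next reader. The substance of the change matches the analysis above: the removed `btrfs_bio_end_io(orig_bbio, ret)` ended the original bio directly while the already-submitted first half could still advance its iterator, which is the KASAN slab-use-after-free in btrfs_check_read_bio() quoted in the message, whereas ending both halves through btrfs_orig_bbio_end_io() leaves one completion per original bio. Note that dropping the `fail_put_bio` label also drops the explicit btrfs_cleanup_bio() call, so that cleanup now depends entirely on btrfs_orig_bbio_end_io() doing it for split bios, as the message states.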
@@ -0,0 +1,45 @@ +From 2d3447261031503b181dacc549fe65ffe2d93d65 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 21 Aug 2024 15:53:18 -0400 +Subject: btrfs: run delayed iputs when flushing delalloc + +From: Josef Bacik + +commit 2d3447261031503b181dacc549fe65ffe2d93d65 upstream. + +We have transient failures with btrfs/301, specifically in the part +where we do + + for i in $(seq 0 10); do + write 50m to file + rm -f file + done + +Sometimes this will result in a transient quota error, and it's because +sometimes we start writeback on the file which results in a delayed +iput, and thus the rm doesn't actually clean the file up. When we're +flushing the quota space we need to run the delayed iputs to make sure +all the unlinks that we think have completed have actually completed. +This removes the small window where we could fail to find enough space +in our quota. + +CC: stable@vger.kernel.org # 5.15+ +Reviewed-by: Qu Wenruo +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -3762,6 +3762,8 @@ static int try_flush_qgroup(struct btrfs + return 0; + } + ++ btrfs_run_delayed_iputs(root->fs_info); ++ btrfs_wait_on_delayed_iputs(root->fs_info); + ret = btrfs_start_delalloc_snapshot(root, true); + if (ret < 0) + goto out; diff --git a/queue-6.6/loongarch-remove-the-unused-dma-direct.h.patch b/queue-6.6/loongarch-remove-the-unused-dma-direct.h.patch new file mode 100644 index 00000000000..d887411168a --- /dev/null +++ b/queue-6.6/loongarch-remove-the-unused-dma-direct.h.patch 
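Review bot: the return value of btrfs_wait_on_delayed_iputs() is discarded at the new line; if that wait can fail or be interrupted, try_flush_qgroup() goes on to btrfs_start_delalloc_snapshot() with delayed iputs still pending, which is the window the patch is meant to close. Consider `ret = btrfs_wait_on_delayed_iputs(root->fs_info); if (ret) goto out;` or a comment stating why ignoring the result is acceptable here. The placement after the early `return 0;` is sensible, since the wait is only worth paying when a flush is actually going to happen.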
@@ -0,0 +1,40 @@ +From 58aec91efb93338d1cc7acc0a93242613a2a4e5f Mon Sep 17 00:00:00 2001 +From: Miao Wang +Date: Sun, 25 Aug 2024 22:17:39 +0800 +Subject: LoongArch: Remove the unused dma-direct.h + +From: Miao Wang + +commit 58aec91efb93338d1cc7acc0a93242613a2a4e5f upstream. + +dma-direct.h is introduced in commit d4b6f1562a3c3284 ("LoongArch: Add +Non-Uniform Memory Access (NUMA) support"). In commit c78c43fe7d42524c +("LoongArch: Use acpi_arch_dma_setup() and remove ARCH_HAS_PHYS_TO_DMA"), +ARCH_HAS_PHYS_TO_DMA was deselected and the coresponding phys_to_dma()/ +dma_to_phys() functions were removed. However, the unused dma-direct.h +was left behind, which is removed by this patch. + +Cc: +Fixes: c78c43fe7d42 ("LoongArch: Use acpi_arch_dma_setup() and remove ARCH_HAS_PHYS_TO_DMA") +Signed-off-by: Miao Wang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/dma-direct.h | 11 ----------- + 1 file changed, 11 deletions(-) + delete mode 100644 arch/loongarch/include/asm/dma-direct.h + +--- a/arch/loongarch/include/asm/dma-direct.h ++++ /dev/null +@@ -1,11 +0,0 @@ +-/* SPDX-License-Identifier: GPL-2.0 */ +-/* +- * Copyright (C) 2020-2022 Loongson Technology Corporation Limited +- */ +-#ifndef _LOONGARCH_DMA_DIRECT_H +-#define _LOONGARCH_DMA_DIRECT_H +- +-dma_addr_t phys_to_dma(struct device *dev, phys_addr_t paddr); +-phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr); +- +-#endif /* _LOONGARCH_DMA_DIRECT_H */ diff --git a/queue-6.6/pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch b/queue-6.6/pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch new file mode 100644 index 00000000000..d85ba4a34d4 --- /dev/null +++ b/queue-6.6/pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch 
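Review bot: the diffstat shows only the header deletion, so the patch relies on there being no remaining `#include <asm/dma-direct.h>` and no caller of phys_to_dma()/dma_to_phys() anywhere under arch/loongarch; a build of the affected configurations is the check that confirms that, and the commit message should say it was done. Minor: "coresponding" in the message should read "corresponding".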
@@ -0,0 +1,52 @@ +From 128f71fe014fc91efa1407ce549f94a9a9f1072c Mon Sep 17 00:00:00 2001 +From: Huang-Huang Bao +Date: Tue, 9 Jul 2024 18:54:28 +0800 +Subject: pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins + +From: Huang-Huang Bao + +commit 128f71fe014fc91efa1407ce549f94a9a9f1072c upstream. + +The base iomux offsets for each GPIO pin line are accumulatively +calculated based off iomux width flag in rockchip_pinctrl_get_soc_data. +If the iomux width flag is one of IOMUX_WIDTH_4BIT, IOMUX_WIDTH_3BIT or +IOMUX_WIDTH_2BIT, the base offset for next pin line would increase by 8 +bytes, otherwise it would increase by 4 bytes. + +Despite most of GPIO2-B iomux have 2-bit data width, which can be fit +into 4 bytes space with write mask, it actually take 8 bytes width for +whole GPIO2-B line. + +Commit e8448a6c817c ("pinctrl: rockchip: fix pinmux bits for RK3328 +GPIO2-B pins") wrongly set iomux width flag to 0, causing all base +iomux offset for line after GPIO2-B to be calculated wrong. Fix the +iomux width flag to IOMUX_WIDTH_2BIT so the offset after GPIO2-B is +correctly increased by 8, matching the actual width of GPIO2-B iomux. 
+ +Fixes: e8448a6c817c ("pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins") +Cc: stable@vger.kernel.org +Reported-by: Richard Kojedzinszky +Closes: https://lore.kernel.org/linux-rockchip/4f29b743202397d60edfb3c725537415@kojedz.in/ +Tested-by: Richard Kojedzinszky +Signed-off-by: Huang-Huang Bao +Reviewed-by: Heiko Stuebner +Tested-by: Daniel Golle +Tested-by: Trevor Woerner +Link: https://lore.kernel.org/20240709105428.1176375-1-i@eh5.me +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-rockchip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -3802,7 +3802,7 @@ static struct rockchip_pin_bank rk3328_p + PIN_BANK_IOMUX_FLAGS(0, 32, "gpio0", 0, 0, 0, 0), + PIN_BANK_IOMUX_FLAGS(1, 32, "gpio1", 0, 0, 0, 0), + PIN_BANK_IOMUX_FLAGS(2, 32, "gpio2", 0, +- 0, ++ IOMUX_WIDTH_2BIT, + IOMUX_WIDTH_3BIT, + 0), + PIN_BANK_IOMUX_FLAGS(3, 32, "gpio3", diff --git a/queue-6.6/pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch b/queue-6.6/pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch new file mode 100644 index 00000000000..58127154a19 --- /dev/null +++ b/queue-6.6/pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch 
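Review bot: the one-line change sets IOMUX_WIDTH_2BIT for GPIO2-B mainly for its side effect on offset accounting (the message explains that any of the 2/3/4-bit width flags advances the next bank's base by 8 bytes instead of 4), but the same flag also tells the driver how wide a mux field to write; since the message says only "most of" GPIO2-B iomux are 2 bits wide, confirm that the remaining pins in that line are covered by per-pin tables rather than being written with a 2-bit mask. A short comment at the `IOMUX_WIDTH_2BIT,` entry noting that the whole GPIO2-B line occupies 8 bytes would keep a future cleanup from "correcting" it back to 0, which is exactly what the Fixes: commit did.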
@@ -0,0 +1,36 @@ +From 1c38a62f15e595346a1106025722869e87ffe044 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Thu, 8 Aug 2024 12:13:55 +0800 +Subject: pinctrl: single: fix potential NULL dereference in pcs_get_function() + +From: Ma Ke + +commit 1c38a62f15e595346a1106025722869e87ffe044 upstream. + +pinmux_generic_get_function() can return NULL and the pointer 'function' +was dereferenced without checking against NULL. Add checking of pointer +'function' in pcs_get_function(). + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 571aec4df5b7 ("pinctrl: single: Use generic pinmux helpers for managing functions") +Signed-off-by: Ma Ke +Link: https://lore.kernel.org/20240808041355.2766009-1-make24@iscas.ac.cn +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-single.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -349,6 +349,8 @@ static int pcs_get_function(struct pinct + return -ENOTSUPP; + fselector = setting->func; + function = pinmux_generic_get_function(pctldev, fselector); ++ if (!function) ++ return -EINVAL; + *func = function->data; + if (!(*func)) { + dev_err(pcs->dev, "%s could not find function%i\n", diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 00000000000..c66b4a65023 --- /dev/null +++ b/queue-6.6/series @@ -0,0 +1,7 @@ +alsa-seq-skip-event-type-filtering-for-ump-events.patch +loongarch-remove-the-unused-dma-direct.h.patch +btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch +btrfs-run-delayed-iputs-when-flushing-delalloc.patch +smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch +pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch +pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch 
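Review bot: the new NULL check returns -EINVAL silently while the check immediately after it (`if (!(*func))`) reports through dev_err(); for consistency, and because a NULL from pinmux_generic_get_function() for a selector taken from `setting->func` points at a bad or out-of-range selector that is worth logging, consider a dev_err() on this path as well. The fix itself is correct: `function->data` was dereferenced unconditionally before, and -EINVAL is a reasonable choice given the earlier `return -ENOTSUPP;` is reserved for a different condition.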
diff --git a/queue-6.6/smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch b/queue-6.6/smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch new file mode 100644 index 00000000000..e9b6c731fa5 --- /dev/null +++ b/queue-6.6/smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch @@ -0,0 +1,33 @@ +From c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 21 Aug 2024 17:18:23 +0200 +Subject: smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() + +From: Stefan Metzmacher + +commit c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf upstream. + +This happens when called from SMB2_read() while using rdma +and reaching the rdma_readwrite_threshold. + +Cc: stable@vger.kernel.org +Fixes: a6559cc1d35d ("cifs: split out smb3_use_rdma_offload() helper") +Reviewed-by: David Howells +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -4431,7 +4431,7 @@ smb2_new_read_req(void **buf, unsigned i + * If we want to do a RDMA write, fill in and append + * smbd_buffer_descriptor_v1 to the end of read request + */ +- if (smb3_use_rdma_offload(io_parms)) { ++ if (rdata && smb3_use_rdma_offload(io_parms)) { + struct smbd_buffer_descriptor_v1 *v1; + bool need_invalidate = server->dialect == SMB30_PROT_ID; +
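Review bot: guarding with `rdata &&` means a caller that passes rdata=NULL (the message names SMB2_read() over rdma_readwrite_threshold) silently falls back to a non-RDMA read request instead of the NULL dereference; confirm that fallback is the intended behaviour rather than an error return, and extend the comment block above the condition ("If we want to do a RDMA write, fill in and append smbd_buffer_descriptor_v1 ...") to state that RDMA offload requires an rdata context. Without that note, a reader of the condition alone cannot tell whether rdata being NULL is an expected path or a defensive check.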