From: Greg Kroah-Hartman Date: Mon, 8 Jul 2024 13:05:54 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.6.38~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=482b6844b2221820f766860d9eb94f379a9297c3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch bpf-sockmap-fix-sk-sk_forward_alloc-warn_on-in-sk_stream_kill_queues.patch drm-amdgpu-atomfirmware-silence-ubsan-warning.patch drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch ima-avoid-blocking-in-rcu-read-side-critical-section.patch mtd-rawnand-bypass-a-couple-of-sanity-checks-during-nand-identification.patch revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch --- diff --git a/queue-5.10/bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch b/queue-5.10/bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch new file mode 100644 index 00000000000..0a7d28b95ad --- /dev/null +++ b/queue-5.10/bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch @@ -0,0 +1,185 @@ +From 134061163ee5ca4759de5c24ca3bd71608891ba7 Mon Sep 17 00:00:00 2001 +From: Ghadi Elie Rahme +Date: Thu, 27 Jun 2024 14:14:05 +0300 +Subject: bnx2x: Fix multiple UBSAN array-index-out-of-bounds + +From: Ghadi Elie Rahme + +commit 134061163ee5ca4759de5c24ca3bd71608891ba7 upstream. + +Fix UBSAN warnings that occur when using a system with 32 physical +cpu cores or more, or when the user defines a number of Ethernet +queues greater than or equal to FP_SB_MAX_E1x using the num_queues +module parameter. + +Currently there is a read/write out of bounds that occurs on the array +"struct stats_query_entry query" present inside the "bnx2x_fw_stats_req" +struct in "drivers/net/ethernet/broadcom/bnx2x/bnx2x.h". +Looking at the definition of the "struct stats_query_entry query" array: + +struct stats_query_entry query[FP_SB_MAX_E1x+ + BNX2X_FIRST_QUEUE_QUERY_IDX]; + +FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and +has a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3 +meaning the array has a total size of 19. +Since accesses to "struct stats_query_entry query" are offset-ted by +BNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet +queues should not exceed FP_SB_MAX_E1x (16). However one of these queues +is reserved for FCOE and thus the number of Ethernet queues should be set +to [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if +it is not. + +This is also described in a comment in the source code in +drivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition +of FP_SB_MAX_E1x. Below is the part of this explanation that it important +for this patch + +/* + * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is + * control by the number of fast-path status blocks supported by the + * device (HW/FW). Each fast-path status block (FP-SB) aka non-default + * status block represents an independent interrupts context that can + * serve a regular L2 networking queue. However special L2 queues such + * as the FCoE queue do not require a FP-SB and other components like + * the CNIC may consume FP-SB reducing the number of possible L2 queues + * + * If the maximum number of FP-SB available is X then: + * a. If CNIC is supported it consumes 1 FP-SB thus the max number of + * regular L2 queues is Y=X-1 + * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor) + * c. If the FCoE L2 queue is supported the actual number of L2 queues + * is Y+1 + * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for + * slow-path interrupts) or Y+2 if CNIC is supported (one additional + * FP interrupt context for the CNIC). + * e. The number of HW context (CID count) is always X or X+1 if FCoE + * L2 queue is supported. The cid for the FCoE L2 queue is always X. + */ + +However this driver also supports NICs that use the E2 controller which can +handle more queues due to having more FP-SB represented by FP_SB_MAX_E2. +Looking at the commits when the E2 support was added, it was originally +using the E1x parameters: commit f2e0899f0f27 ("bnx2x: Add 57712 support"). +Back then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver +was later updated to take full advantage of the E2 instead of having it be +limited to the capabilities of the E1x. But as far as we can tell, the +array "stats_query_entry query" was still limited to using the FP-SB +available to the E1x cards as part of an oversignt when the driver was +updated to take full advantage of the E2, and now with the driver being +aware of the greater queue size supported by E2 NICs, it causes the UBSAN +warnings seen in the stack traces below. + +This patch increases the size of the "stats_query_entry query" array by +replacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle +both types of NICs. + +Stack traces: + +UBSAN: array-index-out-of-bounds in + drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11 +index 20 is out of range for type 'stats_query_entry [19]' +CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic + #202405052133 +Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, + BIOS P89 10/21/2019 +Call Trace: + + dump_stack_lvl+0x76/0xa0 + dump_stack+0x10/0x20 + __ubsan_handle_out_of_bounds+0xcb/0x110 + bnx2x_prep_fw_stats_req+0x2e1/0x310 [bnx2x] + bnx2x_stats_init+0x156/0x320 [bnx2x] + bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x] + bnx2x_nic_load+0x8e8/0x19e0 [bnx2x] + bnx2x_open+0x16b/0x290 [bnx2x] + __dev_open+0x10e/0x1d0 +RIP: 0033:0x736223927a0a +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca + 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 + f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a +RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003 +RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0 +R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00 + +---[ end trace ]--- +------------[ cut here ]------------ +UBSAN: array-index-out-of-bounds in + drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11 +index 28 is out of range for type 'stats_query_entry [19]' +CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic + #202405052133 +Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, + BIOS P89 10/21/2019 +Call Trace: + +dump_stack_lvl+0x76/0xa0 +dump_stack+0x10/0x20 +__ubsan_handle_out_of_bounds+0xcb/0x110 +bnx2x_prep_fw_stats_req+0x2fd/0x310 [bnx2x] +bnx2x_stats_init+0x156/0x320 [bnx2x] +bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x] +bnx2x_nic_load+0x8e8/0x19e0 [bnx2x] +bnx2x_open+0x16b/0x290 [bnx2x] +__dev_open+0x10e/0x1d0 +RIP: 0033:0x736223927a0a +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca + 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 + f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a +RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003 +RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0 +R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00 + +---[ end trace ]--- +------------[ cut here ]------------ +UBSAN: array-index-out-of-bounds in + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8 +index 29 is out of range for type 'stats_query_entry [19]' +CPU: 13 PID: 163 Comm: kworker/u96:1 Not tainted 6.9.0-060900rc7-generic + #202405052133 +Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, + BIOS P89 10/21/2019 +Workqueue: bnx2x bnx2x_sp_task [bnx2x] +Call Trace: + + dump_stack_lvl+0x76/0xa0 + dump_stack+0x10/0x20 + __ubsan_handle_out_of_bounds+0xcb/0x110 + bnx2x_iov_adjust_stats_req+0x3c4/0x3d0 [bnx2x] + bnx2x_storm_stats_post.part.0+0x4a/0x330 [bnx2x] + ? bnx2x_hw_stats_post+0x231/0x250 [bnx2x] + bnx2x_stats_start+0x44/0x70 [bnx2x] + bnx2x_stats_handle+0x149/0x350 [bnx2x] + bnx2x_attn_int_asserted+0x998/0x9b0 [bnx2x] + bnx2x_sp_task+0x491/0x5c0 [bnx2x] + process_one_work+0x18d/0x3f0 + +---[ end trace ]--- + +Fixes: 50f0a562f8cc ("bnx2x: add fcoe statistics") +Signed-off-by: Ghadi Elie Rahme +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20240627111405.1037812-1-ghadi.rahme@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h +@@ -1262,7 +1262,7 @@ enum { + + struct bnx2x_fw_stats_req { + struct stats_query_header hdr; +- struct stats_query_entry query[FP_SB_MAX_E1x+ ++ struct stats_query_entry query[FP_SB_MAX_E2 + + BNX2X_FIRST_QUEUE_QUERY_IDX]; + }; + diff --git a/queue-5.10/bpf-sockmap-fix-sk-sk_forward_alloc-warn_on-in-sk_stream_kill_queues.patch b/queue-5.10/bpf-sockmap-fix-sk-sk_forward_alloc-warn_on-in-sk_stream_kill_queues.patch new file mode 100644 index 00000000000..7e50649633d --- /dev/null +++ b/queue-5.10/bpf-sockmap-fix-sk-sk_forward_alloc-warn_on-in-sk_stream_kill_queues.patch @@ -0,0 +1,124 @@ +From d8616ee2affcff37c5d315310da557a694a3303d Mon Sep 17 00:00:00 2001 +From: Wang Yufen +Date: Tue, 24 May 2022 15:53:11 +0800 +Subject: bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues + +From: Wang Yufen + +commit d8616ee2affcff37c5d315310da557a694a3303d upstream. + +During TCP sockmap redirect pressure test, the following warning is triggered: + +WARNING: CPU: 3 PID: 2145 at net/core/stream.c:205 sk_stream_kill_queues+0xbc/0xd0 +CPU: 3 PID: 2145 Comm: iperf Kdump: loaded Tainted: G W 5.10.0+ #9 +Call Trace: + inet_csk_destroy_sock+0x55/0x110 + inet_csk_listen_stop+0xbb/0x380 + tcp_close+0x41b/0x480 + inet_release+0x42/0x80 + __sock_release+0x3d/0xa0 + sock_close+0x11/0x20 + __fput+0x9d/0x240 + task_work_run+0x62/0x90 + exit_to_user_mode_prepare+0x110/0x120 + syscall_exit_to_user_mode+0x27/0x190 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The reason we observed is that: + +When the listener is closing, a connection may have completed the three-way +handshake but not accepted, and the client has sent some packets. The child +sks in accept queue release by inet_child_forget()->inet_csk_destroy_sock(), +but psocks of child sks have not released. + +To fix, add sock_map_destroy to release psocks. + +Signed-off-by: Wang Yufen +Signed-off-by: Daniel Borkmann +Signed-off-by: Andrii Nakryiko +Acked-by: Jakub Sitnicki +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20220524075311.649153-1-wangyufen@huawei.com +[ Conflict in include/linux/bpf.h due to function declaration position + and remove non-existed sk_psock_stop helper from sock_map_destroy. ] +Signed-off-by: Wen Gu +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/bpf.h | 1 + + include/linux/skmsg.h | 1 + + net/core/skmsg.c | 1 + + net/core/sock_map.c | 22 ++++++++++++++++++++++ + net/ipv4/tcp_bpf.c | 1 + + 5 files changed, 26 insertions(+) + +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -1800,6 +1800,7 @@ int sock_map_get_from_fd(const union bpf + int sock_map_prog_detach(const union bpf_attr *attr, enum bpf_prog_type ptype); + int sock_map_update_elem_sys(struct bpf_map *map, void *key, void *value, u64 flags); + void sock_map_unhash(struct sock *sk); ++void sock_map_destroy(struct sock *sk); + void sock_map_close(struct sock *sk, long timeout); + #else + static inline int sock_map_prog_update(struct bpf_map *map, +--- a/include/linux/skmsg.h ++++ b/include/linux/skmsg.h +@@ -98,6 +98,7 @@ struct sk_psock { + spinlock_t link_lock; + refcount_t refcnt; + void (*saved_unhash)(struct sock *sk); ++ void (*saved_destroy)(struct sock *sk); + void (*saved_close)(struct sock *sk, long timeout); + void (*saved_write_space)(struct sock *sk); + struct proto *sk_proto; +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -599,6 +599,7 @@ struct sk_psock *sk_psock_init(struct so + psock->eval = __SK_NONE; + psock->sk_proto = prot; + psock->saved_unhash = prot->unhash; ++ psock->saved_destroy = prot->destroy; + psock->saved_close = prot->close; + psock->saved_write_space = sk->sk_write_space; + +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -1566,6 +1566,28 @@ void sock_map_unhash(struct sock *sk) + saved_unhash(sk); + } + ++void sock_map_destroy(struct sock *sk) ++{ ++ void (*saved_destroy)(struct sock *sk); ++ struct sk_psock *psock; ++ ++ rcu_read_lock(); ++ psock = sk_psock_get(sk); ++ if (unlikely(!psock)) { ++ rcu_read_unlock(); ++ if (sk->sk_prot->destroy) ++ sk->sk_prot->destroy(sk); ++ return; ++ } ++ ++ saved_destroy = psock->saved_destroy; ++ sock_map_remove_links(sk, psock); ++ rcu_read_unlock(); ++ sk_psock_put(sk, psock); ++ saved_destroy(sk); ++} ++EXPORT_SYMBOL_GPL(sock_map_destroy); ++ + void sock_map_close(struct sock *sk, long timeout) + { + void (*saved_close)(struct sock *sk, long timeout); +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -582,6 +582,7 @@ static void tcp_bpf_rebuild_protos(struc + struct proto *base) + { + prot[TCP_BPF_BASE] = *base; ++ prot[TCP_BPF_BASE].destroy = sock_map_destroy; + prot[TCP_BPF_BASE].close = sock_map_close; + prot[TCP_BPF_BASE].recvmsg = tcp_bpf_recvmsg; + prot[TCP_BPF_BASE].stream_memory_read = tcp_bpf_stream_read; diff --git a/queue-5.10/drm-amdgpu-atomfirmware-silence-ubsan-warning.patch b/queue-5.10/drm-amdgpu-atomfirmware-silence-ubsan-warning.patch new file mode 100644 index 00000000000..6de6e8dfd4a --- /dev/null +++ b/queue-5.10/drm-amdgpu-atomfirmware-silence-ubsan-warning.patch @@ -0,0 +1,31 @@ +From d0417264437a8fa05f894cabba5a26715b32d78e Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 1 Jul 2024 12:50:10 -0400 +Subject: drm/amdgpu/atomfirmware: silence UBSAN warning + +From: Alex Deucher + +commit d0417264437a8fa05f894cabba5a26715b32d78e upstream. + +This is a variable sized array. + +Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/110420.html +Tested-by: Jeff Layton +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/include/atomfirmware.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/include/atomfirmware.h ++++ b/drivers/gpu/drm/amd/include/atomfirmware.h +@@ -690,7 +690,7 @@ struct atom_gpio_pin_lut_v2_1 + { + struct atom_common_table_header table_header; + /*the real number of this included in the structure is calcualted by using the (whole structure size - the header size)/size of atom_gpio_pin_lut */ +- struct atom_gpio_pin_assignment gpio_pin[8]; ++ struct atom_gpio_pin_assignment gpio_pin[]; + }; + + diff --git a/queue-5.10/drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch b/queue-5.10/drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch new file mode 100644 index 00000000000..35aff5946ff --- /dev/null +++ b/queue-5.10/drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch @@ -0,0 +1,35 @@ +From 80bec6825b19d95ccdfd3393cf8ec15ff2a749b4 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Thu, 27 Jun 2024 15:42:04 +0800 +Subject: drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes + +From: Ma Ke + +commit 80bec6825b19d95ccdfd3393cf8ec15ff2a749b4 upstream. + +In nouveau_connector_get_modes(), the return value of drm_mode_duplicate() +is assigned to mode, which will lead to a possible NULL pointer +dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. + +Cc: stable@vger.kernel.org +Fixes: 6ee738610f41 ("drm/nouveau: Add DRM driver for NVIDIA GPUs") +Signed-off-by: Ma Ke +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20240627074204.3023776-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -960,6 +960,9 @@ nouveau_connector_get_modes(struct drm_c + struct drm_display_mode *mode; + + mode = drm_mode_duplicate(dev, nv_connector->native_mode); ++ if (!mode) ++ return 0; ++ + drm_mode_probed_add(connector, mode); + ret = 1; + } diff --git a/queue-5.10/ima-avoid-blocking-in-rcu-read-side-critical-section.patch b/queue-5.10/ima-avoid-blocking-in-rcu-read-side-critical-section.patch new file mode 100644 index 00000000000..5a8cd392e92 --- /dev/null +++ b/queue-5.10/ima-avoid-blocking-in-rcu-read-side-critical-section.patch @@ -0,0 +1,341 @@ +From 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 Mon Sep 17 00:00:00 2001 +From: GUO Zihua +Date: Tue, 7 May 2024 01:25:41 +0000 +Subject: ima: Avoid blocking in RCU read-side critical section + +From: GUO Zihua + +commit 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 upstream. + +A panic happens in ima_match_policy: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 +PGD 42f873067 P4D 0 +Oops: 0000 [#1] SMP NOPTI +CPU: 5 PID: 1286325 Comm: kubeletmonit.sh +Kdump: loaded Tainted: P +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), + BIOS 0.0.0 02/06/2015 +RIP: 0010:ima_match_policy+0x84/0x450 +Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 + 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d + f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea + 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f +RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 +RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 +RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 +R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 +R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 +FS: 00007f5195b51740(0000) +GS:ff3e278b12d40000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ima_get_action+0x22/0x30 + process_measurement+0xb0/0x830 + ? page_add_file_rmap+0x15/0x170 + ? alloc_set_pte+0x269/0x4c0 + ? prep_new_page+0x81/0x140 + ? simple_xattr_get+0x75/0xa0 + ? selinux_file_open+0x9d/0xf0 + ima_file_check+0x64/0x90 + path_openat+0x571/0x1720 + do_filp_open+0x9b/0x110 + ? page_counter_try_charge+0x57/0xc0 + ? files_cgroup_alloc_fd+0x38/0x60 + ? __alloc_fd+0xd4/0x250 + ? do_sys_open+0x1bd/0x250 + do_sys_open+0x1bd/0x250 + do_syscall_64+0x5d/0x1d0 + entry_SYSCALL_64_after_hwframe+0x65/0xca + +Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by +ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a +RCU read-side critical section which contains kmalloc with GFP_KERNEL. +This implies a possible sleep and violates limitations of RCU read-side +critical sections on non-PREEMPT systems. + +Sleeping within RCU read-side critical section might cause +synchronize_rcu() returning early and break RCU protection, allowing a +UAF to happen. + +The root cause of this issue could be described as follows: +| Thread A | Thread B | +| |ima_match_policy | +| | rcu_read_lock | +|ima_lsm_update_rule | | +| synchronize_rcu | | +| | kmalloc(GFP_KERNEL)| +| | sleep | +==> synchronize_rcu returns early +| kfree(entry) | | +| | entry = entry->next| +==> UAF happens and entry now becomes NULL (or could be anything). +| | entry->action | +==> Accessing entry might cause panic. + +To fix this issue, we are converting all kmalloc that is called within +RCU read-side critical section to use GFP_ATOMIC. + +Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") +Cc: stable@vger.kernel.org +Signed-off-by: GUO Zihua +Acked-by: John Johansen +Reviewed-by: Mimi Zohar +Reviewed-by: Casey Schaufler +[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case] +Signed-off-by: Paul Moore +Signed-off-by: Roberto Sassu +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/lsm_hook_defs.h | 2 +- + include/linux/security.h | 5 +++-- + kernel/auditfilter.c | 5 +++-- + security/apparmor/audit.c | 6 +++--- + security/apparmor/include/audit.h | 2 +- + security/integrity/ima/ima.h | 2 +- + security/integrity/ima/ima_policy.c | 15 +++++++++------ + security/security.c | 6 ++++-- + security/selinux/include/audit.h | 4 +++- + security/selinux/ss/services.c | 5 +++-- + security/smack/smack_lsm.c | 4 +++- + 11 files changed, 34 insertions(+), 22 deletions(-) + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -370,7 +370,7 @@ LSM_HOOK(int, 0, key_getsecurity, struct + + #ifdef CONFIG_AUDIT + LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, +- void **lsmrule) ++ void **lsmrule, gfp_t gfp) + LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) + LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) + LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -1856,7 +1856,8 @@ static inline int security_key_getsecuri + + #ifdef CONFIG_AUDIT + #ifdef CONFIG_SECURITY +-int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); ++int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, ++ gfp_t gfp); + int security_audit_rule_known(struct audit_krule *krule); + int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); + void security_audit_rule_free(void *lsmrule); +@@ -1864,7 +1865,7 @@ void security_audit_rule_free(void *lsmr + #else + + static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr, +- void **lsmrule) ++ void **lsmrule, gfp_t gfp) + { + return 0; + } +--- a/kernel/auditfilter.c ++++ b/kernel/auditfilter.c +@@ -521,7 +521,8 @@ static struct audit_entry *audit_data_to + entry->rule.buflen += f_val; + f->lsm_str = str; + err = security_audit_rule_init(f->type, f->op, str, +- (void **)&f->lsm_rule); ++ (void **)&f->lsm_rule, ++ GFP_KERNEL); + /* Keep currently invalid fields around in case they + * become valid after a policy reload. */ + if (err == -EINVAL) { +@@ -790,7 +791,7 @@ static inline int audit_dupe_lsm_field(s + + /* our own (refreshed) copy of lsm_rule */ + ret = security_audit_rule_init(df->type, df->op, df->lsm_str, +- (void **)&df->lsm_rule); ++ (void **)&df->lsm_rule, GFP_KERNEL); + /* Keep currently invalid fields around in case they + * become valid after a policy reload. */ + if (ret == -EINVAL) { +--- a/security/apparmor/audit.c ++++ b/security/apparmor/audit.c +@@ -173,7 +173,7 @@ void aa_audit_rule_free(void *vrule) + } + } + +-int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) ++int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp) + { + struct aa_audit_rule *rule; + +@@ -186,14 +186,14 @@ int aa_audit_rule_init(u32 field, u32 op + return -EINVAL; + } + +- rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL); ++ rule = kzalloc(sizeof(struct aa_audit_rule), gfp); + + if (!rule) + return -ENOMEM; + + /* Currently rules are treated as coming from the root ns */ + rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, +- GFP_KERNEL, true, false); ++ gfp, true, false); + if (IS_ERR(rule->label)) { + int err = PTR_ERR(rule->label); + aa_audit_rule_free(rule); +--- a/security/apparmor/include/audit.h ++++ b/security/apparmor/include/audit.h +@@ -186,7 +186,7 @@ static inline int complain_error(int err + } + + void aa_audit_rule_free(void *vrule); +-int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); ++int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp); + int aa_audit_rule_known(struct audit_krule *rule); + int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); + +--- a/security/integrity/ima/ima.h ++++ b/security/integrity/ima/ima.h +@@ -420,7 +420,7 @@ static inline void ima_free_modsig(struc + #else + + static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, +- void **lsmrule) ++ void **lsmrule, gfp_t gfp) + { + return -EINVAL; + } +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -349,7 +349,8 @@ static void ima_free_rule(struct ima_rul + kfree(entry); + } + +-static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ++static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry, ++ gfp_t gfp) + { + struct ima_rule_entry *nentry; + int i; +@@ -358,7 +359,7 @@ static struct ima_rule_entry *ima_lsm_co + * Immutable elements are copied over as pointers and data; only + * lsm rules can change + */ +- nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); ++ nentry = kmemdup(entry, sizeof(*nentry), gfp); + if (!nentry) + return NULL; + +@@ -373,7 +374,8 @@ static struct ima_rule_entry *ima_lsm_co + + ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, + nentry->lsm[i].args_p, +- &nentry->lsm[i].rule); ++ &nentry->lsm[i].rule, ++ gfp); + if (!nentry->lsm[i].rule) + pr_warn("rule for LSM \'%s\' is undefined\n", + nentry->lsm[i].args_p); +@@ -386,7 +388,7 @@ static int ima_lsm_update_rule(struct im + int i; + struct ima_rule_entry *nentry; + +- nentry = ima_lsm_copy_rule(entry); ++ nentry = ima_lsm_copy_rule(entry, GFP_KERNEL); + if (!nentry) + return -ENOMEM; + +@@ -573,7 +575,7 @@ retry: + } + + if (rc == -ESTALE && !rule_reinitialized) { +- lsm_rule = ima_lsm_copy_rule(rule); ++ lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); + if (lsm_rule) { + rule_reinitialized = true; + goto retry; +@@ -990,7 +992,8 @@ static int ima_lsm_rule_init(struct ima_ + entry->lsm[lsm_rule].type = audit_type; + result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, + entry->lsm[lsm_rule].args_p, +- &entry->lsm[lsm_rule].rule); ++ &entry->lsm[lsm_rule].rule, ++ GFP_KERNEL); + if (!entry->lsm[lsm_rule].rule) { + pr_warn("rule for LSM \'%s\' is undefined\n", + entry->lsm[lsm_rule].args_p); +--- a/security/security.c ++++ b/security/security.c +@@ -2545,9 +2545,11 @@ int security_key_getsecurity(struct key + + #ifdef CONFIG_AUDIT + +-int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) ++int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, ++ gfp_t gfp) + { +- return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); ++ return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule, ++ gfp); + } + + int security_audit_rule_known(struct audit_krule *krule) +--- a/security/selinux/include/audit.h ++++ b/security/selinux/include/audit.h +@@ -18,12 +18,14 @@ + * @op: the operater the rule uses + * @rulestr: the text "target" of the rule + * @rule: pointer to the new rule structure returned via this ++ * @gfp: GFP flag used for kmalloc + * + * Returns 0 if successful, -errno if not. On success, the rule structure + * will be allocated internally. The caller must free this structure with + * selinux_audit_rule_free() after use. + */ +-int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); ++int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, ++ gfp_t gfp); + + /** + * selinux_audit_rule_free - free an selinux audit rule structure. +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -3542,7 +3542,8 @@ void selinux_audit_rule_free(void *vrule + } + } + +-int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) ++int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, ++ gfp_t gfp) + { + struct selinux_state *state = &selinux_state; + struct selinux_policy *policy; +@@ -3583,7 +3584,7 @@ int selinux_audit_rule_init(u32 field, u + return -EINVAL; + } + +- tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); ++ tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp); + if (!tmprule) + return -ENOMEM; + +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -4490,11 +4490,13 @@ static int smack_post_notification(const + * @op: required testing operator (=, !=, >, <, ...) + * @rulestr: smack label to be audited + * @vrule: pointer to save our own audit rule representation ++ * @gfp: type of the memory for the allocation + * + * Prepare to audit cases where (@field @op @rulestr) is true. + * The label to be audited is created if necessay. + */ +-static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) ++static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, ++ gfp_t gfp) + { + struct smack_known *skp; + char **rule = (char **)vrule; diff --git a/queue-5.10/mtd-rawnand-bypass-a-couple-of-sanity-checks-during-nand-identification.patch b/queue-5.10/mtd-rawnand-bypass-a-couple-of-sanity-checks-during-nand-identification.patch new file mode 100644 index 00000000000..0337c3ef672 --- /dev/null +++ b/queue-5.10/mtd-rawnand-bypass-a-couple-of-sanity-checks-during-nand-identification.patch @@ -0,0 +1,130 @@ +From 8754d9835683e8fab9a8305acdb38a3aeb9d20bd Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 16 May 2024 15:13:20 +0200 +Subject: mtd: rawnand: Bypass a couple of sanity checks during NAND identification + +From: Miquel Raynal + +commit 8754d9835683e8fab9a8305acdb38a3aeb9d20bd upstream. + +Early during NAND identification, mtd_info fields have not yet been +initialized (namely, writesize and oobsize) and thus cannot be used for +sanity checks yet. Of course if there is a misuse of +nand_change_read_column_op() so early we won't be warned, but there is +anyway no actual check to perform at this stage as we do not yet know +the NAND geometry. + +So, if the fields are empty, especially mtd->writesize which is *always* +set quite rapidly after identification, let's skip the sanity checks. + +nand_change_read_column_op() is subject to be used early for ONFI/JEDEC +identification in the very unlikely case of: +- bitflips appearing in the parameter page, +- the controller driver not supporting simple DATA_IN cycles. + +As nand_change_read_column_op() uses nand_fill_column_cycles() the logic +explaind above also applies in this secondary helper. + +Fixes: c27842e7e11f ("mtd: rawnand: onfi: Adapt the parameter page read to constraint controllers") +Fixes: daca31765e8b ("mtd: rawnand: jedec: Adapt the parameter page read to constraint controllers") +Cc: stable@vger.kernel.org +Reported-by: Alexander Dahl +Closes: https://lore.kernel.org/linux-mtd/20240306-shaky-bunion-d28b65ea97d7@thorsis.com/ +Reported-by: Steven Seeger +Closes: https://lore.kernel.org/linux-mtd/DM6PR05MB4506554457CF95191A670BDEF7062@DM6PR05MB4506.namprd05.prod.outlook.com/ +Signed-off-by: Miquel Raynal +Tested-by: Sascha Hauer +Link: https://lore.kernel.org/linux-mtd/20240516131320.579822-3-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/nand_base.c | 57 +++++++++++++++++++++------------------ + 1 file changed, 32 insertions(+), 25 deletions(-) + +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -964,28 +964,32 @@ static int nand_fill_column_cycles(struc + unsigned int offset_in_page) + { + struct mtd_info *mtd = nand_to_mtd(chip); ++ bool ident_stage = !mtd->writesize; + +- /* Make sure the offset is less than the actual page size. */ +- if (offset_in_page > mtd->writesize + mtd->oobsize) +- return -EINVAL; +- +- /* +- * On small page NANDs, there's a dedicated command to access the OOB +- * area, and the column address is relative to the start of the OOB +- * area, not the start of the page. Asjust the address accordingly. +- */ +- if (mtd->writesize <= 512 && offset_in_page >= mtd->writesize) +- offset_in_page -= mtd->writesize; +- +- /* +- * The offset in page is expressed in bytes, if the NAND bus is 16-bit +- * wide, then it must be divided by 2. +- */ +- if (chip->options & NAND_BUSWIDTH_16) { +- if (WARN_ON(offset_in_page % 2)) ++ /* Bypass all checks during NAND identification */ ++ if (likely(!ident_stage)) { ++ /* Make sure the offset is less than the actual page size. */ ++ if (offset_in_page > mtd->writesize + mtd->oobsize) + return -EINVAL; + +- offset_in_page /= 2; ++ /* ++ * On small page NANDs, there's a dedicated command to access the OOB ++ * area, and the column address is relative to the start of the OOB ++ * area, not the start of the page. Asjust the address accordingly. ++ */ ++ if (mtd->writesize <= 512 && offset_in_page >= mtd->writesize) ++ offset_in_page -= mtd->writesize; ++ ++ /* ++ * The offset in page is expressed in bytes, if the NAND bus is 16-bit ++ * wide, then it must be divided by 2. ++ */ ++ if (chip->options & NAND_BUSWIDTH_16) { ++ if (WARN_ON(offset_in_page % 2)) ++ return -EINVAL; ++ ++ offset_in_page /= 2; ++ } + } + + addrs[0] = offset_in_page; +@@ -994,7 +998,7 @@ static int nand_fill_column_cycles(struc + * Small page NANDs use 1 cycle for the columns, while large page NANDs + * need 2 + */ +- if (mtd->writesize <= 512) ++ if (!ident_stage && mtd->writesize <= 512) + return 1; + + addrs[1] = offset_in_page >> 8; +@@ -1189,16 +1193,19 @@ int nand_change_read_column_op(struct na + unsigned int len, bool force_8bit) + { + struct mtd_info *mtd = nand_to_mtd(chip); ++ bool ident_stage = !mtd->writesize; + + if (len && !buf) + return -EINVAL; + +- if (offset_in_page + len > mtd->writesize + mtd->oobsize) +- return -EINVAL; ++ if (!ident_stage) { ++ if (offset_in_page + len > mtd->writesize + mtd->oobsize) ++ return -EINVAL; + +- /* Small page NANDs do not support column change. */ +- if (mtd->writesize <= 512) +- return -ENOTSUPP; ++ /* Small page NANDs do not support column change. */ ++ if (mtd->writesize <= 512) ++ return -ENOTSUPP; ++ } + + if (nand_has_exec_op(chip)) { + const struct nand_sdr_timings *sdr = diff --git a/queue-5.10/revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch b/queue-5.10/revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch new file mode 100644 index 00000000000..298ce8cc997 --- /dev/null +++ b/queue-5.10/revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch @@ -0,0 +1,53 @@ +From 30139c702048f1097342a31302cbd3d478f50c63 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 21 Jun 2024 16:42:37 +0200 +Subject: Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" + +From: Jan Kara + +commit 30139c702048f1097342a31302cbd3d478f50c63 upstream. + +Patch series "mm: Avoid possible overflows in dirty throttling". + +Dirty throttling logic assumes dirty limits in page units fit into +32-bits. This patch series makes sure this is true (see patch 2/2 for +more details). + + +This patch (of 2): + +This reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78. + +The commit is broken in several ways. Firstly, the removed (u64) cast +from the multiplication will introduce a multiplication overflow on 32-bit +archs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the +default settings with 4GB of RAM will trigger this). Secondly, the +div64_u64() is unnecessarily expensive on 32-bit archs. We have +div64_ul() in case we want to be safe & cheap. Thirdly, if dirty +thresholds are larger than 1<<32 pages, then dirty balancing is going to +blow up in many other spectacular ways anyway so trying to fix one +possible overflow is just moot. + +Link: https://lkml.kernel.org/r/20240621144017.30993-1-jack@suse.cz +Link: https://lkml.kernel.org/r/20240621144246.11148-1-jack@suse.cz +Fixes: 9319b647902c ("mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again") +Signed-off-by: Jan Kara +Reviewed-By: Zach O'Keefe +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/page-writeback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -1546,7 +1546,7 @@ static inline void wb_dirty_limits(struc + */ + dtc->wb_thresh = __wb_calc_thresh(dtc); + dtc->wb_bg_thresh = dtc->thresh ? +- div64_u64(dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; ++ div_u64((u64)dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; + + /* + * In order to avoid the stacked BDI deadlock we need diff --git a/queue-5.10/series b/queue-5.10/series index 64d1cf1ac47..60bb6fc2c0a 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -41,3 +41,10 @@ mm-avoid-overflows-in-dirty-throttling-logic.patch bluetooth-qca-fix-bt-enable-failure-again-for-qca6390-after-warm-reboot.patch can-kvaser_usb-explicitly-initialize-family-in-leafimx-driver_info-struct.patch fsnotify-do-not-generate-events-for-o_path-file-descriptors.patch +revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch +drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch +drm-amdgpu-atomfirmware-silence-ubsan-warning.patch +mtd-rawnand-bypass-a-couple-of-sanity-checks-during-nand-identification.patch +bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch +bpf-sockmap-fix-sk-sk_forward_alloc-warn_on-in-sk_stream_kill_queues.patch +ima-avoid-blocking-in-rcu-read-side-critical-section.patch