From: Greg Kroah-Hartman Date: Tue, 23 Jul 2024 11:23:53 +0000 (+0200) Subject: 6.10-stable patches X-Git-Tag: v6.10.1~31 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=69138def5df72e52cb75be3ea71e1bb0b91ee585;p=thirdparty%2Fkernel%2Fstable-queue.git 6.10-stable patches added patches: cifs-fix-missing-error-code-set.patch cifs-fix-missing-fscache-invalidation.patch cifs-fix-noisy-message-on-copy_file_range.patch cifs-fix-server-re-repick-on-subrequest-retry.patch cifs-fix-setting-of-zero_point-after-dio-write.patch ext4-use-memtostr_pad-for-s_volume_name.patch series tpm-use-auth-only-after-null-check-in-tpm_buf_check_hmac_response.patch
---
diff --git a/queue-6.10/cifs-fix-missing-error-code-set.patch b/queue-6.10/cifs-fix-missing-error-code-set.patch
new file mode 100644
index 00000000000..1bcc677fc81
--- /dev/null
+++ b/queue-6.10/cifs-fix-missing-error-code-set.patch
@@ -0,0 +1,52 @@
+From d2c5eb57b6da10f335c30356f9696bd667601e6a Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Thu, 18 Jul 2024 20:55:20 +0100
+Subject: cifs: Fix missing error code set
+
+From: David Howells
+
+commit d2c5eb57b6da10f335c30356f9696bd667601e6a upstream.
+
+In cifs_strict_readv(), the default rc (-EACCES) is accidentally cleared by
+a successful return from netfs_start_io_direct(), such that if
+cifs_find_lock_conflict() fails, we don't return an error.
+
+Fix this by resetting the default error code.
+
+Fixes: 14b1cd25346b ("cifs: Fix locking in cifs_strict_readv()")
+Cc: stable@vger.kernel.org
+Signed-off-by: David Howells
+Reviewed-by: Paulo Alcantara (Red Hat)
+cc: Jeff Layton
+cc: linux-cifs@vger.kernel.org
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
+index 1374635e89fa..6178c6d8097d 100644
+--- a/fs/smb/client/file.c
++++ b/fs/smb/client/file.c
+@@ -2877,6 +2877,7 @@ cifs_strict_readv(struct kiocb *iocb, struct iov_iter *to)
+ rc = netfs_start_io_direct(inode);
+ if (rc < 0)
+ goto out;
++ rc = -EACCES;
+ down_read(&cinode->lock_sem);
+ if (!cifs_find_lock_conflict(
+ cfile, iocb->ki_pos, iov_iter_count(to),
+@@ -2889,6 +2890,7 @@ cifs_strict_readv(struct kiocb *iocb, struct iov_iter *to)
+ rc = netfs_start_io_read(inode);
+ if (rc < 0)
+ goto out;
++ rc = -EACCES;
+ down_read(&cinode->lock_sem);
+ if (!cifs_find_lock_conflict(
+ cfile, iocb->ki_pos, iov_iter_count(to),
+--
+2.45.2
+
diff --git a/queue-6.10/cifs-fix-missing-fscache-invalidation.patch b/queue-6.10/cifs-fix-missing-fscache-invalidation.patch
new file mode 100644
index 00000000000..c4f99b89513
--- /dev/null
+++ b/queue-6.10/cifs-fix-missing-fscache-invalidation.patch
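Review bot: In cifs-fix-missing-error-code-set.patch, the two added `rc = -EACCES;` lines in cifs_strict_readv() carry no comment, so the dependency they restore is invisible where it matters. The `if (!cifs_find_lock_conflict(...))` that follows each one apparently relies on rc already holding the failure code when a conflicting lock is found. A one-line comment above each assignment, such as `/* default for the lock-conflict case: netfs_start_io_*() left rc == 0 */`, would keep a later refactor from dropping it and turning a denied read back into a call that reports no error. Both branches continue outside the hunks, so what happens to rc on the non-conflict path cannot be confirmed from here.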
@@ -0,0 +1,50 @@
+From a07d38afd15281c42613943a9a715c3ba07c21e6 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Fri, 19 Jul 2024 16:01:48 +0100
+Subject: cifs: Fix missing fscache invalidation
+
+From: David Howells
+
+commit a07d38afd15281c42613943a9a715c3ba07c21e6 upstream.
+
+A network filesystem needs to implement a netfslib hook to invalidate
+fscache if it's to be able to use the cache.
+
+Fix cifs to implement the cache invalidation hook.
+
+Signed-off-by: David Howells
+Reviewed-by: Paulo Alcantara (Red Hat)
+cc: Jeff Layton
+cc: linux-cifs@vger.kernel.org
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 3ee1a1fc3981 ("cifs: Cut over to using netfslib")
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/file.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/smb/client/file.c
++++ b/fs/smb/client/file.c
+@@ -123,6 +123,11 @@ fail:
+ goto out;
+ }
+
++static void cifs_netfs_invalidate_cache(struct netfs_io_request *wreq)
++{
++ cifs_invalidate_cache(wreq->inode, 0);
++}
++
+ /*
+ * Split the read up according to how many credits we can get for each piece.
+ * It's okay to sleep here if we need to wait for more credit to become
+@@ -307,6 +312,7 @@ const struct netfs_request_ops cifs_req_
+ .begin_writeback = cifs_begin_writeback,
+ .prepare_write = cifs_prepare_write,
+ .issue_write = cifs_issue_write,
++ .invalidate_cache = cifs_netfs_invalidate_cache,
+ };
+
+ /*
diff --git a/queue-6.10/cifs-fix-noisy-message-on-copy_file_range.patch b/queue-6.10/cifs-fix-noisy-message-on-copy_file_range.patch
new file mode 100644
index 00000000000..d8b7850878d
--- /dev/null
+++ b/queue-6.10/cifs-fix-noisy-message-on-copy_file_range.patch
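Review bot: In cifs-fix-missing-fscache-invalidation.patch, the new `cifs_netfs_invalidate_cache()` wrapper passes a bare `0` as the second argument of `cifs_invalidate_cache()` and has no header comment. A reader therefore cannot tell what that argument selects, or that the function exists only to serve as the netfslib hook. A short comment such as `/* netfslib ->invalidate_cache hook: invalidate the fscache object behind the request's inode */`, plus a word on what the `0` means, would document the contract. The definition of `cifs_invalidate_cache()` is not in this patch, so the meaning of that argument has to be taken from there.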
@@ -0,0 +1,36 @@
+From ae4ccca47195332c69176b8615c5ee17efd30c46 Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Wed, 17 Jul 2024 00:42:22 -0500
+Subject: cifs: fix noisy message on copy_file_range
+
+From: Steve French
+
+commit ae4ccca47195332c69176b8615c5ee17efd30c46 upstream.
+
+There are common cases where copy_file_range can noisily
+log "source and target of copy not on same server"
+e.g. the mv command across mounts to two different server's shares.
+Change this to informational rather than logging as an error.
+
+A followon patch will add dynamic trace points e.g. for
+cifs_file_copychunk_range
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Shyam Prasad N
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/cifsfs.c
++++ b/fs/smb/client/cifsfs.c
+@@ -1359,7 +1359,7 @@ ssize_t cifs_file_copychunk_range(unsign
+ target_tcon = tlink_tcon(smb_file_target->tlink);
+
+ if (src_tcon->ses != target_tcon->ses) {
+- cifs_dbg(VFS, "source and target of copy not on same server\n");
++ cifs_dbg(FYI, "source and target of copy not on same server\n");
+ goto out;
+ }
+
diff --git a/queue-6.10/cifs-fix-server-re-repick-on-subrequest-retry.patch b/queue-6.10/cifs-fix-server-re-repick-on-subrequest-retry.patch
new file mode 100644
index 00000000000..07adf550883
--- /dev/null
+++ b/queue-6.10/cifs-fix-server-re-repick-on-subrequest-retry.patch
@@ -0,0 +1,73 @@
+From de40579b903883274fe203865f29d66b168b7236 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Thu, 18 Jul 2024 20:19:32 +0100
+Subject: cifs: Fix server re-repick on subrequest retry
+
+From: David Howells
+
+commit de40579b903883274fe203865f29d66b168b7236 upstream.
+
+When a subrequest is marked for needing retry, netfs will call
+cifs_prepare_write() which will make cifs repick the server for the op
+before renegotiating credits; it then calls cifs_issue_write() which
+invokes smb2_async_writev() - which re-repicks the server.
+
+If a different server is then selected, this causes the increment of
+server->in_flight to happen against one record and the decrement to happen
+against another, leading to misaccounting.
+
+Fix this by just removing the repick code in smb2_async_writev(). As this
+is only called from netfslib-driven code, cifs_prepare_write() should
+always have been called first, and so server should never be NULL and the
+preparatory step is repeated in the event that we do a retry.
+
+The problem manifests as a warning looking something like:
+
+ WARNING: CPU: 4 PID: 72896 at fs/smb/client/smb2ops.c:97 smb2_add_credits+0x3f0/0x9e0 [cifs]
+ ...
+ RIP: 0010:smb2_add_credits+0x3f0/0x9e0 [cifs]
+ ...
+ smb2_writev_callback+0x334/0x560 [cifs]
+ cifs_demultiplex_thread+0x77a/0x11b0 [cifs]
+ kthread+0x187/0x1d0
+ ret_from_fork+0x34/0x60
+ ret_from_fork_asm+0x1a/0x30
+
+Which may be triggered by a number of different xfstests running against an
+Azure server in multichannel mode. generic/249 seems the most repeatable,
+but generic/215, generic/249 and generic/308 may also show it.
+
+Fixes: 3ee1a1fc3981 ("cifs: Cut over to using netfslib")
+Cc: stable@vger.kernel.org
+Reported-by: Steve French
+Reviewed-by: Paulo Alcantara (Red Hat)
+Acked-by: Tom Talpey
+Signed-off-by: David Howells
+cc: Jeff Layton
+cc: Aurelien Aptel
+cc: linux-cifs@vger.kernel.org
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/smb2pdu.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
+index 2ae2dbb6202b..bb84a89e5905 100644
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -4859,9 +4859,6 @@ smb2_async_writev(struct cifs_io_subrequest *wdata)
+ struct cifs_io_parms *io_parms = NULL;
+ int credit_request;
+
+- if (!wdata->server || test_bit(NETFS_SREQ_RETRYING, &wdata->subreq.flags))
+- server = wdata->server = cifs_pick_channel(tcon->ses);
+-
+ /*
+ * in future we may get cifs_io_parms passed in from the caller,
+ * but for now we construct it here...
+--
+2.45.2
+
diff --git a/queue-6.10/cifs-fix-setting-of-zero_point-after-dio-write.patch b/queue-6.10/cifs-fix-setting-of-zero_point-after-dio-write.patch
new file mode 100644
index 00000000000..aa0b3186fb5
--- /dev/null
+++ b/queue-6.10/cifs-fix-setting-of-zero_point-after-dio-write.patch
@@ -0,0 +1,64 @@
+From 61ea6b3a3104fcd66364282391dd2152bc4c129a Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Fri, 19 Jul 2024 14:07:07 +0100
+Subject: cifs: Fix setting of zero_point after DIO write
+
+From: David Howells
+
+commit 61ea6b3a3104fcd66364282391dd2152bc4c129a upstream.
+
+At the moment, at the end of a DIO write, cifs calls netfs_resize_file() to
+adjust the size of the file if it needs it. This will reduce the
+zero_point (the point above which we assume a read will just return zeros)
+if it's more than the new i_size, but won't increase it.
+
+With DIO writes, however, we definitely want to increase it as we have
+clobbered the local pagecache and then written some data that's not
+available locally.
+
+Fix cifs to make the zero_point above the end of a DIO or unbuffered write.
+
+This fixes corruption seen occasionally with the generic/708 xfs-test. In
+that case, the read-back of some of the written data is being
+short-circuited and replaced with zeroes.
+
+Fixes: 3ee1a1fc3981 ("cifs: Cut over to using netfslib")
+Cc: stable@vger.kernel.org
+Reported-by: Steve French
+Signed-off-by: David Howells
+Reviewed-by: Paulo Alcantara (Red Hat)
+cc: Jeff Layton
+cc: linux-cifs@vger.kernel.org
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/file.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/client/file.c
++++ b/fs/smb/client/file.c
+@@ -2364,13 +2364,18 @@ void cifs_write_subrequest_terminated(st
+ bool was_async)
+ {
+ struct netfs_io_request *wreq = wdata->rreq;
+- loff_t new_server_eof;
++ struct netfs_inode *ictx = netfs_inode(wreq->inode);
++ loff_t wrend;
+
+ if (result > 0) {
+- new_server_eof = wdata->subreq.start + wdata->subreq.transferred + result;
++ wrend = wdata->subreq.start + wdata->subreq.transferred + result;
+
+- if (new_server_eof > netfs_inode(wreq->inode)->remote_i_size)
+-
netfs_resize_file(netfs_inode(wreq->inode), new_server_eof, true);
++ if (wrend > ictx->zero_point &&
++ (wdata->rreq->origin == NETFS_UNBUFFERED_WRITE ||
++ wdata->rreq->origin == NETFS_DIO_WRITE))
++ ictx->zero_point = wrend;
++ if (wrend > ictx->remote_i_size)
++ netfs_resize_file(ictx, wrend, true);
+ }
+
+ netfs_write_subrequest_terminated(&wdata->subreq, result, was_async);
diff --git a/queue-6.10/ext4-use-memtostr_pad-for-s_volume_name.patch b/queue-6.10/ext4-use-memtostr_pad-for-s_volume_name.patch
new file mode 100644
index 00000000000..65deef911b0
--- /dev/null
+++ b/queue-6.10/ext4-use-memtostr_pad-for-s_volume_name.patch
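Review bot: In cifs-fix-setting-of-zero_point-after-dio-write.patch, the new `if (wrend > ictx->zero_point && ...) ictx->zero_point = wrend;` in cifs_write_subrequest_terminated() is an unsynchronised check-then-set on a per-inode field, and nothing in the hunk shows a lock being held. If write subrequests for the same inode can complete concurrently (the `was_async` parameter suggests completion may run from another context), a smaller wrend could overwrite a larger one. That would leave zero_point below data that was just written, which is the read-back-as-zeroes symptom the commit describes. It is worth confirming which lock or ordering guarantee covers this update and recording it in a comment next to the assignment. Separately, the condition reads `wdata->rreq->origin` although the local `wreq` already holds `wdata->rreq`; `wreq->origin == NETFS_UNBUFFERED_WRITE || wreq->origin == NETFS_DIO_WRITE` would match the rest of the function.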
@@ -0,0 +1,49 @@
+From be27cd64461c45a6088a91a04eba5cd44e1767ef Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Thu, 23 May 2024 15:54:12 -0700
+Subject: ext4: use memtostr_pad() for s_volume_name
+
+From: Kees Cook
+
+commit be27cd64461c45a6088a91a04eba5cd44e1767ef upstream.
+
+As with the other strings in struct ext4_super_block, s_volume_name is
+not NUL terminated. The other strings were marked in commit 072ebb3bffe6
+("ext4: add nonstring annotations to ext4.h"). Using strscpy() isn't
+the right replacement for strncpy(); it should use memtostr_pad()
+instead.
+
+Reported-by: syzbot+50835f73143cc2905b9e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/00000000000019f4c00619192c05@google.com/
+Fixes: 744a56389f73 ("ext4: replace deprecated strncpy with alternatives")
+Signed-off-by: Kees Cook
+Link: https://patch.msgid.link/20240523225408.work.904-kees@kernel.org
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/ext4.h | 2 +-
+ fs/ext4/ioctl.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1347,7 +1347,7 @@ struct ext4_super_block {
+ /*60*/ __le32 s_feature_incompat; /* incompatible feature set */
+ __le32 s_feature_ro_compat; /* readonly-compatible feature set */
+ /*68*/ __u8 s_uuid[16]; /* 128-bit uuid for volume */
+-/*78*/ char s_volume_name[EXT4_LABEL_MAX]; /* volume name */
++/*78*/ char s_volume_name[EXT4_LABEL_MAX] __nonstring; /* volume name */
+ /*88*/ char s_last_mounted[64] __nonstring; /* directory where last mounted */
+ /*C8*/ __le32 s_algorithm_usage_bitmap; /* For compression */
+ /*
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -1151,7 +1151,7 @@ static int ext4_ioctl_getlabel(struct ex
+ BUILD_BUG_ON(EXT4_LABEL_MAX >= FSLABEL_MAX);
+
+ lock_buffer(sbi->s_sbh);
+- strscpy_pad(label, sbi->s_es->s_volume_name);
++ memtostr_pad(label, sbi->s_es->s_volume_name);
+ unlock_buffer(sbi->s_sbh);
+
+ if (copy_to_user(user_label, label,
sizeof(label)))
diff --git a/queue-6.10/series b/queue-6.10/series
new file mode 100644
index 00000000000..c59428782da
--- /dev/null
+++ b/queue-6.10/series
@@ -0,0 +1,7 @@
+ext4-use-memtostr_pad-for-s_volume_name.patch
+cifs-fix-missing-error-code-set.patch
+cifs-fix-missing-fscache-invalidation.patch
+cifs-fix-noisy-message-on-copy_file_range.patch
+cifs-fix-server-re-repick-on-subrequest-retry.patch
+cifs-fix-setting-of-zero_point-after-dio-write.patch
+tpm-use-auth-only-after-null-check-in-tpm_buf_check_hmac_response.patch
diff --git a/queue-6.10/tpm-use-auth-only-after-null-check-in-tpm_buf_check_hmac_response.patch b/queue-6.10/tpm-use-auth-only-after-null-check-in-tpm_buf_check_hmac_response.patch
new file mode 100644
index 00000000000..57530626f05
--- /dev/null
+++ b/queue-6.10/tpm-use-auth-only-after-null-check-in-tpm_buf_check_hmac_response.patch
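Review bot: In ext4-use-memtostr_pad-for-s_volume_name.patch, the `memtostr_pad(label, sbi->s_es->s_volume_name);` call in ext4_ioctl_getlabel() has no comment saying why a string-copy helper is wrong here, and the earlier strscpy_pad() conversion named in the Fixes tag shows how easily that knowledge is lost. A comment at the call such as `/* s_volume_name is __nonstring: it may use all EXT4_LABEL_MAX bytes with no NUL */` would help. It is also worth noting that the padding matters because all `sizeof(label)` bytes of `label` are then passed to copy_to_user(), so any unwritten tail of the stack buffer would reach user space. The declaration of `label` and the rest of the function are outside the hunk. Other readers of s_volume_name are not visible in this patch and should be checked for the same NUL-termination assumption.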
@@ -0,0 +1,49 @@
+From 7dc357d343f134bf59815ff6098b93503ec8a23b Mon Sep 17 00:00:00 2001
+From: Hao Ge
+Date: Tue, 9 Jul 2024 10:33:37 +0800
+Subject: tpm: Use auth only after NULL check in tpm_buf_check_hmac_response()
+
+From: Hao Ge
+
+commit 7dc357d343f134bf59815ff6098b93503ec8a23b upstream.
+
+Dereference auth after NULL check in tpm_buf_check_hmac_response().
+Otherwise, unless tpm2_sessions_init() was called, a call can cause NULL
+dereference, when TCG_TPM2_HMAC is enabled.
+
+[jarkko: adjusted the commit message.]
+Cc: stable@vger.kernel.org # v6.10+
+Fixes: 7ca110f2679b ("tpm: Address !chip->auth in tpm_buf_append_hmac_session*()")
+Signed-off-by: Hao Ge
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm2-sessions.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
+index 2281d55df545..d3521aadd43e 100644
+--- a/drivers/char/tpm/tpm2-sessions.c
++++ b/drivers/char/tpm/tpm2-sessions.c
+@@ -746,15 +746,16 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf,
+ struct tpm2_auth *auth = chip->auth;
+ off_t offset_s, offset_p;
+ u8 rphash[SHA256_DIGEST_SIZE];
+- u32 attrs;
++ u32 attrs, cc;
+ struct sha256_state sctx;
+ u16 tag = be16_to_cpu(head->tag);
+- u32 cc = be32_to_cpu(auth->ordinal);
+ int parm_len, len, i, handles;
+
+ if (!auth)
+ return rc;
+
++ cc = be32_to_cpu(auth->ordinal);
++
+ if (auth->session >= TPM_HEADER_SIZE) {
+ WARN(1, "tpm session not filled correctly\n");
+ goto out;
+--
+2.45.2
+
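Review bot: In the tpm patch, the `if (!auth) return rc;` path that the moved `cc = be32_to_cpu(auth->ordinal);` now sits behind returns rc unchanged, so when no auth session exists the response is accepted with no HMAC check at all. rc is not among the visible locals and is presumably a parameter; either way the caller cannot tell this outcome from a verified response. Nothing in tpm_buf_check_hmac_response() documents that this is intended, and a comment on the early return such as `/* no session set up (tpm2_sessions_init() not run): response is not HMAC-verified */` would make the reduced guarantee explicit. Callers that depend on response integrity should be checked to confirm they tolerate this case. The function's signature and the rest of its body are outside the hunk.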