From: Greg Kroah-Hartman
Date: Tue, 3 Dec 2024 11:02:29 +0000 (+0100)
Subject: 6.6-stable patches
X-Git-Tag: v4.19.325~28
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6e7aa246588e0feee2822debff6c66634799874e;p=thirdparty%2Fkernel%2Fstable-queue.git
6.6-stable patches
added patches:
f2fs-fix-to-do-sanity-check-on-node-blkaddr-in-truncate_node.patch
ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch
lib-string_helpers-silence-snprintf-output-truncation-warning.patch
nfsd-prevent-a-potential-integer-overflow.patch
sunrpc-make-sure-cache-entry-active-before-cache_show.patch
ublk-fix-error-code-for-unsupported-command.patch
---
diff --git a/queue-6.6/f2fs-fix-to-do-sanity-check-on-node-blkaddr-in-truncate_node.patch b/queue-6.6/f2fs-fix-to-do-sanity-check-on-node-blkaddr-in-truncate_node.patch
new file mode 100644
index 00000000000..79eca864dbb
--- /dev/null
+++ b/queue-6.6/f2fs-fix-to-do-sanity-check-on-node-blkaddr-in-truncate_node.patch
@@ -0,0 +1,69 @@
+From 6babe00ccd34fc65b78ef8b99754e32b4385f23d Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Wed, 16 Oct 2024 16:13:37 +0800
+Subject: f2fs: fix to do sanity check on node blkaddr in truncate_node()
+
+From: Chao Yu
+
+commit 6babe00ccd34fc65b78ef8b99754e32b4385f23d upstream.
+
+syzbot reports a f2fs bug as below:
+
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/segment.c:2534!
+RIP: 0010:f2fs_invalidate_blocks+0x35f/0x370 fs/f2fs/segment.c:2534
+Call Trace:
+ truncate_node+0x1ae/0x8c0 fs/f2fs/node.c:909
+ f2fs_remove_inode_page+0x5c2/0x870 fs/f2fs/node.c:1288
+ f2fs_evict_inode+0x879/0x15c0 fs/f2fs/inode.c:856
+ evict+0x4e8/0x9b0 fs/inode.c:723
+ f2fs_handle_failed_inode+0x271/0x2e0 fs/f2fs/inode.c:986
+ f2fs_create+0x357/0x530 fs/f2fs/namei.c:394
+ lookup_open fs/namei.c:3595 [inline]
+ open_last_lookups fs/namei.c:3694 [inline]
+ path_openat+0x1c03/0x3590 fs/namei.c:3930
+ do_filp_open+0x235/0x490 fs/namei.c:3960
+ do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
+ do_sys_open fs/open.c:1430 [inline]
+ __do_sys_openat fs/open.c:1446 [inline]
+ __se_sys_openat fs/open.c:1441 [inline]
+ __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0010:f2fs_invalidate_blocks+0x35f/0x370 fs/f2fs/segment.c:2534
+
+The root cause is: on a fuzzed image, blkaddr in nat entry may be
+corrupted, then it will cause system panic when using it in
+f2fs_invalidate_blocks(), to avoid this, let's add sanity check on
+nat blkaddr in truncate_node().
+
+Reported-by: syzbot+33379ce4ac76acf7d0c7@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/0000000000009a6cd706224ca720@google.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/node.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -905,6 +905,16 @@ static int truncate_node(struct dnode_of
+ if (err)
+ return err;
+
++ if (ni.blk_addr != NEW_ADDR &&
++ !f2fs_is_valid_blkaddr(sbi, ni.blk_addr, DATA_GENERIC_ENHANCE)) {
++ f2fs_err_ratelimited(sbi,
++ "nat entry is corrupted, run fsck to fix it, ino:%u, "
++ "nid:%u, blkaddr:%u", ni.ino, ni.nid, ni.blk_addr);
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ f2fs_handle_error(sbi, ERROR_INCONSISTENT_NAT);
++ return -EFSCORRUPTED;
++ }
++
+ /* Deallocate node address */
+ f2fs_invalidate_blocks(sbi, ni.blk_addr);
+ dec_valid_node_count(sbi, dn->inode, dn->nid == dn->inode->i_ino);
diff --git a/queue-6.6/ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch b/queue-6.6/ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch
new file mode 100644
index 00000000000..b6817fd0581
--- /dev/null
+++ b/queue-6.6/ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch
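Review bot: The new guard exempts NEW_ADDR but nothing in the hunk says why a not-yet-allocated address is allowed through to f2fs_invalidate_blocks(), so the next reader will have to go and look it up. A one-line comment above the `if` would carry it: `/* NEW_ADDR has no on-disk block yet; f2fs_invalidate_blocks() skips it, so only real addresses are validated here */` — presumably that is the reason, confirm against f2fs_invalidate_blocks(). The value being checked is read from a NAT entry, i.e. from the image itself, so failing closed with -EFSCORRUPTED plus SBI_NEED_FSCK instead of hitting a BUG_ON is the right shape for untrusted metadata. truncate_node() starts and ends outside the hunk, so how its callers treat the new error return is not visible here.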
@@ -0,0 +1,62 @@
+From bc8f5921cd69188627c08041276238de222ab466 Mon Sep 17 00:00:00 2001
+From: Ma Wupeng
+Date: Wed, 23 Oct 2024 17:31:29 +0800
+Subject: ipc: fix memleak if msg_init_ns failed in create_ipc_ns
+
+From: Ma Wupeng
+
+commit bc8f5921cd69188627c08041276238de222ab466 upstream.
+
+Percpu memory allocation may failed during create_ipc_ns however this
+fail is not handled properly since ipc sysctls and mq sysctls is not
+released properly. Fix this by release these two resource when failure.
+
+Here is the kmemleak stack when percpu failed:
+
+unreferenced object 0xffff88819de2a600 (size 512):
+ comm "shmem_2nstest", pid 120711, jiffies 4300542254
+ hex dump (first 32 bytes):
+ 60 aa 9d 84 ff ff ff ff fc 18 48 b2 84 88 ff ff `.........H.....
+ 04 00 00 00 a4 01 00 00 20 e4 56 81 ff ff ff ff ........ .V.....
+ backtrace (crc be7cba35):
+ [] __kmalloc_node_track_caller_noprof+0x333/0x420
+ [] kmemdup_noprof+0x26/0x50
+ [] setup_mq_sysctls+0x57/0x1d0
+ [] copy_ipcs+0x29c/0x3b0
+ [] create_new_namespaces+0x1d0/0x920
+ [] copy_namespaces+0x2e9/0x3e0
+ [] copy_process+0x29f3/0x7ff0
+ [] kernel_clone+0xc0/0x650
+ [] __do_sys_clone+0xa1/0xe0
+ [] do_syscall_64+0xbf/0x1c0
+ [] entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Link: https://lkml.kernel.org/r/20241023093129.3074301-1-mawupeng1@huawei.com
+Fixes: 72d1e611082e ("ipc/msg: mitigate the lock contention with percpu counter")
+Signed-off-by: Ma Wupeng
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ ipc/namespace.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/ipc/namespace.c
++++ b/ipc/namespace.c
+@@ -83,13 +83,15 @@ static struct ipc_namespace *create_ipc_
+
+ err = msg_init_ns(ns);
+ if (err)
+- goto fail_put;
++ goto fail_ipc;
+
+ sem_init_ns(ns);
+ shm_init_ns(ns);
+
+ return ns;
+
++fail_ipc:
++ retire_ipc_sysctls(ns);
+ fail_mq:
+ retire_mq_sysctls(ns);
+
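Review bot: The new `fail_ipc:` label depends on falling through `fail_mq:` and then into the older labels to finish the unwind, and nothing in the hunk states that order, so the next label added here can easily be put on the wrong side. A short comment at the head of the chain would pin it: `/* unwind in reverse order of setup: ipc sysctls, then mq sysctls, then the namespace itself */`. The order looks right provided setup_ipc_sysctls() runs after setup_mq_sysctls() in the part of create_ipc_ns() above the hunk — confirm against that code. The labels below `retire_mq_sysctls(ns)` are outside the hunk, so the rest of the unwind is not visible here.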
diff --git a/queue-6.6/lib-string_helpers-silence-snprintf-output-truncation-warning.patch b/queue-6.6/lib-string_helpers-silence-snprintf-output-truncation-warning.patch
new file mode 100644
index 00000000000..07a7e6bc1f6
--- /dev/null
+++ b/queue-6.6/lib-string_helpers-silence-snprintf-output-truncation-warning.patch
@@ -0,0 +1,40 @@
+From a508ef4b1dcc82227edc594ffae583874dd425d7 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Fri, 1 Nov 2024 21:54:53 +0100
+Subject: lib: string_helpers: silence snprintf() output truncation warning
+
+From: Bartosz Golaszewski
+
+commit a508ef4b1dcc82227edc594ffae583874dd425d7 upstream.
+
+The output of ".%03u" with the unsigned int in range [0, 4294966295] may
+get truncated if the target buffer is not 12 bytes. This can't really
+happen here as the 'remainder' variable cannot exceed 999 but the
+compiler doesn't know it. To make it happy just increase the buffer to
+where the warning goes away.
+
+Fixes: 3c9f3681d0b4 ("[SCSI] lib: add generic helper to print sizes rounded to the correct SI range")
+Signed-off-by: Bartosz Golaszewski
+Reviewed-by: Andy Shevchenko
+Cc: James E.J. Bottomley
+Cc: Kees Cook
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Morton
+Link: https://lore.kernel.org/r/20241101205453.9353-1-brgl@bgdev.pl
+Signed-off-by: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/string_helpers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/string_helpers.c
++++ b/lib/string_helpers.c
+@@ -52,7 +52,7 @@ void string_get_size(u64 size, u64 blk_s
+ static const unsigned int rounding[] = { 500, 50, 5 };
+ int i = 0, j;
+ u32 remainder = 0, sf_cap;
+- char tmp[8];
++ char tmp[12];
+ const char *unit;
+
+ tmp[0] = '\0';
diff --git a/queue-6.6/nfsd-prevent-a-potential-integer-overflow.patch b/queue-6.6/nfsd-prevent-a-potential-integer-overflow.patch
new file mode 100644
index 00000000000..d294dd39023
--- /dev/null
+++ b/queue-6.6/nfsd-prevent-a-potential-integer-overflow.patch
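Review bot: `char tmp[12];` is a magic size whose justification lives only in the commit message; in the file a reader sees a buffer four bytes larger than a three-digit suffix needs and has no way to tell whether 12 is a minimum or an accident. A trailing comment carries the reasoning into the code: `char tmp[12];	/* ".%03u" of a full u32 plus NUL; remainder is <= 999 in practice */`. The format string and the bound on `remainder` are asserted by the commit message rather than visible in the hunk, so confirm both against the body of string_get_size(), which continues below the hunk, before wording the comment.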
@@ -0,0 +1,50 @@
+From 7f33b92e5b18e904a481e6e208486da43e4dc841 Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Tue, 17 Sep 2024 12:15:23 -0400
+Subject: NFSD: Prevent a potential integer overflow
+
+From: Chuck Lever
+
+commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream.
+
+If the tag length is >= U32_MAX - 3 then the "length + 4" addition
+can result in an integer overflow. Address this by splitting the
+decoding into several steps so that decode_cb_compound4res() does
+not have to perform arithmetic on the unsafe length value.
+
+Reported-by: Dan Carpenter
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4callback.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -297,17 +297,17 @@ static int decode_cb_compound4res(struct
+ u32 length;
+ __be32 *p;
+
+- p = xdr_inline_decode(xdr, 4 + 4);
++ p = xdr_inline_decode(xdr, XDR_UNIT);
+ if (unlikely(p == NULL))
+ goto out_overflow;
+- hdr->status = be32_to_cpup(p++);
++ hdr->status = be32_to_cpup(p);
+ /* Ignore the tag */
+- length = be32_to_cpup(p++);
+- p = xdr_inline_decode(xdr, length + 4);
+- if (unlikely(p == NULL))
++ if (xdr_stream_decode_u32(xdr, &length) < 0)
++ goto out_overflow;
++ if (xdr_inline_decode(xdr, length) == NULL)
++ goto out_overflow;
++ if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0)
+ goto out_overflow;
+- p += XDR_QUADLEN(length);
+- hdr->nops = be32_to_cpup(p);
+ return 0;
+ out_overflow:
+ return -EIO;
diff --git a/queue-6.6/series b/queue-6.6/series
index b528843aea0..cc3daf1d9fd 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
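Review bot: The tag is still skipped with `xdr_inline_decode(xdr, length)` on the raw, client-supplied length, so the arithmetic the commit message removes from this function is only pushed into the helper, which — if I remember __xdr_inline_decode() correctly — rounds the length up with XDR_QUADLEN() before its bounds check and could still wrap where size_t is 32 bits; confirm against net/sunrpc/xdr.c. A bound on the tag before the skip removes the question regardless of the helper's internals, e.g. `if (length > NFS4_OPAQUE_LIMIT) goto out_overflow;` inserted ahead of the `xdr_inline_decode(xdr, length)` line, and a comment on the new check, `/* the tag is an echo of our own request; any oversized value is a malformed reply */`, records why rejecting it is safe. That is a behaviour change for replies carrying a tag over 1024 bytes, which should be harmless if nfsd's callback encoder sends an empty tag, but that encoder is not visible here. decode_cb_compound4res() begins above the hunk; the `hdr->nops` decode after the skip is where a mis-aligned stream would first show up, so any follow-up test should cover a reply with a non-zero tag length.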
@@ -554,3 +554,9 @@ smb-during-unmount-ensure-all-cached-dir-instances-drop-their-dentry.patch
 usb-musb-fix-hardware-lockup-on-first-rx-endpoint-request.patch
 usb-dwc3-gadget-fix-checking-for-number-of-trbs-left.patch
 usb-dwc3-gadget-fix-looping-of-queued-sg-entries.patch
+ublk-fix-error-code-for-unsupported-command.patch
+lib-string_helpers-silence-snprintf-output-truncation-warning.patch
+f2fs-fix-to-do-sanity-check-on-node-blkaddr-in-truncate_node.patch
+ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch
+nfsd-prevent-a-potential-integer-overflow.patch
+sunrpc-make-sure-cache-entry-active-before-cache_show.patch
diff --git a/queue-6.6/sunrpc-make-sure-cache-entry-active-before-cache_show.patch b/queue-6.6/sunrpc-make-sure-cache-entry-active-before-cache_show.patch
new file mode 100644
index 00000000000..2e28fec423c
--- /dev/null
+++ b/queue-6.6/sunrpc-make-sure-cache-entry-active-before-cache_show.patch
@@ -0,0 +1,57 @@
+From 2862eee078a4d2d1f584e7f24fa50dddfa5f3471 Mon Sep 17 00:00:00 2001
+From: Yang Erkun
+Date: Mon, 21 Oct 2024 22:23:42 +0800
+Subject: SUNRPC: make sure cache entry active before cache_show
+
+From: Yang Erkun
+
+commit 2862eee078a4d2d1f584e7f24fa50dddfa5f3471 upstream.
+
+The function `c_show` was called with protection from RCU. This only
+ensures that `cp` will not be freed. Therefore, the reference count for
+`cp` can drop to zero, which will trigger a refcount use-after-free
+warning when `cache_get` is called. To resolve this issue, use
+`cache_get_rcu` to ensure that `cp` remains active.
+
+------------[ cut here ]------------
+refcount_t: addition on 0; use-after-free.
+WARNING: CPU: 7 PID: 822 at lib/refcount.c:25
+refcount_warn_saturate+0xb1/0x120
+CPU: 7 UID: 0 PID: 822 Comm: cat Not tainted 6.12.0-rc3+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.16.1-2.fc37 04/01/2014
+RIP: 0010:refcount_warn_saturate+0xb1/0x120
+
+Call Trace:
+
+ c_show+0x2fc/0x380 [sunrpc]
+ seq_read_iter+0x589/0x770
+ seq_read+0x1e5/0x270
+ proc_reg_read+0xe1/0x140
+ vfs_read+0x125/0x530
+ ksys_read+0xc1/0x160
+ do_syscall_64+0x5f/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Cc: stable@vger.kernel.org # v4.20+
+Signed-off-by: Yang Erkun
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/cache.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -1431,7 +1431,9 @@ static int c_show(struct seq_file *m, vo
+ seq_printf(m, "# expiry=%lld refcnt=%d flags=%lx\n",
+ convert_to_wallclock(cp->expiry_time),
+ kref_read(&cp->ref), cp->flags);
+- cache_get(cp);
++ if (!cache_get_rcu(cp))
++ return 0;
++
+ if (cache_check(cd, cp, NULL))
+ /* cache_check does a cache_put on failure */
+ seq_puts(m, "# ");
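Review bot: When `cache_get_rcu(cp)` fails the function returns 0 after the `# expiry=... refcnt=...` line has already been written, so a reader of the proc file sees a header for an entry that is then silently dropped, and nothing at the new `return 0;` says why. At minimum a comment on the new branch would explain it: `/* refcount already hit zero: the entry is being torn down, skip it */`; since the header prints `kref_read(&cp->ref)`, such an entry is at least visible as refcnt=0. Moving the `cache_get_rcu()` check above the seq_printf() would avoid emitting the dangling header at all, at the cost of touching the existing lines, and I am not certain whether any consumer of the file relies on that header being present. c_show() starts and ends outside the hunk, so the matching cache_put() on the success path — presumably after cd->cache_show() — is not visible here.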
diff --git a/queue-6.6/ublk-fix-error-code-for-unsupported-command.patch b/queue-6.6/ublk-fix-error-code-for-unsupported-command.patch
new file mode 100644
index 00000000000..3a51be14927
--- /dev/null
+++ b/queue-6.6/ublk-fix-error-code-for-unsupported-command.patch
@@ -0,0 +1,34 @@
+From 34c1227035b3ab930a1ae6ab6f22fec1af8ab09e Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Tue, 19 Nov 2024 11:06:46 +0800
+Subject: ublk: fix error code for unsupported command
+
+From: Ming Lei
+
+commit 34c1227035b3ab930a1ae6ab6f22fec1af8ab09e upstream.
+
+ENOTSUPP is for kernel use only, and shouldn't be sent to userspace.
+
+Fix it by replacing it with EOPNOTSUPP.
+
+Cc: stable@vger.kernel.org
+Fixes: bfbcef036396 ("ublk_drv: move ublk_get_device_from_id into ublk_ctrl_uring_cmd")
+Signed-off-by: Ming Lei
+Link: https://lore.kernel.org/r/20241119030646.2319030-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/ublk_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -2913,7 +2913,7 @@ static int ublk_ctrl_uring_cmd(struct io
+ ret = ublk_ctrl_end_recovery(ub, cmd);
+ break;
+ default:
+- ret = -ENOTSUPP;
++ ret = -EOPNOTSUPP;
+ break;
+ }
+