From: Greg Kroah-Hartman Date: Tue, 11 Jul 2023 20:40:12 +0000 (+0200) Subject: 6.4-stable patches X-Git-Tag: v6.1.39~112 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7213dd22e1faf1ce7e954c9668592f59e91dc7d3;p=thirdparty%2Fkernel%2Fstable-queue.git 6.4-stable patches added patches: alsa-hda-realtek-add-quirk-for-clevo-npx0snx.patch alsa-hda-realtek-enable-mute-micmute-leds-and-limit-mic-boost-on-elitebook.patch alsa-jack-fix-mutex-call-in-snd_jack_report.patch alsa-pcm-fix-potential-data-race-at-pcm-memory-allocation-helpers.patch apparmor-fix-kzalloc-perms-tables-for-shared-dfas.patch block-add-overflow-checks-for-amiga-partition-support.patch block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch block-fix-signed-int-overflow-in-amiga-partition-support.patch block-increment-diskseq-on-all-media-change-events.patch btrfs-do-not-bug_on-on-tree-mod-log-failure-at-balance_level.patch btrfs-fix-race-when-deleting-free-space-root-from-the-dirty-cow-roots-list.patch mmc-block-ioctl-do-write-error-check-for-spi.patch sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch --- diff --git a/queue-6.4/alsa-hda-realtek-add-quirk-for-clevo-npx0snx.patch b/queue-6.4/alsa-hda-realtek-add-quirk-for-clevo-npx0snx.patch new file mode 100644 index 00000000000..e4e014644d8 --- /dev/null +++ b/queue-6.4/alsa-hda-realtek-add-quirk-for-clevo-npx0snx.patch @@ -0,0 +1,31 @@ +From 22065e4214c1196b54fc164892c2e193a743caf3 Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Wed, 28 Jun 2023 17:54:34 +0200 +Subject: ALSA: hda/realtek: Add quirk for Clevo NPx0SNx + +From: Werner Sembach + +commit 22065e4214c1196b54fc164892c2e193a743caf3 upstream. + +This applies a SND_PCI_QUIRK(...) to the Clevo NPx0SNx barebones fixing the +microphone not being detected on the headset combo port. + +Signed-off-by: Werner Sembach +Cc: +Link: https://lore.kernel.org/r/20230628155434.584159-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9682,6 +9682,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x971d, "Clevo N970T[CDF]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa500, "Clevo NL5[03]RU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa600, "Clevo NL50NU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0xa650, "Clevo NP[567]0SN[CD]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa671, "Clevo NP70SN[CDE]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xb018, "Clevo NP50D[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xb019, "Clevo NH77D[BE]Q", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/queue-6.4/alsa-hda-realtek-enable-mute-micmute-leds-and-limit-mic-boost-on-elitebook.patch b/queue-6.4/alsa-hda-realtek-enable-mute-micmute-leds-and-limit-mic-boost-on-elitebook.patch new file mode 100644 index 00000000000..e61b937d249 --- /dev/null +++ b/queue-6.4/alsa-hda-realtek-enable-mute-micmute-leds-and-limit-mic-boost-on-elitebook.patch @@ -0,0 +1,37 @@ +From e94f1f96f108ba96c0ed8bf3fbdd8ee6a6703880 Mon Sep 17 00:00:00 2001 +From: Andy Chi +Date: Mon, 26 Jun 2023 21:03:00 +0800 +Subject: ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on EliteBook + +From: Andy Chi + +commit e94f1f96f108ba96c0ed8bf3fbdd8ee6a6703880 upstream. + +On HP EliteBook 835/845/845W G10, the audio LEDs can be enabled by +ALC285_FIXUP_HP_MUTE_LED. So use it accordingly. + +Signed-off-by: Andy Chi +Cc: +Fixes: 3e10f6ca76c4 ("ALSA: hda/realtek: Add quirk for HP EliteBook G10 laptops") +Link: https://lore.kernel.org/r/20230626130301.301712-1-andy.chi@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9490,9 +9490,9 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8b63, "HP Elite Dragonfly 13.5 inch G4", ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b65, "HP ProBook 455 15.6 inch G10 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8b66, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), +- SND_PCI_QUIRK(0x103c, 0x8b70, "HP EliteBook 835 G10", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x103c, 0x8b72, "HP EliteBook 845 G10", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x103c, 0x8b74, "HP EliteBook 845W G10", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x103c, 0x8b70, "HP EliteBook 835 G10", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8b72, "HP EliteBook 845 G10", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8b74, "HP EliteBook 845W G10", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b77, "HP ElieBook 865 G10", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8b7a, "HP", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b7d, "HP", ALC236_FIXUP_HP_GPIO_LED), diff --git a/queue-6.4/alsa-jack-fix-mutex-call-in-snd_jack_report.patch b/queue-6.4/alsa-jack-fix-mutex-call-in-snd_jack_report.patch new file mode 100644 index 00000000000..b27f4b9dd2e --- /dev/null +++ b/queue-6.4/alsa-jack-fix-mutex-call-in-snd_jack_report.patch @@ -0,0 +1,87 @@ +From 89dbb335cb6a627a4067bc42caa09c8bc3326d40 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 6 Jul 2023 17:53:57 +0200 +Subject: ALSA: jack: Fix mutex call in snd_jack_report() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +commit 89dbb335cb6a627a4067bc42caa09c8bc3326d40 upstream. + +snd_jack_report() is supposed to be callable from an IRQ context, too, +and it's indeed used in that way from virtsnd driver. The fix for +input_dev race in commit 1b6a6fc5280e ("ALSA: jack: Access input_dev +under mutex"), however, introduced a mutex lock in snd_jack_report(), +and this resulted in a potential sleep-in-atomic. + +For addressing that problem, this patch changes the relevant code to +use the object get/put and removes the mutex usage. That is, +snd_jack_report(), it takes input_get_device() and leaves with +input_put_device() for assuring the input_dev being assigned. + +Although the whole mutex could be reduced, we keep it because it can +be still a protection for potential races between creation and +deletion. + +Fixes: 1b6a6fc5280e ("ALSA: jack: Access input_dev under mutex") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/cf95f7fe-a748-4990-8378-000491b40329@moroto.mountain +Tested-by: Amadeusz Sławiński +Cc: +Link: https://lore.kernel.org/r/20230706155357.3470-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/jack.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/sound/core/jack.c ++++ b/sound/core/jack.c +@@ -654,6 +654,7 @@ void snd_jack_report(struct snd_jack *ja + struct snd_jack_kctl *jack_kctl; + unsigned int mask_bits = 0; + #ifdef CONFIG_SND_JACK_INPUT_DEV ++ struct input_dev *idev; + int i; + #endif + +@@ -670,17 +671,15 @@ void snd_jack_report(struct snd_jack *ja + status & jack_kctl->mask_bits); + + #ifdef CONFIG_SND_JACK_INPUT_DEV +- mutex_lock(&jack->input_dev_lock); +- if (!jack->input_dev) { +- mutex_unlock(&jack->input_dev_lock); ++ idev = input_get_device(jack->input_dev); ++ if (!idev) + return; +- } + + for (i = 0; i < ARRAY_SIZE(jack->key); i++) { + int testbit = ((SND_JACK_BTN_0 >> i) & ~mask_bits); + + if (jack->type & testbit) +- input_report_key(jack->input_dev, jack->key[i], ++ input_report_key(idev, jack->key[i], + status & testbit); + } + +@@ -688,13 +687,13 @@ void snd_jack_report(struct snd_jack *ja + int testbit = ((1 << i) & ~mask_bits); + + if (jack->type & testbit) +- input_report_switch(jack->input_dev, ++ input_report_switch(idev, + jack_switch_types[i], + status & testbit); + } + +- input_sync(jack->input_dev); +- mutex_unlock(&jack->input_dev_lock); ++ input_sync(idev); ++ input_put_device(idev); + #endif /* CONFIG_SND_JACK_INPUT_DEV */ + } + EXPORT_SYMBOL(snd_jack_report); diff --git a/queue-6.4/alsa-pcm-fix-potential-data-race-at-pcm-memory-allocation-helpers.patch b/queue-6.4/alsa-pcm-fix-potential-data-race-at-pcm-memory-allocation-helpers.patch new file mode 100644 index 00000000000..1532243db6a --- /dev/null +++ b/queue-6.4/alsa-pcm-fix-potential-data-race-at-pcm-memory-allocation-helpers.patch @@ -0,0 +1,111 @@ +From bd55842ed998a622ba6611fe59b3358c9f76773d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 3 Jul 2023 13:24:30 +0200 +Subject: ALSA: pcm: Fix potential data race at PCM memory allocation helpers + +From: Takashi Iwai + +commit bd55842ed998a622ba6611fe59b3358c9f76773d upstream. + +The PCM memory allocation helpers have a sanity check against too many +buffer allocations. However, the check is performed without a proper +lock and the allocation isn't serialized; this allows user to allocate +more memories than predefined max size. + +Practically seen, this isn't really a big problem, as it's more or +less some "soft limit" as a sanity check, and it's not possible to +allocate unlimitedly. But it's still better to address this for more +consistent behavior. + +The patch covers the size check in do_alloc_pages() with the +card->memory_mutex, and increases the allocated size there for +preventing the further overflow. When the actual allocation fails, +the size is decreased accordingly. + +Reported-by: BassCheck +Reported-by: Tuo Li +Link: https://lore.kernel.org/r/CADm8Tek6t0WedK+3Y6rbE5YEt19tML8BUL45N2ji4ZAz1KcN_A@mail.gmail.com +Reviewed-by: Jaroslav Kysela +Cc: +Link: https://lore.kernel.org/r/20230703112430.30634-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_memory.c | 44 ++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 36 insertions(+), 8 deletions(-) + +--- a/sound/core/pcm_memory.c ++++ b/sound/core/pcm_memory.c +@@ -31,15 +31,41 @@ static unsigned long max_alloc_per_card + module_param(max_alloc_per_card, ulong, 0644); + MODULE_PARM_DESC(max_alloc_per_card, "Max total allocation bytes per card."); + ++static void __update_allocated_size(struct snd_card *card, ssize_t bytes) ++{ ++ card->total_pcm_alloc_bytes += bytes; ++} ++ ++static void update_allocated_size(struct snd_card *card, ssize_t bytes) ++{ ++ mutex_lock(&card->memory_mutex); ++ __update_allocated_size(card, bytes); ++ mutex_unlock(&card->memory_mutex); ++} ++ ++static void decrease_allocated_size(struct snd_card *card, size_t bytes) ++{ ++ mutex_lock(&card->memory_mutex); ++ WARN_ON(card->total_pcm_alloc_bytes < bytes); ++ __update_allocated_size(card, -(ssize_t)bytes); ++ mutex_unlock(&card->memory_mutex); ++} ++ + static int do_alloc_pages(struct snd_card *card, int type, struct device *dev, + int str, size_t size, struct snd_dma_buffer *dmab) + { + enum dma_data_direction dir; + int err; + ++ /* check and reserve the requested size */ ++ mutex_lock(&card->memory_mutex); + if (max_alloc_per_card && +- card->total_pcm_alloc_bytes + size > max_alloc_per_card) ++ card->total_pcm_alloc_bytes + size > max_alloc_per_card) { ++ mutex_unlock(&card->memory_mutex); + return -ENOMEM; ++ } ++ __update_allocated_size(card, size); ++ mutex_unlock(&card->memory_mutex); + + if (str == SNDRV_PCM_STREAM_PLAYBACK) + dir = DMA_TO_DEVICE; +@@ -47,9 +73,14 @@ static int do_alloc_pages(struct snd_car + dir = DMA_FROM_DEVICE; + err = snd_dma_alloc_dir_pages(type, dev, dir, size, dmab); + if (!err) { +- mutex_lock(&card->memory_mutex); +- card->total_pcm_alloc_bytes += dmab->bytes; +- mutex_unlock(&card->memory_mutex); ++ /* the actual allocation size might be bigger than requested, ++ * and we need to correct the account ++ */ ++ if (dmab->bytes != size) ++ update_allocated_size(card, dmab->bytes - size); ++ } else { ++ /* take back on allocation failure */ ++ decrease_allocated_size(card, size); + } + return err; + } +@@ -58,10 +89,7 @@ static void do_free_pages(struct snd_car + { + if (!dmab->area) + return; +- mutex_lock(&card->memory_mutex); +- WARN_ON(card->total_pcm_alloc_bytes < dmab->bytes); +- card->total_pcm_alloc_bytes -= dmab->bytes; +- mutex_unlock(&card->memory_mutex); ++ decrease_allocated_size(card, dmab->bytes); + snd_dma_free_pages(dmab); + dmab->area = NULL; + } diff --git a/queue-6.4/apparmor-fix-kzalloc-perms-tables-for-shared-dfas.patch b/queue-6.4/apparmor-fix-kzalloc-perms-tables-for-shared-dfas.patch new file mode 100644 index 00000000000..889325ee986 --- /dev/null +++ b/queue-6.4/apparmor-fix-kzalloc-perms-tables-for-shared-dfas.patch @@ -0,0 +1,98 @@ +From ec6851ae0ab4587e610e260ddda75f92f3389f91 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Sat, 15 Apr 2023 00:50:32 -0700 +Subject: apparmor: fix: kzalloc perms tables for shared dfas + +From: John Johansen + +commit ec6851ae0ab4587e610e260ddda75f92f3389f91 upstream. + +Currently the permstables of the shared dfas are not shared, and need +to be allocated and copied. In the future this should be addressed +with a larger rework on dfa and pdb ref counts and structure sharing. + +BugLink: http://bugs.launchpad.net/bugs/2017903 +Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments") +Cc: stable@vger.kernel.org +Signed-off-by: John Johansen +Reviewed-by: Jon Tourville +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/policy.c | 13 +++++++++++++ + security/apparmor/policy_unpack.c | 26 ++++++++++++++++++++++---- + 2 files changed, 35 insertions(+), 4 deletions(-) + +--- a/security/apparmor/policy.c ++++ b/security/apparmor/policy.c +@@ -591,7 +591,15 @@ struct aa_profile *aa_alloc_null(struct + profile->label.flags |= FLAG_NULL; + rules = list_first_entry(&profile->rules, typeof(*rules), list); + rules->file.dfa = aa_get_dfa(nulldfa); ++ rules->file.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL); ++ if (!rules->file.perms) ++ goto fail; ++ rules->file.size = 2; + rules->policy.dfa = aa_get_dfa(nulldfa); ++ rules->policy.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL); ++ if (!rules->policy.perms) ++ goto fail; ++ rules->policy.size = 2; + + if (parent) { + profile->path_flags = parent->path_flags; +@@ -602,6 +610,11 @@ struct aa_profile *aa_alloc_null(struct + } + + return profile; ++ ++fail: ++ aa_free_profile(profile); ++ ++ return NULL; + } + + /** +--- a/security/apparmor/policy_unpack.c ++++ b/security/apparmor/policy_unpack.c +@@ -988,9 +988,14 @@ static struct aa_profile *unpack_profile + info = "failed to remap policydb permission table"; + goto fail; + } +- } else ++ } else { + rules->policy.dfa = aa_get_dfa(nulldfa); +- ++ rules->policy.perms = kcalloc(2, sizeof(struct aa_perms), ++ GFP_KERNEL); ++ if (!rules->policy.perms) ++ goto fail; ++ rules->policy.size = 2; ++ } + /* get file rules */ + error = unpack_pdb(e, &rules->file, false, true, &info); + if (error) { +@@ -1005,9 +1010,22 @@ static struct aa_profile *unpack_profile + rules->policy.start[AA_CLASS_FILE]) { + rules->file.dfa = aa_get_dfa(rules->policy.dfa); + rules->file.start[AA_CLASS_FILE] = rules->policy.start[AA_CLASS_FILE]; +- } else ++ rules->file.perms = kcalloc(rules->policy.size, ++ sizeof(struct aa_perms), ++ GFP_KERNEL); ++ if (!rules->file.perms) ++ goto fail; ++ memcpy(rules->file.perms, rules->policy.perms, ++ rules->policy.size * sizeof(struct aa_perms)); ++ rules->file.size = rules->policy.size; ++ } else { + rules->file.dfa = aa_get_dfa(nulldfa); +- ++ rules->file.perms = kcalloc(2, sizeof(struct aa_perms), ++ GFP_KERNEL); ++ if (!rules->file.perms) ++ goto fail; ++ rules->file.size = 2; ++ } + error = -EPROTO; + if (aa_unpack_nameX(e, AA_STRUCT, "data")) { + info = "out of memory"; diff --git a/queue-6.4/block-add-overflow-checks-for-amiga-partition-support.patch b/queue-6.4/block-add-overflow-checks-for-amiga-partition-support.patch new file mode 100644 index 00000000000..2114e10d039 --- /dev/null +++ b/queue-6.4/block-add-overflow-checks-for-amiga-partition-support.patch @@ -0,0 +1,202 @@ +From b6f3f28f604ba3de4724ad82bea6adb1300c0b5f Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 21 Jun 2023 08:17:25 +1200 +Subject: block: add overflow checks for Amiga partition support + +From: Michael Schmitz + +commit b6f3f28f604ba3de4724ad82bea6adb1300c0b5f upstream. + +The Amiga partition parser module uses signed int for partition sector +address and count, which will overflow for disks larger than 1 TB. + +Use u64 as type for sector address and size to allow using disks up to +2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD +format allows to specify disk sizes up to 2^128 bytes (though native +OS limitations reduce this somewhat, to max 2^68 bytes), so check for +u64 overflow carefully to protect against overflowing sector_t. + +Bail out if sector addresses overflow 32 bits on kernels without LBD +support. + +This bug was reported originally in 2012, and the fix was created by +the RDB author, Joanne Dow . A patch had been +discussed and reviewed on linux-m68k at that time but never officially +submitted (now resubmitted as patch 1 in this series). +This patch adds additional error checking and warning messages. + +Reported-by: Martin Steigerwald +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Message-ID: <201206192146.09327.Martin@lichtvoll.de> +Cc: # 5.2 +Signed-off-by: Michael Schmitz +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230620201725.7020-4-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/amiga.c | 103 ++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 85 insertions(+), 18 deletions(-) + +--- a/block/partitions/amiga.c ++++ b/block/partitions/amiga.c +@@ -11,10 +11,18 @@ + #define pr_fmt(fmt) fmt + + #include ++#include ++#include + #include + + #include "check.h" + ++/* magic offsets in partition DosEnvVec */ ++#define NR_HD 3 ++#define NR_SECT 5 ++#define LO_CYL 9 ++#define HI_CYL 10 ++ + static __inline__ u32 + checksum_block(__be32 *m, int size) + { +@@ -31,9 +39,12 @@ int amiga_partition(struct parsed_partit + unsigned char *data; + struct RigidDiskBlock *rdb; + struct PartitionBlock *pb; +- sector_t start_sect, nr_sects; +- int blk, part, res = 0; +- int blksize = 1; /* Multiplier for disk block size */ ++ u64 start_sect, nr_sects; ++ sector_t blk, end_sect; ++ u32 cylblk; /* rdb_CylBlocks = nr_heads*sect_per_track */ ++ u32 nr_hd, nr_sect, lo_cyl, hi_cyl; ++ int part, res = 0; ++ unsigned int blksize = 1; /* Multiplier for disk block size */ + int slot = 1; + + for (blk = 0; ; blk++, put_dev_sector(sect)) { +@@ -41,7 +52,7 @@ int amiga_partition(struct parsed_partit + goto rdb_done; + data = read_part_sector(state, blk, §); + if (!data) { +- pr_err("Dev %s: unable to read RDB block %d\n", ++ pr_err("Dev %s: unable to read RDB block %llu\n", + state->disk->disk_name, blk); + res = -1; + goto rdb_done; +@@ -58,12 +69,12 @@ int amiga_partition(struct parsed_partit + *(__be32 *)(data+0xdc) = 0; + if (checksum_block((__be32 *)data, + be32_to_cpu(rdb->rdb_SummedLongs) & 0x7F)==0) { +- pr_err("Trashed word at 0xd0 in block %d ignored in checksum calculation\n", ++ pr_err("Trashed word at 0xd0 in block %llu ignored in checksum calculation\n", + blk); + break; + } + +- pr_err("Dev %s: RDB in block %d has bad checksum\n", ++ pr_err("Dev %s: RDB in block %llu has bad checksum\n", + state->disk->disk_name, blk); + } + +@@ -80,10 +91,15 @@ int amiga_partition(struct parsed_partit + blk = be32_to_cpu(rdb->rdb_PartitionList); + put_dev_sector(sect); + for (part = 1; blk>0 && part<=16; part++, put_dev_sector(sect)) { +- blk *= blksize; /* Read in terms partition table understands */ ++ /* Read in terms partition table understands */ ++ if (check_mul_overflow(blk, (sector_t) blksize, &blk)) { ++ pr_err("Dev %s: overflow calculating partition block %llu! Skipping partitions %u and beyond\n", ++ state->disk->disk_name, blk, part); ++ break; ++ } + data = read_part_sector(state, blk, §); + if (!data) { +- pr_err("Dev %s: unable to read partition block %d\n", ++ pr_err("Dev %s: unable to read partition block %llu\n", + state->disk->disk_name, blk); + res = -1; + goto rdb_done; +@@ -95,19 +111,70 @@ int amiga_partition(struct parsed_partit + if (checksum_block((__be32 *)pb, be32_to_cpu(pb->pb_SummedLongs) & 0x7F) != 0 ) + continue; + +- /* Tell Kernel about it */ ++ /* RDB gives us more than enough rope to hang ourselves with, ++ * many times over (2^128 bytes if all fields max out). ++ * Some careful checks are in order, so check for potential ++ * overflows. ++ * We are multiplying four 32 bit numbers to one sector_t! ++ */ ++ ++ nr_hd = be32_to_cpu(pb->pb_Environment[NR_HD]); ++ nr_sect = be32_to_cpu(pb->pb_Environment[NR_SECT]); ++ ++ /* CylBlocks is total number of blocks per cylinder */ ++ if (check_mul_overflow(nr_hd, nr_sect, &cylblk)) { ++ pr_err("Dev %s: heads*sects %u overflows u32, skipping partition!\n", ++ state->disk->disk_name, cylblk); ++ continue; ++ } ++ ++ /* check for consistency with RDB defined CylBlocks */ ++ if (cylblk > be32_to_cpu(rdb->rdb_CylBlocks)) { ++ pr_warn("Dev %s: cylblk %u > rdb_CylBlocks %u!\n", ++ state->disk->disk_name, cylblk, ++ be32_to_cpu(rdb->rdb_CylBlocks)); ++ } ++ ++ /* RDB allows for variable logical block size - ++ * normalize to 512 byte blocks and check result. ++ */ ++ ++ if (check_mul_overflow(cylblk, blksize, &cylblk)) { ++ pr_err("Dev %s: partition %u bytes per cyl. overflows u32, skipping partition!\n", ++ state->disk->disk_name, part); ++ continue; ++ } ++ ++ /* Calculate partition start and end. Limit of 32 bit on cylblk ++ * guarantees no overflow occurs if LBD support is enabled. ++ */ ++ ++ lo_cyl = be32_to_cpu(pb->pb_Environment[LO_CYL]); ++ start_sect = ((u64) lo_cyl * cylblk); ++ ++ hi_cyl = be32_to_cpu(pb->pb_Environment[HI_CYL]); ++ nr_sects = (((u64) hi_cyl - lo_cyl + 1) * cylblk); + +- nr_sects = ((sector_t)be32_to_cpu(pb->pb_Environment[10]) + 1 - +- be32_to_cpu(pb->pb_Environment[9])) * +- be32_to_cpu(pb->pb_Environment[3]) * +- be32_to_cpu(pb->pb_Environment[5]) * +- blksize; + if (!nr_sects) + continue; +- start_sect = (sector_t)be32_to_cpu(pb->pb_Environment[9]) * +- be32_to_cpu(pb->pb_Environment[3]) * +- be32_to_cpu(pb->pb_Environment[5]) * +- blksize; ++ ++ /* Warn user if partition end overflows u32 (AmigaDOS limit) */ ++ ++ if ((start_sect + nr_sects) > UINT_MAX) { ++ pr_warn("Dev %s: partition %u (%llu-%llu) needs 64 bit device support!\n", ++ state->disk->disk_name, part, ++ start_sect, start_sect + nr_sects); ++ } ++ ++ if (check_add_overflow(start_sect, nr_sects, &end_sect)) { ++ pr_err("Dev %s: partition %u (%llu-%llu) needs LBD device support, skipping partition!\n", ++ state->disk->disk_name, part, ++ start_sect, end_sect); ++ continue; ++ } ++ ++ /* Tell Kernel about it */ ++ + put_partition(state,slot++,start_sect,nr_sects); + { + /* Be even more informative to aid mounting */ diff --git a/queue-6.4/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch b/queue-6.4/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch new file mode 100644 index 00000000000..ca54e71c9d2 --- /dev/null +++ b/queue-6.4/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch @@ -0,0 +1,142 @@ +From 95a55437dc49fb3342c82e61f5472a71c63d9ed0 Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 21 Jun 2023 08:17:24 +1200 +Subject: block: change all __u32 annotations to __be32 in affs_hardblocks.h + +From: Michael Schmitz + +commit 95a55437dc49fb3342c82e61f5472a71c63d9ed0 upstream. + +The Amiga partition parser module uses signed int for partition sector +address and count, which will overflow for disks larger than 1 TB. + +Use u64 as type for sector address and size to allow using disks up to +2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD +format allows to specify disk sizes up to 2^128 bytes (though native +OS limitations reduce this somewhat, to max 2^68 bytes), so check for +u64 overflow carefully to protect against overflowing sector_t. + +This bug was reported originally in 2012, and the fix was created by +the RDB author, Joanne Dow . A patch had been +discussed and reviewed on linux-m68k at that time but never officially +submitted (now resubmitted as patch 1 of this series). + +Patch 3 (this series) adds additional error checking and warning +messages. One of the error checks now makes use of the previously +unused rdb_CylBlocks field, which causes a 'sparse' warning +(cast to restricted __be32). + +Annotate all 32 bit fields in affs_hardblocks.h as __be32, as the +on-disk format of RDB and partition blocks is always big endian. + +Reported-by: Martin Steigerwald +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Message-ID: <201206192146.09327.Martin@lichtvoll.de> +Cc: # 5.2 +Signed-off-by: Michael Schmitz +Reviewed-by: Christoph Hellwig +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230620201725.7020-3-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/affs_hardblocks.h | 68 +++++++++++++++++------------------ + 1 file changed, 34 insertions(+), 34 deletions(-) + +--- a/include/uapi/linux/affs_hardblocks.h ++++ b/include/uapi/linux/affs_hardblocks.h +@@ -7,42 +7,42 @@ + /* Just the needed definitions for the RDB of an Amiga HD. */ + + struct RigidDiskBlock { +- __u32 rdb_ID; ++ __be32 rdb_ID; + __be32 rdb_SummedLongs; +- __s32 rdb_ChkSum; +- __u32 rdb_HostID; ++ __be32 rdb_ChkSum; ++ __be32 rdb_HostID; + __be32 rdb_BlockBytes; +- __u32 rdb_Flags; +- __u32 rdb_BadBlockList; ++ __be32 rdb_Flags; ++ __be32 rdb_BadBlockList; + __be32 rdb_PartitionList; +- __u32 rdb_FileSysHeaderList; +- __u32 rdb_DriveInit; +- __u32 rdb_Reserved1[6]; +- __u32 rdb_Cylinders; +- __u32 rdb_Sectors; +- __u32 rdb_Heads; +- __u32 rdb_Interleave; +- __u32 rdb_Park; +- __u32 rdb_Reserved2[3]; +- __u32 rdb_WritePreComp; +- __u32 rdb_ReducedWrite; +- __u32 rdb_StepRate; +- __u32 rdb_Reserved3[5]; +- __u32 rdb_RDBBlocksLo; +- __u32 rdb_RDBBlocksHi; +- __u32 rdb_LoCylinder; +- __u32 rdb_HiCylinder; +- __u32 rdb_CylBlocks; +- __u32 rdb_AutoParkSeconds; +- __u32 rdb_HighRDSKBlock; +- __u32 rdb_Reserved4; ++ __be32 rdb_FileSysHeaderList; ++ __be32 rdb_DriveInit; ++ __be32 rdb_Reserved1[6]; ++ __be32 rdb_Cylinders; ++ __be32 rdb_Sectors; ++ __be32 rdb_Heads; ++ __be32 rdb_Interleave; ++ __be32 rdb_Park; ++ __be32 rdb_Reserved2[3]; ++ __be32 rdb_WritePreComp; ++ __be32 rdb_ReducedWrite; ++ __be32 rdb_StepRate; ++ __be32 rdb_Reserved3[5]; ++ __be32 rdb_RDBBlocksLo; ++ __be32 rdb_RDBBlocksHi; ++ __be32 rdb_LoCylinder; ++ __be32 rdb_HiCylinder; ++ __be32 rdb_CylBlocks; ++ __be32 rdb_AutoParkSeconds; ++ __be32 rdb_HighRDSKBlock; ++ __be32 rdb_Reserved4; + char rdb_DiskVendor[8]; + char rdb_DiskProduct[16]; + char rdb_DiskRevision[4]; + char rdb_ControllerVendor[8]; + char rdb_ControllerProduct[16]; + char rdb_ControllerRevision[4]; +- __u32 rdb_Reserved5[10]; ++ __be32 rdb_Reserved5[10]; + }; + + #define IDNAME_RIGIDDISK 0x5244534B /* "RDSK" */ +@@ -50,16 +50,16 @@ struct RigidDiskBlock { + struct PartitionBlock { + __be32 pb_ID; + __be32 pb_SummedLongs; +- __s32 pb_ChkSum; +- __u32 pb_HostID; ++ __be32 pb_ChkSum; ++ __be32 pb_HostID; + __be32 pb_Next; +- __u32 pb_Flags; +- __u32 pb_Reserved1[2]; +- __u32 pb_DevFlags; ++ __be32 pb_Flags; ++ __be32 pb_Reserved1[2]; ++ __be32 pb_DevFlags; + __u8 pb_DriveName[32]; +- __u32 pb_Reserved2[15]; ++ __be32 pb_Reserved2[15]; + __be32 pb_Environment[17]; +- __u32 pb_EReserved[15]; ++ __be32 pb_EReserved[15]; + }; + + #define IDNAME_PARTITION 0x50415254 /* "PART" */ diff --git a/queue-6.4/block-fix-signed-int-overflow-in-amiga-partition-support.patch b/queue-6.4/block-fix-signed-int-overflow-in-amiga-partition-support.patch new file mode 100644 index 00000000000..d0df6038a91 --- /dev/null +++ b/queue-6.4/block-fix-signed-int-overflow-in-amiga-partition-support.patch @@ -0,0 +1,68 @@ +From fc3d092c6bb48d5865fec15ed5b333c12f36288c Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 21 Jun 2023 08:17:23 +1200 +Subject: block: fix signed int overflow in Amiga partition support + +From: Michael Schmitz + +commit fc3d092c6bb48d5865fec15ed5b333c12f36288c upstream. + +The Amiga partition parser module uses signed int for partition sector +address and count, which will overflow for disks larger than 1 TB. + +Use sector_t as type for sector address and size to allow using disks +up to 2 TB without LBD support, and disks larger than 2 TB with LBD. + +This bug was reported originally in 2012, and the fix was created by +the RDB author, Joanne Dow . A patch had been +discussed and reviewed on linux-m68k at that time but never officially +submitted. This patch differs from Joanne's patch only in its use of +sector_t instead of unsigned int. No checking for overflows is done +(see patch 3 of this series for that). + +Reported-by: Martin Steigerwald +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Message-ID: <201206192146.09327.Martin@lichtvoll.de> +Cc: # 5.2 +Signed-off-by: Michael Schmitz +Tested-by: Martin Steigerwald +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230620201725.7020-2-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/amiga.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/block/partitions/amiga.c ++++ b/block/partitions/amiga.c +@@ -31,7 +31,8 @@ int amiga_partition(struct parsed_partit + unsigned char *data; + struct RigidDiskBlock *rdb; + struct PartitionBlock *pb; +- int start_sect, nr_sects, blk, part, res = 0; ++ sector_t start_sect, nr_sects; ++ int blk, part, res = 0; + int blksize = 1; /* Multiplier for disk block size */ + int slot = 1; + +@@ -96,14 +97,14 @@ int amiga_partition(struct parsed_partit + + /* Tell Kernel about it */ + +- nr_sects = (be32_to_cpu(pb->pb_Environment[10]) + 1 - +- be32_to_cpu(pb->pb_Environment[9])) * ++ nr_sects = ((sector_t)be32_to_cpu(pb->pb_Environment[10]) + 1 - ++ be32_to_cpu(pb->pb_Environment[9])) * + be32_to_cpu(pb->pb_Environment[3]) * + be32_to_cpu(pb->pb_Environment[5]) * + blksize; + if (!nr_sects) + continue; +- start_sect = be32_to_cpu(pb->pb_Environment[9]) * ++ start_sect = (sector_t)be32_to_cpu(pb->pb_Environment[9]) * + be32_to_cpu(pb->pb_Environment[3]) * + be32_to_cpu(pb->pb_Environment[5]) * + blksize; diff --git a/queue-6.4/block-increment-diskseq-on-all-media-change-events.patch b/queue-6.4/block-increment-diskseq-on-all-media-change-events.patch new file mode 100644 index 00000000000..cadfa466c79 --- /dev/null +++ b/queue-6.4/block-increment-diskseq-on-all-media-change-events.patch @@ -0,0 +1,55 @@ +From b90ecc0379eb7bbe79337b0c7289390a98752646 Mon Sep 17 00:00:00 2001 +From: Demi Marie Obenour +Date: Wed, 7 Jun 2023 13:08:37 -0400 +Subject: block: increment diskseq on all media change events + +From: Demi Marie Obenour + +commit b90ecc0379eb7bbe79337b0c7289390a98752646 upstream. + +Currently, associating a loop device with a different file descriptor +does not increment its diskseq. This allows the following race +condition: + +1. Program X opens a loop device +2. Program X gets the diskseq of the loop device. +3. Program X associates a file with the loop device. +4. Program X passes the loop device major, minor, and diskseq to + something. +5. Program X exits. +6. Program Y detaches the file from the loop device. +7. Program Y attaches a different file to the loop device. +8. The opener finally gets around to opening the loop device and checks + that the diskseq is what it expects it to be. Even though the + diskseq is the expected value, the result is that the opener is + accessing the wrong file. + +From discussions with Christoph Hellwig, it appears that +disk_force_media_change() was supposed to call inc_diskseq(), but in +fact it does not. Adding a Fixes: tag to indicate this. Christoph's +Reported-by is because he stated that disk_force_media_change() +calls inc_diskseq(), which is what led me to discover that it should but +does not. + +Reported-by: Christoph Hellwig +Signed-off-by: Demi Marie Obenour +Fixes: e6138dc12de9 ("block: add a helper to raise a media changed event") +Cc: stable@vger.kernel.org # 5.15+ +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230607170837.1559-1-demi@invisiblethingslab.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/disk-events.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/block/disk-events.c ++++ b/block/disk-events.c +@@ -307,6 +307,7 @@ bool disk_force_media_change(struct gend + if (!(events & DISK_EVENT_MEDIA_CHANGE)) + return false; + ++ inc_diskseq(disk); + if (__invalidate_device(disk->part0, true)) + pr_warn("VFS: busy inodes on changed media %s\n", + disk->disk_name); diff --git a/queue-6.4/btrfs-do-not-bug_on-on-tree-mod-log-failure-at-balance_level.patch b/queue-6.4/btrfs-do-not-bug_on-on-tree-mod-log-failure-at-balance_level.patch new file mode 100644 index 00000000000..991154e224c --- /dev/null +++ b/queue-6.4/btrfs-do-not-bug_on-on-tree-mod-log-failure-at-balance_level.patch @@ -0,0 +1,67 @@ +From 39020d8abc7ec62c4de9b260e3d10d4a1c2478ce Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Thu, 8 Jun 2023 11:27:41 +0100 +Subject: btrfs: do not BUG_ON() on tree mod log failure at balance_level() + +From: Filipe Manana + +commit 39020d8abc7ec62c4de9b260e3d10d4a1c2478ce upstream. + +At balance_level(), instead of doing a BUG_ON() in case we fail to record +tree mod log operations, do a transaction abort and return the error to +the callers. There's really no need for the BUG_ON() as we can release +all resources in this context, and we have to abort because other future +tree searches that use the tree mod log (btrfs_search_old_slot()) may get +inconsistent results if other operations modify the tree after that +failure and before the tree mod log based search. + +CC: stable@vger.kernel.org # 5.4+ +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ctree.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -1042,7 +1042,12 @@ static noinline int balance_level(struct + } + + ret = btrfs_tree_mod_log_insert_root(root->node, child, true); +- BUG_ON(ret < 0); ++ if (ret < 0) { ++ btrfs_tree_unlock(child); ++ free_extent_buffer(child); ++ btrfs_abort_transaction(trans, ret); ++ goto enospc; ++ } + rcu_assign_pointer(root->node, child); + + add_root_to_dirty_list(root); +@@ -1130,7 +1135,10 @@ static noinline int balance_level(struct + btrfs_node_key(right, &right_key, 0); + ret = btrfs_tree_mod_log_insert_key(parent, pslot + 1, + BTRFS_MOD_LOG_KEY_REPLACE); +- BUG_ON(ret < 0); ++ if (ret < 0) { ++ btrfs_abort_transaction(trans, ret); ++ goto enospc; ++ } + btrfs_set_node_key(parent, &right_key, pslot + 1); + btrfs_mark_buffer_dirty(parent); + } +@@ -1176,7 +1184,10 @@ static noinline int balance_level(struct + btrfs_node_key(mid, &mid_key, 0); + ret = btrfs_tree_mod_log_insert_key(parent, pslot, + BTRFS_MOD_LOG_KEY_REPLACE); +- BUG_ON(ret < 0); ++ if (ret < 0) { ++ btrfs_abort_transaction(trans, ret); ++ goto enospc; ++ } + btrfs_set_node_key(parent, &mid_key, pslot); + btrfs_mark_buffer_dirty(parent); + } diff --git a/queue-6.4/btrfs-fix-race-when-deleting-free-space-root-from-the-dirty-cow-roots-list.patch b/queue-6.4/btrfs-fix-race-when-deleting-free-space-root-from-the-dirty-cow-roots-list.patch new file mode 100644 index 00000000000..bded2b9b517 --- /dev/null +++ b/queue-6.4/btrfs-fix-race-when-deleting-free-space-root-from-the-dirty-cow-roots-list.patch @@ -0,0 +1,85 @@ +From babebf023e661b90b1c78b2baa384fb03a226879 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 19 Jun 2023 17:21:48 +0100 +Subject: btrfs: fix race when deleting free space root from the dirty cow roots list + +From: Filipe Manana + +commit babebf023e661b90b1c78b2baa384fb03a226879 upstream. + +When deleting the free space tree we are deleting the free space root +from the list fs_info->dirty_cowonly_roots without taking the lock that +protects it, which is struct btrfs_fs_info::trans_lock. +This unsynchronized list manipulation may cause chaos if there's another +concurrent manipulation of this list, such as when adding a root to it +with ctree.c:add_root_to_dirty_list(). + +This can result in all sorts of weird failures caused by a race, such as +the following crash: + + [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI + [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 + [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 + [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] + [337571.279928] Code: 85 38 06 00 (...) + [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 + [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 + [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 + [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b + [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 + [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 + [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 + [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 + [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [337571.282874] Call Trace: + [337571.283101] + [337571.283327] ? __die_body+0x1b/0x60 + [337571.283570] ? die_addr+0x39/0x60 + [337571.283796] ? exc_general_protection+0x22e/0x430 + [337571.284022] ? asm_exc_general_protection+0x22/0x30 + [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] + [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] + [337571.284803] ? _raw_spin_unlock+0x15/0x30 + [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] + [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] + [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] + [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 + [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] + [337571.286358] ? mod_objcg_state+0xd2/0x360 + [337571.286577] ? refill_obj_stock+0xb0/0x160 + [337571.286798] ? seq_release+0x25/0x30 + [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 + [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 + [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 + [337571.287675] __x64_sys_ioctl+0x88/0xc0 + [337571.287901] do_syscall_64+0x38/0x90 + [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc + [337571.288352] RIP: 0033:0x7f478aaffe9b + +So fix this by locking struct btrfs_fs_info::trans_lock before deleting +the free space root from that list. + +Fixes: a5ed91828518 ("Btrfs: implement the free space B-tree") +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/free-space-tree.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/free-space-tree.c ++++ b/fs/btrfs/free-space-tree.c +@@ -1280,7 +1280,10 @@ int btrfs_delete_free_space_tree(struct + goto abort; + + btrfs_global_root_delete(free_space_root); ++ ++ spin_lock(&fs_info->trans_lock); + list_del(&free_space_root->dirty_list); ++ spin_unlock(&fs_info->trans_lock); + + btrfs_tree_lock(free_space_root->node); + btrfs_clear_buffer_dirty(trans, free_space_root->node); diff --git a/queue-6.4/mmc-block-ioctl-do-write-error-check-for-spi.patch b/queue-6.4/mmc-block-ioctl-do-write-error-check-for-spi.patch new file mode 100644 index 00000000000..8fb73a1aee7 --- /dev/null +++ b/queue-6.4/mmc-block-ioctl-do-write-error-check-for-spi.patch @@ -0,0 +1,46 @@ +From 568898cbc8b570311b3b94a3202b8233f4168144 Mon Sep 17 00:00:00 2001 +From: Christian Loehle +Date: Thu, 25 May 2023 09:56:04 +0000 +Subject: mmc: block: ioctl: do write error check for spi + +From: Christian Loehle + +commit 568898cbc8b570311b3b94a3202b8233f4168144 upstream. + +SPI doesn't have the usual PROG path we can check for error bits +after moving back to TRAN. Instead it holds the line LOW until +completion. We can then check if the card shows any errors or +is in IDLE state, indicating the line is no longer LOW because +the card was reset. + +Signed-off-by: Christian Loehle +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/55920f880c9742f486f64aa44e25508e@hyperstone.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/block.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -178,6 +178,7 @@ static void mmc_blk_rw_rq_prep(struct mm + int recovery_mode, + struct mmc_queue *mq); + static void mmc_blk_hsq_req_done(struct mmc_request *mrq); ++static int mmc_spi_err_check(struct mmc_card *card); + + static struct mmc_blk_data *mmc_blk_get(struct gendisk *disk) + { +@@ -608,6 +609,11 @@ static int __mmc_blk_ioctl_cmd(struct mm + if ((card->host->caps & MMC_CAP_WAIT_WHILE_BUSY) && use_r1b_resp) + return 0; + ++ if (mmc_host_is_spi(card->host)) { ++ if (idata->ic.write_flag || r1b_resp || cmd.flags & MMC_RSP_SPI_BUSY) ++ return mmc_spi_err_check(card); ++ return err; ++ } + /* Ensure RPMB/R1B command has completed by polling with CMD13. */ + if (idata->rpmb || r1b_resp) + err = mmc_poll_for_busy(card, busy_timeout_ms, false, diff --git a/queue-6.4/series b/queue-6.4/series index 916359c496c..dd842639c21 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -516,6 +516,19 @@ dax-fix-dax_mapping_release-use-after-free.patch dax-introduce-alloc_dev_dax_id.patch dax-kmem-pass-valid-argument-to-memory_group_registe.patch hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch +alsa-hda-realtek-enable-mute-micmute-leds-and-limit-mic-boost-on-elitebook.patch +alsa-hda-realtek-add-quirk-for-clevo-npx0snx.patch +alsa-jack-fix-mutex-call-in-snd_jack_report.patch +alsa-pcm-fix-potential-data-race-at-pcm-memory-allocation-helpers.patch +apparmor-fix-kzalloc-perms-tables-for-shared-dfas.patch +block-fix-signed-int-overflow-in-amiga-partition-support.patch +block-add-overflow-checks-for-amiga-partition-support.patch +block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch +block-increment-diskseq-on-all-media-change-events.patch +mmc-block-ioctl-do-write-error-check-for-spi.patch +btrfs-fix-race-when-deleting-free-space-root-from-the-dirty-cow-roots-list.patch +btrfs-do-not-bug_on-on-tree-mod-log-failure-at-balance_level.patch +sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch kbuild-fix-cfi-failures-with-gcov.patch kbuild-disable-gcov-for-.mod.o.patch cxl-region-move-cache-invalidation-before-region-tea.patch diff --git a/queue-6.4/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch b/queue-6.4/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch new file mode 100644 index 00000000000..25cd296c641 --- /dev/null +++ b/queue-6.4/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch @@ -0,0 +1,138 @@ +From fc80fc2d4e39137869da3150ee169b40bf879287 Mon Sep 17 00:00:00 2001 +From: Ding Hui +Date: Mon, 15 May 2023 10:13:07 +0800 +Subject: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() + +From: Ding Hui + +commit fc80fc2d4e39137869da3150ee169b40bf879287 upstream. + +After the listener svc_sock is freed, and before invoking svc_tcp_accept() +for the established child sock, there is a window that the newsock +retaining a freed listener svc_sock in sk_user_data which cloning from +parent. In the race window, if data is received on the newsock, we will +observe use-after-free report in svc_tcp_listen_data_ready(). + +Reproduce by two tasks: + +1. while :; do rpc.nfsd 0 ; rpc.nfsd; done +2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done + +KASAN report: + + ================================================================== + BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] + Read of size 8 at addr ffff888139d96228 by task nc/102553 + CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 + Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 + Call Trace: + + dump_stack_lvl+0x33/0x50 + print_address_description.constprop.0+0x27/0x310 + print_report+0x3e/0x70 + kasan_report+0xae/0xe0 + svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] + tcp_data_queue+0x9f4/0x20e0 + tcp_rcv_established+0x666/0x1f60 + tcp_v4_do_rcv+0x51c/0x850 + tcp_v4_rcv+0x23fc/0x2e80 + ip_protocol_deliver_rcu+0x62/0x300 + ip_local_deliver_finish+0x267/0x350 + ip_local_deliver+0x18b/0x2d0 + ip_rcv+0x2fb/0x370 + __netif_receive_skb_one_core+0x166/0x1b0 + process_backlog+0x24c/0x5e0 + __napi_poll+0xa2/0x500 + net_rx_action+0x854/0xc90 + __do_softirq+0x1bb/0x5de + do_softirq+0xcb/0x100 + + + ... + + + Allocated by task 102371: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x7b/0x90 + svc_setup_socket+0x52/0x4f0 [sunrpc] + svc_addsock+0x20d/0x400 [sunrpc] + __write_ports_addfd+0x209/0x390 [nfsd] + write_ports+0x239/0x2c0 [nfsd] + nfsctl_transaction_write+0xac/0x110 [nfsd] + vfs_write+0x1c3/0xae0 + ksys_write+0xed/0x1c0 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + + Freed by task 102551: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x2a/0x50 + __kasan_slab_free+0x106/0x190 + __kmem_cache_free+0x133/0x270 + svc_xprt_free+0x1e2/0x350 [sunrpc] + svc_xprt_destroy_all+0x25a/0x440 [sunrpc] + nfsd_put+0x125/0x240 [nfsd] + nfsd_svc+0x2cb/0x3c0 [nfsd] + write_threads+0x1ac/0x2a0 [nfsd] + nfsctl_transaction_write+0xac/0x110 [nfsd] + vfs_write+0x1c3/0xae0 + ksys_write+0xed/0x1c0 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() +if state != TCP_LISTEN, that will avoid dereferencing svsk for all +child socket. + +Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/ +Fixes: fa9251afc33c ("SUNRPC: Call the default socket callbacks instead of open coding") +Signed-off-by: Ding Hui +Cc: +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/svcsock.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -826,12 +826,6 @@ static void svc_tcp_listen_data_ready(st + + trace_sk_data_ready(sk); + +- if (svsk) { +- /* Refer to svc_setup_socket() for details. */ +- rmb(); +- svsk->sk_odata(sk); +- } +- + /* + * This callback may called twice when a new connection + * is established as a child socket inherits everything +@@ -840,13 +834,18 @@ static void svc_tcp_listen_data_ready(st + * when one of child sockets become ESTABLISHED. + * 2) data_ready method of the child socket may be called + * when it receives data before the socket is accepted. +- * In case of 2, we should ignore it silently. ++ * In case of 2, we should ignore it silently and DO NOT ++ * dereference svsk. + */ +- if (sk->sk_state == TCP_LISTEN) { +- if (svsk) { +- set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags); +- svc_xprt_enqueue(&svsk->sk_xprt); +- } ++ if (sk->sk_state != TCP_LISTEN) ++ return; ++ ++ if (svsk) { ++ /* Refer to svc_setup_socket() for details. */ ++ rmb(); ++ svsk->sk_odata(sk); ++ set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags); ++ svc_xprt_enqueue(&svsk->sk_xprt); + } + } +