From: Greg Kroah-Hartman Date: Mon, 18 Dec 2023 07:10:43 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v5.15.144~37 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=84e400e51c088ef41959eec87f6259621fee5306;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: btrfs-do-not-allow-non-subvolume-root-targets-for-snapshot.patch cxl-hdm-fix-dpa-translation-locking.patch ext4-prevent-the-normalized-size-from-exceeding-ext_max_blocks.patch perf-fix-perf_event_validate_size-lockdep-splat.patch soundwire-stream-fix-null-pointer-dereference-for-multi_link.patch --- diff --git a/queue-6.6/btrfs-do-not-allow-non-subvolume-root-targets-for-snapshot.patch b/queue-6.6/btrfs-do-not-allow-non-subvolume-root-targets-for-snapshot.patch new file mode 100644 index 00000000000..f40b8010c76 --- /dev/null +++ b/queue-6.6/btrfs-do-not-allow-non-subvolume-root-targets-for-snapshot.patch @@ -0,0 +1,44 @@ +From a8892fd71933126ebae3d60aec5918d4dceaae76 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 15 Dec 2023 10:01:44 -0500 +Subject: btrfs: do not allow non subvolume root targets for snapshot + +From: Josef Bacik + +commit a8892fd71933126ebae3d60aec5918d4dceaae76 upstream. + +Our btrfs subvolume snapshot <source> <target> utility enforces +that <source> is the root of the subvolume, however this isn't enforced +in the kernel. Update the kernel to also enforce this limitation to +avoid problems with other users of this ioctl that don't have the +appropriate checks in place. 
+ +Reported-by: Martin Michaelis +CC: stable@vger.kernel.org # 4.14+ +Reviewed-by: Neal Gompa +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ioctl.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -1290,6 +1290,15 @@ static noinline int __btrfs_ioctl_snap_c + * are limited to own subvolumes only + */ + ret = -EPERM; ++ } else if (btrfs_ino(BTRFS_I(src_inode)) != BTRFS_FIRST_FREE_OBJECTID) { ++ /* ++ * Snapshots must be made with the src_inode referring ++ * to the subvolume inode, otherwise the permission ++ * checking above is useless because we may have ++ * permission on a lower directory but not the subvol ++ * itself. ++ */ ++ ret = -EINVAL; + } else { + ret = btrfs_mksnapshot(&file->f_path, idmap, + name, namelen, diff --git a/queue-6.6/cxl-hdm-fix-dpa-translation-locking.patch b/queue-6.6/cxl-hdm-fix-dpa-translation-locking.patch new file mode 100644 index 00000000000..189d2f9cc5c --- /dev/null +++ b/queue-6.6/cxl-hdm-fix-dpa-translation-locking.patch @@ -0,0 +1,100 @@ +From 6f5c4eca48ffe18307b4e1d375817691c9005c87 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Wed, 6 Dec 2023 19:11:14 -0800 +Subject: cxl/hdm: Fix dpa translation locking + +From: Dan Williams + +commit 6f5c4eca48ffe18307b4e1d375817691c9005c87 upstream. + +The helper, cxl_dpa_resource_start(), snapshots the dpa-address of an +endpoint-decoder after acquiring the cxl_dpa_rwsem. However, it is +sufficient to assert that cxl_dpa_rwsem is held rather than acquire it +in the helper. Otherwise, it triggers multiple lockdep reports: + +1/ Tracing callbacks are in an atomic context that can not acquire sleeping +locks: + + BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1525 + in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1288, name: bash + preempt_count: 2, expected: 0 + RCU nest depth: 0, expected: 0 + [..] 
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023 + Call Trace: + + dump_stack_lvl+0x71/0x90 + __might_resched+0x1b2/0x2c0 + down_read+0x1a/0x190 + cxl_dpa_resource_start+0x15/0x50 [cxl_core] + cxl_trace_hpa+0x122/0x300 [cxl_core] + trace_event_raw_event_cxl_poison+0x1c9/0x2d0 [cxl_core] + +2/ The rwsem is already held in the inject poison path: + + WARNING: possible recursive locking detected + 6.7.0-rc2+ #12 Tainted: G W OE N + -------------------------------------------- + bash/1288 is trying to acquire lock: + ffffffffc05f73d0 (cxl_dpa_rwsem){++++}-{3:3}, at: cxl_dpa_resource_start+0x15/0x50 [cxl_core] + + but task is already holding lock: + ffffffffc05f73d0 (cxl_dpa_rwsem){++++}-{3:3}, at: cxl_inject_poison+0x7d/0x1e0 [cxl_core] + [..] + Call Trace: + + dump_stack_lvl+0x71/0x90 + __might_resched+0x1b2/0x2c0 + down_read+0x1a/0x190 + cxl_dpa_resource_start+0x15/0x50 [cxl_core] + cxl_trace_hpa+0x122/0x300 [cxl_core] + trace_event_raw_event_cxl_poison+0x1c9/0x2d0 [cxl_core] + __traceiter_cxl_poison+0x5c/0x80 [cxl_core] + cxl_inject_poison+0x1bc/0x1e0 [cxl_core] + +This appears to have been an issue since the initial implementation and +uncovered by the new cxl-poison.sh test [1]. That test is now passing with +these changes. 
+ +Fixes: 28a3ae4ff66c ("cxl/trace: Add an HPA to cxl_poison trace events") +Link: http://lore.kernel.org/r/e4f2716646918135ddbadf4146e92abb659de734.1700615159.git.alison.schofield@intel.com [1] +Cc: +Cc: Alison Schofield +Cc: Jonathan Cameron +Cc: Dave Jiang +Cc: Ira Weiny +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cxl/core/hdm.c | 3 +-- + drivers/cxl/core/port.c | 4 ++-- + 2 files changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/cxl/core/hdm.c ++++ b/drivers/cxl/core/hdm.c +@@ -373,10 +373,9 @@ resource_size_t cxl_dpa_resource_start(s + { + resource_size_t base = -1; + +- down_read(&cxl_dpa_rwsem); ++ lockdep_assert_held(&cxl_dpa_rwsem); + if (cxled->dpa_res) + base = cxled->dpa_res->start; +- up_read(&cxl_dpa_rwsem); + + return base; + } +--- a/drivers/cxl/core/port.c ++++ b/drivers/cxl/core/port.c +@@ -219,9 +219,9 @@ static ssize_t dpa_resource_show(struct + char *buf) + { + struct cxl_endpoint_decoder *cxled = to_cxl_endpoint_decoder(dev); +- u64 base = cxl_dpa_resource_start(cxled); + +- return sysfs_emit(buf, "%#llx\n", base); ++ guard(rwsem_read)(&cxl_dpa_rwsem); ++ return sysfs_emit(buf, "%#llx\n", (u64)cxl_dpa_resource_start(cxled)); + } + static DEVICE_ATTR_RO(dpa_resource); + diff --git a/queue-6.6/ext4-prevent-the-normalized-size-from-exceeding-ext_max_blocks.patch b/queue-6.6/ext4-prevent-the-normalized-size-from-exceeding-ext_max_blocks.patch new file mode 100644 index 00000000000..b136c046f7b --- /dev/null +++ b/queue-6.6/ext4-prevent-the-normalized-size-from-exceeding-ext_max_blocks.patch @@ -0,0 +1,75 @@ +From 2dcf5fde6dffb312a4bfb8ef940cea2d1f402e32 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Mon, 27 Nov 2023 14:33:13 +0800 +Subject: ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS + +From: Baokun Li + +commit 2dcf5fde6dffb312a4bfb8ef940cea2d1f402e32 upstream. 
+ +For files with logical blocks close to EXT_MAX_BLOCKS, the file size +predicted in ext4_mb_normalize_request() may exceed EXT_MAX_BLOCKS. +This can cause some blocks to be preallocated that will not be used. +And after [Fixes], the following issue may be triggered: + +========================================================= + kernel BUG at fs/ext4/mballoc.c:4653! + Internal error: Oops - BUG: 00000000f2000800 [#1] SMP + CPU: 1 PID: 2357 Comm: xfs_io 6.7.0-rc2-00195-g0f5cc96c367f + Hardware name: linux,dummy-virt (DT) + pc : ext4_mb_use_inode_pa+0x148/0x208 + lr : ext4_mb_use_inode_pa+0x98/0x208 + Call trace: + ext4_mb_use_inode_pa+0x148/0x208 + ext4_mb_new_inode_pa+0x240/0x4a8 + ext4_mb_use_best_found+0x1d4/0x208 + ext4_mb_try_best_found+0xc8/0x110 + ext4_mb_regular_allocator+0x11c/0xf48 + ext4_mb_new_blocks+0x790/0xaa8 + ext4_ext_map_blocks+0x7cc/0xd20 + ext4_map_blocks+0x170/0x600 + ext4_iomap_begin+0x1c0/0x348 +========================================================= + +Here is a calculation when adjusting ac_b_ex in ext4_mb_new_inode_pa(): + + ex.fe_logical = orig_goal_end - EXT4_C2B(sbi, ex.fe_len); + if (ac->ac_o_ex.fe_logical >= ex.fe_logical) + goto adjust_bex; + +The problem is that when orig_goal_end is subtracted from ac_b_ex.fe_len +it is still greater than EXT_MAX_BLOCKS, which causes ex.fe_logical to +overflow to a very small value, which ultimately triggers a BUG_ON in +ext4_mb_new_inode_pa() because pa->pa_free < len. + +The last logical block of an actual write request does not exceed +EXT_MAX_BLOCKS, so in ext4_mb_normalize_request() also avoids normalizing +the last logical block to exceed EXT_MAX_BLOCKS to avoid the above issue. + +The test case in [Link] can reproduce the above issue with 64k block size. 
+ +Link: https://patchwork.kernel.org/project/fstests/list/?series=804003 +Cc: # 6.4 +Fixes: 93cdf49f6eca ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()") +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20231127063313.3734294-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4489,6 +4489,10 @@ ext4_mb_normalize_request(struct ext4_al + start = max(start, rounddown(ac->ac_o_ex.fe_logical, + (ext4_lblk_t)EXT4_BLOCKS_PER_GROUP(ac->ac_sb))); + ++ /* avoid unnecessary preallocation that may trigger assertions */ ++ if (start + size > EXT_MAX_BLOCKS) ++ size = EXT_MAX_BLOCKS - start; ++ + /* don't cover already allocated blocks in selected range */ + if (ar->pleft && start <= ar->lleft) { + size -= ar->lleft + 1 - start; diff --git a/queue-6.6/perf-fix-perf_event_validate_size-lockdep-splat.patch b/queue-6.6/perf-fix-perf_event_validate_size-lockdep-splat.patch new file mode 100644 index 00000000000..f9d4ee9142b --- /dev/null +++ b/queue-6.6/perf-fix-perf_event_validate_size-lockdep-splat.patch @@ -0,0 +1,58 @@ +From 7e2c1e4b34f07d9aa8937fab88359d4a0fce468e Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Fri, 15 Dec 2023 11:24:50 +0000 +Subject: perf: Fix perf_event_validate_size() lockdep splat + +From: Mark Rutland + +commit 7e2c1e4b34f07d9aa8937fab88359d4a0fce468e upstream. + +When lockdep is enabled, the for_each_sibling_event(sibling, event) +macro checks that event->ctx->mutex is held. 
When creating a new group +leader event, we call perf_event_validate_size() on a partially +initialized event where event->ctx is NULL, and so when +for_each_sibling_event() attempts to check event->ctx->mutex, we get a +splat, as reported by Lucas De Marchi: + + WARNING: CPU: 8 PID: 1471 at kernel/events/core.c:1950 __do_sys_perf_event_open+0xf37/0x1080 + +This only happens for a new event which is its own group_leader, and in +this case there cannot be any sibling events. Thus it's safe to skip the +check for siblings, which avoids having to make invasive and ugly +changes to for_each_sibling_event(). + +Avoid the splat by bailing out early when the new event is its own +group_leader. + +Fixes: 382c27f4ed28f803 ("perf: Fix perf_event_validate_size()") +Closes: https://lore.kernel.org/lkml/20231214000620.3081018-1-lucas.demarchi@intel.com/ +Closes: https://lore.kernel.org/lkml/ZXpm6gQ%2Fd59jGsuW@xpf.sh.intel.com/ +Reported-by: Lucas De Marchi +Reported-by: Pengfei Xu +Signed-off-by: Mark Rutland +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20231215112450.3972309-1-mark.rutland@arm.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -1947,6 +1947,16 @@ static bool perf_event_validate_size(str + group_leader->nr_siblings + 1) > 16*1024) + return false; + ++ /* ++ * When creating a new group leader, group_leader->ctx is initialized ++ * after the size has been validated, but we cannot safely use ++ * for_each_sibling_event() until group_leader->ctx is set. A new group ++ * leader cannot have any siblings yet, so we can safely skip checking ++ * the non-existent siblings. 
++ */ ++ if (event == group_leader) ++ return true; ++ + for_each_sibling_event(sibling, group_leader) { + if (__perf_event_read_size(sibling->attr.read_format, + group_leader->nr_siblings + 1) > 16*1024) diff --git a/queue-6.6/series b/queue-6.6/series index 7eb46253f6e..778b35bc678 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -123,3 +123,8 @@ smb-client-introduce-parse_reparse_point.patch smb-client-set-correct-file-type-from-nfs-reparse-po.patch arm64-add-dependency-between-vmlinuz.efi-and-image.patch hid-hid-asus-add-const-to-read-only-outgoing-usb-buf.patch +perf-fix-perf_event_validate_size-lockdep-splat.patch +btrfs-do-not-allow-non-subvolume-root-targets-for-snapshot.patch +cxl-hdm-fix-dpa-translation-locking.patch +soundwire-stream-fix-null-pointer-dereference-for-multi_link.patch +ext4-prevent-the-normalized-size-from-exceeding-ext_max_blocks.patch diff --git a/queue-6.6/soundwire-stream-fix-null-pointer-dereference-for-multi_link.patch b/queue-6.6/soundwire-stream-fix-null-pointer-dereference-for-multi_link.patch new file mode 100644 index 00000000000..0da1b728fab --- /dev/null +++ b/queue-6.6/soundwire-stream-fix-null-pointer-dereference-for-multi_link.patch @@ -0,0 +1,76 @@ +From e199bf52ffda8f98f129728d57244a9cd9ad5623 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 24 Nov 2023 19:01:36 +0100 +Subject: soundwire: stream: fix NULL pointer dereference for multi_link + +From: Krzysztof Kozlowski + +commit e199bf52ffda8f98f129728d57244a9cd9ad5623 upstream. + +If bus is marked as multi_link, but number of masters in the stream is +not higher than bus->hw_sync_min_links (bus->multi_link && m_rt_count >= +bus->hw_sync_min_links), bank switching should not happen. The first +part of do_bank_switch() code properly takes these conditions into +account, but second part (sdw_ml_sync_bank_switch()) relies purely on +bus->multi_link property. 
This is not balanced and leads to NULL +pointer dereference: + + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + ... + Call trace: + wait_for_completion_timeout+0x124/0x1f0 + do_bank_switch+0x370/0x6f8 + sdw_prepare_stream+0x2d0/0x438 + qcom_snd_sdw_prepare+0xa0/0x118 + sm8450_snd_prepare+0x128/0x148 + snd_soc_link_prepare+0x5c/0xe8 + __soc_pcm_prepare+0x28/0x1ec + dpcm_be_dai_prepare+0x1e0/0x2c0 + dpcm_fe_dai_prepare+0x108/0x28c + snd_pcm_do_prepare+0x44/0x68 + snd_pcm_action_single+0x54/0xc0 + snd_pcm_action_nonatomic+0xe4/0xec + snd_pcm_prepare+0xc4/0x114 + snd_pcm_common_ioctl+0x1154/0x1cc0 + snd_pcm_ioctl+0x54/0x74 + +Fixes: ce6e74d008ff ("soundwire: Add support for multi link bank switch") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20231124180136.390621-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soundwire/stream.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/soundwire/stream.c ++++ b/drivers/soundwire/stream.c +@@ -742,14 +742,15 @@ error_1: + * sdw_ml_sync_bank_switch: Multilink register bank switch + * + * @bus: SDW bus instance ++ * @multi_link: whether this is a multi-link stream with hardware-based sync + * + * Caller function should free the buffers on error + */ +-static int sdw_ml_sync_bank_switch(struct sdw_bus *bus) ++static int sdw_ml_sync_bank_switch(struct sdw_bus *bus, bool multi_link) + { + unsigned long time_left; + +- if (!bus->multi_link) ++ if (!multi_link) + return 0; + + /* Wait for completion of transfer */ +@@ -847,7 +848,7 @@ static int do_bank_switch(struct sdw_str + bus->bank_switch_timeout = DEFAULT_BANK_SWITCH_TIMEOUT; + + /* Check if bank switch was successful */ +- ret = sdw_ml_sync_bank_switch(bus); ++ ret = sdw_ml_sync_bank_switch(bus, multi_link); + if (ret < 0) { + dev_err(bus->dev, + "multi link bank 
switch failed: %d\n", ret);