From: Greg Kroah-Hartman Date: Thu, 25 Jul 2024 12:47:18 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.19.319~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=877f96670caee992e1dcb95cd9e46f457ad1a589;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: add-gitignore-file-for-samples-fanotify-subdirectory.patch alsa-hda-realtek-enable-headset-mic-on-positivo-su-c1400.patch alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch docs-fix-formatting-of-literal-sections-in-fanotify-docs.patch drm-amdgpu-fix-signedness-bug-in-sdma_v4_0_process_trap_irq.patch fs-ntfs3-validate-ff-offset.patch jfs-don-t-walk-off-the-end-of-ealist.patch net-relax-socket-state-check-at-accept-time.patch ocfs2-add-bounds-checking-to-ocfs2_check_dir_entry.patch samples-add-fs-error-monitoring-example.patch samples-make-fs-monitor-depend-on-libc-and-headers.patch --- diff --git a/queue-5.15/add-gitignore-file-for-samples-fanotify-subdirectory.patch b/queue-5.15/add-gitignore-file-for-samples-fanotify-subdirectory.patch new file mode 100644 index 00000000000..7eed81eeade --- /dev/null +++ b/queue-5.15/add-gitignore-file-for-samples-fanotify-subdirectory.patch @@ -0,0 +1,31 @@ +From cel@kernel.org Wed Jul 24 21:07:12 2024 +From: cel@kernel.org +Date: Wed, 24 Jul 2024 15:06:23 -0400 +Subject: Add gitignore file for samples/fanotify/ subdirectory +To: amir73il@gmail.com, krisman@collabora.com +Cc: gregkh@linuxfoundation.org, jack@suse.cz, sashal@kernel.org, stable@vger.kernel.org, adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org, tytso@mit.edu, alexey.makhalov@broadcom.com, vasavi.sirnapalli@broadcom.com, florian.fainelli@broadcom.com, Linus Torvalds +Message-ID: <20240724190623.8948-5-cel@kernel.org> + +From: Linus Torvalds + +[ Upstream commit c107fb9b4f8338375b3e865c3d2c1d98ccb3a95a ] + +Commit 5451093081db ("samples: Add fs error monitoring example") added a +new sample program, but didn't teach git to ignore the new generated +files, causing unnecessary noise from 'git status' after a full build. + +Add the 'fs-monitor' sample executable to the .gitignore for this +subdirectory to silence it all again. + +Signed-off-by: Linus Torvalds +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + samples/fanotify/.gitignore | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 samples/fanotify/.gitignore + +--- /dev/null ++++ b/samples/fanotify/.gitignore +@@ -0,0 +1 @@ ++fs-monitor diff --git a/queue-5.15/alsa-hda-realtek-enable-headset-mic-on-positivo-su-c1400.patch b/queue-5.15/alsa-hda-realtek-enable-headset-mic-on-positivo-su-c1400.patch new file mode 100644 index 00000000000..988558d2fb1 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-enable-headset-mic-on-positivo-su-c1400.patch @@ -0,0 +1,31 @@ +From 8fc1e8b230771442133d5cf5fa4313277aa2bb8b Mon Sep 17 00:00:00 2001 +From: Edson Juliano Drosdeck +Date: Fri, 12 Jul 2024 15:06:42 -0300 +Subject: ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 + +From: Edson Juliano Drosdeck + +commit 8fc1e8b230771442133d5cf5fa4313277aa2bb8b upstream. + +Positivo SU C1400 is equipped with ALC256, and it needs +ALC269_FIXUP_ASPIRE_HEADSET_MIC quirk to make its headset mic work. + +Signed-off-by: Edson Juliano Drosdeck +Cc: +Link: https://patch.msgid.link/20240712180642.22564-1-edson.drosdeck@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9273,6 +9273,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC), + SND_PCI_QUIRK(0x10ec, 0x10f2, "Intel Reference board", ALC700_FIXUP_INTEL_REFERENCE), + SND_PCI_QUIRK(0x10ec, 0x118c, "Medion EE4254 MD62100", ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE), ++ SND_PCI_QUIRK(0x10ec, 0x119e, "Positivo SU C1400", ALC269_FIXUP_ASPIRE_HEADSET_MIC), + SND_PCI_QUIRK(0x10ec, 0x11bc, "VAIO VJFE-IL", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x10ec, 0x1230, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK), + SND_PCI_QUIRK(0x10ec, 0x124c, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK), diff --git a/queue-5.15/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch b/queue-5.15/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch new file mode 100644 index 00000000000..dea1a3b5bf9 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch @@ -0,0 +1,32 @@ +From d7063c08738573fc2f3296da6d31a22fa8aa843a Mon Sep 17 00:00:00 2001 +From: Seunghun Han +Date: Thu, 18 Jul 2024 17:09:08 +0900 +Subject: ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 + +From: Seunghun Han + +commit d7063c08738573fc2f3296da6d31a22fa8aa843a upstream. + +Samsung Galaxy Book Pro 360 (13" 2022 NT935QDB-KC71S) with codec SSID +144d:c1a4 requires the same workaround to enable the speaker amp +as other Samsung models with the ALC298 codec. + +Signed-off-by: Seunghun Han +Cc: +Link: https://patch.msgid.link/20240718080908.8677-1-kkamagui@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9286,6 +9286,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc1a4, "Samsung Galaxy Book Pro 360 (NT935QBD)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a6, "Samsung Galaxy Book Pro 360 (NP930QBD)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8), + SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_AMP), diff --git a/queue-5.15/docs-fix-formatting-of-literal-sections-in-fanotify-docs.patch b/queue-5.15/docs-fix-formatting-of-literal-sections-in-fanotify-docs.patch new file mode 100644 index 00000000000..8c0ec2de7d5 --- /dev/null +++ b/queue-5.15/docs-fix-formatting-of-literal-sections-in-fanotify-docs.patch @@ -0,0 +1,64 @@ +From stable+bounces-61324-greg=kroah.com@vger.kernel.org Wed Jul 24 21:07:10 2024 +From: cel@kernel.org +Date: Wed, 24 Jul 2024 15:06:22 -0400 +Subject: docs: Fix formatting of literal sections in fanotify docs +To: amir73il@gmail.com, krisman@collabora.com +Cc: gregkh@linuxfoundation.org, jack@suse.cz, sashal@kernel.org, stable@vger.kernel.org, adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org, tytso@mit.edu, alexey.makhalov@broadcom.com, vasavi.sirnapalli@broadcom.com, florian.fainelli@broadcom.com, Stephen Rothwell +Message-ID: <20240724190623.8948-4-cel@kernel.org> + +From: Gabriel Krisman Bertazi + +[ Upstream commit 9abeae5d4458326e16df7ea237104b58c27dfd77 ] + +Stephen Rothwell reported the following warning was introduced by commit +c0baf9ac0b05 ("docs: Document the FAN_FS_ERROR event"). + +Documentation/admin-guide/filesystem-monitoring.rst:60: WARNING: + Definition list ends without a blank line; unexpected unindent. + +Link: https://lore.kernel.org/r/87y26camhe.fsf@collabora.com +Reported-by: Stephen Rothwell +Signed-off-by: Gabriel Krisman Bertazi +Signed-off-by: Jan Kara +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/filesystem-monitoring.rst | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/Documentation/admin-guide/filesystem-monitoring.rst ++++ b/Documentation/admin-guide/filesystem-monitoring.rst +@@ -35,9 +35,11 @@ notifications is Ext4. + + A FAN_FS_ERROR Notification has the following format:: + +- [ Notification Metadata (Mandatory) ] +- [ Generic Error Record (Mandatory) ] +- [ FID record (Mandatory) ] ++ :: ++ ++ [ Notification Metadata (Mandatory) ] ++ [ Generic Error Record (Mandatory) ] ++ [ FID record (Mandatory) ] + + The order of records is not guaranteed, and new records might be added + in the future. Therefore, applications must not rely on the order and +@@ -53,11 +55,13 @@ providing any additional details about t + identified by ``struct fanotify_event_info_header.info_type`` being set + to FAN_EVENT_INFO_TYPE_ERROR. + +- struct fanotify_event_info_error { +- struct fanotify_event_info_header hdr; +- __s32 error; +- __u32 error_count; +- }; ++ :: ++ ++ struct fanotify_event_info_error { ++ struct fanotify_event_info_header hdr; ++ __s32 error; ++ __u32 error_count; ++ }; + + The `error` field identifies the type of error using errno values. + `error_count` tracks the number of errors that occurred and were diff --git a/queue-5.15/drm-amdgpu-fix-signedness-bug-in-sdma_v4_0_process_trap_irq.patch b/queue-5.15/drm-amdgpu-fix-signedness-bug-in-sdma_v4_0_process_trap_irq.patch new file mode 100644 index 00000000000..c96872de099 --- /dev/null +++ b/queue-5.15/drm-amdgpu-fix-signedness-bug-in-sdma_v4_0_process_trap_irq.patch @@ -0,0 +1,32 @@ +From 6769a23697f17f9bf9365ca8ed62fe37e361a05a Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sun, 28 Apr 2024 15:57:00 +0300 +Subject: drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() + +From: Dan Carpenter + +commit 6769a23697f17f9bf9365ca8ed62fe37e361a05a upstream. + +The "instance" variable needs to be signed for the error handling to work. + +Fixes: 8b2faf1a4f3b ("drm/amdgpu: add error handle to avoid out-of-bounds") +Reviewed-by: Bob Zhou +Signed-off-by: Dan Carpenter +Signed-off-by: Alex Deucher +Cc: Siddh Raman Pant +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c +@@ -2148,7 +2148,7 @@ static int sdma_v4_0_process_trap_irq(st + struct amdgpu_irq_src *source, + struct amdgpu_iv_entry *entry) + { +- uint32_t instance; ++ int instance; + + DRM_DEBUG("IH: SDMA trap\n"); + instance = sdma_v4_0_irq_id_to_seq(entry->client_id); diff --git a/queue-5.15/fs-ntfs3-validate-ff-offset.patch b/queue-5.15/fs-ntfs3-validate-ff-offset.patch new file mode 100644 index 00000000000..c66523f89d5 --- /dev/null +++ b/queue-5.15/fs-ntfs3-validate-ff-offset.patch @@ -0,0 +1,43 @@ +From 50c47879650b4c97836a0086632b3a2e300b0f06 Mon Sep 17 00:00:00 2001 +From: lei lu +Date: Wed, 29 May 2024 02:52:22 +0800 +Subject: fs/ntfs3: Validate ff offset + +From: lei lu + +commit 50c47879650b4c97836a0086632b3a2e300b0f06 upstream. + +This adds sanity checks for ff offset. There is a check +on rt->first_free at first, but walking through by ff +without any check. If the second ff is a large offset. +We may encounter an out-of-bound read. + +Signed-off-by: lei lu +Signed-off-by: Konstantin Komarov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ntfs3/fslog.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/ntfs3/fslog.c ++++ b/fs/ntfs3/fslog.c +@@ -724,7 +724,8 @@ static bool check_rstbl(const struct RES + + if (!rsize || rsize > bytes || + rsize + sizeof(struct RESTART_TABLE) > bytes || bytes < ts || +- le16_to_cpu(rt->total) > ne || ff > ts || lf > ts || ++ le16_to_cpu(rt->total) > ne || ++ ff > ts - sizeof(__le32) || lf > ts - sizeof(__le32) || + (ff && ff < sizeof(struct RESTART_TABLE)) || + (lf && lf < sizeof(struct RESTART_TABLE))) { + return false; +@@ -754,6 +755,9 @@ static bool check_rstbl(const struct RES + return false; + + off = le32_to_cpu(*(__le32 *)Add2Ptr(rt, off)); ++ ++ if (off > ts - sizeof(__le32)) ++ return false; + } + + return true; diff --git a/queue-5.15/jfs-don-t-walk-off-the-end-of-ealist.patch b/queue-5.15/jfs-don-t-walk-off-the-end-of-ealist.patch new file mode 100644 index 00000000000..c7266f95fef --- /dev/null +++ b/queue-5.15/jfs-don-t-walk-off-the-end-of-ealist.patch @@ -0,0 +1,83 @@ +From d0fa70aca54c8643248e89061da23752506ec0d4 Mon Sep 17 00:00:00 2001 +From: lei lu +Date: Wed, 29 May 2024 02:30:40 +0800 +Subject: jfs: don't walk off the end of ealist + +From: lei lu + +commit d0fa70aca54c8643248e89061da23752506ec0d4 upstream. + +Add a check before visiting the members of ea to +make sure each ea stays within the ealist. + +Signed-off-by: lei lu +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/xattr.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/fs/jfs/xattr.c ++++ b/fs/jfs/xattr.c +@@ -797,7 +797,7 @@ ssize_t __jfs_getxattr(struct inode *ino + size_t buf_size) + { + struct jfs_ea_list *ealist; +- struct jfs_ea *ea; ++ struct jfs_ea *ea, *ealist_end; + struct ea_buffer ea_buf; + int xattr_size; + ssize_t size; +@@ -817,9 +817,16 @@ ssize_t __jfs_getxattr(struct inode *ino + goto not_found; + + ealist = (struct jfs_ea_list *) ea_buf.xattr; ++ ealist_end = END_EALIST(ealist); + + /* Find the named attribute */ +- for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea)) ++ for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) { ++ if (unlikely(ea + 1 > ealist_end) || ++ unlikely(NEXT_EA(ea) > ealist_end)) { ++ size = -EUCLEAN; ++ goto release; ++ } ++ + if ((namelen == ea->namelen) && + memcmp(name, ea->name, namelen) == 0) { + /* Found it */ +@@ -834,6 +841,7 @@ ssize_t __jfs_getxattr(struct inode *ino + memcpy(data, value, size); + goto release; + } ++ } + not_found: + size = -ENODATA; + release: +@@ -861,7 +869,7 @@ ssize_t jfs_listxattr(struct dentry * de + ssize_t size = 0; + int xattr_size; + struct jfs_ea_list *ealist; +- struct jfs_ea *ea; ++ struct jfs_ea *ea, *ealist_end; + struct ea_buffer ea_buf; + + down_read(&JFS_IP(inode)->xattr_sem); +@@ -876,9 +884,16 @@ ssize_t jfs_listxattr(struct dentry * de + goto release; + + ealist = (struct jfs_ea_list *) ea_buf.xattr; ++ ealist_end = END_EALIST(ealist); + + /* compute required size of list */ +- for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea)) { ++ for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) { ++ if (unlikely(ea + 1 > ealist_end) || ++ unlikely(NEXT_EA(ea) > ealist_end)) { ++ size = -EUCLEAN; ++ goto release; ++ } ++ + if (can_list(ea)) + size += name_size(ea) + 1; + } diff --git a/queue-5.15/net-relax-socket-state-check-at-accept-time.patch b/queue-5.15/net-relax-socket-state-check-at-accept-time.patch new file mode 100644 index 00000000000..058be564ff0 --- /dev/null +++ b/queue-5.15/net-relax-socket-state-check-at-accept-time.patch @@ -0,0 +1,84 @@ +From 26afda78cda3da974fd4c287962c169e9462c495 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 21 May 2024 16:01:00 +0200 +Subject: net: relax socket state check at accept time. + +From: Paolo Abeni + +commit 26afda78cda3da974fd4c287962c169e9462c495 upstream. + +Christoph reported the following splat: + +WARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0 +Modules linked in: +CPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 +RIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759 +Code: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80 +RSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293 +RAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64 +R10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000 +R13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800 +FS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786 + do_accept+0x435/0x620 net/socket.c:1929 + __sys_accept4_file net/socket.c:1969 [inline] + __sys_accept4+0x9b/0x110 net/socket.c:1999 + __do_sys_accept net/socket.c:2016 [inline] + __se_sys_accept net/socket.c:2013 [inline] + __x64_sys_accept+0x7d/0x90 net/socket.c:2013 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x76/0x7e +RIP: 0033:0x4315f9 +Code: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b +RAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 +RBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300 +R10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055 + + +The reproducer invokes shutdown() before entering the listener status. +After commit 94062790aedb ("tcp: defer shutdown(SEND_SHUTDOWN) for +TCP_SYN_RECV sockets"), the above causes the child to reach the accept +syscall in FIN_WAIT1 status. + +Eric noted we can relax the existing assertion in __inet_accept() + +Reported-by: Christoph Paasch +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/490 +Suggested-by: Eric Dumazet +Fixes: 94062790aedb ("tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets") +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/23ab880a44d8cfd967e84de8b93dbf48848e3d8c.1716299669.git.pabeni@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Nikolay Kuratov +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/af_inet.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -761,7 +761,9 @@ int inet_accept(struct socket *sock, str + sock_rps_record_flow(sk2); + WARN_ON(!((1 << sk2->sk_state) & + (TCPF_ESTABLISHED | TCPF_SYN_RECV | +- TCPF_CLOSE_WAIT | TCPF_CLOSE))); ++ TCPF_FIN_WAIT1 | TCPF_FIN_WAIT2 | ++ TCPF_CLOSING | TCPF_CLOSE_WAIT | ++ TCPF_CLOSE))); + + sock_graft(sk2, newsock); + diff --git a/queue-5.15/ocfs2-add-bounds-checking-to-ocfs2_check_dir_entry.patch b/queue-5.15/ocfs2-add-bounds-checking-to-ocfs2_check_dir_entry.patch new file mode 100644 index 00000000000..37bfceab095 --- /dev/null +++ b/queue-5.15/ocfs2-add-bounds-checking-to-ocfs2_check_dir_entry.patch @@ -0,0 +1,163 @@ +From 255547c6bb8940a97eea94ef9d464ea5967763fb Mon Sep 17 00:00:00 2001 +From: lei lu +Date: Wed, 26 Jun 2024 18:44:33 +0800 +Subject: ocfs2: add bounds checking to ocfs2_check_dir_entry() + +From: lei lu + +commit 255547c6bb8940a97eea94ef9d464ea5967763fb upstream. + +This adds sanity checks for ocfs2_dir_entry to make sure all members of +ocfs2_dir_entry don't stray beyond valid memory region. + +Link: https://lkml.kernel.org/r/20240626104433.163270-1-llfamsec@gmail.com +Signed-off-by: lei lu +Reviewed-by: Heming Zhao +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/dir.c | 46 +++++++++++++++++++++++++++++----------------- + 1 file changed, 29 insertions(+), 17 deletions(-) + +--- a/fs/ocfs2/dir.c ++++ b/fs/ocfs2/dir.c +@@ -294,13 +294,16 @@ out: + * bh passed here can be an inode block or a dir data block, depending + * on the inode inline data flag. + */ +-static int ocfs2_check_dir_entry(struct inode * dir, +- struct ocfs2_dir_entry * de, +- struct buffer_head * bh, ++static int ocfs2_check_dir_entry(struct inode *dir, ++ struct ocfs2_dir_entry *de, ++ struct buffer_head *bh, ++ char *buf, ++ unsigned int size, + unsigned long offset) + { + const char *error_msg = NULL; + const int rlen = le16_to_cpu(de->rec_len); ++ const unsigned long next_offset = ((char *) de - buf) + rlen; + + if (unlikely(rlen < OCFS2_DIR_REC_LEN(1))) + error_msg = "rec_len is smaller than minimal"; +@@ -308,9 +311,11 @@ static int ocfs2_check_dir_entry(struct + error_msg = "rec_len % 4 != 0"; + else if (unlikely(rlen < OCFS2_DIR_REC_LEN(de->name_len))) + error_msg = "rec_len is too small for name_len"; +- else if (unlikely( +- ((char *) de - bh->b_data) + rlen > dir->i_sb->s_blocksize)) +- error_msg = "directory entry across blocks"; ++ else if (unlikely(next_offset > size)) ++ error_msg = "directory entry overrun"; ++ else if (unlikely(next_offset > size - OCFS2_DIR_REC_LEN(1)) && ++ next_offset != size) ++ error_msg = "directory entry too close to end"; + + if (unlikely(error_msg != NULL)) + mlog(ML_ERROR, "bad entry in directory #%llu: %s - " +@@ -352,16 +357,17 @@ static inline int ocfs2_search_dirblock( + de_buf = first_de; + dlimit = de_buf + bytes; + +- while (de_buf < dlimit) { ++ while (de_buf < dlimit - OCFS2_DIR_MEMBER_LEN) { + /* this code is executed quadratically often */ + /* do minimal checking `by hand' */ + + de = (struct ocfs2_dir_entry *) de_buf; + +- if (de_buf + namelen <= dlimit && ++ if (de->name + namelen <= dlimit && + ocfs2_match(namelen, name, de)) { + /* found a match - just to be sure, do a full check */ +- if (!ocfs2_check_dir_entry(dir, de, bh, offset)) { ++ if (!ocfs2_check_dir_entry(dir, de, bh, first_de, ++ bytes, offset)) { + ret = -1; + goto bail; + } +@@ -1138,7 +1144,7 @@ static int __ocfs2_delete_entry(handle_t + pde = NULL; + de = (struct ocfs2_dir_entry *) first_de; + while (i < bytes) { +- if (!ocfs2_check_dir_entry(dir, de, bh, i)) { ++ if (!ocfs2_check_dir_entry(dir, de, bh, first_de, bytes, i)) { + status = -EIO; + mlog_errno(status); + goto bail; +@@ -1638,7 +1644,8 @@ int __ocfs2_add_entry(handle_t *handle, + /* These checks should've already been passed by the + * prepare function, but I guess we can leave them + * here anyway. */ +- if (!ocfs2_check_dir_entry(dir, de, insert_bh, offset)) { ++ if (!ocfs2_check_dir_entry(dir, de, insert_bh, data_start, ++ size, offset)) { + retval = -ENOENT; + goto bail; + } +@@ -1776,7 +1783,8 @@ static int ocfs2_dir_foreach_blk_id(stru + } + + de = (struct ocfs2_dir_entry *) (data->id_data + ctx->pos); +- if (!ocfs2_check_dir_entry(inode, de, di_bh, ctx->pos)) { ++ if (!ocfs2_check_dir_entry(inode, de, di_bh, (char *)data->id_data, ++ i_size_read(inode), ctx->pos)) { + /* On error, skip the f_pos to the end. */ + ctx->pos = i_size_read(inode); + break; +@@ -1869,7 +1877,8 @@ static int ocfs2_dir_foreach_blk_el(stru + while (ctx->pos < i_size_read(inode) + && offset < sb->s_blocksize) { + de = (struct ocfs2_dir_entry *) (bh->b_data + offset); +- if (!ocfs2_check_dir_entry(inode, de, bh, offset)) { ++ if (!ocfs2_check_dir_entry(inode, de, bh, bh->b_data, ++ sb->s_blocksize, offset)) { + /* On error, skip the f_pos to the + next block. */ + ctx->pos = (ctx->pos | (sb->s_blocksize - 1)) + 1; +@@ -3341,7 +3350,7 @@ static int ocfs2_find_dir_space_id(struc + struct super_block *sb = dir->i_sb; + struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data; + struct ocfs2_dir_entry *de, *last_de = NULL; +- char *de_buf, *limit; ++ char *first_de, *de_buf, *limit; + unsigned long offset = 0; + unsigned int rec_len, new_rec_len, free_space = dir->i_sb->s_blocksize; + +@@ -3354,14 +3363,16 @@ static int ocfs2_find_dir_space_id(struc + else + free_space = dir->i_sb->s_blocksize - i_size_read(dir); + +- de_buf = di->id2.i_data.id_data; ++ first_de = di->id2.i_data.id_data; ++ de_buf = first_de; + limit = de_buf + i_size_read(dir); + rec_len = OCFS2_DIR_REC_LEN(namelen); + + while (de_buf < limit) { + de = (struct ocfs2_dir_entry *)de_buf; + +- if (!ocfs2_check_dir_entry(dir, de, di_bh, offset)) { ++ if (!ocfs2_check_dir_entry(dir, de, di_bh, first_de, ++ i_size_read(dir), offset)) { + ret = -ENOENT; + goto out; + } +@@ -3443,7 +3454,8 @@ static int ocfs2_find_dir_space_el(struc + /* move to next block */ + de = (struct ocfs2_dir_entry *) bh->b_data; + } +- if (!ocfs2_check_dir_entry(dir, de, bh, offset)) { ++ if (!ocfs2_check_dir_entry(dir, de, bh, bh->b_data, blocksize, ++ offset)) { + status = -ENOENT; + goto bail; + } diff --git a/queue-5.15/samples-add-fs-error-monitoring-example.patch b/queue-5.15/samples-add-fs-error-monitoring-example.patch new file mode 100644 index 00000000000..79b96f3af2f --- /dev/null +++ b/queue-5.15/samples-add-fs-error-monitoring-example.patch @@ -0,0 +1,212 @@ +From stable+bounces-61322-greg=kroah.com@vger.kernel.org Wed Jul 24 21:06:57 2024 +From: cel@kernel.org +Date: Wed, 24 Jul 2024 15:06:20 -0400 +Subject: samples: Add fs error monitoring example +To: amir73il@gmail.com, krisman@collabora.com +Cc: gregkh@linuxfoundation.org, jack@suse.cz, sashal@kernel.org, stable@vger.kernel.org, adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org, tytso@mit.edu, alexey.makhalov@broadcom.com, vasavi.sirnapalli@broadcom.com, florian.fainelli@broadcom.com +Message-ID: <20240724190623.8948-2-cel@kernel.org> + +From: Gabriel Krisman Bertazi + +[ Upstream commit 5451093081db6ca1a708d149e11cfd219800bc4c ] + +Introduce an example of a FAN_FS_ERROR fanotify user to track filesystem +errors. + +Link: https://lore.kernel.org/r/20211025192746.66445-31-krisman@collabora.com +Reviewed-by: Amir Goldstein +Reviewed-by: Jan Kara +Signed-off-by: Gabriel Krisman Bertazi +Signed-off-by: Jan Kara +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + samples/Kconfig | 9 ++ + samples/Makefile | 1 + samples/fanotify/Makefile | 5 + + samples/fanotify/fs-monitor.c | 142 ++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 157 insertions(+) + create mode 100644 samples/fanotify/Makefile + create mode 100644 samples/fanotify/fs-monitor.c + +--- a/samples/Kconfig ++++ b/samples/Kconfig +@@ -120,6 +120,15 @@ config SAMPLE_CONNECTOR + with it. + See also Documentation/driver-api/connector.rst + ++config SAMPLE_FANOTIFY_ERROR ++ bool "Build fanotify error monitoring sample" ++ depends on FANOTIFY ++ help ++ When enabled, this builds an example code that uses the ++ FAN_FS_ERROR fanotify mechanism to monitor filesystem ++ errors. ++ See also Documentation/admin-guide/filesystem-monitoring.rst. ++ + config SAMPLE_HIDRAW + bool "hidraw sample" + depends on CC_CAN_LINK && HEADERS_INSTALL +--- a/samples/Makefile ++++ b/samples/Makefile +@@ -5,6 +5,7 @@ subdir-$(CONFIG_SAMPLE_AUXDISPLAY) += au + subdir-$(CONFIG_SAMPLE_ANDROID_BINDERFS) += binderfs + obj-$(CONFIG_SAMPLE_CONFIGFS) += configfs/ + obj-$(CONFIG_SAMPLE_CONNECTOR) += connector/ ++obj-$(CONFIG_SAMPLE_FANOTIFY_ERROR) += fanotify/ + subdir-$(CONFIG_SAMPLE_HIDRAW) += hidraw + obj-$(CONFIG_SAMPLE_HW_BREAKPOINT) += hw_breakpoint/ + obj-$(CONFIG_SAMPLE_KDB) += kdb/ +--- /dev/null ++++ b/samples/fanotify/Makefile +@@ -0,0 +1,5 @@ ++# SPDX-License-Identifier: GPL-2.0-only ++userprogs-always-y += fs-monitor ++ ++userccflags += -I usr/include -Wall ++ +--- /dev/null ++++ b/samples/fanotify/fs-monitor.c +@@ -0,0 +1,142 @@ ++// SPDX-License-Identifier: GPL-2.0 ++/* ++ * Copyright 2021, Collabora Ltd. ++ */ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifndef FAN_FS_ERROR ++#define FAN_FS_ERROR 0x00008000 ++#define FAN_EVENT_INFO_TYPE_ERROR 5 ++ ++struct fanotify_event_info_error { ++ struct fanotify_event_info_header hdr; ++ __s32 error; ++ __u32 error_count; ++}; ++#endif ++ ++#ifndef FILEID_INO32_GEN ++#define FILEID_INO32_GEN 1 ++#endif ++ ++#ifndef FILEID_INVALID ++#define FILEID_INVALID 0xff ++#endif ++ ++static void print_fh(struct file_handle *fh) ++{ ++ int i; ++ uint32_t *h = (uint32_t *) fh->f_handle; ++ ++ printf("\tfh: "); ++ for (i = 0; i < fh->handle_bytes; i++) ++ printf("%hhx", fh->f_handle[i]); ++ printf("\n"); ++ ++ printf("\tdecoded fh: "); ++ if (fh->handle_type == FILEID_INO32_GEN) ++ printf("inode=%u gen=%u\n", h[0], h[1]); ++ else if (fh->handle_type == FILEID_INVALID && !fh->handle_bytes) ++ printf("Type %d (Superblock error)\n", fh->handle_type); ++ else ++ printf("Type %d (Unknown)\n", fh->handle_type); ++ ++} ++ ++static void handle_notifications(char *buffer, int len) ++{ ++ struct fanotify_event_metadata *event = ++ (struct fanotify_event_metadata *) buffer; ++ struct fanotify_event_info_header *info; ++ struct fanotify_event_info_error *err; ++ struct fanotify_event_info_fid *fid; ++ int off; ++ ++ for (; FAN_EVENT_OK(event, len); event = FAN_EVENT_NEXT(event, len)) { ++ ++ if (event->mask != FAN_FS_ERROR) { ++ printf("unexpected FAN MARK: %llx\n", event->mask); ++ goto next_event; ++ } ++ ++ if (event->fd != FAN_NOFD) { ++ printf("Unexpected fd (!= FAN_NOFD)\n"); ++ goto next_event; ++ } ++ ++ printf("FAN_FS_ERROR (len=%d)\n", event->event_len); ++ ++ for (off = sizeof(*event) ; off < event->event_len; ++ off += info->len) { ++ info = (struct fanotify_event_info_header *) ++ ((char *) event + off); ++ ++ switch (info->info_type) { ++ case FAN_EVENT_INFO_TYPE_ERROR: ++ err = (struct fanotify_event_info_error *) info; ++ ++ printf("\tGeneric Error Record: len=%d\n", ++ err->hdr.len); ++ printf("\terror: %d\n", err->error); ++ printf("\terror_count: %d\n", err->error_count); ++ break; ++ ++ case FAN_EVENT_INFO_TYPE_FID: ++ fid = (struct fanotify_event_info_fid *) info; ++ ++ printf("\tfsid: %x%x\n", ++ fid->fsid.val[0], fid->fsid.val[1]); ++ print_fh((struct file_handle *) &fid->handle); ++ break; ++ ++ default: ++ printf("\tUnknown info type=%d len=%d:\n", ++ info->info_type, info->len); ++ } ++ } ++next_event: ++ printf("---\n\n"); ++ } ++} ++ ++int main(int argc, char **argv) ++{ ++ int fd; ++ ++ char buffer[BUFSIZ]; ++ ++ if (argc < 2) { ++ printf("Missing path argument\n"); ++ return 1; ++ } ++ ++ fd = fanotify_init(FAN_CLASS_NOTIF|FAN_REPORT_FID, O_RDONLY); ++ if (fd < 0) ++ errx(1, "fanotify_init"); ++ ++ if (fanotify_mark(fd, FAN_MARK_ADD|FAN_MARK_FILESYSTEM, ++ FAN_FS_ERROR, AT_FDCWD, argv[1])) { ++ errx(1, "fanotify_mark"); ++ } ++ ++ while (1) { ++ int n = read(fd, buffer, BUFSIZ); ++ ++ if (n < 0) ++ errx(1, "read"); ++ ++ handle_notifications(buffer, n); ++ } ++ ++ return 0; ++} diff --git a/queue-5.15/samples-make-fs-monitor-depend-on-libc-and-headers.patch b/queue-5.15/samples-make-fs-monitor-depend-on-libc-and-headers.patch new file mode 100644 index 00000000000..c202896dda7 --- /dev/null +++ b/queue-5.15/samples-make-fs-monitor-depend-on-libc-and-headers.patch @@ -0,0 +1,42 @@ +From stable+bounces-61323-greg=kroah.com@vger.kernel.org Wed Jul 24 21:07:02 2024 +From: cel@kernel.org +Date: Wed, 24 Jul 2024 15:06:21 -0400 +Subject: samples: Make fs-monitor depend on libc and headers +To: amir73il@gmail.com, krisman@collabora.com +Cc: gregkh@linuxfoundation.org, jack@suse.cz, sashal@kernel.org, stable@vger.kernel.org, adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org, tytso@mit.edu, alexey.makhalov@broadcom.com, vasavi.sirnapalli@broadcom.com, florian.fainelli@broadcom.com, Guenter Roeck +Message-ID: <20240724190623.8948-3-cel@kernel.org> + +From: Gabriel Krisman Bertazi + +[ Upstream commit 8fc70b3a142f97f7859bf052151df896933d2586 ] + +Prevent build errors when headers or libc are not available, such as on +kernel build bots, like the below: + +samples/fanotify/fs-monitor.c:7:10: fatal error: errno.h: No such file +or directory + 7 | #include + | ^~~~~~~~~ + +Link: https://lore.kernel.org/r/87fsslasgz.fsf@collabora.com +Suggested-by: Guenter Roeck +Tested-by: Guenter Roeck +Signed-off-by: Gabriel Krisman Bertazi +Signed-off-by: Jan Kara +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + samples/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/samples/Kconfig ++++ b/samples/Kconfig +@@ -122,7 +122,7 @@ config SAMPLE_CONNECTOR + + config SAMPLE_FANOTIFY_ERROR + bool "Build fanotify error monitoring sample" +- depends on FANOTIFY ++ depends on FANOTIFY && CC_CAN_LINK && HEADERS_INSTALL + help + When enabled, this builds an example code that uses the + FAN_FS_ERROR fanotify mechanism to monitor filesystem diff --git a/queue-5.15/series b/queue-5.15/series index 67b83e6e6e2..d4b3d9c4aca 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -70,3 +70,14 @@ minmax-allow-comparisons-of-int-against-unsigned-char-short.patch minmax-relax-check-to-allow-comparison-between-unsigned-arguments-and-signed-constants.patch mm-damon-core-merge-regions-aggressively-when-max_nr_regions-is-unmet.patch wifi-mac80211-disable-softirqs-for-queued-frame-handling.patch +drm-amdgpu-fix-signedness-bug-in-sdma_v4_0_process_trap_irq.patch +samples-add-fs-error-monitoring-example.patch +samples-make-fs-monitor-depend-on-libc-and-headers.patch +docs-fix-formatting-of-literal-sections-in-fanotify-docs.patch +add-gitignore-file-for-samples-fanotify-subdirectory.patch +net-relax-socket-state-check-at-accept-time.patch +ocfs2-add-bounds-checking-to-ocfs2_check_dir_entry.patch +jfs-don-t-walk-off-the-end-of-ealist.patch +fs-ntfs3-validate-ff-offset.patch +alsa-hda-realtek-enable-headset-mic-on-positivo-su-c1400.patch +alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch