From: Greg Kroah-Hartman Date: Tue, 1 Oct 2024 14:06:16 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.6.54~58 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93e528ef6bcde0320dd81fff0e7036df1a36b31b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm64-dts-rockchip-correct-the-pinebook-pro-battery-design-capacity.patch arm64-dts-rockchip-raise-pinebook-pro-s-panel-backlight-pwm-frequency.patch f2fs-avoid-potential-int-overflow-in-sanity_check_area_boundary.patch f2fs-prevent-possible-int-overflow-in-dir_block_index.patch fs-fix-file_set_fowner-lsm-hook-inconsistencies.patch hwrng-cctrng-add-missing-clk_disable_unprepare-in-cctrng_resume.patch hwrng-mtk-use-devm_pm_runtime_enable.patch nfs-fix-memory-leak-in-error-path-of-nfs4_do_reclaim.patch padata-use-integer-wrap-around-to-prevent-deadlock-on-seq_nr-overflow.patch vfs-fix-race-between-evice_inodes-and-find_inode-iput.patch --- diff --git a/queue-5.10/arm64-dts-rockchip-correct-the-pinebook-pro-battery-design-capacity.patch b/queue-5.10/arm64-dts-rockchip-correct-the-pinebook-pro-battery-design-capacity.patch new file mode 100644 index 00000000000..e04b7a984f9 --- /dev/null +++ b/queue-5.10/arm64-dts-rockchip-correct-the-pinebook-pro-battery-design-capacity.patch @@ -0,0 +1,55 @@ +From def33fb1191207f5afa6dcb681d71fef2a6c1293 Mon Sep 17 00:00:00 2001 +From: Dragan Simic +Date: Mon, 15 Jul 2024 19:44:20 +0200 +Subject: arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity + +From: Dragan Simic + +commit def33fb1191207f5afa6dcb681d71fef2a6c1293 upstream. + +All batches of the Pine64 Pinebook Pro, except the latest batch (as of 2024) +whose hardware design was revised due to the component shortage, use a 1S +lithium battery whose nominal/design capacity is 10,000 mAh, according to the +battery datasheet. [1][2] Let's correct the design full-charge value in the +Pinebook Pro board dts, to improve the accuracy of the hardware description, +and to hopefully improve the accuracy of the fuel gauge a bit on all units +that don't belong to the latest batch. + +The above-mentioned latest batch uses a different 1S lithium battery with +a slightly lower capacity, more precisely 9,600 mAh. To make the fuel gauge +work reliably on the latest batch, a sample battery would need to be sent to +CellWise, to obtain its proprietary battery profile, whose data goes into +"cellwise,battery-profile" in the Pinebook Pro board dts. Without that data, +the fuel gauge reportedly works unreliably, so changing the design capacity +won't have any negative effects on the already unreliable operation of the +fuel gauge in the Pinebook Pros that belong to the latest batch. + +According to the battery datasheet, its voltage can go as low as 2.75 V while +discharging, but it's better to leave the current 3.0 V value in the dts file, +because of the associated Pinebook Pro's voltage regulation issues. + +[1] https://wiki.pine64.org/index.php/Pinebook_Pro#Battery +[2] https://files.pine64.org/doc/datasheet/pinebook/40110175P%203.8V%2010000mAh%E8%A7%84%E6%A0%BC%E4%B9%A6-14.pdf + +Fixes: c7c4d698cd28 ("arm64: dts: rockchip: add fuel gauge to Pinebook Pro dts") +Cc: stable@vger.kernel.org +Cc: Marek Kraus +Signed-off-by: Dragan Simic +Link: https://lore.kernel.org/r/731f8ef9b1a867bcc730d19ed277c8c0534c0842.1721065172.git.dsimic@manjaro.org +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts +@@ -30,7 +30,7 @@ + + bat: battery { + compatible = "simple-battery"; +- charge-full-design-microamp-hours = <9800000>; ++ charge-full-design-microamp-hours = <10000000>; + voltage-max-design-microvolt = <4350000>; + voltage-min-design-microvolt = <3000000>; + }; diff --git a/queue-5.10/arm64-dts-rockchip-raise-pinebook-pro-s-panel-backlight-pwm-frequency.patch b/queue-5.10/arm64-dts-rockchip-raise-pinebook-pro-s-panel-backlight-pwm-frequency.patch new file mode 100644 index 00000000000..9fc4ad7a618 --- /dev/null +++ b/queue-5.10/arm64-dts-rockchip-raise-pinebook-pro-s-panel-backlight-pwm-frequency.patch @@ -0,0 +1,60 @@ +From 8c51521de18755d4112a77a598a348b38d0af370 Mon Sep 17 00:00:00 2001 +From: Dragan Simic +Date: Sun, 4 Aug 2024 23:10:24 +0200 +Subject: arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dragan Simic + +commit 8c51521de18755d4112a77a598a348b38d0af370 upstream. + +Increase the frequency of the PWM signal that drives the LED backlight of +the Pinebook Pro's panel, from about 1.35 KHz (which equals to the PWM +period of 740,740 ns), to exactly 8 kHz (which equals to the PWM period of +125,000 ns). Using a higher PWM frequency for the panel backlight, which +reduces the flicker, can only be beneficial to the end users' eyes. + +On top of that, increasing the backlight PWM signal frequency reportedly +eliminates the buzzing emitted from the Pinebook Pro's built-in speakers +when certain backlight levels are set, which cause some weird interference +with some of the components of the Pinebook Pro's audio chain. + +The old value for the backlight PWM period, i.e. 740,740 ns, is pretty much +an arbitrary value that was selected during the very early bring-up of the +Pinebook Pro, only because that value seemed to minimize horizontal line +distortion on the display, which resulted from the old X.org drivers causing +screen tearing when dragging windows around. That's no longer an issue, so +there are no reasons to stick with the old PWM period value. + +The lower and the upper backlight PWM frequency limits for the Pinebook Pro's +panel, according to its datasheet, are 200 Hz and 10 kHz, respectively. [1] +These changes still leave some headroom, which may have some positive effects +on the lifetime expectancy of the panel's backlight LEDs. + +[1] https://files.pine64.org/doc/datasheet/PinebookPro/NV140FHM-N49_Rev.P0_20160804_201710235838.pdf + +Fixes: 5a65505a6988 ("arm64: dts: rockchip: Add initial support for Pinebook Pro") +Cc: stable@vger.kernel.org +Reported-by: Nikola Radojevic +Signed-off-by: Dragan Simic +Tested-by: Nikola Radojević +Link: https://lore.kernel.org/r/2a23b6cfd8c0513e5b233b4006ee3d3ed09b824f.1722805655.git.dsimic@manjaro.org +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts +@@ -25,7 +25,7 @@ + backlight: edp-backlight { + compatible = "pwm-backlight"; + power-supply = <&vcc_12v>; +- pwms = <&pwm0 0 740740 0>; ++ pwms = <&pwm0 0 125000 0>; + }; + + bat: battery { diff --git a/queue-5.10/f2fs-avoid-potential-int-overflow-in-sanity_check_area_boundary.patch b/queue-5.10/f2fs-avoid-potential-int-overflow-in-sanity_check_area_boundary.patch new file mode 100644 index 00000000000..1cea214293e --- /dev/null +++ b/queue-5.10/f2fs-avoid-potential-int-overflow-in-sanity_check_area_boundary.patch @@ -0,0 +1,43 @@ +From 50438dbc483ca6a133d2bce9d5d6747bcee38371 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Wed, 24 Jul 2024 10:51:58 -0700 +Subject: f2fs: avoid potential int overflow in sanity_check_area_boundary() + +From: Nikita Zhandarovich + +commit 50438dbc483ca6a133d2bce9d5d6747bcee38371 upstream. + +While calculating the end addresses of main area and segment 0, u32 +may be not enough to hold the result without the danger of int +overflow. + +Just in case, play it safe and cast one of the operands to a +wider type (u64). + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: fd694733d523 ("f2fs: cover large section in sanity check of super") +Cc: stable@vger.kernel.org +Signed-off-by: Nikita Zhandarovich +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2754,9 +2754,9 @@ static inline bool sanity_check_area_bou + u32 segment_count = le32_to_cpu(raw_super->segment_count); + u32 log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg); + u64 main_end_blkaddr = main_blkaddr + +- (segment_count_main << log_blocks_per_seg); ++ ((u64)segment_count_main << log_blocks_per_seg); + u64 seg_end_blkaddr = segment0_blkaddr + +- (segment_count << log_blocks_per_seg); ++ ((u64)segment_count << log_blocks_per_seg); + + if (segment0_blkaddr != cp_blkaddr) { + f2fs_info(sbi, "Mismatch start address, segment0(%u) cp_blkaddr(%u)", diff --git a/queue-5.10/f2fs-prevent-possible-int-overflow-in-dir_block_index.patch b/queue-5.10/f2fs-prevent-possible-int-overflow-in-dir_block_index.patch new file mode 100644 index 00000000000..ac524ed0839 --- /dev/null +++ b/queue-5.10/f2fs-prevent-possible-int-overflow-in-dir_block_index.patch @@ -0,0 +1,42 @@ +From 47f268f33dff4a5e31541a990dc09f116f80e61c Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Wed, 24 Jul 2024 10:05:44 -0700 +Subject: f2fs: prevent possible int overflow in dir_block_index() + +From: Nikita Zhandarovich + +commit 47f268f33dff4a5e31541a990dc09f116f80e61c upstream. + +The result of multiplication between values derived from functions +dir_buckets() and bucket_blocks() *could* technically reach +2^30 * 2^2 = 2^32. + +While unlikely to happen, it is prudent to ensure that it will not +lead to integer overflow. Thus, use mul_u32_u32() as it's more +appropriate to mitigate the issue. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 3843154598a0 ("f2fs: introduce large directory support") +Cc: stable@vger.kernel.org +Signed-off-by: Nikita Zhandarovich +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/dir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -183,7 +183,8 @@ static unsigned long dir_block_index(uns + unsigned long bidx = 0; + + for (i = 0; i < level; i++) +- bidx += dir_buckets(i, dir_level) * bucket_blocks(i); ++ bidx += mul_u32_u32(dir_buckets(i, dir_level), ++ bucket_blocks(i)); + bidx += idx * bucket_blocks(level); + return bidx; + } diff --git a/queue-5.10/fs-fix-file_set_fowner-lsm-hook-inconsistencies.patch b/queue-5.10/fs-fix-file_set_fowner-lsm-hook-inconsistencies.patch new file mode 100644 index 00000000000..7e1437d0589 --- /dev/null +++ b/queue-5.10/fs-fix-file_set_fowner-lsm-hook-inconsistencies.patch @@ -0,0 +1,90 @@ +From 26f204380a3c182e5adf1a798db0724d6111b597 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 21 Aug 2024 11:56:05 +0200 +Subject: fs: Fix file_set_fowner LSM hook inconsistencies +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit 26f204380a3c182e5adf1a798db0724d6111b597 upstream. + +The fcntl's F_SETOWN command sets the process that handle SIGIO/SIGURG +for the related file descriptor. Before this change, the +file_set_fowner LSM hook was always called, ignoring the VFS logic which +may not actually change the process that handles SIGIO (e.g. TUN, TTY, +dnotify), nor update the related UID/EUID. + +Moreover, because security_file_set_fowner() was called without lock +(e.g. f_owner.lock), concurrent F_SETOWN commands could result to a race +condition and inconsistent LSM states (e.g. SELinux's fown_sid) compared +to struct fown_struct's UID/EUID. + +This change makes sure the LSM states are always in sync with the VFS +state by moving the security_file_set_fowner() call close to the +UID/EUID updates and using the same f_owner.lock . + +Rename f_modown() to __f_setown() to simplify code. + +Cc: stable@vger.kernel.org +Cc: Al Viro +Cc: Casey Schaufler +Cc: Christian Brauner +Cc: James Morris +Cc: Jann Horn +Cc: Ondrej Mosnacek +Cc: Paul Moore +Cc: Serge E. Hallyn +Cc: Stephen Smalley +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Mickaël Salaün +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + fs/fcntl.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -84,8 +84,8 @@ static int setfl(int fd, struct file * f + return error; + } + +-static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, +- int force) ++void __f_setown(struct file *filp, struct pid *pid, enum pid_type type, ++ int force) + { + write_lock_irq(&filp->f_owner.lock); + if (force || !filp->f_owner.pid) { +@@ -95,19 +95,13 @@ static void f_modown(struct file *filp, + + if (pid) { + const struct cred *cred = current_cred(); ++ security_file_set_fowner(filp); + filp->f_owner.uid = cred->uid; + filp->f_owner.euid = cred->euid; + } + } + write_unlock_irq(&filp->f_owner.lock); + } +- +-void __f_setown(struct file *filp, struct pid *pid, enum pid_type type, +- int force) +-{ +- security_file_set_fowner(filp); +- f_modown(filp, pid, type, force); +-} + EXPORT_SYMBOL(__f_setown); + + int f_setown(struct file *filp, unsigned long arg, int force) +@@ -143,7 +137,7 @@ EXPORT_SYMBOL(f_setown); + + void f_delown(struct file *filp) + { +- f_modown(filp, NULL, PIDTYPE_TGID, 1); ++ __f_setown(filp, NULL, PIDTYPE_TGID, 1); + } + + pid_t f_getown(struct file *filp) diff --git a/queue-5.10/hwrng-cctrng-add-missing-clk_disable_unprepare-in-cctrng_resume.patch b/queue-5.10/hwrng-cctrng-add-missing-clk_disable_unprepare-in-cctrng_resume.patch new file mode 100644 index 00000000000..4efbd5ee128 --- /dev/null +++ b/queue-5.10/hwrng-cctrng-add-missing-clk_disable_unprepare-in-cctrng_resume.patch @@ -0,0 +1,31 @@ +From 4b7acc85de14ee8a2236f54445dc635d47eceac0 Mon Sep 17 00:00:00 2001 +From: Gaosheng Cui +Date: Sat, 3 Aug 2024 14:49:23 +0800 +Subject: hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume + +From: Gaosheng Cui + +commit 4b7acc85de14ee8a2236f54445dc635d47eceac0 upstream. + +Add the missing clk_disable_unprepare() before return in +cctrng_resume(). + +Fixes: a583ed310bb6 ("hwrng: cctrng - introduce Arm CryptoCell driver") +Cc: +Signed-off-by: Gaosheng Cui +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/cctrng.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/char/hw_random/cctrng.c ++++ b/drivers/char/hw_random/cctrng.c +@@ -679,6 +679,7 @@ static int __maybe_unused cctrng_resume( + /* wait for Cryptocell reset completion */ + if (!cctrng_wait_for_reset_completion(drvdata)) { + dev_err(dev, "Cryptocell reset not completed"); ++ clk_disable_unprepare(drvdata->clk); + return -EBUSY; + } + diff --git a/queue-5.10/hwrng-mtk-use-devm_pm_runtime_enable.patch b/queue-5.10/hwrng-mtk-use-devm_pm_runtime_enable.patch new file mode 100644 index 00000000000..baef892eeae --- /dev/null +++ b/queue-5.10/hwrng-mtk-use-devm_pm_runtime_enable.patch @@ -0,0 +1,37 @@ +From 78cb66caa6ab5385ac2090f1aae5f3c19e08f522 Mon Sep 17 00:00:00 2001 +From: Guoqing Jiang +Date: Mon, 26 Aug 2024 15:04:15 +0800 +Subject: hwrng: mtk - Use devm_pm_runtime_enable + +From: Guoqing Jiang + +commit 78cb66caa6ab5385ac2090f1aae5f3c19e08f522 upstream. + +Replace pm_runtime_enable with the devres-enabled version which +can trigger pm_runtime_disable. + +Otherwise, the below appears during reload driver. + +mtk_rng 1020f000.rng: Unbalanced pm_runtime_enable! + +Fixes: 81d2b34508c6 ("hwrng: mtk - add runtime PM support") +Cc: +Suggested-by: Chen-Yu Tsai +Signed-off-by: Guoqing Jiang +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/mtk-rng.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/hw_random/mtk-rng.c ++++ b/drivers/char/hw_random/mtk-rng.c +@@ -142,7 +142,7 @@ static int mtk_rng_probe(struct platform + dev_set_drvdata(&pdev->dev, priv); + pm_runtime_set_autosuspend_delay(&pdev->dev, RNG_AUTOSUSPEND_TIMEOUT); + pm_runtime_use_autosuspend(&pdev->dev); +- pm_runtime_enable(&pdev->dev); ++ devm_pm_runtime_enable(&pdev->dev); + + dev_info(&pdev->dev, "registered RNG driver\n"); + diff --git a/queue-5.10/nfs-fix-memory-leak-in-error-path-of-nfs4_do_reclaim.patch b/queue-5.10/nfs-fix-memory-leak-in-error-path-of-nfs4_do_reclaim.patch new file mode 100644 index 00000000000..7ad38f0d04c --- /dev/null +++ b/queue-5.10/nfs-fix-memory-leak-in-error-path-of-nfs4_do_reclaim.patch @@ -0,0 +1,35 @@ +From 8f6a7c9467eaf39da4c14e5474e46190ab3fb529 Mon Sep 17 00:00:00 2001 +From: Li Lingfeng +Date: Wed, 4 Sep 2024 20:34:57 +0800 +Subject: nfs: fix memory leak in error path of nfs4_do_reclaim + +From: Li Lingfeng + +commit 8f6a7c9467eaf39da4c14e5474e46190ab3fb529 upstream. + +Commit c77e22834ae9 ("NFSv4: Fix a potential sleep while atomic in +nfs4_do_reclaim()") separate out the freeing of the state owners from +nfs4_purge_state_owners() and finish it outside the rcu lock. +However, the error path is omitted. As a result, the state owners in +"freeme" will not be released. +Fix it by adding freeing in the error path. + +Fixes: c77e22834ae9 ("NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()") +Signed-off-by: Li Lingfeng +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4state.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1948,6 +1948,7 @@ restart: + set_bit(ops->owner_flag_bit, &sp->so_flags); + nfs4_put_state_owner(sp); + status = nfs4_recovery_handle_error(clp, status); ++ nfs4_free_state_owners(&freeme); + return (status != 0) ? status : -EAGAIN; + } + diff --git a/queue-5.10/padata-use-integer-wrap-around-to-prevent-deadlock-on-seq_nr-overflow.patch b/queue-5.10/padata-use-integer-wrap-around-to-prevent-deadlock-on-seq_nr-overflow.patch new file mode 100644 index 00000000000..181c7203e13 --- /dev/null +++ b/queue-5.10/padata-use-integer-wrap-around-to-prevent-deadlock-on-seq_nr-overflow.patch @@ -0,0 +1,46 @@ +From 9a22b2812393d93d84358a760c347c21939029a6 Mon Sep 17 00:00:00 2001 +From: VanGiang Nguyen +Date: Fri, 9 Aug 2024 06:21:42 +0000 +Subject: padata: use integer wrap around to prevent deadlock on seq_nr overflow + +From: VanGiang Nguyen + +commit 9a22b2812393d93d84358a760c347c21939029a6 upstream. + +When submitting more than 2^32 padata objects to padata_do_serial, the +current sorting implementation incorrectly sorts padata objects with +overflowed seq_nr, causing them to be placed before existing objects in +the reorder list. This leads to a deadlock in the serialization process +as padata_find_next cannot match padata->seq_nr and pd->processed +because the padata instance with overflowed seq_nr will be selected +next. + +To fix this, we use an unsigned integer wrap around to correctly sort +padata objects in scenarios with integer overflow. + +Fixes: bfde23ce200e ("padata: unbind parallel jobs from specific CPUs") +Cc: +Co-developed-by: Christian Gafert +Signed-off-by: Christian Gafert +Co-developed-by: Max Ferger +Signed-off-by: Max Ferger +Signed-off-by: Van Giang Nguyen +Acked-by: Daniel Jordan +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + kernel/padata.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -409,7 +409,8 @@ void padata_do_serial(struct padata_priv + /* Sort in ascending order of sequence number. */ + list_for_each_prev(pos, &reorder->list) { + cur = list_entry(pos, struct padata_priv, list); +- if (cur->seq_nr < padata->seq_nr) ++ /* Compare by difference to consider integer wrap around */ ++ if ((signed int)(cur->seq_nr - padata->seq_nr) < 0) + break; + } + list_add(&padata->list, pos); diff --git a/queue-5.10/series b/queue-5.10/series index dff30e3334b..98ea2aa275f 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -248,3 +248,13 @@ efistub-tpm-use-acpi-reclaim-memory-for-event-log-to-avoid-corruption.patch perf-x86-intel-pt-fix-sampling-synchronization.patch wifi-rtw88-8822c-fix-reported-rx-band-width.patch debugobjects-fix-conditions-in-fill_pool.patch +f2fs-prevent-possible-int-overflow-in-dir_block_index.patch +f2fs-avoid-potential-int-overflow-in-sanity_check_area_boundary.patch +hwrng-mtk-use-devm_pm_runtime_enable.patch +hwrng-cctrng-add-missing-clk_disable_unprepare-in-cctrng_resume.patch +arm64-dts-rockchip-raise-pinebook-pro-s-panel-backlight-pwm-frequency.patch +arm64-dts-rockchip-correct-the-pinebook-pro-battery-design-capacity.patch +vfs-fix-race-between-evice_inodes-and-find_inode-iput.patch +fs-fix-file_set_fowner-lsm-hook-inconsistencies.patch +nfs-fix-memory-leak-in-error-path-of-nfs4_do_reclaim.patch +padata-use-integer-wrap-around-to-prevent-deadlock-on-seq_nr-overflow.patch diff --git a/queue-5.10/vfs-fix-race-between-evice_inodes-and-find_inode-iput.patch b/queue-5.10/vfs-fix-race-between-evice_inodes-and-find_inode-iput.patch new file mode 100644 index 00000000000..f65c1e91a87 --- /dev/null +++ b/queue-5.10/vfs-fix-race-between-evice_inodes-and-find_inode-iput.patch @@ -0,0 +1,91 @@ +From 88b1afbf0f6b221f6c5bb66cc80cd3b38d696687 Mon Sep 17 00:00:00 2001 +From: Julian Sun +Date: Fri, 23 Aug 2024 21:07:30 +0800 +Subject: vfs: fix race between evice_inodes() and find_inode()&iput() + +From: Julian Sun + +commit 88b1afbf0f6b221f6c5bb66cc80cd3b38d696687 upstream. + +Hi, all + +Recently I noticed a bug[1] in btrfs, after digged it into +and I believe it'a race in vfs. + +Let's assume there's a inode (ie ino 261) with i_count 1 is +called by iput(), and there's a concurrent thread calling +generic_shutdown_super(). + +cpu0: cpu1: +iput() // i_count is 1 + ->spin_lock(inode) + ->dec i_count to 0 + ->iput_final() generic_shutdown_super() + ->__inode_add_lru() ->evict_inodes() + // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; + // return before // inode 261 passed the above check + // list_lru_add_obj() // and then schedule out + ->spin_unlock() +// note here: the inode 261 +// was still at sb list and hash list, +// and I_FREEING|I_WILL_FREE was not been set + +btrfs_iget() + // after some function calls + ->find_inode() + // found the above inode 261 + ->spin_lock(inode) + // check I_FREEING|I_WILL_FREE + // and passed + ->__iget() + ->spin_unlock(inode) // schedule back + ->spin_lock(inode) + // check (I_NEW|I_FREEING|I_WILL_FREE) flags, + // passed and set I_FREEING +iput() ->spin_unlock(inode) + ->spin_lock(inode) ->evict() + // dec i_count to 0 + ->iput_final() + ->spin_unlock() + ->evict() + +Now, we have two threads simultaneously evicting +the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) +statement both within clear_inode() and iput(). + +To fix the bug, recheck the inode->i_count after holding i_lock. +Because in the most scenarios, the first check is valid, and +the overhead of spin_lock() can be reduced. + +If there is any misunderstanding, please let me know, thanks. + +[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/ +[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() +return false when I reproduced the bug. + +Reported-by: syzbot+67ba3c42bcbb4665d3ad@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=67ba3c42bcbb4665d3ad +CC: stable@vger.kernel.org +Fixes: 63997e98a3be ("split invalidate_inodes()") +Signed-off-by: Julian Sun +Link: https://lore.kernel.org/r/20240823130730.658881-1-sunjunchao2870@gmail.com +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -670,6 +670,10 @@ again: + continue; + + spin_lock(&inode->i_lock); ++ if (atomic_read(&inode->i_count)) { ++ spin_unlock(&inode->i_lock); ++ continue; ++ } + if (inode->i_state & (I_NEW | I_FREEING | I_WILL_FREE)) { + spin_unlock(&inode->i_lock); + continue;