From: Greg Kroah-Hartman Date: Mon, 2 Dec 2024 15:53:51 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.19.325~78 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b839aba07785b841bfbb36e8f8af063ec3de8fd8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch comedi-flush-partial-mappings-in-error-case.patch crypto-x86-aegis128-access-32-bit-arguments-as-32-bit.patch exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch ext4-fix-fs_ioc_getfsmap-handling.patch ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch fsnotify-fix-sending-inotify-event-with-unexpected-filename.patch jfs-xattr-check-invalid-xattr-size-more-strictly.patch kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch --- diff --git a/queue-5.10/apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch b/queue-5.10/apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch new file mode 100644 index 00000000000..55882bf3b1e --- /dev/null +++ b/queue-5.10/apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch @@ -0,0 +1,79 @@ +From 7290f59231910ccba427d441a6e8b8c6f6112448 Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Fri, 11 Oct 2024 09:22:41 +0800 +Subject: apparmor: test: Fix memory leak for aa_unpack_strdup() + +From: Jinjie Ruan + +commit 7290f59231910ccba427d441a6e8b8c6f6112448 upstream. + +The string allocated by kmemdup() in aa_unpack_strdup() is not +freed and cause following memory leaks, free them to fix it. + + unreferenced object 0xffffff80c6af8a50 (size 8): + comm "kunit_try_catch", pid 225, jiffies 4294894407 + hex dump (first 8 bytes): + 74 65 73 74 69 6e 67 00 testing. + backtrace (crc 5eab668b): + [<0000000001e3714d>] kmemleak_alloc+0x34/0x40 + [<000000006e6c7776>] __kmalloc_node_track_caller_noprof+0x300/0x3e0 + [<000000006870467c>] kmemdup_noprof+0x34/0x60 + [<000000001176bb03>] aa_unpack_strdup+0xd0/0x18c + [<000000008ecde918>] policy_unpack_test_unpack_strdup_with_null_name+0xf8/0x3ec + [<0000000032ef8f77>] kunit_try_run_case+0x13c/0x3ac + [<00000000f3edea23>] kunit_generic_run_threadfn_adapter+0x80/0xec + [<00000000adf936cf>] kthread+0x2e8/0x374 + [<0000000041bb1628>] ret_from_fork+0x10/0x20 + unreferenced object 0xffffff80c2a29090 (size 8): + comm "kunit_try_catch", pid 227, jiffies 4294894409 + hex dump (first 8 bytes): + 74 65 73 74 69 6e 67 00 testing. + backtrace (crc 5eab668b): + [<0000000001e3714d>] kmemleak_alloc+0x34/0x40 + [<000000006e6c7776>] __kmalloc_node_track_caller_noprof+0x300/0x3e0 + [<000000006870467c>] kmemdup_noprof+0x34/0x60 + [<000000001176bb03>] aa_unpack_strdup+0xd0/0x18c + [<0000000046a45c1a>] policy_unpack_test_unpack_strdup_with_name+0xd0/0x3c4 + [<0000000032ef8f77>] kunit_try_run_case+0x13c/0x3ac + [<00000000f3edea23>] kunit_generic_run_threadfn_adapter+0x80/0xec + [<00000000adf936cf>] kthread+0x2e8/0x374 + [<0000000041bb1628>] ret_from_fork+0x10/0x20 + +Cc: stable@vger.kernel.org +Fixes: 4d944bcd4e73 ("apparmor: add AppArmor KUnit tests for policy unpack") +Signed-off-by: Jinjie Ruan +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/policy_unpack_test.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/security/apparmor/policy_unpack_test.c ++++ b/security/apparmor/policy_unpack_test.c +@@ -283,6 +283,8 @@ static void policy_unpack_test_unpack_st + ((uintptr_t)puf->e->start <= (uintptr_t)string) + && ((uintptr_t)string <= (uintptr_t)puf->e->end)); + KUNIT_EXPECT_STREQ(test, string, TEST_STRING_DATA); ++ ++ kfree(string); + } + + static void policy_unpack_test_unpack_strdup_with_name(struct kunit *test) +@@ -298,6 +300,8 @@ static void policy_unpack_test_unpack_st + ((uintptr_t)puf->e->start <= (uintptr_t)string) + && ((uintptr_t)string <= (uintptr_t)puf->e->end)); + KUNIT_EXPECT_STREQ(test, string, TEST_STRING_DATA); ++ ++ kfree(string); + } + + static void policy_unpack_test_unpack_strdup_out_of_bounds(struct kunit *test) +@@ -315,6 +319,8 @@ static void policy_unpack_test_unpack_st + KUNIT_EXPECT_EQ(test, size, 0); + KUNIT_EXPECT_PTR_EQ(test, string, (char *)NULL); + KUNIT_EXPECT_PTR_EQ(test, puf->e->pos, start); ++ ++ kfree(string); + } + + static void policy_unpack_test_unpack_nameX_with_null_name(struct kunit *test) diff --git a/queue-5.10/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch b/queue-5.10/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch new file mode 100644 index 00000000000..9c0e2735fc4 --- /dev/null +++ b/queue-5.10/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch @@ -0,0 +1,61 @@ +From 1157733344651ca505e259d6554591ff156922fa Mon Sep 17 00:00:00 2001 +From: Qiu-ji Chen +Date: Mon, 30 Sep 2024 18:12:16 +0800 +Subject: ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata() + +From: Qiu-ji Chen + +commit 1157733344651ca505e259d6554591ff156922fa upstream. + +An atomicity violation occurs when the validity of the variables +da7219->clk_src and da7219->mclk_rate is being assessed. Since the entire +assessment is not protected by a lock, the da7219 variable might still be +in flux during the assessment, rendering this check invalid. + +To fix this issue, we recommend adding a lock before the block +if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) so that +the legitimacy check for da7219->clk_src and da7219->mclk_rate is +protected by the lock, ensuring the validity of the check. + +This possible bug is found by an experimental static analysis tool +developed by our team. This tool analyzes the locking APIs +to extract function pairs that can be concurrently executed, and then +analyzes the instructions in the paired functions to identify possible +concurrency bugs including data races and atomicity violations. + +Fixes: 6d817c0e9fd7 ("ASoC: codecs: Add da7219 codec driver") +Cc: stable@vger.kernel.org +Signed-off-by: Qiu-ji Chen +Link: https://patch.msgid.link/20240930101216.23723-1-chenqiuji666@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/da7219.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/soc/codecs/da7219.c ++++ b/sound/soc/codecs/da7219.c +@@ -1167,17 +1167,20 @@ static int da7219_set_dai_sysclk(struct + struct da7219_priv *da7219 = snd_soc_component_get_drvdata(component); + int ret = 0; + +- if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) ++ mutex_lock(&da7219->pll_lock); ++ ++ if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) { ++ mutex_unlock(&da7219->pll_lock); + return 0; ++ } + + if ((freq < 2000000) || (freq > 54000000)) { ++ mutex_unlock(&da7219->pll_lock); + dev_err(codec_dai->dev, "Unsupported MCLK value %d\n", + freq); + return -EINVAL; + } + +- mutex_lock(&da7219->pll_lock); +- + switch (clk_id) { + case DA7219_CLKSRC_MCLK_SQR: + snd_soc_component_update_bits(component, DA7219_PLL_CTRL, diff --git a/queue-5.10/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch b/queue-5.10/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch new file mode 100644 index 00000000000..ac727dff0ce --- /dev/null +++ b/queue-5.10/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch @@ -0,0 +1,83 @@ +From 5fe6caa62b07fd39cd6a28acc8f92ba2955e11a6 Mon Sep 17 00:00:00 2001 +From: Andrej Shadura +Date: Wed, 9 Oct 2024 14:14:24 +0200 +Subject: Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}() + +From: Andrej Shadura + +commit 5fe6caa62b07fd39cd6a28acc8f92ba2955e11a6 upstream. + +Commit 9bf4e919ccad worked around an issue introduced after an innocuous +optimisation change in LLVM main: + +> len is defined as an 'int' because it is assigned from +> '__user int *optlen'. However, it is clamped against the result of +> sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit +> platforms). This is done with min_t() because min() requires compatible +> types, which results in both len and the result of sizeof() being casted +> to 'unsigned int', meaning len changes signs and the result of sizeof() +> is truncated. From there, len is passed to copy_to_user(), which has a +> third parameter type of 'unsigned long', so it is widened and changes +> signs again. This excessive casting in combination with the KCSAN +> instrumentation causes LLVM to fail to eliminate the __bad_copy_from() +> call, failing the build. + +The same issue occurs in rfcomm in functions rfcomm_sock_getsockopt and +rfcomm_sock_getsockopt_old. + +Change the type of len to size_t in both rfcomm_sock_getsockopt and +rfcomm_sock_getsockopt_old and replace min_t() with min(). + +Cc: stable@vger.kernel.org +Co-authored-by: Aleksei Vetrov +Improves: 9bf4e919ccad ("Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()") +Link: https://github.com/ClangBuiltLinux/linux/issues/2007 +Link: https://github.com/llvm/llvm-project/issues/85647 +Signed-off-by: Andrej Shadura +Reviewed-by: Nathan Chancellor +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/rfcomm/sock.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -735,7 +735,8 @@ static int rfcomm_sock_getsockopt_old(st + struct sock *l2cap_sk; + struct l2cap_conn *conn; + struct rfcomm_conninfo cinfo; +- int len, err = 0; ++ int err = 0; ++ size_t len; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -789,7 +790,7 @@ static int rfcomm_sock_getsockopt_old(st + cinfo.hci_handle = conn->hcon->handle; + memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); + +- len = min_t(unsigned int, len, sizeof(cinfo)); ++ len = min(len, sizeof(cinfo)); + if (copy_to_user(optval, (char *) &cinfo, len)) + err = -EFAULT; + +@@ -808,7 +809,8 @@ static int rfcomm_sock_getsockopt(struct + { + struct sock *sk = sock->sk; + struct bt_security sec; +- int len, err = 0; ++ int err = 0; ++ size_t len; + + BT_DBG("sk %p", sk); + +@@ -833,7 +835,7 @@ static int rfcomm_sock_getsockopt(struct + sec.level = rfcomm_pi(sk)->sec_level; + sec.key_size = 0; + +- len = min_t(unsigned int, len, sizeof(sec)); ++ len = min(len, sizeof(sec)); + if (copy_to_user(optval, (char *) &sec, len)) + err = -EFAULT; + diff --git a/queue-5.10/comedi-flush-partial-mappings-in-error-case.patch b/queue-5.10/comedi-flush-partial-mappings-in-error-case.patch new file mode 100644 index 00000000000..76870a2ec8f --- /dev/null +++ b/queue-5.10/comedi-flush-partial-mappings-in-error-case.patch @@ -0,0 +1,49 @@ +From ce8f9fb651fac95dd41f69afe54d935420b945bd Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Thu, 17 Oct 2024 21:07:45 +0200 +Subject: comedi: Flush partial mappings in error case + +From: Jann Horn + +commit ce8f9fb651fac95dd41f69afe54d935420b945bd upstream. + +If some remap_pfn_range() calls succeeded before one failed, we still have +buffer pages mapped into the userspace page tables when we drop the buffer +reference with comedi_buf_map_put(bm). The userspace mappings are only +cleaned up later in the mmap error path. + +Fix it by explicitly flushing all mappings in our VMA on the error path. + +See commit 79a61cc3fc04 ("mm: avoid leaving partial pfn mappings around in +error case"). + +Cc: stable@vger.kernel.org +Fixes: ed9eccbe8970 ("Staging: add comedi core") +Signed-off-by: Jann Horn +Link: https://lore.kernel.org/r/20241017-comedi-tlb-v3-1-16b82f9372ce@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/comedi/comedi_fops.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -2402,6 +2402,18 @@ static int comedi_mmap(struct file *file + + start += PAGE_SIZE; + } ++ ++#ifdef CONFIG_MMU ++ /* ++ * Leaving behind a partial mapping of a buffer we're about to ++ * drop is unsafe, see remap_pfn_range_notrack(). ++ * We need to zap the range here ourselves instead of relying ++ * on the automatic zapping in remap_pfn_range() because we call ++ * remap_pfn_range() in a loop. ++ */ ++ if (retval) ++ zap_vma_ptes(vma, vma->vm_start, size); ++#endif + } + + if (retval == 0) { diff --git a/queue-5.10/crypto-x86-aegis128-access-32-bit-arguments-as-32-bit.patch b/queue-5.10/crypto-x86-aegis128-access-32-bit-arguments-as-32-bit.patch new file mode 100644 index 00000000000..fd65c37975d --- /dev/null +++ b/queue-5.10/crypto-x86-aegis128-access-32-bit-arguments-as-32-bit.patch @@ -0,0 +1,131 @@ +From 3b2f2d22fb424e9bebda4dbf6676cbfc7f9f62cd Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 16 Oct 2024 17:00:42 -0700 +Subject: crypto: x86/aegis128 - access 32-bit arguments as 32-bit + +From: Eric Biggers + +commit 3b2f2d22fb424e9bebda4dbf6676cbfc7f9f62cd upstream. + +Fix the AEGIS assembly code to access 'unsigned int' arguments as 32-bit +values instead of 64-bit, since the upper bits of the corresponding +64-bit registers are not guaranteed to be zero. + +Note: there haven't been any reports of this bug actually causing +incorrect behavior. Neither gcc nor clang guarantee zero-extension to +64 bits, but zero-extension is likely to happen in practice because most +instructions that operate on 32-bit registers zero-extend to 64 bits. + +Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") +Cc: stable@vger.kernel.org +Reviewed-by: Ondrej Mosnacek +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/crypto/aegis128-aesni-asm.S | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +--- a/arch/x86/crypto/aegis128-aesni-asm.S ++++ b/arch/x86/crypto/aegis128-aesni-asm.S +@@ -20,7 +20,7 @@ + #define T1 %xmm7 + + #define STATEP %rdi +-#define LEN %rsi ++#define LEN %esi + #define SRC %rdx + #define DST %rcx + +@@ -75,32 +75,32 @@ SYM_FUNC_START_LOCAL(__load_partial) + xor %r9d, %r9d + pxor MSG, MSG + +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x1, %r8 + jz .Lld_partial_1 + +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x1E, %r8 + add SRC, %r8 + mov (%r8), %r9b + + .Lld_partial_1: +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x2, %r8 + jz .Lld_partial_2 + +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x1C, %r8 + add SRC, %r8 + shl $0x10, %r9 + mov (%r8), %r9w + + .Lld_partial_2: +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x4, %r8 + jz .Lld_partial_4 + +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x18, %r8 + add SRC, %r8 + shl $32, %r9 +@@ -110,11 +110,11 @@ SYM_FUNC_START_LOCAL(__load_partial) + .Lld_partial_4: + movq %r9, MSG + +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x8, %r8 + jz .Lld_partial_8 + +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x10, %r8 + add SRC, %r8 + pslldq $8, MSG +@@ -138,7 +138,7 @@ SYM_FUNC_END(__load_partial) + * %r10 + */ + SYM_FUNC_START_LOCAL(__store_partial) +- mov LEN, %r8 ++ mov LEN, %r8d + mov DST, %r9 + + movq T0, %r10 +@@ -676,7 +676,7 @@ SYM_FUNC_START(crypto_aegis128_aesni_dec + call __store_partial + + /* mask with byte count: */ +- movq LEN, T0 ++ movd LEN, T0 + punpcklbw T0, T0 + punpcklbw T0, T0 + punpcklbw T0, T0 +@@ -701,7 +701,8 @@ SYM_FUNC_END(crypto_aegis128_aesni_dec_t + + /* + * void crypto_aegis128_aesni_final(void *state, void *tag_xor, +- * u64 assoclen, u64 cryptlen); ++ * unsigned int assoclen, ++ * unsigned int cryptlen); + */ + SYM_FUNC_START(crypto_aegis128_aesni_final) + FRAME_BEGIN +@@ -714,8 +715,8 @@ SYM_FUNC_START(crypto_aegis128_aesni_fin + movdqu 0x40(STATEP), STATE4 + + /* prepare length block: */ +- movq %rdx, MSG +- movq %rcx, T0 ++ movd %edx, MSG ++ movd %ecx, T0 + pslldq $8, T0 + pxor T0, MSG + psllq $3, MSG /* multiply by 8 (to get bit count) */ diff --git a/queue-5.10/exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch b/queue-5.10/exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch new file mode 100644 index 00000000000..fc4a4d17b51 --- /dev/null +++ b/queue-5.10/exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch @@ -0,0 +1,38 @@ +From 02dffe9ab092fc4c8800aee68cb7eafd37a980c4 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sat, 26 Oct 2024 13:06:15 +0900 +Subject: exfat: fix uninit-value in __exfat_get_dentry_set + +From: Namjae Jeon + +commit 02dffe9ab092fc4c8800aee68cb7eafd37a980c4 upstream. + +There is no check if stream size and start_clu are invalid. +If start_clu is EOF cluster and stream size is 4096, It will +cause uninit value access. because ei->hint_femp.eidx could +be 128(if cluster size is 4K) and wrong hint will allocate +next cluster. and this cluster will be same with the cluster +that is allocated by exfat_extend_valid_size(). The previous +patch will check invalid start_clu, but for clarity, initialize +hint_femp.eidx to zero. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+01218003be74b5e1213a@syzkaller.appspotmail.com +Tested-by: syzbot+01218003be74b5e1213a@syzkaller.appspotmail.com +Reviewed-by: Yuezhang Mo +Signed-off-by: Namjae Jeon +Signed-off-by: Greg Kroah-Hartman +--- + fs/exfat/namei.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/exfat/namei.c ++++ b/fs/exfat/namei.c +@@ -356,6 +356,7 @@ static int exfat_find_empty_entry(struct + if (ei->start_clu == EXFAT_EOF_CLUSTER) { + ei->start_clu = clu.dir; + p_dir->dir = clu.dir; ++ hint_femp.eidx = 0; + } + + /* append to the FAT chain */ diff --git a/queue-5.10/ext4-fix-fs_ioc_getfsmap-handling.patch b/queue-5.10/ext4-fix-fs_ioc_getfsmap-handling.patch new file mode 100644 index 00000000000..bbab6dbc505 --- /dev/null +++ b/queue-5.10/ext4-fix-fs_ioc_getfsmap-handling.patch @@ -0,0 +1,158 @@ +From 4a622e4d477bb12ad5ed4abbc7ad1365de1fa347 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 23 Oct 2024 00:25:37 -0400 +Subject: ext4: fix FS_IOC_GETFSMAP handling + +From: Theodore Ts'o + +commit 4a622e4d477bb12ad5ed4abbc7ad1365de1fa347 upstream. + +The original implementation ext4's FS_IOC_GETFSMAP handling only +worked when the range of queried blocks included at least one free +(unallocated) block range. This is because how the metadata blocks +were emitted was as a side effect of ext4_mballoc_query_range() +calling ext4_getfsmap_datadev_helper(), and that function was only +called when a free block range was identified. As a result, this +caused generic/365 to fail. + +Fix this by creating a new function ext4_getfsmap_meta_helper() which +gets called so that blocks before the first free block range in a +block group can get properly reported. + +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/fsmap.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++- + fs/ext4/mballoc.c | 18 ++++++++++++++---- + fs/ext4/mballoc.h | 1 + + 3 files changed, 68 insertions(+), 5 deletions(-) + +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -185,6 +185,56 @@ static inline ext4_fsblk_t ext4_fsmap_ne + return fmr->fmr_physical + fmr->fmr_length; + } + ++static int ext4_getfsmap_meta_helper(struct super_block *sb, ++ ext4_group_t agno, ext4_grpblk_t start, ++ ext4_grpblk_t len, void *priv) ++{ ++ struct ext4_getfsmap_info *info = priv; ++ struct ext4_fsmap *p; ++ struct ext4_fsmap *tmp; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); ++ ext4_fsblk_t fsb, fs_start, fs_end; ++ int error; ++ ++ fs_start = fsb = (EXT4_C2B(sbi, start) + ++ ext4_group_first_block_no(sb, agno)); ++ fs_end = fs_start + EXT4_C2B(sbi, len); ++ ++ /* Return relevant extents from the meta_list */ ++ list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) { ++ if (p->fmr_physical < info->gfi_next_fsblk) { ++ list_del(&p->fmr_list); ++ kfree(p); ++ continue; ++ } ++ if (p->fmr_physical <= fs_start || ++ p->fmr_physical + p->fmr_length <= fs_end) { ++ /* Emit the retained free extent record if present */ ++ if (info->gfi_lastfree.fmr_owner) { ++ error = ext4_getfsmap_helper(sb, info, ++ &info->gfi_lastfree); ++ if (error) ++ return error; ++ info->gfi_lastfree.fmr_owner = 0; ++ } ++ error = ext4_getfsmap_helper(sb, info, p); ++ if (error) ++ return error; ++ fsb = p->fmr_physical + p->fmr_length; ++ if (info->gfi_next_fsblk < fsb) ++ info->gfi_next_fsblk = fsb; ++ list_del(&p->fmr_list); ++ kfree(p); ++ continue; ++ } ++ } ++ if (info->gfi_next_fsblk < fsb) ++ info->gfi_next_fsblk = fsb; ++ ++ return 0; ++} ++ ++ + /* Transform a blockgroup's free record into a fsmap */ + static int ext4_getfsmap_datadev_helper(struct super_block *sb, + ext4_group_t agno, ext4_grpblk_t start, +@@ -539,6 +589,7 @@ static int ext4_getfsmap_datadev(struct + error = ext4_mballoc_query_range(sb, info->gfi_agno, + EXT4_B2C(sbi, info->gfi_low.fmr_physical), + EXT4_B2C(sbi, info->gfi_high.fmr_physical), ++ ext4_getfsmap_meta_helper, + ext4_getfsmap_datadev_helper, info); + if (error) + goto err; +@@ -560,7 +611,8 @@ static int ext4_getfsmap_datadev(struct + + /* Report any gaps at the end of the bg */ + info->gfi_last = true; +- error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster, 0, info); ++ error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, ++ 0, info); + if (error) + goto err; + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -6162,13 +6162,14 @@ int + ext4_mballoc_query_range( + struct super_block *sb, + ext4_group_t group, +- ext4_grpblk_t start, ++ ext4_grpblk_t first, + ext4_grpblk_t end, ++ ext4_mballoc_query_range_fn meta_formatter, + ext4_mballoc_query_range_fn formatter, + void *priv) + { + void *bitmap; +- ext4_grpblk_t next; ++ ext4_grpblk_t start, next; + struct ext4_buddy e4b; + int error; + +@@ -6179,10 +6180,19 @@ ext4_mballoc_query_range( + + ext4_lock_group(sb, group); + +- start = max(e4b.bd_info->bb_first_free, start); ++ start = max(e4b.bd_info->bb_first_free, first); + if (end >= EXT4_CLUSTERS_PER_GROUP(sb)) + end = EXT4_CLUSTERS_PER_GROUP(sb) - 1; +- ++ if (meta_formatter && start != first) { ++ if (start > end) ++ start = end; ++ ext4_unlock_group(sb, group); ++ error = meta_formatter(sb, group, first, start - first, ++ priv); ++ if (error) ++ goto out_unload; ++ ext4_lock_group(sb, group); ++ } + while (start <= end) { + start = mb_find_next_zero_bit(bitmap, end + 1, start); + if (start > end) +--- a/fs/ext4/mballoc.h ++++ b/fs/ext4/mballoc.h +@@ -226,6 +226,7 @@ ext4_mballoc_query_range( + ext4_group_t agno, + ext4_grpblk_t start, + ext4_grpblk_t end, ++ ext4_mballoc_query_range_fn meta_formatter, + ext4_mballoc_query_range_fn formatter, + void *priv); + diff --git a/queue-5.10/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch b/queue-5.10/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch new file mode 100644 index 00000000000..cdb1a047bc3 --- /dev/null +++ b/queue-5.10/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch @@ -0,0 +1,83 @@ +From 902cc179c931a033cd7f4242353aa2733bf8524c Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Thu, 3 Oct 2024 21:53:37 +0900 +Subject: ext4: supress data-race warnings in ext4_free_inodes_{count,set}() + +From: Jeongjun Park + +commit 902cc179c931a033cd7f4242353aa2733bf8524c upstream. + +find_group_other() and find_group_orlov() read *_lo, *_hi with +ext4_free_inodes_count without additional locking. This can cause +data-race warning, but since the lock is held for most writes and free +inodes value is generally not a problem even if it is incorrect, it is +more appropriate to use READ_ONCE()/WRITE_ONCE() than to add locking. + +================================================================== +BUG: KCSAN: data-race in ext4_free_inodes_count / ext4_free_inodes_set + +write to 0xffff88810404300e of 2 bytes by task 6254 on cpu 1: + ext4_free_inodes_set+0x1f/0x80 fs/ext4/super.c:405 + __ext4_new_inode+0x15ca/0x2200 fs/ext4/ialloc.c:1216 + ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391 + vfs_symlink+0xca/0x1d0 fs/namei.c:4615 + do_symlinkat+0xe3/0x340 fs/namei.c:4641 + __do_sys_symlinkat fs/namei.c:4657 [inline] + __se_sys_symlinkat fs/namei.c:4654 [inline] + __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654 + x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +read to 0xffff88810404300e of 2 bytes by task 6257 on cpu 0: + ext4_free_inodes_count+0x1c/0x80 fs/ext4/super.c:349 + find_group_other fs/ext4/ialloc.c:594 [inline] + __ext4_new_inode+0x6ec/0x2200 fs/ext4/ialloc.c:1017 + ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391 + vfs_symlink+0xca/0x1d0 fs/namei.c:4615 + do_symlinkat+0xe3/0x340 fs/namei.c:4641 + __do_sys_symlinkat fs/namei.c:4657 [inline] + __se_sys_symlinkat fs/namei.c:4654 [inline] + __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654 + x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Cc: stable@vger.kernel.org +Signed-off-by: Jeongjun Park +Reviewed-by: Andreas Dilger +Link: https://patch.msgid.link/20241003125337.47283-1-aha310510@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -322,9 +322,9 @@ __u32 ext4_free_group_clusters(struct su + __u32 ext4_free_inodes_count(struct super_block *sb, + struct ext4_group_desc *bg) + { +- return le16_to_cpu(bg->bg_free_inodes_count_lo) | ++ return le16_to_cpu(READ_ONCE(bg->bg_free_inodes_count_lo)) | + (EXT4_DESC_SIZE(sb) >= EXT4_MIN_DESC_SIZE_64BIT ? +- (__u32)le16_to_cpu(bg->bg_free_inodes_count_hi) << 16 : 0); ++ (__u32)le16_to_cpu(READ_ONCE(bg->bg_free_inodes_count_hi)) << 16 : 0); + } + + __u32 ext4_used_dirs_count(struct super_block *sb, +@@ -378,9 +378,9 @@ void ext4_free_group_clusters_set(struct + void ext4_free_inodes_set(struct super_block *sb, + struct ext4_group_desc *bg, __u32 count) + { +- bg->bg_free_inodes_count_lo = cpu_to_le16((__u16)count); ++ WRITE_ONCE(bg->bg_free_inodes_count_lo, cpu_to_le16((__u16)count)); + if (EXT4_DESC_SIZE(sb) >= EXT4_MIN_DESC_SIZE_64BIT) +- bg->bg_free_inodes_count_hi = cpu_to_le16(count >> 16); ++ WRITE_ONCE(bg->bg_free_inodes_count_hi, cpu_to_le16(count >> 16)); + } + + void ext4_used_dirs_set(struct super_block *sb, diff --git a/queue-5.10/fsnotify-fix-sending-inotify-event-with-unexpected-filename.patch b/queue-5.10/fsnotify-fix-sending-inotify-event-with-unexpected-filename.patch new file mode 100644 index 00000000000..afb2e310a92 --- /dev/null +++ b/queue-5.10/fsnotify-fix-sending-inotify-event-with-unexpected-filename.patch @@ -0,0 +1,90 @@ +From aa52c54da40d9eee3ba87c05cdcb0cd07c04fa13 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Wed, 13 Nov 2024 16:40:34 +0100 +Subject: fsnotify: fix sending inotify event with unexpected filename + +From: Amir Goldstein + +commit aa52c54da40d9eee3ba87c05cdcb0cd07c04fa13 upstream. + +We got a report that adding a fanotify filsystem watch prevents tail -f +from receiving events. + +Reproducer: + +1. Create 3 windows / login sessions. Become root in each session. +2. Choose a mounted filesystem that is pretty quiet; I picked /boot. +3. In the first window, run: fsnotifywait -S -m /boot +4. In the second window, run: echo data >> /boot/foo +5. In the third window, run: tail -f /boot/foo +6. Go back to the second window and run: echo more data >> /boot/foo +7. Observe that the tail command doesn't show the new data. +8. In the first window, hit control-C to interrupt fsnotifywait. +9. In the second window, run: echo still more data >> /boot/foo +10. Observe that the tail command in the third window has now printed +the missing data. + +When stracing tail, we observed that when fanotify filesystem mark is +set, tail does get the inotify event, but the event is receieved with +the filename: + +read(4, "\1\0\0\0\2\0\0\0\0\0\0\0\20\0\0\0foo\0\0\0\0\0\0\0\0\0\0\0\0\0", +50) = 32 + +This is unexpected, because tail is watching the file itself and not its +parent and is inconsistent with the inotify event received by tail when +fanotify filesystem mark is not set: + +read(4, "\1\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0", 50) = 16 + +The inteference between different fsnotify groups was caused by the fact +that the mark on the sb requires the filename, so the filename is passed +to fsnotify(). Later on, fsnotify_handle_event() tries to take care of +not passing the filename to groups (such as inotify) that are interested +in the filename only when the parent is watching. + +But the logic was incorrect for the case that no group is watching the +parent, some groups are watching the sb and some watching the inode. + +Reported-by: Miklos Szeredi +Fixes: 7372e79c9eb9 ("fanotify: fix logic of reporting name info with watched parent") +Cc: stable@vger.kernel.org # 5.10+ +Signed-off-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fsnotify.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/fs/notify/fsnotify.c ++++ b/fs/notify/fsnotify.c +@@ -310,16 +310,19 @@ static int fsnotify_handle_event(struct + if (!inode_mark) + return 0; + +- if (mask & FS_EVENT_ON_CHILD) { +- /* +- * Some events can be sent on both parent dir and child marks +- * (e.g. FS_ATTRIB). If both parent dir and child are +- * watching, report the event once to parent dir with name (if +- * interested) and once to child without name (if interested). +- * The child watcher is expecting an event without a file name +- * and without the FS_EVENT_ON_CHILD flag. +- */ +- mask &= ~FS_EVENT_ON_CHILD; ++ /* ++ * Some events can be sent on both parent dir and child marks (e.g. ++ * FS_ATTRIB). If both parent dir and child are watching, report the ++ * event once to parent dir with name (if interested) and once to child ++ * without name (if interested). ++ * ++ * In any case regardless whether the parent is watching or not, the ++ * child watcher is expecting an event without the FS_EVENT_ON_CHILD ++ * flag. The file name is expected if and only if this is a directory ++ * event. ++ */ ++ mask &= ~FS_EVENT_ON_CHILD; ++ if (!(mask & ALL_FSNOTIFY_DIRENT_EVENTS)) { + dir = NULL; + name = NULL; + } diff --git a/queue-5.10/jfs-xattr-check-invalid-xattr-size-more-strictly.patch b/queue-5.10/jfs-xattr-check-invalid-xattr-size-more-strictly.patch new file mode 100644 index 00000000000..42289e27efe --- /dev/null +++ b/queue-5.10/jfs-xattr-check-invalid-xattr-size-more-strictly.patch @@ -0,0 +1,38 @@ +From d9f9d96136cba8fedd647d2c024342ce090133c2 Mon Sep 17 00:00:00 2001 +From: Artem Sadovnikov +Date: Sat, 5 Oct 2024 10:06:57 +0000 +Subject: jfs: xattr: check invalid xattr size more strictly + +From: Artem Sadovnikov + +commit d9f9d96136cba8fedd647d2c024342ce090133c2 upstream. + +Commit 7c55b78818cf ("jfs: xattr: fix buffer overflow for invalid xattr") +also addresses this issue but it only fixes it for positive values, while +ea_size is an integer type and can take negative values, e.g. in case of +a corrupted filesystem. This still breaks validation and would overflow +because of implicit conversion from int to size_t in print_hex_dump(). + +Fix this issue by clamping the ea_size value instead. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Cc: stable@vger.kernel.org +Signed-off-by: Artem Sadovnikov +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jfs/xattr.c ++++ b/fs/jfs/xattr.c +@@ -559,7 +559,7 @@ static int ea_get(struct inode *inode, s + + size_check: + if (EALIST_SIZE(ea_buf->xattr) != ea_size) { +- int size = min_t(int, EALIST_SIZE(ea_buf->xattr), ea_size); ++ int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); + + printk(KERN_ERR "ea_get: invalid extended attribute\n"); + print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1, diff --git a/queue-5.10/kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch b/queue-5.10/kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch new file mode 100644 index 00000000000..248462b7f01 --- /dev/null +++ b/queue-5.10/kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch @@ -0,0 +1,43 @@ +From 54bbee190d42166209185d89070c58a343bf514b Mon Sep 17 00:00:00 2001 +From: Raghavendra Rao Ananta +Date: Tue, 19 Nov 2024 16:52:29 -0800 +Subject: KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status + +From: Raghavendra Rao Ananta + +commit 54bbee190d42166209185d89070c58a343bf514b upstream. + +DDI0487K.a D13.3.1 describes the PMU overflow condition, which evaluates +to true if any counter's global enable (PMCR_EL0.E), overflow flag +(PMOVSSET_EL0[n]), and interrupt enable (PMINTENSET_EL1[n]) are all 1. +Of note, this does not require a counter to be enabled +(i.e. PMCNTENSET_EL0[n] = 1) to generate an overflow. + +Align kvm_pmu_overflow_status() with the reality of the architecture +and stop using PMCNTENSET_EL0 as part of the overflow condition. The +bug was discovered while running an SBSA PMU test [*], which only sets +PMCR.E, PMOVSSET<0>, PMINTENSET<0>, and expects an overflow interrupt. + +Cc: stable@vger.kernel.org +Fixes: 76d883c4e640 ("arm64: KVM: Add access handler for PMOVSSET and PMOVSCLR register") +Link: https://github.com/ARM-software/sbsa-acs/blob/master/test_pool/pmu/operating_system/test_pmu001.c +Signed-off-by: Raghavendra Rao Ananta +[ oliver: massaged changelog ] +Reviewed-by: Marc Zyngier +Link: https://lore.kernel.org/r/20241120005230.2335682-2-oliver.upton@linux.dev +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/pmu-emul.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arm64/kvm/pmu-emul.c ++++ b/arch/arm64/kvm/pmu-emul.c +@@ -371,7 +371,6 @@ static u64 kvm_pmu_overflow_status(struc + + if ((__vcpu_sys_reg(vcpu, PMCR_EL0) & ARMV8_PMU_PMCR_E)) { + reg = __vcpu_sys_reg(vcpu, PMOVSSET_EL0); +- reg &= __vcpu_sys_reg(vcpu, PMCNTENSET_EL0); + reg &= __vcpu_sys_reg(vcpu, PMINTENSET_EL1); + reg &= kvm_pmu_valid_counter_mask(vcpu); + } diff --git a/queue-5.10/kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch b/queue-5.10/kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch new file mode 100644 index 00000000000..4aeb8d9138c --- /dev/null +++ b/queue-5.10/kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch @@ -0,0 +1,59 @@ +From e9649129d33dca561305fc590a7c4ba8c3e5675a Mon Sep 17 00:00:00 2001 +From: Kunkun Jiang +Date: Thu, 7 Nov 2024 13:41:36 -0800 +Subject: KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device + +From: Kunkun Jiang + +commit e9649129d33dca561305fc590a7c4ba8c3e5675a upstream. + +vgic_its_save_device_tables will traverse its->device_list to +save DTE for each device. vgic_its_restore_device_tables will +traverse each entry of device table and check if it is valid. +Restore if valid. + +But when MAPD unmaps a device, it does not invalidate the +corresponding DTE. In the scenario of continuous saves +and restores, there may be a situation where a device's DTE +is not saved but is restored. This is unreasonable and may +cause restore to fail. This patch clears the corresponding +DTE when MAPD unmaps a device. + +Cc: stable@vger.kernel.org +Fixes: 57a9a117154c ("KVM: arm64: vgic-its: Device table save/restore") +Co-developed-by: Shusen Li +Signed-off-by: Shusen Li +Signed-off-by: Kunkun Jiang +[Jing: Update with entry write helper] +Signed-off-by: Jing Zhang +Link: https://lore.kernel.org/r/20241107214137.428439-5-jingzhangos@google.com +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/vgic/vgic-its.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kvm/vgic/vgic-its.c ++++ b/arch/arm64/kvm/vgic/vgic-its.c +@@ -1186,9 +1186,11 @@ static int vgic_its_cmd_handle_mapd(stru + bool valid = its_cmd_get_validbit(its_cmd); + u8 num_eventid_bits = its_cmd_get_size(its_cmd); + gpa_t itt_addr = its_cmd_get_ittaddr(its_cmd); ++ int dte_esz = vgic_its_get_abi(its)->dte_esz; + struct its_device *device; ++ gpa_t gpa; + +- if (!vgic_its_check_id(its, its->baser_device_table, device_id, NULL)) ++ if (!vgic_its_check_id(its, its->baser_device_table, device_id, &gpa)) + return E_ITS_MAPD_DEVICE_OOR; + + if (valid && num_eventid_bits > VITS_TYPER_IDBITS) +@@ -1209,7 +1211,7 @@ static int vgic_its_cmd_handle_mapd(stru + * is an error, so we are done in any case. + */ + if (!valid) +- return 0; ++ return vgic_its_write_entry_lock(its, gpa, 0, dte_esz); + + device = vgic_its_alloc_device(its, device_id, itt_addr, + num_eventid_bits); diff --git a/queue-5.10/kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch b/queue-5.10/kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch new file mode 100644 index 00000000000..d4879cab9b9 --- /dev/null +++ b/queue-5.10/kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch @@ -0,0 +1,50 @@ +From 7602ffd1d5e8927fadd5187cb4aed2fdc9c47143 Mon Sep 17 00:00:00 2001 +From: Kunkun Jiang +Date: Thu, 7 Nov 2024 13:41:37 -0800 +Subject: KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE + +From: Kunkun Jiang + +commit 7602ffd1d5e8927fadd5187cb4aed2fdc9c47143 upstream. + +When DISCARD frees an ITE, it does not invalidate the +corresponding ITE. In the scenario of continuous saves and +restores, there may be a situation where an ITE is not saved +but is restored. This is unreasonable and may cause restore +to fail. This patch clears the corresponding ITE when DISCARD +frees an ITE. + +Cc: stable@vger.kernel.org +Fixes: eff484e0298d ("KVM: arm64: vgic-its: ITT save and restore") +Signed-off-by: Kunkun Jiang +[Jing: Update with entry write helper] +Signed-off-by: Jing Zhang +Link: https://lore.kernel.org/r/20241107214137.428439-6-jingzhangos@google.com +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/vgic/vgic-its.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kvm/vgic/vgic-its.c ++++ b/arch/arm64/kvm/vgic/vgic-its.c +@@ -855,6 +855,9 @@ static int vgic_its_cmd_handle_discard(s + + ite = find_ite(its, device_id, event_id); + if (ite && its_is_collection_mapped(ite->collection)) { ++ struct its_device *device = find_its_device(its, device_id); ++ int ite_esz = vgic_its_get_abi(its)->ite_esz; ++ gpa_t gpa = device->itt_addr + ite->event_id * ite_esz; + /* + * Though the spec talks about removing the pending state, we + * don't bother here since we clear the ITTE anyway and the +@@ -863,7 +866,8 @@ static int vgic_its_cmd_handle_discard(s + vgic_its_invalidate_cache(kvm); + + its_free_ite(kvm, ite); +- return 0; ++ ++ return vgic_its_write_entry_lock(its, gpa, 0, ite_esz); + } + + return E_ITS_DISCARD_UNMAPPED_INTERRUPT; diff --git a/queue-5.10/locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch b/queue-5.10/locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch new file mode 100644 index 00000000000..6bd62d70a02 --- /dev/null +++ b/queue-5.10/locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch @@ -0,0 +1,46 @@ +From d7fe143cb115076fed0126ad8cf5ba6c3e575e43 Mon Sep 17 00:00:00 2001 +From: Ahmed Ehab +Date: Sun, 25 Aug 2024 01:10:30 +0300 +Subject: locking/lockdep: Avoid creating new name string literals in lockdep_set_subclass() + +From: Ahmed Ehab + +commit d7fe143cb115076fed0126ad8cf5ba6c3e575e43 upstream. + +Syzbot reports a problem that a warning will be triggered while +searching a lock class in look_up_lock_class(). + +The cause of the issue is that a new name is created and used by +lockdep_set_subclass() instead of using the existing one. This results +in a lock instance has a different name pointer than previous registered +one stored in lock class, and WARN_ONCE() is triggered because of that +in look_up_lock_class(). + +To fix this, change lockdep_set_subclass() to use the existing name +instead of a new one. Hence, no new name will be created by +lockdep_set_subclass(). Hence, the warning is avoided. + +[boqun: Reword the commit log to state the correct issue] + +Reported-by: +Fixes: de8f5e4f2dc1f ("lockdep: Introduce wait-type checks") +Cc: stable@vger.kernel.org +Signed-off-by: Ahmed Ehab +Signed-off-by: Boqun Feng +Link: https://lore.kernel.org/lkml/20240824221031.7751-1-bottaawesome633@gmail.com/ +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/lockdep.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/lockdep.h ++++ b/include/linux/lockdep.h +@@ -233,7 +233,7 @@ static inline void lockdep_init_map(stru + (lock)->dep_map.lock_type) + + #define lockdep_set_subclass(lock, sub) \ +- lockdep_init_map_type(&(lock)->dep_map, #lock, (lock)->dep_map.key, sub,\ ++ lockdep_init_map_type(&(lock)->dep_map, (lock)->dep_map.name, (lock)->dep_map.key, sub,\ + (lock)->dep_map.wait_type_inner, \ + (lock)->dep_map.wait_type_outer, \ + (lock)->dep_map.lock_type) diff --git a/queue-5.10/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch b/queue-5.10/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch new file mode 100644 index 00000000000..93eb2359e68 --- /dev/null +++ b/queue-5.10/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch @@ -0,0 +1,129 @@ +From c7acef99642b763ba585f4a43af999fcdbcc3dc4 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 10 Oct 2024 19:10:34 +0200 +Subject: PCI: Fix use-after-free of slot->bus on hot remove + +From: Lukas Wunner + +commit c7acef99642b763ba585f4a43af999fcdbcc3dc4 upstream. + +Dennis reports a boot crash on recent Lenovo laptops with a USB4 dock. + +Since commit 0fc70886569c ("thunderbolt: Reset USB4 v2 host router") and +commit 59a54c5f3dbd ("thunderbolt: Reset topology created by the boot +firmware"), USB4 v2 and v1 Host Routers are reset on probe of the +thunderbolt driver. + +The reset clears the Presence Detect State and Data Link Layer Link Active +bits at the USB4 Host Router's Root Port and thus causes hot removal of the +dock. + +The crash occurs when pciehp is unbound from one of the dock's Downstream +Ports: pciehp creates a pci_slot on bind and destroys it on unbind. The +pci_slot contains a pointer to the pci_bus below the Downstream Port, but +a reference on that pci_bus is never acquired. The pci_bus is destroyed +before the pci_slot, so a use-after-free ensues when pci_slot_release() +accesses slot->bus. + +In principle this should not happen because pci_stop_bus_device() unbinds +pciehp (and therefore destroys the pci_slot) before the pci_bus is +destroyed by pci_remove_bus_device(). + +However the stacktrace provided by Dennis shows that pciehp is unbound from +pci_remove_bus_device() instead of pci_stop_bus_device(). To understand +the significance of this, one needs to know that the PCI core uses a two +step process to remove a portion of the hierarchy: It first unbinds all +drivers in the sub-hierarchy in pci_stop_bus_device() and then actually +removes the devices in pci_remove_bus_device(). There is no precaution to +prevent driver binding in-between pci_stop_bus_device() and +pci_remove_bus_device(). + +In Dennis' case, it seems removal of the hierarchy by pciehp races with +driver binding by pci_bus_add_devices(). pciehp is bound to the +Downstream Port after pci_stop_bus_device() has run, so it is unbound by +pci_remove_bus_device() instead of pci_stop_bus_device(). Because the +pci_bus has already been destroyed at that point, accesses to it result in +a use-after-free. + +One might conclude that driver binding needs to be prevented after +pci_stop_bus_device() has run. However it seems risky that pci_slot points +to pci_bus without holding a reference. Solely relying on correct ordering +of driver unbind versus pci_bus destruction is certainly not defensive +programming. + +If pci_slot has a need to access data in pci_bus, it ought to acquire a +reference. Amend pci_create_slot() accordingly. Dennis reports that the +crash is not reproducible with this change. + +Abridged stacktrace: + + pcieport 0000:00:07.0: PME: Signaling with IRQ 156 + pcieport 0000:00:07.0: pciehp: Slot #12 AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+ Interlock- NoCompl+ IbPresDis- LLActRep+ + pci_bus 0000:20: dev 00, created physical slot 12 + pcieport 0000:00:07.0: pciehp: Slot(12): Card not present + ... + pcieport 0000:21:02.0: pciehp: pcie_disable_notification: SLOTCTRL d8 write cmd 0 + Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI + CPU: 13 UID: 0 PID: 134 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #1 + RIP: 0010:dev_driver_string+0x12/0x40 + pci_destroy_slot + pciehp_remove + pcie_port_remove_service + device_release_driver_internal + bus_remove_device + device_del + device_unregister + remove_iter + device_for_each_child + pcie_portdrv_remove + pci_device_remove + device_release_driver_internal + bus_remove_device + device_del + pci_remove_bus_device (recursive invocation) + pci_remove_bus_device + pciehp_unconfigure_device + pciehp_disable_slot + pciehp_handle_presence_or_link_change + pciehp_ist + +Link: https://lore.kernel.org/r/4bfd4c0e976c1776cd08e76603903b338cf25729.1728579288.git.lukas@wunner.de +Reported-by: Dennis Wassenberg +Closes: https://lore.kernel.org/r/6de4b45ff2b32dd91a805ec02ec8ec73ef411bf6.camel@secunet.com/ +Tested-by: Dennis Wassenberg +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Reviewed-by: Mika Westerberg +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/slot.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pci/slot.c ++++ b/drivers/pci/slot.c +@@ -79,6 +79,7 @@ static void pci_slot_release(struct kobj + up_read(&pci_bus_sem); + + list_del(&slot->list); ++ pci_bus_put(slot->bus); + + kfree(slot); + } +@@ -260,7 +261,7 @@ placeholder: + goto err; + } + +- slot->bus = parent; ++ slot->bus = pci_bus_get(parent); + slot->number = slot_nr; + + slot->kobj.kset = pci_slots_kset; +@@ -268,6 +269,7 @@ placeholder: + slot_name = make_slot_name(name); + if (!slot_name) { + err = -ENOMEM; ++ pci_bus_put(slot->bus); + kfree(slot); + goto err; + } diff --git a/queue-5.10/perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch b/queue-5.10/perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch new file mode 100644 index 00000000000..cdb7ef96032 --- /dev/null +++ b/queue-5.10/perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch @@ -0,0 +1,121 @@ +From 5b590160d2cf776b304eb054afafea2bd55e3620 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 22 Oct 2024 18:59:07 +0300 +Subject: perf/x86/intel/pt: Fix buffer full but size is 0 case + +From: Adrian Hunter + +commit 5b590160d2cf776b304eb054afafea2bd55e3620 upstream. + +If the trace data buffer becomes full, a truncated flag [T] is reported +in PERF_RECORD_AUX. In some cases, the size reported is 0, even though +data must have been added to make the buffer full. + +That happens when the buffer fills up from empty to full before the +Intel PT driver has updated the buffer position. Then the driver +calculates the new buffer position before calculating the data size. +If the old and new positions are the same, the data size is reported +as 0, even though it is really the whole buffer size. + +Fix by detecting when the buffer position is wrapped, and adjust the +data size calculation accordingly. + +Example + + Use a very small buffer size (8K) and observe the size of truncated [T] + data. Before the fix, it is possible to see records of 0 size. + + Before: + + $ perf record -m,8K -e intel_pt// uname + Linux + [ perf record: Woken up 2 times to write data ] + [ perf record: Captured and wrote 0.105 MB perf.data ] + $ perf script -D --no-itrace | grep AUX | grep -F '[T]' + Warning: + AUX data lost 2 times out of 3! + + 5 19462712368111 0x19710 [0x40]: PERF_RECORD_AUX offset: 0 size: 0 flags: 0x1 [T] + 5 19462712700046 0x19ba8 [0x40]: PERF_RECORD_AUX offset: 0x170 size: 0xe90 flags: 0x1 [T] + + After: + + $ perf record -m,8K -e intel_pt// uname + Linux + [ perf record: Woken up 3 times to write data ] + [ perf record: Captured and wrote 0.040 MB perf.data ] + $ perf script -D --no-itrace | grep AUX | grep -F '[T]' + Warning: + AUX data lost 2 times out of 3! + + 1 113720802995 0x4948 [0x40]: PERF_RECORD_AUX offset: 0 size: 0x2000 flags: 0x1 [T] + 1 113720979812 0x6b10 [0x40]: PERF_RECORD_AUX offset: 0x2000 size: 0x2000 flags: 0x1 [T] + +Fixes: 52ca9ced3f70 ("perf/x86/intel/pt: Add Intel PT PMU driver") +Signed-off-by: Adrian Hunter +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20241022155920.17511-2-adrian.hunter@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/pt.c | 11 ++++++++--- + arch/x86/events/intel/pt.h | 2 ++ + 2 files changed, 10 insertions(+), 3 deletions(-) + +--- a/arch/x86/events/intel/pt.c ++++ b/arch/x86/events/intel/pt.c +@@ -811,11 +811,13 @@ static void pt_buffer_advance(struct pt_ + buf->cur_idx++; + + if (buf->cur_idx == buf->cur->last) { +- if (buf->cur == buf->last) ++ if (buf->cur == buf->last) { + buf->cur = buf->first; +- else ++ buf->wrapped = true; ++ } else { + buf->cur = list_entry(buf->cur->list.next, struct topa, + list); ++ } + buf->cur_idx = 0; + } + } +@@ -829,8 +831,11 @@ static void pt_buffer_advance(struct pt_ + static void pt_update_head(struct pt *pt) + { + struct pt_buffer *buf = perf_get_aux(&pt->handle); ++ bool wrapped = buf->wrapped; + u64 topa_idx, base, old; + ++ buf->wrapped = false; ++ + if (buf->single) { + local_set(&buf->data_size, buf->output_off); + return; +@@ -848,7 +853,7 @@ static void pt_update_head(struct pt *pt + } else { + old = (local64_xchg(&buf->head, base) & + ((buf->nr_pages << PAGE_SHIFT) - 1)); +- if (base < old) ++ if (base < old || (base == old && wrapped)) + base += buf->nr_pages << PAGE_SHIFT; + + local_add(base - old, &buf->data_size); +--- a/arch/x86/events/intel/pt.h ++++ b/arch/x86/events/intel/pt.h +@@ -65,6 +65,7 @@ struct pt_pmu { + * @head: logical write offset inside the buffer + * @snapshot: if this is for a snapshot/overwrite counter + * @single: use Single Range Output instead of ToPA ++ * @wrapped: buffer advance wrapped back to the first topa table + * @stop_pos: STOP topa entry index + * @intr_pos: INT topa entry index + * @stop_te: STOP topa entry pointer +@@ -82,6 +83,7 @@ struct pt_buffer { + local64_t head; + bool snapshot; + bool single; ++ bool wrapped; + long stop_pos, intr_pos; + struct topa_entry *stop_te, *intr_te; + void **data_pages; diff --git a/queue-5.10/series b/queue-5.10/series index 80a15425de6..4097d085a9b 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -235,3 +235,21 @@ xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.pa usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch soc-qcom-socinfo-fix-revision-check-in-qcom_socinfo_probe.patch alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch +ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch +ext4-fix-fs_ioc_getfsmap-handling.patch +jfs-xattr-check-invalid-xattr-size-more-strictly.patch +asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch +perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch +crypto-x86-aegis128-access-32-bit-arguments-as-32-bit.patch +kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch +kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch +kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch +pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch +fsnotify-fix-sending-inotify-event-with-unexpected-filename.patch +comedi-flush-partial-mappings-in-error-case.patch +apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch +tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch +locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch +exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch +xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch +bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch diff --git a/queue-5.10/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch b/queue-5.10/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch new file mode 100644 index 00000000000..2e9b62d2cbd --- /dev/null +++ b/queue-5.10/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch @@ -0,0 +1,41 @@ +From 635a9fca54f4f4148be1ae1c7c6bd37af80f5773 Mon Sep 17 00:00:00 2001 +From: Nicolas Bouchinet +Date: Tue, 12 Nov 2024 14:13:31 +0100 +Subject: tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler + +From: Nicolas Bouchinet + +commit 635a9fca54f4f4148be1ae1c7c6bd37af80f5773 upstream. + +Commit 7c0cca7c847e ("tty: ldisc: add sysctl to prevent autoloading of +ldiscs") introduces the tty_ldisc_autoload sysctl with the wrong +proc_handler. .extra1 and .extra2 parameters are set to avoid other values +thant SYSCTL_ZERO or SYSCTL_ONE to be set but proc_dointvec do not uses +them. + +This commit fixes this by using proc_dointvec_minmax instead of +proc_dointvec. + +Fixes: 7c0cca7c847e ("tty: ldisc: add sysctl to prevent autoloading of ldiscs") +Cc: stable +Signed-off-by: Nicolas Bouchinet +Reviewed-by: Lin Feng +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/20241112131357.49582-4-nicolas.bouchinet@clip-os.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/tty_ldisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -856,7 +856,7 @@ static struct ctl_table tty_table[] = { + .data = &tty_ldisc_autoload, + .maxlen = sizeof(tty_ldisc_autoload), + .mode = 0644, +- .proc_handler = proc_dointvec, ++ .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, + }, diff --git a/queue-5.10/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch b/queue-5.10/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch new file mode 100644 index 00000000000..7ae359d933e --- /dev/null +++ b/queue-5.10/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch @@ -0,0 +1,46 @@ +From e735e957f2b9cfe4be486e0304732ec36928591f Mon Sep 17 00:00:00 2001 +From: Kuangyi Chiang +Date: Wed, 6 Nov 2024 12:14:46 +0200 +Subject: xhci: Don't perform Soft Retry for Etron xHCI host + +From: Kuangyi Chiang + +commit e735e957f2b9cfe4be486e0304732ec36928591f upstream. + +Since commit f8f80be501aa ("xhci: Use soft retry to recover faster from +transaction errors"), unplugging USB device while enumeration results in +errors like this: + +[ 364.855321] xhci_hcd 0000:0b:00.0: ERROR Transfer event for disabled endpoint slot 5 ep 2 +[ 364.864622] xhci_hcd 0000:0b:00.0: @0000002167656d70 67f03000 00000021 0c000000 05038001 +[ 374.934793] xhci_hcd 0000:0b:00.0: Abort failed to stop command ring: -110 +[ 374.958793] xhci_hcd 0000:0b:00.0: xHCI host controller not responding, assume dead +[ 374.967590] xhci_hcd 0000:0b:00.0: HC died; cleaning up +[ 374.973984] xhci_hcd 0000:0b:00.0: Timeout while waiting for configure endpoint command + +Seems that Etorn xHCI host can not perform Soft Retry correctly, apply +XHCI_NO_SOFT_RETRY quirk to disable Soft Retry and then issue is gone. + +This patch depends on commit a4a251f8c235 ("usb: xhci: do not perform +Soft Retry for some xHCI hosts"). + +Fixes: f8f80be501aa ("xhci: Use soft retry to recover faster from transaction errors") +Cc: stable@vger.kernel.org +Signed-off-by: Kuangyi Chiang +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241106101459.775897-21-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -276,6 +276,7 @@ static void xhci_pci_quirks(struct devic + pdev->device == PCI_DEVICE_ID_EJ188) { + xhci->quirks |= XHCI_RESET_ON_RESUME; + xhci->quirks |= XHCI_BROKEN_STREAMS; ++ xhci->quirks |= XHCI_NO_SOFT_RETRY; + } + + if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&