From: Greg Kroah-Hartman Date: Fri, 30 Aug 2024 13:03:19 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.19.321~62 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bf52d4ea6d7bcbba58661638e0e335c0ab709ee7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: ata-libata-core-fix-null-pointer-dereference-on-error.patch cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch fbcon-prevent-that-screen-size-is-smaller-than-font-size.patch fbmem-check-virtual-screen-sizes-in-fb_set_var.patch media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch memcg-enable-accounting-of-ipc-resources.patch net-rds-fix-possible-deadlock-in-rds_message_put.patch --- diff --git a/queue-4.19/ata-libata-core-fix-null-pointer-dereference-on-error.patch b/queue-4.19/ata-libata-core-fix-null-pointer-dereference-on-error.patch new file mode 100644 index 00000000000..0a8ae63484d --- /dev/null +++ b/queue-4.19/ata-libata-core-fix-null-pointer-dereference-on-error.patch @@ -0,0 +1,73 @@ +From 5d92c7c566dc76d96e0e19e481d926bbe6631c1e Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Sat, 29 Jun 2024 14:42:11 +0200 +Subject: ata: libata-core: Fix null pointer dereference on error + +From: Niklas Cassel + +commit 5d92c7c566dc76d96e0e19e481d926bbe6631c1e upstream. + +If the ata_port_alloc() call in ata_host_alloc() fails, +ata_host_release() will get called. + +However, the code in ata_host_release() tries to free ata_port struct +members unconditionally, which can lead to the following: + +BUG: unable to handle page fault for address: 0000000000003990 +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI +CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 +RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata] +Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41 +RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246 +RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0 +RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68 +R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004 +R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006 +FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0 +PKRU: 55555554 +Call Trace: + + ? __die_body.cold+0x19/0x27 + ? page_fault_oops+0x15a/0x2f0 + ? exc_page_fault+0x7e/0x180 + ? asm_exc_page_fault+0x26/0x30 + ? ata_host_release.cold+0x2f/0x6e [libata] + ? ata_host_release.cold+0x2f/0x6e [libata] + release_nodes+0x35/0xb0 + devres_release_group+0x113/0x140 + ata_host_alloc+0xed/0x120 [libata] + ata_host_alloc_pinfo+0x14/0xa0 [libata] + ahci_init_one+0x6c9/0xd20 [ahci] + +Do not access ata_port struct members unconditionally. + +Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it") +Cc: stable@vger.kernel.org +Reviewed-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: John Garry +Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Oleksandr Tymoshenko +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -6159,6 +6159,9 @@ static void ata_host_release(struct kref + for (i = 0; i < host->n_ports; i++) { + struct ata_port *ap = host->ports[i]; + ++ if (!ap) ++ continue; ++ + kfree(ap->pmp_link); + kfree(ap->slave_link); + kfree(ap); diff --git a/queue-4.19/cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch b/queue-4.19/cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch new file mode 100644 index 00000000000..f4b70722ef2 --- /dev/null +++ b/queue-4.19/cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch @@ -0,0 +1,92 @@ +From 1be59c97c83ccd67a519d8a49486b3a8a73ca28a Mon Sep 17 00:00:00 2001 +From: Chen Ridong +Date: Fri, 28 Jun 2024 01:36:04 +0000 +Subject: cgroup/cpuset: Prevent UAF in proc_cpuset_show() + +From: Chen Ridong + +commit 1be59c97c83ccd67a519d8a49486b3a8a73ca28a upstream. + +An UAF can happen when /proc/cpuset is read as reported in [1]. + +This can be reproduced by the following methods: +1.add an mdelay(1000) before acquiring the cgroup_lock In the + cgroup_path_ns function. +2.$cat /proc//cpuset repeatly. +3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/ +$umount /sys/fs/cgroup/cpuset/ repeatly. + +The race that cause this bug can be shown as below: + +(umount) | (cat /proc//cpuset) +css_release | proc_cpuset_show +css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id); +css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...); +cgroup_destroy_root | mutex_lock(&cgroup_mutex); +rebind_subsystems | +cgroup_free_root | + | // cgrp was freed, UAF + | cgroup_path_ns_locked(cgrp,..); + +When the cpuset is initialized, the root node top_cpuset.css.cgrp +will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will +allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated +&cgroup_root.cgrp. When the umount operation is executed, +top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp. + +The problem is that when rebinding to cgrp_dfl_root, there are cases +where the cgroup_root allocated by setting up the root for cgroup v1 +is cached. This could lead to a Use-After-Free (UAF) if it is +subsequently freed. The descendant cgroups of cgroup v1 can only be +freed after the css is released. However, the css of the root will never +be released, yet the cgroup_root should be freed when it is unmounted. +This means that obtaining a reference to the css of the root does +not guarantee that css.cgrp->root will not be freed. + +Fix this problem by using rcu_read_lock in proc_cpuset_show(). +As cgroup_root is kfree_rcu after commit d23b5c577715 +("cgroup: Make operations on the cgroup root_list RCU safe"), +css->cgroup won't be freed during the critical section. +To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to +replace task_get_css with task_css. + +[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd + +Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces") +Signed-off-by: Chen Ridong +Signed-off-by: Tejun Heo +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cpuset.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -22,6 +22,7 @@ + * distribution for more details. + */ + ++#include "cgroup-internal.h" + #include + #include + #include +@@ -2758,10 +2759,14 @@ int proc_cpuset_show(struct seq_file *m, + if (!buf) + goto out; + +- css = task_get_css(tsk, cpuset_cgrp_id); +- retval = cgroup_path_ns(css->cgroup, buf, PATH_MAX, +- current->nsproxy->cgroup_ns); +- css_put(css); ++ rcu_read_lock(); ++ spin_lock_irq(&css_set_lock); ++ css = task_css(tsk, cpuset_cgrp_id); ++ retval = cgroup_path_ns_locked(css->cgroup, buf, PATH_MAX, ++ current->nsproxy->cgroup_ns); ++ spin_unlock_irq(&css_set_lock); ++ rcu_read_unlock(); ++ + if (retval >= PATH_MAX) + retval = -ENAMETOOLONG; + if (retval < 0) diff --git a/queue-4.19/fbcon-prevent-that-screen-size-is-smaller-than-font-size.patch b/queue-4.19/fbcon-prevent-that-screen-size-is-smaller-than-font-size.patch new file mode 100644 index 00000000000..dc8d300f318 --- /dev/null +++ b/queue-4.19/fbcon-prevent-that-screen-size-is-smaller-than-font-size.patch @@ -0,0 +1,104 @@ +From stable+bounces-71527-greg=kroah.com@vger.kernel.org Thu Aug 29 18:16:01 2024 +From: hsimeliere.opensource@witekio.com +Date: Thu, 29 Aug 2024 18:14:03 +0200 +Subject: fbcon: Prevent that screen size is smaller than font size +To: stable@vger.kernel.org +Cc: Helge Deller , Geert Uytterhoeven , Hugo SIMELIERE +Message-ID: <20240829161419.17800-2-hsimeliere.opensource@witekio.com> + +From: Helge Deller + +commit e64242caef18b4a5840b0e7a9bff37abd4f4f933 upstream. + +We need to prevent that users configure a screen size which is smaller than the +currently selected font size. Otherwise rendering chars on the screen will +access memory outside the graphics memory region. + +This patch adds a new function fbcon_modechange_possible() which +implements this check and which later may be extended with other checks +if necessary. The new function is called from the FBIOPUT_VSCREENINFO +ioctl handler in fbmem.c, which will return -EINVAL if userspace asked +for a too small screen size. + +Signed-off-by: Helge Deller +Reviewed-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Hugo SIMELIERE +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++ + drivers/video/fbdev/core/fbmem.c | 9 ++++++--- + include/linux/fbcon.h | 4 ++++ + 3 files changed, 38 insertions(+), 3 deletions(-) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -2734,6 +2734,34 @@ static void fbcon_set_all_vcs(struct fb_ + fbcon_modechanged(info); + } + ++/* let fbcon check if it supports a new screen resolution */ ++int fbcon_modechange_possible(struct fb_info *info, struct fb_var_screeninfo *var) ++{ ++ struct fbcon_ops *ops = info->fbcon_par; ++ struct vc_data *vc; ++ unsigned int i; ++ ++ WARN_CONSOLE_UNLOCKED(); ++ ++ if (!ops) ++ return 0; ++ ++ /* prevent setting a screen size which is smaller than font size */ ++ for (i = first_fb_vc; i <= last_fb_vc; i++) { ++ vc = vc_cons[i].d; ++ if (!vc || vc->vc_mode != KD_TEXT || ++ registered_fb[con2fb_map[i]] != info) ++ continue; ++ ++ if (vc->vc_font.width > FBCON_SWAP(var->rotate, var->xres, var->yres) || ++ vc->vc_font.height > FBCON_SWAP(var->rotate, var->yres, var->xres)) ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++EXPORT_SYMBOL_GPL(fbcon_modechange_possible); ++ + static int fbcon_mode_deleted(struct fb_info *info, + struct fb_videomode *mode) + { +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1121,9 +1121,12 @@ static long do_fb_ioctl(struct fb_info * + console_unlock(); + return -ENODEV; + } +- info->flags |= FBINFO_MISC_USEREVENT; +- ret = fb_set_var(info, &var); +- info->flags &= ~FBINFO_MISC_USEREVENT; ++ ret = fbcon_modechange_possible(info, &var); ++ if (!ret) { ++ info->flags |= FBINFO_MISC_USEREVENT; ++ ret = fb_set_var(info, &var); ++ info->flags &= ~FBINFO_MISC_USEREVENT; ++ } + unlock_fb_info(info); + console_unlock(); + if (!ret && copy_to_user(argp, &var, sizeof(var))) +--- a/include/linux/fbcon.h ++++ b/include/linux/fbcon.h +@@ -4,9 +4,13 @@ + #ifdef CONFIG_FRAMEBUFFER_CONSOLE + void __init fb_console_init(void); + void __exit fb_console_exit(void); ++int fbcon_modechange_possible(struct fb_info *info, ++ struct fb_var_screeninfo *var); + #else + static inline void fb_console_init(void) {} + static inline void fb_console_exit(void) {} ++static inline int fbcon_modechange_possible(struct fb_info *info, ++ struct fb_var_screeninfo *var) { return 0; } + #endif + + #endif /* _LINUX_FBCON_H */ diff --git a/queue-4.19/fbmem-check-virtual-screen-sizes-in-fb_set_var.patch b/queue-4.19/fbmem-check-virtual-screen-sizes-in-fb_set_var.patch new file mode 100644 index 00000000000..844e7f17bf5 --- /dev/null +++ b/queue-4.19/fbmem-check-virtual-screen-sizes-in-fb_set_var.patch @@ -0,0 +1,45 @@ +From stable+bounces-71526-greg=kroah.com@vger.kernel.org Thu Aug 29 18:16:02 2024 +From: hsimeliere.opensource@witekio.com +Date: Thu, 29 Aug 2024 18:14:04 +0200 +Subject: fbmem: Check virtual screen sizes in fb_set_var() +To: stable@vger.kernel.org +Cc: Helge Deller , Geert Uytterhoeven , Hugo SIMELIERE +Message-ID: <20240829161419.17800-3-hsimeliere.opensource@witekio.com> + +From: Helge Deller + +commit 6c11df58fd1ac0aefcb3b227f72769272b939e56 upstream. + +Verify that the fbdev or drm driver correctly adjusted the virtual +screen sizes. On failure report the failing driver and reject the screen +size change. + +Signed-off-by: Helge Deller +Reviewed-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Hugo SIMELIERE +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbmem.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1006,6 +1006,17 @@ fb_set_var(struct fb_info *info, struct + if (ret) + goto done; + ++ /* verify that virtual resolution >= physical resolution */ ++ if (var->xres_virtual < var->xres || ++ var->yres_virtual < var->yres) { ++ pr_warn("WARNING: fbcon: Driver '%s' missed to adjust virtual screen size (%ux%u vs. %ux%u)\n", ++ info->fix.id, ++ var->xres_virtual, var->yres_virtual, ++ var->xres, var->yres); ++ ret = -EINVAL; ++ goto done; ++ } ++ + if ((var->activate & FB_ACTIVATE_MASK) == FB_ACTIVATE_NOW) { + struct fb_var_screeninfo old_var; + struct fb_videomode mode; diff --git a/queue-4.19/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch b/queue-4.19/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch new file mode 100644 index 00000000000..9708c91fce8 --- /dev/null +++ b/queue-4.19/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch @@ -0,0 +1,137 @@ +From 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 10 Jun 2024 19:17:49 +0000 +Subject: media: uvcvideo: Fix integer overflow calculating timestamp + +From: Ricardo Ribalda + +commit 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 upstream. + +The function uvc_video_clock_update() supports a single SOF overflow. Or +in other words, the maximum difference between the first ant the last +timestamp can be 4096 ticks or 4.096 seconds. + +This results in a maximum value for y2 of: 0x12FBECA00, that overflows +32bits. +y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; + +Extend the size of y2 to u64 to support all its values. + +Without this patch: + # yavta -s 1920x1080 -f YUYV -t 1/5 -c /dev/video0 +Device /dev/v4l/by-id/usb-Shine-Optics_Integrated_Camera_0001-video-index0 opened. +Device `Integrated Camera: Integrated C' on `usb-0000:00:14.0-6' (driver 'uvcvideo') supports video, capture, without mplanes. +Video format set: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200 +Video format: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200 +Current frame rate: 1/5 +Setting frame rate to: 1/5 +Frame rate set: 1/5 +8 buffers requested. +length: 4147200 offset: 0 timestamp type/source: mono/SoE +Buffer 0/0 mapped at address 0x7947ea94c000. +length: 4147200 offset: 4149248 timestamp type/source: mono/SoE +Buffer 1/0 mapped at address 0x7947ea557000. +length: 4147200 offset: 8298496 timestamp type/source: mono/SoE +Buffer 2/0 mapped at address 0x7947ea162000. +length: 4147200 offset: 12447744 timestamp type/source: mono/SoE +Buffer 3/0 mapped at address 0x7947e9d6d000. +length: 4147200 offset: 16596992 timestamp type/source: mono/SoE +Buffer 4/0 mapped at address 0x7947e9978000. +length: 4147200 offset: 20746240 timestamp type/source: mono/SoE +Buffer 5/0 mapped at address 0x7947e9583000. +length: 4147200 offset: 24895488 timestamp type/source: mono/SoE +Buffer 6/0 mapped at address 0x7947e918e000. +length: 4147200 offset: 29044736 timestamp type/source: mono/SoE +Buffer 7/0 mapped at address 0x7947e8d99000. +0 (0) [-] none 0 4147200 B 507.554210 508.874282 242.836 fps ts mono/SoE +1 (1) [-] none 2 4147200 B 508.886298 509.074289 0.751 fps ts mono/SoE +2 (2) [-] none 3 4147200 B 509.076362 509.274307 5.261 fps ts mono/SoE +3 (3) [-] none 4 4147200 B 509.276371 509.474336 5.000 fps ts mono/SoE +4 (4) [-] none 5 4147200 B 509.476394 509.674394 4.999 fps ts mono/SoE +5 (5) [-] none 6 4147200 B 509.676506 509.874345 4.997 fps ts mono/SoE +6 (6) [-] none 7 4147200 B 509.876430 510.074370 5.002 fps ts mono/SoE +7 (7) [-] none 8 4147200 B 510.076434 510.274365 5.000 fps ts mono/SoE +8 (0) [-] none 9 4147200 B 510.276421 510.474333 5.000 fps ts mono/SoE +9 (1) [-] none 10 4147200 B 510.476391 510.674429 5.001 fps ts mono/SoE +10 (2) [-] none 11 4147200 B 510.676434 510.874283 4.999 fps ts mono/SoE +11 (3) [-] none 12 4147200 B 510.886264 511.074349 4.766 fps ts mono/SoE +12 (4) [-] none 13 4147200 B 511.070577 511.274304 5.426 fps ts mono/SoE +13 (5) [-] none 14 4147200 B 511.286249 511.474301 4.637 fps ts mono/SoE +14 (6) [-] none 15 4147200 B 511.470542 511.674251 5.426 fps ts mono/SoE +15 (7) [-] none 16 4147200 B 511.672651 511.874337 4.948 fps ts mono/SoE +16 (0) [-] none 17 4147200 B 511.873988 512.074462 4.967 fps ts mono/SoE +17 (1) [-] none 18 4147200 B 512.075982 512.278296 4.951 fps ts mono/SoE +18 (2) [-] none 19 4147200 B 512.282631 512.482423 4.839 fps ts mono/SoE +19 (3) [-] none 20 4147200 B 518.986637 512.686333 0.149 fps ts mono/SoE +20 (4) [-] none 21 4147200 B 518.342709 512.886386 -1.553 fps ts mono/SoE +21 (5) [-] none 22 4147200 B 517.909812 513.090360 -2.310 fps ts mono/SoE +22 (6) [-] none 23 4147200 B 517.590775 513.294454 -3.134 fps ts mono/SoE +23 (7) [-] none 24 4147200 B 513.298465 513.494335 -0.233 fps ts mono/SoE +24 (0) [-] none 25 4147200 B 513.510273 513.698375 4.721 fps ts mono/SoE +25 (1) [-] none 26 4147200 B 513.698904 513.902327 5.301 fps ts mono/SoE +26 (2) [-] none 27 4147200 B 513.895971 514.102348 5.074 fps ts mono/SoE +27 (3) [-] none 28 4147200 B 514.099091 514.306337 4.923 fps ts mono/SoE +28 (4) [-] none 29 4147200 B 514.310348 514.510567 4.734 fps ts mono/SoE +29 (5) [-] none 30 4147200 B 514.509295 514.710367 5.026 fps ts mono/SoE +30 (6) [-] none 31 4147200 B 521.532513 514.914398 0.142 fps ts mono/SoE +31 (7) [-] none 32 4147200 B 520.885277 515.118385 -1.545 fps ts mono/SoE +32 (0) [-] none 33 4147200 B 520.411140 515.318336 -2.109 fps ts mono/SoE +33 (1) [-] none 34 4147200 B 515.325425 515.522278 -0.197 fps ts mono/SoE +34 (2) [-] none 35 4147200 B 515.538276 515.726423 4.698 fps ts mono/SoE +35 (3) [-] none 36 4147200 B 515.720767 515.930373 5.480 fps ts mono/SoE + +Cc: stable@vger.kernel.org +Fixes: 66847ef013cc ("[media] uvcvideo: Add UVC timestamps support") +Signed-off-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20240610-hwtimestamp-followup-v1-2-f9eaed7be7f0@chromium.org +Signed-off-by: Laurent Pinchart +Signed-off-by: Ricardo Ribalda +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_video.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -728,11 +728,11 @@ void uvc_video_clock_update(struct uvc_s + unsigned long flags; + u64 timestamp; + u32 delta_stc; +- u32 y1, y2; ++ u32 y1; + u32 x1, x2; + u32 mean; + u32 sof; +- u64 y; ++ u64 y, y2; + + if (!uvc_hw_timestamps_param) + return; +@@ -772,7 +772,7 @@ void uvc_video_clock_update(struct uvc_s + sof = y; + + uvc_trace(UVC_TRACE_CLOCK, "%s: PTS %u y %llu.%06llu SOF %u.%06llu " +- "(x1 %u x2 %u y1 %u y2 %u SOF offset %u)\n", ++ "(x1 %u x2 %u y1 %u y2 %llu SOF offset %u)\n", + stream->dev->name, buf->pts, + y >> 16, div_u64((y & 0xffff) * 1000000, 65536), + sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536), +@@ -787,7 +787,7 @@ void uvc_video_clock_update(struct uvc_s + goto done; + + y1 = NSEC_PER_SEC; +- y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; ++ y2 = ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; + + /* Interpolated and host SOF timestamps can wrap around at slightly + * different times. Handle this by adding or removing 2048 to or from +@@ -807,7 +807,7 @@ void uvc_video_clock_update(struct uvc_s + timestamp = ktime_to_ns(first->host_time) + y - y1; + + uvc_trace(UVC_TRACE_CLOCK, "%s: SOF %u.%06llu y %llu ts %llu " +- "buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %u)\n", ++ "buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %llu)\n", + stream->dev->name, + sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536), + y, timestamp, vbuf->vb2_buf.timestamp, diff --git a/queue-4.19/memcg-enable-accounting-of-ipc-resources.patch b/queue-4.19/memcg-enable-accounting-of-ipc-resources.patch new file mode 100644 index 00000000000..cdad406c0ee --- /dev/null +++ b/queue-4.19/memcg-enable-accounting-of-ipc-resources.patch @@ -0,0 +1,119 @@ +From 18319498fdd4cdf8c1c2c48cd432863b1f915d6f Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Thu, 2 Sep 2021 14:55:31 -0700 +Subject: memcg: enable accounting of ipc resources + +From: Vasily Averin + +commit 18319498fdd4cdf8c1c2c48cd432863b1f915d6f upstream. + +When user creates IPC objects it forces kernel to allocate memory for +these long-living objects. + +It makes sense to account them to restrict the host's memory consumption +from inside the memcg-limited container. + +This patch enables accounting for IPC shared memory segments, messages +semaphores and semaphore's undo lists. + +Link: https://lkml.kernel.org/r/d6507b06-4df6-78f8-6c54-3ae86e3b5339@virtuozzo.com +Signed-off-by: Vasily Averin +Reviewed-by: Shakeel Butt +Cc: Alexander Viro +Cc: Alexey Dobriyan +Cc: Andrei Vagin +Cc: Borislav Petkov +Cc: Borislav Petkov +Cc: Christian Brauner +Cc: Dmitry Safonov <0x7f454c46@gmail.com> +Cc: "Eric W. Biederman" +Cc: Greg Kroah-Hartman +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: "J. Bruce Fields" +Cc: Jeff Layton +Cc: Jens Axboe +Cc: Jiri Slaby +Cc: Johannes Weiner +Cc: Kirill Tkhai +Cc: Michal Hocko +Cc: Oleg Nesterov +Cc: Roman Gushchin +Cc: Serge Hallyn +Cc: Tejun Heo +Cc: Thomas Gleixner +Cc: Vladimir Davydov +Cc: Yutian Yang +Cc: Zefan Li +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Hugo SIMELIERE +Signed-off-by: Greg Kroah-Hartman +--- + ipc/msg.c | 2 +- + ipc/sem.c | 10 ++++++---- + ipc/shm.c | 2 +- + 3 files changed, 8 insertions(+), 6 deletions(-) + +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -137,7 +137,7 @@ static int newque(struct ipc_namespace * + key_t key = params->key; + int msgflg = params->flg; + +- msq = kvmalloc(sizeof(*msq), GFP_KERNEL); ++ msq = kvmalloc(sizeof(*msq), GFP_KERNEL_ACCOUNT); + if (unlikely(!msq)) + return -ENOMEM; + +--- a/ipc/sem.c ++++ b/ipc/sem.c +@@ -494,7 +494,7 @@ static struct sem_array *sem_alloc(size_ + return NULL; + + size = sizeof(*sma) + nsems * sizeof(sma->sems[0]); +- sma = kvmalloc(size, GFP_KERNEL); ++ sma = kvmalloc(size, GFP_KERNEL_ACCOUNT); + if (unlikely(!sma)) + return NULL; + +@@ -1813,7 +1813,7 @@ static inline int get_undo_list(struct s + + undo_list = current->sysvsem.undo_list; + if (!undo_list) { +- undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL); ++ undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL_ACCOUNT); + if (undo_list == NULL) + return -ENOMEM; + spin_lock_init(&undo_list->lock); +@@ -1897,7 +1897,8 @@ static struct sem_undo *find_alloc_undo( + rcu_read_unlock(); + + /* step 2: allocate new undo structure */ +- new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL); ++ new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, ++ GFP_KERNEL_ACCOUNT); + if (!new) { + ipc_rcu_putref(&sma->sem_perm, sem_rcu_free); + return ERR_PTR(-ENOMEM); +@@ -1961,7 +1962,8 @@ static long do_semtimedop(int semid, str + if (nsops > ns->sc_semopm) + return -E2BIG; + if (nsops > SEMOPM_FAST) { +- sops = kvmalloc_array(nsops, sizeof(*sops), GFP_KERNEL); ++ sops = kvmalloc_array(nsops, sizeof(*sops), ++ GFP_KERNEL_ACCOUNT); + if (sops == NULL) + return -ENOMEM; + } +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -711,7 +711,7 @@ static int newseg(struct ipc_namespace * + ns->shm_tot + numpages > ns->shm_ctlall) + return -ENOSPC; + +- shp = kvmalloc(sizeof(*shp), GFP_KERNEL); ++ shp = kvmalloc(sizeof(*shp), GFP_KERNEL_ACCOUNT); + if (unlikely(!shp)) + return -ENOMEM; + diff --git a/queue-4.19/net-rds-fix-possible-deadlock-in-rds_message_put.patch b/queue-4.19/net-rds-fix-possible-deadlock-in-rds_message_put.patch new file mode 100644 index 00000000000..205e23cf866 --- /dev/null +++ b/queue-4.19/net-rds-fix-possible-deadlock-in-rds_message_put.patch @@ -0,0 +1,79 @@ +From f1acf1ac84d2ae97b7889b87223c1064df850069 Mon Sep 17 00:00:00 2001 +From: Allison Henderson +Date: Thu, 8 Feb 2024 19:28:54 -0700 +Subject: net:rds: Fix possible deadlock in rds_message_put + +From: Allison Henderson + +commit f1acf1ac84d2ae97b7889b87223c1064df850069 upstream. + +Functions rds_still_queued and rds_clear_recv_queue lock a given socket +in order to safely iterate over the incoming rds messages. However +calling rds_inc_put while under this lock creates a potential deadlock. +rds_inc_put may eventually call rds_message_purge, which will lock +m_rs_lock. This is the incorrect locking order since m_rs_lock is +meant to be locked before the socket. To fix this, we move the message +item to a local list or variable that wont need rs_recv_lock protection. +Then we can safely call rds_inc_put on any item stored locally after +rs_recv_lock is released. + +Fixes: bdbe6fbc6a2f ("RDS: recv.c") +Reported-by: syzbot+f9db6ff27b9bfdcfeca0@syzkaller.appspotmail.com +Reported-by: syzbot+dcd73ff9291e6d34b3ab@syzkaller.appspotmail.com +Signed-off-by: Allison Henderson +Link: https://lore.kernel.org/r/20240209022854.200292-1-allison.henderson@oracle.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/recv.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -429,6 +429,7 @@ static int rds_still_queued(struct rds_s + struct sock *sk = rds_rs_to_sk(rs); + int ret = 0; + unsigned long flags; ++ struct rds_incoming *to_drop = NULL; + + write_lock_irqsave(&rs->rs_recv_lock, flags); + if (!list_empty(&inc->i_item)) { +@@ -439,11 +440,14 @@ static int rds_still_queued(struct rds_s + -be32_to_cpu(inc->i_hdr.h_len), + inc->i_hdr.h_dport); + list_del_init(&inc->i_item); +- rds_inc_put(inc); ++ to_drop = inc; + } + } + write_unlock_irqrestore(&rs->rs_recv_lock, flags); + ++ if (to_drop) ++ rds_inc_put(to_drop); ++ + rdsdebug("inc %p rs %p still %d dropped %d\n", inc, rs, ret, drop); + return ret; + } +@@ -752,16 +756,21 @@ void rds_clear_recv_queue(struct rds_soc + struct sock *sk = rds_rs_to_sk(rs); + struct rds_incoming *inc, *tmp; + unsigned long flags; ++ LIST_HEAD(to_drop); + + write_lock_irqsave(&rs->rs_recv_lock, flags); + list_for_each_entry_safe(inc, tmp, &rs->rs_recv_queue, i_item) { + rds_recv_rcvbuf_delta(rs, sk, inc->i_conn->c_lcong, + -be32_to_cpu(inc->i_hdr.h_len), + inc->i_hdr.h_dport); ++ list_move(&inc->i_item, &to_drop); ++ } ++ write_unlock_irqrestore(&rs->rs_recv_lock, flags); ++ ++ list_for_each_entry_safe(inc, tmp, &to_drop, i_item) { + list_del_init(&inc->i_item); + rds_inc_put(inc); + } +- write_unlock_irqrestore(&rs->rs_recv_lock, flags); + } + + /* diff --git a/queue-4.19/series b/queue-4.19/series index 073a53349dc..0e5e1726325 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -76,3 +76,10 @@ wifi-mwifiex-duplicate-static-structs-used-in-driver-instances.patch dm-suspend-return-erestartsys-instead-of-eintr.patch scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch filelock-correct-the-filelock-owner-in-fcntl_setlk-fcntl_setlk64.patch +media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch +ata-libata-core-fix-null-pointer-dereference-on-error.patch +cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch +memcg-enable-accounting-of-ipc-resources.patch +fbcon-prevent-that-screen-size-is-smaller-than-font-size.patch +fbmem-check-virtual-screen-sizes-in-fb_set_var.patch +net-rds-fix-possible-deadlock-in-rds_message_put.patch