From: Greg Kroah-Hartman Date: Sun, 3 Dec 2023 13:58:27 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.14.332~30 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c0a0407f09c6a1ca85b7dae2c17b773ed8fb69af;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: bcache-revert-replacing-is_err_or_null-with-is_err.patch btrfs-add-dmesg-output-for-first-mount-and-last-unmount-of-a-filesystem.patch btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch btrfs-make-error-messages-more-clear-when-getting-a-chunk-map.patch btrfs-ref-verify-fix-memory-leaks-in-btrfs_ref_tree_mod.patch btrfs-send-ensure-send_fd-is-writable.patch input-xpad-add-hyperx-clutch-gladiate-support.patch iommu-vt-d-add-mtl-to-quirk-list-to-skip-te-disabling.patch parisc-drop-the-hp-ux-enosym-and-eremoterelease-error-codes.patch powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch rcu-avoid-tracing-a-few-functions-executed-in-stop-machine.patch vlan-introduce-vlan_dev_free_egress_priority.patch vlan-move-dev_put-into-vlan_dev_uninit.patch --- diff --git a/queue-5.15/bcache-revert-replacing-is_err_or_null-with-is_err.patch b/queue-5.15/bcache-revert-replacing-is_err_or_null-with-is_err.patch new file mode 100644 index 00000000000..ac6eb7ee753 --- /dev/null +++ b/queue-5.15/bcache-revert-replacing-is_err_or_null-with-is_err.patch 
@@ -0,0 +1,72 @@ +From bb6cc253861bd5a7cf8439e2118659696df9619f Mon Sep 17 00:00:00 2001 +From: Markus Weippert +Date: Fri, 24 Nov 2023 16:14:37 +0100 +Subject: bcache: revert replacing IS_ERR_OR_NULL with IS_ERR + +From: Markus Weippert + +commit bb6cc253861bd5a7cf8439e2118659696df9619f upstream. + +Commit 028ddcac477b ("bcache: Remove unnecessary NULL point check in +node allocations") replaced IS_ERR_OR_NULL by IS_ERR. This leads to a +NULL pointer dereference. + +BUG: kernel NULL pointer dereference, address: 0000000000000080 +Call Trace: + ? __die_body.cold+0x1a/0x1f + ? page_fault_oops+0xd2/0x2b0 + ? exc_page_fault+0x70/0x170 + ? asm_exc_page_fault+0x22/0x30 + ? btree_node_free+0xf/0x160 [bcache] + ? up_write+0x32/0x60 + btree_gc_coalesce+0x2aa/0x890 [bcache] + ? bch_extent_bad+0x70/0x170 [bcache] + btree_gc_recurse+0x130/0x390 [bcache] + ? btree_gc_mark_node+0x72/0x230 [bcache] + bch_btree_gc+0x5da/0x600 [bcache] + ? cpuusage_read+0x10/0x10 + ? bch_btree_gc+0x600/0x600 [bcache] + bch_gc_thread+0x135/0x180 [bcache] + +The relevant code starts with: + + new_nodes[0] = NULL; + + for (i = 0; i < nodes; i++) { + if (__bch_keylist_realloc(&keylist, bkey_u64s(&r[i].b->key))) + goto out_nocoalesce; + // ... +out_nocoalesce: + // ... + for (i = 0; i < nodes; i++) + if (!IS_ERR(new_nodes[i])) { // IS_ERR_OR_NULL before +028ddcac477b + btree_node_free(new_nodes[i]); // new_nodes[0] is NULL + rw_unlock(true, new_nodes[i]); + } + +This patch replaces IS_ERR() by IS_ERR_OR_NULL() to fix this. 
+
+Fixes: 028ddcac477b ("bcache: Remove unnecessary NULL point check in node allocations")
+Link: https://lore.kernel.org/all/3DF4A87A-2AC1-4893-AE5F-E921478419A9@suse.de/
+Cc: stable@vger.kernel.org
+Cc: Zheng Wang
+Cc: Coly Li
+Signed-off-by: Markus Weippert
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/bcache/btree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1489,7 +1489,7 @@ out_nocoalesce:
+ bch_keylist_free(&keylist);
+
+ for (i = 0; i < nodes; i++)
+- if (!IS_ERR(new_nodes[i])) {
++ if (!IS_ERR_OR_NULL(new_nodes[i])) {
+ btree_node_free(new_nodes[i]);
+ rw_unlock(true, new_nodes[i]);
+ }
diff --git a/queue-5.15/btrfs-add-dmesg-output-for-first-mount-and-last-unmount-of-a-filesystem.patch b/queue-5.15/btrfs-add-dmesg-output-for-first-mount-and-last-unmount-of-a-filesystem.patch
new file mode 100644
index 00000000000..78b67008d68
--- /dev/null
+++ b/queue-5.15/btrfs-add-dmesg-output-for-first-mount-and-last-unmount-of-a-filesystem.patch
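Review bot: The restored `IS_ERR_OR_NULL()` guard in the `out_nocoalesce` cleanup loop of drivers/md/bcache/btree.c has no comment saying why NULL is a legal value there, which is how the earlier cleanup came to drop it. The commit message shows `new_nodes[0] = NULL;` followed by a `goto out_nocoalesce` that can be taken before any node is allocated, so I would add above the loop `/* new_nodes[] slots may still be NULL if we bail out before allocating them */`. The enclosing function starts and ends outside the hunk, so how the remaining slots are initialised cannot be confirmed from here.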
@@ -0,0 +1,74 @@ +From 2db313205f8b96eea467691917138d646bb50aef Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Thu, 2 Nov 2023 07:54:50 +1030 +Subject: btrfs: add dmesg output for first mount and last unmount of a filesystem + +From: Qu Wenruo + +commit 2db313205f8b96eea467691917138d646bb50aef upstream. + +There is a feature request to add dmesg output when unmounting a btrfs. +There are several alternative methods to do the same thing, but with +their own problems: + +- Use eBPF to watch btrfs_put_super()/open_ctree() + Not end user friendly, they have to dip their head into the source + code. + +- Watch for directory /sys/fs// + This is way more simple, but still requires some simple device -> uuid + lookups. And a script needs to use inotify to watch /sys/fs/. + +Compared to all these, directly outputting the information into dmesg +would be the most simple one, with both device and UUID included. + +And since we're here, also add the output when mounting a filesystem for +the first time for parity. A more fine grained monitoring of subvolume +mounts should be done by another layer, like audit. 
+ +Now mounting a btrfs with all default mkfs options would look like this: + + [81.906566] BTRFS info (device dm-8): first mount of filesystem 633b5c16-afe3-4b79-b195-138fe145e4f2 + [81.907494] BTRFS info (device dm-8): using crc32c (crc32c-intel) checksum algorithm + [81.908258] BTRFS info (device dm-8): using free space tree + [81.912644] BTRFS info (device dm-8): auto enabling async discard + [81.913277] BTRFS info (device dm-8): checking UUID tree + [91.668256] BTRFS info (device dm-8): last unmount of filesystem 633b5c16-afe3-4b79-b195-138fe145e4f2 + +CC: stable@vger.kernel.org # 5.4+ +Link: https://github.com/kdave/btrfs-progs/issues/689 +Reviewed-by: Anand Jain +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +[ update changelog ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 1 + + fs/btrfs/super.c | 5 ++++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3204,6 +3204,7 @@ int __cold open_ctree(struct super_block + goto fail_alloc; + } + ++ btrfs_info(fs_info, "first mount of filesystem %pU", disk_super->fsid); + /* + * Verify the type first, if that or the checksum value are + * corrupted, we'll find out +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -337,7 +337,10 @@ void __btrfs_panic(struct btrfs_fs_info + + static void btrfs_put_super(struct super_block *sb) + { +- close_ctree(btrfs_sb(sb)); ++ struct btrfs_fs_info *fs_info = btrfs_sb(sb); ++ ++ btrfs_info(fs_info, "last unmount of filesystem %pU", fs_info->fs_devices->fsid); ++ close_ctree(fs_info); + } + + enum { diff --git a/queue-5.15/btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch b/queue-5.15/btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch new file mode 100644 index 00000000000..0f267e962da --- /dev/null +++ b/queue-5.15/btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch 
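Review bot: In open_ctree() the new `btrfs_info(fs_info, "first mount of filesystem %pU", disk_super->fsid)` is emitted before the superblock type and checksum are verified (the context comment directly below it says corruption is found out afterwards), so the kernel log can record a "first mount" with an fsid taken from an unverified superblock, including for a mount that then fails. Anything that keys on this message for auditing should treat it as a mount attempt rather than a successful mount; moving the call below the verification would make the message trustworthy, though that would diverge from the upstream commit being backported. In btrfs_put_super() the new line dereferences `fs_info->fs_devices` before close_ctree(); that looks safe at unmount, but the hunk does not show it. Both function bodies extend outside the hunks.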
@@ -0,0 +1,43 @@ +From 5fba5a571858ce2d787fdaf55814e42725bfa895 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 21 Nov 2023 13:38:32 +0000 +Subject: btrfs: fix off-by-one when checking chunk map includes logical address + +From: Filipe Manana + +commit 5fba5a571858ce2d787fdaf55814e42725bfa895 upstream. + +At btrfs_get_chunk_map() we get the extent map for the chunk that contains +the given logical address stored in the 'logical' argument. Then we do +sanity checks to verify the extent map contains the logical address. One +of these checks verifies if the extent map covers a range with an end +offset behind the target logical address - however this check has an +off-by-one error since it will consider an extent map whose start offset +plus its length matches the target logical address as inclusive, while +the fact is that the last byte it covers is behind the target logical +address (by 1). + +So fix this condition by using '<=' rather than '<' when comparing the +extent map's "start + length" against the target logical address. + +CC: stable@vger.kernel.org # 4.14+ +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -3069,7 +3069,7 @@ struct extent_map *btrfs_get_chunk_map(s + return ERR_PTR(-EINVAL); + } + +- if (em->start > logical || em->start + em->len < logical) { ++ if (em->start > logical || em->start + em->len <= logical) { + btrfs_crit(fs_info, + "found a bad mapping, wanted %llu-%llu, found %llu-%llu", + logical, length, em->start, em->start + em->len); diff --git a/queue-5.15/btrfs-make-error-messages-more-clear-when-getting-a-chunk-map.patch b/queue-5.15/btrfs-make-error-messages-more-clear-when-getting-a-chunk-map.patch new file mode 100644 index 00000000000..44ddc266e24 --- /dev/null 
+++ b/queue-5.15/btrfs-make-error-messages-more-clear-when-getting-a-chunk-map.patch @@ -0,0 +1,50 @@ +From 7d410d5efe04e42a6cd959bfe6d59d559fdf8b25 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 21 Nov 2023 13:38:33 +0000 +Subject: btrfs: make error messages more clear when getting a chunk map + +From: Filipe Manana + +commit 7d410d5efe04e42a6cd959bfe6d59d559fdf8b25 upstream. + +When getting a chunk map, at btrfs_get_chunk_map(), we do some sanity +checks to verify we found a chunk map and that map found covers the +logical address the caller passed in. However the messages aren't very +clear in the sense that don't mention the issue is with a chunk map and +one of them prints the 'length' argument as if it were the end offset of +the requested range (while the in the string format we use %llu-%llu +which suggests a range, and the second %llu-%llu is actually a range for +the chunk map). So improve these two details in the error messages. + +CC: stable@vger.kernel.org # 5.4+ +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -3064,15 +3064,16 @@ struct extent_map *btrfs_get_chunk_map(s + read_unlock(&em_tree->lock); + + if (!em) { +- btrfs_crit(fs_info, "unable to find logical %llu length %llu", ++ btrfs_crit(fs_info, ++ "unable to find chunk map for logical %llu length %llu", + logical, length); + return ERR_PTR(-EINVAL); + } + + if (em->start > logical || em->start + em->len <= logical) { + btrfs_crit(fs_info, +- "found a bad mapping, wanted %llu-%llu, found %llu-%llu", +- logical, length, em->start, em->start + em->len); ++ "found a bad chunk map, wanted %llu-%llu, found %llu-%llu", ++ logical, logical + length, em->start, em->start + em->len); + free_extent_map(em); + return ERR_PTR(-EINVAL); + } 
diff --git a/queue-5.15/btrfs-ref-verify-fix-memory-leaks-in-btrfs_ref_tree_mod.patch b/queue-5.15/btrfs-ref-verify-fix-memory-leaks-in-btrfs_ref_tree_mod.patch
new file mode 100644
index 00000000000..195f59465ac
--- /dev/null
+++ b/queue-5.15/btrfs-ref-verify-fix-memory-leaks-in-btrfs_ref_tree_mod.patch
@@ -0,0 +1,48 @@
+From f91192cd68591c6b037da345bc9fcd5e50540358 Mon Sep 17 00:00:00 2001
+From: Bragatheswaran Manickavel
+Date: Sat, 18 Nov 2023 14:40:12 +0530
+Subject: btrfs: ref-verify: fix memory leaks in btrfs_ref_tree_mod()
+
+From: Bragatheswaran Manickavel
+
+commit f91192cd68591c6b037da345bc9fcd5e50540358 upstream.
+
+In btrfs_ref_tree_mod(), when !parent 're' was allocated through
+kmalloc(). In the following code, if an error occurs, the execution will
+be redirected to 'out' or 'out_unlock' and the function will be exited.
+However, on some of the paths, 're' are not deallocated and may lead to
+memory leaks.
+
+For example: lookup_block_entry() for 'be' returns NULL, the out label
+will be invoked. During that flow ref and 'ra' are freed but not 're',
+which can potentially lead to a memory leak.
+
+CC: stable@vger.kernel.org # 5.10+
+Reported-and-tested-by: syzbot+d66de4cbf532749df35f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=d66de4cbf532749df35f
+Signed-off-by: Bragatheswaran Manickavel
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/ref-verify.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/ref-verify.c
++++ b/fs/btrfs/ref-verify.c
+@@ -788,6 +788,7 @@ int btrfs_ref_tree_mod(struct btrfs_fs_i
+ dump_ref_action(fs_info, ra);
+ kfree(ref);
+ kfree(ra);
++ kfree(re);
+ goto out_unlock;
+ } else if (be->num_refs == 0) {
+ btrfs_err(fs_info,
+@@ -797,6 +798,7 @@ int btrfs_ref_tree_mod(struct btrfs_fs_i
+ dump_ref_action(fs_info, ra);
+ kfree(ref);
+ kfree(ra);
++ kfree(re);
+ goto out_unlock;
+ }
+
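Review bot: The two added `kfree(re);` calls in btrfs_ref_tree_mod() repeat the same cleanup sequence (`kfree(ref); kfree(ra); kfree(re);`) in adjacent error branches, which is the pattern that let the leak in. A shared label ahead of `out_unlock` that frees all three would keep the paths from drifting apart again. The fix also relies on `re` being NULL when it was not allocated (the message says it is only allocated when `!parent`) and on `re` not yet being linked into any tree at these points. Neither is visible here because the function starts and ends outside the hunks, so both should be confirmed against the 5.15 source.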
diff --git a/queue-5.15/btrfs-send-ensure-send_fd-is-writable.patch b/queue-5.15/btrfs-send-ensure-send_fd-is-writable.patch
new file mode 100644
index 00000000000..df4bf227f4b
--- /dev/null
+++ b/queue-5.15/btrfs-send-ensure-send_fd-is-writable.patch
@@ -0,0 +1,44 @@
+From 0ac1d13a55eb37d398b63e6ff6db4a09a2c9128c Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Fri, 24 Nov 2023 17:48:31 +0100
+Subject: btrfs: send: ensure send_fd is writable
+
+From: Jann Horn
+
+commit 0ac1d13a55eb37d398b63e6ff6db4a09a2c9128c upstream.
+
+kernel_write() requires the caller to ensure that the file is writable.
+Let's do that directly after looking up the ->send_fd.
+
+We don't need a separate bailout path because the "out" path already
+does fput() if ->send_filp is non-NULL.
+
+This has no security impact for two reasons:
+
+ - the ioctl requires CAP_SYS_ADMIN
+ - __kernel_write() bails out on read-only files - but only since 5.8,
+ see commit a01ac27be472 ("fs: check FMODE_WRITE in __kernel_write")
+
+Reported-and-tested-by: syzbot+12e098239d20385264d3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=12e098239d20385264d3
+Fixes: 31db9f7c23fb ("Btrfs: introduce BTRFS_IOC_SEND for btrfs send/receive")
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Jann Horn
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/send.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -7576,7 +7576,7 @@ long btrfs_ioctl_send(struct file *mnt_f
+ sctx->flags = arg->flags;
+
+ sctx->send_filp = fget(arg->send_fd);
+- if (!sctx->send_filp) {
++ if (!sctx->send_filp || !(sctx->send_filp->f_mode & FMODE_WRITE)) {
+ ret = -EBADF;
+ goto out;
+ }
diff --git a/queue-5.15/input-xpad-add-hyperx-clutch-gladiate-support.patch b/queue-5.15/input-xpad-add-hyperx-clutch-gladiate-support.patch
new file mode 100644
index 00000000000..3bdcb9e7c2a
--- /dev/null
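Review bot: The added `!(sctx->send_filp->f_mode & FMODE_WRITE)` test in btrfs_ioctl_send() carries no comment, and its correctness depends on two things stated only in the commit message: kernel_write() expects the caller to have checked writability, and the `out` path does the fput() when `->send_filp` is non-NULL. I would put `/* kernel_write() requires a writable file; "out" drops the fget() reference */` above the `if` so the early `goto out` is not mistaken for a leaked reference. The message also notes that __kernel_write() itself rejects read-only files only since 5.8, so on the older branches in the stable range this check is the only guard. The function body continues outside the hunk, so the `out` cleanup cannot be confirmed from here.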
+++ b/queue-5.15/input-xpad-add-hyperx-clutch-gladiate-support.patch @@ -0,0 +1,40 @@ +From e28a0974d749e5105d77233c0a84d35c37da047e Mon Sep 17 00:00:00 2001 +From: Max Nguyen +Date: Sun, 17 Sep 2023 22:21:53 -0700 +Subject: Input: xpad - add HyperX Clutch Gladiate Support + +From: Max Nguyen + +commit e28a0974d749e5105d77233c0a84d35c37da047e upstream. + +Add HyperX controller support to xpad_device and xpad_table. + +Suggested-by: Chris Toledanes +Reviewed-by: Carl Ng +Signed-off-by: Max Nguyen +Reviewed-by: Rahul Rameshbabu +Link: https://lore.kernel.org/r/20230906231514.4291-1-hphyperxdev@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/xpad.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -120,6 +120,7 @@ static const struct xpad_device { + { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX }, + { 0x044f, 0x0f10, "Thrustmaster Modena GT Wheel", 0, XTYPE_XBOX }, + { 0x044f, 0xb326, "Thrustmaster Gamepad GP XID", 0, XTYPE_XBOX360 }, ++ { 0x03f0, 0x0495, "HyperX Clutch Gladiate", 0, XTYPE_XBOXONE }, + { 0x045e, 0x0202, "Microsoft X-Box pad v1 (US)", 0, XTYPE_XBOX }, + { 0x045e, 0x0285, "Microsoft X-Box pad (Japan)", 0, XTYPE_XBOX }, + { 0x045e, 0x0287, "Microsoft Xbox Controller S", 0, XTYPE_XBOX }, +@@ -434,6 +435,7 @@ static const struct usb_device_id xpad_t + XPAD_XBOX360_VENDOR(0x0079), /* GPD Win 2 Controller */ + XPAD_XBOX360_VENDOR(0x03eb), /* Wooting Keyboards (Legacy) */ + XPAD_XBOX360_VENDOR(0x044f), /* Thrustmaster X-Box 360 controllers */ ++ XPAD_XBOXONE_VENDOR(0x03f0), /* HP HyperX Xbox One Controllers */ + XPAD_XBOX360_VENDOR(0x045e), /* Microsoft X-Box 360 controllers */ + XPAD_XBOXONE_VENDOR(0x045e), /* Microsoft X-Box One controllers */ + XPAD_XBOX360_VENDOR(0x046d), /* Logitech X-Box 360 style controllers */ 
diff --git a/queue-5.15/iommu-vt-d-add-mtl-to-quirk-list-to-skip-te-disabling.patch b/queue-5.15/iommu-vt-d-add-mtl-to-quirk-list-to-skip-te-disabling.patch
new file mode 100644
index 00000000000..4bae3ea475c
--- /dev/null
+++ b/queue-5.15/iommu-vt-d-add-mtl-to-quirk-list-to-skip-te-disabling.patch
@@ -0,0 +1,45 @@
+From 85b80fdffa867d75dfb9084a839e7949e29064e8 Mon Sep 17 00:00:00 2001
+From: "Abdul Halim, Mohd Syazwan"
+Date: Wed, 22 Nov 2023 11:26:06 +0800
+Subject: iommu/vt-d: Add MTL to quirk list to skip TE disabling
+
+From: Abdul Halim, Mohd Syazwan
+
+commit 85b80fdffa867d75dfb9084a839e7949e29064e8 upstream.
+
+The VT-d spec requires (10.4.4 Global Command Register, TE field) that:
+
+Hardware implementations supporting DMA draining must drain any in-flight
+DMA read/write requests queued within the Root-Complex before switching
+address translation on or off and reflecting the status of the command
+through the TES field in the Global Status register.
+
+Unfortunately, some integrated graphic devices fail to do so after some
+kind of power state transition. As the result, the system might stuck in
+iommu_disable_translation(), waiting for the completion of TE transition.
+
+Add MTL to the quirk list for those devices and skips TE disabling if the
+qurik hits.
+
+Fixes: b1012ca8dc4f ("iommu/vt-d: Skip TE disabling on quirky gfx dedicated iommu")
+Cc: stable@vger.kernel.org
+Signed-off-by: Abdul Halim, Mohd Syazwan
+Signed-off-by: Lu Baolu
+Link: https://lore.kernel.org/r/20231116022324.30120-1-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/intel/iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -5749,7 +5749,7 @@ static void quirk_igfx_skip_te_disable(s
+ ver = (dev->device >> 8) & 0xff;
+ if (ver != 0x45 && ver != 0x46 && ver != 0x4c &&
+ ver != 0x4e && ver != 0x8a && ver != 0x98 &&
+- ver != 0x9a && ver != 0xa7)
++ ver != 0x9a && ver != 0xa7 && ver != 0x7d)
+ return;
+
+ if (risky_device(dev))
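Review bot: The new `ver != 0x7d` term in quirk_igfx_skip_te_disable() extends a chain of bare hex constants with nothing in the code tying 0x7d to MTL; only the commit subject does. A short comment such as `/* 0x7d: MTL */`, or a small table of the quirked device-ID high bytes, would make the next addition reviewable. The match is on `(dev->device >> 8) & 0xff` alone, so every device whose ID shares that high byte takes the quirk. The following `risky_device(dev)` check is visible, but its effect and the rest of the function lie outside the hunk.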
diff --git a/queue-5.15/parisc-drop-the-hp-ux-enosym-and-eremoterelease-error-codes.patch b/queue-5.15/parisc-drop-the-hp-ux-enosym-and-eremoterelease-error-codes.patch new file mode 100644 index 00000000000..f20743ecf44 --- /dev/null +++ b/queue-5.15/parisc-drop-the-hp-ux-enosym-and-eremoterelease-error-codes.patch 
@@ -0,0 +1,87 @@ +From e5f3e299a2b1e9c3ece24a38adfc089aef307e8a Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Thu, 23 Nov 2023 20:28:27 +0100 +Subject: parisc: Drop the HP-UX ENOSYM and EREMOTERELEASE error codes + +From: Helge Deller + +commit e5f3e299a2b1e9c3ece24a38adfc089aef307e8a upstream. + +Those return codes are only defined for the parisc architecture and +are leftovers from when we wanted to be HP-UX compatible. + +They are not returned by any Linux kernel syscall but do trigger +problems with the glibc strerrorname_np() and strerror() functions as +reported in glibc issue #31080. + +There is no need to keep them, so simply remove them. + +Signed-off-by: Helge Deller +Reported-by: Bruno Haible +Closes: https://sourceware.org/bugzilla/show_bug.cgi?id=31080 +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/uapi/asm/errno.h | 2 -- + lib/errname.c | 6 ------ + tools/arch/parisc/include/uapi/asm/errno.h | 2 -- + 3 files changed, 10 deletions(-) + +--- a/arch/parisc/include/uapi/asm/errno.h ++++ b/arch/parisc/include/uapi/asm/errno.h +@@ -75,7 +75,6 @@ + + /* We now return you to your regularly scheduled HPUX. 
*/ + +-#define ENOSYM 215 /* symbol does not exist in executable */ + #define ENOTSOCK 216 /* Socket operation on non-socket */ + #define EDESTADDRREQ 217 /* Destination address required */ + #define EMSGSIZE 218 /* Message too long */ +@@ -101,7 +100,6 @@ + #define ETIMEDOUT 238 /* Connection timed out */ + #define ECONNREFUSED 239 /* Connection refused */ + #define EREFUSED ECONNREFUSED /* for HP's NFS apparently */ +-#define EREMOTERELEASE 240 /* Remote peer released connection */ + #define EHOSTDOWN 241 /* Host is down */ + #define EHOSTUNREACH 242 /* No route to host */ + +--- a/lib/errname.c ++++ b/lib/errname.c +@@ -111,9 +111,6 @@ static const char *names_0[] = { + E(ENOSPC), + E(ENOSR), + E(ENOSTR), +-#ifdef ENOSYM +- E(ENOSYM), +-#endif + E(ENOSYS), + E(ENOTBLK), + E(ENOTCONN), +@@ -144,9 +141,6 @@ static const char *names_0[] = { + #endif + E(EREMOTE), + E(EREMOTEIO), +-#ifdef EREMOTERELEASE +- E(EREMOTERELEASE), +-#endif + E(ERESTART), + E(ERFKILL), + E(EROFS), +--- a/tools/arch/parisc/include/uapi/asm/errno.h ++++ b/tools/arch/parisc/include/uapi/asm/errno.h +@@ -75,7 +75,6 @@ + + /* We now return you to your regularly scheduled HPUX. */ + +-#define ENOSYM 215 /* symbol does not exist in executable */ + #define ENOTSOCK 216 /* Socket operation on non-socket */ + #define EDESTADDRREQ 217 /* Destination address required */ + #define EMSGSIZE 218 /* Message too long */ +@@ -101,7 +100,6 @@ + #define ETIMEDOUT 238 /* Connection timed out */ + #define ECONNREFUSED 239 /* Connection refused */ + #define EREFUSED ECONNREFUSED /* for HP's NFS apparently */ +-#define EREMOTERELEASE 240 /* Remote peer released connection */ + #define EHOSTDOWN 241 /* Host is down */ + #define EHOSTUNREACH 242 /* No route to host */ + diff --git a/queue-5.15/powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch b/queue-5.15/powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch new file mode 100644 index 00000000000..cc51d0f1e32 --- /dev/null 
+++ b/queue-5.15/powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch 
@@ -0,0 +1,153 @@ +From 5e1d824f9a283cbf90f25241b66d1f69adb3835b Mon Sep 17 00:00:00 2001 +From: Timothy Pearson +Date: Sun, 19 Nov 2023 09:18:02 -0600 +Subject: powerpc: Don't clobber f0/vs0 during fp|altivec register save + +From: Timothy Pearson + +commit 5e1d824f9a283cbf90f25241b66d1f69adb3835b upstream. + +During floating point and vector save to thread data f0/vs0 are +clobbered by the FPSCR/VSCR store routine. This has been obvserved to +lead to userspace register corruption and application data corruption +with io-uring. + +Fix it by restoring f0/vs0 after FPSCR/VSCR store has completed for +all the FP, altivec, VMX register save paths. + +Tested under QEMU in kvm mode, running on a Talos II workstation with +dual POWER9 DD2.2 CPUs. + +Additional detail (mpe): + +Typically save_fpu() is called from __giveup_fpu() which saves the FP +regs and also *turns off FP* in the tasks MSR, meaning the kernel will +reload the FP regs from the thread struct before letting the task use FP +again. So in that case save_fpu() is free to clobber f0 because the FP +regs no longer hold live values for the task. + +There is another case though, which is the path via: + sys_clone() + ... + copy_process() + dup_task_struct() + arch_dup_task_struct() + flush_all_to_thread() + save_all() + +That path saves the FP regs but leaves them live. That's meant as an +optimisation for a process that's using FP/VSX and then calls fork(), +leaving the regs live means the parent process doesn't have to take a +fault after the fork to get its FP regs back. The optimisation was added +in commit 8792468da5e1 ("powerpc: Add the ability to save FPU without +giving it up"). + +That path does clobber f0, but f0 is volatile across function calls, +and typically programs reach copy_process() from userspace via a syscall +wrapper function. So in normal usage f0 being clobbered across a +syscall doesn't cause visible data corruption. 
+ +But there is now a new path, because io-uring can call copy_process() +via create_io_thread() from the signal handling path. That's OK if the +signal is handled as part of syscall return, but it's not OK if the +signal is handled due to some other interrupt. + +That path is: + +interrupt_return_srr_user() + interrupt_exit_user_prepare() + interrupt_exit_user_prepare_main() + do_notify_resume() + get_signal() + task_work_run() + create_worker_cb() + create_io_worker() + copy_process() + dup_task_struct() + arch_dup_task_struct() + flush_all_to_thread() + save_all() + if (tsk->thread.regs->msr & MSR_FP) + save_fpu() + # f0 is clobbered and potentially live in userspace + +Note the above discussion applies equally to save_altivec(). + +Fixes: 8792468da5e1 ("powerpc: Add the ability to save FPU without giving it up") +Cc: stable@vger.kernel.org # v4.6+ +Closes: https://lore.kernel.org/all/480932026.45576726.1699374859845.JavaMail.zimbra@raptorengineeringinc.com/ +Closes: https://lore.kernel.org/linuxppc-dev/480221078.47953493.1700206777956.JavaMail.zimbra@raptorengineeringinc.com/ +Tested-by: Timothy Pearson +Tested-by: Jens Axboe +Signed-off-by: Timothy Pearson +[mpe: Reword change log to describe exact path of corruption & other minor tweaks] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/1921539696.48534988.1700407082933.JavaMail.zimbra@raptorengineeringinc.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/fpu.S | 13 +++++++++++++ + arch/powerpc/kernel/vector.S | 2 ++ + 2 files changed, 15 insertions(+) + +--- a/arch/powerpc/kernel/fpu.S ++++ b/arch/powerpc/kernel/fpu.S +@@ -23,6 +23,15 @@ + #include + + #ifdef CONFIG_VSX ++#define __REST_1FPVSR(n,c,base) \ ++BEGIN_FTR_SECTION \ ++ b 2f; \ ++END_FTR_SECTION_IFSET(CPU_FTR_VSX); \ ++ REST_FPR(n,base); \ ++ b 3f; \ ++2: REST_VSR(n,c,base); \ ++3: ++ + #define __REST_32FPVSRS(n,c,base) \ + BEGIN_FTR_SECTION \ + b 2f; \ +@@ -41,9 +50,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_VSX); + 2: 
SAVE_32VSRS(n,c,base); \ + 3: + #else ++#define __REST_1FPVSR(n,b,base) REST_FPR(n, base) + #define __REST_32FPVSRS(n,b,base) REST_32FPRS(n, base) + #define __SAVE_32FPVSRS(n,b,base) SAVE_32FPRS(n, base) + #endif ++#define REST_1FPVSR(n,c,base) __REST_1FPVSR(n,__REG_##c,__REG_##base) + #define REST_32FPVSRS(n,c,base) __REST_32FPVSRS(n,__REG_##c,__REG_##base) + #define SAVE_32FPVSRS(n,c,base) __SAVE_32FPVSRS(n,__REG_##c,__REG_##base) + +@@ -67,6 +78,7 @@ _GLOBAL(store_fp_state) + SAVE_32FPVSRS(0, R4, R3) + mffs fr0 + stfd fr0,FPSTATE_FPSCR(r3) ++ REST_1FPVSR(0, R4, R3) + blr + EXPORT_SYMBOL(store_fp_state) + +@@ -133,4 +145,5 @@ _GLOBAL(save_fpu) + 2: SAVE_32FPVSRS(0, R4, R6) + mffs fr0 + stfd fr0,FPSTATE_FPSCR(r6) ++ REST_1FPVSR(0, R4, R6) + blr +--- a/arch/powerpc/kernel/vector.S ++++ b/arch/powerpc/kernel/vector.S +@@ -32,6 +32,7 @@ _GLOBAL(store_vr_state) + mfvscr v0 + li r4, VRSTATE_VSCR + stvx v0, r4, r3 ++ lvx v0, 0, r3 + blr + EXPORT_SYMBOL(store_vr_state) + +@@ -104,6 +105,7 @@ _GLOBAL(save_altivec) + mfvscr v0 + li r4,VRSTATE_VSCR + stvx v0,r4,r7 ++ lvx v0,0,r7 + blr + + #ifdef CONFIG_VSX diff --git a/queue-5.15/rcu-avoid-tracing-a-few-functions-executed-in-stop-machine.patch b/queue-5.15/rcu-avoid-tracing-a-few-functions-executed-in-stop-machine.patch new file mode 100644 index 00000000000..ced1620a757 --- /dev/null +++ b/queue-5.15/rcu-avoid-tracing-a-few-functions-executed-in-stop-machine.patch 
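Review bot: The added `lvx v0,0,r3` in store_vr_state and `lvx v0,0,r7` in save_altivec reload v0 from offset 0 of the save area, which is only right if the preceding save stored v0 at that offset; the save itself is outside the hunks, so this should be checked against the vector-register save layout. In fpu.S the equivalent restore is spelled `REST_1FPVSR(0, R4, R3)`, which makes the intent obvious, whereas the vector.S lines have no comment. I would add `/* restore v0, clobbered by mfvscr above; the regs may stay live */` next to each `lvx`. In the non-VSX branch the new `__REST_1FPVSR(n,b,base)` ignores its second argument, which matches the neighbouring macros.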
@@ -0,0 +1,118 @@ +From 48f8070f5dd8e13148ae4647780a452d53c457a2 Mon Sep 17 00:00:00 2001 +From: Patrick Wang +Date: Tue, 26 Apr 2022 18:45:02 +0800 +Subject: rcu: Avoid tracing a few functions executed in stop machine + +From: Patrick Wang + +commit 48f8070f5dd8e13148ae4647780a452d53c457a2 upstream. + +Stop-machine recently started calling additional functions while waiting: + +---------------------------------------------------------------- +Former stop machine wait loop: +do { + cpu_relax(); => macro + ... +} while (curstate != STOPMACHINE_EXIT); +----------------------------------------------------------------- +Current stop machine wait loop: +do { + stop_machine_yield(cpumask); => function (notraced) + ... + touch_nmi_watchdog(); => function (notraced, inside calls also notraced) + ... + rcu_momentary_dyntick_idle(); => function (notraced, inside calls traced) +} while (curstate != MULTI_STOP_EXIT); +------------------------------------------------------------------ + +These functions (and the functions that they call) must be marked +notrace to prevent them from being updated while they are executing. +The consequences of failing to mark these functions can be severe: + + rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: + rcu: 1-...!: (0 ticks this GP) idle=14f/1/0x4000000000000000 softirq=3397/3397 fqs=0 + rcu: 3-...!: (0 ticks this GP) idle=ee9/1/0x4000000000000000 softirq=5168/5168 fqs=0 + (detected by 0, t=8137 jiffies, g=5889, q=2 ncpus=4) + Task dump for CPU 1: + task:migration/1 state:R running task stack: 0 pid: 19 ppid: 2 flags:0x00000000 + Stopper: multi_cpu_stop+0x0/0x18c <- stop_machine_cpuslocked+0x128/0x174 + Call Trace: + Task dump for CPU 3: + task:migration/3 state:R running task stack: 0 pid: 29 ppid: 2 flags:0x00000000 + Stopper: multi_cpu_stop+0x0/0x18c <- stop_machine_cpuslocked+0x128/0x174 + Call Trace: + rcu: rcu_preempt kthread timer wakeup didn't happen for 8136 jiffies! 
g5889 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 + rcu: Possible timer handling issue on cpu=2 timer-softirq=594 + rcu: rcu_preempt kthread starved for 8137 jiffies! g5889 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 ->cpu=2 + rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior. + rcu: RCU grace-period kthread stack dump: + task:rcu_preempt state:I stack: 0 pid: 14 ppid: 2 flags:0x00000000 + Call Trace: + schedule+0x56/0xc2 + schedule_timeout+0x82/0x184 + rcu_gp_fqs_loop+0x19a/0x318 + rcu_gp_kthread+0x11a/0x140 + kthread+0xee/0x118 + ret_from_exception+0x0/0x14 + rcu: Stack dump where RCU GP kthread last ran: + Task dump for CPU 2: + task:migration/2 state:R running task stack: 0 pid: 24 ppid: 2 flags:0x00000000 + Stopper: multi_cpu_stop+0x0/0x18c <- stop_machine_cpuslocked+0x128/0x174 + Call Trace: + +This commit therefore marks these functions notrace: + rcu_preempt_deferred_qs() + rcu_preempt_need_deferred_qs() + rcu_preempt_deferred_qs_irqrestore() + +[ paulmck: Apply feedback from Neeraj Upadhyay. ] + +Signed-off-by: Patrick Wang +Acked-by: Steven Rostedt (Google) +Signed-off-by: Paul E. McKenney +Reviewed-by: Neeraj Upadhyay +Signed-off-by: Ronald Monthero +Signed-off-by: Greg Kroah-Hartman +--- + kernel/rcu/tree_plugin.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -458,7 +458,7 @@ static bool rcu_preempt_has_tasks(struct + * be quite short, for example, in the case of the call from + * rcu_read_unlock_special(). + */ +-static void ++static notrace void + rcu_preempt_deferred_qs_irqrestore(struct task_struct *t, unsigned long flags) + { + bool empty_exp; +@@ -578,7 +578,7 @@ rcu_preempt_deferred_qs_irqrestore(struc + * is disabled. This function cannot be expected to understand these + * nuances, so the caller must handle them. 
+ */ +-static bool rcu_preempt_need_deferred_qs(struct task_struct *t) ++static notrace bool rcu_preempt_need_deferred_qs(struct task_struct *t) + { + return (__this_cpu_read(rcu_data.exp_deferred_qs) || + READ_ONCE(t->rcu_read_unlock_special.s)) && +@@ -592,7 +592,7 @@ static bool rcu_preempt_need_deferred_qs + * evaluate safety in terms of interrupt, softirq, and preemption + * disabling. + */ +-static void rcu_preempt_deferred_qs(struct task_struct *t) ++static notrace void rcu_preempt_deferred_qs(struct task_struct *t) + { + unsigned long flags; + +@@ -923,7 +923,7 @@ static bool rcu_preempt_has_tasks(struct + * Because there is no preemptible RCU, there can be no deferred quiescent + * states. + */ +-static bool rcu_preempt_need_deferred_qs(struct task_struct *t) ++static notrace bool rcu_preempt_need_deferred_qs(struct task_struct *t) + { + return false; + } diff --git a/queue-5.15/series b/queue-5.15/series index 9b88b032af1..15499200817 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
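Review bot: The diff marks only the three rcu_preempt_*deferred_qs* functions in kernel/rcu/tree_plugin.h as `notrace`, while the commit message names rcu_momentary_dyntick_idle() as the function in the stop-machine loop whose inner calls are traced. Nothing in these hunks shows how rcu_momentary_dyntick_idle() and any other helpers on that path are annotated in 5.15, so it is worth confirming they are already non-traceable on this branch; otherwise the stall described in the message may remain reachable. The no-preemptible-RCU stub of rcu_preempt_need_deferred_qs() is annotated in the last hunk, but a matching stub for rcu_preempt_deferred_qs() is not among the hunks. The function bodies continue outside the hunks.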
@@ -12,3 +12,16 @@ alsa-hda-realtek-headset-mic-vref-to-100.patch
 alsa-hda-realtek-add-supported-alc257-for-chromeos.patch
 dm-verity-align-struct-dm_verity_fec_io-properly.patch
 dm-verity-don-t-perform-fec-for-failed-readahead-io.patch
+bcache-revert-replacing-is_err_or_null-with-is_err.patch
+iommu-vt-d-add-mtl-to-quirk-list-to-skip-te-disabling.patch
+powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch
+parisc-drop-the-hp-ux-enosym-and-eremoterelease-error-codes.patch
+btrfs-add-dmesg-output-for-first-mount-and-last-unmount-of-a-filesystem.patch
+btrfs-ref-verify-fix-memory-leaks-in-btrfs_ref_tree_mod.patch
+btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch
+btrfs-send-ensure-send_fd-is-writable.patch
+btrfs-make-error-messages-more-clear-when-getting-a-chunk-map.patch
+input-xpad-add-hyperx-clutch-gladiate-support.patch
+vlan-introduce-vlan_dev_free_egress_priority.patch
+vlan-move-dev_put-into-vlan_dev_uninit.patch
+rcu-avoid-tracing-a-few-functions-executed-in-stop-machine.patch
diff --git a/queue-5.15/vlan-introduce-vlan_dev_free_egress_priority.patch b/queue-5.15/vlan-introduce-vlan_dev_free_egress_priority.patch
new file mode 100644
index 00000000000..ad08290848f
--- /dev/null
+++ b/queue-5.15/vlan-introduce-vlan_dev_free_egress_priority.patch
@@ -0,0 +1,82 @@
+From 37aa50c539bcbcc01767e515bd170787fcfc0f33 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Wed, 9 Feb 2022 03:19:55 -0500
+Subject: vlan: introduce vlan_dev_free_egress_priority
+
+From: Xin Long
+
+commit 37aa50c539bcbcc01767e515bd170787fcfc0f33 upstream.
+
+This patch is to introduce vlan_dev_free_egress_priority() to
+free egress priority for vlan dev, and keep vlan_dev_uninit()
+static as .ndo_uninit. It makes the code more clear and safer
+when adding new code in vlan_dev_uninit() in the future.
+
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Olivier Matz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/8021q/vlan.h | 2 +-
+ net/8021q/vlan_dev.c | 7 ++++++-
+ net/8021q/vlan_netlink.c | 7 ++++---
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/net/8021q/vlan.h
++++ b/net/8021q/vlan.h
+@@ -129,6 +129,7 @@ void vlan_dev_set_ingress_priority(const
+ u32 skb_prio, u16 vlan_prio);
+ int vlan_dev_set_egress_priority(const struct net_device *dev,
+ u32 skb_prio, u16 vlan_prio);
++void vlan_dev_free_egress_priority(const struct net_device *dev);
+ int vlan_dev_change_flags(const struct net_device *dev, u32 flag, u32 mask);
+ void vlan_dev_get_realdev_name(const struct net_device *dev, char *result,
+ size_t size);
+@@ -139,7 +140,6 @@ int vlan_check_real_dev(struct net_devic
+ void vlan_setup(struct net_device *dev);
+ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack);
+ void unregister_vlan_dev(struct net_device *dev, struct list_head *head);
+-void vlan_dev_uninit(struct net_device *dev);
+ bool vlan_dev_inherit_address(struct net_device *dev,
+ struct net_device *real_dev);
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -622,7 +622,7 @@ static int vlan_dev_init(struct net_devi
+ }
+
+ /* Note: this function might be called multiple times for the same device. */
+-void vlan_dev_uninit(struct net_device *dev)
++void vlan_dev_free_egress_priority(const struct net_device *dev)
+ {
+ struct vlan_priority_tci_mapping *pm;
+ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+@@ -636,6 +636,11 @@ void vlan_dev_uninit(struct net_device *
+ }
+ }
+
++static void vlan_dev_uninit(struct net_device *dev)
++{
++ vlan_dev_free_egress_priority(dev);
++}
++
+ static netdev_features_t vlan_dev_fix_features(struct net_device *dev,
+ netdev_features_t features)
+ {
+--- a/net/8021q/vlan_netlink.c
++++ b/net/8021q/vlan_netlink.c
+@@ -183,10 +183,11 @@ static int vlan_newlink(struct net *src_
+ return -EINVAL;
+
+ err = vlan_changelink(dev, tb, data, extack);
+- if (!err)
+- err = register_vlan_dev(dev, extack);
+ if (err)
+- vlan_dev_uninit(dev);
++ return err;
++ err = register_vlan_dev(dev, extack);
++ if (err)
++ vlan_dev_free_egress_priority(dev);
+ return err;
+ }
+
diff --git a/queue-5.15/vlan-move-dev_put-into-vlan_dev_uninit.patch b/queue-5.15/vlan-move-dev_put-into-vlan_dev_uninit.patch
new file mode 100644
index 00000000000..afe940e7f8a
--- /dev/null
+++ b/queue-5.15/vlan-move-dev_put-into-vlan_dev_uninit.patch
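Review bot: The rewritten error path in vlan_newlink() returns as soon as vlan_changelink() fails, so `vlan_dev_free_egress_priority(dev)` now runs only after a register_vlan_dev() failure, whereas the removed lines called vlan_dev_uninit(dev) for either failure. If vlan_changelink() can fail after it has already installed egress priority mappings (its body is not in this hunk, so this is inferred from the old cleanup), those allocations are leaked on a path driven by a netlink request. Keeping the old control flow with the new helper avoids that: `if (!err) err = register_vlan_dev(dev, extack);` followed by `if (err) vlan_dev_free_egress_priority(dev);`. vlan_newlink() starts outside the hunk.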
@@ -0,0 +1,69 @@
+From d6ff94afd90b0ce8d1715f8ef77d4347d7a7f2c0 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Wed, 9 Feb 2022 03:19:56 -0500
+Subject: vlan: move dev_put into vlan_dev_uninit
+
+From: Xin Long
+
+commit d6ff94afd90b0ce8d1715f8ef77d4347d7a7f2c0 upstream.
+
+Shuang Li reported an QinQ issue by simply doing:
+
+ # ip link add dummy0 type dummy
+ # ip link add link dummy0 name dummy0.1 type vlan id 1
+ # ip link add link dummy0.1 name dummy0.1.2 type vlan id 2
+ # rmmod 8021q
+
+ unregister_netdevice: waiting for dummy0.1 to become free. Usage count = 1
+
+When rmmods 8021q, all vlan devs are deleted from their real_dev's vlan grp
+and added into list_kill by unregister_vlan_dev(). dummy0.1 is unregistered
+before dummy0.1.2, as it's using for_each_netdev() in __rtnl_kill_links().
+
+When unregisters dummy0.1, dummy0.1.2 is not unregistered in the event of
+NETDEV_UNREGISTER, as it's been deleted from dummy0.1's vlan grp. However,
+due to dummy0.1.2 still holding dummy0.1, dummy0.1 will keep waiting in
+netdev_wait_allrefs(), while dummy0.1.2 will never get unregistered and
+release dummy0.1, as it delays dev_put until calling dev->priv_destructor,
+vlan_dev_free().
+
+This issue was introduced by Commit 563bcbae3ba2 ("net: vlan: fix a UAF in
+vlan_dev_real_dev()"), and this patch is to fix it by moving dev_put() into
+vlan_dev_uninit(), which is called after NETDEV_UNREGISTER event but before
+netdev_wait_allrefs().
+
+Fixes: 563bcbae3ba2 ("net: vlan: fix a UAF in vlan_dev_real_dev()")
+Reported-by: Shuang Li
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Olivier Matz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/8021q/vlan_dev.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -638,7 +638,12 @@ void vlan_dev_free_egress_priority(const
+
+ static void vlan_dev_uninit(struct net_device *dev)
+ {
++ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
++
+ vlan_dev_free_egress_priority(dev);
++
++ /* Get rid of the vlan's reference to real_dev */
++ dev_put(vlan->real_dev);
+ }
+
+ static netdev_features_t vlan_dev_fix_features(struct net_device *dev,
+@@ -851,9 +856,6 @@ static void vlan_dev_free(struct net_dev
+
+ free_percpu(vlan->vlan_pcpu_stats);
+ vlan->vlan_pcpu_stats = NULL;
+-
+- /* Get rid of the vlan's reference to real_dev */
+- dev_put(vlan->real_dev);
+ }
+
+ void vlan_setup(struct net_device *dev)
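Review bot: After the added `dev_put(vlan->real_dev);` in vlan_dev_uninit(), `vlan->real_dev` keeps the old pointer while the vlan device itself lives on until vlan_dev_free(), and the carried-over comment does not say so. The commit named in the Fixes: tag held the reference until the destructor to close a use-after-free in vlan_dev_real_dev(), so releasing it earlier deserves a stated lifetime rule; whether any reader of real_dev can still run in that window is not visible from this hunk. I would extend the comment to something like `/* Drop the vlan's reference to real_dev: from here on this vlan no longer pins real_dev, and a second call for the same device would unbalance the refcount. */`.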