From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 3 Dec 2023 13:48:49 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.14.332~37
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e41efdb5faceeae56d4ed81eb7056cf1a7052124;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
	bcache-revert-replacing-is_err_or_null-with-is_err.patch
	btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch
	btrfs-send-ensure-send_fd-is-writable.patch
	powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch
---

diff --git a/queue-4.19/bcache-revert-replacing-is_err_or_null-with-is_err.patch b/queue-4.19/bcache-revert-replacing-is_err_or_null-with-is_err.patch
new file mode 100644
index 00000000000..1614023d728
--- /dev/null
+++ b/queue-4.19/bcache-revert-replacing-is_err_or_null-with-is_err.patch
@@ -0,0 +1,72 @@
+From bb6cc253861bd5a7cf8439e2118659696df9619f Mon Sep 17 00:00:00 2001
+From: Markus Weippert <markus@gekmihesg.de>
+Date: Fri, 24 Nov 2023 16:14:37 +0100
+Subject: bcache: revert replacing IS_ERR_OR_NULL with IS_ERR
+
+From: Markus Weippert <markus@gekmihesg.de>
+
+commit bb6cc253861bd5a7cf8439e2118659696df9619f upstream.
+
+Commit 028ddcac477b ("bcache: Remove unnecessary NULL point check in
+node allocations") replaced IS_ERR_OR_NULL by IS_ERR. This leads to a
+NULL pointer dereference.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000080
+Call Trace:
+ ? __die_body.cold+0x1a/0x1f
+ ? page_fault_oops+0xd2/0x2b0
+ ? exc_page_fault+0x70/0x170
+ ? asm_exc_page_fault+0x22/0x30
+ ? btree_node_free+0xf/0x160 [bcache]
+ ? up_write+0x32/0x60
+ btree_gc_coalesce+0x2aa/0x890 [bcache]
+ ? bch_extent_bad+0x70/0x170 [bcache]
+ btree_gc_recurse+0x130/0x390 [bcache]
+ ? btree_gc_mark_node+0x72/0x230 [bcache]
+ bch_btree_gc+0x5da/0x600 [bcache]
+ ? cpuusage_read+0x10/0x10
+ ? bch_btree_gc+0x600/0x600 [bcache]
+ bch_gc_thread+0x135/0x180 [bcache]
+
+The relevant code starts with:
+
+    new_nodes[0] = NULL;
+
+    for (i = 0; i < nodes; i++) {
+        if (__bch_keylist_realloc(&keylist, bkey_u64s(&r[i].b->key)))
+            goto out_nocoalesce;
+    // ...
+out_nocoalesce:
+    // ...
+    for (i = 0; i < nodes; i++)
+        if (!IS_ERR(new_nodes[i])) {  // IS_ERR_OR_NULL before
+028ddcac477b
+            btree_node_free(new_nodes[i]);  // new_nodes[0] is NULL
+            rw_unlock(true, new_nodes[i]);
+        }
+
+This patch replaces IS_ERR() by IS_ERR_OR_NULL() to fix this.
+
+Fixes: 028ddcac477b ("bcache: Remove unnecessary NULL point check in node allocations")
+Link: https://lore.kernel.org/all/3DF4A87A-2AC1-4893-AE5F-E921478419A9@suse.de/
+Cc: stable@vger.kernel.org
+Cc: Zheng Wang <zyytlz.wz@163.com>
+Cc: Coly Li <colyli@suse.de>
+Signed-off-by: Markus Weippert <markus@gekmihesg.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/btree.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1526,7 +1526,7 @@ out_nocoalesce:
+ 			atomic_dec(&b->c->prio_blocked);
+ 
+ 	for (i = 0; i < nodes; i++)
+-		if (!IS_ERR(new_nodes[i])) {
++		if (!IS_ERR_OR_NULL(new_nodes[i])) {
+ 			btree_node_free(new_nodes[i]);
+ 			rw_unlock(true, new_nodes[i]);
+ 		}
diff --git a/queue-4.19/btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch b/queue-4.19/btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch
new file mode 100644
index 00000000000..156118dd903
--- /dev/null
+++ b/queue-4.19/btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch
@@ -0,0 +1,43 @@
+From 5fba5a571858ce2d787fdaf55814e42725bfa895 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 21 Nov 2023 13:38:32 +0000
+Subject: btrfs: fix off-by-one when checking chunk map includes logical address
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 5fba5a571858ce2d787fdaf55814e42725bfa895 upstream.
+
+At btrfs_get_chunk_map() we get the extent map for the chunk that contains
+the given logical address stored in the 'logical' argument. Then we do
+sanity checks to verify the extent map contains the logical address. One
+of these checks verifies if the extent map covers a range with an end
+offset behind the target logical address - however this check has an
+off-by-one error since it will consider an extent map whose start offset
+plus its length matches the target logical address as inclusive, while
+the fact is that the last byte it covers is behind the target logical
+address (by 1).
+
+So fix this condition by using '<=' rather than '<' when comparing the
+extent map's "start + length" against the target logical address.
+
+CC: stable@vger.kernel.org # 4.14+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2760,7 +2760,7 @@ static struct extent_map *get_chunk_map(
+ 		return ERR_PTR(-EINVAL);
+ 	}
+ 
+-	if (em->start > logical || em->start + em->len < logical) {
++	if (em->start > logical || em->start + em->len <= logical) {
+ 		btrfs_crit(fs_info,
+ 			   "found a bad mapping, wanted %llu-%llu, found %llu-%llu",
+ 			   logical, length, em->start, em->start + em->len);
diff --git a/queue-4.19/btrfs-send-ensure-send_fd-is-writable.patch b/queue-4.19/btrfs-send-ensure-send_fd-is-writable.patch
new file mode 100644
index 00000000000..284def559f6
--- /dev/null
+++ b/queue-4.19/btrfs-send-ensure-send_fd-is-writable.patch
@@ -0,0 +1,44 @@
+From 0ac1d13a55eb37d398b63e6ff6db4a09a2c9128c Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 24 Nov 2023 17:48:31 +0100
+Subject: btrfs: send: ensure send_fd is writable
+
+From: Jann Horn <jannh@google.com>
+
+commit 0ac1d13a55eb37d398b63e6ff6db4a09a2c9128c upstream.
+
+kernel_write() requires the caller to ensure that the file is writable.
+Let's do that directly after looking up the ->send_fd.
+
+We don't need a separate bailout path because the "out" path already
+does fput() if ->send_filp is non-NULL.
+
+This has no security impact for two reasons:
+
+ - the ioctl requires CAP_SYS_ADMIN
+ - __kernel_write() bails out on read-only files - but only since 5.8,
+   see commit a01ac27be472 ("fs: check FMODE_WRITE in __kernel_write")
+
+Reported-and-tested-by: syzbot+12e098239d20385264d3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=12e098239d20385264d3
+Fixes: 31db9f7c23fb ("Btrfs: introduce BTRFS_IOC_SEND for btrfs send/receive")
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/send.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6860,7 +6860,7 @@ long btrfs_ioctl_send(struct file *mnt_f
+ 	sctx->flags = arg->flags;
+ 
+ 	sctx->send_filp = fget(arg->send_fd);
+-	if (!sctx->send_filp) {
++	if (!sctx->send_filp || !(sctx->send_filp->f_mode & FMODE_WRITE)) {
+ 		ret = -EBADF;
+ 		goto out;
+ 	}
diff --git a/queue-4.19/powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch b/queue-4.19/powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch
new file mode 100644
index 00000000000..5c4f89762f2
--- /dev/null
+++ b/queue-4.19/powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch
@@ -0,0 +1,155 @@
+From 5e1d824f9a283cbf90f25241b66d1f69adb3835b Mon Sep 17 00:00:00 2001
+From: Timothy Pearson <tpearson@raptorengineering.com>
+Date: Sun, 19 Nov 2023 09:18:02 -0600
+Subject: powerpc: Don't clobber f0/vs0 during fp|altivec register save
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+commit 5e1d824f9a283cbf90f25241b66d1f69adb3835b upstream.
+
+During floating point and vector save to thread data f0/vs0 are
+clobbered by the FPSCR/VSCR store routine. This has been obvserved to
+lead to userspace register corruption and application data corruption
+with io-uring.
+
+Fix it by restoring f0/vs0 after FPSCR/VSCR store has completed for
+all the FP, altivec, VMX register save paths.
+
+Tested under QEMU in kvm mode, running on a Talos II workstation with
+dual POWER9 DD2.2 CPUs.
+
+Additional detail (mpe):
+
+Typically save_fpu() is called from __giveup_fpu() which saves the FP
+regs and also *turns off FP* in the tasks MSR, meaning the kernel will
+reload the FP regs from the thread struct before letting the task use FP
+again. So in that case save_fpu() is free to clobber f0 because the FP
+regs no longer hold live values for the task.
+
+There is another case though, which is the path via:
+  sys_clone()
+    ...
+    copy_process()
+      dup_task_struct()
+        arch_dup_task_struct()
+          flush_all_to_thread()
+            save_all()
+
+That path saves the FP regs but leaves them live. That's meant as an
+optimisation for a process that's using FP/VSX and then calls fork(),
+leaving the regs live means the parent process doesn't have to take a
+fault after the fork to get its FP regs back. The optimisation was added
+in commit 8792468da5e1 ("powerpc: Add the ability to save FPU without
+giving it up").
+
+That path does clobber f0, but f0 is volatile across function calls,
+and typically programs reach copy_process() from userspace via a syscall
+wrapper function. So in normal usage f0 being clobbered across a
+syscall doesn't cause visible data corruption.
+
+But there is now a new path, because io-uring can call copy_process()
+via create_io_thread() from the signal handling path. That's OK if the
+signal is handled as part of syscall return, but it's not OK if the
+signal is handled due to some other interrupt.
+
+That path is:
+
+interrupt_return_srr_user()
+  interrupt_exit_user_prepare()
+    interrupt_exit_user_prepare_main()
+      do_notify_resume()
+        get_signal()
+          task_work_run()
+            create_worker_cb()
+              create_io_worker()
+                copy_process()
+                  dup_task_struct()
+                    arch_dup_task_struct()
+                      flush_all_to_thread()
+                        save_all()
+                          if (tsk->thread.regs->msr & MSR_FP)
+                            save_fpu()
+                            # f0 is clobbered and potentially live in userspace
+
+Note the above discussion applies equally to save_altivec().
+
+Fixes: 8792468da5e1 ("powerpc: Add the ability to save FPU without giving it up")
+Cc: stable@vger.kernel.org # v4.6+
+Closes: https://lore.kernel.org/all/480932026.45576726.1699374859845.JavaMail.zimbra@raptorengineeringinc.com/
+Closes: https://lore.kernel.org/linuxppc-dev/480221078.47953493.1700206777956.JavaMail.zimbra@raptorengineeringinc.com/
+Tested-by: Timothy Pearson <tpearson@raptorengineering.com>
+Tested-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+[mpe: Reword change log to describe exact path of corruption & other minor tweaks]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/1921539696.48534988.1700407082933.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/fpu.S    |   13 +++++++++++++
+ arch/powerpc/kernel/vector.S |    2 ++
+ 2 files changed, 15 insertions(+)
+
+--- a/arch/powerpc/kernel/fpu.S
++++ b/arch/powerpc/kernel/fpu.S
+@@ -29,6 +29,15 @@
+ #include <asm/feature-fixups.h>
+ 
+ #ifdef CONFIG_VSX
++#define __REST_1FPVSR(n,c,base)						\
++BEGIN_FTR_SECTION							\
++	b	2f;							\
++END_FTR_SECTION_IFSET(CPU_FTR_VSX);					\
++	REST_FPR(n,base);						\
++	b	3f;							\
++2:	REST_VSR(n,c,base);						\
++3:
++
+ #define __REST_32FPVSRS(n,c,base)					\
+ BEGIN_FTR_SECTION							\
+ 	b	2f;							\
+@@ -47,9 +56,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_VSX);
+ 2:	SAVE_32VSRS(n,c,base);						\
+ 3:
+ #else
++#define __REST_1FPVSR(n,b,base)		REST_FPR(n, base)
+ #define __REST_32FPVSRS(n,b,base)	REST_32FPRS(n, base)
+ #define __SAVE_32FPVSRS(n,b,base)	SAVE_32FPRS(n, base)
+ #endif
++#define REST_1FPVSR(n,c,base)   __REST_1FPVSR(n,__REG_##c,__REG_##base)
+ #define REST_32FPVSRS(n,c,base) __REST_32FPVSRS(n,__REG_##c,__REG_##base)
+ #define SAVE_32FPVSRS(n,c,base) __SAVE_32FPVSRS(n,__REG_##c,__REG_##base)
+ 
+@@ -72,6 +83,7 @@ _GLOBAL(store_fp_state)
+ 	SAVE_32FPVSRS(0, R4, R3)
+ 	mffs	fr0
+ 	stfd	fr0,FPSTATE_FPSCR(r3)
++	REST_1FPVSR(0, R4, R3)
+ 	blr
+ EXPORT_SYMBOL(store_fp_state)
+ 
+@@ -136,6 +148,7 @@ _GLOBAL(save_fpu)
+ 2:	SAVE_32FPVSRS(0, R4, R6)
+ 	mffs	fr0
+ 	stfd	fr0,FPSTATE_FPSCR(r6)
++	REST_1FPVSR(0, R4, R6)
+ 	blr
+ 
+ /*
+--- a/arch/powerpc/kernel/vector.S
++++ b/arch/powerpc/kernel/vector.S
+@@ -31,6 +31,7 @@ _GLOBAL(store_vr_state)
+ 	mfvscr	v0
+ 	li	r4, VRSTATE_VSCR
+ 	stvx	v0, r4, r3
++	lvx	v0, 0, r3
+ 	blr
+ EXPORT_SYMBOL(store_vr_state)
+ 
+@@ -101,6 +102,7 @@ _GLOBAL(save_altivec)
+ 	mfvscr	v0
+ 	li	r4,VRSTATE_VSCR
+ 	stvx	v0,r4,r7
++	lvx	v0,0,r7
+ 	blr
+ 
+ #ifdef CONFIG_VSX
diff --git a/queue-4.19/series b/queue-4.19/series
index be30e0f0d29..65aacd02b58 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -37,3 +37,7 @@ alsa-hda-disable-power-save-on-kontron-singlepc.patch
 alsa-hda-realtek-headset-mic-vref-to-100.patch
 dm-verity-align-struct-dm_verity_fec_io-properly.patch
 dm-verity-don-t-perform-fec-for-failed-readahead-io.patch
+bcache-revert-replacing-is_err_or_null-with-is_err.patch
+powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch
+btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch
+btrfs-send-ensure-send_fd-is-writable.patch