From: Greg Kroah-Hartman Date: Tue, 5 Nov 2024 16:40:04 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v4.19.323~70 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=eae11d2ad10811a6fbaf84ef14ec796485d9101a;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: mm-shmem-fix-data-race-in-shmem_getattr.patch tools-mm-werror-fixes-in-page-types-slabinfo.patch
---
diff --git a/queue-6.6/mm-shmem-fix-data-race-in-shmem_getattr.patch b/queue-6.6/mm-shmem-fix-data-race-in-shmem_getattr.patch
new file mode 100644
index 00000000000..a60a7e3b0b6
--- /dev/null
+++ b/queue-6.6/mm-shmem-fix-data-race-in-shmem_getattr.patch
@@ -0,0 +1,96 @@
+From d949d1d14fa281ace388b1de978e8f2cd52875cf Mon Sep 17 00:00:00 2001
+From: Jeongjun Park
+Date: Mon, 9 Sep 2024 21:35:58 +0900
+Subject: mm: shmem: fix data-race in shmem_getattr()
+
+From: Jeongjun Park
+
+commit d949d1d14fa281ace388b1de978e8f2cd52875cf upstream.
+
+I got the following KCSAN report during syzbot testing:
+
+==================================================================
+BUG: KCSAN: data-race in generic_fillattr / inode_set_ctime_current
+
+write to 0xffff888102eb3260 of 4 bytes by task 6565 on cpu 1:
+ inode_set_ctime_to_ts include/linux/fs.h:1638 [inline]
+ inode_set_ctime_current+0x169/0x1d0 fs/inode.c:2626
+ shmem_mknod+0x117/0x180 mm/shmem.c:3443
+ shmem_create+0x34/0x40 mm/shmem.c:3497
+ lookup_open fs/namei.c:3578 [inline]
+ open_last_lookups fs/namei.c:3647 [inline]
+ path_openat+0xdbc/0x1f00 fs/namei.c:3883
+ do_filp_open+0xf7/0x200 fs/namei.c:3913
+ do_sys_openat2+0xab/0x120 fs/open.c:1416
+ do_sys_open fs/open.c:1431 [inline]
+ __do_sys_openat fs/open.c:1447 [inline]
+ __se_sys_openat fs/open.c:1442 [inline]
+ __x64_sys_openat+0xf3/0x120 fs/open.c:1442
+ x64_sys_call+0x1025/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:258
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+read to 0xffff888102eb3260 of 4 bytes by task 3498 on cpu 0:
+ inode_get_ctime_nsec include/linux/fs.h:1623 [inline]
+ inode_get_ctime include/linux/fs.h:1629 [inline]
+ generic_fillattr+0x1dd/0x2f0 fs/stat.c:62
+ shmem_getattr+0x17b/0x200 mm/shmem.c:1157
+ vfs_getattr_nosec fs/stat.c:166 [inline]
+ vfs_getattr+0x19b/0x1e0 fs/stat.c:207
+ vfs_statx_path fs/stat.c:251 [inline]
+ vfs_statx+0x134/0x2f0 fs/stat.c:315
+ vfs_fstatat+0xec/0x110 fs/stat.c:341
+ __do_sys_newfstatat fs/stat.c:505 [inline]
+ __se_sys_newfstatat+0x58/0x260 fs/stat.c:499
+ __x64_sys_newfstatat+0x55/0x70 fs/stat.c:499
+ x64_sys_call+0x141f/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:263
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+value changed: 0x2755ae53 -> 0x27ee44d3
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 UID: 0 PID: 3498 Comm: udevd Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+==================================================================
+
+When calling generic_fillattr(), if you don't hold read lock, data-race
+will occur in inode member variables, which can cause unexpected
+behavior.
+
+Since there is no special protection when shmem_getattr() calls
+generic_fillattr(), data-race occurs by functions such as shmem_unlink()
+or shmem_mknod(). This can cause unexpected results, so commenting it out
+is not enough.
+
+Therefore, when calling generic_fillattr() from shmem_getattr(), it is
+appropriate to protect the inode using inode_lock_shared() and
+inode_unlock_shared() to prevent data-race.
+
+Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com
+Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat")
+Signed-off-by: Jeongjun Park
+Reported-by: syzbot
+Cc: Hugh Dickins
+Cc: Yu Zhao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/shmem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1158,7 +1158,9 @@ static int shmem_getattr(struct mnt_idma
+ stat->attributes_mask |= (STATX_ATTR_APPEND |
+ STATX_ATTR_IMMUTABLE |
+ STATX_ATTR_NODUMP);
++ inode_lock_shared(inode);
+ generic_fillattr(idmap, request_mask, inode, stat);
++ inode_unlock_shared(inode);
+
+ if (shmem_is_huge(inode, 0, false, NULL, 0))
+ stat->blksize = HPAGE_PMD_SIZE;
diff --git a/queue-6.6/series b/queue-6.6/series
index 2013db5d78d..ccef71bb3ea 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
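Review bot: The added `inode_lock_shared(inode)` in shmem_getattr() makes every stat of a tmpfs inode take i_rwsem, so it is worth confirming that no caller reaches ->getattr while already holding that inode's lock; a nested read acquisition can deadlock once a writer is queued, and stat can now also sleep behind any long exclusive holder. The locked region covers only generic_fillattr(); the `shmem_is_huge(inode, ...)` read right after the unlock, and whatever precedes the hunk, stay outside it, which looks intended but is not stated. I would add a comment above the lock such as `/* i_rwsem (shared): keep generic_fillattr() from racing with timestamp updates in shmem_mknod()/shmem_unlink() */`. shmem_getattr()'s body starts and ends outside the hunk.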
@@ -100,3 +100,5 @@ iio-gts-helper-fix-memory-leaks-in-iio_gts_build_avail_scale_table.patch
 iio-light-veml6030-fix-microlux-value-calculation.patch
 nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch
 risc-v-acpi-fix-early_ioremap-to-early_memremap.patch
+mm-shmem-fix-data-race-in-shmem_getattr.patch
+tools-mm-werror-fixes-in-page-types-slabinfo.patch
diff --git a/queue-6.6/tools-mm-werror-fixes-in-page-types-slabinfo.patch b/queue-6.6/tools-mm-werror-fixes-in-page-types-slabinfo.patch
new file mode 100644
index 00000000000..8833df8f7ac
--- /dev/null
+++ b/queue-6.6/tools-mm-werror-fixes-in-page-types-slabinfo.patch
@@ -0,0 +1,90 @@
+From ece5897e5a10fcd56a317e32f2dc7219f366a5a8 Mon Sep 17 00:00:00 2001
+From: Wladislav Wiebe
+Date: Tue, 22 Oct 2024 19:21:13 +0200
+Subject: tools/mm: -Werror fixes in page-types/slabinfo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wladislav Wiebe
+
+commit ece5897e5a10fcd56a317e32f2dc7219f366a5a8 upstream.
+
+Commit e6d2c436ff693 ("tools/mm: allow users to provide additional
+cflags/ldflags") passes now CFLAGS to Makefile. With this, build systems
+with default -Werror enabled found:
+
+slabinfo.c:1300:25: error: ignoring return value of 'chdir'
+declared with attribute 'warn_unused_result' [-Werror=unused-result]
+                         chdir("..");
+                         ^~~~~~~~~~~
+page-types.c:397:35: error: format '%lu' expects argument of type
+'long unsigned int', but argument 2 has type 'uint64_t'
+{aka 'long long unsigned int'} [-Werror=format=]
+                         printf("%lu\t", mapcnt0);
+                                 ~~^     ~~~~~~~
+..
+
+Fix page-types by using PRIu64 for uint64_t prints and check in slabinfo
+for return code on chdir("..").
+
+Link: https://lkml.kernel.org/r/c1ceb507-94bc-461c-934d-c19b77edd825@gmail.com
+Fixes: e6d2c436ff69 ("tools/mm: allow users to provide additional cflags/ldflags")
+Signed-off-by: Wladislav Wiebe
+Cc: Vlastimil Babka
+Cc: Herton R. Krzesinski
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/mm/page-types.c | 9 +++++----
+ tools/mm/slabinfo.c | 4 +++-
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/tools/mm/page-types.c
++++ b/tools/mm/page-types.c
+@@ -22,6 +22,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -392,9 +393,9 @@ static void show_page_range(unsigned lon
+ if (opt_file)
+ printf("%lx\t", voff);
+ if (opt_list_cgroup)
+- printf("@%llu\t", (unsigned long long)cgroup0);
++ printf("@%" PRIu64 "\t", cgroup0);
+ if (opt_list_mapcnt)
+- printf("%lu\t", mapcnt0);
++ printf("%" PRIu64 "\t", mapcnt0);
+ printf("%lx\t%lx\t%s\n",
+ index, count, page_flag_name(flags0));
+ }
+@@ -420,9 +421,9 @@ static void show_page(unsigned long voff
+ if (opt_file)
+ printf("%lx\t", voffset);
+ if (opt_list_cgroup)
+- printf("@%llu\t", (unsigned long long)cgroup);
++ printf("@%" PRIu64 "\t", cgroup)
+ if (opt_list_mapcnt)
+- printf("%lu\t", mapcnt);
++ printf("%" PRIu64 "\t", mapcnt);
+
+ printf("%lx\t%s\n", offset, page_flag_name(flags));
+ }
+--- a/tools/mm/slabinfo.c
++++ b/tools/mm/slabinfo.c
+@@ -1297,7 +1297,9 @@ static void read_slab_dir(void)
+ slab->cpu_partial_free = get_obj("cpu_partial_free");
+ slab->alloc_node_mismatch = get_obj("alloc_node_mismatch");
+ slab->deactivate_bypass = get_obj("deactivate_bypass");
+- chdir("..");
++ if (chdir(".."))
++ fatal("Unable to chdir from slab ../%s\n",
++ slab->name);
+ if (slab->name[0] == ':')
+ alias_targets++;
+ slab++;
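Review bot: In the show_page() hunk of tools/mm/page-types.c the new line `printf("@%" PRIu64 "\t", cgroup)` has no terminating semicolon, so as shown the following `if (opt_list_mapcnt)` is a syntax error and the tool will not build. It should read `printf("@%" PRIu64 "\t", cgroup);`, as the parallel line in the show_page_range() hunk does. The queued file should be compared against upstream commit ece5897e5a10fcd56a317e32f2dc7219f366a5a8 before release, since a transcription slip here would suggest the rest of the patch needs the same check. The bodies of show_page(), show_page_range() and read_slab_dir() all continue outside their hunks.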