From 64dc14f813dfaf899352fbdcd8254a4703b711b9 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 17 Dec 2023 18:55:46 +0100 Subject: [PATCH] 4.19-stable patches added patches: cred-switch-to-using-atomic_long_t.patch revert-pci-acpiphp-reassign-resources-on-bridge-if-necessary.patch --- ...lk-fix-use-after-free-in-atalk_ioctl.patch | 9 +- .../cred-switch-to-using-atomic_long_t.patch | 246 ++++++++++++++++++ ...ign-resources-on-bridge-if-necessary.patch | 77 ++++++ queue-4.19/series | 2 + 4 files changed, 327 insertions(+), 7 deletions(-) create mode 100644 queue-4.19/cred-switch-to-using-atomic_long_t.patch create mode 100644 queue-4.19/revert-pci-acpiphp-reassign-resources-on-bridge-if-necessary.patch diff --git a/queue-4.19/appletalk-fix-use-after-free-in-atalk_ioctl.patch b/queue-4.19/appletalk-fix-use-after-free-in-atalk_ioctl.patch index 80061412717..6448937df9a 100644 --- a/queue-4.19/appletalk-fix-use-after-free-in-atalk_ioctl.patch +++ b/queue-4.19/appletalk-fix-use-after-free-in-atalk_ioctl.patch @@ -23,14 +23,12 @@ Link: https://lore.kernel.org/r/20231213041056.GA519680@v4bel-B760M-AORUS-ELITE- Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin --- - net/appletalk/ddp.c | 9 ++++----- + net/appletalk/ddp.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) -diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c -index 20ec8e7f94236..c4f1bfe6e0402 100644 --- a/net/appletalk/ddp.c +++ b/net/appletalk/ddp.c -@@ -1808,15 +1808,14 @@ static int atalk_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) +@@ -1808,15 +1808,14 @@ static int atalk_ioctl(struct socket *so break; } case TIOCINQ: { @@ -50,6 +48,3 @@ index 20ec8e7f94236..c4f1bfe6e0402 100644 rc = put_user(amount, (int __user *)argp); break; } --- -2.43.0 - diff --git a/queue-4.19/cred-switch-to-using-atomic_long_t.patch b/queue-4.19/cred-switch-to-using-atomic_long_t.patch new file mode 100644 index 00000000000..bdf08459f83 --- /dev/null 
+++ b/queue-4.19/cred-switch-to-using-atomic_long_t.patch 
@@ -0,0 +1,246 @@
+From f8fa5d76925991976b3e7076f9d1052515ec1fca Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Fri, 15 Dec 2023 13:24:10 -0700
+Subject: cred: switch to using atomic_long_t
+
+From: Jens Axboe
+
+commit f8fa5d76925991976b3e7076f9d1052515ec1fca upstream.
+
+There are multiple ways to grab references to credentials, and the only
+protection we have against overflowing it is the memory required to do
+so.
+
+With memory sizes only moving in one direction, let's bump the reference
+count to 64-bit and move it outside the realm of feasibly overflowing.
+
+Signed-off-by: Jens Axboe
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/cred.h | 8 +++---
+ kernel/cred.c | 64 +++++++++++++++++++++++++--------------------------
+ 2 files changed, 36 insertions(+), 36 deletions(-)
+
+--- a/include/linux/cred.h
++++ b/include/linux/cred.h
+@@ -108,7 +108,7 @@ static inline int groups_search(const st
+ * same context as task->real_cred.
+ */
+ struct cred {
+- atomic_t usage;
++ atomic_long_t usage;
+ #ifdef CONFIG_DEBUG_CREDENTIALS
+ atomic_t subscribers; /* number of processes subscribed */
+ void *put_addr;
+@@ -228,7 +228,7 @@ static inline bool cap_ambient_invariant
+ */
+ static inline struct cred *get_new_cred(struct cred *cred)
+ {
+- atomic_inc(&cred->usage);
++ atomic_long_inc(&cred->usage);
+ return cred;
+ }
+
+@@ -260,7 +260,7 @@ static inline const struct cred *get_cre
+ struct cred *nonconst_cred = (struct cred *) cred;
+ if (!cred)
+ return NULL;
+- if (!atomic_inc_not_zero(&nonconst_cred->usage))
++ if (!atomic_long_inc_not_zero(&nonconst_cred->usage))
+ return NULL;
+ validate_creds(cred);
+ nonconst_cred->non_rcu = 0;
+@@ -284,7 +284,7 @@ static inline void put_cred(const struct
+
+ if (cred) {
+ validate_creds(cred);
+- if (atomic_dec_and_test(&(cred)->usage))
++ if (atomic_long_dec_and_test(&(cred)->usage))
+ __put_cred(cred);
+ }
+ }
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -99,17 +99,17 @@ static void put_cred_rcu(struct rcu_head
+
+ #ifdef CONFIG_DEBUG_CREDENTIALS
+ if (cred->magic != CRED_MAGIC_DEAD ||
+- atomic_read(&cred->usage) != 0 ||
++ atomic_long_read(&cred->usage) != 0 ||
+ read_cred_subscribers(cred) != 0)
+ panic("CRED: put_cred_rcu() sees %p with"
+- " mag %x, put %p, usage %d, subscr %d\n",
++ " mag %x, put %p, usage %ld, subscr %d\n",
+ cred, cred->magic, cred->put_addr,
+- atomic_read(&cred->usage),
++ atomic_long_read(&cred->usage),
+ read_cred_subscribers(cred));
+ #else
+- if (atomic_read(&cred->usage) != 0)
+- panic("CRED: put_cred_rcu() sees %p with usage %d\n",
+- cred, atomic_read(&cred->usage));
++ if (atomic_long_read(&cred->usage) != 0)
++ panic("CRED: put_cred_rcu() sees %p with usage %ld\n",
++ cred, atomic_long_read(&cred->usage));
+ #endif
+
+ security_cred_free(cred);
+@@ -134,11 +134,11 @@ static void put_cred_rcu(struct rcu_head
+ */
+ void __put_cred(struct cred *cred)
+ {
+- kdebug("__put_cred(%p{%d,%d})", cred,
+- atomic_read(&cred->usage),
++ kdebug("__put_cred(%p{%ld,%d})", cred,
++ atomic_long_read(&cred->usage),
+ read_cred_subscribers(cred));
+
+- BUG_ON(atomic_read(&cred->usage) != 0);
++ BUG_ON(atomic_long_read(&cred->usage) != 0);
+ #ifdef CONFIG_DEBUG_CREDENTIALS
+ BUG_ON(read_cred_subscribers(cred) != 0);
+ cred->magic = CRED_MAGIC_DEAD;
+@@ -161,8 +161,8 @@ void exit_creds(struct task_struct *tsk)
+ {
+ struct cred *cred;
+
+- kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
+- atomic_read(&tsk->cred->usage),
++ kdebug("exit_creds(%u,%p,%p,{%ld,%d})", tsk->pid, tsk->real_cred, tsk->cred,
++ atomic_long_read(&tsk->cred->usage),
+ read_cred_subscribers(tsk->cred));
+
+ cred = (struct cred *) tsk->real_cred;
+@@ -221,7 +221,7 @@ struct cred *cred_alloc_blank(void)
+ if (!new)
+ return NULL;
+
+- atomic_set(&new->usage, 1);
++ atomic_long_set(&new->usage, 1);
+ #ifdef CONFIG_DEBUG_CREDENTIALS
+ new->magic = CRED_MAGIC;
+ #endif
+@@ -267,7 +267,7 @@ struct cred *prepare_creds(void)
+ memcpy(new, old, sizeof(struct cred));
+
+ new->non_rcu = 0;
+- atomic_set(&new->usage, 1);
++ atomic_long_set(&new->usage, 1);
+ set_cred_subscribers(new, 0);
+ get_group_info(new->group_info);
+ get_uid(new->user);
+@@ -355,8 +355,8 @@ int copy_creds(struct task_struct *p, un
+ p->real_cred = get_cred(p->cred);
+ get_cred(p->cred);
+ alter_cred_subscribers(p->cred, 2);
+- kdebug("share_creds(%p{%d,%d})",
+- p->cred, atomic_read(&p->cred->usage),
++ kdebug("share_creds(%p{%ld,%d})",
++ p->cred, atomic_long_read(&p->cred->usage),
+ read_cred_subscribers(p->cred));
+ inc_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
+ return 0;
+@@ -449,8 +449,8 @@ int commit_creds(struct cred *new)
+ struct task_struct *task = current;
+ const struct cred *old = task->real_cred;
+
+- kdebug("commit_creds(%p{%d,%d})", new,
+- atomic_read(&new->usage),
++ kdebug("commit_creds(%p{%ld,%d})", new,
++ atomic_long_read(&new->usage),
+ read_cred_subscribers(new));
+
+ BUG_ON(task->cred != old);
+@@ -459,7 +459,7 @@ int commit_creds(struct cred *new)
+ validate_creds(old);
+ validate_creds(new);
+ #endif
+- BUG_ON(atomic_read(&new->usage) < 1);
++ BUG_ON(atomic_long_read(&new->usage) < 1);
+
+ get_cred(new); /* we will require a ref for the subj creds too */
+
+@@ -532,14 +532,14 @@ EXPORT_SYMBOL(commit_creds);
+ */
+ void abort_creds(struct cred *new)
+ {
+- kdebug("abort_creds(%p{%d,%d})", new,
+- atomic_read(&new->usage),
++ kdebug("abort_creds(%p{%ld,%d})", new,
++ atomic_long_read(&new->usage),
+ read_cred_subscribers(new));
+
+ #ifdef CONFIG_DEBUG_CREDENTIALS
+ BUG_ON(read_cred_subscribers(new) != 0);
+ #endif
+- BUG_ON(atomic_read(&new->usage) < 1);
++ BUG_ON(atomic_long_read(&new->usage) < 1);
+ put_cred(new);
+ }
+ EXPORT_SYMBOL(abort_creds);
+@@ -555,8 +555,8 @@ const struct cred *override_creds(const
+ {
+ const struct cred *old = current->cred;
+
+- kdebug("override_creds(%p{%d,%d})", new,
+- atomic_read(&new->usage),
++ kdebug("override_creds(%p{%ld,%d})", new,
++ atomic_long_read(&new->usage),
+ read_cred_subscribers(new));
+
+ validate_creds(old);
+@@ -578,8 +578,8 @@ const struct cred *override_creds(const
+ rcu_assign_pointer(current->cred, new);
+ alter_cred_subscribers(old, -1);
+
+- kdebug("override_creds() = %p{%d,%d}", old,
+- atomic_read(&old->usage),
++ kdebug("override_creds() = %p{%ld,%d}", old,
++ atomic_long_read(&old->usage),
+ read_cred_subscribers(old));
+ return old;
+ }
+@@ -596,8 +596,8 @@ void revert_creds(const struct cred *old
+ {
+ const struct cred *override = current->cred;
+
+- kdebug("revert_creds(%p{%d,%d})", old,
+- atomic_read(&old->usage),
++ kdebug("revert_creds(%p{%ld,%d})", old,
++ atomic_long_read(&old->usage),
+ read_cred_subscribers(old));
+
+ validate_creds(old);
+@@ -729,7 +729,7 @@ struct cred *prepare_kernel_cred(struct
+
+ *new = *old;
+ new->non_rcu = 0;
+- atomic_set(&new->usage, 1);
++ atomic_long_set(&new->usage, 1);
+ set_cred_subscribers(new, 0);
+ get_uid(new->user);
+ get_user_ns(new->user_ns);
+@@ -843,8 +843,8 @@ static void dump_invalid_creds(const str
+ cred == tsk->cred ? "[eff]" : "");
+ printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
+ cred->magic, cred->put_addr);
+- printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
+- atomic_read(&cred->usage),
++ printk(KERN_ERR "CRED: ->usage=%ld, subscr=%d\n",
++ atomic_long_read(&cred->usage),
+ read_cred_subscribers(cred));
+ printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
+ from_kuid_munged(&init_user_ns, cred->uid),
+@@ -916,9 +916,9 @@ EXPORT_SYMBOL(__validate_process_creds);
+ */
+ void validate_creds_for_do_exit(struct task_struct *tsk)
+ {
+- kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
++ kdebug("validate_creds_for_do_exit(%p,%p{%ld,%d})",
+ tsk->real_cred, tsk->cred,
+- atomic_read(&tsk->cred->usage),
++ atomic_long_read(&tsk->cred->usage),
+ read_cred_subscribers(tsk->cred));
+
+ __validate_process_creds(tsk, __FILE__, __LINE__);
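Review bot: The new `atomic_long_t usage` field in the `struct cred` hunk of include/linux/cred.h is only 64 bits wide where `long` is 64 bits, so the commit message's "bump the reference count to 64-bit" does not hold on 32-bit builds, where the counter keeps its old width. A wrapped count would let `put_cred()` reach `__put_cred()` while references are still held, so the width assumption is worth recording on the field, e.g. `atomic_long_t usage; /* long-wide refcount: 64-bit only on 64-bit kernels */`. The hunks cover include/linux/cred.h and kernel/cred.c only; any other reader or initializer of `usage` in the 4.19 tree is not visible here and should be checked for a leftover `atomic_*` call or `%d` format.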
diff --git a/queue-4.19/revert-pci-acpiphp-reassign-resources-on-bridge-if-necessary.patch b/queue-4.19/revert-pci-acpiphp-reassign-resources-on-bridge-if-necessary.patch
new file mode 100644
index 00000000000..f8c62128165
--- /dev/null
+++ b/queue-4.19/revert-pci-acpiphp-reassign-resources-on-bridge-if-necessary.patch
@@ -0,0 +1,77 @@
+From 5df12742b7e3aae2594a30a9d14d5d6e9e7699f4 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas
+Date: Thu, 14 Dec 2023 09:08:56 -0600
+Subject: Revert "PCI: acpiphp: Reassign resources on bridge if necessary"
+
+From: Bjorn Helgaas
+
+commit 5df12742b7e3aae2594a30a9d14d5d6e9e7699f4 upstream.
+
+This reverts commit 40613da52b13fb21c5566f10b287e0ca8c12c4e9 and the
+subsequent fix to it:
+
+ cc22522fd55e ("PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus")
+
+40613da52b13 fixed a problem where hot-adding a device with large BARs
+failed if the bridge windows programmed by firmware were not large enough.
+
+cc22522fd55e ("PCI: acpiphp: Use pci_assign_unassigned_bridge_resources()
+only for non-root bus") fixed a problem with 40613da52b13: an ACPI hot-add
+of a device on a PCI root bus (common in the virt world) or firmware
+sending ACPI Bus Check to non-existent Root Ports (e.g., on Dell Inspiron
+7352/0W6WV0) caused a NULL pointer dereference and suspend/resume hangs.
+
+Unfortunately the combination of 40613da52b13 and cc22522fd55e caused other
+problems:
+
+ - Fiona reported that hot-add of SCSI disks in QEMU virtual machine fails
+ sometimes.
+
+ - Dongli reported a similar problem with hot-add of SCSI disks.
+
+ - Jonathan reported a console freeze during boot on bare metal due to an
+ error in radeon GPU initialization.
+
+Revert both patches to avoid adding these problems. This means we will
+again see the problems with hot-adding devices with large BARs and the NULL
+pointer dereferences and suspend/resume issues that 40613da52b13 and
+cc22522fd55e were intended to fix.
+
+Fixes: 40613da52b13 ("PCI: acpiphp: Reassign resources on bridge if necessary")
+Fixes: cc22522fd55e ("PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus")
+Reported-by: Fiona Ebner
+Closes: https://lore.kernel.org/r/9eb669c0-d8f2-431d-a700-6da13053ae54@proxmox.com
+Reported-by: Dongli Zhang
+Closes: https://lore.kernel.org/r/3c4a446a-b167-11b8-f36f-d3c1b49b42e9@oracle.com
+Reported-by: Jonathan Woithe
+Closes: https://lore.kernel.org/r/ZXpaNCLiDM+Kv38H@marvin.atrad.com.au
+Signed-off-by: Bjorn Helgaas
+Acked-by: Michael S. Tsirkin
+Acked-by: Igor Mammedov
+Cc:
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/hotplug/acpiphp_glue.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/hotplug/acpiphp_glue.c
++++ b/drivers/pci/hotplug/acpiphp_glue.c
+@@ -510,15 +510,12 @@ static void enable_slot(struct acpiphp_s
+ if (pass && dev->subordinate) {
+ check_hotplug_bridge(slot, dev);
+ pcibios_resource_survey_bus(dev->subordinate);
+- if (pci_is_root_bus(bus))
+- __pci_bus_size_bridges(dev->subordinate, &add_list);
++ __pci_bus_size_bridges(dev->subordinate,
++ &add_list);
+ }
+ }
+ }
+- if (pci_is_root_bus(bus))
+- __pci_bus_assign_resources(bus, &add_list, NULL);
+- else
+- pci_assign_unassigned_bridge_resources(bus->self);
++ __pci_bus_assign_resources(bus, &add_list, NULL);
+ }
+
+ acpiphp_sanitize_bus(bus);
diff --git a/queue-4.19/series b/queue-4.19/series
index 7c226c5acd8..b6cc3e0c763 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -14,3 +14,5 @@ driver-core-add-device-probe-log-helper.patch
 net-stmmac-use-dev_err_probe-for-reporting-mdio-bus-.patch
 net-stmmac-handle-disabled-mdio-busses-from-devicetr.patch
 appletalk-fix-use-after-free-in-atalk_ioctl.patch
+revert-pci-acpiphp-reassign-resources-on-bridge-if-necessary.patch
+cred-switch-to-using-atomic_long_t.patch
-- 
2.47.3
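Review bot: The now-unconditional `__pci_bus_assign_resources(bus, &add_list, NULL);` at the end of the `enable_slot()` hunk in drivers/pci/hotplug/acpiphp_glue.c has no comment recording the limitation the commit message accepts. Bridge windows are no longer resized on hot-add, so a device whose BARs exceed the firmware-programmed window will again fail to get resources. A short comment above the call, such as `/* Bridge windows are not resized here; a device with BARs larger than the firmware-programmed window fails assignment. */`, would help the next reader avoid restoring the reverted `pci_assign_unassigned_bridge_resources(bus->self)` call without a root-bus check, which the message ties to a NULL pointer dereference. `enable_slot()` starts and ends outside the hunk.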