From c8b5af7e5ab9f9380f9cba24f947da8db9f884cf Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 24 Nov 2024 09:13:04 -0500 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- ...overflow-when-parsing-nfs-reparse-po.patch | 60 ++++++++ ...asks-on-offline-cpus-are-in-quiescen.patch | 43 ++++++ queue-5.15/series | 3 + ...or-work-around-strict-clang-tls-symb.patch | 138 ++++++++++++++++++ 4 files changed, 244 insertions(+) create mode 100644 queue-5.15/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch create mode 100644 queue-5.15/rcu-tasks-idle-tasks-on-offline-cpus-are-in-quiescen.patch create mode 100644 queue-5.15/x86-stackprotector-work-around-strict-clang-tls-symb.patch diff --git a/queue-5.15/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch b/queue-5.15/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch new file mode 100644 index 00000000000..867270c5d07 --- /dev/null +++ b/queue-5.15/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch @@ -0,0 +1,60 @@ +From 14ec6423cb139d7f09fd496ef332cf51e1771c1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 16:29:43 +0100 +Subject: cifs: Fix buffer overflow when parsing NFS reparse points +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit e2a8910af01653c1c268984855629d71fb81f404 upstream. + +ReparseDataLength is sum of the InodeType size and DataBuffer size. +So to get DataBuffer size it is needed to subtract InodeType's size from +ReparseDataLength. + +Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer +at position after the end of the buffer because it does not subtract +InodeType size from the length. Fix this problem and correctly subtract +variable len. + +Member InodeType is present only when reparse buffer is large enough. Check +for ReparseDataLength before accessing InodeType to prevent another invalid +memory access. + +Major and minor rdev values are present also only when reparse buffer is +large enough. Check for reparse buffer size before calling reparse_mkdev(). + +Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points") +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +[use variable name symlink_buf, the other buf->InodeType accesses are +not used in current version so skip] +Signed-off-by: Mahmoud Adam +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2ops.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 6c30fff8a029e..ee9a1e6550e3c 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -2971,6 +2971,12 @@ parse_reparse_posix(struct reparse_posix_data *symlink_buf, + + /* See MS-FSCC 2.1.2.6 for the 'NFS' style reparse tags */ + len = le16_to_cpu(symlink_buf->ReparseDataLength); ++ if (len < sizeof(symlink_buf->InodeType)) { ++ cifs_dbg(VFS, "srv returned malformed nfs buffer\n"); ++ return -EIO; ++ } ++ ++ len -= sizeof(symlink_buf->InodeType); + + if (le64_to_cpu(symlink_buf->InodeType) != NFS_SPECFILE_LNK) { + cifs_dbg(VFS, "%lld not a supported symlink type\n", +-- +2.43.0 + diff --git a/queue-5.15/rcu-tasks-idle-tasks-on-offline-cpus-are-in-quiescen.patch b/queue-5.15/rcu-tasks-idle-tasks-on-offline-cpus-are-in-quiescen.patch new file mode 100644 index 00000000000..d8c979bb14c --- /dev/null +++ b/queue-5.15/rcu-tasks-idle-tasks-on-offline-cpus-are-in-quiescen.patch @@ -0,0 +1,43 @@ +From fd16278784372c0c7830055ad0784d32199d5c53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 00:47:08 -0800 +Subject: rcu-tasks: Idle tasks on offline CPUs are in quiescent states + +From: Paul E. McKenney + +commit 5c9a9ca44fda41c5e82f50efced5297a9c19760d upstream. + +Any idle task corresponding to an offline CPU is in an RCU Tasks Trace +quiescent state. This commit causes rcu_tasks_trace_postscan() to ignore +idle tasks for offline CPUs, which it can do safely due to CPU-hotplug +operations being disabled. + +Signed-off-by: Paul E. McKenney +Cc: Neeraj Upadhyay +Cc: Eric Dumazet +Cc: Alexei Starovoitov +Cc: Andrii Nakryiko +Cc: Martin KaFai Lau +Cc: KP Singh +Signed-off-by: Krister Johansen +Signed-off-by: Sasha Levin +--- + kernel/rcu/tasks.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h +index 0e50ec9ded86e..0a83d0ce46d78 100644 +--- a/kernel/rcu/tasks.h ++++ b/kernel/rcu/tasks.h +@@ -1090,7 +1090,7 @@ static void rcu_tasks_trace_postscan(struct list_head *hop) + { + int cpu; + +- for_each_possible_cpu(cpu) ++ for_each_online_cpu(cpu) + rcu_tasks_trace_pertask(idle_task(cpu), hop); + + // Re-enable CPU hotplug now that the tasklist scan has completed. +-- +2.43.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 9e0c6043eb0..8168964c0ab 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -53,3 +53,6 @@ proc-softirqs-replace-seq_printf-with-seq_put_decima.patch alsa-usb-audio-fix-yamaha-p-125-quirk-entry.patch arm-9420-1-smp-fix-smp-for-xip-kernels.patch ipmr-fix-access-to-mfc_cache_list-without-lock-held.patch +rcu-tasks-idle-tasks-on-offline-cpus-are-in-quiescen.patch +x86-stackprotector-work-around-strict-clang-tls-symb.patch +cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch diff --git a/queue-5.15/x86-stackprotector-work-around-strict-clang-tls-symb.patch b/queue-5.15/x86-stackprotector-work-around-strict-clang-tls-symb.patch new file mode 100644 index 00000000000..2a8f100ccee --- /dev/null +++ b/queue-5.15/x86-stackprotector-work-around-strict-clang-tls-symb.patch @@ -0,0 +1,138 @@ +From e4ce1ed17940e830e150996ef3b08f47b4acd592 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2024 09:44:14 -0500 +Subject: x86/stackprotector: Work around strict Clang TLS symbol requirements + +From: Ard Biesheuvel + +[ Upstream commit 577c134d311b9b94598d7a0c86be1f431f823003 ] + +GCC and Clang both implement stack protector support based on Thread Local +Storage (TLS) variables, and this is used in the kernel to implement per-task +stack cookies, by copying a task's stack cookie into a per-CPU variable every +time it is scheduled in. + +Both now also implement -mstack-protector-guard-symbol=, which permits the TLS +variable to be specified directly. This is useful because it will allow to +move away from using a fixed offset of 40 bytes into the per-CPU area on +x86_64, which requires a lot of special handling in the per-CPU code and the +runtime relocation code. + +However, while GCC is rather lax in its implementation of this command line +option, Clang actually requires that the provided symbol name refers to a TLS +variable (i.e., one declared with __thread), although it also permits the +variable to be undeclared entirely, in which case it will use an implicit +declaration of the right type. + +The upshot of this is that Clang will emit the correct references to the stack +cookie variable in most cases, e.g., + + 10d: 64 a1 00 00 00 00 mov %fs:0x0,%eax + 10f: R_386_32 __stack_chk_guard + +However, if a non-TLS definition of the symbol in question is visible in the +same compilation unit (which amounts to the whole of vmlinux if LTO is +enabled), it will drop the per-CPU prefix and emit a load from a bogus +address. + +Work around this by using a symbol name that never occurs in C code, and emit +it as an alias in the linker script. + +Fixes: 3fb0fdb3bbe7 ("x86/stackprotector/32: Make the canary into a regular percpu variable") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Brian Gerst +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Cc: stable@vger.kernel.org +Link: https://github.com/ClangBuiltLinux/linux/issues/1854 +Link: https://lore.kernel.org/r/20241105155801.1779119-2-brgerst@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/Makefile | 3 ++- + arch/x86/entry/entry.S | 15 +++++++++++++++ + arch/x86/include/asm/asm-prototypes.h | 3 +++ + arch/x86/kernel/cpu/common.c | 2 ++ + arch/x86/kernel/vmlinux.lds.S | 3 +++ + 5 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index 9c09bbd390cec..f8a7d2a654347 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -81,7 +81,8 @@ ifeq ($(CONFIG_X86_32),y) + + ifeq ($(CONFIG_STACKPROTECTOR),y) + ifeq ($(CONFIG_SMP),y) +- KBUILD_CFLAGS += -mstack-protector-guard-reg=fs -mstack-protector-guard-symbol=__stack_chk_guard ++ KBUILD_CFLAGS += -mstack-protector-guard-reg=fs \ ++ -mstack-protector-guard-symbol=__ref_stack_chk_guard + else + KBUILD_CFLAGS += -mstack-protector-guard=global + endif +diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S +index f4419afc7147d..23f9efbe9d705 100644 +--- a/arch/x86/entry/entry.S ++++ b/arch/x86/entry/entry.S +@@ -48,3 +48,18 @@ EXPORT_SYMBOL_GPL(mds_verw_sel); + + .popsection + ++#ifndef CONFIG_X86_64 ++/* ++ * Clang's implementation of TLS stack cookies requires the variable in ++ * question to be a TLS variable. If the variable happens to be defined as an ++ * ordinary variable with external linkage in the same compilation unit (which ++ * amounts to the whole of vmlinux with LTO enabled), Clang will drop the ++ * segment register prefix from the references, resulting in broken code. Work ++ * around this by avoiding the symbol used in -mstack-protector-guard-symbol= ++ * entirely in the C code, and use an alias emitted by the linker script ++ * instead. ++ */ ++#ifdef CONFIG_STACKPROTECTOR ++EXPORT_SYMBOL(__ref_stack_chk_guard); ++#endif ++#endif +diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h +index 5cdccea455544..390b13db24b81 100644 +--- a/arch/x86/include/asm/asm-prototypes.h ++++ b/arch/x86/include/asm/asm-prototypes.h +@@ -18,3 +18,6 @@ + extern void cmpxchg8b_emu(void); + #endif + ++#if defined(__GENKSYMS__) && defined(CONFIG_STACKPROTECTOR) ++extern unsigned long __ref_stack_chk_guard; ++#endif +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index f0cc4c616ceb3..5db433cfaaa78 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -2000,8 +2000,10 @@ EXPORT_PER_CPU_SYMBOL(cpu_current_top_of_stack); + + #ifdef CONFIG_STACKPROTECTOR + DEFINE_PER_CPU(unsigned long, __stack_chk_guard); ++#ifndef CONFIG_SMP + EXPORT_PER_CPU_SYMBOL(__stack_chk_guard); + #endif ++#endif + + #endif /* CONFIG_X86_64 */ + +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index 351c604de263a..ab36dacb4cc50 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -490,6 +490,9 @@ SECTIONS + ASSERT(SIZEOF(.rela.dyn) == 0, "Unexpected run-time relocations (.rela) detected!") + } + ++/* needed for Clang - see arch/x86/entry/entry.S */ ++PROVIDE(__ref_stack_chk_guard = __stack_chk_guard); ++ + /* + * The ASSERT() sink to . is intentional, for binutils 2.14 compatibility: + */ +-- +2.43.0 + -- 2.47.3