5.4-stable patches

added patches:
	configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch
	gfs2-move-msleep-to-sleepable-context.patch
	wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch

diff --git a/queue-5.4/configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch b/queue-5.4/configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch
new file mode 100644 (file)
index 0000000..b93e0a4
--- /dev/null
+++ b/queue-5.4/configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch
@@ -0,0 +1,39 @@
+From f830edbae247b89228c3e09294151b21e0dc849c Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Wed, 7 May 2025 19:50:26 +0800
+Subject: configfs: Do not override creating attribute file failure in populate_attrs()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit f830edbae247b89228c3e09294151b21e0dc849c upstream.
+
+populate_attrs() may override failure for creating attribute files
+by success for creating subsequent bin attribute files, and have
+wrong return value.
+
+Fix by creating bin attribute files under successfully creating
+attribute files.
+
+Fixes: 03607ace807b ("configfs: implement binary attributes")
+Cc: stable@vger.kernel.org
+Reviewed-by: Joel Becker <jlbec@evilplan.org>
+Reviewed-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250507-fix_configfs-v3-2-fe2d96de8dc4@quicinc.com
+Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/configfs/dir.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -619,7 +619,7 @@ static int populate_attrs(struct config_
+                               break;
+               }
+       }
+-      if (t->ct_bin_attrs) {
++      if (!error && t->ct_bin_attrs) {
+               for (i = 0; (bin_attr = t->ct_bin_attrs[i]) != NULL; i++) {
+                       error = configfs_create_bin_file(item, bin_attr);
+                       if (error)

diff --git a/queue-5.4/gfs2-move-msleep-to-sleepable-context.patch b/queue-5.4/gfs2-move-msleep-to-sleepable-context.patch
new file mode 100644 (file)
index 0000000..de97643
--- /dev/null
+++ b/queue-5.4/gfs2-move-msleep-to-sleepable-context.patch
@@ -0,0 +1,42 @@
+From ac5ee087d31ed93b6e45d2968a66828c6f621d8c Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Mon, 31 Mar 2025 19:03:24 -0400
+Subject: gfs2: move msleep to sleepable context
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit ac5ee087d31ed93b6e45d2968a66828c6f621d8c upstream.
+
+This patch moves the msleep_interruptible() out of the non-sleepable
+context by moving the ls->ls_recover_spin spinlock around so
+msleep_interruptible() will be called in a sleepable context.
+
+Cc: stable@vger.kernel.org
+Fixes: 4a7727725dc7 ("GFS2: Fix recovery issues for spectators")
+Suggested-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/lock_dlm.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/gfs2/lock_dlm.c
++++ b/fs/gfs2/lock_dlm.c
+@@ -905,14 +905,15 @@ locks_done:
+               if (sdp->sd_args.ar_spectator) {
+                       fs_info(sdp, "Recovery is required. Waiting for a "
+                               "non-spectator to mount.\n");
++                      spin_unlock(&ls->ls_recover_spin);
+                       msleep_interruptible(1000);
+               } else {
+                       fs_info(sdp, "control_mount wait1 block %u start %u "
+                               "mount %u lvb %u flags %lx\n", block_gen,
+                               start_gen, mount_gen, lvb_gen,
+                               ls->ls_recover_flags);
++                      spin_unlock(&ls->ls_recover_spin);
+               }
+-              spin_unlock(&ls->ls_recover_spin);
+               goto restart;
+       }
+ 

diff --git a/queue-5.4/series b/queue-5.4/series
index d5b1760f1b7d3ce93f79d4a5314b78bdd20f049f..eeb64e06c11daa2db1435d538063aac021b834ce 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -99,3 +99,6 @@ usb-flush-altsetting-0-endpoints-before-reinitializating-them-after-reset.patch
 xen-arm-call-uaccess_ttbr0_enable-for-dm_op-hypercall.patch
 calipso-unlock-rcu-before-returning-eafnosupport.patch
 net-usb-aqc111-debug-info-before-sanitation.patch
+configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch
+gfs2-move-msleep-to-sleepable-context.patch
+wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch

diff --git a/queue-5.4/wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch b/queue-5.4/wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch
new file mode 100644 (file)
index 0000000..bb11e8a
--- /dev/null
+++ b/queue-5.4/wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch
@@ -0,0 +1,114 @@
+From da1b9a55ff116cb040528ef664c70a4eec03ae99 Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Fri, 16 May 2025 20:41:06 +0200
+Subject: wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()
+
+From: Christian Lamparter <chunkeey@gmail.com>
+
+commit da1b9a55ff116cb040528ef664c70a4eec03ae99 upstream.
+
+Robert Morris reported:
+
+|If a malicious USB device pretends to be an Intersil p54 wifi
+|interface and generates an eeprom_readback message with a large
+|eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the
+|message beyond the end of priv->eeprom.
+|
+|static void p54_rx_eeprom_readback(struct p54_common *priv,
+|                                   struct sk_buff *skb)
+|{
+|        struct p54_hdr *hdr = (struct p54_hdr *) skb->data;
+|        struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data;
+|
+|        if (priv->fw_var >= 0x509) {
+|                memcpy(priv->eeprom, eeprom->v2.data,
+|                       le16_to_cpu(eeprom->v2.len));
+|        } else {
+|                memcpy(priv->eeprom, eeprom->v1.data,
+|                       le16_to_cpu(eeprom->v1.len));
+|        }
+| [...]
+
+The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom().
+The device is supposed to provide the same length back to the driver.
+But yes, it's possible (like shown in the report) to alter the value
+to something that causes a crash/panic due to overrun.
+
+This patch addresses the issue by adding the size to the common device
+context, so p54_rx_eeprom_readback no longer relies on possibly tampered
+values... That said, it also checks if the "firmware" altered the value
+and no longer copies them.
+
+The one, small saving grace is: Before the driver tries to read the eeprom,
+it needs to upload >a< firmware. the vendor firmware has a proprietary
+license and as a reason, it is not present on most distributions by
+default.
+
+Cc: <stable@kernel.org>
+Reported-by: Robert Morris <rtm@mit.edu>
+Closes: https://lore.kernel.org/linux-wireless/28782.1747258414@localhost/
+Fixes: 7cb770729ba8 ("p54: move eeprom code into common library")
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Link: https://patch.msgid.link/20250516184107.47794-1-chunkeey@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intersil/p54/fwio.c |    2 ++
+ drivers/net/wireless/intersil/p54/p54.h  |    1 +
+ drivers/net/wireless/intersil/p54/txrx.c |   13 +++++++++----
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/intersil/p54/fwio.c
++++ b/drivers/net/wireless/intersil/p54/fwio.c
+@@ -233,6 +233,7 @@ int p54_download_eeprom(struct p54_commo
+ 
+       mutex_lock(&priv->eeprom_mutex);
+       priv->eeprom = buf;
++      priv->eeprom_slice_size = len;
+       eeprom_hdr = skb_put(skb, eeprom_hdr_size + len);
+ 
+       if (priv->fw_var < 0x509) {
+@@ -255,6 +256,7 @@ int p54_download_eeprom(struct p54_commo
+               ret = -EBUSY;
+       }
+       priv->eeprom = NULL;
++      priv->eeprom_slice_size = 0;
+       mutex_unlock(&priv->eeprom_mutex);
+       return ret;
+ }
+--- a/drivers/net/wireless/intersil/p54/p54.h
++++ b/drivers/net/wireless/intersil/p54/p54.h
+@@ -258,6 +258,7 @@ struct p54_common {
+ 
+       /* eeprom handling */
+       void *eeprom;
++      size_t eeprom_slice_size;
+       struct completion eeprom_comp;
+       struct mutex eeprom_mutex;
+ };
+--- a/drivers/net/wireless/intersil/p54/txrx.c
++++ b/drivers/net/wireless/intersil/p54/txrx.c
+@@ -500,14 +500,19 @@ static void p54_rx_eeprom_readback(struc
+               return ;
+ 
+       if (priv->fw_var >= 0x509) {
+-              memcpy(priv->eeprom, eeprom->v2.data,
+-                     le16_to_cpu(eeprom->v2.len));
++              if (le16_to_cpu(eeprom->v2.len) != priv->eeprom_slice_size)
++                      return;
++
++              memcpy(priv->eeprom, eeprom->v2.data, priv->eeprom_slice_size);
+       } else {
+-              memcpy(priv->eeprom, eeprom->v1.data,
+-                     le16_to_cpu(eeprom->v1.len));
++              if (le16_to_cpu(eeprom->v1.len) != priv->eeprom_slice_size)
++                      return;
++
++              memcpy(priv->eeprom, eeprom->v1.data, priv->eeprom_slice_size);
+       }
+ 
+       priv->eeprom = NULL;
++      priv->eeprom_slice_size = 0;
+       tmp = p54_find_and_unlink_skb(priv, hdr->req_id);
+       dev_kfree_skb_any(tmp);
+       complete(&priv->eeprom_comp);