--- /dev/null
+From 64b7f674c292207624b3d788eda2dde3dc1415df Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vladimir@tuxera.com>
+Date: Sat, 10 Oct 2020 21:25:54 +0300
+Subject: cifs: Fix incomplete memory allocation on setxattr path
+
+From: Vladimir Zapolskiy <vladimir@tuxera.com>
+
+commit 64b7f674c292207624b3d788eda2dde3dc1415df upstream.
+
+On setxattr() syscall path due to an apprent typo the size of a dynamically
+allocated memory chunk for storing struct smb2_file_full_ea_info object is
+computed incorrectly, to be more precise the first addend is the size of
+a pointer instead of the wanted object size. Coincidentally it makes no
+difference on 64-bit platforms, however on 32-bit targets the following
+memcpy() writes 4 bytes of data outside of the dynamically allocated memory.
+
+ =============================================================================
+ BUG kmalloc-16 (Not tainted): Redzone overwritten
+ -----------------------------------------------------------------------------
+
+ Disabling lock debugging due to kernel taint
+ INFO: 0x79e69a6f-0x9e5cdecf @offset=368. First byte 0x73 instead of 0xcc
+ INFO: Slab 0xd36d2454 objects=85 used=51 fp=0xf7d0fc7a flags=0x35000201
+ INFO: Object 0x6f171df3 @offset=352 fp=0x00000000
+
+ Redzone 5d4ff02d: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+ Object 6f171df3: 00 00 00 00 00 05 06 00 73 6e 72 75 62 00 66 69 ........snrub.fi
+ Redzone 79e69a6f: 73 68 32 0a sh2.
+ Padding 56254d82: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
+ CPU: 0 PID: 8196 Comm: attr Tainted: G B 5.9.0-rc8+ #3
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
+ Call Trace:
+ dump_stack+0x54/0x6e
+ print_trailer+0x12c/0x134
+ check_bytes_and_report.cold+0x3e/0x69
+ check_object+0x18c/0x250
+ free_debug_processing+0xfe/0x230
+ __slab_free+0x1c0/0x300
+ kfree+0x1d3/0x220
+ smb2_set_ea+0x27d/0x540
+ cifs_xattr_set+0x57f/0x620
+ __vfs_setxattr+0x4e/0x60
+ __vfs_setxattr_noperm+0x4e/0x100
+ __vfs_setxattr_locked+0xae/0xd0
+ vfs_setxattr+0x4e/0xe0
+ setxattr+0x12c/0x1a0
+ path_setxattr+0xa4/0xc0
+ __ia32_sys_lsetxattr+0x1d/0x20
+ __do_fast_syscall_32+0x40/0x70
+ do_fast_syscall_32+0x29/0x60
+ do_SYSENTER_32+0x15/0x20
+ entry_SYSENTER_32+0x9f/0xf2
+
+Fixes: 5517554e4313 ("cifs: Add support for writing attributes on SMB2+")
+Signed-off-by: Vladimir Zapolskiy <vladimir@tuxera.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -652,7 +652,7 @@ smb2_set_ea(const unsigned int xid, stru
+ return rc;
+ }
+
+- len = sizeof(ea) + ea_name_len + ea_value_len + 1;
++ len = sizeof(*ea) + ea_name_len + ea_value_len + 1;
+ ea = kzalloc(len, GFP_KERNEL);
+ if (ea == NULL) {
+ SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
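Review bot: The corrected `len =` line still builds the allocation size as an open-coded sum, and nothing in the hunk shows that `ea_name_len` and `ea_value_len` are bounded before they are added. smb2_set_ea() starts above the hunk, so any such checks are out of view and should be confirmed. Because the commit message says the following memcpy() wrote past the buffer, a comment tying the size to the layout would help auditing, e.g. `/* header + name + NUL (presumably the + 1) + value */`. A `sizeof(ea)` written where `sizeof(*ea)` was meant made no difference on 64-bit here, so a 32-bit build with slab debugging, as in the report above, is a cheap regression check.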
--- /dev/null
+From 28683e847e2f20eed22cdd24f185d7783db396d3 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Wed, 7 Oct 2020 10:07:49 +0200
+Subject: i2c: meson: fix clock setting overwrite
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+commit 28683e847e2f20eed22cdd24f185d7783db396d3 upstream.
+
+When the slave address is written in do_start(), SLAVE_ADDR is written
+completely. This may overwrite some setting related to the clock rate
+or signal filtering.
+
+Fix this by writing only the bits related to slave address. To avoid
+causing unexpected changed, explicitly disable filtering or high/low
+clock mode which may have been left over by the bootloader.
+
+Fixes: 30021e3707a7 ("i2c: add support for Amlogic Meson I2C controller")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-meson.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-meson.c
++++ b/drivers/i2c/busses/i2c-meson.c
+@@ -8,6 +8,7 @@
+ * published by the Free Software Foundation.
+ */
+
++#include <linux/bitfield.h>
+ #include <linux/clk.h>
+ #include <linux/completion.h>
+ #include <linux/i2c.h>
+@@ -39,6 +40,12 @@
+ #define REG_CTRL_CLKDIVEXT_SHIFT 28
+ #define REG_CTRL_CLKDIVEXT_MASK GENMASK(29, 28)
+
++#define REG_SLV_ADDR GENMASK(7, 0)
++#define REG_SLV_SDA_FILTER GENMASK(10, 8)
++#define REG_SLV_SCL_FILTER GENMASK(13, 11)
++#define REG_SLV_SCL_LOW GENMASK(27, 16)
++#define REG_SLV_SCL_LOW_EN BIT(28)
++
+ #define I2C_TIMEOUT_MS 500
+
+ enum {
+@@ -142,6 +149,9 @@ static void meson_i2c_set_clk_div(struct
+ meson_i2c_set_mask(i2c, REG_CTRL, REG_CTRL_CLKDIVEXT_MASK,
+ (div >> 10) << REG_CTRL_CLKDIVEXT_SHIFT);
+
++ /* Disable HIGH/LOW mode */
++ meson_i2c_set_mask(i2c, REG_SLAVE_ADDR, REG_SLV_SCL_LOW_EN, 0);
++
+ dev_dbg(i2c->dev, "%s: clk %lu, freq %u, div %u\n", __func__,
+ clk_rate, freq, div);
+ }
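Review bot: The new comment `/* Disable HIGH/LOW mode */` says what the write does but not why it sits in meson_i2c_set_clk_div(). Per the commit message the bit may be left set by the bootloader, so suggest `/* Clear SCL_LOW_EN: a bootloader may have left HIGH/LOW mode on, which would presumably override the divider programmed above */`. REG_SLV_SCL_LOW is defined in the earlier hunk but not used in any visible hunk; if the field is deliberately left untouched once the enable bit is cleared, the comment should say so. The function starts above the hunk.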
+@@ -269,7 +279,10 @@ static void meson_i2c_do_start(struct me
+ token = (msg->flags & I2C_M_RD) ? TOKEN_SLAVE_ADDR_READ :
+ TOKEN_SLAVE_ADDR_WRITE;
+
+- writel(msg->addr << 1, i2c->regs + REG_SLAVE_ADDR);
++
++ meson_i2c_set_mask(i2c, REG_SLAVE_ADDR, REG_SLV_ADDR,
++ FIELD_PREP(REG_SLV_ADDR, msg->addr << 1));
++
+ meson_i2c_add_token(i2c, TOKEN_START);
+ meson_i2c_add_token(i2c, token);
+ }
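Review bot: `FIELD_PREP(REG_SLV_ADDR, msg->addr << 1)` now masks the shifted address to bits 7:0, so an address wider than 7 bits is silently truncated where the old `writel()` stored it whole. Whether such an address (10-bit addressing) can reach this function is not visible here, so either confirm it is rejected earlier or add a guard such as `WARN_ON_ONCE(msg->addr > 0x7f);` before the write. The hunk also leaves two consecutive blank lines after the `token` assignment; drop the added empty line. meson_i2c_do_start() starts above the hunk.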
+@@ -425,6 +438,10 @@ static int meson_i2c_probe(struct platfo
+ return ret;
+ }
+
++ /* Disable filtering */
++ meson_i2c_set_mask(i2c, REG_SLAVE_ADDR,
++ REG_SLV_SDA_FILTER | REG_SLV_SCL_FILTER, 0);
++
+ meson_i2c_set_clk_div(i2c, timings.bus_freq_hz);
+
+ return 0;
--- /dev/null
+From d42ee76ecb6c49d499fc5eb32ca34468d95dbc3e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 8 Oct 2020 01:38:31 -0700
+Subject: sctp: fix sctp_auth_init_hmacs() error path
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit d42ee76ecb6c49d499fc5eb32ca34468d95dbc3e upstream.
+
+After freeing ep->auth_hmacs we have to clear the pointer
+or risk use-after-free as reported by syzbot:
+
+BUG: KASAN: use-after-free in sctp_auth_destroy_hmacs net/sctp/auth.c:509 [inline]
+BUG: KASAN: use-after-free in sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
+BUG: KASAN: use-after-free in sctp_auth_free+0x17e/0x1d0 net/sctp/auth.c:1070
+Read of size 8 at addr ffff8880a8ff52c0 by task syz-executor941/6874
+
+CPU: 0 PID: 6874 Comm: syz-executor941 Not tainted 5.9.0-rc8-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x198/0x1fd lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
+ __kasan_report mm/kasan/report.c:513 [inline]
+ kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
+ sctp_auth_destroy_hmacs net/sctp/auth.c:509 [inline]
+ sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
+ sctp_auth_free+0x17e/0x1d0 net/sctp/auth.c:1070
+ sctp_endpoint_destroy+0x95/0x240 net/sctp/endpointola.c:203
+ sctp_endpoint_put net/sctp/endpointola.c:236 [inline]
+ sctp_endpoint_free+0xd6/0x110 net/sctp/endpointola.c:183
+ sctp_destroy_sock+0x9c/0x3c0 net/sctp/socket.c:4981
+ sctp_v6_destroy_sock+0x11/0x20 net/sctp/socket.c:9415
+ sk_common_release+0x64/0x390 net/core/sock.c:3254
+ sctp_close+0x4ce/0x8b0 net/sctp/socket.c:1533
+ inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
+ inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:475
+ __sock_release+0xcd/0x280 net/socket.c:596
+ sock_close+0x18/0x20 net/socket.c:1277
+ __fput+0x285/0x920 fs/file_table.c:281
+ task_work_run+0xdd/0x190 kernel/task_work.c:141
+ exit_task_work include/linux/task_work.h:25 [inline]
+ do_exit+0xb7d/0x29f0 kernel/exit.c:806
+ do_group_exit+0x125/0x310 kernel/exit.c:903
+ __do_sys_exit_group kernel/exit.c:914 [inline]
+ __se_sys_exit_group kernel/exit.c:912 [inline]
+ __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:912
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x43f278
+Code: Bad RIP value.
+RSP: 002b:00007fffe0995c38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f278
+RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
+RBP: 00000000004bf068 R08: 00000000000000e7 R09: ffffffffffffffd0
+R10: 0000000020000000 R11: 0000000000000246 R12: 0000000000000001
+R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
+
+Allocated by task 6874:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
+ kasan_set_track mm/kasan/common.c:56 [inline]
+ __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
+ kmem_cache_alloc_trace+0x174/0x300 mm/slab.c:3554
+ kmalloc include/linux/slab.h:554 [inline]
+ kmalloc_array include/linux/slab.h:593 [inline]
+ kcalloc include/linux/slab.h:605 [inline]
+ sctp_auth_init_hmacs+0xdb/0x3b0 net/sctp/auth.c:464
+ sctp_auth_init+0x8a/0x4a0 net/sctp/auth.c:1049
+ sctp_setsockopt_auth_supported net/sctp/socket.c:4354 [inline]
+ sctp_setsockopt+0x477e/0x97f0 net/sctp/socket.c:4631
+ __sys_setsockopt+0x2db/0x610 net/socket.c:2132
+ __do_sys_setsockopt net/socket.c:2143 [inline]
+ __se_sys_setsockopt net/socket.c:2140 [inline]
+ __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Freed by task 6874:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
+ kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
+ kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
+ __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
+ __cache_free mm/slab.c:3422 [inline]
+ kfree+0x10e/0x2b0 mm/slab.c:3760
+ sctp_auth_destroy_hmacs net/sctp/auth.c:511 [inline]
+ sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
+ sctp_auth_init_hmacs net/sctp/auth.c:496 [inline]
+ sctp_auth_init_hmacs+0x2b7/0x3b0 net/sctp/auth.c:454
+ sctp_auth_init+0x8a/0x4a0 net/sctp/auth.c:1049
+ sctp_setsockopt_auth_supported net/sctp/socket.c:4354 [inline]
+ sctp_setsockopt+0x477e/0x97f0 net/sctp/socket.c:4631
+ __sys_setsockopt+0x2db/0x610 net/socket.c:2132
+ __do_sys_setsockopt net/socket.c:2143 [inline]
+ __se_sys_setsockopt net/socket.c:2140 [inline]
+ __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 1f485649f529 ("[SCTP]: Implement SCTP-AUTH internals")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sctp/auth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -493,6 +493,7 @@ int sctp_auth_init_hmacs(struct sctp_end
+ out_err:
+ /* Clean up any successful allocations */
+ sctp_auth_destroy_hmacs(ep->auth_hmacs);
++ ep->auth_hmacs = NULL;
+ return -ENOMEM;
+ }
+
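Review bot: The added `ep->auth_hmacs = NULL;` fixes this call site only, because sctp_auth_destroy_hmacs() receives the array pointer by value and cannot reset the caller's field. Any other caller that frees `ep->auth_hmacs` while the endpoint stays alive needs the same reset, which cannot be checked from this hunk. A one-line comment would record the reason, since the KASAN trace shows sctp_auth_free() reaching the same array at endpoint teardown: `/* ep survives this failure; sctp_auth_free() runs destroy again at teardown */`. The body of sctp_auth_init_hmacs() starts above the hunk.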
ftrace-move-rcu-is-watching-check-after-recursion-check.patch
macsec-avoid-use-after-free-in-macsec_handle_frame.patch
mm-khugepaged-fix-filemap-page_to_pgoff-page-offset.patch
+cifs-fix-incomplete-memory-allocation-on-setxattr-path.patch
+i2c-meson-fix-clock-setting-overwrite.patch
+sctp-fix-sctp_auth_init_hmacs-error-path.patch