--- /dev/null
+From 44361e8cf9ddb23f17bdcc40ca944abf32e83e79 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 23 Nov 2022 09:10:42 +0100
+Subject: fuse: lock inode unconditionally in fuse_fallocate()
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 44361e8cf9ddb23f17bdcc40ca944abf32e83e79 upstream.
+
+file_modified() must be called with inode lock held. fuse_fallocate()
+didn't lock the inode in case of just FALLOC_KEEP_SIZE flags value, which
+resulted in a kernel Warning in notify_change().
+
+Lock the inode unconditionally, like all other fallocate implementations
+do.
+
+Reported-by: Pengfei Xu <pengfei.xu@intel.com>
+Reported-and-tested-by: syzbot+462da39f0667b357c4b6@syzkaller.appspotmail.com
+Fixes: 4a6f278d4827 ("fuse: add file_modified() to fallocate")
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/file.c | 41 ++++++++++++++++++-----------------------
+ 1 file changed, 18 insertions(+), 23 deletions(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -2963,11 +2963,9 @@ static long fuse_file_fallocate(struct f
+ .mode = mode
+ };
+ int err;
+- bool lock_inode = !(mode & FALLOC_FL_KEEP_SIZE) ||
+- (mode & (FALLOC_FL_PUNCH_HOLE |
+- FALLOC_FL_ZERO_RANGE));
+-
+- bool block_faults = FUSE_IS_DAX(inode) && lock_inode;
++ bool block_faults = FUSE_IS_DAX(inode) &&
++ (!(mode & FALLOC_FL_KEEP_SIZE) ||
++ (mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE)));
+
+ if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE |
+ FALLOC_FL_ZERO_RANGE))
+@@ -2976,22 +2974,20 @@ static long fuse_file_fallocate(struct f
+ if (fm->fc->no_fallocate)
+ return -EOPNOTSUPP;
+
+- if (lock_inode) {
+- inode_lock(inode);
+- if (block_faults) {
+- filemap_invalidate_lock(inode->i_mapping);
+- err = fuse_dax_break_layouts(inode, 0, 0);
+- if (err)
+- goto out;
+- }
+-
+- if (mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE)) {
+- loff_t endbyte = offset + length - 1;
+-
+- err = fuse_writeback_range(inode, offset, endbyte);
+- if (err)
+- goto out;
+- }
++ inode_lock(inode);
++ if (block_faults) {
++ filemap_invalidate_lock(inode->i_mapping);
++ err = fuse_dax_break_layouts(inode, 0, 0);
++ if (err)
++ goto out;
++ }
++
++ if (mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE)) {
++ loff_t endbyte = offset + length - 1;
++
++ err = fuse_writeback_range(inode, offset, endbyte);
++ if (err)
++ goto out;
+ }
+
+ if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+@@ -3039,8 +3035,7 @@ out:
+ if (block_faults)
+ filemap_invalidate_unlock(inode->i_mapping);
+
+- if (lock_inode)
+- inode_unlock(inode);
++ inode_unlock(inode);
+
+ fuse_flush_time_update(inode);
+
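Review bot: The now-unconditional `inode_lock(inode)` has no comment saying why a plain FALLOC_FL_KEEP_SIZE request needs it, while `block_faults` just above keeps the old mode-dependent condition, so the asymmetry invites a later change that narrows the lock again. According to the commit message the reason is that file_modified() must run with the inode lock held; that call is not in the visible hunks. I would put `/* file_modified() needs the inode lock for every mode, including plain FALLOC_FL_KEEP_SIZE */` above the lock. A short comment on `block_faults` should say that only requests without KEEP_SIZE, or with PUNCH_HOLE or ZERO_RANGE, take the invalidate lock on DAX inodes. fuse_file_fallocate() starts and ends outside these hunks.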
gpu-host1x-avoid-trying-to-use-gart-on-tegra20.patch
dm-integrity-flush-the-journal-on-suspend.patch
dm-integrity-clear-the-journal-on-suspend.patch
+fuse-lock-inode-unconditionally-in-fuse_fallocate.patch
+wifi-wilc1000-validate-pairwise-and-authentication-suite-offsets.patch
+wifi-wilc1000-validate-length-of-ieee80211_p2p_attr_oper_channel-attribute.patch
+wifi-wilc1000-validate-length-of-ieee80211_p2p_attr_channel_list-attribute.patch
+wifi-wilc1000-validate-number-of-channels.patch
--- /dev/null
+From f9b62f9843c7b0afdaecabbcebf1dbba18599408 Mon Sep 17 00:00:00 2001
+From: Phil Turnbull <philipturnbull@github.com>
+Date: Wed, 23 Nov 2022 10:35:42 -0500
+Subject: wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute
+
+From: Phil Turnbull <philipturnbull@github.com>
+
+commit f9b62f9843c7b0afdaecabbcebf1dbba18599408 upstream.
+
+Validate that the IEEE80211_P2P_ATTR_CHANNEL_LIST attribute contains
+enough space for a 'struct wilc_attr_oper_ch'. If the attribute is too
+small then it can trigger an out-of-bounds write later in the function.
+
+'struct wilc_attr_oper_ch' is variable sized so also check 'attr_len'
+does not extend beyond the end of 'buf'.
+
+Signed-off-by: Phil Turnbull <philipturnbull@github.com>
+Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
+Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221123153543.8568-4-philipturnbull@github.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/microchip/wilc1000/cfg80211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
++++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+@@ -964,7 +964,8 @@ static inline void wilc_wfi_cfg_parse_ch
+ if (index + sizeof(*e) + attr_size > len)
+ return;
+
+- if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST)
++ if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST &&
++ attr_size >= (sizeof(struct wilc_attr_ch_list) - sizeof(*e)))
+ ch_list_idx = index;
+ else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL &&
+ attr_size == (sizeof(struct wilc_attr_oper_ch) - sizeof(*e)))
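Review bot: The two length checks in this chain use different comparisons, `>=` for IEEE80211_P2P_ATTR_CHANNEL_LIST and `==` for IEEE80211_P2P_ATTR_OPER_CHANNEL, and nothing at the site explains the difference. The commit message gives the reason (the attribute is variable sized, so only a minimum can be required here), but someone reading the function will not see it. A one-line comment above the new condition would cover it: `/* variable-sized attribute: only the fixed part can be checked here */`. This check alone does not bound the per-entry channel counts that are used later in the function, so it should not be picked without the "validate number of channels" patch from the same series. The function body extends beyond the hunk.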
--- /dev/null
+From 051ae669e4505abbe05165bebf6be7922de11f41 Mon Sep 17 00:00:00 2001
+From: Phil Turnbull <philipturnbull@github.com>
+Date: Wed, 23 Nov 2022 10:35:41 -0500
+Subject: wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute
+
+From: Phil Turnbull <philipturnbull@github.com>
+
+commit 051ae669e4505abbe05165bebf6be7922de11f41 upstream.
+
+Validate that the IEEE80211_P2P_ATTR_OPER_CHANNEL attribute contains
+enough space for a 'struct struct wilc_attr_oper_ch'. If the attribute is
+too small then it triggers an out-of-bounds write later in the function.
+
+Signed-off-by: Phil Turnbull <philipturnbull@github.com>
+Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
+Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221123153543.8568-3-philipturnbull@github.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/microchip/wilc1000/cfg80211.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
++++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+@@ -956,14 +956,24 @@ static inline void wilc_wfi_cfg_parse_ch
+ return;
+
+ while (index + sizeof(*e) <= len) {
++ u16 attr_size;
++
+ e = (struct wilc_attr_entry *)&buf[index];
++ attr_size = le16_to_cpu(e->attr_len);
++
++ if (index + sizeof(*e) + attr_size > len)
++ return;
++
+ if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST)
+ ch_list_idx = index;
+- else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL)
++ else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL &&
++ attr_size == (sizeof(struct wilc_attr_oper_ch) - sizeof(*e)))
+ op_ch_idx = index;
++
+ if (ch_list_idx && op_ch_idx)
+ break;
+- index += le16_to_cpu(e->attr_len) + sizeof(*e);
++
++ index += sizeof(*e) + attr_size;
+ }
+
+ if (ch_list_idx) {
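Review bot: The new `return` on `index + sizeof(*e) + attr_size > len` abandons the whole frame, including any `ch_list_idx` or `op_ch_idx` recorded on earlier iterations, and the loop does not say that this is intended. It looks deliberate, since a frame with one attribute running past `len` is not trusted at all. Without a note, though, a later cleanup could turn it into `break` and let the code after the loop act on a partly parsed frame. I would document the choice in place with `/* attribute runs past the buffer: treat the whole frame as malformed */`. The function begins before and continues after this hunk, so how the indices are consumed is only partly visible here.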
--- /dev/null
+From 0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0 Mon Sep 17 00:00:00 2001
+From: Phil Turnbull <philipturnbull@github.com>
+Date: Wed, 23 Nov 2022 10:35:43 -0500
+Subject: wifi: wilc1000: validate number of channels
+
+From: Phil Turnbull <philipturnbull@github.com>
+
+commit 0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0 upstream.
+
+There is no validation of 'e->no_of_channels' which can trigger an
+out-of-bounds write in the following 'memset' call. Validate that the
+number of channels does not extends beyond the size of the channel list
+element.
+
+Signed-off-by: Phil Turnbull <philipturnbull@github.com>
+Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
+Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221123153543.8568-5-philipturnbull@github.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/microchip/wilc1000/cfg80211.c | 22 +++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
++++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+@@ -978,19 +978,29 @@ static inline void wilc_wfi_cfg_parse_ch
+ }
+
+ if (ch_list_idx) {
+- u16 attr_size;
+- struct wilc_ch_list_elem *e;
+- int i;
++ u16 elem_size;
+
+ ch_list = (struct wilc_attr_ch_list *)&buf[ch_list_idx];
+- attr_size = le16_to_cpu(ch_list->attr_len);
+- for (i = 0; i < attr_size;) {
++ /* the number of bytes following the final 'elem' member */
++ elem_size = le16_to_cpu(ch_list->attr_len) -
++ (sizeof(*ch_list) - sizeof(struct wilc_attr_entry));
++ for (unsigned int i = 0; i < elem_size;) {
++ struct wilc_ch_list_elem *e;
++
+ e = (struct wilc_ch_list_elem *)(ch_list->elem + i);
++
++ i += sizeof(*e);
++ if (i > elem_size)
++ break;
++
++ i += e->no_of_channels;
++ if (i > elem_size)
++ break;
++
+ if (e->op_class == WILC_WLAN_OPERATING_CLASS_2_4GHZ) {
+ memset(e->ch_list, sta_ch, e->no_of_channels);
+ break;
+ }
+- i += e->no_of_channels;
+ }
+ }
+
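Review bot: The `elem_size` computation subtracts the fixed part of `struct wilc_attr_ch_list` from `attr_len` and stores the result in a `u16`, so an `attr_len` smaller than that fixed part would wrap to a large value and defeat both `i > elem_size` checks before the `memset`. Nothing in this hunk prevents that; it is safe only because the parse loop (the CHANNEL_LIST length patch in the same series) records `ch_list_idx` solely when `attr_size` covers the fixed part. Either state the dependency next to the subtraction, e.g. `/* cannot wrap: ch_list_idx is only set when attr_len covers the fixed part */`, or compare `attr_len` against the fixed size here and skip the block when it is smaller. Separately, `for (unsigned int i = 0; ...)` declares the counter in the loop header, which will not build if the target stable tree is still compiled as gnu89. The page does not say which tree this queue is for, so that needs checking.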
--- /dev/null
+From cd21d99e595ec1d8721e1058dcdd4f1f7de1d793 Mon Sep 17 00:00:00 2001
+From: Phil Turnbull <philipturnbull@github.com>
+Date: Wed, 23 Nov 2022 10:35:40 -0500
+Subject: wifi: wilc1000: validate pairwise and authentication suite offsets
+
+From: Phil Turnbull <philipturnbull@github.com>
+
+commit cd21d99e595ec1d8721e1058dcdd4f1f7de1d793 upstream.
+
+There is no validation of 'offset' which can trigger an out-of-bounds
+read when extracting RSN capabilities.
+
+Signed-off-by: Phil Turnbull <philipturnbull@github.com>
+Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
+Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/microchip/wilc1000/hif.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/microchip/wilc1000/hif.c
++++ b/drivers/net/wireless/microchip/wilc1000/hif.c
+@@ -482,14 +482,25 @@ void *wilc_parse_join_bss_param(struct c
+
+ rsn_ie = cfg80211_find_ie(WLAN_EID_RSN, ies->data, ies->len);
+ if (rsn_ie) {
++ int rsn_ie_len = sizeof(struct element) + rsn_ie[1];
+ int offset = 8;
+
+- param->mode_802_11i = 2;
+- param->rsn_found = true;
+ /* extract RSN capabilities */
+- offset += (rsn_ie[offset] * 4) + 2;
+- offset += (rsn_ie[offset] * 4) + 2;
+- memcpy(param->rsn_cap, &rsn_ie[offset], 2);
++ if (offset < rsn_ie_len) {
++ /* skip over pairwise suites */
++ offset += (rsn_ie[offset] * 4) + 2;
++
++ if (offset < rsn_ie_len) {
++ /* skip over authentication suites */
++ offset += (rsn_ie[offset] * 4) + 2;
++
++ if (offset + 1 < rsn_ie_len) {
++ param->mode_802_11i = 2;
++ param->rsn_found = true;
++ memcpy(param->rsn_cap, &rsn_ie[offset], 2);
++ }
++ }
++ }
+ }
+
+ if (param->rsn_found) {
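Review bot: A truncated RSN element is now handled exactly like an absent one. `param->mode_802_11i = 2` and `param->rsn_found = true` moved inside the innermost bounds check, so when any of the three `offset` checks fails the `if (param->rsn_found)` block at the end of the hunk is skipped with no trace. That is a reasonable way to reject the malformed element, but it changes what the function reports for a BSS that does advertise RSN, and the nested ifs give no hint that this is intended. I would state it once above the first check, `/* malformed RSN IE: leave rsn_found false so the element is ignored */`, and consider a debug message on that path so a bad element is visible when diagnosing a failed join. wilc_parse_join_bss_param() starts and ends outside the hunk, so the effect on the rest of the join parameters cannot be confirmed from here.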