--- /dev/null
+From 80f6e3080bfcf865062a926817b3ca6c4a137a57 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 16 Sep 2021 13:34:24 -0700
+Subject: fs-verity: fix signed integer overflow with i_size near S64_MAX
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 80f6e3080bfcf865062a926817b3ca6c4a137a57 upstream.
+
+If the file size is almost S64_MAX, the calculated number of Merkle tree
+levels exceeds FS_VERITY_MAX_LEVELS, causing FS_IOC_ENABLE_VERITY to
+fail. This is unintentional, since as the comment above the definition
+of FS_VERITY_MAX_LEVELS states, it is enough for over U64_MAX bytes of
+data using SHA-256 and 4K blocks. (Specifically, 4096*128**8 >= 2**64.)
+
+The bug is actually that when the number of blocks in the first level is
+calculated from i_size, there is a signed integer overflow due to i_size
+being signed. Fix this by treating i_size as unsigned.
+
+This was found by the new test "generic: test fs-verity EFBIG scenarios"
+(https://lkml.kernel.org/r/b1d116cd4d0ea74b9cd86f349c672021e005a75c.1631558495.git.boris@bur.io).
+
+This didn't affect ext4 or f2fs since those have a smaller maximum file
+size, but it did affect btrfs which allows files up to S64_MAX bytes.
+
+Reported-by: Boris Burkov <boris@bur.io>
+Fixes: 3fda4c617e84 ("fs-verity: implement FS_IOC_ENABLE_VERITY ioctl")
+Fixes: fd2d1acfcadf ("fs-verity: add the hook for file ->open()")
+Cc: <stable@vger.kernel.org> # v5.4+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Link: https://lore.kernel.org/r/20210916203424.113376-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/verity/enable.c | 2 +-
+ fs/verity/open.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/verity/enable.c
++++ b/fs/verity/enable.c
+@@ -136,7 +136,7 @@ static int build_merkle_tree(struct inod
+ * (level 0) and ascending to the root node (level 'num_levels - 1').
+ * Then at the end (level 'num_levels'), calculate the root hash.
+ */
+- blocks = (inode->i_size + params->block_size - 1) >>
++ blocks = ((u64)inode->i_size + params->block_size - 1) >>
+ params->log_blocksize;
+ for (level = 0; level <= params->num_levels; level++) {
+ err = build_merkle_tree_level(inode, level, blocks, params,
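Review bot: The `(u64)` cast on `inode->i_size` in the `blocks` computation has no comment, so a later cleanup could drop it and bring back the signed overflow for sizes near S64_MAX. A one-line comment above the statement would pin the intent, e.g. `/* i_size is signed; cast to u64 so the round-up cannot overflow near S64_MAX */`. The same expression is repeated in the fs/verity/open.c hunk for fsverity_init_merkle_tree_params() and would benefit from the same comment. build_merkle_tree() starts and ends outside this hunk.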
+--- a/fs/verity/open.c
++++ b/fs/verity/open.c
+@@ -89,7 +89,7 @@ int fsverity_init_merkle_tree_params(str
+ */
+
+ /* Compute number of levels and the number of blocks in each level */
+- blocks = (inode->i_size + params->block_size - 1) >> log_blocksize;
++ blocks = ((u64)inode->i_size + params->block_size - 1) >> log_blocksize;
+ pr_debug("Data is %lld bytes (%llu blocks)\n", inode->i_size, blocks);
+ while (blocks > 1) {
+ if (params->num_levels >= FS_VERITY_MAX_LEVELS) {
--- /dev/null
+From 943c15ac1b84d378da26bba41c83c67e16499ac4 Mon Sep 17 00:00:00 2001
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+Date: Tue, 21 Sep 2021 18:51:51 +0300
+Subject: hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field
+
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+
+commit 943c15ac1b84d378da26bba41c83c67e16499ac4 upstream.
+
+If driver read val value sufficient for
+(val & 0x08) && (!(val & 0x80)) && ((val & 0x7) == ((val >> 4) & 0x7))
+from device then Null pointer dereference occurs.
+(It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)
+Also lm75[] does not serve a purpose anymore after switching to
+devm_i2c_new_dummy_device() in w83791d_detect_subclients().
+
+The patch fixes possible NULL pointer dereference by removing lm75[].
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
+Link: https://lore.kernel.org/r/20210921155153.28098-1-lutovinova@ispras.ru
+[groeck: Dropped unnecessary continuation lines, fixed multi-line alignment]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/w83791d.c | 29 +++++++++++------------------
+ 1 file changed, 11 insertions(+), 18 deletions(-)
+
+--- a/drivers/hwmon/w83791d.c
++++ b/drivers/hwmon/w83791d.c
+@@ -273,9 +273,6 @@ struct w83791d_data {
+ char valid; /* !=0 if following fields are valid */
+ unsigned long last_updated; /* In jiffies */
+
+- /* array of 2 pointers to subclients */
+- struct i2c_client *lm75[2];
+-
+ /* volts */
+ u8 in[NUMBER_OF_VIN]; /* Register value */
+ u8 in_max[NUMBER_OF_VIN]; /* Register value */
+@@ -1258,7 +1255,6 @@ static const struct attribute_group w837
+ static int w83791d_detect_subclients(struct i2c_client *client)
+ {
+ struct i2c_adapter *adapter = client->adapter;
+- struct w83791d_data *data = i2c_get_clientdata(client);
+ int address = client->addr;
+ int i, id;
+ u8 val;
+@@ -1281,22 +1277,19 @@ static int w83791d_detect_subclients(str
+ }
+
+ val = w83791d_read(client, W83791D_REG_I2C_SUBADDR);
+- if (!(val & 0x08))
+- data->lm75[0] = devm_i2c_new_dummy_device(&client->dev, adapter,
+- 0x48 + (val & 0x7));
+- if (!(val & 0x80)) {
+- if (!IS_ERR(data->lm75[0]) &&
+- ((val & 0x7) == ((val >> 4) & 0x7))) {
+- dev_err(&client->dev,
+- "duplicate addresses 0x%x, "
+- "use force_subclient\n",
+- data->lm75[0]->addr);
+- return -ENODEV;
+- }
+- data->lm75[1] = devm_i2c_new_dummy_device(&client->dev, adapter,
+- 0x48 + ((val >> 4) & 0x7));
++
++ if (!(val & 0x88) && (val & 0x7) == ((val >> 4) & 0x7)) {
++ dev_err(&client->dev,
++ "duplicate addresses 0x%x, use force_subclient\n", 0x48 + (val & 0x7));
++ return -ENODEV;
+ }
+
++ if (!(val & 0x08))
++ devm_i2c_new_dummy_device(&client->dev, adapter, 0x48 + (val & 0x7));
++
++ if (!(val & 0x80))
++ devm_i2c_new_dummy_device(&client->dev, adapter, 0x48 + ((val >> 4) & 0x7));
++
+ return 0;
+ }
+
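Review bot: Both `devm_i2c_new_dummy_device()` calls at the end of w83791d_detect_subclients() discard their return value, so a failed subclient registration goes unnoticed and the function still returns 0. The removed code stored the pointers but only tested the first one with IS_ERR(), so this is not a regression. If ignoring the failure is intended, a comment such as `/* failure to register a subclient is not fatal */` would say so; otherwise test the result with `IS_ERR()` and log a warning. The same pattern appears in the w83792d and w83793 hunks, and the start of this function is outside the hunk.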
--- /dev/null
+From 0f36b88173f028e372668ae040ab1a496834d278 Mon Sep 17 00:00:00 2001
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+Date: Tue, 21 Sep 2021 18:51:52 +0300
+Subject: hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field
+
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+
+commit 0f36b88173f028e372668ae040ab1a496834d278 upstream.
+
+If driver read val value sufficient for
+(val & 0x08) && (!(val & 0x80)) && ((val & 0x7) == ((val >> 4) & 0x7))
+from device then Null pointer dereference occurs.
+(It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)
+Also lm75[] does not serve a purpose anymore after switching to
+devm_i2c_new_dummy_device() in w83791d_detect_subclients().
+
+The patch fixes possible NULL pointer dereference by removing lm75[].
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
+Link: https://lore.kernel.org/r/20210921155153.28098-2-lutovinova@ispras.ru
+[groeck: Dropped unnecessary continuation lines, fixed multipline alignment]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/w83792d.c | 28 +++++++++++-----------------
+ 1 file changed, 11 insertions(+), 17 deletions(-)
+
+--- a/drivers/hwmon/w83792d.c
++++ b/drivers/hwmon/w83792d.c
+@@ -264,9 +264,6 @@ struct w83792d_data {
+ char valid; /* !=0 if following fields are valid */
+ unsigned long last_updated; /* In jiffies */
+
+- /* array of 2 pointers to subclients */
+- struct i2c_client *lm75[2];
+-
+ u8 in[9]; /* Register value */
+ u8 in_max[9]; /* Register value */
+ u8 in_min[9]; /* Register value */
+@@ -928,7 +925,6 @@ w83792d_detect_subclients(struct i2c_cli
+ int address = new_client->addr;
+ u8 val;
+ struct i2c_adapter *adapter = new_client->adapter;
+- struct w83792d_data *data = i2c_get_clientdata(new_client);
+
+ id = i2c_adapter_id(adapter);
+ if (force_subclients[0] == id && force_subclients[1] == address) {
+@@ -947,21 +943,19 @@ w83792d_detect_subclients(struct i2c_cli
+ }
+
+ val = w83792d_read_value(new_client, W83792D_REG_I2C_SUBADDR);
+- if (!(val & 0x08))
+- data->lm75[0] = devm_i2c_new_dummy_device(&new_client->dev, adapter,
+- 0x48 + (val & 0x7));
+- if (!(val & 0x80)) {
+- if (!IS_ERR(data->lm75[0]) &&
+- ((val & 0x7) == ((val >> 4) & 0x7))) {
+- dev_err(&new_client->dev,
+- "duplicate addresses 0x%x, use force_subclient\n",
+- data->lm75[0]->addr);
+- return -ENODEV;
+- }
+- data->lm75[1] = devm_i2c_new_dummy_device(&new_client->dev, adapter,
+- 0x48 + ((val >> 4) & 0x7));
++
++ if (!(val & 0x88) && (val & 0x7) == ((val >> 4) & 0x7)) {
++ dev_err(&new_client->dev,
++ "duplicate addresses 0x%x, use force_subclient\n", 0x48 + (val & 0x7));
++ return -ENODEV;
+ }
+
++ if (!(val & 0x08))
++ devm_i2c_new_dummy_device(&new_client->dev, adapter, 0x48 + (val & 0x7));
++
++ if (!(val & 0x80))
++ devm_i2c_new_dummy_device(&new_client->dev, adapter, 0x48 + ((val >> 4) & 0x7));
++
+ return 0;
+ }
+
--- /dev/null
+From dd4d747ef05addab887dc8ff0d6ab9860bbcd783 Mon Sep 17 00:00:00 2001
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+Date: Tue, 21 Sep 2021 18:51:53 +0300
+Subject: hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field
+
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+
+commit dd4d747ef05addab887dc8ff0d6ab9860bbcd783 upstream.
+
+If driver read tmp value sufficient for
+(tmp & 0x08) && (!(tmp & 0x80)) && ((tmp & 0x7) == ((tmp >> 4) & 0x7))
+from device then Null pointer dereference occurs.
+(It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)
+Also lm75[] does not serve a purpose anymore after switching to
+devm_i2c_new_dummy_device() in w83791d_detect_subclients().
+
+The patch fixes possible NULL pointer dereference by removing lm75[].
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
+Link: https://lore.kernel.org/r/20210921155153.28098-3-lutovinova@ispras.ru
+[groeck: Dropped unnecessary continuation lines, fixed multi-line alignments]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/w83793.c | 26 +++++++++++---------------
+ 1 file changed, 11 insertions(+), 15 deletions(-)
+
+--- a/drivers/hwmon/w83793.c
++++ b/drivers/hwmon/w83793.c
+@@ -202,7 +202,6 @@ static inline s8 TEMP_TO_REG(long val, s
+ }
+
+ struct w83793_data {
+- struct i2c_client *lm75[2];
+ struct device *hwmon_dev;
+ struct mutex update_lock;
+ char valid; /* !=0 if following fields are valid */
+@@ -1566,7 +1565,6 @@ w83793_detect_subclients(struct i2c_clie
+ int address = client->addr;
+ u8 tmp;
+ struct i2c_adapter *adapter = client->adapter;
+- struct w83793_data *data = i2c_get_clientdata(client);
+
+ id = i2c_adapter_id(adapter);
+ if (force_subclients[0] == id && force_subclients[1] == address) {
+@@ -1586,21 +1584,19 @@ w83793_detect_subclients(struct i2c_clie
+ }
+
+ tmp = w83793_read_value(client, W83793_REG_I2C_SUBADDR);
+- if (!(tmp & 0x08))
+- data->lm75[0] = devm_i2c_new_dummy_device(&client->dev, adapter,
+- 0x48 + (tmp & 0x7));
+- if (!(tmp & 0x80)) {
+- if (!IS_ERR(data->lm75[0])
+- && ((tmp & 0x7) == ((tmp >> 4) & 0x7))) {
+- dev_err(&client->dev,
+- "duplicate addresses 0x%x, "
+- "use force_subclients\n", data->lm75[0]->addr);
+- return -ENODEV;
+- }
+- data->lm75[1] = devm_i2c_new_dummy_device(&client->dev, adapter,
+- 0x48 + ((tmp >> 4) & 0x7));
++
++ if (!(tmp & 0x88) && (tmp & 0x7) == ((tmp >> 4) & 0x7)) {
++ dev_err(&client->dev,
++ "duplicate addresses 0x%x, use force_subclient\n", 0x48 + (tmp & 0x7));
++ return -ENODEV;
+ }
+
++ if (!(tmp & 0x08))
++ devm_i2c_new_dummy_device(&client->dev, adapter, 0x48 + (tmp & 0x7));
++
++ if (!(tmp & 0x80))
++ devm_i2c_new_dummy_device(&client->dev, adapter, 0x48 + ((tmp >> 4) & 0x7));
++
+ return 0;
+ }
+
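Review bot: The rewritten dev_err() string says `use force_subclient`, while the line it replaces said `use force_subclients` and the array tested earlier in this function is `force_subclients`. The message now points the user at a name that differs from the one the code uses. Keeping the plural, `"duplicate addresses 0x%x, use force_subclients\n"`, would preserve the old hint. The w83791d and w83792d hunks print the singular form too, unchanged from their removed lines. The function begins outside this hunk.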
--- /dev/null
+From 94513069eb549737bcfc3d988d6ed4da948a2de8 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 27 Sep 2021 11:58:39 +0200
+Subject: mac80211: fix use-after-free in CCMP/GCMP RX
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 94513069eb549737bcfc3d988d6ed4da948a2de8 upstream.
+
+When PN checking is done in mac80211, for fragmentation we need
+to copy the PN to the RX struct so we can later use it to do a
+comparison, since commit bf30ca922a0c ("mac80211: check defrag
+PN against current frame").
+
+Unfortunately, in that commit I used the 'hdr' variable without
+it being necessarily valid, so use-after-free could occur if it
+was necessary to reallocate (parts of) the frame.
+
+Fix this by reloading the variable after the code that results
+in the reallocations, if any.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.
+
+Cc: stable@vger.kernel.org
+Fixes: bf30ca922a0c ("mac80211: check defrag PN against current frame")
+Link: https://lore.kernel.org/r/20210927115838.12b9ac6bb233.I1d066acd5408a662c3b6e828122cd314fcb28cdb@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/wpa.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/mac80211/wpa.c
++++ b/net/mac80211/wpa.c
+@@ -520,6 +520,9 @@ ieee80211_crypto_ccmp_decrypt(struct iee
+ return RX_DROP_UNUSABLE;
+ }
+
++ /* reload hdr - skb might have been reallocated */
++ hdr = (void *)rx->skb->data;
++
+ data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
+ if (!rx->sta || data_len < 0)
+ return RX_DROP_UNUSABLE;
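Review bot: The added reload reads `rx->skb->data` while the very next line uses the local `skb` for `skb->len`, so the hunk mixes two spellings of what is presumably the same buffer. If `skb` still refers to the current buffer at this point, `hdr = (void *)skb->data;` would read more consistently; if it does not, the `skb->len` use below needs the same attention. The comment could also name the call that may reallocate, which lies above this hunk. The identical addition in ieee80211_crypto_gcmp_decrypt() has the same shape.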
+@@ -749,6 +752,9 @@ ieee80211_crypto_gcmp_decrypt(struct iee
+ return RX_DROP_UNUSABLE;
+ }
+
++ /* reload hdr - skb might have been reallocated */
++ hdr = (void *)rx->skb->data;
++
+ data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len;
+ if (!rx->sta || data_len < 0)
+ return RX_DROP_UNUSABLE;
--- /dev/null
+From e8c2da7e329ce004fee748b921e4c765dc2fa338 Mon Sep 17 00:00:00 2001
+From: Jonathan Hsu <jonathan.hsu@mediatek.com>
+Date: Fri, 24 Sep 2021 16:58:48 +0800
+Subject: scsi: ufs: Fix illegal offset in UPIU event trace
+
+From: Jonathan Hsu <jonathan.hsu@mediatek.com>
+
+commit e8c2da7e329ce004fee748b921e4c765dc2fa338 upstream.
+
+Fix incorrect index for UTMRD reference in ufshcd_add_tm_upiu_trace().
+
+Link: https://lore.kernel.org/r/20210924085848.25500-1-jonathan.hsu@mediatek.com
+Fixes: 4b42d557a8ad ("scsi: ufs: core: Fix wrong Task Tag used in task management request UPIUs")
+Cc: stable@vger.kernel.org
+Reviewed-by: Stanley Chu <stanley.chu@mediatek.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jonathan Hsu <jonathan.hsu@mediatek.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -320,8 +320,7 @@ static void ufshcd_add_query_upiu_trace(
+ static void ufshcd_add_tm_upiu_trace(struct ufs_hba *hba, unsigned int tag,
+ const char *str)
+ {
+- int off = (int)tag - hba->nutrs;
+- struct utp_task_req_desc *descp = &hba->utmrdl_base_addr[off];
++ struct utp_task_req_desc *descp = &hba->utmrdl_base_addr[tag];
+
+ trace_ufshcd_upiu(dev_name(hba->dev), str, &descp->req_header,
+ &descp->input_param1);
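Review bot: `tag` now indexes `hba->utmrdl_base_addr[]` directly, and nothing in ufshcd_add_tm_upiu_trace() states what range callers must pass. The removed line treated the same parameter as offset by `hba->nutrs`, so a short comment on the function would keep the two conventions from being mixed again, e.g. `/* @tag: index into utmrdl_base_addr[], not offset by nutrs */`. The function's closing brace is outside this hunk.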
cpufreq-schedutil-use-kobject-release-method-to-free.patch
cpufreq-schedutil-destroy-mutex-before-kobject_put-f.patch
usb-cdns3-fix-race-condition-before-setting-doorbell.patch
+fs-verity-fix-signed-integer-overflow-with-i_size-near-s64_max.patch
+hwmon-w83793-fix-null-pointer-dereference-by-removing-unnecessary-structure-field.patch
+hwmon-w83792d-fix-null-pointer-dereference-by-removing-unnecessary-structure-field.patch
+hwmon-w83791d-fix-null-pointer-dereference-by-removing-unnecessary-structure-field.patch
+scsi-ufs-fix-illegal-offset-in-upiu-event-trace.patch
+mac80211-fix-use-after-free-in-ccmp-gcmp-rx.patch