From: Greg Kroah-Hartman
Date: Sun, 9 Mar 2025 19:03:50 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v5.4.291~102
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=05ca2c78ef17d3c04429deb8c761d3898b269559;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
mm-page_alloc-fix-uninitialized-variable.patch
rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch
rapidio-fix-an-api-misues-when-rio_add_net-fails.patch
wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch
wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch
---

diff --git a/queue-5.4/mm-page_alloc-fix-uninitialized-variable.patch b/queue-5.4/mm-page_alloc-fix-uninitialized-variable.patch
new file mode 100644
index 0000000000..a77bc9f446
--- /dev/null
+++ b/queue-5.4/mm-page_alloc-fix-uninitialized-variable.patch
@@ -0,0 +1,78 @@
+From 8fe9ed44dc29fba0786b7e956d2e87179e407582 Mon Sep 17 00:00:00 2001
+From: Hao Zhang
+Date: Thu, 27 Feb 2025 11:41:29 +0800
+Subject: mm/page_alloc: fix uninitialized variable
+
+From: Hao Zhang
+
+commit 8fe9ed44dc29fba0786b7e956d2e87179e407582 upstream.
+
+The variable "compact_result" is not initialized in function
+__alloc_pages_slowpath(). It causes should_compact_retry() to use an
+uninitialized value.
+
+Initialize variable "compact_result" with the value COMPACT_SKIPPED.
+
+BUG: KMSAN: uninit-value in __alloc_pages_slowpath+0xee8/0x16c0 mm/page_alloc.c:4416
+ __alloc_pages_slowpath+0xee8/0x16c0 mm/page_alloc.c:4416
+ __alloc_frozen_pages_noprof+0xa4c/0xe00 mm/page_alloc.c:4752
+ alloc_pages_mpol+0x4cd/0x890 mm/mempolicy.c:2270
+ alloc_frozen_pages_noprof mm/mempolicy.c:2341 [inline]
+ alloc_pages_noprof mm/mempolicy.c:2361 [inline]
+ folio_alloc_noprof+0x1dc/0x350 mm/mempolicy.c:2371
+ filemap_alloc_folio_noprof+0xa6/0x440 mm/filemap.c:1019
+ __filemap_get_folio+0xb9a/0x1840 mm/filemap.c:1970
+ grow_dev_folio fs/buffer.c:1039 [inline]
+ grow_buffers fs/buffer.c:1105 [inline]
+ __getblk_slow fs/buffer.c:1131 [inline]
+ bdev_getblk+0x2c9/0xab0 fs/buffer.c:1431
+ getblk_unmovable include/linux/buffer_head.h:369 [inline]
+ ext4_getblk+0x3b7/0xe50 fs/ext4/inode.c:864
+ ext4_bread_batch+0x9f/0x7d0 fs/ext4/inode.c:933
+ __ext4_find_entry+0x1ebb/0x36c0 fs/ext4/namei.c:1627
+ ext4_lookup_entry fs/ext4/namei.c:1729 [inline]
+ ext4_lookup+0x189/0xb40 fs/ext4/namei.c:1797
+ __lookup_slow+0x538/0x710 fs/namei.c:1793
+ lookup_slow+0x6a/0xd0 fs/namei.c:1810
+ walk_component fs/namei.c:2114 [inline]
+ link_path_walk+0xf29/0x1420 fs/namei.c:2479
+ path_openat+0x30f/0x6250 fs/namei.c:3985
+ do_filp_open+0x268/0x600 fs/namei.c:4016
+ do_sys_openat2+0x1bf/0x2f0 fs/open.c:1428
+ do_sys_open fs/open.c:1443 [inline]
+ __do_sys_openat fs/open.c:1459 [inline]
+ __se_sys_openat fs/open.c:1454 [inline]
+ __x64_sys_openat+0x2a1/0x310 fs/open.c:1454
+ x64_sys_call+0x36f5/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:258
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Local variable compact_result created at:
+ __alloc_pages_slowpath+0x66/0x16c0 mm/page_alloc.c:4218
+ __alloc_frozen_pages_noprof+0xa4c/0xe00 mm/page_alloc.c:4752
+
+Link: https://lkml.kernel.org/r/tencent_ED1032321D6510B145CDBA8CBA0093178E09@qq.com
+Reported-by: syzbot+0cfd5e38e96a5596f2b6@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0cfd5e38e96a5596f2b6
+Signed-off-by: Hao Zhang
+Reviewed-by: Vlastimil Babka
+Cc: Michal Hocko
+Cc: Mel Gorman
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/page_alloc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -4469,6 +4469,7 @@ __alloc_pages_slowpath(gfp_t gfp_mask, u
+ restart:
+ compaction_retries = 0;
+ no_progress_loops = 0;
++ compact_result = COMPACT_SKIPPED;
+ compact_priority = DEF_COMPACT_PRIORITY;
+ cpuset_mems_cookie = read_mems_allowed_begin();
+ zonelist_iter_cookie = zonelist_iter_begin();
diff --git a/queue-5.4/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch b/queue-5.4/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch
new file mode 100644
index 0000000000..d7a5e9490f
--- /dev/null
+++ b/queue-5.4/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch
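Review bot: The added `compact_result = COMPACT_SKIPPED;` under `restart:` gives no hint why that value is the right default, and readers of the 5.4 tree will not have this commit message in front of them; a one-line comment such as `/* should_compact_retry() can read this before any compaction has run */` would carry the reason into the source. Placing it next to `compaction_retries` and `no_progress_loops` rather than at the declaration also means it is re-initialised on every restart, which looks intentional, but the declaration site is not visible here. __alloc_pages_slowpath() begins and ends outside the hunk.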
@@ -0,0 +1,41 @@
+From e842f9a1edf306bf36fe2a4d847a0b0d458770de Mon Sep 17 00:00:00 2001
+From: Haoxiang Li
+Date: Thu, 27 Feb 2025 12:11:31 +0800
+Subject: rapidio: add check for rio_add_net() in rio_scan_alloc_net()
+
+From: Haoxiang Li
+
+commit e842f9a1edf306bf36fe2a4d847a0b0d458770de upstream.
+
+The return value of rio_add_net() should be checked. If it fails,
+put_device() should be called to free the memory and give up the reference
+initialized in rio_add_net().
+
+Link: https://lkml.kernel.org/r/20250227041131.3680761-1-haoxiang_li2024@163.com
+Fixes: e6b585ca6e81 ("rapidio: move net allocation into core code")
+Signed-off-by: Yang Yingliang
+Signed-off-by: Haoxiang Li
+Cc: Alexandre Bounine
+Cc: Matt Porter
+Cc: Dan Carpenter
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rapidio/rio-scan.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/rapidio/rio-scan.c
++++ b/drivers/rapidio/rio-scan.c
+@@ -873,7 +873,10 @@ static struct rio_net *rio_scan_alloc_ne
+ dev_set_name(&net->dev, "rnet_%d", net->id);
+ net->dev.parent = &mport->dev;
+ net->dev.release = rio_scan_release_dev;
+- rio_add_net(net);
++ if (rio_add_net(net)) {
++ put_device(&net->dev);
++ net = NULL;
++ }
+ }
+
+ return net;
diff --git a/queue-5.4/rapidio-fix-an-api-misues-when-rio_add_net-fails.patch b/queue-5.4/rapidio-fix-an-api-misues-when-rio_add_net-fails.patch
new file mode 100644
index 0000000000..49377423c9
--- /dev/null
+++ b/queue-5.4/rapidio-fix-an-api-misues-when-rio_add_net-fails.patch
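Review bot: The new `if (rio_add_net(net))` branch discards the error code returned by rio_add_net() and emits no diagnostic, so a failed registration surfaces only as a NULL return from rio_scan_alloc_net(); the rio_mport_cdev.c patch in this same commit at least logs the value, and keeping it here, `int err = rio_add_net(net); if (err) {`, would allow the same. The put_device() in the branch relies on `net->dev.release = rio_scan_release_dev;` two lines above so that dropping the reference presumably frees the allocation in place of the old kfree(); a comment such as `/* registration failed: drop the ref so the release callback frees net */` would make that dependency explicit. The callers of rio_scan_alloc_net() are outside the hunk, so whether each one already tolerates a NULL return cannot be confirmed from here, and the function itself starts before the hunk.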
@@ -0,0 +1,39 @@
+From b2ef51c74b0171fde7eb69b6152d3d2f743ef269 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li
+Date: Thu, 27 Feb 2025 15:34:09 +0800
+Subject: rapidio: fix an API misues when rio_add_net() fails
+
+From: Haoxiang Li
+
+commit b2ef51c74b0171fde7eb69b6152d3d2f743ef269 upstream.
+
+rio_add_net() calls device_register() and fails when device_register()
+fails. Thus, put_device() should be used rather than kfree(). Add
+"mport->net = NULL;" to avoid a use after free issue.
+
+Link: https://lkml.kernel.org/r/20250227073409.3696854-1-haoxiang_li2024@163.com
+Fixes: e8de370188d0 ("rapidio: add mport char device driver")
+Signed-off-by: Haoxiang Li
+Reviewed-by: Dan Carpenter
+Cc: Alexandre Bounine
+Cc: Matt Porter
+Cc: Yang Yingliang
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rapidio/devices/rio_mport_cdev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -1743,7 +1743,8 @@ static int rio_mport_add_riodev(struct m
+ err = rio_add_net(net);
+ if (err) {
+ rmcd_debug(RDEV, "failed to register net, err=%d", err);
+- kfree(net);
++ put_device(&net->dev);
++ mport->net = NULL;
+ goto cleanup;
+ }
+ }
diff --git a/queue-5.4/series b/queue-5.4/series
index 341382d1ad..985f6658bf 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -284,3 +284,8 @@ platform-x86-thinkpad_acpi-add-battery-quirk-for-thinkpad-x131e.patch
 x86-cacheinfo-validate-cpuid-leaf-0x2-edx-output.patch
 x86-cpu-validate-cpuid-leaf-0x2-edx-output.patch
 x86-cpu-properly-parse-cpuid-leaf-0x2-tlb-descriptor-0x63.patch
+wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch
+wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch
+rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch
+rapidio-fix-an-api-misues-when-rio_add_net-fails.patch
+mm-page_alloc-fix-uninitialized-variable.patch
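Review bot: Replacing `kfree(net)` with `put_device(&net->dev)` is only a correct teardown if `net->dev.release` was assigned before `rio_add_net(net)` ran, and that assignment is not visible in this hunk; if the 5.4 code path registers the device without a release callback the reference drop would not free the allocation, so the lines above the hunk are worth checking when applying this to the older tree. The added `mport->net = NULL;` also changes what the `cleanup` label observes, and that label is outside the hunk as well. A comment on the two new lines, `/* device_register() owns the ref now: drop it and clear mport->net so cleanup cannot touch a freed net */`, would keep the reasoning that currently lives only in the commit message next to the code. rio_mport_add_riodev() starts and ends outside the hunk.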
diff --git a/queue-5.4/wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch b/queue-5.4/wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch
new file mode 100644
index 0000000000..ec33d9cd34
--- /dev/null
+++ b/queue-5.4/wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch
@@ -0,0 +1,90 @@
+From 59b348be7597c4a9903cb003c69e37df20c04a30 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich
+Date: Fri, 28 Feb 2025 16:46:57 +0300
+Subject: wifi: cfg80211: regulatory: improve invalid hints checking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nikita Zhandarovich
+
+commit 59b348be7597c4a9903cb003c69e37df20c04a30 upstream.
+
+Syzbot keeps reporting an issue [1] that occurs when erroneous symbols
+sent from userspace get through into user_alpha2[] via
+regulatory_hint_user() call. Such invalid regulatory hints should be
+rejected.
+
+While a sanity check from commit 47caf685a685 ("cfg80211: regulatory:
+reject invalid hints") looks to be enough to deter these very cases,
+there is a way to get around it due to 2 reasons.
+
+1) The way isalpha() works, symbols other than latin lower and
+upper letters may be used to determine a country/domain.
+For instance, greek letters will also be considered upper/lower
+letters and for such characters isalpha() will return true as well.
+However, ISO-3166-1 alpha2 codes should only hold latin
+characters.
+
+2) While processing a user regulatory request, between
+reg_process_hint_user() and regulatory_hint_user() there happens to
+be a call to queue_regulatory_request() which modifies letters in
+request->alpha2[] with toupper(). This works fine for latin symbols,
+less so for weird letter characters from the second part of _ctype[].
+
+Syzbot triggers a warning in is_user_regdom_saved() by first sending
+over an unexpected non-latin letter that gets malformed by toupper()
+into a character that ends up failing isalpha() check.
+
+Prevent this by enhancing is_an_alpha2() to ensure that incoming
+symbols are latin letters and nothing else.
+
+[1] Syzbot report:
+------------[ cut here ]------------
+Unexpected user alpha2: A�
+WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline]
+WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline]
+WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516
+Modules linked in:
+CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Workqueue: events_power_efficient crda_timeout_work
+RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline]
+RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline]
+RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516
+...
+Call Trace:
+
+ crda_timeout_work+0x27/0x50 net/wireless/reg.c:542
+ process_one_work kernel/workqueue.c:3229 [inline]
+ process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
+ worker_thread+0x870/0xd30 kernel/workqueue.c:3391
+ kthread+0x2f2/0x390 kernel/kthread.c:389
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+
+Reported-by: syzbot+e10709ac3c44f3d4e800@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e10709ac3c44f3d4e800
+Fixes: 09d989d179d0 ("cfg80211: add regulatory hint disconnect support")
+Cc: stable@kernel.org
+Signed-off-by: Nikita Zhandarovich
+Link: https://patch.msgid.link/20250228134659.1577656-1-n.zhandarovich@fintech.ru
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/reg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -385,7 +385,8 @@ static bool is_an_alpha2(const char *alp
+ {
+ if (!alpha2)
+ return false;
+- return isalpha(alpha2[0]) && isalpha(alpha2[1]);
++ return isascii(alpha2[0]) && isalpha(alpha2[0]) &&
++ isascii(alpha2[1]) && isalpha(alpha2[1]);
+ }
+
+ static bool alpha2_equal(const char *alpha2_x, const char *alpha2_y)
diff --git a/queue-5.4/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch b/queue-5.4/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch
new file mode 100644
index 0000000000..7e3841305c
--- /dev/null
+++ b/queue-5.4/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch
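Review bot: The new return expression spells the `isascii(c) && isalpha(c)` test out twice, once per byte, and nothing in the function says why the extra isascii() guard is there; the reason given in the commit message (isalpha() also accepts non-ASCII letters from the upper half of _ctype[] that toupper() later mangles in queue_regulatory_request()) belongs in the code as a comment, e.g. `/* isalpha() alone also accepts non-ASCII letters; alpha2 must be latin only */`. A tiny helper would remove the duplication and name the intent, `static bool is_latin_letter(char c) { return isascii(c) && isalpha(c); }` followed by `return is_latin_letter(alpha2[0]) && is_latin_letter(alpha2[1]);`. Since this input arrives from userspace via regulatory_hint_user() per the commit message, narrowing the accepted range to ASCII is the right direction; the function's signature appears only in the hunk header, so the declaration line itself is outside the hunk.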
@@ -0,0 +1,48 @@
+From 49f27f29446a5bfe633dd2cc0cfebd48a1a5e77f Mon Sep 17 00:00:00 2001
+From: Vitaliy Shevtsov
+Date: Fri, 31 Jan 2025 20:26:55 +0500
+Subject: wifi: nl80211: reject cooked mode if it is set along with other flags
+
+From: Vitaliy Shevtsov
+
+commit 49f27f29446a5bfe633dd2cc0cfebd48a1a5e77f upstream.
+
+It is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE
+flags simultaneously on the same monitor interface from the userspace. This
+causes a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit
+set because the monitor interface is in the cooked state and it takes
+precedence over all other states. When the interface is then being deleted
+the kernel calls WARN_ONCE() from check_sdata_in_driver() because of missing
+that bit.
+
+Fix this by rejecting MONITOR_FLAG_COOK_FRAMES if it is set along with
+other flags.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 66f7ac50ed7c ("nl80211: Add monitor interface configuration flags")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+2e5c1e55b9e5c28a3da7@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2e5c1e55b9e5c28a3da7
+Signed-off-by: Vitaliy Shevtsov
+Link: https://patch.msgid.link/20250131152657.5606-1-v.shevtsov@mt-integration.ru
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/nl80211.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3409,6 +3409,11 @@ static int parse_monitor_flags(struct nl
+ if (flags[flag])
+ *mntrflags |= (1<