From: Greg Kroah-Hartman Date: Fri, 20 Jun 2025 05:45:57 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.4.295~177 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0a2691e48cd7cf6706dabadf240e31eef0e4e47a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch gfs2-move-msleep-to-sleepable-context.patch wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch
---
diff --git a/queue-5.4/configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch b/queue-5.4/configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch
new file mode 100644
index 0000000000..b93e0a4844
--- /dev/null
+++ b/queue-5.4/configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch
@@ -0,0 +1,39 @@
+From f830edbae247b89228c3e09294151b21e0dc849c Mon Sep 17 00:00:00 2001
+From: Zijun Hu
+Date: Wed, 7 May 2025 19:50:26 +0800
+Subject: configfs: Do not override creating attribute file failure in populate_attrs()
+
+From: Zijun Hu
+
+commit f830edbae247b89228c3e09294151b21e0dc849c upstream.
+
+populate_attrs() may override failure for creating attribute files
+by success for creating subsequent bin attribute files, and have
+wrong return value.
+
+Fix by creating bin attribute files under successfully creating
+attribute files.
+
+Fixes: 03607ace807b ("configfs: implement binary attributes")
+Cc: stable@vger.kernel.org
+Reviewed-by: Joel Becker
+Reviewed-by: Breno Leitao
+Signed-off-by: Zijun Hu
+Link: https://lore.kernel.org/r/20250507-fix_configfs-v3-2-fe2d96de8dc4@quicinc.com
+Signed-off-by: Andreas Hindborg
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/configfs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -619,7 +619,7 @@ static int populate_attrs(struct config_
+ break;
+ }
+ }
+- if (t->ct_bin_attrs) {
++ if (!error && t->ct_bin_attrs) {
+ for (i = 0; (bin_attr = t->ct_bin_attrs[i]) != NULL; i++) {
+ error = configfs_create_bin_file(item, bin_attr);
+ if (error)
diff --git a/queue-5.4/gfs2-move-msleep-to-sleepable-context.patch b/queue-5.4/gfs2-move-msleep-to-sleepable-context.patch
new file mode 100644
index 0000000000..de9764358c
--- /dev/null
+++ b/queue-5.4/gfs2-move-msleep-to-sleepable-context.patch
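Review bot: The new guard `if (!error && t->ct_bin_attrs)` has no comment saying why binary attributes are skipped instead of being created independently, and a later cleanup could easily "simplify" it back. A one-liner above it would pin the intent: `/* a failed ct_attrs file must not be masked by a later bin-attr success */`. With the guard, `error` keeps the first failure and is presumably what populate_attrs() returns, but the function starts and ends outside this hunk so that return is not visible here.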
@@ -0,0 +1,42 @@
+From ac5ee087d31ed93b6e45d2968a66828c6f621d8c Mon Sep 17 00:00:00 2001
+From: Alexander Aring
+Date: Mon, 31 Mar 2025 19:03:24 -0400
+Subject: gfs2: move msleep to sleepable context
+
+From: Alexander Aring
+
+commit ac5ee087d31ed93b6e45d2968a66828c6f621d8c upstream.
+
+This patch moves the msleep_interruptible() out of the non-sleepable
+context by moving the ls->ls_recover_spin spinlock around so
+msleep_interruptible() will be called in a sleepable context.
+
+Cc: stable@vger.kernel.org
+Fixes: 4a7727725dc7 ("GFS2: Fix recovery issues for spectators")
+Suggested-by: Andreas Gruenbacher
+Signed-off-by: Alexander Aring
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/gfs2/lock_dlm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/gfs2/lock_dlm.c
++++ b/fs/gfs2/lock_dlm.c
+@@ -905,14 +905,15 @@ locks_done:
+ if (sdp->sd_args.ar_spectator) {
+ fs_info(sdp, "Recovery is required. Waiting for a "
+ "non-spectator to mount.\n");
++ spin_unlock(&ls->ls_recover_spin);
+ msleep_interruptible(1000);
+ } else {
+ fs_info(sdp, "control_mount wait1 block %u start %u "
+ "mount %u lvb %u flags %lx\n", block_gen,
+ start_gen, mount_gen, lvb_gen,
+ ls->ls_recover_flags);
++ spin_unlock(&ls->ls_recover_spin);
+ }
+- spin_unlock(&ls->ls_recover_spin);
+ goto restart;
+ }
+
diff --git a/queue-5.4/series b/queue-5.4/series
index d5b1760f1b..eeb64e06c1 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -99,3 +99,6 @@ usb-flush-altsetting-0-endpoints-before-reinitializating-them-after-reset.patch
 xen-arm-call-uaccess_ttbr0_enable-for-dm_op-hypercall.patch
 calipso-unlock-rcu-before-returning-eafnosupport.patch
 net-usb-aqc111-debug-info-before-sanitation.patch
+configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch
+gfs2-move-msleep-to-sleepable-context.patch
+wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch
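Review bot: The duplicated `spin_unlock(&ls->ls_recover_spin)` in both branches is correct but looks like an oversight without a comment: the spectator branch must drop the lock before `msleep_interruptible(1000)`, while the else branch reads `ls->ls_recover_flags` inside the fs_info() argument list and so must stay locked until that call returns. A note on the first unlock would stop a future cleanup from hoisting it above the if/else: `/* drop the lock before sleeping; the else branch still reads ls_recover_flags under it */`. `goto restart` presumably re-acquires ls_recover_spin, but the restart label and the enclosing function lie outside this hunk.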
diff --git a/queue-5.4/wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch b/queue-5.4/wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch
new file mode 100644
index 0000000000..bb11e8a7b2
--- /dev/null
+++ b/queue-5.4/wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch
@@ -0,0 +1,114 @@
+From da1b9a55ff116cb040528ef664c70a4eec03ae99 Mon Sep 17 00:00:00 2001
+From: Christian Lamparter
+Date: Fri, 16 May 2025 20:41:06 +0200
+Subject: wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()
+
+From: Christian Lamparter
+
+commit da1b9a55ff116cb040528ef664c70a4eec03ae99 upstream.
+
+Robert Morris reported:
+
+|If a malicious USB device pretends to be an Intersil p54 wifi
+|interface and generates an eeprom_readback message with a large
+|eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the
+|message beyond the end of priv->eeprom.
+|
+|static void p54_rx_eeprom_readback(struct p54_common *priv,
+| struct sk_buff *skb)
+|{
+| struct p54_hdr *hdr = (struct p54_hdr *) skb->data;
+| struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data;
+|
+| if (priv->fw_var >= 0x509) {
+| memcpy(priv->eeprom, eeprom->v2.data,
+| le16_to_cpu(eeprom->v2.len));
+| } else {
+| memcpy(priv->eeprom, eeprom->v1.data,
+| le16_to_cpu(eeprom->v1.len));
+| }
+| [...]
+
+The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom().
+The device is supposed to provide the same length back to the driver.
+But yes, it's possible (like shown in the report) to alter the value
+to something that causes a crash/panic due to overrun.
+
+This patch addresses the issue by adding the size to the common device
+context, so p54_rx_eeprom_readback no longer relies on possibly tampered
+values... That said, it also checks if the "firmware" altered the value
+and no longer copies them.
+
+The one, small saving grace is: Before the driver tries to read the eeprom,
+it needs to upload >a< firmware. the vendor firmware has a proprietary
+license and as a reason, it is not present on most distributions by
+default.
+
+Cc:
+Reported-by: Robert Morris
+Closes: https://lore.kernel.org/linux-wireless/28782.1747258414@localhost/
+Fixes: 7cb770729ba8 ("p54: move eeprom code into common library")
+Signed-off-by: Christian Lamparter
+Link: https://patch.msgid.link/20250516184107.47794-1-chunkeey@gmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intersil/p54/fwio.c | 2 ++
+ drivers/net/wireless/intersil/p54/p54.h | 1 +
+ drivers/net/wireless/intersil/p54/txrx.c | 13 +++++++++----
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/intersil/p54/fwio.c
++++ b/drivers/net/wireless/intersil/p54/fwio.c
+@@ -233,6 +233,7 @@ int p54_download_eeprom(struct p54_commo
+
+ mutex_lock(&priv->eeprom_mutex);
+ priv->eeprom = buf;
++ priv->eeprom_slice_size = len;
+ eeprom_hdr = skb_put(skb, eeprom_hdr_size + len);
+
+ if (priv->fw_var < 0x509) {
+@@ -255,6 +256,7 @@ int p54_download_eeprom(struct p54_commo
+ ret = -EBUSY;
+ }
+ priv->eeprom = NULL;
++ priv->eeprom_slice_size = 0;
+ mutex_unlock(&priv->eeprom_mutex);
+ return ret;
+ }
+--- a/drivers/net/wireless/intersil/p54/p54.h
++++ b/drivers/net/wireless/intersil/p54/p54.h
+@@ -258,6 +258,7 @@ struct p54_common {
+
+ /* eeprom handling */
+ void *eeprom;
++ size_t eeprom_slice_size;
+ struct completion eeprom_comp;
+ struct mutex eeprom_mutex;
+ };
+--- a/drivers/net/wireless/intersil/p54/txrx.c
++++ b/drivers/net/wireless/intersil/p54/txrx.c
+@@ -500,14 +500,19 @@ static void p54_rx_eeprom_readback(struc
+ return ;
+
+ if (priv->fw_var >= 0x509) {
+- memcpy(priv->eeprom, eeprom->v2.data,
+- le16_to_cpu(eeprom->v2.len));
++ if (le16_to_cpu(eeprom->v2.len) != priv->eeprom_slice_size)
++ return;
++
++ memcpy(priv->eeprom, eeprom->v2.data, priv->eeprom_slice_size);
+ } else {
+- memcpy(priv->eeprom, eeprom->v1.data,
+- le16_to_cpu(eeprom->v1.len));
++ if (le16_to_cpu(eeprom->v1.len) != priv->eeprom_slice_size)
++ return;
++
++ memcpy(priv->eeprom, eeprom->v1.data, priv->eeprom_slice_size);
+ }
+
+ priv->eeprom = NULL;
++ priv->eeprom_slice_size = 0;
+ tmp = p54_find_and_unlink_skb(priv, hdr->req_id);
+ dev_kfree_skb_any(tmp);
+ complete(&priv->eeprom_comp);
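Review bot: The new length check in p54_rx_eeprom_readback() only compares the device-reported `v1.len`/`v2.len` with `priv->eeprom_slice_size`; nothing in this hunk confirms the received skb actually carries that many bytes after the header, so a short frame with a correct length field would still be read past the end of the skb data (an over-read of kernel memory rather than the overwrite this patch fixes) unless the generic p54 RX path already validates `hdr->len` against `skb->len` before dispatching, which is outside the hunk and worth confirming. On a mismatch the function returns before `p54_find_and_unlink_skb()` and `complete(&priv->eeprom_comp)`, so the waiter in p54_download_eeprom() presumably falls through to the `ret = -EBUSY` path and nothing is logged; a rate-limited driver warning at that point would make a misbehaving device visible in the logs. The new field in p54.h should also carry a comment, e.g. `size_t eeprom_slice_size; /* length the pending readback must return; 0 when no readback is in flight */`.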