From: Greg Kroah-Hartman Date: Wed, 15 May 2024 07:40:50 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.19.314~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d82af00f7eebd55d08f98d7c2231fa2a25e6831;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: keys-fix-overwrite-of-key-expiration-on-instantiation.patch md-fix-kmemleak-of-rdev-serial.patch
---
diff --git a/queue-5.15/keys-fix-overwrite-of-key-expiration-on-instantiation.patch b/queue-5.15/keys-fix-overwrite-of-key-expiration-on-instantiation.patch
new file mode 100644
index 00000000000..35b558d1646
--- /dev/null
+++ b/queue-5.15/keys-fix-overwrite-of-key-expiration-on-instantiation.patch
@@ -0,0 +1,44 @@
+From 9da27fb65a14c18efd4473e2e82b76b53ba60252 Mon Sep 17 00:00:00 2001
+From: Silvio Gissi
+Date: Fri, 15 Mar 2024 15:05:39 -0400
+Subject: keys: Fix overwrite of key expiration on instantiation
+
+From: Silvio Gissi
+
+commit 9da27fb65a14c18efd4473e2e82b76b53ba60252 upstream.
+
+The expiry time of a key is unconditionally overwritten during
+instantiation, defaulting to turn it permanent. This causes a problem
+for DNS resolution as the expiration set by user-space is overwritten to
+TIME64_MAX, disabling further DNS updates. Fix this by restoring the
+condition that key_set_expiry is only called when the pre-parser sets a
+specific expiry.
+
+Fixes: 39299bdd2546 ("keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry")
+Signed-off-by: Silvio Gissi
+cc: David Howells
+cc: Hazem Mohamed Abuelfotoh
+cc: linux-afs@lists.infradead.org
+cc: linux-cifs@vger.kernel.org
+cc: keyrings@vger.kernel.org
+cc: netdev@vger.kernel.org
+cc: stable@vger.kernel.org
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/keys/key.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -464,7 +464,8 @@ static int __key_instantiate_and_link(st
+ if (authkey)
+ key_invalidate(authkey);
+
+- key_set_expiry(key, prep->expiry);
++ if (prep->expiry != TIME64_MAX)
++ key_set_expiry(key, prep->expiry);
+ }
+ }
+
diff --git a/queue-5.15/md-fix-kmemleak-of-rdev-serial.patch b/queue-5.15/md-fix-kmemleak-of-rdev-serial.patch
new file mode 100644
index 00000000000..af0dc80c6d9
--- /dev/null
+++ b/queue-5.15/md-fix-kmemleak-of-rdev-serial.patch
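Review bot: The restored guard in __key_instantiate_and_link() uses `TIME64_MAX` as an unstated sentinel for "the pre-parser set no expiry", and nothing at the call site says so, which is how the condition came to be dropped before. I would add a comment above the `if`, for example `/* TIME64_MAX: preparse set no expiry; keep the expiry already on the key */`. Per the commit description, losing this check made an expiry set from user space permanent and stopped further DNS updates, so a stale resolver record would stay cached. That TIME64_MAX is the default carried in `prep->expiry` is inferred from the description, not visible in the hunk, and the function body starts and ends outside it.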
@@ -0,0 +1,55 @@
+From 6cf350658736681b9d6b0b6e58c5c76b235bb4c4 Mon Sep 17 00:00:00 2001
+From: Li Nan
+Date: Thu, 8 Feb 2024 16:55:56 +0800
+Subject: md: fix kmemleak of rdev->serial
+
+From: Li Nan
+
+commit 6cf350658736681b9d6b0b6e58c5c76b235bb4c4 upstream.
+
+If kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be
+alloc not be freed, and kmemleak occurs.
+
+unreferenced object 0xffff88815a350000 (size 49152):
+ comm "mdadm", pid 789, jiffies 4294716910
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc f773277a):
+ [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0
+ [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270
+ [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f
+ [<00000000f206d60a>] kvmalloc_node+0x74/0x150
+ [<0000000034bf3363>] rdev_init_serial+0x67/0x170
+ [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220
+ [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630
+ [<0000000073c28560>] md_add_new_disk+0x400/0x9f0
+ [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10
+ [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0
+ [<0000000085086a11>] vfs_ioctl+0x22/0x60
+ [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0
+ [<00000000e54e675e>] do_syscall_64+0x71/0x150
+ [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74
+
+Fixes: 963c555e75b0 ("md: introduce mddev_create/destroy_wb_pool for the change of member device")
+Signed-off-by: Li Nan
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20240208085556.2412922-1-linan666@huaweicloud.com
+[ mddev_destroy_serial_pool third parameter was removed in mainline,
+ where there is no need to suspend within this function anymore.
]
+Signed-off-by: Jeremy Bongio
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/md.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -2526,6 +2526,7 @@ static int bind_rdev_to_array(struct md_
+ fail:
+ pr_warn("md: failed to register dev-%s for %s\n",
+ b, mdname(mddev));
++ mddev_destroy_serial_pool(mddev, rdev, false);
+ return err;
+ }
+
diff --git a/queue-5.15/series b/queue-5.15/series
index c5c06491a00..b42b7d54713 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -166,3 +166,5 @@ regulator-core-fix-debugfs-creation-regression.patch
 bluetooth-qca-add-missing-firmware-sanity-checks.patch
 bluetooth-qca-fix-nvm-configuration-parsing.patch
 bluetooth-qca-fix-firmware-check-error-path.patch
+keys-fix-overwrite-of-key-expiration-on-instantiation.patch
+md-fix-kmemleak-of-rdev-serial.patch
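Review bot: The cleanup call added under `fail:` in bind_rdev_to_array() runs on every jump to that label, and the hunk does not show whether each `goto fail` comes after mddev_create_serial_pool(), so it is worth confirming that mddev_destroy_serial_pool() does nothing when no serial pool was allocated for this rdev. The bare `false` is also unexplained at the call; the bracketed backport note ties that parameter to suspending and says mainline removed it, so its meaning should be stated against this tree's prototype, which is not visible here. I would add `/* undo mddev_create_serial_pool() so rdev->serial is not leaked on this error path */` above the call. The function starts outside the hunk.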