From: Greg Kroah-Hartman Date: Sat, 5 Feb 2022 13:36:30 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v5.10.98~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2c456f019af6864bd2cd404615c4c7bfc1d561b5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch block-bio-integrity-advance-seed-correctly-for-larger-interval-sizes.patch drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch --- diff --git a/queue-4.14/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch b/queue-4.14/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch new file mode 100644 index 00000000000..cab52d712ae --- /dev/null +++ b/queue-4.14/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch @@ -0,0 +1,54 @@ +From 817f7c9335ec01e0f5e8caffc4f1dcd5e458a4c0 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 24 Jan 2022 15:32:51 +0000 +Subject: ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() + +From: Mark Brown + +commit 817f7c9335ec01e0f5e8caffc4f1dcd5e458a4c0 upstream. + +We don't currently validate that the values being set are within the range +we advertised to userspace as being valid, do so and reject any values +that are out of range. + +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220124153253.3548853-2-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-ops.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -327,13 +327,27 @@ int snd_soc_put_volsw(struct snd_kcontro + if (sign_bit) + mask = BIT(sign_bit + 1) - 1; + +- val = ((ucontrol->value.integer.value[0] + min) & mask); ++ val = ucontrol->value.integer.value[0]; ++ if (mc->platform_max && val > mc->platform_max) ++ return -EINVAL; ++ if (val > max - min) ++ return -EINVAL; ++ if (val < 0) ++ return -EINVAL; ++ val = (val + min) & mask; + if (invert) + val = max - val; + val_mask = mask << shift; + val = val << shift; + if (snd_soc_volsw_is_stereo(mc)) { +- val2 = ((ucontrol->value.integer.value[1] + min) & mask); ++ val2 = ucontrol->value.integer.value[1]; ++ if (mc->platform_max && val2 > mc->platform_max) ++ return -EINVAL; ++ if (val2 > max - min) ++ return -EINVAL; ++ if (val2 < 0) ++ return -EINVAL; ++ val2 = (val2 + min) & mask; + if (invert) + val2 = max - val2; + if (reg == reg2) { diff --git a/queue-4.14/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch b/queue-4.14/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch new file mode 100644 index 00000000000..07b72acdae6 --- /dev/null +++ b/queue-4.14/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch @@ -0,0 +1,41 @@ +From 4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 24 Jan 2022 15:32:52 +0000 +Subject: ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx() + +From: Mark Brown + +commit 4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e upstream. + +We don't currently validate that the values being set are within the range +we advertised to userspace as being valid, do so and reject any values +that are out of range. + +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220124153253.3548853-3-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-ops.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -441,8 +441,15 @@ int snd_soc_put_volsw_sx(struct snd_kcon + int err = 0; + unsigned int val, val_mask, val2 = 0; + ++ val = ucontrol->value.integer.value[0]; ++ if (mc->platform_max && val > mc->platform_max) ++ return -EINVAL; ++ if (val > max - min) ++ return -EINVAL; ++ if (val < 0) ++ return -EINVAL; + val_mask = mask << shift; +- val = (ucontrol->value.integer.value[0] + min) & mask; ++ val = (val + min) & mask; + val = val << shift; + + err = snd_soc_component_update_bits(component, reg, val_mask, val); diff --git a/queue-4.14/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch b/queue-4.14/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch new file mode 100644 index 00000000000..61f7fdf5092 --- /dev/null +++ b/queue-4.14/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch @@ -0,0 +1,33 @@ +From 4cf28e9ae6e2e11a044be1bcbcfa1b0d8675fe4d Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 24 Jan 2022 15:32:53 +0000 +Subject: ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx() + +From: Mark Brown + +commit 4cf28e9ae6e2e11a044be1bcbcfa1b0d8675fe4d upstream. + +We don't currently validate that the values being set are within the range +we advertised to userspace as being valid, do so and reject any values +that are out of range. + +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220124153253.3548853-4-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-ops.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -915,6 +915,8 @@ int snd_soc_put_xr_sx(struct snd_kcontro + unsigned int i, regval, regmask; + int err; + ++ if (val < mc->min || val > mc->max) ++ return -EINVAL; + if (invert) + val = max - val; + val &= mask; diff --git a/queue-4.14/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch b/queue-4.14/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch new file mode 100644 index 00000000000..4eed5031313 --- /dev/null +++ b/queue-4.14/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch @@ -0,0 +1,207 @@ +From f26d04331360d42dbd6b58448bd98e4edbfbe1c5 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Thu, 13 Jan 2022 18:54:38 -0500 +Subject: audit: improve audit queue handling when "audit=1" on cmdline + +From: Paul Moore + +commit f26d04331360d42dbd6b58448bd98e4edbfbe1c5 upstream. + +When an admin enables audit at early boot via the "audit=1" kernel +command line the audit queue behavior is slightly different; the +audit subsystem goes to greater lengths to avoid dropping records, +which unfortunately can result in problems when the audit daemon is +forcibly stopped for an extended period of time. + +This patch makes a number of changes designed to improve the audit +queuing behavior so that leaving the audit daemon in a stopped state +for an extended period does not cause a significant impact to the +system. + +- kauditd_send_queue() is now limited to looping through the + passed queue only once per call. This not only prevents the + function from looping indefinitely when records are returned + to the current queue, it also allows any recovery handling in + kauditd_thread() to take place when kauditd_send_queue() + returns. + +- Transient netlink send errors seen as -EAGAIN now cause the + record to be returned to the retry queue instead of going to + the hold queue. The intention of the hold queue is to store, + perhaps for an extended period of time, the events which led + up to the audit daemon going offline. The retry queue remains + a temporary queue intended to protect against transient issues + between the kernel and the audit daemon. + +- The retry queue is now limited by the audit_backlog_limit + setting, the same as the other queues. This allows admins + to bound the size of all of the audit queues on the system. + +- kauditd_rehold_skb() now returns records to the end of the + hold queue to ensure ordering is preserved in the face of + recent changes to kauditd_send_queue(). + +Cc: stable@vger.kernel.org +Fixes: 5b52330bbfe63 ("audit: fix auditd/kernel connection state tracking") +Fixes: f4b3ee3c85551 ("audit: improve robustness of the audit queue handling") +Reported-by: Gaosheng Cui +Tested-by: Gaosheng Cui +Reviewed-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + kernel/audit.c | 62 +++++++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 43 insertions(+), 19 deletions(-) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -509,20 +509,22 @@ static void kauditd_printk_skb(struct sk + /** + * kauditd_rehold_skb - Handle a audit record send failure in the hold queue + * @skb: audit record ++ * @error: error code (unused) + * + * Description: + * This should only be used by the kauditd_thread when it fails to flush the + * hold queue. + */ +-static void kauditd_rehold_skb(struct sk_buff *skb) ++static void kauditd_rehold_skb(struct sk_buff *skb, __always_unused int error) + { +- /* put the record back in the queue at the same place */ +- skb_queue_head(&audit_hold_queue, skb); ++ /* put the record back in the queue */ ++ skb_queue_tail(&audit_hold_queue, skb); + } + + /** + * kauditd_hold_skb - Queue an audit record, waiting for auditd + * @skb: audit record ++ * @error: error code + * + * Description: + * Queue the audit record, waiting for an instance of auditd. When this +@@ -532,19 +534,31 @@ static void kauditd_rehold_skb(struct sk + * and queue it, if we have room. If we want to hold on to the record, but we + * don't have room, record a record lost message. + */ +-static void kauditd_hold_skb(struct sk_buff *skb) ++static void kauditd_hold_skb(struct sk_buff *skb, int error) + { + /* at this point it is uncertain if we will ever send this to auditd so + * try to send the message via printk before we go any further */ + kauditd_printk_skb(skb); + + /* can we just silently drop the message? */ +- if (!audit_default) { +- kfree_skb(skb); +- return; ++ if (!audit_default) ++ goto drop; ++ ++ /* the hold queue is only for when the daemon goes away completely, ++ * not -EAGAIN failures; if we are in a -EAGAIN state requeue the ++ * record on the retry queue unless it's full, in which case drop it ++ */ ++ if (error == -EAGAIN) { ++ if (!audit_backlog_limit || ++ skb_queue_len(&audit_retry_queue) < audit_backlog_limit) { ++ skb_queue_tail(&audit_retry_queue, skb); ++ return; ++ } ++ audit_log_lost("kauditd retry queue overflow"); ++ goto drop; + } + +- /* if we have room, queue the message */ ++ /* if we have room in the hold queue, queue the message */ + if (!audit_backlog_limit || + skb_queue_len(&audit_hold_queue) < audit_backlog_limit) { + skb_queue_tail(&audit_hold_queue, skb); +@@ -553,24 +567,32 @@ static void kauditd_hold_skb(struct sk_b + + /* we have no other options - drop the message */ + audit_log_lost("kauditd hold queue overflow"); ++drop: + kfree_skb(skb); + } + + /** + * kauditd_retry_skb - Queue an audit record, attempt to send again to auditd + * @skb: audit record ++ * @error: error code (unused) + * + * Description: + * Not as serious as kauditd_hold_skb() as we still have a connected auditd, + * but for some reason we are having problems sending it audit records so + * queue the given record and attempt to resend. + */ +-static void kauditd_retry_skb(struct sk_buff *skb) ++static void kauditd_retry_skb(struct sk_buff *skb, __always_unused int error) + { +- /* NOTE: because records should only live in the retry queue for a +- * short period of time, before either being sent or moved to the hold +- * queue, we don't currently enforce a limit on this queue */ +- skb_queue_tail(&audit_retry_queue, skb); ++ if (!audit_backlog_limit || ++ skb_queue_len(&audit_retry_queue) < audit_backlog_limit) { ++ skb_queue_tail(&audit_retry_queue, skb); ++ return; ++ } ++ ++ /* we have to drop the record, send it via printk as a last effort */ ++ kauditd_printk_skb(skb); ++ audit_log_lost("kauditd retry queue overflow"); ++ kfree_skb(skb); + } + + /** +@@ -608,7 +630,7 @@ static void auditd_reset(const struct au + /* flush the retry queue to the hold queue, but don't touch the main + * queue since we need to process that normally for multicast */ + while ((skb = skb_dequeue(&audit_retry_queue))) +- kauditd_hold_skb(skb); ++ kauditd_hold_skb(skb, -ECONNREFUSED); + } + + /** +@@ -682,16 +704,18 @@ static int kauditd_send_queue(struct soc + struct sk_buff_head *queue, + unsigned int retry_limit, + void (*skb_hook)(struct sk_buff *skb), +- void (*err_hook)(struct sk_buff *skb)) ++ void (*err_hook)(struct sk_buff *skb, int error)) + { + int rc = 0; +- struct sk_buff *skb; ++ struct sk_buff *skb = NULL; ++ struct sk_buff *skb_tail; + unsigned int failed = 0; + + /* NOTE: kauditd_thread takes care of all our locking, we just use + * the netlink info passed to us (e.g. sk and portid) */ + +- while ((skb = skb_dequeue(queue))) { ++ skb_tail = skb_peek_tail(queue); ++ while ((skb != skb_tail) && (skb = skb_dequeue(queue))) { + /* call the skb_hook for each skb we touch */ + if (skb_hook) + (*skb_hook)(skb); +@@ -699,7 +723,7 @@ static int kauditd_send_queue(struct soc + /* can we send to anyone via unicast? */ + if (!sk) { + if (err_hook) +- (*err_hook)(skb); ++ (*err_hook)(skb, -ECONNREFUSED); + continue; + } + +@@ -713,7 +737,7 @@ retry: + rc == -ECONNREFUSED || rc == -EPERM) { + sk = NULL; + if (err_hook) +- (*err_hook)(skb); ++ (*err_hook)(skb, rc); + if (rc == -EAGAIN) + rc = 0; + /* continue to drain the queue */ diff --git a/queue-4.14/block-bio-integrity-advance-seed-correctly-for-larger-interval-sizes.patch b/queue-4.14/block-bio-integrity-advance-seed-correctly-for-larger-interval-sizes.patch new file mode 100644 index 00000000000..f50452c14bc --- /dev/null +++ b/queue-4.14/block-bio-integrity-advance-seed-correctly-for-larger-interval-sizes.patch @@ -0,0 +1,43 @@ +From b13e0c71856817fca67159b11abac350e41289f5 Mon Sep 17 00:00:00 2001 +From: "Martin K. Petersen" +Date: Thu, 3 Feb 2022 22:42:09 -0500 +Subject: block: bio-integrity: Advance seed correctly for larger interval sizes + +From: Martin K. Petersen + +commit b13e0c71856817fca67159b11abac350e41289f5 upstream. + +Commit 309a62fa3a9e ("bio-integrity: bio_integrity_advance must update +integrity seed") added code to update the integrity seed value when +advancing a bio. However, it failed to take into account that the +integrity interval might be larger than the 512-byte block layer +sector size. This broke bio splitting on PI devices with 4KB logical +blocks. + +The seed value should be advanced by bio_integrity_intervals() and not +the number of sectors. + +Cc: Dmitry Monakhov +Cc: stable@vger.kernel.org +Fixes: 309a62fa3a9e ("bio-integrity: bio_integrity_advance must update integrity seed") +Tested-by: Dmitry Ivanov +Reported-by: Alexey Lyashkov +Signed-off-by: Martin K. Petersen +Link: https://lore.kernel.org/r/20220204034209.4193-1-martin.petersen@oracle.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/bio-integrity.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/bio-integrity.c ++++ b/block/bio-integrity.c +@@ -417,7 +417,7 @@ void bio_integrity_advance(struct bio *b + struct blk_integrity *bi = blk_get_integrity(bio->bi_disk); + unsigned bytes = bio_integrity_bytes(bi, bytes_done >> 9); + +- bip->bip_iter.bi_sector += bytes_done >> 9; ++ bip->bip_iter.bi_sector += bio_integrity_intervals(bi, bytes_done >> 9); + bvec_iter_advance(bip->bip_vec, &bip->bip_iter, bytes); + } + EXPORT_SYMBOL(bio_integrity_advance); diff --git a/queue-4.14/drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch b/queue-4.14/drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch new file mode 100644 index 00000000000..7c0f03776fc --- /dev/null +++ b/queue-4.14/drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch @@ -0,0 +1,42 @@ +From 1b777d4d9e383d2744fc9b3a09af6ec1893c8b1a Mon Sep 17 00:00:00 2001 +From: Nick Lopez +Date: Sat, 22 Jan 2022 01:19:06 -0700 +Subject: drm/nouveau: fix off by one in BIOS boundary checking + +From: Nick Lopez + +commit 1b777d4d9e383d2744fc9b3a09af6ec1893c8b1a upstream. + +Bounds checking when parsing init scripts embedded in the BIOS reject +access to the last byte. This causes driver initialization to fail on +Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working +console. + +This is probably only seen on OpenFirmware machines like PowerPC Macs +because the BIOS image provided by OF is only the used parts of the ROM, +not a power-of-two blocks read from PCI directly so PCs always have +empty bytes at the end that are never accessed. + +Signed-off-by: Nick Lopez +Fixes: 4d4e9907ff572 ("drm/nouveau/bios: guard against out-of-bounds accesses to image") +Cc: # v4.10+ +Reviewed-by: Ilia Mirkin +Reviewed-by: Karol Herbst +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/20220122081906.2633061-1-github@glowingmonkey.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c +@@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 + *addr += bios->imaged_addr; + } + +- if (unlikely(*addr + size >= bios->size)) { ++ if (unlikely(*addr + size > bios->size)) { + nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr); + return false; + } diff --git a/queue-4.14/series b/queue-4.14/series index 0eb8a56cc35..9232690a9b5 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -43,3 +43,9 @@ net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch net-amd-xgbe-fix-skb-data-length-underflow.patch rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch +audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch +asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch +asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch +asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch +drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch +block-bio-integrity-advance-seed-correctly-for-larger-interval-sizes.patch