From: Greg Kroah-Hartman
Date: Mon, 7 Nov 2022 08:59:55 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.9.333~64
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=503201545fdeac9bb336f81ec6d15e5f5ef5343d;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
block-bfq-protect-bfqd-queued-by-bfqd-lock.patch
bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch
---

diff --git a/queue-5.4/block-bfq-protect-bfqd-queued-by-bfqd-lock.patch b/queue-5.4/block-bfq-protect-bfqd-queued-by-bfqd-lock.patch
new file mode 100644
index 00000000000..6a5ef6579d8
--- /dev/null
+++ b/queue-5.4/block-bfq-protect-bfqd-queued-by-bfqd-lock.patch
@@ -0,0 +1,47 @@
+From 181490d5321806e537dc5386db5ea640b826bf78 Mon Sep 17 00:00:00 2001
+From: Yu Kuai
+Date: Fri, 13 May 2022 10:35:06 +0800
+Subject: block, bfq: protect 'bfqd->queued' by 'bfqd->lock'
+
+From: Yu Kuai
+
+commit 181490d5321806e537dc5386db5ea640b826bf78 upstream.
+
+If bfq_schedule_dispatch() is called from bfq_idle_slice_timer_body(),
+then 'bfqd->queued' is read without holding 'bfqd->lock'. This is
+wrong since it can be wrote concurrently.
+
+Fix the problem by holding 'bfqd->lock' in such case.
+
+Signed-off-by: Yu Kuai
+Reviewed-by: Jan Kara
+Reviewed-by: Chaitanya Kulkarni
+Link: https://lore.kernel.org/r/20220513023507.2625717-2-yukuai3@huawei.com
+Signed-off-by: Jens Axboe
+Cc: Khazhy Kumykov
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/bfq-iosched.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -420,6 +420,8 @@ static struct bfq_io_cq *bfq_bic_lookup(
+ */
+ void bfq_schedule_dispatch(struct bfq_data *bfqd)
+ {
++ lockdep_assert_held(&bfqd->lock);
++
+ if (bfqd->queued != 0) {
+ bfq_log(bfqd, "schedule dispatch");
+ blk_mq_run_hw_queues(bfqd->queue, true);
+@@ -6257,8 +6259,8 @@ bfq_idle_slice_timer_body(struct bfq_dat
+ bfq_bfqq_expire(bfqd, bfqq, true, reason);
+
+ schedule_dispatch:
+- spin_unlock_irqrestore(&bfqd->lock, flags);
+ bfq_schedule_dispatch(bfqd);
++ spin_unlock_irqrestore(&bfqd->lock, flags);
+ }
+
+ /*
diff --git a/queue-5.4/bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch b/queue-5.4/bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch
new file mode 100644
index 00000000000..7a971b2e0b4
--- /dev/null
+++ b/queue-5.4/bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch
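Review bot: The new `lockdep_assert_held(&bfqd->lock);` at the top of bfq_schedule_dispatch() makes the locking rule a runtime check for every caller, yet the hunk only corrects the bfq_idle_slice_timer_body() call site, so a 5.4 backport should confirm that each remaining caller of bfq_schedule_dispatch() in block/bfq-iosched.c already holds bfqd->lock, otherwise the assert will fire in a tree that differs from the one the patch was written against. Keeping the lock across `blk_mq_run_hw_queues(bfqd->queue, true)` is presumably fine because the second argument requests an asynchronous run, but the patch does not state that reasoning; a one-line comment such as `/* async run request: safe to call with bfqd->lock held */` above the call would spare the next reader the same analysis. The closing brace of bfq_schedule_dispatch() and the opening of bfq_idle_slice_timer_body() both lie outside the hunk.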
@@ -0,0 +1,37 @@
+From b1a2cd50c0357f243b7435a732b4e62ba3157a2e Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Mon, 31 Oct 2022 16:10:52 -0700
+Subject: Bluetooth: L2CAP: Fix attempting to access uninitialized memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luiz Augusto von Dentz
+
+commit b1a2cd50c0357f243b7435a732b4e62ba3157a2e upstream.
+
+On l2cap_parse_conf_req the variable efs is only initialized if
+remote_efs has been set.
+
+CVE: CVE-2022-42895
+CC: stable@vger.kernel.org
+Reported-by: Tamás Koczka
+Signed-off-by: Luiz Augusto von Dentz
+Reviewed-by: Tedd Ho-Jeong An
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3560,7 +3560,8 @@ done:
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
+
+- if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
++ if (remote_efs &&
++ test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
+ chan->remote_id = efs.id;
+ chan->remote_stype = efs.stype;
+ chan->remote_msdu = le16_to_cpu(efs.msdu);
diff --git a/queue-5.4/series b/queue-5.4/series
index b41f8545768..adc0e4139ed 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -40,3 +40,5 @@ xfs-gut-error-handling-in-xfs_trans_unreserve_and_mod_sb.patch
 xfs-group-quota-should-return-edquot-when-prj-quota-enabled.patch
 xfs-don-t-fail-unwritten-extent-conversion-on-writeback-due-to-edquot.patch
 xfs-add-the-missed-xfs_perag_put-for-xfs_ifree_cluster.patch
+bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch
+block-bfq-protect-bfqd-queued-by-bfqd-lock.patch
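Review bot: The added `remote_efs &&` guard is the whole fix for CVE-2022-42895: without it the stack-local `efs` is copied into chan->remote_id, chan->remote_stype and chan->remote_msdu even when the peer's configuration request carried no EFS option, so uninitialized kernel stack bytes end up in channel state. The guard is only as strong as the invariant that `remote_efs` is zero on entry to l2cap_parse_conf_req() and is set solely by the EFS option parser; both of those sit outside this hunk and should be checked in the 5.4 tree before the backport is queued. As defense in depth, if the variable is still declared as a plain `struct l2cap_conf_efs efs;`, zero-initialising it (`struct l2cap_conf_efs efs = {0};`) would make any future missed guard copy zeros rather than stale stack contents. The if-block continues past the end of the hunk.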