From: Greg Kroah-Hartman Date: Sun, 16 Oct 2022 12:31:20 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.4.219~130 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b32dc11a2794ae516c686179d7d10969e068e2dd;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: btrfs-fix-race-between-quota-enable-and-quota-rescan-ioctl.patch btrfs-set-generation-before-calling-btrfs_clean_tree_block-in-btrfs_init_new_buffer.patch fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch fs-record-i_dirty_time-even-if-inode-already-has-i_dirty_inode.patch gpio-rockchip-request-gpio-mux-to-pinctrl-when-setting-direction.patch ksmbd-fix-endless-loop-when-encryption-for-response-fails.patch ksmbd-fix-user-namespace-mapping.patch ksmbd-fix-wrong-return-value-and-message-length-check-in-smb2_ioctl.patch pinctrl-rockchip-add-pinmux_ops.gpio_set_direction-callback.patch --- diff --git a/queue-5.15/btrfs-fix-race-between-quota-enable-and-quota-rescan-ioctl.patch b/queue-5.15/btrfs-fix-race-between-quota-enable-and-quota-rescan-ioctl.patch new file mode 100644 index 00000000000..d79e4b90333 --- /dev/null +++ b/queue-5.15/btrfs-fix-race-between-quota-enable-and-quota-rescan-ioctl.patch @@ -0,0 +1,60 @@ +From 331cd9461412e103d07595a10289de90004ac890 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 23 Aug 2022 12:45:42 +0100 +Subject: btrfs: fix race between quota enable and quota rescan ioctl + +From: Filipe Manana + +commit 331cd9461412e103d07595a10289de90004ac890 upstream. + +When enabling quotas, at btrfs_quota_enable(), after committing the +transaction, we change fs_info->quota_root to point to the quota root we +created and set BTRFS_FS_QUOTA_ENABLED at fs_info->flags. Then we try +to start the qgroup rescan worker, first by initializing it with a call +to qgroup_rescan_init() - however if that fails we end up freeing the +quota root but we leave fs_info->quota_root still pointing to it, this +can later result in a use-after-free somewhere else. + +We have previously set the flags BTRFS_FS_QUOTA_ENABLED and +BTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with -EINPROGRESS at +btrfs_quota_enable(), which is possible if someone already called the +quota rescan ioctl, and therefore started the rescan worker. + +So fix this by ignoring an -EINPROGRESS and asserting we can't get any +other error. + +Reported-by: Ye Bin +Link: https://lore.kernel.org/linux-btrfs/20220823015931.421355-1-yebin10@huawei.com/ +CC: stable@vger.kernel.org # 4.19+ +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -1157,6 +1157,21 @@ out_add_root: + fs_info->qgroup_rescan_running = true; + btrfs_queue_work(fs_info->qgroup_rescan_workers, + &fs_info->qgroup_rescan_work); ++ } else { ++ /* ++ * We have set both BTRFS_FS_QUOTA_ENABLED and ++ * BTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with ++ * -EINPROGRESS. That can happen because someone started the ++ * rescan worker by calling quota rescan ioctl before we ++ * attempted to initialize the rescan worker. Failure due to ++ * quotas disabled in the meanwhile is not possible, because ++ * we are holding a write lock on fs_info->subvol_sem, which ++ * is also acquired when disabling quotas. ++ * Ignore such error, and any other error would need to undo ++ * everything we did in the transaction we just committed. ++ */ ++ ASSERT(ret == -EINPROGRESS); ++ ret = 0; + } + + out_free_path: diff --git a/queue-5.15/btrfs-set-generation-before-calling-btrfs_clean_tree_block-in-btrfs_init_new_buffer.patch b/queue-5.15/btrfs-set-generation-before-calling-btrfs_clean_tree_block-in-btrfs_init_new_buffer.patch new file mode 100644 index 00000000000..03f30f3ab51 --- /dev/null +++ b/queue-5.15/btrfs-set-generation-before-calling-btrfs_clean_tree_block-in-btrfs_init_new_buffer.patch @@ -0,0 +1,43 @@ +From cbddcc4fa3443fe8cfb2ff8e210deb1f6a0eea38 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Tue, 20 Sep 2022 22:43:51 +0900 +Subject: btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer + +From: Tetsuo Handa + +commit cbddcc4fa3443fe8cfb2ff8e210deb1f6a0eea38 upstream. + +syzbot is reporting uninit-value in btrfs_clean_tree_block() [1], for +commit bc877d285ca3dba2 ("btrfs: Deduplicate extent_buffer init code") +missed that btrfs_set_header_generation() in btrfs_init_new_buffer() must +not be moved to after clean_tree_block() because clean_tree_block() is +calling btrfs_header_generation() since commit 55c69072d6bd5be1 ("Btrfs: +Fix extent_buffer usage when nodesize != leafsize"). + +Since memzero_extent_buffer() will reset "struct btrfs_header" part, we +can't move btrfs_set_header_generation() to before memzero_extent_buffer(). +Just re-add btrfs_set_header_generation() before btrfs_clean_tree_block(). + +Link: https://syzkaller.appspot.com/bug?extid=fba8e2116a12609b6c59 [1] +Reported-by: syzbot +Fixes: bc877d285ca3dba2 ("btrfs: Deduplicate extent_buffer init code") +CC: stable@vger.kernel.org # 4.19+ +Signed-off-by: Tetsuo Handa +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -4802,6 +4802,9 @@ btrfs_init_new_buffer(struct btrfs_trans + !test_bit(BTRFS_ROOT_RESET_LOCKDEP_CLASS, &root->state)) + lockdep_owner = BTRFS_FS_TREE_OBJECTID; + ++ /* btrfs_clean_tree_block() accesses generation field. */ ++ btrfs_set_header_generation(buf, trans->transid); ++ + /* + * This needs to stay, because we could allocate a freed block from an + * old tree into a new tree, so we need to make sure this new block is diff --git a/queue-5.15/fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch b/queue-5.15/fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch new file mode 100644 index 00000000000..0078c9575b4 --- /dev/null +++ b/queue-5.15/fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch @@ -0,0 +1,79 @@ +From 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Sun, 25 Sep 2022 06:32:43 -0700 +Subject: fbdev: smscufx: Fix use-after-free in ufx_ops_open() + +From: Hyunwoo Kim + +commit 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c upstream. + +A race condition may occur if the user physically removes the +USB device while calling open() for this device node. + +This is a race condition between the ufx_ops_open() function and +the ufx_usb_disconnect() function, which may eventually result in UAF. + +So, add a mutex to the ufx_ops_open() and ufx_usb_disconnect() functions +to avoid race contidion of krefs. + +Signed-off-by: Hyunwoo Kim +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/smscufx.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/video/fbdev/smscufx.c ++++ b/drivers/video/fbdev/smscufx.c +@@ -137,6 +137,8 @@ static int ufx_submit_urb(struct ufx_dat + static int ufx_alloc_urb_list(struct ufx_data *dev, int count, size_t size); + static void ufx_free_urb_list(struct ufx_data *dev); + ++static DEFINE_MUTEX(disconnect_mutex); ++ + /* reads a control register */ + static int ufx_reg_read(struct ufx_data *dev, u32 index, u32 *data) + { +@@ -1070,9 +1072,13 @@ static int ufx_ops_open(struct fb_info * + if (user == 0 && !console) + return -EBUSY; + ++ mutex_lock(&disconnect_mutex); ++ + /* If the USB device is gone, we don't accept new opens */ +- if (dev->virtualized) ++ if (dev->virtualized) { ++ mutex_unlock(&disconnect_mutex); + return -ENODEV; ++ } + + dev->fb_count++; + +@@ -1096,6 +1102,8 @@ static int ufx_ops_open(struct fb_info * + pr_debug("open /dev/fb%d user=%d fb_info=%p count=%d", + info->node, user, info, dev->fb_count); + ++ mutex_unlock(&disconnect_mutex); ++ + return 0; + } + +@@ -1740,6 +1748,8 @@ static void ufx_usb_disconnect(struct us + { + struct ufx_data *dev; + ++ mutex_lock(&disconnect_mutex); ++ + dev = usb_get_intfdata(interface); + + pr_debug("USB disconnect starting\n"); +@@ -1760,6 +1770,8 @@ static void ufx_usb_disconnect(struct us + kref_put(&dev->kref, ufx_free); + + /* consider ufx_data freed */ ++ ++ mutex_unlock(&disconnect_mutex); + } + + static struct usb_driver ufx_driver = { diff --git a/queue-5.15/fs-record-i_dirty_time-even-if-inode-already-has-i_dirty_inode.patch b/queue-5.15/fs-record-i_dirty_time-even-if-inode-already-has-i_dirty_inode.patch new file mode 100644 index 00000000000..4e6c378e6a1 --- /dev/null +++ b/queue-5.15/fs-record-i_dirty_time-even-if-inode-already-has-i_dirty_inode.patch @@ -0,0 +1,185 @@ +From cbfecb927f429a6fa613d74b998496bd71e4438a Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Thu, 25 Aug 2022 12:06:57 +0200 +Subject: fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE + +From: Lukas Czerner + +commit cbfecb927f429a6fa613d74b998496bd71e4438a upstream. + +Currently the I_DIRTY_TIME will never get set if the inode already has +I_DIRTY_INODE with assumption that it supersedes I_DIRTY_TIME. That's +true, however ext4 will only update the on-disk inode in +->dirty_inode(), not on actual writeback. As a result if the inode +already has I_DIRTY_INODE state by the time we get to +__mark_inode_dirty() only with I_DIRTY_TIME, the time was already filled +into on-disk inode and will not get updated until the next I_DIRTY_INODE +update, which might never come if we crash or get a power failure. + +The problem can be reproduced on ext4 by running xfstest generic/622 +with -o iversion mount option. + +Fix it by allowing I_DIRTY_TIME to be set even if the inode already has +I_DIRTY_INODE. Also make sure that the case is properly handled in +writeback_single_inode() as well. Additionally changes in +xfs_fs_dirty_inode() was made to accommodate for I_DIRTY_TIME in flag. + +Thanks Jan Kara for suggestions on how to make this work properly. + +Cc: Dave Chinner +Cc: Christoph Hellwig +Cc: stable@kernel.org +Signed-off-by: Lukas Czerner +Suggested-by: Jan Kara +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20220825100657.44217-1-lczerner@redhat.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/filesystems/vfs.rst | 3 +++ + fs/fs-writeback.c | 37 +++++++++++++++++++++++++------------ + fs/xfs/xfs_super.c | 10 ++++++++-- + include/linux/fs.h | 9 +++++---- + 4 files changed, 41 insertions(+), 18 deletions(-) + +--- a/Documentation/filesystems/vfs.rst ++++ b/Documentation/filesystems/vfs.rst +@@ -274,6 +274,9 @@ or bottom half). + This is specifically for the inode itself being marked dirty, + not its data. If the update needs to be persisted by fdatasync(), + then I_DIRTY_DATASYNC will be set in the flags argument. ++ I_DIRTY_TIME will be set in the flags in case lazytime is enabled ++ and struct inode has times updated since the last ->dirty_inode ++ call. + + ``write_inode`` + this method is called when the VFS needs to write an inode to +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -1745,9 +1745,14 @@ static int writeback_single_inode(struct + */ + if (!(inode->i_state & I_DIRTY_ALL)) + inode_cgwb_move_to_attached(inode, wb); +- else if (!(inode->i_state & I_SYNC_QUEUED) && +- (inode->i_state & I_DIRTY)) +- redirty_tail_locked(inode, wb); ++ else if (!(inode->i_state & I_SYNC_QUEUED)) { ++ if ((inode->i_state & I_DIRTY)) ++ redirty_tail_locked(inode, wb); ++ else if (inode->i_state & I_DIRTY_TIME) { ++ inode->dirtied_when = jiffies; ++ inode_io_list_move_locked(inode, wb, &wb->b_dirty_time); ++ } ++ } + + spin_unlock(&wb->list_lock); + inode_sync_complete(inode); +@@ -2401,6 +2406,20 @@ void __mark_inode_dirty(struct inode *in + + if (flags & I_DIRTY_INODE) { + /* ++ * Inode timestamp update will piggback on this dirtying. ++ * We tell ->dirty_inode callback that timestamps need to ++ * be updated by setting I_DIRTY_TIME in flags. ++ */ ++ if (inode->i_state & I_DIRTY_TIME) { ++ spin_lock(&inode->i_lock); ++ if (inode->i_state & I_DIRTY_TIME) { ++ inode->i_state &= ~I_DIRTY_TIME; ++ flags |= I_DIRTY_TIME; ++ } ++ spin_unlock(&inode->i_lock); ++ } ++ ++ /* + * Notify the filesystem about the inode being dirtied, so that + * (if needed) it can update on-disk fields and journal the + * inode. This is only needed when the inode itself is being +@@ -2409,7 +2428,8 @@ void __mark_inode_dirty(struct inode *in + */ + trace_writeback_dirty_inode_start(inode, flags); + if (sb->s_op->dirty_inode) +- sb->s_op->dirty_inode(inode, flags & I_DIRTY_INODE); ++ sb->s_op->dirty_inode(inode, ++ flags & (I_DIRTY_INODE | I_DIRTY_TIME)); + trace_writeback_dirty_inode(inode, flags); + + /* I_DIRTY_INODE supersedes I_DIRTY_TIME. */ +@@ -2430,21 +2450,15 @@ void __mark_inode_dirty(struct inode *in + */ + smp_mb(); + +- if (((inode->i_state & flags) == flags) || +- (dirtytime && (inode->i_state & I_DIRTY_INODE))) ++ if ((inode->i_state & flags) == flags) + return; + + spin_lock(&inode->i_lock); +- if (dirtytime && (inode->i_state & I_DIRTY_INODE)) +- goto out_unlock_inode; + if ((inode->i_state & flags) != flags) { + const int was_dirty = inode->i_state & I_DIRTY; + + inode_attach_wb(inode, NULL); + +- /* I_DIRTY_INODE supersedes I_DIRTY_TIME. */ +- if (flags & I_DIRTY_INODE) +- inode->i_state &= ~I_DIRTY_TIME; + inode->i_state |= flags; + + /* +@@ -2517,7 +2531,6 @@ void __mark_inode_dirty(struct inode *in + out_unlock: + if (wb) + spin_unlock(&wb->list_lock); +-out_unlock_inode: + spin_unlock(&inode->i_lock); + } + EXPORT_SYMBOL(__mark_inode_dirty); +--- a/fs/xfs/xfs_super.c ++++ b/fs/xfs/xfs_super.c +@@ -642,7 +642,7 @@ xfs_fs_destroy_inode( + static void + xfs_fs_dirty_inode( + struct inode *inode, +- int flag) ++ int flags) + { + struct xfs_inode *ip = XFS_I(inode); + struct xfs_mount *mp = ip->i_mount; +@@ -650,7 +650,13 @@ xfs_fs_dirty_inode( + + if (!(inode->i_sb->s_flags & SB_LAZYTIME)) + return; +- if (flag != I_DIRTY_SYNC || !(inode->i_state & I_DIRTY_TIME)) ++ ++ /* ++ * Only do the timestamp update if the inode is dirty (I_DIRTY_SYNC) ++ * and has dirty timestamp (I_DIRTY_TIME). I_DIRTY_TIME can be passed ++ * in flags possibly together with I_DIRTY_SYNC. ++ */ ++ if ((flags & ~I_DIRTY_TIME) != I_DIRTY_SYNC || !(flags & I_DIRTY_TIME)) + return; + + if (xfs_trans_alloc(mp, &M_RES(mp)->tr_fsyncts, 0, 0, 0, &tp)) +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -2288,13 +2288,14 @@ static inline void kiocb_clone(struct ki + * don't have to write inode on fdatasync() when only + * e.g. the timestamps have changed. + * I_DIRTY_PAGES Inode has dirty pages. Inode itself may be clean. +- * I_DIRTY_TIME The inode itself only has dirty timestamps, and the ++ * I_DIRTY_TIME The inode itself has dirty timestamps, and the + * lazytime mount option is enabled. We keep track of this + * separately from I_DIRTY_SYNC in order to implement + * lazytime. This gets cleared if I_DIRTY_INODE +- * (I_DIRTY_SYNC and/or I_DIRTY_DATASYNC) gets set. I.e. +- * either I_DIRTY_TIME *or* I_DIRTY_INODE can be set in +- * i_state, but not both. I_DIRTY_PAGES may still be set. ++ * (I_DIRTY_SYNC and/or I_DIRTY_DATASYNC) gets set. But ++ * I_DIRTY_TIME can still be set if I_DIRTY_SYNC is already ++ * in place because writeback might already be in progress ++ * and we don't want to lose the time update + * I_NEW Serves as both a mutex and completion notification. + * New inodes set I_NEW. If two processes both create + * the same inode, one of them will release its inode and diff --git a/queue-5.15/gpio-rockchip-request-gpio-mux-to-pinctrl-when-setting-direction.patch b/queue-5.15/gpio-rockchip-request-gpio-mux-to-pinctrl-when-setting-direction.patch new file mode 100644 index 00000000000..33f9377fb26 --- /dev/null +++ b/queue-5.15/gpio-rockchip-request-gpio-mux-to-pinctrl-when-setting-direction.patch @@ -0,0 +1,57 @@ +From 8ea8af6c8469156ac2042d83d73f6b74eb4b4b45 Mon Sep 17 00:00:00 2001 +From: Quentin Schulz +Date: Fri, 30 Sep 2022 15:20:33 +0200 +Subject: gpio: rockchip: request GPIO mux to pinctrl when setting direction + +From: Quentin Schulz + +commit 8ea8af6c8469156ac2042d83d73f6b74eb4b4b45 upstream. + +Before the split of gpio and pinctrl sections in their own driver, +rockchip_set_mux was called in pinmux_ops.gpio_set_direction for +configuring a pin in its GPIO function. + +This is essential for cases where pinctrl is "bypassed" by gpio +consumers otherwise the GPIO function is not configured for the pin and +it does not work. Such was the case for the sysfs/libgpiod userspace +GPIO handling. + +Let's call pinctrl_gpio_direction_input/output when setting the +direction of a GPIO so that the pinctrl core requests from the rockchip +pinctrl driver to put the pin in its GPIO function. + +Fixes: 9ce9a02039de ("pinctrl/rockchip: drop the gpio related codes") +Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio") +Cc: stable@vger.kernel.org +Reviewed-by: Heiko Stuebner +Signed-off-by: Quentin Schulz +Link: https://lore.kernel.org/r/20220930132033.4003377-3-foss+kernel@0leil.net +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-rockchip.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/gpio/gpio-rockchip.c ++++ b/drivers/gpio/gpio-rockchip.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -155,6 +156,12 @@ static int rockchip_gpio_set_direction(s + unsigned long flags; + u32 data = input ? 0 : 1; + ++ ++ if (input) ++ pinctrl_gpio_direction_input(bank->pin_base + offset); ++ else ++ pinctrl_gpio_direction_output(bank->pin_base + offset); ++ + raw_spin_lock_irqsave(&bank->slock, flags); + rockchip_gpio_writel_bit(bank, offset, data, bank->gpio_regs->port_ddr); + raw_spin_unlock_irqrestore(&bank->slock, flags); diff --git a/queue-5.15/ksmbd-fix-endless-loop-when-encryption-for-response-fails.patch b/queue-5.15/ksmbd-fix-endless-loop-when-encryption-for-response-fails.patch new file mode 100644 index 00000000000..b3ee7a2a8f8 --- /dev/null +++ b/queue-5.15/ksmbd-fix-endless-loop-when-encryption-for-response-fails.patch @@ -0,0 +1,35 @@ +From 360c8ee6fefdb496fffd2c18bb9a96a376a1a804 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 22 Sep 2022 23:35:43 +0900 +Subject: ksmbd: fix endless loop when encryption for response fails + +From: Namjae Jeon + +commit 360c8ee6fefdb496fffd2c18bb9a96a376a1a804 upstream. + +If ->encrypt_resp return error, goto statement cause endless loop. +It send an error response immediately after removing it. + +Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/server.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/ksmbd/server.c ++++ b/fs/ksmbd/server.c +@@ -235,10 +235,8 @@ send: + if (work->sess && work->sess->enc && work->encrypted && + conn->ops->encrypt_resp) { + rc = conn->ops->encrypt_resp(work); +- if (rc < 0) { ++ if (rc < 0) + conn->ops->set_rsp_status(work, STATUS_DATA_ERROR); +- goto send; +- } + } + + ksmbd_conn_write(work); diff --git a/queue-5.15/ksmbd-fix-user-namespace-mapping.patch b/queue-5.15/ksmbd-fix-user-namespace-mapping.patch new file mode 100644 index 00000000000..3710711a7f2 --- /dev/null +++ b/queue-5.15/ksmbd-fix-user-namespace-mapping.patch @@ -0,0 +1,58 @@ +From 7c88c1e0ab1704bacb751341ee6431c3be34b834 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Thu, 29 Sep 2022 12:04:47 +0200 +Subject: ksmbd: Fix user namespace mapping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit 7c88c1e0ab1704bacb751341ee6431c3be34b834 upstream. + +A kernel daemon should not rely on the current thread, which is unknown +and might be malicious. Before this security fix, +ksmbd_override_fsids() didn't correctly override FS UID/GID which means +that arbitrary user space threads could trick the kernel to impersonate +arbitrary users or groups for file system access checks, leading to +file system access bypass. + +This was found while investigating truncate support for Landlock: +https://lore.kernel.org/r/CAKYAXd8fpMJ7guizOjHgxEyyjoUwPsx3jLOPZP=wPYcbhkVXqA@mail.gmail.com + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: Hyunchul Lee +Cc: Steve French +Cc: stable@vger.kernel.org +Signed-off-by: Mickaël Salaün +Link: https://lore.kernel.org/r/20220929100447.108468-1-mic@digikod.net +Acked-by: Christian Brauner (Microsoft) +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb_common.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/ksmbd/smb_common.c ++++ b/fs/ksmbd/smb_common.c +@@ -4,6 +4,8 @@ + * Copyright (C) 2018 Namjae Jeon + */ + ++#include ++ + #include "smb_common.h" + #include "server.h" + #include "misc.h" +@@ -624,8 +626,8 @@ int ksmbd_override_fsids(struct ksmbd_wo + if (!cred) + return -ENOMEM; + +- cred->fsuid = make_kuid(current_user_ns(), uid); +- cred->fsgid = make_kgid(current_user_ns(), gid); ++ cred->fsuid = make_kuid(&init_user_ns, uid); ++ cred->fsgid = make_kgid(&init_user_ns, gid); + + gi = groups_alloc(0); + if (!gi) { diff --git a/queue-5.15/ksmbd-fix-wrong-return-value-and-message-length-check-in-smb2_ioctl.patch b/queue-5.15/ksmbd-fix-wrong-return-value-and-message-length-check-in-smb2_ioctl.patch new file mode 100644 index 00000000000..afa7419322a --- /dev/null +++ b/queue-5.15/ksmbd-fix-wrong-return-value-and-message-length-check-in-smb2_ioctl.patch @@ -0,0 +1,56 @@ +From b1763d265af62800ec96eeb79803c4c537dcef3a Mon Sep 17 00:00:00 2001 +From: Zhang Xiaoxu +Date: Mon, 26 Sep 2022 11:36:30 +0800 +Subject: ksmbd: Fix wrong return value and message length check in smb2_ioctl() + +From: Zhang Xiaoxu + +commit b1763d265af62800ec96eeb79803c4c537dcef3a upstream. + +Commit c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock +break, and move its struct to smbfs_common") use the defination +of 'struct validate_negotiate_info_req' in smbfs_common, the +array length of 'Dialects' changed from 1 to 4, but the protocol +does not require the client to send all 4. This lead the request +which satisfied with protocol and server to fail. + +So just ensure the request payload has the 'DialectCount' in +smb2_ioctl(), then fsctl_validate_negotiate_info() will use it +to validate the payload length and each dialect. + +Also when the {in, out}_buf_len is less than the required, should +goto out to initialize the status in the response header. + +Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl") +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Xiaoxu +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -7617,11 +7617,16 @@ int smb2_ioctl(struct ksmbd_work *work) + goto out; + } + +- if (in_buf_len < sizeof(struct validate_negotiate_info_req)) +- return -EINVAL; ++ if (in_buf_len < offsetof(struct validate_negotiate_info_req, ++ Dialects)) { ++ ret = -EINVAL; ++ goto out; ++ } + +- if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) +- return -EINVAL; ++ if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) { ++ ret = -EINVAL; ++ goto out; ++ } + + ret = fsctl_validate_negotiate_info(conn, + (struct validate_negotiate_info_req *)&req->Buffer[0], diff --git a/queue-5.15/pinctrl-rockchip-add-pinmux_ops.gpio_set_direction-callback.patch b/queue-5.15/pinctrl-rockchip-add-pinmux_ops.gpio_set_direction-callback.patch new file mode 100644 index 00000000000..815c654445a --- /dev/null +++ b/queue-5.15/pinctrl-rockchip-add-pinmux_ops.gpio_set_direction-callback.patch @@ -0,0 +1,60 @@ +From 4635c0e2a7f7f3568cbfccae70121f9835efa62c Mon Sep 17 00:00:00 2001 +From: Quentin Schulz +Date: Fri, 30 Sep 2022 15:20:32 +0200 +Subject: pinctrl: rockchip: add pinmux_ops.gpio_set_direction callback + +From: Quentin Schulz + +commit 4635c0e2a7f7f3568cbfccae70121f9835efa62c upstream. + +Before the split of gpio and pinctrl sections in their own driver, +rockchip_set_mux was called in pinmux_ops.gpio_set_direction for +configuring a pin in its GPIO function. + +This is essential for cases where pinctrl is "bypassed" by gpio +consumers otherwise the GPIO function is not configured for the pin and +it does not work. Such was the case for the sysfs/libgpiod userspace +GPIO handling. + +Let's re-implement the pinmux_ops.gpio_set_direction callback so that +the gpio subsystem can request from the pinctrl driver to put the pin in +its GPIO function. + +Fixes: 9ce9a02039de ("pinctrl/rockchip: drop the gpio related codes") +Cc: stable@vger.kernel.org +Reviewed-by: Heiko Stuebner +Signed-off-by: Quentin Schulz +Link: https://lore.kernel.org/r/20220930132033.4003377-2-foss+kernel@0leil.net +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-rockchip.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -2072,11 +2072,24 @@ static int rockchip_pmx_set(struct pinct + return 0; + } + ++static int rockchip_pmx_gpio_set_direction(struct pinctrl_dev *pctldev, ++ struct pinctrl_gpio_range *range, ++ unsigned offset, ++ bool input) ++{ ++ struct rockchip_pinctrl *info = pinctrl_dev_get_drvdata(pctldev); ++ struct rockchip_pin_bank *bank; ++ ++ bank = pin_to_bank(info, offset); ++ return rockchip_set_mux(bank, offset - bank->pin_base, RK_FUNC_GPIO); ++} ++ + static const struct pinmux_ops rockchip_pmx_ops = { + .get_functions_count = rockchip_pmx_get_funcs_count, + .get_function_name = rockchip_pmx_get_func_name, + .get_function_groups = rockchip_pmx_get_groups, + .set_mux = rockchip_pmx_set, ++ .gpio_set_direction = rockchip_pmx_gpio_set_direction, + }; + + /* diff --git a/queue-5.15/series b/queue-5.15/series index 2d3854760f8..adaa52144aa 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -69,3 +69,12 @@ powerpc-boot-explicitly-disable-usage-of-spe-instructions.patch slimbus-qcom-ngd-use-correct-error-in-message-of-pdr_add_lookup-failure.patch slimbus-qcom-ngd-cleanup-in-probe-error-path.patch scsi-qedf-populate-sysfs-attributes-for-vport.patch +gpio-rockchip-request-gpio-mux-to-pinctrl-when-setting-direction.patch +pinctrl-rockchip-add-pinmux_ops.gpio_set_direction-callback.patch +fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch +ksmbd-fix-endless-loop-when-encryption-for-response-fails.patch +ksmbd-fix-wrong-return-value-and-message-length-check-in-smb2_ioctl.patch +ksmbd-fix-user-namespace-mapping.patch +fs-record-i_dirty_time-even-if-inode-already-has-i_dirty_inode.patch +btrfs-fix-race-between-quota-enable-and-quota-rescan-ioctl.patch +btrfs-set-generation-before-calling-btrfs_clean_tree_block-in-btrfs_init_new_buffer.patch