From: Greg Kroah-Hartman Date: Mon, 4 Oct 2021 10:14:52 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.4.286~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d58e7e0bcb5a1f91edd69064dbc987f92ee124ca;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch ext4-add-error-checking-to-ext4_ext_replay_set_iblocks.patch ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch ext4-fix-reserved-space-counter-leakage.patch ext4-limit-the-number-of-blocks-in-one-add_range-tlv.patch hid-u2fzero-ignore-incomplete-packets-without-data.patch ipack-ipoctal-fix-missing-allocation-failure-check.patch ipack-ipoctal-fix-module-reference-leak.patch ipack-ipoctal-fix-stack-information-leak.patch ipack-ipoctal-fix-tty-registration-error-handling.patch ipack-ipoctal-fix-tty-registration-race.patch net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch nvme-add-command-id-quirk-for-apple-controllers.patch --- diff --git a/queue-5.10/debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch b/queue-5.10/debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch new file mode 100644 index 00000000000..b3400129c2d --- /dev/null +++ b/queue-5.10/debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch @@ -0,0 +1,37 @@ +From af505cad9567f7a500d34bf183696d570d7f6810 Mon Sep 17 00:00:00 2001 +From: Nirmoy Das +Date: Thu, 2 Sep 2021 12:29:17 +0200 +Subject: debugfs: debugfs_create_file_size(): use IS_ERR to check for error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nirmoy Das + +commit af505cad9567f7a500d34bf183696d570d7f6810 upstream. + +debugfs_create_file() returns encoded error so use IS_ERR for checking +return value. + +Reviewed-by: Christian König +Signed-off-by: Nirmoy Das +Fixes: ff9fb72bc077 ("debugfs: return error values, not NULL") +Cc: stable +References: https://gitlab.freedesktop.org/drm/amd/-/issues/1686 +Link: https://lore.kernel.org/r/20210902102917.2233-1-nirmoy.das@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/debugfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -524,7 +524,7 @@ void debugfs_create_file_size(const char + { + struct dentry *de = debugfs_create_file(name, mode, parent, data, fops); + +- if (de) ++ if (!IS_ERR(de)) + d_inode(de)->i_size = file_size; + } + EXPORT_SYMBOL_GPL(debugfs_create_file_size); diff --git a/queue-5.10/elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch b/queue-5.10/elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch new file mode 100644 index 00000000000..25074dd09c1 --- /dev/null +++ b/queue-5.10/elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch @@ -0,0 +1,60 @@ +From 9b2f72cc0aa4bb444541bb87581c35b7508b37d3 Mon Sep 17 00:00:00 2001 +From: Chen Jingwen +Date: Tue, 28 Sep 2021 20:56:57 +0800 +Subject: elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings + +From: Chen Jingwen + +commit 9b2f72cc0aa4bb444541bb87581c35b7508b37d3 upstream. + +In commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf +executable mappings") we still leave MAP_FIXED_NOREPLACE in place for +load_elf_interp. + +Unfortunately, this will cause kernel to fail to start with: + + 1 (init): Uhuuh, elf segment at 00003ffff7ffd000 requested but the memory is mapped already + Failed to execute /init (error -17) + +The reason is that the elf interpreter (ld.so) has overlapping segments. + + readelf -l ld-2.31.so + Program Headers: + Type Offset VirtAddr PhysAddr + FileSiz MemSiz Flags Align + LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000 + 0x000000000002c94c 0x000000000002c94c R E 0x10000 + LOAD 0x000000000002dae0 0x000000000003dae0 0x000000000003dae0 + 0x00000000000021e8 0x0000000000002320 RW 0x10000 + LOAD 0x000000000002fe00 0x000000000003fe00 0x000000000003fe00 + 0x00000000000011ac 0x0000000000001328 RW 0x10000 + +The reason for this problem is the same as described in commit +ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments"). + +Not only executable binaries, elf interpreters (e.g. ld.so) can have +overlapping elf segments, so we better drop MAP_FIXED_NOREPLACE and go +back to MAP_FIXED in load_elf_interp. + +Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map") +Cc: # v4.19 +Cc: Andrew Morton +Cc: Michal Hocko +Signed-off-by: Chen Jingwen +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/binfmt_elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -627,7 +627,7 @@ static unsigned long load_elf_interp(str + + vaddr = eppnt->p_vaddr; + if (interp_elf_ex->e_type == ET_EXEC || load_addr_set) +- elf_type |= MAP_FIXED_NOREPLACE; ++ elf_type |= MAP_FIXED; + else if (no_base && interp_elf_ex->e_type == ET_DYN) + load_addr = -vaddr; + diff --git a/queue-5.10/ext4-add-error-checking-to-ext4_ext_replay_set_iblocks.patch b/queue-5.10/ext4-add-error-checking-to-ext4_ext_replay_set_iblocks.patch new file mode 100644 index 00000000000..9ace5229686 --- /dev/null +++ b/queue-5.10/ext4-add-error-checking-to-ext4_ext_replay_set_iblocks.patch @@ -0,0 +1,99 @@ +From 1fd95c05d8f742abfe906620780aee4dbe1a2db0 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 2 Sep 2021 11:36:01 -0400 +Subject: ext4: add error checking to ext4_ext_replay_set_iblocks() + +From: Theodore Ts'o + +commit 1fd95c05d8f742abfe906620780aee4dbe1a2db0 upstream. + +If the call to ext4_map_blocks() fails due to an corrupted file +system, ext4_ext_replay_set_iblocks() can get stuck in an infinite +loop. This could be reproduced by running generic/526 with a file +system that has inline_data and fast_commit enabled. The system will +repeatedly log to the console: + +EXT4-fs warning (device dm-3): ext4_block_to_path:105: block 1074800922 > max in inode 131076 + +and the stack that it gets stuck in is: + + ext4_block_to_path+0xe3/0x130 + ext4_ind_map_blocks+0x93/0x690 + ext4_map_blocks+0x100/0x660 + skip_hole+0x47/0x70 + ext4_ext_replay_set_iblocks+0x223/0x440 + ext4_fc_replay_inode+0x29e/0x3b0 + ext4_fc_replay+0x278/0x550 + do_one_pass+0x646/0xc10 + jbd2_journal_recover+0x14a/0x270 + jbd2_journal_load+0xc4/0x150 + ext4_load_journal+0x1f3/0x490 + ext4_fill_super+0x22d4/0x2c00 + +With this patch, generic/526 still fails, but system is no longer +locking up in a tight loop. It's likely the root casue is that +fast_commit replay is corrupting file systems with inline_data, and we +probably need to add better error handling in the fast commit replay +code path beyond what is done here, which essentially just breaks the +infinite loop without reporting the to the higher levels of the code. + +Fixes: 8016E29F4362 ("ext4: fast commit recovery path") +Cc: stable@kernel.org +Cc: Harshad Shirwadkar +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/extents.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5907,7 +5907,7 @@ void ext4_ext_replay_shrink_inode(struct + } + + /* Check if *cur is a hole and if it is, skip it */ +-static void skip_hole(struct inode *inode, ext4_lblk_t *cur) ++static int skip_hole(struct inode *inode, ext4_lblk_t *cur) + { + int ret; + struct ext4_map_blocks map; +@@ -5916,9 +5916,12 @@ static void skip_hole(struct inode *inod + map.m_len = ((inode->i_size) >> inode->i_sb->s_blocksize_bits) - *cur; + + ret = ext4_map_blocks(NULL, inode, &map, 0); ++ if (ret < 0) ++ return ret; + if (ret != 0) +- return; ++ return 0; + *cur = *cur + map.m_len; ++ return 0; + } + + /* Count number of blocks used by this inode and update i_blocks */ +@@ -5967,7 +5970,9 @@ int ext4_ext_replay_set_iblocks(struct i + * iblocks by total number of differences found. + */ + cur = 0; +- skip_hole(inode, &cur); ++ ret = skip_hole(inode, &cur); ++ if (ret < 0) ++ goto out; + path = ext4_find_extent(inode, cur, NULL, 0); + if (IS_ERR(path)) + goto out; +@@ -5986,8 +5991,12 @@ int ext4_ext_replay_set_iblocks(struct i + } + cur = max(cur + 1, le32_to_cpu(ex->ee_block) + + ext4_ext_get_actual_len(ex)); +- skip_hole(inode, &cur); +- ++ ret = skip_hole(inode, &cur); ++ if (ret < 0) { ++ ext4_ext_drop_refs(path); ++ kfree(path); ++ break; ++ } + path2 = ext4_find_extent(inode, cur, NULL, 0); + if (IS_ERR(path2)) { + ext4_ext_drop_refs(path); diff --git a/queue-5.10/ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch b/queue-5.10/ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch new file mode 100644 index 00000000000..c356eb198b7 --- /dev/null +++ b/queue-5.10/ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch @@ -0,0 +1,65 @@ +From 75ca6ad408f459f00b09a64f04c774559848c097 Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani +Date: Sat, 5 Jun 2021 10:39:32 +0530 +Subject: ext4: fix loff_t overflow in ext4_max_bitmap_size() + +From: Ritesh Harjani + +commit 75ca6ad408f459f00b09a64f04c774559848c097 upstream. + +We should use unsigned long long rather than loff_t to avoid +overflow in ext4_max_bitmap_size() for comparison before returning. +w/o this patch sbi->s_bitmap_maxbytes was becoming a negative +value due to overflow of upper_limit (with has_huge_files as true) + +Below is a quick test to trigger it on a 64KB pagesize system. + +sudo mkfs.ext4 -b 65536 -O ^has_extents,^64bit /dev/loop2 +sudo mount /dev/loop2 /mnt +sudo echo "hello" > /mnt/hello -> This will error out with + "echo: write error: File too large" + +Signed-off-by: Ritesh Harjani +Reviewed-by: Jan Kara +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/594f409e2c543e90fd836b78188dfa5c575065ba.1622867594.git.riteshh@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3194,17 +3194,17 @@ static loff_t ext4_max_size(int blkbits, + */ + static loff_t ext4_max_bitmap_size(int bits, int has_huge_files) + { +- loff_t res = EXT4_NDIR_BLOCKS; ++ unsigned long long upper_limit, res = EXT4_NDIR_BLOCKS; + int meta_blocks; +- loff_t upper_limit; +- /* This is calculated to be the largest file size for a dense, block ++ ++ /* ++ * This is calculated to be the largest file size for a dense, block + * mapped file such that the file's total number of 512-byte sectors, + * including data and all indirect blocks, does not exceed (2^48 - 1). + * + * __u32 i_blocks_lo and _u16 i_blocks_high represent the total + * number of 512-byte sectors of the file. + */ +- + if (!has_huge_files) { + /* + * !has_huge_files or implies that the inode i_block field +@@ -3247,7 +3247,7 @@ static loff_t ext4_max_bitmap_size(int b + if (res > MAX_LFS_FILESIZE) + res = MAX_LFS_FILESIZE; + +- return res; ++ return (loff_t)res; + } + + static ext4_fsblk_t descriptor_loc(struct super_block *sb, diff --git a/queue-5.10/ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch b/queue-5.10/ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch new file mode 100644 index 00000000000..3bbc2d3652b --- /dev/null +++ b/queue-5.10/ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch @@ -0,0 +1,68 @@ +From 42cb447410d024e9d54139ae9c21ea132a8c384c Mon Sep 17 00:00:00 2001 +From: yangerkun +Date: Tue, 14 Sep 2021 19:14:15 +0800 +Subject: ext4: fix potential infinite loop in ext4_dx_readdir() + +From: yangerkun + +commit 42cb447410d024e9d54139ae9c21ea132a8c384c upstream. + +When ext4_htree_fill_tree() fails, ext4_dx_readdir() can run into an +infinite loop since if info->last_pos != ctx->pos this will reset the +directory scan and reread the failing entry. For example: + +1. a dx_dir which has 3 block, block 0 as dx_root block, block 1/2 as + leaf block which own the ext4_dir_entry_2 +2. block 1 read ok and call_filldir which will fill the dirent and update + the ctx->pos +3. block 2 read fail, but we has already fill some dirent, so we will + return back to userspace will a positive return val(see ksys_getdents64) +4. the second ext4_dx_readdir will reset the world since info->last_pos + != ctx->pos, and will also init the curr_hash which pos to block 1 +5. So we will read block1 too, and once block2 still read fail, we can + only fill one dirent because the hash of the entry in block1(besides + the last one) won't greater than curr_hash +6. this time, we forget update last_pos too since the read for block2 + will fail, and since we has got the one entry, ksys_getdents64 can + return success +7. Latter we will trapped in a loop with step 4~6 + +Cc: stable@kernel.org +Signed-off-by: yangerkun +Reviewed-by: Jan Kara +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20210914111415.3921954-1-yangerkun@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/dir.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/ext4/dir.c ++++ b/fs/ext4/dir.c +@@ -534,7 +534,7 @@ static int ext4_dx_readdir(struct file * + struct dir_private_info *info = file->private_data; + struct inode *inode = file_inode(file); + struct fname *fname; +- int ret; ++ int ret = 0; + + if (!info) { + info = ext4_htree_create_dir_info(file, ctx->pos); +@@ -582,7 +582,7 @@ static int ext4_dx_readdir(struct file * + info->curr_minor_hash, + &info->next_hash); + if (ret < 0) +- return ret; ++ goto finished; + if (ret == 0) { + ctx->pos = ext4_get_htree_eof(file); + break; +@@ -613,7 +613,7 @@ static int ext4_dx_readdir(struct file * + } + finished: + info->last_pos = ctx->pos; +- return 0; ++ return ret < 0 ? ret : 0; + } + + static int ext4_dir_open(struct inode * inode, struct file * filp) diff --git a/queue-5.10/ext4-fix-reserved-space-counter-leakage.patch b/queue-5.10/ext4-fix-reserved-space-counter-leakage.patch new file mode 100644 index 00000000000..721a78bfdfc --- /dev/null +++ b/queue-5.10/ext4-fix-reserved-space-counter-leakage.patch @@ -0,0 +1,89 @@ +From 6fed83957f21eff11c8496e9f24253b03d2bc1dc Mon Sep 17 00:00:00 2001 +From: Jeffle Xu +Date: Mon, 23 Aug 2021 14:13:58 +0800 +Subject: ext4: fix reserved space counter leakage + +From: Jeffle Xu + +commit 6fed83957f21eff11c8496e9f24253b03d2bc1dc upstream. + +When ext4_insert_delayed block receives and recovers from an error from +ext4_es_insert_delayed_block(), e.g., ENOMEM, it does not release the +space it has reserved for that block insertion as it should. One effect +of this bug is that s_dirtyclusters_counter is not decremented and +remains incorrectly elevated until the file system has been unmounted. +This can result in premature ENOSPC returns and apparent loss of free +space. + +Another effect of this bug is that +/sys/fs/ext4//delayed_allocation_blocks can remain non-zero even +after syncfs has been executed on the filesystem. + +Besides, add check for s_dirtyclusters_counter when inode is going to be +evicted and freed. s_dirtyclusters_counter can still keep non-zero until +inode is written back in .evict_inode(), and thus the check is delayed +to .destroy_inode(). + +Fixes: 51865fda28e5 ("ext4: let ext4 maintain extent status tree") +Cc: stable@kernel.org +Suggested-by: Gao Xiang +Signed-off-by: Jeffle Xu +Reviewed-by: Eric Whitney +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20210823061358.84473-1-jefflexu@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 5 +++++ + fs/ext4/super.c | 6 ++++++ + 2 files changed, 11 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1641,6 +1641,7 @@ static int ext4_insert_delayed_block(str + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + int ret; + bool allocated = false; ++ bool reserved = false; + + /* + * If the cluster containing lblk is shared with a delayed, +@@ -1657,6 +1658,7 @@ static int ext4_insert_delayed_block(str + ret = ext4_da_reserve_space(inode); + if (ret != 0) /* ENOSPC */ + goto errout; ++ reserved = true; + } else { /* bigalloc */ + if (!ext4_es_scan_clu(inode, &ext4_es_is_delonly, lblk)) { + if (!ext4_es_scan_clu(inode, +@@ -1669,6 +1671,7 @@ static int ext4_insert_delayed_block(str + ret = ext4_da_reserve_space(inode); + if (ret != 0) /* ENOSPC */ + goto errout; ++ reserved = true; + } else { + allocated = true; + } +@@ -1679,6 +1682,8 @@ static int ext4_insert_delayed_block(str + } + + ret = ext4_es_insert_delayed_block(inode, lblk, allocated); ++ if (ret && reserved) ++ ext4_da_release_space(inode, 1); + + errout: + return ret; +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1356,6 +1356,12 @@ static void ext4_destroy_inode(struct in + true); + dump_stack(); + } ++ ++ if (EXT4_I(inode)->i_reserved_data_blocks) ++ ext4_msg(inode->i_sb, KERN_ERR, ++ "Inode %lu (%p): i_reserved_data_blocks (%u) not cleared!", ++ inode->i_ino, EXT4_I(inode), ++ EXT4_I(inode)->i_reserved_data_blocks); + } + + static void init_once(void *foo) diff --git a/queue-5.10/ext4-limit-the-number-of-blocks-in-one-add_range-tlv.patch b/queue-5.10/ext4-limit-the-number-of-blocks-in-one-add_range-tlv.patch new file mode 100644 index 00000000000..61a98213030 --- /dev/null +++ b/queue-5.10/ext4-limit-the-number-of-blocks-in-one-add_range-tlv.patch @@ -0,0 +1,60 @@ +From a2c2f0826e2b75560b31daf1cd9a755ab93cf4c6 Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Fri, 20 Aug 2021 12:45:05 +0800 +Subject: ext4: limit the number of blocks in one ADD_RANGE TLV + +From: Hou Tao + +commit a2c2f0826e2b75560b31daf1cd9a755ab93cf4c6 upstream. + +Now EXT4_FC_TAG_ADD_RANGE uses ext4_extent to track the +newly-added blocks, but the limit on the max value of +ee_len field is ignored, and it can lead to BUG_ON as +shown below when running command "fallocate -l 128M file" +on a fast_commit-enabled fs: + + kernel BUG at fs/ext4/ext4_extents.h:199! + invalid opcode: 0000 [#1] SMP PTI + CPU: 3 PID: 624 Comm: fallocate Not tainted 5.14.0-rc6+ #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) + RIP: 0010:ext4_fc_write_inode_data+0x1f3/0x200 + Call Trace: + ? ext4_fc_write_inode+0xf2/0x150 + ext4_fc_commit+0x93b/0xa00 + ? ext4_fallocate+0x1ad/0x10d0 + ext4_sync_file+0x157/0x340 + ? ext4_sync_file+0x157/0x340 + vfs_fsync_range+0x49/0x80 + do_fsync+0x3d/0x70 + __x64_sys_fsync+0x14/0x20 + do_syscall_64+0x3b/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Simply fixing it by limiting the number of blocks +in one EXT4_FC_TAG_ADD_RANGE TLV. + +Fixes: aa75f4d3daae ("ext4: main fast-commit commit path") +Cc: stable@kernel.org +Signed-off-by: Hou Tao +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20210820044505.474318-1-houtao1@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/fast_commit.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -832,6 +832,12 @@ static int ext4_fc_write_inode_data(stru + sizeof(lrange), (u8 *)&lrange, crc)) + return -ENOSPC; + } else { ++ unsigned int max = (map.m_flags & EXT4_MAP_UNWRITTEN) ? ++ EXT_UNWRITTEN_MAX_LEN : EXT_INIT_MAX_LEN; ++ ++ /* Limit the number of blocks in one extent */ ++ map.m_len = min(max, map.m_len); ++ + fc_ext.fc_ino = cpu_to_le32(inode->i_ino); + ex = (struct ext4_extent *)&fc_ext.fc_ex; + ex->ee_block = cpu_to_le32(map.m_lblk); diff --git a/queue-5.10/hid-u2fzero-ignore-incomplete-packets-without-data.patch b/queue-5.10/hid-u2fzero-ignore-incomplete-packets-without-data.patch new file mode 100644 index 00000000000..c18e0123d56 --- /dev/null +++ b/queue-5.10/hid-u2fzero-ignore-incomplete-packets-without-data.patch @@ -0,0 +1,35 @@ +From 22d65765f211cc83186fd8b87521159f354c0da9 Mon Sep 17 00:00:00 2001 +From: Andrej Shadura +Date: Thu, 16 Sep 2021 17:33:11 +0100 +Subject: HID: u2fzero: ignore incomplete packets without data + +From: Andrej Shadura + +commit 22d65765f211cc83186fd8b87521159f354c0da9 upstream. + +Since the actual_length calculation is performed unsigned, packets +shorter than 7 bytes (e.g. packets without data or otherwise truncated) +or non-received packets ("zero" bytes) can cause buffer overflow. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=214437 +Fixes: 42337b9d4d958("HID: add driver for U2F Zero built-in LED and RNG") +Signed-off-by: Andrej Shadura +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-u2fzero.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-u2fzero.c ++++ b/drivers/hid/hid-u2fzero.c +@@ -198,7 +198,9 @@ static int u2fzero_rng_read(struct hwrng + } + + ret = u2fzero_recv(dev, &req, &resp); +- if (ret < 0) ++ ++ /* ignore errors or packets without data */ ++ if (ret < offsetof(struct u2f_hid_msg, init.data)) + return 0; + + /* only take the minimum amount of data it is safe to take */ diff --git a/queue-5.10/ipack-ipoctal-fix-missing-allocation-failure-check.patch b/queue-5.10/ipack-ipoctal-fix-missing-allocation-failure-check.patch new file mode 100644 index 00000000000..53a491d7cf9 --- /dev/null +++ b/queue-5.10/ipack-ipoctal-fix-missing-allocation-failure-check.patch @@ -0,0 +1,36 @@ +From 445c8132727728dc297492a7d9fc074af3e94ba3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Sep 2021 13:46:20 +0200 +Subject: ipack: ipoctal: fix missing allocation-failure check + +From: Johan Hovold + +commit 445c8132727728dc297492a7d9fc074af3e94ba3 upstream. + +Add the missing error handling when allocating the transmit buffer to +avoid dereferencing a NULL pointer in write() should the allocation +ever fail. + +Fixes: ba4dc61fe8c5 ("Staging: ipack: add support for IP-OCTAL mezzanine board") +Cc: stable@vger.kernel.org # 3.5 +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210917114622.5412-5-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/devices/ipoctal.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/ipack/devices/ipoctal.c ++++ b/drivers/ipack/devices/ipoctal.c +@@ -388,7 +388,9 @@ static int ipoctal_inst_slot(struct ipoc + + channel = &ipoctal->channel[i]; + tty_port_init(&channel->tty_port); +- tty_port_alloc_xmit_buf(&channel->tty_port); ++ res = tty_port_alloc_xmit_buf(&channel->tty_port); ++ if (res) ++ continue; + channel->tty_port.ops = &ipoctal_tty_port_ops; + + ipoctal_reset_stats(&channel->stats); diff --git a/queue-5.10/ipack-ipoctal-fix-module-reference-leak.patch b/queue-5.10/ipack-ipoctal-fix-module-reference-leak.patch new file mode 100644 index 00000000000..b9d316022e8 --- /dev/null +++ b/queue-5.10/ipack-ipoctal-fix-module-reference-leak.patch @@ -0,0 +1,79 @@ +From bb8a4fcb2136508224c596a7e665bdba1d7c3c27 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Sep 2021 13:46:21 +0200 +Subject: ipack: ipoctal: fix module reference leak + +From: Johan Hovold + +commit bb8a4fcb2136508224c596a7e665bdba1d7c3c27 upstream. + +A reference to the carrier module was taken on every open but was only +released once when the final reference to the tty struct was dropped. + +Fix this by taking the module reference and initialising the tty driver +data when installing the tty. + +Fixes: 82a82340bab6 ("ipoctal: get carrier driver to avoid rmmod") +Cc: stable@vger.kernel.org # 3.18 +Cc: Federico Vaga +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210917114622.5412-6-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/devices/ipoctal.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/drivers/ipack/devices/ipoctal.c ++++ b/drivers/ipack/devices/ipoctal.c +@@ -84,22 +84,34 @@ static int ipoctal_port_activate(struct + return 0; + } + +-static int ipoctal_open(struct tty_struct *tty, struct file *file) ++static int ipoctal_install(struct tty_driver *driver, struct tty_struct *tty) + { + struct ipoctal_channel *channel = dev_get_drvdata(tty->dev); + struct ipoctal *ipoctal = chan_to_ipoctal(channel, tty->index); +- int err; +- +- tty->driver_data = channel; ++ int res; + + if (!ipack_get_carrier(ipoctal->dev)) + return -EBUSY; + +- err = tty_port_open(&channel->tty_port, tty, file); +- if (err) +- ipack_put_carrier(ipoctal->dev); ++ res = tty_standard_install(driver, tty); ++ if (res) ++ goto err_put_carrier; ++ ++ tty->driver_data = channel; ++ ++ return 0; ++ ++err_put_carrier: ++ ipack_put_carrier(ipoctal->dev); ++ ++ return res; ++} ++ ++static int ipoctal_open(struct tty_struct *tty, struct file *file) ++{ ++ struct ipoctal_channel *channel = tty->driver_data; + +- return err; ++ return tty_port_open(&channel->tty_port, tty, file); + } + + static void ipoctal_reset_stats(struct ipoctal_stats *stats) +@@ -665,6 +677,7 @@ static void ipoctal_cleanup(struct tty_s + + static const struct tty_operations ipoctal_fops = { + .ioctl = NULL, ++ .install = ipoctal_install, + .open = ipoctal_open, + .close = ipoctal_close, + .write = ipoctal_write_tty, diff --git a/queue-5.10/ipack-ipoctal-fix-stack-information-leak.patch b/queue-5.10/ipack-ipoctal-fix-stack-information-leak.patch new file mode 100644 index 00000000000..df8c3dd1e69 --- /dev/null +++ b/queue-5.10/ipack-ipoctal-fix-stack-information-leak.patch @@ -0,0 +1,86 @@ +From a89936cce87d60766a75732a9e7e25c51164f47c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Sep 2021 13:46:17 +0200 +Subject: ipack: ipoctal: fix stack information leak + +From: Johan Hovold + +commit a89936cce87d60766a75732a9e7e25c51164f47c upstream. + +The tty driver name is used also after registering the driver and must +specifically not be allocated on the stack to avoid leaking information +to user space (or triggering an oops). + +Drivers should not try to encode topology information in the tty device +name but this one snuck in through staging without anyone noticing and +another driver has since copied this malpractice. + +Fixing the ABI is a separate issue, but this at least plugs the security +hole. + +Fixes: ba4dc61fe8c5 ("Staging: ipack: add support for IP-OCTAL mezzanine board") +Cc: stable@vger.kernel.org # 3.5 +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210917114622.5412-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/devices/ipoctal.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/ipack/devices/ipoctal.c ++++ b/drivers/ipack/devices/ipoctal.c +@@ -266,7 +266,6 @@ static int ipoctal_inst_slot(struct ipoc + int res; + int i; + struct tty_driver *tty; +- char name[20]; + struct ipoctal_channel *channel; + struct ipack_region *region; + void __iomem *addr; +@@ -357,8 +356,11 @@ static int ipoctal_inst_slot(struct ipoc + /* Fill struct tty_driver with ipoctal data */ + tty->owner = THIS_MODULE; + tty->driver_name = KBUILD_MODNAME; +- sprintf(name, KBUILD_MODNAME ".%d.%d.", bus_nr, slot); +- tty->name = name; ++ tty->name = kasprintf(GFP_KERNEL, KBUILD_MODNAME ".%d.%d.", bus_nr, slot); ++ if (!tty->name) { ++ res = -ENOMEM; ++ goto err_put_driver; ++ } + tty->major = 0; + + tty->minor_start = 0; +@@ -374,8 +376,7 @@ static int ipoctal_inst_slot(struct ipoc + res = tty_register_driver(tty); + if (res) { + dev_err(&ipoctal->dev->dev, "Can't register tty driver.\n"); +- put_tty_driver(tty); +- return res; ++ goto err_free_name; + } + + /* Save struct tty_driver for use it when uninstalling the device */ +@@ -412,6 +413,13 @@ static int ipoctal_inst_slot(struct ipoc + ipoctal_irq_handler, ipoctal); + + return 0; ++ ++err_free_name: ++ kfree(tty->name); ++err_put_driver: ++ put_tty_driver(tty); ++ ++ return res; + } + + static inline int ipoctal_copy_write_buffer(struct ipoctal_channel *channel, +@@ -700,6 +708,7 @@ static void __ipoctal_remove(struct ipoc + } + + tty_unregister_driver(ipoctal->tty_drv); ++ kfree(ipoctal->tty_drv->name); + put_tty_driver(ipoctal->tty_drv); + kfree(ipoctal); + } diff --git a/queue-5.10/ipack-ipoctal-fix-tty-registration-error-handling.patch b/queue-5.10/ipack-ipoctal-fix-tty-registration-error-handling.patch new file mode 100644 index 00000000000..ba333704e65 --- /dev/null +++ b/queue-5.10/ipack-ipoctal-fix-tty-registration-error-handling.patch @@ -0,0 +1,56 @@ +From cd20d59291d1790dc74248476e928f57fc455189 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Sep 2021 13:46:19 +0200 +Subject: ipack: ipoctal: fix tty-registration error handling + +From: Johan Hovold + +commit cd20d59291d1790dc74248476e928f57fc455189 upstream. + +Registration of the ipoctal tty devices is unlikely to fail, but if it +ever does, make sure not to deregister a never registered tty device +(and dereference a NULL pointer) when the driver is later unbound. + +Fixes: 2afb41d9d30d ("Staging: ipack/devices/ipoctal: Check tty_register_device return value.") +Cc: stable@vger.kernel.org # 3.7 +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210917114622.5412-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/devices/ipoctal.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/ipack/devices/ipoctal.c ++++ b/drivers/ipack/devices/ipoctal.c +@@ -35,6 +35,7 @@ struct ipoctal_channel { + unsigned int pointer_read; + unsigned int pointer_write; + struct tty_port tty_port; ++ bool tty_registered; + union scc2698_channel __iomem *regs; + union scc2698_block __iomem *block_regs; + unsigned int board_id; +@@ -399,9 +400,11 @@ static int ipoctal_inst_slot(struct ipoc + i, NULL, channel, NULL); + if (IS_ERR(tty_dev)) { + dev_err(&ipoctal->dev->dev, "Failed to register tty device.\n"); ++ tty_port_free_xmit_buf(&channel->tty_port); + tty_port_destroy(&channel->tty_port); + continue; + } ++ channel->tty_registered = true; + } + + /* +@@ -702,6 +705,10 @@ static void __ipoctal_remove(struct ipoc + + for (i = 0; i < NR_CHANNELS; i++) { + struct ipoctal_channel *channel = &ipoctal->channel[i]; ++ ++ if (!channel->tty_registered) ++ continue; ++ + tty_unregister_device(ipoctal->tty_drv, i); + tty_port_free_xmit_buf(&channel->tty_port); + tty_port_destroy(&channel->tty_port); diff --git a/queue-5.10/ipack-ipoctal-fix-tty-registration-race.patch b/queue-5.10/ipack-ipoctal-fix-tty-registration-race.patch new file mode 100644 index 00000000000..10b392e1025 --- /dev/null +++ b/queue-5.10/ipack-ipoctal-fix-tty-registration-race.patch @@ -0,0 +1,40 @@ +From 65c001df517a7bf9be8621b53d43c89f426ce8d6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Sep 2021 13:46:18 +0200 +Subject: ipack: ipoctal: fix tty registration race + +From: Johan Hovold + +commit 65c001df517a7bf9be8621b53d43c89f426ce8d6 upstream. + +Make sure to set the tty class-device driver data before registering the +tty to avoid having a racing open() dereference a NULL pointer. + +Fixes: 9c1d784afc6f ("Staging: ipack/devices/ipoctal: Get rid of ipoctal_list.") +Cc: stable@vger.kernel.org # 3.7 +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210917114622.5412-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/devices/ipoctal.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/ipack/devices/ipoctal.c ++++ b/drivers/ipack/devices/ipoctal.c +@@ -395,13 +395,13 @@ static int ipoctal_inst_slot(struct ipoc + spin_lock_init(&channel->lock); + channel->pointer_read = 0; + channel->pointer_write = 0; +- tty_dev = tty_port_register_device(&channel->tty_port, tty, i, NULL); ++ tty_dev = tty_port_register_device_attr(&channel->tty_port, tty, ++ i, NULL, channel, NULL); + if (IS_ERR(tty_dev)) { + dev_err(&ipoctal->dev->dev, "Failed to register tty device.\n"); + tty_port_destroy(&channel->tty_port); + continue; + } +- dev_set_drvdata(tty_dev, channel); + } + + /* diff --git a/queue-5.10/net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch b/queue-5.10/net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch new file mode 100644 index 00000000000..5de856a5c10 --- /dev/null +++ b/queue-5.10/net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch @@ -0,0 +1,73 @@ +From a9f5970767d11eadc805d5283f202612c7ba1f59 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 27 Sep 2021 17:29:24 -0700 +Subject: net: udp: annotate data race around udp_sk(sk)->corkflag + +From: Eric Dumazet + +commit a9f5970767d11eadc805d5283f202612c7ba1f59 upstream. + +up->corkflag field can be read or written without any lock. +Annotate accesses to avoid possible syzbot/KCSAN reports. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 10 +++++----- + net/ipv6/udp.c | 2 +- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1035,7 +1035,7 @@ int udp_sendmsg(struct sock *sk, struct + __be16 dport; + u8 tos; + int err, is_udplite = IS_UDPLITE(sk); +- int corkreq = up->corkflag || msg->msg_flags&MSG_MORE; ++ int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE; + int (*getfrag)(void *, char *, int, int, int, struct sk_buff *); + struct sk_buff *skb; + struct ip_options_data opt_copy; +@@ -1343,7 +1343,7 @@ int udp_sendpage(struct sock *sk, struct + } + + up->len += size; +- if (!(up->corkflag || (flags&MSG_MORE))) ++ if (!(READ_ONCE(up->corkflag) || (flags&MSG_MORE))) + ret = udp_push_pending_frames(sk); + if (!ret) + ret = size; +@@ -2609,9 +2609,9 @@ int udp_lib_setsockopt(struct sock *sk, + switch (optname) { + case UDP_CORK: + if (val != 0) { +- up->corkflag = 1; ++ WRITE_ONCE(up->corkflag, 1); + } else { +- up->corkflag = 0; ++ WRITE_ONCE(up->corkflag, 0); + lock_sock(sk); + push_pending_frames(sk); + release_sock(sk); +@@ -2734,7 +2734,7 @@ int udp_lib_getsockopt(struct sock *sk, + + switch (optname) { + case UDP_CORK: +- val = up->corkflag; ++ val = READ_ONCE(up->corkflag); + break; + + case UDP_ENCAP: +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1288,7 +1288,7 @@ int udpv6_sendmsg(struct sock *sk, struc + int addr_len = msg->msg_namelen; + bool connected = false; + int ulen = len; +- int corkreq = up->corkflag || msg->msg_flags&MSG_MORE; ++ int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE; + int err; + int is_udplite = IS_UDPLITE(sk); + int (*getfrag)(void *, char *, int, int, int, struct sk_buff *); diff --git a/queue-5.10/nvme-add-command-id-quirk-for-apple-controllers.patch b/queue-5.10/nvme-add-command-id-quirk-for-apple-controllers.patch new file mode 100644 index 00000000000..dd8f298508a --- /dev/null +++ b/queue-5.10/nvme-add-command-id-quirk-for-apple-controllers.patch @@ -0,0 +1,83 @@ +From a2941f6aa71a72be2c82c0a168523a492d093530 Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Mon, 27 Sep 2021 08:43:06 -0700 +Subject: nvme: add command id quirk for apple controllers + +From: Keith Busch + +commit a2941f6aa71a72be2c82c0a168523a492d093530 upstream. + +Some apple controllers use the command id as an index to implementation +specific data structures and will fail if the value is out of bounds. +The nvme driver's recently introduced command sequence number breaks +this controller. + +Provide a quirk so these spec incompliant controllers can function as +before. The driver will not have the ability to detect bad completions +when this quirk is used, but we weren't previously checking this anyway. + +The quirk bit was selected so that it can readily apply to stable. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=214509 +Cc: Sven Peter +Reported-by: Orlando Chamberlain +Reported-by: Aditya Garg +Signed-off-by: Keith Busch +Reviewed-by: Christoph Hellwig +Tested-by: Sven Peter +Link: https://lore.kernel.org/r/20210927154306.387437-1-kbusch@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/core.c | 4 +++- + drivers/nvme/host/nvme.h | 6 ++++++ + drivers/nvme/host/pci.c | 3 ++- + 3 files changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -831,6 +831,7 @@ EXPORT_SYMBOL_GPL(nvme_cleanup_cmd); + blk_status_t nvme_setup_cmd(struct nvme_ns *ns, struct request *req, + struct nvme_command *cmd) + { ++ struct nvme_ctrl *ctrl = nvme_req(req)->ctrl; + blk_status_t ret = BLK_STS_OK; + + nvme_clear_nvme_request(req); +@@ -877,7 +878,8 @@ blk_status_t nvme_setup_cmd(struct nvme_ + return BLK_STS_IOERR; + } + +- nvme_req(req)->genctr++; ++ if (!(ctrl->quirks & NVME_QUIRK_SKIP_CID_GEN)) ++ nvme_req(req)->genctr++; + cmd->common.command_id = nvme_cid(req); + trace_nvme_setup_cmd(req, cmd); + return ret; +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -144,6 +144,12 @@ enum nvme_quirks { + * NVMe 1.3 compliance. + */ + NVME_QUIRK_NO_NS_DESC_LIST = (1 << 15), ++ ++ /* ++ * The controller requires the command_id value be be limited, so skip ++ * encoding the generation sequence number. ++ */ ++ NVME_QUIRK_SKIP_CID_GEN = (1 << 17), + }; + + /* +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3259,7 +3259,8 @@ static const struct pci_device_id nvme_i + { PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2005), + .driver_data = NVME_QUIRK_SINGLE_VECTOR | + NVME_QUIRK_128_BYTES_SQES | +- NVME_QUIRK_SHARED_TAGS }, ++ NVME_QUIRK_SHARED_TAGS | ++ NVME_QUIRK_SKIP_CID_GEN }, + + { PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) }, + { 0, } diff --git a/queue-5.10/series b/queue-5.10/series index f181b6d2a29..c3df123f54e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -65,3 +65,18 @@ net-sched-flower-protect-fl_walk-with-rcu.patch af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch perf-x86-intel-update-event-constraints-for-icx.patch hwmon-pmbus-mp2975-add-missed-pout-attribute-for-pag.patch +nvme-add-command-id-quirk-for-apple-controllers.patch +elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch +debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch +ipack-ipoctal-fix-stack-information-leak.patch +ipack-ipoctal-fix-tty-registration-race.patch +ipack-ipoctal-fix-tty-registration-error-handling.patch +ipack-ipoctal-fix-missing-allocation-failure-check.patch +ipack-ipoctal-fix-module-reference-leak.patch +ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch +ext4-limit-the-number-of-blocks-in-one-add_range-tlv.patch +ext4-fix-reserved-space-counter-leakage.patch +ext4-add-error-checking-to-ext4_ext_replay_set_iblocks.patch +ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch +hid-u2fzero-ignore-incomplete-packets-without-data.patch +net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch