From: Greg Kroah-Hartman
Date: Thu, 23 May 2024 12:09:43 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v4.19.315~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eeb49e301dd6f10e1609ad2e210a3a57eb735a3d;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
arm64-dts-qcom-fix-interrupt-map-parent-address-cells.patch
btrfs-add-missing-mutex_unlock-in-btrfs_relocate_sys_chunks.patch
drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch
firmware-arm_scmi-harden-accesses-to-the-reset-domains.patch
smb-client-fix-potential-oobs-in-smb2_parse_contexts.patch
---
diff --git a/queue-5.4/arm64-dts-qcom-fix-interrupt-map-parent-address-cells.patch b/queue-5.4/arm64-dts-qcom-fix-interrupt-map-parent-address-cells.patch
new file mode 100644
index 00000000000..0e065f7164b
--- /dev/null
+++ b/queue-5.4/arm64-dts-qcom-fix-interrupt-map-parent-address-cells.patch
@@ -0,0 +1,41 @@
+From 0ac10b291bee84b00bf9fb2afda444e77e7f88f4 Mon Sep 17 00:00:00 2001
+From: Rob Herring
+Date: Tue, 28 Sep 2021 14:22:09 -0500
+Subject: arm64: dts: qcom: Fix 'interrupt-map' parent address cells
+
+From: Rob Herring
+
+commit 0ac10b291bee84b00bf9fb2afda444e77e7f88f4 upstream.
+
+The 'interrupt-map' in several QCom SoCs is malformed. The '#address-cells'
+size of the parent interrupt controller (the GIC) is not accounted for.
+
+Cc: Andy Gross
+Cc: Bjorn Andersson
+Cc: linux-arm-msm@vger.kernel.org
+Signed-off-by: Rob Herring
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20210928192210.1842377-1-robh@kernel.org
+Signed-off-by: Alex Elder
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/qcom/msm8998.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/boot/dts/qcom/msm8998.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8998.dtsi
+@@ -872,10 +872,10 @@
+ interrupts = ;
+ interrupt-names = "msi";
+ interrupt-map-mask = <0 0 0 0x7>;
+- interrupt-map = <0 0 0 1 &intc 0 135 IRQ_TYPE_LEVEL_HIGH>,
+- <0 0 0 2 &intc 0 136 IRQ_TYPE_LEVEL_HIGH>,
+- <0 0 0 3 &intc 0 138 IRQ_TYPE_LEVEL_HIGH>,
+- <0 0 0 4 &intc 0 139 IRQ_TYPE_LEVEL_HIGH>;
++ interrupt-map = <0 0 0 1 &intc 0 0 135 IRQ_TYPE_LEVEL_HIGH>,
++ <0 0 0 2 &intc 0 0 136 IRQ_TYPE_LEVEL_HIGH>,
++ <0 0 0 3 &intc 0 0 138 IRQ_TYPE_LEVEL_HIGH>,
++ <0 0 0 4 &intc 0 0 139 IRQ_TYPE_LEVEL_HIGH>;
+
+ clocks = <&gcc GCC_PCIE_0_PIPE_CLK>,
+ <&gcc GCC_PCIE_0_MSTR_AXI_CLK>,
diff --git a/queue-5.4/btrfs-add-missing-mutex_unlock-in-btrfs_relocate_sys_chunks.patch b/queue-5.4/btrfs-add-missing-mutex_unlock-in-btrfs_relocate_sys_chunks.patch
new file mode 100644
index 00000000000..7d462dbf570
--- /dev/null
+++ b/queue-5.4/btrfs-add-missing-mutex_unlock-in-btrfs_relocate_sys_chunks.patch
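Review bot: The upstream description says the 'interrupt-map' is malformed in several QCom SoCs, yet this backport's diffstat lists only arch/arm64/boot/dts/qcom/msm8998.dtsi and nothing records why the other SoC files were left out. A bracketed backport note above the final sign-off, along the lines of `[5.4: only the msm8998.dtsi hunk applies to this tree]` (wording to be confirmed against the tree), would let someone auditing the queue see that the narrower scope was deliberate rather than a dropped hunk. The change itself is consistent: each of the four entries gains one extra `0` after `&intc` for the parent's address cell, and `interrupt-map-mask` is correctly left alone since it only covers the child-side cells.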
@@ -0,0 +1,36 @@
+From 9af503d91298c3f2945e73703f0e00995be08c30 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Fri, 19 Apr 2024 11:22:48 +0900
+Subject: btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()
+
+From: Dominique Martinet
+
+commit 9af503d91298c3f2945e73703f0e00995be08c30 upstream.
+
+The previous patch that replaced BUG_ON by error handling forgot to
+unlock the mutex in the error path.
+
+Link: https://lore.kernel.org/all/Zh%2fHpAGFqa7YAFuM@duo.ucw.cz
+Reported-by: Pavel Machek
+Fixes: 7411055db5ce ("btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()")
+CC: stable@vger.kernel.org
+Reviewed-by: Pavel Machek
+Signed-off-by: Dominique Martinet
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Dominique Martinet
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/volumes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -3277,6 +3277,7 @@ again:
+ * alignment and size).
+ */
+ ret = -EUCLEAN;
++ mutex_unlock(&fs_info->delete_unused_bgs_mutex);
+ goto error;
+ }
+
diff --git a/queue-5.4/drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch b/queue-5.4/drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch
new file mode 100644
index 00000000000..e99f4c61a57
--- /dev/null
+++ b/queue-5.4/drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch
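Review bot: The added `mutex_unlock(&fs_info->delete_unused_bgs_mutex);` sits directly before `goto error;`, so correctness now depends on the `error:` label — which is outside this hunk — not releasing the same mutex again; a double unlock would be as serious as the leak being fixed, so that label's body should be checked in the 5.4 copy of fs/btrfs/volumes.c. The enclosing function btrfs_relocate_sys_chunks() starts and ends outside the hunk. Since each error exit in this loop apparently has to remember the unlock by hand, a short comment on the added line, `/* every goto error in this loop must drop delete_unused_bgs_mutex first */`, would make the convention visible to the next change that adds an exit here.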
@@ -0,0 +1,47 @@
+From b8d55a90fd55b767c25687747e2b24abd1ef8680 Mon Sep 17 00:00:00 2001
+From: Srinivasan Shanmugam
+Date: Tue, 26 Dec 2023 15:32:19 +0530
+Subject: drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Srinivasan Shanmugam
+
+commit b8d55a90fd55b767c25687747e2b24abd1ef8680 upstream.
+
+Return invalid error code -EINVAL for invalid block id.
+
+Fixes the below:
+
+drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)
+
+Suggested-by: Hawking Zhang
+Cc: Tao Zhou
+Cc: Hawking Zhang
+Cc: Christian König
+Cc: Alex Deucher
+Signed-off-by: Srinivasan Shanmugam
+Reviewed-by: Hawking Zhang
+Signed-off-by: Alex Deucher
+[Ajay: applied AMDGPU_RAS_BLOCK_COUNT condition to amdgpu_ras_error_query()
+ as amdgpu_ras_query_error_status_helper() not present in v5.10, v5.4
+ amdgpu_ras_query_error_status_helper() was introduced in 8cc0f5669eb6]
+Signed-off-by: Ajay Kaher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+@@ -594,6 +594,9 @@ int amdgpu_ras_error_query(struct amdgpu
+ if (!obj)
+ return -EINVAL;
+
++ if (!info || info->head.block == AMDGPU_RAS_BLOCK_COUNT)
++ return -EINVAL;
++
+ switch (info->head.block) {
+ case AMDGPU_RAS_BLOCK__UMC:
+ if (adev->umc.funcs->query_ras_error_count)
diff --git a/queue-5.4/firmware-arm_scmi-harden-accesses-to-the-reset-domains.patch b/queue-5.4/firmware-arm_scmi-harden-accesses-to-the-reset-domains.patch
new file mode 100644
index 00000000000..7e08b40df0e
--- /dev/null
+++ b/queue-5.4/firmware-arm_scmi-harden-accesses-to-the-reset-domains.patch
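Review bot: The new `!info` test is placed after `if (!obj) return -EINVAL;`, but in amdgpu_ras_error_query() `obj` is normally looked up from `&info->head` at the top of the function (that line is above the hunk, so this is inferred from the 5.4 code rather than visible here); if that is the case, a NULL `info` has already been dereferenced inside the lookup before the new guard runs and the `!info` half of the condition is dead. Moving the combined check to the first statement of the function, ahead of the `obj` lookup, would make it effective: `if (!info || info->head.block == AMDGPU_RAS_BLOCK_COUNT) return -EINVAL;`. The `AMDGPU_RAS_BLOCK_COUNT` comparison is still worthwhile where it stands, since it is what protects the `switch (info->head.block)` that follows. The function body continues outside the hunk.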
@@ -0,0 +1,41 @@
+From e9076ffbcaed5da6c182b144ef9f6e24554af268 Mon Sep 17 00:00:00 2001
+From: Cristian Marussi
+Date: Wed, 17 Aug 2022 18:27:29 +0100
+Subject: firmware: arm_scmi: Harden accesses to the reset domains
+
+From: Cristian Marussi
+
+commit e9076ffbcaed5da6c182b144ef9f6e24554af268 upstream.
+
+Accessing reset domains descriptors by the index upon the SCMI drivers
+requests through the SCMI reset operations interface can potentially
+lead to out-of-bound violations if the SCMI driver misbehave.
+
+Add an internal consistency check before any such domains descriptors
+accesses.
+
+Link: https://lore.kernel.org/r/20220817172731.1185305-5-cristian.marussi@arm.com
+Signed-off-by: Cristian Marussi
+Signed-off-by: Sudeep Holla
+Signed-off-by: Dominique Martinet
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/arm_scmi/reset.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/firmware/arm_scmi/reset.c
++++ b/drivers/firmware/arm_scmi/reset.c
+@@ -135,8 +135,12 @@ static int scmi_domain_reset(const struc
+ struct scmi_xfer *t;
+ struct scmi_msg_reset_domain_reset *dom;
+ struct scmi_reset_info *pi = handle->reset_priv;
+- struct reset_dom_info *rdom = pi->dom_info + domain;
++ struct reset_dom_info *rdom;
+
++ if (domain >= pi->num_domains)
++ return -EINVAL;
++
++ rdom = pi->dom_info + domain;
+ if (rdom->async_reset)
+ flags |= ASYNCHRONOUS_RESET;
+
diff --git a/queue-5.4/series b/queue-5.4/series
index ec7df25a17d..68b2148448b 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
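Review bot: Only scmi_domain_reset() gains the `domain >= pi->num_domains` guard, while the description promises a check "before any such domains descriptors accesses"; if the 5.4 copy of reset.c also has per-domain getters (name, latency) that index `pi->dom_info` by a caller-supplied domain, those remain unguarded and the hardening is partial, which is worth confirming before the patch is queued. The enclosing function starts outside the hunk and its signature is truncated in the `@@` line, so the type of `domain` is not visible; if it is unsigned and `num_domains` is a signed int, the comparison is done unsigned and relies on `num_domains` never being negative, which deserves a one-line comment on the new check, e.g. `/* num_domains is non-negative, so the unsigned compare is safe */`, if that invariant holds.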
@@ -6,3 +6,8 @@ net-bcmgenet-keep-mac-in-reset-until-phy-is-up.patch
 net-bcmgenet-synchronize-ext_rgmii_oob_ctrl-access.patch
 net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch
 net-bcmgenet-synchronize-umac_cmd-access.patch
+smb-client-fix-potential-oobs-in-smb2_parse_contexts.patch
+firmware-arm_scmi-harden-accesses-to-the-reset-domains.patch
+arm64-dts-qcom-fix-interrupt-map-parent-address-cells.patch
+btrfs-add-missing-mutex_unlock-in-btrfs_relocate_sys_chunks.patch
+drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch
diff --git a/queue-5.4/smb-client-fix-potential-oobs-in-smb2_parse_contexts.patch b/queue-5.4/smb-client-fix-potential-oobs-in-smb2_parse_contexts.patch
new file mode 100644
index 00000000000..8b4bb7df819
--- /dev/null
+++ b/queue-5.4/smb-client-fix-potential-oobs-in-smb2_parse_contexts.patch
@@ -0,0 +1,227 @@
+From af1689a9b7701d9907dfc84d2a4b57c4bc907144 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Mon, 11 Dec 2023 10:26:41 -0300
+Subject: smb: client: fix potential OOBs in smb2_parse_contexts()
+
+From: Paulo Alcantara
+
+commit af1689a9b7701d9907dfc84d2a4b57c4bc907144 upstream.
+
+Validate offsets and lengths before dereferencing create contexts in
+smb2_parse_contexts().
+
+This fixes following oops when accessing invalid create contexts from
+server:
+
+ BUG: unable to handle page fault for address: ffff8881178d8cc3
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 4a01067 P4D 4a01067 PUD 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+ rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+ RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]
+ Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00
+ 00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7
+ 7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00
+ RSP: 0018:ffffc900007939e0 EFLAGS: 00010216
+ RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90
+ RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000
+ RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000
+ R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000
+ R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22
+ FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)
+ knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0
+ PKRU: 55555554
+ Call Trace:
+
+ ? __die+0x23/0x70
+ ? page_fault_oops+0x181/0x480
+ ? search_module_extables+0x19/0x60
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? exc_page_fault+0x1b6/0x1c0
+ ? asm_exc_page_fault+0x26/0x30
+ ? smb2_parse_contexts+0xa0/0x3a0 [cifs]
+ SMB2_open+0x38d/0x5f0 [cifs]
+ ? smb2_is_path_accessible+0x138/0x260 [cifs]
+ smb2_is_path_accessible+0x138/0x260 [cifs]
+ cifs_is_path_remote+0x8d/0x230 [cifs]
+ cifs_mount+0x7e/0x350 [cifs]
+ cifs_smb3_do_mount+0x128/0x780 [cifs]
+ smb3_get_tree+0xd9/0x290 [cifs]
+ vfs_get_tree+0x2c/0x100
+ ? capable+0x37/0x70
+ path_mount+0x2d7/0xb80
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? _raw_spin_unlock_irqrestore+0x44/0x60
+ __x64_sys_mount+0x11a/0x150
+ do_syscall_64+0x47/0xf0
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+ RIP: 0033:0x7f8737657b1e
+
+Reported-by: Robert Morris
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE)
+Signed-off-by: Steve French
+[Guru: Removed changes to cached_dir.c and checking return value
+of smb2_parse_contexts in smb2ops.c]
+Signed-off-by: Guruswamy Basavaiah
+[v5.4: Fixed merge-conflicts in smb2_parse_contexts for
+missing parameter POSIX response]
+Signed-off-by: Shaoying Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/smb2ops.c | 4 +-
+ fs/cifs/smb2pdu.c | 79 ++++++++++++++++++++++++++++++++++------------------
+ fs/cifs/smb2proto.h | 10 +++--
+ 3 files changed, 61 insertions(+), 32 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -787,9 +787,11 @@ int open_shroot(unsigned int xid, struct
+ /* BB TBD check to see if oplock level check can be removed below */
+ if (o_rsp->OplockLevel == SMB2_OPLOCK_LEVEL_LEASE) {
+ kref_get(&tcon->crfid.refcount);
+- smb2_parse_contexts(server, o_rsp,
++ rc = smb2_parse_contexts(server, rsp_iov,
+ &oparms.fid->epoch,
+ oparms.fid->lease_key, &oplock, NULL);
++ if (rc)
++ goto oshr_exit;
+ } else
+ goto oshr_exit;
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1929,48 +1929,73 @@ parse_query_id_ctxt(struct create_contex
+ buf->IndexNumber = pdisk_id->DiskFileId;
+ }
+
+-void
+-smb2_parse_contexts(struct TCP_Server_Info *server,
+- struct smb2_create_rsp *rsp,
+- unsigned int *epoch, char *lease_key, __u8 *oplock,
+- struct smb2_file_all_info *buf)
++int smb2_parse_contexts(struct TCP_Server_Info *server,
++ struct kvec *rsp_iov,
++ unsigned int *epoch,
++ char *lease_key, __u8 *oplock,
++ struct smb2_file_all_info *buf)
+ {
+- char *data_offset;
++ struct smb2_create_rsp *rsp = rsp_iov->iov_base;
+ struct create_context *cc;
+- unsigned int next;
+- unsigned int remaining;
++ size_t rem, off, len;
++ size_t doff, dlen;
++ size_t noff, nlen;
+ char *name;
+
+ *oplock = 0;
+- data_offset = (char *)rsp + le32_to_cpu(rsp->CreateContextsOffset);
+- remaining = le32_to_cpu(rsp->CreateContextsLength);
+- cc = (struct create_context *)data_offset;
++
++ off = le32_to_cpu(rsp->CreateContextsOffset);
++ rem = le32_to_cpu(rsp->CreateContextsLength);
++ if (check_add_overflow(off, rem, &len) || len > rsp_iov->iov_len)
++ return -EINVAL;
++ cc = (struct create_context *)((u8 *)rsp + off);
+
+ /* Initialize inode number to 0 in case no valid data in qfid context */
+ if (buf)
+ buf->IndexNumber = 0;
+
+- while (remaining >= sizeof(struct create_context)) {
+- name = le16_to_cpu(cc->NameOffset) + (char *)cc;
+- if (le16_to_cpu(cc->NameLength) == 4 &&
+- strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4) == 0)
+- *oplock = server->ops->parse_lease_buf(cc, epoch,
+- lease_key);
+- else if (buf && (le16_to_cpu(cc->NameLength) == 4) &&
+- strncmp(name, SMB2_CREATE_QUERY_ON_DISK_ID, 4) == 0)
+- parse_query_id_ctxt(cc, buf);
++ while (rem >= sizeof(*cc)) {
++ doff = le16_to_cpu(cc->DataOffset);
++ dlen = le32_to_cpu(cc->DataLength);
++ if (check_add_overflow(doff, dlen, &len) || len > rem)
++ return -EINVAL;
++
++ noff = le16_to_cpu(cc->NameOffset);
++ nlen = le16_to_cpu(cc->NameLength);
++ if (noff + nlen >= doff)
++ return -EINVAL;
++
++ name = (char *)cc + noff;
++ switch (nlen) {
++ case 4:
++ if (!strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4)) {
++ *oplock = server->ops->parse_lease_buf(cc, epoch,
++ lease_key);
++ } else if (buf &&
++ !strncmp(name, SMB2_CREATE_QUERY_ON_DISK_ID, 4)) {
++ parse_query_id_ctxt(cc, buf);
++ }
++ break;
++ default:
++ cifs_dbg(FYI, "%s: unhandled context (nlen=%zu dlen=%zu)\n",
++ __func__, nlen, dlen);
++ if (IS_ENABLED(CONFIG_CIFS_DEBUG2))
++ cifs_dump_mem("context data: ", cc, dlen);
++ break;
++ }
+
+- next = le32_to_cpu(cc->Next);
+- if (!next)
++ off = le32_to_cpu(cc->Next);
++ if (!off)
+ break;
+- remaining -= next;
+- cc = (struct create_context *)((char *)cc + next);
++ if (check_sub_overflow(rem, off, &rem))
++ return -EINVAL;
++ cc = (struct create_context *)((u8 *)cc + off);
+ }
+
+ if (rsp->OplockLevel != SMB2_OPLOCK_LEVEL_LEASE)
+ *oplock = rsp->OplockLevel;
+
+- return;
++ return 0;
+ }
+
+ static int
+@@ -2680,8 +2705,8 @@ SMB2_open(const unsigned int xid, struct
+ }
+
+
+- smb2_parse_contexts(server, rsp, &oparms->fid->epoch,
+- oparms->fid->lease_key, oplock, buf);
++ rc = smb2_parse_contexts(server, &rsp_iov, &oparms->fid->epoch,
++ oparms->fid->lease_key, oplock, buf);
+ creat_exit:
+ SMB2_open_free(&rqst);
+ free_rsp_buf(resp_buftype, rsp);
+--- a/fs/cifs/smb2proto.h
++++ b/fs/cifs/smb2proto.h
+@@ -238,10 +238,12 @@ extern int smb3_validate_negotiate(const
+
+ extern enum securityEnum smb2_select_sectype(struct TCP_Server_Info *,
+ enum securityEnum);
+-extern void smb2_parse_contexts(struct TCP_Server_Info *server,
+- struct smb2_create_rsp *rsp,
+- unsigned int *epoch, char *lease_key,
+- __u8 *oplock, struct smb2_file_all_info *buf);
++int smb2_parse_contexts(struct TCP_Server_Info *server,
++ struct kvec *rsp_iov,
++ unsigned int *epoch,
++ char *lease_key, __u8 *oplock,
++ struct smb2_file_all_info *buf);
++
+ extern int smb3_encryption_required(const struct cifs_tcon *tcon);
+ extern int smb2_validate_iov(unsigned int offset, unsigned int buffer_length,
+ struct kvec *iov, unsigned int min_buf_size);
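Review bot: In the smb2ops.c hunk the new `if (rc) goto oshr_exit;` runs after `kref_get(&tcon->crfid.refcount);` two lines above has already taken a reference, and nothing in the hunk drops it on the error path; unless `oshr_exit` (outside the hunk, as is the rest of open_shroot()) checks `rc` and tears the cached root fid down, a malformed CREATE response now leaves `tcon->crfid` half-initialised with an extra reference and an open handle on the server, whereas before the patch the same response would oops. The least invasive repair is to take the reference only once the contexts have parsed cleanly, i.e. move `kref_get(&tcon->crfid.refcount);` below `if (rc) goto oshr_exit;`, provided `oshr_exit` does not itself expect the reference to be held. The bracketed note `[Guru: Removed changes to cached_dir.c and checking return value of smb2_parse_contexts in smb2ops.c]` also contradicts this hunk, which does add the return-value check, so the backport notes should be corrected to describe what the 5.4 version actually does. In smb2_parse_contexts() itself, `if (noff + nlen >= doff)` rejects every context whose `DataOffset` is 0, whatever the name placement; that matches upstream, but a comment such as `/* name must lie entirely before the data; a DataOffset of 0 is rejected */` would record that this is intentional rather than an off-by-one.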