From 4203da9b264b5cba5ea0c16b9ee3d87c44f3a37c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 27 Dec 2021 15:57:41 +0100
Subject: [PATCH] 5.4-stable patches

added patches:
ax25-npd-bug-when-detaching-ax25-device.patch
hamradio-defer-ax25-kfree-after-unregister_netdev.patch
hamradio-improve-the-incomplete-fix-to-avoid-npd.patch
hwmom-lm90-fix-citical-alarm-status-for-max6680-max6681.patch
hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch
phonet-pep-refuse-to-enable-an-unbound-pipe.patch
pinctrl-mediatek-fix-global-out-of-bounds-issue.patch
---
...5-npd-bug-when-detaching-ax25-device.patch | 58 +++++++++++++++
...r-ax25-kfree-after-unregister_netdev.patch | 66 +++++++++++++++++
...rove-the-incomplete-fix-to-avoid-npd.patch | 74 +++++++++++++++++++
...cal-alarm-status-for-max6680-max6681.patch | 59 +++++++++++++++
...-not-report-busy-status-bit-as-alarm.patch | 38 ++++++++++
...pep-refuse-to-enable-an-unbound-pipe.patch | 39 ++++++++++
...iatek-fix-global-out-of-bounds-issue.patch | 39 ++++++++++
queue-5.4/series | 7 ++
8 files changed, 380 insertions(+)
create mode 100644 queue-5.4/ax25-npd-bug-when-detaching-ax25-device.patch
create mode 100644 queue-5.4/hamradio-defer-ax25-kfree-after-unregister_netdev.patch
create mode 100644 queue-5.4/hamradio-improve-the-incomplete-fix-to-avoid-npd.patch
create mode 100644 queue-5.4/hwmom-lm90-fix-citical-alarm-status-for-max6680-max6681.patch
create mode 100644 queue-5.4/hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch
create mode 100644 queue-5.4/phonet-pep-refuse-to-enable-an-unbound-pipe.patch
create mode 100644 queue-5.4/pinctrl-mediatek-fix-global-out-of-bounds-issue.patch
diff --git a/queue-5.4/ax25-npd-bug-when-detaching-ax25-device.patch b/queue-5.4/ax25-npd-bug-when-detaching-ax25-device.patch
new file mode 100644
index 00000000000..94c2c41a253
--- /dev/null
+++ b/queue-5.4/ax25-npd-bug-when-detaching-ax25-device.patch
@@ -0,0 +1,58 @@
+From 1ade48d0c27d5da1ccf4b583d8c5fc8b534a3ac8 Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Fri, 17 Dec 2021 10:29:41 +0800
+Subject: ax25: NPD bug when detaching AX25 device
+
+From: Lin Ma
+
+commit 1ade48d0c27d5da1ccf4b583d8c5fc8b534a3ac8 upstream.
+
+The existing cleanup routine implementation is not well synchronized
+with the syscall routine. When a device is detaching, below race could
+occur.
+
+static int ax25_sendmsg(...) {
+ ...
+ lock_sock()
+ ax25 = sk_to_ax25(sk);
+ if (ax25->ax25_dev == NULL) // CHECK
+ ...
+ ax25_queue_xmit(skb, ax25->ax25_dev->dev); // USE
+ ...
+}
+
+static void ax25_kill_by_device(...) {
+ ...
+ if (s->ax25_dev == ax25_dev) {
+ s->ax25_dev = NULL;
+ ...
+}
+
+Other syscall functions like ax25_getsockopt, ax25_getname,
+ax25_info_show also suffer from similar races. To fix them, this patch
+introduce lock_sock() into ax25_kill_by_device in order to guarantee
+that the nullify action in cleanup routine cannot proceed when another
+socket request is pending.
+
+Signed-off-by: Hanjie Wu
+Signed-off-by: Lin Ma
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ax25/af_ax25.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -85,8 +85,10 @@ static void ax25_kill_by_device(struct n
+ again:
+ ax25_for_each(s, &ax25_list) {
+ if (s->ax25_dev == ax25_dev) {
+- s->ax25_dev = NULL;
+ spin_unlock_bh(&ax25_list_lock);
++ lock_sock(s->sk);
++ s->ax25_dev = NULL;
++ release_sock(s->sk);
+ ax25_disconnect(s, ENETUNREACH);
+ spin_lock_bh(&ax25_list_lock);
+ 
diff --git a/queue-5.4/hamradio-defer-ax25-kfree-after-unregister_netdev.patch b/queue-5.4/hamradio-defer-ax25-kfree-after-unregister_netdev.patch
new file mode 100644
index 00000000000..11762cf342e
--- /dev/null
+++ b/queue-5.4/hamradio-defer-ax25-kfree-after-unregister_netdev.patch
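Review bot: In the ax25_kill_by_device hunk, `spin_unlock_bh(&ax25_list_lock)` gives up the lock that protects the list walk before `lock_sock(s->sk)` is taken, and nothing in these lines holds a reference on `s->sk` across that window, so the socket this code is about to lock may be released by a concurrent close — as far as the visible lines show, the fixed NULL dereference could become a use-after-free. Taking a socket reference across the window addresses it: `sk = s->sk; sock_hold(sk);` before the unlock, lock/nullify/release through `sk`, and `sock_put(sk);` after `spin_lock_bh(&ax25_list_lock)` is reacquired. ax25_kill_by_device starts and ends outside the hunk, so the `again:` restart logic and where `sk` would be declared are not visible here.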
@@ -0,0 +1,66 @@
+From 3e0588c291d6ce225f2b891753ca41d45ba42469 Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Mon, 8 Nov 2021 18:37:21 +0800
+Subject: hamradio: defer ax25 kfree after unregister_netdev
+
+From: Lin Ma
+
+commit 3e0588c291d6ce225f2b891753ca41d45ba42469 upstream.
+
+There is a possible race condition (use-after-free) like below
+
+ (USE) | (FREE)
+ax25_sendmsg |
+ ax25_queue_xmit |
+ dev_queue_xmit |
+ __dev_queue_xmit |
+ __dev_xmit_skb |
+ sch_direct_xmit | ...
+ xmit_one |
+ netdev_start_xmit | tty_ldisc_kill
+ __netdev_start_xmit | mkiss_close
+ ax_xmit | kfree
+ ax_encaps |
+ |
+
+Even though there are two synchronization primitives before the kfree:
+1. wait_for_completion(&ax->dead). This can prevent the race with
+routines from mkiss_ioctl. However, it cannot stop the routine coming
+from upper layer, i.e., the ax25_sendmsg.
+
+2. netif_stop_queue(ax->dev). It seems that this line of code aims to
+halt the transmit queue but it fails to stop the routine that already
+being xmit.
+
+This patch reorder the kfree after the unregister_netdev to avoid the
+possible UAF as the unregister_netdev() is well synchronized and won't
+return if there is a running routine.
+
+Signed-off-by: Lin Ma
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/hamradio/mkiss.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -793,13 +793,14 @@ static void mkiss_close(struct tty_struc
+ */
+ netif_stop_queue(ax->dev);
+
+- /* Free all AX25 frame buffers. */
+- kfree(ax->rbuff);
+- kfree(ax->xbuff);
+-
+ ax->tty = NULL;
+
+ unregister_netdev(ax->dev);
++
++ /* Free all AX25 frame buffers after unreg. */
++ kfree(ax->rbuff);
++ kfree(ax->xbuff);
++
+ free_netdev(ax->dev);
+ }
+ 
diff --git a/queue-5.4/hamradio-improve-the-incomplete-fix-to-avoid-npd.patch b/queue-5.4/hamradio-improve-the-incomplete-fix-to-avoid-npd.patch
new file mode 100644
index 00000000000..654fc4f98da
--- /dev/null
+++ b/queue-5.4/hamradio-improve-the-incomplete-fix-to-avoid-npd.patch
@@ -0,0 +1,74 @@
+From b2f37aead1b82a770c48b5d583f35ec22aabb61e Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Fri, 17 Dec 2021 10:13:56 +0800
+Subject: hamradio: improve the incomplete fix to avoid NPD
+
+From: Lin Ma
+
+commit b2f37aead1b82a770c48b5d583f35ec22aabb61e upstream.
+
+The previous commit 3e0588c291d6 ("hamradio: defer ax25 kfree after
+unregister_netdev") reorder the kfree operations and unregister_netdev
+operation to prevent UAF.
+
+This commit improves the previous one by also deferring the nullify of
+the ax->tty pointer. Otherwise, a NULL pointer dereference bug occurs.
+Partial of the stack trace is shown below.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000538
+RIP: 0010:ax_xmit+0x1f9/0x400
+...
+Call Trace:
+ dev_hard_start_xmit+0xec/0x320
+ sch_direct_xmit+0xea/0x240
+ __qdisc_run+0x166/0x5c0
+ __dev_queue_xmit+0x2c7/0xaf0
+ ax25_std_establish_data_link+0x59/0x60
+ ax25_connect+0x3a0/0x500
+ ? security_socket_connect+0x2b/0x40
+ __sys_connect+0x96/0xc0
+ ? __hrtimer_init+0xc0/0xc0
+ ? common_nsleep+0x2e/0x50
+ ? switch_fpu_return+0x139/0x1a0
+ __x64_sys_connect+0x11/0x20
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The crash point is shown as below
+
+static void ax_encaps(...) {
+ ...
+ set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); // ax->tty = NULL!
+ ...
+}
+
+By placing the nullify action after the unregister_netdev, the ax->tty
+pointer won't be assigned as NULL net_device framework layer is well
+synchronized.
+
+Signed-off-by: Lin Ma
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/hamradio/mkiss.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -793,14 +793,14 @@ static void mkiss_close(struct tty_struc
+ */
+ netif_stop_queue(ax->dev);
+
+- ax->tty = NULL;
+-
+ unregister_netdev(ax->dev);
+
+ /* Free all AX25 frame buffers after unreg. */
+ kfree(ax->rbuff);
+ kfree(ax->xbuff);
+
++ ax->tty = NULL;
++
+ free_netdev(ax->dev);
+ }
+ 
diff --git a/queue-5.4/hwmom-lm90-fix-citical-alarm-status-for-max6680-max6681.patch b/queue-5.4/hwmom-lm90-fix-citical-alarm-status-for-max6680-max6681.patch
new file mode 100644
index 00000000000..dac3d35e53c
--- /dev/null
+++ b/queue-5.4/hwmom-lm90-fix-citical-alarm-status-for-max6680-max6681.patch
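Review bot: The relocated `ax->tty = NULL;` carries no comment, and the only rationale for its position — ax_xmit()/ax_encaps() can still dereference `ax->tty` until unregister_netdev() returns — lives in the commit message, so a later reader of mkiss_close() will see the tty pointer cleared after the device is already gone and may move it back. Suggest `/* Keep ax->tty valid until unregister_netdev() has drained in-flight ax_xmit() callers. */` above the assignment, and extending the "after unreg" comment on the kfree() calls with the same reason. mkiss_close() begins outside the hunk, so whether an earlier wait (the `ax->dead` completion the message mentions) already covers part of this cannot be checked here.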
@@ -0,0 +1,59 @@
+From da7dc0568491104c7acb632e9d41ddce9aaabbb1 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Fri, 26 Nov 2021 22:43:39 -0800
+Subject: hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681
+
+From: Guenter Roeck
+
+commit da7dc0568491104c7acb632e9d41ddce9aaabbb1 upstream.
+
+Tests with a real chip and a closer look into the datasheet reveals
+that the local and remote critical alarm status bits are swapped for
+MAX6680/MAX6681.
+
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwmon/lm90.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/lm90.c
++++ b/drivers/hwmon/lm90.c
+@@ -190,6 +190,7 @@ enum chips { lm90, adm1032, lm99, lm86,
+ #define LM90_HAVE_EXTENDED_TEMP (1 << 8) /* extended temperature support*/
+ #define LM90_PAUSE_FOR_CONFIG (1 << 9) /* Pause conversion for config */
+ #define LM90_HAVE_CRIT (1 << 10)/* Chip supports CRIT/OVERT register */
++#define LM90_HAVE_CRIT_ALRM_SWP (1 << 11)/* critical alarm bits swapped */
+
+ /* LM90 status */
+ #define LM90_STATUS_LTHRM (1 << 0) /* local THERM limit tripped */
+@@ -415,7 +416,8 @@ static const struct lm90_params lm90_par
+ .reg_local_ext = MAX6657_REG_R_LOCAL_TEMPL,
+ },
+ [max6680] = {
+- .flags = LM90_HAVE_OFFSET | LM90_HAVE_CRIT,
++ .flags = LM90_HAVE_OFFSET | LM90_HAVE_CRIT
++ | LM90_HAVE_CRIT_ALRM_SWP,
+ .alert_alarms = 0x7c,
+ .max_convrate = 7,
+ },
+@@ -1191,6 +1193,7 @@ static const u8 lm90_temp_emerg_index[3]
+ static const u8 lm90_min_alarm_bits[3] = { 5, 3, 11 };
+ static const u8 lm90_max_alarm_bits[3] = { 6, 4, 12 };
+ static const u8 lm90_crit_alarm_bits[3] = { 0, 1, 9 };
++static const u8 lm90_crit_alarm_bits_swapped[3] = { 1, 0, 9 };
+ static const u8 lm90_emergency_alarm_bits[3] = { 15, 13, 14 };
+ static const u8 lm90_fault_bits[3] = { 0, 2, 10 };
+
+@@ -1216,7 +1219,10 @@ static int lm90_temp_read(struct device
+ *val = (data->alarms >> lm90_max_alarm_bits[channel]) & 1;
+ break;
+ case hwmon_temp_crit_alarm:
+- *val = (data->alarms >> lm90_crit_alarm_bits[channel]) & 1;
++ if (data->flags & LM90_HAVE_CRIT_ALRM_SWP)
++ *val = (data->alarms >> lm90_crit_alarm_bits_swapped[channel]) & 1;
++ else
++ *val = (data->alarms >> lm90_crit_alarm_bits[channel]) & 1;
+ break;
+ case hwmon_temp_emergency_alarm:
+ *val = (data->alarms >> lm90_emergency_alarm_bits[channel]) & 1;
diff --git a/queue-5.4/hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch b/queue-5.4/hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch
new file mode 100644
index 00000000000..5acaead4865
--- /dev/null
+++ b/queue-5.4/hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch
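Review bot: In the hwmon_temp_crit_alarm case the two branches repeat the same shift-and-mask and differ only in the table indexed, so the lookup is easier to keep correct if the table is chosen first: `const u8 *crit_bits = (data->flags & LM90_HAVE_CRIT_ALRM_SWP) ? lm90_crit_alarm_bits_swapped : lm90_crit_alarm_bits;` followed by `*val = (data->alarms >> crit_bits[channel]) & 1;`. The new flag is set only on the `[max6680]` entry in this hunk; the subject names MAX6681 as affected too, which is fine only if that part shares the max6680 entry, something these lines cannot confirm. A one-line comment on `lm90_crit_alarm_bits_swapped` saying which chips it serves would also help. lm90_temp_read() starts and ends outside the hunk.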
@@ -0,0 +1,38 @@
+From cdc5287acad9ede121924a9c9313544b80d15842 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Fri, 3 Dec 2021 13:42:22 -0800
+Subject: hwmon: (lm90) Do not report 'busy' status bit as alarm
+
+From: Guenter Roeck
+
+commit cdc5287acad9ede121924a9c9313544b80d15842 upstream.
+
+Bit 7 of the status register indicates that the chip is busy
+doing a conversion. It does not indicate an alarm status.
+Stop reporting it as alarm status bit.
+
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwmon/lm90.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hwmon/lm90.c
++++ b/drivers/hwmon/lm90.c
+@@ -200,6 +200,7 @@ enum chips { lm90, adm1032, lm99, lm86,
+ #define LM90_STATUS_RHIGH (1 << 4) /* remote high temp limit tripped */
+ #define LM90_STATUS_LLOW (1 << 5) /* local low temp limit tripped */
+ #define LM90_STATUS_LHIGH (1 << 6) /* local high temp limit tripped */
++#define LM90_STATUS_BUSY (1 << 7) /* conversion is ongoing */
+
+ #define MAX6696_STATUS2_R2THRM (1 << 1) /* remote2 THERM limit tripped */
+ #define MAX6696_STATUS2_R2OPEN (1 << 2) /* remote2 is an open circuit */
+@@ -819,7 +820,7 @@ static int lm90_update_device(struct dev
+ val = lm90_read_reg(client, LM90_REG_R_STATUS);
+ if (val < 0)
+ return val;
+- data->alarms = val; /* lower 8 bit of alarms */
++ data->alarms = val & ~LM90_STATUS_BUSY;
+
+ if (data->kind == max6696) {
+ val = lm90_select_remote_channel(data, 1);
diff --git a/queue-5.4/phonet-pep-refuse-to-enable-an-unbound-pipe.patch b/queue-5.4/phonet-pep-refuse-to-enable-an-unbound-pipe.patch
new file mode 100644
index 00000000000..794b3e5c5f1
--- /dev/null
+++ b/queue-5.4/phonet-pep-refuse-to-enable-an-unbound-pipe.patch
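Review bot: The replacement assignment in lm90_update_device() drops the `/* lower 8 bit of alarms */` comment, so the place where `data->alarms` is assembled no longer says that the status register occupies its low byte, and the new mask is left unexplained at the use site. Suggest `data->alarms = val & ~LM90_STATUS_BUSY; /* low byte is STATUS; bit 7 is BUSY, not an alarm */`. lm90_update_device() continues outside the hunk, so whether the max6696 path that follows merges further bits into `data->alarms` cannot be checked here.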
@@ -0,0 +1,39 @@
+From 75a2f31520095600f650597c0ac41f48b5ba0068 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?=
+Date: Sun, 19 Dec 2021 19:03:39 +0200
+Subject: phonet/pep: refuse to enable an unbound pipe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rémi Denis-Courmont
+
+commit 75a2f31520095600f650597c0ac41f48b5ba0068 upstream.
+
+This ioctl() implicitly assumed that the socket was already bound to
+a valid local socket name, i.e. Phonet object. If the socket was not
+bound, two separate problems would occur:
+
+1) We'd send an pipe enablement request with an invalid source object.
+2) Later socket calls could BUG on the socket unexpectedly being
+ connected yet not bound to a valid object.
+
+Reported-by: syzbot+2dc91e7fc3dea88b1e8a@syzkaller.appspotmail.com
+Signed-off-by: Rémi Denis-Courmont
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/phonet/pep.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -946,6 +946,8 @@ static int pep_ioctl(struct sock *sk, in
+ ret = -EBUSY;
+ else if (sk->sk_state == TCP_ESTABLISHED)
+ ret = -EISCONN;
++ else if (!pn->pn_sk.sobject)
++ ret = -EADDRNOTAVAIL;
+ else
+ ret = pep_sock_enable(sk, NULL, 0);
+ release_sock(sk);
diff --git a/queue-5.4/pinctrl-mediatek-fix-global-out-of-bounds-issue.patch b/queue-5.4/pinctrl-mediatek-fix-global-out-of-bounds-issue.patch
new file mode 100644
index 00000000000..b2ae9bf16e7
--- /dev/null
+++ b/queue-5.4/pinctrl-mediatek-fix-global-out-of-bounds-issue.patch
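Review bot: The new `else if (!pn->pn_sk.sobject)` branch gives no hint why an unbound socket must be refused at this point, and the reason (an enable request would carry an invalid source object, and later calls assume a bound object) is only in the commit message; suggest `/* Unbound socket: no valid source object to enable the pipe with. */` above the test. The check is placed after the EISCONN test and before pep_sock_enable(), inside the region that the visible `release_sock(sk)` closes, which is the right spot for a state check. `pn` is not declared within the hunk — pep_ioctl() starts outside it — so the assumption that it is the pep_sock for `sk` cannot be confirmed from these lines.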
@@ -0,0 +1,39 @@
+From 2d5446da5acecf9c67db1c9d55ae2c3e5de01f8d Mon Sep 17 00:00:00 2001
+From: Guodong Liu
+Date: Wed, 10 Nov 2021 15:19:00 +0800
+Subject: pinctrl: mediatek: fix global-out-of-bounds issue
+
+From: Guodong Liu
+
+commit 2d5446da5acecf9c67db1c9d55ae2c3e5de01f8d upstream.
+
+When eint virtual eint number is greater than gpio number,
+it maybe produce 'desc[eint_n]' size globle-out-of-bounds issue.
+
+Signed-off-by: Guodong Liu
+Signed-off-by: Zhiyong Tao
+Reviewed-by: Chen-Yu Tsai
+Link: https://lore.kernel.org/r/20211110071900.4490-2-zhiyong.tao@mediatek.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+@@ -236,8 +236,12 @@ static int mtk_xt_get_gpio_n(void *data,
+ desc = (const struct mtk_pin_desc *)hw->soc->pins;
+ *gpio_chip = &hw->chip;
+
+- /* Be greedy to guess first gpio_n is equal to eint_n */
+- if (desc[eint_n].eint.eint_n == eint_n)
++ /*
++ * Be greedy to guess first gpio_n is equal to eint_n.
++ * Only eint virtual eint number is greater than gpio number.
++ */
++ if (hw->soc->npins > eint_n &&
++ desc[eint_n].eint.eint_n == eint_n)
+ *gpio_n = eint_n;
+ else
+ *gpio_n = mtk_xt_find_eint_num(hw, eint_n);
diff --git a/queue-5.4/series b/queue-5.4/series
index e8e21b8692e..385528820be 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
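Review bot: The added comment line `* Only eint virtual eint number is greater than gpio number.` does not read as English and does not say what the new condition guards, so the next reader has to rediscover the out-of-bounds read from the commit message; suggest `* A virtual EINT number can exceed the number of GPIO pins, so bound-check eint_n before indexing desc[].` The bound test is the left operand of `&&`, so `desc[eint_n]` is not evaluated for an out-of-range number, which is what the fix relies on. Whether mtk_xt_find_eint_num() copes with such a number in the else branch is not visible here; mtk_xt_get_gpio_n() starts and ends outside the hunk.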
@@ -38,3 +38,10 @@ usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch
 kvm-vmx-fix-stale-docs-for-kvm-intel.emulate_invalid_guest_state.patch
 mm-mempolicy-fix-thp-allocations-escaping-mempolicy-restrictions.patch
 input-i8042-enable-deferred-probe-quirk-for-asus-um325ua.patch
+pinctrl-mediatek-fix-global-out-of-bounds-issue.patch
+hwmom-lm90-fix-citical-alarm-status-for-max6680-max6681.patch
+hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch
+ax25-npd-bug-when-detaching-ax25-device.patch
+hamradio-defer-ax25-kfree-after-unregister_netdev.patch
+hamradio-improve-the-incomplete-fix-to-avoid-npd.patch
+phonet-pep-refuse-to-enable-an-unbound-pipe.patch
-- 
2.47.2