From d3063ecf06d78cad509dfdeba7aca47ca76f05c3 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 17 Aug 2023 10:52:50 -0400 Subject: [PATCH] Fixes for 4.14 
Signed-off-by: Sasha Levin --- ...l-up-loops-in-dsp-setup-code-for-aud.patch | 153 ++++++++++++++++++ .../bluetooth-l2cap-fix-use-after-free.patch | 41 +++++ ...ix-potential-fence-use-after-free-v2.patch | 43 +++++ ...nteger-overflow-in-radeon_cs_parser_.patch | 41 +++++ ...-read-only-mounted-filesystem-in-txb.patch | 39 +++++ ...s-fix-null-ptr-deref-read-in-txbegin.patch | 44 +++++ ...-array-index-out-of-bounds-in-dballo.patch | 86 ++++++++++ ...ible-data-races-in-gfs2_show_options.patch | 86 ++++++++++ ...ediatek-vpu-fix-null-ptr-dereference.patch | 51 ++++++ ...em-add-lock-to-protect-parameter-num.patch | 69 ++++++++ ...c-prom-address-warray-bounds-warning.patch | 54 +++++++ ...tatic-fix-memory-leak-in-nonstatic_r.patch | 66 ++++++++ queue-4.14/quota-fix-warning-in-dqgrab.patch | 104 ++++++++++++ ...isable-quotas-when-add_dquot_ref-fai.patch | 43 +++++ queue-4.14/series | 15 ++ ...lized-array-access-for-some-pathname.patch | 39 +++++ 16 files changed, 974 insertions(+) create mode 100644 queue-4.14/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch create mode 100644 queue-4.14/bluetooth-l2cap-fix-use-after-free.patch create mode 100644 queue-4.14/drm-amdgpu-fix-potential-fence-use-after-free-v2.patch create mode 100644 queue-4.14/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch create mode 100644 queue-4.14/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch create mode 100644 queue-4.14/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch create mode 100644 queue-4.14/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch create mode 100644 queue-4.14/gfs2-fix-possible-data-races-in-gfs2_show_options.patch create mode 100644 queue-4.14/media-platform-mediatek-vpu-fix-null-ptr-dereference.patch create mode 100644 queue-4.14/media-v4l2-mem2mem-add-lock-to-protect-parameter-num.patch create mode 100644 queue-4.14/mips-dec-prom-address-warray-bounds-warning.patch create mode 100644 
queue-4.14/pcmcia-rsrc_nonstatic-fix-memory-leak-in-nonstatic_r.patch create mode 100644 queue-4.14/quota-fix-warning-in-dqgrab.patch create mode 100644 queue-4.14/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch create mode 100644 queue-4.14/udf-fix-uninitialized-array-access-for-some-pathname.patch diff --git a/queue-4.14/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch b/queue-4.14/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch new file mode 100644 index 00000000000..8c149270c34 --- /dev/null +++ b/queue-4.14/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch 
@@ -0,0 +1,153 @@ +From f1d424f1f1db23f3fcb7828b408c90caf59bd4f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 19:39:05 +0200 +Subject: ALSA: emu10k1: roll up loops in DSP setup code for Audigy + +From: Oswald Buddenhagen + +[ Upstream commit 8cabf83c7aa54530e699be56249fb44f9505c4f3 ] + +There is no apparent reason for the massive code duplication. + +Signed-off-by: Oswald Buddenhagen +Link: https://lore.kernel.org/r/20230510173917.3073107-3-oswald.buddenhagen@gmx.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/emu10k1/emufx.c | 112 +++----------------------------------- + 1 file changed, 9 insertions(+), 103 deletions(-) + +diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c +index 5c00e35367675..dc4b30d1b7168 100644 +--- a/sound/pci/emu10k1/emufx.c ++++ b/sound/pci/emu10k1/emufx.c +@@ -1557,14 +1557,8 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_GPR(var), A_GPR(vol), A_EXTIN(input)) + gpr += 2; + + /* Master volume (will be renamed later) */ +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, 
A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS)); ++ for (z = 0; z < 8; z++) ++ A_OP(icode, &ptr, iMAC0, A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS)); + snd_emu10k1_init_mono_control(&controls[nctl++], "Wave Master Playback Volume", gpr, 0); + gpr += 2; + +@@ -1648,102 +1642,14 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_GPR(var), A_GPR(vol), A_EXTIN(input)) + dev_dbg(emu->card->dev, "emufx.c: gpr=0x%x, tmp=0x%x\n", + gpr, tmp); + */ +- /* For the EMU1010: How to get 32bit values from the DSP. High 16bits into L, low 16bits into R. */ +- /* A_P16VIN(0) is delayed by one sample, +- * so all other A_P16VIN channels will need to also be delayed +- */ +- /* Left ADC in. 1 of 2 */ + snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_P16VIN(0x0), A_FXBUS2(0) ); +- /* Right ADC in 1 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- /* Delaying by one sample: instead of copying the input +- * value A_P16VIN to output A_FXBUS2 as in the first channel, +- * we use an auxiliary register, delaying the value by one +- * sample +- */ +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(2) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x1), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(4) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x2), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(6) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x3), 
A_C_00000000, A_C_00000000); +- /* For 96kHz mode */ +- /* Left ADC in. 2 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0x8) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x4), A_C_00000000, A_C_00000000); +- /* Right ADC in 2 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xa) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x5), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xc) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x6), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xe) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x7), A_C_00000000, A_C_00000000); +- /* Pavel Hofman - we still have voices, A_FXBUS2s, and +- * A_P16VINs available - +- * let's add 8 more capture channels - total of 16 +- */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x10)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x8), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x12)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x9), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x14)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xa), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, 
&ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x16)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xb), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x18)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xc), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1a)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xd), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1c)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xe), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1e)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xf), +- A_C_00000000, A_C_00000000); ++ /* A_P16VIN(0) is delayed by one sample, so all other A_P16VIN channels ++ * will need to also be delayed; we use an auxiliary register for that. */ ++ for (z = 1; z < 0x10; z++) { ++ snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr), A_FXBUS2(z * 2) ); ++ A_OP(icode, &ptr, iACC3, A_GPR(gpr), A_P16VIN(z), A_C_00000000, A_C_00000000); ++ gpr_map[gpr++] = 0x00000000; ++ } + } + + #if 0 +-- +2.40.1 + diff --git a/queue-4.14/bluetooth-l2cap-fix-use-after-free.patch b/queue-4.14/bluetooth-l2cap-fix-use-after-free.patch new file mode 100644 index 00000000000..0f50f5ffe61 --- /dev/null +++ b/queue-4.14/bluetooth-l2cap-fix-use-after-free.patch 
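Review bot: The commit message names no bug ("no apparent reason for the massive code duplication"), so for a 4.14 stable queue this is a pure cleanup that adds backport risk without a user-visible fix; unless it is a prerequisite for a later patch in this batch, the stable rules would normally leave it out. Both rewritten loops use a loop variable `z` that neither hunk declares; it is presumably the existing `z` of the enclosing Audigy init function, whose start and end lie outside the hunks, but that should be confirmed against the 4.14 file. The second loop also moves `gpr_map[gpr++] = 0x00000000;` after the two ops that reference `A_GPR(gpr)`, which is only equivalent because `gpr_map` is an initial-value table consumed later rather than executed in order; a one-line comment such as `/* gpr_map is just the initial GPR contents, so zeroing after use is fine */` would save the next reader the same check. Naming the bounds (`8` and `0x10`) or commenting them as the master-volume channel count and the P16VIN channel count would help too.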
@@ -0,0 +1,41 @@
+From bd44ec9c4fc3a04ecb15b3ce9a458883a1acd0cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 May 2023 17:04:15 -0700
+Subject: Bluetooth: L2CAP: Fix use-after-free
+
+From: Zhengping Jiang
+
+[ Upstream commit f752a0b334bb95fe9b42ecb511e0864e2768046f ]
+
+Fix potential use-after-free in l2cap_le_command_rej.
+
+Signed-off-by: Zhengping Jiang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 25d88b8cfae97..6bae68b5d439c 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5705,9 +5705,14 @@ static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
+ if (!chan)
+ goto done;
+
++ chan = l2cap_chan_hold_unless_zero(chan);
++ if (!chan)
++ goto done;
++
+ l2cap_chan_lock(chan);
+ l2cap_chan_del(chan, ECONNREFUSED);
+ l2cap_chan_unlock(chan);
++ l2cap_chan_put(chan);
+
+ done:
+ mutex_unlock(&conn->chan_lock);
+--
+2.40.1
+
diff --git a/queue-4.14/drm-amdgpu-fix-potential-fence-use-after-free-v2.patch b/queue-4.14/drm-amdgpu-fix-potential-fence-use-after-free-v2.patch
new file mode 100644
index 00000000000..96b9069b351
--- /dev/null
+++ b/queue-4.14/drm-amdgpu-fix-potential-fence-use-after-free-v2.patch
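Review bot: The new code calls `l2cap_chan_hold_unless_zero()`, which nothing in this queue introduces; it exists in 4.14 only if the earlier `l2cap_chan_put` use-after-free fix that added it was backported, so a build of the queue should confirm the symbol resolves before this lands. The shape of the fix is right: taking a reference before `l2cap_chan_lock()` and dropping it with `l2cap_chan_put()` after `l2cap_chan_del()` means the channel cannot be freed while it is locked, and the `goto done` path still releases `conn->chan_lock`. `l2cap_le_command_rej()` starts before the hunk, so the lookup that produced `chan` is not visible here. A comment above the hold, e.g. `/* pin chan so l2cap_chan_del() cannot drop the last ref under the lock */`, would explain the extra reference to a backport reader.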
@@ -0,0 +1,43 @@
+From cc36d983b6a398728820a3d363c20ea38e227d03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jun 2023 18:10:47 -0700
+Subject: drm/amdgpu: Fix potential fence use-after-free v2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: shanzhulig
+
+[ Upstream commit 2e54154b9f27262efd0cb4f903cc7d5ad1fe9628 ]
+
+fence Decrements the reference count before exiting.
+Avoid Race Vulnerabilities for fence use-after-free.
+
+v2 (chk): actually fix the use after free and not just move it.
+
+Signed-off-by: shanzhulig
+Signed-off-by: Christian König
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+index 8a8b65b1b5a9a..7bad519aaae08 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -1343,6 +1343,9 @@ static int amdgpu_cs_wait_all_fences(struct amdgpu_device *adev,
+ continue;
+
+ r = dma_fence_wait_timeout(fence, true, timeout);
++ if (r > 0 && fence->error)
++ r = fence->error;
++
+ dma_fence_put(fence);
+ if (r < 0)
+ return r;
+--
+2.40.1
+
diff --git a/queue-4.14/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch b/queue-4.14/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch
new file mode 100644
index 00000000000..402bff695eb
--- /dev/null
+++ b/queue-4.14/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch
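Review bot: This backport is insertion-only (the diffstat says 3 insertions, no deletions), so it removes no read of `fence->error` after `dma_fence_put()`; either 4.14's `amdgpu_cs_wait_all_fences()` never had that post-put read, in which case there is no use-after-free here and the hunk is a behaviour change (a signalled fence carrying a non-zero `error` now fails the wait with that error instead of returning success), or the dangling read is still present below the hunk and the UAF is not fixed. The backport note should say which, since the subject promises a UAF fix. The function continues past the hunk, so the `r == 0` timeout handling and the loop end are not visible. A comment on the new lines, e.g. `/* read the error before the put: the fence may be freed by it */`, would make the ordering requirement explicit.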
@@ -0,0 +1,41 @@
+From e504f9c24c4d5a0fa510892671fd5dc8b97a21eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Apr 2023 20:20:58 +0800
+Subject: drm/radeon: Fix integer overflow in radeon_cs_parser_init
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: hackyzh002
+
+[ Upstream commit f828b681d0cd566f86351c0b913e6cb6ed8c7b9c ]
+
+The type of size is unsigned, if size is 0x40000000, there will be an
+integer overflow, size will be zero after size *= sizeof(uint32_t),
+will cause uninitialized memory to be referenced later
+
+Reviewed-by: Christian König
+Signed-off-by: hackyzh002
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/radeon/radeon_cs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
+index 1ae31dbc61c64..5e61abb3dce5c 100644
+--- a/drivers/gpu/drm/radeon/radeon_cs.c
++++ b/drivers/gpu/drm/radeon/radeon_cs.c
+@@ -265,7 +265,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
+ {
+ struct drm_radeon_cs *cs = data;
+ uint64_t *chunk_array_ptr;
+- unsigned size, i;
++ u64 size;
++ unsigned i;
+ u32 ring = RADEON_CS_RING_GFX;
+ s32 priority = 0;
+
+--
+2.40.1
+
diff --git a/queue-4.14/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch b/queue-4.14/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch
new file mode 100644
index 00000000000..809a616f7f4
--- /dev/null
+++ b/queue-4.14/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch
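Review bot: Widening `size` to `u64` only helps if every later use of it, all of which sit outside this hunk, is also evaluated at the wider type; `size *= sizeof(uint32_t)` no longer wraps, but if the product is then handed to a `size_t`/`unsigned long` parameter such as `copy_from_user()` on a 32-bit build it is truncated again, and any `%u`/`%d` in a debug print of `size` becomes a format mismatch. The backport reviewer should check that the allocation preceding the copy (presumably a `kvmalloc_array()`-style call with its own overflow check) fails before a truncated length can be used. `radeon_cs_parser_init()` begins at this hunk but its body continues well past it. A direct upper bound on the user-supplied `length_dw` at the point it is read would be a more robust fix than relying on wider arithmetic alone, and the declaration deserves a comment such as `/* u64: length_dw * sizeof(uint32_t) must not wrap on user-controlled input */`.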
@@ -0,0 +1,39 @@
+From cddaca687560e7e20b9c946387b099d8adf0f620 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jun 2023 19:17:08 +0530
+Subject: FS: JFS: Check for read-only mounted filesystem in txBegin
+
+From: Immad Mir
+
+[ Upstream commit 95e2b352c03b0a86c5717ba1d24ea20969abcacc ]
+
+ This patch adds a check for read-only mounted filesystem
+ in txBegin before starting a transaction potentially saving
+ from NULL pointer deref.
+
+Signed-off-by: Immad Mir
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_txnmgr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
+index 224ef034004b7..2cb460912468e 100644
+--- a/fs/jfs/jfs_txnmgr.c
++++ b/fs/jfs/jfs_txnmgr.c
+@@ -367,6 +367,11 @@ tid_t txBegin(struct super_block *sb, int flag)
+ jfs_info("txBegin: flag = 0x%x", flag);
+ log = JFS_SBI(sb)->log;
+
++ if (!log) {
++ jfs_error(sb, "read-only filesystem\n");
++ return 0;
++ }
++
+ TXN_LOCK();
+
+ INCREMENT(TxStat.txBegin);
+--
+2.40.1
+
diff --git a/queue-4.14/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch b/queue-4.14/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch
new file mode 100644
index 00000000000..7b053642c22
--- /dev/null
+++ b/queue-4.14/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch
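Review bot: Returning `0` from `txBegin()` hands callers a tid they do not check (the companion `jfs_link()` hunk in this queue calls `txBegin()` and uses the result unconditionally), so unless every caller and `txEnd()` tolerate tid 0 this moves the crash rather than removing it; the callers and `txEnd()` are outside the hunk and need auditing. Pairing it with `jfs_error()` is also heavy-handed: that is the on-disk-corruption path (a panic under `errors=panic`, otherwise a forced read-only remount), whereas a NULL `log` on a read-only mount is a normal state, so a `jfs_warn()` plus the early return would be more proportionate. The check sits before `TXN_LOCK()`, so nothing is left locked, which is correct. `txBegin()` starts before the hunk and ends after it; document the sentinel where it is produced, e.g. `/* no journal on a read-only mount: return tid 0, callers must check */`.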
@@ -0,0 +1,44 @@
+From d26a25629f17d651ab37052d754e2c24adfa9522 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jun 2023 19:14:01 +0530
+Subject: FS: JFS: Fix null-ptr-deref Read in txBegin
+
+From: Immad Mir
+
+[ Upstream commit 47cfdc338d674d38f4b2f22b7612cc6a2763ba27 ]
+
+ Syzkaller reported an issue where txBegin may be called
+ on a superblock in a read-only mounted filesystem which leads
+ to NULL pointer deref. This could be solved by checking if
+ the filesystem is read-only before calling txBegin, and returning
+ with appropiate error code.
+
+Reported-By: syzbot+f1faa20eec55e0c8644c@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=be7e52c50c5182cc09a09ea6fc456446b2039de3
+
+Signed-off-by: Immad Mir
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/namei.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
+index 56c3fcbfe80ed..6726dcddd6f86 100644
+--- a/fs/jfs/namei.c
++++ b/fs/jfs/namei.c
+@@ -813,6 +813,11 @@ static int jfs_link(struct dentry *old_dentry,
+ if (rc)
+ goto out;
+
++ if (isReadOnly(ip)) {
++ jfs_error(ip->i_sb, "read-only filesystem\n");
++ return -EROFS;
++ }
++
+ tid = txBegin(ip->i_sb, 0);
+
+ mutex_lock_nested(&JFS_IP(dir)->commit_mutex, COMMIT_MUTEX_PARENT);
+--
+2.40.1
+
diff --git a/queue-4.14/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch b/queue-4.14/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch
new file mode 100644
index 00000000000..ddf46942781
--- /dev/null
+++ b/queue-4.14/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch
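Review bot: The new early exit uses `return -EROFS` while the error path two lines above it goes through `goto out`, so it bypasses whatever the `out:` label in `jfs_link()` does; `rc = -EROFS; goto out;` keeps the function's single exit and its style. As in the `txBegin()` patch in this queue, reporting a read-only mount via `jfs_error()` treats a normal state as corruption (panic under `errors=panic`, otherwise a forced read-only remount of a filesystem that is already read-only), so a `jfs_warn()` is arguably enough here. `jfs_link()` starts before the hunk and the `out:` label is after it, so what it cleans up is not visible. Since the VFS normally blocks `link()` on a read-only mount, a comment on the check explaining how it is still reachable (presumably the superblock going read-only under a live mount, per the syzkaller report) would justify it to future readers.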
@@ -0,0 +1,86 @@ +From a1bbea9519149e04ec62591f805a00f4c489dd69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jun 2023 00:07:03 +0530 +Subject: fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev + +From: Yogesh + +[ Upstream commit 4e302336d5ca1767a06beee7596a72d3bdc8d983 ] + +Syzkaller reported the following issue: + +UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6 +index -84 is out of range for type 's8[341]' (aka 'signed char[341]') +CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:217 [inline] + __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 + dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965 + dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809 + dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350 + dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874 + dtSplitUp fs/jfs/jfs_dtree.c:974 [inline] + dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863 + jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137 + lookup_open fs/namei.c:3492 [inline] + open_last_lookups fs/namei.c:3560 [inline] + path_openat+0x13df/0x3170 fs/namei.c:3788 + do_filp_open+0x234/0x490 fs/namei.c:3818 + do_sys_openat2+0x13f/0x500 fs/open.c:1356 + do_sys_open fs/open.c:1372 [inline] + __do_sys_openat fs/open.c:1388 [inline] + __se_sys_openat fs/open.c:1383 [inline] + __x64_sys_openat+0x247/0x290 fs/open.c:1383 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f1f4e33f7e9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffc21129578 EFLAGS: 
00000246 ORIG_RAX: 0000000000000101 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9 +RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c +RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +The bug occurs when the dbAllocDmapLev()function attempts to access +dp->tree.stree[leafidx + LEAFIND] while the leafidx value is negative. + +To rectify this, the patch introduces a safeguard within the +dbAllocDmapLev() function. A check has been added to verify if leafidx is +negative. If it is, the function immediately returns an I/O error, preventing +any further execution that could potentially cause harm. + +Tested via syzbot. + +Reported-by: syzbot+853a6f4dfa3cf37d3aea@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=ae2f5a27a07ae44b0f17 +Signed-off-by: Yogesh +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index cc2ac1f324b08..464ddaf8ebd10 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -2040,6 +2040,9 @@ dbAllocDmapLev(struct bmap * bmp, + if (dbFindLeaf((dmtree_t *) & dp->tree, l2nb, &leafidx)) + return -ENOSPC; + ++ if (leafidx < 0) ++ return -EIO; ++ + /* determine the block number within the file system corresponding + * to the leaf at which free space was found. + */ +-- +2.40.1 + diff --git a/queue-4.14/gfs2-fix-possible-data-races-in-gfs2_show_options.patch b/queue-4.14/gfs2-fix-possible-data-races-in-gfs2_show_options.patch new file mode 100644 index 00000000000..19256d71464 --- /dev/null +++ b/queue-4.14/gfs2-fix-possible-data-races-in-gfs2_show_options.patch 
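Review bot: The added check rejects a negative `leafidx` but not one past the end of the tree; the UBSAN report shows the array is `s8[341]` and the access is `stree[leafidx + LEAFIND]`, so if `dbFindLeaf()` can produce an index at or above the leaf count on an equally corrupt on-disk dmap, that read is still out of bounds. If that is reachable, widen the guard to `if (leafidx < 0 || leafidx >= LPERDMAP) return -EIO;` (or whatever constant bounds the leaf range of the dmap tree); if it is not, a comment saying why would save the next reader the analysis. `dbAllocDmapLev()` starts before the hunk and the block-number computation that uses `leafidx` follows it. The check also deserves a why-comment, e.g. `/* corrupt dmap tree: dbFindLeaf() produced an index outside the leaf range */`, to explain the choice of `-EIO` over `-ENOSPC`.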
@@ -0,0 +1,86 @@ +From 2a97b02506103ae3056041bf4a64f062fddc5003 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 11:06:37 +0800 +Subject: gfs2: Fix possible data races in gfs2_show_options() + +From: Tuo Li + +[ Upstream commit 6fa0a72cbbe45db4ed967a51f9e6f4e3afe61d20 ] + +Some fields such as gt_logd_secs of the struct gfs2_tune are accessed +without holding the lock gt_spin in gfs2_show_options(): + + val = sdp->sd_tune.gt_logd_secs; + if (val != 30) + seq_printf(s, ",commit=%d", val); + +And thus can cause data races when gfs2_show_options() and other functions +such as gfs2_reconfigure() are concurrently executed: + + spin_lock(>->gt_spin); + gt->gt_logd_secs = newargs->ar_commit; + +To fix these possible data races, the lock sdp->sd_tune.gt_spin is +acquired before accessing the fields of gfs2_tune and released after these +accesses. + +Further changes by Andreas: + +- Don't hold the spin lock over the seq_printf operations. + +Reported-by: BassCheck +Signed-off-by: Tuo Li +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/super.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c +index 73290263402a3..2167503f17536 100644 +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -1363,7 +1363,14 @@ static int gfs2_show_options(struct seq_file *s, struct dentry *root) + { + struct gfs2_sbd *sdp = root->d_sb->s_fs_info; + struct gfs2_args *args = &sdp->sd_args; +- int val; ++ unsigned int logd_secs, statfs_slow, statfs_quantum, quota_quantum; ++ ++ spin_lock(&sdp->sd_tune.gt_spin); ++ logd_secs = sdp->sd_tune.gt_logd_secs; ++ quota_quantum = sdp->sd_tune.gt_quota_quantum; ++ statfs_quantum = sdp->sd_tune.gt_statfs_quantum; ++ statfs_slow = sdp->sd_tune.gt_statfs_slow; ++ spin_unlock(&sdp->sd_tune.gt_spin); + + if (is_ancestor(root, sdp->sd_master_dir)) + seq_puts(s, ",meta"); +@@ -1418,17 +1425,14 @@ static int gfs2_show_options(struct 
seq_file *s, struct dentry *root) + } + if (args->ar_discard) + seq_puts(s, ",discard"); +- val = sdp->sd_tune.gt_logd_secs; +- if (val != 30) +- seq_printf(s, ",commit=%d", val); +- val = sdp->sd_tune.gt_statfs_quantum; +- if (val != 30) +- seq_printf(s, ",statfs_quantum=%d", val); +- else if (sdp->sd_tune.gt_statfs_slow) ++ if (logd_secs != 30) ++ seq_printf(s, ",commit=%d", logd_secs); ++ if (statfs_quantum != 30) ++ seq_printf(s, ",statfs_quantum=%d", statfs_quantum); ++ else if (statfs_slow) + seq_puts(s, ",statfs_quantum=0"); +- val = sdp->sd_tune.gt_quota_quantum; +- if (val != 60) +- seq_printf(s, ",quota_quantum=%d", val); ++ if (quota_quantum != 60) ++ seq_printf(s, ",quota_quantum=%d", quota_quantum); + if (args->ar_statfs_percent) + seq_printf(s, ",statfs_percent=%d", args->ar_statfs_percent); + if (args->ar_errors != GFS2_ERRORS_DEFAULT) { +-- +2.40.1 + diff --git a/queue-4.14/media-platform-mediatek-vpu-fix-null-ptr-dereference.patch b/queue-4.14/media-platform-mediatek-vpu-fix-null-ptr-dereference.patch new file mode 100644 index 00000000000..c7323940ad2 --- /dev/null +++ b/queue-4.14/media-platform-mediatek-vpu-fix-null-ptr-dereference.patch 
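Review bot: The four snapshot variables are declared `unsigned int` but printed with `%d` (`",commit=%d"`, `",statfs_quantum=%d"`, `",quota_quantum=%d"`), a signedness mismatch that `-Wformat-signedness` flags; since the old code went through an `int val`, either switch the formats to `%u` or keep the locals `int` so they match the format. The locking shape is right: the values are copied under `gt_spin` and the lock is dropped before any `seq_printf()`, so the output is a consistent snapshot taken in one critical section. `gfs2_show_options()` begins at the first hunk and continues after the second. A comment above the locked block, e.g. `/* snapshot the tunables under gt_spin; they are written under the same lock elsewhere */`, would record why the copies exist.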
@@ -0,0 +1,51 @@
+From 59c9a0dbfefa46227524d1a5d3098ea7b8dfb2d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 May 2023 13:11:47 +0100
+Subject: media: platform: mediatek: vpu: fix NULL ptr dereference
+
+From: Hans Verkuil
+
+[ Upstream commit 3df55cd773e8603b623425cc97b05e542854ad27 ]
+
+If pdev is NULL, then it is still dereferenced.
+
+This fixes this smatch warning:
+
+drivers/media/platform/mediatek/vpu/mtk_vpu.c:570 vpu_load_firmware() warn: address of NULL pointer 'pdev'
+
+Signed-off-by: Hans Verkuil
+Cc: Yunfei Dong
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/mtk-vpu/mtk_vpu.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/mtk-vpu/mtk_vpu.c b/drivers/media/platform/mtk-vpu/mtk_vpu.c
+index 019a5e7e1a402..de5e732b1f0b6 100644
+--- a/drivers/media/platform/mtk-vpu/mtk_vpu.c
++++ b/drivers/media/platform/mtk-vpu/mtk_vpu.c
+@@ -536,16 +536,18 @@ static int load_requested_vpu(struct mtk_vpu *vpu,
+ int vpu_load_firmware(struct platform_device *pdev)
+ {
+ struct mtk_vpu *vpu;
+- struct device *dev = &pdev->dev;
++ struct device *dev;
+ struct vpu_run *run;
+ const struct firmware *vpu_fw = NULL;
+ int ret;
+
+ if (!pdev) {
+- dev_err(dev, "VPU platform device is invalid\n");
++ pr_err("VPU platform device is invalid\n");
+ return -EINVAL;
+ }
+
++ dev = &pdev->dev;
++
+ vpu = platform_get_drvdata(pdev);
+ run = &vpu->run;
+
+--
+2.40.1
+
diff --git a/queue-4.14/media-v4l2-mem2mem-add-lock-to-protect-parameter-num.patch b/queue-4.14/media-v4l2-mem2mem-add-lock-to-protect-parameter-num.patch
new file mode 100644
index 00000000000..cf897f4ca5e
--- /dev/null
+++ b/queue-4.14/media-v4l2-mem2mem-add-lock-to-protect-parameter-num.patch
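Review bot: The NULL check now covers `pdev`, but two lines later `vpu = platform_get_drvdata(pdev); run = &vpu->run;` dereferences the driver data unchecked, so a caller that reaches `vpu_load_firmware()` before the VPU has probed, or after it was unbound, would hit the same class of NULL dereference one statement further down; whether that is reachable depends on the callers, which are outside the hunk. If it is, add `if (!vpu) { dev_err(dev, "VPU not initialised\n"); return -EINVAL; }` right after `platform_get_drvdata()`, now that `dev` is valid at that point. Using `pr_err()` for the `!pdev` case is the right call since there is no device to log against. `vpu_load_firmware()` begins in the hunk but its body continues below it.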
@@ -0,0 +1,69 @@ +From 45f0eedc514084123af879de37f2b4339082db3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 16:17:40 +0800 +Subject: media: v4l2-mem2mem: add lock to protect parameter num_rdy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yunfei Dong + +[ Upstream commit 56b5c3e67b0f9af3f45cf393be048ee8d8a92694 ] + +Getting below error when using KCSAN to check the driver. Adding lock to +protect parameter num_rdy when getting the value with function: +v4l2_m2m_num_src_bufs_ready/v4l2_m2m_num_dst_bufs_ready. + +kworker/u16:3: [name:report&]BUG: KCSAN: data-race in v4l2_m2m_buf_queue +kworker/u16:3: [name:report&] + +kworker/u16:3: [name:report&]read-write to 0xffffff8105f35b94 of 1 bytes by task 20865 on cpu 7: +kworker/u16:3:  v4l2_m2m_buf_queue+0xd8/0x10c + +Signed-off-by: Pina Chen +Signed-off-by: Yunfei Dong +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + include/media/v4l2-mem2mem.h | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/include/media/v4l2-mem2mem.h b/include/media/v4l2-mem2mem.h +index e157d5c9b224e..239bcc4b7e95a 100644 +--- a/include/media/v4l2-mem2mem.h ++++ b/include/media/v4l2-mem2mem.h +@@ -392,7 +392,14 @@ void v4l2_m2m_buf_queue(struct v4l2_m2m_ctx *m2m_ctx, + static inline + unsigned int v4l2_m2m_num_src_bufs_ready(struct v4l2_m2m_ctx *m2m_ctx) + { +- return m2m_ctx->out_q_ctx.num_rdy; ++ unsigned int num_buf_rdy; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&m2m_ctx->out_q_ctx.rdy_spinlock, flags); ++ num_buf_rdy = m2m_ctx->out_q_ctx.num_rdy; ++ spin_unlock_irqrestore(&m2m_ctx->out_q_ctx.rdy_spinlock, flags); ++ ++ return num_buf_rdy; + } + + /** +@@ -404,7 +411,14 @@ unsigned int v4l2_m2m_num_src_bufs_ready(struct v4l2_m2m_ctx *m2m_ctx) + static inline + unsigned int v4l2_m2m_num_dst_bufs_ready(struct v4l2_m2m_ctx *m2m_ctx) + { +- return m2m_ctx->cap_q_ctx.num_rdy; ++ unsigned int num_buf_rdy; ++ 
unsigned long flags; ++ ++ spin_lock_irqsave(&m2m_ctx->cap_q_ctx.rdy_spinlock, flags); ++ num_buf_rdy = m2m_ctx->cap_q_ctx.num_rdy; ++ spin_unlock_irqrestore(&m2m_ctx->cap_q_ctx.rdy_spinlock, flags); ++ ++ return num_buf_rdy; + } + + /** +-- +2.40.1 + diff --git a/queue-4.14/mips-dec-prom-address-warray-bounds-warning.patch b/queue-4.14/mips-dec-prom-address-warray-bounds-warning.patch new file mode 100644 index 00000000000..05348a571d3 --- /dev/null +++ b/queue-4.14/mips-dec-prom-address-warray-bounds-warning.patch 
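Review bot: Both helpers now take `rdy_spinlock` with `spin_lock_irqsave()`, so any caller that already holds that lock, or is invoked from a path that holds it, will self-deadlock; upstream's callers of `v4l2_m2m_num_src_bufs_ready()`/`v4l2_m2m_num_dst_bufs_ready()` use them unlocked, but the 4.14 driver set differs from upstream and should be audited for calls inside `rdy_spinlock` regions before this lands. The locked read also only silences KCSAN: `num_rdy` is stale the moment the lock is released, so callers that use the count to decide whether a job can run still depend on the serialisation of the job-scheduling paths, not on this lock. A line in the kernel-doc above each helper, e.g. `* Note: the returned count is a snapshot and may change as soon as this returns.`, would keep callers from reading more into the lock than it provides.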
@@ -0,0 +1,54 @@
+From d038e7795f1fcae491c09809aee7ee581169db0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Jun 2023 17:43:57 -0600
+Subject: MIPS: dec: prom: Address -Warray-bounds warning
+
+From: Gustavo A. R. Silva
+
+[ Upstream commit 7b191b9b55df2a844bd32d1d380f47a7df1c2896 ]
+
+Zero-length arrays are deprecated, and we are replacing them with flexible
+array members instead. So, replace zero-length array with flexible-array
+member in struct memmap.
+
+Address the following warning found after building (with GCC-13) mips64
+with decstation_64_defconfig:
+In function 'rex_setup_memory_region',
+ inlined from 'prom_meminit' at arch/mips/dec/prom/memory.c:91:3:
+arch/mips/dec/prom/memory.c:72:31: error: array subscript i is outside array bounds of 'unsigned char[0]' [-Werror=array-bounds=]
+ 72 | if (bm->bitmap[i] == 0xff)
+ | ~~~~~~~~~~^~~
+In file included from arch/mips/dec/prom/memory.c:16:
+./arch/mips/include/asm/dec/prom.h: In function 'prom_meminit':
+./arch/mips/include/asm/dec/prom.h:73:23: note: while referencing 'bitmap'
+ 73 | unsigned char bitmap[0];
+
+This helps with the ongoing efforts to globally enable -Warray-bounds.
+
+This results in no differences in binary output.
+
+Link: https://github.com/KSPP/linux/issues/79
+Link: https://github.com/KSPP/linux/issues/323
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/dec/prom.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/dec/prom.h b/arch/mips/include/asm/dec/prom.h
+index 09538ff5e9245..6f0405ba27d6d 100644
+--- a/arch/mips/include/asm/dec/prom.h
++++ b/arch/mips/include/asm/dec/prom.h
+@@ -74,7 +74,7 @@ static inline bool prom_is_rex(u32 magic)
+ */
+ typedef struct {
+ int pagesize;
+- unsigned char bitmap[0];
++ unsigned char bitmap[];
+ } memmap;
+
+
+--
+2.40.1
+
diff --git a/queue-4.14/pcmcia-rsrc_nonstatic-fix-memory-leak-in-nonstatic_r.patch b/queue-4.14/pcmcia-rsrc_nonstatic-fix-memory-leak-in-nonstatic_r.patch
new file mode 100644
index 00000000000..b07f89932c2
--- /dev/null
+++ b/queue-4.14/pcmcia-rsrc_nonstatic-fix-memory-leak-in-nonstatic_r.patch
@@ -0,0 +1,66 @@
+From 55506e4465a8c6195d46a379d263e77119577cdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 May 2023 20:45:29 +0200
+Subject: pcmcia: rsrc_nonstatic: Fix memory leak in
+ nonstatic_release_resource_db()
+
+From: Armin Wolf
+
+[ Upstream commit c85fd9422fe0f5d667305efb27f56d09eab120b0 ]
+
+When nonstatic_release_resource_db() frees all resources associated
+with an PCMCIA socket, it forgets to free socket_data too, causing
+a memory leak observable with kmemleak:
+
+unreferenced object 0xc28d1000 (size 64):
+ comm "systemd-udevd", pid 297, jiffies 4294898478 (age 194.484s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 f0 85 0e c3 00 00 00 00 ................
+ 00 00 00 00 0c 10 8d c2 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] __kmem_cache_alloc_node+0x2d7/0x4a0
+ [<7e51f0c8>] kmalloc_trace+0x31/0xa4
+ [] nonstatic_init+0x24/0x1a4 [pcmcia_rsrc]
+ [] pcmcia_register_socket+0x200/0x35c [pcmcia_core]
+ [] yenta_probe+0x4d8/0xa70 [yenta_socket]
+ [] pci_device_probe+0x99/0x194
+ [<84b7c690>] really_probe+0x181/0x45c
+ [<8060fe6e>] __driver_probe_device+0x75/0x1f4
+ [] driver_probe_device+0x28/0xac
+ [<648b766f>] __driver_attach+0xeb/0x1e4
+ [<6e9659eb>] bus_for_each_dev+0x61/0xb4
+ [<25a669f3>] driver_attach+0x1e/0x28
+ [] bus_add_driver+0x102/0x20c
+ [] driver_register+0x5b/0x120
+ [<942cd8a4>] __pci_register_driver+0x44/0x4c
+ [] __UNIQUE_ID___addressable_cleanup_module188+0x1c/0xfffff000 [iTCO_vendor_support]
+
+Fix this by freeing socket_data too.
+
+Tested on a Acer Travelmate 4002WLMi by manually binding/unbinding
+the yenta_cardbus driver (yenta_socket).
+
+Signed-off-by: Armin Wolf
+Message-ID: <20230512184529.5094-1-W_Armin@gmx.de>
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/pcmcia/rsrc_nonstatic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c
+index 2e96d9273b780..e5ec8a2c022a2 100644
+--- a/drivers/pcmcia/rsrc_nonstatic.c
++++ b/drivers/pcmcia/rsrc_nonstatic.c
+@@ -1056,6 +1056,8 @@ static void nonstatic_release_resource_db(struct pcmcia_socket *s)
+ q = p->next;
+ kfree(p);
+ }
++
++ kfree(data);
+ }
+
+
+--
+2.40.1
+
diff --git a/queue-4.14/quota-fix-warning-in-dqgrab.patch b/queue-4.14/quota-fix-warning-in-dqgrab.patch
new file mode 100644
index 00000000000..efcf24fc736
--- /dev/null
+++ b/queue-4.14/quota-fix-warning-in-dqgrab.patch
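Review bot: After the new `kfree(data);` the socket presumably still carries the pointer `data` was loaded from (the load is above the hunk, so this is inferred from the function name and the "socket_data" wording in the description), which leaves a dangling reference inside `s` until the socket itself is destroyed. Clearing it next to the free, `s->resource_data = NULL;` or whatever the field is called, turns any later access on the bind/unbind path the description exercises into a NULL dereference instead of a silent use-after-free of a 64-byte slab object. The start of nonstatic_release_resource_db() is outside the hunk, so confirm the field name and whether anything in the core can still read it after release.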
@@ -0,0 +1,104 @@ +From 45edd0ac33b8c9cfd52cea8030d84bfa6c4cb9ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 22:07:31 +0800 +Subject: quota: fix warning in dqgrab() + +From: Ye Bin + +[ Upstream commit d6a95db3c7ad160bc16b89e36449705309b52bcb ] + +There's issue as follows when do fault injection: +WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0 +Modules linked in: +CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541 +RIP: 0010:dquot_disable+0x13b7/0x18c0 +RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980 +RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002 +RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000 +R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130 +R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118 +FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + dquot_load_quota_sb+0xd53/0x1060 + dquot_resume+0x172/0x230 + ext4_reconfigure+0x1dc6/0x27b0 + reconfigure_super+0x515/0xa90 + __x64_sys_fsconfig+0xb19/0xd20 + do_syscall_64+0x39/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Above issue may happens as follows: +ProcessA ProcessB ProcessC +sys_fsconfig + vfs_fsconfig_locked + reconfigure_super + ext4_remount + dquot_suspend -> suspend all type quota + + sys_fsconfig + vfs_fsconfig_locked + reconfigure_super + ext4_remount + dquot_resume + ret = dquot_load_quota_sb + add_dquot_ref + do_open -> open file O_RDWR + vfs_open + do_dentry_open + get_write_access + atomic_inc_unless_negative(&inode->i_writecount) + ext4_file_open + dquot_file_open + 
dquot_initialize + __dquot_initialize + dqget + atomic_inc(&dquot->dq_count); + + __dquot_initialize + __dquot_initialize + dqget + if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) + ext4_acquire_dquot + -> Return error DQ_ACTIVE_B flag isn't set + dquot_disable + invalidate_dquots + if (atomic_read(&dquot->dq_count)) + dqgrab + WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) + -> Trigger warning + +In the above scenario, 'dquot->dq_flags' has no DQ_ACTIVE_B is normal when +dqgrab(). +To solve above issue just replace the dqgrab() use in invalidate_dquots() with +atomic_inc(&dquot->dq_count). + +Signed-off-by: Ye Bin +Signed-off-by: Jan Kara +Message-Id: <20230605140731.2427629-3-yebin10@huawei.com> +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 1cbec5dde5830..1629d50782bf9 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -540,7 +540,7 @@ static void invalidate_dquots(struct super_block *sb, int type) + continue; + /* Wait for dquot users */ + if (atomic_read(&dquot->dq_count)) { +- dqgrab(dquot); ++ atomic_inc(&dquot->dq_count); + spin_unlock(&dq_list_lock); + /* + * Once dqput() wakes us up, we know it's time to free +-- +2.40.1 + diff --git a/queue-4.14/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch b/queue-4.14/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch new file mode 100644 index 00000000000..7d0a22149c2 --- /dev/null +++ b/queue-4.14/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch 
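Review bot: The replacement `atomic_inc(&dquot->dq_count);` in invalidate_dquots() quietly gives up the DQ_ACTIVE_B sanity check that dqgrab() provides, and nothing at the call site says why, so a later cleanup is likely to switch it back to dqgrab() and reintroduce the warning. A one-line comment would pin the reasoning from the description: `/* Not dqgrab(): the dquot may legitimately be !DQ_ACTIVE_B here (failed quota enable). */`. The rest of invalidate_dquots(), including the dqput()/wait that balances this increment, is outside the hunk.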
@@ -0,0 +1,43 @@
+From d777f6d13e9b7ddac1fc15db7df6b962c50f29f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Jun 2023 22:07:30 +0800
+Subject: quota: Properly disable quotas when add_dquot_ref() fails
+
+From: Jan Kara
+
+[ Upstream commit 6a4e3363792e30177cc3965697e34ddcea8b900b ]
+
+When add_dquot_ref() fails (usually due to IO error or ENOMEM), we want
+to disable quotas we are trying to enable. However dquot_disable() call
+was passed just the flags we are enabling so in case flags ==
+DQUOT_USAGE_ENABLED dquot_disable() call will just fail with EINVAL
+instead of properly disabling quotas. Fix the problem by always passing
+DQUOT_LIMITS_ENABLED | DQUOT_USAGE_ENABLED to dquot_disable() in this
+case.
+
+Reported-and-tested-by: Ye Bin
+Reported-by: syzbot+e633c79ceaecbf479854@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara
+Message-Id: <20230605140731.2427629-2-yebin10@huawei.com>
+Signed-off-by: Sasha Levin
+---
+ fs/quota/dquot.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 7c364cda8daac..1cbec5dde5830 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -2387,7 +2387,8 @@ static int vfs_load_quota_inode(struct inode *inode, int type, int format_id,
+
+ error = add_dquot_ref(sb, type);
+ if (error)
+- dquot_disable(sb, type, flags);
++ dquot_disable(sb, type,
++ DQUOT_USAGE_ENABLED | DQUOT_LIMITS_ENABLED);
+
+ return error;
+ out_file_init:
+--
+2.40.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 2a0e9374557..aa94a3d2b03 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
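Review bot: The new dquot_disable() call deliberately ignores the `flags` parameter sitting right next to it, which reads like a typo and invites someone to "fix" it back; a short comment on the added lines would stop that: `/* Tear down the whole type: passing only the flags being enabled makes dquot_disable() fail with -EINVAL */`. The return value of dquot_disable() is still discarded on this error path, so if the teardown itself fails the caller only sees add_dquot_ref()'s error and has no indication that quota state for `type` may have been left partially enabled; a WARN_ON or pr_warn there would at least make that visible in logs, though I cannot tell from the hunk whether a later path already covers it. vfs_load_quota_inode() begins and ends outside the hunk.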
@@ -1 +1,16 @@
 lib-mpi-eliminate-unused-umul_ppmm-definitions-for-mips.patch
+drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch
+alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch
+quota-properly-disable-quotas-when-add_dquot_ref-fai.patch
+quota-fix-warning-in-dqgrab.patch
+udf-fix-uninitialized-array-access-for-some-pathname.patch
+fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch
+mips-dec-prom-address-warray-bounds-warning.patch
+fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch
+fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch
+media-v4l2-mem2mem-add-lock-to-protect-parameter-num.patch
+media-platform-mediatek-vpu-fix-null-ptr-dereference.patch
+gfs2-fix-possible-data-races-in-gfs2_show_options.patch
+pcmcia-rsrc_nonstatic-fix-memory-leak-in-nonstatic_r.patch
+bluetooth-l2cap-fix-use-after-free.patch
+drm-amdgpu-fix-potential-fence-use-after-free-v2.patch
diff --git a/queue-4.14/udf-fix-uninitialized-array-access-for-some-pathname.patch b/queue-4.14/udf-fix-uninitialized-array-access-for-some-pathname.patch
new file mode 100644
index 00000000000..e939c22765d
--- /dev/null
+++ b/queue-4.14/udf-fix-uninitialized-array-access-for-some-pathname.patch
@@ -0,0 +1,39 @@
+From 7e8de5f40df7ff10fa7929d2d772c33f9f0a7434 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jun 2023 11:32:35 +0200
+Subject: udf: Fix uninitialized array access for some pathnames
+
+From: Jan Kara
+
+[ Upstream commit 028f6055c912588e6f72722d89c30b401bbcf013 ]
+
+For filenames that begin with . and are between 2 and 5 characters long,
+UDF charset conversion code would read uninitialized memory in the
+output buffer. The only practical impact is that the name may be prepended a
+"unification hash" when it is not actually needed but still it is good
+to fix this.
+
+Reported-by: syzbot+cd311b1e43cc25f90d18@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/000000000000e2638a05fe9dc8f9@google.com
+Signed-off-by: Jan Kara
+Signed-off-by: Sasha Levin
+---
+ fs/udf/unicode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
+index 61a1738895b7a..ad04dc2278339 100644
+--- a/fs/udf/unicode.c
++++ b/fs/udf/unicode.c
+@@ -268,7 +268,7 @@ static int udf_name_from_CS0(uint8_t *str_o, int str_max_len,
+ }
+
+ if (translate) {
+- if (str_o_len <= 2 && str_o[0] == '.' &&
++ if (str_o_len > 0 && str_o_len <= 2 && str_o[0] == '.' &&
+ (str_o_len == 1 || str_o[1] == '.'))
+ needsCRC = 1;
+ if (needsCRC) {
+--
+2.40.1
+
--
2.47.2
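Review bot: The added `str_o_len > 0` guard is the right fix, but nothing at this point in the hunk tells a reader that `str_o` can still be empty (the conversion loop that fills it is above the hunk), so the extra condition looks redundant next to `str_o_len <= 2`; a comment would keep it from being simplified away: `/* str_o may be empty here: never read str_o[0] before checking str_o_len */`. The second byte is already safe because `str_o_len == 1 ||` short-circuits before `str_o[1]` is read, so no further guard is needed. udf_name_from_CS0() begins and ends outside the hunk.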