From: Greg Kroah-Hartman Date: Mon, 15 Aug 2022 11:53:12 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v5.15.61~68 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78663e4dbd5a0ae821b72863dd5cd57db900a09a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: dm-raid-fix-address-sanitizer-warning-in-raid_resume.patch dm-raid-fix-address-sanitizer-warning-in-raid_status.patch intel_th-pci-add-meteor-lake-p-support.patch intel_th-pci-add-raptor-lake-s-cpu-support.patch intel_th-pci-add-raptor-lake-s-pch-support.patch net_sched-cls_route-remove-from-list-when-handle-is-0.patch --- diff --git a/queue-4.14/dm-raid-fix-address-sanitizer-warning-in-raid_resume.patch b/queue-4.14/dm-raid-fix-address-sanitizer-warning-in-raid_resume.patch new file mode 100644 index 00000000000..ea2d1606677 --- /dev/null +++ b/queue-4.14/dm-raid-fix-address-sanitizer-warning-in-raid_resume.patch 
@@ -0,0 +1,33 @@ +From 7dad24db59d2d2803576f2e3645728866a056dab Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 24 Jul 2022 14:33:52 -0400 +Subject: dm raid: fix address sanitizer warning in raid_resume + +From: Mikulas Patocka + +commit 7dad24db59d2d2803576f2e3645728866a056dab upstream. + +There is a KASAN warning in raid_resume when running the lvm test +lvconvert-raid.sh. The reason for the warning is that mddev->raid_disks +is greater than rs->raid_disks, so the loop touches one entry beyond +the allocated length. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-raid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -3669,7 +3669,7 @@ static void attempt_restore_of_faulty_de + + memset(cleared_failed_devices, 0, sizeof(cleared_failed_devices)); + +- for (i = 0; i < mddev->raid_disks; i++) { ++ for (i = 0; i < rs->raid_disks; i++) { + r = &rs->dev[i].rdev; + /* HM FIXME: enhance journal device recovery processing */ + if (test_bit(Journal, &r->flags)) diff --git a/queue-4.14/dm-raid-fix-address-sanitizer-warning-in-raid_status.patch b/queue-4.14/dm-raid-fix-address-sanitizer-warning-in-raid_status.patch new file mode 100644 index 00000000000..a06c4e50fa1 --- /dev/null +++ b/queue-4.14/dm-raid-fix-address-sanitizer-warning-in-raid_status.patch 
@@ -0,0 +1,63 @@ +From 1fbeea217d8f297fe0e0956a1516d14ba97d0396 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 24 Jul 2022 14:31:35 -0400 +Subject: dm raid: fix address sanitizer warning in raid_status + +From: Mikulas Patocka + +commit 1fbeea217d8f297fe0e0956a1516d14ba97d0396 upstream. + +There is this warning when using a kernel with the address sanitizer +and running this testsuite: +https://gitlab.com/cki-project/kernel-tests/-/tree/main/storage/swraid/scsi_raid + +================================================================== +BUG: KASAN: slab-out-of-bounds in raid_status+0x1747/0x2820 [dm_raid] +Read of size 4 at addr ffff888079d2c7e8 by task lvcreate/13319 +CPU: 0 PID: 13319 Comm: lvcreate Not tainted 5.18.0-0.rc3. #1 +Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +Call Trace: + + dump_stack_lvl+0x6a/0x9c + print_address_description.constprop.0+0x1f/0x1e0 + print_report.cold+0x55/0x244 + kasan_report+0xc9/0x100 + raid_status+0x1747/0x2820 [dm_raid] + dm_ima_measure_on_table_load+0x4b8/0xca0 [dm_mod] + table_load+0x35c/0x630 [dm_mod] + ctl_ioctl+0x411/0x630 [dm_mod] + dm_ctl_ioctl+0xa/0x10 [dm_mod] + __x64_sys_ioctl+0x12a/0x1a0 + do_syscall_64+0x5b/0x80 + +The warning is caused by reading conf->max_nr_stripes in raid_status. The +code in raid_status reads mddev->private, casts it to struct r5conf and +reads the entry max_nr_stripes. + +However, if we have different raid type than 4/5/6, mddev->private +doesn't point to struct r5conf; it may point to struct r0conf, struct +r1conf, struct r10conf or struct mpconf. If we cast a pointer to one +of these structs to struct r5conf, we will be reading invalid memory +and KASAN warns about it. + +Fix this bug by reading struct r5conf only if raid type is 4, 5 or 6. 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-raid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -3394,7 +3394,7 @@ static void raid_status(struct dm_target + { + struct raid_set *rs = ti->private; + struct mddev *mddev = &rs->md; +- struct r5conf *conf = mddev->private; ++ struct r5conf *conf = rs_is_raid456(rs) ? mddev->private : NULL; + int i, max_nr_stripes = conf ? conf->max_nr_stripes : 0; + bool array_in_sync; + unsigned int raid_param_cnt = 1; /* at least 1 for chunksize */ diff --git a/queue-4.14/intel_th-pci-add-meteor-lake-p-support.patch b/queue-4.14/intel_th-pci-add-meteor-lake-p-support.patch new file mode 100644 index 00000000000..0082074de5a --- /dev/null +++ b/queue-4.14/intel_th-pci-add-meteor-lake-p-support.patch @@ -0,0 +1,34 @@ +From 802a9a0b1d91274ef10d9fe429b4cc1e8c200aef Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 5 Jul 2022 11:26:35 +0300 +Subject: intel_th: pci: Add Meteor Lake-P support + +From: Alexander Shishkin + +commit 802a9a0b1d91274ef10d9fe429b4cc1e8c200aef upstream. + +Add support for the Trace Hub in Meteor Lake-P. + +Reviewed-by: Andy Shevchenko +Cc: stable +Signed-off-by: Alexander Shishkin +Link: https://lore.kernel.org/r/20220705082637.59979-5-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -264,6 +264,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Meteor Lake-P */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7e24), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Rocket Lake CPU */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4c19), + .driver_data = (kernel_ulong_t)&intel_th_2x, 
diff --git a/queue-4.14/intel_th-pci-add-raptor-lake-s-cpu-support.patch b/queue-4.14/intel_th-pci-add-raptor-lake-s-cpu-support.patch new file mode 100644 index 00000000000..e1a9d7ef2c4 --- /dev/null +++ b/queue-4.14/intel_th-pci-add-raptor-lake-s-cpu-support.patch @@ -0,0 +1,34 @@ +From ff46a601afc5a66a81c3945b83d0a2caeb88e8bc Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 5 Jul 2022 11:26:37 +0300 +Subject: intel_th: pci: Add Raptor Lake-S CPU support + +From: Alexander Shishkin + +commit ff46a601afc5a66a81c3945b83d0a2caeb88e8bc upstream. + +Add support for the Trace Hub in Raptor Lake-S CPU. + +Reviewed-by: Andy Shevchenko +Cc: stable +Signed-off-by: Alexander Shishkin +Link: https://lore.kernel.org/r/20220705082637.59979-7-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -254,6 +254,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Raptor Lake-S CPU */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa76f), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Rocket Lake CPU */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4c19), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-4.14/intel_th-pci-add-raptor-lake-s-pch-support.patch b/queue-4.14/intel_th-pci-add-raptor-lake-s-pch-support.patch new file mode 100644 index 00000000000..75a2fa62314 --- /dev/null +++ b/queue-4.14/intel_th-pci-add-raptor-lake-s-pch-support.patch 
@@ -0,0 +1,34 @@ +From 23e2de5826e2fc4dd43e08bab3a2ea1a5338b063 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 5 Jul 2022 11:26:36 +0300 +Subject: intel_th: pci: Add Raptor Lake-S PCH support + +From: Alexander Shishkin + +commit 23e2de5826e2fc4dd43e08bab3a2ea1a5338b063 upstream. + +Add support for the Trace Hub in Raptor Lake-S PCH. + +Reviewed-by: Andy Shevchenko +Cc: stable +Signed-off-by: Alexander Shishkin +Link: https://lore.kernel.org/r/20220705082637.59979-6-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -259,6 +259,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Raptor Lake-S */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7a26), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Rocket Lake CPU */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4c19), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-4.14/net_sched-cls_route-remove-from-list-when-handle-is-0.patch b/queue-4.14/net_sched-cls_route-remove-from-list-when-handle-is-0.patch new file mode 100644 index 00000000000..5aaf2a8dc89 --- /dev/null +++ b/queue-4.14/net_sched-cls_route-remove-from-list-when-handle-is-0.patch 
@@ -0,0 +1,45 @@ +From 9ad36309e2719a884f946678e0296be10f0bb4c1 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Tue, 9 Aug 2022 14:05:18 -0300 +Subject: net_sched: cls_route: remove from list when handle is 0 + +From: Thadeu Lima de Souza Cascardo + +commit 9ad36309e2719a884f946678e0296be10f0bb4c1 upstream. + +When a route filter is replaced and the old filter has a 0 handle, the old +one won't be removed from the hashtable, while it will still be freed. + +The test was there since before commit 1109c00547fc ("net: sched: RCU +cls_route"), when a new filter was not allocated when there was an old one. +The old filter was reused and the reinserting would only be necessary if an +old filter was replaced. That was still wrong for the same case where the +old handle was 0. + +Remove the old filter from the list independently from its handle value. + +This fixes CVE-2022-2588, also reported as ZDI-CAN-17440. + +Reported-by: Zhenpeng Lin +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Kamal Mostafa +Cc: +Acked-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/cls_route.c ++++ b/net/sched/cls_route.c +@@ -531,7 +531,7 @@ static int route4_change(struct net *net + rcu_assign_pointer(f->next, f1); + rcu_assign_pointer(*fp, f); + +- if (fold && fold->handle && f->handle != fold->handle) { ++ if (fold) { + th = to_hash(fold->handle); + h = from_hash(fold->handle >> 16); + b = rtnl_dereference(head->table[th]); diff --git a/queue-4.14/series b/queue-4.14/series index a47e976ee40..aadb2eb6731 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -159,3 +159,9 @@ ext4-update-s_overhead_clusters-in-the-superblock-during-an-on-line-resize.patch ext4-fix-extent-status-tree-race-in-writeback-error-recovery-path.patch ext4-correct-max_inline_xattr_value_size-computing.patch ext4-correct-the-misjudgment-in-ext4_iget_extra_inode.patch +intel_th-pci-add-raptor-lake-s-cpu-support.patch +intel_th-pci-add-raptor-lake-s-pch-support.patch +intel_th-pci-add-meteor-lake-p-support.patch +dm-raid-fix-address-sanitizer-warning-in-raid_resume.patch +dm-raid-fix-address-sanitizer-warning-in-raid_status.patch +net_sched-cls_route-remove-from-list-when-handle-is-0.patch
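Review bot: In the dm-raid raid_resume patch, the for loop over rs->dev[i] is now bounded by rs->raid_disks, but neither the hunk nor the commit message says why mddev->raid_disks can be greater than rs->raid_disks at this point, and there is no Fixes: tag to show which stable trees need the change. A short comment above the loop stating that rs->dev[] holds rs->raid_disks entries would keep the bound from being changed back later. Any other loop in dm-raid.c that indexes rs->dev[i] up to mddev->raid_disks deserves the same check.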
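Review bot: In the raid_status hunk of the second dm-raid patch, conf is now NULL for any set that is not raid 4/5/6, and only the initializer on the following line is visibly guarded, with `conf ? conf->max_nr_stripes : 0`. Please confirm that no later statement in raid_status() dereferences conf without the same guard. Since the visible code uses conf only for that one value, dropping the pointer and computing max_nr_stripes directly under rs_is_raid456(rs) would remove the risk. The KASAN trace in the message comes from 5.18.0-0.rc3 via dm_ima_measure_on_table_load, so the backport should say whether the same read is reachable in 4.14.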
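Review bot: In the intel_th Raptor Lake-S PCH patch, the added table entry for 0x7a26 is commented `/* Raptor Lake-S */`, while the subject says "Raptor Lake-S PCH" and the sibling entry for 0xa76f is commented `/* Raptor Lake-S CPU */`. Changing the comment to `/* Raptor Lake-S PCH */` would let the two IDs be told apart when reading the table.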
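Review bot: In the route4_change hunk of the cls_route patch, dropping `f->handle != fold->handle` means the unlink block now also runs when the new filter has the same handle as the old one, after f has already been linked in by `rcu_assign_pointer(*fp, f)` just above. The walk that follows `b = rtnl_dereference(head->table[th])` is outside the visible context, so please confirm it matches on the fold pointer rather than on the handle; otherwise it could unlink f instead of fold. A one-line comment above `if (fold)` saying that the old filter is always unlinked because it is freed afterwards would record why the handle tests were removed.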