From: Greg Kroah-Hartman Date: Mon, 2 Dec 2024 15:28:55 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.325~81 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b14010d0c412d67ebcec0fe310a6c23e2aa9c82e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch ext4-fix-fs_ioc_getfsmap-handling.patch ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch jfs-xattr-check-invalid-xattr-size-more-strictly.patch pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch --- diff --git a/queue-4.19/alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch b/queue-4.19/alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch new file mode 100644 index 00000000000..7e16854555f --- /dev/null +++ b/queue-4.19/alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch @@ -0,0 +1,80 @@ +From b909df18ce2a998afef81d58bbd1a05dc0788c40 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Sevens?= +Date: Wed, 20 Nov 2024 12:41:44 +0000 +Subject: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Sevens + +commit b909df18ce2a998afef81d58bbd1a05dc0788c40 upstream. + +A bogus device can provide a bNumConfigurations value that exceeds the +initial value used in usb_get_configuration for allocating dev->config. + +This can lead to out-of-bounds accesses later, e.g. in +usb_destroy_configuration. + +Signed-off-by: Benoît Sevens +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@kernel.org +Link: https://patch.msgid.link/20241120124144.3814457-1-bsevens@google.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -596,6 +596,7 @@ int snd_usb_create_quirk(struct snd_usb_ + static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf) + { + struct usb_host_config *config = dev->actconfig; ++ struct usb_device_descriptor new_device_descriptor; + int err; + + if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD || +@@ -607,10 +608,14 @@ static int snd_usb_extigy_boot_quirk(str + if (err < 0) + dev_dbg(&dev->dev, "error sending boot message: %d\n", err); + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &dev->descriptor, sizeof(dev->descriptor)); +- config = dev->actconfig; ++ &new_device_descriptor, sizeof(new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); ++ if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", ++ new_device_descriptor.bNumConfigurations); ++ else ++ memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + err = usb_reset_configuration(dev); + if (err < 0) + dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); +@@ -826,6 +831,7 @@ static void mbox2_setup_48_24_magic(stru + static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) + { + struct usb_host_config *config = dev->actconfig; ++ struct usb_device_descriptor new_device_descriptor; + int err; + u8 bootresponse[0x12]; + int fwsize; +@@ -861,10 +867,14 @@ static int snd_usb_mbox2_boot_quirk(stru + dev_dbg(&dev->dev, "device initialised!\n"); + + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &dev->descriptor, sizeof(dev->descriptor)); +- config = dev->actconfig; ++ &new_device_descriptor, sizeof(new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); ++ if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", ++ new_device_descriptor.bNumConfigurations); ++ else ++ memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + + err = usb_reset_configuration(dev); + if (err < 0) diff --git a/queue-4.19/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch b/queue-4.19/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch new file mode 100644 index 00000000000..5722ce5f5c0 --- /dev/null +++ b/queue-4.19/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch @@ -0,0 +1,61 @@ +From 1157733344651ca505e259d6554591ff156922fa Mon Sep 17 00:00:00 2001 +From: Qiu-ji Chen +Date: Mon, 30 Sep 2024 18:12:16 +0800 +Subject: ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata() + +From: Qiu-ji Chen + +commit 1157733344651ca505e259d6554591ff156922fa upstream. + +An atomicity violation occurs when the validity of the variables +da7219->clk_src and da7219->mclk_rate is being assessed. Since the entire +assessment is not protected by a lock, the da7219 variable might still be +in flux during the assessment, rendering this check invalid. + +To fix this issue, we recommend adding a lock before the block +if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) so that +the legitimacy check for da7219->clk_src and da7219->mclk_rate is +protected by the lock, ensuring the validity of the check. + +This possible bug is found by an experimental static analysis tool +developed by our team. This tool analyzes the locking APIs +to extract function pairs that can be concurrently executed, and then +analyzes the instructions in the paired functions to identify possible +concurrency bugs including data races and atomicity violations. + +Fixes: 6d817c0e9fd7 ("ASoC: codecs: Add da7219 codec driver") +Cc: stable@vger.kernel.org +Signed-off-by: Qiu-ji Chen +Link: https://patch.msgid.link/20240930101216.23723-1-chenqiuji666@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/da7219.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/soc/codecs/da7219.c ++++ b/sound/soc/codecs/da7219.c +@@ -1164,17 +1164,20 @@ static int da7219_set_dai_sysclk(struct + struct da7219_priv *da7219 = snd_soc_component_get_drvdata(component); + int ret = 0; + +- if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) ++ mutex_lock(&da7219->pll_lock); ++ ++ if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) { ++ mutex_unlock(&da7219->pll_lock); + return 0; ++ } + + if ((freq < 2000000) || (freq > 54000000)) { ++ mutex_unlock(&da7219->pll_lock); + dev_err(codec_dai->dev, "Unsupported MCLK value %d\n", + freq); + return -EINVAL; + } + +- mutex_lock(&da7219->pll_lock); +- + switch (clk_id) { + case DA7219_CLKSRC_MCLK_SQR: + snd_soc_component_update_bits(component, DA7219_PLL_CTRL, diff --git a/queue-4.19/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch b/queue-4.19/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch new file mode 100644 index 00000000000..976e0b1a2ae --- /dev/null +++ b/queue-4.19/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch @@ -0,0 +1,83 @@ +From 5fe6caa62b07fd39cd6a28acc8f92ba2955e11a6 Mon Sep 17 00:00:00 2001 +From: Andrej Shadura +Date: Wed, 9 Oct 2024 14:14:24 +0200 +Subject: Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}() + +From: Andrej Shadura + +commit 5fe6caa62b07fd39cd6a28acc8f92ba2955e11a6 upstream. + +Commit 9bf4e919ccad worked around an issue introduced after an innocuous +optimisation change in LLVM main: + +> len is defined as an 'int' because it is assigned from +> '__user int *optlen'. However, it is clamped against the result of +> sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit +> platforms). This is done with min_t() because min() requires compatible +> types, which results in both len and the result of sizeof() being casted +> to 'unsigned int', meaning len changes signs and the result of sizeof() +> is truncated. From there, len is passed to copy_to_user(), which has a +> third parameter type of 'unsigned long', so it is widened and changes +> signs again. This excessive casting in combination with the KCSAN +> instrumentation causes LLVM to fail to eliminate the __bad_copy_from() +> call, failing the build. + +The same issue occurs in rfcomm in functions rfcomm_sock_getsockopt and +rfcomm_sock_getsockopt_old. + +Change the type of len to size_t in both rfcomm_sock_getsockopt and +rfcomm_sock_getsockopt_old and replace min_t() with min(). + +Cc: stable@vger.kernel.org +Co-authored-by: Aleksei Vetrov +Improves: 9bf4e919ccad ("Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()") +Link: https://github.com/ClangBuiltLinux/linux/issues/2007 +Link: https://github.com/llvm/llvm-project/issues/85647 +Signed-off-by: Andrej Shadura +Reviewed-by: Nathan Chancellor +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/rfcomm/sock.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -736,7 +736,8 @@ static int rfcomm_sock_getsockopt_old(st + struct sock *l2cap_sk; + struct l2cap_conn *conn; + struct rfcomm_conninfo cinfo; +- int len, err = 0; ++ int err = 0; ++ size_t len; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -790,7 +791,7 @@ static int rfcomm_sock_getsockopt_old(st + cinfo.hci_handle = conn->hcon->handle; + memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); + +- len = min_t(unsigned int, len, sizeof(cinfo)); ++ len = min(len, sizeof(cinfo)); + if (copy_to_user(optval, (char *) &cinfo, len)) + err = -EFAULT; + +@@ -809,7 +810,8 @@ static int rfcomm_sock_getsockopt(struct + { + struct sock *sk = sock->sk; + struct bt_security sec; +- int len, err = 0; ++ int err = 0; ++ size_t len; + + BT_DBG("sk %p", sk); + +@@ -834,7 +836,7 @@ static int rfcomm_sock_getsockopt(struct + sec.level = rfcomm_pi(sk)->sec_level; + sec.key_size = 0; + +- len = min_t(unsigned int, len, sizeof(sec)); ++ len = min(len, sizeof(sec)); + if (copy_to_user(optval, (char *) &sec, len)) + err = -EFAULT; + diff --git a/queue-4.19/ext4-fix-fs_ioc_getfsmap-handling.patch b/queue-4.19/ext4-fix-fs_ioc_getfsmap-handling.patch new file mode 100644 index 00000000000..01c5ad065ab --- /dev/null +++ b/queue-4.19/ext4-fix-fs_ioc_getfsmap-handling.patch @@ -0,0 +1,158 @@ +From 4a622e4d477bb12ad5ed4abbc7ad1365de1fa347 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 23 Oct 2024 00:25:37 -0400 +Subject: ext4: fix FS_IOC_GETFSMAP handling + +From: Theodore Ts'o + +commit 4a622e4d477bb12ad5ed4abbc7ad1365de1fa347 upstream. + +The original implementation ext4's FS_IOC_GETFSMAP handling only +worked when the range of queried blocks included at least one free +(unallocated) block range. This is because how the metadata blocks +were emitted was as a side effect of ext4_mballoc_query_range() +calling ext4_getfsmap_datadev_helper(), and that function was only +called when a free block range was identified. As a result, this +caused generic/365 to fail. + +Fix this by creating a new function ext4_getfsmap_meta_helper() which +gets called so that blocks before the first free block range in a +block group can get properly reported. + +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/fsmap.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++- + fs/ext4/mballoc.c | 18 ++++++++++++++---- + fs/ext4/mballoc.h | 1 + + 3 files changed, 68 insertions(+), 5 deletions(-) + +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -185,6 +185,56 @@ static inline ext4_fsblk_t ext4_fsmap_ne + return fmr->fmr_physical + fmr->fmr_length; + } + ++static int ext4_getfsmap_meta_helper(struct super_block *sb, ++ ext4_group_t agno, ext4_grpblk_t start, ++ ext4_grpblk_t len, void *priv) ++{ ++ struct ext4_getfsmap_info *info = priv; ++ struct ext4_fsmap *p; ++ struct ext4_fsmap *tmp; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); ++ ext4_fsblk_t fsb, fs_start, fs_end; ++ int error; ++ ++ fs_start = fsb = (EXT4_C2B(sbi, start) + ++ ext4_group_first_block_no(sb, agno)); ++ fs_end = fs_start + EXT4_C2B(sbi, len); ++ ++ /* Return relevant extents from the meta_list */ ++ list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) { ++ if (p->fmr_physical < info->gfi_next_fsblk) { ++ list_del(&p->fmr_list); ++ kfree(p); ++ continue; ++ } ++ if (p->fmr_physical <= fs_start || ++ p->fmr_physical + p->fmr_length <= fs_end) { ++ /* Emit the retained free extent record if present */ ++ if (info->gfi_lastfree.fmr_owner) { ++ error = ext4_getfsmap_helper(sb, info, ++ &info->gfi_lastfree); ++ if (error) ++ return error; ++ info->gfi_lastfree.fmr_owner = 0; ++ } ++ error = ext4_getfsmap_helper(sb, info, p); ++ if (error) ++ return error; ++ fsb = p->fmr_physical + p->fmr_length; ++ if (info->gfi_next_fsblk < fsb) ++ info->gfi_next_fsblk = fsb; ++ list_del(&p->fmr_list); ++ kfree(p); ++ continue; ++ } ++ } ++ if (info->gfi_next_fsblk < fsb) ++ info->gfi_next_fsblk = fsb; ++ ++ return 0; ++} ++ ++ + /* Transform a blockgroup's free record into a fsmap */ + static int ext4_getfsmap_datadev_helper(struct super_block *sb, + ext4_group_t agno, ext4_grpblk_t start, +@@ -539,6 +589,7 @@ static int ext4_getfsmap_datadev(struct + error = ext4_mballoc_query_range(sb, info->gfi_agno, + EXT4_B2C(sbi, info->gfi_low.fmr_physical), + EXT4_B2C(sbi, info->gfi_high.fmr_physical), ++ ext4_getfsmap_meta_helper, + ext4_getfsmap_datadev_helper, info); + if (error) + goto err; +@@ -560,7 +611,8 @@ static int ext4_getfsmap_datadev(struct + + /* Report any gaps at the end of the bg */ + info->gfi_last = true; +- error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster, 0, info); ++ error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, ++ 0, info); + if (error) + goto err; + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5424,13 +5424,14 @@ int + ext4_mballoc_query_range( + struct super_block *sb, + ext4_group_t group, +- ext4_grpblk_t start, ++ ext4_grpblk_t first, + ext4_grpblk_t end, ++ ext4_mballoc_query_range_fn meta_formatter, + ext4_mballoc_query_range_fn formatter, + void *priv) + { + void *bitmap; +- ext4_grpblk_t next; ++ ext4_grpblk_t start, next; + struct ext4_buddy e4b; + int error; + +@@ -5441,10 +5442,19 @@ ext4_mballoc_query_range( + + ext4_lock_group(sb, group); + +- start = max(e4b.bd_info->bb_first_free, start); ++ start = max(e4b.bd_info->bb_first_free, first); + if (end >= EXT4_CLUSTERS_PER_GROUP(sb)) + end = EXT4_CLUSTERS_PER_GROUP(sb) - 1; +- ++ if (meta_formatter && start != first) { ++ if (start > end) ++ start = end; ++ ext4_unlock_group(sb, group); ++ error = meta_formatter(sb, group, first, start - first, ++ priv); ++ if (error) ++ goto out_unload; ++ ext4_lock_group(sb, group); ++ } + while (start <= end) { + start = mb_find_next_zero_bit(bitmap, end + 1, start); + if (start > end) +--- a/fs/ext4/mballoc.h ++++ b/fs/ext4/mballoc.h +@@ -212,6 +212,7 @@ ext4_mballoc_query_range( + ext4_group_t agno, + ext4_grpblk_t start, + ext4_grpblk_t end, ++ ext4_mballoc_query_range_fn meta_formatter, + ext4_mballoc_query_range_fn formatter, + void *priv); + diff --git a/queue-4.19/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch b/queue-4.19/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch new file mode 100644 index 00000000000..0df017bcdb0 --- /dev/null +++ b/queue-4.19/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch @@ -0,0 +1,83 @@ +From 902cc179c931a033cd7f4242353aa2733bf8524c Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Thu, 3 Oct 2024 21:53:37 +0900 +Subject: ext4: supress data-race warnings in ext4_free_inodes_{count,set}() + +From: Jeongjun Park + +commit 902cc179c931a033cd7f4242353aa2733bf8524c upstream. + +find_group_other() and find_group_orlov() read *_lo, *_hi with +ext4_free_inodes_count without additional locking. This can cause +data-race warning, but since the lock is held for most writes and free +inodes value is generally not a problem even if it is incorrect, it is +more appropriate to use READ_ONCE()/WRITE_ONCE() than to add locking. + +================================================================== +BUG: KCSAN: data-race in ext4_free_inodes_count / ext4_free_inodes_set + +write to 0xffff88810404300e of 2 bytes by task 6254 on cpu 1: + ext4_free_inodes_set+0x1f/0x80 fs/ext4/super.c:405 + __ext4_new_inode+0x15ca/0x2200 fs/ext4/ialloc.c:1216 + ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391 + vfs_symlink+0xca/0x1d0 fs/namei.c:4615 + do_symlinkat+0xe3/0x340 fs/namei.c:4641 + __do_sys_symlinkat fs/namei.c:4657 [inline] + __se_sys_symlinkat fs/namei.c:4654 [inline] + __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654 + x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +read to 0xffff88810404300e of 2 bytes by task 6257 on cpu 0: + ext4_free_inodes_count+0x1c/0x80 fs/ext4/super.c:349 + find_group_other fs/ext4/ialloc.c:594 [inline] + __ext4_new_inode+0x6ec/0x2200 fs/ext4/ialloc.c:1017 + ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391 + vfs_symlink+0xca/0x1d0 fs/namei.c:4615 + do_symlinkat+0xe3/0x340 fs/namei.c:4641 + __do_sys_symlinkat fs/namei.c:4657 [inline] + __se_sys_symlinkat fs/namei.c:4654 [inline] + __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654 + x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Cc: stable@vger.kernel.org +Signed-off-by: Jeongjun Park +Reviewed-by: Andreas Dilger +Link: https://patch.msgid.link/20241003125337.47283-1-aha310510@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -258,9 +258,9 @@ __u32 ext4_free_group_clusters(struct su + __u32 ext4_free_inodes_count(struct super_block *sb, + struct ext4_group_desc *bg) + { +- return le16_to_cpu(bg->bg_free_inodes_count_lo) | ++ return le16_to_cpu(READ_ONCE(bg->bg_free_inodes_count_lo)) | + (EXT4_DESC_SIZE(sb) >= EXT4_MIN_DESC_SIZE_64BIT ? +- (__u32)le16_to_cpu(bg->bg_free_inodes_count_hi) << 16 : 0); ++ (__u32)le16_to_cpu(READ_ONCE(bg->bg_free_inodes_count_hi)) << 16 : 0); + } + + __u32 ext4_used_dirs_count(struct super_block *sb, +@@ -314,9 +314,9 @@ void ext4_free_group_clusters_set(struct + void ext4_free_inodes_set(struct super_block *sb, + struct ext4_group_desc *bg, __u32 count) + { +- bg->bg_free_inodes_count_lo = cpu_to_le16((__u16)count); ++ WRITE_ONCE(bg->bg_free_inodes_count_lo, cpu_to_le16((__u16)count)); + if (EXT4_DESC_SIZE(sb) >= EXT4_MIN_DESC_SIZE_64BIT) +- bg->bg_free_inodes_count_hi = cpu_to_le16(count >> 16); ++ WRITE_ONCE(bg->bg_free_inodes_count_hi, cpu_to_le16(count >> 16)); + } + + void ext4_used_dirs_set(struct super_block *sb, diff --git a/queue-4.19/jfs-xattr-check-invalid-xattr-size-more-strictly.patch b/queue-4.19/jfs-xattr-check-invalid-xattr-size-more-strictly.patch new file mode 100644 index 00000000000..9055da77a4b --- /dev/null +++ b/queue-4.19/jfs-xattr-check-invalid-xattr-size-more-strictly.patch @@ -0,0 +1,38 @@ +From d9f9d96136cba8fedd647d2c024342ce090133c2 Mon Sep 17 00:00:00 2001 +From: Artem Sadovnikov +Date: Sat, 5 Oct 2024 10:06:57 +0000 +Subject: jfs: xattr: check invalid xattr size more strictly + +From: Artem Sadovnikov + +commit d9f9d96136cba8fedd647d2c024342ce090133c2 upstream. + +Commit 7c55b78818cf ("jfs: xattr: fix buffer overflow for invalid xattr") +also addresses this issue but it only fixes it for positive values, while +ea_size is an integer type and can take negative values, e.g. in case of +a corrupted filesystem. This still breaks validation and would overflow +because of implicit conversion from int to size_t in print_hex_dump(). + +Fix this issue by clamping the ea_size value instead. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Cc: stable@vger.kernel.org +Signed-off-by: Artem Sadovnikov +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jfs/xattr.c ++++ b/fs/jfs/xattr.c +@@ -572,7 +572,7 @@ static int ea_get(struct inode *inode, s + + size_check: + if (EALIST_SIZE(ea_buf->xattr) != ea_size) { +- int size = min_t(int, EALIST_SIZE(ea_buf->xattr), ea_size); ++ int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); + + printk(KERN_ERR "ea_get: invalid extended attribute\n"); + print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1, diff --git a/queue-4.19/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch b/queue-4.19/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch new file mode 100644 index 00000000000..63da91d1ccf --- /dev/null +++ b/queue-4.19/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch @@ -0,0 +1,129 @@ +From c7acef99642b763ba585f4a43af999fcdbcc3dc4 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 10 Oct 2024 19:10:34 +0200 +Subject: PCI: Fix use-after-free of slot->bus on hot remove + +From: Lukas Wunner + +commit c7acef99642b763ba585f4a43af999fcdbcc3dc4 upstream. + +Dennis reports a boot crash on recent Lenovo laptops with a USB4 dock. + +Since commit 0fc70886569c ("thunderbolt: Reset USB4 v2 host router") and +commit 59a54c5f3dbd ("thunderbolt: Reset topology created by the boot +firmware"), USB4 v2 and v1 Host Routers are reset on probe of the +thunderbolt driver. + +The reset clears the Presence Detect State and Data Link Layer Link Active +bits at the USB4 Host Router's Root Port and thus causes hot removal of the +dock. + +The crash occurs when pciehp is unbound from one of the dock's Downstream +Ports: pciehp creates a pci_slot on bind and destroys it on unbind. The +pci_slot contains a pointer to the pci_bus below the Downstream Port, but +a reference on that pci_bus is never acquired. The pci_bus is destroyed +before the pci_slot, so a use-after-free ensues when pci_slot_release() +accesses slot->bus. + +In principle this should not happen because pci_stop_bus_device() unbinds +pciehp (and therefore destroys the pci_slot) before the pci_bus is +destroyed by pci_remove_bus_device(). + +However the stacktrace provided by Dennis shows that pciehp is unbound from +pci_remove_bus_device() instead of pci_stop_bus_device(). To understand +the significance of this, one needs to know that the PCI core uses a two +step process to remove a portion of the hierarchy: It first unbinds all +drivers in the sub-hierarchy in pci_stop_bus_device() and then actually +removes the devices in pci_remove_bus_device(). There is no precaution to +prevent driver binding in-between pci_stop_bus_device() and +pci_remove_bus_device(). + +In Dennis' case, it seems removal of the hierarchy by pciehp races with +driver binding by pci_bus_add_devices(). pciehp is bound to the +Downstream Port after pci_stop_bus_device() has run, so it is unbound by +pci_remove_bus_device() instead of pci_stop_bus_device(). Because the +pci_bus has already been destroyed at that point, accesses to it result in +a use-after-free. + +One might conclude that driver binding needs to be prevented after +pci_stop_bus_device() has run. However it seems risky that pci_slot points +to pci_bus without holding a reference. Solely relying on correct ordering +of driver unbind versus pci_bus destruction is certainly not defensive +programming. + +If pci_slot has a need to access data in pci_bus, it ought to acquire a +reference. Amend pci_create_slot() accordingly. Dennis reports that the +crash is not reproducible with this change. + +Abridged stacktrace: + + pcieport 0000:00:07.0: PME: Signaling with IRQ 156 + pcieport 0000:00:07.0: pciehp: Slot #12 AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+ Interlock- NoCompl+ IbPresDis- LLActRep+ + pci_bus 0000:20: dev 00, created physical slot 12 + pcieport 0000:00:07.0: pciehp: Slot(12): Card not present + ... + pcieport 0000:21:02.0: pciehp: pcie_disable_notification: SLOTCTRL d8 write cmd 0 + Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI + CPU: 13 UID: 0 PID: 134 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #1 + RIP: 0010:dev_driver_string+0x12/0x40 + pci_destroy_slot + pciehp_remove + pcie_port_remove_service + device_release_driver_internal + bus_remove_device + device_del + device_unregister + remove_iter + device_for_each_child + pcie_portdrv_remove + pci_device_remove + device_release_driver_internal + bus_remove_device + device_del + pci_remove_bus_device (recursive invocation) + pci_remove_bus_device + pciehp_unconfigure_device + pciehp_disable_slot + pciehp_handle_presence_or_link_change + pciehp_ist + +Link: https://lore.kernel.org/r/4bfd4c0e976c1776cd08e76603903b338cf25729.1728579288.git.lukas@wunner.de +Reported-by: Dennis Wassenberg +Closes: https://lore.kernel.org/r/6de4b45ff2b32dd91a805ec02ec8ec73ef411bf6.camel@secunet.com/ +Tested-by: Dennis Wassenberg +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Reviewed-by: Mika Westerberg +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/slot.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pci/slot.c ++++ b/drivers/pci/slot.c +@@ -115,6 +115,7 @@ static void pci_slot_release(struct kobj + up_read(&pci_bus_sem); + + list_del(&slot->list); ++ pci_bus_put(slot->bus); + + kfree(slot); + } +@@ -296,7 +297,7 @@ placeholder: + goto err; + } + +- slot->bus = parent; ++ slot->bus = pci_bus_get(parent); + slot->number = slot_nr; + + slot->kobj.kset = pci_slots_kset; +@@ -304,6 +305,7 @@ placeholder: + slot_name = make_slot_name(name); + if (!slot_name) { + err = -ENOMEM; ++ pci_bus_put(slot->bus); + kfree(slot); + goto err; + } diff --git a/queue-4.19/series b/queue-4.19/series index dbe1023d0df..6d1b3324f89 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -97,3 +97,12 @@ usb-chaoskey-fix-possible-deadlock-chaoskey_list_loc.patch misc-apds990x-fix-missing-pm_runtime_disable.patch apparmor-fix-do-simple-duplicate-message-elimination.patch usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch +ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch +ext4-fix-fs_ioc_getfsmap-handling.patch +jfs-xattr-check-invalid-xattr-size-more-strictly.patch +asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch +pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch +tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch +xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch +bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch +alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch diff --git a/queue-4.19/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch b/queue-4.19/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch new file mode 100644 index 00000000000..7c4112164e7 --- /dev/null +++ b/queue-4.19/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch @@ -0,0 +1,41 @@ +From 635a9fca54f4f4148be1ae1c7c6bd37af80f5773 Mon Sep 17 00:00:00 2001 +From: Nicolas Bouchinet +Date: Tue, 12 Nov 2024 14:13:31 +0100 +Subject: tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler + +From: Nicolas Bouchinet + +commit 635a9fca54f4f4148be1ae1c7c6bd37af80f5773 upstream. + +Commit 7c0cca7c847e ("tty: ldisc: add sysctl to prevent autoloading of +ldiscs") introduces the tty_ldisc_autoload sysctl with the wrong +proc_handler. .extra1 and .extra2 parameters are set to avoid other values +thant SYSCTL_ZERO or SYSCTL_ONE to be set but proc_dointvec do not uses +them. + +This commit fixes this by using proc_dointvec_minmax instead of +proc_dointvec. + +Fixes: 7c0cca7c847e ("tty: ldisc: add sysctl to prevent autoloading of ldiscs") +Cc: stable +Signed-off-by: Nicolas Bouchinet +Reviewed-by: Lin Feng +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/20241112131357.49582-4-nicolas.bouchinet@clip-os.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/tty_ldisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -854,7 +854,7 @@ static struct ctl_table tty_table[] = { + .data = &tty_ldisc_autoload, + .maxlen = sizeof(tty_ldisc_autoload), + .mode = 0644, +- .proc_handler = proc_dointvec, ++ .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + .extra2 = &one, + }, diff --git a/queue-4.19/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch b/queue-4.19/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch new file mode 100644 index 00000000000..82a0c2c3f95 --- /dev/null +++ b/queue-4.19/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch @@ -0,0 +1,46 @@ +From e735e957f2b9cfe4be486e0304732ec36928591f Mon Sep 17 00:00:00 2001 +From: Kuangyi Chiang +Date: Wed, 6 Nov 2024 12:14:46 +0200 +Subject: xhci: Don't perform Soft Retry for Etron xHCI host + +From: Kuangyi Chiang + +commit e735e957f2b9cfe4be486e0304732ec36928591f upstream. + +Since commit f8f80be501aa ("xhci: Use soft retry to recover faster from +transaction errors"), unplugging USB device while enumeration results in +errors like this: + +[ 364.855321] xhci_hcd 0000:0b:00.0: ERROR Transfer event for disabled endpoint slot 5 ep 2 +[ 364.864622] xhci_hcd 0000:0b:00.0: @0000002167656d70 67f03000 00000021 0c000000 05038001 +[ 374.934793] xhci_hcd 0000:0b:00.0: Abort failed to stop command ring: -110 +[ 374.958793] xhci_hcd 0000:0b:00.0: xHCI host controller not responding, assume dead +[ 374.967590] xhci_hcd 0000:0b:00.0: HC died; cleaning up +[ 374.973984] xhci_hcd 0000:0b:00.0: Timeout while waiting for configure endpoint command + +Seems that Etorn xHCI host can not perform Soft Retry correctly, apply +XHCI_NO_SOFT_RETRY quirk to disable Soft Retry and then issue is gone. + +This patch depends on commit a4a251f8c235 ("usb: xhci: do not perform +Soft Retry for some xHCI hosts"). + +Fixes: f8f80be501aa ("xhci: Use soft retry to recover faster from transaction errors") +Cc: stable@vger.kernel.org +Signed-off-by: Kuangyi Chiang +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241106101459.775897-21-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -229,6 +229,7 @@ static void xhci_pci_quirks(struct devic + pdev->device == PCI_DEVICE_ID_EJ188) { + xhci->quirks |= XHCI_RESET_ON_RESUME; + xhci->quirks |= XHCI_BROKEN_STREAMS; ++ xhci->quirks |= XHCI_NO_SOFT_RETRY; + } + + if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&