From: Greg Kroah-Hartman Date: Tue, 1 Oct 2024 11:27:21 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v6.6.54~68 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d149ba3fb19fe5ee68c0dfe496f15343d1c4a33b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: acpi-sysfs-validate-return-type-of-_str-method.patch drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch --- diff --git a/queue-4.19/acpi-sysfs-validate-return-type-of-_str-method.patch b/queue-4.19/acpi-sysfs-validate-return-type-of-_str-method.patch new file mode 100644 index 00000000000..f60930a0a4f --- /dev/null +++ b/queue-4.19/acpi-sysfs-validate-return-type-of-_str-method.patch 
@@ -0,0 +1,41 @@ +From 4bb1e7d027413835b086aed35bc3f0713bc0f72b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Tue, 9 Jul 2024 22:37:24 +0200 +Subject: ACPI: sysfs: validate return type of _STR method +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 4bb1e7d027413835b086aed35bc3f0713bc0f72b upstream. + +Only buffer objects are valid return values of _STR. + +If something else is returned description_show() will access invalid +memory. + +Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description") +Cc: All applicable +Signed-off-by: Thomas Weißschuh +Link: https://patch.msgid.link/20240709-acpi-sysfs-groups-v2-1-058ab0667fa8@weissschuh.net +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/device_sysfs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/device_sysfs.c ++++ b/drivers/acpi/device_sysfs.c +@@ -539,8 +539,9 @@ int acpi_device_setup_files(struct acpi_ + * If device has _STR, 'description' file is created + */ + if (acpi_has_method(dev->handle, "_STR")) { +- status = acpi_evaluate_object(dev->handle, "_STR", +- NULL, &buffer); ++ status = acpi_evaluate_object_typed(dev->handle, "_STR", ++ NULL, &buffer, ++ ACPI_TYPE_BUFFER); + if (ACPI_FAILURE(status)) + buffer.pointer = NULL; + dev->pnp.str_obj = buffer.pointer; diff --git a/queue-4.19/drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch b/queue-4.19/drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch new file mode 100644 index 00000000000..377c984e2ea --- /dev/null +++ b/queue-4.19/drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch 
@@ -0,0 +1,36 @@ +From a5e61b50c9f44c5edb6e134ede6fee8806ffafa9 Mon Sep 17 00:00:00 2001 +From: Mikhail Lobanov +Date: Mon, 9 Sep 2024 09:37:36 -0400 +Subject: drbd: Add NULL check for net_conf to prevent dereference in state validation + +From: Mikhail Lobanov + +commit a5e61b50c9f44c5edb6e134ede6fee8806ffafa9 upstream. + +If the net_conf pointer is NULL and the code attempts to access its +fields without a check, it will lead to a null pointer dereference. +Add a NULL check before dereferencing the pointer. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 44ed167da748 ("drbd: rcu_read_lock() and rcu_dereference() for tconn->net_conf") +Cc: stable@vger.kernel.org +Signed-off-by: Mikhail Lobanov +Link: https://lore.kernel.org/r/20240909133740.84297-1-m.lobanov@rosalinux.ru +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/drbd/drbd_state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/block/drbd/drbd_state.c ++++ b/drivers/block/drbd/drbd_state.c +@@ -888,7 +888,7 @@ is_valid_state(struct drbd_device *devic + ns.disk == D_OUTDATED) + rv = SS_CONNECTED_OUTDATES; + +- else if ((ns.conn == C_VERIFY_S || ns.conn == C_VERIFY_T) && ++ else if (nc && (ns.conn == C_VERIFY_S || ns.conn == C_VERIFY_T) && + (nc->verify_alg[0] == 0)) + rv = SS_NO_VERIFY_ALG; + diff --git a/queue-4.19/drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch b/queue-4.19/drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch new file mode 100644 index 00000000000..45bcb7b53ec --- /dev/null +++ b/queue-4.19/drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch 
@@ -0,0 +1,58 @@ +From 2f02b5af3a4482b216e6a466edecf6ba8450fa45 Mon Sep 17 00:00:00 2001 +From: Qiu-ji Chen +Date: Fri, 13 Sep 2024 16:35:04 +0800 +Subject: drbd: Fix atomicity violation in drbd_uuid_set_bm() + +From: Qiu-ji Chen + +commit 2f02b5af3a4482b216e6a466edecf6ba8450fa45 upstream. + +The violation of atomicity occurs when the drbd_uuid_set_bm function is +executed simultaneously with modifying the value of +device->ldev->md.uuid[UI_BITMAP]. Consider a scenario where, while +device->ldev->md.uuid[UI_BITMAP] passes the validity check when its +value is not zero, the value of device->ldev->md.uuid[UI_BITMAP] is +written to zero. In this case, the check in drbd_uuid_set_bm might refer +to the old value of device->ldev->md.uuid[UI_BITMAP] (before locking), +which allows an invalid value to pass the validity check, resulting in +inconsistency. + +To address this issue, it is recommended to include the data validity +check within the locked section of the function. This modification +ensures that the value of device->ldev->md.uuid[UI_BITMAP] does not +change during the validation process, thereby maintaining its integrity. + +This possible bug is found by an experimental static analysis tool +developed by our team. This tool analyzes the locking APIs to extract +function pairs that can be concurrently executed, and then analyzes the +instructions in the paired functions to identify possible concurrency +bugs including data races and atomicity violations. 
+ +Fixes: 9f2247bb9b75 ("drbd: Protect accesses to the uuid set with a spinlock") +Cc: stable@vger.kernel.org +Signed-off-by: Qiu-ji Chen +Reviewed-by: Philipp Reisner +Link: https://lore.kernel.org/r/20240913083504.10549-1-chenqiuji666@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/drbd/drbd_main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/block/drbd/drbd_main.c ++++ b/drivers/block/drbd/drbd_main.c +@@ -3499,10 +3499,12 @@ void drbd_uuid_new_current(struct drbd_d + void drbd_uuid_set_bm(struct drbd_device *device, u64 val) __must_hold(local) + { + unsigned long flags; +- if (device->ldev->md.uuid[UI_BITMAP] == 0 && val == 0) ++ spin_lock_irqsave(&device->ldev->md.uuid_lock, flags); ++ if (device->ldev->md.uuid[UI_BITMAP] == 0 && val == 0) { ++ spin_unlock_irqrestore(&device->ldev->md.uuid_lock, flags); + return; ++ } + +- spin_lock_irqsave(&device->ldev->md.uuid_lock, flags); + if (val == 0) { + drbd_uuid_move_history(device); + device->ldev->md.uuid[UI_HISTORY_START] = device->ldev->md.uuid[UI_BITMAP]; diff --git a/queue-4.19/series b/queue-4.19/series index d68c4d6b829..fc98b7693b6 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -116,3 +116,6 @@ usb-appledisplay-close-race-between-probe-and-completion-handler.patch usb-misc-cypress_cy7c63-check-for-short-transfer.patch firmware_loader-block-path-traversal.patch tty-rp2-fix-reset-with-non-forgiving-pcie-host-bridges.patch +drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch +drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch +acpi-sysfs-validate-return-type-of-_str-method.patch
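Review bot: In the acpi_device_setup_files() hunk for drivers/acpi/device_sysfs.c, a _STR that returns a non-buffer object now takes the ACPI_FAILURE(status) path, which sets buffer.pointer = NULL and so leaves dev->pnp.str_obj NULL, while the comment just above still says the 'description' file is created whenever _STR exists. The lines that create the file are outside this hunk, so please confirm that creation is skipped when str_obj is NULL, or that description_show() checks for NULL before reading the object; otherwise the invalid access described in the commit message turns into a NULL dereference. A one-line debug message on the failure path would also make firmware with a wrongly typed _STR easier to spot.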
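Review bot: In the is_valid_state() hunk for drivers/block/drbd/drbd_state.c, adding nc && to the C_VERIFY_S / C_VERIFY_T branch means that when nc is NULL the branch is skipped and rv is not set to SS_NO_VERIFY_ALG, so a request for a verify state with no net_conf is not rejected by this check. If a missing net_conf implies there is no verify algorithm, the condition could be written as (!nc || nc->verify_alg[0] == 0) so the state is still refused; if falling through is intended, a short comment saying why would help. The hunk shows only this one use of nc, so any other dereference of nc in the function deserves the same look.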
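Review bot: In the drbd_uuid_set_bm() hunk for drivers/block/drbd/drbd_main.c, moving the check under uuid_lock forces a second spin_unlock_irqrestore() on the early-return path, which is easy to miss when the function is edited later. Consider inverting the condition so the body that follows runs only when device->ldev->md.uuid[UI_BITMAP] != 0 || val != 0, or jumping to a single unlock label at the end of the function, so that there is one unlock site. As a style point, the declaration unsigned long flags; is now followed directly by a statement; kernel style wants a blank line between them.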