From a587118ea3c00881d2f3829b4efbed58fcd8b864 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 3 Aug 2022 13:56:54 +0200
Subject: [PATCH] 5.10-stable patches
added patches:
ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_rxep.patch
ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_tx_get_packet.patch
x86-speculation-make-all-retbleed-mitigations-64-bit-only.patch
---
...ointer-dereference-at-ath9k_htc_rxep.patch | 71 +++++++++++++++++
...reference-at-ath9k_htc_tx_get_packet.patch | 76 +++++++++++++++++++
queue-5.10/series | 3 +
...all-retbleed-mitigations-64-bit-only.patch | 66 ++++++++++++++++
4 files changed, 216 insertions(+)
create mode 100644 queue-5.10/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_rxep.patch
create mode 100644 queue-5.10/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_tx_get_packet.patch
create mode 100644 queue-5.10/series
create mode 100644 queue-5.10/x86-speculation-make-all-retbleed-mitigations-64-bit-only.patch
diff --git a/queue-5.10/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_rxep.patch b/queue-5.10/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_rxep.patch
new file mode 100644
index 00000000000..a1c4d65bd75
--- /dev/null
+++ b/queue-5.10/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_rxep.patch
@@ -0,0 +1,71 @@
+From foo@baz Wed Aug 3 01:49:25 PM CEST 2022
+From: Fedor Pchelkin
+Date: Mon, 1 Aug 2022 18:59:07 +0300
+Subject: ath9k_htc: fix NULL pointer dereference at ath9k_htc_rxep()
+To: stable@vger.kernel.org, Greg Kroah-Hartman
+Cc: Tetsuo Handa , Kalle Valo , Alexey Khoroshilov , ldv-project@linuxtesting.org, syzbot , Fedor Pchelkin
+Message-ID: <20220801155908.1539833-2-pchelkin@ispras.ru>
+
+From: Tetsuo Handa
+
+commit b0ec7e55fce65f125bd1d7f02e2dc4de62abee34 upstream.
+
+syzbot is reporting lockdep warning followed by kernel panic at
+ath9k_htc_rxep() [1], for ath9k_htc_rxep() depends on ath9k_rx_init()
+being already completed.
+
+Since ath9k_htc_rxep() is set by ath9k_htc_connect_svc(WMI_BEACON_SVC)
+ from ath9k_init_htc_services(), it is possible that ath9k_htc_rxep() is
+called via timer interrupt before ath9k_rx_init() from ath9k_init_device()
+is called.
+
+Since we can't call ath9k_init_device() before ath9k_init_htc_services(),
+let's hold ath9k_htc_rxep() no-op until ath9k_rx_init() completes.
+
+Link: https://syzkaller.appspot.com/bug?extid=4d2d56175b934b9a7bf9 [1]
+Reported-by: syzbot
+Signed-off-by: Tetsuo Handa
+Tested-by: syzbot
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/2b88f416-b2cb-7a18-d688-951e6dc3fe92@i-love.sakura.ne.jp
+Signed-off-by: Fedor Pchelkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath9k/htc.h | 1 +
+ drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/htc.h
++++ b/drivers/net/wireless/ath/ath9k/htc.h
+@@ -281,6 +281,7 @@ struct ath9k_htc_rxbuf {
+ struct ath9k_htc_rx {
+ struct list_head rxbuf;
+ spinlock_t rxbuflock;
++ bool initialized;
+ };
+
+ #define ATH9K_HTC_TX_CLEANUP_INTERVAL 50 /* ms */
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+@@ -1133,6 +1133,10 @@ void ath9k_htc_rxep(void *drv_priv, stru
+ struct ath9k_htc_rxbuf *rxbuf = NULL, *tmp_buf = NULL;
+ unsigned long flags;
+
++ /* Check if ath9k_rx_init() completed. */
++ if (!data_race(priv->rx.initialized))
++ goto err;
++
+ spin_lock_irqsave(&priv->rx.rxbuflock, flags);
+ list_for_each_entry(tmp_buf, &priv->rx.rxbuf, list) {
+ if (!tmp_buf->in_process) {
+@@ -1188,6 +1192,10 @@ int ath9k_rx_init(struct ath9k_htc_priv
+ list_add_tail(&rxbuf->list, &priv->rx.rxbuf);
+ }
+
++ /* Allow ath9k_htc_rxep() to operate. */
++ smp_wmb();
++ priv->rx.initialized = true;
++
+ return 0;
+
+ err:
diff --git a/queue-5.10/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_tx_get_packet.patch b/queue-5.10/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_tx_get_packet.patch
new file mode 100644
index 00000000000..ebe2e0d4951
--- /dev/null
+++ b/queue-5.10/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_tx_get_packet.patch
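Review bot: The guard added at the top of ath9k_htc_rxep() reads `priv->rx.initialized` through data_race() with no read-side barrier, while ath9k_rx_init() publishes the flag with `smp_wmb()` before the store, so the write barrier is unpaired and the ordering of the later rxbuf list walk presumably rests on the spin_lock_irqsave() that follows rather than on anything explicit. A matched pair, `smp_store_release(&priv->rx.initialized, true);` in ath9k_rx_init() and `if (!smp_load_acquire(&priv->rx.initialized)) goto err;` in the receive path, would state that intent directly instead of relying on the lock acquisition. The same unpaired smp_wmb()/data_race() shape is used in the tx_get_packet patch below (ath9k_tx_init() and ath9k_wmi_event_tasklet()), so the same remark applies there. The `err` label and the rest of ath9k_htc_rxep() lie outside the hunk; presumably it releases the skb, so an early-arriving frame is not leaked — worth confirming.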
@@ -0,0 +1,76 @@
+From foo@baz Wed Aug 3 01:49:25 PM CEST 2022
+From: Fedor Pchelkin
+Date: Mon, 1 Aug 2022 18:59:08 +0300
+Subject: ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()
+To: stable@vger.kernel.org, Greg Kroah-Hartman
+Cc: Tetsuo Handa , Kalle Valo , Alexey Khoroshilov , ldv-project@linuxtesting.org, syzbot , Fedor Pchelkin
+Message-ID: <20220801155908.1539833-3-pchelkin@ispras.ru>
+
+From: Tetsuo Handa
+
+commit 8b3046abc99eefe11438090bcc4ec3a3994b55d0 upstream.
+
+syzbot is reporting lockdep warning at ath9k_wmi_event_tasklet() followed
+by kernel panic at get_htc_epid_queue() from ath9k_htc_tx_get_packet() from
+ath9k_htc_txstatus() [1], for ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID)
+depends on spin_lock_init() from ath9k_init_priv() being already completed.
+
+Since ath9k_wmi_event_tasklet() is set by ath9k_init_wmi() from
+ath9k_htc_probe_device(), it is possible that ath9k_wmi_event_tasklet() is
+called via tasklet interrupt before spin_lock_init() from ath9k_init_priv()
+ from ath9k_init_device() from ath9k_htc_probe_device() is called.
+
+Let's hold ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) no-op until
+ath9k_tx_init() completes.
+
+Link: https://syzkaller.appspot.com/bug?extid=31d54c60c5b254d6f75b [1]
+Reported-by: syzbot
+Signed-off-by: Tetsuo Handa
+Tested-by: syzbot
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/77b76ac8-2bee-6444-d26c-8c30858b8daa@i-love.sakura.ne.jp
+Signed-off-by: Fedor Pchelkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath9k/htc.h | 1 +
+ drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 5 +++++
+ drivers/net/wireless/ath/ath9k/wmi.c | 4 ++++
+ 3 files changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/htc.h
++++ b/drivers/net/wireless/ath/ath9k/htc.h
+@@ -306,6 +306,7 @@ struct ath9k_htc_tx {
+ DECLARE_BITMAP(tx_slot, MAX_TX_BUF_NUM);
+ struct timer_list cleanup_timer;
+ spinlock_t tx_lock;
++ bool initialized;
+ };
+
+ struct ath9k_htc_tx_ctl {
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+@@ -808,6 +808,11 @@ int ath9k_tx_init(struct ath9k_htc_priv
+ skb_queue_head_init(&priv->tx.data_vi_queue);
+ skb_queue_head_init(&priv->tx.data_vo_queue);
+ skb_queue_head_init(&priv->tx.tx_failed);
++
++ /* Allow ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) to operate. */
++ smp_wmb();
++ priv->tx.initialized = true;
++
+ return 0;
+ }
+
+--- a/drivers/net/wireless/ath/ath9k/wmi.c
++++ b/drivers/net/wireless/ath/ath9k/wmi.c
+@@ -169,6 +169,10 @@ void ath9k_wmi_event_tasklet(struct task
+ &wmi->drv_priv->fatal_work);
+ break;
+ case WMI_TXSTATUS_EVENTID:
++ /* Check if ath9k_tx_init() completed. */
++ if (!data_race(priv->tx.initialized))
++ break;
++
+ spin_lock_bh(&priv->tx.tx_lock);
+ if (priv->tx.flags & ATH9K_HTC_OP_TX_DRAIN) {
+ spin_unlock_bh(&priv->tx.tx_lock);
diff --git a/queue-5.10/series b/queue-5.10/series
new file mode 100644
index 00000000000..196c6b731c8
--- /dev/null
+++ b/queue-5.10/series
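Review bot: Nothing in this patch ever clears `priv->tx.initialized` once ath9k_tx_init() has set it, so the new guard in ath9k_wmi_event_tasklet() covers only the probe-time window before ath9k_tx_init() runs and not a TX-status event that arrives after the tx state has been torn down; if there is a teardown counterpart to ath9k_tx_init() (not in this hunk), it would presumably need `priv->tx.initialized = false;` taken under tx_lock before the queues go away. The `break` on WMI_TXSTATUS_EVENTID silently discards the event, which is the intended no-op, but the comment could say so explicitly: `/* Check if ath9k_tx_init() completed; drop the status event otherwise. */`. ath9k_wmi_event_tasklet() begins and ends outside the hunk, so the surrounding switch cases were not reviewed.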
@@ -0,0 +1,3 @@
+x86-speculation-make-all-retbleed-mitigations-64-bit-only.patch
+ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_rxep.patch
+ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_tx_get_packet.patch
diff --git a/queue-5.10/x86-speculation-make-all-retbleed-mitigations-64-bit-only.patch b/queue-5.10/x86-speculation-make-all-retbleed-mitigations-64-bit-only.patch
new file mode 100644
index 00000000000..1de0ab0c056
--- /dev/null
+++ b/queue-5.10/x86-speculation-make-all-retbleed-mitigations-64-bit-only.patch
@@ -0,0 +1,66 @@
+From b648ab487f31bc4c38941bc770ea97fe394304bb Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Sat, 23 Jul 2022 17:22:47 +0200
+Subject: x86/speculation: Make all RETbleed mitigations 64-bit only
+
+From: Ben Hutchings
+
+commit b648ab487f31bc4c38941bc770ea97fe394304bb upstream.
+
+The mitigations for RETBleed are currently ineffective on x86_32 since
+entry_32.S does not use the required macros. However, for an x86_32
+target, the kconfig symbols for them are still enabled by default and
+/sys/devices/system/cpu/vulnerabilities/retbleed will wrongly report
+that mitigations are in place.
+
+Make all of these symbols depend on X86_64, and only enable RETHUNK by
+default on X86_64.
+
+Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs")
+Signed-off-by: Ben Hutchings
+Signed-off-by: Borislav Petkov
+Cc:
+Link: https://lore.kernel.org/r/YtwSR3NNsWp1ohfV@decadent.org.uk
+[bwh: Backported to 5.10/5.15/5.18: adjust context]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/Kconfig | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2447,7 +2447,7 @@ config RETPOLINE
+ config RETHUNK
+ bool "Enable return-thunks"
+ depends on RETPOLINE && CC_HAS_RETURN_THUNK
+- default y
++ default y if X86_64
+ help
+ Compile the kernel with the return-thunks compiler option to guard
+ against kernel-to-user data leaks by avoiding return speculation.
+@@ -2456,21 +2456,21 @@ config RETHUNK
+
+ config CPU_UNRET_ENTRY
+ bool "Enable UNRET on kernel entry"
+- depends on CPU_SUP_AMD && RETHUNK
++ depends on CPU_SUP_AMD && RETHUNK && X86_64
+ default y
+ help
+ Compile the kernel with support for the retbleed=unret mitigation.
+
+ config CPU_IBPB_ENTRY
+ bool "Enable IBPB on kernel entry"
+- depends on CPU_SUP_AMD
++ depends on CPU_SUP_AMD && X86_64
+ default y
+ help
+ Compile the kernel with support for the retbleed=ibpb mitigation.
+
+ config CPU_IBRS_ENTRY
+ bool "Enable IBRS on kernel entry"
+- depends on CPU_SUP_INTEL
++ depends on CPU_SUP_INTEL && X86_64
+ default y
+ help
+ Compile the kernel with support for the spectre_v2=ibrs mitigation.
--
2.47.3
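Review bot: RETHUNK keeps its unchanged `depends on RETPOLINE && CC_HAS_RETURN_THUNK` line and only has its default narrowed to `default y if X86_64`, so a 32-bit configuration can still select it by hand even though the description states that entry_32.S does not use the return-thunk macros; the three entry-mitigation options (CPU_UNRET_ENTRY, CPU_IBPB_ENTRY, CPU_IBRS_ENTRY) get a hard `&& X86_64` dependency instead. That asymmetry matches the stated intent ("only enable RETHUNK by default on X86_64"), but nothing in the RETHUNK help text tells a 32-bit user that the option buys them nothing there. A one-line addition to the RETHUNK help, `This has no effect on 32-bit kernels, whose entry code does not use return thunks.`, would close that gap without diverging from the upstream change. The hunk ends inside the CPU_IBRS_ENTRY help text; the rest of arch/x86/Kconfig is outside it.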