4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 28 Dec 2022 09:18:33 +0000 (10:18 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 28 Dec 2022 09:18:33 +0000 (10:18 +0100)
added patches:
9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch
hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch
iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch
reiserfs-add-missing-calls-to-reiserfs_security_free.patch

queue-4.19/9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch [new file with mode: 0644]
queue-4.19/hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch [new file with mode: 0644]
queue-4.19/iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch [new file with mode: 0644]
queue-4.19/reiserfs-add-missing-calls-to-reiserfs_security_free.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch b/queue-4.19/9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch
new file mode 100644 (file)
index 0000000..c6e523c
--- /dev/null
@@ -0,0 +1,96 @@
+From 26273ade77f54716e30dfd40ac6e85ceb54ac0f9 Mon Sep 17 00:00:00 2001
+From: Schspa Shi <schspa@gmail.com>
+Date: Thu, 1 Dec 2022 11:33:10 +0800
+Subject: 9p: set req refcount to zero to avoid uninitialized usage
+
+From: Schspa Shi <schspa@gmail.com>
+
+commit 26273ade77f54716e30dfd40ac6e85ceb54ac0f9 upstream.
+
+When a new request is allocated, the refcount will be zero if it is
+reused, but if the request is newly allocated from slab, it is not fully
+initialized before being added to idr.
+
+If the p9_read_work got a response before the refcount initiated. It will
+use a uninitialized req, which will result in a bad request data struct.
+
+Here is the logs from syzbot.
+
+Corrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00
+0x00 0x00 . . . . . . . . ] (in kfence-#110):
+ p9_fcall_fini net/9p/client.c:248 [inline]
+ p9_req_put net/9p/client.c:396 [inline]
+ p9_req_put+0x208/0x250 net/9p/client.c:390
+ p9_client_walk+0x247/0x540 net/9p/client.c:1165
+ clone_fid fs/9p/fid.h:21 [inline]
+ v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118
+ v9fs_xattr_set fs/9p/xattr.c:100 [inline]
+ v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159
+ __vfs_setxattr+0x119/0x180 fs/xattr.c:182
+ __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216
+ __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277
+ vfs_setxattr+0x143/0x340 fs/xattr.c:309
+ setxattr+0x146/0x160 fs/xattr.c:617
+ path_setxattr+0x197/0x1c0 fs/xattr.c:636
+ __do_sys_setxattr fs/xattr.c:652 [inline]
+ __se_sys_setxattr fs/xattr.c:648 [inline]
+ __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648
+ do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
+ __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
+ do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
+ entry_SYSENTER_compat_after_hwframe+0x70/0x82
+
+Below is a similar scenario, the scenario in the syzbot log looks more
+complicated than this one, but this patch can fix it.
+
+     T21124                   p9_read_work
+======================== second trans =================================
+p9_client_walk
+  p9_client_rpc
+    p9_client_prepare_req
+      p9_tag_alloc
+        req = kmem_cache_alloc(p9_req_cache, GFP_NOFS);
+        tag = idr_alloc
+        << preempted >>
+        req->tc.tag = tag;
+                            /* req->[refcount/tag] == uninitialized */
+                            m->rreq = p9_tag_lookup(m->client, m->rc.tag);
+                              /* increments uninitalized refcount */
+
+        refcount_set(&req->refcount, 2);
+                            /* cb drops one ref */
+                            p9_client_cb(req)
+                            /* reader thread drops its ref:
+                               request is incorrectly freed */
+                            p9_req_put(req)
+    /* use after free and ref underflow */
+    p9_req_put(req)
+
+To fix it, we can initialize the refcount to zero before add to idr.
+
+Link: https://lkml.kernel.org/r/20221201033310.18589-1-schspa@gmail.com
+Cc: stable@vger.kernel.org # 6.0+ due to 6cda12864cb0 ("9p: Drop kref usage")
+Fixes: 728356dedeff ("9p: Add refcount to p9_req_t")
+Reported-by: syzbot+8f1060e2aaf8ca55220b@syzkaller.appspotmail.com
+Signed-off-by: Schspa Shi <schspa@gmail.com>
+Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/client.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -298,6 +298,11 @@ p9_tag_alloc(struct p9_client *c, int8_t
+       p9pdu_reset(&req->rc);
+       req->t_err = 0;
+       req->status = REQ_STATUS_ALLOC;
++      /* refcount needs to be set to 0 before inserting into the idr
++       * so p9_tag_lookup does not accept a request that is not fully
++       * initialized. refcount_set to 2 below will mark request ready.
++       */
++      refcount_set(&req->refcount, 0);
+       init_waitqueue_head(&req->wq);
+       INIT_LIST_HEAD(&req->req_list);
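Review bot: The new `refcount_set(&req->refcount, 0);` in p9_tag_alloc only compiles and only closes the race if 4.19's `struct p9_req_t` carries a `refcount_t` and p9_tag_lookup() rejects a zero count, which is exactly what the patch's own `Cc: stable@vger.kernel.org # 6.0+ due to 6cda12864cb0 ("9p: Drop kref usage")` line scopes it to. If the 4.19 tree still has the kref-based request refcount from 728356dedeff (the commit named in the Fixes: tag), the type does not match and the lookup path does not check for zero, so the queued patch would need an adaptation rather than a verbatim pick. I would confirm that both 6cda12864cb0 (or an equivalent refcount_t conversion) and a refcount_inc_not_zero() lookup are already present in queue-4.19 before this goes out. The idr insertion the added comment refers to, and the `refcount_set(&req->refcount, 2)` it mentions, lie outside the hunk, so the ordering claim cannot be checked from here.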
diff --git a/queue-4.19/hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch b/queue-4.19/hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch
new file mode 100644 (file)
index 0000000..1f5fa9b
--- /dev/null
@@ -0,0 +1,89 @@
+From 1db1f392591aff13fd643f0ec7c1d5e27391d700 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Thu, 1 Dec 2022 15:11:41 -0800
+Subject: HID: wacom: Ensure bootloader PID is usable in hidraw mode
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit 1db1f392591aff13fd643f0ec7c1d5e27391d700 upstream.
+
+Some Wacom devices have a special "bootloader" mode that is used for
+firmware flashing. When operating in this mode, the device cannot be
+used for input, and the HID descriptor is not able to be processed by
+the driver. The driver generates an "Unknown device_type" warning and
+then returns an error code from wacom_probe(). This is a problem because
+userspace still needs to be able to interact with the device via hidraw
+to perform the firmware flash.
+
+This commit adds a non-generic device definition for 056a:0094 which
+is used when devices are in "bootloader" mode. It marks the devices
+with a special BOOTLOADER type that is recognized by wacom_probe() and
+wacom_raw_event(). When we see this type we ensure a hidraw device is
+created and otherwise keep our hands off so that userspace is in full
+control.
+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Tested-by: Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_sys.c |    8 ++++++++
+ drivers/hid/wacom_wac.c |    4 ++++
+ drivers/hid/wacom_wac.h |    1 +
+ 3 files changed, 13 insertions(+)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -163,6 +163,9 @@ static int wacom_raw_event(struct hid_de
+ {
+       struct wacom *wacom = hid_get_drvdata(hdev);
++      if (wacom->wacom_wac.features.type == BOOTLOADER)
++              return 0;
++
+       if (size > WACOM_PKGLEN_MAX)
+               return 1;
+@@ -2759,6 +2762,11 @@ static int wacom_probe(struct hid_device
+               goto fail;
+       }
++      if (features->type == BOOTLOADER) {
++              hid_warn(hdev, "Using device in hidraw-only mode");
++              return hid_hw_start(hdev, HID_CONNECT_HIDRAW);
++      }
++
+       error = wacom_parse_and_register(wacom, false);
+       if (error)
+               goto fail;
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -4680,6 +4680,9 @@ static const struct wacom_features wacom
+ static const struct wacom_features wacom_features_HID_ANY_ID =
+       { "Wacom HID", .type = HID_GENERIC, .oVid = HID_ANY_ID, .oPid = HID_ANY_ID };
++static const struct wacom_features wacom_features_0x94 =
++      { "Wacom Bootloader", .type = BOOTLOADER };
++
+ #define USB_DEVICE_WACOM(prod)                                                \
+       HID_DEVICE(BUS_USB, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\
+       .driver_data = (kernel_ulong_t)&wacom_features_##prod
+@@ -4753,6 +4756,7 @@ const struct hid_device_id wacom_ids[] =
+       { USB_DEVICE_WACOM(0x84) },
+       { USB_DEVICE_WACOM(0x90) },
+       { USB_DEVICE_WACOM(0x93) },
++      { USB_DEVICE_WACOM(0x94) },
+       { USB_DEVICE_WACOM(0x97) },
+       { USB_DEVICE_WACOM(0x9A) },
+       { USB_DEVICE_WACOM(0x9F) },
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -244,6 +244,7 @@ enum {
+       MTTPC,
+       MTTPC_B,
+       HID_GENERIC,
++      BOOTLOADER,
+       MAX_TYPE
+ };
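Review bot: In the wacom_probe hunk the BOOTLOADER branch exits with `return hid_hw_start(hdev, HID_CONNECT_HIDRAW);`, bypassing the `fail` label that every other error path in this function uses (`goto fail;` is visible just above and just below the insertion). If hid_hw_start() fails, whatever the `fail:` path undoes for resources set up earlier in wacom_probe (the function's start and the label are outside the hunk) is skipped on this one path; in 4.19 that cleanup differs from the devm-based upstream tree this patch was written against, so the early return is worth checking rather than assuming. Routing it through the label keeps the error handling consistent: `error = hid_hw_start(hdev, HID_CONNECT_HIDRAW);` / `if (error) goto fail;` / `return 0;`. The wacom_raw_event early return and the `wacom_features_0x94` table entry look fine as they are.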
diff --git a/queue-4.19/iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch b/queue-4.19/iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch
new file mode 100644 (file)
index 0000000..0850450
--- /dev/null
@@ -0,0 +1,54 @@
+From 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>
+Date: Tue, 20 Sep 2022 13:28:07 +0200
+Subject: iio: adc: ad_sigma_delta: do not use internal iio_dev lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+commit 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 upstream.
+
+Drop 'mlock' usage by making use of iio_device_claim_direct_mode().
+This change actually makes sure we cannot do a single conversion while
+buffering is enable. Note there was a potential race in the previous
+code since we were only acquiring the lock after checking if the bus is
+enabled.
+
+Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Cc: <Stable@vger.kernel.org> #No rush as race is very old.
+Link: https://lore.kernel.org/r/20220920112821.975359-2-nuno.sa@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad_sigma_delta.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -283,10 +283,10 @@ int ad_sigma_delta_single_conversion(str
+       unsigned int sample, raw_sample;
+       int ret = 0;
+-      if (iio_buffer_enabled(indio_dev))
+-              return -EBUSY;
++      ret = iio_device_claim_direct_mode(indio_dev);
++      if (ret)
++              return ret;
+-      mutex_lock(&indio_dev->mlock);
+       ad_sigma_delta_set_channel(sigma_delta, chan->address);
+       spi_bus_lock(sigma_delta->spi->master);
+@@ -320,7 +320,7 @@ out:
+       ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+       sigma_delta->bus_locked = false;
+       spi_bus_unlock(sigma_delta->spi->master);
+-      mutex_unlock(&indio_dev->mlock);
++      iio_device_release_direct_mode(indio_dev);
+       if (ret)
+               return ret;
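Review bot: The `int ret = 0;` initializer on the line above the new `ret = iio_device_claim_direct_mode(indio_dev);` is now dead, since `ret` is assigned before any read; `int ret;` would let the compiler flag any later path in the function that returns it unset. Also, because the release moved to the `out:` label in the second hunk, every error exit between the claim and `out:` must reach the label rather than return directly, otherwise direct mode is never released and the device is left unable to enable buffering; the middle of ad_sigma_delta_single_conversion is outside both hunks, so that is worth confirming against the 4.19 body rather than assuming it matches the upstream one the patch was written for. The claim/spi_bus_lock and spi_bus_unlock/release ordering shown here nests correctly.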
diff --git a/queue-4.19/reiserfs-add-missing-calls-to-reiserfs_security_free.patch b/queue-4.19/reiserfs-add-missing-calls-to-reiserfs_security_free.patch
new file mode 100644 (file)
index 0000000..aa48b3d
--- /dev/null
@@ -0,0 +1,89 @@
+From 572302af1258459e124437b8f3369357447afac7 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Thu, 10 Nov 2022 10:46:35 +0100
+Subject: reiserfs: Add missing calls to reiserfs_security_free()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 572302af1258459e124437b8f3369357447afac7 upstream.
+
+Commit 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes
+during inode creation") defined reiserfs_security_free() to free the name
+and value of a security xattr allocated by the active LSM through
+security_old_inode_init_security(). However, this function is not called
+in the reiserfs code.
+
+Thus, add a call to reiserfs_security_free() whenever
+reiserfs_security_init() is called, and initialize value to NULL, to avoid
+to call kfree() on an uninitialized pointer.
+
+Finally, remove the kfree() for the xattr name, as it is not allocated
+anymore.
+
+Fixes: 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes during inode creation")
+Cc: stable@vger.kernel.org
+Cc: Jeff Mahoney <jeffm@suse.com>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: Mimi Zohar <zohar@linux.ibm.com>
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/reiserfs/namei.c          |    4 ++++
+ fs/reiserfs/xattr_security.c |    2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/reiserfs/namei.c
++++ b/fs/reiserfs/namei.c
+@@ -695,6 +695,7 @@ static int reiserfs_create(struct inode
+ out_failed:
+       reiserfs_write_unlock(dir->i_sb);
++      reiserfs_security_free(&security);
+       return retval;
+ }
+@@ -778,6 +779,7 @@ static int reiserfs_mknod(struct inode *
+ out_failed:
+       reiserfs_write_unlock(dir->i_sb);
++      reiserfs_security_free(&security);
+       return retval;
+ }
+@@ -876,6 +878,7 @@ static int reiserfs_mkdir(struct inode *
+       retval = journal_end(&th);
+ out_failed:
+       reiserfs_write_unlock(dir->i_sb);
++      reiserfs_security_free(&security);
+       return retval;
+ }
+@@ -1191,6 +1194,7 @@ static int reiserfs_symlink(struct inode
+       retval = journal_end(&th);
+ out_failed:
+       reiserfs_write_unlock(parent_dir->i_sb);
++      reiserfs_security_free(&security);
+       return retval;
+ }
+--- a/fs/reiserfs/xattr_security.c
++++ b/fs/reiserfs/xattr_security.c
+@@ -49,6 +49,7 @@ int reiserfs_security_init(struct inode
+       int error;
+       sec->name = NULL;
++      sec->value = NULL;
+       /* Don't add selinux attributes on xattrs - they'll never get used */
+       if (IS_PRIVATE(dir))
+@@ -94,7 +95,6 @@ int reiserfs_security_write(struct reise
+ void reiserfs_security_free(struct reiserfs_security_handle *sec)
+ {
+-      kfree(sec->name);
+       kfree(sec->value);
+       sec->name = NULL;
+       sec->value = NULL;
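Review bot: The four new `reiserfs_security_free(&security);` calls at the `out_failed` labels in namei.c pass a stack-local handle to kfree(), so they are only safe if every `goto out_failed` in reiserfs_create, reiserfs_mknod, reiserfs_mkdir and reiserfs_symlink is reached after reiserfs_security_init() has run and cleared `sec->value` (the xattr_security.c hunk adds that `sec->value = NULL;` initialisation). The bodies of those four functions are outside the hunks, and in 4.19 their early-exit structure may differ from the upstream tree the patch was written against, so I would verify that no path jumps to `out_failed` before the init call; if one exists, initialising the handle at declaration, `struct reiserfs_security_handle security = { 0 };`, makes the free unconditional-safe. The removal of `kfree(sec->name);` depends on the LSMs in this tree setting `name` to a static string rather than an allocation, which is stated in the commit message and is what the selinux/smack hooks have done for a long time, but it is not visible here.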
index f399b3b55d516182335c3e11e1ccf5fffab6ab72..344c5a3ce0199a751bfa5441d87f8485a1c29da5 100644 (file)
@@ -359,3 +359,7 @@ pstore-switch-pmsg_lock-to-an-rt_mutex-to-avoid-prio.patch
 perf-debug-set-debug_peo_args-and-redirect_to_stderr.patch
 pstore-make-sure-config_pstore_pmsg-selects-config_r.patch
 usb-dwc3-core-defer-probe-on-ulpi_read_id-timeout.patch
+hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch
+9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch
+reiserfs-add-missing-calls-to-reiserfs_security_free.patch
+iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch