--- /dev/null
+From 652cfeb43d6b9aba5c7c4902bed7a7340df131fb Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Date: Fri, 26 Jan 2024 11:14:31 +0300
+Subject: fs/ntfs3: Fixed overflow check in mi_enum_attr()
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+commit 652cfeb43d6b9aba5c7c4902bed7a7340df131fb upstream.
+
+Reported-by: Robert Morris <rtm@csail.mit.edu>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/record.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ntfs3/record.c
++++ b/fs/ntfs3/record.c
+@@ -273,7 +273,7 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+ if (t16 > asize)
+ return NULL;
+
+- if (t16 + le32_to_cpu(attr->res.data_size) > asize)
++ if (le32_to_cpu(attr->res.data_size) > asize - t16)
+ return NULL;
+
+ if (attr->name_len &&
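Review bot: The rewritten comparison on the `data_size` line carries no comment saying why it subtracts, and the commit message has no description either, so a later cleanup could turn it back into the wrapping `t16 + data_size` form. The subtraction is only safe because the `if (t16 > asize)` guard two lines up keeps `asize - t16` from underflowing. I would add `/* data_size is read from the record and untrusted: compare against the remaining space so the sum cannot wrap; t16 <= asize was checked above. */` directly above the test. mi_enum_attr() starts and ends outside this hunk, so the widths of `t16` and `asize` are inferred from their names.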
--- /dev/null
+From a8bd68e4329f9a0ad1b878733e0f80be6a971649 Mon Sep 17 00:00:00 2001
+From: "Jason-JH.Lin" <jason-jh.lin@mediatek.com>
+Date: Thu, 18 Jul 2024 22:17:04 +0800
+Subject: mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()
+
+From: Jason-JH.Lin <jason-jh.lin@mediatek.com>
+
+commit a8bd68e4329f9a0ad1b878733e0f80be6a971649 upstream.
+
+When mtk-cmdq unbinds, a WARN_ON message with condition
+pm_runtime_get_sync() < 0 occurs.
+
+According to the call trace below:
+ cmdq_mbox_shutdown
+ mbox_free_channel
+ mbox_controller_unregister
+ __devm_mbox_controller_unregister
+ ...
+
+The root cause can be deduced to be calling pm_runtime_get_sync() after
+calling pm_runtime_disable() as observed below:
+1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe()
+ to bind the cmdq device to the mbox_controller, so
+ devm_mbox_controller_unregister() will automatically unregister
+ the device bound to the mailbox controller when the device-managed
+ resource is removed. That means devm_mbox_controller_unregister()
+ and cmdq_mbox_shutdown() will be called after cmdq_remove().
+2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after
+ devm_mbox_controller_register(), so that devm_pm_runtime_disable()
+ will be called after cmdq_remove(), but before
+ devm_mbox_controller_unregister().
+
+To fix this problem, cmdq_probe() needs to move
+devm_mbox_controller_register() after devm_pm_runtime_enable() to make
+devm_pm_runtime_disable() be called after
+devm_mbox_controller_unregister().
+
+Fixes: 623a6143a845 ("mailbox: mediatek: Add Mediatek CMDQ driver")
+Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mailbox/mtk-cmdq-mailbox.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/mailbox/mtk-cmdq-mailbox.c
++++ b/drivers/mailbox/mtk-cmdq-mailbox.c
+@@ -605,18 +605,18 @@ static int cmdq_probe(struct platform_de
+ cmdq->mbox.chans[i].con_priv = (void *)&cmdq->thread[i];
+ }
+
+- err = devm_mbox_controller_register(dev, &cmdq->mbox);
+- if (err < 0) {
+- dev_err(dev, "failed to register mailbox: %d\n", err);
+- return err;
+- }
+-
+ platform_set_drvdata(pdev, cmdq);
+
+ WARN_ON(clk_bulk_prepare(cmdq->gce_num, cmdq->clocks));
+
+ cmdq_init(cmdq);
+
++ err = devm_mbox_controller_register(dev, &cmdq->mbox);
++ if (err < 0) {
++ dev_err(dev, "failed to register mailbox: %d\n", err);
++ return err;
++ }
++
+ return 0;
+ }
+
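Review bot: The relocated error path returns after `clk_bulk_prepare()` has already run, and nothing in the hunk unprepares the clocks before `return err;`. Before the move a registration failure returned ahead of the prepare call, so this looks like a new leak on probe failure unless unwinding happens elsewhere; adding `clk_bulk_unprepare(cmdq->gce_num, cmdq->clocks);` before the return would close it. The `devm_pm_runtime_enable()` call that the new ordering depends on is above the hunk, so a comment at the new call site such as `/* Must stay after devm_pm_runtime_enable(): devm teardown runs in reverse order. */` would keep the constraint visible. cmdq_probe() begins outside the hunk.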
--- /dev/null
+From 556bdf27c2dd5c74a9caacbe524b943a6cd42d99 Mon Sep 17 00:00:00 2001
+From: lei lu <llfamsec@gmail.com>
+Date: Fri, 23 Aug 2024 21:39:44 +0800
+Subject: ntfs3: Add bounds checking to mi_enum_attr()
+
+From: lei lu <llfamsec@gmail.com>
+
+commit 556bdf27c2dd5c74a9caacbe524b943a6cd42d99 upstream.
+
+Added bounds checking to make sure that no attr strays beyond the
+valid memory region.
+
+Signed-off-by: lei lu <llfamsec@gmail.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/record.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- a/fs/ntfs3/record.c
++++ b/fs/ntfs3/record.c
+@@ -217,28 +217,19 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+ prev_type = 0;
+ attr = Add2Ptr(rec, off);
+ } else {
+- /* Check if input attr inside record. */
++ /*
++ * We don't need to check previous attr here. There is
++ * a bounds checking in the previous round.
++ */
+ off = PtrOffset(rec, attr);
+- if (off >= used)
+- return NULL;
+
+ asize = le32_to_cpu(attr->size);
+- if (asize < SIZEOF_RESIDENT) {
+- /* Impossible 'cause we should not return such attribute. */
+- return NULL;
+- }
+-
+- /* Overflow check. */
+- if (off + asize < off)
+- return NULL;
+
+ prev_type = le32_to_cpu(attr->type);
+ attr = Add2Ptr(attr, asize);
+ off += asize;
+ }
+
+- asize = le32_to_cpu(attr->size);
+-
+ /* Can we use the first field (attr->type). */
+ if (off + 8 > used) {
+ static_assert(ALIGN(sizeof(enum ATTR_TYPE), 8) == 8);
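Review bot: The new comment in the `else` branch turns a checked condition into an unstated precondition: `attr` must be a pointer that an earlier mi_enum_attr() call returned for this same record, with the record unchanged since then. `asize` is re-read from `attr->size` and added to both `attr` and `off` with no validation, so if a caller passes a pointer from another source, or the record is edited between calls, `off += asize` can wrap while the pointer does not, and the later `off`-based checks no longer describe where `attr` points. I would either keep the cheap `if (off >= used) return NULL;` guard or spell the contract out, for example `/* attr must come from a previous mi_enum_attr() call on this unmodified record; its size was validated then. */`. The callers are not visible on this page, so whether any of them breaks that assumption is not known from here.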
+@@ -259,6 +250,12 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+ if (t32 < prev_type)
+ return NULL;
+
++ asize = le32_to_cpu(attr->size);
++ if (asize < SIZEOF_RESIDENT) {
++ /* Impossible 'cause we should not return such attribute. */
++ return NULL;
++ }
++
+ /* Check overflow and boundary. */
+ if (off + asize < off || off + asize > used)
+ return NULL;
--- /dev/null
+From 2be1d4f11944cd6283cb97268b3e17c4424945ca Mon Sep 17 00:00:00 2001
+From: Justin Tee <justin.tee@broadcom.com>
+Date: Fri, 26 Jul 2024 16:15:07 -0700
+Subject: scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+commit 2be1d4f11944cd6283cb97268b3e17c4424945ca upstream.
+
+When the HBA is undergoing a reset or is handling an errata event, NULL ptr
+dereference crashes may occur in routines such as
+lpfc_sli_flush_io_rings(), lpfc_dev_loss_tmo_callbk(), or
+lpfc_abort_handler().
+
+Add NULL ptr checks before dereferencing hdwq pointers that may have been
+freed due to operations colliding with a reset or errata event handler.
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20240726231512.92867-4-justintee8345@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[Xiangyu: BP to fix CVE: CVE-2024-49891, no test_bit() conflict resolution]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 3 ++-
+ drivers/scsi/lpfc/lpfc_scsi.c | 13 +++++++++++--
+ drivers/scsi/lpfc/lpfc_sli.c | 11 +++++++++++
+ 3 files changed, 24 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -177,7 +177,8 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport
+ /* Don't schedule a worker thread event if the vport is going down.
+ * The teardown process cleans up the node via lpfc_drop_node.
+ */
+- if (vport->load_flag & FC_UNLOADING) {
++ if ((vport->load_flag & FC_UNLOADING) ||
++ !(phba->hba_flag & HBA_SETUP)) {
+ ((struct lpfc_rport_data *)rport->dd_data)->pnode = NULL;
+ ndlp->rport = NULL;
+
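Review bot: The comment above the widened condition still says the branch is taken only when the vport is going down, but it now also fires when `HBA_SETUP` is clear. It should be updated, for example to `/* Don't schedule a worker thread event if the vport is going down or the HBA is not set up (reset/errata in progress); the hdwq pointers may already be freed. */`. `phba` is assigned outside the hunk and `hba_flag` is read here with no lock visible in the hunk, so it is worth confirming that a reset cannot clear the flag right after this test.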
+--- a/drivers/scsi/lpfc/lpfc_scsi.c
++++ b/drivers/scsi/lpfc/lpfc_scsi.c
+@@ -5554,11 +5554,20 @@ lpfc_abort_handler(struct scsi_cmnd *cmn
+
+ iocb = &lpfc_cmd->cur_iocbq;
+ if (phba->sli_rev == LPFC_SLI_REV4) {
+- pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
+- if (!pring_s4) {
++ /* if the io_wq & pring are gone, the port was reset. */
++ if (!phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq ||
++ !phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring) {
++ lpfc_printf_vlog(vport, KERN_WARNING, LOG_FCP,
++ "2877 SCSI Layer I/O Abort Request "
++ "IO CMPL Status x%x ID %d LUN %llu "
++ "HBA_SETUP %d\n", FAILED,
++ cmnd->device->id,
++ (u64)cmnd->device->lun,
++ (HBA_SETUP & phba->hba_flag));
+ ret = FAILED;
+ goto out_unlock_hba;
+ }
++ pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
+ spin_lock(&pring_s4->ring_lock);
+ }
+ /* the command is in process of being cancelled */
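Review bot: The new guard checks `io_wq` and `io_wq->pring`, then loads `pring_s4` by walking `phba->sli4_hba.hdwq[iocb->hba_wqidx]` a second time, and it never tests `phba->sli4_hba.hdwq` itself even though the lpfc_sli.c hunk of this same patch does. Reading the pointers once into locals narrows the window between check and use and keeps the two sites consistent: test `!phba->sli4_hba.hdwq` first, then `io_wq = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq;` and `pring_s4 = io_wq ? io_wq->pring : NULL;` ahead of the `if (!pring_s4)` failure path. Whether the lock released at `out_unlock_hba` also serialises the reset path that frees these queues is not visible in the hunk. If it does not, the check-then-dereference is still racy here and on the `pring = ...io_wq->pring` line in lpfc_sli_flush_io_rings().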
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -4668,6 +4668,17 @@ lpfc_sli_flush_io_rings(struct lpfc_hba
+ /* Look on all the FCP Rings for the iotag */
+ if (phba->sli_rev >= LPFC_SLI_REV4) {
+ for (i = 0; i < phba->cfg_hdw_queue; i++) {
++ if (!phba->sli4_hba.hdwq ||
++ !phba->sli4_hba.hdwq[i].io_wq) {
++ lpfc_printf_log(phba, KERN_ERR, LOG_SLI,
++ "7777 hdwq's deleted %lx "
++ "%lx %x %x\n",
++ (unsigned long)phba->pport->load_flag,
++ (unsigned long)phba->hba_flag,
++ phba->link_state,
++ phba->sli.sli_flag);
++ return;
++ }
+ pring = phba->sli4_hba.hdwq[i].io_wq->pring;
+
+ spin_lock_irq(&pring->ring_lock);
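Review bot: The early `return;` sits inside the per-queue loop, so when entry `i` has no `io_wq` the queues before it have already gone through the loop body while the rest, and whatever follows the loop, are skipped; the log line does not print `i`, so the message cannot show where it stopped. The `!phba->sli4_hba.hdwq` half of the test is loop-invariant and would read better as a single check before the `for`. I would add `i` to the format arguments and a comment such as `/* hdwq torn down by reset/errata handling: nothing left to flush */` so the bail-out is clearly intentional. lpfc_sli_flush_io_rings() continues past the hunk, so any state it normally updates after the loop should be checked against this exit.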
alsa-hda-realtek-update-alc256-depop-procedure.patch
apparmor-fix-do-simple-duplicate-message-elimination.patch
asoc-amd-yc-fix-for-enabling-dmic-on-acp6x-via-_dsd-.patch
+mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch
+fs-ntfs3-fixed-overflow-check-in-mi_enum_attr.patch
+ntfs3-add-bounds-checking-to-mi_enum_attr.patch
+scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch
+xfs-add-bounds-checking-to-xlog_recover_process_data.patch
--- /dev/null
+From fb63435b7c7dc112b1ae1baea5486e0a6e27b196 Mon Sep 17 00:00:00 2001
+From: lei lu <llfamsec@gmail.com>
+Date: Mon, 3 Jun 2024 17:46:08 +0800
+Subject: xfs: add bounds checking to xlog_recover_process_data
+
+From: lei lu <llfamsec@gmail.com>
+
+commit fb63435b7c7dc112b1ae1baea5486e0a6e27b196 upstream.
+
+There is a lack of verification of the space occupied by fixed members
+of xlog_op_header in the xlog_recover_process_data.
+
+We can create a crafted image to trigger an out of bounds read by
+following these steps:
+ 1) Mount an image of xfs, and do some file operations to leave records
+ 2) Before umounting, copy the image for subsequent steps to simulate
+ abnormal exit. Because umount will ensure that tail_blk and
+ head_blk are the same, which will result in the inability to enter
+ xlog_recover_process_data
+ 3) Write a tool to parse and modify the copied image in step 2
+ 4) Make the end of the xlog_op_header entries only 1 byte away from
+ xlog_rec_header->h_size
+ 5) xlog_rec_header->h_num_logops++
+ 6) Modify xlog_rec_header->h_crc
+
+Fix:
+Add a check to make sure there is sufficient space to access fixed members
+of xlog_op_header.
+
+Signed-off-by: lei lu <llfamsec@gmail.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_log_recover.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -2439,7 +2439,10 @@ xlog_recover_process_data(
+
+ ohead = (struct xlog_op_header *)dp;
+ dp += sizeof(*ohead);
+- ASSERT(dp <= end);
++ if (dp > end) {
++ xfs_warn(log->l_mp, "%s: op header overrun", __func__);
++ return -EFSCORRUPTED;
++ }
+
+ /* errors will abort recovery */
+ error = xlog_recover_process_ophdr(log, rhash, rhead, ohead,
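Review bot: Nothing at the new `if (dp > end)` test explains why the `ASSERT()` became a runtime check, and that reason is the security-relevant part: per the commit message the op-header count comes from the on-disk log record, and an assertion is typically compiled out of non-debug builds. A comment such as `/* h_num_logops is read from disk; make sure a full xlog_op_header fits before ohead is dereferenced. */` would stop the check being folded back into an assertion later. The test also runs after `dp` has been advanced, so comparing the remaining length before the increment would avoid forming a pointer beyond `end`. The loop that encloses these lines starts outside the hunk.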