--- /dev/null
+From 74b8b80f0cd39c7157b13e2fdaef224434244f03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 14:44:10 +0100
+Subject: cifs: Fix buffer overflow when parsing NFS reparse points
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+commit e2a8910af01653c1c268984855629d71fb81f404 upstream.
+
+ReparseDataLength is sum of the InodeType size and DataBuffer size.
+So to get DataBuffer size it is needed to subtract InodeType's size from
+ReparseDataLength.
+
+Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer
+at position after the end of the buffer because it does not subtract
+InodeType size from the length. Fix this problem and correctly subtract
+variable len.
+
+Member InodeType is present only when reparse buffer is large enough. Check
+for ReparseDataLength before accessing InodeType to prevent another invalid
+memory access.
+
+Major and minor rdev values are present also only when reparse buffer is
+large enough. Check for reparse buffer size before calling reparse_mkdev().
+
+Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points")
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[use variable name symlink_buf, the other buf->InodeType accesses are
+not used in current version so skip]
+Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smb2ops.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
+index d1e5ff9a3cd39..fcfbc096924a8 100644
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -2897,6 +2897,12 @@ parse_reparse_posix(struct reparse_posix_data *symlink_buf,
+
+ /* See MS-FSCC 2.1.2.6 for the 'NFS' style reparse tags */
+ len = le16_to_cpu(symlink_buf->ReparseDataLength);
++ if (len < sizeof(symlink_buf->InodeType)) {
++ cifs_dbg(VFS, "srv returned malformed nfs buffer\n");
++ return -EIO;
++ }
++
++ len -= sizeof(symlink_buf->InodeType);
+
+ if (le64_to_cpu(symlink_buf->InodeType) != NFS_SPECFILE_LNK) {
+ cifs_dbg(VFS, "%lld not a supported symlink type\n",
+--
+2.43.0
+
--- /dev/null
+From 6d6c38022f4268dc0ad9121718c768690110c2a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 14:46:07 +0800
+Subject: closures: Change BUG_ON() to WARN_ON()
+
+From: Kent Overstreet <kent.overstreet@linux.dev>
+
+[ Upstream commit 339b84ab6b1d66900c27bd999271cb2ae40ce812 ]
+
+If a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON()
+
+For reference, this has popped up once in the CI, and we'll need more
+info to debug it:
+
+03240 ------------[ cut here ]------------
+03240 kernel BUG at lib/closure.c:21!
+03240 kernel BUG at lib/closure.c:21!
+03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
+03240 Modules linked in:
+03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570
+03240 Hardware name: linux,dummy-virt (DT)
+03240 Workqueue: btree_update btree_interior_update_work
+03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)
+03240 pc : closure_put+0x224/0x2a0
+03240 lr : closure_put+0x24/0x2a0
+03240 sp : ffff0000d12071c0
+03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360
+03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040
+03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168
+03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001
+03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974
+03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d
+03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e
+03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b
+03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954
+03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000
+03240 Call trace:
+03240 closure_put+0x224/0x2a0
+03240 bch2_check_for_deadlock+0x910/0x1028
+03240 bch2_six_check_for_deadlock+0x1c/0x30
+03240 six_lock_slowpath.isra.0+0x29c/0xed0
+03240 six_lock_ip_waiter+0xa8/0xf8
+03240 __bch2_btree_node_lock_write+0x14c/0x298
+03240 bch2_trans_lock_write+0x6d4/0xb10
+03240 __bch2_trans_commit+0x135c/0x5520
+03240 btree_interior_update_work+0x1248/0x1c10
+03240 process_scheduled_works+0x53c/0xd90
+03240 worker_thread+0x370/0x8c8
+03240 kthread+0x258/0x2e8
+03240 ret_from_fork+0x10/0x20
+03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000)
+03240 ---[ end trace 0000000000000000 ]---
+03240 Kernel panic - not syncing: Oops - BUG: Fatal exception
+03240 SMP: stopping secondary CPUs
+03241 SMP: failed to stop secondary CPUs 13,15
+03241 Kernel Offset: disabled
+03241 CPU features: 0x00,00000003,80000008,4240500b
+03241 Memory Limit: none
+03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]---
+03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s
+
+Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
+[ Resolve minor conflicts to fix CVE-2024-42252 ]
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/closure.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/closure.c b/drivers/md/bcache/closure.c
+index d8d9394a6beb1..18f21d4e9aaae 100644
+--- a/drivers/md/bcache/closure.c
++++ b/drivers/md/bcache/closure.c
+@@ -17,10 +17,16 @@ static inline void closure_put_after_sub(struct closure *cl, int flags)
+ {
+ int r = flags & CLOSURE_REMAINING_MASK;
+
+- BUG_ON(flags & CLOSURE_GUARD_MASK);
+- BUG_ON(!r && (flags & ~CLOSURE_DESTRUCTOR));
++ if (WARN(flags & CLOSURE_GUARD_MASK,
++ "closure has guard bits set: %x (%u)",
++ flags & CLOSURE_GUARD_MASK, (unsigned) __fls(r)))
++ r &= ~CLOSURE_GUARD_MASK;
+
+ if (!r) {
++ WARN(flags & ~CLOSURE_DESTRUCTOR,
++ "closure ref hit 0 with incorrect flags set: %x (%u)",
++ flags & ~CLOSURE_DESTRUCTOR, (unsigned) __fls(flags));
++
+ if (cl->fn && !(flags & CLOSURE_DESTRUCTOR)) {
+ atomic_set(&cl->remaining,
+ CLOSURE_REMAINING_INITIALIZER);
+--
+2.43.0
+
--- /dev/null
+From 6e31b2052149fbe09a55f66293e3a5436f5c9815 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 11:18:09 +0800
+Subject: net: fix crash when config small gso_max_size/gso_ipv4_max_size
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ]
+
+Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow
+in sk_dst_gso_max_size(), which may trigger a BUG_ON crash,
+because sk->sk_gso_max_size would be much bigger than device limits.
+Call Trace:
+tcp_write_xmit
+ tso_segs = tcp_init_tso_segs(skb, mss_now);
+ tcp_set_skb_tso_segs
+ tcp_skb_pcount_set
+ // skb->len = 524288, mss_now = 8
+ // u16 tso_segs = 524288/8 = 65535 -> 0
+ tso_segs = DIV_ROUND_UP(skb->len, mss_now)
+ BUG_ON(!tso_segs)
+Add check for the minimum value of gso_max_size and gso_ipv4_max_size.
+
+Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation")
+Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Resolve minor conflicts to fix CVE-2024-50258 ]
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index afb52254a47ec..45c54fb9ad03f 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1939,7 +1939,7 @@ static const struct nla_policy ifla_policy[IFLA_MAX+1] = {
+ [IFLA_NUM_TX_QUEUES] = { .type = NLA_U32 },
+ [IFLA_NUM_RX_QUEUES] = { .type = NLA_U32 },
+ [IFLA_GSO_MAX_SEGS] = { .type = NLA_U32 },
+- [IFLA_GSO_MAX_SIZE] = { .type = NLA_U32 },
++ [IFLA_GSO_MAX_SIZE] = NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1),
+ [IFLA_PHYS_PORT_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
+ [IFLA_CARRIER_CHANGES] = { .type = NLA_U32 }, /* ignored */
+ [IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
+--
+2.43.0
+
--- /dev/null
+From a586978923fb006d6cc0ae553779172bb6092c7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 15:16:56 +0800
+Subject: serial: sc16is7xx: fix invalid FIFO access with special register set
+
+From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+
+[ Upstream commit 7d3b793faaab1305994ce568b59d61927235f57b ]
+
+When enabling access to the special register set, Receiver time-out and
+RHR interrupts can happen. In this case, the IRQ handler will try to read
+from the FIFO thru the RHR register at address 0x00, but address 0x00 is
+mapped to DLL register, resulting in erroneous FIFO reading.
+
+Call graph example:
+ sc16is7xx_startup(): entry
+ sc16is7xx_ms_proc(): entry
+ sc16is7xx_set_termios(): entry
+ sc16is7xx_set_baud(): DLH/DLL = $009C --> access special register set
+ sc16is7xx_port_irq() entry --> IIR is 0x0C
+ sc16is7xx_handle_rx() entry
+ sc16is7xx_fifo_read(): --> unable to access FIFO (RHR) because it is
+ mapped to DLL (LCR=LCR_CONF_MODE_A)
+ sc16is7xx_set_baud(): exit --> Restore access to general register set
+
+Fix the problem by claiming the efr_lock mutex when accessing the Special
+register set.
+
+Fixes: dfeae619d781 ("serial: sc16is7xx")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+Link: https://lore.kernel.org/r/20240723125302.1305372-3-hugo@hugovil.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ Resolve minor conflicts ]
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/sc16is7xx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
+index a723df9b37dd9..c07baf5d5a9ce 100644
+--- a/drivers/tty/serial/sc16is7xx.c
++++ b/drivers/tty/serial/sc16is7xx.c
+@@ -545,6 +545,9 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud)
+ SC16IS7XX_MCR_CLKSEL_BIT,
+ prescaler == 1 ? 0 : SC16IS7XX_MCR_CLKSEL_BIT);
+
++
++ mutex_lock(&one->efr_lock);
++
+ /* Open the LCR divisors for configuration */
+ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG,
+ SC16IS7XX_LCR_CONF_MODE_A);
+@@ -558,6 +561,8 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud)
+ /* Put LCR back to the normal mode */
+ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr);
+
++ mutex_unlock(&one->efr_lock);
++
+ return DIV_ROUND_CLOSEST((clk / prescaler) / 16, div);
+ }
+
+--
+2.43.0
+
alsa-usb-audio-fix-yamaha-p-125-quirk-entry.patch
arm-9420-1-smp-fix-smp-for-xip-kernels.patch
ipmr-fix-access-to-mfc_cache_list-without-lock-held.patch
+closures-change-bug_on-to-warn_on.patch
+net-fix-crash-when-config-small-gso_max_size-gso_ipv.patch
+serial-sc16is7xx-fix-invalid-fifo-access-with-specia.patch
+x86-stackprotector-work-around-strict-clang-tls-symb.patch
+cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch
--- /dev/null
+From 0836f330b1ed3535ee119cb7a29b5dc3666e1fb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 10:03:37 -0500
+Subject: x86/stackprotector: Work around strict Clang TLS symbol requirements
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit 577c134d311b9b94598d7a0c86be1f431f823003 ]
+
+GCC and Clang both implement stack protector support based on Thread Local
+Storage (TLS) variables, and this is used in the kernel to implement per-task
+stack cookies, by copying a task's stack cookie into a per-CPU variable every
+time it is scheduled in.
+
+Both now also implement -mstack-protector-guard-symbol=, which permits the TLS
+variable to be specified directly. This is useful because it will allow to
+move away from using a fixed offset of 40 bytes into the per-CPU area on
+x86_64, which requires a lot of special handling in the per-CPU code and the
+runtime relocation code.
+
+However, while GCC is rather lax in its implementation of this command line
+option, Clang actually requires that the provided symbol name refers to a TLS
+variable (i.e., one declared with __thread), although it also permits the
+variable to be undeclared entirely, in which case it will use an implicit
+declaration of the right type.
+
+The upshot of this is that Clang will emit the correct references to the stack
+cookie variable in most cases, e.g.,
+
+ 10d: 64 a1 00 00 00 00 mov %fs:0x0,%eax
+ 10f: R_386_32 __stack_chk_guard
+
+However, if a non-TLS definition of the symbol in question is visible in the
+same compilation unit (which amounts to the whole of vmlinux if LTO is
+enabled), it will drop the per-CPU prefix and emit a load from a bogus
+address.
+
+Work around this by using a symbol name that never occurs in C code, and emit
+it as an alias in the linker script.
+
+Fixes: 3fb0fdb3bbe7 ("x86/stackprotector/32: Make the canary into a regular percpu variable")
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Brian Gerst <brgerst@gmail.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://github.com/ClangBuiltLinux/linux/issues/1854
+Link: https://lore.kernel.org/r/20241105155801.1779119-2-brgerst@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Makefile | 3 ++-
+ arch/x86/entry/entry.S | 15 +++++++++++++++
+ arch/x86/include/asm/asm-prototypes.h | 3 +++
+ arch/x86/kernel/cpu/common.c | 2 ++
+ arch/x86/kernel/vmlinux.lds.S | 3 +++
+ 5 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index 3419ffa2a3507..a88eede6e7db4 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -113,7 +113,8 @@ ifeq ($(CONFIG_X86_32),y)
+
+ ifeq ($(CONFIG_STACKPROTECTOR),y)
+ ifeq ($(CONFIG_SMP),y)
+- KBUILD_CFLAGS += -mstack-protector-guard-reg=fs -mstack-protector-guard-symbol=__stack_chk_guard
++ KBUILD_CFLAGS += -mstack-protector-guard-reg=fs \
++ -mstack-protector-guard-symbol=__ref_stack_chk_guard
+ else
+ KBUILD_CFLAGS += -mstack-protector-guard=global
+ endif
+diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S
+index f4419afc7147d..23f9efbe9d705 100644
+--- a/arch/x86/entry/entry.S
++++ b/arch/x86/entry/entry.S
+@@ -48,3 +48,18 @@ EXPORT_SYMBOL_GPL(mds_verw_sel);
+
+ .popsection
+
++#ifndef CONFIG_X86_64
++/*
++ * Clang's implementation of TLS stack cookies requires the variable in
++ * question to be a TLS variable. If the variable happens to be defined as an
++ * ordinary variable with external linkage in the same compilation unit (which
++ * amounts to the whole of vmlinux with LTO enabled), Clang will drop the
++ * segment register prefix from the references, resulting in broken code. Work
++ * around this by avoiding the symbol used in -mstack-protector-guard-symbol=
++ * entirely in the C code, and use an alias emitted by the linker script
++ * instead.
++ */
++#ifdef CONFIG_STACKPROTECTOR
++EXPORT_SYMBOL(__ref_stack_chk_guard);
++#endif
++#endif
+diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h
+index 5cdccea455544..390b13db24b81 100644
+--- a/arch/x86/include/asm/asm-prototypes.h
++++ b/arch/x86/include/asm/asm-prototypes.h
+@@ -18,3 +18,6 @@
+ extern void cmpxchg8b_emu(void);
+ #endif
+
++#if defined(__GENKSYMS__) && defined(CONFIG_STACKPROTECTOR)
++extern unsigned long __ref_stack_chk_guard;
++#endif
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 7f922a359ccc5..b4e999048e9a4 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -2158,8 +2158,10 @@ EXPORT_PER_CPU_SYMBOL(cpu_current_top_of_stack);
+
+ #ifdef CONFIG_STACKPROTECTOR
+ DEFINE_PER_CPU(unsigned long, __stack_chk_guard);
++#ifndef CONFIG_SMP
+ EXPORT_PER_CPU_SYMBOL(__stack_chk_guard);
+ #endif
++#endif
+
+ #endif /* CONFIG_X86_64 */
+
+diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
+index 78ccb5ec3c0e7..c1e776ed71b06 100644
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -486,6 +486,9 @@ SECTIONS
+ ASSERT(SIZEOF(.rela.dyn) == 0, "Unexpected run-time relocations (.rela) detected!")
+ }
+
++/* needed for Clang - see arch/x86/entry/entry.S */
++PROVIDE(__ref_stack_chk_guard = __stack_chk_guard);
++
+ /*
+ * The ASSERT() sink to . is intentional, for binutils 2.14 compatibility:
+ */
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
