4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 1 Oct 2024 11:27:21 +0000 (13:27 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 1 Oct 2024 11:27:21 +0000 (13:27 +0200)
added patches:
acpi-sysfs-validate-return-type-of-_str-method.patch
drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch
drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch

queue-4.19/acpi-sysfs-validate-return-type-of-_str-method.patch [new file with mode: 0644]
queue-4.19/drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch [new file with mode: 0644]
queue-4.19/drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/acpi-sysfs-validate-return-type-of-_str-method.patch b/queue-4.19/acpi-sysfs-validate-return-type-of-_str-method.patch
new file mode 100644 (file)
index 0000000..f60930a
--- /dev/null
@@ -0,0 +1,41 @@
+From 4bb1e7d027413835b086aed35bc3f0713bc0f72b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <linux@weissschuh.net>
+Date: Tue, 9 Jul 2024 22:37:24 +0200
+Subject: ACPI: sysfs: validate return type of _STR method
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+commit 4bb1e7d027413835b086aed35bc3f0713bc0f72b upstream.
+
+Only buffer objects are valid return values of _STR.
+
+If something else is returned description_show() will access invalid
+memory.
+
+Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description")
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://patch.msgid.link/20240709-acpi-sysfs-groups-v2-1-058ab0667fa8@weissschuh.net
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/device_sysfs.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/device_sysfs.c
++++ b/drivers/acpi/device_sysfs.c
+@@ -539,8 +539,9 @@ int acpi_device_setup_files(struct acpi_
+        * If device has _STR, 'description' file is created
+        */
+       if (acpi_has_method(dev->handle, "_STR")) {
+-              status = acpi_evaluate_object(dev->handle, "_STR",
+-                                      NULL, &buffer);
++              status = acpi_evaluate_object_typed(dev->handle, "_STR",
++                                                  NULL, &buffer,
++                                                  ACPI_TYPE_BUFFER);
+               if (ACPI_FAILURE(status))
+                       buffer.pointer = NULL;
+               dev->pnp.str_obj = buffer.pointer;
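Review bot: The switch to `acpi_evaluate_object_typed()` in `acpi_device_setup_files()` has no comment saying why the return type must be constrained, so a later cleanup could revert it to the untyped call. A one-line comment above the call would record the reason, e.g. `/* _STR must return a buffer: description_show() assumes str_obj is one */`. The type check does not constrain the buffer length, which presumably still comes from firmware. Whether description_show() bounds its read by that length and by the sysfs page size is not visible in this hunk and is worth confirming on the 4.19 tree. The function body starts before and continues past the hunk.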
diff --git a/queue-4.19/drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch b/queue-4.19/drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch
new file mode 100644 (file)
index 0000000..377c984
--- /dev/null
@@ -0,0 +1,36 @@
+From a5e61b50c9f44c5edb6e134ede6fee8806ffafa9 Mon Sep 17 00:00:00 2001
+From: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+Date: Mon, 9 Sep 2024 09:37:36 -0400
+Subject: drbd: Add NULL check for net_conf to prevent dereference in state validation
+
+From: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+
+commit a5e61b50c9f44c5edb6e134ede6fee8806ffafa9 upstream.
+
+If the net_conf pointer is NULL and the code attempts to access its
+fields without a check, it will lead to a null pointer dereference.
+Add a NULL check before dereferencing the pointer.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 44ed167da748 ("drbd: rcu_read_lock() and rcu_dereference() for tconn->net_conf")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+Link: https://lore.kernel.org/r/20240909133740.84297-1-m.lobanov@rosalinux.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/drbd/drbd_state.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/drbd/drbd_state.c
++++ b/drivers/block/drbd/drbd_state.c
+@@ -888,7 +888,7 @@ is_valid_state(struct drbd_device *devic
+                 ns.disk == D_OUTDATED)
+               rv = SS_CONNECTED_OUTDATES;
+-      else if ((ns.conn == C_VERIFY_S || ns.conn == C_VERIFY_T) &&
++      else if (nc && (ns.conn == C_VERIFY_S || ns.conn == C_VERIFY_T) &&
+                (nc->verify_alg[0] == 0))
+               rv = SS_NO_VERIFY_ALG;
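Review bot: With the added `nc &&` guard, a NULL `net_conf` combined with `ns.conn == C_VERIFY_S` or `C_VERIFY_T` now skips this branch instead of being rejected, even though the branch exists to refuse verify states that have no verify algorithm. If that combination is reachable, failing closed looks safer: keep the connection-state test as it was and make the second operand `(!nc || nc->verify_alg[0] == 0)`, so a missing configuration yields `SS_NO_VERIFY_ALG`. Whether `nc` can actually be NULL in a verify state depends on code outside this hunk, so this is a question for the maintainers rather than a confirmed defect. The `else if` chain starts before and continues after the lines shown.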
diff --git a/queue-4.19/drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch b/queue-4.19/drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch
new file mode 100644 (file)
index 0000000..45bcb7b
--- /dev/null
@@ -0,0 +1,58 @@
+From 2f02b5af3a4482b216e6a466edecf6ba8450fa45 Mon Sep 17 00:00:00 2001
+From: Qiu-ji Chen <chenqiuji666@gmail.com>
+Date: Fri, 13 Sep 2024 16:35:04 +0800
+Subject: drbd: Fix atomicity violation in drbd_uuid_set_bm()
+
+From: Qiu-ji Chen <chenqiuji666@gmail.com>
+
+commit 2f02b5af3a4482b216e6a466edecf6ba8450fa45 upstream.
+
+The violation of atomicity occurs when the drbd_uuid_set_bm function is
+executed simultaneously with modifying the value of
+device->ldev->md.uuid[UI_BITMAP]. Consider a scenario where, while
+device->ldev->md.uuid[UI_BITMAP] passes the validity check when its
+value is not zero, the value of device->ldev->md.uuid[UI_BITMAP] is
+written to zero. In this case, the check in drbd_uuid_set_bm might refer
+to the old value of device->ldev->md.uuid[UI_BITMAP] (before locking),
+which allows an invalid value to pass the validity check, resulting in
+inconsistency.
+
+To address this issue, it is recommended to include the data validity
+check within the locked section of the function. This modification
+ensures that the value of device->ldev->md.uuid[UI_BITMAP] does not
+change during the validation process, thereby maintaining its integrity.
+
+This possible bug is found by an experimental static analysis tool
+developed by our team. This tool analyzes the locking APIs to extract
+function pairs that can be concurrently executed, and then analyzes the
+instructions in the paired functions to identify possible concurrency
+bugs including data races and atomicity violations.
+
+Fixes: 9f2247bb9b75 ("drbd: Protect accesses to the uuid set with a spinlock")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qiu-ji Chen <chenqiuji666@gmail.com>
+Reviewed-by: Philipp Reisner <philipp.reisner@linbit.com>
+Link: https://lore.kernel.org/r/20240913083504.10549-1-chenqiuji666@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/drbd/drbd_main.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/drbd/drbd_main.c
++++ b/drivers/block/drbd/drbd_main.c
+@@ -3499,10 +3499,12 @@ void drbd_uuid_new_current(struct drbd_d
+ void drbd_uuid_set_bm(struct drbd_device *device, u64 val) __must_hold(local)
+ {
+       unsigned long flags;
+-      if (device->ldev->md.uuid[UI_BITMAP] == 0 && val == 0)
++      spin_lock_irqsave(&device->ldev->md.uuid_lock, flags);
++      if (device->ldev->md.uuid[UI_BITMAP] == 0 && val == 0) {
++              spin_unlock_irqrestore(&device->ldev->md.uuid_lock, flags);
+               return;
++      }
+-      spin_lock_irqsave(&device->ldev->md.uuid_lock, flags);
+       if (val == 0) {
+               drbd_uuid_move_history(device);
+               device->ldev->md.uuid[UI_HISTORY_START] = device->ldev->md.uuid[UI_BITMAP];
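Review bot: The code does not record why the zero check in `drbd_uuid_set_bm()` now sits inside the `uuid_lock` section, and the early return with its own unlock is the kind of thing a later cleanup might hoist back out of the lock. A short comment above the check would help, e.g. `/* test under uuid_lock: UI_BITMAP must not change between the check and the update */`. Kernel style would also put a blank line between `unsigned long flags;` and the `spin_lock_irqsave()` call. The fix only holds if every other writer of `md.uuid[UI_BITMAP]` takes the same lock, which cannot be confirmed from this hunk. The function body continues past the last line shown.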
index d68c4d6b829599dd02004a62932c7f28dc2214e8..fc98b7693b6c367dd756fb426e5f28417d3a95d7 100644 (file)
@@ -116,3 +116,6 @@ usb-appledisplay-close-race-between-probe-and-completion-handler.patch
 usb-misc-cypress_cy7c63-check-for-short-transfer.patch
 firmware_loader-block-path-traversal.patch
 tty-rp2-fix-reset-with-non-forgiving-pcie-host-bridges.patch
+drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch
+drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch
+acpi-sysfs-validate-return-type-of-_str-method.patch