--- /dev/null
+From b854b4ee66437e6e1622fda90529c814978cb4ca Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Fri, 14 Oct 2022 17:14:54 -0300
+Subject: cifs: fix double-fault crash during ntlmssp
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit b854b4ee66437e6e1622fda90529c814978cb4ca upstream.
+
+The crash occurred because we were calling memzero_explicit() on an
+already freed sess_data::iov[1] (ntlmsspblob) in sess_free_buffer().
+
+Fix this by not calling memzero_explicit() on sess_data::iov[1] as
+it's already handled by callers.
+
+Fixes: a4e430c8c8ba ("cifs: replace kfree() with kfree_sensitive() for sensitive data")
+Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/sess.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -1214,16 +1214,18 @@ out_free_smb_buf:
+ static void
+ sess_free_buffer(struct sess_data *sess_data)
+ {
+- int i;
++ struct kvec *iov = sess_data->iov;
+
+- /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
+- for (i = 0; i < 3; i++)
+- if (sess_data->iov[i].iov_base)
+- memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
++ /*
++ * Zero the session data before freeing, as it might contain sensitive info (keys, etc).
++ * Note that iov[1] is already freed by caller.
++ */
++ if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base)
++ memzero_explicit(iov[0].iov_base, iov[0].iov_len);
+
+- free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
++ free_rsp_buf(sess_data->buf0_type, iov[0].iov_base);
+ sess_data->buf0_type = CIFS_NO_BUFFER;
+- kfree(sess_data->iov[2].iov_base);
++ kfree_sensitive(iov[2].iov_base);
+ }
+
+ static int
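Review bot: After `free_rsp_buf(...)` and `kfree_sensitive(iov[2].iov_base)` the freed addresses remain stored in `iov[0].iov_base` and `iov[2].iov_base`; a repeat call is guarded for iov[0] only by `buf0_type = CIFS_NO_BUFFER`, and nothing guards iov[2]. The crash this commit fixes came from a stale kvec entry of this kind, so unless a caller outside this hunk still reads them, I would clear both before returning: `iov[0].iov_base = NULL;` and `iov[2].iov_base = NULL;`. The comment should also state the ownership contract rather than the current state, e.g. `/* iov[1] (the NTLMSSP blob) is owned by the caller, which must release it with kfree_sensitive() */`, because zeroization of that buffer now depends entirely on code outside this function. The same two points apply to SMB2_sess_free_buffer() in fs/cifs/smb2pdu.c.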
--- /dev/null
+From 01f2ee7e325611524078009d70392a5d5eca0945 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Wed, 19 Oct 2022 11:25:37 -0300
+Subject: cifs: fix memory leaks in session setup
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit 01f2ee7e325611524078009d70392a5d5eca0945 upstream.
+
+We were only zeroing out the ntlmssp blob but forgot to free the
+allocated buffer in the end of SMB2_sess_auth_rawntlmssp_negotiate()
+and SMB2_sess_auth_rawntlmssp_authenticate() functions.
+
+This fixes below kmemleak reports:
+
+unreferenced object 0xffff88800ddcfc60 (size 96):
+ comm "mount.cifs", pid 758, jiffies 4294696066 (age 42.967s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000d0beeb29>] __kmalloc+0x39/0xa0
+ [<00000000e3834047>] build_ntlmssp_smb3_negotiate_blob+0x2c/0x110 [cifs]
+ [<00000000e85f5ab2>] SMB2_sess_auth_rawntlmssp_negotiate+0xd3/0x230 [cifs]
+ [<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs]
+ [<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs]
+ [<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs]
+ [<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs]
+ [<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs]
+ [<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs]
+ [<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs]
+ [<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs]
+ [<0000000094dbd041>] vfs_get_tree+0x23/0xc0
+ [<000000003a8561de>] path_mount+0x2d3/0xb50
+ [<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140
+ [<00000000142142f3>] do_syscall_64+0x3b/0x90
+ [<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+unreferenced object 0xffff88801437f000 (size 512):
+ comm "mount.cifs", pid 758, jiffies 4294696067 (age 42.970s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000d0beeb29>] __kmalloc+0x39/0xa0
+ [<00000000004f53d2>] build_ntlmssp_auth_blob+0x4f/0x340 [cifs]
+ [<000000005f333084>] SMB2_sess_auth_rawntlmssp_authenticate+0xd4/0x250 [cifs]
+ [<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs]
+ [<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs]
+ [<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs]
+ [<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs]
+ [<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs]
+ [<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs]
+ [<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs]
+ [<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs]
+ [<0000000094dbd041>] vfs_get_tree+0x23/0xc0
+ [<000000003a8561de>] path_mount+0x2d3/0xb50
+ [<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140
+ [<00000000142142f3>] do_syscall_64+0x3b/0x90
+ [<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: a4e430c8c8ba ("cifs: replace kfree() with kfree_sensitive() for sensitive data")
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1345,14 +1345,13 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_
+ static void
+ SMB2_sess_free_buffer(struct SMB2_sess_data *sess_data)
+ {
+- int i;
++ struct kvec *iov = sess_data->iov;
+
+- /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
+- for (i = 0; i < 2; i++)
+- if (sess_data->iov[i].iov_base)
+- memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
++ /* iov[1] is already freed by caller */
++ if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base)
++ memzero_explicit(iov[0].iov_base, iov[0].iov_len);
+
+- free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
++ free_rsp_buf(sess_data->buf0_type, iov[0].iov_base);
+ sess_data->buf0_type = CIFS_NO_BUFFER;
+ }
+
+@@ -1582,7 +1581,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(stru
+ }
+
+ out:
+- memzero_explicit(ntlmssp_blob, blob_length);
++ kfree_sensitive(ntlmssp_blob);
+ SMB2_sess_free_buffer(sess_data);
+ if (!rc) {
+ sess_data->result = 0;
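Review bot: `kfree_sensitive(ntlmssp_blob)` at `out:` is only safe on early `goto out` paths if `ntlmssp_blob` is initialised to NULL where it is declared, which is outside this hunk and should be confirmed. If `sess_data->iov[1].iov_base` was pointed at the blob, as the comment in SMB2_sess_free_buffer() implies, it still holds the freed address after this line; adding `sess_data->iov[1].iov_base = NULL;` directly after the free keeps a later reader of the kvec from touching freed memory. The same applies to the `out:` label of SMB2_sess_auth_rawntlmssp_authenticate() in the next hunk. Both function bodies start and end outside their hunks.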
+@@ -1666,7 +1665,7 @@ SMB2_sess_auth_rawntlmssp_authenticate(s
+ }
+ #endif
+ out:
+- memzero_explicit(ntlmssp_blob, blob_length);
++ kfree_sensitive(ntlmssp_blob);
+ SMB2_sess_free_buffer(sess_data);
+ kfree_sensitive(ses->ntlmssp);
+ ses->ntlmssp = NULL;
--- /dev/null
+From 542228db2f28fdf775b301f2843e1fe486e7c797 Mon Sep 17 00:00:00 2001
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+Date: Fri, 4 Nov 2022 15:44:41 +0800
+Subject: cifs: fix use-after-free on the link name
+
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+
+commit 542228db2f28fdf775b301f2843e1fe486e7c797 upstream.
+
+xfstests generic/011 reported use-after-free bug as follows:
+
+ BUG: KASAN: use-after-free in __d_alloc+0x269/0x859
+ Read of size 15 at addr ffff8880078933a0 by task dirstress/952
+
+ CPU: 1 PID: 952 Comm: dirstress Not tainted 6.1.0-rc3+ #77
+ Call Trace:
+ __dump_stack+0x23/0x29
+ dump_stack_lvl+0x51/0x73
+ print_address_description+0x67/0x27f
+ print_report+0x3e/0x5c
+ kasan_report+0x7b/0xa8
+ kasan_check_range+0x1b2/0x1c1
+ memcpy+0x22/0x5d
+ __d_alloc+0x269/0x859
+ d_alloc+0x45/0x20c
+ d_alloc_parallel+0xb2/0x8b2
+ lookup_open+0x3b8/0x9f9
+ open_last_lookups+0x63d/0xc26
+ path_openat+0x11a/0x261
+ do_filp_open+0xcc/0x168
+ do_sys_openat2+0x13b/0x3f7
+ do_sys_open+0x10f/0x146
+ __se_sys_creat+0x27/0x2e
+ __x64_sys_creat+0x55/0x6a
+ do_syscall_64+0x40/0x96
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+ Allocated by task 952:
+ kasan_save_stack+0x1f/0x42
+ kasan_set_track+0x21/0x2a
+ kasan_save_alloc_info+0x17/0x1d
+ __kasan_kmalloc+0x7e/0x87
+ __kmalloc_node_track_caller+0x59/0x155
+ kstrndup+0x60/0xe6
+ parse_mf_symlink+0x215/0x30b
+ check_mf_symlink+0x260/0x36a
+ cifs_get_inode_info+0x14e1/0x1690
+ cifs_revalidate_dentry_attr+0x70d/0x964
+ cifs_revalidate_dentry+0x36/0x62
+ cifs_d_revalidate+0x162/0x446
+ lookup_open+0x36f/0x9f9
+ open_last_lookups+0x63d/0xc26
+ path_openat+0x11a/0x261
+ do_filp_open+0xcc/0x168
+ do_sys_openat2+0x13b/0x3f7
+ do_sys_open+0x10f/0x146
+ __se_sys_creat+0x27/0x2e
+ __x64_sys_creat+0x55/0x6a
+ do_syscall_64+0x40/0x96
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+ Freed by task 950:
+ kasan_save_stack+0x1f/0x42
+ kasan_set_track+0x21/0x2a
+ kasan_save_free_info+0x1c/0x34
+ ____kasan_slab_free+0x1c1/0x1d5
+ __kasan_slab_free+0xe/0x13
+ __kmem_cache_free+0x29a/0x387
+ kfree+0xd3/0x10e
+ cifs_fattr_to_inode+0xb6a/0xc8c
+ cifs_get_inode_info+0x3cb/0x1690
+ cifs_revalidate_dentry_attr+0x70d/0x964
+ cifs_revalidate_dentry+0x36/0x62
+ cifs_d_revalidate+0x162/0x446
+ lookup_open+0x36f/0x9f9
+ open_last_lookups+0x63d/0xc26
+ path_openat+0x11a/0x261
+ do_filp_open+0xcc/0x168
+ do_sys_openat2+0x13b/0x3f7
+ do_sys_open+0x10f/0x146
+ __se_sys_creat+0x27/0x2e
+ __x64_sys_creat+0x55/0x6a
+ do_syscall_64+0x40/0x96
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+When a symlink is opened, the link name comes from 'inode->i_link', but it
+may be reset to a new value when the dentry is revalidated. If another process
+reads the link name during this race, a UAF will occur on the link name.
+
+Fix this by implementing 'get_link' interface to duplicate the link name.
+
+Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
+Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifsfs.c | 26 +++++++++++++++++++++++++-
+ fs/cifs/inode.c | 5 -----
+ 2 files changed, 25 insertions(+), 6 deletions(-)
+
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -1143,8 +1143,32 @@ const struct inode_operations cifs_file_
+ .fiemap = cifs_fiemap,
+ };
+
++const char *cifs_get_link(struct dentry *dentry, struct inode *inode,
++ struct delayed_call *done)
++{
++ char *target_path;
++
++ target_path = kmalloc(PATH_MAX, GFP_KERNEL);
++ if (!target_path)
++ return ERR_PTR(-ENOMEM);
++
++ spin_lock(&inode->i_lock);
++ if (likely(CIFS_I(inode)->symlink_target)) {
++ strscpy(target_path, CIFS_I(inode)->symlink_target, PATH_MAX);
++ } else {
++ kfree(target_path);
++ target_path = ERR_PTR(-EOPNOTSUPP);
++ }
++ spin_unlock(&inode->i_lock);
++
++ if (!IS_ERR(target_path))
++ set_delayed_call(done, kfree_link, target_path);
++
++ return target_path;
++}
++
+ const struct inode_operations cifs_symlink_inode_ops = {
+- .get_link = simple_get_link,
++ .get_link = cifs_get_link,
+ .permission = cifs_permission,
+ .listxattr = cifs_listxattr,
+ };
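Review bot: cifs_get_link() does not check `dentry` for NULL before calling `kmalloc(PATH_MAX, GFP_KERNEL)`. The VFS passes a NULL dentry to ->get_link during RCU-walk, where a sleeping allocation is not allowed, so the function should start with `if (!dentry) return ERR_PTR(-ECHILD);` and let the lookup retry in ref-walk mode. The return value of `strscpy()` is also ignored, so a stored target that does not fit in PATH_MAX would be silently truncated and the shortened path resolved. Checking for a negative return inside the locked section and turning it into an error (freeing `target_path`, as the `else` branch already does) would avoid following a path the server never supplied.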
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -215,11 +215,6 @@ cifs_fattr_to_inode(struct inode *inode,
+ kfree(cifs_i->symlink_target);
+ cifs_i->symlink_target = fattr->cf_symlink_target;
+ fattr->cf_symlink_target = NULL;
+-
+- if (unlikely(!cifs_i->symlink_target))
+- inode->i_link = ERR_PTR(-EOPNOTSUPP);
+- else
+- inode->i_link = cifs_i->symlink_target;
+ }
+ spin_unlock(&inode->i_lock);
+
--- /dev/null
+From 10269f13257d4eb6061d09ccce61666316df9838 Mon Sep 17 00:00:00 2001
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Date: Mon, 17 Oct 2022 22:45:25 +0800
+Subject: cifs: Fix xid leak in cifs_get_file_info_unix()
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+commit 10269f13257d4eb6061d09ccce61666316df9838 upstream.
+
+If kstrdup() of the symlink target fails, the xid should be freed;
+otherwise the xid will be leaked.
+
+Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/inode.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -368,8 +368,10 @@ cifs_get_file_info_unix(struct file *fil
+
+ if (cfile->symlink_target) {
+ fattr.cf_symlink_target = kstrdup(cfile->symlink_target, GFP_KERNEL);
+- if (!fattr.cf_symlink_target)
+- return -ENOMEM;
++ if (!fattr.cf_symlink_target) {
++ rc = -ENOMEM;
++ goto cifs_gfiunix_out;
++ }
+ }
+
+ rc = CIFSSMBUnixQFileInfo(xid, tcon, cfile->fid.netfid, &find_data);
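Review bot: The new `goto cifs_gfiunix_out` releases the xid, but the copy just stored in `fattr.cf_symlink_target` needs the same care on the failure paths that follow. If `CIFSSMBUnixQFileInfo()` fails and the code also jumps to `cifs_gfiunix_out`, the kstrdup() buffer is leaked unless the label frees it; the label and the rest of the function are outside this hunk, so this needs checking there. The cifs_fattr_to_inode() hunk in this series shows `fattr->cf_symlink_target = NULL` once ownership is transferred, so a `kfree(fattr.cf_symlink_target);` at the label would be harmless on success and would close the leak on error, provided `fattr` is zero-initialised.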
--- /dev/null
+From 99c05a2b710f16ea592ccb63ef5fe5f1f6b15db9 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 12 Oct 2022 09:02:33 +0200
+Subject: clk: renesas: r8a779f0: Fix SD0H clock name
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 99c05a2b710f16ea592ccb63ef5fe5f1f6b15db9 upstream.
+
+Correct the misspelled textual name of the SD0H clock.
+
+Fixes: 9b5dd1ff705c6854 ("clk: renesas: r8a779f0: Add SDH0 clock")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/1f682d338f133608f138ae87323707436ad8c748.1665558014.git.geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/renesas/r8a779f0-cpg-mssr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/renesas/r8a779f0-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a779f0-cpg-mssr.c
+@@ -113,7 +113,7 @@ static const struct cpg_core_clk r8a779f
+ DEF_FIXED("sasyncperd2", R8A779F0_CLK_SASYNCPERD2, R8A779F0_CLK_SASYNCPERD1, 2, 1),
+ DEF_FIXED("sasyncperd4", R8A779F0_CLK_SASYNCPERD4, R8A779F0_CLK_SASYNCPERD1, 4, 1),
+
+- DEF_GEN4_SDH("sdh0", R8A779F0_CLK_SD0H, CLK_SDSRC, 0x870),
++ DEF_GEN4_SDH("sd0h", R8A779F0_CLK_SD0H, CLK_SDSRC, 0x870),
+ DEF_GEN4_SD("sd0", R8A779F0_CLK_SD0, R8A779F0_CLK_SD0H, 0x870),
+
+ DEF_BASE("rpc", R8A779F0_CLK_RPC, CLK_TYPE_GEN4_RPC, CLK_RPCSRC),
--- /dev/null
+From 341fd15e2e18c24d5c738496cfc3d7a272241201 Mon Sep 17 00:00:00 2001
+From: Yassine Oudjana <y.oudjana@protonmail.com>
+Date: Mon, 7 Nov 2022 18:33:17 +0300
+Subject: extcon: usbc-tusb320: Call the Type-C IRQ handler only if a port is registered
+
+From: Yassine Oudjana <y.oudjana@protonmail.com>
+
+commit 341fd15e2e18c24d5c738496cfc3d7a272241201 upstream.
+
+Commit bf7571c00dca ("extcon: usbc-tusb320: Add USB TYPE-C support")
+added an optional Type-C interface to the driver but missed to check
+if it is in use when calling the IRQ handler. This causes an oops on
+devices currently using the old extcon interface. Check if a Type-C
+port is registered before calling the Type-C IRQ handler.
+
+Fixes: bf7571c00dca ("extcon: usbc-tusb320: Add USB TYPE-C support")
+Signed-off-by: Yassine Oudjana <y.oudjana@protonmail.com>
+Reviewed-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20221107153317.657803-1-y.oudjana@protonmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/extcon/extcon-usbc-tusb320.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/extcon/extcon-usbc-tusb320.c
++++ b/drivers/extcon/extcon-usbc-tusb320.c
+@@ -327,7 +327,13 @@ static irqreturn_t tusb320_state_update_
+ return IRQ_NONE;
+
+ tusb320_extcon_irq_handler(priv, reg);
+- tusb320_typec_irq_handler(priv, reg);
++
++ /*
++ * Type-C support is optional. Only call the Type-C handler if a
++ * port had been registered previously.
++ */
++ if (priv->port)
++ tusb320_typec_irq_handler(priv, reg);
+
+ regmap_write(priv->regmap, TUSB320_REG9, reg);
+
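Review bot: The `if (priv->port)` guard only tells NULL from non-NULL, and the hunk does not show how `priv->port` is assigned. If the registration path stores the result of the port registration call directly and can leave an error pointer there while the interrupt stays requested, that value would pass this test and reach `tusb320_typec_irq_handler()`. It is worth confirming that `priv->port` stays NULL on every path where no port exists, or using `if (!IS_ERR_OR_NULL(priv->port))` here. The handler body starts and ends outside this hunk.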
media-dvbdev-fix-build-warning-due-to-comments.patch
media-dvbdev-fix-refcnt-bug.patch
drm-amd-display-revert-disable-drr-actions-during-state-commit.patch
+clk-renesas-r8a779f0-fix-sd0h-clock-name.patch
+extcon-usbc-tusb320-call-the-type-c-irq-handler-only-if-a-port-is-registered.patch
+cifs-fix-double-fault-crash-during-ntlmssp.patch
+cifs-fix-xid-leak-in-cifs_get_file_info_unix.patch
+cifs-fix-memory-leaks-in-session-setup.patch
+cifs-fix-use-after-free-on-the-link-name.patch