From: Sasha Levin Date: Sat, 9 Nov 2024 02:46:12 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v5.15.172~84 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0e311e5ae85763d964c7c5c7ac875fff69d6edfb;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/arm-dts-rockchip-drop-grf-reference-from-rk3036-hdmi.patch b/queue-4.19/arm-dts-rockchip-drop-grf-reference-from-rk3036-hdmi.patch new file mode 100644 index 00000000000..ecb1212cbc0 --- /dev/null +++ b/queue-4.19/arm-dts-rockchip-drop-grf-reference-from-rk3036-hdmi.patch @@ -0,0 +1,39 @@ +From f7406415556568d708f9a24230f4687267b1719e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 22:39:38 +0200 +Subject: ARM: dts: rockchip: drop grf reference from rk3036 hdmi + +From: Heiko Stuebner + +[ Upstream commit 1580ccb6ed9dc76b8ff3e2d8912e8215c8b0fa6d ] + +Neither the binding nor the driver implementation specify/use the grf +reference provided in the rk3036. And neither does the newer rk3128 +user of the hdmi controller. So drop the rockchip,grf property. + +Fixes: b7217cf19c63 ("ARM: dts: rockchip: add hdmi device node for rk3036") +Cc: Caesar Wang +Reviewed-by: Dragan Simic +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20241008203940.2573684-13-heiko@sntech.de +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3036.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/boot/dts/rk3036.dtsi b/arch/arm/boot/dts/rk3036.dtsi +index f7b5853aeb79f..9e30c726b7082 100644 +--- a/arch/arm/boot/dts/rk3036.dtsi ++++ b/arch/arm/boot/dts/rk3036.dtsi +@@ -332,7 +332,6 @@ + interrupts = ; + clocks = <&cru PCLK_HDMI>; + clock-names = "pclk"; +- rockchip,grf = <&grf>; + pinctrl-names = "default"; + pinctrl-0 = <&hdmi_ctl>; + status = "disabled"; +-- +2.43.0 + 
diff --git a/queue-4.19/arm-dts-rockchip-fix-rk3036-acodec-node.patch b/queue-4.19/arm-dts-rockchip-fix-rk3036-acodec-node.patch new file mode 100644 index 00000000000..c03ef7b5fe9 --- /dev/null +++ b/queue-4.19/arm-dts-rockchip-fix-rk3036-acodec-node.patch @@ -0,0 +1,49 @@ +From d41e2a5123bc6ad5fe02dd6db94c164c352a3947 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 22:39:37 +0200 +Subject: ARM: dts: rockchip: fix rk3036 acodec node + +From: Heiko Stuebner + +[ Upstream commit c7206853cd7d31c52575fb1dc7616b4398f3bc8f ] + +The acodec node is not conformant to the binding. + +Set the correct nodename, use the correct compatible, add the needed +#sound-dai-cells and sort the rockchip,grf below clocks properties +as expected. + +Fixes: faea098e1808 ("ARM: dts: rockchip: add core rk3036 dtsi") +Reviewed-by: Dragan Simic +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20241008203940.2573684-12-heiko@sntech.de +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3036.dtsi | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/rk3036.dtsi b/arch/arm/boot/dts/rk3036.dtsi +index c5144f06c3e70..f7b5853aeb79f 100644 +--- a/arch/arm/boot/dts/rk3036.dtsi ++++ b/arch/arm/boot/dts/rk3036.dtsi +@@ -316,12 +316,13 @@ + }; + }; + +- acodec: acodec-ana@20030000 { +- compatible = "rk3036-codec"; ++ acodec: audio-codec@20030000 { ++ compatible = "rockchip,rk3036-codec"; + reg = <0x20030000 0x4000>; +- rockchip,grf = <&grf>; + clock-names = "acodec_pclk"; + clocks = <&cru PCLK_ACODEC>; ++ rockchip,grf = <&grf>; ++ #sound-dai-cells = <0>; + status = "disabled"; + }; + +-- +2.43.0 + diff --git a/queue-4.19/arm-dts-rockchip-fix-the-realtek-audio-codec-on-rk30.patch b/queue-4.19/arm-dts-rockchip-fix-the-realtek-audio-codec-on-rk30.patch new file mode 100644 index 00000000000..306877ffb7f --- /dev/null +++ b/queue-4.19/arm-dts-rockchip-fix-the-realtek-audio-codec-on-rk30.patch 
@@ -0,0 +1,41 @@ +From d434893981966b0128a5f72a84eb3a535893f7a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 22:39:40 +0200 +Subject: ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin + +From: Heiko Stuebner + +[ Upstream commit 77a9a7f2d3b94d29d13d71b851114d593a2147cf ] + +Both the node name as well as the compatible were not named +according to the binding expectations, fix that. + +Fixes: 47bf3a5c9e2a ("ARM: dts: rockchip: add the sound setup for rk3036-kylin board") +Cc: Caesar Wang +Reviewed-by: Dragan Simic +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20241008203940.2573684-15-heiko@sntech.de +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3036-kylin.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/rk3036-kylin.dts b/arch/arm/boot/dts/rk3036-kylin.dts +index cd109aebb7831..c7fda457e5a81 100644 +--- a/arch/arm/boot/dts/rk3036-kylin.dts ++++ b/arch/arm/boot/dts/rk3036-kylin.dts +@@ -300,8 +300,8 @@ + &i2c2 { + status = "okay"; + +- rt5616: rt5616@1b { +- compatible = "rt5616"; ++ rt5616: audio-codec@1b { ++ compatible = "realtek,rt5616"; + reg = <0x1b>; + clocks = <&cru SCLK_I2S_OUT>; + clock-names = "mclk"; +-- +2.43.0 + diff --git a/queue-4.19/arm64-dts-rockchip-fix-rt5651-compatible-value-on-rk.patch b/queue-4.19/arm64-dts-rockchip-fix-rt5651-compatible-value-on-rk.patch new file mode 100644 index 00000000000..8423a14c316 --- /dev/null +++ b/queue-4.19/arm64-dts-rockchip-fix-rt5651-compatible-value-on-rk.patch 
@@ -0,0 +1,39 @@ +From 3b7721882d70fd71b584592db30eb37836dd15f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 15:48:41 +0200 +Subject: arm64: dts: rockchip: Fix rt5651 compatible value on + rk3399-sapphire-excavator + +From: Geert Uytterhoeven + +[ Upstream commit 577b5761679da90e691acc939ebbe7879fff5f31 ] + +There are no DT bindings and driver support for a "rockchip,rt5651" +codec. Replace "rockchip,rt5651" by "realtek,rt5651", which matches the +"simple-audio-card,name" property in the "rt5651-sound" node. + +Fixes: 0a3c78e251b3a266 ("arm64: dts: rockchip: Add support for rk3399 excavator main board") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/abc6c89811b3911785601d6d590483eacb145102.1727358193.git.geert+renesas@glider.be +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts b/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts +index b14d83919f14c..dacb1331ae9cd 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts +@@ -123,7 +123,7 @@ + status = "okay"; + + rt5651: rt5651@1a { +- compatible = "rockchip,rt5651"; ++ compatible = "realtek,rt5651"; + reg = <0x1a>; + clocks = <&cru SCLK_I2S_8CH_OUT>; + clock-names = "mclk"; +-- +2.43.0 + diff --git a/queue-4.19/can-c_can-fix-rx-tx-_errors-statistics.patch b/queue-4.19/can-c_can-fix-rx-tx-_errors-statistics.patch new file mode 100644 index 00000000000..975049fba45 --- /dev/null +++ b/queue-4.19/can-c_can-fix-rx-tx-_errors-statistics.patch 
@@ -0,0 +1,71 @@ +From 7ad76cf670c0ac6fc5160c65daefcc735d1fdb64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 15:53:13 +0200 +Subject: can: c_can: fix {rx,tx}_errors statistics + +From: Dario Binacchi + +[ Upstream commit 4d6d26537940f3b3e17138987ed9e4a334780bf7 ] + +The c_can_handle_bus_err() function was incorrectly incrementing only the +receive error counter, even in cases of bit or acknowledgment errors that +occur during transmission. The patch fixes the issue by incrementing the +appropriate counter based on the type of error. + +Fixes: 881ff67ad450 ("can: c_can: Added support for Bosch C_CAN controller") +Signed-off-by: Dario Binacchi +Link: https://patch.msgid.link/20241014135319.2009782-1-dario.binacchi@amarulasolutions.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/c_can/c_can.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c +index 2278c5fff5c69..8e72c379740c7 100644 +--- a/drivers/net/can/c_can/c_can.c ++++ b/drivers/net/can/c_can/c_can.c +@@ -991,7 +991,6 @@ static int c_can_handle_bus_err(struct net_device *dev, + + /* common for all type of bus errors */ + priv->can.can_stats.bus_error++; +- stats->rx_errors++; + + /* propagate the error condition to the CAN stack */ + skb = alloc_can_err_skb(dev, &cf); +@@ -1008,26 +1007,32 @@ static int c_can_handle_bus_err(struct net_device *dev, + case LEC_STUFF_ERROR: + netdev_dbg(dev, "stuff error\n"); + cf->data[2] |= CAN_ERR_PROT_STUFF; ++ stats->rx_errors++; + break; + case LEC_FORM_ERROR: + netdev_dbg(dev, "form error\n"); + cf->data[2] |= CAN_ERR_PROT_FORM; ++ stats->rx_errors++; + break; + case LEC_ACK_ERROR: + netdev_dbg(dev, "ack error\n"); + cf->data[3] = CAN_ERR_PROT_LOC_ACK; ++ stats->tx_errors++; + break; + case LEC_BIT1_ERROR: + netdev_dbg(dev, "bit1 error\n"); + cf->data[2] |= CAN_ERR_PROT_BIT1; ++ stats->tx_errors++; + break; + case 
LEC_BIT0_ERROR: + netdev_dbg(dev, "bit0 error\n"); + cf->data[2] |= CAN_ERR_PROT_BIT0; ++ stats->tx_errors++; + break; + case LEC_CRC_ERROR: + netdev_dbg(dev, "CRC error\n"); + cf->data[3] = CAN_ERR_PROT_LOC_CRC_SEQ; ++ stats->rx_errors++; + break; + default: + break; +-- +2.43.0 + diff --git a/queue-4.19/hid-core-zero-initialize-the-report-buffer.patch b/queue-4.19/hid-core-zero-initialize-the-report-buffer.patch new file mode 100644 index 00000000000..c72a0d7af82 --- /dev/null +++ b/queue-4.19/hid-core-zero-initialize-the-report-buffer.patch @@ -0,0 +1,41 @@ +From 0b385f38ed644237087e45d052a209dc2b15d3be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2024 15:44:35 +0100 +Subject: HID: core: zero-initialize the report buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiri Kosina + +[ Upstream commit 177f25d1292c7e16e1199b39c85480f7f8815552 ] + +Since the report buffer is used by all kinds of drivers in various ways, let's +zero-initialize it during allocation to make sure that it can't be ever used +to leak kernel memory via specially-crafted report. + +Fixes: 27ce405039bf ("HID: fix data access in implement()") +Reported-by: Benoît Sevens +Acked-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 0757097d25507..3387e64d84412 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1482,7 +1482,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags) + + u32 len = hid_report_len(report) + 7; + +- return kmalloc(len, flags); ++ return kzalloc(len, flags); + } + EXPORT_SYMBOL_GPL(hid_alloc_report_buf); + +-- +2.43.0 + 
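Review bot: with the unconditional `stats->rx_errors++` removed from the top of c_can_handle_bus_err(), the `default:` branch now increments neither counter, so an LEC value outside the six handled cases is only reflected in `can_stats.bus_error`; confirm that is intended, or keep a `stats->rx_errors++` in `default:` to preserve the previous accounting for unrecognised codes. The split itself is consistent with the commit message: ack, bit0 and bit1 errors are attributed to transmission (`tx_errors`), while stuff, form and CRC errors stay on `rx_errors`.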
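Review bot: the `kmalloc()` to `kzalloc()` switch in hid_alloc_report_buf() is the right minimal fix, since the buffer is handed to many drivers and any bytes they leave untouched were previously uninitialised kernel memory; a short comment next to `hid_report_len(report) + 7` explaining what the 7 slack bytes are for would help readers judge whether those bytes are ever written. Style point: the `Reported-by:` trailer has no accompanying `Closes:` link.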
diff --git a/queue-4.19/net-hns3-fix-kernel-crash-when-uninstalling-driver.patch b/queue-4.19/net-hns3-fix-kernel-crash-when-uninstalling-driver.patch new file mode 100644 index 00000000000..89d29bf3c79 --- /dev/null +++ b/queue-4.19/net-hns3-fix-kernel-crash-when-uninstalling-driver.patch 
@@ -0,0 +1,89 @@ +From f04755318c9a22e7e3a6201c378675c7588c58c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Nov 2024 17:15:07 +0800 +Subject: net: hns3: fix kernel crash when uninstalling driver + +From: Peiyang Wang + +[ Upstream commit df3dff8ab6d79edc942464999d06fbaedf8cdd18 ] + +When the driver is uninstalled and the VF is disabled concurrently, a +kernel crash occurs. The reason is that the two actions call function +pci_disable_sriov(). The num_VFs is checked to determine whether to +release the corresponding resources. During the second calling, num_VFs +is not 0 and the resource release function is called. However, the +corresponding resource has been released during the first invoking. +Therefore, the problem occurs: + +[15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 +... +[15278.131557][T50670] Call trace: +[15278.134686][T50670] klist_put+0x28/0x12c +[15278.138682][T50670] klist_del+0x14/0x20 +[15278.142592][T50670] device_del+0xbc/0x3c0 +[15278.146676][T50670] pci_remove_bus_device+0x84/0x120 +[15278.151714][T50670] pci_stop_and_remove_bus_device+0x6c/0x80 +[15278.157447][T50670] pci_iov_remove_virtfn+0xb4/0x12c +[15278.162485][T50670] sriov_disable+0x50/0x11c +[15278.166829][T50670] pci_disable_sriov+0x24/0x30 +[15278.171433][T50670] hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3] +[15278.178039][T50670] hclge_exit+0x28/0xd0 [hclge] +[15278.182730][T50670] __se_sys_delete_module.isra.0+0x164/0x230 +[15278.188550][T50670] __arm64_sys_delete_module+0x1c/0x30 +[15278.193848][T50670] invoke_syscall+0x50/0x11c +[15278.198278][T50670] el0_svc_common.constprop.0+0x158/0x164 +[15278.203837][T50670] do_el0_svc+0x34/0xcc +[15278.207834][T50670] el0_svc+0x20/0x30 + +For details, see the following figure. + + rmmod hclge disable VFs +---------------------------------------------------- +hclge_exit() sriov_numvfs_store() + ... 
device_lock() + pci_disable_sriov() hns3_pci_sriov_configure() + pci_disable_sriov() + sriov_disable() + sriov_disable() if !num_VFs : + if !num_VFs : return; + return; sriov_del_vfs() + sriov_del_vfs() ... + ... klist_put() + klist_put() ... + ... num_VFs = 0; + num_VFs = 0; device_unlock(); + +In this patch, when driver is removing, we get the device_lock() +to protect num_VFs, just like sriov_numvfs_store(). + +Fixes: 0dd8a25f355b ("net: hns3: disable sriov before unload hclge layer") +Signed-off-by: Peiyang Wang +Signed-off-by: Jijie Shao +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241101091507.3644584-1-shaojijie@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hnae3.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.c b/drivers/net/ethernet/hisilicon/hns3/hnae3.c +index b250d0fe9ac50..1265010f063fe 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.c +@@ -25,8 +25,11 @@ void hnae3_unregister_ae_algo_prepare(struct hnae3_ae_algo *ae_algo) + pci_id = pci_match_id(ae_algo->pdev_id_table, ae_dev->pdev); + if (!pci_id) + continue; +- if (IS_ENABLED(CONFIG_PCI_IOV)) ++ if (IS_ENABLED(CONFIG_PCI_IOV)) { ++ device_lock(&ae_dev->pdev->dev); + pci_disable_sriov(ae_dev->pdev); ++ device_unlock(&ae_dev->pdev->dev); ++ } + } + } + EXPORT_SYMBOL(hnae3_unregister_ae_algo_prepare); +-- +2.43.0 + diff --git a/queue-4.19/sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch b/queue-4.19/sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch new file mode 100644 index 00000000000..334bcb2fb85 --- /dev/null +++ b/queue-4.19/sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch 
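Review bot: the `device_lock()`/`device_unlock()` pair brackets only `pci_disable_sriov()`, and the existing `IS_ENABLED(CONFIG_PCI_IOV)` guard is kept, so no lock is taken on builds without SR-IOV. One thing to verify before merging: this call sits inside the loop that walks the ae_dev list with `pci_match_id()`, so if that list is itself protected by a mutex, `device_lock()` is now nested inside it; check the lock ordering against `sriov_numvfs_store()`, which holds the device lock while calling into `hns3_pci_sriov_configure()`.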
@@ -0,0 +1,49 @@ +From dd28630790d48a386cbbeff9f91d86a5697e2b00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2024 13:46:21 -0400 +Subject: sctp: properly validate chunk size in sctp_sf_ootb() + +From: Xin Long + +[ Upstream commit 0ead60804b64f5bd6999eec88e503c6a1a242d41 ] + +A size validation fix similar to that in Commit 50619dbf8db7 ("sctp: add +size validation when walking chunks") is also required in sctp_sf_ootb() +to address a crash reported by syzbot: + + BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712 + sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712 + sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166 + sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407 + sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 + sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243 + sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159 + ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233 + +Reported-by: syzbot+f0cbb34d39392f2746ca@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Link: https://patch.msgid.link/a29ebb6d8b9f8affd0f9abb296faafafe10c17d8.1730223981.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 8298f27e8de0d..0b44ad00dbb69 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -3652,7 +3652,7 @@ enum sctp_disposition sctp_sf_ootb(struct net *net, + } + + ch = (struct sctp_chunkhdr *)ch_end; +- } while (ch_end < skb_tail_pointer(skb)); ++ } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb)); + + if (ootb_shut_ack) + return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands); +-- +2.43.0 + 
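Review bot: the new loop condition `ch_end + sizeof(*ch) < skb_tail_pointer(skb)` ensures a full chunk header is present before `ch` is dereferenced on the next iteration, which is what the KMSAN report calls for. Note the comparison is strict: when exactly `sizeof(*ch)` bytes remain after `ch_end`, the walk ends without examining that trailing header-only chunk, and SHUTDOWN_ACK and ABORT chunks can legitimately carry no payload. The commit message says this mirrors 50619dbf8db7, so it is at least consistent, but a one-line comment stating that the last header-only chunk is intentionally not inspected would make the boundary explicit.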
diff --git a/queue-4.19/security-keys-fix-slab-out-of-bounds-in-key_task_per.patch b/queue-4.19/security-keys-fix-slab-out-of-bounds-in-key_task_per.patch new file mode 100644 index 00000000000..7de95b4515f --- /dev/null +++ b/queue-4.19/security-keys-fix-slab-out-of-bounds-in-key_task_per.patch 
@@ -0,0 +1,110 @@ +From 7517e362d7ee189ebb425444f69711b0cc9f02f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 12:46:39 +0000 +Subject: security/keys: fix slab-out-of-bounds in key_task_permission + +From: Chen Ridong + +[ Upstream commit 4a74da044ec9ec8679e6beccc4306b936b62873f ] + +KASAN reports an out of bounds read: +BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 +BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] +BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 +security/keys/permission.c:54 +Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 + +CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 +Call Trace: + __dump_stack lib/dump_stack.c:82 [inline] + dump_stack+0x107/0x167 lib/dump_stack.c:123 + print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 + __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 + kasan_report+0x3a/0x50 mm/kasan/report.c:585 + __kuid_val include/linux/uidgid.h:36 [inline] + uid_eq include/linux/uidgid.h:63 [inline] + key_task_permission+0x394/0x410 security/keys/permission.c:54 + search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 + +This issue was also reported by syzbot. + +It can be reproduced by following these steps(more details [1]): +1. Obtain more than 32 inputs that have similar hashes, which ends with the + pattern '0xxxxxxxe6'. +2. Reboot and add the keys obtained in step 1. + +The reproducer demonstrates how this issue happened: +1. In the search_nested_keyrings function, when it iterates through the + slots in a node(below tag ascend_to_node), if the slot pointer is meta + and node->back_pointer != NULL(it means a root), it will proceed to + descend_to_node. However, there is an exception. If node is the root, + and one of the slots points to a shortcut, it will be treated as a + keyring. +2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function. 
+ However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as + ASSOC_ARRAY_PTR_SUBTYPE_MASK. +3. When 32 keys with the similar hashes are added to the tree, the ROOT + has keys with hashes that are not similar (e.g. slot 0) and it splits + NODE A without using a shortcut. When NODE A is filled with keys that + all hashes are xxe6, the keys are similar, NODE A will split with a + shortcut. Finally, it forms the tree as shown below, where slot 6 points + to a shortcut. + + NODE A + +------>+---+ + ROOT | | 0 | xxe6 + +---+ | +---+ + xxxx | 0 | shortcut : : xxe6 + +---+ | +---+ + xxe6 : : | | | xxe6 + +---+ | +---+ + | 6 |---+ : : xxe6 + +---+ +---+ + xxe6 : : | f | xxe6 + +---+ +---+ + xxe6 | f | + +---+ + +4. As mentioned above, If a slot(slot 6) of the root points to a shortcut, + it may be mistakenly transferred to a key*, leading to a read + out-of-bounds read. + +To fix this issue, one should jump to descend_to_node if the ptr is a +shortcut, regardless of whether the node is root or not. + +[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/ + +[jarkko: tweaked the commit message a bit to have an appropriate closes + tag.] 
+Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring") +Reported-by: syzbot+5b415c07907a2990d1a3@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000cbb7860611f61147@google.com/T/ +Signed-off-by: Chen Ridong +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + security/keys/keyring.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/security/keys/keyring.c b/security/keys/keyring.c +index e8f2366021ea3..0f414a114729a 100644 +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -739,8 +739,11 @@ static bool search_nested_keyrings(struct key *keyring, + for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { + ptr = READ_ONCE(node->slots[slot]); + +- if (assoc_array_ptr_is_meta(ptr) && node->back_pointer) +- goto descend_to_node; ++ if (assoc_array_ptr_is_meta(ptr)) { ++ if (node->back_pointer || ++ assoc_array_ptr_is_shortcut(ptr)) ++ goto descend_to_node; ++ } + + if (!keyring_ptr_is_keyring(ptr)) + continue; +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index e69de29bb2d..424ba581404 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -0,0 +1,9 @@ +arm64-dts-rockchip-fix-rt5651-compatible-value-on-rk.patch +arm-dts-rockchip-fix-rk3036-acodec-node.patch +arm-dts-rockchip-drop-grf-reference-from-rk3036-hdmi.patch +arm-dts-rockchip-fix-the-realtek-audio-codec-on-rk30.patch +hid-core-zero-initialize-the-report-buffer.patch +security-keys-fix-slab-out-of-bounds-in-key_task_per.patch +sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch +can-c_can-fix-rx-tx-_errors-statistics.patch +net-hns3-fix-kernel-crash-when-uninstalling-driver.patch
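Review bot: the restructured condition keeps the previous "descend when not at the root" behaviour and adds "descend when the slot is a shortcut" at any depth, which is exactly the case the commit message describes (KEYRING_PTR_SUBTYPE equals ASSOC_ARRAY_PTR_SUBTYPE_MASK, so a shortcut pointer would otherwise pass `keyring_ptr_is_keyring()` and be read as a `struct key`). A root slot that points to a plain node still falls through to the `keyring_ptr_is_keyring()` check and is skipped, as before; a short comment above the block explaining why a root's node children are not descended here would save the next reader from re-deriving that from the pointer encoding.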