From: Sasha Levin Date: Mon, 6 Feb 2023 13:35:51 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v5.15.93~54 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=13cc78bfad2a36fbbba3e8651805df9ce7e728fc;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch b/queue-4.19/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch new file mode 100644 index 00000000000..676d7ca9923 --- /dev/null +++ b/queue-4.19/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch @@ -0,0 +1,41 @@ +From 15d3d08af3cf93b5d22dee01a397a7efd1b9f37d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 00:22:59 -0800 +Subject: ALSA: hda/via: Avoid potential array out-of-bound in + add_secret_dac_path() + +From: Artemii Karasev + +[ Upstream commit b9cee506da2b7920b5ea02ccd8e78a907d0ee7aa ] + +snd_hda_get_connections() can return a negative error code. +It may lead to accessing 'conn' array at a negative index. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Artemii Karasev +Fixes: 30b4503378c9 ("ALSA: hda - Expose secret DAC-AA connection of some VIA codecs") +Link: https://lore.kernel.org/r/20230119082259.3634-1-karasev@ispras.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_via.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c +index 937155b1fae0..9e2252eee626 100644 +--- a/sound/pci/hda/patch_via.c ++++ b/sound/pci/hda/patch_via.c +@@ -834,6 +834,9 @@ static int add_secret_dac_path(struct hda_codec *codec) + return 0; + nums = snd_hda_get_connections(codec, spec->gen.mixer_nid, conn, + ARRAY_SIZE(conn) - 1); ++ if (nums < 0) ++ return nums; ++ + for (i = 0; i < nums; i++) { + if (get_wcaps_type(get_wcaps(codec, conn[i])) == AC_WID_AUD_OUT) + return 0; +-- +2.39.0 + 
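Review bot: the guarded index is not visible in this hunk. With a negative `nums` the shown loop `for (i = 0; i < nums; i++)` never executes, so the negative-index access the commit message describes is presumably a later use of `nums` as a subscript into `conn` below the displayed context; a one-line comment above `if (nums < 0)` naming that use, or quoting it in the message, would make the fix reviewable from the diff alone. Returning the raw error also changes the function's contract, since the neighbouring early exits in the context `return 0;`, so callers of add_secret_dac_path() should be checked for handling a negative return.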
diff --git a/queue-4.19/ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch b/queue-4.19/ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch new file mode 100644 index 00000000000..16faf5d429e --- /dev/null +++ b/queue-4.19/ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch 
@@ -0,0 +1,57 @@ +From 741ea6d7a92ea974924910bf485d1a1721d93627 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 12:27:41 +0900 +Subject: ata: libata: Fix sata_down_spd_limit() when no link speed is reported + +From: Damien Le Moal + +[ Upstream commit 69f2c9346313ba3d3dfa4091ff99df26c67c9021 ] + +Commit 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if +driver has not recorded sstatus speed") changed the behavior of +sata_down_spd_limit() to return doing nothing if a drive does not report +a current link speed, to avoid reducing the link speed to the lowest 1.5 +Gbps speed. + +However, the change assumed that a speed was recorded before probing +(e.g. before a suspend/resume) and set in link->sata_spd. This causes +problems with adapters/drives combination failing to establish a link +speed during probe autonegotiation. One example reported of this problem +is an mvebu adapter with a 3Gbps port-multiplier box: autonegotiation +fails, leaving no recorded link speed and no reported current link +speed. Probe retries also fail as no action is taken by sata_set_spd() +after each retry. + +Fix this by returning early in sata_down_spd_limit() only if we do have +a recorded link speed, that is, if link->sata_spd is not 0. With this +fix, a failed probe not leading to a recorded link speed is retried at +the lower 1.5 Gbps speed, with the link speed potentially increased +later on the second revalidate of the device if the device reports +that it supports higher link speeds. 
+ +Reported-by: Marius Dinu +Fixes: 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if driver has not recorded sstatus speed") +Reviewed-by: Niklas Cassel +Tested-by: Marius Dinu +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 6d110a1c090d..4a7da8f744e0 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -3112,7 +3112,7 @@ int sata_down_spd_limit(struct ata_link *link, u32 spd_limit) + */ + if (spd > 1) + mask &= (1 << (spd - 1)) - 1; +- else ++ else if (link->sata_spd) + return -EINVAL; + + /* were we already at the bottom? */ +-- +2.39.0 + diff --git a/queue-4.19/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch b/queue-4.19/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch new file mode 100644 index 00000000000..268282c0117 --- /dev/null +++ b/queue-4.19/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch 
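Review bot: the new `else if (link->sata_spd)` introduces a third case (no speed ever recorded) that the comment closing just above `if (spd > 1)` in this hunk does not describe. Extend that comment to say that a zero `link->sata_spd` means no link speed has been recorded, so the function deliberately falls through to the "were we already at the bottom?" check and lowers the limit instead of returning -EINVAL; without it the lone `else if` reads like a missing `else` branch.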
@@ -0,0 +1,46 @@ +From 30d5aee8e09a51233efd0de3e7727b715487b4e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 09:42:00 +0000 +Subject: bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() + +From: Yuan Can + +[ Upstream commit f71eaf2708be7831428eacae7db25d8ec6b8b4c5 ] + +The sunxi_rsb_init() returns the platform_driver_register() directly +without checking its return value, if platform_driver_register() failed, +the sunxi_rsb_bus is not unregistered. +Fix by unregister sunxi_rsb_bus when platform_driver_register() failed. + +Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus") +Signed-off-by: Yuan Can +Reviewed-by: Jernej Skrabec +Link: https://lore.kernel.org/r/20221123094200.12036-1-yuancan@huawei.com +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + drivers/bus/sunxi-rsb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c +index d3fb350dc9ee..bf4db708f0bd 100644 +--- a/drivers/bus/sunxi-rsb.c ++++ b/drivers/bus/sunxi-rsb.c +@@ -783,7 +783,13 @@ static int __init sunxi_rsb_init(void) + return ret; + } + +- return platform_driver_register(&sunxi_rsb_driver); ++ ret = platform_driver_register(&sunxi_rsb_driver); ++ if (ret) { ++ bus_unregister(&sunxi_rsb_bus); ++ return ret; ++ } ++ ++ return 0; + } + module_init(sunxi_rsb_init); + +-- +2.39.0 + diff --git a/queue-4.19/i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch b/queue-4.19/i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch new file mode 100644 index 00000000000..7aa24882cc4 --- /dev/null +++ b/queue-4.19/i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch 
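Review bot: the new error branch in sunxi_rsb_init() unwinds the bus registration, which is the right thing, but its mirror image lives in the module exit function outside this hunk; confirm that exit unregisters the platform driver before `bus_unregister(&sunxi_rsb_bus)` so the init failure path and the exit path tear down in the same order. The `ret = ...; if (ret) { ...; return ret; } return 0;` shape matches the `return ret;` path already in the context above, so no objection on style.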
@@ -0,0 +1,180 @@ +From 02864590a7989d7bf0096a6fa28102328f066386 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 22:38:05 -0800 +Subject: i2c: rk3x: fix a bunch of kernel-doc warnings + +From: Randy Dunlap + +[ Upstream commit 0582d984793d30442da88fe458674502bad1ad29 ] + +Fix multiple W=1 kernel-doc warnings in i2c-rk3x.c: + +drivers/i2c/busses/i2c-rk3x.c:83: warning: missing initial short description on line: + * struct i2c_spec_values: +drivers/i2c/busses/i2c-rk3x.c:139: warning: missing initial short description on line: + * struct rk3x_i2c_calced_timings: +drivers/i2c/busses/i2c-rk3x.c:162: warning: missing initial short description on line: + * struct rk3x_i2c_soc_data: +drivers/i2c/busses/i2c-rk3x.c:242: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Generate a START condition, which triggers a REG_INT_START interrupt. +drivers/i2c/busses/i2c-rk3x.c:261: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Generate a STOP condition, which triggers a REG_INT_STOP interrupt. +drivers/i2c/busses/i2c-rk3x.c:304: warning: expecting prototype for Setup a read according to i2c(). Prototype was for rk3x_i2c_prepare_read() instead +drivers/i2c/busses/i2c-rk3x.c:335: warning: expecting prototype for Fill the transmit buffer with data from i2c(). Prototype was for rk3x_i2c_fill_transmit_buf() instead +drivers/i2c/busses/i2c-rk3x.c:535: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Get timing values of I2C specification +drivers/i2c/busses/i2c-rk3x.c:552: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Calculate divider values for desired SCL frequency +drivers/i2c/busses/i2c-rk3x.c:713: warning: This comment starts with '/**', but isn't a kernel-doc comment. 
Refer Documentation/doc-guide/kernel-doc.rst + * Calculate timing values for desired SCL frequency +drivers/i2c/busses/i2c-rk3x.c:963: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Setup I2C registers for an I2C operation specified by msgs, num. + +Signed-off-by: Randy Dunlap +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-rk3x.c | 44 +++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-rk3x.c b/drivers/i2c/busses/i2c-rk3x.c +index e76ad020a542..61ab462fd94c 100644 +--- a/drivers/i2c/busses/i2c-rk3x.c ++++ b/drivers/i2c/busses/i2c-rk3x.c +@@ -82,7 +82,7 @@ enum { + #define DEFAULT_SCL_RATE (100 * 1000) /* Hz */ + + /** +- * struct i2c_spec_values: ++ * struct i2c_spec_values - I2C specification values for various modes + * @min_hold_start_ns: min hold time (repeated) START condition + * @min_low_ns: min LOW period of the SCL clock + * @min_high_ns: min HIGH period of the SCL cloc +@@ -138,7 +138,7 @@ static const struct i2c_spec_values fast_mode_plus_spec = { + }; + + /** +- * struct rk3x_i2c_calced_timings: ++ * struct rk3x_i2c_calced_timings - calculated V1 timings + * @div_low: Divider output for low + * @div_high: Divider output for high + * @tuning: Used to adjust setup/hold data time, +@@ -161,7 +161,7 @@ enum rk3x_i2c_state { + }; + + /** +- * struct rk3x_i2c_soc_data: ++ * struct rk3x_i2c_soc_data - SOC-specific data + * @grf_offset: offset inside the grf regmap for setting the i2c type + * @calc_timings: Callback function for i2c timing information calculated + */ +@@ -241,7 +241,8 @@ static inline void rk3x_i2c_clean_ipd(struct rk3x_i2c *i2c) + } + + /** +- * Generate a START condition, which triggers a REG_INT_START interrupt. ++ * rk3x_i2c_start - Generate a START condition, which triggers a REG_INT_START interrupt. 
++ * @i2c: target controller data + */ + static void rk3x_i2c_start(struct rk3x_i2c *i2c) + { +@@ -260,8 +261,8 @@ static void rk3x_i2c_start(struct rk3x_i2c *i2c) + } + + /** +- * Generate a STOP condition, which triggers a REG_INT_STOP interrupt. +- * ++ * rk3x_i2c_stop - Generate a STOP condition, which triggers a REG_INT_STOP interrupt. ++ * @i2c: target controller data + * @error: Error code to return in rk3x_i2c_xfer + */ + static void rk3x_i2c_stop(struct rk3x_i2c *i2c, int error) +@@ -300,7 +301,8 @@ static void rk3x_i2c_stop(struct rk3x_i2c *i2c, int error) + } + + /** +- * Setup a read according to i2c->msg ++ * rk3x_i2c_prepare_read - Setup a read according to i2c->msg ++ * @i2c: target controller data + */ + static void rk3x_i2c_prepare_read(struct rk3x_i2c *i2c) + { +@@ -331,7 +333,8 @@ static void rk3x_i2c_prepare_read(struct rk3x_i2c *i2c) + } + + /** +- * Fill the transmit buffer with data from i2c->msg ++ * rk3x_i2c_fill_transmit_buf - Fill the transmit buffer with data from i2c->msg ++ * @i2c: target controller data + */ + static void rk3x_i2c_fill_transmit_buf(struct rk3x_i2c *i2c) + { +@@ -534,11 +537,10 @@ static irqreturn_t rk3x_i2c_irq(int irqno, void *dev_id) + } + + /** +- * Get timing values of I2C specification +- * ++ * rk3x_i2c_get_spec - Get timing values of I2C specification + * @speed: Desired SCL frequency + * +- * Returns: Matched i2c spec values. ++ * Return: Matched i2c_spec_values. 
+ */ + static const struct i2c_spec_values *rk3x_i2c_get_spec(unsigned int speed) + { +@@ -551,13 +553,12 @@ static const struct i2c_spec_values *rk3x_i2c_get_spec(unsigned int speed) + } + + /** +- * Calculate divider values for desired SCL frequency +- * ++ * rk3x_i2c_v0_calc_timings - Calculate divider values for desired SCL frequency + * @clk_rate: I2C input clock rate + * @t: Known I2C timing information + * @t_calc: Caculated rk3x private timings that would be written into regs + * +- * Returns: 0 on success, -EINVAL if the goal SCL rate is too slow. In that case ++ * Return: %0 on success, -%EINVAL if the goal SCL rate is too slow. In that case + * a best-effort divider value is returned in divs. If the target rate is + * too high, we silently use the highest possible rate. + */ +@@ -712,13 +713,12 @@ static int rk3x_i2c_v0_calc_timings(unsigned long clk_rate, + } + + /** +- * Calculate timing values for desired SCL frequency +- * ++ * rk3x_i2c_v1_calc_timings - Calculate timing values for desired SCL frequency + * @clk_rate: I2C input clock rate + * @t: Known I2C timing information + * @t_calc: Caculated rk3x private timings that would be written into regs + * +- * Returns: 0 on success, -EINVAL if the goal SCL rate is too slow. In that case ++ * Return: %0 on success, -%EINVAL if the goal SCL rate is too slow. In that case + * a best-effort divider value is returned in divs. If the target rate is + * too high, we silently use the highest possible rate. + * The following formulas are v1's method to calculate timings. +@@ -962,14 +962,14 @@ static int rk3x_i2c_clk_notifier_cb(struct notifier_block *nb, unsigned long + } + + /** +- * Setup I2C registers for an I2C operation specified by msgs, num. +- * +- * Must be called with i2c->lock held. +- * ++ * rk3x_i2c_setup - Setup I2C registers for an I2C operation specified by msgs, num. 
++ * @i2c: target controller data + * @msgs: I2C msgs to process + * @num: Number of msgs + * +- * returns: Number of I2C msgs processed or negative in case of error ++ * Must be called with i2c->lock held. ++ * ++ * Return: Number of I2C msgs processed or negative in case of error + */ + static int rk3x_i2c_setup(struct rk3x_i2c *i2c, struct i2c_msg *msgs, int num) + { +-- +2.39.0 + diff --git a/queue-4.19/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch b/queue-4.19/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch new file mode 100644 index 00000000000..8fa5f372ea4 --- /dev/null +++ b/queue-4.19/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch 
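Review bot: since this is a kernel-doc clean-up pass, the typos sitting in the unchanged context of the hunks it touches could be fixed in the same patch: `min HIGH period of the SCL cloc` in the struct i2c_spec_values block, and `@t_calc: Caculated rk3x private timings` in both the rk3x_i2c_v0_calc_timings and rk3x_i2c_v1_calc_timings blocks. After this patch the file builds without W=1 warnings but the generated documentation still carries the misspellings.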
@@ -0,0 +1,110 @@ +From 7fc69d011070817406a4e968b0da8e8dd7ae906e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Feb 2023 00:02:18 +0300 +Subject: net: openvswitch: fix flow memory leak in ovs_flow_cmd_new + +From: Fedor Pchelkin + +[ Upstream commit 0c598aed445eb45b0ee7ba405f7ece99ee349c30 ] + +Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is +not freed when an allocation of a key fails. + +BUG: memory leak +unreferenced object 0xffff888116668000 (size 632): + comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline] + [<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77 + [<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957 + [<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739 + [<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + [<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800 + [<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515 + [<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 + [<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] + [<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339 + [<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934 + [<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline] + [<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671 + [<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356 + [<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410 + [<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 + [<00000000c00628f8>] 
do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + [<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +To fix this the patch rearranges the goto labels to reflect the order of +object allocations and adds appropriate goto statements on the error +paths. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 68bb10101e6b ("openvswitch: Fix flow lookup to use unmasked key") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Eelco Chaudron +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230201210218.361970-1-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index fbc575247268..0551915519d9 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -934,14 +934,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + key = kzalloc(sizeof(*key), GFP_KERNEL); + if (!key) { + error = -ENOMEM; +- goto err_kfree_key; ++ goto err_kfree_flow; + } + + ovs_match_init(&match, key, false, &mask); + error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY], + a[OVS_FLOW_ATTR_MASK], log); + if (error) +- goto err_kfree_flow; ++ goto err_kfree_key; + + ovs_flow_mask_key(&new_flow->key, key, true, &mask); + +@@ -949,14 +949,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID], + key, log); + if (error) +- goto err_kfree_flow; ++ goto err_kfree_key; + + /* Validate actions. 
*/ + error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS], + &new_flow->key, &acts, log); + if (error) { + OVS_NLERR(log, "Flow actions may not be safe on all matching packets."); +- goto err_kfree_flow; ++ goto err_kfree_key; + } + + reply = ovs_flow_cmd_alloc_info(acts, &new_flow->id, info, false, +@@ -1056,10 +1056,10 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + kfree_skb(reply); + err_kfree_acts: + ovs_nla_free_flow_actions(acts); +-err_kfree_flow: +- ovs_flow_free(new_flow, false); + err_kfree_key: + kfree(key); ++err_kfree_flow: ++ ovs_flow_free(new_flow, false); + error: + return error; + } +-- +2.39.0 + diff --git a/queue-4.19/net-x25-fix-to-not-accept-on-connected-socket.patch b/queue-4.19/net-x25-fix-to-not-accept-on-connected-socket.patch new file mode 100644 index 00000000000..8f52d4894c4 --- /dev/null +++ b/queue-4.19/net-x25-fix-to-not-accept-on-connected-socket.patch 
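Review bot: the relabelling is correct but easy to get wrong again. After this patch `err_kfree_key` falls through into `err_kfree_flow`, so the only jump that may still target `err_kfree_flow` is the `kzalloc` failure of `key` in the first hunk, and every error path after `ovs_match_init()` must target `err_kfree_key`. A short comment at the label block, e.g. `/* labels unwind in reverse allocation order: key, then flow */`, would keep a future error path from jumping past `ovs_flow_free()`, which is exactly how the leak fixed here arose.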
@@ -0,0 +1,47 @@ +From 33e4d9121c9efec5190028907350c8d0ddb4994c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 11:43:23 -0800 +Subject: net/x25: Fix to not accept on connected socket + +From: Hyunwoo Kim + +[ Upstream commit f2b0b5210f67c56a3bcdf92ff665fb285d6e0067 ] + +When listen() and accept() are called on an x25 socket +that connect() succeeds, accept() succeeds immediately. +This is because x25_connect() queues the skb to +sk->sk_receive_queue, and x25_accept() dequeues it. + +This creates a child socket with the sk of the parent +x25 socket, which can cause confusion. + +Fix x25_listen() to return -EINVAL if the socket has +already been successfully connect()ed to avoid this issue. + +Signed-off-by: Hyunwoo Kim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/x25/af_x25.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index 77d8adb27ec7..9d0328bb30ca 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -497,6 +497,12 @@ static int x25_listen(struct socket *sock, int backlog) + int rc = -EOPNOTSUPP; + + lock_sock(sk); ++ if (sock->state != SS_UNCONNECTED) { ++ rc = -EINVAL; ++ release_sock(sk); ++ return rc; ++ } ++ + if (sk->sk_state != TCP_LISTEN) { + memset(&x25_sk(sk)->dest_addr, 0, X25_ADDR_LEN); + sk->sk_max_ack_backlog = backlog; +-- +2.39.0 + diff --git a/queue-4.19/netrom-fix-use-after-free-caused-by-accept-on-alread.patch b/queue-4.19/netrom-fix-use-after-free-caused-by-accept-on-alread.patch new file mode 100644 index 00000000000..78dea1953d3 --- /dev/null +++ b/queue-4.19/netrom-fix-use-after-free-caused-by-accept-on-alread.patch 
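Review bot: the commit message says listen() is rejected on a socket that has already been connect()ed, but the test `sock->state != SS_UNCONNECTED` also rejects SS_CONNECTING and SS_DISCONNECTING; that is likely the intended behaviour, and the message should say so. Minor style: `rc = -EINVAL; release_sock(sk); return rc;` can be `release_sock(sk); return -EINVAL;`, which is how the netrom counterpart in this same series writes the identical check.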
@@ -0,0 +1,211 @@ +From 83e6cb0a89487938c3af80f8daa893670b07a76e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 18:32:50 -0800 +Subject: netrom: Fix use-after-free caused by accept on already connected + socket + +From: Hyunwoo Kim + +[ Upstream commit 611792920925fb088ddccbe2783c7f92fdfb6b64 ] + +If you call listen() and accept() on an already connect()ed +AF_NETROM socket, accept() can successfully connect. +This is because when the peer socket sends data to sendmsg, +the skb with its own sk stored in the connected socket's +sk->sk_receive_queue is connected, and nr_accept() dequeues +the skb waiting in the sk->sk_receive_queue. + +As a result, nr_accept() allocates and returns a sock with +the sk of the parent AF_NETROM socket. + +And here use-after-free can happen through complex race conditions: +``` + cpu0 cpu1 + 1. socket_2 = socket(AF_NETROM) + . + . + listen(socket_2) + accepted_socket = accept(socket_2) + 2. socket_1 = socket(AF_NETROM) + nr_create() // sk refcount : 1 + connect(socket_1) + 3. write(accepted_socket) + nr_sendmsg() + nr_output() + nr_kick() + nr_send_iframe() + nr_transmit_buffer() + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() + nr_process_rx_frame(sk, skb); // sk : socket_1's sk + nr_state3_machine() + nr_queue_rx_frame() + sock_queue_rcv_skb() + sock_queue_rcv_skb_reason() + __sock_queue_rcv_skb() + __skb_queue_tail(list, skb); // list : socket_1's sk->sk_receive_queue + 4. listen(socket_1) + nr_listen() + uaf_socket = accept(socket_1) + nr_accept() + skb_dequeue(&sk->sk_receive_queue); + 5. close(accepted_socket) + nr_release() + nr_write_internal(sk, NR_DISCREQ) + nr_transmit_buffer() // NR_DISCREQ + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() // sk : socket_1's sk + nr_process_rx_frame() // NR_STATE_3 + nr_state3_machine() // NR_DISCREQ + nr_disconnect() + nr_sk(sk)->state = NR_STATE_0; + 6. 
close(socket_1) // sk refcount : 3 + nr_release() // NR_STATE_0 + sock_put(sk); // sk refcount : 0 + sk_free(sk); + close(uaf_socket) + nr_release() + sock_hold(sk); // UAF +``` + +KASAN report by syzbot: +``` +BUG: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520 +Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:306 [inline] + print_report+0x15e/0x461 mm/kasan/report.c:417 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 + check_region_inline mm/kasan/generic.c:183 [inline] + kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 + instrument_atomic_read_write include/linux/instrumented.h:102 [inline] + atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline] + __refcount_add include/linux/refcount.h:193 [inline] + __refcount_inc include/linux/refcount.h:250 [inline] + refcount_inc include/linux/refcount.h:267 [inline] + sock_hold include/net/sock.h:775 [inline] + nr_release+0x66/0x460 net/netrom/af_netrom.c:520 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f6c19e3c9b9 +Code: Unable to access opcode 
bytes at 0x7f6c19e3c98f. +RSP: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 +RAX: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9 +RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006 +RBP: 0000000000000003 R08: 000000000000000d R09: 000000000000000d +R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0 +R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000 + + +Allocated by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + ____kasan_kmalloc mm/kasan/common.c:330 [inline] + __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slab_common.c:968 [inline] + __kmalloc+0x5a/0xd0 mm/slab_common.c:981 + kmalloc include/linux/slab.h:584 [inline] + sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 + sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 + nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 + __sock_create+0x359/0x790 net/socket.c:1515 + sock_create net/socket.c:1566 [inline] + __sys_socket_create net/socket.c:1603 [inline] + __sys_socket_create net/socket.c:1588 [inline] + __sys_socket+0x133/0x250 net/socket.c:1636 + __do_sys_socket net/socket.c:1649 [inline] + __se_sys_socket net/socket.c:1647 [inline] + __x64_sys_socket+0x73/0xb0 net/socket.c:1647 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 + kasan_slab_free include/linux/kasan.h:177 [inline] + __cache_free mm/slab.c:3394 [inline] + __do_kmem_cache_free mm/slab.c:3580 [inline] + 
__kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 + sk_prot_free net/core/sock.c:2074 [inline] + __sk_destruct+0x5df/0x750 net/core/sock.c:2166 + sk_destruct net/core/sock.c:2181 [inline] + __sk_free+0x175/0x460 net/core/sock.c:2192 + sk_free+0x7c/0xa0 net/core/sock.c:2203 + sock_put include/net/sock.h:1991 [inline] + nr_release+0x39e/0x460 net/netrom/af_netrom.c:554 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +``` + +To fix this issue, nr_listen() returns -EINVAL for sockets that +successfully nr_connect(). + +Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/netrom/af_netrom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index 43910e50752c..a5d819fa7c89 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -403,6 +403,11 @@ static int nr_listen(struct socket *sock, int backlog) + struct sock *sk = sock->sk; + + lock_sock(sk); ++ if (sock->state != SS_UNCONNECTED) { ++ release_sock(sk); ++ return -EINVAL; ++ } ++ + if (sk->sk_state != TCP_LISTEN) { + memset(&nr_sk(sk)->user_addr, 0, AX25_ADDR_LEN); + sk->sk_max_ack_backlog = backlog; +-- +2.39.0 + diff --git a/queue-4.19/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch b/queue-4.19/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch new file mode 100644 index 00000000000..a6feaa53097 --- /dev/null +++ b/queue-4.19/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch 
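Review bot: the `Fixes:` tag names 1da177e4c3f4, the initial git import, so the defect predates git history and every maintained stable branch carrying net/netrom will need this backport; the commit message could note that the net/x25 change in this same series closes the same listen-after-connect pattern so the two travel together. The check itself sits under `lock_sock(sk)` and ahead of the TCP_LISTEN transition, which is the right place for it.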
@@ -0,0 +1,69 @@ +From aee250cc3c49605cfdbde39e364ef572e6a8a5cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 13:39:37 -0600 +Subject: scsi: iscsi_tcp: Fix UAF during login when accessing the shost + ipaddress + +From: Mike Christie + +[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ] + +If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, +userspace could be accessing the host's ipaddress attr. If we then free the +session via iscsi_session_teardown() while userspace is still accessing the +session we will hit a use after free bug. + +Set the tcp_sw_host->session after we have completed session creation and +can no longer fail. + +Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.com +Signed-off-by: Mike Christie +Reviewed-by: Lee Duncan +Acked-by: Ding Hui +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index 7212e3a13fe6..33fb111e2e19 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -775,7 +775,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, + enum iscsi_host_param param, char *buf) + { + struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost); +- struct iscsi_session *session = tcp_sw_host->session; ++ struct iscsi_session *session; + struct iscsi_conn *conn; + struct iscsi_tcp_conn *tcp_conn; + struct iscsi_sw_tcp_conn *tcp_sw_conn; +@@ -784,6 +784,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, + + switch (param) { + case ISCSI_HOST_PARAM_IPADDRESS: ++ session = tcp_sw_host->session; + if (!session) + return -ENOTCONN; + +@@ -872,12 +873,14 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max, + if (!cls_session) + goto remove_host; + session = cls_session->dd_data; +- tcp_sw_host = iscsi_host_priv(shost); 
+- tcp_sw_host->session = session; + + shost->can_queue = session->scsi_cmds_max; + if (iscsi_tcp_r2tpool_alloc(session)) + goto remove_session; ++ ++ /* We are now fully setup so expose the session to sysfs. */ ++ tcp_sw_host = iscsi_host_priv(shost); ++ tcp_sw_host->session = session; + return cls_session; + + remove_session: +-- +2.39.0 + diff --git a/queue-4.19/scsi-target-core-fix-warning-on-rt-kernels.patch b/queue-4.19/scsi-target-core-fix-warning-on-rt-kernels.patch new file mode 100644 index 00000000000..a8d09d7b6cf --- /dev/null +++ b/queue-4.19/scsi-target-core-fix-warning-on-rt-kernels.patch @@ -0,0 +1,40 @@ +From 6a7e92bffeec114dd5f24bb460434d62e35bd93d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 13:53:10 +0100 +Subject: scsi: target: core: Fix warning on RT kernels + +From: Maurizio Lombardi + +[ Upstream commit 84ed64b1a7a7fcd507598dee7708c1f225123711 ] + +Calling spin_lock_irqsave() does not disable the interrupts on realtime +kernels, remove the warning and replace assert_spin_locked() with +lockdep_assert_held(). + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230110125310.55884-1-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_tmr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c +index 6d1179a7f043..bba24eaea2ce 100644 +--- a/drivers/target/target_core_tmr.c ++++ b/drivers/target/target_core_tmr.c +@@ -95,8 +95,8 @@ static bool __target_check_io_state(struct se_cmd *se_cmd, + { + struct se_session *sess = se_cmd->se_sess; + +- assert_spin_locked(&sess->sess_cmd_lock); +- WARN_ON_ONCE(!irqs_disabled()); ++ lockdep_assert_held(&sess->sess_cmd_lock); ++ + /* + * If command already reached CMD_T_COMPLETE state within + * target_complete_cmd() or CMD_T_FABRIC_STOP due to shutdown, +-- +2.39.0 + 
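Review bot: the second hunk closes the create-failure window by publishing `tcp_sw_host->session` only after `iscsi_tcp_r2tpool_alloc()` has succeeded, but the sysfs reader in iscsi_sw_tcp_host_get_param() (first hunk) still only tests the pointer for NULL, so the same use-after-free shape exists on the destroy side unless the pointer is cleared before the session is torn down; that path is not in this diff and should be checked. The comment `/* We are now fully setup so expose the session to sysfs. */` would read better as `set up`.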
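Review bot: `lockdep_assert_held()` is a no-op on kernels built without lockdep, whereas `assert_spin_locked()` was a runtime check on SMP builds, so this hunk trades an always-on assertion for a debug-only one; that is the usual direction for kernel code and the message justifies dropping the irqs_disabled() warning, but it should also say the lock check is now lockdep-only. Style: the replacement leaves an empty `+` line where `WARN_ON_ONCE(!irqs_disabled());` stood; drop it so there is no stray blank line between the assertion and the comment block.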
diff --git a/queue-4.19/series b/queue-4.19/series index e8e31cc7adc..3ce93b0054c 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -1 +1,11 @@ firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch +bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch +alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch +netrom-fix-use-after-free-caused-by-accept-on-alread.patch +squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch +ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch +net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch +scsi-target-core-fix-warning-on-rt-kernels.patch +scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch +i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch +net-x25-fix-to-not-accept-on-connected-socket.patch diff --git a/queue-4.19/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch b/queue-4.19/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch new file mode 100644 index 00000000000..fedfb18e79a --- /dev/null +++ b/queue-4.19/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch 
@@ -0,0 +1,45 @@ +From d8fc05de34a223638e72b8b0e7107dee7cf00d01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 13:52:26 +0300 +Subject: squashfs: harden sanity check in squashfs_read_xattr_id_table + +From: Fedor Pchelkin + +[ Upstream commit 72e544b1b28325fe78a4687b980871a7e4101f76 ] + +While mounting a corrupted filesystem, a signed integer '*xattr_ids' can +become less than zero. This leads to the incorrect computation of 'len' +and 'indexes' values which can cause null-ptr-deref in copy_bio_to_actor() +or out-of-bounds accesses in the next sanity checks inside +squashfs_read_xattr_id_table(). + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Link: https://lkml.kernel.org/r/20230117105226.329303-2-pchelkin@ispras.ru +Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup") +Reported-by: +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Cc: Phillip Lougher +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/squashfs/xattr_id.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/squashfs/xattr_id.c b/fs/squashfs/xattr_id.c +index 7f718d2bf357..0c0d7882bcca 100644 +--- a/fs/squashfs/xattr_id.c ++++ b/fs/squashfs/xattr_id.c +@@ -89,7 +89,7 @@ __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start, + /* Sanity check values */ + + /* there is always at least one xattr id */ +- if (*xattr_ids == 0) ++ if (*xattr_ids <= 0) + return ERR_PTR(-EINVAL); + + len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids); +-- +2.39.0 +
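Review bot: the comment `/* there is always at least one xattr id */` above the changed test now understates what is checked, since `<= 0` also rejects a negative count read from the on-disk table; extend it to say the value is signed and must be positive before it feeds `SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids)` on the next line, which is the computation the commit message says goes wrong. If `*xattr_ids` originates from an unsigned on-disk field, the message should state why it is kept as a signed int rather than tightened at the type.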