From: Greg Kroah-Hartman Date: Wed, 4 Oct 2023 14:12:08 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v6.5.6~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1d1126085393c50fb1e3fe1e558220792f711d32;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: nilfs2-fix-potential-use-after-free-in-nilfs_gccache_submit_read_data.patch serial-8250_port-check-irq-data-before-use.patch --- diff --git a/queue-4.19/nilfs2-fix-potential-use-after-free-in-nilfs_gccache_submit_read_data.patch b/queue-4.19/nilfs2-fix-potential-use-after-free-in-nilfs_gccache_submit_read_data.patch new file mode 100644 index 00000000000..095d33a0d7a --- /dev/null +++ b/queue-4.19/nilfs2-fix-potential-use-after-free-in-nilfs_gccache_submit_read_data.patch 
@@ -0,0 +1,61 @@ +From 7ee29facd8a9c5a26079148e36bcf07141b3a6bc Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Thu, 21 Sep 2023 23:17:31 +0900 +Subject: nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() + +From: Pan Bian + +commit 7ee29facd8a9c5a26079148e36bcf07141b3a6bc upstream. + +In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the +reference count of bh when the call to nilfs_dat_translate() fails. If +the reference count hits 0 and its owner page gets unlocked, bh may be +freed. However, bh->b_page is dereferenced to put the page after that, +which may result in a use-after-free bug. This patch moves the release +operation after unlocking and putting the page. + +NOTE: The function in question is only called in GC, and in combination +with current userland tools, address translation using DAT does not occur +in that function, so the code path that causes this issue will not be +executed. However, it is possible to run that code path by intentionally +modifying the userland GC library or by calling the GC ioctl directly. 
+ +[konishi.ryusuke@gmail.com: NOTE added to the commit log] +Link: https://lkml.kernel.org/r/1543201709-53191-1-git-send-email-bianpan2016@163.com +Link: https://lkml.kernel.org/r/20230921141731.10073-1-konishi.ryusuke@gmail.com +Fixes: a3d93f709e89 ("nilfs2: block cache for garbage collection") +Signed-off-by: Pan Bian +Reported-by: Ferry Meng +Closes: https://lkml.kernel.org/r/20230818092022.111054-1-mengferry@linux.alibaba.com +Signed-off-by: Ryusuke Konishi +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/gcinode.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/nilfs2/gcinode.c ++++ b/fs/nilfs2/gcinode.c +@@ -73,10 +73,8 @@ int nilfs_gccache_submit_read_data(struc + struct the_nilfs *nilfs = inode->i_sb->s_fs_info; + + err = nilfs_dat_translate(nilfs->ns_dat, vbn, &pbn); +- if (unlikely(err)) { /* -EIO, -ENOMEM, -ENOENT */ +- brelse(bh); ++ if (unlikely(err)) /* -EIO, -ENOMEM, -ENOENT */ + goto failed; +- } + } + + lock_buffer(bh); +@@ -102,6 +100,8 @@ int nilfs_gccache_submit_read_data(struc + failed: + unlock_page(bh->b_page); + put_page(bh->b_page); ++ if (unlikely(err)) ++ brelse(bh); + return err; + } + diff --git a/queue-4.19/serial-8250_port-check-irq-data-before-use.patch b/queue-4.19/serial-8250_port-check-irq-data-before-use.patch new file mode 100644 index 00000000000..a68b37636c5 --- /dev/null +++ b/queue-4.19/serial-8250_port-check-irq-data-before-use.patch 
@@ -0,0 +1,49 @@ +From cce7fc8b29961b64fadb1ce398dc5ff32a79643b Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Fri, 1 Sep 2023 01:25:55 +0300 +Subject: serial: 8250_port: Check IRQ data before use + +From: Andy Shevchenko + +commit cce7fc8b29961b64fadb1ce398dc5ff32a79643b upstream. + +In case the leaf driver wants to use IRQ polling (irq = 0) and +IIR register shows that an interrupt happened in the 8250 hardware +the IRQ data can be NULL. In such a case we need to skip the wake +event as we came to this path from the timer interrupt and quite +likely system is already awake. + +Without this fix we have got an Oops: + + serial8250: ttyS0 at I/O 0x3f8 (irq = 0, base_baud = 115200) is a 16550A + ... + BUG: kernel NULL pointer dereference, address: 0000000000000010 + RIP: 0010:serial8250_handle_irq+0x7c/0x240 + Call Trace: + ? serial8250_handle_irq+0x7c/0x240 + ? __pfx_serial8250_timeout+0x10/0x10 + +Fixes: 0ba9e3a13c6a ("serial: 8250: Add missing wakeup event reporting") +Cc: stable +Signed-off-by: Andy Shevchenko +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20230831222555.614426-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1910,7 +1910,10 @@ int serial8250_handle_irq(struct uart_po + skip_rx = true; + + if (status & (UART_LSR_DR | UART_LSR_BI) && !skip_rx) { +- if (irqd_is_wakeup_set(irq_get_irq_data(port->irq))) ++ struct irq_data *d; ++ ++ d = irq_get_irq_data(port->irq); ++ if (d && irqd_is_wakeup_set(d)) + pm_wakeup_event(tport->tty->dev, 0); + if (!up->dma || handle_rx_dma(up, iir)) + status = serial8250_rx_chars(up, status); diff --git a/queue-4.19/series b/queue-4.19/series index e62527673e0..5393f081693 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -52,3 +52,5 @@ scsi-megaraid_sas-enable-msix_load_balance-for-invad.patch smack-use-overlay-inode-label-in-smack_inode_copy_up.patch smack-retrieve-transmuting-information-in-smack_inod.patch smack-record-transmuting-in-smk_transmuted.patch +serial-8250_port-check-irq-data-before-use.patch +nilfs2-fix-potential-use-after-free-in-nilfs_gccache_submit_read_data.patch
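Review bot: In the nilfs2 patch, the second hunk makes the `failed:` label conditional on `err` being non-zero before it releases the buffer head (`if (unlikely(err)) brelse(bh);`), and the only jump to `failed` visible in this hunk, the `nilfs_dat_translate()` failure, does set `err`. Any other path that lands on `failed:` with `err == 0` will now skip the `brelse()` and leak the reference, so a one-line comment above the label stating that it expects `err != 0` would keep the next backport from tripping over this. The ordering itself (unlock and put the page first, drop the bh reference last) is the right fix for the use-after-free the commit log describes, since `bh->b_page` is no longer dereferenced after the reference may be gone.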
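Review bot: In the 8250_port hunk, the new `d && irqd_is_wakeup_set(d)` guard fixes the NULL dereference, but nothing in the hunk says why `irq_get_irq_data(port->irq)` can return NULL here; a short comment such as `/* irq == 0 means polling mode, there is no irq_data to consult */` next to the assignment would document the case the commit log explains and discourage someone from "simplifying" the check away later. Note that `irq_get_irq_data()` also returns NULL for any unmapped IRQ number, so the check is more general than the polling case the message names, which is fine for the stable backport but worth stating.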
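Review bot: The two entries appended to `queue-4.19/series` match the two new patch filenames added above, and the patches touch disjoint files (`fs/nilfs2/gcinode.c` and `drivers/tty/serial/8250/8250_port.c`), so their relative order in the series does not matter.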