From: Greg Kroah-Hartman Date: Sun, 24 Oct 2021 11:47:17 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.4.290~58 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=300f4d94fa2b18be3856d3b8475616facd237582;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: alsa-hda-realtek-add-quirk-for-clevo-pc50hs.patch alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch asoc-dapm-fix-missing-kctl-change-notifications.patch audit-fix-possible-null-pointer-dereference-in-audit_filter_rules.patch can-j1939-j1939_netdev_start-fix-uaf-for-rx_kref-of-j1939_priv.patch can-j1939-j1939_tp_rxtimer-fix-errant-alert-in-j1939_tp_rxtimer.patch can-j1939-j1939_xtp_rx_dat_one-cancel-session-if-receive-tp.dt-with-error-length.patch can-j1939-j1939_xtp_rx_rts_session_new-abort-tp-less-than-9-bytes.patch can-peak_pci-peak_pci_remove-fix-uaf.patch can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch can-rcar_can-fix-suspend-resume.patch ceph-fix-handling-of-meta-errors.patch elfcore-correct-reference-to-config_uml.patch ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch --- diff --git a/queue-5.4/alsa-hda-realtek-add-quirk-for-clevo-pc50hs.patch b/queue-5.4/alsa-hda-realtek-add-quirk-for-clevo-pc50hs.patch new file mode 100644 index 00000000000..c7b0570df67 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-add-quirk-for-clevo-pc50hs.patch @@ -0,0 +1,31 @@ +From aef454b40288158b850aab13e3d2a8c406779401 Mon Sep 17 00:00:00 2001 +From: Steven Clarkson +Date: Thu, 14 Oct 2021 06:35:54 -0700 +Subject: ALSA: hda/realtek: Add quirk for Clevo PC50HS + +From: Steven Clarkson + +commit aef454b40288158b850aab13e3d2a8c406779401 upstream. + +Apply existing PCI quirk to the Clevo PC50HS and related models to fix +audio output on the built in speakers. + +Signed-off-by: Steven Clarkson +Cc: +Link: https://lore.kernel.org/r/20211014133554.1326741-1-sc@lambdal.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2537,6 +2537,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1558, 0x65d2, "Clevo PB51R[CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x65e1, "Clevo PB51[ED][DF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x65e5, "Clevo PC50D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS), ++ SND_PCI_QUIRK(0x1558, 0x65f1, "Clevo PC50HS", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67d1, "Clevo PB71[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67e1, "Clevo PB71[DE][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67e5, "Clevo PC70D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS), diff --git a/queue-5.4/alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch b/queue-5.4/alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch new file mode 100644 index 00000000000..7fbf0a92667 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch @@ -0,0 +1,67 @@ +From 3c414eb65c294719a91a746260085363413f91c1 Mon Sep 17 00:00:00 2001 +From: Brendan Grieve +Date: Fri, 15 Oct 2021 10:53:35 +0800 +Subject: ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset + +From: Brendan Grieve + +commit 3c414eb65c294719a91a746260085363413f91c1 upstream. + +As per discussion at: https://github.com/szszoke/sennheiser-gsp670-pulseaudio-profile/issues/13 + +The GSP670 has 2 playback and 1 recording device that by default are +detected in an incompatible order for alsa. This may have been done to make +it compatible for the console by the manufacturer and only affects the +latest firmware which uses its own ID. + +This quirk will resolve this by reordering the channels. + +Signed-off-by: Brendan Grieve +Cc: +Link: https://lore.kernel.org/r/20211015025335.196592-1-brendan@grieve.com.au +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks-table.h | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3806,5 +3806,37 @@ ALC1220_VB_DESKTOP(0x26ce, 0x0a01), /* A + } + } + }, ++{ ++ /* ++ * Sennheiser GSP670 ++ * Change order of interfaces loaded ++ */ ++ USB_DEVICE(0x1395, 0x0300), ++ .bInterfaceClass = USB_CLASS_PER_INTERFACE, ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_COMPOSITE, ++ .data = &(const struct snd_usb_audio_quirk[]) { ++ // Communication ++ { ++ .ifnum = 3, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ // Recording ++ { ++ .ifnum = 4, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ // Main ++ { ++ .ifnum = 1, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ { ++ .ifnum = -1 ++ } ++ } ++ } ++}, + + #undef USB_DEVICE_VENDOR_SPEC diff --git a/queue-5.4/asoc-dapm-fix-missing-kctl-change-notifications.patch b/queue-5.4/asoc-dapm-fix-missing-kctl-change-notifications.patch new file mode 100644 index 00000000000..285edd094f7 --- /dev/null +++ b/queue-5.4/asoc-dapm-fix-missing-kctl-change-notifications.patch @@ -0,0 +1,81 @@ +From 5af82c81b2c49cfb1cad84d9eb6eab0e3d1c4842 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 6 Oct 2021 16:17:12 +0200 +Subject: ASoC: DAPM: Fix missing kctl change notifications + +From: Takashi Iwai + +commit 5af82c81b2c49cfb1cad84d9eb6eab0e3d1c4842 upstream. + +The put callback of a kcontrol is supposed to return 1 when the value +is changed, and this will be notified to user-space. However, some +DAPM kcontrols always return 0 (except for errors), hence the +user-space misses the update of a control value. + +This patch corrects the behavior by properly returning 1 when the +value gets updated. + +Reported-and-tested-by: Hans de Goede +Cc: +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20211006141712.2439-1-tiwai@suse.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-dapm.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -2546,6 +2546,7 @@ static int snd_soc_dapm_set_pin(struct s + const char *pin, int status) + { + struct snd_soc_dapm_widget *w = dapm_find_widget(dapm, pin, true); ++ int ret = 0; + + dapm_assert_locked(dapm); + +@@ -2558,13 +2559,14 @@ static int snd_soc_dapm_set_pin(struct s + dapm_mark_dirty(w, "pin configuration"); + dapm_widget_invalidate_input_paths(w); + dapm_widget_invalidate_output_paths(w); ++ ret = 1; + } + + w->connected = status; + if (status == 0) + w->force = 0; + +- return 0; ++ return ret; + } + + /** +@@ -3580,14 +3582,15 @@ int snd_soc_dapm_put_pin_switch(struct s + { + struct snd_soc_card *card = snd_kcontrol_chip(kcontrol); + const char *pin = (const char *)kcontrol->private_value; ++ int ret; + + if (ucontrol->value.integer.value[0]) +- snd_soc_dapm_enable_pin(&card->dapm, pin); ++ ret = snd_soc_dapm_enable_pin(&card->dapm, pin); + else +- snd_soc_dapm_disable_pin(&card->dapm, pin); ++ ret = snd_soc_dapm_disable_pin(&card->dapm, pin); + + snd_soc_dapm_sync(&card->dapm); +- return 0; ++ return ret; + } + EXPORT_SYMBOL_GPL(snd_soc_dapm_put_pin_switch); + +@@ -4029,7 +4032,7 @@ static int snd_soc_dapm_dai_link_put(str + + rtd->params_select = ucontrol->value.enumerated.item[0]; + +- return 0; ++ return 1; + } + + static void diff --git a/queue-5.4/audit-fix-possible-null-pointer-dereference-in-audit_filter_rules.patch b/queue-5.4/audit-fix-possible-null-pointer-dereference-in-audit_filter_rules.patch new file mode 100644 index 00000000000..c09bda1feb1 --- /dev/null +++ b/queue-5.4/audit-fix-possible-null-pointer-dereference-in-audit_filter_rules.patch @@ -0,0 +1,35 @@ +From 6e3ee990c90494561921c756481d0e2125d8b895 Mon Sep 17 00:00:00 2001 +From: Gaosheng Cui +Date: Sat, 16 Oct 2021 15:23:50 +0800 +Subject: audit: fix possible null-pointer dereference in audit_filter_rules + +From: Gaosheng Cui + +commit 6e3ee990c90494561921c756481d0e2125d8b895 upstream. + +Fix possible null-pointer dereference in audit_filter_rules. + +audit_filter_rules() error: we previously assumed 'ctx' could be null + +Cc: stable@vger.kernel.org +Fixes: bf361231c295 ("audit: add saddr_fam filter field") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Gaosheng Cui +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + kernel/auditsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -624,7 +624,7 @@ static int audit_filter_rules(struct tas + result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val); + break; + case AUDIT_SADDR_FAM: +- if (ctx->sockaddr) ++ if (ctx && ctx->sockaddr) + result = audit_comparator(ctx->sockaddr->ss_family, + f->op, f->val); + break; diff --git a/queue-5.4/can-j1939-j1939_netdev_start-fix-uaf-for-rx_kref-of-j1939_priv.patch b/queue-5.4/can-j1939-j1939_netdev_start-fix-uaf-for-rx_kref-of-j1939_priv.patch new file mode 100644 index 00000000000..4c4487f5f6c --- /dev/null +++ b/queue-5.4/can-j1939-j1939_netdev_start-fix-uaf-for-rx_kref-of-j1939_priv.patch @@ -0,0 +1,79 @@ +From d9d52a3ebd284882f5562c88e55991add5d01586 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Sun, 26 Sep 2021 18:47:57 +0800 +Subject: can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv + +From: Ziyang Xuan + +commit d9d52a3ebd284882f5562c88e55991add5d01586 upstream. + +It will trigger UAF for rx_kref of j1939_priv as following. + + cpu0 cpu1 +j1939_sk_bind(socket0, ndev0, ...) +j1939_netdev_start + j1939_sk_bind(socket1, ndev0, ...) + j1939_netdev_start +j1939_priv_set + j1939_priv_get_by_ndev_locked +j1939_jsk_add +..... +j1939_netdev_stop +kref_put_lock(&priv->rx_kref, ...) + kref_get(&priv->rx_kref, ...) + REFCOUNT_WARN("addition on 0;...") + +==================================================== +refcount_t: addition on 0; use-after-free. +WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0 +RIP: 0010:refcount_warn_saturate+0x169/0x1e0 +Call Trace: + j1939_netdev_start+0x68b/0x920 + j1939_sk_bind+0x426/0xeb0 + ? security_socket_bind+0x83/0xb0 + +The rx_kref's kref_get() and kref_put() should use j1939_netdev_lock to +protect. + +Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol") +Link: https://lore.kernel.org/all/20210926104757.2021540-1-william.xuanziyang@huawei.com +Cc: stable@vger.kernel.org +Reported-by: syzbot+85d9878b19c94f9019ad@syzkaller.appspotmail.com +Signed-off-by: Ziyang Xuan +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/can/j1939/main.c ++++ b/net/can/j1939/main.c +@@ -249,11 +249,14 @@ struct j1939_priv *j1939_netdev_start(st + struct j1939_priv *priv, *priv_new; + int ret; + +- priv = j1939_priv_get_by_ndev(ndev); ++ spin_lock(&j1939_netdev_lock); ++ priv = j1939_priv_get_by_ndev_locked(ndev); + if (priv) { + kref_get(&priv->rx_kref); ++ spin_unlock(&j1939_netdev_lock); + return priv; + } ++ spin_unlock(&j1939_netdev_lock); + + priv = j1939_priv_create(ndev); + if (!priv) +@@ -269,10 +272,10 @@ struct j1939_priv *j1939_netdev_start(st + /* Someone was faster than us, use their priv and roll + * back our's. + */ ++ kref_get(&priv_new->rx_kref); + spin_unlock(&j1939_netdev_lock); + dev_put(ndev); + kfree(priv); +- kref_get(&priv_new->rx_kref); + return priv_new; + } + j1939_priv_set(ndev, priv); diff --git a/queue-5.4/can-j1939-j1939_tp_rxtimer-fix-errant-alert-in-j1939_tp_rxtimer.patch b/queue-5.4/can-j1939-j1939_tp_rxtimer-fix-errant-alert-in-j1939_tp_rxtimer.patch new file mode 100644 index 00000000000..ada71ba1c22 --- /dev/null +++ b/queue-5.4/can-j1939-j1939_tp_rxtimer-fix-errant-alert-in-j1939_tp_rxtimer.patch @@ -0,0 +1,46 @@ +From b504a884f6b5a77dac7d580ffa08e482f70d1a30 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Mon, 6 Sep 2021 17:42:19 +0800 +Subject: can: j1939: j1939_tp_rxtimer(): fix errant alert in j1939_tp_rxtimer + +From: Ziyang Xuan + +commit b504a884f6b5a77dac7d580ffa08e482f70d1a30 upstream. + +When the session state is J1939_SESSION_DONE, j1939_tp_rxtimer() will +give an alert "rx timeout, send abort", but do nothing actually. Move +the alert into session active judgment condition, it is more +reasonable. + +One of the scenarios is that j1939_tp_rxtimer() execute followed by +j1939_xtp_rx_abort_one(). After j1939_xtp_rx_abort_one(), the session +state is J1939_SESSION_DONE, then j1939_tp_rxtimer() give an alert. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Link: https://lore.kernel.org/all/20210906094219.95924-1-william.xuanziyang@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Ziyang Xuan +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1230,12 +1230,11 @@ static enum hrtimer_restart j1939_tp_rxt + session->err = -ETIME; + j1939_session_deactivate(session); + } else { +- netdev_alert(priv->ndev, "%s: 0x%p: rx timeout, send abort\n", +- __func__, session); +- + j1939_session_list_lock(session->priv); + if (session->state >= J1939_SESSION_ACTIVE && + session->state < J1939_SESSION_ACTIVE_MAX) { ++ netdev_alert(priv->ndev, "%s: 0x%p: rx timeout, send abort\n", ++ __func__, session); + j1939_session_get(session); + hrtimer_start(&session->rxtimer, + ms_to_ktime(J1939_XTP_ABORT_TIMEOUT_MS), diff --git a/queue-5.4/can-j1939-j1939_xtp_rx_dat_one-cancel-session-if-receive-tp.dt-with-error-length.patch b/queue-5.4/can-j1939-j1939_xtp_rx_dat_one-cancel-session-if-receive-tp.dt-with-error-length.patch new file mode 100644 index 00000000000..313cfb84211 --- /dev/null +++ b/queue-5.4/can-j1939-j1939_xtp_rx_dat_one-cancel-session-if-receive-tp.dt-with-error-length.patch @@ -0,0 +1,55 @@ +From 379743985ab6cfe2cbd32067cf4ed497baca6d06 Mon Sep 17 00:00:00 2001 +From: Zhang Changzhong +Date: Thu, 30 Sep 2021 11:33:20 +0800 +Subject: can: j1939: j1939_xtp_rx_dat_one(): cancel session if receive TP.DT with error length + +From: Zhang Changzhong + +commit 379743985ab6cfe2cbd32067cf4ed497baca6d06 upstream. + +According to SAE-J1939-21, the data length of TP.DT must be 8 bytes, so +cancel session when receive unexpected TP.DT message. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Link: https://lore.kernel.org/all/1632972800-45091-1-git-send-email-zhangchangzhong@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Changzhong +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1770,6 +1770,7 @@ static void j1939_xtp_rx_dpo(struct j193 + static void j1939_xtp_rx_dat_one(struct j1939_session *session, + struct sk_buff *skb) + { ++ enum j1939_xtp_abort abort = J1939_XTP_ABORT_FAULT; + struct j1939_priv *priv = session->priv; + struct j1939_sk_buff_cb *skcb; + struct sk_buff *se_skb = NULL; +@@ -1784,9 +1785,11 @@ static void j1939_xtp_rx_dat_one(struct + + skcb = j1939_skb_to_cb(skb); + dat = skb->data; +- if (skb->len <= 1) ++ if (skb->len != 8) { + /* makes no sense */ ++ abort = J1939_XTP_ABORT_UNEXPECTED_DATA; + goto out_session_cancel; ++ } + + switch (session->last_cmd) { + case 0xff: +@@ -1884,7 +1887,7 @@ static void j1939_xtp_rx_dat_one(struct + out_session_cancel: + kfree_skb(se_skb); + j1939_session_timers_cancel(session); +- j1939_session_cancel(session, J1939_XTP_ABORT_FAULT); ++ j1939_session_cancel(session, abort); + j1939_session_put(session); + } + diff --git a/queue-5.4/can-j1939-j1939_xtp_rx_rts_session_new-abort-tp-less-than-9-bytes.patch b/queue-5.4/can-j1939-j1939_xtp_rx_rts_session_new-abort-tp-less-than-9-bytes.patch new file mode 100644 index 00000000000..2a35b64a095 --- /dev/null +++ b/queue-5.4/can-j1939-j1939_xtp_rx_rts_session_new-abort-tp-less-than-9-bytes.patch @@ -0,0 +1,55 @@ +From a4fbe70c5cb746441d56b28cf88161d9e0e25378 Mon Sep 17 00:00:00 2001 +From: Zhang Changzhong +Date: Thu, 14 Oct 2021 17:26:40 +0800 +Subject: can: j1939: j1939_xtp_rx_rts_session_new(): abort TP less than 9 bytes + +From: Zhang Changzhong + +commit a4fbe70c5cb746441d56b28cf88161d9e0e25378 upstream. + +The receiver should abort TP if 'total message size' in TP.CM_RTS and +TP.CM_BAM is less than 9 or greater than 1785 [1], but currently the +j1939 stack only checks the upper bound and the receiver will accept +the following broadcast message: + + vcan1 18ECFF00 [8] 20 08 00 02 FF 00 23 01 + vcan1 18EBFF00 [8] 01 00 00 00 00 00 00 00 + vcan1 18EBFF00 [8] 02 00 FF FF FF FF FF FF + +This patch adds check for the lower bound and abort illegal TP. + +[1] SAE-J1939-82 A.3.4 Row 2 and A.3.6 Row 6. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Link: https://lore.kernel.org/all/1634203601-3460-1-git-send-email-zhangchangzhong@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Changzhong +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/j1939-priv.h | 1 + + net/can/j1939/transport.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/net/can/j1939/j1939-priv.h ++++ b/net/can/j1939/j1939-priv.h +@@ -326,6 +326,7 @@ int j1939_session_activate(struct j1939_ + void j1939_tp_schedule_txtimer(struct j1939_session *session, int msec); + void j1939_session_timers_cancel(struct j1939_session *session); + ++#define J1939_MIN_TP_PACKET_SIZE 9 + #define J1939_MAX_TP_PACKET_SIZE (7 * 0xff) + #define J1939_MAX_ETP_PACKET_SIZE (7 * 0x00ffffff) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1596,6 +1596,8 @@ j1939_session *j1939_xtp_rx_rts_session_ + abort = J1939_XTP_ABORT_FAULT; + else if (len > priv->tp_max_packet_size) + abort = J1939_XTP_ABORT_RESOURCE; ++ else if (len < J1939_MIN_TP_PACKET_SIZE) ++ abort = J1939_XTP_ABORT_FAULT; + } + + if (abort != J1939_XTP_NO_ABORT) { diff --git a/queue-5.4/can-peak_pci-peak_pci_remove-fix-uaf.patch b/queue-5.4/can-peak_pci-peak_pci_remove-fix-uaf.patch new file mode 100644 index 00000000000..1c4fe3e987f --- /dev/null +++ b/queue-5.4/can-peak_pci-peak_pci_remove-fix-uaf.patch @@ -0,0 +1,62 @@ +From 949fe9b35570361bc6ee2652f89a0561b26eec98 Mon Sep 17 00:00:00 2001 +From: Zheyu Ma +Date: Thu, 14 Oct 2021 06:28:33 +0000 +Subject: can: peak_pci: peak_pci_remove(): fix UAF + +From: Zheyu Ma + +commit 949fe9b35570361bc6ee2652f89a0561b26eec98 upstream. + +When remove the module peek_pci, referencing 'chan' again after +releasing 'dev' will cause UAF. + +Fix this by releasing 'dev' later. + +The following log reveals it: + +[ 35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci] +[ 35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537 +[ 35.965513 ] Call Trace: +[ 35.965718 ] dump_stack_lvl+0xa8/0xd1 +[ 35.966028 ] print_address_description+0x87/0x3b0 +[ 35.966420 ] kasan_report+0x172/0x1c0 +[ 35.966725 ] ? peak_pci_remove+0x16f/0x270 [peak_pci] +[ 35.967137 ] ? trace_irq_enable_rcuidle+0x10/0x170 +[ 35.967529 ] ? peak_pci_remove+0x16f/0x270 [peak_pci] +[ 35.967945 ] __asan_report_load8_noabort+0x14/0x20 +[ 35.968346 ] peak_pci_remove+0x16f/0x270 [peak_pci] +[ 35.968752 ] pci_device_remove+0xa9/0x250 + +Fixes: e6d9c80b7ca1 ("can: peak_pci: add support of some new PEAK-System PCI cards") +Link: https://lore.kernel.org/all/1634192913-15639-1-git-send-email-zheyuma97@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Zheyu Ma +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/sja1000/peak_pci.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/sja1000/peak_pci.c ++++ b/drivers/net/can/sja1000/peak_pci.c +@@ -731,16 +731,15 @@ static void peak_pci_remove(struct pci_d + struct net_device *prev_dev = chan->prev_dev; + + dev_info(&pdev->dev, "removing device %s\n", dev->name); ++ /* do that only for first channel */ ++ if (!prev_dev && chan->pciec_card) ++ peak_pciec_remove(chan->pciec_card); + unregister_sja1000dev(dev); + free_sja1000dev(dev); + dev = prev_dev; + +- if (!dev) { +- /* do that only for first channel */ +- if (chan->pciec_card) +- peak_pciec_remove(chan->pciec_card); ++ if (!dev) + break; +- } + priv = netdev_priv(dev); + chan = priv->priv; + } diff --git a/queue-5.4/can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch b/queue-5.4/can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch new file mode 100644 index 00000000000..2b73a0129ac --- /dev/null +++ b/queue-5.4/can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch @@ -0,0 +1,38 @@ +From 3d031abc7e7249573148871180c28ecedb5e27df Mon Sep 17 00:00:00 2001 +From: Stephane Grosjean +Date: Wed, 29 Sep 2021 16:21:10 +0200 +Subject: can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification + +From: Stephane Grosjean + +commit 3d031abc7e7249573148871180c28ecedb5e27df upstream. + +This corrects the lack of notification of a return to ERROR_ACTIVE +state for USB - CANFD devices from PEAK-System. + +Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters") +Link: https://lore.kernel.org/all/20210929142111.55757-1-s.grosjean@peak-system.com +Cc: stable@vger.kernel.org +Signed-off-by: Stephane Grosjean +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -551,11 +551,10 @@ static int pcan_usb_fd_decode_status(str + } else if (sm->channel_p_w_b & PUCAN_BUS_WARNING) { + new_state = CAN_STATE_ERROR_WARNING; + } else { +- /* no error bit (so, no error skb, back to active state) */ +- dev->can.state = CAN_STATE_ERROR_ACTIVE; ++ /* back to (or still in) ERROR_ACTIVE state */ ++ new_state = CAN_STATE_ERROR_ACTIVE; + pdev->bec.txerr = 0; + pdev->bec.rxerr = 0; +- return 0; + } + + /* state hasn't changed */ diff --git a/queue-5.4/can-rcar_can-fix-suspend-resume.patch b/queue-5.4/can-rcar_can-fix-suspend-resume.patch new file mode 100644 index 00000000000..c3cf2e3bd70 --- /dev/null +++ b/queue-5.4/can-rcar_can-fix-suspend-resume.patch @@ -0,0 +1,68 @@ +From f7c05c3987dcfde9a4e8c2d533db013fabebca0d Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Fri, 24 Sep 2021 16:55:56 +0900 +Subject: can: rcar_can: fix suspend/resume + +From: Yoshihiro Shimoda + +commit f7c05c3987dcfde9a4e8c2d533db013fabebca0d upstream. + +If the driver was not opened, rcar_can_suspend() should not call +clk_disable() because the clock was not enabled. + +Fixes: fd1159318e55 ("can: add Renesas R-Car CAN driver") +Link: https://lore.kernel.org/all/20210924075556.223685-1-yoshihiro.shimoda.uh@renesas.com +Cc: stable@vger.kernel.org +Signed-off-by: Yoshihiro Shimoda +Tested-by: Ayumi Nakamichi +Reviewed-by: Ulrich Hecht +Tested-by: Biju Das +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/rcar/rcar_can.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/drivers/net/can/rcar/rcar_can.c ++++ b/drivers/net/can/rcar/rcar_can.c +@@ -848,10 +848,12 @@ static int __maybe_unused rcar_can_suspe + struct rcar_can_priv *priv = netdev_priv(ndev); + u16 ctlr; + +- if (netif_running(ndev)) { +- netif_stop_queue(ndev); +- netif_device_detach(ndev); +- } ++ if (!netif_running(ndev)) ++ return 0; ++ ++ netif_stop_queue(ndev); ++ netif_device_detach(ndev); ++ + ctlr = readw(&priv->regs->ctlr); + ctlr |= RCAR_CAN_CTLR_CANM_HALT; + writew(ctlr, &priv->regs->ctlr); +@@ -870,6 +872,9 @@ static int __maybe_unused rcar_can_resum + u16 ctlr; + int err; + ++ if (!netif_running(ndev)) ++ return 0; ++ + err = clk_enable(priv->clk); + if (err) { + netdev_err(ndev, "clk_enable() failed, error %d\n", err); +@@ -883,10 +888,9 @@ static int __maybe_unused rcar_can_resum + writew(ctlr, &priv->regs->ctlr); + priv->can.state = CAN_STATE_ERROR_ACTIVE; + +- if (netif_running(ndev)) { +- netif_device_attach(ndev); +- netif_start_queue(ndev); +- } ++ netif_device_attach(ndev); ++ netif_start_queue(ndev); ++ + return 0; + } + diff --git a/queue-5.4/ceph-fix-handling-of-meta-errors.patch b/queue-5.4/ceph-fix-handling-of-meta-errors.patch new file mode 100644 index 00000000000..767ddf76cdc --- /dev/null +++ b/queue-5.4/ceph-fix-handling-of-meta-errors.patch @@ -0,0 +1,150 @@ +From 1bd85aa65d0e7b5e4d09240f492f37c569fdd431 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Thu, 7 Oct 2021 14:19:49 -0400 +Subject: ceph: fix handling of "meta" errors + +From: Jeff Layton + +commit 1bd85aa65d0e7b5e4d09240f492f37c569fdd431 upstream. + +Currently, we check the wb_err too early for directories, before all of +the unsafe child requests have been waited on. In order to fix that we +need to check the mapping->wb_err later nearer to the end of ceph_fsync. + +We also have an overly-complex method for tracking errors after +blocklisting. The errors recorded in cleanup_session_requests go to a +completely separate field in the inode, but we end up reporting them the +same way we would for any other error (in fsync). + +There's no real benefit to tracking these errors in two different +places, since the only reporting mechanism for them is in fsync, and +we'd need to advance them both every time. + +Given that, we can just remove i_meta_err, and convert the places that +used it to instead just use mapping->wb_err instead. That also fixes +the original problem by ensuring that we do a check_and_advance of the +wb_err at the end of the fsync op. + +Cc: stable@vger.kernel.org +URL: https://tracker.ceph.com/issues/52864 +Reported-by: Patrick Donnelly +Signed-off-by: Jeff Layton +Reviewed-by: Xiubo Li +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/caps.c | 12 +++--------- + fs/ceph/file.c | 1 - + fs/ceph/inode.c | 2 -- + fs/ceph/mds_client.c | 17 +++++------------ + fs/ceph/super.h | 3 --- + 5 files changed, 8 insertions(+), 27 deletions(-) + +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -2249,7 +2249,6 @@ static int unsafe_request_wait(struct in + + int ceph_fsync(struct file *file, loff_t start, loff_t end, int datasync) + { +- struct ceph_file_info *fi = file->private_data; + struct inode *inode = file->f_mapping->host; + struct ceph_inode_info *ci = ceph_inode(inode); + u64 flush_tid; +@@ -2280,14 +2279,9 @@ int ceph_fsync(struct file *file, loff_t + if (err < 0) + ret = err; + +- if (errseq_check(&ci->i_meta_err, READ_ONCE(fi->meta_err))) { +- spin_lock(&file->f_lock); +- err = errseq_check_and_advance(&ci->i_meta_err, +- &fi->meta_err); +- spin_unlock(&file->f_lock); +- if (err < 0) +- ret = err; +- } ++ err = file_check_and_advance_wb_err(file); ++ if (err < 0) ++ ret = err; + out: + dout("fsync %p%s result=%d\n", inode, datasync ? " datasync" : "", ret); + return ret; +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -234,7 +234,6 @@ static int ceph_init_file_info(struct in + fi->fmode = fmode; + spin_lock_init(&fi->rw_contexts_lock); + INIT_LIST_HEAD(&fi->rw_contexts); +- fi->meta_err = errseq_sample(&ci->i_meta_err); + fi->filp_gen = READ_ONCE(ceph_inode_to_client(inode)->filp_gen); + + return 0; +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -515,8 +515,6 @@ struct inode *ceph_alloc_inode(struct su + + ceph_fscache_inode_init(ci); + +- ci->i_meta_err = 0; +- + return &ci->vfs_inode; + } + +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -1272,7 +1272,6 @@ static void cleanup_session_requests(str + { + struct ceph_mds_request *req; + struct rb_node *p; +- struct ceph_inode_info *ci; + + dout("cleanup_session_requests mds%d\n", session->s_mds); + mutex_lock(&mdsc->mutex); +@@ -1281,16 +1280,10 @@ static void cleanup_session_requests(str + struct ceph_mds_request, r_unsafe_item); + pr_warn_ratelimited(" dropping unsafe request %llu\n", + req->r_tid); +- if (req->r_target_inode) { +- /* dropping unsafe change of inode's attributes */ +- ci = ceph_inode(req->r_target_inode); +- errseq_set(&ci->i_meta_err, -EIO); +- } +- if (req->r_unsafe_dir) { +- /* dropping unsafe directory operation */ +- ci = ceph_inode(req->r_unsafe_dir); +- errseq_set(&ci->i_meta_err, -EIO); +- } ++ if (req->r_target_inode) ++ mapping_set_error(req->r_target_inode->i_mapping, -EIO); ++ if (req->r_unsafe_dir) ++ mapping_set_error(req->r_unsafe_dir->i_mapping, -EIO); + __unregister_request(mdsc, req); + } + /* zero r_attempts, so kick_requests() will re-send requests */ +@@ -1436,7 +1429,7 @@ static int remove_session_caps_cb(struct + spin_unlock(&mdsc->cap_dirty_lock); + + if (dirty_dropped) { +- errseq_set(&ci->i_meta_err, -EIO); ++ mapping_set_error(inode->i_mapping, -EIO); + + if (ci->i_wrbuffer_ref_head == 0 && + ci->i_wr_ref == 0 && +--- a/fs/ceph/super.h ++++ b/fs/ceph/super.h +@@ -402,8 +402,6 @@ struct ceph_inode_info { + struct fscache_cookie *fscache; + u32 i_fscache_gen; + #endif +- errseq_t i_meta_err; +- + struct inode vfs_inode; /* at end */ + }; + +@@ -712,7 +710,6 @@ struct ceph_file_info { + spinlock_t rw_contexts_lock; + struct list_head rw_contexts; + +- errseq_t meta_err; + u32 filp_gen; + atomic_t num_locks; + }; diff --git a/queue-5.4/elfcore-correct-reference-to-config_uml.patch b/queue-5.4/elfcore-correct-reference-to-config_uml.patch new file mode 100644 index 00000000000..368c25fd389 --- /dev/null +++ b/queue-5.4/elfcore-correct-reference-to-config_uml.patch @@ -0,0 +1,56 @@ +From b0e901280d9860a0a35055f220e8e457f300f40a Mon Sep 17 00:00:00 2001 +From: Lukas Bulwahn +Date: Mon, 18 Oct 2021 15:16:09 -0700 +Subject: elfcore: correct reference to CONFIG_UML + +From: Lukas Bulwahn + +commit b0e901280d9860a0a35055f220e8e457f300f40a upstream. + +Commit 6e7b64b9dd6d ("elfcore: fix building with clang") introduces +special handling for two architectures, ia64 and User Mode Linux. +However, the wrong name, i.e., CONFIG_UM, for the intended Kconfig +symbol for User-Mode Linux was used. + +Although the directory for User Mode Linux is ./arch/um; the Kconfig +symbol for this architecture is called CONFIG_UML. + +Luckily, ./scripts/checkkconfigsymbols.py warns on non-existing configs: + + UM + Referencing files: include/linux/elfcore.h + Similar symbols: UML, NUMA + +Correct the name of the config to the intended one. + +[akpm@linux-foundation.org: fix um/x86_64, per Catalin] + Link: https://lkml.kernel.org/r/20211006181119.2851441-1-catalin.marinas@arm.com + Link: https://lkml.kernel.org/r/YV6pejGzLy5ppEpt@arm.com + +Link: https://lkml.kernel.org/r/20211006082209.417-1-lukas.bulwahn@gmail.com +Fixes: 6e7b64b9dd6d ("elfcore: fix building with clang") +Signed-off-by: Lukas Bulwahn +Cc: Arnd Bergmann +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Catalin Marinas +Cc: Barret Rhoden +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/elfcore.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/elfcore.h ++++ b/include/linux/elfcore.h +@@ -58,7 +58,7 @@ static inline int elf_core_copy_task_xfp + } + #endif + +-#if defined(CONFIG_UM) || defined(CONFIG_IA64) ++#if (defined(CONFIG_UML) && defined(CONFIG_X86_32)) || defined(CONFIG_IA64) + /* + * These functions parameterize elf_core_dump in fs/binfmt_elf.c to write out + * extra segments containing the gate DSO contents. Dumping its diff --git a/queue-5.4/ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch b/queue-5.4/ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch new file mode 100644 index 00000000000..bf8882c77c2 --- /dev/null +++ b/queue-5.4/ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch @@ -0,0 +1,179 @@ +From 5314454ea3ff6fc746eaf71b9a7ceebed52888fa Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 18 Oct 2021 15:15:39 -0700 +Subject: ocfs2: fix data corruption after conversion from inline format + +From: Jan Kara + +commit 5314454ea3ff6fc746eaf71b9a7ceebed52888fa upstream. + +Commit 6dbf7bb55598 ("fs: Don't invalidate page buffers in +block_write_full_page()") uncovered a latent bug in ocfs2 conversion +from inline inode format to a normal inode format. + +The code in ocfs2_convert_inline_data_to_extents() attempts to zero out +the whole cluster allocated for file data by grabbing, zeroing, and +dirtying all pages covering this cluster. However these pages are +beyond i_size, thus writeback code generally ignores these dirty pages +and no blocks were ever actually zeroed on the disk. + +This oversight was fixed by commit 693c241a5f6a ("ocfs2: No need to zero +pages past i_size.") for standard ocfs2 write path, inline conversion +path was apparently forgotten; the commit log also has a reasoning why +the zeroing actually is not needed. + +After commit 6dbf7bb55598, things became worse as writeback code stopped +invalidating buffers on pages beyond i_size and thus these pages end up +with clean PageDirty bit but with buffers attached to these pages being +still dirty. So when a file is converted from inline format, then +writeback triggers, and then the file is grown so that these pages +become valid, the invalid dirtiness state is preserved, +mark_buffer_dirty() does nothing on these pages (buffers are already +dirty) but page is never written back because it is clean. So data +written to these pages is lost once pages are reclaimed. + +Simple reproducer for the problem is: + + xfs_io -f -c "pwrite 0 2000" -c "pwrite 2000 2000" -c "fsync" \ + -c "pwrite 4000 2000" ocfs2_file + +After unmounting and mounting the fs again, you can observe that end of +'ocfs2_file' has lost its contents. + +Fix the problem by not doing the pointless zeroing during conversion +from inline format similarly as in the standard write path. + +[akpm@linux-foundation.org: fix whitespace, per Joseph] + +Link: https://lkml.kernel.org/r/20210930095405.21433-1-jack@suse.cz +Fixes: 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()") +Signed-off-by: Jan Kara +Reviewed-by: Joseph Qi +Tested-by: Joseph Qi +Acked-by: Gang He +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: "Markov, Andrey" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/alloc.c | 46 ++++++++++++---------------------------------- + 1 file changed, 12 insertions(+), 34 deletions(-) + +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -7048,7 +7048,7 @@ void ocfs2_set_inode_data_inline(struct + int ocfs2_convert_inline_data_to_extents(struct inode *inode, + struct buffer_head *di_bh) + { +- int ret, i, has_data, num_pages = 0; ++ int ret, has_data, num_pages = 0; + int need_free = 0; + u32 bit_off, num; + handle_t *handle; +@@ -7057,26 +7057,17 @@ int ocfs2_convert_inline_data_to_extents + struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); + struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data; + struct ocfs2_alloc_context *data_ac = NULL; +- struct page **pages = NULL; +- loff_t end = osb->s_clustersize; ++ struct page *page = NULL; + struct ocfs2_extent_tree et; + int did_quota = 0; + + has_data = i_size_read(inode) ? 1 : 0; + + if (has_data) { +- pages = kcalloc(ocfs2_pages_per_cluster(osb->sb), +- sizeof(struct page *), GFP_NOFS); +- if (pages == NULL) { +- ret = -ENOMEM; +- mlog_errno(ret); +- return ret; +- } +- + ret = ocfs2_reserve_clusters(osb, 1, &data_ac); + if (ret) { + mlog_errno(ret); +- goto free_pages; ++ goto out; + } + } + +@@ -7096,7 +7087,8 @@ int ocfs2_convert_inline_data_to_extents + } + + if (has_data) { +- unsigned int page_end; ++ unsigned int page_end = min_t(unsigned, PAGE_SIZE, ++ osb->s_clustersize); + u64 phys; + + ret = dquot_alloc_space_nodirty(inode, +@@ -7120,15 +7112,8 @@ int ocfs2_convert_inline_data_to_extents + */ + block = phys = ocfs2_clusters_to_blocks(inode->i_sb, bit_off); + +- /* +- * Non sparse file systems zero on extend, so no need +- * to do that now. +- */ +- if (!ocfs2_sparse_alloc(osb) && +- PAGE_SIZE < osb->s_clustersize) +- end = PAGE_SIZE; +- +- ret = ocfs2_grab_eof_pages(inode, 0, end, pages, &num_pages); ++ ret = ocfs2_grab_eof_pages(inode, 0, page_end, &page, ++ &num_pages); + if (ret) { + mlog_errno(ret); + need_free = 1; +@@ -7139,20 +7124,15 @@ int ocfs2_convert_inline_data_to_extents + * This should populate the 1st page for us and mark + * it up to date. + */ +- ret = ocfs2_read_inline_data(inode, pages[0], di_bh); ++ ret = ocfs2_read_inline_data(inode, page, di_bh); + if (ret) { + mlog_errno(ret); + need_free = 1; + goto out_unlock; + } + +- page_end = PAGE_SIZE; +- if (PAGE_SIZE > osb->s_clustersize) +- page_end = osb->s_clustersize; +- +- for (i = 0; i < num_pages; i++) +- ocfs2_map_and_dirty_page(inode, handle, 0, page_end, +- pages[i], i > 0, &phys); ++ ocfs2_map_and_dirty_page(inode, handle, 0, page_end, page, 0, ++ &phys); + } + + spin_lock(&oi->ip_lock); +@@ -7183,8 +7163,8 @@ int ocfs2_convert_inline_data_to_extents + } + + out_unlock: +- if (pages) +- ocfs2_unlock_and_free_pages(pages, num_pages); ++ if (page) ++ ocfs2_unlock_and_free_pages(&page, num_pages); + + out_commit: + if (ret < 0 && did_quota) +@@ -7208,8 +7188,6 @@ out_commit: + out: + if (data_ac) + ocfs2_free_alloc_context(data_ac); +-free_pages: +- kfree(pages); + return ret; + } + diff --git a/queue-5.4/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch b/queue-5.4/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch new file mode 100644 index 00000000000..5f4b0ce2b37 --- /dev/null +++ b/queue-5.4/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch @@ -0,0 +1,87 @@ +From b15fa9224e6e1239414525d8d556d824701849fc Mon Sep 17 00:00:00 2001 +From: Valentin Vidic +Date: Mon, 18 Oct 2021 15:15:42 -0700 +Subject: ocfs2: mount fails with buffer overflow in strlen + +From: Valentin Vidic + +commit b15fa9224e6e1239414525d8d556d824701849fc upstream. + +Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an +ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the +trace below. Problem seems to be that strings for cluster stack and +cluster name are not guaranteed to be null terminated in the disk +representation, while strlcpy assumes that the source string is always +null terminated. This causes a read outside of the source string +triggering the buffer overflow detection. + + detected buffer overflow in strlen + ------------[ cut here ]------------ + kernel BUG at lib/string.c:1149! + invalid opcode: 0000 [#1] SMP PTI + CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1 + Debian 5.14.6-2 + RIP: 0010:fortify_panic+0xf/0x11 + ... + Call Trace: + ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2] + ocfs2_fill_super+0x359/0x19b0 [ocfs2] + mount_bdev+0x185/0x1b0 + legacy_get_tree+0x27/0x40 + vfs_get_tree+0x25/0xb0 + path_mount+0x454/0xa20 + __x64_sys_mount+0x103/0x140 + do_syscall_64+0x3b/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Link: https://lkml.kernel.org/r/20210929180654.32460-1-vvidic@valentin-vidic.from.hr +Signed-off-by: Valentin Vidic +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/super.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -2150,11 +2150,17 @@ static int ocfs2_initialize_super(struct + } + + if (ocfs2_clusterinfo_valid(osb)) { ++ /* ++ * ci_stack and ci_cluster in ocfs2_cluster_info may not be null ++ * terminated, so make sure no overflow happens here by using ++ * memcpy. Destination strings will always be null terminated ++ * because osb is allocated using kzalloc. ++ */ + osb->osb_stackflags = + OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags; +- strlcpy(osb->osb_cluster_stack, ++ memcpy(osb->osb_cluster_stack, + OCFS2_RAW_SB(di)->s_cluster_info.ci_stack, +- OCFS2_STACK_LABEL_LEN + 1); ++ OCFS2_STACK_LABEL_LEN); + if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) { + mlog(ML_ERROR, + "couldn't mount because of an invalid " +@@ -2163,9 +2169,9 @@ static int ocfs2_initialize_super(struct + status = -EINVAL; + goto bail; + } +- strlcpy(osb->osb_cluster_name, ++ memcpy(osb->osb_cluster_name, + OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster, +- OCFS2_CLUSTER_NAME_LEN + 1); ++ OCFS2_CLUSTER_NAME_LEN); + } else { + /* The empty string is identical with classic tools that + * don't know about s_cluster_info. */ diff --git a/queue-5.4/series b/queue-5.4/series index e7053d54af1..50abfe36c1f 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -16,3 +16,19 @@ net-hns3-add-limit-ets-dwrr-bandwidth-cannot-be-0.patch net-hns3-disable-sriov-before-unload-hclge-layer.patch net-stmmac-fix-e2e-delay-mechanism.patch net-enetc-fix-ethtool-counter-name-for-pm0_terr.patch +can-rcar_can-fix-suspend-resume.patch +can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch +can-peak_pci-peak_pci_remove-fix-uaf.patch +can-j1939-j1939_tp_rxtimer-fix-errant-alert-in-j1939_tp_rxtimer.patch +can-j1939-j1939_netdev_start-fix-uaf-for-rx_kref-of-j1939_priv.patch +can-j1939-j1939_xtp_rx_dat_one-cancel-session-if-receive-tp.dt-with-error-length.patch +can-j1939-j1939_xtp_rx_rts_session_new-abort-tp-less-than-9-bytes.patch +ceph-fix-handling-of-meta-errors.patch +ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch +ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch +elfcore-correct-reference-to-config_uml.patch +vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch +alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch +alsa-hda-realtek-add-quirk-for-clevo-pc50hs.patch +asoc-dapm-fix-missing-kctl-change-notifications.patch +audit-fix-possible-null-pointer-dereference-in-audit_filter_rules.patch diff --git a/queue-5.4/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch b/queue-5.4/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch new file mode 100644 index 00000000000..6f7186315ad --- /dev/null +++ b/queue-5.4/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch @@ -0,0 +1,45 @@ +From 032146cda85566abcd1c4884d9d23e4e30a07e9a Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Mon, 18 Oct 2021 15:16:12 -0700 +Subject: vfs: check fd has read access in kernel_read_file_from_fd() + +From: Matthew Wilcox (Oracle) + +commit 032146cda85566abcd1c4884d9d23e4e30a07e9a upstream. + +If we open a file without read access and then pass the fd to a syscall +whose implementation calls kernel_read_file_from_fd(), we get a warning +from __kernel_read(): + + if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ))) + +This currently affects both finit_module() and kexec_file_load(), but it +could affect other syscalls in the future. + +Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org +Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()") +Signed-off-by: Matthew Wilcox (Oracle) +Reported-by: Hao Sun +Reviewed-by: Kees Cook +Acked-by: Christian Brauner +Cc: Al Viro +Cc: Mimi Zohar +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/exec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -988,7 +988,7 @@ int kernel_read_file_from_fd(int fd, voi + struct fd f = fdget(fd); + int ret = -EBADF; + +- if (!f.file) ++ if (!f.file || !(f.file->f_mode & FMODE_READ)) + goto out; + + ret = kernel_read_file(f.file, buf, size, max_size, id);