From: Greg Kroah-Hartman Date: Sun, 24 Oct 2021 11:44:14 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.290~60 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5a423c16a81cf480787d8049a89cf8e0f9e2f54f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch asoc-dapm-fix-missing-kctl-change-notifications.patch can-peak_pci-peak_pci_remove-fix-uaf.patch can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch can-rcar_can-fix-suspend-resume.patch elfcore-correct-reference-to-config_uml.patch ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch
---
diff --git a/queue-4.14/alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch b/queue-4.14/alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch
new file mode 100644
index 00000000000..a14d976b6c8
--- /dev/null
+++ b/queue-4.14/alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch
@@ -0,0 +1,67 @@ +From 3c414eb65c294719a91a746260085363413f91c1 Mon Sep 17 00:00:00 2001 +From: Brendan Grieve +Date: Fri, 15 Oct 2021 10:53:35 +0800 +Subject: ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset + +From: Brendan Grieve + +commit 3c414eb65c294719a91a746260085363413f91c1 upstream. + +As per discussion at: https://github.com/szszoke/sennheiser-gsp670-pulseaudio-profile/issues/13 + +The GSP670 has 2 playback and 1 recording device that by default are +detected in an incompatible order for alsa. This may have been done to make +it compatible for the console by the manufacturer and only affects the +latest firmware which uses its own ID. + +This quirk will resolve this by reordering the channels. + +Signed-off-by: Brendan Grieve +Cc: +Link: https://lore.kernel.org/r/20211015025335.196592-1-brendan@grieve.com.au +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks-table.h | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3446,5 +3446,37 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge + } + } + }, ++{ ++ /* ++ * Sennheiser GSP670 ++ * Change order of interfaces loaded ++ */ ++ USB_DEVICE(0x1395, 0x0300), ++ .bInterfaceClass = USB_CLASS_PER_INTERFACE, ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_COMPOSITE, ++ .data = &(const struct snd_usb_audio_quirk[]) { ++ // Communication ++ { ++ .ifnum = 3, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ // Recording ++ { ++ .ifnum = 4, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ // Main ++ { ++ .ifnum = 1, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ { ++ .ifnum = -1 ++ } ++ } ++ } ++}, + + #undef USB_DEVICE_VENDOR_SPEC 
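Review bot: The entry's header comment `Change order of interfaces loaded` says what the quirk does but not why, so a later reader cannot tell whether the explicit interface order (3, 4, 1) is arbitrary or load-bearing. The commit message explains that the device's firmware-default enumeration order is incompatible with how ALSA assigns the two playback and one capture device, so the comment should carry that, e.g. `* The firmware-default interface order is unusable for ALSA; load them as Communication (3), Recording (4), Main (1).` The `// Communication` style comments also differ from the `/* */` form used by the entry's own header and the surrounding table entries; worth aligning for consistency.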
diff --git a/queue-4.14/asoc-dapm-fix-missing-kctl-change-notifications.patch b/queue-4.14/asoc-dapm-fix-missing-kctl-change-notifications.patch
new file mode 100644
index 00000000000..200e51f38e8
--- /dev/null
+++ b/queue-4.14/asoc-dapm-fix-missing-kctl-change-notifications.patch
@@ -0,0 +1,81 @@ +From 5af82c81b2c49cfb1cad84d9eb6eab0e3d1c4842 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 6 Oct 2021 16:17:12 +0200 +Subject: ASoC: DAPM: Fix missing kctl change notifications + +From: Takashi Iwai + +commit 5af82c81b2c49cfb1cad84d9eb6eab0e3d1c4842 upstream. + +The put callback of a kcontrol is supposed to return 1 when the value +is changed, and this will be notified to user-space. However, some +DAPM kcontrols always return 0 (except for errors), hence the +user-space misses the update of a control value. + +This patch corrects the behavior by properly returning 1 when the +value gets updated. + +Reported-and-tested-by: Hans de Goede +Cc: +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20211006141712.2439-1-tiwai@suse.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-dapm.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -2495,6 +2495,7 @@ static int snd_soc_dapm_set_pin(struct s + const char *pin, int status) + { + struct snd_soc_dapm_widget *w = dapm_find_widget(dapm, pin, true); ++ int ret = 0; + + dapm_assert_locked(dapm); + +@@ -2507,13 +2508,14 @@ static int snd_soc_dapm_set_pin(struct s + dapm_mark_dirty(w, "pin configuration"); + dapm_widget_invalidate_input_paths(w); + dapm_widget_invalidate_output_paths(w); ++ ret = 1; + } + + w->connected = status; + if (status == 0) + w->force = 0; + +- return 0; ++ return ret; + } + + /** +@@ -3441,14 +3443,15 @@ int snd_soc_dapm_put_pin_switch(struct s + { + struct snd_soc_card *card = snd_kcontrol_chip(kcontrol); + const char *pin = (const char *)kcontrol->private_value; ++ int ret; + + if (ucontrol->value.integer.value[0]) +- snd_soc_dapm_enable_pin(&card->dapm, pin); ++ ret = snd_soc_dapm_enable_pin(&card->dapm, pin); + else +- snd_soc_dapm_disable_pin(&card->dapm, pin); ++ ret = snd_soc_dapm_disable_pin(&card->dapm, pin); + + 
snd_soc_dapm_sync(&card->dapm); +- return 0; ++ return ret; + } + EXPORT_SYMBOL_GPL(snd_soc_dapm_put_pin_switch); + +@@ -3824,7 +3827,7 @@ static int snd_soc_dapm_dai_link_put(str + + w->params_select = ucontrol->value.enumerated.item[0]; + +- return 0; ++ return 1; + } + + int snd_soc_dapm_new_pcm(struct snd_soc_card *card, diff --git a/queue-4.14/can-peak_pci-peak_pci_remove-fix-uaf.patch b/queue-4.14/can-peak_pci-peak_pci_remove-fix-uaf.patch new file mode 100644 index 00000000000..685199cb6f8 --- /dev/null +++ b/queue-4.14/can-peak_pci-peak_pci_remove-fix-uaf.patch 
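Review bot: In `snd_soc_dapm_dai_link_put` the hunk makes the callback `return 1` unconditionally after `w->params_select = ucontrol->value.enumerated.item[0];`, so a put with the already-selected value now reports a change and raises a notification to user space even though nothing changed. Unless a comparison above the hunk already rejects an unchanged value (the function's start is outside the hunk), the assignment should be guarded, e.g. `if (w->params_select == ucontrol->value.enumerated.item[0]) return 0;` before it. The other two functions look right: `snd_soc_dapm_set_pin` sets `ret = 1` only inside the branch that marks the widget dirty, and `snd_soc_dapm_put_pin_switch` propagates that value (or a negative error from the enable/disable helpers) after `snd_soc_dapm_sync`.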
@@ -0,0 +1,62 @@ +From 949fe9b35570361bc6ee2652f89a0561b26eec98 Mon Sep 17 00:00:00 2001 +From: Zheyu Ma +Date: Thu, 14 Oct 2021 06:28:33 +0000 +Subject: can: peak_pci: peak_pci_remove(): fix UAF + +From: Zheyu Ma + +commit 949fe9b35570361bc6ee2652f89a0561b26eec98 upstream. + +When remove the module peek_pci, referencing 'chan' again after +releasing 'dev' will cause UAF. + +Fix this by releasing 'dev' later. + +The following log reveals it: + +[ 35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci] +[ 35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537 +[ 35.965513 ] Call Trace: +[ 35.965718 ] dump_stack_lvl+0xa8/0xd1 +[ 35.966028 ] print_address_description+0x87/0x3b0 +[ 35.966420 ] kasan_report+0x172/0x1c0 +[ 35.966725 ] ? peak_pci_remove+0x16f/0x270 [peak_pci] +[ 35.967137 ] ? trace_irq_enable_rcuidle+0x10/0x170 +[ 35.967529 ] ? peak_pci_remove+0x16f/0x270 [peak_pci] +[ 35.967945 ] __asan_report_load8_noabort+0x14/0x20 +[ 35.968346 ] peak_pci_remove+0x16f/0x270 [peak_pci] +[ 35.968752 ] pci_device_remove+0xa9/0x250 + +Fixes: e6d9c80b7ca1 ("can: peak_pci: add support of some new PEAK-System PCI cards") +Link: https://lore.kernel.org/all/1634192913-15639-1-git-send-email-zheyuma97@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Zheyu Ma +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/sja1000/peak_pci.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/sja1000/peak_pci.c ++++ b/drivers/net/can/sja1000/peak_pci.c +@@ -739,16 +739,15 @@ static void peak_pci_remove(struct pci_d + struct net_device *prev_dev = chan->prev_dev; + + dev_info(&pdev->dev, "removing device %s\n", dev->name); ++ /* do that only for first channel */ ++ if (!prev_dev && chan->pciec_card) ++ peak_pciec_remove(chan->pciec_card); + unregister_sja1000dev(dev); + free_sja1000dev(dev); + dev = prev_dev; + +- if (!dev) { +- /* do that only for first channel */ +- 
if (chan->pciec_card) +- peak_pciec_remove(chan->pciec_card); ++ if (!dev) + break; +- } + priv = netdev_priv(dev); + chan = priv->priv; + } diff --git a/queue-4.14/can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch b/queue-4.14/can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch new file mode 100644 index 00000000000..263c67b30c6 --- /dev/null +++ b/queue-4.14/can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch @@ -0,0 +1,38 @@ +From 3d031abc7e7249573148871180c28ecedb5e27df Mon Sep 17 00:00:00 2001 +From: Stephane Grosjean +Date: Wed, 29 Sep 2021 16:21:10 +0200 +Subject: can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification + +From: Stephane Grosjean + +commit 3d031abc7e7249573148871180c28ecedb5e27df upstream. + +This corrects the lack of notification of a return to ERROR_ACTIVE +state for USB - CANFD devices from PEAK-System. + +Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters") +Link: https://lore.kernel.org/all/20210929142111.55757-1-s.grosjean@peak-system.com +Cc: stable@vger.kernel.org +Signed-off-by: Stephane Grosjean +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -560,11 +560,10 @@ static int pcan_usb_fd_decode_status(str + } else if (sm->channel_p_w_b & PUCAN_BUS_WARNING) { + new_state = CAN_STATE_ERROR_WARNING; + } else { +- /* no error bit (so, no error skb, back to active state) */ +- dev->can.state = CAN_STATE_ERROR_ACTIVE; ++ /* back to (or still in) ERROR_ACTIVE state */ ++ new_state = CAN_STATE_ERROR_ACTIVE; + pdev->bec.txerr = 0; + pdev->bec.rxerr = 0; +- return 0; + } + + /* state hasn't changed */ 
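Review bot: The moved comment `/* do that only for first channel */` says when `peak_pciec_remove()` runs but not why it had to move above `unregister_sja1000dev(dev)` and `free_sja1000dev(dev)`; the reason from the commit message — `chan` is derived from `netdev_priv(dev)` (visible at the loop tail), so reading `chan->pciec_card` after `free_sja1000dev(dev)` was the use-after-free — is exactly what a future reordering would need to know. Suggest `/* first channel only; must precede free_sja1000dev(), which frees the memory chan points into */`. The loop head and the declarations of `dev`, `chan` and `priv` are outside the hunk.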
diff --git a/queue-4.14/can-rcar_can-fix-suspend-resume.patch b/queue-4.14/can-rcar_can-fix-suspend-resume.patch
new file mode 100644
index 00000000000..bdbdf0abbf0
--- /dev/null
+++ b/queue-4.14/can-rcar_can-fix-suspend-resume.patch
@@ -0,0 +1,68 @@ +From f7c05c3987dcfde9a4e8c2d533db013fabebca0d Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Fri, 24 Sep 2021 16:55:56 +0900 +Subject: can: rcar_can: fix suspend/resume + +From: Yoshihiro Shimoda + +commit f7c05c3987dcfde9a4e8c2d533db013fabebca0d upstream. + +If the driver was not opened, rcar_can_suspend() should not call +clk_disable() because the clock was not enabled. + +Fixes: fd1159318e55 ("can: add Renesas R-Car CAN driver") +Link: https://lore.kernel.org/all/20210924075556.223685-1-yoshihiro.shimoda.uh@renesas.com +Cc: stable@vger.kernel.org +Signed-off-by: Yoshihiro Shimoda +Tested-by: Ayumi Nakamichi +Reviewed-by: Ulrich Hecht +Tested-by: Biju Das +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/rcar/rcar_can.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/drivers/net/can/rcar/rcar_can.c ++++ b/drivers/net/can/rcar/rcar_can.c +@@ -857,10 +857,12 @@ static int __maybe_unused rcar_can_suspe + struct rcar_can_priv *priv = netdev_priv(ndev); + u16 ctlr; + +- if (netif_running(ndev)) { +- netif_stop_queue(ndev); +- netif_device_detach(ndev); +- } ++ if (!netif_running(ndev)) ++ return 0; ++ ++ netif_stop_queue(ndev); ++ netif_device_detach(ndev); ++ + ctlr = readw(&priv->regs->ctlr); + ctlr |= RCAR_CAN_CTLR_CANM_HALT; + writew(ctlr, &priv->regs->ctlr); +@@ -879,6 +881,9 @@ static int __maybe_unused rcar_can_resum + u16 ctlr; + int err; + ++ if (!netif_running(ndev)) ++ return 0; ++ + err = clk_enable(priv->clk); + if (err) { + netdev_err(ndev, "clk_enable() failed, error %d\n", err); +@@ -892,10 +897,9 @@ static int __maybe_unused rcar_can_resum + writew(ctlr, &priv->regs->ctlr); + priv->can.state = CAN_STATE_ERROR_ACTIVE; + +- if (netif_running(ndev)) { +- netif_device_attach(ndev); +- netif_start_queue(ndev); +- } ++ netif_device_attach(ndev); ++ netif_start_queue(ndev); ++ + return 0; + } + 
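Review bot: The two new early returns in `rcar_can_suspend()` and `rcar_can_resume()` carry no comment, so the reason they skip the register writes and the clock calls is only recoverable from the commit message (the clock is enabled only once the interface is opened, so `clk_disable()` on a never-opened device would unbalance it). Suggest `/* the clock is enabled only while the interface is up; nothing to do otherwise */` on the suspend-side `if (!netif_running(ndev))`, with a matching note on the resume side. The `clk_disable()` call in suspend is presumably below the hunk, as is the remainder of both functions.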
diff --git a/queue-4.14/elfcore-correct-reference-to-config_uml.patch b/queue-4.14/elfcore-correct-reference-to-config_uml.patch
new file mode 100644
index 00000000000..368c25fd389
--- /dev/null
+++ b/queue-4.14/elfcore-correct-reference-to-config_uml.patch
@@ -0,0 +1,56 @@ +From b0e901280d9860a0a35055f220e8e457f300f40a Mon Sep 17 00:00:00 2001 +From: Lukas Bulwahn +Date: Mon, 18 Oct 2021 15:16:09 -0700 +Subject: elfcore: correct reference to CONFIG_UML + +From: Lukas Bulwahn + +commit b0e901280d9860a0a35055f220e8e457f300f40a upstream. + +Commit 6e7b64b9dd6d ("elfcore: fix building with clang") introduces +special handling for two architectures, ia64 and User Mode Linux. +However, the wrong name, i.e., CONFIG_UM, for the intended Kconfig +symbol for User-Mode Linux was used. + +Although the directory for User Mode Linux is ./arch/um; the Kconfig +symbol for this architecture is called CONFIG_UML. + +Luckily, ./scripts/checkkconfigsymbols.py warns on non-existing configs: + + UM + Referencing files: include/linux/elfcore.h + Similar symbols: UML, NUMA + +Correct the name of the config to the intended one. + +[akpm@linux-foundation.org: fix um/x86_64, per Catalin] + Link: https://lkml.kernel.org/r/20211006181119.2851441-1-catalin.marinas@arm.com + Link: https://lkml.kernel.org/r/YV6pejGzLy5ppEpt@arm.com + +Link: https://lkml.kernel.org/r/20211006082209.417-1-lukas.bulwahn@gmail.com +Fixes: 6e7b64b9dd6d ("elfcore: fix building with clang") +Signed-off-by: Lukas Bulwahn +Cc: Arnd Bergmann +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Catalin Marinas +Cc: Barret Rhoden +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/elfcore.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/elfcore.h ++++ b/include/linux/elfcore.h +@@ -58,7 +58,7 @@ static inline int elf_core_copy_task_xfp + } + #endif + +-#if defined(CONFIG_UM) || defined(CONFIG_IA64) ++#if (defined(CONFIG_UML) && defined(CONFIG_X86_32)) || defined(CONFIG_IA64) + /* + * These functions parameterize elf_core_dump in fs/binfmt_elf.c to write out + * extra segments containing the gate DSO contents. Dumping its 
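Review bot: The new condition `(defined(CONFIG_UML) && defined(CONFIG_X86_32))` narrows the gate-DSO hooks to 32-bit UML, but neither the preprocessor line nor the block comment after it says why 64-bit UML is excluded; the only trace is the `[akpm@linux-foundation.org: fix um/x86_64, per Catalin]` bracket note, which disappears once the patch is applied. Suggest a one-line comment above the `#if`, e.g. `/* 64-bit UML is deliberately left out here; see the commit message */`, so the next person to touch this gate does not "simplify" it back to plain CONFIG_UML. The `#if` block's body continues outside the hunk.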
diff --git a/queue-4.14/ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch b/queue-4.14/ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch
new file mode 100644
index 00000000000..b7304ba2f08
--- /dev/null
+++ b/queue-4.14/ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch
@@ -0,0 +1,179 @@ +From 5314454ea3ff6fc746eaf71b9a7ceebed52888fa Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 18 Oct 2021 15:15:39 -0700 +Subject: ocfs2: fix data corruption after conversion from inline format + +From: Jan Kara + +commit 5314454ea3ff6fc746eaf71b9a7ceebed52888fa upstream. + +Commit 6dbf7bb55598 ("fs: Don't invalidate page buffers in +block_write_full_page()") uncovered a latent bug in ocfs2 conversion +from inline inode format to a normal inode format. + +The code in ocfs2_convert_inline_data_to_extents() attempts to zero out +the whole cluster allocated for file data by grabbing, zeroing, and +dirtying all pages covering this cluster. However these pages are +beyond i_size, thus writeback code generally ignores these dirty pages +and no blocks were ever actually zeroed on the disk. + +This oversight was fixed by commit 693c241a5f6a ("ocfs2: No need to zero +pages past i_size.") for standard ocfs2 write path, inline conversion +path was apparently forgotten; the commit log also has a reasoning why +the zeroing actually is not needed. + +After commit 6dbf7bb55598, things became worse as writeback code stopped +invalidating buffers on pages beyond i_size and thus these pages end up +with clean PageDirty bit but with buffers attached to these pages being +still dirty. So when a file is converted from inline format, then +writeback triggers, and then the file is grown so that these pages +become valid, the invalid dirtiness state is preserved, +mark_buffer_dirty() does nothing on these pages (buffers are already +dirty) but page is never written back because it is clean. So data +written to these pages is lost once pages are reclaimed. + +Simple reproducer for the problem is: + + xfs_io -f -c "pwrite 0 2000" -c "pwrite 2000 2000" -c "fsync" \ + -c "pwrite 4000 2000" ocfs2_file + +After unmounting and mounting the fs again, you can observe that end of +'ocfs2_file' has lost its contents. 
+ +Fix the problem by not doing the pointless zeroing during conversion +from inline format similarly as in the standard write path. + +[akpm@linux-foundation.org: fix whitespace, per Joseph] + +Link: https://lkml.kernel.org/r/20210930095405.21433-1-jack@suse.cz +Fixes: 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()") +Signed-off-by: Jan Kara +Reviewed-by: Joseph Qi +Tested-by: Joseph Qi +Acked-by: Gang He +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: "Markov, Andrey" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/alloc.c | 46 ++++++++++++---------------------------------- + 1 file changed, 12 insertions(+), 34 deletions(-) + +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -6885,7 +6885,7 @@ void ocfs2_set_inode_data_inline(struct + int ocfs2_convert_inline_data_to_extents(struct inode *inode, + struct buffer_head *di_bh) + { +- int ret, i, has_data, num_pages = 0; ++ int ret, has_data, num_pages = 0; + int need_free = 0; + u32 bit_off, num; + handle_t *handle; +@@ -6894,26 +6894,17 @@ int ocfs2_convert_inline_data_to_extents + struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); + struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data; + struct ocfs2_alloc_context *data_ac = NULL; +- struct page **pages = NULL; +- loff_t end = osb->s_clustersize; ++ struct page *page = NULL; + struct ocfs2_extent_tree et; + int did_quota = 0; + + has_data = i_size_read(inode) ? 
1 : 0; + + if (has_data) { +- pages = kcalloc(ocfs2_pages_per_cluster(osb->sb), +- sizeof(struct page *), GFP_NOFS); +- if (pages == NULL) { +- ret = -ENOMEM; +- mlog_errno(ret); +- return ret; +- } +- + ret = ocfs2_reserve_clusters(osb, 1, &data_ac); + if (ret) { + mlog_errno(ret); +- goto free_pages; ++ goto out; + } + } + +@@ -6933,7 +6924,8 @@ int ocfs2_convert_inline_data_to_extents + } + + if (has_data) { +- unsigned int page_end; ++ unsigned int page_end = min_t(unsigned, PAGE_SIZE, ++ osb->s_clustersize); + u64 phys; + + ret = dquot_alloc_space_nodirty(inode, +@@ -6957,15 +6949,8 @@ int ocfs2_convert_inline_data_to_extents + */ + block = phys = ocfs2_clusters_to_blocks(inode->i_sb, bit_off); + +- /* +- * Non sparse file systems zero on extend, so no need +- * to do that now. +- */ +- if (!ocfs2_sparse_alloc(osb) && +- PAGE_SIZE < osb->s_clustersize) +- end = PAGE_SIZE; +- +- ret = ocfs2_grab_eof_pages(inode, 0, end, pages, &num_pages); ++ ret = ocfs2_grab_eof_pages(inode, 0, page_end, &page, ++ &num_pages); + if (ret) { + mlog_errno(ret); + need_free = 1; +@@ -6976,20 +6961,15 @@ int ocfs2_convert_inline_data_to_extents + * This should populate the 1st page for us and mark + * it up to date. 
+ */ +- ret = ocfs2_read_inline_data(inode, pages[0], di_bh); ++ ret = ocfs2_read_inline_data(inode, page, di_bh); + if (ret) { + mlog_errno(ret); + need_free = 1; + goto out_unlock; + } + +- page_end = PAGE_SIZE; +- if (PAGE_SIZE > osb->s_clustersize) +- page_end = osb->s_clustersize; +- +- for (i = 0; i < num_pages; i++) +- ocfs2_map_and_dirty_page(inode, handle, 0, page_end, +- pages[i], i > 0, &phys); ++ ocfs2_map_and_dirty_page(inode, handle, 0, page_end, page, 0, ++ &phys); + } + + spin_lock(&oi->ip_lock); +@@ -7020,8 +7000,8 @@ int ocfs2_convert_inline_data_to_extents + } + + out_unlock: +- if (pages) +- ocfs2_unlock_and_free_pages(pages, num_pages); ++ if (page) ++ ocfs2_unlock_and_free_pages(&page, num_pages); + + out_commit: + if (ret < 0 && did_quota) +@@ -7045,8 +7025,6 @@ out_commit: + out: + if (data_ac) + ocfs2_free_alloc_context(data_ac); +-free_pages: +- kfree(pages); + return ret; + } + diff --git a/queue-4.14/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch b/queue-4.14/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch new file mode 100644 index 00000000000..dc45a9bed03 --- /dev/null +++ b/queue-4.14/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch 
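Review bot: `ocfs2_grab_eof_pages(inode, 0, page_end, &page, &num_pages)` and `ocfs2_unlock_and_free_pages(&page, num_pages)` now pass the address of a single `struct page *` where the callees take a page array plus a count; that is only safe because `page_end = min_t(unsigned, PAGE_SIZE, osb->s_clustersize)` bounds the range to at most one page, and nothing in the code states that dependency. Suggest a comment at the `page_end` initializer, e.g. `/* at most one page: the grab/free calls below pass &page as a one-element array */`, so that a later widening of the range does not silently overrun the stack slot. Whether `num_pages` can ever exceed 1 is inferred only from that bound; the helpers themselves are outside the hunk.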
@@ -0,0 +1,87 @@ +From b15fa9224e6e1239414525d8d556d824701849fc Mon Sep 17 00:00:00 2001 +From: Valentin Vidic +Date: Mon, 18 Oct 2021 15:15:42 -0700 +Subject: ocfs2: mount fails with buffer overflow in strlen + +From: Valentin Vidic + +commit b15fa9224e6e1239414525d8d556d824701849fc upstream. + +Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an +ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the +trace below. Problem seems to be that strings for cluster stack and +cluster name are not guaranteed to be null terminated in the disk +representation, while strlcpy assumes that the source string is always +null terminated. This causes a read outside of the source string +triggering the buffer overflow detection. + + detected buffer overflow in strlen + ------------[ cut here ]------------ + kernel BUG at lib/string.c:1149! + invalid opcode: 0000 [#1] SMP PTI + CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1 + Debian 5.14.6-2 + RIP: 0010:fortify_panic+0xf/0x11 + ... 
+ Call Trace: + ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2] + ocfs2_fill_super+0x359/0x19b0 [ocfs2] + mount_bdev+0x185/0x1b0 + legacy_get_tree+0x27/0x40 + vfs_get_tree+0x25/0xb0 + path_mount+0x454/0xa20 + __x64_sys_mount+0x103/0x140 + do_syscall_64+0x3b/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Link: https://lkml.kernel.org/r/20210929180654.32460-1-vvidic@valentin-vidic.from.hr +Signed-off-by: Valentin Vidic +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/super.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -2188,11 +2188,17 @@ static int ocfs2_initialize_super(struct + } + + if (ocfs2_clusterinfo_valid(osb)) { ++ /* ++ * ci_stack and ci_cluster in ocfs2_cluster_info may not be null ++ * terminated, so make sure no overflow happens here by using ++ * memcpy. Destination strings will always be null terminated ++ * because osb is allocated using kzalloc. ++ */ + osb->osb_stackflags = + OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags; +- strlcpy(osb->osb_cluster_stack, ++ memcpy(osb->osb_cluster_stack, + OCFS2_RAW_SB(di)->s_cluster_info.ci_stack, +- OCFS2_STACK_LABEL_LEN + 1); ++ OCFS2_STACK_LABEL_LEN); + if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) { + mlog(ML_ERROR, + "couldn't mount because of an invalid " +@@ -2201,9 +2207,9 @@ static int ocfs2_initialize_super(struct + status = -EINVAL; + goto bail; + } +- strlcpy(osb->osb_cluster_name, ++ memcpy(osb->osb_cluster_name, + OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster, +- OCFS2_CLUSTER_NAME_LEN + 1); ++ OCFS2_CLUSTER_NAME_LEN); + } else { + /* The empty string is identical with classic tools that + * don't know about s_cluster_info. */ diff --git a/queue-4.14/series b/queue-4.14/series index 97c23f3e75b..3620866cfab 100644 
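Review bot: The new `memcpy()` calls copy exactly `OCFS2_STACK_LABEL_LEN` and `OCFS2_CLUSTER_NAME_LEN` bytes and, as the added comment says, rely on `osb` being allocated with `kzalloc` so the byte after each copy is still NUL; that holds only if `osb_cluster_stack` and `osb_cluster_name` are sized at least one byte larger than the copied length, which the removed `strlcpy(..., LEN + 1)` calls suggest but nothing in the hunk enforces. A `BUILD_BUG_ON(sizeof(osb->osb_cluster_stack) < OCFS2_STACK_LABEL_LEN + 1);` (and the equivalent for `osb_cluster_name`) next to the copies would pin the invariant the comment depends on, since a future resize of either array would silently turn the fix back into an unterminated string. The `strlen()` check that follows validates `osb_cluster_stack`, but `osb_cluster_name` gets no equivalent check after its copy; if that asymmetry is intentional, the comment should say so.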
--- a/queue-4.14/series +++ b/queue-4.14/series @@ -5,3 +5,12 @@ xtensa-xtfpga-try-software-restart-before-simulating.patch nfsd-keep-existing-listeners-on-portlist-error.patch netfilter-ipvs-make-global-sysctl-readonly-in-non-in.patch nios2-irqflags-rename-a-redefined-register-name.patch +can-rcar_can-fix-suspend-resume.patch +can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch +can-peak_pci-peak_pci_remove-fix-uaf.patch +ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch +ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch +elfcore-correct-reference-to-config_uml.patch +vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch +alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch +asoc-dapm-fix-missing-kctl-change-notifications.patch diff --git a/queue-4.14/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch b/queue-4.14/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch new file mode 100644 index 00000000000..32d644466c4 --- /dev/null +++ b/queue-4.14/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch 
@@ -0,0 +1,45 @@ +From 032146cda85566abcd1c4884d9d23e4e30a07e9a Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Mon, 18 Oct 2021 15:16:12 -0700 +Subject: vfs: check fd has read access in kernel_read_file_from_fd() + +From: Matthew Wilcox (Oracle) + +commit 032146cda85566abcd1c4884d9d23e4e30a07e9a upstream. + +If we open a file without read access and then pass the fd to a syscall +whose implementation calls kernel_read_file_from_fd(), we get a warning +from __kernel_read(): + + if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ))) + +This currently affects both finit_module() and kexec_file_load(), but it +could affect other syscalls in the future. + +Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org +Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()") +Signed-off-by: Matthew Wilcox (Oracle) +Reported-by: Hao Sun +Reviewed-by: Kees Cook +Acked-by: Christian Brauner +Cc: Al Viro +Cc: Mimi Zohar +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/exec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -980,7 +980,7 @@ int kernel_read_file_from_fd(int fd, voi + struct fd f = fdget(fd); + int ret = -EBADF; + +- if (!f.file) ++ if (!f.file || !(f.file->f_mode & FMODE_READ)) + goto out; + + ret = kernel_read_file(f.file, buf, size, max_size, id);
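Review bot: The added `!(f.file->f_mode & FMODE_READ)` test shares the `-EBADF` of the missing-file case without a comment, so a reader has to rediscover from the commit message that it exists to keep the `WARN_ON_ONCE` in `__kernel_read()` from firing on a caller-supplied fd, and that `-EBADF` is the same error read(2) gives for a descriptor not open for reading. Suggest `/* as with read(2): an fd not opened for reading is -EBADF rather than a WARN in __kernel_read() */` above the check. The `fdput()` and `out:` path are below the hunk.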