From: Sasha Levin Date: Mon, 2 Jan 2023 03:25:55 +0000 (-0500) Subject: Fixes for 6.1 X-Git-Tag: v6.0.17~35 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=74e35e2a7d1115a291093797dd7e75b9cbadd1b4;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/acpi-resource-add-asus-expertbook-b2502-to-asus-quir.patch b/queue-6.1/acpi-resource-add-asus-expertbook-b2502-to-asus-quir.patch new file mode 100644 index 00000000000..1aade0443f8 --- /dev/null +++ b/queue-6.1/acpi-resource-add-asus-expertbook-b2502-to-asus-quir.patch @@ -0,0 +1,46 @@ +From a5734f5375206a995c881d69a1c2c35cc88380f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 10:44:43 +0100 +Subject: ACPI: resource: Add Asus ExpertBook B2502 to Asus quirks + +From: Hans de Goede + +[ Upstream commit 7203481fd12b1257938519efb2460ea02b9236ee ] + +The Asus ExpertBook B2502 has the same keyboard issue as Asus Vivobook +K3402ZA/K3502ZA. The kernel overrides IRQ 1 to Edge_High when it +should be Active_Low. + +This patch adds the ExpertBook B2502 model to the existing +quirk list of Asus laptops with this issue. + +Fixes: b5f9223a105d ("ACPI: resource: Skip IRQ override on Asus Vivobook S5602ZA") +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2142574 +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index d0c92422e206..16dcd31d124f 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -432,6 +432,13 @@ static const struct dmi_system_id asus_laptop[] = { + DMI_MATCH(DMI_BOARD_NAME, "S5602ZA"), + }, + }, ++ { ++ .ident = "Asus ExpertBook B2502", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "B2502CBA"), ++ }, ++ }, + { } + }; + +-- +2.35.1 + diff --git a/queue-6.1/acpi-resource-do-irq-override-on-lenovo-14alc7.patch b/queue-6.1/acpi-resource-do-irq-override-on-lenovo-14alc7.patch new file mode 100644 index 00000000000..53a4901ec1f --- /dev/null +++ b/queue-6.1/acpi-resource-do-irq-override-on-lenovo-14alc7.patch @@ -0,0 +1,56 @@ +From 98a8184f2d384f00a0d277f807ee85d648e3621f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Dec 2022 21:13:11 +0100 +Subject: ACPI: resource: do IRQ override on Lenovo 14ALC7 + +From: Adrian Freund + +[ Upstream commit f3cb9b740869712d448edf3b9ef5952b847caf8b ] + +Commit bfcdf58380b1 ("ACPI: resource: do IRQ override on LENOVO IdeaPad") +added an override for Lenovo IdeaPad 5 16ALC7. The 14ALC7 variant also +suffers from a broken touchscreen and trackpad. + +Fixes: 9946e39fe8d0 ("ACPI: resource: skip IRQ override on AMD Zen platforms") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216804 +Signed-off-by: Adrian Freund +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index 037d1aa10357..d0c92422e206 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -435,7 +435,14 @@ static const struct dmi_system_id asus_laptop[] = { + { } + }; + +-static const struct dmi_system_id lenovo_82ra[] = { ++static const struct dmi_system_id lenovo_laptop[] = { ++ { ++ .ident = "LENOVO IdeaPad Flex 5 14ALC7", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "82R9"), ++ }, ++ }, + { + .ident = "LENOVO IdeaPad Flex 5 16ALC7", + .matches = { +@@ -469,8 +476,8 @@ struct irq_override_cmp { + static const struct irq_override_cmp override_table[] = { + { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, + { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, +- { lenovo_82ra, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, +- { lenovo_82ra, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, ++ { lenovo_laptop, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, ++ { lenovo_laptop, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, + { schenker_gm_rg, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, + }; + +-- +2.35.1 + diff --git a/queue-6.1/acpi-resource-do-irq-override-on-xmg-core-15.patch b/queue-6.1/acpi-resource-do-irq-override-on-xmg-core-15.patch new file mode 100644 index 00000000000..3936db32ba4 --- /dev/null +++ b/queue-6.1/acpi-resource-do-irq-override-on-xmg-core-15.patch @@ -0,0 +1,54 @@ +From a18422428947a27d746320d303cb7c80e4179a6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Dec 2022 14:33:22 +0100 +Subject: ACPI: resource: do IRQ override on XMG Core 15 + +From: Erik Schumacher + +[ Upstream commit 7592b79ba4a91350b38469e05238308bcfe1019b ] + +The Schenker XMG CORE 15 (M22) is Ryzen-6 based and needs IRQ overriding +for the keyboard to work. Adding an entry for this laptop to the +override_table makes the internal keyboard functional again. + +Signed-off-by: Erik Schumacher +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: f3cb9b740869 ("ACPI: resource: do IRQ override on Lenovo 14ALC7") +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index f27914aedbd5..037d1aa10357 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -446,6 +446,17 @@ static const struct dmi_system_id lenovo_82ra[] = { + { } + }; + ++static const struct dmi_system_id schenker_gm_rg[] = { ++ { ++ .ident = "XMG CORE 15 (M22)", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"), ++ DMI_MATCH(DMI_BOARD_NAME, "GMxRGxx"), ++ }, ++ }, ++ { } ++}; ++ + struct irq_override_cmp { + const struct dmi_system_id *system; + unsigned char irq; +@@ -460,6 +471,7 @@ static const struct irq_override_cmp override_table[] = { + { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, + { lenovo_82ra, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, + { lenovo_82ra, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, ++ { schenker_gm_rg, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, + }; + + static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, +-- +2.35.1 + diff --git a/queue-6.1/acpi-video-fix-apple-gmux-backlight-detection.patch b/queue-6.1/acpi-video-fix-apple-gmux-backlight-detection.patch new file mode 100644 index 00000000000..73565004838 --- /dev/null +++ b/queue-6.1/acpi-video-fix-apple-gmux-backlight-detection.patch @@ -0,0 +1,96 @@ +From 39dffa157c4c787e8bf8919cb8bb0b056e21a5dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 10:41:38 +0100 +Subject: ACPI: video: Fix Apple GMUX backlight detection + +From: Hans de Goede + +[ Upstream commit 3cf3b7f012f3ea8bdc56196e367cf07c10424855 ] + +The apple-gmux driver only binds to old GMUX devices which have an +IORESOURCE_IO resource (using inb()/outb()) rather then memory-mapped +IO (IORESOURCE_MEM). + +T2 MacBooks use the new style GMUX devices (with IORESOURCE_MEM access), +so these are not supported by the apple-gmux driver. This is not a problem +since they have working ACPI video backlight support. + +But the apple_gmux_present() helper only checks if an ACPI device with +the "APP000B" HID is present, causing acpi_video_get_backlight_type() +to return acpi_backlight_apple_gmux disabling the acpi_video backlight +device. + +Add a new apple_gmux_backlight_present() helper which checks that +the "APP000B" device actually is an old GMUX device with an IORESOURCE_IO +resource. + +This fixes the acpi_video0 backlight no longer registering on T2 MacBooks. + +Note people are working to add support for the new style GMUX to Linux: +https://github.com/kekrby/linux-t2/commits/wip/hybrid-graphics + +Once this lands this patch should be reverted so that +acpi_video_get_backlight_type() also prefers the gmux on new style GMUX +MacBooks, but for now this is necessary to avoid regressing backlight +control on T2 Macs. + +Fixes: 21245df307cb ("ACPI: video: Add Apple GMUX brightness control detection") +Reported-and-tested-by: Aditya Garg +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index ffa19d418847..13f10fbcd7f0 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -105,6 +106,26 @@ static bool nvidia_wmi_ec_supported(void) + } + #endif + ++static bool apple_gmux_backlight_present(void) ++{ ++ struct acpi_device *adev; ++ struct device *dev; ++ ++ adev = acpi_dev_get_first_match_dev(GMUX_ACPI_HID, NULL, -1); ++ if (!adev) ++ return false; ++ ++ dev = acpi_get_first_physical_node(adev); ++ if (!dev) ++ return false; ++ ++ /* ++ * drivers/platform/x86/apple-gmux.c only supports old style ++ * Apple GMUX with an IO-resource. ++ */ ++ return pnp_get_resource(to_pnp_dev(dev), IORESOURCE_IO, 0) != NULL; ++} ++ + /* Force to use vendor driver when the ACPI device is known to be + * buggy */ + static int video_detect_force_vendor(const struct dmi_system_id *d) +@@ -755,7 +776,7 @@ static enum acpi_backlight_type __acpi_video_get_backlight_type(bool native) + if (nvidia_wmi_ec_present) + return acpi_backlight_nvidia_wmi_ec; + +- if (apple_gmux_present()) ++ if (apple_gmux_backlight_present()) + return acpi_backlight_apple_gmux; + + /* Chromebooks should always prefer native backlight control. */ +-- +2.35.1 + diff --git a/queue-6.1/ata-ahci-fix-pcs-quirk-application-for-suspend.patch b/queue-6.1/ata-ahci-fix-pcs-quirk-application-for-suspend.patch new file mode 100644 index 00000000000..b1d9641aaf3 --- /dev/null +++ b/queue-6.1/ata-ahci-fix-pcs-quirk-application-for-suspend.patch @@ -0,0 +1,148 @@ +From 80b6c0f79eb2d4e95095296d4b1c09e9c59e5faa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 09:26:34 +0000 +Subject: ata: ahci: Fix PCS quirk application for suspend + +From: Adam Vodopjan + +[ Upstream commit 37e14e4f3715428b809e4df9a9958baa64c77d51 ] + +Since kernel 5.3.4 my laptop (ICH8M controller) does not see Kingston +SV300S37A60G SSD disk connected into a SATA connector on wake from +suspend. The problem was introduced in c312ef176399 ("libata/ahci: Drop +PCS quirk for Denverton and beyond"): the quirk is not applied on wake +from suspend as it originally was. + +It is worth to mention the commit contained another bug: the quirk is +not applied at all to controllers which require it. The fix commit +09d6ac8dc51a ("libata/ahci: Fix PCS quirk application") landed in 5.3.8. +So testing my patch anywhere between commits c312ef176399 and +09d6ac8dc51a is pointless. + +Not all disks trigger the problem. For example nothing bad happens with +Western Digital WD5000LPCX HDD. + +Test hardware: +- Acer 5920G with ICH8M SATA controller +- sda: some SATA HDD connnected into the DVD drive IDE port with a + SATA-IDE caddy. It is a boot disk +- sdb: Kingston SV300S37A60G SSD connected into the only SATA port + +Sample "dmesg --notime | grep -E '^(sd |ata)'" output on wake: + +sd 0:0:0:0: [sda] Starting disk +sd 2:0:0:0: [sdb] Starting disk +ata4: SATA link down (SStatus 4 SControl 300) +ata3: SATA link down (SStatus 4 SControl 300) +ata1.00: ACPI cmd ef/03:0c:00:00:00:a0 (SET FEATURES) filtered out +ata1.00: ACPI cmd ef/03:42:00:00:00:a0 (SET FEATURES) filtered out +ata1: FORCE: cable set to 80c +ata5: SATA link down (SStatus 0 SControl 300) +ata3: SATA link down (SStatus 4 SControl 300) +ata3: SATA link down (SStatus 4 SControl 300) +ata3.00: disabled +sd 2:0:0:0: rejecting I/O to offline device +ata3.00: detaching (SCSI 2:0:0:0) +sd 2:0:0:0: [sdb] Start/Stop Unit failed: Result: hostbyte=DID_NO_CONNECT + driverbyte=DRIVER_OK +sd 2:0:0:0: [sdb] Synchronizing SCSI cache +sd 2:0:0:0: [sdb] Synchronize Cache(10) failed: Result: + hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK +sd 2:0:0:0: [sdb] Stopping disk +sd 2:0:0:0: [sdb] Start/Stop Unit failed: Result: hostbyte=DID_BAD_TARGET + driverbyte=DRIVER_OK + +Commit c312ef176399 dropped ahci_pci_reset_controller() which internally +calls ahci_reset_controller() and applies the PCS quirk if needed after +that. It was called each time a reset was required instead of just +ahci_reset_controller(). This patch puts the function back in place. + +Fixes: c312ef176399 ("libata/ahci: Drop PCS quirk for Denverton and beyond") +Signed-off-by: Adam Vodopjan +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 32 +++++++++++++++++++++++--------- + 1 file changed, 23 insertions(+), 9 deletions(-) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 639de2d75d63..53ab2306da00 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -84,6 +84,7 @@ enum board_ids { + static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent); + static void ahci_remove_one(struct pci_dev *dev); + static void ahci_shutdown_one(struct pci_dev *dev); ++static void ahci_intel_pcs_quirk(struct pci_dev *pdev, struct ahci_host_priv *hpriv); + static int ahci_vt8251_hardreset(struct ata_link *link, unsigned int *class, + unsigned long deadline); + static int ahci_avn_hardreset(struct ata_link *link, unsigned int *class, +@@ -677,6 +678,25 @@ static void ahci_pci_save_initial_config(struct pci_dev *pdev, + ahci_save_initial_config(&pdev->dev, hpriv); + } + ++static int ahci_pci_reset_controller(struct ata_host *host) ++{ ++ struct pci_dev *pdev = to_pci_dev(host->dev); ++ struct ahci_host_priv *hpriv = host->private_data; ++ int rc; ++ ++ rc = ahci_reset_controller(host); ++ if (rc) ++ return rc; ++ ++ /* ++ * If platform firmware failed to enable ports, try to enable ++ * them here. ++ */ ++ ahci_intel_pcs_quirk(pdev, hpriv); ++ ++ return 0; ++} ++ + static void ahci_pci_init_controller(struct ata_host *host) + { + struct ahci_host_priv *hpriv = host->private_data; +@@ -871,7 +891,7 @@ static int ahci_pci_device_runtime_resume(struct device *dev) + struct ata_host *host = pci_get_drvdata(pdev); + int rc; + +- rc = ahci_reset_controller(host); ++ rc = ahci_pci_reset_controller(host); + if (rc) + return rc; + ahci_pci_init_controller(host); +@@ -907,7 +927,7 @@ static int ahci_pci_device_resume(struct device *dev) + ahci_mcp89_apple_enable(pdev); + + if (pdev->dev.power.power_state.event == PM_EVENT_SUSPEND) { +- rc = ahci_reset_controller(host); ++ rc = ahci_pci_reset_controller(host); + if (rc) + return rc; + +@@ -1785,12 +1805,6 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + /* save initial config */ + ahci_pci_save_initial_config(pdev, hpriv); + +- /* +- * If platform firmware failed to enable ports, try to enable +- * them here. +- */ +- ahci_intel_pcs_quirk(pdev, hpriv); +- + /* prepare host */ + if (hpriv->cap & HOST_CAP_NCQ) { + pi.flags |= ATA_FLAG_NCQ; +@@ -1900,7 +1914,7 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + if (rc) + return rc; + +- rc = ahci_reset_controller(host); ++ rc = ahci_pci_reset_controller(host); + if (rc) + return rc; + +-- +2.35.1 + diff --git a/queue-6.1/block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch b/queue-6.1/block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch new file mode 100644 index 00000000000..ec33e548192 --- /dev/null +++ b/queue-6.1/block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch @@ -0,0 +1,42 @@ +From 7845ea3d0a08bae94dca4f0c22b1664dd73d538d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Dec 2022 11:06:05 +0800 +Subject: block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq + +From: Yu Kuai + +[ Upstream commit 246cf66e300b76099b5dbd3fdd39e9a5dbc53f02 ] + +Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") +will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq() +can free bfqq first, and then call bic_set_bfqq(), which will cause uaf. + +Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq(). + +Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") +Reported-by: Yi Zhang +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20221226030605.1437081-1-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 3e3bd1a46646..7b894df32e32 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -5383,8 +5383,8 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync) + unsigned long flags; + + spin_lock_irqsave(&bfqd->lock, flags); +- bfq_exit_bfqq(bfqd, bfqq); + bic_set_bfqq(bic, NULL, is_sync); ++ bfq_exit_bfqq(bfqd, bfqq); + spin_unlock_irqrestore(&bfqd->lock, flags); + } + } +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-add-null-pointer-check-for-inode-operations.patch b/queue-6.1/fs-ntfs3-add-null-pointer-check-for-inode-operations.patch new file mode 100644 index 00000000000..0193d3fcdd4 --- /dev/null +++ b/queue-6.1/fs-ntfs3-add-null-pointer-check-for-inode-operations.patch @@ -0,0 +1,108 @@ +From 6a9c1ba656823348bb20d1971a26f0228cb9b5b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 09:03:10 +0800 +Subject: fs/ntfs3: Add null pointer check for inode operations + +From: Edward Lo + +[ Upstream commit c1ca8ef0262b25493631ecbd9cb8c9893e1481a1 ] + +This adds a sanity check for the i_op pointer of the inode which is +returned after reading Root directory MFT record. We should check the +i_op is valid before trying to create the root dentry, otherwise we may +encounter a NPD while mounting a image with a funny Root directory MFT +record. + +[ 114.484325] BUG: kernel NULL pointer dereference, address: 0000000000000008 +[ 114.484811] #PF: supervisor read access in kernel mode +[ 114.485084] #PF: error_code(0x0000) - not-present page +[ 114.485606] PGD 0 P4D 0 +[ 114.485975] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI +[ 114.486570] CPU: 0 PID: 237 Comm: mount Tainted: G B 6.0.0-rc4 #28 +[ 114.486977] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 114.488169] RIP: 0010:d_flags_for_inode+0xe0/0x110 +[ 114.488816] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241 +[ 114.490326] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296 +[ 114.490695] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea +[ 114.490986] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020 +[ 114.491364] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05 +[ 114.491675] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000 +[ 114.491954] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750 +[ 114.492397] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 +[ 114.492797] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 114.493150] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0 +[ 114.493671] Call Trace: +[ 114.493890] +[ 114.494075] __d_instantiate+0x24/0x1c0 +[ 114.494505] d_instantiate.part.0+0x35/0x50 +[ 114.494754] d_make_root+0x53/0x80 +[ 114.494998] ntfs_fill_super+0x1232/0x1b50 +[ 114.495260] ? put_ntfs+0x1d0/0x1d0 +[ 114.495499] ? vsprintf+0x20/0x20 +[ 114.495723] ? set_blocksize+0x95/0x150 +[ 114.495964] get_tree_bdev+0x232/0x370 +[ 114.496272] ? put_ntfs+0x1d0/0x1d0 +[ 114.496502] ntfs_fs_get_tree+0x15/0x20 +[ 114.496859] vfs_get_tree+0x4c/0x130 +[ 114.497099] path_mount+0x654/0xfe0 +[ 114.497507] ? putname+0x80/0xa0 +[ 114.497933] ? finish_automount+0x2e0/0x2e0 +[ 114.498362] ? putname+0x80/0xa0 +[ 114.498571] ? kmem_cache_free+0x1c4/0x440 +[ 114.498819] ? putname+0x80/0xa0 +[ 114.499069] do_mount+0xd6/0xf0 +[ 114.499343] ? path_mount+0xfe0/0xfe0 +[ 114.499683] ? __kasan_check_write+0x14/0x20 +[ 114.500133] __x64_sys_mount+0xca/0x110 +[ 114.500592] do_syscall_64+0x3b/0x90 +[ 114.500930] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 114.501294] RIP: 0033:0x7fdc898e948a +[ 114.501542] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 114.502716] RSP: 002b:00007ffd793e58f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 114.503175] RAX: ffffffffffffffda RBX: 0000564b2228f060 RCX: 00007fdc898e948a +[ 114.503588] RDX: 0000564b2228f260 RSI: 0000564b2228f2e0 RDI: 0000564b22297ce0 +[ 114.504925] RBP: 0000000000000000 R08: 0000564b2228f280 R09: 0000000000000020 +[ 114.505484] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564b22297ce0 +[ 114.505823] R13: 0000564b2228f260 R14: 0000000000000000 R15: 00000000ffffffff +[ 114.506562] +[ 114.506887] Modules linked in: +[ 114.507648] CR2: 0000000000000008 +[ 114.508884] ---[ end trace 0000000000000000 ]--- +[ 114.509675] RIP: 0010:d_flags_for_inode+0xe0/0x110 +[ 114.510140] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241 +[ 114.511762] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296 +[ 114.512401] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea +[ 114.513103] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020 +[ 114.513512] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05 +[ 114.513831] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000 +[ 114.514757] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750 +[ 114.515411] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 +[ 114.515794] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 114.516208] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0 + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/super.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c +index 170682c2bf67..94f9e4b775a7 100644 +--- a/fs/ntfs3/super.c ++++ b/fs/ntfs3/super.c +@@ -1260,9 +1260,9 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc) + ref.low = cpu_to_le32(MFT_REC_ROOT); + ref.seq = cpu_to_le16(MFT_REC_ROOT); + inode = ntfs_iget5(sb, &ref, &NAME_ROOT); +- if (IS_ERR(inode)) { ++ if (IS_ERR(inode) || !inode->i_op) { + ntfs_err(sb, "Failed to load root."); +- err = PTR_ERR(inode); ++ err = IS_ERR(inode) ? PTR_ERR(inode) : -EINVAL; + goto out; + } + +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-add-null-pointer-check-to-attr_load_runs_vc.patch b/queue-6.1/fs-ntfs3-add-null-pointer-check-to-attr_load_runs_vc.patch new file mode 100644 index 00000000000..87b38671f4b --- /dev/null +++ b/queue-6.1/fs-ntfs3-add-null-pointer-check-to-attr_load_runs_vc.patch @@ -0,0 +1,121 @@ +From 7712386635bf21ad1036760fdb0aa2d8384d7944 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Aug 2022 01:05:18 +0800 +Subject: fs/ntfs3: Add null pointer check to attr_load_runs_vcn + +From: Edward Lo + +[ Upstream commit 2681631c29739509eec59cc0b34e977bb04c6cf1 ] + +Some metadata files are handled before MFT. This adds a null pointer +check for some corner cases that could lead to NPD while reading these +metadata files for a malformed NTFS image. + +[ 240.190827] BUG: kernel NULL pointer dereference, address: 0000000000000158 +[ 240.191583] #PF: supervisor read access in kernel mode +[ 240.191956] #PF: error_code(0x0000) - not-present page +[ 240.192391] PGD 0 P4D 0 +[ 240.192897] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI +[ 240.193805] CPU: 0 PID: 242 Comm: mount Tainted: G B 5.19.0+ #17 +[ 240.194477] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 240.195152] RIP: 0010:ni_find_attr+0xae/0x300 +[ 240.195679] Code: c8 48 c7 45 88 c0 4e 5e 86 c7 00 f1 f1 f1 f1 c7 40 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 e2 d9f +[ 240.196642] RSP: 0018:ffff88800812f690 EFLAGS: 00000286 +[ 240.197019] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff85ef037a +[ 240.197523] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff88e95f60 +[ 240.197877] RBP: ffff88800812f738 R08: 0000000000000001 R09: fffffbfff11d2bed +[ 240.198292] R10: ffffffff88e95f67 R11: fffffbfff11d2bec R12: 0000000000000000 +[ 240.198647] R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000 +[ 240.199410] FS: 00007f233c33be40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 +[ 240.199895] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 240.200314] CR2: 0000000000000158 CR3: 0000000004d32000 CR4: 00000000000006f0 +[ 240.200839] Call Trace: +[ 240.201104] +[ 240.201502] ? ni_load_mi+0x80/0x80 +[ 240.202297] ? ___slab_alloc+0x465/0x830 +[ 240.202614] attr_load_runs_vcn+0x8c/0x1a0 +[ 240.202886] ? __kasan_slab_alloc+0x32/0x90 +[ 240.203157] ? attr_data_write_resident+0x250/0x250 +[ 240.203543] mi_read+0x133/0x2c0 +[ 240.203785] mi_get+0x70/0x140 +[ 240.204012] ni_load_mi_ex+0xfa/0x190 +[ 240.204346] ? ni_std5+0x90/0x90 +[ 240.204588] ? __kasan_kmalloc+0x88/0xb0 +[ 240.204859] ni_enum_attr_ex+0xf1/0x1c0 +[ 240.205107] ? ni_fname_type.part.0+0xd0/0xd0 +[ 240.205600] ? ntfs_load_attr_list+0xbe/0x300 +[ 240.205864] ? ntfs_cmp_names_cpu+0x125/0x180 +[ 240.206157] ntfs_iget5+0x56c/0x1870 +[ 240.206510] ? ntfs_get_block_bmap+0x70/0x70 +[ 240.206776] ? __kasan_kmalloc+0x88/0xb0 +[ 240.207030] ? set_blocksize+0x95/0x150 +[ 240.207545] ntfs_fill_super+0xb8f/0x1e20 +[ 240.207839] ? put_ntfs+0x1d0/0x1d0 +[ 240.208069] ? vsprintf+0x20/0x20 +[ 240.208467] ? mutex_unlock+0x81/0xd0 +[ 240.208846] ? set_blocksize+0x95/0x150 +[ 240.209221] get_tree_bdev+0x232/0x370 +[ 240.209804] ? put_ntfs+0x1d0/0x1d0 +[ 240.210519] ntfs_fs_get_tree+0x15/0x20 +[ 240.210991] vfs_get_tree+0x4c/0x130 +[ 240.211455] path_mount+0x645/0xfd0 +[ 240.211806] ? putname+0x80/0xa0 +[ 240.212112] ? finish_automount+0x2e0/0x2e0 +[ 240.212559] ? kmem_cache_free+0x110/0x390 +[ 240.212906] ? putname+0x80/0xa0 +[ 240.213329] do_mount+0xd6/0xf0 +[ 240.213829] ? path_mount+0xfd0/0xfd0 +[ 240.214246] ? __kasan_check_write+0x14/0x20 +[ 240.214774] __x64_sys_mount+0xca/0x110 +[ 240.215080] do_syscall_64+0x3b/0x90 +[ 240.215442] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 240.215811] RIP: 0033:0x7f233b4e948a +[ 240.216104] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 240.217615] RSP: 002b:00007fff02211ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 240.218718] RAX: ffffffffffffffda RBX: 0000561cdc35b060 RCX: 00007f233b4e948a +[ 240.219556] RDX: 0000561cdc35b260 RSI: 0000561cdc35b2e0 RDI: 0000561cdc363af0 +[ 240.219975] RBP: 0000000000000000 R08: 0000561cdc35b280 R09: 0000000000000020 +[ 240.220403] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000561cdc363af0 +[ 240.220803] R13: 0000561cdc35b260 R14: 0000000000000000 R15: 00000000ffffffff +[ 240.221256] +[ 240.221567] Modules linked in: +[ 240.222028] CR2: 0000000000000158 +[ 240.223291] ---[ end trace 0000000000000000 ]--- +[ 240.223669] RIP: 0010:ni_find_attr+0xae/0x300 +[ 240.224058] Code: c8 48 c7 45 88 c0 4e 5e 86 c7 00 f1 f1 f1 f1 c7 40 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 e2 d9f +[ 240.225033] RSP: 0018:ffff88800812f690 EFLAGS: 00000286 +[ 240.225968] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff85ef037a +[ 240.226624] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff88e95f60 +[ 240.227307] RBP: ffff88800812f738 R08: 0000000000000001 R09: fffffbfff11d2bed +[ 240.227816] R10: ffffffff88e95f67 R11: fffffbfff11d2bec R12: 0000000000000000 +[ 240.228330] R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000 +[ 240.228729] FS: 00007f233c33be40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 +[ 240.229281] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 240.230298] CR2: 0000000000000158 CR3: 0000000004d32000 CR4: 00000000000006f0 + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/attrib.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c +index 0d354560d323..578c2bcfb1d9 100644 +--- a/fs/ntfs3/attrib.c ++++ b/fs/ntfs3/attrib.c +@@ -1221,6 +1221,11 @@ int attr_load_runs_vcn(struct ntfs_inode *ni, enum ATTR_TYPE type, + CLST svcn, evcn; + u16 ro; + ++ if (!ni) { ++ /* Is record corrupted? */ ++ return -ENOENT; ++ } ++ + attr = ni_find_attr(ni, NULL, NULL, type, name, name_len, &vcn, NULL); + if (!attr) { + /* Is record corrupted? */ +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-add-overflow-check-for-attribute-size.patch b/queue-6.1/fs-ntfs3-add-overflow-check-for-attribute-size.patch new file mode 100644 index 00000000000..57c61a99827 --- /dev/null +++ b/queue-6.1/fs-ntfs3-add-overflow-check-for-attribute-size.patch @@ -0,0 +1,102 @@ +From cd4d9126f0300f4c22edb72020555737e1657a25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 18:20:51 +0800 +Subject: fs/ntfs3: Add overflow check for attribute size + +From: edward lo + +[ Upstream commit e19c6277652efba203af4ecd8eed4bd30a0054c9 ] + +The offset addition could overflow and pass the used size check given an +attribute with very large size (e.g., 0xffffff7f) while parsing MFT +attributes. This could lead to out-of-bound memory R/W if we try to +access the next attribute derived by Add2Ptr(attr, asize) + +[ 32.963847] BUG: unable to handle page fault for address: ffff956a83c76067 +[ 32.964301] #PF: supervisor read access in kernel mode +[ 32.964526] #PF: error_code(0x0000) - not-present page +[ 32.964893] PGD 4dc01067 P4D 4dc01067 PUD 0 +[ 32.965316] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 32.965727] CPU: 0 PID: 243 Comm: mount Not tainted 5.19.0+ #6 +[ 32.966050] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 32.966628] RIP: 0010:mi_enum_attr+0x44/0x110 +[ 32.967239] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a +[ 32.968101] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283 +[ 32.968364] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f +[ 32.968651] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8 +[ 32.968963] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f +[ 32.969249] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000 +[ 32.969870] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170 +[ 32.970655] FS: 00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000 +[ 32.971098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 32.971378] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0 +[ 32.972098] Call Trace: +[ 32.972842] +[ 32.973341] ni_enum_attr_ex+0xda/0xf0 +[ 32.974087] ntfs_iget5+0x1db/0xde0 +[ 32.974386] ? slab_post_alloc_hook+0x53/0x270 +[ 32.974778] ? ntfs_fill_super+0x4c7/0x12a0 +[ 32.975115] ntfs_fill_super+0x5d6/0x12a0 +[ 32.975336] get_tree_bdev+0x175/0x270 +[ 32.975709] ? put_ntfs+0x150/0x150 +[ 32.975956] ntfs_fs_get_tree+0x15/0x20 +[ 32.976191] vfs_get_tree+0x2a/0xc0 +[ 32.976374] ? capable+0x19/0x20 +[ 32.976572] path_mount+0x484/0xaa0 +[ 32.977025] ? putname+0x57/0x70 +[ 32.977380] do_mount+0x80/0xa0 +[ 32.977555] __x64_sys_mount+0x8b/0xe0 +[ 32.978105] do_syscall_64+0x3b/0x90 +[ 32.978830] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 32.979311] RIP: 0033:0x7fdab72e948a +[ 32.980015] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 32.981251] RSP: 002b:00007ffd15b87588 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 32.981832] RAX: ffffffffffffffda RBX: 0000557de0aaf060 RCX: 00007fdab72e948a +[ 32.982234] RDX: 0000557de0aaf260 RSI: 0000557de0aaf2e0 RDI: 0000557de0ab7ce0 +[ 32.982714] RBP: 0000000000000000 R08: 0000557de0aaf280 R09: 0000000000000020 +[ 32.983046] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000557de0ab7ce0 +[ 32.983494] R13: 0000557de0aaf260 R14: 0000000000000000 R15: 00000000ffffffff +[ 32.984094] +[ 32.984352] Modules linked in: +[ 32.984753] CR2: ffff956a83c76067 +[ 32.985911] ---[ end trace 0000000000000000 ]--- +[ 32.986555] RIP: 0010:mi_enum_attr+0x44/0x110 +[ 32.987217] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a +[ 32.988232] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283 +[ 32.988532] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f +[ 32.988916] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8 +[ 32.989356] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f +[ 32.989994] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000 +[ 32.990415] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170 +[ 32.991011] FS: 00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000 +[ 32.991524] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 32.991936] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0 + +This patch adds an overflow check + +Signed-off-by: edward lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/record.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c +index 7d2fac5ee215..9f81944441ae 100644 +--- a/fs/ntfs3/record.c ++++ b/fs/ntfs3/record.c +@@ -220,6 +220,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + return NULL; + } + ++ if (off + asize < off) { ++ /* overflow check */ ++ return NULL; ++ } ++ + attr = Add2Ptr(attr, asize); + off += asize; + } +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-delete-duplicate-condition-in-ntfs_read_mft.patch b/queue-6.1/fs-ntfs3-delete-duplicate-condition-in-ntfs_read_mft.patch new file mode 100644 index 00000000000..0f329da610f --- /dev/null +++ b/queue-6.1/fs-ntfs3-delete-duplicate-condition-in-ntfs_read_mft.patch @@ -0,0 +1,44 @@ +From c33b3a1283a1930809f5c08123864f36ec92cce6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Oct 2022 11:28:55 +0300 +Subject: fs/ntfs3: Delete duplicate condition in ntfs_read_mft() + +From: Dan Carpenter + +[ Upstream commit 658015167a8432b88f5d032e9d85d8fd50e5bf2c ] + +There were two patches which addressed the same bug and added the same +condition: + +commit 6db620863f85 ("fs/ntfs3: Validate data run offset") +commit 887bfc546097 ("fs/ntfs3: Fix slab-out-of-bounds read in run_unpack") + +Delete one condition. + +Signed-off-by: Dan Carpenter +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/inode.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index d98d047c778c..e352aa37330c 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -374,12 +374,6 @@ static struct inode *ntfs_read_mft(struct inode *inode, + + t64 = le64_to_cpu(attr->nres.svcn); + +- /* offset to packed runs is out-of-bounds */ +- if (roff > asize) { +- err = -EINVAL; +- goto out; +- } +- + err = run_unpack_ex(run, sbi, ino, t64, le64_to_cpu(attr->nres.evcn), + t64, Add2Ptr(attr, roff), asize - roff); + if (err < 0) +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-fix-memory-leak-on-ntfs_fill_super-error-pa.patch b/queue-6.1/fs-ntfs3-fix-memory-leak-on-ntfs_fill_super-error-pa.patch new file mode 100644 index 00000000000..0bd293b7618 --- /dev/null +++ b/queue-6.1/fs-ntfs3-fix-memory-leak-on-ntfs_fill_super-error-pa.patch @@ -0,0 +1,51 @@ +From 2442bff16553b4c1a234af3713d081f4458720be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 19:32:05 +0900 +Subject: fs/ntfs3: Fix memory leak on ntfs_fill_super() error path + +From: Shigeru Yoshida + +[ Upstream commit 51e76a232f8c037f1d9e9922edc25b003d5f3414 ] + +syzbot reported kmemleak as below: + +BUG: memory leak +unreferenced object 0xffff8880122f1540 (size 32): + comm "a.out", pid 6664, jiffies 4294939771 (age 25.500s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 ed ff ed ff 00 00 00 00 ................ + backtrace: + [] ntfs_init_fs_context+0x22/0x1c0 + [] alloc_fs_context+0x217/0x430 + [] path_mount+0x704/0x1080 + [] __x64_sys_mount+0x18c/0x1d0 + [] do_syscall_64+0x34/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +This patch fixes this issue by freeing mount options on error path of +ntfs_fill_super(). + +Reported-by: syzbot+9d67170b20e8f94351c8@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/super.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c +index a0cea3b7526e..170682c2bf67 100644 +--- a/fs/ntfs3/super.c ++++ b/fs/ntfs3/super.c +@@ -1281,6 +1281,7 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc) + * Free resources here. + * ntfs_fs_free will be called with fc->s_fs_info = NULL + */ ++ put_mount_options(sbi->options); + put_ntfs(sbi); + sb->s_fs_info = NULL; + +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-fix-slab-out-of-bounds-in-r_page.patch b/queue-6.1/fs-ntfs3-fix-slab-out-of-bounds-in-r_page.patch new file mode 100644 index 00000000000..b5cd411b4ad --- /dev/null +++ b/queue-6.1/fs-ntfs3-fix-slab-out-of-bounds-in-r_page.patch @@ -0,0 +1,99 @@ +From aa70156771fe74c36c40ced3732b4c919b81d3e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 10:40:45 +0800 +Subject: fs/ntfs3: Fix slab-out-of-bounds in r_page + +From: Yin Xiujiang + +[ Upstream commit ecfbd57cf9c5ca225184ae266ce44ae473792132 ] + +When PAGE_SIZE is 64K, if read_log_page is called by log_read_rst for +the first time, the size of *buffer would be equal to +DefaultLogPageSize(4K).But for *buffer operations like memcpy, +if the memory area size(n) which being assigned to buffer is larger +than 4K (log->page_size(64K) or bytes(64K-page_off)), it will cause +an out of boundary error. + Call trace: + [...] + kasan_report+0x44/0x130 + check_memory_region+0xf8/0x1a0 + memcpy+0xc8/0x100 + ntfs_read_run_nb+0x20c/0x460 + read_log_page+0xd0/0x1f4 + log_read_rst+0x110/0x75c + log_replay+0x1e8/0x4aa0 + ntfs_loadlog_and_replay+0x290/0x2d0 + ntfs_fill_super+0x508/0xec0 + get_tree_bdev+0x1fc/0x34c + [...] + +Fix this by setting variable r_page to NULL in log_read_rst. + +Signed-off-by: Yin Xiujiang +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/fslog.c | 26 ++------------------------ + 1 file changed, 2 insertions(+), 24 deletions(-) + +diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c +index a85f5411aa74..c662d2a51907 100644 +--- a/fs/ntfs3/fslog.c ++++ b/fs/ntfs3/fslog.c +@@ -1132,7 +1132,7 @@ static int read_log_page(struct ntfs_log *log, u32 vbo, + return -EINVAL; + + if (!*buffer) { +- to_free = kmalloc(bytes, GFP_NOFS); ++ to_free = kmalloc(log->page_size, GFP_NOFS); + if (!to_free) + return -ENOMEM; + *buffer = to_free; +@@ -1180,10 +1180,7 @@ static int log_read_rst(struct ntfs_log *log, u32 l_size, bool first, + struct restart_info *info) + { + u32 skip, vbo; +- struct RESTART_HDR *r_page = kmalloc(DefaultLogPageSize, GFP_NOFS); +- +- if (!r_page) +- return -ENOMEM; ++ struct RESTART_HDR *r_page = NULL; + + /* Determine which restart area we are looking for. */ + if (first) { +@@ -1197,7 +1194,6 @@ static int log_read_rst(struct ntfs_log *log, u32 l_size, bool first, + /* Loop continuously until we succeed. */ + for (; vbo < l_size; vbo = 2 * vbo + skip, skip = 0) { + bool usa_error; +- u32 sys_page_size; + bool brst, bchk; + struct RESTART_AREA *ra; + +@@ -1251,24 +1247,6 @@ static int log_read_rst(struct ntfs_log *log, u32 l_size, bool first, + goto check_result; + } + +- /* Read the entire restart area. */ +- sys_page_size = le32_to_cpu(r_page->sys_page_size); +- if (DefaultLogPageSize != sys_page_size) { +- kfree(r_page); +- r_page = kzalloc(sys_page_size, GFP_NOFS); +- if (!r_page) +- return -ENOMEM; +- +- if (read_log_page(log, vbo, +- (struct RECORD_PAGE_HDR **)&r_page, +- &usa_error)) { +- /* Ignore any errors. */ +- kfree(r_page); +- r_page = NULL; +- continue; +- } +- } +- + if (is_client_area_valid(r_page, usa_error)) { + info->valid_page = true; + ra = Add2Ptr(r_page, le16_to_cpu(r_page->ra_off)); +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-fix-slab-out-of-bounds-read-in-run_unpack.patch b/queue-6.1/fs-ntfs3-fix-slab-out-of-bounds-read-in-run_unpack.patch new file mode 100644 index 00000000000..491a6770428 --- /dev/null +++ b/queue-6.1/fs-ntfs3-fix-slab-out-of-bounds-read-in-run_unpack.patch @@ -0,0 +1,102 @@ +From a9b7a46e8cd1367fe27276e33c9a2454444e08f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Sep 2022 19:09:04 +0800 +Subject: fs/ntfs3: Fix slab-out-of-bounds read in run_unpack + +From: Hawkins Jiawei + +[ Upstream commit 887bfc546097fbe8071dac13b2fef73b77920899 ] + +Syzkaller reports slab-out-of-bounds bug as follows: +================================================================== +BUG: KASAN: slab-out-of-bounds in run_unpack+0x8b7/0x970 fs/ntfs3/run.c:944 +Read of size 1 at addr ffff88801bbdff02 by task syz-executor131/3611 + +[...] +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:317 [inline] + print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 + kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 + run_unpack+0x8b7/0x970 fs/ntfs3/run.c:944 + run_unpack_ex+0xb0/0x7c0 fs/ntfs3/run.c:1057 + ntfs_read_mft fs/ntfs3/inode.c:368 [inline] + ntfs_iget5+0xc20/0x3280 fs/ntfs3/inode.c:501 + ntfs_loadlog_and_replay+0x124/0x5d0 fs/ntfs3/fsntfs.c:272 + ntfs_fill_super+0x1eff/0x37f0 fs/ntfs3/super.c:1018 + get_tree_bdev+0x440/0x760 fs/super.c:1323 + vfs_get_tree+0x89/0x2f0 fs/super.c:1530 + do_new_mount fs/namespace.c:3040 [inline] + path_mount+0x1326/0x1e20 fs/namespace.c:3370 + do_mount fs/namespace.c:3383 [inline] + __do_sys_mount fs/namespace.c:3591 [inline] + __se_sys_mount fs/namespace.c:3568 [inline] + __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + [...] + + +The buggy address belongs to the physical page: +page:ffffea00006ef600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bbd8 +head:ffffea00006ef600 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88801bbdfe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88801bbdfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88801bbdff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88801bbdff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88801bbe0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Kernel will tries to read record and parse MFT from disk in +ntfs_read_mft(). + +Yet the problem is that during enumerating attributes in record, +kernel doesn't check whether run_off field loading from the disk +is a valid value. + +To be more specific, if attr->nres.run_off is larger than attr->size, +kernel will passes an invalid argument run_buf_size in +run_unpack_ex(), which having an integer overflow. Then this invalid +argument will triggers the slab-out-of-bounds Read bug as above. + +This patch solves it by adding the sanity check between +the offset to packed runs and attribute size. + +link: https://lore.kernel.org/all/0000000000009145fc05e94bd5c3@google.com/#t +Reported-and-tested-by: syzbot+8d6fbb27a6aded64b25b@syzkaller.appspotmail.com +Signed-off-by: Hawkins Jiawei +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index c18bedaf228d..d98d047c778c 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -373,6 +373,13 @@ static struct inode *ntfs_read_mft(struct inode *inode, + } + + t64 = le64_to_cpu(attr->nres.svcn); ++ ++ /* offset to packed runs is out-of-bounds */ ++ if (roff > asize) { ++ err = -EINVAL; ++ goto out; ++ } ++ + err = run_unpack_ex(run, sbi, ino, t64, le64_to_cpu(attr->nres.evcn), + t64, Add2Ptr(attr, roff), asize - roff); + if (err < 0) +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_fill_su.patch b/queue-6.1/fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_fill_su.patch new file mode 100644 index 00000000000..2f6d3f810f4 --- /dev/null +++ b/queue-6.1/fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_fill_su.patch @@ -0,0 +1,39 @@ +From 6c62bd45d17c117b2b94ce0f6c38774bed77457c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Oct 2022 23:54:11 +0900 +Subject: fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super() + +From: Tetsuo Handa + +[ Upstream commit 59bfd7a483da36bd202532a3d9ea1f14f3bf3aaf ] + +syzbot is reporting too large allocation at ntfs_fill_super() [1], for a +crafted filesystem can contain bogus inode->i_size. Add __GFP_NOWARN in +order to avoid too large allocation warning, than exhausting memory by +using kvmalloc(). + +Link: https://syzkaller.appspot.com/bug?extid=33f3faaa0c08744f7d40 [1] +Reported-by: syzot +Signed-off-by: Tetsuo Handa +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c +index 94f9e4b775a7..8e2fe0f69203 100644 +--- a/fs/ntfs3/super.c ++++ b/fs/ntfs3/super.c +@@ -1141,7 +1141,7 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc) + goto put_inode_out; + } + bytes = inode->i_size; +- sbi->def_table = t = kmalloc(bytes, GFP_NOFS); ++ sbi->def_table = t = kmalloc(bytes, GFP_NOFS | __GFP_NOWARN); + if (!t) { + err = -ENOMEM; + goto put_inode_out; +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-use-__gfp_nowarn-allocation-at-wnd_init.patch b/queue-6.1/fs-ntfs3-use-__gfp_nowarn-allocation-at-wnd_init.patch new file mode 100644 index 00000000000..176a45debdf --- /dev/null +++ b/queue-6.1/fs-ntfs3-use-__gfp_nowarn-allocation-at-wnd_init.patch @@ -0,0 +1,39 @@ +From a20d88e199f076f2efdd1263f561c607cd6e63b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Oct 2022 23:39:15 +0900 +Subject: fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init() + +From: Tetsuo Handa + +[ Upstream commit 0d0f659bf713662fabed973f9996b8f23c59ca51 ] + +syzbot is reporting too large allocation at wnd_init() [1], for a crafted +filesystem can become wnd->nwnd close to UINT_MAX. Add __GFP_NOWARN in +order to avoid too large allocation warning, than exhausting memory by +using kvcalloc(). + +Link: https://syzkaller.appspot.com/bug?extid=fa4648a5446460b7b963 [1] +Reported-by: syzot +Signed-off-by: Tetsuo Handa +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/bitmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ntfs3/bitmap.c b/fs/ntfs3/bitmap.c +index 1930640be31a..45f95c1cb258 100644 +--- a/fs/ntfs3/bitmap.c ++++ b/fs/ntfs3/bitmap.c +@@ -661,7 +661,7 @@ int wnd_init(struct wnd_bitmap *wnd, struct super_block *sb, size_t nbits) + if (!wnd->bits_last) + wnd->bits_last = wbits; + +- wnd->free_bits = kcalloc(wnd->nwnd, sizeof(u16), GFP_NOFS); ++ wnd->free_bits = kcalloc(wnd->nwnd, sizeof(u16), GFP_NOFS | __GFP_NOWARN); + if (!wnd->free_bits) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-validate-attribute-name-offset.patch b/queue-6.1/fs-ntfs3-validate-attribute-name-offset.patch new file mode 100644 index 00000000000..33a714ed7b4 --- /dev/null +++ b/queue-6.1/fs-ntfs3-validate-attribute-name-offset.patch @@ -0,0 +1,115 @@ +From b8b7d58dfa2bf0ce4de8525cd77ebe93a67cedfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 09:04:00 +0800 +Subject: fs/ntfs3: Validate attribute name offset + +From: Edward Lo + +[ Upstream commit 4f1dc7d9756e66f3f876839ea174df2e656b7f79 ] + +Although the attribute name length is checked before comparing it to +some common names (e.g., $I30), the offset isn't. This adds a sanity +check for the attribute name offset, guarantee the validity and prevent +possible out-of-bound memory accesses. + +[ 191.720056] BUG: unable to handle page fault for address: ffffebde00000008 +[ 191.721060] #PF: supervisor read access in kernel mode +[ 191.721586] #PF: error_code(0x0000) - not-present page +[ 191.722079] PGD 0 P4D 0 +[ 191.722571] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI +[ 191.723179] CPU: 0 PID: 244 Comm: mount Not tainted 6.0.0-rc4 #28 +[ 191.723749] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 191.724832] RIP: 0010:kfree+0x56/0x3b0 +[ 191.725870] Code: 80 48 01 d8 0f 82 65 03 00 00 48 c7 c2 00 00 00 80 48 2b 15 2c 06 dd 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 0a 069 +[ 191.727375] RSP: 0018:ffff8880076f7878 EFLAGS: 00000286 +[ 191.727897] RAX: ffffebde00000000 RBX: 0000000000000040 RCX: ffffffff8528d5b9 +[ 191.728531] RDX: 0000777f80000000 RSI: ffffffff8522d49c RDI: 0000000000000040 +[ 191.729183] RBP: ffff8880076f78a0 R08: 0000000000000000 R09: 0000000000000000 +[ 191.729628] R10: ffff888008949fd8 R11: ffffed10011293fd R12: 0000000000000040 +[ 191.730158] R13: ffff888008949f98 R14: ffff888008949ec0 R15: ffff888008949fb0 +[ 191.730645] FS: 00007f3520cd7e40(0000) GS:ffff88805ba00000(0000) knlGS:0000000000000000 +[ 191.731328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 191.731667] CR2: ffffebde00000008 CR3: 0000000009704000 CR4: 00000000000006f0 +[ 191.732568] Call Trace: +[ 191.733231] +[ 191.733860] kvfree+0x2c/0x40 +[ 191.734632] ni_clear+0x180/0x290 +[ 191.735085] ntfs_evict_inode+0x45/0x70 +[ 191.735495] evict+0x199/0x280 +[ 191.735996] iput.part.0+0x286/0x320 +[ 191.736438] iput+0x32/0x50 +[ 191.736811] iget_failed+0x23/0x30 +[ 191.737270] ntfs_iget5+0x337/0x1890 +[ 191.737629] ? ntfs_clear_mft_tail+0x20/0x260 +[ 191.738201] ? ntfs_get_block_bmap+0x70/0x70 +[ 191.738482] ? ntfs_objid_init+0xf6/0x140 +[ 191.738779] ? ntfs_reparse_init+0x140/0x140 +[ 191.739266] ntfs_fill_super+0x121b/0x1b50 +[ 191.739623] ? put_ntfs+0x1d0/0x1d0 +[ 191.739984] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 +[ 191.740466] ? put_ntfs+0x1d0/0x1d0 +[ 191.740787] ? sb_set_blocksize+0x6a/0x80 +[ 191.741272] get_tree_bdev+0x232/0x370 +[ 191.741829] ? put_ntfs+0x1d0/0x1d0 +[ 191.742669] ntfs_fs_get_tree+0x15/0x20 +[ 191.743132] vfs_get_tree+0x4c/0x130 +[ 191.743457] path_mount+0x654/0xfe0 +[ 191.743938] ? putname+0x80/0xa0 +[ 191.744271] ? finish_automount+0x2e0/0x2e0 +[ 191.744582] ? putname+0x80/0xa0 +[ 191.745053] ? kmem_cache_free+0x1c4/0x440 +[ 191.745403] ? putname+0x80/0xa0 +[ 191.745616] do_mount+0xd6/0xf0 +[ 191.745887] ? path_mount+0xfe0/0xfe0 +[ 191.746287] ? __kasan_check_write+0x14/0x20 +[ 191.746582] __x64_sys_mount+0xca/0x110 +[ 191.746850] do_syscall_64+0x3b/0x90 +[ 191.747122] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 191.747517] RIP: 0033:0x7f351fee948a +[ 191.748332] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 191.749341] RSP: 002b:00007ffd51cf3af8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 191.749960] RAX: ffffffffffffffda RBX: 000055b903733060 RCX: 00007f351fee948a +[ 191.750589] RDX: 000055b903733260 RSI: 000055b9037332e0 RDI: 000055b90373bce0 +[ 191.751115] RBP: 0000000000000000 R08: 000055b903733280 R09: 0000000000000020 +[ 191.751537] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055b90373bce0 +[ 191.751946] R13: 000055b903733260 R14: 0000000000000000 R15: 00000000ffffffff +[ 191.752519] +[ 191.752782] Modules linked in: +[ 191.753785] CR2: ffffebde00000008 +[ 191.754937] ---[ end trace 0000000000000000 ]--- +[ 191.755429] RIP: 0010:kfree+0x56/0x3b0 +[ 191.755725] Code: 80 48 01 d8 0f 82 65 03 00 00 48 c7 c2 00 00 00 80 48 2b 15 2c 06 dd 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 0a 069 +[ 191.756744] RSP: 0018:ffff8880076f7878 EFLAGS: 00000286 +[ 191.757218] RAX: ffffebde00000000 RBX: 0000000000000040 RCX: ffffffff8528d5b9 +[ 191.757580] RDX: 0000777f80000000 RSI: ffffffff8522d49c RDI: 0000000000000040 +[ 191.758016] RBP: ffff8880076f78a0 R08: 0000000000000000 R09: 0000000000000000 +[ 191.758570] R10: ffff888008949fd8 R11: ffffed10011293fd R12: 0000000000000040 +[ 191.758957] R13: ffff888008949f98 R14: ffff888008949ec0 R15: ffff888008949fb0 +[ 191.759317] FS: 00007f3520cd7e40(0000) GS:ffff88805ba00000(0000) knlGS:0000000000000000 +[ 191.759711] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 191.760118] CR2: ffffebde00000008 CR3: 0000000009704000 CR4: 00000000000006f0 + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index b0bc9dee2e2b..c18bedaf228d 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -129,6 +129,9 @@ static struct inode *ntfs_read_mft(struct inode *inode, + rsize = attr->non_res ? 0 : le32_to_cpu(attr->res.data_size); + asize = le32_to_cpu(attr->size); + ++ if (le16_to_cpu(attr->name_off) + attr->name_len > asize) ++ goto out; ++ + switch (attr->type) { + case ATTR_STD: + if (attr->non_res || +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-validate-boot-record_size.patch b/queue-6.1/fs-ntfs3-validate-boot-record_size.patch new file mode 100644 index 00000000000..f5cf4be6e32 --- /dev/null +++ b/queue-6.1/fs-ntfs3-validate-boot-record_size.patch @@ -0,0 +1,100 @@ +From 2ac7af12b3f5db9fa295ef8a13df6a65b897d370 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 15:37:31 +0800 +Subject: fs/ntfs3: Validate BOOT record_size + +From: edward lo + +[ Upstream commit 0b66046266690454dc04e6307bcff4a5605b42a1 ] + +When the NTFS BOOT record_size field < 0, it represents a +shift value. However, there is no sanity check on the shift result +and the sbi->record_bits calculation through blksize_bits() assumes +the size always > 256, which could lead to NPD while mounting a +malformed NTFS image. + +[ 318.675159] BUG: kernel NULL pointer dereference, address: 0000000000000158 +[ 318.675682] #PF: supervisor read access in kernel mode +[ 318.675869] #PF: error_code(0x0000) - not-present page +[ 318.676246] PGD 0 P4D 0 +[ 318.676502] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 318.676934] CPU: 0 PID: 259 Comm: mount Not tainted 5.19.0 #5 +[ 318.677289] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 318.678136] RIP: 0010:ni_find_attr+0x2d/0x1c0 +[ 318.678656] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180 +[ 318.679848] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246 +[ 318.680104] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080 +[ 318.680790] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 318.681679] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +[ 318.682577] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080 +[ 318.683015] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000 +[ 318.683618] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000 +[ 318.684280] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 318.684651] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0 +[ 318.685623] Call Trace: +[ 318.686607] +[ 318.686872] ? ntfs_alloc_inode+0x1a/0x60 +[ 318.687235] attr_load_runs_vcn+0x2b/0xa0 +[ 318.687468] mi_read+0xbb/0x250 +[ 318.687576] ntfs_iget5+0x114/0xd90 +[ 318.687750] ntfs_fill_super+0x588/0x11b0 +[ 318.687953] ? put_ntfs+0x130/0x130 +[ 318.688065] ? snprintf+0x49/0x70 +[ 318.688164] ? put_ntfs+0x130/0x130 +[ 318.688256] get_tree_bdev+0x16a/0x260 +[ 318.688407] vfs_get_tree+0x20/0xb0 +[ 318.688519] path_mount+0x2dc/0x9b0 +[ 318.688877] do_mount+0x74/0x90 +[ 318.689142] __x64_sys_mount+0x89/0xd0 +[ 318.689636] do_syscall_64+0x3b/0x90 +[ 318.689998] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 318.690318] RIP: 0033:0x7fd9e133c48a +[ 318.690687] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 318.691357] RSP: 002b:00007ffd374406c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 318.691632] RAX: ffffffffffffffda RBX: 0000564d0b051080 RCX: 00007fd9e133c48a +[ 318.691920] RDX: 0000564d0b051280 RSI: 0000564d0b051300 RDI: 0000564d0b0596a0 +[ 318.692123] RBP: 0000000000000000 R08: 0000564d0b0512a0 R09: 0000000000000020 +[ 318.692349] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564d0b0596a0 +[ 318.692673] R13: 0000564d0b051280 R14: 0000000000000000 R15: 00000000ffffffff +[ 318.693007] +[ 318.693271] Modules linked in: +[ 318.693614] CR2: 0000000000000158 +[ 318.694446] ---[ end trace 0000000000000000 ]--- +[ 318.694779] RIP: 0010:ni_find_attr+0x2d/0x1c0 +[ 318.694952] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180 +[ 318.696042] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246 +[ 318.696531] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080 +[ 318.698114] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 318.699286] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +[ 318.699795] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080 +[ 318.700236] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000 +[ 318.700973] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000 +[ 318.701688] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 318.702190] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0 +[ 318.726510] mount (259) used greatest stack depth: 13320 bytes left + +This patch adds a sanity check. + +Signed-off-by: edward lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c +index adc4f73722b7..a0cea3b7526e 100644 +--- a/fs/ntfs3/super.c ++++ b/fs/ntfs3/super.c +@@ -789,7 +789,7 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, + : (u32)boot->record_size + << sbi->cluster_bits; + +- if (record_size > MAXIMUM_BYTES_PER_MFT) ++ if (record_size > MAXIMUM_BYTES_PER_MFT || record_size < SECTOR_SIZE) + goto out; + + sbi->record_bits = blksize_bits(record_size); +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-validate-buffer-length-while-parsing-index.patch b/queue-6.1/fs-ntfs3-validate-buffer-length-while-parsing-index.patch new file mode 100644 index 00000000000..befe9190f72 --- /dev/null +++ b/queue-6.1/fs-ntfs3-validate-buffer-length-while-parsing-index.patch @@ -0,0 +1,161 @@ +From c055a8cde7fdcaa011625ca871995acebe7200c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 15:30:44 +0800 +Subject: fs/ntfs3: Validate buffer length while parsing index + +From: Edward Lo + +[ Upstream commit 4d42ecda239cc13738d6fd84d098a32e67b368b9 ] + +indx_read is called when we have some NTFS directory operations that +need more information from the index buffers. This adds a sanity check +to make sure the returned index buffer length is legit, or we may have +some out-of-bound memory accesses. + +[ 560.897595] BUG: KASAN: slab-out-of-bounds in hdr_find_e.isra.0+0x10c/0x320 +[ 560.898321] Read of size 2 at addr ffff888009497238 by task exp/245 +[ 560.898760] +[ 560.899129] CPU: 0 PID: 245 Comm: exp Not tainted 6.0.0-rc6 #37 +[ 560.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 560.900170] Call Trace: +[ 560.900407] +[ 560.900732] dump_stack_lvl+0x49/0x63 +[ 560.901108] print_report.cold+0xf5/0x689 +[ 560.901395] ? hdr_find_e.isra.0+0x10c/0x320 +[ 560.901716] kasan_report+0xa7/0x130 +[ 560.901950] ? hdr_find_e.isra.0+0x10c/0x320 +[ 560.902208] __asan_load2+0x68/0x90 +[ 560.902427] hdr_find_e.isra.0+0x10c/0x320 +[ 560.902846] ? cmp_uints+0xe0/0xe0 +[ 560.903363] ? cmp_sdh+0x90/0x90 +[ 560.903883] ? ntfs_bread_run+0x190/0x190 +[ 560.904196] ? rwsem_down_read_slowpath+0x750/0x750 +[ 560.904969] ? ntfs_fix_post_read+0xe0/0x130 +[ 560.905259] ? __kasan_check_write+0x14/0x20 +[ 560.905599] ? up_read+0x1a/0x90 +[ 560.905853] ? indx_read+0x22c/0x380 +[ 560.906096] indx_find+0x2ef/0x470 +[ 560.906352] ? indx_find_buffer+0x2d0/0x2d0 +[ 560.906692] ? __kasan_kmalloc+0x88/0xb0 +[ 560.906977] dir_search_u+0x196/0x2f0 +[ 560.907220] ? ntfs_nls_to_utf16+0x450/0x450 +[ 560.907464] ? __kasan_check_write+0x14/0x20 +[ 560.907747] ? mutex_lock+0x8f/0xe0 +[ 560.907970] ? __mutex_lock_slowpath+0x20/0x20 +[ 560.908214] ? kmem_cache_alloc+0x143/0x4b0 +[ 560.908459] ntfs_lookup+0xe0/0x100 +[ 560.908788] __lookup_slow+0x116/0x220 +[ 560.909050] ? lookup_fast+0x1b0/0x1b0 +[ 560.909309] ? lookup_fast+0x13f/0x1b0 +[ 560.909601] walk_component+0x187/0x230 +[ 560.909944] link_path_walk.part.0+0x3f0/0x660 +[ 560.910285] ? handle_lookup_down+0x90/0x90 +[ 560.910618] ? path_init+0x642/0x6e0 +[ 560.911084] ? percpu_counter_add_batch+0x6e/0xf0 +[ 560.912559] ? __alloc_file+0x114/0x170 +[ 560.913008] path_openat+0x19c/0x1d10 +[ 560.913419] ? getname_flags+0x73/0x2b0 +[ 560.913815] ? kasan_save_stack+0x3a/0x50 +[ 560.914125] ? kasan_save_stack+0x26/0x50 +[ 560.914542] ? __kasan_slab_alloc+0x6d/0x90 +[ 560.914924] ? kmem_cache_alloc+0x143/0x4b0 +[ 560.915339] ? getname_flags+0x73/0x2b0 +[ 560.915647] ? getname+0x12/0x20 +[ 560.916114] ? __x64_sys_open+0x4c/0x60 +[ 560.916460] ? path_lookupat.isra.0+0x230/0x230 +[ 560.916867] ? __isolate_free_page+0x2e0/0x2e0 +[ 560.917194] do_filp_open+0x15c/0x1f0 +[ 560.917448] ? may_open_dev+0x60/0x60 +[ 560.917696] ? expand_files+0xa4/0x3a0 +[ 560.917923] ? __kasan_check_write+0x14/0x20 +[ 560.918185] ? _raw_spin_lock+0x88/0xdb +[ 560.918409] ? _raw_spin_lock_irqsave+0x100/0x100 +[ 560.918783] ? _find_next_bit+0x4a/0x130 +[ 560.919026] ? _raw_spin_unlock+0x19/0x40 +[ 560.919276] ? alloc_fd+0x14b/0x2d0 +[ 560.919635] do_sys_openat2+0x32a/0x4b0 +[ 560.920035] ? file_open_root+0x230/0x230 +[ 560.920336] ? __rcu_read_unlock+0x5b/0x280 +[ 560.920813] do_sys_open+0x99/0xf0 +[ 560.921208] ? filp_open+0x60/0x60 +[ 560.921482] ? exit_to_user_mode_prepare+0x49/0x180 +[ 560.921867] __x64_sys_open+0x4c/0x60 +[ 560.922128] do_syscall_64+0x3b/0x90 +[ 560.922369] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 560.923030] RIP: 0033:0x7f7dff2e4469 +[ 560.923681] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 +[ 560.924451] RSP: 002b:00007ffd41a210b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000002 +[ 560.925168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dff2e4469 +[ 560.925655] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffd41a211f0 +[ 560.926085] RBP: 00007ffd41a252a0 R08: 00007f7dff60fba0 R09: 00007ffd41a25388 +[ 560.926405] R10: 0000000000400b80 R11: 0000000000000206 R12: 00000000004004e0 +[ 560.926867] R13: 00007ffd41a25380 R14: 0000000000000000 R15: 0000000000000000 +[ 560.927241] +[ 560.927491] +[ 560.927755] Allocated by task 245: +[ 560.928409] kasan_save_stack+0x26/0x50 +[ 560.929271] __kasan_kmalloc+0x88/0xb0 +[ 560.929778] __kmalloc+0x192/0x320 +[ 560.930023] indx_read+0x249/0x380 +[ 560.930224] indx_find+0x2a2/0x470 +[ 560.930695] dir_search_u+0x196/0x2f0 +[ 560.930892] ntfs_lookup+0xe0/0x100 +[ 560.931115] __lookup_slow+0x116/0x220 +[ 560.931323] walk_component+0x187/0x230 +[ 560.931570] link_path_walk.part.0+0x3f0/0x660 +[ 560.931791] path_openat+0x19c/0x1d10 +[ 560.932008] do_filp_open+0x15c/0x1f0 +[ 560.932226] do_sys_openat2+0x32a/0x4b0 +[ 560.932413] do_sys_open+0x99/0xf0 +[ 560.932709] __x64_sys_open+0x4c/0x60 +[ 560.933417] do_syscall_64+0x3b/0x90 +[ 560.933776] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 560.934235] +[ 560.934486] The buggy address belongs to the object at ffff888009497000 +[ 560.934486] which belongs to the cache kmalloc-512 of size 512 +[ 560.935239] The buggy address is located 56 bytes to the right of +[ 560.935239] 512-byte region [ffff888009497000, ffff888009497200) +[ 560.936153] +[ 560.937326] The buggy address belongs to the physical page: +[ 560.938228] page:0000000062a3dfae refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9496 +[ 560.939616] head:0000000062a3dfae order:1 compound_mapcount:0 compound_pincount:0 +[ 560.940219] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) +[ 560.942702] raw: 000fffffc0010200 ffffea0000164f80 dead000000000005 ffff888001041c80 +[ 560.943932] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 +[ 560.944568] page dumped because: kasan: bad access detected +[ 560.945735] +[ 560.946112] Memory state around the buggy address: +[ 560.946870] ffff888009497100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 560.947242] ffff888009497180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 560.947611] >ffff888009497200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 560.947915] ^ +[ 560.948249] ffff888009497280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 560.948687] ffff888009497300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/index.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c +index 440328147e7e..c27b4fe57513 100644 +--- a/fs/ntfs3/index.c ++++ b/fs/ntfs3/index.c +@@ -1017,6 +1017,12 @@ int indx_read(struct ntfs_index *indx, struct ntfs_inode *ni, CLST vbn, + err = 0; + } + ++ /* check for index header length */ ++ if (offsetof(struct INDEX_BUFFER, ihdr) + ib->ihdr.used > bytes) { ++ err = -EINVAL; ++ goto out; ++ } ++ + in->index = ib; + *node = in; + +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-validate-data-run-offset.patch b/queue-6.1/fs-ntfs3-validate-data-run-offset.patch new file mode 100644 index 00000000000..5a080b2aac2 --- /dev/null +++ b/queue-6.1/fs-ntfs3-validate-data-run-offset.patch @@ -0,0 +1,220 @@ +From 1b3a62def8a2a18e197ea4cecee47757d6a99545 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Aug 2022 00:47:27 +0800 +Subject: fs/ntfs3: Validate data run offset + +From: Edward Lo + +[ Upstream commit 6db620863f8528ed9a9aa5ad323b26554a17881d ] + +This adds sanity checks for data run offset. We should make sure data +run offset is legit before trying to unpack them, otherwise we may +encounter use-after-free or some unexpected memory access behaviors. + +[ 82.940342] BUG: KASAN: use-after-free in run_unpack+0x2e3/0x570 +[ 82.941180] Read of size 1 at addr ffff888008a8487f by task mount/240 +[ 82.941670] +[ 82.942069] CPU: 0 PID: 240 Comm: mount Not tainted 5.19.0+ #15 +[ 82.942482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 82.943720] Call Trace: +[ 82.944204] +[ 82.944471] dump_stack_lvl+0x49/0x63 +[ 82.944908] print_report.cold+0xf5/0x67b +[ 82.945141] ? __wait_on_bit+0x106/0x120 +[ 82.945750] ? run_unpack+0x2e3/0x570 +[ 82.946626] kasan_report+0xa7/0x120 +[ 82.947046] ? run_unpack+0x2e3/0x570 +[ 82.947280] __asan_load1+0x51/0x60 +[ 82.947483] run_unpack+0x2e3/0x570 +[ 82.947709] ? memcpy+0x4e/0x70 +[ 82.947927] ? run_pack+0x7a0/0x7a0 +[ 82.948158] run_unpack_ex+0xad/0x3f0 +[ 82.948399] ? mi_enum_attr+0x14a/0x200 +[ 82.948717] ? run_unpack+0x570/0x570 +[ 82.949072] ? ni_enum_attr_ex+0x1b2/0x1c0 +[ 82.949332] ? ni_fname_type.part.0+0xd0/0xd0 +[ 82.949611] ? mi_read+0x262/0x2c0 +[ 82.949970] ? ntfs_cmp_names_cpu+0x125/0x180 +[ 82.950249] ntfs_iget5+0x632/0x1870 +[ 82.950621] ? ntfs_get_block_bmap+0x70/0x70 +[ 82.951192] ? evict+0x223/0x280 +[ 82.951525] ? iput.part.0+0x286/0x320 +[ 82.951969] ntfs_fill_super+0x1321/0x1e20 +[ 82.952436] ? put_ntfs+0x1d0/0x1d0 +[ 82.952822] ? vsprintf+0x20/0x20 +[ 82.953188] ? mutex_unlock+0x81/0xd0 +[ 82.953379] ? set_blocksize+0x95/0x150 +[ 82.954001] get_tree_bdev+0x232/0x370 +[ 82.954438] ? put_ntfs+0x1d0/0x1d0 +[ 82.954700] ntfs_fs_get_tree+0x15/0x20 +[ 82.955049] vfs_get_tree+0x4c/0x130 +[ 82.955292] path_mount+0x645/0xfd0 +[ 82.955615] ? putname+0x80/0xa0 +[ 82.955955] ? finish_automount+0x2e0/0x2e0 +[ 82.956310] ? kmem_cache_free+0x110/0x390 +[ 82.956723] ? putname+0x80/0xa0 +[ 82.957023] do_mount+0xd6/0xf0 +[ 82.957411] ? path_mount+0xfd0/0xfd0 +[ 82.957638] ? __kasan_check_write+0x14/0x20 +[ 82.957948] __x64_sys_mount+0xca/0x110 +[ 82.958310] do_syscall_64+0x3b/0x90 +[ 82.958719] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 82.959341] RIP: 0033:0x7fd0d1ce948a +[ 82.960193] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 82.961532] RSP: 002b:00007ffe59ff69a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 82.962527] RAX: ffffffffffffffda RBX: 0000564dcc107060 RCX: 00007fd0d1ce948a +[ 82.963266] RDX: 0000564dcc107260 RSI: 0000564dcc1072e0 RDI: 0000564dcc10fce0 +[ 82.963686] RBP: 0000000000000000 R08: 0000564dcc107280 R09: 0000000000000020 +[ 82.964272] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564dcc10fce0 +[ 82.964785] R13: 0000564dcc107260 R14: 0000000000000000 R15: 00000000ffffffff + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/attrib.c | 13 +++++++++++++ + fs/ntfs3/attrlist.c | 5 +++++ + fs/ntfs3/frecord.c | 14 ++++++++++++++ + fs/ntfs3/fslog.c | 9 +++++++++ + fs/ntfs3/inode.c | 5 +++++ + 5 files changed, 46 insertions(+) + +diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c +index 71f870d497ae..0d354560d323 100644 +--- a/fs/ntfs3/attrib.c ++++ b/fs/ntfs3/attrib.c +@@ -101,6 +101,10 @@ static int attr_load_runs(struct ATTRIB *attr, struct ntfs_inode *ni, + + asize = le32_to_cpu(attr->size); + run_off = le16_to_cpu(attr->nres.run_off); ++ ++ if (run_off > asize) ++ return -EINVAL; ++ + err = run_unpack_ex(run, ni->mi.sbi, ni->mi.rno, svcn, evcn, + vcn ? *vcn : svcn, Add2Ptr(attr, run_off), + asize - run_off); +@@ -1232,6 +1236,10 @@ int attr_load_runs_vcn(struct ntfs_inode *ni, enum ATTR_TYPE type, + } + + ro = le16_to_cpu(attr->nres.run_off); ++ ++ if (ro > le32_to_cpu(attr->size)) ++ return -EINVAL; ++ + err = run_unpack_ex(run, ni->mi.sbi, ni->mi.rno, svcn, evcn, svcn, + Add2Ptr(attr, ro), le32_to_cpu(attr->size) - ro); + if (err < 0) +@@ -1901,6 +1909,11 @@ int attr_collapse_range(struct ntfs_inode *ni, u64 vbo, u64 bytes) + u16 le_sz; + u16 roff = le16_to_cpu(attr->nres.run_off); + ++ if (roff > le32_to_cpu(attr->size)) { ++ err = -EINVAL; ++ goto out; ++ } ++ + run_unpack_ex(RUN_DEALLOCATE, sbi, ni->mi.rno, svcn, + evcn1 - 1, svcn, Add2Ptr(attr, roff), + le32_to_cpu(attr->size) - roff); +diff --git a/fs/ntfs3/attrlist.c b/fs/ntfs3/attrlist.c +index bad6d8a849a2..c0c6bcbc8c05 100644 +--- a/fs/ntfs3/attrlist.c ++++ b/fs/ntfs3/attrlist.c +@@ -68,6 +68,11 @@ int ntfs_load_attr_list(struct ntfs_inode *ni, struct ATTRIB *attr) + + run_init(&ni->attr_list.run); + ++ if (run_off > le32_to_cpu(attr->size)) { ++ err = -EINVAL; ++ goto out; ++ } ++ + err = run_unpack_ex(&ni->attr_list.run, ni->mi.sbi, ni->mi.rno, + 0, le64_to_cpu(attr->nres.evcn), 0, + Add2Ptr(attr, run_off), +diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c +index 381a38a06ec2..b1b476fb7229 100644 +--- a/fs/ntfs3/frecord.c ++++ b/fs/ntfs3/frecord.c +@@ -568,6 +568,12 @@ static int ni_repack(struct ntfs_inode *ni) + } + + roff = le16_to_cpu(attr->nres.run_off); ++ ++ if (roff > le32_to_cpu(attr->size)) { ++ err = -EINVAL; ++ break; ++ } ++ + err = run_unpack(&run, sbi, ni->mi.rno, svcn, evcn, svcn, + Add2Ptr(attr, roff), + le32_to_cpu(attr->size) - roff); +@@ -1589,6 +1595,9 @@ int ni_delete_all(struct ntfs_inode *ni) + asize = le32_to_cpu(attr->size); + roff = le16_to_cpu(attr->nres.run_off); + ++ if (roff > asize) ++ return -EINVAL; ++ + /* run==1 means unpack and deallocate. */ + run_unpack_ex(RUN_DEALLOCATE, sbi, ni->mi.rno, svcn, evcn, svcn, + Add2Ptr(attr, roff), asize - roff); +@@ -2291,6 +2300,11 @@ int ni_decompress_file(struct ntfs_inode *ni) + asize = le32_to_cpu(attr->size); + roff = le16_to_cpu(attr->nres.run_off); + ++ if (roff > asize) { ++ err = -EINVAL; ++ goto out; ++ } ++ + /*run==1 Means unpack and deallocate. */ + run_unpack_ex(RUN_DEALLOCATE, sbi, ni->mi.rno, svcn, evcn, svcn, + Add2Ptr(attr, roff), asize - roff); +diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c +index 0d611a6c5511..a85f5411aa74 100644 +--- a/fs/ntfs3/fslog.c ++++ b/fs/ntfs3/fslog.c +@@ -2727,6 +2727,9 @@ static inline bool check_attr(const struct MFT_REC *rec, + return false; + } + ++ if (run_off > asize) ++ return false; ++ + if (run_unpack(NULL, sbi, 0, svcn, evcn, svcn, + Add2Ptr(attr, run_off), asize - run_off) < 0) { + return false; +@@ -4771,6 +4774,12 @@ int log_replay(struct ntfs_inode *ni, bool *initialized) + u16 roff = le16_to_cpu(attr->nres.run_off); + CLST svcn = le64_to_cpu(attr->nres.svcn); + ++ if (roff > t32) { ++ kfree(oa->attr); ++ oa->attr = NULL; ++ goto fake_attr; ++ } ++ + err = run_unpack(&oa->run0, sbi, inode->i_ino, svcn, + le64_to_cpu(attr->nres.evcn), svcn, + Add2Ptr(attr, roff), t32 - roff); +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index d5a3afbbbfd8..b0bc9dee2e2b 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -364,6 +364,11 @@ static struct inode *ntfs_read_mft(struct inode *inode, + attr_unpack_run: + roff = le16_to_cpu(attr->nres.run_off); + ++ if (roff > asize) { ++ err = -EINVAL; ++ goto out; ++ } ++ + t64 = le64_to_cpu(attr->nres.svcn); + err = run_unpack_ex(run, sbi, ino, t64, le64_to_cpu(attr->nres.evcn), + t64, Add2Ptr(attr, roff), asize - roff); +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-validate-index-root-when-initialize-ntfs-se.patch b/queue-6.1/fs-ntfs3-validate-index-root-when-initialize-ntfs-se.patch new file mode 100644 index 00000000000..5bdcd1f93d9 --- /dev/null +++ b/queue-6.1/fs-ntfs3-validate-index-root-when-initialize-ntfs-se.patch @@ -0,0 +1,135 @@ +From e031b05c7103ea7ae0d9d1f08da40209b41934b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 09:58:40 +0800 +Subject: fs/ntfs3: Validate index root when initialize NTFS security + +From: Edward Lo + +[ Upstream commit bfcdbae0523bd95eb75a739ffb6221a37109881e ] + +This enhances the sanity check for $SDH and $SII while initializing NTFS +security, guarantees these index root are legit. + +[ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320 +[ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243 +[ 162.460851] +[ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42 +[ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 162.462609] Call Trace: +[ 162.462954] +[ 162.463276] dump_stack_lvl+0x49/0x63 +[ 162.463822] print_report.cold+0xf5/0x689 +[ 162.464608] ? unwind_get_return_address+0x3a/0x60 +[ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320 +[ 162.466975] kasan_report+0xa7/0x130 +[ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0 +[ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320 +[ 162.468536] __asan_load2+0x68/0x90 +[ 162.468923] hdr_find_e.isra.0+0x10c/0x320 +[ 162.469282] ? cmp_uints+0xe0/0xe0 +[ 162.469557] ? cmp_sdh+0x90/0x90 +[ 162.469864] ? ni_find_attr+0x214/0x300 +[ 162.470217] ? ni_load_mi+0x80/0x80 +[ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 162.470931] ? ntfs_bread_run+0x190/0x190 +[ 162.471307] ? indx_get_root+0xe4/0x190 +[ 162.471556] ? indx_get_root+0x140/0x190 +[ 162.471833] ? indx_init+0x1e0/0x1e0 +[ 162.472069] ? fnd_clear+0x115/0x140 +[ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100 +[ 162.472731] indx_find+0x184/0x470 +[ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0 +[ 162.474429] ? indx_find_buffer+0x2d0/0x2d0 +[ 162.474704] ? do_syscall_64+0x3b/0x90 +[ 162.474962] dir_search_u+0x196/0x2f0 +[ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450 +[ 162.475661] ? ntfs_security_init+0x3d6/0x440 +[ 162.475906] ? is_sd_valid+0x180/0x180 +[ 162.476191] ntfs_extend_init+0x13f/0x2c0 +[ 162.476496] ? ntfs_fix_post_read+0x130/0x130 +[ 162.476861] ? iput.part.0+0x286/0x320 +[ 162.477325] ntfs_fill_super+0x11e0/0x1b50 +[ 162.477709] ? put_ntfs+0x1d0/0x1d0 +[ 162.477970] ? vsprintf+0x20/0x20 +[ 162.478258] ? set_blocksize+0x95/0x150 +[ 162.478538] get_tree_bdev+0x232/0x370 +[ 162.478789] ? put_ntfs+0x1d0/0x1d0 +[ 162.479038] ntfs_fs_get_tree+0x15/0x20 +[ 162.479374] vfs_get_tree+0x4c/0x130 +[ 162.479729] path_mount+0x654/0xfe0 +[ 162.480124] ? putname+0x80/0xa0 +[ 162.480484] ? finish_automount+0x2e0/0x2e0 +[ 162.480894] ? putname+0x80/0xa0 +[ 162.481467] ? kmem_cache_free+0x1c4/0x440 +[ 162.482280] ? putname+0x80/0xa0 +[ 162.482714] do_mount+0xd6/0xf0 +[ 162.483264] ? path_mount+0xfe0/0xfe0 +[ 162.484782] ? __kasan_check_write+0x14/0x20 +[ 162.485593] __x64_sys_mount+0xca/0x110 +[ 162.486024] do_syscall_64+0x3b/0x90 +[ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 162.487141] RIP: 0033:0x7f9d374e948a +[ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a +[ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0 +[ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020 +[ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0 +[ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff +[ 162.493644] +[ 162.493908] +[ 162.494214] The buggy address belongs to the physical page: +[ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc +[ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) +[ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000 +[ 162.498928] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000 +[ 162.500542] page dumped because: kasan: bad access detected +[ 162.501057] +[ 162.501242] Memory state around the buggy address: +[ 162.502230] ffff8880037bc980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.502977] ffff8880037bca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.503522] >ffff8880037bca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.503963] ^ +[ 162.504370] ffff8880037bcb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.504766] ffff8880037bcb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/fsntfs.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c +index 4ed15f64b17f..b6e22bcb929b 100644 +--- a/fs/ntfs3/fsntfs.c ++++ b/fs/ntfs3/fsntfs.c +@@ -1849,9 +1849,10 @@ int ntfs_security_init(struct ntfs_sb_info *sbi) + goto out; + } + +- root_sdh = resident_data(attr); ++ root_sdh = resident_data_ex(attr, sizeof(struct INDEX_ROOT)); + if (root_sdh->type != ATTR_ZERO || +- root_sdh->rule != NTFS_COLLATION_TYPE_SECURITY_HASH) { ++ root_sdh->rule != NTFS_COLLATION_TYPE_SECURITY_HASH || ++ offsetof(struct INDEX_ROOT, ihdr) + root_sdh->ihdr.used > attr->res.data_size) { + err = -EINVAL; + goto out; + } +@@ -1867,9 +1868,10 @@ int ntfs_security_init(struct ntfs_sb_info *sbi) + goto out; + } + +- root_sii = resident_data(attr); ++ root_sii = resident_data_ex(attr, sizeof(struct INDEX_ROOT)); + if (root_sii->type != ATTR_ZERO || +- root_sii->rule != NTFS_COLLATION_TYPE_UINT) { ++ root_sii->rule != NTFS_COLLATION_TYPE_UINT || ++ offsetof(struct INDEX_ROOT, ihdr) + root_sii->ihdr.used > attr->res.data_size) { + err = -EINVAL; + goto out; + } +-- +2.35.1 + diff --git a/queue-6.1/fs-ntfs3-validate-resident-attribute-name.patch b/queue-6.1/fs-ntfs3-validate-resident-attribute-name.patch new file mode 100644 index 00000000000..853aaeefab3 --- /dev/null +++ b/queue-6.1/fs-ntfs3-validate-resident-attribute-name.patch @@ -0,0 +1,173 @@ +From 1a2c214b213a75a568e05dc8559658feb3d2eb6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Sep 2022 00:50:23 +0800 +Subject: fs/ntfs3: Validate resident attribute name + +From: Edward Lo + +[ Upstream commit 54e45702b648b7c0000e90b3e9b890e367e16ea8 ] + +Though we already have some sanity checks while enumerating attributes, +resident attribute names aren't included. This patch checks the resident +attribute names are in the valid ranges. + +[ 259.209031] BUG: KASAN: slab-out-of-bounds in ni_create_attr_list+0x1e1/0x850 +[ 259.210770] Write of size 426 at addr ffff88800632f2b2 by task exp/255 +[ 259.211551] +[ 259.212035] CPU: 0 PID: 255 Comm: exp Not tainted 6.0.0-rc6 #37 +[ 259.212955] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 259.214387] Call Trace: +[ 259.214640] +[ 259.214895] dump_stack_lvl+0x49/0x63 +[ 259.215284] print_report.cold+0xf5/0x689 +[ 259.215565] ? kasan_poison+0x3c/0x50 +[ 259.215778] ? kasan_unpoison+0x28/0x60 +[ 259.215991] ? ni_create_attr_list+0x1e1/0x850 +[ 259.216270] kasan_report+0xa7/0x130 +[ 259.216481] ? ni_create_attr_list+0x1e1/0x850 +[ 259.216719] kasan_check_range+0x15a/0x1d0 +[ 259.216939] memcpy+0x3c/0x70 +[ 259.217136] ni_create_attr_list+0x1e1/0x850 +[ 259.217945] ? __rcu_read_unlock+0x5b/0x280 +[ 259.218384] ? ni_remove_attr+0x2e0/0x2e0 +[ 259.218712] ? kernel_text_address+0xcf/0xe0 +[ 259.219064] ? __kernel_text_address+0x12/0x40 +[ 259.219434] ? arch_stack_walk+0x9e/0xf0 +[ 259.219668] ? __this_cpu_preempt_check+0x13/0x20 +[ 259.219904] ? sysvec_apic_timer_interrupt+0x57/0xc0 +[ 259.220140] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 +[ 259.220561] ni_ins_attr_ext+0x52c/0x5c0 +[ 259.220984] ? ni_create_attr_list+0x850/0x850 +[ 259.221532] ? run_deallocate+0x120/0x120 +[ 259.221972] ? vfs_setxattr+0x128/0x300 +[ 259.222688] ? setxattr+0x126/0x140 +[ 259.222921] ? path_setxattr+0x164/0x180 +[ 259.223431] ? __x64_sys_setxattr+0x6d/0x80 +[ 259.223828] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 259.224417] ? mi_find_attr+0x3c/0xf0 +[ 259.224772] ni_insert_attr+0x1ba/0x420 +[ 259.225216] ? ni_ins_attr_ext+0x5c0/0x5c0 +[ 259.225504] ? ntfs_read_ea+0x119/0x450 +[ 259.225775] ni_insert_resident+0xc0/0x1c0 +[ 259.226316] ? ni_insert_nonresident+0x400/0x400 +[ 259.227001] ? __kasan_kmalloc+0x88/0xb0 +[ 259.227468] ? __kmalloc+0x192/0x320 +[ 259.227773] ntfs_set_ea+0x6bf/0xb30 +[ 259.228216] ? ftrace_graph_ret_addr+0x2a/0xb0 +[ 259.228494] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 259.228838] ? ntfs_read_ea+0x450/0x450 +[ 259.229098] ? is_bpf_text_address+0x24/0x40 +[ 259.229418] ? kernel_text_address+0xcf/0xe0 +[ 259.229681] ? __kernel_text_address+0x12/0x40 +[ 259.229948] ? unwind_get_return_address+0x3a/0x60 +[ 259.230271] ? write_profile+0x270/0x270 +[ 259.230537] ? arch_stack_walk+0x9e/0xf0 +[ 259.230836] ntfs_setxattr+0x114/0x5c0 +[ 259.231099] ? ntfs_set_acl_ex+0x2e0/0x2e0 +[ 259.231529] ? evm_protected_xattr_common+0x6d/0x100 +[ 259.231817] ? posix_xattr_acl+0x13/0x80 +[ 259.232073] ? evm_protect_xattr+0x1f7/0x440 +[ 259.232351] __vfs_setxattr+0xda/0x120 +[ 259.232635] ? xattr_resolve_name+0x180/0x180 +[ 259.232912] __vfs_setxattr_noperm+0x93/0x300 +[ 259.233219] __vfs_setxattr_locked+0x141/0x160 +[ 259.233492] ? kasan_poison+0x3c/0x50 +[ 259.233744] vfs_setxattr+0x128/0x300 +[ 259.234002] ? __vfs_setxattr_locked+0x160/0x160 +[ 259.234837] do_setxattr+0xb8/0x170 +[ 259.235567] ? vmemdup_user+0x53/0x90 +[ 259.236212] setxattr+0x126/0x140 +[ 259.236491] ? do_setxattr+0x170/0x170 +[ 259.236791] ? debug_smp_processor_id+0x17/0x20 +[ 259.237232] ? kasan_quarantine_put+0x57/0x180 +[ 259.237605] ? putname+0x80/0xa0 +[ 259.237870] ? __kasan_slab_free+0x11c/0x1b0 +[ 259.238234] ? putname+0x80/0xa0 +[ 259.238500] ? preempt_count_sub+0x18/0xc0 +[ 259.238775] ? __mnt_want_write+0xaa/0x100 +[ 259.238990] ? mnt_want_write+0x8b/0x150 +[ 259.239290] path_setxattr+0x164/0x180 +[ 259.239605] ? setxattr+0x140/0x140 +[ 259.239849] ? debug_smp_processor_id+0x17/0x20 +[ 259.240174] ? fpregs_assert_state_consistent+0x67/0x80 +[ 259.240411] __x64_sys_setxattr+0x6d/0x80 +[ 259.240715] do_syscall_64+0x3b/0x90 +[ 259.240934] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 259.241697] RIP: 0033:0x7fc6b26e4469 +[ 259.242647] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 +[ 259.244512] RSP: 002b:00007ffc3c7841f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000bc +[ 259.245086] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc6b26e4469 +[ 259.246025] RDX: 00007ffc3c784380 RSI: 00007ffc3c7842e0 RDI: 00007ffc3c784238 +[ 259.246961] RBP: 00007ffc3c788410 R08: 0000000000000001 R09: 00007ffc3c7884f8 +[ 259.247775] R10: 000000000000007f R11: 0000000000000217 R12: 00000000004004e0 +[ 259.248534] R13: 00007ffc3c7884f0 R14: 0000000000000000 R15: 0000000000000000 +[ 259.249368] +[ 259.249644] +[ 259.249888] Allocated by task 255: +[ 259.250283] kasan_save_stack+0x26/0x50 +[ 259.250957] __kasan_kmalloc+0x88/0xb0 +[ 259.251826] __kmalloc+0x192/0x320 +[ 259.252745] ni_create_attr_list+0x11e/0x850 +[ 259.253298] ni_ins_attr_ext+0x52c/0x5c0 +[ 259.253685] ni_insert_attr+0x1ba/0x420 +[ 259.253974] ni_insert_resident+0xc0/0x1c0 +[ 259.254311] ntfs_set_ea+0x6bf/0xb30 +[ 259.254629] ntfs_setxattr+0x114/0x5c0 +[ 259.254859] __vfs_setxattr+0xda/0x120 +[ 259.255155] __vfs_setxattr_noperm+0x93/0x300 +[ 259.255445] __vfs_setxattr_locked+0x141/0x160 +[ 259.255862] vfs_setxattr+0x128/0x300 +[ 259.256251] do_setxattr+0xb8/0x170 +[ 259.256522] setxattr+0x126/0x140 +[ 259.256911] path_setxattr+0x164/0x180 +[ 259.257308] __x64_sys_setxattr+0x6d/0x80 +[ 259.257637] do_syscall_64+0x3b/0x90 +[ 259.257970] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 259.258550] +[ 259.258772] The buggy address belongs to the object at ffff88800632f000 +[ 259.258772] which belongs to the cache kmalloc-1k of size 1024 +[ 259.260190] The buggy address is located 690 bytes inside of +[ 259.260190] 1024-byte region [ffff88800632f000, ffff88800632f400) +[ 259.261412] +[ 259.261743] The buggy address belongs to the physical page: +[ 259.262354] page:0000000081e8cac9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632c +[ 259.263722] head:0000000081e8cac9 order:2 compound_mapcount:0 compound_pincount:0 +[ 259.264284] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) +[ 259.265312] raw: 000fffffc0010200 ffffea0000060d00 dead000000000004 ffff888001041dc0 +[ 259.265772] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 +[ 259.266305] page dumped because: kasan: bad access detected +[ 259.266588] +[ 259.266728] Memory state around the buggy address: +[ 259.267225] ffff88800632f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 259.267841] ffff88800632f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 259.269111] >ffff88800632f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 259.269626] ^ +[ 259.270162] ffff88800632f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 259.270810] ffff88800632f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/record.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c +index 9f81944441ae..af1e4b364ea8 100644 +--- a/fs/ntfs3/record.c ++++ b/fs/ntfs3/record.c +@@ -265,6 +265,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + if (t16 + t32 > asize) + return NULL; + ++ if (attr->name_len && ++ le16_to_cpu(attr->name_off) + sizeof(short) * attr->name_len > t16) { ++ return NULL; ++ } ++ + return attr; + } + +-- +2.35.1 + diff --git a/queue-6.1/hid-multitouch-fix-asus-expertbook-p2-p2451fa-trackp.patch b/queue-6.1/hid-multitouch-fix-asus-expertbook-p2-p2451fa-trackp.patch new file mode 100644 index 00000000000..f0ce937eb9c --- /dev/null +++ b/queue-6.1/hid-multitouch-fix-asus-expertbook-p2-p2451fa-trackp.patch @@ -0,0 +1,53 @@ +From 8c2c30e08f94189a5086dcdfe182787ae04fbd01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 17:57:05 +0100 +Subject: HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit 4eab1c2fe06c98a4dff258dd64800b6986c101e9 ] + +The HID descriptor of this device contains two mouse collections, one +for mouse emulation and the other for the trackpoint. + +Both collections get merged and, because the first one defines X and Y, +the movemenent events reported by the trackpoint collection are +ignored. + +Set the MT_CLS_WIN_8_FORCE_MULTI_INPUT class for this device to be able +to receive its reports. + +This fix is similar to/based on commit 40d5bb87377a ("HID: multitouch: +enable multi-input as a quirk for some devices"). + +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/825 +Reported-by: Akito +Tested-by: Akito +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 91a4d3fc30e0..372cbdd223e0 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -1967,6 +1967,10 @@ static const struct hid_device_id mt_devices[] = { + HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, + USB_VENDOR_ID_ELAN, 0x313a) }, + ++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, ++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, ++ USB_VENDOR_ID_ELAN, 0x3148) }, ++ + /* Elitegroup panel */ + { .driver_data = MT_CLS_SERIAL, + MT_USB_DEVICE(USB_VENDOR_ID_ELITEGROUP, +-- +2.35.1 + diff --git a/queue-6.1/hid-plantronics-additional-pids-for-double-volume-ke.patch b/queue-6.1/hid-plantronics-additional-pids-for-double-volume-ke.patch new file mode 100644 index 00000000000..497c8796880 --- /dev/null +++ b/queue-6.1/hid-plantronics-additional-pids-for-double-volume-ke.patch @@ -0,0 +1,81 @@ +From 68e48490f6b5755366185b5ead574e0f753886d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 15:05:06 -0800 +Subject: HID: plantronics: Additional PIDs for double volume key presses quirk + +From: Terry Junge + +[ Upstream commit 3d57f36c89d8ba32b2c312f397a37fd1a2dc7cfc ] + +I no longer work for Plantronics (aka Poly, aka HP) and do not have +access to the headsets in order to test. However, as noted by Maxim, +the other 32xx models that share the same base code set as the 3220 +would need the same quirk. This patch adds the PIDs for the rest of +the Blackwire 32XX product family that require the quirk. + +Plantronics Blackwire 3210 Series (047f:c055) +Plantronics Blackwire 3215 Series (047f:c057) +Plantronics Blackwire 3225 Series (047f:c058) + +Quote from previous patch by Maxim Mikityanskiy +Plantronics Blackwire 3220 Series (047f:c056) sends HID reports twice +for each volume key press. This patch adds a quirk to hid-plantronics +for this product ID, which will ignore the second volume key press if +it happens within 5 ms from the last one that was handled. + +The patch was tested on the mentioned model only, it shouldn't affect +other models, however, this quirk might be needed for them too. +Auto-repeat (when a key is held pressed) is not affected, because the +rate is about 3 times per second, which is far less frequent than once +in 5 ms. +End quote + +Signed-off-by: Terry Junge +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-plantronics.c | 9 +++++++++ + 2 files changed, 12 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 8f58c3c1bec3..e27fb27a36bf 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -995,7 +995,10 @@ + #define USB_DEVICE_ID_ORTEK_IHOME_IMAC_A210S 0x8003 + + #define USB_VENDOR_ID_PLANTRONICS 0x047f ++#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES 0xc055 + #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES 0xc056 ++#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES 0xc057 ++#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES 0xc058 + + #define USB_VENDOR_ID_PANASONIC 0x04da + #define USB_DEVICE_ID_PANABOARD_UBT780 0x1044 +diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c +index e81b7cec2d12..3d414ae194ac 100644 +--- a/drivers/hid/hid-plantronics.c ++++ b/drivers/hid/hid-plantronics.c +@@ -198,9 +198,18 @@ static int plantronics_probe(struct hid_device *hdev, + } + + static const struct hid_device_id plantronics_devices[] = { ++ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, ++ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES), ++ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, + USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES), + .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, ++ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES), ++ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, ++ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES), ++ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) }, + { } + }; +-- +2.35.1 + diff --git a/queue-6.1/iommu-mediatek-fix-crash-on-isr-after-kexec.patch b/queue-6.1/iommu-mediatek-fix-crash-on-isr-after-kexec.patch new file mode 100644 index 00000000000..4726c028f40 --- /dev/null +++ b/queue-6.1/iommu-mediatek-fix-crash-on-isr-after-kexec.patch @@ -0,0 +1,46 @@ +From 56d2a63c9091e0c839b166535c5b377e69d4be25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 23:16:48 +0100 +Subject: iommu/mediatek: Fix crash on isr after kexec() + +From: Ricardo Ribalda + +[ Upstream commit 00ef8885a945c37551547d8ac8361cacd20c4e42 ] + +If the system is rebooted via isr(), the IRQ handler might +be triggered before the domain is initialized. Resulting on +an invalid memory access error. + +Fix: +[ 0.500930] Unable to handle kernel read from unreadable memory at virtual address 0000000000000070 +[ 0.501166] Call trace: +[ 0.501174] report_iommu_fault+0x28/0xfc +[ 0.501180] mtk_iommu_isr+0x10c/0x1c0 + +Signed-off-by: Ricardo Ribalda +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/20221125-mtk-iommu-v2-0-e168dff7d43e@chromium.org +[ joro: Fixed spelling in commit message ] +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/mtk_iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c +index dad2f238ffbf..56d007582b6f 100644 +--- a/drivers/iommu/mtk_iommu.c ++++ b/drivers/iommu/mtk_iommu.c +@@ -454,7 +454,7 @@ static irqreturn_t mtk_iommu_isr(int irq, void *dev_id) + fault_larb = data->plat_data->larbid_remap[fault_larb][sub_comm]; + } + +- if (report_iommu_fault(&dom->domain, bank->parent_dev, fault_iova, ++ if (!dom || report_iommu_fault(&dom->domain, bank->parent_dev, fault_iova, + write ? IOMMU_FAULT_WRITE : IOMMU_FAULT_READ)) { + dev_err_ratelimited( + bank->parent_dev, +-- +2.35.1 + diff --git a/queue-6.1/kprobes-kretprobe-events-missing-on-2-core-kvm-guest.patch b/queue-6.1/kprobes-kretprobe-events-missing-on-2-core-kvm-guest.patch new file mode 100644 index 00000000000..c81f1e50904 --- /dev/null +++ b/queue-6.1/kprobes-kretprobe-events-missing-on-2-core-kvm-guest.patch @@ -0,0 +1,80 @@ +From 0ef03bcbb1b8d23660a75bd7f2012a61dab1654a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 16:15:02 +0800 +Subject: kprobes: kretprobe events missing on 2-core KVM guest + +From: wuqiang + +[ Upstream commit 3b7ddab8a19aefc768f345fd3782af35b4a68d9b ] + +Default value of maxactive is set as num_possible_cpus() for nonpreemptable +systems. For a 2-core system, only 2 kretprobe instances would be allocated +in default, then these 2 instances for execve kretprobe are very likely to +be used up with a pipelined command. + +Here's the testcase: a shell script was added to crontab, and the content +of the script is: + + #!/bin/sh + do_something_magic `tr -dc a-z < /dev/urandom | head -c 10` + +cron will trigger a series of program executions (4 times every hour). Then +events loss would be noticed normally after 3-4 hours of testings. + +The issue is caused by a burst of series of execve requests. The best number +of kretprobe instances could be different case by case, and should be user's +duty to determine, but num_possible_cpus() as the default value is inadequate +especially for systems with small number of cpus. + +This patch enables the logic for preemption as default, thus increases the +minimum of maxactive to 10 for nonpreemptable systems. + +Link: https://lore.kernel.org/all/20221110081502.492289-1-wuqiang.matt@bytedance.com/ + +Signed-off-by: wuqiang +Reviewed-by: Solar Designer +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + Documentation/trace/kprobes.rst | 3 +-- + kernel/kprobes.c | 8 ++------ + 2 files changed, 3 insertions(+), 8 deletions(-) + +diff --git a/Documentation/trace/kprobes.rst b/Documentation/trace/kprobes.rst +index 48cf778a2468..fc7ce76eab65 100644 +--- a/Documentation/trace/kprobes.rst ++++ b/Documentation/trace/kprobes.rst +@@ -131,8 +131,7 @@ For example, if the function is non-recursive and is called with a + spinlock held, maxactive = 1 should be enough. If the function is + non-recursive and can never relinquish the CPU (e.g., via a semaphore + or preemption), NR_CPUS should be enough. If maxactive <= 0, it is +-set to a default value. If CONFIG_PREEMPT is enabled, the default +-is max(10, 2*NR_CPUS). Otherwise, the default is NR_CPUS. ++set to a default value: max(10, 2*NR_CPUS). + + It's not a disaster if you set maxactive too low; you'll just miss + some probes. In the kretprobe struct, the nmissed field is set to +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index a35074f0daa1..1c18ecf9f98b 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -2213,13 +2213,9 @@ int register_kretprobe(struct kretprobe *rp) + rp->kp.post_handler = NULL; + + /* Pre-allocate memory for max kretprobe instances */ +- if (rp->maxactive <= 0) { +-#ifdef CONFIG_PREEMPTION ++ if (rp->maxactive <= 0) + rp->maxactive = max_t(unsigned int, 10, 2*num_possible_cpus()); +-#else +- rp->maxactive = num_possible_cpus(); +-#endif +- } ++ + #ifdef CONFIG_KRETPROBE_ON_RETHOOK + rp->rh = rethook_alloc((void *)rp, kretprobe_rethook_handler); + if (!rp->rh) +-- +2.35.1 + diff --git a/queue-6.1/nfsd-fix-use-after-free-in-__nfs42_ssc_open.patch b/queue-6.1/nfsd-fix-use-after-free-in-__nfs42_ssc_open.patch new file mode 100644 index 00000000000..9b83adab596 --- /dev/null +++ b/queue-6.1/nfsd-fix-use-after-free-in-__nfs42_ssc_open.patch @@ -0,0 +1,86 @@ +From efbd664f44d31c5f8363b6709bd0f7612366be71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 14:50:11 -0800 +Subject: NFSD: fix use-after-free in __nfs42_ssc_open() + +From: Dai Ngo + +[ Upstream commit 75333d48f92256a0dec91dbf07835e804fc411c0 ] + +Problem caused by source's vfsmount being unmounted but remains +on the delayed unmount list. This happens when nfs42_ssc_open() +return errors. + +Fixed by removing nfsd4_interssc_connect(), leave the vfsmount +for the laundromat to unmount when idle time expires. + +We don't need to call nfs_do_sb_deactive when nfs42_ssc_open +return errors since the file was not opened so nfs_server->active +was not incremented. Same as in nfsd4_copy, if we fail to +launch nfsd4_do_async_copy thread then there's no need to +call nfs_do_sb_deactive + +Reported-by: Xingyuan Mo +Signed-off-by: Dai Ngo +Tested-by: Xingyuan Mo +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4proc.c | 20 +++++--------------- + 1 file changed, 5 insertions(+), 15 deletions(-) + +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index 32fe7cbfb28b..34d1cd5883fb 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1465,13 +1465,6 @@ nfsd4_interssc_connect(struct nl4_server *nss, struct svc_rqst *rqstp, + return status; + } + +-static void +-nfsd4_interssc_disconnect(struct vfsmount *ss_mnt) +-{ +- nfs_do_sb_deactive(ss_mnt->mnt_sb); +- mntput(ss_mnt); +-} +- + /* + * Verify COPY destination stateid. + * +@@ -1574,11 +1567,6 @@ nfsd4_cleanup_inter_ssc(struct vfsmount *ss_mnt, struct file *filp, + { + } + +-static void +-nfsd4_interssc_disconnect(struct vfsmount *ss_mnt) +-{ +-} +- + static struct file *nfs42_ssc_open(struct vfsmount *ss_mnt, + struct nfs_fh *src_fh, + nfs4_stateid *stateid) +@@ -1774,7 +1762,7 @@ static int nfsd4_do_async_copy(void *data) + default: + nfserr = nfserr_offload_denied; + } +- nfsd4_interssc_disconnect(copy->ss_mnt); ++ /* ss_mnt will be unmounted by the laundromat */ + goto do_callback; + } + nfserr = nfsd4_do_copy(copy, filp, copy->nf_dst->nf_file, +@@ -1855,8 +1843,10 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + if (async_copy) + cleanup_async_copy(async_copy); + status = nfserrno(-ENOMEM); +- if (nfsd4_ssc_is_inter(copy)) +- nfsd4_interssc_disconnect(copy->ss_mnt); ++ /* ++ * source's vfsmount of inter-copy will be unmounted ++ * by the laundromat ++ */ + goto out; + } + +-- +2.35.1 + diff --git a/queue-6.1/nvme-fix-the-nvme_cmd_effects_cse_mask-definition.patch b/queue-6.1/nvme-fix-the-nvme_cmd_effects_cse_mask-definition.patch new file mode 100644 index 00000000000..b34dbc807e1 --- /dev/null +++ b/queue-6.1/nvme-fix-the-nvme_cmd_effects_cse_mask-definition.patch @@ -0,0 +1,46 @@ +From a83cb3e6cfe26d7beb51dfb87f4b13bcbc512590 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Dec 2022 10:30:45 +0100 +Subject: nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition + +From: Christoph Hellwig + +[ Upstream commit 685e6311637e46f3212439ce2789f8a300e5050f ] + +3 << 16 does not generate the correct mask for bits 16, 17 and 18. +Use the GENMASK macro to generate the correct mask instead. + +Fixes: 84fef62d135b ("nvme: check admin passthru command effects") +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: Kanchan Joshi +Signed-off-by: Sasha Levin +--- + include/linux/nvme.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/nvme.h b/include/linux/nvme.h +index 050d7d0cd81b..d9fbc5afeaf7 100644 +--- a/include/linux/nvme.h ++++ b/include/linux/nvme.h +@@ -7,6 +7,7 @@ + #ifndef _LINUX_NVME_H + #define _LINUX_NVME_H + ++#include + #include + #include + +@@ -639,7 +640,7 @@ enum { + NVME_CMD_EFFECTS_NCC = 1 << 2, + NVME_CMD_EFFECTS_NIC = 1 << 3, + NVME_CMD_EFFECTS_CCC = 1 << 4, +- NVME_CMD_EFFECTS_CSE_MASK = 3 << 16, ++ NVME_CMD_EFFECTS_CSE_MASK = GENMASK(18, 16), + NVME_CMD_EFFECTS_UUID_SEL = 1 << 19, + }; + +-- +2.35.1 + diff --git a/queue-6.1/nvme-pci-fix-doorbell-buffer-value-endianness.patch b/queue-6.1/nvme-pci-fix-doorbell-buffer-value-endianness.patch new file mode 100644 index 00000000000..fb1ef2b163b --- /dev/null +++ b/queue-6.1/nvme-pci-fix-doorbell-buffer-value-endianness.patch @@ -0,0 +1,100 @@ +From 01220065a3493faf0176093f29688a05d4b7ffec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Dec 2022 09:58:07 +0100 +Subject: nvme-pci: fix doorbell buffer value endianness + +From: Klaus Jensen + +[ Upstream commit b5f96cb719d8ba220b565ddd3ba4ac0d8bcfb130 ] + +When using shadow doorbells, the event index and the doorbell values are +written to host memory. Prior to this patch, the values written would +erroneously be written in host endianness. This causes trouble on +big-endian platforms. Fix this by adding missing endian conversions. + +This issue was noticed by Guenter while testing various big-endian +platforms under QEMU[1]. A similar fix required for hw/nvme in QEMU is +up for review as well[2]. + + [1]: https://lore.kernel.org/qemu-devel/20221209110022.GA3396194@roeck-us.net/ + [2]: https://lore.kernel.org/qemu-devel/20221212114409.34972-4-its@irrelevant.dk/ + +Fixes: f9f38e33389c ("nvme: improve performance for virtual NVMe devices") +Reported-by: Guenter Roeck +Signed-off-by: Klaus Jensen +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 488ad7dabeb8..4ed8a14e2803 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -144,9 +144,9 @@ struct nvme_dev { + mempool_t *iod_mempool; + + /* shadow doorbell buffer support: */ +- u32 *dbbuf_dbs; ++ __le32 *dbbuf_dbs; + dma_addr_t dbbuf_dbs_dma_addr; +- u32 *dbbuf_eis; ++ __le32 *dbbuf_eis; + dma_addr_t dbbuf_eis_dma_addr; + + /* host memory buffer support: */ +@@ -210,10 +210,10 @@ struct nvme_queue { + #define NVMEQ_SQ_CMB 1 + #define NVMEQ_DELETE_ERROR 2 + #define NVMEQ_POLLED 3 +- u32 *dbbuf_sq_db; +- u32 *dbbuf_cq_db; +- u32 *dbbuf_sq_ei; +- u32 *dbbuf_cq_ei; ++ __le32 *dbbuf_sq_db; ++ __le32 *dbbuf_cq_db; ++ __le32 *dbbuf_sq_ei; ++ __le32 *dbbuf_cq_ei; + struct completion delete_done; + }; + +@@ -340,11 +340,11 @@ static inline int nvme_dbbuf_need_event(u16 event_idx, u16 new_idx, u16 old) + } + + /* Update dbbuf and return true if an MMIO is required */ +-static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db, +- volatile u32 *dbbuf_ei) ++static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db, ++ volatile __le32 *dbbuf_ei) + { + if (dbbuf_db) { +- u16 old_value; ++ u16 old_value, event_idx; + + /* + * Ensure that the queue is written before updating +@@ -352,8 +352,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db, + */ + wmb(); + +- old_value = *dbbuf_db; +- *dbbuf_db = value; ++ old_value = le32_to_cpu(*dbbuf_db); ++ *dbbuf_db = cpu_to_le32(value); + + /* + * Ensure that the doorbell is updated before reading the event +@@ -363,7 +363,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db, + */ + mb(); + +- if (!nvme_dbbuf_need_event(*dbbuf_ei, value, old_value)) ++ event_idx = le32_to_cpu(*dbbuf_ei); ++ if (!nvme_dbbuf_need_event(event_idx, value, old_value)) + return false; + } + +-- +2.35.1 + diff --git a/queue-6.1/nvme-pci-fix-mempool-alloc-size.patch b/queue-6.1/nvme-pci-fix-mempool-alloc-size.patch new file mode 100644 index 00000000000..f614c99eb06 --- /dev/null +++ b/queue-6.1/nvme-pci-fix-mempool-alloc-size.patch @@ -0,0 +1,51 @@ +From 6db95eb4f8e6d2e9b113f5223697ed0a329ffcc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Dec 2022 10:59:06 -0800 +Subject: nvme-pci: fix mempool alloc size + +From: Keith Busch + +[ Upstream commit c89a529e823d51dd23c7ec0c047c7a454a428541 ] + +Convert the max size to bytes to match the units of the divisor that +calculates the worst-case number of PRP entries. + +The result is used to determine how many PRP Lists are required. The +code was previously rounding this to 1 list, but we can require 2 in the +worst case. In that scenario, the driver would corrupt memory beyond the +size provided by the mempool. + +While unlikely to occur (you'd need a 4MB in exactly 127 phys segments +on a queue that doesn't support SGLs), this memory corruption has been +observed by kfence. + +Cc: Jens Axboe +Fixes: 943e942e6266f ("nvme-pci: limit max IO size and segments to avoid high order allocations") +Signed-off-by: Keith Busch +Reviewed-by: Jens Axboe +Reviewed-by: Kanchan Joshi +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 4ed8a14e2803..3116a0e2ec27 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -378,8 +378,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db, + */ + static int nvme_pci_npages_prp(void) + { +- unsigned nprps = DIV_ROUND_UP(NVME_MAX_KB_SZ + NVME_CTRL_PAGE_SIZE, +- NVME_CTRL_PAGE_SIZE); ++ unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE; ++ unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE); + return DIV_ROUND_UP(8 * nprps, PAGE_SIZE - 8); + } + +-- +2.35.1 + diff --git a/queue-6.1/nvme-pci-fix-page-size-checks.patch b/queue-6.1/nvme-pci-fix-page-size-checks.patch new file mode 100644 index 00000000000..235d3ed1e40 --- /dev/null +++ b/queue-6.1/nvme-pci-fix-page-size-checks.patch @@ -0,0 +1,63 @@ +From 120eb04e72d73edd06fb46fa5e8e22944c347884 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Dec 2022 13:54:55 -0800 +Subject: nvme-pci: fix page size checks + +From: Keith Busch + +[ Upstream commit 841734234a28fd5cd0889b84bd4d93a0988fa11e ] + +The size allocated out of the dma pool is at most NVME_CTRL_PAGE_SIZE, +which may be smaller than the PAGE_SIZE. + +Fixes: c61b82c7b7134 ("nvme-pci: fix PRP pool size") +Signed-off-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 3116a0e2ec27..115d81def567 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -35,7 +35,7 @@ + #define SQ_SIZE(q) ((q)->q_depth << (q)->sqes) + #define CQ_SIZE(q) ((q)->q_depth * sizeof(struct nvme_completion)) + +-#define SGES_PER_PAGE (PAGE_SIZE / sizeof(struct nvme_sgl_desc)) ++#define SGES_PER_PAGE (NVME_CTRL_PAGE_SIZE / sizeof(struct nvme_sgl_desc)) + + /* + * These can be higher, but we need to ensure that any command doesn't +@@ -380,7 +380,7 @@ static int nvme_pci_npages_prp(void) + { + unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE; + unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE); +- return DIV_ROUND_UP(8 * nprps, PAGE_SIZE - 8); ++ return DIV_ROUND_UP(8 * nprps, NVME_CTRL_PAGE_SIZE - 8); + } + + /* +@@ -390,7 +390,7 @@ static int nvme_pci_npages_prp(void) + static int nvme_pci_npages_sgl(void) + { + return DIV_ROUND_UP(NVME_MAX_SEGS * sizeof(struct nvme_sgl_desc), +- PAGE_SIZE); ++ NVME_CTRL_PAGE_SIZE); + } + + static size_t nvme_pci_iod_alloc_size(void) +@@ -714,7 +714,7 @@ static void nvme_pci_sgl_set_seg(struct nvme_sgl_desc *sge, + sge->length = cpu_to_le32(entries * sizeof(*sge)); + sge->type = NVME_SGL_FMT_LAST_SEG_DESC << 4; + } else { +- sge->length = cpu_to_le32(PAGE_SIZE); ++ sge->length = cpu_to_le32(NVME_CTRL_PAGE_SIZE); + sge->type = NVME_SGL_FMT_SEG_DESC << 4; + } + } +-- +2.35.1 + diff --git a/queue-6.1/nvmet-don-t-defer-passthrough-commands-with-trivial-.patch b/queue-6.1/nvmet-don-t-defer-passthrough-commands-with-trivial-.patch new file mode 100644 index 00000000000..8cf10babc1e --- /dev/null +++ b/queue-6.1/nvmet-don-t-defer-passthrough-commands-with-trivial-.patch @@ -0,0 +1,55 @@ +From a2ab8743b4a89172c641d1a718d425ab74c1e34b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Dec 2022 09:51:19 +0100 +Subject: nvmet: don't defer passthrough commands with trivial effects to the + workqueue + +From: Christoph Hellwig + +[ Upstream commit 2a459f6933e1c459bffb7cc73fd6c900edc714bd ] + +Mask out the "Command Supported" and "Logical Block Content Change" bits +and only defer execution of commands that have non-trivial effects to +the workqueue for synchronous execution. This allows to execute admin +commands asynchronously on controllers that provide a Command Supported +and Effects log page, and will keep allowing to execute Write commands +asynchronously once command effects on I/O commands are taken into +account. + +Fixes: c1fef73f793b ("nvmet: add passthru code to process commands") +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: Kanchan Joshi +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/passthru.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/nvme/target/passthru.c b/drivers/nvme/target/passthru.c +index 79af5140af8b..adc0958755d6 100644 +--- a/drivers/nvme/target/passthru.c ++++ b/drivers/nvme/target/passthru.c +@@ -334,14 +334,13 @@ static void nvmet_passthru_execute_cmd(struct nvmet_req *req) + } + + /* +- * If there are effects for the command we are about to execute, or +- * an end_req function we need to use nvme_execute_passthru_rq() +- * synchronously in a work item seeing the end_req function and +- * nvme_passthru_end() can't be called in the request done callback +- * which is typically in interrupt context. ++ * If a command needs post-execution fixups, or there are any ++ * non-trivial effects, make sure to execute the command synchronously ++ * in a workqueue so that nvme_passthru_end gets called. + */ + effects = nvme_command_effects(ctrl, ns, req->cmd->common.opcode); +- if (req->p.use_workqueue || effects) { ++ if (req->p.use_workqueue || ++ (effects & ~(NVME_CMD_EFFECTS_CSUPP | NVME_CMD_EFFECTS_LBCC))) { + INIT_WORK(&req->p.work, nvmet_passthru_execute_cmd_work); + req->p.rq = rq; + queue_work(nvmet_wq, &req->p.work); +-- +2.35.1 + diff --git a/queue-6.1/objtool-fix-segfault.patch b/queue-6.1/objtool-fix-segfault.patch new file mode 100644 index 00000000000..ea7806d223b --- /dev/null +++ b/queue-6.1/objtool-fix-segfault.patch @@ -0,0 +1,40 @@ +From 1b754d80ee8be3440bcbdf9fc57c56a875a82613 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 23:27:46 +0530 +Subject: objtool: Fix SEGFAULT + +From: Christophe Leroy + +[ Upstream commit efb11fdb3e1a9f694fa12b70b21e69e55ec59c36 ] + +find_insn() will return NULL in case of failure. Check insn in order +to avoid a kernel Oops for NULL pointer dereference. + +Tested-by: Naveen N. Rao +Reviewed-by: Naveen N. Rao +Acked-by: Josh Poimboeuf +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221114175754.1131267-9-sv@linux.ibm.com +Signed-off-by: Sasha Levin +--- + tools/objtool/check.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index a7f1e6c8bb0a..51494c3002d9 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -207,7 +207,7 @@ static bool __dead_end_function(struct objtool_file *file, struct symbol *func, + return false; + + insn = find_insn(file, func->sec, func->offset); +- if (!insn->func) ++ if (!insn || !insn->func) + return false; + + func_for_each_insn(file, func, insn) { +-- +2.35.1 + diff --git a/queue-6.1/phy-sun4i-usb-add-support-for-the-h616-usb-phy.patch b/queue-6.1/phy-sun4i-usb-add-support-for-the-h616-usb-phy.patch new file mode 100644 index 00000000000..adec16d2150 --- /dev/null +++ b/queue-6.1/phy-sun4i-usb-add-support-for-the-h616-usb-phy.patch @@ -0,0 +1,59 @@ +From e7f9e7320fa4b63900ab8f0ae29f6a838c3a9df0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 11:13:55 +0000 +Subject: phy: sun4i-usb: Add support for the H616 USB PHY + +From: Andre Przywara + +[ Upstream commit 0f607406525d25019dd9c498bcc0b42734fc59d5 ] + +The USB PHY used in the Allwinner H616 SoC inherits some traits from its +various predecessors: it has four full PHYs like the H3, needs some +extra bits to be set like the H6, and puts SIDDQ on a different bit like +the A100. Plus it needs this weird PHY2 quirk. + +Name all those properties in a new config struct and assign a new +compatible name to it. + +Signed-off-by: Andre Przywara +Reviewed-by: Samuel Holland +Link: https://lore.kernel.org/r/20221031111358.3387297-5-andre.przywara@arm.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/allwinner/phy-sun4i-usb.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/phy/allwinner/phy-sun4i-usb.c b/drivers/phy/allwinner/phy-sun4i-usb.c +index e39f5ad62cc1..5472db9e87ef 100644 +--- a/drivers/phy/allwinner/phy-sun4i-usb.c ++++ b/drivers/phy/allwinner/phy-sun4i-usb.c +@@ -1032,6 +1032,17 @@ static const struct sun4i_usb_phy_cfg sun50i_h6_cfg = { + .missing_phys = BIT(1) | BIT(2), + }; + ++static const struct sun4i_usb_phy_cfg sun50i_h616_cfg = { ++ .num_phys = 4, ++ .type = sun50i_h6_phy, ++ .disc_thresh = 3, ++ .phyctl_offset = REG_PHYCTL_A33, ++ .dedicated_clocks = true, ++ .phy0_dual_route = true, ++ .hci_phy_ctl_clear = PHY_CTL_SIDDQ, ++ .needs_phy2_siddq = true, ++}; ++ + static const struct of_device_id sun4i_usb_phy_of_match[] = { + { .compatible = "allwinner,sun4i-a10-usb-phy", .data = &sun4i_a10_cfg }, + { .compatible = "allwinner,sun5i-a13-usb-phy", .data = &sun5i_a13_cfg }, +@@ -1047,6 +1058,7 @@ static const struct of_device_id sun4i_usb_phy_of_match[] = { + { .compatible = "allwinner,sun50i-a64-usb-phy", + .data = &sun50i_a64_cfg}, + { .compatible = "allwinner,sun50i-h6-usb-phy", .data = &sun50i_h6_cfg }, ++ { .compatible = "allwinner,sun50i-h616-usb-phy", .data = &sun50i_h616_cfg }, + { }, + }; + MODULE_DEVICE_TABLE(of, sun4i_usb_phy_of_match); +-- +2.35.1 + diff --git a/queue-6.1/phy-sun4i-usb-introduce-port2-siddq-quirk.patch b/queue-6.1/phy-sun4i-usb-introduce-port2-siddq-quirk.patch new file mode 100644 index 00000000000..d593e9b3994 --- /dev/null +++ b/queue-6.1/phy-sun4i-usb-introduce-port2-siddq-quirk.patch @@ -0,0 +1,124 @@ +From 508544aa660a045499baeaabb02213bf6c8904f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 11:13:54 +0000 +Subject: phy: sun4i-usb: Introduce port2 SIDDQ quirk + +From: Andre Przywara + +[ Upstream commit b45c6d80325bec2b78c716629a518b6442d8bdc6 ] + +At least the Allwinner H616 SoC requires a weird quirk to make most +USB PHYs work: Only port2 works out of the box, but all other ports +need some help from this port2 to work correctly: The CLK_BUS_PHY2 and +RST_USB_PHY2 clock and reset need to be enabled, and the SIDDQ bit in +the PMU PHY control register needs to be cleared. For this register to +be accessible, CLK_BUS_ECHI2 needs to be ungated. Don't ask .... + +Instead of disguising this as some generic feature, treat it more like +a quirk (what it really is): +If the quirk bit is set, and we initialise a PHY other than PHY2, ungate +this one special clock, and clear the SIDDQ bit. We also pick the clock +and reset from PHY2 and enable them as well. + +Signed-off-by: Andre Przywara +Link: https://lore.kernel.org/r/20221031111358.3387297-4-andre.przywara@arm.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/allwinner/phy-sun4i-usb.c | 59 +++++++++++++++++++++++++++ + 1 file changed, 59 insertions(+) + +diff --git a/drivers/phy/allwinner/phy-sun4i-usb.c b/drivers/phy/allwinner/phy-sun4i-usb.c +index 3a3831f6059a..e39f5ad62cc1 100644 +--- a/drivers/phy/allwinner/phy-sun4i-usb.c ++++ b/drivers/phy/allwinner/phy-sun4i-usb.c +@@ -120,6 +120,7 @@ struct sun4i_usb_phy_cfg { + u8 phyctl_offset; + bool dedicated_clocks; + bool phy0_dual_route; ++ bool needs_phy2_siddq; + int missing_phys; + }; + +@@ -289,6 +290,50 @@ static int sun4i_usb_phy_init(struct phy *_phy) + return ret; + } + ++ /* Some PHYs on some SoCs need the help of PHY2 to work. */ ++ if (data->cfg->needs_phy2_siddq && phy->index != 2) { ++ struct sun4i_usb_phy *phy2 = &data->phys[2]; ++ ++ ret = clk_prepare_enable(phy2->clk); ++ if (ret) { ++ reset_control_assert(phy->reset); ++ clk_disable_unprepare(phy->clk2); ++ clk_disable_unprepare(phy->clk); ++ return ret; ++ } ++ ++ ret = reset_control_deassert(phy2->reset); ++ if (ret) { ++ clk_disable_unprepare(phy2->clk); ++ reset_control_assert(phy->reset); ++ clk_disable_unprepare(phy->clk2); ++ clk_disable_unprepare(phy->clk); ++ return ret; ++ } ++ ++ /* ++ * This extra clock is just needed to access the ++ * REG_HCI_PHY_CTL PMU register for PHY2. ++ */ ++ ret = clk_prepare_enable(phy2->clk2); ++ if (ret) { ++ reset_control_assert(phy2->reset); ++ clk_disable_unprepare(phy2->clk); ++ reset_control_assert(phy->reset); ++ clk_disable_unprepare(phy->clk2); ++ clk_disable_unprepare(phy->clk); ++ return ret; ++ } ++ ++ if (phy2->pmu && data->cfg->hci_phy_ctl_clear) { ++ val = readl(phy2->pmu + REG_HCI_PHY_CTL); ++ val &= ~data->cfg->hci_phy_ctl_clear; ++ writel(val, phy2->pmu + REG_HCI_PHY_CTL); ++ } ++ ++ clk_disable_unprepare(phy->clk2); ++ } ++ + if (phy->pmu && data->cfg->hci_phy_ctl_clear) { + val = readl(phy->pmu + REG_HCI_PHY_CTL); + val &= ~data->cfg->hci_phy_ctl_clear; +@@ -354,6 +399,13 @@ static int sun4i_usb_phy_exit(struct phy *_phy) + data->phy0_init = false; + } + ++ if (data->cfg->needs_phy2_siddq && phy->index != 2) { ++ struct sun4i_usb_phy *phy2 = &data->phys[2]; ++ ++ clk_disable_unprepare(phy2->clk); ++ reset_control_assert(phy2->reset); ++ } ++ + sun4i_usb_phy_passby(phy, 0); + reset_control_assert(phy->reset); + clk_disable_unprepare(phy->clk2); +@@ -785,6 +837,13 @@ static int sun4i_usb_phy_probe(struct platform_device *pdev) + dev_err(dev, "failed to get clock %s\n", name); + return PTR_ERR(phy->clk2); + } ++ } else { ++ snprintf(name, sizeof(name), "pmu%d_clk", i); ++ phy->clk2 = devm_clk_get_optional(dev, name); ++ if (IS_ERR(phy->clk2)) { ++ dev_err(dev, "failed to get clock %s\n", name); ++ return PTR_ERR(phy->clk2); ++ } + } + + snprintf(name, sizeof(name), "usb%d_reset", i); +-- +2.35.1 + diff --git a/queue-6.1/powerpc-msi-fix-deassociation-of-msi-descriptors.patch b/queue-6.1/powerpc-msi-fix-deassociation-of-msi-descriptors.patch new file mode 100644 index 00000000000..581303ffe19 --- /dev/null +++ b/queue-6.1/powerpc-msi-fix-deassociation-of-msi-descriptors.patch @@ -0,0 +1,100 @@ +From 22a6a7a0b24fc5c4457fea8ae21d4bdd5e53f528 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Dec 2022 10:46:44 +0000 +Subject: powerpc/msi: Fix deassociation of MSI descriptors + +From: Marc Zyngier + +[ Upstream commit 4545c6a3d6ba71747eaa984c338ddd745e56e23f ] + +Since 2f2940d16823 ("genirq/msi: Remove filter from +msi_free_descs_free_range()"), the core MSI code relies on the +msi_desc->irq field to have been cleared before the descriptor +can be freed, as it indicates that there is no association with +a device anymore. + +The irq domain code provides this guarantee, and so does s390, +which is one of the two architectures not using irq domains for +MSIs. + +Powerpc, however, is missing this particular requirements, +leading in a splat and leaked MSI descriptors. + +Adding the now required irq reset to the handful of powerpc backends +that implement MSIs fixes that particular problem. + +Reported-by: Guenter Roeck +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/70dab88e-6119-0c12-7c6a-61bcbe239f66@roeck-us.net +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/4xx/hsta_msi.c | 1 + + arch/powerpc/platforms/cell/axon_msi.c | 1 + + arch/powerpc/platforms/pasemi/msi.c | 1 + + arch/powerpc/sysdev/fsl_msi.c | 1 + + arch/powerpc/sysdev/mpic_u3msi.c | 1 + + 5 files changed, 5 insertions(+) + +diff --git a/arch/powerpc/platforms/4xx/hsta_msi.c b/arch/powerpc/platforms/4xx/hsta_msi.c +index d4f7fff1fc87..e11b57a62b05 100644 +--- a/arch/powerpc/platforms/4xx/hsta_msi.c ++++ b/arch/powerpc/platforms/4xx/hsta_msi.c +@@ -115,6 +115,7 @@ static void hsta_teardown_msi_irqs(struct pci_dev *dev) + msi_bitmap_free_hwirqs(&ppc4xx_hsta_msi.bmp, irq, 1); + pr_debug("%s: Teardown IRQ %u (index %u)\n", __func__, + entry->irq, irq); ++ entry->irq = 0; + } + } + +diff --git a/arch/powerpc/platforms/cell/axon_msi.c b/arch/powerpc/platforms/cell/axon_msi.c +index 5b012abca773..0c11aad896c7 100644 +--- a/arch/powerpc/platforms/cell/axon_msi.c ++++ b/arch/powerpc/platforms/cell/axon_msi.c +@@ -289,6 +289,7 @@ static void axon_msi_teardown_msi_irqs(struct pci_dev *dev) + msi_for_each_desc(entry, &dev->dev, MSI_DESC_ASSOCIATED) { + irq_set_msi_desc(entry->irq, NULL); + irq_dispose_mapping(entry->irq); ++ entry->irq = 0; + } + } + +diff --git a/arch/powerpc/platforms/pasemi/msi.c b/arch/powerpc/platforms/pasemi/msi.c +index dc1846660005..166c97fff16d 100644 +--- a/arch/powerpc/platforms/pasemi/msi.c ++++ b/arch/powerpc/platforms/pasemi/msi.c +@@ -66,6 +66,7 @@ static void pasemi_msi_teardown_msi_irqs(struct pci_dev *pdev) + hwirq = virq_to_hw(entry->irq); + irq_set_msi_desc(entry->irq, NULL); + irq_dispose_mapping(entry->irq); ++ entry->irq = 0; + msi_bitmap_free_hwirqs(&msi_mpic->msi_bitmap, hwirq, ALLOC_CHUNK); + } + } +diff --git a/arch/powerpc/sysdev/fsl_msi.c b/arch/powerpc/sysdev/fsl_msi.c +index 73c2d70706c0..57978a44d55b 100644 +--- a/arch/powerpc/sysdev/fsl_msi.c ++++ b/arch/powerpc/sysdev/fsl_msi.c +@@ -132,6 +132,7 @@ static void fsl_teardown_msi_irqs(struct pci_dev *pdev) + msi_data = irq_get_chip_data(entry->irq); + irq_set_msi_desc(entry->irq, NULL); + irq_dispose_mapping(entry->irq); ++ entry->irq = 0; + msi_bitmap_free_hwirqs(&msi_data->bitmap, hwirq, 1); + } + } +diff --git a/arch/powerpc/sysdev/mpic_u3msi.c b/arch/powerpc/sysdev/mpic_u3msi.c +index 1d8cfdfdf115..492cb03c0b62 100644 +--- a/arch/powerpc/sysdev/mpic_u3msi.c ++++ b/arch/powerpc/sysdev/mpic_u3msi.c +@@ -108,6 +108,7 @@ static void u3msi_teardown_msi_irqs(struct pci_dev *pdev) + hwirq = virq_to_hw(entry->irq); + irq_set_msi_desc(entry->irq, NULL); + irq_dispose_mapping(entry->irq); ++ entry->irq = 0; + msi_bitmap_free_hwirqs(&msi_mpic->msi_bitmap, hwirq, 1); + } + } +-- +2.35.1 + diff --git a/queue-6.1/powerpc-rtas-avoid-device-tree-lookups-in-rtas_os_te.patch b/queue-6.1/powerpc-rtas-avoid-device-tree-lookups-in-rtas_os_te.patch new file mode 100644 index 00000000000..5de5280eb7c --- /dev/null +++ b/queue-6.1/powerpc-rtas-avoid-device-tree-lookups-in-rtas_os_te.patch @@ -0,0 +1,77 @@ +From 1a8b1a7a7ba7e44d368d7115b845ed3eaf262544 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 09:07:41 -0600 +Subject: powerpc/rtas: avoid device tree lookups in rtas_os_term() + +From: Nathan Lynch + +[ Upstream commit ed2213bfb192ab51f09f12e9b49b5d482c6493f3 ] + +rtas_os_term() is called during panic. Its behavior depends on a couple +of conditions in the /rtas node of the device tree, the traversal of +which entails locking and local IRQ state changes. If the kernel panics +while devtree_lock is held, rtas_os_term() as currently written could +hang. + +Instead of discovering the relevant characteristics at panic time, +cache them in file-static variables at boot. Note the lookup for +"ibm,extended-os-term" is converted to of_property_read_bool() since it +is a boolean property, not an RTAS function token. + +Signed-off-by: Nathan Lynch +Reviewed-by: Nicholas Piggin +Reviewed-by: Andrew Donnellan +[mpe: Incorporate suggested change from Nick] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221118150751.469393-4-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/rtas.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c +index e847f9b1c5b9..6b5f49c9ad79 100644 +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -889,6 +889,7 @@ void __noreturn rtas_halt(void) + + /* Must be in the RMO region, so we place it here */ + static char rtas_os_term_buf[2048]; ++static s32 ibm_os_term_token = RTAS_UNKNOWN_SERVICE; + + void rtas_os_term(char *str) + { +@@ -900,14 +901,13 @@ void rtas_os_term(char *str) + * this property may terminate the partition which we want to avoid + * since it interferes with panic_timeout. + */ +- if (RTAS_UNKNOWN_SERVICE == rtas_token("ibm,os-term") || +- RTAS_UNKNOWN_SERVICE == rtas_token("ibm,extended-os-term")) ++ if (ibm_os_term_token == RTAS_UNKNOWN_SERVICE) + return; + + snprintf(rtas_os_term_buf, 2048, "OS panic: %s", str); + + do { +- status = rtas_call(rtas_token("ibm,os-term"), 1, 1, NULL, ++ status = rtas_call(ibm_os_term_token, 1, 1, NULL, + __pa(rtas_os_term_buf)); + } while (rtas_busy_delay(status)); + +@@ -1277,6 +1277,13 @@ void __init rtas_initialize(void) + no_entry = of_property_read_u32(rtas.dev, "linux,rtas-entry", &entry); + rtas.entry = no_entry ? rtas.base : entry; + ++ /* ++ * Discover these now to avoid device tree lookups in the ++ * panic path. ++ */ ++ if (of_property_read_bool(rtas.dev, "ibm,extended-os-term")) ++ ibm_os_term_token = rtas_token("ibm,os-term"); ++ + /* If RTAS was found, allocate the RMO buffer for it and look for + * the stop-self token if any + */ +-- +2.35.1 + diff --git a/queue-6.1/powerpc-rtas-avoid-scheduling-in-rtas_os_term.patch b/queue-6.1/powerpc-rtas-avoid-scheduling-in-rtas_os_term.patch new file mode 100644 index 00000000000..7c4dabcbb2e --- /dev/null +++ b/queue-6.1/powerpc-rtas-avoid-scheduling-in-rtas_os_term.patch @@ -0,0 +1,67 @@ +From 04ab0e2bb0cba637b81502a8a1d8b906f4123fb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 09:07:42 -0600 +Subject: powerpc/rtas: avoid scheduling in rtas_os_term() + +From: Nathan Lynch + +[ Upstream commit 6c606e57eecc37d6b36d732b1ff7e55b7dc32dd4 ] + +It's unsafe to use rtas_busy_delay() to handle a busy status from +the ibm,os-term RTAS function in rtas_os_term(): + +Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b +BUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:618 +in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0 +preempt_count: 2, expected: 0 +CPU: 7 PID: 1 Comm: swapper/0 Tainted: G D 6.0.0-rc5-02182-gf8553a572277-dirty #9 +Call Trace: +[c000000007b8f000] [c000000001337110] dump_stack_lvl+0xb4/0x110 (unreliable) +[c000000007b8f040] [c0000000002440e4] __might_resched+0x394/0x3c0 +[c000000007b8f0e0] [c00000000004f680] rtas_busy_delay+0x120/0x1b0 +[c000000007b8f100] [c000000000052d04] rtas_os_term+0xb8/0xf4 +[c000000007b8f180] [c0000000001150fc] pseries_panic+0x50/0x68 +[c000000007b8f1f0] [c000000000036354] ppc_panic_platform_handler+0x34/0x50 +[c000000007b8f210] [c0000000002303c4] notifier_call_chain+0xd4/0x1c0 +[c000000007b8f2b0] [c0000000002306cc] atomic_notifier_call_chain+0xac/0x1c0 +[c000000007b8f2f0] [c0000000001d62b8] panic+0x228/0x4d0 +[c000000007b8f390] [c0000000001e573c] do_exit+0x140c/0x1420 +[c000000007b8f480] [c0000000001e586c] make_task_dead+0xdc/0x200 + +Use rtas_busy_delay_time() instead, which signals without side effects +whether to attempt the ibm,os-term RTAS call again. + +Signed-off-by: Nathan Lynch +Reviewed-by: Nicholas Piggin +Reviewed-by: Andrew Donnellan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221118150751.469393-5-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/rtas.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c +index 6b5f49c9ad79..767ab166933b 100644 +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -906,10 +906,15 @@ void rtas_os_term(char *str) + + snprintf(rtas_os_term_buf, 2048, "OS panic: %s", str); + ++ /* ++ * Keep calling as long as RTAS returns a "try again" status, ++ * but don't use rtas_busy_delay(), which potentially ++ * schedules. ++ */ + do { + status = rtas_call(ibm_os_term_token, 1, 1, NULL, + __pa(rtas_os_term_buf)); +- } while (rtas_busy_delay(status)); ++ } while (rtas_busy_delay_time(status)); + + if (status != 0) + printk(KERN_EMERG "ibm,os-term call failed %d\n", status); +-- +2.35.1 + diff --git a/queue-6.1/rtc-msc313-fix-function-prototype-mismatch-in-msc313.patch b/queue-6.1/rtc-msc313-fix-function-prototype-mismatch-in-msc313.patch new file mode 100644 index 00000000000..9055a07fca1 --- /dev/null +++ b/queue-6.1/rtc-msc313-fix-function-prototype-mismatch-in-msc313.patch @@ -0,0 +1,73 @@ +From d4cbc8a25e8b3992ada8694ede5a3c9db72ec8b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 10:45:30 -0800 +Subject: rtc: msc313: Fix function prototype mismatch in msc313_rtc_probe() + +From: Kees Cook + +[ Upstream commit 21b8a1dd56a163825e5749b303858fb902ebf198 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. + +msc313_rtc_probe() was passing clk_disable_unprepare() directly, which +did not have matching prototypes for devm_add_action_or_reset()'s +callback argument. Refactor to use devm_clk_get_enabled() instead. + +This was found as a result of Clang's new -Wcast-function-type-strict +flag, which is more sensitive than the simpler -Wcast-function-type, +which only checks for type width mismatches. + +Reported-by: kernel test robot +Link: https://lore.kernel.org/lkml/202211041527.HD8TLSE1-lkp@intel.com +Suggested-by: Christophe JAILLET +Cc: Daniel Palmer +Cc: Romain Perier +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-rtc@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Daniel Palmer +Tested-by: Daniel Palmer +Link: https://lore.kernel.org/r/20221202184525.gonna.423-kees@kernel.org +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-msc313.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +diff --git a/drivers/rtc/rtc-msc313.c b/drivers/rtc/rtc-msc313.c +index f3fde013c4b8..8d7737e0e2e0 100644 +--- a/drivers/rtc/rtc-msc313.c ++++ b/drivers/rtc/rtc-msc313.c +@@ -212,22 +212,12 @@ static int msc313_rtc_probe(struct platform_device *pdev) + return ret; + } + +- clk = devm_clk_get(dev, NULL); ++ clk = devm_clk_get_enabled(dev, NULL); + if (IS_ERR(clk)) { + dev_err(dev, "No input reference clock\n"); + return PTR_ERR(clk); + } + +- ret = clk_prepare_enable(clk); +- if (ret) { +- dev_err(dev, "Failed to enable the reference clock, %d\n", ret); +- return ret; +- } +- +- ret = devm_add_action_or_reset(dev, (void (*) (void *))clk_disable_unprepare, clk); +- if (ret) +- return ret; +- + rate = clk_get_rate(clk); + writew(rate & 0xFFFF, priv->rtc_base + REG_RTC_FREQ_CW_L); + writew((rate >> 16) & 0xFFFF, priv->rtc_base + REG_RTC_FREQ_CW_H); +-- +2.35.1 + diff --git a/queue-6.1/series b/queue-6.1/series index c3de88faeea..b9e7adac539 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -2,3 +2,42 @@ eventpoll-add-epoll_uring_wake-poll-wakeup-flag.patch eventfd-provide-a-eventfd_signal_mask-helper.patch io_uring-pass-in-epoll_uring_wake-for-eventfd-signal.patch bpf-resolve-fext-program-type-when-checking-map-comp.patch +nvme-pci-fix-doorbell-buffer-value-endianness.patch +nvme-pci-fix-mempool-alloc-size.patch +nvme-pci-fix-page-size-checks.patch +acpi-resource-do-irq-override-on-xmg-core-15.patch +acpi-resource-do-irq-override-on-lenovo-14alc7.patch +acpi-resource-add-asus-expertbook-b2502-to-asus-quir.patch +acpi-video-fix-apple-gmux-backlight-detection.patch +block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch +ata-ahci-fix-pcs-quirk-application-for-suspend.patch +nvme-fix-the-nvme_cmd_effects_cse_mask-definition.patch +nvmet-don-t-defer-passthrough-commands-with-trivial-.patch +fs-ntfs3-validate-boot-record_size.patch +fs-ntfs3-add-overflow-check-for-attribute-size.patch +fs-ntfs3-validate-data-run-offset.patch +fs-ntfs3-add-null-pointer-check-to-attr_load_runs_vc.patch +fs-ntfs3-fix-memory-leak-on-ntfs_fill_super-error-pa.patch +fs-ntfs3-add-null-pointer-check-for-inode-operations.patch +fs-ntfs3-validate-attribute-name-offset.patch +fs-ntfs3-validate-buffer-length-while-parsing-index.patch +fs-ntfs3-validate-resident-attribute-name.patch +fs-ntfs3-fix-slab-out-of-bounds-read-in-run_unpack.patch +soundwire-dmi-quirks-add-quirk-variant-for-lapbc710-.patch +phy-sun4i-usb-introduce-port2-siddq-quirk.patch +phy-sun4i-usb-add-support-for-the-h616-usb-phy.patch +fs-ntfs3-validate-index-root-when-initialize-ntfs-se.patch +fs-ntfs3-use-__gfp_nowarn-allocation-at-wnd_init.patch +fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_fill_su.patch +fs-ntfs3-delete-duplicate-condition-in-ntfs_read_mft.patch +fs-ntfs3-fix-slab-out-of-bounds-in-r_page.patch +objtool-fix-segfault.patch +iommu-mediatek-fix-crash-on-isr-after-kexec.patch +powerpc-rtas-avoid-device-tree-lookups-in-rtas_os_te.patch +powerpc-rtas-avoid-scheduling-in-rtas_os_term.patch +rtc-msc313-fix-function-prototype-mismatch-in-msc313.patch +nfsd-fix-use-after-free-in-__nfs42_ssc_open.patch +kprobes-kretprobe-events-missing-on-2-core-kvm-guest.patch +powerpc-msi-fix-deassociation-of-msi-descriptors.patch +hid-multitouch-fix-asus-expertbook-p2-p2451fa-trackp.patch +hid-plantronics-additional-pids-for-double-volume-ke.patch diff --git a/queue-6.1/soundwire-dmi-quirks-add-quirk-variant-for-lapbc710-.patch b/queue-6.1/soundwire-dmi-quirks-add-quirk-variant-for-lapbc710-.patch new file mode 100644 index 00000000000..a7eb1aa59f1 --- /dev/null +++ b/queue-6.1/soundwire-dmi-quirks-add-quirk-variant-for-lapbc710-.patch @@ -0,0 +1,45 @@ +From 0091dc6dd7befeea4f9345c2596a75affbba0029 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 09:25:00 +0800 +Subject: soundwire: dmi-quirks: add quirk variant for LAPBC710 NUC15 + +From: Pierre-Louis Bossart + +[ Upstream commit f74495761df10c25a98256d16ea7465191b6e2cd ] + +Some NUC15 LAPBC710 devices don't expose the same DMI information as +the Intel reference, add additional entry in the match table. + +BugLink: https://github.com/thesofproject/linux/issues/3885 +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Signed-off-by: Bard Liao +Link: https://lore.kernel.org/r/20221018012500.1592994-1-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/dmi-quirks.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/soundwire/dmi-quirks.c b/drivers/soundwire/dmi-quirks.c +index f81cdd83ec26..7969881f126d 100644 +--- a/drivers/soundwire/dmi-quirks.c ++++ b/drivers/soundwire/dmi-quirks.c +@@ -90,6 +90,14 @@ static const struct dmi_system_id adr_remap_quirk_table[] = { + }, + .driver_data = (void *)intel_tgl_bios, + }, ++ { ++ /* quirk used for NUC15 LAPBC710 skew */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_BOARD_NAME, "LAPBC710"), ++ }, ++ .driver_data = (void *)intel_tgl_bios, ++ }, + { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc"), +-- +2.35.1 +