From: Sasha Levin Date: Fri, 4 Jun 2021 18:20:28 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.4.272~95 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=769ccdbbcf8c662b4baa61e977f7c7294e2fe8c7;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin
---
diff --git a/queue-5.4/alsa-usb-update-old-style-static-const-declaration.patch b/queue-5.4/alsa-usb-update-old-style-static-const-declaration.patch
new file mode 100644
index 00000000000..e0a9144cf05
--- /dev/null
+++ b/queue-5.4/alsa-usb-update-old-style-static-const-declaration.patch
@@ -0,0 +1,46 @@
+From ec2c7d7097b5fd9c253a064b06300e0acec0b851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 11 Jan 2020 15:47:36 -0600
+Subject: ALSA: usb: update old-style static const declaration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pierre-Louis Bossart
+
+[ Upstream commit ff40e0d41af19e36b43693fcb9241b4a6795bb44 ]
+
+GCC reports the following warning with W=1
+
+sound/usb/mixer_quirks.c: In function ‘snd_microii_controls_create’:
+sound/usb/mixer_quirks.c:1694:2: warning: ‘static’ is not at beginning
+of declaration [-Wold-style-declaration]
+ 1694 | const static usb_mixer_elem_resume_func_t resume_funcs[] = {
+ | ^~~~~
+
+Move static to the beginning of declaration
+
+Signed-off-by: Pierre-Louis Bossart
+Link: https://lore.kernel.org/r/20200111214736.3002-3-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/mixer_quirks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
+index 5251818e10d3..d926869c031b 100644
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -1697,7 +1697,7 @@ static struct snd_kcontrol_new snd_microii_mixer_spdif[] = {
+ static int snd_microii_controls_create(struct usb_mixer_interface *mixer)
+ {
+ int err, i;
+- const static usb_mixer_elem_resume_func_t resume_funcs[] = {
++ static const usb_mixer_elem_resume_func_t resume_funcs[] = {
+ snd_microii_spdif_default_update,
+ NULL,
+ snd_microii_spdif_switch_update
+--
+2.30.2
+
diff --git a/queue-5.4/btrfs-tree-checker-do-not-error-out-if-extent-ref-ha.patch b/queue-5.4/btrfs-tree-checker-do-not-error-out-if-extent-ref-ha.patch
new file mode 100644
index 00000000000..ed30b388d26
--- /dev/null
+++ b/queue-5.4/btrfs-tree-checker-do-not-error-out-if-extent-ref-ha.patch
@@ -0,0 +1,97 @@
+From fe8d04f4d4a4ae0fda502035e4dd00d0b7098426 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Jun 2021 17:53:04 +0200
+Subject: btrfs: tree-checker: do not error out if extent ref hash doesn't
+ match
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Josef Bacik
+
+commit 1119a72e223f3073a604f8fccb3a470ccd8a4416 upstream.
+
+The tree checker checks the extent ref hash at read and write time to
+make sure we do not corrupt the file system. Generally extent
+references go inline, but if we have enough of them we need to make an
+item, which looks like
+
+key.objectid =
+key.type =
+key.offset = hash(tree, owner, offset)
+
+However if key.offset collide with an unrelated extent reference we'll
+simply key.offset++ until we get something that doesn't collide.
+Obviously this doesn't match at tree checker time, and thus we error
+while writing out the transaction. This is relatively easy to
+reproduce, simply do something like the following
+
+ xfs_io -f -c "pwrite 0 1M" file
+ offset=2
+
+ for i in {0..10000}
+ do
+ xfs_io -c "reflink file 0 ${offset}M 1M" file
+ offset=$(( offset + 2 ))
+ done
+
+ xfs_io -c "reflink file 0 17999258914816 1M" file
+ xfs_io -c "reflink file 0 35998517829632 1M" file
+ xfs_io -c "reflink file 0 53752752058368 1M" file
+
+ btrfs filesystem sync
+
+And the sync will error out because we'll abort the transaction. The
+magic values above are used because they generate hash collisions with
+the first file in the main subvol.
+
+The fix for this is to remove the hash value check from tree checker, as
+we have no idea which offset ours should belong to.
+
+Reported-by: Tuomas Lähdekorpi
+Fixes: 0785a9aacf9d ("btrfs: tree-checker: Add EXTENT_DATA_REF check")
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Filipe Manana
+Signed-off-by: Josef Bacik
+Reviewed-by: David Sterba
+[ add comment]
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/tree-checker.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index 7d06842a3d74..368c43c6cbd0 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1285,22 +1285,14 @@ static int check_extent_data_ref(struct extent_buffer *leaf,
+ return -EUCLEAN;
+ }
+ for (; ptr < end; ptr += sizeof(*dref)) {
+- u64 root_objectid;
+- u64 owner;
+ u64 offset;
+- u64 hash;
+
++ /*
++ * We cannot check the extent_data_ref hash due to possible
++ * overflow from the leaf due to hash collisions.
++ */
+ dref = (struct btrfs_extent_data_ref *)ptr;
+- root_objectid = btrfs_extent_data_ref_root(leaf, dref);
+- owner = btrfs_extent_data_ref_objectid(leaf, dref);
+ offset = btrfs_extent_data_ref_offset(leaf, dref);
+- hash = hash_extent_data_ref(root_objectid, owner, offset);
+- if (hash != key->offset) {
+- extent_err(leaf, slot,
+- "invalid extent data ref hash, item has 0x%016llx key has 0x%016llx",
+- hash, key->offset);
+- return -EUCLEAN;
+- }
+ if (!IS_ALIGNED(offset, leaf->fs_info->sectorsize)) {
+ extent_err(leaf, slot,
+ "invalid extent data backref offset, have %llu expect aligned to %u",
+--
+2.30.2
+
diff --git a/queue-5.4/net-usb-cdc_ncm-don-t-spew-notifications.patch b/queue-5.4/net-usb-cdc_ncm-don-t-spew-notifications.patch
new file mode 100644
index 00000000000..f072fb311c2
--- /dev/null
+++ b/queue-5.4/net-usb-cdc_ncm-don-t-spew-notifications.patch
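Review bot: The comment added in check_extent_data_ref() ("possible overflow from the leaf due to hash collisions") does not tell a reader why the hash comparison had to go; the commit message has the actual reason, that on a collision the item is stored at an incremented key.offset, so `hash != key->offset` is not evidence of corruption. I would word it as `/* key->offset may have been bumped past the hash on collision, so the hash cannot be compared here */`. Because the tree checker is the gate for corrupted metadata, the comment should also record that in the lines visible here the only per-ref validation left in the loop is the offset alignment; whether other fields of the ref are checked elsewhere cannot be seen from this hunk. The function body starts and ends outside the hunk.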
@@ -0,0 +1,112 @@
+From 647c5c8f6c23aac842894f59bf318e88e73da177 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Jan 2021 17:12:08 -0800
+Subject: net: usb: cdc_ncm: don't spew notifications
+
+From: Grant Grundler
+
+[ Upstream commit de658a195ee23ca6aaffe197d1d2ea040beea0a2 ]
+
+RTL8156 sends notifications about every 32ms.
+Only display/log notifications when something changes.
+
+This issue has been reported by others:
+ https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1832472
+ https://lkml.org/lkml/2020/8/27/1083
+
+...
+[785962.779840] usb 1-1: new high-speed USB device number 5 using xhci_hcd
+[785962.929944] usb 1-1: New USB device found, idVendor=0bda, idProduct=8156, bcdDevice=30.00
+[785962.929949] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=6
+[785962.929952] usb 1-1: Product: USB 10/100/1G/2.5G LAN
+[785962.929954] usb 1-1: Manufacturer: Realtek
+[785962.929956] usb 1-1: SerialNumber: 000000001
+[785962.991755] usbcore: registered new interface driver cdc_ether
+[785963.017068] cdc_ncm 1-1:2.0: MAC-Address: 00:24:27:88:08:15
+[785963.017072] cdc_ncm 1-1:2.0: setting rx_max = 16384
+[785963.017169] cdc_ncm 1-1:2.0: setting tx_max = 16384
+[785963.017682] cdc_ncm 1-1:2.0 usb0: register 'cdc_ncm' at usb-0000:00:14.0-1, CDC NCM, 00:24:27:88:08:15
+[785963.019211] usbcore: registered new interface driver cdc_ncm
+[785963.023856] usbcore: registered new interface driver cdc_wdm
+[785963.025461] usbcore: registered new interface driver cdc_mbim
+[785963.038824] cdc_ncm 1-1:2.0 enx002427880815: renamed from usb0
+[785963.089586] cdc_ncm 1-1:2.0 enx002427880815: network connection: disconnected
+[785963.121673] cdc_ncm 1-1:2.0 enx002427880815: network connection: disconnected
+[785963.153682] cdc_ncm 1-1:2.0 enx002427880815: network connection: disconnected
+...
+
+This is about 2KB per second and will overwrite all contents of a 1MB
+dmesg buffer in under 10 minutes rendering them useless for debugging
+many kernel problems.
+
+This is also an extra 180 MB/day in /var/logs (or 1GB per week) rendering
+the majority of those logs useless too.
+
+When the link is up (expected state), spew amount is >2x higher:
+...
+[786139.600992] cdc_ncm 2-1:2.0 enx002427880815: network connection: connected
+[786139.632997] cdc_ncm 2-1:2.0 enx002427880815: 2500 mbit/s downlink 2500 mbit/s uplink
+[786139.665097] cdc_ncm 2-1:2.0 enx002427880815: network connection: connected
+[786139.697100] cdc_ncm 2-1:2.0 enx002427880815: 2500 mbit/s downlink 2500 mbit/s uplink
+[786139.729094] cdc_ncm 2-1:2.0 enx002427880815: network connection: connected
+[786139.761108] cdc_ncm 2-1:2.0 enx002427880815: 2500 mbit/s downlink 2500 mbit/s uplink
+...
+
+Chrome OS cannot support RTL8156 until this is fixed.
+
+Signed-off-by: Grant Grundler
+Reviewed-by: Hayes Wang
+Link: https://lore.kernel.org/r/20210120011208.3768105-1-grundler@chromium.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/cdc_ncm.c | 12 +++++++++++-
+ include/linux/usb/usbnet.h | 2 ++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index cbe7f35eac98..0646bcd26968 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1589,6 +1589,15 @@ cdc_ncm_speed_change(struct usbnet *dev,
+ uint32_t rx_speed = le32_to_cpu(data->DLBitRRate);
+ uint32_t tx_speed = le32_to_cpu(data->ULBitRate);
+
++ /* if the speed hasn't changed, don't report it.
++ * RTL8156 shipped before 2021 sends notification about every 32ms.
++ */
++ if (dev->rx_speed == rx_speed && dev->tx_speed == tx_speed)
++ return;
++
++ dev->rx_speed = rx_speed;
++ dev->tx_speed = tx_speed;
++
+ /*
+ * Currently the USB-NET API does not support reporting the actual
+ * device speed. Do print it instead.
+@@ -1629,7 +1638,8 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb)
+ * USB_CDC_NOTIFY_NETWORK_CONNECTION notification shall be
+ * sent by device after USB_CDC_NOTIFY_SPEED_CHANGE.
+ */
+- usbnet_link_change(dev, !!event->wValue, 0);
++ if (netif_carrier_ok(dev->net) != !!event->wValue)
++ usbnet_link_change(dev, !!event->wValue, 0);
+ break;
+
+ case USB_CDC_NOTIFY_SPEED_CHANGE:
+diff --git a/include/linux/usb/usbnet.h b/include/linux/usb/usbnet.h
+index d8860f2d0976..fc6ed1311589 100644
+--- a/include/linux/usb/usbnet.h
++++ b/include/linux/usb/usbnet.h
+@@ -83,6 +83,8 @@ struct usbnet {
+ # define EVENT_LINK_CHANGE 11
+ # define EVENT_SET_RX_MODE 12
+ # define EVENT_NO_IP_ALIGN 13
++ u32 rx_speed; /* in bps - NOT Mbps */
++ u32 tx_speed; /* in bps - NOT Mbps */
+ };
+
+ static inline struct usb_driver *driver_of(struct usb_interface *intf)
+--
+2.30.2
+
diff --git a/queue-5.4/nl80211-validate-key-indexes-for-cfg80211_registered.patch b/queue-5.4/nl80211-validate-key-indexes-for-cfg80211_registered.patch
new file mode 100644
index 00000000000..83afe908b20
--- /dev/null
+++ b/queue-5.4/nl80211-validate-key-indexes-for-cfg80211_registered.patch
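Review bot: The new checks in cdc_ncm_speed_change() and cdc_ncm_status() only drop notifications that repeat the previous state, so a device whose reported speed or link state changes on every notification would still produce one log line each time, and the dmesg overwrite described in the commit message remains possible in that case. Since the values come from the attached USB device, I would also rate-limit the messages, for example by guarding the speed print with `if (net_ratelimit())`; the print itself is below the hunk, so its exact form is inferred from the "Do print it instead" comment. The cached `dev->rx_speed` and `dev->tx_speed` are not cleared anywhere in the visible lines when the link goes down, so a reconnect at the same speed may log no speed line; please confirm that is intended. Both functions continue outside the hunk.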
@@ -0,0 +1,133 @@
+From ffabb14e19c58ced11393dcd98d1a61f6c37958b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Jun 2021 09:28:52 -0700
+Subject: nl80211: validate key indexes for cfg80211_registered_device
+
+From: Anant Thazhemadam
+
+commit 2d9463083ce92636a1bdd3e30d1236e3e95d859e upstream
+
+syzbot discovered a bug in which an OOB access was being made because
+an unsuitable key_idx value was wrongly considered to be acceptable
+while deleting a key in nl80211_del_key().
+
+Since we don't know the cipher at the time of deletion, if
+cfg80211_validate_key_settings() were to be called directly in
+nl80211_del_key(), even valid keys would be wrongly determined invalid,
+and deletion wouldn't occur correctly.
+For this reason, a new function - cfg80211_valid_key_idx(), has been
+created, to determine if the key_idx value provided is valid or not.
+cfg80211_valid_key_idx() is directly called in 2 places -
+nl80211_del_key(), and cfg80211_validate_key_settings().
+
+Reported-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com
+Tested-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com
+Suggested-by: Johannes Berg
+Signed-off-by: Anant Thazhemadam
+Link: https://lore.kernel.org/r/20201204215825.129879-1-anant.thazhemadam@gmail.com
+Cc: stable@vger.kernel.org
+[also disallow IGTK key IDs if no IGTK cipher is supported]
+Signed-off-by: Johannes Berg
+Signed-off-by: Zubin Mithra
+Signed-off-by: Sasha Levin
+---
+ net/wireless/core.h | 2 ++
+ net/wireless/nl80211.c | 7 ++++---
+ net/wireless/util.c | 39 ++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 44 insertions(+), 4 deletions(-)
+
+diff --git a/net/wireless/core.h b/net/wireless/core.h
+index d83c8e009448..17621d22fb17 100644
+--- a/net/wireless/core.h
++++ b/net/wireless/core.h
+@@ -433,6 +433,8 @@ void cfg80211_sme_abandon_assoc(struct wireless_dev *wdev);
+
+ /* internal helpers */
+ bool cfg80211_supported_cipher_suite(struct wiphy *wiphy, u32 cipher);
++bool cfg80211_valid_key_idx(struct cfg80211_registered_device *rdev,
++ int key_idx, bool pairwise);
+ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
+ struct key_params *params, int key_idx,
+ bool pairwise, const u8 *mac_addr);
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 5bb2316befb9..7b170ed6923e 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3979,9 +3979,6 @@ static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
+ if (err)
+ return err;
+
+- if (key.idx < 0)
+- return -EINVAL;
+-
+ if (info->attrs[NL80211_ATTR_MAC])
+ mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
+
+@@ -3997,6 +3994,10 @@ static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
+ key.type != NL80211_KEYTYPE_GROUP)
+ return -EINVAL;
+
++ if (!cfg80211_valid_key_idx(rdev, key.idx,
++ key.type == NL80211_KEYTYPE_PAIRWISE))
++ return -EINVAL;
++
+ if (!rdev->ops->del_key)
+ return -EOPNOTSUPP;
+
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index 82244e2fc1f5..4eae6ad32851 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -229,11 +229,48 @@ bool cfg80211_supported_cipher_suite(struct wiphy *wiphy, u32 cipher)
+ return false;
+ }
+
++static bool
++cfg80211_igtk_cipher_supported(struct cfg80211_registered_device *rdev)
++{
++ struct wiphy *wiphy = &rdev->wiphy;
++ int i;
++
++ for (i = 0; i < wiphy->n_cipher_suites; i++) {
++ switch (wiphy->cipher_suites[i]) {
++ case WLAN_CIPHER_SUITE_AES_CMAC:
++ case WLAN_CIPHER_SUITE_BIP_CMAC_256:
++ case WLAN_CIPHER_SUITE_BIP_GMAC_128:
++ case WLAN_CIPHER_SUITE_BIP_GMAC_256:
++ return true;
++ }
++ }
++
++ return false;
++}
++
++bool cfg80211_valid_key_idx(struct cfg80211_registered_device *rdev,
++ int key_idx, bool pairwise)
++{
++ int max_key_idx;
++
++ if (pairwise)
++ max_key_idx = 3;
++ else if (cfg80211_igtk_cipher_supported(rdev))
++ max_key_idx = 5;
++ else
++ max_key_idx = 3;
++
++ if (key_idx < 0 || key_idx > max_key_idx)
++ return false;
++
++ return true;
++}
++
+ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
+ struct key_params *params, int key_idx,
+ bool pairwise, const u8 *mac_addr)
+ {
+- if (key_idx < 0 || key_idx > 5)
++ if (!cfg80211_valid_key_idx(rdev, key_idx, pairwise))
+ return -EINVAL;
+
+ if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
+--
+2.30.2
+
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..ae5f9577699
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1,4 @@
+btrfs-tree-checker-do-not-error-out-if-extent-ref-ha.patch
+net-usb-cdc_ncm-don-t-spew-notifications.patch
+alsa-usb-update-old-style-static-const-declaration.patch
+nl80211-validate-key-indexes-for-cfg80211_registered.patch
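Review bot: In cfg80211_valid_key_idx() (the net/wireless/util.c hunk of the nl80211 patch) the bounds 3 and 5 are bare literals, although this function is now the one place that decides whether a key index supplied over netlink is in range, and the commit message attributes an OOB access to exactly such an unchecked index. I would state the reason next to them, e.g. `/* key IDs 0-3: pairwise/group keys; 4-5: IGTK, only when a BIP cipher is supported */`, so that a later extension of the range is made deliberately and in one place. The `switch` in cfg80211_igtk_cipher_supported() has no `default:`; adding `default: break;` makes it explicit that other suites are skipped. In nl80211_del_key() the new call relies on `key.type` already being limited to pairwise or group by the check just above it, which is only partly visible in the hunk.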