From: Sasha Levin Date: Sun, 1 Sep 2024 11:25:53 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v4.19.321~13 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8c182393989aac302400d9ce4c51d6a9d05ae3fd;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/apparmor-fix-policy_unpack_test-on-big-endian-system.patch b/queue-5.15/apparmor-fix-policy_unpack_test-on-big-endian-system.patch new file mode 100644 index 00000000000..a15717244e4 --- /dev/null +++ b/queue-5.15/apparmor-fix-policy_unpack_test-on-big-endian-system.patch 
@@ -0,0 +1,69 @@ +From 8d7ad74f30d30a533061e53b712e211e75919c73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Aug 2024 08:50:03 -0700 +Subject: apparmor: fix policy_unpack_test on big endian systems + +From: Guenter Roeck + +[ Upstream commit 98c0cc48e27e9d269a3e4db2acd72b486c88ec77 ] + +policy_unpack_test fails on big endian systems because data byte order +is expected to be little endian but is generated in host byte order. +This results in test failures such as: + + # policy_unpack_test_unpack_array_with_null_name: EXPECTATION FAILED at security/apparmor/policy_unpack_test.c:150 + Expected array_size == (u16)16, but + array_size == 4096 (0x1000) + (u16)16 == 16 (0x10) + # policy_unpack_test_unpack_array_with_null_name: pass:0 fail:1 skip:0 total:1 + not ok 3 policy_unpack_test_unpack_array_with_null_name + # policy_unpack_test_unpack_array_with_name: EXPECTATION FAILED at security/apparmor/policy_unpack_test.c:164 + Expected array_size == (u16)16, but + array_size == 4096 (0x1000) + (u16)16 == 16 (0x10) + # policy_unpack_test_unpack_array_with_name: pass:0 fail:1 skip:0 total:1 + +Add the missing endianness conversions when generating test data. 
+ +Fixes: 4d944bcd4e73 ("apparmor: add AppArmor KUnit tests for policy unpack") +Cc: Brendan Higgins +Cc: Kees Cook +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + security/apparmor/policy_unpack_test.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/security/apparmor/policy_unpack_test.c b/security/apparmor/policy_unpack_test.c +index 533137f45361c..4951d9bef5794 100644 +--- a/security/apparmor/policy_unpack_test.c ++++ b/security/apparmor/policy_unpack_test.c +@@ -78,14 +78,14 @@ struct aa_ext *build_aa_ext_struct(struct policy_unpack_fixture *puf, + *(buf + 1) = strlen(TEST_U32_NAME) + 1; + strcpy(buf + 3, TEST_U32_NAME); + *(buf + 3 + strlen(TEST_U32_NAME) + 1) = AA_U32; +- *((u32 *)(buf + 3 + strlen(TEST_U32_NAME) + 2)) = TEST_U32_DATA; ++ *((__le32 *)(buf + 3 + strlen(TEST_U32_NAME) + 2)) = cpu_to_le32(TEST_U32_DATA); + + buf = e->start + TEST_NAMED_U64_BUF_OFFSET; + *buf = AA_NAME; + *(buf + 1) = strlen(TEST_U64_NAME) + 1; + strcpy(buf + 3, TEST_U64_NAME); + *(buf + 3 + strlen(TEST_U64_NAME) + 1) = AA_U64; +- *((u64 *)(buf + 3 + strlen(TEST_U64_NAME) + 2)) = TEST_U64_DATA; ++ *((__le64 *)(buf + 3 + strlen(TEST_U64_NAME) + 2)) = cpu_to_le64(TEST_U64_DATA); + + buf = e->start + TEST_NAMED_BLOB_BUF_OFFSET; + *buf = AA_NAME; +@@ -101,7 +101,7 @@ struct aa_ext *build_aa_ext_struct(struct policy_unpack_fixture *puf, + *(buf + 1) = strlen(TEST_ARRAY_NAME) + 1; + strcpy(buf + 3, TEST_ARRAY_NAME); + *(buf + 3 + strlen(TEST_ARRAY_NAME) + 1) = AA_ARRAY; +- *((u16 *)(buf + 3 + strlen(TEST_ARRAY_NAME) + 2)) = TEST_ARRAY_SIZE; ++ *((__le16 *)(buf + 3 + strlen(TEST_ARRAY_NAME) + 2)) = cpu_to_le16(TEST_ARRAY_SIZE); + + return e; + } +-- +2.43.0 + diff --git a/queue-5.15/scsi-aacraid-fix-double-free-on-probe-failure.patch b/queue-5.15/scsi-aacraid-fix-double-free-on-probe-failure.patch new file mode 100644 index 00000000000..28c8ee5806e --- /dev/null +++ b/queue-5.15/scsi-aacraid-fix-double-free-on-probe-failure.patch 
@@ -0,0 +1,54 @@ +From 461dbdf61d204db4a4c8aa75bee28d6857af09d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 00:51:42 +0200 +Subject: scsi: aacraid: Fix double-free on probe failure + +From: Ben Hutchings + +[ Upstream commit 919ddf8336f0b84c0453bac583808c9f165a85c2 ] + +aac_probe_one() calls hardware-specific init functions through the +aac_driver_ident::init pointer, all of which eventually call down to +aac_init_adapter(). + +If aac_init_adapter() fails after allocating memory for aac_dev::queues, +it frees the memory but does not clear that member. + +After the hardware-specific init function returns an error, +aac_probe_one() goes down an error path that frees the memory pointed to +by aac_dev::queues, resulting.in a double-free. + +Reported-by: Michael Gordon +Link: https://bugs.debian.org/1075855 +Fixes: 8e0c5ebde82b ("[SCSI] aacraid: Newer adapter communication iterface support") +Signed-off-by: Ben Hutchings +Link: https://lore.kernel.org/r/ZsZvfqlQMveoL5KQ@decadent.org.uk +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aacraid/comminit.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c +index 355b16f0b1456..34e45c87cae03 100644 +--- a/drivers/scsi/aacraid/comminit.c ++++ b/drivers/scsi/aacraid/comminit.c +@@ -642,6 +642,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev) + + if (aac_comm_init(dev)<0){ + kfree(dev->queues); ++ dev->queues = NULL; + return NULL; + } + /* +@@ -649,6 +650,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev) + */ + if (aac_fib_setup(dev) < 0) { + kfree(dev->queues); ++ dev->queues = NULL; + return NULL; + } + +-- +2.43.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 6c49af5f2c3..e99de7c5a1b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -211,3 +211,5 @@ usb-cdnsp-fix-for-link-trb-with-tc.patch phy-zynqmp-enable-reference-clock-correctly.patch igc-fix-reset-adapter-logics-when-tx-mode-change.patch igc-fix-qbv-tx-latency-by-setting-gtxoffset.patch +scsi-aacraid-fix-double-free-on-probe-failure.patch +apparmor-fix-policy_unpack_test-on-big-endian-system.patch
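Review bot: In build_aa_ext_struct() (security/apparmor/policy_unpack_test.c, hunk at -78,14), the converted stores still write through a cast pointer at `buf + 3 + strlen(TEST_U32_NAME) + 2`, an address whose alignment depends on the name length and on the TEST_*_BUF_OFFSET values, which the hunk does not show. A `__le32` or `__le64` store there can be misaligned on strict-alignment architectures, which are often the same big-endian targets this fix is aimed at. `put_unaligned_le32(TEST_U32_DATA, buf + 3 + strlen(TEST_U32_NAME) + 2)` and the matching `put_unaligned_le64()` do the byte-order conversion and an alignment-safe store in one call and remove the casts. The same applies to the `__le16` store of TEST_ARRAY_SIZE in the hunk at -101,7, where `put_unaligned_le16()` fits.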
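Review bot: In aac_init_adapter() (drivers/scsi/aacraid/comminit.c, hunk at -642,6), the added `dev->queues = NULL;` is only understandable with the commit message in hand: the reason it is needed is that aac_probe_one() frees dev->queues again on its own error path, and nothing at the assignment says so. A short comment there naming the caller's cleanup would keep a later edit from dropping the line as redundant. Alternatively, leave the free to the caller's error path alone, so that dev->queues has a single owner on failure and no clearing is needed.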
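Review bot: The hunk at -649,6 in drivers/scsi/aacraid/comminit.c repeats the same three-line sequence (`kfree(dev->queues);`, `dev->queues = NULL;`, `return NULL;`) that the aac_comm_init() failure branch just above it now carries. Folding both branches into one error label reached by goto would keep the free and the clear together, so a failure exit added to aac_init_adapter() later cannot free the queues without also clearing the pointer.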