From: Greg Kroah-Hartman Date: Wed, 28 Dec 2022 09:18:33 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v5.15.86~41 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=918fc5a3f50ded90cdfbb77134e7df362540594c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: 9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch reiserfs-add-missing-calls-to-reiserfs_security_free.patch --- diff --git a/queue-4.19/9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch b/queue-4.19/9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch new file mode 100644 index 00000000000..c6e523ca2e4 --- /dev/null +++ b/queue-4.19/9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch @@ -0,0 +1,96 @@ +From 26273ade77f54716e30dfd40ac6e85ceb54ac0f9 Mon Sep 17 00:00:00 2001 +From: Schspa Shi +Date: Thu, 1 Dec 2022 11:33:10 +0800 +Subject: 9p: set req refcount to zero to avoid uninitialized usage + +From: Schspa Shi + +commit 26273ade77f54716e30dfd40ac6e85ceb54ac0f9 upstream. + +When a new request is allocated, the refcount will be zero if it is +reused, but if the request is newly allocated from slab, it is not fully +initialized before being added to idr. + +If the p9_read_work got a response before the refcount initiated. It will +use a uninitialized req, which will result in a bad request data struct. + +Here is the logs from syzbot. + +Corrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00 +0x00 0x00 . . . . . . . . ] (in kfence-#110): + p9_fcall_fini net/9p/client.c:248 [inline] + p9_req_put net/9p/client.c:396 [inline] + p9_req_put+0x208/0x250 net/9p/client.c:390 + p9_client_walk+0x247/0x540 net/9p/client.c:1165 + clone_fid fs/9p/fid.h:21 [inline] + v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118 + v9fs_xattr_set fs/9p/xattr.c:100 [inline] + v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159 + __vfs_setxattr+0x119/0x180 fs/xattr.c:182 + __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216 + __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277 + vfs_setxattr+0x143/0x340 fs/xattr.c:309 + setxattr+0x146/0x160 fs/xattr.c:617 + path_setxattr+0x197/0x1c0 fs/xattr.c:636 + __do_sys_setxattr fs/xattr.c:652 [inline] + __se_sys_setxattr fs/xattr.c:648 [inline] + __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648 + do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] + __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 + do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 + entry_SYSENTER_compat_after_hwframe+0x70/0x82 + +Below is a similar scenario, the scenario in the syzbot log looks more +complicated than this one, but this patch can fix it. + + T21124 p9_read_work +======================== second trans ================================= +p9_client_walk + p9_client_rpc + p9_client_prepare_req + p9_tag_alloc + req = kmem_cache_alloc(p9_req_cache, GFP_NOFS); + tag = idr_alloc + << preempted >> + req->tc.tag = tag; + /* req->[refcount/tag] == uninitialized */ + m->rreq = p9_tag_lookup(m->client, m->rc.tag); + /* increments uninitalized refcount */ + + refcount_set(&req->refcount, 2); + /* cb drops one ref */ + p9_client_cb(req) + /* reader thread drops its ref: + request is incorrectly freed */ + p9_req_put(req) + /* use after free and ref underflow */ + p9_req_put(req) + +To fix it, we can initialize the refcount to zero before add to idr. + +Link: https://lkml.kernel.org/r/20221201033310.18589-1-schspa@gmail.com +Cc: stable@vger.kernel.org # 6.0+ due to 6cda12864cb0 ("9p: Drop kref usage") +Fixes: 728356dedeff ("9p: Add refcount to p9_req_t") +Reported-by: syzbot+8f1060e2aaf8ca55220b@syzkaller.appspotmail.com +Signed-off-by: Schspa Shi +Reviewed-by: Christian Schoenebeck +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman +--- + net/9p/client.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -298,6 +298,11 @@ p9_tag_alloc(struct p9_client *c, int8_t + p9pdu_reset(&req->rc); + req->t_err = 0; + req->status = REQ_STATUS_ALLOC; ++ /* refcount needs to be set to 0 before inserting into the idr ++ * so p9_tag_lookup does not accept a request that is not fully ++ * initialized. refcount_set to 2 below will mark request ready. ++ */ ++ refcount_set(&req->refcount, 0); + init_waitqueue_head(&req->wq); + INIT_LIST_HEAD(&req->req_list); + diff --git a/queue-4.19/hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch b/queue-4.19/hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch new file mode 100644 index 00000000000..1f5fa9bd637 --- /dev/null +++ b/queue-4.19/hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch @@ -0,0 +1,89 @@ +From 1db1f392591aff13fd643f0ec7c1d5e27391d700 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Thu, 1 Dec 2022 15:11:41 -0800 +Subject: HID: wacom: Ensure bootloader PID is usable in hidraw mode + +From: Jason Gerecke + +commit 1db1f392591aff13fd643f0ec7c1d5e27391d700 upstream. + +Some Wacom devices have a special "bootloader" mode that is used for +firmware flashing. When operating in this mode, the device cannot be +used for input, and the HID descriptor is not able to be processed by +the driver. The driver generates an "Unknown device_type" warning and +then returns an error code from wacom_probe(). This is a problem because +userspace still needs to be able to interact with the device via hidraw +to perform the firmware flash. + +This commit adds a non-generic device definition for 056a:0094 which +is used when devices are in "bootloader" mode. It marks the devices +with a special BOOTLOADER type that is recognized by wacom_probe() and +wacom_raw_event(). When we see this type we ensure a hidraw device is +created and otherwise keep our hands off so that userspace is in full +control. + +Signed-off-by: Jason Gerecke +Tested-by: Tatsunosuke Tobita +Cc: +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_sys.c | 8 ++++++++ + drivers/hid/wacom_wac.c | 4 ++++ + drivers/hid/wacom_wac.h | 1 + + 3 files changed, 13 insertions(+) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -163,6 +163,9 @@ static int wacom_raw_event(struct hid_de + { + struct wacom *wacom = hid_get_drvdata(hdev); + ++ if (wacom->wacom_wac.features.type == BOOTLOADER) ++ return 0; ++ + if (size > WACOM_PKGLEN_MAX) + return 1; + +@@ -2759,6 +2762,11 @@ static int wacom_probe(struct hid_device + goto fail; + } + ++ if (features->type == BOOTLOADER) { ++ hid_warn(hdev, "Using device in hidraw-only mode"); ++ return hid_hw_start(hdev, HID_CONNECT_HIDRAW); ++ } ++ + error = wacom_parse_and_register(wacom, false); + if (error) + goto fail; +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -4680,6 +4680,9 @@ static const struct wacom_features wacom + static const struct wacom_features wacom_features_HID_ANY_ID = + { "Wacom HID", .type = HID_GENERIC, .oVid = HID_ANY_ID, .oPid = HID_ANY_ID }; + ++static const struct wacom_features wacom_features_0x94 = ++ { "Wacom Bootloader", .type = BOOTLOADER }; ++ + #define USB_DEVICE_WACOM(prod) \ + HID_DEVICE(BUS_USB, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\ + .driver_data = (kernel_ulong_t)&wacom_features_##prod +@@ -4753,6 +4756,7 @@ const struct hid_device_id wacom_ids[] = + { USB_DEVICE_WACOM(0x84) }, + { USB_DEVICE_WACOM(0x90) }, + { USB_DEVICE_WACOM(0x93) }, ++ { USB_DEVICE_WACOM(0x94) }, + { USB_DEVICE_WACOM(0x97) }, + { USB_DEVICE_WACOM(0x9A) }, + { USB_DEVICE_WACOM(0x9F) }, +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -244,6 +244,7 @@ enum { + MTTPC, + MTTPC_B, + HID_GENERIC, ++ BOOTLOADER, + MAX_TYPE + }; + diff --git a/queue-4.19/iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch b/queue-4.19/iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch new file mode 100644 index 00000000000..0850450cf3e --- /dev/null +++ b/queue-4.19/iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch @@ -0,0 +1,54 @@ +From 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Tue, 20 Sep 2022 13:28:07 +0200 +Subject: iio: adc: ad_sigma_delta: do not use internal iio_dev lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 upstream. + +Drop 'mlock' usage by making use of iio_device_claim_direct_mode(). +This change actually makes sure we cannot do a single conversion while +buffering is enable. Note there was a potential race in the previous +code since we were only acquiring the lock after checking if the bus is +enabled. + +Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices") +Signed-off-by: Nuno Sá +Reviewed-by: Miquel Raynal +Cc: #No rush as race is very old. +Link: https://lore.kernel.org/r/20220920112821.975359-2-nuno.sa@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad_sigma_delta.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -283,10 +283,10 @@ int ad_sigma_delta_single_conversion(str + unsigned int sample, raw_sample; + int ret = 0; + +- if (iio_buffer_enabled(indio_dev)) +- return -EBUSY; ++ ret = iio_device_claim_direct_mode(indio_dev); ++ if (ret) ++ return ret; + +- mutex_lock(&indio_dev->mlock); + ad_sigma_delta_set_channel(sigma_delta, chan->address); + + spi_bus_lock(sigma_delta->spi->master); +@@ -320,7 +320,7 @@ out: + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + sigma_delta->bus_locked = false; + spi_bus_unlock(sigma_delta->spi->master); +- mutex_unlock(&indio_dev->mlock); ++ iio_device_release_direct_mode(indio_dev); + + if (ret) + return ret; diff --git a/queue-4.19/reiserfs-add-missing-calls-to-reiserfs_security_free.patch b/queue-4.19/reiserfs-add-missing-calls-to-reiserfs_security_free.patch new file mode 100644 index 00000000000..aa48b3d4baa --- /dev/null +++ b/queue-4.19/reiserfs-add-missing-calls-to-reiserfs_security_free.patch @@ -0,0 +1,89 @@ +From 572302af1258459e124437b8f3369357447afac7 Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Thu, 10 Nov 2022 10:46:35 +0100 +Subject: reiserfs: Add missing calls to reiserfs_security_free() + +From: Roberto Sassu + +commit 572302af1258459e124437b8f3369357447afac7 upstream. + +Commit 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes +during inode creation") defined reiserfs_security_free() to free the name +and value of a security xattr allocated by the active LSM through +security_old_inode_init_security(). However, this function is not called +in the reiserfs code. + +Thus, add a call to reiserfs_security_free() whenever +reiserfs_security_init() is called, and initialize value to NULL, to avoid +to call kfree() on an uninitialized pointer. + +Finally, remove the kfree() for the xattr name, as it is not allocated +anymore. + +Fixes: 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes during inode creation") +Cc: stable@vger.kernel.org +Cc: Jeff Mahoney +Cc: Tetsuo Handa +Reported-by: Mimi Zohar +Reported-by: Tetsuo Handa +Signed-off-by: Roberto Sassu +Reviewed-by: Mimi Zohar +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + fs/reiserfs/namei.c | 4 ++++ + fs/reiserfs/xattr_security.c | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/reiserfs/namei.c ++++ b/fs/reiserfs/namei.c +@@ -695,6 +695,7 @@ static int reiserfs_create(struct inode + + out_failed: + reiserfs_write_unlock(dir->i_sb); ++ reiserfs_security_free(&security); + return retval; + } + +@@ -778,6 +779,7 @@ static int reiserfs_mknod(struct inode * + + out_failed: + reiserfs_write_unlock(dir->i_sb); ++ reiserfs_security_free(&security); + return retval; + } + +@@ -876,6 +878,7 @@ static int reiserfs_mkdir(struct inode * + retval = journal_end(&th); + out_failed: + reiserfs_write_unlock(dir->i_sb); ++ reiserfs_security_free(&security); + return retval; + } + +@@ -1191,6 +1194,7 @@ static int reiserfs_symlink(struct inode + retval = journal_end(&th); + out_failed: + reiserfs_write_unlock(parent_dir->i_sb); ++ reiserfs_security_free(&security); + return retval; + } + +--- a/fs/reiserfs/xattr_security.c ++++ b/fs/reiserfs/xattr_security.c +@@ -49,6 +49,7 @@ int reiserfs_security_init(struct inode + int error; + + sec->name = NULL; ++ sec->value = NULL; + + /* Don't add selinux attributes on xattrs - they'll never get used */ + if (IS_PRIVATE(dir)) +@@ -94,7 +95,6 @@ int reiserfs_security_write(struct reise + + void reiserfs_security_free(struct reiserfs_security_handle *sec) + { +- kfree(sec->name); + kfree(sec->value); + sec->name = NULL; + sec->value = NULL; diff --git a/queue-4.19/series b/queue-4.19/series index f399b3b55d5..344c5a3ce01 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -359,3 +359,7 @@ pstore-switch-pmsg_lock-to-an-rt_mutex-to-avoid-prio.patch perf-debug-set-debug_peo_args-and-redirect_to_stderr.patch pstore-make-sure-config_pstore_pmsg-selects-config_r.patch usb-dwc3-core-defer-probe-on-ulpi_read_id-timeout.patch +hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch +9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch +reiserfs-add-missing-calls-to-reiserfs_security_free.patch +iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch