From: Greg Kroah-Hartman Date: Mon, 2 Dec 2024 15:31:50 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.19.325~80 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9314334007e104cf69c621cc4de050ed02a046e2;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch comedi-flush-partial-mappings-in-error-case.patch ext4-fix-fs_ioc_getfsmap-handling.patch ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch jfs-xattr-check-invalid-xattr-size-more-strictly.patch pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch --- diff --git a/queue-5.4/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch b/queue-5.4/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch new file mode 100644 index 00000000000..9c0e2735fc4 --- /dev/null +++ b/queue-5.4/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch @@ -0,0 +1,61 @@ +From 1157733344651ca505e259d6554591ff156922fa Mon Sep 17 00:00:00 2001 +From: Qiu-ji Chen +Date: Mon, 30 Sep 2024 18:12:16 +0800 +Subject: ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata() + +From: Qiu-ji Chen + +commit 1157733344651ca505e259d6554591ff156922fa upstream. + +An atomicity violation occurs when the validity of the variables +da7219->clk_src and da7219->mclk_rate is being assessed. Since the entire +assessment is not protected by a lock, the da7219 variable might still be +in flux during the assessment, rendering this check invalid. + +To fix this issue, we recommend adding a lock before the block +if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) so that +the legitimacy check for da7219->clk_src and da7219->mclk_rate is +protected by the lock, ensuring the validity of the check. + +This possible bug is found by an experimental static analysis tool +developed by our team. This tool analyzes the locking APIs +to extract function pairs that can be concurrently executed, and then +analyzes the instructions in the paired functions to identify possible +concurrency bugs including data races and atomicity violations. + +Fixes: 6d817c0e9fd7 ("ASoC: codecs: Add da7219 codec driver") +Cc: stable@vger.kernel.org +Signed-off-by: Qiu-ji Chen +Link: https://patch.msgid.link/20240930101216.23723-1-chenqiuji666@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/da7219.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/soc/codecs/da7219.c ++++ b/sound/soc/codecs/da7219.c +@@ -1167,17 +1167,20 @@ static int da7219_set_dai_sysclk(struct + struct da7219_priv *da7219 = snd_soc_component_get_drvdata(component); + int ret = 0; + +- if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) ++ mutex_lock(&da7219->pll_lock); ++ ++ if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) { ++ mutex_unlock(&da7219->pll_lock); + return 0; ++ } + + if ((freq < 2000000) || (freq > 54000000)) { ++ mutex_unlock(&da7219->pll_lock); + dev_err(codec_dai->dev, "Unsupported MCLK value %d\n", + freq); + return -EINVAL; + } + +- mutex_lock(&da7219->pll_lock); +- + switch (clk_id) { + case DA7219_CLKSRC_MCLK_SQR: + snd_soc_component_update_bits(component, DA7219_PLL_CTRL, diff --git a/queue-5.4/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch b/queue-5.4/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch new file mode 100644 index 00000000000..976e0b1a2ae --- /dev/null +++ b/queue-5.4/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch @@ -0,0 +1,83 @@ +From 5fe6caa62b07fd39cd6a28acc8f92ba2955e11a6 Mon Sep 17 00:00:00 2001 +From: Andrej Shadura +Date: Wed, 9 Oct 2024 14:14:24 +0200 +Subject: Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}() + +From: Andrej Shadura + +commit 5fe6caa62b07fd39cd6a28acc8f92ba2955e11a6 upstream. + +Commit 9bf4e919ccad worked around an issue introduced after an innocuous +optimisation change in LLVM main: + +> len is defined as an 'int' because it is assigned from +> '__user int *optlen'. However, it is clamped against the result of +> sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit +> platforms). This is done with min_t() because min() requires compatible +> types, which results in both len and the result of sizeof() being casted +> to 'unsigned int', meaning len changes signs and the result of sizeof() +> is truncated. From there, len is passed to copy_to_user(), which has a +> third parameter type of 'unsigned long', so it is widened and changes +> signs again. This excessive casting in combination with the KCSAN +> instrumentation causes LLVM to fail to eliminate the __bad_copy_from() +> call, failing the build. + +The same issue occurs in rfcomm in functions rfcomm_sock_getsockopt and +rfcomm_sock_getsockopt_old. + +Change the type of len to size_t in both rfcomm_sock_getsockopt and +rfcomm_sock_getsockopt_old and replace min_t() with min(). + +Cc: stable@vger.kernel.org +Co-authored-by: Aleksei Vetrov +Improves: 9bf4e919ccad ("Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()") +Link: https://github.com/ClangBuiltLinux/linux/issues/2007 +Link: https://github.com/llvm/llvm-project/issues/85647 +Signed-off-by: Andrej Shadura +Reviewed-by: Nathan Chancellor +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/rfcomm/sock.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -736,7 +736,8 @@ static int rfcomm_sock_getsockopt_old(st + struct sock *l2cap_sk; + struct l2cap_conn *conn; + struct rfcomm_conninfo cinfo; +- int len, err = 0; ++ int err = 0; ++ size_t len; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -790,7 +791,7 @@ static int rfcomm_sock_getsockopt_old(st + cinfo.hci_handle = conn->hcon->handle; + memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); + +- len = min_t(unsigned int, len, sizeof(cinfo)); ++ len = min(len, sizeof(cinfo)); + if (copy_to_user(optval, (char *) &cinfo, len)) + err = -EFAULT; + +@@ -809,7 +810,8 @@ static int rfcomm_sock_getsockopt(struct + { + struct sock *sk = sock->sk; + struct bt_security sec; +- int len, err = 0; ++ int err = 0; ++ size_t len; + + BT_DBG("sk %p", sk); + +@@ -834,7 +836,7 @@ static int rfcomm_sock_getsockopt(struct + sec.level = rfcomm_pi(sk)->sec_level; + sec.key_size = 0; + +- len = min_t(unsigned int, len, sizeof(sec)); ++ len = min(len, sizeof(sec)); + if (copy_to_user(optval, (char *) &sec, len)) + err = -EFAULT; + diff --git a/queue-5.4/comedi-flush-partial-mappings-in-error-case.patch b/queue-5.4/comedi-flush-partial-mappings-in-error-case.patch new file mode 100644 index 00000000000..0a87a417005 --- /dev/null +++ b/queue-5.4/comedi-flush-partial-mappings-in-error-case.patch @@ -0,0 +1,49 @@ +From ce8f9fb651fac95dd41f69afe54d935420b945bd Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Thu, 17 Oct 2024 21:07:45 +0200 +Subject: comedi: Flush partial mappings in error case + +From: Jann Horn + +commit ce8f9fb651fac95dd41f69afe54d935420b945bd upstream. + +If some remap_pfn_range() calls succeeded before one failed, we still have +buffer pages mapped into the userspace page tables when we drop the buffer +reference with comedi_buf_map_put(bm). The userspace mappings are only +cleaned up later in the mmap error path. + +Fix it by explicitly flushing all mappings in our VMA on the error path. + +See commit 79a61cc3fc04 ("mm: avoid leaving partial pfn mappings around in +error case"). + +Cc: stable@vger.kernel.org +Fixes: ed9eccbe8970 ("Staging: add comedi core") +Signed-off-by: Jann Horn +Link: https://lore.kernel.org/r/20241017-comedi-tlb-v3-1-16b82f9372ce@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/comedi/comedi_fops.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -2383,6 +2383,18 @@ static int comedi_mmap(struct file *file + + start += PAGE_SIZE; + } ++ ++#ifdef CONFIG_MMU ++ /* ++ * Leaving behind a partial mapping of a buffer we're about to ++ * drop is unsafe, see remap_pfn_range_notrack(). ++ * We need to zap the range here ourselves instead of relying ++ * on the automatic zapping in remap_pfn_range() because we call ++ * remap_pfn_range() in a loop. ++ */ ++ if (retval) ++ zap_vma_ptes(vma, vma->vm_start, size); ++#endif + } + + if (retval == 0) { diff --git a/queue-5.4/ext4-fix-fs_ioc_getfsmap-handling.patch b/queue-5.4/ext4-fix-fs_ioc_getfsmap-handling.patch new file mode 100644 index 00000000000..7131bd76f39 --- /dev/null +++ b/queue-5.4/ext4-fix-fs_ioc_getfsmap-handling.patch @@ -0,0 +1,158 @@ +From 4a622e4d477bb12ad5ed4abbc7ad1365de1fa347 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 23 Oct 2024 00:25:37 -0400 +Subject: ext4: fix FS_IOC_GETFSMAP handling + +From: Theodore Ts'o + +commit 4a622e4d477bb12ad5ed4abbc7ad1365de1fa347 upstream. + +The original implementation ext4's FS_IOC_GETFSMAP handling only +worked when the range of queried blocks included at least one free +(unallocated) block range. This is because how the metadata blocks +were emitted was as a side effect of ext4_mballoc_query_range() +calling ext4_getfsmap_datadev_helper(), and that function was only +called when a free block range was identified. As a result, this +caused generic/365 to fail. + +Fix this by creating a new function ext4_getfsmap_meta_helper() which +gets called so that blocks before the first free block range in a +block group can get properly reported. + +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/fsmap.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++- + fs/ext4/mballoc.c | 18 ++++++++++++++---- + fs/ext4/mballoc.h | 1 + + 3 files changed, 68 insertions(+), 5 deletions(-) + +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -185,6 +185,56 @@ static inline ext4_fsblk_t ext4_fsmap_ne + return fmr->fmr_physical + fmr->fmr_length; + } + ++static int ext4_getfsmap_meta_helper(struct super_block *sb, ++ ext4_group_t agno, ext4_grpblk_t start, ++ ext4_grpblk_t len, void *priv) ++{ ++ struct ext4_getfsmap_info *info = priv; ++ struct ext4_fsmap *p; ++ struct ext4_fsmap *tmp; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); ++ ext4_fsblk_t fsb, fs_start, fs_end; ++ int error; ++ ++ fs_start = fsb = (EXT4_C2B(sbi, start) + ++ ext4_group_first_block_no(sb, agno)); ++ fs_end = fs_start + EXT4_C2B(sbi, len); ++ ++ /* Return relevant extents from the meta_list */ ++ list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) { ++ if (p->fmr_physical < info->gfi_next_fsblk) { ++ list_del(&p->fmr_list); ++ kfree(p); ++ continue; ++ } ++ if (p->fmr_physical <= fs_start || ++ p->fmr_physical + p->fmr_length <= fs_end) { ++ /* Emit the retained free extent record if present */ ++ if (info->gfi_lastfree.fmr_owner) { ++ error = ext4_getfsmap_helper(sb, info, ++ &info->gfi_lastfree); ++ if (error) ++ return error; ++ info->gfi_lastfree.fmr_owner = 0; ++ } ++ error = ext4_getfsmap_helper(sb, info, p); ++ if (error) ++ return error; ++ fsb = p->fmr_physical + p->fmr_length; ++ if (info->gfi_next_fsblk < fsb) ++ info->gfi_next_fsblk = fsb; ++ list_del(&p->fmr_list); ++ kfree(p); ++ continue; ++ } ++ } ++ if (info->gfi_next_fsblk < fsb) ++ info->gfi_next_fsblk = fsb; ++ ++ return 0; ++} ++ ++ + /* Transform a blockgroup's free record into a fsmap */ + static int ext4_getfsmap_datadev_helper(struct super_block *sb, + ext4_group_t agno, ext4_grpblk_t start, +@@ -539,6 +589,7 @@ static int ext4_getfsmap_datadev(struct + error = ext4_mballoc_query_range(sb, info->gfi_agno, + EXT4_B2C(sbi, info->gfi_low.fmr_physical), + EXT4_B2C(sbi, info->gfi_high.fmr_physical), ++ ext4_getfsmap_meta_helper, + ext4_getfsmap_datadev_helper, info); + if (error) + goto err; +@@ -560,7 +611,8 @@ static int ext4_getfsmap_datadev(struct + + /* Report any gaps at the end of the bg */ + info->gfi_last = true; +- error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster, 0, info); ++ error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, ++ 0, info); + if (error) + goto err; + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5432,13 +5432,14 @@ int + ext4_mballoc_query_range( + struct super_block *sb, + ext4_group_t group, +- ext4_grpblk_t start, ++ ext4_grpblk_t first, + ext4_grpblk_t end, ++ ext4_mballoc_query_range_fn meta_formatter, + ext4_mballoc_query_range_fn formatter, + void *priv) + { + void *bitmap; +- ext4_grpblk_t next; ++ ext4_grpblk_t start, next; + struct ext4_buddy e4b; + int error; + +@@ -5449,10 +5450,19 @@ ext4_mballoc_query_range( + + ext4_lock_group(sb, group); + +- start = max(e4b.bd_info->bb_first_free, start); ++ start = max(e4b.bd_info->bb_first_free, first); + if (end >= EXT4_CLUSTERS_PER_GROUP(sb)) + end = EXT4_CLUSTERS_PER_GROUP(sb) - 1; +- ++ if (meta_formatter && start != first) { ++ if (start > end) ++ start = end; ++ ext4_unlock_group(sb, group); ++ error = meta_formatter(sb, group, first, start - first, ++ priv); ++ if (error) ++ goto out_unload; ++ ext4_lock_group(sb, group); ++ } + while (start <= end) { + start = mb_find_next_zero_bit(bitmap, end + 1, start); + if (start > end) +--- a/fs/ext4/mballoc.h ++++ b/fs/ext4/mballoc.h +@@ -226,6 +226,7 @@ ext4_mballoc_query_range( + ext4_group_t agno, + ext4_grpblk_t start, + ext4_grpblk_t end, ++ ext4_mballoc_query_range_fn meta_formatter, + ext4_mballoc_query_range_fn formatter, + void *priv); + diff --git a/queue-5.4/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch b/queue-5.4/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch new file mode 100644 index 00000000000..2067b62c1ef --- /dev/null +++ b/queue-5.4/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch @@ -0,0 +1,83 @@ +From 902cc179c931a033cd7f4242353aa2733bf8524c Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Thu, 3 Oct 2024 21:53:37 +0900 +Subject: ext4: supress data-race warnings in ext4_free_inodes_{count,set}() + +From: Jeongjun Park + +commit 902cc179c931a033cd7f4242353aa2733bf8524c upstream. + +find_group_other() and find_group_orlov() read *_lo, *_hi with +ext4_free_inodes_count without additional locking. This can cause +data-race warning, but since the lock is held for most writes and free +inodes value is generally not a problem even if it is incorrect, it is +more appropriate to use READ_ONCE()/WRITE_ONCE() than to add locking. + +================================================================== +BUG: KCSAN: data-race in ext4_free_inodes_count / ext4_free_inodes_set + +write to 0xffff88810404300e of 2 bytes by task 6254 on cpu 1: + ext4_free_inodes_set+0x1f/0x80 fs/ext4/super.c:405 + __ext4_new_inode+0x15ca/0x2200 fs/ext4/ialloc.c:1216 + ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391 + vfs_symlink+0xca/0x1d0 fs/namei.c:4615 + do_symlinkat+0xe3/0x340 fs/namei.c:4641 + __do_sys_symlinkat fs/namei.c:4657 [inline] + __se_sys_symlinkat fs/namei.c:4654 [inline] + __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654 + x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +read to 0xffff88810404300e of 2 bytes by task 6257 on cpu 0: + ext4_free_inodes_count+0x1c/0x80 fs/ext4/super.c:349 + find_group_other fs/ext4/ialloc.c:594 [inline] + __ext4_new_inode+0x6ec/0x2200 fs/ext4/ialloc.c:1017 + ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391 + vfs_symlink+0xca/0x1d0 fs/namei.c:4615 + do_symlinkat+0xe3/0x340 fs/namei.c:4641 + __do_sys_symlinkat fs/namei.c:4657 [inline] + __se_sys_symlinkat fs/namei.c:4654 [inline] + __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654 + x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Cc: stable@vger.kernel.org +Signed-off-by: Jeongjun Park +Reviewed-by: Andreas Dilger +Link: https://patch.msgid.link/20241003125337.47283-1-aha310510@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -259,9 +259,9 @@ __u32 ext4_free_group_clusters(struct su + __u32 ext4_free_inodes_count(struct super_block *sb, + struct ext4_group_desc *bg) + { +- return le16_to_cpu(bg->bg_free_inodes_count_lo) | ++ return le16_to_cpu(READ_ONCE(bg->bg_free_inodes_count_lo)) | + (EXT4_DESC_SIZE(sb) >= EXT4_MIN_DESC_SIZE_64BIT ? +- (__u32)le16_to_cpu(bg->bg_free_inodes_count_hi) << 16 : 0); ++ (__u32)le16_to_cpu(READ_ONCE(bg->bg_free_inodes_count_hi)) << 16 : 0); + } + + __u32 ext4_used_dirs_count(struct super_block *sb, +@@ -315,9 +315,9 @@ void ext4_free_group_clusters_set(struct + void ext4_free_inodes_set(struct super_block *sb, + struct ext4_group_desc *bg, __u32 count) + { +- bg->bg_free_inodes_count_lo = cpu_to_le16((__u16)count); ++ WRITE_ONCE(bg->bg_free_inodes_count_lo, cpu_to_le16((__u16)count)); + if (EXT4_DESC_SIZE(sb) >= EXT4_MIN_DESC_SIZE_64BIT) +- bg->bg_free_inodes_count_hi = cpu_to_le16(count >> 16); ++ WRITE_ONCE(bg->bg_free_inodes_count_hi, cpu_to_le16(count >> 16)); + } + + void ext4_used_dirs_set(struct super_block *sb, diff --git a/queue-5.4/jfs-xattr-check-invalid-xattr-size-more-strictly.patch b/queue-5.4/jfs-xattr-check-invalid-xattr-size-more-strictly.patch new file mode 100644 index 00000000000..42289e27efe --- /dev/null +++ b/queue-5.4/jfs-xattr-check-invalid-xattr-size-more-strictly.patch @@ -0,0 +1,38 @@ +From d9f9d96136cba8fedd647d2c024342ce090133c2 Mon Sep 17 00:00:00 2001 +From: Artem Sadovnikov +Date: Sat, 5 Oct 2024 10:06:57 +0000 +Subject: jfs: xattr: check invalid xattr size more strictly + +From: Artem Sadovnikov + +commit d9f9d96136cba8fedd647d2c024342ce090133c2 upstream. + +Commit 7c55b78818cf ("jfs: xattr: fix buffer overflow for invalid xattr") +also addresses this issue but it only fixes it for positive values, while +ea_size is an integer type and can take negative values, e.g. in case of +a corrupted filesystem. This still breaks validation and would overflow +because of implicit conversion from int to size_t in print_hex_dump(). + +Fix this issue by clamping the ea_size value instead. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Cc: stable@vger.kernel.org +Signed-off-by: Artem Sadovnikov +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jfs/xattr.c ++++ b/fs/jfs/xattr.c +@@ -559,7 +559,7 @@ static int ea_get(struct inode *inode, s + + size_check: + if (EALIST_SIZE(ea_buf->xattr) != ea_size) { +- int size = min_t(int, EALIST_SIZE(ea_buf->xattr), ea_size); ++ int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); + + printk(KERN_ERR "ea_get: invalid extended attribute\n"); + print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1, diff --git a/queue-5.4/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch b/queue-5.4/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch new file mode 100644 index 00000000000..63da91d1ccf --- /dev/null +++ b/queue-5.4/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch @@ -0,0 +1,129 @@ +From c7acef99642b763ba585f4a43af999fcdbcc3dc4 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 10 Oct 2024 19:10:34 +0200 +Subject: PCI: Fix use-after-free of slot->bus on hot remove + +From: Lukas Wunner + +commit c7acef99642b763ba585f4a43af999fcdbcc3dc4 upstream. + +Dennis reports a boot crash on recent Lenovo laptops with a USB4 dock. + +Since commit 0fc70886569c ("thunderbolt: Reset USB4 v2 host router") and +commit 59a54c5f3dbd ("thunderbolt: Reset topology created by the boot +firmware"), USB4 v2 and v1 Host Routers are reset on probe of the +thunderbolt driver. + +The reset clears the Presence Detect State and Data Link Layer Link Active +bits at the USB4 Host Router's Root Port and thus causes hot removal of the +dock. + +The crash occurs when pciehp is unbound from one of the dock's Downstream +Ports: pciehp creates a pci_slot on bind and destroys it on unbind. The +pci_slot contains a pointer to the pci_bus below the Downstream Port, but +a reference on that pci_bus is never acquired. The pci_bus is destroyed +before the pci_slot, so a use-after-free ensues when pci_slot_release() +accesses slot->bus. + +In principle this should not happen because pci_stop_bus_device() unbinds +pciehp (and therefore destroys the pci_slot) before the pci_bus is +destroyed by pci_remove_bus_device(). + +However the stacktrace provided by Dennis shows that pciehp is unbound from +pci_remove_bus_device() instead of pci_stop_bus_device(). To understand +the significance of this, one needs to know that the PCI core uses a two +step process to remove a portion of the hierarchy: It first unbinds all +drivers in the sub-hierarchy in pci_stop_bus_device() and then actually +removes the devices in pci_remove_bus_device(). There is no precaution to +prevent driver binding in-between pci_stop_bus_device() and +pci_remove_bus_device(). + +In Dennis' case, it seems removal of the hierarchy by pciehp races with +driver binding by pci_bus_add_devices(). pciehp is bound to the +Downstream Port after pci_stop_bus_device() has run, so it is unbound by +pci_remove_bus_device() instead of pci_stop_bus_device(). Because the +pci_bus has already been destroyed at that point, accesses to it result in +a use-after-free. + +One might conclude that driver binding needs to be prevented after +pci_stop_bus_device() has run. However it seems risky that pci_slot points +to pci_bus without holding a reference. Solely relying on correct ordering +of driver unbind versus pci_bus destruction is certainly not defensive +programming. + +If pci_slot has a need to access data in pci_bus, it ought to acquire a +reference. Amend pci_create_slot() accordingly. Dennis reports that the +crash is not reproducible with this change. + +Abridged stacktrace: + + pcieport 0000:00:07.0: PME: Signaling with IRQ 156 + pcieport 0000:00:07.0: pciehp: Slot #12 AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+ Interlock- NoCompl+ IbPresDis- LLActRep+ + pci_bus 0000:20: dev 00, created physical slot 12 + pcieport 0000:00:07.0: pciehp: Slot(12): Card not present + ... + pcieport 0000:21:02.0: pciehp: pcie_disable_notification: SLOTCTRL d8 write cmd 0 + Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI + CPU: 13 UID: 0 PID: 134 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #1 + RIP: 0010:dev_driver_string+0x12/0x40 + pci_destroy_slot + pciehp_remove + pcie_port_remove_service + device_release_driver_internal + bus_remove_device + device_del + device_unregister + remove_iter + device_for_each_child + pcie_portdrv_remove + pci_device_remove + device_release_driver_internal + bus_remove_device + device_del + pci_remove_bus_device (recursive invocation) + pci_remove_bus_device + pciehp_unconfigure_device + pciehp_disable_slot + pciehp_handle_presence_or_link_change + pciehp_ist + +Link: https://lore.kernel.org/r/4bfd4c0e976c1776cd08e76603903b338cf25729.1728579288.git.lukas@wunner.de +Reported-by: Dennis Wassenberg +Closes: https://lore.kernel.org/r/6de4b45ff2b32dd91a805ec02ec8ec73ef411bf6.camel@secunet.com/ +Tested-by: Dennis Wassenberg +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Reviewed-by: Mika Westerberg +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/slot.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pci/slot.c ++++ b/drivers/pci/slot.c +@@ -115,6 +115,7 @@ static void pci_slot_release(struct kobj + up_read(&pci_bus_sem); + + list_del(&slot->list); ++ pci_bus_put(slot->bus); + + kfree(slot); + } +@@ -296,7 +297,7 @@ placeholder: + goto err; + } + +- slot->bus = parent; ++ slot->bus = pci_bus_get(parent); + slot->number = slot_nr; + + slot->kobj.kset = pci_slots_kset; +@@ -304,6 +305,7 @@ placeholder: + slot_name = make_slot_name(name); + if (!slot_name) { + err = -ENOMEM; ++ pci_bus_put(slot->bus); + kfree(slot); + goto err; + } diff --git a/queue-5.4/series b/queue-5.4/series index d543d3580c6..56771c18029 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -146,3 +146,12 @@ cgroup-make-operations-on-the-cgroup-root_list-rcu-safe.patch cgroup-move-rcu_head-up-near-the-top-of-cgroup_root.patch soc-qcom-socinfo-fix-revision-check-in-qcom_socinfo_probe.patch alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch +ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch +ext4-fix-fs_ioc_getfsmap-handling.patch +jfs-xattr-check-invalid-xattr-size-more-strictly.patch +asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch +pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch +comedi-flush-partial-mappings-in-error-case.patch +tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch +xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch +bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch diff --git a/queue-5.4/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch b/queue-5.4/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch new file mode 100644 index 00000000000..fd234192b2f --- /dev/null +++ b/queue-5.4/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch @@ -0,0 +1,41 @@ +From 635a9fca54f4f4148be1ae1c7c6bd37af80f5773 Mon Sep 17 00:00:00 2001 +From: Nicolas Bouchinet +Date: Tue, 12 Nov 2024 14:13:31 +0100 +Subject: tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler + +From: Nicolas Bouchinet + +commit 635a9fca54f4f4148be1ae1c7c6bd37af80f5773 upstream. + +Commit 7c0cca7c847e ("tty: ldisc: add sysctl to prevent autoloading of +ldiscs") introduces the tty_ldisc_autoload sysctl with the wrong +proc_handler. .extra1 and .extra2 parameters are set to avoid other values +thant SYSCTL_ZERO or SYSCTL_ONE to be set but proc_dointvec do not uses +them. + +This commit fixes this by using proc_dointvec_minmax instead of +proc_dointvec. + +Fixes: 7c0cca7c847e ("tty: ldisc: add sysctl to prevent autoloading of ldiscs") +Cc: stable +Signed-off-by: Nicolas Bouchinet +Reviewed-by: Lin Feng +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/20241112131357.49582-4-nicolas.bouchinet@clip-os.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/tty_ldisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -861,7 +861,7 @@ static struct ctl_table tty_table[] = { + .data = &tty_ldisc_autoload, + .maxlen = sizeof(tty_ldisc_autoload), + .mode = 0644, +- .proc_handler = proc_dointvec, ++ .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, + }, diff --git a/queue-5.4/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch b/queue-5.4/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch new file mode 100644 index 00000000000..d52055e524d --- /dev/null +++ b/queue-5.4/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch @@ -0,0 +1,46 @@ +From e735e957f2b9cfe4be486e0304732ec36928591f Mon Sep 17 00:00:00 2001 +From: Kuangyi Chiang +Date: Wed, 6 Nov 2024 12:14:46 +0200 +Subject: xhci: Don't perform Soft Retry for Etron xHCI host + +From: Kuangyi Chiang + +commit e735e957f2b9cfe4be486e0304732ec36928591f upstream. + +Since commit f8f80be501aa ("xhci: Use soft retry to recover faster from +transaction errors"), unplugging USB device while enumeration results in +errors like this: + +[ 364.855321] xhci_hcd 0000:0b:00.0: ERROR Transfer event for disabled endpoint slot 5 ep 2 +[ 364.864622] xhci_hcd 0000:0b:00.0: @0000002167656d70 67f03000 00000021 0c000000 05038001 +[ 374.934793] xhci_hcd 0000:0b:00.0: Abort failed to stop command ring: -110 +[ 374.958793] xhci_hcd 0000:0b:00.0: xHCI host controller not responding, assume dead +[ 374.967590] xhci_hcd 0000:0b:00.0: HC died; cleaning up +[ 374.973984] xhci_hcd 0000:0b:00.0: Timeout while waiting for configure endpoint command + +Seems that Etorn xHCI host can not perform Soft Retry correctly, apply +XHCI_NO_SOFT_RETRY quirk to disable Soft Retry and then issue is gone. + +This patch depends on commit a4a251f8c235 ("usb: xhci: do not perform +Soft Retry for some xHCI hosts"). + +Fixes: f8f80be501aa ("xhci: Use soft retry to recover faster from transaction errors") +Cc: stable@vger.kernel.org +Signed-off-by: Kuangyi Chiang +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241106101459.775897-21-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -262,6 +262,7 @@ static void xhci_pci_quirks(struct devic + pdev->device == PCI_DEVICE_ID_EJ188) { + xhci->quirks |= XHCI_RESET_ON_RESUME; + xhci->quirks |= XHCI_BROKEN_STREAMS; ++ xhci->quirks |= XHCI_NO_SOFT_RETRY; + } + + if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&