From: Sasha Levin Date: Mon, 2 Jan 2023 03:25:57 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v6.0.17~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93e00bc963e2445498cd5c8e2b68e1b82ae647a0;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/acpi-resource-do-irq-override-on-lenovo-14alc7.patch b/queue-5.15/acpi-resource-do-irq-override-on-lenovo-14alc7.patch new file mode 100644 index 00000000000..375f4855107 --- /dev/null +++ b/queue-5.15/acpi-resource-do-irq-override-on-lenovo-14alc7.patch @@ -0,0 +1,56 @@ +From 5b4a056f5c4df51e1462c40d80a7973bbccb53cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Dec 2022 21:13:11 +0100 +Subject: ACPI: resource: do IRQ override on Lenovo 14ALC7 + +From: Adrian Freund + +[ Upstream commit f3cb9b740869712d448edf3b9ef5952b847caf8b ] + +Commit bfcdf58380b1 ("ACPI: resource: do IRQ override on LENOVO IdeaPad") +added an override for Lenovo IdeaPad 5 16ALC7. The 14ALC7 variant also +suffers from a broken touchscreen and trackpad. + +Fixes: 9946e39fe8d0 ("ACPI: resource: skip IRQ override on AMD Zen platforms") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216804 +Signed-off-by: Adrian Freund +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index d0bed7e66a33..33921949bd8f 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -417,7 +417,14 @@ static const struct dmi_system_id asus_laptop[] = { + { } + }; + +-static const struct dmi_system_id lenovo_82ra[] = { ++static const struct dmi_system_id lenovo_laptop[] = { ++ { ++ .ident = "LENOVO IdeaPad Flex 5 14ALC7", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "82R9"), ++ }, ++ }, + { + .ident = "LENOVO IdeaPad Flex 5 16ALC7", + .matches = { +@@ -451,8 +458,8 @@ struct irq_override_cmp { + static const struct irq_override_cmp override_table[] = { + { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, + { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, +- { lenovo_82ra, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, +- { lenovo_82ra, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, ++ { lenovo_laptop, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, ++ { lenovo_laptop, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, + { schenker_gm_rg, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, + }; + +-- +2.35.1 + diff --git a/queue-5.15/acpi-resource-do-irq-override-on-lenovo-ideapad.patch b/queue-5.15/acpi-resource-do-irq-override-on-lenovo-ideapad.patch new file mode 100644 index 00000000000..771001f9306 --- /dev/null +++ b/queue-5.15/acpi-resource-do-irq-override-on-lenovo-ideapad.patch @@ -0,0 +1,111 @@ +From cb256c03348bba9ad63c9ac6319dba06fe732997 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Oct 2022 12:33:40 +0200 +Subject: ACPI: resource: do IRQ override on LENOVO IdeaPad + +From: Jiri Slaby (SUSE) + +[ Upstream commit bfcdf58380b1d9be564a78a9370da722ed1a9965 ] + +LENOVO IdeaPad Flex 5 is ryzen-5 based and the commit below removed IRQ +overriding for those. This broke touchscreen and trackpad: + i2c_designware AMDI0010:00: controller timed out + i2c_designware AMDI0010:03: controller timed out + i2c_hid_acpi i2c-MSFT0001:00: failed to reset device: -61 + i2c_designware AMDI0010:03: controller timed out + ... + i2c_hid_acpi i2c-MSFT0001:00: can't add hid device: -61 + i2c_hid_acpi: probe of i2c-MSFT0001:00 failed with error -61 + +White-list this specific model in the override_table. + +For this to work, the ZEN test needs to be put below the table walk. + +Fixes: 37c81d9f1d1b (ACPI: resource: skip IRQ override on AMD Zen platforms) +Link: https://bugzilla.suse.com/show_bug.cgi?id=1203794 +Signed-off-by: Jiri Slaby (SUSE) +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: f3cb9b740869 ("ACPI: resource: do IRQ override on Lenovo 14ALC7") +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 42 +++++++++++++++++++++++++++-------------- + 1 file changed, 28 insertions(+), 14 deletions(-) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index 596ca9fae389..5154c9861ece 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -417,17 +417,31 @@ static const struct dmi_system_id asus_laptop[] = { + { } + }; + ++static const struct dmi_system_id lenovo_82ra[] = { ++ { ++ .ident = "LENOVO IdeaPad Flex 5 16ALC7", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "82RA"), ++ }, ++ }, ++ { } ++}; ++ + struct irq_override_cmp { + const struct dmi_system_id *system; + unsigned char irq; + unsigned char triggering; + unsigned char polarity; + unsigned char shareable; ++ bool override; + }; + +-static const struct irq_override_cmp skip_override_table[] = { +- { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0 }, +- { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0 }, ++static const struct irq_override_cmp override_table[] = { ++ { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, ++ { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, ++ { lenovo_82ra, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, ++ { lenovo_82ra, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, + }; + + static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, +@@ -435,6 +449,17 @@ static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, + { + int i; + ++ for (i = 0; i < ARRAY_SIZE(override_table); i++) { ++ const struct irq_override_cmp *entry = &override_table[i]; ++ ++ if (dmi_check_system(entry->system) && ++ entry->irq == gsi && ++ entry->triggering == triggering && ++ entry->polarity == polarity && ++ entry->shareable == shareable) ++ return entry->override; ++ } ++ + #ifdef CONFIG_X86 + /* + * IRQ override isn't needed on modern AMD Zen systems and +@@ -445,17 +470,6 @@ static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, + return false; + #endif + +- for (i = 0; i < ARRAY_SIZE(skip_override_table); i++) { +- const struct irq_override_cmp *entry = &skip_override_table[i]; +- +- if (dmi_check_system(entry->system) && +- entry->irq == gsi && +- entry->triggering == triggering && +- entry->polarity == polarity && +- entry->shareable == shareable) +- return false; +- } +- + return true; + } + +-- +2.35.1 + diff --git a/queue-5.15/acpi-resource-do-irq-override-on-xmg-core-15.patch b/queue-5.15/acpi-resource-do-irq-override-on-xmg-core-15.patch new file mode 100644 index 00000000000..ec7999f58c6 --- /dev/null +++ b/queue-5.15/acpi-resource-do-irq-override-on-xmg-core-15.patch @@ -0,0 +1,54 @@ +From 869fbebd35b0272bd69b679190ad43a6c49b31ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Dec 2022 14:33:22 +0100 +Subject: ACPI: resource: do IRQ override on XMG Core 15 + +From: Erik Schumacher + +[ Upstream commit 7592b79ba4a91350b38469e05238308bcfe1019b ] + +The Schenker XMG CORE 15 (M22) is Ryzen-6 based and needs IRQ overriding +for the keyboard to work. Adding an entry for this laptop to the +override_table makes the internal keyboard functional again. + +Signed-off-by: Erik Schumacher +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: f3cb9b740869 ("ACPI: resource: do IRQ override on Lenovo 14ALC7") +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index 5154c9861ece..d0bed7e66a33 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -428,6 +428,17 @@ static const struct dmi_system_id lenovo_82ra[] = { + { } + }; + ++static const struct dmi_system_id schenker_gm_rg[] = { ++ { ++ .ident = "XMG CORE 15 (M22)", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"), ++ DMI_MATCH(DMI_BOARD_NAME, "GMxRGxx"), ++ }, ++ }, ++ { } ++}; ++ + struct irq_override_cmp { + const struct dmi_system_id *system; + unsigned char irq; +@@ -442,6 +453,7 @@ static const struct irq_override_cmp override_table[] = { + { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, + { lenovo_82ra, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, + { lenovo_82ra, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, ++ { schenker_gm_rg, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, + }; + + static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, +-- +2.35.1 + diff --git a/queue-5.15/acpi-resource-skip-irq-override-on-asus-vivobook-k34.patch b/queue-5.15/acpi-resource-skip-irq-override-on-asus-vivobook-k34.patch new file mode 100644 index 00000000000..9f9b8f1384b --- /dev/null +++ b/queue-5.15/acpi-resource-skip-irq-override-on-asus-vivobook-k34.patch @@ -0,0 +1,68 @@ +From 24c46f3901bc96e4922b91ea7cb68dcafb0495a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Aug 2022 23:04:19 -0400 +Subject: ACPI: resource: Skip IRQ override on Asus Vivobook K3402ZA/K3502ZA + +From: Tamim Khan + +[ Upstream commit e12dee3736731e24b1e7367f87d66ac0fcd73ce7 ] + +In the ACPI DSDT table for Asus VivoBook K3402ZA/K3502ZA +IRQ 1 is described as ActiveLow; however, the kernel overrides +it to Edge_High. This prevents the internal keyboard from working +on these laptops. In order to fix this add these laptops to the +skip_override_table so that the kernel does not override IRQ 1 to +Edge_High. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216158 +Reviewed-by: Hui Wang +Tested-by: Tamim Khan +Tested-by: Sunand +Signed-off-by: Tamim Khan +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: f3cb9b740869 ("ACPI: resource: do IRQ override on Lenovo 14ALC7") +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index 19358a641610..596ca9fae389 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -399,6 +399,24 @@ static const struct dmi_system_id medion_laptop[] = { + { } + }; + ++static const struct dmi_system_id asus_laptop[] = { ++ { ++ .ident = "Asus Vivobook K3402ZA", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "K3402ZA"), ++ }, ++ }, ++ { ++ .ident = "Asus Vivobook K3502ZA", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "K3502ZA"), ++ }, ++ }, ++ { } ++}; ++ + struct irq_override_cmp { + const struct dmi_system_id *system; + unsigned char irq; +@@ -409,6 +427,7 @@ struct irq_override_cmp { + + static const struct irq_override_cmp skip_override_table[] = { + { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0 }, ++ { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0 }, + }; + + static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, +-- +2.35.1 + diff --git a/queue-5.15/ata-ahci-fix-pcs-quirk-application-for-suspend.patch b/queue-5.15/ata-ahci-fix-pcs-quirk-application-for-suspend.patch new file mode 100644 index 00000000000..574cae616d2 --- /dev/null +++ b/queue-5.15/ata-ahci-fix-pcs-quirk-application-for-suspend.patch @@ -0,0 +1,148 @@ +From b427d14ec06d8f83185f206dc9edc07f19f616be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 09:26:34 +0000 +Subject: ata: ahci: Fix PCS quirk application for suspend + +From: Adam Vodopjan + +[ Upstream commit 37e14e4f3715428b809e4df9a9958baa64c77d51 ] + +Since kernel 5.3.4 my laptop (ICH8M controller) does not see Kingston +SV300S37A60G SSD disk connected into a SATA connector on wake from +suspend. The problem was introduced in c312ef176399 ("libata/ahci: Drop +PCS quirk for Denverton and beyond"): the quirk is not applied on wake +from suspend as it originally was. + +It is worth to mention the commit contained another bug: the quirk is +not applied at all to controllers which require it. The fix commit +09d6ac8dc51a ("libata/ahci: Fix PCS quirk application") landed in 5.3.8. +So testing my patch anywhere between commits c312ef176399 and +09d6ac8dc51a is pointless. + +Not all disks trigger the problem. For example nothing bad happens with +Western Digital WD5000LPCX HDD. + +Test hardware: +- Acer 5920G with ICH8M SATA controller +- sda: some SATA HDD connnected into the DVD drive IDE port with a + SATA-IDE caddy. It is a boot disk +- sdb: Kingston SV300S37A60G SSD connected into the only SATA port + +Sample "dmesg --notime | grep -E '^(sd |ata)'" output on wake: + +sd 0:0:0:0: [sda] Starting disk +sd 2:0:0:0: [sdb] Starting disk +ata4: SATA link down (SStatus 4 SControl 300) +ata3: SATA link down (SStatus 4 SControl 300) +ata1.00: ACPI cmd ef/03:0c:00:00:00:a0 (SET FEATURES) filtered out +ata1.00: ACPI cmd ef/03:42:00:00:00:a0 (SET FEATURES) filtered out +ata1: FORCE: cable set to 80c +ata5: SATA link down (SStatus 0 SControl 300) +ata3: SATA link down (SStatus 4 SControl 300) +ata3: SATA link down (SStatus 4 SControl 300) +ata3.00: disabled +sd 2:0:0:0: rejecting I/O to offline device +ata3.00: detaching (SCSI 2:0:0:0) +sd 2:0:0:0: [sdb] Start/Stop Unit failed: Result: hostbyte=DID_NO_CONNECT + driverbyte=DRIVER_OK +sd 2:0:0:0: [sdb] Synchronizing SCSI cache +sd 2:0:0:0: [sdb] Synchronize Cache(10) failed: Result: + hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK +sd 2:0:0:0: [sdb] Stopping disk +sd 2:0:0:0: [sdb] Start/Stop Unit failed: Result: hostbyte=DID_BAD_TARGET + driverbyte=DRIVER_OK + +Commit c312ef176399 dropped ahci_pci_reset_controller() which internally +calls ahci_reset_controller() and applies the PCS quirk if needed after +that. It was called each time a reset was required instead of just +ahci_reset_controller(). This patch puts the function back in place. + +Fixes: c312ef176399 ("libata/ahci: Drop PCS quirk for Denverton and beyond") +Signed-off-by: Adam Vodopjan +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 32 +++++++++++++++++++++++--------- + 1 file changed, 23 insertions(+), 9 deletions(-) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index c1bf7117a9ff..149ee16fd022 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -83,6 +83,7 @@ enum board_ids { + static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent); + static void ahci_remove_one(struct pci_dev *dev); + static void ahci_shutdown_one(struct pci_dev *dev); ++static void ahci_intel_pcs_quirk(struct pci_dev *pdev, struct ahci_host_priv *hpriv); + static int ahci_vt8251_hardreset(struct ata_link *link, unsigned int *class, + unsigned long deadline); + static int ahci_avn_hardreset(struct ata_link *link, unsigned int *class, +@@ -668,6 +669,25 @@ static void ahci_pci_save_initial_config(struct pci_dev *pdev, + ahci_save_initial_config(&pdev->dev, hpriv); + } + ++static int ahci_pci_reset_controller(struct ata_host *host) ++{ ++ struct pci_dev *pdev = to_pci_dev(host->dev); ++ struct ahci_host_priv *hpriv = host->private_data; ++ int rc; ++ ++ rc = ahci_reset_controller(host); ++ if (rc) ++ return rc; ++ ++ /* ++ * If platform firmware failed to enable ports, try to enable ++ * them here. ++ */ ++ ahci_intel_pcs_quirk(pdev, hpriv); ++ ++ return 0; ++} ++ + static void ahci_pci_init_controller(struct ata_host *host) + { + struct ahci_host_priv *hpriv = host->private_data; +@@ -869,7 +889,7 @@ static int ahci_pci_device_runtime_resume(struct device *dev) + struct ata_host *host = pci_get_drvdata(pdev); + int rc; + +- rc = ahci_reset_controller(host); ++ rc = ahci_pci_reset_controller(host); + if (rc) + return rc; + ahci_pci_init_controller(host); +@@ -904,7 +924,7 @@ static int ahci_pci_device_resume(struct device *dev) + ahci_mcp89_apple_enable(pdev); + + if (pdev->dev.power.power_state.event == PM_EVENT_SUSPEND) { +- rc = ahci_reset_controller(host); ++ rc = ahci_pci_reset_controller(host); + if (rc) + return rc; + +@@ -1789,12 +1809,6 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + /* save initial config */ + ahci_pci_save_initial_config(pdev, hpriv); + +- /* +- * If platform firmware failed to enable ports, try to enable +- * them here. +- */ +- ahci_intel_pcs_quirk(pdev, hpriv); +- + /* prepare host */ + if (hpriv->cap & HOST_CAP_NCQ) { + pi.flags |= ATA_FLAG_NCQ; +@@ -1904,7 +1918,7 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + if (rc) + return rc; + +- rc = ahci_reset_controller(host); ++ rc = ahci_pci_reset_controller(host); + if (rc) + return rc; + +-- +2.35.1 + diff --git a/queue-5.15/block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch b/queue-5.15/block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch new file mode 100644 index 00000000000..84dd082fdf3 --- /dev/null +++ b/queue-5.15/block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch @@ -0,0 +1,42 @@ +From 2a7b5eafdcb56a4e1140101a85beb40fffed67f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Dec 2022 11:06:05 +0800 +Subject: block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq + +From: Yu Kuai + +[ Upstream commit 246cf66e300b76099b5dbd3fdd39e9a5dbc53f02 ] + +Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") +will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq() +can free bfqq first, and then call bic_set_bfqq(), which will cause uaf. + +Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq(). + +Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") +Reported-by: Yi Zhang +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20221226030605.1437081-1-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index b8b6e9eae94b..85120d7b5cf0 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -5251,8 +5251,8 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync) + unsigned long flags; + + spin_lock_irqsave(&bfqd->lock, flags); +- bfq_exit_bfqq(bfqd, bfqq); + bic_set_bfqq(bic, NULL, is_sync); ++ bfq_exit_bfqq(bfqd, bfqq); + spin_unlock_irqrestore(&bfqd->lock, flags); + } + } +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-add-null-pointer-check-for-inode-operations.patch b/queue-5.15/fs-ntfs3-add-null-pointer-check-for-inode-operations.patch new file mode 100644 index 00000000000..a8298fe1921 --- /dev/null +++ b/queue-5.15/fs-ntfs3-add-null-pointer-check-for-inode-operations.patch @@ -0,0 +1,108 @@ +From 3330a3b2095de62d1c8682153b05154556194c99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 09:03:10 +0800 +Subject: fs/ntfs3: Add null pointer check for inode operations + +From: Edward Lo + +[ Upstream commit c1ca8ef0262b25493631ecbd9cb8c9893e1481a1 ] + +This adds a sanity check for the i_op pointer of the inode which is +returned after reading Root directory MFT record. We should check the +i_op is valid before trying to create the root dentry, otherwise we may +encounter a NPD while mounting a image with a funny Root directory MFT +record. + +[ 114.484325] BUG: kernel NULL pointer dereference, address: 0000000000000008 +[ 114.484811] #PF: supervisor read access in kernel mode +[ 114.485084] #PF: error_code(0x0000) - not-present page +[ 114.485606] PGD 0 P4D 0 +[ 114.485975] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI +[ 114.486570] CPU: 0 PID: 237 Comm: mount Tainted: G B 6.0.0-rc4 #28 +[ 114.486977] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 114.488169] RIP: 0010:d_flags_for_inode+0xe0/0x110 +[ 114.488816] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241 +[ 114.490326] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296 +[ 114.490695] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea +[ 114.490986] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020 +[ 114.491364] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05 +[ 114.491675] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000 +[ 114.491954] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750 +[ 114.492397] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 +[ 114.492797] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 114.493150] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0 +[ 114.493671] Call Trace: +[ 114.493890] +[ 114.494075] __d_instantiate+0x24/0x1c0 +[ 114.494505] d_instantiate.part.0+0x35/0x50 +[ 114.494754] d_make_root+0x53/0x80 +[ 114.494998] ntfs_fill_super+0x1232/0x1b50 +[ 114.495260] ? put_ntfs+0x1d0/0x1d0 +[ 114.495499] ? vsprintf+0x20/0x20 +[ 114.495723] ? set_blocksize+0x95/0x150 +[ 114.495964] get_tree_bdev+0x232/0x370 +[ 114.496272] ? put_ntfs+0x1d0/0x1d0 +[ 114.496502] ntfs_fs_get_tree+0x15/0x20 +[ 114.496859] vfs_get_tree+0x4c/0x130 +[ 114.497099] path_mount+0x654/0xfe0 +[ 114.497507] ? putname+0x80/0xa0 +[ 114.497933] ? finish_automount+0x2e0/0x2e0 +[ 114.498362] ? putname+0x80/0xa0 +[ 114.498571] ? kmem_cache_free+0x1c4/0x440 +[ 114.498819] ? putname+0x80/0xa0 +[ 114.499069] do_mount+0xd6/0xf0 +[ 114.499343] ? path_mount+0xfe0/0xfe0 +[ 114.499683] ? __kasan_check_write+0x14/0x20 +[ 114.500133] __x64_sys_mount+0xca/0x110 +[ 114.500592] do_syscall_64+0x3b/0x90 +[ 114.500930] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 114.501294] RIP: 0033:0x7fdc898e948a +[ 114.501542] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 114.502716] RSP: 002b:00007ffd793e58f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 114.503175] RAX: ffffffffffffffda RBX: 0000564b2228f060 RCX: 00007fdc898e948a +[ 114.503588] RDX: 0000564b2228f260 RSI: 0000564b2228f2e0 RDI: 0000564b22297ce0 +[ 114.504925] RBP: 0000000000000000 R08: 0000564b2228f280 R09: 0000000000000020 +[ 114.505484] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564b22297ce0 +[ 114.505823] R13: 0000564b2228f260 R14: 0000000000000000 R15: 00000000ffffffff +[ 114.506562] +[ 114.506887] Modules linked in: +[ 114.507648] CR2: 0000000000000008 +[ 114.508884] ---[ end trace 0000000000000000 ]--- +[ 114.509675] RIP: 0010:d_flags_for_inode+0xe0/0x110 +[ 114.510140] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241 +[ 114.511762] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296 +[ 114.512401] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea +[ 114.513103] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020 +[ 114.513512] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05 +[ 114.513831] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000 +[ 114.514757] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750 +[ 114.515411] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 +[ 114.515794] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 114.516208] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0 + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/super.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c +index 4ff0d2c9507c..a18fb431abbe 100644 +--- a/fs/ntfs3/super.c ++++ b/fs/ntfs3/super.c +@@ -1255,9 +1255,9 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc) + ref.low = cpu_to_le32(MFT_REC_ROOT); + ref.seq = cpu_to_le16(MFT_REC_ROOT); + inode = ntfs_iget5(sb, &ref, &NAME_ROOT); +- if (IS_ERR(inode)) { ++ if (IS_ERR(inode) || !inode->i_op) { + ntfs_err(sb, "Failed to load root."); +- err = PTR_ERR(inode); ++ err = IS_ERR(inode) ? PTR_ERR(inode) : -EINVAL; + goto out; + } + +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-add-null-pointer-check-to-attr_load_runs_vc.patch b/queue-5.15/fs-ntfs3-add-null-pointer-check-to-attr_load_runs_vc.patch new file mode 100644 index 00000000000..cc3aa282e6e --- /dev/null +++ b/queue-5.15/fs-ntfs3-add-null-pointer-check-to-attr_load_runs_vc.patch @@ -0,0 +1,121 @@ +From b803fe1ed5a66a3d5b2ca2388be0abce9d6e3f45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Aug 2022 01:05:18 +0800 +Subject: fs/ntfs3: Add null pointer check to attr_load_runs_vcn + +From: Edward Lo + +[ Upstream commit 2681631c29739509eec59cc0b34e977bb04c6cf1 ] + +Some metadata files are handled before MFT. This adds a null pointer +check for some corner cases that could lead to NPD while reading these +metadata files for a malformed NTFS image. + +[ 240.190827] BUG: kernel NULL pointer dereference, address: 0000000000000158 +[ 240.191583] #PF: supervisor read access in kernel mode +[ 240.191956] #PF: error_code(0x0000) - not-present page +[ 240.192391] PGD 0 P4D 0 +[ 240.192897] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI +[ 240.193805] CPU: 0 PID: 242 Comm: mount Tainted: G B 5.19.0+ #17 +[ 240.194477] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 240.195152] RIP: 0010:ni_find_attr+0xae/0x300 +[ 240.195679] Code: c8 48 c7 45 88 c0 4e 5e 86 c7 00 f1 f1 f1 f1 c7 40 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 e2 d9f +[ 240.196642] RSP: 0018:ffff88800812f690 EFLAGS: 00000286 +[ 240.197019] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff85ef037a +[ 240.197523] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff88e95f60 +[ 240.197877] RBP: ffff88800812f738 R08: 0000000000000001 R09: fffffbfff11d2bed +[ 240.198292] R10: ffffffff88e95f67 R11: fffffbfff11d2bec R12: 0000000000000000 +[ 240.198647] R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000 +[ 240.199410] FS: 00007f233c33be40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 +[ 240.199895] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 240.200314] CR2: 0000000000000158 CR3: 0000000004d32000 CR4: 00000000000006f0 +[ 240.200839] Call Trace: +[ 240.201104] +[ 240.201502] ? ni_load_mi+0x80/0x80 +[ 240.202297] ? ___slab_alloc+0x465/0x830 +[ 240.202614] attr_load_runs_vcn+0x8c/0x1a0 +[ 240.202886] ? __kasan_slab_alloc+0x32/0x90 +[ 240.203157] ? attr_data_write_resident+0x250/0x250 +[ 240.203543] mi_read+0x133/0x2c0 +[ 240.203785] mi_get+0x70/0x140 +[ 240.204012] ni_load_mi_ex+0xfa/0x190 +[ 240.204346] ? ni_std5+0x90/0x90 +[ 240.204588] ? __kasan_kmalloc+0x88/0xb0 +[ 240.204859] ni_enum_attr_ex+0xf1/0x1c0 +[ 240.205107] ? ni_fname_type.part.0+0xd0/0xd0 +[ 240.205600] ? ntfs_load_attr_list+0xbe/0x300 +[ 240.205864] ? ntfs_cmp_names_cpu+0x125/0x180 +[ 240.206157] ntfs_iget5+0x56c/0x1870 +[ 240.206510] ? ntfs_get_block_bmap+0x70/0x70 +[ 240.206776] ? __kasan_kmalloc+0x88/0xb0 +[ 240.207030] ? set_blocksize+0x95/0x150 +[ 240.207545] ntfs_fill_super+0xb8f/0x1e20 +[ 240.207839] ? put_ntfs+0x1d0/0x1d0 +[ 240.208069] ? vsprintf+0x20/0x20 +[ 240.208467] ? mutex_unlock+0x81/0xd0 +[ 240.208846] ? set_blocksize+0x95/0x150 +[ 240.209221] get_tree_bdev+0x232/0x370 +[ 240.209804] ? put_ntfs+0x1d0/0x1d0 +[ 240.210519] ntfs_fs_get_tree+0x15/0x20 +[ 240.210991] vfs_get_tree+0x4c/0x130 +[ 240.211455] path_mount+0x645/0xfd0 +[ 240.211806] ? putname+0x80/0xa0 +[ 240.212112] ? finish_automount+0x2e0/0x2e0 +[ 240.212559] ? kmem_cache_free+0x110/0x390 +[ 240.212906] ? putname+0x80/0xa0 +[ 240.213329] do_mount+0xd6/0xf0 +[ 240.213829] ? path_mount+0xfd0/0xfd0 +[ 240.214246] ? __kasan_check_write+0x14/0x20 +[ 240.214774] __x64_sys_mount+0xca/0x110 +[ 240.215080] do_syscall_64+0x3b/0x90 +[ 240.215442] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 240.215811] RIP: 0033:0x7f233b4e948a +[ 240.216104] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 240.217615] RSP: 002b:00007fff02211ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 240.218718] RAX: ffffffffffffffda RBX: 0000561cdc35b060 RCX: 00007f233b4e948a +[ 240.219556] RDX: 0000561cdc35b260 RSI: 0000561cdc35b2e0 RDI: 0000561cdc363af0 +[ 240.219975] RBP: 0000000000000000 R08: 0000561cdc35b280 R09: 0000000000000020 +[ 240.220403] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000561cdc363af0 +[ 240.220803] R13: 0000561cdc35b260 R14: 0000000000000000 R15: 00000000ffffffff +[ 240.221256] +[ 240.221567] Modules linked in: +[ 240.222028] CR2: 0000000000000158 +[ 240.223291] ---[ end trace 0000000000000000 ]--- +[ 240.223669] RIP: 0010:ni_find_attr+0xae/0x300 +[ 240.224058] Code: c8 48 c7 45 88 c0 4e 5e 86 c7 00 f1 f1 f1 f1 c7 40 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 e2 d9f +[ 240.225033] RSP: 0018:ffff88800812f690 EFLAGS: 00000286 +[ 240.225968] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff85ef037a +[ 240.226624] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff88e95f60 +[ 240.227307] RBP: ffff88800812f738 R08: 0000000000000001 R09: fffffbfff11d2bed +[ 240.227816] R10: ffffffff88e95f67 R11: fffffbfff11d2bec R12: 0000000000000000 +[ 240.228330] R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000 +[ 240.228729] FS: 00007f233c33be40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 +[ 240.229281] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 240.230298] CR2: 0000000000000158 CR3: 0000000004d32000 CR4: 00000000000006f0 + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/attrib.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c +index 43e85c493c05..42af83bcaf13 100644 +--- a/fs/ntfs3/attrib.c ++++ b/fs/ntfs3/attrib.c +@@ -1146,6 +1146,11 @@ int attr_load_runs_vcn(struct ntfs_inode *ni, enum ATTR_TYPE type, + CLST svcn, evcn; + u16 ro; + ++ if (!ni) { ++ /* Is record corrupted? */ ++ return -ENOENT; ++ } ++ + attr = ni_find_attr(ni, NULL, NULL, type, name, name_len, &vcn, NULL); + if (!attr) { + /* Is record corrupted? */ +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-add-overflow-check-for-attribute-size.patch b/queue-5.15/fs-ntfs3-add-overflow-check-for-attribute-size.patch new file mode 100644 index 00000000000..ae76398d164 --- /dev/null +++ b/queue-5.15/fs-ntfs3-add-overflow-check-for-attribute-size.patch @@ -0,0 +1,102 @@ +From 7100b1c42641153fa725d47b35e60addf39ea7d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 18:20:51 +0800 +Subject: fs/ntfs3: Add overflow check for attribute size + +From: edward lo + +[ Upstream commit e19c6277652efba203af4ecd8eed4bd30a0054c9 ] + +The offset addition could overflow and pass the used size check given an +attribute with very large size (e.g., 0xffffff7f) while parsing MFT +attributes. This could lead to out-of-bound memory R/W if we try to +access the next attribute derived by Add2Ptr(attr, asize) + +[ 32.963847] BUG: unable to handle page fault for address: ffff956a83c76067 +[ 32.964301] #PF: supervisor read access in kernel mode +[ 32.964526] #PF: error_code(0x0000) - not-present page +[ 32.964893] PGD 4dc01067 P4D 4dc01067 PUD 0 +[ 32.965316] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 32.965727] CPU: 0 PID: 243 Comm: mount Not tainted 5.19.0+ #6 +[ 32.966050] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 32.966628] RIP: 0010:mi_enum_attr+0x44/0x110 +[ 32.967239] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a +[ 32.968101] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283 +[ 32.968364] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f +[ 32.968651] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8 +[ 32.968963] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f +[ 32.969249] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000 +[ 32.969870] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170 +[ 32.970655] FS: 00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000 +[ 32.971098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 32.971378] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0 +[ 32.972098] Call Trace: +[ 32.972842] +[ 32.973341] ni_enum_attr_ex+0xda/0xf0 +[ 32.974087] ntfs_iget5+0x1db/0xde0 +[ 32.974386] ? slab_post_alloc_hook+0x53/0x270 +[ 32.974778] ? ntfs_fill_super+0x4c7/0x12a0 +[ 32.975115] ntfs_fill_super+0x5d6/0x12a0 +[ 32.975336] get_tree_bdev+0x175/0x270 +[ 32.975709] ? put_ntfs+0x150/0x150 +[ 32.975956] ntfs_fs_get_tree+0x15/0x20 +[ 32.976191] vfs_get_tree+0x2a/0xc0 +[ 32.976374] ? capable+0x19/0x20 +[ 32.976572] path_mount+0x484/0xaa0 +[ 32.977025] ? putname+0x57/0x70 +[ 32.977380] do_mount+0x80/0xa0 +[ 32.977555] __x64_sys_mount+0x8b/0xe0 +[ 32.978105] do_syscall_64+0x3b/0x90 +[ 32.978830] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 32.979311] RIP: 0033:0x7fdab72e948a +[ 32.980015] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 32.981251] RSP: 002b:00007ffd15b87588 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 32.981832] RAX: ffffffffffffffda RBX: 0000557de0aaf060 RCX: 00007fdab72e948a +[ 32.982234] RDX: 0000557de0aaf260 RSI: 0000557de0aaf2e0 RDI: 0000557de0ab7ce0 +[ 32.982714] RBP: 0000000000000000 R08: 0000557de0aaf280 R09: 0000000000000020 +[ 32.983046] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000557de0ab7ce0 +[ 32.983494] R13: 0000557de0aaf260 R14: 0000000000000000 R15: 00000000ffffffff +[ 32.984094] +[ 32.984352] Modules linked in: +[ 32.984753] CR2: ffff956a83c76067 +[ 32.985911] ---[ end trace 0000000000000000 ]--- +[ 32.986555] RIP: 0010:mi_enum_attr+0x44/0x110 +[ 32.987217] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a +[ 32.988232] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283 +[ 32.988532] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f +[ 32.988916] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8 +[ 32.989356] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f +[ 32.989994] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000 +[ 32.990415] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170 +[ 32.991011] FS: 00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000 +[ 32.991524] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 32.991936] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0 + +This patch adds an overflow check + +Signed-off-by: edward lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/record.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c +index 861e35791506..30751fd618df 100644 +--- a/fs/ntfs3/record.c ++++ b/fs/ntfs3/record.c +@@ -220,6 +220,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + return NULL; + } + ++ if (off + asize < off) { ++ /* overflow check */ ++ return NULL; ++ } ++ + attr = Add2Ptr(attr, asize); + off += asize; + } +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-delete-duplicate-condition-in-ntfs_read_mft.patch b/queue-5.15/fs-ntfs3-delete-duplicate-condition-in-ntfs_read_mft.patch new file mode 100644 index 00000000000..9d859e28f4a --- /dev/null +++ b/queue-5.15/fs-ntfs3-delete-duplicate-condition-in-ntfs_read_mft.patch @@ -0,0 +1,44 @@ +From 0d1683fd4e89c5cb99e8e109e77bb08db866f6b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Oct 2022 11:28:55 +0300 +Subject: fs/ntfs3: Delete duplicate condition in ntfs_read_mft() + +From: Dan Carpenter + +[ Upstream commit 658015167a8432b88f5d032e9d85d8fd50e5bf2c ] + +There were two patches which addressed the same bug and added the same +condition: + +commit 6db620863f85 ("fs/ntfs3: Validate data run offset") +commit 887bfc546097 ("fs/ntfs3: Fix slab-out-of-bounds read in run_unpack") + +Delete one condition. + +Signed-off-by: Dan Carpenter +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/inode.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index 00fd368e7b4a..ed640e4e3fac 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -374,12 +374,6 @@ static struct inode *ntfs_read_mft(struct inode *inode, + + t64 = le64_to_cpu(attr->nres.svcn); + +- /* offset to packed runs is out-of-bounds */ +- if (roff > asize) { +- err = -EINVAL; +- goto out; +- } +- + err = run_unpack_ex(run, sbi, ino, t64, le64_to_cpu(attr->nres.evcn), + t64, Add2Ptr(attr, roff), asize - roff); + if (err < 0) +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-fix-memory-leak-on-ntfs_fill_super-error-pa.patch b/queue-5.15/fs-ntfs3-fix-memory-leak-on-ntfs_fill_super-error-pa.patch new file mode 100644 index 00000000000..0647b028fbf --- /dev/null +++ b/queue-5.15/fs-ntfs3-fix-memory-leak-on-ntfs_fill_super-error-pa.patch @@ -0,0 +1,51 @@ +From 2c224b6435e8ff7a562e5a63843ee03f7add60a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 19:32:05 +0900 +Subject: fs/ntfs3: Fix memory leak on ntfs_fill_super() error path + +From: Shigeru Yoshida + +[ Upstream commit 51e76a232f8c037f1d9e9922edc25b003d5f3414 ] + +syzbot reported kmemleak as below: + +BUG: memory leak +unreferenced object 0xffff8880122f1540 (size 32): + comm "a.out", pid 6664, jiffies 4294939771 (age 25.500s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 ed ff ed ff 00 00 00 00 ................ + backtrace: + [] ntfs_init_fs_context+0x22/0x1c0 + [] alloc_fs_context+0x217/0x430 + [] path_mount+0x704/0x1080 + [] __x64_sys_mount+0x18c/0x1d0 + [] do_syscall_64+0x34/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +This patch fixes this issue by freeing mount options on error path of +ntfs_fill_super(). + +Reported-by: syzbot+9d67170b20e8f94351c8@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/super.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c +index c321f621464b..4ff0d2c9507c 100644 +--- a/fs/ntfs3/super.c ++++ b/fs/ntfs3/super.c +@@ -1276,6 +1276,7 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc) + * Free resources here. + * ntfs_fs_free will be called with fc->s_fs_info = NULL + */ ++ put_mount_options(sbi->options); + put_ntfs(sbi); + sb->s_fs_info = NULL; + +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-fix-slab-out-of-bounds-in-r_page.patch b/queue-5.15/fs-ntfs3-fix-slab-out-of-bounds-in-r_page.patch new file mode 100644 index 00000000000..a949ee58623 --- /dev/null +++ b/queue-5.15/fs-ntfs3-fix-slab-out-of-bounds-in-r_page.patch @@ -0,0 +1,99 @@ +From ce05c3ed4dc63abefac01c11383e4ba6f045f48a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 10:40:45 +0800 +Subject: fs/ntfs3: Fix slab-out-of-bounds in r_page + +From: Yin Xiujiang + +[ Upstream commit ecfbd57cf9c5ca225184ae266ce44ae473792132 ] + +When PAGE_SIZE is 64K, if read_log_page is called by log_read_rst for +the first time, the size of *buffer would be equal to +DefaultLogPageSize(4K).But for *buffer operations like memcpy, +if the memory area size(n) which being assigned to buffer is larger +than 4K (log->page_size(64K) or bytes(64K-page_off)), it will cause +an out of boundary error. + Call trace: + [...] + kasan_report+0x44/0x130 + check_memory_region+0xf8/0x1a0 + memcpy+0xc8/0x100 + ntfs_read_run_nb+0x20c/0x460 + read_log_page+0xd0/0x1f4 + log_read_rst+0x110/0x75c + log_replay+0x1e8/0x4aa0 + ntfs_loadlog_and_replay+0x290/0x2d0 + ntfs_fill_super+0x508/0xec0 + get_tree_bdev+0x1fc/0x34c + [...] + +Fix this by setting variable r_page to NULL in log_read_rst. + +Signed-off-by: Yin Xiujiang +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/fslog.c | 26 ++------------------------ + 1 file changed, 2 insertions(+), 24 deletions(-) + +diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c +index bcdddcd7bc79..20abdb268286 100644 +--- a/fs/ntfs3/fslog.c ++++ b/fs/ntfs3/fslog.c +@@ -1132,7 +1132,7 @@ static int read_log_page(struct ntfs_log *log, u32 vbo, + return -EINVAL; + + if (!*buffer) { +- to_free = kmalloc(bytes, GFP_NOFS); ++ to_free = kmalloc(log->page_size, GFP_NOFS); + if (!to_free) + return -ENOMEM; + *buffer = to_free; +@@ -1180,10 +1180,7 @@ static int log_read_rst(struct ntfs_log *log, u32 l_size, bool first, + struct restart_info *info) + { + u32 skip, vbo; +- struct RESTART_HDR *r_page = kmalloc(DefaultLogPageSize, GFP_NOFS); +- +- if (!r_page) +- return -ENOMEM; ++ struct RESTART_HDR *r_page = NULL; + + /* Determine which restart area we are looking for. */ + if (first) { +@@ -1197,7 +1194,6 @@ static int log_read_rst(struct ntfs_log *log, u32 l_size, bool first, + /* Loop continuously until we succeed. */ + for (; vbo < l_size; vbo = 2 * vbo + skip, skip = 0) { + bool usa_error; +- u32 sys_page_size; + bool brst, bchk; + struct RESTART_AREA *ra; + +@@ -1251,24 +1247,6 @@ static int log_read_rst(struct ntfs_log *log, u32 l_size, bool first, + goto check_result; + } + +- /* Read the entire restart area. */ +- sys_page_size = le32_to_cpu(r_page->sys_page_size); +- if (DefaultLogPageSize != sys_page_size) { +- kfree(r_page); +- r_page = kzalloc(sys_page_size, GFP_NOFS); +- if (!r_page) +- return -ENOMEM; +- +- if (read_log_page(log, vbo, +- (struct RECORD_PAGE_HDR **)&r_page, +- &usa_error)) { +- /* Ignore any errors. */ +- kfree(r_page); +- r_page = NULL; +- continue; +- } +- } +- + if (is_client_area_valid(r_page, usa_error)) { + info->valid_page = true; + ra = Add2Ptr(r_page, le16_to_cpu(r_page->ra_off)); +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-fix-slab-out-of-bounds-read-in-run_unpack.patch b/queue-5.15/fs-ntfs3-fix-slab-out-of-bounds-read-in-run_unpack.patch new file mode 100644 index 00000000000..eb6311facbc --- /dev/null +++ b/queue-5.15/fs-ntfs3-fix-slab-out-of-bounds-read-in-run_unpack.patch @@ -0,0 +1,102 @@ +From 4d4341c2c1014bdd39586d16147aabbca7caf6f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Sep 2022 19:09:04 +0800 +Subject: fs/ntfs3: Fix slab-out-of-bounds read in run_unpack + +From: Hawkins Jiawei + +[ Upstream commit 887bfc546097fbe8071dac13b2fef73b77920899 ] + +Syzkaller reports slab-out-of-bounds bug as follows: +================================================================== +BUG: KASAN: slab-out-of-bounds in run_unpack+0x8b7/0x970 fs/ntfs3/run.c:944 +Read of size 1 at addr ffff88801bbdff02 by task syz-executor131/3611 + +[...] +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:317 [inline] + print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 + kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 + run_unpack+0x8b7/0x970 fs/ntfs3/run.c:944 + run_unpack_ex+0xb0/0x7c0 fs/ntfs3/run.c:1057 + ntfs_read_mft fs/ntfs3/inode.c:368 [inline] + ntfs_iget5+0xc20/0x3280 fs/ntfs3/inode.c:501 + ntfs_loadlog_and_replay+0x124/0x5d0 fs/ntfs3/fsntfs.c:272 + ntfs_fill_super+0x1eff/0x37f0 fs/ntfs3/super.c:1018 + get_tree_bdev+0x440/0x760 fs/super.c:1323 + vfs_get_tree+0x89/0x2f0 fs/super.c:1530 + do_new_mount fs/namespace.c:3040 [inline] + path_mount+0x1326/0x1e20 fs/namespace.c:3370 + do_mount fs/namespace.c:3383 [inline] + __do_sys_mount fs/namespace.c:3591 [inline] + __se_sys_mount fs/namespace.c:3568 [inline] + __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + [...] + + +The buggy address belongs to the physical page: +page:ffffea00006ef600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bbd8 +head:ffffea00006ef600 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88801bbdfe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88801bbdfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88801bbdff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88801bbdff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88801bbe0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Kernel will tries to read record and parse MFT from disk in +ntfs_read_mft(). + +Yet the problem is that during enumerating attributes in record, +kernel doesn't check whether run_off field loading from the disk +is a valid value. + +To be more specific, if attr->nres.run_off is larger than attr->size, +kernel will passes an invalid argument run_buf_size in +run_unpack_ex(), which having an integer overflow. Then this invalid +argument will triggers the slab-out-of-bounds Read bug as above. + +This patch solves it by adding the sanity check between +the offset to packed runs and attribute size. + +link: https://lore.kernel.org/all/0000000000009145fc05e94bd5c3@google.com/#t +Reported-and-tested-by: syzbot+8d6fbb27a6aded64b25b@syzkaller.appspotmail.com +Signed-off-by: Hawkins Jiawei +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index 66afa3db753a..00fd368e7b4a 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -373,6 +373,13 @@ static struct inode *ntfs_read_mft(struct inode *inode, + } + + t64 = le64_to_cpu(attr->nres.svcn); ++ ++ /* offset to packed runs is out-of-bounds */ ++ if (roff > asize) { ++ err = -EINVAL; ++ goto out; ++ } ++ + err = run_unpack_ex(run, sbi, ino, t64, le64_to_cpu(attr->nres.evcn), + t64, Add2Ptr(attr, roff), asize - roff); + if (err < 0) +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_fill_su.patch b/queue-5.15/fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_fill_su.patch new file mode 100644 index 00000000000..00c2d1428f8 --- /dev/null +++ b/queue-5.15/fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_fill_su.patch @@ -0,0 +1,39 @@ +From e994aedcb88f13fe99ef73ee3c5ff595d58c59ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Oct 2022 23:54:11 +0900 +Subject: fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super() + +From: Tetsuo Handa + +[ Upstream commit 59bfd7a483da36bd202532a3d9ea1f14f3bf3aaf ] + +syzbot is reporting too large allocation at ntfs_fill_super() [1], for a +crafted filesystem can contain bogus inode->i_size. Add __GFP_NOWARN in +order to avoid too large allocation warning, than exhausting memory by +using kvmalloc(). + +Link: https://syzkaller.appspot.com/bug?extid=33f3faaa0c08744f7d40 [1] +Reported-by: syzot +Signed-off-by: Tetsuo Handa +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c +index a18fb431abbe..33b1833ad525 100644 +--- a/fs/ntfs3/super.c ++++ b/fs/ntfs3/super.c +@@ -1136,7 +1136,7 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc) + goto put_inode_out; + } + bytes = inode->i_size; +- sbi->def_table = t = kmalloc(bytes, GFP_NOFS); ++ sbi->def_table = t = kmalloc(bytes, GFP_NOFS | __GFP_NOWARN); + if (!t) { + err = -ENOMEM; + goto put_inode_out; +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-use-__gfp_nowarn-allocation-at-wnd_init.patch b/queue-5.15/fs-ntfs3-use-__gfp_nowarn-allocation-at-wnd_init.patch new file mode 100644 index 00000000000..ddaf580022f --- /dev/null +++ b/queue-5.15/fs-ntfs3-use-__gfp_nowarn-allocation-at-wnd_init.patch @@ -0,0 +1,39 @@ +From 8448327fb565365fb90b72b44202c3124e2a593f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Oct 2022 23:39:15 +0900 +Subject: fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init() + +From: Tetsuo Handa + +[ Upstream commit 0d0f659bf713662fabed973f9996b8f23c59ca51 ] + +syzbot is reporting too large allocation at wnd_init() [1], for a crafted +filesystem can become wnd->nwnd close to UINT_MAX. Add __GFP_NOWARN in +order to avoid too large allocation warning, than exhausting memory by +using kvcalloc(). + +Link: https://syzkaller.appspot.com/bug?extid=fa4648a5446460b7b963 [1] +Reported-by: syzot +Signed-off-by: Tetsuo Handa +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/bitmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ntfs3/bitmap.c b/fs/ntfs3/bitmap.c +index 7f2055b7427a..2a63793f522d 100644 +--- a/fs/ntfs3/bitmap.c ++++ b/fs/ntfs3/bitmap.c +@@ -666,7 +666,7 @@ int wnd_init(struct wnd_bitmap *wnd, struct super_block *sb, size_t nbits) + if (!wnd->bits_last) + wnd->bits_last = wbits; + +- wnd->free_bits = kcalloc(wnd->nwnd, sizeof(u16), GFP_NOFS); ++ wnd->free_bits = kcalloc(wnd->nwnd, sizeof(u16), GFP_NOFS | __GFP_NOWARN); + if (!wnd->free_bits) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-validate-attribute-name-offset.patch b/queue-5.15/fs-ntfs3-validate-attribute-name-offset.patch new file mode 100644 index 00000000000..3cb1a7141b5 --- /dev/null +++ b/queue-5.15/fs-ntfs3-validate-attribute-name-offset.patch @@ -0,0 +1,115 @@ +From d83288f8bdffbbaf9bfbcc38dd5a827621e08900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 09:04:00 +0800 +Subject: fs/ntfs3: Validate attribute name offset + +From: Edward Lo + +[ Upstream commit 4f1dc7d9756e66f3f876839ea174df2e656b7f79 ] + +Although the attribute name length is checked before comparing it to +some common names (e.g., $I30), the offset isn't. This adds a sanity +check for the attribute name offset, guarantee the validity and prevent +possible out-of-bound memory accesses. + +[ 191.720056] BUG: unable to handle page fault for address: ffffebde00000008 +[ 191.721060] #PF: supervisor read access in kernel mode +[ 191.721586] #PF: error_code(0x0000) - not-present page +[ 191.722079] PGD 0 P4D 0 +[ 191.722571] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI +[ 191.723179] CPU: 0 PID: 244 Comm: mount Not tainted 6.0.0-rc4 #28 +[ 191.723749] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 191.724832] RIP: 0010:kfree+0x56/0x3b0 +[ 191.725870] Code: 80 48 01 d8 0f 82 65 03 00 00 48 c7 c2 00 00 00 80 48 2b 15 2c 06 dd 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 0a 069 +[ 191.727375] RSP: 0018:ffff8880076f7878 EFLAGS: 00000286 +[ 191.727897] RAX: ffffebde00000000 RBX: 0000000000000040 RCX: ffffffff8528d5b9 +[ 191.728531] RDX: 0000777f80000000 RSI: ffffffff8522d49c RDI: 0000000000000040 +[ 191.729183] RBP: ffff8880076f78a0 R08: 0000000000000000 R09: 0000000000000000 +[ 191.729628] R10: ffff888008949fd8 R11: ffffed10011293fd R12: 0000000000000040 +[ 191.730158] R13: ffff888008949f98 R14: ffff888008949ec0 R15: ffff888008949fb0 +[ 191.730645] FS: 00007f3520cd7e40(0000) GS:ffff88805ba00000(0000) knlGS:0000000000000000 +[ 191.731328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 191.731667] CR2: ffffebde00000008 CR3: 0000000009704000 CR4: 00000000000006f0 +[ 191.732568] Call Trace: +[ 191.733231] +[ 191.733860] kvfree+0x2c/0x40 +[ 191.734632] ni_clear+0x180/0x290 +[ 191.735085] ntfs_evict_inode+0x45/0x70 +[ 191.735495] evict+0x199/0x280 +[ 191.735996] iput.part.0+0x286/0x320 +[ 191.736438] iput+0x32/0x50 +[ 191.736811] iget_failed+0x23/0x30 +[ 191.737270] ntfs_iget5+0x337/0x1890 +[ 191.737629] ? ntfs_clear_mft_tail+0x20/0x260 +[ 191.738201] ? ntfs_get_block_bmap+0x70/0x70 +[ 191.738482] ? ntfs_objid_init+0xf6/0x140 +[ 191.738779] ? ntfs_reparse_init+0x140/0x140 +[ 191.739266] ntfs_fill_super+0x121b/0x1b50 +[ 191.739623] ? put_ntfs+0x1d0/0x1d0 +[ 191.739984] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 +[ 191.740466] ? put_ntfs+0x1d0/0x1d0 +[ 191.740787] ? sb_set_blocksize+0x6a/0x80 +[ 191.741272] get_tree_bdev+0x232/0x370 +[ 191.741829] ? put_ntfs+0x1d0/0x1d0 +[ 191.742669] ntfs_fs_get_tree+0x15/0x20 +[ 191.743132] vfs_get_tree+0x4c/0x130 +[ 191.743457] path_mount+0x654/0xfe0 +[ 191.743938] ? putname+0x80/0xa0 +[ 191.744271] ? finish_automount+0x2e0/0x2e0 +[ 191.744582] ? putname+0x80/0xa0 +[ 191.745053] ? kmem_cache_free+0x1c4/0x440 +[ 191.745403] ? putname+0x80/0xa0 +[ 191.745616] do_mount+0xd6/0xf0 +[ 191.745887] ? path_mount+0xfe0/0xfe0 +[ 191.746287] ? __kasan_check_write+0x14/0x20 +[ 191.746582] __x64_sys_mount+0xca/0x110 +[ 191.746850] do_syscall_64+0x3b/0x90 +[ 191.747122] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 191.747517] RIP: 0033:0x7f351fee948a +[ 191.748332] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 191.749341] RSP: 002b:00007ffd51cf3af8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 191.749960] RAX: ffffffffffffffda RBX: 000055b903733060 RCX: 00007f351fee948a +[ 191.750589] RDX: 000055b903733260 RSI: 000055b9037332e0 RDI: 000055b90373bce0 +[ 191.751115] RBP: 0000000000000000 R08: 000055b903733280 R09: 0000000000000020 +[ 191.751537] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055b90373bce0 +[ 191.751946] R13: 000055b903733260 R14: 0000000000000000 R15: 00000000ffffffff +[ 191.752519] +[ 191.752782] Modules linked in: +[ 191.753785] CR2: ffffebde00000008 +[ 191.754937] ---[ end trace 0000000000000000 ]--- +[ 191.755429] RIP: 0010:kfree+0x56/0x3b0 +[ 191.755725] Code: 80 48 01 d8 0f 82 65 03 00 00 48 c7 c2 00 00 00 80 48 2b 15 2c 06 dd 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 0a 069 +[ 191.756744] RSP: 0018:ffff8880076f7878 EFLAGS: 00000286 +[ 191.757218] RAX: ffffebde00000000 RBX: 0000000000000040 RCX: ffffffff8528d5b9 +[ 191.757580] RDX: 0000777f80000000 RSI: ffffffff8522d49c RDI: 0000000000000040 +[ 191.758016] RBP: ffff8880076f78a0 R08: 0000000000000000 R09: 0000000000000000 +[ 191.758570] R10: ffff888008949fd8 R11: ffffed10011293fd R12: 0000000000000040 +[ 191.758957] R13: ffff888008949f98 R14: ffff888008949ec0 R15: ffff888008949fb0 +[ 191.759317] FS: 00007f3520cd7e40(0000) GS:ffff88805ba00000(0000) knlGS:0000000000000000 +[ 191.759711] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 191.760118] CR2: ffffebde00000008 CR3: 0000000009704000 CR4: 00000000000006f0 + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index 83d4c9f42d9c..66afa3db753a 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -129,6 +129,9 @@ static struct inode *ntfs_read_mft(struct inode *inode, + rsize = attr->non_res ? 0 : le32_to_cpu(attr->res.data_size); + asize = le32_to_cpu(attr->size); + ++ if (le16_to_cpu(attr->name_off) + attr->name_len > asize) ++ goto out; ++ + switch (attr->type) { + case ATTR_STD: + if (attr->non_res || +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-validate-boot-record_size.patch b/queue-5.15/fs-ntfs3-validate-boot-record_size.patch new file mode 100644 index 00000000000..d9650a3e907 --- /dev/null +++ b/queue-5.15/fs-ntfs3-validate-boot-record_size.patch @@ -0,0 +1,100 @@ +From 57e3d384744280c9eb3c35b10d24f27a98c54cd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 15:37:31 +0800 +Subject: fs/ntfs3: Validate BOOT record_size + +From: edward lo + +[ Upstream commit 0b66046266690454dc04e6307bcff4a5605b42a1 ] + +When the NTFS BOOT record_size field < 0, it represents a +shift value. However, there is no sanity check on the shift result +and the sbi->record_bits calculation through blksize_bits() assumes +the size always > 256, which could lead to NPD while mounting a +malformed NTFS image. + +[ 318.675159] BUG: kernel NULL pointer dereference, address: 0000000000000158 +[ 318.675682] #PF: supervisor read access in kernel mode +[ 318.675869] #PF: error_code(0x0000) - not-present page +[ 318.676246] PGD 0 P4D 0 +[ 318.676502] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 318.676934] CPU: 0 PID: 259 Comm: mount Not tainted 5.19.0 #5 +[ 318.677289] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 318.678136] RIP: 0010:ni_find_attr+0x2d/0x1c0 +[ 318.678656] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180 +[ 318.679848] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246 +[ 318.680104] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080 +[ 318.680790] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 318.681679] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +[ 318.682577] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080 +[ 318.683015] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000 +[ 318.683618] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000 +[ 318.684280] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 318.684651] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0 +[ 318.685623] Call Trace: +[ 318.686607] +[ 318.686872] ? ntfs_alloc_inode+0x1a/0x60 +[ 318.687235] attr_load_runs_vcn+0x2b/0xa0 +[ 318.687468] mi_read+0xbb/0x250 +[ 318.687576] ntfs_iget5+0x114/0xd90 +[ 318.687750] ntfs_fill_super+0x588/0x11b0 +[ 318.687953] ? put_ntfs+0x130/0x130 +[ 318.688065] ? snprintf+0x49/0x70 +[ 318.688164] ? put_ntfs+0x130/0x130 +[ 318.688256] get_tree_bdev+0x16a/0x260 +[ 318.688407] vfs_get_tree+0x20/0xb0 +[ 318.688519] path_mount+0x2dc/0x9b0 +[ 318.688877] do_mount+0x74/0x90 +[ 318.689142] __x64_sys_mount+0x89/0xd0 +[ 318.689636] do_syscall_64+0x3b/0x90 +[ 318.689998] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 318.690318] RIP: 0033:0x7fd9e133c48a +[ 318.690687] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 318.691357] RSP: 002b:00007ffd374406c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 318.691632] RAX: ffffffffffffffda RBX: 0000564d0b051080 RCX: 00007fd9e133c48a +[ 318.691920] RDX: 0000564d0b051280 RSI: 0000564d0b051300 RDI: 0000564d0b0596a0 +[ 318.692123] RBP: 0000000000000000 R08: 0000564d0b0512a0 R09: 0000000000000020 +[ 318.692349] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564d0b0596a0 +[ 318.692673] R13: 0000564d0b051280 R14: 0000000000000000 R15: 00000000ffffffff +[ 318.693007] +[ 318.693271] Modules linked in: +[ 318.693614] CR2: 0000000000000158 +[ 318.694446] ---[ end trace 0000000000000000 ]--- +[ 318.694779] RIP: 0010:ni_find_attr+0x2d/0x1c0 +[ 318.694952] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180 +[ 318.696042] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246 +[ 318.696531] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080 +[ 318.698114] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 318.699286] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +[ 318.699795] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080 +[ 318.700236] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000 +[ 318.700973] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000 +[ 318.701688] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 318.702190] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0 +[ 318.726510] mount (259) used greatest stack depth: 13320 bytes left + +This patch adds a sanity check. + +Signed-off-by: edward lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c +index 39b09f32f4db..c321f621464b 100644 +--- a/fs/ntfs3/super.c ++++ b/fs/ntfs3/super.c +@@ -789,7 +789,7 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, + : (u32)boot->record_size + << sbi->cluster_bits; + +- if (record_size > MAXIMUM_BYTES_PER_MFT) ++ if (record_size > MAXIMUM_BYTES_PER_MFT || record_size < SECTOR_SIZE) + goto out; + + sbi->record_bits = blksize_bits(record_size); +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-validate-buffer-length-while-parsing-index.patch b/queue-5.15/fs-ntfs3-validate-buffer-length-while-parsing-index.patch new file mode 100644 index 00000000000..c6d856c4bdc --- /dev/null +++ b/queue-5.15/fs-ntfs3-validate-buffer-length-while-parsing-index.patch @@ -0,0 +1,161 @@ +From 5a45e1d684914b92622ddc4de014cc3f3916dbff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 15:30:44 +0800 +Subject: fs/ntfs3: Validate buffer length while parsing index + +From: Edward Lo + +[ Upstream commit 4d42ecda239cc13738d6fd84d098a32e67b368b9 ] + +indx_read is called when we have some NTFS directory operations that +need more information from the index buffers. This adds a sanity check +to make sure the returned index buffer length is legit, or we may have +some out-of-bound memory accesses. + +[ 560.897595] BUG: KASAN: slab-out-of-bounds in hdr_find_e.isra.0+0x10c/0x320 +[ 560.898321] Read of size 2 at addr ffff888009497238 by task exp/245 +[ 560.898760] +[ 560.899129] CPU: 0 PID: 245 Comm: exp Not tainted 6.0.0-rc6 #37 +[ 560.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 560.900170] Call Trace: +[ 560.900407] +[ 560.900732] dump_stack_lvl+0x49/0x63 +[ 560.901108] print_report.cold+0xf5/0x689 +[ 560.901395] ? hdr_find_e.isra.0+0x10c/0x320 +[ 560.901716] kasan_report+0xa7/0x130 +[ 560.901950] ? hdr_find_e.isra.0+0x10c/0x320 +[ 560.902208] __asan_load2+0x68/0x90 +[ 560.902427] hdr_find_e.isra.0+0x10c/0x320 +[ 560.902846] ? cmp_uints+0xe0/0xe0 +[ 560.903363] ? cmp_sdh+0x90/0x90 +[ 560.903883] ? ntfs_bread_run+0x190/0x190 +[ 560.904196] ? rwsem_down_read_slowpath+0x750/0x750 +[ 560.904969] ? ntfs_fix_post_read+0xe0/0x130 +[ 560.905259] ? __kasan_check_write+0x14/0x20 +[ 560.905599] ? up_read+0x1a/0x90 +[ 560.905853] ? indx_read+0x22c/0x380 +[ 560.906096] indx_find+0x2ef/0x470 +[ 560.906352] ? indx_find_buffer+0x2d0/0x2d0 +[ 560.906692] ? __kasan_kmalloc+0x88/0xb0 +[ 560.906977] dir_search_u+0x196/0x2f0 +[ 560.907220] ? ntfs_nls_to_utf16+0x450/0x450 +[ 560.907464] ? __kasan_check_write+0x14/0x20 +[ 560.907747] ? mutex_lock+0x8f/0xe0 +[ 560.907970] ? __mutex_lock_slowpath+0x20/0x20 +[ 560.908214] ? kmem_cache_alloc+0x143/0x4b0 +[ 560.908459] ntfs_lookup+0xe0/0x100 +[ 560.908788] __lookup_slow+0x116/0x220 +[ 560.909050] ? lookup_fast+0x1b0/0x1b0 +[ 560.909309] ? lookup_fast+0x13f/0x1b0 +[ 560.909601] walk_component+0x187/0x230 +[ 560.909944] link_path_walk.part.0+0x3f0/0x660 +[ 560.910285] ? handle_lookup_down+0x90/0x90 +[ 560.910618] ? path_init+0x642/0x6e0 +[ 560.911084] ? percpu_counter_add_batch+0x6e/0xf0 +[ 560.912559] ? __alloc_file+0x114/0x170 +[ 560.913008] path_openat+0x19c/0x1d10 +[ 560.913419] ? getname_flags+0x73/0x2b0 +[ 560.913815] ? kasan_save_stack+0x3a/0x50 +[ 560.914125] ? kasan_save_stack+0x26/0x50 +[ 560.914542] ? __kasan_slab_alloc+0x6d/0x90 +[ 560.914924] ? kmem_cache_alloc+0x143/0x4b0 +[ 560.915339] ? getname_flags+0x73/0x2b0 +[ 560.915647] ? getname+0x12/0x20 +[ 560.916114] ? __x64_sys_open+0x4c/0x60 +[ 560.916460] ? path_lookupat.isra.0+0x230/0x230 +[ 560.916867] ? __isolate_free_page+0x2e0/0x2e0 +[ 560.917194] do_filp_open+0x15c/0x1f0 +[ 560.917448] ? may_open_dev+0x60/0x60 +[ 560.917696] ? expand_files+0xa4/0x3a0 +[ 560.917923] ? __kasan_check_write+0x14/0x20 +[ 560.918185] ? _raw_spin_lock+0x88/0xdb +[ 560.918409] ? _raw_spin_lock_irqsave+0x100/0x100 +[ 560.918783] ? _find_next_bit+0x4a/0x130 +[ 560.919026] ? _raw_spin_unlock+0x19/0x40 +[ 560.919276] ? alloc_fd+0x14b/0x2d0 +[ 560.919635] do_sys_openat2+0x32a/0x4b0 +[ 560.920035] ? file_open_root+0x230/0x230 +[ 560.920336] ? __rcu_read_unlock+0x5b/0x280 +[ 560.920813] do_sys_open+0x99/0xf0 +[ 560.921208] ? filp_open+0x60/0x60 +[ 560.921482] ? exit_to_user_mode_prepare+0x49/0x180 +[ 560.921867] __x64_sys_open+0x4c/0x60 +[ 560.922128] do_syscall_64+0x3b/0x90 +[ 560.922369] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 560.923030] RIP: 0033:0x7f7dff2e4469 +[ 560.923681] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 +[ 560.924451] RSP: 002b:00007ffd41a210b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000002 +[ 560.925168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dff2e4469 +[ 560.925655] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffd41a211f0 +[ 560.926085] RBP: 00007ffd41a252a0 R08: 00007f7dff60fba0 R09: 00007ffd41a25388 +[ 560.926405] R10: 0000000000400b80 R11: 0000000000000206 R12: 00000000004004e0 +[ 560.926867] R13: 00007ffd41a25380 R14: 0000000000000000 R15: 0000000000000000 +[ 560.927241] +[ 560.927491] +[ 560.927755] Allocated by task 245: +[ 560.928409] kasan_save_stack+0x26/0x50 +[ 560.929271] __kasan_kmalloc+0x88/0xb0 +[ 560.929778] __kmalloc+0x192/0x320 +[ 560.930023] indx_read+0x249/0x380 +[ 560.930224] indx_find+0x2a2/0x470 +[ 560.930695] dir_search_u+0x196/0x2f0 +[ 560.930892] ntfs_lookup+0xe0/0x100 +[ 560.931115] __lookup_slow+0x116/0x220 +[ 560.931323] walk_component+0x187/0x230 +[ 560.931570] link_path_walk.part.0+0x3f0/0x660 +[ 560.931791] path_openat+0x19c/0x1d10 +[ 560.932008] do_filp_open+0x15c/0x1f0 +[ 560.932226] do_sys_openat2+0x32a/0x4b0 +[ 560.932413] do_sys_open+0x99/0xf0 +[ 560.932709] __x64_sys_open+0x4c/0x60 +[ 560.933417] do_syscall_64+0x3b/0x90 +[ 560.933776] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 560.934235] +[ 560.934486] The buggy address belongs to the object at ffff888009497000 +[ 560.934486] which belongs to the cache kmalloc-512 of size 512 +[ 560.935239] The buggy address is located 56 bytes to the right of +[ 560.935239] 512-byte region [ffff888009497000, ffff888009497200) +[ 560.936153] +[ 560.937326] The buggy address belongs to the physical page: +[ 560.938228] page:0000000062a3dfae refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9496 +[ 560.939616] head:0000000062a3dfae order:1 compound_mapcount:0 compound_pincount:0 +[ 560.940219] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) +[ 560.942702] raw: 000fffffc0010200 ffffea0000164f80 dead000000000005 ffff888001041c80 +[ 560.943932] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 +[ 560.944568] page dumped because: kasan: bad access detected +[ 560.945735] +[ 560.946112] Memory state around the buggy address: +[ 560.946870] ffff888009497100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 560.947242] ffff888009497180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 560.947611] >ffff888009497200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 560.947915] ^ +[ 560.948249] ffff888009497280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 560.948687] ffff888009497300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/index.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c +index 76ebea253fa2..99f8a57e9f7a 100644 +--- a/fs/ntfs3/index.c ++++ b/fs/ntfs3/index.c +@@ -1017,6 +1017,12 @@ int indx_read(struct ntfs_index *indx, struct ntfs_inode *ni, CLST vbn, + err = 0; + } + ++ /* check for index header length */ ++ if (offsetof(struct INDEX_BUFFER, ihdr) + ib->ihdr.used > bytes) { ++ err = -EINVAL; ++ goto out; ++ } ++ + in->index = ib; + *node = in; + +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-validate-data-run-offset.patch b/queue-5.15/fs-ntfs3-validate-data-run-offset.patch new file mode 100644 index 00000000000..a3d86add298 --- /dev/null +++ b/queue-5.15/fs-ntfs3-validate-data-run-offset.patch @@ -0,0 +1,220 @@ +From 31d45a3f29d1ffd62366bde259114cb67190e8d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Aug 2022 00:47:27 +0800 +Subject: fs/ntfs3: Validate data run offset + +From: Edward Lo + +[ Upstream commit 6db620863f8528ed9a9aa5ad323b26554a17881d ] + +This adds sanity checks for data run offset. We should make sure data +run offset is legit before trying to unpack them, otherwise we may +encounter use-after-free or some unexpected memory access behaviors. + +[ 82.940342] BUG: KASAN: use-after-free in run_unpack+0x2e3/0x570 +[ 82.941180] Read of size 1 at addr ffff888008a8487f by task mount/240 +[ 82.941670] +[ 82.942069] CPU: 0 PID: 240 Comm: mount Not tainted 5.19.0+ #15 +[ 82.942482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 82.943720] Call Trace: +[ 82.944204] +[ 82.944471] dump_stack_lvl+0x49/0x63 +[ 82.944908] print_report.cold+0xf5/0x67b +[ 82.945141] ? __wait_on_bit+0x106/0x120 +[ 82.945750] ? run_unpack+0x2e3/0x570 +[ 82.946626] kasan_report+0xa7/0x120 +[ 82.947046] ? run_unpack+0x2e3/0x570 +[ 82.947280] __asan_load1+0x51/0x60 +[ 82.947483] run_unpack+0x2e3/0x570 +[ 82.947709] ? memcpy+0x4e/0x70 +[ 82.947927] ? run_pack+0x7a0/0x7a0 +[ 82.948158] run_unpack_ex+0xad/0x3f0 +[ 82.948399] ? mi_enum_attr+0x14a/0x200 +[ 82.948717] ? run_unpack+0x570/0x570 +[ 82.949072] ? ni_enum_attr_ex+0x1b2/0x1c0 +[ 82.949332] ? ni_fname_type.part.0+0xd0/0xd0 +[ 82.949611] ? mi_read+0x262/0x2c0 +[ 82.949970] ? ntfs_cmp_names_cpu+0x125/0x180 +[ 82.950249] ntfs_iget5+0x632/0x1870 +[ 82.950621] ? ntfs_get_block_bmap+0x70/0x70 +[ 82.951192] ? evict+0x223/0x280 +[ 82.951525] ? iput.part.0+0x286/0x320 +[ 82.951969] ntfs_fill_super+0x1321/0x1e20 +[ 82.952436] ? put_ntfs+0x1d0/0x1d0 +[ 82.952822] ? vsprintf+0x20/0x20 +[ 82.953188] ? mutex_unlock+0x81/0xd0 +[ 82.953379] ? set_blocksize+0x95/0x150 +[ 82.954001] get_tree_bdev+0x232/0x370 +[ 82.954438] ? put_ntfs+0x1d0/0x1d0 +[ 82.954700] ntfs_fs_get_tree+0x15/0x20 +[ 82.955049] vfs_get_tree+0x4c/0x130 +[ 82.955292] path_mount+0x645/0xfd0 +[ 82.955615] ? putname+0x80/0xa0 +[ 82.955955] ? finish_automount+0x2e0/0x2e0 +[ 82.956310] ? kmem_cache_free+0x110/0x390 +[ 82.956723] ? putname+0x80/0xa0 +[ 82.957023] do_mount+0xd6/0xf0 +[ 82.957411] ? path_mount+0xfd0/0xfd0 +[ 82.957638] ? __kasan_check_write+0x14/0x20 +[ 82.957948] __x64_sys_mount+0xca/0x110 +[ 82.958310] do_syscall_64+0x3b/0x90 +[ 82.958719] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 82.959341] RIP: 0033:0x7fd0d1ce948a +[ 82.960193] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 82.961532] RSP: 002b:00007ffe59ff69a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 82.962527] RAX: ffffffffffffffda RBX: 0000564dcc107060 RCX: 00007fd0d1ce948a +[ 82.963266] RDX: 0000564dcc107260 RSI: 0000564dcc1072e0 RDI: 0000564dcc10fce0 +[ 82.963686] RBP: 0000000000000000 R08: 0000564dcc107280 R09: 0000000000000020 +[ 82.964272] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564dcc10fce0 +[ 82.964785] R13: 0000564dcc107260 R14: 0000000000000000 R15: 00000000ffffffff + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/attrib.c | 13 +++++++++++++ + fs/ntfs3/attrlist.c | 5 +++++ + fs/ntfs3/frecord.c | 14 ++++++++++++++ + fs/ntfs3/fslog.c | 9 +++++++++ + fs/ntfs3/inode.c | 5 +++++ + 5 files changed, 46 insertions(+) + +diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c +index e8c00dda42ad..43e85c493c05 100644 +--- a/fs/ntfs3/attrib.c ++++ b/fs/ntfs3/attrib.c +@@ -101,6 +101,10 @@ int attr_load_runs(struct ATTRIB *attr, struct ntfs_inode *ni, + + asize = le32_to_cpu(attr->size); + run_off = le16_to_cpu(attr->nres.run_off); ++ ++ if (run_off > asize) ++ return -EINVAL; ++ + err = run_unpack_ex(run, ni->mi.sbi, ni->mi.rno, svcn, evcn, + vcn ? *vcn : svcn, Add2Ptr(attr, run_off), + asize - run_off); +@@ -1157,6 +1161,10 @@ int attr_load_runs_vcn(struct ntfs_inode *ni, enum ATTR_TYPE type, + } + + ro = le16_to_cpu(attr->nres.run_off); ++ ++ if (ro > le32_to_cpu(attr->size)) ++ return -EINVAL; ++ + err = run_unpack_ex(run, ni->mi.sbi, ni->mi.rno, svcn, evcn, svcn, + Add2Ptr(attr, ro), le32_to_cpu(attr->size) - ro); + if (err < 0) +@@ -1832,6 +1840,11 @@ int attr_collapse_range(struct ntfs_inode *ni, u64 vbo, u64 bytes) + u16 le_sz; + u16 roff = le16_to_cpu(attr->nres.run_off); + ++ if (roff > le32_to_cpu(attr->size)) { ++ err = -EINVAL; ++ goto out; ++ } ++ + run_unpack_ex(RUN_DEALLOCATE, sbi, ni->mi.rno, svcn, + evcn1 - 1, svcn, Add2Ptr(attr, roff), + le32_to_cpu(attr->size) - roff); +diff --git a/fs/ntfs3/attrlist.c b/fs/ntfs3/attrlist.c +index bad6d8a849a2..c0c6bcbc8c05 100644 +--- a/fs/ntfs3/attrlist.c ++++ b/fs/ntfs3/attrlist.c +@@ -68,6 +68,11 @@ int ntfs_load_attr_list(struct ntfs_inode *ni, struct ATTRIB *attr) + + run_init(&ni->attr_list.run); + ++ if (run_off > le32_to_cpu(attr->size)) { ++ err = -EINVAL; ++ goto out; ++ } ++ + err = run_unpack_ex(&ni->attr_list.run, ni->mi.sbi, ni->mi.rno, + 0, le64_to_cpu(attr->nres.evcn), 0, + Add2Ptr(attr, run_off), +diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c +index 18842998c8fa..cdeb0b51f0ba 100644 +--- a/fs/ntfs3/frecord.c ++++ b/fs/ntfs3/frecord.c +@@ -567,6 +567,12 @@ static int ni_repack(struct ntfs_inode *ni) + } + + roff = le16_to_cpu(attr->nres.run_off); ++ ++ if (roff > le32_to_cpu(attr->size)) { ++ err = -EINVAL; ++ break; ++ } ++ + err = run_unpack(&run, sbi, ni->mi.rno, svcn, evcn, svcn, + Add2Ptr(attr, roff), + le32_to_cpu(attr->size) - roff); +@@ -1541,6 +1547,9 @@ int ni_delete_all(struct ntfs_inode *ni) + asize = le32_to_cpu(attr->size); + roff = le16_to_cpu(attr->nres.run_off); + ++ if (roff > asize) ++ return -EINVAL; ++ + /* run==1 means unpack and deallocate. */ + run_unpack_ex(RUN_DEALLOCATE, sbi, ni->mi.rno, svcn, evcn, svcn, + Add2Ptr(attr, roff), asize - roff); +@@ -2242,6 +2251,11 @@ int ni_decompress_file(struct ntfs_inode *ni) + asize = le32_to_cpu(attr->size); + roff = le16_to_cpu(attr->nres.run_off); + ++ if (roff > asize) { ++ err = -EINVAL; ++ goto out; ++ } ++ + /*run==1 Means unpack and deallocate. */ + run_unpack_ex(RUN_DEALLOCATE, sbi, ni->mi.rno, svcn, evcn, svcn, + Add2Ptr(attr, roff), asize - roff); +diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c +index 614513460b8e..bcdddcd7bc79 100644 +--- a/fs/ntfs3/fslog.c ++++ b/fs/ntfs3/fslog.c +@@ -2727,6 +2727,9 @@ static inline bool check_attr(const struct MFT_REC *rec, + return false; + } + ++ if (run_off > asize) ++ return false; ++ + if (run_unpack(NULL, sbi, 0, svcn, evcn, svcn, + Add2Ptr(attr, run_off), asize - run_off) < 0) { + return false; +@@ -4769,6 +4772,12 @@ int log_replay(struct ntfs_inode *ni, bool *initialized) + u16 roff = le16_to_cpu(attr->nres.run_off); + CLST svcn = le64_to_cpu(attr->nres.svcn); + ++ if (roff > t32) { ++ kfree(oa->attr); ++ oa->attr = NULL; ++ goto fake_attr; ++ } ++ + err = run_unpack(&oa->run0, sbi, inode->i_ino, svcn, + le64_to_cpu(attr->nres.evcn), svcn, + Add2Ptr(attr, roff), t32 - roff); +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index 64b4a3c29878..83d4c9f42d9c 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -364,6 +364,11 @@ static struct inode *ntfs_read_mft(struct inode *inode, + attr_unpack_run: + roff = le16_to_cpu(attr->nres.run_off); + ++ if (roff > asize) { ++ err = -EINVAL; ++ goto out; ++ } ++ + t64 = le64_to_cpu(attr->nres.svcn); + err = run_unpack_ex(run, sbi, ino, t64, le64_to_cpu(attr->nres.evcn), + t64, Add2Ptr(attr, roff), asize - roff); +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-validate-index-root-when-initialize-ntfs-se.patch b/queue-5.15/fs-ntfs3-validate-index-root-when-initialize-ntfs-se.patch new file mode 100644 index 00000000000..b7a358e1bd3 --- /dev/null +++ b/queue-5.15/fs-ntfs3-validate-index-root-when-initialize-ntfs-se.patch @@ -0,0 +1,135 @@ +From 1ddb583e4bc97fd9f1c9cf894cb630acce9fc8a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 09:58:40 +0800 +Subject: fs/ntfs3: Validate index root when initialize NTFS security + +From: Edward Lo + +[ Upstream commit bfcdbae0523bd95eb75a739ffb6221a37109881e ] + +This enhances the sanity check for $SDH and $SII while initializing NTFS +security, guarantees these index root are legit. + +[ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320 +[ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243 +[ 162.460851] +[ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42 +[ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 162.462609] Call Trace: +[ 162.462954] +[ 162.463276] dump_stack_lvl+0x49/0x63 +[ 162.463822] print_report.cold+0xf5/0x689 +[ 162.464608] ? unwind_get_return_address+0x3a/0x60 +[ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320 +[ 162.466975] kasan_report+0xa7/0x130 +[ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0 +[ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320 +[ 162.468536] __asan_load2+0x68/0x90 +[ 162.468923] hdr_find_e.isra.0+0x10c/0x320 +[ 162.469282] ? cmp_uints+0xe0/0xe0 +[ 162.469557] ? cmp_sdh+0x90/0x90 +[ 162.469864] ? ni_find_attr+0x214/0x300 +[ 162.470217] ? ni_load_mi+0x80/0x80 +[ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 162.470931] ? ntfs_bread_run+0x190/0x190 +[ 162.471307] ? indx_get_root+0xe4/0x190 +[ 162.471556] ? indx_get_root+0x140/0x190 +[ 162.471833] ? indx_init+0x1e0/0x1e0 +[ 162.472069] ? fnd_clear+0x115/0x140 +[ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100 +[ 162.472731] indx_find+0x184/0x470 +[ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0 +[ 162.474429] ? indx_find_buffer+0x2d0/0x2d0 +[ 162.474704] ? do_syscall_64+0x3b/0x90 +[ 162.474962] dir_search_u+0x196/0x2f0 +[ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450 +[ 162.475661] ? ntfs_security_init+0x3d6/0x440 +[ 162.475906] ? is_sd_valid+0x180/0x180 +[ 162.476191] ntfs_extend_init+0x13f/0x2c0 +[ 162.476496] ? ntfs_fix_post_read+0x130/0x130 +[ 162.476861] ? iput.part.0+0x286/0x320 +[ 162.477325] ntfs_fill_super+0x11e0/0x1b50 +[ 162.477709] ? put_ntfs+0x1d0/0x1d0 +[ 162.477970] ? vsprintf+0x20/0x20 +[ 162.478258] ? set_blocksize+0x95/0x150 +[ 162.478538] get_tree_bdev+0x232/0x370 +[ 162.478789] ? put_ntfs+0x1d0/0x1d0 +[ 162.479038] ntfs_fs_get_tree+0x15/0x20 +[ 162.479374] vfs_get_tree+0x4c/0x130 +[ 162.479729] path_mount+0x654/0xfe0 +[ 162.480124] ? putname+0x80/0xa0 +[ 162.480484] ? finish_automount+0x2e0/0x2e0 +[ 162.480894] ? putname+0x80/0xa0 +[ 162.481467] ? kmem_cache_free+0x1c4/0x440 +[ 162.482280] ? putname+0x80/0xa0 +[ 162.482714] do_mount+0xd6/0xf0 +[ 162.483264] ? path_mount+0xfe0/0xfe0 +[ 162.484782] ? __kasan_check_write+0x14/0x20 +[ 162.485593] __x64_sys_mount+0xca/0x110 +[ 162.486024] do_syscall_64+0x3b/0x90 +[ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 162.487141] RIP: 0033:0x7f9d374e948a +[ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a +[ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0 +[ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020 +[ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0 +[ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff +[ 162.493644] +[ 162.493908] +[ 162.494214] The buggy address belongs to the physical page: +[ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc +[ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) +[ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000 +[ 162.498928] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000 +[ 162.500542] page dumped because: kasan: bad access detected +[ 162.501057] +[ 162.501242] Memory state around the buggy address: +[ 162.502230] ffff8880037bc980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.502977] ffff8880037bca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.503522] >ffff8880037bca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.503963] ^ +[ 162.504370] ffff8880037bcb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.504766] ffff8880037bcb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/fsntfs.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c +index 24b57c3cc625..4a97a28cb8f2 100644 +--- a/fs/ntfs3/fsntfs.c ++++ b/fs/ntfs3/fsntfs.c +@@ -1878,9 +1878,10 @@ int ntfs_security_init(struct ntfs_sb_info *sbi) + goto out; + } + +- root_sdh = resident_data(attr); ++ root_sdh = resident_data_ex(attr, sizeof(struct INDEX_ROOT)); + if (root_sdh->type != ATTR_ZERO || +- root_sdh->rule != NTFS_COLLATION_TYPE_SECURITY_HASH) { ++ root_sdh->rule != NTFS_COLLATION_TYPE_SECURITY_HASH || ++ offsetof(struct INDEX_ROOT, ihdr) + root_sdh->ihdr.used > attr->res.data_size) { + err = -EINVAL; + goto out; + } +@@ -1896,9 +1897,10 @@ int ntfs_security_init(struct ntfs_sb_info *sbi) + goto out; + } + +- root_sii = resident_data(attr); ++ root_sii = resident_data_ex(attr, sizeof(struct INDEX_ROOT)); + if (root_sii->type != ATTR_ZERO || +- root_sii->rule != NTFS_COLLATION_TYPE_UINT) { ++ root_sii->rule != NTFS_COLLATION_TYPE_UINT || ++ offsetof(struct INDEX_ROOT, ihdr) + root_sii->ihdr.used > attr->res.data_size) { + err = -EINVAL; + goto out; + } +-- +2.35.1 + diff --git a/queue-5.15/fs-ntfs3-validate-resident-attribute-name.patch b/queue-5.15/fs-ntfs3-validate-resident-attribute-name.patch new file mode 100644 index 00000000000..8bf5fedf144 --- /dev/null +++ b/queue-5.15/fs-ntfs3-validate-resident-attribute-name.patch @@ -0,0 +1,173 @@ +From 8e834bf9df95f7db2164ca92026fab582b865d31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Sep 2022 00:50:23 +0800 +Subject: fs/ntfs3: Validate resident attribute name + +From: Edward Lo + +[ Upstream commit 54e45702b648b7c0000e90b3e9b890e367e16ea8 ] + +Though we already have some sanity checks while enumerating attributes, +resident attribute names aren't included. This patch checks the resident +attribute names are in the valid ranges. + +[ 259.209031] BUG: KASAN: slab-out-of-bounds in ni_create_attr_list+0x1e1/0x850 +[ 259.210770] Write of size 426 at addr ffff88800632f2b2 by task exp/255 +[ 259.211551] +[ 259.212035] CPU: 0 PID: 255 Comm: exp Not tainted 6.0.0-rc6 #37 +[ 259.212955] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 259.214387] Call Trace: +[ 259.214640] +[ 259.214895] dump_stack_lvl+0x49/0x63 +[ 259.215284] print_report.cold+0xf5/0x689 +[ 259.215565] ? kasan_poison+0x3c/0x50 +[ 259.215778] ? kasan_unpoison+0x28/0x60 +[ 259.215991] ? ni_create_attr_list+0x1e1/0x850 +[ 259.216270] kasan_report+0xa7/0x130 +[ 259.216481] ? ni_create_attr_list+0x1e1/0x850 +[ 259.216719] kasan_check_range+0x15a/0x1d0 +[ 259.216939] memcpy+0x3c/0x70 +[ 259.217136] ni_create_attr_list+0x1e1/0x850 +[ 259.217945] ? __rcu_read_unlock+0x5b/0x280 +[ 259.218384] ? ni_remove_attr+0x2e0/0x2e0 +[ 259.218712] ? kernel_text_address+0xcf/0xe0 +[ 259.219064] ? __kernel_text_address+0x12/0x40 +[ 259.219434] ? arch_stack_walk+0x9e/0xf0 +[ 259.219668] ? __this_cpu_preempt_check+0x13/0x20 +[ 259.219904] ? sysvec_apic_timer_interrupt+0x57/0xc0 +[ 259.220140] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 +[ 259.220561] ni_ins_attr_ext+0x52c/0x5c0 +[ 259.220984] ? ni_create_attr_list+0x850/0x850 +[ 259.221532] ? run_deallocate+0x120/0x120 +[ 259.221972] ? vfs_setxattr+0x128/0x300 +[ 259.222688] ? setxattr+0x126/0x140 +[ 259.222921] ? path_setxattr+0x164/0x180 +[ 259.223431] ? __x64_sys_setxattr+0x6d/0x80 +[ 259.223828] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 259.224417] ? mi_find_attr+0x3c/0xf0 +[ 259.224772] ni_insert_attr+0x1ba/0x420 +[ 259.225216] ? ni_ins_attr_ext+0x5c0/0x5c0 +[ 259.225504] ? ntfs_read_ea+0x119/0x450 +[ 259.225775] ni_insert_resident+0xc0/0x1c0 +[ 259.226316] ? ni_insert_nonresident+0x400/0x400 +[ 259.227001] ? __kasan_kmalloc+0x88/0xb0 +[ 259.227468] ? __kmalloc+0x192/0x320 +[ 259.227773] ntfs_set_ea+0x6bf/0xb30 +[ 259.228216] ? ftrace_graph_ret_addr+0x2a/0xb0 +[ 259.228494] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 259.228838] ? ntfs_read_ea+0x450/0x450 +[ 259.229098] ? is_bpf_text_address+0x24/0x40 +[ 259.229418] ? kernel_text_address+0xcf/0xe0 +[ 259.229681] ? __kernel_text_address+0x12/0x40 +[ 259.229948] ? unwind_get_return_address+0x3a/0x60 +[ 259.230271] ? write_profile+0x270/0x270 +[ 259.230537] ? arch_stack_walk+0x9e/0xf0 +[ 259.230836] ntfs_setxattr+0x114/0x5c0 +[ 259.231099] ? ntfs_set_acl_ex+0x2e0/0x2e0 +[ 259.231529] ? evm_protected_xattr_common+0x6d/0x100 +[ 259.231817] ? posix_xattr_acl+0x13/0x80 +[ 259.232073] ? evm_protect_xattr+0x1f7/0x440 +[ 259.232351] __vfs_setxattr+0xda/0x120 +[ 259.232635] ? xattr_resolve_name+0x180/0x180 +[ 259.232912] __vfs_setxattr_noperm+0x93/0x300 +[ 259.233219] __vfs_setxattr_locked+0x141/0x160 +[ 259.233492] ? kasan_poison+0x3c/0x50 +[ 259.233744] vfs_setxattr+0x128/0x300 +[ 259.234002] ? __vfs_setxattr_locked+0x160/0x160 +[ 259.234837] do_setxattr+0xb8/0x170 +[ 259.235567] ? vmemdup_user+0x53/0x90 +[ 259.236212] setxattr+0x126/0x140 +[ 259.236491] ? do_setxattr+0x170/0x170 +[ 259.236791] ? debug_smp_processor_id+0x17/0x20 +[ 259.237232] ? kasan_quarantine_put+0x57/0x180 +[ 259.237605] ? putname+0x80/0xa0 +[ 259.237870] ? __kasan_slab_free+0x11c/0x1b0 +[ 259.238234] ? putname+0x80/0xa0 +[ 259.238500] ? preempt_count_sub+0x18/0xc0 +[ 259.238775] ? __mnt_want_write+0xaa/0x100 +[ 259.238990] ? mnt_want_write+0x8b/0x150 +[ 259.239290] path_setxattr+0x164/0x180 +[ 259.239605] ? setxattr+0x140/0x140 +[ 259.239849] ? debug_smp_processor_id+0x17/0x20 +[ 259.240174] ? fpregs_assert_state_consistent+0x67/0x80 +[ 259.240411] __x64_sys_setxattr+0x6d/0x80 +[ 259.240715] do_syscall_64+0x3b/0x90 +[ 259.240934] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 259.241697] RIP: 0033:0x7fc6b26e4469 +[ 259.242647] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 +[ 259.244512] RSP: 002b:00007ffc3c7841f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000bc +[ 259.245086] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc6b26e4469 +[ 259.246025] RDX: 00007ffc3c784380 RSI: 00007ffc3c7842e0 RDI: 00007ffc3c784238 +[ 259.246961] RBP: 00007ffc3c788410 R08: 0000000000000001 R09: 00007ffc3c7884f8 +[ 259.247775] R10: 000000000000007f R11: 0000000000000217 R12: 00000000004004e0 +[ 259.248534] R13: 00007ffc3c7884f0 R14: 0000000000000000 R15: 0000000000000000 +[ 259.249368] +[ 259.249644] +[ 259.249888] Allocated by task 255: +[ 259.250283] kasan_save_stack+0x26/0x50 +[ 259.250957] __kasan_kmalloc+0x88/0xb0 +[ 259.251826] __kmalloc+0x192/0x320 +[ 259.252745] ni_create_attr_list+0x11e/0x850 +[ 259.253298] ni_ins_attr_ext+0x52c/0x5c0 +[ 259.253685] ni_insert_attr+0x1ba/0x420 +[ 259.253974] ni_insert_resident+0xc0/0x1c0 +[ 259.254311] ntfs_set_ea+0x6bf/0xb30 +[ 259.254629] ntfs_setxattr+0x114/0x5c0 +[ 259.254859] __vfs_setxattr+0xda/0x120 +[ 259.255155] __vfs_setxattr_noperm+0x93/0x300 +[ 259.255445] __vfs_setxattr_locked+0x141/0x160 +[ 259.255862] vfs_setxattr+0x128/0x300 +[ 259.256251] do_setxattr+0xb8/0x170 +[ 259.256522] setxattr+0x126/0x140 +[ 259.256911] path_setxattr+0x164/0x180 +[ 259.257308] __x64_sys_setxattr+0x6d/0x80 +[ 259.257637] do_syscall_64+0x3b/0x90 +[ 259.257970] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 259.258550] +[ 259.258772] The buggy address belongs to the object at ffff88800632f000 +[ 259.258772] which belongs to the cache kmalloc-1k of size 1024 +[ 259.260190] The buggy address is located 690 bytes inside of +[ 259.260190] 1024-byte region [ffff88800632f000, ffff88800632f400) +[ 259.261412] +[ 259.261743] The buggy address belongs to the physical page: +[ 259.262354] page:0000000081e8cac9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632c +[ 259.263722] head:0000000081e8cac9 order:2 compound_mapcount:0 compound_pincount:0 +[ 259.264284] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) +[ 259.265312] raw: 000fffffc0010200 ffffea0000060d00 dead000000000004 ffff888001041dc0 +[ 259.265772] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 +[ 259.266305] page dumped because: kasan: bad access detected +[ 259.266588] +[ 259.266728] Memory state around the buggy address: +[ 259.267225] ffff88800632f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 259.267841] ffff88800632f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 259.269111] >ffff88800632f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 259.269626] ^ +[ 259.270162] ffff88800632f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 259.270810] ffff88800632f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/record.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c +index 30751fd618df..fd342da398be 100644 +--- a/fs/ntfs3/record.c ++++ b/fs/ntfs3/record.c +@@ -265,6 +265,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + if (t16 + t32 > asize) + return NULL; + ++ if (attr->name_len && ++ le16_to_cpu(attr->name_off) + sizeof(short) * attr->name_len > t16) { ++ return NULL; ++ } ++ + return attr; + } + +-- +2.35.1 + diff --git a/queue-5.15/hid-multitouch-fix-asus-expertbook-p2-p2451fa-trackp.patch b/queue-5.15/hid-multitouch-fix-asus-expertbook-p2-p2451fa-trackp.patch new file mode 100644 index 00000000000..c63b1973f2d --- /dev/null +++ b/queue-5.15/hid-multitouch-fix-asus-expertbook-p2-p2451fa-trackp.patch @@ -0,0 +1,53 @@ +From f896480649e04f64a7d5b8e3e8dc21872708fd2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 17:57:05 +0100 +Subject: HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit 4eab1c2fe06c98a4dff258dd64800b6986c101e9 ] + +The HID descriptor of this device contains two mouse collections, one +for mouse emulation and the other for the trackpoint. + +Both collections get merged and, because the first one defines X and Y, +the movemenent events reported by the trackpoint collection are +ignored. + +Set the MT_CLS_WIN_8_FORCE_MULTI_INPUT class for this device to be able +to receive its reports. + +This fix is similar to/based on commit 40d5bb87377a ("HID: multitouch: +enable multi-input as a quirk for some devices"). + +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/825 +Reported-by: Akito +Tested-by: Akito +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 08462ac72b89..6b86d368d5e7 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -1965,6 +1965,10 @@ static const struct hid_device_id mt_devices[] = { + HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, + USB_VENDOR_ID_ELAN, 0x313a) }, + ++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, ++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, ++ USB_VENDOR_ID_ELAN, 0x3148) }, ++ + /* Elitegroup panel */ + { .driver_data = MT_CLS_SERIAL, + MT_USB_DEVICE(USB_VENDOR_ID_ELITEGROUP, +-- +2.35.1 + diff --git a/queue-5.15/hid-plantronics-additional-pids-for-double-volume-ke.patch b/queue-5.15/hid-plantronics-additional-pids-for-double-volume-ke.patch new file mode 100644 index 00000000000..87e442140ee --- /dev/null +++ b/queue-5.15/hid-plantronics-additional-pids-for-double-volume-ke.patch @@ -0,0 +1,81 @@ +From 300941435fc121be1db6062613bed22901d71154 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 15:05:06 -0800 +Subject: HID: plantronics: Additional PIDs for double volume key presses quirk + +From: Terry Junge + +[ Upstream commit 3d57f36c89d8ba32b2c312f397a37fd1a2dc7cfc ] + +I no longer work for Plantronics (aka Poly, aka HP) and do not have +access to the headsets in order to test. However, as noted by Maxim, +the other 32xx models that share the same base code set as the 3220 +would need the same quirk. This patch adds the PIDs for the rest of +the Blackwire 32XX product family that require the quirk. + +Plantronics Blackwire 3210 Series (047f:c055) +Plantronics Blackwire 3215 Series (047f:c057) +Plantronics Blackwire 3225 Series (047f:c058) + +Quote from previous patch by Maxim Mikityanskiy +Plantronics Blackwire 3220 Series (047f:c056) sends HID reports twice +for each volume key press. This patch adds a quirk to hid-plantronics +for this product ID, which will ignore the second volume key press if +it happens within 5 ms from the last one that was handled. + +The patch was tested on the mentioned model only, it shouldn't affect +other models, however, this quirk might be needed for them too. +Auto-repeat (when a key is held pressed) is not affected, because the +rate is about 3 times per second, which is far less frequent than once +in 5 ms. +End quote + +Signed-off-by: Terry Junge +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-plantronics.c | 9 +++++++++ + 2 files changed, 12 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 78b55f845d2d..8698d49edaa3 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -966,7 +966,10 @@ + #define USB_DEVICE_ID_ORTEK_IHOME_IMAC_A210S 0x8003 + + #define USB_VENDOR_ID_PLANTRONICS 0x047f ++#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES 0xc055 + #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES 0xc056 ++#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES 0xc057 ++#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES 0xc058 + + #define USB_VENDOR_ID_PANASONIC 0x04da + #define USB_DEVICE_ID_PANABOARD_UBT780 0x1044 +diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c +index e81b7cec2d12..3d414ae194ac 100644 +--- a/drivers/hid/hid-plantronics.c ++++ b/drivers/hid/hid-plantronics.c +@@ -198,9 +198,18 @@ static int plantronics_probe(struct hid_device *hdev, + } + + static const struct hid_device_id plantronics_devices[] = { ++ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, ++ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES), ++ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, + USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES), + .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, ++ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES), ++ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, ++ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES), ++ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) }, + { } + }; +-- +2.35.1 + diff --git a/queue-5.15/nvme-fix-the-nvme_cmd_effects_cse_mask-definition.patch b/queue-5.15/nvme-fix-the-nvme_cmd_effects_cse_mask-definition.patch new file mode 100644 index 00000000000..9960f806d6d --- /dev/null +++ b/queue-5.15/nvme-fix-the-nvme_cmd_effects_cse_mask-definition.patch @@ -0,0 +1,46 @@ +From b45d2fa44e40654e92758296177315f92d0773b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Dec 2022 10:30:45 +0100 +Subject: nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition + +From: Christoph Hellwig + +[ Upstream commit 685e6311637e46f3212439ce2789f8a300e5050f ] + +3 << 16 does not generate the correct mask for bits 16, 17 and 18. +Use the GENMASK macro to generate the correct mask instead. + +Fixes: 84fef62d135b ("nvme: check admin passthru command effects") +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: Kanchan Joshi +Signed-off-by: Sasha Levin +--- + include/linux/nvme.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/nvme.h b/include/linux/nvme.h +index 039f59ee8f43..de235916c31c 100644 +--- a/include/linux/nvme.h ++++ b/include/linux/nvme.h +@@ -7,6 +7,7 @@ + #ifndef _LINUX_NVME_H + #define _LINUX_NVME_H + ++#include + #include + #include + +@@ -539,7 +540,7 @@ enum { + NVME_CMD_EFFECTS_NCC = 1 << 2, + NVME_CMD_EFFECTS_NIC = 1 << 3, + NVME_CMD_EFFECTS_CCC = 1 << 4, +- NVME_CMD_EFFECTS_CSE_MASK = 3 << 16, ++ NVME_CMD_EFFECTS_CSE_MASK = GENMASK(18, 16), + NVME_CMD_EFFECTS_UUID_SEL = 1 << 19, + }; + +-- +2.35.1 + diff --git a/queue-5.15/nvme-pci-fix-doorbell-buffer-value-endianness.patch b/queue-5.15/nvme-pci-fix-doorbell-buffer-value-endianness.patch new file mode 100644 index 00000000000..e94a64fbad4 --- /dev/null +++ b/queue-5.15/nvme-pci-fix-doorbell-buffer-value-endianness.patch @@ -0,0 +1,100 @@ +From b4e340a04b5d5b7c1bbe409ac1c1956bf093039e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Dec 2022 09:58:07 +0100 +Subject: nvme-pci: fix doorbell buffer value endianness + +From: Klaus Jensen + +[ Upstream commit b5f96cb719d8ba220b565ddd3ba4ac0d8bcfb130 ] + +When using shadow doorbells, the event index and the doorbell values are +written to host memory. Prior to this patch, the values written would +erroneously be written in host endianness. This causes trouble on +big-endian platforms. Fix this by adding missing endian conversions. + +This issue was noticed by Guenter while testing various big-endian +platforms under QEMU[1]. A similar fix required for hw/nvme in QEMU is +up for review as well[2]. + + [1]: https://lore.kernel.org/qemu-devel/20221209110022.GA3396194@roeck-us.net/ + [2]: https://lore.kernel.org/qemu-devel/20221212114409.34972-4-its@irrelevant.dk/ + +Fixes: f9f38e33389c ("nvme: improve performance for virtual NVMe devices") +Reported-by: Guenter Roeck +Signed-off-by: Klaus Jensen +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index d49df7123677..ab038dbafc06 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -142,9 +142,9 @@ struct nvme_dev { + mempool_t *iod_mempool; + + /* shadow doorbell buffer support: */ +- u32 *dbbuf_dbs; ++ __le32 *dbbuf_dbs; + dma_addr_t dbbuf_dbs_dma_addr; +- u32 *dbbuf_eis; ++ __le32 *dbbuf_eis; + dma_addr_t dbbuf_eis_dma_addr; + + /* host memory buffer support: */ +@@ -208,10 +208,10 @@ struct nvme_queue { + #define NVMEQ_SQ_CMB 1 + #define NVMEQ_DELETE_ERROR 2 + #define NVMEQ_POLLED 3 +- u32 *dbbuf_sq_db; +- u32 *dbbuf_cq_db; +- u32 *dbbuf_sq_ei; +- u32 *dbbuf_cq_ei; ++ __le32 *dbbuf_sq_db; ++ __le32 *dbbuf_cq_db; ++ __le32 *dbbuf_sq_ei; ++ __le32 *dbbuf_cq_ei; + struct completion delete_done; + }; + +@@ -332,11 +332,11 @@ static inline int nvme_dbbuf_need_event(u16 event_idx, u16 new_idx, u16 old) + } + + /* Update dbbuf and return true if an MMIO is required */ +-static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db, +- volatile u32 *dbbuf_ei) ++static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db, ++ volatile __le32 *dbbuf_ei) + { + if (dbbuf_db) { +- u16 old_value; ++ u16 old_value, event_idx; + + /* + * Ensure that the queue is written before updating +@@ -344,8 +344,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db, + */ + wmb(); + +- old_value = *dbbuf_db; +- *dbbuf_db = value; ++ old_value = le32_to_cpu(*dbbuf_db); ++ *dbbuf_db = cpu_to_le32(value); + + /* + * Ensure that the doorbell is updated before reading the event +@@ -355,7 +355,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db, + */ + mb(); + +- if (!nvme_dbbuf_need_event(*dbbuf_ei, value, old_value)) ++ event_idx = le32_to_cpu(*dbbuf_ei); ++ if (!nvme_dbbuf_need_event(event_idx, value, old_value)) + return false; + } + +-- +2.35.1 + diff --git a/queue-5.15/nvme-pci-fix-mempool-alloc-size.patch b/queue-5.15/nvme-pci-fix-mempool-alloc-size.patch new file mode 100644 index 00000000000..ee73ca55447 --- /dev/null +++ b/queue-5.15/nvme-pci-fix-mempool-alloc-size.patch @@ -0,0 +1,51 @@ +From a6289990cad1edf8d1c989e248d435d169e8c8e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Dec 2022 10:59:06 -0800 +Subject: nvme-pci: fix mempool alloc size + +From: Keith Busch + +[ Upstream commit c89a529e823d51dd23c7ec0c047c7a454a428541 ] + +Convert the max size to bytes to match the units of the divisor that +calculates the worst-case number of PRP entries. + +The result is used to determine how many PRP Lists are required. The +code was previously rounding this to 1 list, but we can require 2 in the +worst case. In that scenario, the driver would corrupt memory beyond the +size provided by the mempool. + +While unlikely to occur (you'd need a 4MB in exactly 127 phys segments +on a queue that doesn't support SGLs), this memory corruption has been +observed by kfence. + +Cc: Jens Axboe +Fixes: 943e942e6266f ("nvme-pci: limit max IO size and segments to avoid high order allocations") +Signed-off-by: Keith Busch +Reviewed-by: Jens Axboe +Reviewed-by: Kanchan Joshi +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index ab038dbafc06..7a96cbbfdabb 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -370,8 +370,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db, + */ + static int nvme_pci_npages_prp(void) + { +- unsigned nprps = DIV_ROUND_UP(NVME_MAX_KB_SZ + NVME_CTRL_PAGE_SIZE, +- NVME_CTRL_PAGE_SIZE); ++ unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE; ++ unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE); + return DIV_ROUND_UP(8 * nprps, PAGE_SIZE - 8); + } + +-- +2.35.1 + diff --git a/queue-5.15/nvme-pci-fix-page-size-checks.patch b/queue-5.15/nvme-pci-fix-page-size-checks.patch new file mode 100644 index 00000000000..2cdc86bb088 --- /dev/null +++ b/queue-5.15/nvme-pci-fix-page-size-checks.patch @@ -0,0 +1,63 @@ +From 2a3f9747032b5035cf06abb0aaef8807bb15456d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Dec 2022 13:54:55 -0800 +Subject: nvme-pci: fix page size checks + +From: Keith Busch + +[ Upstream commit 841734234a28fd5cd0889b84bd4d93a0988fa11e ] + +The size allocated out of the dma pool is at most NVME_CTRL_PAGE_SIZE, +which may be smaller than the PAGE_SIZE. + +Fixes: c61b82c7b7134 ("nvme-pci: fix PRP pool size") +Signed-off-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 7a96cbbfdabb..0165e65cf548 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -33,7 +33,7 @@ + #define SQ_SIZE(q) ((q)->q_depth << (q)->sqes) + #define CQ_SIZE(q) ((q)->q_depth * sizeof(struct nvme_completion)) + +-#define SGES_PER_PAGE (PAGE_SIZE / sizeof(struct nvme_sgl_desc)) ++#define SGES_PER_PAGE (NVME_CTRL_PAGE_SIZE / sizeof(struct nvme_sgl_desc)) + + /* + * These can be higher, but we need to ensure that any command doesn't +@@ -372,7 +372,7 @@ static int nvme_pci_npages_prp(void) + { + unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE; + unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE); +- return DIV_ROUND_UP(8 * nprps, PAGE_SIZE - 8); ++ return DIV_ROUND_UP(8 * nprps, NVME_CTRL_PAGE_SIZE - 8); + } + + /* +@@ -382,7 +382,7 @@ static int nvme_pci_npages_prp(void) + static int nvme_pci_npages_sgl(void) + { + return DIV_ROUND_UP(NVME_MAX_SEGS * sizeof(struct nvme_sgl_desc), +- PAGE_SIZE); ++ NVME_CTRL_PAGE_SIZE); + } + + static size_t nvme_pci_iod_alloc_size(void) +@@ -732,7 +732,7 @@ static void nvme_pci_sgl_set_seg(struct nvme_sgl_desc *sge, + sge->length = cpu_to_le32(entries * sizeof(*sge)); + sge->type = NVME_SGL_FMT_LAST_SEG_DESC << 4; + } else { +- sge->length = cpu_to_le32(PAGE_SIZE); ++ sge->length = cpu_to_le32(NVME_CTRL_PAGE_SIZE); + sge->type = NVME_SGL_FMT_SEG_DESC << 4; + } + } +-- +2.35.1 + diff --git a/queue-5.15/nvmet-don-t-defer-passthrough-commands-with-trivial-.patch b/queue-5.15/nvmet-don-t-defer-passthrough-commands-with-trivial-.patch new file mode 100644 index 00000000000..c96defc4f1f --- /dev/null +++ b/queue-5.15/nvmet-don-t-defer-passthrough-commands-with-trivial-.patch @@ -0,0 +1,55 @@ +From f17ad39a0b2f68cf4ab60c4efbcea859305fb497 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Dec 2022 09:51:19 +0100 +Subject: nvmet: don't defer passthrough commands with trivial effects to the + workqueue + +From: Christoph Hellwig + +[ Upstream commit 2a459f6933e1c459bffb7cc73fd6c900edc714bd ] + +Mask out the "Command Supported" and "Logical Block Content Change" bits +and only defer execution of commands that have non-trivial effects to +the workqueue for synchronous execution. This allows to execute admin +commands asynchronously on controllers that provide a Command Supported +and Effects log page, and will keep allowing to execute Write commands +asynchronously once command effects on I/O commands are taken into +account. + +Fixes: c1fef73f793b ("nvmet: add passthru code to process commands") +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: Kanchan Joshi +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/passthru.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/nvme/target/passthru.c b/drivers/nvme/target/passthru.c +index 6220e1dd961a..9b5929754195 100644 +--- a/drivers/nvme/target/passthru.c ++++ b/drivers/nvme/target/passthru.c +@@ -271,14 +271,13 @@ static void nvmet_passthru_execute_cmd(struct nvmet_req *req) + } + + /* +- * If there are effects for the command we are about to execute, or +- * an end_req function we need to use nvme_execute_passthru_rq() +- * synchronously in a work item seeing the end_req function and +- * nvme_passthru_end() can't be called in the request done callback +- * which is typically in interrupt context. ++ * If a command needs post-execution fixups, or there are any ++ * non-trivial effects, make sure to execute the command synchronously ++ * in a workqueue so that nvme_passthru_end gets called. + */ + effects = nvme_command_effects(ctrl, ns, req->cmd->common.opcode); +- if (req->p.use_workqueue || effects) { ++ if (req->p.use_workqueue || ++ (effects & ~(NVME_CMD_EFFECTS_CSUPP | NVME_CMD_EFFECTS_LBCC))) { + INIT_WORK(&req->p.work, nvmet_passthru_execute_cmd_work); + req->p.rq = rq; + queue_work(nvmet_wq, &req->p.work); +-- +2.35.1 + diff --git a/queue-5.15/objtool-fix-segfault.patch b/queue-5.15/objtool-fix-segfault.patch new file mode 100644 index 00000000000..a303cbcf171 --- /dev/null +++ b/queue-5.15/objtool-fix-segfault.patch @@ -0,0 +1,40 @@ +From a972ec86529743aa9191d5884dec9fdf3e93a03d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 23:27:46 +0530 +Subject: objtool: Fix SEGFAULT + +From: Christophe Leroy + +[ Upstream commit efb11fdb3e1a9f694fa12b70b21e69e55ec59c36 ] + +find_insn() will return NULL in case of failure. Check insn in order +to avoid a kernel Oops for NULL pointer dereference. + +Tested-by: Naveen N. Rao +Reviewed-by: Naveen N. Rao +Acked-by: Josh Poimboeuf +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221114175754.1131267-9-sv@linux.ibm.com +Signed-off-by: Sasha Levin +--- + tools/objtool/check.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index edac5aaa2802..308c8806ad94 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -197,7 +197,7 @@ static bool __dead_end_function(struct objtool_file *file, struct symbol *func, + return false; + + insn = find_insn(file, func->sec, func->offset); +- if (!insn->func) ++ if (!insn || !insn->func) + return false; + + func_for_each_insn(file, func, insn) { +-- +2.35.1 + diff --git a/queue-5.15/powerpc-msi-fix-deassociation-of-msi-descriptors.patch b/queue-5.15/powerpc-msi-fix-deassociation-of-msi-descriptors.patch new file mode 100644 index 00000000000..7f430b6c288 --- /dev/null +++ b/queue-5.15/powerpc-msi-fix-deassociation-of-msi-descriptors.patch @@ -0,0 +1,100 @@ +From 4cf3d1ee046537cbcbcb6690c4913dd7406c3b8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Dec 2022 10:46:44 +0000 +Subject: powerpc/msi: Fix deassociation of MSI descriptors + +From: Marc Zyngier + +[ Upstream commit 4545c6a3d6ba71747eaa984c338ddd745e56e23f ] + +Since 2f2940d16823 ("genirq/msi: Remove filter from +msi_free_descs_free_range()"), the core MSI code relies on the +msi_desc->irq field to have been cleared before the descriptor +can be freed, as it indicates that there is no association with +a device anymore. + +The irq domain code provides this guarantee, and so does s390, +which is one of the two architectures not using irq domains for +MSIs. + +Powerpc, however, is missing this particular requirements, +leading in a splat and leaked MSI descriptors. + +Adding the now required irq reset to the handful of powerpc backends +that implement MSIs fixes that particular problem. + +Reported-by: Guenter Roeck +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/70dab88e-6119-0c12-7c6a-61bcbe239f66@roeck-us.net +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/4xx/hsta_msi.c | 1 + + arch/powerpc/platforms/cell/axon_msi.c | 1 + + arch/powerpc/platforms/pasemi/msi.c | 1 + + arch/powerpc/sysdev/fsl_msi.c | 1 + + arch/powerpc/sysdev/mpic_u3msi.c | 1 + + 5 files changed, 5 insertions(+) + +diff --git a/arch/powerpc/platforms/4xx/hsta_msi.c b/arch/powerpc/platforms/4xx/hsta_msi.c +index c950fed43b32..4f65bd0cf111 100644 +--- a/arch/powerpc/platforms/4xx/hsta_msi.c ++++ b/arch/powerpc/platforms/4xx/hsta_msi.c +@@ -117,6 +117,7 @@ static void hsta_teardown_msi_irqs(struct pci_dev *dev) + msi_bitmap_free_hwirqs(&ppc4xx_hsta_msi.bmp, irq, 1); + pr_debug("%s: Teardown IRQ %u (index %u)\n", __func__, + entry->irq, irq); ++ entry->irq = 0; + } + } + +diff --git a/arch/powerpc/platforms/cell/axon_msi.c b/arch/powerpc/platforms/cell/axon_msi.c +index f630693c8de7..2bcd9c54bce3 100644 +--- a/arch/powerpc/platforms/cell/axon_msi.c ++++ b/arch/powerpc/platforms/cell/axon_msi.c +@@ -295,6 +295,7 @@ static void axon_msi_teardown_msi_irqs(struct pci_dev *dev) + + irq_set_msi_desc(entry->irq, NULL); + irq_dispose_mapping(entry->irq); ++ entry->irq = 0; + } + } + +diff --git a/arch/powerpc/platforms/pasemi/msi.c b/arch/powerpc/platforms/pasemi/msi.c +index d38944a1e258..76393c158ada 100644 +--- a/arch/powerpc/platforms/pasemi/msi.c ++++ b/arch/powerpc/platforms/pasemi/msi.c +@@ -69,6 +69,7 @@ static void pasemi_msi_teardown_msi_irqs(struct pci_dev *pdev) + hwirq = virq_to_hw(entry->irq); + irq_set_msi_desc(entry->irq, NULL); + irq_dispose_mapping(entry->irq); ++ entry->irq = 0; + msi_bitmap_free_hwirqs(&msi_mpic->msi_bitmap, hwirq, ALLOC_CHUNK); + } + +diff --git a/arch/powerpc/sysdev/fsl_msi.c b/arch/powerpc/sysdev/fsl_msi.c +index c55ccec0a169..173d585c1be8 100644 +--- a/arch/powerpc/sysdev/fsl_msi.c ++++ b/arch/powerpc/sysdev/fsl_msi.c +@@ -132,6 +132,7 @@ static void fsl_teardown_msi_irqs(struct pci_dev *pdev) + msi_data = irq_get_chip_data(entry->irq); + irq_set_msi_desc(entry->irq, NULL); + irq_dispose_mapping(entry->irq); ++ entry->irq = 0; + msi_bitmap_free_hwirqs(&msi_data->bitmap, hwirq, 1); + } + +diff --git a/arch/powerpc/sysdev/mpic_u3msi.c b/arch/powerpc/sysdev/mpic_u3msi.c +index 3861023d378a..43686c82e483 100644 +--- a/arch/powerpc/sysdev/mpic_u3msi.c ++++ b/arch/powerpc/sysdev/mpic_u3msi.c +@@ -111,6 +111,7 @@ static void u3msi_teardown_msi_irqs(struct pci_dev *pdev) + hwirq = virq_to_hw(entry->irq); + irq_set_msi_desc(entry->irq, NULL); + irq_dispose_mapping(entry->irq); ++ entry->irq = 0; + msi_bitmap_free_hwirqs(&msi_mpic->msi_bitmap, hwirq, 1); + } + +-- +2.35.1 + diff --git a/queue-5.15/powerpc-rtas-avoid-device-tree-lookups-in-rtas_os_te.patch b/queue-5.15/powerpc-rtas-avoid-device-tree-lookups-in-rtas_os_te.patch new file mode 100644 index 00000000000..0708887cf06 --- /dev/null +++ b/queue-5.15/powerpc-rtas-avoid-device-tree-lookups-in-rtas_os_te.patch @@ -0,0 +1,77 @@ +From 8833390796102fb1905d1c1a1e4990a731dadbca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 09:07:41 -0600 +Subject: powerpc/rtas: avoid device tree lookups in rtas_os_term() + +From: Nathan Lynch + +[ Upstream commit ed2213bfb192ab51f09f12e9b49b5d482c6493f3 ] + +rtas_os_term() is called during panic. Its behavior depends on a couple +of conditions in the /rtas node of the device tree, the traversal of +which entails locking and local IRQ state changes. If the kernel panics +while devtree_lock is held, rtas_os_term() as currently written could +hang. + +Instead of discovering the relevant characteristics at panic time, +cache them in file-static variables at boot. Note the lookup for +"ibm,extended-os-term" is converted to of_property_read_bool() since it +is a boolean property, not an RTAS function token. + +Signed-off-by: Nathan Lynch +Reviewed-by: Nicholas Piggin +Reviewed-by: Andrew Donnellan +[mpe: Incorporate suggested change from Nick] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221118150751.469393-4-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/rtas.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c +index 7834ce3aa7f1..4d8de49c9d4b 100644 +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -788,6 +788,7 @@ void __noreturn rtas_halt(void) + + /* Must be in the RMO region, so we place it here */ + static char rtas_os_term_buf[2048]; ++static s32 ibm_os_term_token = RTAS_UNKNOWN_SERVICE; + + void rtas_os_term(char *str) + { +@@ -799,14 +800,13 @@ void rtas_os_term(char *str) + * this property may terminate the partition which we want to avoid + * since it interferes with panic_timeout. + */ +- if (RTAS_UNKNOWN_SERVICE == rtas_token("ibm,os-term") || +- RTAS_UNKNOWN_SERVICE == rtas_token("ibm,extended-os-term")) ++ if (ibm_os_term_token == RTAS_UNKNOWN_SERVICE) + return; + + snprintf(rtas_os_term_buf, 2048, "OS panic: %s", str); + + do { +- status = rtas_call(rtas_token("ibm,os-term"), 1, 1, NULL, ++ status = rtas_call(ibm_os_term_token, 1, 1, NULL, + __pa(rtas_os_term_buf)); + } while (rtas_busy_delay(status)); + +@@ -1167,6 +1167,13 @@ void __init rtas_initialize(void) + no_entry = of_property_read_u32(rtas.dev, "linux,rtas-entry", &entry); + rtas.entry = no_entry ? rtas.base : entry; + ++ /* ++ * Discover these now to avoid device tree lookups in the ++ * panic path. ++ */ ++ if (of_property_read_bool(rtas.dev, "ibm,extended-os-term")) ++ ibm_os_term_token = rtas_token("ibm,os-term"); ++ + /* If RTAS was found, allocate the RMO buffer for it and look for + * the stop-self token if any + */ +-- +2.35.1 + diff --git a/queue-5.15/powerpc-rtas-avoid-scheduling-in-rtas_os_term.patch b/queue-5.15/powerpc-rtas-avoid-scheduling-in-rtas_os_term.patch new file mode 100644 index 00000000000..f96dcce3c39 --- /dev/null +++ b/queue-5.15/powerpc-rtas-avoid-scheduling-in-rtas_os_term.patch @@ -0,0 +1,67 @@ +From 796afef8535ed498392cd5842a4fc85eb265b9a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 09:07:42 -0600 +Subject: powerpc/rtas: avoid scheduling in rtas_os_term() + +From: Nathan Lynch + +[ Upstream commit 6c606e57eecc37d6b36d732b1ff7e55b7dc32dd4 ] + +It's unsafe to use rtas_busy_delay() to handle a busy status from +the ibm,os-term RTAS function in rtas_os_term(): + +Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b +BUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:618 +in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0 +preempt_count: 2, expected: 0 +CPU: 7 PID: 1 Comm: swapper/0 Tainted: G D 6.0.0-rc5-02182-gf8553a572277-dirty #9 +Call Trace: +[c000000007b8f000] [c000000001337110] dump_stack_lvl+0xb4/0x110 (unreliable) +[c000000007b8f040] [c0000000002440e4] __might_resched+0x394/0x3c0 +[c000000007b8f0e0] [c00000000004f680] rtas_busy_delay+0x120/0x1b0 +[c000000007b8f100] [c000000000052d04] rtas_os_term+0xb8/0xf4 +[c000000007b8f180] [c0000000001150fc] pseries_panic+0x50/0x68 +[c000000007b8f1f0] [c000000000036354] ppc_panic_platform_handler+0x34/0x50 +[c000000007b8f210] [c0000000002303c4] notifier_call_chain+0xd4/0x1c0 +[c000000007b8f2b0] [c0000000002306cc] atomic_notifier_call_chain+0xac/0x1c0 +[c000000007b8f2f0] [c0000000001d62b8] panic+0x228/0x4d0 +[c000000007b8f390] [c0000000001e573c] do_exit+0x140c/0x1420 +[c000000007b8f480] [c0000000001e586c] make_task_dead+0xdc/0x200 + +Use rtas_busy_delay_time() instead, which signals without side effects +whether to attempt the ibm,os-term RTAS call again. + +Signed-off-by: Nathan Lynch +Reviewed-by: Nicholas Piggin +Reviewed-by: Andrew Donnellan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221118150751.469393-5-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/rtas.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c +index 4d8de49c9d4b..2dae702e7a5a 100644 +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -805,10 +805,15 @@ void rtas_os_term(char *str) + + snprintf(rtas_os_term_buf, 2048, "OS panic: %s", str); + ++ /* ++ * Keep calling as long as RTAS returns a "try again" status, ++ * but don't use rtas_busy_delay(), which potentially ++ * schedules. ++ */ + do { + status = rtas_call(ibm_os_term_token, 1, 1, NULL, + __pa(rtas_os_term_buf)); +- } while (rtas_busy_delay(status)); ++ } while (rtas_busy_delay_time(status)); + + if (status != 0) + printk(KERN_EMERG "ibm,os-term call failed %d\n", status); +-- +2.35.1 + diff --git a/queue-5.15/series b/queue-5.15/series index c4473d3cd74..989c4e0bfc4 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -1,3 +1,36 @@ usb-dwc3-qcom-fix-memory-leak-in-dwc3_qcom_interconn.patch cifs-fix-oops-during-encryption.patch revert-selftests-bpf-add-test-for-unstable-ct-lookup.patch +nvme-pci-fix-doorbell-buffer-value-endianness.patch +nvme-pci-fix-mempool-alloc-size.patch +nvme-pci-fix-page-size-checks.patch +acpi-resource-skip-irq-override-on-asus-vivobook-k34.patch +acpi-resource-do-irq-override-on-lenovo-ideapad.patch +acpi-resource-do-irq-override-on-xmg-core-15.patch +acpi-resource-do-irq-override-on-lenovo-14alc7.patch +block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch +ata-ahci-fix-pcs-quirk-application-for-suspend.patch +nvme-fix-the-nvme_cmd_effects_cse_mask-definition.patch +nvmet-don-t-defer-passthrough-commands-with-trivial-.patch +fs-ntfs3-validate-boot-record_size.patch +fs-ntfs3-add-overflow-check-for-attribute-size.patch +fs-ntfs3-validate-data-run-offset.patch +fs-ntfs3-add-null-pointer-check-to-attr_load_runs_vc.patch +fs-ntfs3-fix-memory-leak-on-ntfs_fill_super-error-pa.patch +fs-ntfs3-add-null-pointer-check-for-inode-operations.patch +fs-ntfs3-validate-attribute-name-offset.patch +fs-ntfs3-validate-buffer-length-while-parsing-index.patch +fs-ntfs3-validate-resident-attribute-name.patch +fs-ntfs3-fix-slab-out-of-bounds-read-in-run_unpack.patch +soundwire-dmi-quirks-add-quirk-variant-for-lapbc710-.patch +fs-ntfs3-validate-index-root-when-initialize-ntfs-se.patch +fs-ntfs3-use-__gfp_nowarn-allocation-at-wnd_init.patch +fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_fill_su.patch +fs-ntfs3-delete-duplicate-condition-in-ntfs_read_mft.patch +fs-ntfs3-fix-slab-out-of-bounds-in-r_page.patch +objtool-fix-segfault.patch +powerpc-rtas-avoid-device-tree-lookups-in-rtas_os_te.patch +powerpc-rtas-avoid-scheduling-in-rtas_os_term.patch +powerpc-msi-fix-deassociation-of-msi-descriptors.patch +hid-multitouch-fix-asus-expertbook-p2-p2451fa-trackp.patch +hid-plantronics-additional-pids-for-double-volume-ke.patch diff --git a/queue-5.15/soundwire-dmi-quirks-add-quirk-variant-for-lapbc710-.patch b/queue-5.15/soundwire-dmi-quirks-add-quirk-variant-for-lapbc710-.patch new file mode 100644 index 00000000000..f9a9b6940b8 --- /dev/null +++ b/queue-5.15/soundwire-dmi-quirks-add-quirk-variant-for-lapbc710-.patch @@ -0,0 +1,45 @@ +From 223d42f20c1088b6358d1959029cacf1d2a1dbfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 09:25:00 +0800 +Subject: soundwire: dmi-quirks: add quirk variant for LAPBC710 NUC15 + +From: Pierre-Louis Bossart + +[ Upstream commit f74495761df10c25a98256d16ea7465191b6e2cd ] + +Some NUC15 LAPBC710 devices don't expose the same DMI information as +the Intel reference, add additional entry in the match table. + +BugLink: https://github.com/thesofproject/linux/issues/3885 +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Signed-off-by: Bard Liao +Link: https://lore.kernel.org/r/20221018012500.1592994-1-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/dmi-quirks.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/soundwire/dmi-quirks.c b/drivers/soundwire/dmi-quirks.c +index 747983743a14..2bf534632f64 100644 +--- a/drivers/soundwire/dmi-quirks.c ++++ b/drivers/soundwire/dmi-quirks.c +@@ -71,6 +71,14 @@ static const struct dmi_system_id adr_remap_quirk_table[] = { + }, + .driver_data = (void *)intel_tgl_bios, + }, ++ { ++ /* quirk used for NUC15 LAPBC710 skew */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_BOARD_NAME, "LAPBC710"), ++ }, ++ .driver_data = (void *)intel_tgl_bios, ++ }, + { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc"), +-- +2.35.1 +