From: Greg Kroah-Hartman Date: Wed, 4 Jan 2023 14:47:01 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v6.1.4~45 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9cbf2a295d7ae94e6d4dad90244d4bf00c59648c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: crypto-n2-add-missing-hash-statesize.patch device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch drm-connector-send-hotplug-uevent-on-connector-cleanup.patch drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch parisc-led-fix-potential-null-ptr-deref-in-start_task.patch pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch pci-sysfs-fix-double-free-in-error-path.patch --- diff --git a/queue-4.19/crypto-n2-add-missing-hash-statesize.patch b/queue-4.19/crypto-n2-add-missing-hash-statesize.patch new file mode 100644 index 00000000000..e0e306524c6 --- /dev/null +++ b/queue-4.19/crypto-n2-add-missing-hash-statesize.patch 
@@ -0,0 +1,74 @@ +From 76a4e874593543a2dff91d249c95bac728df2774 Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Thu, 6 Oct 2022 04:34:19 +0000 +Subject: crypto: n2 - add missing hash statesize + +From: Corentin Labbe + +commit 76a4e874593543a2dff91d249c95bac728df2774 upstream. + +Add missing statesize to hash templates. +This is mandatory otherwise no algorithms can be registered as the core +requires statesize to be set. + +CC: stable@kernel.org # 4.3+ +Reported-by: Rolf Eike Beer +Tested-by: Rolf Eike Beer +Fixes: 0a625fd2abaa ("crypto: n2 - Add Niagara2 crypto driver") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/n2_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/crypto/n2_core.c ++++ b/drivers/crypto/n2_core.c +@@ -1286,6 +1286,7 @@ struct n2_hash_tmpl { + const u32 *hash_init; + u8 hw_op_hashsz; + u8 digest_size; ++ u8 statesize; + u8 block_size; + u8 auth_type; + u8 hmac_type; +@@ -1317,6 +1318,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_HMAC_MD5, + .hw_op_hashsz = MD5_DIGEST_SIZE, + .digest_size = MD5_DIGEST_SIZE, ++ .statesize = sizeof(struct md5_state), + .block_size = MD5_HMAC_BLOCK_SIZE }, + { .name = "sha1", + .hash_zero = sha1_zero_message_hash, +@@ -1325,6 +1327,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_HMAC_SHA1, + .hw_op_hashsz = SHA1_DIGEST_SIZE, + .digest_size = SHA1_DIGEST_SIZE, ++ .statesize = sizeof(struct sha1_state), + .block_size = SHA1_BLOCK_SIZE }, + { .name = "sha256", + .hash_zero = sha256_zero_message_hash, +@@ -1333,6 +1336,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_HMAC_SHA256, + .hw_op_hashsz = SHA256_DIGEST_SIZE, + .digest_size = SHA256_DIGEST_SIZE, ++ .statesize = sizeof(struct sha256_state), + .block_size = SHA256_BLOCK_SIZE }, + { .name = "sha224", + .hash_zero = sha224_zero_message_hash, +@@ -1341,6 +1345,7 @@ static const struct n2_hash_tmpl hash_tm 
+ .hmac_type = AUTH_TYPE_RESERVED, + .hw_op_hashsz = SHA256_DIGEST_SIZE, + .digest_size = SHA224_DIGEST_SIZE, ++ .statesize = sizeof(struct sha256_state), + .block_size = SHA224_BLOCK_SIZE }, + }; + #define NUM_HASH_TMPLS ARRAY_SIZE(hash_tmpls) +@@ -1482,6 +1487,7 @@ static int __n2_register_one_ahash(const + + halg = &ahash->halg; + halg->digestsize = tmpl->digest_size; ++ halg->statesize = tmpl->statesize; + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", tmpl->name); diff --git a/queue-4.19/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch b/queue-4.19/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch new file mode 100644 index 00000000000..c3f4e97d525 --- /dev/null +++ b/queue-4.19/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch 
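Review bot: The new `statesize` member of `struct n2_hash_tmpl` is a `u8`, so the `.statesize = sizeof(struct sha256_state)` initializers are silently narrowed; the three state structs used here are around 100 bytes and fit, but a template with a larger state would wrap and register an undersized statesize with no diagnostic. A compile-time guard where the value is consumed, e.g. `BUILD_BUG_ON(sizeof(struct sha256_state) > U8_MAX);` in `__n2_register_one_ahash()`, or widening the field to `unsigned int`, makes the limit explicit. The HMAC variants are registered by a separate helper outside this hunk; I assume it copies the base ahash and so inherits `halg->statesize`, but that is worth confirming since the core rejects a zero statesize.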
@@ -0,0 +1,95 @@ +From e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f Mon Sep 17 00:00:00 2001 +From: Wang Weiyang +Date: Tue, 25 Oct 2022 19:31:01 +0800 +Subject: device_cgroup: Roll back to original exceptions after copy failure + +From: Wang Weiyang + +commit e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f upstream. + +When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's +exceptions will be cleaned and A's behavior is changed to +DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's +whitelist. If copy failure occurs, just return leaving A to grant +permissions to all devices. And A may grant more permissions than +parent. + +Backup A's whitelist and recover original exceptions after copy +failure. + +Cc: stable@vger.kernel.org +Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior") +Signed-off-by: Wang Weiyang +Reviewed-by: Aristeu Rozanski +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/device_cgroup.c | 33 +++++++++++++++++++++++++++++---- + 1 file changed, 29 insertions(+), 4 deletions(-) + +--- a/security/device_cgroup.c ++++ b/security/device_cgroup.c +@@ -79,6 +79,17 @@ free_and_exit: + return -ENOMEM; + } + ++static void dev_exceptions_move(struct list_head *dest, struct list_head *orig) ++{ ++ struct dev_exception_item *ex, *tmp; ++ ++ lockdep_assert_held(&devcgroup_mutex); ++ ++ list_for_each_entry_safe(ex, tmp, orig, list) { ++ list_move_tail(&ex->list, dest); ++ } ++} ++ + /* + * called under devcgroup_mutex + */ +@@ -600,11 +611,13 @@ static int devcgroup_update_access(struc + int count, rc = 0; + struct dev_exception_item ex; + struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent); ++ struct dev_cgroup tmp_devcgrp; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + + memset(&ex, 0, sizeof(ex)); ++ memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp)); + b = buffer; + + switch (*b) { +@@ -616,15 +629,27 @@ static int devcgroup_update_access(struc + + if 
(!may_allow_all(parent)) + return -EPERM; +- dev_exception_clean(devcgroup); +- devcgroup->behavior = DEVCG_DEFAULT_ALLOW; +- if (!parent) ++ if (!parent) { ++ devcgroup->behavior = DEVCG_DEFAULT_ALLOW; ++ dev_exception_clean(devcgroup); + break; ++ } + ++ INIT_LIST_HEAD(&tmp_devcgrp.exceptions); ++ rc = dev_exceptions_copy(&tmp_devcgrp.exceptions, ++ &devcgroup->exceptions); ++ if (rc) ++ return rc; ++ dev_exception_clean(devcgroup); + rc = dev_exceptions_copy(&devcgroup->exceptions, + &parent->exceptions); +- if (rc) ++ if (rc) { ++ dev_exceptions_move(&devcgroup->exceptions, ++ &tmp_devcgrp.exceptions); + return rc; ++ } ++ devcgroup->behavior = DEVCG_DEFAULT_ALLOW; ++ dev_exception_clean(&tmp_devcgrp); + break; + case DEVCG_DENY: + if (css_has_online_children(&devcgroup->css)) diff --git a/queue-4.19/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch b/queue-4.19/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch new file mode 100644 index 00000000000..c8f83edec5d --- /dev/null +++ b/queue-4.19/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch 
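Review bot: The rollback sequence in the DEVCG_ALLOW branch of `devcgroup_update_access()` carries no comment, and its ordering is the whole fix: the current exceptions are saved into `tmp_devcgrp` before `dev_exception_clean()`, the parent's list is copied, and only on success is `behavior` switched to DEVCG_DEFAULT_ALLOW and the backup released. A short comment above `INIT_LIST_HEAD(&tmp_devcgrp.exceptions);` saying that a copy failure must leave the cgroup with its original behavior and exception list, which is why the backup is taken first and restored with `dev_exceptions_move()`, would keep a later cleanup from reordering it. The `memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp))` zeroes a whole `struct dev_cgroup` on the stack although only its `exceptions` list is used; that is harmless but deserves a word, since the struct is there only so `dev_exception_clean()` can take it. The enclosing function starts before this hunk.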
@@ -0,0 +1,59 @@ +From 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc Mon Sep 17 00:00:00 2001 +From: Simon Ser +Date: Mon, 17 Oct 2022 15:32:01 +0000 +Subject: drm/connector: send hotplug uevent on connector cleanup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Simon Ser + +commit 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc upstream. + +A typical DP-MST unplug removes a KMS connector. However care must +be taken to properly synchronize with user-space. The expected +sequence of events is the following: + +1. The kernel notices that the DP-MST port is gone. +2. The kernel marks the connector as disconnected, then sends a + uevent to make user-space re-scan the connector list. +3. User-space notices the connector goes from connected to disconnected, + disables it. +4. Kernel handles the IOCTL disabling the connector. On success, + the very last reference to the struct drm_connector is dropped and + drm_connector_cleanup() is called. +5. The connector is removed from the list, and a uevent is sent to tell + user-space that the connector disappeared. + +The very last step was missing. As a result, user-space thought the +connector still existed and could try to disable it again. Since the +kernel no longer knows about the connector, that would end up with +EINVAL and confused user-space. + +Fix this by sending a hotplug uevent from drm_connector_cleanup(). 
+ +Signed-off-by: Simon Ser +Cc: stable@vger.kernel.org +Cc: Daniel Vetter +Cc: Lyude Paul +Cc: Jonas Ådahl +Tested-by: Jonas Ådahl +Reviewed-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20221017153150.60675-2-contact@emersion.fr +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_connector.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/drm_connector.c ++++ b/drivers/gpu/drm/drm_connector.c +@@ -413,6 +413,9 @@ void drm_connector_cleanup(struct drm_co + mutex_destroy(&connector->mutex); + + memset(connector, 0, sizeof(*connector)); ++ ++ if (dev->registered) ++ drm_sysfs_hotplug_event(dev); + } + EXPORT_SYMBOL(drm_connector_cleanup); + diff --git a/queue-4.19/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch b/queue-4.19/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch new file mode 100644 index 00000000000..50d0568e01f --- /dev/null +++ b/queue-4.19/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch 
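Review bot: The new uevent is sent after `memset(connector, 0, sizeof(*connector))`, so `dev` must be a local captured from the connector before the memset; that capture is outside the hunk and the new lines should say they depend on it, e.g. `/* dev was saved before the memset above; connector is gone now */`. The kerneldoc of `drm_connector_cleanup()` (also outside the hunk) should document the new side effect, along the lines of `Emits a hotplug uevent once the connector is gone so userspace re-scans the connector list; skipped while the device is not registered.` `drm_sysfs_hotplug_event()` allocates for the uevent; cleanup already frees memory and destroys a mutex, so this is presumably already a sleeping context, but that is worth confirming for every caller.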
@@ -0,0 +1,37 @@ +From 4cf949c7fafe21e085a4ee386bb2dade9067316e Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Tue, 25 Oct 2022 23:19:35 -0400 +Subject: drm/vmwgfx: Validate the box size for the snooped cursor + +From: Zack Rusin + +commit 4cf949c7fafe21e085a4ee386bb2dade9067316e upstream. + +Invalid userspace dma surface copies could potentially overflow +the memcpy from the surface to the snooped image leading to crashes. +To fix it the dimensions of the copybox have to be validated +against the expected size of the snooped cursor. + +Signed-off-by: Zack Rusin +Fixes: 2ac863719e51 ("vmwgfx: Snoop DMA transfers with non-covering sizes") +Cc: # v3.2+ +Reviewed-by: Michael Banack +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20221026031936.1004280-1-zack@kde.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -179,7 +179,8 @@ void vmw_kms_cursor_snoop(struct vmw_sur + if (cmd->dma.guest.ptr.offset % PAGE_SIZE || + box->x != 0 || box->y != 0 || box->z != 0 || + box->srcx != 0 || box->srcy != 0 || box->srcz != 0 || +- box->d != 1 || box_count != 1) { ++ box->d != 1 || box_count != 1 || ++ box->w > 64 || box->h > 64) { + /* TODO handle none page aligned offsets */ + /* TODO handle more dst & src != 0 */ + /* TODO handle more then one copy */ diff --git a/queue-4.19/ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch b/queue-4.19/ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch new file mode 100644 index 00000000000..1ff6e2d19c1 --- /dev/null +++ b/queue-4.19/ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch 
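Review bot: The new bound `box->w > 64 || box->h > 64` hard-codes the snooped cursor dimensions twice with nothing tying them to the buffer the later memcpy fills; a named constant for the cursor side, or a `sizeof`-derived value if the snooped image is declared as a fixed array outside the hunk, would make the relation self-checking. The upper-bound-only test is sufficient only if `box->w` and `box->h` are unsigned (the SVGA3dCopyBox fields are, to my recollection — verify), otherwise negative values would pass. The hunk shows only the condition; the memcpy it protects and the rest of `vmw_kms_cursor_snoop()` lie outside it.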
@@ -0,0 +1,39 @@ +From 11220db412edae8dba58853238f53258268bdb88 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Thu, 3 Nov 2022 00:09:49 +0800 +Subject: ima: Fix a potential NULL pointer access in ima_restore_measurement_list + +From: Huaxin Lu + +commit 11220db412edae8dba58853238f53258268bdb88 upstream. + +In restore_template_fmt, when kstrdup fails, a non-NULL value will still be +returned, which causes a NULL pointer access in template_desc_init_fields. + +Fixes: c7d09367702e ("ima: support restoring multiple template formats") +Cc: stable@kernel.org +Co-developed-by: Jiaming Li +Signed-off-by: Jiaming Li +Signed-off-by: Huaxin Lu +Reviewed-by: Stefan Berger +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_template.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/security/integrity/ima/ima_template.c ++++ b/security/integrity/ima/ima_template.c +@@ -266,8 +266,11 @@ static struct ima_template_desc *restore + + template_desc->name = ""; + template_desc->fmt = kstrdup(template_name, GFP_KERNEL); +- if (!template_desc->fmt) ++ if (!template_desc->fmt) { ++ kfree(template_desc); ++ template_desc = NULL; + goto out; ++ } + + spin_lock(&template_list); + list_add_tail_rcu(&template_desc->list, &defined_templates); diff --git a/queue-4.19/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch b/queue-4.19/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch new file mode 100644 index 00000000000..594bd4fe46b --- /dev/null +++ b/queue-4.19/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch 
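Review bot: The new failure path frees `template_desc` and lets `out` return NULL, but nothing in the hunk records that `restore_template_fmt()` now signals allocation failure with NULL, which its caller presumably has to treat as "no template"; a comment above the `kfree(template_desc);` line, `/* do not leave a half-built desc; caller checks for NULL */`, or a line in the function's header comment stating the NULL return, would pin that contract. The `out:` label and the function's signature are outside the hunk, so I cannot confirm what else `out` does with a NULL `template_desc`.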
@@ -0,0 +1,45 @@ +From 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf Mon Sep 17 00:00:00 2001 +From: Kim Phillips +Date: Mon, 19 Sep 2022 10:56:37 -0500 +Subject: iommu/amd: Fix ivrs_acpihid cmdline parsing code + +From: Kim Phillips + +commit 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf upstream. + +The second (UID) strcmp in acpi_dev_hid_uid_match considers +"0" and "00" different, which can prevent device registration. + +Have the AMD IOMMU driver's ivrs_acpihid parsing code remove +any leading zeroes to make the UID strcmp succeed. Now users +can safely specify "AMDxxxxx:00" or "AMDxxxxx:0" and expect +the same behaviour. + +Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter") +Signed-off-by: Kim Phillips +Cc: stable@vger.kernel.org +Cc: Suravee Suthikulpanit +Cc: Joerg Roedel +Link: https://lore.kernel.org/r/20220919155638.391481-1-kim.phillips@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd_iommu_init.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -2946,6 +2946,13 @@ static int __init parse_ivrs_acpihid(cha + return 1; + } + ++ /* ++ * Ignore leading zeroes after ':', so e.g., AMDI0095:00 ++ * will match AMDI0095:0 in the second strcmp in acpi_dev_hid_uid_match ++ */ ++ while (*uid == '0' && *(uid + 1)) ++ uid++; ++ + i = early_acpihid_map_size++; + memcpy(early_acpihid_map[i].hid, hid, strlen(hid)); + memcpy(early_acpihid_map[i].uid, uid, strlen(uid)); diff --git a/queue-4.19/ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch b/queue-4.19/ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch new file mode 100644 index 00000000000..b5ba7e11caf --- /dev/null +++ b/queue-4.19/ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch 
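Review bot: The leading-zero stripping is applied only to the command-line UID; the `strcmp` in `acpi_dev_hid_uid_match` that the new comment cites still compares the stored string verbatim against the firmware-provided `_UID`, so a platform whose `_UID` arrives as the string "00" would now fail to match where "AMDxxxxx:00" used to succeed. Unless `acpi_device_uid()` is known to return a canonical decimal string on the affected platforms, normalising at the comparison site (or a numeric compare when both sides parse as integers) would be more robust; please confirm which form the ACPI side produces. The loop `while (*uid == '0' && *(uid + 1)) uid++;` correctly keeps the final character, so "0" and "00" both become "0". The `memcpy(..., strlen(hid))` and `memcpy(..., strlen(uid))` context lines carry no bound of their own; whatever length checks precede them in `parse_ivrs_acpihid()` are outside the hunk.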
@@ -0,0 +1,94 @@ +From f6f1234d98cce69578bfac79df147a1f6660596c Mon Sep 17 00:00:00 2001 +From: Zhang Yuchen +Date: Fri, 7 Oct 2022 17:26:16 +0800 +Subject: ipmi: fix long wait in unload when IPMI disconnect + +From: Zhang Yuchen + +commit f6f1234d98cce69578bfac79df147a1f6660596c upstream. + +When fixing the problem mentioned in PATCH1, we also found +the following problem: + +If the IPMI is disconnected and in the sending process, the +uninstallation driver will be stuck for a long time. + +The main problem is that uninstalling the driver waits for curr_msg to +be sent or HOSED. After stopping tasklet, the only place to trigger the +timeout mechanism is the circular poll in shutdown_smi. + +The poll function delays 10us and calls smi_event_handler(smi_info,10). +Smi_event_handler deducts 10us from kcs->ibf_timeout. + +But the poll func is followed by schedule_timeout_uninterruptible(1). +The time consumed here is not counted in kcs->ibf_timeout. + +So when 10us is deducted from kcs->ibf_timeout, at least 1 jiffies has +actually passed. The waiting time has increased by more than a +hundredfold. + +Now instead of calling poll(). call smi_event_handler() directly and +calculate the elapsed time. + +For verification, you can directly use ebpf to check the kcs-> +ibf_timeout for each call to kcs_event() when IPMI is disconnected. +Decrement at normal rate before unloading. The decrement rate becomes +very slow after unloading. 
+ + $ bpftrace -e 'kprobe:kcs_event {printf("kcs->ibftimeout : %d\n", + *(arg0+584));}' + +Signed-off-by: Zhang Yuchen +Message-Id: <20221007092617.87597-3-zhangyuchen.lcr@bytedance.com> +Signed-off-by: Corey Minyard +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_si_intf.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -2187,6 +2187,20 @@ skip_fallback_noirq: + } + module_init(init_ipmi_si); + ++static void wait_msg_processed(struct smi_info *smi_info) ++{ ++ unsigned long jiffies_now; ++ long time_diff; ++ ++ while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) { ++ jiffies_now = jiffies; ++ time_diff = (((long)jiffies_now - (long)smi_info->last_timeout_jiffies) ++ * SI_USEC_PER_JIFFY); ++ smi_event_handler(smi_info, time_diff); ++ schedule_timeout_uninterruptible(1); ++ } ++} ++ + static void shutdown_smi(void *send_info) + { + struct smi_info *smi_info = send_info; +@@ -2221,16 +2235,13 @@ static void shutdown_smi(void *send_info + * in the BMC. Note that timers and CPU interrupts are off, + * so no need for locks. + */ +- while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) { +- poll(smi_info); +- schedule_timeout_uninterruptible(1); +- } ++ wait_msg_processed(smi_info); ++ + if (smi_info->handlers) + disable_si_irq(smi_info); +- while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) { +- poll(smi_info); +- schedule_timeout_uninterruptible(1); +- } ++ ++ wait_msg_processed(smi_info); ++ + if (smi_info->handlers) + smi_info->handlers->cleanup(smi_info->si_sm); + diff --git a/queue-4.19/ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch b/queue-4.19/ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch new file mode 100644 index 00000000000..64877420b7a --- /dev/null +++ b/queue-4.19/ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch 
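Review bot: In the new `wait_msg_processed()` the elapsed time is measured from `smi_info->last_timeout_jiffies`, but the loop never advances that field after the handler runs; unless `smi_event_handler()` updates it on every path (not visible here, and the "timers are off" comment in `shutdown_smi()` suggests the usual updater is idle), each iteration re-deducts the whole interval since the last update and the state machine's timeout is consumed far faster than real time. The timer path mirrors this computation and, as far as I recall, resets the stamp after the handler; doing the same here, `smi_info->last_timeout_jiffies = jiffies_now;` right after `smi_event_handler(smi_info, time_diff);`, makes the accounting per-iteration. The loop also has no overall cap, so a handler that never reaches SI_NORMAL still blocks the unload; that predates the change but a bounded wait may be worth a separate patch.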
@@ -0,0 +1,43 @@ +From a92ce570c81dc0feaeb12a429b4bc65686d17967 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 15 Nov 2022 16:17:43 +0300 +Subject: ipmi: fix use after free in _ipmi_destroy_user() + +From: Dan Carpenter + +commit a92ce570c81dc0feaeb12a429b4bc65686d17967 upstream. + +The intf_free() function frees the "intf" pointer so we cannot +dereference it again on the next line. + +Fixes: cbb79863fc31 ("ipmi: Don't allow device module unload when in use") +Signed-off-by: Dan Carpenter +Message-Id: +Cc: # 5.5+ +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_msghandler.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -1219,6 +1219,7 @@ static void _ipmi_destroy_user(struct ip + unsigned long flags; + struct cmd_rcvr *rcvr; + struct cmd_rcvr *rcvrs = NULL; ++ struct module *owner; + + if (!acquire_ipmi_user(user, &i)) { + /* +@@ -1278,8 +1279,9 @@ static void _ipmi_destroy_user(struct ip + kfree(rcvr); + } + ++ owner = intf->owner; + kref_put(&intf->refcount, intf_free); +- module_put(intf->owner); ++ module_put(owner); + } + + int ipmi_destroy_user(struct ipmi_user *user) diff --git a/queue-4.19/md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch b/queue-4.19/md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch new file mode 100644 index 00000000000..1b81b120f90 --- /dev/null +++ b/queue-4.19/md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch 
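Review bot: The capture `owner = intf->owner;` ahead of `kref_put(&intf->refcount, intf_free);` is the whole fix, but without a comment the next cleanup pass could fold it back into `module_put(intf->owner)`; a one-liner above the assignment, `/* kref_put() may free intf, so read owner first */`, protects it. `_ipmi_destroy_user()` begins outside the hunk, so I cannot see whether `intf` is touched anywhere else after the `kref_put`; any such use would need the same treatment.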
@@ -0,0 +1,99 @@ +From 4555211190798b6b6fa2c37667d175bf67945c78 Mon Sep 17 00:00:00 2001 +From: Florian-Ewald Mueller +Date: Tue, 25 Oct 2022 09:37:05 +0200 +Subject: md/bitmap: Fix bitmap chunk size overflow issues + +From: Florian-Ewald Mueller + +commit 4555211190798b6b6fa2c37667d175bf67945c78 upstream. + +- limit bitmap chunk size internal u64 variable to values not overflowing + the u32 bitmap superblock structure variable stored on persistent media +- assign bitmap chunk size internal u64 variable from unsigned values to + avoid possible sign extension artifacts when assigning from a s32 value + +The bug has been there since at least kernel 4.0. +Steps to reproduce it: +1: mdadm -C /dev/mdx -l 1 --bitmap=internal --bitmap-chunk=256M -e 1.2 +-n2 /dev/rnbd1 /dev/rnbd2 +2 resize member device rnbd1 and rnbd2 to 8 TB +3 mdadm --grow /dev/mdx --size=max + +The bitmap_chunksize will overflow without patch. + +Cc: stable@vger.kernel.org + +Signed-off-by: Florian-Ewald Mueller +Signed-off-by: Jack Wang +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md-bitmap.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -488,7 +488,7 @@ void md_bitmap_print_sb(struct bitmap *b + sb = kmap_atomic(bitmap->storage.sb_page); + pr_debug("%s: bitmap file superblock:\n", bmname(bitmap)); + pr_debug(" magic: %08x\n", le32_to_cpu(sb->magic)); +- pr_debug(" version: %d\n", le32_to_cpu(sb->version)); ++ pr_debug(" version: %u\n", le32_to_cpu(sb->version)); + pr_debug(" uuid: %08x.%08x.%08x.%08x\n", + le32_to_cpu(*(__u32 *)(sb->uuid+0)), + le32_to_cpu(*(__u32 *)(sb->uuid+4)), +@@ -499,11 +499,11 @@ void md_bitmap_print_sb(struct bitmap *b + pr_debug("events cleared: %llu\n", + (unsigned long long) le64_to_cpu(sb->events_cleared)); + pr_debug(" state: %08x\n", le32_to_cpu(sb->state)); +- pr_debug(" chunksize: %d B\n", le32_to_cpu(sb->chunksize)); +- pr_debug(" daemon 
sleep: %ds\n", le32_to_cpu(sb->daemon_sleep)); ++ pr_debug(" chunksize: %u B\n", le32_to_cpu(sb->chunksize)); ++ pr_debug(" daemon sleep: %us\n", le32_to_cpu(sb->daemon_sleep)); + pr_debug(" sync size: %llu KB\n", + (unsigned long long)le64_to_cpu(sb->sync_size)/2); +- pr_debug("max write behind: %d\n", le32_to_cpu(sb->write_behind)); ++ pr_debug("max write behind: %u\n", le32_to_cpu(sb->write_behind)); + kunmap_atomic(sb); + } + +@@ -2101,7 +2101,8 @@ int md_bitmap_resize(struct bitmap *bitm + bytes = DIV_ROUND_UP(chunks, 8); + if (!bitmap->mddev->bitmap_info.external) + bytes += sizeof(bitmap_super_t); +- } while (bytes > (space << 9)); ++ } while (bytes > (space << 9) && (chunkshift + BITMAP_BLOCK_SHIFT) < ++ (BITS_PER_BYTE * sizeof(((bitmap_super_t *)0)->chunksize) - 1)); + } else + chunkshift = ffz(~chunksize) - BITMAP_BLOCK_SHIFT; + +@@ -2146,7 +2147,7 @@ int md_bitmap_resize(struct bitmap *bitm + bitmap->counts.missing_pages = pages; + bitmap->counts.chunkshift = chunkshift; + bitmap->counts.chunks = chunks; +- bitmap->mddev->bitmap_info.chunksize = 1 << (chunkshift + ++ bitmap->mddev->bitmap_info.chunksize = 1UL << (chunkshift + + BITMAP_BLOCK_SHIFT); + + blocks = min(old_counts.chunks << old_counts.chunkshift, +@@ -2172,8 +2173,8 @@ int md_bitmap_resize(struct bitmap *bitm + bitmap->counts.missing_pages = old_counts.pages; + bitmap->counts.chunkshift = old_counts.chunkshift; + bitmap->counts.chunks = old_counts.chunks; +- bitmap->mddev->bitmap_info.chunksize = 1 << (old_counts.chunkshift + +- BITMAP_BLOCK_SHIFT); ++ bitmap->mddev->bitmap_info.chunksize = ++ 1UL << (old_counts.chunkshift + BITMAP_BLOCK_SHIFT); + blocks = old_counts.chunks << old_counts.chunkshift; + pr_warn("Could not pre-allocate in-memory bitmap for cluster raid\n"); + break; +@@ -2499,6 +2500,9 @@ chunksize_store(struct mddev *mddev, con + if (csize < 512 || + !is_power_of_2(csize)) + return -EINVAL; ++ if (BITS_PER_LONG > 32 && csize >= (1ULL << (BITS_PER_BYTE * ++ 
sizeof(((bitmap_super_t *)0)->chunksize)))) ++ return -EOVERFLOW; + mddev->bitmap_info.chunksize = csize; + return len; + } diff --git a/queue-4.19/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch b/queue-4.19/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch new file mode 100644 index 00000000000..11cf32b5998 --- /dev/null +++ b/queue-4.19/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch @@ -0,0 +1,42 @@ +From 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Thu, 17 Nov 2022 10:45:14 +0800 +Subject: parisc: led: Fix potential null-ptr-deref in start_task() + +From: Shang XiaoJing + +commit 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 upstream. + +start_task() calls create_singlethread_workqueue() and not checked the +ret value, which may return NULL. And a null-ptr-deref may happen: + +start_task() + create_singlethread_workqueue() # failed, led_wq is NULL + queue_delayed_work() + queue_delayed_work_on() + __queue_delayed_work() # warning here, but continue + __queue_work() # access wq->flags, null-ptr-deref + +Check the ret value and return -ENOMEM if it is NULL. + +Fixes: 3499495205a6 ("[PARISC] Use work queue in LED/LCD driver instead of tasklet.") +Signed-off-by: Shang XiaoJing +Signed-off-by: Helge Deller +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parisc/led.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/parisc/led.c ++++ b/drivers/parisc/led.c +@@ -141,6 +141,9 @@ static int start_task(void) + + /* Create the work queue and queue the LED task */ + led_wq = create_singlethread_workqueue("led_wq"); ++ if (!led_wq) ++ return -ENOMEM; ++ + queue_delayed_work(led_wq, &led_task, 0); + + return 0; diff --git a/queue-4.19/pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch b/queue-4.19/pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch new file mode 100644 index 00000000000..457869e2d72 --- /dev/null 
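Review bot: The `do … while` in `md_bitmap_resize()` now has a second exit condition, the chunksize-width bound, but when the loop stops on that bound `bytes > (space << 9)` still holds and the code goes on to size a bitmap that does not fit the available space; unless a later check outside the hunk catches this, a `return -EOVERFLOW` (or at least a `pr_warn`) after the loop when `bytes > (space << 9)` keeps the on-disk superblock consistent. The width expression `BITS_PER_BYTE * sizeof(((bitmap_super_t *)0)->chunksize)` is spelled out twice, here and in `chunksize_store()`; 4.19 has `FIELD_SIZEOF()` for exactly this, and a single named limit such as `#define BITMAP_CHUNKSIZE_BITS (BITS_PER_BYTE * FIELD_SIZEOF(bitmap_super_t, chunksize))` removes the null-pointer-cast idiom and keeps both sites in step.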
+++ b/queue-4.19/pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch 
@@ -0,0 +1,59 @@ +From 98b04dd0b4577894520493d96bc4623387767445 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Wed, 26 Oct 2022 02:11:21 -0400 +Subject: PCI: Fix pci_device_is_present() for VFs by checking PF + +From: Michael S. Tsirkin + +commit 98b04dd0b4577894520493d96bc4623387767445 upstream. + +pci_device_is_present() previously didn't work for VFs because it reads the +Vendor and Device ID, which are 0xffff for VFs, which looks like they +aren't present. Check the PF instead. + +Wei Gong reported that if virtio I/O is in progress when the driver is +unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O +operation hangs, which may result in output like this: + + task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002 + Call Trace: + schedule+0x4f/0xc0 + blk_mq_freeze_queue_wait+0x69/0xa0 + blk_mq_freeze_queue+0x1b/0x20 + blk_cleanup_queue+0x3d/0xd0 + virtblk_remove+0x3c/0xb0 [virtio_blk] + virtio_dev_remove+0x4b/0x80 + ... + device_unregister+0x1b/0x60 + unregister_virtio_device+0x18/0x30 + virtio_pci_remove+0x41/0x80 + pci_device_remove+0x3e/0xb0 + +This happened because pci_device_is_present(VF) returned "false" in +virtio_pci_remove(), so it called virtio_break_device(). The broken vq +meant that vring_interrupt() skipped the vq.callback() that would have +completed the virtio I/O operation via virtblk_done(). + +[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag] +Link: https://lore.kernel.org/r/20221026060912.173250-1-mst@redhat.com +Reported-by: Wei Gong +Tested-by: Wei Gong +Signed-off-by: Michael S. 
Tsirkin +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5815,6 +5815,8 @@ bool pci_device_is_present(struct pci_de + { + u32 v; + ++ /* Check PF if pdev is a VF, since VF Vendor/Device IDs are 0xffff */ ++ pdev = pci_physfn(pdev); + if (pci_dev_is_disconnected(pdev)) + return false; + return pci_bus_read_dev_vendor_id(pdev->bus, pdev->devfn, &v, 0); diff --git a/queue-4.19/pci-sysfs-fix-double-free-in-error-path.patch b/queue-4.19/pci-sysfs-fix-double-free-in-error-path.patch new file mode 100644 index 00000000000..d26f570fdd4 --- /dev/null +++ b/queue-4.19/pci-sysfs-fix-double-free-in-error-path.patch 
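Review bot: After `pdev = pci_physfn(pdev);` the `pci_dev_is_disconnected()` check runs on the PF, so a VF that is itself flagged disconnected while its PF is still present now reports as present; if that per-VF state matters to callers (the virtio remove path in the commit log among them), checking the VF first with `if (pci_dev_is_disconnected(pdev)) return false;` before the `pci_physfn()` line, and keeping the PF check after it, preserves both. Reassigning the parameter is fine in a two-line function, but a comment that `pdev` refers to the PF from here on keeps the intent visible. `pci_physfn()` returns its argument for a non-VF, so the non-SR-IOV path is unchanged.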
@@ -0,0 +1,58 @@ +From aa382ffa705bea9931ec92b6f3c70e1fdb372195 Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Tue, 8 Nov 2022 17:05:59 -0600 +Subject: PCI/sysfs: Fix double free in error path + +From: Sascha Hauer + +commit aa382ffa705bea9931ec92b6f3c70e1fdb372195 upstream. + +When pci_create_attr() fails, pci_remove_resource_files() is called which +will iterate over the res_attr[_wc] arrays and frees every non NULL entry. +To avoid a double free here set the array entry only after it's clear we +successfully initialized it. + +Fixes: b562ec8f74e4 ("PCI: Don't leak memory if sysfs_create_bin_file() fails") +Link: https://lore.kernel.org/r/20221007070735.GX986@pengutronix.de/ +Signed-off-by: Sascha Hauer +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-sysfs.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -1289,11 +1289,9 @@ static int pci_create_attr(struct pci_de + + sysfs_bin_attr_init(res_attr); + if (write_combine) { +- pdev->res_attr_wc[num] = res_attr; + sprintf(res_attr_name, "resource%d_wc", num); + res_attr->mmap = pci_mmap_resource_wc; + } else { +- pdev->res_attr[num] = res_attr; + sprintf(res_attr_name, "resource%d", num); + if (pci_resource_flags(pdev, num) & IORESOURCE_IO) { + res_attr->read = pci_read_resource_io; +@@ -1309,10 +1307,17 @@ static int pci_create_attr(struct pci_de + res_attr->size = pci_resource_len(pdev, num); + res_attr->private = (void *)(unsigned long)num; + retval = sysfs_create_bin_file(&pdev->dev.kobj, res_attr); +- if (retval) ++ if (retval) { + kfree(res_attr); ++ return retval; ++ } ++ ++ if (write_combine) ++ pdev->res_attr_wc[num] = res_attr; ++ else ++ pdev->res_attr[num] = res_attr; + +- return retval; ++ return 0; + } + + /** diff --git a/queue-4.19/series b/queue-4.19/series index 3ef6f98b018..4832ff00936 100644 --- a/queue-4.19/series 
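Review bot: Deferring `pdev->res_attr[num]` / `pdev->res_attr_wc[num]` until `sysfs_create_bin_file()` has succeeded is the fix, but the reason lives only in the commit message; a comment above the new `if (write_combine)` block, `/* publish only after success: the remove path frees every non-NULL entry */`, keeps the next reader from hoisting the assignment back to where the name is computed. The `sprintf(res_attr_name, "resource%d_wc", num)` context lines write into a buffer whose size is not visible here; that predates the change, but `snprintf` with the buffer length would cost nothing. `pci_create_attr()` starts outside the hunk.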
+++ b/queue-4.19/series
@@ -393,3 +393,15 @@ arm-9256-1-nwfpe-avoid-compiler-generated-__aeabi_uldivmod.patch
 media-dvb-core-fix-double-free-in-dvb_register_device.patch
 media-dvb-core-fix-uaf-due-to-refcount-races-at-releasing.patch
 cifs-fix-confusing-debug-message.patch
+md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch
+ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch
+ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch
+ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch
+pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch
+pci-sysfs-fix-double-free-in-error-path.patch
+crypto-n2-add-missing-hash-statesize.patch
+iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch
+parisc-led-fix-potential-null-ptr-deref-in-start_task.patch
+device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch
+drm-connector-send-hotplug-uevent-on-connector-cleanup.patch
+drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch