From: Greg Kroah-Hartman
Date: Mon, 2 Dec 2024 09:58:23 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v4.19.325~109
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b2cc975827345831db4827b4e76d879485e81d00;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
fs-ntfs3-fixed-overflow-check-in-mi_enum_attr.patch
mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch
ntfs3-add-bounds-checking-to-mi_enum_attr.patch
scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch
xfs-add-bounds-checking-to-xlog_recover_process_data.patch
---
diff --git a/queue-6.1/fs-ntfs3-fixed-overflow-check-in-mi_enum_attr.patch b/queue-6.1/fs-ntfs3-fixed-overflow-check-in-mi_enum_attr.patch
new file mode 100644
index 00000000000..d8456d2221d
--- /dev/null
+++ b/queue-6.1/fs-ntfs3-fixed-overflow-check-in-mi_enum_attr.patch
@@ -0,0 +1,27 @@
+From 652cfeb43d6b9aba5c7c4902bed7a7340df131fb Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov
+Date: Fri, 26 Jan 2024 11:14:31 +0300
+Subject: fs/ntfs3: Fixed overflow check in mi_enum_attr()
+
+From: Konstantin Komarov
+
+commit 652cfeb43d6b9aba5c7c4902bed7a7340df131fb upstream.
+
+Reported-by: Robert Morris
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/record.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ntfs3/record.c
++++ b/fs/ntfs3/record.c
+@@ -273,7 +273,7 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+ if (t16 > asize)
+ return NULL;
+
+- if (t16 + le32_to_cpu(attr->res.data_size) > asize)
++ if (le32_to_cpu(attr->res.data_size) > asize - t16)
+ return NULL;
+
+ if (attr->name_len &&
diff --git a/queue-6.1/mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch b/queue-6.1/mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch
new file mode 100644
index 00000000000..8f2bee54305
--- /dev/null
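Review bot: The new condition `le32_to_cpu(attr->res.data_size) > asize - t16` is wrap-free only because of the `if (t16 > asize) return NULL;` two lines above it, and nothing at the site says so; a one-line comment such as `/* t16 <= asize was checked above, so asize - t16 cannot wrap */` would keep a later reorder from silently reintroducing the overflow this patch removes. Both operands appear to be unsigned (a le32 value and a 16-bit offset), so the subtraction is well-defined once that ordering holds — confirm t16's declared type in record.c. mi_enum_attr() starts and ends outside the hunk.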
+++ b/queue-6.1/mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch 
@@ -0,0 +1,74 @@
+From a8bd68e4329f9a0ad1b878733e0f80be6a971649 Mon Sep 17 00:00:00 2001
+From: "Jason-JH.Lin"
+Date: Thu, 18 Jul 2024 22:17:04 +0800
+Subject: mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()
+
+From: Jason-JH.Lin
+
+commit a8bd68e4329f9a0ad1b878733e0f80be6a971649 upstream.
+
+When mtk-cmdq unbinds, a WARN_ON message with condition
+pm_runtime_get_sync() < 0 occurs.
+
+According to the call tracei below:
+ cmdq_mbox_shutdown
+ mbox_free_channel
+ mbox_controller_unregister
+ __devm_mbox_controller_unregister
+ ...
+
+The root cause can be deduced to be calling pm_runtime_get_sync() after
+calling pm_runtime_disable() as observed below:
+1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe()
+ to bind the cmdq device to the mbox_controller, so
+ devm_mbox_controller_unregister() will automatically unregister
+ the device bound to the mailbox controller when the device-managed
+ resource is removed. That means devm_mbox_controller_unregister()
+ and cmdq_mbox_shoutdown() will be called after cmdq_remove().
+2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after
+ devm_mbox_controller_register(), so that devm_pm_runtime_disable()
+ will be called after cmdq_remove(), but before
+ devm_mbox_controller_unregister().
+
+To fix this problem, cmdq_probe() needs to move
+devm_mbox_controller_register() after devm_pm_runtime_enable() to make
+devm_pm_runtime_disable() be called after
+devm_mbox_controller_unregister().
+
+Fixes: 623a6143a845 ("mailbox: mediatek: Add Mediatek CMDQ driver")
+Signed-off-by: Jason-JH.Lin
+Reviewed-by: AngeloGioacchino Del Regno
+Signed-off-by: Jassi Brar
+Signed-off-by: Bin Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mailbox/mtk-cmdq-mailbox.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/mailbox/mtk-cmdq-mailbox.c
++++ b/drivers/mailbox/mtk-cmdq-mailbox.c
+@@ -605,18 +605,18 @@ static int cmdq_probe(struct platform_de
+ cmdq->mbox.chans[i].con_priv = (void *)&cmdq->thread[i];
+ }
+
+- err = devm_mbox_controller_register(dev, &cmdq->mbox);
+- if (err < 0) {
+- dev_err(dev, "failed to register mailbox: %d\n", err);
+- return err;
+- }
+-
+ platform_set_drvdata(pdev, cmdq);
+
+ WARN_ON(clk_bulk_prepare(cmdq->gce_num, cmdq->clocks));
+
+ cmdq_init(cmdq);
+
++ err = devm_mbox_controller_register(dev, &cmdq->mbox);
++ if (err < 0) {
++ dev_err(dev, "failed to register mailbox: %d\n", err);
++ return err;
++ }
++
+ return 0;
+ }
+
diff --git a/queue-6.1/ntfs3-add-bounds-checking-to-mi_enum_attr.patch b/queue-6.1/ntfs3-add-bounds-checking-to-mi_enum_attr.patch
new file mode 100644
index 00000000000..c9e409423c7
--- /dev/null
+++ b/queue-6.1/ntfs3-add-bounds-checking-to-mi_enum_attr.patch
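Review bot: Moving devm_mbox_controller_register() to the end of cmdq_probe() means a registration failure now returns after `WARN_ON(clk_bulk_prepare(cmdq->gce_num, cmdq->clocks));` has already run, and the `return err;` in the relocated block does not undo that prepare, so the clocks stay prepared on the error path (before this change the failure happened before the prepare). Unless the prepare is released by a devm action not visible in this hunk, add `clk_bulk_unprepare(cmdq->gce_num, cmdq->clocks);` before `return err;` in the relocated block. Separately, the WARN_ON swallows a clk_bulk_prepare() failure instead of aborting probe, which is pre-existing but now sits directly in front of the only remaining error path. cmdq_probe() starts outside the hunk.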
@@ -0,0 +1,68 @@
+From 556bdf27c2dd5c74a9caacbe524b943a6cd42d99 Mon Sep 17 00:00:00 2001
+From: lei lu
+Date: Fri, 23 Aug 2024 21:39:44 +0800
+Subject: ntfs3: Add bounds checking to mi_enum_attr()
+
+From: lei lu
+
+commit 556bdf27c2dd5c74a9caacbe524b943a6cd42d99 upstream.
+
+Added bounds checking to make sure that every attr don't stray beyond
+valid memory region.
+
+Signed-off-by: lei lu
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Bin Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/record.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- a/fs/ntfs3/record.c
++++ b/fs/ntfs3/record.c
+@@ -217,28 +217,19 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+ prev_type = 0;
+ attr = Add2Ptr(rec, off);
+ } else {
+- /* Check if input attr inside record. */
++ /*
++ * We don't need to check previous attr here. There is
++ * a bounds checking in the previous round.
++ */
+ off = PtrOffset(rec, attr);
+- if (off >= used)
+- return NULL;
+
+ asize = le32_to_cpu(attr->size);
+- if (asize < SIZEOF_RESIDENT) {
+- /* Impossible 'cause we should not return such attribute. */
+- return NULL;
+- }
+-
+- /* Overflow check. */
+- if (off + asize < off)
+- return NULL;
+
+ prev_type = le32_to_cpu(attr->type);
+ attr = Add2Ptr(attr, asize);
+ off += asize;
+ }
+
+- asize = le32_to_cpu(attr->size);
+-
+ /* Can we use the first field (attr->type). */
+ if (off + 8 > used) {
+ static_assert(ALIGN(sizeof(enum ATTR_TYPE), 8) == 8);
+@@ -259,6 +250,12 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+ if (t32 < prev_type)
+ return NULL;
+
++ asize = le32_to_cpu(attr->size);
++ if (asize < SIZEOF_RESIDENT) {
++ /* Impossible 'cause we should not return such attribute. */
++ return NULL;
++ }
++
+ /* Check overflow and boundary. */
+ if (off + asize < off || off + asize > used)
+ return NULL;
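Review bot: The new comment `We don't need to check previous attr here. There is a bounds checking in the previous round.` turns a property of the record into a contract with the caller: the removed `if (off >= used) return NULL;` was the only check that an @attr argument obtained elsewhere actually lies inside the record, and with it gone correctness depends on every caller passing only a pointer this function returned for the same @mi. That precondition belongs in the function's kernel-doc (outside the hunk), e.g. `@attr: NULL to start, otherwise a pointer previously returned by this function for @mi; it is not re-validated here.` The per-round checks that remain — `off + 8 > used`, `asize < SIZEOF_RESIDENT`, `off + asize < off || off + asize > used` — are the whole defence against a crafted MFT record, which presumably comes straight from disk, so the contract is worth stating loudly. mi_enum_attr() starts and ends outside the hunk.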
diff --git a/queue-6.1/scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch b/queue-6.1/scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch
new file mode 100644
index 00000000000..9b5839ecd4c
--- /dev/null
+++ b/queue-6.1/scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch
@@ -0,0 +1,86 @@
+From 2be1d4f11944cd6283cb97268b3e17c4424945ca Mon Sep 17 00:00:00 2001
+From: Justin Tee
+Date: Fri, 26 Jul 2024 16:15:07 -0700
+Subject: scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths
+
+From: Justin Tee
+
+commit 2be1d4f11944cd6283cb97268b3e17c4424945ca upstream.
+
+When the HBA is undergoing a reset or is handling an errata event, NULL ptr
+dereference crashes may occur in routines such as
+lpfc_sli_flush_io_rings(), lpfc_dev_loss_tmo_callbk(), or
+lpfc_abort_handler().
+
+Add NULL ptr checks before dereferencing hdwq pointers that may have been
+freed due to operations colliding with a reset or errata event handler.
+
+Signed-off-by: Justin Tee
+Link: https://lore.kernel.org/r/20240726231512.92867-4-justintee8345@gmail.com
+Signed-off-by: Martin K. Petersen
+[Xiangyu: BP to fix CVE: CVE-2024-49891, no test_bit() conflict resolution]
+Signed-off-by: Xiangyu Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 3 ++-
+ drivers/scsi/lpfc/lpfc_scsi.c | 13 +++++++++++--
+ drivers/scsi/lpfc/lpfc_sli.c | 11 +++++++++++
+ 3 files changed, 24 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -177,7 +177,8 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport
+ /* Don't schedule a worker thread event if the vport is going down.
+ * The teardown process cleans up the node via lpfc_drop_node.
+ */
+- if (vport->load_flag & FC_UNLOADING) {
++ if ((vport->load_flag & FC_UNLOADING) ||
++ !(phba->hba_flag & HBA_SETUP)) {
+ ((struct lpfc_rport_data *)rport->dd_data)->pnode = NULL;
+ ndlp->rport = NULL;
+
+--- a/drivers/scsi/lpfc/lpfc_scsi.c
++++ b/drivers/scsi/lpfc/lpfc_scsi.c
+@@ -5554,11 +5554,20 @@ lpfc_abort_handler(struct scsi_cmnd *cmn
+
+ iocb = &lpfc_cmd->cur_iocbq;
+ if (phba->sli_rev == LPFC_SLI_REV4) {
+- pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
+- if (!pring_s4) {
++ /* if the io_wq & pring are gone, the port was reset. */
++ if (!phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq ||
++ !phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring) {
++ lpfc_printf_vlog(vport, KERN_WARNING, LOG_FCP,
++ "2877 SCSI Layer I/O Abort Request "
++ "IO CMPL Status x%x ID %d LUN %llu "
++ "HBA_SETUP %d\n", FAILED,
++ cmnd->device->id,
++ (u64)cmnd->device->lun,
++ (HBA_SETUP & phba->hba_flag));
+ ret = FAILED;
+ goto out_unlock_hba;
+ }
++ pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
+ spin_lock(&pring_s4->ring_lock);
+ }
+ /* the command is in process of being cancelled */
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -4668,6 +4668,17 @@ lpfc_sli_flush_io_rings(struct lpfc_hba
+ /* Look on all the FCP Rings for the iotag */
+ if (phba->sli_rev >= LPFC_SLI_REV4) {
+ for (i = 0; i < phba->cfg_hdw_queue; i++) {
++ if (!phba->sli4_hba.hdwq ||
++ !phba->sli4_hba.hdwq[i].io_wq) {
++ lpfc_printf_log(phba, KERN_ERR, LOG_SLI,
++ "7777 hdwq's deleted %lx "
++ "%lx %x %x\n",
++ (unsigned long)phba->pport->load_flag,
++ (unsigned long)phba->hba_flag,
++ phba->link_state,
++ phba->sli.sli_flag);
++ return;
++ }
+ pring = phba->sli4_hba.hdwq[i].io_wq->pring;
+
+ spin_lock_irq(&pring->ring_lock);
diff --git a/queue-6.1/series b/queue-6.1/series
index ec93b3ae119..a01f4fbe9a7 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
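Review bot: In lpfc_abort_handler() the new guard indexes `phba->sli4_hba.hdwq[iocb->hba_wqidx]` before anything has checked that `phba->sli4_hba.hdwq` itself is non-NULL, while the lpfc_sli_flush_io_rings() hunk in the same patch tests `!phba->sli4_hba.hdwq ||` first; if the array can be freed during the reset/errata handling the commit describes, the abort path still dereferences it. Make the two sites consistent: `if (!phba->sli4_hba.hdwq || !phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq || !phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring) {`. Both checks are also only as strong as whatever keeps the reset path from freeing hdwq between the test and the dereference a few lines later — presumably the lock released at out_unlock_hba in the abort handler, and nothing visible in the flush loop — so that serialization deserves a one-line comment at each site. All three functions start and end outside the hunk.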
@@ -342,3 +342,8 @@ staging-greybus-uart-fix-atomicity-violation-in-get_.patch
 alsa-hda-realtek-update-alc256-depop-procedure.patch
 apparmor-fix-do-simple-duplicate-message-elimination.patch
 asoc-amd-yc-fix-for-enabling-dmic-on-acp6x-via-_dsd-.patch
+mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch
+fs-ntfs3-fixed-overflow-check-in-mi_enum_attr.patch
+ntfs3-add-bounds-checking-to-mi_enum_attr.patch
+scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch
+xfs-add-bounds-checking-to-xlog_recover_process_data.patch
diff --git a/queue-6.1/xfs-add-bounds-checking-to-xlog_recover_process_data.patch b/queue-6.1/xfs-add-bounds-checking-to-xlog_recover_process_data.patch
new file mode 100644
index 00000000000..a88fed276f7
--- /dev/null
+++ b/queue-6.1/xfs-add-bounds-checking-to-xlog_recover_process_data.patch
@@ -0,0 +1,53 @@
+From fb63435b7c7dc112b1ae1baea5486e0a6e27b196 Mon Sep 17 00:00:00 2001
+From: lei lu
+Date: Mon, 3 Jun 2024 17:46:08 +0800
+Subject: xfs: add bounds checking to xlog_recover_process_data
+
+From: lei lu
+
+commit fb63435b7c7dc112b1ae1baea5486e0a6e27b196 upstream.
+
+There is a lack of verification of the space occupied by fixed members
+of xlog_op_header in the xlog_recover_process_data.
+
+We can create a crafted image to trigger an out of bounds read by
+following these steps:
+ 1) Mount an image of xfs, and do some file operations to leave records
+ 2) Before umounting, copy the image for subsequent steps to simulate
+ abnormal exit. Because umount will ensure that tail_blk and
+ head_blk are the same, which will result in the inability to enter
+ xlog_recover_process_data
+ 3) Write a tool to parse and modify the copied image in step 2
+ 4) Make the end of the xlog_op_header entries only 1 byte away from
+ xlog_rec_header->h_size
+ 5) xlog_rec_header->h_num_logops++
+ 6) Modify xlog_rec_header->h_crc
+
+Fix:
+Add a check to make sure there is sufficient space to access fixed members
+of xlog_op_header.
+
+Signed-off-by: lei lu
+Reviewed-by: Dave Chinner
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Chandan Babu R
+Signed-off-by: Bin Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_log_recover.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -2439,7 +2439,10 @@ xlog_recover_process_data(
+
+ ohead = (struct xlog_op_header *)dp;
+ dp += sizeof(*ohead);
+- ASSERT(dp <= end);
++ if (dp > end) {
++ xfs_warn(log->l_mp, "%s: op header overrun", __func__);
++ return -EFSCORRUPTED;
++ }
+
+ /* errors will abort recovery */
+ error = xlog_recover_process_ophdr(log, rhash, rhead, ohead,
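Review bot: The new guard still advances `dp += sizeof(*ohead);` first and only then tests `if (dp > end)`, so on a truncated record the pointer is formed past the buffer before it is rejected; testing the remaining space before the advance reads the same and never forms the out-of-range pointer: `if (end - dp < (ptrdiff_t)sizeof(*ohead)) { xfs_warn(log->l_mp, "%s: op header overrun", __func__); return -EFSCORRUPTED; }` followed by `dp += sizeof(*ohead);`. That ordering also rejects the case where dp is already past end on entry, which the current form only catches if the loop condition (outside the hunk) guarantees dp < end at the top of each iteration. The point is robustness rather than a functional bug in the current form, which is a clear improvement over the debug-only ASSERT it replaces. xlog_recover_process_data() starts and ends outside the hunk.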