From: Greg Kroah-Hartman
Date: Sun, 11 Dec 2022 09:57:27 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.9.336~23
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c70cd346dd0a521796c00a932fdf4221e2cf28d5;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
hid-hid-lg4ff-add-check-for-empty-lbuf.patch
kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch
media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch
---
diff --git a/queue-4.19/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch b/queue-4.19/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
new file mode 100644
index 00000000000..131c8459426
--- /dev/null
+++ b/queue-4.19/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
@@ -0,0 +1,72 @@
+From ec61b41918587be530398b0d1c9a0d16619397e5 Mon Sep 17 00:00:00 2001
+From: ZhangPeng
+Date: Wed, 16 Nov 2022 07:14:28 +0000
+Subject: HID: core: fix shift-out-of-bounds in hid_report_raw_event
+
+From: ZhangPeng
+
+commit ec61b41918587be530398b0d1c9a0d16619397e5 upstream.
+
+Syzbot reported shift-out-of-bounds in hid_report_raw_event.
+
+microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
+32! (swapper/0)
+======================================================================
+UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
+shift exponent 127 is too large for 32-bit type 'int'
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted
+6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
+Hardware name: Google Compute Engine/Google Compute Engine, BIOS
+Google 10/26/2022
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
+ ubsan_epilogue lib/ubsan.c:151 [inline]
+ __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
+ snto32 drivers/hid/hid-core.c:1323 [inline]
+ hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
+ hid_process_report drivers/hid/hid-core.c:1665 [inline]
+ hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
+ hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
+ hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
+ __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
+ dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
+ call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
+ expire_timers kernel/time/timer.c:1519 [inline]
+ __run_timers+0x76a/0x980 kernel/time/timer.c:1790
+ run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
+ __do_softirq+0x277/0x75b kernel/softirq.c:571
+ __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
+ irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
+ sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
+======================================================================
+
+If the size of the integer (unsigned n) is bigger than 32 in snto32(),
+shift exponent will be too large for 32-bit type 'int', resulting in a
+shift-out-of-bounds bug.
+Fix this by adding a check on the size of the integer (unsigned n) in
+snto32(). To add support for n greater than 32 bits, set n to 32, if n
+is greater than 32.
+
+Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
+Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
+Signed-off-by: ZhangPeng
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1131,6 +1131,9 @@ static s32 snto32(__u32 value, unsigned
+ if (!value || !n)
+ return 0;
+
++ if (n > 32)
++ n = 32;
++
+ switch (n) {
+ case 8: return ((__s8)value);
+ case 16: return ((__s16)value);
diff --git a/queue-4.19/hid-hid-lg4ff-add-check-for-empty-lbuf.patch b/queue-4.19/hid-hid-lg4ff-add-check-for-empty-lbuf.patch
new file mode 100644
index 00000000000..797c426fd54
--- /dev/null
+++ b/queue-4.19/hid-hid-lg4ff-add-check-for-empty-lbuf.patch
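Review bot: The clamp `if (n > 32) n = 32;` silently rewrites an over-wide field size taken from the device's report descriptor instead of rejecting it, and nothing near it says why that is the intended outcome; with n forced to 32 the switch's `case 32` returns `(__s32)value`, which is well-defined, but a reader of snto32() has to reconstruct that. The UBSAN report in this patch points at the sign-extension shift in snto32() (hid-core.c:1323), which lies below the visible `case 16` line and outside the hunk, so the comment should state what the clamp protects: `/* Fields wider than 32 bits cannot be represented; clamp so the sign-extension shift below stays in range (hid_field_extract() already warns about such fields) */`. Whether hid_field_extract() also truncates the value to 32 bits is not visible here and is worth confirming before wording the comment that way.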
@@ -0,0 +1,37 @@
+From d180b6496143cd360c5d5f58ae4b9a8229c1f344 Mon Sep 17 00:00:00 2001
+From: Anastasia Belova
+Date: Fri, 11 Nov 2022 15:55:11 +0300
+Subject: HID: hid-lg4ff: Add check for empty lbuf
+
+From: Anastasia Belova
+
+commit d180b6496143cd360c5d5f58ae4b9a8229c1f344 upstream.
+
+If an empty buf is received, lbuf is also empty. So lbuf is
+accessed by index -1.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: f31a2de3fe36 ("HID: hid-lg4ff: Allow switching of Logitech gaming wheels between compatibility modes")
+Signed-off-by: Anastasia Belova
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-lg4ff.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-lg4ff.c
++++ b/drivers/hid/hid-lg4ff.c
+@@ -878,6 +878,12 @@ static ssize_t lg4ff_alternate_modes_sto
+ return -ENOMEM;
+
+ i = strlen(lbuf);
++
++ if (i == 0) {
++ kfree(lbuf);
++ return -EINVAL;
++ }
++
+ if (lbuf[i-1] == '\n') {
+ if (i == 1) {
+ kfree(lbuf);
diff --git a/queue-4.19/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch b/queue-4.19/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch
new file mode 100644
index 00000000000..8a14f9f26f0
--- /dev/null
+++ b/queue-4.19/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch
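Review bot: The new `if (i == 0)` block repeats the `kfree(lbuf); return -EINVAL;` cleanup that the existing `if (i == 1)` branch a few lines below already performs for the newline-only input, so "no mode name given" is now rejected on two separate paths with identical bodies. Stripping the trailing newline first and rejecting once would fold them: `if (i && lbuf[i - 1] == '\n') lbuf[--i] = '\0';` followed by `if (i == 0) { kfree(lbuf); return -EINVAL; }`, after which the nested `i == 1` check can go. Keeping the backport identical to upstream is a reasonable choice for a stable tree; if so, a short comment on the new block (`/* empty write: nothing to parse */`) would at least tell the reader it is intentional. The enclosing lg4ff_alternate_modes_store() begins and ends outside the hunk.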
@@ -0,0 +1,48 @@
+From 0dd4cdccdab3d74bd86b868768a7dca216bcce7e Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Wed, 23 Nov 2022 10:08:33 +0100
+Subject: KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field
+
+From: Thomas Huth
+
+commit 0dd4cdccdab3d74bd86b868768a7dca216bcce7e upstream.
+
+We recently experienced some weird huge time jumps in nested guests when
+rebooting them in certain cases. After adding some debug code to the epoch
+handling in vsie.c (thanks to David Hildenbrand for the idea!), it was
+obvious that the "epdx" field (the multi-epoch extension) did not get set
+to 0xff in case the "epoch" field was negative.
+Seems like the code misses to copy the value from the epdx field from
+the guest to the shadow control block. By doing so, the weird time
+jumps are gone in our scenarios.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2140899
+Fixes: 8fa1696ea781 ("KVM: s390: Multiple Epoch Facility support")
+Signed-off-by: Thomas Huth
+Reviewed-by: Christian Borntraeger
+Acked-by: David Hildenbrand
+Reviewed-by: Claudio Imbrenda
+Reviewed-by: Janosch Frank
+Cc: stable@vger.kernel.org # 4.19+
+Link: https://lore.kernel.org/r/20221123090833.292938-1-thuth@redhat.com
+Message-Id: <20221123090833.292938-1-thuth@redhat.com>
+Signed-off-by: Janosch Frank
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/kvm/vsie.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/vsie.c
++++ b/arch/s390/kvm/vsie.c
+@@ -376,8 +376,10 @@ static int shadow_scb(struct kvm_vcpu *v
+ if (test_kvm_cpu_feat(vcpu->kvm, KVM_S390_VM_CPU_FEAT_CEI))
+ scb_s->eca |= scb_o->eca & ECA_CEI;
+ /* Epoch Extension */
+- if (test_kvm_facility(vcpu->kvm, 139))
++ if (test_kvm_facility(vcpu->kvm, 139)) {
+ scb_s->ecd |= scb_o->ecd & ECD_MEF;
++ scb_s->epdx = scb_o->epdx;
++ }
+
+ /* etoken */
+ if (test_kvm_facility(vcpu->kvm, 156))
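Review bot: `scb_s->epdx = scb_o->epdx;` copies the guest-supplied value whenever facility 139 is available, independent of whether `scb_o->ecd` actually carries ECD_MEF, and the existing `/* Epoch Extension */` comment does not record why the copy is required or what its absence broke. The commit message explains it — without the copy epdx stayed unset while the epoch was negative — so I would extend the comment to `/* Epoch Extension: epdx must be shadowed together with ECD_MEF, otherwise a negative guest epoch gets a wrong extension */`. Whether a stale epdx matters when ECD_MEF is clear is not visible in the hunk; presumably it is ignored in that case, but it is worth confirming against the epoch handling elsewhere in vsie.c. shadow_scb() begins and ends outside the hunk.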
diff --git a/queue-4.19/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch b/queue-4.19/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
new file mode 100644
index 00000000000..22f3b1c3246
--- /dev/null
+++ b/queue-4.19/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
@@ -0,0 +1,70 @@
+From 5eef2141776da02772c44ec406d6871a790761ee Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Wed, 16 Nov 2022 15:07:22 +0000
+Subject: media: v4l2-dv-timings.c: fix too strict blanking sanity checks
+
+From: Hans Verkuil
+
+commit 5eef2141776da02772c44ec406d6871a790761ee upstream.
+
+Sanity checks were added to verify the v4l2_bt_timings blanking fields
+in order to avoid integer overflows when userspace passes weird values.
+
+But that assumed that userspace would correctly fill in the front porch,
+backporch and sync values, but sometimes all you know is the total
+blanking, which is then assigned to just one of these fields.
+
+And that can fail with these checks.
+
+So instead set a maximum for the total horizontal and vertical
+blanking and check that each field remains below that.
+
+That is still sufficient to avoid integer overflows, but it also
+allows for more flexibility in how userspace fills in these fields.
+
+Signed-off-by: Hans Verkuil
+Fixes: 4b6d66a45ed3 ("media: v4l2-dv-timings: add sanity checks for blanking values")
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/v4l2-core/v4l2-dv-timings.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -145,6 +145,8 @@ bool v4l2_valid_dv_timings(const struct
+ const struct v4l2_bt_timings *bt = &t->bt;
+ const struct v4l2_bt_timings_cap *cap = &dvcap->bt;
+ u32 caps = cap->capabilities;
++ const u32 max_vert = 10240;
++ u32 max_hor = 3 * bt->width;
+
+ if (t->type != V4L2_DV_BT_656_1120)
+ return false;
+@@ -166,14 +168,20 @@ bool v4l2_valid_dv_timings(const struct
+ if (!bt->interlaced &&
+ (bt->il_vbackporch || bt->il_vsync || bt->il_vfrontporch))
+ return false;
+- if (bt->hfrontporch > 2 * bt->width ||
+- bt->hsync > 1024 || bt->hbackporch > 1024)
++ /*
++ * Some video receivers cannot properly separate the 
frontporch,
++ * backporch and sync values, and instead they only have the total
++ * blanking. That can be assigned to any of these three fields.
++ * So just check that none of these are way out of range.
++ */
++ if (bt->hfrontporch > max_hor ||
++ bt->hsync > max_hor || bt->hbackporch > max_hor)
+ return false;
+- if (bt->vfrontporch > 4096 ||
+- bt->vsync > 128 || bt->vbackporch > 4096)
++ if (bt->vfrontporch > max_vert ||
++ bt->vsync > max_vert || bt->vbackporch > max_vert)
+ return false;
+- if (bt->interlaced && (bt->il_vfrontporch > 4096 ||
+- bt->il_vsync > 128 || bt->il_vbackporch > 4096))
++ if (bt->interlaced && (bt->il_vfrontporch > max_vert ||
++ bt->il_vsync > max_vert || bt->il_vbackporch > max_vert))
+ return false;
+ return fnc == NULL || fnc(t, fnc_handle);
+ }
diff --git a/queue-4.19/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch b/queue-4.19/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch
new file mode 100644
index 00000000000..97aa5a679b3
--- /dev/null
+++ b/queue-4.19/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch
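Review bot: `u32 max_hor = 3 * bt->width;` is computed at declaration time, before the `t->type` check and before the width is compared against the capability limits (that comparison is presumably in the lines between the two hunks, outside this view), so a userspace width above roughly 1.4 billion wraps max_hor to a small value. That is unsigned wrap rather than undefined behaviour, and max_hor is only read in the second hunk after those range checks, so a wrapped value should never be consulted; moving the initialization next to its first use, or annotating it with `/* width is bounded by cap->max_width before this is used */`, would make that ordering dependence explicit. The two limits are also bare numbers: a comment on `max_vert = 10240` saying it bounds the total blanking that a driver may report in a single field (the commit message's rationale) would help the next reader. v4l2_valid_dv_timings() starts outside the first hunk.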
@@ -0,0 +1,112 @@
+From 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Wed, 7 Dec 2022 16:53:15 -1000
+Subject: memcg: fix possible use-after-free in memcg_write_event_control()
+
+From: Tejun Heo
+
+commit 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 upstream.
+
+memcg_write_event_control() accesses the dentry->d_name of the specified
+control fd to route the write call. As a cgroup interface file can't be
+renamed, it's safe to access d_name as long as the specified file is a
+regular cgroup file. Also, as these cgroup interface files can't be
+removed before the directory, it's safe to access the parent too.
+
+Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
+call to __file_cft() which verified that the specified file is a regular
+cgroupfs file before further accesses. The cftype pointer returned from
+__file_cft() was no longer necessary and the commit inadvertently dropped
+the file type check with it allowing any file to slip through. With the
+invarients broken, the d_name and parent accesses can now race against
+renames and removals of arbitrary files and cause use-after-free's.
+
+Fix the bug by resurrecting the file type check in __file_cft(). Now that
+cgroupfs is implemented through kernfs, checking the file operations needs
+to go through a layer of indirection. Instead, let's check the superblock
+and dentry type. 
+
+Link: https://lkml.kernel.org/r/Y5FRm/cfcKPGzWwl@slm.duckdns.org
+Fixes: 347c4a874710 ("memcg: remove cgroup_event->cft")
+Signed-off-by: Tejun Heo
+Reported-by: Jann Horn
+Acked-by: Roman Gushchin
+Acked-by: Johannes Weiner
+Cc: Linus Torvalds
+Cc: Michal Hocko
+Cc: Muchun Song
+Cc: Shakeel Butt
+Cc: [3.14+]
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/cgroup.h | 1 +
+ kernel/cgroup/cgroup-internal.h | 1 -
+ mm/memcontrol.c | 15 +++++++++++++--
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/include/linux/cgroup.h
++++ b/include/linux/cgroup.h
+@@ -69,6 +69,7 @@ struct css_task_iter {
+ struct list_head iters_node; /* css_set->task_iters */
+ };
+
++extern struct file_system_type cgroup_fs_type;
+ extern struct cgroup_root cgrp_dfl_root;
+ extern struct css_set init_css_set;
+
+--- a/kernel/cgroup/cgroup-internal.h
++++ b/kernel/cgroup/cgroup-internal.h
+@@ -148,7 +148,6 @@ extern struct mutex cgroup_mutex;
+ extern spinlock_t css_set_lock;
+ extern struct cgroup_subsys *cgroup_subsys[];
+ extern struct list_head cgroup_roots;
+-extern struct file_system_type cgroup_fs_type;
+
+ /* iterate across the hierarchies */
+ #define for_each_root(root) \
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4120,6 +4120,7 @@ static ssize_t memcg_write_event_control
+ unsigned int efd, cfd;
+ struct fd efile;
+ struct fd cfile;
++ struct dentry *cdentry;
+ const char *name;
+ char *endp;
+ int ret;
+@@ -4171,6 +4172,16 @@ static ssize_t memcg_write_event_control
+ goto out_put_cfile;
+
+ /*
++ * The control file must be a regular cgroup1 file. As a regular cgroup
++ * file can't be renamed, it's safe to access its name afterwards.
++ */
++ cdentry = cfile.file->f_path.dentry;
++ if (cdentry->d_sb->s_type != &cgroup_fs_type || !d_is_reg(cdentry)) {
++ ret = -EINVAL;
++ goto out_put_cfile;
++ }
++
++ /*
+ * Determine the event callbacks and set them in @event. 
This used
+ * to be done via struct cftype but cgroup core no longer knows
+ * about these events. The following is crude but the whole thing
+@@ -4178,7 +4189,7 @@ static ssize_t memcg_write_event_control
+ *
+ * DO NOT ADD NEW FILES.
+ */
+- name = cfile.file->f_path.dentry->d_name.name;
++ name = cdentry->d_name.name;
+
+ if (!strcmp(name, "memory.usage_in_bytes")) {
+ event->register_event = mem_cgroup_usage_register_event;
+@@ -4202,7 +4213,7 @@ static ssize_t memcg_write_event_control
+ * automatically removed on cgroup destruction but the removal is
+ * asynchronous, so take an extra ref on @css.
+ */
+- cfile_css = css_tryget_online_from_dir(cfile.file->f_path.dentry->d_parent,
++ cfile_css = css_tryget_online_from_dir(cdentry->d_parent,
+ &memory_cgrp_subsys);
+ ret = -EINVAL;
+ if (IS_ERR(cfile_css))
diff --git a/queue-4.19/series b/queue-4.19/series
index 68975ff23ff..3489f792493 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -16,3 +16,8 @@ xen-netback-ensure-protocol-headers-don-t-fall-in-th.patch
 xen-netback-do-some-code-cleanup.patch
 xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch
 rcutorture-automatically-create-initrd-directory.patch
+media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
+memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch
+kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch
+hid-hid-lg4ff-add-check-for-empty-lbuf.patch
+hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
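Review bot: The comment added above the `cdentry->d_sb->s_type` check justifies only the `d_name` read that follows, but the same check is what makes the `cdentry->d_parent` dereference in the css_tryget_online_from_dir() call in the last mm/memcontrol.c hunk safe, and that access rests on a different invariant — the commit message's point that cgroup interface files cannot be removed before their directory. I would widen the comment to `* file can't be renamed or removed before its directory, it's safe to access its name and parent afterwards.` so both accesses are covered by the stated reasoning. Rejecting with -EINVAL before any d_name or d_parent use is the right ordering; the remaining out_put_cfile path and the start and end of memcg_write_event_control() are outside the hunks, so whether the new early exit drops every reference taken before it cannot be confirmed from here.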