From: Sasha Levin Date: Sun, 24 Nov 2024 14:13:04 +0000 (-0500) Subject: Fixes for 6.1 X-Git-Tag: v4.19.325~136 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cb65c069be7dc8b90f99076dc6b69a2033792fbd;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch b/queue-6.1/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch new file mode 100644 index 00000000000..abf709e35e2 --- /dev/null +++ b/queue-6.1/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch 
@@ -0,0 +1,60 @@ +From 74b8b80f0cd39c7157b13e2fdaef224434244f03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 14:44:10 +0100 +Subject: cifs: Fix buffer overflow when parsing NFS reparse points +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit e2a8910af01653c1c268984855629d71fb81f404 upstream. + +ReparseDataLength is sum of the InodeType size and DataBuffer size. +So to get DataBuffer size it is needed to subtract InodeType's size from +ReparseDataLength. + +Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer +at position after the end of the buffer because it does not subtract +InodeType size from the length. Fix this problem and correctly subtract +variable len. + +Member InodeType is present only when reparse buffer is large enough. Check +for ReparseDataLength before accessing InodeType to prevent another invalid +memory access. + +Major and minor rdev values are present also only when reparse buffer is +large enough. Check for reparse buffer size before calling reparse_mkdev(). 
+ +Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points") +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +[use variable name symlink_buf, the other buf->InodeType accesses are +not used in current version so skip] +Signed-off-by: Mahmoud Adam +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2ops.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c +index d1e5ff9a3cd39..fcfbc096924a8 100644 +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -2897,6 +2897,12 @@ parse_reparse_posix(struct reparse_posix_data *symlink_buf, + + /* See MS-FSCC 2.1.2.6 for the 'NFS' style reparse tags */ + len = le16_to_cpu(symlink_buf->ReparseDataLength); ++ if (len < sizeof(symlink_buf->InodeType)) { ++ cifs_dbg(VFS, "srv returned malformed nfs buffer\n"); ++ return -EIO; ++ } ++ ++ len -= sizeof(symlink_buf->InodeType); + + if (le64_to_cpu(symlink_buf->InodeType) != NFS_SPECFILE_LNK) { + cifs_dbg(VFS, "%lld not a supported symlink type\n", +-- +2.43.0 + diff --git a/queue-6.1/closures-change-bug_on-to-warn_on.patch b/queue-6.1/closures-change-bug_on-to-warn_on.patch new file mode 100644 index 00000000000..1319fa3b94b --- /dev/null +++ b/queue-6.1/closures-change-bug_on-to-warn_on.patch 
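Review bot: In the parse_reparse_posix() hunk of cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch, the new `if (len < sizeof(symlink_buf->InodeType))` check bounds `len` only against the fixed InodeType field; nothing in the visible context compares ReparseDataLength with the number of bytes actually returned by the server, so a response whose ReparseDataLength claims more than the ioctl delivered would still let the later cifs_strndup_from_utf16() call read past the received buffer. Either confirm that the caller already validates ReparseDataLength against the received output length before this function is entered, or add that comparison next to the new check. The backport note also states that the reparse_mkdev() size checks from the upstream changelog were skipped because those accesses are unused in 6.1; a short pointer to where the 6.1 parse_reparse_posix() ends would let a reader verify that no other DataBuffer-relative access remains unguarded.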
@@ -0,0 +1,95 @@ +From 6d6c38022f4268dc0ad9121718c768690110c2a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2024 14:46:07 +0800 +Subject: closures: Change BUG_ON() to WARN_ON() + +From: Kent Overstreet + +[ Upstream commit 339b84ab6b1d66900c27bd999271cb2ae40ce812 ] + +If a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON() + +For reference, this has popped up once in the CI, and we'll need more +info to debug it: + +03240 ------------[ cut here ]------------ +03240 kernel BUG at lib/closure.c:21! +03240 kernel BUG at lib/closure.c:21! +03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP +03240 Modules linked in: +03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570 +03240 Hardware name: linux,dummy-virt (DT) +03240 Workqueue: btree_update btree_interior_update_work +03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--) +03240 pc : closure_put+0x224/0x2a0 +03240 lr : closure_put+0x24/0x2a0 +03240 sp : ffff0000d12071c0 +03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360 +03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040 +03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168 +03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001 +03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974 +03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d +03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e +03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b +03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954 +03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000 +03240 Call trace: +03240 closure_put+0x224/0x2a0 +03240 bch2_check_for_deadlock+0x910/0x1028 +03240 bch2_six_check_for_deadlock+0x1c/0x30 +03240 six_lock_slowpath.isra.0+0x29c/0xed0 +03240 six_lock_ip_waiter+0xa8/0xf8 +03240 
__bch2_btree_node_lock_write+0x14c/0x298 +03240 bch2_trans_lock_write+0x6d4/0xb10 +03240 __bch2_trans_commit+0x135c/0x5520 +03240 btree_interior_update_work+0x1248/0x1c10 +03240 process_scheduled_works+0x53c/0xd90 +03240 worker_thread+0x370/0x8c8 +03240 kthread+0x258/0x2e8 +03240 ret_from_fork+0x10/0x20 +03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000) +03240 ---[ end trace 0000000000000000 ]--- +03240 Kernel panic - not syncing: Oops - BUG: Fatal exception +03240 SMP: stopping secondary CPUs +03241 SMP: failed to stop secondary CPUs 13,15 +03241 Kernel Offset: disabled +03241 CPU features: 0x00,00000003,80000008,4240500b +03241 Memory Limit: none +03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]--- +03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s + +Signed-off-by: Kent Overstreet +[ Resolve minor conflicts to fix CVE-2024-42252 ] +Signed-off-by: Bin Lan +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/closure.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/bcache/closure.c b/drivers/md/bcache/closure.c +index d8d9394a6beb1..18f21d4e9aaae 100644 +--- a/drivers/md/bcache/closure.c ++++ b/drivers/md/bcache/closure.c +@@ -17,10 +17,16 @@ static inline void closure_put_after_sub(struct closure *cl, int flags) + { + int r = flags & CLOSURE_REMAINING_MASK; + +- BUG_ON(flags & CLOSURE_GUARD_MASK); +- BUG_ON(!r && (flags & ~CLOSURE_DESTRUCTOR)); ++ if (WARN(flags & CLOSURE_GUARD_MASK, ++ "closure has guard bits set: %x (%u)", ++ flags & CLOSURE_GUARD_MASK, (unsigned) __fls(r))) ++ r &= ~CLOSURE_GUARD_MASK; + + if (!r) { ++ WARN(flags & ~CLOSURE_DESTRUCTOR, ++ "closure ref hit 0 with incorrect flags set: %x (%u)", ++ flags & ~CLOSURE_DESTRUCTOR, (unsigned) __fls(flags)); ++ + if (cl->fn && !(flags & CLOSURE_DESTRUCTOR)) { + atomic_set(&cl->remaining, + CLOSURE_REMAINING_INITIALIZER); +-- +2.43.0 + 
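Review bot: In the closure_put_after_sub() hunk, the first WARN() prints `(unsigned) __fls(r)` before `r` is known to be non-zero: if the guard bits are set at the moment the remaining count drops to zero, `r` is 0 and __fls(0) has an undefined result, so the diagnostic should print `__fls(flags)` (non-zero whenever the condition fires) or skip the __fls() call in that case. Separately, after `r &= ~CLOSURE_GUARD_MASK` the function carries on with a closure the old BUG_ON() treated as corrupt; with panic_on_warn set the WARN() is still fatal, and without it the closure keeps running on a refcount known to be wrong, so the "[ Resolve minor conflicts to fix CVE-2024-42252 ]" note should make clear that this changes the failure mode from a guaranteed oops to a warning plus continued execution rather than removing the underlying inconsistency.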
diff --git a/queue-6.1/net-fix-crash-when-config-small-gso_max_size-gso_ipv.patch b/queue-6.1/net-fix-crash-when-config-small-gso_max_size-gso_ipv.patch new file mode 100644 index 00000000000..701559ddbdf --- /dev/null +++ b/queue-6.1/net-fix-crash-when-config-small-gso_max_size-gso_ipv.patch 
@@ -0,0 +1,52 @@ +From 6e31b2052149fbe09a55f66293e3a5436f5c9815 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 11:18:09 +0800 +Subject: net: fix crash when config small gso_max_size/gso_ipv4_max_size + +From: Wang Liang + +[ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ] + +Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow +in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, +because sk->sk_gso_max_size would be much bigger than device limits. +Call Trace: +tcp_write_xmit + tso_segs = tcp_init_tso_segs(skb, mss_now); + tcp_set_skb_tso_segs + tcp_skb_pcount_set + // skb->len = 524288, mss_now = 8 + // u16 tso_segs = 524288/8 = 65535 -> 0 + tso_segs = DIV_ROUND_UP(skb->len, mss_now) + BUG_ON(!tso_segs) +Add check for the minimum value of gso_max_size and gso_ipv4_max_size. + +Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation") +Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device") +Signed-off-by: Wang Liang +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com +Signed-off-by: Jakub Kicinski +[ Resolve minor conflicts to fix CVE-2024-50258 ] +Signed-off-by: Bin Lan +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index afb52254a47ec..45c54fb9ad03f 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1939,7 +1939,7 @@ static const struct nla_policy ifla_policy[IFLA_MAX+1] = { + [IFLA_NUM_TX_QUEUES] = { .type = NLA_U32 }, + [IFLA_NUM_RX_QUEUES] = { .type = NLA_U32 }, + [IFLA_GSO_MAX_SEGS] = { .type = NLA_U32 }, +- [IFLA_GSO_MAX_SIZE] = { .type = NLA_U32 }, ++ [IFLA_GSO_MAX_SIZE] = NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1), + [IFLA_PHYS_PORT_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN }, + [IFLA_CARRIER_CHANGES] = { .type = NLA_U32 }, /* ignored */ 
+ [IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN }, +-- +2.43.0 + diff --git a/queue-6.1/serial-sc16is7xx-fix-invalid-fifo-access-with-specia.patch b/queue-6.1/serial-sc16is7xx-fix-invalid-fifo-access-with-specia.patch new file mode 100644 index 00000000000..621fca0bb1e --- /dev/null +++ b/queue-6.1/serial-sc16is7xx-fix-invalid-fifo-access-with-specia.patch 
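Review bot: In the ifla_policy hunk, only IFLA_GSO_MAX_SIZE gains the `NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1)` bound, while the Subject, the second Fixes: tag ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device") and the backport note all refer to gso_ipv4_max_size; the backport note should state explicitly whether IFLA_GSO_IPV4_MAX_SIZE exists in the 6.1 tree, so the absent policy entry reads as intentional rather than as a half-applied backport. The changelog should also mention that this tightens the netlink ABI: RTM_NEWLINK/RTM_SETLINK requests that set a gso_max_size at or below MAX_TCP_HEADER are now rejected by policy validation with an extack error instead of being accepted and later reaching the BUG_ON(!tso_segs) path described in the commit message.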
@@ -0,0 +1,66 @@ +From a586978923fb006d6cc0ae553779172bb6092c7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 15:16:56 +0800 +Subject: serial: sc16is7xx: fix invalid FIFO access with special register set + +From: Hugo Villeneuve + +[ Upstream commit 7d3b793faaab1305994ce568b59d61927235f57b ] + +When enabling access to the special register set, Receiver time-out and +RHR interrupts can happen. In this case, the IRQ handler will try to read +from the FIFO thru the RHR register at address 0x00, but address 0x00 is +mapped to DLL register, resulting in erroneous FIFO reading. + +Call graph example: + sc16is7xx_startup(): entry + sc16is7xx_ms_proc(): entry + sc16is7xx_set_termios(): entry + sc16is7xx_set_baud(): DLH/DLL = $009C --> access special register set + sc16is7xx_port_irq() entry --> IIR is 0x0C + sc16is7xx_handle_rx() entry + sc16is7xx_fifo_read(): --> unable to access FIFO (RHR) because it is + mapped to DLL (LCR=LCR_CONF_MODE_A) + sc16is7xx_set_baud(): exit --> Restore access to general register set + +Fix the problem by claiming the efr_lock mutex when accessing the Special +register set. + +Fixes: dfeae619d781 ("serial: sc16is7xx") +Cc: stable@vger.kernel.org +Signed-off-by: Hugo Villeneuve +Link: https://lore.kernel.org/r/20240723125302.1305372-3-hugo@hugovil.com +Signed-off-by: Greg Kroah-Hartman +[ Resolve minor conflicts ] +Signed-off-by: Bin Lan +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sc16is7xx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c +index a723df9b37dd9..c07baf5d5a9ce 100644 +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -545,6 +545,9 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) + SC16IS7XX_MCR_CLKSEL_BIT, + prescaler == 1 ? 
0 : SC16IS7XX_MCR_CLKSEL_BIT); + ++ ++ mutex_lock(&one->efr_lock); ++ + /* Open the LCR divisors for configuration */ + sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, + SC16IS7XX_LCR_CONF_MODE_A); +@@ -558,6 +561,8 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) + /* Put LCR back to the normal mode */ + sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr); + ++ mutex_unlock(&one->efr_lock); ++ + return DIV_ROUND_CLOSEST((clk / prescaler) / 16, div); + } + +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 3cbb0fc4e7a..6587f8c2d55 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -26,3 +26,8 @@ loongarch-define-a-default-value-for-vm_data_default.patch alsa-usb-audio-fix-yamaha-p-125-quirk-entry.patch arm-9420-1-smp-fix-smp-for-xip-kernels.patch ipmr-fix-access-to-mfc_cache_list-without-lock-held.patch +closures-change-bug_on-to-warn_on.patch +net-fix-crash-when-config-small-gso_max_size-gso_ipv.patch +serial-sc16is7xx-fix-invalid-fifo-access-with-specia.patch +x86-stackprotector-work-around-strict-clang-tls-symb.patch +cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch diff --git a/queue-6.1/x86-stackprotector-work-around-strict-clang-tls-symb.patch b/queue-6.1/x86-stackprotector-work-around-strict-clang-tls-symb.patch new file mode 100644 index 00000000000..be95ed25342 --- /dev/null +++ b/queue-6.1/x86-stackprotector-work-around-strict-clang-tls-symb.patch 
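Review bot: In the two sc16is7xx_set_baud() hunks, the efr_lock mutex now brackets the LCR_CONF_MODE_A window, but the fix described in the changelog is only effective if the IRQ path (sc16is7xx_port_irq() / sc16is7xx_handle_rx()) also takes one->efr_lock before reading RHR; neither hunk touches that path and the context does not show it, so confirm that the 6.1 IRQ handler already holds efr_lock, otherwise the new lock in set_baud serialises against nothing. The `one` pointer is also used without its declaration appearing in the context; check that `one` is already declared at the top of sc16is7xx_set_baud() in the 6.1 version of the function, since the "[ Resolve minor conflicts ]" note does not say what was adjusted.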
@@ -0,0 +1,138 @@ +From 0836f330b1ed3535ee119cb7a29b5dc3666e1fb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2024 10:03:37 -0500 +Subject: x86/stackprotector: Work around strict Clang TLS symbol requirements + +From: Ard Biesheuvel + +[ Upstream commit 577c134d311b9b94598d7a0c86be1f431f823003 ] + +GCC and Clang both implement stack protector support based on Thread Local +Storage (TLS) variables, and this is used in the kernel to implement per-task +stack cookies, by copying a task's stack cookie into a per-CPU variable every +time it is scheduled in. + +Both now also implement -mstack-protector-guard-symbol=, which permits the TLS +variable to be specified directly. This is useful because it will allow to +move away from using a fixed offset of 40 bytes into the per-CPU area on +x86_64, which requires a lot of special handling in the per-CPU code and the +runtime relocation code. + +However, while GCC is rather lax in its implementation of this command line +option, Clang actually requires that the provided symbol name refers to a TLS +variable (i.e., one declared with __thread), although it also permits the +variable to be undeclared entirely, in which case it will use an implicit +declaration of the right type. + +The upshot of this is that Clang will emit the correct references to the stack +cookie variable in most cases, e.g., + + 10d: 64 a1 00 00 00 00 mov %fs:0x0,%eax + 10f: R_386_32 __stack_chk_guard + +However, if a non-TLS definition of the symbol in question is visible in the +same compilation unit (which amounts to the whole of vmlinux if LTO is +enabled), it will drop the per-CPU prefix and emit a load from a bogus +address. + +Work around this by using a symbol name that never occurs in C code, and emit +it as an alias in the linker script. 
+ +Fixes: 3fb0fdb3bbe7 ("x86/stackprotector/32: Make the canary into a regular percpu variable") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Brian Gerst +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Cc: stable@vger.kernel.org +Link: https://github.com/ClangBuiltLinux/linux/issues/1854 +Link: https://lore.kernel.org/r/20241105155801.1779119-2-brgerst@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/Makefile | 3 ++- + arch/x86/entry/entry.S | 15 +++++++++++++++ + arch/x86/include/asm/asm-prototypes.h | 3 +++ + arch/x86/kernel/cpu/common.c | 2 ++ + arch/x86/kernel/vmlinux.lds.S | 3 +++ + 5 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index 3419ffa2a3507..a88eede6e7db4 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -113,7 +113,8 @@ ifeq ($(CONFIG_X86_32),y) + + ifeq ($(CONFIG_STACKPROTECTOR),y) + ifeq ($(CONFIG_SMP),y) +- KBUILD_CFLAGS += -mstack-protector-guard-reg=fs -mstack-protector-guard-symbol=__stack_chk_guard ++ KBUILD_CFLAGS += -mstack-protector-guard-reg=fs \ ++ -mstack-protector-guard-symbol=__ref_stack_chk_guard + else + KBUILD_CFLAGS += -mstack-protector-guard=global + endif +diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S +index f4419afc7147d..23f9efbe9d705 100644 +--- a/arch/x86/entry/entry.S ++++ b/arch/x86/entry/entry.S +@@ -48,3 +48,18 @@ EXPORT_SYMBOL_GPL(mds_verw_sel); + + .popsection + ++#ifndef CONFIG_X86_64 ++/* ++ * Clang's implementation of TLS stack cookies requires the variable in ++ * question to be a TLS variable. If the variable happens to be defined as an ++ * ordinary variable with external linkage in the same compilation unit (which ++ * amounts to the whole of vmlinux with LTO enabled), Clang will drop the ++ * segment register prefix from the references, resulting in broken code. 
Work ++ * around this by avoiding the symbol used in -mstack-protector-guard-symbol= ++ * entirely in the C code, and use an alias emitted by the linker script ++ * instead. ++ */ ++#ifdef CONFIG_STACKPROTECTOR ++EXPORT_SYMBOL(__ref_stack_chk_guard); ++#endif ++#endif +diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h +index 5cdccea455544..390b13db24b81 100644 +--- a/arch/x86/include/asm/asm-prototypes.h ++++ b/arch/x86/include/asm/asm-prototypes.h +@@ -18,3 +18,6 @@ + extern void cmpxchg8b_emu(void); + #endif + ++#if defined(__GENKSYMS__) && defined(CONFIG_STACKPROTECTOR) ++extern unsigned long __ref_stack_chk_guard; ++#endif +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 7f922a359ccc5..b4e999048e9a4 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -2158,8 +2158,10 @@ EXPORT_PER_CPU_SYMBOL(cpu_current_top_of_stack); + + #ifdef CONFIG_STACKPROTECTOR + DEFINE_PER_CPU(unsigned long, __stack_chk_guard); ++#ifndef CONFIG_SMP + EXPORT_PER_CPU_SYMBOL(__stack_chk_guard); + #endif ++#endif + + #endif /* CONFIG_X86_64 */ + +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index 78ccb5ec3c0e7..c1e776ed71b06 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -486,6 +486,9 @@ SECTIONS + ASSERT(SIZEOF(.rela.dyn) == 0, "Unexpected run-time relocations (.rela) detected!") + } + ++/* needed for Clang - see arch/x86/entry/entry.S */ ++PROVIDE(__ref_stack_chk_guard = __stack_chk_guard); ++ + /* + * The ASSERT() sink to . is intentional, for binutils 2.14 compatibility: + */ +-- +2.43.0 +
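Review bot: In the arch/x86/entry/entry.S hunk, EXPORT_SYMBOL(__ref_stack_chk_guard) is guarded only by `#ifndef CONFIG_X86_64` and `#ifdef CONFIG_STACKPROTECTOR`, while the Makefile hunk passes -mstack-protector-guard-symbol=__ref_stack_chk_guard solely under CONFIG_SMP (the !SMP build uses -mstack-protector-guard=global) and the common.c hunk keeps EXPORT_PER_CPU_SYMBOL(__stack_chk_guard) only for !SMP; wrapping the entry.S export and the __GENKSYMS__ extern in asm-prototypes.h in a matching `#ifdef CONFIG_SMP` keeps the three files consistent and avoids exporting an alias that no module references on UP kernels.

Review bot: In the arch/x86/kernel/cpu/common.c hunk, removing the SMP export of __stack_chk_guard means a module that was built with the previous -mstack-protector-guard-symbol=__stack_chk_guard flags will fail to load with an unresolved symbol; in-tree modules pick up the new flag from KBUILD_CFLAGS, but since this is going into a released stable series the changelog should call out the exported-symbol change so distributions rebuilding out-of-tree 32-bit SMP modules against 6.1.y are not surprised.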