From: Sasha Levin Date: Tue, 19 Sep 2023 17:29:08 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v5.10.196~32 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cf19f35f6896a43c0459a3e0717a321d255c9daf;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch b/queue-4.14/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch new file mode 100644 index 00000000000..77535d938a6 --- /dev/null +++ b/queue-4.14/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch @@ -0,0 +1,47 @@ +From 22a7ed16c995faa9b0ae0e55eafd7a6fee7e3c04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 08:42:00 +0200 +Subject: ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470 + +From: Jiri Slaby (SUSE) + +[ Upstream commit 96b709be183c56293933ef45b8b75f8af268c6de ] + +The Lenovo Ideapad Z470 predates Windows 8, so it defaults to using +acpi_video for backlight control. But this is not functional on this +model. + +Add a DMI quirk to use the native backlight interface which works. + +Link: https://bugzilla.suse.com/show_bug.cgi?id=1208724 +Signed-off-by: Jiri Slaby (SUSE) +Reviewed-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index b4f16073ef432..866bc20c82397 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -294,6 +294,15 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "Lenovo IdeaPad S405"), + }, + }, ++ { ++ /* https://bugzilla.suse.com/show_bug.cgi?id=1208724 */ ++ .callback = video_detect_force_native, ++ /* Lenovo Ideapad Z470 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "IdeaPad Z470"), ++ }, ++ }, + { + /* https://bugzilla.redhat.com/show_bug.cgi?id=1187004 */ + .callback = video_detect_force_native, +-- +2.40.1 + diff --git a/queue-4.14/acpica-add-aml_no_operand_resolve-flag-to-timer.patch b/queue-4.14/acpica-add-aml_no_operand_resolve-flag-to-timer.patch new file mode 100644 index 00000000000..5158ed85e91 --- /dev/null +++ b/queue-4.14/acpica-add-aml_no_operand_resolve-flag-to-timer.patch @@ -0,0 +1,60 @@ +From c3e69da745a96fe6348245b5dd71cce1abe89dbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 22:26:06 +0000 +Subject: ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer + +From: Abhishek Mainkar + +[ Upstream commit 3a21ffdbc825e0919db9da0e27ee5ff2cc8a863e ] + +ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5 + +According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode. + +When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed. + +============================================================= +UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]' +CPU: 37 PID: 1678 Comm: cat Not tainted +6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k +HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace: + dump_backtrace+0xe0/0x130 + show_stack+0x20/0x60 + dump_stack_lvl+0x68/0x84 + dump_stack+0x18/0x34 + ubsan_epilogue+0x10/0x50 + __ubsan_handle_out_of_bounds+0x80/0x90 + acpi_ds_exec_end_op+0x1bc/0x6d8 + acpi_ps_parse_loop+0x57c/0x618 + acpi_ps_parse_aml+0x1e0/0x4b4 + acpi_ps_execute_method+0x24c/0x2b8 + acpi_ns_evaluate+0x3a8/0x4bc + acpi_evaluate_object+0x15c/0x37c + acpi_evaluate_integer+0x54/0x15c + show_power+0x8c/0x12c [acpi_power_meter] + +Link: https://github.com/acpica/acpica/commit/90310989 +Signed-off-by: Abhishek Mainkar +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/psopcode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/psopcode.c b/drivers/acpi/acpica/psopcode.c +index a402ad772a1e5..c561d35d441bb 100644 +--- a/drivers/acpi/acpica/psopcode.c ++++ b/drivers/acpi/acpica/psopcode.c +@@ -637,7 +637,7 @@ const struct acpi_opcode_info acpi_gbl_aml_op_info[AML_NUM_OPCODES] = { + + /* 7E */ ACPI_OP("Timer", ARGP_TIMER_OP, ARGI_TIMER_OP, ACPI_TYPE_ANY, + AML_CLASS_EXECUTE, AML_TYPE_EXEC_0A_0T_1R, +- AML_FLAGS_EXEC_0A_0T_1R), ++ AML_FLAGS_EXEC_0A_0T_1R | AML_NO_OPERAND_RESOLVE), + + /* ACPI 5.0 opcodes */ + +-- +2.40.1 + diff --git a/queue-4.14/alx-fix-oob-read-compiler-warning.patch b/queue-4.14/alx-fix-oob-read-compiler-warning.patch new file mode 100644 index 00000000000..104464bcfc2 --- /dev/null +++ b/queue-4.14/alx-fix-oob-read-compiler-warning.patch @@ -0,0 +1,54 @@ +From 2de821bf3569eed33947e9884f88ca37ce28577e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Aug 2023 09:32:18 +0800 +Subject: alx: fix OOB-read compiler warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: GONG, Ruiqi + +[ Upstream commit 3a198c95c95da10ad844cbeade2fe40bdf14c411 ] + +The following message shows up when compiling with W=1: + +In function ‘fortify_memcpy_chk’, + inlined from ‘alx_get_ethtool_stats’ at drivers/net/ethernet/atheros/alx/ethtool.c:297:2: +./include/linux/fortify-string.h:592:4: error: call to ‘__read_overflow2_field’ +declared with attribute warning: detected read beyond size of field (2nd parameter); +maybe use struct_group()? [-Werror=attribute-warning] + 592 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In order to get alx stats altogether, alx_get_ethtool_stats() reads +beyond hw->stats.rx_ok. Fix this warning by directly copying hw->stats, +and refactor the unnecessarily complicated BUILD_BUG_ON btw. + +Signed-off-by: GONG, Ruiqi +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230821013218.1614265-1-gongruiqi@huaweicloud.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/alx/ethtool.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/atheros/alx/ethtool.c b/drivers/net/ethernet/atheros/alx/ethtool.c +index 2f4eabf652e80..51e5aa2c74b34 100644 +--- a/drivers/net/ethernet/atheros/alx/ethtool.c ++++ b/drivers/net/ethernet/atheros/alx/ethtool.c +@@ -281,9 +281,8 @@ static void alx_get_ethtool_stats(struct net_device *netdev, + spin_lock(&alx->stats_lock); + + alx_update_hw_stats(hw); +- BUILD_BUG_ON(sizeof(hw->stats) - offsetof(struct alx_hw_stats, rx_ok) < +- ALX_NUM_STATS * sizeof(u64)); +- memcpy(data, &hw->stats.rx_ok, ALX_NUM_STATS * sizeof(u64)); ++ BUILD_BUG_ON(sizeof(hw->stats) != ALX_NUM_STATS * sizeof(u64)); ++ memcpy(data, &hw->stats, sizeof(hw->stats)); + + spin_unlock(&alx->stats_lock); + } +-- +2.40.1 + diff --git a/queue-4.14/autofs-fix-memory-leak-of-waitqueues-in-autofs_catat.patch b/queue-4.14/autofs-fix-memory-leak-of-waitqueues-in-autofs_catat.patch new file mode 100644 index 00000000000..b8da9f494c6 --- /dev/null +++ b/queue-4.14/autofs-fix-memory-leak-of-waitqueues-in-autofs_catat.patch @@ -0,0 +1,106 @@ +From 70cfd9d06d0719d10a44898b9154162fc890e2fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 13:33:12 +0800 +Subject: autofs: fix memory leak of waitqueues in autofs_catatonic_mode + +From: Fedor Pchelkin + +[ Upstream commit ccbe77f7e45dfb4420f7f531b650c00c6e9c7507 ] + +Syzkaller reports a memory leak: + +BUG: memory leak +unreferenced object 0xffff88810b279e00 (size 96): + comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... + 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. + backtrace: + [] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 + [] kmalloc include/linux/slab.h:576 [inline] + [] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 + [] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 + [] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 + [] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 + [] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 + [] vfs_ioctl fs/ioctl.c:51 [inline] + [] __do_sys_ioctl fs/ioctl.c:870 [inline] + [] __se_sys_ioctl fs/ioctl.c:856 [inline] + [] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 + [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +autofs_wait_queue structs should be freed if their wait_ctr becomes zero. +Otherwise they will be lost. + +In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new +waitqueue struct is allocated in autofs_wait(), its initial wait_ctr +equals 2. After that wait_event_killable() is interrupted (it returns +-ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not +satisfied. Actually, this condition can be satisfied when +autofs_wait_release() or autofs_catatonic_mode() is called and, what is +also important, wait_ctr is decremented in those places. Upon the exit of +autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process +begins: kill_sb calls autofs_catatonic_mode(), which should have freed the +waitqueues, but it only decrements its usage counter to zero which is not +a correct behaviour. + +edit:imk +This description is of course not correct. The umount performed as a result +of an expire is a umount of a mount that has been automounted, it's not the +autofs mount itself. They happen independently, usually after everything +mounted within the autofs file system has been expired away. If everything +hasn't been expired away the automount daemon can still exit leaving mounts +in place. But expires done in both cases will result in a notification that +calls autofs_wait_release() with a result status. The problem case is the +summary execution of of the automount daemon. In this case any waiting +processes won't be woken up until either they are terminated or the mount +is umounted. +end edit: imk + +So in catatonic mode we should free waitqueues which counter becomes zero. + +edit: imk +Initially I was concerned that the calling of autofs_wait_release() and +autofs_catatonic_mode() was not mutually exclusive but that can't be the +case (obviously) because the queue entry (or entries) is removed from the +list when either of these two functions are called. Consequently the wait +entry will be freed by only one of these functions or by the woken process +in autofs_wait() depending on the order of the calls. +end edit: imk + +Reported-by: syzbot+5e53f70e69ff0c0a1c0c@syzkaller.appspotmail.com +Suggested-by: Takeshi Misawa +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Ian Kent +Cc: Matthew Wilcox +Cc: Andrei Vagin +Cc: autofs@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Message-Id: <169112719161.7590.6700123246297365841.stgit@donald.themaw.net> +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/autofs4/waitq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c +index 961a12dc6dc81..5863532675e3c 100644 +--- a/fs/autofs4/waitq.c ++++ b/fs/autofs4/waitq.c +@@ -42,8 +42,9 @@ void autofs4_catatonic_mode(struct autofs_sb_info *sbi) + wq->status = -ENOENT; /* Magic is gone - report failure */ + kfree(wq->name.name); + wq->name.name = NULL; +- wq->wait_ctr--; + wake_up_interruptible(&wq->queue); ++ if (!--wq->wait_ctr) ++ kfree(wq); + wq = nwq; + } + fput(sbi->pipe); /* Close the pipe */ +-- +2.40.1 + diff --git a/queue-4.14/btrfs-output-extra-debug-info-if-we-failed-to-find-a.patch b/queue-4.14/btrfs-output-extra-debug-info-if-we-failed-to-find-a.patch new file mode 100644 index 00000000000..3972bfb1395 --- /dev/null +++ b/queue-4.14/btrfs-output-extra-debug-info-if-we-failed-to-find-a.patch @@ -0,0 +1,52 @@ +From 52c00129c24e8085ee52cfa18e6df554a6cfe34e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 19:02:28 +0800 +Subject: btrfs: output extra debug info if we failed to find an inline backref + +From: Qu Wenruo + +[ Upstream commit 7f72f50547b7af4ddf985b07fc56600a4deba281 ] + +[BUG] +Syzbot reported several warning triggered inside +lookup_inline_extent_backref(). + +[CAUSE] +As usual, the reproducer doesn't reliably trigger locally here, but at +least we know the WARN_ON() is triggered when an inline backref can not +be found, and it can only be triggered when @insert is true. (I.e. +inserting a new inline backref, which means the backref should already +exist) + +[ENHANCEMENT] +After the WARN_ON(), dump all the parameters and the extent tree +leaf to help debug. + +Link: https://syzkaller.appspot.com/bug?extid=d6f9ff86c1d804ba2bc6 +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index e59987385673f..deb01e59da027 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -1703,6 +1703,11 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans, + err = -ENOENT; + goto out; + } else if (WARN_ON(ret)) { ++ btrfs_print_leaf(path->nodes[0]); ++ btrfs_err(fs_info, ++"extent item not found for insert, bytenr %llu num_bytes %llu parent %llu root_objectid %llu owner %llu offset %llu", ++ bytenr, num_bytes, parent, root_objectid, owner, ++ offset); + err = -EIO; + goto out; + } +-- +2.40.1 + diff --git a/queue-4.14/crypto-lib-mpi-avoid-null-pointer-deref-in-mpi_cmp_u.patch b/queue-4.14/crypto-lib-mpi-avoid-null-pointer-deref-in-mpi_cmp_u.patch new file mode 100644 index 00000000000..d202a189c84 --- /dev/null +++ b/queue-4.14/crypto-lib-mpi-avoid-null-pointer-deref-in-mpi_cmp_u.patch @@ -0,0 +1,45 @@ +From e776d46813fe9c995cc76832cb7ac37de6346297 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 09:32:18 +0000 +Subject: crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() + +From: Mark O'Donovan + +[ Upstream commit 9e47a758b70167c9301d2b44d2569f86c7796f2d ] + +During NVMeTCP Authentication a controller can trigger a kernel +oops by specifying the 8192 bit Diffie Hellman group and passing +a correctly sized, but zeroed Diffie Hellamn value. +mpi_cmp_ui() was detecting this if the second parameter was 0, +but 1 is passed from dh_is_pubkey_valid(). This causes the null +pointer u->d to be dereferenced towards the end of mpi_cmp_ui() + +Signed-off-by: Mark O'Donovan +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/mpi/mpi-cmp.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/mpi/mpi-cmp.c b/lib/mpi/mpi-cmp.c +index d25e9e96c310f..ceaebe181cd70 100644 +--- a/lib/mpi/mpi-cmp.c ++++ b/lib/mpi/mpi-cmp.c +@@ -25,8 +25,12 @@ int mpi_cmp_ui(MPI u, unsigned long v) + mpi_limb_t limb = v; + + mpi_normalize(u); +- if (!u->nlimbs && !limb) +- return 0; ++ if (u->nlimbs == 0) { ++ if (v == 0) ++ return 0; ++ else ++ return -1; ++ } + if (u->sign) + return -1; + if (u->nlimbs > 1) +-- +2.40.1 + diff --git a/queue-4.14/drm-exynos-fix-a-possible-null-pointer-dereference-d.patch b/queue-4.14/drm-exynos-fix-a-possible-null-pointer-dereference-d.patch new file mode 100644 index 00000000000..92848ccb17d --- /dev/null +++ b/queue-4.14/drm-exynos-fix-a-possible-null-pointer-dereference-d.patch @@ -0,0 +1,61 @@ +From eafff6ffe831d55c4ba4948016958779b3e59d6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 10:19:06 +0800 +Subject: drm/exynos: fix a possible null-pointer dereference due to data race + in exynos_drm_crtc_atomic_disable() + +From: Tuo Li + +[ Upstream commit 2e63972a2de14482d0eae1a03a73e379f1c3f44c ] + +The variable crtc->state->event is often protected by the lock +crtc->dev->event_lock when is accessed. However, it is accessed as a +condition of an if statement in exynos_drm_crtc_atomic_disable() without +holding the lock: + + if (crtc->state->event && !crtc->state->active) + +However, if crtc->state->event is changed to NULL by another thread right +after the conditions of the if statement is checked to be true, a +null-pointer dereference can occur in drm_crtc_send_vblank_event(): + + e->pipe = pipe; + +To fix this possible null-pointer dereference caused by data race, the +spin lock coverage is extended to protect the if statement as well as the +function call to drm_crtc_send_vblank_event(). + +Reported-by: BassCheck +Link: https://sites.google.com/view/basscheck/home +Signed-off-by: Tuo Li +Reviewed-by: Krzysztof Kozlowski +Added relevant link. +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c +index 4787560bf93e7..e1aa518ea0ba1 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c +@@ -43,13 +43,12 @@ static void exynos_drm_crtc_atomic_disable(struct drm_crtc *crtc, + if (exynos_crtc->ops->disable) + exynos_crtc->ops->disable(exynos_crtc); + ++ spin_lock_irq(&crtc->dev->event_lock); + if (crtc->state->event && !crtc->state->active) { +- spin_lock_irq(&crtc->dev->event_lock); + drm_crtc_send_vblank_event(crtc, crtc->state->event); +- spin_unlock_irq(&crtc->dev->event_lock); +- + crtc->state->event = NULL; + } ++ spin_unlock_irq(&crtc->dev->event_lock); + } + + static int exynos_crtc_atomic_check(struct drm_crtc *crtc, +-- +2.40.1 + diff --git a/queue-4.14/ext2-fix-datatype-of-block-number-in-ext2_xattr_set2.patch b/queue-4.14/ext2-fix-datatype-of-block-number-in-ext2_xattr_set2.patch new file mode 100644 index 00000000000..45e995f4754 --- /dev/null +++ b/queue-4.14/ext2-fix-datatype-of-block-number-in-ext2_xattr_set2.patch @@ -0,0 +1,55 @@ +From fef16fa54c1aee787521184987cec31324c8c7e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 12:03:40 +0200 +Subject: ext2: fix datatype of block number in ext2_xattr_set2() + +From: Georg Ottinger + +[ Upstream commit e88076348425b7d0491c8c98d8732a7df8de7aa3 ] + +I run a small server that uses external hard drives for backups. The +backup software I use uses ext2 filesystems with 4KiB block size and +the server is running SELinux and therefore relies on xattr. I recently +upgraded the hard drives from 4TB to 12TB models. I noticed that after +transferring some TBs I got a filesystem error "Freeing blocks not in +datazone - block = 18446744071529317386, count = 1" and the backup +process stopped. Trying to fix the fs with e2fsck resulted in a +completely corrupted fs. The error probably came from ext2_free_blocks(), +and because of the large number 18e19 this problem immediately looked +like some kind of integer overflow. Whereas the 4TB fs was about 1e9 +blocks, the new 12TB is about 3e9 blocks. So, searching the ext2 code, +I came across the line in fs/ext2/xattr.c:745 where ext2_new_block() +is called and the resulting block number is stored in the variable block +as an int datatype. If a block with a block number greater than +INT32_MAX is returned, this variable overflows and the call to +sb_getblk() at line fs/ext2/xattr.c:750 fails, then the call to +ext2_free_blocks() produces the error. + +Signed-off-by: Georg Ottinger +Signed-off-by: Jan Kara +Message-Id: <20230815100340.22121-1-g.ottinger@gmx.at> +Signed-off-by: Sasha Levin +--- + fs/ext2/xattr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c +index bd1d68ff3a9f8..437175bce22e8 100644 +--- a/fs/ext2/xattr.c ++++ b/fs/ext2/xattr.c +@@ -664,10 +664,10 @@ ext2_xattr_set2(struct inode *inode, struct buffer_head *old_bh, + /* We need to allocate a new block */ + ext2_fsblk_t goal = ext2_group_first_block_no(sb, + EXT2_I(inode)->i_block_group); +- int block = ext2_new_block(inode, goal, &error); ++ ext2_fsblk_t block = ext2_new_block(inode, goal, &error); + if (error) + goto cleanup; +- ea_idebug(inode, "creating block %d", block); ++ ea_idebug(inode, "creating block %lu", block); + + new_bh = sb_getblk(sb, block); + if (unlikely(!new_bh)) { +-- +2.40.1 + diff --git a/queue-4.14/fs-jfs-prevent-double-free-in-dbunmount-after-failed.patch b/queue-4.14/fs-jfs-prevent-double-free-in-dbunmount-after-failed.patch new file mode 100644 index 00000000000..8b37c890191 --- /dev/null +++ b/queue-4.14/fs-jfs-prevent-double-free-in-dbunmount-after-failed.patch @@ -0,0 +1,121 @@ +From 67da5db956f8ae554c58665b0e7639b88657c298 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Jul 2023 17:05:42 +0300 +Subject: fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount() + +From: Andrew Kanner + +[ Upstream commit cade5397e5461295f3cb87880534b6a07cafa427 ] + +Syzkaller reported the following issue: +================================================================== +BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] +BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800 +Free of addr ffff888086408000 by task syz-executor.4/12750 +[...] +Call Trace: + +[...] + kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482 + ____kasan_slab_free+0xfb/0x120 + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 + slab_free mm/slub.c:3787 [inline] + __kmem_cache_free+0x71/0x110 mm/slub.c:3800 + dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 + jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87 + jfs_put_super+0x86/0x190 fs/jfs/super.c:194 + generic_shutdown_super+0x130/0x310 fs/super.c:492 + kill_block_super+0x79/0xd0 fs/super.c:1386 + deactivate_locked_super+0xa7/0xf0 fs/super.c:332 + cleanup_mnt+0x494/0x520 fs/namespace.c:1291 + task_work_run+0x243/0x300 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171 + exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296 + do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +[...] + + +Allocated by task 13352: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 + kmalloc include/linux/slab.h:580 [inline] + dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164 + jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121 + jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556 + mount_bdev+0x26c/0x3a0 fs/super.c:1359 + legacy_get_tree+0xea/0x180 fs/fs_context.c:610 + vfs_get_tree+0x88/0x270 fs/super.c:1489 + do_new_mount+0x289/0xad0 fs/namespace.c:3145 + do_mount fs/namespace.c:3488 [inline] + __do_sys_mount fs/namespace.c:3697 [inline] + __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 13352: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 + kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 + ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 + slab_free mm/slub.c:3787 [inline] + __kmem_cache_free+0x71/0x110 mm/slub.c:3800 + dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 + jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247 + jfs_remount+0x3db/0x710 fs/jfs/super.c:454 + reconfigure_super+0x3bc/0x7b0 fs/super.c:935 + vfs_fsconfig_locked fs/fsopen.c:254 [inline] + __do_sys_fsconfig fs/fsopen.c:439 [inline] + __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +[...] + +JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in +dbUnmount(). + +Syzkaller uses faultinject to reproduce this KASAN double-free +warning. The issue is triggered if either diMount() or dbMount() fail +in jfs_remount(), since diUnmount() or dbUnmount() already happened in +such a case - they will do double-free on next execution: jfs_umount +or jfs_remount. + +Tested on both upstream and jfs-next by syzkaller. + +Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/ +Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9 +Signed-off-by: Andrew Kanner +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 464ddaf8ebd10..95e8f031c3f11 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -282,6 +282,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror) + + /* free the memory for the in-memory bmap. */ + kfree(bmp); ++ JFS_SBI(ipbmap->i_sb)->bmap = NULL; + + return (0); + } +-- +2.40.1 + diff --git a/queue-4.14/hw_breakpoint-fix-single-stepping-when-using-bpf_ove.patch b/queue-4.14/hw_breakpoint-fix-single-stepping-when-using-bpf_ove.patch new file mode 100644 index 00000000000..123befcfe1e --- /dev/null +++ b/queue-4.14/hw_breakpoint-fix-single-stepping-when-using-bpf_ove.patch @@ -0,0 +1,150 @@ +From 45341579da900de245b4f09cc42e32f3d6213742 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 12:19:23 -0700 +Subject: hw_breakpoint: fix single-stepping when using bpf_overflow_handler + +From: Tomislav Novak + +[ Upstream commit d11a69873d9a7435fe6a48531e165ab80a8b1221 ] + +Arm platforms use is_default_overflow_handler() to determine if the +hw_breakpoint code should single-step over the breakpoint trigger or +let the custom handler deal with it. + +Since bpf_overflow_handler() currently isn't recognized as a default +handler, attaching a BPF program to a PERF_TYPE_BREAKPOINT event causes +it to keep firing (the instruction triggering the data abort exception +is never skipped). For example: + + # bpftrace -e 'watchpoint:0x10000:4:w { print("hit") }' -c ./test + Attaching 1 probe... + hit + hit + [...] + ^C + +(./test performs a single 4-byte store to 0x10000) + +This patch replaces the check with uses_default_overflow_handler(), +which accounts for the bpf_overflow_handler() case by also testing +if one of the perf_event_output functions gets invoked indirectly, +via orig_default_handler. + +Signed-off-by: Tomislav Novak +Tested-by: Samuel Gosselin # arm64 +Reviewed-by: Catalin Marinas +Acked-by: Alexei Starovoitov +Link: https://lore.kernel.org/linux-arm-kernel/20220923203644.2731604-1-tnovak@fb.com/ +Link: https://lore.kernel.org/r/20230605191923.1219974-1-tnovak@meta.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/hw_breakpoint.c | 8 ++++---- + arch/arm64/kernel/hw_breakpoint.c | 4 ++-- + include/linux/perf_event.h | 22 +++++++++++++++++++--- + 3 files changed, 25 insertions(+), 9 deletions(-) + +diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c +index a8783964ebde9..6f5907970143f 100644 +--- a/arch/arm/kernel/hw_breakpoint.c ++++ b/arch/arm/kernel/hw_breakpoint.c +@@ -631,7 +631,7 @@ int arch_validate_hwbkpt_settings(struct perf_event *bp) + info->address &= ~alignment_mask; + info->ctrl.len <<= offset; + +- if (is_default_overflow_handler(bp)) { ++ if (uses_default_overflow_handler(bp)) { + /* + * Mismatch breakpoints are required for single-stepping + * breakpoints. +@@ -803,7 +803,7 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr, + * Otherwise, insert a temporary mismatch breakpoint so that + * we can single-step over the watchpoint trigger. + */ +- if (!is_default_overflow_handler(wp)) ++ if (!uses_default_overflow_handler(wp)) + continue; + step: + enable_single_step(wp, instruction_pointer(regs)); +@@ -816,7 +816,7 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr, + info->trigger = addr; + pr_debug("watchpoint fired: address = 0x%x\n", info->trigger); + perf_bp_event(wp, regs); +- if (is_default_overflow_handler(wp)) ++ if (uses_default_overflow_handler(wp)) + enable_single_step(wp, instruction_pointer(regs)); + } + +@@ -891,7 +891,7 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs) + info->trigger = addr; + pr_debug("breakpoint fired: address = 0x%x\n", addr); + perf_bp_event(bp, regs); +- if (is_default_overflow_handler(bp)) ++ if (uses_default_overflow_handler(bp)) + enable_single_step(bp, addr); + goto unlock; + } +diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c +index 6e96cea99a4ec..7f608a8d43860 100644 +--- a/arch/arm64/kernel/hw_breakpoint.c ++++ b/arch/arm64/kernel/hw_breakpoint.c +@@ -662,7 +662,7 @@ static int breakpoint_handler(unsigned long unused, unsigned int esr, + perf_bp_event(bp, regs); + + /* Do we need to handle the stepping? */ +- if (is_default_overflow_handler(bp)) ++ if (uses_default_overflow_handler(bp)) + step = 1; + unlock: + rcu_read_unlock(); +@@ -741,7 +741,7 @@ static u64 get_distance_from_watchpoint(unsigned long addr, u64 val, + static int watchpoint_report(struct perf_event *wp, unsigned long addr, + struct pt_regs *regs) + { +- int step = is_default_overflow_handler(wp); ++ int step = uses_default_overflow_handler(wp); + struct arch_hw_breakpoint *info = counter_arch_bp(wp); + + info->trigger = addr; +diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h +index 5efd8109ad0ab..e175d5e3acd68 100644 +--- a/include/linux/perf_event.h ++++ b/include/linux/perf_event.h +@@ -985,15 +985,31 @@ extern void perf_event_output(struct perf_event *event, + struct pt_regs *regs); + + static inline bool +-is_default_overflow_handler(struct perf_event *event) ++__is_default_overflow_handler(perf_overflow_handler_t overflow_handler) + { +- if (likely(event->overflow_handler == perf_event_output_forward)) ++ if (likely(overflow_handler == perf_event_output_forward)) + return true; +- if (unlikely(event->overflow_handler == perf_event_output_backward)) ++ if (unlikely(overflow_handler == perf_event_output_backward)) + return true; + return false; + } + ++#define is_default_overflow_handler(event) \ ++ __is_default_overflow_handler((event)->overflow_handler) ++ ++#ifdef CONFIG_BPF_SYSCALL ++static inline bool uses_default_overflow_handler(struct perf_event *event) ++{ ++ if (likely(is_default_overflow_handler(event))) ++ return true; ++ ++ return __is_default_overflow_handler(event->orig_overflow_handler); ++} ++#else ++#define uses_default_overflow_handler(event) \ ++ is_default_overflow_handler(event) ++#endif ++ + extern void + perf_event_header__init_id(struct perf_event_header *header, + struct perf_sample_data *data, +-- +2.40.1 + diff --git a/queue-4.14/iio-core-use-min-instead-of-min_t-to-make-code-more-.patch b/queue-4.14/iio-core-use-min-instead-of-min_t-to-make-code-more-.patch new file mode 100644 index 00000000000..566b85e0602 --- /dev/null +++ b/queue-4.14/iio-core-use-min-instead-of-min_t-to-make-code-more-.patch @@ -0,0 +1,39 @@ +From 6cbedc7a064589f33b1b01074157be62f133f738 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 20:00:18 +0300 +Subject: iio: core: Use min() instead of min_t() to make code more robust + +From: Andy Shevchenko + +[ Upstream commit cb1d17535061ca295903f97f5cb0af9db719c02c ] + +min() has strict type checking and preferred over min_t() for +unsigned types to avoid overflow. Here it's unclear why min_t() +was chosen since both variables are of the same type. In any +case update to use min(). + +Signed-off-by: Andy Shevchenko +Reviewed-by: Nuno Sa +Link: https://lore.kernel.org/r/20230721170022.3461-5-andriy.shevchenko@linux.intel.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/industrialio-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c +index 97b7266ee0ffa..12d73ebcadfa3 100644 +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -328,7 +328,7 @@ static ssize_t iio_debugfs_write_reg(struct file *file, + char buf[80]; + int ret; + +- count = min_t(size_t, count, (sizeof(buf)-1)); ++ count = min(count, sizeof(buf) - 1); + if (copy_from_user(buf, userbuf, count)) + return -EFAULT; + +-- +2.40.1 + diff --git a/queue-4.14/jfs-fix-invalid-free-of-jfs_ip-ipimap-i_imap-in-diun.patch b/queue-4.14/jfs-fix-invalid-free-of-jfs_ip-ipimap-i_imap-in-diun.patch new file mode 100644 index 00000000000..9f1bc5237a6 --- /dev/null +++ b/queue-4.14/jfs-fix-invalid-free-of-jfs_ip-ipimap-i_imap-in-diun.patch @@ -0,0 +1,77 @@ +From 149fab06ece970f1aa8439f6d07cedc4b5508bc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 20:46:28 +0800 +Subject: jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount + +From: Liu Shixin via Jfs-discussion + +[ Upstream commit 6e2bda2c192d0244b5a78b787ef20aa10cb319b7 ] + +syzbot found an invalid-free in diUnmount: + +BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline] +BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674 +Free of addr ffff88806f410000 by task syz-executor131/3632 + + CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 + Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:284 + print_report+0x107/0x1f0 mm/kasan/report.c:395 + kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460 + ____kasan_slab_free+0xfb/0x120 + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1724 [inline] + slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750 + slab_free mm/slub.c:3661 [inline] + __kmem_cache_free+0x71/0x110 mm/slub.c:3674 + diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195 + jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63 + jfs_put_super+0x86/0x190 fs/jfs/super.c:194 + generic_shutdown_super+0x130/0x310 fs/super.c:492 + kill_block_super+0x79/0xd0 fs/super.c:1428 + deactivate_locked_super+0xa7/0xf0 fs/super.c:332 + cleanup_mnt+0x494/0x520 fs/namespace.c:1186 + task_work_run+0x243/0x300 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0x664/0x2070 kernel/exit.c:820 + do_group_exit+0x1fd/0x2b0 kernel/exit.c:950 + __do_sys_exit_group kernel/exit.c:961 [inline] + __se_sys_exit_group kernel/exit.c:959 [inline] + __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +[...] + +JFS_IP(ipimap)->i_imap is not setting to NULL after free in diUnmount. +If jfs_remount() free JFS_IP(ipimap)->i_imap but then failed at diMount(). +JFS_IP(ipimap)->i_imap will be freed once again. +Fix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free. + +Reported-by: syzbot+90a11e6b1e810785c6ff@syzkaller.appspotmail.com +Signed-off-by: Liu Shixin +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_imap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c +index f36ef68905a74..12fc016244581 100644 +--- a/fs/jfs/jfs_imap.c ++++ b/fs/jfs/jfs_imap.c +@@ -208,6 +208,7 @@ int diUnmount(struct inode *ipimap, int mounterror) + * free in-memory control structure + */ + kfree(imap); ++ JFS_IP(ipimap)->i_imap = NULL; + + return (0); + } +-- +2.40.1 + diff --git a/queue-4.14/kobject-add-sanity-check-for-kset-kobj.ktype-in-kset.patch b/queue-4.14/kobject-add-sanity-check-for-kset-kobj.ktype-in-kset.patch new file mode 100644 index 00000000000..805b7df969a --- /dev/null +++ b/queue-4.14/kobject-add-sanity-check-for-kset-kobj.ktype-in-kset.patch @@ -0,0 +1,60 @@ +From 436a2203628051ead981ded4cda386b4441107de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Aug 2023 16:41:13 +0800 +Subject: kobject: Add sanity check for kset->kobj.ktype in kset_register() + +From: Zhen Lei + +[ Upstream commit 4d0fe8c52bb3029d83e323c961221156ab98680b ] + +When I register a kset in the following way: + static struct kset my_kset; + kobject_set_name(&my_kset.kobj, "my_kset"); + ret = kset_register(&my_kset); + +A null pointer dereference exception is occurred: +[ 4453.568337] Unable to handle kernel NULL pointer dereference at \ +virtual address 0000000000000028 +... ... +[ 4453.810361] Call trace: +[ 4453.813062] kobject_get_ownership+0xc/0x34 +[ 4453.817493] kobject_add_internal+0x98/0x274 +[ 4453.822005] kset_register+0x5c/0xb4 +[ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset] +... ... + +Because I didn't initialize my_kset.kobj.ktype. + +According to the description in Documentation/core-api/kobject.rst: + - A ktype is the type of object that embeds a kobject. Every structure + that embeds a kobject needs a corresponding ktype. + +So add sanity check to make sure kset->kobj.ktype is not NULL. + +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20230805084114.1298-2-thunder.leizhen@huaweicloud.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/kobject.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/kobject.c b/lib/kobject.c +index bbbb067de8ecd..b908655c58123 100644 +--- a/lib/kobject.c ++++ b/lib/kobject.c +@@ -814,6 +814,11 @@ int kset_register(struct kset *k) + if (!k) + return -EINVAL; + ++ if (!k->kobj.ktype) { ++ pr_err("must have a ktype to be initialized properly!\n"); ++ return -EINVAL; ++ } ++ + kset_init(k); + err = kobject_add_internal(&k->kobj); + if (err) +-- +2.40.1 + diff --git a/queue-4.14/md-raid1-fix-error-iso-c90-forbids-mixed-declaration.patch b/queue-4.14/md-raid1-fix-error-iso-c90-forbids-mixed-declaration.patch new file mode 100644 index 00000000000..abd47e04aaa --- /dev/null +++ b/queue-4.14/md-raid1-fix-error-iso-c90-forbids-mixed-declaration.patch @@ -0,0 +1,54 @@ +From a64e2f9d7bae66f808cee3bd020c8d6061f6af98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 14:25:23 -0700 +Subject: md/raid1: fix error: ISO C90 forbids mixed declarations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nigel Croxon + +[ Upstream commit df203da47f4428bc286fc99318936416253a321c ] + +There is a compile error when this commit is added: +md: raid1: fix potential OOB in raid1_remove_disk() + +drivers/md/raid1.c: In function 'raid1_remove_disk': +drivers/md/raid1.c:1844:9: error: ISO C90 forbids mixed declarations +and code [-Werror=declaration-after-statement] +1844 |         struct raid1_info *p = conf->mirrors + number; +     |         ^~~~~~ + +That's because the new code was inserted before the struct. +The change is move the struct command above this commit. + +Fixes: 8b0472b50bcf ("md: raid1: fix potential OOB in raid1_remove_disk()") +Signed-off-by: Nigel Croxon +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/46d929d0-2aab-4cf2-b2bf-338963e8ba5a@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 3e54b6639e213..7e37e4b2ec6ae 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1775,12 +1775,11 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev) + struct r1conf *conf = mddev->private; + int err = 0; + int number = rdev->raid_disk; ++ struct raid1_info *p = conf->mirrors + number; + + if (unlikely(number >= conf->raid_disks)) + goto abort; + +- struct raid1_info *p = conf->mirrors + number; +- + if (rdev != p->rdev) + p = conf->mirrors + conf->raid_disks + number; + +-- +2.40.1 + diff --git a/queue-4.14/md-raid1-fix-potential-oob-in-raid1_remove_disk.patch b/queue-4.14/md-raid1-fix-potential-oob-in-raid1_remove_disk.patch new file mode 100644 index 00000000000..7c3d23ad39c --- /dev/null +++ b/queue-4.14/md-raid1-fix-potential-oob-in-raid1_remove_disk.patch @@ -0,0 +1,46 @@ +From 24a0f834f1223e1678f4fd09d93e46cb582d9926 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jul 2023 15:53:53 +0800 +Subject: md: raid1: fix potential OOB in raid1_remove_disk() + +From: Zhang Shurong + +[ Upstream commit 8b0472b50bcf0f19a5119b00a53b63579c8e1e4d ] + +If rddev->raid_disk is greater than mddev->raid_disks, there will be +an out-of-bounds in raid1_remove_disk(). We have already found +similar reports as follows: + +1) commit d17f744e883b ("md-raid10: fix KASAN warning") +2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk") + +Fix this bug by checking whether the "number" variable is +valid. + +Signed-off-by: Zhang Shurong +Reviewed-by: Yu Kuai +Link: https://lore.kernel.org/r/tencent_0D24426FAC6A21B69AC0C03CE4143A508F09@qq.com +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 28f78199de3ba..3e54b6639e213 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1775,6 +1775,10 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev) + struct r1conf *conf = mddev->private; + int err = 0; + int number = rdev->raid_disk; ++ ++ if (unlikely(number >= conf->raid_disks)) ++ goto abort; ++ + struct raid1_info *p = conf->mirrors + number; + + if (rdev != p->rdev) +-- +2.40.1 + diff --git a/queue-4.14/media-af9005-fix-null-ptr-deref-in-af9005_i2c_xfer.patch b/queue-4.14/media-af9005-fix-null-ptr-deref-in-af9005_i2c_xfer.patch new file mode 100644 index 00000000000..ee98635079f --- /dev/null +++ b/queue-4.14/media-af9005-fix-null-ptr-deref-in-af9005_i2c_xfer.patch @@ -0,0 +1,52 @@ +From 5eb486b8b3d2b01d02c61ac9b277c067faaf5de0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 23:24:11 +0800 +Subject: media: af9005: Fix null-ptr-deref in af9005_i2c_xfer + +From: Zhang Shurong + +[ Upstream commit f4ee84f27625ce1fdf41e8483fa0561a1b837d10 ] + +In af9005_i2c_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach af9005_i2c_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a +("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Zhang Shurong +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/af9005.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/af9005.c b/drivers/media/usb/dvb-usb/af9005.c +index 66990a193bc50..83971daa72506 100644 +--- a/drivers/media/usb/dvb-usb/af9005.c ++++ b/drivers/media/usb/dvb-usb/af9005.c +@@ -431,6 +431,10 @@ static int af9005_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + if (ret == 0) + ret = 2; + } else { ++ if (msg[0].len < 2) { ++ ret = -EOPNOTSUPP; ++ goto unlock; ++ } + /* write one or more registers */ + reg = msg[0].buf[0]; + addr = msg[0].addr; +@@ -440,6 +444,7 @@ static int af9005_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + ret = 1; + } + ++unlock: + mutex_unlock(&d->i2c_mutex); + return ret; + } +-- +2.40.1 + diff --git a/queue-4.14/media-anysee-fix-null-ptr-deref-in-anysee_master_xfe.patch b/queue-4.14/media-anysee-fix-null-ptr-deref-in-anysee_master_xfe.patch new file mode 100644 index 00000000000..77d68ac0021 --- /dev/null +++ b/queue-4.14/media-anysee-fix-null-ptr-deref-in-anysee_master_xfe.patch @@ -0,0 +1,43 @@ +From e774a73e41288ad00e19984c1481452203f36a4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 00:02:20 +0800 +Subject: media: anysee: fix null-ptr-deref in anysee_master_xfer + +From: Zhang Shurong + +[ Upstream commit c30411266fd67ea3c02a05c157231654d5a3bdc9 ] + +In anysee_master_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach anysee_master_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a +("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Zhang Shurong +Signed-off-by: Hans Verkuil +[hverkuil: add spaces around +] +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/anysee.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/anysee.c b/drivers/media/usb/dvb-usb-v2/anysee.c +index 20ee7eea2a91e..83af86505363b 100644 +--- a/drivers/media/usb/dvb-usb-v2/anysee.c ++++ b/drivers/media/usb/dvb-usb-v2/anysee.c +@@ -211,7 +211,7 @@ static int anysee_master_xfer(struct i2c_adapter *adap, struct i2c_msg *msg, + + while (i < num) { + if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) { +- if (msg[i].len > 2 || msg[i+1].len > 60) { ++ if (msg[i].len != 2 || msg[i + 1].len > 60) { + ret = -EOPNOTSUPP; + break; + } +-- +2.40.1 + diff --git a/queue-4.14/media-az6007-fix-null-ptr-deref-in-az6007_i2c_xfer.patch b/queue-4.14/media-az6007-fix-null-ptr-deref-in-az6007_i2c_xfer.patch new file mode 100644 index 00000000000..2944b3bc9a9 --- /dev/null +++ b/queue-4.14/media-az6007-fix-null-ptr-deref-in-az6007_i2c_xfer.patch @@ -0,0 +1,55 @@ +From 606d66dee19a9c4dc57f6800143a84a2ef1a2387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 00:28:17 +0800 +Subject: media: az6007: Fix null-ptr-deref in az6007_i2c_xfer() + +From: Zhang Shurong + +[ Upstream commit 1047f9343011f2cedc73c64829686206a7e9fc3f ] + +In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach az6007_i2c_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a +("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Zhang Shurong +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/az6007.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c +index 1830badb180d8..668b6091b4423 100644 +--- a/drivers/media/usb/dvb-usb-v2/az6007.c ++++ b/drivers/media/usb/dvb-usb-v2/az6007.c +@@ -796,6 +796,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], + if (az6007_xfer_debug) + printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n", + addr, msgs[i].len); ++ if (msgs[i].len < 1) { ++ ret = -EIO; ++ goto err; ++ } + req = AZ6007_I2C_WR; + index = msgs[i].buf[0]; + value = addr | (1 << 8); +@@ -810,6 +814,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], + if (az6007_xfer_debug) + printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n", + addr, msgs[i].len); ++ if (msgs[i].len < 1) { ++ ret = -EIO; ++ goto err; ++ } + req = AZ6007_I2C_RD; + index = msgs[i].buf[0]; + value = addr; +-- +2.40.1 + diff --git a/queue-4.14/media-dvb-usb-v2-af9035-fix-null-ptr-deref-in-af9035.patch b/queue-4.14/media-dvb-usb-v2-af9035-fix-null-ptr-deref-in-af9035.patch new file mode 100644 index 00000000000..fa508484bf9 --- /dev/null +++ b/queue-4.14/media-dvb-usb-v2-af9035-fix-null-ptr-deref-in-af9035.patch @@ -0,0 +1,64 @@ +From 6657d7b29bbd5bb71bf00dcfac618511f1ec1127 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 00:06:54 +0800 +Subject: media: dvb-usb-v2: af9035: Fix null-ptr-deref in + af9035_i2c_master_xfer + +From: Zhang Shurong + +[ Upstream commit 7bf744f2de0a848fb1d717f5831b03db96feae89 ] + +In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a +("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Zhang Shurong +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/af9035.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/af9035.c b/drivers/media/usb/dvb-usb-v2/af9035.c +index 1f6c1eefe3892..55c7e7348869b 100644 +--- a/drivers/media/usb/dvb-usb-v2/af9035.c ++++ b/drivers/media/usb/dvb-usb-v2/af9035.c +@@ -336,6 +336,8 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, + ret = -EOPNOTSUPP; + } else if ((msg[0].addr == state->af9033_i2c_addr[0]) || + (msg[0].addr == state->af9033_i2c_addr[1])) { ++ if (msg[0].len < 3 || msg[1].len < 1) ++ return -EOPNOTSUPP; + /* demod access via firmware interface */ + u32 reg = msg[0].buf[0] << 16 | msg[0].buf[1] << 8 | + msg[0].buf[2]; +@@ -395,6 +397,8 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, + ret = -EOPNOTSUPP; + } else if ((msg[0].addr == state->af9033_i2c_addr[0]) || + (msg[0].addr == state->af9033_i2c_addr[1])) { ++ if (msg[0].len < 3) ++ return -EOPNOTSUPP; + /* demod access via firmware interface */ + u32 reg = msg[0].buf[0] << 16 | msg[0].buf[1] << 8 | + msg[0].buf[2]; +@@ -402,10 +406,7 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, + if (msg[0].addr == state->af9033_i2c_addr[1]) + reg |= 0x100000; + +- ret = (msg[0].len >= 3) ? af9035_wr_regs(d, reg, +- &msg[0].buf[3], +- msg[0].len - 3) +- : -EOPNOTSUPP; ++ ret = af9035_wr_regs(d, reg, &msg[0].buf[3], msg[0].len - 3); + } else { + /* I2C write */ + u8 buf[MAX_XFER_SIZE]; +-- +2.40.1 + diff --git a/queue-4.14/media-dw2102-fix-null-ptr-deref-in-dw2102_i2c_transf.patch b/queue-4.14/media-dw2102-fix-null-ptr-deref-in-dw2102_i2c_transf.patch new file mode 100644 index 00000000000..c5de98cdad9 --- /dev/null +++ b/queue-4.14/media-dw2102-fix-null-ptr-deref-in-dw2102_i2c_transf.patch @@ -0,0 +1,98 @@ +From f3e2929e9aeb2a444ea24e09671f0517955b63c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 18:22:52 +0800 +Subject: media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() + +From: Zhang Shurong + +[ Upstream commit 5ae544d94abc8ff77b1b9bf8774def3fa5689b5b ] + +In dw2102_i2c_transfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach dw2102_i2c_transfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 950e252cb469 +("[media] dw2102: limit messages to buffer size") + +Signed-off-by: Zhang Shurong +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dw2102.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c +index 2c9c4432a0e65..ef22188104718 100644 +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -133,6 +133,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + + switch (num) { + case 2: ++ if (msg[0].len < 1) { ++ num = -EOPNOTSUPP; ++ break; ++ } + /* read stv0299 register */ + value = msg[0].buf[0];/* register */ + for (i = 0; i < msg[1].len; i++) { +@@ -144,6 +148,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + case 1: + switch (msg[0].addr) { + case 0x68: ++ if (msg[0].len < 2) { ++ num = -EOPNOTSUPP; ++ break; ++ } + /* write to stv0299 register */ + buf6[0] = 0x2a; + buf6[1] = msg[0].buf[0]; +@@ -153,6 +161,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + break; + case 0x60: + if (msg[0].flags == 0) { ++ if (msg[0].len < 4) { ++ num = -EOPNOTSUPP; ++ break; ++ } + /* write to tuner pll */ + buf6[0] = 0x2c; + buf6[1] = 5; +@@ -164,6 +176,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + dw210x_op_rw(d->udev, 0xb2, 0, 0, + buf6, 7, DW210X_WRITE_MSG); + } else { ++ if (msg[0].len < 1) { ++ num = -EOPNOTSUPP; ++ break; ++ } + /* read from tuner */ + dw210x_op_rw(d->udev, 0xb5, 0, 0, + buf6, 1, DW210X_READ_MSG); +@@ -171,12 +187,20 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + } + break; + case (DW2102_RC_QUERY): ++ if (msg[0].len < 2) { ++ num = -EOPNOTSUPP; ++ break; ++ } + dw210x_op_rw(d->udev, 0xb8, 0, 0, + buf6, 2, DW210X_READ_MSG); + msg[0].buf[0] = buf6[0]; + msg[0].buf[1] = buf6[1]; + break; + case (DW2102_VOLTAGE_CTRL): ++ if (msg[0].len < 1) { ++ num = -EOPNOTSUPP; ++ break; ++ } + buf6[0] = 0x30; + buf6[1] = msg[0].buf[0]; + dw210x_op_rw(d->udev, 0xb2, 0, 0, +-- +2.40.1 + diff --git a/queue-4.14/media-pci-cx23885-replace-bug-with-error-return.patch b/queue-4.14/media-pci-cx23885-replace-bug-with-error-return.patch new file mode 100644 index 00000000000..d7a0ae6fc5a --- /dev/null +++ b/queue-4.14/media-pci-cx23885-replace-bug-with-error-return.patch @@ -0,0 +1,36 @@ +From dc6a3f73a7cb0a0e2c91419df75f88c14c35a213 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 10:23:42 +0200 +Subject: media: pci: cx23885: replace BUG with error return + +From: Hans Verkuil + +[ Upstream commit 2e1796fd4904fdd6062a8e4589778ea899ea0c8d ] + +It was completely unnecessary to use BUG in buffer_prepare(). +Just replace it with an error return. This also fixes a smatch warning: + +drivers/media/pci/cx23885/cx23885-video.c:422 buffer_prepare() error: uninitialized symbol 'ret'. + +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx23885/cx23885-video.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c +index ecc580af01481..1c4b3224cb0fb 100644 +--- a/drivers/media/pci/cx23885/cx23885-video.c ++++ b/drivers/media/pci/cx23885/cx23885-video.c +@@ -418,7 +418,7 @@ static int buffer_prepare(struct vb2_buffer *vb) + dev->height >> 1); + break; + default: +- BUG(); ++ return -EINVAL; /* should not happen */ + } + dprintk(2, "[%p/%d] buffer_init - %dx%d %dbpp \"%s\" - dma=0x%08lx\n", + buf, buf->vb.vb2_buf.index, +-- +2.40.1 + diff --git a/queue-4.14/media-tuners-qt1010-replace-bug_on-with-a-regular-er.patch b/queue-4.14/media-tuners-qt1010-replace-bug_on-with-a-regular-er.patch new file mode 100644 index 00000000000..4b009dc9e3e --- /dev/null +++ b/queue-4.14/media-tuners-qt1010-replace-bug_on-with-a-regular-er.patch @@ -0,0 +1,46 @@ +From a869ccd923ff8b46c15546eec90ee4d5c24a3a62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 08:20:51 +0200 +Subject: media: tuners: qt1010: replace BUG_ON with a regular error + +From: Hans Verkuil + +[ Upstream commit ee630b29ea44d1851bb6c903f400956604834463 ] + +BUG_ON is unnecessary here, and in addition it confuses smatch. +Replacing this with an error return help resolve this smatch +warning: + +drivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow 'i2c_data' 34 <= 34 + +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/tuners/qt1010.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/tuners/qt1010.c b/drivers/media/tuners/qt1010.c +index 31258749b27b7..37a1db02a3042 100644 +--- a/drivers/media/tuners/qt1010.c ++++ b/drivers/media/tuners/qt1010.c +@@ -351,11 +351,12 @@ static int qt1010_init(struct dvb_frontend *fe) + else + valptr = &tmpval; + +- BUG_ON(i >= ARRAY_SIZE(i2c_data) - 1); +- +- err = qt1010_init_meas1(priv, i2c_data[i+1].reg, +- i2c_data[i].reg, +- i2c_data[i].val, valptr); ++ if (i >= ARRAY_SIZE(i2c_data) - 1) ++ err = -EIO; ++ else ++ err = qt1010_init_meas1(priv, i2c_data[i + 1].reg, ++ i2c_data[i].reg, ++ i2c_data[i].val, valptr); + i++; + break; + } +-- +2.40.1 + diff --git a/queue-4.14/powerpc-pseries-fix-possible-memory-leak-in-ibmebus_.patch b/queue-4.14/powerpc-pseries-fix-possible-memory-leak-in-ibmebus_.patch new file mode 100644 index 00000000000..226baab88af --- /dev/null +++ b/queue-4.14/powerpc-pseries-fix-possible-memory-leak-in-ibmebus_.patch @@ -0,0 +1,39 @@ +From 6e1c42c4db465571b55cfb1ab63cf45b0d062acf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 09:19:29 +0800 +Subject: powerpc/pseries: fix possible memory leak in ibmebus_bus_init() + +From: ruanjinjie + +[ Upstream commit afda85b963c12947e298ad85d757e333aa40fd74 ] + +If device_register() returns error in ibmebus_bus_init(), name of kobject +which is allocated in dev_set_name() called in device_add() is leaked. + +As comment of device_add() says, it should call put_device() to drop +the reference count that was set in device_initialize() when it fails, +so the name can be freed in kobject_cleanup(). + +Signed-off-by: ruanjinjie +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20221110011929.3709774-1-ruanjinjie@huawei.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/ibmebus.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/pseries/ibmebus.c b/arch/powerpc/platforms/pseries/ibmebus.c +index 408a860441330..a3d6d064754e8 100644 +--- a/arch/powerpc/platforms/pseries/ibmebus.c ++++ b/arch/powerpc/platforms/pseries/ibmebus.c +@@ -452,6 +452,7 @@ static int __init ibmebus_bus_init(void) + if (err) { + printk(KERN_WARNING "%s: device_register returned %i\n", + __func__, err); ++ put_device(&ibmebus_bus_device); + bus_unregister(&ibmebus_bus_type); + + return err; +-- +2.40.1 + diff --git a/queue-4.14/scsi-target-iscsi-fix-buffer-overflow-in-lio_target_.patch b/queue-4.14/scsi-target-iscsi-fix-buffer-overflow-in-lio_target_.patch new file mode 100644 index 00000000000..169b5e252f8 --- /dev/null +++ b/queue-4.14/scsi-target-iscsi-fix-buffer-overflow-in-lio_target_.patch @@ -0,0 +1,163 @@ +From 122cb46d928ceec824969164715a355f291efc1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jul 2023 18:26:37 +0300 +Subject: scsi: target: iscsi: Fix buffer overflow in + lio_target_nacl_info_show() + +From: Konstantin Shelekhin + +[ Upstream commit 801f287c93ff95582b0a2d2163f12870a2f076d4 ] + +The function lio_target_nacl_info_show() uses sprintf() in a loop to print +details for every iSCSI connection in a session without checking for the +buffer length. With enough iSCSI connections it's possible to overflow the +buffer provided by configfs and corrupt the memory. + +This patch replaces sprintf() with sysfs_emit_at() that checks for buffer +boundries. + +Signed-off-by: Konstantin Shelekhin +Link: https://lore.kernel.org/r/20230722152657.168859-2-k.shelekhin@yadro.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_configfs.c | 54 ++++++++++---------- + 1 file changed, 27 insertions(+), 27 deletions(-) + +diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c +index 4191e4a8a9ed6..b3d445ef84237 100644 +--- a/drivers/target/iscsi/iscsi_target_configfs.c ++++ b/drivers/target/iscsi/iscsi_target_configfs.c +@@ -516,102 +516,102 @@ static ssize_t lio_target_nacl_info_show(struct config_item *item, char *page) + spin_lock_bh(&se_nacl->nacl_sess_lock); + se_sess = se_nacl->nacl_sess; + if (!se_sess) { +- rb += sprintf(page+rb, "No active iSCSI Session for Initiator" ++ rb += sysfs_emit_at(page, rb, "No active iSCSI Session for Initiator" + " Endpoint: %s\n", se_nacl->initiatorname); + } else { + sess = se_sess->fabric_sess_ptr; + +- rb += sprintf(page+rb, "InitiatorName: %s\n", ++ rb += sysfs_emit_at(page, rb, "InitiatorName: %s\n", + sess->sess_ops->InitiatorName); +- rb += sprintf(page+rb, "InitiatorAlias: %s\n", ++ rb += sysfs_emit_at(page, rb, "InitiatorAlias: %s\n", + sess->sess_ops->InitiatorAlias); + +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "LIO Session ID: %u ISID: 0x%6ph TSIH: %hu ", + sess->sid, sess->isid, sess->tsih); +- rb += sprintf(page+rb, "SessionType: %s\n", ++ rb += sysfs_emit_at(page, rb, "SessionType: %s\n", + (sess->sess_ops->SessionType) ? + "Discovery" : "Normal"); +- rb += sprintf(page+rb, "Session State: "); ++ rb += sysfs_emit_at(page, rb, "Session State: "); + switch (sess->session_state) { + case TARG_SESS_STATE_FREE: +- rb += sprintf(page+rb, "TARG_SESS_FREE\n"); ++ rb += sysfs_emit_at(page, rb, "TARG_SESS_FREE\n"); + break; + case TARG_SESS_STATE_ACTIVE: +- rb += sprintf(page+rb, "TARG_SESS_STATE_ACTIVE\n"); ++ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_ACTIVE\n"); + break; + case TARG_SESS_STATE_LOGGED_IN: +- rb += sprintf(page+rb, "TARG_SESS_STATE_LOGGED_IN\n"); ++ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_LOGGED_IN\n"); + break; + case TARG_SESS_STATE_FAILED: +- rb += sprintf(page+rb, "TARG_SESS_STATE_FAILED\n"); ++ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_FAILED\n"); + break; + case TARG_SESS_STATE_IN_CONTINUE: +- rb += sprintf(page+rb, "TARG_SESS_STATE_IN_CONTINUE\n"); ++ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_IN_CONTINUE\n"); + break; + default: +- rb += sprintf(page+rb, "ERROR: Unknown Session" ++ rb += sysfs_emit_at(page, rb, "ERROR: Unknown Session" + " State!\n"); + break; + } + +- rb += sprintf(page+rb, "---------------------[iSCSI Session" ++ rb += sysfs_emit_at(page, rb, "---------------------[iSCSI Session" + " Values]-----------------------\n"); +- rb += sprintf(page+rb, " CmdSN/WR : CmdSN/WC : ExpCmdSN" ++ rb += sysfs_emit_at(page, rb, " CmdSN/WR : CmdSN/WC : ExpCmdSN" + " : MaxCmdSN : ITT : TTT\n"); + max_cmd_sn = (u32) atomic_read(&sess->max_cmd_sn); +- rb += sprintf(page+rb, " 0x%08x 0x%08x 0x%08x 0x%08x" ++ rb += sysfs_emit_at(page, rb, " 0x%08x 0x%08x 0x%08x 0x%08x" + " 0x%08x 0x%08x\n", + sess->cmdsn_window, + (max_cmd_sn - sess->exp_cmd_sn) + 1, + sess->exp_cmd_sn, max_cmd_sn, + sess->init_task_tag, sess->targ_xfer_tag); +- rb += sprintf(page+rb, "----------------------[iSCSI" ++ rb += sysfs_emit_at(page, rb, "----------------------[iSCSI" + " Connections]-------------------------\n"); + + spin_lock(&sess->conn_lock); + list_for_each_entry(conn, &sess->sess_conn_list, conn_list) { +- rb += sprintf(page+rb, "CID: %hu Connection" ++ rb += sysfs_emit_at(page, rb, "CID: %hu Connection" + " State: ", conn->cid); + switch (conn->conn_state) { + case TARG_CONN_STATE_FREE: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_FREE\n"); + break; + case TARG_CONN_STATE_XPT_UP: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_XPT_UP\n"); + break; + case TARG_CONN_STATE_IN_LOGIN: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_IN_LOGIN\n"); + break; + case TARG_CONN_STATE_LOGGED_IN: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_LOGGED_IN\n"); + break; + case TARG_CONN_STATE_IN_LOGOUT: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_IN_LOGOUT\n"); + break; + case TARG_CONN_STATE_LOGOUT_REQUESTED: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_LOGOUT_REQUESTED\n"); + break; + case TARG_CONN_STATE_CLEANUP_WAIT: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_CLEANUP_WAIT\n"); + break; + default: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "ERROR: Unknown Connection State!\n"); + break; + } + +- rb += sprintf(page+rb, " Address %pISc %s", &conn->login_sockaddr, ++ rb += sysfs_emit_at(page, rb, " Address %pISc %s", &conn->login_sockaddr, + (conn->network_transport == ISCSI_TCP) ? + "TCP" : "SCTP"); +- rb += sprintf(page+rb, " StatSN: 0x%08x\n", ++ rb += sysfs_emit_at(page, rb, " StatSN: 0x%08x\n", + conn->stat_sn); + } + spin_unlock(&sess->conn_lock); +-- +2.40.1 + diff --git a/queue-4.14/serial-cpm_uart-avoid-suspicious-locking.patch b/queue-4.14/serial-cpm_uart-avoid-suspicious-locking.patch new file mode 100644 index 00000000000..3a7e2c22335 --- /dev/null +++ b/queue-4.14/serial-cpm_uart-avoid-suspicious-locking.patch @@ -0,0 +1,80 @@ +From 15b4cbb82744dd026c6b7f39b63f6e29f8a842cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 15:56:42 +0200 +Subject: serial: cpm_uart: Avoid suspicious locking + +From: Christophe Leroy + +[ Upstream commit 36ef11d311f405e55ad8e848c19b212ff71ef536 ] + + CHECK drivers/tty/serial/cpm_uart/cpm_uart_core.c +drivers/tty/serial/cpm_uart/cpm_uart_core.c:1271:39: warning: context imbalance in 'cpm_uart_console_write' - unexpected unlock + +Allthough 'nolock' is not expected to change, sparse find the following +form suspicious: + + if (unlikely(nolock)) { + local_irq_save(flags); + } else { + spin_lock_irqsave(&pinfo->port.lock, flags); + } + + cpm_uart_early_write(pinfo, s, count, true); + + if (unlikely(nolock)) { + local_irq_restore(flags); + } else { + spin_unlock_irqrestore(&pinfo->port.lock, flags); + } + +Rewrite it a more obvious form: + + if (unlikely(oops_in_progress)) { + local_irq_save(flags); + cpm_uart_early_write(pinfo, s, count, true); + local_irq_restore(flags); + } else { + spin_lock_irqsave(&pinfo->port.lock, flags); + cpm_uart_early_write(pinfo, s, count, true); + spin_unlock_irqrestore(&pinfo->port.lock, flags); + } + +Signed-off-by: Christophe Leroy +Link: https://lore.kernel.org/r/f7da5cdc9287960185829cfef681a7d8614efa1f.1691068700.git.christophe.leroy@csgroup.eu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/cpm_uart/cpm_uart_core.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/drivers/tty/serial/cpm_uart/cpm_uart_core.c b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +index 8f5a5a16cb3b2..f0af8a6de0aae 100644 +--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c ++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +@@ -1283,19 +1283,14 @@ static void cpm_uart_console_write(struct console *co, const char *s, + { + struct uart_cpm_port *pinfo = &cpm_uart_ports[co->index]; + unsigned long flags; +- int nolock = oops_in_progress; + +- if (unlikely(nolock)) { ++ if (unlikely(oops_in_progress)) { + local_irq_save(flags); +- } else { +- spin_lock_irqsave(&pinfo->port.lock, flags); +- } +- +- cpm_uart_early_write(pinfo, s, count, true); +- +- if (unlikely(nolock)) { ++ cpm_uart_early_write(pinfo, s, count, true); + local_irq_restore(flags); + } else { ++ spin_lock_irqsave(&pinfo->port.lock, flags); ++ cpm_uart_early_write(pinfo, s, count, true); + spin_unlock_irqrestore(&pinfo->port.lock, flags); + } + } +-- +2.40.1 + diff --git a/queue-4.14/series b/queue-4.14/series index f12a4b7a21d..896cc6e82cf 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -146,3 +146,32 @@ kcm-fix-memory-leak-in-error-path-of-kcm_sendmsg.patch ixgbe-fix-timestamp-configuration-code.patch kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch parisc-drop-loops_per_jiffy-from-per_cpu-struct.patch +autofs-fix-memory-leak-of-waitqueues-in-autofs_catat.patch +btrfs-output-extra-debug-info-if-we-failed-to-find-a.patch +acpica-add-aml_no_operand_resolve-flag-to-timer.patch +acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch +hw_breakpoint-fix-single-stepping-when-using-bpf_ove.patch +wifi-ath9k-fix-printk-specifier.patch +wifi-mwifiex-fix-fortify-warning.patch +crypto-lib-mpi-avoid-null-pointer-deref-in-mpi_cmp_u.patch +tpm_tis-resend-command-to-recover-from-data-transfer.patch +alx-fix-oob-read-compiler-warning.patch +drm-exynos-fix-a-possible-null-pointer-dereference-d.patch +md-raid1-fix-potential-oob-in-raid1_remove_disk.patch +ext2-fix-datatype-of-block-number-in-ext2_xattr_set2.patch +fs-jfs-prevent-double-free-in-dbunmount-after-failed.patch +jfs-fix-invalid-free-of-jfs_ip-ipimap-i_imap-in-diun.patch +powerpc-pseries-fix-possible-memory-leak-in-ibmebus_.patch +media-dvb-usb-v2-af9035-fix-null-ptr-deref-in-af9035.patch +media-dw2102-fix-null-ptr-deref-in-dw2102_i2c_transf.patch +media-af9005-fix-null-ptr-deref-in-af9005_i2c_xfer.patch +media-anysee-fix-null-ptr-deref-in-anysee_master_xfe.patch +media-az6007-fix-null-ptr-deref-in-az6007_i2c_xfer.patch +iio-core-use-min-instead-of-min_t-to-make-code-more-.patch +media-tuners-qt1010-replace-bug_on-with-a-regular-er.patch +media-pci-cx23885-replace-bug-with-error-return.patch +usb-gadget-fsl_qe_udc-validate-endpoint-index-for-ch.patch +scsi-target-iscsi-fix-buffer-overflow-in-lio_target_.patch +serial-cpm_uart-avoid-suspicious-locking.patch +kobject-add-sanity-check-for-kset-kobj.ktype-in-kset.patch +md-raid1-fix-error-iso-c90-forbids-mixed-declaration.patch diff --git a/queue-4.14/tpm_tis-resend-command-to-recover-from-data-transfer.patch b/queue-4.14/tpm_tis-resend-command-to-recover-from-data-transfer.patch new file mode 100644 index 00000000000..6ffea75c660 --- /dev/null +++ b/queue-4.14/tpm_tis-resend-command-to-recover-from-data-transfer.patch @@ -0,0 +1,50 @@ +From 245cffb2ca926d317d1330f3e8d11cf92ae804f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 20:02:59 +0200 +Subject: tpm_tis: Resend command to recover from data transfer errors + +From: Alexander Steffen + +[ Upstream commit 280db21e153d8810ce3b93640c63ae922bcb9e8e ] + +Similar to the transmission of TPM responses, also the transmission of TPM +commands may become corrupted. Instead of aborting when detecting such +issues, try resending the command again. + +Signed-off-by: Alexander Steffen +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm_tis_core.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c +index 3255815585096..9d731e2655949 100644 +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -364,10 +364,17 @@ static int tpm_tis_send_main(struct tpm_chip *chip, const u8 *buf, size_t len) + int rc; + u32 ordinal; + unsigned long dur; +- +- rc = tpm_tis_send_data(chip, buf, len); +- if (rc < 0) +- return rc; ++ unsigned int try; ++ ++ for (try = 0; try < TPM_RETRY; try++) { ++ rc = tpm_tis_send_data(chip, buf, len); ++ if (rc >= 0) ++ /* Data transfer done successfully */ ++ break; ++ else if (rc != -EIO) ++ /* Data transfer failed, not recoverable */ ++ return rc; ++ } + + /* go and do it */ + rc = tpm_tis_write8(priv, TPM_STS(priv->locality), TPM_STS_GO); +-- +2.40.1 + diff --git a/queue-4.14/usb-gadget-fsl_qe_udc-validate-endpoint-index-for-ch.patch b/queue-4.14/usb-gadget-fsl_qe_udc-validate-endpoint-index-for-ch.patch new file mode 100644 index 00000000000..45f7b90b7ee --- /dev/null +++ b/queue-4.14/usb-gadget-fsl_qe_udc-validate-endpoint-index-for-ch.patch @@ -0,0 +1,37 @@ +From 959bb80ec7ec44339b1801c05df51339eb5263ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 16:15:11 +0800 +Subject: usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc + +From: Ma Ke + +[ Upstream commit ce9daa2efc0872a9a68ea51dc8000df05893ef2e ] + +We should verify the bound of the array to assure that host +may not manipulate the index to point past endpoint array. + +Signed-off-by: Ma Ke +Acked-by: Li Yang +Link: https://lore.kernel.org/r/20230628081511.186850-1-make_ruc2021@163.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fsl_qe_udc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/gadget/udc/fsl_qe_udc.c b/drivers/usb/gadget/udc/fsl_qe_udc.c +index a3e72d690eef9..962e3ea4dc147 100644 +--- a/drivers/usb/gadget/udc/fsl_qe_udc.c ++++ b/drivers/usb/gadget/udc/fsl_qe_udc.c +@@ -1954,6 +1954,8 @@ static void ch9getstatus(struct qe_udc *udc, u8 request_type, u16 value, + } else if ((request_type & USB_RECIP_MASK) == USB_RECIP_ENDPOINT) { + /* Get endpoint status */ + int pipe = index & USB_ENDPOINT_NUMBER_MASK; ++ if (pipe >= USB_MAX_ENDPOINTS) ++ goto stall; + struct qe_ep *target_ep = &udc->eps[pipe]; + u16 usep; + +-- +2.40.1 + diff --git a/queue-4.14/wifi-ath9k-fix-printk-specifier.patch b/queue-4.14/wifi-ath9k-fix-printk-specifier.patch new file mode 100644 index 00000000000..d30b1c9968a --- /dev/null +++ b/queue-4.14/wifi-ath9k-fix-printk-specifier.patch @@ -0,0 +1,68 @@ +From c9e675ce8ad29dfd844795aa8c6fc1108de79ba7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 12:04:02 +0800 +Subject: wifi: ath9k: fix printk specifier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dongliang Mu + +[ Upstream commit 061115fbfb2ce5870c9a004d68dc63138c07c782 ] + +Smatch reports: + +ath_pci_probe() warn: argument 4 to %lx specifier is cast from pointer +ath_ahb_probe() warn: argument 4 to %lx specifier is cast from pointer + +Fix it by modifying %lx to %p in the printk format string. + +Note that with this change, the pointer address will be printed as a +hashed value by default. This is appropriate because the kernel +should not leak kernel pointers to user space in an informational +message. If someone wants to see the real address for debugging +purposes, this can be achieved with the no_hash_pointers kernel option. + +Signed-off-by: Dongliang Mu +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230723040403.296723-1-dzm91@hust.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/ahb.c | 4 ++-- + drivers/net/wireless/ath/ath9k/pci.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/ahb.c b/drivers/net/wireless/ath/ath9k/ahb.c +index 2bd982c3a479d..375628dc654e4 100644 +--- a/drivers/net/wireless/ath/ath9k/ahb.c ++++ b/drivers/net/wireless/ath/ath9k/ahb.c +@@ -135,8 +135,8 @@ static int ath_ahb_probe(struct platform_device *pdev) + + ah = sc->sc_ah; + ath9k_hw_name(ah, hw_name, sizeof(hw_name)); +- wiphy_info(hw->wiphy, "%s mem=0x%lx, irq=%d\n", +- hw_name, (unsigned long)mem, irq); ++ wiphy_info(hw->wiphy, "%s mem=0x%p, irq=%d\n", ++ hw_name, mem, irq); + + return 0; + +diff --git a/drivers/net/wireless/ath/ath9k/pci.c b/drivers/net/wireless/ath/ath9k/pci.c +index 2236063112613..7ab050cad4a20 100644 +--- a/drivers/net/wireless/ath/ath9k/pci.c ++++ b/drivers/net/wireless/ath/ath9k/pci.c +@@ -975,8 +975,8 @@ static int ath_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + } + + ath9k_hw_name(sc->sc_ah, hw_name, sizeof(hw_name)); +- wiphy_info(hw->wiphy, "%s mem=0x%lx, irq=%d\n", +- hw_name, (unsigned long)sc->mem, pdev->irq); ++ wiphy_info(hw->wiphy, "%s mem=0x%p, irq=%d\n", ++ hw_name, sc->mem, pdev->irq); + + return 0; + +-- +2.40.1 + diff --git a/queue-4.14/wifi-mwifiex-fix-fortify-warning.patch b/queue-4.14/wifi-mwifiex-fix-fortify-warning.patch new file mode 100644 index 00000000000..0882d822e37 --- /dev/null +++ b/queue-4.14/wifi-mwifiex-fix-fortify-warning.patch @@ -0,0 +1,87 @@ +From 7aa3c9ae367f61c33ee53b593e286405f79a2898 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 11:51:01 +0300 +Subject: wifi: mwifiex: fix fortify warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Antipov + +[ Upstream commit dcce94b80a954a8968ff29fafcfb066d6197fa9a ] + +When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y, +I've noticed the following: + +In function ‘fortify_memcpy_chk’, + inlined from ‘mwifiex_construct_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:765:3, + inlined from ‘mwifiex_send_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:856:6: +./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ +declared with attribute warning: detected read beyond size of field (2nd parameter); +maybe use struct_group()? [-Wattribute-warning] + 529 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The compiler actually complains on: + +memmove(pos + ETH_ALEN, &mgmt->u.action.category, + sizeof(mgmt->u.action.u.tdls_discover_resp)); + +and it happens because the fortification logic interprets this +as an attempt to overread 1-byte 'u.action.category' member of +'struct ieee80211_mgmt'. To silence this warning, it's enough +to pass an address of 'u.action' itself instead of an address +of its first member. + +This also fixes an improper usage of 'sizeof()'. Since 'skb' is +extended with 'sizeof(mgmt->u.action.u.tdls_discover_resp) + 1' +bytes (where 1 is actually 'sizeof(mgmt->u.action.category)'), +I assume that the same number of bytes should be copied. + +Suggested-by: Brian Norris +Signed-off-by: Dmitry Antipov +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230629085115.180499-2-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/tdls.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c +index 80d20fb6f3480..a69b4983747f3 100644 +--- a/drivers/net/wireless/marvell/mwifiex/tdls.c ++++ b/drivers/net/wireless/marvell/mwifiex/tdls.c +@@ -737,6 +737,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, + int ret; + u16 capab; + struct ieee80211_ht_cap *ht_cap; ++ unsigned int extra; + u8 radio, *pos; + + capab = priv->curr_bss_params.bss_descriptor.cap_info_bitmap; +@@ -755,7 +756,10 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, + + switch (action_code) { + case WLAN_PUB_ACTION_TDLS_DISCOVER_RES: +- skb_put(skb, sizeof(mgmt->u.action.u.tdls_discover_resp) + 1); ++ /* See the layout of 'struct ieee80211_mgmt'. */ ++ extra = sizeof(mgmt->u.action.u.tdls_discover_resp) + ++ sizeof(mgmt->u.action.category); ++ skb_put(skb, extra); + mgmt->u.action.category = WLAN_CATEGORY_PUBLIC; + mgmt->u.action.u.tdls_discover_resp.action_code = + WLAN_PUB_ACTION_TDLS_DISCOVER_RES; +@@ -764,8 +768,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, + mgmt->u.action.u.tdls_discover_resp.capability = + cpu_to_le16(capab); + /* move back for addr4 */ +- memmove(pos + ETH_ALEN, &mgmt->u.action.category, +- sizeof(mgmt->u.action.u.tdls_discover_resp)); ++ memmove(pos + ETH_ALEN, &mgmt->u.action, extra); + /* init address 4 */ + memcpy(pos, bc_addr, ETH_ALEN); + +-- +2.40.1 +