From: Greg Kroah-Hartman
Date: Mon, 17 Jun 2024 12:18:36 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v6.1.95~126
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ddc0eab4e796d2ee3d03f21d42b41635a27b0b8e;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
jfs-xattr-fix-buffer-overflow-for-invalid-xattr.patch
scsi-mpt3sas-avoid-test-set_bit-operating-in-non-allocated-memory.patch
xhci-apply-broken-streams-quirk-to-etron-ej188-xhci-host.patch
xhci-apply-reset-resume-quirk-to-etron-ej188-xhci-host.patch
xhci-set-correct-transferred-length-for-cancelled-bulk-transfers.patch
---
diff --git a/queue-5.4/jfs-xattr-fix-buffer-overflow-for-invalid-xattr.patch b/queue-5.4/jfs-xattr-fix-buffer-overflow-for-invalid-xattr.patch
new file mode 100644
index 00000000000..fec2ab49ea6
--- /dev/null
+++ b/queue-5.4/jfs-xattr-fix-buffer-overflow-for-invalid-xattr.patch
@@ -0,0 +1,40 @@
+From 7c55b78818cfb732680c4a72ab270cc2d2ee3d0f Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Tue, 14 May 2024 12:06:34 +0200
+Subject: jfs: xattr: fix buffer overflow for invalid xattr
+
+From: Greg Kroah-Hartman
+
+commit 7c55b78818cfb732680c4a72ab270cc2d2ee3d0f upstream.
+
+When an xattr size is not what is expected, it is printed out to the
+kernel log in hex format as a form of debugging. But when that xattr
+size is bigger than the expected size, printing it out can cause an
+access off the end of the buffer.
+
+Fix this all up by properly restricting the size of the debug hex dump
+in the kernel log.
+
+Reported-by: syzbot+9dfe490c8176301c1d06@syzkaller.appspotmail.com
+Cc: Dave Kleikamp
+Link: https://lore.kernel.org/r/2024051433-slider-cloning-98f9@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jfs/xattr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/jfs/xattr.c
++++ b/fs/jfs/xattr.c
+@@ -557,9 +557,11 @@ static int ea_get(struct inode *inode, s
+ 
+ size_check:
+ if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
++ int size = min_t(int, EALIST_SIZE(ea_buf->xattr), ea_size);
++
+ printk(KERN_ERR "ea_get: invalid extended attribute\n");
+ print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
+- ea_buf->xattr, ea_size, 1);
++ ea_buf->xattr, size, 1);
+ ea_release(inode, ea_buf);
+ rc = -EIO;
+ goto clean_up;
diff --git a/queue-5.4/scsi-mpt3sas-avoid-test-set_bit-operating-in-non-allocated-memory.patch b/queue-5.4/scsi-mpt3sas-avoid-test-set_bit-operating-in-non-allocated-memory.patch
new file mode 100644
index 00000000000..9233cad33d2
--- /dev/null
+++ b/queue-5.4/scsi-mpt3sas-avoid-test-set_bit-operating-in-non-allocated-memory.patch
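Review bot: The clamp added in ea_get's size_check block, `int size = min_t(int, EALIST_SIZE(ea_buf->xattr), ea_size);`, only bounds the dump if both operands fit in a non-negative int; EALIST_SIZE() reads a header that comes from disk and its width is not visible in this hunk, so if it yields an unsigned 32-bit value a corrupted size above INT_MAX wraps negative under min_t(int, …), wins the comparison, and is converted to a huge size_t by print_hex_dump's len parameter — the same overread the patch is fixing. Taking the minimum in the dump's own type, `size_t size = min_t(size_t, EALIST_SIZE(ea_buf->xattr), ea_size);`, avoids that truncation, and a one-line comment such as `/* dump at most what was actually read into the buffer */` would record the intent. ea_get's body and the definition of ea_size lie outside the hunk.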
@@ -0,0 +1,80 @@
+From 4254dfeda82f20844299dca6c38cbffcfd499f41 Mon Sep 17 00:00:00 2001
+From: Breno Leitao
+Date: Wed, 5 Jun 2024 01:55:29 -0700
+Subject: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
+
+From: Breno Leitao
+
+commit 4254dfeda82f20844299dca6c38cbffcfd499f41 upstream.
+
+There is a potential out-of-bounds access when using test_bit() on a single
+word. The test_bit() and set_bit() functions operate on long values, and
+when testing or setting a single word, they can exceed the word
+boundary. KASAN detects this issue and produces a dump:
+
+ BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas
+
+ Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965
+
+For full log, please look at [1].
+
+Make the allocation at least the size of sizeof(unsigned long) so that
+set_bit() and test_bit() have sufficient room for read/write operations
+without overwriting unallocated memory.
+
+[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/
+
+Fixes: c696f7b83ede ("scsi: mpt3sas: Implement device_remove_in_progress check in IOCTL path")
+Cc: stable@vger.kernel.org
+Suggested-by: Keith Busch
+Signed-off-by: Breno Leitao
+Link: https://lore.kernel.org/r/20240605085530.499432-1-leitao@debian.org
+Reviewed-by: Keith Busch
+Signed-off-by: Martin K. 
Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -7089,6 +7089,12 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPT
+ ioc->pd_handles_sz = (ioc->facts.MaxDevHandle / 8);
+ if (ioc->facts.MaxDevHandle % 8)
+ ioc->pd_handles_sz++;
++ /*
++ * pd_handles_sz should have, at least, the minimal room for
++ * set_bit()/test_bit(), otherwise out-of-memory touch may occur.
++ */
++ ioc->pd_handles_sz = ALIGN(ioc->pd_handles_sz, sizeof(unsigned long));
++
+ ioc->pd_handles = kzalloc(ioc->pd_handles_sz,
+ GFP_KERNEL);
+ if (!ioc->pd_handles) {
+@@ -7106,6 +7112,13 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPT
+ ioc->pend_os_device_add_sz = (ioc->facts.MaxDevHandle / 8);
+ if (ioc->facts.MaxDevHandle % 8)
+ ioc->pend_os_device_add_sz++;
++
++ /*
++ * pend_os_device_add_sz should have, at least, the minimal room for
++ * set_bit()/test_bit(), otherwise out-of-memory may occur.
++ */
++ ioc->pend_os_device_add_sz = ALIGN(ioc->pend_os_device_add_sz,
++ sizeof(unsigned long));
+ ioc->pend_os_device_add = kzalloc(ioc->pend_os_device_add_sz,
+ GFP_KERNEL);
+ if (!ioc->pend_os_device_add) {
+@@ -7384,6 +7397,12 @@ _base_check_ioc_facts_changes(struct MPT
+ if (ioc->facts.MaxDevHandle % 8)
+ pd_handles_sz++;
+ 
++ /*
++ * pd_handles should have, at least, the minimal room for
++ * set_bit()/test_bit(), otherwise out-of-memory touch may
++ * occur.
++ */
++ pd_handles_sz = ALIGN(pd_handles_sz, sizeof(unsigned long));
+ pd_handles = krealloc(ioc->pd_handles, pd_handles_sz,
+ GFP_KERNEL);
+ if (!pd_handles) {
diff --git a/queue-5.4/series b/queue-5.4/series
index 82352df7999..3a37b8a9b65 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
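Review bot: The three new comments — both kzalloc sites in mpt3sas_base_attach and the krealloc site in _base_check_ioc_facts_changes — call the failure "out-of-memory touch" / "out-of-memory", but the KASAN report quoted in the description is a slab-out-of-bounds write, and the comment should name that: `/* Round up to whole longs: set_bit()/test_bit() access the bitmap in sizeof(unsigned long) units, so a smaller buffer is read and written past its end. */`. The /8, %8, ++, ALIGN() sequence is now repeated three times; `BITS_TO_LONGS(ioc->facts.MaxDevHandle) * sizeof(unsigned long)` expresses the same size in one line and keeps the three sites from drifting apart. In the krealloc path the enlarged tail is not zeroed by krealloc itself; if the function clears the new bytes with a memset outside this hunk, that memset must now use the aligned pd_handles_sz. All three enclosing functions start and end outside the hunks.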
@@ -49,3 +49,8 @@ nilfs2-return-the-mapped-address-from-nilfs_get_page.patch
 nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch
 usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch
 mei-me-release-irq-in-mei_me_pci_resume-error-path.patch
+jfs-xattr-fix-buffer-overflow-for-invalid-xattr.patch
+xhci-set-correct-transferred-length-for-cancelled-bulk-transfers.patch
+xhci-apply-reset-resume-quirk-to-etron-ej188-xhci-host.patch
+xhci-apply-broken-streams-quirk-to-etron-ej188-xhci-host.patch
+scsi-mpt3sas-avoid-test-set_bit-operating-in-non-allocated-memory.patch
diff --git a/queue-5.4/xhci-apply-broken-streams-quirk-to-etron-ej188-xhci-host.patch b/queue-5.4/xhci-apply-broken-streams-quirk-to-etron-ej188-xhci-host.patch
new file mode 100644
index 00000000000..c2c80f38159
--- /dev/null
+++ b/queue-5.4/xhci-apply-broken-streams-quirk-to-etron-ej188-xhci-host.patch
@@ -0,0 +1,37 @@
+From 91f7a1524a92c70ffe264db8bdfa075f15bbbeb9 Mon Sep 17 00:00:00 2001
+From: Kuangyi Chiang
+Date: Tue, 11 Jun 2024 15:06:09 +0300
+Subject: xhci: Apply broken streams quirk to Etron EJ188 xHCI host
+
+From: Kuangyi Chiang
+
+commit 91f7a1524a92c70ffe264db8bdfa075f15bbbeb9 upstream.
+
+As described in commit 8f873c1ff4ca ("xhci: Blacklist using streams on the
+Etron EJ168 controller"), EJ188 have the same issue as EJ168, where Streams
+do not work reliable on EJ188. So apply XHCI_BROKEN_STREAMS quirk to EJ188
+as well.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuangyi Chiang
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20240611120610.3264502-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -258,8 +258,10 @@ static void xhci_pci_quirks(struct devic
+ xhci->quirks |= XHCI_BROKEN_STREAMS;
+ }
+ if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
+- pdev->device == PCI_DEVICE_ID_EJ188)
++ pdev->device == PCI_DEVICE_ID_EJ188) {
+ xhci->quirks |= XHCI_RESET_ON_RESUME;
++ xhci->quirks |= XHCI_BROKEN_STREAMS;
++ }
+ 
+ if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
+ pdev->device == 0x0014) {
diff --git a/queue-5.4/xhci-apply-reset-resume-quirk-to-etron-ej188-xhci-host.patch b/queue-5.4/xhci-apply-reset-resume-quirk-to-etron-ej188-xhci-host.patch
new file mode 100644
index 00000000000..2135e8fa44d
--- /dev/null
+++ b/queue-5.4/xhci-apply-reset-resume-quirk-to-etron-ej188-xhci-host.patch
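Review bot: The EJ188 block in xhci_pci_quirks now sets its two flags on separate lines and grows braces for that; a single assignment, `xhci->quirks |= XHCI_RESET_ON_RESUME | XHCI_BROKEN_STREAMS;`, keeps the body to one statement and reads as one device entry. The reason for the quirks is only in the description; a comment above the condition such as `/* EJ188 shares EJ168's problems: it dies on resume and streams are unreliable */` keeps it next to the code. This hunk edits lines the companion reset-resume patch introduces, so the order of the two entries in queue-5.4/series is what makes it apply. xhci_pci_quirks starts and ends outside the hunk.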
@@ -0,0 +1,43 @@
+From 17bd54555c2aaecfdb38e2734149f684a73fa584 Mon Sep 17 00:00:00 2001
+From: Kuangyi Chiang
+Date: Tue, 11 Jun 2024 15:06:08 +0300
+Subject: xhci: Apply reset resume quirk to Etron EJ188 xHCI host
+
+From: Kuangyi Chiang
+
+commit 17bd54555c2aaecfdb38e2734149f684a73fa584 upstream.
+
+As described in commit c877b3b2ad5c ("xhci: Add reset on resume quirk for
+asrock p67 host"), EJ188 have the same issue as EJ168, where completely
+dies on resume. So apply XHCI_RESET_ON_RESUME quirk to EJ188 as well.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuangyi Chiang
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20240611120610.3264502-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -33,6 +33,7 @@
+ 
+ #define PCI_VENDOR_ID_ETRON 0x1b6f
+ #define PCI_DEVICE_ID_EJ168 0x7023
++#define PCI_DEVICE_ID_EJ188 0x7052
+ 
+ #define PCI_DEVICE_ID_INTEL_LYNXPOINT_XHCI 0x8c31
+ #define PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI 0x9c31
+@@ -256,6 +257,10 @@ static void xhci_pci_quirks(struct devic
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+ xhci->quirks |= XHCI_BROKEN_STREAMS;
+ }
++ if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
++ pdev->device == PCI_DEVICE_ID_EJ188)
++ xhci->quirks |= XHCI_RESET_ON_RESUME;
++
+ if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
+ pdev->device == 0x0014) {
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
diff --git a/queue-5.4/xhci-set-correct-transferred-length-for-cancelled-bulk-transfers.patch b/queue-5.4/xhci-set-correct-transferred-length-for-cancelled-bulk-transfers.patch
new file mode 100644
index 00000000000..0dd70c4b812
--- /dev/null
+++ b/queue-5.4/xhci-set-correct-transferred-length-for-cancelled-bulk-transfers.patch
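Review bot: Neither the new `#define PCI_DEVICE_ID_EJ188 0x7052` nor the quirk it enables in xhci_pci_quirks says what is wrong with the part, which only the description explains; a comment on the assignment such as `/* EJ188 dies on resume, like EJ168: force a controller reset on resume */` keeps the reason with the code. The new check repeats the EJ168 vendor/device test immediately above it with a different device id, and its two-line condition with an unbraced single-statement body is accepted kernel style but easy to misread when a second statement is added to it later. xhci_pci_quirks starts and ends outside the hunk.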
@@ -0,0 +1,52 @@
+From f0260589b439e2637ad54a2b25f00a516ef28a57 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Tue, 11 Jun 2024 15:06:07 +0300
+Subject: xhci: Set correct transferred length for cancelled bulk transfers
+
+From: Mathias Nyman
+
+commit f0260589b439e2637ad54a2b25f00a516ef28a57 upstream.
+
+The transferred length is set incorrectly for cancelled bulk
+transfer TDs in case the bulk transfer ring stops on the last transfer
+block with a 'Stop - Length Invalid' completion code.
+
+length essentially ends up being set to the requested length:
+urb->actual_length = urb->transfer_buffer_length
+
+Length for 'Stop - Length Invalid' cases should be the sum of all
+TRB transfer block lengths up to the one the ring stopped on,
+_excluding_ the one stopped on.
+
+Fix this by always summing up TRB lengths for 'Stop - Length Invalid'
+bulk cases.
+
+This issue was discovered by Alan Stern while debugging
+https://bugzilla.kernel.org/show_bug.cgi?id=218890, but does not
+solve that bug. Issue is older than 4.10 kernel but fix won't apply
+to those due to major reworks in that area.
+
+Tested-by: Pierre Tomon
+Cc: stable@vger.kernel.org # v4.10+
+Cc: Alan Stern
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20240611120610.3264502-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-ring.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2343,9 +2343,8 @@ static int process_bulk_intr_td(struct x
+ goto finish_td;
+ case COMP_STOPPED_LENGTH_INVALID:
+ /* stopped on ep trb with invalid length, exclude it */
+- ep_trb_len = 0;
+- remaining = 0;
+- break;
++ td->urb->actual_length = sum_trb_lengths(xhci, ep_ring, ep_trb);
++ goto finish_td;
+ case COMP_USB_TRANSACTION_ERROR:
+ if (xhci->quirks & XHCI_NO_SOFT_RETRY ||
+ (ep_ring->err_count++ > MAX_SOFT_RETRY) ||
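Review bot: The comment kept above the rewritten COMP_STOPPED_LENGTH_INVALID case in process_bulk_intr_td, `/* stopped on ep trb with invalid length, exclude it */`, was written for the old `ep_trb_len = 0; remaining = 0; break;` path and no longer says how the exclusion happens; extending it to `/* stopped on ep trb with invalid length: actual_length is the sum of the TRBs before it, so skip the generic length math below */` records why this case now jumps to finish_td instead of breaking. The correctness of the new line rests on sum_trb_lengths() stopping before ep_trb, which the description states but the hunk cannot show. process_bulk_intr_td starts and ends outside the hunk.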