From 785cda9ed6fa04e9ef0c45567254db228fe92e29 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 7 Oct 2023 14:35:44 +0200
Subject: [PATCH] 4.14-stable patches

added patches:
btrfs-reject-unknown-mount-options-early.patch
scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch
wifi-mwifiex-fix-tlv_buf_left-calculation.patch
---
 ...s-reject-unknown-mount-options-early.patch | 55 ++++++++++
 ...ix-a-double-put-in-zfcp_port_enqueue.patch | 64 +++++++++++
 queue-4.14/series | 3 +
 ...mwifiex-fix-tlv_buf_left-calculation.patch | 103 ++++++++++++++++++
 4 files changed, 225 insertions(+)
 create mode 100644 queue-4.14/btrfs-reject-unknown-mount-options-early.patch
 create mode 100644 queue-4.14/scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch
 create mode 100644 queue-4.14/wifi-mwifiex-fix-tlv_buf_left-calculation.patch

diff --git a/queue-4.14/btrfs-reject-unknown-mount-options-early.patch b/queue-4.14/btrfs-reject-unknown-mount-options-early.patch
new file mode 100644
index 00000000000..fc24211016e
--- /dev/null
+++ b/queue-4.14/btrfs-reject-unknown-mount-options-early.patch
@@ -0,0 +1,55 @@
+From 5f521494cc73520ffac18ede0758883b9aedd018 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo
+Date: Wed, 27 Sep 2023 10:43:15 +0930
+Subject: btrfs: reject unknown mount options early
+
+From: Qu Wenruo
+
+commit 5f521494cc73520ffac18ede0758883b9aedd018 upstream.
+
+[BUG]
+The following script would allow invalid mount options to be specified
+(although such invalid options would just be ignored):
+
+ # mkfs.btrfs -f $dev
+ # mount $dev $mnt1 <<< Successful mount expected
+ # mount $dev $mnt2 -o junk <<< Failed mount expected
+ # echo $?
+ 0
+
+[CAUSE]
+For the 2nd mount, since the fs is already mounted, we won't go through
+open_ctree() thus no btrfs_parse_options(), but only through
+btrfs_parse_subvol_options().
+
+However we do not treat unrecognized options from valid but irrelevant
+options, thus those invalid options would just be ignored by
+btrfs_parse_subvol_options().
+
+[FIX]
+Add the handling for Opt_err to handle invalid options and error out,
+while still ignore other valid options inside btrfs_parse_subvol_options().
+
+Reported-by: Anand Jain
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/super.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -929,6 +929,10 @@ static int btrfs_parse_early_options(con
+ if (error)
+ goto out;
+ break;
++ case Opt_err:
++ btrfs_err(NULL, "unrecognized mount option '%s'", p);
++ error = -EINVAL;
++ goto out;
+ default:
+ break;
+ }
diff --git a/queue-4.14/scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch b/queue-4.14/scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch
new file mode 100644
index 00000000000..5454f8b8378
--- /dev/null
+++ b/queue-4.14/scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch
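Review bot: The new `case Opt_err:` in btrfs_parse_early_options() carries no comment saying why the unrecognized-token case is the only one that errors out while every other token still falls to `default: break;`, so a reader of the 4.14 file sees an early parser that skips most options and now rejects one class of them without the reason. A comment above the case would keep the rationale from the commit message next to the code, e.g. `/* Unknown options must fail here: on a mount of an already-mounted fs, open_ctree() and btrfs_parse_options() are never reached. Known-but-irrelevant tokens are deliberately left to the later parser. */`. Note that the argument of a known option is still not checked on that already-mounted path, only its name; whether the 4.14 match table makes that matter cannot be told from this hunk. The upstream message names btrfs_parse_subvol_options() while the 4.14 backport touches btrfs_parse_early_options(); a one-line note about the rename in the stable commit would help anyone bisecting. The enclosing switch and function start and end outside the hunk.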
@@ -0,0 +1,64 @@
+From b481f644d9174670b385c3a699617052cd2a79d3 Mon Sep 17 00:00:00 2001
+From: Dinghao Liu
+Date: Sat, 23 Sep 2023 18:37:23 +0800
+Subject: scsi: zfcp: Fix a double put in zfcp_port_enqueue()
+
+From: Dinghao Liu
+
+commit b481f644d9174670b385c3a699617052cd2a79d3 upstream.
+
+When device_register() fails, zfcp_port_release() will be called after
+put_device(). As a result, zfcp_ccw_adapter_put() will be called twice: one
+in zfcp_port_release() and one in the error path after device_register().
+So the reference on the adapter object is doubly put, which may lead to a
+premature free. Fix this by adjusting the error tag after
+device_register().
+
+Fixes: f3450c7b9172 ("[SCSI] zfcp: Replace local reference counting with common kref")
+Signed-off-by: Dinghao Liu
+Link: https://lore.kernel.org/r/20230923103723.10320-1-dinghao.liu@zju.edu.cn
+Acked-by: Benjamin Block
+Cc: stable@vger.kernel.org # v2.6.33+
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/scsi/zfcp_aux.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_aux.c
++++ b/drivers/s390/scsi/zfcp_aux.c
+@@ -492,12 +492,12 @@ struct zfcp_port *zfcp_port_enqueue(stru
+ if (port) {
+ put_device(&port->dev);
+ retval = -EEXIST;
+- goto err_out;
++ goto err_put;
+ }
+
+ port = kzalloc(sizeof(struct zfcp_port), GFP_KERNEL);
+ if (!port)
+- goto err_out;
++ goto err_put;
+
+ rwlock_init(&port->unit_list_lock);
+ INIT_LIST_HEAD(&port->unit_list);
+@@ -520,7 +520,7 @@ struct zfcp_port *zfcp_port_enqueue(stru
+
+ if (dev_set_name(&port->dev, "0x%016llx", (unsigned long long)wwpn)) {
+ kfree(port);
+- goto err_out;
++ goto err_put;
+ }
+ retval = -EINVAL;
+
+@@ -537,8 +537,9 @@ struct zfcp_port *zfcp_port_enqueue(stru
+
+ return port;
+
+-err_out:
++err_put:
+ zfcp_ccw_adapter_put(adapter);
++err_out:
+ return ERR_PTR(retval);
+ }
+
diff --git a/queue-4.14/series b/queue-4.14/series
index a4f5c140f06..e6b32f47a02 100644
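Review bot: The two labels at the end of zfcp_port_enqueue() now encode an ownership rule that is stated only in the commit message: until device_register() the function still owns the adapter reference and must drop it via `err_put`, whereas after a failed device_register() the put_device() has already run zfcp_port_release(), which drops it, so only `err_out` is correct there. That distinction is easy to break in a later edit, so a comment at the labels would help, e.g. `err_put: /* port->dev not registered yet: drop the adapter ref ourselves */` and `err_out: /* put_device() already ran zfcp_port_release(), which drops the adapter ref */`. The device_register() failure path itself, which this fix relies on still jumping to err_out, lies between the hunks and cannot be confirmed here. zfcp_port_enqueue() starts before the first hunk.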
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -33,3 +33,6 @@ ext4-fix-rec_len-verify-error.patch
 net-sched-sch_hfsc-ensure-inner-classes-have-fsc-curve.patch
 ata-libata-disallow-dev-initiated-lpm-transitions-to-unsupported-states.patch
 media-dvb-symbol-fixup-for-dvb_attach-again.patch
+scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch
+wifi-mwifiex-fix-tlv_buf_left-calculation.patch
+btrfs-reject-unknown-mount-options-early.patch
diff --git a/queue-4.14/wifi-mwifiex-fix-tlv_buf_left-calculation.patch b/queue-4.14/wifi-mwifiex-fix-tlv_buf_left-calculation.patch
new file mode 100644
index 00000000000..cb84f1b0f54
--- /dev/null
+++ b/queue-4.14/wifi-mwifiex-fix-tlv_buf_left-calculation.patch
@@ -0,0 +1,103 @@
+From eec679e4ac5f47507774956fb3479c206e761af7 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Thu, 24 Aug 2023 21:06:51 -0600
+Subject: wifi: mwifiex: Fix tlv_buf_left calculation
+
+From: Gustavo A. R. Silva
+
+commit eec679e4ac5f47507774956fb3479c206e761af7 upstream.
+
+In a TLV encoding scheme, the Length part represents the length after
+the header containing the values for type and length. In this case,
+`tlv_len` should be:
+
+tlv_len == (sizeof(*tlv_rxba) - 1) - sizeof(tlv_rxba->header) + tlv_bitmap_len
+
+Notice that the `- 1` accounts for the one-element array `bitmap`, which
+1-byte size is already included in `sizeof(*tlv_rxba)`.
+
+So, if the above is correct, there is a double-counting of some members
+in `struct mwifiex_ie_types_rxba_sync`, when `tlv_buf_left` and `tmp`
+are calculated:
+
+968 tlv_buf_left -= (sizeof(*tlv_rxba) + tlv_len);
+969 tmp = (u8 *)tlv_rxba + tlv_len + sizeof(*tlv_rxba);
+
+in specific, members:
+
+drivers/net/wireless/marvell/mwifiex/fw.h:777
+ 777 u8 mac[ETH_ALEN];
+ 778 u8 tid;
+ 779 u8 reserved;
+ 780 __le16 seq_num;
+ 781 __le16 bitmap_len;
+
+This is clearly wrong, and affects the subsequent decoding of data in
+`event_buf` through `tlv_rxba`:
+
+970 tlv_rxba = (struct mwifiex_ie_types_rxba_sync *)tmp;
+
+Fix this by using `sizeof(tlv_rxba->header)` instead of `sizeof(*tlv_rxba)`
+in the calculation of `tlv_buf_left` and `tmp`.
+
+This results in the following binary differences before/after changes:
+
+| drivers/net/wireless/marvell/mwifiex/11n_rxreorder.o
+| 
@@ -4698,11 +4698,11 @@
+| drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c:968
+| tlv_buf_left -= (sizeof(tlv_rxba->header) + tlv_len);
+| - 1da7: lea -0x11(%rbx),%edx
+| + 1da7: lea -0x4(%rbx),%edx
+| 1daa: movzwl %bp,%eax
+| drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c:969
+| tmp = (u8 *)tlv_rxba + sizeof(tlv_rxba->header) + tlv_len;
+| - 1dad: lea 0x11(%r15,%rbp,1),%r15
+| + 1dad: lea 0x4(%r15,%rbp,1),%r15
+
+The above reflects the desired change: avoid counting 13 too many bytes;
+which is the total size of the double-counted members in
+`struct mwifiex_ie_types_rxba_sync`:
+
+$ pahole -C mwifiex_ie_types_rxba_sync drivers/net/wireless/marvell/mwifiex/11n_rxreorder.o
+struct mwifiex_ie_types_rxba_sync {
+ struct mwifiex_ie_types_header header; /* 0 4 */
+
+ |-----------------------------------------------------------------------
+ | u8 mac[6]; /* 4 6 */ |
+ | u8 tid; /* 10 1 */ |
+ | u8 reserved; /* 11 1 */ |
+ | __le16 seq_num; /* 12 2 */ |
+ | __le16 bitmap_len; /* 14 2 */ |
+ | u8 bitmap[1]; /* 16 1 */ |
+ |----------------------------------------------------------------------|
+ | 13 bytes|
+ -----------
+
+ /* size: 17, cachelines: 1, members: 7 */
+ /* last cacheline: 17 bytes */
+} __attribute__((__packed__));
+
+Fixes: 99ffe72cdae4 ("mwifiex: process rxba_sync event")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. 
Silva
+Reviewed-by: Kees Cook
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/06668edd68e7a26bbfeebd1201ae077a2a7a8bce.1692931954.git.gustavoars@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
++++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+@@ -992,8 +992,8 @@ void mwifiex_11n_rxba_sync_event(struct
+ }
+ }
+
+- tlv_buf_left -= (sizeof(*tlv_rxba) + tlv_len);
+- tmp = (u8 *)tlv_rxba + tlv_len + sizeof(*tlv_rxba);
++ tlv_buf_left -= (sizeof(tlv_rxba->header) + tlv_len);
++ tmp = (u8 *)tlv_rxba + sizeof(tlv_rxba->header) + tlv_len;
+ tlv_rxba = (struct mwifiex_ie_types_rxba_sync *)tmp;
+ }
+ }
-- 
2.47.3
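Review bot: The corrected advance at the end of the loop still takes the firmware-supplied `tlv_len` on trust: nothing in the hunk compares `sizeof(tlv_rxba->header) + tlv_len` against `tlv_buf_left` before the subtraction, so an oversized length drives `tlv_buf_left` below zero and leaves `tmp` pointing past the end of `event_buf`. If `tlv_buf_left` is a signed int (its declaration is outside the hunk, so this is inferred) and the loop header compares it against a `sizeof` expression, the negative value is promoted to `size_t` and the loop keeps consuming instead of stopping. A guard before the advance, `if (tlv_buf_left < (int)(sizeof(tlv_rxba->header) + tlv_len)) return;`, or better one placed before the bitmap loop that also bounds `tlv_bitmap_len` by the bytes remaining, would close that; it is a separate change from this fix, which only corrects the double count, and is the natural companion for this backport. mwifiex_11n_rxba_sync_event() starts before the hunk, and neither the loop header nor the bitmap loop is visible here.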