From e6c10d10ddc0b7cb814b41718baedaf1da64022f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 11 Jul 2023 22:39:50 +0200 Subject: [PATCH] 5.15-stable patches added patches: alsa-hda-realtek-add-quirk-for-clevo-npx0snx.patch alsa-jack-fix-mutex-call-in-snd_jack_report.patch block-add-overflow-checks-for-amiga-partition-support.patch block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch block-fix-signed-int-overflow-in-amiga-partition-support.patch block-increment-diskseq-on-all-media-change-events.patch sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch --- ...-realtek-add-quirk-for-clevo-npx0snx.patch | 31 +++ ...ck-fix-mutex-call-in-snd_jack_report.patch | 87 ++++++++ ...w-checks-for-amiga-partition-support.patch | 202 ++++++++++++++++++ ...tions-to-__be32-in-affs_hardblocks.h.patch | 142 ++++++++++++ ...-overflow-in-amiga-partition-support.patch | 68 ++++++ ...t-diskseq-on-all-media-change-events.patch | 60 ++++++ queue-5.15/series | 7 + ...fix-uaf-in-svc_tcp_listen_data_ready.patch | 138 ++++++++++++ 8 files changed, 735 insertions(+) create mode 100644 queue-5.15/alsa-hda-realtek-add-quirk-for-clevo-npx0snx.patch create mode 100644 queue-5.15/alsa-jack-fix-mutex-call-in-snd_jack_report.patch create mode 100644 queue-5.15/block-add-overflow-checks-for-amiga-partition-support.patch create mode 100644 queue-5.15/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch create mode 100644 queue-5.15/block-fix-signed-int-overflow-in-amiga-partition-support.patch create mode 100644 queue-5.15/block-increment-diskseq-on-all-media-change-events.patch create mode 100644 queue-5.15/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch diff --git a/queue-5.15/alsa-hda-realtek-add-quirk-for-clevo-npx0snx.patch b/queue-5.15/alsa-hda-realtek-add-quirk-for-clevo-npx0snx.patch new file mode 100644 index 00000000000..e8ae49e4af5 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-quirk-for-clevo-npx0snx.patch 
@@ -0,0 +1,31 @@ +From 22065e4214c1196b54fc164892c2e193a743caf3 Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Wed, 28 Jun 2023 17:54:34 +0200 +Subject: ALSA: hda/realtek: Add quirk for Clevo NPx0SNx + +From: Werner Sembach + +commit 22065e4214c1196b54fc164892c2e193a743caf3 upstream. + +This applies a SND_PCI_QUIRK(...) to the Clevo NPx0SNx barebones fixing the +microphone not being detected on the headset combo port. + +Signed-off-by: Werner Sembach +Cc: +Link: https://lore.kernel.org/r/20230628155434.584159-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9242,6 +9242,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x971d, "Clevo N970T[CDF]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa500, "Clevo NL5[03]RU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa600, "Clevo NL50NU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0xa650, "Clevo NP[567]0SN[CD]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa671, "Clevo NP70SN[CDE]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xb018, "Clevo NP50D[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xb019, "Clevo NH77D[BE]Q", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/queue-5.15/alsa-jack-fix-mutex-call-in-snd_jack_report.patch b/queue-5.15/alsa-jack-fix-mutex-call-in-snd_jack_report.patch new file mode 100644 index 00000000000..b27f4b9dd2e --- /dev/null +++ b/queue-5.15/alsa-jack-fix-mutex-call-in-snd_jack_report.patch 
@@ -0,0 +1,87 @@ +From 89dbb335cb6a627a4067bc42caa09c8bc3326d40 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 6 Jul 2023 17:53:57 +0200 +Subject: ALSA: jack: Fix mutex call in snd_jack_report() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +commit 89dbb335cb6a627a4067bc42caa09c8bc3326d40 upstream. + +snd_jack_report() is supposed to be callable from an IRQ context, too, +and it's indeed used in that way from virtsnd driver. The fix for +input_dev race in commit 1b6a6fc5280e ("ALSA: jack: Access input_dev +under mutex"), however, introduced a mutex lock in snd_jack_report(), +and this resulted in a potential sleep-in-atomic. + +For addressing that problem, this patch changes the relevant code to +use the object get/put and removes the mutex usage. That is, +snd_jack_report(), it takes input_get_device() and leaves with +input_put_device() for assuring the input_dev being assigned. + +Although the whole mutex could be reduced, we keep it because it can +be still a protection for potential races between creation and +deletion. 
+ +Fixes: 1b6a6fc5280e ("ALSA: jack: Access input_dev under mutex") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/cf95f7fe-a748-4990-8378-000491b40329@moroto.mountain +Tested-by: Amadeusz Sławiński +Cc: +Link: https://lore.kernel.org/r/20230706155357.3470-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/jack.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/sound/core/jack.c ++++ b/sound/core/jack.c +@@ -654,6 +654,7 @@ void snd_jack_report(struct snd_jack *ja + struct snd_jack_kctl *jack_kctl; + unsigned int mask_bits = 0; + #ifdef CONFIG_SND_JACK_INPUT_DEV ++ struct input_dev *idev; + int i; + #endif + +@@ -670,17 +671,15 @@ void snd_jack_report(struct snd_jack *ja + status & jack_kctl->mask_bits); + + #ifdef CONFIG_SND_JACK_INPUT_DEV +- mutex_lock(&jack->input_dev_lock); +- if (!jack->input_dev) { +- mutex_unlock(&jack->input_dev_lock); ++ idev = input_get_device(jack->input_dev); ++ if (!idev) + return; +- } + + for (i = 0; i < ARRAY_SIZE(jack->key); i++) { + int testbit = ((SND_JACK_BTN_0 >> i) & ~mask_bits); + + if (jack->type & testbit) +- input_report_key(jack->input_dev, jack->key[i], ++ input_report_key(idev, jack->key[i], + status & testbit); + } + +@@ -688,13 +687,13 @@ void snd_jack_report(struct snd_jack *ja + int testbit = ((1 << i) & ~mask_bits); + + if (jack->type & testbit) +- input_report_switch(jack->input_dev, ++ input_report_switch(idev, + jack_switch_types[i], + status & testbit); + } + +- input_sync(jack->input_dev); +- mutex_unlock(&jack->input_dev_lock); ++ input_sync(idev); ++ input_put_device(idev); + #endif /* CONFIG_SND_JACK_INPUT_DEV */ + } + EXPORT_SYMBOL(snd_jack_report); diff --git a/queue-5.15/block-add-overflow-checks-for-amiga-partition-support.patch b/queue-5.15/block-add-overflow-checks-for-amiga-partition-support.patch new file mode 100644 index 00000000000..2114e10d039 --- /dev/null 
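Review bot: `idev = input_get_device(jack->input_dev)` reads `jack->input_dev` with no lock held, so the reference is taken on a pointer that the clearing side could drop between the load and the get; the mutex the description keeps "for potential races between creation and deletion" no longer covers this reader. If the field is assigned once before the jack is exposed and only cleared after reports can no longer arrive, that invariant is what makes the unlocked get safe and it should be stated at the call site, e.g. `/* input_dev is published before use and cleared only on teardown; the get pins it for the reports below */`. If that invariant does not hold, the pointer needs a publication mechanism usable from IRQ context (RCU or a spinlock), since re-taking the mutex would reintroduce the sleep-in-atomic this change fixes. snd_jack_report's signature is outside the hunk.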
+++ b/queue-5.15/block-add-overflow-checks-for-amiga-partition-support.patch 
@@ -0,0 +1,202 @@ +From b6f3f28f604ba3de4724ad82bea6adb1300c0b5f Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 21 Jun 2023 08:17:25 +1200 +Subject: block: add overflow checks for Amiga partition support + +From: Michael Schmitz + +commit b6f3f28f604ba3de4724ad82bea6adb1300c0b5f upstream. + +The Amiga partition parser module uses signed int for partition sector +address and count, which will overflow for disks larger than 1 TB. + +Use u64 as type for sector address and size to allow using disks up to +2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD +format allows to specify disk sizes up to 2^128 bytes (though native +OS limitations reduce this somewhat, to max 2^68 bytes), so check for +u64 overflow carefully to protect against overflowing sector_t. + +Bail out if sector addresses overflow 32 bits on kernels without LBD +support. + +This bug was reported originally in 2012, and the fix was created by +the RDB author, Joanne Dow . A patch had been +discussed and reviewed on linux-m68k at that time but never officially +submitted (now resubmitted as patch 1 in this series). +This patch adds additional error checking and warning messages. 
+ +Reported-by: Martin Steigerwald +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Message-ID: <201206192146.09327.Martin@lichtvoll.de> +Cc: # 5.2 +Signed-off-by: Michael Schmitz +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230620201725.7020-4-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/amiga.c | 103 ++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 85 insertions(+), 18 deletions(-) + +--- a/block/partitions/amiga.c ++++ b/block/partitions/amiga.c +@@ -11,10 +11,18 @@ + #define pr_fmt(fmt) fmt + + #include ++#include ++#include + #include + + #include "check.h" + ++/* magic offsets in partition DosEnvVec */ ++#define NR_HD 3 ++#define NR_SECT 5 ++#define LO_CYL 9 ++#define HI_CYL 10 ++ + static __inline__ u32 + checksum_block(__be32 *m, int size) + { +@@ -31,9 +39,12 @@ int amiga_partition(struct parsed_partit + unsigned char *data; + struct RigidDiskBlock *rdb; + struct PartitionBlock *pb; +- sector_t start_sect, nr_sects; +- int blk, part, res = 0; +- int blksize = 1; /* Multiplier for disk block size */ ++ u64 start_sect, nr_sects; ++ sector_t blk, end_sect; ++ u32 cylblk; /* rdb_CylBlocks = nr_heads*sect_per_track */ ++ u32 nr_hd, nr_sect, lo_cyl, hi_cyl; ++ int part, res = 0; ++ unsigned int blksize = 1; /* Multiplier for disk block size */ + int slot = 1; + + for (blk = 0; ; blk++, put_dev_sector(sect)) { +@@ -41,7 +52,7 @@ int amiga_partition(struct parsed_partit + goto rdb_done; + data = read_part_sector(state, blk, §); + if (!data) { +- pr_err("Dev %s: unable to read RDB block %d\n", ++ pr_err("Dev %s: unable to read RDB block %llu\n", + state->disk->disk_name, blk); + res = -1; + goto rdb_done; +@@ -58,12 +69,12 @@ int amiga_partition(struct parsed_partit + *(__be32 *)(data+0xdc) = 0; + if (checksum_block((__be32 *)data, + be32_to_cpu(rdb->rdb_SummedLongs) & 0x7F)==0) { 
+- pr_err("Trashed word at 0xd0 in block %d ignored in checksum calculation\n", ++ pr_err("Trashed word at 0xd0 in block %llu ignored in checksum calculation\n", + blk); + break; + } + +- pr_err("Dev %s: RDB in block %d has bad checksum\n", ++ pr_err("Dev %s: RDB in block %llu has bad checksum\n", + state->disk->disk_name, blk); + } + +@@ -80,10 +91,15 @@ int amiga_partition(struct parsed_partit + blk = be32_to_cpu(rdb->rdb_PartitionList); + put_dev_sector(sect); + for (part = 1; blk>0 && part<=16; part++, put_dev_sector(sect)) { +- blk *= blksize; /* Read in terms partition table understands */ ++ /* Read in terms partition table understands */ ++ if (check_mul_overflow(blk, (sector_t) blksize, &blk)) { ++ pr_err("Dev %s: overflow calculating partition block %llu! Skipping partitions %u and beyond\n", ++ state->disk->disk_name, blk, part); ++ break; ++ } + data = read_part_sector(state, blk, §); + if (!data) { +- pr_err("Dev %s: unable to read partition block %d\n", ++ pr_err("Dev %s: unable to read partition block %llu\n", + state->disk->disk_name, blk); + res = -1; + goto rdb_done; +@@ -95,19 +111,70 @@ int amiga_partition(struct parsed_partit + if (checksum_block((__be32 *)pb, be32_to_cpu(pb->pb_SummedLongs) & 0x7F) != 0 ) + continue; + +- /* Tell Kernel about it */ ++ /* RDB gives us more than enough rope to hang ourselves with, ++ * many times over (2^128 bytes if all fields max out). ++ * Some careful checks are in order, so check for potential ++ * overflows. ++ * We are multiplying four 32 bit numbers to one sector_t! 
++ */ ++ ++ nr_hd = be32_to_cpu(pb->pb_Environment[NR_HD]); ++ nr_sect = be32_to_cpu(pb->pb_Environment[NR_SECT]); ++ ++ /* CylBlocks is total number of blocks per cylinder */ ++ if (check_mul_overflow(nr_hd, nr_sect, &cylblk)) { ++ pr_err("Dev %s: heads*sects %u overflows u32, skipping partition!\n", ++ state->disk->disk_name, cylblk); ++ continue; ++ } ++ ++ /* check for consistency with RDB defined CylBlocks */ ++ if (cylblk > be32_to_cpu(rdb->rdb_CylBlocks)) { ++ pr_warn("Dev %s: cylblk %u > rdb_CylBlocks %u!\n", ++ state->disk->disk_name, cylblk, ++ be32_to_cpu(rdb->rdb_CylBlocks)); ++ } ++ ++ /* RDB allows for variable logical block size - ++ * normalize to 512 byte blocks and check result. ++ */ ++ ++ if (check_mul_overflow(cylblk, blksize, &cylblk)) { ++ pr_err("Dev %s: partition %u bytes per cyl. overflows u32, skipping partition!\n", ++ state->disk->disk_name, part); ++ continue; ++ } ++ ++ /* Calculate partition start and end. Limit of 32 bit on cylblk ++ * guarantees no overflow occurs if LBD support is enabled. 
++ */ ++ ++ lo_cyl = be32_to_cpu(pb->pb_Environment[LO_CYL]); ++ start_sect = ((u64) lo_cyl * cylblk); ++ ++ hi_cyl = be32_to_cpu(pb->pb_Environment[HI_CYL]); ++ nr_sects = (((u64) hi_cyl - lo_cyl + 1) * cylblk); + +- nr_sects = ((sector_t)be32_to_cpu(pb->pb_Environment[10]) + 1 - +- be32_to_cpu(pb->pb_Environment[9])) * +- be32_to_cpu(pb->pb_Environment[3]) * +- be32_to_cpu(pb->pb_Environment[5]) * +- blksize; + if (!nr_sects) + continue; +- start_sect = (sector_t)be32_to_cpu(pb->pb_Environment[9]) * +- be32_to_cpu(pb->pb_Environment[3]) * +- be32_to_cpu(pb->pb_Environment[5]) * +- blksize; ++ ++ /* Warn user if partition end overflows u32 (AmigaDOS limit) */ ++ ++ if ((start_sect + nr_sects) > UINT_MAX) { ++ pr_warn("Dev %s: partition %u (%llu-%llu) needs 64 bit device support!\n", ++ state->disk->disk_name, part, ++ start_sect, start_sect + nr_sects); ++ } ++ ++ if (check_add_overflow(start_sect, nr_sects, &end_sect)) { ++ pr_err("Dev %s: partition %u (%llu-%llu) needs LBD device support, skipping partition!\n", ++ state->disk->disk_name, part, ++ start_sect, end_sect); ++ continue; ++ } ++ ++ /* Tell Kernel about it */ ++ + put_partition(state,slot++,start_sect,nr_sects); + { + /* Be even more informative to aid mounting */ diff --git a/queue-5.15/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch b/queue-5.15/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch new file mode 100644 index 00000000000..ca54e71c9d2 --- /dev/null +++ b/queue-5.15/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch 
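Review bot: `nr_sects = (((u64) hi_cyl - lo_cyl + 1) * cylblk)` has no check that `hi_cyl >= lo_cyl`; with an inverted range read from the on-disk DosEnvVec the subtraction wraps in u64 and the product can wrap again, so neither `!nr_sects` nor the later `check_add_overflow` is guaranteed to catch it and a bogus partition can still be registered. The in-hunk comment that the 32-bit limit on cylblk "guarantees no overflow" only holds when the cylinder range is sane, so the inverted case should be rejected before the multiplication, as below. The same unchecked subtraction is in the nr_sects expression of the block-fix-signed-int-overflow patch later on this page, which this patch supersedes, so one check here covers both. Separately, the message `heads*sects %u overflows u32` prints `cylblk`, which after a failed `check_mul_overflow` holds the wrapped product; printing `nr_hd` and `nr_sect` instead gives a usable log line. amiga_partition's signature and the tail of its partition loop are outside the hunk.
```c
		lo_cyl = be32_to_cpu(pb->pb_Environment[LO_CYL]);
		hi_cyl = be32_to_cpu(pb->pb_Environment[HI_CYL]);

		/* Reject an inverted cylinder range before it becomes a wrapped count */
		if (hi_cyl < lo_cyl) {
			pr_err("Dev %s: partition %u: hi_cyl %u < lo_cyl %u, skipping partition!\n",
			       state->disk->disk_name, part, hi_cyl, lo_cyl);
			continue;
		}

		start_sect = ((u64) lo_cyl * cylblk);
		nr_sects = (((u64) hi_cyl - lo_cyl + 1) * cylblk);
		/* … unchanged: !nr_sects check, UINT_MAX warning, check_add_overflow, put_partition … */
```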
@@ -0,0 +1,142 @@ +From 95a55437dc49fb3342c82e61f5472a71c63d9ed0 Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 21 Jun 2023 08:17:24 +1200 +Subject: block: change all __u32 annotations to __be32 in affs_hardblocks.h + +From: Michael Schmitz + +commit 95a55437dc49fb3342c82e61f5472a71c63d9ed0 upstream. + +The Amiga partition parser module uses signed int for partition sector +address and count, which will overflow for disks larger than 1 TB. + +Use u64 as type for sector address and size to allow using disks up to +2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD +format allows to specify disk sizes up to 2^128 bytes (though native +OS limitations reduce this somewhat, to max 2^68 bytes), so check for +u64 overflow carefully to protect against overflowing sector_t. + +This bug was reported originally in 2012, and the fix was created by +the RDB author, Joanne Dow . A patch had been +discussed and reviewed on linux-m68k at that time but never officially +submitted (now resubmitted as patch 1 of this series). + +Patch 3 (this series) adds additional error checking and warning +messages. One of the error checks now makes use of the previously +unused rdb_CylBlocks field, which causes a 'sparse' warning +(cast to restricted __be32). + +Annotate all 32 bit fields in affs_hardblocks.h as __be32, as the +on-disk format of RDB and partition blocks is always big endian. 
+ +Reported-by: Martin Steigerwald +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Message-ID: <201206192146.09327.Martin@lichtvoll.de> +Cc: # 5.2 +Signed-off-by: Michael Schmitz +Reviewed-by: Christoph Hellwig +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230620201725.7020-3-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/affs_hardblocks.h | 68 +++++++++++++++++------------------ + 1 file changed, 34 insertions(+), 34 deletions(-) + +--- a/include/uapi/linux/affs_hardblocks.h ++++ b/include/uapi/linux/affs_hardblocks.h +@@ -7,42 +7,42 @@ + /* Just the needed definitions for the RDB of an Amiga HD. */ + + struct RigidDiskBlock { +- __u32 rdb_ID; ++ __be32 rdb_ID; + __be32 rdb_SummedLongs; +- __s32 rdb_ChkSum; +- __u32 rdb_HostID; ++ __be32 rdb_ChkSum; ++ __be32 rdb_HostID; + __be32 rdb_BlockBytes; +- __u32 rdb_Flags; +- __u32 rdb_BadBlockList; ++ __be32 rdb_Flags; ++ __be32 rdb_BadBlockList; + __be32 rdb_PartitionList; +- __u32 rdb_FileSysHeaderList; +- __u32 rdb_DriveInit; +- __u32 rdb_Reserved1[6]; +- __u32 rdb_Cylinders; +- __u32 rdb_Sectors; +- __u32 rdb_Heads; +- __u32 rdb_Interleave; +- __u32 rdb_Park; +- __u32 rdb_Reserved2[3]; +- __u32 rdb_WritePreComp; +- __u32 rdb_ReducedWrite; +- __u32 rdb_StepRate; +- __u32 rdb_Reserved3[5]; +- __u32 rdb_RDBBlocksLo; +- __u32 rdb_RDBBlocksHi; +- __u32 rdb_LoCylinder; +- __u32 rdb_HiCylinder; +- __u32 rdb_CylBlocks; +- __u32 rdb_AutoParkSeconds; +- __u32 rdb_HighRDSKBlock; +- __u32 rdb_Reserved4; ++ __be32 rdb_FileSysHeaderList; ++ __be32 rdb_DriveInit; ++ __be32 rdb_Reserved1[6]; ++ __be32 rdb_Cylinders; ++ __be32 rdb_Sectors; ++ __be32 rdb_Heads; ++ __be32 rdb_Interleave; ++ __be32 rdb_Park; ++ __be32 rdb_Reserved2[3]; ++ __be32 rdb_WritePreComp; ++ __be32 rdb_ReducedWrite; ++ __be32 rdb_StepRate; ++ __be32 rdb_Reserved3[5]; ++ __be32 rdb_RDBBlocksLo; ++ __be32 rdb_RDBBlocksHi; ++ 
__be32 rdb_LoCylinder; ++ __be32 rdb_HiCylinder; ++ __be32 rdb_CylBlocks; ++ __be32 rdb_AutoParkSeconds; ++ __be32 rdb_HighRDSKBlock; ++ __be32 rdb_Reserved4; + char rdb_DiskVendor[8]; + char rdb_DiskProduct[16]; + char rdb_DiskRevision[4]; + char rdb_ControllerVendor[8]; + char rdb_ControllerProduct[16]; + char rdb_ControllerRevision[4]; +- __u32 rdb_Reserved5[10]; ++ __be32 rdb_Reserved5[10]; + }; + + #define IDNAME_RIGIDDISK 0x5244534B /* "RDSK" */ +@@ -50,16 +50,16 @@ struct RigidDiskBlock { + struct PartitionBlock { + __be32 pb_ID; + __be32 pb_SummedLongs; +- __s32 pb_ChkSum; +- __u32 pb_HostID; ++ __be32 pb_ChkSum; ++ __be32 pb_HostID; + __be32 pb_Next; +- __u32 pb_Flags; +- __u32 pb_Reserved1[2]; +- __u32 pb_DevFlags; ++ __be32 pb_Flags; ++ __be32 pb_Reserved1[2]; ++ __be32 pb_DevFlags; + __u8 pb_DriveName[32]; +- __u32 pb_Reserved2[15]; ++ __be32 pb_Reserved2[15]; + __be32 pb_Environment[17]; +- __u32 pb_EReserved[15]; ++ __be32 pb_EReserved[15]; + }; + + #define IDNAME_PARTITION 0x50415254 /* "PART" */ diff --git a/queue-5.15/block-fix-signed-int-overflow-in-amiga-partition-support.patch b/queue-5.15/block-fix-signed-int-overflow-in-amiga-partition-support.patch new file mode 100644 index 00000000000..d0df6038a91 --- /dev/null +++ b/queue-5.15/block-fix-signed-int-overflow-in-amiga-partition-support.patch 
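Review bot: `rdb_ChkSum` and `pb_ChkSum` change from `__s32` to `__be32`, which alters the declared signedness of two fields in a uapi header rather than only adding an endianness annotation; userspace that computes or compares the checksum through these declarations now sees an unsigned word. Size and layout are unchanged, and the in-kernel consumer (`checksum_block(__be32 *m, int size)` returning `u32` in amiga.c on this page) already sums the words as unsigned, so the change looks consistent in-kernel, but the header should say so, e.g. `/* All 32-bit words are stored big-endian on disk; ChkSum is summed as an unsigned word by the kernel parser. */` — presumably that matches the on-disk definition, which this page does not show.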
@@ -0,0 +1,68 @@ +From fc3d092c6bb48d5865fec15ed5b333c12f36288c Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 21 Jun 2023 08:17:23 +1200 +Subject: block: fix signed int overflow in Amiga partition support + +From: Michael Schmitz + +commit fc3d092c6bb48d5865fec15ed5b333c12f36288c upstream. + +The Amiga partition parser module uses signed int for partition sector +address and count, which will overflow for disks larger than 1 TB. + +Use sector_t as type for sector address and size to allow using disks +up to 2 TB without LBD support, and disks larger than 2 TB with LBD. + +This bug was reported originally in 2012, and the fix was created by +the RDB author, Joanne Dow . A patch had been +discussed and reviewed on linux-m68k at that time but never officially +submitted. This patch differs from Joanne's patch only in its use of +sector_t instead of unsigned int. No checking for overflows is done +(see patch 3 of this series for that). + +Reported-by: Martin Steigerwald +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Message-ID: <201206192146.09327.Martin@lichtvoll.de> +Cc: # 5.2 +Signed-off-by: Michael Schmitz +Tested-by: Martin Steigerwald +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230620201725.7020-2-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/amiga.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/block/partitions/amiga.c ++++ b/block/partitions/amiga.c +@@ -31,7 +31,8 @@ int amiga_partition(struct parsed_partit + unsigned char *data; + struct RigidDiskBlock *rdb; + struct PartitionBlock *pb; +- int start_sect, nr_sects, blk, part, res = 0; ++ sector_t start_sect, nr_sects; ++ int blk, part, res = 0; + int blksize = 1; /* Multiplier for disk block size */ + int slot = 1; + +@@ -96,14 +97,14 @@ int amiga_partition(struct parsed_partit + + /* Tell Kernel 
about it */ + +- nr_sects = (be32_to_cpu(pb->pb_Environment[10]) + 1 - +- be32_to_cpu(pb->pb_Environment[9])) * ++ nr_sects = ((sector_t)be32_to_cpu(pb->pb_Environment[10]) + 1 - ++ be32_to_cpu(pb->pb_Environment[9])) * + be32_to_cpu(pb->pb_Environment[3]) * + be32_to_cpu(pb->pb_Environment[5]) * + blksize; + if (!nr_sects) + continue; +- start_sect = be32_to_cpu(pb->pb_Environment[9]) * ++ start_sect = (sector_t)be32_to_cpu(pb->pb_Environment[9]) * + be32_to_cpu(pb->pb_Environment[3]) * + be32_to_cpu(pb->pb_Environment[5]) * + blksize; diff --git a/queue-5.15/block-increment-diskseq-on-all-media-change-events.patch b/queue-5.15/block-increment-diskseq-on-all-media-change-events.patch new file mode 100644 index 00000000000..4350e254094 --- /dev/null +++ b/queue-5.15/block-increment-diskseq-on-all-media-change-events.patch 
@@ -0,0 +1,60 @@ +From b90ecc0379eb7bbe79337b0c7289390a98752646 Mon Sep 17 00:00:00 2001 +From: Demi Marie Obenour +Date: Wed, 7 Jun 2023 13:08:37 -0400 +Subject: block: increment diskseq on all media change events + +From: Demi Marie Obenour + +commit b90ecc0379eb7bbe79337b0c7289390a98752646 upstream. + +Currently, associating a loop device with a different file descriptor +does not increment its diskseq. This allows the following race +condition: + +1. Program X opens a loop device +2. Program X gets the diskseq of the loop device. +3. Program X associates a file with the loop device. +4. Program X passes the loop device major, minor, and diskseq to + something. +5. Program X exits. +6. Program Y detaches the file from the loop device. +7. Program Y attaches a different file to the loop device. +8. The opener finally gets around to opening the loop device and checks + that the diskseq is what it expects it to be. Even though the + diskseq is the expected value, the result is that the opener is + accessing the wrong file. + +From discussions with Christoph Hellwig, it appears that +disk_force_media_change() was supposed to call inc_diskseq(), but in +fact it does not. Adding a Fixes: tag to indicate this. Christoph's +Reported-by is because he stated that disk_force_media_change() +calls inc_diskseq(), which is what led me to discover that it should but +does not. 
+ +Reported-by: Christoph Hellwig +Signed-off-by: Demi Marie Obenour +Fixes: e6138dc12de9 ("block: add a helper to raise a media changed event") +Cc: stable@vger.kernel.org # 5.15+ +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230607170837.1559-1-demi@invisiblethingslab.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/disk-events.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/disk-events.c b/block/disk-events.c +index 8b1b63225738..0cfac464e6d1 100644 +--- a/block/disk-events.c ++++ b/block/disk-events.c +@@ -307,6 +307,7 @@ bool disk_force_media_change(struct gendisk *disk, unsigned int events) + if (!(events & DISK_EVENT_MEDIA_CHANGE)) + return false; + ++ inc_diskseq(disk); + if (__invalidate_device(disk->part0, true)) + pr_warn("VFS: busy inodes on changed media %s\n", + disk->disk_name); +-- +2.41.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 9eb55f87889..188f51355ad 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -264,3 +264,10 @@ iio-adc-ad7192-fix-null-ad7192_state-pointer-access.patch iio-adc-ad7192-fix-internal-external-clock-selection.patch iio-accel-fxls8962af-errata-bug-only-applicable-for-fxls8962af.patch iio-accel-fxls8962af-fixup-buffer-scan-element-type.patch +alsa-hda-realtek-add-quirk-for-clevo-npx0snx.patch +alsa-jack-fix-mutex-call-in-snd_jack_report.patch +block-fix-signed-int-overflow-in-amiga-partition-support.patch +block-add-overflow-checks-for-amiga-partition-support.patch +block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch +block-increment-diskseq-on-all-media-change-events.patch +sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch diff --git a/queue-5.15/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch b/queue-5.15/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch new file mode 100644 index 00000000000..1eaa8471302 --- /dev/null +++ b/queue-5.15/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch 
@@ -0,0 +1,138 @@ +From fc80fc2d4e39137869da3150ee169b40bf879287 Mon Sep 17 00:00:00 2001 +From: Ding Hui +Date: Mon, 15 May 2023 10:13:07 +0800 +Subject: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() + +From: Ding Hui + +commit fc80fc2d4e39137869da3150ee169b40bf879287 upstream. + +After the listener svc_sock is freed, and before invoking svc_tcp_accept() +for the established child sock, there is a window that the newsock +retaining a freed listener svc_sock in sk_user_data which cloning from +parent. In the race window, if data is received on the newsock, we will +observe use-after-free report in svc_tcp_listen_data_ready(). + +Reproduce by two tasks: + +1. while :; do rpc.nfsd 0 ; rpc.nfsd; done +2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done + +KASAN report: + + ================================================================== + BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] + Read of size 8 at addr ffff888139d96228 by task nc/102553 + CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 + Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 + Call Trace: + + dump_stack_lvl+0x33/0x50 + print_address_description.constprop.0+0x27/0x310 + print_report+0x3e/0x70 + kasan_report+0xae/0xe0 + svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] + tcp_data_queue+0x9f4/0x20e0 + tcp_rcv_established+0x666/0x1f60 + tcp_v4_do_rcv+0x51c/0x850 + tcp_v4_rcv+0x23fc/0x2e80 + ip_protocol_deliver_rcu+0x62/0x300 + ip_local_deliver_finish+0x267/0x350 + ip_local_deliver+0x18b/0x2d0 + ip_rcv+0x2fb/0x370 + __netif_receive_skb_one_core+0x166/0x1b0 + process_backlog+0x24c/0x5e0 + __napi_poll+0xa2/0x500 + net_rx_action+0x854/0xc90 + __do_softirq+0x1bb/0x5de + do_softirq+0xcb/0x100 + + + ... 
+ + + Allocated by task 102371: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x7b/0x90 + svc_setup_socket+0x52/0x4f0 [sunrpc] + svc_addsock+0x20d/0x400 [sunrpc] + __write_ports_addfd+0x209/0x390 [nfsd] + write_ports+0x239/0x2c0 [nfsd] + nfsctl_transaction_write+0xac/0x110 [nfsd] + vfs_write+0x1c3/0xae0 + ksys_write+0xed/0x1c0 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + + Freed by task 102551: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x2a/0x50 + __kasan_slab_free+0x106/0x190 + __kmem_cache_free+0x133/0x270 + svc_xprt_free+0x1e2/0x350 [sunrpc] + svc_xprt_destroy_all+0x25a/0x440 [sunrpc] + nfsd_put+0x125/0x240 [nfsd] + nfsd_svc+0x2cb/0x3c0 [nfsd] + write_threads+0x1ac/0x2a0 [nfsd] + nfsctl_transaction_write+0xac/0x110 [nfsd] + vfs_write+0x1c3/0xae0 + ksys_write+0xed/0x1c0 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() +if state != TCP_LISTEN, that will avoid dereferencing svsk for all +child socket. + +Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/ +Fixes: fa9251afc33c ("SUNRPC: Call the default socket callbacks instead of open coding") +Signed-off-by: Ding Hui +Cc: +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/svcsock.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -685,12 +685,6 @@ static void svc_tcp_listen_data_ready(st + { + struct svc_sock *svsk = (struct svc_sock *)sk->sk_user_data; + +- if (svsk) { +- /* Refer to svc_setup_socket() for details. 
*/ +- rmb(); +- svsk->sk_odata(sk); +- } +- + /* + * This callback may called twice when a new connection + * is established as a child socket inherits everything +@@ -699,13 +693,18 @@ static void svc_tcp_listen_data_ready(st + * when one of child sockets become ESTABLISHED. + * 2) data_ready method of the child socket may be called + * when it receives data before the socket is accepted. +- * In case of 2, we should ignore it silently. ++ * In case of 2, we should ignore it silently and DO NOT ++ * dereference svsk. + */ +- if (sk->sk_state == TCP_LISTEN) { +- if (svsk) { +- set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags); +- svc_xprt_enqueue(&svsk->sk_xprt); +- } ++ if (sk->sk_state != TCP_LISTEN) ++ return; ++ ++ if (svsk) { ++ /* Refer to svc_setup_socket() for details. */ ++ rmb(); ++ svsk->sk_odata(sk); ++ set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags); ++ svc_xprt_enqueue(&svsk->sk_xprt); + } + } + -- 2.47.3
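Review bot: After the early `return` on `sk->sk_state != TCP_LISTEN`, `svsk->sk_odata(sk)` is no longer invoked for a not-yet-accepted child socket, whereas before this change the inherited original callback ran for any socket whose `sk_user_data` was set; the in-hunk comment says case 2 is ignored silently but does not say that the original data_ready is dropped too. If the child's callbacks are replaced once it is accepted so no wakeup is lost, that should be stated by extending the comment with `* The inherited original callback is not forwarded either; the child gets its own callbacks once accepted.`; if it is not, the early return also suppresses the default wakeup for the child. A smaller point of style: `svsk` is still loaded from `sk->sk_user_data` at the top of the function (the context line before the first hunk), so a possibly stale pointer is formed before the state check; moving `struct svc_sock *svsk = (struct svc_sock *)sk->sk_user_data;` below the `TCP_LISTEN` test makes the "do not dereference" rule structural. The function's signature is outside the hunk.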