From ed3f1a58aa3cdcaea68c7956b55f5fc28dce834b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 30 Aug 2024 15:03:37 +0200 Subject: [PATCH] 5.4-stable patches added patches: ata-libata-core-fix-null-pointer-dereference-on-error.patch cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch net-rds-fix-possible-deadlock-in-rds_message_put.patch --- ...ix-null-pointer-dereference-on-error.patch | 73 ++++++++++ ...uset-prevent-uaf-in-proc_cpuset_show.patch | 92 ++++++++++++ ...teger-overflow-calculating-timestamp.patch | 137 ++++++++++++++++++ ...possible-deadlock-in-rds_message_put.patch | 79 ++++++++++ queue-5.4/series | 4 + 5 files changed, 385 insertions(+) create mode 100644 queue-5.4/ata-libata-core-fix-null-pointer-dereference-on-error.patch create mode 100644 queue-5.4/cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch create mode 100644 queue-5.4/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch create mode 100644 queue-5.4/net-rds-fix-possible-deadlock-in-rds_message_put.patch diff --git a/queue-5.4/ata-libata-core-fix-null-pointer-dereference-on-error.patch b/queue-5.4/ata-libata-core-fix-null-pointer-dereference-on-error.patch new file mode 100644 index 00000000000..2bee00a1c87 --- /dev/null +++ b/queue-5.4/ata-libata-core-fix-null-pointer-dereference-on-error.patch @@ -0,0 +1,73 @@ +From 5d92c7c566dc76d96e0e19e481d926bbe6631c1e Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Sat, 29 Jun 2024 14:42:11 +0200 +Subject: ata: libata-core: Fix null pointer dereference on error + +From: Niklas Cassel + +commit 5d92c7c566dc76d96e0e19e481d926bbe6631c1e upstream. + +If the ata_port_alloc() call in ata_host_alloc() fails, +ata_host_release() will get called. + +However, the code in ata_host_release() tries to free ata_port struct +members unconditionally, which can lead to the following: + +BUG: unable to handle page fault for address: 0000000000003990 +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI +CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 +RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata] +Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41 +RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246 +RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0 +RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68 +R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004 +R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006 +FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0 +PKRU: 55555554 +Call Trace: + + ? __die_body.cold+0x19/0x27 + ? page_fault_oops+0x15a/0x2f0 + ? exc_page_fault+0x7e/0x180 + ? asm_exc_page_fault+0x26/0x30 + ? ata_host_release.cold+0x2f/0x6e [libata] + ? ata_host_release.cold+0x2f/0x6e [libata] + release_nodes+0x35/0xb0 + devres_release_group+0x113/0x140 + ata_host_alloc+0xed/0x120 [libata] + ata_host_alloc_pinfo+0x14/0xa0 [libata] + ahci_init_one+0x6c9/0xd20 [ahci] + +Do not access ata_port struct members unconditionally. + +Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it") +Cc: stable@vger.kernel.org +Reviewed-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: John Garry +Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Oleksandr Tymoshenko +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -6141,6 +6141,9 @@ static void ata_host_release(struct kref + for (i = 0; i < host->n_ports; i++) { + struct ata_port *ap = host->ports[i]; + ++ if (!ap) ++ continue; ++ + kfree(ap->pmp_link); + kfree(ap->slave_link); + kfree(ap); diff --git a/queue-5.4/cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch b/queue-5.4/cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch new file mode 100644 index 00000000000..323d2c99f7c --- /dev/null +++ b/queue-5.4/cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch @@ -0,0 +1,92 @@ +From 1be59c97c83ccd67a519d8a49486b3a8a73ca28a Mon Sep 17 00:00:00 2001 +From: Chen Ridong +Date: Fri, 28 Jun 2024 01:36:04 +0000 +Subject: cgroup/cpuset: Prevent UAF in proc_cpuset_show() + +From: Chen Ridong + +commit 1be59c97c83ccd67a519d8a49486b3a8a73ca28a upstream. + +An UAF can happen when /proc/cpuset is read as reported in [1]. + +This can be reproduced by the following methods: +1.add an mdelay(1000) before acquiring the cgroup_lock In the + cgroup_path_ns function. +2.$cat /proc//cpuset repeatly. +3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/ +$umount /sys/fs/cgroup/cpuset/ repeatly. + +The race that cause this bug can be shown as below: + +(umount) | (cat /proc//cpuset) +css_release | proc_cpuset_show +css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id); +css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...); +cgroup_destroy_root | mutex_lock(&cgroup_mutex); +rebind_subsystems | +cgroup_free_root | + | // cgrp was freed, UAF + | cgroup_path_ns_locked(cgrp,..); + +When the cpuset is initialized, the root node top_cpuset.css.cgrp +will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will +allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated +&cgroup_root.cgrp. When the umount operation is executed, +top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp. + +The problem is that when rebinding to cgrp_dfl_root, there are cases +where the cgroup_root allocated by setting up the root for cgroup v1 +is cached. This could lead to a Use-After-Free (UAF) if it is +subsequently freed. The descendant cgroups of cgroup v1 can only be +freed after the css is released. However, the css of the root will never +be released, yet the cgroup_root should be freed when it is unmounted. +This means that obtaining a reference to the css of the root does +not guarantee that css.cgrp->root will not be freed. + +Fix this problem by using rcu_read_lock in proc_cpuset_show(). +As cgroup_root is kfree_rcu after commit d23b5c577715 +("cgroup: Make operations on the cgroup root_list RCU safe"), +css->cgroup won't be freed during the critical section. +To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to +replace task_get_css with task_css. + +[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd + +Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces") +Signed-off-by: Chen Ridong +Signed-off-by: Tejun Heo +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cpuset.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -22,6 +22,7 @@ + * distribution for more details. + */ + ++#include "cgroup-internal.h" + #include + #include + #include +@@ -3644,10 +3645,14 @@ int proc_cpuset_show(struct seq_file *m, + if (!buf) + goto out; + +- css = task_get_css(tsk, cpuset_cgrp_id); +- retval = cgroup_path_ns(css->cgroup, buf, PATH_MAX, +- current->nsproxy->cgroup_ns); +- css_put(css); ++ rcu_read_lock(); ++ spin_lock_irq(&css_set_lock); ++ css = task_css(tsk, cpuset_cgrp_id); ++ retval = cgroup_path_ns_locked(css->cgroup, buf, PATH_MAX, ++ current->nsproxy->cgroup_ns); ++ spin_unlock_irq(&css_set_lock); ++ rcu_read_unlock(); ++ + if (retval >= PATH_MAX) + retval = -ENAMETOOLONG; + if (retval < 0) diff --git a/queue-5.4/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch b/queue-5.4/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch new file mode 100644 index 00000000000..a9a9c60f395 --- /dev/null +++ b/queue-5.4/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch @@ -0,0 +1,137 @@ +From 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 10 Jun 2024 19:17:49 +0000 +Subject: media: uvcvideo: Fix integer overflow calculating timestamp + +From: Ricardo Ribalda + +commit 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 upstream. + +The function uvc_video_clock_update() supports a single SOF overflow. Or +in other words, the maximum difference between the first ant the last +timestamp can be 4096 ticks or 4.096 seconds. + +This results in a maximum value for y2 of: 0x12FBECA00, that overflows +32bits. +y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; + +Extend the size of y2 to u64 to support all its values. + +Without this patch: + # yavta -s 1920x1080 -f YUYV -t 1/5 -c /dev/video0 +Device /dev/v4l/by-id/usb-Shine-Optics_Integrated_Camera_0001-video-index0 opened. +Device `Integrated Camera: Integrated C' on `usb-0000:00:14.0-6' (driver 'uvcvideo') supports video, capture, without mplanes. +Video format set: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200 +Video format: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200 +Current frame rate: 1/5 +Setting frame rate to: 1/5 +Frame rate set: 1/5 +8 buffers requested. +length: 4147200 offset: 0 timestamp type/source: mono/SoE +Buffer 0/0 mapped at address 0x7947ea94c000. +length: 4147200 offset: 4149248 timestamp type/source: mono/SoE +Buffer 1/0 mapped at address 0x7947ea557000. +length: 4147200 offset: 8298496 timestamp type/source: mono/SoE +Buffer 2/0 mapped at address 0x7947ea162000. +length: 4147200 offset: 12447744 timestamp type/source: mono/SoE +Buffer 3/0 mapped at address 0x7947e9d6d000. +length: 4147200 offset: 16596992 timestamp type/source: mono/SoE +Buffer 4/0 mapped at address 0x7947e9978000. +length: 4147200 offset: 20746240 timestamp type/source: mono/SoE +Buffer 5/0 mapped at address 0x7947e9583000. +length: 4147200 offset: 24895488 timestamp type/source: mono/SoE +Buffer 6/0 mapped at address 0x7947e918e000. +length: 4147200 offset: 29044736 timestamp type/source: mono/SoE +Buffer 7/0 mapped at address 0x7947e8d99000. +0 (0) [-] none 0 4147200 B 507.554210 508.874282 242.836 fps ts mono/SoE +1 (1) [-] none 2 4147200 B 508.886298 509.074289 0.751 fps ts mono/SoE +2 (2) [-] none 3 4147200 B 509.076362 509.274307 5.261 fps ts mono/SoE +3 (3) [-] none 4 4147200 B 509.276371 509.474336 5.000 fps ts mono/SoE +4 (4) [-] none 5 4147200 B 509.476394 509.674394 4.999 fps ts mono/SoE +5 (5) [-] none 6 4147200 B 509.676506 509.874345 4.997 fps ts mono/SoE +6 (6) [-] none 7 4147200 B 509.876430 510.074370 5.002 fps ts mono/SoE +7 (7) [-] none 8 4147200 B 510.076434 510.274365 5.000 fps ts mono/SoE +8 (0) [-] none 9 4147200 B 510.276421 510.474333 5.000 fps ts mono/SoE +9 (1) [-] none 10 4147200 B 510.476391 510.674429 5.001 fps ts mono/SoE +10 (2) [-] none 11 4147200 B 510.676434 510.874283 4.999 fps ts mono/SoE +11 (3) [-] none 12 4147200 B 510.886264 511.074349 4.766 fps ts mono/SoE +12 (4) [-] none 13 4147200 B 511.070577 511.274304 5.426 fps ts mono/SoE +13 (5) [-] none 14 4147200 B 511.286249 511.474301 4.637 fps ts mono/SoE +14 (6) [-] none 15 4147200 B 511.470542 511.674251 5.426 fps ts mono/SoE +15 (7) [-] none 16 4147200 B 511.672651 511.874337 4.948 fps ts mono/SoE +16 (0) [-] none 17 4147200 B 511.873988 512.074462 4.967 fps ts mono/SoE +17 (1) [-] none 18 4147200 B 512.075982 512.278296 4.951 fps ts mono/SoE +18 (2) [-] none 19 4147200 B 512.282631 512.482423 4.839 fps ts mono/SoE +19 (3) [-] none 20 4147200 B 518.986637 512.686333 0.149 fps ts mono/SoE +20 (4) [-] none 21 4147200 B 518.342709 512.886386 -1.553 fps ts mono/SoE +21 (5) [-] none 22 4147200 B 517.909812 513.090360 -2.310 fps ts mono/SoE +22 (6) [-] none 23 4147200 B 517.590775 513.294454 -3.134 fps ts mono/SoE +23 (7) [-] none 24 4147200 B 513.298465 513.494335 -0.233 fps ts mono/SoE +24 (0) [-] none 25 4147200 B 513.510273 513.698375 4.721 fps ts mono/SoE +25 (1) [-] none 26 4147200 B 513.698904 513.902327 5.301 fps ts mono/SoE +26 (2) [-] none 27 4147200 B 513.895971 514.102348 5.074 fps ts mono/SoE +27 (3) [-] none 28 4147200 B 514.099091 514.306337 4.923 fps ts mono/SoE +28 (4) [-] none 29 4147200 B 514.310348 514.510567 4.734 fps ts mono/SoE +29 (5) [-] none 30 4147200 B 514.509295 514.710367 5.026 fps ts mono/SoE +30 (6) [-] none 31 4147200 B 521.532513 514.914398 0.142 fps ts mono/SoE +31 (7) [-] none 32 4147200 B 520.885277 515.118385 -1.545 fps ts mono/SoE +32 (0) [-] none 33 4147200 B 520.411140 515.318336 -2.109 fps ts mono/SoE +33 (1) [-] none 34 4147200 B 515.325425 515.522278 -0.197 fps ts mono/SoE +34 (2) [-] none 35 4147200 B 515.538276 515.726423 4.698 fps ts mono/SoE +35 (3) [-] none 36 4147200 B 515.720767 515.930373 5.480 fps ts mono/SoE + +Cc: stable@vger.kernel.org +Fixes: 66847ef013cc ("[media] uvcvideo: Add UVC timestamps support") +Signed-off-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20240610-hwtimestamp-followup-v1-2-f9eaed7be7f0@chromium.org +Signed-off-by: Laurent Pinchart +Signed-off-by: Ricardo Ribalda +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_video.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -723,11 +723,11 @@ void uvc_video_clock_update(struct uvc_s + unsigned long flags; + u64 timestamp; + u32 delta_stc; +- u32 y1, y2; ++ u32 y1; + u32 x1, x2; + u32 mean; + u32 sof; +- u64 y; ++ u64 y, y2; + + if (!uvc_hw_timestamps_param) + return; +@@ -767,7 +767,7 @@ void uvc_video_clock_update(struct uvc_s + sof = y; + + uvc_trace(UVC_TRACE_CLOCK, "%s: PTS %u y %llu.%06llu SOF %u.%06llu " +- "(x1 %u x2 %u y1 %u y2 %u SOF offset %u)\n", ++ "(x1 %u x2 %u y1 %u y2 %llu SOF offset %u)\n", + stream->dev->name, buf->pts, + y >> 16, div_u64((y & 0xffff) * 1000000, 65536), + sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536), +@@ -782,7 +782,7 @@ void uvc_video_clock_update(struct uvc_s + goto done; + + y1 = NSEC_PER_SEC; +- y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; ++ y2 = ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; + + /* Interpolated and host SOF timestamps can wrap around at slightly + * different times. Handle this by adding or removing 2048 to or from +@@ -802,7 +802,7 @@ void uvc_video_clock_update(struct uvc_s + timestamp = ktime_to_ns(first->host_time) + y - y1; + + uvc_trace(UVC_TRACE_CLOCK, "%s: SOF %u.%06llu y %llu ts %llu " +- "buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %u)\n", ++ "buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %llu)\n", + stream->dev->name, + sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536), + y, timestamp, vbuf->vb2_buf.timestamp, diff --git a/queue-5.4/net-rds-fix-possible-deadlock-in-rds_message_put.patch b/queue-5.4/net-rds-fix-possible-deadlock-in-rds_message_put.patch new file mode 100644 index 00000000000..77c9eb75d31 --- /dev/null +++ b/queue-5.4/net-rds-fix-possible-deadlock-in-rds_message_put.patch @@ -0,0 +1,79 @@ +From f1acf1ac84d2ae97b7889b87223c1064df850069 Mon Sep 17 00:00:00 2001 +From: Allison Henderson +Date: Thu, 8 Feb 2024 19:28:54 -0700 +Subject: net:rds: Fix possible deadlock in rds_message_put + +From: Allison Henderson + +commit f1acf1ac84d2ae97b7889b87223c1064df850069 upstream. + +Functions rds_still_queued and rds_clear_recv_queue lock a given socket +in order to safely iterate over the incoming rds messages. However +calling rds_inc_put while under this lock creates a potential deadlock. +rds_inc_put may eventually call rds_message_purge, which will lock +m_rs_lock. This is the incorrect locking order since m_rs_lock is +meant to be locked before the socket. To fix this, we move the message +item to a local list or variable that wont need rs_recv_lock protection. +Then we can safely call rds_inc_put on any item stored locally after +rs_recv_lock is released. + +Fixes: bdbe6fbc6a2f ("RDS: recv.c") +Reported-by: syzbot+f9db6ff27b9bfdcfeca0@syzkaller.appspotmail.com +Reported-by: syzbot+dcd73ff9291e6d34b3ab@syzkaller.appspotmail.com +Signed-off-by: Allison Henderson +Link: https://lore.kernel.org/r/20240209022854.200292-1-allison.henderson@oracle.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/recv.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -424,6 +424,7 @@ static int rds_still_queued(struct rds_s + struct sock *sk = rds_rs_to_sk(rs); + int ret = 0; + unsigned long flags; ++ struct rds_incoming *to_drop = NULL; + + write_lock_irqsave(&rs->rs_recv_lock, flags); + if (!list_empty(&inc->i_item)) { +@@ -434,11 +435,14 @@ static int rds_still_queued(struct rds_s + -be32_to_cpu(inc->i_hdr.h_len), + inc->i_hdr.h_dport); + list_del_init(&inc->i_item); +- rds_inc_put(inc); ++ to_drop = inc; + } + } + write_unlock_irqrestore(&rs->rs_recv_lock, flags); + ++ if (to_drop) ++ rds_inc_put(to_drop); ++ + rdsdebug("inc %p rs %p still %d dropped %d\n", inc, rs, ret, drop); + return ret; + } +@@ -761,16 +765,21 @@ void rds_clear_recv_queue(struct rds_soc + struct sock *sk = rds_rs_to_sk(rs); + struct rds_incoming *inc, *tmp; + unsigned long flags; ++ LIST_HEAD(to_drop); + + write_lock_irqsave(&rs->rs_recv_lock, flags); + list_for_each_entry_safe(inc, tmp, &rs->rs_recv_queue, i_item) { + rds_recv_rcvbuf_delta(rs, sk, inc->i_conn->c_lcong, + -be32_to_cpu(inc->i_hdr.h_len), + inc->i_hdr.h_dport); ++ list_move(&inc->i_item, &to_drop); ++ } ++ write_unlock_irqrestore(&rs->rs_recv_lock, flags); ++ ++ list_for_each_entry_safe(inc, tmp, &to_drop, i_item) { + list_del_init(&inc->i_item); + rds_inc_put(inc); + } +- write_unlock_irqrestore(&rs->rs_recv_lock, flags); + } + + /* diff --git a/queue-5.4/series b/queue-5.4/series index 51c42397a26..1cbebe20664 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -113,3 +113,7 @@ wifi-mwifiex-duplicate-static-structs-used-in-driver-instances.patch ipc-replace-costly-bailout-check-in-sysvipc_find_ipc.patch drm-amdkfd-don-t-allow-mapping-the-mmio-hdp-page-with-large-pages.patch filelock-correct-the-filelock-owner-in-fcntl_setlk-fcntl_setlk64.patch +media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch +ata-libata-core-fix-null-pointer-dereference-on-error.patch +cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch +net-rds-fix-possible-deadlock-in-rds_message_put.patch -- 2.47.3