diff --git a/patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch b/patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
new file mode 100644
index 0000000..5b43760
--- /dev/null
+++ b/patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
@@ -0,0 +1,50 @@
+From: Greg Kroah-Hartman
+Date: Wed, 12 Jan 2022 19:27:11 +0100
+Subject: [PATCH] moxart: fix potential use-after-free on remove path
+Patch-mainline: Not yet, will be fixed on the mainline soon
+References: bsc#1194516
+
+It was reported that the mmc host structure could be accessed after it
+was freed in moxart_remove(), so fix this by saving the base register of
+the device and using it instead of the pointer dereference.
+
+Cc: Ulf Hansson
+Cc: Xiyu Yang
+Cc: Xin Xiong
+Cc: Xin Tan
+Cc: Tony Lindgren
+Cc: Yang Li
+Cc: linux-mmc@vger.kernel.org
+Cc: stable
+Reported-by: whitehat002
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Vasant Karasulli
+---
+ drivers/mmc/host/moxart-mmc.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -687,6 +687,7 @@ static int moxart_remove(struct platform
+ {
+ struct mmc_host *mmc = dev_get_drvdata(&pdev->dev);
+ struct moxart_host *host = mmc_priv(mmc);
++ void __iomem *base = host->base;
+
+ dev_set_drvdata(&pdev->dev, NULL);
+
+@@ -698,10 +699,10 @@ static int moxart_remove(struct platform
+ mmc_remove_host(mmc);
+ mmc_free_host(mmc);
+
+- writel(0, host->base + REG_INTERRUPT_MASK);
+- writel(0, host->base + REG_POWER_CONTROL);
+- writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
+- host->base + REG_CLOCK_CONTROL);
++ writel(0, base + REG_INTERRUPT_MASK);
++ writel(0, base + REG_POWER_CONTROL);
++ writel(readl(base + REG_CLOCK_CONTROL) | CLK_OFF,
++ base + REG_CLOCK_CONTROL);
+ }
+ return 0;
+ }
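Review bot: The three `writel()` calls on `base` still execute after `mmc_free_host(mmc)`, so the fix is only sound if the `base` mapping outlives the host allocation — presumably a devm-managed ioremap released after remove returns, but nothing in the hunk shows that. Moving the register writes to between `mmc_remove_host(mmc)` and `mmc_free_host(mmc)` would quiesce the controller while `host` is still valid and make the cached `base` unnecessary, at the cost of reordering against whatever sits in the lines elided between the two inner hunks. The block these writes close with `}` opens outside the hunk, and the rest of `moxart_remove()` is not visible. The header's `Patch-mainline: Not yet` should be replaced by the upstream Git-commit once it lands so the backport stays traceable.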
diff --git a/patches.suse/fget-clarify-and-improve-__fget_files-implementation.patch b/patches.suse/fget-clarify-and-improve-__fget_files-implementation.patch
new file mode 100644
index 0000000..f4237f5
--- /dev/null
+++ b/patches.suse/fget-clarify-and-improve-__fget_files-implementation.patch
@@ -0,0 +1,135 @@
+From e386dfc56f837da66d00a078e5314bc8382fab83 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Fri, 10 Dec 2021 14:00:15 -0800
+Subject: [PATCH] fget: clarify and improve __fget_files() implementation
+Git-commit: e386dfc56f837da66d00a078e5314bc8382fab83
+Patch-mainline: v5.16-rc6
+References: bsc#1193727
+
+Commit 054aa8d439b9 ("fget: check that the fd still exists after getting
+a ref to it") fixed a race with getting a reference to a file just as it
+was being closed. It was a fairly minimal patch, and I didn't think
+re-checking the file pointer lookup would be a measurable overhead,
+since it was all right there and cached.
+
+But I was wrong, as pointed out by the kernel test robot.
+
+The 'poll2' case of the will-it-scale.per_thread_ops benchmark regressed
+quite noticeably. Admittedly it seems to be a very artificial test:
+doing "poll()" system calls on regular files in a very tight loop in
+multiple threads.
+
+That means that basically all the time is spent just looking up file
+descriptors without ever doing anything useful with them (not that doing
+'poll()' on a regular file is useful to begin with). And as a result it
+shows the extra "re-check fd" cost as a sore thumb.
+
+Happily, the regression is fixable by just writing the code to loook up
+the fd to be better and clearer. There's still a cost to verify the
+file pointer, but now it's basically in the noise even for that
+benchmark that does nothing else - and the code is more understandable
+and has better comments too.
+
+[ Side note: this patch is also a classic case of one that looks very
+ messy with the default greedy Myers diff - it's much more legible with
+ either the patience of histogram diff algorithm ]
+
+Link: https://lore.kernel.org/lkml/20211210053743.GA36420@xsang-OptiPlex-9020/
+Link: https://lore.kernel.org/lkml/20211213083154.GA20853@linux.intel.com/
+Reported-by: kernel test robot
+Tested-by: Carel Si
+Cc: Jann Horn
+Cc: Miklos Szeredi
+Signed-off-by: Linus Torvalds
+Acked-by: Jan Kara
+
+---
+ fs/file.c | 70 ++++++++++++++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 55 insertions(+), 15 deletions(-)
+
+--- a/fs/file.c
++++ b/fs/file.c
+@@ -706,28 +706,68 @@ void do_close_on_exec(struct files_struc
+ spin_unlock(&files->file_lock);
+ }
+
+-static struct file *__fget(unsigned int fd, fmode_t mask, unsigned int refs)
++static struct file *__fget_rcu(unsigned int fd, fmode_t mask, unsigned int refs)
+ {
+ struct files_struct *files = current->files;
+- struct file *file;
+
+- rcu_read_lock();
+-loop:
+- file = fcheck_files(files, fd);
+- if (file) {
+- /* File object ref couldn't be taken.
+- * dup2() atomicity guarantee is the reason
+- * we loop to catch the new file (or NULL pointer)
++ for (;;) {
++ struct file *file;
++ struct fdtable *fdt = rcu_dereference_raw(files->fdt);
++ struct file __rcu **fdentry;
++
++ if (unlikely(fd >= fdt->max_fds))
++ return NULL;
++
++ fdentry = fdt->fd + array_index_nospec(fd, fdt->max_fds);
++ file = rcu_dereference_raw(*fdentry);
++ if (unlikely(!file))
++ return NULL;
++
++ if (unlikely(file->f_mode & mask))
++ return NULL;
++
++ /*
++ * Ok, we have a file pointer. However, because we do
++ * this all locklessly under RCU, we may be racing with
++ * that file being closed.
++ *
++ * Such a race can take two forms:
++ *
++ * (a) the file ref already went down to zero,
++ * and get_file_rcu_many() fails. Just try
++ * again:
++ */
++ if (unlikely(!get_file_rcu_many(file, refs)))
++ continue;
++
++ /*
++ * (b) the file table entry has changed under us.
++ * Note that we don't need to re-check the 'fdt->fd'
++ * pointer having changed, because it always goes
++ * hand-in-hand with 'fdt'.
++ *
++ * If so, we need to put our refs and try again.
+ */
+- if (file->f_mode & mask)
+- file = NULL;
+- else if (!get_file_rcu_many(file, refs))
+- goto loop;
+- else if (__fcheck_files(files, fd) != file) {
++ if (unlikely(rcu_dereference_raw(files->fdt) != fdt) ||
++ unlikely(rcu_dereference_raw(*fdentry) != file)) {
+ fput_many(file, refs);
+- goto loop;
++ continue;
+ }
++
++ /*
++ * Ok, we have a ref to the file, and checked that it
++ * still exists.
++ */
++ return file;
+ }
++}
++
++static struct file *__fget(unsigned int fd, fmode_t mask, unsigned int refs)
++{
++ struct file *file;
++
++ rcu_read_lock();
++ file = __fget_rcu(fd, mask, refs);
+ rcu_read_unlock();
+
+ return file;
diff --git a/patches.suse/sctp-account-stream-padding-length-for-reconf-chunk.patch b/patches.suse/sctp-account-stream-padding-length-for-reconf-chunk.patch
new file mode 100644
index 0000000..1fd3657
--- /dev/null
+++ b/patches.suse/sctp-account-stream-padding-length-for-reconf-chunk.patch
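Review bot: `__fget_rcu()` dereferences `files->fdt` and the fd slot with `rcu_dereference_raw()`, which does no lockdep check, yet nothing on the function states that it must run under `rcu_read_lock()`; only the `__fget()` wrapper at the end of the hunk establishes that. A comment above the new definition, `/* Caller must hold rcu_read_lock(); returns NULL or a file with 'refs' references taken. */`, would pin the contract for any future direct caller. The backport also keeps the `__fget()` name this tree uses while the subject and mainline commit describe `__fget_files()`; one line in the patch header noting that adaptation would spare the next reviewer the mismatch. The closing brace of `__fget()` lies outside the hunk.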
@@ -0,0 +1,42 @@
+From: Eiichi Tsukata
+Date: Wed, 13 Oct 2021 17:27:29 -0300
+Subject: sctp: account stream padding length for reconf chunk
+Patch-mainline: v5.15-rc6
+Git-commit: a2d859e3fc97e79d907761550dbc03ff1b36479c
+References: bsc#1194985 CVE-2022-0322
+
+sctp_make_strreset_req() makes repeated calls to sctp_addto_chunk()
+which will automatically account for padding on each call. inreq and
+outreq are already 4 bytes aligned, but the payload is not and doing
+SCTP_PAD4(a + b) (which _sctp_make_chunk() did implicitly here) is
+different from SCTP_PAD4(a) + SCTP_PAD4(b) and not enough. It led to
+possible attempt to use more buffer than it was allocated and triggered
+a BUG_ON.
+
+Cc: Vlad Yasevich
+Cc: Neil Horman
+Cc: Greg KH
+Fixes: cc16f00f6529 ("sctp: add support for generating stream reconf ssn reset request chunk")
+Reported-by: Eiichi Tsukata
+Signed-off-by: Eiichi Tsukata
+Signed-off-by: Marcelo Ricardo Leitner
+Signed-off-by: Marcelo Ricardo Leitner
+Reviewed-by: Xin Long
+Link: https://lore.kernel.org/r/b97c1f8b0c7ff79ac4ed206fc2c49d3612e0850c.1634156849.git.mleitner@redhat.com
+Signed-off-by: Jakub Kicinski
+Acked-by: Thomas Bogendoerfer
+---
+ net/sctp/sm_make_chunk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -3647,7 +3647,7 @@ struct sctp_chunk *sctp_make_strreset_re
+ outlen = (sizeof(outreq) + stream_len) * out;
+ inlen = (sizeof(inreq) + stream_len) * in;
+
+- retval = sctp_make_reconf(asoc, outlen + inlen);
++ retval = sctp_make_reconf(asoc, SCTP_PAD4(outlen) + SCTP_PAD4(inlen));
+ if (!retval)
+ return NULL;
+
diff --git a/patches.suse/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch b/patches.suse/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch
new file mode 100644
index 0000000..1089523
--- /dev/null
+++ b/patches.suse/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch
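Review bot: The per-part padding is explained only in the commit message; the call `sctp_make_reconf(asoc, SCTP_PAD4(outlen) + SCTP_PAD4(inlen))` reads as if `SCTP_PAD4(outlen + inlen)` were equivalent, which is exactly the undersizing this patch fixes. A comment on the preceding line, `/* sctp_addto_chunk() pads each part separately, so size each part padded */`, would keep a later cleanup from folding the two back together. The products feeding `outlen` and `inlen` depend on `stream_len`, `out` and `in`, whose bounds are not in the hunk, so whether the sum itself can overflow is not checkable here. The rest of `sctp_make_strreset_req()` lies outside the hunk.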
@@ -0,0 +1,46 @@
+From 032146cda85566abcd1c4884d9d23e4e30a07e9a Mon Sep 17 00:00:00 2001
+From: Matthew Wilcox (Oracle)
+Date: Mon Oct 18 15:16:12 2021 -0700
+Subject: [PATCH] vfs: check fd has read access in kernel_read_file_from_fd()
+Git-commit: 032146cda85566abcd1c4884d9d23e4e30a07e9a
+References: bsc#1194888
+Patch-mainline: v5.15-rc7
+
+
+If we open a file without read access and then pass the fd to a syscall
+whose implementation calls kernel_read_file_from_fd(), we get a warning
+from __kernel_read():
+
+ if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ)))
+
+This currently affects both finit_module() and kexec_file_load(), but it
+could affect other syscalls in the future.
+
+Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org
+Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()")
+Signed-off-by: Matthew Wilcox (Oracle)
+Reported-by: Hao Sun
+Reviewed-by: Kees Cook
+Acked-by: Christian Brauner
+Cc: Al Viro
+Cc: Mimi Zohar
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Acked-by: Goldwyn Rodrigues
+
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -988,7 +988,7 @@
+ struct fd f = fdget(fd);
+ int ret = -EBADF;
+
+- if (!f.file)
++ if (!f.file || !(f.file->f_mode & FMODE_READ))
+ goto out;
+
+ ret = kernel_read_file(f.file, buf, size, max_size, id);
diff --git a/patches.suse/vfs-fs_context-fix-up-param-length-parsing-in-legacy.patch b/patches.suse/vfs-fs_context-fix-up-param-length-parsing-in-legacy.patch
new file mode 100644
index 0000000..dc6cb95
--- /dev/null
+++ b/patches.suse/vfs-fs_context-fix-up-param-length-parsing-in-legacy.patch
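Review bot: The new condition reuses the pre-set `ret = -EBADF` for an fd that exists but was not opened for reading, so the two failure reasons collapse into one test; that matches what read(2) reports, but the code itself does not say so. A comment above the `if`, `/* EBADF for a missing fd and for one not opened for reading, as read(2) does */`, would make the intent explicit and would also record why the check sits here rather than relying on the `WARN_ON_ONCE` in `__kernel_read()` cited in the description. The inner hunk header carries no function name; the `fdget(fd)` context line shows the enclosing function, presumably `kernel_read_file_from_fd()`, starts before the hunk, and the `out:` label it jumps to is not visible.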
@@ -0,0 +1,43 @@
+From 722d94847de29310e8aa03fcbdb41fc92c521756 Mon Sep 17 00:00:00 2001
+From: Jamie Hill-Daniel
+Date: Tue, 18 Jan 2022 08:06:04 +0100
+Subject: [PATCH] vfs: fs_context: fix up param length parsing in
+ legacy_parse_param
+References: CVE-2022-0185 bsc#1194517
+Patch-mainline: v5.17-rc1
+Git-commit: 722d94847de29310e8aa03fcbdb41fc92c521756
+
+The "PAGE_SIZE - 2 - size" calculation in legacy_parse_param() is an
+unsigned type so a large value of "size" results in a high positive
+value instead of a negative value as expected. Fix this by getting rid
+of the subtraction.
+
+Signed-off-by: Jamie Hill-Daniel
+Signed-off-by: William Liu
+Tested-by: Salvatore Bonaccorso
+Tested-by: Thadeu Lima de Souza Cascardo
+Acked-by: Dan Carpenter
+Acked-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Linus Torvalds
+Acked-by: David Disseldorp
+---
+ fs/fs_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fs_context.c b/fs/fs_context.c
+index b7e43a780a62..24ce12f0db32 100644
+--- a/fs/fs_context.c
++++ b/fs/fs_context.c
+@@ -548,7 +548,7 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
+ param->key);
+ }
+
+- if (len > PAGE_SIZE - 2 - size)
++ if (size + len + 2 > PAGE_SIZE)
+ return invalf(fc, "VFS: Legacy: Cumulative options too large");
+ if (strchr(param->key, ',') ||
+ (param->type == fs_value_is_string &&
+--
+2.31.1
+
diff --git a/series.conf b/series.conf
index bbd0659..ab605dc 100644
--- a/series.conf
+++ b/series.conf
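Review bot: The rewritten test `size + len + 2 > PAGE_SIZE` avoids the unsigned underflow but is itself only safe while `size` and `len` are each far below `SIZE_MAX` so the sum cannot wrap; the hunk does not show where `len` comes from, so that bound is inferred, not verified. Since the subtraction form is the natural way to write this check and is the CVE-2022-0185 root cause, a comment on the new line, `/* written additively: PAGE_SIZE - 2 - size wraps once size exceeds PAGE_SIZE - 2 */`, would keep a later cleanup from reintroducing it. The rest of `legacy_parse_param()`, including where `size` is maintained, is outside the hunk.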
@@ -52729,6 +52729,7 @@
 patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_tg_l.patch
 patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_in_s.patch
 patches.suse/mlxsw-thermal-Fix-out-of-bounds-memory-accesses.patch
+ patches.suse/sctp-account-stream-padding-length-for-reconf-chunk.patch
 patches.suse/drm-msm-Avoid-potential-overflow-in-timeout_to_jiffi.patch
 patches.suse/drm-msm-mdp5-fix-cursor-related-warnings.patch
 patches.suse/drm-msm-Fix-null-pointer-dereference-on-pointer-edp.patch
@@ -52768,6 +52769,7 @@
 patches.suse/ata-ahci_platform-fix-null-ptr-deref-in-ahci_platfor.patch
 patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch
 patches.suse/elfcore-correct-reference-to-CONFIG_UML.patch
+ patches.suse/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch
 patches.suse/audit-fix-possible-null-pointer-dereference-in-audit.patch
 patches.suse/ALSA-usb-audio-Add-Schiit-Hel-device-to-mixer-map-qu.patch
 patches.suse/ALSA-hda-realtek-Add-quirk-for-Clevo-PC50HS.patch
@@ -53440,6 +53442,7 @@
 patches.suse/USB-gadget-zero-allocate-endpoint-0-buffers.patch
 patches.suse/usb-core-config-fix-validation-of-wMaxPacketValue-en.patch
 patches.suse/usb-core-config-using-bit-mask-instead-of-individual.patch
+ patches.suse/fget-clarify-and-improve-__fget_files-implementation.patch
 patches.suse/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
 patches.suse/clk-Don-t-parent-clks-until-the-parent-is-fully-regi.patch
 patches.suse/firmware-tegra-Fix-error-application-of-sizeof-to-po.patch
@@ -53740,6 +53743,7 @@
 patches.suse/Input-ti_am335x_tsc-set-ADCREFM-for-X-configuration.patch
 patches.suse/Input-ti_am335x_tsc-fix-STEPCONFIG-setup-for-Z2.patch
 patches.suse/ACPI-APD-Check-for-NULL-pointer-after-calling-devm_i.patch
+ patches.suse/vfs-fs_context-fix-up-param-length-parsing-in-legacy.patch
 patches.suse/rpmsg-core-Clean-up-resources-on-announce_create-fai.patch
 patches.suse/Documentation-dmaengine-Correctly-describe-dmatest-w.patch
 patches.suse/dmaengine-at_xdmac-Don-t-start-transactions-at-tx_su.patch
@@ -53787,6 +53791,7 @@
 patches.suse/SUNRPC-improve-swap-handling-scheduling-and-PF_MEMAL.patch
 patches.suse/SUNRPC-remove-scheduling-boost-for-SWAPPER-tasks.patch
 patches.suse/SUNRPC-xprt-async-tasks-mustn-t-block-waiting-for-me.patch
+ patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
 ########################################################
 # kbuild/module infrastructure fixes