November 2022 - Linux-stable-mirror

backport "wifi: mac80211: fix memory free error when registering wiphy fail"

by Nick

I think the patch 50b2e8711462409cd368c41067405aa446dfa2af ("wifi: mac80211: fix memory free error when registering wiphy fail") should be backported to 5.15 as its fixing memory handling. Already run-tested with OpenWrt on 5.15 kernel. Bests Nick

3 years

2
1
0 0

[PATCH 2/5] pwm: jz4740: Fix pin level of disabled TCU2 channels, part 2

by Paul Cercueil

After commit a020f22a4ff5 ("pwm: jz4740: Make PWM start with the active part"), the trick to set duty > period to properly shut down TCU2 channels did not work anymore, because of the polarity inversion. Address this issue by restoring the proper polarity before disabling the channels. Fixes: a020f22a4ff5 ("pwm: jz4740: Make PWM start with the active part") Signed-off-by: Paul Cercueil <paul(a)crapouillou.net> Cc: stable(a)vger.kernel.org --- drivers/pwm/pwm-jz4740.c | 62 ++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 22 deletions(-) diff --git a/drivers/pwm/pwm-jz4740.c b/drivers/pwm/pwm-jz4740.c index 228eb104bf1e..65462a0052af 100644 --- a/drivers/pwm/pwm-jz4740.c +++ b/drivers/pwm/pwm-jz4740.c @@ -97,6 +97,19 @@ static int jz4740_pwm_enable(struct pwm_chip *chip, struct pwm_device *pwm) return 0; } +static void jz4740_pwm_set_polarity(struct jz4740_pwm_chip *jz, + unsigned int hwpwm, + enum pwm_polarity polarity) +{ + unsigned int value = 0; + + if (polarity == PWM_POLARITY_INVERSED) + value = TCU_TCSR_PWM_INITL_HIGH; + + regmap_update_bits(jz->map, TCU_REG_TCSRc(hwpwm), + TCU_TCSR_PWM_INITL_HIGH, value); +} + static void jz4740_pwm_disable(struct pwm_chip *chip, struct pwm_device *pwm) { struct jz4740_pwm_chip *jz = to_jz4740(chip); @@ -130,6 +143,7 @@ static int jz4740_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, unsigned long long tmp = 0xffffull * NSEC_PER_SEC; struct clk *clk = pwm_get_chip_data(pwm); unsigned long period, duty; + enum pwm_polarity polarity; long rate; int err; @@ -169,6 +183,9 @@ static int jz4740_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, if (duty >= period) duty = period - 1; + /* Restore regular polarity before disabling the channel. */ + jz4740_pwm_set_polarity(jz4740, pwm->hwpwm, state->polarity); + jz4740_pwm_disable(chip, pwm); err = clk_set_rate(clk, rate); @@ -190,29 +207,30 @@ static int jz4740_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, regmap_update_bits(jz4740->map, TCU_REG_TCSRc(pwm->hwpwm), TCU_TCSR_PWM_SD, TCU_TCSR_PWM_SD); - /* - * Set polarity. - * - * The PWM starts in inactive state until the internal timer reaches the - * duty value, then becomes active until the timer reaches the period - * value. In theory, we should then use (period - duty) as the real duty - * value, as a high duty value would otherwise result in the PWM pin - * being inactive most of the time. - * - * Here, we don't do that, and instead invert the polarity of the PWM - * when it is active. This trick makes the PWM start with its active - * state instead of its inactive state. - */ - if ((state->polarity == PWM_POLARITY_NORMAL) ^ state->enabled) - regmap_update_bits(jz4740->map, TCU_REG_TCSRc(pwm->hwpwm), - TCU_TCSR_PWM_INITL_HIGH, 0); - else - regmap_update_bits(jz4740->map, TCU_REG_TCSRc(pwm->hwpwm), - TCU_TCSR_PWM_INITL_HIGH, - TCU_TCSR_PWM_INITL_HIGH); - - if (state->enabled) + if (state->enabled) { + /* + * Set polarity. + * + * The PWM starts in inactive state until the internal timer + * reaches the duty value, then becomes active until the timer + * reaches the period value. In theory, we should then use + * (period - duty) as the real duty value, as a high duty value + * would otherwise result in the PWM pin being inactive most of + * the time. + * + * Here, we don't do that, and instead invert the polarity of + * the PWM when it is active. This trick makes the PWM start + * with its active state instead of its inactive state. + */ + if (state->polarity == PWM_POLARITY_NORMAL) + polarity = PWM_POLARITY_INVERSED; + else + polarity = PWM_POLARITY_NORMAL; + + jz4740_pwm_set_polarity(jz4740, pwm->hwpwm, polarity); + jz4740_pwm_enable(chip, pwm); + } return 0; } -- 2.35.1

3 years

3
9
0 0

FAILED: patch "[PATCH] ext4: fix use-after-free in ext4_ext_shift_extents" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: f6b1a1cf1c3e ("ext4: fix use-after-free in ext4_ext_shift_extents") 1811bc401aa5 ("ext4: refresh the ext4_ext_path struct after dropping i_data_sem.") 4268496e48dc ("ext4: ensure enough credits in ext4_ext_shift_path_extents") 4756ee183f25 ("ext4: use true,false for bool variable") 83448bdfb597 ("ext4: Reserve revoke credits for freed blocks") fdc3ef882a5d ("jbd2: Reserve space for revoke descriptor blocks") ec8b6f600e49 ("jbd2: Factor out common parts of stopping and restarting a handle") 5559b2d81b51 ("jbd2: Drop pointless wakeup from jbd2_journal_stop()") dfaf5ffda227 ("jbd2: Reorganize jbd2_journal_stop()") a9a8344ee171 ("ext4, jbd2: Provide accessor function for handle credits") a413036791d0 ("ext4: Provide function to handle transaction restarts") 6cb367c2d1f8 ("ext4: Use ext4_journal_extend() instead of jbd2_journal_extend()") 538bcaa6261b ("jbd2: fix race when writing superblock") 32ea275008d8 ("jbd2: update locking documentation for transaction_t") fb265c9cb49e ("ext4: add ext4_sb_bread() to disambiguate ENOMEM cases") 53692ec074d0 ("ext4: fix buffer leak in ext4_expand_extra_isize_ea() on error path") 4f32c38b4662 ("ext4: avoid possible double brelse() in add_new_gdb() on error path") 0b02f4c0d6d9 ("ext4: fix reserved cluster accounting at delayed write time") 1dc0aa46e74a ("ext4: add new pending reservation mechanism") ad431025aecd ("ext4: generalize extents status tree search functions") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f6b1a1cf1c3ee430d3f5e47847047ce789a690aa Mon Sep 17 00:00:00 2001 From: Baokun Li <libaokun1(a)huawei.com> Date: Thu, 22 Sep 2022 20:04:34 +0800 Subject: [PATCH] ext4: fix use-after-free in ext4_ext_shift_extents MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the starting position of our insert range happens to be in the hole between the two ext4_extent_idx, because the lblk of the ext4_extent in the previous ext4_extent_idx is always less than the start, which leads to the "extent" variable access across the boundary, the following UAF is triggered: ================================================================== BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790 Read of size 4 at addr ffff88819807a008 by task fallocate/8010 CPU: 3 PID: 8010 Comm: fallocate Tainted: G E 5.10.0+ #492 Call Trace: dump_stack+0x7d/0xa3 print_address_description.constprop.0+0x1e/0x220 kasan_report.cold+0x67/0x7f ext4_ext_shift_extents+0x257/0x790 ext4_insert_range+0x5b6/0x700 ext4_fallocate+0x39e/0x3d0 vfs_fallocate+0x26f/0x470 ksys_fallocate+0x3a/0x70 __x64_sys_fallocate+0x4f/0x60 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 ================================================================== For right shifts, we can divide them into the following situations： 1. When the first ee_block of ext4_extent_idx is greater than or equal to start, make right shifts directly from the first ee_block. 1) If it is greater than start, we need to continue searching in the previous ext4_extent_idx. 2) If it is equal to start, we can exit the loop (iterator=NULL). 2. When the first ee_block of ext4_extent_idx is less than start, then traverse from the last extent to find the first extent whose ee_block is less than start. 1) If extent is still the last extent after traversal, it means that the last ee_block of ext4_extent_idx is less than start, that is, start is located in the hole between idx and (idx+1), so we can exit the loop directly (break) without right shifts. 2) Otherwise, make right shifts at the corresponding position of the found extent, and then exit the loop (iterator=NULL). Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate") Cc: stable(a)vger.kernel.org # v4.2+ Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Link: https://lore.kernel.org/r/20220922120434.1294789-1-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index f1956288307f..6c399a8b22b3 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -5184,6 +5184,7 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, * and it is decreased till we reach start. */ again: + ret = 0; if (SHIFT == SHIFT_LEFT) iterator = &start; else @@ -5227,14 +5228,21 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, ext4_ext_get_actual_len(extent); } else { extent = EXT_FIRST_EXTENT(path[depth].p_hdr); - if (le32_to_cpu(extent->ee_block) > 0) + if (le32_to_cpu(extent->ee_block) > start) *iterator = le32_to_cpu(extent->ee_block) - 1; - else - /* Beginning is reached, end of the loop */ + else if (le32_to_cpu(extent->ee_block) == start) iterator = NULL; - /* Update path extent in case we need to stop */ - while (le32_to_cpu(extent->ee_block) < start) + else { + extent = EXT_LAST_EXTENT(path[depth].p_hdr); + while (le32_to_cpu(extent->ee_block) >= start) + extent--; + + if (extent == EXT_LAST_EXTENT(path[depth].p_hdr)) + break; + extent++; + iterator = NULL; + } path[depth].p_ext = extent; } ret = ext4_ext_shift_path_extents(path, shift, inode,

3 years

1
0
0 0

FAILED: patch "[PATCH] ext4: fix use-after-free in ext4_ext_shift_extents" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: f6b1a1cf1c3e ("ext4: fix use-after-free in ext4_ext_shift_extents") 1811bc401aa5 ("ext4: refresh the ext4_ext_path struct after dropping i_data_sem.") 4268496e48dc ("ext4: ensure enough credits in ext4_ext_shift_path_extents") 4756ee183f25 ("ext4: use true,false for bool variable") 83448bdfb597 ("ext4: Reserve revoke credits for freed blocks") fdc3ef882a5d ("jbd2: Reserve space for revoke descriptor blocks") ec8b6f600e49 ("jbd2: Factor out common parts of stopping and restarting a handle") 5559b2d81b51 ("jbd2: Drop pointless wakeup from jbd2_journal_stop()") dfaf5ffda227 ("jbd2: Reorganize jbd2_journal_stop()") a9a8344ee171 ("ext4, jbd2: Provide accessor function for handle credits") a413036791d0 ("ext4: Provide function to handle transaction restarts") 6cb367c2d1f8 ("ext4: Use ext4_journal_extend() instead of jbd2_journal_extend()") 538bcaa6261b ("jbd2: fix race when writing superblock") 32ea275008d8 ("jbd2: update locking documentation for transaction_t") fb265c9cb49e ("ext4: add ext4_sb_bread() to disambiguate ENOMEM cases") 53692ec074d0 ("ext4: fix buffer leak in ext4_expand_extra_isize_ea() on error path") 4f32c38b4662 ("ext4: avoid possible double brelse() in add_new_gdb() on error path") 0b02f4c0d6d9 ("ext4: fix reserved cluster accounting at delayed write time") 1dc0aa46e74a ("ext4: add new pending reservation mechanism") ad431025aecd ("ext4: generalize extents status tree search functions") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f6b1a1cf1c3ee430d3f5e47847047ce789a690aa Mon Sep 17 00:00:00 2001 From: Baokun Li <libaokun1(a)huawei.com> Date: Thu, 22 Sep 2022 20:04:34 +0800 Subject: [PATCH] ext4: fix use-after-free in ext4_ext_shift_extents MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the starting position of our insert range happens to be in the hole between the two ext4_extent_idx, because the lblk of the ext4_extent in the previous ext4_extent_idx is always less than the start, which leads to the "extent" variable access across the boundary, the following UAF is triggered: ================================================================== BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790 Read of size 4 at addr ffff88819807a008 by task fallocate/8010 CPU: 3 PID: 8010 Comm: fallocate Tainted: G E 5.10.0+ #492 Call Trace: dump_stack+0x7d/0xa3 print_address_description.constprop.0+0x1e/0x220 kasan_report.cold+0x67/0x7f ext4_ext_shift_extents+0x257/0x790 ext4_insert_range+0x5b6/0x700 ext4_fallocate+0x39e/0x3d0 vfs_fallocate+0x26f/0x470 ksys_fallocate+0x3a/0x70 __x64_sys_fallocate+0x4f/0x60 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 ================================================================== For right shifts, we can divide them into the following situations： 1. When the first ee_block of ext4_extent_idx is greater than or equal to start, make right shifts directly from the first ee_block. 1) If it is greater than start, we need to continue searching in the previous ext4_extent_idx. 2) If it is equal to start, we can exit the loop (iterator=NULL). 2. When the first ee_block of ext4_extent_idx is less than start, then traverse from the last extent to find the first extent whose ee_block is less than start. 1) If extent is still the last extent after traversal, it means that the last ee_block of ext4_extent_idx is less than start, that is, start is located in the hole between idx and (idx+1), so we can exit the loop directly (break) without right shifts. 2) Otherwise, make right shifts at the corresponding position of the found extent, and then exit the loop (iterator=NULL). Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate") Cc: stable(a)vger.kernel.org # v4.2+ Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Link: https://lore.kernel.org/r/20220922120434.1294789-1-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index f1956288307f..6c399a8b22b3 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -5184,6 +5184,7 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, * and it is decreased till we reach start. */ again: + ret = 0; if (SHIFT == SHIFT_LEFT) iterator = &start; else @@ -5227,14 +5228,21 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, ext4_ext_get_actual_len(extent); } else { extent = EXT_FIRST_EXTENT(path[depth].p_hdr); - if (le32_to_cpu(extent->ee_block) > 0) + if (le32_to_cpu(extent->ee_block) > start) *iterator = le32_to_cpu(extent->ee_block) - 1; - else - /* Beginning is reached, end of the loop */ + else if (le32_to_cpu(extent->ee_block) == start) iterator = NULL; - /* Update path extent in case we need to stop */ - while (le32_to_cpu(extent->ee_block) < start) + else { + extent = EXT_LAST_EXTENT(path[depth].p_hdr); + while (le32_to_cpu(extent->ee_block) >= start) + extent--; + + if (extent == EXT_LAST_EXTENT(path[depth].p_hdr)) + break; + extent++; + iterator = NULL; + } path[depth].p_ext = extent; } ret = ext4_ext_shift_path_extents(path, shift, inode,

3 years

1
0
0 0

FAILED: patch "[PATCH] ext4: fix use-after-free in ext4_ext_shift_extents" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: f6b1a1cf1c3e ("ext4: fix use-after-free in ext4_ext_shift_extents") 1811bc401aa5 ("ext4: refresh the ext4_ext_path struct after dropping i_data_sem.") 4268496e48dc ("ext4: ensure enough credits in ext4_ext_shift_path_extents") 4756ee183f25 ("ext4: use true,false for bool variable") 83448bdfb597 ("ext4: Reserve revoke credits for freed blocks") fdc3ef882a5d ("jbd2: Reserve space for revoke descriptor blocks") ec8b6f600e49 ("jbd2: Factor out common parts of stopping and restarting a handle") 5559b2d81b51 ("jbd2: Drop pointless wakeup from jbd2_journal_stop()") dfaf5ffda227 ("jbd2: Reorganize jbd2_journal_stop()") a9a8344ee171 ("ext4, jbd2: Provide accessor function for handle credits") a413036791d0 ("ext4: Provide function to handle transaction restarts") 6cb367c2d1f8 ("ext4: Use ext4_journal_extend() instead of jbd2_journal_extend()") 538bcaa6261b ("jbd2: fix race when writing superblock") 32ea275008d8 ("jbd2: update locking documentation for transaction_t") fb265c9cb49e ("ext4: add ext4_sb_bread() to disambiguate ENOMEM cases") 53692ec074d0 ("ext4: fix buffer leak in ext4_expand_extra_isize_ea() on error path") 4f32c38b4662 ("ext4: avoid possible double brelse() in add_new_gdb() on error path") 0b02f4c0d6d9 ("ext4: fix reserved cluster accounting at delayed write time") 1dc0aa46e74a ("ext4: add new pending reservation mechanism") ad431025aecd ("ext4: generalize extents status tree search functions") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f6b1a1cf1c3ee430d3f5e47847047ce789a690aa Mon Sep 17 00:00:00 2001 From: Baokun Li <libaokun1(a)huawei.com> Date: Thu, 22 Sep 2022 20:04:34 +0800 Subject: [PATCH] ext4: fix use-after-free in ext4_ext_shift_extents MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the starting position of our insert range happens to be in the hole between the two ext4_extent_idx, because the lblk of the ext4_extent in the previous ext4_extent_idx is always less than the start, which leads to the "extent" variable access across the boundary, the following UAF is triggered: ================================================================== BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790 Read of size 4 at addr ffff88819807a008 by task fallocate/8010 CPU: 3 PID: 8010 Comm: fallocate Tainted: G E 5.10.0+ #492 Call Trace: dump_stack+0x7d/0xa3 print_address_description.constprop.0+0x1e/0x220 kasan_report.cold+0x67/0x7f ext4_ext_shift_extents+0x257/0x790 ext4_insert_range+0x5b6/0x700 ext4_fallocate+0x39e/0x3d0 vfs_fallocate+0x26f/0x470 ksys_fallocate+0x3a/0x70 __x64_sys_fallocate+0x4f/0x60 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 ================================================================== For right shifts, we can divide them into the following situations： 1. When the first ee_block of ext4_extent_idx is greater than or equal to start, make right shifts directly from the first ee_block. 1) If it is greater than start, we need to continue searching in the previous ext4_extent_idx. 2) If it is equal to start, we can exit the loop (iterator=NULL). 2. When the first ee_block of ext4_extent_idx is less than start, then traverse from the last extent to find the first extent whose ee_block is less than start. 1) If extent is still the last extent after traversal, it means that the last ee_block of ext4_extent_idx is less than start, that is, start is located in the hole between idx and (idx+1), so we can exit the loop directly (break) without right shifts. 2) Otherwise, make right shifts at the corresponding position of the found extent, and then exit the loop (iterator=NULL). Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate") Cc: stable(a)vger.kernel.org # v4.2+ Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Link: https://lore.kernel.org/r/20220922120434.1294789-1-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index f1956288307f..6c399a8b22b3 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -5184,6 +5184,7 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, * and it is decreased till we reach start. */ again: + ret = 0; if (SHIFT == SHIFT_LEFT) iterator = &start; else @@ -5227,14 +5228,21 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, ext4_ext_get_actual_len(extent); } else { extent = EXT_FIRST_EXTENT(path[depth].p_hdr); - if (le32_to_cpu(extent->ee_block) > 0) + if (le32_to_cpu(extent->ee_block) > start) *iterator = le32_to_cpu(extent->ee_block) - 1; - else - /* Beginning is reached, end of the loop */ + else if (le32_to_cpu(extent->ee_block) == start) iterator = NULL; - /* Update path extent in case we need to stop */ - while (le32_to_cpu(extent->ee_block) < start) + else { + extent = EXT_LAST_EXTENT(path[depth].p_hdr); + while (le32_to_cpu(extent->ee_block) >= start) + extent--; + + if (extent == EXT_LAST_EXTENT(path[depth].p_hdr)) + break; + extent++; + iterator = NULL; + } path[depth].p_ext = extent; } ret = ext4_ext_shift_path_extents(path, shift, inode,

3 years

1
0
0 0

FAILED: patch "[PATCH] ext4: fix use-after-free in ext4_ext_shift_extents" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: f6b1a1cf1c3e ("ext4: fix use-after-free in ext4_ext_shift_extents") 1811bc401aa5 ("ext4: refresh the ext4_ext_path struct after dropping i_data_sem.") 4268496e48dc ("ext4: ensure enough credits in ext4_ext_shift_path_extents") 4756ee183f25 ("ext4: use true,false for bool variable") 83448bdfb597 ("ext4: Reserve revoke credits for freed blocks") fdc3ef882a5d ("jbd2: Reserve space for revoke descriptor blocks") ec8b6f600e49 ("jbd2: Factor out common parts of stopping and restarting a handle") 5559b2d81b51 ("jbd2: Drop pointless wakeup from jbd2_journal_stop()") dfaf5ffda227 ("jbd2: Reorganize jbd2_journal_stop()") a9a8344ee171 ("ext4, jbd2: Provide accessor function for handle credits") a413036791d0 ("ext4: Provide function to handle transaction restarts") 6cb367c2d1f8 ("ext4: Use ext4_journal_extend() instead of jbd2_journal_extend()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f6b1a1cf1c3ee430d3f5e47847047ce789a690aa Mon Sep 17 00:00:00 2001 From: Baokun Li <libaokun1(a)huawei.com> Date: Thu, 22 Sep 2022 20:04:34 +0800 Subject: [PATCH] ext4: fix use-after-free in ext4_ext_shift_extents MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the starting position of our insert range happens to be in the hole between the two ext4_extent_idx, because the lblk of the ext4_extent in the previous ext4_extent_idx is always less than the start, which leads to the "extent" variable access across the boundary, the following UAF is triggered: ================================================================== BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790 Read of size 4 at addr ffff88819807a008 by task fallocate/8010 CPU: 3 PID: 8010 Comm: fallocate Tainted: G E 5.10.0+ #492 Call Trace: dump_stack+0x7d/0xa3 print_address_description.constprop.0+0x1e/0x220 kasan_report.cold+0x67/0x7f ext4_ext_shift_extents+0x257/0x790 ext4_insert_range+0x5b6/0x700 ext4_fallocate+0x39e/0x3d0 vfs_fallocate+0x26f/0x470 ksys_fallocate+0x3a/0x70 __x64_sys_fallocate+0x4f/0x60 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 ================================================================== For right shifts, we can divide them into the following situations： 1. When the first ee_block of ext4_extent_idx is greater than or equal to start, make right shifts directly from the first ee_block. 1) If it is greater than start, we need to continue searching in the previous ext4_extent_idx. 2) If it is equal to start, we can exit the loop (iterator=NULL). 2. When the first ee_block of ext4_extent_idx is less than start, then traverse from the last extent to find the first extent whose ee_block is less than start. 1) If extent is still the last extent after traversal, it means that the last ee_block of ext4_extent_idx is less than start, that is, start is located in the hole between idx and (idx+1), so we can exit the loop directly (break) without right shifts. 2) Otherwise, make right shifts at the corresponding position of the found extent, and then exit the loop (iterator=NULL). Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate") Cc: stable(a)vger.kernel.org # v4.2+ Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Link: https://lore.kernel.org/r/20220922120434.1294789-1-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index f1956288307f..6c399a8b22b3 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -5184,6 +5184,7 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, * and it is decreased till we reach start. */ again: + ret = 0; if (SHIFT == SHIFT_LEFT) iterator = &start; else @@ -5227,14 +5228,21 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, ext4_ext_get_actual_len(extent); } else { extent = EXT_FIRST_EXTENT(path[depth].p_hdr); - if (le32_to_cpu(extent->ee_block) > 0) + if (le32_to_cpu(extent->ee_block) > start) *iterator = le32_to_cpu(extent->ee_block) - 1; - else - /* Beginning is reached, end of the loop */ + else if (le32_to_cpu(extent->ee_block) == start) iterator = NULL; - /* Update path extent in case we need to stop */ - while (le32_to_cpu(extent->ee_block) < start) + else { + extent = EXT_LAST_EXTENT(path[depth].p_hdr); + while (le32_to_cpu(extent->ee_block) >= start) + extent--; + + if (extent == EXT_LAST_EXTENT(path[depth].p_hdr)) + break; + extent++; + iterator = NULL; + } path[depth].p_ext = extent; } ret = ext4_ext_shift_path_extents(path, shift, inode,

3 years

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: gadget: Clear ep descriptor last" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: f90f5afd5083 ("usb: dwc3: gadget: Clear ep descriptor last") ffb9da4a04c6 ("usb: dwc3: gadget: Return -ESHUTDOWN on ep disable") b44c0e7fef51 ("usb: dwc3: gadget: conditionally remove requests") 5aef629704ad ("usb: dwc3: gadget: Clear DEP flags after stop transfers in ep disable") f09ddcfcb8c5 ("usb: dwc3: gadget: Prevent EP queuing while stopping transfers") a1383b3537a7 ("usb: dwc3: gadget: Restart DWC3 gadget when enabling pullup") ae7e86108b12 ("usb: dwc3: Stop active transfers before halting the controller") 140ca4cfea8a ("usb: dwc3: gadget: Handle stream transfers") e0d19563eb6c ("usb: dwc3: gadget: Wait for transfer completion") 3eaecd0c2333 ("usb: dwc3: gadget: Handle XferComplete for streams") da10bcdd6f70 ("usb: dwc3: gadget: Delay starting transfer") d3abda5a98a1 ("usb: dwc3: gadget: Clear started flag for non-IOC") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f90f5afd5083a7cb4aee13bd4cc0ae600bd381ca Mon Sep 17 00:00:00 2001 From: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Date: Tue, 15 Nov 2022 17:19:43 -0800 Subject: [PATCH] usb: dwc3: gadget: Clear ep descriptor last Until the endpoint is disabled, its descriptors should remain valid. When its requests are removed from ep disable, the request completion routine may attempt to access the endpoint's descriptor. Don't clear the descriptors before that. Fixes: f09ddcfcb8c5 ("usb: dwc3: gadget: Prevent EP queuing while stopping transfers") Cc: stable(a)vger.kernel.org Signed-off-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Link: https://lore.kernel.org/r/45db7c83b209259115bf652af210f8b2b3b1a383.16685613… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 8b4cfa07539d..6d524fa76443 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -1024,12 +1024,6 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep) reg &= ~DWC3_DALEPENA_EP(dep->number); dwc3_writel(dwc->regs, DWC3_DALEPENA, reg); - /* Clear out the ep descriptors for non-ep0 */ - if (dep->number > 1) { - dep->endpoint.comp_desc = NULL; - dep->endpoint.desc = NULL; - } - dwc3_remove_requests(dwc, dep, -ESHUTDOWN); dep->stream_capable = false; @@ -1044,6 +1038,12 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep) mask |= (DWC3_EP_DELAY_STOP | DWC3_EP_TRANSFER_STARTED); dep->flags &= mask; + /* Clear out the ep descriptors for non-ep0 */ + if (dep->number > 1) { + dep->endpoint.comp_desc = NULL; + dep->endpoint.desc = NULL; + } + return 0; }

3 years

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: gadget: Clear ep descriptor last" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: f90f5afd5083 ("usb: dwc3: gadget: Clear ep descriptor last") ffb9da4a04c6 ("usb: dwc3: gadget: Return -ESHUTDOWN on ep disable") b44c0e7fef51 ("usb: dwc3: gadget: conditionally remove requests") 5aef629704ad ("usb: dwc3: gadget: Clear DEP flags after stop transfers in ep disable") f09ddcfcb8c5 ("usb: dwc3: gadget: Prevent EP queuing while stopping transfers") a1383b3537a7 ("usb: dwc3: gadget: Restart DWC3 gadget when enabling pullup") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f90f5afd5083a7cb4aee13bd4cc0ae600bd381ca Mon Sep 17 00:00:00 2001 From: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Date: Tue, 15 Nov 2022 17:19:43 -0800 Subject: [PATCH] usb: dwc3: gadget: Clear ep descriptor last Until the endpoint is disabled, its descriptors should remain valid. When its requests are removed from ep disable, the request completion routine may attempt to access the endpoint's descriptor. Don't clear the descriptors before that. Fixes: f09ddcfcb8c5 ("usb: dwc3: gadget: Prevent EP queuing while stopping transfers") Cc: stable(a)vger.kernel.org Signed-off-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Link: https://lore.kernel.org/r/45db7c83b209259115bf652af210f8b2b3b1a383.16685613… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 8b4cfa07539d..6d524fa76443 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -1024,12 +1024,6 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep) reg &= ~DWC3_DALEPENA_EP(dep->number); dwc3_writel(dwc->regs, DWC3_DALEPENA, reg); - /* Clear out the ep descriptors for non-ep0 */ - if (dep->number > 1) { - dep->endpoint.comp_desc = NULL; - dep->endpoint.desc = NULL; - } - dwc3_remove_requests(dwc, dep, -ESHUTDOWN); dep->stream_capable = false; @@ -1044,6 +1038,12 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep) mask |= (DWC3_EP_DELAY_STOP | DWC3_EP_TRANSFER_STARTED); dep->flags &= mask; + /* Clear out the ep descriptors for non-ep0 */ + if (dep->number > 1) { + dep->endpoint.comp_desc = NULL; + dep->endpoint.desc = NULL; + } + return 0; }

3 years

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: gadget: Clear ep descriptor last" failed to apply to 6.0-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.0-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: f90f5afd5083 ("usb: dwc3: gadget: Clear ep descriptor last") ffb9da4a04c6 ("usb: dwc3: gadget: Return -ESHUTDOWN on ep disable") b44c0e7fef51 ("usb: dwc3: gadget: conditionally remove requests") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f90f5afd5083a7cb4aee13bd4cc0ae600bd381ca Mon Sep 17 00:00:00 2001 From: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Date: Tue, 15 Nov 2022 17:19:43 -0800 Subject: [PATCH] usb: dwc3: gadget: Clear ep descriptor last Until the endpoint is disabled, its descriptors should remain valid. When its requests are removed from ep disable, the request completion routine may attempt to access the endpoint's descriptor. Don't clear the descriptors before that. Fixes: f09ddcfcb8c5 ("usb: dwc3: gadget: Prevent EP queuing while stopping transfers") Cc: stable(a)vger.kernel.org Signed-off-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Link: https://lore.kernel.org/r/45db7c83b209259115bf652af210f8b2b3b1a383.16685613… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 8b4cfa07539d..6d524fa76443 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -1024,12 +1024,6 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep) reg &= ~DWC3_DALEPENA_EP(dep->number); dwc3_writel(dwc->regs, DWC3_DALEPENA, reg); - /* Clear out the ep descriptors for non-ep0 */ - if (dep->number > 1) { - dep->endpoint.comp_desc = NULL; - dep->endpoint.desc = NULL; - } - dwc3_remove_requests(dwc, dep, -ESHUTDOWN); dep->stream_capable = false; @@ -1044,6 +1038,12 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep) mask |= (DWC3_EP_DELAY_STOP | DWC3_EP_TRANSFER_STARTED); dep->flags &= mask; + /* Clear out the ep descriptors for non-ep0 */ + if (dep->number > 1) { + dep->endpoint.comp_desc = NULL; + dep->endpoint.desc = NULL; + } + return 0; }

3 years

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: gadget: Clear ep descriptor last" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: f90f5afd5083 ("usb: dwc3: gadget: Clear ep descriptor last") ffb9da4a04c6 ("usb: dwc3: gadget: Return -ESHUTDOWN on ep disable") b44c0e7fef51 ("usb: dwc3: gadget: conditionally remove requests") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f90f5afd5083a7cb4aee13bd4cc0ae600bd381ca Mon Sep 17 00:00:00 2001 From: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Date: Tue, 15 Nov 2022 17:19:43 -0800 Subject: [PATCH] usb: dwc3: gadget: Clear ep descriptor last Until the endpoint is disabled, its descriptors should remain valid. When its requests are removed from ep disable, the request completion routine may attempt to access the endpoint's descriptor. Don't clear the descriptors before that. Fixes: f09ddcfcb8c5 ("usb: dwc3: gadget: Prevent EP queuing while stopping transfers") Cc: stable(a)vger.kernel.org Signed-off-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Link: https://lore.kernel.org/r/45db7c83b209259115bf652af210f8b2b3b1a383.16685613… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 8b4cfa07539d..6d524fa76443 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -1024,12 +1024,6 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep) reg &= ~DWC3_DALEPENA_EP(dep->number); dwc3_writel(dwc->regs, DWC3_DALEPENA, reg); - /* Clear out the ep descriptors for non-ep0 */ - if (dep->number > 1) { - dep->endpoint.comp_desc = NULL; - dep->endpoint.desc = NULL; - } - dwc3_remove_requests(dwc, dep, -ESHUTDOWN); dep->stream_capable = false; @@ -1044,6 +1038,12 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep) mask |= (DWC3_EP_DELAY_STOP | DWC3_EP_TRANSFER_STARTED); dep->flags &= mask; + /* Clear out the ep descriptors for non-ep0 */ + if (dep->number > 1) { + dep->endpoint.comp_desc = NULL; + dep->endpoint.desc = NULL; + } + return 0; }

3 years

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror November 2022