October 2023 - Linux-stable-mirror

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.19.282 release. There are 29 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 26 Apr 2023 13:11:11 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.282-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.19.282-rc1 Ekaterina Orlova <vorobushek.ok(a)gmail.com> ASN.1: Fix check for strdup() success Dan Carpenter <error27(a)gmail.com> iio: adc: at91-sama5d2_adc: fix an error code in at91_adc_allocate_trigger() William Breathitt Gray <william.gray(a)linaro.org> counter: 104-quad-8: Fix race condition between FLAG and CNTR reads Kuniyuki Iwashima <kuniyu(a)amazon.com> sctp: Call inet6_destroy_sock() via sk->sk_destruct(). Kuniyuki Iwashima <kuniyu(a)amazon.com> dccp: Call inet6_destroy_sock() via sk->sk_destruct(). Kuniyuki Iwashima <kuniyu(a)amazon.com> inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). Kuniyuki Iwashima <kuniyu(a)amazon.com> udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM). Baokun Li <libaokun1(a)huawei.com> ext4: fix use-after-free in ext4_xattr_set_entry Ritesh Harjani <riteshh(a)linux.ibm.com> ext4: remove duplicate definition of ext4_xattr_ibody_inline_set() Tudor Ambarus <tudor.ambarus(a)linaro.org> Revert "ext4: fix use-after-free in ext4_xattr_set_entry" Pingfan Liu <kernelfans(a)gmail.com> x86/purgatory: Don't generate debug info for purgatory.ro Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> memstick: fix memory leak if card device is never registered Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: initialize unused bytes in segment summary blocks Juergen Gross <jgross(a)suse.com> xen/netback: use same error messages for same errors Heiko Carstens <hca(a)linux.ibm.com> s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling Álvaro Fernández Rojas <noltari(a)gmail.com> net: dsa: b53: mmap: add phy ops Damien Le Moal <damien.lemoal(a)opensource.wdc.com> scsi: core: Improve scsi_vpd_inquiry() checks Tomas Henzl <thenzl(a)redhat.com> scsi: megaraid_sas: Fix fw_crash_buffer_show() Nick Desaulniers <ndesaulniers(a)google.com> selftests: sigaltstack: fix -Wuninitialized Jonathan Denose <jdenose(a)chromium.org> Input: i8042 - add quirk for Fujitsu Lifebook A574/H Douglas Raillard <douglas.raillard(a)arm.com> f2fs: Fix f2fs_truncate_partial_nodes ftrace event Sebastian Basierski <sebastianx.basierski(a)intel.com> e1000e: Disable TSO on i219-LM card to increase speed Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next() Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> i40e: fix i40e_setup_misc_vector() error handling Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> i40e: fix accessing vsi->active_filters without holding lock Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> virtio_net: bugfix overflow inside xdp_linearize_page() Gwangun Jung <exsociety(a)gmail.com> net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg Jianqun Xu <jay.xu(a)rock-chips.com> ARM: dts: rockchip: fix a typo error for rk3288 spdif node ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/rk3288.dtsi | 2 +- arch/s390/kernel/ptrace.c | 8 +--- arch/x86/purgatory/Makefile | 5 ++- drivers/iio/adc/at91-sama5d2_adc.c | 2 +- drivers/iio/counter/104-quad-8.c | 14 +----- drivers/input/serio/i8042-x86ia64io.h | 8 ++++ drivers/memstick/core/memstick.c | 5 ++- drivers/net/dsa/b53/b53_mmap.c | 14 ++++++ drivers/net/ethernet/intel/e1000e/netdev.c | 51 +++++++++++----------- drivers/net/ethernet/intel/i40e/i40e_main.c | 9 ++-- .../ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c | 2 + drivers/net/virtio_net.c | 8 +++- drivers/net/xen-netback/netback.c | 6 +-- drivers/scsi/megaraid/megaraid_sas_base.c | 2 +- drivers/scsi/scsi.c | 11 ++++- fs/ext4/inline.c | 11 +++-- fs/ext4/xattr.c | 26 +---------- fs/ext4/xattr.h | 6 +-- fs/nilfs2/segment.c | 20 +++++++++ include/net/ipv6.h | 2 + include/net/udp.h | 2 +- include/net/udplite.h | 8 ---- include/trace/events/f2fs.h | 2 +- net/dccp/dccp.h | 1 + net/dccp/ipv6.c | 15 ++++--- net/dccp/proto.c | 8 +++- net/ipv4/udp.c | 9 ++-- net/ipv4/udplite.c | 8 ++++ net/ipv6/af_inet6.c | 15 ++++++- net/ipv6/ipv6_sockglue.c | 20 ++++----- net/ipv6/ping.c | 6 --- net/ipv6/raw.c | 2 - net/ipv6/tcp_ipv6.c | 8 +--- net/ipv6/udp.c | 17 ++++++-- net/ipv6/udp_impl.h | 1 + net/ipv6/udplite.c | 9 +++- net/l2tp/l2tp_ip6.c | 2 - net/sched/sch_qfq.c | 13 +++--- net/sctp/socket.c | 29 ++++++++---- scripts/asn1_compiler.c | 2 +- .../selftests/sigaltstack/current_stack_pointer.h | 23 ++++++++++ tools/testing/selftests/sigaltstack/sas.c | 7 +-- 43 files changed, 251 insertions(+), 172 deletions(-)

1 year, 3 months

7
43
0 0

[PATCH] media: mtk-jpeg: Fix use after free bug due to uncanceled work

by Zheng Wang

This is a security bug that has been reported to google. It affected all platforms on chrome-os. Please apply this patch to 5.10. Due to the directory structure change, the file path to be patched is different from that in upstream. [ Upstream commit c677d7ae83141d390d1253abebafa49c962afb52 ] In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in the mtk_jpeg_remove CPU0 CPU1 |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Reviewed-by: Alexandre Mergnat <amergnat(a)baylibre.com> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Cc: stable(a)vger.kernel.org --- drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c index 227245ccaedc..753c7c7be358 100644 --- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c @@ -1447,6 +1447,7 @@ static int mtk_jpeg_remove(struct platform_device *pdev) { struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); + cancel_delayed_work_sync(&jpeg->job_timeout_work); pm_runtime_disable(&pdev->dev); video_unregister_device(jpeg->vdev); video_device_release(jpeg->vdev); -- 2.25.1

1 year, 3 months

2
1
0 0

Re: [PATCH] riscv: signal: fix sigaltstack frame size checking

by Aurelien Jarno

Hi, The patch below is an important fix, as it is necessary to run rustc on riscv. It has been merged as commit 14a270bfab7ab1c4b605c01eeca5557447ad5a2b. I have seen that other commits from the same pull request have already been queued for 6.5, but not this one. Would it be possible to queue it for stable 6.5? Thanks Aurelien On 2023-08-22 16:49, Andy Chiu wrote: > The alternative stack checking in get_sigframe introduced by the Vector > support is not needed and has a problem. It is not needed as we have > already validate it at the beginning of the function if we are already > on an altstack. If not, the size of an altstack is always validated at > its allocation stage with sigaltstack_size_valid(). > > Besides, we must only regard the size of an altstack if the handler of a > signal is registered with SA_ONSTACK. So, blindly checking overflow of > an altstack if sas_ss_size not equals to zero will check against wrong > signal handlers if only a subset of signals are registered with > SA_ONSTACK. > > Fixes: 8ee0b41898fa ("riscv: signal: Add sigcontext save/restore for vector") > Reported-by: Prashanth Swaminathan <prashanthsw(a)google.com> > Signed-off-by: Andy Chiu <andy.chiu(a)sifive.com> > --- > arch/riscv/kernel/signal.c | 7 ------- > 1 file changed, 7 deletions(-) > > diff --git a/arch/riscv/kernel/signal.c b/arch/riscv/kernel/signal.c > index 180d951d3624..21a4d0e111bc 100644 > --- a/arch/riscv/kernel/signal.c > +++ b/arch/riscv/kernel/signal.c > @@ -311,13 +311,6 @@ static inline void __user *get_sigframe(struct ksignal *ksig, > /* Align the stack frame. */ > sp &= ~0xfUL; > > - /* > - * Fail if the size of the altstack is not large enough for the > - * sigframe construction. > - */ > - if (current->sas_ss_size && sp < current->sas_ss_sp) > - return (void __user __force *)-1UL; > - > return (void __user *)sp; > } > > -- > 2.17.1 > > > _______________________________________________ > linux-riscv mailing list > linux-riscv(a)lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-riscv > -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien(a)aurel32.net http://aurel32.net

1 year, 3 months

2
1
0 0

[PATCH] media: mtk-jpeg: Fix use after free bug due to uncanceled work

by Zheng Wang

This is a security bug that has been reported to google. It affected all platforms on chrome-os. Please apply this patch to 5.10. Due to the directory structure change, the file path to be be patched is different from that in upstream. [ Upstream commit c677d7ae83141d390d1253abebafa49c962afb52 ] In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in the mtk_jpeg_remove CPU0 CPU1 |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Reviewed-by: Alexandre Mergnat <amergnat(a)baylibre.com> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Cc: stable(a)vger.kernel.org --- drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c index ee802fc3bcdf..67c9ca4cfcd2 100644 --- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c @@ -1189,6 +1189,7 @@ static int mtk_jpeg_remove(struct platform_device *pdev) { struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); + ancel_delayed_work_sync(&jpeg->job_timeout_work); pm_runtime_disable(&pdev->dev); video_unregister_device(jpeg->dec_vdev); video_device_release(jpeg->dec_vdev); -- 2.25.1

1 year, 3 months

2
1
0 0

[PATCH] media: mtk-jpeg: Fix use after free bug due to uncanceled work

by Zheng Wang

This is a security bug that has been reported to google. It affected all platforms on chrome-os. Please apply this patch to 5.15. Due to the directory structure change, the file path to be patched is different from that in upstream. [ Upstream commit c677d7ae83141d390d1253abebafa49c962afb52 ] In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in the mtk_jpeg_remove CPU0 CPU1 |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Reviewed-by: Alexandre Mergnat <amergnat(a)baylibre.com> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Cc: stable(a)vger.kernel.org --- drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c index a89c7b206eef..d3af699ad72f 100644 --- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c @@ -1455,6 +1455,7 @@ static int mtk_jpeg_remove(struct platform_device *pdev) { struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); + cancel_delayed_work_sync(&jpeg->job_timeout_work); pm_runtime_disable(&pdev->dev); video_unregister_device(jpeg->vdev); video_device_release(jpeg->vdev); -- 2.25.1

1 year, 3 months

1
0
0 0

[PATCH AUTOSEL 6.5 1/7] x86/reboot: VMCLEAR active VMCSes before emergency reboot

by Sasha Levin

From: Sean Christopherson <seanjc(a)google.com> [ Upstream commit b23c83ad2c638420ec0608a9de354507c41bec29 ] VMCLEAR active VMCSes before any emergency reboot, not just if the kernel may kexec into a new kernel after a crash. Per Intel's SDM, the VMX architecture doesn't require the CPU to flush the VMCS cache on INIT. If an emergency reboot doesn't RESET CPUs, cached VMCSes could theoretically be kept and only be written back to memory after the new kernel is booted, i.e. could effectively corrupt memory after reboot. Opportunistically remove the setting of the global pointer to NULL to make checkpatch happy. Cc: Andrew Cooper <Andrew.Cooper3(a)citrix.com> Link: https://lore.kernel.org/r/20230721201859.2307736-2-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/include/asm/kexec.h | 2 -- arch/x86/include/asm/reboot.h | 2 ++ arch/x86/kernel/crash.c | 31 ------------------------------- arch/x86/kernel/reboot.c | 22 ++++++++++++++++++++++ arch/x86/kvm/vmx/vmx.c | 10 +++------- 5 files changed, 27 insertions(+), 40 deletions(-) diff --git a/arch/x86/include/asm/kexec.h b/arch/x86/include/asm/kexec.h index 5b77bbc28f969..819046974b997 100644 --- a/arch/x86/include/asm/kexec.h +++ b/arch/x86/include/asm/kexec.h @@ -205,8 +205,6 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image); #endif #endif -typedef void crash_vmclear_fn(void); -extern crash_vmclear_fn __rcu *crash_vmclear_loaded_vmcss; extern void kdump_nmi_shootdown_cpus(void); #endif /* __ASSEMBLY__ */ diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h index 9177b4354c3f5..dc201724a6433 100644 --- a/arch/x86/include/asm/reboot.h +++ b/arch/x86/include/asm/reboot.h @@ -25,6 +25,8 @@ void __noreturn machine_real_restart(unsigned int type); #define MRR_BIOS 0 #define MRR_APM 1 +typedef void crash_vmclear_fn(void); +extern crash_vmclear_fn __rcu *crash_vmclear_loaded_vmcss; void cpu_emergency_disable_virtualization(void); typedef void (*nmi_shootdown_cb)(int, struct pt_regs*); diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c index cdd92ab43cda4..54cd959cb3160 100644 --- a/arch/x86/kernel/crash.c +++ b/arch/x86/kernel/crash.c @@ -48,38 +48,12 @@ struct crash_memmap_data { unsigned int type; }; -/* - * This is used to VMCLEAR all VMCSs loaded on the - * processor. And when loading kvm_intel module, the - * callback function pointer will be assigned. - * - * protected by rcu. - */ -crash_vmclear_fn __rcu *crash_vmclear_loaded_vmcss = NULL; -EXPORT_SYMBOL_GPL(crash_vmclear_loaded_vmcss); - -static inline void cpu_crash_vmclear_loaded_vmcss(void) -{ - crash_vmclear_fn *do_vmclear_operation = NULL; - - rcu_read_lock(); - do_vmclear_operation = rcu_dereference(crash_vmclear_loaded_vmcss); - if (do_vmclear_operation) - do_vmclear_operation(); - rcu_read_unlock(); -} - #if defined(CONFIG_SMP) && defined(CONFIG_X86_LOCAL_APIC) static void kdump_nmi_callback(int cpu, struct pt_regs *regs) { crash_save_cpu(regs, cpu); - /* - * VMCLEAR VMCSs loaded on all cpus if needed. - */ - cpu_crash_vmclear_loaded_vmcss(); - /* * Disable Intel PT to stop its logging */ @@ -133,11 +107,6 @@ void native_machine_crash_shutdown(struct pt_regs *regs) crash_smp_send_stop(); - /* - * VMCLEAR VMCSs loaded on this cpu if needed. - */ - cpu_crash_vmclear_loaded_vmcss(); - cpu_emergency_disable_virtualization(); /* diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c index 3adbe97015c13..3fa4c6717a1db 100644 --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c @@ -787,6 +787,26 @@ void machine_crash_shutdown(struct pt_regs *regs) } #endif +/* + * This is used to VMCLEAR all VMCSs loaded on the + * processor. And when loading kvm_intel module, the + * callback function pointer will be assigned. + * + * protected by rcu. + */ +crash_vmclear_fn __rcu *crash_vmclear_loaded_vmcss; +EXPORT_SYMBOL_GPL(crash_vmclear_loaded_vmcss); + +static inline void cpu_crash_vmclear_loaded_vmcss(void) +{ + crash_vmclear_fn *do_vmclear_operation = NULL; + + rcu_read_lock(); + do_vmclear_operation = rcu_dereference(crash_vmclear_loaded_vmcss); + if (do_vmclear_operation) + do_vmclear_operation(); + rcu_read_unlock(); +} /* This is the CPU performing the emergency shutdown work. */ int crashing_cpu = -1; @@ -798,6 +818,8 @@ int crashing_cpu = -1; */ void cpu_emergency_disable_virtualization(void) { + cpu_crash_vmclear_loaded_vmcss(); + cpu_emergency_vmxoff(); cpu_emergency_svm_disable(); } diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index df461f387e20d..f60fb79fea881 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -41,7 +41,7 @@ #include <asm/idtentry.h> #include <asm/io.h> #include <asm/irq_remapping.h> -#include <asm/kexec.h> +#include <asm/reboot.h> #include <asm/perf_event.h> #include <asm/mmu_context.h> #include <asm/mshyperv.h> @@ -754,7 +754,6 @@ static int vmx_set_guest_uret_msr(struct vcpu_vmx *vmx, return ret; } -#ifdef CONFIG_KEXEC_CORE static void crash_vmclear_local_loaded_vmcss(void) { int cpu = raw_smp_processor_id(); @@ -764,7 +763,6 @@ static void crash_vmclear_local_loaded_vmcss(void) loaded_vmcss_on_cpu_link) vmcs_clear(v->vmcs); } -#endif /* CONFIG_KEXEC_CORE */ static void __loaded_vmcs_clear(void *arg) { @@ -8622,10 +8620,9 @@ static void __vmx_exit(void) { allow_smaller_maxphyaddr = false; -#ifdef CONFIG_KEXEC_CORE RCU_INIT_POINTER(crash_vmclear_loaded_vmcss, NULL); synchronize_rcu(); -#endif + vmx_cleanup_l1d_flush(); } @@ -8674,10 +8671,9 @@ static int __init vmx_init(void) pi_init_cpu(cpu); } -#ifdef CONFIG_KEXEC_CORE rcu_assign_pointer(crash_vmclear_loaded_vmcss, crash_vmclear_local_loaded_vmcss); -#endif + vmx_check_vmcs12_offsets(); /* -- 2.40.1

1 year, 3 months

2
7
0 0

[RESEND PATCH v2] media: mtk-jpeg: Fix use after free bug due to uncanceled work

by Zheng Wang

This is a security bug that has been reported to google. It affected all platforms on chrome-os. Please apply this patch to 4.14 4.19 5.4 5.10 and 5.15. [ Upstream commit c677d7ae83141d390d1253abebafa49c962afb52 ] In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in the mtk_jpeg_remove CPU0 CPU1 |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Reviewed-by: Alexandre Mergnat <amergnat(a)baylibre.com> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Cc: stable(a)vger.kernel.org --- - v2: use cancel_delayed_work_sync instead of cancel_delayed_work suggested by Kyrie. --- drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c index 0051f372a66c..6069ecf420b0 100644 --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c @@ -1816,6 +1816,7 @@ static void mtk_jpeg_remove(struct platform_device *pdev) { struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); + cancel_delayed_work_sync(&jpeg->job_timeout_work); pm_runtime_disable(&pdev->dev); video_unregister_device(jpeg->vdev); v4l2_m2m_release(jpeg->m2m_dev); -- 2.25.1

1 year, 3 months

3
2
0 0

[PATCH 1/2] powerpc/platforms/pseries: Fix STK_PARAM access in the hcall tracing code

by Athira Rajeev

In powerpc pseries system, below behaviour is observed while enabling tracing on hcall: # cd /sys/kernel/debug/tracing/ # cat events/powerpc/hcall_exit/enable 0 # echo 1 > events/powerpc/hcall_exit/enable # ls -bash: fork: Bad address Above is from power9 lpar with latest kernel. Past this, softlockup is observed. Initially while attempting via perf_event_open to use "PERF_TYPE_TRACEPOINT", kernel panic was observed. perf config used: ================ memset(&pe[1],0,sizeof(struct perf_event_attr)); pe[1].type=PERF_TYPE_TRACEPOINT; pe[1].size=96; pe[1].config=0x26ULL; /* 38 raw_syscalls/sys_exit */ pe[1].sample_type=0; /* 0 */ pe[1].read_format=PERF_FORMAT_TOTAL_TIME_ENABLED|PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_ID|PERF_FORMAT_GROUP|0x10ULL; /* 1f */ pe[1].inherit=1; pe[1].precise_ip=0; /* arbitrary skid */ pe[1].wakeup_events=0; pe[1].bp_type=HW_BREAKPOINT_EMPTY; pe[1].config1=0x1ULL; Kernel panic logs: ================== Kernel attempted to read user page (8) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000008 Faulting instruction address: 0xc0000000004c2814 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: nfnetlink bonding tls rfkill sunrpc dm_service_time dm_multipath pseries_rng xts vmx_crypto xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ibmvfc scsi_transport_fc ibmveth dm_mirror dm_region_hash dm_log dm_mod fuse CPU: 0 PID: 1431 Comm: login Not tainted 6.4.0+ #1 Hardware name: IBM,8375-42A POWER9 (raw) 0x4e0202 0xf000005 of:IBM,FW950.30 (VL950_892) hv:phyp pSeries NIP [c0000000004c2814] page_remove_rmap+0x44/0x320 LR [c00000000049c2a4] wp_page_copy+0x384/0xec0 Call Trace: [c0000000098c7ad0] [c00000001416e400] 0xc00000001416e400 (unreliable) [c0000000098c7b20] [c00000000049c2a4] wp_page_copy+0x384/0xec0 [c0000000098c7bf0] [c0000000004a4f64] __handle_mm_fault+0x9d4/0xfb0 [c0000000098c7cf0] [c0000000004a5630] handle_mm_fault+0xf0/0x350 [c0000000098c7d40] [c000000000094e8c] ___do_page_fault+0x48c/0xc90 [c0000000098c7df0] [c0000000000958a0] hash__do_page_fault+0x30/0x70 [c0000000098c7e20] [c00000000009e244] do_hash_fault+0x1a4/0x330 [c0000000098c7e50] [c000000000008918] data_access_common_virt+0x198/0x1f0 --- interrupt: 300 at 0x7fffae971abc git bisect tracked this down to below commit: 'commit baa49d81a94b ("powerpc/pseries: hvcall stack frame overhead")' This commit changed STACK_FRAME_OVERHEAD (112 ) to STACK_FRAME_MIN_SIZE (32 ) since 32 bytes is the minimum size for ELFv2 stack. With the latest kernel, when running on ELFv2, STACK_FRAME_MIN_SIZE is used to allocate stack size. During plpar_hcall_trace, first call is made to HCALL_INST_PRECALL which saves the registers and allocates new stack frame. In the plpar_hcall_trace code, STK_PARAM is accessed at two places. 1. To save r4: std r4,STK_PARAM(R4)(r1) 2. To access r4 back: ld r12,STK_PARAM(R4)(r1) HCALL_INST_PRECALL precall allocates a new stack frame. So all the stack parameter access after the precall, needs to be accessed with +STACK_FRAME_MIN_SIZE. So the store instruction should be: std r4,STACK_FRAME_MIN_SIZE+STK_PARAM(R4)(r1) If the "std" is not updated with STACK_FRAME_MIN_SIZE, we will end up with overwriting stack contents and cause corruption. But instead of updating 'std', we can instead remove it since HCALL_INST_PRECALL already saves it to the correct location. similarly load instruction should be: ld r12,STACK_FRAME_MIN_SIZE+STK_PARAM(R4)(r1) Fix the load instruction to correctly access the stack parameter with +STACK_FRAME_MIN_SIZE and remove the store of r4 since the precall saves it correctly. Cc: stable(a)vger.kernel.org Fixes: baa49d81a94b ("powerpc/pseries: hvcall stack frame overhead") Co-developed-by: Naveen N Rao <naveen(a)kernel.org> Signed-off-by: Naveen N Rao <naveen(a)kernel.org> Signed-off-by: Athira Rajeev <atrajeev(a)linux.vnet.ibm.com> --- arch/powerpc/platforms/pseries/hvCall.S | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arch/powerpc/platforms/pseries/hvCall.S b/arch/powerpc/platforms/pseries/hvCall.S index bae45b358a09..2addf2ea03f0 100644 --- a/arch/powerpc/platforms/pseries/hvCall.S +++ b/arch/powerpc/platforms/pseries/hvCall.S @@ -184,7 +184,6 @@ _GLOBAL_TOC(plpar_hcall) plpar_hcall_trace: HCALL_INST_PRECALL(R5) - std r4,STK_PARAM(R4)(r1) mr r0,r4 mr r4,r5 @@ -196,7 +195,7 @@ plpar_hcall_trace: HVSC - ld r12,STK_PARAM(R4)(r1) + ld r12,STACK_FRAME_MIN_SIZE+STK_PARAM(R4)(r1) std r4,0(r12) std r5,8(r12) std r6,16(r12) @@ -296,7 +295,6 @@ _GLOBAL_TOC(plpar_hcall9) plpar_hcall9_trace: HCALL_INST_PRECALL(R5) - std r4,STK_PARAM(R4)(r1) mr r0,r4 mr r4,r5 -- 2.39.3

1 year, 3 months

2
1
0 0

[PATCH v1] usb: typec: tcpm: Add additional checks for contaminant

by Badhri Jagan Sridharan

When transitioning from SNK_DEBOUNCED to unattached, its worthwhile to check for contaminant to mitigate wakeups. ``` [81334.219571] Start toggling [81334.228220] CC1: 0 -> 0, CC2: 0 -> 0 [state TOGGLING, polarity 0, disconnected] [81334.305147] CC1: 0 -> 0, CC2: 0 -> 3 [state TOGGLING, polarity 0, connected] [81334.305162] state change TOGGLING -> SNK_ATTACH_WAIT [rev3 NONE_AMS] [81334.305187] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev3 NONE_AMS] [81334.475515] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms] [81334.486480] CC1: 0 -> 0, CC2: 3 -> 0 [state SNK_DEBOUNCED, polarity 0, disconnected] [81334.486495] state change SNK_DEBOUNCED -> SNK_DEBOUNCED [rev3 NONE_AMS] [81334.486515] pending state change SNK_DEBOUNCED -> SNK_UNATTACHED @ 20 ms [rev3 NONE_AMS] [81334.506621] state change SNK_DEBOUNCED -> SNK_UNATTACHED [delayed 20 ms] [81334.506640] Start toggling [81334.516972] CC1: 0 -> 0, CC2: 0 -> 0 [state TOGGLING, polarity 0, disconnected] [81334.592759] CC1: 0 -> 0, CC2: 0 -> 3 [state TOGGLING, polarity 0, connected] [81334.592773] state change TOGGLING -> SNK_ATTACH_WAIT [rev3 NONE_AMS] [81334.592792] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev3 NONE_AMS] [81334.762940] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms] [81334.773557] CC1: 0 -> 0, CC2: 3 -> 0 [state SNK_DEBOUNCED, polarity 0, disconnected] [81334.773570] state change SNK_DEBOUNCED -> SNK_DEBOUNCED [rev3 NONE_AMS] [81334.773588] pending state change SNK_DEBOUNCED -> SNK_UNATTACHED @ 20 ms [rev3 NONE_AMS] [81334.793672] state change SNK_DEBOUNCED -> SNK_UNATTACHED [delayed 20 ms] [81334.793681] Start toggling [81334.801840] CC1: 0 -> 0, CC2: 0 -> 0 [state TOGGLING, polarity 0, disconnected] [81334.878655] CC1: 0 -> 0, CC2: 0 -> 3 [state TOGGLING, polarity 0, connected] [81334.878672] state change TOGGLING -> SNK_ATTACH_WAIT [rev3 NONE_AMS] [81334.878696] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev3 NONE_AMS] [81335.048968] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms] [81335.060684] CC1: 0 -> 0, CC2: 3 -> 0 [state SNK_DEBOUNCED, polarity 0, disconnected] [81335.060754] state change SNK_DEBOUNCED -> SNK_DEBOUNCED [rev3 NONE_AMS] [81335.060775] pending state change SNK_DEBOUNCED -> SNK_UNATTACHED @ 20 ms [rev3 NONE_AMS] [81335.080884] state change SNK_DEBOUNCED -> SNK_UNATTACHED [delayed 20 ms] [81335.080900] Start toggling ``` Cc: stable(a)vger.kernel.org Fixes: 00bdc7e4e0f56 ("usb: typec: tcpm: Add callbacks to mitigate wakeups due to contaminant") Signed-off-by: Badhri Jagan Sridharan <badhri(a)google.com> --- drivers/usb/typec/tcpm/tcpm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 6e843c511b85..3634f9092a84 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -3903,7 +3903,9 @@ static void run_state_machine(struct tcpm_port *port) port->potential_contaminant = ((port->enter_state == SRC_ATTACH_WAIT && port->state == SRC_UNATTACHED) || (port->enter_state == SNK_ATTACH_WAIT && - port->state == SNK_UNATTACHED)); + port->state == SNK_UNATTACHED) || + (port->enter_state == SNK_DEBOUNCED && + port->state == SNK_UNATTACHED)); port->enter_state = port->state; switch (port->state) { base-commit: 1034cc423f1b4a7a9a56d310ca980fcd2753e11d -- 2.42.0.655.g421f12c284-goog

1 year, 3 months

1
1
0 0

[PATCH v1] usb: typec: tcpm: Check for sink pdp op current only for pd

by Badhri Jagan Sridharan

TCPM checks for sink caps operational current even when PD is disabled. This incorrectly sets tcpm_set_charge() when PD is disabled. Check for sink caps only when PD is disabled. [ 97.572342] Start toggling [ 97.578949] CC1: 0 -> 0, CC2: 0 -> 0 [state TOGGLING, polarity 0, disconnected] [ 99.571648] CC1: 0 -> 0, CC2: 0 -> 4 [state TOGGLING, polarity 0, connected] [ 99.571658] state change TOGGLING -> SNK_ATTACH_WAIT [rev3 NONE_AMS] [ 99.571673] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev3 NONE_AMS] [ 99.741778] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms] [ 99.789283] CC1: 0 -> 0, CC2: 4 -> 5 [state SNK_DEBOUNCED, polarity 0, connected] [ 99.789306] state change SNK_DEBOUNCED -> SNK_DEBOUNCED [rev3 NONE_AMS] [ 99.903584] VBUS on [ 99.903591] state change SNK_DEBOUNCED -> SNK_ATTACHED [rev3 NONE_AMS] [ 99.903600] polarity 1 [ 99.910155] enable vbus discharge ret:0 [ 99.910160] Requesting mux state 1, usb-role 2, orientation 2 [ 99.946791] state change SNK_ATTACHED -> SNK_STARTUP [rev3 NONE_AMS] [ 99.946798] state change SNK_STARTUP -> SNK_DISCOVERY [rev3 NONE_AMS] [ 99.946800] Setting voltage/current limit 5000 mV 500 mA [ 99.946803] vbus=0 charge:=1 [ 100.027139] state change SNK_DISCOVERY -> SNK_READY [rev3 NONE_AMS] [ 100.027145] Setting voltage/current limit 5000 mV 3000 mA [ 100.466830] VBUS on Cc: stable(a)vger.kernel.org Fixes: 34fde9ec08a3 ("FROMGIT: usb: typec: tcpm: not sink vbus if operational current is 0mA") Signed-off-by: Badhri Jagan Sridharan <badhri(a)google.com> --- drivers/usb/typec/tcpm/tcpm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 6e843c511b85..994493481c24 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -4268,7 +4268,8 @@ static void run_state_machine(struct tcpm_port *port) current_lim = PD_P_SNK_STDBY_MW / 5; tcpm_set_current_limit(port, current_lim, 5000); /* Not sink vbus if operational current is 0mA */ - tcpm_set_charge(port, !!pdo_max_current(port->snk_pdo[0])); + tcpm_set_charge(port, port->pd_supported ? + !!pdo_max_current(port->snk_pdo[0]) : true); if (!port->pd_supported) tcpm_set_state(port, SNK_READY, 0); base-commit: 1034cc423f1b4a7a9a56d310ca980fcd2753e11d -- 2.42.0.655.g421f12c284-goog

1 year, 3 months

2
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2023