author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-29 13:32:37 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-29 13:32:37 +0200 |
commit | 261385bdf5d803038f637583a3f63080f41b7fd2 (patch) | |
tree | c3690f66911dba82ca7f6e45d50e64ac0582dda8 | |
parent | d83522c258c6f89a2f8a8949b76ce10e0219c272 (diff) | |
download | stable-queue-261385bdf5d803038f637583a3f63080f41b7fd2.tar.gz |
5.10-stable patches
added patches:
bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch
bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch
btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch
cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch
5 files changed, 404 insertions, 0 deletions
diff --git a/queue-5.10/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch b/queue-5.10/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch
new file mode 100644
index 0000000000..134fa5e902
--- /dev/null
+++ b/queue-5.10/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch
@@ -0,0 +1,69 @@
+From d1a5a7eede2977da3d2002d5ea3b519019cc1a98 Mon Sep 17 00:00:00 2001
+From: WangYuli <wangyuli@uniontech.com>
+Date: Fri, 29 Mar 2024 10:34:39 +0800
+Subject: Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853
+
+From: WangYuli <wangyuli@uniontech.com>
+
+commit d1a5a7eede2977da3d2002d5ea3b519019cc1a98 upstream.
+
+Add the support ID(0x0bda, 0x4853) to usb_device_id table for
+Realtek RTL8852BE.
+
+Without this change the device utilizes an obsolete version of
+the firmware that is encoded in it rather than the updated Realtek
+firmware and config files from the firmware directory. The latter
+files implement many new features.
+
+The device table is as follows:
+
+T: Bus=03 Lev=01 Prnt=01 Port=09 Cnt=03 Dev#= 4 Spd=12 MxCh= 0
+D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0bda ProdID=4853 Rev= 0.00
+S: Manufacturer=Realtek
+S: Product=Bluetooth Radio
+S: SerialNumber=00e04c000001
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -418,6 +418,8 @@ static const struct usb_device_id blackl
+ /* Realtek 8852BE Bluetooth devices */
+ { USB_DEVICE(0x0cb8, 0xc559), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
++ { USB_DEVICE(0x0bda, 0x4853), .driver_info = BTUSB_REALTEK |
++ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0bda, 0x887b), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0bda, 0xb85b), .driver_info = BTUSB_REALTEK |
diff --git a/queue-5.10/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch b/queue-5.10/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch
new file mode 100644
index 0000000000..1b309997f4
--- /dev/null
+++ b/queue-5.10/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch
@@ -0,0 +1,128 @@
+From 9bf4e919ccad613b3596eebf1ff37b05b6405307 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 1 Apr 2024 11:24:17 -0700
+Subject: Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 9bf4e919ccad613b3596eebf1ff37b05b6405307 upstream.
+
+After an innocuous optimization change in LLVM main (19.0.0), x86_64
+allmodconfig (which enables CONFIG_KCSAN / -fsanitize=thread) fails to
+build due to the checks in check_copy_size():
+
+ In file included from net/bluetooth/sco.c:27:
+ In file included from include/linux/module.h:13:
+ In file included from include/linux/stat.h:19:
+ In file included from include/linux/time.h:60:
+ In file included from include/linux/time32.h:13:
+ In file included from include/linux/timex.h:67:
+ In file included from arch/x86/include/asm/timex.h:6:
+ In file included from arch/x86/include/asm/tsc.h:10:
+ In file included from arch/x86/include/asm/msr.h:15:
+ In file included from include/linux/percpu.h:7:
+ In file included from include/linux/smp.h:118:
+ include/linux/thread_info.h:244:4: error: call to '__bad_copy_from'
+ declared with 'error' attribute: copy source size is too small
+ 244 | __bad_copy_from();
+ | ^
+
+The same exact error occurs in l2cap_sock.c. The copy_to_user()
+statements that are failing come from l2cap_sock_getsockopt_old() and
+sco_sock_getsockopt_old(). This does not occur with GCC with or without
+KCSAN or Clang without KCSAN enabled.
+
+len is defined as an 'int' because it is assigned from
+'__user int *optlen'. However, it is clamped against the result of
+sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit
+platforms). This is done with min_t() because min() requires compatible
+types, which results in both len and the result of sizeof() being casted
+to 'unsigned int', meaning len changes signs and the result of sizeof()
+is truncated. From there, len is passed to copy_to_user(), which has a
+third parameter type of 'unsigned long', so it is widened and changes
+signs again. This excessive casting in combination with the KCSAN
+instrumentation causes LLVM to fail to eliminate the __bad_copy_from()
+call, failing the build.
+
+The official recommendation from LLVM developers is to consistently use
+long types for all size variables to avoid the unnecessary casting in
+the first place. Change the type of len to size_t in both
+l2cap_sock_getsockopt_old() and sco_sock_getsockopt_old(). This clears
+up the error while allowing min_t() to be replaced with min(), resulting
+in simpler code with no casts and fewer implicit conversions. While len
+is a different type than optlen now, it should result in no functional
+change because the result of sizeof() will clamp all values of optlen in
+the same manner as before.
+
+Cc: stable@vger.kernel.org
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2007
+Link: https://github.com/llvm/llvm-project/issues/85647
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Justin Stitt <justinstitt@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 7 ++++---
+ net/bluetooth/sco.c | 7 ++++---
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -456,7 +456,8 @@ static int l2cap_sock_getsockopt_old(str
+ struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+ struct l2cap_options opts;
+ struct l2cap_conninfo cinfo;
+- int len, err = 0;
++ int err = 0;
++ size_t len;
+ u32 opt;
+
+ BT_DBG("sk %p", sk);
+@@ -503,7 +504,7 @@ static int l2cap_sock_getsockopt_old(str
+
+ BT_DBG("mode 0x%2.2x", chan->mode);
+
+- len = min_t(unsigned int, len, sizeof(opts));
++ len = min(len, sizeof(opts));
+ if (copy_to_user(optval, (char *) &opts, len))
+ err = -EFAULT;
+
+@@ -553,7 +554,7 @@ static int l2cap_sock_getsockopt_old(str
+ cinfo.hci_handle = chan->conn->hcon->handle;
+ memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
+
+- len = min_t(unsigned int, len, sizeof(cinfo));
++ len = min(len, sizeof(cinfo));
+ if (copy_to_user(optval, (char *) &cinfo, len))
+ err = -EFAULT;
+
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -901,7 +901,8 @@ static int sco_sock_getsockopt_old(struc
+ struct sock *sk = sock->sk;
+ struct sco_options opts;
+ struct sco_conninfo cinfo;
+- int len, err = 0;
++ int err = 0;
++ size_t len;
+
+ BT_DBG("sk %p", sk);
+
+@@ -923,7 +924,7 @@ static int sco_sock_getsockopt_old(struc
+
+ BT_DBG("mtu %d", opts.mtu);
+
+- len = min_t(unsigned int, len, sizeof(opts));
++ len = min(len, sizeof(opts));
+ if (copy_to_user(optval, (char *)&opts, len))
+ err = -EFAULT;
+
+@@ -941,7 +942,7 @@ static int sco_sock_getsockopt_old(struc
+ cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
+
+- len = min_t(unsigned int, len, sizeof(cinfo));
++ len = min(len, sizeof(cinfo));
+ if (copy_to_user(optval, (char *)&cinfo, len))
+ err = -EFAULT;
+
diff --git a/queue-5.10/btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch b/queue-5.10/btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch
new file mode 100644
index 0000000000..69a84f3d38
--- /dev/null
+++ b/queue-5.10/btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch
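Review bot: In l2cap_sock_getsockopt_old() and sco_sock_getsockopt_old(), `size_t len;` is now wider than the `int` the commit message says it is loaded from, and nothing at the declaration records why. A negative user-supplied optlen would presumably convert to a very large size_t, so the `min(len, sizeof(opts))` and `min(len, sizeof(cinfo))` clamps are the only thing bounding the copy_to_user() length. I would add a comment at both declarations, e.g. `/* size_t on purpose: must be clamped with min() against sizeof() before every copy_to_user() */`, so that an option added to the switch later does not copy with an unclamped len. The get_user() that fills len and the remaining cases of both functions are outside the hunks, so whether every path clamps cannot be confirmed from here.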
@@ -0,0 +1,95 @@
+From 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Date: Wed, 17 Apr 2024 10:45:47 +0200
+Subject: btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+commit 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf upstream.
+
+Syzbot reported the following information leak for in
+btrfs_ioctl_logical_to_ino():
+
+ BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+ BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40
+ instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+ _copy_to_user+0xbc/0x110 lib/usercopy.c:40
+ copy_to_user include/linux/uaccess.h:191 [inline]
+ btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499
+ btrfs_ioctl+0x714/0x1260
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:904 [inline]
+ __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
+ __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
+ x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ Uninit was created at:
+ __kmalloc_large_node+0x231/0x370 mm/slub.c:3921
+ __do_kmalloc_node mm/slub.c:3954 [inline]
+ __kmalloc_node+0xb07/0x1060 mm/slub.c:3973
+ kmalloc_node include/linux/slab.h:648 [inline]
+ kvmalloc_node+0xc0/0x2d0 mm/util.c:634
+ kvmalloc include/linux/slab.h:766 [inline]
+ init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779
+ btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480
+ btrfs_ioctl+0x714/0x1260
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:904 [inline]
+ __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
+ __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
+ x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ Bytes 40-65535 of 65536 are uninitialized
+ Memory access of size 65536 starts at ffff888045a40000
+
+This happens, because we're copying a 'struct btrfs_data_container' back
+to user-space. This btrfs_data_container is allocated in
+'init_data_container()' via kvmalloc(), which does not zero-fill the
+memory.
+
+Fix this by using kvzalloc() which zeroes out the memory on allocation.
+
+CC: stable@vger.kernel.org # 4.14+
+Reported-by: <syzbot+510a1abbb8116eeb341d@syzkaller.appspotmail.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Johannes Thumshirn <Johannes.thumshirn@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/backref.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -2315,20 +2315,14 @@ struct btrfs_data_container *init_data_c
+ size_t alloc_bytes;
+
+ alloc_bytes = max_t(size_t, total_bytes, sizeof(*data));
+- data = kvmalloc(alloc_bytes, GFP_KERNEL);
++ data = kvzalloc(alloc_bytes, GFP_KERNEL);
+ if (!data)
+ return ERR_PTR(-ENOMEM);
+
+- if (total_bytes >= sizeof(*data)) {
++ if (total_bytes >= sizeof(*data))
+ data->bytes_left = total_bytes - sizeof(*data);
+- data->bytes_missing = 0;
+- } else {
++ else
+ data->bytes_missing = sizeof(*data) - total_bytes;
+- data->bytes_left = 0;
+- }
+-
+- data->elem_cnt = 0;
+- data->elem_missed = 0;
+
+ return data;
+ }
diff --git a/queue-5.10/cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch b/queue-5.10/cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch
new file mode 100644
index 0000000000..4afefac2b2
--- /dev/null
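Review bot: In init_data_container() (fs/btrfs/backref.c) the explicit `= 0` stores for bytes_left, bytes_missing, elem_cnt and elem_missed are removed, so both the header fields and the value area now depend entirely on `kvzalloc()`, and the code does not say so. The KMSAN report in the log shows the whole allocation being copied to user space, which makes the zeroing a security property rather than a convenience. A comment above the allocation, e.g. `/* Must be zeroed: the entire container is copied to user space by the ioctl */`, would keep a later switch back to kvmalloc() from reintroducing the disclosure. The function's signature and opening lines are outside the hunk.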
+++ b/queue-5.10/cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch 
@@ -0,0 +1,108 @@
+From fe42754b94a42d08cf9501790afc25c4f6a5f631 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 19 Apr 2024 17:05:54 -0700
+Subject: cpu: Re-enable CPU mitigations by default for !X86 architectures
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit fe42754b94a42d08cf9501790afc25c4f6a5f631 upstream.
+
+Rename x86's to CPU_MITIGATIONS, define it in generic code, and force it
+on for all architectures exception x86. A recent commit to turn
+mitigations off by default if SPECULATION_MITIGATIONS=n kinda sorta
+missed that "cpu_mitigations" is completely generic, whereas
+SPECULATION_MITIGATIONS is x86-specific.
+
+Rename x86's SPECULATIVE_MITIGATIONS instead of keeping both and have it
+select CPU_MITIGATIONS, as having two configs for the same thing is
+unnecessary and confusing. This will also allow x86 to use the knob to
+manage mitigations that aren't strictly related to speculative
+execution.
+
+Use another Kconfig to communicate to common code that CPU_MITIGATIONS
+is already defined instead of having x86's menu depend on the common
+CPU_MITIGATIONS. This allows keeping a single point of contact for all
+of x86's mitigations, and it's not clear that other architectures *want*
+to allow disabling mitigations at compile-time.
+
+Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n")
+Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Reported-by: Michael Ellerman <mpe@ellerman.id.au>
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240420000556.2645001-2-seanjc@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/Kconfig | 8 ++++++++
+ arch/x86/Kconfig | 11 ++++++-----
+ kernel/cpu.c | 4 ++--
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -9,6 +9,14 @@
+ #
+ source "arch/$(SRCARCH)/Kconfig"
+
++config ARCH_CONFIGURES_CPU_MITIGATIONS
++ bool
++
++if !ARCH_CONFIGURES_CPU_MITIGATIONS
++config CPU_MITIGATIONS
++ def_bool y
++endif
++
+ menu "General architecture-dependent options"
+
+ config CRASH_CORE
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -57,6 +57,7 @@ config X86
+ select ACPI_LEGACY_TABLES_LOOKUP if ACPI
+ select ACPI_SYSTEM_POWER_STATES_SUPPORT if ACPI
+ select ARCH_32BIT_OFF_T if X86_32
++ select ARCH_CONFIGURES_CPU_MITIGATIONS
+ select ARCH_CLOCKSOURCE_INIT
+ select ARCH_HAS_ACPI_TABLE_UPGRADE if ACPI
+ select ARCH_HAS_CPU_FINALIZE_INIT
+@@ -2408,17 +2409,17 @@ config CC_HAS_SLS
+ config CC_HAS_RETURN_THUNK
+ def_bool $(cc-option,-mfunction-return=thunk-extern)
+
+-menuconfig SPECULATION_MITIGATIONS
+- bool "Mitigations for speculative execution vulnerabilities"
++menuconfig CPU_MITIGATIONS
++ bool "Mitigations for CPU vulnerabilities"
+ default y
+ help
+- Say Y here to enable options which enable mitigations for
+- speculative execution hardware vulnerabilities.
++ Say Y here to enable options which enable mitigations for hardware
++ vulnerabilities (usually related to speculative execution).
+
+ If you say N, all mitigations will be disabled. You really
+ should know what you are doing to say so.
+
+-if SPECULATION_MITIGATIONS
++if CPU_MITIGATIONS
+
+ config PAGE_TABLE_ISOLATION
+ bool "Remove the kernel mapping in user mode"
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -2600,8 +2600,8 @@ enum cpu_mitigations {
+ };
+
+ static enum cpu_mitigations cpu_mitigations __ro_after_init =
+- IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
+- CPU_MITIGATIONS_OFF;
++ IS_ENABLED(CONFIG_CPU_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
++ CPU_MITIGATIONS_OFF;
+
+ static int __init mitigations_parse_cmdline(char *arg)
+ {
diff --git a/queue-5.10/series b/queue-5.10/series
index 38a8ac5e7c..62a0db9960 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -111,3 +111,7 @@ net-mlx5e-fix-a-race-in-command-alloc-flow.patch
 tracing-show-size-of-requested-perf-buffer.patch
 tracing-increase-perf_max_trace_size-to-handle-sentinel1-and-docker-together.patch
 pm-devfreq-fix-buffer-overflow-in-trans_stat_show.patch
+bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch
+bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch
+btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch
+cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch |
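Review bot: In kernel/cpu.c the compile-time default becomes CPU_MITIGATIONS_OFF when CONFIG_CPU_MITIGATIONS is not set, yet mitigations_parse_cmdline(), which begins right after the hunk, is left untouched. If that parser still accepts `mitigations=auto` on such a build, the variable would report mitigations as enabled while the x86 options under `if CPU_MITIGATIONS` are compiled out; the parser body is not visible here, so this needs checking in the 5.10 tree. It is also worth confirming that no reference to CONFIG_SPECULATION_MITIGATIONS remains outside the three files touched, because `IS_ENABLED()` on a symbol that no longer exists evaluates to 0 without a build warning. A short comment above the initializer, e.g. `/* Compile-time default; CPU_MITIGATIONS is forced on for every arch except x86 */`, would record the intent.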