diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 10:15:47 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 10:18:11 +0000 |
commit | be73b1d84399bcab2ddf56a346b2430ac94b26b0 (patch) | |
tree | 1a71a0dccb4cf23b5633ddc6c770edc36542c106 /debian/patches/bugfix/all | |
parent | Merging upstream version 6.1.85. (diff) | |
download | linux-be73b1d84399bcab2ddf56a346b2430ac94b26b0.tar.xz linux-be73b1d84399bcab2ddf56a346b2430ac94b26b0.zip |
Merging debian version 6.1.85-1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/bugfix/all')
11 files changed, 513 insertions, 356 deletions
diff --git a/debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch b/debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch deleted file mode 100644 index 258ab6ea4..000000000 --- a/debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch +++ /dev/null @@ -1,57 +0,0 @@ -From: Yuxuan Hu <20373622@buaa.edu.cn> -Date: Wed, 3 Jan 2024 17:10:43 +0800 -Subject: Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=567c0411dc3b424fc7bd1e6109726d7ba32d4f73 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-22099 - -[ Upstream commit 2535b848fa0f42ddff3e5255cf5e742c9b77bb26 ] - -During our fuzz testing of the connection and disconnection process at the -RFCOMM layer, we discovered this bug. By comparing the packets from a -normal connection and disconnection process with the testcase that -triggered a KASAN report. We analyzed the cause of this bug as follows: - -1. In the packets captured during a normal connection, the host sends a -`Read Encryption Key Size` type of `HCI_CMD` packet -(Command Opcode: 0x1408) to the controller to inquire the length of -encryption key.After receiving this packet, the controller immediately -replies with a Command Completepacket (Event Code: 0x0e) to return the -Encryption Key Size. - -2. In our fuzz test case, the timing of the controller's response to this -packet was delayed to an unexpected point: after the RFCOMM and L2CAP -layers had disconnected but before the HCI layer had disconnected. - -3. After receiving the Encryption Key Size Response at the time described -in point 2, the host still called the rfcomm_check_security function. -However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;` -had already been released, and when the function executed -`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`, -specifically when accessing `conn->hcon`, a null-ptr-deref error occurred. - -To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling -rfcomm_recv_frame in rfcomm_process_rx. - -Signed-off-by: Yuxuan Hu <20373622@buaa.edu.cn> -Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - net/bluetooth/rfcomm/core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c -index 8d6fce9005bd..4f54c7df3a94 100644 ---- a/net/bluetooth/rfcomm/core.c -+++ b/net/bluetooth/rfcomm/core.c -@@ -1937,7 +1937,7 @@ static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s) - /* Get data directly from socket receive queue without copying it. */ - while ((skb = skb_dequeue(&sk->sk_receive_queue))) { - skb_orphan(skb); -- if (!skb_linearize(skb)) { -+ if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) { - s = rfcomm_recv_frame(s, skb); - if (!s) - break; --- -2.43.0 - diff --git a/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch b/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch new file mode 100644 index 000000000..5e77d7985 --- /dev/null +++ b/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch @@ -0,0 +1,198 @@ +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Thu, 11 Apr 2024 09:26:49 +0200 +Subject: Revert "scsi: core: Add struct for args to execution functions" +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=d1e620297a84caac1cd67615f4f4f6901527ca2b + +This reverts commit cf33e6ca12d814e1be2263cb76960d0019d7fb94 which is +commit d0949565811f0896c1c7e781ab2ad99d34273fdf upstream. + +It is known to cause problems and has asked to be dropped. + +Link: https://lore.kernel.org/r/yq1frvvpymp.fsf@ca-mkp.ca.oracle.com +Cc: Tasos Sahanidis <tasos@tasossah.com> +Cc: Ewan D. Milne <emilne@redhat.com> +Cc: Bart Van Assche <bvanassche@acm.org> +Cc: Tasos Sahanidis <tasos@tasossah.com> +Cc: Martin K. Petersen <martin.petersen@oracle.com> +Cc: James Bottomley <jejb@linux.ibm.com> +Cc: Sasha Levin <sashal@kernel.org> +Reported-by: John David Anglin <dave.anglin@bell.net> +Reported-by: Cyril Brulebois <kibi@debian.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/scsi/scsi_lib.c | 52 ++++++++++++++++++++------------------ + include/scsi/scsi_device.h | 51 ++++++++++--------------------------- + 2 files changed, 41 insertions(+), 62 deletions(-) + +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index edd296f950a3..5c5954b78585 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -185,37 +185,39 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason) + __scsi_queue_insert(cmd, reason, true); + } + ++ + /** +- * scsi_execute_cmd - insert request and wait for the result +- * @sdev: scsi_device ++ * __scsi_execute - insert request and wait for the result ++ * @sdev: scsi device + * @cmd: scsi command +- * @opf: block layer request cmd_flags ++ * @data_direction: data direction + * @buffer: data buffer + * @bufflen: len of buffer ++ * @sense: optional sense buffer ++ * @sshdr: optional decoded sense header + * @timeout: request timeout in HZ + * @retries: number of times to retry request +- * @args: Optional args. See struct definition for field descriptions ++ * @flags: flags for ->cmd_flags ++ * @rq_flags: flags for ->rq_flags ++ * @resid: optional residual length + * + * Returns the scsi_cmnd result field if a command was executed, or a negative + * Linux error code if we didn't get that far. + */ +-int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, +- blk_opf_t opf, void *buffer, unsigned int bufflen, +- int timeout, int retries, +- const struct scsi_exec_args *args) ++int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, ++ int data_direction, void *buffer, unsigned bufflen, ++ unsigned char *sense, struct scsi_sense_hdr *sshdr, ++ int timeout, int retries, blk_opf_t flags, ++ req_flags_t rq_flags, int *resid) + { +- static const struct scsi_exec_args default_args; + struct request *req; + struct scsi_cmnd *scmd; + int ret; + +- if (!args) +- args = &default_args; +- else if (WARN_ON_ONCE(args->sense && +- args->sense_len != SCSI_SENSE_BUFFERSIZE)) +- return -EINVAL; +- +- req = scsi_alloc_request(sdev->request_queue, opf, args->req_flags); ++ req = scsi_alloc_request(sdev->request_queue, ++ data_direction == DMA_TO_DEVICE ? ++ REQ_OP_DRV_OUT : REQ_OP_DRV_IN, ++ rq_flags & RQF_PM ? BLK_MQ_REQ_PM : 0); + if (IS_ERR(req)) + return PTR_ERR(req); + +@@ -230,7 +232,8 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, + memcpy(scmd->cmnd, cmd, scmd->cmd_len); + scmd->allowed = retries; + req->timeout = timeout; +- req->rq_flags |= RQF_QUIET; ++ req->cmd_flags |= flags; ++ req->rq_flags |= rq_flags | RQF_QUIET; + + /* + * head injection *required* here otherwise quiesce won't work +@@ -246,21 +249,20 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, + if (unlikely(scmd->resid_len > 0 && scmd->resid_len <= bufflen)) + memset(buffer + bufflen - scmd->resid_len, 0, scmd->resid_len); + +- if (args->resid) +- *args->resid = scmd->resid_len; +- if (args->sense) +- memcpy(args->sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE); +- if (args->sshdr) ++ if (resid) ++ *resid = scmd->resid_len; ++ if (sense && scmd->sense_len) ++ memcpy(sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE); ++ if (sshdr) + scsi_normalize_sense(scmd->sense_buffer, scmd->sense_len, +- args->sshdr); +- ++ sshdr); + ret = scmd->result; + out: + blk_mq_free_request(req); + + return ret; + } +-EXPORT_SYMBOL(scsi_execute_cmd); ++EXPORT_SYMBOL(__scsi_execute); + + /* + * Wake up the error handler if necessary. Avoid as follows that the error +diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h +index b407807cc669..d2751ed536df 100644 +--- a/include/scsi/scsi_device.h ++++ b/include/scsi/scsi_device.h +@@ -479,51 +479,28 @@ extern const char *scsi_device_state_name(enum scsi_device_state); + extern int scsi_is_sdev_device(const struct device *); + extern int scsi_is_target_device(const struct device *); + extern void scsi_sanitize_inquiry_string(unsigned char *s, int len); +- +-/* Optional arguments to scsi_execute_cmd */ +-struct scsi_exec_args { +- unsigned char *sense; /* sense buffer */ +- unsigned int sense_len; /* sense buffer len */ +- struct scsi_sense_hdr *sshdr; /* decoded sense header */ +- blk_mq_req_flags_t req_flags; /* BLK_MQ_REQ flags */ +- int *resid; /* residual length */ +-}; +- +-int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, +- blk_opf_t opf, void *buffer, unsigned int bufflen, +- int timeout, int retries, +- const struct scsi_exec_args *args); +- ++extern int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, ++ int data_direction, void *buffer, unsigned bufflen, ++ unsigned char *sense, struct scsi_sense_hdr *sshdr, ++ int timeout, int retries, blk_opf_t flags, ++ req_flags_t rq_flags, int *resid); + /* Make sure any sense buffer is the correct size. */ +-#define scsi_execute(_sdev, _cmd, _data_dir, _buffer, _bufflen, _sense, \ +- _sshdr, _timeout, _retries, _flags, _rq_flags, \ +- _resid) \ ++#define scsi_execute(sdev, cmd, data_direction, buffer, bufflen, sense, \ ++ sshdr, timeout, retries, flags, rq_flags, resid) \ + ({ \ +- scsi_execute_cmd(_sdev, _cmd, (_data_dir == DMA_TO_DEVICE ? \ +- REQ_OP_DRV_OUT : REQ_OP_DRV_IN) | _flags, \ +- _buffer, _bufflen, _timeout, _retries, \ +- &(struct scsi_exec_args) { \ +- .sense = _sense, \ +- .sshdr = _sshdr, \ +- .req_flags = _rq_flags & RQF_PM ? \ +- BLK_MQ_REQ_PM : 0, \ +- .resid = _resid, \ +- }); \ ++ BUILD_BUG_ON((sense) != NULL && \ ++ sizeof(sense) != SCSI_SENSE_BUFFERSIZE); \ ++ __scsi_execute(sdev, cmd, data_direction, buffer, bufflen, \ ++ sense, sshdr, timeout, retries, flags, rq_flags, \ ++ resid); \ + }) +- + static inline int scsi_execute_req(struct scsi_device *sdev, + const unsigned char *cmd, int data_direction, void *buffer, + unsigned bufflen, struct scsi_sense_hdr *sshdr, int timeout, + int retries, int *resid) + { +- return scsi_execute_cmd(sdev, cmd, +- data_direction == DMA_TO_DEVICE ? +- REQ_OP_DRV_OUT : REQ_OP_DRV_IN, buffer, +- bufflen, timeout, retries, +- &(struct scsi_exec_args) { +- .sshdr = sshdr, +- .resid = resid, +- }); ++ return scsi_execute(sdev, cmd, data_direction, buffer, ++ bufflen, NULL, sshdr, timeout, retries, 0, 0, resid); + } + extern void sdev_disable_disk_events(struct scsi_device *sdev); + extern void sdev_enable_disk_events(struct scsi_device *sdev); +-- +2.43.0 + diff --git a/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch b/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch new file mode 100644 index 000000000..2b03fad36 --- /dev/null +++ b/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch @@ -0,0 +1,125 @@ +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Thu, 11 Apr 2024 09:24:48 +0200 +Subject: Revert "scsi: sd: usb_storage: uas: Access media prior to querying + device properties" +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=fc7309d7c76e446d7804fcc075da53694cecd755 +Bug-Debian: https://bugs.debian.org/1068675 + +This reverts commit b73dd5f9997279715cd450ee8ca599aaff2eabb9 which is +commit 321da3dc1f3c92a12e3c5da934090d2992a8814c upstream. + +It is known to cause problems and has asked to be dropped. + +Link: https://lore.kernel.org/r/yq1frvvpymp.fsf@ca-mkp.ca.oracle.com +Cc: Tasos Sahanidis <tasos@tasossah.com> +Cc: Ewan D. Milne <emilne@redhat.com> +Cc: Bart Van Assche <bvanassche@acm.org> +Cc: Tasos Sahanidis <tasos@tasossah.com> +Cc: Martin K. Petersen <martin.petersen@oracle.com> +Cc: James Bottomley <jejb@linux.ibm.com> +Cc: Sasha Levin <sashal@kernel.org> +Reported-by: John David Anglin <dave.anglin@bell.net> +Reported-by: Cyril Brulebois <kibi@debian.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/scsi/sd.c | 26 +------------------------- + drivers/usb/storage/scsiglue.c | 7 ------- + drivers/usb/storage/uas.c | 7 ------- + include/scsi/scsi_device.h | 1 - + 4 files changed, 1 insertion(+), 40 deletions(-) + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index f32236c3f81c..ad619f7c7418 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -3286,24 +3286,6 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp, + return true; + } + +-static void sd_read_block_zero(struct scsi_disk *sdkp) +-{ +- unsigned int buf_len = sdkp->device->sector_size; +- char *buffer, cmd[10] = { }; +- +- buffer = kmalloc(buf_len, GFP_KERNEL); +- if (!buffer) +- return; +- +- cmd[0] = READ_10; +- put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */ +- put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */ +- +- scsi_execute_cmd(sdkp->device, cmd, REQ_OP_DRV_IN, buffer, buf_len, +- SD_TIMEOUT, sdkp->max_retries, NULL); +- kfree(buffer); +-} +- + /** + * sd_revalidate_disk - called the first time a new disk is seen, + * performs disk spin up, read_capacity, etc. +@@ -3343,13 +3325,7 @@ static int sd_revalidate_disk(struct gendisk *disk) + */ + if (sdkp->media_present) { + sd_read_capacity(sdkp, buffer); +- /* +- * Some USB/UAS devices return generic values for mode pages +- * until the media has been accessed. Trigger a READ operation +- * to force the device to populate mode pages. +- */ +- if (sdp->read_before_ms) +- sd_read_block_zero(sdkp); ++ + /* + * set the default to rotational. All non-rotational devices + * support the block characteristics VPD page, which will +diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c +index 12cf9940e5b6..c54e9805da53 100644 +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -179,13 +179,6 @@ static int slave_configure(struct scsi_device *sdev) + */ + sdev->use_192_bytes_for_3f = 1; + +- /* +- * Some devices report generic values until the media has been +- * accessed. Force a READ(10) prior to querying device +- * characteristics. +- */ +- sdev->read_before_ms = 1; +- + /* + * Some devices don't like MODE SENSE with page=0x3f, + * which is the command used for checking if a device +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index af619efe8eab..ee5621bdb11e 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -876,13 +876,6 @@ static int uas_slave_configure(struct scsi_device *sdev) + if (devinfo->flags & US_FL_CAPACITY_HEURISTICS) + sdev->guess_capacity = 1; + +- /* +- * Some devices report generic values until the media has been +- * accessed. Force a READ(10) prior to querying device +- * characteristics. +- */ +- sdev->read_before_ms = 1; +- + /* + * Some devices don't like MODE SENSE with page=0x3f, + * which is the command used for checking if a device +diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h +index a64713fe5264..b407807cc669 100644 +--- a/include/scsi/scsi_device.h ++++ b/include/scsi/scsi_device.h +@@ -204,7 +204,6 @@ struct scsi_device { + unsigned use_10_for_rw:1; /* first try 10-byte read / write */ + unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */ + unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */ +- unsigned read_before_ms:1; /* perform a READ before MODE SENSE */ + unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */ + unsigned no_write_same:1; /* no WRITE SAME command */ + unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */ +-- +2.43.0 + diff --git a/debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch b/debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch deleted file mode 100644 index f5cc88309..000000000 --- a/debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch +++ /dev/null @@ -1,87 +0,0 @@ -From: Chun-Yi Lee <jlee@suse.com> -Date: Tue, 5 Mar 2024 16:20:48 +0800 -Subject: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=74ca3ef68d2f449bc848c0a814cefc487bf755fa -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-6270 - -[ Upstream commit f98364e926626c678fb4b9004b75cacf92ff0662 ] - -This patch is against CVE-2023-6270. The description of cve is: - - A flaw was found in the ATA over Ethernet (AoE) driver in the Linux - kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on - `struct net_device`, and a use-after-free can be triggered by racing - between the free on the struct and the access through the `skbtxq` - global queue. This could lead to a denial of service condition or - potential code execution. - -In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial -code is finished. But the net_device ifp will still be used in -later tx()->dev_queue_xmit() in kthread. Which means that the -dev_put(ifp) should NOT be called in the success path of skb -initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into -use-after-free because the net_device is freed. - -This patch removed the dev_put(ifp) in the success path in -aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx(). - -Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270 -Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)") -Signed-off-by: Chun-Yi Lee <jlee@suse.com> -Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com -Signed-off-by: Jens Axboe <axboe@kernel.dk> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - drivers/block/aoe/aoecmd.c | 12 ++++++------ - drivers/block/aoe/aoenet.c | 1 + - 2 files changed, 7 insertions(+), 6 deletions(-) - -diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c -index d7317425be51..cc9077b588d7 100644 ---- a/drivers/block/aoe/aoecmd.c -+++ b/drivers/block/aoe/aoecmd.c -@@ -419,13 +419,16 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu - rcu_read_lock(); - for_each_netdev_rcu(&init_net, ifp) { - dev_hold(ifp); -- if (!is_aoe_netif(ifp)) -- goto cont; -+ if (!is_aoe_netif(ifp)) { -+ dev_put(ifp); -+ continue; -+ } - - skb = new_skb(sizeof *h + sizeof *ch); - if (skb == NULL) { - printk(KERN_INFO "aoe: skb alloc failure\n"); -- goto cont; -+ dev_put(ifp); -+ continue; - } - skb_put(skb, sizeof *h + sizeof *ch); - skb->dev = ifp; -@@ -440,9 +443,6 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu - h->major = cpu_to_be16(aoemajor); - h->minor = aoeminor; - h->cmd = AOECMD_CFG; -- --cont: -- dev_put(ifp); - } - rcu_read_unlock(); - } -diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c -index 63773a90581d..1e66c7a188a1 100644 ---- a/drivers/block/aoe/aoenet.c -+++ b/drivers/block/aoe/aoenet.c -@@ -64,6 +64,7 @@ tx(int id) __must_hold(&txlock) - pr_warn("aoe: packet could not be sent on %s. %s\n", - ifp ? ifp->name : "netif", - "consider increasing tx_queue_len"); -+ dev_put(ifp); - spin_lock_irq(&txlock); - } - return 0; --- -2.43.0 - diff --git a/debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch b/debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch deleted file mode 100644 index 009af084b..000000000 --- a/debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Oleksandr Tymoshenko <ovt@google.com> -Date: Sat, 23 Mar 2024 06:33:33 +0000 -Subject: efi: fix panic in kdump kernel -Origin: https://git.kernel.org/linus/62b71cd73d41ddac6b1760402bbe8c4932e23531 - -Check if get_next_variable() is actually valid pointer before -calling it. In kdump kernel this method is set to NULL that causes -panic during the kexec-ed kernel boot. - -Tested with QEMU and OVMF firmware. - -Fixes: bad267f9e18f ("efi: verify that variable services are supported") -Signed-off-by: Oleksandr Tymoshenko <ovt@google.com> -Signed-off-by: Ard Biesheuvel <ardb@kernel.org> ---- - drivers/firmware/efi/efi.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c -index 8859fb0b006d..fdf07dd6f459 100644 ---- a/drivers/firmware/efi/efi.c -+++ b/drivers/firmware/efi/efi.c -@@ -203,6 +203,8 @@ static bool generic_ops_supported(void) - - name_size = sizeof(name); - -+ if (!efi.get_next_variable) -+ return false; - status = efi.get_next_variable(&name_size, &name, &guid); - if (status == EFI_UNSUPPORTED) - return false; --- -2.43.0 - diff --git a/debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch b/debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch deleted file mode 100644 index 402582b17..000000000 --- a/debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Ard Biesheuvel <ardb@kernel.org> -Date: Tue, 26 Mar 2024 11:15:25 +0100 -Subject: efi/libstub: Cast away type warning in use of max() -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git/commit?id=07263d8a5a2cea66a3f10d930fea60ce49c7dc3b - -Add a missing (u64) cast to alloc_min, which is passed into -efi_random_alloc() as unsigned long, while efi_physical_addr_t is u64. - -Fixes: 3cb4a4827596abc82e ("efi/libstub: fix efi_random_alloc() ...") -Signed-off-by: Ard Biesheuvel <ardb@kernel.org> ---- - drivers/firmware/efi/libstub/randomalloc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/firmware/efi/libstub/randomalloc.c b/drivers/firmware/efi/libstub/randomalloc.c -index 7e1852859550..fa81528150fe 100644 ---- a/drivers/firmware/efi/libstub/randomalloc.c -+++ b/drivers/firmware/efi/libstub/randomalloc.c -@@ -120,7 +120,7 @@ efi_status_t efi_random_alloc(unsigned long size, - continue; - } - -- target = round_up(max(md->phys_addr, alloc_min), align) + target_slot * align; -+ target = round_up(max(md->phys_addr, (u64)alloc_min), align) + target_slot * align; - pages = size / EFI_PAGE_SIZE; - - status = efi_bs_call(allocate_pages, EFI_ALLOCATE_ADDRESS, --- -2.43.0 - diff --git a/debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch b/debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch deleted file mode 100644 index d5590f5db..000000000 --- a/debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch +++ /dev/null @@ -1,68 +0,0 @@ -From: =?UTF-8?q?KONDO=20KAZUMA=28=E8=BF=91=E8=97=A4=E3=80=80=E5=92=8C?= - =?UTF-8?q?=E7=9C=9F=29?= <kazuma-kondo@nec.com> -Date: Fri, 22 Mar 2024 10:47:02 +0000 -Subject: efi/libstub: fix efi_random_alloc() to allocate memory at alloc_min - or higher address -Origin: https://git.kernel.org/linus/3cb4a4827596abc82e55b80364f509d0fefc3051 - -Following warning is sometimes observed while booting my servers: - [ 3.594838] DMA: preallocated 4096 KiB GFP_KERNEL pool for atomic allocations - [ 3.602918] swapper/0: page allocation failure: order:10, mode:0xcc1(GFP_KERNEL|GFP_DMA), nodemask=(null),cpuset=/,mems_allowed=0-1 - ... - [ 3.851862] DMA: preallocated 1024 KiB GFP_KERNEL|GFP_DMA pool for atomic allocation - -If 'nokaslr' boot option is set, the warning always happens. - -On x86, ZONE_DMA is small zone at the first 16MB of physical address -space. When this problem happens, most of that space seems to be used by -decompressed kernel. Thereby, there is not enough space at DMA_ZONE to -meet the request of DMA pool allocation. - -The commit 2f77465b05b1 ("x86/efistub: Avoid placing the kernel below -LOAD_PHYSICAL_ADDR") tried to fix this problem by introducing lower -bound of allocation. - -But the fix is not complete. - -efi_random_alloc() allocates pages by following steps. -1. Count total available slots ('total_slots') -2. Select a slot ('target_slot') to allocate randomly -3. Calculate a starting address ('target') to be included target_slot -4. Allocate pages, which starting address is 'target' - -In step 1, 'alloc_min' is used to offset the starting address of memory -chunk. But in step 3 'alloc_min' is not considered at all. As the -result, 'target' can be miscalculated and become lower than 'alloc_min'. - -When KASLR is disabled, 'target_slot' is always 0 and the problem -happens everytime if the EFI memory map of the system meets the -condition. - -Fix this problem by calculating 'target' considering 'alloc_min'. - -Cc: linux-efi@vger.kernel.org -Cc: Tom Englund <tomenglund26@gmail.com> -Cc: linux-kernel@vger.kernel.org -Fixes: 2f77465b05b1 ("x86/efistub: Avoid placing the kernel below LOAD_PHYSICAL_ADDR") -Signed-off-by: Kazuma Kondo <kazuma-kondo@nec.com> -Signed-off-by: Ard Biesheuvel <ardb@kernel.org> ---- - drivers/firmware/efi/libstub/randomalloc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/firmware/efi/libstub/randomalloc.c b/drivers/firmware/efi/libstub/randomalloc.c -index 4e96a855fdf4..7e1852859550 100644 ---- a/drivers/firmware/efi/libstub/randomalloc.c -+++ b/drivers/firmware/efi/libstub/randomalloc.c -@@ -120,7 +120,7 @@ efi_status_t efi_random_alloc(unsigned long size, - continue; - } - -- target = round_up(md->phys_addr, align) + target_slot * align; -+ target = round_up(max(md->phys_addr, alloc_min), align) + target_slot * align; - pages = size / EFI_PAGE_SIZE; - - status = efi_bs_call(allocate_pages, EFI_ALLOCATE_ADDRESS, --- -2.43.0 - diff --git a/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch b/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch new file mode 100644 index 000000000..c59abc9f8 --- /dev/null +++ b/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch @@ -0,0 +1,155 @@ +From: "Martin K. Petersen" <martin.petersen@oracle.com> +Date: Tue, 13 Feb 2024 09:33:06 -0500 +Subject: scsi: sd: usb_storage: uas: Access media prior to querying device + properties +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=46e587855c060a0fdcbb4349accb62b31e9ce70f + +[ Upstream commit 321da3dc1f3c92a12e3c5da934090d2992a8814c ] + +It has been observed that some USB/UAS devices return generic properties +hardcoded in firmware for mode pages for a period of time after a device +has been discovered. The reported properties are either garbage or they do +not accurately reflect the characteristics of the physical storage device +attached in the case of a bridge. + +Prior to commit 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to +avoid calling revalidate twice") we would call revalidate several +times during device discovery. As a result, incorrect values would +eventually get replaced with ones accurately describing the attached +storage. When we did away with the redundant revalidate pass, several +cases were reported where devices reported nonsensical values or would +end up in write-protected state. + +An initial attempt at addressing this issue involved introducing a +delayed second revalidate invocation. However, this approach still +left some devices reporting incorrect characteristics. + +Tasos Sahanidis debugged the problem further and identified that +introducing a READ operation prior to MODE SENSE fixed the problem and that +it wasn't a timing issue. Issuing a READ appears to cause the devices to +update their state to reflect the actual properties of the storage +media. Device properties like vendor, model, and storage capacity appear to +be correctly reported from the get-go. It is unclear why these devices +defer populating the remaining characteristics. + +Match the behavior of a well known commercial operating system and +trigger a READ operation prior to querying device characteristics to +force the device to populate the mode pages. + +The additional READ is triggered by a flag set in the USB storage and +UAS drivers. We avoid issuing the READ for other transport classes +since some storage devices identify Linux through our particular +discovery command sequence. + +Link: https://lore.kernel.org/r/20240213143306.2194237-1-martin.petersen@oracle.com +Fixes: 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to avoid calling revalidate twice") +Cc: stable@vger.kernel.org +Reported-by: Tasos Sahanidis <tasos@tasossah.com> +Reviewed-by: Ewan D. Milne <emilne@redhat.com> +Reviewed-by: Bart Van Assche <bvanassche@acm.org> +Tested-by: Tasos Sahanidis <tasos@tasossah.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/scsi/sd.c | 26 +++++++++++++++++++++++++- + drivers/usb/storage/scsiglue.c | 7 +++++++ + drivers/usb/storage/uas.c | 7 +++++++ + include/scsi/scsi_device.h | 1 + + 4 files changed, 40 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index ad619f7c7418..3ec9b324fdcf 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -3286,6 +3286,24 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp, + return true; + } + ++static void sd_read_block_zero(struct scsi_disk *sdkp) ++{ ++ unsigned int buf_len = sdkp->device->sector_size; ++ char *buffer, cmd[10] = { }; ++ ++ buffer = kmalloc(buf_len, GFP_KERNEL); ++ if (!buffer) ++ return; ++ ++ cmd[0] = READ_10; ++ put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */ ++ put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */ ++ ++ scsi_execute_req(sdkp->device, cmd, DMA_FROM_DEVICE, buffer, buf_len, ++ NULL, SD_TIMEOUT, sdkp->max_retries, NULL); ++ kfree(buffer); ++} ++ + /** + * sd_revalidate_disk - called the first time a new disk is seen, + * performs disk spin up, read_capacity, etc. +@@ -3325,7 +3343,13 @@ static int sd_revalidate_disk(struct gendisk *disk) + */ + if (sdkp->media_present) { + sd_read_capacity(sdkp, buffer); +- ++ /* ++ * Some USB/UAS devices return generic values for mode pages ++ * until the media has been accessed. Trigger a READ operation ++ * to force the device to populate mode pages. ++ */ ++ if (sdp->read_before_ms) ++ sd_read_block_zero(sdkp); + /* + * set the default to rotational. All non-rotational devices + * support the block characteristics VPD page, which will +diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c +index c54e9805da53..12cf9940e5b6 100644 +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -179,6 +179,13 @@ static int slave_configure(struct scsi_device *sdev) + */ + sdev->use_192_bytes_for_3f = 1; + ++ /* ++ * Some devices report generic values until the media has been ++ * accessed. Force a READ(10) prior to querying device ++ * characteristics. ++ */ ++ sdev->read_before_ms = 1; ++ + /* + * Some devices don't like MODE SENSE with page=0x3f, + * which is the command used for checking if a device +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index ee5621bdb11e..af619efe8eab 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -876,6 +876,13 @@ static int uas_slave_configure(struct scsi_device *sdev) + if (devinfo->flags & US_FL_CAPACITY_HEURISTICS) + sdev->guess_capacity = 1; + ++ /* ++ * Some devices report generic values until the media has been ++ * accessed. Force a READ(10) prior to querying device ++ * characteristics. ++ */ ++ sdev->read_before_ms = 1; ++ + /* + * Some devices don't like MODE SENSE with page=0x3f, + * which is the command used for checking if a device +diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h +index d2751ed536df..1504d3137cc6 100644 +--- a/include/scsi/scsi_device.h ++++ b/include/scsi/scsi_device.h +@@ -204,6 +204,7 @@ struct scsi_device { + unsigned use_10_for_rw:1; /* first try 10-byte read / write */ + unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */ + unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */ ++ unsigned read_before_ms:1; /* perform a READ before MODE SENSE */ + unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */ + unsigned no_write_same:1; /* no WRITE SAME command */ + unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */ +-- +2.43.0 + diff --git a/debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch b/debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch deleted file mode 100644 index ac7fb2e3e..000000000 --- a/debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Chen Ni <nichen@iscas.ac.cn> -Date: Tue, 5 Mar 2024 07:59:27 +0000 -Subject: sr9800: Add check for usbnet_get_endpoints -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=9c402819620a842cbfe39359a3ddfaac9adc8384 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-26651 - -[ Upstream commit 07161b2416f740a2cb87faa5566873f401440a61 ] - -Add check for usbnet_get_endpoints() and return the error if it fails -in order to transfer the error. - -Signed-off-by: Chen Ni <nichen@iscas.ac.cn> -Reviewed-by: Simon Horman <horms@kernel.org> -Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support") -Link: https://lore.kernel.org/r/20240305075927.261284-1-nichen@iscas.ac.cn -Signed-off-by: Jakub Kicinski <kuba@kernel.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - drivers/net/usb/sr9800.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c -index f5e19f3ef6cd..4de514482183 100644 ---- a/drivers/net/usb/sr9800.c -+++ b/drivers/net/usb/sr9800.c -@@ -737,7 +737,9 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf) - - data->eeprom_len = SR9800_EEPROM_LEN; - -- usbnet_get_endpoints(dev, intf); -+ ret = usbnet_get_endpoints(dev, intf); -+ if (ret) -+ goto out; - - /* LED Setting Rule : - * AABB:CCDD --- -2.43.0 - diff --git a/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch b/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch new file mode 100644 index 000000000..bfb6301cf --- /dev/null +++ b/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch @@ -0,0 +1,35 @@ +From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> +Date: Mon, 31 Jul 2023 15:59:42 -0300 +Subject: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc +Origin: https://git.kernel.org/linus/67c37756898a5a6b2941a13ae7260c89b54e0d88 +Bug-Debian: https://bugs.debian.org/1068770 + +Any unprivileged user can attach N_GSM0710 ldisc, but it requires +CAP_NET_ADMIN to create a GSM network anyway. + +Require initial namespace CAP_NET_ADMIN to do that. + +Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> +Link: https://lore.kernel.org/r/20230731185942.279611-1-cascardo@canonical.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/tty/n_gsm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 1cdefac4dd1b..c7a787f10a9c 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -3576,6 +3576,9 @@ static int gsmld_open(struct tty_struct *tty) + { + struct gsm_mux *gsm; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (tty->ops->write == NULL) + return -EINVAL; + +-- +2.43.0 + diff --git a/debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch b/debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch deleted file mode 100644 index 2747ec5b6..000000000 --- a/debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Xingyuan Mo <hdthky0@gmail.com> -Date: Sun, 17 Dec 2023 13:29:01 +0200 -Subject: wifi: ath10k: fix NULL pointer dereference in - ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=90f089d77e38db1c48629f111f3c8c336be1bc38 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-7042 - -[ Upstream commit ad25ee36f00172f7d53242dc77c69fff7ced0755 ] - -We should check whether the WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT tlv is -present before accessing it, otherwise a null pointer deference error will -occur. - -Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event") -Signed-off-by: Xingyuan Mo <hdthky0@gmail.com> -Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com> -Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> -Link: https://msgid.link/20231208043433.271449-1-hdthky0@gmail.com -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c -index 876410a47d1d..4d5009604eee 100644 ---- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c -+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c -@@ -844,6 +844,10 @@ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev(struct ath10k *ar, struct sk_buff *skb, - } - - ev = tb[WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT]; -+ if (!ev) { -+ kfree(tb); -+ return -EPROTO; -+ } - - arg->desc_id = ev->desc_id; - arg->status = ev->status; --- -2.43.0 - |