summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch198
-rw-r--r--debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch125
-rw-r--r--debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch155
-rw-r--r--debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch141
-rw-r--r--debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch38
-rw-r--r--debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch35
-rw-r--r--debian/patches/series6
7 files changed, 181 insertions, 517 deletions
diff --git a/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch b/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch
deleted file mode 100644
index 5e77d7985..000000000
--- a/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch
+++ /dev/null
@@ -1,198 +0,0 @@
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Thu, 11 Apr 2024 09:26:49 +0200
-Subject: Revert "scsi: core: Add struct for args to execution functions"
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=d1e620297a84caac1cd67615f4f4f6901527ca2b
-
-This reverts commit cf33e6ca12d814e1be2263cb76960d0019d7fb94 which is
-commit d0949565811f0896c1c7e781ab2ad99d34273fdf upstream.
-
-It is known to cause problems and has asked to be dropped.
-
-Link: https://lore.kernel.org/r/yq1frvvpymp.fsf@ca-mkp.ca.oracle.com
-Cc: Tasos Sahanidis <tasos@tasossah.com>
-Cc: Ewan D. Milne <emilne@redhat.com>
-Cc: Bart Van Assche <bvanassche@acm.org>
-Cc: Tasos Sahanidis <tasos@tasossah.com>
-Cc: Martin K. Petersen <martin.petersen@oracle.com>
-Cc: James Bottomley <jejb@linux.ibm.com>
-Cc: Sasha Levin <sashal@kernel.org>
-Reported-by: John David Anglin <dave.anglin@bell.net>
-Reported-by: Cyril Brulebois <kibi@debian.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/scsi_lib.c | 52 ++++++++++++++++++++------------------
- include/scsi/scsi_device.h | 51 ++++++++++---------------------------
- 2 files changed, 41 insertions(+), 62 deletions(-)
-
-diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index edd296f950a3..5c5954b78585 100644
---- a/drivers/scsi/scsi_lib.c
-+++ b/drivers/scsi/scsi_lib.c
-@@ -185,37 +185,39 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason)
- __scsi_queue_insert(cmd, reason, true);
- }
-
-+
- /**
-- * scsi_execute_cmd - insert request and wait for the result
-- * @sdev: scsi_device
-+ * __scsi_execute - insert request and wait for the result
-+ * @sdev: scsi device
- * @cmd: scsi command
-- * @opf: block layer request cmd_flags
-+ * @data_direction: data direction
- * @buffer: data buffer
- * @bufflen: len of buffer
-+ * @sense: optional sense buffer
-+ * @sshdr: optional decoded sense header
- * @timeout: request timeout in HZ
- * @retries: number of times to retry request
-- * @args: Optional args. See struct definition for field descriptions
-+ * @flags: flags for ->cmd_flags
-+ * @rq_flags: flags for ->rq_flags
-+ * @resid: optional residual length
- *
- * Returns the scsi_cmnd result field if a command was executed, or a negative
- * Linux error code if we didn't get that far.
- */
--int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
-- blk_opf_t opf, void *buffer, unsigned int bufflen,
-- int timeout, int retries,
-- const struct scsi_exec_args *args)
-+int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
-+ int data_direction, void *buffer, unsigned bufflen,
-+ unsigned char *sense, struct scsi_sense_hdr *sshdr,
-+ int timeout, int retries, blk_opf_t flags,
-+ req_flags_t rq_flags, int *resid)
- {
-- static const struct scsi_exec_args default_args;
- struct request *req;
- struct scsi_cmnd *scmd;
- int ret;
-
-- if (!args)
-- args = &default_args;
-- else if (WARN_ON_ONCE(args->sense &&
-- args->sense_len != SCSI_SENSE_BUFFERSIZE))
-- return -EINVAL;
--
-- req = scsi_alloc_request(sdev->request_queue, opf, args->req_flags);
-+ req = scsi_alloc_request(sdev->request_queue,
-+ data_direction == DMA_TO_DEVICE ?
-+ REQ_OP_DRV_OUT : REQ_OP_DRV_IN,
-+ rq_flags & RQF_PM ? BLK_MQ_REQ_PM : 0);
- if (IS_ERR(req))
- return PTR_ERR(req);
-
-@@ -230,7 +232,8 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
- memcpy(scmd->cmnd, cmd, scmd->cmd_len);
- scmd->allowed = retries;
- req->timeout = timeout;
-- req->rq_flags |= RQF_QUIET;
-+ req->cmd_flags |= flags;
-+ req->rq_flags |= rq_flags | RQF_QUIET;
-
- /*
- * head injection *required* here otherwise quiesce won't work
-@@ -246,21 +249,20 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
- if (unlikely(scmd->resid_len > 0 && scmd->resid_len <= bufflen))
- memset(buffer + bufflen - scmd->resid_len, 0, scmd->resid_len);
-
-- if (args->resid)
-- *args->resid = scmd->resid_len;
-- if (args->sense)
-- memcpy(args->sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE);
-- if (args->sshdr)
-+ if (resid)
-+ *resid = scmd->resid_len;
-+ if (sense && scmd->sense_len)
-+ memcpy(sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE);
-+ if (sshdr)
- scsi_normalize_sense(scmd->sense_buffer, scmd->sense_len,
-- args->sshdr);
--
-+ sshdr);
- ret = scmd->result;
- out:
- blk_mq_free_request(req);
-
- return ret;
- }
--EXPORT_SYMBOL(scsi_execute_cmd);
-+EXPORT_SYMBOL(__scsi_execute);
-
- /*
- * Wake up the error handler if necessary. Avoid as follows that the error
-diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
-index b407807cc669..d2751ed536df 100644
---- a/include/scsi/scsi_device.h
-+++ b/include/scsi/scsi_device.h
-@@ -479,51 +479,28 @@ extern const char *scsi_device_state_name(enum scsi_device_state);
- extern int scsi_is_sdev_device(const struct device *);
- extern int scsi_is_target_device(const struct device *);
- extern void scsi_sanitize_inquiry_string(unsigned char *s, int len);
--
--/* Optional arguments to scsi_execute_cmd */
--struct scsi_exec_args {
-- unsigned char *sense; /* sense buffer */
-- unsigned int sense_len; /* sense buffer len */
-- struct scsi_sense_hdr *sshdr; /* decoded sense header */
-- blk_mq_req_flags_t req_flags; /* BLK_MQ_REQ flags */
-- int *resid; /* residual length */
--};
--
--int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
-- blk_opf_t opf, void *buffer, unsigned int bufflen,
-- int timeout, int retries,
-- const struct scsi_exec_args *args);
--
-+extern int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
-+ int data_direction, void *buffer, unsigned bufflen,
-+ unsigned char *sense, struct scsi_sense_hdr *sshdr,
-+ int timeout, int retries, blk_opf_t flags,
-+ req_flags_t rq_flags, int *resid);
- /* Make sure any sense buffer is the correct size. */
--#define scsi_execute(_sdev, _cmd, _data_dir, _buffer, _bufflen, _sense, \
-- _sshdr, _timeout, _retries, _flags, _rq_flags, \
-- _resid) \
-+#define scsi_execute(sdev, cmd, data_direction, buffer, bufflen, sense, \
-+ sshdr, timeout, retries, flags, rq_flags, resid) \
- ({ \
-- scsi_execute_cmd(_sdev, _cmd, (_data_dir == DMA_TO_DEVICE ? \
-- REQ_OP_DRV_OUT : REQ_OP_DRV_IN) | _flags, \
-- _buffer, _bufflen, _timeout, _retries, \
-- &(struct scsi_exec_args) { \
-- .sense = _sense, \
-- .sshdr = _sshdr, \
-- .req_flags = _rq_flags & RQF_PM ? \
-- BLK_MQ_REQ_PM : 0, \
-- .resid = _resid, \
-- }); \
-+ BUILD_BUG_ON((sense) != NULL && \
-+ sizeof(sense) != SCSI_SENSE_BUFFERSIZE); \
-+ __scsi_execute(sdev, cmd, data_direction, buffer, bufflen, \
-+ sense, sshdr, timeout, retries, flags, rq_flags, \
-+ resid); \
- })
--
- static inline int scsi_execute_req(struct scsi_device *sdev,
- const unsigned char *cmd, int data_direction, void *buffer,
- unsigned bufflen, struct scsi_sense_hdr *sshdr, int timeout,
- int retries, int *resid)
- {
-- return scsi_execute_cmd(sdev, cmd,
-- data_direction == DMA_TO_DEVICE ?
-- REQ_OP_DRV_OUT : REQ_OP_DRV_IN, buffer,
-- bufflen, timeout, retries,
-- &(struct scsi_exec_args) {
-- .sshdr = sshdr,
-- .resid = resid,
-- });
-+ return scsi_execute(sdev, cmd, data_direction, buffer,
-+ bufflen, NULL, sshdr, timeout, retries, 0, 0, resid);
- }
- extern void sdev_disable_disk_events(struct scsi_device *sdev);
- extern void sdev_enable_disk_events(struct scsi_device *sdev);
---
-2.43.0
-
diff --git a/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch b/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch
deleted file mode 100644
index 2b03fad36..000000000
--- a/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Thu, 11 Apr 2024 09:24:48 +0200
-Subject: Revert "scsi: sd: usb_storage: uas: Access media prior to querying
- device properties"
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=fc7309d7c76e446d7804fcc075da53694cecd755
-Bug-Debian: https://bugs.debian.org/1068675
-
-This reverts commit b73dd5f9997279715cd450ee8ca599aaff2eabb9 which is
-commit 321da3dc1f3c92a12e3c5da934090d2992a8814c upstream.
-
-It is known to cause problems and has asked to be dropped.
-
-Link: https://lore.kernel.org/r/yq1frvvpymp.fsf@ca-mkp.ca.oracle.com
-Cc: Tasos Sahanidis <tasos@tasossah.com>
-Cc: Ewan D. Milne <emilne@redhat.com>
-Cc: Bart Van Assche <bvanassche@acm.org>
-Cc: Tasos Sahanidis <tasos@tasossah.com>
-Cc: Martin K. Petersen <martin.petersen@oracle.com>
-Cc: James Bottomley <jejb@linux.ibm.com>
-Cc: Sasha Levin <sashal@kernel.org>
-Reported-by: John David Anglin <dave.anglin@bell.net>
-Reported-by: Cyril Brulebois <kibi@debian.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/sd.c | 26 +-------------------------
- drivers/usb/storage/scsiglue.c | 7 -------
- drivers/usb/storage/uas.c | 7 -------
- include/scsi/scsi_device.h | 1 -
- 4 files changed, 1 insertion(+), 40 deletions(-)
-
-diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
-index f32236c3f81c..ad619f7c7418 100644
---- a/drivers/scsi/sd.c
-+++ b/drivers/scsi/sd.c
-@@ -3286,24 +3286,6 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp,
- return true;
- }
-
--static void sd_read_block_zero(struct scsi_disk *sdkp)
--{
-- unsigned int buf_len = sdkp->device->sector_size;
-- char *buffer, cmd[10] = { };
--
-- buffer = kmalloc(buf_len, GFP_KERNEL);
-- if (!buffer)
-- return;
--
-- cmd[0] = READ_10;
-- put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */
-- put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */
--
-- scsi_execute_cmd(sdkp->device, cmd, REQ_OP_DRV_IN, buffer, buf_len,
-- SD_TIMEOUT, sdkp->max_retries, NULL);
-- kfree(buffer);
--}
--
- /**
- * sd_revalidate_disk - called the first time a new disk is seen,
- * performs disk spin up, read_capacity, etc.
-@@ -3343,13 +3325,7 @@ static int sd_revalidate_disk(struct gendisk *disk)
- */
- if (sdkp->media_present) {
- sd_read_capacity(sdkp, buffer);
-- /*
-- * Some USB/UAS devices return generic values for mode pages
-- * until the media has been accessed. Trigger a READ operation
-- * to force the device to populate mode pages.
-- */
-- if (sdp->read_before_ms)
-- sd_read_block_zero(sdkp);
-+
- /*
- * set the default to rotational. All non-rotational devices
- * support the block characteristics VPD page, which will
-diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c
-index 12cf9940e5b6..c54e9805da53 100644
---- a/drivers/usb/storage/scsiglue.c
-+++ b/drivers/usb/storage/scsiglue.c
-@@ -179,13 +179,6 @@ static int slave_configure(struct scsi_device *sdev)
- */
- sdev->use_192_bytes_for_3f = 1;
-
-- /*
-- * Some devices report generic values until the media has been
-- * accessed. Force a READ(10) prior to querying device
-- * characteristics.
-- */
-- sdev->read_before_ms = 1;
--
- /*
- * Some devices don't like MODE SENSE with page=0x3f,
- * which is the command used for checking if a device
-diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
-index af619efe8eab..ee5621bdb11e 100644
---- a/drivers/usb/storage/uas.c
-+++ b/drivers/usb/storage/uas.c
-@@ -876,13 +876,6 @@ static int uas_slave_configure(struct scsi_device *sdev)
- if (devinfo->flags & US_FL_CAPACITY_HEURISTICS)
- sdev->guess_capacity = 1;
-
-- /*
-- * Some devices report generic values until the media has been
-- * accessed. Force a READ(10) prior to querying device
-- * characteristics.
-- */
-- sdev->read_before_ms = 1;
--
- /*
- * Some devices don't like MODE SENSE with page=0x3f,
- * which is the command used for checking if a device
-diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
-index a64713fe5264..b407807cc669 100644
---- a/include/scsi/scsi_device.h
-+++ b/include/scsi/scsi_device.h
-@@ -204,7 +204,6 @@ struct scsi_device {
- unsigned use_10_for_rw:1; /* first try 10-byte read / write */
- unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */
- unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */
-- unsigned read_before_ms:1; /* perform a READ before MODE SENSE */
- unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */
- unsigned no_write_same:1; /* no WRITE SAME command */
- unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */
---
-2.43.0
-
diff --git a/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch b/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch
deleted file mode 100644
index c59abc9f8..000000000
--- a/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From: "Martin K. Petersen" <martin.petersen@oracle.com>
-Date: Tue, 13 Feb 2024 09:33:06 -0500
-Subject: scsi: sd: usb_storage: uas: Access media prior to querying device
- properties
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=46e587855c060a0fdcbb4349accb62b31e9ce70f
-
-[ Upstream commit 321da3dc1f3c92a12e3c5da934090d2992a8814c ]
-
-It has been observed that some USB/UAS devices return generic properties
-hardcoded in firmware for mode pages for a period of time after a device
-has been discovered. The reported properties are either garbage or they do
-not accurately reflect the characteristics of the physical storage device
-attached in the case of a bridge.
-
-Prior to commit 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to
-avoid calling revalidate twice") we would call revalidate several
-times during device discovery. As a result, incorrect values would
-eventually get replaced with ones accurately describing the attached
-storage. When we did away with the redundant revalidate pass, several
-cases were reported where devices reported nonsensical values or would
-end up in write-protected state.
-
-An initial attempt at addressing this issue involved introducing a
-delayed second revalidate invocation. However, this approach still
-left some devices reporting incorrect characteristics.
-
-Tasos Sahanidis debugged the problem further and identified that
-introducing a READ operation prior to MODE SENSE fixed the problem and that
-it wasn't a timing issue. Issuing a READ appears to cause the devices to
-update their state to reflect the actual properties of the storage
-media. Device properties like vendor, model, and storage capacity appear to
-be correctly reported from the get-go. It is unclear why these devices
-defer populating the remaining characteristics.
-
-Match the behavior of a well known commercial operating system and
-trigger a READ operation prior to querying device characteristics to
-force the device to populate the mode pages.
-
-The additional READ is triggered by a flag set in the USB storage and
-UAS drivers. We avoid issuing the READ for other transport classes
-since some storage devices identify Linux through our particular
-discovery command sequence.
-
-Link: https://lore.kernel.org/r/20240213143306.2194237-1-martin.petersen@oracle.com
-Fixes: 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to avoid calling revalidate twice")
-Cc: stable@vger.kernel.org
-Reported-by: Tasos Sahanidis <tasos@tasossah.com>
-Reviewed-by: Ewan D. Milne <emilne@redhat.com>
-Reviewed-by: Bart Van Assche <bvanassche@acm.org>
-Tested-by: Tasos Sahanidis <tasos@tasossah.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/sd.c | 26 +++++++++++++++++++++++++-
- drivers/usb/storage/scsiglue.c | 7 +++++++
- drivers/usb/storage/uas.c | 7 +++++++
- include/scsi/scsi_device.h | 1 +
- 4 files changed, 40 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
-index ad619f7c7418..3ec9b324fdcf 100644
---- a/drivers/scsi/sd.c
-+++ b/drivers/scsi/sd.c
-@@ -3286,6 +3286,24 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp,
- return true;
- }
-
-+static void sd_read_block_zero(struct scsi_disk *sdkp)
-+{
-+ unsigned int buf_len = sdkp->device->sector_size;
-+ char *buffer, cmd[10] = { };
-+
-+ buffer = kmalloc(buf_len, GFP_KERNEL);
-+ if (!buffer)
-+ return;
-+
-+ cmd[0] = READ_10;
-+ put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */
-+ put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */
-+
-+ scsi_execute_req(sdkp->device, cmd, DMA_FROM_DEVICE, buffer, buf_len,
-+ NULL, SD_TIMEOUT, sdkp->max_retries, NULL);
-+ kfree(buffer);
-+}
-+
- /**
- * sd_revalidate_disk - called the first time a new disk is seen,
- * performs disk spin up, read_capacity, etc.
-@@ -3325,7 +3343,13 @@ static int sd_revalidate_disk(struct gendisk *disk)
- */
- if (sdkp->media_present) {
- sd_read_capacity(sdkp, buffer);
--
-+ /*
-+ * Some USB/UAS devices return generic values for mode pages
-+ * until the media has been accessed. Trigger a READ operation
-+ * to force the device to populate mode pages.
-+ */
-+ if (sdp->read_before_ms)
-+ sd_read_block_zero(sdkp);
- /*
- * set the default to rotational. All non-rotational devices
- * support the block characteristics VPD page, which will
-diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c
-index c54e9805da53..12cf9940e5b6 100644
---- a/drivers/usb/storage/scsiglue.c
-+++ b/drivers/usb/storage/scsiglue.c
-@@ -179,6 +179,13 @@ static int slave_configure(struct scsi_device *sdev)
- */
- sdev->use_192_bytes_for_3f = 1;
-
-+ /*
-+ * Some devices report generic values until the media has been
-+ * accessed. Force a READ(10) prior to querying device
-+ * characteristics.
-+ */
-+ sdev->read_before_ms = 1;
-+
- /*
- * Some devices don't like MODE SENSE with page=0x3f,
- * which is the command used for checking if a device
-diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
-index ee5621bdb11e..af619efe8eab 100644
---- a/drivers/usb/storage/uas.c
-+++ b/drivers/usb/storage/uas.c
-@@ -876,6 +876,13 @@ static int uas_slave_configure(struct scsi_device *sdev)
- if (devinfo->flags & US_FL_CAPACITY_HEURISTICS)
- sdev->guess_capacity = 1;
-
-+ /*
-+ * Some devices report generic values until the media has been
-+ * accessed. Force a READ(10) prior to querying device
-+ * characteristics.
-+ */
-+ sdev->read_before_ms = 1;
-+
- /*
- * Some devices don't like MODE SENSE with page=0x3f,
- * which is the command used for checking if a device
-diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
-index d2751ed536df..1504d3137cc6 100644
---- a/include/scsi/scsi_device.h
-+++ b/include/scsi/scsi_device.h
-@@ -204,6 +204,7 @@ struct scsi_device {
- unsigned use_10_for_rw:1; /* first try 10-byte read / write */
- unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */
- unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */
-+ unsigned read_before_ms:1; /* perform a READ before MODE SENSE */
- unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */
- unsigned no_write_same:1; /* no WRITE SAME command */
- unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */
---
-2.43.0
-
diff --git a/debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch b/debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch
new file mode 100644
index 000000000..b21318ecc
--- /dev/null
+++ b/debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch
@@ -0,0 +1,141 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 30 Apr 2024 15:53:37 +0200
+Subject: tipc: fix UAF in error path
+Origin: https://git.kernel.org/linus/080cbb890286cd794f1ee788bbc5463e2deb7c2b
+
+Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported
+a UAF in the tipc_buf_append() error path:
+
+BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0
+linux/net/core/skbuff.c:1183
+Read of size 8 at addr ffff88804d2a7c80 by task poc/8034
+
+CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.16.0-debian-1.16.0-5 04/01/2014
+Call Trace:
+ <IRQ>
+ __dump_stack linux/lib/dump_stack.c:88
+ dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106
+ print_address_description linux/mm/kasan/report.c:377
+ print_report+0xc4/0x620 linux/mm/kasan/report.c:488
+ kasan_report+0xda/0x110 linux/mm/kasan/report.c:601
+ kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183
+ skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026
+ skb_release_all linux/net/core/skbuff.c:1094
+ __kfree_skb linux/net/core/skbuff.c:1108
+ kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144
+ kfree_skb linux/./include/linux/skbuff.h:1244
+ tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186
+ tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324
+ tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824
+ tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159
+ tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390
+ udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108
+ udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186
+ udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346
+ __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422
+ ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205
+ ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233
+ NF_HOOK linux/./include/linux/netfilter.h:314
+ NF_HOOK linux/./include/linux/netfilter.h:308
+ ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254
+ dst_input linux/./include/net/dst.h:461
+ ip_rcv_finish linux/net/ipv4/ip_input.c:449
+ NF_HOOK linux/./include/linux/netfilter.h:314
+ NF_HOOK linux/./include/linux/netfilter.h:308
+ ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569
+ __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534
+ __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648
+ process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976
+ __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576
+ napi_poll linux/net/core/dev.c:6645
+ net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781
+ __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553
+ do_softirq linux/kernel/softirq.c:454
+ do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381
+ local_bh_enable linux/./include/linux/bottom_half.h:33
+ rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851
+ __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378
+ dev_queue_xmit linux/./include/linux/netdevice.h:3169
+ neigh_hh_output linux/./include/net/neighbour.h:526
+ neigh_output linux/./include/net/neighbour.h:540
+ ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235
+ __ip_finish_output linux/net/ipv4/ip_output.c:313
+ __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295
+ ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323
+ NF_HOOK_COND linux/./include/linux/netfilter.h:303
+ ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433
+ dst_output linux/./include/net/dst.h:451
+ ip_local_out linux/net/ipv4/ip_output.c:129
+ ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492
+ udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963
+ udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250
+ inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850
+ sock_sendmsg_nosec linux/net/socket.c:730
+ __sock_sendmsg linux/net/socket.c:745
+ __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191
+ __do_sys_sendto linux/net/socket.c:2203
+ __se_sys_sendto linux/net/socket.c:2199
+ __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199
+ do_syscall_x64 linux/arch/x86/entry/common.c:52
+ do_syscall_64+0xd8/0x270 linux/arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77 linux/arch/x86/entry/entry_64.S:120
+RIP: 0033:0x7f3434974f29
+Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48
+89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
+01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48
+RSP: 002b:00007fff9154f2b8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3434974f29
+RDX: 00000000000032c8 RSI: 00007fff9154f300 RDI: 0000000000000003
+RBP: 00007fff915532e0 R08: 00007fff91553360 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000212 R12: 000055ed86d261d0
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+In the critical scenario, either the relevant skb is freed or its
+ownership is transferred into a frag_lists. In both cases, the cleanup
+code must not free it again: we need to clear the skb reference earlier.
+
+Fixes: 1149557d64c9 ("tipc: eliminate unnecessary linearization of incoming buffers")
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23852
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/752f1ccf762223d109845365d07f55414058e5a3.1714484273.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ net/tipc/msg.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/msg.c b/net/tipc/msg.c
+index 5c9fd4791c4b..9a6e9bcbf694 100644
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -156,6 +156,11 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
+ if (!head)
+ goto err;
+
++ /* Either the input skb ownership is transferred to headskb
++ * or the input skb is freed, clear the reference to avoid
++ * bad access on error path.
++ */
++ *buf = NULL;
+ if (skb_try_coalesce(head, frag, &headstolen, &delta)) {
+ kfree_skb_partial(frag, headstolen);
+ } else {
+@@ -179,7 +184,6 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
+ *headbuf = NULL;
+ return 1;
+ }
+- *buf = NULL;
+ return 0;
+ err:
+ kfree_skb(*buf);
+--
+2.43.0
+
diff --git a/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch b/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
new file mode 100644
index 000000000..0b0ac04c6
--- /dev/null
+++ b/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
@@ -0,0 +1,38 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 30 Apr 2024 10:03:38 -0400
+Subject: tipc: fix a possible memleak in tipc_buf_append
+Origin: https://git.kernel.org/linus/97bf6f81b29a8efaf5d0983251a7450e5794370d
+
+__skb_linearize() doesn't free the skb when it fails, so move
+'*buf = NULL' after __skb_linearize(), so that the skb can be
+freed on the err path.
+
+Fixes: b7df21cf1b79 ("tipc: skb_linearize the head skb when reassembling msgs")
+Reported-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Link: https://lore.kernel.org/r/90710748c29a1521efac4f75ea01b3b7e61414cf.1714485818.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ net/tipc/msg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/msg.c b/net/tipc/msg.c
+index 9a6e9bcbf694..76284fc538eb 100644
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -142,9 +142,9 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
+ if (fragid == FIRST_FRAGMENT) {
+ if (unlikely(head))
+ goto err;
+- *buf = NULL;
+ if (skb_has_frag_list(frag) && __skb_linearize(frag))
+ goto err;
++ *buf = NULL;
+ frag = skb_unshare(frag, GFP_ATOMIC);
+ if (unlikely(!frag))
+ goto err;
+--
+2.43.0
+
diff --git a/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch b/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
deleted file mode 100644
index bfb6301cf..000000000
--- a/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-Date: Mon, 31 Jul 2023 15:59:42 -0300
-Subject: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
-Origin: https://git.kernel.org/linus/67c37756898a5a6b2941a13ae7260c89b54e0d88
-Bug-Debian: https://bugs.debian.org/1068770
-
-Any unprivileged user can attach N_GSM0710 ldisc, but it requires
-CAP_NET_ADMIN to create a GSM network anyway.
-
-Require initial namespace CAP_NET_ADMIN to do that.
-
-Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-Link: https://lore.kernel.org/r/20230731185942.279611-1-cascardo@canonical.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/n_gsm.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
-index 1cdefac4dd1b..c7a787f10a9c 100644
---- a/drivers/tty/n_gsm.c
-+++ b/drivers/tty/n_gsm.c
-@@ -3576,6 +3576,9 @@ static int gsmld_open(struct tty_struct *tty)
- {
- struct gsm_mux *gsm;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (tty->ops->write == NULL)
- return -EINVAL;
-
---
-2.43.0
-
diff --git a/debian/patches/series b/debian/patches/series
index a8afed1fd..2ae6bae6f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -103,9 +103,6 @@ features/arm64/quartz64/arm64-dts-rockchip-Add-SOQuartz-Model-A-baseboard.patch
# Miscellaneous bug fixes
bugfix/all/disable-some-marvell-phys.patch
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
-bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch
-bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch
-bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch
# Miscellaneous features
@@ -123,7 +120,8 @@ features/all/db-mok-keyring/trust-machine-keyring-by-default.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/ntfs-mark-it-as-broken.patch
-bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
+bugfix/all/tipc-fix-UAF-in-error-path.patch
+bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch