From d9960f3ed9eca14ab4a96327e3141d6f5911bb43 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Tue, 16 Apr 2024 05:22:57 +0200 Subject: Adding debian version 6.1.85-1. Signed-off-by: Daniel Baumann --- ...fcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch | 57 ------ ...-core-Add-struct-for-args-to-execution-fu.patch | 198 +++++++++++++++++++++ ...-sd-usb_storage-uas-Access-media-prior-to.patch | 125 +++++++++++++ ...-potential-use-after-free-problem-in-aoec.patch | 87 --------- .../bugfix/all/efi-fix-panic-in-kdump-kernel.patch | 34 ---- ...stub-Cast-away-type-warning-in-use-of-max.patch | 30 ---- ...-fix-efi_random_alloc-to-allocate-memory-.patch | 68 ------- ..._storage-uas-Access-media-prior-to-queryi.patch | 155 ++++++++++++++++ ...sr9800-Add-check-for-usbnet_get_endpoints.patch | 39 ---- ...equire-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch | 35 ++++ ...-fix-NULL-pointer-dereference-in-ath10k_w.patch | 41 ----- ...-Clear-decompressor-BSS-in-native-EFI-ent.patch | 68 ------- ...istub-Don-t-clear-BSS-twice-in-mixed-mode.patch | 41 ----- ...wn-the-kernel-if-booted-in-secure-boot-mo.patch | 40 ++--- .../x86-make-x32-syscall-support-conditional.patch | 22 +-- debian/patches/series | 13 +- 16 files changed, 543 insertions(+), 510 deletions(-) delete mode 100644 debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch create mode 100644 debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch create mode 100644 debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch delete mode 100644 debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch delete mode 100644 debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch delete mode 100644 debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch delete mode 100644 debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch create mode 100644 debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch delete mode 100644 debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch create mode 100644 debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch delete mode 100644 debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch delete mode 100644 debian/patches/bugfix/x86/x86-efistub-Clear-decompressor-BSS-in-native-EFI-ent.patch delete mode 100644 debian/patches/bugfix/x86/x86-efistub-Don-t-clear-BSS-twice-in-mixed-mode.patch (limited to 'debian/patches') diff --git a/debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch b/debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch deleted file mode 100644 index 258ab6ea4..000000000 --- a/debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch +++ /dev/null @@ -1,57 +0,0 @@ -From: Yuxuan Hu <20373622@buaa.edu.cn> -Date: Wed, 3 Jan 2024 17:10:43 +0800 -Subject: Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=567c0411dc3b424fc7bd1e6109726d7ba32d4f73 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-22099 - -[ Upstream commit 2535b848fa0f42ddff3e5255cf5e742c9b77bb26 ] - -During our fuzz testing of the connection and disconnection process at the -RFCOMM layer, we discovered this bug. By comparing the packets from a -normal connection and disconnection process with the testcase that -triggered a KASAN report. We analyzed the cause of this bug as follows: - -1. In the packets captured during a normal connection, the host sends a -`Read Encryption Key Size` type of `HCI_CMD` packet -(Command Opcode: 0x1408) to the controller to inquire the length of -encryption key.After receiving this packet, the controller immediately -replies with a Command Completepacket (Event Code: 0x0e) to return the -Encryption Key Size. - -2. In our fuzz test case, the timing of the controller's response to this -packet was delayed to an unexpected point: after the RFCOMM and L2CAP -layers had disconnected but before the HCI layer had disconnected. - -3. After receiving the Encryption Key Size Response at the time described -in point 2, the host still called the rfcomm_check_security function. -However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;` -had already been released, and when the function executed -`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`, -specifically when accessing `conn->hcon`, a null-ptr-deref error occurred. - -To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling -rfcomm_recv_frame in rfcomm_process_rx. - -Signed-off-by: Yuxuan Hu <20373622@buaa.edu.cn> -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - net/bluetooth/rfcomm/core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c -index 8d6fce9005bd..4f54c7df3a94 100644 ---- a/net/bluetooth/rfcomm/core.c -+++ b/net/bluetooth/rfcomm/core.c -@@ -1937,7 +1937,7 @@ static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s) - /* Get data directly from socket receive queue without copying it. */ - while ((skb = skb_dequeue(&sk->sk_receive_queue))) { - skb_orphan(skb); -- if (!skb_linearize(skb)) { -+ if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) { - s = rfcomm_recv_frame(s, skb); - if (!s) - break; --- -2.43.0 - diff --git a/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch b/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch new file mode 100644 index 000000000..5e77d7985 --- /dev/null +++ b/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch @@ -0,0 +1,198 @@ +From: Greg Kroah-Hartman +Date: Thu, 11 Apr 2024 09:26:49 +0200 +Subject: Revert "scsi: core: Add struct for args to execution functions" +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=d1e620297a84caac1cd67615f4f4f6901527ca2b + +This reverts commit cf33e6ca12d814e1be2263cb76960d0019d7fb94 which is +commit d0949565811f0896c1c7e781ab2ad99d34273fdf upstream. + +It is known to cause problems and has asked to be dropped. + +Link: https://lore.kernel.org/r/yq1frvvpymp.fsf@ca-mkp.ca.oracle.com +Cc: Tasos Sahanidis +Cc: Ewan D. Milne +Cc: Bart Van Assche +Cc: Tasos Sahanidis +Cc: Martin K. Petersen +Cc: James Bottomley +Cc: Sasha Levin +Reported-by: John David Anglin +Reported-by: Cyril Brulebois +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_lib.c | 52 ++++++++++++++++++++------------------ + include/scsi/scsi_device.h | 51 ++++++++++--------------------------- + 2 files changed, 41 insertions(+), 62 deletions(-) + +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index edd296f950a3..5c5954b78585 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -185,37 +185,39 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason) + __scsi_queue_insert(cmd, reason, true); + } + ++ + /** +- * scsi_execute_cmd - insert request and wait for the result +- * @sdev: scsi_device ++ * __scsi_execute - insert request and wait for the result ++ * @sdev: scsi device + * @cmd: scsi command +- * @opf: block layer request cmd_flags ++ * @data_direction: data direction + * @buffer: data buffer + * @bufflen: len of buffer ++ * @sense: optional sense buffer ++ * @sshdr: optional decoded sense header + * @timeout: request timeout in HZ + * @retries: number of times to retry request +- * @args: Optional args. See struct definition for field descriptions ++ * @flags: flags for ->cmd_flags ++ * @rq_flags: flags for ->rq_flags ++ * @resid: optional residual length + * + * Returns the scsi_cmnd result field if a command was executed, or a negative + * Linux error code if we didn't get that far. + */ +-int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, +- blk_opf_t opf, void *buffer, unsigned int bufflen, +- int timeout, int retries, +- const struct scsi_exec_args *args) ++int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, ++ int data_direction, void *buffer, unsigned bufflen, ++ unsigned char *sense, struct scsi_sense_hdr *sshdr, ++ int timeout, int retries, blk_opf_t flags, ++ req_flags_t rq_flags, int *resid) + { +- static const struct scsi_exec_args default_args; + struct request *req; + struct scsi_cmnd *scmd; + int ret; + +- if (!args) +- args = &default_args; +- else if (WARN_ON_ONCE(args->sense && +- args->sense_len != SCSI_SENSE_BUFFERSIZE)) +- return -EINVAL; +- +- req = scsi_alloc_request(sdev->request_queue, opf, args->req_flags); ++ req = scsi_alloc_request(sdev->request_queue, ++ data_direction == DMA_TO_DEVICE ? ++ REQ_OP_DRV_OUT : REQ_OP_DRV_IN, ++ rq_flags & RQF_PM ? BLK_MQ_REQ_PM : 0); + if (IS_ERR(req)) + return PTR_ERR(req); + +@@ -230,7 +232,8 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, + memcpy(scmd->cmnd, cmd, scmd->cmd_len); + scmd->allowed = retries; + req->timeout = timeout; +- req->rq_flags |= RQF_QUIET; ++ req->cmd_flags |= flags; ++ req->rq_flags |= rq_flags | RQF_QUIET; + + /* + * head injection *required* here otherwise quiesce won't work +@@ -246,21 +249,20 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, + if (unlikely(scmd->resid_len > 0 && scmd->resid_len <= bufflen)) + memset(buffer + bufflen - scmd->resid_len, 0, scmd->resid_len); + +- if (args->resid) +- *args->resid = scmd->resid_len; +- if (args->sense) +- memcpy(args->sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE); +- if (args->sshdr) ++ if (resid) ++ *resid = scmd->resid_len; ++ if (sense && scmd->sense_len) ++ memcpy(sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE); ++ if (sshdr) + scsi_normalize_sense(scmd->sense_buffer, scmd->sense_len, +- args->sshdr); +- ++ sshdr); + ret = scmd->result; + out: + blk_mq_free_request(req); + + return ret; + } +-EXPORT_SYMBOL(scsi_execute_cmd); ++EXPORT_SYMBOL(__scsi_execute); + + /* + * Wake up the error handler if necessary. Avoid as follows that the error +diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h +index b407807cc669..d2751ed536df 100644 +--- a/include/scsi/scsi_device.h ++++ b/include/scsi/scsi_device.h +@@ -479,51 +479,28 @@ extern const char *scsi_device_state_name(enum scsi_device_state); + extern int scsi_is_sdev_device(const struct device *); + extern int scsi_is_target_device(const struct device *); + extern void scsi_sanitize_inquiry_string(unsigned char *s, int len); +- +-/* Optional arguments to scsi_execute_cmd */ +-struct scsi_exec_args { +- unsigned char *sense; /* sense buffer */ +- unsigned int sense_len; /* sense buffer len */ +- struct scsi_sense_hdr *sshdr; /* decoded sense header */ +- blk_mq_req_flags_t req_flags; /* BLK_MQ_REQ flags */ +- int *resid; /* residual length */ +-}; +- +-int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, +- blk_opf_t opf, void *buffer, unsigned int bufflen, +- int timeout, int retries, +- const struct scsi_exec_args *args); +- ++extern int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, ++ int data_direction, void *buffer, unsigned bufflen, ++ unsigned char *sense, struct scsi_sense_hdr *sshdr, ++ int timeout, int retries, blk_opf_t flags, ++ req_flags_t rq_flags, int *resid); + /* Make sure any sense buffer is the correct size. */ +-#define scsi_execute(_sdev, _cmd, _data_dir, _buffer, _bufflen, _sense, \ +- _sshdr, _timeout, _retries, _flags, _rq_flags, \ +- _resid) \ ++#define scsi_execute(sdev, cmd, data_direction, buffer, bufflen, sense, \ ++ sshdr, timeout, retries, flags, rq_flags, resid) \ + ({ \ +- scsi_execute_cmd(_sdev, _cmd, (_data_dir == DMA_TO_DEVICE ? \ +- REQ_OP_DRV_OUT : REQ_OP_DRV_IN) | _flags, \ +- _buffer, _bufflen, _timeout, _retries, \ +- &(struct scsi_exec_args) { \ +- .sense = _sense, \ +- .sshdr = _sshdr, \ +- .req_flags = _rq_flags & RQF_PM ? \ +- BLK_MQ_REQ_PM : 0, \ +- .resid = _resid, \ +- }); \ ++ BUILD_BUG_ON((sense) != NULL && \ ++ sizeof(sense) != SCSI_SENSE_BUFFERSIZE); \ ++ __scsi_execute(sdev, cmd, data_direction, buffer, bufflen, \ ++ sense, sshdr, timeout, retries, flags, rq_flags, \ ++ resid); \ + }) +- + static inline int scsi_execute_req(struct scsi_device *sdev, + const unsigned char *cmd, int data_direction, void *buffer, + unsigned bufflen, struct scsi_sense_hdr *sshdr, int timeout, + int retries, int *resid) + { +- return scsi_execute_cmd(sdev, cmd, +- data_direction == DMA_TO_DEVICE ? +- REQ_OP_DRV_OUT : REQ_OP_DRV_IN, buffer, +- bufflen, timeout, retries, +- &(struct scsi_exec_args) { +- .sshdr = sshdr, +- .resid = resid, +- }); ++ return scsi_execute(sdev, cmd, data_direction, buffer, ++ bufflen, NULL, sshdr, timeout, retries, 0, 0, resid); + } + extern void sdev_disable_disk_events(struct scsi_device *sdev); + extern void sdev_enable_disk_events(struct scsi_device *sdev); +-- +2.43.0 + diff --git a/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch b/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch new file mode 100644 index 000000000..2b03fad36 --- /dev/null +++ b/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch @@ -0,0 +1,125 @@ +From: Greg Kroah-Hartman +Date: Thu, 11 Apr 2024 09:24:48 +0200 +Subject: Revert "scsi: sd: usb_storage: uas: Access media prior to querying + device properties" +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=fc7309d7c76e446d7804fcc075da53694cecd755 +Bug-Debian: https://bugs.debian.org/1068675 + +This reverts commit b73dd5f9997279715cd450ee8ca599aaff2eabb9 which is +commit 321da3dc1f3c92a12e3c5da934090d2992a8814c upstream. + +It is known to cause problems and has asked to be dropped. + +Link: https://lore.kernel.org/r/yq1frvvpymp.fsf@ca-mkp.ca.oracle.com +Cc: Tasos Sahanidis +Cc: Ewan D. Milne +Cc: Bart Van Assche +Cc: Tasos Sahanidis +Cc: Martin K. Petersen +Cc: James Bottomley +Cc: Sasha Levin +Reported-by: John David Anglin +Reported-by: Cyril Brulebois +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sd.c | 26 +------------------------- + drivers/usb/storage/scsiglue.c | 7 ------- + drivers/usb/storage/uas.c | 7 ------- + include/scsi/scsi_device.h | 1 - + 4 files changed, 1 insertion(+), 40 deletions(-) + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index f32236c3f81c..ad619f7c7418 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -3286,24 +3286,6 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp, + return true; + } + +-static void sd_read_block_zero(struct scsi_disk *sdkp) +-{ +- unsigned int buf_len = sdkp->device->sector_size; +- char *buffer, cmd[10] = { }; +- +- buffer = kmalloc(buf_len, GFP_KERNEL); +- if (!buffer) +- return; +- +- cmd[0] = READ_10; +- put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */ +- put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */ +- +- scsi_execute_cmd(sdkp->device, cmd, REQ_OP_DRV_IN, buffer, buf_len, +- SD_TIMEOUT, sdkp->max_retries, NULL); +- kfree(buffer); +-} +- + /** + * sd_revalidate_disk - called the first time a new disk is seen, + * performs disk spin up, read_capacity, etc. +@@ -3343,13 +3325,7 @@ static int sd_revalidate_disk(struct gendisk *disk) + */ + if (sdkp->media_present) { + sd_read_capacity(sdkp, buffer); +- /* +- * Some USB/UAS devices return generic values for mode pages +- * until the media has been accessed. Trigger a READ operation +- * to force the device to populate mode pages. +- */ +- if (sdp->read_before_ms) +- sd_read_block_zero(sdkp); ++ + /* + * set the default to rotational. All non-rotational devices + * support the block characteristics VPD page, which will +diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c +index 12cf9940e5b6..c54e9805da53 100644 +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -179,13 +179,6 @@ static int slave_configure(struct scsi_device *sdev) + */ + sdev->use_192_bytes_for_3f = 1; + +- /* +- * Some devices report generic values until the media has been +- * accessed. Force a READ(10) prior to querying device +- * characteristics. +- */ +- sdev->read_before_ms = 1; +- + /* + * Some devices don't like MODE SENSE with page=0x3f, + * which is the command used for checking if a device +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index af619efe8eab..ee5621bdb11e 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -876,13 +876,6 @@ static int uas_slave_configure(struct scsi_device *sdev) + if (devinfo->flags & US_FL_CAPACITY_HEURISTICS) + sdev->guess_capacity = 1; + +- /* +- * Some devices report generic values until the media has been +- * accessed. Force a READ(10) prior to querying device +- * characteristics. +- */ +- sdev->read_before_ms = 1; +- + /* + * Some devices don't like MODE SENSE with page=0x3f, + * which is the command used for checking if a device +diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h +index a64713fe5264..b407807cc669 100644 +--- a/include/scsi/scsi_device.h ++++ b/include/scsi/scsi_device.h +@@ -204,7 +204,6 @@ struct scsi_device { + unsigned use_10_for_rw:1; /* first try 10-byte read / write */ + unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */ + unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */ +- unsigned read_before_ms:1; /* perform a READ before MODE SENSE */ + unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */ + unsigned no_write_same:1; /* no WRITE SAME command */ + unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */ +-- +2.43.0 + diff --git a/debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch b/debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch deleted file mode 100644 index f5cc88309..000000000 --- a/debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch +++ /dev/null @@ -1,87 +0,0 @@ -From: Chun-Yi Lee -Date: Tue, 5 Mar 2024 16:20:48 +0800 -Subject: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=74ca3ef68d2f449bc848c0a814cefc487bf755fa -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-6270 - -[ Upstream commit f98364e926626c678fb4b9004b75cacf92ff0662 ] - -This patch is against CVE-2023-6270. The description of cve is: - - A flaw was found in the ATA over Ethernet (AoE) driver in the Linux - kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on - `struct net_device`, and a use-after-free can be triggered by racing - between the free on the struct and the access through the `skbtxq` - global queue. This could lead to a denial of service condition or - potential code execution. - -In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial -code is finished. But the net_device ifp will still be used in -later tx()->dev_queue_xmit() in kthread. Which means that the -dev_put(ifp) should NOT be called in the success path of skb -initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into -use-after-free because the net_device is freed. - -This patch removed the dev_put(ifp) in the success path in -aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx(). - -Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270 -Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)") -Signed-off-by: Chun-Yi Lee -Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - drivers/block/aoe/aoecmd.c | 12 ++++++------ - drivers/block/aoe/aoenet.c | 1 + - 2 files changed, 7 insertions(+), 6 deletions(-) - -diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c -index d7317425be51..cc9077b588d7 100644 ---- a/drivers/block/aoe/aoecmd.c -+++ b/drivers/block/aoe/aoecmd.c -@@ -419,13 +419,16 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu - rcu_read_lock(); - for_each_netdev_rcu(&init_net, ifp) { - dev_hold(ifp); -- if (!is_aoe_netif(ifp)) -- goto cont; -+ if (!is_aoe_netif(ifp)) { -+ dev_put(ifp); -+ continue; -+ } - - skb = new_skb(sizeof *h + sizeof *ch); - if (skb == NULL) { - printk(KERN_INFO "aoe: skb alloc failure\n"); -- goto cont; -+ dev_put(ifp); -+ continue; - } - skb_put(skb, sizeof *h + sizeof *ch); - skb->dev = ifp; -@@ -440,9 +443,6 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu - h->major = cpu_to_be16(aoemajor); - h->minor = aoeminor; - h->cmd = AOECMD_CFG; -- --cont: -- dev_put(ifp); - } - rcu_read_unlock(); - } -diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c -index 63773a90581d..1e66c7a188a1 100644 ---- a/drivers/block/aoe/aoenet.c -+++ b/drivers/block/aoe/aoenet.c -@@ -64,6 +64,7 @@ tx(int id) __must_hold(&txlock) - pr_warn("aoe: packet could not be sent on %s. %s\n", - ifp ? ifp->name : "netif", - "consider increasing tx_queue_len"); -+ dev_put(ifp); - spin_lock_irq(&txlock); - } - return 0; --- -2.43.0 - diff --git a/debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch b/debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch deleted file mode 100644 index 009af084b..000000000 --- a/debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Oleksandr Tymoshenko -Date: Sat, 23 Mar 2024 06:33:33 +0000 -Subject: efi: fix panic in kdump kernel -Origin: https://git.kernel.org/linus/62b71cd73d41ddac6b1760402bbe8c4932e23531 - -Check if get_next_variable() is actually valid pointer before -calling it. In kdump kernel this method is set to NULL that causes -panic during the kexec-ed kernel boot. - -Tested with QEMU and OVMF firmware. - -Fixes: bad267f9e18f ("efi: verify that variable services are supported") -Signed-off-by: Oleksandr Tymoshenko -Signed-off-by: Ard Biesheuvel ---- - drivers/firmware/efi/efi.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c -index 8859fb0b006d..fdf07dd6f459 100644 ---- a/drivers/firmware/efi/efi.c -+++ b/drivers/firmware/efi/efi.c -@@ -203,6 +203,8 @@ static bool generic_ops_supported(void) - - name_size = sizeof(name); - -+ if (!efi.get_next_variable) -+ return false; - status = efi.get_next_variable(&name_size, &name, &guid); - if (status == EFI_UNSUPPORTED) - return false; --- -2.43.0 - diff --git a/debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch b/debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch deleted file mode 100644 index 402582b17..000000000 --- a/debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Ard Biesheuvel -Date: Tue, 26 Mar 2024 11:15:25 +0100 -Subject: efi/libstub: Cast away type warning in use of max() -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git/commit?id=07263d8a5a2cea66a3f10d930fea60ce49c7dc3b - -Add a missing (u64) cast to alloc_min, which is passed into -efi_random_alloc() as unsigned long, while efi_physical_addr_t is u64. - -Fixes: 3cb4a4827596abc82e ("efi/libstub: fix efi_random_alloc() ...") -Signed-off-by: Ard Biesheuvel ---- - drivers/firmware/efi/libstub/randomalloc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/firmware/efi/libstub/randomalloc.c b/drivers/firmware/efi/libstub/randomalloc.c -index 7e1852859550..fa81528150fe 100644 ---- a/drivers/firmware/efi/libstub/randomalloc.c -+++ b/drivers/firmware/efi/libstub/randomalloc.c -@@ -120,7 +120,7 @@ efi_status_t efi_random_alloc(unsigned long size, - continue; - } - -- target = round_up(max(md->phys_addr, alloc_min), align) + target_slot * align; -+ target = round_up(max(md->phys_addr, (u64)alloc_min), align) + target_slot * align; - pages = size / EFI_PAGE_SIZE; - - status = efi_bs_call(allocate_pages, EFI_ALLOCATE_ADDRESS, --- -2.43.0 - diff --git a/debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch b/debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch deleted file mode 100644 index d5590f5db..000000000 --- a/debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch +++ /dev/null @@ -1,68 +0,0 @@ -From: =?UTF-8?q?KONDO=20KAZUMA=28=E8=BF=91=E8=97=A4=E3=80=80=E5=92=8C?= - =?UTF-8?q?=E7=9C=9F=29?= -Date: Fri, 22 Mar 2024 10:47:02 +0000 -Subject: efi/libstub: fix efi_random_alloc() to allocate memory at alloc_min - or higher address -Origin: https://git.kernel.org/linus/3cb4a4827596abc82e55b80364f509d0fefc3051 - -Following warning is sometimes observed while booting my servers: - [ 3.594838] DMA: preallocated 4096 KiB GFP_KERNEL pool for atomic allocations - [ 3.602918] swapper/0: page allocation failure: order:10, mode:0xcc1(GFP_KERNEL|GFP_DMA), nodemask=(null),cpuset=/,mems_allowed=0-1 - ... - [ 3.851862] DMA: preallocated 1024 KiB GFP_KERNEL|GFP_DMA pool for atomic allocation - -If 'nokaslr' boot option is set, the warning always happens. - -On x86, ZONE_DMA is small zone at the first 16MB of physical address -space. When this problem happens, most of that space seems to be used by -decompressed kernel. Thereby, there is not enough space at DMA_ZONE to -meet the request of DMA pool allocation. - -The commit 2f77465b05b1 ("x86/efistub: Avoid placing the kernel below -LOAD_PHYSICAL_ADDR") tried to fix this problem by introducing lower -bound of allocation. - -But the fix is not complete. - -efi_random_alloc() allocates pages by following steps. -1. Count total available slots ('total_slots') -2. Select a slot ('target_slot') to allocate randomly -3. Calculate a starting address ('target') to be included target_slot -4. Allocate pages, which starting address is 'target' - -In step 1, 'alloc_min' is used to offset the starting address of memory -chunk. But in step 3 'alloc_min' is not considered at all. As the -result, 'target' can be miscalculated and become lower than 'alloc_min'. - -When KASLR is disabled, 'target_slot' is always 0 and the problem -happens everytime if the EFI memory map of the system meets the -condition. - -Fix this problem by calculating 'target' considering 'alloc_min'. - -Cc: linux-efi@vger.kernel.org -Cc: Tom Englund -Cc: linux-kernel@vger.kernel.org -Fixes: 2f77465b05b1 ("x86/efistub: Avoid placing the kernel below LOAD_PHYSICAL_ADDR") -Signed-off-by: Kazuma Kondo -Signed-off-by: Ard Biesheuvel ---- - drivers/firmware/efi/libstub/randomalloc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/firmware/efi/libstub/randomalloc.c b/drivers/firmware/efi/libstub/randomalloc.c -index 4e96a855fdf4..7e1852859550 100644 ---- a/drivers/firmware/efi/libstub/randomalloc.c -+++ b/drivers/firmware/efi/libstub/randomalloc.c -@@ -120,7 +120,7 @@ efi_status_t efi_random_alloc(unsigned long size, - continue; - } - -- target = round_up(md->phys_addr, align) + target_slot * align; -+ target = round_up(max(md->phys_addr, alloc_min), align) + target_slot * align; - pages = size / EFI_PAGE_SIZE; - - status = efi_bs_call(allocate_pages, EFI_ALLOCATE_ADDRESS, --- -2.43.0 - diff --git a/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch b/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch new file mode 100644 index 000000000..c59abc9f8 --- /dev/null +++ b/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch @@ -0,0 +1,155 @@ +From: "Martin K. Petersen" +Date: Tue, 13 Feb 2024 09:33:06 -0500 +Subject: scsi: sd: usb_storage: uas: Access media prior to querying device + properties +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=46e587855c060a0fdcbb4349accb62b31e9ce70f + +[ Upstream commit 321da3dc1f3c92a12e3c5da934090d2992a8814c ] + +It has been observed that some USB/UAS devices return generic properties +hardcoded in firmware for mode pages for a period of time after a device +has been discovered. The reported properties are either garbage or they do +not accurately reflect the characteristics of the physical storage device +attached in the case of a bridge. + +Prior to commit 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to +avoid calling revalidate twice") we would call revalidate several +times during device discovery. As a result, incorrect values would +eventually get replaced with ones accurately describing the attached +storage. When we did away with the redundant revalidate pass, several +cases were reported where devices reported nonsensical values or would +end up in write-protected state. + +An initial attempt at addressing this issue involved introducing a +delayed second revalidate invocation. However, this approach still +left some devices reporting incorrect characteristics. + +Tasos Sahanidis debugged the problem further and identified that +introducing a READ operation prior to MODE SENSE fixed the problem and that +it wasn't a timing issue. Issuing a READ appears to cause the devices to +update their state to reflect the actual properties of the storage +media. Device properties like vendor, model, and storage capacity appear to +be correctly reported from the get-go. It is unclear why these devices +defer populating the remaining characteristics. + +Match the behavior of a well known commercial operating system and +trigger a READ operation prior to querying device characteristics to +force the device to populate the mode pages. + +The additional READ is triggered by a flag set in the USB storage and +UAS drivers. We avoid issuing the READ for other transport classes +since some storage devices identify Linux through our particular +discovery command sequence. + +Link: https://lore.kernel.org/r/20240213143306.2194237-1-martin.petersen@oracle.com +Fixes: 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to avoid calling revalidate twice") +Cc: stable@vger.kernel.org +Reported-by: Tasos Sahanidis +Reviewed-by: Ewan D. Milne +Reviewed-by: Bart Van Assche +Tested-by: Tasos Sahanidis +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sd.c | 26 +++++++++++++++++++++++++- + drivers/usb/storage/scsiglue.c | 7 +++++++ + drivers/usb/storage/uas.c | 7 +++++++ + include/scsi/scsi_device.h | 1 + + 4 files changed, 40 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index ad619f7c7418..3ec9b324fdcf 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -3286,6 +3286,24 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp, + return true; + } + ++static void sd_read_block_zero(struct scsi_disk *sdkp) ++{ ++ unsigned int buf_len = sdkp->device->sector_size; ++ char *buffer, cmd[10] = { }; ++ ++ buffer = kmalloc(buf_len, GFP_KERNEL); ++ if (!buffer) ++ return; ++ ++ cmd[0] = READ_10; ++ put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */ ++ put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */ ++ ++ scsi_execute_req(sdkp->device, cmd, DMA_FROM_DEVICE, buffer, buf_len, ++ NULL, SD_TIMEOUT, sdkp->max_retries, NULL); ++ kfree(buffer); ++} ++ + /** + * sd_revalidate_disk - called the first time a new disk is seen, + * performs disk spin up, read_capacity, etc. +@@ -3325,7 +3343,13 @@ static int sd_revalidate_disk(struct gendisk *disk) + */ + if (sdkp->media_present) { + sd_read_capacity(sdkp, buffer); +- ++ /* ++ * Some USB/UAS devices return generic values for mode pages ++ * until the media has been accessed. Trigger a READ operation ++ * to force the device to populate mode pages. ++ */ ++ if (sdp->read_before_ms) ++ sd_read_block_zero(sdkp); + /* + * set the default to rotational. All non-rotational devices + * support the block characteristics VPD page, which will +diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c +index c54e9805da53..12cf9940e5b6 100644 +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -179,6 +179,13 @@ static int slave_configure(struct scsi_device *sdev) + */ + sdev->use_192_bytes_for_3f = 1; + ++ /* ++ * Some devices report generic values until the media has been ++ * accessed. Force a READ(10) prior to querying device ++ * characteristics. ++ */ ++ sdev->read_before_ms = 1; ++ + /* + * Some devices don't like MODE SENSE with page=0x3f, + * which is the command used for checking if a device +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index ee5621bdb11e..af619efe8eab 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -876,6 +876,13 @@ static int uas_slave_configure(struct scsi_device *sdev) + if (devinfo->flags & US_FL_CAPACITY_HEURISTICS) + sdev->guess_capacity = 1; + ++ /* ++ * Some devices report generic values until the media has been ++ * accessed. Force a READ(10) prior to querying device ++ * characteristics. ++ */ ++ sdev->read_before_ms = 1; ++ + /* + * Some devices don't like MODE SENSE with page=0x3f, + * which is the command used for checking if a device +diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h +index d2751ed536df..1504d3137cc6 100644 +--- a/include/scsi/scsi_device.h ++++ b/include/scsi/scsi_device.h +@@ -204,6 +204,7 @@ struct scsi_device { + unsigned use_10_for_rw:1; /* first try 10-byte read / write */ + unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */ + unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */ ++ unsigned read_before_ms:1; /* perform a READ before MODE SENSE */ + unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */ + unsigned no_write_same:1; /* no WRITE SAME command */ + unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */ +-- +2.43.0 + diff --git a/debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch b/debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch deleted file mode 100644 index ac7fb2e3e..000000000 --- a/debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Chen Ni -Date: Tue, 5 Mar 2024 07:59:27 +0000 -Subject: sr9800: Add check for usbnet_get_endpoints -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=9c402819620a842cbfe39359a3ddfaac9adc8384 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-26651 - -[ Upstream commit 07161b2416f740a2cb87faa5566873f401440a61 ] - -Add check for usbnet_get_endpoints() and return the error if it fails -in order to transfer the error. - -Signed-off-by: Chen Ni -Reviewed-by: Simon Horman -Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support") -Link: https://lore.kernel.org/r/20240305075927.261284-1-nichen@iscas.ac.cn -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/usb/sr9800.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c -index f5e19f3ef6cd..4de514482183 100644 ---- a/drivers/net/usb/sr9800.c -+++ b/drivers/net/usb/sr9800.c -@@ -737,7 +737,9 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf) - - data->eeprom_len = SR9800_EEPROM_LEN; - -- usbnet_get_endpoints(dev, intf); -+ ret = usbnet_get_endpoints(dev, intf); -+ if (ret) -+ goto out; - - /* LED Setting Rule : - * AABB:CCDD --- -2.43.0 - diff --git a/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch b/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch new file mode 100644 index 000000000..bfb6301cf --- /dev/null +++ b/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch @@ -0,0 +1,35 @@ +From: Thadeu Lima de Souza Cascardo +Date: Mon, 31 Jul 2023 15:59:42 -0300 +Subject: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc +Origin: https://git.kernel.org/linus/67c37756898a5a6b2941a13ae7260c89b54e0d88 +Bug-Debian: https://bugs.debian.org/1068770 + +Any unprivileged user can attach N_GSM0710 ldisc, but it requires +CAP_NET_ADMIN to create a GSM network anyway. + +Require initial namespace CAP_NET_ADMIN to do that. + +Signed-off-by: Thadeu Lima de Souza Cascardo +Link: https://lore.kernel.org/r/20230731185942.279611-1-cascardo@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 1cdefac4dd1b..c7a787f10a9c 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -3576,6 +3576,9 @@ static int gsmld_open(struct tty_struct *tty) + { + struct gsm_mux *gsm; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (tty->ops->write == NULL) + return -EINVAL; + +-- +2.43.0 + diff --git a/debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch b/debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch deleted file mode 100644 index 2747ec5b6..000000000 --- a/debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Xingyuan Mo -Date: Sun, 17 Dec 2023 13:29:01 +0200 -Subject: wifi: ath10k: fix NULL pointer dereference in - ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=90f089d77e38db1c48629f111f3c8c336be1bc38 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-7042 - -[ Upstream commit ad25ee36f00172f7d53242dc77c69fff7ced0755 ] - -We should check whether the WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT tlv is -present before accessing it, otherwise a null pointer deference error will -occur. - -Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event") -Signed-off-by: Xingyuan Mo -Acked-by: Jeff Johnson -Signed-off-by: Kalle Valo -Link: https://msgid.link/20231208043433.271449-1-hdthky0@gmail.com -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c -index 876410a47d1d..4d5009604eee 100644 ---- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c -+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c -@@ -844,6 +844,10 @@ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev(struct ath10k *ar, struct sk_buff *skb, - } - - ev = tb[WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT]; -+ if (!ev) { -+ kfree(tb); -+ return -EPROTO; -+ } - - arg->desc_id = ev->desc_id; - arg->status = ev->status; --- -2.43.0 - diff --git a/debian/patches/bugfix/x86/x86-efistub-Clear-decompressor-BSS-in-native-EFI-ent.patch b/debian/patches/bugfix/x86/x86-efistub-Clear-decompressor-BSS-in-native-EFI-ent.patch deleted file mode 100644 index 63c4cafae..000000000 --- a/debian/patches/bugfix/x86/x86-efistub-Clear-decompressor-BSS-in-native-EFI-ent.patch +++ /dev/null @@ -1,68 +0,0 @@ -From: Ard Biesheuvel -Date: Fri, 15 Mar 2024 16:26:16 +0100 -Subject: x86/efistub: Clear decompressor BSS in native EFI entrypoint -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=9274ec2003042bf0ed847cb80ffcfab543a0a33a - -[ Upstream commit b3810c5a2cc4a6665f7a65bed5393c75ce3f3aa2 ] - -The EFI stub on x86 no longer invokes the decompressor as a subsequent -boot stage, but calls into the decompression code directly while running -in the context of the EFI boot services. - -This means that when using the native EFI entrypoint (as opposed to the -EFI handover protocol, which clears BSS explicitly), the firmware PE -image loader is being relied upon to ensure that BSS is zeroed before -the EFI stub is entered from the firmware. - -As Radek's report proves, this is a bad idea. Not all loaders do this -correctly, which means some global variables that should be statically -initialized to 0x0 may have junk in them. - -So clear BSS explicitly when entering via efi_pe_entry(). Note that -zeroing BSS from C code is not generally safe, but in this case, the -following assignment and dereference of a global pointer variable -ensures that the memset() cannot be deferred or reordered. - -Cc: # v6.1+ -Reported-by: Radek Podgorny -Closes: https://lore.kernel.org/all/a99a831a-8ad5-4cb0-bff9-be637311f771@podgorny.cz -Signed-off-by: Ard Biesheuvel -Signed-off-by: Sasha Levin ---- - drivers/firmware/efi/libstub/x86-stub.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c -index 784e1b2ae5cc..aa07051459f5 100644 ---- a/drivers/firmware/efi/libstub/x86-stub.c -+++ b/drivers/firmware/efi/libstub/x86-stub.c -@@ -21,6 +21,8 @@ - #include "efistub.h" - #include "x86-stub.h" - -+extern char _bss[], _ebss[]; -+ - const efi_system_table_t *efi_system_table; - const efi_dxe_services_table_t *efi_dxe_table; - static efi_loaded_image_t *image = NULL; -@@ -432,6 +434,8 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle, - efi_status_t status; - char *cmdline_ptr; - -+ memset(_bss, 0, _ebss - _bss); -+ - efi_system_table = sys_table_arg; - - /* Check if we were booted by the EFI firmware */ -@@ -950,8 +954,6 @@ void __noreturn efi_stub_entry(efi_handle_t handle, - void efi_handover_entry(efi_handle_t handle, efi_system_table_t *sys_table_arg, - struct boot_params *boot_params) - { -- extern char _bss[], _ebss[]; -- - memset(_bss, 0, _ebss - _bss); - efi_stub_entry(handle, sys_table_arg, boot_params); - } --- -2.43.0 - diff --git a/debian/patches/bugfix/x86/x86-efistub-Don-t-clear-BSS-twice-in-mixed-mode.patch b/debian/patches/bugfix/x86/x86-efistub-Don-t-clear-BSS-twice-in-mixed-mode.patch deleted file mode 100644 index 2624812c5..000000000 --- a/debian/patches/bugfix/x86/x86-efistub-Don-t-clear-BSS-twice-in-mixed-mode.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Ard Biesheuvel -Date: Fri, 22 Mar 2024 17:01:45 +0100 -Subject: x86/efistub: Don't clear BSS twice in mixed mode -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=3a2a828d252f4280e15e61e0666644f1fadcf6c4 - -[ Upstream commit df7ecce842b846a04d087ba85fdb79a90e26a1b0 ] - -Clearing BSS should only be done once, at the very beginning. -efi_pe_entry() is the entrypoint from the firmware, which may not clear -BSS and so it is done explicitly. However, efi_pe_entry() is also used -as an entrypoint by the mixed mode startup code, in which case BSS will -already have been cleared, and doing it again at this point will corrupt -global variables holding the firmware's GDT/IDT and segment selectors. - -So make the memset() conditional on whether the EFI stub is running in -native mode. - -Fixes: b3810c5a2cc4a666 ("x86/efistub: Clear decompressor BSS in native EFI entrypoint") -Signed-off-by: Ard Biesheuvel -Signed-off-by: Sasha Levin ---- - drivers/firmware/efi/libstub/x86-stub.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c -index aa07051459f5..dc50dda40239 100644 ---- a/drivers/firmware/efi/libstub/x86-stub.c -+++ b/drivers/firmware/efi/libstub/x86-stub.c -@@ -434,7 +434,8 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle, - efi_status_t status; - char *cmdline_ptr; - -- memset(_bss, 0, _ebss - _bss); -+ if (efi_is_native()) -+ memset(_bss, 0, _ebss - _bss); - - efi_system_table = sys_table_arg; - --- -2.43.0 - diff --git a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch index 9ec425871..68255cb01 100644 --- a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch +++ b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -24,20 +24,18 @@ Signed-off-by: Salvatore Bonaccorso security/lockdown/lockdown.c | 2 +- 5 files changed, 27 insertions(+), 3 deletions(-) -Index: debian-kernel/arch/x86/kernel/setup.c -=================================================================== ---- debian-kernel.orig/arch/x86/kernel/setup.c -+++ debian-kernel/arch/x86/kernel/setup.c -@@ -979,6 +979,8 @@ void __init setup_arch(char **cmdline_p) +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1031,6 +1031,8 @@ void __init setup_arch(char **cmdline_p) if (efi_enabled(EFI_BOOT)) efi_init(); + efi_set_secure_boot(boot_params.secure_boot); + - dmi_setup(); + x86_init.resources.dmi_setup(); /* -@@ -1130,8 +1132,6 @@ void __init setup_arch(char **cmdline_p) +@@ -1200,8 +1202,6 @@ void __init setup_arch(char **cmdline_p) /* Allocate bigger log buffer */ setup_log_buf(1); @@ -46,10 +44,8 @@ Index: debian-kernel/arch/x86/kernel/setup.c reserve_initrd(); acpi_table_upgrade(); -Index: debian-kernel/drivers/firmware/efi/secureboot.c -=================================================================== ---- debian-kernel.orig/drivers/firmware/efi/secureboot.c -+++ debian-kernel/drivers/firmware/efi/secureboot.c +--- a/drivers/firmware/efi/secureboot.c ++++ b/drivers/firmware/efi/secureboot.c @@ -15,6 +15,7 @@ #include #include @@ -69,11 +65,9 @@ Index: debian-kernel/drivers/firmware/efi/secureboot.c pr_info("Secure boot enabled\n"); break; default: -Index: debian-kernel/include/linux/security.h -=================================================================== ---- debian-kernel.orig/include/linux/security.h -+++ debian-kernel/include/linux/security.h -@@ -451,6 +451,7 @@ int security_inode_notifysecctx(struct i +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -481,6 +481,7 @@ int security_inode_notifysecctx(struct i int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); int security_locked_down(enum lockdown_reason what); @@ -81,7 +75,7 @@ Index: debian-kernel/include/linux/security.h #else /* CONFIG_SECURITY */ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) -@@ -1291,6 +1292,11 @@ static inline int security_locked_down(e +@@ -1381,6 +1382,11 @@ static inline int security_locked_down(e { return 0; } @@ -93,10 +87,8 @@ Index: debian-kernel/include/linux/security.h #endif /* CONFIG_SECURITY */ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) -Index: debian-kernel/security/lockdown/Kconfig -=================================================================== ---- debian-kernel.orig/security/lockdown/Kconfig -+++ debian-kernel/security/lockdown/Kconfig +--- a/security/lockdown/Kconfig ++++ b/security/lockdown/Kconfig @@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI disabled. @@ -116,10 +108,8 @@ Index: debian-kernel/security/lockdown/Kconfig + + Enabling this option results in kernel lockdown being + triggered in integrity mode if EFI Secure Boot is set. -Index: debian-kernel/security/lockdown/lockdown.c -=================================================================== ---- debian-kernel.orig/security/lockdown/lockdown.c -+++ debian-kernel/security/lockdown/lockdown.c +--- a/security/lockdown/lockdown.c ++++ b/security/lockdown/lockdown.c @@ -23,7 +23,7 @@ static const enum lockdown_reason lockdo /* * Put the kernel into lock-down mode. diff --git a/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch b/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch index 44dd25261..78f407896 100644 --- a/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch +++ b/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch @@ -29,7 +29,7 @@ Signed-off-by: Ben Hutchings --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -5768,6 +5768,10 @@ +@@ -6160,6 +6160,10 @@ later by a loaded module cannot be set this way. Example: sysctl.vm.swappiness=40 @@ -42,7 +42,7 @@ Signed-off-by: Ben Hutchings on older distributions. When this option is enabled --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -2865,6 +2865,14 @@ config COMPAT_32 +@@ -2997,6 +2997,14 @@ config COMPAT_32 select HAVE_UID16 select OLD_SIGSUSPEND3 @@ -59,14 +59,14 @@ Signed-off-by: Ben Hutchings depends on IA32_EMULATION || X86_X32_ABI --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c -@@ -62,7 +62,7 @@ static __always_inline bool do_syscall_x +@@ -63,7 +63,7 @@ static __always_inline bool do_syscall_x */ unsigned int xnr = nr - __X32_SYSCALL_BIT; - if (IS_ENABLED(CONFIG_X86_X32_ABI) && likely(xnr < X32_NR_syscalls)) { + if (IS_ENABLED(CONFIG_X86_X32_ABI) && unlikely(x32_enabled) && likely(xnr < X32_NR_syscalls)) { xnr = array_index_nospec(xnr, X32_NR_syscalls); - regs->ax = x32_sys_call_table[xnr](regs); + regs->ax = x32_sys_call(regs, xnr); return true; --- a/arch/x86/entry/syscall_x32.c +++ b/arch/x86/entry/syscall_x32.c @@ -80,9 +80,9 @@ Signed-off-by: Ben Hutchings #include #include -@@ -16,3 +19,46 @@ - asmlinkage const sys_call_ptr_t x32_sys_call_table[] = { - #include +@@ -20,3 +23,46 @@ long x32_sys_call(const struct pt_regs * + default: return __x64_sys_ni_syscall(regs); + } }; + +/* Maybe enable x32 syscalls */ @@ -139,7 +139,7 @@ Signed-off-by: Ben Hutchings typedef unsigned long elf_greg_t; -@@ -161,7 +164,8 @@ do { \ +@@ -150,7 +153,8 @@ do { \ #define compat_elf_check_arch(x) \ (elf_check_arch_ia32(x) || \ @@ -159,9 +159,9 @@ Signed-off-by: Ben Hutchings #include /* for TS_COMPAT */ #include -@@ -30,6 +31,18 @@ extern const sys_call_ptr_t ia32_sys_cal - extern const sys_call_ptr_t x32_sys_call_table[]; - #endif +@@ -28,6 +29,18 @@ extern long ia32_sys_call(const struct p + extern long x32_sys_call(const struct pt_regs *, unsigned int nr); + extern long x64_sys_call(const struct pt_regs *, unsigned int nr); +#if defined(CONFIG_X86_X32_ABI) +#if defined(CONFIG_X86_X32_DISABLED) diff --git a/debian/patches/series b/debian/patches/series index 7c91421ff..84927f452 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -71,8 +71,6 @@ bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch bugfix/alpha/alpha-fix-missing-symbol-versions-for-str-n-cat-cpy.patch -bugfix/x86/x86-efistub-Clear-decompressor-BSS-in-native-EFI-ent.patch -bugfix/x86/x86-efistub-Don-t-clear-BSS-twice-in-mixed-mode.patch # Arch features features/arm64/dt-bindings-rockchip-Add-Hardkernel-ODROID-M1-board.patch @@ -105,9 +103,9 @@ features/arm64/quartz64/arm64-dts-rockchip-Add-SOQuartz-Model-A-baseboard.patch # Miscellaneous bug fixes bugfix/all/disable-some-marvell-phys.patch bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch -bugfix/all/efi-fix-panic-in-kdump-kernel.patch -bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch -bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch +bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch +bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch +bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch # Miscellaneous features @@ -125,10 +123,7 @@ features/all/db-mok-keyring/trust-machine-keyring-by-default.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch -bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch -bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch -bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch -bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch +bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch -- cgit v1.2.3