Merge tag 'ASB-2023-05-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2023-05-01 CVE-2023-21102 CVE-2023-21106 CVE-2023-0266 * tag 'ASB-2023-05-05_11-5.4' of https://android.googlesource.com/kernel/common: UPSTREAM: usb: musb: mediatek: don't unregister something that wasn't registered UPSTREAM: net: fix NULL pointer in skb_segment_list UPSTREAM: xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr() UPSTREAM: xfrm: compat: change expression for switch in xfrm_xlate64 UPSTREAM: perf/core: Call LSM hook after copying perf_event_attr UPSTREAM: ext4: fix use-after-free in ext4_xattr_set_entry UPSTREAM: ext4: remove duplicate definition of ext4_xattr_ibody_inline_set() UPSTREAM: Revert "ext4: fix use-after-free in ext4_xattr_set_entry" UPSTREAM: media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() ANDROID: incremental fs: Evict inodes before freeing mount data Change-Id: I0b01081a4a6d475b67b443421b8e0a2be57c8257
This commit is contained in:
Michael Bestas
commit
dfc478b4fe
@ -1106,6 +1106,8 @@ static void ene_remove(struct pnp_dev *pnp_dev)
|
||||
struct ene_device *dev = pnp_get_drvdata(pnp_dev);
|
||||
unsigned long flags;
|
||||
|
||||
rc_unregister_device(dev->rdev);
|
||||
del_timer_sync(&dev->tx_sim_timer);
|
||||
spin_lock_irqsave(&dev->hw_lock, flags);
|
||||
ene_rx_disable(dev);
|
||||
ene_rx_restore_hw_buffer(dev);
|
||||
@ -1113,7 +1115,6 @@ static void ene_remove(struct pnp_dev *pnp_dev)
|
||||
|
||||
free_irq(dev->irq, dev);
|
||||
release_region(dev->hw_io, ENE_IO_SIZE);
|
||||
rc_unregister_device(dev->rdev);
|
||||
kfree(dev);
|
||||
}
|
||||
|
||||
|
||||
@ -342,7 +342,8 @@ static int mtk_musb_init(struct musb *musb)
|
||||
err_phy_power_on:
|
||||
phy_exit(glue->phy);
|
||||
err_phy_init:
|
||||
mtk_otg_switch_exit(glue);
|
||||
if (musb->port_mode == MUSB_OTG)
|
||||
mtk_otg_switch_exit(glue);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
@ -208,7 +208,7 @@ static int ext4_read_inline_data(struct inode *inode, void *buffer,
|
||||
/*
|
||||
* write the buffer to the inline inode.
|
||||
* If 'create' is set, we don't need to do the extra copy in the xattr
|
||||
* value since it is already handled by ext4_xattr_ibody_inline_set.
|
||||
* value since it is already handled by ext4_xattr_ibody_set.
|
||||
* That saves us one memcpy.
|
||||
*/
|
||||
static void ext4_write_inline_data(struct inode *inode, struct ext4_iloc *iloc,
|
||||
@ -290,7 +290,7 @@ static int ext4_create_inline_data(handle_t *handle,
|
||||
|
||||
BUG_ON(!is.s.not_found);
|
||||
|
||||
error = ext4_xattr_ibody_inline_set(handle, inode, &i, &is);
|
||||
error = ext4_xattr_ibody_set(handle, inode, &i, &is);
|
||||
if (error) {
|
||||
if (error == -ENOSPC)
|
||||
ext4_clear_inode_state(inode,
|
||||
@ -362,7 +362,7 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
|
||||
i.value = value;
|
||||
i.value_len = len;
|
||||
|
||||
error = ext4_xattr_ibody_inline_set(handle, inode, &i, &is);
|
||||
error = ext4_xattr_ibody_set(handle, inode, &i, &is);
|
||||
if (error)
|
||||
goto out;
|
||||
|
||||
@ -435,7 +435,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle,
|
||||
if (error)
|
||||
goto out;
|
||||
|
||||
error = ext4_xattr_ibody_inline_set(handle, inode, &i, &is);
|
||||
error = ext4_xattr_ibody_set(handle, inode, &i, &is);
|
||||
if (error)
|
||||
goto out;
|
||||
|
||||
@ -1989,8 +1989,7 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline)
|
||||
i.value = value;
|
||||
i.value_len = i_size > EXT4_MIN_INLINE_DATA_SIZE ?
|
||||
i_size - EXT4_MIN_INLINE_DATA_SIZE : 0;
|
||||
err = ext4_xattr_ibody_inline_set(handle, inode,
|
||||
&i, &is);
|
||||
err = ext4_xattr_ibody_set(handle, inode, &i, &is);
|
||||
if (err)
|
||||
goto out_error;
|
||||
}
|
||||
|
||||
@ -2221,7 +2221,7 @@ int ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i,
|
||||
return 0;
|
||||
}
|
||||
|
||||
int ext4_xattr_ibody_inline_set(handle_t *handle, struct inode *inode,
|
||||
int ext4_xattr_ibody_set(handle_t *handle, struct inode *inode,
|
||||
struct ext4_xattr_info *i,
|
||||
struct ext4_xattr_ibody_find *is)
|
||||
{
|
||||
@ -2246,30 +2246,6 @@ int ext4_xattr_ibody_inline_set(handle_t *handle, struct inode *inode,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int ext4_xattr_ibody_set(handle_t *handle, struct inode *inode,
|
||||
struct ext4_xattr_info *i,
|
||||
struct ext4_xattr_ibody_find *is)
|
||||
{
|
||||
struct ext4_xattr_ibody_header *header;
|
||||
struct ext4_xattr_search *s = &is->s;
|
||||
int error;
|
||||
|
||||
if (EXT4_I(inode)->i_extra_isize == 0)
|
||||
return -ENOSPC;
|
||||
error = ext4_xattr_set_entry(i, s, handle, inode, false /* is_block */);
|
||||
if (error)
|
||||
return error;
|
||||
header = IHDR(inode, ext4_raw_inode(&is->iloc));
|
||||
if (!IS_LAST_ENTRY(s->first)) {
|
||||
header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC);
|
||||
ext4_set_inode_state(inode, EXT4_STATE_XATTR);
|
||||
} else {
|
||||
header->h_magic = cpu_to_le32(0);
|
||||
ext4_clear_inode_state(inode, EXT4_STATE_XATTR);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int ext4_xattr_value_same(struct ext4_xattr_search *s,
|
||||
struct ext4_xattr_info *i)
|
||||
{
|
||||
|
||||
@ -199,9 +199,9 @@ extern int ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i,
|
||||
extern int ext4_xattr_ibody_get(struct inode *inode, int name_index,
|
||||
const char *name,
|
||||
void *buffer, size_t buffer_size);
|
||||
extern int ext4_xattr_ibody_inline_set(handle_t *handle, struct inode *inode,
|
||||
struct ext4_xattr_info *i,
|
||||
struct ext4_xattr_ibody_find *is);
|
||||
extern int ext4_xattr_ibody_set(handle_t *handle, struct inode *inode,
|
||||
struct ext4_xattr_info *i,
|
||||
struct ext4_xattr_ibody_find *is);
|
||||
|
||||
extern struct mb_cache *ext4_xattr_create_cache(void);
|
||||
extern void ext4_xattr_destroy_cache(struct mb_cache *);
|
||||
|
||||
@ -30,6 +30,15 @@ static ssize_t corefs_show(struct kobject *kobj,
|
||||
|
||||
static struct kobj_attribute corefs_attr = __ATTR_RO(corefs);
|
||||
|
||||
static ssize_t bugfix_inode_eviction_show(struct kobject *kobj,
|
||||
struct kobj_attribute *attr, char *buff)
|
||||
{
|
||||
return snprintf(buff, PAGE_SIZE, "supported\n");
|
||||
}
|
||||
|
||||
static struct kobj_attribute bugfix_inode_eviction_attr =
|
||||
__ATTR_RO(bugfix_inode_eviction);
|
||||
|
||||
static ssize_t mounter_context_for_backing_rw_show(struct kobject *kobj,
|
||||
struct kobj_attribute *attr, char *buff)
|
||||
{
|
||||
@ -41,6 +50,7 @@ static struct kobj_attribute mounter_context_for_backing_rw_attr =
|
||||
|
||||
static struct attribute *attributes[] = {
|
||||
&corefs_attr.attr,
|
||||
&bugfix_inode_eviction_attr.attr,
|
||||
&mounter_context_for_backing_rw_attr.attr,
|
||||
NULL,
|
||||
};
|
||||
|
||||
@ -2311,6 +2311,13 @@ void incfs_kill_sb(struct super_block *sb)
|
||||
|
||||
pr_debug("incfs: unmount\n");
|
||||
|
||||
/*
|
||||
* We must kill the super before freeing mi, since killing the super
|
||||
* triggers inode eviction, which triggers the final update of the
|
||||
* backing file, which uses certain information for mi
|
||||
*/
|
||||
kill_anon_super(sb);
|
||||
|
||||
if (mi) {
|
||||
if (mi->mi_backing_dir_path.dentry)
|
||||
dinode = d_inode(mi->mi_backing_dir_path.dentry);
|
||||
@ -2322,7 +2329,6 @@ void incfs_kill_sb(struct super_block *sb)
|
||||
incfs_free_mount_info(mi);
|
||||
sb->s_fs_info = NULL;
|
||||
}
|
||||
kill_anon_super(sb);
|
||||
}
|
||||
|
||||
static int show_options(struct seq_file *m, struct dentry *root)
|
||||
|
||||
@ -11195,12 +11195,12 @@ SYSCALL_DEFINE5(perf_event_open,
|
||||
if (flags & ~PERF_FLAG_ALL)
|
||||
return -EINVAL;
|
||||
|
||||
/* Do we allow access to perf_event_open(2) ? */
|
||||
err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
|
||||
err = perf_copy_attr(attr_uptr, &attr);
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
err = perf_copy_attr(attr_uptr, &attr);
|
||||
/* Do we allow access to perf_event_open(2) ? */
|
||||
err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
|
||||
@ -3697,7 +3697,7 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
|
||||
|
||||
skb_shinfo(skb)->frag_list = NULL;
|
||||
|
||||
do {
|
||||
while (list_skb) {
|
||||
nskb = list_skb;
|
||||
list_skb = list_skb->next;
|
||||
|
||||
@ -3743,8 +3743,7 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
|
||||
if (skb_needs_linearize(nskb, features) &&
|
||||
__skb_linearize(nskb))
|
||||
goto err_linearize;
|
||||
|
||||
} while (list_skb);
|
||||
}
|
||||
|
||||
skb->truesize = skb->truesize - delta_truesize;
|
||||
skb->data_len = skb->data_len - delta_len;
|
||||
|
||||
@ -5,6 +5,7 @@
|
||||
* Based on code and translator idea by: Florian Westphal <fw@strlen.de>
|
||||
*/
|
||||
#include <linux/compat.h>
|
||||
#include <linux/nospec.h>
|
||||
#include <linux/xfrm.h>
|
||||
#include <net/xfrm.h>
|
||||
|
||||
@ -300,7 +301,7 @@ static int xfrm_xlate64(struct sk_buff *dst, const struct nlmsghdr *nlh_src)
|
||||
nla_for_each_attr(nla, attrs, len, remaining) {
|
||||
int err;
|
||||
|
||||
switch (type) {
|
||||
switch (nlh_src->nlmsg_type) {
|
||||
case XFRM_MSG_NEWSPDINFO:
|
||||
err = xfrm_nla_cpy(dst, nla, nla_len(nla));
|
||||
break;
|
||||
@ -435,6 +436,7 @@ static int xfrm_xlate32_attr(void *dst, const struct nlattr *nla,
|
||||
NL_SET_ERR_MSG(extack, "Bad attribute");
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
type = array_index_nospec(type, XFRMA_MAX + 1);
|
||||
if (nla_len(nla) < compat_policy[type].len) {
|
||||
NL_SET_ERR_MSG(extack, "Attribute bad length");
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user