backport a few fixes-fixes
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
parent
1de3bb1f40
commit
3cf1727216
@ -0,0 +1,37 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Mon, 22 Aug 2022 13:48:32 +0200
|
||||
Subject: [PATCH] ext4: fix check for block being out of directory size
|
||||
|
||||
commit 61a1d87a324ad5e3ed27c6699dfc93218fcf3201 upstream.
|
||||
|
||||
The check in __ext4_read_dirblock() for block being outside of directory
|
||||
size was wrong because it compared block number against directory size
|
||||
in bytes. Fix it.
|
||||
|
||||
Fixes: 65f8ea4cd57d ("ext4: check if directory block is within i_size")
|
||||
CVE: CVE-2022-1184
|
||||
CC: stable@vger.kernel.org
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
Reviewed-by: Lukas Czerner <lczerner@redhat.com>
|
||||
Link: https://lore.kernel.org/r/20220822114832.1482-1-jack@suse.cz
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
fs/ext4/namei.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
|
||||
index 7d3ec39121f7..86ee0e0eef67 100644
|
||||
--- a/fs/ext4/namei.c
|
||||
+++ b/fs/ext4/namei.c
|
||||
@@ -126,7 +126,7 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode,
|
||||
struct ext4_dir_entry *dirent;
|
||||
int is_dx_block = 0;
|
||||
|
||||
- if (block >= inode->i_size) {
|
||||
+ if (block >= inode->i_size >> inode->i_blkbits) {
|
||||
ext4_error_inode(inode, func, line, block,
|
||||
"Attempting to read directory block (%u) that is past i_size (%llu)",
|
||||
block, inode->i_size);
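Review bot: The message passed to `ext4_error_inode()` still prints `block` (a block index) next to `inode->i_size` (bytes), while the corrected condition compares in blocks, so someone triaging a report from a corrupted image cannot see the limit that was actually applied. A comment above the check would record the unit change: `/* i_size is in bytes; the limit is expressed in directory blocks */`. Parenthesising the shift, `block >= (inode->i_size >> inode->i_blkbits)`, would also make the precedence explicit to readers. The body of `__ext4_read_dirblock()` starts and ends outside this hunk.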
|
@ -0,0 +1,36 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
|
||||
Date: Thu, 30 Jun 2022 23:07:18 +0300
|
||||
Subject: [PATCH] drm/virtio: Correct drm_gem_shmem_get_sg_table() error
|
||||
handling
|
||||
|
||||
[ Upstream commit 64b88afbd92fbf434759d1896a7cf705e1c00e79 ]
|
||||
|
||||
Previous commit fixed checking of the ERR_PTR value returned by
|
||||
drm_gem_shmem_get_sg_table(), but it missed to zero out the shmem->pages,
|
||||
which will crash virtio_gpu_cleanup_object(). Add the missing zeroing of
|
||||
the shmem->pages.
|
||||
|
||||
Fixes: c24968734abf ("drm/virtio: Fix NULL vs IS_ERR checking in virtio_gpu_object_shmem_init")
|
||||
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
|
||||
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
|
||||
Link: http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-2-dmitry.osipenko@collabora.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
drivers/gpu/drm/virtio/virtgpu_object.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/gpu/drm/virtio/virtgpu_object.c b/drivers/gpu/drm/virtio/virtgpu_object.c
|
||||
index 9af9f355e0a7..826ba2222062 100644
|
||||
--- a/drivers/gpu/drm/virtio/virtgpu_object.c
|
||||
+++ b/drivers/gpu/drm/virtio/virtgpu_object.c
|
||||
@@ -169,6 +169,7 @@ static int virtio_gpu_object_shmem_init(struct virtio_gpu_device *vgdev,
|
||||
shmem->pages = drm_gem_shmem_get_sg_table(&bo->base);
|
||||
if (IS_ERR(shmem->pages)) {
|
||||
drm_gem_shmem_unpin(&bo->base);
|
||||
+ shmem->pages = NULL;
|
||||
return PTR_ERR(shmem->pages);
|
||||
}
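Review bot: In the error branch, the added `shmem->pages = NULL;` runs before `return PTR_ERR(shmem->pages);`, so the error code is computed from a NULL pointer and the function returns 0 when `drm_gem_shmem_get_sg_table()` failed. A caller that sees success would presumably carry on with a NULL `shmem->pages`, which trades the crash in cleanup for a later NULL dereference. Save the code before clearing the pointer: `ret = PTR_ERR(shmem->pages);` then `shmem->pages = NULL;` then `return ret;` (assuming an `int ret` local exists; `virtio_gpu_object_shmem_init()` starts and ends outside the hunk). If upstream carries a follow-up that restores the error code, it should be backported together with this patch.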
|
||||
|
@ -0,0 +1,40 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Mon, 17 Oct 2022 14:12:58 +0200
|
||||
Subject: [PATCH] netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags
|
||||
requirements
|
||||
|
||||
[ Upstream commit 96df8360dbb435cc69f7c3c8db44bf8b1c24cd7b ]
|
||||
|
||||
Otherwise EINVAL is bogusly reported to userspace when deleting a set
|
||||
element. NFTA_SET_ELEM_KEY_END does not need to be set in case of:
|
||||
|
||||
- insertion: if not present, start key is used as end key.
|
||||
- deletion: only start key needs to be specified, end key is ignored.
|
||||
|
||||
Hence, relax the sanity check.
|
||||
|
||||
Fixes: 88cccd908d51 ("netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags")
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
net/netfilter/nf_tables_api.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
|
||||
index 460ad341d160..f7a5b8414423 100644
|
||||
--- a/net/netfilter/nf_tables_api.c
|
||||
+++ b/net/netfilter/nf_tables_api.c
|
||||
@@ -5720,8 +5720,9 @@ static bool nft_setelem_valid_key_end(const struct nft_set *set,
|
||||
(NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
|
||||
if (flags & NFT_SET_ELEM_INTERVAL_END)
|
||||
return false;
|
||||
- if (!nla[NFTA_SET_ELEM_KEY_END] &&
|
||||
- !(flags & NFT_SET_ELEM_CATCHALL))
|
||||
+
|
||||
+ if (nla[NFTA_SET_ELEM_KEY_END] &&
|
||||
+ flags & NFT_SET_ELEM_CATCHALL)
|
||||
return false;
|
||||
} else {
|
||||
if (nla[NFTA_SET_ELEM_KEY_END])
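Review bot: The new condition `nla[NFTA_SET_ELEM_KEY_END] && flags & NFT_SET_ELEM_CATCHALL` relies on `&` binding tighter than `&&`. It evaluates as intended, but the removed line and the neighbouring `if (flags & NFT_SET_ELEM_INTERVAL_END)` keep the mask test on its own, and validation code for netlink attributes is easier to audit when each flag test is parenthesised: `(flags & NFT_SET_ELEM_CATCHALL)`. A one-line comment would also record the relaxed rule for the next reader: `/* KEY_END is optional here; it is rejected only together with a catch-all element */`. `nft_setelem_valid_key_end()` begins and ends outside this hunk.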
|