--- /dev/null
+From 8884300b4b3f3a2f80af795117c59d214ec77466 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 14:39:41 +0800
+Subject: cfg80211: call cfg80211_leave_ocb when switching away from OCB
+
+From: Du Cheng <ducheng2@gmail.com>
+
+[ Upstream commit a64b6a25dd9f984ed05fade603a00e2eae787d2f ]
+
+If the userland switches back-and-forth between NL80211_IFTYPE_OCB and
+NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), there is a
+chance where the cleanup cfg80211_leave_ocb() is not called. This leads
+to initialization of in-use memory (e.g. init u.ibss while in-use by
+u.ocb) due to a shared struct/union within ieee80211_sub_if_data:
+
+struct ieee80211_sub_if_data {
+ ...
+ union {
+ struct ieee80211_if_ap ap;
+ struct ieee80211_if_vlan vlan;
+ struct ieee80211_if_managed mgd;
+ struct ieee80211_if_ibss ibss; // <- shares address
+ struct ieee80211_if_mesh mesh;
+ struct ieee80211_if_ocb ocb; // <- shares address
+ struct ieee80211_if_mntr mntr;
+ struct ieee80211_if_nan nan;
+ } u;
+ ...
+}
+
+Therefore add handling of otype == NL80211_IFTYPE_OCB, during
+cfg80211_change_iface() to perform cleanup when leaving OCB mode.
+
+link to syzkaller bug:
+https://syzkaller.appspot.com/bug?id=0612dbfa595bf4b9b680ff7b4948257b8e3732d5
+
+Reported-by: syzbot+105896fac213f26056f9@syzkaller.appspotmail.com
+Signed-off-by: Du Cheng <ducheng2@gmail.com>
+Link: https://lore.kernel.org/r/20210428063941.105161-1-ducheng2@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index 915f1fa881e4..73c361fd4a16 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -978,6 +978,9 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
+ case NL80211_IFTYPE_MESH_POINT:
+ /* mesh should be handled? */
+ break;
++ case NL80211_IFTYPE_OCB:
++ cfg80211_leave_ocb(rdev, dev);
++ break;
+ default:
+ break;
+ }
+--
+2.30.2
+
--- /dev/null
+From 174d6e2486cf08d5004c3d5f39a42c89f884fc87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 07:44:11 -0700
+Subject: inet: annotate date races around sk->sk_txhash
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b71eaed8c04f72a919a9c44e83e4ee254e69e7f3 ]
+
+UDP sendmsg() path can be lockless, it is possible for another
+thread to re-connect an change sk->sk_txhash under us.
+
+There is no serious impact, but we can use READ_ONCE()/WRITE_ONCE()
+pair to document the race.
+
+BUG: KCSAN: data-race in __ip4_datagram_connect / skb_set_owner_w
+
+write to 0xffff88813397920c of 4 bytes by task 30997 on cpu 1:
+ sk_set_txhash include/net/sock.h:1937 [inline]
+ __ip4_datagram_connect+0x69e/0x710 net/ipv4/datagram.c:75
+ __ip6_datagram_connect+0x551/0x840 net/ipv6/datagram.c:189
+ ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272
+ inet_dgram_connect+0xfd/0x180 net/ipv4/af_inet.c:580
+ __sys_connect_file net/socket.c:1837 [inline]
+ __sys_connect+0x245/0x280 net/socket.c:1854
+ __do_sys_connect net/socket.c:1864 [inline]
+ __se_sys_connect net/socket.c:1861 [inline]
+ __x64_sys_connect+0x3d/0x50 net/socket.c:1861
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88813397920c of 4 bytes by task 31039 on cpu 0:
+ skb_set_hash_from_sk include/net/sock.h:2211 [inline]
+ skb_set_owner_w+0x118/0x220 net/core/sock.c:2101
+ sock_alloc_send_pskb+0x452/0x4e0 net/core/sock.c:2359
+ sock_alloc_send_skb+0x2d/0x40 net/core/sock.c:2373
+ __ip6_append_data+0x1743/0x21a0 net/ipv6/ip6_output.c:1621
+ ip6_make_skb+0x258/0x420 net/ipv6/ip6_output.c:1983
+ udpv6_sendmsg+0x160a/0x16b0 net/ipv6/udp.c:1527
+ inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:642
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0xbca3c43d -> 0xfdb309e0
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 31039 Comm: syz-executor.2 Not tainted 5.13.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 31198b32d912..1b657a3a30b5 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1728,7 +1728,8 @@ static inline u32 net_tx_rndhash(void)
+
+ static inline void sk_set_txhash(struct sock *sk)
+ {
+- sk->sk_txhash = net_tx_rndhash();
++ /* This pairs with READ_ONCE() in skb_set_hash_from_sk() */
++ WRITE_ONCE(sk->sk_txhash, net_tx_rndhash());
+ }
+
+ static inline void sk_rethink_txhash(struct sock *sk)
+@@ -1980,9 +1981,12 @@ static inline void sock_poll_wait(struct file *filp,
+
+ static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk)
+ {
+- if (sk->sk_txhash) {
++ /* This pairs with WRITE_ONCE() in sk_set_txhash() */
++ u32 txhash = READ_ONCE(sk->sk_txhash);
++
++ if (txhash) {
+ skb->l4_hash = 1;
+- skb->hash = sk->sk_txhash;
++ skb->hash = txhash;
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From ac3be056602b9705caa3405cab511e09f79a9122 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 16:13:06 +0200
+Subject: mac80211: drop multicast fragments
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit a9799541ca34652d9996e45f80e8e03144c12949 ]
+
+These are not permitted by the spec, just drop them.
+
+Link: https://lore.kernel.org/r/20210609161305.23def022b750.Ibd6dd3cdce573dae262fcdc47f8ac52b883a9c50@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index ae0fba044cd0..bde924968cd2 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1853,17 +1853,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ sc = le16_to_cpu(hdr->seq_ctrl);
+ frag = sc & IEEE80211_SCTL_FRAG;
+
+- if (is_multicast_ether_addr(hdr->addr1)) {
+- I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);
+- goto out_no_led;
+- }
+-
+ if (rx->sta)
+ cache = &rx->sta->frags;
+
+ if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
+ goto out;
+
++ if (is_multicast_ether_addr(hdr->addr1))
++ return RX_DROP_MONITOR;
++
+ I802_DEBUG_INC(rx->local->rx_handlers_fragments);
+
+ if (skb_linearize(rx->skb))
+@@ -1992,7 +1990,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+
+ out:
+ ieee80211_led_rx(rx->local);
+- out_no_led:
+ if (rx->sta)
+ rx->sta->rx_stats.packets++;
+ return RX_CONTINUE;
+--
+2.30.2
+
--- /dev/null
+From 282dd3434ef3106bebd3c907dc9ee153789d9296 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 17:51:22 +0300
+Subject: net: caif: fix memory leak in ldisc_open
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 58af3d3d54e87bfc1f936e16c04ade3369d34011 ]
+
+Syzbot reported memory leak in tty_init_dev().
+The problem was in unputted tty in ldisc_open()
+
+static int ldisc_open(struct tty_struct *tty)
+{
+...
+ ser->tty = tty_kref_get(tty);
+...
+ result = register_netdevice(dev);
+ if (result) {
+ rtnl_unlock();
+ free_netdev(dev);
+ return -ENODEV;
+ }
+...
+}
+
+Ser pointer is netdev private_data, so after free_netdev()
+this pointer goes away with unputted tty reference. So, fix
+it by adding tty_kref_put() before freeing netdev.
+
+Reported-and-tested-by: syzbot+f303e045423e617d2cad@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/caif/caif_serial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
+index 32834dad0b83..1243c2e5a86a 100644
+--- a/drivers/net/caif/caif_serial.c
++++ b/drivers/net/caif/caif_serial.c
+@@ -362,6 +362,7 @@ static int ldisc_open(struct tty_struct *tty)
+ rtnl_lock();
+ result = register_netdevice(dev);
+ if (result) {
++ tty_kref_put(tty);
+ rtnl_unlock();
+ free_netdev(dev);
+ return -ENODEV;
+--
+2.30.2
+
--- /dev/null
+From f4b66d8b309ec5445884a7042443dad2a78d4efd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 12:52:38 +0200
+Subject: net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY
+
+From: Esben Haabendal <esben@geanix.com>
+
+[ Upstream commit f6396341194234e9b01cd7538bc2c6ac4501ab14 ]
+
+As documented in Documentation/networking/driver.rst, the ndo_start_xmit
+method must not return NETDEV_TX_BUSY under any normal circumstances, and
+as recommended, we simply stop the tx queue in advance, when there is a
+risk that the next xmit would cause a NETDEV_TX_BUSY return.
+
+Signed-off-by: Esben Haabendal <esben@geanix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/ll_temac_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
+index ed6a88cf3281..98a1c712b62a 100644
+--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
+@@ -735,6 +735,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ /* Kick off the transfer */
+ lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */
+
++ if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) {
++ netdev_info(ndev, "%s -> netif_stop_queue\n", __func__);
++ netif_stop_queue(ndev);
++ }
++
+ return NETDEV_TX_OK;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 4d08350e22bc97c5899e5fc5b41faf492579a233 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 09:41:36 +0800
+Subject: ping: Check return value of function 'ping_queue_rcv_skb'
+
+From: Zheng Yongjun <zhengyongjun3@huawei.com>
+
+[ Upstream commit 9d44fa3e50cc91691896934d106c86e4027e61ca ]
+
+Function 'ping_queue_rcv_skb' not always return success, which will
+also return fail. If not check the wrong return value of it, lead to function
+`ping_rcv` return success.
+
+Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ping.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index a3abd136b8e7..56d89dfd8831 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -978,6 +978,7 @@ bool ping_rcv(struct sk_buff *skb)
+ struct sock *sk;
+ struct net *net = dev_net(skb->dev);
+ struct icmphdr *icmph = icmp_hdr(skb);
++ bool rc = false;
+
+ /* We assume the packet has already been checked by icmp_rcv */
+
+@@ -992,14 +993,15 @@ bool ping_rcv(struct sk_buff *skb)
+ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
+
+ pr_debug("rcv on socket %p\n", sk);
+- if (skb2)
+- ping_queue_rcv_skb(sk, skb2);
++ if (skb2 && !ping_queue_rcv_skb(sk, skb2))
++ rc = true;
+ sock_put(sk);
+- return true;
+ }
+- pr_debug("no socket, dropping\n");
+
+- return false;
++ if (!rc)
++ pr_debug("no socket, dropping\n");
++
++ return rc;
+ }
+ EXPORT_SYMBOL_GPL(ping_rcv);
+
+--
+2.30.2
+
--- /dev/null
+From ad0f9f55b747fe7d273894f713daee95e875f6b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 12:53:03 -0700
+Subject: r8152: Avoid memcpy() over-reading of ETH_SS_STATS
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 99718abdc00e86e4f286dd836408e2834886c16e ]
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally reading across neighboring array fields.
+
+The memcpy() is copying the entire structure, not just the first array.
+Adjust the source argument so the compiler can do appropriate bounds
+checking.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 27e9c089b2fc..5baaa8291624 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -3820,7 +3820,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data)
+ {
+ switch (stringset) {
+ case ETH_SS_STATS:
+- memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings));
++ memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings));
+ break;
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From 6c7f2e9247997c261929d332cabe41f449437091 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 12:53:59 -0700
+Subject: r8169: Avoid memcpy() over-reading of ETH_SS_STATS
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit da5ac772cfe2a03058b0accfac03fad60c46c24d ]
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally reading across neighboring array fields.
+
+The memcpy() is copying the entire structure, not just the first array.
+Adjust the source argument so the compiler can do appropriate bounds
+checking.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
+index f3a685d3f649..55b0f11bf2a0 100644
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -2314,7 +2314,7 @@ static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data)
+ {
+ switch(stringset) {
+ case ETH_SS_STATS:
+- memcpy(data, *rtl8169_gstrings, sizeof(rtl8169_gstrings));
++ memcpy(data, rtl8169_gstrings, sizeof(rtl8169_gstrings));
+ break;
+ }
+ }
+--
+2.30.2
+
arm-9081-1-fix-gcc-10-thumb2-kernel-regression.patch
makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch
revert-pci-pm-do-not-read-power-state-in-pci_enable_.patch
+cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch
+mac80211-drop-multicast-fragments.patch
+ping-check-return-value-of-function-ping_queue_rcv_s.patch
+inet-annotate-date-races-around-sk-sk_txhash.patch
+net-caif-fix-memory-leak-in-ldisc_open.patch
+r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch
+sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch
+r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch
+net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch
--- /dev/null
+From d4c0ced4e6c5351bd009bcef2c57ce5f2f17b7c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 12:53:33 -0700
+Subject: sh_eth: Avoid memcpy() over-reading of ETH_SS_STATS
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 224004fbb033600715dbd626bceec10bfd9c58bc ]
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally reading across neighboring array fields.
+
+The memcpy() is copying the entire structure, not just the first array.
+Adjust the source argument so the compiler can do appropriate bounds
+checking.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
+index 614b83c7ce81..1942264b621b 100644
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -2210,7 +2210,7 @@ static void sh_eth_get_strings(struct net_device *ndev, u32 stringset, u8 *data)
+ {
+ switch (stringset) {
+ case ETH_SS_STATS:
+- memcpy(data, *sh_eth_gstrings_stats,
++ memcpy(data, sh_eth_gstrings_stats,
+ sizeof(sh_eth_gstrings_stats));
+ break;
+ }
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
