--- /dev/null
+From 1ade48d0c27d5da1ccf4b583d8c5fc8b534a3ac8 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Fri, 17 Dec 2021 10:29:41 +0800
+Subject: ax25: NPD bug when detaching AX25 device
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 1ade48d0c27d5da1ccf4b583d8c5fc8b534a3ac8 upstream.
+
+The existing cleanup routine implementation is not well synchronized
+with the syscall routine. When a device is detaching, below race could
+occur.
+
+static int ax25_sendmsg(...) {
+ ...
+ lock_sock()
+ ax25 = sk_to_ax25(sk);
+ if (ax25->ax25_dev == NULL) // CHECK
+ ...
+ ax25_queue_xmit(skb, ax25->ax25_dev->dev); // USE
+ ...
+}
+
+static void ax25_kill_by_device(...) {
+ ...
+ if (s->ax25_dev == ax25_dev) {
+ s->ax25_dev = NULL;
+ ...
+}
+
+Other syscall functions like ax25_getsockopt, ax25_getname,
+ax25_info_show also suffer from similar races. To fix them, this patch
+introduce lock_sock() into ax25_kill_by_device in order to guarantee
+that the nullify action in cleanup routine cannot proceed when another
+socket request is pending.
+
+Signed-off-by: Hanjie Wu <nagi@zju.edu.cn>
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -85,8 +85,10 @@ static void ax25_kill_by_device(struct n
+ again:
+ ax25_for_each(s, &ax25_list) {
+ if (s->ax25_dev == ax25_dev) {
+- s->ax25_dev = NULL;
+ spin_unlock_bh(&ax25_list_lock);
++ lock_sock(s->sk);
++ s->ax25_dev = NULL;
++ release_sock(s->sk);
+ ax25_disconnect(s, ENETUNREACH);
+ spin_lock_bh(&ax25_list_lock);
+
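Review bot: In ax25_kill_by_device(), `lock_sock(s->sk)` now runs after `spin_unlock_bh(&ax25_list_lock)`, and nothing in the hunk pins `s` or `s->sk` across that window. If a concurrent close can release the socket there, the NULL dereference is traded for a use-after-free; and if an ax25_cb can exist without a socket (not visible here), `s->sk` itself may be NULL. Consider `sk = s->sk; sock_hold(sk);` before the unlock and `sock_put(sk);` after `release_sock(sk)`, with a separate branch for a NULL `sk` that clears `s->ax25_dev` while the list lock is still held. The rest of the loop is outside the hunk.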
--- /dev/null
+From 3e0588c291d6ce225f2b891753ca41d45ba42469 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Mon, 8 Nov 2021 18:37:21 +0800
+Subject: hamradio: defer ax25 kfree after unregister_netdev
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 3e0588c291d6ce225f2b891753ca41d45ba42469 upstream.
+
+There is a possible race condition (use-after-free) like below
+
+ (USE) | (FREE)
+ax25_sendmsg |
+ ax25_queue_xmit |
+ dev_queue_xmit |
+ __dev_queue_xmit |
+ __dev_xmit_skb |
+ sch_direct_xmit | ...
+ xmit_one |
+ netdev_start_xmit | tty_ldisc_kill
+ __netdev_start_xmit | mkiss_close
+ ax_xmit | kfree
+ ax_encaps |
+ |
+
+Even though there are two synchronization primitives before the kfree:
+1. wait_for_completion(&ax->dead). This can prevent the race with
+routines from mkiss_ioctl. However, it cannot stop the routine coming
+from upper layer, i.e., the ax25_sendmsg.
+
+2. netif_stop_queue(ax->dev). It seems that this line of code aims to
+halt the transmit queue but it fails to stop the routine that already
+being xmit.
+
+This patch reorder the kfree after the unregister_netdev to avoid the
+possible UAF as the unregister_netdev() is well synchronized and won't
+return if there is a running routine.
+
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hamradio/mkiss.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -793,13 +793,14 @@ static void mkiss_close(struct tty_struc
+ */
+ netif_stop_queue(ax->dev);
+
+- /* Free all AX25 frame buffers. */
+- kfree(ax->rbuff);
+- kfree(ax->xbuff);
+-
+ ax->tty = NULL;
+
+ unregister_netdev(ax->dev);
++
++ /* Free all AX25 frame buffers after unreg. */
++ kfree(ax->rbuff);
++ kfree(ax->xbuff);
++
+ free_netdev(ax->dev);
+ }
+
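Review bot: The new comment `/* Free all AX25 frame buffers after unreg. */` in mkiss_close() records the order but not the reason, and the order is the whole fix. Going by the commit message, something like `/* unregister_netdev() returns only once no transmit is running; free the buffers ax_xmit() uses after that. */` would keep a later cleanup from moving the kfree() calls back up. The same applies to the `ax->tty = NULL;` store that the follow-up mkiss.c patch moves below unregister_netdev(), which carries no comment at all. The start of mkiss_close() is outside the hunk.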
--- /dev/null
+From b2f37aead1b82a770c48b5d583f35ec22aabb61e Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Fri, 17 Dec 2021 10:13:56 +0800
+Subject: hamradio: improve the incomplete fix to avoid NPD
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit b2f37aead1b82a770c48b5d583f35ec22aabb61e upstream.
+
+The previous commit 3e0588c291d6 ("hamradio: defer ax25 kfree after
+unregister_netdev") reorder the kfree operations and unregister_netdev
+operation to prevent UAF.
+
+This commit improves the previous one by also deferring the nullify of
+the ax->tty pointer. Otherwise, a NULL pointer dereference bug occurs.
+Partial of the stack trace is shown below.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000538
+RIP: 0010:ax_xmit+0x1f9/0x400
+...
+Call Trace:
+ dev_hard_start_xmit+0xec/0x320
+ sch_direct_xmit+0xea/0x240
+ __qdisc_run+0x166/0x5c0
+ __dev_queue_xmit+0x2c7/0xaf0
+ ax25_std_establish_data_link+0x59/0x60
+ ax25_connect+0x3a0/0x500
+ ? security_socket_connect+0x2b/0x40
+ __sys_connect+0x96/0xc0
+ ? __hrtimer_init+0xc0/0xc0
+ ? common_nsleep+0x2e/0x50
+ ? switch_fpu_return+0x139/0x1a0
+ __x64_sys_connect+0x11/0x20
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The crash point is shown as below
+
+static void ax_encaps(...) {
+ ...
+ set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); // ax->tty = NULL!
+ ...
+}
+
+By placing the nullify action after the unregister_netdev, the ax->tty
+pointer won't be assigned as NULL net_device framework layer is well
+synchronized.
+
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hamradio/mkiss.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -793,14 +793,14 @@ static void mkiss_close(struct tty_struc
+ */
+ netif_stop_queue(ax->dev);
+
+- ax->tty = NULL;
+-
+ unregister_netdev(ax->dev);
+
+ /* Free all AX25 frame buffers after unreg. */
+ kfree(ax->rbuff);
+ kfree(ax->xbuff);
+
++ ax->tty = NULL;
++
+ free_netdev(ax->dev);
+ }
+
--- /dev/null
+From da7dc0568491104c7acb632e9d41ddce9aaabbb1 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 26 Nov 2021 22:43:39 -0800
+Subject: hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit da7dc0568491104c7acb632e9d41ddce9aaabbb1 upstream.
+
+Tests with a real chip and a closer look into the datasheet reveals
+that the local and remote critical alarm status bits are swapped for
+MAX6680/MAX6681.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/lm90.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/lm90.c
++++ b/drivers/hwmon/lm90.c
+@@ -190,6 +190,7 @@ enum chips { lm90, adm1032, lm99, lm86,
+ #define LM90_HAVE_EXTENDED_TEMP (1 << 8) /* extended temperature support*/
+ #define LM90_PAUSE_FOR_CONFIG (1 << 9) /* Pause conversion for config */
+ #define LM90_HAVE_CRIT (1 << 10)/* Chip supports CRIT/OVERT register */
++#define LM90_HAVE_CRIT_ALRM_SWP (1 << 11)/* critical alarm bits swapped */
+
+ /* LM90 status */
+ #define LM90_STATUS_LTHRM (1 << 0) /* local THERM limit tripped */
+@@ -415,7 +416,8 @@ static const struct lm90_params lm90_par
+ .reg_local_ext = MAX6657_REG_R_LOCAL_TEMPL,
+ },
+ [max6680] = {
+- .flags = LM90_HAVE_OFFSET | LM90_HAVE_CRIT,
++ .flags = LM90_HAVE_OFFSET | LM90_HAVE_CRIT
++ | LM90_HAVE_CRIT_ALRM_SWP,
+ .alert_alarms = 0x7c,
+ .max_convrate = 7,
+ },
+@@ -1191,6 +1193,7 @@ static const u8 lm90_temp_emerg_index[3]
+ static const u8 lm90_min_alarm_bits[3] = { 5, 3, 11 };
+ static const u8 lm90_max_alarm_bits[3] = { 6, 4, 12 };
+ static const u8 lm90_crit_alarm_bits[3] = { 0, 1, 9 };
++static const u8 lm90_crit_alarm_bits_swapped[3] = { 1, 0, 9 };
+ static const u8 lm90_emergency_alarm_bits[3] = { 15, 13, 14 };
+ static const u8 lm90_fault_bits[3] = { 0, 2, 10 };
+
+@@ -1216,7 +1219,10 @@ static int lm90_temp_read(struct device
+ *val = (data->alarms >> lm90_max_alarm_bits[channel]) & 1;
+ break;
+ case hwmon_temp_crit_alarm:
+- *val = (data->alarms >> lm90_crit_alarm_bits[channel]) & 1;
++ if (data->flags & LM90_HAVE_CRIT_ALRM_SWP)
++ *val = (data->alarms >> lm90_crit_alarm_bits_swapped[channel]) & 1;
++ else
++ *val = (data->alarms >> lm90_crit_alarm_bits[channel]) & 1;
+ break;
+ case hwmon_temp_emergency_alarm:
+ *val = (data->alarms >> lm90_emergency_alarm_bits[channel]) & 1;
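Review bot: The swap is applied only where lm90_temp_read() reports `hwmon_temp_crit_alarm`, while the `LM90_STATUS_LTHRM` definition shown in the first hunk still describes bit 0 as the local THERM limit. Any code outside these hunks that tests that macro or its remote counterpart directly against the status value would still name the wrong channel on chips carrying `LM90_HAVE_CRIT_ALRM_SWP`; that is worth checking. A short comment on the new table, e.g. `/* MAX6680/MAX6681: local and remote critical bits are exchanged */`, would also tie `lm90_crit_alarm_bits_swapped` to the flag.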
--- /dev/null
+From cdc5287acad9ede121924a9c9313544b80d15842 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 3 Dec 2021 13:42:22 -0800
+Subject: hwmon: (lm90) Do not report 'busy' status bit as alarm
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit cdc5287acad9ede121924a9c9313544b80d15842 upstream.
+
+Bit 7 of the status register indicates that the chip is busy
+doing a conversion. It does not indicate an alarm status.
+Stop reporting it as alarm status bit.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/lm90.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hwmon/lm90.c
++++ b/drivers/hwmon/lm90.c
+@@ -200,6 +200,7 @@ enum chips { lm90, adm1032, lm99, lm86,
+ #define LM90_STATUS_RHIGH (1 << 4) /* remote high temp limit tripped */
+ #define LM90_STATUS_LLOW (1 << 5) /* local low temp limit tripped */
+ #define LM90_STATUS_LHIGH (1 << 6) /* local high temp limit tripped */
++#define LM90_STATUS_BUSY (1 << 7) /* conversion is ongoing */
+
+ #define MAX6696_STATUS2_R2THRM (1 << 1) /* remote2 THERM limit tripped */
+ #define MAX6696_STATUS2_R2OPEN (1 << 2) /* remote2 is an open circuit */
+@@ -819,7 +820,7 @@ static int lm90_update_device(struct dev
+ val = lm90_read_reg(client, LM90_REG_R_STATUS);
+ if (val < 0)
+ return val;
+- data->alarms = val; /* lower 8 bit of alarms */
++ data->alarms = val & ~LM90_STATUS_BUSY;
+
+ if (data->kind == max6696) {
+ val = lm90_select_remote_channel(data, 1);
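Review bot: The rewritten assignment `data->alarms = val & ~LM90_STATUS_BUSY;` in lm90_update_device() drops the old `/* lower 8 bit of alarms */` comment, which was the only hint in this hunk at how `data->alarms` is laid out. I would keep it and say why the bit is cleared: `data->alarms = val & ~LM90_STATUS_BUSY; /* lower 8 bits of alarms; busy is not an alarm */`. The mask is applied at this one read only; whether other readers of LM90_REG_R_STATUS exist and need the same treatment is not visible here.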
--- /dev/null
+From 75a2f31520095600f650597c0ac41f48b5ba0068 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= <remi@remlab.net>
+Date: Sun, 19 Dec 2021 19:03:39 +0200
+Subject: phonet/pep: refuse to enable an unbound pipe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rémi Denis-Courmont <remi@remlab.net>
+
+commit 75a2f31520095600f650597c0ac41f48b5ba0068 upstream.
+
+This ioctl() implicitly assumed that the socket was already bound to
+a valid local socket name, i.e. Phonet object. If the socket was not
+bound, two separate problems would occur:
+
+1) We'd send an pipe enablement request with an invalid source object.
+2) Later socket calls could BUG on the socket unexpectedly being
+ connected yet not bound to a valid object.
+
+Reported-by: syzbot+2dc91e7fc3dea88b1e8a@syzkaller.appspotmail.com
+Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/phonet/pep.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -946,6 +946,8 @@ static int pep_ioctl(struct sock *sk, in
+ ret = -EBUSY;
+ else if (sk->sk_state == TCP_ESTABLISHED)
+ ret = -EISCONN;
++ else if (!pn->pn_sk.sobject)
++ ret = -EADDRNOTAVAIL;
+ else
+ ret = pep_sock_enable(sk, NULL, 0);
+ release_sock(sk);
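Review bot: The new `else if (!pn->pn_sk.sobject)` branch in pep_ioctl() has no comment saying that a zero `sobject` means the socket is unbound, which is the condition the commit message is about. A line such as `/* not bound: no valid Phonet source object to send from */` above it would make the `-EADDRNOTAVAIL` return self-explanatory. The guard covers only this ioctl path; if pep_sock_enable() has other callers (not visible here), they depend on their own state checks. The enclosing branch starts before the hunk.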
--- /dev/null
+From 2d5446da5acecf9c67db1c9d55ae2c3e5de01f8d Mon Sep 17 00:00:00 2001
+From: Guodong Liu <guodong.liu@mediatek.corp-partner.google.com>
+Date: Wed, 10 Nov 2021 15:19:00 +0800
+Subject: pinctrl: mediatek: fix global-out-of-bounds issue
+
+From: Guodong Liu <guodong.liu@mediatek.corp-partner.google.com>
+
+commit 2d5446da5acecf9c67db1c9d55ae2c3e5de01f8d upstream.
+
+When eint virtual eint number is greater than gpio number,
+it maybe produce 'desc[eint_n]' size globle-out-of-bounds issue.
+
+Signed-off-by: Guodong Liu <guodong.liu@mediatek.corp-partner.google.com>
+Signed-off-by: Zhiyong Tao <zhiyong.tao@mediatek.com>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://lore.kernel.org/r/20211110071900.4490-2-zhiyong.tao@mediatek.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+@@ -236,8 +236,12 @@ static int mtk_xt_get_gpio_n(void *data,
+ desc = (const struct mtk_pin_desc *)hw->soc->pins;
+ *gpio_chip = &hw->chip;
+
+- /* Be greedy to guess first gpio_n is equal to eint_n */
+- if (desc[eint_n].eint.eint_n == eint_n)
++ /*
++ * Be greedy to guess first gpio_n is equal to eint_n.
++ * Only eint virtual eint number is greater than gpio number.
++ */
++ if (hw->soc->npins > eint_n &&
++ desc[eint_n].eint.eint_n == eint_n)
+ *gpio_n = eint_n;
+ else
+ *gpio_n = mtk_xt_find_eint_num(hw, eint_n);
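Review bot: The second sentence of the new comment in mtk_xt_get_gpio_n(), `Only eint virtual eint number is greater than gpio number.`, does not say what the added `hw->soc->npins > eint_n` test protects. Suggest `/* Guess gpio_n == eint_n first, but only index desc[] when eint_n is below npins; virtual eint numbers can exceed the pin count. */`. The fallback result of `mtk_xt_find_eint_num()` is stored in `*gpio_n` here, and any validation of it happens outside the hunk.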
kvm-vmx-fix-stale-docs-for-kvm-intel.emulate_invalid_guest_state.patch
mm-mempolicy-fix-thp-allocations-escaping-mempolicy-restrictions.patch
input-i8042-enable-deferred-probe-quirk-for-asus-um325ua.patch
+pinctrl-mediatek-fix-global-out-of-bounds-issue.patch
+hwmom-lm90-fix-citical-alarm-status-for-max6680-max6681.patch
+hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch
+ax25-npd-bug-when-detaching-ax25-device.patch
+hamradio-defer-ax25-kfree-after-unregister_netdev.patch
+hamradio-improve-the-incomplete-fix-to-avoid-npd.patch
+phonet-pep-refuse-to-enable-an-unbound-pipe.patch