5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 Aug 2022 09:22:47 +0000 (11:22 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 Aug 2022 09:22:47 +0000 (11:22 +0200)
added patches:
atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch
xen-xenbus-fix-return-type-in-xenbus_file_read.patch

queue-5.4/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch [new file with mode: 0644]
queue-5.4/dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch [new file with mode: 0644]
queue-5.4/nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch [new file with mode: 0644]
queue-5.4/ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/xen-xenbus-fix-return-type-in-xenbus_file_read.patch [new file with mode: 0644]

diff --git a/queue-5.4/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch b/queue-5.4/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
new file mode 100644 (file)
index 0000000..fc1ee32
--- /dev/null
@@ -0,0 +1,51 @@
+From 3f4093e2bf4673f218c0bf17d8362337c400e77b Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Fri, 5 Aug 2022 15:00:08 +0800
+Subject: atm: idt77252: fix use-after-free bugs caused by tst_timer
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 3f4093e2bf4673f218c0bf17d8362337c400e77b upstream.
+
+There are use-after-free bugs caused by tst_timer. The root cause
+is that there are no functions to stop tst_timer in idt77252_exit().
+One of the possible race conditions is shown below:
+
+    (thread 1)          |        (thread 2)
+                        |  idt77252_init_one
+                        |    init_card
+                        |      fill_tst
+                        |        mod_timer(&card->tst_timer, ...)
+idt77252_exit           |  (wait a time)
+                        |  tst_timer
+                        |
+                        |    ...
+  kfree(card) // FREE   |
+                        |    card->soft_tst[e] // USE
+
+The idt77252_dev is deallocated in idt77252_exit() and used in
+timer handler.
+
+This patch adds del_timer_sync() in idt77252_exit() in order that
+the timer handler could be stopped before the idt77252_dev is
+deallocated.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://lore.kernel.org/r/20220805070008.18007-1-duoming@zju.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/idt77252.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/atm/idt77252.c
++++ b/drivers/atm/idt77252.c
+@@ -3766,6 +3766,7 @@ static void __exit idt77252_exit(void)
+               card = idt77252_chain;
+               dev = card->atmdev;
+               idt77252_chain = card->next;
++              del_timer_sync(&card->tst_timer);
+               if (dev->phy->stop)
+                       dev->phy->stop(dev);
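Review bot: The added `del_timer_sync(&card->tst_timer)` in idt77252_exit() only protects the later `kfree(card)` if nothing that runs after it can re-arm the timer. The call sits before `dev->phy->stop(dev)` and the rest of the per-card teardown, which lies outside the hunk, so it is worth confirming that no later step reaches `fill_tst()` and its `mod_timer(&card->tst_timer, ...)`. A short comment on the new line would record that ordering requirement, for example `/* stop tst_timer first; nothing below may re-arm it before card is freed */`.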
diff --git a/queue-5.4/dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch b/queue-5.4/dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
new file mode 100644 (file)
index 0000000..a1cdeab
--- /dev/null
@@ -0,0 +1,34 @@
+From e34f49348f8b7a53205b6f77707a3a6a40cf420b Mon Sep 17 00:00:00 2001
+From: Chen Lin <chen45464546@163.com>
+Date: Thu, 11 Aug 2022 23:16:51 +0800
+Subject: dpaa2-eth: trace the allocated address instead of page struct
+
+From: Chen Lin <chen45464546@163.com>
+
+commit e34f49348f8b7a53205b6f77707a3a6a40cf420b upstream.
+
+We should trace the allocated address instead of page struct.
+
+Fixes: 27c874867c4e ("dpaa2-eth: Use a single page per Rx buffer")
+Signed-off-by: Chen Lin <chen.lin5@zte.com.cn>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/20220811151651.3327-1-chen45464546@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -971,8 +971,8 @@ static int add_bufs(struct dpaa2_eth_pri
+               buf_array[i] = addr;
+               /* tracing point */
+-              trace_dpaa2_eth_buf_seed(priv->net_dev,
+-                                       page, DPAA2_ETH_RX_BUF_RAW_SIZE,
++              trace_dpaa2_eth_buf_seed(priv->net_dev, page_address(page),
++                                       DPAA2_ETH_RX_BUF_RAW_SIZE,
+                                        addr, priv->rx_buf_size,
+                                        bpid);
+       }
diff --git a/queue-5.4/nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch b/queue-5.4/nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
new file mode 100644 (file)
index 0000000..c628dc1
--- /dev/null
@@ -0,0 +1,43 @@
+From 4ae97cae07e15d41e5c0ebabba64c6eefdeb0bbe Mon Sep 17 00:00:00 2001
+From: Yu Xiao <yu.xiao@corigine.com>
+Date: Tue, 2 Aug 2022 10:33:55 +0100
+Subject: nfp: ethtool: fix the display error of `ethtool -m DEVNAME`
+
+From: Yu Xiao <yu.xiao@corigine.com>
+
+commit 4ae97cae07e15d41e5c0ebabba64c6eefdeb0bbe upstream.
+
+The port flag isn't set to `NFP_PORT_CHANGED` when using
+`ethtool -m DEVNAME` before, so the port state (e.g. interface)
+cannot be updated. Therefore, it caused that `ethtool -m DEVNAME`
+sometimes cannot read the correct information.
+
+E.g. `ethtool -m DEVNAME` cannot work when load driver before plug
+in optical module, as the port interface is still NONE without port
+update.
+
+Now update the port state before sending info to NIC to ensure that
+port interface is correct (latest state).
+
+Fixes: 61f7c6f44870 ("nfp: implement ethtool get module EEPROM")
+Reviewed-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: Yu Xiao <yu.xiao@corigine.com>
+Signed-off-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20220802093355.69065-1-simon.horman@corigine.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+@@ -1127,6 +1127,8 @@ nfp_port_get_module_info(struct net_devi
+       u8 data;
+       port = nfp_port_from_netdev(netdev);
++      /* update port state to get latest interface */
++      set_bit(NFP_PORT_CHANGED, &port->flags);
+       eth_port = nfp_port_get_eth_port(port);
+       if (!eth_port)
+               return -EOPNOTSUPP;
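Review bot: `set_bit(NFP_PORT_CHANGED, &port->flags)` dereferences `port` immediately after `nfp_port_from_netdev(netdev)`, with no NULL check in between. Before this change the first use of `port` was `nfp_port_get_eth_port(port)`, whose result is checked on the following lines. If the lookup can return NULL for a netdev that has no port (the helper is not visible here, so this needs confirming), the new line turns an `-EOPNOTSUPP` path into a NULL dereference on an ethtool request. A guard placed before the flag update would keep the old behaviour: `if (!port) return -EOPNOTSUPP;`. The function body continues outside the hunk.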
diff --git a/queue-5.4/ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch b/queue-5.4/ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch
new file mode 100644 (file)
index 0000000..842fe11
--- /dev/null
@@ -0,0 +1,52 @@
+From 45e1058b77feade4e36402828bfe3e0d3363177b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 20 Jul 2022 21:28:18 +0300
+Subject: NTB: ntb_tool: uninitialized heap data in tool_fn_write()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 45e1058b77feade4e36402828bfe3e0d3363177b upstream.
+
+The call to:
+
+       ret = simple_write_to_buffer(buf, size, offp, ubuf, size);
+
+will return success if it is able to write even one byte to "buf".
+The value of "*offp" controls which byte.  This could result in
+reading uninitialized data when we do the sscanf() on the next line.
+
+This code is not really desigined to handle partial writes where
+*offp is non-zero and the "buf" is preserved and re-used between writes.
+Just ban partial writes and replace the simple_write_to_buffer() with
+copy_from_user().
+
+Fixes: 578b881ba9c4 ("NTB: Add tool test client")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ntb/test/ntb_tool.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/ntb/test/ntb_tool.c
++++ b/drivers/ntb/test/ntb_tool.c
+@@ -367,14 +367,16 @@ static ssize_t tool_fn_write(struct tool
+       u64 bits;
+       int n;
++      if (*offp)
++              return 0;
++
+       buf = kmalloc(size + 1, GFP_KERNEL);
+       if (!buf)
+               return -ENOMEM;
+-      ret = simple_write_to_buffer(buf, size, offp, ubuf, size);
+-      if (ret < 0) {
++      if (copy_from_user(buf, ubuf, size)) {
+               kfree(buf);
+-              return ret;
++              return -EFAULT;
+       }
+       buf[size] = 0;
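Review bot: The new `if (*offp) return 0;` in tool_fn_write() rejects a write at a non-zero offset by reporting zero bytes written rather than an error. A caller that retries short writes in a loop would see neither progress nor an errno; returning an error such as `return -EINVAL;` would make the ban on partial writes explicit. Separately, `kmalloc(size + 1, GFP_KERNEL)` still takes `size` directly from the write request and no upper bound is visible in this hunk; if the length is capped elsewhere, a one-line comment saying so would help the next reader. The function continues outside the hunk.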
index af365d875bf54ebef894bef3316ebb459c56a82f..e8634929a9bf6554735b26224633d7947c1e49b9 100644 (file)
@@ -321,3 +321,8 @@ vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch
 dt-bindings-arm-qcom-fix-msm8916-mtp-compatibles.patch
 tools-vm-slabinfo-use-alphabetic-order-when-two-values-are-equal.patch
 tools-build-switch-to-new-openssl-api-for-test-libcrypto.patch
+ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch
+nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
+xen-xenbus-fix-return-type-in-xenbus_file_read.patch
+atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
+dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
diff --git a/queue-5.4/xen-xenbus-fix-return-type-in-xenbus_file_read.patch b/queue-5.4/xen-xenbus-fix-return-type-in-xenbus_file_read.patch
new file mode 100644 (file)
index 0000000..f116f03
--- /dev/null
@@ -0,0 +1,48 @@
+From 32ad11127b95236dfc52375f3707853194a7f4b4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 4 Aug 2022 10:11:33 +0300
+Subject: xen/xenbus: fix return type in xenbus_file_read()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 32ad11127b95236dfc52375f3707853194a7f4b4 upstream.
+
+This code tries to store -EFAULT in an unsigned int.  The
+xenbus_file_read() function returns type ssize_t so the negative value
+is returned as a positive value to the user.
+
+This change forces another change to the min() macro.  Originally, the
+min() macro used "unsigned" type which checkpatch complains about.  Also
+unsigned type would break if "len" were not capped at MAX_RW_COUNT.  Use
+size_t for the min().  (No effect on runtime for the min_t() change).
+
+Fixes: 2fb3683e7b16 ("xen: Add xenbus device driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
+Link: https://lore.kernel.org/r/YutxJUaUYRG/VLVc@kili
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/xenbus/xenbus_dev_frontend.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -128,7 +128,7 @@ static ssize_t xenbus_file_read(struct f
+ {
+       struct xenbus_file_priv *u = filp->private_data;
+       struct read_buffer *rb;
+-      unsigned i;
++      ssize_t i;
+       int ret;
+       mutex_lock(&u->reply_mutex);
+@@ -148,7 +148,7 @@ again:
+       rb = list_entry(u->read_buffers.next, struct read_buffer, list);
+       i = 0;
+       while (i < len) {
+-              unsigned sz = min((unsigned)len - i, rb->len - rb->cons);
++              size_t sz = min_t(size_t, len - i, rb->len - rb->cons);
+               ret = copy_to_user(ubuf + i, &rb->msg[rb->cons], sz);