Fixes for 4.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.4/mlx4-fix-missing-error-code-in-mlx4_load_one.patch b/queue-4.4/mlx4-fix-missing-error-code-in-mlx4_load_one.patch
new file mode 100644 (file)
index 0000000..d21b612
--- /dev/null
+++ b/queue-4.4/mlx4-fix-missing-error-code-in-mlx4_load_one.patch
@@ -0,0 +1,42 @@
+From 2f97aeee71dbc876d89f040e166279108dc5a565 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 18:36:09 +0800
+Subject: mlx4: Fix missing error code in mlx4_load_one()
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit 7e4960b3d66d7248b23de3251118147812b42da2 ]
+
+The error code is missing in this code scenario, add the error code
+'-EINVAL' to the return value 'err'.
+
+Eliminate the follow smatch warning:
+
+drivers/net/ethernet/mellanox/mlx4/main.c:3538 mlx4_load_one() warn:
+missing error code 'err'.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Fixes: 7ae0e400cd93 ("net/mlx4_core: Flexible (asymmetric) allocation of EQs and MSI-X vectors for PF/VFs")
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
+index b774ba64bd4b..913e0fd10fde 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -3222,6 +3222,7 @@ slave_start:
+ 
+               if (!SRIOV_VALID_STATE(dev->flags)) {
+                       mlx4_err(dev, "Invalid SRIOV state\n");
++                      err = -EINVAL;
+                       goto err_close;
+               }
+       }
+-- 
+2.30.2
+

diff --git a/queue-4.4/net-llc-fix-skb_over_panic.patch b/queue-4.4/net-llc-fix-skb_over_panic.patch
new file mode 100644 (file)
index 0000000..c88d3b9
--- /dev/null
+++ b/queue-4.4/net-llc-fix-skb_over_panic.patch
@@ -0,0 +1,161 @@
+From f365a66c1669743af85a7c34aad2e9ef80928b5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jul 2021 00:11:59 +0300
+Subject: net: llc: fix skb_over_panic
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit c7c9d2102c9c098916ab9e0ab248006107d00d6c ]
+
+Syzbot reported skb_over_panic() in llc_pdu_init_as_xid_cmd(). The
+problem was in wrong LCC header manipulations.
+
+Syzbot's reproducer tries to send XID packet. llc_ui_sendmsg() is
+doing following steps:
+
+       1. skb allocation with size = len + header size
+               len is passed from userpace and header size
+               is 3 since addr->sllc_xid is set.
+
+       2. skb_reserve() for header_len = 3
+       3. filling all other space with memcpy_from_msg()
+
+Ok, at this moment we have fully loaded skb, only headers needs to be
+filled.
+
+Then code comes to llc_sap_action_send_xid_c(). This function pushes 3
+bytes for LLC PDU header and initializes it. Then comes
+llc_pdu_init_as_xid_cmd(). It initalizes next 3 bytes *AFTER* LLC PDU
+header and call skb_push(skb, 3). This looks wrong for 2 reasons:
+
+       1. Bytes rigth after LLC header are user data, so this function
+          was overwriting payload.
+
+       2. skb_push(skb, 3) call can cause skb_over_panic() since
+          all free space was filled in llc_ui_sendmsg(). (This can
+          happen is user passed 686 len: 686 + 14 (eth header) + 3 (LLC
+          header) = 703. SKB_DATA_ALIGN(703) = 704)
+
+So, in this patch I added 2 new private constansts: LLC_PDU_TYPE_U_XID
+and LLC_PDU_LEN_U_XID. LLC_PDU_LEN_U_XID is used to correctly reserve
+header size to handle LLC + XID case. LLC_PDU_TYPE_U_XID is used by
+llc_pdu_header_init() function to push 6 bytes instead of 3. And finally
+I removed skb_push() call from llc_pdu_init_as_xid_cmd().
+
+This changes should not affect other parts of LLC, since after
+all steps we just transmit buffer.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-and-tested-by: syzbot+5e5a981ad7cc54c4b2b4@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/llc_pdu.h | 31 +++++++++++++++++++++++--------
+ net/llc/af_llc.c      | 10 +++++++++-
+ net/llc/llc_s_ac.c    |  2 +-
+ 3 files changed, 33 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/llc_pdu.h b/include/net/llc_pdu.h
+index c0f0a13ed818..49aa79c7b278 100644
+--- a/include/net/llc_pdu.h
++++ b/include/net/llc_pdu.h
+@@ -15,9 +15,11 @@
+ #include <linux/if_ether.h>
+ 
+ /* Lengths of frame formats */
+-#define LLC_PDU_LEN_I 4       /* header and 2 control bytes */
+-#define LLC_PDU_LEN_S 4
+-#define LLC_PDU_LEN_U 3       /* header and 1 control byte */
++#define LLC_PDU_LEN_I         4       /* header and 2 control bytes */
++#define LLC_PDU_LEN_S         4
++#define LLC_PDU_LEN_U         3       /* header and 1 control byte */
++/* header and 1 control byte and XID info */
++#define LLC_PDU_LEN_U_XID     (LLC_PDU_LEN_U + sizeof(struct llc_xid_info))
+ /* Known SAP addresses */
+ #define LLC_GLOBAL_SAP        0xFF
+ #define LLC_NULL_SAP  0x00    /* not network-layer visible */
+@@ -50,9 +52,10 @@
+ #define LLC_PDU_TYPE_U_MASK    0x03   /* 8-bit control field */
+ #define LLC_PDU_TYPE_MASK      0x03
+ 
+-#define LLC_PDU_TYPE_I        0       /* first bit */
+-#define LLC_PDU_TYPE_S        1       /* first two bits */
+-#define LLC_PDU_TYPE_U        3       /* first two bits */
++#define LLC_PDU_TYPE_I                0       /* first bit */
++#define LLC_PDU_TYPE_S                1       /* first two bits */
++#define LLC_PDU_TYPE_U                3       /* first two bits */
++#define LLC_PDU_TYPE_U_XID    4       /* private type for detecting XID commands */
+ 
+ #define LLC_PDU_TYPE_IS_I(pdu) \
+       ((!(pdu->ctrl_1 & LLC_PDU_TYPE_I_MASK)) ? 1 : 0)
+@@ -230,9 +233,18 @@ static inline struct llc_pdu_un *llc_pdu_un_hdr(struct sk_buff *skb)
+ static inline void llc_pdu_header_init(struct sk_buff *skb, u8 type,
+                                      u8 ssap, u8 dsap, u8 cr)
+ {
+-      const int hlen = type == LLC_PDU_TYPE_U ? 3 : 4;
++      int hlen = 4; /* default value for I and S types */
+       struct llc_pdu_un *pdu;
+ 
++      switch (type) {
++      case LLC_PDU_TYPE_U:
++              hlen = 3;
++              break;
++      case LLC_PDU_TYPE_U_XID:
++              hlen = 6;
++              break;
++      }
++
+       skb_push(skb, hlen);
+       skb_reset_network_header(skb);
+       pdu = llc_pdu_un_hdr(skb);
+@@ -374,7 +386,10 @@ static inline void llc_pdu_init_as_xid_cmd(struct sk_buff *skb,
+       xid_info->fmt_id = LLC_XID_FMT_ID;      /* 0x81 */
+       xid_info->type   = svcs_supported;
+       xid_info->rw     = rx_window << 1;      /* size of receive window */
+-      skb_put(skb, sizeof(struct llc_xid_info));
++
++      /* no need to push/put since llc_pdu_header_init() has already
++       * pushed 3 + 3 bytes
++       */
+ }
+ 
+ /**
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index f613a1007107..82b07bc43071 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -96,8 +96,16 @@ static inline u8 llc_ui_header_len(struct sock *sk, struct sockaddr_llc *addr)
+ {
+       u8 rc = LLC_PDU_LEN_U;
+ 
+-      if (addr->sllc_test || addr->sllc_xid)
++      if (addr->sllc_test)
+               rc = LLC_PDU_LEN_U;
++      else if (addr->sllc_xid)
++              /* We need to expand header to sizeof(struct llc_xid_info)
++               * since llc_pdu_init_as_xid_cmd() sets 4,5,6 bytes of LLC header
++               * as XID PDU. In llc_ui_sendmsg() we reserved header size and then
++               * filled all other space with user data. If we won't reserve this
++               * bytes, llc_pdu_init_as_xid_cmd() will overwrite user data
++               */
++              rc = LLC_PDU_LEN_U_XID;
+       else if (sk->sk_type == SOCK_STREAM)
+               rc = LLC_PDU_LEN_I;
+       return rc;
+diff --git a/net/llc/llc_s_ac.c b/net/llc/llc_s_ac.c
+index 7ae4cc684d3a..9fa3342c7a82 100644
+--- a/net/llc/llc_s_ac.c
++++ b/net/llc/llc_s_ac.c
+@@ -79,7 +79,7 @@ int llc_sap_action_send_xid_c(struct llc_sap *sap, struct sk_buff *skb)
+       struct llc_sap_state_ev *ev = llc_sap_ev(skb);
+       int rc;
+ 
+-      llc_pdu_header_init(skb, LLC_PDU_TYPE_U, ev->saddr.lsap,
++      llc_pdu_header_init(skb, LLC_PDU_TYPE_U_XID, ev->saddr.lsap,
+                           ev->daddr.lsap, LLC_PDU_CMD);
+       llc_pdu_init_as_xid_cmd(skb, LLC_XID_NULL_CLASS_2, 0);
+       rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac);
+-- 
+2.30.2
+

diff --git a/queue-4.4/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch b/queue-4.4/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch
new file mode 100644 (file)
index 0000000..bede33d
--- /dev/null
+++ b/queue-4.4/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch
@@ -0,0 +1,36 @@
+From 500b18f44ee000ea2421989d7e88897f2a04d932 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 18:22:50 +0200
+Subject: netfilter: nft_nat: allow to specify layer 4 protocol NAT only
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit a33f387ecd5aafae514095c2c4a8c24f7aea7e8b ]
+
+nft_nat reports a bogus EAFNOSUPPORT if no layer 3 information is specified.
+
+Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_nat.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
+index 868480b83649..182704b980d1 100644
+--- a/net/netfilter/nft_nat.c
++++ b/net/netfilter/nft_nat.c
+@@ -157,7 +157,9 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+               alen = FIELD_SIZEOF(struct nf_nat_range, min_addr.ip6);
+               break;
+       default:
+-              return -EAFNOSUPPORT;
++              if (tb[NFTA_NAT_REG_ADDR_MIN])
++                      return -EAFNOSUPPORT;
++              break;
+       }
+       priv->family = family;
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.4/series b/queue-4.4/series
index 0bfa94a90ff3ca659da40e1b30fea74f838f2faa..ea42503d89c244529c356b8bc556af3d3e745967 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -18,3 +18,9 @@ can-esd_usb2-fix-memory-leak.patch
 niu-fix-incorrect-error-return-missed-in-previous-revert.patch
 x86-asm-ensure-asm-proto.h-can-be-included-stand-alo.patch
 cfg80211-fix-possible-memory-leak-in-function-cfg80211_bss_update.patch
+netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch
+tipc-fix-sleeping-in-tipc-accept-routine.patch
+mlx4-fix-missing-error-code-in-mlx4_load_one.patch
+net-llc-fix-skb_over_panic.patch
+tulip-windbond-840-fix-missing-pci_disable_device-in.patch
+sis900-fix-missing-pci_disable_device-in-probe-and-r.patch

diff --git a/queue-4.4/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch b/queue-4.4/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch
new file mode 100644 (file)
index 0000000..07eec31
--- /dev/null
+++ b/queue-4.4/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch
@@ -0,0 +1,64 @@
+From a985f1db5beee4b5542d9dee93e8397d692e7aeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 20:11:07 +0800
+Subject: sis900: Fix missing pci_disable_device() in probe and remove
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 89fb62fde3b226f99b7015280cf132e2a7438edf ]
+
+Replace pci_enable_device() with pcim_enable_device(),
+pci_disable_device() and pci_release_regions() will be
+called in release automatically.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sis/sis900.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/sis/sis900.c b/drivers/net/ethernet/sis/sis900.c
+index dff5b56738d3..9fe5d13402e0 100644
+--- a/drivers/net/ethernet/sis/sis900.c
++++ b/drivers/net/ethernet/sis/sis900.c
+@@ -442,7 +442,7 @@ static int sis900_probe(struct pci_dev *pci_dev,
+ #endif
+ 
+       /* setup various bits in PCI command register */
+-      ret = pci_enable_device(pci_dev);
++      ret = pcim_enable_device(pci_dev);
+       if(ret) return ret;
+ 
+       i = pci_set_dma_mask(pci_dev, DMA_BIT_MASK(32));
+@@ -468,7 +468,7 @@ static int sis900_probe(struct pci_dev *pci_dev,
+       ioaddr = pci_iomap(pci_dev, 0, 0);
+       if (!ioaddr) {
+               ret = -ENOMEM;
+-              goto err_out_cleardev;
++              goto err_out;
+       }
+ 
+       sis_priv = netdev_priv(net_dev);
+@@ -576,8 +576,6 @@ err_unmap_tx:
+               sis_priv->tx_ring_dma);
+ err_out_unmap:
+       pci_iounmap(pci_dev, ioaddr);
+-err_out_cleardev:
+-      pci_release_regions(pci_dev);
+  err_out:
+       free_netdev(net_dev);
+       return ret;
+@@ -2425,7 +2423,6 @@ static void sis900_remove(struct pci_dev *pci_dev)
+               sis_priv->tx_ring_dma);
+       pci_iounmap(pci_dev, sis_priv->ioaddr);
+       free_netdev(net_dev);
+-      pci_release_regions(pci_dev);
+ }
+ 
+ #ifdef CONFIG_PM
+-- 
+2.30.2
+

diff --git a/queue-4.4/tipc-fix-sleeping-in-tipc-accept-routine.patch b/queue-4.4/tipc-fix-sleeping-in-tipc-accept-routine.patch
new file mode 100644 (file)
index 0000000..e857cee
--- /dev/null
+++ b/queue-4.4/tipc-fix-sleeping-in-tipc-accept-routine.patch
@@ -0,0 +1,62 @@
+From 01959d4d70d9f8e3ad67e387c64792947462845b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 09:25:34 +0700
+Subject: tipc: fix sleeping in tipc accept routine
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+[ Upstream commit d237a7f11719ff9320721be5818352e48071aab6 ]
+
+The release_sock() is blocking function, it would change the state
+after sleeping. In order to evaluate the stated condition outside
+the socket lock context, switch to use wait_woken() instead.
+
+Fixes: 6398e23cdb1d8 ("tipc: standardize accept routine")
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/socket.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 3ad9158ecf30..9d15bb865eea 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1987,7 +1987,7 @@ static int tipc_listen(struct socket *sock, int len)
+ static int tipc_wait_for_accept(struct socket *sock, long timeo)
+ {
+       struct sock *sk = sock->sk;
+-      DEFINE_WAIT(wait);
++      DEFINE_WAIT_FUNC(wait, woken_wake_function);
+       int err;
+ 
+       /* True wake-one mechanism for incoming connections: only
+@@ -1996,12 +1996,12 @@ static int tipc_wait_for_accept(struct socket *sock, long timeo)
+        * anymore, the common case will execute the loop only once.
+       */
+       for (;;) {
+-              prepare_to_wait_exclusive(sk_sleep(sk), &wait,
+-                                        TASK_INTERRUPTIBLE);
+               if (timeo && skb_queue_empty(&sk->sk_receive_queue)) {
++                      add_wait_queue(sk_sleep(sk), &wait);
+                       release_sock(sk);
+-                      timeo = schedule_timeout(timeo);
++                      timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
+                       lock_sock(sk);
++                      remove_wait_queue(sk_sleep(sk), &wait);
+               }
+               err = 0;
+               if (!skb_queue_empty(&sk->sk_receive_queue))
+@@ -2016,7 +2016,6 @@ static int tipc_wait_for_accept(struct socket *sock, long timeo)
+               if (signal_pending(current))
+                       break;
+       }
+-      finish_wait(sk_sleep(sk), &wait);
+       return err;
+ }
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.4/tulip-windbond-840-fix-missing-pci_disable_device-in.patch b/queue-4.4/tulip-windbond-840-fix-missing-pci_disable_device-in.patch
new file mode 100644 (file)
index 0000000..95ad15c
--- /dev/null
+++ b/queue-4.4/tulip-windbond-840-fix-missing-pci_disable_device-in.patch
@@ -0,0 +1,65 @@
+From 0ffb5a365e17ec6696bae16292652bf6a0df4da5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 15:43:13 +0800
+Subject: tulip: windbond-840: Fix missing pci_disable_device() in probe and
+ remove
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 76a16be07b209a3f507c72abe823bd3af1c8661a ]
+
+Replace pci_enable_device() with pcim_enable_device(),
+pci_disable_device() and pci_release_regions() will be
+called in release automatically.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/dec/tulip/winbond-840.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/dec/tulip/winbond-840.c b/drivers/net/ethernet/dec/tulip/winbond-840.c
+index 3c0e4d5c5fef..abc66eb13c35 100644
+--- a/drivers/net/ethernet/dec/tulip/winbond-840.c
++++ b/drivers/net/ethernet/dec/tulip/winbond-840.c
+@@ -368,7 +368,7 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+       int i, option = find_cnt < MAX_UNITS ? options[find_cnt] : 0;
+       void __iomem *ioaddr;
+ 
+-      i = pci_enable_device(pdev);
++      i = pcim_enable_device(pdev);
+       if (i) return i;
+ 
+       pci_set_master(pdev);
+@@ -390,7 +390,7 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+ 
+       ioaddr = pci_iomap(pdev, TULIP_BAR, netdev_res_size);
+       if (!ioaddr)
+-              goto err_out_free_res;
++              goto err_out_netdev;
+ 
+       for (i = 0; i < 3; i++)
+               ((__le16 *)dev->dev_addr)[i] = cpu_to_le16(eeprom_read(ioaddr, i));
+@@ -469,8 +469,6 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+ 
+ err_out_cleardev:
+       pci_iounmap(pdev, ioaddr);
+-err_out_free_res:
+-      pci_release_regions(pdev);
+ err_out_netdev:
+       free_netdev (dev);
+       return -ENODEV;
+@@ -1537,7 +1535,6 @@ static void w840_remove1(struct pci_dev *pdev)
+       if (dev) {
+               struct netdev_private *np = netdev_priv(dev);
+               unregister_netdev(dev);
+-              pci_release_regions(pdev);
+               pci_iounmap(pdev, np->base_addr);
+               free_netdev(dev);
+       }
+-- 
+2.30.2
+