]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
Fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Mon, 25 Jan 2021 03:21:30 +0000 (22:21 -0500)
committerSasha Levin <sashal@kernel.org>
Mon, 25 Jan 2021 03:21:30 +0000 (22:21 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.9/can-dev-can_restart-fix-use-after-free-bug.patch [new file with mode: 0644]
queue-4.9/i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/can-dev-can_restart-fix-use-after-free-bug.patch b/queue-4.9/can-dev-can_restart-fix-use-after-free-bug.patch
new file mode 100644 (file)
index 0000000..93adeae
--- /dev/null
@@ -0,0 +1,46 @@
+From 19aa0b41232476f371e0c623fc644fe02f197149 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 20:41:35 +0900
+Subject: can: dev: can_restart: fix use after free bug
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 03f16c5075b22c8902d2af739969e878b0879c94 ]
+
+After calling netif_rx_ni(skb), dereferencing skb is unsafe.
+Especially, the can_frame cf which aliases skb memory is accessed
+after the netif_rx_ni() in:
+      stats->rx_bytes += cf->len;
+
+Reordering the lines solves the issue.
+
+Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
+Link: https://lore.kernel.org/r/20210120114137.200019-2-mailhol.vincent@wanadoo.fr
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index c7508d9a4c6fb..164078609f98e 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -555,11 +555,11 @@ static void can_restart(struct net_device *dev)
+       }
+       cf->can_id |= CAN_ERR_RESTARTED;
+-      netif_rx_ni(skb);
+-
+       stats->rx_packets++;
+       stats->rx_bytes += cf->can_dlc;
++      netif_rx_ni(skb);
++
+ restart:
+       netdev_dbg(dev, "restarted\n");
+       priv->can_stats.restarts++;
+-- 
+2.27.0
+
diff --git a/queue-4.9/i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch b/queue-4.9/i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch
new file mode 100644 (file)
index 0000000..039077b
--- /dev/null
@@ -0,0 +1,37 @@
+From d5f1d167baad0d412bd055f96c4b401cb66db13d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Jan 2021 13:43:08 +0100
+Subject: i2c: octeon: check correct size of maximum RECV_LEN packet
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 1b2cfa2d1dbdcc3b6dba1ecb7026a537a1d7277f ]
+
+I2C_SMBUS_BLOCK_MAX defines already the maximum number as defined in the
+SMBus 2.0 specs. No reason to add one to it.
+
+Fixes: 886f6f8337dd ("i2c: octeon: Support I2C_M_RECV_LEN")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Robert Richter <rric@kernel.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-octeon-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-octeon-core.c b/drivers/i2c/busses/i2c-octeon-core.c
+index 5e63b17f935d5..e5ad3f9cd372f 100644
+--- a/drivers/i2c/busses/i2c-octeon-core.c
++++ b/drivers/i2c/busses/i2c-octeon-core.c
+@@ -383,7 +383,7 @@ static int octeon_i2c_read(struct octeon_i2c *i2c, int target,
+               data[i] = octeon_i2c_data_read(i2c);
+               if (recv_len && i == 0) {
+-                      if (data[i] > I2C_SMBUS_BLOCK_MAX + 1)
++                      if (data[i] > I2C_SMBUS_BLOCK_MAX)
+                               return -EPROTO;
+                       length += data[i];
+               }
+-- 
+2.27.0
+
index 1490fe3cb01979a1e9649ecf798ef482e2dedcba..3d097e1baa8d52f4e4c2acb2f6810cf95e6a5d03 100644 (file)
@@ -6,3 +6,5 @@ asoc-intel-haswell-add-missing-pm_ops.patch
 scsi-ufs-correct-the-lun-used-in-eh_device_reset_han.patch
 drm-nouveau-bios-fix-issue-shadowing-expansion-roms.patch
 drm-nouveau-i2c-gm200-increase-width-of-aux-semaphor.patch
+i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch
+can-dev-can_restart-fix-use-after-free-bug.patch