--- /dev/null
+From 2fa7d94afc1afbb4d702760c058dc2d7ed30f226 Mon Sep 17 00:00:00 2001
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+Date: Tue, 30 Nov 2021 20:16:07 +0200
+Subject: bpf: Fix the off-by-two error in range markings
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+commit 2fa7d94afc1afbb4d702760c058dc2d7ed30f226 upstream.
+
+The first commit cited below attempts to fix the off-by-one error that
+appeared in some comparisons with an open range. Due to this error,
+arithmetically equivalent pieces of code could get different verdicts
+from the verifier, for example (pseudocode):
+
+ // 1. Passes the verifier:
+ if (data + 8 > data_end)
+ return early
+ read *(u64 *)data, i.e. [data; data+7]
+
+ // 2. Rejected by the verifier (should still pass):
+ if (data + 7 >= data_end)
+ return early
+ read *(u64 *)data, i.e. [data; data+7]
+
+The attempted fix, however, shifts the range by one in a wrong
+direction, so the bug not only remains, but also such piece of code
+starts failing in the verifier:
+
+ // 3. Rejected by the verifier, but the check is stricter than in #1.
+ if (data + 8 >= data_end)
+ return early
+ read *(u64 *)data, i.e. [data; data+7]
+
+The change performed by that fix converted an off-by-one bug into
+off-by-two. The second commit cited below added the BPF selftests
+written to ensure than code chunks like #3 are rejected, however,
+they should be accepted.
+
+This commit fixes the off-by-two error by adjusting new_range in the
+right direction and fixes the tests by changing the range into the
+one that should actually fail.
+
+Fixes: fb2a311a31d3 ("bpf: fix off by one for range markings with L{T, E} patterns")
+Fixes: b37242c773b2 ("bpf: add test cases to bpf selftests to cover all access tests")
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20211130181607.593149-1-maximmi@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2989,7 +2989,7 @@ static void find_good_pkt_pointers(struc
+
+ new_range = dst_reg->off;
+ if (range_right_open)
+- new_range--;
++ new_range++;
+
+ /* Examples for register markings:
+ *
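Review bot: The commit message says this change also fixes the selftests, but the diffstat lists only kernel/bpf/verifier.c (1 insertion, 1 deletion), so the test adjustment is not part of this patch. If the selftests added by b37242c773b2 are present in this tree, they will still expect programs like case #3 to be rejected and will start failing once `new_range++` is applied. Either carry the selftest update alongside this patch or state in the message that it was dropped. The `if (range_right_open)` branch would also benefit from a one-line comment giving the reasoning: when `data + off >= data_end` is false, `data + off + 1 <= data_end` holds, so off + 1 bytes are readable, which is why the open-range case adds one rather than subtracting one.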
--- /dev/null
+From 4cd8371a234d051f9c9557fcbb1f8c523b1c0d10 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Thu, 9 Dec 2021 09:13:07 +0100
+Subject: nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit 4cd8371a234d051f9c9557fcbb1f8c523b1c0d10 upstream.
+
+The done() netlink callback nfc_genl_dump_ses_done() should check if
+received argument is non-NULL, because its allocation could fail earlier
+in dumpit() (nfc_genl_dump_ses()).
+
+Fixes: ac22ac466a65 ("NFC: Add a GET_SE netlink API")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Link: https://lore.kernel.org/r/20211209081307.57337-1-krzysztof.kozlowski@canonical.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -1400,8 +1400,10 @@ static int nfc_genl_dump_ses_done(struct
+ {
+ struct class_dev_iter *iter = (struct class_dev_iter *) cb->args[0];
+
+- nfc_device_iter_exit(iter);
+- kfree(iter);
++ if (iter) {
++ nfc_device_iter_exit(iter);
++ kfree(iter);
++ }
+
+ return 0;
+ }
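Review bot: The new `if (iter)` guard in nfc_genl_dump_ses_done() only helps if `cb->args[0]` is still zero when the allocation in nfc_genl_dump_ses() fails, and that function is not part of this hunk. Please confirm that the dumpit path never stores a stale or partially initialised pointer in `cb->args[0]` before returning an error. Since kfree() already accepts NULL, the guard exists for the sake of `nfc_device_iter_exit(iter)`; a short comment saying that done() can run after a failed dumpit allocation would keep the check from being removed later as redundant.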
--- /dev/null
+From c56c96303e9289cc34716b1179597b6f470833de Mon Sep 17 00:00:00 2001
+From: Jianglei Nie <niejianglei2021@163.com>
+Date: Thu, 9 Dec 2021 14:15:11 +0800
+Subject: nfp: Fix memory leak in nfp_cpp_area_cache_add()
+
+From: Jianglei Nie <niejianglei2021@163.com>
+
+commit c56c96303e9289cc34716b1179597b6f470833de upstream.
+
+In line 800 (#1), nfp_cpp_area_alloc() allocates and initializes a
+CPP area structure. But in line 807 (#2), when the cache is allocated
+failed, this CPP area structure is not freed, which will result in
+memory leak.
+
+We can fix it by freeing the CPP area when the cache is allocated
+failed (#2).
+
+792 int nfp_cpp_area_cache_add(struct nfp_cpp *cpp, size_t size)
+793 {
+794 struct nfp_cpp_area_cache *cache;
+795 struct nfp_cpp_area *area;
+
+800 area = nfp_cpp_area_alloc(cpp, NFP_CPP_ID(7, NFP_CPP_ACTION_RW, 0),
+801 0, size);
+ // #1: allocates and initializes
+
+802 if (!area)
+803 return -ENOMEM;
+
+805 cache = kzalloc(sizeof(*cache), GFP_KERNEL);
+806 if (!cache)
+807 return -ENOMEM; // #2: missing free
+
+817 return 0;
+818 }
+
+Fixes: 4cb584e0ee7d ("nfp: add CPP access core")
+Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
+Acked-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20211209061511.122535-1-niejianglei2021@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
+@@ -787,8 +787,10 @@ int nfp_cpp_area_cache_add(struct nfp_cp
+ return -ENOMEM;
+
+ cache = kzalloc(sizeof(*cache), GFP_KERNEL);
+- if (!cache)
++ if (!cache) {
++ nfp_cpp_area_free(area);
+ return -ENOMEM;
++ }
+
+ cache->id = 0;
+ cache->addr = 0;
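Review bot: The added `nfp_cpp_area_free(area)` in the `!cache` branch covers only this one exit, and the rest of nfp_cpp_area_cache_add() is not visible in the hunk. If any later step in the function can fail and return, it needs the same cleanup; a single unwind label reached by `goto` would keep the release of `area` in one place instead of repeating it per branch. The commit message also refers to lines 800 and 807, while this hunk sits at line 787 of the file, so the line numbers do not match this tree. Naming the calls instead (nfp_cpp_area_alloc() and the kzalloc() of `cache`) would keep the description valid across backports.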
hid-wacom-fix-problems-when-device-is-not-a-valid-usb-device.patch
hid-check-for-valid-usb-device-for-many-hid-drivers.patch
can-sja1000-fix-use-after-free-in-ems_pcmcia_add_card.patch
+nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch
+bpf-fix-the-off-by-two-error-in-range-markings.patch
+nfp-fix-memory-leak-in-nfp_cpp_area_cache_add.patch