--- /dev/null
+From d795848ecce24a75dfd46481aee066ae6fe39775 Mon Sep 17 00:00:00 2001
+From: Hagar Hemdan <hagarhem@amazon.com>
+Date: Thu, 23 May 2024 08:53:32 +0000
+Subject: gpio: prevent potential speculation leaks in gpio_device_get_desc()
+
+From: Hagar Hemdan <hagarhem@amazon.com>
+
+commit d795848ecce24a75dfd46481aee066ae6fe39775 upstream.
+
+Userspace may trigger a speculative read of an address outside the gpio
+descriptor array.
+Users can do that by calling gpio_ioctl() with an offset out of range.
+Offset is copied from user and then used as an array index to get
+the gpio descriptor without sanitization in gpio_device_get_desc().
+
+This change ensures that the offset is sanitized by using
+array_index_nospec() to mitigate any possibility of speculative
+information leaks.
+
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.
+
+Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
+Link: https://lore.kernel.org/r/20240523085332.1801-1-hagarhem@amazon.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -5,6 +5,7 @@
+ #include <linux/module.h>
+ #include <linux/interrupt.h>
+ #include <linux/irq.h>
++#include <linux/nospec.h>
+ #include <linux/spinlock.h>
+ #include <linux/list.h>
+ #include <linux/device.h>
+@@ -146,7 +147,7 @@ struct gpio_desc *gpiochip_get_desc(stru
+ if (hwnum >= gdev->ngpio)
+ return ERR_PTR(-EINVAL);
+
+- return &gdev->descs[hwnum];
++ return &gdev->descs[array_index_nospec(hwnum, gdev->ngpio)];
+ }
+ EXPORT_SYMBOL_GPL(gpiochip_get_desc);
+
--- /dev/null
+From stable+bounces-76614-greg=kroah.com@vger.kernel.org Tue Sep 17 22:25:39 2024
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 17 Sep 2024 22:25:15 +0200
+Subject: netfilter: nf_tables: missing iterator type in lookup walk
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
+Message-ID: <20240917202515.179699-3-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit efefd4f00c967d00ad7abe092554ffbb70c1a793 upstream.
+
+Add missing decorator type to lookup expression and tighten WARN_ON_ONCE
+check in pipapo to spot earlier that this is unset.
+
+Fixes: 29b359cf6d95 ("netfilter: nft_set_pipapo: walk over current view on netlink dump")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_lookup.c | 1 +
+ net/netfilter/nft_set_pipapo.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_lookup.c
++++ b/net/netfilter/nft_lookup.c
+@@ -211,6 +211,7 @@ static int nft_lookup_validate(const str
+ return 0;
+
+ iter.genmask = nft_genmask_next(ctx->net);
++ iter.type = NFT_ITER_UPDATE;
+ iter.skip = 0;
+ iter.count = 0;
+ iter.err = 0;
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2046,7 +2046,8 @@ static void nft_pipapo_walk(const struct
+ const struct nft_pipapo_field *f;
+ int i, r;
+
+- WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);
++ WARN_ON_ONCE(iter->type != NFT_ITER_READ &&
++ iter->type != NFT_ITER_UPDATE);
+
+ rcu_read_lock();
+ if (iter->type == NFT_ITER_READ)
--- /dev/null
+From stable+bounces-76613-greg=kroah.com@vger.kernel.org Tue Sep 17 22:25:35 2024
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 17 Sep 2024 22:25:14 +0200
+Subject: netfilter: nft_set_pipapo: walk over current view on netlink dump
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
+Message-ID: <20240917202515.179699-2-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 29b359cf6d95fd60730533f7f10464e95bd17c73 upstream.
+
+The generation mask can be updated while netlink dump is in progress.
+The pipapo set backend walk iterator cannot rely on it to infer what
+view of the datastructure is to be used. Add notation to specify if user
+wants to read/update the set.
+
+Based on patch from Florian Westphal.
+
+Fixes: 2b84e215f874 ("netfilter: nft_set_pipapo: .walk does not deal with generations")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/netfilter/nf_tables.h | 13 +++++++++++++
+ net/netfilter/nf_tables_api.c | 5 +++++
+ net/netfilter/nft_set_pipapo.c | 5 +++--
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -283,9 +283,22 @@ struct nft_set_elem {
+ void *priv;
+ };
+
++/**
++ * enum nft_iter_type - nftables set iterator type
++ *
++ * @NFT_ITER_READ: read-only iteration over set elements
++ * @NFT_ITER_UPDATE: iteration under mutex to update set element state
++ */
++enum nft_iter_type {
++ NFT_ITER_UNSPEC,
++ NFT_ITER_READ,
++ NFT_ITER_UPDATE,
++};
++
+ struct nft_set;
+ struct nft_set_iter {
+ u8 genmask;
++ enum nft_iter_type type:8;
+ unsigned int count;
+ unsigned int skip;
+ int err;
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -628,6 +628,7 @@ static void nft_map_deactivate(const str
+ {
+ struct nft_set_iter iter = {
+ .genmask = nft_genmask_next(ctx->net),
++ .type = NFT_ITER_UPDATE,
+ .fn = nft_mapelem_deactivate,
+ };
+
+@@ -5073,6 +5074,7 @@ int nf_tables_bind_set(const struct nft_
+ }
+
+ iter.genmask = nft_genmask_next(ctx->net);
++ iter.type = NFT_ITER_UPDATE;
+ iter.skip = 0;
+ iter.count = 0;
+ iter.err = 0;
+@@ -5148,6 +5150,7 @@ static void nft_map_activate(const struc
+ {
+ struct nft_set_iter iter = {
+ .genmask = nft_genmask_next(ctx->net),
++ .type = NFT_ITER_UPDATE,
+ .fn = nft_mapelem_activate,
+ };
+
+@@ -5504,6 +5507,7 @@ static int nf_tables_dump_set(struct sk_
+ args.cb = cb;
+ args.skb = skb;
+ args.iter.genmask = nft_genmask_cur(net);
++ args.iter.type = NFT_ITER_READ;
+ args.iter.skip = cb->args[0];
+ args.iter.count = 0;
+ args.iter.err = 0;
+@@ -6833,6 +6837,7 @@ static int nft_set_flush(struct nft_ctx
+ {
+ struct nft_set_iter iter = {
+ .genmask = genmask,
++ .type = NFT_ITER_UPDATE,
+ .fn = nft_setelem_flush,
+ };
+
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2042,13 +2042,14 @@ static void nft_pipapo_walk(const struct
+ struct nft_set_iter *iter)
+ {
+ struct nft_pipapo *priv = nft_set_priv(set);
+- struct net *net = read_pnet(&set->net);
+ const struct nft_pipapo_match *m;
+ const struct nft_pipapo_field *f;
+ int i, r;
+
++ WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);
++
+ rcu_read_lock();
+- if (iter->genmask == nft_genmask_cur(net))
++ if (iter->type == NFT_ITER_READ)
+ m = rcu_dereference(priv->match);
+ else
+ m = priv->clone;
--- /dev/null
+From pkshih@realtek.com Fri Sep 27 09:45:55 2024
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Thu, 26 Sep 2024 08:30:17 +0800
+Subject: Revert "wifi: cfg80211: check wiphy mutex is held for wdev mutex"
+To: <stable@vger.kernel.org>
+Cc: <linux-wireless@vger.kernel.org>, <johannes@sipsolutions.net>
+Message-ID: <20240926003017.5427-1-pkshih@realtek.com>
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+This reverts commit 89795eeba6d13b5ba432425dd43c34c66f2cebde which is
+commmit 1474bc87fe57deac726cc10203f73daa6c3212f7 upstream.
+
+The reverted commit is based on implementation of wiphy locking that isn't
+planned to redo on a stable kernel, so revert it to avoid warning:
+
+ WARNING: CPU: 0 PID: 9 at net/wireless/core.h:231 disconnect_work+0xb8/0x144 [cfg80211]
+ CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.6.51-00141-ga1649b6f8ed6 #7
+ Hardware name: Freescale i.MX6 SoloX (Device Tree)
+ Workqueue: events disconnect_work [cfg80211]
+ unwind_backtrace from show_stack+0x10/0x14
+ show_stack from dump_stack_lvl+0x58/0x70
+ dump_stack_lvl from __warn+0x70/0x1c0
+ __warn from warn_slowpath_fmt+0x16c/0x294
+ warn_slowpath_fmt from disconnect_work+0xb8/0x144 [cfg80211]
+ disconnect_work [cfg80211] from process_one_work+0x204/0x620
+ process_one_work from worker_thread+0x1b0/0x474
+ worker_thread from kthread+0x10c/0x12c
+ kthread from ret_from_fork+0x14/0x24
+
+Reported-by: petter@technux.se
+Closes: https://lore.kernel.org/linux-wireless/9e98937d781c990615ef27ee0c858ff9@technux.se/T/#t
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/core.h | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/net/wireless/core.h
++++ b/net/wireless/core.h
+@@ -217,7 +217,6 @@ void cfg80211_register_wdev(struct cfg80
+ static inline void wdev_lock(struct wireless_dev *wdev)
+ __acquires(wdev)
+ {
+- lockdep_assert_held(&wdev->wiphy->mtx);
+ mutex_lock(&wdev->mtx);
+ __acquire(wdev->mtx);
+ }
+@@ -225,16 +224,11 @@ static inline void wdev_lock(struct wire
+ static inline void wdev_unlock(struct wireless_dev *wdev)
+ __releases(wdev)
+ {
+- lockdep_assert_held(&wdev->wiphy->mtx);
+ __release(wdev->mtx);
+ mutex_unlock(&wdev->mtx);
+ }
+
+-static inline void ASSERT_WDEV_LOCK(struct wireless_dev *wdev)
+-{
+- lockdep_assert_held(&wdev->wiphy->mtx);
+- lockdep_assert_held(&wdev->mtx);
+-}
++#define ASSERT_WDEV_LOCK(wdev) lockdep_assert_held(&(wdev)->mtx)
+
+ static inline bool cfg80211_has_monitors_only(struct cfg80211_registered_device *rdev)
+ {
ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry.patch
ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xatt.patch
cgroup-make-operations-on-the-cgroup-root_list-rcu-s.patch
+netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch
+netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch
+revert-wifi-cfg80211-check-wiphy-mutex-is-held-for-wdev-mutex.patch
+gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
