4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Jul 2021 15:25:13 +0000 (17:25 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Jul 2021 15:25:13 +0000 (17:25 +0200)
added patches:
net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch
net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch
net-moxa-fix-uaf-in-moxart_mac_probe.patch
net-ti-fix-uaf-in-tlan_remove_one.patch
net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch

queue-4.4/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch [new file with mode: 0644]
queue-4.4/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch [new file with mode: 0644]
queue-4.4/net-moxa-fix-uaf-in-moxart_mac_probe.patch [new file with mode: 0644]
queue-4.4/net-ti-fix-uaf-in-tlan_remove_one.patch [new file with mode: 0644]
queue-4.4/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch b/queue-4.4/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch
new file mode 100644 (file)
index 0000000..584d75e
--- /dev/null
@@ -0,0 +1,46 @@
+From 2b452550a203d88112eaf0ba9fc4b750a000b496 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 8 Jul 2021 18:55:32 -0700
+Subject: net: bcmgenet: Ensure all TX/RX queues DMAs are disabled
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit 2b452550a203d88112eaf0ba9fc4b750a000b496 upstream.
+
+Make sure that we disable each of the TX and RX queues in the TDMA and
+RDMA control registers. This is a correctness change to be symmetrical
+with the code that enables the TX and RX queues.
+
+Tested-by: Maxime Ripard <maxime@cerno.tech>
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2663,15 +2663,21 @@ static void bcmgenet_set_hw_addr(struct
+ /* Returns a reusable dma control register value */
+ static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv)
+ {
++      unsigned int i;
+       u32 reg;
+       u32 dma_ctrl;
+       /* disable DMA */
+       dma_ctrl = 1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT) | DMA_EN;
++      for (i = 0; i < priv->hw_params->tx_queues; i++)
++              dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
+       reg = bcmgenet_tdma_readl(priv, DMA_CTRL);
+       reg &= ~dma_ctrl;
+       bcmgenet_tdma_writel(priv, reg, DMA_CTRL);
++      dma_ctrl = 1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT) | DMA_EN;
++      for (i = 0; i < priv->hw_params->rx_queues; i++)
++              dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
+       reg = bcmgenet_rdma_readl(priv, DMA_CTRL);
+       reg &= ~dma_ctrl;
+       bcmgenet_rdma_writel(priv, reg, DMA_CTRL);
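Review bot: After the second loop, `dma_ctrl` holds only the RDMA mask (the `DESC_INDEX` ring bit, `DMA_EN`, and one bit per `rx_queues`), yet the context comment above the function still says it "Returns a reusable dma control register value". The return statement is outside the hunk, so this is inferred: if the caller ORs that value back into both the TDMA and RDMA `DMA_CTRL` registers, a configuration where `tx_queues` and `rx_queues` differ would re-enable a TX ring set that does not match what was disabled. Either keep separate `tdma_ctrl` / `rdma_ctrl` locals, or state which mask is returned, e.g. `/* Returns the RDMA disable mask; per-queue TX bits are not included */`.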
diff --git a/queue-4.4/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch b/queue-4.4/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch
new file mode 100644 (file)
index 0000000..b4a8eb2
--- /dev/null
@@ -0,0 +1,49 @@
+From 40fc3054b45820c28ea3c65e2c86d041dc244a8a Mon Sep 17 00:00:00 2001
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+Date: Fri, 2 Jul 2021 02:47:00 +0300
+Subject: net: ipv6: fix return value of ip6_skb_dst_mtu
+
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+
+commit 40fc3054b45820c28ea3c65e2c86d041dc244a8a upstream.
+
+Commit 628a5c561890 ("[INET]: Add IP(V6)_PMTUDISC_RPOBE") introduced
+ip6_skb_dst_mtu with return value of signed int which is inconsistent
+with actually returned values. Also 2 users of this function actually
+assign its value to unsigned int variable and only __xfrm6_output
+assigns result of this function to signed variable but actually uses
+as unsigned in further comparisons and calls. Change this function
+to return unsigned int value.
+
+Fixes: 628a5c561890 ("[INET]: Add IP(V6)_PMTUDISC_RPOBE")
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip6_route.h |    2 +-
+ net/ipv6/xfrm6_output.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/net/ip6_route.h
++++ b/include/net/ip6_route.h
+@@ -181,7 +181,7 @@ static inline bool ipv6_anycast_destinat
+ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+                int (*output)(struct net *, struct sock *, struct sk_buff *));
+-static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
++static inline unsigned int ip6_skb_dst_mtu(struct sk_buff *skb)
+ {
+       struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ?
+                               inet6_sk(skb->sk) : NULL;
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -141,7 +141,7 @@ static int __xfrm6_output(struct net *ne
+ {
+       struct dst_entry *dst = skb_dst(skb);
+       struct xfrm_state *x = dst->xfrm;
+-      int mtu;
++      unsigned int mtu;
+       bool toobig;
+ #ifdef CONFIG_NETFILTER
diff --git a/queue-4.4/net-moxa-fix-uaf-in-moxart_mac_probe.patch b/queue-4.4/net-moxa-fix-uaf-in-moxart_mac_probe.patch
new file mode 100644 (file)
index 0000000..b2adadc
--- /dev/null
@@ -0,0 +1,45 @@
+From c78eaeebe855fd93f2e77142ffd0404a54070d84 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Fri, 9 Jul 2021 17:09:53 +0300
+Subject: net: moxa: fix UAF in moxart_mac_probe
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit c78eaeebe855fd93f2e77142ffd0404a54070d84 upstream.
+
+In case of netdev registration failure the code path will
+jump to init_fail label:
+
+init_fail:
+       netdev_err(ndev, "init failed\n");
+       moxart_mac_free_memory(ndev);
+irq_map_fail:
+       free_netdev(ndev);
+       return ret;
+
+So, there is no need to call free_netdev() before jumping
+to error handling path, since it can cause UAF or double-free
+bug.
+
+Fixes: 6c821bd9edc9 ("net: Add MOXA ART SoCs ethernet driver")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/moxa/moxart_ether.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/moxa/moxart_ether.c
++++ b/drivers/net/ethernet/moxa/moxart_ether.c
+@@ -518,10 +518,8 @@ static int moxart_mac_probe(struct platf
+       SET_NETDEV_DEV(ndev, &pdev->dev);
+       ret = register_netdev(ndev);
+-      if (ret) {
+-              free_netdev(ndev);
++      if (ret)
+               goto init_fail;
+-      }
+       netdev_dbg(ndev, "%s: IRQ=%d address=%pM\n",
+                  __func__, ndev->irq, ndev->dev_addr);
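Review bot: The `if (ret) goto init_fail;` path now depends entirely on the error labels to release `ndev`, and nothing at the call site records that ownership. A one-line comment such as `/* init_fail falls through to free_netdev(); do not free ndev here */` would keep a later edit from reintroducing the double free that the commit message describes. The labels are outside the hunk, so their order is taken from the commit message rather than from the code shown.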
diff --git a/queue-4.4/net-ti-fix-uaf-in-tlan_remove_one.patch b/queue-4.4/net-ti-fix-uaf-in-tlan_remove_one.patch
new file mode 100644 (file)
index 0000000..620580e
--- /dev/null
@@ -0,0 +1,35 @@
+From 0336f8ffece62f882ab3012820965a786a983f70 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Fri, 9 Jul 2021 17:58:29 +0300
+Subject: net: ti: fix UAF in tlan_remove_one
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 0336f8ffece62f882ab3012820965a786a983f70 upstream.
+
+priv is netdev private data and it cannot be
+used after free_netdev() call. Using priv after free_netdev()
+can cause UAF bug. Fix it by moving free_netdev() at the end of the
+function.
+
+Fixes: 1e0a8b13d355 ("tlan: cancel work at remove path")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/tlan.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/ti/tlan.c
++++ b/drivers/net/ethernet/ti/tlan.c
+@@ -313,9 +313,8 @@ static void tlan_remove_one(struct pci_d
+       pci_release_regions(pdev);
+ #endif
+-      free_netdev(dev);
+-
+       cancel_work_sync(&priv->tlan_tqueue);
++      free_netdev(dev);
+ }
+ static void tlan_start(struct net_device *dev)
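Review bot: `cancel_work_sync(&priv->tlan_tqueue)` still runs after `pci_release_regions(pdev)`, so a queued work item could in principle run after the device's regions have been released. The work handler and the start of `tlan_remove_one()` are outside the hunk, so whether it touches device resources is not visible here and should be confirmed. If it does, the cancel belongs ahead of the resource release rather than just ahead of `free_netdev(dev)`. It would also help to pin the ordering with a comment such as `/* priv is embedded in dev: free_netdev() must be the last call */`.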
diff --git a/queue-4.4/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch b/queue-4.4/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch
new file mode 100644 (file)
index 0000000..eb9b721
--- /dev/null
@@ -0,0 +1,62 @@
+From 67a9c94317402b826fc3db32afc8f39336803d97 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Fri, 9 Jul 2021 17:35:18 +0000
+Subject: net: validate lwtstate->data before returning from skb_tunnel_info()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+commit 67a9c94317402b826fc3db32afc8f39336803d97 upstream.
+
+skb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_info
+type without validation. lwtstate->data can have various types such as
+mpls_iptunnel_encap, etc and these are not compatible.
+So skb_tunnel_info() should validate before returning that pointer.
+
+Splat looks like:
+BUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan]
+Read of size 2 at addr ffff888106ec2698 by task ping/811
+
+CPU: 1 PID: 811 Comm: ping Not tainted 5.13.0+ #1195
+Call Trace:
+ dump_stack_lvl+0x56/0x7b
+ print_address_description.constprop.8.cold.13+0x13/0x2ee
+ ? vxlan_get_route+0x418/0x4b0 [vxlan]
+ ? vxlan_get_route+0x418/0x4b0 [vxlan]
+ kasan_report.cold.14+0x83/0xdf
+ ? vxlan_get_route+0x418/0x4b0 [vxlan]
+ vxlan_get_route+0x418/0x4b0 [vxlan]
+ [ ... ]
+ vxlan_xmit_one+0x148b/0x32b0 [vxlan]
+ [ ... ]
+ vxlan_xmit+0x25c5/0x4780 [vxlan]
+ [ ... ]
+ dev_hard_start_xmit+0x1ae/0x6e0
+ __dev_queue_xmit+0x1f39/0x31a0
+ [ ... ]
+ neigh_xmit+0x2f9/0x940
+ mpls_xmit+0x911/0x1600 [mpls_iptunnel]
+ lwtunnel_xmit+0x18f/0x450
+ ip_finish_output2+0x867/0x2040
+ [ ... ]
+
+Fixes: 61adedf3e3f1 ("route: move lwtunnel state to dst_entry")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/dst_metadata.h |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/include/net/dst_metadata.h
++++ b/include/net/dst_metadata.h
+@@ -31,7 +31,9 @@ static inline struct ip_tunnel_info *skb
+               return &md_dst->u.tun_info;
+       dst = skb_dst(skb);
+-      if (dst && dst->lwtstate)
++      if (dst && dst->lwtstate &&
++          (dst->lwtstate->type == LWTUNNEL_ENCAP_IP ||
++           dst->lwtstate->type == LWTUNNEL_ENCAP_IP6))
+               return lwt_tun_info(dst->lwtstate);
+       return NULL;
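Review bot: The encap-type test is open-coded in the `if` inside `skb_tunnel_info()` with no comment on why only these two types are accepted. A short comment would make the invariant explicit, e.g. `/* lwtstate->data is a struct ip_tunnel_info only for LWTUNNEL_ENCAP_IP and LWTUNNEL_ENCAP_IP6 */`. Any encap type later added that also stores an `ip_tunnel_info` has to be listed here as well; until it is, the function returns NULL for it, which fails closed rather than reinterpreting a foreign struct. The function body starts outside the hunk.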
index 7dce515862561a22e004aecd8894870726dd91c4..838bd7e25361ee11345a4433961687687bf0d3e1 100644 (file)
@@ -8,3 +8,8 @@ scsi-aic7xxx-fix-unintentional-sign-extension-issue-.patch
 sched-fair-fix-cfs-bandwidth-hrtimer-expiry-type.patch
 revert-memory-fsl_ifc-fix-leak-of-io-mapping-on-probe-failure.patch
 x86-fpu-make-init_fpstate-correct-with-optimized-xsave.patch
+net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch
+net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch
+net-moxa-fix-uaf-in-moxart_mac_probe.patch
+net-ti-fix-uaf-in-tlan_remove_one.patch
+net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch