4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 10 Aug 2020 13:55:07 +0000 (15:55 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 10 Aug 2020 13:55:07 +0000 (15:55 +0200)
added patches:
i40e-add-num_vectors-checker-in-iwarp-handler.patch
i40e-fix-of-memory-leak-and-integer-truncation-in-i40e_virtchnl.c.patch
i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch
i40e-wrong-truncation-from-u16-to-u8.patch
smack-fix-use-after-free-in-smk_write_relabel_self.patch

queue-4.19/i40e-add-num_vectors-checker-in-iwarp-handler.patch [new file with mode: 0644]
queue-4.19/i40e-fix-of-memory-leak-and-integer-truncation-in-i40e_virtchnl.c.patch [new file with mode: 0644]
queue-4.19/i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch [new file with mode: 0644]
queue-4.19/i40e-wrong-truncation-from-u16-to-u8.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/smack-fix-use-after-free-in-smk_write_relabel_self.patch [new file with mode: 0644]

diff --git a/queue-4.19/i40e-add-num_vectors-checker-in-iwarp-handler.patch b/queue-4.19/i40e-add-num_vectors-checker-in-iwarp-handler.patch
new file mode 100644 (file)
index 0000000..39485b4
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Mon 10 Aug 2020 03:36:49 PM CEST
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Date: Fri,  7 Aug 2020 13:55:14 -0700
+Subject: i40e: add num_vectors checker in iwarp handler
+To: stable@vger.kernel.org
+Cc: Sergey Nemov <sergey.nemov@intel.com>, aleksandr.loktionov@intel.com, Andrew Bowers <andrewx.bowers@intel.com>, Jesse Brandeburg <jesse.brandeburg@intel.com>
+Message-ID: <20200807205517.1740307-2-jesse.brandeburg@intel.com>
+
+From: Sergey Nemov <sergey.nemov@intel.com>
+
+[ Upstream commit 7015ca3df965378bcef072cca9cd63ed098665b5 ]
+
+Field num_vectors from struct virtchnl_iwarp_qvlist_info should not be
+larger than num_msix_vectors_vf in the hw struct.  The iwarp uses the
+same set of vectors as the LAN VF driver.
+
+Fixes: e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver")
+Signed-off-by: Sergey Nemov <sergey.nemov@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -442,6 +442,16 @@ static int i40e_config_iwarp_qvlist(stru
+       u32 next_q_idx, next_q_type;
+       u32 msix_vf, size;
++      msix_vf = pf->hw.func_caps.num_msix_vectors_vf;
++
++      if (qvlist_info->num_vectors > msix_vf) {
++              dev_warn(&pf->pdev->dev,
++                       "Incorrect number of iwarp vectors %u. Maximum %u allowed.\n",
++                       qvlist_info->num_vectors,
++                       msix_vf);
++              goto err;
++      }
++
+       size = sizeof(struct virtchnl_iwarp_qvlist_info) +
+              (sizeof(struct virtchnl_iwarp_qv_info) *
+                                               (qvlist_info->num_vectors - 1));
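Review bot: The added bound in i40e_config_iwarp_qvlist() rejects `num_vectors > msix_vf` but still lets a zero count through, and the size computation directly below multiplies by `(qvlist_info->num_vectors - 1)`. If the field is unsigned, as the `%u` format suggests, a count of 0 wraps there and `size` (a u32) no longer describes a valid list. Unless the virtchnl message validation already refuses an empty list (not visible here), the guard could cover both ends: `if (!qvlist_info->num_vectors || qvlist_info->num_vectors > msix_vf) {`. The function body starts and ends outside this hunk.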
diff --git a/queue-4.19/i40e-fix-of-memory-leak-and-integer-truncation-in-i40e_virtchnl.c.patch b/queue-4.19/i40e-fix-of-memory-leak-and-integer-truncation-in-i40e_virtchnl.c.patch
new file mode 100644 (file)
index 0000000..ed0f161
--- /dev/null
@@ -0,0 +1,87 @@
+From foo@baz Mon 10 Aug 2020 03:36:49 PM CEST
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Date: Fri,  7 Aug 2020 13:55:16 -0700
+Subject: i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
+To: stable@vger.kernel.org
+Cc: Martyna Szapar <martyna.szapar@intel.com>, aleksandr.loktionov@intel.com, Jesse Brandeburg <jesse.brandeburg@intel.com>
+Message-ID: <20200807205517.1740307-4-jesse.brandeburg@intel.com>
+
+From: Martyna Szapar <martyna.szapar@intel.com>
+
+[ Upstream commit 24474f2709af6729b9b1da1c5e160ab62e25e3a4 ]
+
+Fixed possible memory leak in i40e_vc_add_cloud_filter function:
+cfilter is being allocated and in some error conditions
+the function returns without freeing the memory.
+
+Fix of integer truncation from u16 (type of queue_id value) to u8
+when calling i40e_vc_isvalid_queue_id function.
+
+Fixes: e284fc280473b ("i40e: Add and delete cloud filter")
+Signed-off-by: Martyna Szapar <martyna.szapar@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |   18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -181,7 +181,7 @@ static inline bool i40e_vc_isvalid_vsi_i
+  * check for the valid queue id
+  **/
+ static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id,
+-                                          u8 qid)
++                                          u16 qid)
+ {
+       struct i40e_pf *pf = vf->pf;
+       struct i40e_vsi *vsi = i40e_find_vsi_from_id(pf, vsi_id);
+@@ -3345,7 +3345,7 @@ static int i40e_vc_add_cloud_filter(stru
+       if (!test_bit(I40E_VF_STATE_ACTIVE, &vf->vf_states)) {
+               aq_ret = I40E_ERR_PARAM;
+-              goto err;
++              goto err_out;
+       }
+       if (!vf->adq_enabled) {
+@@ -3353,15 +3353,15 @@ static int i40e_vc_add_cloud_filter(stru
+                        "VF %d: ADq is not enabled, can't apply cloud filter\n",
+                        vf->vf_id);
+               aq_ret = I40E_ERR_PARAM;
+-              goto err;
++              goto err_out;
+       }
+       if (i40e_validate_cloud_filter(vf, vcf)) {
+               dev_info(&pf->pdev->dev,
+                        "VF %d: Invalid input/s, can't apply cloud filter\n",
+                        vf->vf_id);
+-                      aq_ret = I40E_ERR_PARAM;
+-                      goto err;
++              aq_ret = I40E_ERR_PARAM;
++              goto err_out;
+       }
+       cfilter = kzalloc(sizeof(*cfilter), GFP_KERNEL);
+@@ -3422,13 +3422,17 @@ static int i40e_vc_add_cloud_filter(stru
+                       "VF %d: Failed to add cloud filter, err %s aq_err %s\n",
+                       vf->vf_id, i40e_stat_str(&pf->hw, ret),
+                       i40e_aq_str(&pf->hw, pf->hw.aq.asq_last_status));
+-              goto err;
++              goto err_free;
+       }
+       INIT_HLIST_NODE(&cfilter->cloud_node);
+       hlist_add_head(&cfilter->cloud_node, &vf->cloud_filter_list);
++      /* release the pointer passing it to the collection */
++      cfilter = NULL;
+       vf->num_cloud_filters++;
+-err:
++err_free:
++      kfree(cfilter);
++err_out:
+       return i40e_vc_send_resp_to_vf(vf, VIRTCHNL_OP_ADD_CLOUD_FILTER,
+                                      aq_ret);
+ }
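Review bot: The success path of i40e_vc_add_cloud_filter() now falls through `err_free`, and only `cfilter = NULL` keeps `kfree(cfilter)` from releasing the node that was just linked into `vf->cloud_filter_list`; the added comment does not make that dependency clear. I would word it as `/* vf->cloud_filter_list owns the filter now; clear the local so the kfree() below is a no-op */`. Most of the function body lies outside these hunks, so exits between the `kzalloc()` and the final add cannot be checked from here.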
diff --git a/queue-4.19/i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch b/queue-4.19/i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch
new file mode 100644 (file)
index 0000000..ea42a4e
--- /dev/null
@@ -0,0 +1,87 @@
+From foo@baz Mon 10 Aug 2020 03:36:49 PM CEST
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Date: Fri,  7 Aug 2020 13:55:17 -0700
+Subject: i40e: Memory leak in i40e_config_iwarp_qvlist
+To: stable@vger.kernel.org
+Cc: Martyna Szapar <martyna.szapar@intel.com>, aleksandr.loktionov@intel.com, Andrew Bowers <andrewx.bowers@intel.com>, Jesse Brandeburg <jesse.brandeburg@intel.com>
+Message-ID: <20200807205517.1740307-5-jesse.brandeburg@intel.com>
+
+From: Martyna Szapar <martyna.szapar@intel.com>
+
+[ Upstream commit 0b63644602cfcbac849f7ea49272a39e90fa95eb ]
+
+Added freeing the old allocation of vf->qvlist_info in function
+i40e_config_iwarp_qvlist before overwriting it with
+the new allocation.
+
+Fixes: e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver")
+Signed-off-by: Martyna Szapar <martyna.szapar@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |   23 +++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -441,6 +441,7 @@ static int i40e_config_iwarp_qvlist(stru
+       u32 v_idx, i, reg_idx, reg;
+       u32 next_q_idx, next_q_type;
+       u32 msix_vf, size;
++      int ret = 0;
+       msix_vf = pf->hw.func_caps.num_msix_vectors_vf;
+@@ -449,16 +450,19 @@ static int i40e_config_iwarp_qvlist(stru
+                        "Incorrect number of iwarp vectors %u. Maximum %u allowed.\n",
+                        qvlist_info->num_vectors,
+                        msix_vf);
+-              goto err;
++              ret = -EINVAL;
++              goto err_out;
+       }
+       size = sizeof(struct virtchnl_iwarp_qvlist_info) +
+              (sizeof(struct virtchnl_iwarp_qv_info) *
+                                               (qvlist_info->num_vectors - 1));
++      kfree(vf->qvlist_info);
+       vf->qvlist_info = kzalloc(size, GFP_KERNEL);
+-      if (!vf->qvlist_info)
+-              return -ENOMEM;
+-
++      if (!vf->qvlist_info) {
++              ret = -ENOMEM;
++              goto err_out;
++      }
+       vf->qvlist_info->num_vectors = qvlist_info->num_vectors;
+       msix_vf = pf->hw.func_caps.num_msix_vectors_vf;
+@@ -469,8 +473,10 @@ static int i40e_config_iwarp_qvlist(stru
+               v_idx = qv_info->v_idx;
+               /* Validate vector id belongs to this vf */
+-              if (!i40e_vc_isvalid_vector_id(vf, v_idx))
+-                      goto err;
++              if (!i40e_vc_isvalid_vector_id(vf, v_idx)) {
++                      ret = -EINVAL;
++                      goto err_free;
++              }
+               vf->qvlist_info->qv_info[i] = *qv_info;
+@@ -512,10 +518,11 @@ static int i40e_config_iwarp_qvlist(stru
+       }
+       return 0;
+-err:
++err_free:
+       kfree(vf->qvlist_info);
+       vf->qvlist_info = NULL;
+-      return -EINVAL;
++err_out:
++      return ret;
+ }
+ /**
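Review bot: In i40e_config_iwarp_qvlist() the added `kfree(vf->qvlist_info)` releases the previous list before the new request has been validated. A request that later fails the vector-id check leaves through `err_free` with `vf->qvlist_info` set to NULL, while one rejected by the num_vectors check leaves through `err_out` with the old list intact. If teardown code relies on that list to undo earlier register programming (not visible here), the first case loses it. Building the new list in a local and swapping it in only after the loop succeeds would make both rejections behave the same. The loop body and the end of the function are only partly visible in these hunks, so anything the loop does besides filling the list would need the same review.

```c
	struct virtchnl_iwarp_qvlist_info *new_list;

	/* … unchanged: num_vectors check and size computation … */
	new_list = kzalloc(size, GFP_KERNEL);
	if (!new_list) {
		ret = -ENOMEM;
		goto err_out;
	}
	new_list->num_vectors = qvlist_info->num_vectors;

	/* … unchanged: per-vector loop, now filling new_list->qv_info[i] … */
	kfree(vf->qvlist_info);
	vf->qvlist_info = new_list;
	return 0;
err_free:
	kfree(new_list);
err_out:
	return ret;
```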
diff --git a/queue-4.19/i40e-wrong-truncation-from-u16-to-u8.patch b/queue-4.19/i40e-wrong-truncation-from-u16-to-u8.patch
new file mode 100644 (file)
index 0000000..7706241
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Mon 10 Aug 2020 03:36:49 PM CEST
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Date: Fri,  7 Aug 2020 13:55:15 -0700
+Subject: i40e: Wrong truncation from u16 to u8
+To: stable@vger.kernel.org
+Cc: Grzegorz Siwik <grzegorz.siwik@intel.com>, aleksandr.loktionov@intel.com, Andrew Bowers <andrewx.bowers@intel.com>, Jesse Brandeburg <jesse.brandeburg@intel.com>
+Message-ID: <20200807205517.1740307-3-jesse.brandeburg@intel.com>
+
+From: Grzegorz Siwik <grzegorz.siwik@intel.com>
+
+[ Upstream commit c004804dceee9ca384d97d9857ea2e2795c2651d ]
+
+In this patch fixed wrong truncation method from u16 to u8 during
+validation.
+
+It was changed by changing u8 to u32 parameter in method declaration
+and arguments were changed to u32.
+
+Fixes: 5c3c48ac6bf56 ("i40e: implement virtual device interface")
+Signed-off-by: Grzegorz Siwik <grzegorz.siwik@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -196,7 +196,7 @@ static inline bool i40e_vc_isvalid_queue
+  *
+  * check for the valid vector id
+  **/
+-static inline bool i40e_vc_isvalid_vector_id(struct i40e_vf *vf, u8 vector_id)
++static inline bool i40e_vc_isvalid_vector_id(struct i40e_vf *vf, u32 vector_id)
+ {
+       struct i40e_pf *pf = vf->pf;
index 145e280b5158f3ee0fb5d76019d3714f20ff4089..1a5dd401de495c4021f9fcec759e8918eace88c7 100644 (file)
@@ -41,3 +41,8 @@ openvswitch-prevent-kernel-infoleak-in-ovs_ct_put_key.patch
 revert-vxlan-fix-tos-value-before-xmit.patch
 selftests-net-relax-cpu-affinity-requirement-in-msg_zerocopy-test.patch
 rxrpc-fix-race-between-recvmsg-and-sendmsg-on-immediate-call-failure.patch
+i40e-add-num_vectors-checker-in-iwarp-handler.patch
+i40e-wrong-truncation-from-u16-to-u8.patch
+i40e-fix-of-memory-leak-and-integer-truncation-in-i40e_virtchnl.c.patch
+i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch
+smack-fix-use-after-free-in-smk_write_relabel_self.patch
diff --git a/queue-4.19/smack-fix-use-after-free-in-smk_write_relabel_self.patch b/queue-4.19/smack-fix-use-after-free-in-smk_write_relabel_self.patch
new file mode 100644 (file)
index 0000000..bf3d64c
--- /dev/null
@@ -0,0 +1,79 @@
+From beb4ee6770a89646659e6a2178538d2b13e2654e Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 8 Jul 2020 13:15:20 -0700
+Subject: Smack: fix use-after-free in smk_write_relabel_self()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit beb4ee6770a89646659e6a2178538d2b13e2654e upstream.
+
+smk_write_relabel_self() frees memory from the task's credentials with
+no locking, which can easily cause a use-after-free because multiple
+tasks can share the same credentials structure.
+
+Fix this by using prepare_creds() and commit_creds() to correctly modify
+the task's credentials.
+
+Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self":
+
+       #include <fcntl.h>
+       #include <pthread.h>
+       #include <unistd.h>
+
+       static void *thrproc(void *arg)
+       {
+               int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY);
+               for (;;) write(fd, "foo", 3);
+       }
+
+       int main()
+       {
+               pthread_t t;
+               pthread_create(&t, NULL, thrproc, NULL);
+               thrproc(NULL);
+       }
+
+Reported-by: syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com
+Fixes: 38416e53936e ("Smack: limited capability for changing process label")
+Cc: <stable@vger.kernel.org> # v4.4+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/smack/smackfs.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -2746,7 +2746,6 @@ static int smk_open_relabel_self(struct
+ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
+                               size_t count, loff_t *ppos)
+ {
+-      struct task_smack *tsp = current_security();
+       char *data;
+       int rc;
+       LIST_HEAD(list_tmp);
+@@ -2771,11 +2770,21 @@ static ssize_t smk_write_relabel_self(st
+       kfree(data);
+       if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
++              struct cred *new;
++              struct task_smack *tsp;
++
++              new = prepare_creds();
++              if (!new) {
++                      rc = -ENOMEM;
++                      goto out;
++              }
++              tsp = new->security;
+               smk_destroy_label_list(&tsp->smk_relabel);
+               list_splice(&list_tmp, &tsp->smk_relabel);
++              commit_creds(new);
+               return count;
+       }
+-
++out:
+       smk_destroy_label_list(&list_tmp);
+       return rc;
+ }
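Review bot: The new block in smk_write_relabel_self() has no comment saying why the relabel list is edited on a copy obtained from `prepare_creds()` rather than on the current credentials, which is the whole point of the fix. A short comment above `new = prepare_creds();` would keep a later cleanup from folding it back, for example `/* creds may be shared between tasks: edit a private copy and publish it with commit_creds() */`. The start of the function body is outside these hunks.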