From: Sasha Levin Date: Mon, 4 Oct 2021 03:18:15 +0000 (-0400) Subject: Fixes for 4.9 X-Git-Tag: v4.4.286~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0fb6edf74a37230abc90d574a73e13f54731150c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/e100-fix-buffer-overrun-in-e100_get_regs.patch b/queue-4.9/e100-fix-buffer-overrun-in-e100_get_regs.patch new file mode 100644 index 00000000000..60254b330d3 --- /dev/null +++ b/queue-4.9/e100-fix-buffer-overrun-in-e100_get_regs.patch 
@@ -0,0 +1,107 @@ +From a51479075601cba09a0669780c6dba772a955932 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 10:52:37 -0700 +Subject: e100: fix buffer overrun in e100_get_regs + +From: Jacob Keller + +[ Upstream commit 51032e6f17ce990d06123ad7307f258c50d25aa7 ] + +The e100_get_regs function is used to implement a simple register dump +for the e100 device. The data is broken into a couple of MAC control +registers, and then a series of PHY registers, followed by a memory dump +buffer. + +The total length of the register dump is defined as (1 + E100_PHY_REGS) +* sizeof(u32) + sizeof(nic->mem->dump_buf). + +The logic for filling in the PHY registers uses a convoluted inverted +count for loop which counts from E100_PHY_REGS (0x1C) down to 0, and +assigns the slots 1 + E100_PHY_REGS - i. The first loop iteration will +fill in [1] and the final loop iteration will fill in [1 + 0x1C]. This +is actually one more than the supposed number of PHY registers. + +The memory dump buffer is then filled into the space at +[2 + E100_PHY_REGS] which will cause that memcpy to assign 4 bytes past +the total size. + +The end result is that we overrun the total buffer size allocated by the +kernel, which could lead to a panic or other issues due to memory +corruption. + +It is difficult to determine the actual total number of registers +here. The only 8255x datasheet I could find indicates there are 28 total +MDI registers. However, we're reading 29 here, and reading them in +reverse! + +In addition, the ethtool e100 register dump interface appears to read +the first PHY register to determine if the device is in MDI or MDIx +mode. This doesn't appear to be documented anywhere within the 8255x +datasheet. I can only assume it must be in register 28 (the extra +register we're reading here). + +Lets not change any of the intended meaning of what we copy here. 
Just +extend the space by 4 bytes to account for the extra register and +continue copying the data out in the same order. + +Change the E100_PHY_REGS value to be the correct total (29) so that the +total register dump size is calculated properly. Fix the offset for +where we copy the dump buffer so that it doesn't overrun the total size. + +Re-write the for loop to use counting up instead of the convoluted +down-counting. Correct the mdio_read offset to use the 0-based register +offsets, but maintain the bizarre reverse ordering so that we have the +ABI expected by applications like ethtool. This requires and additional +subtraction of 1. It seems a bit odd but it makes the flow of assignment +into the register buffer easier to follow. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Felicitas Hetzelt +Signed-off-by: Jacob Keller +Tested-by: Jacob Keller +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index abb65ed9492b..aa556e4f9051 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -2462,7 +2462,7 @@ static void e100_get_drvinfo(struct net_device *netdev, + sizeof(info->bus_info)); + } + +-#define E100_PHY_REGS 0x1C ++#define E100_PHY_REGS 0x1D + static int e100_get_regs_len(struct net_device *netdev) + { + struct nic *nic = netdev_priv(netdev); +@@ -2484,14 +2484,18 @@ static void e100_get_regs(struct net_device *netdev, + buff[0] = ioread8(&nic->csr->scb.cmd_hi) << 24 | + ioread8(&nic->csr->scb.cmd_lo) << 16 | + ioread16(&nic->csr->scb.status); +- for (i = E100_PHY_REGS; i >= 0; i--) +- buff[1 + E100_PHY_REGS - i] = +- mdio_read(netdev, nic->mii.phy_id, i); ++ for (i = 0; i < E100_PHY_REGS; i++) ++ /* Note that we read the registers in reverse order. 
This ++ * ordering is the ABI apparently used by ethtool and other ++ * applications. ++ */ ++ buff[1 + i] = mdio_read(netdev, nic->mii.phy_id, ++ E100_PHY_REGS - 1 - i); + memset(nic->mem->dump_buf, 0, sizeof(nic->mem->dump_buf)); + e100_exec_cb(nic, NULL, e100_dump); + msleep(10); +- memcpy(&buff[2 + E100_PHY_REGS], nic->mem->dump_buf, +- sizeof(nic->mem->dump_buf)); ++ memcpy(&buff[1 + E100_PHY_REGS], nic->mem->dump_buf, ++ sizeof(nic->mem->dump_buf)); + } + + static void e100_get_wol(struct net_device *netdev, struct ethtool_wolinfo *wol) +-- +2.33.0 + diff --git a/queue-4.9/e100-fix-length-calculation-in-e100_get_regs_len.patch b/queue-4.9/e100-fix-length-calculation-in-e100_get_regs_len.patch new file mode 100644 index 00000000000..b753c98c95a --- /dev/null +++ b/queue-4.9/e100-fix-length-calculation-in-e100_get_regs_len.patch 
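Review bot: the multi-line comment placed between `for (i = 0; i < E100_PHY_REGS; i++)` and its single body statement makes the loop body hard to spot; move the comment above the `for` header or wrap the body in braces. The arithmetic itself checks out: with E100_PHY_REGS raised to 0x1D (29), `mdio_read(netdev, nic->mii.phy_id, E100_PHY_REGS - 1 - i)` reads MDI registers 28 down to 0 into buff[1]..buff[29], the same 29 reads in the same order as the old down-counting loop, and the dump buffer now lands at `buff[1 + E100_PHY_REGS]` (buff[30]), the first slot past the (1 + E100_PHY_REGS) u32 entries that e100_get_regs_len reports, so the 4-byte write past the end is gone. Raising E100_PHY_REGS also grows the length handed to ethtool by 4 bytes; the commit message says that is deliberate, and the stable backport note should say so too since user-space dump sizes change.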
@@ -0,0 +1,50 @@ +From 4440484f3bef583a4c6a02bf38b112dda5b2f637 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 10:52:36 -0700 +Subject: e100: fix length calculation in e100_get_regs_len + +From: Jacob Keller + +[ Upstream commit 4329c8dc110b25d5f04ed20c6821bb60deff279f ] + +commit abf9b902059f ("e100: cleanup unneeded math") tried to simplify +e100_get_regs_len and remove a double 'divide and then multiply' +calculation that the e100_reg_regs_len function did. + +This change broke the size calculation entirely as it failed to account +for the fact that the numbered registers are actually 4 bytes wide and +not 1 byte. This resulted in a significant under allocation of the +register buffer used by e100_get_regs. + +Fix this by properly multiplying the register count by u32 first before +adding the size of the dump buffer. + +Fixes: abf9b902059f ("e100: cleanup unneeded math") +Reported-by: Felicitas Hetzelt +Signed-off-by: Jacob Keller +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index 9035cb5fc70d..abb65ed9492b 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -2466,7 +2466,11 @@ static void e100_get_drvinfo(struct net_device *netdev, + static int e100_get_regs_len(struct net_device *netdev) + { + struct nic *nic = netdev_priv(netdev); +- return 1 + E100_PHY_REGS + sizeof(nic->mem->dump_buf); ++ ++ /* We know the number of registers, and the size of the dump buffer. ++ * Calculate the total size in bytes. ++ */ ++ return (1 + E100_PHY_REGS) * sizeof(u32) + sizeof(nic->mem->dump_buf); + } + + static void e100_get_regs(struct net_device *netdev, +-- +2.33.0 + 
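Review bot: the corrected `return (1 + E100_PHY_REGS) * sizeof(u32) + sizeof(nic->mem->dump_buf);` is only right as long as it stays in lockstep with the index arithmetic in e100_get_regs, and the new comment does not say what that layout is; extend `/* We know the number of registers, and the size of the dump buffer. */` to state that buff[0] is the CSR word, buff[1..E100_PHY_REGS] are the PHY registers and the dump buffer follows them, so whoever edits either function sees the dependency. For backport ordering, this patch's post-image index abb65ed9492b is the pre-image that e100-fix-buffer-overrun-in-e100_get_regs.patch expects, so it must be applied first, which the series file does.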
diff --git a/queue-4.9/hwmon-tmp421-fix-rounding-for-negative-values.patch b/queue-4.9/hwmon-tmp421-fix-rounding-for-negative-values.patch new file mode 100644 index 00000000000..43e6f37ed87 --- /dev/null +++ b/queue-4.9/hwmon-tmp421-fix-rounding-for-negative-values.patch 
@@ -0,0 +1,74 @@ +From 855939b03731b2b68721a4bc92e3ff7016b16313 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 12:30:11 +0300 +Subject: hwmon: (tmp421) fix rounding for negative values + +From: Paul Fertser + +[ Upstream commit 724e8af85854c4d3401313b6dd7d79cf792d8990 ] + +Old code produces -24999 for 0b1110011100000000 input in standard format due to +always rounding up rather than "away from zero". + +Use the common macro for division, unify and simplify the conversion code along +the way. + +Fixes: 9410700b881f ("hwmon: Add driver for Texas Instruments TMP421/422/423 sensor chips") +Signed-off-by: Paul Fertser +Link: https://lore.kernel.org/r/20210924093011.26083-3-fercerpav@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/tmp421.c | 24 ++++++++---------------- + 1 file changed, 8 insertions(+), 16 deletions(-) + +diff --git a/drivers/hwmon/tmp421.c b/drivers/hwmon/tmp421.c +index bfb98b96c781..324e7aaeb0b1 100644 +--- a/drivers/hwmon/tmp421.c ++++ b/drivers/hwmon/tmp421.c +@@ -83,23 +83,17 @@ struct tmp421_data { + s16 temp[4]; + }; + +-static int temp_from_s16(s16 reg) ++static int temp_from_raw(u16 reg, bool extended) + { + /* Mask out status bits */ + int temp = reg & ~0xf; + +- return (temp * 1000 + 128) / 256; +-} +- +-static int temp_from_u16(u16 reg) +-{ +- /* Mask out status bits */ +- int temp = reg & ~0xf; +- +- /* Add offset for extended temperature range. 
*/ +- temp -= 64 * 256; ++ if (extended) ++ temp = temp - 64 * 256; ++ else ++ temp = (s16)temp; + +- return (temp * 1000 + 128) / 256; ++ return DIV_ROUND_CLOSEST(temp * 1000, 256); + } + + static struct tmp421_data *tmp421_update_device(struct device *dev) +@@ -136,10 +130,8 @@ static int tmp421_read(struct device *dev, enum hwmon_sensor_types type, + + switch (attr) { + case hwmon_temp_input: +- if (tmp421->config & TMP421_CONFIG_RANGE) +- *val = temp_from_u16(tmp421->temp[channel]); +- else +- *val = temp_from_s16(tmp421->temp[channel]); ++ *val = temp_from_raw(tmp421->temp[channel], ++ tmp421->config & TMP421_CONFIG_RANGE); + return 0; + case hwmon_temp_fault: + /* +-- +2.33.0 + diff --git a/queue-4.9/ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch b/queue-4.9/ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch new file mode 100644 index 00000000000..64171648c5a --- /dev/null +++ b/queue-4.9/ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch 
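Review bot: `temp = (s16)temp;` relies on `int temp = reg & ~0xf;` having left a value in 0..0xFFF0, which holds because `reg` is u16, but the reader has to work that out; a one-line comment that the standard format is two's complement and the cast restores the sign would help. The rounding fix is right: for the 0b1110011100000000 input from the commit message the masked value is 0xE700, the cast gives -6400, and DIV_ROUND_CLOSEST(-6400000, 256) yields -25000 where the old `(temp * 1000 + 128) / 256` truncated -24999.5 toward zero to -24999. Two minor points: `temp = temp - 64 * 256;` can stay in the original `temp -= 64 * 256;` form, and the caller passes `tmp421->config & TMP421_CONFIG_RANGE` (an int bitmask) to a bool parameter, which is valid C but reads more clearly with `!!` or an explicit comparison. The hunk does not show the includes; in a 4.9 tree DIV_ROUND_CLOSEST comes from linux/kernel.h, so confirm it is already pulled in.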
@@ -0,0 +1,46 @@ +From 35755505d0018310bd2dfda4e3bc8e9235bc7427 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 18:08:39 +0200 +Subject: ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 + +From: Andrea Claudi + +[ Upstream commit 69e73dbfda14fbfe748d3812da1244cce2928dcb ] + +ip_vs_conn_tab_bits may be provided by the user through the +conn_tab_bits module parameter. If this value is greater than 31, or +less than 0, the shift operator used to derive tab_size causes undefined +behaviour. + +Fix this checking ip_vs_conn_tab_bits value to be in the range specified +in ipvs Kconfig. If not, simply use default value. + +Fixes: 6f7edb4881bf ("IPVS: Allow boot time change of hash size") +Reported-by: Yi Chen +Signed-off-by: Andrea Claudi +Acked-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_conn.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c +index 096a45103f14..ecde2102d1ad 100644 +--- a/net/netfilter/ipvs/ip_vs_conn.c ++++ b/net/netfilter/ipvs/ip_vs_conn.c +@@ -1406,6 +1406,10 @@ int __init ip_vs_conn_init(void) + int idx; + + /* Compute size and mask */ ++ if (ip_vs_conn_tab_bits < 8 || ip_vs_conn_tab_bits > 20) { ++ pr_info("conn_tab_bits not in [8, 20]. Using default value\n"); ++ ip_vs_conn_tab_bits = CONFIG_IP_VS_TAB_BITS; ++ } + ip_vs_conn_tab_size = 1 << ip_vs_conn_tab_bits; + ip_vs_conn_tab_mask = ip_vs_conn_tab_size - 1; + +-- +2.33.0 + diff --git a/queue-4.9/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch b/queue-4.9/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch new file mode 100644 index 00000000000..d99b128420e --- /dev/null +++ b/queue-4.9/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch 
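Review bot: `pr_info("conn_tab_bits not in [8, 20]. Using default value\n");` drops both the rejected value and the default that replaces it; log both, and consider pr_warn rather than pr_info, since an operator-supplied parameter is being silently overridden and this is what they will search dmesg for. The commit message frames the bug as shifts by values outside 0..31, while the check enforces the tighter Kconfig range 8..20; that is the right choice (a 2^7 or 2^30 table is no more sensible than an undefined shift), but the message should say the Kconfig range is being enforced, not only the UB bound. Placement is correct: the check runs before `ip_vs_conn_tab_size = 1 << ip_vs_conn_tab_bits;`, so the shift and the derived mask are computed from a validated value.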
@@ -0,0 +1,84 @@ +From baf89f40a26169fe09d8f132c8f107f2c5dc05e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Sep 2021 14:45:22 +0200 +Subject: mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap + +From: Lorenzo Bianconi + +[ Upstream commit 13cb6d826e0ac0d144b0d48191ff1a111d32f0c6 ] + +Limit max values for vht mcs and nss in ieee80211_parse_tx_radiotap +routine in order to fix the following warning reported by syzbot: + +WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_rate_set_vht include/net/mac80211.h:989 [inline] +WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244 +Modules linked in: +CPU: 0 PID: 10717 Comm: syz-executor.5 Not tainted 5.14.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:ieee80211_rate_set_vht include/net/mac80211.h:989 [inline] +RIP: 0010:ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244 +RSP: 0018:ffffc9000186f3e8 EFLAGS: 00010216 +RAX: 0000000000000618 RBX: ffff88804ef76500 RCX: ffffc900143a5000 +RDX: 0000000000040000 RSI: ffffffff888f478e RDI: 0000000000000003 +RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000100 +R10: ffffffff888f46f9 R11: 0000000000000000 R12: 00000000fffffff8 +R13: ffff88804ef7653c R14: 0000000000000001 R15: 0000000000000004 +FS: 00007fbf5718f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b2de23000 CR3: 000000006a671000 CR4: 00000000001506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 +Call Trace: + ieee80211_monitor_select_queue+0xa6/0x250 net/mac80211/iface.c:740 + netdev_core_pick_tx+0x169/0x2e0 net/core/dev.c:4089 + __dev_queue_xmit+0x6f9/0x3710 net/core/dev.c:4165 + __bpf_tx_skb net/core/filter.c:2114 [inline] + __bpf_redirect_no_mac 
net/core/filter.c:2139 [inline] + __bpf_redirect+0x5ba/0xd20 net/core/filter.c:2162 + ____bpf_clone_redirect net/core/filter.c:2429 [inline] + bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2401 + bpf_prog_eeb6f53a69e5c6a2+0x59/0x234 + bpf_dispatcher_nop_func include/linux/bpf.h:717 [inline] + __bpf_prog_run include/linux/filter.h:624 [inline] + bpf_prog_run include/linux/filter.h:631 [inline] + bpf_test_run+0x381/0xa30 net/bpf/test_run.c:119 + bpf_prog_test_run_skb+0xb84/0x1ee0 net/bpf/test_run.c:663 + bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline] + __sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605 + __do_sys_bpf kernel/bpf/syscall.c:4691 [inline] + __se_sys_bpf kernel/bpf/syscall.c:4689 [inline] + __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x4665f9 + +Reported-by: syzbot+0196ac871673f0c20f68@syzkaller.appspotmail.com +Fixes: 646e76bb5daf4 ("mac80211: parse VHT info in injected frames") +Signed-off-by: Lorenzo Bianconi +Link: https://lore.kernel.org/r/c26c3f02dcb38ab63b2f2534cb463d95ee81bb13.1632141760.git.lorenzo@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 48d0dd0beaa5..b6942b717a59 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -2064,7 +2064,11 @@ static bool ieee80211_parse_tx_radiotap(struct ieee80211_local *local, + } + + vht_mcs = iterator.this_arg[4] >> 4; ++ if (vht_mcs > 11) ++ vht_mcs = 0; + vht_nss = iterator.this_arg[4] & 0xF; ++ if (!vht_nss || vht_nss > 8) ++ vht_nss = 1; + break; + + /* +-- +2.33.0 + diff --git a/queue-4.9/series b/queue-4.9/series index 3002f0cf160..fddc2caf81e 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
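Review bot: the function is `static bool ieee80211_parse_tx_radiotap`, so an injected frame carrying an out-of-range VHT MCS or NSS could be rejected by returning false instead of being silently rewritten to `vht_mcs = 0` and `vht_nss = 1`; if substitution is deliberate (to keep frames that were previously accepted flowing), add a comment saying so, because a reader of the hunk will otherwise take this for a validation that should drop the frame. The bounds are sensible: NSS 1..8 matches the eight spatial streams VHT defines, the MCS ceiling of 11 admits the non-standard MCS 10/11 rates beyond the 0..9 of the standard, and both checks sit before `break;`, so nothing else in the case consumes the unchecked values. Either way the syzbot WARN at include/net/mac80211.h:989 can no longer be reached through this path.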
@@ -33,3 +33,8 @@ tty-fix-out-of-bound-vmalloc-access-in-imageblit.patch cpufreq-schedutil-use-kobject-release-method-to-free.patch cpufreq-schedutil-destroy-mutex-before-kobject_put-f.patch mac80211-fix-use-after-free-in-ccmp-gcmp-rx.patch +ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch +mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch +hwmon-tmp421-fix-rounding-for-negative-values.patch +e100-fix-length-calculation-in-e100_get_regs_len.patch +e100-fix-buffer-overrun-in-e100_get_regs.patch
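Review bot: the order of the two e100 entries is the only thing to verify in this hunk and it is correct: e100-fix-length-calculation-in-e100_get_regs_len.patch is listed before e100-fix-buffer-overrun-in-e100_get_regs.patch, matching the index lines in the patch files (the length fix takes e100.c from 9035cb5fc70d to abb65ed9492b, which is the pre-image the overrun fix expects). The other three additions touch unrelated files, so their relative order does not matter.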