From: Sasha Levin Date: Sun, 19 Mar 2023 12:04:25 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.14.311~63 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=18e0e44b41bb8cdd609e6563aa6a4112aed88364;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch b/queue-4.14/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch new file mode 100644 index 00000000000..3baf0a762c5 --- /dev/null +++ b/queue-4.14/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch @@ -0,0 +1,38 @@ +From a9d58a4846b493a676988e07350ef2a561f29eb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 14:20:32 +0800 +Subject: block: sunvdc: add check for mdesc_grab() returning NULL + +From: Liang He + +[ Upstream commit 6030363199e3a6341afb467ddddbed56640cbf6a ] + +In vdc_port_probe(), we should check the return value of mdesc_grab() as +it may return NULL, which can cause potential NPD bug. + +Fixes: 43fdf27470b2 ("[SPARC64]: Abstract out mdesc accesses for better MD update handling.") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20230315062032.1741692-1-windhl@126.com +[axboe: style cleanup] +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/sunvdc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c +index ed4d6276e94f3..ebf1e9b7f93b6 100644 +--- a/drivers/block/sunvdc.c ++++ b/drivers/block/sunvdc.c +@@ -940,6 +940,8 @@ static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id) + print_version(); + + hp = mdesc_grab(); ++ if (!hp) ++ return -ENODEV; + + err = -ENODEV; + if ((vdev->dev_no << PARTITION_SHIFT) & ~(u64)MINORMASK) { +-- +2.39.2 + diff --git a/queue-4.14/ethernet-sun-add-check-for-the-mdesc_grab.patch b/queue-4.14/ethernet-sun-add-check-for-the-mdesc_grab.patch new file mode 100644 index 00000000000..f8cc07777f5 --- /dev/null 
+++ b/queue-4.14/ethernet-sun-add-check-for-the-mdesc_grab.patch @@ -0,0 +1,55 @@ +From 3184449dac4606fb4d972796be3951ac4a429214 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 14:00:21 +0800 +Subject: ethernet: sun: add check for the mdesc_grab() + +From: Liang He + +[ Upstream commit 90de546d9a0b3c771667af18bb3f80567eabb89b ] + +In vnet_port_probe() and vsw_port_probe(), we should +check the return value of mdesc_grab() as it may +return NULL which can caused NPD bugs. + +Fixes: 5d01fa0c6bd8 ("ldmvsw: Add ldmvsw.c driver code") +Fixes: 43fdf27470b2 ("[SPARC64]: Abstract out mdesc accesses for better MD update handling.") +Signed-off-by: Liang He +Reviewed-by: Piotr Raczynski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/ldmvsw.c | 3 +++ + drivers/net/ethernet/sun/sunvnet.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/sun/ldmvsw.c b/drivers/net/ethernet/sun/ldmvsw.c +index e6b96c2989b22..f0a8e3598057e 100644 +--- a/drivers/net/ethernet/sun/ldmvsw.c ++++ b/drivers/net/ethernet/sun/ldmvsw.c +@@ -289,6 +289,9 @@ static int vsw_port_probe(struct vio_dev *vdev, const struct vio_device_id *id) + + hp = mdesc_grab(); + ++ if (!hp) ++ return -ENODEV; ++ + rmac = mdesc_get_property(hp, vdev->mp, remote_macaddr_prop, &len); + err = -ENODEV; + if (!rmac) { +diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c +index 02ebbe74d93de..824f5951ad507 100644 +--- a/drivers/net/ethernet/sun/sunvnet.c ++++ b/drivers/net/ethernet/sun/sunvnet.c +@@ -430,6 +430,9 @@ static int vnet_port_probe(struct vio_dev *vdev, const struct vio_device_id *id) + + hp = mdesc_grab(); + ++ if (!hp) ++ return -ENODEV; ++ + vp = vnet_find_parent(hp, vdev->mp, vdev); + if (IS_ERR(vp)) { + pr_err("Cannot find port parent vnet\n"); +-- +2.39.2 + 
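Review bot: in the sunvdc.c hunk (vdc_port_probe), the early `return -ENODEV` after `hp = mdesc_grab();` lands before the existing `err = -ENODEV;` and before anything in the visible context is acquired, so nothing needs releasing on that path; the one thing to confirm is that the function preamble above line 940, which the hunk does not show, allocates nothing that the bare return would leak.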
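Review bot: in the ldmvsw.c hunk (vsw_port_probe), returning -ENODEV directly is correct because the NULL check sits before `mdesc_get_property(hp, ...)`, so with hp being NULL there is nothing to release; the same holds for the sunvnet.c hunk, where the check precedes `vnet_find_parent(hp, ...)`. Both hunks start mid-function (lines 289 and 430), so as with the sunvdc change, confirm that nothing acquired earlier in either probe function is skipped by the bare return.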
diff --git a/queue-4.14/ipv4-fix-incorrect-table-id-in-ioctl-path.patch b/queue-4.14/ipv4-fix-incorrect-table-id-in-ioctl-path.patch new file mode 100644 index 00000000000..da881897185 --- /dev/null +++ b/queue-4.14/ipv4-fix-incorrect-table-id-in-ioctl-path.patch 
@@ -0,0 +1,74 @@ +From e391a84d7d4fa9590afc4dc2fa7b68a15b1b1604 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 14:40:09 +0200 +Subject: ipv4: Fix incorrect table ID in IOCTL path + +From: Ido Schimmel + +[ Upstream commit 8a2618e14f81604a9b6ad305d57e0c8da939cd65 ] + +Commit f96a3d74554d ("ipv4: Fix incorrect route flushing when source +address is deleted") started to take the table ID field in the FIB info +structure into account when determining if two structures are identical +or not. This field is initialized using the 'fc_table' field in the +route configuration structure, which is not set when adding a route via +IOCTL. + +The above can result in user space being able to install two identical +routes that only differ in the table ID field of their associated FIB +info. + +Fix by initializing the table ID field in the route configuration +structure in the IOCTL path. + +Before the fix: + + # ip route add default via 192.0.2.2 + # route add default gw 192.0.2.2 + # ip -4 r show default + # default via 192.0.2.2 dev dummy10 + # default via 192.0.2.2 dev dummy10 + +After the fix: + + # ip route add default via 192.0.2.2 + # route add default gw 192.0.2.2 + SIOCADDRT: File exists + # ip -4 r show default + default via 192.0.2.2 dev dummy10 + +Audited the code paths to ensure there are no other paths that do not +properly initialize the route configuration structure when installing a +route. 
+ +Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs") +Fixes: f96a3d74554d ("ipv4: Fix incorrect route flushing when source address is deleted") +Reported-by: gaoxingwang +Link: https://lore.kernel.org/netdev/20230314144159.2354729-1-gaoxingwang1@huawei.com/ +Tested-by: gaoxingwang +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20230315124009.4015212-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_frontend.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index ee467d744b07d..710f5609b7f4e 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -529,6 +529,9 @@ static int rtentry_to_fib_config(struct net *net, int cmd, struct rtentry *rt, + cfg->fc_scope = RT_SCOPE_UNIVERSE; + } + ++ if (!cfg->fc_table) ++ cfg->fc_table = RT_TABLE_MAIN; ++ + if (cmd == SIOCDELRT) + return 0; + +-- +2.39.2 + diff --git a/queue-4.14/net-iucv-fix-size-of-interrupt-data.patch b/queue-4.14/net-iucv-fix-size-of-interrupt-data.patch new file mode 100644 index 00000000000..ee994a91941 --- /dev/null +++ b/queue-4.14/net-iucv-fix-size-of-interrupt-data.patch 
@@ -0,0 +1,105 @@ +From 1139095279f97c24afd5ce6ff10bd1ee4f23c119 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 14:14:35 +0100 +Subject: net/iucv: Fix size of interrupt data + +From: Alexandra Winter + +[ Upstream commit 3d87debb8ed2649608ff432699e7c961c0c6f03b ] + +iucv_irq_data needs to be 4 bytes larger. +These bytes are not used by the iucv module, but written by +the z/VM hypervisor in case a CPU is deconfigured. + +Reported as: +BUG dma-kmalloc-64 (Not tainted): kmalloc Redzone overwritten +----------------------------------------------------------------------------- +0x0000000000400564-0x0000000000400567 @offset=1380. First byte 0x80 instead of 0xcc +Allocated in iucv_cpu_prepare+0x44/0xd0 age=167839 cpu=2 pid=1 +__kmem_cache_alloc_node+0x166/0x450 +kmalloc_node_trace+0x3a/0x70 +iucv_cpu_prepare+0x44/0xd0 +cpuhp_invoke_callback+0x156/0x2f0 +cpuhp_issue_call+0xf0/0x298 +__cpuhp_setup_state_cpuslocked+0x136/0x338 +__cpuhp_setup_state+0xf4/0x288 +iucv_init+0xf4/0x280 +do_one_initcall+0x78/0x390 +do_initcalls+0x11a/0x140 +kernel_init_freeable+0x25e/0x2a0 +kernel_init+0x2e/0x170 +__ret_from_fork+0x3c/0x58 +ret_from_fork+0xa/0x40 +Freed in iucv_init+0x92/0x280 age=167839 cpu=2 pid=1 +__kmem_cache_free+0x308/0x358 +iucv_init+0x92/0x280 +do_one_initcall+0x78/0x390 +do_initcalls+0x11a/0x140 +kernel_init_freeable+0x25e/0x2a0 +kernel_init+0x2e/0x170 +__ret_from_fork+0x3c/0x58 +ret_from_fork+0xa/0x40 +Slab 0x0000037200010000 objects=32 used=30 fp=0x0000000000400640 flags=0x1ffff00000010200(slab|head|node=0|zone=0| +Object 0x0000000000400540 @offset=1344 fp=0x0000000000000000 +Redzone 0000000000400500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Redzone 0000000000400510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Redzone 0000000000400520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Redzone 0000000000400530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ 
+Object 0000000000400540: 00 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Object 0000000000400550: f3 86 81 f2 f4 82 f8 82 f0 f0 f0 f0 f0 f0 f0 f2 ................ +Object 0000000000400560: 00 00 00 00 80 00 00 00 cc cc cc cc cc cc cc cc ................ +Object 0000000000400570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Redzone 0000000000400580: cc cc cc cc cc cc cc cc ........ +Padding 00000000004005d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ +Padding 00000000004005e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ +Padding 00000000004005f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ +CPU: 6 PID: 121030 Comm: 116-pai-crypto. Not tainted 6.3.0-20230221.rc0.git4.99b8246b2d71.300.fc37.s390x+debug #1 +Hardware name: IBM 3931 A01 704 (z/VM 7.3.0) +Call Trace: +[<000000032aa034ec>] dump_stack_lvl+0xac/0x100 +[<0000000329f5a6cc>] check_bytes_and_report+0x104/0x140 +[<0000000329f5aa78>] check_object+0x370/0x3c0 +[<0000000329f5ede6>] free_debug_processing+0x15e/0x348 +[<0000000329f5f06a>] free_to_partial_list+0x9a/0x2f0 +[<0000000329f5f4a4>] __slab_free+0x1e4/0x3a8 +[<0000000329f61768>] __kmem_cache_free+0x308/0x358 +[<000000032a91465c>] iucv_cpu_dead+0x6c/0x88 +[<0000000329c2fc66>] cpuhp_invoke_callback+0x156/0x2f0 +[<000000032aa062da>] _cpu_down.constprop.0+0x22a/0x5e0 +[<0000000329c3243e>] cpu_device_down+0x4e/0x78 +[<000000032a61dee0>] device_offline+0xc8/0x118 +[<000000032a61e048>] online_store+0x60/0xe0 +[<000000032a08b6b0>] kernfs_fop_write_iter+0x150/0x1e8 +[<0000000329fab65c>] vfs_write+0x174/0x360 +[<0000000329fab9fc>] ksys_write+0x74/0x100 +[<000000032aa03a5a>] __do_syscall+0x1da/0x208 +[<000000032aa177b2>] system_call+0x82/0xb0 +INFO: lockdep is turned off. 
+FIX dma-kmalloc-64: Restoring kmalloc Redzone 0x0000000000400564-0x0000000000400567=0xcc +FIX dma-kmalloc-64: Object at 0x0000000000400540 not freed + +Fixes: 2356f4cb1911 ("[S390]: Rewrite of the IUCV base code, part 2") +Signed-off-by: Alexandra Winter +Link: https://lore.kernel.org/r/20230315131435.4113889-1-wintera@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/iucv/iucv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c +index 8f7ef167c45a7..255a716fa395d 100644 +--- a/net/iucv/iucv.c ++++ b/net/iucv/iucv.c +@@ -119,7 +119,7 @@ struct iucv_irq_data { + u16 ippathid; + u8 ipflags1; + u8 iptype; +- u32 res2[8]; ++ u32 res2[9]; + }; + + struct iucv_irq_list { +-- +2.39.2 + diff --git a/queue-4.14/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch b/queue-4.14/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch new file mode 100644 index 00000000000..47cfe614c78 --- /dev/null +++ b/queue-4.14/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch 
@@ -0,0 +1,44 @@ +From c740fa7a5f39d88dd34c2ab1f9b16b6514eb2dd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Mar 2023 19:34:45 +0100 +Subject: net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status + fails + +From: Heiner Kallweit + +[ Upstream commit c22c3bbf351e4ce905f082649cffa1ff893ea8c1 ] + +If genphy_read_status fails then further access to the PHY may result +in unpredictable behavior. To prevent this bail out immediately if +genphy_read_status fails. + +Fixes: 4223dbffed9f ("net: phy: smsc: Re-enable EDPD mode for LAN87xx") +Signed-off-by: Heiner Kallweit +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/026aa4f2-36f5-1c10-ab9f-cdb17dda6ac4@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/smsc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c +index 2306bfae057f0..d5d96e728683f 100644 +--- a/drivers/net/phy/smsc.c ++++ b/drivers/net/phy/smsc.c +@@ -112,8 +112,11 @@ static int lan911x_config_init(struct phy_device *phydev) + static int lan87xx_read_status(struct phy_device *phydev) + { + struct smsc_phy_priv *priv = phydev->priv; ++ int err; + +- int err = genphy_read_status(phydev); ++ err = genphy_read_status(phydev); ++ if (err) ++ return err; + + if (!phydev->link && priv->energy_enable) { + int i; +-- +2.39.2 + diff --git a/queue-4.14/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch b/queue-4.14/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch new file mode 100644 index 00000000000..0fa0d0fac5a --- /dev/null +++ b/queue-4.14/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch 
@@ -0,0 +1,252 @@ +From 8fe01e64325380a5d025cdcf83c72eee98fffb44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 19:11:09 +0000 +Subject: net: tunnels: annotate lockless accesses to dev->needed_headroom + +From: Eric Dumazet + +[ Upstream commit 4b397c06cb987935b1b097336532aa6b4210e091 ] + +IP tunnels can apparently update dev->needed_headroom +in their xmit path. + +This patch takes care of three tunnels xmit, and also the +core LL_RESERVED_SPACE() and LL_RESERVED_SPACE_EXTRA() +helpers. + +More changes might be needed for completeness. + +BUG: KCSAN: data-race in ip_tunnel_xmit / ip_tunnel_xmit + +read to 0xffff88815b9da0ec of 2 bytes by task 888 on cpu 1: +ip_tunnel_xmit+0x1270/0x1730 net/ipv4/ip_tunnel.c:803 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 
net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 + +write to 0xffff88815b9da0ec of 2 bytes by task 2379 on cpu 0: +ip_tunnel_xmit+0x1294/0x1730 net/ipv4/ip_tunnel.c:804 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip6_finish_output2+0x9bc/0xc50 net/ipv6/ip6_output.c:134 +__ip6_finish_output net/ipv6/ip6_output.c:195 [inline] +ip6_finish_output+0x39a/0x4e0 net/ipv6/ip6_output.c:206 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip6_output+0xeb/0x220 net/ipv6/ip6_output.c:227 +dst_output include/net/dst.h:444 [inline] +NF_HOOK include/linux/netfilter.h:302 [inline] +mld_sendpack+0x438/0x6a0 net/ipv6/mcast.c:1820 +mld_send_cr net/ipv6/mcast.c:2121 [inline] +mld_ifc_work+0x519/0x7b0 net/ipv6/mcast.c:2653 +process_one_work+0x3e6/0x750 kernel/workqueue.c:2390 +worker_thread+0x5f2/0xa10 kernel/workqueue.c:2537 +kthread+0x1ac/0x1e0 kernel/kthread.c:376 
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +value changed: 0x0dd4 -> 0x0e14 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 2379 Comm: kworker/0:0 Not tainted 6.3.0-rc1-syzkaller-00002-g8ca09d5fa354-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 +Workqueue: mld mld_ifc_work + +Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230310191109.2384387-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 6 ++++-- + net/ipv4/ip_tunnel.c | 12 ++++++------ + net/ipv6/ip6_tunnel.c | 4 ++-- + 3 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 1edc2af51e038..2cd7eb2b91739 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -258,9 +258,11 @@ struct hh_cache { + * relationship HH alignment <= LL alignment. 
+ */ + #define LL_RESERVED_SPACE(dev) \ +- ((((dev)->hard_header_len+(dev)->needed_headroom)&~(HH_DATA_MOD - 1)) + HH_DATA_MOD) ++ ((((dev)->hard_header_len + READ_ONCE((dev)->needed_headroom)) \ ++ & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD) + #define LL_RESERVED_SPACE_EXTRA(dev,extra) \ +- ((((dev)->hard_header_len+(dev)->needed_headroom+(extra))&~(HH_DATA_MOD - 1)) + HH_DATA_MOD) ++ ((((dev)->hard_header_len + READ_ONCE((dev)->needed_headroom) + (extra)) \ ++ & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD) + + struct header_ops { + int (*create) (struct sk_buff *skb, struct net_device *dev, +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index e9cf0d1854595..f0e4b3381258c 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -609,10 +609,10 @@ void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, u8 proto) + else if (skb->protocol == htons(ETH_P_IP)) + df = inner_iph->frag_off & htons(IP_DF); + headroom += LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len; +- if (headroom > dev->needed_headroom) +- dev->needed_headroom = headroom; ++ if (headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, headroom); + +- if (skb_cow_head(skb, dev->needed_headroom)) { ++ if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) { + ip_rt_put(rt); + goto tx_dropped; + } +@@ -786,10 +786,10 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + + max_headroom = LL_RESERVED_SPACE(rt->dst.dev) + sizeof(struct iphdr) + + rt->dst.header_len + ip_encap_hlen(&tunnel->encap); +- if (max_headroom > dev->needed_headroom) +- dev->needed_headroom = max_headroom; ++ if (max_headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, max_headroom); + +- if (skb_cow_head(skb, dev->needed_headroom)) { ++ if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) { + ip_rt_put(rt); + dev->stats.tx_dropped++; + kfree_skb(skb); +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index 
639440032c2b8..d59bf0da29124 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1200,8 +1200,8 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield, + */ + max_headroom = LL_RESERVED_SPACE(dst->dev) + sizeof(struct ipv6hdr) + + dst->header_len + t->hlen; +- if (max_headroom > dev->needed_headroom) +- dev->needed_headroom = max_headroom; ++ if (max_headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, max_headroom); + + err = ip6_tnl_encap(skb, t, &proto, fl6); + if (err) +-- +2.39.2 + diff --git a/queue-4.14/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch b/queue-4.14/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch new file mode 100644 index 00000000000..f8d0e87b965 --- /dev/null +++ b/queue-4.14/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch 
@@ -0,0 +1,39 @@ +From c46839490a9d9fd934b650d177791c40bc1e4fb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 23:00:45 +0100 +Subject: net: usb: smsc75xx: Limit packet length to skb->len + +From: Szymon Heidrich + +[ Upstream commit d8b228318935044dafe3a5bc07ee71a1f1424b8d ] + +Packet length retrieved from skb data may be larger than +the actual socket buffer length (up to 9026 bytes). In such +case the cloned skb passed up the network stack will leak +kernel memory contents. + +Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver") +Signed-off-by: Szymon Heidrich +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc75xx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index 8b9fd4e071f3d..b4705dee2b751 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -2225,7 +2225,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + dev->net->stats.rx_frame_errors++; + } else { + /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */ +- if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) { ++ if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) || ++ size > skb->len)) { + netif_dbg(dev, rx_err, dev->net, + "size err rx_cmd_a=0x%08x\n", + rx_cmd_a); +-- +2.39.2 + diff --git a/queue-4.14/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch b/queue-4.14/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch new file mode 100644 index 00000000000..1e10cdbf8c0 --- /dev/null +++ b/queue-4.14/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch 
@@ -0,0 +1,54 @@ +From d728880ef62eca64a6901fc4df48cf961e96467d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 12:05:40 +0100 +Subject: net: usb: smsc75xx: Move packet length check to prevent kernel panic + in skb_pull + +From: Szymon Heidrich + +[ Upstream commit 43ffe6caccc7a1bb9d7442fbab521efbf6c1378c ] + +Packet length check needs to be located after size and align_count +calculation to prevent kernel panic in skb_pull() in case +rx_cmd_a & RX_CMD_A_RED evaluates to true. + +Fixes: d8b228318935 ("net: usb: smsc75xx: Limit packet length to skb->len") +Signed-off-by: Szymon Heidrich +Link: https://lore.kernel.org/r/20230316110540.77531-1-szymon.heidrich@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc75xx.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index b4705dee2b751..313a4b0edc6b3 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -2213,6 +2213,13 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + size = (rx_cmd_a & RX_CMD_A_LEN) - RXW_PADDING; + align_count = (4 - ((size + RXW_PADDING) % 4)) % 4; + ++ if (unlikely(size > skb->len)) { ++ netif_dbg(dev, rx_err, dev->net, ++ "size err rx_cmd_a=0x%08x\n", ++ rx_cmd_a); ++ return 0; ++ } ++ + if (unlikely(rx_cmd_a & RX_CMD_A_RED)) { + netif_dbg(dev, rx_err, dev->net, + "Error rx_cmd_a=0x%08x\n", rx_cmd_a); +@@ -2225,8 +2232,7 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + dev->net->stats.rx_frame_errors++; + } else { + /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */ +- if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) || +- size > skb->len)) { ++ if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) { + netif_dbg(dev, rx_err, dev->net, + "size err rx_cmd_a=0x%08x\n", + rx_cmd_a); +-- +2.39.2 + 
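Review bot: in the fib_frontend.c hunk (rtentry_to_fib_config), keep the conditional form `if (!cfg->fc_table)` rather than an unconditional assignment: one of the Fixes lines cites "net: Don't delete routes in different VRFs", which implies fc_table can already be populated for a VRF device earlier in this function, and overwriting it with RT_TABLE_MAIN would reintroduce that bug. The placement before the `if (cmd == SIOCDELRT) return 0;` early return is also right, since a delete must resolve to the same table as the add it is undoing; a one-line comment saying the default applies to both add and delete would stop someone moving it below the return.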
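Review bot: in the iucv.c hunk, `u32 res2[9]` is a bare size change with no explanation at the definition; the commit message is the only record that the extra word is written by the z/VM hypervisor on CPU deconfigure rather than used by the module. Add a comment on the member saying so, otherwise a later cleanup that shrinks the "unused" reserved area will silently bring back the redzone overwrite reported above.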
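Review bot: in the ip_tunnel.c hunks (ip_md_tunnel_xmit and ip_tunnel_xmit), the value passed to skb_cow_head() is a second, independent `READ_ONCE(dev->needed_headroom)`, not the `headroom`/`max_headroom` just computed; with two CPUs racing as in the KCSAN report, the re-read can return another CPU's smaller update, so this skb may be reserved less than its own computed requirement. Passing `max(max_headroom, READ_ONCE(dev->needed_headroom))` would make the reservation independent of the interleaving; the annotations as written document the race but do not change that outcome.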
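Review bot: the ip6_tunnel.c hunk (ip6_tnl_xmit) annotates only the compare-and-update of dev->needed_headroom, whereas the two ipv4 hunks also wrap the subsequent skb_cow_head() read in READ_ONCE(); if ip6_tnl_xmit has the matching `skb_cow_head(skb, dev->needed_headroom)` further down, outside this hunk, that read is still plain and KCSAN will report the same pair again. The commit message's "More changes might be needed for completeness" suggests this was known; it deserves a follow-up rather than being left half-annotated.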
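Review bot: in the "Limit packet length to skb->len" hunk of smsc75xx.c, the new `size > skb->len` guard is added inside the `else` branch, so the preceding `rx_cmd_a & RX_CMD_A_RED` error path still consumes `size` without it; the follow-up patch in this same queue ("Move packet length check to prevent kernel panic in skb_pull") relocates the check for exactly that reason. Since `size` is derived from `rx_cmd_a`, i.e. from the device, it should be validated against skb->len before any use. Separately, the comment above the check enumerates 4 (CRC) + 2 (COE) + 4 (VLAN) = 10 bytes while the constant adds 12; the comment should say where the other 2 bytes come from.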
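Review bot: in the first hunk of the "Move packet length check" patch (the new check after `align_count` is computed), the truncated-frame path only emits a netif_dbg() and returns 0, while the neighbouring RX_CMD_A_RED path in the second hunk's context increments `dev->net->stats.rx_frame_errors`; a frame whose claimed length exceeds skb->len should likewise bump a counter (rx_length_errors fits) before returning, otherwise a device feeding bogus lengths is invisible in the interface statistics. The placement itself is right: the check now precedes the skb_pull() path the commit message refers to, and `align_count` only uses `size` arithmetically.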
diff --git a/queue-4.14/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch b/queue-4.14/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch new file mode 100644 index 00000000000..bfce566999d --- /dev/null +++ b/queue-4.14/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch 
@@ -0,0 +1,65 @@ +From dfd75a0270eb176d71d45e37b46d7bebcb015ee7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Mar 2023 19:50:50 +0300 +Subject: nfc: pn533: initialize struct pn533_out_arg properly + +From: Fedor Pchelkin + +[ Upstream commit 484b7059796e3bc1cb527caa61dfc60da649b4f6 ] + +struct pn533_out_arg used as a temporary context for out_urb is not +initialized properly. Its uninitialized 'phy' field can be dereferenced in +error cases inside pn533_out_complete() callback function. It causes the +following failure: + +general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc3-next-20230110-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +RIP: 0010:pn533_out_complete.cold+0x15/0x44 drivers/nfc/pn533/usb.c:441 +Call Trace: + + __usb_hcd_giveback_urb+0x2b6/0x5c0 drivers/usb/core/hcd.c:1671 + usb_hcd_giveback_urb+0x384/0x430 drivers/usb/core/hcd.c:1754 + dummy_timer+0x1203/0x32d0 drivers/usb/gadget/udc/dummy_hcd.c:1988 + call_timer_fn+0x1da/0x800 kernel/time/timer.c:1700 + expire_timers+0x234/0x330 kernel/time/timer.c:1751 + __run_timers kernel/time/timer.c:2022 [inline] + __run_timers kernel/time/timer.c:1995 [inline] + run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035 + __do_softirq+0x1fb/0xaf6 kernel/softirq.c:571 + invoke_softirq kernel/softirq.c:445 [inline] + __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650 + irq_exit_rcu+0x9/0x20 kernel/softirq.c:662 + sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107 + +Initialize the field with the pn533_usb_phy currently used. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 
+ +Fixes: 9dab880d675b ("nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()") +Reported-by: syzbot+1e608ba4217c96d1952f@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230309165050.207390-1-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/pn533/usb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c +index c7da364b63584..a2d61d8240246 100644 +--- a/drivers/nfc/pn533/usb.c ++++ b/drivers/nfc/pn533/usb.c +@@ -187,6 +187,7 @@ static int pn533_usb_send_frame(struct pn533 *dev, + print_hex_dump_debug("PN533 TX: ", DUMP_PREFIX_NONE, 16, 1, + out->data, out->len, false); + ++ arg.phy = phy; + init_completion(&arg.done); + cntx = phy->out_urb->context; + phy->out_urb->context = &arg; +-- +2.39.2 + diff --git a/queue-4.14/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch b/queue-4.14/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch new file mode 100644 index 00000000000..a9d272741d0 --- /dev/null +++ b/queue-4.14/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch 
@@ -0,0 +1,72 @@ +From d37da8068319e6bf30dee56042337b4832e7b532 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 00:08:37 +0800 +Subject: nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition + +From: Zheng Wang + +[ Upstream commit 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6 ] + +This bug influences both st_nci_i2c_remove and st_nci_spi_remove. +Take st_nci_i2c_remove as an example. + +In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work +with llt_ndlc_sm_work. + +When it calls ndlc_recv or timeout handler, it will finally call +schedule_work to start the work. + +When we call st_nci_i2c_remove to remove the driver, there +may be a sequence as follows: + +Fix it by finishing the work before cleanup in ndlc_remove + +CPU0 CPU1 + + |llt_ndlc_sm_work +st_nci_i2c_remove | + ndlc_remove | + st_nci_remove | + nci_free_device| + kfree(ndev) | +//free ndlc->ndev | + |llt_ndlc_rcv_queue + |nci_recv_frame + |//use ndlc->ndev + +Fixes: 35630df68d60 ("NFC: st21nfcb: Add driver for STMicroelectronics ST21NFCB NFC chip") +Signed-off-by: Zheng Wang +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230312160837.2040857-1-zyytlz.wz@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/st-nci/ndlc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nfc/st-nci/ndlc.c b/drivers/nfc/st-nci/ndlc.c +index 9477994cf9753..a3dfb3d120210 100644 +--- a/drivers/nfc/st-nci/ndlc.c ++++ b/drivers/nfc/st-nci/ndlc.c +@@ -302,13 +302,15 @@ EXPORT_SYMBOL(ndlc_probe); + + void ndlc_remove(struct llt_ndlc *ndlc) + { +- st_nci_remove(ndlc->ndev); +- + /* cancel timers */ + del_timer_sync(&ndlc->t1_timer); + del_timer_sync(&ndlc->t2_timer); + ndlc->t2_active = false; + ndlc->t1_active = false; ++ /* cancel work */ ++ cancel_work_sync(&ndlc->sm_work); ++ ++ st_nci_remove(ndlc->ndev); + + skb_queue_purge(&ndlc->rcv_q); + skb_queue_purge(&ndlc->send_q); +-- +2.39.2 + 
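Review bot: cancel_work_sync() only guarantees sm_work is not running when it returns; it does not stop ndlc_recv() (which the message says schedules the work) from queuing it again before st_nci_remove() frees ndlc->ndev. The hunk is therefore correct only if the i2c/spi remove paths have already quiesced the transport interrupt before calling ndlc_remove(); that ordering requirement should be stated in a comment above `cancel_work_sync(&ndlc->sm_work);`. Likewise, if llt_ndlc_sm_work can re-arm t1_timer/t2_timer, cancelling the timers before the work leaves a window in which a timer fires after cancel_work_sync() returns and re-schedules the work; clearing t1_active/t2_active first suggests the work checks those flags, but that should be confirmed rather than assumed.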
diff --git a/queue-4.14/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch b/queue-4.14/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch new file mode 100644 index 00000000000..444ad2c5edc --- /dev/null +++ b/queue-4.14/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch @@ -0,0 +1,46 @@ +From b43d87372e3dd20ec39f401c77e7a5216eced18d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 10:13:13 +0900 +Subject: nvmet: avoid potential UAF in nvmet_req_complete() + +From: Damien Le Moal + +[ Upstream commit 6173a77b7e9d3e202bdb9897b23f2a8afe7bf286 ] + +An nvme target ->queue_response() operation implementation may free the +request passed as argument. Such implementation potentially could result +in a use after free of the request pointer when percpu_ref_put() is +called in nvmet_req_complete(). + +Avoid such problem by using a local variable to save the sq pointer +before calling __nvmet_req_complete(), thus avoiding dereferencing the +req pointer after that function call. + +Fixes: a07b4970f464 ("nvmet: add a generic NVMe target") +Signed-off-by: Damien Le Moal +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index e02423d7b3b92..3d2dedd118a71 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -418,8 +418,10 @@ static void __nvmet_req_complete(struct nvmet_req *req, u16 status) + + void nvmet_req_complete(struct nvmet_req *req, u16 status) + { ++ struct nvmet_sq *sq = req->sq; ++ + __nvmet_req_complete(req, status); +- percpu_ref_put(&req->sq->ref); ++ percpu_ref_put(&sq->ref); + } + EXPORT_SYMBOL_GPL(nvmet_req_complete); + +-- +2.39.2 + 
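Review bot: the fix depends on a contract that is not written down anywhere in the visible code: after `__nvmet_req_complete(req, status);` the `req` pointer must be treated as dead because ->queue_response() may free it. Add a comment to that effect above the call, or on __nvmet_req_complete() itself, which is static to this file and may have other callers that also touch req afterwards and need the same audit, so the next person does not reintroduce `req->sq`.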
diff --git a/queue-4.14/qed-qed_dev-guard-against-a-possible-division-by-zer.patch b/queue-4.14/qed-qed_dev-guard-against-a-possible-division-by-zer.patch new file mode 100644 index 00000000000..71ecf9dc730 --- /dev/null +++ b/queue-4.14/qed-qed_dev-guard-against-a-possible-division-by-zer.patch @@ -0,0 +1,46 @@ +From f9a7969473a806e36aa9366ffe5748b031f6cc54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Mar 2023 23:15:56 +0300 +Subject: qed/qed_dev: guard against a possible division by zero + +From: Daniil Tatianin + +[ Upstream commit 1a9dc5610ef89d807acdcfbff93a558f341a44da ] + +Previously we would divide total_left_rate by zero if num_vports +happened to be 1 because non_requested_count is calculated as +num_vports - req_count. Guard against this by validating num_vports at +the beginning and returning an error otherwise. + +Found by Linux Verification Center (linuxtesting.org) with the SVACE +static analysis tool. + +Fixes: bcd197c81f63 ("qed: Add vport WFQ configuration APIs") +Signed-off-by: Daniil Tatianin +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230309201556.191392-1-d-tatianin@yandex-team.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_dev.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c +index 6024b832b4d95..f713277bc517e 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -3897,6 +3897,11 @@ static int qed_init_wfq_param(struct qed_hwfn *p_hwfn, + + num_vports = p_hwfn->qm_info.num_vports; + ++ if (num_vports < 2) { ++ DP_NOTICE(p_hwfn, "Unexpected num_vports: %d\n", num_vports); ++ return -EINVAL; ++ } ++ + /* Accounting for the vports which are configured for WFQ explicitly */ + for (i = 0; i < num_vports; i++) { + u32 tmp_speed; +-- +2.39.2 + 
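Review bot: the guard is on num_vports rather than on the divisor. The message says the division by zero occurs because non_requested_count is computed as num_vports - req_count, so a configuration with num_vports >= 2 in which every vport is explicitly requested would still hit a zero divisor if that is reachable; either check `non_requested_count` at the division site or state in a comment why req_count can never equal num_vports once num_vports >= 2. Minor: the check also rejects num_vports == 0, which is fine, but the DP_NOTICE text could say why at least two vports are needed for WFQ so the reason is clear in the log.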
diff --git a/queue-4.14/series b/queue-4.14/series index 7aa1bcaa1e1..94df7ddb65b 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -1,2 +1,15 @@ ext4-fix-cgroup-writeback-accounting-with-fs-layer-encryption.patch fs-sysfs_emit_at-remove-page_size-alignment-check.patch +tcp-tcp_make_synack-can-be-called-from-process-conte.patch +nfc-pn533-initialize-struct-pn533_out_arg-properly.patch +qed-qed_dev-guard-against-a-possible-division-by-zer.patch +net-tunnels-annotate-lockless-accesses-to-dev-needed.patch +net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch +nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch +net-usb-smsc75xx-limit-packet-length-to-skb-len.patch +nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch +block-sunvdc-add-check-for-mdesc_grab-returning-null.patch +ipv4-fix-incorrect-table-id-in-ioctl-path.patch +net-usb-smsc75xx-move-packet-length-check-to-prevent.patch +net-iucv-fix-size-of-interrupt-data.patch +ethernet-sun-add-check-for-the-mdesc_grab.patch diff --git a/queue-4.14/tcp-tcp_make_synack-can-be-called-from-process-conte.patch b/queue-4.14/tcp-tcp_make_synack-can-be-called-from-process-conte.patch new file mode 100644 index 00000000000..f87a6a711ad --- /dev/null +++ b/queue-4.14/tcp-tcp_make_synack-can-be-called-from-process-conte.patch 
@@ -0,0 +1,64 @@ +From cebda5cca51875eb507a9e6fee21f7067d46951a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 11:07:45 -0800 +Subject: tcp: tcp_make_synack() can be called from process context + +From: Breno Leitao + +[ Upstream commit bced3f7db95ff2e6ca29dc4d1c9751ab5e736a09 ] + +tcp_rtx_synack() now could be called in process context as explained in +0a375c822497 ("tcp: tcp_rtx_synack() can be called from process +context"). + +tcp_rtx_synack() might call tcp_make_synack(), which will touch per-CPU +variables with preemption enabled. This causes the following BUG: + + BUG: using __this_cpu_add() in preemptible [00000000] code: ThriftIO1/5464 + caller is tcp_make_synack+0x841/0xac0 + Call Trace: + + dump_stack_lvl+0x10d/0x1a0 + check_preemption_disabled+0x104/0x110 + tcp_make_synack+0x841/0xac0 + tcp_v6_send_synack+0x5c/0x450 + tcp_rtx_synack+0xeb/0x1f0 + inet_rtx_syn_ack+0x34/0x60 + tcp_check_req+0x3af/0x9e0 + tcp_rcv_state_process+0x59b/0x2030 + tcp_v6_do_rcv+0x5f5/0x700 + release_sock+0x3a/0xf0 + tcp_sendmsg+0x33/0x40 + ____sys_sendmsg+0x2f2/0x490 + __sys_sendmsg+0x184/0x230 + do_syscall_64+0x3d/0x90 + +Avoid calling __TCP_INC_STATS() which will touch per-cpu variables. Use +TCP_INC_STATS() which is safe to be called from context switch. 
+ +Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners") +Signed-off-by: Breno Leitao +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230308190745.780221-1-leitao@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 2a9e55411ac42..8b2d49120ce23 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3300,7 +3300,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst, + th->window = htons(min(req->rsk_rcv_wnd, 65535U)); + tcp_options_write((__be32 *)(th + 1), NULL, &opts); + th->doff = (tcp_header_size >> 2); +- __TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS); ++ TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS); + + #ifdef CONFIG_TCP_MD5SIG + /* Okay, we have all we need - do the md5 hash if needed */ +-- +2.39.2 +
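Review bot: the one-line swap is correct (TCP_INC_STATS uses a preemption-safe per-cpu increment, whereas the double-underscore variant requires preemption to be disabled), but for a 4.14 backport the message relies on 0a375c822497 ("tcp: tcp_rtx_synack() can be called from process context") being present, while the Fixes: tag points at 8336886f786f. Confirm that 0a375c822497 is in the 4.14 queue or already in the tree; if it is not, the process-context call path shown in the trace does not exist in 4.14 and this patch is harmless but does not fix anything there. Either way, noting that dependency in the backport message would help.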