From: Greg Kroah-Hartman Date: Sun, 17 Jun 2018 11:22:44 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.16.17~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=264f55888cc8c07e0cc1ddced49e4c4d88435da4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: atm-zatm-fix-memcmp-casting.patch ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch iwlwifi-pcie-compare-with-number-of-irqs-requested-for-not-number-of-cpus.patch net-dsa-b53-add-bcm5389-support.patch net-qmi_wwan-add-netgear-aircard-779s.patch net-sonic-use-dma_mapping_error.patch netfilter-ebtables-handle-string-from-userspace-with-care.patch platform-x86-asus-wmi-fix-null-pointer-dereference.patch xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch --- diff --git a/queue-4.9/atm-zatm-fix-memcmp-casting.patch b/queue-4.9/atm-zatm-fix-memcmp-casting.patch new file mode 100644 index 00000000000..9ea8b4ba7a5 --- /dev/null +++ b/queue-4.9/atm-zatm-fix-memcmp-casting.patch @@ -0,0 +1,34 @@ +From foo@baz Sun Jun 17 13:06:34 CEST 2018 +From: Ivan Bornyakov +Date: Fri, 25 May 2018 20:49:52 +0300 +Subject: atm: zatm: fix memcmp casting + +From: Ivan Bornyakov + +[ Upstream commit f9c6442a8f0b1dde9e755eb4ff6fa22bcce4eabc ] + +memcmp() returns int, but eprom_try_esi() cast it to unsigned char. One +can lose significant bits and get 0 from non-0 value returned by the +memcmp(). + +Signed-off-by: Ivan Bornyakov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/atm/zatm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/atm/zatm.c ++++ b/drivers/atm/zatm.c +@@ -1151,8 +1151,8 @@ static void eprom_get_byte(struct zatm_d + } + + +-static unsigned char eprom_try_esi(struct atm_dev *dev, unsigned short cmd, +- int offset, int swap) ++static int eprom_try_esi(struct atm_dev *dev, unsigned short cmd, int offset, ++ int swap) + { + unsigned char buf[ZEPROM_SIZE]; + struct zatm_dev *zatm_dev; diff --git a/queue-4.9/ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch b/queue-4.9/ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch new file mode 100644 index 00000000000..41f6a7cc248 --- /dev/null +++ b/queue-4.9/ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch @@ -0,0 +1,146 @@ +From foo@baz Sun Jun 17 13:06:34 CEST 2018 +From: Julian Anastasov +Date: Sat, 19 May 2018 18:22:35 +0300 +Subject: ipvs: fix buffer overflow with sync daemon and service + +From: Julian Anastasov + +[ Upstream commit 52f96757905bbf0edef47f3ee6c7c784e7f8ff8a ] + +syzkaller reports for buffer overflow for interface name +when starting sync daemons [1] + +What we do is that we copy user structure into larger stack +buffer but later we search NUL past the stack buffer. +The same happens for sched_name when adding/editing virtual server. + +We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN +being used as size in include/uapi/linux/ip_vs.h, so they +include the space for NUL. + +As using strlcpy is wrong for unsafe source, replace it with +strscpy and add checks to return EINVAL if source string is not +NUL-terminated. The incomplete strlcpy fix comes from 2.6.13. + +For the netlink interface reduce the len parameter for +IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME, +so that we get proper EINVAL. + +[1] +kernel BUG at lib/string.c:1052! +invalid opcode: 0000 [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051 +RSP: 0018:ffff8801c976f800 EFLAGS: 00010282 +RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000 +RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6 +RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0 +R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20 +R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b +FS: 00007fd99f75e700(0000) GS:ffff8801daf00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + strlen include/linux/string.h:270 [inline] + strlcpy include/linux/string.h:293 [inline] + do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388 + nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] + nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115 + ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253 + udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487 + ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917 + tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057 + sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046 + __sys_setsockopt+0x1bd/0x390 net/socket.c:1903 + __do_sys_setsockopt net/socket.c:1914 [inline] + __se_sys_setsockopt net/socket.c:1911 [inline] + __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911 + do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x447369 +RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 +RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369 +RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000 +R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0 +R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001 +Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb +de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90 +90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56 +RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800 + +Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com +Fixes: e4ff67513096 ("ipvs: add sync_maxlen parameter for the sync daemon") +Fixes: 4da62fc70d7c ("[IPVS]: Fix for overflows") +Signed-off-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipvs/ip_vs_ctl.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2390,8 +2390,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cm + struct ipvs_sync_daemon_cfg cfg; + + memset(&cfg, 0, sizeof(cfg)); +- strlcpy(cfg.mcast_ifn, dm->mcast_ifn, +- sizeof(cfg.mcast_ifn)); ++ ret = -EINVAL; ++ if (strscpy(cfg.mcast_ifn, dm->mcast_ifn, ++ sizeof(cfg.mcast_ifn)) <= 0) ++ goto out_dec; + cfg.syncid = dm->syncid; + ret = start_sync_thread(ipvs, &cfg, dm->state); + } else { +@@ -2429,12 +2431,19 @@ do_ip_vs_set_ctl(struct sock *sk, int cm + } + } + ++ if ((cmd == IP_VS_SO_SET_ADD || cmd == IP_VS_SO_SET_EDIT) && ++ strnlen(usvc.sched_name, IP_VS_SCHEDNAME_MAXLEN) == ++ IP_VS_SCHEDNAME_MAXLEN) { ++ ret = -EINVAL; ++ goto out_unlock; ++ } ++ + /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */ + if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP && + usvc.protocol != IPPROTO_SCTP) { +- pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n", ++ pr_err("set_ctl: invalid protocol: %d %pI4:%d\n", + usvc.protocol, &usvc.addr.ip, +- ntohs(usvc.port), usvc.sched_name); ++ ntohs(usvc.port)); + ret = -EFAULT; + goto out_unlock; + } +@@ -2863,7 +2872,7 @@ static const struct nla_policy ip_vs_cmd + static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = { + [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 }, + [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING, +- .len = IP_VS_IFNAME_MAXLEN }, ++ .len = IP_VS_IFNAME_MAXLEN - 1 }, + [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 }, + [IPVS_DAEMON_ATTR_SYNC_MAXLEN] = { .type = NLA_U16 }, + [IPVS_DAEMON_ATTR_MCAST_GROUP] = { .type = NLA_U32 }, +@@ -2881,7 +2890,7 @@ static const struct nla_policy ip_vs_svc + [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 }, + [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 }, + [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING, +- .len = IP_VS_SCHEDNAME_MAXLEN }, ++ .len = IP_VS_SCHEDNAME_MAXLEN - 1 }, + [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING, + .len = IP_VS_PENAME_MAXLEN }, + [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY, diff --git a/queue-4.9/iwlwifi-pcie-compare-with-number-of-irqs-requested-for-not-number-of-cpus.patch b/queue-4.9/iwlwifi-pcie-compare-with-number-of-irqs-requested-for-not-number-of-cpus.patch new file mode 100644 index 00000000000..14fefdbd270 --- /dev/null +++ b/queue-4.9/iwlwifi-pcie-compare-with-number-of-irqs-requested-for-not-number-of-cpus.patch @@ -0,0 +1,71 @@ +From foo@baz Sun Jun 17 13:06:34 CEST 2018 +From: Hao Wei Tee +Date: Tue, 29 May 2018 10:25:17 +0300 +Subject: iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs + +From: Hao Wei Tee + +[ Upstream commit ab1068d6866e28bf6427ceaea681a381e5870a4a ] + +When there are 16 or more logical CPUs, we request for +`IWL_MAX_RX_HW_QUEUES` (16) IRQs only as we limit to that number of +IRQs, but later on we compare the number of IRQs returned to +nr_online_cpus+2 instead of max_irqs, the latter being what we +actually asked for. This ends up setting num_rx_queues to 17 which +causes lots of out-of-bounds array accesses later on. + +Compare to max_irqs instead, and also add an assertion in case +num_rx_queues > IWM_MAX_RX_HW_QUEUES. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199551 + +Fixes: 2e5d4a8f61dc ("iwlwifi: pcie: Add new configuration to enable MSIX") +Signed-off-by: Hao Wei Tee +Tested-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -1509,14 +1509,13 @@ static void iwl_pcie_set_interrupt_capa( + struct iwl_trans *trans) + { + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); +- int max_irqs, num_irqs, i, ret, nr_online_cpus; ++ int max_irqs, num_irqs, i, ret; + u16 pci_cmd; + + if (!trans->cfg->mq_rx_supported) + goto enable_msi; + +- nr_online_cpus = num_online_cpus(); +- max_irqs = min_t(u32, nr_online_cpus + 2, IWL_MAX_RX_HW_QUEUES); ++ max_irqs = min_t(u32, num_online_cpus() + 2, IWL_MAX_RX_HW_QUEUES); + for (i = 0; i < max_irqs; i++) + trans_pcie->msix_entries[i].entry = i; + +@@ -1542,16 +1541,17 @@ static void iwl_pcie_set_interrupt_capa( + * Two interrupts less: non rx causes shared with FBQ and RSS. + * More than two interrupts: we will use fewer RSS queues. + */ +- if (num_irqs <= nr_online_cpus) { ++ if (num_irqs <= max_irqs - 2) { + trans_pcie->trans->num_rx_queues = num_irqs + 1; + trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX | + IWL_SHARED_IRQ_FIRST_RSS; +- } else if (num_irqs == nr_online_cpus + 1) { ++ } else if (num_irqs == max_irqs - 1) { + trans_pcie->trans->num_rx_queues = num_irqs; + trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX; + } else { + trans_pcie->trans->num_rx_queues = num_irqs - 1; + } ++ WARN_ON(trans_pcie->trans->num_rx_queues > IWL_MAX_RX_HW_QUEUES); + + trans_pcie->alloc_vecs = num_irqs; + trans_pcie->msix_enabled = true; diff --git a/queue-4.9/net-dsa-b53-add-bcm5389-support.patch b/queue-4.9/net-dsa-b53-add-bcm5389-support.patch new file mode 100644 index 00000000000..3d8369790fa --- /dev/null +++ b/queue-4.9/net-dsa-b53-add-bcm5389-support.patch @@ -0,0 +1,100 @@ +From foo@baz Sun Jun 17 13:06:34 CEST 2018 +From: "Damien Thébault" +Date: Thu, 31 May 2018 07:04:01 +0000 +Subject: net: dsa: b53: Add BCM5389 support + +From: "Damien Thébault" + +[ Upstream commit a95691bc54af1ac4b12c354f91e9cabf1cb068df ] + +This patch adds support for the BCM5389 switch connected through MDIO. + +Signed-off-by: Damien Thébault +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/net/dsa/b53.txt | 1 + + drivers/net/dsa/b53/b53_common.c | 13 +++++++++++++ + drivers/net/dsa/b53/b53_mdio.c | 5 ++++- + drivers/net/dsa/b53/b53_priv.h | 1 + + 4 files changed, 19 insertions(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/net/dsa/b53.txt ++++ b/Documentation/devicetree/bindings/net/dsa/b53.txt +@@ -10,6 +10,7 @@ Required properties: + "brcm,bcm53128" + "brcm,bcm5365" + "brcm,bcm5395" ++ "brcm,bcm5389" + "brcm,bcm5397" + "brcm,bcm5398" + +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1516,6 +1516,18 @@ static const struct b53_chip_data b53_sw + .duplex_reg = B53_DUPLEX_STAT_FE, + }, + { ++ .chip_id = BCM5389_DEVICE_ID, ++ .dev_name = "BCM5389", ++ .vlans = 4096, ++ .enabled_ports = 0x1f, ++ .arl_entries = 4, ++ .cpu_port = B53_CPU_PORT, ++ .vta_regs = B53_VTA_REGS, ++ .duplex_reg = B53_DUPLEX_STAT_GE, ++ .jumbo_pm_reg = B53_JUMBO_PORT_MASK, ++ .jumbo_size_reg = B53_JUMBO_MAX_SIZE, ++ }, ++ { + .chip_id = BCM5395_DEVICE_ID, + .dev_name = "BCM5395", + .vlans = 4096, +@@ -1825,6 +1837,7 @@ int b53_switch_detect(struct b53_device + else + dev->chip_id = BCM5365_DEVICE_ID; + break; ++ case BCM5389_DEVICE_ID: + case BCM5395_DEVICE_ID: + case BCM5397_DEVICE_ID: + case BCM5398_DEVICE_ID: +--- a/drivers/net/dsa/b53/b53_mdio.c ++++ b/drivers/net/dsa/b53/b53_mdio.c +@@ -285,6 +285,7 @@ static const struct b53_io_ops b53_mdio_ + #define B53_BRCM_OUI_1 0x0143bc00 + #define B53_BRCM_OUI_2 0x03625c00 + #define B53_BRCM_OUI_3 0x00406000 ++#define B53_BRCM_OUI_4 0x01410c00 + + static int b53_mdio_probe(struct mdio_device *mdiodev) + { +@@ -311,7 +312,8 @@ static int b53_mdio_probe(struct mdio_de + */ + if ((phy_id & 0xfffffc00) != B53_BRCM_OUI_1 && + (phy_id & 0xfffffc00) != B53_BRCM_OUI_2 && +- (phy_id & 0xfffffc00) != B53_BRCM_OUI_3) { ++ (phy_id & 0xfffffc00) != B53_BRCM_OUI_3 && ++ (phy_id & 0xfffffc00) != B53_BRCM_OUI_4) { + dev_err(&mdiodev->dev, "Unsupported device: 0x%08x\n", phy_id); + return -ENODEV; + } +@@ -360,6 +362,7 @@ static const struct of_device_id b53_of_ + { .compatible = "brcm,bcm53125" }, + { .compatible = "brcm,bcm53128" }, + { .compatible = "brcm,bcm5365" }, ++ { .compatible = "brcm,bcm5389" }, + { .compatible = "brcm,bcm5395" }, + { .compatible = "brcm,bcm5397" }, + { .compatible = "brcm,bcm5398" }, +--- a/drivers/net/dsa/b53/b53_priv.h ++++ b/drivers/net/dsa/b53/b53_priv.h +@@ -47,6 +47,7 @@ struct b53_io_ops { + enum { + BCM5325_DEVICE_ID = 0x25, + BCM5365_DEVICE_ID = 0x65, ++ BCM5389_DEVICE_ID = 0x89, + BCM5395_DEVICE_ID = 0x95, + BCM5397_DEVICE_ID = 0x97, + BCM5398_DEVICE_ID = 0x98, diff --git a/queue-4.9/net-qmi_wwan-add-netgear-aircard-779s.patch b/queue-4.9/net-qmi_wwan-add-netgear-aircard-779s.patch new file mode 100644 index 00000000000..bed8cad9704 --- /dev/null +++ b/queue-4.9/net-qmi_wwan-add-netgear-aircard-779s.patch @@ -0,0 +1,30 @@ +From foo@baz Sun Jun 17 13:06:34 CEST 2018 +From: Josh Hill +Date: Sun, 27 May 2018 20:10:41 -0400 +Subject: net: qmi_wwan: Add Netgear Aircard 779S + +From: Josh Hill + +[ Upstream commit 2415f3bd059fe050eb98aedf93664d000ceb4e92 ] + +Add support for Netgear Aircard 779S + +Signed-off-by: Josh Hill +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -808,6 +808,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x05c6, 0x920d, 5)}, + {QMI_QUIRK_SET_DTR(0x05c6, 0x9625, 4)}, /* YUGA CLM920-NC5 */ + {QMI_FIXED_INTF(0x0846, 0x68a2, 8)}, ++ {QMI_FIXED_INTF(0x0846, 0x68d3, 8)}, /* Netgear Aircard 779S */ + {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */ + {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */ + {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */ diff --git a/queue-4.9/net-sonic-use-dma_mapping_error.patch b/queue-4.9/net-sonic-use-dma_mapping_error.patch new file mode 100644 index 00000000000..a83fd2cc780 --- /dev/null +++ b/queue-4.9/net-sonic-use-dma_mapping_error.patch @@ -0,0 +1,34 @@ +From foo@baz Sun Jun 17 13:06:34 CEST 2018 +From: Finn Thain +Date: Wed, 30 May 2018 13:03:51 +1000 +Subject: net/sonic: Use dma_mapping_error() + +From: Finn Thain + +[ Upstream commit 26de0b76d9ba3200f09c6cb9d9618bda338be5f7 ] + +With CONFIG_DMA_API_DEBUG=y, calling sonic_open() produces the +message, "DMA-API: device driver failed to check map error". +Add the missing dma_mapping_error() call. + +Cc: Thomas Bogendoerfer +Signed-off-by: Finn Thain +Acked-by: Thomas Bogendoerfer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/natsemi/sonic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/natsemi/sonic.c ++++ b/drivers/net/ethernet/natsemi/sonic.c +@@ -71,7 +71,7 @@ static int sonic_open(struct net_device + for (i = 0; i < SONIC_NUM_RRS; i++) { + dma_addr_t laddr = dma_map_single(lp->device, skb_put(lp->rx_skb[i], SONIC_RBSIZE), + SONIC_RBSIZE, DMA_FROM_DEVICE); +- if (!laddr) { ++ if (dma_mapping_error(lp->device, laddr)) { + while(i > 0) { /* free any that were mapped successfully */ + i--; + dma_unmap_single(lp->device, lp->rx_laddr[i], SONIC_RBSIZE, DMA_FROM_DEVICE); diff --git a/queue-4.9/netfilter-ebtables-handle-string-from-userspace-with-care.patch b/queue-4.9/netfilter-ebtables-handle-string-from-userspace-with-care.patch new file mode 100644 index 00000000000..cca48e6810e --- /dev/null +++ b/queue-4.9/netfilter-ebtables-handle-string-from-userspace-with-care.patch @@ -0,0 +1,100 @@ +From foo@baz Sun Jun 17 13:06:34 CEST 2018 +From: Paolo Abeni +Date: Fri, 27 Apr 2018 10:45:31 +0200 +Subject: netfilter: ebtables: handle string from userspace with care + +From: Paolo Abeni + +[ Upstream commit 94c752f99954797da583a84c4907ff19e92550a4 ] + +strlcpy() can't be safely used on a user-space provided string, +as it can try to read beyond the buffer's end, if the latter is +not NULL terminated. + +Leveraging the above, syzbot has been able to trigger the following +splat: + +BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 +[inline] +BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user +net/bridge/netfilter/ebtables.c:1957 [inline] +BUG: KASAN: stack-out-of-bounds in ebt_size_mwt +net/bridge/netfilter/ebtables.c:2059 [inline] +BUG: KASAN: stack-out-of-bounds in size_entry_mwt +net/bridge/netfilter/ebtables.c:2155 [inline] +BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0 +net/bridge/netfilter/ebtables.c:2194 +Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504 + +CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1b9/0x294 lib/dump_stack.c:113 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + memcpy+0x37/0x50 mm/kasan/kasan.c:303 + strlcpy include/linux/string.h:300 [inline] + compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline] + ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline] + size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline] + compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194 + compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285 + compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367 + compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline] + compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156 + compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279 + inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041 + compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901 + compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050 + __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403 + __do_compat_sys_setsockopt net/compat.c:416 [inline] + __se_compat_sys_setsockopt net/compat.c:413 [inline] + __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413 + do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline] + do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394 + entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 +RIP: 0023:0xf7fb3cb9 +RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000 +RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +The buggy address belongs to the page: +page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +flags: 0x2fffc0000000000() +raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff +raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000 +page dumped because: kasan: bad access detected + +Fix the issue replacing the unsafe function with strscpy() and +taking care of possible errors. + +Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") +Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/netfilter/ebtables.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1923,7 +1923,8 @@ static int compat_mtw_from_user(struct c + int off, pad = 0; + unsigned int size_kern, match_size = mwt->match_size; + +- strlcpy(name, mwt->u.name, sizeof(name)); ++ if (strscpy(name, mwt->u.name, sizeof(name)) < 0) ++ return -EINVAL; + + if (state->buf_kern_start) + dst = state->buf_kern_start + state->buf_kern_offset; diff --git a/queue-4.9/platform-x86-asus-wmi-fix-null-pointer-dereference.patch b/queue-4.9/platform-x86-asus-wmi-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..c0feac0308d --- /dev/null +++ b/queue-4.9/platform-x86-asus-wmi-fix-null-pointer-dereference.patch @@ -0,0 +1,122 @@ +From foo@baz Sun Jun 17 13:06:34 CEST 2018 +From: "João Paulo Rechi Vita" +Date: Tue, 22 May 2018 14:30:15 -0700 +Subject: platform/x86: asus-wmi: Fix NULL pointer dereference + +From: "João Paulo Rechi Vita" + +[ Upstream commit 32ffd6e8d1f6cef94bedca15dfcdebdeb590499d ] + +Do not perform the rfkill cleanup routine when +(asus->driver->wlan_ctrl_by_user && ashs_present()) is true, since +nothing is registered with the rfkill subsystem in that case. Doing so +leads to the following kernel NULL pointer dereference: + + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [] __mutex_lock_slowpath+0x98/0x120 + PGD 1a3aa8067 + PUD 1a3b3d067 + PMD 0 + + Oops: 0002 [#1] PREEMPT SMP + Modules linked in: bnep ccm binfmt_misc uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core hid_a4tech videodev x86_pkg_temp_thermal intel_powerclamp coretemp ath3k btusb btrtl btintel bluetooth kvm_intel snd_hda_codec_hdmi kvm snd_hda_codec_realtek snd_hda_codec_generic irqbypass crc32c_intel arc4 i915 snd_hda_intel snd_hda_codec ath9k ath9k_common ath9k_hw ath i2c_algo_bit snd_hwdep mac80211 ghash_clmulni_intel snd_hda_core snd_pcm snd_timer cfg80211 ehci_pci xhci_pci drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm xhci_hcd ehci_hcd asus_nb_wmi(-) asus_wmi sparse_keymap r8169 rfkill mxm_wmi serio_raw snd mii mei_me lpc_ich i2c_i801 video soundcore mei i2c_smbus wmi i2c_core mfd_core + CPU: 3 PID: 3275 Comm: modprobe Not tainted 4.9.34-gentoo #34 + Hardware name: ASUSTeK COMPUTER INC. K56CM/K56CM, BIOS K56CM.206 08/21/2012 + task: ffff8801a639ba00 task.stack: ffffc900014cc000 + RIP: 0010:[] [] __mutex_lock_slowpath+0x98/0x120 + RSP: 0018:ffffc900014cfce0 EFLAGS: 00010282 + RAX: 0000000000000000 RBX: ffff8801a54315b0 RCX: 00000000c0000100 + RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8801a54315b4 + RBP: ffffc900014cfd30 R08: 0000000000000000 R09: 0000000000000002 + R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801a54315b4 + R13: ffff8801a639ba00 R14: 00000000ffffffff R15: ffff8801a54315b8 + FS: 00007faa254fb700(0000) GS:ffff8801aef80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000001a3b1b000 CR4: 00000000001406e0 + Stack: + ffff8801a54315b8 0000000000000000 ffffffff814733ae ffffc900014cfd28 + ffffffff8146a28c ffff8801a54315b0 0000000000000000 ffff8801a54315b0 + ffff8801a66f3820 0000000000000000 ffffc900014cfd48 ffffffff816c73e7 + Call Trace: + [] ? acpi_ut_release_mutex+0x5d/0x61 + [] ? acpi_ns_get_node+0x49/0x52 + [] mutex_lock+0x17/0x30 + [] asus_rfkill_hotplug+0x24/0x1a0 [asus_wmi] + [] asus_wmi_rfkill_exit+0x61/0x150 [asus_wmi] + [] asus_wmi_remove+0x61/0xb0 [asus_wmi] + [] platform_drv_remove+0x28/0x40 + [] __device_release_driver+0xa1/0x160 + [] device_release_driver+0x23/0x30 + [] bus_remove_device+0xfd/0x170 + [] device_del+0x139/0x270 + [] platform_device_del+0x28/0x90 + [] platform_device_unregister+0x12/0x30 + [] asus_wmi_unregister_driver+0x19/0x30 [asus_wmi] + [] asus_nb_wmi_exit+0x10/0xf26 [asus_nb_wmi] + [] SyS_delete_module+0x192/0x270 + [] ? exit_to_usermode_loop+0x92/0xa0 + [] entry_SYSCALL_64_fastpath+0x13/0x94 + Code: e8 5e 30 00 00 8b 03 83 f8 01 0f 84 93 00 00 00 48 8b 43 10 4c 8d 7b 08 48 89 63 10 41 be ff ff ff ff 4c 89 3c 24 48 89 44 24 08 <48> 89 20 4c 89 6c 24 10 eb 1d 4c 89 e7 49 c7 45 08 02 00 00 00 + RIP [] __mutex_lock_slowpath+0x98/0x120 + RSP + CR2: 0000000000000000 + ---[ end trace 8d484233fa7cb512 ]--- + note: modprobe[3275] exited with preempt_count 2 + +https://bugzilla.kernel.org/show_bug.cgi?id=196467 + +Reported-by: red.f0xyz@gmail.com +Signed-off-by: João Paulo Rechi Vita +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/asus-wmi.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -161,6 +161,16 @@ MODULE_LICENSE("GPL"); + + static const char * const ashs_ids[] = { "ATK4001", "ATK4002", NULL }; + ++static bool ashs_present(void) ++{ ++ int i = 0; ++ while (ashs_ids[i]) { ++ if (acpi_dev_found(ashs_ids[i++])) ++ return true; ++ } ++ return false; ++} ++ + struct bios_args { + u32 arg0; + u32 arg1; +@@ -966,6 +976,9 @@ static int asus_new_rfkill(struct asus_w + + static void asus_wmi_rfkill_exit(struct asus_wmi *asus) + { ++ if (asus->driver->wlan_ctrl_by_user && ashs_present()) ++ return; ++ + asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P5"); + asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P6"); + asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P7"); +@@ -2062,16 +2075,6 @@ static int asus_wmi_fan_init(struct asus + return 0; + } + +-static bool ashs_present(void) +-{ +- int i = 0; +- while (ashs_ids[i]) { +- if (acpi_dev_found(ashs_ids[i++])) +- return true; +- } +- return false; +-} +- + /* + * WMI Driver + */ diff --git a/queue-4.9/series b/queue-4.9/series index 8319abcc016..f87a32323c2 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -1 +1,10 @@ objtool-ignore.patch +xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch +netfilter-ebtables-handle-string-from-userspace-with-care.patch +ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch +iwlwifi-pcie-compare-with-number-of-irqs-requested-for-not-number-of-cpus.patch +atm-zatm-fix-memcmp-casting.patch +net-qmi_wwan-add-netgear-aircard-779s.patch +platform-x86-asus-wmi-fix-null-pointer-dereference.patch +net-sonic-use-dma_mapping_error.patch +net-dsa-b53-add-bcm5389-support.patch diff --git a/queue-4.9/xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch b/queue-4.9/xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch new file mode 100644 index 00000000000..c6361df210d --- /dev/null +++ b/queue-4.9/xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch @@ -0,0 +1,97 @@ +From foo@baz Sun Jun 17 13:06:34 CEST 2018 +From: Eric Dumazet +Date: Sat, 12 May 2018 02:49:30 -0700 +Subject: xfrm6: avoid potential infinite loop in _decode_session6() + +From: Eric Dumazet + +[ Upstream commit d9f92772e8ec388d070752ee8f187ef8fa18621f ] + +syzbot found a way to trigger an infinitie loop by overflowing +@offset variable that has been forced to use u16 for some very +obscure reason in the past. + +We probably want to look at NEXTHDR_FRAGMENT handling which looks +wrong, in a separate patch. + +In net-next, we shall try to use skb_header_pointer() instead of +pskb_may_pull(). + +watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553] +Modules linked in: +irq event stamp: 13885653 +hardirqs last enabled at (13885652): [] restore_regs_and_return_to_kernel+0x0/0x2b +hardirqs last disabled at (13885653): [] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625 +softirqs last enabled at (13614028): [] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline] +softirqs last enabled at (13614028): [] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825 +softirqs last disabled at (13614032): [] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942 +CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline] +RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101 +RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 +RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006 +RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277 +RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8 +R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f +R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8 +FS: 0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150 + __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368 + xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline] + icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372 + icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551 + icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43 + ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305 + NF_HOOK include/linux/netfilter.h:288 [inline] + ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327 + dst_input include/net/dst.h:450 [inline] + ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71 + NF_HOOK include/linux/netfilter.h:288 [inline] + ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208 + __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646 + __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711 + netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785 + napi_frags_finish net/core/dev.c:5226 [inline] + napi_gro_frags+0x631/0xc40 net/core/dev.c:5299 + tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951 + tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996 + call_write_iter include/linux/fs.h:1784 [inline] + do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680 + do_iter_write+0x185/0x5f0 fs/read_write.c:959 + vfs_writev+0x1c7/0x330 fs/read_write.c:1004 + do_writev+0x112/0x2f0 fs/read_write.c:1039 + __do_sys_writev fs/read_write.c:1112 [inline] + __se_sys_writev fs/read_write.c:1109 [inline] + __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109 + do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Cc: Steffen Klassert +Cc: Nicolas Dichtel +Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/xfrm6_policy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/xfrm6_policy.c ++++ b/net/ipv6/xfrm6_policy.c +@@ -121,7 +121,7 @@ _decode_session6(struct sk_buff *skb, st + struct flowi6 *fl6 = &fl->u.ip6; + int onlyproto = 0; + const struct ipv6hdr *hdr = ipv6_hdr(skb); +- u16 offset = sizeof(*hdr); ++ u32 offset = sizeof(*hdr); + struct ipv6_opt_hdr *exthdr; + const unsigned char *nh = skb_network_header(skb); + u16 nhoff = IP6CB(skb)->nhoff;