From: Greg Kroah-Hartman
Date: Mon, 22 Aug 2022 09:22:47 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v4.9.326~56
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4722c5d9a0fe89696218682909a8eda3b66f81f0;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch
xen-xenbus-fix-return-type-in-xenbus_file_read.patch
---
diff --git a/queue-5.4/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch b/queue-5.4/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
new file mode 100644
index 00000000000..fc1ee320517
--- /dev/null
+++ b/queue-5.4/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
@@ -0,0 +1,51 @@
+From 3f4093e2bf4673f218c0bf17d8362337c400e77b Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Fri, 5 Aug 2022 15:00:08 +0800
+Subject: atm: idt77252: fix use-after-free bugs caused by tst_timer
+
+From: Duoming Zhou
+
+commit 3f4093e2bf4673f218c0bf17d8362337c400e77b upstream.
+
+There are use-after-free bugs caused by tst_timer. The root cause
+is that there are no functions to stop tst_timer in idt77252_exit().
+One of the possible race conditions is shown below:
+
+ (thread 1) | (thread 2)
+ | idt77252_init_one
+ | init_card
+ | fill_tst
+ | mod_timer(&card->tst_timer, ...)
+idt77252_exit | (wait a time)
+ | tst_timer
+ |
+ | ...
+ kfree(card) // FREE |
+ | card->soft_tst[e] // USE
+
+The idt77252_dev is deallocated in idt77252_exit() and used in
+timer handler.
+
+This patch adds del_timer_sync() in idt77252_exit() in order that
+the timer handler could be stopped before the idt77252_dev is
+deallocated.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Duoming Zhou
+Link: https://lore.kernel.org/r/20220805070008.18007-1-duoming@zju.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/atm/idt77252.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/atm/idt77252.c
++++ b/drivers/atm/idt77252.c
+@@ -3766,6 +3766,7 @@ static void __exit idt77252_exit(void)
+ card = idt77252_chain;
+ dev = card->atmdev;
+ idt77252_chain = card->next;
++ del_timer_sync(&card->tst_timer);
+
+ if (dev->phy->stop)
+ dev->phy->stop(dev);
diff --git a/queue-5.4/dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch b/queue-5.4/dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
new file mode 100644
index 00000000000..a1cdeab7167
--- /dev/null
+++ b/queue-5.4/dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
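Review bot: In the idt77252.c hunk, `del_timer_sync(&card->tst_timer)` runs at the top of the idt77252_exit() loop body, before `dev->phy->stop(dev)` and the rest of the teardown, which lies outside the hunk. The commit message shows fill_tst() arming the timer with mod_timer(), so if any later teardown step can still reach that path, the timer could be re-armed before kfree(card) and the use-after-free would remain; this cannot be confirmed from the visible lines. I would record the requirement on the new line with a comment such as `/* tst_timer handler dereferences card; nothing below may re-arm it */`, or move the call to immediately before the free if a later step can re-arm it.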
@@ -0,0 +1,34 @@
+From e34f49348f8b7a53205b6f77707a3a6a40cf420b Mon Sep 17 00:00:00 2001
+From: Chen Lin
+Date: Thu, 11 Aug 2022 23:16:51 +0800
+Subject: dpaa2-eth: trace the allocated address instead of page struct
+
+From: Chen Lin
+
+commit e34f49348f8b7a53205b6f77707a3a6a40cf420b upstream.
+
+We should trace the allocated address instead of page struct.
+
+Fixes: 27c874867c4e ("dpaa2-eth: Use a single page per Rx buffer")
+Signed-off-by: Chen Lin
+Reviewed-by: Ioana Ciornei
+Link: https://lore.kernel.org/r/20220811151651.3327-1-chen45464546@163.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -971,8 +971,8 @@ static int add_bufs(struct dpaa2_eth_pri
+ buf_array[i] = addr;
+
+ /* tracing point */
+- trace_dpaa2_eth_buf_seed(priv->net_dev,
+- page, DPAA2_ETH_RX_BUF_RAW_SIZE,
++ trace_dpaa2_eth_buf_seed(priv->net_dev, page_address(page),
++ DPAA2_ETH_RX_BUF_RAW_SIZE,
+ addr, priv->rx_buf_size,
+ bpid);
+ }
diff --git a/queue-5.4/nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch b/queue-5.4/nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
new file mode 100644
index 00000000000..c628dc1bbc7
--- /dev/null
+++ b/queue-5.4/nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
@@ -0,0 +1,43 @@
+From 4ae97cae07e15d41e5c0ebabba64c6eefdeb0bbe Mon Sep 17 00:00:00 2001
+From: Yu Xiao
+Date: Tue, 2 Aug 2022 10:33:55 +0100
+Subject: nfp: ethtool: fix the display error of `ethtool -m DEVNAME`
+
+From: Yu Xiao
+
+commit 4ae97cae07e15d41e5c0ebabba64c6eefdeb0bbe upstream.
+
+The port flag isn't set to `NFP_PORT_CHANGED` when using
+`ethtool -m DEVNAME` before, so the port state (e.g. interface)
+cannot be updated. Therefore, it caused that `ethtool -m DEVNAME`
+sometimes cannot read the correct information.
+
+E.g. `ethtool -m DEVNAME` cannot work when load driver before plug
+in optical module, as the port interface is still NONE without port
+update.
+
+Now update the port state before sending info to NIC to ensure that
+port interface is correct (latest state).
+
+Fixes: 61f7c6f44870 ("nfp: implement ethtool get module EEPROM")
+Reviewed-by: Louis Peens
+Signed-off-by: Yu Xiao
+Signed-off-by: Simon Horman
+Link: https://lore.kernel.org/r/20220802093355.69065-1-simon.horman@corigine.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+@@ -1127,6 +1127,8 @@ nfp_port_get_module_info(struct net_devi
+ u8 data;
+
+ port = nfp_port_from_netdev(netdev);
++ /* update port state to get latest interface */
++ set_bit(NFP_PORT_CHANGED, &port->flags);
+ eth_port = nfp_port_get_eth_port(port);
+ if (!eth_port)
+ return -EOPNOTSUPP;
diff --git a/queue-5.4/ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch b/queue-5.4/ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch
new file mode 100644
index 00000000000..842fe115887
--- /dev/null
+++ b/queue-5.4/ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch
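Review bot: In nfp_port_get_module_info(), the added `set_bit(NFP_PORT_CHANGED, &port->flags);` uses `port` straight after nfp_port_from_netdev() with no NULL check. Whether that lookup can return NULL is not visible in this hunk, but the next statement already treats a failed lookup (`!eth_port`) as -EOPNOTSUPP, so the new line may be the first unguarded use of `port` on this ethtool path. I would guard it with `if (!port) return -EOPNOTSUPP;` placed before the set_bit(). The function body starts and continues outside the hunk.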
@@ -0,0 +1,52 @@
+From 45e1058b77feade4e36402828bfe3e0d3363177b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 20 Jul 2022 21:28:18 +0300
+Subject: NTB: ntb_tool: uninitialized heap data in tool_fn_write()
+
+From: Dan Carpenter
+
+commit 45e1058b77feade4e36402828bfe3e0d3363177b upstream.
+
+The call to:
+
+ ret = simple_write_to_buffer(buf, size, offp, ubuf, size);
+
+will return success if it is able to write even one byte to "buf".
+The value of "*offp" controls which byte. This could result in
+reading uninitialized data when we do the sscanf() on the next line.
+
+This code is not really desigined to handle partial writes where
+*offp is non-zero and the "buf" is preserved and re-used between writes.
+Just ban partial writes and replace the simple_write_to_buffer() with
+copy_from_user().
+
+Fixes: 578b881ba9c4 ("NTB: Add tool test client")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Jon Mason
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ntb/test/ntb_tool.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/ntb/test/ntb_tool.c
++++ b/drivers/ntb/test/ntb_tool.c
+@@ -367,14 +367,16 @@ static ssize_t tool_fn_write(struct tool
+ u64 bits;
+ int n;
+
++ if (*offp)
++ return 0;
++
+ buf = kmalloc(size + 1, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+- ret = simple_write_to_buffer(buf, size, offp, ubuf, size);
+- if (ret < 0) {
++ if (copy_from_user(buf, ubuf, size)) {
+ kfree(buf);
+- return ret;
++ return -EFAULT;
+ }
+
+ buf[size] = 0;
diff --git a/queue-5.4/series b/queue-5.4/series
index af365d875bf..e8634929a9b 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
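Review bot: The new early exit in tool_fn_write(), `if (*offp) return 0;`, reports zero bytes written instead of an error. A writer that retries short writes can keep looping on a 0 return, and the commit message says the intent is to ban partial writes, so `return -EINVAL;` would state that directly. Separately, `size` goes unchanged into `kmalloc(size + 1, GFP_KERNEL)` and `copy_from_user()`, and no upper bound is visible in the hunk, so the allocation size depends on whatever limit the caller imposes. The function starts and ends outside the hunk.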
@@ -321,3 +321,8 @@ vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch
 dt-bindings-arm-qcom-fix-msm8916-mtp-compatibles.patch
 tools-vm-slabinfo-use-alphabetic-order-when-two-values-are-equal.patch
 tools-build-switch-to-new-openssl-api-for-test-libcrypto.patch
+ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch
+nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
+xen-xenbus-fix-return-type-in-xenbus_file_read.patch
+atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
+dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
diff --git a/queue-5.4/xen-xenbus-fix-return-type-in-xenbus_file_read.patch b/queue-5.4/xen-xenbus-fix-return-type-in-xenbus_file_read.patch
new file mode 100644
index 00000000000..f116f03a96d
--- /dev/null
+++ b/queue-5.4/xen-xenbus-fix-return-type-in-xenbus_file_read.patch
@@ -0,0 +1,48 @@
+From 32ad11127b95236dfc52375f3707853194a7f4b4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 4 Aug 2022 10:11:33 +0300
+Subject: xen/xenbus: fix return type in xenbus_file_read()
+
+From: Dan Carpenter
+
+commit 32ad11127b95236dfc52375f3707853194a7f4b4 upstream.
+
+This code tries to store -EFAULT in an unsigned int. The
+xenbus_file_read() function returns type ssize_t so the negative value
+is returned as a positive value to the user.
+
+This change forces another change to the min() macro. Originally, the
+min() macro used "unsigned" type which checkpatch complains about. Also
+unsigned type would break if "len" were not capped at MAX_RW_COUNT. Use
+size_t for the min(). (No effect on runtime for the min_t() change).
+
+Fixes: 2fb3683e7b16 ("xen: Add xenbus device driver")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Oleksandr Tyshchenko
+Link: https://lore.kernel.org/r/YutxJUaUYRG/VLVc@kili
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xenbus/xenbus_dev_frontend.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -128,7 +128,7 @@ static ssize_t xenbus_file_read(struct f
+ {
+ struct xenbus_file_priv *u = filp->private_data;
+ struct read_buffer *rb;
+- unsigned i;
++ ssize_t i;
+ int ret;
+
+ mutex_lock(&u->reply_mutex);
+@@ -148,7 +148,7 @@ again:
+ rb = list_entry(u->read_buffers.next, struct read_buffer, list);
+ i = 0;
+ while (i < len) {
+- unsigned sz = min((unsigned)len - i, rb->len - rb->cons);
++ size_t sz = min_t(size_t, len - i, rb->len - rb->cons);
+
+ ret = copy_to_user(ubuf + i, &rb->msg[rb->cons], sz);
+
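Review bot: With `i` now declared `ssize_t i;` in xenbus_file_read(), `while (i < len)` and `len - i` mix a signed counter with `len`, which appears to be a size_t (its declaration is outside the hunk), so both are evaluated in unsigned arithmetic. That is correct only while `i` is non-negative inside the loop, which holds on the visible lines (`i = 0;` precedes the loop) but depends on where -EFAULT is stored, and that assignment is outside the hunk. A short comment at the declaration, for example `/* bytes copied so far; must stay >= 0 while the copy loop runs */`, would record the invariant the comparison relies on. The `min_t()` operands `rb->len - rb->cons` are likewise not bounded on the visible lines.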