From: Greg Kroah-Hartman Date: Sun, 5 Dec 2021 13:46:40 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.294~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=54f860aced5f3ec51f598dec9936dcd4cbd737ab;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch net-smc-keep-smc_close_final-rc-during-active-close.patch net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch --- diff --git a/queue-4.14/net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch b/queue-4.14/net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch new file mode 100644 index 00000000000..c1bf4b1d415 --- /dev/null +++ b/queue-4.14/net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch 
@@ -0,0 +1,59 @@ +From addad7643142f500080417dd7272f49b7a185570 Mon Sep 17 00:00:00 2001 +From: Zhou Qingyang +Date: Wed, 1 Dec 2021 00:44:38 +0800 +Subject: net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() + +From: Zhou Qingyang + +commit addad7643142f500080417dd7272f49b7a185570 upstream. + +In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and +tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv(). +After that mlx4_en_alloc_resources() is called and there is a dereference +of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to +a use after free problem on failure of mlx4_en_copy_priv(). + +Fix this bug by adding a check of mlx4_en_copy_priv() + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_MLX4_EN=m show no new warnings, +and our static analyzer no longer warns about this code. 
+ +Fixes: ec25bc04ed8e ("net/mlx4_en: Add resilience in low memory systems") +Signed-off-by: Zhou Qingyang +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20211130164438.190591-1-zhou1615@umn.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c +@@ -2283,9 +2283,14 @@ int mlx4_en_try_alloc_resources(struct m + bool carry_xdp_prog) + { + struct bpf_prog *xdp_prog; +- int i, t; ++ int i, t, ret; + +- mlx4_en_copy_priv(tmp, priv, prof); ++ ret = mlx4_en_copy_priv(tmp, priv, prof); ++ if (ret) { ++ en_warn(priv, "%s: mlx4_en_copy_priv() failed, return\n", ++ __func__); ++ return ret; ++ } + + if (mlx4_en_alloc_resources(tmp)) { + en_warn(priv, diff --git a/queue-4.14/net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch b/queue-4.14/net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch new file mode 100644 index 00000000000..7fe3fbcd516 --- /dev/null +++ b/queue-4.14/net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch 
@@ -0,0 +1,32 @@ +From 19f36edf14bcdb783aef3af8217df96f76a8ce34 Mon Sep 17 00:00:00 2001 +From: William Kucharski +Date: Wed, 1 Dec 2021 07:45:22 -0700 +Subject: net/rds: correct socket tunable error in rds_tcp_tune() + +From: William Kucharski + +commit 19f36edf14bcdb783aef3af8217df96f76a8ce34 upstream. + +Correct an error where setting /proc/sys/net/rds/tcp/rds_tcp_rcvbuf would +instead modify the socket's sk_sndbuf and would leave sk_rcvbuf untouched. + +Fixes: c6a58ffed536 ("RDS: TCP: Add sysctl tunables for sndbuf/rcvbuf on rds-tcp socket") +Signed-off-by: William Kucharski +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/rds/tcp.c ++++ b/net/rds/tcp.c +@@ -392,7 +392,7 @@ void rds_tcp_tune(struct socket *sock) + sk->sk_userlocks |= SOCK_SNDBUF_LOCK; + } + if (rtn->rcvbuf_size > 0) { +- sk->sk_sndbuf = rtn->rcvbuf_size; ++ sk->sk_rcvbuf = rtn->rcvbuf_size; + sk->sk_userlocks |= SOCK_RCVBUF_LOCK; + } + release_sock(sk); diff --git a/queue-4.14/net-smc-keep-smc_close_final-rc-during-active-close.patch b/queue-4.14/net-smc-keep-smc_close_final-rc-during-active-close.patch new file mode 100644 index 00000000000..2530aeca7e2 --- /dev/null +++ b/queue-4.14/net-smc-keep-smc_close_final-rc-during-active-close.patch 
@@ -0,0 +1,53 @@ +From 00e158fb91dfaff3f94746f260d11f1a4853506e Mon Sep 17 00:00:00 2001 +From: Tony Lu +Date: Wed, 1 Dec 2021 14:42:16 +0800 +Subject: net/smc: Keep smc_close_final rc during active close + +From: Tony Lu + +commit 00e158fb91dfaff3f94746f260d11f1a4853506e upstream. + +When smc_close_final() returns error, the return code overwrites by +kernel_sock_shutdown() in smc_close_active(). The return code of +smc_close_final() is more important than kernel_sock_shutdown(), and it +will pass to userspace directly. + +Fix it by keeping both return codes, if smc_close_final() raises an +error, return it or kernel_sock_shutdown()'s. + +Link: https://lore.kernel.org/linux-s390/1f67548e-cbf6-0dce-82b5-10288a4583bd@linux.ibm.com/ +Fixes: 606a63c9783a ("net/smc: Ensure the active closing peer first closes clcsock") +Suggested-by: Karsten Graul +Signed-off-by: Tony Lu +Reviewed-by: Wen Gu +Acked-by: Karsten Graul +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_close.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -180,6 +180,7 @@ int smc_close_active(struct smc_sock *sm + int old_state; + long timeout; + int rc = 0; ++ int rc1 = 0; + + timeout = current->flags & PF_EXITING ? + 0 : sock_flag(sk, SOCK_LINGER) ? +@@ -219,8 +220,11 @@ again: + /* actively shutdown clcsock before peer close it, + * prevent peer from entering TIME_WAIT state. + */ +- if (smc->clcsock && smc->clcsock->sk) +- rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); ++ if (smc->clcsock && smc->clcsock->sk) { ++ rc1 = kernel_sock_shutdown(smc->clcsock, ++ SHUT_RDWR); ++ rc = rc ? rc : rc1; ++ } + } else { + /* peer event has changed the state */ + goto again; 
diff --git a/queue-4.14/net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch b/queue-4.14/net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch new file mode 100644 index 00000000000..b76b9c10c52 --- /dev/null +++ b/queue-4.14/net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch @@ -0,0 +1,33 @@ +From 817b653160db9852d5a0498a31f047e18ce27e5b Mon Sep 17 00:00:00 2001 +From: Sven Schuchmann +Date: Sat, 27 Nov 2021 11:47:07 +0100 +Subject: net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available + +From: Sven Schuchmann + +commit 817b653160db9852d5a0498a31f047e18ce27e5b upstream. + +On most systems request for IRQ 0 will fail, phylib will print an error message +and fall back to polling. To fix this set the phydev->irq to PHY_POLL if no IRQ +is available. + +Fixes: cc89c323a30e ("lan78xx: Use irq_domain for phy interrupt from USB Int. EP") +Reviewed-by: Andrew Lunn +Signed-off-by: Sven Schuchmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/lan78xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -2052,7 +2052,7 @@ static int lan78xx_phy_init(struct lan78 + if (dev->domain_data.phyirq > 0) + phydev->irq = dev->domain_data.phyirq; + else +- phydev->irq = 0; ++ phydev->irq = PHY_POLL; + netdev_dbg(dev->net, "phydev->irq = %d\n", phydev->irq); + + /* set to AUTOMDIX */ diff --git a/queue-4.14/series b/queue-4.14/series index 78680eb1829..04cba80341c 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -90,3 +90,7 @@ natsemi-xtensa-fix-section-mismatch-warnings.patch net-qlogic-qlcnic-fix-a-null-pointer-dereference-in-qlcnic_83xx_add_rings.patch net-mpls-fix-notifications-when-deleting-a-device.patch siphash-use-_unaligned-version-by-default.patch +net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch +net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch +net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch +net-smc-keep-smc_close_final-rc-during-active-close.patch
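
Review bot: in the drivers/net/ethernet/mellanox/mlx4/en_netdev.c hunk for mlx4_en_try_alloc_resources(), the new en_warn() drops the error code, so the log cannot tell the reader why mlx4_en_copy_priv() failed; consider the format "%s: mlx4_en_copy_priv() failed: %d\n" with __func__, ret as arguments. The early return is placed before the mlx4_en_alloc_resources(tmp) call, which is what keeps the function from reaching the tmp->tx_cq dereference described in the commit message. The hunk does not show the callers, so it is worth confirming that they treat a non-zero return from this new path the same way as the existing mlx4_en_alloc_resources() failure path.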
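
Review bot: in the net/rds/tcp.c hunk for rds_tcp_tune(), the changelog describes the wrong field being written but not the second effect visible in the rcvbuf branch: SOCK_RCVBUF_LOCK was being set on a socket whose sk_rcvbuf had not been changed, and sk_sndbuf was overwritten with rcvbuf_size after the preceding branch had already set SOCK_SNDBUF_LOCK. One sentence on that in the commit message would help anyone judging the behaviour change when this lands in a stable tree. The one-line change itself now matches the lock flag set on the line that follows it.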
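
Review bot: in the second net/smc/smc_close.c hunk, rc1 is only used inside the newly braced block, so it can be declared there instead of at function scope in the first hunk, and "rc = rc ? rc : rc1;" reads more directly as "if (!rc) rc = rc1;". The hunk context does not show where rc is assigned before this block, so a short comment stating that rc holds the smc_close_final() result at this point, and that it takes precedence over the kernel_sock_shutdown() result, would make the intent clear to the next reader.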
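
Review bot: in the drivers/net/usb/lan78xx.c hunk for lan78xx_phy_init(), the netdev_dbg() on the line after the change prints phydev->irq with %d, so the no-IRQ case will now log -1 (PHY_POLL) where it used to log 0; consider having the else branch say that polling is in use, or mention the changed debug output in the changelog. The "> 0" test above is unchanged, so a phyirq of 0 and a negative phyirq both map to PHY_POLL, which matches the intent stated in the commit message.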