From: Greg Kroah-Hartman
Date: Mon, 22 Aug 2022 09:22:54 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v4.9.326~55
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=65d1acf21ce3aeaf56955aeb7705df00a53e4567;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
geneve-fix-tos-inheriting-for-ipv4.patch
nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch
perf-probe-fix-an-error-handling-path-in-parse_perf_probe_command.patch
xen-xenbus-fix-return-type-in-xenbus_file_read.patch
---
diff --git a/queue-5.10/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch b/queue-5.10/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
new file mode 100644
index 00000000000..1017c803075
--- /dev/null
+++ b/queue-5.10/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
@@ -0,0 +1,51 @@
+From 3f4093e2bf4673f218c0bf17d8362337c400e77b Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Fri, 5 Aug 2022 15:00:08 +0800
+Subject: atm: idt77252: fix use-after-free bugs caused by tst_timer
+
+From: Duoming Zhou
+
+commit 3f4093e2bf4673f218c0bf17d8362337c400e77b upstream.
+
+There are use-after-free bugs caused by tst_timer. The root cause
+is that there are no functions to stop tst_timer in idt77252_exit().
+One of the possible race conditions is shown below:
+
+ (thread 1) | (thread 2)
+ | idt77252_init_one
+ | init_card
+ | fill_tst
+ | mod_timer(&card->tst_timer, ...)
+idt77252_exit | (wait a time)
+ | tst_timer
+ |
+ | ...
+ kfree(card) // FREE |
+ | card->soft_tst[e] // USE
+
+The idt77252_dev is deallocated in idt77252_exit() and used in
+timer handler.
+
+This patch adds del_timer_sync() in idt77252_exit() in order that
+the timer handler could be stopped before the idt77252_dev is
+deallocated.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Duoming Zhou
+Link: https://lore.kernel.org/r/20220805070008.18007-1-duoming@zju.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/atm/idt77252.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/atm/idt77252.c
++++ b/drivers/atm/idt77252.c
+@@ -3767,6 +3767,7 @@ static void __exit idt77252_exit(void)
+ card = idt77252_chain;
+ dev = card->atmdev;
+ idt77252_chain = card->next;
++ del_timer_sync(&card->tst_timer);
+
+ if (dev->phy->stop)
+ dev->phy->stop(dev);
diff --git a/queue-5.10/dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch b/queue-5.10/dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
new file mode 100644
index 00000000000..d422b2f387f
--- /dev/null
+++ b/queue-5.10/dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
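Review bot: In idt77252_exit(), `del_timer_sync(&card->tst_timer)` runs before `dev->phy->stop(dev)` and the rest of the teardown, so anything later in the loop body that can still call `mod_timer()` on tst_timer would re-arm it after the sync and reopen the use-after-free; the remainder of the loop is outside this hunk and needs checking for that. A comment on the new line would record the ordering requirement, e.g. `/* tst_timer's handler dereferences card: stop it, and do not re-arm it, before card is freed */`. The commit message names only the module-exit path; if the card can be freed on any other path, that path needs the same stop.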
@@ -0,0 +1,34 @@
+From e34f49348f8b7a53205b6f77707a3a6a40cf420b Mon Sep 17 00:00:00 2001
+From: Chen Lin
+Date: Thu, 11 Aug 2022 23:16:51 +0800
+Subject: dpaa2-eth: trace the allocated address instead of page struct
+
+From: Chen Lin
+
+commit e34f49348f8b7a53205b6f77707a3a6a40cf420b upstream.
+
+We should trace the allocated address instead of page struct.
+
+Fixes: 27c874867c4e ("dpaa2-eth: Use a single page per Rx buffer")
+Signed-off-by: Chen Lin
+Reviewed-by: Ioana Ciornei
+Link: https://lore.kernel.org/r/20220811151651.3327-1-chen45464546@163.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -1349,8 +1349,8 @@ static int dpaa2_eth_add_bufs(struct dpa
+ buf_array[i] = addr;
+
+ /* tracing point */
+- trace_dpaa2_eth_buf_seed(priv->net_dev,
+- page, DPAA2_ETH_RX_BUF_RAW_SIZE,
++ trace_dpaa2_eth_buf_seed(priv->net_dev, page_address(page),
++ DPAA2_ETH_RX_BUF_RAW_SIZE,
+ addr, priv->rx_buf_size,
+ bpid);
+ }
diff --git a/queue-5.10/geneve-fix-tos-inheriting-for-ipv4.patch b/queue-5.10/geneve-fix-tos-inheriting-for-ipv4.patch
new file mode 100644
index 00000000000..a55afbc20fb
--- /dev/null
+++ b/queue-5.10/geneve-fix-tos-inheriting-for-ipv4.patch
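Review bot: The second argument of `trace_dpaa2_eth_buf_seed()` in dpaa2_eth_add_bufs() is now a kernel virtual address from `page_address(page)`, so how the trace event prints that field decides whether a real kernel address reaches the trace buffer. The event definition is outside this hunk; it is worth confirming that its format uses the hashed `%p` rather than `%px` for this field. The existing `/* tracing point */` comment could say what is traced, e.g. `/* tracing point: buffer virtual address, raw size, DMA address */`.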
@@ -0,0 +1,85 @@
+From b4ab94d6adaa5cf842b68bd28f4b50bc774496bd Mon Sep 17 00:00:00 2001
+From: Matthias May
+Date: Fri, 5 Aug 2022 21:00:06 +0200
+Subject: geneve: fix TOS inheriting for ipv4
+
+From: Matthias May
+
+commit b4ab94d6adaa5cf842b68bd28f4b50bc774496bd upstream.
+
+The current code retrieves the TOS field after the lookup
+on the ipv4 routing table. The routing process currently
+only allows routing based on the original 3 TOS bits, and
+not on the full 6 DSCP bits.
+As a result the retrieved TOS is cut to the 3 bits.
+However for inheriting purposes the full 6 bits should be used.
+
+Extract the full 6 bits before the route lookup and use
+that instead of the cut off 3 TOS bits.
+
+Fixes: e305ac6cf5a1 ("geneve: Add support to collect tunnel metadata.")
+Signed-off-by: Matthias May
+Acked-by: Guillaume Nault
+Link: https://lore.kernel.org/r/20220805190006.8078-1-matthias.may@westermo.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/geneve.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -772,7 +772,8 @@ static struct rtable *geneve_get_v4_rt(s
+ struct geneve_sock *gs4,
+ struct flowi4 *fl4,
+ const struct ip_tunnel_info *info,
+- __be16 dport, __be16 sport)
++ __be16 dport, __be16 sport,
++ __u8 *full_tos)
+ {
+ bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
+ struct geneve_dev *geneve = netdev_priv(dev);
+@@ -797,6 +798,8 @@ static struct rtable *geneve_get_v4_rt(s
+ use_cache = false;
+ }
+ fl4->flowi4_tos = RT_TOS(tos);
++ if (full_tos)
++ *full_tos = tos;
+
+ dst_cache = (struct dst_cache *)&info->dst_cache;
+ if (use_cache) {
+@@ -884,6 +887,7 @@ static int geneve_xmit_skb(struct sk_buf
+ const struct ip_tunnel_key *key = &info->key;
+ struct rtable *rt;
+ struct flowi4 fl4;
++ __u8 full_tos;
+ __u8 tos, ttl;
+ __be16 df = 0;
+ __be16 sport;
+@@ -894,7 +898,7 @@ static int geneve_xmit_skb(struct sk_buf
+
+ sport = 
udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info,
+- geneve->cfg.info.key.tp_dst, sport);
++ geneve->cfg.info.key.tp_dst, sport, &full_tos);
+ if (IS_ERR(rt))
+ return PTR_ERR(rt);
+
+@@ -938,7 +942,7 @@ static int geneve_xmit_skb(struct sk_buf
+
+ df = key->tun_flags & TUNNEL_DONT_FRAGMENT ? htons(IP_DF) : 0;
+ } else {
+- tos = ip_tunnel_ecn_encap(fl4.flowi4_tos, ip_hdr(skb), skb);
++ tos = ip_tunnel_ecn_encap(full_tos, ip_hdr(skb), skb);
+ if (geneve->cfg.ttl_inherit)
+ ttl = ip_tunnel_get_ttl(ip_hdr(skb), skb);
+ else
+@@ -1120,7 +1124,7 @@ static int geneve_fill_metadata_dst(stru
+ 1, USHRT_MAX, true);
+
+ rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info,
+- geneve->cfg.info.key.tp_dst, sport);
++ geneve->cfg.info.key.tp_dst, sport, NULL);
+ if (IS_ERR(rt))
+ return PTR_ERR(rt);
+
diff --git a/queue-5.10/nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch b/queue-5.10/nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
new file mode 100644
index 00000000000..046cf270cf0
--- /dev/null
+++ b/queue-5.10/nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
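Review bot: `__u8 full_tos;` in geneve_xmit_skb() is left uninitialised and is written only by geneve_get_v4_rt() at `if (full_tos) *full_tos = tos;`, so any successful return that sits before that assignment, now or after a later change, would pass an indeterminate stack byte to `ip_tunnel_ecn_encap(full_tos, ...)` and into the outer IP header. The visible caller returns on `IS_ERR(rt)` before reading it, so this is hardening rather than a demonstrated bug; `__u8 full_tos = 0;` closes it. The new out-parameter also needs a comment on geneve_get_v4_rt(), e.g. `/* @full_tos: optional, may be NULL; receives the TOS byte before RT_TOS() masking */`. Both function bodies extend beyond the hunks shown.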
@@ -0,0 +1,43 @@
+From 4ae97cae07e15d41e5c0ebabba64c6eefdeb0bbe Mon Sep 17 00:00:00 2001
+From: Yu Xiao
+Date: Tue, 2 Aug 2022 10:33:55 +0100
+Subject: nfp: ethtool: fix the display error of `ethtool -m DEVNAME`
+
+From: Yu Xiao
+
+commit 4ae97cae07e15d41e5c0ebabba64c6eefdeb0bbe upstream.
+
+The port flag isn't set to `NFP_PORT_CHANGED` when using
+`ethtool -m DEVNAME` before, so the port state (e.g. interface)
+cannot be updated. Therefore, it caused that `ethtool -m DEVNAME`
+sometimes cannot read the correct information.
+
+E.g. `ethtool -m DEVNAME` cannot work when load driver before plug
+in optical module, as the port interface is still NONE without port
+update.
+
+Now update the port state before sending info to NIC to ensure that
+port interface is correct (latest state).
+
+Fixes: 61f7c6f44870 ("nfp: implement ethtool get module EEPROM")
+Reviewed-by: Louis Peens
+Signed-off-by: Yu Xiao
+Signed-off-by: Simon Horman
+Link: https://lore.kernel.org/r/20220802093355.69065-1-simon.horman@corigine.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+@@ -1225,6 +1225,8 @@ nfp_port_get_module_info(struct net_devi
+ u8 data;
+
+ port = nfp_port_from_netdev(netdev);
++ /* update port state to get latest interface */
++ set_bit(NFP_PORT_CHANGED, &port->flags);
+ eth_port = nfp_port_get_eth_port(port);
+ if (!eth_port)
+ return -EOPNOTSUPP;
diff --git a/queue-5.10/ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch b/queue-5.10/ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch
new file mode 100644
index 00000000000..842fe115887
--- /dev/null
+++ b/queue-5.10/ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch
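Review bot: The added `set_bit(NFP_PORT_CHANGED, &port->flags)` in nfp_port_get_module_info() dereferences `port` straight after `nfp_port_from_netdev(netdev)` with no NULL check visible in this hunk, whereas the old code only passed the pointer on to `nfp_port_get_eth_port()` and tested that result. If nfp_port_from_netdev() can return NULL for some netdev types (its definition is not shown here), an ethtool module-info request that used to get -EOPNOTSUPP would now hit a NULL dereference in the kernel. Adding `if (!port) return -EOPNOTSUPP;` before the set_bit keeps the previous behaviour.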
@@ -0,0 +1,52 @@
+From 45e1058b77feade4e36402828bfe3e0d3363177b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 20 Jul 2022 21:28:18 +0300
+Subject: NTB: ntb_tool: uninitialized heap data in tool_fn_write()
+
+From: Dan Carpenter
+
+commit 45e1058b77feade4e36402828bfe3e0d3363177b upstream.
+
+The call to:
+
+ ret = simple_write_to_buffer(buf, size, offp, ubuf, size);
+
+will return success if it is able to write even one byte to "buf".
+The value of "*offp" controls which byte. This could result in
+reading uninitialized data when we do the sscanf() on the next line.
+
+This code is not really desigined to handle partial writes where
+*offp is non-zero and the "buf" is preserved and re-used between writes.
+Just ban partial writes and replace the simple_write_to_buffer() with
+copy_from_user().
+
+Fixes: 578b881ba9c4 ("NTB: Add tool test client")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Jon Mason
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ntb/test/ntb_tool.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/ntb/test/ntb_tool.c
++++ b/drivers/ntb/test/ntb_tool.c
+@@ -367,14 +367,16 @@ static ssize_t tool_fn_write(struct tool
+ u64 bits;
+ int n;
+
++ if (*offp)
++ return 0;
++
+ buf = kmalloc(size + 1, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+- ret = simple_write_to_buffer(buf, size, offp, ubuf, size);
+- if (ret < 0) {
++ if (copy_from_user(buf, ubuf, size)) {
+ kfree(buf);
+- return ret;
++ return -EFAULT;
+ }
+
+ buf[size] = 0;
diff --git a/queue-5.10/perf-probe-fix-an-error-handling-path-in-parse_perf_probe_command.patch b/queue-5.10/perf-probe-fix-an-error-handling-path-in-parse_perf_probe_command.patch
new file mode 100644
index 00000000000..36a60300e65
--- /dev/null
+++ b/queue-5.10/perf-probe-fix-an-error-handling-path-in-parse_perf_probe_command.patch
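Review bot: The new `if (*offp) return 0;` in tool_fn_write() reports zero bytes written for a non-zero offset, which a caller that retries short writes can read as "try again" and loop on; returning an error such as `-EINVAL` would reject the partial write explicitly. A comment above the check would record why the offset is refused, e.g. `/* partial writes are not supported: buf is parsed as one complete string */`. The function's signature and the sscanf() that consumes buf are outside this hunk.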
@@ -0,0 +1,44 @@
+From 4bf6dcaa93bcd083a13c278a91418fe10e6d23a0 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Sat, 6 Aug 2022 16:51:26 +0200
+Subject: perf probe: Fix an error handling path in 'parse_perf_probe_command()'
+
+From: Christophe JAILLET
+
+commit 4bf6dcaa93bcd083a13c278a91418fe10e6d23a0 upstream.
+
+If a memory allocation fail, we should branch to the error handling path
+in order to free some resources allocated a few lines above.
+
+Fixes: 15354d54698648e2 ("perf probe: Generate event name with line number")
+Signed-off-by: Christophe JAILLET
+Acked-by: Masami Hiramatsu
+Cc: Alexander Shishkin
+Cc: Ingo Molnar
+Cc: Jiri Olsa
+Cc: kernel-janitors@vger.kernel.org
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: https://lore.kernel.org/r/b71bcb01fa0c7b9778647235c3ab490f699ba278.1659797452.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/util/probe-event.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/util/probe-event.c
++++ b/tools/perf/util/probe-event.c
+@@ -1760,8 +1760,10 @@ int parse_perf_probe_command(const char
+ if (!pev->event && pev->point.function && pev->point.line
+ && !pev->point.lazy_line && !pev->point.offset) {
+ if (asprintf(&pev->event, "%s_L%d", pev->point.function,
+- pev->point.line) < 0)
+- return -ENOMEM;
++ pev->point.line) < 0) {
++ ret = -ENOMEM;
++ goto out;
++ }
+ }
+
+ /* Copy arguments and ensure return probe has no C argument */
diff --git a/queue-5.10/series b/queue-5.10/series
index 02c3d1e555f..ac8d3d9d4ad 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
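Review bot: On the new `goto out` path in parse_perf_probe_command(), `pev->event` has just been passed to a failing `asprintf()`, and not every C library defines what that pointer holds after a failure. If the cleanup at `out` or the caller later frees pev->event (the label and its cleanup are outside this hunk), that could free an indeterminate pointer. Setting `pev->event = NULL;` before `ret = -ENOMEM;` removes the dependency on library behaviour.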
@@ -54,3 +54,10 @@ tools-vm-slabinfo-use-alphabetic-order-when-two-values-are-equal.patch
 ceph-don-t-leak-snap_rwsem-in-handle_cap_grant.patch
 kbuild-dummy-tools-avoid-tmpdir-leak-in-dummy-gcc.patch
 tools-build-switch-to-new-openssl-api-for-test-libcrypto.patch
+ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch
+nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
+xen-xenbus-fix-return-type-in-xenbus_file_read.patch
+atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
+geneve-fix-tos-inheriting-for-ipv4.patch
+perf-probe-fix-an-error-handling-path-in-parse_perf_probe_command.patch
+dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
diff --git a/queue-5.10/xen-xenbus-fix-return-type-in-xenbus_file_read.patch b/queue-5.10/xen-xenbus-fix-return-type-in-xenbus_file_read.patch
new file mode 100644
index 00000000000..f116f03a96d
--- /dev/null
+++ b/queue-5.10/xen-xenbus-fix-return-type-in-xenbus_file_read.patch
@@ -0,0 +1,48 @@
+From 32ad11127b95236dfc52375f3707853194a7f4b4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 4 Aug 2022 10:11:33 +0300
+Subject: xen/xenbus: fix return type in xenbus_file_read()
+
+From: Dan Carpenter
+
+commit 32ad11127b95236dfc52375f3707853194a7f4b4 upstream.
+
+This code tries to store -EFAULT in an unsigned int. The
+xenbus_file_read() function returns type ssize_t so the negative value
+is returned as a positive value to the user.
+
+This change forces another change to the min() macro. Originally, the
+min() macro used "unsigned" type which checkpatch complains about. Also
+unsigned type would break if "len" were not capped at MAX_RW_COUNT. Use
+size_t for the min(). (No effect on runtime for the min_t() change).
+
+Fixes: 2fb3683e7b16 ("xen: Add xenbus device driver")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Oleksandr Tyshchenko
+Link: https://lore.kernel.org/r/YutxJUaUYRG/VLVc@kili
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xenbus/xenbus_dev_frontend.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -128,7 +128,7 @@ static ssize_t xenbus_file_read(struct f
+ {
+ struct xenbus_file_priv *u = filp->private_data;
+ struct read_buffer *rb;
+- unsigned i;
++ ssize_t i;
+ int ret;
+
+ mutex_lock(&u->reply_mutex);
+@@ -148,7 +148,7 @@ again:
+ rb = list_entry(u->read_buffers.next, struct read_buffer, list);
+ i = 0;
+ while (i < len) {
+- unsigned sz = min((unsigned)len - i, rb->len - rb->cons);
++ size_t sz = min_t(size_t, len - i, rb->len - rb->cons);
+
+ ret = copy_to_user(ubuf + i, &rb->msg[rb->cons], sz);
+
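Review bot: With `i` now `ssize_t`, the loop in xenbus_file_read() mixes signedness in `while (i < len)` and `len - i`, which is correct only while `i` stays non-negative; `len`'s declaration is outside the hunk, but it is presumably the `size_t` read count. A comment at the declaration would make the invariant explicit, e.g. `/* signed only so it can carry -EFAULT as the return value; never negative inside the copy loop */`. The `min_t(size_t, ..., rb->len - rb->cons)` operand likewise relies on `rb->cons <= rb->len`, which the visible lines do not establish.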