From: Greg Kroah-Hartman Date: Wed, 21 Feb 2024 11:11:01 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.19.307~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7de44191bba0f8c7a99ac4a570c4e53e67656a8e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: net-bcmgenet-fix-eee-implementation.patch netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch
---
diff --git a/queue-5.10/cifs-fix-off-by-one-in-smb2_query_info_init.patch b/queue-5.10/cifs-fix-off-by-one-in-smb2_query_info_init.patch
deleted file mode 100644
index 5235b1a2de4..00000000000
--- a/queue-5.10/cifs-fix-off-by-one-in-smb2_query_info_init.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From harshit.m.mogalapalli@oracle.com Mon Jan 29 08:14:10 2024
-From: Harshit Mogalapalli
-Date: Sun, 28 Jan 2024 21:43:42 -0800
-Subject: cifs: fix off-by-one in SMB2_query_info_init()
-To: stable@vger.kernel.org
-Cc: kovalev@altlinux.org, abuehaze@amazon.com, smfrench@gmail.com, greg@kroah.com, linux-cifs@vger.kernel.org, keescook@chromium.org, darren.kenny@oracle.com, pc@manguebit.com, nspmangalore@gmail.com, vegard.nossum@oracle.com, Harshit Mogalapalli
-Message-ID: <20240129054342.2472454-1-harshit.m.mogalapalli@oracle.com>
-
-From: Harshit Mogalapalli
-
-Bug: After mounting the cifs fs, it complains with Resource temporarily
-unavailable messages.
-
-[root@vm1 xfstests-dev]# ./check -g quick -s smb3
-TEST_DEV=///TEST is mounted but not a type cifs filesystem
-[root@vm1 xfstests-dev]# df
-df: /mnt/test: Resource temporarily unavailable
-
-Paul's analysis of the bug:
-
- Bug is related to an off-by-one in smb2_set_next_command() when
- the client attempts to pad SMB2_QUERY_INFO request -- since it isn't
- 8 byte aligned -- even though smb2_query_info_compound() doesn't
- provide an extra iov for such padding.
-
- v5.10.y doesn't have
-
- eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
-
- and the commit does
-
- if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
- len > CIFSMaxBufSize))
- return -EINVAL;
-
- so sizeof(*req) will wrongly include the extra byte from
- smb2_query_info_req::Buffer making @len unaligned and therefore causing
- OOB in smb2_set_next_command().
-
-Fixes: 203a412e52b5 ("smb: client: fix OOB in SMB2_query_info_init()")
-Suggested-by: Paulo Alcantara
-Signed-off-by: Harshit Mogalapalli
-Signed-off-by: Greg Kroah-Hartman
----
- fs/cifs/smb2pdu.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/cifs/smb2pdu.c
-+++ b/fs/cifs/smb2pdu.c
-@@ -3378,7 +3378,7 @@ SMB2_query_info_init(struct cifs_tcon *t
-
- iov[0].iov_base = (char *)req;
- /* 1 for Buffer */
-- iov[0].iov_len = len;
-+ iov[0].iov_len = len - 1;
- return 0;
- }
-
diff --git a/queue-5.10/net-bcmgenet-fix-eee-implementation.patch b/queue-5.10/net-bcmgenet-fix-eee-implementation.patch
new file mode 100644
index 00000000000..c5ddf4ba5dd
--- /dev/null
+++ b/queue-5.10/net-bcmgenet-fix-eee-implementation.patch
@@ -0,0 +1,142 @@
+From a9f31047baca57d47440c879cf259b86f900260c Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Tue, 6 Jun 2023 14:43:47 -0700
+Subject: net: bcmgenet: Fix EEE implementation
+
+From: Florian Fainelli
+
+commit a9f31047baca57d47440c879cf259b86f900260c upstream.
+
+We had a number of short comings:
+
+- EEE must be re-evaluated whenever the state machine detects a link
+ change as wight be switching from a link partner with EEE
+ enabled/disabled
+
+- tx_lpi_enabled controls whether EEE should be enabled/disabled for the
+ transmit path, which applies to the TBUF block
+
+- We do not need to forcibly enable EEE upon system resume, as the PHY
+ state machine will trigger a link event that will do that, too
+
+Fixes: 6ef398ea60d9 ("net: bcmgenet: add EEE support")
+Signed-off-by: Florian Fainelli
+Reviewed-by: Russell King (Oracle)
+Link: https://lore.kernel.org/r/20230606214348.2408018-1-florian.fainelli@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 22 ++++++++--------------
+ drivers/net/ethernet/broadcom/genet/bcmgenet.h | 3 +++
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 ++++++
+ 3 files changed, 17 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -1244,7 +1244,8 @@ static void bcmgenet_get_ethtool_stats(s
+ }
+ }
+
+-static void bcmgenet_eee_enable_set(struct net_device *dev, bool enable)
++void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
++ bool tx_lpi_enabled)
+ {
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ u32 off = priv->hw_params->tbuf_offset + TBUF_ENERGY_CTRL;
+@@ -1264,7 +1265,7 @@ static void bcmgenet_eee_enable_set(stru
+
+ /* Enable EEE and switch to a 27Mhz clock automatically */
+ reg = bcmgenet_readl(priv->base + off);
+- if (enable)
++ if (tx_lpi_enabled)
+ reg |= TBUF_EEE_EN | TBUF_PM_EN;
+ else
+ reg &= ~(TBUF_EEE_EN | TBUF_PM_EN);
+@@ -1285,6 +1286,7 @@ static void bcmgenet_eee_enable_set(stru
+
+ priv->eee.eee_enabled = enable;
+ priv->eee.eee_active = enable;
++ priv->eee.tx_lpi_enabled = tx_lpi_enabled;
+ }
+
+ static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_eee *e)
+@@ -1300,6 +1302,7 @@ static int bcmgenet_get_eee(struct net_d
+
+ e->eee_enabled = p->eee_enabled;
+ e->eee_active = p->eee_active;
++ e->tx_lpi_enabled = p->tx_lpi_enabled;
+ e->tx_lpi_timer = bcmgenet_umac_readl(priv, UMAC_EEE_LPI_TIMER);
+
+ return phy_ethtool_get_eee(dev->phydev, e);
+@@ -1309,7 +1312,6 @@ static int bcmgenet_set_eee(struct net_d
+ {
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ struct ethtool_eee *p = &priv->eee;
+- int ret = 0;
+
+ if (GENET_IS_V1(priv))
+ return -EOPNOTSUPP;
+@@ -1320,16 +1322,11 @@ static int bcmgenet_set_eee(struct net_d
+ p->eee_enabled = e->eee_enabled;
+
+ if (!p->eee_enabled) {
+- bcmgenet_eee_enable_set(dev, false);
++ bcmgenet_eee_enable_set(dev, false, false);
+ } else {
+- ret = phy_init_eee(dev->phydev, 0);
+- if (ret) {
+- netif_err(priv, hw, dev, "EEE initialization failed\n");
+- return ret;
+- }
+-
++ p->eee_active = phy_init_eee(dev->phydev, false) >= 0;
+ bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER);
+- bcmgenet_eee_enable_set(dev, true);
++ bcmgenet_eee_enable_set(dev, p->eee_active, e->tx_lpi_enabled);
+ }
+
+ return phy_ethtool_set_eee(dev->phydev, e);
+@@ -4217,9 +4214,6 @@ static int bcmgenet_resume(struct device
+ if (!device_may_wakeup(d))
+ phy_resume(dev->phydev);
+
+- if (priv->eee.eee_enabled)
+- bcmgenet_eee_enable_set(dev, true);
+-
+ bcmgenet_netif_start(dev);
+
+ netif_device_attach(dev);
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+@@ -756,4 +756,7 @@ int bcmgenet_wol_power_down_cfg(struct b
+ void bcmgenet_wol_power_up_cfg(struct bcmgenet_priv *priv,
+ enum bcmgenet_power_mode mode);
+
++void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
++ bool tx_lpi_enabled);
++
+ #endif /* __BCMGENET_H__ */
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -25,6 +25,7 @@
+
+ #include "bcmgenet.h"
+
++
+ /* setup netdev link state when PHY link status change and
+ * update UMAC and RGMII block when link up
+ */
+@@ -102,6 +103,11 @@ void bcmgenet_mii_setup(struct net_devic
+ reg |= CMD_TX_EN | CMD_RX_EN;
+ }
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
++
++ priv->eee.eee_active = phy_init_eee(phydev, 0) >= 0;
++ bcmgenet_eee_enable_set(dev,
++ priv->eee.eee_enabled && priv->eee.eee_active,
++ priv->eee.tx_lpi_enabled);
+ } else {
+ /* done if nothing has changed */
+ if (!status_changed)
diff --git a/queue-5.10/netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch b/queue-5.10/netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch
new file mode 100644
index 00000000000..a19d0f736ee
--- /dev/null
+++ b/queue-5.10/netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch
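Review bot: The context line `priv->eee.eee_enabled = enable;` at the end of `bcmgenet_eee_enable_set()` now clobbers the user's setting, because the new call in `bcmgenet_mii_setup()` passes `priv->eee.eee_enabled && priv->eee.eee_active` as `enable`. After one link-up on which `phy_init_eee()` fails, `eee_enabled` is stored as false, so every later link change evaluates `false && ...` and EEE stays off until it is configured again through ethtool, which works against the re-evaluation on link change that the description asks for. `bcmgenet_set_eee()` has the same effect when it passes `p->eee_active` right after assigning `p->eee_enabled = e->eee_enabled`. I would drop the `eee_enabled` store from the helper and keep only `priv->eee.eee_active = enable;`, so the administrative setting and the negotiated state are tracked separately. The helper's body is only partly visible between these hunks, so confirm nothing in the hidden lines relies on that store.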
@@ -0,0 +1,83 @@
+From c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 3 Nov 2023 09:42:51 +0300
+Subject: netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
+
+From: Dan Carpenter
+
+commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 upstream.
+
+The problem is in nft_byteorder_eval() where we are iterating through a
+loop and writing to dst[0], dst[1], dst[2] and so on... On each
+iteration we are writing 8 bytes. But dst[] is an array of u32 so each
+element only has space for 4 bytes. That means that every iteration
+overwrites part of the previous element.
+
+I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
+nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
+issue. I think that the reason we have not detected this bug in testing
+is that most of time we only write one element.
+
+Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Pablo Neira Ayuso
+[Ajay: Modified to apply on v5.10.y]
+Signed-off-by: Ajay Kaher
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/netfilter/nf_tables.h | 4 ++--
+ net/netfilter/nft_byteorder.c | 5 +++--
+ net/netfilter/nft_meta.c | 2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -142,9 +142,9 @@ static inline u16 nft_reg_load16(const u
+ return *(u16 *)sreg;
+ }
+
+-static inline void nft_reg_store64(u32 *dreg, u64 val)
++static inline void nft_reg_store64(u64 *dreg, u64 val)
+ {
+- put_unaligned(val, (u64 *)dreg);
++ put_unaligned(val, dreg);
+ }
+
+ static inline u64 nft_reg_load64(const u32 *sreg)
+--- a/net/netfilter/nft_byteorder.c
++++ b/net/netfilter/nft_byteorder.c
+@@ -38,20 +38,21 @@ void nft_byteorder_eval(const struct nft
+
+ switch (priv->size) {
+ case 8: {
++ u64 *dst64 = (void *)dst;
+ u64 src64;
+
+ switch (priv->op) {
+ case NFT_BYTEORDER_NTOH:
+ for (i = 0; i < priv->len / 8; i++) {
+ src64 = nft_reg_load64(&src[i]);
+- nft_reg_store64(&dst[i], be64_to_cpu(src64));
++ nft_reg_store64(&dst64[i], be64_to_cpu(src64));
+ }
+ break;
+ case NFT_BYTEORDER_HTON:
+ for (i = 0; i < priv->len / 8; i++) {
+ src64 = (__force __u64)
+ cpu_to_be64(nft_reg_load64(&src[i]));
+- nft_reg_store64(&dst[i], src64);
++ nft_reg_store64(&dst64[i], src64);
+ }
+ break;
+ }
+--- a/net/netfilter/nft_meta.c
++++ b/net/netfilter/nft_meta.c
+@@ -63,7 +63,7 @@ nft_meta_get_eval_time(enum nft_meta_key
+ {
+ switch (key) {
+ case NFT_META_TIME_NS:
+- nft_reg_store64(dest, ktime_get_real_ns());
++ nft_reg_store64((u64 *)dest, ktime_get_real_ns());
+ break;
+ case NFT_META_TIME_DAY:
+ nft_reg_store8(dest, nft_meta_weekday());
diff --git a/queue-5.10/series b/queue-5.10/series
index 18615de74f2..7931558976f 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -98,7 +98,6 @@ spi-bcm-qspi-fix-sfdp-bfpt-read-by-usig-mspi-read.patch
 mips-call-lose_fpu-0-before-initializing-fcr31-in-mips_set_personality_nan.patch
 tick-sched-preserve-number-of-idle-sleeps-across-cpu-hotplug-events.patch
 x86-entry-ia32-ensure-s32-is-sign-extended-to-s64.patch
-cifs-fix-off-by-one-in-smb2_query_info_init.patch
 powerpc-mm-fix-null-pointer-dereference-in-pgtable_c.patch
 drivers-perf-pmuv3-don-t-expose-sw_incr-event-in-sys.patch
 powerpc-fix-build-error-due-to-is_valid_bugaddr.patch
@@ -376,3 +375,5 @@ dm-limit-the-number-of-targets-and-parameter-size-area.patch
 pm-runtime-add-devm_pm_runtime_enable-helper.patch
 pm-runtime-have-devm_pm_runtime_enable-handle-pm_runtime_dont_use_autosuspend.patch
 drm-msm-dsi-enable-runtime-pm.patch
+netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch
+net-bcmgenet-fix-eee-implementation.patch
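Review bot: The read side of both 8-byte loops in `nft_byteorder_eval()` still advances in 4-byte steps: `nft_reg_load64(&src[i])` takes a `const u32 *` (see the `nft_reg_load64` context line in nf_tables.h), so iteration i loads 8 bytes starting at byte 4*i while the store now goes to byte 8*i. With `priv->len` of 8 nothing changes, but with two or more elements the second load overlaps the first source element instead of reading the next one, so the converted value is taken from the wrong registers even though the write no longer clobbers its neighbour. Indexing the source in the same units, e.g. `src64 = nft_reg_load64(&src[i * 2]);` in the NTOH loop and `cpu_to_be64(nft_reg_load64(&src[i * 2]));` in the HTON loop, would keep load and store in step. The declaration of `src` and the length validation in the init path are outside this hunk, so the element type is inferred from the `nft_reg_load64()` prototype and should be confirmed against the full function.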