From: Greg Kroah-Hartman
Date: Mon, 17 Apr 2023 07:06:39 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v4.14.313~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=803b03117336b003d7e09d1bdcdf2c85236f2fd5;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
net-phy-nxp-c45-tja11xx-add-remove-callback.patch
net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch
net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch
riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch
---
diff --git a/queue-5.15/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch b/queue-5.15/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
new file mode 100644
index 00000000000..b04eb778dbb
--- /dev/null
+++ b/queue-5.15/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
@@ -0,0 +1,68 @@
+From e7067a446264a7514fa1cfaa4052cdb6803bc6a2 Mon Sep 17 00:00:00 2001
+From: David Disseldorp
+Date: Thu, 13 Apr 2023 23:49:57 +0900
+Subject: ksmbd: avoid out of bounds access in decode_preauth_ctxt()
+
+From: David Disseldorp
+
+commit e7067a446264a7514fa1cfaa4052cdb6803bc6a2 upstream.
+
+Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within
+the SMB request boundary; deassemble_neg_contexts() only checks that the
+eight byte smb2_neg_context header + (client controlled) DataLength are
+within the packet boundary, which is insufficient.
+
+Checking for sizeof(struct smb2_preauth_neg_context) is overkill given
+that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt.
+
+Signed-off-by: David Disseldorp
+Acked-by: Namjae Jeon
+Cc:
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ksmbd/smb2pdu.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -880,17 +880,21 @@ static void assemble_neg_contexts(struct
+ }
+ 
+ static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
+- struct smb2_preauth_neg_context *pneg_ctxt)
++ struct smb2_preauth_neg_context *pneg_ctxt,
++ int len_of_ctxts)
+ {
+- __le32 err = STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
++ /*
++ * sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt,
++ * which may not be present. Only check for used HashAlgorithms[1].
++ */
++ if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)
++ return STATUS_INVALID_PARAMETER;
+ 
+- if (pneg_ctxt->HashAlgorithms == SMB2_PREAUTH_INTEGRITY_SHA512) {
+- conn->preauth_info->Preauth_HashId =
+- SMB2_PREAUTH_INTEGRITY_SHA512;
+- err = STATUS_SUCCESS;
+- }
++ if (pneg_ctxt->HashAlgorithms != SMB2_PREAUTH_INTEGRITY_SHA512)
++ return STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
+ 
+- return err;
++ conn->preauth_info->Preauth_HashId = SMB2_PREAUTH_INTEGRITY_SHA512;
++ return STATUS_SUCCESS;
+ }
+ 
+ static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
+@@ -1018,7 +1022,8 @@ static __le32 deassemble_neg_contexts(st
+ break;
+ 
+ status = decode_preauth_ctxt(conn,
+- (struct smb2_preauth_neg_context *)pctx);
++ (struct smb2_preauth_neg_context *)pctx,
++ len_of_ctxts);
+ if (status != STATUS_SUCCESS)
+ break;
+ } else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) {
diff --git a/queue-5.15/net-phy-nxp-c45-tja11xx-add-remove-callback.patch b/queue-5.15/net-phy-nxp-c45-tja11xx-add-remove-callback.patch
new file mode 100644
index 00000000000..55ee1ad868f
--- /dev/null
+++ b/queue-5.15/net-phy-nxp-c45-tja11xx-add-remove-callback.patch
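Review bot: The added guard `if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)` in decode_preauth_ctxt() compares the caller's remaining-bytes count against a data-length constant, yet `pneg_ctxt` is the cast of `pctx`, so HashAlgorithms[0] is read behind the eight-byte smb2_neg_context header that the commit message itself describes; if MIN_PREAUTH_CTXT_DATA_LEN counts only the payload after that header (its definition is not part of this patch), the threshold is eight bytes too low and should read `if (len_of_ctxts < (int)(sizeof(struct smb2_neg_context) + MIN_PREAUTH_CTXT_DATA_LEN))`. Independently, `len_of_ctxts` is the length left in the whole request rather than the length of this one context, so a short preauth context followed by other context bytes still passes; bounding by this context's own header-plus-DataLength, which the message says the caller already computes, would tie the check to the structure actually being parsed. The patch also relies on MIN_PREAUTH_CTXT_DATA_LEN already existing in the 5.15 tree, which is worth confirming for the backport. The loop in deassemble_neg_contexts() and the per-context length checks it performs begin outside the second hunk, so the caller-side detail here is inferred from the visible call site and the commit message.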
@@ -0,0 +1,51 @@
+From a4506722dc39ca840593f14e3faa4c9ba9408211 Mon Sep 17 00:00:00 2001
+From: "Radu Pirea (OSS)"
+Date: Thu, 6 Apr 2023 12:59:04 +0300
+Subject: net: phy: nxp-c45-tja11xx: add remove callback
+
+From: Radu Pirea (OSS)
+
+commit a4506722dc39ca840593f14e3faa4c9ba9408211 upstream.
+
+Unregister PTP clock when the driver is removed.
+Purge the RX and TX skb queues.
+
+Fixes: 514def5dd339 ("phy: nxp-c45-tja11xx: add timestamping support")
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Radu Pirea (OSS)
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20230406095904.75456-1-radu-nicolae.pirea@oss.nxp.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/nxp-c45-tja11xx.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -1117,6 +1117,17 @@ no_ptp_support:
+ return ret;
+ }
+ 
++static void nxp_c45_remove(struct phy_device *phydev)
++{
++ struct nxp_c45_phy *priv = phydev->priv;
++
++ if (priv->ptp_clock)
++ ptp_clock_unregister(priv->ptp_clock);
++
++ skb_queue_purge(&priv->tx_queue);
++ skb_queue_purge(&priv->rx_queue);
++}
++
+ static struct phy_driver nxp_c45_driver[] = {
+ {
+ PHY_ID_MATCH_MODEL(PHY_ID_TJA_1103),
+@@ -1139,6 +1150,7 @@ static struct phy_driver nxp_c45_driver[
+ .set_loopback = genphy_c45_loopback,
+ .get_sqi = nxp_c45_get_sqi,
+ .get_sqi_max = nxp_c45_get_sqi_max,
++ .remove = nxp_c45_remove,
+ },
+ };
+ 
diff --git a/queue-5.15/net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch b/queue-5.15/net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch
new file mode 100644
index 00000000000..47d82224014
--- /dev/null
+++ b/queue-5.15/net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch
@@ -0,0 +1,38 @@
+From bdaaecc127d471c422ee9e994978617c8aa79e1e Mon Sep 17 00:00:00 2001
+From: "Radu Pirea (OSS)"
+Date: Thu, 6 Apr 2023 12:59:53 +0300
+Subject: net: phy: nxp-c45-tja11xx: fix unsigned long multiplication overflow
+
+From: Radu Pirea (OSS)
+
+commit bdaaecc127d471c422ee9e994978617c8aa79e1e upstream.
+
+Any multiplication between GENMASK(31, 0) and a number bigger than 1
+will be truncated because of the overflow, if the size of unsigned long
+is 32 bits.
+
+Replaced GENMASK with GENMASK_ULL to make sure that multiplication will
+be between 64 bits values.
+
+Cc: # 5.15+
+Fixes: 514def5dd339 ("phy: nxp-c45-tja11xx: add timestamping support")
+Signed-off-by: Radu Pirea (OSS)
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20230406095953.75622-1-radu-nicolae.pirea@oss.nxp.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/nxp-c45-tja11xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -168,7 +168,7 @@
+ #define MAX_ID_PS 2260U
+ #define DEFAULT_ID_PS 2000U
+ 
+-#define PPM_TO_SUBNS_INC(ppb) div_u64(GENMASK(31, 0) * (ppb) * \
++#define PPM_TO_SUBNS_INC(ppb) div_u64(GENMASK_ULL(31, 0) * (ppb) * \
+ PTP_CLK_PERIOD_100BT1, NSEC_PER_SEC)
+ 
+ #define NXP_C45_SKB_CB(skb) ((struct nxp_c45_skb_cb *)(skb)->cb)
diff --git a/queue-5.15/net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch b/queue-5.15/net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch
new file mode 100644
index 00000000000..8b0907e4192
--- /dev/null
+++ b/queue-5.15/net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch
@@ -0,0 +1,78 @@
+From 813c2dd78618f108fdcf9cd726ea90f081ee2881 Mon Sep 17 00:00:00 2001
+From: Ivan Bornyakov
+Date: Thu, 6 Apr 2023 16:08:32 +0300
+Subject: net: sfp: initialize sfp->i2c_block_size at sfp allocation
+
+From: Ivan Bornyakov
+
+commit 813c2dd78618f108fdcf9cd726ea90f081ee2881 upstream.
+
+sfp->i2c_block_size is initialized at SFP module insertion in
+sfp_sm_mod_probe(). Because of that, if SFP module was never inserted
+since boot, sfp_read() call will lead to zero-length I2C read attempt,
+and not all I2C controllers are happy with zero-length reads.
+
+One way to issue sfp_read() on empty SFP cage is to execute ethtool -m.
+If SFP module was never plugged since boot, there will be a zero-length
+I2C read attempt.
+
+ # ethtool -m xge0
+ i2c i2c-3: adapter quirk: no zero length (addr 0x0050, size 0, read)
+ Cannot get Module EEPROM data: Operation not supported
+
+If SFP module was plugged then removed at least once,
+sfp->i2c_block_size will be initialized and ethtool -m will fail with
+different exit code and without I2C error
+
+ # ethtool -m xge0
+ Cannot get Module EEPROM data: Remote I/O error
+
+Fix this by initializing sfp->i2_block_size at struct sfp allocation
+stage so no wild sfp_read() could issue zero-length I2C read.
+
+Signed-off-by: Ivan Bornyakov
+Fixes: 0d035bed2a4a ("net: sfp: VSOL V2801F / CarlitoxxPro CPGOS03-0490 v2.0 workaround")
+Cc: stable@vger.kernel.org
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/sfp.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -208,6 +208,12 @@ static const enum gpiod_flags gpio_flags
+ */
+ #define SFP_PHY_ADDR 22
+ 
++/* SFP_EEPROM_BLOCK_SIZE is the size of data chunk to read the EEPROM
++ * at a time. Some SFP modules and also some Linux I2C drivers do not like
++ * reads longer than 16 bytes.
++ */
++#define SFP_EEPROM_BLOCK_SIZE 16
++
+ struct sff_data {
+ unsigned int gpios;
+ bool (*module_supported)(const struct sfp_eeprom_id *id);
+@@ -1806,11 +1812,7 @@ static int sfp_sm_mod_probe(struct sfp *
+ u8 check;
+ int ret;
+ 
+- /* Some SFP modules and also some Linux I2C drivers do not like reads
+- * longer than 16 bytes, so read the EEPROM in chunks of 16 bytes at
+- * a time.
+- */
+- sfp->i2c_block_size = 16;
++ sfp->i2c_block_size = SFP_EEPROM_BLOCK_SIZE;
+ 
+ ret = sfp_read(sfp, false, 0, &id.base, sizeof(id.base));
+ if (ret < 0) {
+@@ -2462,6 +2464,7 @@ static struct sfp *sfp_alloc(struct devi
+ return ERR_PTR(-ENOMEM);
+ 
+ sfp->dev = dev;
++ sfp->i2c_block_size = SFP_EEPROM_BLOCK_SIZE;
+ 
+ mutex_init(&sfp->sm_mutex);
+ mutex_init(&sfp->st_mutex);
diff --git a/queue-5.15/riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch b/queue-5.15/riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
new file mode 100644
index 00000000000..7b34f570410
--- /dev/null
+++ b/queue-5.15/riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
@@ -0,0 +1,58 @@
+From 8d736482749f6d350892ef83a7a11d43cd49981e Mon Sep 17 00:00:00 2001
+From: Mathis Salmen
+Date: Thu, 6 Apr 2023 12:11:31 +0200
+Subject: riscv: add icache flush for nommu sigreturn trampoline
+
+From: Mathis Salmen
+
+commit 8d736482749f6d350892ef83a7a11d43cd49981e upstream.
+
+In a NOMMU kernel, sigreturn trampolines are generated on the user
+stack by setup_rt_frame. Currently, these trampolines are not instruction
+fenced, thus their visibility to ifetch is not guaranteed.
+
+This patch adds a flush_icache_range in setup_rt_frame to fix this
+problem.
+
+Signed-off-by: Mathis Salmen
+Fixes: 6bd33e1ece52 ("riscv: add nommu support")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230406101130.82304-1-mathis.salmen@matsal.de
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/kernel/signal.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/riscv/kernel/signal.c
++++ b/arch/riscv/kernel/signal.c
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ extern u32 __user_rt_sigreturn[2];
+ 
+@@ -178,6 +179,7 @@ static int setup_rt_frame(struct ksignal
+ {
+ struct rt_sigframe __user *frame;
+ long err = 0;
++ unsigned long __maybe_unused addr;
+ 
+ frame = get_sigframe(ksig, regs, sizeof(*frame));
+ if (!access_ok(frame, sizeof(*frame)))
+@@ -206,7 +208,12 @@ static int setup_rt_frame(struct ksignal
+ if (copy_to_user(&frame->sigreturn_code, __user_rt_sigreturn,
+ sizeof(frame->sigreturn_code)))
+ return -EFAULT;
+- regs->ra = (unsigned long)&frame->sigreturn_code;
++
++ addr = (unsigned long)&frame->sigreturn_code;
++ /* Make sure the two instructions are pushed to icache. */
++ flush_icache_range(addr, addr + sizeof(frame->sigreturn_code));
++
++ regs->ra = addr;
+ #endif /* CONFIG_MMU */
+ 
+ /*
diff --git a/queue-5.15/riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch b/queue-5.15/riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
new file mode 100644
index 00000000000..43965b9262b
--- /dev/null
+++ b/queue-5.15/riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
@@ -0,0 +1,36 @@
+From f1581626071c8e37c58c5e8f0b4126b17172a211 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti
+Date: Wed, 29 Mar 2023 10:19:31 +0200
+Subject: riscv: Do not set initial_boot_params to the linear address of the dtb
+
+From: Alexandre Ghiti
+
+commit f1581626071c8e37c58c5e8f0b4126b17172a211 upstream.
+
+early_init_dt_verify() is already called in parse_dtb() and since the dtb
+address does not change anymore (it is now in the fixmap region), no need
+to reset initial_boot_params by calling early_init_dt_verify() again.
+
+Signed-off-by: Alexandre Ghiti
+Link: https://lore.kernel.org/r/20230329081932.79831-3-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/kernel/setup.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -286,10 +286,7 @@ void __init setup_arch(char **cmdline_p)
+ #if IS_ENABLED(CONFIG_BUILTIN_DTB)
+ unflatten_and_copy_device_tree();
+ #else
+- if (early_init_dt_verify(__va(XIP_FIXUP(dtb_early_pa))))
+- unflatten_device_tree();
+- else
+- pr_err("No DTB found in kernel mappings\n");
++ unflatten_device_tree();
+ #endif
+ early_init_fdt_scan_reserved_mem();
+ misc_mem_init();
diff --git a/queue-5.15/riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch b/queue-5.15/riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch
new file mode 100644
index 00000000000..e7bd22f0842
--- /dev/null
+++ b/queue-5.15/riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch
@@ -0,0 +1,58 @@
+From 1b50f956c8fe9082bdee4a9cfd798149c52f7043 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti
+Date: Wed, 29 Mar 2023 10:19:32 +0200
+Subject: riscv: No need to relocate the dtb as it lies in the fixmap region
+
+From: Alexandre Ghiti
+
+commit 1b50f956c8fe9082bdee4a9cfd798149c52f7043 upstream.
+
+We used to access the dtb via its linear mapping address but now that the
+dtb early mapping was moved in the fixmap region, we can keep using this
+address since it is present in swapper_pg_dir, and remove the dtb
+relocation.
+
+Note that the relocation was wrong anyway since early_memremap() is
+restricted to 256K whereas the maximum fdt size is 2MB.
+
+Signed-off-by: Alexandre Ghiti
+Reviewed-by: Conor Dooley
+Tested-by: Conor Dooley
+Link: https://lore.kernel.org/r/20230329081932.79831-4-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/mm/init.c | 21 ++-------------------
+ 1 file changed, 2 insertions(+), 19 deletions(-)
+
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -222,25 +222,8 @@ static void __init setup_bootmem(void)
+ * early_init_fdt_reserve_self() since __pa() does
+ * not work for DTB pointers that are fixmap addresses
+ */
+- if (!IS_ENABLED(CONFIG_BUILTIN_DTB)) {
+- /*
+- * In case the DTB is not located in a memory region we won't
+- * be able to locate it later on via the linear mapping and
+- * get a segfault when accessing it via __va(dtb_early_pa).
+- * To avoid this situation copy DTB to a memory region.
+- * Note that memblock_phys_alloc will also reserve DTB region.
+- */
+- if (!memblock_is_memory(dtb_early_pa)) {
+- size_t fdt_size = fdt_totalsize(dtb_early_va);
+- phys_addr_t new_dtb_early_pa = memblock_phys_alloc(fdt_size, PAGE_SIZE);
+- void *new_dtb_early_va = early_memremap(new_dtb_early_pa, fdt_size);
+-
+- memcpy(new_dtb_early_va, dtb_early_va, fdt_size);
+- early_memunmap(new_dtb_early_va, fdt_size);
+- _dtb_early_pa = new_dtb_early_pa;
+- } else
+- memblock_reserve(dtb_early_pa, fdt_totalsize(dtb_early_va));
+- }
++ if (!IS_ENABLED(CONFIG_BUILTIN_DTB))
++ memblock_reserve(dtb_early_pa, fdt_totalsize(dtb_early_va));
+ 
+ dma_contiguous_reserve(dma32_phys_limit);
+ if (IS_ENABLED(CONFIG_64BIT))
diff --git a/queue-5.15/series b/queue-5.15/series
index 740684726c6..ee08ebe6572 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -54,3 +54,10 @@ tracing-add-trace_array_puts-to-write-into-instance.patch
 tracing-have-tracing_snapshot_instance_cond-write-er.patch
 i915-perf-replace-drm_debug-with-driver-specific-drm.patch
 drm-i915-fix-race-condition-uaf-in-i915_perf_add_con.patch
+ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
+riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
+riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch
+riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
+net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch
+net-phy-nxp-c45-tja11xx-add-remove-callback.patch
+net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch