From: Greg Kroah-Hartman Date: Fri, 10 Dec 2021 15:52:53 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.295~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=82b6e43023c2c6a5a15862dc51ba9163a7af9dce;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: bpf-fix-the-off-by-two-error-in-range-markings.patch nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch nfp-fix-memory-leak-in-nfp_cpp_area_cache_add.patch --- diff --git a/queue-4.14/bpf-fix-the-off-by-two-error-in-range-markings.patch b/queue-4.14/bpf-fix-the-off-by-two-error-in-range-markings.patch new file mode 100644 index 00000000000..8e9241bcb14 --- /dev/null +++ b/queue-4.14/bpf-fix-the-off-by-two-error-in-range-markings.patch 
@@ -0,0 +1,63 @@ +From 2fa7d94afc1afbb4d702760c058dc2d7ed30f226 Mon Sep 17 00:00:00 2001 +From: Maxim Mikityanskiy +Date: Tue, 30 Nov 2021 20:16:07 +0200 +Subject: bpf: Fix the off-by-two error in range markings + +From: Maxim Mikityanskiy + +commit 2fa7d94afc1afbb4d702760c058dc2d7ed30f226 upstream. + +The first commit cited below attempts to fix the off-by-one error that +appeared in some comparisons with an open range. Due to this error, +arithmetically equivalent pieces of code could get different verdicts +from the verifier, for example (pseudocode): + + // 1. Passes the verifier: + if (data + 8 > data_end) + return early + read *(u64 *)data, i.e. [data; data+7] + + // 2. Rejected by the verifier (should still pass): + if (data + 7 >= data_end) + return early + read *(u64 *)data, i.e. [data; data+7] + +The attempted fix, however, shifts the range by one in a wrong +direction, so the bug not only remains, but also such piece of code +starts failing in the verifier: + + // 3. Rejected by the verifier, but the check is stricter than in #1. + if (data + 8 >= data_end) + return early + read *(u64 *)data, i.e. [data; data+7] + +The change performed by that fix converted an off-by-one bug into +off-by-two. The second commit cited below added the BPF selftests +written to ensure than code chunks like #3 are rejected, however, +they should be accepted. + +This commit fixes the off-by-two error by adjusting new_range in the +right direction and fixes the tests by changing the range into the +one that should actually fail. 
+ +Fixes: fb2a311a31d3 ("bpf: fix off by one for range markings with L{T, E} patterns") +Fixes: b37242c773b2 ("bpf: add test cases to bpf selftests to cover all access tests") +Signed-off-by: Maxim Mikityanskiy +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20211130181607.593149-1-maximmi@nvidia.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2989,7 +2989,7 @@ static void find_good_pkt_pointers(struc + + new_range = dst_reg->off; + if (range_right_open) +- new_range--; ++ new_range++; + + /* Examples for register markings: + * diff --git a/queue-4.14/nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch b/queue-4.14/nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch new file mode 100644 index 00000000000..19d99e4a3c9 --- /dev/null +++ b/queue-4.14/nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch 
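Review bot: the diffstat of this backport touches only kernel/bpf/verifier.c, yet the message says the commit also "fixes the tests by changing the range into the one that should actually fail" and carries a Fixes: tag for b37242c773b2, the selftests commit. If the 4.14 tree lacks those selftest cases, the backport note should say the test half was dropped; if it has them, the test change needs to come along, otherwise the tree keeps selftests that assert the wrong verdict for the `data + 8 >= data_end` pattern. The one-line change itself (`- new_range--;` / `+ new_range++;`) matches the message's reasoning: a `>=` guard that falls through leaves `data + off < data_end`, so off + 1 bytes are provable, not off - 1. Worth also checking that the "Examples for register markings" comment directly below the hunk still describes the right-open case consistently after the sign flip.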
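Added model, not kernel code, of the range arithmetic the commit message above describes. The function and variant names (provable_bytes, verifier_range, VARIANT_ORIGINAL/BUGGY/FIXED) are this example's own, and "accepts" here means only `size <= new_range`, the part of find_good_pkt_pointers() the patch touches. It reproduces the three pseudocode cases from the message under the original off-by-one logic, the fb2a311a31d3 logic (new_range--) and the fixed logic (new_range++), and checks each variant against the bytes a fall-through guard actually proves readable.

```c
/*
 * Added model of the range-marking arithmetic from the commit message
 * above. Example code, not the kernel verifier: names are this example's
 * own, and "accepts" means only "size <= new_range".
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The early-return guard in front of the packet read. */
enum guard {
	GUARD_GT,	/* if (data + off >  data_end) return early; */
	GUARD_GE,	/* if (data + off >= data_end) return early; */
};

enum variant {
	VARIANT_ORIGINAL,	/* new_range = off                          */
	VARIANT_BUGGY,		/* fb2a311a31d3: new_range-- when right-open */
	VARIANT_FIXED,		/* this patch:   new_range++ when right-open */
};

/*
 * Ground truth. When the guard's early return is NOT taken:
 *   GT: data + off <= data_end  -> bytes [data, data+off)  -> off readable
 *   GE: data + off <  data_end  -> bytes [data, data+off]  -> off + 1 readable
 */
static int provable_bytes(enum guard g, int off)
{
	return g == GUARD_GE ? off + 1 : off;
}

/* new_range as each variant of find_good_pkt_pointers() computes it. */
static int verifier_range(enum variant v, enum guard g, int off)
{
	bool range_right_open = (g == GUARD_GE);
	int new_range = off;

	if (range_right_open) {
		if (v == VARIANT_BUGGY)
			new_range--;
		else if (v == VARIANT_FIXED)
			new_range++;
	}
	return new_range;
}

/* Verdict on a read of `size` bytes at data under the given variant. */
static bool verifier_accepts(enum variant v, enum guard g, int off, int size)
{
	return size <= verifier_range(v, g, off);
}

/* Whether that read is really in bounds given only the guard. */
static bool actually_safe(enum guard g, int off, int size)
{
	return size <= provable_bytes(g, off);
}

/* Sound: never accepts a read the guard does not prove in bounds. */
static bool variant_is_sound(enum variant v)
{
	for (int off = 1; off <= 64; off++)
		for (int size = 1; size <= 64; size++)
			for (int g = GUARD_GT; g <= GUARD_GE; g++)
				if (verifier_accepts(v, g, off, size) &&
				    !actually_safe(g, off, size))
					return false;
	return true;
}

/* Exact: accepts a read if and only if the guard proves it in bounds. */
static bool variant_is_exact(enum variant v)
{
	for (int off = 1; off <= 64; off++)
		for (int size = 1; size <= 64; size++)
			for (int g = GUARD_GT; g <= GUARD_GE; g++)
				if (verifier_accepts(v, g, off, size) !=
				    actually_safe(g, off, size))
					return false;
	return true;
}

int main(void)
{
	/* The three cases from the commit message, each an 8-byte read. */
	static const struct { const char *name; enum guard g; int off; } cases[] = {
		{ "#1 data + 8 >  data_end", GUARD_GT, 8 },
		{ "#2 data + 7 >= data_end", GUARD_GE, 7 },
		{ "#3 data + 8 >= data_end", GUARD_GE, 8 },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%s: original=%s buggy=%s fixed=%s (in bounds=%s)\n",
		       cases[i].name,
		       verifier_accepts(VARIANT_ORIGINAL, cases[i].g, cases[i].off, 8) ? "pass" : "reject",
		       verifier_accepts(VARIANT_BUGGY, cases[i].g, cases[i].off, 8) ? "pass" : "reject",
		       verifier_accepts(VARIANT_FIXED, cases[i].g, cases[i].off, 8) ? "pass" : "reject",
		       actually_safe(cases[i].g, cases[i].off, 8) ? "yes" : "no");
	return 0;
}
```

Both pre-fix variants are sound (they only under-approximate the readable range), which is why the bug showed up as spurious rejections rather than as a verifier bypass; only the `new_range++` variant is exact for both guard shapes.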
@@ -0,0 +1,37 @@ +From 4cd8371a234d051f9c9557fcbb1f8c523b1c0d10 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Dec 2021 09:13:07 +0100 +Subject: nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done + +From: Krzysztof Kozlowski + +commit 4cd8371a234d051f9c9557fcbb1f8c523b1c0d10 upstream. + +The done() netlink callback nfc_genl_dump_ses_done() should check if +received argument is non-NULL, because its allocation could fail earlier +in dumpit() (nfc_genl_dump_ses()). + +Fixes: ac22ac466a65 ("NFC: Add a GET_SE netlink API") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20211209081307.57337-1-krzysztof.kozlowski@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/netlink.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -1400,8 +1400,10 @@ static int nfc_genl_dump_ses_done(struct + { + struct class_dev_iter *iter = (struct class_dev_iter *) cb->args[0]; + +- nfc_device_iter_exit(iter); +- kfree(iter); ++ if (iter) { ++ nfc_device_iter_exit(iter); ++ kfree(iter); ++ } + + return 0; + } diff --git a/queue-4.14/nfp-fix-memory-leak-in-nfp_cpp_area_cache_add.patch b/queue-4.14/nfp-fix-memory-leak-in-nfp_cpp_area_cache_add.patch new file mode 100644 index 00000000000..277df6dc26d --- /dev/null +++ b/queue-4.14/nfp-fix-memory-leak-in-nfp_cpp_area_cache_add.patch 
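Review bot: the `if (iter)` guard is correct, but the message's framing could be tighter: kfree(NULL) is already a no-op, so the deref being prevented is inside nfc_device_iter_exit(iter), which is the call the guard really protects. The fix also relies on cb->args[0] still being zero when nfc_genl_dump_ses() fails its allocation before storing the iterator; this hunk cannot show whether the dumpit's failure path ever leaves a stale or partially initialised pointer in cb->args[0], so that side deserves a look in the same series.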
@@ -0,0 +1,60 @@ +From c56c96303e9289cc34716b1179597b6f470833de Mon Sep 17 00:00:00 2001 +From: Jianglei Nie +Date: Thu, 9 Dec 2021 14:15:11 +0800 +Subject: nfp: Fix memory leak in nfp_cpp_area_cache_add() + +From: Jianglei Nie + +commit c56c96303e9289cc34716b1179597b6f470833de upstream. + +In line 800 (#1), nfp_cpp_area_alloc() allocates and initializes a +CPP area structure. But in line 807 (#2), when the cache is allocated +failed, this CPP area structure is not freed, which will result in +memory leak. + +We can fix it by freeing the CPP area when the cache is allocated +failed (#2). + +792 int nfp_cpp_area_cache_add(struct nfp_cpp *cpp, size_t size) +793 { +794 struct nfp_cpp_area_cache *cache; +795 struct nfp_cpp_area *area; + +800 area = nfp_cpp_area_alloc(cpp, NFP_CPP_ID(7, NFP_CPP_ACTION_RW, 0), +801 0, size); + // #1: allocates and initializes + +802 if (!area) +803 return -ENOMEM; + +805 cache = kzalloc(sizeof(*cache), GFP_KERNEL); +806 if (!cache) +807 return -ENOMEM; // #2: missing free + +817 return 0; +818 } + +Fixes: 4cb584e0ee7d ("nfp: add CPP access core") +Signed-off-by: Jianglei Nie +Acked-by: Simon Horman +Link: https://lore.kernel.org/r/20211209061511.122535-1-niejianglei2021@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c ++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c +@@ -787,8 +787,10 @@ int nfp_cpp_area_cache_add(struct nfp_cp + return -ENOMEM; + + cache = kzalloc(sizeof(*cache), GFP_KERNEL); +- if (!cache) ++ if (!cache) { ++ nfp_cpp_area_free(area); + return -ENOMEM; ++ } + + cache->id = 0; + cache->addr = 0; diff --git a/queue-4.14/series b/queue-4.14/series index d9e28b65ce9..c55f7da2226 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
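Review bot: the free sits on the right path (after the `!area` return at the top of the context and before `cache` is touched), and because the listing in the message shows the area coming from nfp_cpp_area_alloc() rather than an acquire variant, nfp_cpp_area_free(area) alone is the correct undo. The listing elides lines 808-816 of the function; if anything in that stretch can fail after the kzalloc succeeds, that path would need the symmetric kfree(cache) plus nfp_cpp_area_free(area), and the message should say it was checked. For a single failure site the inline free is fine; if a second one turns up, a goto-based unwind (`err_free_area:`) would be the cleaner shape.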
@@ -5,3 +5,6 @@ hid-add-usb_hid-dependancy-on-some-usb-hid-drivers.patch hid-wacom-fix-problems-when-device-is-not-a-valid-usb-device.patch hid-check-for-valid-usb-device-for-many-hid-drivers.patch can-sja1000-fix-use-after-free-in-ems_pcmcia_add_card.patch +nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch +bpf-fix-the-off-by-two-error-in-range-markings.patch +nfp-fix-memory-leak-in-nfp_cpp_area_cache_add.patch