From: Greg Kroah-Hartman Date: Wed, 15 Jan 2020 15:04:45 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.14.166~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=848f42161d624827addb07531424955c4949bc46;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: arm64-don-t-open-code-page-table-entry-creation.patch arm64-enforce-bbm-for-huge-io-vmap-mappings.patch arm64-make-sure-permission-updates-happen-for-pmd-pud.patch arm64-mm-change-page-table-pointer-name-in-p_set_huge.patch cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch cifs-fix-lease-buffer-length-error.patch dccp-fix-memleak-in-__feat_register_sp.patch iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch mac80211-do-not-send-layer-2-update-frame-before-authorization.patch media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch rsi-add-fix-for-crash-during-assertions.patch wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch wimax-i2400-fix-memory-leak.patch --- diff --git a/queue-4.14/arm64-don-t-open-code-page-table-entry-creation.patch b/queue-4.14/arm64-don-t-open-code-page-table-entry-creation.patch new file mode 100644 index 00000000000..37e146d5557 --- /dev/null +++ b/queue-4.14/arm64-don-t-open-code-page-table-entry-creation.patch 
@@ -0,0 +1,118 @@ +From foo@baz Wed 15 Jan 2020 03:59:12 PM CET +From: Kristina Martsenko +Date: Wed, 13 Dec 2017 17:07:20 +0000 +Subject: arm64: don't open code page table entry creation + +From: Kristina Martsenko + +commit 193383043f14a398393dc18bae8380f7fe665ec3 upstream. + +Instead of open coding the generation of page table entries, use the +macros/functions that exist for this - pfn_p*d and p*d_populate. Most +code in the kernel already uses these macros, this patch tries to fix +up the few places that don't. This is useful for the next patch in this +series, which needs to change the page table entry logic, and it's +better to have that logic in one place. + +The KVM extended ID map is special, since we're creating a level above +CONFIG_PGTABLE_LEVELS and the required function isn't available. Leave +it as is and add a comment to explain it. (The normal kernel ID map code +doesn't need this change because its page tables are created in assembly +(__create_page_tables)). + +Tested-by: Suzuki K Poulose +Reviewed-by: Suzuki K Poulose +Reviewed-by: Marc Zyngier +Tested-by: Bob Picco +Reviewed-by: Bob Picco +Signed-off-by: Kristina Martsenko +Signed-off-by: Catalin Marinas +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/kvm_mmu.h | 5 +++++ + arch/arm64/include/asm/pgtable.h | 1 + + arch/arm64/kernel/hibernate.c | 3 +-- + arch/arm64/mm/mmu.c | 14 +++++++++----- + 4 files changed, 16 insertions(+), 7 deletions(-) + +--- a/arch/arm64/include/asm/kvm_mmu.h ++++ b/arch/arm64/include/asm/kvm_mmu.h +@@ -296,6 +296,11 @@ static inline bool __kvm_cpu_uses_extend + return __cpu_uses_extended_idmap(); + } + ++/* ++ * Can't use pgd_populate here, because the extended idmap adds an extra level ++ * above CONFIG_PGTABLE_LEVELS (which is 2 or 3 if we're using the extended ++ * idmap), and pgd_populate is only available if CONFIG_PGTABLE_LEVELS = 4. 
++ */ + static inline void __kvm_extend_hypmap(pgd_t *boot_hyp_pgd, + pgd_t *hyp_pgd, + pgd_t *merged_hyp_pgd, +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -343,6 +343,7 @@ static inline int pmd_protnone(pmd_t pmd + + #define pud_write(pud) pte_write(pud_pte(pud)) + #define pud_pfn(pud) (((pud_val(pud) & PUD_MASK) & PHYS_MASK) >> PAGE_SHIFT) ++#define pfn_pud(pfn,prot) (__pud(((phys_addr_t)(pfn) << PAGE_SHIFT) | pgprot_val(prot))) + + #define set_pmd_at(mm, addr, pmdp, pmd) set_pte_at(mm, addr, (pte_t *)pmdp, pmd_pte(pmd)) + +--- a/arch/arm64/kernel/hibernate.c ++++ b/arch/arm64/kernel/hibernate.c +@@ -246,8 +246,7 @@ static int create_safe_exec_page(void *s + } + + pte = pte_offset_kernel(pmd, dst_addr); +- set_pte(pte, __pte(virt_to_phys((void *)dst) | +- pgprot_val(PAGE_KERNEL_EXEC))); ++ set_pte(pte, pfn_pte(virt_to_pfn(dst), PAGE_KERNEL_EXEC)); + + /* + * Load our new page tables. A strict BBM approach requires that we +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -605,8 +605,8 @@ static void __init map_kernel(pgd_t *pgd + * entry instead. 
+ */ + BUG_ON(!IS_ENABLED(CONFIG_ARM64_16K_PAGES)); +- set_pud(pud_set_fixmap_offset(pgd, FIXADDR_START), +- __pud(__pa_symbol(bm_pmd) | PUD_TYPE_TABLE)); ++ pud_populate(&init_mm, pud_set_fixmap_offset(pgd, FIXADDR_START), ++ lm_alias(bm_pmd)); + pud_clear_fixmap(); + } else { + BUG(); +@@ -721,7 +721,7 @@ int __meminit vmemmap_populate(unsigned + if (!p) + return -ENOMEM; + +- set_pmd(pmd, __pmd(__pa(p) | PROT_SECT_NORMAL)); ++ pmd_set_huge(pmd, __pa(p), __pgprot(PROT_SECT_NORMAL)); + } else + vmemmap_verify((pte_t *)pmd, node, addr, next); + } while (addr = next, addr != end); +@@ -915,15 +915,19 @@ int __init arch_ioremap_pmd_supported(vo + + int pud_set_huge(pud_t *pud, phys_addr_t phys, pgprot_t prot) + { ++ pgprot_t sect_prot = __pgprot(PUD_TYPE_SECT | ++ pgprot_val(mk_sect_prot(prot))); + BUG_ON(phys & ~PUD_MASK); +- set_pud(pud, __pud(phys | PUD_TYPE_SECT | pgprot_val(mk_sect_prot(prot)))); ++ set_pud(pud, pfn_pud(__phys_to_pfn(phys), sect_prot)); + return 1; + } + + int pmd_set_huge(pmd_t *pmd, phys_addr_t phys, pgprot_t prot) + { ++ pgprot_t sect_prot = __pgprot(PMD_TYPE_SECT | ++ pgprot_val(mk_sect_prot(prot))); + BUG_ON(phys & ~PMD_MASK); +- set_pmd(pmd, __pmd(phys | PMD_TYPE_SECT | pgprot_val(mk_sect_prot(prot)))); ++ set_pmd(pmd, pfn_pmd(__phys_to_pfn(phys), sect_prot)); + return 1; + } + diff --git a/queue-4.14/arm64-enforce-bbm-for-huge-io-vmap-mappings.patch b/queue-4.14/arm64-enforce-bbm-for-huge-io-vmap-mappings.patch new file mode 100644 index 00000000000..0d0aa9da295 --- /dev/null +++ b/queue-4.14/arm64-enforce-bbm-for-huge-io-vmap-mappings.patch 
@@ -0,0 +1,56 @@ +From foo@baz Wed 15 Jan 2020 03:59:12 PM CET +From: Will Deacon +Date: Wed, 21 Feb 2018 12:59:27 +0000 +Subject: arm64: Enforce BBM for huge IO/VMAP mappings + +From: Will Deacon + +commit 15122ee2c515a253b0c66a3e618bc7ebe35105eb upstream. + +ioremap_page_range doesn't honour break-before-make and attempts to put +down huge mappings (using p*d_set_huge) over the top of pre-existing +table entries. This leads to us leaking page table memory and also gives +rise to TLB conflicts and spurious aborts, which have been seen in +practice on Cortex-A75. + +Until this has been resolved, refuse to put block mappings when the +existing entry is found to be present. + +Fixes: 324420bf91f60 ("arm64: add support for ioremap() block mappings") +Reported-by: Hanjun Guo +Reported-by: Lei Li +Acked-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/mmu.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -917,6 +917,11 @@ int pud_set_huge(pud_t *pudp, phys_addr_ + { + pgprot_t sect_prot = __pgprot(PUD_TYPE_SECT | + pgprot_val(mk_sect_prot(prot))); ++ ++ /* ioremap_page_range doesn't honour BBM */ ++ if (pud_present(READ_ONCE(*pudp))) ++ return 0; ++ + BUG_ON(phys & ~PUD_MASK); + set_pud(pudp, pfn_pud(__phys_to_pfn(phys), sect_prot)); + return 1; +@@ -926,6 +931,11 @@ int pmd_set_huge(pmd_t *pmdp, phys_addr_ + { + pgprot_t sect_prot = __pgprot(PMD_TYPE_SECT | + pgprot_val(mk_sect_prot(prot))); ++ ++ /* ioremap_page_range doesn't honour BBM */ ++ if (pmd_present(READ_ONCE(*pmdp))) ++ return 0; ++ + BUG_ON(phys & ~PMD_MASK); + set_pmd(pmdp, pfn_pmd(__phys_to_pfn(phys), sect_prot)); + return 1; 
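Review bot: The present-entry check added to pud_set_huge() and pmd_set_huge() rejects every call on a populated entry, including a permission-only rewrite of an existing block mapping, not just the ioremap_page_range case the comment names; the next patch in this series, arm64-make-sure-permission-updates-happen-for-pmd-pud.patch, replaces it with pgattr_change_is_safe() for exactly that reason, so the two should be treated as inseparable when this is picked into other stable trees. The check also sits ahead of `BUG_ON(phys & ~PUD_MASK)`, so a misaligned phys aimed at a populated entry now returns 0 instead of trapping; if the alignment invariant is meant to hold for every caller, the BUG_ON belongs before the early return. The comment would read more precisely as `/* ioremap_page_range doesn't honour BBM: refuse to overwrite a live entry */`. Both functions are shown complete in the hunks.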
diff --git a/queue-4.14/arm64-make-sure-permission-updates-happen-for-pmd-pud.patch b/queue-4.14/arm64-make-sure-permission-updates-happen-for-pmd-pud.patch new file mode 100644 index 00000000000..aa465ca744e --- /dev/null +++ b/queue-4.14/arm64-make-sure-permission-updates-happen-for-pmd-pud.patch 
@@ -0,0 +1,72 @@ +From foo@baz Wed 15 Jan 2020 03:59:12 PM CET +From: Laura Abbott +Date: Wed, 23 May 2018 11:43:46 -0700 +Subject: arm64: Make sure permission updates happen for pmd/pud + +From: Laura Abbott + +commit 82034c23fcbc2389c73d97737f61fa2dd6526413 upstream. + +Commit 15122ee2c515 ("arm64: Enforce BBM for huge IO/VMAP mappings") +disallowed block mappings for ioremap since that code does not honor +break-before-make. The same APIs are also used for permission updating +though and the extra checks prevent the permission updates from happening, +even though this should be permitted. This results in read-only permissions +not being fully applied. Visibly, this can occasionaly be seen as a failure +on the built in rodata test when the test data ends up in a section or +as an odd RW gap on the page table dump. Fix this by using +pgattr_change_is_safe instead of p*d_present for determining if the +change is permitted. + +Reviewed-by: Kees Cook +Tested-by: Peter Robinson +Reported-by: Peter Robinson +Fixes: 15122ee2c515 ("arm64: Enforce BBM for huge IO/VMAP mappings") +Signed-off-by: Laura Abbott +Signed-off-by: Will Deacon +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/mmu.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -917,13 +917,15 @@ int pud_set_huge(pud_t *pudp, phys_addr_ + { + pgprot_t sect_prot = __pgprot(PUD_TYPE_SECT | + pgprot_val(mk_sect_prot(prot))); ++ pud_t new_pud = pfn_pud(__phys_to_pfn(phys), sect_prot); + +- /* ioremap_page_range doesn't honour BBM */ +- if (pud_present(READ_ONCE(*pudp))) ++ /* Only allow permission changes for now */ ++ if (!pgattr_change_is_safe(READ_ONCE(pud_val(*pudp)), ++ pud_val(new_pud))) + return 0; + + BUG_ON(phys & ~PUD_MASK); +- set_pud(pudp, pfn_pud(__phys_to_pfn(phys), sect_prot)); ++ set_pud(pudp, new_pud); + return 1; + } + +@@ -931,13 +933,15 @@ int pmd_set_huge(pmd_t *pmdp, 
phys_addr_ + { + pgprot_t sect_prot = __pgprot(PMD_TYPE_SECT | + pgprot_val(mk_sect_prot(prot))); ++ pmd_t new_pmd = pfn_pmd(__phys_to_pfn(phys), sect_prot); + +- /* ioremap_page_range doesn't honour BBM */ +- if (pmd_present(READ_ONCE(*pmdp))) ++ /* Only allow permission changes for now */ ++ if (!pgattr_change_is_safe(READ_ONCE(pmd_val(*pmdp)), ++ pmd_val(new_pmd))) + return 0; + + BUG_ON(phys & ~PMD_MASK); +- set_pmd(pmdp, pfn_pmd(__phys_to_pfn(phys), sect_prot)); ++ set_pmd(pmdp, new_pmd); + return 1; + } + diff --git a/queue-4.14/arm64-mm-change-page-table-pointer-name-in-p_set_huge.patch b/queue-4.14/arm64-mm-change-page-table-pointer-name-in-p_set_huge.patch new file mode 100644 index 00000000000..f0f70e227b2 --- /dev/null +++ b/queue-4.14/arm64-mm-change-page-table-pointer-name-in-p_set_huge.patch 
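Review bot: The comment `/* Only allow permission changes for now */` placed above the pgattr_change_is_safe() check in pud_set_huge() and pmd_set_huge() does not say why any other change is refused, and a reader of mmu.c without the commit log cannot tell that the constraint exists because ioremap_page_range does not honour break-before-make. I would expand it to `/* ioremap_page_range doesn't honour BBM, so only accept a permission change of the existing entry (see pgattr_change_is_safe) */`. The pre-existing `BUG_ON(phys & ~PUD_MASK)` still runs only after the early return, so a misaligned phys combined with an unsafe change is reported as 0 rather than caught; moving it ahead of the check (before new_pud is built) would keep the alignment invariant enforced for all callers.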
@@ -0,0 +1,46 @@ +From foo@baz Wed 15 Jan 2020 03:59:12 PM CET +From: Ben Hutchings +Date: Tue, 14 Jan 2020 15:44:11 +0000 +Subject: arm64: mm: Change page table pointer name in p[md]_set_huge() + +From: Ben Hutchings + +This is preparation for the following backported fixes. It was done +upstream as part of commit 20a004e7b017 "arm64: mm: Use +READ_ONCE/WRITE_ONCE when accessing page tables", the rest of which +does not seem suitable for stable. + +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/mmu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -913,21 +913,21 @@ int __init arch_ioremap_pmd_supported(vo + return !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS); + } + +-int pud_set_huge(pud_t *pud, phys_addr_t phys, pgprot_t prot) ++int pud_set_huge(pud_t *pudp, phys_addr_t phys, pgprot_t prot) + { + pgprot_t sect_prot = __pgprot(PUD_TYPE_SECT | + pgprot_val(mk_sect_prot(prot))); + BUG_ON(phys & ~PUD_MASK); +- set_pud(pud, pfn_pud(__phys_to_pfn(phys), sect_prot)); ++ set_pud(pudp, pfn_pud(__phys_to_pfn(phys), sect_prot)); + return 1; + } + +-int pmd_set_huge(pmd_t *pmd, phys_addr_t phys, pgprot_t prot) ++int pmd_set_huge(pmd_t *pmdp, phys_addr_t phys, pgprot_t prot) + { + pgprot_t sect_prot = __pgprot(PMD_TYPE_SECT | + pgprot_val(mk_sect_prot(prot))); + BUG_ON(phys & ~PMD_MASK); +- set_pmd(pmd, pfn_pmd(__phys_to_pfn(phys), sect_prot)); ++ set_pmd(pmdp, pfn_pmd(__phys_to_pfn(phys), sect_prot)); + return 1; + } + diff --git a/queue-4.14/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch b/queue-4.14/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch new file mode 100644 index 00000000000..b3ea4833846 --- /dev/null +++ b/queue-4.14/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch 
@@ -0,0 +1,166 @@ +From foo@baz Wed 15 Jan 2020 03:59:12 PM CET +From: Dedy Lansky +Date: Sun, 29 Jul 2018 14:59:16 +0300 +Subject: cfg80211/mac80211: make ieee80211_send_layer2_update a public function + +From: Dedy Lansky + +commit 30ca1aa536211f5ac3de0173513a7a99a98a97f3 upstream. + +Make ieee80211_send_layer2_update() a common function so other drivers +can re-use it. + +Signed-off-by: Dedy Lansky +Signed-off-by: Johannes Berg +[bwh: Backported to 4.14 as dependency of commit 3e493173b784 + "mac80211: Do not send Layer 2 Update frame before authorization"] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + include/net/cfg80211.h | 11 +++++++++++ + net/mac80211/cfg.c | 48 ++---------------------------------------------- + net/wireless/util.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 58 insertions(+), 46 deletions(-) + +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -4480,6 +4480,17 @@ const u8 *cfg80211_find_vendor_ie(unsign + const u8 *ies, int len); + + /** ++ * cfg80211_send_layer2_update - send layer 2 update frame ++ * ++ * @dev: network device ++ * @addr: STA MAC address ++ * ++ * Wireless drivers can use this function to update forwarding tables in bridge ++ * devices upon STA association. 
++ */ ++void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr); ++ ++/** + * DOC: Regulatory enforcement infrastructure + * + * TODO +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1089,50 +1089,6 @@ static int ieee80211_stop_ap(struct wiph + return 0; + } + +-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */ +-struct iapp_layer2_update { +- u8 da[ETH_ALEN]; /* broadcast */ +- u8 sa[ETH_ALEN]; /* STA addr */ +- __be16 len; /* 6 */ +- u8 dsap; /* 0 */ +- u8 ssap; /* 0 */ +- u8 control; +- u8 xid_info[3]; +-} __packed; +- +-static void ieee80211_send_layer2_update(struct sta_info *sta) +-{ +- struct iapp_layer2_update *msg; +- struct sk_buff *skb; +- +- /* Send Level 2 Update Frame to update forwarding tables in layer 2 +- * bridge devices */ +- +- skb = dev_alloc_skb(sizeof(*msg)); +- if (!skb) +- return; +- msg = skb_put(skb, sizeof(*msg)); +- +- /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID) +- * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */ +- +- eth_broadcast_addr(msg->da); +- memcpy(msg->sa, sta->sta.addr, ETH_ALEN); +- msg->len = htons(6); +- msg->dsap = 0; +- msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */ +- msg->control = 0xaf; /* XID response lsb.1111F101. 
+- * F=0 (no poll command; unsolicited frame) */ +- msg->xid_info[0] = 0x81; /* XID format identifier */ +- msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */ +- msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */ +- +- skb->dev = sta->sdata->dev; +- skb->protocol = eth_type_trans(skb, sta->sdata->dev); +- memset(skb->cb, 0, sizeof(skb->cb)); +- netif_rx_ni(skb); +-} +- + static int sta_apply_auth_flags(struct ieee80211_local *local, + struct sta_info *sta, + u32 mask, u32 set) +@@ -1496,7 +1452,7 @@ static int ieee80211_add_station(struct + } + + if (layer2_update) +- ieee80211_send_layer2_update(sta); ++ cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); + + rcu_read_unlock(); + +@@ -1598,7 +1554,7 @@ static int ieee80211_change_station(stru + if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) + ieee80211_vif_inc_num_mcast(sta->sdata); + +- ieee80211_send_layer2_update(sta); ++ cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); + } + + err = sta_apply_parameters(local, sta, params); +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1873,3 +1873,48 @@ EXPORT_SYMBOL(rfc1042_header); + const unsigned char bridge_tunnel_header[] __aligned(2) = + { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 }; + EXPORT_SYMBOL(bridge_tunnel_header); ++ ++/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */ ++struct iapp_layer2_update { ++ u8 da[ETH_ALEN]; /* broadcast */ ++ u8 sa[ETH_ALEN]; /* STA addr */ ++ __be16 len; /* 6 */ ++ u8 dsap; /* 0 */ ++ u8 ssap; /* 0 */ ++ u8 control; ++ u8 xid_info[3]; ++} __packed; ++ ++void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr) ++{ ++ struct iapp_layer2_update *msg; ++ struct sk_buff *skb; ++ ++ /* Send Level 2 Update Frame to update forwarding tables in layer 2 ++ * bridge devices */ ++ ++ skb = dev_alloc_skb(sizeof(*msg)); ++ if (!skb) ++ return; ++ msg = skb_put(skb, sizeof(*msg)); ++ ++ /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID) ++ * Update 
response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
++
++ eth_broadcast_addr(msg->da);
++ ether_addr_copy(msg->sa, addr);
++ msg->len = htons(6);
++ msg->dsap = 0;
++ msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */
++ msg->control = 0xaf; /* XID response lsb.1111F101.
++ * F=0 (no poll command; unsolicited frame) */
++ msg->xid_info[0] = 0x81; /* XID format identifier */
++ msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
++ msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */
++
++ skb->dev = dev;
++ skb->protocol = eth_type_trans(skb, dev);
++ memset(skb->cb, 0, sizeof(skb->cb));
++ netif_rx_ni(skb);
++}
++EXPORT_SYMBOL(cfg80211_send_layer2_update);
diff --git a/queue-4.14/cifs-fix-lease-buffer-length-error.patch b/queue-4.14/cifs-fix-lease-buffer-length-error.patch
new file mode 100644
index 00000000000..d71d6ec8003
--- /dev/null
+++ b/queue-4.14/cifs-fix-lease-buffer-length-error.patch
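Review bot: The kerneldoc added for cfg80211_send_layer2_update() in cfg80211.h says the frame is sent "upon STA association", yet the function hands a frame carrying @addr as source to netif_rx_ni(), so a driver calling it before the STA is authorized lets a not-yet-authenticated peer rewrite bridge forwarding tables; the mac80211 patch later in this series moves its own caller to the authorized transition for that reason. Now that the symbol is exported for other drivers, the precondition belongs in the header: `* Call this only once the STA has been authorized: the frame makes bridge * devices learn @addr on this port.`, and @addr should be documented as needing u16 alignment because the body uses ether_addr_copy(), which requires that of both operands. The copied struct comment `u8 ssap; /* 0 */` in util.c also contradicts `msg->ssap = 0x01;` a few lines below; moving the code is the moment to correct it to `/* 0x01: NULL LSAP, response */`.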
@@ -0,0 +1,85 @@ +From foo@baz Wed 15 Jan 2020 03:59:12 PM CET +From: ZhangXiaoxu +Date: Sat, 6 Apr 2019 15:30:38 +0800 +Subject: cifs: Fix lease buffer length error + +From: ZhangXiaoxu + +commit b57a55e2200ede754e4dc9cce4ba9402544b9365 upstream. + +There is a KASAN slab-out-of-bounds: +BUG: KASAN: slab-out-of-bounds in _copy_from_iter_full+0x783/0xaa0 +Read of size 80 at addr ffff88810c35e180 by task mount.cifs/539 + +CPU: 1 PID: 539 Comm: mount.cifs Not tainted 4.19 #10 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS + rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 +Call Trace: + dump_stack+0xdd/0x12a + print_address_description+0xa7/0x540 + kasan_report+0x1ff/0x550 + check_memory_region+0x2f1/0x310 + memcpy+0x2f/0x80 + _copy_from_iter_full+0x783/0xaa0 + tcp_sendmsg_locked+0x1840/0x4140 + tcp_sendmsg+0x37/0x60 + inet_sendmsg+0x18c/0x490 + sock_sendmsg+0xae/0x130 + smb_send_kvec+0x29c/0x520 + __smb_send_rqst+0x3ef/0xc60 + smb_send_rqst+0x25a/0x2e0 + compound_send_recv+0x9e8/0x2af0 + cifs_send_recv+0x24/0x30 + SMB2_open+0x35e/0x1620 + open_shroot+0x27b/0x490 + smb2_open_op_close+0x4e1/0x590 + smb2_query_path_info+0x2ac/0x650 + cifs_get_inode_info+0x1058/0x28f0 + cifs_root_iget+0x3bb/0xf80 + cifs_smb3_do_mount+0xe00/0x14c0 + cifs_do_mount+0x15/0x20 + mount_fs+0x5e/0x290 + vfs_kern_mount+0x88/0x460 + do_mount+0x398/0x31e0 + ksys_mount+0xc6/0x150 + __x64_sys_mount+0xea/0x190 + do_syscall_64+0x122/0x590 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +It can be reproduced by the following step: + 1. samba configured with: server max protocol = SMB2_10 + 2. mount -o vers=default + +When parse the mount version parameter, the 'ops' and 'vals' +was setted to smb30, if negotiate result is smb21, just +update the 'ops' to smb21, but the 'vals' is still smb30. +When add lease context, the iov_base is allocated with smb21 +ops, but the iov_len is initiallited with the smb30. 
Because
+the iov_len is longer than iov_base, when send the message,
+copy array out of bounds.
+
+we need to keep the 'ops' and 'vals' consistent.
+
+Fixes: 9764c02fcbad ("SMB3: Add support for multidialect negotiate (SMB2.1 and later)")
+Fixes: d5c7076b772a ("smb3: add smb3.1.1 to default dialect list")
+
+Signed-off-by: ZhangXiaoxu
+Signed-off-by: Steve French
+Reviewed-by: Pavel Shilovsky
+[bwh: Backported to 4.14: We never switch to SMB3.1.1 here]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/smb2pdu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -575,6 +575,7 @@ SMB2_negotiate(const unsigned int xid, s
+ } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
+ /* ops set to 3.0 by default for default so update */
+ ses->server->ops = &smb21_operations;
++ ses->server->vals = &smb21_values;
+ }
+ } else if (le16_to_cpu(rsp->DialectRevision) !=
+ ses->server->vals->protocol_id) {
diff --git a/queue-4.14/dccp-fix-memleak-in-__feat_register_sp.patch b/queue-4.14/dccp-fix-memleak-in-__feat_register_sp.patch
new file mode 100644
index 00000000000..27f0748e9b9
--- /dev/null
+++ b/queue-4.14/dccp-fix-memleak-in-__feat_register_sp.patch
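Review bot: The comment directly above the added line in SMB2_negotiate(), `/* ops set to 3.0 by default for default so update */`, now describes only half of what the branch does, and the silent ops/vals split it glosses over is what produced the out-of-bounds send described in the log; I would change it to `/* ops and vals default to 3.0; switch both to 2.1 so lease iov lengths match */`. Any other place in this function that swaps ses->server->ops should pair the vals assignment the same way; the backport note says the 3.1.1 switch does not exist in 4.14, which suggests this branch is the only one. SMB2_negotiate() starts and ends outside the hunk.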
@@ -0,0 +1,39 @@
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: YueHaibing
+Date: Mon, 1 Apr 2019 09:35:54 +0800
+Subject: dccp: Fix memleak in __feat_register_sp
+
+From: YueHaibing
+
+commit 1d3ff0950e2b40dc861b1739029649d03f591820 upstream.
+
+If dccp_feat_push_change fails, we forget free the mem
+which is alloced by kmemdup in dccp_feat_clone_sp_val.
+
+Reported-by: Hulk Robot
+Fixes: e8ef967a54f4 ("dccp: Registration routines for changing feature values")
+Reviewed-by: Mukesh Ojha
+Signed-off-by: YueHaibing
+Signed-off-by: David S. Miller
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dccp/feat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/dccp/feat.c
++++ b/net/dccp/feat.c
+@@ -738,7 +738,12 @@ static int __feat_register_sp(struct lis
+ if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
+ return -ENOMEM;
+
+- return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);
++ if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) {
++ kfree(fval.sp.vec);
++ return -ENOMEM;
++ }
++
++ return 0;
+ }
+
+ /**
diff --git a/queue-4.14/iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch b/queue-4.14/iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch
new file mode 100644
index 00000000000..379ae0ffc97
--- /dev/null
+++ b/queue-4.14/iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch
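Review bot: The new failure branch in __feat_register_sp() throws away the value returned by dccp_feat_push_change() and reports -ENOMEM unconditionally, so if that helper ever fails for a non-allocation reason the caller receives a misleading errno. Keeping the result ties the cleanup to the real error: `err = dccp_feat_push_change(fn, feat, is_local, mandatory, &fval); if (err) kfree(fval.sp.vec); return err;` with `int err;` declared at the top of the function, which starts outside the hunk. The kfree matches the kmemdup in dccp_feat_clone_sp_val() named in the log; a one-line comment above it, `/* the clone was not adopted by the feature list, release it */`, would make that ownership rule visible in the code.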
@@ -0,0 +1,30 @@
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Navid Emamdoost
+Date: Thu, 12 Sep 2019 23:23:27 -0500
+Subject: iwlwifi: dbg_ini: fix memory leak in alloc_sgtable
+
+From: Navid Emamdoost
+
+commit b4b814fec1a5a849383f7b3886b654a13abbda7d upstream.
+
+In alloc_sgtable if alloc_page fails, the alocated table should be
+released.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Luca Coelho
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+@@ -532,6 +532,7 @@ static struct scatterlist *alloc_sgtable
+ if (new_page)
+ __free_page(new_page);
+ }
++ kfree(table);
+ return NULL;
+ }
+ alloc_size = min_t(int, size, PAGE_SIZE);
diff --git a/queue-4.14/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch b/queue-4.14/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch
new file mode 100644
index 00000000000..85b57a40ef1
--- /dev/null
+++ b/queue-4.14/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch
@@ -0,0 +1,101 @@ +From foo@baz Wed 15 Jan 2020 03:59:12 PM CET +From: Jouni Malinen +Date: Wed, 11 Sep 2019 16:03:05 +0300 +Subject: mac80211: Do not send Layer 2 Update frame before authorization + +From: Jouni Malinen + +commit 3e493173b7841259a08c5c8e5cbe90adb349da7e upstream. + +The Layer 2 Update frame is used to update bridges when a station roams +to another AP even if that STA does not transmit any frames after the +reassociation. This behavior was described in IEEE Std 802.11F-2003 as +something that would happen based on MLME-ASSOCIATE.indication, i.e., +before completing 4-way handshake. However, this IEEE trial-use +recommended practice document was published before RSN (IEEE Std +802.11i-2004) and as such, did not consider RSN use cases. Furthermore, +IEEE Std 802.11F-2003 was withdrawn in 2006 and as such, has not been +maintained amd should not be used anymore. + +Sending out the Layer 2 Update frame immediately after association is +fine for open networks (and also when using SAE, FT protocol, or FILS +authentication when the station is actually authenticated by the time +association completes). However, it is not appropriate for cases where +RSN is used with PSK or EAP authentication since the station is actually +fully authenticated only once the 4-way handshake completes after +authentication and attackers might be able to use the unauthenticated +triggering of Layer 2 Update frame transmission to disrupt bridge +behavior. + +Fix this by postponing transmission of the Layer 2 Update frame from +station entry addition to the point when the station entry is marked +authorized. Similarly, send out the VLAN binding update only if the STA +entry has already been authorized. + +Signed-off-by: Jouni Malinen +Reviewed-by: Johannes Berg +Signed-off-by: David S. 
Miller
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/cfg.c | 14 ++++----------
+ net/mac80211/sta_info.c | 4 ++++
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1398,7 +1398,6 @@ static int ieee80211_add_station(struct
+ struct sta_info *sta;
+ struct ieee80211_sub_if_data *sdata;
+ int err;
+- int layer2_update;
+
+ if (params->vlan) {
+ sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
+@@ -1442,18 +1441,12 @@ static int ieee80211_add_station(struct
+ test_sta_flag(sta, WLAN_STA_ASSOC))
+ rate_control_rate_init(sta);
+
+- layer2_update = sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
+- sdata->vif.type == NL80211_IFTYPE_AP;
+-
+ err = sta_info_insert_rcu(sta);
+ if (err) {
+ rcu_read_unlock();
+ return err;
+ }
+
+- if (layer2_update)
+- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+-
+ rcu_read_unlock();
+
+ return 0;
+@@ -1551,10 +1544,11 @@ static int ieee80211_change_station(stru
+ sta->sdata = vlansdata;
+ ieee80211_check_fast_xmit(sta);
+
+- if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
++ if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
+ ieee80211_vif_inc_num_mcast(sta->sdata);
+-
+- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
++ cfg80211_send_layer2_update(sta->sdata->dev,
++ sta->sta.addr);
++ }
+ }
+
+ err = sta_apply_parameters(local, sta, params);
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1899,6 +1899,10 @@ int sta_info_move_state(struct sta_info
+ ieee80211_check_fast_xmit(sta);
+ ieee80211_check_fast_rx(sta);
+ }
++ if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
++ sta->sdata->vif.type == NL80211_IFTYPE_AP)
++ cfg80211_send_layer2_update(sta->sdata->dev,
++ sta->sta.addr);
+ break;
+ default:
+ break;
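Review bot: The block added to sta_info_move_state() sends the Layer 2 Update after the closing brace of the `if (sta->sta_state == ...)` body shown as context, not inside it, so whether it fires only on a genuine transition into the authorized state depends on the transition checks earlier in the function, which lie outside the hunk; worth confirming that every path reaching this point has just set WLAN_STA_AUTHORIZED. Nothing in sta_info.c now explains why the frame is no longer sent at insertion time, so a comment above the new `if` would preserve the reasoning from the log: `/* Only now, after authorization, may this STA cause bridges to learn its address on the port; sending earlier would let an unauthenticated peer disrupt bridge forwarding. */`. The change_station hunk correctly restricts the VLAN-rebinding update to authorized STAs in the same way.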
diff --git a/queue-4.14/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch b/queue-4.14/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch new file mode 100644 index 00000000000..61721dfa3d6 --- /dev/null +++ b/queue-4.14/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch 
@@ -0,0 +1,80 @@ +From foo@baz Wed 15 Jan 2020 03:59:12 PM CET +From: Vandana BN +Date: Wed, 22 May 2019 04:34:15 -0400 +Subject: media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap + +From: Vandana BN + +commit 5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e upstream. + +SyzKaller hit the null pointer deref while reading from uninitialized +udev->product in zr364xx_vidioc_querycap(). + +================================================================== +BUG: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20 +include/linux/compiler.h:274 +Read of size 1 at addr 0000000000000000 by task v4l_id/5287 + +CPU: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xe8/0x16e lib/dump_stack.c:113 + kasan_report.cold+0x5/0x3c mm/kasan/report.c:321 + read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274 + strscpy+0x8a/0x280 lib/string.c:207 + zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706 + v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062 + __video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874 + video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056 + v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:509 [inline] + do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696 + ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713 + __do_sys_ioctl fs/ioctl.c:720 [inline] + __se_sys_ioctl fs/ioctl.c:718 [inline] + __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718 + do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x7f3b56d8b347 +Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff +ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff +ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 
64
+RSP: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347
+RDX: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884
+R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000
+==================================================================
+
+For this device udev->product is not initialized and accessing it causes a NULL pointer deref.
+
+The fix is to check for NULL before strscpy() and copy empty string, if
+product is NULL
+
+Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com
+Signed-off-by: Vandana BN
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+[bwh: Backported to 4.14: This function uses strlcpy() instead of strscpy()]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/zr364xx/zr364xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -706,7 +706,8 @@ static int zr364xx_vidioc_querycap(struc
+ struct zr364xx_camera *cam = video_drvdata(file);
+
+ strlcpy(cap->driver, DRIVER_DESC, sizeof(cap->driver));
+- strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
++ if (cam->udev->product)
++ strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
+ strlcpy(cap->bus_info, dev_name(&cam->udev->dev),
+ sizeof(cap->bus_info));
+ cap->device_caps = V4L2_CAP_VIDEO_CAPTURE |
diff --git a/queue-4.14/rsi-add-fix-for-crash-during-assertions.patch b/queue-4.14/rsi-add-fix-for-crash-during-assertions.patch
new file mode 100644
index 00000000000..00d4ca19292
--- /dev/null
+++ b/queue-4.14/rsi-add-fix-for-crash-during-assertions.patch
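Review bot: The log says an empty string is copied when udev->product is NULL, but the guard in zr364xx_vidioc_querycap() only skips the strlcpy() and leaves cap->card untouched, so whether userspace sees an empty name or stale bytes depends on the V4L2 core having zeroed the struct before the handler runs, which this hunk does not show. An explicit `else cap->card[0] = '\0';` makes the handler self-contained and rules out returning uninitialized kernel memory through the querycap buffer regardless of what the caller did. The function starts and ends outside the hunk.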
@@ -0,0 +1,34 @@
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Sanjay Konduri
+Date: Tue, 15 May 2018 14:34:30 +0530
+Subject: rsi: add fix for crash during assertions
+
+From: Sanjay Konduri
+
+commit abd39c6ded9db53aa44c2540092bdd5fb6590fa8 upstream.
+
+Observed crash in some scenarios when assertion has occurred,
+this is because hw structure is freed and is tried to get
+accessed in some functions where null check is already
+present. So, avoided the crash by making the hw to NULL after
+freeing.
+
+Signed-off-by: Sanjay Konduri
+Signed-off-by: Sushant Kumar Mishra
+Signed-off-by: Kalle Valo
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/rsi/rsi_91x_mac80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c
++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+@@ -218,6 +218,7 @@ void rsi_mac80211_detach(struct rsi_hw *
+ ieee80211_stop_queues(hw);
+ ieee80211_unregister_hw(hw);
+ ieee80211_free_hw(hw);
++ adapter->hw = NULL;
+ }
+
+ for (band = 0; band < NUM_NL80211_BANDS; band++) {
diff --git a/queue-4.14/series b/queue-4.14/series
index 15de0a098eb..a6271a72e69 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
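Review bot: Clearing adapter->hw after ieee80211_free_hw(hw) in rsi_mac80211_detach() only protects code that reads the pointer through adapter; the local `hw` still points at freed memory for the rest of the function, whose body continues past the hunk, so it is worth checking that nothing after the band loop uses it. A comment at the assignment would record the contract the log relies on: `/* Other paths test adapter->hw for NULL before use; clear it so a later detach or error path cannot touch the freed hw */`. Whether the store needs ordering against concurrent readers of adapter->hw cannot be judged from this hunk.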
@@ -3,3 +3,16 @@ hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch
 hid-hidraw-uhid-always-report-epollout.patch
 ethtool-reduce-stack-usage-with-clang.patch
 fs-select-avoid-clang-stack-usage-warning.patch
+rsi-add-fix-for-crash-during-assertions.patch
+arm64-don-t-open-code-page-table-entry-creation.patch
+arm64-mm-change-page-table-pointer-name-in-p_set_huge.patch
+arm64-enforce-bbm-for-huge-io-vmap-mappings.patch
+arm64-make-sure-permission-updates-happen-for-pmd-pud.patch
+cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch
+mac80211-do-not-send-layer-2-update-frame-before-authorization.patch
+media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch
+cifs-fix-lease-buffer-length-error.patch
+wimax-i2400-fix-memory-leak.patch
+wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
+iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch
+dccp-fix-memleak-in-__feat_register_sp.patch
diff --git a/queue-4.14/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch b/queue-4.14/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
new file mode 100644
index 00000000000..d03c75a4420
--- /dev/null
+++ b/queue-4.14/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
@@ -0,0 +1,40 @@
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Navid Emamdoost
+Date: Fri, 25 Oct 2019 23:53:30 -0500
+Subject: wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
+
+From: Navid Emamdoost
+
+commit 6f3ef5c25cc762687a7341c18cbea5af54461407 upstream.
+
+In the implementation of i2400m_op_rfkill_sw_toggle() the allocated
+buffer for cmd should be released before returning. The
+documentation for i2400m_msg_to_dev() says when it returns the buffer
+can be reused. Meaning cmd should be released in either case. Move
+kfree(cmd) before return to be reached by all execution paths.
+
+Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak")
+Signed-off-by: Navid Emamdoost
+Signed-off-by: David S. Miller
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -142,12 +142,12 @@ int i2400m_op_rfkill_sw_toggle(struct wi
+ "%d\n", result);
+ result = 0;
+ error_cmd:
+- kfree(cmd);
+ kfree_skb(ack_skb);
+ error_msg_to_dev:
+ error_alloc:
+ d_fnend(4, dev, "(wimax_dev %p state %d) = %d\n",
+ wimax_dev, state, result);
++ kfree(cmd);
+ return result;
+ }
+
diff --git a/queue-4.14/wimax-i2400-fix-memory-leak.patch b/queue-4.14/wimax-i2400-fix-memory-leak.patch
new file mode 100644
index 00000000000..1e7d94cf4a2
--- /dev/null
+++ b/queue-4.14/wimax-i2400-fix-memory-leak.patch
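Review bot: The relocated `kfree(cmd);` now sits below the `error_alloc:` label, so it is also executed on the path where allocating `cmd` itself failed; that is only safe if `cmd` holds NULL on that path (the failed allocation's result, or an explicit initialisation), and the start of i2400m_op_rfkill_sw_toggle where `cmd` is assigned lies outside the hunk, so it cannot be confirmed from here. A comment at the new call site would pin that invariant for future edits, e.g. `/* cmd is NULL if its allocation failed, so freeing here is safe on every path */`. Running the free after `d_fnend()` is otherwise harmless, since the visible trace call only references dev, wimax_dev, state and result.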
@@ -0,0 +1,30 @@
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Navid Emamdoost
+Date: Tue, 10 Sep 2019 18:01:40 -0500
+Subject: wimax: i2400: fix memory leak
+
+From: Navid Emamdoost
+
+commit 2507e6ab7a9a440773be476141a255934468c5ef upstream.
+
+In i2400m_op_rfkill_sw_toggle cmd buffer should be released along with
+skb response.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: David S. Miller
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -142,6 +142,7 @@ int i2400m_op_rfkill_sw_toggle(struct wi
+ "%d\n", result);
+ result = 0;
+ error_cmd:
++ kfree(cmd);
+ kfree_skb(ack_skb);
+ error_msg_to_dev:
+ error_alloc: