From: Greg Kroah-Hartman
Date: Mon, 14 Oct 2024 12:15:25 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v5.10.227~35
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a8cd6004c9a7918821f2e4979560e1d259005b9f;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
net-dsa-lan9303-ensure-chip-reset-and-wait-for-ready-status.patch
net-fix-an-unsafe-loop-on-the-list.patch
nouveau-dmem-fix-vulnerability-in-migrate_to_ram-upon-copy-error.patch
---
diff --git a/queue-5.10/net-dsa-lan9303-ensure-chip-reset-and-wait-for-ready-status.patch b/queue-5.10/net-dsa-lan9303-ensure-chip-reset-and-wait-for-ready-status.patch
new file mode 100644
index 00000000000..31f93cd10a0
--- /dev/null
+++ b/queue-5.10/net-dsa-lan9303-ensure-chip-reset-and-wait-for-ready-status.patch
@@ -0,0 +1,83 @@
+From 5c14e51d2d7df49fe0d4e64a12c58d2542f452ff Mon Sep 17 00:00:00 2001
+From: Anatolij Gustschin
+Date: Fri, 4 Oct 2024 13:36:54 +0200
+Subject: net: dsa: lan9303: ensure chip reset and wait for READY status
+
+From: Anatolij Gustschin
+
+commit 5c14e51d2d7df49fe0d4e64a12c58d2542f452ff upstream.
+
+Accessing device registers seems to be not reliable, the chip
+revision is sometimes detected wrongly (0 instead of expected 1).
+
+Ensure that the chip reset is performed via reset GPIO and then
+wait for 'Device Ready' status in HW_CFG register before doing
+any register initializations.
+
+Cc: stable@vger.kernel.org
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Anatolij Gustschin
+[alex: reworked using read_poll_timeout()]
+Signed-off-by: Alexander Sverdlin
+Reviewed-by: Vladimir Oltean
+Link: https://patch.msgid.link/20241004113655.3436296-1-alexander.sverdlin@siemens.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/lan9303-core.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -6,6 +6,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -819,6 +820,8 @@ static void lan9303_handle_reset(struct
+ if (!chip->reset_gpio)
+ return;
+
++ gpiod_set_value_cansleep(chip->reset_gpio, 1);
++
+ if (chip->reset_duration != 0)
+ msleep(chip->reset_duration);
+
+@@ -844,8 +847,34 @@ static int lan9303_disable_processing(st
+ static int lan9303_check_device(struct lan9303 *chip)
+ {
+ int ret;
++ int err;
+ u32 reg;
+
++ /* In I2C-managed configurations this polling loop will clash with
++ * switch's reading of EEPROM right after reset and this behaviour is
++ * not configurable. While lan9303_read() already has quite long retry
++ * timeout, seems not all cases are being detected as arbitration error.
++ *
++ * According to datasheet, EEPROM loader has 30ms timeout (in case of
++ * missing EEPROM).
++ *
++ * Loading of the largest supported EEPROM is expected to take at least
++ * 5.9s.
++ */
++ err = read_poll_timeout(lan9303_read, ret,
++ !ret && reg & LAN9303_HW_CFG_READY,
++ 20000, 6000000, false,
++ chip->regmap, LAN9303_HW_CFG, ®);
++ if (ret) {
++ dev_err(chip->dev, "failed to read HW_CFG reg: %pe\n",
++ ERR_PTR(ret));
++ return ret;
++ }
++ if (err) {
++ dev_err(chip->dev, "HW_CFG not ready: 0x%08x\n", reg);
++ return err;
++ }
++
+ ret = lan9303_read(chip->regmap, LAN9303_CHIP_REV, ®);
+ if (ret) {
+ dev_err(chip->dev, "failed to read chip revision register: %d\n",
diff --git a/queue-5.10/net-fix-an-unsafe-loop-on-the-list.patch b/queue-5.10/net-fix-an-unsafe-loop-on-the-list.patch
new file mode 100644
index 00000000000..f79cd5a5cbb
--- /dev/null
+++ b/queue-5.10/net-fix-an-unsafe-loop-on-the-list.patch
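Review bot: The poll condition added to lan9303_check_device, `!ret && reg & LAN9303_HW_CFG_READY`, depends on `&` binding tighter than `&&` and on short-circuit evaluation to keep `reg` from being tested after a failed read; `!ret && (reg & LAN9303_HW_CFG_READY)` states that directly. The bare `20000, 6000000` are the sleep and timeout arguments in microseconds, so a trailing comment like `/* poll every 20 ms, up to 6 s */` would tie them to the 5.9 s EEPROM load time given in the comment above. A switch that never reports READY now holds up probe for roughly six seconds before the error is returned, which is worth stating in that comment too. The `®` in the two lan9303_read argument lists is most likely `&reg` damaged by this page's HTML rendering, and the function continues past the end of the hunk.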
@@ -0,0 +1,60 @@
+From 1dae9f1187189bc09ff6d25ca97ead711f7e26f9 Mon Sep 17 00:00:00 2001
+From: Anastasia Kovaleva
+Date: Thu, 3 Oct 2024 13:44:31 +0300
+Subject: net: Fix an unsafe loop on the list
+
+From: Anastasia Kovaleva
+
+commit 1dae9f1187189bc09ff6d25ca97ead711f7e26f9 upstream.
+
+The kernel may crash when deleting a genetlink family if there are still
+listeners for that family:
+
+Oops: Kernel access of bad area, sig: 11 [#1]
+ ...
+ NIP [c000000000c080bc] netlink_update_socket_mc+0x3c/0xc0
+ LR [c000000000c0f764] __netlink_clear_multicast_users+0x74/0xc0
+ Call Trace:
+__netlink_clear_multicast_users+0x74/0xc0
+genl_unregister_family+0xd4/0x2d0
+
+Change the unsafe loop on the list to a safe one, because inside the
+loop there is an element removal from this list.
+
+Fixes: b8273570f802 ("genetlink: fix netns vs. netlink table locking (2)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anastasia Kovaleva
+Reviewed-by: Dmitry Bogdanov
+Reviewed-by: Kuniyuki Iwashima
+Link: https://patch.msgid.link/20241003104431.12391-1-a.kovaleva@yadro.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/sock.h | 2 ++
+ net/netlink/af_netlink.c | 3 ++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -834,6 +834,8 @@ static inline void sk_add_bind_node(stru
+ hlist_for_each_entry_safe(__sk, tmp, list, sk_node)
+ #define sk_for_each_bound(__sk, list) \
+ hlist_for_each_entry(__sk, list, sk_bind_node)
++#define sk_for_each_bound_safe(__sk, tmp, list) \
++ hlist_for_each_entry_safe(__sk, tmp, list, sk_bind_node)
+
+ /**
+ * sk_for_each_entry_offset_rcu - iterate over a list at a given struct offset
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2155,8 +2155,9 @@ void __netlink_clear_multicast_users(str
+ {
+ struct sock *sk;
+ struct netlink_table *tbl = &nl_table[ksk->sk_protocol];
++ struct hlist_node *tmp;
+
+- sk_for_each_bound(sk, &tbl->mc_list)
++ sk_for_each_bound_safe(sk, tmp, &tbl->mc_list)
+ netlink_update_socket_mc(nlk_sk(sk), group, 0);
+ }
+
diff --git a/queue-5.10/nouveau-dmem-fix-vulnerability-in-migrate_to_ram-upon-copy-error.patch b/queue-5.10/nouveau-dmem-fix-vulnerability-in-migrate_to_ram-upon-copy-error.patch
new file mode 100644
index 00000000000..555ce95336f
--- /dev/null
+++ b/queue-5.10/nouveau-dmem-fix-vulnerability-in-migrate_to_ram-upon-copy-error.patch
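Review bot: Nothing at the `sk_for_each_bound_safe()` call site in __netlink_clear_multicast_users records why the safe iterator is required, so a later cleanup could switch it back to the plain form. A one-line comment above the loop such as `/* netlink_update_socket_mc() may unlink sk from mc_list */` would keep the reason next to the code; the commit message says the removal happens inside the loop, but the callee itself is not visible here. The `_safe` variant only tolerates removal of the entry currently being visited, so the loop still depends on the caller holding whatever lock protects `mc_list`, presumably the netlink table lock taken outside this hunk.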
@@ -0,0 +1,48 @@
+From 835745a377a4519decd1a36d6b926e369b3033e2 Mon Sep 17 00:00:00 2001
+From: Yonatan Maman
+Date: Tue, 8 Oct 2024 14:59:43 +0300
+Subject: nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error
+
+From: Yonatan Maman
+
+commit 835745a377a4519decd1a36d6b926e369b3033e2 upstream.
+
+The `nouveau_dmem_copy_one` function ensures that the copy push command is
+sent to the device firmware but does not track whether it was executed
+successfully.
+
+In the case of a copy error (e.g., firmware or hardware failure), the
+copy push command will be sent via the firmware channel, and
+`nouveau_dmem_copy_one` will likely report success, leading to the
+`migrate_to_ram` function returning a dirty HIGH_USER page to the user.
+
+This can result in a security vulnerability, as a HIGH_USER page that may
+contain sensitive or corrupted data could be returned to the user.
+
+To prevent this vulnerability, we allocate a zero page. Thus, in case of
+an error, a non-dirty (zero) page will be returned to the user.
+
+Fixes: 5be73b690875 ("drm/nouveau/dmem: device memory helpers for SVM")
+Signed-off-by: Yonatan Maman
+Co-developed-by: Gal Shalom
+Signed-off-by: Gal Shalom
+Reviewed-by: Ben Skeggs
+Cc: stable@vger.kernel.org
+Signed-off-by: Danilo Krummrich
+Link: https://patchwork.freedesktop.org/patch/msgid/20241008115943.990286-3-ymaman@nvidia.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_dmem.c
++++ b/drivers/gpu/drm/nouveau/nouveau_dmem.c
+@@ -149,7 +149,7 @@ static vm_fault_t nouveau_dmem_fault_cop
+ if (!spage || !(args->src[0] & MIGRATE_PFN_MIGRATE))
+ return 0;
+
+- dpage = alloc_page_vma(GFP_HIGHUSER, vmf->vma, vmf->address);
++ dpage = alloc_page_vma(GFP_HIGHUSER | __GFP_ZERO, vmf->vma, vmf->address);
+ if (!dpage)
+ return VM_FAULT_SIGBUS;
+ lock_page(dpage);
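Review bot: The `__GFP_ZERO` added to the `alloc_page_vma()` call keeps stale page contents from reaching userspace, but a failed device copy is still not detected, so the fault completes and the process silently reads zeros in place of its data. The commit message says `nouveau_dmem_copy_one` does not track whether the copy executed; until it does, a comment on the allocation such as `/* zeroed: copy completion is not checked, never hand back stale memory */` would stop a later cleanup from dropping the flag as redundant. If the copy's completion status can be observed, failing the fault with `VM_FAULT_SIGBUS`, as the allocation-failure path already does, would be the stricter behaviour. The enclosing function starts and ends outside the hunk.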
diff --git a/queue-5.10/series b/queue-5.10/series
index e630c787ee2..d2beeb70856 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -512,3 +512,6 @@ usb-dwc3-core-stop-processing-of-pending-events-if-controller-is-halted.patch
 usb-xhci-fix-problem-with-xhci-resume-from-suspend.patch
 usb-storage-ignore-bogus-device-raised-by-jieli-br21-usb-sound-chip.patch
 hid-intel-ish-hid-fix-uninitialized-variable-rv-in-ish_fw_xfer_direct_dma.patch
+net-fix-an-unsafe-loop-on-the-list.patch
+net-dsa-lan9303-ensure-chip-reset-and-wait-for-ready-status.patch
+nouveau-dmem-fix-vulnerability-in-migrate_to_ram-upon-copy-error.patch