From: Sasha Levin Date: Sat, 26 Jun 2021 01:30:26 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.12.14~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad3024437a7f045e5d3f94402ab2dece02b6a1c8;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch b/queue-4.19/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch new file mode 100644 index 00000000000..d1f226a42b5 --- /dev/null +++ b/queue-4.19/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch @@ -0,0 +1,62 @@ +From f3e51e9725e16709f49207571e3b9107f8e56661 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 14:39:41 +0800 +Subject: cfg80211: call cfg80211_leave_ocb when switching away from OCB + +From: Du Cheng + +[ Upstream commit a64b6a25dd9f984ed05fade603a00e2eae787d2f ] + +If the userland switches back-and-forth between NL80211_IFTYPE_OCB and +NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), there is a +chance where the cleanup cfg80211_leave_ocb() is not called. This leads +to initialization of in-use memory (e.g. init u.ibss while in-use by +u.ocb) due to a shared struct/union within ieee80211_sub_if_data: + +struct ieee80211_sub_if_data { + ... + union { + struct ieee80211_if_ap ap; + struct ieee80211_if_vlan vlan; + struct ieee80211_if_managed mgd; + struct ieee80211_if_ibss ibss; // <- shares address + struct ieee80211_if_mesh mesh; + struct ieee80211_if_ocb ocb; // <- shares address + struct ieee80211_if_mntr mntr; + struct ieee80211_if_nan nan; + } u; + ... +} + +Therefore add handling of otype == NL80211_IFTYPE_OCB, during +cfg80211_change_iface() to perform cleanup when leaving OCB mode. + +link to syzkaller bug: +https://syzkaller.appspot.com/bug?id=0612dbfa595bf4b9b680ff7b4948257b8e3732d5 + +Reported-by: syzbot+105896fac213f26056f9@syzkaller.appspotmail.com +Signed-off-by: Du Cheng +Link: https://lore.kernel.org/r/20210428063941.105161-1-ducheng2@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/util.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/wireless/util.c b/net/wireless/util.c +index c4536468dfbe..e7be500b6452 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -965,6 +965,9 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev, + case NL80211_IFTYPE_MESH_POINT: + /* mesh should be handled? */ + break; ++ case NL80211_IFTYPE_OCB: ++ cfg80211_leave_ocb(rdev, dev); ++ break; + default: + break; + } +-- +2.30.2 + diff --git a/queue-4.19/inet-annotate-date-races-around-sk-sk_txhash.patch b/queue-4.19/inet-annotate-date-races-around-sk-sk_txhash.patch new file mode 100644 index 00000000000..c20e94fca72 --- /dev/null +++ b/queue-4.19/inet-annotate-date-races-around-sk-sk_txhash.patch @@ -0,0 +1,97 @@ +From 302cae3ba5d3d865816a947524461be69037c9dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 07:44:11 -0700 +Subject: inet: annotate date races around sk->sk_txhash + +From: Eric Dumazet + +[ Upstream commit b71eaed8c04f72a919a9c44e83e4ee254e69e7f3 ] + +UDP sendmsg() path can be lockless, it is possible for another +thread to re-connect an change sk->sk_txhash under us. + +There is no serious impact, but we can use READ_ONCE()/WRITE_ONCE() +pair to document the race. + +BUG: KCSAN: data-race in __ip4_datagram_connect / skb_set_owner_w + +write to 0xffff88813397920c of 4 bytes by task 30997 on cpu 1: + sk_set_txhash include/net/sock.h:1937 [inline] + __ip4_datagram_connect+0x69e/0x710 net/ipv4/datagram.c:75 + __ip6_datagram_connect+0x551/0x840 net/ipv6/datagram.c:189 + ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272 + inet_dgram_connect+0xfd/0x180 net/ipv4/af_inet.c:580 + __sys_connect_file net/socket.c:1837 [inline] + __sys_connect+0x245/0x280 net/socket.c:1854 + __do_sys_connect net/socket.c:1864 [inline] + __se_sys_connect net/socket.c:1861 [inline] + __x64_sys_connect+0x3d/0x50 net/socket.c:1861 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff88813397920c of 4 bytes by task 31039 on cpu 0: + skb_set_hash_from_sk include/net/sock.h:2211 [inline] + skb_set_owner_w+0x118/0x220 net/core/sock.c:2101 + sock_alloc_send_pskb+0x452/0x4e0 net/core/sock.c:2359 + sock_alloc_send_skb+0x2d/0x40 net/core/sock.c:2373 + __ip6_append_data+0x1743/0x21a0 net/ipv6/ip6_output.c:1621 + ip6_make_skb+0x258/0x420 net/ipv6/ip6_output.c:1983 + udpv6_sendmsg+0x160a/0x16b0 net/ipv6/udp.c:1527 + inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:642 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350 + ___sys_sendmsg net/socket.c:2404 [inline] + __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490 + __do_sys_sendmmsg net/socket.c:2519 [inline] + __se_sys_sendmmsg net/socket.c:2516 [inline] + __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0xbca3c43d -> 0xfdb309e0 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 31039 Comm: syz-executor.2 Not tainted 5.13.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index bc752237dff3..351749c694ce 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1832,7 +1832,8 @@ static inline u32 net_tx_rndhash(void) + + static inline void sk_set_txhash(struct sock *sk) + { +- sk->sk_txhash = net_tx_rndhash(); ++ /* This pairs with READ_ONCE() in skb_set_hash_from_sk() */ ++ WRITE_ONCE(sk->sk_txhash, net_tx_rndhash()); + } + + static inline void sk_rethink_txhash(struct sock *sk) +@@ -2103,9 +2104,12 @@ static inline void sock_poll_wait(struct file *filp, struct socket *sock, + + static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk) + { +- if (sk->sk_txhash) { ++ /* This pairs with WRITE_ONCE() in sk_set_txhash() */ ++ u32 txhash = READ_ONCE(sk->sk_txhash); ++ ++ if (txhash) { + skb->l4_hash = 1; +- skb->hash = sk->sk_txhash; ++ skb->hash = txhash; + } + } + +-- +2.30.2 + diff --git a/queue-4.19/kvm-selftests-fix-kvm_check_cap-assertion.patch b/queue-4.19/kvm-selftests-fix-kvm_check_cap-assertion.patch new file mode 100644 index 00000000000..23e76284204 --- /dev/null +++ b/queue-4.19/kvm-selftests-fix-kvm_check_cap-assertion.patch @@ -0,0 +1,36 @@ +From cd25612e1b3d2edadfe0051824b51ccfc9eb5a72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 16:04:43 +0100 +Subject: KVM: selftests: Fix kvm_check_cap() assertion + +From: Fuad Tabba + +[ Upstream commit d8ac05ea13d789d5491a5920d70a05659015441d ] + +KVM_CHECK_EXTENSION ioctl can return any negative value on error, +and not necessarily -1. Change the assertion to reflect that. + +Signed-off-by: Fuad Tabba +Message-Id: <20210615150443.1183365-1-tabba@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kvm/lib/kvm_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c +index fb5d2d1e0c04..b138fd5e4620 100644 +--- a/tools/testing/selftests/kvm/lib/kvm_util.c ++++ b/tools/testing/selftests/kvm/lib/kvm_util.c +@@ -55,7 +55,7 @@ int kvm_check_cap(long cap) + exit(KSFT_SKIP); + + ret = ioctl(kvm_fd, KVM_CHECK_EXTENSION, cap); +- TEST_ASSERT(ret != -1, "KVM_CHECK_EXTENSION IOCTL failed,\n" ++ TEST_ASSERT(ret >= 0, "KVM_CHECK_EXTENSION IOCTL failed,\n" + " rc: %i errno: %i", ret, errno); + + close(kvm_fd); +-- +2.30.2 + diff --git a/queue-4.19/mac80211-drop-multicast-fragments.patch b/queue-4.19/mac80211-drop-multicast-fragments.patch new file mode 100644 index 00000000000..0fedd71fee5 --- /dev/null +++ b/queue-4.19/mac80211-drop-multicast-fragments.patch @@ -0,0 +1,54 @@ +From 525bc3fabb9719db4b3fbdab152f45aa19800fff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 16:13:06 +0200 +Subject: mac80211: drop multicast fragments + +From: Johannes Berg + +[ Upstream commit a9799541ca34652d9996e45f80e8e03144c12949 ] + +These are not permitted by the spec, just drop them. + +Link: https://lore.kernel.org/r/20210609161305.23def022b750.Ibd6dd3cdce573dae262fcdc47f8ac52b883a9c50@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 2ba19decb126..012697efafc3 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2124,17 +2124,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + sc = le16_to_cpu(hdr->seq_ctrl); + frag = sc & IEEE80211_SCTL_FRAG; + +- if (is_multicast_ether_addr(hdr->addr1)) { +- I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount); +- goto out_no_led; +- } +- + if (rx->sta) + cache = &rx->sta->frags; + + if (likely(!ieee80211_has_morefrags(fc) && frag == 0)) + goto out; + ++ if (is_multicast_ether_addr(hdr->addr1)) ++ return RX_DROP_MONITOR; ++ + I802_DEBUG_INC(rx->local->rx_handlers_fragments); + + if (skb_linearize(rx->skb)) +@@ -2260,7 +2258,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + + out: + ieee80211_led_rx(rx->local); +- out_no_led: + if (rx->sta) + rx->sta->rx_stats.packets++; + return RX_CONTINUE; +-- +2.30.2 + diff --git a/queue-4.19/mac80211-remove-warning-in-ieee80211_get_sband.patch b/queue-4.19/mac80211-remove-warning-in-ieee80211_get_sband.patch new file mode 100644 index 00000000000..094c7d45165 --- /dev/null +++ b/queue-4.19/mac80211-remove-warning-in-ieee80211_get_sband.patch @@ -0,0 +1,39 @@ +From 03feffb6d582056892897bd534e9646623870fc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 May 2021 16:47:17 +0200 +Subject: mac80211: remove warning in ieee80211_get_sband() + +From: Johannes Berg + +[ Upstream commit 0ee4d55534f82a0624701d0bb9fc2304d4529086 ] + +Syzbot reports that it's possible to hit this from userspace, +by trying to add a station before any other connection setup +has been done. Instead of trying to catch this in some other +way simply remove the warning, that will appropriately reject +the call from userspace. + +Reported-by: syzbot+7716dbc401d9a437890d@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20210517164715.f537da276d17.Id05f40ec8761d6a8cc2df87f1aa09c651988a586@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ieee80211_i.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 6c9d9c94983b..dea48696f994 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1398,7 +1398,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata) + rcu_read_lock(); + chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); + +- if (WARN_ON_ONCE(!chanctx_conf)) { ++ if (!chanctx_conf) { + rcu_read_unlock(); + return NULL; + } +-- +2.30.2 + diff --git a/queue-4.19/net-caif-fix-memory-leak-in-ldisc_open.patch b/queue-4.19/net-caif-fix-memory-leak-in-ldisc_open.patch new file mode 100644 index 00000000000..65a4ea7b564 --- /dev/null +++ b/queue-4.19/net-caif-fix-memory-leak-in-ldisc_open.patch @@ -0,0 +1,53 @@ +From fd9db48cbfaaa89247c32203aa0817aad6f31438 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 17:51:22 +0300 +Subject: net: caif: fix memory leak in ldisc_open + +From: Pavel Skripkin + +[ Upstream commit 58af3d3d54e87bfc1f936e16c04ade3369d34011 ] + +Syzbot reported memory leak in tty_init_dev(). +The problem was in unputted tty in ldisc_open() + +static int ldisc_open(struct tty_struct *tty) +{ +... + ser->tty = tty_kref_get(tty); +... + result = register_netdevice(dev); + if (result) { + rtnl_unlock(); + free_netdev(dev); + return -ENODEV; + } +... +} + +Ser pointer is netdev private_data, so after free_netdev() +this pointer goes away with unputted tty reference. So, fix +it by adding tty_kref_put() before freeing netdev. + +Reported-and-tested-by: syzbot+f303e045423e617d2cad@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/caif/caif_serial.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index 94d5ce9419ca..81ec17b9c49c 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -360,6 +360,7 @@ static int ldisc_open(struct tty_struct *tty) + rtnl_lock(); + result = register_netdevice(dev); + if (result) { ++ tty_kref_put(tty); + rtnl_unlock(); + free_netdev(dev); + return -ENODEV; +-- +2.30.2 + diff --git a/queue-4.19/net-ethtool-clear-heap-allocations-for-ethtool-funct.patch b/queue-4.19/net-ethtool-clear-heap-allocations-for-ethtool-funct.patch new file mode 100644 index 00000000000..e56511ef39e --- /dev/null +++ b/queue-4.19/net-ethtool-clear-heap-allocations-for-ethtool-funct.patch @@ -0,0 +1,72 @@ +From 4ab5d36568161d8f63a845ee3b3fc06e5fb81428 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 03:34:25 +0100 +Subject: net: ethtool: clear heap allocations for ethtool function + +From: Austin Kim + +[ Upstream commit 80ec82e3d2c1fab42eeb730aaa7985494a963d3f ] + +Several ethtool functions leave heap uncleared (potentially) by +drivers. This will leave the unused portion of heap unchanged and +might copy the full contents back to userspace. + +Signed-off-by: Austin Kim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/ethtool.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/core/ethtool.c b/net/core/ethtool.c +index 83028017c26d..4db9512feba8 100644 +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -1594,7 +1594,7 @@ static int ethtool_get_any_eeprom(struct net_device *dev, void __user *useraddr, + if (eeprom.offset + eeprom.len > total_len) + return -EINVAL; + +- data = kmalloc(PAGE_SIZE, GFP_USER); ++ data = kzalloc(PAGE_SIZE, GFP_USER); + if (!data) + return -ENOMEM; + +@@ -1659,7 +1659,7 @@ static int ethtool_set_eeprom(struct net_device *dev, void __user *useraddr) + if (eeprom.offset + eeprom.len > ops->get_eeprom_len(dev)) + return -EINVAL; + +- data = kmalloc(PAGE_SIZE, GFP_USER); ++ data = kzalloc(PAGE_SIZE, GFP_USER); + if (!data) + return -ENOMEM; + +@@ -1840,7 +1840,7 @@ static int ethtool_self_test(struct net_device *dev, char __user *useraddr) + return -EFAULT; + + test.len = test_len; +- data = kmalloc_array(test_len, sizeof(u64), GFP_USER); ++ data = kcalloc(test_len, sizeof(u64), GFP_USER); + if (!data) + return -ENOMEM; + +@@ -2372,7 +2372,7 @@ static int ethtool_get_tunable(struct net_device *dev, void __user *useraddr) + ret = ethtool_tunable_valid(&tuna); + if (ret) + return ret; +- data = kmalloc(tuna.len, GFP_USER); ++ data = kzalloc(tuna.len, GFP_USER); + if (!data) + return -ENOMEM; + ret = ops->get_tunable(dev, &tuna, data); +@@ -2552,7 +2552,7 @@ static int get_phy_tunable(struct net_device *dev, void __user *useraddr) + ret = ethtool_phy_tunable_valid(&tuna); + if (ret) + return ret; +- data = kmalloc(tuna.len, GFP_USER); ++ data = kzalloc(tuna.len, GFP_USER); + if (!data) + return -ENOMEM; + mutex_lock(&phydev->lock); +-- +2.30.2 + diff --git a/queue-4.19/net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch b/queue-4.19/net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch new file mode 100644 index 00000000000..1269b0395e7 --- /dev/null +++ b/queue-4.19/net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch @@ -0,0 +1,40 @@ +From bd9183a5d2b9a69f6b90cf581e54d177cc34be21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 12:52:38 +0200 +Subject: net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY + +From: Esben Haabendal + +[ Upstream commit f6396341194234e9b01cd7538bc2c6ac4501ab14 ] + +As documented in Documentation/networking/driver.rst, the ndo_start_xmit +method must not return NETDEV_TX_BUSY under any normal circumstances, and +as recommended, we simply stop the tx queue in advance, when there is a +risk that the next xmit would cause a NETDEV_TX_BUSY return. + +Signed-off-by: Esben Haabendal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/ll_temac_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c +index 2241f9897092..939de185bc6b 100644 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c +@@ -736,6 +736,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) + /* Kick off the transfer */ + lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */ + ++ if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) { ++ netdev_info(ndev, "%s -> netif_stop_queue\n", __func__); ++ netif_stop_queue(ndev); ++ } ++ + return NETDEV_TX_OK; + } + +-- +2.30.2 + diff --git a/queue-4.19/net-packet-annotate-accesses-to-po-bind.patch b/queue-4.19/net-packet-annotate-accesses-to-po-bind.patch new file mode 100644 index 00000000000..325ce3bd9c9 --- /dev/null +++ b/queue-4.19/net-packet-annotate-accesses-to-po-bind.patch @@ -0,0 +1,135 @@ +From ccbe649cc838184d471d1ab6ba8f4b972d678909 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 06:42:01 -0700 +Subject: net/packet: annotate accesses to po->bind + +From: Eric Dumazet + +[ Upstream commit c7d2ef5dd4b03ed0ee1d13bc0c55f9cf62d49bd6 ] + +tpacket_snd(), packet_snd(), packet_getname() and packet_seq_show() +can read po->num without holding a lock. This means other threads +can change po->num at the same time. + +KCSAN complained about this known fact [1] +Add READ_ONCE()/WRITE_ONCE() to address the issue. + +[1] BUG: KCSAN: data-race in packet_do_bind / packet_sendmsg + +write to 0xffff888131a0dcc0 of 2 bytes by task 24714 on cpu 0: + packet_do_bind+0x3ab/0x7e0 net/packet/af_packet.c:3181 + packet_bind+0xc3/0xd0 net/packet/af_packet.c:3255 + __sys_bind+0x200/0x290 net/socket.c:1637 + __do_sys_bind net/socket.c:1648 [inline] + __se_sys_bind net/socket.c:1646 [inline] + __x64_sys_bind+0x3d/0x50 net/socket.c:1646 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff888131a0dcc0 of 2 bytes by task 24719 on cpu 1: + packet_snd net/packet/af_packet.c:2899 [inline] + packet_sendmsg+0x317/0x3570 net/packet/af_packet.c:3040 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350 + ___sys_sendmsg net/socket.c:2404 [inline] + __sys_sendmsg+0x1ed/0x270 net/socket.c:2433 + __do_sys_sendmsg net/socket.c:2442 [inline] + __se_sys_sendmsg net/socket.c:2440 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2440 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x0000 -> 0x1200 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 24719 Comm: syz-executor.5 Not tainted 5.13.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 16b745d254fe..42299fa02038 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2656,7 +2656,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + } + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); +- proto = po->num; ++ proto = READ_ONCE(po->num); + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -2869,7 +2869,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); +- proto = po->num; ++ proto = READ_ONCE(po->num); + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -3141,7 +3141,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + /* prevents packet_notifier() from calling + * register_prot_hook() + */ +- po->num = 0; ++ WRITE_ONCE(po->num, 0); + __unregister_prot_hook(sk, true); + rcu_read_lock(); + dev_curr = po->prot_hook.dev; +@@ -3151,7 +3151,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + } + + BUG_ON(po->running); +- po->num = proto; ++ WRITE_ONCE(po->num, proto); + po->prot_hook.type = proto; + + if (unlikely(unlisted)) { +@@ -3497,7 +3497,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr, + + sll->sll_family = AF_PACKET; + sll->sll_ifindex = po->ifindex; +- sll->sll_protocol = po->num; ++ sll->sll_protocol = READ_ONCE(po->num); + sll->sll_pkttype = 0; + rcu_read_lock(); + dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex); +@@ -4391,7 +4391,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + was_running = po->running; + num = po->num; + if (was_running) { +- po->num = 0; ++ WRITE_ONCE(po->num, 0); + __unregister_prot_hook(sk, false); + } + spin_unlock(&po->bind_lock); +@@ -4426,7 +4426,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + + spin_lock(&po->bind_lock); + if (was_running) { +- po->num = num; ++ WRITE_ONCE(po->num, num); + register_prot_hook(sk); + } + spin_unlock(&po->bind_lock); +@@ -4597,7 +4597,7 @@ static int packet_seq_show(struct seq_file *seq, void *v) + s, + refcount_read(&s->sk_refcnt), + s->sk_type, +- ntohs(po->num), ++ ntohs(READ_ONCE(po->num)), + po->ifindex, + po->running, + atomic_read(&s->sk_rmem_alloc), +-- +2.30.2 + diff --git a/queue-4.19/net-packet-annotate-accesses-to-po-ifindex.patch b/queue-4.19/net-packet-annotate-accesses-to-po-ifindex.patch new file mode 100644 index 00000000000..ca11bc9047a --- /dev/null +++ b/queue-4.19/net-packet-annotate-accesses-to-po-ifindex.patch @@ -0,0 +1,119 @@ +From b6825090a03ec4a9bce2f1cf5fc61a110c7c313d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 06:42:02 -0700 +Subject: net/packet: annotate accesses to po->ifindex + +From: Eric Dumazet + +[ Upstream commit e032f7c9c7cefffcfb79b9fc16c53011d2d9d11f ] + +Like prior patch, we need to annotate lockless accesses to po->ifindex +For instance, packet_getname() is reading po->ifindex (twice) while +another thread is able to change po->ifindex. + +KCSAN reported: + +BUG: KCSAN: data-race in packet_do_bind / packet_getname + +write to 0xffff888143ce3cbc of 4 bytes by task 25573 on cpu 1: + packet_do_bind+0x420/0x7e0 net/packet/af_packet.c:3191 + packet_bind+0xc3/0xd0 net/packet/af_packet.c:3255 + __sys_bind+0x200/0x290 net/socket.c:1637 + __do_sys_bind net/socket.c:1648 [inline] + __se_sys_bind net/socket.c:1646 [inline] + __x64_sys_bind+0x3d/0x50 net/socket.c:1646 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff888143ce3cbc of 4 bytes by task 25578 on cpu 0: + packet_getname+0x5b/0x1a0 net/packet/af_packet.c:3525 + __sys_getsockname+0x10e/0x1a0 net/socket.c:1887 + __do_sys_getsockname net/socket.c:1902 [inline] + __se_sys_getsockname net/socket.c:1899 [inline] + __x64_sys_getsockname+0x3e/0x50 net/socket.c:1899 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x00000000 -> 0x00000001 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 25578 Comm: syz-executor.5 Not tainted 5.13.0-rc6-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 42299fa02038..8d9005019ef7 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3157,11 +3157,11 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + if (unlikely(unlisted)) { + dev_put(dev); + po->prot_hook.dev = NULL; +- po->ifindex = -1; ++ WRITE_ONCE(po->ifindex, -1); + packet_cached_dev_reset(po); + } else { + po->prot_hook.dev = dev; +- po->ifindex = dev ? dev->ifindex : 0; ++ WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0); + packet_cached_dev_assign(po, dev); + } + } +@@ -3476,7 +3476,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, + uaddr->sa_family = AF_PACKET; + memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); + rcu_read_lock(); +- dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); ++ dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex)); + if (dev) + strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); + rcu_read_unlock(); +@@ -3491,16 +3491,18 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr, + struct sock *sk = sock->sk; + struct packet_sock *po = pkt_sk(sk); + DECLARE_SOCKADDR(struct sockaddr_ll *, sll, uaddr); ++ int ifindex; + + if (peer) + return -EOPNOTSUPP; + ++ ifindex = READ_ONCE(po->ifindex); + sll->sll_family = AF_PACKET; +- sll->sll_ifindex = po->ifindex; ++ sll->sll_ifindex = ifindex; + sll->sll_protocol = READ_ONCE(po->num); + sll->sll_pkttype = 0; + rcu_read_lock(); +- dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex); ++ dev = dev_get_by_index_rcu(sock_net(sk), ifindex); + if (dev) { + sll->sll_hatype = dev->type; + sll->sll_halen = dev->addr_len; +@@ -4079,7 +4081,7 @@ static int packet_notifier(struct notifier_block *this, + } + if (msg == NETDEV_UNREGISTER) { + packet_cached_dev_reset(po); +- po->ifindex = -1; ++ WRITE_ONCE(po->ifindex, -1); + if (po->prot_hook.dev) + dev_put(po->prot_hook.dev); + po->prot_hook.dev = NULL; +@@ -4598,7 +4600,7 @@ static int packet_seq_show(struct seq_file *seq, void *v) + refcount_read(&s->sk_refcnt), + s->sk_type, + ntohs(READ_ONCE(po->num)), +- po->ifindex, ++ READ_ONCE(po->ifindex), + po->running, + atomic_read(&s->sk_rmem_alloc), + from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)), +-- +2.30.2 + diff --git a/queue-4.19/net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch b/queue-4.19/net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch new file mode 100644 index 00000000000..cbc975e0903 --- /dev/null +++ b/queue-4.19/net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch @@ -0,0 +1,50 @@ +From c68a62e0c58aa175ff952e49c3b5952060b3ad6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 10:09:53 -0700 +Subject: net: qed: Fix memcpy() overflow of qed_dcbx_params() + +From: Kees Cook + +[ Upstream commit 1c200f832e14420fa770193f9871f4ce2df00d07 ] + +The source (&dcbx_info->operational.params) and dest +(&p_hwfn->p_dcbx_info->set.config.params) are both struct qed_dcbx_params +(560 bytes), not struct qed_dcbx_admin_params (564 bytes), which is used +as the memcpy() size. + +However it seems that struct qed_dcbx_operational_params +(dcbx_info->operational)'s layout matches struct qed_dcbx_admin_params +(p_hwfn->p_dcbx_info->set.config)'s 4 byte difference (3 padding, 1 byte +for "valid"). + +On the assumption that the size is wrong (rather than the source structure +type), adjust the memcpy() size argument to be 4 bytes smaller and add +a BUILD_BUG_ON() to validate any changes to the structure sizes. + +Signed-off-by: Kees Cook +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c +index 5900a506bf8d..ff8a7750d3c0 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c +@@ -1294,9 +1294,11 @@ int qed_dcbx_get_config_params(struct qed_hwfn *p_hwfn, + p_hwfn->p_dcbx_info->set.ver_num |= DCBX_CONFIG_VERSION_STATIC; + + p_hwfn->p_dcbx_info->set.enabled = dcbx_info->operational.enabled; ++ BUILD_BUG_ON(sizeof(dcbx_info->operational.params) != ++ sizeof(p_hwfn->p_dcbx_info->set.config.params)); + memcpy(&p_hwfn->p_dcbx_info->set.config.params, + &dcbx_info->operational.params, +- sizeof(struct qed_dcbx_admin_params)); ++ sizeof(p_hwfn->p_dcbx_info->set.config.params)); + p_hwfn->p_dcbx_info->set.config.valid = true; + + memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set)); +-- +2.30.2 + diff --git a/queue-4.19/pci-add-amd-rs690-quirk-to-enable-64-bit-dma.patch b/queue-4.19/pci-add-amd-rs690-quirk-to-enable-64-bit-dma.patch new file mode 100644 index 00000000000..ca3618e290e --- /dev/null +++ b/queue-4.19/pci-add-amd-rs690-quirk-to-enable-64-bit-dma.patch @@ -0,0 +1,96 @@ +From 311cfb9798f23adb637cf2ccaa6b1165cb0ec90b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 17:48:23 -0400 +Subject: PCI: Add AMD RS690 quirk to enable 64-bit DMA + +From: Mikel Rychliski + +[ Upstream commit cacf994a91d3a55c0c2f853d6429cd7b86113915 ] + +Although the AMD RS690 chipset has 64-bit DMA support, BIOS implementations +sometimes fail to configure the memory limit registers correctly. + +The Acer F690GVM mainboard uses this chipset and a Marvell 88E8056 NIC. The +sky2 driver programs the NIC to use 64-bit DMA, which will not work: + + sky2 0000:02:00.0: error interrupt status=0x8 + sky2 0000:02:00.0 eth0: tx timeout + sky2 0000:02:00.0 eth0: transmit ring 0 .. 22 report=0 done=0 + +Other drivers required by this mainboard either don't support 64-bit DMA, +or have it disabled using driver specific quirks. For example, the ahci +driver has quirks to enable or disable 64-bit DMA depending on the BIOS +version (see ahci_sb600_enable_64bit() in ahci.c). This ahci quirk matches +against the SB600 SATA controller, but the real issue is almost certainly +with the RS690 PCI host that it was commonly attached to. + +To avoid this issue in all drivers with 64-bit DMA support, fix the +configuration of the PCI host. If the kernel is aware of physical memory +above 4GB, but the BIOS never configured the PCI host with this +information, update the registers with our values. + +[bhelgaas: drop PCI_DEVICE_ID_ATI_RS690 definition] +Link: https://lore.kernel.org/r/20210611214823.4898-1-mikel@mikelr.com +Signed-off-by: Mikel Rychliski +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + arch/x86/pci/fixup.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c +index 0c67a5a94de3..76959a7d88c8 100644 +--- a/arch/x86/pci/fixup.c ++++ b/arch/x86/pci/fixup.c +@@ -779,4 +779,48 @@ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1571, pci_amd_enable_64bit_bar); + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x15b1, pci_amd_enable_64bit_bar); + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1601, pci_amd_enable_64bit_bar); + ++#define RS690_LOWER_TOP_OF_DRAM2 0x30 ++#define RS690_LOWER_TOP_OF_DRAM2_VALID 0x1 ++#define RS690_UPPER_TOP_OF_DRAM2 0x31 ++#define RS690_HTIU_NB_INDEX 0xA8 ++#define RS690_HTIU_NB_INDEX_WR_ENABLE 0x100 ++#define RS690_HTIU_NB_DATA 0xAC ++ ++/* ++ * Some BIOS implementations support RAM above 4GB, but do not configure the ++ * PCI host to respond to bus master accesses for these addresses. These ++ * implementations set the TOP_OF_DRAM_SLOT1 register correctly, so PCI DMA ++ * works as expected for addresses below 4GB. ++ * ++ * Reference: "AMD RS690 ASIC Family Register Reference Guide" (pg. 2-57) ++ * https://www.amd.com/system/files/TechDocs/43372_rs690_rrg_3.00o.pdf ++ */ ++static void rs690_fix_64bit_dma(struct pci_dev *pdev) ++{ ++ u32 val = 0; ++ phys_addr_t top_of_dram = __pa(high_memory - 1) + 1; ++ ++ if (top_of_dram <= (1ULL << 32)) ++ return; ++ ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX, ++ RS690_LOWER_TOP_OF_DRAM2); ++ pci_read_config_dword(pdev, RS690_HTIU_NB_DATA, &val); ++ ++ if (val) ++ return; ++ ++ pci_info(pdev, "Adjusting top of DRAM to %pa for 64-bit DMA support\n", &top_of_dram); ++ ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX, ++ RS690_UPPER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE); ++ pci_write_config_dword(pdev, RS690_HTIU_NB_DATA, top_of_dram >> 32); ++ ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX, ++ RS690_LOWER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE); ++ pci_write_config_dword(pdev, RS690_HTIU_NB_DATA, ++ top_of_dram | RS690_LOWER_TOP_OF_DRAM2_VALID); ++} ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7910, rs690_fix_64bit_dma); ++ + #endif +-- +2.30.2 + diff --git a/queue-4.19/ping-check-return-value-of-function-ping_queue_rcv_s.patch b/queue-4.19/ping-check-return-value-of-function-ping_queue_rcv_s.patch new file mode 100644 index 00000000000..da1068b7a29 --- /dev/null +++ b/queue-4.19/ping-check-return-value-of-function-ping_queue_rcv_s.patch @@ -0,0 +1,56 @@ +From 628adc6f5af266e6beebcac6df3ad9d6789b538c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 09:41:36 +0800 +Subject: ping: Check return value of function 'ping_queue_rcv_skb' + +From: Zheng Yongjun + +[ Upstream commit 9d44fa3e50cc91691896934d106c86e4027e61ca ] + +Function 'ping_queue_rcv_skb' not always return success, which will +also return fail. If not check the wrong return value of it, lead to function +`ping_rcv` return success. + +Signed-off-by: Zheng Yongjun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ping.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index c59144502ee8..862744c28548 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -968,6 +968,7 @@ bool ping_rcv(struct sk_buff *skb) + struct sock *sk; + struct net *net = dev_net(skb->dev); + struct icmphdr *icmph = icmp_hdr(skb); ++ bool rc = false; + + /* We assume the packet has already been checked by icmp_rcv */ + +@@ -982,14 +983,15 @@ bool ping_rcv(struct sk_buff *skb) + struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC); + + pr_debug("rcv on socket %p\n", sk); +- if (skb2) +- ping_queue_rcv_skb(sk, skb2); ++ if (skb2 && !ping_queue_rcv_skb(sk, skb2)) ++ rc = true; + sock_put(sk); +- return true; + } +- pr_debug("no socket, dropping\n"); + +- return false; ++ if (!rc) ++ pr_debug("no socket, dropping\n"); ++ ++ return rc; + } + EXPORT_SYMBOL_GPL(ping_rcv); + +-- +2.30.2 + diff --git a/queue-4.19/r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch b/queue-4.19/r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch new file mode 100644 index 00000000000..82b207ab137 --- /dev/null +++ b/queue-4.19/r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch @@ -0,0 +1,40 @@ +From cdb94e845edfd57e5a590c2bd5b1a80172ed12f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 12:53:03 -0700 +Subject: r8152: Avoid memcpy() over-reading of ETH_SS_STATS + +From: Kees Cook + +[ Upstream commit 99718abdc00e86e4f286dd836408e2834886c16e ] + +In preparation for FORTIFY_SOURCE performing compile-time and run-time +field bounds checking for memcpy(), memmove(), and memset(), avoid +intentionally reading across neighboring array fields. + +The memcpy() is copying the entire structure, not just the first array. +Adjust the source argument so the compiler can do appropriate bounds +checking. + +Signed-off-by: Kees Cook +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index a27ea04cfa6c..726fb5561a0f 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -4649,7 +4649,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data) + { + switch (stringset) { + case ETH_SS_STATS: +- memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings)); ++ memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings)); + break; + } + } +-- +2.30.2 + diff --git a/queue-4.19/r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch b/queue-4.19/r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch new file mode 100644 index 00000000000..69dd105c192 --- /dev/null +++ b/queue-4.19/r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch @@ -0,0 +1,40 @@ +From f526102db940a94b68ca4311f1004bb5e6f55db5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 12:53:59 -0700 +Subject: r8169: Avoid memcpy() over-reading of ETH_SS_STATS + +From: Kees Cook + +[ Upstream commit da5ac772cfe2a03058b0accfac03fad60c46c24d ] + +In preparation for FORTIFY_SOURCE performing compile-time and run-time +field bounds checking for memcpy(), memmove(), and memset(), avoid +intentionally reading across neighboring array fields. + +The memcpy() is copying the entire structure, not just the first array. +Adjust the source argument so the compiler can do appropriate bounds +checking. + +Signed-off-by: Kees Cook +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c +index 0c9e6cb0e341..523626f2ffbe 100644 +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -1823,7 +1823,7 @@ static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data) + { + switch(stringset) { + case ETH_SS_STATS: +- memcpy(data, *rtl8169_gstrings, sizeof(rtl8169_gstrings)); ++ memcpy(data, rtl8169_gstrings, sizeof(rtl8169_gstrings)); + break; + } + } +-- +2.30.2 + diff --git a/queue-4.19/series b/queue-4.19/series index 9ceceac3c12..a85d46a9790 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -87,3 +87,19 @@ arm-9081-1-fix-gcc-10-thumb2-kernel-regression.patch makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch mips-generic-update-node-names-to-avoid-unit-addresses.patch revert-pci-pm-do-not-read-power-state-in-pci_enable_.patch +mac80211-remove-warning-in-ieee80211_get_sband.patch +cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch +mac80211-drop-multicast-fragments.patch +net-ethtool-clear-heap-allocations-for-ethtool-funct.patch +ping-check-return-value-of-function-ping_queue_rcv_s.patch +inet-annotate-date-races-around-sk-sk_txhash.patch +net-caif-fix-memory-leak-in-ldisc_open.patch +net-packet-annotate-accesses-to-po-bind.patch +net-packet-annotate-accesses-to-po-ifindex.patch +r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch +sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch +r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch +kvm-selftests-fix-kvm_check_cap-assertion.patch +net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch +pci-add-amd-rs690-quirk-to-enable-64-bit-dma.patch +net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch diff --git a/queue-4.19/sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch b/queue-4.19/sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch new file mode 100644 index 00000000000..364d3b7da66 --- /dev/null +++ b/queue-4.19/sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch @@ -0,0 +1,40 @@ +From 48f4b27f36e58d3711066bc4a795158b9e00071a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 12:53:33 -0700 +Subject: sh_eth: Avoid memcpy() over-reading of ETH_SS_STATS + +From: Kees Cook + +[ Upstream commit 224004fbb033600715dbd626bceec10bfd9c58bc ] + +In preparation for FORTIFY_SOURCE performing compile-time and run-time +field bounds checking for memcpy(), memmove(), and memset(), avoid +intentionally reading across neighboring array fields. + +The memcpy() is copying the entire structure, not just the first array. +Adjust the source argument so the compiler can do appropriate bounds +checking. + +Signed-off-by: Kees Cook +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/sh_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index 24638cb157ca..394ab9cdfe2c 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -2302,7 +2302,7 @@ static void sh_eth_get_strings(struct net_device *ndev, u32 stringset, u8 *data) + { + switch (stringset) { + case ETH_SS_STATS: +- memcpy(data, *sh_eth_gstrings_stats, ++ memcpy(data, sh_eth_gstrings_stats, + sizeof(sh_eth_gstrings_stats)); + break; + } +-- +2.30.2 +