From: Greg Kroah-Hartman
Date: Sun, 10 Nov 2024 05:21:40 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v5.15.172~35
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=adc93bbdf50042977f1b6fa10e63e15f69315e7f;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib_alloc_init_hwq.patch
kselftest-arm64-initialise-current-at-build-time-in-signal-tests.patch
media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
net-do-not-delay-dst_entries_add-in-dst_release.patch
revert-wifi-mac80211-fix-rcu-list-iterations.patch
---
diff --git a/queue-6.1/bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib_alloc_init_hwq.patch b/queue-6.1/bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib_alloc_init_hwq.patch
new file mode 100644
index 00000000000..4adeb23a7d1
--- /dev/null
+++ b/queue-6.1/bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib_alloc_init_hwq.patch
@@ -0,0 +1,118 @@
+From 78cfd17142ef70599d6409cbd709d94b3da58659 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt
+Date: Tue, 7 May 2024 12:39:28 +0200
+Subject: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
+
+From: Michal Schmidt
+
+commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
+
+Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
+with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
+In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
+roundup_pow_of_two is documented as undefined for 0.
+
+Fix it in the one caller that had this combination.
+
+The undefined behavior was detected by UBSAN:
+ UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
+ shift exponent 64 is too large for 64-bit type 'long unsigned int'
+ CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
+ Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
+ Call Trace:
+
+ dump_stack_lvl+0x5d/0x80
+ ubsan_epilogue+0x5/0x30
+ __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
+ __roundup_pow_of_two+0x25/0x35 [bnxt_re]
+ bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
+ bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
+ bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? __kmalloc+0x1b6/0x4f0
+ ? create_qp.part.0+0x128/0x1c0 [ib_core]
+ ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
+ create_qp.part.0+0x128/0x1c0 [ib_core]
+ ib_create_qp_kernel+0x50/0xd0 [ib_core]
+ create_mad_qp+0x8e/0xe0 [ib_core]
+ ? __pfx_qp_event_handler+0x10/0x10 [ib_core]
+ ib_mad_init_device+0x2be/0x680 [ib_core]
+ add_client_context+0x10d/0x1a0 [ib_core]
+ enable_device_and_get+0xe0/0x1d0 [ib_core]
+ ib_register_device+0x53c/0x630 [ib_core]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
+ ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
+ auxiliary_bus_probe+0x49/0x80
+ ? driver_sysfs_add+0x57/0xc0
+ really_probe+0xde/0x340
+ ? pm_runtime_barrier+0x54/0x90
+ ? __pfx___driver_attach+0x10/0x10
+ __driver_probe_device+0x78/0x110
+ driver_probe_device+0x1f/0xa0
+ __driver_attach+0xba/0x1c0
+ bus_for_each_dev+0x8f/0xe0
+ bus_add_driver+0x146/0x220
+ driver_register+0x72/0xd0
+ __auxiliary_driver_register+0x6e/0xd0
+ ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
+ bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
+ ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
+ do_one_initcall+0x5b/0x310
+ do_init_module+0x90/0x250
+ init_module_from_file+0x86/0xc0
+ idempotent_init_module+0x121/0x2b0
+ __x64_sys_finit_module+0x5e/0xb0
+ do_syscall_64+0x82/0x160
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? syscall_exit_to_user_mode_prepare+0x149/0x170
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? syscall_exit_to_user_mode+0x75/0x230
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? do_syscall_64+0x8e/0x160
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? __count_memcg_events+0x69/0x100
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? count_memcg_events.constprop.0+0x1a/0x30
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? handle_mm_fault+0x1f0/0x300
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? do_user_addr_fault+0x34e/0x640
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f4e5132821d
+ Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
+ RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+ RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
+ RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
+ RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
+ R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
+ R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
+
+ ---[ end trace ]---
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Signed-off-by: Michal Schmidt
+Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
+Acked-by: Selvin Xavier
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Xiangyu Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -1014,7 +1014,8 @@ int bnxt_qplib_create_qp(struct bnxt_qpl
+ hwq_attr.stride = sizeof(struct sq_sge);
+ hwq_attr.depth = bnxt_qplib_get_depth(sq);
+ hwq_attr.aux_stride = psn_sz;
+- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
++ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
++ : 0;
+ hwq_attr.type = HWQ_TYPE_QUEUE;
+ rc = bnxt_qplib_alloc_init_hwq(&sq->hwq, &hwq_attr);
+ if (rc)
diff --git a/queue-6.1/kselftest-arm64-initialise-current-at-build-time-in-signal-tests.patch b/queue-6.1/kselftest-arm64-initialise-current-at-build-time-in-signal-tests.patch
new file mode 100644
index 00000000000..9655514f940
--- /dev/null
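Review bot: The guard lands only in the caller bnxt_qplib_create_qp, while the undefined shift itself happens inside bnxt_qplib_alloc_init_hwq when it rounds hwq_attr->aux_stride up with roundup_pow_of_two; any other present or future caller that passes aux_depth != 0 together with aux_stride == 0 reaches the same roundup_pow_of_two(0). A defensive check in the callee would close the class rather than this one instance, e.g. `if (hwq_attr->aux_depth && !hwq_attr->aux_stride) return -EINVAL;` placed before the rounding (the callee is not in this hunk, so the exact spot has to be confirmed in qplib_fp.c). The new ternary also deserves a one-line why-comment, since `psn_sz ? ... : 0` alone does not say why a zero depth matters: `/* aux_stride == 0 must pair with aux_depth == 0: the hwq code rounds aux_stride up to a power of two */`. bnxt_qplib_create_qp begins and ends outside the hunk.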
+++ b/queue-6.1/kselftest-arm64-initialise-current-at-build-time-in-signal-tests.patch
@@ -0,0 +1,46 @@
+From 6e4b4f0eca88e47def703f90a403fef5b96730d5 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Thu, 12 Jan 2023 19:51:50 +0000
+Subject: kselftest/arm64: Initialise current at build time in signal tests
+
+From: Mark Brown
+
+commit 6e4b4f0eca88e47def703f90a403fef5b96730d5 upstream.
+
+When building with clang the toolchain refuses to link the signals
+testcases since the assembly code has a reference to current which has
+no initialiser so is placed in the BSS:
+
+ /tmp/signals-af2042.o: in function `fake_sigreturn':
+ :51:(.text+0x40): relocation truncated to fit: R_AARCH64_LD_PREL_LO19 against symbol `current' defined in .bss section in /tmp/test_signals-ec1160.o
+
+Since the first statement in main() initialises current we may as well
+fix this by moving the initialisation to build time so the variable
+doesn't end up in the BSS.
+
+Signed-off-by: Mark Brown
+Reviewed-by: Nick Desaulniers
+Link: https://lore.kernel.org/r/20230111-arm64-kselftest-clang-v1-4-89c69d377727@kernel.org
+Signed-off-by: Catalin Marinas
+Signed-off-by: Mahmoud Adam
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/arm64/signal/test_signals.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/arm64/signal/test_signals.c
++++ b/tools/testing/selftests/arm64/signal/test_signals.c
+@@ -12,12 +12,10 @@
+ #include "test_signals.h"
+ #include "test_signals_utils.h"
+
+-struct tdescr *current;
++struct tdescr *current = &tde;
+
+ int main(int argc, char *argv[])
+ {
+- current = &tde;
+-
+ ksft_print_msg("%s :: %s\n", current->name, current->descr);
+ if (test_setup(current) && test_init(current)) {
+ test_run(current);
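Review bot: The build-time initialiser `struct tdescr *current = &tde;` now carries a constraint that nothing in the source states: per the message, the assembly in fake_sigreturn reaches current through a PC-relative load (the R_AARCH64_LD_PREL_LO19 relocation) that cannot reach a .bss symbol when linking with clang, so moving the assignment back into main() silently reintroduces the link failure. A comment above the definition would pin that down, e.g. `/* Initialised here, not in main(): the signal-return assembly references current with a PC-relative load that cannot reach .bss (clang link failure) */`. The definition also presumably relies on tde being declared with external linkage in one of the two included headers before this line; if it is declared in a per-test source instead, an explicit `extern struct tdescr tde;` here would make the dependency visible. main() continues past the end of the hunk.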
diff --git a/queue-6.1/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch b/queue-6.1/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
new file mode 100644
index 00000000000..8ad08964f47
--- /dev/null
+++ b/queue-6.1/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
@@ -0,0 +1,35 @@
+From ecf2b43018da9579842c774b7f35dbe11b5c38dd Mon Sep 17 00:00:00 2001
+From: Benoit Sevens
+Date: Thu, 7 Nov 2024 14:22:02 +0000
+Subject: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
+
+From: Benoit Sevens
+
+commit ecf2b43018da9579842c774b7f35dbe11b5c38dd upstream.
+
+This can lead to out of bounds writes since frames of this type were not
+taken into account when calculating the size of the frames buffer in
+uvc_parse_streaming.
+
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Signed-off-by: Benoit Sevens
+Cc: stable@vger.kernel.org
+Acked-by: Greg Kroah-Hartman
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/uvc/uvc_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -368,7 +368,7 @@ static int uvc_parse_format(struct uvc_d
+ * Parse the frame descriptors. Only uncompressed, MJPEG and frame
+ * based formats have frame descriptors.
+ */
+- while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
++ while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
+ buffer[2] == ftype) {
+ frame = &format->frame[format->nframes];
+ if (ftype != UVC_VS_FRAME_FRAME_BASED)
diff --git a/queue-6.1/net-do-not-delay-dst_entries_add-in-dst_release.patch b/queue-6.1/net-do-not-delay-dst_entries_add-in-dst_release.patch
new file mode 100644
index 00000000000..1fa47987da3
--- /dev/null
+++ b/queue-6.1/net-do-not-delay-dst_entries_add-in-dst_release.patch
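Review bot: The new guard `ftype &&` only works because UVC_VS_UNDEFINED is the zero value, and the condition does not say so; spelling it `while (ftype != UVC_VS_UNDEFINED && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&` names the invariant the message describes and does not depend on the enum's numbering. The underlying hazard is that this loop writes through `frame = &format->frame[format->nframes]` on the strength of a count computed in uvc_parse_streaming, and the two can drift apart again; a comment on the loop such as `/* Only descriptor types counted by uvc_parse_streaming may be parsed here: the frame array was sized from that count */` keeps the coupling visible, and a bound check on format->nframes against the allocated count would be cheap belt-and-braces if that count is reachable from this function (not visible in the hunk). uvc_parse_format begins and ends outside the hunk.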
@@ -0,0 +1,99 @@
+From ac888d58869bb99753e7652be19a151df9ecb35d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 8 Oct 2024 14:31:10 +0000
+Subject: net: do not delay dst_entries_add() in dst_release()
+
+From: Eric Dumazet
+
+commit ac888d58869bb99753e7652be19a151df9ecb35d upstream.
+
+dst_entries_add() uses per-cpu data that might be freed at netns
+dismantle from ip6_route_net_exit() calling dst_entries_destroy()
+
+Before ip6_route_net_exit() can be called, we release all
+the dsts associated with this netns, via calls to dst_release(),
+which waits an rcu grace period before calling dst_destroy()
+
+dst_entries_add() use in dst_destroy() is racy, because
+dst_entries_destroy() could have been called already.
+
+Decrementing the number of dsts must happen sooner.
+
+Notes:
+
+1) in CONFIG_XFRM case, dst_destroy() can call
+ dst_release_immediate(child), this might also cause UAF
+ if the child does not have DST_NOCOUNT set.
+ IPSEC maintainers might take a look and see how to address this.
+
+2) There is also discussion about removing this count of dst,
+ which might happen in future kernels.
+
+Fixes: f88649721268 ("ipv4: fix dst race in sk_dst_get()")
+Closes: https://lore.kernel.org/lkml/CANn89iLCCGsP7SFn9HKpvnKu96Td4KD08xf7aGtiYgZnkjaL=w@mail.gmail.com/T/
+Reported-by: Naresh Kamboju
+Tested-by: Linux Kernel Functional Testing
+Tested-by: Naresh Kamboju
+Signed-off-by: Eric Dumazet
+Cc: Xin Long
+Cc: Steffen Klassert
+Reviewed-by: Xin Long
+Link: https://patch.msgid.link/20241008143110.1064899-1-edumazet@google.com
+Signed-off-by: Paolo Abeni
+[ resolved conflict due to bc9d3a9f2afc ("net: dst: Switch to rcuref_t
+ reference counting") is not in the tree ]
+Signed-off-by: Abdelkareem Abdelsaamad
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dst.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -108,9 +108,6 @@ struct dst_entry *dst_destroy(struct dst
+ child = xdst->child;
+ }
+ #endif
+- if (!(dst->flags & DST_NOCOUNT))
+- dst_entries_add(dst->ops, -1);
+-
+ if (dst->ops->destroy)
+ dst->ops->destroy(dst);
+ netdev_put(dst->dev, &dst->dev_tracker);
+@@ -160,6 +157,12 @@ void dst_dev_put(struct dst_entry *dst)
+ }
+ EXPORT_SYMBOL(dst_dev_put);
+
++static void dst_count_dec(struct dst_entry *dst)
++{
++ if (!(dst->flags & DST_NOCOUNT))
++ dst_entries_add(dst->ops, -1);
++}
++
+ void dst_release(struct dst_entry *dst)
+ {
+ if (dst) {
+@@ -169,8 +172,10 @@ void dst_release(struct dst_entry *dst)
+ if (WARN_ONCE(newrefcnt < 0, "dst_release underflow"))
+ net_warn_ratelimited("%s: dst:%p refcnt:%d\n",
+ __func__, dst, newrefcnt);
+- if (!newrefcnt)
++ if (!newrefcnt){
++ dst_count_dec(dst);
+ call_rcu(&dst->rcu_head, dst_destroy_rcu);
++ }
+ }
+ }
+ EXPORT_SYMBOL(dst_release);
+@@ -184,8 +189,10 @@ void dst_release_immediate(struct dst_en
+ if (WARN_ONCE(newrefcnt < 0, "dst_release_immediate underflow"))
+ net_warn_ratelimited("%s: dst:%p refcnt:%d\n",
+ __func__, dst, newrefcnt);
+- if (!newrefcnt)
++ if (!newrefcnt){
++ dst_count_dec(dst);
+ dst_destroy(dst);
++ }
+ }
+ }
+ EXPORT_SYMBOL(dst_release_immediate);
diff --git a/queue-6.1/revert-wifi-mac80211-fix-rcu-list-iterations.patch b/queue-6.1/revert-wifi-mac80211-fix-rcu-list-iterations.patch
new file mode 100644
index 00000000000..a1bb6a05bf0
--- /dev/null
+++ b/queue-6.1/revert-wifi-mac80211-fix-rcu-list-iterations.patch
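Review bot: Both new conditions are missing the space before the opening brace that kernel style (and checkpatch) expects: `if (!newrefcnt) {` in dst_release and the same line again in dst_release_immediate in the @@ -184 hunk. The new helper dst_count_dec is the natural place for the one comment this change needs, because the reason the decrement left dst_destroy now lives only in the commit message; something like `/* Decrement before the RCU grace period: dst_destroy() may run after dst_entries_destroy() has freed the per-cpu counters at netns dismantle */` above the helper would carry it. The enclosing functions dst_destroy, dst_release and dst_release_immediate each begin outside their hunk.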
@@ -0,0 +1,71 @@
+From b16c79dcfd1f0c92b817e6f39e5880d34581dd63 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Sun, 10 Nov 2024 06:02:40 +0100
+Subject: Revert "wifi: mac80211: fix RCU list iterations"
+
+From: Greg Kroah-Hartman
+
+This reverts commit b0b2dc1eaa7ec509e07a78c9974097168ae565b7 which is
+commit ac35180032fbc5d80b29af00ba4881815ceefcb6 upstream.
+
+It should not have been backported here due to lack of other rcu
+changes in the stable branches.
+
+Cc: Johannes Berg
+Cc: Miriam Rachel Korenblit
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/chan.c | 4 +---
+ net/mac80211/mlme.c | 2 +-
+ net/mac80211/scan.c | 2 +-
+ net/mac80211/util.c | 4 +---
+ 4 files changed, 4 insertions(+), 8 deletions(-)
+
+--- a/net/mac80211/chan.c
++++ b/net/mac80211/chan.c
+@@ -245,9 +245,7 @@ ieee80211_get_max_required_bw(struct iee
+ enum nl80211_chan_width max_bw = NL80211_CHAN_WIDTH_20_NOHT;
+ struct sta_info *sta;
+
+- lockdep_assert_wiphy(sdata->local->hw.wiphy);
+-
+- list_for_each_entry(sta, &sdata->local->sta_list, list) {
++ list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
+ if (sdata != sta->sdata &&
+ !(sta->sdata->bss && sta->sdata->bss == sdata->bss))
+ continue;
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -660,7 +660,7 @@ static bool ieee80211_add_vht_ie(struct
+ bool disable_mu_mimo = false;
+ struct ieee80211_sub_if_data *other;
+
+- list_for_each_entry(other, &local->interfaces, list) {
++ list_for_each_entry_rcu(other, &local->interfaces, list) {
+ if (other->vif.bss_conf.mu_mimo_owner) {
+ disable_mu_mimo = true;
+ break;
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@ -501,7 +501,7 @@ static void __ieee80211_scan_completed(s
+ * the scan was in progress; if there was none this will
+ * just be a no-op for the particular interface.
+ */
+- list_for_each_entry(sdata, &local->interfaces, list) {
++ list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ if (ieee80211_sdata_running(sdata))
+ ieee80211_queue_work(&sdata->local->hw, &sdata->work);
+ }
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -767,9 +767,7 @@ static void __iterate_interfaces(struct
+ struct ieee80211_sub_if_data *sdata;
+ bool active_only = iter_flags & IEEE80211_IFACE_ITER_ACTIVE;
+
+- list_for_each_entry_rcu(sdata, &local->interfaces, list,
+- lockdep_is_held(&local->iflist_mtx) ||
+- lockdep_is_held(&local->hw.wiphy->mtx)) {
++ list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ switch (sdata->vif.type) {
+ case NL80211_IFTYPE_MONITOR:
+ if (!(sdata->u.mntr.flags & MONITOR_FLAG_ACTIVE))
diff --git a/queue-6.1/series b/queue-6.1/series
index eda3c4b8401..0947ae32db4 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -73,3 +73,8 @@ mptcp-use-sock_kfree_s-instead-of-kfree.patch
 arm64-kconfig-make-sme-depend-on-broken-for-now.patch
 btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch
 riscv-purgatory-align-riscv_kernel_entry.patch
+bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib_alloc_init_hwq.patch
+revert-wifi-mac80211-fix-rcu-list-iterations.patch
+net-do-not-delay-dst_entries_add-in-dst_release.patch
+kselftest-arm64-initialise-current-at-build-time-in-signal-tests.patch
+media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
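Review bot: On the new side the loops in chan.c, mlme.c and scan.c go back to list_for_each_entry_rcu and the lockdep_assert_wiphy() in ieee80211_get_max_required_bw is dropped, so the restored code no longer documents which RCU read-side section or list lock its callers must hold; each of those functions begins and ends outside its hunk, so that cannot be checked here and is presumably what the 6.1 tree already guaranteed before the backport. The message justifies the revert with "lack of other rcu changes in the stable branches" without naming them, which invites the same backport being retried; naming the prerequisite upstream commit(s) in the message, or a short comment at the chan.c loop such as `/* RCU iteration: caller must be in an RCU read-side section or hold the list lock; upstream ac35180032fb reworked this but needs rcu prerequisites absent from 6.1 */`, would record the reason where the next backporter will see it.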