From: Sasha Levin Date: Mon, 12 Dec 2022 05:44:19 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v4.9.336~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b43f7b9361055dc101c43bcef3bc90546a4cefdc;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch b/queue-4.14/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch new file mode 100644 index 00000000000..1ebed612392 --- /dev/null +++ b/queue-4.14/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch @@ -0,0 +1,35 @@ +From d36a780ad7dfcace67f2b584d02c32f369836e76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 17:37:26 +0800 +Subject: Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() + +From: Wang ShaoBo + +[ Upstream commit 747da1308bdd5021409974f9180f0d8ece53d142 ] + +hci_get_route() takes reference, we should use hci_dev_put() to release +it when not need anymore. + +Fixes: 6b8d4a6a0314 ("Bluetooth: 6LoWPAN: Use connected oriented channel instead of fixed one") +Signed-off-by: Wang ShaoBo +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/6lowpan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c +index 9a75f9b00b51..4530ffb2481a 100644 +--- a/net/bluetooth/6lowpan.c ++++ b/net/bluetooth/6lowpan.c +@@ -1014,6 +1014,7 @@ static int get_l2cap_conn(char *buf, bdaddr_t *addr, u8 *addr_type, + hci_dev_lock(hdev); + hcon = hci_conn_hash_lookup_le(hdev, addr, *addr_type); + hci_dev_unlock(hdev); ++ hci_dev_put(hdev); + + if (!hcon) + return -ENOENT; +-- +2.35.1 + diff --git a/queue-4.14/ca8210-fix-crash-by-zero-initializing-data.patch b/queue-4.14/ca8210-fix-crash-by-zero-initializing-data.patch new file mode 100644 index 00000000000..eb5bae231de --- /dev/null +++ b/queue-4.14/ca8210-fix-crash-by-zero-initializing-data.patch 
@@ -0,0 +1,40 @@ +From c8aece2c48285eb806b0476fd67fa95f38df350c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 01:22:01 +0100 +Subject: ca8210: Fix crash by zero initializing data + +From: Hauke Mehrtens + +[ Upstream commit 1e24c54da257ab93cff5826be8a793b014a5dc9c ] + +The struct cas_control embeds multiple generic SPI structures and we +have to make sure these structures are initialized to default values. +This driver does not set all attributes. When using kmalloc before some +attributes were not initialized and contained random data which caused +random crashes at bootup. + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Hauke Mehrtens +Link: https://lore.kernel.org/r/20221121002201.1339636-1-hauke@hauke-m.de +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/ca8210.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index 9a1352f3fa4c..eff7571dbea2 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -926,7 +926,7 @@ static int ca8210_spi_transfer( + + dev_dbg(&spi->dev, "ca8210_spi_transfer called\n"); + +- cas_ctl = kmalloc(sizeof(*cas_ctl), GFP_ATOMIC); ++ cas_ctl = kzalloc(sizeof(*cas_ctl), GFP_ATOMIC); + if (!cas_ctl) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-4.14/e1000e-fix-tx-dispatch-condition.patch b/queue-4.14/e1000e-fix-tx-dispatch-condition.patch new file mode 100644 index 00000000000..140585f5422 --- /dev/null +++ b/queue-4.14/e1000e-fix-tx-dispatch-condition.patch 
@@ -0,0 +1,67 @@ +From 37b00c27b8bca421c12fddee3267272a46b117a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 22:00:00 +0900 +Subject: e1000e: Fix TX dispatch condition + +From: Akihiko Odaki + +[ Upstream commit eed913f6919e253f35d454b2f115f2a4db2b741a ] + +e1000_xmit_frame is expected to stop the queue and dispatch frames to +hardware if there is not sufficient space for the next frame in the +buffer, but sometimes it failed to do so because the estimated maximum +size of frame was wrong. As the consequence, the later invocation of +e1000_xmit_frame failed with NETDEV_TX_BUSY, and the frame in the buffer +remained forever, resulting in a watchdog failure. + +This change fixes the estimated size by making it match with the +condition for NETDEV_TX_BUSY. Apparently, the old estimation failed to +account for the following lines which determines the space requirement +for not causing NETDEV_TX_BUSY: + ``` + /* reserve a descriptor for the offload context */ + if ((mss) || (skb->ip_summed == CHECKSUM_PARTIAL)) + count++; + count++; + + count += DIV_ROUND_UP(len, adapter->tx_fifo_limit); + ``` + +This issue was found when running http-stress02 test included in Linux +Test Project 20220930 on QEMU with the following commandline: +``` +qemu-system-x86_64 -M q35,accel=kvm -m 8G -smp 8 + -drive if=virtio,format=raw,file=root.img,file.locking=on + -device e1000e,netdev=netdev + -netdev tap,script=ifup,downscript=no,id=netdev +``` + +Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)") +Signed-off-by: Akihiko Odaki +Tested-by: Gurucharan G (A Contingent worker at Intel) +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 116914de603e..cb3ff3c2fb03 100644 +--- 
a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5897,9 +5897,9 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb, + e1000_tx_queue(tx_ring, tx_flags, count); + /* Make sure there is space in the ring for the next send. */ + e1000_maybe_stop_tx(tx_ring, +- (MAX_SKB_FRAGS * ++ ((MAX_SKB_FRAGS + 1) * + DIV_ROUND_UP(PAGE_SIZE, +- adapter->tx_fifo_limit) + 2)); ++ adapter->tx_fifo_limit) + 4)); + + if (!skb->xmit_more || + netif_xmit_stopped(netdev_get_tx_queue(netdev, 0))) { +-- +2.35.1 + diff --git a/queue-4.14/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch b/queue-4.14/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch new file mode 100644 index 00000000000..3a8d37d7349 --- /dev/null +++ b/queue-4.14/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch 
@@ -0,0 +1,39 @@ +From 08261cac32660bc61c4f7bfc20cf0ab53a78951d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Dec 2022 14:09:08 +0800 +Subject: ethernet: aeroflex: fix potential skb leak in greth_init_rings() + +From: Zhang Changzhong + +[ Upstream commit 063a932b64db3317ec020c94466fe52923a15f60 ] + +The greth_init_rings() function won't free the newly allocated skb when +dma_mapping_error() returns error, so add dev_kfree_skb() to fix it. + +Compile tested only. + +Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") +Signed-off-by: Zhang Changzhong +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/1670134149-29516-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aeroflex/greth.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c +index a20e95b39cf7..4df8da8f5e7e 100644 +--- a/drivers/net/ethernet/aeroflex/greth.c ++++ b/drivers/net/ethernet/aeroflex/greth.c +@@ -262,6 +262,7 @@ static int greth_init_rings(struct greth_private *greth) + if (dma_mapping_error(greth->dev, dma_addr)) { + if (netif_msg_ifup(greth)) + dev_err(greth->dev, "Could not create initial DMA mapping\n"); ++ dev_kfree_skb(skb); + goto cleanup; + } + greth->rx_skbuff[i] = skb; +-- +2.35.1 + diff --git a/queue-4.14/gpio-amd8111-fix-pci-device-reference-count-leak.patch b/queue-4.14/gpio-amd8111-fix-pci-device-reference-count-leak.patch new file mode 100644 index 00000000000..a074b47c755 --- /dev/null +++ b/queue-4.14/gpio-amd8111-fix-pci-device-reference-count-leak.patch 
@@ -0,0 +1,54 @@ +From 1ab95d029335b9f59d75b51ecc036d1cbfe3bfce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 20:35:08 +0800 +Subject: gpio: amd8111: Fix PCI device reference count leak + +From: Xiongfeng Wang + +[ Upstream commit 45fecdb9f658d9c82960c98240bc0770ade19aca ] + +for_each_pci_dev() is implemented by pci_get_device(). The comment of +pci_get_device() says that it will increase the reference count for the +returned pci_dev and also decrease the reference count for the input +pci_dev @from if it is not NULL. + +If we break for_each_pci_dev() loop with pdev not NULL, we need to call +pci_dev_put() to decrease the reference count. Add the missing +pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL +input parameter, there is no problem for the 'Device not found' branch. +For the normal path, add pci_dev_put() in amd_gpio_exit(). + +Fixes: f942a7de047d ("gpio: add a driver for GPIO pins found on AMD-8111 south bridge chips") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-amd8111.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpio/gpio-amd8111.c b/drivers/gpio/gpio-amd8111.c +index 30ad7d7c1678..f8486bac12d0 100644 +--- a/drivers/gpio/gpio-amd8111.c ++++ b/drivers/gpio/gpio-amd8111.c +@@ -231,7 +231,10 @@ static int __init amd_gpio_init(void) + ioport_unmap(gp.pm); + goto out; + } ++ return 0; ++ + out: ++ pci_dev_put(pdev); + return err; + } + +@@ -239,6 +242,7 @@ static void __exit amd_gpio_exit(void) + { + gpiochip_remove(&gp.chip); + ioport_unmap(gp.pm); ++ pci_dev_put(gp.pdev); + } + + module_init(amd_gpio_init); +-- +2.35.1 + diff --git a/queue-4.14/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch b/queue-4.14/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch new file mode 100644 index 00000000000..e3ff30c3180 --- /dev/null +++ b/queue-4.14/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch 
@@ -0,0 +1,37 @@ +From 31bd16667c7b885fe050f2090b3149063eb38bd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Nov 2022 15:50:46 +0800 +Subject: ieee802154: cc2520: Fix error return code in cc2520_hw_init() + +From: Ziyang Xuan + +[ Upstream commit 4d002d6a2a00ac1c433899bd7625c6400a74cfba ] + +In cc2520_hw_init(), if oscillator start failed, the error code +should be returned. + +Fixes: 0da6bc8cc341 ("ieee802154: cc2520: adds driver for TI CC2520 radio") +Signed-off-by: Ziyang Xuan +Link: https://lore.kernel.org/r/20221120075046.2213633-1-william.xuanziyang@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/cc2520.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/cc2520.c b/drivers/net/ieee802154/cc2520.c +index 436cf2007138..92aefaf8ea19 100644 +--- a/drivers/net/ieee802154/cc2520.c ++++ b/drivers/net/ieee802154/cc2520.c +@@ -979,7 +979,7 @@ static int cc2520_hw_init(struct cc2520_private *priv) + + if (timeout-- <= 0) { + dev_err(&priv->spi->dev, "oscillator start failed!\n"); +- return ret; ++ return -ETIMEDOUT; + } + udelay(1); + } while (!(status & CC2520_STATUS_XOSC32M_STABLE)); +-- +2.35.1 + diff --git a/queue-4.14/igb-allocate-msi-x-vector-when-testing.patch b/queue-4.14/igb-allocate-msi-x-vector-when-testing.patch new file mode 100644 index 00000000000..0802419f3e9 --- /dev/null +++ b/queue-4.14/igb-allocate-msi-x-vector-when-testing.patch 
@@ -0,0 +1,69 @@ +From 091ff98a3cf598e9ae21b75bec5326608d6149ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 22:30:31 +0900 +Subject: igb: Allocate MSI-X vector when testing + +From: Akihiko Odaki + +[ Upstream commit 28e96556baca7056d11d9fb3cdd0aba4483e00d8 ] + +Without this change, the interrupt test fail with MSI-X environment: + +$ sudo ethtool -t enp0s2 offline +[ 43.921783] igb 0000:00:02.0: offline testing starting +[ 44.855824] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Down +[ 44.961249] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX +[ 51.272202] igb 0000:00:02.0: testing shared interrupt +[ 56.996975] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX +The test result is FAIL +The test extra info: +Register test (offline) 0 +Eeprom test (offline) 0 +Interrupt test (offline) 4 +Loopback test (offline) 0 +Link test (on/offline) 0 + +Here, "4" means an expected interrupt was not delivered. + +To fix this, route IRQs correctly to the first MSI-X vector by setting +IVAR_MISC. Also, set bit 0 of EIMS so that the vector will not be +masked. 
The interrupt test now runs properly with this change: + +$ sudo ethtool -t enp0s2 offline +[ 42.762985] igb 0000:00:02.0: offline testing starting +[ 50.141967] igb 0000:00:02.0: testing shared interrupt +[ 56.163957] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX +The test result is PASS +The test extra info: +Register test (offline) 0 +Eeprom test (offline) 0 +Interrupt test (offline) 0 +Loopback test (offline) 0 +Link test (on/offline) 0 + +Fixes: 4eefa8f01314 ("igb: add single vector msi-x testing to interrupt test") +Signed-off-by: Akihiko Odaki +Reviewed-by: Maciej Fijalkowski +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c +index ff2be34bff39..049a67c14780 100644 +--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c ++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c +@@ -1419,6 +1419,8 @@ static int igb_intr_test(struct igb_adapter *adapter, u64 *data) + *data = 1; + return -1; + } ++ wr32(E1000_IVAR_MISC, E1000_IVAR_VALID << 8); ++ wr32(E1000_EIMS, BIT(0)); + } else if (adapter->flags & IGB_FLAG_HAS_MSI) { + shared_int = false; + if (request_irq(irq, +-- +2.35.1 + diff --git a/queue-4.14/ipv6-avoid-use-after-free-in-ip6_fragment.patch b/queue-4.14/ipv6-avoid-use-after-free-in-ip6_fragment.patch new file mode 100644 index 00000000000..f5cb992f0ed --- /dev/null +++ b/queue-4.14/ipv6-avoid-use-after-free-in-ip6_fragment.patch 
@@ -0,0 +1,289 @@ +From 9f4a49355f950c61e5b50614dc366c319a966ea1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 10:13:51 +0000 +Subject: ipv6: avoid use-after-free in ip6_fragment() + +From: Eric Dumazet + +[ Upstream commit 803e84867de59a1e5d126666d25eb4860cfd2ebe ] + +Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers. + +It seems to not be always true, at least for UDP stack. + +syzbot reported: + +BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline] +BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951 +Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618 + +CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:284 [inline] + print_report+0x15e/0x45d mm/kasan/report.c:395 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 + ip6_dst_idev include/net/ip6_fib.h:245 [inline] + ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951 + __ip6_finish_output net/ipv6/ip6_output.c:193 [inline] + ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206 + NF_HOOK_COND include/linux/netfilter.h:291 [inline] + ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227 + dst_output include/net/dst.h:445 [inline] + ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161 + ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966 + udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286 + udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313 + udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606 + inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0xd3/0x120 net/socket.c:734 + sock_write_iter+0x295/0x3d0 net/socket.c:1108 + call_write_iter include/linux/fs.h:2191 
[inline] + new_sync_write fs/read_write.c:491 [inline] + vfs_write+0x9ed/0xdd0 fs/read_write.c:584 + ksys_write+0x1ec/0x250 fs/read_write.c:637 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7fde3588c0d9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9 +RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a +RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000 + + +Allocated by task 7618: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325 + kasan_slab_alloc include/linux/kasan.h:201 [inline] + slab_post_alloc_hook mm/slab.h:737 [inline] + slab_alloc_node mm/slub.c:3398 [inline] + slab_alloc mm/slub.c:3406 [inline] + __kmem_cache_alloc_lru mm/slub.c:3413 [inline] + kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422 + dst_alloc+0x14a/0x1f0 net/core/dst.c:92 + ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344 + ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline] + rt6_make_pcpu_route net/ipv6/route.c:1417 [inline] + ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254 + pol_lookup_func include/net/ip6_fib.h:582 [inline] + fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121 + ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625 + ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638 + ip6_route_output include/net/ip6_route.h:98 [inline] + ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092 + 
ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222 + ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260 + udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554 + inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0xd3/0x120 net/socket.c:734 + __sys_sendto+0x23a/0x340 net/socket.c:2117 + __do_sys_sendto net/socket.c:2129 [inline] + __se_sys_sendto net/socket.c:2125 [inline] + __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 7599: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:511 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200 + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1724 [inline] + slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750 + slab_free mm/slub.c:3661 [inline] + kmem_cache_free+0xee/0x5c0 mm/slub.c:3683 + dst_destroy+0x2ea/0x400 net/core/dst.c:127 + rcu_do_batch kernel/rcu/tree.c:2250 [inline] + rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510 + __do_softirq+0x1fb/0xadc kernel/softirq.c:571 + +Last potentially related work creation: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481 + call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798 + dst_release net/core/dst.c:177 [inline] + dst_release+0x7d/0xe0 net/core/dst.c:167 + refdst_drop include/net/dst.h:256 [inline] + skb_dst_drop include/net/dst.h:268 [inline] + skb_release_head_state+0x250/0x2a0 net/core/skbuff.c:838 + skb_release_all net/core/skbuff.c:852 [inline] + __kfree_skb net/core/skbuff.c:868 [inline] + kfree_skb_reason+0x151/0x4b0 net/core/skbuff.c:891 + kfree_skb_list_reason+0x4b/0x70 net/core/skbuff.c:901 + kfree_skb_list 
include/linux/skbuff.h:1227 [inline] + ip6_fragment+0x2026/0x2770 net/ipv6/ip6_output.c:949 + __ip6_finish_output net/ipv6/ip6_output.c:193 [inline] + ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206 + NF_HOOK_COND include/linux/netfilter.h:291 [inline] + ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227 + dst_output include/net/dst.h:445 [inline] + ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161 + ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966 + udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286 + udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313 + udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606 + inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0xd3/0x120 net/socket.c:734 + sock_write_iter+0x295/0x3d0 net/socket.c:1108 + call_write_iter include/linux/fs.h:2191 [inline] + new_sync_write fs/read_write.c:491 [inline] + vfs_write+0x9ed/0xdd0 fs/read_write.c:584 + ksys_write+0x1ec/0x250 fs/read_write.c:637 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Second to last potentially related work creation: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481 + call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798 + dst_release net/core/dst.c:177 [inline] + dst_release+0x7d/0xe0 net/core/dst.c:167 + refdst_drop include/net/dst.h:256 [inline] + skb_dst_drop include/net/dst.h:268 [inline] + __dev_queue_xmit+0x1b9d/0x3ba0 net/core/dev.c:4211 + dev_queue_xmit include/linux/netdevice.h:3008 [inline] + neigh_resolve_output net/core/neighbour.c:1552 [inline] + neigh_resolve_output+0x51b/0x840 net/core/neighbour.c:1532 + neigh_output include/net/neighbour.h:546 [inline] + ip6_finish_output2+0x56c/0x1530 net/ipv6/ip6_output.c:134 + __ip6_finish_output net/ipv6/ip6_output.c:195 [inline] + ip6_finish_output+0x694/0x1170 net/ipv6/ip6_output.c:206 + 
NF_HOOK_COND include/linux/netfilter.h:291 [inline] + ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227 + dst_output include/net/dst.h:445 [inline] + NF_HOOK include/linux/netfilter.h:302 [inline] + NF_HOOK include/linux/netfilter.h:296 [inline] + mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820 + mld_send_cr net/ipv6/mcast.c:2121 [inline] + mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653 + process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 + worker_thread+0x669/0x1090 kernel/workqueue.c:2436 + kthread+0x2e8/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + +The buggy address belongs to the object at ffff88801d403dc0 + which belongs to the cache ip6_dst_cache of size 240 +The buggy address is located 192 bytes inside of + 240-byte region [ffff88801d403dc0, ffff88801d403eb0) + +The buggy address belongs to the physical page: +page:ffffea00007500c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d403 +memcg:ffff888022f49c81 +flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) +raw: 00fff00000000200 ffffea0001ef6580 dead000000000002 ffff88814addf640 +raw: 0000000000000000 00000000800c000c 00000001ffffffff ffff888022f49c81 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 3719, tgid 3719 (kworker/0:6), ts 136223432244, free_ts 136222971441 + prep_new_page mm/page_alloc.c:2539 [inline] + get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4288 + __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5555 + alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285 + alloc_slab_page mm/slub.c:1794 [inline] + allocate_slab+0x213/0x300 mm/slub.c:1939 + new_slab mm/slub.c:1992 [inline] + ___slab_alloc+0xa91/0x1400 mm/slub.c:3180 + __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279 + slab_alloc_node mm/slub.c:3364 [inline] + slab_alloc mm/slub.c:3406 [inline] + 
__kmem_cache_alloc_lru mm/slub.c:3413 [inline] + kmem_cache_alloc+0x31a/0x3d0 mm/slub.c:3422 + dst_alloc+0x14a/0x1f0 net/core/dst.c:92 + ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344 + icmp6_dst_alloc+0x71/0x680 net/ipv6/route.c:3261 + mld_sendpack+0x5de/0xe70 net/ipv6/mcast.c:1809 + mld_send_cr net/ipv6/mcast.c:2121 [inline] + mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653 + process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 + worker_thread+0x669/0x1090 kernel/workqueue.c:2436 + kthread+0x2e8/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 +page last free stack trace: + reset_page_owner include/linux/page_owner.h:24 [inline] + free_pages_prepare mm/page_alloc.c:1459 [inline] + free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509 + free_unref_page_prepare mm/page_alloc.c:3387 [inline] + free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483 + __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586 + qlink_free mm/kasan/quarantine.c:168 [inline] + qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 + kasan_quarantine_reduce+0x184/0x210 mm/kasan/quarantine.c:294 + __kasan_slab_alloc+0x66/0x90 mm/kasan/common.c:302 + kasan_slab_alloc include/linux/kasan.h:201 [inline] + slab_post_alloc_hook mm/slab.h:737 [inline] + slab_alloc_node mm/slub.c:3398 [inline] + kmem_cache_alloc_node+0x304/0x410 mm/slub.c:3443 + __alloc_skb+0x214/0x300 net/core/skbuff.c:497 + alloc_skb include/linux/skbuff.h:1267 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1191 [inline] + netlink_sendmsg+0x9a6/0xe10 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0xd3/0x120 net/socket.c:734 + __sys_sendto+0x23a/0x340 net/socket.c:2117 + __do_sys_sendto net/socket.c:2129 [inline] + __se_sys_sendto net/socket.c:2125 [inline] + __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: 
1758fd4688eb ("ipv6: remove unnecessary dst_hold() in ip6_fragment()") +Reported-by: syzbot+8c0ac31aa9681abb9e2d@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Cc: Wei Wang +Cc: Martin KaFai Lau +Link: https://lore.kernel.org/r/20221206101351.2037285-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_output.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index fbad7828568f..4f40331ceb5a 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -756,6 +756,9 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + ipv6_hdr(skb)->payload_len = htons(first_len - + sizeof(struct ipv6hdr)); + ++ /* We prevent @rt from being freed. */ ++ rcu_read_lock(); ++ + for (;;) { + /* Prepare header of the next frame, + * before previous one went down. */ +@@ -798,6 +801,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + if (err == 0) { + IP6_INC_STATS(net, ip6_dst_idev(&rt->dst), + IPSTATS_MIB_FRAGOKS); ++ rcu_read_unlock(); + return 0; + } + +@@ -805,6 +809,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + + IP6_INC_STATS(net, ip6_dst_idev(&rt->dst), + IPSTATS_MIB_FRAGFAILS); ++ rcu_read_unlock(); + return err; + + slow_path_clean: +-- +2.35.1 + diff --git a/queue-4.14/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch b/queue-4.14/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch new file mode 100644 index 00000000000..b6e7d238ced --- /dev/null +++ b/queue-4.14/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch 
@@ -0,0 +1,56 @@ +From a29caaff5edb3f7cf39ba883d28a045eeadfd082 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 09:17:05 +0000 +Subject: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() + +From: Wei Yongjun + +[ Upstream commit b3d72d3135d2ef68296c1ee174436efd65386f04 ] + +Kernel fault injection test reports null-ptr-deref as follows: + +BUG: kernel NULL pointer dereference, address: 0000000000000008 +RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114 +Call Trace: + + raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87 + call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944 + unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982 + unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879 + register_netdevice+0x9a8/0xb90 net/core/dev.c:10083 + ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659 + ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229 + mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316 + +ieee802154_if_add() allocates wpan_dev as netdev's private data, but not +init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage +the list when device register/unregister, and may lead to null-ptr-deref. + +Use INIT_LIST_HEAD() on it to initialize it correctly. 
+ +Fixes: fcf39e6e88e9 ("ieee802154: add wpan_dev_list") +Signed-off-by: Wei Yongjun +Acked-by: Alexander Aring + +Link: https://lore.kernel.org/r/20221130091705.1831140-1-weiyongjun@huaweicloud.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/mac802154/iface.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c +index bd88a9b80773..8c2aedf3fa74 100644 +--- a/net/mac802154/iface.c ++++ b/net/mac802154/iface.c +@@ -669,6 +669,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name, + sdata->dev = ndev; + sdata->wpan_dev.wpan_phy = local->hw.phy; + sdata->local = local; ++ INIT_LIST_HEAD(&sdata->wpan_dev.list); + + /* setup type-dependent data */ + ret = ieee802154_setup_sdata(sdata, type); +-- +2.35.1 + diff --git a/queue-4.14/net-encx24j600-add-parentheses-to-fix-precedence.patch b/queue-4.14/net-encx24j600-add-parentheses-to-fix-precedence.patch new file mode 100644 index 00000000000..daf5c4bf3e2 --- /dev/null +++ b/queue-4.14/net-encx24j600-add-parentheses-to-fix-precedence.patch 
@@ -0,0 +1,50 @@ +From 4d1c556b4075cf37619be26a0018509e08393f43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 20:34:07 +0300 +Subject: net: encx24j600: Add parentheses to fix precedence + +From: Valentina Goncharenko + +[ Upstream commit 167b3f2dcc62c271f3555b33df17e361bb1fa0ee ] + +In functions regmap_encx24j600_phy_reg_read() and +regmap_encx24j600_phy_reg_write() in the conditions of the waiting +cycles for filling the variable 'ret' it is necessary to add parentheses +to prevent wrong assignment due to logical operations precedence. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d70e53262f5c ("net: Microchip encx24j600 driver") +Signed-off-by: Valentina Goncharenko +Reviewed-by: Pavan Chebbi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/encx24j600-regmap.c b/drivers/net/ethernet/microchip/encx24j600-regmap.c +index 46181559d1f1..4a3c0870c8e4 100644 +--- a/drivers/net/ethernet/microchip/encx24j600-regmap.c ++++ b/drivers/net/ethernet/microchip/encx24j600-regmap.c +@@ -367,7 +367,7 @@ static int regmap_encx24j600_phy_reg_read(void *context, unsigned int reg, + goto err_out; + + usleep_range(26, 100); +- while ((ret = regmap_read(ctx->regmap, MISTAT, &mistat) != 0) && ++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) && + (mistat & BUSY)) + cpu_relax(); + +@@ -405,7 +405,7 @@ static int regmap_encx24j600_phy_reg_write(void *context, unsigned int reg, + goto err_out; + + usleep_range(26, 100); +- while ((ret = regmap_read(ctx->regmap, MISTAT, &mistat) != 0) && ++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) && + (mistat & BUSY)) + cpu_relax(); + +-- +2.35.1 + 
diff --git a/queue-4.14/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch b/queue-4.14/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch new file mode 100644 index 00000000000..ee511f51c69 --- /dev/null +++ b/queue-4.14/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch 
@@ -0,0 +1,52 @@ +From 9fc1d680865e7c7c048ebc290c5ff22a5521124e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 20:34:08 +0300 +Subject: net: encx24j600: Fix invalid logic in reading of MISTAT register + +From: Valentina Goncharenko + +[ Upstream commit 25f427ac7b8d89b0259f86c0c6407b329df742b2 ] + +A loop for reading MISTAT register continues while regmap_read() fails +and (mistat & BUSY), but if regmap_read() fails a value of mistat is +undefined. + +The patch proposes to check for BUSY flag only when regmap_read() +succeed. Compile test only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d70e53262f5c ("net: Microchip encx24j600 driver") +Signed-off-by: Valentina Goncharenko +Reviewed-by: Pavan Chebbi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/encx24j600-regmap.c b/drivers/net/ethernet/microchip/encx24j600-regmap.c +index 4a3c0870c8e4..4a8d9633e082 100644 +--- a/drivers/net/ethernet/microchip/encx24j600-regmap.c ++++ b/drivers/net/ethernet/microchip/encx24j600-regmap.c +@@ -367,7 +367,7 @@ static int regmap_encx24j600_phy_reg_read(void *context, unsigned int reg, + goto err_out; + + usleep_range(26, 100); +- while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) && ++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) == 0) && + (mistat & BUSY)) + cpu_relax(); + +@@ -405,7 +405,7 @@ static int regmap_encx24j600_phy_reg_write(void *context, unsigned int reg, + goto err_out; + + usleep_range(26, 100); +- while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) && ++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) == 0) && + (mistat & BUSY)) + cpu_relax(); + +-- +2.35.1 + 
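Review bot: flipping to `== 0` in both hunks gives the intended semantics (poll while the read succeeds and BUSY is set, stop with `ret` non-zero on the first failed read), but two things outside the visible context need confirming: that `ret` is checked after the loop before `mistat` or the following register accesses are used, since the loop can now exit on an error with `mistat` stale, and that nothing depended on the previous accidental no-wait behaviour, because this is the first time the BUSY poll actually runs against a healthy device and the log says "Compile test only". The unbounded cpu_relax() spin remains as well; a BUSY bit that never clears now hangs the caller where it was previously skipped over. Nit in the log: "when regmap_read() succeed" should read "succeeds".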
diff --git a/queue-4.14/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch b/queue-4.14/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch new file mode 100644 index 00000000000..462908e53ca --- /dev/null +++ b/queue-4.14/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch @@ -0,0 +1,37 @@ +From 216748447bad2157c94970bb2c7aca93f29e677b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 17:42:39 +0800 +Subject: net: hisilicon: Fix potential use-after-free in hisi_femac_rx() + +From: Liu Jian + +[ Upstream commit 4640177049549de1a43e9bc49265f0cdfce08cfd ] + +The skb is delivered to napi_gro_receive() which may free it, after +calling this, dereferencing skb may trigger use-after-free. + +Fixes: 542ae60af24f ("net: hisilicon: Add Fast Ethernet MAC driver") +Signed-off-by: Liu Jian +Link: https://lore.kernel.org/r/20221203094240.1240211-1-liujian56@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hisi_femac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hisi_femac.c b/drivers/net/ethernet/hisilicon/hisi_femac.c +index 2c2808830e95..f29040520ca0 100644 +--- a/drivers/net/ethernet/hisilicon/hisi_femac.c ++++ b/drivers/net/ethernet/hisilicon/hisi_femac.c +@@ -295,7 +295,7 @@ static int hisi_femac_rx(struct net_device *dev, int limit) + skb->protocol = eth_type_trans(skb, dev); + napi_gro_receive(&priv->napi, skb); + dev->stats.rx_packets++; +- dev->stats.rx_bytes += skb->len; ++ dev->stats.rx_bytes += len; + next: + pos = (pos + 1) % rxq->num; + if (rx_pkts_num >= limit) +-- +2.35.1 + diff --git a/queue-4.14/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch b/queue-4.14/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch new file mode 100644 index 00000000000..b5096a431b7 --- /dev/null +++ b/queue-4.14/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch 
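Review bot: switching the rx_bytes update from `skb->len` to `len` is the right fix for the use-after-free, since napi_gro_receive() may have freed or merged the skb before the stat line runs, but `len` is not in the hunk context, so confirm it is the quantity previously accounted: `skb->len` at the old site was read after eth_type_trans(), which pulls the Ethernet header, so if `len` is the full frame length taken from the descriptor, rx_bytes grows by the header size per packet. Counting the header is arguably more correct, but one sentence in the log would stop someone filing the changed counters as a regression.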
@@ -0,0 +1,37 @@ +From 8ba3075e196f12a96a984346edbc9e1bdee07442 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 17:42:40 +0800 +Subject: net: hisilicon: Fix potential use-after-free in hix5hd2_rx() + +From: Liu Jian + +[ Upstream commit 433c07a13f59856e4585e89e86b7d4cc59348fab ] + +The skb is delivered to napi_gro_receive() which may free it, after +calling this, dereferencing skb may trigger use-after-free. + +Fixes: 57c5bc9ad7d7 ("net: hisilicon: add hix5hd2 mac driver") +Signed-off-by: Liu Jian +Link: https://lore.kernel.org/r/20221203094240.1240211-2-liujian56@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hix5hd2_gmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c +index 6adf6831d120..55e344ee1572 100644 +--- a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c ++++ b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c +@@ -554,7 +554,7 @@ static int hix5hd2_rx(struct net_device *dev, int limit) + skb->protocol = eth_type_trans(skb, dev); + napi_gro_receive(&priv->napi, skb); + dev->stats.rx_packets++; +- dev->stats.rx_bytes += skb->len; ++ dev->stats.rx_bytes += len; + next: + pos = dma_ring_incr(pos, RX_DESC_NUM); + } +-- +2.35.1 + diff --git a/queue-4.14/net-mvneta-fix-an-out-of-bounds-check.patch b/queue-4.14/net-mvneta-fix-an-out-of-bounds-check.patch new file mode 100644 index 00000000000..de509629f4f --- /dev/null +++ b/queue-4.14/net-mvneta-fix-an-out-of-bounds-check.patch 
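Review bot: same pattern as the hisi_femac hunk in this batch: `dev->stats.rx_bytes += len` is reached after napi_gro_receive() has handed the skb to the stack, so `skb->len` was a read of possibly freed memory and a local length is the only safe source. Verify that `len` in hix5hd2_rx() is assigned before eth_type_trans() and is not itself derived from the skb after the hand-off, and keep the two drivers' accounting consistent (frame length with or without the Ethernet header), since they are fixed as a pair (Link -1 and -2 of the same posting).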
@@ -0,0 +1,55 @@ +From 43f481204326b88e6f9dc78b822f8e3615fa8ab4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 10:06:31 +0300 +Subject: net: mvneta: Fix an out of bounds check + +From: Dan Carpenter + +[ Upstream commit cdd97383e19d4afe29adc3376025a15ae3bab3a3 ] + +In an earlier commit, I added a bounds check to prevent an out of bounds +read and a WARN(). On further discussion and consideration that check +was probably too aggressive. Instead of returning -EINVAL, a better fix +would be to just prevent the out of bounds read but continue the process. + +Background: The value of "pp->rxq_def" is a number between 0-7 by default, +or even higher depending on the value of "rxq_number", which is a module +parameter. If the value is more than the number of available CPUs then +it will trigger the WARN() in cpu_max_bits_warn(). + +Fixes: e8b4fc13900b ("net: mvneta: Prevent out of bounds read in mvneta_config_rss()") +Signed-off-by: Dan Carpenter +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/Y5A7d1E5ccwHTYPf@kadam +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 526705c21550..dbed8fbedd8a 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -3362,7 +3362,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp) + /* Use the cpu associated to the rxq when it is online, in all + * the other cases, use the cpu 0 which can't be offline. 
+ */ +- if (cpu_online(pp->rxq_def)) ++ if (pp->rxq_def < nr_cpu_ids && cpu_online(pp->rxq_def)) + elected_cpu = pp->rxq_def; + + max_cpu = num_present_cpus(); +@@ -3871,9 +3871,6 @@ static int mvneta_config_rss(struct mvneta_port *pp) + napi_disable(&pcpu_port->napi); + } + +- if (pp->indir[0] >= nr_cpu_ids) +- return -EINVAL; +- + pp->rxq_def = pp->indir[0]; + + /* Update unicast mapping */ +-- +2.35.1 + diff --git a/queue-4.14/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch b/queue-4.14/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch new file mode 100644 index 00000000000..906fadfff6d --- /dev/null +++ b/queue-4.14/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch @@ -0,0 +1,41 @@ +From 3b44de41ca2943418670d0566b90d796aa29fb9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 12:58:26 +0300 +Subject: net: mvneta: Prevent out of bounds read in mvneta_config_rss() + +From: Dan Carpenter + +[ Upstream commit e8b4fc13900b8e8be48debffd0dfd391772501f7 ] + +The pp->indir[0] value comes from the user. It is passed to: + + if (cpu_online(pp->rxq_def)) + +inside the mvneta_percpu_elect() function. It needs bounds checkeding +to ensure that it is not beyond the end of the cpu bitmap. + +Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 8fde1515aec7..526705c21550 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -3871,6 +3871,9 @@ static int mvneta_config_rss(struct mvneta_port *pp) + napi_disable(&pcpu_port->napi); + } + ++ if (pp->indir[0] >= nr_cpu_ids) ++ return -EINVAL; ++ + pp->rxq_def = pp->indir[0]; + + /* Update unicast mapping */ +-- +2.35.1 + 
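Review bot: these two mvneta patches have to be read together, and the series file applies them in upstream order: e8b4fc13900b adds `if (pp->indir[0] >= nr_cpu_ids) return -EINVAL;` in mvneta_config_rss(), and cdd97383e19d removes it again and instead guards the one consumer in mvneta_percpu_elect() with `pp->rxq_def < nr_cpu_ids &&`. The net effect is the percpu_elect guard only, so an out-of-range indir[0] is now accepted and silently falls back to the default `elected_cpu` (CPU 0 per the comment in context) rather than being rejected; the first log states that indir[0] comes from the user, so any other cpu_*() or per-CPU lookup keyed on rxq_def elsewhere in the driver needs the same `< nr_cpu_ids` check or it inherits the WARN() in cpu_max_bits_warn() the first patch was chasing. Nit in the first log: "bounds checkeding".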
diff --git a/queue-4.14/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch b/queue-4.14/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch new file mode 100644 index 00000000000..d126604ef09 --- /dev/null +++ b/queue-4.14/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch @@ -0,0 +1,46 @@ +From 9fdd3a2e8a52858af3610b101aebc8b8d50dfa81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 09:53:10 +0800 +Subject: net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() + +From: Yang Yingliang + +[ Upstream commit 7d8c19bfc8ff3f78e5337107ca9246327fcb6b45 ] + +It is not allowed to call kfree_skb() or consume_skb() from +hardware interrupt context or with interrupts being disabled. +So replace kfree_skb/dev_kfree_skb() with dev_kfree_skb_irq() +and dev_consume_skb_irq() under spin_lock_irq(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20221207015310.2984909-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/plip/plip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/plip/plip.c b/drivers/net/plip/plip.c +index 3c55ea357f35..f4eaafb84cbe 100644 +--- a/drivers/net/plip/plip.c ++++ b/drivers/net/plip/plip.c +@@ -448,12 +448,12 @@ plip_bh_timeout_error(struct net_device *dev, struct net_local *nl, + } + rcv->state = PLIP_PK_DONE; + if (rcv->skb) { +- kfree_skb(rcv->skb); ++ dev_kfree_skb_irq(rcv->skb); + rcv->skb = NULL; + } + snd->state = PLIP_PK_DONE; + if (snd->skb) { +- dev_kfree_skb(snd->skb); ++ dev_consume_skb_irq(snd->skb); + snd->skb = NULL; + } + spin_unlock_irq(&nl->lock); +-- +2.35.1 + diff --git a/queue-4.14/net-stmmac-fix-snps-axi-config-node-property-parsing.patch b/queue-4.14/net-stmmac-fix-snps-axi-config-node-property-parsing.patch new file mode 100644 index 00000000000..fe4f4dc27c0 --- /dev/null 
+++ b/queue-4.14/net-stmmac-fix-snps-axi-config-node-property-parsing.patch 
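Review bot: the substitution in plip_bh_timeout_error() keeps the drop/consume classification intact (kfree_skb() to dev_kfree_skb_irq() for the receive buffer being thrown away, dev_kfree_skb() to dev_consume_skb_irq() for the transmit buffer), and both new calls only queue the skb on the per-CPU completion list for the NET_TX softirq, so nothing is freed while the lock is held with interrupts off; the `spin_unlock_irq(&nl->lock)` in the trailing context confirms the old frees really ran with IRQs disabled. One question for the log: the transmit skb is discarded because of a timeout, so dev_kfree_skb_irq() (a drop, visible to drop monitors) might be the more honest choice than consume; the patch preserves the original dev_kfree_skb() semantics, which is defensible for a -stable backport, but deserves a line.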
@@ -0,0 +1,45 @@ +From 651e5bf1953011d77bcc7a61fd3a55e95ef4e4e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 00:17:39 +0800 +Subject: net: stmmac: fix "snps,axi-config" node property parsing + +From: Jisheng Zhang + +[ Upstream commit 61d4f140943c47c1386ed89f7260e00418dfad9d ] + +In dt-binding snps,dwmac.yaml, some properties under "snps,axi-config" +node are named without "axi_" prefix, but the driver expects the +prefix. Since the dt-binding has been there for a long time, we'd +better make driver match the binding for compatibility. + +Fixes: afea03656add ("stmmac: rework DMA bus setting and introduce new platform AXI structure") +Signed-off-by: Jisheng Zhang +Link: https://lore.kernel.org/r/20221202161739.2203-1-jszhang@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index 14d11f9fcbe8..07951b43de21 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -115,10 +115,10 @@ static struct stmmac_axi *stmmac_axi_setup(struct platform_device *pdev) + + axi->axi_lpi_en = of_property_read_bool(np, "snps,lpi_en"); + axi->axi_xit_frm = of_property_read_bool(np, "snps,xit_frm"); +- axi->axi_kbbe = of_property_read_bool(np, "snps,axi_kbbe"); +- axi->axi_fb = of_property_read_bool(np, "snps,axi_fb"); +- axi->axi_mb = of_property_read_bool(np, "snps,axi_mb"); +- axi->axi_rb = of_property_read_bool(np, "snps,axi_rb"); ++ axi->axi_kbbe = of_property_read_bool(np, "snps,kbbe"); ++ axi->axi_fb = of_property_read_bool(np, "snps,fb"); ++ axi->axi_mb = of_property_read_bool(np, "snps,mb"); ++ axi->axi_rb = of_property_read_bool(np, "snps,rb"); + + if (of_property_read_u32(np, "snps,wr_osr_lmt", &axi->axi_wr_osr_lmt)) 
+ axi->axi_wr_osr_lmt = 1; +-- +2.35.1 + diff --git a/queue-4.14/nfc-nci-bounds-check-struct-nfc_target-arrays.patch b/queue-4.14/nfc-nci-bounds-check-struct-nfc_target-arrays.patch new file mode 100644 index 00000000000..f98b11d4e60 --- /dev/null +++ b/queue-4.14/nfc-nci-bounds-check-struct-nfc_target-arrays.patch 
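Review bot: renaming the four lookups in stmmac_axi_setup() from "snps,axi_kbbe"/"snps,axi_fb"/"snps,axi_mb"/"snps,axi_rb" to the binding's "snps,kbbe"/"snps,fb"/"snps,mb"/"snps,rb" brings the driver in line with snps,dwmac.yaml, but it is also a silent behaviour change for any device tree written against the driver rather than the binding: such a DT now has those AXI bits read as false with no diagnostic. For a stable backport, consider accepting both spellings (old name as a fallback, perhaps with a dev_warn()) or at least stating the compatibility impact in the log; the neighbouring "snps,lpi_en" and "snps,xit_frm" in context are untouched, so the change is confined to these four properties.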
@@ -0,0 +1,62 @@ +From ab824d789cb7d3cfe8fba838c7401f39317e8cd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 13:44:14 -0800 +Subject: NFC: nci: Bounds check struct nfc_target arrays + +From: Kees Cook + +[ Upstream commit e329e71013c9b5a4535b099208493c7826ee4a64 ] + +While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported: + + memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18) + +This appears to be a legitimate lack of bounds checking in +nci_add_new_protocol(). Add the missing checks. + +Reported-by: syzbot+210e196cef4711b65139@syzkaller.appspotmail.com +Link: https://lore.kernel.org/lkml/0000000000001c590f05ee7b3ff4@google.com +Fixes: 019c4fbaa790 ("NFC: Add NCI multiple targets support") +Signed-off-by: Kees Cook +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20221202214410.never.693-kees@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/nci/ntf.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c +index 1e8c1a12aaec..4f75453c07aa 100644 +--- a/net/nfc/nci/ntf.c ++++ b/net/nfc/nci/ntf.c +@@ -230,6 +230,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev, + target->sens_res = nfca_poll->sens_res; + target->sel_res = nfca_poll->sel_res; + target->nfcid1_len = nfca_poll->nfcid1_len; ++ if (target->nfcid1_len > ARRAY_SIZE(target->nfcid1)) ++ return -EPROTO; + if (target->nfcid1_len > 0) { + memcpy(target->nfcid1, nfca_poll->nfcid1, + target->nfcid1_len); +@@ -238,6 +240,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev, + nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params; + + target->sensb_res_len = nfcb_poll->sensb_res_len; ++ if (target->sensb_res_len > ARRAY_SIZE(target->sensb_res)) ++ return -EPROTO; + if (target->sensb_res_len > 0) { + memcpy(target->sensb_res, nfcb_poll->sensb_res, + target->sensb_res_len); +@@ -246,6 +250,8 @@ static 
int nci_add_new_protocol(struct nci_dev *ndev, + nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params; + + target->sensf_res_len = nfcf_poll->sensf_res_len; ++ if (target->sensf_res_len > ARRAY_SIZE(target->sensf_res)) ++ return -EPROTO; + if (target->sensf_res_len > 0) { + memcpy(target->sensf_res, nfcf_poll->sensf_res, + target->sensf_res_len); +-- +2.35.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 682e41af9eb..4f33ad3b4c3 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -16,3 +16,23 @@ memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch hid-hid-lg4ff-add-check-for-empty-lbuf.patch hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch +ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch +ca8210-fix-crash-by-zero-initializing-data.patch +gpio-amd8111-fix-pci-device-reference-count-leak.patch +e1000e-fix-tx-dispatch-condition.patch +igb-allocate-msi-x-vector-when-testing.patch +bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch +mac802154-fix-missing-init_list_head-in-ieee802154_i.patch +net-encx24j600-add-parentheses-to-fix-precedence.patch +net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch +net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch +nfc-nci-bounds-check-struct-nfc_target-arrays.patch +net-stmmac-fix-snps-axi-config-node-property-parsing.patch +net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch +net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch +tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch +ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch +xen-netback-fix-build-warning.patch +net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch +ipv6-avoid-use-after-free-in-ip6_fragment.patch +net-mvneta-fix-an-out-of-bounds-check.patch 
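Review bot: the three added checks in nci_add_new_protocol() address exactly the fault syzbot reported (a 129-byte memcpy into the 18-byte target->sensf_res), and `>` against ARRAY_SIZE() is the right comparison since a length equal to the array size still fits. Two points: each check runs after `target->*_len` has already been stored, so on the -EPROTO path the target carries an out-of-range length; the caller presumably discards it on error, so this is harmless today, but validating the controller-supplied length before assigning it (or zeroing the field on the error path) would keep any future reader of `*_len` from trusting it. Second, -EPROTO is the appropriate code because the lengths arrive from the NFC controller over NCI, i.e. data the host must treat as untrusted, which is worth stating in the log next to the CONFIG_FORTIFY_SOURCE note.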
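Review bot: on the series hunk, the ordering matches the patches' index lines: net-encx24j600-add-parentheses-to-fix-precedence.patch (46181559d1f1..4a3c0870c8e4) precedes net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch (4a3c0870c8e4..4a8d9633e082), and net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch (8fde1515aec7..526705c21550) precedes net-mvneta-fix-an-out-of-bounds-check.patch (526705c21550..dbed8fbedd8a), so each later patch applies on the blob its predecessor produced. Nothing to change; recording the dependency here is what stops someone cherry-picking the second patch of either pair on its own.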
diff --git a/queue-4.14/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch b/queue-4.14/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch new file mode 100644 index 00000000000..0324ebd9b16 --- /dev/null +++ b/queue-4.14/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch @@ -0,0 +1,39 @@ +From 50087b0ca6b5a425750d8f7985e215a18dae5875 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 17:46:35 +0800 +Subject: tipc: Fix potential OOB in tipc_link_proto_rcv() + +From: YueHaibing + +[ Upstream commit 743117a997bbd4840e827295c07e59bcd7f7caa3 ] + +Fix the potential risk of OOB if skb_linearize() fails in +tipc_link_proto_rcv(). + +Fixes: 5cbb28a4bf65 ("tipc: linearize arriving NAME_DISTR and LINK_PROTO buffers") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20221203094635.29024-1-yuehaibing@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/link.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/link.c b/net/tipc/link.c +index d3017811b67a..edcc768a17ce 100644 +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -1477,7 +1477,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + if (tipc_own_addr(l->net) > msg_prevnode(hdr)) + l->net_plane = msg_net_plane(hdr); + +- skb_linearize(skb); ++ if (skb_linearize(skb)) ++ goto exit; ++ + hdr = buf_msg(skb); + data = msg_data(hdr); + +-- +2.35.1 + diff --git a/queue-4.14/xen-netback-fix-build-warning.patch b/queue-4.14/xen-netback-fix-build-warning.patch new file mode 100644 index 00000000000..ea93389ca9c --- /dev/null +++ b/queue-4.14/xen-netback-fix-build-warning.patch 
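Review bot: in the tipc_link_proto_rcv() hunk, bailing out with `goto exit` when skb_linearize() fails is correct, since the following `hdr = buf_msg(skb)` / `data = msg_data(hdr)` assume header and payload are in the linear area, and the re-read of `hdr` after linearisation (the earlier `msg_prevnode(hdr)` used the pre-linearise pointer) is preserved. Confirm that the `exit` label path frees the skb, because skb_linearize() only returns an error (-ENOMEM) and leaves the buffer owned by the caller; the label is outside the visible context.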
@@ -0,0 +1,40 @@ +From 2e0fe312b3c98c2a5a926aa53977b667c7b3f3f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 08:19:38 +0100 +Subject: xen/netback: fix build warning + +From: Juergen Gross + +[ Upstream commit 7dfa764e0223a324366a2a1fc056d4d9d4e95491 ] + +Commit ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in +the non-linear area") introduced a (valid) build warning. There have +even been reports of this problem breaking networking of Xen guests. + +Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area") +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Reviewed-by: Ross Lagerwall +Tested-by: Jason Andryuk +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/netback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c +index 665c96f4d7e4..9d4bf69ab7b8 100644 +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -523,7 +523,7 @@ static int xenvif_tx_check_gop(struct xenvif_queue *queue, + const bool sharedslot = nr_frags && + frag_get_pending_idx(&shinfo->frags[0]) == + copy_pending_idx(skb, copy_count(skb) - 1); +- int i, err; ++ int i, err = 0; + + for (i = 0; i < copy_count(skb); i++) { + int newerr; +-- +2.35.1 +
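Review bot: `int i, err = 0;` in xenvif_tx_check_gop() is more than a warning fix: with `for (i = 0; i < copy_count(skb); i++)` visible in context, a frame with no copy operations leaves `err` unset before the later use the compiler flagged, which is consistent with the "breaking networking of Xen guests" reports in the log. Initialising to 0 encodes "no copy ops means no copy error", which is the intended semantics; the log would be clearer if it said so rather than describing the change only as a build-warning fix.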