From: Greg Kroah-Hartman
Date: Sun, 10 Nov 2024 05:21:38 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v5.15.172~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c749dcaa7efe7a4e3127fa8dcce0dafc59f74447;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
ice-add-a-per-vf-limit-on-number-of-fdir-filters.patch
media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
net-do-not-delay-dst_entries_add-in-dst_release.patch
---
diff --git a/queue-5.15/ice-add-a-per-vf-limit-on-number-of-fdir-filters.patch b/queue-5.15/ice-add-a-per-vf-limit-on-number-of-fdir-filters.patch
new file mode 100644
index 00000000000..725336c6cf5
--- /dev/null
+++ b/queue-5.15/ice-add-a-per-vf-limit-on-number-of-fdir-filters.patch
@@ -0,0 +1,127 @@
+From 6ebbe97a488179f5dc85f2f1e0c89b486e99ee97 Mon Sep 17 00:00:00 2001
+From: Ahmed Zaki
+Date: Fri, 14 Jun 2024 07:18:42 -0600
+Subject: ice: Add a per-VF limit on number of FDIR filters
+
+From: Ahmed Zaki
+
+commit 6ebbe97a488179f5dc85f2f1e0c89b486e99ee97 upstream.
+
+While the iavf driver adds a s/w limit (128) on the number of FDIR
+filters that the VF can request, a malicious VF driver can request more
+than that and exhaust the resources for other VFs.
+
+Add a similar limit in ice.
+
+CC: stable@vger.kernel.org
+Fixes: 1f7ea1cd6a37 ("ice: Enable FDIR Configure for AVF")
+Reviewed-by: Przemek Kitszel
+Suggested-by: Sridhar Samudrala
+Signed-off-by: Ahmed Zaki
+Reviewed-by: Wojciech Drewek
+Tested-by: Rafal Romanowski
+Signed-off-by: Tony Nguyen
+[ Sherry: bp to fix CVE-2024-42291. Ignore context change in ice_fdir.h
+ to resolve conflicts. ]
+Signed-off-by: Sherry Yang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/ice/ice_ethtool_fdir.c | 2 +-
+ drivers/net/ethernet/intel/ice/ice_fdir.h | 3 +++
+ drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 16 ++++++++++++++++
+ drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.h | 1 +
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_ethtool_fdir.c
++++ b/drivers/net/ethernet/intel/ice/ice_ethtool_fdir.c
+@@ -456,7 +456,7 @@ ice_parse_rx_flow_user_data(struct ethto
+ *
+ * Returns the number of available flow director filters to this VSI
+ */
+-static int ice_fdir_num_avail_fltr(struct ice_hw *hw, struct ice_vsi *vsi)
++int ice_fdir_num_avail_fltr(struct ice_hw *hw, struct ice_vsi *vsi)
+ {
+ u16 vsi_num = ice_get_hw_vsi_num(hw, vsi->idx);
+ u16 num_guar;
+--- a/drivers/net/ethernet/intel/ice/ice_fdir.h
++++ b/drivers/net/ethernet/intel/ice/ice_fdir.h
+@@ -201,6 +201,8 @@ struct ice_fdir_base_pkt {
+ const u8 *tun_pkt;
+ };
+
++struct ice_vsi;
++
+ enum ice_status ice_alloc_fd_res_cntr(struct ice_hw *hw, u16 *cntr_id);
+ enum ice_status ice_free_fd_res_cntr(struct ice_hw *hw, u16 cntr_id);
+ enum ice_status
+@@ -214,6 +216,7 @@ enum ice_status
+ ice_fdir_get_gen_prgm_pkt(struct ice_hw *hw, struct ice_fdir_fltr *input,
+ u8 *pkt, bool frag, bool tun);
+ int ice_get_fdir_cnt_all(struct ice_hw *hw);
++int ice_fdir_num_avail_fltr(struct ice_hw *hw, struct ice_vsi *vsi);
+ bool ice_fdir_is_dup_fltr(struct ice_hw *hw, struct ice_fdir_fltr *input);
+ bool ice_fdir_has_frag(enum ice_fltr_ptype flow);
+ struct ice_fdir_fltr *
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
+@@ -744,6 +744,8 @@ static void ice_vc_fdir_reset_cnt_all(st
+ fdir->fdir_fltr_cnt[flow][0] = 0;
+ fdir->fdir_fltr_cnt[flow][1] = 0;
+ }
++
++ fdir->fdir_fltr_cnt_total = 0;
+ }
+
+ /**
+@@ -1837,6 +1839,7 @@ ice_vc_add_fdir_fltr_post(struct ice_vf
+ resp->status = status;
+ resp->flow_id = conf->flow_id;
+ vf->fdir.fdir_fltr_cnt[conf->input.flow_type][is_tun]++;
++ vf->fdir.fdir_fltr_cnt_total++;
+
+ ret = ice_vc_send_msg_to_vf(vf, ctx->v_opcode, v_ret,
+ (u8 *)resp, len);
+@@ -1901,6 +1904,7 @@ ice_vc_del_fdir_fltr_post(struct ice_vf
+ resp->status = status;
+ ice_vc_fdir_remove_entry(vf, conf, conf->flow_id);
+ vf->fdir.fdir_fltr_cnt[conf->input.flow_type][is_tun]--;
++ vf->fdir.fdir_fltr_cnt_total--;
+
+ ret = ice_vc_send_msg_to_vf(vf, ctx->v_opcode, v_ret,
+ (u8 *)resp, len);
+@@ -2065,6 +2069,7 @@ int ice_vc_add_fdir_fltr(struct ice_vf *
+ struct virtchnl_fdir_add *stat = NULL;
+ struct virtchnl_fdir_fltr_conf *conf;
+ enum virtchnl_status_code v_ret;
++ struct ice_vsi *vf_vsi;
+ struct device *dev;
+ struct ice_pf *pf;
+ int is_tun = 0;
+@@ -2073,6 +2078,17 @@ int ice_vc_add_fdir_fltr(struct ice_vf *
+
+ pf = vf->pf;
+ dev = ice_pf_to_dev(pf);
++ vf_vsi = ice_get_vf_vsi(vf);
++
++#define ICE_VF_MAX_FDIR_FILTERS 128
++ if (!ice_fdir_num_avail_fltr(&pf->hw, vf_vsi) ||
++ vf->fdir.fdir_fltr_cnt_total >= ICE_VF_MAX_FDIR_FILTERS) {
++ v_ret = VIRTCHNL_STATUS_ERR_PARAM;
++ dev_err(dev, "Max number of FDIR filters for VF %d is reached\n",
++ vf->vf_id);
++ goto err_exit;
++ }
++
+ ret = ice_vc_fdir_param_check(vf, fltr->vsi_id);
+ if (ret) {
+ v_ret = VIRTCHNL_STATUS_ERR_PARAM;
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.h
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.h
+@@ -28,6 +28,7 @@ struct ice_vf_fdir_ctx {
+ struct ice_vf_fdir {
+ u16 fdir_fltr_cnt[ICE_FLTR_PTYPE_MAX][ICE_FD_HW_SEG_MAX];
+ int prof_entry_cnt[ICE_FLTR_PTYPE_MAX][ICE_FD_HW_SEG_MAX];
++ u16 fdir_fltr_cnt_total;
+ struct ice_fd_hw_prof **fdir_prof;
+
+ struct idr fdir_rule_idr;
diff --git a/queue-5.15/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch b/queue-5.15/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
new file mode 100644
index 00000000000..78c23ab9bc6
--- /dev/null
+++ b/queue-5.15/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
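Review bot: `vf_vsi = ice_get_vf_vsi(vf);` in ice_vc_add_fdir_fltr() is passed straight to ice_fdir_num_avail_fltr(), whose first statement (visible in the ice_ethtool_fdir.c hunk) dereferences `vsi->idx`, and this happens before ice_vc_fdir_param_check() has validated the request. ice_get_vf_vsi() is not shown here; if it can return NULL for a VF without a VSI, the new check needs a guard such as `if (!vf_vsi) { v_ret = VIRTCHNL_STATUS_ERR_PARAM; goto err_exit; }` ahead of it. The rejection path also logs with `dev_err()` on every refused request, which a VF can repeat at will; `dev_dbg()` or a rate-limited print would keep a misbehaving VF from flooding the PF log. `#define ICE_VF_MAX_FDIR_FILTERS 128` would read better at file scope or next to `struct ice_vf_fdir` than inside the function body, which continues outside the hunk.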
@@ -0,0 +1,35 @@
+From ecf2b43018da9579842c774b7f35dbe11b5c38dd Mon Sep 17 00:00:00 2001
+From: Benoit Sevens
+Date: Thu, 7 Nov 2024 14:22:02 +0000
+Subject: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
+
+From: Benoit Sevens
+
+commit ecf2b43018da9579842c774b7f35dbe11b5c38dd upstream.
+
+This can lead to out of bounds writes since frames of this type were not
+taken into account when calculating the size of the frames buffer in
+uvc_parse_streaming.
+
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Signed-off-by: Benoit Sevens
+Cc: stable@vger.kernel.org
+Acked-by: Greg Kroah-Hartman
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/uvc/uvc_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -645,7 +645,7 @@ static int uvc_parse_format(struct uvc_d
+ /* Parse the frame descriptors. Only uncompressed, MJPEG and frame
+ * based formats have frame descriptors.
+ */
+- while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
++ while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
+ buffer[2] == ftype) {
+ frame = &format->frame[format->nframes];
+ if (ftype != UVC_VS_FRAME_FRAME_BASED)
diff --git a/queue-5.15/net-do-not-delay-dst_entries_add-in-dst_release.patch b/queue-5.15/net-do-not-delay-dst_entries_add-in-dst_release.patch
new file mode 100644
index 00000000000..c6fa7630b39
--- /dev/null
+++ b/queue-5.15/net-do-not-delay-dst_entries_add-in-dst_release.patch
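Review bot: The new `ftype &&` guard in the while condition of uvc_parse_format() is not self-explanatory, and the write target `&format->frame[format->nframes]` two lines later is still not bounded by the size of the frames buffer. The commit message says that buffer is sized in uvc_parse_streaming(), which is outside this hunk, so the loop stays safe only while both functions agree on which descriptors count as frames. A comment such as `/* ftype == 0 (UVC_VS_UNDEFINED): no frame descriptors were counted for this format, so none may be parsed */` above the loop would record that invariant; the value 0 for UVC_VS_UNDEFINED is inferred from the subject line and should be confirmed. The function body continues outside the hunk.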
@@ -0,0 +1,99 @@
+From ac888d58869bb99753e7652be19a151df9ecb35d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 8 Oct 2024 14:31:10 +0000
+Subject: net: do not delay dst_entries_add() in dst_release()
+
+From: Eric Dumazet
+
+commit ac888d58869bb99753e7652be19a151df9ecb35d upstream.
+
+dst_entries_add() uses per-cpu data that might be freed at netns
+dismantle from ip6_route_net_exit() calling dst_entries_destroy()
+
+Before ip6_route_net_exit() can be called, we release all
+the dsts associated with this netns, via calls to dst_release(),
+which waits an rcu grace period before calling dst_destroy()
+
+dst_entries_add() use in dst_destroy() is racy, because
+dst_entries_destroy() could have been called already.
+
+Decrementing the number of dsts must happen sooner.
+
+Notes:
+
+1) in CONFIG_XFRM case, dst_destroy() can call
+ dst_release_immediate(child), this might also cause UAF
+ if the child does not have DST_NOCOUNT set.
+ IPSEC maintainers might take a look and see how to address this.
+
+2) There is also discussion about removing this count of dst,
+ which might happen in future kernels.
+
+Fixes: f88649721268 ("ipv4: fix dst race in sk_dst_get()")
+Closes: https://lore.kernel.org/lkml/CANn89iLCCGsP7SFn9HKpvnKu96Td4KD08xf7aGtiYgZnkjaL=w@mail.gmail.com/T/
+Reported-by: Naresh Kamboju
+Tested-by: Linux Kernel Functional Testing
+Tested-by: Naresh Kamboju
+Signed-off-by: Eric Dumazet
+Cc: Xin Long
+Cc: Steffen Klassert
+Reviewed-by: Xin Long
+Link: https://patch.msgid.link/20241008143110.1064899-1-edumazet@google.com
+Signed-off-by: Paolo Abeni
+[ resolved conflict due to bc9d3a9f2afc ("net: dst: Switch to rcuref_t
+ reference counting") is not in the tree ]
+Signed-off-by: Abdelkareem Abdelsaamad
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dst.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -108,9 +108,6 @@ struct dst_entry *dst_destroy(struct dst
+ child = xdst->child;
+ }
+ #endif
+- if (!(dst->flags & DST_NOCOUNT))
+- dst_entries_add(dst->ops, -1);
+-
+ if (dst->ops->destroy)
+ dst->ops->destroy(dst);
+ dev_put(dst->dev);
+@@ -160,6 +157,12 @@ void dst_dev_put(struct dst_entry *dst)
+ }
+ EXPORT_SYMBOL(dst_dev_put);
+
++static void dst_count_dec(struct dst_entry *dst)
++{
++ if (!(dst->flags & DST_NOCOUNT))
++ dst_entries_add(dst->ops, -1);
++}
++
+ void dst_release(struct dst_entry *dst)
+ {
+ if (dst) {
+@@ -169,8 +172,10 @@ void dst_release(struct dst_entry *dst)
+ if (WARN_ONCE(newrefcnt < 0, "dst_release underflow"))
+ net_warn_ratelimited("%s: dst:%p refcnt:%d\n",
+ __func__, dst, newrefcnt);
+- if (!newrefcnt)
++ if (!newrefcnt){
++ dst_count_dec(dst);
+ call_rcu(&dst->rcu_head, dst_destroy_rcu);
++ }
+ }
+ }
+ EXPORT_SYMBOL(dst_release);
+@@ -184,8 +189,10 @@ void dst_release_immediate(struct dst_en
+ if (WARN_ONCE(newrefcnt < 0, "dst_release_immediate underflow"))
+ net_warn_ratelimited("%s: dst:%p refcnt:%d\n",
+ __func__, dst, newrefcnt);
+- if (!newrefcnt)
++ if (!newrefcnt){
++ dst_count_dec(dst);
+ dst_destroy(dst);
++ }
+ }
+ }
+ EXPORT_SYMBOL(dst_release_immediate);
diff --git a/queue-5.15/series b/queue-5.15/series
index e0bab77a274..70c1d725d1d 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -54,3 +54,6 @@ io_uring-rw-fix-missing-nowait-check-for-o_direct-st.patch
 nfs-fix-kmsan-warning-in-decode_getfattr_attrs.patch
 btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch
 net-bridge-xmit-make-sure-we-have-at-least-eth-header-len-bytes.patch
+ice-add-a-per-vf-limit-on-number-of-fdir-filters.patch
+net-do-not-delay-dst_entries_add-in-dst_release.patch
+media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
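Review bot: dst_destroy() no longer decrements the dst counter, so the accounting now depends on every path reaching it through dst_release() or dst_release_immediate(); any direct caller of dst_destroy() (none is visible in these hunks) would leave the per-ops count permanently high. The new helper dst_count_dec() also carries no comment explaining the ordering constraint; something like `/* Must run before the RCU grace period: dst_entries_destroy() may free the per-cpu counters at netns dismantle. */` above it would keep a later cleanup from moving the call back into dst_destroy(). Both added `if (!newrefcnt){` lines are missing the space before the brace that the surrounding code uses, `if (!newrefcnt) {`.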