From: Greg Kroah-Hartman Date: Tue, 3 Mar 2020 10:12:49 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.19.108~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d626b460582fa4f02623685f66ba1feb7b0a2fa6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: net-atlantic-fix-potential-error-handling.patch net-netlink-cap-max-groups-which-will-be-considered-in-netlink_bind.patch --- diff --git a/queue-4.14/net-atlantic-fix-potential-error-handling.patch b/queue-4.14/net-atlantic-fix-potential-error-handling.patch new file mode 100644 index 00000000000..67bd7df3eb3 --- /dev/null +++ b/queue-4.14/net-atlantic-fix-potential-error-handling.patch @@ -0,0 +1,40 @@ +From 380ec5b9af7f0d57dbf6ac067fd9f33cff2fef71 Mon Sep 17 00:00:00 2001 +From: Pavel Belous +Date: Fri, 14 Feb 2020 18:44:56 +0300 +Subject: net: atlantic: fix potential error handling + +From: Pavel Belous + +commit 380ec5b9af7f0d57dbf6ac067fd9f33cff2fef71 upstream. + +Code inspection found that in case of mapping error we do return current +'ret' value. But beside error, it is used to count number of descriptors +allocated for the packet. In that case map_skb function could return '1'. + +Changing it to return zero (number of mapped descriptors for skb) + +Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code") +Signed-off-by: Pavel Belous +Signed-off-by: Igor Russkikh +Signed-off-by: Dmitry Bogdanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -519,8 +519,10 @@ static unsigned int aq_nic_map_skb(struc + dx_buff->len, + DMA_TO_DEVICE); + +- if (unlikely(dma_mapping_error(aq_nic_get_dev(self), dx_buff->pa))) ++ if (unlikely(dma_mapping_error(aq_nic_get_dev(self), dx_buff->pa))) { ++ ret = 0; + goto exit; ++ } + + first = dx_buff; + dx_buff->len_pkt = skb->len; diff --git a/queue-4.14/net-netlink-cap-max-groups-which-will-be-considered-in-netlink_bind.patch b/queue-4.14/net-netlink-cap-max-groups-which-will-be-considered-in-netlink_bind.patch new file mode 100644 index 00000000000..7a384acf158 --- /dev/null +++ b/queue-4.14/net-netlink-cap-max-groups-which-will-be-considered-in-netlink_bind.patch @@ -0,0 +1,53 @@ +From 3a20773beeeeadec41477a5ba872175b778ff752 Mon Sep 17 00:00:00 2001 +From: Nikolay Aleksandrov +Date: Thu, 20 Feb 2020 16:42:13 +0200 +Subject: net: netlink: cap max groups which will be considered in netlink_bind() + +From: Nikolay Aleksandrov + +commit 3a20773beeeeadec41477a5ba872175b778ff752 upstream. + +Since nl_groups is a u32 we can't bind more groups via ->bind +(netlink_bind) call, but netlink has supported more groups via +setsockopt() for a long time and thus nlk->ngroups could be over 32. +Recently I added support for per-vlan notifications and increased the +groups to 33 for NETLINK_ROUTE which exposed an old bug in the +netlink_bind() code causing out-of-bounds access on archs where unsigned +long is 32 bits via test_bit() on a local variable. Fix this by capping the +maximum groups in netlink_bind() to BITS_PER_TYPE(u32), effectively +capping them at 32 which is the minimum of allocated groups and the +maximum groups which can be bound via netlink_bind(). + +CC: Christophe Leroy +CC: Richard Guy Briggs +Fixes: 4f520900522f ("netlink: have netlink per-protocol bind function return an error code.") +Reported-by: Erhard F. +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/netlink/af_netlink.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -997,7 +997,8 @@ static int netlink_bind(struct socket *s + if (nlk->netlink_bind && groups) { + int group; + +- for (group = 0; group < nlk->ngroups; group++) { ++ /* nl_groups is a u32, so cap the maximum groups we can bind */ ++ for (group = 0; group < BITS_PER_TYPE(u32); group++) { + if (!test_bit(group, &groups)) + continue; + err = nlk->netlink_bind(net, group + 1); +@@ -1016,7 +1017,7 @@ static int netlink_bind(struct socket *s + netlink_insert(sk, nladdr->nl_pid) : + netlink_autobind(sock); + if (err) { +- netlink_undo_bind(nlk->ngroups, groups, sk); ++ netlink_undo_bind(BITS_PER_TYPE(u32), groups, sk); + goto unlock; + } + } diff --git a/queue-4.14/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch b/queue-4.14/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch index cbd53e10808..ae21d9d640a 100644 --- a/queue-4.14/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch +++ b/queue-4.14/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch @@ -5,6 +5,8 @@ Subject: net: phy: restore mdio regs in the iproc mdio driver From: Arun Parameswaran +commit 6f08e98d62799e53c89dbf2c9a49d77e20ca648c upstream. + The mii management register in iproc mdio block does not have a retention register so it is lost on suspend. Save and restore value of register while resuming from suspend. diff --git a/queue-4.14/series b/queue-4.14/series index 71a9da7ce3a..7500b90dd41 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -50,3 +50,5 @@ i2c-jz4780-silence-log-flood-on-txabrt.patch drm-i915-gvt-separate-display-reset-from-all_engines-reset.patch usb-charger-assign-specific-number-for-enum-value.patch ecryptfs-fix-up-bad-backport-of-fe2e082f5da5b4a0a92ae32978f81507ef37ec66.patch +net-netlink-cap-max-groups-which-will-be-considered-in-netlink_bind.patch +net-atlantic-fix-potential-error-handling.patch