From: Sasha Levin Date: Sat, 23 Apr 2022 23:59:38 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.9.312~54^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d86ccb67a2504453d4825aa0d065ddf4fa0836b4;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch b/queue-4.14/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch new file mode 100644 index 00000000000..3100401c2d8 --- /dev/null +++ b/queue-4.14/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch 
@@ -0,0 +1,49 @@ +From 39073af5e57389d49810639f5e9407d04117193e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 17:15:08 +0200 +Subject: ALSA: usb-audio: Fix undefined behavior due to shift overflowing the + constant +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Borislav Petkov + +[ Upstream commit 1ef8715975de8bd481abbd0839ed4f49d9e5b0ff ] + +Fix: + + sound/usb/midi.c: In function ‘snd_usbmidi_out_endpoint_create’: + sound/usb/midi.c:1389:2: error: case label does not reduce to an integer constant + case USB_ID(0xfc08, 0x0101): /* Unknown vendor Cable */ + ^~~~ + +See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory +details as to why it triggers with older gccs only. + +[ A slight correction with parentheses around the argument by tiwai ] + +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20220405151517.29753-3-bp@alien8.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/usbaudio.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h +index 62456a806bb4..4b8f1c46420d 100644 +--- a/sound/usb/usbaudio.h ++++ b/sound/usb/usbaudio.h +@@ -22,7 +22,7 @@ + */ + + /* handling of USB vendor/product ID pairs as 32-bit numbers */ +-#define USB_ID(vendor, product) (((vendor) << 16) | (product)) ++#define USB_ID(vendor, product) (((unsigned int)(vendor) << 16) | (product)) + #define USB_ID_VENDOR(id) ((id) >> 16) + #define USB_ID_PRODUCT(id) ((u16)(id)) + +-- +2.35.1 + diff --git a/queue-4.14/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch b/queue-4.14/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch new file mode 100644 index 00000000000..5541200bdde --- /dev/null +++ b/queue-4.14/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch 
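Review bot: The cast removes the signed-shift UB for `vendor`, but `product` is still OR-ed in uncast, so a product argument wider than 16 bits (or a negative `int`) would silently clobber the vendor half of the id; `USB_ID_PRODUCT()` two lines below already truncates with `(u16)`, so masking on the way in keeps the pair symmetric: `#define USB_ID(vendor, product) (((unsigned int)(vendor) << 16) | ((unsigned int)(product) & 0xffff))`. Both the cast and the mask keep the expansion an integer constant expression, which the `case USB_ID(...)` labels the commit message quotes depend on. A one-line comment stating that both halves are expected to be 16-bit USB ids would make the intent explicit.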
@@ -0,0 +1,58 @@ +From 070dbacf8bf6c201f7acaa29234b79f494610f7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Mar 2022 12:04:43 -0700 +Subject: ARM: vexpress/spc: Avoid negative array index when !SMP + +From: Kees Cook + +[ Upstream commit b3f1dd52c991d79118f35e6d1bf4d7cb09882e38 ] + +When building multi_v7_defconfig+CONFIG_SMP=n, -Warray-bounds exposes +a couple negative array index accesses: + +arch/arm/mach-vexpress/spc.c: In function 've_spc_clk_init': +arch/arm/mach-vexpress/spc.c:583:21: warning: array subscript -1 is below array bounds of 'bool[2]' {aka '_Bool[2]'} [-Warray-bounds] + 583 | if (init_opp_table[cluster]) + | ~~~~~~~~~~~~~~^~~~~~~~~ +arch/arm/mach-vexpress/spc.c:556:7: note: while referencing 'init_opp_table' + 556 | bool init_opp_table[MAX_CLUSTERS] = { false }; + | ^~~~~~~~~~~~~~ +arch/arm/mach-vexpress/spc.c:592:18: warning: array subscript -1 is below array bounds of 'bool[2]' {aka '_Bool[2]'} [-Warray-bounds] + 592 | init_opp_table[cluster] = true; + | ~~~~~~~~~~~~~~^~~~~~~~~ +arch/arm/mach-vexpress/spc.c:556:7: note: while referencing 'init_opp_table' + 556 | bool init_opp_table[MAX_CLUSTERS] = { false }; + | ^~~~~~~~~~~~~~ + +Skip this logic when built !SMP. 
+ +Link: https://lore.kernel.org/r/20220331190443.851661-1-keescook@chromium.org +Cc: Liviu Dudau +Cc: Sudeep Holla +Cc: Lorenzo Pieralisi +Cc: Russell King +Cc: linux-arm-kernel@lists.infradead.org +Acked-by: Liviu Dudau +Signed-off-by: Kees Cook +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + arch/arm/mach-vexpress/spc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-vexpress/spc.c b/arch/arm/mach-vexpress/spc.c +index 635b0d549487..c16f39614003 100644 +--- a/arch/arm/mach-vexpress/spc.c ++++ b/arch/arm/mach-vexpress/spc.c +@@ -584,7 +584,7 @@ static int __init ve_spc_clk_init(void) + } + + cluster = topology_physical_package_id(cpu_dev->id); +- if (init_opp_table[cluster]) ++ if (cluster < 0 || init_opp_table[cluster]) + continue; + + if (ve_init_opp_table(cpu_dev)) +-- +2.35.1 + diff --git a/queue-4.14/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch b/queue-4.14/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch new file mode 100644 index 00000000000..7aa88243575 --- /dev/null +++ b/queue-4.14/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch 
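Review bot: The added guard only rejects negative cluster ids; `init_opp_table` has `MAX_CLUSTERS` entries (per the warning quoted in the commit message) and nothing in the hunk bounds `cluster` from above, so an id from `topology_physical_package_id()` that is >= MAX_CLUSTERS would still index past the array. If that cannot happen on this platform it deserves a comment; otherwise `if (cluster < 0 || cluster >= MAX_CLUSTERS || init_opp_table[cluster]) continue;` covers both sides at no cost. ve_spc_clk_init() starts and ends outside the hunk, and the later `init_opp_table[cluster] = true` store named in the warning is past the visible lines.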
@@ -0,0 +1,59 @@ +From 86f7c4093024bdff6f5bb56fa3cb98d14ad8382f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 18:55:37 +0200 +Subject: brcmfmac: sdio: Fix undefined behavior due to shift overflowing the + constant +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Borislav Petkov + +[ Upstream commit 6fb3a5868b2117611f41e421e10e6a8c2a13039a ] + +Fix: + + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c: In function ‘brcmf_sdio_drivestrengthinit’: + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:3798:2: error: case label does not reduce to an integer constant + case SDIOD_DRVSTR_KEY(BRCM_CC_43143_CHIP_ID, 17): + ^~~~ + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:3809:2: error: case label does not reduce to an integer constant + case SDIOD_DRVSTR_KEY(BRCM_CC_43362_CHIP_ID, 13): + ^~~~ + +See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory +details as to why it triggers with older gccs only. + +Signed-off-by: Borislav Petkov +Cc: Arend van Spriel +Cc: Franky Lin +Cc: Hante Meuleman +Cc: Kalle Valo +Cc: "David S. 
Miller" +Cc: Jakub Kicinski +Cc: brcm80211-dev-list.pdl@broadcom.com +Cc: netdev@vger.kernel.org +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/Ykx0iRlvtBnKqtbG@zn.tnic +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +index d198a8780b96..8fa4ffff7c32 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -552,7 +552,7 @@ enum brcmf_sdio_frmtype { + BRCMF_SDIO_FT_SUB, + }; + +-#define SDIOD_DRVSTR_KEY(chip, pmu) (((chip) << 16) | (pmu)) ++#define SDIOD_DRVSTR_KEY(chip, pmu) (((unsigned int)(chip) << 16) | (pmu)) + + /* SDIO Pad drive strength to select value mappings */ + struct sdiod_drive_str { +-- +2.35.1 + diff --git a/queue-4.14/cifs-check-the-iocb_direct-flag-not-o_direct.patch b/queue-4.14/cifs-check-the-iocb_direct-flag-not-o_direct.patch new file mode 100644 index 00000000000..75c6eed4e24 --- /dev/null +++ b/queue-4.14/cifs-check-the-iocb_direct-flag-not-o_direct.patch 
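Review bot: As with the `vendor` cast, only the shifted operand is widened here; `pmu` is OR-ed in uncast, so a `pmu` value above 0xffff or a negative constant would overlap the chip-id bits and make two distinct `case SDIOD_DRVSTR_KEY(...)` labels collide or mismatch at lookup time. Masking the low half, `(((unsigned int)(chip) << 16) | ((unsigned int)(pmu) & 0xffff))`, keeps the key layout stated by the macro and still yields an integer constant expression for the case labels. A short comment documenting the 16/16 split of the key would help readers of the `sdiod_drive_str` table that follows.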
@@ -0,0 +1,39 @@ +From a1647bb21db89c1b2e4b22104cd6e77497bda198 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 00:03:14 +0100 +Subject: cifs: Check the IOCB_DIRECT flag, not O_DIRECT + +From: David Howells + +[ Upstream commit 994fd530a512597ffcd713b0f6d5bc916c5698f0 ] + +Use the IOCB_DIRECT indicator flag on the I/O context rather than checking to +see if the file was opened O_DIRECT. + +Signed-off-by: David Howells +cc: Steve French +cc: Shyam Prasad N +cc: Rohith Surabattula +cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifsfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c +index dba0d12c3db1..1d3f98572068 100644 +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -773,7 +773,7 @@ cifs_loose_read_iter(struct kiocb *iocb, struct iov_iter *iter) + ssize_t rc; + struct inode *inode = file_inode(iocb->ki_filp); + +- if (iocb->ki_filp->f_flags & O_DIRECT) ++ if (iocb->ki_flags & IOCB_DIRECT) + return cifs_user_readv(iocb, iter); + + rc = cifs_revalidate_mapping(inode); +-- +2.35.1 + diff --git a/queue-4.14/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch b/queue-4.14/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch new file mode 100644 index 00000000000..ed5c2b294b6 --- /dev/null +++ b/queue-4.14/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch 
@@ -0,0 +1,46 @@ +From dc7048449299964580d48f3c3eb7a93db4030431 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 06:49:51 +0000 +Subject: dmaengine: imx-sdma: Fix error checking in sdma_event_remap + +From: Miaoqian Lin + +[ Upstream commit 7104b9cb35a33ad803a1adbbfa50569b008faf15 ] + +of_parse_phandle() returns NULL on errors, rather than error +pointers. Using NULL check on grp_np to fix this. + +Fixes: d078cd1b4185 ("dmaengine: imx-sdma: Add imx6sx platform support") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220308064952.15743-1-linmq006@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/imx-sdma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c +index 99f3f22ed647..02d13a44ba45 100644 +--- a/drivers/dma/imx-sdma.c ++++ b/drivers/dma/imx-sdma.c +@@ -1528,7 +1528,7 @@ static int sdma_event_remap(struct sdma_engine *sdma) + u32 reg, val, shift, num_map, i; + int ret = 0; + +- if (IS_ERR(np) || IS_ERR(gpr_np)) ++ if (IS_ERR(np) || !gpr_np) + goto out; + + event_remap = of_find_property(np, propname, NULL); +@@ -1576,7 +1576,7 @@ static int sdma_event_remap(struct sdma_engine *sdma) + } + + out: +- if (!IS_ERR(gpr_np)) ++ if (gpr_np) + of_node_put(gpr_np); + + return ret; +-- +2.35.1 + diff --git a/queue-4.14/drm-msm-mdp5-check-the-return-of-kzalloc.patch b/queue-4.14/drm-msm-mdp5-check-the-return-of-kzalloc.patch new file mode 100644 index 00000000000..8f69a106600 --- /dev/null +++ b/queue-4.14/drm-msm-mdp5-check-the-return-of-kzalloc.patch 
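Review bot: The remaining `IS_ERR(np)` in the same condition has the shape of bug this commit fixes: if `np` is a device node taken from `dev->of_node` or another `of_*` lookup (its declaration is above the hunk), a missing node is NULL rather than an ERR_PTR, so `IS_ERR(np)` is never true and the check is dead rather than protective. Unless `np` comes from an API that does return error pointers, the matching test is `if (!np || !gpr_np) goto out;`. sdma_event_remap() begins outside the hunk, so this should be confirmed against the declaration of `np`.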
@@ -0,0 +1,45 @@ +From 8081aa968b2fb73aa79a24b04bb74f1004cf5036 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 10:31:51 +0800 +Subject: drm/msm/mdp5: check the return of kzalloc() + +From: Xiaoke Wang + +[ Upstream commit 047ae665577776b7feb11bd4f81f46627cff95e7 ] + +kzalloc() is a memory allocation function which can return NULL when +some internal memory errors happen. So it is better to check it to +prevent potential wrong memory access. + +Besides, since mdp5_plane_reset() is void type, so we should better +set `plane-state` to NULL after releasing it. + +Signed-off-by: Xiaoke Wang +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/481055/ +Link: https://lore.kernel.org/r/tencent_8E2A1C78140EE1784AB2FF4B2088CC0AB908@qq.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c +index 4b22ac3413a1..1f9e3c5ea47d 100644 +--- a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c ++++ b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c +@@ -197,7 +197,10 @@ static void mdp5_plane_reset(struct drm_plane *plane) + drm_framebuffer_unreference(plane->state->fb); + + kfree(to_mdp5_plane_state(plane->state)); ++ plane->state = NULL; + mdp5_state = kzalloc(sizeof(*mdp5_state), GFP_KERNEL); ++ if (!mdp5_state) ++ return; + + /* assign default blend parameters */ + mdp5_state->alpha = 255; +-- +2.35.1 + diff --git a/queue-4.14/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch b/queue-4.14/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch new file mode 100644 index 00000000000..9d5693a0f1e --- /dev/null +++ b/queue-4.14/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch 
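Review bot: On allocation failure the function now returns silently with `plane->state` left NULL after the previous state was freed; DRM atomic helpers generally assume a plane has a non-NULL state once `reset()` has run, so this trades a NULL write in mdp5_plane_reset() for a later dereference in whichever helper next touches `plane->state` (which one cannot be confirmed from the hunk). The early return should at least be visible in the log and documented, e.g. a comment above it such as `/* Leave plane->state NULL; callers must tolerate a plane with no state */` plus a one-line error print, so the failure is not mistaken for a normal reset. mdp5_plane_reset() continues past the hunk, where `plane->state` is presumably reassigned from `mdp5_state`.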
@@ -0,0 +1,64 @@ +From 8168f5d5e491a78d2f8d0c95049aa2a6b040769b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 19:16:59 +0300 +Subject: net: macb: Restart tx only if queue pointer is lagging + +From: Tomas Melin + +[ Upstream commit 5ad7f18cd82cee8e773d40cc7a1465a526f2615c ] + +commit 4298388574da ("net: macb: restart tx after tx used bit read") +added support for restarting transmission. Restarting tx does not work +in case controller asserts TXUBR interrupt and TQBP is already at the end +of the tx queue. In that situation, restarting tx will immediately cause +assertion of another TXUBR interrupt. The driver will end up in an infinite +interrupt loop which it cannot break out of. + +For cases where TQBP is at the end of the tx queue, instead +only clear TX_USED interrupt. As more data gets pushed to the queue, +transmission will resume. + +This issue was observed on a Xilinx Zynq-7000 based board. +During stress test of the network interface, +driver would get stuck on interrupt loop within seconds or minutes +causing CPU to stall. 
+ +Signed-off-by: Tomas Melin +Tested-by: Claudiu Beznea +Reviewed-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220407161659.14532-1-tomas.melin@vaisala.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 045ab0ec5ca2..456d84cbcc6b 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1265,6 +1265,7 @@ static void macb_tx_restart(struct macb_queue *queue) + unsigned int head = queue->tx_head; + unsigned int tail = queue->tx_tail; + struct macb *bp = queue->bp; ++ unsigned int head_idx, tbqp; + + if (bp->caps & MACB_CAPS_ISR_CLEAR_ON_WRITE) + queue_writel(queue, ISR, MACB_BIT(TXUBR)); +@@ -1272,6 +1273,13 @@ static void macb_tx_restart(struct macb_queue *queue) + if (head == tail) + return; + ++ tbqp = queue_readl(queue, TBQP) / macb_dma_desc_get_size(bp); ++ tbqp = macb_adj_dma_desc_idx(bp, macb_tx_ring_wrap(bp, tbqp)); ++ head_idx = macb_adj_dma_desc_idx(bp, macb_tx_ring_wrap(bp, head)); ++ ++ if (tbqp == head_idx) ++ return; ++ + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART)); + } + +-- +2.35.1 + diff --git a/queue-4.14/net-packet-fix-packet_sock-xmit-return-value-checkin.patch b/queue-4.14/net-packet-fix-packet_sock-xmit-return-value-checkin.patch new file mode 100644 index 00000000000..1bca2782a34 --- /dev/null +++ b/queue-4.14/net-packet-fix-packet_sock-xmit-return-value-checkin.patch 
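Review bot: The index is derived by dividing the raw TBQP register value by the descriptor size, which only yields a ring index modulo `macb_tx_ring_wrap()` if the TX ring's DMA base happens to be aligned to a multiple of (ring length × descriptor size); if the base is not so aligned, `tbqp` and `head_idx` never agree, the early return never fires, and the interrupt loop the commit describes is back. Subtracting the ring base before dividing removes that dependency: `tbqp = (queue_readl(queue, TBQP) - lower_32_bits(queue->tx_ring_dma)) / macb_dma_desc_get_size(bp);` (assuming `queue->tx_ring_dma` is the address programmed into TBQP, which is outside the hunk). A comment above the comparison, e.g. `/* TBQP already at head: hardware consumed the whole queue, restarting would only re-raise TXUBR */`, would explain why this case must not restart.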
@@ -0,0 +1,59 @@ +From 9655e514b1578403b81fcdb76514d50ec64da446 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 16:49:25 +0800 +Subject: net/packet: fix packet_sock xmit return value checking + +From: Hangbin Liu + +[ Upstream commit 29e8e659f984be00d75ec5fef4e37c88def72712 ] + +packet_sock xmit could be dev_queue_xmit, which also returns negative +errors. So only checking positive errors is not enough, or userspace +sendmsg may return success while packet is not send out. + +Move the net_xmit_errno() assignment in the braces as checkpatch.pl said +do not use assignment in if condition. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Flavio Leitner +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index b0dd17d1992e..61093ce76b61 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2829,8 +2829,9 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + + status = TP_STATUS_SEND_REQUEST; + err = po->xmit(skb); +- if (unlikely(err > 0)) { +- err = net_xmit_errno(err); ++ if (unlikely(err != 0)) { ++ if (err > 0) ++ err = net_xmit_errno(err); + if (err && __packet_get_status(po, ph) == + TP_STATUS_AVAILABLE) { + /* skb was destructed already */ +@@ -3029,8 +3030,12 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + skb->no_fcs = 1; + + err = po->xmit(skb); +- if (err > 0 && (err = net_xmit_errno(err)) != 0) +- goto out_unlock; ++ if (unlikely(err != 0)) { ++ if (err > 0) ++ err = net_xmit_errno(err); ++ if (err) ++ goto out_unlock; ++ } + + dev_put(dev); + +-- +2.35.1 + diff --git a/queue-4.14/netlink-reset-network-and-mac-headers-in-netlink_dum.patch b/queue-4.14/netlink-reset-network-and-mac-headers-in-netlink_dum.patch new file mode 100644 index 00000000000..7182d72f796 
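Review bot: Both new outer conditions spell the test as `if (unlikely(err != 0))` while the inner one uses `if (err)`; kernel style prefers the bare form, so `if (unlikely(err)) {` in tpacket_snd() and packet_snd() keeps the two levels consistent. A short comment such as `/* po->xmit may be dev_queue_xmit(), which returns negative errnos as well as NET_XMIT_* codes */` above the first check would record why positive and negative values are now both handled, since that is the whole point of the change. Both enclosing functions start and end outside the hunk.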
--- /dev/null +++ b/queue-4.14/netlink-reset-network-and-mac-headers-in-netlink_dum.patch 
@@ -0,0 +1,136 @@ +From 0f76527697f6076855641118ac422ab3634fcbf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Apr 2022 11:14:42 -0700 +Subject: netlink: reset network and mac headers in netlink_dump() + +From: Eric Dumazet + +[ Upstream commit 99c07327ae11e24886d552dddbe4537bfca2765d ] + +netlink_dump() is allocating an skb, reserves space in it +but forgets to reset network header. + +This allows a BPF program, invoked later from sk_filter() +to access uninitialized kernel memory from the reserved +space. + +Theorically mac header reset could be omitted, because +it is set to a special initial value. +bpf_internal_load_pointer_neg_helper calls skb_mac_header() +without checking skb_mac_header_was_set(). +Relying on skb->len not being too big seems fragile. +We also could add a sanity check in bpf_internal_load_pointer_neg_helper() +to avoid surprises in the future. + +syzbot report was: + +BUG: KMSAN: uninit-value in ___bpf_prog_run+0xa22b/0xb420 kernel/bpf/core.c:1637 + ___bpf_prog_run+0xa22b/0xb420 kernel/bpf/core.c:1637 + __bpf_prog_run32+0x121/0x180 kernel/bpf/core.c:1796 + bpf_dispatcher_nop_func include/linux/bpf.h:784 [inline] + __bpf_prog_run include/linux/filter.h:626 [inline] + bpf_prog_run include/linux/filter.h:633 [inline] + __bpf_prog_run_save_cb+0x168/0x580 include/linux/filter.h:756 + bpf_prog_run_save_cb include/linux/filter.h:770 [inline] + sk_filter_trim_cap+0x3bc/0x8c0 net/core/filter.c:150 + sk_filter include/linux/filter.h:905 [inline] + netlink_dump+0xe0c/0x16c0 net/netlink/af_netlink.c:2276 + netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + sock_read_iter+0x5a9/0x630 net/socket.c:1039 + do_iter_readv_writev+0xa7f/0xc70 + do_iter_read+0x52c/0x14c0 fs/read_write.c:786 + vfs_readv fs/read_write.c:906 [inline] + do_readv+0x432/0x800 fs/read_write.c:943 + __do_sys_readv fs/read_write.c:1034 [inline] + __se_sys_readv 
fs/read_write.c:1031 [inline] + __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Uninit was stored to memory at: + ___bpf_prog_run+0x96c/0xb420 kernel/bpf/core.c:1558 + __bpf_prog_run32+0x121/0x180 kernel/bpf/core.c:1796 + bpf_dispatcher_nop_func include/linux/bpf.h:784 [inline] + __bpf_prog_run include/linux/filter.h:626 [inline] + bpf_prog_run include/linux/filter.h:633 [inline] + __bpf_prog_run_save_cb+0x168/0x580 include/linux/filter.h:756 + bpf_prog_run_save_cb include/linux/filter.h:770 [inline] + sk_filter_trim_cap+0x3bc/0x8c0 net/core/filter.c:150 + sk_filter include/linux/filter.h:905 [inline] + netlink_dump+0xe0c/0x16c0 net/netlink/af_netlink.c:2276 + netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + sock_read_iter+0x5a9/0x630 net/socket.c:1039 + do_iter_readv_writev+0xa7f/0xc70 + do_iter_read+0x52c/0x14c0 fs/read_write.c:786 + vfs_readv fs/read_write.c:906 [inline] + do_readv+0x432/0x800 fs/read_write.c:943 + __do_sys_readv fs/read_write.c:1034 [inline] + __se_sys_readv fs/read_write.c:1031 [inline] + __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:737 [inline] + slab_alloc_node mm/slub.c:3244 [inline] + __kmalloc_node_track_caller+0xde3/0x14f0 mm/slub.c:4972 + kmalloc_reserve net/core/skbuff.c:354 [inline] + __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 + alloc_skb include/linux/skbuff.h:1158 [inline] + netlink_dump+0x30f/0x16c0 net/netlink/af_netlink.c:2242 + netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 
[inline] + sock_read_iter+0x5a9/0x630 net/socket.c:1039 + do_iter_readv_writev+0xa7f/0xc70 + do_iter_read+0x52c/0x14c0 fs/read_write.c:786 + vfs_readv fs/read_write.c:906 [inline] + do_readv+0x432/0x800 fs/read_write.c:943 + __do_sys_readv fs/read_write.c:1034 [inline] + __se_sys_readv fs/read_write.c:1031 [inline] + __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +CPU: 0 PID: 3470 Comm: syz-executor751 Not tainted 5.17.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: db65a3aaf29e ("netlink: Trim skb to alloc size to avoid MSG_TRUNC") +Fixes: 9063e21fb026 ("netlink: autosize skb lengthes") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220415181442.551228-1-eric.dumazet@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 24e8ac2b724e..979cd7dff40a 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2212,6 +2212,13 @@ static int netlink_dump(struct sock *sk) + * single netdev. The outcome is MSG_TRUNC error. + */ + skb_reserve(skb, skb_tailroom(skb) - alloc_size); ++ ++ /* Make sure malicious BPF programs can not read unitialized memory ++ * from skb->head -> skb->data ++ */ ++ skb_reset_network_header(skb); ++ skb_reset_mac_header(skb); ++ + netlink_skb_set_owner_r(skb, sk); + + if (nlk->dump_done_errno > 0) +-- +2.35.1 + diff --git a/queue-4.14/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch b/queue-4.14/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch new file mode 100644 index 00000000000..650f3f8f2b9 --- /dev/null +++ b/queue-4.14/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch 
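Review bot: The new comment misspells "uninitialized" (`unitialized`) and does not say who the reader is; since it documents a security invariant, it is worth spelling out: `/* Reset the network and mac headers so a socket filter run from sk_filter() cannot read uninitialized memory between skb->head and skb->data */`. The commit message also explains that the mac header reset is defensive because bpf_internal_load_pointer_neg_helper() does not check skb_mac_header_was_set(); that rationale belongs in the comment so the second reset is not later dropped as redundant. netlink_dump() continues outside the hunk.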
@@ -0,0 +1,41 @@ +From d78274a79453aacb3d0cd29f6968ddefe29ad41d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Mar 2022 14:18:30 +0800 +Subject: platform/x86: samsung-laptop: Fix an unsigned comparison which can + never be negative + +From: Jiapeng Chong + +[ Upstream commit 0284d4d1be753f648f28b77bdfbe6a959212af5c ] + +Eliminate the follow smatch warnings: + +drivers/platform/x86/samsung-laptop.c:1124 kbd_led_set() warn: unsigned +'value' is never less than zero. + +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Link: https://lore.kernel.org/r/20220322061830.105579-1-jiapeng.chong@linux.alibaba.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/samsung-laptop.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c +index d3cb26f6df73..c1c34b495519 100644 +--- a/drivers/platform/x86/samsung-laptop.c ++++ b/drivers/platform/x86/samsung-laptop.c +@@ -1125,8 +1125,6 @@ static void kbd_led_set(struct led_classdev *led_cdev, + + if (value > samsung->kbd_led.max_brightness) + value = samsung->kbd_led.max_brightness; +- else if (value < 0) +- value = 0; + + samsung->kbd_led_wk = value; + queue_work(samsung->led_workqueue, &samsung->kbd_led_work); +-- +2.35.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 69b8235e1e3..54d0d657109 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -7,3 +7,15 @@ gfs2-assign-rgrp-glock-before-compute_bitstructs.patch alsa-usb-audio-clear-midi-port-active-flag-after-draining.patch tcp-fix-race-condition-when-creating-child-sockets-f.patch tcp-fix-potential-use-after-free-due-to-double-kfree.patch +dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch +net-packet-fix-packet_sock-xmit-return-value-checkin.patch +netlink-reset-network-and-mac-headers-in-netlink_dum.patch +arm-vexpress-spc-avoid-negative-array-index-when-smp.patch +platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch +alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch +vxlan-fix-error-return-code-in-vxlan_fdb_append.patch +cifs-check-the-iocb_direct-flag-not-o_direct.patch +brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch +drm-msm-mdp5-check-the-return-of-kzalloc.patch +net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch +stat-fix-inconsistency-between-struct-stat-and-struc.patch diff --git a/queue-4.14/stat-fix-inconsistency-between-struct-stat-and-struc.patch b/queue-4.14/stat-fix-inconsistency-between-struct-stat-and-struc.patch new file mode 100644 index 00000000000..2430f5f60a0 --- /dev/null +++ b/queue-4.14/stat-fix-inconsistency-between-struct-stat-and-struc.patch 
@@ -0,0 +1,138 @@ +From f3ae73808d560f7a03e96d43fbcce00e3caf14bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 05:41:00 -0400 +Subject: stat: fix inconsistency between struct stat and struct compat_stat + +From: Mikulas Patocka + +[ Upstream commit 932aba1e169090357a77af18850a10c256b50819 ] + +struct stat (defined in arch/x86/include/uapi/asm/stat.h) has 32-bit +st_dev and st_rdev; struct compat_stat (defined in +arch/x86/include/asm/compat.h) has 16-bit st_dev and st_rdev followed by +a 16-bit padding. + +This patch fixes struct compat_stat to match struct stat. + +[ Historical note: the old x86 'struct stat' did have that 16-bit field + that the compat layer had kept around, but it was changes back in 2003 + by "struct stat - support larger dev_t": + + https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=e95b2065677fe32512a597a79db94b77b90c968d + + and back in those days, the x86_64 port was still new, and separate + from the i386 code, and had already picked up the old version with a + 16-bit st_dev field ] + +Note that we can't change compat_dev_t because it is used by +compat_loop_info. + +Also, if the st_dev and st_rdev values are 32-bit, we don't have to use +old_valid_dev to test if the value fits into them. This fixes +-EOVERFLOW on filesystems that are on NVMe because NVMe uses the major +number 259. 
+ +Signed-off-by: Mikulas Patocka +Cc: Andreas Schwab +Cc: Matthew Wilcox +Cc: Christoph Hellwig +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/compat.h | 6 ++---- + fs/stat.c | 19 ++++++++++--------- + 2 files changed, 12 insertions(+), 13 deletions(-) + +diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h +index 2cbd75dd2fd3..ea142936bf11 100644 +--- a/arch/x86/include/asm/compat.h ++++ b/arch/x86/include/asm/compat.h +@@ -57,15 +57,13 @@ struct compat_timeval { + }; + + struct compat_stat { +- compat_dev_t st_dev; +- u16 __pad1; ++ u32 st_dev; + compat_ino_t st_ino; + compat_mode_t st_mode; + compat_nlink_t st_nlink; + __compat_uid_t st_uid; + __compat_gid_t st_gid; +- compat_dev_t st_rdev; +- u16 __pad2; ++ u32 st_rdev; + u32 st_size; + u32 st_blksize; + u32 st_blocks; +diff --git a/fs/stat.c b/fs/stat.c +index 873785dae022..0fda4b6b8fb2 100644 +--- a/fs/stat.c ++++ b/fs/stat.c +@@ -286,9 +286,6 @@ SYSCALL_DEFINE2(fstat, unsigned int, fd, struct __old_kernel_stat __user *, stat + # define choose_32_64(a,b) b + #endif + +-#define valid_dev(x) choose_32_64(old_valid_dev(x),true) +-#define encode_dev(x) choose_32_64(old_encode_dev,new_encode_dev)(x) +- + #ifndef INIT_STRUCT_STAT_PADDING + # define INIT_STRUCT_STAT_PADDING(st) memset(&st, 0, sizeof(st)) + #endif +@@ -297,7 +294,9 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf) + { + struct stat tmp; + +- if (!valid_dev(stat->dev) || !valid_dev(stat->rdev)) ++ if (sizeof(tmp.st_dev) < 4 && !old_valid_dev(stat->dev)) ++ return -EOVERFLOW; ++ if (sizeof(tmp.st_rdev) < 4 && !old_valid_dev(stat->rdev)) + return -EOVERFLOW; + #if BITS_PER_LONG == 32 + if (stat->size > MAX_NON_LFS) +@@ -305,7 +304,7 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf) + #endif + + INIT_STRUCT_STAT_PADDING(tmp); +- tmp.st_dev = encode_dev(stat->dev); ++ tmp.st_dev = new_encode_dev(stat->dev); + tmp.st_ino = stat->ino; + if 
(sizeof(tmp.st_ino) < sizeof(stat->ino) && tmp.st_ino != stat->ino) + return -EOVERFLOW; +@@ -315,7 +314,7 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf) + return -EOVERFLOW; + SET_UID(tmp.st_uid, from_kuid_munged(current_user_ns(), stat->uid)); + SET_GID(tmp.st_gid, from_kgid_munged(current_user_ns(), stat->gid)); +- tmp.st_rdev = encode_dev(stat->rdev); ++ tmp.st_rdev = new_encode_dev(stat->rdev); + tmp.st_size = stat->size; + tmp.st_atime = stat->atime.tv_sec; + tmp.st_mtime = stat->mtime.tv_sec; +@@ -582,11 +581,13 @@ static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf) + { + struct compat_stat tmp; + +- if (!old_valid_dev(stat->dev) || !old_valid_dev(stat->rdev)) ++ if (sizeof(tmp.st_dev) < 4 && !old_valid_dev(stat->dev)) ++ return -EOVERFLOW; ++ if (sizeof(tmp.st_rdev) < 4 && !old_valid_dev(stat->rdev)) + return -EOVERFLOW; + + memset(&tmp, 0, sizeof(tmp)); +- tmp.st_dev = old_encode_dev(stat->dev); ++ tmp.st_dev = new_encode_dev(stat->dev); + tmp.st_ino = stat->ino; + if (sizeof(tmp.st_ino) < sizeof(stat->ino) && tmp.st_ino != stat->ino) + return -EOVERFLOW; +@@ -596,7 +597,7 @@ static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf) + return -EOVERFLOW; + SET_UID(tmp.st_uid, from_kuid_munged(current_user_ns(), stat->uid)); + SET_GID(tmp.st_gid, from_kgid_munged(current_user_ns(), stat->gid)); +- tmp.st_rdev = old_encode_dev(stat->rdev); ++ tmp.st_rdev = new_encode_dev(stat->rdev); + if ((u64) stat->size > MAX_NON_LFS) + return -EOVERFLOW; + tmp.st_size = stat->size; +-- +2.35.1 + diff --git a/queue-4.14/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch b/queue-4.14/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch new file mode 100644 index 00000000000..0f2a9b05219 --- /dev/null +++ b/queue-4.14/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch 
@@ -0,0 +1,40 @@ +From 870b7cbd2a1ea728c0d3bfa134d161c5412671c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 22:46:22 -0400 +Subject: vxlan: fix error return code in vxlan_fdb_append + +From: Hongbin Wang + +[ Upstream commit 7cea5560bf656b84f9ed01c0cc829d4eecd0640b ] + +When kmalloc and dst_cache_init failed, +should return ENOMEM rather than ENOBUFS. + +Signed-off-by: Hongbin Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 066a4654e838..31657f15eb07 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -524,11 +524,11 @@ static int vxlan_fdb_append(struct vxlan_fdb *f, + + rd = kmalloc(sizeof(*rd), GFP_ATOMIC); + if (rd == NULL) +- return -ENOBUFS; ++ return -ENOMEM; + + if (dst_cache_init(&rd->dst_cache, GFP_ATOMIC)) { + kfree(rd); +- return -ENOBUFS; ++ return -ENOMEM; + } + + rd->remote_ip = *ip; +-- +2.35.1 +