From: Greg Kroah-Hartman Date: Thu, 26 May 2022 12:24:37 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.18.1~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8629fea55200ca5cdec09af468fa2801c051d54;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: media-vim2m-initialize-the-media-device-earlier.patch media-vim2m-register-video-device-after-setting-up-internals.patch secure_seq-use-the-64-bits-of-the-siphash-for-port-offset-calculation.patch tcp-change-source-port-randomizarion-at-connect-time.patch
---
diff --git a/queue-5.4/media-vim2m-initialize-the-media-device-earlier.patch b/queue-5.4/media-vim2m-initialize-the-media-device-earlier.patch
new file mode 100644
index 00000000000..ef449e40318
--- /dev/null
+++ b/queue-5.4/media-vim2m-initialize-the-media-device-earlier.patch
@@ -0,0 +1,53 @@
+From 1a28dce222a6ece725689ad58c0cf4a1b48894f4 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Tue, 2 Feb 2021 15:49:23 +0100
+Subject: media: vim2m: initialize the media device earlier
+
+From: Hans Verkuil
+
+commit 1a28dce222a6ece725689ad58c0cf4a1b48894f4 upstream.
+
+Before the video device node is registered, the v4l2_dev.mdev
+pointer must be set in order to correctly associate the video
+device with the media device. Move the initialization of the
+media device up.
+
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Mark-PK Tsai
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/vim2m.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/platform/vim2m.c
++++ b/drivers/media/platform/vim2m.c
+@@ -1347,12 +1347,6 @@ static int vim2m_probe(struct platform_d
+ goto error_dev;
+ }
+
+- ret = video_register_device(vfd, VFL_TYPE_GRABBER, 0);
+- if (ret) {
+- v4l2_err(&dev->v4l2_dev, "Failed to register video device\n");
+- goto error_m2m;
+- }
+-
+ #ifdef CONFIG_MEDIA_CONTROLLER
+ dev->mdev.dev = &pdev->dev;
+ strscpy(dev->mdev.model, "vim2m", sizeof(dev->mdev.model));
+@@ -1361,7 +1355,15 @@ static int vim2m_probe(struct platform_d
+ media_device_init(&dev->mdev);
+ dev->mdev.ops = &m2m_media_ops;
+ dev->v4l2_dev.mdev = &dev->mdev;
++#endif
+
++ ret = video_register_device(vfd, VFL_TYPE_GRABBER, 0);
++ if (ret) {
++ v4l2_err(&dev->v4l2_dev, "Failed to register video device\n");
++ goto error_m2m;
++ }
++
++#ifdef CONFIG_MEDIA_CONTROLLER
+ ret = v4l2_m2m_register_media_controller(dev->m2m_dev, vfd,
+ MEDIA_ENT_F_PROC_VIDEO_SCALER);
+ if (ret) {
diff --git a/queue-5.4/media-vim2m-register-video-device-after-setting-up-internals.patch b/queue-5.4/media-vim2m-register-video-device-after-setting-up-internals.patch
new file mode 100644
index 00000000000..16cac8cc19f
--- /dev/null
+++ b/queue-5.4/media-vim2m-register-video-device-after-setting-up-internals.patch
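Review bot: In media-vim2m-initialize-the-media-device-earlier.patch, moving `video_register_device()` below `media_device_init()` means its failure path (`goto error_m2m`) now runs after the media device has been initialised, and the `error_m2m`/`error_dev`/`error_free` labels shown in the companion vim2m patch on this page fall through to `kfree(dev)` without calling `media_device_cleanup()`. On that one error path the initialised media-device state is freed without being torn down when CONFIG_MEDIA_CONTROLLER is set. I would add `#ifdef CONFIG_MEDIA_CONTROLLER` / `media_device_cleanup(&dev->mdev);` / `#endif` at the top of `error_m2m:`. The labels sit outside this hunk, so this should be confirmed against the full vim2m_probe() body.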
@@ -0,0 +1,76 @@
+From cf7f34777a5b4100a3a44ff95f3d949c62892bdd Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Tue, 10 Nov 2020 00:07:22 +0100
+Subject: media: vim2m: Register video device after setting up internals
+
+From: Sakari Ailus
+
+commit cf7f34777a5b4100a3a44ff95f3d949c62892bdd upstream.
+
+Prevent NULL (or close to NULL) pointer dereference in various places by
+registering the video device only when the V4L2 m2m framework has been set
+up.
+
+Fixes: commit 96d8eab5d0a1 ("V4L/DVB: [v5,2/2] v4l: Add a mem-to-mem videobuf framework test device")
+Signed-off-by: Sakari Ailus
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Mark-PK Tsai
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/vim2m.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/drivers/media/platform/vim2m.c
++++ b/drivers/media/platform/vim2m.c
+@@ -1333,12 +1333,6 @@ static int vim2m_probe(struct platform_d
+ vfd->lock = &dev->dev_mutex;
+ vfd->v4l2_dev = &dev->v4l2_dev;
+
+- ret = video_register_device(vfd, VFL_TYPE_GRABBER, 0);
+- if (ret) {
+- v4l2_err(&dev->v4l2_dev, "Failed to register video device\n");
+- goto error_v4l2;
+- }
+-
+ video_set_drvdata(vfd, dev);
+ v4l2_info(&dev->v4l2_dev,
+ "Device registered as /dev/video%d\n", vfd->num);
+@@ -1353,6 +1347,12 @@ static int vim2m_probe(struct platform_d
+ goto error_dev;
+ }
+
++ ret = video_register_device(vfd, VFL_TYPE_GRABBER, 0);
++ if (ret) {
++ v4l2_err(&dev->v4l2_dev, "Failed to register video device\n");
++ goto error_m2m;
++ }
++
+ #ifdef CONFIG_MEDIA_CONTROLLER
+ dev->mdev.dev = &pdev->dev;
+ strscpy(dev->mdev.model, "vim2m", sizeof(dev->mdev.model));
+@@ -1366,7 +1366,7 @@ static int vim2m_probe(struct platform_d
+ MEDIA_ENT_F_PROC_VIDEO_SCALER);
+ if (ret) {
+ v4l2_err(&dev->v4l2_dev, "Failed to init mem2mem media controller\n");
+- goto error_dev;
++ goto error_v4l2;
+ }
+
+ ret = media_device_register(&dev->mdev);
+@@ -1381,11 +1381,13 @@ static int vim2m_probe(struct platform_d
+ error_m2m_mc:
+ v4l2_m2m_unregister_media_controller(dev->m2m_dev);
+ #endif
+-error_dev:
++error_v4l2:
+ video_unregister_device(&dev->vfd);
+ /* vim2m_device_release called by video_unregister_device to release various objects */
+ return ret;
+-error_v4l2:
++error_m2m:
++ v4l2_m2m_release(dev->m2m_dev);
++error_dev:
+ v4l2_device_unregister(&dev->v4l2_dev);
+ error_free:
+ kfree(dev);
diff --git a/queue-5.4/secure_seq-use-the-64-bits-of-the-siphash-for-port-offset-calculation.patch b/queue-5.4/secure_seq-use-the-64-bits-of-the-siphash-for-port-offset-calculation.patch
new file mode 100644
index 00000000000..31c40a4fc43
--- /dev/null
+++ b/queue-5.4/secure_seq-use-the-64-bits-of-the-siphash-for-port-offset-calculation.patch
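Review bot: In the first vim2m.c hunk of media-vim2m-register-video-device-after-setting-up-internals.patch, the context line `v4l2_info(&dev->v4l2_dev, "Device registered as /dev/video%d\n", vfd->num);` stays where it was, so after this change it runs before the relocated `video_register_device()` call. The message is then logged even when registration later fails, and `vfd->num` is read before registration has (presumably) assigned it, so the reported node number can be wrong. Keeping `video_set_drvdata(vfd, dev);` ahead of registration is right, but the `v4l2_info()` call should move to just after the `if (ret) { ... goto error_m2m; }` block added in the second hunk. vim2m_probe() starts and ends outside these hunks.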
@@ -0,0 +1,139 @@
+From b2d057560b8107c633b39aabe517ff9d93f285e3 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau
+Date: Mon, 2 May 2022 10:46:08 +0200
+Subject: secure_seq: use the 64 bits of the siphash for port offset calculation
+
+From: Willy Tarreau
+
+commit b2d057560b8107c633b39aabe517ff9d93f285e3 upstream.
+
+SipHash replaced MD5 in secure_ipv{4,6}_port_ephemeral() via commit
+7cd23e5300c1 ("secure_seq: use SipHash in place of MD5"), but the output
+remained truncated to 32-bit only. In order to exploit more bits from the
+hash, let's make the functions return the full 64-bit of siphash_3u32().
+We also make sure the port offset calculation in __inet_hash_connect()
+remains done on 32-bit to avoid the need for div_u64_rem() and an extra
+cost on 32-bit systems.
+
+Cc: Jason A. Donenfeld
+Cc: Moshe Kol
+Cc: Yossi Gilad
+Cc: Amit Klein
+Reviewed-by: Eric Dumazet
+Signed-off-by: Willy Tarreau
+Signed-off-by: Jakub Kicinski
+[SG: Adjusted context]
+Signed-off-by: Stefan Ghinea
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/inet_hashtables.h | 2 +-
+ include/net/secure_seq.h | 4 ++--
+ net/core/secure_seq.c | 4 ++--
+ net/ipv4/inet_hashtables.c | 10 ++++++----
+ net/ipv6/inet6_hashtables.c | 4 ++--
+ 5 files changed, 13 insertions(+), 11 deletions(-)
+
+--- a/include/net/inet_hashtables.h
++++ b/include/net/inet_hashtables.h
+@@ -420,7 +420,7 @@ static inline void sk_rcv_saddr_set(stru
+ }
+
+ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+- struct sock *sk, u32 port_offset,
++ struct sock *sk, u64 port_offset,
+ int (*check_established)(struct inet_timewait_death_row *,
+ struct sock *, __u16,
+ struct inet_timewait_sock **));
+--- a/include/net/secure_seq.h
++++ b/include/net/secure_seq.h
+@@ -4,8 +4,8 @@
+
+ #include
+
+-u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
+-u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
++u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
++u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+ __be16 dport);
+ u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
+ __be16 sport, __be16 dport);
+--- a/net/core/secure_seq.c
++++ b/net/core/secure_seq.c
+@@ -97,7 +97,7 @@ u32 secure_tcpv6_seq(const __be32 *saddr
+ }
+ EXPORT_SYMBOL(secure_tcpv6_seq);
+
+-u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
++u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+ __be16 dport)
+ {
+ const struct {
+@@ -147,7 +147,7 @@ u32 secure_tcp_seq(__be32 saddr, __be32
+ }
+ EXPORT_SYMBOL_GPL(secure_tcp_seq);
+
+-u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
++u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+ {
+ net_secret_init();
+ return siphash_4u32((__force u32)saddr, (__force u32)daddr,
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -464,7 +464,7 @@ not_unique:
+ return -EADDRNOTAVAIL;
+ }
+
+-static u32 inet_sk_port_offset(const struct sock *sk)
++static u64 inet_sk_port_offset(const struct sock *sk)
+ {
+ const struct inet_sock *inet = inet_sk(sk);
+
+@@ -683,7 +683,7 @@ EXPORT_SYMBOL_GPL(inet_unhash);
+ static u32 table_perturb[1 << INET_TABLE_PERTURB_SHIFT];
+
+ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+- struct sock *sk, u32 port_offset,
++ struct sock *sk, u64 port_offset,
+ int (*check_established)(struct inet_timewait_death_row *,
+ struct sock *, __u16, struct inet_timewait_sock **))
+ {
+@@ -726,7 +726,9 @@ int __inet_hash_connect(struct inet_time
+ net_get_random_once(table_perturb, sizeof(table_perturb));
+ index = hash_32(port_offset, INET_TABLE_PERTURB_SHIFT);
+
+- offset = (READ_ONCE(table_perturb[index]) + port_offset) % remaining;
++ offset = READ_ONCE(table_perturb[index]) + port_offset;
++ offset %= remaining;
++
+ /* In first pass we try ports of @low parity.
+ * inet_csk_get_port() does the opposite choice.
+ */
+@@ -803,7 +805,7 @@ ok:
+ int inet_hash_connect(struct inet_timewait_death_row *death_row,
+ struct sock *sk)
+ {
+- u32 port_offset = 0;
++ u64 port_offset = 0;
+
+ if (!inet_sk(sk)->inet_num)
+ port_offset = inet_sk_port_offset(sk);
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -262,7 +262,7 @@ not_unique:
+ return -EADDRNOTAVAIL;
+ }
+
+-static u32 inet6_sk_port_offset(const struct sock *sk)
++static u64 inet6_sk_port_offset(const struct sock *sk)
+ {
+ const struct inet_sock *inet = inet_sk(sk);
+
+@@ -274,7 +274,7 @@ static u32 inet6_sk_port_offset(const st
+ int inet6_hash_connect(struct inet_timewait_death_row *death_row,
+ struct sock *sk)
+ {
+- u32 port_offset = 0;
++ u64 port_offset = 0;
+
+ if (!inet_sk(sk)->inet_num)
+ port_offset = inet6_sk_port_offset(sk);
diff --git a/queue-5.4/series b/queue-5.4/series
index 90f5a5c8d35..b0aab1dcc4b 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -2,3 +2,7 @@ lockdown-also-lock-down-previous-kgdb-use.patch
 x86-pci-xen-disable-pci-msi-masking-for-xen_hvm-guests.patch
 staging-rtl8723bs-prevent-ssid-overflow-in-rtw_wx_set_scan.patch
 input-goodix-fix-spurious-key-release-events.patch
+tcp-change-source-port-randomizarion-at-connect-time.patch
+secure_seq-use-the-64-bits-of-the-siphash-for-port-offset-calculation.patch
+media-vim2m-register-video-device-after-setting-up-internals.patch
+media-vim2m-initialize-the-media-device-earlier.patch
diff --git a/queue-5.4/tcp-change-source-port-randomizarion-at-connect-time.patch b/queue-5.4/tcp-change-source-port-randomizarion-at-connect-time.patch
new file mode 100644
index 00000000000..b5aba7ea2c1
--- /dev/null
+++ b/queue-5.4/tcp-change-source-port-randomizarion-at-connect-time.patch
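Review bot: In the net/ipv4/inet_hashtables.c part of the secure_seq patch, the widened `u64 port_offset` is narrowed again without saying so: `hash_32(port_offset, INET_TABLE_PERTURB_SHIFT)` takes a 32-bit value and `offset` is declared `u32` (visible in the tcp patch on this page), so both uses silently drop the upper 32 bits. The commit message says the 32-bit arithmetic is deliberate, but as written nothing in `__inet_hash_connect()` consumes the extra hash bits, and the implicit conversions read like an oversight. I would make the intent explicit with `index = hash_32((u32)port_offset, INET_TABLE_PERTURB_SHIFT);` and `offset = READ_ONCE(table_perturb[index]) + (u32)port_offset;`, plus a one-line comment that the high half of `port_offset` is currently unused. The function body continues outside these hunks.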
@@ -0,0 +1,98 @@
+From 190cc82489f46f9d88e73c81a47e14f80a791e1a Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 9 Feb 2021 11:20:27 -0800
+Subject: tcp: change source port randomizarion at connect() time
+
+From: Eric Dumazet
+
+commit 190cc82489f46f9d88e73c81a47e14f80a791e1a upstream.
+
+RFC 6056 (Recommendations for Transport-Protocol Port Randomization)
+provides good summary of why source selection needs extra care.
+
+David Dworken reminded us that linux implements Algorithm 3
+as described in RFC 6056 3.3.3
+
+Quoting David :
+ In the context of the web, this creates an interesting info leak where
+ websites can count how many TCP connections a user's computer is
+ establishing over time. For example, this allows a website to count
+ exactly how many subresources a third party website loaded.
+ This also allows:
+ - Distinguishing between different users behind a VPN based on
+ distinct source port ranges.
+ - Tracking users over time across multiple networks.
+ - Covert communication channels between different browsers/browser
+ profiles running on the same computer
+ - Tracking what applications are running on a computer based on
+ the pattern of how fast source ports are getting incremented.
+
+Section 3.3.4 describes an enhancement, that reduces
+attackers ability to use the basic information currently
+stored into the shared 'u32 hint'.
+
+This change also decreases collision rate when
+multiple applications need to connect() to
+different destinations.
+
+Signed-off-by: Eric Dumazet
+Reported-by: David Dworken
+Cc: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Stefan Ghinea
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/inet_hashtables.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -671,6 +671,17 @@ unlock:
+ }
+ EXPORT_SYMBOL_GPL(inet_unhash);
+
++/* RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm
++ * Note that we use 32bit integers (vs RFC 'short integers')
++ * because 2^16 is not a multiple of num_ephemeral and this
++ * property might be used by clever attacker.
++ * RFC claims using TABLE_LENGTH=10 buckets gives an improvement,
++ * we use 256 instead to really give more isolation and
++ * privacy, this only consumes 1 KB of kernel memory.
++ */
++#define INET_TABLE_PERTURB_SHIFT 8
++static u32 table_perturb[1 << INET_TABLE_PERTURB_SHIFT];
++
+ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+ struct sock *sk, u32 port_offset,
+ int (*check_established)(struct inet_timewait_death_row *,
+@@ -684,8 +695,8 @@ int __inet_hash_connect(struct inet_time
+ struct inet_bind_bucket *tb;
+ u32 remaining, offset;
+ int ret, i, low, high;
+- static u32 hint;
+ int l3mdev;
++ u32 index;
+
+ if (port) {
+ head = &hinfo->bhash[inet_bhashfn(net, port,
+@@ -712,7 +723,10 @@ int __inet_hash_connect(struct inet_time
+ if (likely(remaining > 1))
+ remaining &= ~1U;
+
+- offset = (hint + port_offset) % remaining;
++ net_get_random_once(table_perturb, sizeof(table_perturb));
++ index = hash_32(port_offset, INET_TABLE_PERTURB_SHIFT);
++
++ offset = (READ_ONCE(table_perturb[index]) + port_offset) % remaining;
+ /* In first pass we try ports of @low parity.
+ * inet_csk_get_port() does the opposite choice.
+ */
+@@ -766,7 +780,7 @@ next_port:
+ return -EADDRNOTAVAIL;
+
+ ok:
+- hint += i + 2;
++ WRITE_ONCE(table_perturb[index], READ_ONCE(table_perturb[index]) + i + 2);
+
+ /* Head lock still held and bh's disabled */
+ inet_bind_hash(sk, tb, port);
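Review bot: The new `table_perturb[]` in net/ipv4/inet_hashtables.c narrows the shared-counter leak described in the commit message but does not remove it: with `INET_TABLE_PERTURB_SHIFT 8` there are only 256 counters, each still advanced by the deterministic `i + 2` at `ok:`, so destinations whose `port_offset` hashes to the same index keep sharing one observable counter. The block comment above the table should record that residual, e.g. `* Destinations colliding in hash_32() still share a counter; a larger table reduces this.` Separately, `WRITE_ONCE(table_perturb[index], READ_ONCE(table_perturb[index]) + i + 2);` is an unlocked read-modify-write, so concurrent connect() calls can lose an increment; that looks harmless here but deserves a one-line comment saying it is intentional. `__inet_hash_connect()` starts and ends outside these hunks.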