From: Greg Kroah-Hartman Date: Tue, 3 Mar 2020 10:13:09 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.108~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f4e95ca9db13ba294b5a13e77effc031958f2635;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: net-atlantic-fix-potential-error-handling.patch net-atlantic-fix-use-after-free-kasan-warn.patch net-netlink-cap-max-groups-which-will-be-considered-in-netlink_bind.patch s390-qeth-vnicc-fix-eopnotsupp-precedence.patch --- diff --git a/queue-4.19/net-atlantic-fix-potential-error-handling.patch b/queue-4.19/net-atlantic-fix-potential-error-handling.patch new file mode 100644 index 00000000000..50024b01882 --- /dev/null +++ b/queue-4.19/net-atlantic-fix-potential-error-handling.patch @@ -0,0 +1,40 @@ +From 380ec5b9af7f0d57dbf6ac067fd9f33cff2fef71 Mon Sep 17 00:00:00 2001 +From: Pavel Belous +Date: Fri, 14 Feb 2020 18:44:56 +0300 +Subject: net: atlantic: fix potential error handling + +From: Pavel Belous + +commit 380ec5b9af7f0d57dbf6ac067fd9f33cff2fef71 upstream. + +Code inspection found that in case of mapping error we do return current +'ret' value. But beside error, it is used to count number of descriptors +allocated for the packet. In that case map_skb function could return '1'. + +Changing it to return zero (number of mapped descriptors for skb) + +Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code") +Signed-off-by: Pavel Belous +Signed-off-by: Igor Russkikh +Signed-off-by: Dmitry Bogdanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -399,8 +399,10 @@ static unsigned int aq_nic_map_skb(struc + dx_buff->len, + DMA_TO_DEVICE); + +- if (unlikely(dma_mapping_error(aq_nic_get_dev(self), dx_buff->pa))) ++ if (unlikely(dma_mapping_error(aq_nic_get_dev(self), dx_buff->pa))) { ++ ret = 0; + goto exit; ++ } + + first = dx_buff; + dx_buff->len_pkt = skb->len; diff --git a/queue-4.19/net-atlantic-fix-use-after-free-kasan-warn.patch b/queue-4.19/net-atlantic-fix-use-after-free-kasan-warn.patch new file mode 100644 index 00000000000..6dd12b696c0 --- /dev/null +++ b/queue-4.19/net-atlantic-fix-use-after-free-kasan-warn.patch @@ -0,0 +1,62 @@ +From a4980919ad6a7be548d499bc5338015e1a9191c6 Mon Sep 17 00:00:00 2001 +From: Pavel Belous +Date: Fri, 14 Feb 2020 18:44:55 +0300 +Subject: net: atlantic: fix use after free kasan warn + +From: Pavel Belous + +commit a4980919ad6a7be548d499bc5338015e1a9191c6 upstream. + +skb->len is used to calculate statistics after xmit invocation. + +Under a stress load it may happen that skb will be xmited, +rx interrupt will come and skb will be freed, all before xmit function +is even returned. + +Eventually, skb->len will access unallocated area. + +Moving stats calculation into tx_clean routine. + +Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code") +Reported-by: Christophe Vu-Brugier +Signed-off-by: Igor Russkikh +Signed-off-by: Pavel Belous +Signed-off-by: Dmitry Bogdanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 4 ---- + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 7 +++++-- + 2 files changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -530,10 +530,6 @@ int aq_nic_xmit(struct aq_nic_s *self, s + if (likely(frags)) { + err = self->aq_hw_ops->hw_ring_tx_xmit(self->aq_hw, + ring, frags); +- if (err >= 0) { +- ++ring->stats.tx.packets; +- ring->stats.tx.bytes += skb->len; +- } + } else { + err = NETDEV_TX_BUSY; + } +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -162,9 +162,12 @@ bool aq_ring_tx_clean(struct aq_ring_s * + } + } + +- if (unlikely(buff->is_eop)) +- dev_kfree_skb_any(buff->skb); ++ if (unlikely(buff->is_eop)) { ++ ++self->stats.rx.packets; ++ self->stats.tx.bytes += buff->skb->len; + ++ dev_kfree_skb_any(buff->skb); ++ } + buff->pa = 0U; + buff->eop_index = 0xffffU; + self->sw_head = aq_ring_next_dx(self, self->sw_head); diff --git a/queue-4.19/net-netlink-cap-max-groups-which-will-be-considered-in-netlink_bind.patch b/queue-4.19/net-netlink-cap-max-groups-which-will-be-considered-in-netlink_bind.patch new file mode 100644 index 00000000000..a209d345335 --- /dev/null +++ b/queue-4.19/net-netlink-cap-max-groups-which-will-be-considered-in-netlink_bind.patch @@ -0,0 +1,53 @@ +From 3a20773beeeeadec41477a5ba872175b778ff752 Mon Sep 17 00:00:00 2001 +From: Nikolay Aleksandrov +Date: Thu, 20 Feb 2020 16:42:13 +0200 +Subject: net: netlink: cap max groups which will be considered in netlink_bind() + +From: Nikolay Aleksandrov + +commit 3a20773beeeeadec41477a5ba872175b778ff752 upstream. + +Since nl_groups is a u32 we can't bind more groups via ->bind +(netlink_bind) call, but netlink has supported more groups via +setsockopt() for a long time and thus nlk->ngroups could be over 32. +Recently I added support for per-vlan notifications and increased the +groups to 33 for NETLINK_ROUTE which exposed an old bug in the +netlink_bind() code causing out-of-bounds access on archs where unsigned +long is 32 bits via test_bit() on a local variable. Fix this by capping the +maximum groups in netlink_bind() to BITS_PER_TYPE(u32), effectively +capping them at 32 which is the minimum of allocated groups and the +maximum groups which can be bound via netlink_bind(). + +CC: Christophe Leroy +CC: Richard Guy Briggs +Fixes: 4f520900522f ("netlink: have netlink per-protocol bind function return an error code.") +Reported-by: Erhard F. +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/netlink/af_netlink.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1029,7 +1029,8 @@ static int netlink_bind(struct socket *s + if (nlk->netlink_bind && groups) { + int group; + +- for (group = 0; group < nlk->ngroups; group++) { ++ /* nl_groups is a u32, so cap the maximum groups we can bind */ ++ for (group = 0; group < BITS_PER_TYPE(u32); group++) { + if (!test_bit(group, &groups)) + continue; + err = nlk->netlink_bind(net, group + 1); +@@ -1048,7 +1049,7 @@ static int netlink_bind(struct socket *s + netlink_insert(sk, nladdr->nl_pid) : + netlink_autobind(sock); + if (err) { +- netlink_undo_bind(nlk->ngroups, groups, sk); ++ netlink_undo_bind(BITS_PER_TYPE(u32), groups, sk); + goto unlock; + } + } diff --git a/queue-4.19/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch b/queue-4.19/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch index 242ce60a2da..8d425bc5913 100644 --- a/queue-4.19/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch +++ b/queue-4.19/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch @@ -5,6 +5,8 @@ Subject: net: phy: restore mdio regs in the iproc mdio driver From: Arun Parameswaran +commit 6f08e98d62799e53c89dbf2c9a49d77e20ca648c upstream. + The mii management register in iproc mdio block does not have a retention register so it is lost on suspend. Save and restore value of register while resuming from suspend. diff --git a/queue-4.19/s390-qeth-vnicc-fix-eopnotsupp-precedence.patch b/queue-4.19/s390-qeth-vnicc-fix-eopnotsupp-precedence.patch new file mode 100644 index 00000000000..fcb51008d59 --- /dev/null +++ b/queue-4.19/s390-qeth-vnicc-fix-eopnotsupp-precedence.patch @@ -0,0 +1,106 @@ +From 6f3846f0955308b6d1b219419da42b8de2c08845 Mon Sep 17 00:00:00 2001 +From: Alexandra Winter +Date: Thu, 20 Feb 2020 15:54:54 +0100 +Subject: s390/qeth: vnicc Fix EOPNOTSUPP precedence + +From: Alexandra Winter + +commit 6f3846f0955308b6d1b219419da42b8de2c08845 upstream. + +When getting or setting VNICC parameters, the error code EOPNOTSUPP +should have precedence over EBUSY. + +EBUSY is used because vnicc feature and bridgeport feature are mutually +exclusive, which is a temporary condition. +Whereas EOPNOTSUPP indicates that the HW does not support all or parts of +the vnicc feature. +This issue causes the vnicc sysfs params to show 'blocked by bridgeport' +for HW that does not support VNICC at all. + +Fixes: caa1f0b10d18 ("s390/qeth: add VNICC enable/disable support") +Signed-off-by: Alexandra Winter +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/net/qeth_l2_main.c | 29 +++++++++++++---------------- + 1 file changed, 13 insertions(+), 16 deletions(-) + +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -2148,15 +2148,14 @@ int qeth_l2_vnicc_set_state(struct qeth_ + + QETH_CARD_TEXT(card, 2, "vniccsch"); + +- /* do not change anything if BridgePort is enabled */ +- if (qeth_bridgeport_is_in_use(card)) +- return -EBUSY; +- + /* check if characteristic and enable/disable are supported */ + if (!(card->options.vnicc.sup_chars & vnicc) || + !(card->options.vnicc.set_char_sup & vnicc)) + return -EOPNOTSUPP; + ++ if (qeth_bridgeport_is_in_use(card)) ++ return -EBUSY; ++ + /* set enable/disable command and store wanted characteristic */ + if (state) { + cmd = IPA_VNICC_ENABLE; +@@ -2202,14 +2201,13 @@ int qeth_l2_vnicc_get_state(struct qeth_ + + QETH_CARD_TEXT(card, 2, "vniccgch"); + +- /* do not get anything if BridgePort is enabled */ +- if (qeth_bridgeport_is_in_use(card)) +- return -EBUSY; +- + /* check if characteristic is supported */ + if (!(card->options.vnicc.sup_chars & vnicc)) + return -EOPNOTSUPP; + ++ if (qeth_bridgeport_is_in_use(card)) ++ return -EBUSY; ++ + /* if card is ready, query current VNICC state */ + if (qeth_card_hw_is_reachable(card)) + rc = qeth_l2_vnicc_query_chars(card); +@@ -2227,15 +2225,14 @@ int qeth_l2_vnicc_set_timeout(struct qet + + QETH_CARD_TEXT(card, 2, "vniccsto"); + +- /* do not change anything if BridgePort is enabled */ +- if (qeth_bridgeport_is_in_use(card)) +- return -EBUSY; +- + /* check if characteristic and set_timeout are supported */ + if (!(card->options.vnicc.sup_chars & QETH_VNICC_LEARNING) || + !(card->options.vnicc.getset_timeout_sup & QETH_VNICC_LEARNING)) + return -EOPNOTSUPP; + ++ if (qeth_bridgeport_is_in_use(card)) ++ return -EBUSY; ++ + /* do we need to do anything? */ + if (card->options.vnicc.learning_timeout == timeout) + return rc; +@@ -2264,14 +2261,14 @@ int qeth_l2_vnicc_get_timeout(struct qet + + QETH_CARD_TEXT(card, 2, "vniccgto"); + +- /* do not get anything if BridgePort is enabled */ +- if (qeth_bridgeport_is_in_use(card)) +- return -EBUSY; +- + /* check if characteristic and get_timeout are supported */ + if (!(card->options.vnicc.sup_chars & QETH_VNICC_LEARNING) || + !(card->options.vnicc.getset_timeout_sup & QETH_VNICC_LEARNING)) + return -EOPNOTSUPP; ++ ++ if (qeth_bridgeport_is_in_use(card)) ++ return -EBUSY; ++ + /* if card is ready, get timeout. Otherwise, just return stored value */ + *timeout = card->options.vnicc.learning_timeout; + if (qeth_card_hw_is_reachable(card)) diff --git a/queue-4.19/series b/queue-4.19/series index a69615a768b..921c1fabf26 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -58,3 +58,7 @@ drm-i915-gvt-fix-orphan-vgpu-dmabuf_objs-lifetime.patch drm-i915-gvt-separate-display-reset-from-all_engines-reset.patch hv_netvsc-fix-unwanted-wakeup-in-netvsc_attach.patch usb-charger-assign-specific-number-for-enum-value.patch +s390-qeth-vnicc-fix-eopnotsupp-precedence.patch +net-netlink-cap-max-groups-which-will-be-considered-in-netlink_bind.patch +net-atlantic-fix-use-after-free-kasan-warn.patch +net-atlantic-fix-potential-error-handling.patch