From 4e91b229673476d02427827b2bf3831b2292b6df Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 20 Aug 2023 19:42:06 -0400 Subject: [PATCH] Fixes for 5.15 
Signed-off-by: Sasha Levin --- ...tek-remodified-3k-pull-low-procedure.patch | 63 ++++++ ...default-tuning-step-for-imx6sx-usdhc.patch | 63 ++++++ ...rb5165-rb5-fix-thermal-zone-conflict.patch | 45 ++++ ...dm-formatter-fix-channel-slot-alloca.patch | 110 +++++++++ ...65-add-missed-regulator_bulk_disable.patch | 38 ++++ ...h-posted-write-on-enable-before-rese.patch | 48 ++++ ...-fix-auo-g121ean01-panel-timings-acc.patch | 78 +++++++ .../i40e-fix-misleading-debug-logs.patch | 67 ++++++ ...ix-fdir-rule-fields-masks-validation.patch | 209 ++++++++++++++++++ ...ab-use-after-free-in-decode_session6.patch | 117 ++++++++++ ...tial-slab-use-after-free-in-decode_s.patch | 48 ++++ ...acy-memcpy-in-proc_do_sync_threshold.patch | 69 ++++++ ...-af_key-fix-sadb_x_filter-validation.patch | 41 ++++ ...w-gso_size-to-be-set-to-gso_by_frags.patch | 90 ++++++++ ...x-wait-for-eeprom-done-before-hw-res.patch | 49 ++++ ...oadcom-stub-c45-read-write-for-54810.patch | 58 +++++ ...based-wake-on-lan-over-hibernate-pow.patch | 92 ++++++++ ...d-xfrma_sec_ctx-nla_policy-structure.patch | 62 ++++++ ...frm-fix-xfrm_address_filter-oob-read.patch | 202 +++++++++++++++++ ...les-deactivate-catchall-elements-in-.patch | 48 ++++ ...les-fix-false-positive-lockdep-splat.patch | 70 ++++++ ...lter-nft_dynset-disallow-object-maps.patch | 36 +++ ...turn-the-number-of-bytes-effectively.patch | 91 ++++++++ ..._gre_changes-tighten-up-the-ttl-test.patch | 48 ++++ queue-5.15/series | 34 +++ ...aspeed-socinfo-add-kfree-for-kstrdup.patch | 37 ++++ ...x-misuse-of-sk_under_memory_pressure.patch | 74 +++++++ ...ct-deletion-of-eth_p_8021ad-protocol.patch | 54 +++++ ...srso_safe_ret-and-__x86_return_thunk.patch | 53 +++++ ...-the-mitigation-status-when-smt-is-d.patch | 48 ++++ ...-the-mitigation-on-unaffected-config.patch | 50 +++++ ...-static_call-fix-__static_call_fixup.patch | 56 +++++ ...en-nla_policy-for-xfrma_mtimer_thres.patch | 54 +++++ ...-null-check-in-xfrm_update_ae_params.patch | 104 +++++++++ 
...ab-use-after-free-in-decode_session6.patch | 122 ++++++++++ 35 files changed, 2528 insertions(+) create mode 100644 queue-5.15/alsa-hda-realtek-remodified-3k-pull-low-procedure.patch create mode 100644 queue-5.15/arm-dts-imx-set-default-tuning-step-for-imx6sx-usdhc.patch create mode 100644 queue-5.15/arm64-dts-qcom-qrb5165-rb5-fix-thermal-zone-conflict.patch create mode 100644 queue-5.15/asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch create mode 100644 queue-5.15/asoc-rt5665-add-missed-regulator_bulk_disable.patch create mode 100644 queue-5.15/bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch create mode 100644 queue-5.15/drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch create mode 100644 queue-5.15/i40e-fix-misleading-debug-logs.patch create mode 100644 queue-5.15/iavf-fix-fdir-rule-fields-masks-validation.patch create mode 100644 queue-5.15/ip6_vti-fix-slab-use-after-free-in-decode_session6.patch create mode 100644 queue-5.15/ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch create mode 100644 queue-5.15/ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch create mode 100644 queue-5.15/net-af_key-fix-sadb_x_filter-validation.patch create mode 100644 queue-5.15/net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch create mode 100644 queue-5.15/net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch create mode 100644 queue-5.15/net-phy-broadcom-stub-c45-read-write-for-54810.patch create mode 100644 queue-5.15/net-phy-fix-irq-based-wake-on-lan-over-hibernate-pow.patch create mode 100644 queue-5.15/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch create mode 100644 queue-5.15/net-xfrm-fix-xfrm_address_filter-oob-read.patch create mode 100644 queue-5.15/netfilter-nf_tables-deactivate-catchall-elements-in-.patch create mode 100644 queue-5.15/netfilter-nf_tables-fix-false-positive-lockdep-splat.patch create mode 100644 queue-5.15/netfilter-nft_dynset-disallow-object-maps.patch create mode 100644 
queue-5.15/riscv-uaccess-return-the-number-of-bytes-effectively.patch create mode 100644 queue-5.15/selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch create mode 100644 queue-5.15/soc-aspeed-socinfo-add-kfree-for-kstrdup.patch create mode 100644 queue-5.15/sock-fix-misuse-of-sk_under_memory_pressure.patch create mode 100644 queue-5.15/team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch create mode 100644 queue-5.15/x86-cpu-fix-up-srso_safe_ret-and-__x86_return_thunk.patch create mode 100644 queue-5.15/x86-srso-correct-the-mitigation-status-when-smt-is-d.patch create mode 100644 queue-5.15/x86-srso-disable-the-mitigation-on-unaffected-config.patch create mode 100644 queue-5.15/x86-static_call-fix-__static_call_fixup.patch create mode 100644 queue-5.15/xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch create mode 100644 queue-5.15/xfrm-add-null-check-in-xfrm_update_ae_params.patch create mode 100644 queue-5.15/xfrm-fix-slab-use-after-free-in-decode_session6.patch diff --git a/queue-5.15/alsa-hda-realtek-remodified-3k-pull-low-procedure.patch b/queue-5.15/alsa-hda-realtek-remodified-3k-pull-low-procedure.patch new file mode 100644 index 00000000000..6d376b60b38 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-remodified-3k-pull-low-procedure.patch 
@@ -0,0 +1,63 @@ +From 5971d0ffcbd7017dc1dc44a2af0a55a35f7e3532 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 15:54:23 +0800 +Subject: ALSA: hda/realtek - Remodified 3k pull low procedure + +From: Kailang Yang + +[ Upstream commit 46cdff2369cbdf8d78081a22526e77bd1323f563 ] + +Set spec->en_3kpull_low default to true. +Then fillback ALC236 and ALC257 to false. + +Additional note: this addresses a regression caused by the previous +fix 69ea4c9d02b7 ("ALSA: hda/realtek - remove 3k pull low procedure"). +The previous workaround was applied too widely without necessity, +which resulted in the pop noise at PM again. This patch corrects the +condition and restores the old behavior for the devices that don't +suffer from the original problem. + +Fixes: 69ea4c9d02b7 ("ALSA: hda/realtek - remove 3k pull low procedure") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217732 +Link: https://lore.kernel.org/r/01e212a538fc407ca6edd10b81ff7b05@realtek.com +Signed-off-by: Kailang Yang +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index e335f3b5338f7..59e11a070c202 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10088,6 +10088,7 @@ static int patch_alc269(struct hda_codec *codec) + spec = codec->spec; + spec->gen.shared_mic_vref_pin = 0x18; + codec->power_save_node = 0; ++ spec->en_3kpull_low = true; + + #ifdef CONFIG_PM + codec->patch_ops.suspend = alc269_suspend; +@@ -10170,14 +10171,16 @@ static int patch_alc269(struct hda_codec *codec) + spec->shutup = alc256_shutup; + spec->init_hook = alc256_init; + spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */ +- if (codec->bus->pci->vendor == PCI_VENDOR_ID_AMD) +- spec->en_3kpull_low = true; ++ if (codec->core.vendor_id == 0x10ec0236 && ++ codec->bus->pci->vendor != 
PCI_VENDOR_ID_AMD) ++ spec->en_3kpull_low = false; + break; + case 0x10ec0257: + spec->codec_variant = ALC269_TYPE_ALC257; + spec->shutup = alc256_shutup; + spec->init_hook = alc256_init; + spec->gen.mixer_nid = 0; ++ spec->en_3kpull_low = false; + break; + case 0x10ec0215: + case 0x10ec0245: +-- +2.40.1 + diff --git a/queue-5.15/arm-dts-imx-set-default-tuning-step-for-imx6sx-usdhc.patch b/queue-5.15/arm-dts-imx-set-default-tuning-step-for-imx6sx-usdhc.patch new file mode 100644 index 00000000000..18e66ce8334 --- /dev/null +++ b/queue-5.15/arm-dts-imx-set-default-tuning-step-for-imx6sx-usdhc.patch 
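Review bot: The new `spec->en_3kpull_low = true;` default at the top of `patch_alc269` now turns the pull-low procedure on for every codec variant handled by the switch, with only ALC236 (when not on an AMD bus) and ALC257 opting back out; the commit message explains why, but nothing in the code does. A comment on the new default line, `/* default on; ALC236 (non-AMD) and ALC257 opt out in the switch below */`, would save the next reader a trip to the log. The switch body continues outside the hunk, so I cannot tell from here whether any other variant also clears the flag.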
@@ -0,0 +1,63 @@ +From ba4bde9c84653e7cfcedd74b2723683064c9fc35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jul 2023 15:57:47 +0800 +Subject: ARM: dts: imx: Set default tuning step for imx6sx usdhc + +From: Xiaolei Wang + +[ Upstream commit 0a2b96e42a0284c4fc03022236f656a085ca714a ] + +If the tuning step is not set, the tuning step is set to 1. +For some sd cards, the following Tuning timeout will occur. + +Tuning failed, falling back to fixed sampling clock + +So set the default tuning step. This refers to the NXP vendor's +commit below: + +https://github.com/nxp-imx/linux-imx/blob/lf-6.1.y/ +arch/arm/boot/dts/imx6sx.dtsi#L1108-L1109 + +Fixes: 1e336aa0c025 ("mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting") +Signed-off-by: Xiaolei Wang +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6sx.dtsi | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi +index 8bef5440278ba..3e779fd0a3961 100644 +--- a/arch/arm/boot/dts/imx6sx.dtsi ++++ b/arch/arm/boot/dts/imx6sx.dtsi +@@ -981,6 +981,8 @@ + <&clks IMX6SX_CLK_USDHC1>; + clock-names = "ipg", "ahb", "per"; + bus-width = <4>; ++ fsl,tuning-start-tap = <20>; ++ fsl,tuning-step= <2>; + status = "disabled"; + }; + +@@ -993,6 +995,8 @@ + <&clks IMX6SX_CLK_USDHC2>; + clock-names = "ipg", "ahb", "per"; + bus-width = <4>; ++ fsl,tuning-start-tap = <20>; ++ fsl,tuning-step= <2>; + status = "disabled"; + }; + +@@ -1005,6 +1009,8 @@ + <&clks IMX6SX_CLK_USDHC3>; + clock-names = "ipg", "ahb", "per"; + bus-width = <4>; ++ fsl,tuning-start-tap = <20>; ++ fsl,tuning-step= <2>; + status = "disabled"; + }; + +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-qrb5165-rb5-fix-thermal-zone-conflict.patch b/queue-5.15/arm64-dts-qcom-qrb5165-rb5-fix-thermal-zone-conflict.patch new file mode 100644 index 00000000000..708e89f12a3 --- /dev/null 
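Review bot: The three added `fsl,tuning-step= <2>;` properties drop the space before `=`, unlike the `fsl,tuning-start-tap = <20>;` line just above each of them and the rest of the node; write `fsl,tuning-step = <2>;` in all three usdhc nodes so the formatting matches. The values themselves are the ones the description attributes to the NXP vendor tree, which I cannot check from this page. If the dtsi has further usdhc nodes outside this hunk, they are left without the properties; confirm that is intended.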
+++ b/queue-5.15/arm64-dts-qcom-qrb5165-rb5-fix-thermal-zone-conflict.patch @@ -0,0 +1,45 @@ +From 3b28ff7c89f4c4905279b2bb58d6842f09498cd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 16:12:24 +0300 +Subject: arm64: dts: qcom: qrb5165-rb5: fix thermal zone conflict + +From: Dmitry Baryshkov + +[ Upstream commit 798f1df86e5709b7b6aedf493cc04c7fedbf544a ] + +The commit 3a786086c6f8 ("arm64: dts: qcom: Add missing "-thermal" +suffix for thermal zones") renamed the thermal zone in the pm8150l.dtsi +file to comply with the schema. However this resulted in a clash with +the RB5 board file, which already contained the pm8150l-thermal zone for +the on-board sensor. This resulted in the board file definition +overriding the thermal zone defined in the PMIC include file (and thus +the on-die PMIC temp alarm was not probing at all). + +Rename the thermal zone in qcom/qrb5165-rb5.dts to remove this override. + +Fixes: 3a786086c6f8 ("arm64: dts: qcom: Add missing "-thermal" suffix for thermal zones") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230613131224.666668-1-dmitry.baryshkov@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/qrb5165-rb5.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/qrb5165-rb5.dts b/arch/arm64/boot/dts/qcom/qrb5165-rb5.dts +index 0ce2d36ab257f..d3449cb52defe 100644 +--- a/arch/arm64/boot/dts/qcom/qrb5165-rb5.dts ++++ b/arch/arm64/boot/dts/qcom/qrb5165-rb5.dts +@@ -113,7 +113,7 @@ + }; + }; + +- pm8150l-thermal { ++ pm8150l-pcb-thermal { + polling-delay-passive = <0>; + polling-delay = <0>; + thermal-sensors = <&pm8150l_adc_tm 1>; +-- +2.40.1 + diff --git a/queue-5.15/asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch b/queue-5.15/asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch new file mode 100644 index 00000000000..1b1e14f7278 --- /dev/null 
+++ b/queue-5.15/asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch 
@@ -0,0 +1,110 @@ +From 52e601cd29ed6bafd4c64d62316071a95b9101aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Aug 2023 19:19:31 +0200 +Subject: ASoC: meson: axg-tdm-formatter: fix channel slot allocation + +From: Jerome Brunet + +[ Upstream commit c1f848f12103920ca165758aedb1c10904e193e1 ] + +When the tdm lane mask is computed, the driver currently fills the 1st lane +before moving on to the next. If the stream has less channels than the +lanes can accommodate, slots will be disabled on the last lanes. + +Unfortunately, the HW distribute channels in a different way. It distribute +channels in pair on each lanes before moving on the next slots. + +This difference leads to problems if a device has an interface with more +than 1 lane and with more than 2 slots per lane. + +For example: a playback interface with 2 lanes and 4 slots each (total 8 +slots - zero based numbering) +- Playing a 8ch stream: + - All slots activated by the driver + - channel #2 will be played on lane #1 - slot #0 following HW placement +- Playing a 4ch stream: + - Lane #1 disabled by the driver + - channel #2 will be played on lane #0 - slot #2 + +This behaviour is obviously not desirable. + +Change the way slots are activated on the TDM lanes to follow what the HW +does and make sure each channel always get mapped to the same slot/lane. 
+ +Fixes: 1a11d88f499c ("ASoC: meson: add tdm formatter base driver") +Signed-off-by: Jerome Brunet +Link: https://lore.kernel.org/r/20230809171931.1244502-1-jbrunet@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/meson/axg-tdm-formatter.c | 42 ++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 16 deletions(-) + +diff --git a/sound/soc/meson/axg-tdm-formatter.c b/sound/soc/meson/axg-tdm-formatter.c +index cab7fa2851aa8..4834cfd163c03 100644 +--- a/sound/soc/meson/axg-tdm-formatter.c ++++ b/sound/soc/meson/axg-tdm-formatter.c +@@ -30,27 +30,32 @@ int axg_tdm_formatter_set_channel_masks(struct regmap *map, + struct axg_tdm_stream *ts, + unsigned int offset) + { +- unsigned int val, ch = ts->channels; +- unsigned long mask; +- int i, j; ++ unsigned int ch = ts->channels; ++ u32 val[AXG_TDM_NUM_LANES]; ++ int i, j, k; ++ ++ /* ++ * We need to mimick the slot distribution used by the HW to keep the ++ * channel placement consistent regardless of the number of channel ++ * in the stream. This is why the odd algorithm below is used. ++ */ ++ memset(val, 0, sizeof(*val) * AXG_TDM_NUM_LANES); + + /* + * Distribute the channels of the stream over the available slots +- * of each TDM lane ++ * of each TDM lane. We need to go over the 32 slots ... + */ +- for (i = 0; i < AXG_TDM_NUM_LANES; i++) { +- val = 0; +- mask = ts->mask[i]; +- +- for (j = find_first_bit(&mask, 32); +- (j < 32) && ch; +- j = find_next_bit(&mask, 32, j + 1)) { +- val |= 1 << j; +- ch -= 1; ++ for (i = 0; (i < 32) && ch; i += 2) { ++ /* ... of all the lanes ... */ ++ for (j = 0; j < AXG_TDM_NUM_LANES; j++) { ++ /* ... 
then distribute the channels in pairs */ ++ for (k = 0; k < 2; k++) { ++ if ((BIT(i + k) & ts->mask[j]) && ch) { ++ val[j] |= BIT(i + k); ++ ch -= 1; ++ } ++ } + } +- +- regmap_write(map, offset, val); +- offset += regmap_get_reg_stride(map); + } + + /* +@@ -63,6 +68,11 @@ int axg_tdm_formatter_set_channel_masks(struct regmap *map, + return -EINVAL; + } + ++ for (i = 0; i < AXG_TDM_NUM_LANES; i++) { ++ regmap_write(map, offset, val[i]); ++ offset += regmap_get_reg_stride(map); ++ } ++ + return 0; + } + EXPORT_SYMBOL_GPL(axg_tdm_formatter_set_channel_masks); +-- +2.40.1 + diff --git a/queue-5.15/asoc-rt5665-add-missed-regulator_bulk_disable.patch b/queue-5.15/asoc-rt5665-add-missed-regulator_bulk_disable.patch new file mode 100644 index 00000000000..6d1c2321740 --- /dev/null +++ b/queue-5.15/asoc-rt5665-add-missed-regulator_bulk_disable.patch 
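Review bot: `memset(val, 0, sizeof(*val) * AXG_TDM_NUM_LANES);` recomputes the array size by hand; an initializer, `u32 val[AXG_TDM_NUM_LANES] = { 0 };`, does the same without the arithmetic and removes a line. The new comment also misspells "mimic" as `mimick`. One behavioural improvement of the rewrite is worth stating in the code: the lane masks are now buffered and written only after the leftover-channel check, so a stream that cannot be fully placed no longer leaves the formatter partially programmed; a one-line comment above the new write loop, `/* All channels placed: program the lane masks */`, would make that intent explicit.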
@@ -0,0 +1,38 @@ +From 9969cf103e4f2aa565ca1fcac77b4f2c085a255c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 23:59:11 +0800 +Subject: ASoC: rt5665: add missed regulator_bulk_disable + +From: Zhang Shurong + +[ Upstream commit c163108e706909570f8aa9aa5bcf6806e2b4c98c ] + +The driver forgets to call regulator_bulk_disable() + +Add the missed call to fix it. + +Fixes: 33ada14a26c8 ("ASoC: add rt5665 codec driver") +Signed-off-by: Zhang Shurong +Link: https://lore.kernel.org/r/tencent_A560D01E3E0A00A85A12F137E4B5205B3508@qq.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5665.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/codecs/rt5665.c b/sound/soc/codecs/rt5665.c +index e59323fd5bf24..5e00aca0c418a 100644 +--- a/sound/soc/codecs/rt5665.c ++++ b/sound/soc/codecs/rt5665.c +@@ -4472,6 +4472,8 @@ static void rt5665_remove(struct snd_soc_component *component) + struct rt5665_priv *rt5665 = snd_soc_component_get_drvdata(component); + + regmap_write(rt5665->regmap, RT5665_RESET, 0); ++ ++ regulator_bulk_disable(ARRAY_SIZE(rt5665->supplies), rt5665->supplies); + } + + #ifdef CONFIG_PM +-- +2.40.1 + diff --git a/queue-5.15/bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch b/queue-5.15/bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch new file mode 100644 index 00000000000..57fe4f9349a --- /dev/null +++ b/queue-5.15/bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch 
@@ -0,0 +1,48 @@ +From 458b40e88c2cdfcb9c0e71d4cf646260368812ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 10:18:23 +0300 +Subject: bus: ti-sysc: Flush posted write on enable before reset + +From: Tony Lindgren + +[ Upstream commit 34539b442b3bc7d5bf10164750302b60b91f18a7 ] + +The am335x devices started producing boot errors for resetting musb module +in because of subtle timing changes: + +Unhandled fault: external abort on non-linefetch (0x1008) +... +sysc_poll_reset_sysconfig from sysc_reset+0x109/0x12 +sysc_reset from sysc_probe+0xa99/0xeb0 +... + +The fix is to flush posted write after enable before reset during +probe. Note that some devices also need to specify the delay after enable +with ti,sysc-delay-us, but this is not needed for musb on am335x based on +my tests. + +Reported-by: kernelci.org bot +Closes: https://storage.kernelci.org/next/master/next-20230614/arm/multi_v7_defconfig+CONFIG_THUMB2_KERNEL=y/gcc-10/lab-cip/baseline-beaglebone-black.html +Fixes: 596e7955692b ("bus: ti-sysc: Add support for software reset") +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index 7d508f9050038..71b541538801e 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -2089,6 +2089,8 @@ static int sysc_reset(struct sysc *ddata) + sysc_val = sysc_read_sysconfig(ddata); + sysc_val |= sysc_mask; + sysc_write(ddata, sysc_offset, sysc_val); ++ /* Flush posted write */ ++ sysc_val = sysc_read_sysconfig(ddata); + } + + if (ddata->cfg.srst_udelay) +-- +2.40.1 + diff --git a/queue-5.15/drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch b/queue-5.15/drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch new file mode 100644 index 00000000000..757ffa766f0 --- /dev/null +++ b/queue-5.15/drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch 
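Review bot: The added read-back `sysc_val = sysc_read_sysconfig(ddata);` exists only to force the posted write out, and the value is not used anywhere in the hunk; if `sysc_val` is not read after this block either (the rest of `sysc_reset` is outside the hunk), the store is dead and the intent is clearer as `(void)sysc_read_sysconfig(ddata);` under the same `/* Flush posted write */` comment. If the value is consumed later, say so in the comment instead, e.g. `/* Flush posted write; also refreshes sysc_val */`, so nobody "cleans up" the assignment.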
@@ -0,0 +1,78 @@ +From 925e289763343d02dc002a0ea99a9e7fb2bbb85f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 17:12:39 +0200 +Subject: drm/panel: simple: Fix AUO G121EAN01 panel timings according to the + docs + +From: Luca Ceresoli + +[ Upstream commit e8470c0a7bcaa82f78ad34282d662dd7bd9630c2 ] + +Commit 03e909acd95a ("drm/panel: simple: Add support for AUO G121EAN01.4 +panel") added support for this panel model, but the timings it implements +are very different from what the datasheet describes. I checked both the +G121EAN01.0 datasheet from [0] and the G121EAN01.4 one from [1] and they +all have the same timings: for example the LVDS clock typical value is 74.4 +MHz, not 66.7 MHz as implemented. + +Replace the timings with the ones from the documentation. These timings +have been tested and the clock frequencies verified with an oscilloscope to +ensure they are correct. + +Also use struct display_timing instead of struct drm_display_mode in order +to also specify the minimum and maximum values. 
+ +[0] https://embedded.avnet.com/product/g121ean01-0/ +[1] https://embedded.avnet.com/product/g121ean01-4/ + +Fixes: 03e909acd95a ("drm/panel: simple: Add support for AUO G121EAN01.4 panel") +Signed-off-by: Luca Ceresoli +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230804151239.835216-1-luca.ceresoli@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 391d73d2638a8..7cf0af78b7bc9 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -1258,21 +1258,21 @@ static const struct panel_desc auo_g104sn02 = { + .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + +-static const struct drm_display_mode auo_g121ean01_mode = { +- .clock = 66700, +- .hdisplay = 1280, +- .hsync_start = 1280 + 58, +- .hsync_end = 1280 + 58 + 8, +- .htotal = 1280 + 58 + 8 + 70, +- .vdisplay = 800, +- .vsync_start = 800 + 6, +- .vsync_end = 800 + 6 + 4, +- .vtotal = 800 + 6 + 4 + 10, ++static const struct display_timing auo_g121ean01_timing = { ++ .pixelclock = { 60000000, 74400000, 90000000 }, ++ .hactive = { 1280, 1280, 1280 }, ++ .hfront_porch = { 20, 50, 100 }, ++ .hback_porch = { 20, 50, 100 }, ++ .hsync_len = { 30, 100, 200 }, ++ .vactive = { 800, 800, 800 }, ++ .vfront_porch = { 2, 10, 25 }, ++ .vback_porch = { 2, 10, 25 }, ++ .vsync_len = { 4, 18, 50 }, + }; + + static const struct panel_desc auo_g121ean01 = { +- .modes = &auo_g121ean01_mode, +- .num_modes = 1, ++ .timings = &auo_g121ean01_timing, ++ .num_timings = 1, + .bpc = 8, + .size = { + .width = 261, +-- +2.40.1 + diff --git a/queue-5.15/i40e-fix-misleading-debug-logs.patch b/queue-5.15/i40e-fix-misleading-debug-logs.patch new file mode 100644 index 00000000000..dbcbe282ee3 --- /dev/null 
+++ b/queue-5.15/i40e-fix-misleading-debug-logs.patch 
@@ -0,0 +1,67 @@ +From acac1a6e7aaf1f17bb894f35dc2d553c96b1e519 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 09:47:32 +0200 +Subject: i40e: fix misleading debug logs + +From: Andrii Staikov + +[ Upstream commit 2f2beb8874cb0844e84ad26e990f05f4f13ff63f ] + +Change "write" into the actual "read" word. +Change parameters description. + +Fixes: 7073f46e443e ("i40e: Add AQ commands for NVM Update for X722") +Signed-off-by: Aleksandr Loktionov +Signed-off-by: Andrii Staikov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_nvm.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_nvm.c b/drivers/net/ethernet/intel/i40e/i40e_nvm.c +index 82af180cc5ee5..b7556a6c27589 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_nvm.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_nvm.c +@@ -210,11 +210,11 @@ static int i40e_read_nvm_word_srctl(struct i40e_hw *hw, u16 offset, + * @hw: pointer to the HW structure. + * @module_pointer: module pointer location in words from the NVM beginning + * @offset: offset in words from module start +- * @words: number of words to write +- * @data: buffer with words to write to the Shadow RAM ++ * @words: number of words to read ++ * @data: buffer with words to read to the Shadow RAM + * @last_command: tells the AdminQ that this is the last command + * +- * Writes a 16 bit words buffer to the Shadow RAM using the admin command. ++ * Reads a 16 bit words buffer to the Shadow RAM using the admin command. 
+ **/ + static int i40e_read_nvm_aq(struct i40e_hw *hw, + u8 module_pointer, u32 offset, +@@ -234,18 +234,18 @@ static int i40e_read_nvm_aq(struct i40e_hw *hw, + */ + if ((offset + words) > hw->nvm.sr_size) + i40e_debug(hw, I40E_DEBUG_NVM, +- "NVM write error: offset %d beyond Shadow RAM limit %d\n", ++ "NVM read error: offset %d beyond Shadow RAM limit %d\n", + (offset + words), hw->nvm.sr_size); + else if (words > I40E_SR_SECTOR_SIZE_IN_WORDS) +- /* We can write only up to 4KB (one sector), in one AQ write */ ++ /* We can read only up to 4KB (one sector), in one AQ write */ + i40e_debug(hw, I40E_DEBUG_NVM, +- "NVM write fail error: tried to write %d words, limit is %d.\n", ++ "NVM read fail error: tried to read %d words, limit is %d.\n", + words, I40E_SR_SECTOR_SIZE_IN_WORDS); + else if (((offset + (words - 1)) / I40E_SR_SECTOR_SIZE_IN_WORDS) + != (offset / I40E_SR_SECTOR_SIZE_IN_WORDS)) +- /* A single write cannot spread over two sectors */ ++ /* A single read cannot spread over two sectors */ + i40e_debug(hw, I40E_DEBUG_NVM, +- "NVM write error: cannot spread over two sectors in a single write offset=%d words=%d\n", ++ "NVM read error: cannot spread over two sectors in a single read offset=%d words=%d\n", + offset, words); + else + ret_code = i40e_aq_read_nvm(hw, module_pointer, +-- +2.40.1 + diff --git a/queue-5.15/iavf-fix-fdir-rule-fields-masks-validation.patch b/queue-5.15/iavf-fix-fdir-rule-fields-masks-validation.patch new file mode 100644 index 00000000000..fd89cf5d0a8 --- /dev/null +++ b/queue-5.15/iavf-fix-fdir-rule-fields-masks-validation.patch 
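Review bot: The reworded kernel-doc at the top of the hunk is still wrong about the data direction: `@data: buffer with words to read to the Shadow RAM` and `Reads a 16 bit words buffer to the Shadow RAM using the admin command.` describe a write; they should say `@data: buffer to store the words read from the Shadow RAM` and `Reads a 16 bit words buffer from the Shadow RAM using the admin command.`. Likewise the comment `/* We can read only up to 4KB (one sector), in one AQ write */` still ends with `AQ write` and should end with `AQ read`. The function `i40e_read_nvm_aq` continues outside the hunk.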
@@ -0,0 +1,209 @@ +From b3811ef02b472475fcfed377752ea29d235336ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Aug 2023 16:46:04 +0200 +Subject: iavf: fix FDIR rule fields masks validation + +From: Piotr Gardocki + +[ Upstream commit 751969e5b1196821ef78f0aa664a8a97c92c9057 ] + +Return an error if a field's mask is neither full nor empty. When a mask +is only partial the field is not being used for rule programming but it +gives a wrong impression it is used. Fix by returning an error on any +partial mask to make it clear they are not supported. +The ip_ver assignment is moved earlier in code to allow using it in +iavf_validate_fdir_fltr_masks. + +Fixes: 527691bf0682 ("iavf: Support IPv4 Flow Director filters") +Fixes: e90cbc257a6f ("iavf: Support IPv6 Flow Director filters") +Signed-off-by: Piotr Gardocki +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/iavf/iavf_ethtool.c | 10 +++ + drivers/net/ethernet/intel/iavf/iavf_fdir.c | 77 ++++++++++++++++++- + drivers/net/ethernet/intel/iavf/iavf_fdir.h | 2 + + 3 files changed, 85 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index e622b6e6ac2b9..a9a7453d969cb 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -1275,6 +1275,7 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + fltr->ip_mask.src_port = fsp->m_u.tcp_ip4_spec.psrc; + fltr->ip_mask.dst_port = fsp->m_u.tcp_ip4_spec.pdst; + fltr->ip_mask.tos = fsp->m_u.tcp_ip4_spec.tos; ++ fltr->ip_ver = 4; + break; + case AH_V4_FLOW: + case ESP_V4_FLOW: +@@ -1286,6 +1287,7 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + fltr->ip_mask.v4_addrs.dst_ip = fsp->m_u.ah_ip4_spec.ip4dst; + fltr->ip_mask.spi = fsp->m_u.ah_ip4_spec.spi; + fltr->ip_mask.tos = 
fsp->m_u.ah_ip4_spec.tos; ++ fltr->ip_ver = 4; + break; + case IPV4_USER_FLOW: + fltr->ip_data.v4_addrs.src_ip = fsp->h_u.usr_ip4_spec.ip4src; +@@ -1298,6 +1300,7 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + fltr->ip_mask.l4_header = fsp->m_u.usr_ip4_spec.l4_4_bytes; + fltr->ip_mask.tos = fsp->m_u.usr_ip4_spec.tos; + fltr->ip_mask.proto = fsp->m_u.usr_ip4_spec.proto; ++ fltr->ip_ver = 4; + break; + case TCP_V6_FLOW: + case UDP_V6_FLOW: +@@ -1316,6 +1319,7 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + fltr->ip_mask.src_port = fsp->m_u.tcp_ip6_spec.psrc; + fltr->ip_mask.dst_port = fsp->m_u.tcp_ip6_spec.pdst; + fltr->ip_mask.tclass = fsp->m_u.tcp_ip6_spec.tclass; ++ fltr->ip_ver = 6; + break; + case AH_V6_FLOW: + case ESP_V6_FLOW: +@@ -1331,6 +1335,7 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + sizeof(struct in6_addr)); + fltr->ip_mask.spi = fsp->m_u.ah_ip6_spec.spi; + fltr->ip_mask.tclass = fsp->m_u.ah_ip6_spec.tclass; ++ fltr->ip_ver = 6; + break; + case IPV6_USER_FLOW: + memcpy(&fltr->ip_data.v6_addrs.src_ip, fsp->h_u.usr_ip6_spec.ip6src, +@@ -1347,6 +1352,7 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + fltr->ip_mask.l4_header = fsp->m_u.usr_ip6_spec.l4_4_bytes; + fltr->ip_mask.tclass = fsp->m_u.usr_ip6_spec.tclass; + fltr->ip_mask.proto = fsp->m_u.usr_ip6_spec.l4_proto; ++ fltr->ip_ver = 6; + break; + case ETHER_FLOW: + fltr->eth_data.etype = fsp->h_u.ether_spec.h_proto; +@@ -1357,6 +1363,10 @@ iavf_add_fdir_fltr_info(struct iavf_adapter *adapter, struct ethtool_rx_flow_spe + return -EINVAL; + } + ++ err = iavf_validate_fdir_fltr_masks(adapter, fltr); ++ if (err) ++ return err; ++ + if (iavf_fdir_is_dup_fltr(adapter, fltr)) + return -EEXIST; + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_fdir.c b/drivers/net/ethernet/intel/iavf/iavf_fdir.c +index 505e82ebafe47..03e774bd2a5b4 100644 +--- 
a/drivers/net/ethernet/intel/iavf/iavf_fdir.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_fdir.c +@@ -18,6 +18,79 @@ static const struct in6_addr ipv6_addr_full_mask = { + } + }; + ++static const struct in6_addr ipv6_addr_zero_mask = { ++ .in6_u = { ++ .u6_addr8 = { ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ } ++ } ++}; ++ ++/** ++ * iavf_validate_fdir_fltr_masks - validate Flow Director filter fields masks ++ * @adapter: pointer to the VF adapter structure ++ * @fltr: Flow Director filter data structure ++ * ++ * Returns 0 if all masks of packet fields are either full or empty. Returns ++ * error on at least one partial mask. ++ */ ++int iavf_validate_fdir_fltr_masks(struct iavf_adapter *adapter, ++ struct iavf_fdir_fltr *fltr) ++{ ++ if (fltr->eth_mask.etype && fltr->eth_mask.etype != htons(U16_MAX)) ++ goto partial_mask; ++ ++ if (fltr->ip_ver == 4) { ++ if (fltr->ip_mask.v4_addrs.src_ip && ++ fltr->ip_mask.v4_addrs.src_ip != htonl(U32_MAX)) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.v4_addrs.dst_ip && ++ fltr->ip_mask.v4_addrs.dst_ip != htonl(U32_MAX)) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.tos && fltr->ip_mask.tos != U8_MAX) ++ goto partial_mask; ++ } else if (fltr->ip_ver == 6) { ++ if (memcmp(&fltr->ip_mask.v6_addrs.src_ip, &ipv6_addr_zero_mask, ++ sizeof(struct in6_addr)) && ++ memcmp(&fltr->ip_mask.v6_addrs.src_ip, &ipv6_addr_full_mask, ++ sizeof(struct in6_addr))) ++ goto partial_mask; ++ ++ if (memcmp(&fltr->ip_mask.v6_addrs.dst_ip, &ipv6_addr_zero_mask, ++ sizeof(struct in6_addr)) && ++ memcmp(&fltr->ip_mask.v6_addrs.dst_ip, &ipv6_addr_full_mask, ++ sizeof(struct in6_addr))) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.tclass && fltr->ip_mask.tclass != U8_MAX) ++ goto partial_mask; ++ } ++ ++ if (fltr->ip_mask.proto && fltr->ip_mask.proto != U8_MAX) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.src_port && fltr->ip_mask.src_port != htons(U16_MAX)) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.dst_port && fltr->ip_mask.dst_port != 
htons(U16_MAX)) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.spi && fltr->ip_mask.spi != htonl(U32_MAX)) ++ goto partial_mask; ++ ++ if (fltr->ip_mask.l4_header && ++ fltr->ip_mask.l4_header != htonl(U32_MAX)) ++ goto partial_mask; ++ ++ return 0; ++ ++partial_mask: ++ dev_err(&adapter->pdev->dev, "Failed to add Flow Director filter, partial masks are not supported\n"); ++ return -EOPNOTSUPP; ++} ++ + /** + * iavf_pkt_udp_no_pay_len - the length of UDP packet without payload + * @fltr: Flow Director filter data structure +@@ -263,8 +336,6 @@ iavf_fill_fdir_ip4_hdr(struct iavf_fdir_fltr *fltr, + VIRTCHNL_ADD_PROTO_HDR_FIELD_BIT(hdr, IPV4, DST); + } + +- fltr->ip_ver = 4; +- + return 0; + } + +@@ -309,8 +380,6 @@ iavf_fill_fdir_ip6_hdr(struct iavf_fdir_fltr *fltr, + VIRTCHNL_ADD_PROTO_HDR_FIELD_BIT(hdr, IPV6, DST); + } + +- fltr->ip_ver = 6; +- + return 0; + } + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_fdir.h b/drivers/net/ethernet/intel/iavf/iavf_fdir.h +index 33c55c366315b..9eb9f73f6adf3 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_fdir.h ++++ b/drivers/net/ethernet/intel/iavf/iavf_fdir.h +@@ -110,6 +110,8 @@ struct iavf_fdir_fltr { + struct virtchnl_fdir_add vc_add_msg; + }; + ++int iavf_validate_fdir_fltr_masks(struct iavf_adapter *adapter, ++ struct iavf_fdir_fltr *fltr); + int iavf_fill_fdir_add_msg(struct iavf_adapter *adapter, struct iavf_fdir_fltr *fltr); + void iavf_print_fdir_fltr(struct iavf_adapter *adapter, struct iavf_fdir_fltr *fltr); + bool iavf_fdir_is_dup_fltr(struct iavf_adapter *adapter, struct iavf_fdir_fltr *fltr); +-- +2.40.1 + diff --git a/queue-5.15/ip6_vti-fix-slab-use-after-free-in-decode_session6.patch b/queue-5.15/ip6_vti-fix-slab-use-after-free-in-decode_session6.patch new file mode 100644 index 00000000000..031395c28d8 --- /dev/null +++ b/queue-5.15/ip6_vti-fix-slab-use-after-free-in-decode_session6.patch 
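Review bot: The new `ipv6_addr_zero_mask` constant exists only so `memcmp()` can test for an all-zero IPv6 mask, and the kernel already provides `ipv6_addr_any()` for exactly that; the two IPv6 checks in `iavf_validate_fdir_fltr_masks` can be written as `if (!ipv6_addr_any(&fltr->ip_mask.v6_addrs.src_ip) && memcmp(&fltr->ip_mask.v6_addrs.src_ip, &ipv6_addr_full_mask, sizeof(struct in6_addr)))` (and the same for `dst_ip`), dropping the constant, possibly at the cost of an `#include <net/ipv6.h>` if the file does not already pull it in. The placement of the call is right: it runs in the ethtool add path before the filter is sent to the PF, so a user-supplied partial mask is now rejected with `-EOPNOTSUPP` rather than silently producing a filter that matches more than requested. One caveat worth a comment in the validator: since `ip_ver` is only assigned for the IPv4/IPv6 flow types, the L3 branch is skipped for `ETHER_FLOW`, and the remaining checks rely on the unset masks being zero — presumably the filter is zero-allocated, but that is outside the hunk.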
@@ -0,0 +1,117 @@ +From 4891e784a917249ffec88a4412c982431121527c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 17:40:52 +0800 +Subject: ip6_vti: fix slab-use-after-free in decode_session6 + +From: Zhengchao Shao + +[ Upstream commit 9fd41f1ba638938c9a1195d09bc6fa3be2712f25 ] + +When ipv6_vti device is set to the qdisc of the sfb type, the cb field +of the sent skb may be modified during enqueuing. Then, +slab-use-after-free may occur when ipv6_vti device sends IPv6 packets. + +The stack information is as follows: +BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890 +Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0 +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 +Call Trace: + +dump_stack_lvl+0xd9/0x150 +print_address_description.constprop.0+0x2c/0x3c0 +kasan_report+0x11d/0x130 +decode_session6+0x103f/0x1890 +__xfrm_decode_session+0x54/0xb0 +vti6_tnl_xmit+0x3e6/0x1ee0 +dev_hard_start_xmit+0x187/0x700 +sch_direct_xmit+0x1a3/0xc30 +__qdisc_run+0x510/0x17a0 +__dev_queue_xmit+0x2215/0x3b10 +neigh_connected_output+0x3c2/0x550 +ip6_finish_output2+0x55a/0x1550 +ip6_finish_output+0x6b9/0x1270 +ip6_output+0x1f1/0x540 +ndisc_send_skb+0xa63/0x1890 +ndisc_send_rs+0x132/0x6f0 +addrconf_rs_timer+0x3f1/0x870 +call_timer_fn+0x1a0/0x580 +expire_timers+0x29b/0x4b0 +run_timer_softirq+0x326/0x910 +__do_softirq+0x1d4/0x905 +irq_exit_rcu+0xb7/0x120 +sysvec_apic_timer_interrupt+0x97/0xc0 + +Allocated by task 9176: +kasan_save_stack+0x22/0x40 +kasan_set_track+0x25/0x30 +__kasan_slab_alloc+0x7f/0x90 +kmem_cache_alloc_node+0x1cd/0x410 +kmalloc_reserve+0x165/0x270 +__alloc_skb+0x129/0x330 +netlink_sendmsg+0x9b1/0xe30 +sock_sendmsg+0xde/0x190 +____sys_sendmsg+0x739/0x920 +___sys_sendmsg+0x110/0x1b0 +__sys_sendmsg+0xf7/0x1c0 +do_syscall_64+0x39/0xb0 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +Freed by task 9176: 
+kasan_save_stack+0x22/0x40
+kasan_set_track+0x25/0x30
+kasan_save_free_info+0x2b/0x40
+____kasan_slab_free+0x160/0x1c0
+slab_free_freelist_hook+0x11b/0x220
+kmem_cache_free+0xf0/0x490
+skb_free_head+0x17f/0x1b0
+skb_release_data+0x59c/0x850
+consume_skb+0xd2/0x170
+netlink_unicast+0x54f/0x7f0
+netlink_sendmsg+0x926/0xe30
+sock_sendmsg+0xde/0x190
+____sys_sendmsg+0x739/0x920
+___sys_sendmsg+0x110/0x1b0
+__sys_sendmsg+0xf7/0x1c0
+do_syscall_64+0x39/0xb0
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+The buggy address belongs to the object at ffff88802e08ed00
+which belongs to the cache skbuff_small_head of size 640
+The buggy address is located 194 bytes inside of
+freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)
+
+As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
+_decode_session6.") showed, xfrm_decode_session was originally intended
+only for the receive path. IP6CB(skb)->nhoff is not set during
+transmission. Therefore, set the cb field in the skb to 0 before
+sending packets.
+
+Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.")
+Signed-off-by: Zhengchao Shao
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ip6_vti.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
+index 42c37ec832f15..190aa3b19591c 100644
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -570,12 +570,12 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+ vti6_addr_conflict(t, ipv6_hdr(skb)))
+ goto tx_err;
+
+- xfrm_decode_session(skb, &fl, AF_INET6);
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
++ xfrm_decode_session(skb, &fl, AF_INET6);
+ break;
+ case htons(ETH_P_IP):
+- xfrm_decode_session(skb, &fl, AF_INET);
+ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
++ xfrm_decode_session(skb, &fl, AF_INET);
+ break;
+ default:
+ goto tx_err;
+--
+2.40.1
+
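Review bot: The reorder is only a fix if `xfrm_decode_session()` treats a zeroed `IP6CB(skb)->nhoff` as "start at the fixed IPv6 header"; the commit message says nhoff is simply never set on transmit, so `_decode_session6()` in the 5.15 tree must have a fallback for `nhoff == 0`, otherwise the read moves from a freed slab object to a wrong-but-mapped offset. Worth confirming before the backport is taken. The ordering is now load-bearing and the `memset()` deserves a why-comment so nobody swaps the two lines back: `/* skb->cb may hold stale qdisc state (e.g. sfb); xfrm_decode_session() reads IP6CB(skb)->nhoff, so clear it first */`. `vti6_tnl_xmit()` begins before this hunk.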
diff --git a/queue-5.15/ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch b/queue-5.15/ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch
new file mode 100644
index 00000000000..592e4a6d20d
--- /dev/null
+++ b/queue-5.15/ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch
@@ -0,0 +1,48 @@
+From a92509695f1f77e78a16839cdf3b5e298ca49b1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Jul 2023 17:40:53 +0800
+Subject: ip_vti: fix potential slab-use-after-free in decode_session6
+
+From: Zhengchao Shao
+
+[ Upstream commit 6018a266279b1a75143c7c0804dd08a5fc4c3e0b ]
+
+When ip_vti device is set to the qdisc of the sfb type, the cb field
+of the sent skb may be modified during enqueuing. Then,
+slab-use-after-free may occur when ip_vti device sends IPv6 packets.
+As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
+_decode_session6.") showed, xfrm_decode_session was originally intended
+only for the receive path. IP6CB(skb)->nhoff is not set during
+transmission. Therefore, set the cb field in the skb to 0 before
+sending packets.
+
+Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.")
+Signed-off-by: Zhengchao Shao
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ip_vti.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
+index efe25a0172e6f..df23319adc804 100644
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -287,12 +287,12 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ switch (skb->protocol) {
+ case htons(ETH_P_IP):
+- xfrm_decode_session(skb, &fl, AF_INET);
+ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
++ xfrm_decode_session(skb, &fl, AF_INET);
+ break;
+ case htons(ETH_P_IPV6):
+- xfrm_decode_session(skb, &fl, AF_INET6);
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
++ xfrm_decode_session(skb, &fl, AF_INET6);
+ break;
+ default:
+ goto tx_err;
+--
+2.40.1
+
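Review bot: The `ETH_P_IPV6` case is the one the commit is about, yet the `ETH_P_IP` case is reordered identically with no explanation; if the IPv4 decode never reads `IPCB(skb)` the reorder is harmless, but a reader will not know why `memset()` must now precede `xfrm_decode_session()` in either arm. State the rule once above the `switch` so the ordering survives future edits: `/* skb->cb is reused by qdiscs on the tx path; zero IPCB/IP6CB before xfrm_decode_session() reads it */`. `vti_tunnel_xmit()` begins before this hunk, so I cannot see whether anything between the top of the function and this `switch` already relies on cb contents.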
diff --git a/queue-5.15/ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch b/queue-5.15/ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch
new file mode 100644
index 00000000000..14a1d6d1b23
--- /dev/null
+++ b/queue-5.15/ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch
@@ -0,0 +1,69 @@
+From e274c0080ef86a3bb80d27a9815868a5ebe9878e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Aug 2023 15:12:42 -0400
+Subject: ipvs: fix racy memcpy in proc_do_sync_threshold
+
+From: Sishuai Gong
+
+[ Upstream commit 5310760af1d4fbea1452bfc77db5f9a680f7ae47 ]
+
+When two threads run proc_do_sync_threshold() in parallel,
+data races could happen between the two memcpy():
+
+Thread-1 Thread-2
+memcpy(val, valp, sizeof(val));
+ memcpy(valp, val, sizeof(val));
+
+This race might mess up the (struct ctl_table *) table->data,
+so we add a mutex lock to serialize them.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/netdev/B6988E90-0A1E-4B85-BF26-2DAF6D482433@gmail.com/
+Signed-off-by: Sishuai Gong
+Acked-by: Simon Horman
+Acked-by: Julian Anastasov
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 29ec3ef63edc7..d0b64c36471d5 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1802,6 +1802,7 @@ static int
+ proc_do_sync_threshold(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
++ struct netns_ipvs *ipvs = table->extra2;
+ int *valp = table->data;
+ int val[2];
+ int rc;
+@@ -1811,6 +1812,7 @@ proc_do_sync_threshold(struct ctl_table *table, int write,
+ .mode = table->mode,
+ };
+
++ mutex_lock(&ipvs->sync_mutex);
+ memcpy(val, valp, sizeof(val));
+ rc = proc_dointvec(&tmp, write, buffer, lenp, ppos);
+ if (write) {
+@@ -1820,6 +1822,7 @@ proc_do_sync_threshold(struct ctl_table *table, int write,
+ else
+ memcpy(valp, val, sizeof(val));
+ }
++ mutex_unlock(&ipvs->sync_mutex);
+ return rc;
+ }
+
+@@ -4077,6 +4080,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
+ ipvs->sysctl_sync_threshold[0] = DEFAULT_SYNC_THRESHOLD;
+
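Review bot: `table->extra2` is repurposed here to carry the owning `struct netns_ipvs *`, but `extra1`/`extra2` conventionally hold the min/max bounds read by the `proc_dointvec_minmax()` family; this is safe only because the handler appears to build a local `tmp` table that does not copy `extra2` and then calls plain `proc_dointvec()` on it. That invariant is invisible at the new declaration and easy to break later, so document it there: `/* extra2 holds the owning netns_ipvs (set in ip_vs_control_net_init_sysctl()); never switch this handler to a *_minmax variant, which would read it as a bound */`. The `write` validation between the second and third hunks is outside this view; the mutex covers it as long as there is no early `return` in that stretch, which is worth a glance.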
ipvs->sysctl_sync_threshold[1] = DEFAULT_SYNC_PERIOD;
+ tbl[idx].data = &ipvs->sysctl_sync_threshold;
++ tbl[idx].extra2 = ipvs;
+ tbl[idx++].maxlen = sizeof(ipvs->sysctl_sync_threshold);
+ ipvs->sysctl_sync_refresh_period = DEFAULT_SYNC_REFRESH_PERIOD;
+ tbl[idx++].data = &ipvs->sysctl_sync_refresh_period;
+--
+2.40.1
+
diff --git a/queue-5.15/net-af_key-fix-sadb_x_filter-validation.patch b/queue-5.15/net-af_key-fix-sadb_x_filter-validation.patch
new file mode 100644
index 00000000000..d12f6493fb4
--- /dev/null
+++ b/queue-5.15/net-af_key-fix-sadb_x_filter-validation.patch
@@ -0,0 +1,41 @@
+From 453c0680c8435b476f98bfe7b1283131e0a83d5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jun 2023 11:39:54 +0800
+Subject: net: af_key: fix sadb_x_filter validation
+
+From: Lin Ma
+
+[ Upstream commit 75065a8929069bc93181848818e23f147a73f83a ]
+
+When running xfrm_state_walk_init(), the xfrm_address_filter being used
+is okay to have a splen/dplen that equals to sizeof(xfrm_address_t)<<3.
+This commit replaces >= to > to make sure the boundary checking is
+correct.
+
+Fixes: 37bd22420f85 ("af_key: pfkey_dump needs parameter validation")
+Signed-off-by: Lin Ma
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/key/af_key.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index d34fed1a484a7..258fa046f440d 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1848,9 +1848,9 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms
+ if (ext_hdrs[SADB_X_EXT_FILTER - 1]) {
+ struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1];
+
+- if ((xfilter->sadb_x_filter_splen >=
++ if ((xfilter->sadb_x_filter_splen >
+ (sizeof(xfrm_address_t) << 3)) ||
+- (xfilter->sadb_x_filter_dplen >=
++ (xfilter->sadb_x_filter_dplen >
+ (sizeof(xfrm_address_t) << 3))) {
+ mutex_unlock(&pfk->dump_lock);
+ return -EINVAL;
+--
+2.40.1
+
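Review bot: The relaxed bound now admits `splen`/`dplen` of exactly 128 for any filter family, including AF_INET where only 32 bits are meaningful; per the comment in the companion xfrm_user fix further down this page, the comparison reads `(plen >> 5) << 2` bytes, so 128 still lands inside the 16-byte `xfrm_address_t` and the change is safe, but nothing at this site says why the inclusive bound is correct. Add above the `if`: `/* inclusive: addr_match() compares (plen >> 5) << 2 bytes, and 128 is exactly sizeof(xfrm_address_t) */`. A per-family upper bound (32 for AF_INET) would be stricter, but it would diverge from xfrm_user; whichever is chosen, keep the two checks identical. `pfkey_dump()` continues outside the hunk.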
diff --git a/queue-5.15/net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch b/queue-5.15/net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch
new file mode 100644
index 00000000000..e5919f69a67
--- /dev/null
+++ b/queue-5.15/net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch
@@ -0,0 +1,90 @@ +From b5b5dd5127017f61191faba49acc71b020079862 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 14:21:58 +0000 +Subject: net: do not allow gso_size to be set to GSO_BY_FRAGS + +From: Eric Dumazet + +[ Upstream commit b616be6b97688f2f2bd7c4a47ab32f27f94fb2a9 ] + +One missing check in virtio_net_hdr_to_skb() allowed +syzbot to crash kernels again [1] + +Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff), +because this magic value is used by the kernel. + +[1] +general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] +CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 +RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500 +Code: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01 +RSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000 +RDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070 +RBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff +R10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6 +R13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff +FS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109 +ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120 +skb_mac_gso_segment+0x292/0x610 
net/core/gso.c:53
+__skb_gso_segment+0x339/0x710 net/core/gso.c:124
+skb_gso_segment include/net/gso.h:83 [inline]
+validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625
+__dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329
+dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+packet_xmit+0x257/0x380 net/packet/af_packet.c:276
+packet_snd net/packet/af_packet.c:3087 [inline]
+packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119
+sock_sendmsg_nosec net/socket.c:727 [inline]
+sock_sendmsg+0xd9/0x180 net/socket.c:750
+____sys_sendmsg+0x6ac/0x940 net/socket.c:2496
+___sys_sendmsg+0x135/0x1d0 net/socket.c:2550
+__sys_sendmsg+0x117/0x1e0 net/socket.c:2579
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7ff27cdb34d9
+
+Fixes: 3953c46c3ac7 ("sk_buff: allow segmenting based on frag sizes")
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Cc: Xin Long
+Cc: "Michael S. Tsirkin"
+Cc: Jason Wang
+Reviewed-by: Willem de Bruijn
+Reviewed-by: Marcelo Ricardo Leitner
+Reviewed-by: Xuan Zhuo
+Link: https://lore.kernel.org/r/20230816142158.1779798-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/linux/virtio_net.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
+index a960de68ac69e..6047058d67037 100644
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -148,6 +148,10 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
+ if (gso_type & SKB_GSO_UDP)
+ nh_off -= thlen;
+
++ /* Kernel has a special handling for GSO_BY_FRAGS. */
++ if (gso_size == GSO_BY_FRAGS)
++ return -EINVAL;
++
+ /* Too small packets are not really GSO ones. */
+ if (skb->len - nh_off > gso_size) {
+ shinfo->gso_size = gso_size;
+--
+2.40.1
+
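Review bot: The new guard rejects the header-supplied `gso_size` only at the point where it is about to be stored, after `nh_off` has already been adjusted; if `gso_size` is read from the header and used anywhere earlier in `virtio_net_hdr_to_skb()` (the function starts outside this hunk), the check should move to where the value is first read so nothing consumes the sentinel before it is refused. The comment `Kernel has a special handling for GSO_BY_FRAGS.` says neither what the value is nor why accepting it matters, although the trace above shows the consequence in `skb_segment()`. Suggest: `/* GSO_BY_FRAGS (0xffff) is a kernel-internal sentinel meaning "segment by frag sizes"; taking it from an untrusted header makes skb_segment() walk frags the packet does not have. */`.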
diff --git a/queue-5.15/net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch b/queue-5.15/net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch
new file mode 100644
index 00000000000..cde1b1ada34
--- /dev/null
+++ b/queue-5.15/net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch
@@ -0,0 +1,49 @@
+From 7e0fa74b75479f2a9e7737b386c5038890d79c59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Aug 2023 17:13:23 -0700
+Subject: net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset
+
+From: Alfred Lee
+
+[ Upstream commit 23d775f12dcd23d052a4927195f15e970e27ab26 ]
+
+If the switch is reset during active EEPROM transactions, as in
+just after an SoC reset after power up, the I2C bus transaction
+may be cut short leaving the EEPROM internal I2C state machine
+in the wrong state. When the switch is reset again, the bad
+state machine state may result in data being read from the wrong
+memory location causing the switch to enter unexpected mode
+rendering it inoperational.
+
+Fixes: a3dcb3e7e70c ("net: dsa: mv88e6xxx: Wait for EEPROM done after HW reset")
+Signed-off-by: Alfred Lee
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20230815001323.24739-1-l00g33k@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index ac1560fa29e45..7e93b72f9b541 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -2588,6 +2588,14 @@ static void mv88e6xxx_hardware_reset(struct mv88e6xxx_chip *chip)
+
+ /* If there is a GPIO connected to the reset pin, toggle it */
+ if (gpiod) {
++ /* If the switch has just been reset and not yet completed
++ * loading EEPROM, the reset may interrupt the I2C transaction
++ * mid-byte, causing the first EEPROM read after the reset
++ * from the wrong location resulting in the switch booting
++ * to wrong mode and inoperable.
++ */
++ mv88e6xxx_g1_wait_eeprom_done(chip);
++
+ gpiod_set_value_cansleep(gpiod, 1);
+ usleep_range(10000, 20000);
+ gpiod_set_value_cansleep(gpiod, 0);
+--
+2.40.1
+
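Review bot: `mv88e6xxx_g1_wait_eeprom_done(chip)` is called purely for its side effect; if it can time out (the helper is outside this hunk) the result is dropped and the GPIO reset proceeds anyway, which is exactly the interrupted-transaction case the new comment warns about. If the helper returns a status, surface it before toggling the GPIO, e.g. `dev_warn(chip->dev, "EEPROM load did not complete before reset\n");`, and if it is `void` and already logs on timeout, say so at the end of the comment so the unchecked call does not look like an oversight. The wait is also only performed on the GPIO path; if `mv88e6xxx_hardware_reset()` has a non-GPIO reset branch further down (outside the hunk), it gets no such protection.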
diff --git a/queue-5.15/net-phy-broadcom-stub-c45-read-write-for-54810.patch b/queue-5.15/net-phy-broadcom-stub-c45-read-write-for-54810.patch
new file mode 100644
index 00000000000..52ec663fcbb
--- /dev/null
+++ b/queue-5.15/net-phy-broadcom-stub-c45-read-write-for-54810.patch
@@ -0,0 +1,58 @@
+From 497462a1993071a9752b97c0f05756f4333f27d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Aug 2023 21:41:47 -0700
+Subject: net: phy: broadcom: stub c45 read/write for 54810
+
+From: Justin Chen
+
+[ Upstream commit 096516d092d54604d590827d05b1022c8f326639 ]
+
+The 54810 does not support c45. The mmd_phy_indirect accesses return
+arbirtary values leading to odd behavior like saying it supports EEE
+when it doesn't. We also see that reading/writing these non-existent
+MMD registers leads to phy instability in some cases.
+
+Fixes: b14995ac2527 ("net: phy: broadcom: Add BCM54810 PHY entry")
+Signed-off-by: Justin Chen
+Reviewed-by: Florian Fainelli
+Link: https://lore.kernel.org/r/1691901708-28650-1-git-send-email-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/broadcom.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c
+index b330efb98209b..f3b39af83a272 100644
+--- a/drivers/net/phy/broadcom.c
++++ b/drivers/net/phy/broadcom.c
+@@ -412,6 +412,17 @@ static int bcm54xx_resume(struct phy_device *phydev)
+ return bcm54xx_config_init(phydev);
+ }
+
++static int bcm54810_read_mmd(struct phy_device *phydev, int devnum, u16 regnum)
++{
++ return -EOPNOTSUPP;
++}
++
++static int bcm54810_write_mmd(struct phy_device *phydev, int devnum, u16 regnum,
++ u16 val)
++{
++ return -EOPNOTSUPP;
++}
++
+ static int bcm54811_config_init(struct phy_device *phydev)
+ {
+ int err, reg;
+@@ -832,6 +843,8 @@ static struct phy_driver broadcom_drivers[] = {
+ .get_strings = bcm_phy_get_strings,
+ .get_stats = bcm54xx_get_stats,
+ .probe = bcm54xx_phy_probe,
++ .read_mmd = bcm54810_read_mmd,
++ .write_mmd = bcm54810_write_mmd,
+ .config_init = bcm54xx_config_init,
+ .config_aneg = bcm5481_config_aneg,
+ .config_intr = bcm_phy_config_intr,
+--
+2.40.1
+
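Review bot: The two stubs refuse every MMD access on the BCM54810, which is the intent, but nothing at the definitions says why and the identical `-EOPNOTSUPP` bodies read like unfinished placeholders. Add above `bcm54810_read_mmd()`: `/* The BCM54810 has no MMD/Clause 45 register space: indirect MMD accesses return garbage (e.g. a bogus EEE capability) and can destabilise the PHY, so refuse them outright. */`. Because `.read_mmd`/`.write_mmd` override the core's indirect path, callers such as EEE setup now see `-EOPNOTSUPP` where they previously saw garbage; confirm the generic code treats that as "feature absent" rather than as a hard failure for this PHY. The `broadcom_drivers[]` entry being patched begins before the second hunk, so the PHY ID it applies to is not visible here.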
diff --git a/queue-5.15/net-phy-fix-irq-based-wake-on-lan-over-hibernate-pow.patch b/queue-5.15/net-phy-fix-irq-based-wake-on-lan-over-hibernate-pow.patch
new file mode 100644
index 00000000000..1dda78eb5fc
--- /dev/null
+++ b/queue-5.15/net-phy-fix-irq-based-wake-on-lan-over-hibernate-pow.patch
@@ -0,0 +1,92 @@ +From 9e432f0b7ae9f76328a714555be82f6963297f89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 11:26:30 +0100 +Subject: net: phy: fix IRQ-based wake-on-lan over hibernate / power off +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Russell King (Oracle) + +[ Upstream commit cc941e548bffc01b5816b4edc5cb432a137a58b3 ] + +Uwe reports: +"Most PHYs signal WoL using an interrupt. So disabling interrupts [at +shutdown] breaks WoL at least on PHYs covered by the marvell driver." + +Discussing with Ioana, the problem which was trying to be solved was: +"The board in question is a LS1021ATSN which has two AR8031 PHYs that +share an interrupt line. In case only one of the PHYs is probed and +there are pending interrupts on the PHY#2 an IRQ storm will happen +since there is no entity to clear the interrupt from PHY#2's registers. +PHY#1's driver will get stuck in .handle_interrupt() indefinitely." + +Further confirmation that "the two AR8031 PHYs are on the same MDIO +bus." + +With WoL using interrupts to wake the system, in such a case, the +system will begin booting with an asserted interrupt. Thus, we need to +cope with an interrupt asserted during boot. + +Solve this instead by disabling interrupts during PHY probe. This will +ensure in Ioana's situation that both PHYs of the same type sharing an +interrupt line on a common MDIO bus will have their interrupt outputs +disabled when the driver probes the device, but before we hook in any +interrupt handlers - thus avoiding the interrupt storm. + +A better fix would be for platform firmware to disable the interrupting +devices at source during boot, before control is handed to the kernel. 
+
+Fixes: e2f016cf7751 ("net: phy: add a shutdown procedure")
+Link: 20230804071757.383971-1-u.kleine-koenig@pengutronix.de
+Reported-by: Uwe Kleine-König
+Signed-off-by: Russell King (Oracle)
+Reviewed-by: Andrew Lunn
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/phy_device.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 6085a28cae3d2..0429825a7179d 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -3061,6 +3061,8 @@ static int phy_probe(struct device *dev)
+ goto out;
+ }
+
++ phy_disable_interrupts(phydev);
++
+ /* Start out supporting everything. Eventually,
+ * a controller will attach, and may modify one
+ * or both of these values
+@@ -3148,16 +3150,6 @@ static int phy_remove(struct device *dev)
+ return 0;
+ }
+
+-static void phy_shutdown(struct device *dev)
+-{
+- struct phy_device *phydev = to_phy_device(dev);
+-
+- if (phydev->state == PHY_READY || !phydev->attached_dev)
+- return;
+-
+- phy_disable_interrupts(phydev);
+-}
+-
+ /**
+ * phy_driver_register - register a phy_driver with the PHY layer
+ * @new_driver: new phy_driver to register
+@@ -3181,7 +3173,6 @@ int phy_driver_register(struct phy_driver *new_driver, struct module *owner)
+ new_driver->mdiodrv.driver.bus = &mdio_bus_type;
+ new_driver->mdiodrv.driver.probe = phy_probe;
+ new_driver->mdiodrv.driver.remove = phy_remove;
+- new_driver->mdiodrv.driver.shutdown = phy_shutdown;
+ new_driver->mdiodrv.driver.owner = owner;
+ new_driver->mdiodrv.driver.probe_type = PROBE_FORCE_SYNCHRONOUS;
+
+--
+2.40.1
+
diff --git a/queue-5.15/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch b/queue-5.15/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch
new file mode 100644
index 00000000000..851704e042b
--- /dev/null
+++ b/queue-5.15/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch
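Review bot: `phy_disable_interrupts(phydev)` in `phy_probe()` discards its return value; an MDIO write failure here leaves the interrupt output armed, which is precisely the shared-line IRQ-storm scenario the commit describes, yet probe continues as if the PHY were quiesced. Handle it like the surrounding error paths: `err = phy_disable_interrupts(phydev);` / `if (err)` / `goto out;` — or, if failing probe is judged too harsh for a PHY that will otherwise work, at least `phydev_warn()` it. The call also deserves a one-line why-comment, since its placement before any handler is installed is the whole point: `/* quiesce an interrupt left asserted by firmware or a previous kernel before a handler can be attached */`. `phy_probe()` starts and ends outside this hunk, so whether `err` and the `out` label are in scope at this point is not visible here.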
@@ -0,0 +1,62 @@
+From 4458af2cbe46ac9648ac1ad0a770cbd086ebb5c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Jun 2023 16:19:11 +0800
+Subject: net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure
+
+From: Lin Ma
+
+[ Upstream commit d1e0e61d617ba17aa516db707aa871387566bbf7 ]
+
+According to all consumers code of attrs[XFRMA_SEC_CTX], like
+
+* verify_sec_ctx_len(), convert to xfrm_user_sec_ctx*
+* xfrm_state_construct(), call security_xfrm_state_alloc whose prototype
+is int security_xfrm_state_alloc(.., struct xfrm_user_sec_ctx *sec_ctx);
+* copy_from_user_sec_ctx(), convert to xfrm_user_sec_ctx *
+...
+
+It seems that the expected parsing result for XFRMA_SEC_CTX should be
+structure xfrm_user_sec_ctx, and the current xfrm_sec_ctx is confusing
+and misleading (Luckily, they happen to have same size 8 bytes).
+
+This commit amend the policy structure to xfrm_user_sec_ctx to avoid
+ambiguity.
+
+Fixes: cf5cb79f6946 ("[XFRM] netlink: Establish an attribute policy")
+Signed-off-by: Lin Ma
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_compat.c | 2 +-
+ net/xfrm/xfrm_user.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c
+index 8cbf45a8bcdc2..655fe4ff86212 100644
+--- a/net/xfrm/xfrm_compat.c
++++ b/net/xfrm/xfrm_compat.c
+@@ -108,7 +108,7 @@ static const struct nla_policy compat_policy[XFRMA_MAX+1] = {
+ [XFRMA_ALG_COMP] = { .len = sizeof(struct xfrm_algo) },
+ [XFRMA_ENCAP] = { .len = sizeof(struct xfrm_encap_tmpl) },
+ [XFRMA_TMPL] = { .len = sizeof(struct xfrm_user_tmpl) },
+- [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_sec_ctx) },
++ [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_user_sec_ctx) },
+ [XFRMA_LTIME_VAL] = { .len = sizeof(struct xfrm_lifetime_cur) },
+ [XFRMA_REPLAY_VAL] = { .len = sizeof(struct xfrm_replay_state) },
+ [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 },
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index
b2065f69c3d2c..f36fd1379effc 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2834,7 +2834,7 @@ const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
+ [XFRMA_ALG_COMP] = { .len = sizeof(struct xfrm_algo) },
+ [XFRMA_ENCAP] = { .len = sizeof(struct xfrm_encap_tmpl) },
+ [XFRMA_TMPL] = { .len = sizeof(struct xfrm_user_tmpl) },
+- [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_sec_ctx) },
++ [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_user_sec_ctx) },
+ [XFRMA_LTIME_VAL] = { .len = sizeof(struct xfrm_lifetime_cur) },
+ [XFRMA_REPLAY_VAL] = { .len = sizeof(struct xfrm_replay_state) },
+ [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 },
+--
+2.40.1
+
diff --git a/queue-5.15/net-xfrm-fix-xfrm_address_filter-oob-read.patch b/queue-5.15/net-xfrm-fix-xfrm_address_filter-oob-read.patch
new file mode 100644
index 00000000000..e2e313ede3e
--- /dev/null
+++ b/queue-5.15/net-xfrm-fix-xfrm_address_filter-oob-read.patch
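Review bot: A `.len` in an `nla_policy` entry with no `.type` is a minimum payload length, so this hunk only guarantees that the 8-byte `struct xfrm_user_sec_ctx` header is present; `ctx_len` and the trailing context bytes are still bounded only by `verify_sec_ctx_len()`, which is outside this hunk. That is fine, but swapping in the user-facing struct name invites a reader to assume the policy fully validates the attribute, so a comment on the entry helps: `/* header only; verify_sec_ctx_len() checks ctx_len against the payload */`. The same comment belongs on the `compat_policy` entry in the previous hunk so the two tables stay in step.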
@@ -0,0 +1,202 @@ +From 04a65a149752acce03ded1718743d048784e1986 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jun 2023 11:31:38 +0800 +Subject: net: xfrm: Fix xfrm_address_filter OOB read + +From: Lin Ma + +[ Upstream commit dfa73c17d55b921e1d4e154976de35317e43a93a ] + +We found below OOB crash: + +[ 44.211730] ================================================================== +[ 44.212045] BUG: KASAN: slab-out-of-bounds in memcmp+0x8b/0xb0 +[ 44.212045] Read of size 8 at addr ffff88800870f320 by task poc.xfrm/97 +[ 44.212045] +[ 44.212045] CPU: 0 PID: 97 Comm: poc.xfrm Not tainted 6.4.0-rc7-00072-gdad9774deaf1-dirty #4 +[ 44.212045] Call Trace: +[ 44.212045] +[ 44.212045] dump_stack_lvl+0x37/0x50 +[ 44.212045] print_report+0xcc/0x620 +[ 44.212045] ? __virt_addr_valid+0xf3/0x170 +[ 44.212045] ? memcmp+0x8b/0xb0 +[ 44.212045] kasan_report+0xb2/0xe0 +[ 44.212045] ? memcmp+0x8b/0xb0 +[ 44.212045] kasan_check_range+0x39/0x1c0 +[ 44.212045] memcmp+0x8b/0xb0 +[ 44.212045] xfrm_state_walk+0x21c/0x420 +[ 44.212045] ? __pfx_dump_one_state+0x10/0x10 +[ 44.212045] xfrm_dump_sa+0x1e2/0x290 +[ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10 +[ 44.212045] ? __kernel_text_address+0xd/0x40 +[ 44.212045] ? kasan_unpoison+0x27/0x60 +[ 44.212045] ? mutex_lock+0x60/0xe0 +[ 44.212045] ? __pfx_mutex_lock+0x10/0x10 +[ 44.212045] ? kasan_save_stack+0x22/0x50 +[ 44.212045] netlink_dump+0x322/0x6c0 +[ 44.212045] ? __pfx_netlink_dump+0x10/0x10 +[ 44.212045] ? mutex_unlock+0x7f/0xd0 +[ 44.212045] ? __pfx_mutex_unlock+0x10/0x10 +[ 44.212045] __netlink_dump_start+0x353/0x430 +[ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410 +[ 44.212045] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10 +[ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10 +[ 44.212045] ? __pfx_xfrm_dump_sa_done+0x10/0x10 +[ 44.212045] ? __stack_depot_save+0x382/0x4e0 +[ 44.212045] ? filter_irq_stacks+0x1c/0x70 +[ 44.212045] ? kasan_save_stack+0x32/0x50 +[ 44.212045] ? 
kasan_save_stack+0x22/0x50 +[ 44.212045] ? kasan_set_track+0x25/0x30 +[ 44.212045] ? __kasan_slab_alloc+0x59/0x70 +[ 44.212045] ? kmem_cache_alloc_node+0xf7/0x260 +[ 44.212045] ? kmalloc_reserve+0xab/0x120 +[ 44.212045] ? __alloc_skb+0xcf/0x210 +[ 44.212045] ? netlink_sendmsg+0x509/0x700 +[ 44.212045] ? sock_sendmsg+0xde/0xe0 +[ 44.212045] ? __sys_sendto+0x18d/0x230 +[ 44.212045] ? __x64_sys_sendto+0x71/0x90 +[ 44.212045] ? do_syscall_64+0x3f/0x90 +[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 44.212045] ? netlink_sendmsg+0x509/0x700 +[ 44.212045] ? sock_sendmsg+0xde/0xe0 +[ 44.212045] ? __sys_sendto+0x18d/0x230 +[ 44.212045] ? __x64_sys_sendto+0x71/0x90 +[ 44.212045] ? do_syscall_64+0x3f/0x90 +[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 44.212045] ? kasan_save_stack+0x22/0x50 +[ 44.212045] ? kasan_set_track+0x25/0x30 +[ 44.212045] ? kasan_save_free_info+0x2e/0x50 +[ 44.212045] ? __kasan_slab_free+0x10a/0x190 +[ 44.212045] ? kmem_cache_free+0x9c/0x340 +[ 44.212045] ? netlink_recvmsg+0x23c/0x660 +[ 44.212045] ? sock_recvmsg+0xeb/0xf0 +[ 44.212045] ? __sys_recvfrom+0x13c/0x1f0 +[ 44.212045] ? __x64_sys_recvfrom+0x71/0x90 +[ 44.212045] ? do_syscall_64+0x3f/0x90 +[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 44.212045] ? copyout+0x3e/0x50 +[ 44.212045] netlink_rcv_skb+0xd6/0x210 +[ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10 +[ 44.212045] ? __pfx_netlink_rcv_skb+0x10/0x10 +[ 44.212045] ? __pfx_sock_has_perm+0x10/0x10 +[ 44.212045] ? mutex_lock+0x8d/0xe0 +[ 44.212045] ? __pfx_mutex_lock+0x10/0x10 +[ 44.212045] xfrm_netlink_rcv+0x44/0x50 +[ 44.212045] netlink_unicast+0x36f/0x4c0 +[ 44.212045] ? __pfx_netlink_unicast+0x10/0x10 +[ 44.212045] ? netlink_recvmsg+0x500/0x660 +[ 44.212045] netlink_sendmsg+0x3b7/0x700 +[ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10 +[ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10 +[ 44.212045] sock_sendmsg+0xde/0xe0 +[ 44.212045] __sys_sendto+0x18d/0x230 +[ 44.212045] ? 
__pfx___sys_sendto+0x10/0x10 +[ 44.212045] ? rcu_core+0x44a/0xe10 +[ 44.212045] ? __rseq_handle_notify_resume+0x45b/0x740 +[ 44.212045] ? _raw_spin_lock_irq+0x81/0xe0 +[ 44.212045] ? __pfx___rseq_handle_notify_resume+0x10/0x10 +[ 44.212045] ? __pfx_restore_fpregs_from_fpstate+0x10/0x10 +[ 44.212045] ? __pfx_blkcg_maybe_throttle_current+0x10/0x10 +[ 44.212045] ? __pfx_task_work_run+0x10/0x10 +[ 44.212045] __x64_sys_sendto+0x71/0x90 +[ 44.212045] do_syscall_64+0x3f/0x90 +[ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 44.212045] RIP: 0033:0x44b7da +[ 44.212045] RSP: 002b:00007ffdc8838548 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 44.212045] RAX: ffffffffffffffda RBX: 00007ffdc8839978 RCX: 000000000044b7da +[ 44.212045] RDX: 0000000000000038 RSI: 00007ffdc8838770 RDI: 0000000000000003 +[ 44.212045] RBP: 00007ffdc88385b0 R08: 00007ffdc883858c R09: 000000000000000c +[ 44.212045] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 +[ 44.212045] R13: 00007ffdc8839968 R14: 00000000004c37d0 R15: 0000000000000001 +[ 44.212045] +[ 44.212045] +[ 44.212045] Allocated by task 97: +[ 44.212045] kasan_save_stack+0x22/0x50 +[ 44.212045] kasan_set_track+0x25/0x30 +[ 44.212045] __kasan_kmalloc+0x7f/0x90 +[ 44.212045] __kmalloc_node_track_caller+0x5b/0x140 +[ 44.212045] kmemdup+0x21/0x50 +[ 44.212045] xfrm_dump_sa+0x17d/0x290 +[ 44.212045] netlink_dump+0x322/0x6c0 +[ 44.212045] __netlink_dump_start+0x353/0x430 +[ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410 +[ 44.212045] netlink_rcv_skb+0xd6/0x210 +[ 44.212045] xfrm_netlink_rcv+0x44/0x50 +[ 44.212045] netlink_unicast+0x36f/0x4c0 +[ 44.212045] netlink_sendmsg+0x3b7/0x700 +[ 44.212045] sock_sendmsg+0xde/0xe0 +[ 44.212045] __sys_sendto+0x18d/0x230 +[ 44.212045] __x64_sys_sendto+0x71/0x90 +[ 44.212045] do_syscall_64+0x3f/0x90 +[ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 44.212045] +[ 44.212045] The buggy address belongs to the object at ffff88800870f300 +[ 44.212045] which belongs to the cache 
kmalloc-64 of size 64 +[ 44.212045] The buggy address is located 32 bytes inside of +[ 44.212045] allocated 36-byte region [ffff88800870f300, ffff88800870f324) +[ 44.212045] +[ 44.212045] The buggy address belongs to the physical page: +[ 44.212045] page:00000000e4de16ee refcount:1 mapcount:0 mapping:000000000 ... +[ 44.212045] flags: 0x100000000000200(slab|node=0|zone=1) +[ 44.212045] page_type: 0xffffffff() +[ 44.212045] raw: 0100000000000200 ffff888004c41640 dead000000000122 0000000000000000 +[ 44.212045] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 +[ 44.212045] page dumped because: kasan: bad access detected +[ 44.212045] +[ 44.212045] Memory state around the buggy address: +[ 44.212045] ffff88800870f200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 44.212045] ffff88800870f280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc +[ 44.212045] >ffff88800870f300: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc +[ 44.212045] ^ +[ 44.212045] ffff88800870f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 44.212045] ffff88800870f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 44.212045] ================================================================== + +By investigating the code, we find the root cause of this OOB is the lack +of checks in xfrm_dump_sa(). The buggy code allows a malicious user to pass +arbitrary value of filter->splen/dplen. Hence, with crafted xfrm states, +the attacker can achieve 8 bytes heap OOB read, which causes info leak. + + if (attrs[XFRMA_ADDRESS_FILTER]) { + filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]), + sizeof(*filter), GFP_KERNEL); + if (filter == NULL) + return -ENOMEM; + // NO MORE CHECKS HERE !!! + } + +This patch fixes the OOB by adding necessary boundary checks, just like +the code in pfkey_dump() function. 
+
+Fixes: d3623099d350 ("ipsec: add support of limited SA dump")
+Signed-off-by: Lin Ma
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_user.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index eb0952dbf4236..b2065f69c3d2c 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1159,6 +1159,15 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
+ sizeof(*filter), GFP_KERNEL);
+ if (filter == NULL)
+ return -ENOMEM;
++
++ /* see addr_match(), (prefix length >> 5) << 2
++ * will be used to compare xfrm_address_t
++ */
++ if (filter->splen > (sizeof(xfrm_address_t) << 3) ||
++ filter->dplen > (sizeof(xfrm_address_t) << 3)) {
++ kfree(filter);
++ return -EINVAL;
++ }
+ }
+
+ if (attrs[XFRMA_PROTO])
+--
+2.40.1
+
diff --git a/queue-5.15/netfilter-nf_tables-deactivate-catchall-elements-in-.patch b/queue-5.15/netfilter-nf_tables-deactivate-catchall-elements-in-.patch
new file mode 100644
index 00000000000..0589d0f9d67
--- /dev/null
+++ b/queue-5.15/netfilter-nf_tables-deactivate-catchall-elements-in-.patch
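Review bot: The bound check runs on the `kmemdup()` copy, so every rejected dump request pays for an allocation and a `kfree()` before returning `-EINVAL`; validating the attribute payload first keeps the error path allocation-free and removes the extra cleanup branch: `const struct xfrm_address_filter *f = nla_data(attrs[XFRMA_ADDRESS_FILTER]);` followed by the same `splen`/`dplen` comparison, and only then the `kmemdup()`. As in the af_key fix earlier on this page the bound is family-agnostic (128 is accepted for an AF_INET filter), which is still within `sizeof(xfrm_address_t)` and therefore safe, but the comment should say the limit is inclusive. `xfrm_dump_sa()` continues outside the hunk and nothing visible here checks `filter->family`, which the state walk presumably handles.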
@@ -0,0 +1,48 @@
+From ae4280765e0fae8b9020f63ed316191af1eb5ba3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Aug 2023 13:05:16 +0200
+Subject: netfilter: nf_tables: deactivate catchall elements in next generation
+
+From: Florian Westphal
+
+[ Upstream commit 90e5b3462efa37b8bba82d7c4e63683856e188af ]
+
+When flushing, individual set elements are disabled in the next
+generation via the ->flush callback.
+
+Catchall elements are not disabled. This is incorrect and may lead to
+double-deactivations of catchall elements which then results in memory
+leaks:
+
+WARNING: CPU: 1 PID: 3300 at include/net/netfilter/nf_tables.h:1172 nft_map_deactivate+0x549/0x730
+CPU: 1 PID: 3300 Comm: nft Not tainted 6.5.0-rc5+ #60
+RIP: 0010:nft_map_deactivate+0x549/0x730
+ [..]
+ ? nft_map_deactivate+0x549/0x730
+ nf_tables_delset+0xb66/0xeb0
+
+(the warn is due to nft_use_dec() detecting underflow).
+
+Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support")
+Reported-by: lonial con
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 1e84314fe334a..1e2d1e4bdb74d 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6719,6 +6719,7 @@ static int nft_set_catchall_flush(const struct nft_ctx *ctx,
+ ret = __nft_set_catchall_flush(ctx, set, &elem);
+ if (ret < 0)
+ break;
++ nft_set_elem_change_active(ctx->net, set, ext);
+ }
+
+ return ret;
+--
+2.40.1
+
diff --git a/queue-5.15/netfilter-nf_tables-fix-false-positive-lockdep-splat.patch b/queue-5.15/netfilter-nf_tables-fix-false-positive-lockdep-splat.patch
new file mode 100644
index 00000000000..7d6208633da
--- /dev/null
+++ b/queue-5.15/netfilter-nf_tables-fix-false-positive-lockdep-splat.patch
@@ -0,0 +1,70 @@
+From 172263b50015b92afba4c922db52578f8428324f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Aug 2023 20:40:17 +0200
+Subject: netfilter: nf_tables: fix false-positive lockdep splat
+
+From: Florian Westphal
+
+[ Upstream commit b9f052dc68f69dac89fe1e24693354c033daa091 ]
+
+->abort invocation may cause splat on debug kernels:
+
+WARNING: suspicious RCU usage
+net/netfilter/nft_set_pipapo.c:1697 suspicious rcu_dereference_check() usage!
+[..]
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by nft/133554: [..] (nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid
+[..]
+ lockdep_rcu_suspicious+0x1ad/0x260
+ nft_pipapo_abort+0x145/0x180
+ __nf_tables_abort+0x5359/0x63d0
+ nf_tables_abort+0x24/0x40
+ nfnetlink_rcv+0x1a0a/0x22c0
+ netlink_unicast+0x73c/0x900
+ netlink_sendmsg+0x7f0/0xc20
+ ____sys_sendmsg+0x48d/0x760
+
+Transaction mutex is held, so parallel updates are not possible.
+Switch to _protected and check mutex is held for lockdep enabled builds.
+
+Fixes: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_set_pipapo.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index a81829c10feab..32cfd0a84b0e2 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -1665,6 +1665,17 @@ static void nft_pipapo_commit(const struct nft_set *set)
+ priv->clone = new_clone;
+ }
+
++static bool nft_pipapo_transaction_mutex_held(const struct nft_set *set)
++{
++#ifdef CONFIG_PROVE_LOCKING
++ const struct net *net = read_pnet(&set->net);
++
++ return lockdep_is_held(&nft_pernet(net)->commit_mutex);
++#else
++ return true;
++#endif
++}
++
+ static void nft_pipapo_abort(const struct nft_set *set)
+ {
+ struct nft_pipapo *priv = nft_set_priv(set);
+@@ -1673,7 +1684,7 @@ static void nft_pipapo_abort(const struct nft_set *set)
+ if (!priv->dirty)
+ return;
+
+- m = rcu_dereference(priv->match);
++ m = rcu_dereference_protected(priv->match, nft_pipapo_transaction_mutex_held(set));
+
+ new_clone = pipapo_clone(m);
+ if (IS_ERR(new_clone))
+--
+2.40.1
+
diff --git a/queue-5.15/netfilter-nft_dynset-disallow-object-maps.patch b/queue-5.15/netfilter-nft_dynset-disallow-object-maps.patch
new file mode 100644
index 00000000000..7a417256092
--- /dev/null
+++ b/queue-5.15/netfilter-nft_dynset-disallow-object-maps.patch
@@ -0,0 +1,36 @@
+From eba1345393572378468a72bd4482f028401a6fc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Aug 2023 15:39:02 +0200
+Subject: netfilter: nft_dynset: disallow object maps
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 23185c6aed1ffb8fc44087880ba2767aba493779 ]
+
+Do not allow to insert elements from datapath to objects maps.
+
+Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to set elements")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_dynset.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index 29c7ae8789e95..73e606372b05d 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -191,6 +191,9 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
+ if (IS_ERR(set))
+ return PTR_ERR(set);
+
++ if (set->flags & NFT_SET_OBJECT)
++ return -EOPNOTSUPP;
++
+ if (set->ops->update == NULL)
+ return -EOPNOTSUPP;
+
+--
+2.40.1
+
diff --git a/queue-5.15/riscv-uaccess-return-the-number-of-bytes-effectively.patch b/queue-5.15/riscv-uaccess-return-the-number-of-bytes-effectively.patch
new file mode 100644
index 00000000000..4c6f51bb884
--- /dev/null
+++ b/queue-5.15/riscv-uaccess-return-the-number-of-bytes-effectively.patch
@@ -0,0 +1,91 @@
+From cb0ceddaa7664e3d6ab84521cf992351f6b8e0ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Aug 2023 17:06:04 +0200
+Subject: riscv: uaccess: Return the number of bytes effectively not copied
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexandre Ghiti
+
+[ Upstream commit 4b05b993900dd3eba0fc83ef5c5ddc7d65d786c6 ]
+
+It was reported that the riscv kernel hangs while executing the test
+in [1].
+
+Indeed, the test hangs when trying to write a buffer to a file. The
+problem is that the riscv implementation of raw_copy_from_user() does not
+return the correct number of bytes not written when an exception happens
+and is fixed up, instead it always returns the initial size to copy,
+even if some bytes were actually copied.
+
+generic_perform_write() pre-faults the user pages and bails out if nothing
+can be written, otherwise it will access the userspace buffer: here the
+riscv implementation keeps returning it was not able to copy any byte
+though the pre-faulting indicates otherwise. So generic_perform_write()
+keeps retrying to access the user memory and ends up in an infinite
+loop.
+
+Note that before the commit mentioned in [1] that introduced this
+regression, it worked because generic_perform_write() would bail out if
+only one byte could not be written.
+
+So fix this by returning the number of bytes effectively not written in
+__asm_copy_[to|from]_user() and __clear_user(), as it is expected.
+
+Link: https://lore.kernel.org/linux-riscv/20230309151841.bomov6hq3ybyp42a@debian/ [1]
+Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
+Reported-by: Bo YU
+Closes: https://lore.kernel.org/linux-riscv/20230309151841.bomov6hq3ybyp42a@debian/#t
+Reported-by: Aurelien Jarno
+Closes: https://lore.kernel.org/linux-riscv/ZNOnCakhwIeue3yr@aurel32.net/
+Signed-off-by: Alexandre Ghiti
+Reviewed-by: Björn Töpel
+Tested-by: Aurelien Jarno
+Reviewed-by: Aurelien Jarno
+Link: https://lore.kernel.org/r/20230811150604.1621784-1-alexghiti@rivosinc.com
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/lib/uaccess.S | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
+index 2c7c1c5026af3..4fe436a0eec2c 100644
+--- a/arch/riscv/lib/uaccess.S
++++ b/arch/riscv/lib/uaccess.S
+@@ -19,8 +19,11 @@ ENTRY(__asm_copy_from_user)
+ li t6, SR_SUM
+ csrs CSR_STATUS, t6
+
+- /* Save for return value */
+- mv t5, a2
++ /*
++ * Save the terminal address which will be used to compute the number
++ * of bytes copied in case of a fixup exception.
++ */
++ add t5, a0, a2
+
+ /*
+ * Register allocation for code below:
+@@ -178,7 +181,7 @@ ENTRY(__asm_copy_from_user)
+ 10:
+ /* Disable access to user memory */
+ csrc CSR_STATUS, t6
+- mv a0, t5
++ sub a0, t5, a0
+ ret
+ ENDPROC(__asm_copy_to_user)
+ ENDPROC(__asm_copy_from_user)
+@@ -230,7 +233,7 @@ ENTRY(__clear_user)
+ 11:
+ /* Disable access to user memory */
+ csrc CSR_STATUS, t6
+- mv a0, a1
++ sub a0, a3, a0
+ ret
+ ENDPROC(__clear_user)
+ EXPORT_SYMBOL(__clear_user)
+--
+2.40.1
+
diff --git a/queue-5.15/selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch b/queue-5.15/selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch
new file mode 100644
index 00000000000..cc3840af08e
--- /dev/null
+++ b/queue-5.15/selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch
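Review bot: The `__clear_user` hunk switches the fixup return to `sub a0, a3, a0` with no comment, while the `__asm_copy_from_user` hunk explains that `t5` now holds the terminal address. Nothing in this hunk shows where `a3` is set, so the reader has to take on trust that it is the end address of the cleared range; a one-line comment above the `sub`, such as `/* a3 holds the terminal address: return the number of bytes not cleared */`, would make the fixup path self-describing. The `10:` fixup in the copy routine would benefit from the same kind of comment on its `sub a0, t5, a0`. Both enclosing routines start outside the hunks.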
@@ -0,0 +1,48 @@
+From 75e17d1f2bc76b3d3b3fc41d47a442bca76010f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Aug 2023 17:59:27 +0200
+Subject: selftests: mirror_gre_changes: Tighten up the TTL test match
+
+From: Petr Machata
+
+[ Upstream commit 855067defa36b1f9effad8c219d9a85b655cf500 ]
+
+This test verifies whether the encapsulated packets have the correct
+configured TTL. It does so by sending ICMP packets through the test
+topology and mirroring them to a gretap netdevice. On a busy host
+however, more than just the test ICMP packets may end up flowing
+through the topology, get mirrored, and counted. This leads to
+potential spurious failures as the test observes much more mirrored
+packets than the sent test packets, and assumes a bug.
+
+Fix this by tightening up the mirror action match. Change it from
+matchall to a flower classifier matching on ICMP packets specifically.
+
+Fixes: 45315673e0c5 ("selftests: forwarding: Test changes in mirror-to-gretap")
+Signed-off-by: Petr Machata
+Tested-by: Mirsad Todorovac
+Reviewed-by: Ido Schimmel
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/forwarding/mirror_gre_changes.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/forwarding/mirror_gre_changes.sh b/tools/testing/selftests/net/forwarding/mirror_gre_changes.sh
+index 472bd023e2a5f..b501b366367f7 100755
+--- a/tools/testing/selftests/net/forwarding/mirror_gre_changes.sh
++++ b/tools/testing/selftests/net/forwarding/mirror_gre_changes.sh
+@@ -72,7 +72,8 @@ test_span_gre_ttl()
+
+ RET=0
+
+- mirror_install $swp1 ingress $tundev "matchall $tcflags"
++ mirror_install $swp1 ingress $tundev \
++ "prot ip flower $tcflags ip_prot icmp"
+ tc filter add dev $h3 ingress pref 77 prot $prot \
+ flower ip_ttl 50 action pass
+
+--
+2.40.1
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 8c3470d5ab7..496d6bf9e54 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -80,3 +80,37 @@ tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.
 btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch
 i2c-designware-correct-length-byte-validation-logic.patch
 i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch
+net-xfrm-fix-xfrm_address_filter-oob-read.patch
+net-af_key-fix-sadb_x_filter-validation.patch
+net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch
+xfrm-fix-slab-use-after-free-in-decode_session6.patch
+ip6_vti-fix-slab-use-after-free-in-decode_session6.patch
+ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch
+xfrm-add-null-check-in-xfrm_update_ae_params.patch
+xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch
+net-phy-fix-irq-based-wake-on-lan-over-hibernate-pow.patch
+selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch
+drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch
+netfilter-nf_tables-fix-false-positive-lockdep-splat.patch
+netfilter-nf_tables-deactivate-catchall-elements-in-.patch
+ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch
+netfilter-nft_dynset-disallow-object-maps.patch
+net-phy-broadcom-stub-c45-read-write-for-54810.patch
+team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch
+iavf-fix-fdir-rule-fields-masks-validation.patch
+i40e-fix-misleading-debug-logs.patch
+net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch
+sock-fix-misuse-of-sk_under_memory_pressure.patch
+net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch
+bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch
+arm64-dts-qcom-qrb5165-rb5-fix-thermal-zone-conflict.patch
+arm-dts-imx-set-default-tuning-step-for-imx6sx-usdhc.patch
+asoc-rt5665-add-missed-regulator_bulk_disable.patch
+asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch
+soc-aspeed-socinfo-add-kfree-for-kstrdup.patch
+x86-srso-disable-the-mitigation-on-unaffected-config.patch
+x86-cpu-fix-up-srso_safe_ret-and-__x86_return_thunk.patch
+alsa-hda-realtek-remodified-3k-pull-low-procedure.patch
+riscv-uaccess-return-the-number-of-bytes-effectively.patch
+x86-static_call-fix-__static_call_fixup.patch
+x86-srso-correct-the-mitigation-status-when-smt-is-d.patch
diff --git a/queue-5.15/soc-aspeed-socinfo-add-kfree-for-kstrdup.patch b/queue-5.15/soc-aspeed-socinfo-add-kfree-for-kstrdup.patch
new file mode 100644
index 00000000000..1be8cf98e72
--- /dev/null
+++ b/queue-5.15/soc-aspeed-socinfo-add-kfree-for-kstrdup.patch
@@ -0,0 +1,37 @@
+From 14a7145d30f1a4add2c71c050b3328a31ffad5d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Aug 2023 22:01:04 +0930
+Subject: soc: aspeed: socinfo: Add kfree for kstrdup
+
+From: Jiasheng Jiang
+
+[ Upstream commit 6e6d847a8ce18ab2fbec4f579f682486a82d2c6b ]
+
+Add kfree() in the later error handling in order to avoid memory leak.
+
+Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver")
+Signed-off-by: Jiasheng Jiang
+Link: https://lore.kernel.org/r/20230707021625.7727-1-jiasheng@iscas.ac.cn
+Signed-off-by: Joel Stanley
+Link: https://lore.kernel.org/r/20230810123104.231167-1-joel@jms.id.au
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/aspeed/aspeed-socinfo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c
+index 1ca140356a084..3f759121dc00a 100644
+--- a/drivers/soc/aspeed/aspeed-socinfo.c
++++ b/drivers/soc/aspeed/aspeed-socinfo.c
+@@ -137,6 +137,7 @@ static int __init aspeed_socinfo_init(void)
+
+ soc_dev = soc_device_register(attrs);
+ if (IS_ERR(soc_dev)) {
++ kfree(attrs->machine);
+ kfree(attrs->soc_id);
+ kfree(attrs->serial_number);
+ kfree(attrs);
+--
+2.40.1
+
diff --git a/queue-5.15/sock-fix-misuse-of-sk_under_memory_pressure.patch b/queue-5.15/sock-fix-misuse-of-sk_under_memory_pressure.patch
new file mode 100644
index 00000000000..746531b515a
--- /dev/null
+++ b/queue-5.15/sock-fix-misuse-of-sk_under_memory_pressure.patch
@@ -0,0 +1,74 @@
+From 3bf1c69d5e42920eb5906bb683a9a1add142e538 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Aug 2023 17:12:22 +0800
+Subject: sock: Fix misuse of sk_under_memory_pressure()
+
+From: Abel Wu
+
+[ Upstream commit 2d0c88e84e483982067a82073f6125490ddf3614 ]
+
+The status of global socket memory pressure is updated when:
+
+ a) __sk_mem_raise_allocated():
+
+ enter: sk_memory_allocated(sk) > sysctl_mem[1]
+ leave: sk_memory_allocated(sk) <= sysctl_mem[0]
+
+ b) __sk_mem_reduce_allocated():
+
+ leave: sk_under_memory_pressure(sk) &&
+ sk_memory_allocated(sk) < sysctl_mem[0]
+
+So the conditions of leaving global pressure are inconstant, which
+may lead to the situation that one pressured net-memcg prevents the
+global pressure from being cleared when there is indeed no global
+pressure, thus the global constrains are still in effect unexpectedly
+on the other sockets.
+
+This patch fixes this by ignoring the net-memcg's pressure when
+deciding whether should leave global memory pressure.
+
+Fixes: e1aab161e013 ("socket: initial cgroup code.")
+Signed-off-by: Abel Wu
+Acked-by: Shakeel Butt
+Link: https://lore.kernel.org/r/20230816091226.1542-1-wuyun.abel@bytedance.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/sock.h | 6 ++++++
+ net/core/sock.c | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 93a6717213aeb..6b12b62417e08 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1381,6 +1381,12 @@ static inline bool sk_has_memory_pressure(const struct sock *sk)
+ return sk->sk_prot->memory_pressure != NULL;
+ }
+
++static inline bool sk_under_global_memory_pressure(const struct sock *sk)
++{
++ return sk->sk_prot->memory_pressure &&
++ !!*sk->sk_prot->memory_pressure;
++}
++
+ static inline bool sk_under_memory_pressure(const struct sock *sk)
+ {
+ if (!sk->sk_prot->memory_pressure)
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 1f9401d757cbb..ae1e9e2b82557 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2880,7 +2880,7 @@ void __sk_mem_reduce_allocated(struct sock *sk, int amount)
+ if (mem_cgroup_sockets_enabled && sk->sk_memcg)
+ mem_cgroup_uncharge_skmem(sk->sk_memcg, amount);
+
+- if (sk_under_memory_pressure(sk) &&
++ if (sk_under_global_memory_pressure(sk) &&
+ (sk_memory_allocated(sk) < sk_prot_mem_limits(sk, 0)))
+ sk_leave_memory_pressure(sk);
+ }
+--
+2.40.1
+
diff --git a/queue-5.15/team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch b/queue-5.15/team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch
new file mode 100644
index 00000000000..64a43fc94d9
--- /dev/null
+++ b/queue-5.15/team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch
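Review bot: `sk_under_global_memory_pressure()` is introduced in `include/net/sock.h` without a comment, and the trailing context shows a near-identical `sk_under_memory_pressure()` whose body continues outside the hunk, so the distinction the commit message draws — protocol-wide pressure versus a net-memcg's pressure — is not visible where the helper is defined. A short comment above it, e.g. `/* Protocol-wide (global) memory pressure only; per the fix's intent, unlike sk_under_memory_pressure() this does not consult the socket's memcg. */`, would stop the two from being used interchangeably. The `net/core/sock.c` hunk sits inside `__sk_mem_reduce_allocated()`, which starts outside the hunk.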
@@ -0,0 +1,54 @@
+From feaf4edb94a02c1f901b4d0739fd62fbf50187e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Aug 2023 11:23:01 +0800
+Subject: team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
+
+From: Ziyang Xuan
+
+[ Upstream commit dafcbce07136d799edc4c67f04f9fd69ff1eac1f ]
+
+Similar to commit 01f4fd270870 ("bonding: Fix incorrect deletion of
+ETH_P_8021AD protocol vid from slaves"), we can trigger BUG_ON(!vlan_info)
+in unregister_vlan_dev() with the following testcase:
+
+ # ip netns add ns1
+ # ip netns exec ns1 ip link add team1 type team
+ # ip netns exec ns1 ip link add team_slave type veth peer veth2
+ # ip netns exec ns1 ip link set team_slave master team1
+ # ip netns exec ns1 ip link add link team_slave name team_slave.10 type vlan id 10 protocol 802.1ad
+ # ip netns exec ns1 ip link add link team1 name team1.10 type vlan id 10 protocol 802.1ad
+ # ip netns exec ns1 ip link set team_slave nomaster
+ # ip netns del ns1
+
+Add S-VLAN tag related features support to team driver. So the team driver
+will always propagate the VLAN info to its slaves.
+
+Fixes: 8ad227ff89a7 ("net: vlan: add 802.1ad support")
+Suggested-by: Ido Schimmel
+Signed-off-by: Ziyang Xuan
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230814032301.2804971-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/team/team.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 4dfa9c610974a..f99df92d211e2 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2195,7 +2195,9 @@ static void team_setup(struct net_device *dev)
+
+ dev->hw_features = TEAM_VLAN_FEATURES |
+ NETIF_F_HW_VLAN_CTAG_RX |
+- NETIF_F_HW_VLAN_CTAG_FILTER;
++ NETIF_F_HW_VLAN_CTAG_FILTER |
++ NETIF_F_HW_VLAN_STAG_RX |
++ NETIF_F_HW_VLAN_STAG_FILTER;
+
+ dev->hw_features |= NETIF_F_GSO_ENCAP_ALL;
+ dev->features |= dev->hw_features;
+--
+2.40.1
+
diff --git a/queue-5.15/x86-cpu-fix-up-srso_safe_ret-and-__x86_return_thunk.patch b/queue-5.15/x86-cpu-fix-up-srso_safe_ret-and-__x86_return_thunk.patch
new file mode 100644
index 00000000000..c39a1b9c5b0
--- /dev/null
+++ b/queue-5.15/x86-cpu-fix-up-srso_safe_ret-and-__x86_return_thunk.patch
@@ -0,0 +1,53 @@
+From bc6163e84da235b393d09fc25a9cb9d8cfdef8bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Aug 2023 13:44:28 +0200
+Subject: x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk()
+
+From: Peter Zijlstra
+
+[ Upstream commit af023ef335f13c8b579298fc432daeef609a9e60 ]
+
+ vmlinux.o: warning: objtool: srso_untrain_ret() falls through to next function __x86_return_skl()
+ vmlinux.o: warning: objtool: __x86_return_thunk() falls through to next function __x86_return_skl()
+
+This is because these functions (can) end with CALL, which objtool
+does not consider a terminating instruction. Therefore, replace the
+INT3 instruction (which is a non-fatal trap) with UD2 (which is a
+fatal-trap).
+
+This indicates execution will not continue past this point.
+
+Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation")
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Borislav Petkov (AMD)
+Link: https://lore.kernel.org/r/20230814121148.637802730@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/x86/lib/retpoline.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S
+index 5f7eed97487ec..a0fa45e8a87cd 100644
+--- a/arch/x86/lib/retpoline.S
++++ b/arch/x86/lib/retpoline.S
+@@ -199,7 +199,7 @@ SYM_INNER_LABEL(srso_safe_ret, SYM_L_GLOBAL)
+ int3
+ lfence
+ call srso_safe_ret
+- int3
++ ud2
+ SYM_CODE_END(srso_safe_ret)
+ SYM_FUNC_END(srso_untrain_ret)
+ __EXPORT_THUNK(srso_untrain_ret)
+@@ -207,7 +207,7 @@ __EXPORT_THUNK(srso_untrain_ret)
+ SYM_FUNC_START(__x86_return_thunk)
+ ALTERNATIVE_2 "jmp __ret", "call srso_safe_ret", X86_FEATURE_SRSO, \
+ "call srso_safe_ret_alias", X86_FEATURE_SRSO_ALIAS
+- int3
++ ud2
+ SYM_CODE_END(__x86_return_thunk)
+ EXPORT_SYMBOL(__x86_return_thunk)
+
+--
+2.40.1
+
diff --git a/queue-5.15/x86-srso-correct-the-mitigation-status-when-smt-is-d.patch b/queue-5.15/x86-srso-correct-the-mitigation-status-when-smt-is-d.patch
new file mode 100644
index 00000000000..771d40926dc
--- /dev/null
+++ b/queue-5.15/x86-srso-correct-the-mitigation-status-when-smt-is-d.patch
@@ -0,0 +1,48 @@
+From e5b6912ca25e39c24687201aab3f95243aeb69e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Aug 2023 11:53:13 +0200
+Subject: x86/srso: Correct the mitigation status when SMT is disabled
+
+From: Borislav Petkov (AMD)
+
+[ Upstream commit 6405b72e8d17bd1875a56ae52d23ec3cd51b9d66 ]
+
+Specify how is SRSO mitigated when SMT is disabled. Also, correct the
+SMT check for that.
+
+Fixes: e9fbc47b818b ("x86/srso: Disable the mitigation on unaffected configurations")
+Suggested-by: Josh Poimboeuf
+Signed-off-by: Borislav Petkov (AMD)
+Acked-by: Josh Poimboeuf
+Link: https://lore.kernel.org/r/20230814200813.p5czl47zssuej7nv@treble
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/cpu/bugs.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 6e107df443230..d556f7f481bff 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -2388,8 +2388,7 @@ static void __init srso_select_mitigation(void)
+ * Zen1/2 with SMT off aren't vulnerable after the right
+ * IBPB microcode has been applied.
+ */
+- if ((boot_cpu_data.x86 < 0x19) &&
+- (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
++ if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) {
+ setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
+ return;
+ }
+@@ -2675,7 +2674,7 @@ static ssize_t gds_show_state(char *buf)
+ static ssize_t srso_show_state(char *buf)
+ {
+ if (boot_cpu_has(X86_FEATURE_SRSO_NO))
+- return sysfs_emit(buf, "Not affected\n");
++ return sysfs_emit(buf, "Mitigation: SMT disabled\n");
+
+ return sysfs_emit(buf, "%s%s\n",
+ srso_strings[srso_mitigation],
+--
+2.40.1
+
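Review bot: The context comment kept in the first hunk says Zen1/2 with SMT off are not vulnerable `after the right IBPB microcode has been applied`, but the rewritten condition `if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible())` forces `X86_FEATURE_SRSO_NO` without checking for that microcode, and `srso_show_state()` then reports `Mitigation: SMT disabled` for every path that sets the flag. A microcode helper does exist — the sibling patch `x86-srso-disable-the-mitigation-on-unaffected-config.patch` in this same commit shows `cpu_has_ibpb_brtype_microcode()` used in the fall-through string — so either the Zen1/2 branch should also require it, or the comment should drop the microcode qualifier so the code and its justification agree. I cannot tell which is intended from the hunk, since `srso_select_mitigation()` starts outside it and may already test microcode earlier.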
diff --git a/queue-5.15/x86-srso-disable-the-mitigation-on-unaffected-config.patch b/queue-5.15/x86-srso-disable-the-mitigation-on-unaffected-config.patch
new file mode 100644
index 00000000000..02c8ff5ed34
--- /dev/null
+++ b/queue-5.15/x86-srso-disable-the-mitigation-on-unaffected-config.patch
@@ -0,0 +1,50 @@
+From 38c1a8c0d7db7556b070d6ed82f07fb0e914c3d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 13 Aug 2023 12:39:34 +0200
+Subject: x86/srso: Disable the mitigation on unaffected configurations
+
+From: Borislav Petkov (AMD)
+
+[ Upstream commit e9fbc47b818b964ddff5df5b2d5c0f5f32f4a147 ]
+
+Skip the srso cmd line parsing which is not needed on Zen1/2 with SMT
+disabled and with the proper microcode applied (latter should be the
+case anyway) as those are not affected.
+
+Fixes: 5a15d8348881 ("x86/srso: Tie SBPB bit setting to microcode patch detection")
+Signed-off-by: Borislav Petkov (AMD)
+Link: https://lore.kernel.org/r/20230813104517.3346-1-bp@alien8.de
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/cpu/bugs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 73dad1400633e..6e107df443230 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -2389,8 +2389,10 @@ static void __init srso_select_mitigation(void)
+ * IBPB microcode has been applied.
+ */
+ if ((boot_cpu_data.x86 < 0x19) &&
+- (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED)))
++ (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
+ setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
++ return;
++ }
+ }
+
+ if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
+@@ -2672,6 +2674,9 @@ static ssize_t gds_show_state(char *buf)
+
+ static ssize_t srso_show_state(char *buf)
+ {
++ if (boot_cpu_has(X86_FEATURE_SRSO_NO))
++ return sysfs_emit(buf, "Not affected\n");
++
+ return sysfs_emit(buf, "%s%s\n",
+ srso_strings[srso_mitigation],
+ (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode"));
+--
+2.40.1
+
diff --git a/queue-5.15/x86-static_call-fix-__static_call_fixup.patch b/queue-5.15/x86-static_call-fix-__static_call_fixup.patch
new file mode 100644
index 00000000000..3c35d2eb1e2
--- /dev/null
+++ b/queue-5.15/x86-static_call-fix-__static_call_fixup.patch 
@@ -0,0 +1,56 @@
+From 0377908ba0e128c01c25bb82cfce0107c9681897 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Aug 2023 12:44:19 +0200
+Subject: x86/static_call: Fix __static_call_fixup()
+
+From: Peter Zijlstra
+
+[ Upstream commit 54097309620ef0dc2d7083783dc521c6a5fef957 ]
+
+Christian reported spurious module load crashes after some of Song's
+module memory layout patches.
+
+Turns out that if the very last instruction on the very last page of the
+module is a 'JMP __x86_return_thunk' then __static_call_fixup() will
+trip a fault and die.
+
+And while the module rework made this slightly more likely to happen,
+it's always been possible.
+
+Fixes: ee88d363d156 ("x86,static_call: Use alternative RET encoding")
+Reported-by: Christian Bricart
+Signed-off-by: Peter Zijlstra (Intel)
+Acked-by: Josh Poimboeuf
+Link: https://lkml.kernel.org/r/20230816104419.GA982867@hirez.programming.kicks-ass.net
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/static_call.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/arch/x86/kernel/static_call.c b/arch/x86/kernel/static_call.c
+index 2fc4f96702e62..b48b659ccf6fb 100644
+--- a/arch/x86/kernel/static_call.c
++++ b/arch/x86/kernel/static_call.c
+@@ -135,6 +135,19 @@ EXPORT_SYMBOL_GPL(arch_static_call_transform);
+ */
+ bool __static_call_fixup(void *tramp, u8 op, void *dest)
+ {
++ unsigned long addr = (unsigned long)tramp;
++ /*
++ * Not all .return_sites are a static_call trampoline (most are not).
++ * Check if the 3 bytes after the return are still kernel text, if not,
++ * then this definitely is not a trampoline and we need not worry
++ * further.
++ *
++ * This avoids the memcmp() below tripping over pagefaults etc..
++ */
++ if (((addr >> PAGE_SHIFT) != ((addr + 7) >> PAGE_SHIFT)) &&
++ !kernel_text_address(addr + 7))
++ return false;
++
+ if (memcmp(tramp+5, tramp_ud, 3)) {
+ /* Not a trampoline site, not our problem. */
+ return false;
+--
+2.40.1
+
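Review bot: The `7` in `addr + 7` is tied to the `memcmp(tramp+5, tramp_ud, 3)` that follows (the last byte read is `tramp+5+3-1`), but nothing in the code states that relationship, so a change to either offset would silently desynchronize the page-boundary guard from the read it protects. Naming it once, e.g. `/* memcmp() below reads tramp[5..7] */` above the `if`, or a small local such as `unsigned long last = addr + 7;` used in both the shift comparison and the `kernel_text_address()` call, would make the coupling explicit. Kernel style would also put a blank line between the `unsigned long addr` declaration and the comment block that follows it. `__static_call_fixup()` continues past the end of the hunk.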
diff --git a/queue-5.15/xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch b/queue-5.15/xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch
new file mode 100644
index 00000000000..df44f455b2f
--- /dev/null
+++ b/queue-5.15/xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch
@@ -0,0 +1,54 @@
+From ceaae450ec9d8f08e9bcbb9baa8b3bc3aa576e8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 23 Jul 2023 15:41:10 +0800
+Subject: xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH
+
+From: Lin Ma
+
+[ Upstream commit 5e2424708da7207087934c5c75211e8584d553a0 ]
+
+The previous commit 4e484b3e969b ("xfrm: rate limit SA mapping change
+message to user space") added one additional attribute named
+XFRMA_MTIMER_THRESH and described its type at compat_policy
+(net/xfrm/xfrm_compat.c).
+
+However, the author forgot to also describe the nla_policy at
+xfrma_policy (net/xfrm/xfrm_user.c). Hence, this suppose NLA_U32 (4
+bytes) value can be faked as empty (0 bytes) by a malicious user, which
+leads to 4 bytes overflow read and heap information leak when parsing
+nlattrs.
+
+To exploit this, one malicious user can spray the SLUB objects and then
+leverage this 4 bytes OOB read to leak the heap data into
+x->mapping_maxage (see xfrm_update_ae_params(...)), and leak it to
+userspace via copy_to_user_state_extra(...).
+
+The above bug is assigned CVE-2023-3773. To fix it, this commit just
+completes the nla_policy description for XFRMA_MTIMER_THRESH, which
+enforces the length check and avoids such OOB read.
+
+Fixes: 4e484b3e969b ("xfrm: rate limit SA mapping change message to user space")
+Signed-off-by: Lin Ma
+Reviewed-by: Simon Horman
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 6ff405c2cd2c1..ff56b6a0162ea 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2854,6 +2854,7 @@ const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
+ [XFRMA_SET_MARK] = { .type = NLA_U32 },
+ [XFRMA_SET_MARK_MASK] = { .type = NLA_U32 },
+ [XFRMA_IF_ID] = { .type = NLA_U32 },
++ [XFRMA_MTIMER_THRESH] = { .type = NLA_U32 },
+ };
+ EXPORT_SYMBOL_GPL(xfrma_policy);
+
+--
+2.40.1
+
diff --git a/queue-5.15/xfrm-add-null-check-in-xfrm_update_ae_params.patch b/queue-5.15/xfrm-add-null-check-in-xfrm_update_ae_params.patch
new file mode 100644
index 00000000000..4b0b515e434
--- /dev/null
+++ b/queue-5.15/xfrm-add-null-check-in-xfrm_update_ae_params.patch
@@ -0,0 +1,104 @@
+From 978502e1e064d177770896018d3bfefa89e8aeae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Jul 2023 22:51:03 +0800
+Subject: xfrm: add NULL check in xfrm_update_ae_params
+
+From: Lin Ma
+
+[ Upstream commit 00374d9b6d9f932802b55181be9831aa948e5b7c ]
+
+Normally, x->replay_esn and x->preplay_esn should be allocated at
+xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the
+xfrm_update_ae_params(...) is okay to update them. However, the current
+implementation of xfrm_new_ae(...) allows a malicious user to directly
+dereference a NULL pointer and crash the kernel like below.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0
+Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
+CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4
+RIP: 0010:memcpy_orig+0xad/0x140
+Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c
+RSP: 0018:ffff888008f57658 EFLAGS: 00000202
+RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571
+RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818
+R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000
+FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0
+Call Trace:
+
+ ? __die+0x1f/0x70
+ ? page_fault_oops+0x1e8/0x500
+ ? __pfx_is_prefetch.constprop.0+0x10/0x10
+ ? __pfx_page_fault_oops+0x10/0x10
+ ? _raw_spin_unlock_irqrestore+0x11/0x40
+ ? fixup_exception+0x36/0x460
+ ? _raw_spin_unlock_irqrestore+0x11/0x40
+ ? exc_page_fault+0x5e/0xc0
+ ? 
asm_exc_page_fault+0x26/0x30
+ ? xfrm_update_ae_params+0xd1/0x260
+ ? memcpy_orig+0xad/0x140
+ ? __pfx__raw_spin_lock_bh+0x10/0x10
+ xfrm_update_ae_params+0xe7/0x260
+ xfrm_new_ae+0x298/0x4e0
+ ? __pfx_xfrm_new_ae+0x10/0x10
+ ? __pfx_xfrm_new_ae+0x10/0x10
+ xfrm_user_rcv_msg+0x25a/0x410
+ ? __pfx_xfrm_user_rcv_msg+0x10/0x10
+ ? __alloc_skb+0xcf/0x210
+ ? stack_trace_save+0x90/0xd0
+ ? filter_irq_stacks+0x1c/0x70
+ ? __stack_depot_save+0x39/0x4e0
+ ? __kasan_slab_free+0x10a/0x190
+ ? kmem_cache_free+0x9c/0x340
+ ? netlink_recvmsg+0x23c/0x660
+ ? sock_recvmsg+0xeb/0xf0
+ ? __sys_recvfrom+0x13c/0x1f0
+ ? __x64_sys_recvfrom+0x71/0x90
+ ? do_syscall_64+0x3f/0x90
+ ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
+ ? copyout+0x3e/0x50
+ netlink_rcv_skb+0xd6/0x210
+ ? __pfx_xfrm_user_rcv_msg+0x10/0x10
+ ? __pfx_netlink_rcv_skb+0x10/0x10
+ ? __pfx_sock_has_perm+0x10/0x10
+ ? mutex_lock+0x8d/0xe0
+ ? __pfx_mutex_lock+0x10/0x10
+ xfrm_netlink_rcv+0x44/0x50
+ netlink_unicast+0x36f/0x4c0
+ ? __pfx_netlink_unicast+0x10/0x10
+ ? netlink_recvmsg+0x500/0x660
+ netlink_sendmsg+0x3b7/0x700
+
+This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit
+adds additional NULL check in xfrm_update_ae_params to fix the NPD.
+
+Fixes: d8647b79c3b7 ("xfrm: Add user interface for esn and big anti-replay windows")
+Signed-off-by: Lin Ma
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index f36fd1379effc..6ff405c2cd2c1 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -527,7 +527,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
+ struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
+ struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH];
+
+- if (re) {
++ if (re && x->replay_esn && x->preplay_esn) {
+ struct xfrm_replay_state_esn *replay_esn;
+ replay_esn = nla_data(re);
+ memcpy(x->replay_esn, replay_esn,
+-- 
+2.40.1
+
diff --git a/queue-5.15/xfrm-fix-slab-use-after-free-in-decode_session6.patch b/queue-5.15/xfrm-fix-slab-use-after-free-in-decode_session6.patch
new file mode 100644
index 00000000000..5924defcd25
--- /dev/null
+++ b/queue-5.15/xfrm-fix-slab-use-after-free-in-decode_session6.patch
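Review bot: The widened guard `++ if (re && x->replay_esn && x->preplay_esn) {` turns the NULL dereference into a silent drop: an XFRMA_REPLAY_ESN_VAL attribute sent for a state that has no ESN storage is now ignored and the request still completes as if it had been applied, and because `xfrm_update_ae_params()` is `void` (see the hunk header) the mismatch cannot be reported from here. The commit message names `xfrm_new_ae()` as the caller that lets such a request through, so that caller, outside the hunk, is the place to reject it before calling, e.g. `if (re && !x->replay_esn) { err = -EINVAL; goto out; }` adapted to its actual error path; I cannot see from here whether it already does. At minimum the new condition wants a why-comment, `/* replay_esn/preplay_esn are not allocated for every SA (see xfrm_state_construct()); a new-AE request may name one without them */`. The `memcpy()` length argument that follows is also outside the hunk, so whether it is bounded by the attribute's own length is not visible here.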
@@ -0,0 +1,122 @@
+From b1c556e997eb025ed6eee7c2f3bc9ed35e33e618 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Jul 2023 17:40:51 +0800
+Subject: xfrm: fix slab-use-after-free in decode_session6
+
+From: Zhengchao Shao
+
+[ Upstream commit 53223f2ed1ef5c90dad814daaaefea4e68a933c8 ]
+
+When the xfrm device is set to the qdisc of the sfb type, the cb field
+of the sent skb may be modified during enqueuing. Then,
+slab-use-after-free may occur when the xfrm device sends IPv6 packets.
+
+The stack information is as follows:
+BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
+Read of size 1 at addr ffff8881111458ef by task swapper/3/0
+CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
+Call Trace:
+
+dump_stack_lvl+0xd9/0x150
+print_address_description.constprop.0+0x2c/0x3c0
+kasan_report+0x11d/0x130
+decode_session6+0x103f/0x1890
+__xfrm_decode_session+0x54/0xb0
+xfrmi_xmit+0x173/0x1ca0
+dev_hard_start_xmit+0x187/0x700
+sch_direct_xmit+0x1a3/0xc30
+__qdisc_run+0x510/0x17a0
+__dev_queue_xmit+0x2215/0x3b10
+neigh_connected_output+0x3c2/0x550
+ip6_finish_output2+0x55a/0x1550
+ip6_finish_output+0x6b9/0x1270
+ip6_output+0x1f1/0x540
+ndisc_send_skb+0xa63/0x1890
+ndisc_send_rs+0x132/0x6f0
+addrconf_rs_timer+0x3f1/0x870
+call_timer_fn+0x1a0/0x580
+expire_timers+0x29b/0x4b0
+run_timer_softirq+0x326/0x910
+__do_softirq+0x1d4/0x905
+irq_exit_rcu+0xb7/0x120
+sysvec_apic_timer_interrupt+0x97/0xc0
+
+
+asm_sysvec_apic_timer_interrupt+0x1a/0x20
+RIP: 0010:intel_idle_hlt+0x23/0x30
+Code: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4
+RSP: 0018:ffffc90000197d78 EFLAGS: 00000246
+RAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5
+RDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50
+RBP: 
ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d
+R10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001
+R13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000
+cpuidle_enter_state+0xd3/0x6f0
+cpuidle_enter+0x4e/0xa0
+do_idle+0x2fe/0x3c0
+cpu_startup_entry+0x18/0x20
+start_secondary+0x200/0x290
+secondary_startup_64_no_verify+0x167/0x16b
+
+Allocated by task 939:
+kasan_save_stack+0x22/0x40
+kasan_set_track+0x25/0x30
+__kasan_slab_alloc+0x7f/0x90
+kmem_cache_alloc_node+0x1cd/0x410
+kmalloc_reserve+0x165/0x270
+__alloc_skb+0x129/0x330
+inet6_ifa_notify+0x118/0x230
+__ipv6_ifa_notify+0x177/0xbe0
+addrconf_dad_completed+0x133/0xe00
+addrconf_dad_work+0x764/0x1390
+process_one_work+0xa32/0x16f0
+worker_thread+0x67d/0x10c0
+kthread+0x344/0x440
+ret_from_fork+0x1f/0x30
+The buggy address belongs to the object at ffff888111145800
+which belongs to the cache skbuff_small_head of size 640
+The buggy address is located 239 bytes inside of
+freed 640-byte region [ffff888111145800, ffff888111145a80)
+
+As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
+_decode_session6.") showed, xfrm_decode_session was originally intended
+only for the receive path. IP6CB(skb)->nhoff is not set during
+transmission. Therefore, set the cb field in the skb to 0 before
+sending packets.
+
+Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.")
+Signed-off-by: Zhengchao Shao
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_interface_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_interface_core.c b/net/xfrm/xfrm_interface_core.c
+index 694eec6ca147e..ded752e33dacd 100644
+--- a/net/xfrm/xfrm_interface_core.c
++++ b/net/xfrm/xfrm_interface_core.c
+@@ -399,8 +399,8 @@ static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ switch (skb->protocol) {
+ case htons(ETH_P_IPV6):
+- xfrm_decode_session(skb, &fl, AF_INET6);
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
++ xfrm_decode_session(skb, &fl, AF_INET6);
+ if (!dst) {
+ fl.u.ip6.flowi6_oif = dev->ifindex;
+ fl.u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC;
+@@ -414,8 +414,8 @@ static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev)
+ }
+ break;
+ case htons(ETH_P_IP):
+- xfrm_decode_session(skb, &fl, AF_INET);
+ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
++ xfrm_decode_session(skb, &fl, AF_INET);
+ if (!dst) {
+ struct rtable *rt;
+
+-- 
+2.40.1
+
-- 
2.47.3
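Review bot: The reordering in both the IPv6 and IPv4 branches relies on a subtlety the code does not state anywhere: `xfrm_decode_session()` reads the skb control block (`IP6CB(skb)->nhoff`, per the commit message), so the `memset()` now placed before it is what stops the decode from consuming whatever the qdisc left there, and anyone who later moves the call back above the `memset()` reintroduces the use-after-free without a compiler or test noticing. A comment above each `memset()` would pin the order, e.g. `/* The CB may carry stale qdisc state (sfb writes it on enqueue) and nhoff is never set on TX; clear it before xfrm_decode_session() reads it. */`. Whether decode_session6 handles a zero nhoff correctly on the transmit path is not visible here and is worth confirming, as is whether the other tunnel xmit paths that call xfrm_decode_session() do so before clearing the CB. `xfrmi_xmit()` begins and ends outside the hunk.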