From 5218c57d5ffa54be65b22d3b23756e2f58b66ce2 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 31 Jul 2021 22:52:12 -0400 Subject: [PATCH] Fixes for 4.4 Signed-off-by: Sasha Levin --- ...-missing-error-code-in-mlx4_load_one.patch | 42 +++++ queue-4.4/net-llc-fix-skb_over_panic.patch | 161 ++++++++++++++++++ ...t-allow-to-specify-layer-4-protocol-.patch | 36 ++++ queue-4.4/series | 6 + ...ng-pci_disable_device-in-probe-and-r.patch | 64 +++++++ ...-fix-sleeping-in-tipc-accept-routine.patch | 62 +++++++ ...40-fix-missing-pci_disable_device-in.patch | 65 +++++++ 7 files changed, 436 insertions(+) create mode 100644 queue-4.4/mlx4-fix-missing-error-code-in-mlx4_load_one.patch create mode 100644 queue-4.4/net-llc-fix-skb_over_panic.patch create mode 100644 queue-4.4/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch create mode 100644 queue-4.4/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch create mode 100644 queue-4.4/tipc-fix-sleeping-in-tipc-accept-routine.patch create mode 100644 queue-4.4/tulip-windbond-840-fix-missing-pci_disable_device-in.patch diff --git a/queue-4.4/mlx4-fix-missing-error-code-in-mlx4_load_one.patch b/queue-4.4/mlx4-fix-missing-error-code-in-mlx4_load_one.patch new file mode 100644 index 00000000000..d21b61270c7 --- /dev/null +++ b/queue-4.4/mlx4-fix-missing-error-code-in-mlx4_load_one.patch @@ -0,0 +1,42 @@ +From 2f97aeee71dbc876d89f040e166279108dc5a565 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 18:36:09 +0800 +Subject: mlx4: Fix missing error code in mlx4_load_one() + +From: Jiapeng Chong + +[ Upstream commit 7e4960b3d66d7248b23de3251118147812b42da2 ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'err'. + +Eliminate the follow smatch warning: + +drivers/net/ethernet/mellanox/mlx4/main.c:3538 mlx4_load_one() warn: +missing error code 'err'. + +Reported-by: Abaci Robot +Fixes: 7ae0e400cd93 ("net/mlx4_core: Flexible (asymmetric) allocation of EQs and MSI-X vectors for PF/VFs") +Signed-off-by: Jiapeng Chong +Reviewed-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c +index b774ba64bd4b..913e0fd10fde 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/main.c ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c +@@ -3222,6 +3222,7 @@ slave_start: + + if (!SRIOV_VALID_STATE(dev->flags)) { + mlx4_err(dev, "Invalid SRIOV state\n"); ++ err = -EINVAL; + goto err_close; + } + } +-- +2.30.2 + diff --git a/queue-4.4/net-llc-fix-skb_over_panic.patch b/queue-4.4/net-llc-fix-skb_over_panic.patch new file mode 100644 index 00000000000..c88d3b9f7fd --- /dev/null +++ b/queue-4.4/net-llc-fix-skb_over_panic.patch @@ -0,0 +1,161 @@ +From f365a66c1669743af85a7c34aad2e9ef80928b5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jul 2021 00:11:59 +0300 +Subject: net: llc: fix skb_over_panic + +From: Pavel Skripkin + +[ Upstream commit c7c9d2102c9c098916ab9e0ab248006107d00d6c ] + +Syzbot reported skb_over_panic() in llc_pdu_init_as_xid_cmd(). The +problem was in wrong LCC header manipulations. + +Syzbot's reproducer tries to send XID packet. llc_ui_sendmsg() is +doing following steps: + + 1. skb allocation with size = len + header size + len is passed from userpace and header size + is 3 since addr->sllc_xid is set. + + 2. skb_reserve() for header_len = 3 + 3. filling all other space with memcpy_from_msg() + +Ok, at this moment we have fully loaded skb, only headers needs to be +filled. + +Then code comes to llc_sap_action_send_xid_c(). This function pushes 3 +bytes for LLC PDU header and initializes it. Then comes +llc_pdu_init_as_xid_cmd(). It initalizes next 3 bytes *AFTER* LLC PDU +header and call skb_push(skb, 3). This looks wrong for 2 reasons: + + 1. Bytes rigth after LLC header are user data, so this function + was overwriting payload. + + 2. skb_push(skb, 3) call can cause skb_over_panic() since + all free space was filled in llc_ui_sendmsg(). (This can + happen is user passed 686 len: 686 + 14 (eth header) + 3 (LLC + header) = 703. SKB_DATA_ALIGN(703) = 704) + +So, in this patch I added 2 new private constansts: LLC_PDU_TYPE_U_XID +and LLC_PDU_LEN_U_XID. LLC_PDU_LEN_U_XID is used to correctly reserve +header size to handle LLC + XID case. LLC_PDU_TYPE_U_XID is used by +llc_pdu_header_init() function to push 6 bytes instead of 3. And finally +I removed skb_push() call from llc_pdu_init_as_xid_cmd(). + +This changes should not affect other parts of LLC, since after +all steps we just transmit buffer. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+5e5a981ad7cc54c4b2b4@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/llc_pdu.h | 31 +++++++++++++++++++++++-------- + net/llc/af_llc.c | 10 +++++++++- + net/llc/llc_s_ac.c | 2 +- + 3 files changed, 33 insertions(+), 10 deletions(-) + +diff --git a/include/net/llc_pdu.h b/include/net/llc_pdu.h +index c0f0a13ed818..49aa79c7b278 100644 +--- a/include/net/llc_pdu.h ++++ b/include/net/llc_pdu.h +@@ -15,9 +15,11 @@ + #include + + /* Lengths of frame formats */ +-#define LLC_PDU_LEN_I 4 /* header and 2 control bytes */ +-#define LLC_PDU_LEN_S 4 +-#define LLC_PDU_LEN_U 3 /* header and 1 control byte */ ++#define LLC_PDU_LEN_I 4 /* header and 2 control bytes */ ++#define LLC_PDU_LEN_S 4 ++#define LLC_PDU_LEN_U 3 /* header and 1 control byte */ ++/* header and 1 control byte and XID info */ ++#define LLC_PDU_LEN_U_XID (LLC_PDU_LEN_U + sizeof(struct llc_xid_info)) + /* Known SAP addresses */ + #define LLC_GLOBAL_SAP 0xFF + #define LLC_NULL_SAP 0x00 /* not network-layer visible */ +@@ -50,9 +52,10 @@ + #define LLC_PDU_TYPE_U_MASK 0x03 /* 8-bit control field */ + #define LLC_PDU_TYPE_MASK 0x03 + +-#define LLC_PDU_TYPE_I 0 /* first bit */ +-#define LLC_PDU_TYPE_S 1 /* first two bits */ +-#define LLC_PDU_TYPE_U 3 /* first two bits */ ++#define LLC_PDU_TYPE_I 0 /* first bit */ ++#define LLC_PDU_TYPE_S 1 /* first two bits */ ++#define LLC_PDU_TYPE_U 3 /* first two bits */ ++#define LLC_PDU_TYPE_U_XID 4 /* private type for detecting XID commands */ + + #define LLC_PDU_TYPE_IS_I(pdu) \ + ((!(pdu->ctrl_1 & LLC_PDU_TYPE_I_MASK)) ? 1 : 0) +@@ -230,9 +233,18 @@ static inline struct llc_pdu_un *llc_pdu_un_hdr(struct sk_buff *skb) + static inline void llc_pdu_header_init(struct sk_buff *skb, u8 type, + u8 ssap, u8 dsap, u8 cr) + { +- const int hlen = type == LLC_PDU_TYPE_U ? 3 : 4; ++ int hlen = 4; /* default value for I and S types */ + struct llc_pdu_un *pdu; + ++ switch (type) { ++ case LLC_PDU_TYPE_U: ++ hlen = 3; ++ break; ++ case LLC_PDU_TYPE_U_XID: ++ hlen = 6; ++ break; ++ } ++ + skb_push(skb, hlen); + skb_reset_network_header(skb); + pdu = llc_pdu_un_hdr(skb); +@@ -374,7 +386,10 @@ static inline void llc_pdu_init_as_xid_cmd(struct sk_buff *skb, + xid_info->fmt_id = LLC_XID_FMT_ID; /* 0x81 */ + xid_info->type = svcs_supported; + xid_info->rw = rx_window << 1; /* size of receive window */ +- skb_put(skb, sizeof(struct llc_xid_info)); ++ ++ /* no need to push/put since llc_pdu_header_init() has already ++ * pushed 3 + 3 bytes ++ */ + } + + /** +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index f613a1007107..82b07bc43071 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -96,8 +96,16 @@ static inline u8 llc_ui_header_len(struct sock *sk, struct sockaddr_llc *addr) + { + u8 rc = LLC_PDU_LEN_U; + +- if (addr->sllc_test || addr->sllc_xid) ++ if (addr->sllc_test) + rc = LLC_PDU_LEN_U; ++ else if (addr->sllc_xid) ++ /* We need to expand header to sizeof(struct llc_xid_info) ++ * since llc_pdu_init_as_xid_cmd() sets 4,5,6 bytes of LLC header ++ * as XID PDU. In llc_ui_sendmsg() we reserved header size and then ++ * filled all other space with user data. If we won't reserve this ++ * bytes, llc_pdu_init_as_xid_cmd() will overwrite user data ++ */ ++ rc = LLC_PDU_LEN_U_XID; + else if (sk->sk_type == SOCK_STREAM) + rc = LLC_PDU_LEN_I; + return rc; +diff --git a/net/llc/llc_s_ac.c b/net/llc/llc_s_ac.c +index 7ae4cc684d3a..9fa3342c7a82 100644 +--- a/net/llc/llc_s_ac.c ++++ b/net/llc/llc_s_ac.c +@@ -79,7 +79,7 @@ int llc_sap_action_send_xid_c(struct llc_sap *sap, struct sk_buff *skb) + struct llc_sap_state_ev *ev = llc_sap_ev(skb); + int rc; + +- llc_pdu_header_init(skb, LLC_PDU_TYPE_U, ev->saddr.lsap, ++ llc_pdu_header_init(skb, LLC_PDU_TYPE_U_XID, ev->saddr.lsap, + ev->daddr.lsap, LLC_PDU_CMD); + llc_pdu_init_as_xid_cmd(skb, LLC_XID_NULL_CLASS_2, 0); + rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac); +-- +2.30.2 + diff --git a/queue-4.4/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch b/queue-4.4/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch new file mode 100644 index 00000000000..bede33d9509 --- /dev/null +++ b/queue-4.4/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch @@ -0,0 +1,36 @@ +From 500b18f44ee000ea2421989d7e88897f2a04d932 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 18:22:50 +0200 +Subject: netfilter: nft_nat: allow to specify layer 4 protocol NAT only + +From: Pablo Neira Ayuso + +[ Upstream commit a33f387ecd5aafae514095c2c4a8c24f7aea7e8b ] + +nft_nat reports a bogus EAFNOSUPPORT if no layer 3 information is specified. + +Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_nat.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c +index 868480b83649..182704b980d1 100644 +--- a/net/netfilter/nft_nat.c ++++ b/net/netfilter/nft_nat.c +@@ -157,7 +157,9 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + alen = FIELD_SIZEOF(struct nf_nat_range, min_addr.ip6); + break; + default: +- return -EAFNOSUPPORT; ++ if (tb[NFTA_NAT_REG_ADDR_MIN]) ++ return -EAFNOSUPPORT; ++ break; + } + priv->family = family; + +-- +2.30.2 + diff --git a/queue-4.4/series b/queue-4.4/series index 0bfa94a90ff..ea42503d89c 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -18,3 +18,9 @@ can-esd_usb2-fix-memory-leak.patch niu-fix-incorrect-error-return-missed-in-previous-revert.patch x86-asm-ensure-asm-proto.h-can-be-included-stand-alo.patch cfg80211-fix-possible-memory-leak-in-function-cfg80211_bss_update.patch +netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch +tipc-fix-sleeping-in-tipc-accept-routine.patch +mlx4-fix-missing-error-code-in-mlx4_load_one.patch +net-llc-fix-skb_over_panic.patch +tulip-windbond-840-fix-missing-pci_disable_device-in.patch +sis900-fix-missing-pci_disable_device-in-probe-and-r.patch diff --git a/queue-4.4/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch b/queue-4.4/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch new file mode 100644 index 00000000000..07eec3111e7 --- /dev/null +++ b/queue-4.4/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch @@ -0,0 +1,64 @@ +From a985f1db5beee4b5542d9dee93e8397d692e7aeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 20:11:07 +0800 +Subject: sis900: Fix missing pci_disable_device() in probe and remove + +From: Wang Hai + +[ Upstream commit 89fb62fde3b226f99b7015280cf132e2a7438edf ] + +Replace pci_enable_device() with pcim_enable_device(), +pci_disable_device() and pci_release_regions() will be +called in release automatically. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sis/sis900.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/sis/sis900.c b/drivers/net/ethernet/sis/sis900.c +index dff5b56738d3..9fe5d13402e0 100644 +--- a/drivers/net/ethernet/sis/sis900.c ++++ b/drivers/net/ethernet/sis/sis900.c +@@ -442,7 +442,7 @@ static int sis900_probe(struct pci_dev *pci_dev, + #endif + + /* setup various bits in PCI command register */ +- ret = pci_enable_device(pci_dev); ++ ret = pcim_enable_device(pci_dev); + if(ret) return ret; + + i = pci_set_dma_mask(pci_dev, DMA_BIT_MASK(32)); +@@ -468,7 +468,7 @@ static int sis900_probe(struct pci_dev *pci_dev, + ioaddr = pci_iomap(pci_dev, 0, 0); + if (!ioaddr) { + ret = -ENOMEM; +- goto err_out_cleardev; ++ goto err_out; + } + + sis_priv = netdev_priv(net_dev); +@@ -576,8 +576,6 @@ err_unmap_tx: + sis_priv->tx_ring_dma); + err_out_unmap: + pci_iounmap(pci_dev, ioaddr); +-err_out_cleardev: +- pci_release_regions(pci_dev); + err_out: + free_netdev(net_dev); + return ret; +@@ -2425,7 +2423,6 @@ static void sis900_remove(struct pci_dev *pci_dev) + sis_priv->tx_ring_dma); + pci_iounmap(pci_dev, sis_priv->ioaddr); + free_netdev(net_dev); +- pci_release_regions(pci_dev); + } + + #ifdef CONFIG_PM +-- +2.30.2 + diff --git a/queue-4.4/tipc-fix-sleeping-in-tipc-accept-routine.patch b/queue-4.4/tipc-fix-sleeping-in-tipc-accept-routine.patch new file mode 100644 index 00000000000..e857cee8ec5 --- /dev/null +++ b/queue-4.4/tipc-fix-sleeping-in-tipc-accept-routine.patch @@ -0,0 +1,62 @@ +From 01959d4d70d9f8e3ad67e387c64792947462845b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 09:25:34 +0700 +Subject: tipc: fix sleeping in tipc accept routine + +From: Hoang Le + +[ Upstream commit d237a7f11719ff9320721be5818352e48071aab6 ] + +The release_sock() is blocking function, it would change the state +after sleeping. In order to evaluate the stated condition outside +the socket lock context, switch to use wait_woken() instead. + +Fixes: 6398e23cdb1d8 ("tipc: standardize accept routine") +Acked-by: Jon Maloy +Signed-off-by: Hoang Le +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/socket.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 3ad9158ecf30..9d15bb865eea 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -1987,7 +1987,7 @@ static int tipc_listen(struct socket *sock, int len) + static int tipc_wait_for_accept(struct socket *sock, long timeo) + { + struct sock *sk = sock->sk; +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + int err; + + /* True wake-one mechanism for incoming connections: only +@@ -1996,12 +1996,12 @@ static int tipc_wait_for_accept(struct socket *sock, long timeo) + * anymore, the common case will execute the loop only once. + */ + for (;;) { +- prepare_to_wait_exclusive(sk_sleep(sk), &wait, +- TASK_INTERRUPTIBLE); + if (timeo && skb_queue_empty(&sk->sk_receive_queue)) { ++ add_wait_queue(sk_sleep(sk), &wait); + release_sock(sk); +- timeo = schedule_timeout(timeo); ++ timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); + lock_sock(sk); ++ remove_wait_queue(sk_sleep(sk), &wait); + } + err = 0; + if (!skb_queue_empty(&sk->sk_receive_queue)) +@@ -2016,7 +2016,6 @@ static int tipc_wait_for_accept(struct socket *sock, long timeo) + if (signal_pending(current)) + break; + } +- finish_wait(sk_sleep(sk), &wait); + return err; + } + +-- +2.30.2 + diff --git a/queue-4.4/tulip-windbond-840-fix-missing-pci_disable_device-in.patch b/queue-4.4/tulip-windbond-840-fix-missing-pci_disable_device-in.patch new file mode 100644 index 00000000000..95ad15c7a93 --- /dev/null +++ b/queue-4.4/tulip-windbond-840-fix-missing-pci_disable_device-in.patch @@ -0,0 +1,65 @@ +From 0ffb5a365e17ec6696bae16292652bf6a0df4da5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 15:43:13 +0800 +Subject: tulip: windbond-840: Fix missing pci_disable_device() in probe and + remove + +From: Wang Hai + +[ Upstream commit 76a16be07b209a3f507c72abe823bd3af1c8661a ] + +Replace pci_enable_device() with pcim_enable_device(), +pci_disable_device() and pci_release_regions() will be +called in release automatically. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/winbond-840.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/dec/tulip/winbond-840.c b/drivers/net/ethernet/dec/tulip/winbond-840.c +index 3c0e4d5c5fef..abc66eb13c35 100644 +--- a/drivers/net/ethernet/dec/tulip/winbond-840.c ++++ b/drivers/net/ethernet/dec/tulip/winbond-840.c +@@ -368,7 +368,7 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent) + int i, option = find_cnt < MAX_UNITS ? options[find_cnt] : 0; + void __iomem *ioaddr; + +- i = pci_enable_device(pdev); ++ i = pcim_enable_device(pdev); + if (i) return i; + + pci_set_master(pdev); +@@ -390,7 +390,7 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent) + + ioaddr = pci_iomap(pdev, TULIP_BAR, netdev_res_size); + if (!ioaddr) +- goto err_out_free_res; ++ goto err_out_netdev; + + for (i = 0; i < 3; i++) + ((__le16 *)dev->dev_addr)[i] = cpu_to_le16(eeprom_read(ioaddr, i)); +@@ -469,8 +469,6 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent) + + err_out_cleardev: + pci_iounmap(pdev, ioaddr); +-err_out_free_res: +- pci_release_regions(pdev); + err_out_netdev: + free_netdev (dev); + return -ENODEV; +@@ -1537,7 +1535,6 @@ static void w840_remove1(struct pci_dev *pdev) + if (dev) { + struct netdev_private *np = netdev_priv(dev); + unregister_netdev(dev); +- pci_release_regions(pdev); + pci_iounmap(pdev, np->base_addr); + free_netdev(dev); + } +-- +2.30.2 + -- 2.47.3