From b6e4646bf869a5c02eaf5eb2fdd95e2e3ed56278 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 6 Dec 2020 10:33:11 +0100 Subject: [PATCH] 4.4-stable patches added patches: cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch dt-bindings-net-correct-interrupt-flags-in-examples.patch net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch net-x25-prevent-a-couple-of-overflows.patch netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch --- ...ror-return-code-in-t3_sge_alloc_qset.patch | 33 ++++++++ ...-correct-interrupt-flags-in-examples.patch | 56 +++++++++++++ ...error-return-code-in-pasemi_mac_open.patch | 48 +++++++++++ ...et-x25-prevent-a-couple-of-overflows.patch | 59 +++++++++++++ ...after-nf_inet_post_routing-traversal.patch | 84 +++++++++++++++++++ queue-4.4/series | 5 ++ 6 files changed, 285 insertions(+) create mode 100644 queue-4.4/cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch create mode 100644 queue-4.4/dt-bindings-net-correct-interrupt-flags-in-examples.patch create mode 100644 queue-4.4/net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch create mode 100644 queue-4.4/net-x25-prevent-a-couple-of-overflows.patch create mode 100644 queue-4.4/netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch diff --git a/queue-4.4/cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch b/queue-4.4/cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch new file mode 100644 index 00000000000..c88339b1a58 --- /dev/null +++ b/queue-4.4/cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Dec 6 10:32:44 AM CET 2020 +From: Zhang Changzhong +Date: Wed, 2 Dec 2020 17:56:05 +0800 +Subject: cxgb3: fix error return code in t3_sge_alloc_qset() + +From: Zhang Changzhong + +[ Upstream commit ff9924897f8bfed82e61894b373ab9d2dfea5b10 ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: b1fb1f280d09 ("cxgb3 - Fix dma mapping error path") +Reported-by: Hulk Robot +Signed-off-by: Zhang Changzhong +Acked-by: Raju Rangoju +Link: https://lore.kernel.org/r/1606902965-1646-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb3/sge.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/chelsio/cxgb3/sge.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/sge.c +@@ -3111,6 +3111,7 @@ int t3_sge_alloc_qset(struct adapter *ad + GFP_KERNEL | __GFP_COMP); + if (!avail) { + CH_ALERT(adapter, "free list queue 0 initialization failed\n"); ++ ret = -ENOMEM; + goto err; + } + if (avail < q->fl[0].size) diff --git a/queue-4.4/dt-bindings-net-correct-interrupt-flags-in-examples.patch b/queue-4.4/dt-bindings-net-correct-interrupt-flags-in-examples.patch new file mode 100644 index 00000000000..331bdc443a2 --- /dev/null +++ b/queue-4.4/dt-bindings-net-correct-interrupt-flags-in-examples.patch @@ -0,0 +1,56 @@ +From foo@baz Sun Dec 6 10:32:44 AM CET 2020 +From: Krzysztof Kozlowski +Date: Mon, 26 Oct 2020 16:36:20 +0100 +Subject: dt-bindings: net: correct interrupt flags in examples + +From: Krzysztof Kozlowski + +[ Upstream commit 4d521943f76bd0d1e68ea5e02df7aadd30b2838a ] + +GPIO_ACTIVE_x flags are not correct in the context of interrupt flags. +These are simple defines so they could be used in DTS but they will not +have the same meaning: +1. GPIO_ACTIVE_HIGH = 0 = IRQ_TYPE_NONE +2. GPIO_ACTIVE_LOW = 1 = IRQ_TYPE_EDGE_RISING + +Correct the interrupt flags, assuming the author of the code wanted same +logical behavior behind the name "ACTIVE_xxx", this is: + ACTIVE_LOW => IRQ_TYPE_LEVEL_LOW + ACTIVE_HIGH => IRQ_TYPE_LEVEL_HIGH + +Fixes: a1a8b4594f8d ("NFC: pn544: i2c: Add DTS Documentation") +Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver") +Fixes: e3b329221567 ("dt-bindings: can: tcan4x5x: Update binding to use interrupt property") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Rob Herring +Acked-by: Marc Kleine-Budde # for tcan4x5x.txt +Link: https://lore.kernel.org/r/20201026153620.89268-1-krzk@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/net/nfc/nxp-nci.txt | 2 +- + Documentation/devicetree/bindings/net/nfc/pn544.txt | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/Documentation/devicetree/bindings/net/nfc/nxp-nci.txt ++++ b/Documentation/devicetree/bindings/net/nfc/nxp-nci.txt +@@ -27,7 +27,7 @@ Example (for ARM-based BeagleBone with N + clock-frequency = <100000>; + + interrupt-parent = <&gpio1>; +- interrupts = <29 GPIO_ACTIVE_HIGH>; ++ interrupts = <29 IRQ_TYPE_LEVEL_HIGH>; + + enable-gpios = <&gpio0 30 GPIO_ACTIVE_HIGH>; + firmware-gpios = <&gpio0 31 GPIO_ACTIVE_HIGH>; +--- a/Documentation/devicetree/bindings/net/nfc/pn544.txt ++++ b/Documentation/devicetree/bindings/net/nfc/pn544.txt +@@ -27,7 +27,7 @@ Example (for ARM-based BeagleBone with P + clock-frequency = <400000>; + + interrupt-parent = <&gpio1>; +- interrupts = <17 GPIO_ACTIVE_HIGH>; ++ interrupts = <17 IRQ_TYPE_LEVEL_HIGH>; + + enable-gpios = <&gpio3 21 GPIO_ACTIVE_HIGH>; + firmware-gpios = <&gpio3 19 GPIO_ACTIVE_HIGH>; diff --git a/queue-4.4/net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch b/queue-4.4/net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch new file mode 100644 index 00000000000..f2332ef51f2 --- /dev/null +++ b/queue-4.4/net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch @@ -0,0 +1,48 @@ +From foo@baz Sun Dec 6 10:32:44 AM CET 2020 +From: Zhang Changzhong +Date: Wed, 2 Dec 2020 17:57:15 +0800 +Subject: net: pasemi: fix error return code in pasemi_mac_open() + +From: Zhang Changzhong + +[ Upstream commit aba84871bd4f52c4dfcf3ad5d4501a6c9d2de90e ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 72b05b9940f0 ("pasemi_mac: RX/TX ring management cleanup") +Fixes: 8d636d8bc5ff ("pasemi_mac: jumbo frame support") +Reported-by: Hulk Robot +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1606903035-1838-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/pasemi/pasemi_mac.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/pasemi/pasemi_mac.c ++++ b/drivers/net/ethernet/pasemi/pasemi_mac.c +@@ -1129,16 +1129,20 @@ static int pasemi_mac_open(struct net_de + + mac->tx = pasemi_mac_setup_tx_resources(dev); + +- if (!mac->tx) ++ if (!mac->tx) { ++ ret = -ENOMEM; + goto out_tx_ring; ++ } + + /* We might already have allocated rings in case mtu was changed + * before interface was brought up. + */ + if (dev->mtu > 1500 && !mac->num_cs) { + pasemi_mac_setup_csrings(mac); +- if (!mac->num_cs) ++ if (!mac->num_cs) { ++ ret = -ENOMEM; + goto out_tx_ring; ++ } + } + + /* Zero out rmon counters */ diff --git a/queue-4.4/net-x25-prevent-a-couple-of-overflows.patch b/queue-4.4/net-x25-prevent-a-couple-of-overflows.patch new file mode 100644 index 00000000000..47e849be166 --- /dev/null +++ b/queue-4.4/net-x25-prevent-a-couple-of-overflows.patch @@ -0,0 +1,59 @@ +From foo@baz Sun Dec 6 10:32:44 AM CET 2020 +From: Dan Carpenter +Date: Tue, 1 Dec 2020 18:15:12 +0300 +Subject: net/x25: prevent a couple of overflows + +From: Dan Carpenter + +[ Upstream commit 6ee50c8e262a0f0693dad264c3c99e30e6442a56 ] + +The .x25_addr[] address comes from the user and is not necessarily +NUL terminated. This leads to a couple problems. The first problem is +that the strlen() in x25_bind() can read beyond the end of the buffer. + +The second problem is more subtle and could result in memory corruption. +The call tree is: + x25_connect() + --> x25_write_internal() + --> x25_addr_aton() + +The .x25_addr[] buffers are copied to the "addresses" buffer from +x25_write_internal() so it will lead to stack corruption. + +Verify that the strings are NUL terminated and return -EINVAL if they +are not. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: a9288525d2ae ("X25: Dont let x25_bind use addresses containing characters") +Reported-by: "kiyin(尹亮)" +Signed-off-by: Dan Carpenter +Acked-by: Martin Schiller +Link: https://lore.kernel.org/r/X8ZeAKm8FnFpN//B@mwanda +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/x25/af_x25.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -679,7 +679,8 @@ static int x25_bind(struct socket *sock, + int len, i, rc = 0; + + if (addr_len != sizeof(struct sockaddr_x25) || +- addr->sx25_family != AF_X25) { ++ addr->sx25_family != AF_X25 || ++ strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) == X25_ADDR_LEN) { + rc = -EINVAL; + goto out; + } +@@ -773,7 +774,8 @@ static int x25_connect(struct socket *so + + rc = -EINVAL; + if (addr_len != sizeof(struct sockaddr_x25) || +- addr->sx25_family != AF_X25) ++ addr->sx25_family != AF_X25 || ++ strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) == X25_ADDR_LEN) + goto out; + + rc = -ENETUNREACH; diff --git a/queue-4.4/netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch b/queue-4.4/netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch new file mode 100644 index 00000000000..719e1f4b617 --- /dev/null +++ b/queue-4.4/netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch @@ -0,0 +1,84 @@ +From foo@baz Sun Dec 6 10:32:44 AM CET 2020 +From: Antoine Tenart +Date: Mon, 23 Nov 2020 18:49:02 +0100 +Subject: netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal + +From: Antoine Tenart + +[ Upstream commit 44f64f23bae2f0fad25503bc7ab86cd08d04cd47 ] + +Netfilter changes PACKET_OTHERHOST to PACKET_HOST before invoking the +hooks as, while it's an expected value for a bridge, routing expects +PACKET_HOST. The change is undone later on after hook traversal. This +can be seen with pairs of functions updating skb>pkt_type and then +reverting it to its original value: + +For hook NF_INET_PRE_ROUTING: + setup_pre_routing / br_nf_pre_routing_finish + +For hook NF_INET_FORWARD: + br_nf_forward_ip / br_nf_forward_finish + +But the third case where netfilter does this, for hook +NF_INET_POST_ROUTING, the packet type is changed in br_nf_post_routing +but never reverted. A comment says: + + /* We assume any code from br_dev_queue_push_xmit onwards doesn't care + * about the value of skb->pkt_type. */ + +But when having a tunnel (say vxlan) attached to a bridge we have the +following call trace: + + br_nf_pre_routing + br_nf_pre_routing_ipv6 + br_nf_pre_routing_finish + br_nf_forward_ip + br_nf_forward_finish + br_nf_post_routing <- pkt_type is updated to PACKET_HOST + br_nf_dev_queue_xmit <- but not reverted to its original value + vxlan_xmit + vxlan_xmit_one + skb_tunnel_check_pmtu <- a check on pkt_type is performed + +In this specific case, this creates issues such as when an ICMPv6 PTB +should be sent back. When CONFIG_BRIDGE_NETFILTER is enabled, the PTB +isn't sent (as skb_tunnel_check_pmtu checks if pkt_type is PACKET_HOST +and returns early). + +If the comment is right and no one cares about the value of +skb->pkt_type after br_dev_queue_push_xmit (which isn't true), resetting +it to its original value should be safe. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Antoine Tenart +Reviewed-by: Florian Westphal +Link: https://lore.kernel.org/r/20201123174902.622102-1-atenart@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_netfilter_hooks.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -711,6 +711,11 @@ static int br_nf_dev_queue_xmit(struct n + mtu_reserved = nf_bridge_mtu_reduction(skb); + mtu = skb->dev->mtu; + ++ if (nf_bridge->pkt_otherhost) { ++ skb->pkt_type = PACKET_OTHERHOST; ++ nf_bridge->pkt_otherhost = false; ++ } ++ + if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) + mtu = nf_bridge->frag_max_size; + +@@ -804,8 +809,6 @@ static unsigned int br_nf_post_routing(v + else + return NF_ACCEPT; + +- /* We assume any code from br_dev_queue_push_xmit onwards doesn't care +- * about the value of skb->pkt_type. */ + if (skb->pkt_type == PACKET_OTHERHOST) { + skb->pkt_type = PACKET_HOST; + nf_bridge->pkt_otherhost = true; diff --git a/queue-4.4/series b/queue-4.4/series index 3d413007088..73998f29b9d 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -2,3 +2,8 @@ net-af_iucv-set-correct-sk_protocol-for-child-sockets.patch rose-fix-null-pointer-dereference-in-rose_send_frame.patch usbnet-ipheth-fix-connectivity-with-ios-14.patch bonding-wait-for-sysfs-kobject-destruction-before-freeing-struct-slave.patch +netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch +net-x25-prevent-a-couple-of-overflows.patch +cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch +net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch +dt-bindings-net-correct-interrupt-flags-in-examples.patch -- 2.47.3