From d0d243d9c23ecfbe2f1ebbd3e744dc4fbac00441 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 17 Apr 2018 17:20:00 +0200
Subject: [PATCH] 4.9-stable patches
added patches:
 cdc_ether-flag-the-cinterion-ahs8-modem-by-gemalto-as-wwan.patch
 lan78xx-correctly-indicate-invalid-otp.patch
 rds-mp-rds-may-use-an-invalid-c_path.patch
 slip-check-if-rstate-is-initialized-before-uncompressing.patch
 vhost-fix-vhost_vq_access_ok-log-check.patch
---
 ...terion-ahs8-modem-by-gemalto-as-wwan.patch | 42 ++++++++++
 ...n78xx-correctly-indicate-invalid-otp.patch | 35 +++++++++
 ...rds-mp-rds-may-use-an-invalid-c_path.patch | 61 +++++++++++++++
 queue-4.9/series | 5 ++
 ...-is-initialized-before-uncompressing.patch | 76 +++++++++++++++++++
 ...ost-fix-vhost_vq_access_ok-log-check.patch | 56 ++++++++++++++
 6 files changed, 275 insertions(+)
 create mode 100644 queue-4.9/cdc_ether-flag-the-cinterion-ahs8-modem-by-gemalto-as-wwan.patch
 create mode 100644 queue-4.9/lan78xx-correctly-indicate-invalid-otp.patch
 create mode 100644 queue-4.9/rds-mp-rds-may-use-an-invalid-c_path.patch
 create mode 100644 queue-4.9/slip-check-if-rstate-is-initialized-before-uncompressing.patch
 create mode 100644 queue-4.9/vhost-fix-vhost_vq_access_ok-log-check.patch
diff --git a/queue-4.9/cdc_ether-flag-the-cinterion-ahs8-modem-by-gemalto-as-wwan.patch b/queue-4.9/cdc_ether-flag-the-cinterion-ahs8-modem-by-gemalto-as-wwan.patch
new file mode 100644
index 00000000000..cba051c9214
--- /dev/null
+++ b/queue-4.9/cdc_ether-flag-the-cinterion-ahs8-modem-by-gemalto-as-wwan.patch
@@ -0,0 +1,42 @@
+From foo@baz Tue Apr 17 16:58:36 CEST 2018
+From: Bassem Boubaker
+Date: Wed, 11 Apr 2018 13:15:53 +0200
+Subject: cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN
+
+From: Bassem Boubaker
+
+
+[ Upstream commit 53765341ee821c0a0f1dec41adc89c9096ad694c ]
+
+The Cinterion AHS8 is a 3G device with one embedded WWAN interface
+using cdc_ether as a driver.
+
+The modem is controlled via AT commands through the exposed TTYs.
+
+AT+CGDCONT write command can be used to activate or deactivate a WWAN
+connection for a PDP context defined with the same command. UE
+supports one WWAN adapter.
+
+Signed-off-by: Bassem Boubaker
+Acked-by: Oliver Neukum
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/cdc_ether.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -774,6 +774,12 @@ static const struct usb_device_id produc
+ USB_CDC_PROTO_NONE),
+ .driver_info = (unsigned long)&wwan_info,
+ }, {
++ /* Cinterion AHS3 modem by GEMALTO */
++ USB_DEVICE_AND_INTERFACE_INFO(0x1e2d, 0x0055, USB_CLASS_COMM,
++ USB_CDC_SUBCLASS_ETHERNET,
++ USB_CDC_PROTO_NONE),
++ .driver_info = (unsigned long)&wwan_info,
++}, {
+ /* Telit modules */
+ USB_VENDOR_AND_INTERFACE_INFO(0x1bc7, USB_CLASS_COMM,
+ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
diff --git a/queue-4.9/lan78xx-correctly-indicate-invalid-otp.patch b/queue-4.9/lan78xx-correctly-indicate-invalid-otp.patch
new file mode 100644
index 00000000000..cc8f154b881
--- /dev/null
+++ b/queue-4.9/lan78xx-correctly-indicate-invalid-otp.patch
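Review bot: The comment on the new `products[]` entry in drivers/net/usb/cdc_ether.c names the "Cinterion AHS3", while the patch subject and description both name the AHS8, so one of the two is wrong and a later reader cannot tell which device 0x1e2d:0x0055 actually is. If the description is the correct one, the comment should read `/* Cinterion AHS8 modem by GEMALTO */`. The device table starts and ends outside the hunk, so whether another entry already covers this ID cannot be checked from here.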
@@ -0,0 +1,35 @@
+From foo@baz Tue Apr 17 16:58:36 CEST 2018
+From: Phil Elwell
+Date: Wed, 11 Apr 2018 10:59:17 +0100
+Subject: lan78xx: Correctly indicate invalid OTP
+
+From: Phil Elwell
+
+
+[ Upstream commit 4bfc33807a9a02764bdd1e42e794b3b401240f27 ]
+
+lan78xx_read_otp tries to return -EINVAL in the event of invalid OTP
+content, but the value gets overwritten before it is returned and the
+read goes ahead anyway. Make the read conditional as it should be
+and preserve the error code.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Phil Elwell
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/lan78xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -873,7 +873,8 @@ static int lan78xx_read_otp(struct lan78
+ offset += 0x100;
+ else
+ ret = -EINVAL;
+- ret = lan78xx_read_raw_otp(dev, offset, length, data);
++ if (!ret)
++ ret = lan78xx_read_raw_otp(dev, offset, length, data);
+ }
+
+ return ret;
diff --git a/queue-4.9/rds-mp-rds-may-use-an-invalid-c_path.patch b/queue-4.9/rds-mp-rds-may-use-an-invalid-c_path.patch
new file mode 100644
index 00000000000..1c715beef2d
--- /dev/null
+++ b/queue-4.9/rds-mp-rds-may-use-an-invalid-c_path.patch
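Review bot: The new `if (!ret)` guard in lan78xx_read_otp() is only correct if `ret` is 0 when the signature chain is entered, and that condition is presumably set up above the hunk, so the dependency cannot be seen where the guard sits. A one-line comment above it, such as `/* only read the payload when the OTP signature was recognised */`, would make it harder for a later edit to reintroduce the overwrite. On the -EINVAL path `data` appears to be left unwritten, so callers must check the return value before using the buffer; the function's header comment, if it has one, is the place to state that.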
@@ -0,0 +1,61 @@
+From foo@baz Tue Apr 17 16:58:36 CEST 2018
+From: Ka-Cheong Poon
+Date: Wed, 11 Apr 2018 00:57:25 -0700
+Subject: rds: MP-RDS may use an invalid c_path
+
+From: Ka-Cheong Poon
+
+
+[ Upstream commit a43cced9a348901f9015f4730b70b69e7c41a9c9 ]
+
+rds_sendmsg() calls rds_send_mprds_hash() to find a c_path to use to
+send a message. Suppose the RDS connection is not yet up. In
+rds_send_mprds_hash(), it does
+
+ if (conn->c_npaths == 0)
+ wait_event_interruptible(conn->c_hs_waitq,
+ (conn->c_npaths != 0));
+
+If it is interrupted before the connection is set up,
+rds_send_mprds_hash() will return a non-zero hash value. Hence
+rds_sendmsg() will use a non-zero c_path to send the message. But if
+the RDS connection ends up to be non-MP capable, the message will be
+lost as only the zero c_path can be used.
+
+Signed-off-by: Ka-Cheong Poon
+Acked-by: Santosh Shilimkar
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/send.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2006 Oracle. All rights reserved.
++ * Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses. You may choose to be licensed under the terms of the GNU
+@@ -983,10 +983,15 @@ static int rds_send_mprds_hash(struct rd
+ if (conn->c_npaths == 0 && hash != 0) {
+ rds_send_ping(conn);
+
+- if (conn->c_npaths == 0) {
+- wait_event_interruptible(conn->c_hs_waitq,
+- (conn->c_npaths != 0));
+- }
++ /* The underlying connection is not up yet. Need to wait
++ * until it is up to be sure that the non-zero c_path can be
++ * used. But if we are interrupted, we have to use the zero
++ * c_path in case the connection ends up being non-MP capable.
++ */
++ if (conn->c_npaths == 0)
++ if (wait_event_interruptible(conn->c_hs_waitq,
++ conn->c_npaths != 0))
++ hash = 0;
+ if (conn->c_npaths == 1)
+ hash = 0;
+ }
diff --git a/queue-4.9/series b/queue-4.9/series
index 8378b151a3d..894789cec6b 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -59,3 +59,8 @@ getname_kernel-needs-to-make-sure-that-name-iname-in-long-case.patch
 bluetooth-fix-connection-if-directed-advertising-and-privacy-is-used.patch
 rtl8187-fix-null-pointer-dereference-in-priv-conf_mutex.patch
 hwmon-ina2xx-fix-access-to-uninitialized-mutex.patch
+cdc_ether-flag-the-cinterion-ahs8-modem-by-gemalto-as-wwan.patch
+rds-mp-rds-may-use-an-invalid-c_path.patch
+slip-check-if-rstate-is-initialized-before-uncompressing.patch
+vhost-fix-vhost_vq_access_ok-log-check.patch
+lan78xx-correctly-indicate-invalid-otp.patch
diff --git a/queue-4.9/slip-check-if-rstate-is-initialized-before-uncompressing.patch b/queue-4.9/slip-check-if-rstate-is-initialized-before-uncompressing.patch
new file mode 100644
index 00000000000..5e0ee5ec91d
--- /dev/null
+++ b/queue-4.9/slip-check-if-rstate-is-initialized-before-uncompressing.patch
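Review bot: In the rds patch (net/rds/send.c, rds_send_mprds_hash()), the replacement nests two unbraced `if` statements directly above a third sibling `if`, which makes it easy to misread which condition owns `hash = 0;`. The two can be folded into one condition without changing behaviour: `if (conn->c_npaths == 0 && wait_event_interruptible(conn->c_hs_waitq, conn->c_npaths != 0))` followed by `hash = 0;`. The enclosing function starts and ends outside the hunk, so how the returned hash is consumed cannot be checked from here.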
@@ -0,0 +1,76 @@
+From foo@baz Tue Apr 17 16:58:36 CEST 2018
+From: Tejaswi Tanikella
+Date: Wed, 11 Apr 2018 16:34:47 +0530
+Subject: slip: Check if rstate is initialized before uncompressing
+
+From: Tejaswi Tanikella
+
+
+[ Upstream commit 3f01ddb962dc506916c243f9524e8bef97119b77 ]
+
+On receiving a packet the state index points to the rstate which must be
+used to fill up IP and TCP headers. But if the state index points to a
+rstate which is unitialized, i.e. filled with zeros, it gets stuck in an
+infinite loop inside ip_fast_csum trying to compute the ip checsum of a
+header with zero length.
+
+89.666953: <2> [] slhc_uncompress+0x464/0x468
+89.666965: <2> [] ppp_receive_nonmp_frame+0x3b4/0x65c
+89.666978: <2> [] ppp_receive_frame+0x64/0x7e0
+89.666991: <2> [] ppp_input+0x104/0x198
+89.667005: <2> [] pppopns_recv_core+0x238/0x370
+89.667027: <2> [] __sk_receive_skb+0xdc/0x250
+89.667040: <2> [] pppopns_recv+0x44/0x60
+89.667053: <2> [] __sock_queue_rcv_skb+0x16c/0x24c
+89.667065: <2> [] sock_queue_rcv_skb+0x2c/0x38
+89.667085: <2> [] raw_rcv+0x124/0x154
+89.667098: <2> [] raw_local_deliver+0x1e0/0x22c
+89.667117: <2> [] ip_local_deliver_finish+0x70/0x24c
+89.667131: <2> [] ip_local_deliver+0x100/0x10c
+
+./scripts/faddr2line vmlinux slhc_uncompress+0x464/0x468 output:
+ ip_fast_csum at arch/arm64/include/asm/checksum.h:40
+ (inlined by) slhc_uncompress at drivers/net/slip/slhc.c:615
+
+Adding a variable to indicate if the current rstate is initialized. If
+such a packet arrives, move to toss state.
+
+Signed-off-by: Tejaswi Tanikella
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/slip/slhc.c | 5 +++++
+ include/net/slhc_vj.h | 1 +
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/net/slip/slhc.c
++++ b/drivers/net/slip/slhc.c
+@@ -509,6 +509,10 @@ slhc_uncompress(struct slcompress *comp,
+ if(x < 0 || x > comp->rslot_limit)
+ goto bad;
+
++ /* Check if the cstate is initialized */
++ if (!comp->rstate[x].initialized)
++ goto bad;
++
+ comp->flags &=~ SLF_TOSS;
+ comp->recv_current = x;
+ } else {
+@@ -673,6 +677,7 @@ slhc_remember(struct slcompress *comp, u
+ if (cs->cs_tcp.doff > 5)
+ memcpy(cs->cs_tcpopt, icp + ihl*4 + sizeof(struct tcphdr), (cs->cs_tcp.doff - 5) * 4);
+ cs->cs_hsize = ihl*2 + cs->cs_tcp.doff*2;
++ cs->initialized = true;
+ /* Put headers back on packet
+ * Neither header checksum is recalculated
+ */
+--- a/include/net/slhc_vj.h
++++ b/include/net/slhc_vj.h
+@@ -127,6 +127,7 @@ typedef __u32 int32;
+ */
+ struct cstate {
+ byte_t cs_this; /* connection id number (xmit) */
++ bool initialized; /* true if initialized */
+ struct cstate *next; /* next in ring (xmit) */
+ struct iphdr cs_ip; /* ip/tcp hdr from most recent packet */
+ struct tcphdr cs_tcp;
diff --git a/queue-4.9/vhost-fix-vhost_vq_access_ok-log-check.patch b/queue-4.9/vhost-fix-vhost_vq_access_ok-log-check.patch
new file mode 100644
index 00000000000..52ca82b615c
--- /dev/null
+++ b/queue-4.9/vhost-fix-vhost_vq_access_ok-log-check.patch
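Review bot: In the slip patch, the `initialized` check in slhc_uncompress() covers only the branch that reads an explicit connection index. The `} else {` branch, which begins on the hunk's last context line and continues outside it, reuses `comp->recv_current` without the check, so it should be confirmed that `recv_current` can only hold a slot that slhc_remember() has filled. The flag also depends on the `rstate` array being zeroed at allocation, which is not visible here; a member comment such as `/* set by slhc_remember(); relies on zeroed allocation */` would record that. Since the hang described in the commit message comes from a zero header length reaching ip_fast_csum, a direct sanity check on the stored header length before the checksum might be a useful second guard against malformed peer input.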
@@ -0,0 +1,56 @@
+From foo@baz Tue Apr 17 16:58:36 CEST 2018
+From: Stefan Hajnoczi
+Date: Wed, 11 Apr 2018 10:35:40 +0800
+Subject: vhost: fix vhost_vq_access_ok() log check
+
+From: Stefan Hajnoczi
+
+
+[ Upstream commit d14d2b78090c7de0557362b26a4ca591aa6a9faa ]
+
+Commit d65026c6c62e7d9616c8ceb5a53b68bcdc050525 ("vhost: validate log
+when IOTLB is enabled") introduced a regression. The logic was
+originally:
+
+ if (vq->iotlb)
+ return 1;
+ return A && B;
+
+After the patch the short-circuit logic for A was inverted:
+
+ if (A || vq->iotlb)
+ return A;
+ return B;
+
+This patch fixes the regression by rewriting the checks in the obvious
+way, no longer returning A when vq->iotlb is non-NULL (which is hard to
+understand).
+
+Reported-by: syzbot+65a84dde0214b0387ccd@syzkaller.appspotmail.com
+Cc: Jason Wang
+Signed-off-by: Stefan Hajnoczi
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vhost/vhost.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1175,10 +1175,12 @@ static int vq_log_access_ok(struct vhost
+ /* Caller should have vq mutex and device mutex */
+ int vhost_vq_access_ok(struct vhost_virtqueue *vq)
+ {
+- int ret = vq_log_access_ok(vq, vq->log_base);
++ if (!vq_log_access_ok(vq, vq->log_base))
++ return 0;
+
+- if (ret || vq->iotlb)
+- return ret;
++ /* Access validation occurs at prefetch time with IOTLB */
++ if (vq->iotlb)
++ return 1;
+
+ return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used);
+ }
-- 
2.47.2
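Review bot: A return of 1 from vhost_vq_access_ok() now has two different meanings — the ring addresses were validated here, or validation was deferred because `vq->iotlb` is set — and the only comment above the function is about locking. Because this predicate gates the ring addresses handed to vhost, the contract belongs in the header comment, for example `/* Returns 1 if the log and ring addresses are usable, 0 otherwise; with an IOTLB the ring check is deferred to prefetch time. */`. Stating it there would also help a reader confirm that every IOTLB caller really does reach the prefetch-time check, which is not visible in this hunk.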