From e252335a75a9e8c3a3a2b09dd4b710787adfffe0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 7 Jan 2022 14:27:02 +0100
Subject: [PATCH] 5.10-stable patches

added patches:
i40e-fix-to-not-show-opcode-msg-on-unsuccessful-vf-mac-change.patch
iavf-fix-limit-of-total-number-of-queues-to-active-queues-of-vf.patch
mac80211-initialize-variable-have_higher_than_11mbit.patch
netrom-fix-copying-in-user-data-in-nr_setsockopt.patch
rdma-core-don-t-infoleak-grh-fields.patch
rdma-uverbs-check-for-null-return-of-kmalloc_array.patch
---
 ...de-msg-on-unsuccessful-vf-mac-change.patch | 150 ++++++++++++++++++
 ...ber-of-queues-to-active-queues-of-vf.patch | 43 +++++
 ...ize-variable-have_higher_than_11mbit.patch | 41 +++++
 ...opying-in-user-data-in-nr_setsockopt.patch | 32 ++++
 .../rdma-core-don-t-infoleak-grh-fields.patch | 64 ++++++++
 ...eck-for-null-return-of-kmalloc_array.patch | 35 ++++
 queue-5.10/series | 6 +
 7 files changed, 371 insertions(+)
 create mode 100644 queue-5.10/i40e-fix-to-not-show-opcode-msg-on-unsuccessful-vf-mac-change.patch
 create mode 100644 queue-5.10/iavf-fix-limit-of-total-number-of-queues-to-active-queues-of-vf.patch
 create mode 100644 queue-5.10/mac80211-initialize-variable-have_higher_than_11mbit.patch
 create mode 100644 queue-5.10/netrom-fix-copying-in-user-data-in-nr_setsockopt.patch
 create mode 100644 queue-5.10/rdma-core-don-t-infoleak-grh-fields.patch
 create mode 100644 queue-5.10/rdma-uverbs-check-for-null-return-of-kmalloc_array.patch
diff --git a/queue-5.10/i40e-fix-to-not-show-opcode-msg-on-unsuccessful-vf-mac-change.patch b/queue-5.10/i40e-fix-to-not-show-opcode-msg-on-unsuccessful-vf-mac-change.patch
new file mode 100644
index 00000000000..b273187c43b
--- /dev/null
+++ b/queue-5.10/i40e-fix-to-not-show-opcode-msg-on-unsuccessful-vf-mac-change.patch
@@ -0,0 +1,150 @@
+From 01cbf50877e602e2376af89e4a51c30bc574c618 Mon Sep 17 00:00:00 2001
+From: Mateusz Palczewski
+Date: Wed, 3 Mar 2021 11:45:33 +0000
+Subject: i40e: Fix to not show opcode msg on unsuccessful VF MAC change
+
+From: Mateusz Palczewski
+
+commit 01cbf50877e602e2376af89e4a51c30bc574c618 upstream.
+
+Hide i40e opcode information sent during response to VF in case when
+untrusted VF tried to change MAC on the VF interface.
+
+This is implemented by adding an additional parameter 'hide' to the
+response sent to VF function that hides the display of error
+information, but forwards the error code to VF.
+
+Previously it was not possible to send response with some error code
+to VF without displaying opcode information.
+
+Fixes: 5c3c48ac6bf5 ("i40e: implement virtual device interface")
+Signed-off-by: Grzegorz Szczurek
+Signed-off-by: Mateusz Palczewski
+Reviewed-by: Paul M Stillwell Jr
+Reviewed-by: Aleksandr Loktionov
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 40 ++++++++++++++++-----
+ 1 file changed, 32 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -1824,17 +1824,19 @@ sriov_configure_out:
+ /***********************virtual channel routines******************/
+
+ /**
+- * i40e_vc_send_msg_to_vf
++ * i40e_vc_send_msg_to_vf_ex
+ * @vf: pointer to the VF info
+ * @v_opcode: virtual channel opcode
+ * @v_retval: virtual channel return value
+ * @msg: pointer to the msg buffer
+ * @msglen: msg length
++ * @is_quiet: true for not printing unsuccessful return values, false otherwise
+ *
+ * send msg to VF
+ **/
+-static int i40e_vc_send_msg_to_vf(struct i40e_vf *vf, u32 v_opcode,
+- u32 v_retval, u8 *msg, u16 msglen)
++static int i40e_vc_send_msg_to_vf_ex(struct i40e_vf *vf, u32 v_opcode,
++ u32 v_retval, u8 *msg, u16 msglen,
++ bool is_quiet)
+ {
+ struct i40e_pf *pf;
+ struct i40e_hw *hw;
+@@ -1850,7 +1852,7 @@ static int i40e_vc_send_msg_to_vf(struct
+ abs_vf_id = vf->vf_id + hw->func_caps.vf_base_id;
+
+ /* single place to detect unsuccessful return values */
+- if (v_retval) {
++ if (v_retval && !is_quiet) {
+ vf->num_invalid_msgs++;
+ dev_info(&pf->pdev->dev, "VF %d failed opcode %d, retval: %d\n",
+ vf->vf_id, v_opcode, v_retval);
+@@ -1881,6 +1883,23 @@ static int i40e_vc_send_msg_to_vf(struct
+ }
+
+ /**
++ * i40e_vc_send_msg_to_vf
++ * @vf: pointer to the VF info
++ * @v_opcode: virtual channel opcode
++ * @v_retval: virtual channel return value
++ * @msg: pointer to the msg buffer
++ * @msglen: msg length
++ *
++ * send msg to VF
++ **/
++static int i40e_vc_send_msg_to_vf(struct i40e_vf *vf, u32 v_opcode,
++ u32 v_retval, u8 *msg, u16 msglen)
++{
++ return i40e_vc_send_msg_to_vf_ex(vf, v_opcode, v_retval,
++ msg, msglen, false);
++}
++
++/**
+ * i40e_vc_send_resp_to_vf
+ * @vf: pointer to the VF info
+ * @opcode: operation code
+@@ -2641,6 +2660,7 @@ error_param:
+ * i40e_check_vf_permission
+ * @vf: pointer to the VF info
+ * @al: MAC address list from virtchnl
++ * @is_quiet: set true for printing msg without opcode info, false otherwise
+ *
+ * Check that the given list of MAC addresses is allowed. Will return -EPERM
+ * if any address in the list is not valid. Checks the following conditions:
+@@ -2655,13 +2675,15 @@ error_param:
+ * addresses might not be accurate.
+ **/
+ static inline int i40e_check_vf_permission(struct i40e_vf *vf,
+- struct virtchnl_ether_addr_list *al)
++ struct virtchnl_ether_addr_list *al,
++ bool *is_quiet)
+ {
+ struct i40e_pf *pf = vf->pf;
+ struct i40e_vsi *vsi = pf->vsi[vf->lan_vsi_idx];
+ int mac2add_cnt = 0;
+ int i;
+
++ *is_quiet = false;
+ for (i = 0; i < al->num_elements; i++) {
+ struct i40e_mac_filter *f;
+ u8 *addr = al->list[i].addr;
+@@ -2685,6 +2707,7 @@ static inline int i40e_check_vf_permissi
+ !ether_addr_equal(addr, vf->default_lan_addr.addr)) {
+ dev_err(&pf->pdev->dev,
+ "VF attempting to override administratively set MAC address, bring down and up the VF interface to resume normal operation\n");
++ *is_quiet = true;
+ return -EPERM;
+ }
+
+@@ -2721,6 +2744,7 @@ static int i40e_vc_add_mac_addr_msg(stru
+ (struct virtchnl_ether_addr_list *)msg;
+ struct i40e_pf *pf = vf->pf;
+ struct i40e_vsi *vsi = NULL;
++ bool is_quiet = false;
+ i40e_status ret = 0;
+ int i;
+
+@@ -2737,7 +2761,7 @@ static int i40e_vc_add_mac_addr_msg(stru
+ */
+ spin_lock_bh(&vsi->mac_filter_hash_lock);
+
+- ret = i40e_check_vf_permission(vf, al);
++ ret = i40e_check_vf_permission(vf, al, &is_quiet);
+ if (ret) {
+ spin_unlock_bh(&vsi->mac_filter_hash_lock);
+ goto error_param;
+@@ -2775,8 +2799,8 @@ static int i40e_vc_add_mac_addr_msg(stru
+
+ error_param:
+ /* send the response to the VF */
+- return i40e_vc_send_resp_to_vf(vf, VIRTCHNL_OP_ADD_ETH_ADDR,
+- ret);
++ return i40e_vc_send_msg_to_vf_ex(vf, VIRTCHNL_OP_ADD_ETH_ADDR,
++ ret, NULL, 0, is_quiet);
+ }
+
+ /**
diff --git a/queue-5.10/iavf-fix-limit-of-total-number-of-queues-to-active-queues-of-vf.patch b/queue-5.10/iavf-fix-limit-of-total-number-of-queues-to-active-queues-of-vf.patch
new file mode 100644
index 00000000000..b6c865f2a19
--- /dev/null
+++ b/queue-5.10/iavf-fix-limit-of-total-number-of-queues-to-active-queues-of-vf.patch
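Review bot: In `i40e_vc_send_msg_to_vf_ex()` (i40e patch) the new condition `if (v_retval && !is_quiet)` skips `vf->num_invalid_msgs++` as well as the `dev_info()`, so a VF whose MAC change is rejected with -EPERM no longer counts toward the invalid-message tally, although the description only speaks of hiding the message. The rest of that block lies outside the hunk, so it is an inference that the counter feeds throttling or disabling of a misbehaving VF; if it does, keep the accounting and gate only the print: `if (v_retval) { vf->num_invalid_msgs++; if (!is_quiet) dev_info(...);`. The kernel-doc for `@is_quiet` on `i40e_check_vf_permission()` should also say it is an output parameter, for example `@is_quiet: set to true when the caller should suppress the opcode failure message`.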
@@ -0,0 +1,43 @@
+From b712941c8085e638bb92456e866ed3de4404e3d5 Mon Sep 17 00:00:00 2001
+From: Karen Sornek
+Date: Wed, 1 Sep 2021 09:21:46 +0200
+Subject: iavf: Fix limit of total number of queues to active queues of VF
+
+From: Karen Sornek
+
+commit b712941c8085e638bb92456e866ed3de4404e3d5 upstream.
+
+In the absence of this validation, if the user requests to
+configure queues more than the enabled queues, it results in
+sending the requested number of queues to the kernel stack
+(due to the asynchronous nature of VF response), in which
+case the stack might pick a queue to transmit that is not
+enabled and result in Tx hang. Fix this bug by
+limiting the total number of queues allocated for VF to
+active queues of VF.
+
+Fixes: d5b33d024496 ("i40evf: add ndo_setup_tc callback to i40evf")
+Signed-off-by: Ashwin Vijayavel
+Signed-off-by: Karen Sornek
+Tested-by: Konrad Jankowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -2598,8 +2598,11 @@ static int iavf_validate_ch_config(struc
+ total_max_rate += tx_rate;
+ num_qps += mqprio_qopt->qopt.count[i];
+ }
+- if (num_qps > IAVF_MAX_REQ_QUEUES)
++ if (num_qps > adapter->num_active_queues) {
++ dev_err(&adapter->pdev->dev,
++ "Cannot support requested number of queues\n");
+ return -EINVAL;
++ }
+
+ ret = iavf_validate_tx_bandwidth(adapter, total_max_rate);
+ return ret;
diff --git a/queue-5.10/mac80211-initialize-variable-have_higher_than_11mbit.patch b/queue-5.10/mac80211-initialize-variable-have_higher_than_11mbit.patch
new file mode 100644
index 00000000000..fa2921d6c05
--- /dev/null
+++ b/queue-5.10/mac80211-initialize-variable-have_higher_than_11mbit.patch
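Review bot: The new `dev_err()` in `iavf_validate_ch_config()` (iavf patch) does not say how many queues were requested or how many are active, which makes the rejection hard to diagnose from the log. A message such as `"Cannot support %d requested queues, only %d active\n"` with `num_qps` and `adapter->num_active_queues` would help; the declaration of `num_qps` is outside the hunk, so the format specifiers need checking against it. The change also drops the comparison against `IAVF_MAX_REQ_QUEUES`, which is only equivalent or stricter if `num_active_queues` can never exceed that constant, and that is not visible here. A one-line comment above the test stating that the bound is the currently enabled queue count rather than the maximum would make the intent clear.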
@@ -0,0 +1,41 @@
+From 68a18ad71378a56858141c4449e02a30c829763e Mon Sep 17 00:00:00 2001
+From: Tom Rix
+Date: Thu, 23 Dec 2021 08:28:48 -0800
+Subject: mac80211: initialize variable have_higher_than_11mbit
+
+From: Tom Rix
+
+commit 68a18ad71378a56858141c4449e02a30c829763e upstream.
+
+Clang static analysis reports this warnings
+
+mlme.c:5332:7: warning: Branch condition evaluates to a
+ garbage value
+ have_higher_than_11mbit)
+ ^~~~~~~~~~~~~~~~~~~~~~~
+
+have_higher_than_11mbit is only set to true some of the time in
+ieee80211_get_rates() but is checked all of the time. So
+have_higher_than_11mbit needs to be initialized to false.
+
+Fixes: 5d6a1b069b7f ("mac80211: set basic rates earlier")
+Signed-off-by: Tom Rix
+Reviewed-by: Nick Desaulniers
+Link: https://lore.kernel.org/r/20211223162848.3243702-1-trix@redhat.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/mlme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -5194,7 +5194,7 @@ static int ieee80211_prep_connection(str
+ */
+ if (new_sta) {
+ u32 rates = 0, basic_rates = 0;
+- bool have_higher_than_11mbit;
++ bool have_higher_than_11mbit = false;
+ int min_rate = INT_MAX, min_rate_index = -1;
+ const struct cfg80211_bss_ies *ies;
+ int shift = ieee80211_vif_get_shift(&sdata->vif);
diff --git a/queue-5.10/netrom-fix-copying-in-user-data-in-nr_setsockopt.patch b/queue-5.10/netrom-fix-copying-in-user-data-in-nr_setsockopt.patch
new file mode 100644
index 00000000000..a081320c5ee
--- /dev/null
+++ b/queue-5.10/netrom-fix-copying-in-user-data-in-nr_setsockopt.patch
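Review bot: Initialising `have_higher_than_11mbit` at its declaration in `ieee80211_prep_connection()` (mac80211 patch) fixes this caller only. According to the description, `ieee80211_get_rates()` writes the flag on some paths and not others, so any other caller passing an uninitialised variable would hit the same garbage-value branch. Setting `*have_higher_than_11mbit = false;` at the top of the helper, which is outside this hunk, would make the out-parameter contract hold for every caller. If the helper is left as is, its comment should state that the caller must pre-initialise the flag.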
@@ -0,0 +1,32 @@
+From 3087a6f36ee028ec095c04a8531d7d33899b7fed Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig
+Date: Tue, 4 Jan 2022 10:21:26 +0100
+Subject: netrom: fix copying in user data in nr_setsockopt
+
+From: Christoph Hellwig
+
+commit 3087a6f36ee028ec095c04a8531d7d33899b7fed upstream.
+
+This code used to copy in an unsigned long worth of data before
+the sockptr_t conversion, so restore that.
+
+Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt")
+Reported-by: Dan Carpenter
+Signed-off-by: Christoph Hellwig
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -306,7 +306,7 @@ static int nr_setsockopt(struct socket *
+ if (optlen < sizeof(unsigned int))
+ return -EINVAL;
+
+- if (copy_from_sockptr(&opt, optval, sizeof(unsigned int)))
++ if (copy_from_sockptr(&opt, optval, sizeof(unsigned long)))
+ return -EFAULT;
+
+ switch (optname) {
diff --git a/queue-5.10/rdma-core-don-t-infoleak-grh-fields.patch b/queue-5.10/rdma-core-don-t-infoleak-grh-fields.patch
new file mode 100644
index 00000000000..4492fb60b21
--- /dev/null
+++ b/queue-5.10/rdma-core-don-t-infoleak-grh-fields.patch
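Review bot: The length check and the copy size no longer agree in `nr_setsockopt()` (netrom patch): the unchanged guard is `if (optlen < sizeof(unsigned int))`, while the new line copies `sizeof(unsigned long)` bytes, so on a 64-bit build a caller that passes a 4-byte option has 8 bytes read from `optval`. For a user pointer that reads beyond the buffer the caller described, and because a `sockptr_t` can also wrap a kernel pointer, the over-read is not necessarily caught by user-copy fault handling. Make the two sizes match, either by checking `optlen < sizeof(unsigned long)` or, to keep accepting 4-byte options, by declaring `opt` as `unsigned int` and using `copy_from_sockptr(&opt, optval, sizeof(opt))`. The declaration of `opt` is outside this hunk, so its current type is taken from the commit description.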
@@ -0,0 +1,64 @@
+From b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Tue, 4 Jan 2022 14:21:52 +0200
+Subject: RDMA/core: Don't infoleak GRH fields
+
+From: Leon Romanovsky
+
+commit b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd upstream.
+
+If dst->is_global field is not set, the GRH fields are not cleared
+and the following infoleak is reported.
+
+=====================================================
+BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
+BUG: KMSAN: kernel-infoleak in _copy_to_user+0x1c9/0x270 lib/usercopy.c:33
+ instrument_copy_to_user include/linux/instrumented.h:121 [inline]
+ _copy_to_user+0x1c9/0x270 lib/usercopy.c:33
+ copy_to_user include/linux/uaccess.h:209 [inline]
+ ucma_init_qp_attr+0x8c7/0xb10 drivers/infiniband/core/ucma.c:1242
+ ucma_write+0x637/0x6c0 drivers/infiniband/core/ucma.c:1732
+ vfs_write+0x8ce/0x2030 fs/read_write.c:588
+ ksys_write+0x28b/0x510 fs/read_write.c:643
+ __do_sys_write fs/read_write.c:655 [inline]
+ __se_sys_write fs/read_write.c:652 [inline]
+ __ia32_sys_write+0xdb/0x120 fs/read_write.c:652
+ do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
+ __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
+ do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
+ do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+
+Local variable resp created at:
+ ucma_init_qp_attr+0xa4/0xb10 drivers/infiniband/core/ucma.c:1214
+ ucma_write+0x637/0x6c0 drivers/infiniband/core/ucma.c:1732
+
+Bytes 40-59 of 144 are uninitialized
+Memory access of size 144 starts at ffff888167523b00
+Data copied to user address 0000000020000100
+
+CPU: 1 PID: 25910 Comm: syz-executor.1 Not tainted 5.16.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+=====================================================
+
+Fixes: 4ba66093bdc6 ("IB/core: Check for global flag when using ah_attr")
+Link: https://lore.kernel.org/r/0e9dd51f93410b7b2f4f5562f52befc878b71afa.1641298868.git.leonro@nvidia.com
+Reported-by: syzbot+6d532fa8f9463da290bc@syzkaller.appspotmail.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/uverbs_marshall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/uverbs_marshall.c
++++ b/drivers/infiniband/core/uverbs_marshall.c
+@@ -66,7 +66,7 @@ void ib_copy_ah_attr_to_user(struct ib_d
+ struct rdma_ah_attr *src = ah_attr;
+ struct rdma_ah_attr conv_ah;
+
+- memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved));
++ memset(&dst->grh, 0, sizeof(dst->grh));
+
+ if ((ah_attr->type == RDMA_AH_ATTR_TYPE_OPA) &&
+ (rdma_ah_get_dlid(ah_attr) > be16_to_cpu(IB_LID_PERMISSIVE)) &&
diff --git a/queue-5.10/rdma-uverbs-check-for-null-return-of-kmalloc_array.patch b/queue-5.10/rdma-uverbs-check-for-null-return-of-kmalloc_array.patch
new file mode 100644
index 00000000000..55784fd8a04
--- /dev/null
+++ b/queue-5.10/rdma-uverbs-check-for-null-return-of-kmalloc_array.patch
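Review bot: The widened `memset(&dst->grh, 0, sizeof(dst->grh));` in `ib_copy_ah_attr_to_user()` (RDMA/core patch) needs a comment, because nothing at the call says why the whole of `grh` is cleared. Per the description the GRH fields are left uncleared when `is_global` is not set, and the KMSAN trace shows the structure reaching `copy_to_user`, so something like `/* dst is copied to user space; grh is not filled unless is_global is set, so clear all of it */` would record that. Whether the remaining members of `dst` are written on every path cannot be seen from this hunk, since the function body continues past it. If callers do not pre-fill `dst`, zeroing the whole structure once on entry would rule out the same class of leak for padding and for fields added later.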
@@ -0,0 +1,35 @@
+From 7694a7de22c53a312ea98960fcafc6ec62046531 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang
+Date: Fri, 31 Dec 2021 17:33:15 +0800
+Subject: RDMA/uverbs: Check for null return of kmalloc_array
+
+From: Jiasheng Jiang
+
+commit 7694a7de22c53a312ea98960fcafc6ec62046531 upstream.
+
+Because of the possible failure of the allocation, data might be NULL
+pointer and will cause the dereference of the NULL pointer later.
+Therefore, it might be better to check it and return -ENOMEM.
+
+Fixes: 6884c6c4bd09 ("RDMA/verbs: Store the write/write_ex uapi entry points in the uverbs_api")
+Link: https://lore.kernel.org/r/20211231093315.1917667-1-jiasheng@iscas.ac.cn
+Signed-off-by: Jiasheng Jiang
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/uverbs_uapi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/uverbs_uapi.c
++++ b/drivers/infiniband/core/uverbs_uapi.c
+@@ -450,6 +450,9 @@ static int uapi_finalize(struct uverbs_a
+ uapi->num_write_ex = max_write_ex + 1;
+ data = kmalloc_array(uapi->num_write + uapi->num_write_ex,
+ sizeof(*uapi->write_methods), GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
++
+ for (i = 0; i != uapi->num_write + uapi->num_write_ex; i++)
+ data[i] = &uapi->notsupp_method;
+ uapi->write_methods = data;
diff --git a/queue-5.10/series b/queue-5.10/series
index 2a1b0dac212..588935deae5 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
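Review bot: On the new `return -ENOMEM` path in `uapi_finalize()` (RDMA/uverbs patch), `uapi->num_write_ex` has already been set, and presumably `uapi->num_write` too (it is assigned above the hunk), while `uapi->write_methods` has not been assigned, so the structure is left describing a table that does not exist. That is harmless only if every caller discards `uapi` when `uapi_finalize()` fails, which is outside this hunk and should be confirmed. Assigning the counts after the allocation succeeds, or resetting them before returning with `uapi->num_write = uapi->num_write_ex = 0;`, avoids relying on that.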
@@ -3,3 +3,9 @@ selftests-x86-fix-warn-in-test_process_vm_readv.patch
 tracing-fix-check-for-trace_percpu_buffer-validity-in-get_trace_buf.patch
 tracing-tag-trace_percpu_buffer-as-a-percpu-pointer.patch
 ieee802154-atusb-fix-uninit-value-in-atusb_set_extended_addr.patch
+i40e-fix-to-not-show-opcode-msg-on-unsuccessful-vf-mac-change.patch
+iavf-fix-limit-of-total-number-of-queues-to-active-queues-of-vf.patch
+rdma-core-don-t-infoleak-grh-fields.patch
+netrom-fix-copying-in-user-data-in-nr_setsockopt.patch
+rdma-uverbs-check-for-null-return-of-kmalloc_array.patch
+mac80211-initialize-variable-have_higher_than_11mbit.patch
--
2.47.3