From ef884a2f7784e2c9a61dcc7fbe56b77b9fe35f9a Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 10 Nov 2019 18:23:39 +0100 Subject: [PATCH] 4.9-stable patches added patches: bonding-fix-state-transition-issue-in-link-monitoring.patch cdc-ncm-handle-incomplete-transfer-of-mtu.patch ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch net-fix-data-race-in-neigh_event_send.patch net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch nfc-fdp-fix-incorrect-free-object.patch nfc-netlink-fix-double-device-reference-drop.patch nfc-st21nfca-fix-double-free.patch qede-fix-null-pointer-deref-in-__qede_remove.patch --- queue-4.14/series | 11 + ...-transition-issue-in-link-monitoring.patch | 202 ++++++++++++++++++ ...cm-handle-incomplete-transfer-of-mtu.patch | 46 ++++ ...e-id-reference-in-fib_sync_down_addr.patch | 35 +++ ...et-fix-data-race-in-neigh_event_send.patch | 86 ++++++++ ...upport-for-dw5821e-with-esim-support.patch | 43 ++++ .../nfc-fdp-fix-incorrect-free-object.patch | 31 +++ ...ink-fix-double-device-reference-drop.patch | 41 ++++ queue-4.9/nfc-st21nfca-fix-double-free.patch | 31 +++ ...-null-pointer-deref-in-__qede_remove.patch | 101 +++++++++ queue-4.9/series | 9 + 11 files changed, 636 insertions(+) create mode 100644 queue-4.14/series create mode 100644 queue-4.9/bonding-fix-state-transition-issue-in-link-monitoring.patch create mode 100644 queue-4.9/cdc-ncm-handle-incomplete-transfer-of-mtu.patch create mode 100644 queue-4.9/ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch create mode 100644 queue-4.9/net-fix-data-race-in-neigh_event_send.patch create mode 100644 queue-4.9/net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch create mode 100644 queue-4.9/nfc-fdp-fix-incorrect-free-object.patch create mode 100644 queue-4.9/nfc-netlink-fix-double-device-reference-drop.patch create mode 100644 queue-4.9/nfc-st21nfca-fix-double-free.patch create mode 100644 queue-4.9/qede-fix-null-pointer-deref-in-__qede_remove.patch create mode 100644 queue-4.9/series 
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..8d86b5f0ee2
--- /dev/null
+++ b/queue-4.14/series
@@ -0,0 +1,11 @@
+bonding-fix-state-transition-issue-in-link-monitoring.patch
+cdc-ncm-handle-incomplete-transfer-of-mtu.patch
+ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch
+net-ethernet-octeon_mgmt-account-for-second-possible-vlan-header.patch
+net-fix-data-race-in-neigh_event_send.patch
+net-qualcomm-rmnet-fix-potential-uaf-when-unregistering.patch
+net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch
+nfc-fdp-fix-incorrect-free-object.patch
+nfc-netlink-fix-double-device-reference-drop.patch
+nfc-st21nfca-fix-double-free.patch
+qede-fix-null-pointer-deref-in-__qede_remove.patch
diff --git a/queue-4.9/bonding-fix-state-transition-issue-in-link-monitoring.patch b/queue-4.9/bonding-fix-state-transition-issue-in-link-monitoring.patch
new file mode 100644
index 00000000000..a19963d4198
--- /dev/null
+++ b/queue-4.9/bonding-fix-state-transition-issue-in-link-monitoring.patch
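Review bot: The new queue-4.14/series names eleven patches, but this commit adds no patch files under queue-4.14/ at all — the diffstat lists only the series file for that tree — so quilt would fail on the first missing entry unless those files arrive in a separate commit. Two of the entries (net-ethernet-octeon_mgmt-… and net-qualcomm-rmnet-…) have no counterpart anywhere in this commit, which suggests the 4.14 series was swept into a "4.9-stable patches" commit by accident; worth confirming before the queue is pushed.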
@@ -0,0 +1,202 @@ +From foo@baz Sun 10 Nov 2019 06:21:03 PM CET +From: Jay Vosburgh +Date: Fri, 1 Nov 2019 21:56:42 -0700 +Subject: bonding: fix state transition issue in link monitoring + +From: Jay Vosburgh + +[ Upstream commit 1899bb325149e481de31a4f32b59ea6f24e176ea ] + +Since de77ecd4ef02 ("bonding: improve link-status update in +mii-monitoring"), the bonding driver has utilized two separate variables +to indicate the next link state a particular slave should transition to. +Each is used to communicate to a different portion of the link state +change commit logic; one to the bond_miimon_commit function itself, and +another to the state transition logic. + + Unfortunately, the two variables can become unsynchronized, +resulting in incorrect link state transitions within bonding. This can +cause slaves to become stuck in an incorrect link state until a +subsequent carrier state transition. + + The issue occurs when a special case in bond_slave_netdev_event +sets slave->link directly to BOND_LINK_FAIL. On the next pass through +bond_miimon_inspect after the slave goes carrier up, the BOND_LINK_FAIL +case will set the proposed next state (link_new_state) to BOND_LINK_UP, +but the new_link to BOND_LINK_DOWN. The setting of the final link state +from new_link comes after that from link_new_state, and so the slave +will end up incorrectly in _DOWN state. + + Resolve this by combining the two variables into one. + +Reported-by: Aleksei Zakharov +Reported-by: Sha Zhang +Cc: Mahesh Bandewar +Fixes: de77ecd4ef02 ("bonding: improve link-status update in mii-monitoring") +Signed-off-by: Jay Vosburgh +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 40 ++++++++++++++++++++-------------------- + include/net/bonding.h | 1 - + 2 files changed, 20 insertions(+), 21 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2031,7 +2031,7 @@ static int bond_miimon_inspect(struct bo + ignore_updelay = !rcu_dereference(bond->curr_active_slave); + + bond_for_each_slave_rcu(bond, slave, iter) { +- slave->new_link = BOND_LINK_NOCHANGE; ++ bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + + link_state = bond_check_dev_link(bond, slave->dev, 0); + +@@ -2068,7 +2068,7 @@ static int bond_miimon_inspect(struct bo + } + + if (slave->delay <= 0) { +- slave->new_link = BOND_LINK_DOWN; ++ bond_propose_link_state(slave, BOND_LINK_DOWN); + commit++; + continue; + } +@@ -2109,7 +2109,7 @@ static int bond_miimon_inspect(struct bo + slave->delay = 0; + + if (slave->delay <= 0) { +- slave->new_link = BOND_LINK_UP; ++ bond_propose_link_state(slave, BOND_LINK_UP); + commit++; + ignore_updelay = false; + continue; +@@ -2129,7 +2129,7 @@ static void bond_miimon_commit(struct bo + struct slave *slave, *primary; + + bond_for_each_slave(bond, slave, iter) { +- switch (slave->new_link) { ++ switch (slave->link_new_state) { + case BOND_LINK_NOCHANGE: + /* For 802.3ad mode, check current slave speed and + * duplex again in case its port was disabled after +@@ -2222,8 +2222,8 @@ static void bond_miimon_commit(struct bo + + default: + netdev_err(bond->dev, "invalid new link %d on slave %s\n", +- slave->new_link, slave->dev->name); +- slave->new_link = BOND_LINK_NOCHANGE; ++ slave->link_new_state, slave->dev->name); ++ bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + + continue; + } +@@ -2618,13 +2618,13 @@ static void bond_loadbalance_arp_mon(str + bond_for_each_slave_rcu(bond, slave, iter) { + unsigned long trans_start = dev_trans_start(slave->dev); + +- slave->new_link = BOND_LINK_NOCHANGE; ++ 
bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + + if (slave->link != BOND_LINK_UP) { + if (bond_time_in_interval(bond, trans_start, 1) && + bond_time_in_interval(bond, slave->last_rx, 1)) { + +- slave->new_link = BOND_LINK_UP; ++ bond_propose_link_state(slave, BOND_LINK_UP); + slave_state_changed = 1; + + /* primary_slave has no meaning in round-robin +@@ -2651,7 +2651,7 @@ static void bond_loadbalance_arp_mon(str + if (!bond_time_in_interval(bond, trans_start, 2) || + !bond_time_in_interval(bond, slave->last_rx, 2)) { + +- slave->new_link = BOND_LINK_DOWN; ++ bond_propose_link_state(slave, BOND_LINK_DOWN); + slave_state_changed = 1; + + if (slave->link_failure_count < UINT_MAX) +@@ -2683,8 +2683,8 @@ static void bond_loadbalance_arp_mon(str + goto re_arm; + + bond_for_each_slave(bond, slave, iter) { +- if (slave->new_link != BOND_LINK_NOCHANGE) +- slave->link = slave->new_link; ++ if (slave->link_new_state != BOND_LINK_NOCHANGE) ++ slave->link = slave->link_new_state; + } + + if (slave_state_changed) { +@@ -2707,9 +2707,9 @@ re_arm: + } + + /* Called to inspect slaves for active-backup mode ARP monitor link state +- * changes. Sets new_link in slaves to specify what action should take +- * place for the slave. Returns 0 if no changes are found, >0 if changes +- * to link states must be committed. ++ * changes. Sets proposed link state in slaves to specify what action ++ * should take place for the slave. Returns 0 if no changes are found, >0 ++ * if changes to link states must be committed. + * + * Called with rcu_read_lock held. 
+ */ +@@ -2721,12 +2721,12 @@ static int bond_ab_arp_inspect(struct bo + int commit = 0; + + bond_for_each_slave_rcu(bond, slave, iter) { +- slave->new_link = BOND_LINK_NOCHANGE; ++ bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + last_rx = slave_last_rx(bond, slave); + + if (slave->link != BOND_LINK_UP) { + if (bond_time_in_interval(bond, last_rx, 1)) { +- slave->new_link = BOND_LINK_UP; ++ bond_propose_link_state(slave, BOND_LINK_UP); + commit++; + } + continue; +@@ -2754,7 +2754,7 @@ static int bond_ab_arp_inspect(struct bo + if (!bond_is_active_slave(slave) && + !rcu_access_pointer(bond->current_arp_slave) && + !bond_time_in_interval(bond, last_rx, 3)) { +- slave->new_link = BOND_LINK_DOWN; ++ bond_propose_link_state(slave, BOND_LINK_DOWN); + commit++; + } + +@@ -2767,7 +2767,7 @@ static int bond_ab_arp_inspect(struct bo + if (bond_is_active_slave(slave) && + (!bond_time_in_interval(bond, trans_start, 2) || + !bond_time_in_interval(bond, last_rx, 2))) { +- slave->new_link = BOND_LINK_DOWN; ++ bond_propose_link_state(slave, BOND_LINK_DOWN); + commit++; + } + } +@@ -2787,7 +2787,7 @@ static void bond_ab_arp_commit(struct bo + struct slave *slave; + + bond_for_each_slave(bond, slave, iter) { +- switch (slave->new_link) { ++ switch (slave->link_new_state) { + case BOND_LINK_NOCHANGE: + continue; + +@@ -2840,7 +2840,7 @@ static void bond_ab_arp_commit(struct bo + + default: + netdev_err(bond->dev, "impossible: new_link %d on slave %s\n", +- slave->new_link, slave->dev->name); ++ slave->link_new_state, slave->dev->name); + continue; + } + +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -148,7 +148,6 @@ struct slave { + unsigned long last_rx; + unsigned long target_last_arp_rx[BOND_MAX_ARP_TARGETS]; + s8 link; /* one of BOND_LINK_XXXX */ +- s8 new_link; + u8 backup:1, /* indicates backup slave. Value corresponds with + BOND_STATE_ACTIVE and BOND_STATE_BACKUP */ + inactive:1, /* indicates inactive slave */ 
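Review bot: The `default:` diagnostics in bond_miimon_commit and bond_ab_arp_commit still name the removed field — `"invalid new link %d on slave %s\n"` and `"impossible: new_link %d on slave %s\n"` — while the value printed is now slave->link_new_state; renaming them to, for example, `"invalid link_new_state %d on slave %s\n"` keeps the logs searchable against the field the code actually checks. The backport also relies on bond_propose_link_state() and slave->link_new_state already being present in the 4.9 tree (they appear to have come with the commit named in the Fixes: tag, which is not part of this queue); the patch adds neither, so only a build of the queue confirms it. Every touched function starts and ends outside the hunks, and the dropped `s8 new_link` in struct slave is what turns any leftover user of the old field into a compile error rather than a silent desync, which is the right property to rely on here.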
diff --git a/queue-4.9/cdc-ncm-handle-incomplete-transfer-of-mtu.patch b/queue-4.9/cdc-ncm-handle-incomplete-transfer-of-mtu.patch
new file mode 100644
index 00000000000..cadba3edfe1
--- /dev/null
+++ b/queue-4.9/cdc-ncm-handle-incomplete-transfer-of-mtu.patch
@@ -0,0 +1,46 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Oliver Neukum
+Date: Thu, 7 Nov 2019 09:48:01 +0100
+Subject: CDC-NCM: handle incomplete transfer of MTU
+
+From: Oliver Neukum
+
+[ Upstream commit 332f989a3b0041b810836c5c3747e59aad7e9d0b ]
+
+A malicious device may give half an answer when asked
+for its MTU. The driver will proceed after this with
+a garbage MTU. Anything but a complete answer must be treated
+as an error.
+
+V2: used sizeof as request by Alexander
+
+Reported-and-tested-by: syzbot+0631d878823ce2411636@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/cdc_ncm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -576,8 +576,8 @@ static void cdc_ncm_set_dgram_size(struc
+ /* read current mtu value from device */
+ err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
+ USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
+- 0, iface_no, &max_datagram_size, 2);
+- if (err < 0) {
++ 0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
++ if (err < sizeof(max_datagram_size)) {
+ dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
+ goto out;
+ }
+@@ -588,7 +588,7 @@ static void cdc_ncm_set_dgram_size(struc
+ max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
+ err = usbnet_write_cmd(dev, USB_CDC_SET_MAX_DATAGRAM_SIZE,
+ USB_TYPE_CLASS | USB_DIR_OUT | USB_RECIP_INTERFACE,
+- 0, iface_no, &max_datagram_size, 2);
++ 0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
+ if (err < 0)
+ dev_dbg(&dev->intf->dev, "SET_MAX_DATAGRAM_SIZE failed\n");
+
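Review bot: `if (err < sizeof(max_datagram_size))` compares the signed int returned by usbnet_read_cmd() against a size_t, so a negative error code is converted to a huge unsigned value and no longer takes the error branch — the old `err < 0` check is lost, and a failed control transfer now falls through with max_datagram_size never written by the device. An exact-length test that keeps the sign fixes both cases at once: `if (err != sizeof(max_datagram_size)) {`, or `if (err < 0 || (size_t)err < sizeof(max_datagram_size)) {` if failures and short reads should stay distinguishable in the debug output. The write path in the second hunk keeps `if (err < 0)` and does not check for a short transfer, which is acceptable for a set request. cdc_ncm_set_dgram_size() begins and ends outside these hunks.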
diff --git a/queue-4.9/ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch b/queue-4.9/ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch
new file mode 100644
index 00000000000..93a24cfa01c
--- /dev/null
+++ b/queue-4.9/ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch
@@ -0,0 +1,35 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: David Ahern
+Date: Thu, 7 Nov 2019 18:29:52 +0000
+Subject: ipv4: Fix table id reference in fib_sync_down_addr
+
+From: David Ahern
+
+[ Upstream commit e0a312629fefa943534fc46f7bfbe6de3fdaf463 ]
+
+Hendrik reported routes in the main table using source address are not
+removed when the address is removed. The problem is that fib_sync_down_addr
+does not account for devices in the default VRF which are associated
+with the main table. Fix by updating the table id reference.
+
+Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs")
+Reported-by: Hendrik Donner
+Signed-off-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/fib_semantics.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -1358,8 +1358,8 @@ int fib_sync_down_addr(struct net_device
+ int ret = 0;
+ unsigned int hash = fib_laddr_hashfn(local);
+ struct hlist_head *head = &fib_info_laddrhash[hash];
++ int tb_id = l3mdev_fib_table(dev) ? : RT_TABLE_MAIN;
+ struct net *net = dev_net(dev);
+- int tb_id = l3mdev_fib_table(dev);
+ struct fib_info *fi;
+
+ if (!fib_info_laddrhash || local == 0)
diff --git a/queue-4.9/net-fix-data-race-in-neigh_event_send.patch b/queue-4.9/net-fix-data-race-in-neigh_event_send.patch
new file mode 100644
index 00000000000..a8e30f13484
--- /dev/null
+++ b/queue-4.9/net-fix-data-race-in-neigh_event_send.patch
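Review bot: `int tb_id = l3mdev_fib_table(dev) ? : RT_TABLE_MAIN;` relies on the reader knowing that l3mdev_fib_table() yields 0 for a device with no L3 master (the "default VRF" case the commit message describes) and that such devices' routes live in the main table; a short comment above the declaration, e.g. `/* no l3mdev: routes of plain devices live in the main table */`, would make the elvis fallback self-explanatory. Moving the declaration ahead of `struct net *net = dev_net(dev);` changes only declaration order, which is fine. fib_sync_down_addr() continues past the end of the hunk, where tb_id is presumably compared against each fib_info's table id.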
@@ -0,0 +1,86 @@ +From foo@baz Sun 10 Nov 2019 06:21:03 PM CET +From: Eric Dumazet +Date: Thu, 7 Nov 2019 20:08:19 -0800 +Subject: net: fix data-race in neigh_event_send() + +From: Eric Dumazet + +[ Upstream commit 1b53d64435d56902fc234ff2507142d971a09687 ] + +KCSAN reported the following data-race [1] + +The fix will also prevent the compiler from optimizing out +the condition. + +[1] + +BUG: KCSAN: data-race in neigh_resolve_output / neigh_resolve_output + +write to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 1: + neigh_event_send include/net/neighbour.h:443 [inline] + neigh_resolve_output+0x78/0x480 net/core/neighbour.c:1474 + neigh_output include/net/neighbour.h:511 [inline] + ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228 + __ip_finish_output net/ipv4/ip_output.c:308 [inline] + __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290 + ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318 + NF_HOOK_COND include/linux/netfilter.h:294 [inline] + ip_output+0xdf/0x210 net/ipv4/ip_output.c:432 + dst_output include/net/dst.h:436 [inline] + ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125 + __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532 + ip_queue_xmit+0x45/0x60 include/net/ip.h:237 + __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169 + tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline] + __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976 + tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999 + tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515 + tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598 + tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:618 + +read to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 0: + neigh_event_send include/net/neighbour.h:442 [inline] + neigh_resolve_output+0x57/0x480 net/core/neighbour.c:1474 + neigh_output include/net/neighbour.h:511 [inline] + ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228 + __ip_finish_output net/ipv4/ip_output.c:308 [inline] + 
__ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290 + ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318 + NF_HOOK_COND include/linux/netfilter.h:294 [inline] + ip_output+0xdf/0x210 net/ipv4/ip_output.c:432 + dst_output include/net/dst.h:436 [inline] + ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125 + __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532 + ip_queue_xmit+0x45/0x60 include/net/ip.h:237 + __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169 + tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline] + __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976 + tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999 + tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515 + tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc3+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/neighbour.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/net/neighbour.h ++++ b/include/net/neighbour.h +@@ -425,8 +425,8 @@ static inline int neigh_event_send(struc + { + unsigned long now = jiffies; + +- if (neigh->used != now) +- neigh->used = now; ++ if (READ_ONCE(neigh->used) != now) ++ WRITE_ONCE(neigh->used, now); + if (!(neigh->nud_state&(NUD_CONNECTED|NUD_DELAY|NUD_PROBE))) + return __neigh_event_send(neigh, skb); + return 0; diff --git a/queue-4.9/net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch b/queue-4.9/net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch new file mode 100644 index 00000000000..4ac1cadf050 --- /dev/null +++ b/queue-4.9/net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch 
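Review bot: The READ_ONCE()/WRITE_ONCE() pair covers neigh->used, but the read of neigh->nud_state two lines below is made under the same lockless conditions and stays a plain access; if the same tool later flags it, the equivalent `if (!(READ_ONCE(neigh->nud_state) & (NUD_CONNECTED|NUD_DELAY|NUD_PROBE)))` is the follow-up, not something to fold into this backport. Keeping the compare-before-write presumably exists to avoid a store on every send, and is worth a one-line comment such as `/* only write when it changes */` so the conditional store is not "simplified" away later. neigh_event_send() is an inline in a header; its closing brace is outside the hunk.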
@@ -0,0 +1,43 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Aleksander Morgado
+Date: Thu, 7 Nov 2019 11:57:01 +0100
+Subject: net: usb: qmi_wwan: add support for DW5821e with eSIM support
+
+From: Aleksander Morgado
+
+[ Upstream commit e497df686e8fed8c1dd69179010656362858edb3 ]
+
+Exactly same layout as the default DW5821e module, just a different
+vid/pid.
+
+The QMI interface is exposed in USB configuration #1:
+
+P: Vendor=413c ProdID=81e0 Rev=03.18
+S: Manufacturer=Dell Inc.
+S: Product=DW5821e-eSIM Snapdragon X20 LTE
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=00 Prot=00 Driver=usbhid
+I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+
+Signed-off-by: Aleksander Morgado
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -951,6 +951,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */
+ {QMI_FIXED_INTF(0x413c, 0x81d7, 0)}, /* Dell Wireless 5821e */
++ {QMI_FIXED_INTF(0x413c, 0x81e0, 0)}, /* Dell Wireless 5821e with eSIM support*/
+ {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
+ {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */
+ {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */
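Review bot: The new table entry's comment, `/* Dell Wireless 5821e with eSIM support*/`, is missing the space before `*/` that every neighbouring entry has; `/* Dell Wireless 5821e with eSIM support */` keeps the column consistent. The entry itself (vendor 413c, product 81e0, interface 0) matches the interface listing in the commit message.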
diff --git a/queue-4.9/nfc-fdp-fix-incorrect-free-object.patch b/queue-4.9/nfc-fdp-fix-incorrect-free-object.patch
new file mode 100644
index 00000000000..0940f24666c
--- /dev/null
+++ b/queue-4.9/nfc-fdp-fix-incorrect-free-object.patch
@@ -0,0 +1,31 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Pan Bian
+Date: Tue, 5 Nov 2019 16:34:07 +0800
+Subject: NFC: fdp: fix incorrect free object
+
+From: Pan Bian
+
+[ Upstream commit 517ce4e93368938b204451285e53014549804868 ]
+
+The address of fw_vsc_cfg is on stack. Releasing it with devm_kfree() is
+incorrect, which may result in a system crash or other security impacts.
+The expected object to free is *fw_vsc_cfg.
+
+Signed-off-by: Pan Bian
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nfc/fdp/i2c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nfc/fdp/i2c.c
++++ b/drivers/nfc/fdp/i2c.c
+@@ -268,7 +268,7 @@ static void fdp_nci_i2c_read_device_prop
+ *fw_vsc_cfg, len);
+
+ if (r) {
+- devm_kfree(dev, fw_vsc_cfg);
++ devm_kfree(dev, *fw_vsc_cfg);
+ goto vsc_read_err;
+ }
+ } else {
diff --git a/queue-4.9/nfc-netlink-fix-double-device-reference-drop.patch b/queue-4.9/nfc-netlink-fix-double-device-reference-drop.patch
new file mode 100644
index 00000000000..cb8dd465489
--- /dev/null
+++ b/queue-4.9/nfc-netlink-fix-double-device-reference-drop.patch
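Review bot: After `devm_kfree(dev, *fw_vsc_cfg);` the out-parameter still holds the freed address when control jumps to vsc_read_err; unless that label (outside the hunk) resets `*fw_vsc_cfg = NULL`, the caller is handed a dangling pointer on exactly the path this fix is about. Either confirm the label clears it or clear it right after the free with `*fw_vsc_cfg = NULL;`. The corrected argument is right — the old call passed the address of a local, as the message says — and fdp_nci_i2c_read_device_properties() begins and ends outside the hunk.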
@@ -0,0 +1,41 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Pan Bian
+Date: Thu, 7 Nov 2019 14:29:50 +0800
+Subject: nfc: netlink: fix double device reference drop
+
+From: Pan Bian
+
+[ Upstream commit 025ec40b81d785a98f76b8bdb509ac10773b4f12 ]
+
+The function nfc_put_device(dev) is called twice to drop the reference
+to dev when there is no associated local llcp. Remove one of them to fix
+the bug.
+
+Fixes: 52feb444a903 ("NFC: Extend netlink interface for LTO, RW, and MIUX parameters support")
+Fixes: d9b8d8e19b07 ("NFC: llcp: Service Name Lookup netlink interface")
+Signed-off-by: Pan Bian
+Reviewed-by: Johan Hovold
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/netlink.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -1103,7 +1103,6 @@ static int nfc_genl_llc_set_params(struc
+
+ local = nfc_llcp_find_local(dev);
+ if (!local) {
+- nfc_put_device(dev);
+ rc = -ENODEV;
+ goto exit;
+ }
+@@ -1163,7 +1162,6 @@ static int nfc_genl_llc_sdreq(struct sk_
+
+ local = nfc_llcp_find_local(dev);
+ if (!local) {
+- nfc_put_device(dev);
+ rc = -ENODEV;
+ goto exit;
+ }
diff --git a/queue-4.9/nfc-st21nfca-fix-double-free.patch b/queue-4.9/nfc-st21nfca-fix-double-free.patch
new file mode 100644
index 00000000000..6a039b451c6
--- /dev/null
+++ b/queue-4.9/nfc-st21nfca-fix-double-free.patch
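Review bot: With the early nfc_put_device(dev) removed, both `if (!local)` branches now depend on the `exit:` path — outside both hunks — dropping the reference taken on dev earlier in nfc_genl_llc_set_params() and nfc_genl_llc_sdreq(); nothing in the hunks shows either the get or the remaining put, so a one-line comment at each branch, `/* the reference on dev is dropped at exit: */`, would save the next reader from re-deriving why no put belongs here. Both functions begin and end outside the hunks.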
@@ -0,0 +1,31 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Pan Bian
+Date: Thu, 7 Nov 2019 09:33:20 +0800
+Subject: NFC: st21nfca: fix double free
+
+From: Pan Bian
+
+[ Upstream commit 99a8efbb6e30b72ac98cecf81103f847abffb1e5 ]
+
+The variable nfcid_skb is not changed in the callee nfc_hci_get_param()
+if error occurs. Consequently, the freed variable nfcid_skb will be
+freed again, resulting in a double free bug. Set nfcid_skb to NULL after
+releasing it to fix the bug.
+
+Signed-off-by: Pan Bian
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nfc/st21nfca/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nfc/st21nfca/core.c
++++ b/drivers/nfc/st21nfca/core.c
+@@ -719,6 +719,7 @@ static int st21nfca_hci_complete_target_
+ NFC_PROTO_FELICA_MASK;
+ } else {
+ kfree_skb(nfcid_skb);
++ nfcid_skb = NULL;
+ /* P2P in type A */
+ r = nfc_hci_get_param(hdev, ST21NFCA_RF_READER_F_GATE,
+ ST21NFCA_RF_READER_F_NFCID1,
diff --git a/queue-4.9/qede-fix-null-pointer-deref-in-__qede_remove.patch b/queue-4.9/qede-fix-null-pointer-deref-in-__qede_remove.patch
new file mode 100644
index 00000000000..32d34e48304
--- /dev/null
+++ b/queue-4.9/qede-fix-null-pointer-deref-in-__qede_remove.patch
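Review bot: The added `nfcid_skb = NULL;` prevents the double free only because kfree_skb() tolerates NULL and because nfc_hci_get_param() leaves the pointer untouched on error, as the commit message states; neither fact is visible at the call site, so a comment above the assignment such as `/* get_param leaves nfcid_skb untouched on error; NULL makes the exit path's kfree_skb() a no-op */` records the contract this line depends on. st21nfca_hci_complete_target_discovered() starts and ends outside the hunk, so the error path that performs the second free cannot be checked from here.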
@@ -0,0 +1,101 @@ +From foo@baz Sun 10 Nov 2019 06:21:03 PM CET +From: Manish Chopra +Date: Fri, 8 Nov 2019 02:42:30 -0800 +Subject: qede: fix NULL pointer deref in __qede_remove() + +From: Manish Chopra + +[ Upstream commit deabc87111c690097c03765ea017cd500f7376fc ] + +While rebooting the system with SR-IOV vfs enabled leads +to below crash due to recurrence of __qede_remove() on the VF +devices (first from .shutdown() flow of the VF itself and +another from PF's .shutdown() flow executing pci_disable_sriov()) + +This patch adds a safeguard in __qede_remove() flow to fix this, +so that driver doesn't attempt to remove "already removed" devices. + +[ 194.360134] BUG: unable to handle kernel NULL pointer dereference at 00000000000008dc +[ 194.360227] IP: [] __qede_remove+0x24/0x130 [qede] +[ 194.360304] PGD 0 +[ 194.360325] Oops: 0000 [#1] SMP +[ 194.360360] Modules linked in: tcp_lp fuse tun bridge stp llc devlink bonding ip_set nfnetlink ib_isert iscsi_target_mod ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib ib_umad rpcrdma sunrpc rdma_ucm ib_uverbs ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi dell_smbios iTCO_wdt iTCO_vendor_support dell_wmi_descriptor dcdbas vfat fat pcc_cpufreq skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd qedr ib_core pcspkr ses enclosure joydev ipmi_ssif sg i2c_i801 lpc_ich mei_me mei wmi ipmi_si ipmi_devintf ipmi_msghandler tpm_crb acpi_pad acpi_power_meter xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common crc32c_intel mgag200 +[ 194.361044] qede i2c_algo_bit drm_kms_helper qed syscopyarea sysfillrect nvme sysimgblt fb_sys_fops ttm nvme_core mpt3sas crc8 ptp drm pps_core ahci raid_class scsi_transport_sas libahci libata drm_panel_orientation_quirks nfit libnvdimm dm_mirror dm_region_hash dm_log dm_mod [last unloaded: ip_tables] +[ 194.361297] CPU: 51 
PID: 7996 Comm: reboot Kdump: loaded Not tainted 3.10.0-1062.el7.x86_64 #1 +[ 194.361359] Hardware name: Dell Inc. PowerEdge MX840c/0740HW, BIOS 2.4.6 10/15/2019 +[ 194.361412] task: ffff9cea9b360000 ti: ffff9ceabebdc000 task.ti: ffff9ceabebdc000 +[ 194.361463] RIP: 0010:[] [] __qede_remove+0x24/0x130 [qede] +[ 194.361534] RSP: 0018:ffff9ceabebdfac0 EFLAGS: 00010282 +[ 194.361570] RAX: 0000000000000000 RBX: ffff9cd013846098 RCX: 0000000000000000 +[ 194.361621] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9cd013846098 +[ 194.361668] RBP: ffff9ceabebdfae8 R08: 0000000000000000 R09: 0000000000000000 +[ 194.361715] R10: 00000000bfe14201 R11: ffff9ceabfe141e0 R12: 0000000000000000 +[ 194.361762] R13: ffff9cd013846098 R14: 0000000000000000 R15: ffff9ceab5e48000 +[ 194.361810] FS: 00007f799c02d880(0000) GS:ffff9ceacb0c0000(0000) knlGS:0000000000000000 +[ 194.361865] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 194.361903] CR2: 00000000000008dc CR3: 0000001bdac76000 CR4: 00000000007607e0 +[ 194.361953] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 194.362002] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 194.362051] PKRU: 55555554 +[ 194.362073] Call Trace: +[ 194.362109] [] qede_remove+0x10/0x20 [qede] +[ 194.362180] [] pci_device_remove+0x3e/0xc0 +[ 194.362240] [] __device_release_driver+0x82/0xf0 +[ 194.362285] [] device_release_driver+0x23/0x30 +[ 194.362343] [] pci_stop_bus_device+0x84/0xa0 +[ 194.362388] [] pci_stop_and_remove_bus_device+0x12/0x20 +[ 194.362450] [] pci_iov_remove_virtfn+0xaf/0x160 +[ 194.362496] [] sriov_disable+0x3c/0xf0 +[ 194.362534] [] pci_disable_sriov+0x23/0x30 +[ 194.362599] [] qed_sriov_disable+0x5e3/0x650 [qed] +[ 194.362658] [] ? kfree+0x106/0x140 +[ 194.362709] [] ? qed_free_stream_mem+0x70/0x90 [qed] +[ 194.362754] [] ? 
kfree+0x106/0x140 +[ 194.362803] [] qed_slowpath_stop+0x1a9/0x1d0 [qed] +[ 194.362854] [] __qede_remove+0xae/0x130 [qede] +[ 194.362904] [] qede_shutdown+0x10/0x20 [qede] +[ 194.362956] [] pci_device_shutdown+0x3a/0x60 +[ 194.363010] [] device_shutdown+0xfb/0x1f0 +[ 194.363066] [] kernel_restart_prepare+0x36/0x40 +[ 194.363107] [] kernel_restart+0x12/0x60 +[ 194.363146] [] SYSC_reboot+0x229/0x260 +[ 194.363196] [] ? handle_mm_fault+0x39d/0x9b0 +[ 194.363253] [] ? __switch_to+0x151/0x580 +[ 194.363304] [] ? __schedule+0x448/0x9c0 +[ 194.363343] [] SyS_reboot+0xe/0x10 +[ 194.363387] [] system_call_fastpath+0x25/0x2a +[ 194.363430] Code: f9 e9 37 ff ff ff 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 4c 8d af 98 00 00 00 41 54 4c 89 ef 41 89 f4 53 e8 4c e4 55 f9 <80> b8 dc 08 00 00 01 48 89 c3 4c 8d b8 c0 08 00 00 4c 8b b0 c0 +[ 194.363712] RIP [] __qede_remove+0x24/0x130 [qede] +[ 194.363764] RSP +[ 194.363791] CR2: 00000000000008dc + +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Signed-off-by: Sudarsana Kalluru +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede_main.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -2619,8 +2619,16 @@ enum qede_remove_mode { + static void __qede_remove(struct pci_dev *pdev, enum qede_remove_mode mode) + { + struct net_device *ndev = pci_get_drvdata(pdev); +- struct qede_dev *edev = netdev_priv(ndev); +- struct qed_dev *cdev = edev->cdev; ++ struct qede_dev *edev; ++ struct qed_dev *cdev; ++ ++ if (!ndev) { ++ dev_info(&pdev->dev, "Device has already been removed\n"); ++ return; ++ } ++ ++ edev = netdev_priv(ndev); ++ cdev = edev->cdev; + + DP_INFO(edev, "Starting qede_remove\n"); + diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..c86c73babc2 --- /dev/null +++ b/queue-4.9/series 
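Review bot: The guard `if (!ndev)` treats a NULL pci drvdata as "already removed", which is only sound if every completed __qede_remove() clears the drvdata before returning — that part of the function is outside the hunk, so it is worth confirming that `pci_set_drvdata(pdev, NULL)` is reached on all remove paths in the 4.9 tree rather than depending on the PCI core to do it. The oops in the message (a small offset off a NULL base inside __qede_remove) is consistent with ndev already being NULL on the VF's second pass, so something does clear it today. A brief comment above the check, `/* the VF's own .shutdown() and the PF's pci_disable_sriov() can both land here */`, would record why re-entry is expected rather than a bug; dev_info() is a reasonable level for a once-per-device event. __qede_remove() continues past the end of the hunk.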
@@ -0,0 +1,9 @@
+bonding-fix-state-transition-issue-in-link-monitoring.patch
+cdc-ncm-handle-incomplete-transfer-of-mtu.patch
+ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch
+net-fix-data-race-in-neigh_event_send.patch
+net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch
+nfc-fdp-fix-incorrect-free-object.patch
+nfc-netlink-fix-double-device-reference-drop.patch
+nfc-st21nfca-fix-double-free.patch
+qede-fix-null-pointer-deref-in-__qede_remove.patch
-- 2.47.3