5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 19 Feb 2024 19:00:42 +0000 (20:00 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 19 Feb 2024 19:00:42 +0000 (20:00 +0100)
added patches:
can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch
irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch
nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch
nfp-use-correct-macro-for-lengthselect-in-bar-config.patch
pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch

queue-5.4/can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch [new file with mode: 0644]
queue-5.4/irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch [new file with mode: 0644]
queue-5.4/nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch [new file with mode: 0644]
queue-5.4/nfp-use-correct-macro-for-lengthselect-in-bar-config.patch [new file with mode: 0644]
queue-5.4/pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch b/queue-5.4/can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch
new file mode 100644 (file)
index 0000000..7023993
--- /dev/null
@@ -0,0 +1,194 @@
+From efe7cf828039aedb297c1f9920b638fffee6aabc Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Fri, 20 Oct 2023 15:38:14 +0200
+Subject: can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit efe7cf828039aedb297c1f9920b638fffee6aabc upstream.
+
+Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)
+modifies jsk->filters while receiving packets.
+
+Following trace was seen on affected system:
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+ Read of size 4 at addr ffff888012144014 by task j1939/350
+
+ CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ Call Trace:
+  print_report+0xd3/0x620
+  ? kasan_complete_mode_report_info+0x7d/0x200
+  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+  kasan_report+0xc2/0x100
+  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+  __asan_load4+0x84/0xb0
+  j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+  j1939_sk_recv+0x20b/0x320 [can_j1939]
+  ? __kasan_check_write+0x18/0x20
+  ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]
+  ? j1939_simple_recv+0x69/0x280 [can_j1939]
+  ? j1939_ac_recv+0x5e/0x310 [can_j1939]
+  j1939_can_recv+0x43f/0x580 [can_j1939]
+  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
+  ? raw_rcv+0x42/0x3c0 [can_raw]
+  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
+  can_rcv_filter+0x11f/0x350 [can]
+  can_receive+0x12f/0x190 [can]
+  ? __pfx_can_rcv+0x10/0x10 [can]
+  can_rcv+0xdd/0x130 [can]
+  ? __pfx_can_rcv+0x10/0x10 [can]
+  __netif_receive_skb_one_core+0x13d/0x150
+  ? __pfx___netif_receive_skb_one_core+0x10/0x10
+  ? __kasan_check_write+0x18/0x20
+  ? _raw_spin_lock_irq+0x8c/0xe0
+  __netif_receive_skb+0x23/0xb0
+  process_backlog+0x107/0x260
+  __napi_poll+0x69/0x310
+  net_rx_action+0x2a1/0x580
+  ? __pfx_net_rx_action+0x10/0x10
+  ? __pfx__raw_spin_lock+0x10/0x10
+  ? handle_irq_event+0x7d/0xa0
+  __do_softirq+0xf3/0x3f8
+  do_softirq+0x53/0x80
+  </IRQ>
+  <TASK>
+  __local_bh_enable_ip+0x6e/0x70
+  netif_rx+0x16b/0x180
+  can_send+0x32b/0x520 [can]
+  ? __pfx_can_send+0x10/0x10 [can]
+  ? __check_object_size+0x299/0x410
+  raw_sendmsg+0x572/0x6d0 [can_raw]
+  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
+  ? apparmor_socket_sendmsg+0x2f/0x40
+  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
+  sock_sendmsg+0xef/0x100
+  sock_write_iter+0x162/0x220
+  ? __pfx_sock_write_iter+0x10/0x10
+  ? __rtnl_unlock+0x47/0x80
+  ? security_file_permission+0x54/0x320
+  vfs_write+0x6ba/0x750
+  ? __pfx_vfs_write+0x10/0x10
+  ? __fget_light+0x1ca/0x1f0
+  ? __rcu_read_unlock+0x5b/0x280
+  ksys_write+0x143/0x170
+  ? __pfx_ksys_write+0x10/0x10
+  ? __kasan_check_read+0x15/0x20
+  ? fpregs_assert_state_consistent+0x62/0x70
+  __x64_sys_write+0x47/0x60
+  do_syscall_64+0x60/0x90
+  ? do_syscall_64+0x6d/0x90
+  ? irqentry_exit+0x3f/0x50
+  ? exc_page_fault+0x79/0xf0
+  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+ Allocated by task 348:
+  kasan_save_stack+0x2a/0x50
+  kasan_set_track+0x29/0x40
+  kasan_save_alloc_info+0x1f/0x30
+  __kasan_kmalloc+0xb5/0xc0
+  __kmalloc_node_track_caller+0x67/0x160
+  j1939_sk_setsockopt+0x284/0x450 [can_j1939]
+  __sys_setsockopt+0x15c/0x2f0
+  __x64_sys_setsockopt+0x6b/0x80
+  do_syscall_64+0x60/0x90
+  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+ Freed by task 349:
+  kasan_save_stack+0x2a/0x50
+  kasan_set_track+0x29/0x40
+  kasan_save_free_info+0x2f/0x50
+  __kasan_slab_free+0x12e/0x1c0
+  __kmem_cache_free+0x1b9/0x380
+  kfree+0x7a/0x120
+  j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]
+  __sys_setsockopt+0x15c/0x2f0
+  __x64_sys_setsockopt+0x6b/0x80
+  do_syscall_64+0x60/0x90
+  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
+Reported-by: Sili Luo <rootlab@huawei.com>
+Suggested-by: Sili Luo <rootlab@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/all/20231020133814.383996-1-o.rempel@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/j1939-priv.h |    1 +
+ net/can/j1939/socket.c     |   22 ++++++++++++++++++----
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+--- a/net/can/j1939/j1939-priv.h
++++ b/net/can/j1939/j1939-priv.h
+@@ -297,6 +297,7 @@ struct j1939_sock {
+       int ifindex;
+       struct j1939_addr addr;
++      spinlock_t filters_lock;
+       struct j1939_filter *filters;
+       int nfilters;
+       pgn_t pgn_rx_filter;
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -262,12 +262,17 @@ static bool j1939_sk_match_dst(struct j1
+ static bool j1939_sk_match_filter(struct j1939_sock *jsk,
+                                 const struct j1939_sk_buff_cb *skcb)
+ {
+-      const struct j1939_filter *f = jsk->filters;
+-      int nfilter = jsk->nfilters;
++      const struct j1939_filter *f;
++      int nfilter;
++
++      spin_lock_bh(&jsk->filters_lock);
++
++      f = jsk->filters;
++      nfilter = jsk->nfilters;
+       if (!nfilter)
+               /* receive all when no filters are assigned */
+-              return true;
++              goto filter_match_found;
+       for (; nfilter; ++f, --nfilter) {
+               if ((skcb->addr.pgn & f->pgn_mask) != f->pgn)
+@@ -276,9 +281,15 @@ static bool j1939_sk_match_filter(struct
+                       continue;
+               if ((skcb->addr.src_name & f->name_mask) != f->name)
+                       continue;
+-              return true;
++              goto filter_match_found;
+       }
++
++      spin_unlock_bh(&jsk->filters_lock);
+       return false;
++
++filter_match_found:
++      spin_unlock_bh(&jsk->filters_lock);
++      return true;
+ }
+ static bool j1939_sk_recv_match_one(struct j1939_sock *jsk,
+@@ -401,6 +412,7 @@ static int j1939_sk_init(struct sock *sk
+       atomic_set(&jsk->skb_pending, 0);
+       spin_lock_init(&jsk->sk_session_queue_lock);
+       INIT_LIST_HEAD(&jsk->sk_session_queue);
++      spin_lock_init(&jsk->filters_lock);
+       /* j1939_sk_sock_destruct() depends on SOCK_RCU_FREE flag */
+       sock_set_flag(sk, SOCK_RCU_FREE);
+@@ -703,9 +715,11 @@ static int j1939_sk_setsockopt(struct so
+               }
+               lock_sock(&jsk->sk);
++              spin_lock_bh(&jsk->filters_lock);
+               ofilters = jsk->filters;
+               jsk->filters = filters;
+               jsk->nfilters = count;
++              spin_unlock_bh(&jsk->filters_lock);
+               release_sock(&jsk->sk);
+               kfree(ofilters);
+               return 0;
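Review bot: The new `spinlock_t filters_lock;` member added to `struct j1939_sock` in the j1939-priv.h hunk has no comment saying what it guards, which is the usual convention for lock members and is what a later reader needs to keep `filters`/`nfilters` accesses inside the lock; suggest `spinlock_t filters_lock; /* protects filters and nfilters */`. The locking as shown is consistent: `j1939_sk_match_filter` now reads both `filters` and `nfilters` only under the lock, and `j1939_sk_setsockopt` swaps pointer and count under the same lock before `release_sock` and `kfree(ofilters)`, so no reader can still be dereferencing the old array when it is freed. The hunk header `@@ -262,12 +262,17 @@` counts two more old-side lines than this copy shows, so blank context lines appear to have been dropped in this rendering. The enclosing functions `j1939_sk_init` and `j1939_sk_setsockopt` start and end outside their hunks.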
diff --git a/queue-5.4/irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch b/queue-5.4/irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch
new file mode 100644 (file)
index 0000000..ab00322
--- /dev/null
@@ -0,0 +1,63 @@
+From b0344d6854d25a8b3b901c778b1728885dd99007 Mon Sep 17 00:00:00 2001
+From: Doug Berger <opendmb@gmail.com>
+Date: Fri, 9 Feb 2024 17:24:49 -0800
+Subject: irqchip/irq-brcmstb-l2: Add write memory barrier before exit
+
+From: Doug Berger <opendmb@gmail.com>
+
+commit b0344d6854d25a8b3b901c778b1728885dd99007 upstream.
+
+It was observed on Broadcom devices that use GIC v3 architecture L1
+interrupt controllers as the parent of brcmstb-l2 interrupt controllers
+that the deactivation of the parent interrupt could happen before the
+brcmstb-l2 deasserted its output. This would lead the GIC to reactivate the
+interrupt only to find that no L2 interrupt was pending. The result was a
+spurious interrupt invoking handle_bad_irq() with its associated
+messaging. While this did not create a functional problem it is a waste of
+cycles.
+
+The hazard exists because the memory mapped bus writes to the brcmstb-l2
+registers are buffered and the GIC v3 architecture uses a very efficient
+system register write to deactivate the interrupt.
+
+Add a write memory barrier prior to invoking chained_irq_exit() to
+introduce a dsb(st) on those systems to ensure the system register write
+cannot be executed until the memory mapped writes are visible to the
+system.
+
+[ florian: Added Fixes tag ]
+
+Fixes: 7f646e92766e ("irqchip: brcmstb-l2: Add Broadcom Set Top Box  Level-2 interrupt controller")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240210012449.3009125-1-florian.fainelli@broadcom.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-brcmstb-l2.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-brcmstb-l2.c
++++ b/drivers/irqchip/irq-brcmstb-l2.c
+@@ -2,7 +2,7 @@
+ /*
+  * Generic Broadcom Set Top Box Level 2 Interrupt controller driver
+  *
+- * Copyright (C) 2014-2017 Broadcom
++ * Copyright (C) 2014-2024 Broadcom
+  */
+ #define pr_fmt(fmt)   KBUILD_MODNAME  ": " fmt
+@@ -113,6 +113,9 @@ static void brcmstb_l2_intc_irq_handle(s
+               generic_handle_irq(irq_linear_revmap(b->domain, irq));
+       } while (status);
+ out:
++      /* Don't ack parent before all device writes are done */
++      wmb();
++
+       chained_irq_exit(chip, desc);
+ }
diff --git a/queue-5.4/nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch b/queue-5.4/nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch
new file mode 100644 (file)
index 0000000..ae87df5
--- /dev/null
@@ -0,0 +1,50 @@
+From 1a1c13303ff6d64e6f718dc8aa614e580ca8d9b4 Mon Sep 17 00:00:00 2001
+From: Daniel de Villiers <daniel.devilliers@corigine.com>
+Date: Fri, 2 Feb 2024 13:37:18 +0200
+Subject: nfp: flower: prevent re-adding mac index for bonded port
+
+From: Daniel de Villiers <daniel.devilliers@corigine.com>
+
+commit 1a1c13303ff6d64e6f718dc8aa614e580ca8d9b4 upstream.
+
+When physical ports are reset (either through link failure or manually
+toggled down and up again) that are slaved to a Linux bond with a tunnel
+endpoint IP address on the bond device, not all tunnel packets arriving
+on the bond port are decapped as expected.
+
+The bond dev assigns the same MAC address to itself and each of its
+slaves. When toggling a slave device, the same MAC address is therefore
+offloaded to the NFP multiple times with different indexes.
+
+The issue only occurs when re-adding the shared mac. The
+nfp_tunnel_add_shared_mac() function has a conditional check early on
+that checks if a mac entry already exists and if that mac entry is
+global: (entry && nfp_tunnel_is_mac_idx_global(entry->index)). In the
+case of a bonded device (For example br-ex), the mac index is obtained,
+and no new index is assigned.
+
+We therefore modify the conditional in nfp_tunnel_add_shared_mac() to
+check if the port belongs to the LAG along with the existing checks to
+prevent a new global mac index from being re-assigned to the slave port.
+
+Fixes: 20cce8865098 ("nfp: flower: enable MAC address sharing for offloadable devs")
+CC: stable@vger.kernel.org # 5.1+
+Signed-off-by: Daniel de Villiers <daniel.devilliers@corigine.com>
+Signed-off-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
+@@ -593,7 +593,7 @@ nfp_tunnel_add_shared_mac(struct nfp_app
+       u16 nfp_mac_idx = 0;
+       entry = nfp_tunnel_lookup_offloaded_macs(app, netdev->dev_addr);
+-      if (entry && nfp_tunnel_is_mac_idx_global(entry->index)) {
++      if (entry && (nfp_tunnel_is_mac_idx_global(entry->index) || netif_is_lag_port(netdev))) {
+               if (entry->bridge_count ||
+                   !nfp_flower_is_supported_bridge(netdev)) {
+                       nfp_tunnel_offloaded_macs_inc_ref_and_link(entry,
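Review bot: The rewritten condition in `nfp_tunnel_add_shared_mac` runs well past the 80-column limit and folds a non-obvious rule (a LAG slave must reuse the existing entry even when that entry's index is not global) into one line with no explanation in the code. Suggest wrapping it and recording the reason the commit message gives: `/* A bond and its slaves share one MAC; a slave must reuse the existing entry rather than get a new index. */` followed by `if (entry && (nfp_tunnel_is_mac_idx_global(entry->index) ||` and `netif_is_lag_port(netdev))) {` aligned under the opening parenthesis. The rest of `nfp_tunnel_add_shared_mac` lies outside the hunk, so how the branch below treats a reused non-global entry for a LAG port cannot be checked from here.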
diff --git a/queue-5.4/nfp-use-correct-macro-for-lengthselect-in-bar-config.patch b/queue-5.4/nfp-use-correct-macro-for-lengthselect-in-bar-config.patch
new file mode 100644 (file)
index 0000000..9089978
--- /dev/null
@@ -0,0 +1,46 @@
+From b3d4f7f2288901ed2392695919b3c0e24c1b4084 Mon Sep 17 00:00:00 2001
+From: Daniel Basilio <daniel.basilio@corigine.com>
+Date: Fri, 2 Feb 2024 13:37:17 +0200
+Subject: nfp: use correct macro for LengthSelect in BAR config
+
+From: Daniel Basilio <daniel.basilio@corigine.com>
+
+commit b3d4f7f2288901ed2392695919b3c0e24c1b4084 upstream.
+
+The 1st and 2nd expansion BAR configuration registers are configured,
+when the driver starts up, in variables 'barcfg_msix_general' and
+'barcfg_msix_xpb', respectively. The 'LengthSelect' field is ORed in
+from bit 0, which is incorrect. The 'LengthSelect' field should
+start from bit 27.
+
+This has largely gone un-noticed because
+NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT happens to be 0.
+
+Fixes: 4cb584e0ee7d ("nfp: add CPP access core")
+Cc: stable@vger.kernel.org # 4.11+
+Signed-off-by: Daniel Basilio <daniel.basilio@corigine.com>
+Signed-off-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
+@@ -542,11 +542,13 @@ static int enable_bars(struct nfp6000_pc
+       const u32 barcfg_msix_general =
+               NFP_PCIE_BAR_PCIE2CPP_MapType(
+                       NFP_PCIE_BAR_PCIE2CPP_MapType_GENERAL) |
+-              NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT;
++              NFP_PCIE_BAR_PCIE2CPP_LengthSelect(
++                      NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT);
+       const u32 barcfg_msix_xpb =
+               NFP_PCIE_BAR_PCIE2CPP_MapType(
+                       NFP_PCIE_BAR_PCIE2CPP_MapType_BULK) |
+-              NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT |
++              NFP_PCIE_BAR_PCIE2CPP_LengthSelect(
++                      NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT) |
+               NFP_PCIE_BAR_PCIE2CPP_Target_BaseAddress(
+                       NFP_CPP_TARGET_ISLAND_XPB);
+       const u32 barcfg_explicit[4] = {
diff --git a/queue-5.4/pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch b/queue-5.4/pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch
new file mode 100644 (file)
index 0000000..014c742
--- /dev/null
@@ -0,0 +1,34 @@
+From 741ba0134fa7822fcf4e4a0a537a5c4cfd706b20 Mon Sep 17 00:00:00 2001
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+Date: Wed, 27 Dec 2023 16:21:24 +0100
+Subject: pmdomain: core: Move the unused cleanup to a _sync initcall
+
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+
+commit 741ba0134fa7822fcf4e4a0a537a5c4cfd706b20 upstream.
+
+The unused clock cleanup uses the _sync initcall to give all users at
+earlier initcalls time to probe. Do the same to avoid leaving some PDs
+dangling at "on" (which actually happened on qcom!).
+
+Fixes: 2fe71dcdfd10 ("PM / domains: Add late_initcall to disable unused PM domains")
+Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231227-topic-pmdomain_sync_cleanup-v1-1-5f36769d538b@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/power/domain.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -920,7 +920,7 @@ static int __init genpd_power_off_unused
+       return 0;
+ }
+-late_initcall(genpd_power_off_unused);
++late_initcall_sync(genpd_power_off_unused);
+ #if defined(CONFIG_PM_SLEEP) || defined(CONFIG_PM_GENERIC_DOMAINS_OF)
index bf483c1b7277a2e59aac9b922e2e2785dfc8b7c9..a46878514f7d1c1828fe56d0c943f538e5f00b61 100644 (file)
@@ -239,3 +239,8 @@ mmc-slot-gpio-allow-non-sleeping-gpio-ro.patch
 alsa-hda-conexant-add-quirk-for-sws-js201d.patch
 nilfs2-fix-data-corruption-in-dsync-block-recovery-for-small-block-sizes.patch
 nilfs2-fix-hang-in-nilfs_lookup_dirty_data_buffers.patch
+nfp-use-correct-macro-for-lengthselect-in-bar-config.patch
+nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch
+irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch
+can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch
+pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch