From: Sasha Levin Date: Sun, 11 Feb 2024 03:04:53 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v6.1.78~62 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4967be4b3375479c93dc086f585026a77d78490d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/atm-idt77252-fix-a-memleak-in-open_card_ubr0.patch b/queue-4.19/atm-idt77252-fix-a-memleak-in-open_card_ubr0.patch new file mode 100644 index 00000000000..4ac4b5305c1 --- /dev/null +++ b/queue-4.19/atm-idt77252-fix-a-memleak-in-open_card_ubr0.patch @@ -0,0 +1,46 @@ +From 2028406f1edd5d503f3755a0107216afa6779297 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 20:41:05 +0800 +Subject: atm: idt77252: fix a memleak in open_card_ubr0 + +From: Zhipeng Lu + +[ Upstream commit f3616173bf9be9bf39d131b120d6eea4e6324cb5 ] + +When alloc_scq fails, card->vcs[0] (i.e. vc) should be freed. Otherwise, +in the following call chain: + +idt77252_init_one + |-> idt77252_dev_open + |-> open_card_ubr0 + |-> alloc_scq [failed] + |-> deinit_card + |-> vfree(card->vcs); + +card->vcs is freed and card->vcs[0] is leaked. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Zhipeng Lu +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/idt77252.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c +index 3380322df98e..36629633ae52 100644 +--- a/drivers/atm/idt77252.c ++++ b/drivers/atm/idt77252.c +@@ -2936,6 +2936,8 @@ open_card_ubr0(struct idt77252_dev *card) + vc->scq = alloc_scq(card, vc->class); + if (!vc->scq) { + printk("%s: can't get SCQ.\n", card->name); ++ kfree(card->vcs[0]); ++ card->vcs[0] = NULL; + return -ENOMEM; + } + +-- +2.43.0 + diff --git a/queue-4.19/hwmon-aspeed-pwm-tacho-mutex-for-tach-reading.patch b/queue-4.19/hwmon-aspeed-pwm-tacho-mutex-for-tach-reading.patch new file mode 100644 index 00000000000..f76b605ab43 --- /dev/null +++ b/queue-4.19/hwmon-aspeed-pwm-tacho-mutex-for-tach-reading.patch @@ -0,0 +1,65 @@ +From aa6b4787d76a4305db76dc7421b88a866bd269e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 11:30:55 +0100 +Subject: hwmon: (aspeed-pwm-tacho) mutex for tach reading + +From: Loic Prylli + +[ Upstream commit 1168491e7f53581ba7b6014a39a49cfbbb722feb ] + +the ASPEED_PTCR_RESULT Register can only hold the result for a +single fan input. Adding a mutex to protect the register until the +reading is done. + +Signed-off-by: Loic Prylli +Signed-off-by: Alexander Hansen +Fixes: 2d7a548a3eff ("drivers: hwmon: Support for ASPEED PWM/Fan tach") +Link: https://lore.kernel.org/r/121d888762a1232ef403cf35230ccf7b3887083a.1699007401.git.alexander.hansen@9elements.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/aspeed-pwm-tacho.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/hwmon/aspeed-pwm-tacho.c b/drivers/hwmon/aspeed-pwm-tacho.c +index a43fa730a513..4097ae62e9a4 100644 +--- a/drivers/hwmon/aspeed-pwm-tacho.c ++++ b/drivers/hwmon/aspeed-pwm-tacho.c +@@ -197,6 +197,8 @@ struct aspeed_pwm_tacho_data { + u8 fan_tach_ch_source[16]; + struct aspeed_cooling_device *cdev[8]; + const struct attribute_group *groups[3]; ++ /* protects access to shared ASPEED_PTCR_RESULT */ ++ struct mutex tach_lock; + }; + + enum type { TYPEM, TYPEN, TYPEO }; +@@ -531,6 +533,8 @@ static int aspeed_get_fan_tach_ch_rpm(struct aspeed_pwm_tacho_data *priv, + u8 fan_tach_ch_source, type, mode, both; + int ret; + ++ mutex_lock(&priv->tach_lock); ++ + regmap_write(priv->regmap, ASPEED_PTCR_TRIGGER, 0); + regmap_write(priv->regmap, ASPEED_PTCR_TRIGGER, 0x1 << fan_tach_ch); + +@@ -548,6 +552,8 @@ static int aspeed_get_fan_tach_ch_rpm(struct aspeed_pwm_tacho_data *priv, + ASPEED_RPM_STATUS_SLEEP_USEC, + usec); + ++ mutex_unlock(&priv->tach_lock); ++ + /* return -ETIMEDOUT if we didn't get an answer. */ + if (ret) + return ret; +@@ -938,6 +944,7 @@ static int aspeed_pwm_tacho_probe(struct platform_device *pdev) + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; ++ mutex_init(&priv->tach_lock); + priv->regmap = devm_regmap_init(dev, NULL, (__force void *)regs, + &aspeed_pwm_tacho_regmap_config); + if (IS_ERR(priv->regmap)) +-- +2.43.0 + diff --git a/queue-4.19/hwmon-coretemp-fix-bogus-core_id-to-attr-name-mappin.patch b/queue-4.19/hwmon-coretemp-fix-bogus-core_id-to-attr-name-mappin.patch new file mode 100644 index 00000000000..2b31ec4b718 --- /dev/null +++ b/queue-4.19/hwmon-coretemp-fix-bogus-core_id-to-attr-name-mappin.patch @@ -0,0 +1,148 @@ +From 12f1c1ef7fe802b2c66b9df81633507c42d88b8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 17:21:35 +0800 +Subject: hwmon: (coretemp) Fix bogus core_id to attr name mapping + +From: Zhang Rui + +[ Upstream commit fdaf0c8629d4524a168cb9e4ad4231875749b28c ] + +Before commit 7108b80a542b ("hwmon/coretemp: Handle large core ID +value"), there is a fixed mapping between +1. cpu_core_id +2. the index in pdata->core_data[] array +3. the sysfs attr name, aka "tempX_" +The later two always equal cpu_core_id + 2. + +After the commit, pdata->core_data[] index is got from ida so that it +can handle sparse core ids and support more cores within a package. + +However, the commit erroneously maps the sysfs attr name to +pdata->core_data[] index instead of cpu_core_id + 2. + +As a result, the code is not aligned with the comments, and brings user +visible changes in hwmon sysfs on systems with sparse core id. + +For example, before commit 7108b80a542b ("hwmon/coretemp: Handle large +core ID value"), +/sys/class/hwmon/hwmon2/temp2_label:Core 0 +/sys/class/hwmon/hwmon2/temp3_label:Core 1 +/sys/class/hwmon/hwmon2/temp4_label:Core 2 +/sys/class/hwmon/hwmon2/temp5_label:Core 3 +/sys/class/hwmon/hwmon2/temp6_label:Core 4 +/sys/class/hwmon/hwmon3/temp10_label:Core 8 +/sys/class/hwmon/hwmon3/temp11_label:Core 9 +after commit, +/sys/class/hwmon/hwmon2/temp2_label:Core 0 +/sys/class/hwmon/hwmon2/temp3_label:Core 1 +/sys/class/hwmon/hwmon2/temp4_label:Core 2 +/sys/class/hwmon/hwmon2/temp5_label:Core 3 +/sys/class/hwmon/hwmon2/temp6_label:Core 4 +/sys/class/hwmon/hwmon2/temp7_label:Core 8 +/sys/class/hwmon/hwmon2/temp8_label:Core 9 + +Restore the previous behavior and rework the code, comments and variable +names to avoid future confusions. + +Fixes: 7108b80a542b ("hwmon/coretemp: Handle large core ID value") +Signed-off-by: Zhang Rui +Link: https://lore.kernel.org/r/20240202092144.71180-3-rui.zhang@intel.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 6832569c9bac..d06e88477588 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -393,7 +393,7 @@ static int get_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev) + } + + static int create_core_attrs(struct temp_data *tdata, struct device *dev, +- int attr_no) ++ int index) + { + int i; + static ssize_t (*const rd_ptr[TOTAL_ATTRS]) (struct device *dev, +@@ -405,13 +405,20 @@ static int create_core_attrs(struct temp_data *tdata, struct device *dev, + }; + + for (i = 0; i < tdata->attr_size; i++) { ++ /* ++ * We map the attr number to core id of the CPU ++ * The attr number is always core id + 2 ++ * The Pkgtemp will always show up as temp1_*, if available ++ */ ++ int attr_no = tdata->is_pkg_data ? 1 : tdata->cpu_core_id + 2; ++ + snprintf(tdata->attr_name[i], CORETEMP_NAME_LENGTH, + "temp%d_%s", attr_no, suffixes[i]); + sysfs_attr_init(&tdata->sd_attrs[i].dev_attr.attr); + tdata->sd_attrs[i].dev_attr.attr.name = tdata->attr_name[i]; + tdata->sd_attrs[i].dev_attr.attr.mode = S_IRUGO; + tdata->sd_attrs[i].dev_attr.show = rd_ptr[i]; +- tdata->sd_attrs[i].index = attr_no; ++ tdata->sd_attrs[i].index = index; + tdata->attrs[i] = &tdata->sd_attrs[i].dev_attr.attr; + } + tdata->attr_group.attrs = tdata->attrs; +@@ -469,23 +476,22 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu, + struct platform_data *pdata = platform_get_drvdata(pdev); + struct cpuinfo_x86 *c = &cpu_data(cpu); + u32 eax, edx; +- int err, index, attr_no; ++ int err, index; + + /* +- * Find attr number for sysfs: +- * We map the attr number to core id of the CPU +- * The attr number is always core id + 2 +- * The Pkgtemp will always show up as temp1_*, if available ++ * Get the index of tdata in pdata->core_data[] ++ * tdata for package: pdata->core_data[1] ++ * tdata for core: pdata->core_data[2] .. pdata->core_data[NUM_REAL_CORES + 1] + */ + if (pkg_flag) { +- attr_no = PKG_SYSFS_ATTR_NO; ++ index = PKG_SYSFS_ATTR_NO; + } else { + index = ida_alloc_max(&pdata->ida, NUM_REAL_CORES - 1, GFP_KERNEL); + if (index < 0) + return index; + + pdata->cpu_map[index] = topology_core_id(cpu); +- attr_no = index + BASE_SYSFS_ATTR_NO; ++ index += BASE_SYSFS_ATTR_NO; + } + + tdata = init_temp_data(cpu, pkg_flag); +@@ -517,20 +523,20 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu, + } + } + +- pdata->core_data[attr_no] = tdata; ++ pdata->core_data[index] = tdata; + + /* Create sysfs interfaces */ +- err = create_core_attrs(tdata, pdata->hwmon_dev, attr_no); ++ err = create_core_attrs(tdata, pdata->hwmon_dev, index); + if (err) + goto exit_free; + + return 0; + exit_free: +- pdata->core_data[attr_no] = NULL; ++ pdata->core_data[index] = NULL; + kfree(tdata); + ida_free: + if (!pkg_flag) +- ida_free(&pdata->ida, index); ++ ida_free(&pdata->ida, index - BASE_SYSFS_ATTR_NO); + return err; + } + +-- +2.43.0 + diff --git a/queue-4.19/hwmon-coretemp-fix-out-of-bounds-memory-access.patch b/queue-4.19/hwmon-coretemp-fix-out-of-bounds-memory-access.patch new file mode 100644 index 00000000000..d8549e36de9 --- /dev/null +++ b/queue-4.19/hwmon-coretemp-fix-out-of-bounds-memory-access.patch @@ -0,0 +1,52 @@ +From 276510eb5a24572f573b8008bf7807bc9c7ca910 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 17:21:34 +0800 +Subject: hwmon: (coretemp) Fix out-of-bounds memory access + +From: Zhang Rui + +[ Upstream commit 4e440abc894585a34c2904a32cd54af1742311b3 ] + +Fix a bug that pdata->cpu_map[] is set before out-of-bounds check. +The problem might be triggered on systems with more than 128 cores per +package. + +Fixes: 7108b80a542b ("hwmon/coretemp: Handle large core ID value") +Signed-off-by: Zhang Rui +Cc: +Link: https://lore.kernel.org/r/20240202092144.71180-2-rui.zhang@intel.com +Signed-off-by: Guenter Roeck +Stable-dep-of: fdaf0c8629d4 ("hwmon: (coretemp) Fix bogus core_id to attr name mapping") +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 33371f7a4c0f..6832569c9bac 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -480,18 +480,14 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu, + if (pkg_flag) { + attr_no = PKG_SYSFS_ATTR_NO; + } else { +- index = ida_alloc(&pdata->ida, GFP_KERNEL); ++ index = ida_alloc_max(&pdata->ida, NUM_REAL_CORES - 1, GFP_KERNEL); + if (index < 0) + return index; ++ + pdata->cpu_map[index] = topology_core_id(cpu); + attr_no = index + BASE_SYSFS_ATTR_NO; + } + +- if (attr_no > MAX_CORE_DATA - 1) { +- err = -ERANGE; +- goto ida_free; +- } +- + tdata = init_temp_data(cpu, pkg_flag); + if (!tdata) { + err = -ENOMEM; +-- +2.43.0 + diff --git a/queue-4.19/inet-read-sk-sk_family-once-in-inet_recv_error.patch b/queue-4.19/inet-read-sk-sk_family-once-in-inet_recv_error.patch new file mode 100644 index 00000000000..bcbed45d04d --- /dev/null +++ b/queue-4.19/inet-read-sk-sk_family-once-in-inet_recv_error.patch @@ -0,0 +1,46 @@ +From 92bcb33c6d024eae229082a089c81f2e380c3c66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 09:54:04 +0000 +Subject: inet: read sk->sk_family once in inet_recv_error() + +From: Eric Dumazet + +[ Upstream commit eef00a82c568944f113f2de738156ac591bbd5cd ] + +inet_recv_error() is called without holding the socket lock. + +IPv6 socket could mutate to IPv4 with IPV6_ADDRFORM +socket option and trigger a KCSAN warning. + +Fixes: f4713a3dfad0 ("net-timestamp: make tcp_recvmsg call ipv6_recv_error for AF_INET6 socks") +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/af_inet.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 7c902a1efbbf..01952a520d6f 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -1552,10 +1552,12 @@ EXPORT_SYMBOL(inet_current_timestamp); + + int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + { +- if (sk->sk_family == AF_INET) ++ unsigned int family = READ_ONCE(sk->sk_family); ++ ++ if (family == AF_INET) + return ip_recv_error(sk, msg, len, addr_len); + #if IS_ENABLED(CONFIG_IPV6) +- if (sk->sk_family == AF_INET6) ++ if (family == AF_INET6) + return pingv6_ops.ipv6_recv_error(sk, msg, len, addr_len); + #endif + return -EINVAL; +-- +2.43.0 + diff --git a/queue-4.19/netfilter-nft_compat-reject-unused-compat-flag.patch b/queue-4.19/netfilter-nft_compat-reject-unused-compat-flag.patch new file mode 100644 index 00000000000..ccfa3f63a04 --- /dev/null +++ b/queue-4.19/netfilter-nft_compat-reject-unused-compat-flag.patch @@ -0,0 +1,53 @@ +From 052ff6b1420caacd77f5ff62913ff24b9a974974 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 23:33:29 +0100 +Subject: netfilter: nft_compat: reject unused compat flag + +From: Pablo Neira Ayuso + +[ Upstream commit 292781c3c5485ce33bd22b2ef1b2bed709b4d672 ] + +Flag (1 << 0) is ignored is set, never used, reject it it with EINVAL +instead. + +Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/nf_tables.h | 2 ++ + net/netfilter/nft_compat.c | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h +index cc00be102b9f..39774870c864 100644 +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -238,9 +238,11 @@ enum nft_rule_attributes { + /** + * enum nft_rule_compat_flags - nf_tables rule compat flags + * ++ * @NFT_RULE_COMPAT_F_UNUSED: unused + * @NFT_RULE_COMPAT_F_INV: invert the check result + */ + enum nft_rule_compat_flags { ++ NFT_RULE_COMPAT_F_UNUSED = (1 << 0), + NFT_RULE_COMPAT_F_INV = (1 << 1), + NFT_RULE_COMPAT_F_MASK = NFT_RULE_COMPAT_F_INV, + }; +diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c +index 2846d64659f2..95af1dbc28c1 100644 +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -207,7 +207,8 @@ static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv) + return -EINVAL; + + flags = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_FLAGS])); +- if (flags & ~NFT_RULE_COMPAT_F_MASK) ++ if (flags & NFT_RULE_COMPAT_F_UNUSED || ++ flags & ~NFT_RULE_COMPAT_F_MASK) + return -EINVAL; + if (flags & NFT_RULE_COMPAT_F_INV) + *inv = true; +-- +2.43.0 + diff --git a/queue-4.19/netfilter-nft_compat-restrict-match-target-protocol-.patch b/queue-4.19/netfilter-nft_compat-restrict-match-target-protocol-.patch new file mode 100644 index 00000000000..ac516c42f3f --- /dev/null +++ b/queue-4.19/netfilter-nft_compat-restrict-match-target-protocol-.patch @@ -0,0 +1,51 @@ +From c77e8b24921ae686176fb29ea8bd163134d41260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 00:05:23 +0100 +Subject: netfilter: nft_compat: restrict match/target protocol to u16 + +From: Pablo Neira Ayuso + +[ Upstream commit d694b754894c93fb4d71a7f3699439dec111decc ] + +xt_check_{match,target} expects u16, but NFTA_RULE_COMPAT_PROTO is u32. + +NLA_POLICY_MAX(NLA_BE32, 65535) cannot be used because .max in +nla_policy is s16, see 3e48be05f3c7 ("netlink: add attribute range +validation to policy"). + +Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_compat.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c +index 95af1dbc28c1..763ba07a58ab 100644 +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -195,6 +195,7 @@ static const struct nla_policy nft_rule_compat_policy[NFTA_RULE_COMPAT_MAX + 1] + static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv) + { + struct nlattr *tb[NFTA_RULE_COMPAT_MAX+1]; ++ u32 l4proto; + u32 flags; + int err; + +@@ -213,7 +214,12 @@ static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv) + if (flags & NFT_RULE_COMPAT_F_INV) + *inv = true; + +- *proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO])); ++ l4proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO])); ++ if (l4proto > U16_MAX) ++ return -EINVAL; ++ ++ *proto = l4proto; ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-4.19/ppp_async-limit-mru-to-64k.patch b/queue-4.19/ppp_async-limit-mru-to-64k.patch new file mode 100644 index 00000000000..af78499b4a0 --- /dev/null +++ b/queue-4.19/ppp_async-limit-mru-to-64k.patch @@ -0,0 +1,91 @@ +From 77eaf364d6cd753430898d8ac29ab7987d3e113f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Feb 2024 17:10:04 +0000 +Subject: ppp_async: limit MRU to 64K + +From: Eric Dumazet + +[ Upstream commit cb88cb53badb8aeb3955ad6ce80b07b598e310b8 ] + +syzbot triggered a warning [1] in __alloc_pages(): + +WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp) + +Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K") + +Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU) + +[1]: + + WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 +Modules linked in: +CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 +Workqueue: events_unbound flush_to_ldisc +pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 + lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537 +sp : ffff800093967580 +x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000 +x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0 +x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8 +x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120 +x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005 +x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000 +x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001 +x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f +x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020 +x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0 +Call trace: + __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 + __alloc_pages_node include/linux/gfp.h:238 [inline] + alloc_pages_node include/linux/gfp.h:261 [inline] + __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926 + __do_kmalloc_node mm/slub.c:3969 [inline] + __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001 + kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590 + __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651 + __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715 + netdev_alloc_skb include/linux/skbuff.h:3235 [inline] + dev_alloc_skb include/linux/skbuff.h:3248 [inline] + ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline] + ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341 + tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390 + tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37 + receive_buf drivers/tty/tty_buffer.c:444 [inline] + flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494 + process_one_work+0x694/0x1204 kernel/workqueue.c:2633 + process_scheduled_works kernel/workqueue.c:2706 [inline] + worker_thread+0x938/0xef4 kernel/workqueue.c:2787 + kthread+0x288/0x310 kernel/kthread.c:388 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+c5da1f087c9e4ec6c933@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20240205171004.1059724-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_async.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c +index bf03db40d4f0..fb1e28a29892 100644 +--- a/drivers/net/ppp/ppp_async.c ++++ b/drivers/net/ppp/ppp_async.c +@@ -474,6 +474,10 @@ ppp_async_ioctl(struct ppp_channel *chan, unsigned int cmd, unsigned long arg) + case PPPIOCSMRU: + if (get_user(val, p)) + break; ++ if (val > U16_MAX) { ++ err = -EINVAL; ++ break; ++ } + if (val < PPP_MRU) + val = PPP_MRU; + ap->mru = val; +-- +2.43.0 + diff --git a/queue-4.19/rxrpc-fix-response-to-ping-response-acks-to-a-dead-c.patch b/queue-4.19/rxrpc-fix-response-to-ping-response-acks-to-a-dead-c.patch new file mode 100644 index 00000000000..42c83966b5d --- /dev/null +++ b/queue-4.19/rxrpc-fix-response-to-ping-response-acks-to-a-dead-c.patch @@ -0,0 +1,50 @@ +From 1cd14b3ea09243357a3a7c690597416c44ce95c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 15:19:15 +0000 +Subject: rxrpc: Fix response to PING RESPONSE ACKs to a dead call + +From: David Howells + +[ Upstream commit 6f769f22822aa4124b556339781b04d810f0e038 ] + +Stop rxrpc from sending a DUP ACK in response to a PING RESPONSE ACK on a +dead call. We may have initiated the ping but the call may have beaten the +response to completion. + +Fixes: 18bfeba50dfd ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor") +Signed-off-by: David Howells +cc: Marc Dionne +cc: "David S. Miller" +cc: Eric Dumazet +cc: Jakub Kicinski +cc: Paolo Abeni +cc: linux-afs@lists.infradead.org +cc: netdev@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/conn_event.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c +index 04213afd7710..84a70d7d0285 100644 +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -45,6 +45,14 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn, + + _enter("%d", conn->debug_id); + ++ if (sp && sp->hdr.type == RXRPC_PACKET_TYPE_ACK) { ++ if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), ++ &pkt.ack, sizeof(pkt.ack)) < 0) ++ return; ++ if (pkt.ack.reason == RXRPC_ACK_PING_RESPONSE) ++ return; ++ } ++ + chan = &conn->channels[channel]; + + /* If the last call got moved on whilst we were waiting to run, just +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 896c1539a15..135d646150e 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -145,3 +145,13 @@ hid-apple-add-2021-magic-keyboard-fn-key-mapping.patch bonding-remove-print-in-bond_verify_device_path.patch dmaengine-fix-is_slave_direction-return-false-when-d.patch phy-ti-phy-omap-usb2-fix-null-pointer-dereference-fo.patch +atm-idt77252-fix-a-memleak-in-open_card_ubr0.patch +hwmon-aspeed-pwm-tacho-mutex-for-tach-reading.patch +hwmon-coretemp-fix-out-of-bounds-memory-access.patch +hwmon-coretemp-fix-bogus-core_id-to-attr-name-mappin.patch +inet-read-sk-sk_family-once-in-inet_recv_error.patch +rxrpc-fix-response-to-ping-response-acks-to-a-dead-c.patch +tipc-check-the-bearer-type-before-calling-tipc_udp_n.patch +ppp_async-limit-mru-to-64k.patch +netfilter-nft_compat-reject-unused-compat-flag.patch +netfilter-nft_compat-restrict-match-target-protocol-.patch diff --git a/queue-4.19/tipc-check-the-bearer-type-before-calling-tipc_udp_n.patch b/queue-4.19/tipc-check-the-bearer-type-before-calling-tipc_udp_n.patch new file mode 100644 index 00000000000..20755c09232 --- /dev/null +++ b/queue-4.19/tipc-check-the-bearer-type-before-calling-tipc_udp_n.patch @@ -0,0 +1,80 @@ +From 8b4d0d379d64185bfc9d8481bf38a5becedfa226 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 00:23:09 +0900 +Subject: tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() + +From: Shigeru Yoshida + +[ Upstream commit 3871aa01e1a779d866fa9dfdd5a836f342f4eb87 ] + +syzbot reported the following general protection fault [1]: + +general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087] +... +RIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291 +... +Call Trace: + + tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646 + tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089 + genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972 + genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline] + genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067 + netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 + netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] + netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367 + netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0xd5/0x180 net/socket.c:745 + ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584 + ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638 + __sys_sendmsg+0x117/0x1e0 net/socket.c:2667 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +The cause of this issue is that when tipc_nl_bearer_add() is called with +the TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called +even if the bearer is not UDP. + +tipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that +the media_ptr field of the tipc_bearer has an udp_bearer type object, so +the function goes crazy for non-UDP bearers. + +This patch fixes the issue by checking the bearer type before calling +tipc_udp_nl_bearer_add() in tipc_nl_bearer_add(). + +Fixes: ef20cd4dd163 ("tipc: introduce UDP replicast") +Reported-and-tested-by: syzbot+5142b87a9abc510e14fa@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5142b87a9abc510e14fa [1] +Signed-off-by: Shigeru Yoshida +Reviewed-by: Tung Nguyen +Link: https://lore.kernel.org/r/20240131152310.4089541-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index 4353968bc5a5..c7686ff00f5b 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -958,6 +958,12 @@ int tipc_nl_bearer_add(struct sk_buff *skb, struct genl_info *info) + + #ifdef CONFIG_TIPC_MEDIA_UDP + if (attrs[TIPC_NLA_BEARER_UDP_OPTS]) { ++ if (b->media->type_id != TIPC_MEDIA_TYPE_UDP) { ++ rtnl_unlock(); ++ NL_SET_ERR_MSG(info->extack, "UDP option is unsupported"); ++ return -EINVAL; ++ } ++ + err = tipc_udp_nl_bearer_add(b, + attrs[TIPC_NLA_BEARER_UDP_OPTS]); + if (err) { +-- +2.43.0 +