From 0cad00d8d8d33955876640b4f33637b3938f73dd Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 13 Nov 2022 17:41:34 -0500
Subject: [PATCH] Fixes for 4.19
Signed-off-by: Sasha Levin
---
 ...ntially-incorrect-return-value-for-n.patch | 45 ++++++++
 ...-undefined-behavior-in-bit-shift-for.patch | 53 +++++++++
 ..._v2-fix-a-resource-leak-in-mv_xor_v2.patch | 38 +++++++
 ...e-disable-napi-when-register-irq-fai.patch | 42 +++++++
 ...ing-platform_unregister_drivers-call.patch | 65 +++++++++++
 ...sable-napi-when-start-nic-failed-in-.patch | 86 ++++++++++++++
 ...ue-of-dev-reference-count-leakage-in.patch | 49 ++++++++
 ...ossible-memory-leak-in-mousevsc_prob.patch | 37 ++++++
 ...ix-infoleak-when-sending-struct-ifad.patch | 77 +++++++++++++
 ...isable-napi-when-bind-qsets-failed-i.patch | 37 ++++++
 ...nregister-ethernet-device-on-removal.patch | 53 +++++++++
 ...c-on-frag_list-with-mixed-head-alloc.patch | 105 ++++++++++++++++++
 ...x-issue-of-dev-reference-count-leaka.patch | 49 ++++++++
 ...memory-leaks-of-macvlan_common_newli.patch | 68 ++++++++++++
 ...disable-napi-when-init-rxq-or-txq-fa.patch | 38 +++++++
 ...e-napi-when-enable-interrupts-failed.patch | 38 +++++++
 ...n-fix-memory-leaks-of-napi_get_frags.patch | 73 ++++++++++++
 ...phy-stm32-fix-an-error-code-in-probe.patch | 38 +++++++
 ...iscv-process-fix-kernel-info-leakage.patch | 43 +++++++
 queue-4.19/series | 21 ++++
 ...-req-tlv-len-check-in-tipc_nl_compat.patch | 59 ++++++++++
 ...-fix-memory-leak-in-query_regdb_file.patch | 55 +++++++++
 22 files changed, 1169 insertions(+)
 create mode 100644 queue-4.19/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch
 create mode 100644 queue-4.19/capabilities-fix-undefined-behavior-in-bit-shift-for.patch
 create mode 100644 queue-4.19/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch
 create mode 100644 queue-4.19/drivers-net-xgene-disable-napi-when-register-irq-fai.patch
 create mode 100644 queue-4.19/drm-vc4-fix-missing-platform_unregister_drivers-call.patch
 create mode 100644 queue-4.19/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch
 create mode 100644 queue-4.19/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch
 create mode 100644 queue-4.19/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch
 create mode 100644 queue-4.19/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch
 create mode 100644 queue-4.19/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch
 create mode 100644 queue-4.19/net-fman-unregister-ethernet-device-on-removal.patch
 create mode 100644 queue-4.19/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch
 create mode 100644 queue-4.19/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch
 create mode 100644 queue-4.19/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch
 create mode 100644 queue-4.19/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch
 create mode 100644 queue-4.19/net-nixge-disable-napi-when-enable-interrupts-failed.patch
 create mode 100644 queue-4.19/net-tun-fix-memory-leaks-of-napi_get_frags.patch
 create mode 100644 queue-4.19/phy-stm32-fix-an-error-code-in-probe.patch
 create mode 100644 queue-4.19/riscv-process-fix-kernel-info-leakage.patch
 create mode 100644 queue-4.19/series
 create mode 100644 queue-4.19/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch
 create mode 100644 queue-4.19/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch
diff --git a/queue-4.19/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch b/queue-4.19/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch
new file mode 100644
index 00000000000..01a6d0a986c
--- /dev/null
+++ b/queue-4.19/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch
@@ -0,0 +1,45 @@
+From 5959ba362dec49a96c766f3aa8e42fe75ada4169 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Nov 2022 19:33:27 -0400
+Subject: bnxt_en: fix potentially incorrect return value for ndo_rx_flow_steer
+
+From: Alex Barba
+
+[ Upstream commit 02597d39145bb0aa81d04bf39b6a913ce9a9d465 ]
+
+In the bnxt_en driver ndo_rx_flow_steer returns '0' whenever an entry
+that we are attempting to steer is already found. This is not the
+correct behavior. The return code should be the value/index that
+corresponds to the entry. Returning zero all the time causes the
+RFS records to be incorrect unless entry '0' is the correct one. As
+flows migrate to different cores this can create entries that are not
+correct.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Reported-by: Akshay Navgire
+Signed-off-by: Alex Barba
+Signed-off-by: Andy Gospodarek
+Signed-off-by: Michael Chan
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 5e30299bcf64..b49f8a97d753 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -8327,8 +8327,8 @@ static int bnxt_rx_flow_steer(struct net_device *dev, const struct sk_buff *skb,
+ rcu_read_lock();
+ hlist_for_each_entry_rcu(fltr, head, hash) {
+ if (bnxt_fltr_match(fltr, new_fltr)) {
++ rc = fltr->sw_id;
+ rcu_read_unlock();
+- rc = 0;
+ goto err_free;
+ }
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/capabilities-fix-undefined-behavior-in-bit-shift-for.patch b/queue-4.19/capabilities-fix-undefined-behavior-in-bit-shift-for.patch
new file mode 100644
index 00000000000..569e771d9d9
--- /dev/null
+++ b/queue-4.19/capabilities-fix-undefined-behavior-in-bit-shift-for.patch
@@ -0,0 +1,53 @@
+From 64bcea5d38c36e8a28779032daf83653c6c4d0c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Oct 2022 19:25:36 +0800
+Subject: capabilities: fix undefined behavior in bit shift for CAP_TO_MASK
+
+From: Gaosheng Cui
+
+[ Upstream commit 46653972e3ea64f79e7f8ae3aa41a4d3fdb70a13 ]
+
+Shifting signed 32-bit value by 31 bits is undefined, so changing
+significant bit to unsigned. The UBSAN warning calltrace like below:
+
+UBSAN: shift-out-of-bounds in security/commoncap.c:1252:2
+left shift of 1 by 31 places cannot be represented in type 'int'
+Call Trace:
+
+ dump_stack_lvl+0x7d/0xa5
+ dump_stack+0x15/0x1b
+ ubsan_epilogue+0xe/0x4e
+ __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
+ cap_task_prctl+0x561/0x6f0
+ security_task_prctl+0x5a/0xb0
+ __x64_sys_prctl+0x61/0x8f0
+ do_syscall_64+0x58/0x80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+
+Fixes: e338d263a76a ("Add 64-bit capability support to the kernel")
+Signed-off-by: Gaosheng Cui
+Acked-by: Andrew G. Morgan
+Reviewed-by: Serge Hallyn
+Signed-off-by: Paul Moore
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/capability.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
+index 240fdb9a60f6..6e0d68e841cd 100644
+--- a/include/uapi/linux/capability.h
++++ b/include/uapi/linux/capability.h
+@@ -376,7 +376,7 @@ struct vfs_ns_cap_data {
+ */
+
+ #define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */
+-#define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */
++#define CAP_TO_MASK(x) (1U << ((x) & 31)) /* mask for indexed __u32 */
+
+
+ #endif /* _UAPI_LINUX_CAPABILITY_H */
+--
+2.35.1
+
diff --git a/queue-4.19/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch b/queue-4.19/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch
new file mode 100644
index 00000000000..2aad0f4c5ec
--- /dev/null
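Review bot: The changed `CAP_TO_MASK(x)` now evaluates to `unsigned int` in a uapi header, so any consumer that widens the mask to 64 bits, or stores `~CAP_TO_MASK(x)` in a signed type, gets 0x80000000 for bit 31 instead of the sign-extended value the old `int` expression produced; none of those users are in the hunk, so in-tree and userspace callers should be grepped before this is queued. The shift itself is correct and is consistent with the `CAP_TO_INDEX()` line above it, which already documents `__u32` semantics.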
+++ b/queue-4.19/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch
@@ -0,0 +1,38 @@
+From 147ed5321fa89ee4160a83f542abe822fb5ee596 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Oct 2022 21:50:09 +0200
+Subject: dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove()
+
+From: Christophe JAILLET
+
+[ Upstream commit 081195d17a0c4c636da2b869bd5809d42e8cbb13 ]
+
+A clk_prepare_enable() call in the probe is not balanced by a corresponding
+clk_disable_unprepare() in the remove function.
+
+Add the missing call.
+
+Fixes: 3cd2c313f1d6 ("dmaengine: mv_xor_v2: Fix clock resource by adding a register clock")
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/e9e3837a680c9bd2438e4db2b83270c6c052d005.1666640987.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/mv_xor_v2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma/mv_xor_v2.c b/drivers/dma/mv_xor_v2.c
+index 462adf7e4e95..62864b3e120f 100644
+--- a/drivers/dma/mv_xor_v2.c
++++ b/drivers/dma/mv_xor_v2.c
+@@ -906,6 +906,7 @@ static int mv_xor_v2_remove(struct platform_device *pdev)
+ tasklet_kill(&xor_dev->irq_tasklet);
+
+ clk_disable_unprepare(xor_dev->clk);
++ clk_disable_unprepare(xor_dev->reg_clk);
+
+ return 0;
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/drivers-net-xgene-disable-napi-when-register-irq-fai.patch b/queue-4.19/drivers-net-xgene-disable-napi-when-register-irq-fai.patch
new file mode 100644
index 00000000000..dc469c6b3d4
--- /dev/null
+++ b/queue-4.19/drivers-net-xgene-disable-napi-when-register-irq-fai.patch
@@ -0,0 +1,42 @@
+From f2a0f181d0dcf8a067a5b88ef12428974a3b94c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Nov 2022 12:30:32 +0800
+Subject: drivers: net: xgene: disable napi when register irq failed in
+ xgene_enet_open()
+
+From: Zhengchao Shao
+
+[ Upstream commit ce9e57feeed81d17d5e80ed86f516ff0d39c3867 ]
+
+When failed to register irq in xgene_enet_open() for opening device,
+napi isn't disabled. When open xgene device next time, it will reports
+a invalid opcode issue. Fix it. Only be compiled, not be tested.
+
+Fixes: aeb20b6b3f4e ("drivers: net: xgene: fix: ifconfig up/down crash")
+Signed-off-by: Zhengchao Shao
+Link: https://lore.kernel.org/r/20221107043032.357673-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/apm/xgene/xgene_enet_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
+index 86811de191ed..f27391abd7da 100644
+--- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
+@@ -1015,8 +1015,10 @@ static int xgene_enet_open(struct net_device *ndev)
+
+ xgene_enet_napi_enable(pdata);
+ ret = xgene_enet_register_irq(ndev);
+- if (ret)
++ if (ret) {
++ xgene_enet_napi_disable(pdata);
+ return ret;
++ }
+
+ if (ndev->phydev) {
+ phy_start(ndev->phydev);
+--
+2.35.1
+
diff --git a/queue-4.19/drm-vc4-fix-missing-platform_unregister_drivers-call.patch b/queue-4.19/drm-vc4-fix-missing-platform_unregister_drivers-call.patch
new file mode 100644
index 00000000000..2e9de02767f
--- /dev/null
+++ b/queue-4.19/drm-vc4-fix-missing-platform_unregister_drivers-call.patch
@@ -0,0 +1,65 @@
+From fab801212347470fc8d38a6733a1075477fa794b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Nov 2022 01:47:05 +0000
+Subject: drm/vc4: Fix missing platform_unregister_drivers() call in
+ vc4_drm_register()
+
+From: Yuan Can
+
+[ Upstream commit cf53db768a8790fdaae2fa3a81322b080285f7e5 ]
+
+A problem about modprobe vc4 failed is triggered with the following log
+given:
+
+ [ 420.327987] Error: Driver 'vc4_hvs' is already registered, aborting...
+ [ 420.333904] failed to register platform driver vc4_hvs_driver [vc4]: -16
+ modprobe: ERROR: could not insert 'vc4': Device or resource busy
+
+The reason is that vc4_drm_register() returns platform_driver_register()
+directly without checking its return value, if platform_driver_register()
+fails, it returns without unregistering all the vc4 drivers, resulting the
+vc4 can never be installed later.
+A simple call graph is shown as below:
+
+ vc4_drm_register()
+ platform_register_drivers() # all vc4 drivers are registered
+ platform_driver_register()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without unregister drivers
+
+Fixing this problem by checking the return value of
+platform_driver_register() and do platform_unregister_drivers() if
+error happened.
+
+Fixes: c8b75bca92cb ("drm/vc4: Add KMS support for Raspberry Pi.")
+Signed-off-by: Yuan Can
+Signed-off-by: Maxime Ripard
+Link: https://patchwork.freedesktop.org/patch/msgid/20221103014705.109322-1-yuancan@huawei.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vc4/vc4_drv.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_drv.c b/drivers/gpu/drm/vc4/vc4_drv.c
+index 868dd1ef3b69..f210560a4831 100644
+--- a/drivers/gpu/drm/vc4/vc4_drv.c
++++ b/drivers/gpu/drm/vc4/vc4_drv.c
+@@ -394,7 +394,12 @@ static int __init vc4_drm_register(void)
+ if (ret)
+ return ret;
+
+- return platform_driver_register(&vc4_platform_driver);
++ ret = platform_driver_register(&vc4_platform_driver);
++ if (ret)
++ platform_unregister_drivers(component_drivers,
++ ARRAY_SIZE(component_drivers));
++
++ return ret;
+ }
+
+ static void __exit vc4_drm_unregister(void)
+--
+2.35.1
+
diff --git a/queue-4.19/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch b/queue-4.19/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch
new file mode 100644
index 00000000000..9ad722269fa
--- /dev/null
+++ b/queue-4.19/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch
@@ -0,0 +1,86 @@
+From 0752ee2396652f246af1e359ed1ea55c8e56c3bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Nov 2022 10:37:41 +0800
+Subject: ethernet: s2io: disable napi when start nic failed in s2io_card_up()
+
+From: Zhengchao Shao
+
+[ Upstream commit 0348c1ab980c1d43fb37b758d4b760990c066cb5 ]
+
+When failed to start nic or add interrupt service routine in
+s2io_card_up() for opening device, napi isn't disabled. When open
+s2io device next time, it will trigger a BUG_ON()in napi_enable().
+Compile tested only.
+
+Fixes: 5f490c968056 ("S2io: Fixed synchronization between scheduling of napi with card reset and close")
+Signed-off-by: Zhengchao Shao
+Link: https://lore.kernel.org/r/20221109023741.131552-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/neterion/s2io.c | 29 +++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c
+index 85a54215616c..0a8483c615d4 100644
+--- a/drivers/net/ethernet/neterion/s2io.c
++++ b/drivers/net/ethernet/neterion/s2io.c
+@@ -7126,9 +7126,8 @@ static int s2io_card_up(struct s2io_nic *sp)
+ if (ret) {
+ DBG_PRINT(ERR_DBG, "%s: Out of memory in Open\n",
+ dev->name);
+- s2io_reset(sp);
+- free_rx_buffers(sp);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto err_fill_buff;
+ }
+ DBG_PRINT(INFO_DBG, "Buf in ring:%d is %d:\n", i,
+ ring->rx_bufs_left);
+@@ -7166,18 +7165,16 @@ static int s2io_card_up(struct s2io_nic *sp)
+ /* Enable Rx Traffic and interrupts on the NIC */
+ if (start_nic(sp)) {
+ DBG_PRINT(ERR_DBG, "%s: Starting NIC failed\n", dev->name);
+- s2io_reset(sp);
+- free_rx_buffers(sp);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_out;
+ }
+
+ /* Add interrupt service routine */
+ if (s2io_add_isr(sp) != 0) {
+ if (sp->config.intr_type == MSI_X)
+ s2io_rem_isr(sp);
+- s2io_reset(sp);
+- free_rx_buffers(sp);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_out;
+ }
+
+ timer_setup(&sp->alarm_timer, s2io_alarm_handle, 0);
+@@ -7197,6 +7194,20 @@ static int s2io_card_up(struct s2io_nic *sp)
+ }
+
+ return 0;
++
++err_out:
++ if (config->napi) {
++ if (config->intr_type == MSI_X) {
++ for (i = 0; i < sp->config.rx_ring_num; i++)
++ napi_disable(&sp->mac_control.rings[i].napi);
++ } else {
++ napi_disable(&sp->napi);
++ }
++ }
++err_fill_buff:
++ s2io_reset(sp);
++ free_rx_buffers(sp);
++ return ret;
+ }
+
+ /**
+--
+2.35.1
+
diff --git a/queue-4.19/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch b/queue-4.19/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch
new file mode 100644
index 00000000000..377055b389b
--- /dev/null
+++ b/queue-4.19/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch
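Review bot: The new `err_out:` block mixes two spellings of the same configuration, `config->napi` and `config->intr_type` on one line and `sp->config.rx_ring_num` on the next, while the existing add-ISR failure path a few lines up tests `sp->config.intr_type == MSI_X`; the unwind reads more clearly with one form, e.g. `for (i = 0; i < config->rx_ring_num; i++)`, assuming `config` is the local alias for `&sp->config` (its declaration is outside the hunk). The label also reuses `i` from the fill-buffer loop, which is only fine if nothing between that loop and the label depends on its final value. s2io_card_up() starts and ends outside the hunk.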
@@ -0,0 +1,49 @@
+From 320d1aa951c9cdd5de6fc1f4872035e12f8e52ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Nov 2022 17:09:05 +0800
+Subject: hamradio: fix issue of dev reference count leakage in
+ bpq_device_event()
+
+From: Zhengchao Shao
+
+[ Upstream commit 85cbaf032d3cd9f595152625eda5d4ecb1d6d78d ]
+
+When following tests are performed, it will cause dev reference counting
+leakage.
+a)ip link add bond2 type bond mode balance-rr
+b)ip link set bond2 up
+c)ifenslave -f bond2 rose1
+d)ip link del bond2
+
+When new bond device is created, the default type of the bond device is
+ether. And the bond device is up, bpq_device_event() receives the message
+and creates a new bpq device. In this case, the reference count value of
+dev is hold once. But after "ifenslave -f bond2 rose1" command is
+executed, the type of the bond device is changed to rose. When the bond
+device is unregistered, bpq_device_event() will not put the dev reference
+count.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zhengchao Shao
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/hamradio/bpqether.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/hamradio/bpqether.c b/drivers/net/hamradio/bpqether.c
+index 777fa59f5e0c..1eeddfea389c 100644
+--- a/drivers/net/hamradio/bpqether.c
++++ b/drivers/net/hamradio/bpqether.c
+@@ -537,7 +537,7 @@ static int bpq_device_event(struct notifier_block *this,
+ if (!net_eq(dev_net(dev), &init_net))
+ return NOTIFY_DONE;
+
+- if (!dev_is_ethdev(dev))
++ if (!dev_is_ethdev(dev) && !bpq_get_ax25_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+--
+2.35.1
+
diff --git a/queue-4.19/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch b/queue-4.19/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch
new file mode 100644
index 00000000000..cfbc2242e3d
--- /dev/null
+++ b/queue-4.19/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch
@@ -0,0 +1,37 @@
+From 74a759854d471160779c092bbf8131e9c624fa01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Oct 2022 21:40:43 +0800
+Subject: HID: hyperv: fix possible memory leak in mousevsc_probe()
+
+From: Yang Yingliang
+
+[ Upstream commit b5bcb94b0954a026bbd671741fdb00e7141f9c91 ]
+
+If hid_add_device() returns error, it should call hid_destroy_device()
+to free hid_dev which is allocated in hid_allocate_device().
+
+Fixes: 74c4fb058083 ("HID: hv_mouse: Properly add the hid device")
+Signed-off-by: Yang Yingliang
+Reviewed-by: Wei Liu
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-hyperv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-hyperv.c b/drivers/hid/hid-hyperv.c
+index 4d1496f60071..8f2bf70218bf 100644
+--- a/drivers/hid/hid-hyperv.c
++++ b/drivers/hid/hid-hyperv.c
+@@ -500,7 +500,7 @@ static int mousevsc_probe(struct hv_device *device,
+
+ ret = hid_add_device(hid_dev);
+ if (ret)
+- goto probe_err1;
++ goto probe_err2;
+
+
+ ret = hid_parse(hid_dev);
+--
+2.35.1
+
diff --git a/queue-4.19/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch b/queue-4.19/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch
new file mode 100644
index 00000000000..e619419143d
--- /dev/null
+++ b/queue-4.19/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch
@@ -0,0 +1,77 @@
+From e21a97f015f1dfe39f8adac8bba4b02c4420b7f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Nov 2022 11:32:16 +0100
+Subject: ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to
+ network
+
+From: Alexander Potapenko
+
+[ Upstream commit c23fb2c82267638f9d206cb96bb93e1f93ad7828 ]
+
+When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved
+remained uninitialized, resulting in a 1-byte infoleak:
+
+ BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841
+ __netdev_start_xmit ./include/linux/netdevice.h:4841
+ netdev_start_xmit ./include/linux/netdevice.h:4857
+ xmit_one net/core/dev.c:3590
+ dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606
+ __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256
+ dev_queue_xmit ./include/linux/netdevice.h:3009
+ __netlink_deliver_tap_skb net/netlink/af_netlink.c:307
+ __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325
+ netlink_deliver_tap net/netlink/af_netlink.c:338
+ __netlink_sendskb net/netlink/af_netlink.c:1263
+ netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272
+ netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360
+ nlmsg_unicast ./include/net/netlink.h:1061
+ rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758
+ ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628
+ rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
+ ...
+ Uninit was created at:
+ slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742
+ slab_alloc_node mm/slub.c:3398
+ __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437
+ __do_kmalloc_node mm/slab_common.c:954
+ __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975
+ kmalloc_reserve net/core/skbuff.c:437
+ __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509
+ alloc_skb ./include/linux/skbuff.h:1267
+ nlmsg_new ./include/net/netlink.h:964
+ ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608
+ rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
+ netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540
+ rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109
+ netlink_unicast_kernel net/netlink/af_netlink.c:1319
+ netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345
+ netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921
+ ...
+
+This patch ensures that the reserved field is always initialized.
+
+Reported-by: syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com
+Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.")
+Signed-off-by: Alexander Potapenko
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/addrlabel.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c
+index c7dc8b2de6c2..7fdd433b968e 100644
+--- a/net/ipv6/addrlabel.c
++++ b/net/ipv6/addrlabel.c
+@@ -437,6 +437,7 @@ static void ip6addrlbl_putmsg(struct nlmsghdr *nlh,
+ {
+ struct ifaddrlblmsg *ifal = nlmsg_data(nlh);
+ ifal->ifal_family = AF_INET6;
++ ifal->__ifal_reserved = 0;
+ ifal->ifal_prefixlen = prefixlen;
+ ifal->ifal_flags = 0;
+ ifal->ifal_index = ifindex;
+--
+2.35.1
+
diff --git a/queue-4.19/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch b/queue-4.19/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch
new file mode 100644
index 00000000000..6865b6cc3ad
--- /dev/null
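Review bot: Zeroing `__ifal_reserved` closes the reported 1-byte leak, but ip6addrlbl_putmsg() still fills the header one field at a time, so a field added to `struct ifaddrlblmsg` later, or any padding the layout might gain, would reopen the same kernel-to-network infoleak; a `memset(ifal, 0, sizeof(*ifal));` directly after the `nlmsg_data()` line, with the explicit assignments kept, is the more robust shape and also makes the later `ifal->ifal_flags = 0;` redundant. ip6addrlbl_putmsg() continues past the end of the hunk.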
+++ b/queue-4.19/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch
@@ -0,0 +1,37 @@
+From 8935eb658f1044e2d583baa7ca6c19018465c3e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Nov 2022 10:14:51 +0800
+Subject: net: cxgb3_main: disable napi when bind qsets failed in cxgb_up()
+
+From: Zhengchao Shao
+
+[ Upstream commit d75aed1428da787cbe42bc073d76f1354f364d92 ]
+
+When failed to bind qsets in cxgb_up() for opening device, napi isn't
+disabled. When open cxgb3 device next time, it will trigger a BUG_ON()
+in napi_enable(). Compile tested only.
+
+Fixes: 48c4b6dbb7e2 ("cxgb3 - fix port up/down error path")
+Signed-off-by: Zhengchao Shao
+Link: https://lore.kernel.org/r/20221109021451.121490-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+index c82469ab7aba..2c72e716b973 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -1304,6 +1304,7 @@ static int cxgb_up(struct adapter *adap)
+ if (ret < 0) {
+ CH_ERR(adap, "failed to bind qsets, err %d\n", ret);
+ t3_intr_disable(adap);
++ quiesce_rx(adap);
+ free_irq_resources(adap);
+ err = ret;
+ goto out;
+--
+2.35.1
+
diff --git a/queue-4.19/net-fman-unregister-ethernet-device-on-removal.patch b/queue-4.19/net-fman-unregister-ethernet-device-on-removal.patch
new file mode 100644
index 00000000000..df79a3e2f22
--- /dev/null
+++ b/queue-4.19/net-fman-unregister-ethernet-device-on-removal.patch
@@ -0,0 +1,53 @@
+From d2f9e2d1c55111b904fd14a90c16e909e4a3e535 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Nov 2022 14:28:30 -0400
+Subject: net: fman: Unregister ethernet device on removal
+
+From: Sean Anderson
+
+[ Upstream commit b7cbc6740bd6ad5d43345a2504f7e4beff0d709f ]
+
+When the mac device gets removed, it leaves behind the ethernet device.
+This will result in a segfault next time the ethernet device accesses
+mac_dev. Remove the ethernet device when we get removed to prevent
+this. This is not completely reversible, since some resources aren't
+cleaned up properly, but that can be addressed later.
+
+Fixes: 3933961682a3 ("fsl/fman: Add FMan MAC driver")
+Signed-off-by: Sean Anderson
+Link: https://lore.kernel.org/r/20221103182831.2248833-1-sean.anderson@seco.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/fman/mac.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c
+index 713abcd9371f..390849faf4cd 100644
+--- a/drivers/net/ethernet/freescale/fman/mac.c
++++ b/drivers/net/ethernet/freescale/fman/mac.c
+@@ -891,12 +891,21 @@ static int mac_probe(struct platform_device *_of_dev)
+ return err;
+ }
+
++static int mac_remove(struct platform_device *pdev)
++{
++ struct mac_device *mac_dev = platform_get_drvdata(pdev);
++
++ platform_device_unregister(mac_dev->priv->eth_dev);
++ return 0;
++}
++
+ static struct platform_driver mac_driver = {
+ .driver = {
+ .name = KBUILD_MODNAME,
+ .of_match_table = mac_match,
+ },
+ .probe = mac_probe,
++ .remove = mac_remove,
+ };
+
+ builtin_platform_driver(mac_driver);
+--
+2.35.1
+
diff --git a/queue-4.19/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch b/queue-4.19/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch
new file mode 100644
index 00000000000..82c0f55a3e2
--- /dev/null
+++ b/queue-4.19/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch 
@@ -0,0 +1,105 @@
+From 0adf2714eccb18bb8fdaef55570ac49381121d5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Nov 2022 17:53:25 +0100
+Subject: net: gso: fix panic on frag_list with mixed head alloc types
+
+From: Jiri Benc
+
+[ Upstream commit 9e4b7a99a03aefd37ba7bb1f022c8efab5019165 ]
+
+Since commit 3dcbdb134f32 ("net: gso: Fix skb_segment splat when
+splitting gso_size mangled skb having linear-headed frag_list"), it is
+allowed to change gso_size of a GRO packet. However, that commit assumes
+that "checking the first list_skb member suffices; i.e if either of the
+list_skb members have non head_frag head, then the first one has too".
+
+It turns out this assumption does not hold. We've seen BUG_ON being hit
+in skb_segment when skbs on the frag_list had differing head_frag with
+the vmxnet3 driver. This happens because __netdev_alloc_skb and
+__napi_alloc_skb can return a skb that is page backed or kmalloced
+depending on the requested size. As the result, the last small skb in
+the GRO packet can be kmalloced.
+
+There are three different locations where this can be fixed:
+
+(1) We could check head_frag in GRO and not allow GROing skbs with
+ different head_frag. However, that would lead to performance
+ regression on normal forward paths with unmodified gso_size, where
+ !head_frag in the last packet is not a problem.
+
+(2) Set a flag in bpf_skb_net_grow and bpf_skb_net_shrink indicating
+ that NETIF_F_SG is undesirable. That would need to eat a bit in
+ sk_buff. Furthermore, that flag can be unset when all skbs on the
+ frag_list are page backed. To retain good performance,
+ bpf_skb_net_grow/shrink would have to walk the frag_list.
+
+(3) Walk the frag_list in skb_segment when determining whether
+ NETIF_F_SG should be cleared. This of course slows things down.
+
+This patch implements (3). To limit the performance impact in
+skb_segment, the list is walked only for skbs with SKB_GSO_DODGY set
+that have gso_size changed. Normal paths thus will not hit it.
+
+We could check only the last skb but since we need to walk the whole
+list anyway, let's stay on the safe side.
+
+Fixes: 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list")
+Signed-off-by: Jiri Benc
+Reviewed-by: Willem de Bruijn
+Link: https://lore.kernel.org/r/e04426a6a91baf4d1081e1b478c82b5de25fdf21.1667407944.git.jbenc@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/core/skbuff.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index e0be1f8651bb..4178fc28c277 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3560,23 +3560,25 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
+ int pos;
+ int dummy;
+
+- if (list_skb && !list_skb->head_frag && skb_headlen(list_skb) &&
+- (skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY)) {
+- /* gso_size is untrusted, and we have a frag_list with a linear
+- * non head_frag head.
+- *
+- * (we assume checking the first list_skb member suffices;
+- * i.e if either of the list_skb members have non head_frag
+- * head, then the first one has too).
+- *
+- * If head_skb's headlen does not fit requested gso_size, it
+- * means that the frag_list members do NOT terminate on exact
+- * gso_size boundaries. Hence we cannot perform skb_frag_t page
+- * sharing. Therefore we must fallback to copying the frag_list
+- * skbs; we do so by disabling SG.
+- */
+- if (mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb))
+- features &= ~NETIF_F_SG;
++ if ((skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY) &&
++ mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) {
++ struct sk_buff *check_skb;
++
++ for (check_skb = list_skb; check_skb; check_skb = check_skb->next) {
++ if (skb_headlen(check_skb) && !check_skb->head_frag) {
++ /* gso_size is untrusted, and we have a frag_list with
++ * a linear non head_frag item.
++ *
++ * If head_skb's headlen does not fit requested gso_size,
++ * it means that the frag_list members do NOT terminate
++ * on exact gso_size boundaries. Hence we cannot perform
++ * skb_frag_t page sharing. Therefore we must fallback to
++ * copying the frag_list skbs; we do so by disabling SG.
++ */
++ features &= ~NETIF_F_SG;
++ break;
++ }
++ }
+ }
+
+ __skb_push(head_skb, doffset);
+--
+2.35.1
+
diff --git a/queue-4.19/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch b/queue-4.19/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch
new file mode 100644
index 00000000000..5d2a5ed67f1
--- /dev/null
+++ b/queue-4.19/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch
@@ -0,0 +1,49 @@
+From 13e939cccb6ab0e7c36998b48cfd096e9fc75c4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Nov 2022 17:05:37 +0800
+Subject: net: lapbether: fix issue of dev reference count leakage in
+ lapbeth_device_event()
+
+From: Zhengchao Shao
+
+[ Upstream commit 531705a765493655472c993627106e19f7e5a6d2 ]
+
+When following tests are performed, it will cause dev reference counting
+leakage.
+a)ip link add bond2 type bond mode balance-rr
+b)ip link set bond2 up
+c)ifenslave -f bond2 rose1
+d)ip link del bond2
+
+When new bond device is created, the default type of the bond device is
+ether. And the bond device is up, lapbeth_device_event() receives the
+message and creates a new lapbeth device. In this case, the reference
+count value of dev is hold once. But after "ifenslave -f bond2 rose1"
+command is executed, the type of the bond device is changed to rose. When
+the bond device is unregistered, lapbeth_device_event() will not put the
+dev reference count.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zhengchao Shao
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wan/lapbether.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 3ec922bed2d8..6233805fc032 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -406,7 +406,7 @@ static int lapbeth_device_event(struct notifier_block *this,
+ if (dev_net(dev) != &init_net)
+ return NOTIFY_DONE;
+
+- if (!dev_is_ethdev(dev))
++ if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+--
+2.35.1
+
diff --git a/queue-4.19/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch b/queue-4.19/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch
new file mode 100644
index 00000000000..e165393d175
--- /dev/null
+++ b/queue-4.19/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch
@@ -0,0 +1,68 @@
+From 0906ee167bccc82e145e79d88a99e2119c8afba2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Nov 2022 17:07:34 +0800
+Subject: net: macvlan: fix memory leaks of macvlan_common_newlink
+
+From: Chuang Wang
+
+[ Upstream commit 23569b5652ee8e8e55a12f7835f59af6f3cefc30 ]
+
+kmemleak reports memory leaks in macvlan_common_newlink, as follows:
+
+ ip link add link eth0 name .. type macvlan mode source macaddr add
+
+kmemleak reports:
+
+unreferenced object 0xffff8880109bb140 (size 64):
+ comm "ip", pid 284, jiffies 4294986150 (age 430.108s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 b8 aa 5a 12 80 88 ff ff ..........Z.....
+ 80 1b fa 0d 80 88 ff ff 1e ff ac af c7 c1 6b 6b ..............kk
+ backtrace:
+ [] kmem_cache_alloc_trace+0x1c7/0x300
+ [] macvlan_hash_add_source+0x45/0xc0
+ [] macvlan_changelink_sources+0xd7/0x170
+ [] macvlan_common_newlink+0x38c/0x5a0
+ [] macvlan_newlink+0xe/0x20
+ [] __rtnl_newlink+0x7af/0xa50
+ [] rtnl_newlink+0x48/0x70
+ ...
+
+In the scenario where the macvlan mode is configured as 'source',
+macvlan_changelink_sources() will be execured to reconfigure list of
+remote source mac addresses, at the same time, if register_netdevice()
+return an error, the resource generated by macvlan_changelink_sources()
+is not cleaned up.
+
+Using this patch, in the case of an error, it will execute
+macvlan_flush_sources() to ensure that the resource is cleaned up.
+
+Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.")
+Signed-off-by: Chuang Wang
+Link: https://lore.kernel.org/r/20221109090735.690500-1-nashuiliang@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/macvlan.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index e226a96da3a3..6c6fa821aad5 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -1471,8 +1471,10 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev,
+ /* the macvlan port may be freed by macvlan_uninit when fail to register.
+ * so we destroy the macvlan port only when it's valid.
+ */
+- if (create && macvlan_port_get_rtnl(lowerdev))
++ if (create && macvlan_port_get_rtnl(lowerdev)) {
++ macvlan_flush_sources(port, vlan);
+ macvlan_port_destroy(port->dev);
++ }
+ return err;
+ }
+ EXPORT_SYMBOL_GPL(macvlan_common_newlink);
+--
+2.35.1
+
diff --git a/queue-4.19/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch b/queue-4.19/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch
new file mode 100644
index 00000000000..d5257346c1a
--- /dev/null
+++ b/queue-4.19/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch
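Review bot: The new `macvlan_flush_sources(port, vlan);` is only reached when `create` is true, so a newlink onto a pre-existing port that fails in register_netdevice() before ndo_uninit runs would still leave this vlan's entries in the shared port's source hash while the vlan itself is freed by the caller, leaving dangling `vlan` pointers in that hash; whether macvlan_uninit() already covers that path depends on code outside the hunk. If it does not, flush whenever the port is still valid and keep only the destroy under `create`: `if (macvlan_port_get_rtnl(lowerdev)) { macvlan_flush_sources(port, vlan); if (create) macvlan_port_destroy(port->dev); }`. A comment on why the flush precedes the destroy would also help: `/* source-hash entries point at this vlan; drop them before the port that owns the hash goes away */`.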
@@ -0,0 +1,38 @@
+From 504d80c6f8230bc5c194de3d1998653d2c3da4c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Nov 2022 10:54:32 +0800
+Subject: net: mv643xx_eth: disable napi when init rxq or txq failed in
+ mv643xx_eth_open()
+
+From: Zhengchao Shao
+
+[ Upstream commit f111606b63ff2282428ffbac0447c871eb957b6c ]
+
+When failed to init rxq or txq in mv643xx_eth_open() for opening device,
+napi isn't disabled. When open mv643xx_eth device next time, it will
+trigger a BUG_ON() in napi_enable(). Compile tested only.
+
+Fixes: 2257e05c1705 ("mv643xx_eth: get rid of receive-side locking")
+Signed-off-by: Zhengchao Shao
+Link: https://lore.kernel.org/r/20221109025432.80900-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
+index 59007d6cd36d..2bfad889fdec 100644
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2495,6 +2495,7 @@ static int mv643xx_eth_open(struct net_device *dev)
+ for (i = 0; i < mp->rxq_count; i++)
+ rxq_deinit(mp->rxq + i);
+ out:
++ napi_disable(&mp->napi);
+ free_irq(dev->irq, dev);
+
+ return err;
+--
+2.35.1
+
diff --git a/queue-4.19/net-nixge-disable-napi-when-enable-interrupts-failed.patch b/queue-4.19/net-nixge-disable-napi-when-enable-interrupts-failed.patch
new file mode 100644
index 00000000000..dcd8c952805
--- /dev/null
+++ b/queue-4.19/net-nixge-disable-napi-when-enable-interrupts-failed.patch
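Review bot: `napi_disable(&mp->napi);` under `out:` is correct only if every jump to that label happens after the open path has called napi_enable(); as I read napi_disable(), calling it on a NAPI that is still in its initial disabled state waits for NAPI_STATE_SCHED to clear and never returns, so an early failure (for example the IRQ request) that also routes through `out:` would hang the opener. The body of mv643xx_eth_open() is outside the hunk, so this needs confirming against the full function; the same question applies to the `napi_disable(&priv->napi);` added at `err_tx_irq:` in the nixge patch that follows. A one-line comment on the label makes the invariant explicit for whoever adds the next error path: `out: /* reached only after napi_enable() */`. Both commit messages say the change was compile-tested only, so an open-failure run on hardware or fault injection in rxq_init() is worth asking for before this lands.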
@@ -0,0 +1,38 @@
+From 750fe256e5a49f87c4f038cf4b0dbafaefc623d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Nov 2022 18:14:43 +0800
+Subject: net: nixge: disable napi when enable interrupts failed in
+ nixge_open()
+
+From: Zhengchao Shao
+
+[ Upstream commit b06334919c7a068d54ba5b219c05e919d89943f7 ]
+
+When failed to enable interrupts in nixge_open() for opening device,
+napi isn't disabled. When open nixge device next time, it will reports
+a invalid opcode issue. Fix it. Only be compiled, not be tested.
+
+Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev")
+Signed-off-by: Zhengchao Shao
+Link: https://lore.kernel.org/r/20221107101443.120205-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/ni/nixge.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c
+index a791d7932b0e..abbb25f1384c 100644
+--- a/drivers/net/ethernet/ni/nixge.c
++++ b/drivers/net/ethernet/ni/nixge.c
+@@ -833,6 +833,7 @@ static int nixge_open(struct net_device *ndev)
+ err_rx_irq:
+ free_irq(priv->tx_irq, ndev);
+ err_tx_irq:
++ napi_disable(&priv->napi);
+ phy_stop(phy);
+ phy_disconnect(phy);
+ tasklet_kill(&priv->dma_err_tasklet);
+--
+2.35.1
+
diff --git a/queue-4.19/net-tun-fix-memory-leaks-of-napi_get_frags.patch b/queue-4.19/net-tun-fix-memory-leaks-of-napi_get_frags.patch
new file mode 100644
index 00000000000..9b704035b27
--- /dev/null
+++ b/queue-4.19/net-tun-fix-memory-leaks-of-napi_get_frags.patch
@@ -0,0 +1,73 @@
+From a6af4e12d85435d246048257da5a584d721a5ad7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Nov 2022 17:41:19 +0800
+Subject: net: tun: Fix memory leaks of napi_get_frags
+
+From: Wang Yufen
+
+[ Upstream commit 1118b2049d77ca0b505775fc1a8d1909cf19a7ec ]
+
+kmemleak reports after running test_progs:
+
+unreferenced object 0xffff8881b1672dc0 (size 232):
+ comm "test_progs", pid 394388, jiffies 4354712116 (age 841.975s)
+ hex dump (first 32 bytes):
+ e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g.....
+ 00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
+ backtrace:
+ [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150
+ [<0000000041c7fc09>] __napi_build_skb+0x15/0x50
+ [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540
+ [<000000003ecfa30e>] napi_get_frags+0x59/0x140
+ [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun]
+ [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun]
+ [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320
+ [<000000008f338ea2>] do_iter_write+0x135/0x630
+ [<000000008a3377a4>] vfs_writev+0x12e/0x440
+ [<00000000a6b5639a>] do_writev+0x104/0x280
+ [<00000000ccf065d8>] do_syscall_64+0x3b/0x90
+ [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The issue occurs in the following scenarios:
+tun_get_user()
+ napi_gro_frags()
+ napi_frags_finish()
+ case GRO_NORMAL:
+ gro_normal_one()
+ list_add_tail(&skb->list, &napi->rx_list);
+ <-- While napi->rx_count < READ_ONCE(gro_normal_batch),
+ <-- gro_normal_list() is not called, napi->rx_list is not empty
+ <-- not ask to complete the gro work, will cause memory leaks in
+ <-- following tun_napi_del()
+...
+tun_napi_del()
+ netif_napi_del()
+ __netif_napi_del()
+ <-- &napi->rx_list is not empty, which caused memory leaks
+
+To fix, add napi_complete() after napi_gro_frags().
+
+Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
+Signed-off-by: Wang Yufen
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. 
Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/tun.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 8d1b34640f79..79cdca44ec78 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1972,6 +1972,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+
+ local_bh_disable();
+ napi_gro_frags(&tfile->napi);
++ napi_complete(&tfile->napi);
+ local_bh_enable();
+ mutex_unlock(&tfile->napi_mutex);
+ } else if (tfile->napi_enabled) {
+--
+2.35.1
+
diff --git a/queue-4.19/phy-stm32-fix-an-error-code-in-probe.patch b/queue-4.19/phy-stm32-fix-an-error-code-in-probe.patch
new file mode 100644
index 00000000000..0683e8b684e
--- /dev/null
+++ b/queue-4.19/phy-stm32-fix-an-error-code-in-probe.patch
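Review bot: `napi_complete(&tfile->napi);` assumes the caller owns the NAPI, i.e. that NAPI_STATE_SCHED is set, but nothing in this frags path schedules tfile->napi before napi_gro_frags(); napi_complete_done() warns when it completes a NAPI that was never scheduled, so this line trades the leak for a WARN on every frags-mode write, which a user with a tun fd can trigger at will. The usual pattern is to take ownership with napi_schedule_prep() first and, when another context holds the NAPI, release the frags skb with napi_free_frags() and fail the write; that bail-out needs the error bookkeeping of tun_get_user(), which starts and ends outside the hunk. The description also talks about `napi->rx_list`, which belongs to newer GRO code than 4.19, so the leak mechanism on this branch is worth re-deriving rather than assumed from the upstream text.
```c
		local_bh_disable();
		if (napi_schedule_prep(&tfile->napi)) {
			napi_gro_frags(&tfile->napi);
			napi_complete(&tfile->napi);
		} else {
			/* another context owns the NAPI: drop the frags skb
			 * and report failure; the error path itself lives
			 * outside this hunk */
			napi_free_frags(&tfile->napi);
		}
		local_bh_enable();
		/* … unchanged: mutex_unlock(&tfile->napi_mutex) … */
```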
@@ -0,0 +1,38 @@
+From d74c42dd12d58f2277f44e600140ad589b7693e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Oct 2022 12:25:06 +0300
+Subject: phy: stm32: fix an error code in probe
+
+From: Dan Carpenter
+
+[ Upstream commit ca1c73628f5bd0c1ef6e46073cc3be2450605b06 ]
+
+If "index > usbphyc->nphys" is true then this returns success but it
+should return -EINVAL.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Amelie Delaunay
+Link: https://lore.kernel.org/r/Y0kq8j6S+5nDdMpr@kili
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index 1255cd1d9a60..5056662d2927 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -393,6 +393,8 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ ret = of_property_read_u32(child, "reg", &index);
+ if (ret || index > usbphyc->nphys) {
+ dev_err(&phy->dev, "invalid reg property: %d\n", ret);
++ if (!ret)
++ ret = -EINVAL;
+ goto put_child;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.19/riscv-process-fix-kernel-info-leakage.patch b/queue-4.19/riscv-process-fix-kernel-info-leakage.patch
new file mode 100644
index 00000000000..3699cd69750
--- /dev/null
+++ b/queue-4.19/riscv-process-fix-kernel-info-leakage.patch
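Review bot: The comparison `index > usbphyc->nphys` still accepts `index == nphys`; if `index` is later used as a zero-based port number (how the stored index is consumed is outside the hunk), `>=` is the correct bound, and the new `-EINVAL` path would then also catch that off-by-one instead of letting a one-too-large value through. The error message prints `ret`, which is 0 in the out-of-range case, so the log gives no hint which value was rejected; `dev_err(&phy->dev, "invalid reg property: %d (index %u)\n", ret, index);` would make the device-tree mistake diagnosable. Since `index` comes straight from the device tree, a range check that is one too loose is a validation gap worth closing in the same change rather than only reporting.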
@@ -0,0 +1,43 @@
+From 3304f85ab2ff8373b1efc34b3b20e0bada6277f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Oct 2022 19:34:50 +0800
+Subject: riscv: process: fix kernel info leakage
+
+From: Jisheng Zhang
+
+[ Upstream commit 6510c78490c490a6636e48b61eeaa6fb65981f4b ]
+
+thread_struct's s[12] may contain random kernel memory content, which
+may be finally leaked to userspace. This is a security hole. Fix it
+by clearing the s[12] array in thread_struct when fork.
+
+As for kthread case, it's better to clear the s[12] array as well.
+
+Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
+Signed-off-by: Jisheng Zhang
+Tested-by: Guo Ren
+Link: https://lore.kernel.org/r/20221029113450.4027-1-jszhang@kernel.org
+Reviewed-by: Guo Ren
+Link: https://lore.kernel.org/r/CAJF2gTSdVyAaM12T%2B7kXAdRPGS4VyuO08X1c7paE-n4Fr8OtRA@mail.gmail.com/
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/kernel/process.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c
+index d7c6ca7c95ae..64180108072c 100644
+--- a/arch/riscv/kernel/process.c
++++ b/arch/riscv/kernel/process.c
+@@ -104,6 +104,8 @@ int copy_thread(unsigned long clone_flags, unsigned long usp,
+ {
+ struct pt_regs *childregs = task_pt_regs(p);
+
++ memset(&p->thread.s, 0, sizeof(p->thread.s));
++
+ /* p->thread holds context to be restored by __switch_to() */
+ if (unlikely(p->flags & PF_KTHREAD)) {
+ /* Kernel thread */
+--
+2.35.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..bff70e423c9
--- /dev/null
+++ b/queue-4.19/series
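Review bot: `memset(&p->thread.s, 0, sizeof(p->thread.s));` is placed before the PF_KTHREAD split, so both the kernel-thread and user-thread branches get a cleared callee-saved array, which is the right spot; it only covers the member the report named, though, and any other thread_struct field that __switch_to() restores and that neither branch assigns explicitly would carry the same stale-stack leak (those assignments are outside the hunk). A comment stating the invariant helps keep it: `/* s[] is loaded into callee-saved registers by __switch_to(); never let stale kernel stack contents reach the child (and thus userspace) */`. Worth confirming that copy_thread() is the only place a fresh thread_struct is populated on this architecture, since any second path would need the same clearing.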
@@ -0,0 +1,21 @@
+phy-stm32-fix-an-error-code-in-probe.patch
+wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch
+hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch
+net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch
+net-tun-fix-memory-leaks-of-napi_get_frags.patch
+bnxt_en-fix-potentially-incorrect-return-value-for-n.patch
+net-fman-unregister-ethernet-device-on-removal.patch
+capabilities-fix-undefined-behavior-in-bit-shift-for.patch
+net-lapbether-fix-issue-of-dev-reference-count-leaka.patch
+hamradio-fix-issue-of-dev-reference-count-leakage-in.patch
+drm-vc4-fix-missing-platform_unregister_drivers-call.patch
+ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch
+tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch
+dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch
+drivers-net-xgene-disable-napi-when-register-irq-fai.patch
+net-nixge-disable-napi-when-enable-interrupts-failed.patch
+net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch
+ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch
+net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch
+net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch
+riscv-process-fix-kernel-info-leakage.patch
diff --git a/queue-4.19/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch b/queue-4.19/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch
new file mode 100644
index 00000000000..ca4660e8d0f
--- /dev/null
+++ b/queue-4.19/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch
@@ -0,0 +1,59 @@
+From 3c5abf23278e536b646552e4413565011f54f416 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Nov 2022 16:48:53 -0400
+Subject: tipc: fix the msg->req tlv len check in
+ tipc_nl_compat_name_table_dump_header
+
+From: Xin Long
+
+[ Upstream commit 1c075b192fe41030457cd4a5f7dea730412bca40 ]
+
+This is a follow-up for commit 974cb0e3e7c9 ("tipc: fix uninit-value
+in tipc_nl_compat_name_table_dump") where it should have type casted
+sizeof(..) to int to work when TLV_GET_DATA_LEN() returns a negative
+value.
+
+syzbot reported a call trace because of it:
+
+ BUG: KMSAN: uninit-value in ...
+ tipc_nl_compat_name_table_dump+0x841/0xea0 net/tipc/netlink_compat.c:934
+ __tipc_nl_compat_dumpit+0xab2/0x1320 net/tipc/netlink_compat.c:238
+ tipc_nl_compat_dumpit+0x991/0xb50 net/tipc/netlink_compat.c:321
+ tipc_nl_compat_recv+0xb6e/0x1640 net/tipc/netlink_compat.c:1324
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]
+ genl_family_rcv_msg net/netlink/genetlink.c:775 [inline]
+ genl_rcv_msg+0x103f/0x1260 net/netlink/genetlink.c:792
+ netlink_rcv_skb+0x3a5/0x6c0 net/netlink/af_netlink.c:2501
+ genl_rcv+0x3c/0x50 net/netlink/genetlink.c:803
+ netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
+ netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345
+ netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg net/socket.c:734 [inline]
+
+Reported-by: syzbot+e5dbaaa238680ce206ea@syzkaller.appspotmail.com
+Fixes: 974cb0e3e7c9 ("tipc: fix uninit-value in tipc_nl_compat_name_table_dump")
+Signed-off-by: Xin Long
+Link: https://lore.kernel.org/r/ccd6a7ea801b15aec092c3b532a883b4c5708695.1667594933.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/tipc/netlink_compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index 5086e27d3011..59e8e17d8da9 
100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -865,7 +865,7 @@ static int tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg)
+ };
+
+ ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req);
+- if (TLV_GET_DATA_LEN(msg->req) < sizeof(struct tipc_name_table_query))
++ if (TLV_GET_DATA_LEN(msg->req) < (int)sizeof(struct tipc_name_table_query))
+ return -EINVAL;
+
+ depth = ntohl(ntq->depth);
+--
+2.35.1
+
diff --git a/queue-4.19/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch b/queue-4.19/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch
new file mode 100644
index 00000000000..c5ccaa9b5b4
--- /dev/null
+++ b/queue-4.19/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch
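Review bot: The cast in `if (TLV_GET_DATA_LEN(msg->req) < (int)sizeof(struct tipc_name_table_query))` is the whole fix, but the reason is invisible at the call site: without it the negative length a truncated TLV yields is promoted to a huge unsigned value and sails past the check, which is how the uninit read in the syzbot trace was reached. A comment keeps the next cleanup from "simplifying" the cast away: `/* TLV_GET_DATA_LEN() goes negative for a short request; compare as int so a truncated TLV is rejected instead of wrapping */`. Since msg->req is netlink input from userspace, every other `TLV_GET_DATA_LEN(...) < sizeof(...)` comparison in this file deserves the same audit; the description credits a sibling fix for the dump function, so the pattern evidently recurs.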
@@ -0,0 +1,55 @@
+From 4e7f36c28ef9a7c1e77f9e81b501c6bca1b5d327 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Oct 2022 13:40:40 +0200
+Subject: wifi: cfg80211: fix memory leak in query_regdb_file()
+
+From: Arend van Spriel
+
+[ Upstream commit 57b962e627ec0ae53d4d16d7bd1033e27e67677a ]
+
+In the function query_regdb_file() the alpha2 parameter is duplicated
+using kmemdup() and subsequently freed in regdb_fw_cb(). However,
+request_firmware_nowait() can fail without calling regdb_fw_cb() and
+thus leak memory.
+
+Fixes: 007f6c5e6eb4 ("cfg80211: support loading regulatory database as firmware file")
+Signed-off-by: Arend van Spriel
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/wireless/reg.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index dd8503a3ef1e..07d053603e3a 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1050,6 +1050,8 @@ static void regdb_fw_cb(const struct firmware *fw, void *context)
+
+ static int query_regdb_file(const char *alpha2)
+ {
++ int err;
++
+ ASSERT_RTNL();
+
+ if (regdb)
+@@ -1059,9 +1061,13 @@ static int query_regdb_file(const char *alpha2)
+ if (!alpha2)
+ return -ENOMEM;
+
+- return request_firmware_nowait(THIS_MODULE, true, "regulatory.db",
+- ®_pdev->dev, GFP_KERNEL,
+- (void *)alpha2, regdb_fw_cb);
++ err = request_firmware_nowait(THIS_MODULE, true, "regulatory.db",
++ ®_pdev->dev, GFP_KERNEL,
++ (void *)alpha2, regdb_fw_cb);
++ if (err)
++ kfree(alpha2);
++
++ return err;
+ }
+
+ int reg_reload_regdb(void)
+--
+2.35.1
+
-- 2.47.3
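Review bot: With `if (err) kfree(alpha2);` the duplicated buffer now has two possible owners, and the split is only correct if request_firmware_nowait() never invokes regdb_fw_cb() once it has returned an error; should any failure path queue the work before reporting failure, the callback would free alpha2 a second time, so that contract is worth confirming against the firmware loader this branch ships. The kmemdup() that creates the copy sits between the two hunks, so the ownership rule is easy to lose; a comment next to the call would pin it: `/* alpha2 is freed by regdb_fw_cb() once the request is queued; free it here only when queuing itself failed */`. Note also that `alpha2` is declared `const char *` in the signature and appears to be reassigned to the duplicate and then freed, which reads oddly even though kfree() accepts a const pointer; a separate local for the copy would make the ownership visible at a glance.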