--- /dev/null
+From 97148d0ae5303bcc18fcd1c9b968a9485292f32a Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Tue, 13 Oct 2020 10:42:47 +0530
+Subject: cpufreq: Improve code around unlisted freq check
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 97148d0ae5303bcc18fcd1c9b968a9485292f32a upstream.
+
+The cpufreq core checks if the frequency programmed by the bootloaders
+is not listed in the freq table and programs one from the table in such
+a case. This is done only if the driver has set the
+CPUFREQ_NEED_INITIAL_FREQ_CHECK flag.
+
+Currently we print two separate messages, with almost the same content,
+and do this with a pr_warn() which may be a bit too much as the driver
+only asked us to check this as it expected this to be the case. Lower
+down the severity of the print message by switching to pr_info() instead
+and print a single message only.
+
+Reported-by: Sumit Gupta <sumitg@nvidia.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Sumit Gupta <sumitg@nvidia.com>
+Tested-by: Sumit Gupta <sumitg@nvidia.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/cpufreq.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1450,14 +1450,13 @@ static int cpufreq_online(unsigned int c
+ */
+ if ((cpufreq_driver->flags & CPUFREQ_NEED_INITIAL_FREQ_CHECK)
+ && has_target()) {
++ unsigned int old_freq = policy->cur;
++
+ /* Are we running at unknown frequency ? */
+- ret = cpufreq_frequency_table_get_index(policy, policy->cur);
++ ret = cpufreq_frequency_table_get_index(policy, old_freq);
+ if (ret == -EINVAL) {
+- /* Warn user and fix it */
+- pr_warn("%s: CPU%d: Running at unlisted freq: %u KHz\n",
+- __func__, policy->cpu, policy->cur);
+- ret = __cpufreq_driver_target(policy, policy->cur - 1,
+- CPUFREQ_RELATION_L);
++ ret = __cpufreq_driver_target(policy, old_freq - 1,
++ CPUFREQ_RELATION_L);
+
+ /*
+ * Reaching here after boot in a few seconds may not
+@@ -1465,8 +1464,8 @@ static int cpufreq_online(unsigned int c
+ * frequency for longer duration. Hence, a BUG_ON().
+ */
+ BUG_ON(ret);
+- pr_warn("%s: CPU%d: Unlisted initial frequency changed to: %u KHz\n",
+- __func__, policy->cpu, policy->cur);
++ pr_info("%s: CPU%d: Running at unlisted initial frequency: %u KHz, changing to: %u KHz\n",
++ __func__, policy->cpu, old_freq, policy->cur);
+ }
+ }
+
--- /dev/null
+From 31cc578ae2de19c748af06d859019dced68e325d Mon Sep 17 00:00:00 2001
+From: Saeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com>
+Date: Tue, 20 Oct 2020 13:41:36 +0200
+Subject: netfilter: nftables_offload: KASAN slab-out-of-bounds Read in nft_flow_rule_create
+
+From: Saeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com>
+
+commit 31cc578ae2de19c748af06d859019dced68e325d upstream.
+
+This patch fixes the issue due to:
+
+BUG: KASAN: slab-out-of-bounds in nft_flow_rule_create+0x622/0x6a2
+net/netfilter/nf_tables_offload.c:40
+Read of size 8 at addr ffff888103910b58 by task syz-executor227/16244
+
+The error happens when expr->ops is accessed early on before performing the boundary check and after nft_expr_next() moves the expr to go out-of-bounds.
+
+This patch checks the boundary condition before expr->ops that fixes the slab-out-of-bounds Read issue.
+
+Add nft_expr_more() and use it to fix this problem.
+
+Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/netfilter/nf_tables.h | 6 ++++++
+ net/netfilter/nf_tables_api.c | 6 +++---
+ net/netfilter/nf_tables_offload.c | 4 ++--
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -896,6 +896,12 @@ static inline struct nft_expr *nft_expr_
+ return (struct nft_expr *)&rule->data[rule->dlen];
+ }
+
++static inline bool nft_expr_more(const struct nft_rule *rule,
++ const struct nft_expr *expr)
++{
++ return expr != nft_expr_last(rule) && expr->ops;
++}
++
+ static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
+ {
+ return (void *)&rule->data[rule->dlen];
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -302,7 +302,7 @@ static void nft_rule_expr_activate(const
+ struct nft_expr *expr;
+
+ expr = nft_expr_first(rule);
+- while (expr != nft_expr_last(rule) && expr->ops) {
++ while (nft_expr_more(rule, expr)) {
+ if (expr->ops->activate)
+ expr->ops->activate(ctx, expr);
+
+@@ -317,7 +317,7 @@ static void nft_rule_expr_deactivate(con
+ struct nft_expr *expr;
+
+ expr = nft_expr_first(rule);
+- while (expr != nft_expr_last(rule) && expr->ops) {
++ while (nft_expr_more(rule, expr)) {
+ if (expr->ops->deactivate)
+ expr->ops->deactivate(ctx, expr, phase);
+
+@@ -3036,7 +3036,7 @@ static void nf_tables_rule_destroy(const
+ * is called on error from nf_tables_newrule().
+ */
+ expr = nft_expr_first(rule);
+- while (expr != nft_expr_last(rule) && expr->ops) {
++ while (nft_expr_more(rule, expr)) {
+ next = nft_expr_next(expr);
+ nf_tables_expr_destroy(ctx, expr);
+ expr = next;
+--- a/net/netfilter/nf_tables_offload.c
++++ b/net/netfilter/nf_tables_offload.c
+@@ -37,7 +37,7 @@ struct nft_flow_rule *nft_flow_rule_crea
+ struct nft_expr *expr;
+
+ expr = nft_expr_first(rule);
+- while (expr->ops && expr != nft_expr_last(rule)) {
++ while (nft_expr_more(rule, expr)) {
+ if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION)
+ num_actions++;
+
+@@ -61,7 +61,7 @@ struct nft_flow_rule *nft_flow_rule_crea
+ ctx->net = net;
+ ctx->dep.type = NFT_OFFLOAD_DEP_UNSPEC;
+
+- while (expr->ops && expr != nft_expr_last(rule)) {
++ while (nft_expr_more(rule, expr)) {
+ if (!expr->ops->offload) {
+ err = -EOPNOTSUPP;
+ goto err_out;
projects / thirdparty / kernel / stable-queue.git / commitdiff
