4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Jul 2021 11:58:02 +0000 (13:58 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Jul 2021 11:58:02 +0000 (13:58 +0200)
added patches:
can-bcm-delay-release-of-struct-bcm_op-after-synchronize_rcu.patch
can-gw-synchronize-rcu-operations-before-removing-gw-job-entry.patch
mac80211-fix-memory-corruption-in-eapol-handling.patch
powerpc-barrier-avoid-collision-with-clang-s-__lwsync-macro.patch

queue-4.9/can-bcm-delay-release-of-struct-bcm_op-after-synchronize_rcu.patch [new file with mode: 0644]
queue-4.9/can-gw-synchronize-rcu-operations-before-removing-gw-job-entry.patch [new file with mode: 0644]
queue-4.9/mac80211-fix-memory-corruption-in-eapol-handling.patch [new file with mode: 0644]
queue-4.9/powerpc-barrier-avoid-collision-with-clang-s-__lwsync-macro.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/can-bcm-delay-release-of-struct-bcm_op-after-synchronize_rcu.patch b/queue-4.9/can-bcm-delay-release-of-struct-bcm_op-after-synchronize_rcu.patch
new file mode 100644 (file)
index 0000000..27f1ffe
--- /dev/null
@@ -0,0 +1,65 @@
+From d5f9023fa61ee8b94f37a93f08e94b136cf1e463 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Sat, 19 Jun 2021 13:18:13 -0300
+Subject: can: bcm: delay release of struct bcm_op after synchronize_rcu()
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit d5f9023fa61ee8b94f37a93f08e94b136cf1e463 upstream.
+
+can_rx_register() callbacks may be called concurrently to the call to
+can_rx_unregister(). The callbacks and callback data, though, are
+protected by RCU and the struct sock reference count.
+
+So the callback data is really attached to the life of sk, meaning
+that it should be released on sk_destruct. However, bcm_remove_op()
+calls tasklet_kill(), and RCU callbacks may be called under RCU
+softirq, so that cannot be used on kernels before the introduction of
+HRTIMER_MODE_SOFT.
+
+However, bcm_rx_handler() is called under RCU protection, so after
+calling can_rx_unregister(), we may call synchronize_rcu() in order to
+wait for any RCU read-side critical sections to finish. That is,
+bcm_rx_handler() won't be called anymore for those ops. So, we only
+free them, after we do that synchronize_rcu().
+
+Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
+Link: https://lore.kernel.org/r/20210619161813.2098382-1-cascardo@canonical.com
+Cc: linux-stable <stable@vger.kernel.org>
+Reported-by: syzbot+0f7e7e5e2f4f40fa89c0@syzkaller.appspotmail.com
+Reported-by: Norbert Slusarek <nslusarek@gmx.net>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ net/can/bcm.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -839,6 +839,7 @@ static int bcm_delete_rx_op(struct list_
+                                                 bcm_rx_handler, op);
+                       list_del(&op->list);
++                      synchronize_rcu();
+                       bcm_remove_op(op);
+                       return 1; /* done */
+               }
+@@ -1589,9 +1590,13 @@ static int bcm_release(struct socket *so
+                                         REGMASK(op->can_id),
+                                         bcm_rx_handler, op);
+-              bcm_remove_op(op);
+       }
++      synchronize_rcu();
++
++      list_for_each_entry_safe(op, next, &bo->rx_ops, list)
++              bcm_remove_op(op);
++
+       /* remove procfs entry */
+       if (proc_dir && bo->bcm_proc_read)
+               remove_proc_entry(bo->procname, proc_dir);
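Review bot: Neither new `synchronize_rcu();` line (in bcm_delete_rx_op() and in bcm_release()) carries a comment saying why the grace period has to precede bcm_remove_op(); the reasoning lives only in the commit message and will be invisible to the next reader of bcm.c. Suggest `/* bcm_rx_handler() may still run under RCU after can_rx_unregister(): wait for readers before freeing op */` above each call. synchronize_rcu() blocks, so both call sites need a sleepable context; bcm_release() is the socket release path, and bcm_delete_rx_op() is, as far as I can tell, reached from sendmsg under lock_sock(), which should be fine but cannot be confirmed from the hunk. Both enclosing functions start and end outside the hunk, as does the loop whose tail the second hunk shows.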
diff --git a/queue-4.9/can-gw-synchronize-rcu-operations-before-removing-gw-job-entry.patch b/queue-4.9/can-gw-synchronize-rcu-operations-before-removing-gw-job-entry.patch
new file mode 100644 (file)
index 0000000..000d90e
--- /dev/null
@@ -0,0 +1,51 @@
+From fb8696ab14adadb2e3f6c17c18ed26b3ecd96691 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Fri, 18 Jun 2021 19:36:45 +0200
+Subject: can: gw: synchronize rcu operations before removing gw job entry
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit fb8696ab14adadb2e3f6c17c18ed26b3ecd96691 upstream.
+
+can_can_gw_rcv() is called under RCU protection, so after calling
+can_rx_unregister(), we have to call synchronize_rcu in order to wait
+for any RCU read-side critical sections to finish before removing the
+kmem_cache entry with the referenced gw job entry.
+
+Link: https://lore.kernel.org/r/20210618173645.2238-1-socketcan@hartkopp.net
+Fixes: c1aabdf379bc ("can-gw: add netlink based CAN routing")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/can/gw.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/can/gw.c
++++ b/net/can/gw.c
+@@ -497,6 +497,7 @@ static int cgw_notifier(struct notifier_
+                       if (gwj->src.dev == dev || gwj->dst.dev == dev) {
+                               hlist_del(&gwj->list);
+                               cgw_unregister_filter(gwj);
++                              synchronize_rcu();
+                               kmem_cache_free(cgw_cache, gwj);
+                       }
+               }
+@@ -941,6 +942,7 @@ static void cgw_remove_all_jobs(void)
+       hlist_for_each_entry_safe(gwj, nx, &cgw_list, list) {
+               hlist_del(&gwj->list);
+               cgw_unregister_filter(gwj);
++              synchronize_rcu();
+               kmem_cache_free(cgw_cache, gwj);
+       }
+ }
+@@ -1008,6 +1010,7 @@ static int cgw_remove_job(struct sk_buff
+               hlist_del(&gwj->list);
+               cgw_unregister_filter(gwj);
++              synchronize_rcu();
+               kmem_cache_free(cgw_cache, gwj);
+               err = 0;
+               break;
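Review bot: cgw_remove_all_jobs() now waits one full RCU grace period per job, because the added `synchronize_rcu();` sits inside the hlist_for_each_entry_safe loop; with many gw jobs that serializes many grace periods where a single one would do (unregister every filter first, synchronize once, then free), which is the shape the can-bcm patch in this same queue uses for bcm_release(). The code is correct as written, only slow at teardown, so this is a follow-up rather than a blocker. The cgw_notifier() and cgw_remove_job() hunks share the same pattern and would benefit from the same one-line comment at each call site, e.g. `/* can_can_gw_rcv() may still be running under RCU: wait before freeing gwj */`. All three callers must be able to sleep; the notifier and netlink paths should hold RTNL, but that is not visible in the hunks, and each enclosing function continues outside its hunk.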
diff --git a/queue-4.9/mac80211-fix-memory-corruption-in-eapol-handling.patch b/queue-4.9/mac80211-fix-memory-corruption-in-eapol-handling.patch
new file mode 100644 (file)
index 0000000..49651f3
--- /dev/null
@@ -0,0 +1,36 @@
+From davis@mosenkovs.lv  Thu Jul 15 13:54:04 2021
+From: Davis Mosenkovs <davis@mosenkovs.lv>
+Date: Sat, 10 Jul 2021 21:37:10 +0300
+Subject: mac80211: fix memory corruption in EAPOL handling
+To: johannes@sipsolutions.net
+Cc: linux-wireless@vger.kernel.org, stable@vger.kernel.org, Davis Mosenkovs <davis@mosenkovs.lv>
+Message-ID: <20210710183710.5687-1-davis@mosenkovs.lv>
+
+From: Davis Mosenkovs <davis@mosenkovs.lv>
+
+Commit e3d4030498c3 ("mac80211: do not accept/forward invalid EAPOL
+frames") uses skb_mac_header() before eth_type_trans() is called
+leading to incorrect pointer, the pointer gets written to. This issue
+has appeared during backporting to 4.4, 4.9 and 4.14.
+
+Fixes: e3d4030498c3 ("mac80211: do not accept/forward invalid EAPOL frames")
+Link: https://lore.kernel.org/r/CAHQn7pKcyC_jYmGyTcPCdk9xxATwW5QPNph=bsZV8d-HPwNsyA@mail.gmail.com
+Cc: <stable@vger.kernel.org> # 4.4.x
+Signed-off-by: Davis Mosenkovs <davis@mosenkovs.lv>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2380,7 +2380,7 @@ ieee80211_deliver_skb(struct ieee80211_r
+ #endif
+       if (skb) {
+-              struct ethhdr *ehdr = (void *)skb_mac_header(skb);
++              struct ethhdr *ehdr = (struct ethhdr *)skb->data;
+               /* deliver to local stack */
+               skb->protocol = eth_type_trans(skb, dev);
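Review bot: The new `ehdr` initialisation is correct but relies on an ordering that nothing in the code states: it has to be taken before the eth_type_trans() call on the next line, which (to my recollection) pulls the Ethernet header off skb->data and only then sets the mac header, so anyone who later reorders these two lines, or switches back to skb_mac_header() for symmetry with upstream, would reintroduce the stale-pointer write this patch fixes. Suggest `/* take the header now: eth_type_trans() below advances skb->data past it */` above the assignment. The later reads of ehdr, and ieee80211_deliver_skb() itself, continue outside the hunk.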
diff --git a/queue-4.9/powerpc-barrier-avoid-collision-with-clang-s-__lwsync-macro.patch b/queue-4.9/powerpc-barrier-avoid-collision-with-clang-s-__lwsync-macro.patch
new file mode 100644 (file)
index 0000000..8a22d1a
--- /dev/null
@@ -0,0 +1,57 @@
+From 015d98149b326e0f1f02e44413112ca8b4330543 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Fri, 28 May 2021 11:27:52 -0700
+Subject: powerpc/barrier: Avoid collision with clang's __lwsync macro
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 015d98149b326e0f1f02e44413112ca8b4330543 upstream.
+
+A change in clang 13 results in the __lwsync macro being defined as
+__builtin_ppc_lwsync, which emits 'lwsync' or 'msync' depending on what
+the target supports. This breaks the build because of -Werror in
+arch/powerpc, along with thousands of warnings:
+
+ In file included from arch/powerpc/kernel/pmc.c:12:
+ In file included from include/linux/bug.h:5:
+ In file included from arch/powerpc/include/asm/bug.h:109:
+ In file included from include/asm-generic/bug.h:20:
+ In file included from include/linux/kernel.h:12:
+ In file included from include/linux/bitops.h:32:
+ In file included from arch/powerpc/include/asm/bitops.h:62:
+ arch/powerpc/include/asm/barrier.h:49:9: error: '__lwsync' macro redefined [-Werror,-Wmacro-redefined]
+ #define __lwsync()      __asm__ __volatile__ (stringify_in_c(LWSYNC) : : :"memory")
+        ^
+ <built-in>:308:9: note: previous definition is here
+ #define __lwsync __builtin_ppc_lwsync
+        ^
+ 1 error generated.
+
+Undefine this macro so that the runtime patching introduced by
+commit 2d1b2027626d ("powerpc: Fixup lwsync at runtime") continues to
+work properly with clang and the build no longer breaks.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1386
+Link: https://github.com/llvm/llvm-project/commit/62b5df7fe2b3fda1772befeda15598fbef96a614
+Link: https://lore.kernel.org/r/20210528182752.1852002-1-nathan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/barrier.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/include/asm/barrier.h
++++ b/arch/powerpc/include/asm/barrier.h
+@@ -41,6 +41,8 @@
+ #    define SMPWMB      eieio
+ #endif
++/* clang defines this macro for a builtin, which will not work with runtime patching */
++#undef __lwsync
+ #define __lwsync()    __asm__ __volatile__ (stringify_in_c(LWSYNC) : : :"memory")
+ #define dma_rmb()     __lwsync()
+ #define dma_wmb()     __asm__ __volatile__ (stringify_in_c(SMPWMB) : : :"memory")
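Review bot: The new comment above `#undef __lwsync` does not say which compiler version introduced the clash, so a future reader cannot tell whether the undefine is still needed; the commit message pins it to clang 13 predefining `__lwsync` as `__builtin_ppc_lwsync`. Suggest `/* clang 13+ predefines __lwsync as __builtin_ppc_lwsync; drop it so the runtime-patched LWSYNC below is used */`. The unconditional #undef should be a no-op on GCC, which as far as I know has no such predefinition, so no guard is needed.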
index 38e2188d6fbe36553d4980957ae71d66326f0040..f8dc9418f565ab95a358af62bb4a3f59f0766723 100644 (file)
@@ -156,3 +156,7 @@ bluetooth-shutdown-controller-after-workqueues-are-f.patch
 bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch
 sctp-add-size-validation-when-walking-chunks.patch
 fuse-reject-internal-errno.patch
+can-gw-synchronize-rcu-operations-before-removing-gw-job-entry.patch
+can-bcm-delay-release-of-struct-bcm_op-after-synchronize_rcu.patch
+mac80211-fix-memory-corruption-in-eapol-handling.patch
+powerpc-barrier-avoid-collision-with-clang-s-__lwsync-macro.patch