5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Jan 2021 11:47:21 +0000 (12:47 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Jan 2021 11:47:21 +0000 (12:47 +0100)
added patches:
arm-dts-omap3-disable-aes-on-n950-n9.patch
dmaengine-idxd-off-by-one-in-cleanup-code.patch
kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch
net-mlx5e-fix-swp-offsets-when-vlan-inserted-by-driver.patch
netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch
netfilter-nft_dynset-report-eopnotsupp-on-missing-set-feature.patch
netfilter-x_tables-update-remaining-dereference-to-rcu.patch
netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch
rtlwifi-rise-completion-at-the-last-step-of-firmware-callback.patch
x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch
xsk-fix-memory-leak-for-failed-bind.patch

12 files changed:
queue-5.10/arm-dts-omap3-disable-aes-on-n950-n9.patch [new file with mode: 0644]
queue-5.10/dmaengine-idxd-off-by-one-in-cleanup-code.patch [new file with mode: 0644]
queue-5.10/kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch [new file with mode: 0644]
queue-5.10/net-mlx5e-fix-swp-offsets-when-vlan-inserted-by-driver.patch [new file with mode: 0644]
queue-5.10/netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch [new file with mode: 0644]
queue-5.10/netfilter-nft_dynset-report-eopnotsupp-on-missing-set-feature.patch [new file with mode: 0644]
queue-5.10/netfilter-x_tables-update-remaining-dereference-to-rcu.patch [new file with mode: 0644]
queue-5.10/netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch [new file with mode: 0644]
queue-5.10/rtlwifi-rise-completion-at-the-last-step-of-firmware-callback.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch [new file with mode: 0644]
queue-5.10/xsk-fix-memory-leak-for-failed-bind.patch [new file with mode: 0644]

diff --git a/queue-5.10/arm-dts-omap3-disable-aes-on-n950-n9.patch b/queue-5.10/arm-dts-omap3-disable-aes-on-n950-n9.patch
new file mode 100644 (file)
index 0000000..1ace1c1
--- /dev/null
@@ -0,0 +1,35 @@
+From f1dc15cd7fc146107cad2a926d9c1d005f69002a Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 29 Nov 2020 16:47:10 +0200
+Subject: ARM: dts: OMAP3: disable AES on N950/N9
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit f1dc15cd7fc146107cad2a926d9c1d005f69002a upstream.
+
+AES needs to be disabled on Nokia N950/N9 as well (HS devices), otherwise
+kernel fails to boot.
+
+Fixes: c312f066314e ("ARM: dts: omap3: Migrate AES from hwmods to sysc-omap2")
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/omap3-n950-n9.dtsi |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/arm/boot/dts/omap3-n950-n9.dtsi
++++ b/arch/arm/boot/dts/omap3-n950-n9.dtsi
+@@ -494,3 +494,11 @@
+               clock-names = "sysclk";
+       };
+ };
++
++&aes1_target {
++      status = "disabled";
++};
++
++&aes2_target {
++      status = "disabled";
++};
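Review bot: The two new overrides carry no comment saying why AES is disabled, so a later reader has only git history to learn that enabling it on these HS devices prevents boot. A one-line comment above `&aes1_target {`, e.g. `/* AES is not usable on HS devices (N950/N9); leaving it enabled breaks boot */`, would keep the reason with the code. The same applies to the `&aes2_target` block.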
diff --git a/queue-5.10/dmaengine-idxd-off-by-one-in-cleanup-code.patch b/queue-5.10/dmaengine-idxd-off-by-one-in-cleanup-code.patch
new file mode 100644 (file)
index 0000000..eb8e1ab
--- /dev/null
@@ -0,0 +1,44 @@
+From ff58f7dd0c1352a01de3a40327895bd51e03de3a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 16 Dec 2020 11:29:46 +0300
+Subject: dmaengine: idxd: off by one in cleanup code
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit ff58f7dd0c1352a01de3a40327895bd51e03de3a upstream.
+
+The clean up is off by one so this will start at "i" and it should start
+with "i - 1" and then it doesn't unregister the zeroeth elements in the
+array.
+
+Fixes: c52ca478233c ("dmaengine: idxd: add configuration component of driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://lore.kernel.org/r/X9nFeojulsNqUSnG@mwanda
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/idxd/sysfs.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/idxd/sysfs.c
++++ b/drivers/dma/idxd/sysfs.c
+@@ -379,7 +379,7 @@ int idxd_register_driver(void)
+       return 0;
+ drv_fail:
+-      for (; i > 0; i--)
++      while (--i >= 0)
+               driver_unregister(&idxd_drvs[i]->drv);
+       return rc;
+ }
+@@ -1639,7 +1639,7 @@ int idxd_register_bus_type(void)
+       return 0;
+ bus_err:
+-      for (; i > 0; i--)
++      while (--i >= 0)
+               bus_unregister(idxd_bus_types[i]);
+       return rc;
+ }
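Review bot: `while (--i >= 0)` terminates only if `i` is a signed type; its declaration is outside the hunk (idxd_register_driver begins before the hunk), and if `i` were unsigned the condition would always hold and the loop would run past the start of idxd_drvs. Worth confirming the declaration is a plain `int i;`, or making the loop independent of signedness: `while (i-- > 0)` followed by `driver_unregister(&idxd_drvs[i]->drv);`. The same applies to the bus_err hunk in idxd_register_bus_type.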
diff --git a/queue-5.10/kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch b/queue-5.10/kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch
new file mode 100644 (file)
index 0000000..c06cd97
--- /dev/null
@@ -0,0 +1,32 @@
+From 2f80d502d627f30257ba7e3655e71c373b7d1a5a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 22 Dec 2020 05:20:43 -0500
+Subject: KVM: x86: fix shift out of bounds reported by UBSAN
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 2f80d502d627f30257ba7e3655e71c373b7d1a5a upstream.
+
+Since we know that e >= s, we can reassociate the left shift,
+changing the shifted number from 1 to 2 in exchange for
+decreasing the right hand side by 1.
+
+Reported-by: syzbot+e87846c48bf72bc85311@syzkaller.appspotmail.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.h
++++ b/arch/x86/kvm/mmu.h
+@@ -49,7 +49,7 @@ static inline u64 rsvd_bits(int s, int e
+       if (e < s)
+               return 0;
+-      return ((1ULL << (e - s + 1)) - 1) << s;
++      return ((2ULL << (e - s)) - 1) << s;
+ }
+ void kvm_mmu_set_mmio_spte_mask(u64 mmio_value, u64 access_mask);
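Review bot: The new expression relies on unsigned wrap for the full-width case: with s == 0 and e == 63, `2ULL << 63` is 0 and `0 - 1` yields all ones, which is the intended mask but reads like an overflow to anyone auditing it. A comment on the return line, `/* 2ULL << 63 wraps to 0 and 0 - 1 gives the all-ones mask; shifts stay below 64 for 0 <= s <= e <= 63 */`, would record both the wrap and the precondition that `<< (e - s)` and `<< s` still assume s and e lie in [0, 63] — the hunk does not show callers enforcing that. rsvd_bits starts before the hunk.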
diff --git a/queue-5.10/net-mlx5e-fix-swp-offsets-when-vlan-inserted-by-driver.patch b/queue-5.10/net-mlx5e-fix-swp-offsets-when-vlan-inserted-by-driver.patch
new file mode 100644 (file)
index 0000000..59b6c84
--- /dev/null
@@ -0,0 +1,115 @@
+From b544011f0e58ce43c40105468d6dc67f980a0c7a Mon Sep 17 00:00:00 2001
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Fri, 13 Nov 2020 06:06:28 +0200
+Subject: net/mlx5e: Fix SWP offsets when vlan inserted by driver
+
+From: Moshe Shemesh <moshe@mellanox.com>
+
+commit b544011f0e58ce43c40105468d6dc67f980a0c7a upstream.
+
+In case WQE includes inline header the vlan is inserted by driver even
+if vlan offload is set. On geneve over vlan interface where software
+parser is used the SWP offsets should be updated according to the added
+vlan.
+
+Fixes: e3cfc7e6b7bd ("net/mlx5e: TX, Add geneve tunnel stateless offload support")
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h           |    9 +++++++++
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/en_accel.h |    8 +++++---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tx.c             |    9 +++++----
+ 3 files changed, 19 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h
+@@ -366,6 +366,15 @@ struct mlx5e_swp_spec {
+       u8 tun_l4_proto;
+ };
++static inline void mlx5e_eseg_swp_offsets_add_vlan(struct mlx5_wqe_eth_seg *eseg)
++{
++      /* SWP offsets are in 2-bytes words */
++      eseg->swp_outer_l3_offset += VLAN_HLEN / 2;
++      eseg->swp_outer_l4_offset += VLAN_HLEN / 2;
++      eseg->swp_inner_l3_offset += VLAN_HLEN / 2;
++      eseg->swp_inner_l4_offset += VLAN_HLEN / 2;
++}
++
+ static inline void
+ mlx5e_set_eseg_swp(struct sk_buff *skb, struct mlx5_wqe_eth_seg *eseg,
+                  struct mlx5e_swp_spec *swp_spec)
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/en_accel.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/en_accel.h
+@@ -51,7 +51,7 @@ static inline bool mlx5_geneve_tx_allowe
+ }
+ static inline void
+-mlx5e_tx_tunnel_accel(struct sk_buff *skb, struct mlx5_wqe_eth_seg *eseg)
++mlx5e_tx_tunnel_accel(struct sk_buff *skb, struct mlx5_wqe_eth_seg *eseg, u16 ihs)
+ {
+       struct mlx5e_swp_spec swp_spec = {};
+       unsigned int offset = 0;
+@@ -85,6 +85,8 @@ mlx5e_tx_tunnel_accel(struct sk_buff *sk
+       }
+       mlx5e_set_eseg_swp(skb, eseg, &swp_spec);
++      if (skb_vlan_tag_present(skb) &&  ihs)
++              mlx5e_eseg_swp_offsets_add_vlan(eseg);
+ }
+ #else
+@@ -163,7 +165,7 @@ static inline unsigned int mlx5e_accel_t
+ static inline bool mlx5e_accel_tx_eseg(struct mlx5e_priv *priv,
+                                      struct sk_buff *skb,
+-                                     struct mlx5_wqe_eth_seg *eseg)
++                                     struct mlx5_wqe_eth_seg *eseg, u16 ihs)
+ {
+ #ifdef CONFIG_MLX5_EN_IPSEC
+       if (xfrm_offload(skb))
+@@ -172,7 +174,7 @@ static inline bool mlx5e_accel_tx_eseg(s
+ #if IS_ENABLED(CONFIG_GENEVE)
+       if (skb->encapsulation)
+-              mlx5e_tx_tunnel_accel(skb, eseg);
++              mlx5e_tx_tunnel_accel(skb, eseg, ihs);
+ #endif
+       return true;
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+@@ -615,9 +615,9 @@ void mlx5e_tx_mpwqe_ensure_complete(stru
+ static bool mlx5e_txwqe_build_eseg(struct mlx5e_priv *priv, struct mlx5e_txqsq *sq,
+                                  struct sk_buff *skb, struct mlx5e_accel_tx_state *accel,
+-                                 struct mlx5_wqe_eth_seg *eseg)
++                                 struct mlx5_wqe_eth_seg *eseg, u16 ihs)
+ {
+-      if (unlikely(!mlx5e_accel_tx_eseg(priv, skb, eseg)))
++      if (unlikely(!mlx5e_accel_tx_eseg(priv, skb, eseg, ihs)))
+               return false;
+       mlx5e_txwqe_build_eseg_csum(sq, skb, accel, eseg);
+@@ -647,7 +647,8 @@ netdev_tx_t mlx5e_xmit(struct sk_buff *s
+               if (mlx5e_tx_skb_supports_mpwqe(skb, &attr)) {
+                       struct mlx5_wqe_eth_seg eseg = {};
+-                      if (unlikely(!mlx5e_txwqe_build_eseg(priv, sq, skb, &accel, &eseg)))
++                      if (unlikely(!mlx5e_txwqe_build_eseg(priv, sq, skb, &accel, &eseg,
++                                                           attr.ihs)))
+                               return NETDEV_TX_OK;
+                       mlx5e_sq_xmit_mpwqe(sq, skb, &eseg, netdev_xmit_more());
+@@ -664,7 +665,7 @@ netdev_tx_t mlx5e_xmit(struct sk_buff *s
+       /* May update the WQE, but may not post other WQEs. */
+       mlx5e_accel_tx_finish(sq, wqe, &accel,
+                             (struct mlx5_wqe_inline_seg *)(wqe->data + wqe_attr.ds_cnt_inl));
+-      if (unlikely(!mlx5e_txwqe_build_eseg(priv, sq, skb, &accel, &wqe->eth)))
++      if (unlikely(!mlx5e_txwqe_build_eseg(priv, sq, skb, &accel, &wqe->eth, attr.ihs)))
+               return NETDEV_TX_OK;
+       mlx5e_sq_xmit_wqe(sq, skb, &attr, &wqe_attr, wqe, pi, netdev_xmit_more());
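Review bot: `if (skb_vlan_tag_present(skb) &&  ihs)` in en_accel.h has a doubled space; `if (skb_vlan_tag_present(skb) && ihs)`. Separately, mlx5e_eseg_swp_offsets_add_vlan() adds VLAN_HLEN / 2 to all four SWP offsets regardless of which ones mlx5e_set_eseg_swp() actually populated; that function's body is outside the hunk, so if any offset can legitimately stay 0 for some packet shape, the add would turn "unset" into a real offset. Worth confirming that every offset is always set on the skb->encapsulation path this is reached from, and stating that assumption in the helper's comment.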
diff --git a/queue-5.10/netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch b/queue-5.10/netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch
new file mode 100644 (file)
index 0000000..4365856
--- /dev/null
@@ -0,0 +1,89 @@
+From 5c8193f568ae16f3242abad6518dc2ca6c8eef86 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 17 Dec 2020 17:53:18 +0300
+Subject: netfilter: ipset: fix shift-out-of-bounds in htable_bits()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 5c8193f568ae16f3242abad6518dc2ca6c8eef86 upstream.
+
+htable_bits() can call jhash_size(32) and trigger shift-out-of-bounds
+
+UBSAN: shift-out-of-bounds in net/netfilter/ipset/ip_set_hash_gen.h:151:6
+shift exponent 32 is too large for 32-bit type 'unsigned int'
+CPU: 0 PID: 8498 Comm: syz-executor519
+ Not tainted 5.10.0-rc7-next-20201208-syzkaller #0
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
+ htable_bits net/netfilter/ipset/ip_set_hash_gen.h:151 [inline]
+ hash_mac_create.cold+0x58/0x9b net/netfilter/ipset/ip_set_hash_gen.h:1524
+ ip_set_create+0x610/0x1380 net/netfilter/ipset/ip_set_core.c:1115
+ nfnetlink_rcv_msg+0xecc/0x1180 net/netfilter/nfnetlink.c:252
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
+ nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:600
+ netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
+ netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+This patch replaces htable_bits() by simple fls(hashsize - 1) call:
+it alone returns valid nbits both for round and non-round hashsizes.
+It is normal to set any nbits here because it is validated inside
+following htable_size() call which returns 0 for nbits>31.
+
+Fixes: 1feab10d7e6d("netfilter: ipset: Unified hash type generation")
+Reported-by: syzbot+d66bfadebca46cf61a2b@syzkaller.appspotmail.com
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_hash_gen.h |   20 +++++---------------
+ 1 file changed, 5 insertions(+), 15 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -143,20 +143,6 @@ htable_size(u8 hbits)
+       return hsize * sizeof(struct hbucket *) + sizeof(struct htable);
+ }
+-/* Compute htable_bits from the user input parameter hashsize */
+-static u8
+-htable_bits(u32 hashsize)
+-{
+-      /* Assume that hashsize == 2^htable_bits */
+-      u8 bits = fls(hashsize - 1);
+-
+-      if (jhash_size(bits) != hashsize)
+-              /* Round up to the first 2^n value */
+-              bits = fls(hashsize);
+-
+-      return bits;
+-}
+-
+ #ifdef IP_SET_HASH_WITH_NETS
+ #if IPSET_NET_COUNT > 1
+ #define __CIDR(cidr, i)               (cidr[i])
+@@ -1520,7 +1506,11 @@ IPSET_TOKEN(HTYPE, _create)(struct net *
+       if (!h)
+               return -ENOMEM;
+-      hbits = htable_bits(hashsize);
++      /* Compute htable_bits from the user input parameter hashsize.
++       * Assume that hashsize == 2^htable_bits,
++       * otherwise round up to the first 2^n value.
++       */
++      hbits = fls(hashsize - 1);
+       hsize = htable_size(hbits);
+       if (hsize == 0) {
+               kfree(h);
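Review bot: The new comment above `hbits = fls(hashsize - 1);` explains the rounding but not the hashsize == 0 case: the u32 subtraction wraps to ~0 and fls() returns 32, which is only safe because htable_size() is expected to return 0 for nbits > 31 (the commit message says so; htable_size's body is only partly in the hunk). Extending the comment with `* hashsize == 0 wraps to fls(~0u) == 32, which htable_size() rejects.` ties the two together so a later change to htable_size() does not silently reopen the hole.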
diff --git a/queue-5.10/netfilter-nft_dynset-report-eopnotsupp-on-missing-set-feature.patch b/queue-5.10/netfilter-nft_dynset-report-eopnotsupp-on-missing-set-feature.patch
new file mode 100644 (file)
index 0000000..7bcd18c
--- /dev/null
@@ -0,0 +1,52 @@
+From 95cd4bca7b1f4a25810f3ddfc5e767fb46931789 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sun, 27 Dec 2020 12:33:44 +0100
+Subject: netfilter: nft_dynset: report EOPNOTSUPP on missing set feature
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 95cd4bca7b1f4a25810f3ddfc5e767fb46931789 upstream.
+
+If userspace requests a feature which is not available the original set
+definition, then bail out with EOPNOTSUPP. If userspace sends
+unsupported dynset flags (new feature not supported by this kernel),
+then report EOPNOTSUPP to userspace. EINVAL should be only used to
+report malformed netlink messages from userspace.
+
+Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_dynset.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -123,7 +123,7 @@ static int nft_dynset_init(const struct
+               u32 flags = ntohl(nla_get_be32(tb[NFTA_DYNSET_FLAGS]));
+               if (flags & ~NFT_DYNSET_F_INV)
+-                      return -EINVAL;
++                      return -EOPNOTSUPP;
+               if (flags & NFT_DYNSET_F_INV)
+                       priv->invert = true;
+       }
+@@ -156,7 +156,7 @@ static int nft_dynset_init(const struct
+       timeout = 0;
+       if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
+               if (!(set->flags & NFT_SET_TIMEOUT))
+-                      return -EINVAL;
++                      return -EOPNOTSUPP;
+               err = nf_msecs_to_jiffies64(tb[NFTA_DYNSET_TIMEOUT], &timeout);
+               if (err)
+@@ -170,7 +170,7 @@ static int nft_dynset_init(const struct
+       if (tb[NFTA_DYNSET_SREG_DATA] != NULL) {
+               if (!(set->flags & NFT_SET_MAP))
+-                      return -EINVAL;
++                      return -EOPNOTSUPP;
+               if (set->dtype == NFT_DATA_VERDICT)
+                       return -EOPNOTSUPP;
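Review bot: The changed return codes are not explained in the code itself, so the rule the commit message states — EINVAL for malformed netlink messages, EOPNOTSUPP for features the set or this kernel does not support — is easy to lose in the next edit. A short comment at the first site, `/* unknown flags: feature not supported by this kernel, not a malformed message */` above `return -EOPNOTSUPP;`, would carry that rule into nft_dynset_init, whose body starts before the hunk.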
diff --git a/queue-5.10/netfilter-x_tables-update-remaining-dereference-to-rcu.patch b/queue-5.10/netfilter-x_tables-update-remaining-dereference-to-rcu.patch
new file mode 100644 (file)
index 0000000..9d36117
--- /dev/null
@@ -0,0 +1,58 @@
+From 443d6e86f821a165fae3fc3fc13086d27ac140b1 Mon Sep 17 00:00:00 2001
+From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Date: Wed, 16 Dec 2020 21:38:02 -0700
+Subject: netfilter: x_tables: Update remaining dereference to RCU
+
+From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+
+commit 443d6e86f821a165fae3fc3fc13086d27ac140b1 upstream.
+
+This fixes the dereference to fetch the RCU pointer when holding
+the appropriate xtables lock.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: cc00bcaa5899 ("netfilter: x_tables: Switch synchronization to RCU")
+Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/arp_tables.c |    2 +-
+ net/ipv4/netfilter/ip_tables.c  |    2 +-
+ net/ipv6/netfilter/ip6_tables.c |    2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1379,7 +1379,7 @@ static int compat_get_entries(struct net
+       xt_compat_lock(NFPROTO_ARP);
+       t = xt_find_table_lock(net, NFPROTO_ARP, get.name);
+       if (!IS_ERR(t)) {
+-              const struct xt_table_info *private = t->private;
++              const struct xt_table_info *private = xt_table_get_private_protected(t);
+               struct xt_table_info info;
+               ret = compat_table_info(private, &info);
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1589,7 +1589,7 @@ compat_get_entries(struct net *net, stru
+       xt_compat_lock(AF_INET);
+       t = xt_find_table_lock(net, AF_INET, get.name);
+       if (!IS_ERR(t)) {
+-              const struct xt_table_info *private = t->private;
++              const struct xt_table_info *private = xt_table_get_private_protected(t);
+               struct xt_table_info info;
+               ret = compat_table_info(private, &info);
+               if (!ret && get.size == info.size)
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1598,7 +1598,7 @@ compat_get_entries(struct net *net, stru
+       xt_compat_lock(AF_INET6);
+       t = xt_find_table_lock(net, AF_INET6, get.name);
+       if (!IS_ERR(t)) {
+-              const struct xt_table_info *private = t->private;
++              const struct xt_table_info *private = xt_table_get_private_protected(t);
+               struct xt_table_info info;
+               ret = compat_table_info(private, &info);
+               if (!ret && get.size == info.size)
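Review bot: Correctness of `xt_table_get_private_protected(t)` here depends on the lock taken by xt_find_table_lock() on the line above being the one that helper's protected-dereference condition presumably checks; the helper's definition is outside the hunk, so this cannot be confirmed from the patch. The three hunks (arp_tables.c, ip_tables.c, ip6_tables.c) are identical in this respect. A comment such as `/* table lock held by xt_find_table_lock() above */` at each site would make the lock pairing explicit for the next reader.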
diff --git a/queue-5.10/netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch b/queue-5.10/netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch
new file mode 100644 (file)
index 0000000..6fcbe88
--- /dev/null
@@ -0,0 +1,41 @@
+From 6cb56218ad9e580e519dcd23bfb3db08d8692e5a Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 22 Dec 2020 23:23:56 +0100
+Subject: netfilter: xt_RATEEST: reject non-null terminated string from userspace
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 6cb56218ad9e580e519dcd23bfb3db08d8692e5a upstream.
+
+syzbot reports:
+detected buffer overflow in strlen
+[..]
+Call Trace:
+ strlen include/linux/string.h:325 [inline]
+ strlcpy include/linux/string.h:348 [inline]
+ xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143
+
+strlcpy assumes src is a c-string. Check info->name before its used.
+
+Reported-by: syzbot+e86f7c428c8c50db65b4@syzkaller.appspotmail.com
+Fixes: 5859034d7eb8793 ("[NETFILTER]: x_tables: add RATEEST target")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_RATEEST.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/xt_RATEEST.c
++++ b/net/netfilter/xt_RATEEST.c
+@@ -115,6 +115,9 @@ static int xt_rateest_tg_checkentry(cons
+       } cfg;
+       int ret;
++      if (strnlen(info->name, sizeof(est->name)) >= sizeof(est->name))
++              return -ENAMETOOLONG;
++
+       net_get_random_once(&jhash_rnd, sizeof(jhash_rnd));
+       mutex_lock(&xn->hash_lock);
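Review bot: The new check bounds strnlen() by `sizeof(est->name)` while the buffer it scans is `info->name`; that is only safe if info->name is at least as large as est->name, and neither declaration is in the hunk. If the two sizes ever diverge, strnlen() could read past the end of info->name before reaching the bound, reintroducing the over-read the patch is fixing. Adding `BUILD_BUG_ON(sizeof(info->name) != sizeof(est->name));` before the check pins that assumption at compile time. xt_rateest_tg_checkentry starts before the hunk.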
diff --git a/queue-5.10/rtlwifi-rise-completion-at-the-last-step-of-firmware-callback.patch b/queue-5.10/rtlwifi-rise-completion-at-the-last-step-of-firmware-callback.patch
new file mode 100644 (file)
index 0000000..51e3215
--- /dev/null
@@ -0,0 +1,100 @@
+From 4dfde294b9792dcf8615b55c58f093d544f472f0 Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Mon, 14 Dec 2020 13:31:06 +0800
+Subject: rtlwifi: rise completion at the last step of firmware callback
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+commit 4dfde294b9792dcf8615b55c58f093d544f472f0 upstream.
+
+request_firmware_nowait() which schedules another work is used to load
+firmware when USB is probing. If USB is unplugged before running the
+firmware work, it goes disconnect ops, and then causes use-after-free.
+Though we wait for completion of firmware work before freeing the hw,
+firmware callback rises completion too early. So I move it to the
+last step.
+
+usb 5-1: Direct firmware load for rtlwifi/rtl8192cufw.bin failed with error -2
+rtlwifi: Loading alternative firmware rtlwifi/rtl8192cufw.bin
+rtlwifi: Selected firmware is not available
+==================================================================
+BUG: KASAN: use-after-free in rtl_fw_do_work.cold+0x68/0x6a drivers/net/wireless/realtek/rtlwifi/core.c:93
+Write of size 4 at addr ffff8881454cff50 by task kworker/0:6/7379
+
+CPU: 0 PID: 7379 Comm: kworker/0:6 Not tainted 5.10.0-rc7-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: events request_firmware_work_func
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
+ __kasan_report mm/kasan/report.c:545 [inline]
+ kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
+ rtl_fw_do_work.cold+0x68/0x6a drivers/net/wireless/realtek/rtlwifi/core.c:93
+ request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1079
+ process_one_work+0x933/0x1520 kernel/workqueue.c:2272
+ worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
+ kthread+0x38c/0x460 kernel/kthread.c:292
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
+
+The buggy address belongs to the page:
+page:00000000f54435b3 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1454cf
+flags: 0x200000000000000()
+raw: 0200000000000000 0000000000000000 ffffea00051533c8 0000000000000000
+raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881454cfe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff8881454cfe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+>ffff8881454cff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+                                                 ^
+ ffff8881454cff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff8881454d0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Reported-by: syzbot+65be4277f3c489293939@syzkaller.appspotmail.com
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20201214053106.7748-1-pkshih@realtek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/core.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/core.c
++++ b/drivers/net/wireless/realtek/rtlwifi/core.c
+@@ -78,7 +78,6 @@ static void rtl_fw_do_work(const struct
+       rtl_dbg(rtlpriv, COMP_ERR, DBG_LOUD,
+               "Firmware callback routine entered!\n");
+-      complete(&rtlpriv->firmware_loading_complete);
+       if (!firmware) {
+               if (rtlpriv->cfg->alt_fw_name) {
+                       err = request_firmware(&firmware,
+@@ -91,13 +90,13 @@ static void rtl_fw_do_work(const struct
+               }
+               pr_err("Selected firmware is not available\n");
+               rtlpriv->max_fw_size = 0;
+-              return;
++              goto exit;
+       }
+ found_alt:
+       if (firmware->size > rtlpriv->max_fw_size) {
+               pr_err("Firmware is too big!\n");
+               release_firmware(firmware);
+-              return;
++              goto exit;
+       }
+       if (!is_wow) {
+               memcpy(rtlpriv->rtlhal.pfirmware, firmware->data,
+@@ -109,6 +108,9 @@ found_alt:
+               rtlpriv->rtlhal.wowlan_fwsize = firmware->size;
+       }
+       release_firmware(firmware);
++
++exit:
++      complete(&rtlpriv->firmware_loading_complete);
+ }
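Review bot: The new `exit:` label has no comment explaining why complete() must be the very last statement, which is the whole point of the change — the hunk's own history shows the call previously sat at the top of the function. Without that note the next refactor can move it back. Suggest `/* Must be last: the waiter may free rtlpriv as soon as this completes. */` above `complete(&rtlpriv->firmware_loading_complete);`. rtl_fw_do_work begins before the hunk; the found_alt path's release_firmware() correctly precedes the completion.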
+ void rtl_fw_cb(const struct firmware *firmware, void *context)
index 1ceef81f533ecf9a27b6d2efccfe391186705d64..f2e7249d02df82aaf5b4d0442ee4b5c8eec5ba15 100644 (file)
@@ -132,3 +132,14 @@ drm-i915-clear-the-gpu-reloc-batch.patch
 bcache-fix-typo-from-suup-to-supp-in-features.h.patch
 bcache-check-unsupported-feature-sets-for-bcache-register.patch
 bcache-introduce-bch_feature_incompat_log_large_bucket_size-for-large-bucket.patch
+net-mlx5e-fix-swp-offsets-when-vlan-inserted-by-driver.patch
+arm-dts-omap3-disable-aes-on-n950-n9.patch
+netfilter-x_tables-update-remaining-dereference-to-rcu.patch
+netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch
+netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch
+netfilter-nft_dynset-report-eopnotsupp-on-missing-set-feature.patch
+dmaengine-idxd-off-by-one-in-cleanup-code.patch
+x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch
+kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch
+xsk-fix-memory-leak-for-failed-bind.patch
+rtlwifi-rise-completion-at-the-last-step-of-firmware-callback.patch
diff --git a/queue-5.10/x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch b/queue-5.10/x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch
new file mode 100644 (file)
index 0000000..7ea7a06
--- /dev/null
@@ -0,0 +1,62 @@
+From cb7f4a8b1fb426a175d1708f05581939c61329d4 Mon Sep 17 00:00:00 2001
+From: Ying-Tsun Huang <ying-tsun.huang@amd.com>
+Date: Tue, 15 Dec 2020 15:07:20 +0800
+Subject: x86/mtrr: Correct the range check before performing MTRR type lookups
+
+From: Ying-Tsun Huang <ying-tsun.huang@amd.com>
+
+commit cb7f4a8b1fb426a175d1708f05581939c61329d4 upstream.
+
+In mtrr_type_lookup(), if the input memory address region is not in the
+MTRR, over 4GB, and not over the top of memory, a write-back attribute
+is returned. These condition checks are for ensuring the input memory
+address region is actually mapped to the physical memory.
+
+However, if the end address is just aligned with the top of memory,
+the condition check treats the address is over the top of memory, and
+write-back attribute is not returned.
+
+And this hits in a real use case with NVDIMM: the nd_pmem module tries
+to map NVDIMMs as cacheable memories when NVDIMMs are connected. If a
+NVDIMM is the last of the DIMMs, the performance of this NVDIMM becomes
+very low since it is aligned with the top of memory and its memory type
+is uncached-minus.
+
+Move the input end address change to inclusive up into
+mtrr_type_lookup(), before checking for the top of memory in either
+mtrr_type_lookup_{variable,fixed}() helpers.
+
+ [ bp: Massage commit message. ]
+
+Fixes: 0cc705f56e40 ("x86/mm/mtrr: Clean up mtrr_type_lookup()")
+Signed-off-by: Ying-Tsun Huang <ying-tsun.huang@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20201215070721.4349-1-ying-tsun.huang@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mtrr/generic.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mtrr/generic.c
++++ b/arch/x86/kernel/cpu/mtrr/generic.c
+@@ -167,9 +167,6 @@ static u8 mtrr_type_lookup_variable(u64
+       *repeat = 0;
+       *uniform = 1;
+-      /* Make end inclusive instead of exclusive */
+-      end--;
+-
+       prev_match = MTRR_TYPE_INVALID;
+       for (i = 0; i < num_var_ranges; ++i) {
+               unsigned short start_state, end_state, inclusive;
+@@ -261,6 +258,9 @@ u8 mtrr_type_lookup(u64 start, u64 end,
+       int repeat;
+       u64 partial_end;
++      /* Make end inclusive instead of exclusive */
++      end--;
++
+       if (!mtrr_state_set)
+               return MTRR_TYPE_INVALID;
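Review bot: Moving `end--;` to the top of mtrr_type_lookup() changes the meaning of `end` for every later use in that function, not just the two helpers: any partial_end computation or repeat call further down (outside the hunk) that still treats end as exclusive would now be off by one, and an `end` of 0 wraps to all ones before the `mtrr_state_set` check. Worth confirming those uses and extending the comment to `/* Make end inclusive instead of exclusive; every use of end below assumes this. */`. The function's body continues past the hunk.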
diff --git a/queue-5.10/xsk-fix-memory-leak-for-failed-bind.patch b/queue-5.10/xsk-fix-memory-leak-for-failed-bind.patch
new file mode 100644 (file)
index 0000000..ed891d5
--- /dev/null
@@ -0,0 +1,67 @@
+From 8bee683384087a6275c9183a483435225f7bb209 Mon Sep 17 00:00:00 2001
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+Date: Mon, 14 Dec 2020 09:51:27 +0100
+Subject: xsk: Fix memory leak for failed bind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+commit 8bee683384087a6275c9183a483435225f7bb209 upstream.
+
+Fix a possible memory leak when a bind of an AF_XDP socket fails. When
+the fill and completion rings are created, they are tied to the
+socket. But when the buffer pool is later created at bind time, the
+ownership of these two rings are transferred to the buffer pool as
+they might be shared between sockets (and the buffer pool cannot be
+created until we know what we are binding to). So, before the buffer
+pool is created, these two rings are cleaned up with the socket, and
+after they have been transferred they are cleaned up together with
+the buffer pool.
+
+The problem is that ownership was transferred before it was absolutely
+certain that the buffer pool could be created and initialized
+correctly and when one of these errors occurred, the fill and
+completion rings did neither belong to the socket nor the pool and
+where therefore leaked. Solve this by moving the ownership transfer
+to the point where the buffer pool has been completely set up and
+there is no way it can fail.
+
+Fixes: 7361f9c3d719 ("xsk: Move fill and completion rings to buffer pool")
+Reported-by: syzbot+cfa88ddd0655afa88763@syzkaller.appspotmail.com
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Björn Töpel <bjorn.topel@intel.com>
+Link: https://lore.kernel.org/bpf/20201214085127.3960-1-magnus.karlsson@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xdp/xsk.c           |    4 ++++
+ net/xdp/xsk_buff_pool.c |    2 --
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -772,6 +772,10 @@ static int xsk_bind(struct socket *sock,
+               }
+       }
++      /* FQ and CQ are now owned by the buffer pool and cleaned up with it. */
++      xs->fq_tmp = NULL;
++      xs->cq_tmp = NULL;
++
+       xs->dev = dev;
+       xs->zc = xs->umem->zc;
+       xs->queue_id = qid;
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -75,8 +75,6 @@ struct xsk_buff_pool *xp_create_and_assi
+       pool->fq = xs->fq_tmp;
+       pool->cq = xs->cq_tmp;
+-      xs->fq_tmp = NULL;
+-      xs->cq_tmp = NULL;
+       for (i = 0; i < pool->free_heads_cnt; i++) {
+               xskb = &pool->heads[i];