--- /dev/null
+From 3cfc183052c3dbf8eae57b6c1685dab00ed3db4a Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Sat, 16 Oct 2021 23:04:46 +0200
+Subject: drm: mxsfb: Fix NULL pointer dereference crash on unload
+
+From: Marek Vasut <marex@denx.de>
+
+commit 3cfc183052c3dbf8eae57b6c1685dab00ed3db4a upstream.
+
+The mxsfb->crtc.funcs may already be NULL when unloading the driver,
+in which case calling mxsfb_irq_disable() via drm_irq_uninstall() from
+mxsfb_unload() leads to NULL pointer dereference.
+
+Since all we care about is masking the IRQ and mxsfb->base is still
+valid, just use that to clear and mask the IRQ.
+
+Fixes: ae1ed00932819 ("drm: mxsfb: Stop using DRM simple display pipeline helper")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Daniel Abrecht <public@danielabrecht.ch>
+Cc: Emil Velikov <emil.l.velikov@gmail.com>
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211016210446.171616-1-marex@denx.de
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/mxsfb/mxsfb_drv.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/mxsfb/mxsfb_drv.c
++++ b/drivers/gpu/drm/mxsfb/mxsfb_drv.c
+@@ -268,7 +268,11 @@ static void mxsfb_irq_disable(struct drm
+ struct mxsfb_drm_private *mxsfb = drm->dev_private;
+
+ mxsfb_enable_axi_clk(mxsfb);
+- mxsfb->crtc.funcs->disable_vblank(&mxsfb->crtc);
++
++ /* Disable and clear VBLANK IRQ */
++ writel(CTRL1_CUR_FRAME_DONE_IRQ_EN, mxsfb->base + LCDC_CTRL1 + REG_CLR);
++ writel(CTRL1_CUR_FRAME_DONE_IRQ, mxsfb->base + LCDC_CTRL1 + REG_CLR);
++
+ mxsfb_disable_axi_clk(mxsfb);
+ }
+
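Review bot: The new comment above the two `writel()` calls in mxsfb_irq_disable() says what the writes do but not why the CRTC callback is bypassed, and that reason is the whole fix. Per the commit message, `mxsfb->crtc.funcs` may already be NULL on unload, so I would extend it to `/* crtc.funcs may be NULL on unload; mask and ack the VBLANK IRQ directly through mxsfb->base */`. Without that, a later cleanup could plausibly restore the `disable_vblank()` call and bring the NULL dereference back. The function's opening lines are outside the hunk.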
--- /dev/null
+From 1f3e2e97c003f80c4b087092b225c8787ff91e4d Mon Sep 17 00:00:00 2001
+From: Xiaolong Huang <butterflyhuangxx@gmail.com>
+Date: Fri, 8 Oct 2021 14:58:30 +0800
+Subject: isdn: cpai: check ctr->cnr to avoid array index out of bound
+
+From: Xiaolong Huang <butterflyhuangxx@gmail.com>
+
+commit 1f3e2e97c003f80c4b087092b225c8787ff91e4d upstream.
+
+The cmtp_add_connection() would add a cmtp session to a controller
+and run a kernel thread to process cmtp.
+
+ __module_get(THIS_MODULE);
+ session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
+ session->num);
+
+During this process, the kernel thread would call detach_capi_ctr()
+to detach a register controller. if the controller
+was not attached yet, detach_capi_ctr() would
+trigger an array-index-out-bounds bug.
+
+[ 46.866069][ T6479] UBSAN: array-index-out-of-bounds in
+drivers/isdn/capi/kcapi.c:483:21
+[ 46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]'
+[ 46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted
+5.15.0-rc2+ #8
+[ 46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX,
+1996), BIOS 1.14.0-2 04/01/2014
+[ 46.870107][ T6479] Call Trace:
+[ 46.870473][ T6479] dump_stack_lvl+0x57/0x7d
+[ 46.870974][ T6479] ubsan_epilogue+0x5/0x40
+[ 46.871458][ T6479] __ubsan_handle_out_of_bounds.cold+0x43/0x48
+[ 46.872135][ T6479] detach_capi_ctr+0x64/0xc0
+[ 46.872639][ T6479] cmtp_session+0x5c8/0x5d0
+[ 46.873131][ T6479] ? __init_waitqueue_head+0x60/0x60
+[ 46.873712][ T6479] ? cmtp_add_msgpart+0x120/0x120
+[ 46.874256][ T6479] kthread+0x147/0x170
+[ 46.874709][ T6479] ? set_kthread_struct+0x40/0x40
+[ 46.875248][ T6479] ret_from_fork+0x1f/0x30
+[ 46.875773][ T6479]
+
+Signed-off-by: Xiaolong Huang <butterflyhuangxx@gmail.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20211008065830.305057-1-butterflyhuangxx@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/capi/kcapi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/isdn/capi/kcapi.c
++++ b/drivers/isdn/capi/kcapi.c
+@@ -480,6 +480,11 @@ int detach_capi_ctr(struct capi_ctr *ctr
+
+ ctr_down(ctr, CAPI_CTR_DETACHED);
+
++ if (ctr->cnr < 1 || ctr->cnr - 1 >= CAPI_MAXCONTR) {
++ err = -EINVAL;
++ goto unlock_out;
++ }
++
+ if (capi_controller[ctr->cnr - 1] != ctr) {
+ err = -EINVAL;
+ goto unlock_out;
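Review bot: The added range check on `ctr->cnr` sits after `ctr_down(ctr, CAPI_CTR_DETACHED)`, so a controller that was never attached still goes through ctr_down() before being rejected with -EINVAL. ctr_down() is not visible here, so whether that is harmless needs confirming; if it touches per-controller state, moving the check above the call would be the safer order. The condition would also read more directly as `if (ctr->cnr < 1 || ctr->cnr > CAPI_MAXCONTR)`. A comment such as `/* cnr is still 0 if the controller was never attached */` would record why an out-of-range index can occur, which matches the "index -1" in the UBSAN report. detach_capi_ctr() starts and ends outside the hunk.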
--- /dev/null
+From a3ca5281bb771d8103ea16f0a6a8a5df9a7fb4f3 Mon Sep 17 00:00:00 2001
+From: Chenyi Qiang <chenyi.qiang@intel.com>
+Date: Thu, 21 Oct 2021 15:10:22 +0800
+Subject: KVM: MMU: Reset mmu->pkru_mask to avoid stale data
+
+From: Chenyi Qiang <chenyi.qiang@intel.com>
+
+commit a3ca5281bb771d8103ea16f0a6a8a5df9a7fb4f3 upstream.
+
+When updating mmu->pkru_mask, the value can only be added but it isn't
+reset in advance. This will make mmu->pkru_mask keep the stale data.
+Fix this issue.
+
+Fixes: 2d344105f57c ("KVM, pkeys: introduce pkru_mask to cache conditions")
+Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
+Message-Id: <20211021071022.1140-1-chenyi.qiang@intel.com>
+Reviewed-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/mmu/mmu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/mmu/mmu.c
++++ b/arch/x86/kvm/mmu/mmu.c
+@@ -4465,10 +4465,10 @@ static void update_pkru_bitmask(struct k
+ unsigned bit;
+ bool wp;
+
+- if (!is_cr4_pke(mmu)) {
+- mmu->pkru_mask = 0;
++ mmu->pkru_mask = 0;
++
++ if (!is_cr4_pke(mmu))
+ return;
+- }
+
+ wp = is_cr0_wp(mmu);
+
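Review bot: The now-unconditional `mmu->pkru_mask = 0;` in update_pkru_bitmask() has no comment, and the reason it must come first is not evident from the lines shown. According to the commit message, the rest of the function (outside this hunk) only ever adds bits to the mask, so protection-key permission bits from a previous MMU configuration would otherwise survive. A comment such as `/* Bits are only accumulated below, so clear the cached mask on every update. */` would keep a later cleanup from folding the reset back into the `!is_cr4_pke(mmu)` branch.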
--- /dev/null
+From baa1e5ca172ce7bf9554070139482dd7ea919528 Mon Sep 17 00:00:00 2001
+From: Peter Gonda <pgonda@google.com>
+Date: Fri, 15 Oct 2021 13:32:22 -0400
+Subject: KVM: SEV-ES: Set guest_state_protected after VMSA update
+
+From: Peter Gonda <pgonda@google.com>
+
+commit baa1e5ca172ce7bf9554070139482dd7ea919528 upstream.
+
+The refactoring in commit bb18a6777465 ("KVM: SEV: Acquire
+vcpu mutex when updating VMSA") left behind the assignment to
+svm->vcpu.arch.guest_state_protected; add it back.
+
+Signed-off-by: Peter Gonda <pgonda@google.com>
+[Delta between v2 and v3 of Peter's patch, which had already been
+ committed; the commit message is my own. - Paolo]
+Fixes: bb18a6777465 ("KVM: SEV: Acquire vcpu mutex when updating VMSA")
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/sev.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -619,7 +619,12 @@ static int __sev_launch_update_vmsa(stru
+ vmsa.handle = to_kvm_svm(kvm)->sev_info.handle;
+ vmsa.address = __sme_pa(svm->vmsa);
+ vmsa.len = PAGE_SIZE;
+- return sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_VMSA, &vmsa, error);
++ ret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_VMSA, &vmsa, error);
++ if (ret)
++ return ret;
++
++ vcpu->arch.guest_state_protected = true;
++ return 0;
+ }
+
+ static int sev_launch_update_vmsa(struct kvm *kvm, struct kvm_sev_cmd *argp)
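Review bot: The assignment `vcpu->arch.guest_state_protected = true;` is the security-relevant state change in __sev_launch_update_vmsa() and it carries no comment, although the commit message notes that an earlier refactoring already lost it once. I would add `/* VMSA is encrypted from here on; KVM must treat guest register state as inaccessible. */` above it. Setting the flag only after sev_issue_cmd() returns 0 looks right, since a failed LAUNCH_UPDATE_VMSA leaves it clear. `ret` and `vcpu` are declared outside the hunk, so their types cannot be checked here.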
--- /dev/null
+From fac3cb82a54a4b7c49c932f96ef196cf5774344c Mon Sep 17 00:00:00 2001
+From: Nikolay Aleksandrov <nikolay@nvidia.com>
+Date: Fri, 15 Oct 2021 12:05:46 +0300
+Subject: net: bridge: mcast: use multicast_membership_interval for IGMPv3
+
+From: Nikolay Aleksandrov <nikolay@nvidia.com>
+
+commit fac3cb82a54a4b7c49c932f96ef196cf5774344c upstream.
+
+When I added IGMPv3 support I decided to follow the RFC for computing
+the GMI dynamically:
+" 8.4. Group Membership Interval
+
+ The Group Membership Interval is the amount of time that must pass
+ before a multicast router decides there are no more members of a
+ group or a particular source on a network.
+
+ This value MUST be ((the Robustness Variable) times (the Query
+ Interval)) plus (one Query Response Interval)."
+
+But that actually is inconsistent with how the bridge used to compute it
+for IGMPv2, where it was user-configurable that has a correct default value
+but it is up to user-space to maintain it. This would make it consistent
+with the other timer values which are also maintained correct by the user
+instead of being dynamically computed. It also changes back to the previous
+user-expected GMI behaviour for IGMPv3 queries which were supported before
+IGMPv3 was added. Note that to properly compute it dynamically we would
+need to add support for "Robustness Variable" which is currently missing.
+
+Reported-by: Hangbin Liu <liuhangbin@gmail.com>
+Fixes: 0436862e417e ("net: bridge: mcast: support for IGMPv3/MLDv2 ALLOW_NEW_SOURCES report")
+Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_private.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -1002,9 +1002,7 @@ static inline unsigned long br_multicast
+
+ static inline unsigned long br_multicast_gmi(const struct net_bridge *br)
+ {
+- /* use the RFC default of 2 for QRV */
+- return 2 * br->multicast_query_interval +
+- br->multicast_query_response_interval;
++ return br->multicast_membership_interval;
+ }
+ #else
+ static inline int br_multicast_rcv(struct net_bridge *br,
--- /dev/null
+From adfb7b4966c0c4c63a791f202b8b3837b07a9ece Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Tue, 19 Oct 2021 22:16:31 +0800
+Subject: net: hns3: fix the max tx size according to user manual
+
+From: Yunsheng Lin <linyunsheng@huawei.com>
+
+commit adfb7b4966c0c4c63a791f202b8b3837b07a9ece upstream.
+
+Currently the max tx size supported by the hw is calculated by
+using the max BD num supported by the hw. According to the hw
+user manual, the max tx size is fixed value for both non-TSO and
+TSO skb.
+
+This patch updates the max tx size according to the manual.
+
+Fixes: 8ae10cfb5089("net: hns3: support tx-scatter-gather-fraglist feature")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 7 ++-----
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 6 ++----
+ 2 files changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -1845,7 +1845,6 @@ void hns3_shinfo_pack(struct skb_shared_
+
+ static int hns3_skb_linearize(struct hns3_enet_ring *ring,
+ struct sk_buff *skb,
+- u8 max_non_tso_bd_num,
+ unsigned int bd_num)
+ {
+ /* 'bd_num == UINT_MAX' means the skb' fraglist has a
+@@ -1862,8 +1861,7 @@ static int hns3_skb_linearize(struct hns
+ * will not help.
+ */
+ if (skb->len > HNS3_MAX_TSO_SIZE ||
+- (!skb_is_gso(skb) && skb->len >
+- HNS3_MAX_NON_TSO_SIZE(max_non_tso_bd_num))) {
++ (!skb_is_gso(skb) && skb->len > HNS3_MAX_NON_TSO_SIZE)) {
+ u64_stats_update_begin(&ring->syncp);
+ ring->stats.hw_limitation++;
+ u64_stats_update_end(&ring->syncp);
+@@ -1898,8 +1896,7 @@ static int hns3_nic_maybe_stop_tx(struct
+ goto out;
+ }
+
+- if (hns3_skb_linearize(ring, skb, max_non_tso_bd_num,
+- bd_num))
++ if (hns3_skb_linearize(ring, skb, bd_num))
+ return -ENOMEM;
+
+ bd_num = hns3_tx_bd_count(skb->len);
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h
+@@ -185,11 +185,9 @@ enum hns3_nic_state {
+
+ #define HNS3_MAX_BD_SIZE 65535
+ #define HNS3_MAX_TSO_BD_NUM 63U
+-#define HNS3_MAX_TSO_SIZE \
+- (HNS3_MAX_BD_SIZE * HNS3_MAX_TSO_BD_NUM)
++#define HNS3_MAX_TSO_SIZE 1048576U
++#define HNS3_MAX_NON_TSO_SIZE 9728U
+
+-#define HNS3_MAX_NON_TSO_SIZE(max_non_tso_bd_num) \
+- (HNS3_MAX_BD_SIZE * (max_non_tso_bd_num))
+
+ #define HNS3_VECTOR_GL0_OFFSET 0x100
+ #define HNS3_VECTOR_GL1_OFFSET 0x200
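Review bot: The new `HNS3_MAX_TSO_SIZE 1048576U` and `HNS3_MAX_NON_TSO_SIZE 9728U` in hns3_enet.h are bare magic numbers with no unit or source, while the commit message says they come from the hardware user manual. A comment such as `/* Max tx size in bytes, fixed by the hw user manual (not derived from the BD count) */` would say so; the unit is inferred from the comparison against `skb->len` in hns3_skb_linearize(). The hunk also leaves two consecutive blank lines where the old function-like macro was removed. Whether `max_non_tso_bd_num` in hns3_nic_maybe_stop_tx() still has a user after the argument was dropped cannot be told from the hns3_enet.c hunks shown.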
--- /dev/null
+From 77076934afdcd46516caf18ed88b2f88025c9ddb Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@gmail.com>
+Date: Tue, 5 Oct 2021 22:54:54 +0200
+Subject: netfilter: Kconfig: use 'default y' instead of 'm' for bool config option
+
+From: Vegard Nossum <vegard.nossum@gmail.com>
+
+commit 77076934afdcd46516caf18ed88b2f88025c9ddb upstream.
+
+This option, NF_CONNTRACK_SECMARK, is a bool, so it can never be 'm'.
+
+Fixes: 33b8e77605620 ("[NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option")
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -109,7 +109,7 @@ config NF_CONNTRACK_MARK
+ config NF_CONNTRACK_SECMARK
+ bool 'Connection tracking security mark support'
+ depends on NETWORK_SECMARK
+- default m if NETFILTER_ADVANCED=n
++ default y if NETFILTER_ADVANCED=n
+ help
+ This option enables security markings to be applied to
+ connections. Typically they are copied to connections from
--- /dev/null
+From 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Thu, 7 Oct 2021 19:44:30 +0200
+Subject: nfc: nci: fix the UAF of rf_conn_info object
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 upstream.
+
+The nci_core_conn_close_rsp_packet() function will release the conn_info
+with given conn_id. However, it needs to set the rf_conn_info to NULL to
+prevent other routines like nci_rf_intf_activated_ntf_packet() to trigger
+the UAF.
+
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/nci/rsp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/nci/rsp.c
++++ b/net/nfc/nci/rsp.c
+@@ -330,6 +330,8 @@ static void nci_core_conn_close_rsp_pack
+ ndev->cur_conn_id);
+ if (conn_info) {
+ list_del(&conn_info->list);
++ if (conn_info == ndev->rf_conn_info)
++ ndev->rf_conn_info = NULL;
+ devm_kfree(&ndev->nfc_dev->dev, conn_info);
+ }
+ }
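Review bot: Clearing `ndev->rf_conn_info` in nci_core_conn_close_rsp_packet() handles one alias of the freed conn_info, but the hunk does not show whether other cached pointers to the same object exist on ndev. Any that do would dangle in the same way after `devm_kfree()`, so this is worth confirming against the struct definition. A comment such as `/* rf_conn_info may alias this entry; drop it before the free */` would make the ordering requirement explicit. The function's start is outside the hunk.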
--- /dev/null
+From 3e6ed7703dae6838c104d73d3e76e9b79f5c0528 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 12 Oct 2021 18:37:09 +0200
+Subject: selftests: netfilter: remove stray bash debug line
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 3e6ed7703dae6838c104d73d3e76e9b79f5c0528 upstream.
+
+This should not be there.
+
+Fixes: 2de03b45236f ("selftests: netfilter: add flowtable test script")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/netfilter/nft_flowtable.sh | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/tools/testing/selftests/netfilter/nft_flowtable.sh
++++ b/tools/testing/selftests/netfilter/nft_flowtable.sh
+@@ -199,7 +199,6 @@ fi
+ # test basic connectivity
+ if ! ip netns exec ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then
+ echo "ERROR: ns1 cannot reach ns2" 1>&2
+- bash
+ exit 1
+ fi
+
kvm-x86-check-for-interrupts-before-deciding-whether-to-exit-the-fast-path.patch
kvm-x86-split-the-two-parts-of-emulator_pio_in.patch
kvm-x86-remove-unnecessary-arguments-from-complete_emulator_pio_in.patch
+nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch
+isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
+netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch
+selftests-netfilter-remove-stray-bash-debug-line.patch
+net-bridge-mcast-use-multicast_membership_interval-for-igmpv3.patch
+kvm-sev-es-set-guest_state_protected-after-vmsa-update.patch
+drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch
+net-hns3-fix-the-max-tx-size-according-to-user-manual.patch
+kvm-mmu-reset-mmu-pkru_mask-to-avoid-stale-data.patch