5.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 29 Oct 2021 08:15:02 +0000 (10:15 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 29 Oct 2021 08:15:02 +0000 (10:15 +0200)
added patches:
ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch
nfc-port100-fix-using-errno-as-command-type-mask.patch
pinctrl-amd-disable-and-mask-interrupts-on-probe.patch
revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch
tipc-fix-size-validations-for-the-msg_crypto-type.patch
usbnet-fix-error-return-code-in-usbnet_probe.patch
usbnet-sanity-check-for-maxpacket.patch

queue-5.14/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch [new file with mode: 0644]
queue-5.14/net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch [new file with mode: 0644]
queue-5.14/nfc-port100-fix-using-errno-as-command-type-mask.patch [new file with mode: 0644]
queue-5.14/pinctrl-amd-disable-and-mask-interrupts-on-probe.patch [new file with mode: 0644]
queue-5.14/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch [new file with mode: 0644]
queue-5.14/revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch [new file with mode: 0644]
queue-5.14/series
queue-5.14/tipc-fix-size-validations-for-the-msg_crypto-type.patch [new file with mode: 0644]
queue-5.14/usbnet-fix-error-return-code-in-usbnet_probe.patch [new file with mode: 0644]
queue-5.14/usbnet-sanity-check-for-maxpacket.patch [new file with mode: 0644]

diff --git a/queue-5.14/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch b/queue-5.14/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
new file mode 100644 (file)
index 0000000..bead79f
--- /dev/null
@@ -0,0 +1,38 @@
+From a0023bb9dd9bc439d44604eeec62426a990054cd Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Fri, 22 Oct 2021 09:12:26 +0000
+Subject: ata: sata_mv: Fix the error handling of mv_chip_id()
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+commit a0023bb9dd9bc439d44604eeec62426a990054cd upstream.
+
+mv_init_host() propagates the value returned by mv_chip_id() which in turn
+gets propagated by mv_pci_init_one() and hits local_pci_probe().
+
+During the process of driver probing, the probe function should return < 0
+for failure, otherwise, the kernel will treat value > 0 as success.
+
+Since this is a bug rather than a recoverable runtime error we should
+use dev_alert() instead of dev_err().
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/sata_mv.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -3896,8 +3896,8 @@ static int mv_chip_id(struct ata_host *h
+               break;
+       default:
+-              dev_err(host->dev, "BUG: invalid board index %u\n", board_idx);
+-              return 1;
++              dev_alert(host->dev, "BUG: invalid board index %u\n", board_idx);
++              return -EINVAL;
+       }
+       hpriv->hp_flags = hp_flags;
diff --git a/queue-5.14/net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch b/queue-5.14/net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch
new file mode 100644 (file)
index 0000000..b7a650b
--- /dev/null
@@ -0,0 +1,140 @@
+From da353fac65fede6b8b4cfe207f0d9408e3121105 Mon Sep 17 00:00:00 2001
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+Date: Wed, 27 Oct 2021 17:59:20 -0400
+Subject: net/tls: Fix flipped sign in tls_err_abort() calls
+
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+
+commit da353fac65fede6b8b4cfe207f0d9408e3121105 upstream.
+
+sk->sk_err appears to expect a positive value, a convention that ktls
+doesn't always follow and that leads to memory corruption in other code.
+For instance,
+
+    [kworker]
+    tls_encrypt_done(..., err=<negative error from crypto request>)
+      tls_err_abort(.., err)
+        sk->sk_err = err;
+
+    [task]
+    splice_from_pipe_feed
+      ...
+        tls_sw_do_sendpage
+          if (sk->sk_err) {
+            ret = -sk->sk_err;  // ret is positive
+
+    splice_from_pipe_feed (continued)
+      ret = actor(...)  // ret is still positive and interpreted as bytes
+                        // written, resulting in underflow of buf->len and
+                        // sd->len, leading to huge buf->offset and bogus
+                        // addresses computed in later calls to actor()
+
+Fix all tls_err_abort() callers to pass a negative error code
+consistently and centralize the error-prone sign flip there, throwing in
+a warning to catch future misuse and uninlining the function so it
+really does only warn once.
+
+Cc: stable@vger.kernel.org
+Fixes: c46234ebb4d1e ("tls: RX path for ktls")
+Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tls.h |    9 ++-------
+ net/tls/tls_sw.c  |   17 +++++++++++++----
+ 2 files changed, 15 insertions(+), 11 deletions(-)
+
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -358,6 +358,7 @@ int tls_sk_query(struct sock *sk, int op
+               int __user *optlen);
+ int tls_sk_attach(struct sock *sk, int optname, char __user *optval,
+                 unsigned int optlen);
++void tls_err_abort(struct sock *sk, int err);
+ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx);
+ void tls_sw_strparser_arm(struct sock *sk, struct tls_context *ctx);
+@@ -466,12 +467,6 @@ static inline bool tls_is_sk_tx_device_o
+ #endif
+ }
+-static inline void tls_err_abort(struct sock *sk, int err)
+-{
+-      sk->sk_err = err;
+-      sk_error_report(sk);
+-}
+-
+ static inline bool tls_bigint_increment(unsigned char *seq, int len)
+ {
+       int i;
+@@ -512,7 +507,7 @@ static inline void tls_advance_record_sn
+                                        struct cipher_context *ctx)
+ {
+       if (tls_bigint_increment(ctx->rec_seq, prot->rec_seq_size))
+-              tls_err_abort(sk, EBADMSG);
++              tls_err_abort(sk, -EBADMSG);
+       if (prot->version != TLS_1_3_VERSION &&
+           prot->cipher_type != TLS_CIPHER_CHACHA20_POLY1305)
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -35,6 +35,7 @@
+  * SOFTWARE.
+  */
++#include <linux/bug.h>
+ #include <linux/sched/signal.h>
+ #include <linux/module.h>
+ #include <linux/splice.h>
+@@ -43,6 +44,14 @@
+ #include <net/strparser.h>
+ #include <net/tls.h>
++noinline void tls_err_abort(struct sock *sk, int err)
++{
++      WARN_ON_ONCE(err >= 0);
++      /* sk->sk_err should contain a positive error code. */
++      sk->sk_err = -err;
++      sk_error_report(sk);
++}
++
+ static int __skb_nsg(struct sk_buff *skb, int offset, int len,
+                      unsigned int recursion_level)
+ {
+@@ -419,7 +428,7 @@ int tls_tx_records(struct sock *sk, int
+ tx_err:
+       if (rc < 0 && rc != -EAGAIN)
+-              tls_err_abort(sk, EBADMSG);
++              tls_err_abort(sk, -EBADMSG);
+       return rc;
+ }
+@@ -763,7 +772,7 @@ static int tls_push_record(struct sock *
+                              msg_pl->sg.size + prot->tail_size, i);
+       if (rc < 0) {
+               if (rc != -EINPROGRESS) {
+-                      tls_err_abort(sk, EBADMSG);
++                      tls_err_abort(sk, -EBADMSG);
+                       if (split) {
+                               tls_ctx->pending_open_record_frags = true;
+                               tls_merge_open_record(sk, rec, tmp, orig_end);
+@@ -1827,7 +1836,7 @@ int tls_sw_recvmsg(struct sock *sk,
+               err = decrypt_skb_update(sk, skb, &msg->msg_iter,
+                                        &chunk, &zc, async_capable);
+               if (err < 0 && err != -EINPROGRESS) {
+-                      tls_err_abort(sk, EBADMSG);
++                      tls_err_abort(sk, -EBADMSG);
+                       goto recv_end;
+               }
+@@ -2007,7 +2016,7 @@ ssize_t tls_sw_splice_read(struct socket
+               }
+               if (err < 0) {
+-                      tls_err_abort(sk, EBADMSG);
++                      tls_err_abort(sk, -EBADMSG);
+                       goto splice_read_end;
+               }
+               ctx->decrypted = 1;
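Review bot: In the tls_err_abort() added to net/tls/tls_sw.c, `WARN_ON_ONCE(err >= 0)` reports a caller that passes a non-negative value, but the next line still stores `-err`, so a positive argument leaves a negative sk->sk_err. That is the same sign confusion the commit message ties to the length underflow in the splice path. Using the result of the warning to substitute a known-negative code would keep a future misuse out of sk_err, for example `if (WARN_ON_ONCE(err >= 0)) err = -EBADMSG;` before the assignment; whether -EBADMSG is the right fallback is for the maintainers to decide. The existing comment could also say that callers must pass a negative errno, since that contract is now enforced only by the warning.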
diff --git a/queue-5.14/nfc-port100-fix-using-errno-as-command-type-mask.patch b/queue-5.14/nfc-port100-fix-using-errno-as-command-type-mask.patch
new file mode 100644 (file)
index 0000000..a5f23a8
--- /dev/null
@@ -0,0 +1,43 @@
+From 2195f2062e4cc93870da8e71c318ef98a1c51cef Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Mon, 25 Oct 2021 16:49:36 +0200
+Subject: nfc: port100: fix using -ERRNO as command type mask
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit 2195f2062e4cc93870da8e71c318ef98a1c51cef upstream.
+
+During probing, the driver tries to get a list (mask) of supported
+command types in port100_get_command_type_mask() function.  The value
+is u64 and 0 is treated as invalid mask (no commands supported).  The
+function however returns also -ERRNO as u64 which will be interpret as
+valid command mask.
+
+Return 0 on every error case of port100_get_command_type_mask(), so the
+probing will stop.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/port100.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/nfc/port100.c
++++ b/drivers/nfc/port100.c
+@@ -1003,11 +1003,11 @@ static u64 port100_get_command_type_mask
+       skb = port100_alloc_skb(dev, 0);
+       if (!skb)
+-              return -ENOMEM;
++              return 0;
+       resp = port100_send_cmd_sync(dev, PORT100_CMD_GET_COMMAND_TYPE, skb);
+       if (IS_ERR(resp))
+-              return PTR_ERR(resp);
++              return 0;
+       if (resp->len < 8)
+               mask = 0;
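Review bot: port100_get_command_type_mask() now folds three different failures into the single return value 0 (skb allocation, a failed PORT100_CMD_GET_COMMAND_TYPE transfer, and a response shorter than 8 bytes), and nothing in the hunk records which one happened. A comment on the function should state the contract so a later edit does not put an errno back into a u64 return, e.g. `/* Returns the supported command type mask, or 0 on any error; never a negative errno. */`. Unless the caller already logs the probe failure, a log line in the two changed error branches would keep the cause visible in dmesg. The function starts and ends outside the hunk, so the caller's handling of 0 is not visible here.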
diff --git a/queue-5.14/pinctrl-amd-disable-and-mask-interrupts-on-probe.patch b/queue-5.14/pinctrl-amd-disable-and-mask-interrupts-on-probe.patch
new file mode 100644 (file)
index 0000000..d0f5fe4
--- /dev/null
@@ -0,0 +1,73 @@
+From 4e5a04be88fe335ad5331f4f8c17f4ebd357e065 Mon Sep 17 00:00:00 2001
+From: Sachi King <nakato@nakato.io>
+Date: Sat, 9 Oct 2021 14:32:40 +1100
+Subject: pinctrl: amd: disable and mask interrupts on probe
+
+From: Sachi King <nakato@nakato.io>
+
+commit 4e5a04be88fe335ad5331f4f8c17f4ebd357e065 upstream.
+
+Some systems such as the Microsoft Surface Laptop 4 leave interrupts
+enabled and configured for use in sleep states on boot, which cause
+unexpected behaviour such as spurious wakes and failed resumes in
+s2idle states.
+
+As interrupts should not be enabled until they are claimed and
+explicitly enabled, disabling any interrupts mistakenly left enabled by
+firmware should be safe.
+
+Signed-off-by: Sachi King <nakato@nakato.io>
+Link: https://lore.kernel.org/r/20211009033240.21543-1-nakato@nakato.io
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-amd.c |   31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -832,6 +832,34 @@ static const struct pinconf_ops amd_pinc
+       .pin_config_group_set = amd_pinconf_group_set,
+ };
++static void amd_gpio_irq_init(struct amd_gpio *gpio_dev)
++{
++      struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
++      unsigned long flags;
++      u32 pin_reg, mask;
++      int i;
++
++      mask = BIT(WAKE_CNTRL_OFF_S0I3) | BIT(WAKE_CNTRL_OFF_S3) |
++              BIT(INTERRUPT_MASK_OFF) | BIT(INTERRUPT_ENABLE_OFF) |
++              BIT(WAKE_CNTRL_OFF_S4);
++
++      for (i = 0; i < desc->npins; i++) {
++              int pin = desc->pins[i].number;
++              const struct pin_desc *pd = pin_desc_get(gpio_dev->pctrl, pin);
++
++              if (!pd)
++                      continue;
++
++              raw_spin_lock_irqsave(&gpio_dev->lock, flags);
++
++              pin_reg = readl(gpio_dev->base + i * 4);
++              pin_reg &= ~mask;
++              writel(pin_reg, gpio_dev->base + i * 4);
++
++              raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
++      }
++}
++
+ #ifdef CONFIG_PM_SLEEP
+ static bool amd_gpio_should_save(struct amd_gpio *gpio_dev, unsigned int pin)
+ {
+@@ -969,6 +997,9 @@ static int amd_gpio_probe(struct platfor
+               return PTR_ERR(gpio_dev->pctrl);
+       }
++      /* Disable and mask interrupts */
++      amd_gpio_irq_init(gpio_dev);
++
+       girq = &gpio_dev->gc.irq;
+       girq->chip = &amd_gpio_irqchip;
+       /* This will let us handle the parent IRQ in the driver */
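Review bot: In amd_gpio_irq_init() the descriptor is looked up by pin number (`pin = desc->pins[i].number`) but the register is addressed by the loop index (`gpio_dev->base + i * 4`), so the two agree only when pin numbers run contiguously from zero. If the pin table has gaps, the loop clears the interrupt and wake bits in another pin's register and leaves some firmware-enabled interrupts untouched, which is the condition this patch is meant to remove. Using the pin number for the offset keeps the lookup and the register access in step: `pin_reg = readl(gpio_dev->base + pin * 4);` and `writel(pin_reg, gpio_dev->base + pin * 4);`.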
diff --git a/queue-5.14/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch b/queue-5.14/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
new file mode 100644 (file)
index 0000000..6b404fe
--- /dev/null
@@ -0,0 +1,44 @@
+From 10eff1f5788b6ffac212c254e2f3666219576889 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 30 Sep 2021 20:49:42 +0300
+Subject: Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 10eff1f5788b6ffac212c254e2f3666219576889 upstream.
+
+This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.
+
+This patch is correct in the sense that we _should_ call device_put() in
+case of device_register() failure, but the problem in this code is more
+vast.
+
+We need to set bus->state to UNMDIOBUS_REGISTERED before calling
+device_register() to correctly release the device in mdiobus_free().
+This patch prevents us from doing it, since in case of device_register()
+failure put_device() will be called 2 times and it will cause UAF or
+something else.
+
+Also, Reported-by: tag in revered commit was wrong, since syzbot
+reported different leak in same function.
+
+Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
+Acked-by: Yanfei Xu <yanfei.xu@windriver.com>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/f12fb1faa4eccf0f355788225335eb4309ff2599.1633024062.git.paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio_bus.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -548,7 +548,6 @@ int __mdiobus_register(struct mii_bus *b
+       err = device_register(&bus->dev);
+       if (err) {
+               pr_err("mii_bus %s failed to register\n", bus->id);
+-              put_device(&bus->dev);
+               return -EINVAL;
+       }
diff --git a/queue-5.14/revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch b/queue-5.14/revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch
new file mode 100644 (file)
index 0000000..2e1ce54
--- /dev/null
@@ -0,0 +1,110 @@
+From 6dba4bdfd7a30e77b848a45404b224588bf989e5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 8 Oct 2021 22:59:38 +0200
+Subject: Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+commit 6dba4bdfd7a30e77b848a45404b224588bf989e5 upstream.
+
+This reverts commit a49d784d5a8272d0f63c448fe8dc69e589db006e.
+
+The updated binding was wrong / invalid and has been reverted. There
+isn't any upstream kernel DTS using it and Broadcom isn't known to use
+it neither. There is close to zero chance this will cause regression for
+anyone.
+
+Actually in-kernel bcm5301x.dtsi still uses the old good binding and so
+it's broken since the driver update. This revert fixes it.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Link: https://lore.kernel.org/r/20211008205938.29925-3-zajec5@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/bcm/pinctrl-ns.c |   29 ++++++++++-------------------
+ 1 file changed, 10 insertions(+), 19 deletions(-)
+
+--- a/drivers/pinctrl/bcm/pinctrl-ns.c
++++ b/drivers/pinctrl/bcm/pinctrl-ns.c
+@@ -5,7 +5,6 @@
+ #include <linux/err.h>
+ #include <linux/io.h>
+-#include <linux/mfd/syscon.h>
+ #include <linux/module.h>
+ #include <linux/of.h>
+ #include <linux/of_device.h>
+@@ -13,7 +12,6 @@
+ #include <linux/pinctrl/pinctrl.h>
+ #include <linux/pinctrl/pinmux.h>
+ #include <linux/platform_device.h>
+-#include <linux/regmap.h>
+ #include <linux/slab.h>
+ #define FLAG_BCM4708          BIT(1)
+@@ -24,8 +22,7 @@ struct ns_pinctrl {
+       struct device *dev;
+       unsigned int chipset_flag;
+       struct pinctrl_dev *pctldev;
+-      struct regmap *regmap;
+-      u32 offset;
++      void __iomem *base;
+       struct pinctrl_desc pctldesc;
+       struct ns_pinctrl_group *groups;
+@@ -232,9 +229,9 @@ static int ns_pinctrl_set_mux(struct pin
+               unset |= BIT(pin_number);
+       }
+-      regmap_read(ns_pinctrl->regmap, ns_pinctrl->offset, &tmp);
++      tmp = readl(ns_pinctrl->base);
+       tmp &= ~unset;
+-      regmap_write(ns_pinctrl->regmap, ns_pinctrl->offset, tmp);
++      writel(tmp, ns_pinctrl->base);
+       return 0;
+ }
+@@ -266,13 +263,13 @@ static const struct of_device_id ns_pinc
+ static int ns_pinctrl_probe(struct platform_device *pdev)
+ {
+       struct device *dev = &pdev->dev;
+-      struct device_node *np = dev->of_node;
+       const struct of_device_id *of_id;
+       struct ns_pinctrl *ns_pinctrl;
+       struct pinctrl_desc *pctldesc;
+       struct pinctrl_pin_desc *pin;
+       struct ns_pinctrl_group *group;
+       struct ns_pinctrl_function *function;
++      struct resource *res;
+       int i;
+       ns_pinctrl = devm_kzalloc(dev, sizeof(*ns_pinctrl), GFP_KERNEL);
+@@ -290,18 +287,12 @@ static int ns_pinctrl_probe(struct platf
+               return -EINVAL;
+       ns_pinctrl->chipset_flag = (uintptr_t)of_id->data;
+-      ns_pinctrl->regmap = syscon_node_to_regmap(of_get_parent(np));
+-      if (IS_ERR(ns_pinctrl->regmap)) {
+-              int err = PTR_ERR(ns_pinctrl->regmap);
+-
+-              dev_err(dev, "Failed to map pinctrl regs: %d\n", err);
+-
+-              return err;
+-      }
+-
+-      if (of_property_read_u32(np, "offset", &ns_pinctrl->offset)) {
+-              dev_err(dev, "Failed to get register offset\n");
+-              return -ENOENT;
++      res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
++                                         "cru_gpio_control");
++      ns_pinctrl->base = devm_ioremap_resource(dev, res);
++      if (IS_ERR(ns_pinctrl->base)) {
++              dev_err(dev, "Failed to map pinctrl regs\n");
++              return PTR_ERR(ns_pinctrl->base);
+       }
+       memcpy(pctldesc, &ns_pinctrl_desc, sizeof(*pctldesc));
index 4c074cd49fc83e4ccfd66a3e308baf59becfd134..2943863936761b6c759c383e930b01d484ca9dde 100644 (file)
@@ -5,3 +5,12 @@ arm-9138-1-fix-link-warning-with-xip-frame-pointer.patch
 arm-9139-1-kprobes-fix-arch_init_kprobes-prototype.patch
 arm-9141-1-only-warn-about-xip-address-when-not-compile-testing.patch
 arm-9148-1-handle-config_cpu_endian_be32-in-arch-arm-kernel-head.s.patch
+usbnet-sanity-check-for-maxpacket.patch
+usbnet-fix-error-return-code-in-usbnet_probe.patch
+revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch
+pinctrl-amd-disable-and-mask-interrupts-on-probe.patch
+ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
+tipc-fix-size-validations-for-the-msg_crypto-type.patch
+nfc-port100-fix-using-errno-as-command-type-mask.patch
+revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
+net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch
diff --git a/queue-5.14/tipc-fix-size-validations-for-the-msg_crypto-type.patch b/queue-5.14/tipc-fix-size-validations-for-the-msg_crypto-type.patch
new file mode 100644 (file)
index 0000000..44afa44
--- /dev/null
@@ -0,0 +1,93 @@
+From fa40d9734a57bcbfa79a280189799f76c88f7bb0 Mon Sep 17 00:00:00 2001
+From: Max VA <maxv@sentinelone.com>
+Date: Mon, 25 Oct 2021 17:31:53 +0200
+Subject: tipc: fix size validations for the MSG_CRYPTO type
+
+From: Max VA <maxv@sentinelone.com>
+
+commit fa40d9734a57bcbfa79a280189799f76c88f7bb0 upstream.
+
+The function tipc_crypto_key_rcv is used to parse MSG_CRYPTO messages
+to receive keys from other nodes in the cluster in order to decrypt any
+further messages from them.
+This patch verifies that any supplied sizes in the message body are
+valid for the received message.
+
+Fixes: 1ef6f7c9390f ("tipc: add automatic session key exchange")
+Signed-off-by: Max VA <maxv@sentinelone.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/crypto.c |   32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -2285,43 +2285,53 @@ static bool tipc_crypto_key_rcv(struct t
+       u16 key_gen = msg_key_gen(hdr);
+       u16 size = msg_data_sz(hdr);
+       u8 *data = msg_data(hdr);
++      unsigned int keylen;
++
++      /* Verify whether the size can exist in the packet */
++      if (unlikely(size < sizeof(struct tipc_aead_key) + TIPC_AEAD_KEYLEN_MIN)) {
++              pr_debug("%s: message data size is too small\n", rx->name);
++              goto exit;
++      }
++
++      keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME)));
++
++      /* Verify the supplied size values */
++      if (unlikely(size != keylen + sizeof(struct tipc_aead_key) ||
++                   keylen > TIPC_AEAD_KEY_SIZE_MAX)) {
++              pr_debug("%s: invalid MSG_CRYPTO key size\n", rx->name);
++              goto exit;
++      }
+       spin_lock(&rx->lock);
+       if (unlikely(rx->skey || (key_gen == rx->key_gen && rx->key.keys))) {
+               pr_err("%s: key existed <%p>, gen %d vs %d\n", rx->name,
+                      rx->skey, key_gen, rx->key_gen);
+-              goto exit;
++              goto exit_unlock;
+       }
+       /* Allocate memory for the key */
+       skey = kmalloc(size, GFP_ATOMIC);
+       if (unlikely(!skey)) {
+               pr_err("%s: unable to allocate memory for skey\n", rx->name);
+-              goto exit;
++              goto exit_unlock;
+       }
+       /* Copy key from msg data */
+-      skey->keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME)));
++      skey->keylen = keylen;
+       memcpy(skey->alg_name, data, TIPC_AEAD_ALG_NAME);
+       memcpy(skey->key, data + TIPC_AEAD_ALG_NAME + sizeof(__be32),
+              skey->keylen);
+-      /* Sanity check */
+-      if (unlikely(size != tipc_aead_key_size(skey))) {
+-              kfree(skey);
+-              skey = NULL;
+-              goto exit;
+-      }
+-
+       rx->key_gen = key_gen;
+       rx->skey_mode = msg_key_mode(hdr);
+       rx->skey = skey;
+       rx->nokey = 0;
+       mb(); /* for nokey flag */
+-exit:
++exit_unlock:
+       spin_unlock(&rx->lock);
++exit:
+       /* Schedule the key attaching on this crypto */
+       if (likely(skey && queue_delayed_work(tx->wq, &rx->work, 0)))
+               return true;
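Review bot: In the second check added to tipc_crypto_key_rcv(), `size != keylen + sizeof(struct tipc_aead_key)` is written before the upper bound on `keylen`, and on a build where size_t is 32 bits that addition can wrap for a peer-supplied keylen near UINT_MAX. The `||` with `keylen > TIPC_AEAD_KEY_SIZE_MAX` still rejects that case, so the result is correct, but the safety depends on the two clauses staying together. Putting the bound first makes that explicit: `if (unlikely(keylen > TIPC_AEAD_KEY_SIZE_MAX ||` followed by `size != keylen + sizeof(struct tipc_aead_key))) {`, with a comment that keylen comes straight from the received message. The two new early `goto exit` paths reach the `skey` test after the label, and the declaration of `skey` is outside the hunk, so its NULL initialisation should be confirmed there.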
diff --git a/queue-5.14/usbnet-fix-error-return-code-in-usbnet_probe.patch b/queue-5.14/usbnet-fix-error-return-code-in-usbnet_probe.patch
new file mode 100644 (file)
index 0000000..340b302
--- /dev/null
@@ -0,0 +1,32 @@
+From 6f7c88691191e6c52ef2543d6f1da8d360b27a24 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Tue, 26 Oct 2021 20:40:15 +0800
+Subject: usbnet: fix error return code in usbnet_probe()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+commit 6f7c88691191e6c52ef2543d6f1da8d360b27a24 upstream.
+
+Return error code if usb_maxpacket() returns 0 in usbnet_probe()
+
+Fixes: 397430b50a36 ("usbnet: sanity check for maxpacket")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211026124015.3025136-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1790,6 +1790,7 @@ usbnet_probe (struct usb_interface *udev
+       dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
+       if (dev->maxpacket == 0) {
+               /* that is a broken device */
++              status = -ENODEV;
+               goto out4;
+       }
diff --git a/queue-5.14/usbnet-sanity-check-for-maxpacket.patch b/queue-5.14/usbnet-sanity-check-for-maxpacket.patch
new file mode 100644 (file)
index 0000000..4a4f6a4
--- /dev/null
@@ -0,0 +1,37 @@
+From 397430b50a363d8b7bdda00522123f82df6adc5e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 21 Oct 2021 14:29:44 +0200
+Subject: usbnet: sanity check for maxpacket
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 397430b50a363d8b7bdda00522123f82df6adc5e upstream.
+
+maxpacket of 0 makes no sense and oopses as we need to divide
+by it. Give up.
+
+V2: fixed typo in log and stylistic issues
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+76bb1d34ffa0adc03baa@syzkaller.appspotmail.com
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211021122944.21816-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1788,6 +1788,10 @@ usbnet_probe (struct usb_interface *udev
+       if (!dev->rx_urb_size)
+               dev->rx_urb_size = dev->hard_mtu;
+       dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
++      if (dev->maxpacket == 0) {
++              /* that is a broken device */
++              goto out4;
++      }
+       /* let userspace know we have a random address */
+       if (ether_addr_equal(net->dev_addr, node_id))