From: Sasha Levin
Date: Sun, 17 Sep 2023 02:27:56 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v5.10.195~23
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=046bd39f8d8d290f909150ff96b358d8082979e1;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.19
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/ixgbe-fix-timestamp-configuration-code.patch b/queue-4.19/ixgbe-fix-timestamp-configuration-code.patch
new file mode 100644
index 00000000000..7089c3f099a
--- /dev/null
+++ b/queue-4.19/ixgbe-fix-timestamp-configuration-code.patch
@@ -0,0 +1,149 @@
+From a7bdfd2c2de5a040a8d2c7a28e1b75e2ec32bbe0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Sep 2023 13:28:14 -0700
+Subject: ixgbe: fix timestamp configuration code
+
+From: Vadim Fedorenko
+
+[ Upstream commit 3c44191dd76cf9c0cc49adaf34384cbd42ef8ad2 ]
+
+The commit in fixes introduced flags to control the status of hardware
+configuration while processing packets. At the same time another structure
+is used to provide configuration of timestamper to user-space applications.
+The way it was coded makes this structures go out of sync easily. The
+repro is easy for 82599 chips:
+
+[root@hostname ~]# hwstamp_ctl -i eth0 -r 12 -t 1
+current settings:
+tx_type 0
+rx_filter 0
+new settings:
+tx_type 1
+rx_filter 12
+
+The eth0 device is properly configured to timestamp any PTPv2 events.
+
+[root@hostname ~]# hwstamp_ctl -i eth0 -r 1 -t 1
+current settings:
+tx_type 1
+rx_filter 12
+SIOCSHWTSTAMP failed: Numerical result out of range
+The requested time stamping mode is not supported by the hardware.
+
+The error is properly returned because HW doesn't support all packets
+timestamping. But the adapter->flags is cleared of timestamp flags
+even though no HW configuration was done. From that point no RX timestamps
+are received by user-space application. But configuration shows good
+values:
+
+[root@hostname ~]# hwstamp_ctl -i eth0
+current settings:
+tx_type 1
+rx_filter 12
+
+Fix the issue by applying new flags only when the HW was actually
+configured.
+
+Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices")
+Signed-off-by: Vadim Fedorenko
+Reviewed-by: Simon Horman
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 28 +++++++++++---------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
+index eec68cc9288c8..9c0e0ccbbe3cf 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
+@@ -844,6 +844,7 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ u32 tsync_tx_ctl = IXGBE_TSYNCTXCTL_ENABLED;
+ u32 tsync_rx_ctl = IXGBE_TSYNCRXCTL_ENABLED;
+ u32 tsync_rx_mtrl = PTP_EV_PORT << 16;
++ u32 aflags = adapter->flags;
+ bool is_l2 = false;
+ u32 regval;
+
+@@ -864,20 +865,20 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ case HWTSTAMP_FILTER_NONE:
+ tsync_rx_ctl = 0;
+ tsync_rx_mtrl = 0;
+- adapter->flags &= ~(IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
++ aflags &= ~(IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ break;
+ case HWTSTAMP_FILTER_PTP_V1_L4_SYNC:
+ tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_L4_V1;
+ tsync_rx_mtrl |= IXGBE_RXMTRL_V1_SYNC_MSG;
+- adapter->flags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
++ aflags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ break;
+ case HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ:
+ tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_L4_V1;
+ tsync_rx_mtrl |= IXGBE_RXMTRL_V1_DELAY_REQ_MSG;
+- adapter->flags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
++ aflags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ break;
+ case HWTSTAMP_FILTER_PTP_V2_EVENT:
+ case HWTSTAMP_FILTER_PTP_V2_L2_EVENT:
+@@ -891,8 +892,8 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_EVENT_V2;
+ is_l2 = true;
+ config->rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT;
+- adapter->flags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
++ aflags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ break;
+ case HWTSTAMP_FILTER_PTP_V1_L4_EVENT:
+ case HWTSTAMP_FILTER_NTP_ALL:
+@@ -903,7 +904,7 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ if (hw->mac.type >= ixgbe_mac_X550) {
+ tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_ALL;
+ config->rx_filter = HWTSTAMP_FILTER_ALL;
+- adapter->flags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED;
++ aflags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED;
+ break;
+ }
+ /* fall through */
+@@ -914,8 +915,6 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ * Delay_Req messages and hardware does not support
+ * timestamping all packets => return error
+ */
+- adapter->flags &= ~(IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ config->rx_filter = HWTSTAMP_FILTER_NONE;
+ return -ERANGE;
+ }
+@@ -947,8 +946,8 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ IXGBE_TSYNCRXCTL_TYPE_ALL |
+ IXGBE_TSYNCRXCTL_TSIP_UT_EN;
+ config->rx_filter = HWTSTAMP_FILTER_ALL;
+- adapter->flags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED;
+- adapter->flags &= ~IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER;
++ aflags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED;
++ aflags &= ~IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER;
+ is_l2 = true;
+ break;
+ default:
+@@ -981,6 +980,9 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+
+ IXGBE_WRITE_FLUSH(hw);
+
++ /* configure adapter flags only when HW is actually configured */
++ adapter->flags = aflags;
++
+ /* clear TX/RX time stamp registers, just to be sure */
+ ixgbe_ptp_clear_tx_timestamp(adapter);
+ IXGBE_READ_REG(hw, IXGBE_RXSTMPH);
+--
+2.40.1
+
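Review bot: The write-back `adapter->flags = aflags;` after IXGBE_WRITE_FLUSH in ixgbe_ptp_set_timestamp_mode() stores the whole flags word from a snapshot taken at function entry, so any other bit of adapter->flags that changes between the snapshot and the store would be silently reverted. Whether another context can modify adapter->flags in that window is not visible in these hunks, but the removed code only ever touched the two RX timestamp bits, and the new code can keep that property by merging just those bits: `const u32 ts_mask = IXGBE_FLAG_RX_HWTSTAMP_ENABLED | IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER;` followed by `adapter->flags = (adapter->flags & ~ts_mask) | (aflags & ts_mask);`. The function body begins and ends outside the hunks shown.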
diff --git a/queue-4.19/kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch b/queue-4.19/kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch
new file mode 100644
index 00000000000..b58cbff4b1f
--- /dev/null
+++ b/queue-4.19/kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch
@@ -0,0 +1,70 @@
+From 2790f087fc1ace4b6a73eb0d59b40a35f62a177e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Sep 2023 19:27:53 -0700
+Subject: kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit a22730b1b4bf437c6bbfdeff5feddf54be4aeada ]
+
+syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720
+("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by
+updating kcm_tx_msg(head)->last_skb if partial data is copied so that the
+following sendmsg() will resume from the skb.
+
+However, we cannot know how many bytes were copied when we get the error.
+Thus, we could mess up the MSG_MORE queue.
+
+When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we
+do so for UDP by udp_flush_pending_frames().
+
+Even without this change, when the error occurred, the following sendmsg()
+resumed from a wrong skb and the queue was messed up. However, we have
+yet to get such a report, and only syzkaller stumbled on it. So, this
+can be changed safely.
+
+Note this does not change SOCK_SEQPACKET behaviour.
+
+Fixes: c821a88bd720 ("kcm: Fix memory leak in error path of kcm_sendmsg()")
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Signed-off-by: Kuniyuki Iwashima
+Link: https://lore.kernel.org/r/20230912022753.33327-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/kcm/kcmsock.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index 8305e229b4ece..a82892c288600 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1065,17 +1065,18 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ out_error:
+ kcm_push(kcm);
+
+- if (copied && sock->type == SOCK_SEQPACKET) {
++ if (sock->type == SOCK_SEQPACKET) {
+ /* Wrote some bytes before encountering an
+ * error, return partial success.
+ */
+- goto partial_message;
+- }
+-
+- if (head != kcm->seq_skb)
++ if (copied)
++ goto partial_message;
++ if (head != kcm->seq_skb)
++ kfree_skb(head);
++ } else {
+ kfree_skb(head);
+- else if (copied)
+- kcm_tx_msg(head)->last_skb = skb;
++ kcm->seq_skb = NULL;
++ }
+
+ err = sk_stream_error(sk, msg->msg_flags, err);
+
+--
+2.40.1
+
diff --git a/queue-4.19/kcm-fix-memory-leak-in-error-path-of-kcm_sendmsg.patch b/queue-4.19/kcm-fix-memory-leak-in-error-path-of-kcm_sendmsg.patch
new file mode 100644
index 00000000000..b0788582706
--- /dev/null
+++ b/queue-4.19/kcm-fix-memory-leak-in-error-path-of-kcm_sendmsg.patch
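Review bot: The new `else` branch at out_error in kcm_sendmsg() (net/kcm/kcmsock.c, the sock_dgram error-handling patch) frees `head` and then clears `kcm->seq_skb` with no comment, while the SOCK_SEQPACKET branch keeps one. The NULL store is presumably what stops a later sendmsg() from resuming on the freed skb when `head` was the pending MSG_MORE message, so it deserves a line such as `/* SOCK_DGRAM: purge the pending MSG_MORE message and forget it, so the next sendmsg() cannot touch the freed head */`. The retained comment about partial success now sits above the whole SEQPACKET branch although it only describes the `if (copied)` case; moving it onto that test would keep it accurate. kcm_sendmsg() starts and ends outside the hunk.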
@@ -0,0 +1,65 @@
+From b75c2d70973b7d5fbb91e8e321889f44c86668dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 10 Sep 2023 02:03:10 +0900
+Subject: kcm: Fix memory leak in error path of kcm_sendmsg()
+
+From: Shigeru Yoshida
+
+[ Upstream commit c821a88bd720b0046433173185fd841a100d44ad ]
+
+syzbot reported a memory leak like below:
+
+BUG: memory leak
+unreferenced object 0xffff88810b088c00 (size 240):
+ comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s)
+ hex dump (first 32 bytes):
+ 00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634
+ [] alloc_skb include/linux/skbuff.h:1289 [inline]
+ [] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815
+ [] sock_sendmsg_nosec net/socket.c:725 [inline]
+ [] sock_sendmsg+0x56/0xb0 net/socket.c:748
+ [] ____sys_sendmsg+0x365/0x470 net/socket.c:2494
+ [] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548
+ [] __sys_sendmsg+0xa6/0x120 net/socket.c:2577
+ [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
+ [] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+In kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append
+newly allocated skbs to 'head'. If some bytes are copied, an error occurred,
+and jumped to out_error label, 'last_skb' is left unmodified. A later
+kcm_sendmsg() will use an obsoleted 'last_skb' reference, corrupting the
+'head' frag_list and causing the leak.
+
+This patch fixes this issue by properly updating the last allocated skb in
+'last_skb'.
+
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Reported-and-tested-by: syzbot+6f98de741f7dbbfc4ccb@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=6f98de741f7dbbfc4ccb
+Signed-off-by: Shigeru Yoshida
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/kcm/kcmsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index 55f1bf7a84490..8305e229b4ece 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1074,6 +1074,8 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+
+ if (head != kcm->seq_skb)
+ kfree_skb(head);
++ else if (copied)
++ kcm_tx_msg(head)->last_skb = skb;
+
+ err = sk_stream_error(sk, msg->msg_flags, err);
+
+--
+2.40.1
+
diff --git a/queue-4.19/net-ethernet-mtk_eth_soc-fix-possible-null-pointer-d.patch b/queue-4.19/net-ethernet-mtk_eth_soc-fix-possible-null-pointer-d.patch
new file mode 100644
index 00000000000..880fca87080
--- /dev/null
+++ b/queue-4.19/net-ethernet-mtk_eth_soc-fix-possible-null-pointer-d.patch
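Review bot: The added `kcm_tx_msg(head)->last_skb = skb;` at out_error in kcm_sendmsg() (the memory-leak patch) records `skb` as the append cursor without saying why `skb` is valid at that point. The store is only safe if `skb` is already chained to `head` on every path that reaches out_error with `copied` non-zero, which the hunk does not show, so a comment stating that invariant is worth adding, e.g. `/* skb is the last buffer already chained to head; keep the cursor in step for the next MSG_MORE send */`. This patch's post-image blob (8305e229b4ece) is also the pre-image of kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch, so the two have to stay in that order in the series file. kcm_sendmsg() starts and ends outside the hunk.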
@@ -0,0 +1,40 @@
+From 2a2b444717b707a3eb242f565df84305bc350fcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Sep 2023 14:19:50 +0800
+Subject: net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in
+ mtk_hwlro_get_fdir_all()
+
+From: Hangyu Hua
+
+[ Upstream commit e4c79810755f66c9a933ca810da2724133b1165a ]
+
+rule_locs is allocated in ethtool_get_rxnfc and the size is determined by
+rule_cnt from user space. So rule_cnt needs to be check before using
+rule_locs to avoid NULL pointer dereference.
+
+Fixes: 7aab747e5563 ("net: ethernet: mediatek: add ethtool functions to configure RX flows of HW LRO")
+Signed-off-by: Hangyu Hua
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 53cff913abf0b..1a4f96894cd70 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1621,6 +1621,9 @@ static int mtk_hwlro_get_fdir_all(struct net_device *dev,
+ int i;
+
+ for (i = 0; i < MTK_MAX_LRO_IP_CNT; i++) {
++ if (cnt == cmd->rule_cnt)
++ return -EMSGSIZE;
++
+ if (mac->hwlro_ip[i]) {
+ rule_locs[cnt] = i;
+ cnt++;
+--
+2.40.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index f996c7a8cff..b3ed1fc5d24 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -226,3 +226,7 @@ mtd-rawnand-brcmnand-fix-crash-during-the-panic_write.patch
 mtd-rawnand-brcmnand-fix-potential-out-of-bounds-access-in-oob-write.patch
 mtd-rawnand-brcmnand-fix-potential-false-time-out-warning.patch
 perf-hists-browser-fix-hierarchy-mode-header.patch
+net-ethernet-mtk_eth_soc-fix-possible-null-pointer-d.patch
+kcm-fix-memory-leak-in-error-path-of-kcm_sendmsg.patch
+ixgbe-fix-timestamp-configuration-code.patch
+kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch
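Review bot: In mtk_hwlro_get_fdir_all() (drivers/net/ethernet/mediatek/mtk_eth_soc.c) the added `if (cnt == cmd->rule_cnt) return -EMSGSIZE;` runs at the top of every loop iteration, before `mac->hwlro_ip[i]` is tested, so it also fires on empty slots. When the caller's rule_cnt equals the number of configured rules and a later slot is unused, the loop returns -EMSGSIZE although every rule already fitted in rule_locs. Moving the test into the branch that performs the write keeps the bound on `rule_locs[cnt]` without the false error: `if (mac->hwlro_ip[i]) {` then `if (cnt == cmd->rule_cnt) return -EMSGSIZE;` then `rule_locs[cnt] = i;`. The function continues past the end of the hunk, and the allocation in ethtool_get_rxnfc that the description refers to is not shown here.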