From: Sasha Levin Date: Sun, 22 Aug 2021 02:39:22 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v5.13.13~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=08c8d95eb7673006588a98466c7e746eb863fc38;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/dccp-add-do-while-0-stubs-for-dccp_pr_debug-macros.patch b/queue-4.4/dccp-add-do-while-0-stubs-for-dccp_pr_debug-macros.patch new file mode 100644 index 00000000000..6d185fe563e --- /dev/null +++ b/queue-4.4/dccp-add-do-while-0-stubs-for-dccp_pr_debug-macros.patch @@ -0,0 +1,54 @@ +From 3d0f94e5eeb80063398792330044b199b6f7bd0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Aug 2021 16:04:40 -0700 +Subject: dccp: add do-while-0 stubs for dccp_pr_debug macros + +From: Randy Dunlap + +[ Upstream commit 86aab09a4870bb8346c9579864588c3d7f555299 ] + +GCC complains about empty macros in an 'if' statement, so convert +them to 'do {} while (0)' macros. + +Fixes these build warnings: + +net/dccp/output.c: In function 'dccp_xmit_packet': +../net/dccp/output.c:283:71: warning: suggest braces around empty body in an 'if' statement [-Wempty-body] + 283 | dccp_pr_debug("transmit_skb() returned err=%d\n", err); +net/dccp/ackvec.c: In function 'dccp_ackvec_update_old': +../net/dccp/ackvec.c:163:80: warning: suggest braces around empty body in an 'else' statement [-Wempty-body] + 163 | (unsigned long long)seqno, state); + +Fixes: dc841e30eaea ("dccp: Extend CCID packet dequeueing interface") +Fixes: 380240864451 ("dccp ccid-2: Update code for the Ack Vector input/registration routine") +Signed-off-by: Randy Dunlap +Cc: dccp@vger.kernel.org +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: Gerrit Renker +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/dccp/dccp.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h +index b0e28d24e1a7..e50fc19690c8 100644 +--- a/net/dccp/dccp.h ++++ b/net/dccp/dccp.h +@@ -44,9 +44,9 @@ extern bool dccp_debug; + #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a) + #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a) + #else +-#define dccp_pr_debug(format, a...) +-#define dccp_pr_debug_cat(format, a...) +-#define dccp_debug(format, a...) ++#define dccp_pr_debug(format, a...) do {} while (0) ++#define dccp_pr_debug_cat(format, a...) do {} while (0) ++#define dccp_debug(format, a...) do {} while (0) + #endif + + extern struct inet_hashinfo dccp_hashinfo; +-- +2.30.2 + diff --git a/queue-4.4/net-6pack-fix-slab-out-of-bounds-in-decode_data.patch b/queue-4.4/net-6pack-fix-slab-out-of-bounds-in-decode_data.patch new file mode 100644 index 00000000000..f7ecf3edd77 --- /dev/null +++ b/queue-4.4/net-6pack-fix-slab-out-of-bounds-in-decode_data.patch @@ -0,0 +1,67 @@ +From 1c44b652ef4a3b43ce019a8ac2ee54ed5627fc9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 18:14:33 +0300 +Subject: net: 6pack: fix slab-out-of-bounds in decode_data + +From: Pavel Skripkin + +[ Upstream commit 19d1532a187669ce86d5a2696eb7275310070793 ] + +Syzbot reported slab-out-of bounds write in decode_data(). +The problem was in missing validation checks. + +Syzbot's reproducer generated malicious input, which caused +decode_data() to be called a lot in sixpack_decode(). Since +rx_count_cooked is only 400 bytes and noone reported before, +that 400 bytes is not enough, let's just check if input is malicious +and complain about buffer overrun. + +Fail log: +================================================================== +BUG: KASAN: slab-out-of-bounds in drivers/net/hamradio/6pack.c:843 +Write of size 1 at addr ffff888087c5544e by task kworker/u4:0/7 + +CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.6.0-rc3-syzkaller #0 +... +Workqueue: events_unbound flush_to_ldisc +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x197/0x210 lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 + __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:641 + __asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:137 + decode_data.part.0+0x23b/0x270 drivers/net/hamradio/6pack.c:843 + decode_data drivers/net/hamradio/6pack.c:965 [inline] + sixpack_decode drivers/net/hamradio/6pack.c:968 [inline] + +Reported-and-tested-by: syzbot+fc8cd9a673d4577fb2e4@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Pavel Skripkin +Reviewed-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/6pack.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c +index 732c68ed166a..cce901add654 100644 +--- a/drivers/net/hamradio/6pack.c ++++ b/drivers/net/hamradio/6pack.c +@@ -874,6 +874,12 @@ static void decode_data(struct sixpack *sp, unsigned char inbyte) + return; + } + ++ if (sp->rx_count_cooked + 2 >= sizeof(sp->cooked_buf)) { ++ pr_err("6pack: cooked buffer overrun, data loss\n"); ++ sp->rx_count = 0; ++ return; ++ } ++ + buf = sp->raw_buf; + sp->cooked_buf[sp->rx_count_cooked++] = + buf[0] | ((buf[1] << 2) & 0xc0); +-- +2.30.2 + diff --git a/queue-4.4/net-qlcnic-add-missed-unlock-in-qlcnic_83xx_flash_re.patch b/queue-4.4/net-qlcnic-add-missed-unlock-in-qlcnic_83xx_flash_re.patch new file mode 100644 index 00000000000..86221697e2b --- /dev/null +++ b/queue-4.4/net-qlcnic-add-missed-unlock-in-qlcnic_83xx_flash_re.patch @@ -0,0 +1,42 @@ +From af34b964c81222212c41b9354e614b2b90f82cb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Aug 2021 21:14:04 +0800 +Subject: net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 + +From: Dinghao Liu + +[ Upstream commit 0a298d133893c72c96e2156ed7cb0f0c4a306a3e ] + +qlcnic_83xx_unlock_flash() is called on all paths after we call +qlcnic_83xx_lock_flash(), except for one error path on failure +of QLCRD32(), which may cause a deadlock. This bug is suggested +by a static analysis tool, please advise. + +Fixes: 81d0aeb0a4fff ("qlcnic: flash template based firmware reset recovery") +Signed-off-by: Dinghao Liu +Link: https://lore.kernel.org/r/20210816131405.24024-1-dinghao.liu@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +index 75ac5cc2fc23..fc9c1e6f0ff5 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +@@ -3156,8 +3156,10 @@ int qlcnic_83xx_flash_read32(struct qlcnic_adapter *adapter, u32 flash_addr, + + indirect_addr = QLC_83XX_FLASH_DIRECT_DATA(addr); + ret = QLCRD32(adapter, indirect_addr, &err); +- if (err == -EIO) ++ if (err == -EIO) { ++ qlcnic_83xx_unlock_flash(adapter); + return err; ++ } + + word = ret; + *(u32 *)p_data = word; +-- +2.30.2 + diff --git a/queue-4.4/series b/queue-4.4/series index f98d4d95987..212bb2cdce9 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -19,3 +19,6 @@ dmaengine-of-dma-router_xlate-to-return-eprobe_defer.patch scsi-megaraid_mm-fix-end-of-loop-tests-for-list_for_.patch scsi-core-avoid-printing-an-error-if-target_alloc-re.patch bluetooth-hidp-use-correct-wait-queue-when-removing-.patch +dccp-add-do-while-0-stubs-for-dccp_pr_debug-macros.patch +net-6pack-fix-slab-out-of-bounds-in-decode_data.patch +net-qlcnic-add-missed-unlock-in-qlcnic_83xx_flash_re.patch