From: Greg Kroah-Hartman Date: Thu, 29 Oct 2020 11:34:20 +0000 (+0100) Subject: 5.9-stable patches X-Git-Tag: v4.19.154~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0b64d4ab6592f0c6861f5c231d322d83ee215905;p=thirdparty%2Fkernel%2Fstable-queue.git 5.9-stable patches added patches: cpufreq-improve-code-around-unlisted-freq-check.patch netfilter-nftables_offload-kasan-slab-out-of-bounds-read-in-nft_flow_rule_create.patch
---
diff --git a/queue-5.9/cpufreq-improve-code-around-unlisted-freq-check.patch b/queue-5.9/cpufreq-improve-code-around-unlisted-freq-check.patch
new file mode 100644
index 00000000000..04089b31d1c
--- /dev/null
+++ b/queue-5.9/cpufreq-improve-code-around-unlisted-freq-check.patch
@@ -0,0 +1,65 @@
+From 97148d0ae5303bcc18fcd1c9b968a9485292f32a Mon Sep 17 00:00:00 2001
+From: Viresh Kumar
+Date: Tue, 13 Oct 2020 10:42:47 +0530
+Subject: cpufreq: Improve code around unlisted freq check
+
+From: Viresh Kumar
+
+commit 97148d0ae5303bcc18fcd1c9b968a9485292f32a upstream.
+
+The cpufreq core checks if the frequency programmed by the bootloaders
+is not listed in the freq table and programs one from the table in such
+a case. This is done only if the driver has set the
+CPUFREQ_NEED_INITIAL_FREQ_CHECK flag.
+
+Currently we print two separate messages, with almost the same content,
+and do this with a pr_warn() which may be a bit too much as the driver
+only asked us to check this as it expected this to be the case. Lower
+down the severity of the print message by switching to pr_info() instead
+and print a single message only.
+
+Reported-by: Sumit Gupta
+Signed-off-by: Viresh Kumar
+Reviewed-by: Sumit Gupta
+Tested-by: Sumit Gupta
+Signed-off-by: Rafael J. Wysocki
+Cc: Jon Hunter
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/cpufreq/cpufreq.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1450,14 +1450,13 @@ static int cpufreq_online(unsigned int c
+ */
+ if ((cpufreq_driver->flags & CPUFREQ_NEED_INITIAL_FREQ_CHECK)
+ && has_target()) {
++ unsigned int old_freq = policy->cur;
++
+ /* Are we running at unknown frequency ? */
+- ret = cpufreq_frequency_table_get_index(policy, policy->cur);
++ ret = cpufreq_frequency_table_get_index(policy, old_freq);
+ if (ret == -EINVAL) {
+- /* Warn user and fix it */
+- pr_warn("%s: CPU%d: Running at unlisted freq: %u KHz\n",
+- __func__, policy->cpu, policy->cur);
+- ret = __cpufreq_driver_target(policy, policy->cur - 1,
+- CPUFREQ_RELATION_L);
++ ret = __cpufreq_driver_target(policy, old_freq - 1,
++ CPUFREQ_RELATION_L);
+
+ /*
+ * Reaching here after boot in a few seconds may not
+@@ -1465,8 +1464,8 @@ static int cpufreq_online(unsigned int c
+ * frequency for longer duration. Hence, a BUG_ON().
+ */
+ BUG_ON(ret);
+- pr_warn("%s: CPU%d: Unlisted initial frequency changed to: %u KHz\n",
+- __func__, policy->cpu, policy->cur);
++ pr_info("%s: CPU%d: Running at unlisted initial frequency: %u KHz, changing to: %u KHz\n",
++ __func__, policy->cpu, old_freq, policy->cur);
+ }
+ }
+
diff --git a/queue-5.9/netfilter-nftables_offload-kasan-slab-out-of-bounds-read-in-nft_flow_rule_create.patch b/queue-5.9/netfilter-nftables_offload-kasan-slab-out-of-bounds-read-in-nft_flow_rule_create.patch
new file mode 100644
index 00000000000..edd217492a3
--- /dev/null
+++ b/queue-5.9/netfilter-nftables_offload-kasan-slab-out-of-bounds-read-in-nft_flow_rule_create.patch
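Review bot: In the second cpufreq.c hunk the only log line for this path now comes after `BUG_ON(ret)`, so when `__cpufreq_driver_target()` fails the kernel stops without ever printing the unlisted frequency that the removed first `pr_warn()` used to record. Consider emitting it before the assertion, e.g. `if (ret) pr_err("%s: CPU%d: cannot leave unlisted freq %u KHz (%d)\n", __func__, policy->cpu, old_freq, ret);` ahead of `BUG_ON(ret);`. Separately, `old_freq - 1` is unsigned arithmetic carried over from the old `policy->cur - 1`; whether `policy->cur` can be 0 at this point is not visible in the hunk, so a short comment stating that it is non-zero here would help. cpufreq_online() starts and ends outside both hunks.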
@@ -0,0 +1,95 @@
+From 31cc578ae2de19c748af06d859019dced68e325d Mon Sep 17 00:00:00 2001
+From: Saeed Mirzamohammadi
+Date: Tue, 20 Oct 2020 13:41:36 +0200
+Subject: netfilter: nftables_offload: KASAN slab-out-of-bounds Read in nft_flow_rule_create
+
+From: Saeed Mirzamohammadi
+
+commit 31cc578ae2de19c748af06d859019dced68e325d upstream.
+
+This patch fixes the issue due to:
+
+BUG: KASAN: slab-out-of-bounds in nft_flow_rule_create+0x622/0x6a2
+net/netfilter/nf_tables_offload.c:40
+Read of size 8 at addr ffff888103910b58 by task syz-executor227/16244
+
+The error happens when expr->ops is accessed early on before performing the boundary check and after nft_expr_next() moves the expr to go out-of-bounds.
+
+This patch checks the boundary condition before expr->ops that fixes the slab-out-of-bounds Read issue.
+
+Add nft_expr_more() and use it to fix this problem.
+
+Signed-off-by: Saeed Mirzamohammadi
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/netfilter/nf_tables.h | 6 ++++++
+ net/netfilter/nf_tables_api.c | 6 +++---
+ net/netfilter/nf_tables_offload.c | 4 ++--
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -896,6 +896,12 @@ static inline struct nft_expr *nft_expr_
+ return (struct nft_expr *)&rule->data[rule->dlen];
+ }
+
++static inline bool nft_expr_more(const struct nft_rule *rule,
++ const struct nft_expr *expr)
++{
++ return expr != nft_expr_last(rule) && expr->ops;
++}
++
+ static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
+ {
+ return (void *)&rule->data[rule->dlen];
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -302,7 +302,7 @@ static void nft_rule_expr_activate(const
+ struct nft_expr *expr;
+
+ expr = nft_expr_first(rule);
+- while (expr != nft_expr_last(rule) && expr->ops) {
++ while (nft_expr_more(rule, expr)) {
+ if (expr->ops->activate)
+ expr->ops->activate(ctx, expr);
+
+@@ -317,7 +317,7 @@ static void nft_rule_expr_deactivate(con
+ struct nft_expr *expr;
+
+ expr = nft_expr_first(rule);
+- while (expr != nft_expr_last(rule) && expr->ops) {
++ while (nft_expr_more(rule, expr)) {
+ if (expr->ops->deactivate)
+ expr->ops->deactivate(ctx, expr, phase);
+
+@@ -3036,7 +3036,7 @@ static void nf_tables_rule_destroy(const
+ * is called on error from nf_tables_newrule().
+ */
+ expr = nft_expr_first(rule);
+- while (expr != nft_expr_last(rule) && expr->ops) {
++ while (nft_expr_more(rule, expr)) {
+ next = nft_expr_next(expr);
+ nf_tables_expr_destroy(ctx, expr);
+ expr = next;
+--- a/net/netfilter/nf_tables_offload.c
++++ b/net/netfilter/nf_tables_offload.c
+@@ -37,7 +37,7 @@ struct nft_flow_rule *nft_flow_rule_crea
+ struct nft_expr *expr;
+
+ expr = nft_expr_first(rule);
+- while (expr->ops && expr != nft_expr_last(rule)) {
++ while (nft_expr_more(rule, expr)) {
+ if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION)
+ num_actions++;
+
+@@ -61,7 +61,7 @@ struct nft_flow_rule *nft_flow_rule_crea
+ ctx->net = net;
+ ctx->dep.type = NFT_OFFLOAD_DEP_UNSPEC;
+
+- while (expr->ops && expr != nft_expr_last(rule)) {
++ while (nft_expr_more(rule, expr)) {
+ if (!expr->ops->offload) {
+ err = -EOPNOTSUPP;
+ goto err_out;
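Review bot: nft_expr_more() in the nf_tables.h hunk carries no comment saying that the order of its two tests is the fix: `expr->ops` may only be read after `expr != nft_expr_last(rule)` has passed, because nft_expr_last() returns the address just past the rule's expression data (`&rule->data[rule->dlen]`). Without that note a later cleanup could swap the operands back into the form the two nf_tables_offload.c loops had, which is the out-of-bounds read KASAN reported. I would add above the helper `/* Bounds test must come first: expr may equal nft_expr_last(rule), which lies past the rule's expression data. */`. The test is also an equality rather than `<`, so it presumably relies on nft_expr_next() landing exactly on the end pointer; that invariant is not visible in these hunks and is worth stating in the same comment.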