From: Sasha Levin Date: Mon, 25 Jan 2021 03:21:29 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v4.19.171~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3894099715c21eb8b027f96a874b58f3152f4c7d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/can-dev-can_restart-fix-use-after-free-bug.patch b/queue-4.14/can-dev-can_restart-fix-use-after-free-bug.patch new file mode 100644 index 00000000000..f3287d0d765 --- /dev/null +++ b/queue-4.14/can-dev-can_restart-fix-use-after-free-bug.patch @@ -0,0 +1,46 @@ +From a7b8861fa78554124e6f3d0a9755474bc76b953a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 20:41:35 +0900 +Subject: can: dev: can_restart: fix use after free bug + +From: Vincent Mailhol + +[ Upstream commit 03f16c5075b22c8902d2af739969e878b0879c94 ] + +After calling netif_rx_ni(skb), dereferencing skb is unsafe. +Especially, the can_frame cf which aliases skb memory is accessed +after the netif_rx_ni() in: + stats->rx_bytes += cf->len; + +Reordering the lines solves the issue. + +Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") +Link: https://lore.kernel.org/r/20210120114137.200019-2-mailhol.vincent@wanadoo.fr +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index c483c4b787fee..1025cfd463ece 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -578,11 +578,11 @@ static void can_restart(struct net_device *dev) + } + cf->can_id |= CAN_ERR_RESTARTED; + +- netif_rx_ni(skb); +- + stats->rx_packets++; + stats->rx_bytes += cf->can_dlc; + ++ netif_rx_ni(skb); ++ + restart: + netdev_dbg(dev, "restarted\n"); + priv->can_stats.restarts++; +-- +2.27.0 + 
diff --git a/queue-4.14/can-vxcan-vxcan_xmit-fix-use-after-free-bug.patch b/queue-4.14/can-vxcan-vxcan_xmit-fix-use-after-free-bug.patch new file mode 100644 index 00000000000..5269bd2bfc7 --- /dev/null +++ b/queue-4.14/can-vxcan-vxcan_xmit-fix-use-after-free-bug.patch 
@@ -0,0 +1,53 @@ +From 3fde2248493e3460cd7818711a08e25787104fa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 20:41:36 +0900 +Subject: can: vxcan: vxcan_xmit: fix use after free bug + +From: Vincent Mailhol + +[ Upstream commit 75854cad5d80976f6ea0f0431f8cedd3bcc475cb ] + +After calling netif_rx_ni(skb), dereferencing skb is unsafe. +Especially, the canfd_frame cfd which aliases skb memory is accessed +after the netif_rx_ni(). + +Fixes: a8f820a380a2 ("can: add Virtual CAN Tunnel driver (vxcan)") +Link: https://lore.kernel.org/r/20210120114137.200019-3-mailhol.vincent@wanadoo.fr +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/vxcan.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/vxcan.c b/drivers/net/can/vxcan.c +index b4c4a2c764378..fc9197f14a3fb 100644 +--- a/drivers/net/can/vxcan.c ++++ b/drivers/net/can/vxcan.c +@@ -49,6 +49,7 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev) + struct net_device *peer; + struct canfd_frame *cfd = (struct canfd_frame *)skb->data; + struct net_device_stats *peerstats, *srcstats = &dev->stats; ++ u8 len; + + if (can_dropped_invalid_skb(dev, skb)) + return NETDEV_TX_OK; +@@ -71,12 +72,13 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev) + skb->dev = peer; + skb->ip_summed = CHECKSUM_UNNECESSARY; + ++ len = cfd->len; + if (netif_rx_ni(skb) == NET_RX_SUCCESS) { + srcstats->tx_packets++; +- srcstats->tx_bytes += cfd->len; ++ srcstats->tx_bytes += len; + peerstats = &peer->stats; + peerstats->rx_packets++; +- peerstats->rx_bytes += cfd->len; ++ peerstats->rx_bytes += len; + } + + out_unlock: +-- +2.27.0 + diff --git a/queue-4.14/i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch b/queue-4.14/i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch new file mode 100644 index 00000000000..73ec04d4051 --- /dev/null 
+++ b/queue-4.14/i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch @@ -0,0 +1,37 @@ +From a1860851784c98bd2b6a7ddecfde9ebac99984aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Jan 2021 13:43:08 +0100 +Subject: i2c: octeon: check correct size of maximum RECV_LEN packet + +From: Wolfram Sang + +[ Upstream commit 1b2cfa2d1dbdcc3b6dba1ecb7026a537a1d7277f ] + +I2C_SMBUS_BLOCK_MAX defines already the maximum number as defined in the +SMBus 2.0 specs. No reason to add one to it. + +Fixes: 886f6f8337dd ("i2c: octeon: Support I2C_M_RECV_LEN") +Signed-off-by: Wolfram Sang +Reviewed-by: Robert Richter +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-octeon-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-octeon-core.c b/drivers/i2c/busses/i2c-octeon-core.c +index 1d87757990568..cd512a93f3ba9 100644 +--- a/drivers/i2c/busses/i2c-octeon-core.c ++++ b/drivers/i2c/busses/i2c-octeon-core.c +@@ -346,7 +346,7 @@ static int octeon_i2c_read(struct octeon_i2c *i2c, int target, + if (result) + return result; + if (recv_len && i == 0) { +- if (data[i] > I2C_SMBUS_BLOCK_MAX + 1) ++ if (data[i] > I2C_SMBUS_BLOCK_MAX) + return -EPROTO; + length += data[i]; + } +-- +2.27.0 + diff --git a/queue-4.14/series b/queue-4.14/series index 089d844c308..be7f2ef4d14 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -12,3 +12,6 @@ xen-fix-event-channel-callback-via-intx-gsi.patch drm-nouveau-bios-fix-issue-shadowing-expansion-roms.patch drm-nouveau-privring-ack-interrupts-the-same-way-as-.patch drm-nouveau-i2c-gm200-increase-width-of-aux-semaphor.patch +i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch +can-dev-can_restart-fix-use-after-free-bug.patch +can-vxcan-vxcan_xmit-fix-use-after-free-bug.patch
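
Review bot: in the can_restart() hunk of drivers/net/can/dev.c, the queued commit message quotes the offending line as "stats->rx_bytes += cf->len;", but the 4.14 code this hunk moves reads "stats->rx_bytes += cf->can_dlc;". A bracketed backport note under the upstream commit line, saying the field is can_dlc in this tree, would keep the message consistent with the diff. The reordering itself places both stats updates ahead of netif_rx_ni(skb), so nothing visible in the hunk reads cf after the skb is handed off.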
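
Review bot: in the second vxcan_xmit() hunk of drivers/net/can/vxcan.c, cfd stays in scope after netif_rx_ni(skb) and nothing at the call site says it must no longer be dereferenced, so a later edit inside the NET_RX_SUCCESS branch could reintroduce the use after free. Suggest a one-line comment above "len = cfd->len;" stating that skb and cfd are off limits once netif_rx_ni() has been called. The commit message also stops at describing the bug; a sentence saying the length is cached in a local before the call would match the can_restart patch, which states its fix.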
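
Review bot: in the octeon_i2c_read() hunk of drivers/i2c/busses/i2c-octeon-core.c, the commit message does not say what the old bound allowed: with "if (data[i] > I2C_SMBUS_BLOCK_MAX + 1)" a device-supplied length byte of I2C_SMBUS_BLOCK_MAX + 1 passed the check and was then added to length. Since this is queued for stable, the message should state whether that extra byte could run past the buffer the caller provided. The new condition is still an upper bound only; if a zero length byte is not valid for a RECV_LEN transfer on this controller, reject it in the same condition.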