From: Greg Kroah-Hartman Date: Mon, 11 Jan 2021 11:47:21 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.4.251~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=564d6bd892955f672366bd4b3f0e3881f5bd4c5a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm-dts-omap3-disable-aes-on-n950-n9.patch dmaengine-idxd-off-by-one-in-cleanup-code.patch kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch net-mlx5e-fix-swp-offsets-when-vlan-inserted-by-driver.patch netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch netfilter-nft_dynset-report-eopnotsupp-on-missing-set-feature.patch netfilter-x_tables-update-remaining-dereference-to-rcu.patch netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch rtlwifi-rise-completion-at-the-last-step-of-firmware-callback.patch x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch xsk-fix-memory-leak-for-failed-bind.patch --- diff --git a/queue-5.10/arm-dts-omap3-disable-aes-on-n950-n9.patch b/queue-5.10/arm-dts-omap3-disable-aes-on-n950-n9.patch new file mode 100644 index 00000000000..1ace1c1a8d5 --- /dev/null +++ b/queue-5.10/arm-dts-omap3-disable-aes-on-n950-n9.patch @@ -0,0 +1,35 @@ +From f1dc15cd7fc146107cad2a926d9c1d005f69002a Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 29 Nov 2020 16:47:10 +0200 +Subject: ARM: dts: OMAP3: disable AES on N950/N9 + +From: Aaro Koskinen + +commit f1dc15cd7fc146107cad2a926d9c1d005f69002a upstream. + +AES needs to be disabled on Nokia N950/N9 as well (HS devices), otherwise +kernel fails to boot. + +Fixes: c312f066314e ("ARM: dts: omap3: Migrate AES from hwmods to sysc-omap2") +Signed-off-by: Aaro Koskinen +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/omap3-n950-n9.dtsi | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/arm/boot/dts/omap3-n950-n9.dtsi ++++ b/arch/arm/boot/dts/omap3-n950-n9.dtsi +@@ -494,3 +494,11 @@ + clock-names = "sysclk"; + }; + }; ++ ++&aes1_target { ++ status = "disabled"; ++}; ++ ++&aes2_target { ++ status = "disabled"; ++}; diff --git a/queue-5.10/dmaengine-idxd-off-by-one-in-cleanup-code.patch b/queue-5.10/dmaengine-idxd-off-by-one-in-cleanup-code.patch new file mode 100644 index 00000000000..eb8e1ab9ec3 --- /dev/null +++ b/queue-5.10/dmaengine-idxd-off-by-one-in-cleanup-code.patch @@ -0,0 +1,44 @@ +From ff58f7dd0c1352a01de3a40327895bd51e03de3a Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 16 Dec 2020 11:29:46 +0300 +Subject: dmaengine: idxd: off by one in cleanup code + +From: Dan Carpenter + +commit ff58f7dd0c1352a01de3a40327895bd51e03de3a upstream. + +The clean up is off by one so this will start at "i" and it should start +with "i - 1" and then it doesn't unregister the zeroeth elements in the +array. + +Fixes: c52ca478233c ("dmaengine: idxd: add configuration component of driver") +Signed-off-by: Dan Carpenter +Acked-by: Dave Jiang +Link: https://lore.kernel.org/r/X9nFeojulsNqUSnG@mwanda +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/idxd/sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/dma/idxd/sysfs.c ++++ b/drivers/dma/idxd/sysfs.c +@@ -379,7 +379,7 @@ int idxd_register_driver(void) + return 0; + + drv_fail: +- for (; i > 0; i--) ++ while (--i >= 0) + driver_unregister(&idxd_drvs[i]->drv); + return rc; + } +@@ -1639,7 +1639,7 @@ int idxd_register_bus_type(void) + return 0; + + bus_err: +- for (; i > 0; i--) ++ while (--i >= 0) + bus_unregister(idxd_bus_types[i]); + return rc; + } diff --git a/queue-5.10/kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch b/queue-5.10/kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch new file mode 100644 index 00000000000..c06cd97bb48 --- /dev/null +++ b/queue-5.10/kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch @@ -0,0 +1,32 @@ +From 2f80d502d627f30257ba7e3655e71c373b7d1a5a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 22 Dec 2020 05:20:43 -0500 +Subject: KVM: x86: fix shift out of bounds reported by UBSAN + +From: Paolo Bonzini + +commit 2f80d502d627f30257ba7e3655e71c373b7d1a5a upstream. + +Since we know that e >= s, we can reassociate the left shift, +changing the shifted number from 1 to 2 in exchange for +decreasing the right hand side by 1. + +Reported-by: syzbot+e87846c48bf72bc85311@syzkaller.appspotmail.com +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu.h ++++ b/arch/x86/kvm/mmu.h +@@ -49,7 +49,7 @@ static inline u64 rsvd_bits(int s, int e + if (e < s) + return 0; + +- return ((1ULL << (e - s + 1)) - 1) << s; ++ return ((2ULL << (e - s)) - 1) << s; + } + + void kvm_mmu_set_mmio_spte_mask(u64 mmio_value, u64 access_mask); diff --git a/queue-5.10/net-mlx5e-fix-swp-offsets-when-vlan-inserted-by-driver.patch b/queue-5.10/net-mlx5e-fix-swp-offsets-when-vlan-inserted-by-driver.patch new file mode 100644 index 00000000000..59b6c8414be --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-swp-offsets-when-vlan-inserted-by-driver.patch @@ -0,0 +1,115 @@ +From b544011f0e58ce43c40105468d6dc67f980a0c7a Mon Sep 17 00:00:00 2001 +From: Moshe Shemesh +Date: Fri, 13 Nov 2020 06:06:28 +0200 +Subject: net/mlx5e: Fix SWP offsets when vlan inserted by driver + +From: Moshe Shemesh + +commit b544011f0e58ce43c40105468d6dc67f980a0c7a upstream. + +In case WQE includes inline header the vlan is inserted by driver even +if vlan offload is set. On geneve over vlan interface where software +parser is used the SWP offsets should be updated according to the added +vlan. + +Fixes: e3cfc7e6b7bd ("net/mlx5e: TX, Add geneve tunnel stateless offload support") +Signed-off-by: Moshe Shemesh +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h | 9 +++++++++ + drivers/net/ethernet/mellanox/mlx5/core/en_accel/en_accel.h | 8 +++++--- + drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 9 +++++---- + 3 files changed, 19 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h +@@ -366,6 +366,15 @@ struct mlx5e_swp_spec { + u8 tun_l4_proto; + }; + ++static inline void mlx5e_eseg_swp_offsets_add_vlan(struct mlx5_wqe_eth_seg *eseg) ++{ ++ /* SWP offsets are in 2-bytes words */ ++ eseg->swp_outer_l3_offset += VLAN_HLEN / 2; ++ eseg->swp_outer_l4_offset += VLAN_HLEN / 2; ++ eseg->swp_inner_l3_offset += VLAN_HLEN / 2; ++ eseg->swp_inner_l4_offset += VLAN_HLEN / 2; ++} ++ + static inline void + mlx5e_set_eseg_swp(struct sk_buff *skb, struct mlx5_wqe_eth_seg *eseg, + struct mlx5e_swp_spec *swp_spec) +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/en_accel.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/en_accel.h +@@ -51,7 +51,7 @@ static inline bool mlx5_geneve_tx_allowe + } + + static inline void +-mlx5e_tx_tunnel_accel(struct sk_buff *skb, struct mlx5_wqe_eth_seg *eseg) ++mlx5e_tx_tunnel_accel(struct sk_buff *skb, struct mlx5_wqe_eth_seg *eseg, u16 ihs) + { + struct mlx5e_swp_spec swp_spec = {}; + unsigned int offset = 0; +@@ -85,6 +85,8 @@ mlx5e_tx_tunnel_accel(struct sk_buff *sk + } + + mlx5e_set_eseg_swp(skb, eseg, &swp_spec); ++ if (skb_vlan_tag_present(skb) && ihs) ++ mlx5e_eseg_swp_offsets_add_vlan(eseg); + } + + #else +@@ -163,7 +165,7 @@ static inline unsigned int mlx5e_accel_t + + static inline bool mlx5e_accel_tx_eseg(struct mlx5e_priv *priv, + struct sk_buff *skb, +- struct mlx5_wqe_eth_seg *eseg) ++ struct mlx5_wqe_eth_seg *eseg, u16 ihs) + { + #ifdef CONFIG_MLX5_EN_IPSEC + if (xfrm_offload(skb)) +@@ -172,7 +174,7 @@ static inline bool mlx5e_accel_tx_eseg(s + + #if IS_ENABLED(CONFIG_GENEVE) + if (skb->encapsulation) +- mlx5e_tx_tunnel_accel(skb, eseg); ++ mlx5e_tx_tunnel_accel(skb, eseg, ihs); + #endif + + return true; +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +@@ -615,9 +615,9 @@ void mlx5e_tx_mpwqe_ensure_complete(stru + + static bool mlx5e_txwqe_build_eseg(struct mlx5e_priv *priv, struct mlx5e_txqsq *sq, + struct sk_buff *skb, struct mlx5e_accel_tx_state *accel, +- struct mlx5_wqe_eth_seg *eseg) ++ struct mlx5_wqe_eth_seg *eseg, u16 ihs) + { +- if (unlikely(!mlx5e_accel_tx_eseg(priv, skb, eseg))) ++ if (unlikely(!mlx5e_accel_tx_eseg(priv, skb, eseg, ihs))) + return false; + + mlx5e_txwqe_build_eseg_csum(sq, skb, accel, eseg); +@@ -647,7 +647,8 @@ netdev_tx_t mlx5e_xmit(struct sk_buff *s + if (mlx5e_tx_skb_supports_mpwqe(skb, &attr)) { + struct mlx5_wqe_eth_seg eseg = {}; + +- if (unlikely(!mlx5e_txwqe_build_eseg(priv, sq, skb, &accel, &eseg))) ++ if (unlikely(!mlx5e_txwqe_build_eseg(priv, sq, skb, &accel, &eseg, ++ attr.ihs))) + return NETDEV_TX_OK; + + mlx5e_sq_xmit_mpwqe(sq, skb, &eseg, netdev_xmit_more()); +@@ -664,7 +665,7 @@ netdev_tx_t mlx5e_xmit(struct sk_buff *s + /* May update the WQE, but may not post other WQEs. */ + mlx5e_accel_tx_finish(sq, wqe, &accel, + (struct mlx5_wqe_inline_seg *)(wqe->data + wqe_attr.ds_cnt_inl)); +- if (unlikely(!mlx5e_txwqe_build_eseg(priv, sq, skb, &accel, &wqe->eth))) ++ if (unlikely(!mlx5e_txwqe_build_eseg(priv, sq, skb, &accel, &wqe->eth, attr.ihs))) + return NETDEV_TX_OK; + + mlx5e_sq_xmit_wqe(sq, skb, &attr, &wqe_attr, wqe, pi, netdev_xmit_more()); diff --git a/queue-5.10/netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch b/queue-5.10/netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch new file mode 100644 index 00000000000..4365856cf97 --- /dev/null +++ b/queue-5.10/netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch @@ -0,0 +1,89 @@ +From 5c8193f568ae16f3242abad6518dc2ca6c8eef86 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Thu, 17 Dec 2020 17:53:18 +0300 +Subject: netfilter: ipset: fix shift-out-of-bounds in htable_bits() + +From: Vasily Averin + +commit 5c8193f568ae16f3242abad6518dc2ca6c8eef86 upstream. + +htable_bits() can call jhash_size(32) and trigger shift-out-of-bounds + +UBSAN: shift-out-of-bounds in net/netfilter/ipset/ip_set_hash_gen.h:151:6 +shift exponent 32 is too large for 32-bit type 'unsigned int' +CPU: 0 PID: 8498 Comm: syz-executor519 + Not tainted 5.10.0-rc7-next-20201208-syzkaller #0 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x107/0x163 lib/dump_stack.c:120 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 + htable_bits net/netfilter/ipset/ip_set_hash_gen.h:151 [inline] + hash_mac_create.cold+0x58/0x9b net/netfilter/ipset/ip_set_hash_gen.h:1524 + ip_set_create+0x610/0x1380 net/netfilter/ipset/ip_set_core.c:1115 + nfnetlink_rcv_msg+0xecc/0x1180 net/netfilter/nfnetlink.c:252 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 + nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:600 + netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 + netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:672 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2399 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +This patch replaces htable_bits() by simple fls(hashsize - 1) call: +it alone returns valid nbits both for round and non-round hashsizes. +It is normal to set any nbits here because it is validated inside +following htable_size() call which returns 0 for nbits>31. + +Fixes: 1feab10d7e6d("netfilter: ipset: Unified hash type generation") +Reported-by: syzbot+d66bfadebca46cf61a2b@syzkaller.appspotmail.com +Signed-off-by: Vasily Averin +Acked-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipset/ip_set_hash_gen.h | 20 +++++--------------- + 1 file changed, 5 insertions(+), 15 deletions(-) + +--- a/net/netfilter/ipset/ip_set_hash_gen.h ++++ b/net/netfilter/ipset/ip_set_hash_gen.h +@@ -143,20 +143,6 @@ htable_size(u8 hbits) + return hsize * sizeof(struct hbucket *) + sizeof(struct htable); + } + +-/* Compute htable_bits from the user input parameter hashsize */ +-static u8 +-htable_bits(u32 hashsize) +-{ +- /* Assume that hashsize == 2^htable_bits */ +- u8 bits = fls(hashsize - 1); +- +- if (jhash_size(bits) != hashsize) +- /* Round up to the first 2^n value */ +- bits = fls(hashsize); +- +- return bits; +-} +- + #ifdef IP_SET_HASH_WITH_NETS + #if IPSET_NET_COUNT > 1 + #define __CIDR(cidr, i) (cidr[i]) +@@ -1520,7 +1506,11 @@ IPSET_TOKEN(HTYPE, _create)(struct net * + if (!h) + return -ENOMEM; + +- hbits = htable_bits(hashsize); ++ /* Compute htable_bits from the user input parameter hashsize. ++ * Assume that hashsize == 2^htable_bits, ++ * otherwise round up to the first 2^n value. ++ */ ++ hbits = fls(hashsize - 1); + hsize = htable_size(hbits); + if (hsize == 0) { + kfree(h); diff --git a/queue-5.10/netfilter-nft_dynset-report-eopnotsupp-on-missing-set-feature.patch b/queue-5.10/netfilter-nft_dynset-report-eopnotsupp-on-missing-set-feature.patch new file mode 100644 index 00000000000..7bcd18ca15b --- /dev/null +++ b/queue-5.10/netfilter-nft_dynset-report-eopnotsupp-on-missing-set-feature.patch @@ -0,0 +1,52 @@ +From 95cd4bca7b1f4a25810f3ddfc5e767fb46931789 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Sun, 27 Dec 2020 12:33:44 +0100 +Subject: netfilter: nft_dynset: report EOPNOTSUPP on missing set feature + +From: Pablo Neira Ayuso + +commit 95cd4bca7b1f4a25810f3ddfc5e767fb46931789 upstream. + +If userspace requests a feature which is not available the original set +definition, then bail out with EOPNOTSUPP. If userspace sends +unsupported dynset flags (new feature not supported by this kernel), +then report EOPNOTSUPP to userspace. EINVAL should be only used to +report malformed netlink messages from userspace. + +Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nft_dynset.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -123,7 +123,7 @@ static int nft_dynset_init(const struct + u32 flags = ntohl(nla_get_be32(tb[NFTA_DYNSET_FLAGS])); + + if (flags & ~NFT_DYNSET_F_INV) +- return -EINVAL; ++ return -EOPNOTSUPP; + if (flags & NFT_DYNSET_F_INV) + priv->invert = true; + } +@@ -156,7 +156,7 @@ static int nft_dynset_init(const struct + timeout = 0; + if (tb[NFTA_DYNSET_TIMEOUT] != NULL) { + if (!(set->flags & NFT_SET_TIMEOUT)) +- return -EINVAL; ++ return -EOPNOTSUPP; + + err = nf_msecs_to_jiffies64(tb[NFTA_DYNSET_TIMEOUT], &timeout); + if (err) +@@ -170,7 +170,7 @@ static int nft_dynset_init(const struct + + if (tb[NFTA_DYNSET_SREG_DATA] != NULL) { + if (!(set->flags & NFT_SET_MAP)) +- return -EINVAL; ++ return -EOPNOTSUPP; + if (set->dtype == NFT_DATA_VERDICT) + return -EOPNOTSUPP; + diff --git a/queue-5.10/netfilter-x_tables-update-remaining-dereference-to-rcu.patch b/queue-5.10/netfilter-x_tables-update-remaining-dereference-to-rcu.patch new file mode 100644 index 00000000000..9d361177923 --- /dev/null +++ b/queue-5.10/netfilter-x_tables-update-remaining-dereference-to-rcu.patch @@ -0,0 +1,58 @@ +From 443d6e86f821a165fae3fc3fc13086d27ac140b1 Mon Sep 17 00:00:00 2001 +From: Subash Abhinov Kasiviswanathan +Date: Wed, 16 Dec 2020 21:38:02 -0700 +Subject: netfilter: x_tables: Update remaining dereference to RCU + +From: Subash Abhinov Kasiviswanathan + +commit 443d6e86f821a165fae3fc3fc13086d27ac140b1 upstream. + +This fixes the dereference to fetch the RCU pointer when holding +the appropriate xtables lock. + +Reported-by: kernel test robot +Fixes: cc00bcaa5899 ("netfilter: x_tables: Switch synchronization to RCU") +Signed-off-by: Subash Abhinov Kasiviswanathan +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/arp_tables.c | 2 +- + net/ipv4/netfilter/ip_tables.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1379,7 +1379,7 @@ static int compat_get_entries(struct net + xt_compat_lock(NFPROTO_ARP); + t = xt_find_table_lock(net, NFPROTO_ARP, get.name); + if (!IS_ERR(t)) { +- const struct xt_table_info *private = t->private; ++ const struct xt_table_info *private = xt_table_get_private_protected(t); + struct xt_table_info info; + + ret = compat_table_info(private, &info); +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1589,7 +1589,7 @@ compat_get_entries(struct net *net, stru + xt_compat_lock(AF_INET); + t = xt_find_table_lock(net, AF_INET, get.name); + if (!IS_ERR(t)) { +- const struct xt_table_info *private = t->private; ++ const struct xt_table_info *private = xt_table_get_private_protected(t); + struct xt_table_info info; + ret = compat_table_info(private, &info); + if (!ret && get.size == info.size) +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1598,7 +1598,7 @@ compat_get_entries(struct net *net, stru + xt_compat_lock(AF_INET6); + t = xt_find_table_lock(net, AF_INET6, get.name); + if (!IS_ERR(t)) { +- const struct xt_table_info *private = t->private; ++ const struct xt_table_info *private = xt_table_get_private_protected(t); + struct xt_table_info info; + ret = compat_table_info(private, &info); + if (!ret && get.size == info.size) diff --git a/queue-5.10/netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch b/queue-5.10/netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch new file mode 100644 index 00000000000..6fcbe88b798 --- /dev/null +++ b/queue-5.10/netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch @@ -0,0 +1,41 @@ +From 6cb56218ad9e580e519dcd23bfb3db08d8692e5a Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 22 Dec 2020 23:23:56 +0100 +Subject: netfilter: xt_RATEEST: reject non-null terminated string from userspace + +From: Florian Westphal + +commit 6cb56218ad9e580e519dcd23bfb3db08d8692e5a upstream. + +syzbot reports: +detected buffer overflow in strlen +[..] +Call Trace: + strlen include/linux/string.h:325 [inline] + strlcpy include/linux/string.h:348 [inline] + xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143 + +strlcpy assumes src is a c-string. Check info->name before its used. + +Reported-by: syzbot+e86f7c428c8c50db65b4@syzkaller.appspotmail.com +Fixes: 5859034d7eb8793 ("[NETFILTER]: x_tables: add RATEEST target") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_RATEEST.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/xt_RATEEST.c ++++ b/net/netfilter/xt_RATEEST.c +@@ -115,6 +115,9 @@ static int xt_rateest_tg_checkentry(cons + } cfg; + int ret; + ++ if (strnlen(info->name, sizeof(est->name)) >= sizeof(est->name)) ++ return -ENAMETOOLONG; ++ + net_get_random_once(&jhash_rnd, sizeof(jhash_rnd)); + + mutex_lock(&xn->hash_lock); diff --git a/queue-5.10/rtlwifi-rise-completion-at-the-last-step-of-firmware-callback.patch b/queue-5.10/rtlwifi-rise-completion-at-the-last-step-of-firmware-callback.patch new file mode 100644 index 00000000000..51e32155638 --- /dev/null +++ b/queue-5.10/rtlwifi-rise-completion-at-the-last-step-of-firmware-callback.patch @@ -0,0 +1,100 @@ +From 4dfde294b9792dcf8615b55c58f093d544f472f0 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Mon, 14 Dec 2020 13:31:06 +0800 +Subject: rtlwifi: rise completion at the last step of firmware callback + +From: Ping-Ke Shih + +commit 4dfde294b9792dcf8615b55c58f093d544f472f0 upstream. + +request_firmware_nowait() which schedules another work is used to load +firmware when USB is probing. If USB is unplugged before running the +firmware work, it goes disconnect ops, and then causes use-after-free. +Though we wait for completion of firmware work before freeing the hw, +firmware callback rises completion too early. So I move it to the +last step. + +usb 5-1: Direct firmware load for rtlwifi/rtl8192cufw.bin failed with error -2 +rtlwifi: Loading alternative firmware rtlwifi/rtl8192cufw.bin +rtlwifi: Selected firmware is not available +================================================================== +BUG: KASAN: use-after-free in rtl_fw_do_work.cold+0x68/0x6a drivers/net/wireless/realtek/rtlwifi/core.c:93 +Write of size 4 at addr ffff8881454cff50 by task kworker/0:6/7379 + +CPU: 0 PID: 7379 Comm: kworker/0:6 Not tainted 5.10.0-rc7-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: events request_firmware_work_func +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x107/0x163 lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385 + __kasan_report mm/kasan/report.c:545 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562 + rtl_fw_do_work.cold+0x68/0x6a drivers/net/wireless/realtek/rtlwifi/core.c:93 + request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1079 + process_one_work+0x933/0x1520 kernel/workqueue.c:2272 + worker_thread+0x64c/0x1120 kernel/workqueue.c:2418 + kthread+0x38c/0x460 kernel/kthread.c:292 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 + +The buggy address belongs to the page: +page:00000000f54435b3 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1454cf +flags: 0x200000000000000() +raw: 0200000000000000 0000000000000000 ffffea00051533c8 0000000000000000 +raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8881454cfe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff8881454cfe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +>ffff8881454cff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ^ + ffff8881454cff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff8881454d0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + +Reported-by: syzbot+65be4277f3c489293939@syzkaller.appspotmail.com +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20201214053106.7748-1-pkshih@realtek.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/core.c ++++ b/drivers/net/wireless/realtek/rtlwifi/core.c +@@ -78,7 +78,6 @@ static void rtl_fw_do_work(const struct + + rtl_dbg(rtlpriv, COMP_ERR, DBG_LOUD, + "Firmware callback routine entered!\n"); +- complete(&rtlpriv->firmware_loading_complete); + if (!firmware) { + if (rtlpriv->cfg->alt_fw_name) { + err = request_firmware(&firmware, +@@ -91,13 +90,13 @@ static void rtl_fw_do_work(const struct + } + pr_err("Selected firmware is not available\n"); + rtlpriv->max_fw_size = 0; +- return; ++ goto exit; + } + found_alt: + if (firmware->size > rtlpriv->max_fw_size) { + pr_err("Firmware is too big!\n"); + release_firmware(firmware); +- return; ++ goto exit; + } + if (!is_wow) { + memcpy(rtlpriv->rtlhal.pfirmware, firmware->data, +@@ -109,6 +108,9 @@ found_alt: + rtlpriv->rtlhal.wowlan_fwsize = firmware->size; + } + release_firmware(firmware); ++ ++exit: ++ complete(&rtlpriv->firmware_loading_complete); + } + + void rtl_fw_cb(const struct firmware *firmware, void *context) diff --git a/queue-5.10/series b/queue-5.10/series index 1ceef81f533..f2e7249d02d 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -132,3 +132,14 @@ drm-i915-clear-the-gpu-reloc-batch.patch bcache-fix-typo-from-suup-to-supp-in-features.h.patch bcache-check-unsupported-feature-sets-for-bcache-register.patch bcache-introduce-bch_feature_incompat_log_large_bucket_size-for-large-bucket.patch +net-mlx5e-fix-swp-offsets-when-vlan-inserted-by-driver.patch +arm-dts-omap3-disable-aes-on-n950-n9.patch +netfilter-x_tables-update-remaining-dereference-to-rcu.patch +netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch +netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch +netfilter-nft_dynset-report-eopnotsupp-on-missing-set-feature.patch +dmaengine-idxd-off-by-one-in-cleanup-code.patch +x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch +kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch +xsk-fix-memory-leak-for-failed-bind.patch +rtlwifi-rise-completion-at-the-last-step-of-firmware-callback.patch diff --git a/queue-5.10/x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch b/queue-5.10/x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch new file mode 100644 index 00000000000..7ea7a060edc --- /dev/null +++ b/queue-5.10/x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch @@ -0,0 +1,62 @@ +From cb7f4a8b1fb426a175d1708f05581939c61329d4 Mon Sep 17 00:00:00 2001 +From: Ying-Tsun Huang +Date: Tue, 15 Dec 2020 15:07:20 +0800 +Subject: x86/mtrr: Correct the range check before performing MTRR type lookups + +From: Ying-Tsun Huang + +commit cb7f4a8b1fb426a175d1708f05581939c61329d4 upstream. + +In mtrr_type_lookup(), if the input memory address region is not in the +MTRR, over 4GB, and not over the top of memory, a write-back attribute +is returned. These condition checks are for ensuring the input memory +address region is actually mapped to the physical memory. + +However, if the end address is just aligned with the top of memory, +the condition check treats the address is over the top of memory, and +write-back attribute is not returned. + +And this hits in a real use case with NVDIMM: the nd_pmem module tries +to map NVDIMMs as cacheable memories when NVDIMMs are connected. If a +NVDIMM is the last of the DIMMs, the performance of this NVDIMM becomes +very low since it is aligned with the top of memory and its memory type +is uncached-minus. + +Move the input end address change to inclusive up into +mtrr_type_lookup(), before checking for the top of memory in either +mtrr_type_lookup_{variable,fixed}() helpers. + + [ bp: Massage commit message. ] + +Fixes: 0cc705f56e40 ("x86/mm/mtrr: Clean up mtrr_type_lookup()") +Signed-off-by: Ying-Tsun Huang +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20201215070721.4349-1-ying-tsun.huang@amd.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mtrr/generic.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/cpu/mtrr/generic.c ++++ b/arch/x86/kernel/cpu/mtrr/generic.c +@@ -167,9 +167,6 @@ static u8 mtrr_type_lookup_variable(u64 + *repeat = 0; + *uniform = 1; + +- /* Make end inclusive instead of exclusive */ +- end--; +- + prev_match = MTRR_TYPE_INVALID; + for (i = 0; i < num_var_ranges; ++i) { + unsigned short start_state, end_state, inclusive; +@@ -261,6 +258,9 @@ u8 mtrr_type_lookup(u64 start, u64 end, + int repeat; + u64 partial_end; + ++ /* Make end inclusive instead of exclusive */ ++ end--; ++ + if (!mtrr_state_set) + return MTRR_TYPE_INVALID; + diff --git a/queue-5.10/xsk-fix-memory-leak-for-failed-bind.patch b/queue-5.10/xsk-fix-memory-leak-for-failed-bind.patch new file mode 100644 index 00000000000..ed891d5ce0a --- /dev/null +++ b/queue-5.10/xsk-fix-memory-leak-for-failed-bind.patch @@ -0,0 +1,67 @@ +From 8bee683384087a6275c9183a483435225f7bb209 Mon Sep 17 00:00:00 2001 +From: Magnus Karlsson +Date: Mon, 14 Dec 2020 09:51:27 +0100 +Subject: xsk: Fix memory leak for failed bind +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Magnus Karlsson + +commit 8bee683384087a6275c9183a483435225f7bb209 upstream. + +Fix a possible memory leak when a bind of an AF_XDP socket fails. When +the fill and completion rings are created, they are tied to the +socket. But when the buffer pool is later created at bind time, the +ownership of these two rings are transferred to the buffer pool as +they might be shared between sockets (and the buffer pool cannot be +created until we know what we are binding to). So, before the buffer +pool is created, these two rings are cleaned up with the socket, and +after they have been transferred they are cleaned up together with +the buffer pool. + +The problem is that ownership was transferred before it was absolutely +certain that the buffer pool could be created and initialized +correctly and when one of these errors occurred, the fill and +completion rings did neither belong to the socket nor the pool and +where therefore leaked. Solve this by moving the ownership transfer +to the point where the buffer pool has been completely set up and +there is no way it can fail. + +Fixes: 7361f9c3d719 ("xsk: Move fill and completion rings to buffer pool") +Reported-by: syzbot+cfa88ddd0655afa88763@syzkaller.appspotmail.com +Signed-off-by: Magnus Karlsson +Signed-off-by: Daniel Borkmann +Acked-by: Björn Töpel +Link: https://lore.kernel.org/bpf/20201214085127.3960-1-magnus.karlsson@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + net/xdp/xsk.c | 4 ++++ + net/xdp/xsk_buff_pool.c | 2 -- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -772,6 +772,10 @@ static int xsk_bind(struct socket *sock, + } + } + ++ /* FQ and CQ are now owned by the buffer pool and cleaned up with it. */ ++ xs->fq_tmp = NULL; ++ xs->cq_tmp = NULL; ++ + xs->dev = dev; + xs->zc = xs->umem->zc; + xs->queue_id = qid; +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -75,8 +75,6 @@ struct xsk_buff_pool *xp_create_and_assi + + pool->fq = xs->fq_tmp; + pool->cq = xs->cq_tmp; +- xs->fq_tmp = NULL; +- xs->cq_tmp = NULL; + + for (i = 0; i < pool->free_heads_cnt; i++) { + xskb = &pool->heads[i];