From: Sasha Levin Date: Sat, 16 Dec 2023 03:36:37 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v5.15.144~54 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6dc479e7bb0113277b8bd4490d5b876ece395329;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/appletalk-fix-use-after-free-in-atalk_ioctl.patch b/queue-4.19/appletalk-fix-use-after-free-in-atalk_ioctl.patch new file mode 100644 index 00000000000..80061412717 --- /dev/null +++ b/queue-4.19/appletalk-fix-use-after-free-in-atalk_ioctl.patch @@ -0,0 +1,55 @@ +From 7d657244cc203104c4fb1b80ac300d20080a2c4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 23:10:56 -0500 +Subject: appletalk: Fix Use-After-Free in atalk_ioctl + +From: Hyunwoo Kim + +[ Upstream commit 189ff16722ee36ced4d2a2469d4ab65a8fee4198 ] + +Because atalk_ioctl() accesses sk->sk_receive_queue +without holding a sk->sk_receive_queue.lock, it can +cause a race with atalk_recvmsg(). +A use-after-free for skb occurs with the following flow. +``` +atalk_ioctl() -> skb_peek() +atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram() +``` +Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Link: https://lore.kernel.org/r/20231213041056.GA519680@v4bel-B760M-AORUS-ELITE-AX +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/appletalk/ddp.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c +index 20ec8e7f94236..c4f1bfe6e0402 100644 +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1808,15 +1808,14 @@ static int atalk_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) + break; + } + case TIOCINQ: { +- /* +- * These two are safe on a single CPU system as only +- * user tasks fiddle here +- */ +- struct sk_buff *skb = skb_peek(&sk->sk_receive_queue); ++ struct sk_buff *skb; + long amount = 0; + ++ spin_lock_irq(&sk->sk_receive_queue.lock); ++ skb = skb_peek(&sk->sk_receive_queue); + if (skb) + amount = skb->len - sizeof(struct ddpehdr); ++ spin_unlock_irq(&sk->sk_receive_queue.lock); + rc = put_user(amount, (int __user *)argp); + break; + } +-- +2.43.0 + diff --git a/queue-4.19/atm-fix-use-after-free-in-do_vcc_ioctl.patch b/queue-4.19/atm-fix-use-after-free-in-do_vcc_ioctl.patch new file mode 100644 index 00000000000..080fce33cc1 --- /dev/null +++ b/queue-4.19/atm-fix-use-after-free-in-do_vcc_ioctl.patch @@ -0,0 +1,55 @@ +From a62aefbbfeb6a4f9f6ae53d2f1aaa1da17fa9b7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Dec 2023 04:42:10 -0500 +Subject: atm: Fix Use-After-Free in do_vcc_ioctl + +From: Hyunwoo Kim + +[ Upstream commit 24e90b9e34f9e039f56b5f25f6e6eb92cdd8f4b3 ] + +Because do_vcc_ioctl() accesses sk->sk_receive_queue +without holding a sk->sk_receive_queue.lock, it can +cause a race with vcc_recvmsg(). +A use-after-free for skb occurs with the following flow. +``` +do_vcc_ioctl() -> skb_peek() +vcc_recvmsg() -> skb_recv_datagram() -> skb_free_datagram() +``` +Add sk->sk_receive_queue.lock to do_vcc_ioctl() to fix this issue. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Link: https://lore.kernel.org/r/20231209094210.GA403126@v4bel-B760M-AORUS-ELITE-AX +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/atm/ioctl.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/atm/ioctl.c b/net/atm/ioctl.c +index 2ff0e5e470e3d..38f7f164e4848 100644 +--- a/net/atm/ioctl.c ++++ b/net/atm/ioctl.c +@@ -71,14 +71,17 @@ static int do_vcc_ioctl(struct socket *sock, unsigned int cmd, + case SIOCINQ: + { + struct sk_buff *skb; ++ int amount; + + if (sock->state != SS_CONNECTED) { + error = -EINVAL; + goto done; + } ++ spin_lock_irq(&sk->sk_receive_queue.lock); + skb = skb_peek(&sk->sk_receive_queue); +- error = put_user(skb ? skb->len : 0, +- (int __user *)argp) ? -EFAULT : 0; ++ amount = skb ? skb->len : 0; ++ spin_unlock_irq(&sk->sk_receive_queue.lock); ++ error = put_user(amount, (int __user *)argp) ? -EFAULT : 0; + goto done; + } + case SIOCGSTAMP: /* borrowed from IP */ +-- +2.43.0 + diff --git a/queue-4.19/atm-solos-pci-fix-potential-deadlock-on-cli_queue_lo.patch b/queue-4.19/atm-solos-pci-fix-potential-deadlock-on-cli_queue_lo.patch new file mode 100644 index 00000000000..4cc3441983a --- /dev/null +++ b/queue-4.19/atm-solos-pci-fix-potential-deadlock-on-cli_queue_lo.patch @@ -0,0 +1,55 @@ +From 649dc45e94a2889eaca07135c843605793755bfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Dec 2023 12:34:37 +0000 +Subject: atm: solos-pci: Fix potential deadlock on &cli_queue_lock + +From: Chengfeng Ye + +[ Upstream commit d5dba32b8f6cb39be708b726044ba30dbc088b30 ] + +As &card->cli_queue_lock is acquired under softirq context along the +following call chain from solos_bh(), other acquisition of the same +lock inside process context should disable at least bh to avoid double +lock. + + +console_show() +--> spin_lock(&card->cli_queue_lock) + + --> solos_bh() + --> spin_lock(&card->cli_queue_lock) + +This flaw was found by an experimental static analysis tool I am +developing for irq-related deadlock. + +To prevent the potential deadlock, the patch uses spin_lock_bh() +on the card->cli_queue_lock under process context code consistently +to prevent the possible deadlock scenario. + +Fixes: 9c54004ea717 ("atm: Driver for Solos PCI ADSL2+ card.") +Signed-off-by: Chengfeng Ye +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/solos-pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/atm/solos-pci.c b/drivers/atm/solos-pci.c +index 17283018269f0..95d8f1b8cf75f 100644 +--- a/drivers/atm/solos-pci.c ++++ b/drivers/atm/solos-pci.c +@@ -458,9 +458,9 @@ static ssize_t console_show(struct device *dev, struct device_attribute *attr, + struct sk_buff *skb; + unsigned int len; + +- spin_lock(&card->cli_queue_lock); ++ spin_lock_bh(&card->cli_queue_lock); + skb = skb_dequeue(&card->cli_queue[SOLOS_CHAN(atmdev)]); +- spin_unlock(&card->cli_queue_lock); ++ spin_unlock_bh(&card->cli_queue_lock); + if(skb == NULL) + return sprintf(buf, "No data.\n"); + +-- +2.43.0 + diff --git a/queue-4.19/atm-solos-pci-fix-potential-deadlock-on-tx_queue_loc.patch b/queue-4.19/atm-solos-pci-fix-potential-deadlock-on-tx_queue_loc.patch new file mode 100644 index 00000000000..5b589fd5ae6 --- /dev/null +++ b/queue-4.19/atm-solos-pci-fix-potential-deadlock-on-tx_queue_loc.patch @@ -0,0 +1,61 @@ +From 50f4379d3be14d571c5d800c2d1182cabe453648 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Dec 2023 12:34:53 +0000 +Subject: atm: solos-pci: Fix potential deadlock on &tx_queue_lock + +From: Chengfeng Ye + +[ Upstream commit 15319a4e8ee4b098118591c6ccbd17237f841613 ] + +As &card->tx_queue_lock is acquired under softirq context along the +following call chain from solos_bh(), other acquisition of the same +lock inside process context should disable at least bh to avoid double +lock. + + +pclose() +--> spin_lock(&card->tx_queue_lock) + + --> solos_bh() + --> fpga_tx() + --> spin_lock(&card->tx_queue_lock) + +This flaw was found by an experimental static analysis tool I am +developing for irq-related deadlock. + +To prevent the potential deadlock, the patch uses spin_lock_bh() +on &card->tx_queue_lock under process context code consistently to +prevent the possible deadlock scenario. + +Fixes: 213e85d38912 ("solos-pci: clean up pclose() function") +Signed-off-by: Chengfeng Ye +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/solos-pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/atm/solos-pci.c b/drivers/atm/solos-pci.c +index 95d8f1b8cf75f..60fd48f23c6df 100644 +--- a/drivers/atm/solos-pci.c ++++ b/drivers/atm/solos-pci.c +@@ -968,14 +968,14 @@ static void pclose(struct atm_vcc *vcc) + struct pkt_hdr *header; + + /* Remove any yet-to-be-transmitted packets from the pending queue */ +- spin_lock(&card->tx_queue_lock); ++ spin_lock_bh(&card->tx_queue_lock); + skb_queue_walk_safe(&card->tx_queue[port], skb, tmpskb) { + if (SKB_CB(skb)->vcc == vcc) { + skb_unlink(skb, &card->tx_queue[port]); + solos_pop(vcc, skb); + } + } +- spin_unlock(&card->tx_queue_lock); ++ spin_unlock_bh(&card->tx_queue_lock); + + skb = alloc_skb(sizeof(*header), GFP_KERNEL); + if (!skb) { +-- +2.43.0 + diff --git a/queue-4.19/driver-core-add-device-probe-log-helper.patch b/queue-4.19/driver-core-add-device-probe-log-helper.patch new file mode 100644 index 00000000000..50dec388fb9 --- /dev/null +++ b/queue-4.19/driver-core-add-device-probe-log-helper.patch @@ -0,0 +1,105 @@ +From aa5372119cc3e64850a2ebeaf59b983572cfa161 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jul 2020 16:43:21 +0200 +Subject: driver core: add device probe log helper + +From: Andrzej Hajda + +[ Upstream commit a787e5400a1ceeb0ef92d71ec43aeb35b1fa1334 ] + +During probe every time driver gets resource it should usually check for +error printk some message if it is not -EPROBE_DEFER and return the error. +This pattern is simple but requires adding few lines after any resource +acquisition code, as a result it is often omitted or implemented only +partially. +dev_err_probe helps to replace such code sequences with simple call, +so code: + if (err != -EPROBE_DEFER) + dev_err(dev, ...); + return err; +becomes: + return dev_err_probe(dev, err, ...); + +Signed-off-by: Andrzej Hajda +Reviewed-by: Rafael J. Wysocki +Reviewed-by: Mark Brown +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20200713144324.23654-2-a.hajda@samsung.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: e23c0d21ce92 ("net: stmmac: Handle disabled MDIO busses from devicetree") +Signed-off-by: Sasha Levin +--- + drivers/base/core.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + include/linux/device.h | 3 +++ + 2 files changed, 45 insertions(+) + +diff --git a/drivers/base/core.c b/drivers/base/core.c +index 6e380ad9d08ad..b66647277d524 100644 +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -3334,6 +3334,48 @@ define_dev_printk_level(_dev_info, KERN_INFO); + + #endif + ++/** ++ * dev_err_probe - probe error check and log helper ++ * @dev: the pointer to the struct device ++ * @err: error value to test ++ * @fmt: printf-style format string ++ * @...: arguments as specified in the format string ++ * ++ * This helper implements common pattern present in probe functions for error ++ * checking: print debug or error message depending if the error value is ++ * -EPROBE_DEFER and propagate error upwards. ++ * It replaces code sequence: ++ * if (err != -EPROBE_DEFER) ++ * dev_err(dev, ...); ++ * else ++ * dev_dbg(dev, ...); ++ * return err; ++ * with ++ * return dev_err_probe(dev, err, ...); ++ * ++ * Returns @err. ++ * ++ */ ++int dev_err_probe(const struct device *dev, int err, const char *fmt, ...) ++{ ++ struct va_format vaf; ++ va_list args; ++ ++ va_start(args, fmt); ++ vaf.fmt = fmt; ++ vaf.va = &args; ++ ++ if (err != -EPROBE_DEFER) ++ dev_err(dev, "error %d: %pV", err, &vaf); ++ else ++ dev_dbg(dev, "error %d: %pV", err, &vaf); ++ ++ va_end(args); ++ ++ return err; ++} ++EXPORT_SYMBOL_GPL(dev_err_probe); ++ + static inline bool fwnode_is_primary(struct fwnode_handle *fwnode) + { + return fwnode && !IS_ERR(fwnode->secondary); +diff --git a/include/linux/device.h b/include/linux/device.h +index bccd367c11de5..0714d6e5d500b 100644 +--- a/include/linux/device.h ++++ b/include/linux/device.h +@@ -1581,6 +1581,9 @@ do { \ + WARN_ONCE(condition, "%s %s: " format, \ + dev_driver_string(dev), dev_name(dev), ## arg) + ++extern __printf(3, 4) ++int dev_err_probe(const struct device *dev, int err, const char *fmt, ...); ++ + /* Create alias, so I can be autoloaded. */ + #define MODULE_ALIAS_CHARDEV(major,minor) \ + MODULE_ALIAS("char-major-" __stringify(major) "-" __stringify(minor)) +-- +2.43.0 + diff --git a/queue-4.19/net-prevent-mss-overflow-in-skb_segment.patch b/queue-4.19/net-prevent-mss-overflow-in-skb_segment.patch new file mode 100644 index 00000000000..294509e1b79 --- /dev/null +++ b/queue-4.19/net-prevent-mss-overflow-in-skb_segment.patch @@ -0,0 +1,117 @@ +From 25b9097fe309ea5e1cf2616fc5fc44a31414cd69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 16:46:21 +0000 +Subject: net: prevent mss overflow in skb_segment() + +From: Eric Dumazet + +[ Upstream commit 23d05d563b7e7b0314e65c8e882bc27eac2da8e7 ] + +Once again syzbot is able to crash the kernel in skb_segment() [1] + +GSO_BY_FRAGS is a forbidden value, but unfortunately the following +computation in skb_segment() can reach it quite easily : + + mss = mss * partial_segs; + +65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to +a bad final result. + +Make sure to limit segmentation so that the new mss value is smaller +than GSO_BY_FRAGS. + +[1] + +general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] +CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 +Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 +RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 +RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 +RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff +R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0 +R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046 +FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109 +ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120 +skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53 +__skb_gso_segment+0x339/0x710 net/core/gso.c:124 +skb_gso_segment include/net/gso.h:83 [inline] +validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626 +__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338 +dev_queue_xmit include/linux/netdevice.h:3134 [inline] +packet_xmit+0x257/0x380 net/packet/af_packet.c:276 +packet_snd net/packet/af_packet.c:3087 [inline] +packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x63/0x6b +RIP: 0033:0x7f8692032aa9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9 +RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003 +RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480 +R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003 + +Modules linked in: +---[ end trace 0000000000000000 ]--- +RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 +Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 +RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 +RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 +RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff +R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0 +R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046 +FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fixes: 3953c46c3ac7 ("sk_buff: allow segmenting based on frag sizes") +Signed-off-by: Eric Dumazet +Cc: Marcelo Ricardo Leitner +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20231212164621.4131800-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index e03cd719b86b7..c93662512d02e 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3625,8 +3625,9 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, + /* GSO partial only requires that we trim off any excess that + * doesn't fit into an MSS sized block, so take care of that + * now. ++ * Cap len to not accidentally hit GSO_BY_FRAGS. + */ +- partial_segs = len / mss; ++ partial_segs = min(len, GSO_BY_FRAGS - 1) / mss; + if (partial_segs > 1) + mss *= partial_segs; + else +-- +2.43.0 + diff --git a/queue-4.19/net-remove-acked-syn-flag-from-packet-in-the-transmi.patch b/queue-4.19/net-remove-acked-syn-flag-from-packet-in-the-transmi.patch new file mode 100644 index 00000000000..1ffb00ce611 --- /dev/null +++ b/queue-4.19/net-remove-acked-syn-flag-from-packet-in-the-transmi.patch @@ -0,0 +1,111 @@ +From 001762d3a8336588d37d5121c56e3552b66f8443 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Dec 2023 10:02:00 +0800 +Subject: net: Remove acked SYN flag from packet in the transmit queue + correctly + +From: Dong Chenchen + +[ Upstream commit f99cd56230f56c8b6b33713c5be4da5d6766be1f ] + +syzkaller report: + + kernel BUG at net/core/skbuff.c:3452! + invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc4-00009-gbee0e7762ad2-dirty #135 + RIP: 0010:skb_copy_and_csum_bits (net/core/skbuff.c:3452) + Call Trace: + icmp_glue_bits (net/ipv4/icmp.c:357) + __ip_append_data.isra.0 (net/ipv4/ip_output.c:1165) + ip_append_data (net/ipv4/ip_output.c:1362 net/ipv4/ip_output.c:1341) + icmp_push_reply (net/ipv4/icmp.c:370) + __icmp_send (./include/net/route.h:252 net/ipv4/icmp.c:772) + ip_fragment.constprop.0 (./include/linux/skbuff.h:1234 net/ipv4/ip_output.c:592 net/ipv4/ip_output.c:577) + __ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:295) + ip_output (net/ipv4/ip_output.c:427) + __ip_queue_xmit (net/ipv4/ip_output.c:535) + __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) + __tcp_retransmit_skb (net/ipv4/tcp_output.c:3387) + tcp_retransmit_skb (net/ipv4/tcp_output.c:3404) + tcp_retransmit_timer (net/ipv4/tcp_timer.c:604) + tcp_write_timer (./include/linux/spinlock.h:391 net/ipv4/tcp_timer.c:716) + +The panic issue was trigered by tcp simultaneous initiation. +The initiation process is as follows: + + TCP A TCP B + + 1. CLOSED CLOSED + + 2. SYN-SENT --> ... + + 3. SYN-RECEIVED <-- <-- SYN-SENT + + 4. ... --> SYN-RECEIVED + + 5. SYN-RECEIVED --> ... + + // TCP B: not send challenge ack for ack limit or packet loss + // TCP A: close + tcp_close + tcp_send_fin + if (!tskb && tcp_under_memory_pressure(sk)) + tskb = skb_rb_last(&sk->tcp_rtx_queue); //pick SYN_ACK packet + TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN; // set FIN flag + + 6. FIN_WAIT_1 --> ... + + // TCP B: send challenge ack to SYN_FIN_ACK + + 7. ... <-- SYN-RECEIVED //challenge ack + + // TCP A: + + 8. FIN_WAIT_1 --> ... // retransmit panic + + __tcp_retransmit_skb //skb->len=0 + tcp_trim_head + len = tp->snd_una - TCP_SKB_CB(skb)->seq // len=101-100 + __pskb_trim_head + skb->data_len -= len // skb->len=-1, wrap around + ... ... + ip_fragment + icmp_glue_bits //BUG_ON + +If we use tcp_trim_head() to remove acked SYN from packet that contains data +or other flags, skb->len will be incorrectly decremented. We can remove SYN +flag that has been acked from rtx_queue earlier than tcp_trim_head(), which +can fix the problem mentioned above. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Eric Dumazet +Signed-off-by: Eric Dumazet +Signed-off-by: Dong Chenchen +Link: https://lore.kernel.org/r/20231210020200.1539875-1-dongchenchen2@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_output.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index a0875dc60e08f..670804d4c1690 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2890,7 +2890,13 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs) + if (skb_still_in_host_queue(sk, skb)) + return -EBUSY; + ++start: + if (before(TCP_SKB_CB(skb)->seq, tp->snd_una)) { ++ if (unlikely(TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)) { ++ TCP_SKB_CB(skb)->tcp_flags &= ~TCPHDR_SYN; ++ TCP_SKB_CB(skb)->seq++; ++ goto start; ++ } + if (unlikely(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))) { + WARN_ON_ONCE(1); + return -EINVAL; +-- +2.43.0 + diff --git a/queue-4.19/net-rose-fix-use-after-free-in-rose_ioctl.patch b/queue-4.19/net-rose-fix-use-after-free-in-rose_ioctl.patch new file mode 100644 index 00000000000..433965d2669 --- /dev/null +++ b/queue-4.19/net-rose-fix-use-after-free-in-rose_ioctl.patch @@ -0,0 +1,48 @@ +From 515502309030830fd5982ba73aec41d64506cd21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Dec 2023 05:05:38 -0500 +Subject: net/rose: Fix Use-After-Free in rose_ioctl + +From: Hyunwoo Kim + +[ Upstream commit 810c38a369a0a0ce625b5c12169abce1dd9ccd53 ] + +Because rose_ioctl() accesses sk->sk_receive_queue +without holding a sk->sk_receive_queue.lock, it can +cause a race with rose_accept(). +A use-after-free for skb occurs with the following flow. +``` +rose_ioctl() -> skb_peek() +rose_accept() -> skb_dequeue() -> kfree_skb() +``` +Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Link: https://lore.kernel.org/r/20231209100538.GA407321@v4bel-B760M-AORUS-ELITE-AX +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index 4edd127bb8928..d32fb40650a75 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -1308,9 +1308,11 @@ static int rose_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) + case TIOCINQ: { + struct sk_buff *skb; + long amount = 0L; +- /* These two are safe on a single CPU system as only user tasks fiddle here */ ++ ++ spin_lock_irq(&sk->sk_receive_queue.lock); + if ((skb = skb_peek(&sk->sk_receive_queue)) != NULL) + amount = skb->len; ++ spin_unlock_irq(&sk->sk_receive_queue.lock); + return put_user(amount, (unsigned int __user *) argp); + } + +-- +2.43.0 + diff --git a/queue-4.19/net-stmmac-handle-disabled-mdio-busses-from-devicetr.patch b/queue-4.19/net-stmmac-handle-disabled-mdio-busses-from-devicetr.patch new file mode 100644 index 00000000000..11b6c70568d --- /dev/null +++ b/queue-4.19/net-stmmac-handle-disabled-mdio-busses-from-devicetr.patch @@ -0,0 +1,45 @@ +From df0139bec42776272097df5993659d24b634b668 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 16:18:33 -0600 +Subject: net: stmmac: Handle disabled MDIO busses from devicetree + +From: Andrew Halaney + +[ Upstream commit e23c0d21ce9234fbc31ece35663ababbb83f9347 ] + +Many hardware configurations have the MDIO bus disabled, and are instead +using some other MDIO bus to talk to the MAC's phy. + +of_mdiobus_register() returns -ENODEV in this case. Let's handle it +gracefully instead of failing to probe the MAC. + +Fixes: 47dd7a540b8a ("net: add support for STMicroelectronics Ethernet controllers.") +Signed-off-by: Andrew Halaney +Reviewed-by: Serge Semin +Link: https://lore.kernel.org/r/20231212-b4-stmmac-handle-mdio-enodev-v2-1-600171acf79f@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +index f84dd3dcbe3f4..f7ad9172d1fb8 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +@@ -360,7 +360,11 @@ int stmmac_mdio_register(struct net_device *ndev) + new_bus->parent = priv->device; + + err = of_mdiobus_register(new_bus, mdio_node); +- if (err != 0) { ++ if (err == -ENODEV) { ++ err = 0; ++ dev_info(dev, "MDIO bus is disabled\n"); ++ goto bus_register_fail; ++ } else if (err) { + dev_err_probe(dev, err, "Cannot register the MDIO bus\n"); + goto bus_register_fail; + } +-- +2.43.0 + diff --git a/queue-4.19/net-stmmac-use-dev_err_probe-for-reporting-mdio-bus-.patch b/queue-4.19/net-stmmac-use-dev_err_probe-for-reporting-mdio-bus-.patch new file mode 100644 index 00000000000..24f6938ba06 --- /dev/null +++ b/queue-4.19/net-stmmac-use-dev_err_probe-for-reporting-mdio-bus-.patch @@ -0,0 +1,68 @@ +From 28b92d837c6dd2fd39360d6d6c6bfb01cfb33230 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 09:48:40 +0200 +Subject: net: stmmac: use dev_err_probe() for reporting mdio bus registration + failure + +From: Rasmus Villemoes + +[ Upstream commit 839612d23ffd933174db911ce56dc3f3ca883ec5 ] + +I have a board where these two lines are always printed during boot: + + imx-dwmac 30bf0000.ethernet: Cannot register the MDIO bus + imx-dwmac 30bf0000.ethernet: stmmac_dvr_probe: MDIO bus (id: 1) registration failed + +It's perfectly fine, and the device is successfully (and silently, as +far as the console goes) probed later. + +Use dev_err_probe() instead, which will demote these messages to debug +level (thus removing the alarming messages from the console) when the +error is -EPROBE_DEFER, and also has the advantage of including the +error code if/when it happens to be something other than -EPROBE_DEFER. + +While here, add the missing \n to one of the format strings. + +Signed-off-by: Rasmus Villemoes +Link: https://lore.kernel.org/r/20220602074840.1143360-1-linux@rasmusvillemoes.dk +Signed-off-by: Jakub Kicinski +Stable-dep-of: e23c0d21ce92 ("net: stmmac: Handle disabled MDIO busses from devicetree") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 +++--- + drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 3e35cdf0d2b76..940eff518ef9e 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -4427,9 +4427,9 @@ int stmmac_dvr_probe(struct device *device, + /* MDIO bus Registration */ + ret = stmmac_mdio_register(ndev); + if (ret < 0) { +- dev_err(priv->device, +- "%s: MDIO bus (id: %d) registration failed", +- __func__, priv->plat->bus_id); ++ dev_err_probe(priv->device, ret, ++ "%s: MDIO bus (id: %d) registration failed\n", ++ __func__, priv->plat->bus_id); + goto error_mdio_register; + } + } +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +index 093a223fe4088..f84dd3dcbe3f4 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +@@ -361,7 +361,7 @@ int stmmac_mdio_register(struct net_device *ndev) + + err = of_mdiobus_register(new_bus, mdio_node); + if (err != 0) { +- dev_err(dev, "Cannot register the MDIO bus\n"); ++ dev_err_probe(dev, err, "Cannot register the MDIO bus\n"); + goto bus_register_fail; + } + +-- +2.43.0 + diff --git a/queue-4.19/qca_debug-fix-ethtool-g-iface-tx-behavior.patch b/queue-4.19/qca_debug-fix-ethtool-g-iface-tx-behavior.patch new file mode 100644 index 00000000000..c72ed201542 --- /dev/null +++ b/queue-4.19/qca_debug-fix-ethtool-g-iface-tx-behavior.patch @@ -0,0 +1,80 @@ +From 4791ca8dfce063ee35ad6a83fb4532cb5edcf817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 15:12:21 +0100 +Subject: qca_debug: Fix ethtool -G iface tx behavior + +From: Stefan Wahren + +[ Upstream commit 96a7e861d9e04d07febd3011c30cd84cd141d81f ] + +After calling ethtool -g it was not possible to adjust the TX ring +size again: + + # ethtool -g eth1 + Ring parameters for eth1: + Pre-set maximums: + RX: 4 + RX Mini: n/a + RX Jumbo: n/a + TX: 10 + Current hardware settings: + RX: 4 + RX Mini: n/a + RX Jumbo: n/a + TX: 10 + # ethtool -G eth1 tx 8 + netlink error: Invalid argument + +The reason for this is that the readonly setting rx_pending get +initialized and after that the range check in qcaspi_set_ringparam() +fails regardless of the provided parameter. So fix this by accepting +the exposed RX defaults. Instead of adding another magic number +better use a new define here. + +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Suggested-by: Paolo Abeni +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20231206141222.52029-3-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_debug.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_debug.c b/drivers/net/ethernet/qualcomm/qca_debug.c +index 26b0ca7a7b43d..b650b6a5e8718 100644 +--- a/drivers/net/ethernet/qualcomm/qca_debug.c ++++ b/drivers/net/ethernet/qualcomm/qca_debug.c +@@ -30,6 +30,8 @@ + + #define QCASPI_MAX_REGS 0x20 + ++#define QCASPI_RX_MAX_FRAMES 4 ++ + static const u16 qcaspi_spi_regs[] = { + SPI_REG_BFR_SIZE, + SPI_REG_WRBUF_SPC_AVA, +@@ -266,9 +268,9 @@ qcaspi_get_ringparam(struct net_device *dev, struct ethtool_ringparam *ring) + { + struct qcaspi *qca = netdev_priv(dev); + +- ring->rx_max_pending = 4; ++ ring->rx_max_pending = QCASPI_RX_MAX_FRAMES; + ring->tx_max_pending = TX_RING_MAX_LEN; +- ring->rx_pending = 4; ++ ring->rx_pending = QCASPI_RX_MAX_FRAMES; + ring->tx_pending = qca->txr.count; + } + +@@ -277,7 +279,7 @@ qcaspi_set_ringparam(struct net_device *dev, struct ethtool_ringparam *ring) + { + struct qcaspi *qca = netdev_priv(dev); + +- if ((ring->rx_pending) || ++ if (ring->rx_pending != QCASPI_RX_MAX_FRAMES || + (ring->rx_mini_pending) || + (ring->rx_jumbo_pending)) + return -EINVAL; +-- +2.43.0 + diff --git a/queue-4.19/qca_debug-prevent-crash-on-tx-ring-changes.patch b/queue-4.19/qca_debug-prevent-crash-on-tx-ring-changes.patch new file mode 100644 index 00000000000..cd515584367 --- /dev/null +++ b/queue-4.19/qca_debug-prevent-crash-on-tx-ring-changes.patch @@ -0,0 +1,86 @@ +From 84e580ccd7e80ae4bbf82aa68b2b755702b3feea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 15:12:20 +0100 +Subject: qca_debug: Prevent crash on TX ring changes + +From: Stefan Wahren + +[ Upstream commit f4e6064c97c050bd9904925ff7d53d0c9954fc7b ] + +The qca_spi driver stop and restart the SPI kernel thread +(via ndo_stop & ndo_open) in case of TX ring changes. This is +a big issue because it allows userspace to prevent restart of +the SPI kernel thread (via signals). A subsequent change of +TX ring wrongly assume a valid spi_thread pointer which result +in a crash. + +So prevent this by stopping the network traffic handling and +temporary park the SPI thread. + +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20231206141222.52029-2-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_debug.c | 9 ++++----- + drivers/net/ethernet/qualcomm/qca_spi.c | 12 ++++++++++++ + 2 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_debug.c b/drivers/net/ethernet/qualcomm/qca_debug.c +index 51d89c86e60f5..26b0ca7a7b43d 100644 +--- a/drivers/net/ethernet/qualcomm/qca_debug.c ++++ b/drivers/net/ethernet/qualcomm/qca_debug.c +@@ -275,7 +275,6 @@ qcaspi_get_ringparam(struct net_device *dev, struct ethtool_ringparam *ring) + static int + qcaspi_set_ringparam(struct net_device *dev, struct ethtool_ringparam *ring) + { +- const struct net_device_ops *ops = dev->netdev_ops; + struct qcaspi *qca = netdev_priv(dev); + + if ((ring->rx_pending) || +@@ -283,14 +282,14 @@ qcaspi_set_ringparam(struct net_device *dev, struct ethtool_ringparam *ring) + (ring->rx_jumbo_pending)) + return -EINVAL; + +- if (netif_running(dev)) +- ops->ndo_stop(dev); ++ if (qca->spi_thread) ++ kthread_park(qca->spi_thread); + + qca->txr.count = max_t(u32, ring->tx_pending, TX_RING_MIN_LEN); + qca->txr.count = min_t(u16, qca->txr.count, TX_RING_MAX_LEN); + +- if (netif_running(dev)) +- ops->ndo_open(dev); ++ if (qca->spi_thread) ++ kthread_unpark(qca->spi_thread); + + return 0; + } +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 3e6095f0cb5f5..656e2955fb792 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -552,6 +552,18 @@ qcaspi_spi_thread(void *data) + netdev_info(qca->net_dev, "SPI thread created\n"); + while (!kthread_should_stop()) { + set_current_state(TASK_INTERRUPTIBLE); ++ if (kthread_should_park()) { ++ netif_tx_disable(qca->net_dev); ++ netif_carrier_off(qca->net_dev); ++ qcaspi_flush_tx_ring(qca); ++ kthread_parkme(); ++ if (qca->sync == QCASPI_SYNC_READY) { ++ netif_carrier_on(qca->net_dev); ++ netif_wake_queue(qca->net_dev); ++ } ++ continue; ++ } ++ + if ((qca->intr_req == qca->intr_svc) && + !qca->txr.skb[qca->txr.head]) + schedule(); +-- +2.43.0 + diff --git a/queue-4.19/qca_spi-fix-reset-behavior.patch b/queue-4.19/qca_spi-fix-reset-behavior.patch new file mode 100644 index 00000000000..f64a3d5a675 --- /dev/null +++ b/queue-4.19/qca_spi-fix-reset-behavior.patch @@ -0,0 +1,51 @@ +From 2cadd094892005458abb2ecf83825f4fc48c6293 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 15:12:22 +0100 +Subject: qca_spi: Fix reset behavior + +From: Stefan Wahren + +[ Upstream commit 1057812d146dd658c9a9a96d869c2551150207b5 ] + +In case of a reset triggered by the QCA7000 itself, the behavior of the +qca_spi driver was not quite correct: +- in case of a pending RX frame decoding the drop counter must be + incremented and decoding state machine reseted +- also the reset counter must always be incremented regardless of sync + state + +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20231206141222.52029-4-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 656e2955fb792..c4a826176f3ab 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -592,11 +592,17 @@ qcaspi_spi_thread(void *data) + if (intr_cause & SPI_INT_CPU_ON) { + qcaspi_qca7k_sync(qca, QCASPI_EVENT_CPUON); + ++ /* Frame decoding in progress */ ++ if (qca->frm_handle.state != qca->frm_handle.init) ++ qca->net_dev->stats.rx_dropped++; ++ ++ qcafrm_fsm_init_spi(&qca->frm_handle); ++ qca->stats.device_reset++; ++ + /* not synced. */ + if (qca->sync != QCASPI_SYNC_READY) + continue; + +- qca->stats.device_reset++; + netif_wake_queue(qca->net_dev); + netif_carrier_on(qca->net_dev); + } +-- +2.43.0 + diff --git a/queue-4.19/qed-fix-a-potential-use-after-free-in-qed_cxt_tables.patch b/queue-4.19/qed-fix-a-potential-use-after-free-in-qed_cxt_tables.patch new file mode 100644 index 00000000000..a5d965fffee --- /dev/null +++ b/queue-4.19/qed-fix-a-potential-use-after-free-in-qed_cxt_tables.patch @@ -0,0 +1,41 @@ +From a48e6a5d478defed6375609f959507ee119314d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Dec 2023 12:52:55 +0800 +Subject: qed: Fix a potential use-after-free in qed_cxt_tables_alloc + +From: Dinghao Liu + +[ Upstream commit b65d52ac9c085c0c52dee012a210d4e2f352611b ] + +qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to +free p_hwfn->p_cxt_mngr->ilt_shadow on error. However, +qed_cxt_tables_alloc() accesses the freed pointer on failure +of qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(), +which may lead to use-after-free. Fix this issue by setting +p_mngr->ilt_shadow to NULL in qed_ilt_shadow_free(). + +Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support") +Reviewed-by: Przemek Kitszel +Signed-off-by: Dinghao Liu +Link: https://lore.kernel.org/r/20231210045255.21383-1-dinghao.liu@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_cxt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c +index 734462f8d881c..88232a6a4584d 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c +@@ -1024,6 +1024,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn) + p_dma->p_virt = NULL; + } + kfree(p_mngr->ilt_shadow); ++ p_mngr->ilt_shadow = NULL; + } + + static int qed_ilt_blk_alloc(struct qed_hwfn *p_hwfn, +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..7c226c5acd8 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,16 @@ +qca_debug-prevent-crash-on-tx-ring-changes.patch +qca_debug-fix-ethtool-g-iface-tx-behavior.patch +qca_spi-fix-reset-behavior.patch +atm-solos-pci-fix-potential-deadlock-on-cli_queue_lo.patch +atm-solos-pci-fix-potential-deadlock-on-tx_queue_loc.patch +atm-fix-use-after-free-in-do_vcc_ioctl.patch +net-rose-fix-use-after-free-in-rose_ioctl.patch +qed-fix-a-potential-use-after-free-in-qed_cxt_tables.patch +net-remove-acked-syn-flag-from-packet-in-the-transmi.patch +sign-file-fix-incorrect-return-values-check.patch +vsock-virtio-fix-unsigned-integer-wrap-around-in-vir.patch +net-prevent-mss-overflow-in-skb_segment.patch +driver-core-add-device-probe-log-helper.patch +net-stmmac-use-dev_err_probe-for-reporting-mdio-bus-.patch +net-stmmac-handle-disabled-mdio-busses-from-devicetr.patch +appletalk-fix-use-after-free-in-atalk_ioctl.patch diff --git a/queue-4.19/sign-file-fix-incorrect-return-values-check.patch b/queue-4.19/sign-file-fix-incorrect-return-values-check.patch new file mode 100644 index 00000000000..cffdba353f9 --- /dev/null +++ b/queue-4.19/sign-file-fix-incorrect-return-values-check.patch @@ -0,0 +1,79 @@ +From ede90a361c63ece855025bef8f35321d5735ee28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 10:31:10 +0000 +Subject: sign-file: Fix incorrect return values check + +From: Yusong Gao + +[ Upstream commit 829649443e78d85db0cff0c37cadb28fbb1a5f6f ] + +There are some wrong return values check in sign-file when call OpenSSL +API. The ERR() check cond is wrong because of the program only check the +return value is < 0 which ignored the return val is 0. For example: +1. CMS_final() return 1 for success or 0 for failure. +2. i2d_CMS_bio_stream() returns 1 for success or 0 for failure. +3. i2d_TYPEbio() return 1 for success and 0 for failure. +4. BIO_free() return 1 for success and 0 for failure. + +Link: https://www.openssl.org/docs/manmaster/man3/ +Fixes: e5a2e3c84782 ("scripts/sign-file.c: Add support for signing with a raw signature") +Signed-off-by: Yusong Gao +Reviewed-by: Juerg Haefliger +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20231213024405.624692-1-a869920004@gmail.com/ # v5 +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + scripts/sign-file.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/scripts/sign-file.c b/scripts/sign-file.c +index 7434e9ea926e2..12acc70e5a7a5 100644 +--- a/scripts/sign-file.c ++++ b/scripts/sign-file.c +@@ -322,7 +322,7 @@ int main(int argc, char **argv) + CMS_NOSMIMECAP | use_keyid | + use_signed_attrs), + "CMS_add1_signer"); +- ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0, ++ ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) != 1, + "CMS_final"); + + #else +@@ -341,10 +341,10 @@ int main(int argc, char **argv) + b = BIO_new_file(sig_file_name, "wb"); + ERR(!b, "%s", sig_file_name); + #ifndef USE_PKCS7 +- ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0, ++ ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) != 1, + "%s", sig_file_name); + #else +- ERR(i2d_PKCS7_bio(b, pkcs7) < 0, ++ ERR(i2d_PKCS7_bio(b, pkcs7) != 1, + "%s", sig_file_name); + #endif + BIO_free(b); +@@ -374,9 +374,9 @@ int main(int argc, char **argv) + + if (!raw_sig) { + #ifndef USE_PKCS7 +- ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name); ++ ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) != 1, "%s", dest_name); + #else +- ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name); ++ ERR(i2d_PKCS7_bio(bd, pkcs7) != 1, "%s", dest_name); + #endif + } else { + BIO *b; +@@ -396,7 +396,7 @@ int main(int argc, char **argv) + ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name); + ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name); + +- ERR(BIO_free(bd) < 0, "%s", dest_name); ++ ERR(BIO_free(bd) != 1, "%s", dest_name); + + /* Finally, if we're signing in place, replace the original. */ + if (replace_orig) +-- +2.43.0 + diff --git a/queue-4.19/vsock-virtio-fix-unsigned-integer-wrap-around-in-vir.patch b/queue-4.19/vsock-virtio-fix-unsigned-integer-wrap-around-in-vir.patch new file mode 100644 index 00000000000..91ca07646b7 --- /dev/null +++ b/queue-4.19/vsock-virtio-fix-unsigned-integer-wrap-around-in-vir.patch @@ -0,0 +1,41 @@ +From c31da294e92c36305029e0312db351bfda60f1c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 19:23:17 +0300 +Subject: vsock/virtio: Fix unsigned integer wrap around in + virtio_transport_has_space() + +From: Nikolay Kuratov + +[ Upstream commit 60316d7f10b17a7ebb1ead0642fee8710e1560e0 ] + +We need to do signed arithmetic if we expect condition +`if (bytes < 0)` to be possible + +Found by Linux Verification Center (linuxtesting.org) with SVACE + +Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko") +Signed-off-by: Nikolay Kuratov +Reviewed-by: Stefano Garzarella +Link: https://lore.kernel.org/r/20231211162317.4116625-1-kniv@yandex-team.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 449b5261e6610..187d0f7253a6f 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -348,7 +348,7 @@ static s64 virtio_transport_has_space(struct vsock_sock *vsk) + struct virtio_vsock_sock *vvs = vsk->trans; + s64 bytes; + +- bytes = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); ++ bytes = (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); + if (bytes < 0) + bytes = 0; + +-- +2.43.0 +