From: Greg Kroah-Hartman Date: Sat, 9 Sep 2023 12:44:35 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v6.1.53~98 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=715861f9e081900dc3b76ee8a8c9c6bcf76cb87f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch netfilter-xt_sctp-validate-the-flag_info-count.patch netfilter-xt_u32-validate-user-space-input.patch pm-devfreq-fix-leak-in-devfreq_dev_release.patch
---
diff --git a/queue-4.14/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch b/queue-4.14/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch
new file mode 100644
index 00000000000..ab7ef10e4c0
--- /dev/null
+++ b/queue-4.14/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch
@@ -0,0 +1,49 @@
+From 358040e3807754944dbddf948a23c6d914297ed7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 29 Aug 2023 15:43:44 +0200
+Subject: ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
+
+From: Takashi Iwai
+
+commit 358040e3807754944dbddf948a23c6d914297ed7 upstream.
+
+The update of rate_num/den and msbits were factored out to
+fixup_unreferenced_params() function to be called explicitly after the
+hw_refine or hw_params procedure. It's called from
+snd_pcm_hw_refine_user(), but it's forgotten in the PCM compat ioctl.
+This ended up with the incomplete rate_num/den and msbits parameters
+when 32bit compat ioctl is used.
+
+This patch adds the missing call in snd_pcm_ioctl_hw_params_compat().
+
+Reported-by: Meng_Cai@novatek.com.cn
+Fixes: f9a076bff053 ("ALSA: pcm: calculate non-mask/non-interval parameters always when possible")
+Reviewed-by: Takashi Sakamoto
+Reviewed-by: Jaroslav Kysela
+Cc:
+Link: https://lore.kernel.org/r/20230829134344.31588-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/pcm_compat.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -335,10 +335,14 @@ static int snd_pcm_ioctl_hw_params_compa
+ goto error;
+ }
+
+- if (refine)
++ if (refine) {
+ err = snd_pcm_hw_refine(substream, data);
+- else
++ if (err < 0)
++ goto error;
++ err = fixup_unreferenced_params(substream, data);
++ } else {
+ err = snd_pcm_hw_params(substream, data);
++ }
+ if (err < 0)
+ goto error;
+ if (copy_to_user(data32, data, sizeof(*data32)) ||
diff --git a/queue-4.14/arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch b/queue-4.14/arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch
new file mode 100644
index 00000000000..55c4246749a
--- /dev/null
+++ b/queue-4.14/arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch
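Review bot: In the `snd_pcm_ioctl_hw_params_compat()` hunk of sound/core/pcm_compat.c, the new refine branch carries no comment tying it to the native path, although the commit message says the bug arose because the fixup call was present in `snd_pcm_hw_refine_user()` and forgotten here. I would add above `if (refine) {` a comment such as `/* mirror snd_pcm_hw_refine_user(): refine, then fixup_unreferenced_params() */` so the two sequences are kept in step. The function starts and ends outside the hunk, so whether `data` is otherwise handled the same way as on the native path cannot be confirmed from these lines.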
@@ -0,0 +1,45 @@
+From 847fb80cc01a54bc827b02547bb8743bdb59ddab Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Wed, 7 Jun 2023 22:12:11 -0600
+Subject: ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
+
+From: Gustavo A. R. Silva
+
+commit 847fb80cc01a54bc827b02547bb8743bdb59ddab upstream.
+
+If function pwrdm_read_prev_pwrst() returns -EINVAL, we will end
+up accessing array pwrdm->state_counter through negative index
+-22. This is wrong and the compiler is legitimately warning us
+about this potential problem.
+
+Fix this by sanity checking the value stored in variable _prev_
+before accessing array pwrdm->state_counter.
+
+Address the following -Warray-bounds warning:
+arch/arm/mach-omap2/powerdomain.c:178:45: warning: array subscript -22 is below array bounds of 'unsigned int[4]' [-Warray-bounds]
+
+Link: https://github.com/KSPP/linux/issues/307
+Fixes: ba20bb126940 ("OMAP: PM counter infrastructure.")
+Cc: stable@vger.kernel.org
+Reported-by: kernel test robot
+Link: https://lore.kernel.org/lkml/20230607050639.LzbPn%25lkp@intel.com/
+Signed-off-by: Gustavo A. R. Silva
+Message-ID:
+Acked-by: Ard Biesheuvel
+Signed-off-by: Tony Lindgren
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-omap2/powerdomain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-omap2/powerdomain.c
++++ b/arch/arm/mach-omap2/powerdomain.c
+@@ -173,7 +173,7 @@ static int _pwrdm_state_switch(struct po
+ break;
+ case PWRDM_STATE_PREV:
+ prev = pwrdm_read_prev_pwrst(pwrdm);
+- if (pwrdm->state != prev)
++ if (prev >= 0 && pwrdm->state != prev)
+ pwrdm->state_counter[prev]++;
+ if (prev == PWRDM_POWER_RET)
+ _update_logic_membank_counters(pwrdm);
diff --git a/queue-4.14/igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch b/queue-4.14/igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch
new file mode 100644
index 00000000000..36d49006e1b
--- /dev/null
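Review bot: The new guard in `_pwrdm_state_switch()` (arch/arm/mach-omap2/powerdomain.c) rejects only a negative `prev`; a value at or above the array length would still index past `pwrdm->state_counter`, which the quoted warning shows to be `unsigned int[4]`. Whether `pwrdm_read_prev_pwrst()` can ever return such a value is not visible in this hunk, but bounding both sides makes the access safe regardless of the platform callback: `if (prev >= 0 && prev < (int)ARRAY_SIZE(pwrdm->state_counter) && pwrdm->state != prev)`. A failed read is also skipped silently, so a one-line comment saying that a negative `prev` is an error code and is deliberately not counted would help the next reader. The switch statement continues outside the hunk.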
+++ b/queue-4.14/igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch
@@ -0,0 +1,52 @@
+From bb5ed01cd2428cd25b1c88a3a9cba87055eb289f Mon Sep 17 00:00:00 2001
+From: Radoslaw Tyl
+Date: Thu, 24 Aug 2023 13:46:19 -0700
+Subject: igb: set max size RX buffer when store bad packet is enabled
+
+From: Radoslaw Tyl
+
+commit bb5ed01cd2428cd25b1c88a3a9cba87055eb289f upstream.
+
+Increase the RX buffer size to 3K when the SBP bit is on. The size of
+the RX buffer determines the number of pages allocated which may not
+be sufficient for receive frames larger than the set MTU size.
+
+Cc: stable@vger.kernel.org
+Fixes: 89eaefb61dc9 ("igb: Support RX-ALL feature flag.")
+Reported-by: Manfred Rudigier
+Signed-off-by: Radoslaw Tyl
+Tested-by: Arpana Arland (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3856,6 +3856,10 @@ void igb_configure_rx_ring(struct igb_ad
+ static void igb_set_rx_buffer_len(struct igb_adapter *adapter,
+ struct igb_ring *rx_ring)
+ {
++#if (PAGE_SIZE < 8192)
++ struct e1000_hw *hw = &adapter->hw;
++#endif
++
+ /* set build_skb and buffer size flags */
+ clear_ring_build_skb_enabled(rx_ring);
+ clear_ring_uses_large_buffer(rx_ring);
+@@ -3866,10 +3870,9 @@ static void igb_set_rx_buffer_len(struct
+ set_ring_build_skb_enabled(rx_ring);
+
+ #if (PAGE_SIZE < 8192)
+- if (adapter->max_frame_size <= IGB_MAX_FRAME_BUILD_SKB)
+- return;
+-
+- set_ring_uses_large_buffer(rx_ring);
++ if (adapter->max_frame_size > IGB_MAX_FRAME_BUILD_SKB ||
++ rd32(E1000_RCTL) & E1000_RCTL_SBP)
++ set_ring_uses_large_buffer(rx_ring);
+ #endif
+ }
+
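Review bot: In `igb_set_rx_buffer_len()` (drivers/net/ethernet/intel/igb/igb_main.c) the large-buffer decision now depends on a live read of `E1000_RCTL`, so it is correct only if RCTL has already been programmed with the SBP bit by the time this function runs. That ordering is not visible in the hunk and deserves a comment above the test, e.g. `/* RCTL must already reflect RX-ALL/SBP here: with SBP set, frames larger than max_frame_size can be received */`. The `hw` local looks unused on its own and presumably exists only because `rd32()` refers to it implicitly, which is worth a short comment as well. For readability I would also parenthesise the bit test: `(rd32(E1000_RCTL) & E1000_RCTL_SBP)`.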
diff --git a/queue-4.14/netfilter-xt_sctp-validate-the-flag_info-count.patch b/queue-4.14/netfilter-xt_sctp-validate-the-flag_info-count.patch
new file mode 100644
index 00000000000..68fc69456f8
--- /dev/null
+++ b/queue-4.14/netfilter-xt_sctp-validate-the-flag_info-count.patch
@@ -0,0 +1,36 @@
+From e99476497687ef9e850748fe6d232264f30bc8f9 Mon Sep 17 00:00:00 2001
+From: Wander Lairson Costa
+Date: Mon, 28 Aug 2023 19:12:55 -0300
+Subject: netfilter: xt_sctp: validate the flag_info count
+
+From: Wander Lairson Costa
+
+commit e99476497687ef9e850748fe6d232264f30bc8f9 upstream.
+
+sctp_mt_check doesn't validate the flag_count field. An attacker can
+take advantage of that to trigger a OOB read and leak memory
+information.
+
+Add the field validation in the checkentry function.
+
+Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables")
+Cc: stable@vger.kernel.org
+Reported-by: Lucas Leong
+Signed-off-by: Wander Lairson Costa
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/xt_sctp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/xt_sctp.c
++++ b/net/netfilter/xt_sctp.c
+@@ -149,6 +149,8 @@ static int sctp_mt_check(const struct xt
+ {
+ const struct xt_sctp_info *info = par->matchinfo;
+
++ if (info->flag_count > ARRAY_SIZE(info->flag_info))
++ return -EINVAL;
+ if (info->flags & ~XT_SCTP_VALID_FLAGS)
+ return -EINVAL;
+ if (info->invflags & ~XT_SCTP_VALID_FLAGS)
diff --git a/queue-4.14/netfilter-xt_u32-validate-user-space-input.patch b/queue-4.14/netfilter-xt_u32-validate-user-space-input.patch
new file mode 100644
index 00000000000..294b413525d
--- /dev/null
+++ b/queue-4.14/netfilter-xt_u32-validate-user-space-input.patch
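Review bot: The added check in `sctp_mt_check()` (net/netfilter/xt_sctp.c) relies on an implicit conversion if `flag_count` is a signed field; its declaration is outside the hunk, so this is to be confirmed. In that case a negative count is rejected only because the comparison against `ARRAY_SIZE()` is carried out unsigned, which is correct but easy to break in a later edit. A comment would pin the intent, e.g. `/* flag_count comes from user space; the unsigned compare also rejects negative values */`. The rest of the function runs past the end of the hunk.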
@@ -0,0 +1,61 @@
+From 69c5d284f67089b4750d28ff6ac6f52ec224b330 Mon Sep 17 00:00:00 2001
+From: Wander Lairson Costa
+Date: Mon, 28 Aug 2023 10:21:07 -0300
+Subject: netfilter: xt_u32: validate user space input
+
+From: Wander Lairson Costa
+
+commit 69c5d284f67089b4750d28ff6ac6f52ec224b330 upstream.
+
+The xt_u32 module doesn't validate the fields in the xt_u32 structure.
+An attacker may take advantage of this to trigger an OOB read by setting
+the size fields with a value beyond the arrays boundaries.
+
+Add a checkentry function to validate the structure.
+
+This was originally reported by the ZDI project (ZDI-CAN-18408).
+
+Fixes: 1b50b8a371e9 ("[NETFILTER]: Add u32 match")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wander Lairson Costa
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/xt_u32.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/net/netfilter/xt_u32.c
++++ b/net/netfilter/xt_u32.c
+@@ -95,11 +95,32 @@ static bool u32_mt(const struct sk_buff
+ return ret ^ data->invert;
+ }
+
++static int u32_mt_checkentry(const struct xt_mtchk_param *par)
++{
++ const struct xt_u32 *data = par->matchinfo;
++ const struct xt_u32_test *ct;
++ unsigned int i;
++
++ if (data->ntests > ARRAY_SIZE(data->tests))
++ return -EINVAL;
++
++ for (i = 0; i < data->ntests; ++i) {
++ ct = &data->tests[i];
++
++ if (ct->nnums > ARRAY_SIZE(ct->location) ||
++ ct->nvalues > ARRAY_SIZE(ct->value))
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ static struct xt_match xt_u32_mt_reg __read_mostly = {
+ .name = "u32",
+ .revision = 0,
+ .family = NFPROTO_UNSPEC,
+ .match = u32_mt,
++ .checkentry = u32_mt_checkentry,
+ .matchsize = sizeof(struct xt_u32),
+ .me = THIS_MODULE,
+ };
diff --git a/queue-4.14/pm-devfreq-fix-leak-in-devfreq_dev_release.patch b/queue-4.14/pm-devfreq-fix-leak-in-devfreq_dev_release.patch
new file mode 100644
index 00000000000..c8db01e4562
--- /dev/null
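Review bot: `u32_mt_checkentry()` (net/netfilter/xt_u32.c) is added without a comment saying which code depends on it. The bounds it enforces on `ntests`, `nnums` and `nvalues` are presumably the ones the per-packet match path later indexes with, but that path lies outside the hunk. I would add a short header comment stating that the structure is supplied from user space when a rule is installed, that the three counts are checked against their array sizes here, and that the match function trusts them afterwards. The `>` comparisons are right as written, since a count equal to the array size is still valid.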
+++ b/queue-4.14/pm-devfreq-fix-leak-in-devfreq_dev_release.patch
@@ -0,0 +1,34 @@
+From 5693d077595de721f9ddbf9d37f40e5409707dfe Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Wed, 9 Aug 2023 13:31:08 +0200
+Subject: PM / devfreq: Fix leak in devfreq_dev_release()
+
+From: Boris Brezillon
+
+commit 5693d077595de721f9ddbf9d37f40e5409707dfe upstream.
+
+srcu_init_notifier_head() allocates resources that need to be released
+with a srcu_cleanup_notifier_head() call.
+
+Reported by kmemleak.
+
+Fixes: 0fe3a66410a3 ("PM / devfreq: Add new DEVFREQ_TRANSITION_NOTIFIER notifier")
+Cc:
+Signed-off-by: Boris Brezillon
+Reviewed-by: Dhruva Gole
+Signed-off-by: Chanwoo Choi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/devfreq/devfreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -495,6 +495,7 @@ static void devfreq_dev_release(struct d
+ devfreq->profile->exit(devfreq->dev.parent);
+
+ mutex_destroy(&devfreq->lock);
++ srcu_cleanup_notifier_head(&devfreq->transition_notifier_list);
+ kfree(devfreq);
+ }
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 20d5907d775..f4163875e9f 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -97,3 +97,9 @@ rpmsg-glink-add-check-for-kstrdup.patch
 dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch
 igmp-limit-igmpv3_newpack-packet-size-to-ip_max_mtu.patch
 netfilter-ipset-add-the-missing-ip_set_hash_with_net0-macro-for-ip_set_hash_netportnet.c.patch
+netfilter-xt_u32-validate-user-space-input.patch
+netfilter-xt_sctp-validate-the-flag_info-count.patch
+igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch
+pm-devfreq-fix-leak-in-devfreq_dev_release.patch
+alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch
+arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch
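Review bot: In `devfreq_dev_release()` (drivers/devfreq/devfreq.c) the added `srcu_cleanup_notifier_head()` call is unconditional, so it is safe only if every path that reaches the release callback has already run `srcu_init_notifier_head()` on `transition_notifier_list`. That ordering lives in the registration code, which this hunk does not show, and it may differ between the 4.14 tree and the upstream tree the fix was written against, so it should be checked before the backport is accepted. A one-line comment next to the call, such as `/* pairs with srcu_init_notifier_head() at registration */`, would document the pairing. The function starts above the hunk.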