From: Greg Kroah-Hartman Date: Sun, 15 Oct 2023 17:55:55 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.15.136~35 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=97bb0f85ed27268cfef0c6f1c9e3e933d2292853;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: media-mtk-jpeg-fix-use-after-free-bug-due-to-uncanceled-work.patch net-add-sysctl-accept_ra_min_rtr_lft.patch net-change-accept_ra_min_rtr_lft-to-affect-all-ra-lifetimes.patch net-release-reference-to-inet6_dev-pointer.patch
---
diff --git a/queue-5.10/media-mtk-jpeg-fix-use-after-free-bug-due-to-uncanceled-work.patch b/queue-5.10/media-mtk-jpeg-fix-use-after-free-bug-due-to-uncanceled-work.patch
new file mode 100644
index 00000000000..5ac977a69ff
--- /dev/null
+++ b/queue-5.10/media-mtk-jpeg-fix-use-after-free-bug-due-to-uncanceled-work.patch
@@ -0,0 +1,50 @@
+From c677d7ae83141d390d1253abebafa49c962afb52 Mon Sep 17 00:00:00 2001
+From: Zheng Wang
+Date: Fri, 7 Jul 2023 17:24:14 +0800
+Subject: media: mtk-jpeg: Fix use after free bug due to uncanceled work
+
+From: Zheng Wang
+
+commit c677d7ae83141d390d1253abebafa49c962afb52 upstream.
+
+In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with
+mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run
+and mtk_jpeg_enc_device_run may be called to start the
+work.
+If we remove the module which will call mtk_jpeg_remove
+to make cleanup, there may be a unfinished work. The
+possible sequence is as follows, which will cause a
+typical UAF bug.
+
+Fix it by canceling the work before cleanup in the mtk_jpeg_remove
+
+CPU0 CPU1
+
+ |mtk_jpeg_job_timeout_work
+mtk_jpeg_remove |
+ v4l2_m2m_release |
+ kfree(m2m_dev); |
+ |
+ | v4l2_m2m_get_curr_priv
+ | m2m_dev->curr_ctx //use
+Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver")
+Signed-off-by: Zheng Wang
+Reviewed-by: Alexandre Mergnat
+Reviewed-by: Chen-Yu Tsai
+Reviewed-by: AngeloGioacchino Del Regno
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
++++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
+@@ -1455,6 +1455,7 @@ static int mtk_jpeg_remove(struct platfo
+ {
+ struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev);
+
++ cancel_delayed_work_sync(&jpeg->job_timeout_work);
+ pm_runtime_disable(&pdev->dev);
+ video_unregister_device(jpeg->vdev);
+ video_device_release(jpeg->vdev);
diff --git a/queue-5.10/net-add-sysctl-accept_ra_min_rtr_lft.patch b/queue-5.10/net-add-sysctl-accept_ra_min_rtr_lft.patch
new file mode 100644
index 00000000000..0e27f45560e
--- /dev/null
+++ b/queue-5.10/net-add-sysctl-accept_ra_min_rtr_lft.patch
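Review bot: In mtk_jpeg_remove the added `cancel_delayed_work_sync(&jpeg->job_timeout_work)` runs before `video_unregister_device(jpeg->vdev)`, and nothing visible in this hunk stops a job that starts after the cancel from arming the timeout work again before the m2m device is freed. Whether the device_run callbacks named in the commit message can still be reached at that point is not visible here, so this is a question about ordering rather than a confirmed defect. If they can, the cancel belongs after the point where new jobs are shut out; if they cannot, a comment such as `/* no job can be queued past this point, so the timeout work cannot be re-armed */` above the call would record why the order is safe. The rest of mtk_jpeg_remove, including the release that frees the m2m device, lies outside the hunk.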
@@ -0,0 +1,165 @@
+From stable-owner@vger.kernel.org Fri Oct 13 23:44:40 2023
+From: Patrick Rohr
+Date: Fri, 13 Oct 2023 14:44:12 -0700
+Subject: net: add sysctl accept_ra_min_rtr_lft
+To: stable@vger.kernel.org
+Cc: "Greg KH" , "Sasha Levin" , "Maciej Żenczykowski" , "Lorenzo Colitti" , "Patrick Rohr" , "David S . Miller"
+Message-ID: <20231013214414.3482322-2-prohr@google.com>
+
+From: Patrick Rohr
+
+commit 1671bcfd76fdc0b9e65153cf759153083755fe4c upstream.
+
+This change adds a new sysctl accept_ra_min_rtr_lft to specify the
+minimum acceptable router lifetime in an RA. If the received RA router
+lifetime is less than the configured value (and not 0), the RA is
+ignored.
+This is useful for mobile devices, whose battery life can be impacted
+by networks that configure RAs with a short lifetime. On such networks,
+the device should never gain IPv6 provisioning and should attempt to
+drop RAs via hardware offload, if available.
+
+Signed-off-by: Patrick Rohr
+Cc: Maciej Żenczykowski
+Cc: Lorenzo Colitti
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/networking/ip-sysctl.rst | 8 ++++++++
+ include/linux/ipv6.h | 1 +
+ include/uapi/linux/ipv6.h | 7 +++++++
+ net/ipv6/addrconf.c | 10 ++++++++++
+ net/ipv6/ndisc.c | 18 ++++++++++++++++--
+ 5 files changed, 42 insertions(+), 2 deletions(-)
+
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -1916,6 +1916,14 @@ accept_ra_min_hop_limit - INTEGER
+
+ Default: 1
+
++accept_ra_min_rtr_lft - INTEGER
++ Minimum acceptable router lifetime in Router Advertisement.
++
++ RAs with a router lifetime less than this value shall be
++ ignored. RAs with a router lifetime of 0 are unaffected.
++
++ Default: 0
++
+ accept_ra_pinfo - BOOLEAN
+ Learn Prefix Information in Router Advertisement.
+
+--- a/include/linux/ipv6.h
++++ b/include/linux/ipv6.h
+@@ -32,6 +32,7 @@ struct ipv6_devconf {
+ __s32 max_addresses;
+ __s32 accept_ra_defrtr;
+ __s32 accept_ra_min_hop_limit;
++ __s32 accept_ra_min_rtr_lft;
+ __s32 accept_ra_pinfo;
+ __s32 ignore_routes_with_linkdown;
+ #ifdef CONFIG_IPV6_ROUTER_PREF
+--- a/include/uapi/linux/ipv6.h
++++ b/include/uapi/linux/ipv6.h
+@@ -192,6 +192,13 @@ enum {
+ DEVCONF_ACCEPT_RA_RT_INFO_MIN_PLEN,
+ DEVCONF_NDISC_TCLASS,
+ DEVCONF_RPL_SEG_ENABLED,
++ DEVCONF_RA_DEFRTR_METRIC,
++ DEVCONF_IOAM6_ENABLED,
++ DEVCONF_IOAM6_ID,
++ DEVCONF_IOAM6_ID_WIDE,
++ DEVCONF_NDISC_EVICT_NOCARRIER,
++ DEVCONF_ACCEPT_UNTRACKED_NA,
++ DEVCONF_ACCEPT_RA_MIN_RTR_LFT,
+ DEVCONF_MAX
+ };
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -207,6 +207,7 @@ static struct ipv6_devconf ipv6_devconf
+ .accept_ra_defrtr = 1,
+ .accept_ra_from_local = 0,
+ .accept_ra_min_hop_limit= 1,
++ .accept_ra_min_rtr_lft = 0,
+ .accept_ra_pinfo = 1,
+ #ifdef CONFIG_IPV6_ROUTER_PREF
+ .accept_ra_rtr_pref = 1,
+@@ -262,6 +263,7 @@ static struct ipv6_devconf ipv6_devconf_
+ .accept_ra_defrtr = 1,
+ .accept_ra_from_local = 0,
+ .accept_ra_min_hop_limit= 1,
++ .accept_ra_min_rtr_lft = 0,
+ .accept_ra_pinfo = 1,
+ #ifdef CONFIG_IPV6_ROUTER_PREF
+ .accept_ra_rtr_pref = 1,
+@@ -5559,6 +5561,7 @@ static inline void ipv6_store_devconf(st
+ array[DEVCONF_DISABLE_POLICY] = cnf->disable_policy;
+ array[DEVCONF_NDISC_TCLASS] = cnf->ndisc_tclass;
+ array[DEVCONF_RPL_SEG_ENABLED] = cnf->rpl_seg_enabled;
++ array[DEVCONF_ACCEPT_RA_MIN_RTR_LFT] = cnf->accept_ra_min_rtr_lft;
+ }
+
+ static inline size_t inet6_ifla6_size(void)
+@@ -6715,6 +6718,13 @@ static const struct ctl_table addrconf_s
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
++ },
++ {
++ .procname = "accept_ra_min_rtr_lft",
++ .data = &ipv6_devconf.accept_ra_min_rtr_lft,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
+ },
+ {
+ .procname = "accept_ra_pinfo",
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1222,6 +1222,8 @@ static void ndisc_router_discovery(struc
+ return;
+ }
+
++ lifetime = ntohs(ra_msg->icmph.icmp6_rt_lifetime);
++
+ if (!ipv6_accept_ra(in6_dev)) {
+ ND_PRINTK(2, info,
+ "RA: %s, did not accept ra for dev: %s\n",
+@@ -1229,6 +1231,13 @@ static void ndisc_router_discovery(struc
+ goto skip_linkparms;
+ }
+
++ if (lifetime != 0 && lifetime < in6_dev->cnf.accept_ra_min_rtr_lft) {
++ ND_PRINTK(2, info,
++ "RA: router lifetime (%ds) is too short: %s\n",
++ lifetime, skb->dev->name);
++ goto skip_linkparms;
++ }
++
+ #ifdef CONFIG_IPV6_NDISC_NODETYPE
+ /* skip link-specific parameters from interior routers */
+ if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT) {
+@@ -1281,8 +1290,6 @@ static void ndisc_router_discovery(struc
+ goto skip_defrtr;
+ }
+
+- lifetime = ntohs(ra_msg->icmph.icmp6_rt_lifetime);
+-
+ #ifdef CONFIG_IPV6_ROUTER_PREF
+ pref = ra_msg->icmph.icmp6_router_pref;
+ /* 10b is handled as if it were 00b (medium) */
+@@ -1429,6 +1436,13 @@ skip_linkparms:
+ goto out;
+ }
+
++ if (lifetime != 0 && lifetime < in6_dev->cnf.accept_ra_min_rtr_lft) {
++ ND_PRINTK(2, info,
++ "RA: router lifetime (%ds) is too short: %s\n",
++ lifetime, skb->dev->name);
++ goto out;
++ }
++
+ #ifdef CONFIG_IPV6_ROUTE_INFO
+ if (!in6_dev->cnf.accept_ra_from_local &&
+ ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
diff --git a/queue-5.10/net-change-accept_ra_min_rtr_lft-to-affect-all-ra-lifetimes.patch b/queue-5.10/net-change-accept_ra_min_rtr_lft-to-affect-all-ra-lifetimes.patch
new file mode 100644
index 00000000000..a5da8ed72fe
--- /dev/null
+++ b/queue-5.10/net-change-accept_ra_min_rtr_lft-to-affect-all-ra-lifetimes.patch
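Review bot: The new `accept_ra_min_rtr_lft` entry in the addrconf ctl_table uses `proc_dointvec` with no range, although the value is only compared with a 16-bit router lifetime read through `ntohs()` in ndisc_router_discovery. A setting above 65535 therefore makes the host ignore every RA that carries a non-zero router lifetime, and the ip-sysctl.rst text added here does not describe that or say what a negative setting means. Consider `.proc_handler = proc_dointvec_minmax` with `.extra1`/`.extra2` bounds of 0 and 65535, or document the accepted range next to `Default: 0`. The following patch in this commit renames the entry to accept_ra_min_lft and keeps the same unbounded handler.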
@@ -0,0 +1,209 @@
+From stable-owner@vger.kernel.org Fri Oct 13 23:44:43 2023
+From: Patrick Rohr
+Date: Fri, 13 Oct 2023 14:44:13 -0700
+Subject: net: change accept_ra_min_rtr_lft to affect all RA lifetimes
+To: stable@vger.kernel.org
+Cc: "Greg KH" , "Sasha Levin" , "Maciej Żenczykowski" , "Lorenzo Colitti" , "Patrick Rohr" , "David Ahern" , "Jakub Kicinski"
+Message-ID: <20231013214414.3482322-3-prohr@google.com>
+
+From: Patrick Rohr
+
+commit 5027d54a9c30bc7ec808360378e2b4753f053f25 upstream.
+
+accept_ra_min_rtr_lft only considered the lifetime of the default route
+and discarded entire RAs accordingly.
+
+This change renames accept_ra_min_rtr_lft to accept_ra_min_lft, and
+applies the value to individual RA sections; in particular, router
+lifetime, PIO preferred lifetime, and RIO lifetime. If any of those
+lifetimes are lower than the configured value, the specific RA section
+is ignored.
+
+In order for the sysctl to be useful to Android, it should really apply
+to all lifetimes in the RA, since that is what determines the minimum
+frequency at which RAs must be processed by the kernel. Android uses
+hardware offloads to drop RAs for a fraction of the minimum of all
+lifetimes present in the RA (some networks have very frequent RAs (5s)
+with high lifetimes (2h)). Despite this, we have encountered networks
+that set the router lifetime to 30s which results in very frequent CPU
+wakeups. Instead of disabling IPv6 (and dropping IPv6 ethertype in the
+WiFi firmware) entirely on such networks, it seems better to ignore the
+misconfigured routers while still processing RAs from other IPv6 routers
+on the same network (i.e. to support IoT applications).
+
+The previous implementation dropped the entire RA based on router
+lifetime. This turned out to be hard to expand to the other lifetimes
+present in the RA in a consistent manner; dropping the entire RA based
+on RIO/PIO lifetimes would essentially require parsing the whole thing
+twice.
+
+Fixes: 1671bcfd76fd ("net: add sysctl accept_ra_min_rtr_lft")
+Cc: Lorenzo Colitti
+Signed-off-by: Patrick Rohr
+Reviewed-by: Maciej Żenczykowski
+Reviewed-by: David Ahern
+Link: https://lore.kernel.org/r/20230726230701.919212-1-prohr@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/networking/ip-sysctl.rst | 8 ++++----
+ include/linux/ipv6.h | 2 +-
+ include/uapi/linux/ipv6.h | 2 +-
+ net/ipv6/addrconf.c | 13 ++++++++-----
+ net/ipv6/ndisc.c | 27 +++++++++++----------------
+ 5 files changed, 25 insertions(+), 27 deletions(-)
+
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -1916,11 +1916,11 @@ accept_ra_min_hop_limit - INTEGER
+
+ Default: 1
+
+-accept_ra_min_rtr_lft - INTEGER
+- Minimum acceptable router lifetime in Router Advertisement.
++accept_ra_min_lft - INTEGER
++ Minimum acceptable lifetime value in Router Advertisement.
+
+- RAs with a router lifetime less than this value shall be
+- ignored. RAs with a router lifetime of 0 are unaffected.
++ RA sections with a lifetime less than this value shall be
++ ignored. Zero lifetimes stay unaffected.
+
+ Default: 0
+
+--- a/include/linux/ipv6.h
++++ b/include/linux/ipv6.h
+@@ -32,7 +32,7 @@ struct ipv6_devconf {
+ __s32 max_addresses;
+ __s32 accept_ra_defrtr;
+ __s32 accept_ra_min_hop_limit;
+- __s32 accept_ra_min_rtr_lft;
++ __s32 accept_ra_min_lft;
+ __s32 accept_ra_pinfo;
+ __s32 ignore_routes_with_linkdown;
+ #ifdef CONFIG_IPV6_ROUTER_PREF
+--- a/include/uapi/linux/ipv6.h
++++ b/include/uapi/linux/ipv6.h
+@@ -198,7 +198,7 @@ enum {
+ DEVCONF_IOAM6_ID_WIDE,
+ DEVCONF_NDISC_EVICT_NOCARRIER,
+ DEVCONF_ACCEPT_UNTRACKED_NA,
+- DEVCONF_ACCEPT_RA_MIN_RTR_LFT,
++ DEVCONF_ACCEPT_RA_MIN_LFT,
+ DEVCONF_MAX
+ };
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -207,7 +207,7 @@ static struct ipv6_devconf ipv6_devconf
+ .accept_ra_defrtr = 1,
+ .accept_ra_from_local = 0,
+ .accept_ra_min_hop_limit= 1,
+- .accept_ra_min_rtr_lft = 0,
++ .accept_ra_min_lft = 0,
+ .accept_ra_pinfo = 1,
+ #ifdef CONFIG_IPV6_ROUTER_PREF
+ .accept_ra_rtr_pref = 1,
+@@ -263,7 +263,7 @@ static struct ipv6_devconf ipv6_devconf_
+ .accept_ra_defrtr = 1,
+ .accept_ra_from_local = 0,
+ .accept_ra_min_hop_limit= 1,
+- .accept_ra_min_rtr_lft = 0,
++ .accept_ra_min_lft = 0,
+ .accept_ra_pinfo = 1,
+ #ifdef CONFIG_IPV6_ROUTER_PREF
+ .accept_ra_rtr_pref = 1,
+@@ -2726,6 +2726,9 @@ void addrconf_prefix_rcv(struct net_devi
+ return;
+ }
+
++ if (valid_lft != 0 && valid_lft < in6_dev->cnf.accept_ra_min_lft)
++ return;
++
+ /*
+ * Two things going on here:
+ * 1) Add routes for on-link prefixes
+@@ -5561,7 +5564,7 @@ static inline void ipv6_store_devconf(st
+ array[DEVCONF_DISABLE_POLICY] = cnf->disable_policy;
+ array[DEVCONF_NDISC_TCLASS] = cnf->ndisc_tclass;
+ array[DEVCONF_RPL_SEG_ENABLED] = cnf->rpl_seg_enabled;
+- array[DEVCONF_ACCEPT_RA_MIN_RTR_LFT] = cnf->accept_ra_min_rtr_lft;
++ array[DEVCONF_ACCEPT_RA_MIN_LFT] = cnf->accept_ra_min_lft;
+ }
+
+ static inline size_t inet6_ifla6_size(void)
+@@ -6720,8 +6723,8 @@ static const struct ctl_table addrconf_s
+ .proc_handler = proc_dointvec,
+ },
+ {
+- .procname = "accept_ra_min_rtr_lft",
+- .data = &ipv6_devconf.accept_ra_min_rtr_lft,
++ .procname = "accept_ra_min_lft",
++ .data = &ipv6_devconf.accept_ra_min_lft,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1222,8 +1222,6 @@ static void ndisc_router_discovery(struc
+ return;
+ }
+
+- lifetime = ntohs(ra_msg->icmph.icmp6_rt_lifetime);
+-
+ if (!ipv6_accept_ra(in6_dev)) {
+ ND_PRINTK(2, info,
+ "RA: %s, did not accept ra for dev: %s\n",
+@@ -1231,13 +1229,6 @@ static void ndisc_router_discovery(struc
+ goto skip_linkparms;
+ }
+
+- if (lifetime != 0 && lifetime < in6_dev->cnf.accept_ra_min_rtr_lft) {
+- ND_PRINTK(2, info,
+- "RA: router lifetime (%ds) is too short: %s\n",
+- lifetime, skb->dev->name);
+- goto skip_linkparms;
+- }
+-
+ #ifdef CONFIG_IPV6_NDISC_NODETYPE
+ /* skip link-specific parameters from interior routers */
+ if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT) {
+@@ -1278,6 +1269,14 @@ static void ndisc_router_discovery(struc
+ goto skip_defrtr;
+ }
+
++ lifetime = ntohs(ra_msg->icmph.icmp6_rt_lifetime);
++ if (lifetime != 0 && lifetime < in6_dev->cnf.accept_ra_min_lft) {
++ ND_PRINTK(2, info,
++ "RA: router lifetime (%ds) is too short: %s\n",
++ lifetime, skb->dev->name);
++ goto skip_defrtr;
++ }
++
+ /* Do not accept RA with source-addr found on local machine unless
+ * accept_ra_from_local is set to true.
+ */
+@@ -1436,13 +1435,6 @@ skip_linkparms:
+ goto out;
+ }
+
+- if (lifetime != 0 && lifetime < in6_dev->cnf.accept_ra_min_rtr_lft) {
+- ND_PRINTK(2, info,
+- "RA: router lifetime (%ds) is too short: %s\n",
+- lifetime, skb->dev->name);
+- goto out;
+- }
+-
+ #ifdef CONFIG_IPV6_ROUTE_INFO
+ if (!in6_dev->cnf.accept_ra_from_local &&
+ ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
+@@ -1467,6 +1459,9 @@ skip_linkparms:
+ if (ri->prefix_len == 0 &&
+ !in6_dev->cnf.accept_ra_defrtr)
+ continue;
++ if (ri->lifetime != 0 &&
++ ntohl(ri->lifetime) < in6_dev->cnf.accept_ra_min_lft)
++ continue;
+ if (ri->prefix_len < in6_dev->cnf.accept_ra_rt_info_min_plen)
+ continue;
+ if (ri->prefix_len > in6_dev->cnf.accept_ra_rt_info_max_plen)
diff --git a/queue-5.10/net-release-reference-to-inet6_dev-pointer.patch b/queue-5.10/net-release-reference-to-inet6_dev-pointer.patch
new file mode 100644
index 00000000000..c27ce7b6cb8
--- /dev/null
+++ b/queue-5.10/net-release-reference-to-inet6_dev-pointer.patch
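Review bot: The route-information check added in ndisc_router_discovery, `ntohl(ri->lifetime) < in6_dev->cnf.accept_ra_min_lft`, compares an unsigned 32-bit value with the `__s32` field, so the field is converted to unsigned and a negative sysctl value, which `proc_dointvec` accepts, rejects every route-information option with a non-zero lifetime. The router-lifetime check in the same function would never fire for a negative value if `lifetime` is a signed int, as its `%d` format suggests, and the `valid_lft` check in addrconf_prefix_rcv probably behaves like the unsigned case, although that declaration is outside the hunk. Guarding each test with `in6_dev->cnf.accept_ra_min_lft > 0 &&`, or rejecting negative values at the sysctl, would make the three checks agree. Separately, the description says the PIO preferred lifetime is tested while the code tests `valid_lft`; a short comment at that check naming the intended lifetime would settle which is meant.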
@@ -0,0 +1,41 @@
+From stable-owner@vger.kernel.org Fri Oct 13 23:44:46 2023
+From: Patrick Rohr
+Date: Fri, 13 Oct 2023 14:44:14 -0700
+Subject: net: release reference to inet6_dev pointer
+To: stable@vger.kernel.org
+Cc: "Greg KH" , "Sasha Levin" , "Maciej Żenczykowski" , "Lorenzo Colitti" , "Patrick Rohr" , "David Ahern" , "Simon Horman" , "Leon Romanovsky" , "David S . Miller"
+Message-ID: <20231013214414.3482322-4-prohr@google.com>
+
+From: Patrick Rohr
+
+commit 5cb249686e67dbef3ffe53887fa725eefc5a7144 upstream.
+
+addrconf_prefix_rcv returned early without releasing the inet6_dev
+pointer when the PIO lifetime is less than accept_ra_min_lft.
+
+Fixes: 5027d54a9c30 ("net: change accept_ra_min_rtr_lft to affect all RA lifetimes")
+Cc: Maciej Żenczykowski
+Cc: Lorenzo Colitti
+Cc: David Ahern
+Cc: Simon Horman
+Reviewed-by: Simon Horman
+Reviewed-by: Maciej Żenczykowski
+Signed-off-by: Patrick Rohr
+Reviewed-by: Leon Romanovsky
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/addrconf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2727,7 +2727,7 @@ void addrconf_prefix_rcv(struct net_devi
+ }
+
+ if (valid_lft != 0 && valid_lft < in6_dev->cnf.accept_ra_min_lft)
+- return;
++ goto put;
+
+ /*
+ * Two things going on here:
diff --git a/queue-5.10/series b/queue-5.10/series
index a6bac10f3b0..d2f0b0fa403 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -29,3 +29,7 @@ workqueue-override-implicit-ordered-attribute-in-wor.patch
 perf-inject-fix-gen_elf_text_offset-for-jit.patch
 revert-spi-zynqmp-gqspi-fix-clock-imbalance-on-probe.patch
 revert-spi-spi-zynqmp-gqspi-fix-runtime-pm-imbalance.patch
+net-add-sysctl-accept_ra_min_rtr_lft.patch
+net-change-accept_ra_min_rtr_lft-to-affect-all-ra-lifetimes.patch
+net-release-reference-to-inet6_dev-pointer.patch
+media-mtk-jpeg-fix-use-after-free-bug-due-to-uncanceled-work.patch