From: Greg Kroah-Hartman Date: Tue, 29 Apr 2025 13:09:28 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.4.293~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a1318c24b24af51ded1f5bd139ef93d83320b484;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: comedi-jr3_pci-fix-synchronous-deletion-of-timer.patch crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch --- diff --git a/queue-6.1/comedi-jr3_pci-fix-synchronous-deletion-of-timer.patch b/queue-6.1/comedi-jr3_pci-fix-synchronous-deletion-of-timer.patch new file mode 100644 index 0000000000..ecf46933d8 --- /dev/null +++ b/queue-6.1/comedi-jr3_pci-fix-synchronous-deletion-of-timer.patch @@ -0,0 +1,73 @@ +From 44d9b3f584c59a606b521e7274e658d5b866c699 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Tue, 15 Apr 2025 13:39:01 +0100 +Subject: comedi: jr3_pci: Fix synchronous deletion of timer + +From: Ian Abbott + +commit 44d9b3f584c59a606b521e7274e658d5b866c699 upstream. + +When `jr3_pci_detach()` is called during device removal, it calls +`timer_delete_sync()` to stop the timer, but the timer expiry function +always reschedules the timer, so the synchronization is ineffective. + +Call `timer_shutdown_sync()` instead. It does not matter that the timer +expiry function pointer is cleared, because the device is being removed. + +Fixes: 07b509e6584a5 ("Staging: comedi: add jr3_pci driver") +Cc: stable +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250415123901.13483-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/jr3_pci.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/comedi/drivers/jr3_pci.c ++++ b/drivers/comedi/drivers/jr3_pci.c +@@ -87,6 +87,7 @@ struct jr3_pci_poll_delay { + struct jr3_pci_dev_private { + struct timer_list timer; + struct comedi_device *dev; ++ bool timer_enable; + }; + + union jr3_pci_single_range { +@@ -596,10 +597,11 @@ static void jr3_pci_poll_dev(struct time + delay = sub_delay.max; + } + } ++ if (devpriv->timer_enable) { ++ devpriv->timer.expires = jiffies + msecs_to_jiffies(delay); ++ add_timer(&devpriv->timer); ++ } + spin_unlock_irqrestore(&dev->spinlock, flags); +- +- devpriv->timer.expires = jiffies + msecs_to_jiffies(delay); +- add_timer(&devpriv->timer); + } + + static struct jr3_pci_subdev_private * +@@ -748,6 +750,7 @@ static int jr3_pci_auto_attach(struct co + devpriv->dev = dev; + timer_setup(&devpriv->timer, jr3_pci_poll_dev, 0); + devpriv->timer.expires = jiffies + msecs_to_jiffies(1000); ++ devpriv->timer_enable = true; + add_timer(&devpriv->timer); + + return 0; +@@ -757,8 +760,12 @@ static void jr3_pci_detach(struct comedi + { + struct jr3_pci_dev_private *devpriv = dev->private; + +- if (devpriv) +- del_timer_sync(&devpriv->timer); ++ if (devpriv) { ++ spin_lock_bh(&dev->spinlock); ++ devpriv->timer_enable = false; ++ spin_unlock_bh(&dev->spinlock); ++ timer_delete_sync(&devpriv->timer); ++ } + + comedi_pci_detach(dev); + } diff --git a/queue-6.1/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch b/queue-6.1/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch new file mode 100644 index 0000000000..6343fe3704 --- /dev/null +++ b/queue-6.1/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch @@ -0,0 +1,47 @@ +From 8006aff15516a170640239c5a8e6696c0ba18d8e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Beh=C3=BAn?= +Date: Tue, 22 Apr 2025 11:57:18 +0200 +Subject: crypto: atmel-sha204a - Set hwrng quality to lowest possible +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +commit 8006aff15516a170640239c5a8e6696c0ba18d8e upstream. + +According to the review by Bill Cox [1], the Atmel SHA204A random number +generator produces random numbers with very low entropy. + +Set the lowest possible entropy for this chip just to be safe. + +[1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html + +Fixes: da001fb651b00e1d ("crypto: atmel-i2c - add support for SHA204A random number generator") +Cc: +Signed-off-by: Marek Behún +Acked-by: Ard Biesheuvel +Reviewed-by: Linus Walleij +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Marek Behún +--- + drivers/crypto/atmel-sha204a.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/atmel-sha204a.c ++++ b/drivers/crypto/atmel-sha204a.c +@@ -107,7 +107,12 @@ static int atmel_sha204a_probe(struct i2 + + i2c_priv->hwrng.name = dev_name(&client->dev); + i2c_priv->hwrng.read = atmel_sha204a_rng_read; +- i2c_priv->hwrng.quality = 1024; ++ ++ /* ++ * According to review by Bill Cox [1], this HWRNG has very low entropy. ++ * [1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html ++ */ ++ i2c_priv->hwrng.quality = 1; + + ret = devm_hwrng_register(&client->dev, &i2c_priv->hwrng); + if (ret) diff --git a/queue-6.1/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch b/queue-6.1/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch new file mode 100644 index 0000000000..aa0f85c4a0 --- /dev/null +++ b/queue-6.1/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch @@ -0,0 +1,89 @@ +From 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Thu, 15 Feb 2024 06:33:46 -0800 +Subject: net/sched: act_mirred: don't override retval if we already lost the skb + +From: Jakub Kicinski + +commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 upstream. + +If we're redirecting the skb, and haven't called tcf_mirred_forward(), +yet, we need to tell the core to drop the skb by setting the retcode +to SHOT. If we have called tcf_mirred_forward(), however, the skb +is out of our hands and returning SHOT will lead to UaF. + +Move the retval override to the error path which actually need it. + +Reviewed-by: Michal Swiatkowski +Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible") +Signed-off-by: Jakub Kicinski +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +[Minor conflict resolved due to code context change.] +Signed-off-by: Jianqi Ren +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_mirred.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -255,31 +255,31 @@ static int tcf_mirred_act(struct sk_buff + + m_mac_header_xmit = READ_ONCE(m->tcfm_mac_header_xmit); + m_eaction = READ_ONCE(m->tcfm_eaction); ++ is_redirect = tcf_mirred_is_act_redirect(m_eaction); + retval = READ_ONCE(m->tcf_action); + dev = rcu_dereference_bh(m->tcfm_dev); + if (unlikely(!dev)) { + pr_notice_once("tc mirred: target device is gone\n"); +- goto out; ++ goto err_cant_do; + } + + if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { + net_notice_ratelimited("tc mirred to Houston: device %s is down\n", + dev->name); +- goto out; ++ goto err_cant_do; + } + + /* we could easily avoid the clone only if called by ingress and clsact; + * since we can't easily detect the clsact caller, skip clone only for + * ingress - that covers the TC S/W datapath. + */ +- is_redirect = tcf_mirred_is_act_redirect(m_eaction); + at_ingress = skb_at_tc_ingress(skb); + use_reinsert = at_ingress && is_redirect && + tcf_mirred_can_reinsert(retval); + if (!use_reinsert) { + skb2 = skb_clone(skb, GFP_ATOMIC); + if (!skb2) +- goto out; ++ goto err_cant_do; + } + + want_ingress = tcf_mirred_act_wants_ingress(m_eaction); +@@ -321,12 +321,16 @@ static int tcf_mirred_act(struct sk_buff + } + + err = tcf_mirred_forward(want_ingress, skb2); +- if (err) { +-out: ++ if (err) + tcf_action_inc_overlimit_qstats(&m->common); +- if (tcf_mirred_is_act_redirect(m_eaction)) +- retval = TC_ACT_SHOT; +- } ++ __this_cpu_dec(mirred_nest_level); ++ ++ return retval; ++ ++err_cant_do: ++ if (is_redirect) ++ retval = TC_ACT_SHOT; ++ tcf_action_inc_overlimit_qstats(&m->common); + __this_cpu_dec(mirred_nest_level); + + return retval; diff --git a/queue-6.1/series b/queue-6.1/series index 2489853874..30e72619cc 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -149,3 +149,6 @@ md-raid1-add-check-for-missing-source-disk-in-proces.patch spi-spi-imx-add-check-for-spi_imx_setupxfer.patch of-module-add-buffer-overflow-check-in-of_modalias.patch jfs-define-xtree-root-and-page-independently.patch +comedi-jr3_pci-fix-synchronous-deletion-of-timer.patch +crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch +net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch