From: Sasha Levin Date: Fri, 22 Dec 2023 22:48:18 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v5.15.145~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aef092d803b627b1373bfdcd1554b643a84fafdc;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch b/queue-4.14/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch new file mode 100644 index 00000000000..c8a31e2b980 --- /dev/null +++ b/queue-4.14/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch 
@@ -0,0 +1,49 @@ +From c2de6afa0518b61e551e0958c8a059563b41df9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 22:52:37 +0800 +Subject: ARM: OMAP2+: Fix null pointer dereference and memory leak in + omap_soc_device_init + +From: Kunwu Chan + +[ Upstream commit c72b9c33ef9695ad7ce7a6eb39a9df8a01b70796 ] + +kasprintf() returns a pointer to dynamically allocated memory which can +be NULL upon failure. When 'soc_dev_attr->family' is NULL,it'll trigger +the null pointer dereference issue, such as in 'soc_info_show'. + +And when 'soc_device_register' fails, it's necessary to release +'soc_dev_attr->family' to avoid memory leaks. + +Fixes: 6770b2114325 ("ARM: OMAP2+: Export SoC information to userspace") +Signed-off-by: Kunwu Chan +Message-ID: <20231123145237.609442-1-chentao@kylinos.cn> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/id.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/mach-omap2/id.c b/arch/arm/mach-omap2/id.c +index 79d71b1eae594..1bc17fd49e488 100644 +--- a/arch/arm/mach-omap2/id.c ++++ b/arch/arm/mach-omap2/id.c +@@ -784,10 +784,15 @@ void __init omap_soc_device_init(void) + + soc_dev_attr->machine = soc_name; + soc_dev_attr->family = omap_get_family(); ++ if (!soc_dev_attr->family) { ++ kfree(soc_dev_attr); ++ return; ++ } + soc_dev_attr->revision = soc_rev; + + soc_dev = soc_device_register(soc_dev_attr); + if (IS_ERR(soc_dev)) { ++ kfree(soc_dev_attr->family); + kfree(soc_dev_attr); + return; + } +-- +2.43.0 + diff --git a/queue-4.14/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch b/queue-4.14/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch new file mode 100644 index 00000000000..5a3f85f5332 --- /dev/null +++ b/queue-4.14/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch 
@@ -0,0 +1,44 @@ +From c04e3a8b23a6412ed734ce730a61944c9cd720c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 21:04:04 +0800 +Subject: ethernet: atheros: fix a memleak in atl1e_setup_ring_resources + +From: Zhipeng Lu + +[ Upstream commit 309fdb1c33fe726d92d0030481346f24e1b01f07 ] + +In the error handling of 'offset > adapter->ring_size', the +tx_ring->tx_buffer allocated by kzalloc should be freed, +instead of 'goto failed' instantly. + +Fixes: a6a5325239c2 ("atl1e: Atheros L1E Gigabit Ethernet driver") +Signed-off-by: Zhipeng Lu +Reviewed-by: Suman Ghosh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +index 33a688d8aaba9..3c6a32d548468 100644 +--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c ++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +@@ -880,10 +880,13 @@ static int atl1e_setup_ring_resources(struct atl1e_adapter *adapter) + netdev_err(adapter->netdev, "offset(%d) > ring size(%d) !!\n", + offset, adapter->ring_size); + err = -1; +- goto failed; ++ goto free_buffer; + } + + return 0; ++free_buffer: ++ kfree(tx_ring->tx_buffer); ++ tx_ring->tx_buffer = NULL; + failed: + if (adapter->ring_vir_addr != NULL) { + pci_free_consistent(pdev, adapter->ring_size, +-- +2.43.0 + diff --git a/queue-4.14/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch b/queue-4.14/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch new file mode 100644 index 00000000000..84cbcb7848d --- /dev/null +++ b/queue-4.14/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch 
@@ -0,0 +1,99 @@ +From 89e7a2d7c6734f64a7398697f7b7fb90d695c9e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Dec 2023 15:52:18 +0800 +Subject: net: check vlan filter feature in vlan_vids_add_by_dev() and + vlan_vids_del_by_dev() + +From: Liu Jian + +[ Upstream commit 01a564bab4876007ce35f312e16797dfe40e4823 ] + +I got the below warning trace: + +WARNING: CPU: 4 PID: 4056 at net/core/dev.c:11066 unregister_netdevice_many_notify +CPU: 4 PID: 4056 Comm: ip Not tainted 6.7.0-rc4+ #15 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:unregister_netdevice_many_notify+0x9a4/0x9b0 +Call Trace: + rtnl_dellink + rtnetlink_rcv_msg + netlink_rcv_skb + netlink_unicast + netlink_sendmsg + __sock_sendmsg + ____sys_sendmsg + ___sys_sendmsg + __sys_sendmsg + do_syscall_64 + entry_SYSCALL_64_after_hwframe + +It can be repoduced via: + + ip netns add ns1 + ip netns exec ns1 ip link add bond0 type bond mode 0 + ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2 + ip netns exec ns1 ip link set bond_slave_1 master bond0 +[1] ip netns exec ns1 ethtool -K bond0 rx-vlan-filter off +[2] ip netns exec ns1 ip link add link bond_slave_1 name bond_slave_1.0 type vlan id 0 +[3] ip netns exec ns1 ip link add link bond0 name bond0.0 type vlan id 0 +[4] ip netns exec ns1 ip link set bond_slave_1 nomaster +[5] ip netns exec ns1 ip link del veth2 + ip netns del ns1 + +This is all caused by command [1] turning off the rx-vlan-filter function +of bond0. The reason is the same as commit 01f4fd270870 ("bonding: Fix +incorrect deletion of ETH_P_8021AD protocol vid from slaves"). Commands +[2] [3] add the same vid to slave and master respectively, causing +command [4] to empty slave->vlan_info. The following command [5] triggers +this problem. + +To fix this problem, we should add VLAN_FILTER feature checks in +vlan_vids_add_by_dev() and vlan_vids_del_by_dev() to prevent incorrect +addition or deletion of vlan_vid information. 
+ +Fixes: 348a1443cc43 ("vlan: introduce functions to do mass addition/deletion of vids by another device") +Signed-off-by: Liu Jian +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/8021q/vlan_core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c +index 45c9bf5ff3a0c..815d4fb052bde 100644 +--- a/net/8021q/vlan_core.c ++++ b/net/8021q/vlan_core.c +@@ -329,6 +329,8 @@ int vlan_vids_add_by_dev(struct net_device *dev, + return 0; + + list_for_each_entry(vid_info, &vlan_info->vid_list, list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + err = vlan_vid_add(dev, vid_info->proto, vid_info->vid); + if (err) + goto unwind; +@@ -339,6 +341,8 @@ int vlan_vids_add_by_dev(struct net_device *dev, + list_for_each_entry_continue_reverse(vid_info, + &vlan_info->vid_list, + list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + vlan_vid_del(dev, vid_info->proto, vid_info->vid); + } + +@@ -358,8 +362,11 @@ void vlan_vids_del_by_dev(struct net_device *dev, + if (!vlan_info) + return; + +- list_for_each_entry(vid_info, &vlan_info->vid_list, list) ++ list_for_each_entry(vid_info, &vlan_info->vid_list, list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + vlan_vid_del(dev, vid_info->proto, vid_info->vid); ++ } + } + EXPORT_SYMBOL(vlan_vids_del_by_dev); + +-- +2.43.0 + diff --git a/queue-4.14/net-sched-ife-fix-potential-use-after-free.patch b/queue-4.14/net-sched-ife-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..551cca04709 --- /dev/null +++ b/queue-4.14/net-sched-ife-fix-potential-use-after-free.patch 
@@ -0,0 +1,238 @@ +From 46e68b0b339becd56fa05368464b132fb1044222 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 11:30:38 +0000 +Subject: net: sched: ife: fix potential use-after-free + +From: Eric Dumazet + +[ Upstream commit 19391a2ca98baa7b80279306cdf7dd43f81fa595 ] + +ife_decode() calls pskb_may_pull() two times, we need to reload +ifehdr after the second one, or risk use-after-free as reported +by syzbot: + +BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline] +BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131 +Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323 + +CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d5b95 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +Call Trace: + +__dump_stack lib/dump_stack.c:88 [inline] +dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 +print_address_description mm/kasan/report.c:364 [inline] +print_report+0xc4/0x620 mm/kasan/report.c:475 +kasan_report+0xda/0x110 mm/kasan/report.c:588 +__ife_tlv_meta_valid net/ife/ife.c:108 [inline] +ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131 +tcf_ife_decode net/sched/act_ife.c:739 [inline] +tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879 +tc_act include/net/tc_wrapper.h:221 [inline] +tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079 +tcf_exts_exec include/net/pkt_cls.h:344 [inline] +mall_classify+0x201/0x310 net/sched/cls_matchall.c:42 +tc_classify include/net/tc_wrapper.h:227 [inline] +__tcf_classify net/sched/cls_api.c:1703 [inline] +tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800 +hfsc_classify net/sched/sch_hfsc.c:1147 [inline] +hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546 +dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739 +__dev_xmit_skb net/core/dev.c:3828 [inline] +__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311 +dev_queue_xmit include/linux/netdevice.h:3165 [inline] 
+packet_xmit+0x237/0x350 net/packet/af_packet.c:276 +packet_snd net/packet/af_packet.c:3081 [inline] +packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b +RIP: 0033:0x7fe9acc7cae9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9 +RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003 +RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014 +R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78 + + +Allocated by task 22323: +kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 +kasan_set_track+0x25/0x30 mm/kasan/common.c:52 +____kasan_kmalloc mm/kasan/common.c:374 [inline] +__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383 +kasan_kmalloc include/linux/kasan.h:198 [inline] +__do_kmalloc_node mm/slab_common.c:1007 [inline] +__kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027 +kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582 +__alloc_skb+0x12b/0x330 net/core/skbuff.c:651 +alloc_skb include/linux/skbuff.h:1298 [inline] +alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 +sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 +packet_alloc_skb net/packet/af_packet.c:2930 [inline] +packet_snd net/packet/af_packet.c:3024 [inline] +packet_sendmsg+0x1e2a/0x5200 
net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Freed by task 22323: +kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 +kasan_set_track+0x25/0x30 mm/kasan/common.c:52 +kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522 +____kasan_slab_free mm/kasan/common.c:236 [inline] +____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200 +kasan_slab_free include/linux/kasan.h:164 [inline] +slab_free_hook mm/slub.c:1800 [inline] +slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826 +slab_free mm/slub.c:3809 [inline] +__kmem_cache_free+0xc0/0x180 mm/slub.c:3822 +skb_kfree_head net/core/skbuff.c:950 [inline] +skb_free_head+0x110/0x1b0 net/core/skbuff.c:962 +pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130 +__pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655 +pskb_may_pull_reason include/linux/skbuff.h:2685 [inline] +pskb_may_pull include/linux/skbuff.h:2693 [inline] +ife_decode+0x394/0x4f0 net/ife/ife.c:82 +tcf_ife_decode net/sched/act_ife.c:727 [inline] +tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879 +tc_act include/net/tc_wrapper.h:221 [inline] +tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079 +tcf_exts_exec include/net/pkt_cls.h:344 [inline] +mall_classify+0x201/0x310 net/sched/cls_matchall.c:42 +tc_classify include/net/tc_wrapper.h:227 [inline] +__tcf_classify net/sched/cls_api.c:1703 [inline] +tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800 +hfsc_classify net/sched/sch_hfsc.c:1147 [inline] +hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546 +dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739 +__dev_xmit_skb net/core/dev.c:3828 [inline] +__dev_queue_xmit+0x1de1/0x3d30 
net/core/dev.c:4311 +dev_queue_xmit include/linux/netdevice.h:3165 [inline] +packet_xmit+0x237/0x350 net/packet/af_packet.c:276 +packet_snd net/packet/af_packet.c:3081 [inline] +packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +The buggy address belongs to the object at ffff88802d730000 +which belongs to the cache kmalloc-8k of size 8192 +The buggy address is located 164 bytes inside of +freed 8192-byte region [ffff88802d730000, ffff88802d732000) + +The buggy address belongs to the physical page: +page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730 +head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) +page_type: 0xffffffff() +raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000 +raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461 +set_page_owner include/linux/page_owner.h:31 [inline] +post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544 +prep_new_page mm/page_alloc.c:1551 [inline] +get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319 +__alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575 +alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133 +alloc_slab_page 
mm/slub.c:1870 [inline] +allocate_slab mm/slub.c:2017 [inline] +new_slab+0x283/0x3c0 mm/slub.c:2070 +___slab_alloc+0x979/0x1500 mm/slub.c:3223 +__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322 +__slab_alloc_node mm/slub.c:3375 [inline] +slab_alloc_node mm/slub.c:3468 [inline] +__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517 +__do_kmalloc_node mm/slab_common.c:1006 [inline] +__kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027 +kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582 +__alloc_skb+0x12b/0x330 net/core/skbuff.c:651 +alloc_skb include/linux/skbuff.h:1298 [inline] +alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 +sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 +packet_alloc_skb net/packet/af_packet.c:2930 [inline] +packet_snd net/packet/af_packet.c:3024 [inline] +packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +page last free stack trace: +reset_page_owner include/linux/page_owner.h:24 [inline] +free_pages_prepare mm/page_alloc.c:1144 [inline] +free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354 +free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494 +__unfreeze_partials+0x226/0x240 mm/slub.c:2655 +qlink_free mm/kasan/quarantine.c:168 [inline] +qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 +kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294 +__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305 +kasan_slab_alloc include/linux/kasan.h:188 [inline] +slab_post_alloc_hook mm/slab.h:763 [inline] +slab_alloc_node mm/slub.c:3478 [inline] +slab_alloc mm/slub.c:3486 [inline] +__kmem_cache_alloc_lru mm/slub.c:3493 [inline] +kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509 +alloc_inode_sb include/linux/fs.h:2937 [inline] +ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408 +alloc_inode+0x5d/0x220 fs/inode.c:261 +new_inode_pseudo fs/inode.c:1006 [inline] +new_inode+0x22/0x260 fs/inode.c:1032 
+__ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958 +ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398 +vfs_symlink fs/namei.c:4464 [inline] +vfs_symlink+0x3e5/0x620 fs/namei.c:4448 +do_symlinkat+0x25f/0x310 fs/namei.c:4490 +__do_sys_symlinkat fs/namei.c:4506 [inline] +__se_sys_symlinkat fs/namei.c:4503 [inline] +__x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 + +Fixes: d57493d6d1be ("net: sched: ife: check on metadata length") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Jamal Hadi Salim +Cc: Alexander Aring +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ife/ife.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ife/ife.c b/net/ife/ife.c +index 13bbf8cb6a396..be05b690b9ef2 100644 +--- a/net/ife/ife.c ++++ b/net/ife/ife.c +@@ -82,6 +82,7 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen) + if (unlikely(!pskb_may_pull(skb, total_pull))) + return NULL; + ++ ifehdr = (struct ifeheadr *)(skb->data + skb->dev->hard_header_len); + skb_set_mac_header(skb, total_pull); + __skb_pull(skb, total_pull); + *metalen = ifehdrln - IFE_METAHDRLEN; +-- +2.43.0 + diff --git a/queue-4.14/s390-vx-fix-save-restore-of-fpu-kernel-context.patch b/queue-4.14/s390-vx-fix-save-restore-of-fpu-kernel-context.patch new file mode 100644 index 00000000000..1fbdb579641 --- /dev/null +++ b/queue-4.14/s390-vx-fix-save-restore-of-fpu-kernel-context.patch 
@@ -0,0 +1,49 @@ +From de7bda91d8aab1e15c98be8e21744761b082acb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 15:03:15 +0100 +Subject: s390/vx: fix save/restore of fpu kernel context + +From: Heiko Carstens + +[ Upstream commit e6b2dab41888332bf83f592131e7ea07756770a4 ] + +The KERNEL_FPR mask only contains a flag for the first eight vector +registers. However floating point registers overlay parts of the first +sixteen vector registers. + +This could lead to vector register corruption if a kernel fpu context uses +any of the vector registers 8 to 15 and is interrupted or calls a +KERNEL_FPR context. If that context uses also vector registers 8 to 15, +their contents will be corrupted on return. + +Luckily this is currently not a real bug, since the kernel has only one +KERNEL_FPR user with s390_adjust_jiffies() and it is only using floating +point registers 0 to 2. + +Fix this by using the correct bits for KERNEL_FPR. + +Fixes: 7f79695cc1b6 ("s390/fpu: improve kernel_fpu_[begin|end]") +Signed-off-by: Heiko Carstens +Reviewed-by: Hendrik Brueckner +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/fpu/api.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/include/asm/fpu/api.h b/arch/s390/include/asm/fpu/api.h +index 34a7ae68485c6..be16a6c0f1276 100644 +--- a/arch/s390/include/asm/fpu/api.h ++++ b/arch/s390/include/asm/fpu/api.h +@@ -76,7 +76,7 @@ static inline int test_fp_ctl(u32 fpc) + #define KERNEL_VXR_HIGH (KERNEL_VXR_V16V23|KERNEL_VXR_V24V31) + + #define KERNEL_VXR (KERNEL_VXR_LOW|KERNEL_VXR_HIGH) +-#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_V0V7) ++#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_LOW) + + struct kernel_fpu; + +-- +2.43.0 + diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..f0d993c37b7 --- /dev/null +++ b/queue-4.14/series 
@@ -0,0 +1,6 @@ +arm-omap2-fix-null-pointer-dereference-and-memory-le.patch +s390-vx-fix-save-restore-of-fpu-kernel-context.patch +wifi-mac80211-mesh_plink-fix-matches_local-logic.patch +net-sched-ife-fix-potential-use-after-free.patch +ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch +net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch diff --git a/queue-4.14/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch b/queue-4.14/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch new file mode 100644 index 00000000000..ddab89c559b --- /dev/null +++ b/queue-4.14/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch 
@@ -0,0 +1,52 @@ +From 10fd315469ba260c8aab0037d5daf58f81cc0fec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 09:05:31 +0200 +Subject: wifi: mac80211: mesh_plink: fix matches_local logic + +From: Johannes Berg + +[ Upstream commit 8c386b166e2517cf3a123018e77941ec22625d0f ] + +During refactoring the "else" here got lost, add it back. + +Fixes: c99a89edb106 ("mac80211: factor out plink event gathering") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231211085121.795480fa0e0b.I017d501196a5bbdcd9afd33338d342d6fe1edd79@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_plink.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c +index f69c6c38ca439..ab46de4536c46 100644 +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -1025,8 +1025,8 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata, + case WLAN_SP_MESH_PEERING_OPEN: + if (!matches_local) + event = OPN_RJCT; +- if (!mesh_plink_free_count(sdata) || +- (sta->mesh->plid && sta->mesh->plid != plid)) ++ else if (!mesh_plink_free_count(sdata) || ++ (sta->mesh->plid && sta->mesh->plid != plid)) + event = OPN_IGNR; + else + event = OPN_ACPT; +@@ -1034,9 +1034,9 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata, + case WLAN_SP_MESH_PEERING_CONFIRM: + if (!matches_local) + event = CNF_RJCT; +- if (!mesh_plink_free_count(sdata) || +- sta->mesh->llid != llid || +- (sta->mesh->plid && sta->mesh->plid != plid)) ++ else if (!mesh_plink_free_count(sdata) || ++ sta->mesh->llid != llid || ++ (sta->mesh->plid && sta->mesh->plid != plid)) + event = CNF_IGNR; + else + event = CNF_ACPT; +-- +2.43.0 +
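Review bot: in the arch/arm/mach-omap2/id.c hunk (omap_soc_device_init), the two failure branches now each end in their own `kfree(soc_dev_attr); return;`, and only the second also frees `soc_dev_attr->family`. A single error label reached by `goto` from both branches would keep the unwinding in one place and make it harder for a later allocation to be missed on one of the paths. Since kfree() accepts NULL, one label doing `kfree(soc_dev_attr->family); kfree(soc_dev_attr);` would cover both cases.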
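Review bot: in the drivers/net/ethernet/atheros/atl1e/atl1e_main.c hunk, the error path that now jumps to `free_buffer` still sets `err = -1`, which callers see as -EPERM. That line is context rather than part of the change, but since the path is being touched a real errno such as -EINVAL would describe the "offset > ring size" condition better. The new `free_buffer:` label also follows `return 0;` with no blank line and falls through into `failed:`; a blank line before the label would make the intended fall-through easier to read. Clearing `tx_ring->tx_buffer` after the kfree() is good, since it keeps a later teardown from freeing it again.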
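Review bot: in the first net/8021q/vlan_core.c hunk (vlan_vids_add_by_dev), the new test is `vlan_hw_filter_capable(by_dev, vid_info->proto)`, that is, it looks at the features of the device the vids come from and not at `dev`, the device they are added to. The commit message explains why, but nothing in the code does. A short comment above the check would stop a later reader from "correcting" it to `dev`. The same check is repeated in the unwind loop and in vlan_vids_del_by_dev(), so a small helper or a shared comment would keep the three sites in step.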
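Review bot: in the last net/8021q/vlan_core.c hunk (vlan_vids_del_by_dev), the skip depends on the state of `by_dev`'s filter feature at delete time, while the matching add was gated on its state at add time. If the feature is switched between the two calls (the reproducer toggles it with `ethtool -K bond0 rx-vlan-filter off`), vids that were added while the filter was on would be skipped here and stay on `dev`. Is there a path that resynchronises the vids when the feature changes? If so, the changelog should say which one; if not, the add and delete sides can get out of balance in the opposite direction from the one this patch fixes.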
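Review bot: in the net/ife/ife.c hunk (ife_decode), the added reload of `ifehdr` after the second `pskb_may_pull()` has no comment, and without one it reads like a redundant assignment that a cleanup patch could remove. The KASAN report in the changelog shows why it is needed: the free comes from `pskb_expand_head()` under `pskb_may_pull()`. One line above the assignment saying that `pskb_may_pull()` can reallocate the skb head, so that pointers into `skb->data` must be recomputed, would protect the fix. It is also worth checking the rest of the function for any other pointer derived from `skb->data` before the pull and dereferenced after it; only `ifehdr` is visible in this hunk.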
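Review bot: in the arch/s390/include/asm/fpu/api.h hunk, the corrected `#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_LOW)` carries no comment explaining why FPR needs the whole low half. The reason is in the changelog (the floating point registers overlay parts of the first sixteen vector registers), and a one-line comment at the define would keep the mask from being narrowed back to `KERNEL_VXR_V0V7`. The changelog also states that this is "currently not a real bug" because the only KERNEL_FPR user touches floating point registers 0 to 2; for a stable queue, a sentence on why the change is still wanted there would help anyone auditing the backport.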
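Review bot: in the net/mac80211/mesh_plink.c hunks (WLAN_SP_MESH_PEERING_OPEN and WLAN_SP_MESH_PEERING_CONFIRM), the changelog only says the "else" got lost and does not state the behavioural effect. From the removed lines, the `event = OPN_RJCT` / `event = CNF_RJCT` assignment for `!matches_local` was always overwritten by the following if/else, so a frame that did not match the local configuration ended up as IGNR or ACPT and never as RJCT. Please spell that out in the message: it is what a reader needs in order to judge the impact of the fix on mesh peering, and whether a non-matching peer could have been accepted.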