From: Sasha Levin Date: Fri, 1 Nov 2024 19:19:37 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v4.19.323~118 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c04b4977be52e734c14a898a287e9a872c73fe4b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch b/queue-4.19/bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch new file mode 100644 index 00000000000..4fb36dda34f --- /dev/null +++ b/queue-4.19/bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch @@ -0,0 +1,47 @@ +From 883494a4c3fc6756a34a061c6dd66d65ce7af330 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Oct 2024 14:02:43 +0900 +Subject: bpf: Fix out-of-bounds write in trie_get_next_key() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Byeonguk Jeong + +[ Upstream commit 13400ac8fb80c57c2bfb12ebd35ee121ce9b4d21 ] + +trie_get_next_key() allocates a node stack with size trie->max_prefixlen, +while it writes (trie->max_prefixlen + 1) nodes to the stack when it has +full paths from the root to leaves. For example, consider a trie with +max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ... +0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with +.prefixlen = 8 make 9 nodes be written on the node stack with size 8. + +Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE map") +Signed-off-by: Byeonguk Jeong +Reviewed-by: Toke Høiland-Jørgensen +Tested-by: Hou Tao +Acked-by: Hou Tao +Link: https://lore.kernel.org/r/Zxx384ZfdlFYnz6J@localhost.localdomain +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/lpm_trie.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index fcd3a15add41d..a929ee0e86b16 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -629,7 +629,7 @@ static int trie_get_next_key(struct bpf_map *map, void *_key, void *_next_key) + if (!key || key->prefixlen > trie->max_prefixlen) + goto find_leftmost; + +- node_stack = kmalloc_array(trie->max_prefixlen, ++ node_stack = kmalloc_array(trie->max_prefixlen + 1, + sizeof(struct lpm_trie_node *), + GFP_ATOMIC | __GFP_NOWARN); + if (!node_stack) +-- +2.43.0 + diff --git a/queue-4.19/gtp-allow-1-to-be-specified-as-file-description-from.patch b/queue-4.19/gtp-allow-1-to-be-specified-as-file-description-from.patch new file mode 100644 index 00000000000..e5084a533d4 --- /dev/null +++ b/queue-4.19/gtp-allow-1-to-be-specified-as-file-description-from.patch @@ -0,0 +1,68 @@ +From d935c60095becf0d1d6c7ff309f53140532d9bfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2024 16:48:25 +0200 +Subject: gtp: allow -1 to be specified as file description from userspace + +From: Pablo Neira Ayuso + +[ Upstream commit 7515e37bce5c428a56a9b04ea7e96b3f53f17150 ] + +Existing user space applications maintained by the Osmocom project are +breaking since a recent fix that addresses incorrect error checking. + +Restore operation for user space programs that specify -1 as file +descriptor to skip GTPv0 or GTPv1 only sockets. + +Fixes: defd8b3c37b0 ("gtp: fix a potential NULL pointer dereference") +Reported-by: Pau Espin Pedrol +Signed-off-by: Pablo Neira Ayuso +Tested-by: Oliver Smith +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241022144825.66740-1-pablo@netfilter.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 8ad324ef99a2b..2a544724f0e2a 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -853,20 +853,24 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[]) + unsigned int role = GTP_ROLE_GGSN; + + if (data[IFLA_GTP_FD0]) { +- u32 fd0 = nla_get_u32(data[IFLA_GTP_FD0]); ++ int fd0 = nla_get_u32(data[IFLA_GTP_FD0]); + +- sk0 = gtp_encap_enable_socket(fd0, UDP_ENCAP_GTP0, gtp); +- if (IS_ERR(sk0)) +- return PTR_ERR(sk0); ++ if (fd0 >= 0) { ++ sk0 = gtp_encap_enable_socket(fd0, UDP_ENCAP_GTP0, gtp); ++ if (IS_ERR(sk0)) ++ return PTR_ERR(sk0); ++ } + } + + if (data[IFLA_GTP_FD1]) { +- u32 fd1 = nla_get_u32(data[IFLA_GTP_FD1]); ++ int fd1 = nla_get_u32(data[IFLA_GTP_FD1]); + +- sk1u = gtp_encap_enable_socket(fd1, UDP_ENCAP_GTP1U, gtp); +- if (IS_ERR(sk1u)) { +- gtp_encap_disable_sock(sk0); +- return PTR_ERR(sk1u); ++ if (fd1 >= 0) { ++ sk1u = gtp_encap_enable_socket(fd1, UDP_ENCAP_GTP1U, gtp); ++ if (IS_ERR(sk1u)) { ++ gtp_encap_disable_sock(sk0); ++ return PTR_ERR(sk1u); ++ } + } + } + +-- +2.43.0 + diff --git a/queue-4.19/gtp-simplify-error-handling-code-in-gtp_encap_enable.patch b/queue-4.19/gtp-simplify-error-handling-code-in-gtp_encap_enable.patch new file mode 100644 index 00000000000..cda62ec3a2f --- /dev/null +++ b/queue-4.19/gtp-simplify-error-handling-code-in-gtp_encap_enable.patch @@ -0,0 +1,53 @@ +From 8232016263a67f4d5e26cbd1054db2aa23347e7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jan 2020 18:36:07 +0100 +Subject: gtp: simplify error handling code in 'gtp_encap_enable()' + +From: Christophe JAILLET + +[ Upstream commit b289ba5e07105548b8219695e5443d807a825eb8 ] + +'gtp_encap_disable_sock(sk)' handles the case where sk is NULL, so there +is no need to test it before calling the function. + +This saves a few line of code. + +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 7515e37bce5c ("gtp: allow -1 to be specified as file description from userspace") +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 733cafb0888f6..8ad324ef99a2b 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -865,8 +865,7 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[]) + + sk1u = gtp_encap_enable_socket(fd1, UDP_ENCAP_GTP1U, gtp); + if (IS_ERR(sk1u)) { +- if (sk0) +- gtp_encap_disable_sock(sk0); ++ gtp_encap_disable_sock(sk0); + return PTR_ERR(sk1u); + } + } +@@ -874,10 +873,8 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[]) + if (data[IFLA_GTP_ROLE]) { + role = nla_get_u32(data[IFLA_GTP_ROLE]); + if (role > GTP_ROLE_SGSN) { +- if (sk0) +- gtp_encap_disable_sock(sk0); +- if (sk1u) +- gtp_encap_disable_sock(sk1u); ++ gtp_encap_disable_sock(sk0); ++ gtp_encap_disable_sock(sk1u); + return -EINVAL; + } + } +-- +2.43.0 + diff --git a/queue-4.19/igb-disable-threaded-irq-for-igb_msix_other.patch b/queue-4.19/igb-disable-threaded-irq-for-igb_msix_other.patch new file mode 100644 index 00000000000..ac7be127398 --- /dev/null +++ b/queue-4.19/igb-disable-threaded-irq-for-igb_msix_other.patch @@ -0,0 +1,79 @@ +From 4218875d87f8973c20320d160c6a49dfeb0e6399 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2024 16:26:24 -0700 +Subject: igb: Disable threaded IRQ for igb_msix_other + +From: Wander Lairson Costa + +[ Upstream commit 338c4d3902feb5be49bfda530a72c7ab860e2c9f ] + +During testing of SR-IOV, Red Hat QE encountered an issue where the +ip link up command intermittently fails for the igbvf interfaces when +using the PREEMPT_RT variant. Investigation revealed that +e1000_write_posted_mbx returns an error due to the lack of an ACK +from e1000_poll_for_ack. + +The underlying issue arises from the fact that IRQs are threaded by +default under PREEMPT_RT. While the exact hardware details are not +available, it appears that the IRQ handled by igb_msix_other must +be processed before e1000_poll_for_ack times out. However, +e1000_write_posted_mbx is called with preemption disabled, leading +to a scenario where the IRQ is serviced only after the failure of +e1000_write_posted_mbx. + +To resolve this, we set IRQF_NO_THREAD for the affected interrupt, +ensuring that the kernel handles it immediately, thereby preventing +the aforementioned error. + +Reproducer: + + #!/bin/bash + + # echo 2 > /sys/class/net/ens14f0/device/sriov_numvfs + ipaddr_vlan=3 + nic_test=ens14f0 + vf=${nic_test}v0 + + while true; do + ip link set ${nic_test} mtu 1500 + ip link set ${vf} mtu 1500 + ip link set $vf up + ip link set ${nic_test} vf 0 vlan ${ipaddr_vlan} + ip addr add 172.30.${ipaddr_vlan}.1/24 dev ${vf} + ip addr add 2021:db8:${ipaddr_vlan}::1/64 dev ${vf} + if ! ip link show $vf | grep 'state UP'; then + echo 'Error found' + break + fi + ip link set $vf down + done + +Signed-off-by: Wander Lairson Costa +Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver") +Reported-by: Yuying Ma +Reviewed-by: Przemek Kitszel +Tested-by: Rafal Romanowski +Signed-off-by: Jacob Keller +Reviewed-by: Simon Horman +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 3a65dccc08ba8..5867e2db17fd5 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -943,7 +943,7 @@ static int igb_request_msix(struct igb_adapter *adapter) + int i, err = 0, vector = 0, free_vector = 0; + + err = request_irq(adapter->msix_entries[vector].vector, +- igb_msix_other, 0, netdev->name, adapter); ++ igb_msix_other, IRQF_NO_THREAD, netdev->name, adapter); + if (err) + goto err_out; + +-- +2.43.0 + diff --git a/queue-4.19/net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch b/queue-4.19/net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch new file mode 100644 index 00000000000..167d8a30b6b --- /dev/null +++ b/queue-4.19/net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch @@ -0,0 +1,59 @@ +From 62130899e3525d1f0a384fa9b2847830ab9510c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2024 12:55:47 -0400 +Subject: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT + +From: Pedro Tammela + +[ Upstream commit 2e95c4384438adeaa772caa560244b1a2efef816 ] + +In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed +to be either root or ingress. This assumption is bogus since it's valid +to create egress qdiscs with major handle ffff: +Budimir Markovic found that for qdiscs like DRR that maintain an active +class list, it will cause a UAF with a dangling class pointer. + +In 066a3b5b2346, the concern was to avoid iterating over the ingress +qdisc since its parent is itself. The proper fix is to stop when parent +TC_H_ROOT is reached because the only way to retrieve ingress is when a +hierarchy which does not contain a ffff: major handle call into +qdisc_lookup with TC_H_MAJ(TC_H_ROOT). + +In the scenario where major ffff: is an egress qdisc in any of the tree +levels, the updates will also propagate to TC_H_ROOT, which then the +iteration must stop. + +Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop") +Reported-by: Budimir Markovic +Suggested-by: Jamal Hadi Salim +Tested-by: Victor Nogueira +Signed-off-by: Pedro Tammela +Signed-off-by: Jamal Hadi Salim + + net/sched/sch_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) +Reviewed-by: Simon Horman + +Link: https://patch.msgid.link/20241024165547.418570-1-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index ab57c0ee9923b..49c4e85257886 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -783,7 +783,7 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, unsigned int n, + drops = max_t(int, n, 0); + rcu_read_lock(); + while ((parentid = sch->parent)) { +- if (TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS)) ++ if (parentid == TC_H_ROOT) + break; + + if (sch->flags & TCQ_F_NOPARENT) +-- +2.43.0 + diff --git a/queue-4.19/net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch b/queue-4.19/net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch new file mode 100644 index 00000000000..95cf7361027 --- /dev/null +++ b/queue-4.19/net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch @@ -0,0 +1,73 @@ +From 7fa0f19c7831bb7a44b7048aee888bc1f8f0aac7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2024 16:01:54 +0200 +Subject: net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains + extension +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Monin + +[ Upstream commit 04c20a9356f283da623903e81e7c6d5df7e4dc3c ] + +As documented in skbuff.h, devices with NETIF_F_IPV6_CSUM capability +can only checksum TCP and UDP over IPv6 if the IP header does not +contains extension. + +This is enforced for UDP packets emitted from user-space to an IPv6 +address as they go through ip6_make_skb(), which calls +__ip6_append_data() where a check is done on the header size before +setting CHECKSUM_PARTIAL. + +But the introduction of UDP encapsulation with fou6 added a code-path +where it is possible to get an skb with a partial UDP checksum and an +IPv6 header with extension: +* fou6 adds a UDP header with a partial checksum if the inner packet +does not contains a valid checksum. +* ip6_tunnel adds an IPv6 header with a destination option extension +header if encap_limit is non-zero (the default value is 4). + +The thread linked below describes in more details how to reproduce the +problem with GRE-in-UDP tunnel. + +Add a check on the network header size in skb_csum_hwoffload_help() to +make sure no IPv6 packet with extension header is handed to a network +device with NETIF_F_IPV6_CSUM capability. + +Link: https://lore.kernel.org/netdev/26548921.1r3eYUQgxm@benoit.monin/T/#u +Fixes: aa3463d65e7b ("fou: Add encap ops for IPv6 tunnels") +Signed-off-by: Benoît Monin +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/5fbeecfc311ea182aa1d1c771725ab8b4cac515e.1729778144.git.benoit.monin@gmx.fr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index fb48a6b1301fb..c5b5dac093d6a 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3327,6 +3327,9 @@ int skb_csum_hwoffload_help(struct sk_buff *skb, + return 0; + + if (features & (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM)) { ++ if (vlan_get_protocol(skb) == htons(ETH_P_IPV6) && ++ skb_network_header_len(skb) != sizeof(struct ipv6hdr)) ++ goto sw_checksum; + switch (skb->csum_offset) { + case offsetof(struct tcphdr, check): + case offsetof(struct udphdr, check): +@@ -3334,6 +3337,7 @@ int skb_csum_hwoffload_help(struct sk_buff *skb, + } + } + ++sw_checksum: + return skb_checksum_help(skb); + } + EXPORT_SYMBOL(skb_csum_hwoffload_help); +-- +2.43.0 + diff --git a/queue-4.19/net-support-ip-generic-csum-processing-in-skb_csum_h.patch b/queue-4.19/net-support-ip-generic-csum-processing-in-skb_csum_h.patch new file mode 100644 index 00000000000..e99a235e6cb --- /dev/null +++ b/queue-4.19/net-support-ip-generic-csum-processing-in-skb_csum_h.patch @@ -0,0 +1,72 @@ +From 47ab8d8b35c8ebf9b953d0a4f47cab5f0a4b0d74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jan 2021 17:18:31 +0800 +Subject: net: support ip generic csum processing in skb_csum_hwoffload_help + +From: Xin Long + +[ Upstream commit 62fafcd63139920eb25b3fbf154177ce3e6f3232 ] + +NETIF_F_IP|IPV6_CSUM feature flag indicates UDP and TCP csum offload +while NETIF_F_HW_CSUM feature flag indicates ip generic csum offload +for HW, which includes not only for TCP/UDP csum, but also for other +protocols' csum like GRE's. + +However, in skb_csum_hwoffload_help() it only checks features against +NETIF_F_CSUM_MASK(NETIF_F_HW|IP|IPV6_CSUM). So if it's a non TCP/UDP +packet and the features doesn't support NETIF_F_HW_CSUM, but supports +NETIF_F_IP|IPV6_CSUM only, it would still return 0 and leave the HW +to do csum. + +This patch is to support ip generic csum processing by checking +NETIF_F_HW_CSUM for all protocols, and check (NETIF_F_IP_CSUM | +NETIF_F_IPV6_CSUM) only for TCP and UDP. + +Note that we're using skb->csum_offset to check if it's a TCP/UDP +proctol, this might be fragile. However, as Alex said, for now we +only have a few L4 protocols that are requesting Tx csum offload, +we'd better fix this until a new protocol comes with a same csum +offset. + +v1->v2: + - not extend skb->csum_not_inet, but use skb->csum_offset to tell + if it's an UDP/TCP csum packet. +v2->v3: + - add a note in the changelog, as Willem suggested. + +Suggested-by: Alexander Duyck +Signed-off-by: Xin Long +Signed-off-by: Jakub Kicinski +Stable-dep-of: 04c20a9356f2 ("net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension") +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 0409c051ed5d4..fb48a6b1301fb 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3323,7 +3323,18 @@ int skb_csum_hwoffload_help(struct sk_buff *skb, + return !!(features & NETIF_F_SCTP_CRC) ? 0 : + skb_crc32c_csum_help(skb); + +- return !!(features & NETIF_F_CSUM_MASK) ? 0 : skb_checksum_help(skb); ++ if (features & NETIF_F_HW_CSUM) ++ return 0; ++ ++ if (features & (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM)) { ++ switch (skb->csum_offset) { ++ case offsetof(struct tcphdr, check): ++ case offsetof(struct udphdr, check): ++ return 0; ++ } ++ } ++ ++ return skb_checksum_help(skb); + } + EXPORT_SYMBOL(skb_csum_hwoffload_help); + +-- +2.43.0 + diff --git a/queue-4.19/netfilter-nft_payload-sanitize-offset-and-length-bef.patch b/queue-4.19/netfilter-nft_payload-sanitize-offset-and-length-bef.patch new file mode 100644 index 00000000000..f7fffa12a57 --- /dev/null +++ b/queue-4.19/netfilter-nft_payload-sanitize-offset-and-length-bef.patch @@ -0,0 +1,42 @@ +From a69cb162878c00b0a221cfa2343274b8d9dfa067 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Oct 2024 23:13:48 +0100 +Subject: netfilter: nft_payload: sanitize offset and length before calling + skb_checksum() + +From: Pablo Neira Ayuso + +[ Upstream commit d5953d680f7e96208c29ce4139a0e38de87a57fe ] + +If access to offset + length is larger than the skbuff length, then +skb_checksum() triggers BUG_ON(). + +skb_checksum() internally subtracts the length parameter while iterating +over skbuff, BUG_ON(len) at the end of it checks that the expected +length to be included in the checksum calculation is fully consumed. + +Fixes: 7ec3f7b47b8d ("netfilter: nft_payload: add packet mangling support") +Reported-by: Slavin Liu +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_payload.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c +index 0ef51c81ec94c..128195a7ea5ed 100644 +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -306,6 +306,9 @@ static void nft_payload_set_eval(const struct nft_expr *expr, + if ((priv->csum_type == NFT_PAYLOAD_CSUM_INET || priv->csum_flags) && + (priv->base != NFT_PAYLOAD_TRANSPORT_HEADER || + skb->ip_summed != CHECKSUM_PARTIAL)) { ++ if (offset + priv->len > skb->len) ++ goto err; ++ + fsum = skb_checksum(skb, offset, priv->len, 0); + tsum = csum_partial(src, priv->len, 0); + +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index f5add71cb28..c81917b7db5 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -324,3 +324,12 @@ usb-dwc3-remove-generic-phy-calibrate-calls.patch usb-dwc3-add-splitdisable-quirk-for-hisilicon-kirin-.patch usb-dwc3-core-stop-processing-of-pending-events-if-c.patch cgroup-fix-potential-overflow-issue-when-checking-ma.patch +wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch +igb-disable-threaded-irq-for-igb_msix_other.patch +gtp-simplify-error-handling-code-in-gtp_encap_enable.patch +gtp-allow-1-to-be-specified-as-file-description-from.patch +net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch +bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch +net-support-ip-generic-csum-processing-in-skb_csum_h.patch +net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch +netfilter-nft_payload-sanitize-offset-and-length-bef.patch diff --git a/queue-4.19/wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch b/queue-4.19/wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch new file mode 100644 index 00000000000..3807507ce1c --- /dev/null +++ b/queue-4.19/wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch @@ -0,0 +1,94 @@ +From 4a9354d1a2d07f458dfddd7ef7dab36771093977 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2024 17:36:30 +0200 +Subject: wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys + +From: Felix Fietkau + +[ Upstream commit 52009b419355195912a628d0a9847922e90c348c ] + +Sync iterator conditions with ieee80211_iter_keys_rcu. + +Fixes: 830af02f24fb ("mac80211: allow driver to iterate keys") +Signed-off-by: Felix Fietkau +Link: https://patch.msgid.link/20241006153630.87885-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/key.c | 42 +++++++++++++++++++++++++----------------- + 1 file changed, 25 insertions(+), 17 deletions(-) + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index 7fc55177db847..bb09a1ec258d8 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -777,6 +777,26 @@ void ieee80211_reset_crypto_tx_tailroom(struct ieee80211_sub_if_data *sdata) + mutex_unlock(&sdata->local->key_mtx); + } + ++static void ++ieee80211_key_iter(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif, ++ struct ieee80211_key *key, ++ void (*iter)(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif, ++ struct ieee80211_sta *sta, ++ struct ieee80211_key_conf *key, ++ void *data), ++ void *iter_data) ++{ ++ /* skip keys of station in removal process */ ++ if (key->sta && key->sta->removed) ++ return; ++ if (!(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)) ++ return; ++ iter(hw, vif, key->sta ? &key->sta->sta : NULL, ++ &key->conf, iter_data); ++} ++ + void ieee80211_iter_keys(struct ieee80211_hw *hw, + struct ieee80211_vif *vif, + void (*iter)(struct ieee80211_hw *hw, +@@ -796,16 +816,13 @@ void ieee80211_iter_keys(struct ieee80211_hw *hw, + if (vif) { + sdata = vif_to_sdata(vif); + list_for_each_entry_safe(key, tmp, &sdata->key_list, list) +- iter(hw, &sdata->vif, +- key->sta ? &key->sta->sta : NULL, +- &key->conf, iter_data); ++ ieee80211_key_iter(hw, vif, key, iter, iter_data); + } else { + list_for_each_entry(sdata, &local->interfaces, list) + list_for_each_entry_safe(key, tmp, + &sdata->key_list, list) +- iter(hw, &sdata->vif, +- key->sta ? &key->sta->sta : NULL, +- &key->conf, iter_data); ++ ieee80211_key_iter(hw, &sdata->vif, key, ++ iter, iter_data); + } + mutex_unlock(&local->key_mtx); + } +@@ -823,17 +840,8 @@ _ieee80211_iter_keys_rcu(struct ieee80211_hw *hw, + { + struct ieee80211_key *key; + +- list_for_each_entry_rcu(key, &sdata->key_list, list) { +- /* skip keys of station in removal process */ +- if (key->sta && key->sta->removed) +- continue; +- if (!(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)) +- continue; +- +- iter(hw, &sdata->vif, +- key->sta ? &key->sta->sta : NULL, +- &key->conf, iter_data); +- } ++ list_for_each_entry_rcu(key, &sdata->key_list, list) ++ ieee80211_key_iter(hw, &sdata->vif, key, iter, iter_data); + } + + void ieee80211_iter_keys_rcu(struct ieee80211_hw *hw, +-- +2.43.0 +