From: Greg Kroah-Hartman
Date: Fri, 20 Oct 2023 20:50:30 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v4.14.328~81
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c064108a2e6e56fb6167f00cee476ae8c0444cd2;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
i40e-prevent-crash-on-probe-if-hw-registers-have-invalid-values.patch
net-ipv4-fix-return-value-check-in-esp_remove_trailer.patch
net-ipv6-fix-return-value-check-in-esp_remove_trailer.patch
net-rfkill-gpio-prevent-value-glitch-during-probe.patch
net-usb-smsc95xx-fix-an-error-code-in-smsc95xx_reset.patch
xfrm-fix-a-data-race-in-xfrm_gen_index.patch
---
diff --git a/queue-4.14/i40e-prevent-crash-on-probe-if-hw-registers-have-invalid-values.patch b/queue-4.14/i40e-prevent-crash-on-probe-if-hw-registers-have-invalid-values.patch
new file mode 100644
index 00000000000..1afba2fb587
--- /dev/null
+++ b/queue-4.14/i40e-prevent-crash-on-probe-if-hw-registers-have-invalid-values.patch
@@ -0,0 +1,57 @@
+From fc6f716a5069180c40a8c9b63631e97da34f64a3 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt
+Date: Wed, 11 Oct 2023 16:33:32 -0700
+Subject: i40e: prevent crash on probe if hw registers have invalid values
+
+From: Michal Schmidt
+
+commit fc6f716a5069180c40a8c9b63631e97da34f64a3 upstream.
+
+The hardware provides the indexes of the first and the last available
+queue and VF. From the indexes, the driver calculates the numbers of
+queues and VFs. In theory, a faulty device might say the last index is
+smaller than the first index. In that case, the driver's calculation
+would underflow, it would attempt to write to non-existent registers
+outside of the ioremapped range and crash.
+
+I ran into this not by having a faulty device, but by an operator error.
+I accidentally ran a QE test meant for i40e devices on an ice device.
+The test used 'echo i40e > /sys/...ice PCI device.../driver_override',
+bound the driver to the device and crashed in one of the wr32 calls in
+i40e_clear_hw.
+
+Add checks to prevent underflows in the calculations of num_queues and
+num_vfs. With this fix, the wrong device probing reports errors and
+returns a failure without crashing.
+
+Fixes: 838d41d92a90 ("i40e: clear all queues and interrupts")
+Signed-off-by: Michal Schmidt
+Reviewed-by: Simon Horman
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Link: https://lore.kernel.org/r/20231011233334.336092-2-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/i40e/i40e_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_common.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c
+@@ -1320,7 +1320,7 @@ void i40e_clear_hw(struct i40e_hw *hw)
+ I40E_PFLAN_QALLOC_FIRSTQ_SHIFT;
+ j = (val & I40E_PFLAN_QALLOC_LASTQ_MASK) >>
+ I40E_PFLAN_QALLOC_LASTQ_SHIFT;
+- if (val & I40E_PFLAN_QALLOC_VALID_MASK)
++ if (val & I40E_PFLAN_QALLOC_VALID_MASK && j >= base_queue)
+ num_queues = (j - base_queue) + 1;
+ else
+ num_queues = 0;
+@@ -1330,7 +1330,7 @@ void i40e_clear_hw(struct i40e_hw *hw)
+ I40E_PF_VT_PFALLOC_FIRSTVF_SHIFT;
+ j = (val & I40E_PF_VT_PFALLOC_LASTVF_MASK) >>
+ I40E_PF_VT_PFALLOC_LASTVF_SHIFT;
+- if (val & I40E_PF_VT_PFALLOC_VALID_MASK)
++ if (val & I40E_PF_VT_PFALLOC_VALID_MASK && j >= i)
+ num_vfs = (j - i) + 1;
+ else
+ num_vfs = 0;
diff --git a/queue-4.14/net-ipv4-fix-return-value-check-in-esp_remove_trailer.patch b/queue-4.14/net-ipv4-fix-return-value-check-in-esp_remove_trailer.patch
new file mode 100644
index 00000000000..18db1322326
--- /dev/null
+++ b/queue-4.14/net-ipv4-fix-return-value-check-in-esp_remove_trailer.patch
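Review bot: In the i40e_clear_hw() patch, both new conditions mix `&` and `&&` without parentheses; precedence makes them correct, but `if ((val & I40E_PFLAN_QALLOC_VALID_MASK) && j >= base_queue)` (and likewise for the `I40E_PF_VT_PFALLOC_VALID_MASK` test) states the intent and cannot be misread. A register that reports VALID with a last index below the first now falls silently into the same `else` as an unset VALID bit; a comment such as `/* VALID set but last < first: register contents are not trusted, treat as none */` would record why the range test exists. The check only orders the two indexes; whether the resulting counts are also bounded against the mapped register range is not visible here, since the function starts and ends outside both hunks.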
@@ -0,0 +1,32 @@
+From 513f61e2193350c7a345da98559b80f61aec4fa6 Mon Sep 17 00:00:00 2001
+From: Ma Ke
+Date: Mon, 9 Oct 2023 09:13:37 +0800
+Subject: net: ipv4: fix return value check in esp_remove_trailer
+
+From: Ma Ke
+
+commit 513f61e2193350c7a345da98559b80f61aec4fa6 upstream.
+
+In esp_remove_trailer(), to avoid an unexpected result returned by
+pskb_trim, we should check the return value of pskb_trim().
+
+Signed-off-by: Ma Ke
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/esp4.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -547,7 +547,9 @@ static inline int esp_remove_trailer(str
+ skb->csum = csum_block_sub(skb->csum, csumdiff,
+ skb->len - trimlen);
+ }
+- pskb_trim(skb, skb->len - trimlen);
++ ret = pskb_trim(skb, skb->len - trimlen);
++ if (unlikely(ret))
++ return ret;
+
+ ret = nexthdr[1];
+
diff --git a/queue-4.14/net-ipv6-fix-return-value-check-in-esp_remove_trailer.patch b/queue-4.14/net-ipv6-fix-return-value-check-in-esp_remove_trailer.patch
new file mode 100644
index 00000000000..cbcfa303b31
--- /dev/null
+++ b/queue-4.14/net-ipv6-fix-return-value-check-in-esp_remove_trailer.patch
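Review bot: In esp_remove_trailer() (net/ipv4/esp4.c, and identically in the net/ipv6/esp6.c patch that follows), `skb->csum` has already been adjusted by `csum_block_sub()` for the shorter length when the new `return ret;` is taken, so a failed `pskb_trim()` leaves the skb with a checksum that no longer matches its data. That is safe only if every caller drops the packet on a negative return, which cannot be confirmed from this hunk; a comment on the new branch such as `/* skb->csum already adjusted; caller must drop the skb on error */` would make the contract explicit. On success the function returns the next-header byte (`ret = nexthdr[1];`), so callers have to test for a negative value before using the result as a protocol number. The function body starts and ends outside the hunk.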
@@ -0,0 +1,32 @@
+From dad4e491e30b20f4dc615c9da65d2142d703b5c2 Mon Sep 17 00:00:00 2001
+From: Ma Ke
+Date: Sat, 7 Oct 2023 08:59:53 +0800
+Subject: net: ipv6: fix return value check in esp_remove_trailer
+
+From: Ma Ke
+
+commit dad4e491e30b20f4dc615c9da65d2142d703b5c2 upstream.
+
+In esp_remove_trailer(), to avoid an unexpected result returned by
+pskb_trim, we should check the return value of pskb_trim().
+
+Signed-off-by: Ma Ke
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/esp6.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -499,7 +499,9 @@ static inline int esp_remove_trailer(str
+ skb->csum = csum_block_sub(skb->csum, csumdiff,
+ skb->len - trimlen);
+ }
+- pskb_trim(skb, skb->len - trimlen);
++ ret = pskb_trim(skb, skb->len - trimlen);
++ if (unlikely(ret))
++ return ret;
+
+ ret = nexthdr[1];
+
diff --git a/queue-4.14/net-rfkill-gpio-prevent-value-glitch-during-probe.patch b/queue-4.14/net-rfkill-gpio-prevent-value-glitch-during-probe.patch
new file mode 100644
index 00000000000..061830eb093
--- /dev/null
+++ b/queue-4.14/net-rfkill-gpio-prevent-value-glitch-during-probe.patch
@@ -0,0 +1,56 @@
+From b2f750c3a80b285cd60c9346f8c96bd0a2a66cde Mon Sep 17 00:00:00 2001
+From: Josua Mayer
+Date: Wed, 4 Oct 2023 18:39:28 +0200
+Subject: net: rfkill: gpio: prevent value glitch during probe
+
+From: Josua Mayer
+
+commit b2f750c3a80b285cd60c9346f8c96bd0a2a66cde upstream.
+
+When either reset- or shutdown-gpio have are initially deasserted,
+e.g. after a reboot - or when the hardware does not include pull-down,
+there will be a short toggle of both IOs to logical 0 and back to 1.
+
+It seems that the rfkill default is unblocked, so the driver should not
+glitch to output low during probe.
+It can lead e.g. to unexpected lte modem reconnect:
+
+[1] root@localhost:~# dmesg | grep "usb 2-1"
+[ 2.136124] usb 2-1: new SuperSpeed USB device number 2 using xhci-hcd
+[ 21.215278] usb 2-1: USB disconnect, device number 2
+[ 28.833977] usb 2-1: new SuperSpeed USB device number 3 using xhci-hcd
+
+The glitch has been discovered on an arm64 board, now that device-tree
+support for the rfkill-gpio driver has finally appeared :).
+
+Change the flags for devm_gpiod_get_optional from GPIOD_OUT_LOW to
+GPIOD_ASIS to avoid any glitches.
+The rfkill driver will set the intended value during rfkill_sync_work.
+
+Fixes: 7176ba23f8b5 ("net: rfkill: add generic gpio rfkill driver")
+Signed-off-by: Josua Mayer
+Link: https://lore.kernel.org/r/20231004163928.14609-1-josua@solid-run.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rfkill/rfkill-gpio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/rfkill/rfkill-gpio.c
++++ b/net/rfkill/rfkill-gpio.c
+@@ -111,13 +111,13 @@ static int rfkill_gpio_probe(struct plat
+
+ rfkill->clk = devm_clk_get(&pdev->dev, NULL);
+
+- gpio = devm_gpiod_get_optional(&pdev->dev, "reset", GPIOD_OUT_LOW);
++ gpio = devm_gpiod_get_optional(&pdev->dev, "reset", GPIOD_ASIS);
+ if (IS_ERR(gpio))
+ return PTR_ERR(gpio);
+
+ rfkill->reset_gpio = gpio;
+
+- gpio = devm_gpiod_get_optional(&pdev->dev, "shutdown", GPIOD_OUT_LOW);
++ gpio = devm_gpiod_get_optional(&pdev->dev, "shutdown", GPIOD_ASIS);
+ if (IS_ERR(gpio))
+ return PTR_ERR(gpio);
+
diff --git a/queue-4.14/net-usb-smsc95xx-fix-an-error-code-in-smsc95xx_reset.patch b/queue-4.14/net-usb-smsc95xx-fix-an-error-code-in-smsc95xx_reset.patch
new file mode 100644
index 00000000000..96aa5144177
--- /dev/null
+++ b/queue-4.14/net-usb-smsc95xx-fix-an-error-code-in-smsc95xx_reset.patch
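Review bot: With `GPIOD_ASIS` in rfkill_gpio_probe(), neither the "reset" nor the "shutdown" line has its direction configured when it is requested, and the GPIO consumer API expects the consumer to set a direction before driving a value. The commit message relies on rfkill_sync_work setting the intended value later, but that path is outside this hunk; if it only calls a `gpiod_set_value*()` helper, a line the firmware left as an input would never be driven and the radio's reset/shutdown state would stay wherever the board leaves it. Worth confirming that the block/unblock path uses `gpiod_direction_output()` on both descriptors, or adding that in the same patch, and noting it in a comment next to the two `devm_gpiod_get_optional()` calls.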
@@ -0,0 +1,32 @@
+From c53647a5df9e66dd9fedf240198e1fe50d88c286 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 16 Oct 2023 20:28:10 +0300
+Subject: net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
+
+From: Dan Carpenter
+
+commit c53647a5df9e66dd9fedf240198e1fe50d88c286 upstream.
+
+Return a negative error code instead of success.
+
+Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/147927f0-9ada-45cc-81ff-75a19dd30b76@moroto.mountain
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/smsc95xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -1054,7 +1054,7 @@ static int smsc95xx_reset(struct usbnet
+
+ if (timeout >= 100) {
+ netdev_warn(dev->net, "timeout waiting for completion of Lite Reset\n");
+- return ret;
++ return -ETIMEDOUT;
+ }
+
+ ret = smsc95xx_write_reg(dev, PM_CTRL, PM_CTL_PHY_RST_);
diff --git a/queue-4.14/series b/queue-4.14/series
index 9de4cc891b5..3def2ec76af 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -33,3 +33,9 @@ nfc-nci-fix-possible-null-pointer-dereference-in-send_acknowledge.patch
 regmap-fix-null-deref-on-lookup.patch
 kvm-x86-mask-lvtpc-when-handling-a-pmi.patch
 netfilter-nft_payload-fix-wrong-mac-header-matching.patch
+xfrm-fix-a-data-race-in-xfrm_gen_index.patch
+net-ipv4-fix-return-value-check-in-esp_remove_trailer.patch
+net-ipv6-fix-return-value-check-in-esp_remove_trailer.patch
+net-rfkill-gpio-prevent-value-glitch-during-probe.patch
+net-usb-smsc95xx-fix-an-error-code-in-smsc95xx_reset.patch
+i40e-prevent-crash-on-probe-if-hw-registers-have-invalid-values.patch
diff --git a/queue-4.14/xfrm-fix-a-data-race-in-xfrm_gen_index.patch b/queue-4.14/xfrm-fix-a-data-race-in-xfrm_gen_index.patch
new file mode 100644
index 00000000000..05103daa1e2
--- /dev/null
+++ b/queue-4.14/xfrm-fix-a-data-race-in-xfrm_gen_index.patch 
@@ -0,0 +1,101 @@
+From 3e4bc23926b83c3c67e5f61ae8571602754131a6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Fri, 8 Sep 2023 18:13:59 +0000
+Subject: xfrm: fix a data-race in xfrm_gen_index()
+
+From: Eric Dumazet
+
+commit 3e4bc23926b83c3c67e5f61ae8571602754131a6 upstream.
+
+xfrm_gen_index() mutual exclusion uses net->xfrm.xfrm_policy_lock.
+
+This means we must use a per-netns idx_generator variable,
+instead of a static one.
+Alternative would be to use an atomic variable.
+
+syzbot reported:
+
+BUG: KCSAN: data-race in xfrm_sk_policy_insert / xfrm_sk_policy_insert
+
+write to 0xffffffff87005938 of 4 bytes by task 29466 on cpu 0:
+xfrm_gen_index net/xfrm/xfrm_policy.c:1385 [inline]
+xfrm_sk_policy_insert+0x262/0x640 net/xfrm/xfrm_policy.c:2347
+xfrm_user_policy+0x413/0x540 net/xfrm/xfrm_state.c:2639
+do_ipv6_setsockopt+0x1317/0x2ce0 net/ipv6/ipv6_sockglue.c:943
+ipv6_setsockopt+0x57/0x130 net/ipv6/ipv6_sockglue.c:1012
+rawv6_setsockopt+0x21e/0x410 net/ipv6/raw.c:1054
+sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
+__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
+__do_sys_setsockopt net/socket.c:2274 [inline]
+__se_sys_setsockopt net/socket.c:2271 [inline]
+__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read to 0xffffffff87005938 of 4 bytes by task 29460 on cpu 1:
+xfrm_sk_policy_insert+0x13e/0x640
+xfrm_user_policy+0x413/0x540 net/xfrm/xfrm_state.c:2639
+do_ipv6_setsockopt+0x1317/0x2ce0 net/ipv6/ipv6_sockglue.c:943
+ipv6_setsockopt+0x57/0x130 net/ipv6/ipv6_sockglue.c:1012
+rawv6_setsockopt+0x21e/0x410 net/ipv6/raw.c:1054
+sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
+__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
+__do_sys_setsockopt net/socket.c:2274 [inline]
+__se_sys_setsockopt net/socket.c:2271 [inline]
+__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x00006ad8 -> 0x00006b18
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 29460 Comm: syz-executor.1 Not tainted 6.5.0-rc5-syzkaller-00243-g9106536c1aa3 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+
+Fixes: 1121994c803f ("netns xfrm: policy insertion in netns")
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Cc: Steffen Klassert
+Cc: Herbert Xu
+Acked-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/netns/xfrm.h | 1 +
+ net/xfrm/xfrm_policy.c | 6 ++----
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+--- a/include/net/netns/xfrm.h
++++ b/include/net/netns/xfrm.h
+@@ -48,6 +48,7 @@ struct netns_xfrm {
+ struct list_head policy_all;
+ struct hlist_head *policy_byidx;
+ unsigned int policy_idx_hmask;
++ unsigned int idx_generator;
+ struct hlist_head policy_inexact[XFRM_POLICY_MAX];
+ struct xfrm_policy_hash policy_bydst[XFRM_POLICY_MAX];
+ unsigned int policy_count[XFRM_POLICY_MAX * 2];
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -646,8 +646,6 @@ EXPORT_SYMBOL(xfrm_policy_hash_rebuild);
+ * of an absolute inpredictability of ordering of rules. This will not pass. */
+ static u32 xfrm_gen_index(struct net *net, int dir, u32 index)
+ {
+- static u32 idx_generator;
+-
+ for (;;) {
+ struct hlist_head *list;
+ struct xfrm_policy *p;
+@@ -655,8 +653,8 @@ static u32 xfrm_gen_index(struct net *ne
+ int found;
+
+ if (!index) {
+- idx = (idx_generator | dir);
+- idx_generator += 8;
++ idx = (net->xfrm.idx_generator | dir);
++ net->xfrm.idx_generator += 8;
+ } else {
+ idx = index;
+ index = 0;
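Review bot: The per-netns counter in xfrm_gen_index() is still read and advanced with plain accesses (`idx = (net->xfrm.idx_generator | dir);` then `net->xfrm.idx_generator += 8;`), so it is race-free only while every caller holds `net->xfrm.xfrm_policy_lock`, as the commit message states. Nothing in the hunks enforces or documents that requirement; adding `lockdep_assert_held(&net->xfrm.xfrm_policy_lock);` at the top of the function and annotating the new field as `unsigned int idx_generator; /* protected by xfrm_policy_lock */` would catch a future caller that reaches this path unlocked. The function continues past the end of the last hunk, so whether the loop's lookup is covered by the same lock cannot be checked from here.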