From: Sasha Levin
Date: Sun, 22 Aug 2021 02:39:21 +0000 (-0400)
Subject: Fixes for 4.9
X-Git-Tag: v5.13.13~18
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cbd81f0b2ef4ba8778e8d1bf9e67b7f8ee286db5;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.9
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/dccp-add-do-while-0-stubs-for-dccp_pr_debug-macros.patch b/queue-4.9/dccp-add-do-while-0-stubs-for-dccp_pr_debug-macros.patch
new file mode 100644
index 00000000000..9e2a57ea0ef
--- /dev/null
+++ b/queue-4.9/dccp-add-do-while-0-stubs-for-dccp_pr_debug-macros.patch
@@ -0,0 +1,54 @@
+From 70181f2171ab1e41ce8bf8e374cdd82dcf5a8ebf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 8 Aug 2021 16:04:40 -0700
+Subject: dccp: add do-while-0 stubs for dccp_pr_debug macros
+
+From: Randy Dunlap
+
+[ Upstream commit 86aab09a4870bb8346c9579864588c3d7f555299 ]
+
+GCC complains about empty macros in an 'if' statement, so convert
+them to 'do {} while (0)' macros.
+
+Fixes these build warnings:
+
+net/dccp/output.c: In function 'dccp_xmit_packet':
+../net/dccp/output.c:283:71: warning: suggest braces around empty body in an 'if' statement [-Wempty-body]
+ 283 | dccp_pr_debug("transmit_skb() returned err=%d\n", err);
+net/dccp/ackvec.c: In function 'dccp_ackvec_update_old':
+../net/dccp/ackvec.c:163:80: warning: suggest braces around empty body in an 'else' statement [-Wempty-body]
+ 163 | (unsigned long long)seqno, state);
+
+Fixes: dc841e30eaea ("dccp: Extend CCID packet dequeueing interface")
+Fixes: 380240864451 ("dccp ccid-2: Update code for the Ack Vector input/registration routine")
+Signed-off-by: Randy Dunlap
+Cc: dccp@vger.kernel.org
+Cc: "David S. Miller"
+Cc: Jakub Kicinski
+Cc: Gerrit Renker
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/dccp/dccp.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h
+index 0c55ffb859bf..121aa71fcb5c 100644
+--- a/net/dccp/dccp.h
++++ b/net/dccp/dccp.h
+@@ -44,9 +44,9 @@ extern bool dccp_debug;
+ #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
+ #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
+ #else
+-#define dccp_pr_debug(format, a...)
+-#define dccp_pr_debug_cat(format, a...)
+-#define dccp_debug(format, a...)
++#define dccp_pr_debug(format, a...) do {} while (0)
++#define dccp_pr_debug_cat(format, a...) do {} while (0)
++#define dccp_debug(format, a...) do {} while (0)
+ #endif
+ 
+ extern struct inet_hashinfo dccp_hashinfo;
+-- 
+2.30.2
+
diff --git a/queue-4.9/net-6pack-fix-slab-out-of-bounds-in-decode_data.patch b/queue-4.9/net-6pack-fix-slab-out-of-bounds-in-decode_data.patch
new file mode 100644
index 00000000000..5776f827d04
--- /dev/null
+++ b/queue-4.9/net-6pack-fix-slab-out-of-bounds-in-decode_data.patch
@@ -0,0 +1,67 @@
+From 4161aec6b5474b36191504cdb50f5b6612822345 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Aug 2021 18:14:33 +0300
+Subject: net: 6pack: fix slab-out-of-bounds in decode_data
+
+From: Pavel Skripkin
+
+[ Upstream commit 19d1532a187669ce86d5a2696eb7275310070793 ]
+
+Syzbot reported slab-out-of bounds write in decode_data().
+The problem was in missing validation checks.
+
+Syzbot's reproducer generated malicious input, which caused
+decode_data() to be called a lot in sixpack_decode(). Since
+rx_count_cooked is only 400 bytes and noone reported before,
+that 400 bytes is not enough, let's just check if input is malicious
+and complain about buffer overrun.
+
+Fail log:
+==================================================================
+BUG: KASAN: slab-out-of-bounds in drivers/net/hamradio/6pack.c:843
+Write of size 1 at addr ffff888087c5544e by task kworker/u4:0/7
+
+CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.6.0-rc3-syzkaller #0
+...
+Workqueue: events_unbound flush_to_ldisc
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
+ __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
+ kasan_report+0x12/0x20 mm/kasan/common.c:641
+ __asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:137
+ decode_data.part.0+0x23b/0x270 drivers/net/hamradio/6pack.c:843
+ decode_data drivers/net/hamradio/6pack.c:965 [inline]
+ sixpack_decode drivers/net/hamradio/6pack.c:968 [inline]
+
+Reported-and-tested-by: syzbot+fc8cd9a673d4577fb2e4@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Pavel Skripkin
+Reviewed-by: Dan Carpenter
+Signed-off-by: David S. 
Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/hamradio/6pack.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
+index 03c96a6cbafd..e510dbda77e5 100644
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -870,6 +870,12 @@ static void decode_data(struct sixpack *sp, unsigned char inbyte)
+ return;
+ }
+ 
++ if (sp->rx_count_cooked + 2 >= sizeof(sp->cooked_buf)) {
++ pr_err("6pack: cooked buffer overrun, data loss\n");
++ sp->rx_count = 0;
++ return;
++ }
++
+ buf = sp->raw_buf;
+ sp->cooked_buf[sp->rx_count_cooked++] =
+ buf[0] | ((buf[1] << 2) & 0xc0);
+-- 
+2.30.2
+
diff --git a/queue-4.9/net-qlcnic-add-missed-unlock-in-qlcnic_83xx_flash_re.patch b/queue-4.9/net-qlcnic-add-missed-unlock-in-qlcnic_83xx_flash_re.patch
new file mode 100644
index 00000000000..f440c5efcb6
--- /dev/null
+++ b/queue-4.9/net-qlcnic-add-missed-unlock-in-qlcnic_83xx_flash_re.patch
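Review bot: The new overrun branch logs with an unrate-limited `pr_err()` on a path fed byte-by-byte from the peer, and it resets `rx_count` but not `rx_count_cooked`, so once the cooked buffer is full every further 3-byte group in the same frame re-enters this branch and prints another line until the frame ends; a malformed or hostile stream can flood the log that way. Keeping the diagnostic but bounding it is a one-token change: `pr_err_ratelimited("6pack: cooked buffer overrun, data loss\n");`. The bound itself looks right: `rx_count_cooked + 2 >= sizeof(sp->cooked_buf)` leaves room for three bytes, matching the `cooked_buf[sp->rx_count_cooked++]` write visible here and the following writes outside the hunk. Where `rx_count_cooked` is reset at frame end is not visible in this hunk — presumably in the end-of-frame command handling — and is worth confirming, since that is what ends the repeated logging. `decode_data()` starts before and continues after the hunk.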
@@ -0,0 +1,42 @@
+From 51d594b2c013e28294476f3fc6a8ddd7b47c318b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Aug 2021 21:14:04 +0800
+Subject: net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32
+
+From: Dinghao Liu
+
+[ Upstream commit 0a298d133893c72c96e2156ed7cb0f0c4a306a3e ]
+
+qlcnic_83xx_unlock_flash() is called on all paths after we call
+qlcnic_83xx_lock_flash(), except for one error path on failure
+of QLCRD32(), which may cause a deadlock. This bug is suggested
+by a static analysis tool, please advise.
+
+Fixes: 81d0aeb0a4fff ("qlcnic: flash template based firmware reset recovery")
+Signed-off-by: Dinghao Liu
+Link: https://lore.kernel.org/r/20210816131405.24024-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+index 5d2de48b77a0..dce36e9e1879 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -3157,8 +3157,10 @@ int qlcnic_83xx_flash_read32(struct qlcnic_adapter *adapter, u32 flash_addr,
+ 
+ indirect_addr = QLC_83XX_FLASH_DIRECT_DATA(addr);
+ ret = QLCRD32(adapter, indirect_addr, &err);
+- if (err == -EIO)
++ if (err == -EIO) {
++ qlcnic_83xx_unlock_flash(adapter);
+ return err;
++ }
+ 
+ word = ret;
+ *(u32 *)p_data = word;
+-- 
+2.30.2
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 6b4bd2d2ad4..d4aceabbe23 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
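Review bot: The added `qlcnic_83xx_unlock_flash(adapter);` before `return err;` closes this leak, but the commit message itself says every other exit of `qlcnic_83xx_flash_read32()` already carries its own unlock-then-return pair, and duplicating that pair at each early return is exactly how this one was missed. Routing all failure exits through a single label — `ret = -EIO; goto unlock;` at each site, with `unlock: qlcnic_83xx_unlock_flash(adapter); return ret;` once at the bottom — would make the next early return safe by construction; that restructuring touches lines outside this hunk, so it is described rather than shown. Separately, the condition only releases the lock for `err == -EIO`; if the register-read helper can ever leave a different non-zero code in `err`, the lock would leak again, so `if (err) {` is the more defensive test, assuming `err` is zero on success (not visible here). The function starts and ends outside the hunk.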
@@ -28,3 +28,7 @@ scsi-scsi_dh_rdac-avoid-crash-during-rdac_bus_attach.patch
 scsi-core-avoid-printing-an-error-if-target_alloc-re.patch
 arm-dts-nomadik-fix-up-interrupt-controller-node-nam.patch
 bluetooth-hidp-use-correct-wait-queue-when-removing-.patch
+dccp-add-do-while-0-stubs-for-dccp_pr_debug-macros.patch
+vhost-fix-the-calculation-in-vhost_overflow.patch
+net-6pack-fix-slab-out-of-bounds-in-decode_data.patch
+net-qlcnic-add-missed-unlock-in-qlcnic_83xx_flash_re.patch
diff --git a/queue-4.9/vhost-fix-the-calculation-in-vhost_overflow.patch b/queue-4.9/vhost-fix-the-calculation-in-vhost_overflow.patch
new file mode 100644
index 00000000000..b9cd6361db2
--- /dev/null
+++ b/queue-4.9/vhost-fix-the-calculation-in-vhost_overflow.patch
@@ -0,0 +1,49 @@
+From 9ca9f32b294c540c4b3e72cb7bd1f64819f64e5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Jul 2021 21:07:56 +0800
+Subject: vhost: Fix the calculation in vhost_overflow()
+
+From: Xie Yongji
+
+[ Upstream commit f7ad318ea0ad58ebe0e595e59aed270bb643b29b ]
+
+This fixes the incorrect calculation for integer overflow
+when the last address of iova range is 0xffffffff.
+
+Fixes: ec33d031a14b ("vhost: detect 32 bit integer wrap around")
+Reported-by: Jason Wang
+Signed-off-by: Xie Yongji
+Acked-by: Jason Wang
+Link: https://lore.kernel.org/r/20210728130756.97-2-xieyongji@bytedance.com
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Sasha Levin
+---
+ drivers/vhost/vhost.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index d2431afeda84..62c61a283b35 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -675,10 +675,16 @@ static int log_access_ok(void __user *log_base, u64 addr, unsigned long sz)
+ (sz + VHOST_PAGE_SIZE * 8 - 1) / VHOST_PAGE_SIZE / 8);
+ }
+ 
++/* Make sure 64 bit math will not overflow. */
+ static bool vhost_overflow(u64 uaddr, u64 size)
+ {
+- /* Make sure 64 bit math will not overflow. */
+- return uaddr > ULONG_MAX || size > ULONG_MAX || uaddr > ULONG_MAX - size;
++ if (uaddr > ULONG_MAX || size > ULONG_MAX)
++ return true;
++
++ if (!size)
++ return false;
++
++ return uaddr > ULONG_MAX - size + 1;
+ }
+ 
+ /* Caller should have vq mutex and device mutex. */
+-- 
+2.30.2
+
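Review bot: The `if (!size) return false;` guard is there because `ULONG_MAX - size + 1` wraps to 0 for `size == 0` and would make the final comparison accept any address, but neither the guard nor the hoisted "Make sure 64 bit math will not overflow" comment says so, and the comment is now slightly misleading: on 64-bit hosts `ULONG_MAX` is the full u64 range and the first two checks are no-ops, while on 32-bit hosts they are what actually reject out-of-range `u64` arguments. I would replace the header comment with one stating the contract, e.g. `/* True if [uaddr, uaddr + size - 1] does not fit in an unsigned long (the u64 arguments may exceed it on 32-bit hosts). An empty range never overflows. */`, and annotate the guard with `/* keeps ULONG_MAX - size + 1 from wrapping below */`. Note the new bound deliberately accepts ranges whose exclusive end `uaddr + size` equals `ULONG_MAX + 1`, i.e. wraps to 0 in `unsigned long`; any caller that derives an exclusive end rather than the inclusive last byte `uaddr + size - 1` would now see a wrapped value, and since the callers are outside this hunk that is worth confirming.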