From: Greg Kroah-Hartman Date: Sun, 24 Oct 2021 12:12:19 +0000 (+0200) Subject: 5.14-stable patches X-Git-Tag: v4.4.290~44 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ce6640e5f4d6e850a7582c566d9a64eb0c534507;p=thirdparty%2Fkernel%2Fstable-queue.git 5.14-stable patches added patches: drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch kvm-mmu-reset-mmu-pkru_mask-to-avoid-stale-data.patch kvm-sev-es-set-guest_state_protected-after-vmsa-update.patch net-bridge-mcast-use-multicast_membership_interval-for-igmpv3.patch net-hns3-fix-the-max-tx-size-according-to-user-manual.patch netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch selftests-netfilter-remove-stray-bash-debug-line.patch
---
diff --git a/queue-5.14/drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch b/queue-5.14/drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch
new file mode 100644
index 00000000000..e0dc90acf0c
--- /dev/null
+++ b/queue-5.14/drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch
@@ -0,0 +1,46 @@
+From 3cfc183052c3dbf8eae57b6c1685dab00ed3db4a Mon Sep 17 00:00:00 2001
+From: Marek Vasut
+Date: Sat, 16 Oct 2021 23:04:46 +0200
+Subject: drm: mxsfb: Fix NULL pointer dereference crash on unload
+
+From: Marek Vasut
+
+commit 3cfc183052c3dbf8eae57b6c1685dab00ed3db4a upstream.
+
+The mxsfb->crtc.funcs may already be NULL when unloading the driver,
+in which case calling mxsfb_irq_disable() via drm_irq_uninstall() from
+mxsfb_unload() leads to NULL pointer dereference.
+
+Since all we care about is masking the IRQ and mxsfb->base is still
+valid, just use that to clear and mask the IRQ.
+
+Fixes: ae1ed00932819 ("drm: mxsfb: Stop using DRM simple display pipeline helper")
+Signed-off-by: Marek Vasut
+Cc: Daniel Abrecht
+Cc: Emil Velikov
+Cc: Laurent Pinchart
+Cc: Sam Ravnborg
+Cc: Stefan Agner
+Signed-off-by: Sam Ravnborg
+Link: https://patchwork.freedesktop.org/patch/msgid/20211016210446.171616-1-marex@denx.de
+Signed-off-by: Maarten Lankhorst
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/mxsfb/mxsfb_drv.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/mxsfb/mxsfb_drv.c
++++ b/drivers/gpu/drm/mxsfb/mxsfb_drv.c
+@@ -268,7 +268,11 @@ static void mxsfb_irq_disable(struct drm
+ struct mxsfb_drm_private *mxsfb = drm->dev_private;
+ 
+ mxsfb_enable_axi_clk(mxsfb);
+- mxsfb->crtc.funcs->disable_vblank(&mxsfb->crtc);
++
++ /* Disable and clear VBLANK IRQ */
++ writel(CTRL1_CUR_FRAME_DONE_IRQ_EN, mxsfb->base + LCDC_CTRL1 + REG_CLR);
++ writel(CTRL1_CUR_FRAME_DONE_IRQ, mxsfb->base + LCDC_CTRL1 + REG_CLR);
++
+ mxsfb_disable_axi_clk(mxsfb);
+ }
+ 
diff --git a/queue-5.14/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch b/queue-5.14/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
new file mode 100644
index 00000000000..b3c62a32eea
--- /dev/null
+++ b/queue-5.14/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
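Review bot: The new comment `/* Disable and clear VBLANK IRQ */` says what the two writel() calls do but not why they replaced the crtc callback; that reason lives only in the commit message, so state it at the call site, e.g. `/* Mask and ack via mxsfb->base directly: crtc.funcs may already be NULL on unload */`. The two writes appear to mask the enable bit first and then clear the pending bit, which is the safe order; naming that in the comment keeps a later edit from swapping them. mxsfb_irq_disable() starts outside the hunk, so whether anything else in it still reaches through crtc.funcs cannot be seen here.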
@@ -0,0 +1,64 @@ +From 1f3e2e97c003f80c4b087092b225c8787ff91e4d Mon Sep 17 00:00:00 2001 +From: Xiaolong Huang +Date: Fri, 8 Oct 2021 14:58:30 +0800 +Subject: isdn: cpai: check ctr->cnr to avoid array index out of bound + +From: Xiaolong Huang + +commit 1f3e2e97c003f80c4b087092b225c8787ff91e4d upstream. + +The cmtp_add_connection() would add a cmtp session to a controller +and run a kernel thread to process cmtp. + + __module_get(THIS_MODULE); + session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d", + session->num); + +During this process, the kernel thread would call detach_capi_ctr() +to detach a register controller. if the controller +was not attached yet, detach_capi_ctr() would +trigger an array-index-out-bounds bug. + +[ 46.866069][ T6479] UBSAN: array-index-out-of-bounds in +drivers/isdn/capi/kcapi.c:483:21 +[ 46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]' +[ 46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted +5.15.0-rc2+ #8 +[ 46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX, +1996), BIOS 1.14.0-2 04/01/2014 +[ 46.870107][ T6479] Call Trace: +[ 46.870473][ T6479] dump_stack_lvl+0x57/0x7d +[ 46.870974][ T6479] ubsan_epilogue+0x5/0x40 +[ 46.871458][ T6479] __ubsan_handle_out_of_bounds.cold+0x43/0x48 +[ 46.872135][ T6479] detach_capi_ctr+0x64/0xc0 +[ 46.872639][ T6479] cmtp_session+0x5c8/0x5d0 +[ 46.873131][ T6479] ? __init_waitqueue_head+0x60/0x60 +[ 46.873712][ T6479] ? cmtp_add_msgpart+0x120/0x120 +[ 46.874256][ T6479] kthread+0x147/0x170 +[ 46.874709][ T6479] ? 
set_kthread_struct+0x40/0x40 +[ 46.875248][ T6479] ret_from_fork+0x1f/0x30 +[ 46.875773][ T6479] + +Signed-off-by: Xiaolong Huang +Acked-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20211008065830.305057-1-butterflyhuangxx@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/capi/kcapi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/isdn/capi/kcapi.c ++++ b/drivers/isdn/capi/kcapi.c +@@ -480,6 +480,11 @@ int detach_capi_ctr(struct capi_ctr *ctr + + ctr_down(ctr, CAPI_CTR_DETACHED); + ++ if (ctr->cnr < 1 || ctr->cnr - 1 >= CAPI_MAXCONTR) { ++ err = -EINVAL; ++ goto unlock_out; ++ } ++ + if (capi_controller[ctr->cnr - 1] != ctr) { + err = -EINVAL; + goto unlock_out; diff --git a/queue-5.14/kvm-mmu-reset-mmu-pkru_mask-to-avoid-stale-data.patch b/queue-5.14/kvm-mmu-reset-mmu-pkru_mask-to-avoid-stale-data.patch new file mode 100644 index 00000000000..488a9832160 --- /dev/null +++ b/queue-5.14/kvm-mmu-reset-mmu-pkru_mask-to-avoid-stale-data.patch 
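Review bot: The new range check runs after `ctr_down(ctr, CAPI_CTR_DETACHED)`, so a controller whose cnr was never assigned is flagged detached before being rejected with -EINVAL; if ctr_down() does more than record the state (it is outside the hunk), the check belongs before it. Style: `ctr->cnr - 1 >= CAPI_MAXCONTR` is the same test as a direct upper bound and reads more plainly as `if (ctr->cnr < 1 || ctr->cnr > CAPI_MAXCONTR) {`. detach_capi_ctr() begins and ends outside the hunk, and the `unlock_out` label the new branch jumps to is not visible, so the locking it releases is assumed from the existing branch below.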
@@ -0,0 +1,39 @@
+From a3ca5281bb771d8103ea16f0a6a8a5df9a7fb4f3 Mon Sep 17 00:00:00 2001
+From: Chenyi Qiang
+Date: Thu, 21 Oct 2021 15:10:22 +0800
+Subject: KVM: MMU: Reset mmu->pkru_mask to avoid stale data
+
+From: Chenyi Qiang
+
+commit a3ca5281bb771d8103ea16f0a6a8a5df9a7fb4f3 upstream.
+
+When updating mmu->pkru_mask, the value can only be added but it isn't
+reset in advance. This will make mmu->pkru_mask keep the stale data.
+Fix this issue.
+
+Fixes: 2d344105f57c ("KVM, pkeys: introduce pkru_mask to cache conditions")
+Signed-off-by: Chenyi Qiang
+Message-Id: <20211021071022.1140-1-chenyi.qiang@intel.com>
+Reviewed-by: Sean Christopherson
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/mmu/mmu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/mmu/mmu.c
++++ b/arch/x86/kvm/mmu/mmu.c
+@@ -4465,10 +4465,10 @@ static void update_pkru_bitmask(struct k
+ unsigned bit;
+ bool wp;
+ 
+- if (!is_cr4_pke(mmu)) {
+- mmu->pkru_mask = 0;
++ mmu->pkru_mask = 0;
++
++ if (!is_cr4_pke(mmu))
+ return;
+- }
+ 
+ wp = is_cr0_wp(mmu);
+ 
diff --git a/queue-5.14/kvm-sev-es-set-guest_state_protected-after-vmsa-update.patch b/queue-5.14/kvm-sev-es-set-guest_state_protected-after-vmsa-update.patch
new file mode 100644
index 00000000000..ae658213378
--- /dev/null
+++ b/queue-5.14/kvm-sev-es-set-guest_state_protected-after-vmsa-update.patch
@@ -0,0 +1,39 @@
+From baa1e5ca172ce7bf9554070139482dd7ea919528 Mon Sep 17 00:00:00 2001
+From: Peter Gonda
+Date: Fri, 15 Oct 2021 13:32:22 -0400
+Subject: KVM: SEV-ES: Set guest_state_protected after VMSA update
+
+From: Peter Gonda
+
+commit baa1e5ca172ce7bf9554070139482dd7ea919528 upstream.
+
+The refactoring in commit bb18a6777465 ("KVM: SEV: Acquire
+vcpu mutex when updating VMSA") left behind the assignment to
+svm->vcpu.arch.guest_state_protected; add it back.
+
+Signed-off-by: Peter Gonda
+[Delta between v2 and v3 of Peter's patch, which had already been
+ committed; the commit message is my own. - Paolo]
+Fixes: bb18a6777465 ("KVM: SEV: Acquire vcpu mutex when updating VMSA")
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/svm/sev.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -619,7 +619,12 @@ static int __sev_launch_update_vmsa(stru
+ vmsa.handle = to_kvm_svm(kvm)->sev_info.handle;
+ vmsa.address = __sme_pa(svm->vmsa);
+ vmsa.len = PAGE_SIZE;
+- return sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_VMSA, &vmsa, error);
++ ret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_VMSA, &vmsa, error);
++ if (ret)
++ return ret;
++
++ vcpu->arch.guest_state_protected = true;
++ return 0;
+ }
+ 
+ static int sev_launch_update_vmsa(struct kvm *kvm, struct kvm_sev_cmd *argp)
diff --git a/queue-5.14/net-bridge-mcast-use-multicast_membership_interval-for-igmpv3.patch b/queue-5.14/net-bridge-mcast-use-multicast_membership_interval-for-igmpv3.patch
new file mode 100644
index 00000000000..729a6d49099
--- /dev/null
+++ b/queue-5.14/net-bridge-mcast-use-multicast_membership_interval-for-igmpv3.patch
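Review bot: The added lines assign to `ret` and dereference `vcpu`, but neither is declared within the hunk; __sev_launch_update_vmsa() starts outside it, so confirm both exist in the 5.14 context (the message credits the refactor to bb18a6777465, which presumably introduced them, but the backport should be built to be sure). A short why-comment on the new assignment would help a reader unfamiliar with the SEV-ES flow, e.g. `/* Mark guest state protected only once the VMSA update succeeded */`, which is exactly what the preceding early `return ret` enforces.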
@@ -0,0 +1,51 @@ +From fac3cb82a54a4b7c49c932f96ef196cf5774344c Mon Sep 17 00:00:00 2001 +From: Nikolay Aleksandrov +Date: Fri, 15 Oct 2021 12:05:46 +0300 +Subject: net: bridge: mcast: use multicast_membership_interval for IGMPv3 + +From: Nikolay Aleksandrov + +commit fac3cb82a54a4b7c49c932f96ef196cf5774344c upstream. + +When I added IGMPv3 support I decided to follow the RFC for computing +the GMI dynamically: +" 8.4. Group Membership Interval + + The Group Membership Interval is the amount of time that must pass + before a multicast router decides there are no more members of a + group or a particular source on a network. + + This value MUST be ((the Robustness Variable) times (the Query + Interval)) plus (one Query Response Interval)." + +But that actually is inconsistent with how the bridge used to compute it +for IGMPv2, where it was user-configurable that has a correct default value +but it is up to user-space to maintain it. This would make it consistent +with the other timer values which are also maintained correct by the user +instead of being dynamically computed. It also changes back to the previous +user-expected GMI behaviour for IGMPv3 queries which were supported before +IGMPv3 was added. Note that to properly compute it dynamically we would +need to add support for "Robustness Variable" which is currently missing. + +Reported-by: Hangbin Liu +Fixes: 0436862e417e ("net: bridge: mcast: support for IGMPv3/MLDv2 ALLOW_NEW_SOURCES report") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_private.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -1002,9 +1002,7 @@ static inline unsigned long br_multicast
+ 
+ static inline unsigned long br_multicast_gmi(const struct net_bridge *br)
+ {
+- /* use the RFC default of 2 for QRV */
+- return 2 * br->multicast_query_interval +
+- br->multicast_query_response_interval;
++ return br->multicast_membership_interval;
+ }
+ #else
+ static inline int br_multicast_rcv(struct net_bridge *br,
diff --git a/queue-5.14/net-hns3-fix-the-max-tx-size-according-to-user-manual.patch b/queue-5.14/net-hns3-fix-the-max-tx-size-according-to-user-manual.patch
new file mode 100644
index 00000000000..3d59d0b687a
--- /dev/null
+++ b/queue-5.14/net-hns3-fix-the-max-tx-size-according-to-user-manual.patch
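Review bot: The replacement drops the only comment in br_multicast_gmi(), so the header no longer records where the GMI comes from or why it is not the RFC-derived value; suggest `/* GMI is maintained by user space like the other timers, not computed from QRV */` above the return. Whether the two query-interval fields the old expression read are still used elsewhere cannot be judged from this hunk, so no cleanup is implied here.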
@@ -0,0 +1,72 @@
+From adfb7b4966c0c4c63a791f202b8b3837b07a9ece Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin
+Date: Tue, 19 Oct 2021 22:16:31 +0800
+Subject: net: hns3: fix the max tx size according to user manual
+
+From: Yunsheng Lin
+
+commit adfb7b4966c0c4c63a791f202b8b3837b07a9ece upstream.
+
+Currently the max tx size supported by the hw is calculated by
+using the max BD num supported by the hw. According to the hw
+user manual, the max tx size is fixed value for both non-TSO and
+TSO skb.
+
+This patch updates the max tx size according to the manual.
+
+Fixes: 8ae10cfb5089("net: hns3: support tx-scatter-gather-fraglist feature")
+Signed-off-by: Yunsheng Lin
+Signed-off-by: Guangbin Huang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 7 ++-----
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 6 ++----
+ 2 files changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -1845,7 +1845,6 @@ void hns3_shinfo_pack(struct skb_shared_
+ 
+ static int hns3_skb_linearize(struct hns3_enet_ring *ring,
+ struct sk_buff *skb,
+- u8 max_non_tso_bd_num,
+ unsigned int bd_num)
+ {
+ /* 'bd_num == UINT_MAX' means the skb' fraglist has a
+@@ -1862,8 +1861,7 @@ static int hns3_skb_linearize(struct hns
+ * will not help. 
+ */
+ if (skb->len > HNS3_MAX_TSO_SIZE ||
+- (!skb_is_gso(skb) && skb->len >
+- HNS3_MAX_NON_TSO_SIZE(max_non_tso_bd_num))) {
++ (!skb_is_gso(skb) && skb->len > HNS3_MAX_NON_TSO_SIZE)) {
+ u64_stats_update_begin(&ring->syncp);
+ ring->stats.hw_limitation++;
+ u64_stats_update_end(&ring->syncp);
+@@ -1898,8 +1896,7 @@ static int hns3_nic_maybe_stop_tx(struct
+ goto out;
+ }
+ 
+- if (hns3_skb_linearize(ring, skb, max_non_tso_bd_num,
+- bd_num))
++ if (hns3_skb_linearize(ring, skb, bd_num))
+ return -ENOMEM;
+ 
+ bd_num = hns3_tx_bd_count(skb->len);
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h
+@@ -185,11 +185,9 @@ enum hns3_nic_state {
+ 
+ #define HNS3_MAX_BD_SIZE 65535
+ #define HNS3_MAX_TSO_BD_NUM 63U
+-#define HNS3_MAX_TSO_SIZE \
+- (HNS3_MAX_BD_SIZE * HNS3_MAX_TSO_BD_NUM)
++#define HNS3_MAX_TSO_SIZE 1048576U
++#define HNS3_MAX_NON_TSO_SIZE 9728U
+ 
+-#define HNS3_MAX_NON_TSO_SIZE(max_non_tso_bd_num) \
+- (HNS3_MAX_BD_SIZE * (max_non_tso_bd_num))
+ 
+ #define HNS3_VECTOR_GL0_OFFSET 0x100
+ #define HNS3_VECTOR_GL1_OFFSET 0x200
diff --git a/queue-5.14/netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch b/queue-5.14/netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch
new file mode 100644
index 00000000000..7edb4bc550d
--- /dev/null
+++ b/queue-5.14/netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch
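Review bot: `HNS3_MAX_TSO_SIZE 1048576U` and `HNS3_MAX_NON_TSO_SIZE 9728U` in hns3_enet.h are bare magic numbers whose justification (fixed limits from the hw user manual) exists only in the commit message; put it next to the defines, e.g. `/* Fixed max tx sizes from the hw user manual: 1 MiB for TSO skbs, 9728 bytes otherwise */`. The same header hunk leaves two consecutive blank lines before HNS3_VECTOR_GL0_OFFSET once the function-like macro is removed. In hns3_nic_maybe_stop_tx() the removed call was the only visible use of `max_non_tso_bd_num`; if the function (which starts outside the hunk) has no other use of it, the local is now dead and should go. Turning HNS3_MAX_NON_TSO_SIZE from a function-like into an object-like macro will break any other user still passing an argument, which a build of the backport should confirm is not the case.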
@@ -0,0 +1,30 @@
+From 77076934afdcd46516caf18ed88b2f88025c9ddb Mon Sep 17 00:00:00 2001
+From: Vegard Nossum
+Date: Tue, 5 Oct 2021 22:54:54 +0200
+Subject: netfilter: Kconfig: use 'default y' instead of 'm' for bool config option
+
+From: Vegard Nossum
+
+commit 77076934afdcd46516caf18ed88b2f88025c9ddb upstream.
+
+This option, NF_CONNTRACK_SECMARK, is a bool, so it can never be 'm'.
+
+Fixes: 33b8e77605620 ("[NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option")
+Signed-off-by: Vegard Nossum
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -109,7 +109,7 @@ config NF_CONNTRACK_MARK
+ config NF_CONNTRACK_SECMARK
+ bool 'Connection tracking security mark support'
+ depends on NETWORK_SECMARK
+- default m if NETFILTER_ADVANCED=n
++ default y if NETFILTER_ADVANCED=n
+ help
+ This option enables security markings to be applied to
+ connections. Typically they are copied to connections from
diff --git a/queue-5.14/nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch b/queue-5.14/nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch
new file mode 100644
index 00000000000..b7aa365c184
--- /dev/null
+++ b/queue-5.14/nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch
@@ -0,0 +1,34 @@
+From 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Thu, 7 Oct 2021 19:44:30 +0200
+Subject: nfc: nci: fix the UAF of rf_conn_info object
+
+From: Lin Ma
+
+commit 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 upstream.
+
+The nci_core_conn_close_rsp_packet() function will release the conn_info
+with given conn_id. However, it needs to set the rf_conn_info to NULL to
+prevent other routines like nci_rf_intf_activated_ntf_packet() to trigger
+the UAF.
+
+Reviewed-by: Krzysztof Kozlowski
+Signed-off-by: Lin Ma
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/nci/rsp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/nci/rsp.c
++++ b/net/nfc/nci/rsp.c
+@@ -330,6 +330,8 @@ static void nci_core_conn_close_rsp_pack
+ ndev->cur_conn_id);
+ if (conn_info) {
+ list_del(&conn_info->list);
++ if (conn_info == ndev->rf_conn_info)
++ ndev->rf_conn_info = NULL;
+ devm_kfree(&ndev->nfc_dev->dev, conn_info);
+ }
+ }
diff --git a/queue-5.14/selftests-netfilter-remove-stray-bash-debug-line.patch b/queue-5.14/selftests-netfilter-remove-stray-bash-debug-line.patch
new file mode 100644
index 00000000000..514bcef912d
--- /dev/null
+++ b/queue-5.14/selftests-netfilter-remove-stray-bash-debug-line.patch
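Review bot: The added NULL-ing covers the one alias the commit message names, `ndev->rf_conn_info`; whether any other field of ndev caches a pointer into the conn_info list is not visible here and would need the same treatment before the devm_kfree(). A why-comment at the new compare would tell the next reader what it protects against: `/* conn_info may be cached in ndev->rf_conn_info; drop the alias before freeing */`. nci_core_conn_close_rsp_packet() starts outside the hunk, so the lock under which other paths read rf_conn_info cannot be checked from here.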
@@ -0,0 +1,29 @@
+From 3e6ed7703dae6838c104d73d3e76e9b79f5c0528 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Tue, 12 Oct 2021 18:37:09 +0200
+Subject: selftests: netfilter: remove stray bash debug line
+
+From: Florian Westphal
+
+commit 3e6ed7703dae6838c104d73d3e76e9b79f5c0528 upstream.
+
+This should not be there.
+
+Fixes: 2de03b45236f ("selftests: netfilter: add flowtable test script")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/netfilter/nft_flowtable.sh | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/tools/testing/selftests/netfilter/nft_flowtable.sh
++++ b/tools/testing/selftests/netfilter/nft_flowtable.sh
+@@ -199,7 +199,6 @@ fi
+ # test basic connectivity
+ if ! ip netns exec ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then
+ echo "ERROR: ns1 cannot reach ns2" 1>&2
+- bash
+ exit 1
+ fi
+ 
diff --git a/queue-5.14/series b/queue-5.14/series
index 94411670022..936baea7e85 100644
--- a/queue-5.14/series
+++ b/queue-5.14/series
@@ -113,3 +113,12 @@ kvm-x86-leave-vcpu-arch.pio.count-alone-in-emulator_pio_in_out.patch
 kvm-x86-check-for-interrupts-before-deciding-whether-to-exit-the-fast-path.patch
 kvm-x86-split-the-two-parts-of-emulator_pio_in.patch
 kvm-x86-remove-unnecessary-arguments-from-complete_emulator_pio_in.patch
+nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch
+isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
+netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch
+selftests-netfilter-remove-stray-bash-debug-line.patch
+net-bridge-mcast-use-multicast_membership_interval-for-igmpv3.patch
+kvm-sev-es-set-guest_state_protected-after-vmsa-update.patch
+drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch
+net-hns3-fix-the-max-tx-size-according-to-user-manual.patch
+kvm-mmu-reset-mmu-pkru_mask-to-avoid-stale-data.patch