From: Greg Kroah-Hartman Date: Sun, 24 Oct 2021 12:12:05 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.4.290~45 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fb9328db67652a26683d8c8a08f0983843fc9c6d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch net-bridge-mcast-use-multicast_membership_interval-for-igmpv3.patch net-hns3-fix-the-max-tx-size-according-to-user-manual.patch netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch selftests-netfilter-remove-stray-bash-debug-line.patch
---
diff --git a/queue-5.10/drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch b/queue-5.10/drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch
new file mode 100644
index 00000000000..e0dc90acf0c
--- /dev/null
+++ b/queue-5.10/drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch
@@ -0,0 +1,46 @@
+From 3cfc183052c3dbf8eae57b6c1685dab00ed3db4a Mon Sep 17 00:00:00 2001
+From: Marek Vasut
+Date: Sat, 16 Oct 2021 23:04:46 +0200
+Subject: drm: mxsfb: Fix NULL pointer dereference crash on unload
+
+From: Marek Vasut
+
+commit 3cfc183052c3dbf8eae57b6c1685dab00ed3db4a upstream.
+
+The mxsfb->crtc.funcs may already be NULL when unloading the driver,
+in which case calling mxsfb_irq_disable() via drm_irq_uninstall() from
+mxsfb_unload() leads to NULL pointer dereference.
+
+Since all we care about is masking the IRQ and mxsfb->base is still
+valid, just use that to clear and mask the IRQ.
+
+Fixes: ae1ed00932819 ("drm: mxsfb: Stop using DRM simple display pipeline helper")
+Signed-off-by: Marek Vasut
+Cc: Daniel Abrecht
+Cc: Emil Velikov
+Cc: Laurent Pinchart
+Cc: Sam Ravnborg
+Cc: Stefan Agner
+Signed-off-by: Sam Ravnborg
+Link: https://patchwork.freedesktop.org/patch/msgid/20211016210446.171616-1-marex@denx.de
+Signed-off-by: Maarten Lankhorst
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/mxsfb/mxsfb_drv.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/mxsfb/mxsfb_drv.c
++++ b/drivers/gpu/drm/mxsfb/mxsfb_drv.c
+@@ -268,7 +268,11 @@ static void mxsfb_irq_disable(struct drm
+ struct mxsfb_drm_private *mxsfb = drm->dev_private;
+
+ mxsfb_enable_axi_clk(mxsfb);
+- mxsfb->crtc.funcs->disable_vblank(&mxsfb->crtc);
++
++ /* Disable and clear VBLANK IRQ */
++ writel(CTRL1_CUR_FRAME_DONE_IRQ_EN, mxsfb->base + LCDC_CTRL1 + REG_CLR);
++ writel(CTRL1_CUR_FRAME_DONE_IRQ, mxsfb->base + LCDC_CTRL1 + REG_CLR);
++
+ mxsfb_disable_axi_clk(mxsfb);
+ }
+
diff --git a/queue-5.10/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch b/queue-5.10/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
new file mode 100644
index 00000000000..b3c62a32eea
--- /dev/null
+++ b/queue-5.10/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
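Review bot: The added comment in mxsfb_irq_disable() describes what the two writel() calls do but not why the CRTC callback is bypassed, and that reason is the whole fix. I would word it as `/* crtc.funcs may already be NULL on unload; mask and ack the VBLANK IRQ through the registers directly */` so that nobody later folds this back into a `disable_vblank()` call. The register sequence presumably duplicates what the CRTC's disable_vblank callback does (that code is not visible here), so the two can drift apart; a small shared helper would avoid that. The function's signature is truncated in the hunk header and its opening brace lies outside the hunk.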
@@ -0,0 +1,64 @@
+From 1f3e2e97c003f80c4b087092b225c8787ff91e4d Mon Sep 17 00:00:00 2001
+From: Xiaolong Huang
+Date: Fri, 8 Oct 2021 14:58:30 +0800
+Subject: isdn: cpai: check ctr->cnr to avoid array index out of bound
+
+From: Xiaolong Huang
+
+commit 1f3e2e97c003f80c4b087092b225c8787ff91e4d upstream.
+
+The cmtp_add_connection() would add a cmtp session to a controller
+and run a kernel thread to process cmtp.
+
+ __module_get(THIS_MODULE);
+ session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
+ session->num);
+
+During this process, the kernel thread would call detach_capi_ctr()
+to detach a register controller. if the controller
+was not attached yet, detach_capi_ctr() would
+trigger an array-index-out-bounds bug.
+
+[ 46.866069][ T6479] UBSAN: array-index-out-of-bounds in
+drivers/isdn/capi/kcapi.c:483:21
+[ 46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]'
+[ 46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted
+5.15.0-rc2+ #8
+[ 46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX,
+1996), BIOS 1.14.0-2 04/01/2014
+[ 46.870107][ T6479] Call Trace:
+[ 46.870473][ T6479] dump_stack_lvl+0x57/0x7d
+[ 46.870974][ T6479] ubsan_epilogue+0x5/0x40
+[ 46.871458][ T6479] __ubsan_handle_out_of_bounds.cold+0x43/0x48
+[ 46.872135][ T6479] detach_capi_ctr+0x64/0xc0
+[ 46.872639][ T6479] cmtp_session+0x5c8/0x5d0
+[ 46.873131][ T6479] ? __init_waitqueue_head+0x60/0x60
+[ 46.873712][ T6479] ? cmtp_add_msgpart+0x120/0x120
+[ 46.874256][ T6479] kthread+0x147/0x170
+[ 46.874709][ T6479] ? set_kthread_struct+0x40/0x40
+[ 46.875248][ T6479] ret_from_fork+0x1f/0x30
+[ 46.875773][ T6479]
+
+Signed-off-by: Xiaolong Huang
+Acked-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20211008065830.305057-1-butterflyhuangxx@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/isdn/capi/kcapi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/isdn/capi/kcapi.c
++++ b/drivers/isdn/capi/kcapi.c
+@@ -480,6 +480,11 @@ int detach_capi_ctr(struct capi_ctr *ctr
+
+ ctr_down(ctr, CAPI_CTR_DETACHED);
+
++ if (ctr->cnr < 1 || ctr->cnr - 1 >= CAPI_MAXCONTR) {
++ err = -EINVAL;
++ goto unlock_out;
++ }
++
+ if (capi_controller[ctr->cnr - 1] != ctr) {
+ err = -EINVAL;
+ goto unlock_out;
diff --git a/queue-5.10/net-bridge-mcast-use-multicast_membership_interval-for-igmpv3.patch b/queue-5.10/net-bridge-mcast-use-multicast_membership_interval-for-igmpv3.patch
new file mode 100644
index 00000000000..a4dfac2cbcc
--- /dev/null
+++ b/queue-5.10/net-bridge-mcast-use-multicast_membership_interval-for-igmpv3.patch
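Review bot: The new range check on `ctr->cnr` sits after `ctr_down(ctr, CAPI_CTR_DETACHED)`, so a controller that was never attached still goes through ctr_down() before it is rejected. Whether ctr_down() is safe for such a controller cannot be seen from this hunk; if the call is not needed in that case, placing the check ahead of it would make validation the first thing done with the unverified index. The condition could also be written as `if (ctr->cnr < 1 || ctr->cnr > CAPI_MAXCONTR) {`, which drops the subtraction and reads directly as the valid range. A short comment such as `/* cnr is 1-based; an unattached controller would index capi_controller[] out of bounds */` would tie the check to the UBSAN report in the commit message. detach_capi_ctr() begins and ends outside the hunk.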
@@ -0,0 +1,51 @@
+From fac3cb82a54a4b7c49c932f96ef196cf5774344c Mon Sep 17 00:00:00 2001
+From: Nikolay Aleksandrov
+Date: Fri, 15 Oct 2021 12:05:46 +0300
+Subject: net: bridge: mcast: use multicast_membership_interval for IGMPv3
+
+From: Nikolay Aleksandrov
+
+commit fac3cb82a54a4b7c49c932f96ef196cf5774344c upstream.
+
+When I added IGMPv3 support I decided to follow the RFC for computing
+the GMI dynamically:
+" 8.4. Group Membership Interval
+
+ The Group Membership Interval is the amount of time that must pass
+ before a multicast router decides there are no more members of a
+ group or a particular source on a network.
+
+ This value MUST be ((the Robustness Variable) times (the Query
+ Interval)) plus (one Query Response Interval)."
+
+But that actually is inconsistent with how the bridge used to compute it
+for IGMPv2, where it was user-configurable that has a correct default value
+but it is up to user-space to maintain it. This would make it consistent
+with the other timer values which are also maintained correct by the user
+instead of being dynamically computed. It also changes back to the previous
+user-expected GMI behaviour for IGMPv3 queries which were supported before
+IGMPv3 was added. Note that to properly compute it dynamically we would
+need to add support for "Robustness Variable" which is currently missing.
+
+Reported-by: Hangbin Liu
+Fixes: 0436862e417e ("net: bridge: mcast: support for IGMPv3/MLDv2 ALLOW_NEW_SOURCES report")
+Signed-off-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_private.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -931,9 +931,7 @@ static inline unsigned long br_multicast
+
+ static inline unsigned long br_multicast_gmi(const struct net_bridge *br)
+ {
+- /* use the RFC default of 2 for QRV */
+- return 2 * br->multicast_query_interval +
+- br->multicast_query_response_interval;
++ return br->multicast_membership_interval;
+ }
+ #else
+ static inline int br_multicast_rcv(struct net_bridge *br,
diff --git a/queue-5.10/net-hns3-fix-the-max-tx-size-according-to-user-manual.patch b/queue-5.10/net-hns3-fix-the-max-tx-size-according-to-user-manual.patch
new file mode 100644
index 00000000000..2c7392a3297
--- /dev/null
+++ b/queue-5.10/net-hns3-fix-the-max-tx-size-according-to-user-manual.patch
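Review bot: br_multicast_gmi() loses its only comment and now returns a user-configured value with nothing in the code saying so. A one-line comment such as `/* user-configured GMI; not derived from the query interval and QRV */` would keep the decision explained in the commit message next to the accessor. Because the value is left to user space to maintain, a membership interval set shorter than the query interval would presumably let group entries expire between queries; whether the setter rejects such values is not visible in this hunk.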
@@ -0,0 +1,72 @@
+From adfb7b4966c0c4c63a791f202b8b3837b07a9ece Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin
+Date: Tue, 19 Oct 2021 22:16:31 +0800
+Subject: net: hns3: fix the max tx size according to user manual
+
+From: Yunsheng Lin
+
+commit adfb7b4966c0c4c63a791f202b8b3837b07a9ece upstream.
+
+Currently the max tx size supported by the hw is calculated by
+using the max BD num supported by the hw. According to the hw
+user manual, the max tx size is fixed value for both non-TSO and
+TSO skb.
+
+This patch updates the max tx size according to the manual.
+
+Fixes: 8ae10cfb5089("net: hns3: support tx-scatter-gather-fraglist feature")
+Signed-off-by: Yunsheng Lin
+Signed-off-by: Guangbin Huang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 7 ++-----
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 6 ++----
+ 2 files changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -1283,7 +1283,6 @@ void hns3_shinfo_pack(struct skb_shared_
+
+ static int hns3_skb_linearize(struct hns3_enet_ring *ring,
+ struct sk_buff *skb,
+- u8 max_non_tso_bd_num,
+ unsigned int bd_num)
+ {
+ /* 'bd_num == UINT_MAX' means the skb' fraglist has a
+@@ -1300,8 +1299,7 @@ static int hns3_skb_linearize(struct hns
+ * will not help.
+ */
+ if (skb->len > HNS3_MAX_TSO_SIZE ||
+- (!skb_is_gso(skb) && skb->len >
+- HNS3_MAX_NON_TSO_SIZE(max_non_tso_bd_num))) {
++ (!skb_is_gso(skb) && skb->len > HNS3_MAX_NON_TSO_SIZE)) {
+ u64_stats_update_begin(&ring->syncp);
+ ring->stats.hw_limitation++;
+ u64_stats_update_end(&ring->syncp);
+@@ -1336,8 +1334,7 @@ static int hns3_nic_maybe_stop_tx(struct
+ goto out;
+ }
+
+- if (hns3_skb_linearize(ring, skb, max_non_tso_bd_num,
+- bd_num))
++ if (hns3_skb_linearize(ring, skb, bd_num))
+ return -ENOMEM;
+
+ bd_num = hns3_tx_bd_count(skb->len);
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h
+@@ -170,11 +170,9 @@ enum hns3_nic_state {
+
+ #define HNS3_MAX_BD_SIZE 65535
+ #define HNS3_MAX_TSO_BD_NUM 63U
+-#define HNS3_MAX_TSO_SIZE \
+- (HNS3_MAX_BD_SIZE * HNS3_MAX_TSO_BD_NUM)
++#define HNS3_MAX_TSO_SIZE 1048576U
++#define HNS3_MAX_NON_TSO_SIZE 9728U
+
+-#define HNS3_MAX_NON_TSO_SIZE(max_non_tso_bd_num) \
+- (HNS3_MAX_BD_SIZE * (max_non_tso_bd_num))
+
+ #define HNS3_VECTOR_GL0_OFFSET 0x100
+ #define HNS3_VECTOR_GL1_OFFSET 0x200
diff --git a/queue-5.10/netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch b/queue-5.10/netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch
new file mode 100644
index 00000000000..d95847d7156
--- /dev/null
+++ b/queue-5.10/netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch
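Review bot: `HNS3_MAX_TSO_SIZE 1048576U` and `HNS3_MAX_NON_TSO_SIZE 9728U` in hns3_enet.h are bare magic numbers whose only justification lives in the commit message. A trailing comment on each, for example `#define HNS3_MAX_TSO_SIZE 1048576U /* fixed limit from the hw user manual */`, would keep the origin of the limit with the code that enforces it. The same header hunk leaves two consecutive blank lines where the old function-like macro was removed. In hns3_enet.c, `max_non_tso_bd_num` is no longer passed to hns3_skb_linearize(); whether hns3_nic_maybe_stop_tx() still needs the variable cannot be judged here because most of that function lies outside the hunk.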
@@ -0,0 +1,30 @@
+From 77076934afdcd46516caf18ed88b2f88025c9ddb Mon Sep 17 00:00:00 2001
+From: Vegard Nossum
+Date: Tue, 5 Oct 2021 22:54:54 +0200
+Subject: netfilter: Kconfig: use 'default y' instead of 'm' for bool config option
+
+From: Vegard Nossum
+
+commit 77076934afdcd46516caf18ed88b2f88025c9ddb upstream.
+
+This option, NF_CONNTRACK_SECMARK, is a bool, so it can never be 'm'.
+
+Fixes: 33b8e77605620 ("[NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option")
+Signed-off-by: Vegard Nossum
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -94,7 +94,7 @@ config NF_CONNTRACK_MARK
+ config NF_CONNTRACK_SECMARK
+ bool 'Connection tracking security mark support'
+ depends on NETWORK_SECMARK
+- default m if NETFILTER_ADVANCED=n
++ default y if NETFILTER_ADVANCED=n
+ help
+ This option enables security markings to be applied to
+ connections. Typically they are copied to connections from
diff --git a/queue-5.10/nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch b/queue-5.10/nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch
new file mode 100644
index 00000000000..2a2545aa4a8
--- /dev/null
+++ b/queue-5.10/nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch
@@ -0,0 +1,34 @@
+From 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Thu, 7 Oct 2021 19:44:30 +0200
+Subject: nfc: nci: fix the UAF of rf_conn_info object
+
+From: Lin Ma
+
+commit 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 upstream.
+
+The nci_core_conn_close_rsp_packet() function will release the conn_info
+with given conn_id. However, it needs to set the rf_conn_info to NULL to
+prevent other routines like nci_rf_intf_activated_ntf_packet() to trigger
+the UAF.
+
+Reviewed-by: Krzysztof Kozlowski
+Signed-off-by: Lin Ma
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/nci/rsp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/nci/rsp.c
++++ b/net/nfc/nci/rsp.c
+@@ -277,6 +277,8 @@ static void nci_core_conn_close_rsp_pack
+ ndev->cur_conn_id);
+ if (conn_info) {
+ list_del(&conn_info->list);
++ if (conn_info == ndev->rf_conn_info)
++ ndev->rf_conn_info = NULL;
+ devm_kfree(&ndev->nfc_dev->dev, conn_info);
+ }
+ }
diff --git a/queue-5.10/selftests-netfilter-remove-stray-bash-debug-line.patch b/queue-5.10/selftests-netfilter-remove-stray-bash-debug-line.patch
new file mode 100644
index 00000000000..514bcef912d
--- /dev/null
+++ b/queue-5.10/selftests-netfilter-remove-stray-bash-debug-line.patch
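Review bot: The fix clears `ndev->rf_conn_info` only, so any other cached pointer to the same conn_info would still dangle after `devm_kfree()`; none is visible in this hunk, but the device's other fields that can alias a list entry deserve the same check. The two added lines carry no explanation, and a comment such as `/* rf_conn_info may alias this entry; clear it before the free */` would record why the comparison is there. The compare-and-clear is also only sufficient if handlers such as nci_rf_intf_activated_ntf_packet() cannot run concurrently with this response handler, which cannot be confirmed from the lines shown. nci_core_conn_close_rsp_packet() starts outside the hunk.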
@@ -0,0 +1,29 @@
+From 3e6ed7703dae6838c104d73d3e76e9b79f5c0528 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Tue, 12 Oct 2021 18:37:09 +0200
+Subject: selftests: netfilter: remove stray bash debug line
+
+From: Florian Westphal
+
+commit 3e6ed7703dae6838c104d73d3e76e9b79f5c0528 upstream.
+
+This should not be there.
+
+Fixes: 2de03b45236f ("selftests: netfilter: add flowtable test script")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/netfilter/nft_flowtable.sh | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/tools/testing/selftests/netfilter/nft_flowtable.sh
++++ b/tools/testing/selftests/netfilter/nft_flowtable.sh
+@@ -199,7 +199,6 @@ fi
+ # test basic connectivity
+ if ! ip netns exec ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then
+ echo "ERROR: ns1 cannot reach ns2" 1>&2
+- bash
+ exit 1
+ fi
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 8db481299d5..1554a1657c7 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -60,3 +60,10 @@ mm-slub-fix-mismatch-between-reconstructed-freelist-depth-and-cnt.patch
 mm-slub-fix-potential-memoryleak-in-kmem_cache_open.patch
 mm-slub-fix-incorrect-memcg-slab-count-for-bulk-free.patch
 kvm-nvmx-promptly-process-interrupts-delivered-while-in-guest-mode.patch
+nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch
+isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
+netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch
+selftests-netfilter-remove-stray-bash-debug-line.patch
+net-bridge-mcast-use-multicast_membership_interval-for-igmpv3.patch
+drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch
+net-hns3-fix-the-max-tx-size-according-to-user-manual.patch