From 04837cf4e861532f56d898f98f01becb99975c45 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 15 Dec 2023 22:36:37 -0500 Subject: [PATCH] Fixes for 4.14 Signed-off-by: Sasha Levin --- ...lk-fix-use-after-free-in-atalk_ioctl.patch | 55 +++++++++ ...m-fix-use-after-free-in-do_vcc_ioctl.patch | 55 +++++++++ ...x-potential-deadlock-on-cli_queue_lo.patch | 55 +++++++++ ...x-potential-deadlock-on-tx_queue_loc.patch | 61 ++++++++++ ...-syn-flag-from-packet-in-the-transmi.patch | 111 ++++++++++++++++++ ...ose-fix-use-after-free-in-rose_ioctl.patch | 48 ++++++++ ...ebug-fix-ethtool-g-iface-tx-behavior.patch | 80 +++++++++++++ ...bug-prevent-crash-on-tx-ring-changes.patch | 86 ++++++++++++++ queue-4.14/qca_spi-fix-reset-behavior.patch | 51 ++++++++ ...ial-use-after-free-in-qed_cxt_tables.patch | 41 +++++++ queue-4.14/series | 12 ++ ...le-fix-incorrect-return-values-check.patch | 79 +++++++++++++ ...-unsigned-integer-wrap-around-in-vir.patch | 41 +++++++ 13 files changed, 775 insertions(+) create mode 100644 queue-4.14/appletalk-fix-use-after-free-in-atalk_ioctl.patch create mode 100644 queue-4.14/atm-fix-use-after-free-in-do_vcc_ioctl.patch create mode 100644 queue-4.14/atm-solos-pci-fix-potential-deadlock-on-cli_queue_lo.patch create mode 100644 queue-4.14/atm-solos-pci-fix-potential-deadlock-on-tx_queue_loc.patch create mode 100644 queue-4.14/net-remove-acked-syn-flag-from-packet-in-the-transmi.patch create mode 100644 queue-4.14/net-rose-fix-use-after-free-in-rose_ioctl.patch create mode 100644 queue-4.14/qca_debug-fix-ethtool-g-iface-tx-behavior.patch create mode 100644 queue-4.14/qca_debug-prevent-crash-on-tx-ring-changes.patch create mode 100644 queue-4.14/qca_spi-fix-reset-behavior.patch create mode 100644 queue-4.14/qed-fix-a-potential-use-after-free-in-qed_cxt_tables.patch create mode 100644 queue-4.14/series create mode 100644 queue-4.14/sign-file-fix-incorrect-return-values-check.patch create mode 100644 queue-4.14/vsock-virtio-fix-unsigned-integer-wrap-around-in-vir.patch diff --git a/queue-4.14/appletalk-fix-use-after-free-in-atalk_ioctl.patch b/queue-4.14/appletalk-fix-use-after-free-in-atalk_ioctl.patch new file mode 100644 index 00000000000..edd75d7168c --- /dev/null +++ b/queue-4.14/appletalk-fix-use-after-free-in-atalk_ioctl.patch @@ -0,0 +1,55 @@ +From 861f059bdfa882ab509d364e8eb4d34abead3ff0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 23:10:56 -0500 +Subject: appletalk: Fix Use-After-Free in atalk_ioctl + +From: Hyunwoo Kim + +[ Upstream commit 189ff16722ee36ced4d2a2469d4ab65a8fee4198 ] + +Because atalk_ioctl() accesses sk->sk_receive_queue +without holding a sk->sk_receive_queue.lock, it can +cause a race with atalk_recvmsg(). +A use-after-free for skb occurs with the following flow. +``` +atalk_ioctl() -> skb_peek() +atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram() +``` +Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Link: https://lore.kernel.org/r/20231213041056.GA519680@v4bel-B760M-AORUS-ELITE-AX +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/appletalk/ddp.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c +index 36a67e62710ce..4bb3561b03678 100644 +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1810,15 +1810,14 @@ static int atalk_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) + break; + } + case TIOCINQ: { +- /* +- * These two are safe on a single CPU system as only +- * user tasks fiddle here +- */ +- struct sk_buff *skb = skb_peek(&sk->sk_receive_queue); ++ struct sk_buff *skb; + long amount = 0; + ++ spin_lock_irq(&sk->sk_receive_queue.lock); ++ skb = skb_peek(&sk->sk_receive_queue); + if (skb) + amount = skb->len - sizeof(struct ddpehdr); ++ spin_unlock_irq(&sk->sk_receive_queue.lock); + rc = put_user(amount, (int __user *)argp); + break; + } +-- +2.43.0 + diff --git a/queue-4.14/atm-fix-use-after-free-in-do_vcc_ioctl.patch b/queue-4.14/atm-fix-use-after-free-in-do_vcc_ioctl.patch new file mode 100644 index 00000000000..e303f96f95e --- /dev/null +++ b/queue-4.14/atm-fix-use-after-free-in-do_vcc_ioctl.patch @@ -0,0 +1,55 @@ +From 381b157abea304ce9b9837427f66335f896c83e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Dec 2023 04:42:10 -0500 +Subject: atm: Fix Use-After-Free in do_vcc_ioctl + +From: Hyunwoo Kim + +[ Upstream commit 24e90b9e34f9e039f56b5f25f6e6eb92cdd8f4b3 ] + +Because do_vcc_ioctl() accesses sk->sk_receive_queue +without holding a sk->sk_receive_queue.lock, it can +cause a race with vcc_recvmsg(). +A use-after-free for skb occurs with the following flow. +``` +do_vcc_ioctl() -> skb_peek() +vcc_recvmsg() -> skb_recv_datagram() -> skb_free_datagram() +``` +Add sk->sk_receive_queue.lock to do_vcc_ioctl() to fix this issue. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Link: https://lore.kernel.org/r/20231209094210.GA403126@v4bel-B760M-AORUS-ELITE-AX +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/atm/ioctl.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/atm/ioctl.c b/net/atm/ioctl.c +index 2ff0e5e470e3d..38f7f164e4848 100644 +--- a/net/atm/ioctl.c ++++ b/net/atm/ioctl.c +@@ -71,14 +71,17 @@ static int do_vcc_ioctl(struct socket *sock, unsigned int cmd, + case SIOCINQ: + { + struct sk_buff *skb; ++ int amount; + + if (sock->state != SS_CONNECTED) { + error = -EINVAL; + goto done; + } ++ spin_lock_irq(&sk->sk_receive_queue.lock); + skb = skb_peek(&sk->sk_receive_queue); +- error = put_user(skb ? skb->len : 0, +- (int __user *)argp) ? -EFAULT : 0; ++ amount = skb ? skb->len : 0; ++ spin_unlock_irq(&sk->sk_receive_queue.lock); ++ error = put_user(amount, (int __user *)argp) ? -EFAULT : 0; + goto done; + } + case SIOCGSTAMP: /* borrowed from IP */ +-- +2.43.0 + diff --git a/queue-4.14/atm-solos-pci-fix-potential-deadlock-on-cli_queue_lo.patch b/queue-4.14/atm-solos-pci-fix-potential-deadlock-on-cli_queue_lo.patch new file mode 100644 index 00000000000..960d36e7586 --- /dev/null +++ b/queue-4.14/atm-solos-pci-fix-potential-deadlock-on-cli_queue_lo.patch @@ -0,0 +1,55 @@ +From 5f27af931e2025dd2072ee33bf974f4c9de3118b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Dec 2023 12:34:37 +0000 +Subject: atm: solos-pci: Fix potential deadlock on &cli_queue_lock + +From: Chengfeng Ye + +[ Upstream commit d5dba32b8f6cb39be708b726044ba30dbc088b30 ] + +As &card->cli_queue_lock is acquired under softirq context along the +following call chain from solos_bh(), other acquisition of the same +lock inside process context should disable at least bh to avoid double +lock. + + +console_show() +--> spin_lock(&card->cli_queue_lock) + + --> solos_bh() + --> spin_lock(&card->cli_queue_lock) + +This flaw was found by an experimental static analysis tool I am +developing for irq-related deadlock. + +To prevent the potential deadlock, the patch uses spin_lock_bh() +on the card->cli_queue_lock under process context code consistently +to prevent the possible deadlock scenario. + +Fixes: 9c54004ea717 ("atm: Driver for Solos PCI ADSL2+ card.") +Signed-off-by: Chengfeng Ye +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/solos-pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/atm/solos-pci.c b/drivers/atm/solos-pci.c +index 0df1a1c80b001..3a115c7f224fb 100644 +--- a/drivers/atm/solos-pci.c ++++ b/drivers/atm/solos-pci.c +@@ -458,9 +458,9 @@ static ssize_t console_show(struct device *dev, struct device_attribute *attr, + struct sk_buff *skb; + unsigned int len; + +- spin_lock(&card->cli_queue_lock); ++ spin_lock_bh(&card->cli_queue_lock); + skb = skb_dequeue(&card->cli_queue[SOLOS_CHAN(atmdev)]); +- spin_unlock(&card->cli_queue_lock); ++ spin_unlock_bh(&card->cli_queue_lock); + if(skb == NULL) + return sprintf(buf, "No data.\n"); + +-- +2.43.0 + diff --git a/queue-4.14/atm-solos-pci-fix-potential-deadlock-on-tx_queue_loc.patch b/queue-4.14/atm-solos-pci-fix-potential-deadlock-on-tx_queue_loc.patch new file mode 100644 index 00000000000..2667273d678 --- /dev/null +++ b/queue-4.14/atm-solos-pci-fix-potential-deadlock-on-tx_queue_loc.patch @@ -0,0 +1,61 @@ +From 506ffee3b36c8987083aa69a0155c2a9076ca7a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Dec 2023 12:34:53 +0000 +Subject: atm: solos-pci: Fix potential deadlock on &tx_queue_lock + +From: Chengfeng Ye + +[ Upstream commit 15319a4e8ee4b098118591c6ccbd17237f841613 ] + +As &card->tx_queue_lock is acquired under softirq context along the +following call chain from solos_bh(), other acquisition of the same +lock inside process context should disable at least bh to avoid double +lock. + + +pclose() +--> spin_lock(&card->tx_queue_lock) + + --> solos_bh() + --> fpga_tx() + --> spin_lock(&card->tx_queue_lock) + +This flaw was found by an experimental static analysis tool I am +developing for irq-related deadlock. + +To prevent the potential deadlock, the patch uses spin_lock_bh() +on &card->tx_queue_lock under process context code consistently to +prevent the possible deadlock scenario. + +Fixes: 213e85d38912 ("solos-pci: clean up pclose() function") +Signed-off-by: Chengfeng Ye +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/solos-pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/atm/solos-pci.c b/drivers/atm/solos-pci.c +index 3a115c7f224fb..07a136cc20ab5 100644 +--- a/drivers/atm/solos-pci.c ++++ b/drivers/atm/solos-pci.c +@@ -968,14 +968,14 @@ static void pclose(struct atm_vcc *vcc) + struct pkt_hdr *header; + + /* Remove any yet-to-be-transmitted packets from the pending queue */ +- spin_lock(&card->tx_queue_lock); ++ spin_lock_bh(&card->tx_queue_lock); + skb_queue_walk_safe(&card->tx_queue[port], skb, tmpskb) { + if (SKB_CB(skb)->vcc == vcc) { + skb_unlink(skb, &card->tx_queue[port]); + solos_pop(vcc, skb); + } + } +- spin_unlock(&card->tx_queue_lock); ++ spin_unlock_bh(&card->tx_queue_lock); + + skb = alloc_skb(sizeof(*header), GFP_KERNEL); + if (!skb) { +-- +2.43.0 + diff --git a/queue-4.14/net-remove-acked-syn-flag-from-packet-in-the-transmi.patch b/queue-4.14/net-remove-acked-syn-flag-from-packet-in-the-transmi.patch new file mode 100644 index 00000000000..a90264d99bc --- /dev/null +++ b/queue-4.14/net-remove-acked-syn-flag-from-packet-in-the-transmi.patch @@ -0,0 +1,111 @@ +From 0b224a5f9d1286e90963b24ded2a83cc448da438 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Dec 2023 10:02:00 +0800 +Subject: net: Remove acked SYN flag from packet in the transmit queue + correctly + +From: Dong Chenchen + +[ Upstream commit f99cd56230f56c8b6b33713c5be4da5d6766be1f ] + +syzkaller report: + + kernel BUG at net/core/skbuff.c:3452! + invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc4-00009-gbee0e7762ad2-dirty #135 + RIP: 0010:skb_copy_and_csum_bits (net/core/skbuff.c:3452) + Call Trace: + icmp_glue_bits (net/ipv4/icmp.c:357) + __ip_append_data.isra.0 (net/ipv4/ip_output.c:1165) + ip_append_data (net/ipv4/ip_output.c:1362 net/ipv4/ip_output.c:1341) + icmp_push_reply (net/ipv4/icmp.c:370) + __icmp_send (./include/net/route.h:252 net/ipv4/icmp.c:772) + ip_fragment.constprop.0 (./include/linux/skbuff.h:1234 net/ipv4/ip_output.c:592 net/ipv4/ip_output.c:577) + __ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:295) + ip_output (net/ipv4/ip_output.c:427) + __ip_queue_xmit (net/ipv4/ip_output.c:535) + __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) + __tcp_retransmit_skb (net/ipv4/tcp_output.c:3387) + tcp_retransmit_skb (net/ipv4/tcp_output.c:3404) + tcp_retransmit_timer (net/ipv4/tcp_timer.c:604) + tcp_write_timer (./include/linux/spinlock.h:391 net/ipv4/tcp_timer.c:716) + +The panic issue was trigered by tcp simultaneous initiation. +The initiation process is as follows: + + TCP A TCP B + + 1. CLOSED CLOSED + + 2. SYN-SENT --> ... + + 3. SYN-RECEIVED <-- <-- SYN-SENT + + 4. ... --> SYN-RECEIVED + + 5. SYN-RECEIVED --> ... + + // TCP B: not send challenge ack for ack limit or packet loss + // TCP A: close + tcp_close + tcp_send_fin + if (!tskb && tcp_under_memory_pressure(sk)) + tskb = skb_rb_last(&sk->tcp_rtx_queue); //pick SYN_ACK packet + TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN; // set FIN flag + + 6. FIN_WAIT_1 --> ... + + // TCP B: send challenge ack to SYN_FIN_ACK + + 7. ... <-- SYN-RECEIVED //challenge ack + + // TCP A: + + 8. FIN_WAIT_1 --> ... // retransmit panic + + __tcp_retransmit_skb //skb->len=0 + tcp_trim_head + len = tp->snd_una - TCP_SKB_CB(skb)->seq // len=101-100 + __pskb_trim_head + skb->data_len -= len // skb->len=-1, wrap around + ... ... + ip_fragment + icmp_glue_bits //BUG_ON + +If we use tcp_trim_head() to remove acked SYN from packet that contains data +or other flags, skb->len will be incorrectly decremented. We can remove SYN +flag that has been acked from rtx_queue earlier than tcp_trim_head(), which +can fix the problem mentioned above. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Eric Dumazet +Signed-off-by: Eric Dumazet +Signed-off-by: Dong Chenchen +Link: https://lore.kernel.org/r/20231210020200.1539875-1-dongchenchen2@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_output.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 67636017f275a..2a07a167124c4 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2883,7 +2883,13 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs) + if (skb_still_in_host_queue(sk, skb)) + return -EBUSY; + ++start: + if (before(TCP_SKB_CB(skb)->seq, tp->snd_una)) { ++ if (unlikely(TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)) { ++ TCP_SKB_CB(skb)->tcp_flags &= ~TCPHDR_SYN; ++ TCP_SKB_CB(skb)->seq++; ++ goto start; ++ } + if (unlikely(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))) { + WARN_ON_ONCE(1); + return -EINVAL; +-- +2.43.0 + diff --git a/queue-4.14/net-rose-fix-use-after-free-in-rose_ioctl.patch b/queue-4.14/net-rose-fix-use-after-free-in-rose_ioctl.patch new file mode 100644 index 00000000000..b1dd6ddb967 --- /dev/null +++ b/queue-4.14/net-rose-fix-use-after-free-in-rose_ioctl.patch @@ -0,0 +1,48 @@ +From 508918b6ded6045d9095076e392d84e9690f6e1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Dec 2023 05:05:38 -0500 +Subject: net/rose: Fix Use-After-Free in rose_ioctl + +From: Hyunwoo Kim + +[ Upstream commit 810c38a369a0a0ce625b5c12169abce1dd9ccd53 ] + +Because rose_ioctl() accesses sk->sk_receive_queue +without holding a sk->sk_receive_queue.lock, it can +cause a race with rose_accept(). +A use-after-free for skb occurs with the following flow. +``` +rose_ioctl() -> skb_peek() +rose_accept() -> skb_dequeue() -> kfree_skb() +``` +Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Link: https://lore.kernel.org/r/20231209100538.GA407321@v4bel-B760M-AORUS-ELITE-AX +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index ac2ea4ebf7c7c..04e5e01002ae0 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -1309,9 +1309,11 @@ static int rose_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) + case TIOCINQ: { + struct sk_buff *skb; + long amount = 0L; +- /* These two are safe on a single CPU system as only user tasks fiddle here */ ++ ++ spin_lock_irq(&sk->sk_receive_queue.lock); + if ((skb = skb_peek(&sk->sk_receive_queue)) != NULL) + amount = skb->len; ++ spin_unlock_irq(&sk->sk_receive_queue.lock); + return put_user(amount, (unsigned int __user *) argp); + } + +-- +2.43.0 + diff --git a/queue-4.14/qca_debug-fix-ethtool-g-iface-tx-behavior.patch b/queue-4.14/qca_debug-fix-ethtool-g-iface-tx-behavior.patch new file mode 100644 index 00000000000..d591a0e836a --- /dev/null +++ b/queue-4.14/qca_debug-fix-ethtool-g-iface-tx-behavior.patch @@ -0,0 +1,80 @@ +From c52715189f116238b946915b3d56e1a1dd145f38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 15:12:21 +0100 +Subject: qca_debug: Fix ethtool -G iface tx behavior + +From: Stefan Wahren + +[ Upstream commit 96a7e861d9e04d07febd3011c30cd84cd141d81f ] + +After calling ethtool -g it was not possible to adjust the TX ring +size again: + + # ethtool -g eth1 + Ring parameters for eth1: + Pre-set maximums: + RX: 4 + RX Mini: n/a + RX Jumbo: n/a + TX: 10 + Current hardware settings: + RX: 4 + RX Mini: n/a + RX Jumbo: n/a + TX: 10 + # ethtool -G eth1 tx 8 + netlink error: Invalid argument + +The reason for this is that the readonly setting rx_pending get +initialized and after that the range check in qcaspi_set_ringparam() +fails regardless of the provided parameter. So fix this by accepting +the exposed RX defaults. Instead of adding another magic number +better use a new define here. + +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Suggested-by: Paolo Abeni +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20231206141222.52029-3-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_debug.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_debug.c b/drivers/net/ethernet/qualcomm/qca_debug.c +index 858c39cdae08a..acb60721991d8 100644 +--- a/drivers/net/ethernet/qualcomm/qca_debug.c ++++ b/drivers/net/ethernet/qualcomm/qca_debug.c +@@ -30,6 +30,8 @@ + + #define QCASPI_MAX_REGS 0x20 + ++#define QCASPI_RX_MAX_FRAMES 4 ++ + static const u16 qcaspi_spi_regs[] = { + SPI_REG_BFR_SIZE, + SPI_REG_WRBUF_SPC_AVA, +@@ -266,9 +268,9 @@ qcaspi_get_ringparam(struct net_device *dev, struct ethtool_ringparam *ring) + { + struct qcaspi *qca = netdev_priv(dev); + +- ring->rx_max_pending = 4; ++ ring->rx_max_pending = QCASPI_RX_MAX_FRAMES; + ring->tx_max_pending = TX_RING_MAX_LEN; +- ring->rx_pending = 4; ++ ring->rx_pending = QCASPI_RX_MAX_FRAMES; + ring->tx_pending = qca->txr.count; + } + +@@ -277,7 +279,7 @@ qcaspi_set_ringparam(struct net_device *dev, struct ethtool_ringparam *ring) + { + struct qcaspi *qca = netdev_priv(dev); + +- if ((ring->rx_pending) || ++ if (ring->rx_pending != QCASPI_RX_MAX_FRAMES || + (ring->rx_mini_pending) || + (ring->rx_jumbo_pending)) + return -EINVAL; +-- +2.43.0 + diff --git a/queue-4.14/qca_debug-prevent-crash-on-tx-ring-changes.patch b/queue-4.14/qca_debug-prevent-crash-on-tx-ring-changes.patch new file mode 100644 index 00000000000..50998616d12 --- /dev/null +++ b/queue-4.14/qca_debug-prevent-crash-on-tx-ring-changes.patch @@ -0,0 +1,86 @@ +From 7afd2295c6709f4591430544492f4851e58110d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 15:12:20 +0100 +Subject: qca_debug: Prevent crash on TX ring changes + +From: Stefan Wahren + +[ Upstream commit f4e6064c97c050bd9904925ff7d53d0c9954fc7b ] + +The qca_spi driver stop and restart the SPI kernel thread +(via ndo_stop & ndo_open) in case of TX ring changes. This is +a big issue because it allows userspace to prevent restart of +the SPI kernel thread (via signals). A subsequent change of +TX ring wrongly assume a valid spi_thread pointer which result +in a crash. + +So prevent this by stopping the network traffic handling and +temporary park the SPI thread. + +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20231206141222.52029-2-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_debug.c | 9 ++++----- + drivers/net/ethernet/qualcomm/qca_spi.c | 12 ++++++++++++ + 2 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_debug.c b/drivers/net/ethernet/qualcomm/qca_debug.c +index 92b6be9c44296..858c39cdae08a 100644 +--- a/drivers/net/ethernet/qualcomm/qca_debug.c ++++ b/drivers/net/ethernet/qualcomm/qca_debug.c +@@ -275,7 +275,6 @@ qcaspi_get_ringparam(struct net_device *dev, struct ethtool_ringparam *ring) + static int + qcaspi_set_ringparam(struct net_device *dev, struct ethtool_ringparam *ring) + { +- const struct net_device_ops *ops = dev->netdev_ops; + struct qcaspi *qca = netdev_priv(dev); + + if ((ring->rx_pending) || +@@ -283,14 +282,14 @@ qcaspi_set_ringparam(struct net_device *dev, struct ethtool_ringparam *ring) + (ring->rx_jumbo_pending)) + return -EINVAL; + +- if (netif_running(dev)) +- ops->ndo_stop(dev); ++ if (qca->spi_thread) ++ kthread_park(qca->spi_thread); + + qca->txr.count = max_t(u32, ring->tx_pending, TX_RING_MIN_LEN); + qca->txr.count = min_t(u16, qca->txr.count, TX_RING_MAX_LEN); + +- if (netif_running(dev)) +- ops->ndo_open(dev); ++ if (qca->spi_thread) ++ kthread_unpark(qca->spi_thread); + + return 0; + } +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 0c454eeb3bd8e..4142554dc29e3 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -552,6 +552,18 @@ qcaspi_spi_thread(void *data) + netdev_info(qca->net_dev, "SPI thread created\n"); + while (!kthread_should_stop()) { + set_current_state(TASK_INTERRUPTIBLE); ++ if (kthread_should_park()) { ++ netif_tx_disable(qca->net_dev); ++ netif_carrier_off(qca->net_dev); ++ qcaspi_flush_tx_ring(qca); ++ kthread_parkme(); ++ if (qca->sync == QCASPI_SYNC_READY) { ++ netif_carrier_on(qca->net_dev); ++ netif_wake_queue(qca->net_dev); ++ } ++ continue; ++ } ++ + if ((qca->intr_req == qca->intr_svc) && + !qca->txr.skb[qca->txr.head]) + schedule(); +-- +2.43.0 + diff --git a/queue-4.14/qca_spi-fix-reset-behavior.patch b/queue-4.14/qca_spi-fix-reset-behavior.patch new file mode 100644 index 00000000000..2d7a7168654 --- /dev/null +++ b/queue-4.14/qca_spi-fix-reset-behavior.patch @@ -0,0 +1,51 @@ +From de6aaa95a992f6b60baff7292f09f0fdcab270ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 15:12:22 +0100 +Subject: qca_spi: Fix reset behavior + +From: Stefan Wahren + +[ Upstream commit 1057812d146dd658c9a9a96d869c2551150207b5 ] + +In case of a reset triggered by the QCA7000 itself, the behavior of the +qca_spi driver was not quite correct: +- in case of a pending RX frame decoding the drop counter must be + incremented and decoding state machine reseted +- also the reset counter must always be incremented regardless of sync + state + +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20231206141222.52029-4-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 4142554dc29e3..201da9fba72a6 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -592,11 +592,17 @@ qcaspi_spi_thread(void *data) + if (intr_cause & SPI_INT_CPU_ON) { + qcaspi_qca7k_sync(qca, QCASPI_EVENT_CPUON); + ++ /* Frame decoding in progress */ ++ if (qca->frm_handle.state != qca->frm_handle.init) ++ qca->net_dev->stats.rx_dropped++; ++ ++ qcafrm_fsm_init_spi(&qca->frm_handle); ++ qca->stats.device_reset++; ++ + /* not synced. */ + if (qca->sync != QCASPI_SYNC_READY) + continue; + +- qca->stats.device_reset++; + netif_wake_queue(qca->net_dev); + netif_carrier_on(qca->net_dev); + } +-- +2.43.0 + diff --git a/queue-4.14/qed-fix-a-potential-use-after-free-in-qed_cxt_tables.patch b/queue-4.14/qed-fix-a-potential-use-after-free-in-qed_cxt_tables.patch new file mode 100644 index 00000000000..ee11b200707 --- /dev/null +++ b/queue-4.14/qed-fix-a-potential-use-after-free-in-qed_cxt_tables.patch @@ -0,0 +1,41 @@ +From 909155cf2efe136e5fddc282a16a913c4b1a87e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Dec 2023 12:52:55 +0800 +Subject: qed: Fix a potential use-after-free in qed_cxt_tables_alloc + +From: Dinghao Liu + +[ Upstream commit b65d52ac9c085c0c52dee012a210d4e2f352611b ] + +qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to +free p_hwfn->p_cxt_mngr->ilt_shadow on error. However, +qed_cxt_tables_alloc() accesses the freed pointer on failure +of qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(), +which may lead to use-after-free. Fix this issue by setting +p_mngr->ilt_shadow to NULL in qed_ilt_shadow_free(). + +Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support") +Reviewed-by: Przemek Kitszel +Signed-off-by: Dinghao Liu +Link: https://lore.kernel.org/r/20231210045255.21383-1-dinghao.liu@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_cxt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c +index 4fc3468f6f38b..6e8f894dcc13e 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c +@@ -1024,6 +1024,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn) + p_dma->p_virt = NULL; + } + kfree(p_mngr->ilt_shadow); ++ p_mngr->ilt_shadow = NULL; + } + + static int qed_ilt_blk_alloc(struct qed_hwfn *p_hwfn, +-- +2.43.0 + diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..e2b38d6be1b --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,12 @@ +qca_debug-prevent-crash-on-tx-ring-changes.patch +qca_debug-fix-ethtool-g-iface-tx-behavior.patch +qca_spi-fix-reset-behavior.patch +atm-solos-pci-fix-potential-deadlock-on-cli_queue_lo.patch +atm-solos-pci-fix-potential-deadlock-on-tx_queue_loc.patch +atm-fix-use-after-free-in-do_vcc_ioctl.patch +net-rose-fix-use-after-free-in-rose_ioctl.patch +qed-fix-a-potential-use-after-free-in-qed_cxt_tables.patch +net-remove-acked-syn-flag-from-packet-in-the-transmi.patch +sign-file-fix-incorrect-return-values-check.patch +vsock-virtio-fix-unsigned-integer-wrap-around-in-vir.patch +appletalk-fix-use-after-free-in-atalk_ioctl.patch diff --git a/queue-4.14/sign-file-fix-incorrect-return-values-check.patch b/queue-4.14/sign-file-fix-incorrect-return-values-check.patch new file mode 100644 index 00000000000..3a327a06d23 --- /dev/null +++ b/queue-4.14/sign-file-fix-incorrect-return-values-check.patch @@ -0,0 +1,79 @@ +From edc956081f67e6865439f225cad0fc7567cd61a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 10:31:10 +0000 +Subject: sign-file: Fix incorrect return values check + +From: Yusong Gao + +[ Upstream commit 829649443e78d85db0cff0c37cadb28fbb1a5f6f ] + +There are some wrong return values check in sign-file when call OpenSSL +API. The ERR() check cond is wrong because of the program only check the +return value is < 0 which ignored the return val is 0. For example: +1. CMS_final() return 1 for success or 0 for failure. +2. i2d_CMS_bio_stream() returns 1 for success or 0 for failure. +3. i2d_TYPEbio() return 1 for success and 0 for failure. +4. BIO_free() return 1 for success and 0 for failure. + +Link: https://www.openssl.org/docs/manmaster/man3/ +Fixes: e5a2e3c84782 ("scripts/sign-file.c: Add support for signing with a raw signature") +Signed-off-by: Yusong Gao +Reviewed-by: Juerg Haefliger +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20231213024405.624692-1-a869920004@gmail.com/ # v5 +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + scripts/sign-file.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/scripts/sign-file.c b/scripts/sign-file.c +index 7434e9ea926e2..12acc70e5a7a5 100644 +--- a/scripts/sign-file.c ++++ b/scripts/sign-file.c +@@ -322,7 +322,7 @@ int main(int argc, char **argv) + CMS_NOSMIMECAP | use_keyid | + use_signed_attrs), + "CMS_add1_signer"); +- ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0, ++ ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) != 1, + "CMS_final"); + + #else +@@ -341,10 +341,10 @@ int main(int argc, char **argv) + b = BIO_new_file(sig_file_name, "wb"); + ERR(!b, "%s", sig_file_name); + #ifndef USE_PKCS7 +- ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0, ++ ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) != 1, + "%s", sig_file_name); + #else +- ERR(i2d_PKCS7_bio(b, pkcs7) < 0, ++ ERR(i2d_PKCS7_bio(b, pkcs7) != 1, + "%s", sig_file_name); + #endif + BIO_free(b); +@@ -374,9 +374,9 @@ int main(int argc, char **argv) + + if (!raw_sig) { + #ifndef USE_PKCS7 +- ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name); ++ ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) != 1, "%s", dest_name); + #else +- ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name); ++ ERR(i2d_PKCS7_bio(bd, pkcs7) != 1, "%s", dest_name); + #endif + } else { + BIO *b; +@@ -396,7 +396,7 @@ int main(int argc, char **argv) + ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name); + ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name); + +- ERR(BIO_free(bd) < 0, "%s", dest_name); ++ ERR(BIO_free(bd) != 1, "%s", dest_name); + + /* Finally, if we're signing in place, replace the original. */ + if (replace_orig) +-- +2.43.0 + diff --git a/queue-4.14/vsock-virtio-fix-unsigned-integer-wrap-around-in-vir.patch b/queue-4.14/vsock-virtio-fix-unsigned-integer-wrap-around-in-vir.patch new file mode 100644 index 00000000000..d8a586a7cc9 --- /dev/null +++ b/queue-4.14/vsock-virtio-fix-unsigned-integer-wrap-around-in-vir.patch @@ -0,0 +1,41 @@ +From c9d6b3c6fc16096ab2a4942e33b57380d1b606d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 19:23:17 +0300 +Subject: vsock/virtio: Fix unsigned integer wrap around in + virtio_transport_has_space() + +From: Nikolay Kuratov + +[ Upstream commit 60316d7f10b17a7ebb1ead0642fee8710e1560e0 ] + +We need to do signed arithmetic if we expect condition +`if (bytes < 0)` to be possible + +Found by Linux Verification Center (linuxtesting.org) with SVACE + +Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko") +Signed-off-by: Nikolay Kuratov +Reviewed-by: Stefano Garzarella +Link: https://lore.kernel.org/r/20231211162317.4116625-1-kniv@yandex-team.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 9b8f592897ec5..df09ac4e35056 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -348,7 +348,7 @@ static s64 virtio_transport_has_space(struct vsock_sock *vsk) + struct virtio_vsock_sock *vvs = vsk->trans; + s64 bytes; + +- bytes = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); ++ bytes = (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); + if (bytes < 0) + bytes = 0; + +-- +2.43.0 + -- 2.47.3