From 0d4a7ff3ee4305ff71468b012de61bde115b355b Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sat, 14 Oct 2023 08:58:49 -0400
Subject: [PATCH] Fixes for 4.14

Signed-off-by: Sasha Levin
---
 ...m-vmwgfx-fix-typo-of-sizeof-argument.patch | 40 ++++++++++
 ...0-fix-a-potential-uaf-in-ca8210_prob.patch | 75 +++++++++++++++++++
 ...fix-crash-with-empty-vf-macvlan-list.patch | 49 ++++++++++++
 ...i-assert-requested-protocol-is-valid.patch | 45 +++++++++++
 queue-4.14/series | 5 ++
 ...de-implicit-ordered-attribute-in-wor.patch | 58 ++++++++++++++
 6 files changed, 272 insertions(+)
 create mode 100644 queue-4.14/drm-vmwgfx-fix-typo-of-sizeof-argument.patch
 create mode 100644 queue-4.14/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch
 create mode 100644 queue-4.14/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch
 create mode 100644 queue-4.14/nfc-nci-assert-requested-protocol-is-valid.patch
 create mode 100644 queue-4.14/workqueue-override-implicit-ordered-attribute-in-wor.patch

diff --git a/queue-4.14/drm-vmwgfx-fix-typo-of-sizeof-argument.patch b/queue-4.14/drm-vmwgfx-fix-typo-of-sizeof-argument.patch
new file mode 100644
index 00000000000..808288226f9
--- /dev/null
+++ b/queue-4.14/drm-vmwgfx-fix-typo-of-sizeof-argument.patch
@@ -0,0 +1,40 @@
+From 6dbcd9e0c1f51e9a5bc7a86ecb8d6aaf0efc0db1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Sep 2023 18:02:03 +0800
+Subject: drm/vmwgfx: fix typo of sizeof argument
+
+From: Konstantin Meskhidze
+
+[ Upstream commit 39465cac283702a7d4a507a558db81898029c6d3 ]
+
+Since size of 'header' pointer and '*header' structure is equal on 64-bit
+machines issue probably didn't cause any wrong behavior. But anyway,
+fixing typo is required.
+
+Fixes: 7a73ba7469cb ("drm/vmwgfx: Use TTM handles instead of SIDs as user-space surface handles.")
+Co-developed-by: Ivanov Mikhail
+Signed-off-by: Konstantin Meskhidze
+Reviewed-by: Zack Rusin
+Signed-off-by: Zack Rusin
+Link: https://patchwork.freedesktop.org/patch/msgid/20230905100203.1716731-1-konstantin.meskhidze@huawei.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+index 996696ad6f988..3bb0a36260c20 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+@@ -1836,7 +1836,7 @@ static int vmw_cmd_tex_state(struct vmw_private *dev_priv,
+ } *cmd;
+
+ SVGA3dTextureState *last_state = (SVGA3dTextureState *)
+- ((unsigned long) header + header->size + sizeof(header));
++ ((unsigned long) header + header->size + sizeof(*header));
+ SVGA3dTextureState *cur_state = (SVGA3dTextureState *)
+ ((unsigned long) header + sizeof(struct vmw_tex_state_cmd));
+ struct vmw_resource_val_node *ctx_node;
+--
+2.40.1
+
diff --git a/queue-4.14/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch b/queue-4.14/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch
new file mode 100644
index 00000000000..8731bd50e14
--- /dev/null
+++ b/queue-4.14/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch
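Review bot: The `last_state` bound in vmw_cmd_tex_state() is computed from `header->size` through integer casts, and nothing in the hunk shows where that size is validated, so a reader cannot tell from here that the walk over the texture states stays inside the submitted command. Presumably the command-verification path checks `header->size` before this handler runs; that is worth confirming against the 4.14 tree. Once confirmed, a short comment above the computation would record it, along the lines of `/* header->size is the body length, already bounds-checked; end = header + sizeof(*header) + size */`. The function starts and ends outside the hunk.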
@@ -0,0 +1,75 @@
+From 72797c7408d7b24008b1c9ca8dc8caafc1c3976c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 7 Oct 2023 11:30:49 +0800
+Subject: ieee802154: ca8210: Fix a potential UAF in ca8210_probe
+
+From: Dinghao Liu
+
+[ Upstream commit f990874b1c98fe8e57ee9385669f501822979258 ]
+
+If of_clk_add_provider() fails in ca8210_register_ext_clock(),
+it calls clk_unregister() to release priv->clk and returns an
+error. However, the caller ca8210_probe() then calls ca8210_remove(),
+where priv->clk is freed again in ca8210_unregister_ext_clock(). In
+this case, a use-after-free may happen in the second time we call
+clk_unregister().
+
+Fix this by removing the first clk_unregister(). Also, priv->clk could
+be an error code on failure of clk_register_fixed_rate(). Use
+IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Dinghao Liu
+Message-ID: <20231007033049.22353-1-dinghao.liu@zju.edu.cn>
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ieee802154/ca8210.c | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index 4ec65582eaf70..d903106436dc6 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2782,7 +2782,6 @@ static int ca8210_register_ext_clock(struct spi_device *spi)
+ struct device_node *np = spi->dev.of_node;
+ struct ca8210_priv *priv = spi_get_drvdata(spi);
+ struct ca8210_platform_data *pdata = spi->dev.platform_data;
+- int ret = 0;
+
+ if (!np)
+ return -EFAULT;
+@@ -2799,18 +2798,8 @@ static int ca8210_register_ext_clock(struct spi_device *spi)
+ dev_crit(&spi->dev, "Failed to register external clk\n");
+ return PTR_ERR(priv->clk);
+ }
+- ret = of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
+- if (ret) {
+- clk_unregister(priv->clk);
+- dev_crit(
+- &spi->dev,
+- "Failed to register external clock as clock provider\n"
+- );
+- } else {
+- dev_info(&spi->dev, "External clock set as clock provider\n");
+- }
+
+- return ret;
++ return of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
+ }
+
+ /**
+@@ -2822,8 +2811,8 @@ static void ca8210_unregister_ext_clock(struct spi_device *spi)
+ {
+ struct ca8210_priv *priv = spi_get_drvdata(spi);
+
+- if (!priv->clk)
+- return
++ if (IS_ERR_OR_NULL(priv->clk))
++ return;
+
+ of_clk_del_provider(spi->dev.of_node);
+ clk_unregister(priv->clk);
+--
+2.40.1
+
diff --git a/queue-4.14/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch b/queue-4.14/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch
new file mode 100644
index 00000000000..74be59cc1f2
--- /dev/null
+++ b/queue-4.14/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch
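Review bot: ca8210_unregister_ext_clock() still leaves `priv->clk` pointing at the clock after `clk_unregister(priv->clk);`, so the new `IS_ERR_OR_NULL(priv->clk)` guard protects only the first teardown and a second call for the same device would unregister the clock again. Adding `priv->clk = NULL;` directly after `clk_unregister(priv->clk);` makes the helper idempotent, which is what the probe-failure path described in the commit message depends on. The function continues past the end of the hunk, so check that nothing after that point reads `priv->clk`. Separately, the register hunk drops both log lines, so a failing `of_clk_add_provider()` is now reported only if the caller logs the returned error.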
@@ -0,0 +1,49 @@
+From c7d806c67e48d437031f8c1516d213d488e6888f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 Oct 2023 15:53:09 +0300
+Subject: ixgbe: fix crash with empty VF macvlan list
+
+From: Dan Carpenter
+
+[ Upstream commit 7b5add9af567c44e12196107f0fe106e194034fd ]
+
+The adapter->vf_mvs.l list needs to be initialized even if the list is
+empty. Otherwise it will lead to crashes.
+
+Fixes: a1cbb15c1397 ("ixgbe: Add macvlan support for VF")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Simon Horman
+Reviewed-by: Jesse Brandeburg
+Link: https://lore.kernel.org/r/ZSADNdIw8zFx1xw2@kadam
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+index f36bb9e7d8d59..3698c45837d82 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+@@ -53,6 +53,9 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter,
+ struct vf_macvlans *mv_list;
+ int num_vf_macvlans, i;
+
++ /* Initialize list of VF macvlans */
++ INIT_LIST_HEAD(&adapter->vf_mvs.l);
++
+ num_vf_macvlans = hw->mac.num_rar_entries -
+ (IXGBE_MAX_PF_MACVLANS + 1 + num_vfs);
+ if (!num_vf_macvlans)
+@@ -61,8 +64,6 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter,
+ mv_list = kcalloc(num_vf_macvlans, sizeof(struct vf_macvlans),
+ GFP_KERNEL);
+ if (mv_list) {
+- /* Initialize list of VF macvlans */
+- INIT_LIST_HEAD(&adapter->vf_mvs.l);
+ for (i = 0; i < num_vf_macvlans; i++) {
+ mv_list[i].vf = -1;
+ mv_list[i].free = true;
+--
+2.40.1
+
diff --git a/queue-4.14/nfc-nci-assert-requested-protocol-is-valid.patch b/queue-4.14/nfc-nci-assert-requested-protocol-is-valid.patch
new file mode 100644
index 00000000000..8acb03fa50f
--- /dev/null
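Review bot: `num_vf_macvlans` is a signed `int` produced by a subtraction, and the only guard visible is `if (!num_vf_macvlans)`, so a negative result would fall through to `kcalloc(num_vf_macvlans, ...)` and be converted to a very large element count. kcalloc's overflow check should make that allocation fail rather than under-allocate, and the list head is now initialised either way, but `if (num_vf_macvlans <= 0)` states the intent directly and avoids an allocation-failure warning on that path. Whether a negative value is reachable depends on the limits applied to `num_vfs` and `hw->mac.num_rar_entries`, which are outside the hunk. The statement guarded by the `if` is not visible here either.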
+++ b/queue-4.14/nfc-nci-assert-requested-protocol-is-valid.patch
@@ -0,0 +1,45 @@
+From 3d7cbc0e71221e98073a7be634f7f96dbcaa0bbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Oct 2023 16:00:54 -0400
+Subject: nfc: nci: assert requested protocol is valid
+
+From: Jeremy Cline
+
+[ Upstream commit 354a6e707e29cb0c007176ee5b8db8be7bd2dee0 ]
+
+The protocol is used in a bit mask to determine if the protocol is
+supported. Assert the provided protocol is less than the maximum
+defined so it doesn't potentially perform a shift-out-of-bounds and
+provide a clearer error for undefined protocols vs unsupported ones.
+
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Reported-and-tested-by: syzbot+0839b78e119aae1fec78@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0839b78e119aae1fec78
+Signed-off-by: Jeremy Cline
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20231009200054.82557-1-jeremy@jcline.org
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/nfc/nci/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 216228c39acba..d42c603dd635c 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -906,6 +906,11 @@ static int nci_activate_target(struct nfc_dev *nfc_dev,
+ return -EINVAL;
+ }
+
++ if (protocol >= NFC_PROTO_MAX) {
++ pr_err("the requested nfc protocol is invalid\n");
++ return -EINVAL;
++ }
++
+ if (!(nci_target->supported_protocols & (1 << protocol))) {
+ pr_err("target does not support the requested protocol 0x%x\n",
+ protocol);
+--
+2.40.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 483e3bdcb1b..c20255d5569 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
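Review bot: The added `pr_err("the requested nfc protocol is invalid\n");` omits the rejected value, while the neighbouring message prints it with `0x%x`; logging it helps whoever triages the rejection, e.g. `pr_err("the requested nfc protocol 0x%x is invalid\n", protocol);`. The trailers show the out-of-range value was found by syzbot, so this path looks reachable with caller-chosen input; if that caller can be unprivileged, an unthrottled `pr_err` lets it fill the kernel log, and `pr_err_ratelimited` (or `pr_debug`) would be the safer choice for both messages. The mask test keeps the signed `1 << protocol`; `1U << protocol` or `BIT(protocol)` removes any signed-shift question should `NFC_PROTO_MAX` grow. The function starts and ends outside the hunk.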
@@ -2,3 +2,8 @@ rdma-cxgb4-check-skb-value-for-failure-to-allocate.patch
 platform-x86-hp-wmi-mark-driver-struct-with-__refdat.patch
 hid-logitech-hidpp-fix-kernel-crash-on-receiver-usb-disconnect.patch
 drm-etvnaviv-fix-bad-backport-leading-to-warning.patch
+ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch
+drm-vmwgfx-fix-typo-of-sizeof-argument.patch
+ixgbe-fix-crash-with-empty-vf-macvlan-list.patch
+nfc-nci-assert-requested-protocol-is-valid.patch
+workqueue-override-implicit-ordered-attribute-in-wor.patch
diff --git a/queue-4.14/workqueue-override-implicit-ordered-attribute-in-wor.patch b/queue-4.14/workqueue-override-implicit-ordered-attribute-in-wor.patch
new file mode 100644
index 00000000000..0cf6470b693
--- /dev/null
+++ b/queue-4.14/workqueue-override-implicit-ordered-attribute-in-wor.patch
@@ -0,0 +1,58 @@
+From e49feebfb57d59829bce0712bca6f7a80f9018e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Oct 2023 22:48:42 -0400
+Subject: workqueue: Override implicit ordered attribute in
+ workqueue_apply_unbound_cpumask()
+
+From: Waiman Long
+
+[ Upstream commit ca10d851b9ad0338c19e8e3089e24d565ebfffd7 ]
+
+Commit 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1
+to be ordered") enabled implicit ordered attribute to be added to
+WQ_UNBOUND workqueues with max_active of 1. This prevented the changing
+of attributes to these workqueues leading to fix commit 0a94efb5acbb
+("workqueue: implicit ordered attribute should be overridable").
+
+However, workqueue_apply_unbound_cpumask() was not updated at that time.
+So sysfs changes to wq_unbound_cpumask has no effect on WQ_UNBOUND
+workqueues with implicit ordered attribute. Since not all WQ_UNBOUND
+workqueues are visible on sysfs, we are not able to make all the
+necessary cpumask changes even if we iterates all the workqueue cpumasks
+in sysfs and changing them one by one.
+
+Fix this problem by applying the corresponding change made
+to apply_workqueue_attrs_locked() in the fix commit to
+workqueue_apply_unbound_cpumask().
+
+Fixes: 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be ordered")
+Signed-off-by: Waiman Long
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+---
+ kernel/workqueue.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 87eca8d1faad1..69238bc8be50e 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -5001,9 +5001,13 @@ static int workqueue_apply_unbound_cpumask(void)
+ list_for_each_entry(wq, &workqueues, list) {
+ if (!(wq->flags & WQ_UNBOUND))
+ continue;
++
+ /* creating multiple pwqs breaks ordering guarantee */
+- if (wq->flags & __WQ_ORDERED)
+- continue;
++ if (!list_empty(&wq->pwqs)) {
++ if (wq->flags & __WQ_ORDERED_EXPLICIT)
++ continue;
++ wq->flags &= ~__WQ_ORDERED;
++ }
+
+ ctx = apply_wqattrs_prepare(wq, wq->unbound_attrs);
+ if (!ctx) {
+--
+2.40.1
+
--
2.47.3
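Review bot: The retained comment `/* creating multiple pwqs breaks ordering guarantee */` no longer describes the block beneath it, which now skips only `__WQ_ORDERED_EXPLICIT` workqueues and clears `__WQ_ORDERED` on the implicitly ordered ones so they can be reconfigured. I would reword it, for example `/* explicitly ordered wqs must keep a single pwq; implicit ordering may be dropped */`, and say why the `!list_empty(&wq->pwqs)` test is there. Also, `wq->flags &= ~__WQ_ORDERED;` runs before `apply_wqattrs_prepare()`, so if preparation fails for this or a later workqueue the flag stays cleared although no new attributes were applied. The error handling is outside the hunk, so confirm that this is acceptable or clear the flag only when the prepared contexts are committed.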