From 658442a575dbbb2c12be326c5a9495362c1cdcee Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 29 Oct 2021 10:14:32 +0200 Subject: [PATCH] 5.4-stable patches added patches: ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch ipv6-use-siphash-in-rt6_exception_hash.patch net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch nfc-port100-fix-using-errno-as-command-type-mask.patch revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch usbnet-fix-error-return-code-in-usbnet_probe.patch usbnet-sanity-check-for-maxpacket.patch --- ...fix-the-error-handling-of-mv_chip_id.patch | 38 +++++ ...h-instead-of-jenkins-in-fnhe_hashfun.patch | 54 +++++++ ...v6-use-siphash-in-rt6_exception_hash.patch | 74 +++++++++ ...-flipped-sign-in-tls_err_abort-calls.patch | 140 ++++++++++++++++++ ...fix-using-errno-as-command-type-mask.patch | 43 ++++++ ...ix-memory-leak-in-__mdiobus_register.patch | 44 ++++++ ...updated-dt-binding-as-syscon-subnode.patch | 110 ++++++++++++++ queue-5.4/series | 9 ++ ...ix-error-return-code-in-usbnet_probe.patch | 32 ++++ .../usbnet-sanity-check-for-maxpacket.patch | 37 +++++ 10 files changed, 581 insertions(+) create mode 100644 queue-5.4/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch create mode 100644 queue-5.4/ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch create mode 100644 queue-5.4/ipv6-use-siphash-in-rt6_exception_hash.patch create mode 100644 queue-5.4/net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch create mode 100644 queue-5.4/nfc-port100-fix-using-errno-as-command-type-mask.patch create mode 100644 queue-5.4/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch create mode 100644 queue-5.4/revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch create mode 100644 queue-5.4/usbnet-fix-error-return-code-in-usbnet_probe.patch create mode 100644 queue-5.4/usbnet-sanity-check-for-maxpacket.patch diff --git a/queue-5.4/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch b/queue-5.4/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch new file mode 100644 index 00000000000..09fa42e2a7a --- /dev/null +++ b/queue-5.4/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch @@ -0,0 +1,38 @@ +From a0023bb9dd9bc439d44604eeec62426a990054cd Mon Sep 17 00:00:00 2001 +From: Zheyu Ma +Date: Fri, 22 Oct 2021 09:12:26 +0000 +Subject: ata: sata_mv: Fix the error handling of mv_chip_id() + +From: Zheyu Ma + +commit a0023bb9dd9bc439d44604eeec62426a990054cd upstream. + +mv_init_host() propagates the value returned by mv_chip_id() which in turn +gets propagated by mv_pci_init_one() and hits local_pci_probe(). + +During the process of driver probing, the probe function should return < 0 +for failure, otherwise, the kernel will treat value > 0 as success. + +Since this is a bug rather than a recoverable runtime error we should +use dev_alert() instead of dev_err(). + +Signed-off-by: Zheyu Ma +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/sata_mv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/ata/sata_mv.c ++++ b/drivers/ata/sata_mv.c +@@ -3892,8 +3892,8 @@ static int mv_chip_id(struct ata_host *h + break; + + default: +- dev_err(host->dev, "BUG: invalid board index %u\n", board_idx); +- return 1; ++ dev_alert(host->dev, "BUG: invalid board index %u\n", board_idx); ++ return -EINVAL; + } + + hpriv->hp_flags = hp_flags; diff --git a/queue-5.4/ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch b/queue-5.4/ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch new file mode 100644 index 00000000000..afb4838c7b8 --- /dev/null +++ b/queue-5.4/ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch @@ -0,0 +1,54 @@ +From foo@baz Fri Oct 29 09:38:21 AM CEST 2021 +From: Ovidiu Panait +Date: Thu, 28 Oct 2021 20:56:31 +0300 +Subject: ipv4: use siphash instead of Jenkins in fnhe_hashfun() +To: stable@vger.kernel.org +Message-ID: <20211028175631.1803277-3-ovidiu.panait@windriver.com> + +From: Eric Dumazet + +commit 6457378fe796815c973f631a1904e147d6ee33b1 upstream. + +A group of security researchers brought to our attention +the weakness of hash function used in fnhe_hashfun(). + +Lets use siphash instead of Jenkins Hash, to considerably +reduce security risks. + +Also remove the inline keyword, this really is distracting. + +Fixes: d546c621542d ("ipv4: harden fnhe_hashfun()") +Signed-off-by: Eric Dumazet +Reported-by: Keyu Man +Cc: Willy Tarreau +Signed-off-by: David S. Miller +[OP: adjusted context for 5.4 stable] +Signed-off-by: Ovidiu Panait +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -631,14 +631,14 @@ static void fnhe_remove_oldest(struct fn + kfree_rcu(oldest, rcu); + } + +-static inline u32 fnhe_hashfun(__be32 daddr) ++static u32 fnhe_hashfun(__be32 daddr) + { +- static u32 fnhe_hashrnd __read_mostly; +- u32 hval; ++ static siphash_key_t fnhe_hash_key __read_mostly; ++ u64 hval; + +- net_get_random_once(&fnhe_hashrnd, sizeof(fnhe_hashrnd)); +- hval = jhash_1word((__force u32) daddr, fnhe_hashrnd); +- return hash_32(hval, FNHE_HASH_SHIFT); ++ net_get_random_once(&fnhe_hash_key, sizeof(fnhe_hash_key)); ++ hval = siphash_1u32((__force u32)daddr, &fnhe_hash_key); ++ return hash_64(hval, FNHE_HASH_SHIFT); + } + + static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe) diff --git a/queue-5.4/ipv6-use-siphash-in-rt6_exception_hash.patch b/queue-5.4/ipv6-use-siphash-in-rt6_exception_hash.patch new file mode 100644 index 00000000000..31fb0fa6360 --- /dev/null +++ b/queue-5.4/ipv6-use-siphash-in-rt6_exception_hash.patch @@ -0,0 +1,74 @@ +From foo@baz Fri Oct 29 09:38:21 AM CEST 2021 +From: Ovidiu Panait +Date: Thu, 28 Oct 2021 20:56:30 +0300 +Subject: ipv6: use siphash in rt6_exception_hash() +To: stable@vger.kernel.org +Message-ID: <20211028175631.1803277-2-ovidiu.panait@windriver.com> + +From: Eric Dumazet + +commit 4785305c05b25a242e5314cc821f54ade4c18810 upstream. + +A group of security researchers brought to our attention +the weakness of hash function used in rt6_exception_hash() + +Lets use siphash instead of Jenkins Hash, to considerably +reduce security risks. + +Following patch deals with IPv4. + +Fixes: 35732d01fe31 ("ipv6: introduce a hash table to store dst cache") +Signed-off-by: Eric Dumazet +Reported-by: Keyu Man +Cc: Wei Wang +Cc: Martin KaFai Lau +Acked-by: Wei Wang +Signed-off-by: David S. Miller +[OP: adjusted context for 5.4 stable] +Signed-off-by: Ovidiu Panait +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1502,17 +1503,24 @@ static void rt6_exception_remove_oldest( + static u32 rt6_exception_hash(const struct in6_addr *dst, + const struct in6_addr *src) + { +- static u32 seed __read_mostly; +- u32 val; ++ static siphash_key_t rt6_exception_key __read_mostly; ++ struct { ++ struct in6_addr dst; ++ struct in6_addr src; ++ } __aligned(SIPHASH_ALIGNMENT) combined = { ++ .dst = *dst, ++ }; ++ u64 val; + +- net_get_random_once(&seed, sizeof(seed)); +- val = jhash(dst, sizeof(*dst), seed); ++ net_get_random_once(&rt6_exception_key, sizeof(rt6_exception_key)); + + #ifdef CONFIG_IPV6_SUBTREES + if (src) +- val = jhash(src, sizeof(*src), val); ++ combined.src = *src; + #endif +- return hash_32(val, FIB6_EXCEPTION_BUCKET_SIZE_SHIFT); ++ val = siphash(&combined, sizeof(combined), &rt6_exception_key); ++ ++ return hash_64(val, FIB6_EXCEPTION_BUCKET_SIZE_SHIFT); + } + + /* Helper function to find the cached rt in the hash table diff --git a/queue-5.4/net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch b/queue-5.4/net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch new file mode 100644 index 00000000000..666533d6edf --- /dev/null +++ b/queue-5.4/net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch @@ -0,0 +1,140 @@ +From da353fac65fede6b8b4cfe207f0d9408e3121105 Mon Sep 17 00:00:00 2001 +From: Daniel Jordan +Date: Wed, 27 Oct 2021 17:59:20 -0400 +Subject: net/tls: Fix flipped sign in tls_err_abort() calls + +From: Daniel Jordan + +commit da353fac65fede6b8b4cfe207f0d9408e3121105 upstream. + +sk->sk_err appears to expect a positive value, a convention that ktls +doesn't always follow and that leads to memory corruption in other code. +For instance, + + [kworker] + tls_encrypt_done(..., err=) + tls_err_abort(.., err) + sk->sk_err = err; + + [task] + splice_from_pipe_feed + ... + tls_sw_do_sendpage + if (sk->sk_err) { + ret = -sk->sk_err; // ret is positive + + splice_from_pipe_feed (continued) + ret = actor(...) // ret is still positive and interpreted as bytes + // written, resulting in underflow of buf->len and + // sd->len, leading to huge buf->offset and bogus + // addresses computed in later calls to actor() + +Fix all tls_err_abort() callers to pass a negative error code +consistently and centralize the error-prone sign flip there, throwing in +a warning to catch future misuse and uninlining the function so it +really does only warn once. + +Cc: stable@vger.kernel.org +Fixes: c46234ebb4d1e ("tls: RX path for ktls") +Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com +Signed-off-by: Daniel Jordan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tls.h | 9 ++------- + net/tls/tls_sw.c | 17 +++++++++++++---- + 2 files changed, 15 insertions(+), 11 deletions(-) + +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -360,6 +360,7 @@ int tls_sk_query(struct sock *sk, int op + int __user *optlen); + int tls_sk_attach(struct sock *sk, int optname, char __user *optval, + unsigned int optlen); ++void tls_err_abort(struct sock *sk, int err); + + int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx); + void tls_sw_strparser_arm(struct sock *sk, struct tls_context *ctx); +@@ -465,12 +466,6 @@ static inline bool tls_is_sk_tx_device_o + #endif + } + +-static inline void tls_err_abort(struct sock *sk, int err) +-{ +- sk->sk_err = err; +- sk->sk_error_report(sk); +-} +- + static inline bool tls_bigint_increment(unsigned char *seq, int len) + { + int i; +@@ -499,7 +494,7 @@ static inline void tls_advance_record_sn + struct cipher_context *ctx) + { + if (tls_bigint_increment(ctx->rec_seq, prot->rec_seq_size)) +- tls_err_abort(sk, EBADMSG); ++ tls_err_abort(sk, -EBADMSG); + + if (prot->version != TLS_1_3_VERSION) + tls_bigint_increment(ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -35,6 +35,7 @@ + * SOFTWARE. + */ + ++#include + #include + #include + #include +@@ -43,6 +44,14 @@ + #include + #include + ++noinline void tls_err_abort(struct sock *sk, int err) ++{ ++ WARN_ON_ONCE(err >= 0); ++ /* sk->sk_err should contain a positive error code. */ ++ sk->sk_err = -err; ++ sk->sk_error_report(sk); ++} ++ + static int __skb_nsg(struct sk_buff *skb, int offset, int len, + unsigned int recursion_level) + { +@@ -416,7 +425,7 @@ int tls_tx_records(struct sock *sk, int + + tx_err: + if (rc < 0 && rc != -EAGAIN) +- tls_err_abort(sk, EBADMSG); ++ tls_err_abort(sk, -EBADMSG); + + return rc; + } +@@ -761,7 +770,7 @@ static int tls_push_record(struct sock * + msg_pl->sg.size + prot->tail_size, i); + if (rc < 0) { + if (rc != -EINPROGRESS) { +- tls_err_abort(sk, EBADMSG); ++ tls_err_abort(sk, -EBADMSG); + if (split) { + tls_ctx->pending_open_record_frags = true; + tls_merge_open_record(sk, rec, tmp, orig_end); +@@ -1822,7 +1831,7 @@ int tls_sw_recvmsg(struct sock *sk, + err = decrypt_skb_update(sk, skb, &msg->msg_iter, + &chunk, &zc, async_capable); + if (err < 0 && err != -EINPROGRESS) { +- tls_err_abort(sk, EBADMSG); ++ tls_err_abort(sk, -EBADMSG); + goto recv_end; + } + +@@ -2002,7 +2011,7 @@ ssize_t tls_sw_splice_read(struct socket + } + + if (err < 0) { +- tls_err_abort(sk, EBADMSG); ++ tls_err_abort(sk, -EBADMSG); + goto splice_read_end; + } + ctx->decrypted = true; diff --git a/queue-5.4/nfc-port100-fix-using-errno-as-command-type-mask.patch b/queue-5.4/nfc-port100-fix-using-errno-as-command-type-mask.patch new file mode 100644 index 00000000000..a5f23a85c86 --- /dev/null +++ b/queue-5.4/nfc-port100-fix-using-errno-as-command-type-mask.patch @@ -0,0 +1,43 @@ +From 2195f2062e4cc93870da8e71c318ef98a1c51cef Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 25 Oct 2021 16:49:36 +0200 +Subject: nfc: port100: fix using -ERRNO as command type mask + +From: Krzysztof Kozlowski + +commit 2195f2062e4cc93870da8e71c318ef98a1c51cef upstream. + +During probing, the driver tries to get a list (mask) of supported +command types in port100_get_command_type_mask() function. The value +is u64 and 0 is treated as invalid mask (no commands supported). The +function however returns also -ERRNO as u64 which will be interpret as +valid command mask. + +Return 0 on every error case of port100_get_command_type_mask(), so the +probing will stop. + +Cc: +Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/port100.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/nfc/port100.c ++++ b/drivers/nfc/port100.c +@@ -1003,11 +1003,11 @@ static u64 port100_get_command_type_mask + + skb = port100_alloc_skb(dev, 0); + if (!skb) +- return -ENOMEM; ++ return 0; + + resp = port100_send_cmd_sync(dev, PORT100_CMD_GET_COMMAND_TYPE, skb); + if (IS_ERR(resp)) +- return PTR_ERR(resp); ++ return 0; + + if (resp->len < 8) + mask = 0; diff --git a/queue-5.4/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch b/queue-5.4/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch new file mode 100644 index 00000000000..5ae0884b84a --- /dev/null +++ b/queue-5.4/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch @@ -0,0 +1,44 @@ +From 10eff1f5788b6ffac212c254e2f3666219576889 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 30 Sep 2021 20:49:42 +0300 +Subject: Revert "net: mdiobus: Fix memory leak in __mdiobus_register" + +From: Pavel Skripkin + +commit 10eff1f5788b6ffac212c254e2f3666219576889 upstream. + +This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e. + +This patch is correct in the sense that we _should_ call device_put() in +case of device_register() failure, but the problem in this code is more +vast. + +We need to set bus->state to UNMDIOBUS_REGISTERED before calling +device_register() to correctly release the device in mdiobus_free(). +This patch prevents us from doing it, since in case of device_register() +failure put_device() will be called 2 times and it will cause UAF or +something else. + +Also, Reported-by: tag in revered commit was wrong, since syzbot +reported different leak in same function. + +Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/ +Acked-by: Yanfei Xu +Signed-off-by: Pavel Skripkin +Link: https://lore.kernel.org/r/f12fb1faa4eccf0f355788225335eb4309ff2599.1633024062.git.paskripkin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio_bus.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -395,7 +395,6 @@ int __mdiobus_register(struct mii_bus *b + err = device_register(&bus->dev); + if (err) { + pr_err("mii_bus %s failed to register\n", bus->id); +- put_device(&bus->dev); + return -EINVAL; + } + diff --git a/queue-5.4/revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch b/queue-5.4/revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch new file mode 100644 index 00000000000..2e1ce549ed5 --- /dev/null +++ b/queue-5.4/revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch @@ -0,0 +1,110 @@ +From 6dba4bdfd7a30e77b848a45404b224588bf989e5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Fri, 8 Oct 2021 22:59:38 +0200 +Subject: Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +commit 6dba4bdfd7a30e77b848a45404b224588bf989e5 upstream. + +This reverts commit a49d784d5a8272d0f63c448fe8dc69e589db006e. + +The updated binding was wrong / invalid and has been reverted. There +isn't any upstream kernel DTS using it and Broadcom isn't known to use +it neither. There is close to zero chance this will cause regression for +anyone. + +Actually in-kernel bcm5301x.dtsi still uses the old good binding and so +it's broken since the driver update. This revert fixes it. + +Signed-off-by: Rafał Miłecki +Link: https://lore.kernel.org/r/20211008205938.29925-3-zajec5@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/bcm/pinctrl-ns.c | 29 ++++++++++------------------- + 1 file changed, 10 insertions(+), 19 deletions(-) + +--- a/drivers/pinctrl/bcm/pinctrl-ns.c ++++ b/drivers/pinctrl/bcm/pinctrl-ns.c +@@ -5,7 +5,6 @@ + + #include + #include +-#include + #include + #include + #include +@@ -13,7 +12,6 @@ + #include + #include + #include +-#include + #include + + #define FLAG_BCM4708 BIT(1) +@@ -24,8 +22,7 @@ struct ns_pinctrl { + struct device *dev; + unsigned int chipset_flag; + struct pinctrl_dev *pctldev; +- struct regmap *regmap; +- u32 offset; ++ void __iomem *base; + + struct pinctrl_desc pctldesc; + struct ns_pinctrl_group *groups; +@@ -232,9 +229,9 @@ static int ns_pinctrl_set_mux(struct pin + unset |= BIT(pin_number); + } + +- regmap_read(ns_pinctrl->regmap, ns_pinctrl->offset, &tmp); ++ tmp = readl(ns_pinctrl->base); + tmp &= ~unset; +- regmap_write(ns_pinctrl->regmap, ns_pinctrl->offset, tmp); ++ writel(tmp, ns_pinctrl->base); + + return 0; + } +@@ -266,13 +263,13 @@ static const struct of_device_id ns_pinc + static int ns_pinctrl_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; +- struct device_node *np = dev->of_node; + const struct of_device_id *of_id; + struct ns_pinctrl *ns_pinctrl; + struct pinctrl_desc *pctldesc; + struct pinctrl_pin_desc *pin; + struct ns_pinctrl_group *group; + struct ns_pinctrl_function *function; ++ struct resource *res; + int i; + + ns_pinctrl = devm_kzalloc(dev, sizeof(*ns_pinctrl), GFP_KERNEL); +@@ -290,18 +287,12 @@ static int ns_pinctrl_probe(struct platf + return -EINVAL; + ns_pinctrl->chipset_flag = (uintptr_t)of_id->data; + +- ns_pinctrl->regmap = syscon_node_to_regmap(of_get_parent(np)); +- if (IS_ERR(ns_pinctrl->regmap)) { +- int err = PTR_ERR(ns_pinctrl->regmap); +- +- dev_err(dev, "Failed to map pinctrl regs: %d\n", err); +- +- return err; +- } +- +- if (of_property_read_u32(np, "offset", &ns_pinctrl->offset)) { +- dev_err(dev, "Failed to get register offset\n"); +- return -ENOENT; ++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, ++ "cru_gpio_control"); ++ ns_pinctrl->base = devm_ioremap_resource(dev, res); ++ if (IS_ERR(ns_pinctrl->base)) { ++ dev_err(dev, "Failed to map pinctrl regs\n"); ++ return PTR_ERR(ns_pinctrl->base); + } + + memcpy(pctldesc, &ns_pinctrl_desc, sizeof(*pctldesc)); diff --git a/queue-5.4/series b/queue-5.4/series index eb2d01d1570..c9358689f8a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -3,3 +3,12 @@ arm-9134-1-remove-duplicate-memcpy-definition.patch arm-9139-1-kprobes-fix-arch_init_kprobes-prototype.patch arm-9141-1-only-warn-about-xip-address-when-not-compile-testing.patch powerpc-bpf-fix-bpf_mod-when-imm-1.patch +ipv6-use-siphash-in-rt6_exception_hash.patch +ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch +usbnet-sanity-check-for-maxpacket.patch +usbnet-fix-error-return-code-in-usbnet_probe.patch +revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch +ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch +nfc-port100-fix-using-errno-as-command-type-mask.patch +revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch +net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch diff --git a/queue-5.4/usbnet-fix-error-return-code-in-usbnet_probe.patch b/queue-5.4/usbnet-fix-error-return-code-in-usbnet_probe.patch new file mode 100644 index 00000000000..4a51233e58e --- /dev/null +++ b/queue-5.4/usbnet-fix-error-return-code-in-usbnet_probe.patch @@ -0,0 +1,32 @@ +From 6f7c88691191e6c52ef2543d6f1da8d360b27a24 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Tue, 26 Oct 2021 20:40:15 +0800 +Subject: usbnet: fix error return code in usbnet_probe() + +From: Wang Hai + +commit 6f7c88691191e6c52ef2543d6f1da8d360b27a24 upstream. + +Return error code if usb_maxpacket() returns 0 in usbnet_probe() + +Fixes: 397430b50a36 ("usbnet: sanity check for maxpacket") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20211026124015.3025136-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/usbnet.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1775,6 +1775,7 @@ usbnet_probe (struct usb_interface *udev + dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1); + if (dev->maxpacket == 0) { + /* that is a broken device */ ++ status = -ENODEV; + goto out4; + } + diff --git a/queue-5.4/usbnet-sanity-check-for-maxpacket.patch b/queue-5.4/usbnet-sanity-check-for-maxpacket.patch new file mode 100644 index 00000000000..4f3968aadae --- /dev/null +++ b/queue-5.4/usbnet-sanity-check-for-maxpacket.patch @@ -0,0 +1,37 @@ +From 397430b50a363d8b7bdda00522123f82df6adc5e Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 21 Oct 2021 14:29:44 +0200 +Subject: usbnet: sanity check for maxpacket + +From: Oliver Neukum + +commit 397430b50a363d8b7bdda00522123f82df6adc5e upstream. + +maxpacket of 0 makes no sense and oopses as we need to divide +by it. Give up. + +V2: fixed typo in log and stylistic issues + +Signed-off-by: Oliver Neukum +Reported-by: syzbot+76bb1d34ffa0adc03baa@syzkaller.appspotmail.com +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20211021122944.21816-1-oneukum@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/usbnet.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1773,6 +1773,10 @@ usbnet_probe (struct usb_interface *udev + if (!dev->rx_urb_size) + dev->rx_urb_size = dev->hard_mtu; + dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1); ++ if (dev->maxpacket == 0) { ++ /* that is a broken device */ ++ goto out4; ++ } + + /* let userspace know we have a random address */ + if (ether_addr_equal(net->dev_addr, node_id)) -- 2.47.3