From 88abd9b23d36693c36f7188c75dad194b99793de Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 25 Feb 2022 13:00:19 +0100 Subject: [PATCH] 5.4-stable patches added patches: drm-amdgpu-disable-mmhub-pg-for-picasso.patch netfilter-nf_tables_offload-incorrect-flow-offload-action-array-size.patch sr9700-sanity-check-for-packet-length.patch usb-zaurus-support-another-broken-zaurus.patch --- ...-amdgpu-disable-mmhub-pg-for-picasso.patch | 35 +++++ ...rrect-flow-offload-action-array-size.patch | 136 ++++++++++++++++++ queue-5.4/series | 4 + ...r9700-sanity-check-for-packet-length.patch | 31 ++++ ...zaurus-support-another-broken-zaurus.patch | 79 ++++++++++ 5 files changed, 285 insertions(+) create mode 100644 queue-5.4/drm-amdgpu-disable-mmhub-pg-for-picasso.patch create mode 100644 queue-5.4/netfilter-nf_tables_offload-incorrect-flow-offload-action-array-size.patch create mode 100644 queue-5.4/sr9700-sanity-check-for-packet-length.patch create mode 100644 queue-5.4/usb-zaurus-support-another-broken-zaurus.patch diff --git a/queue-5.4/drm-amdgpu-disable-mmhub-pg-for-picasso.patch b/queue-5.4/drm-amdgpu-disable-mmhub-pg-for-picasso.patch new file mode 100644 index 00000000000..544c9e7b600 --- /dev/null +++ b/queue-5.4/drm-amdgpu-disable-mmhub-pg-for-picasso.patch 
@@ -0,0 +1,35 @@
+From f626dd0ff05043e5a7154770cc7cda66acee33a3 Mon Sep 17 00:00:00 2001
+From: Evan Quan
+Date: Thu, 20 Jan 2022 16:15:52 +0800
+Subject: drm/amdgpu: disable MMHUB PG for Picasso
+
+From: Evan Quan
+
+commit f626dd0ff05043e5a7154770cc7cda66acee33a3 upstream.
+
+MMHUB PG needs to be disabled for Picasso for stability reasons.
+
+Signed-off-by: Evan Quan
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/soc15.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/soc15.c
++++ b/drivers/gpu/drm/amd/amdgpu/soc15.c
+@@ -1143,8 +1143,11 @@ static int soc15_common_early_init(void
+ AMD_CG_SUPPORT_SDMA_MGCG |
+ AMD_CG_SUPPORT_SDMA_LS;
+
++ /*
++ * MMHUB PG needs to be disabled for Picasso for
++ * stability reasons.
++ */
+ adev->pg_flags = AMD_PG_SUPPORT_SDMA |
+- AMD_PG_SUPPORT_MMHUB |
+ AMD_PG_SUPPORT_VCN;
+ } else {
+ adev->cg_flags = AMD_CG_SUPPORT_GFX_MGCG |
diff --git a/queue-5.4/netfilter-nf_tables_offload-incorrect-flow-offload-action-array-size.patch b/queue-5.4/netfilter-nf_tables_offload-incorrect-flow-offload-action-array-size.patch
new file mode 100644
index 00000000000..affd21f76cb
--- /dev/null
+++ b/queue-5.4/netfilter-nf_tables_offload-incorrect-flow-offload-action-array-size.patch
@@ -0,0 +1,136 @@ +From b1a5983f56e371046dcf164f90bfaf704d2b89f6 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 17 Feb 2022 23:41:20 +0100 +Subject: netfilter: nf_tables_offload: incorrect flow offload action array size + +From: Pablo Neira Ayuso + +commit b1a5983f56e371046dcf164f90bfaf704d2b89f6 upstream. + +immediate verdict expression needs to allocate one slot in the flow offload +action array, however, immediate data expression does not need to do so. + +fwd and dup expression need to allocate one slot, this is missing. + +Add a new offload_action interface to report if this expression needs to +allocate one slot in the flow offload action array. + +Fixes: be2861dc36d7 ("netfilter: nft_{fwd,dup}_netdev: add offload support") +Reported-and-tested-by: Nick Gregory +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_tables.h | 2 +- + include/net/netfilter/nf_tables_offload.h | 2 -- + net/netfilter/nf_tables_offload.c | 3 ++- + net/netfilter/nft_dup_netdev.c | 6 ++++++ + net/netfilter/nft_fwd_netdev.c | 6 ++++++ + net/netfilter/nft_immediate.c | 12 +++++++++++- + 6 files changed, 26 insertions(+), 5 deletions(-) + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -805,7 +805,7 @@ struct nft_expr_ops { + int (*offload)(struct nft_offload_ctx *ctx, + struct nft_flow_rule *flow, + const struct nft_expr *expr); +- u32 offload_flags; ++ bool (*offload_action)(const struct nft_expr *expr); + const struct nft_expr_type *type; + void *data; + }; +--- a/include/net/netfilter/nf_tables_offload.h ++++ b/include/net/netfilter/nf_tables_offload.h +@@ -60,8 +60,6 @@ struct nft_flow_rule { + struct flow_rule *rule; + }; + +-#define NFT_OFFLOAD_F_ACTION (1 << 0) +- + void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow, + enum flow_dissector_key_id addr_type); + +--- a/net/netfilter/nf_tables_offload.c ++++ b/net/netfilter/nf_tables_offload.c +@@ -55,7 +55,8 @@ struct 
nft_flow_rule *nft_flow_rule_crea + + expr = nft_expr_first(rule); + while (nft_expr_more(rule, expr)) { +- if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION) ++ if (expr->ops->offload_action && ++ expr->ops->offload_action(expr)) + num_actions++; + + expr = nft_expr_next(expr); +--- a/net/netfilter/nft_dup_netdev.c ++++ b/net/netfilter/nft_dup_netdev.c +@@ -67,6 +67,11 @@ static int nft_dup_netdev_offload(struct + return nft_fwd_dup_netdev_offload(ctx, flow, FLOW_ACTION_MIRRED, oif); + } + ++static bool nft_dup_netdev_offload_action(const struct nft_expr *expr) ++{ ++ return true; ++} ++ + static struct nft_expr_type nft_dup_netdev_type; + static const struct nft_expr_ops nft_dup_netdev_ops = { + .type = &nft_dup_netdev_type, +@@ -75,6 +80,7 @@ static const struct nft_expr_ops nft_dup + .init = nft_dup_netdev_init, + .dump = nft_dup_netdev_dump, + .offload = nft_dup_netdev_offload, ++ .offload_action = nft_dup_netdev_offload_action, + }; + + static struct nft_expr_type nft_dup_netdev_type __read_mostly = { +--- a/net/netfilter/nft_fwd_netdev.c ++++ b/net/netfilter/nft_fwd_netdev.c +@@ -77,6 +77,11 @@ static int nft_fwd_netdev_offload(struct + return nft_fwd_dup_netdev_offload(ctx, flow, FLOW_ACTION_REDIRECT, oif); + } + ++static bool nft_fwd_netdev_offload_action(const struct nft_expr *expr) ++{ ++ return true; ++} ++ + struct nft_fwd_neigh { + enum nft_registers sreg_dev:8; + enum nft_registers sreg_addr:8; +@@ -219,6 +224,7 @@ static const struct nft_expr_ops nft_fwd + .dump = nft_fwd_netdev_dump, + .validate = nft_fwd_validate, + .offload = nft_fwd_netdev_offload, ++ .offload_action = nft_fwd_netdev_offload_action, + }; + + static const struct nft_expr_ops * +--- a/net/netfilter/nft_immediate.c ++++ b/net/netfilter/nft_immediate.c +@@ -163,6 +163,16 @@ static int nft_immediate_offload(struct + return 0; + } + ++static bool nft_immediate_offload_action(const struct nft_expr *expr) ++{ ++ const struct nft_immediate_expr *priv = nft_expr_priv(expr); ++ ++ if 
(priv->dreg == NFT_REG_VERDICT) ++ return true; ++ ++ return false; ++} ++ + static const struct nft_expr_ops nft_imm_ops = { + .type = &nft_imm_type, + .size = NFT_EXPR_SIZE(sizeof(struct nft_immediate_expr)), +@@ -173,7 +183,7 @@ static const struct nft_expr_ops nft_imm + .dump = nft_immediate_dump, + .validate = nft_immediate_validate, + .offload = nft_immediate_offload, +- .offload_flags = NFT_OFFLOAD_F_ACTION, ++ .offload_action = nft_immediate_offload_action, + }; + + struct nft_expr_type nft_imm_type __read_mostly = { diff --git a/queue-5.4/series b/queue-5.4/series index 91fdf2307cd..9ff9d27e1d4 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -3,3 +3,7 @@ clk-jz4725b-fix-mmc0-clock-gating.patch vhost-vsock-don-t-check-owner-in-vhost_vsock_stop-while-releasing.patch parisc-unaligned-fix-fldd-and-fstd-unaligned-handlers-on-32-bit-kernel.patch parisc-unaligned-fix-ldw-and-stw-unalignment-handlers.patch +drm-amdgpu-disable-mmhub-pg-for-picasso.patch +sr9700-sanity-check-for-packet-length.patch +usb-zaurus-support-another-broken-zaurus.patch +netfilter-nf_tables_offload-incorrect-flow-offload-action-array-size.patch diff --git a/queue-5.4/sr9700-sanity-check-for-packet-length.patch b/queue-5.4/sr9700-sanity-check-for-packet-length.patch new file mode 100644 index 00000000000..a81b362b525 --- /dev/null +++ b/queue-5.4/sr9700-sanity-check-for-packet-length.patch 
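Review bot: The slot count taken in nft_flow_rule_create() and the actions later written by each expression's `.offload` handler are still tied together only by convention: an expression that emits an action but leaves `.offload_action` unset is counted as zero, and the action array comes up one slot short again, which is the defect this patch fixes for fwd and dup. The code that appends actions is outside these hunks, so it is not visible whether it checks the slot index against the allocated count; if it does not, a bounds check there that fails the offload with an error would turn a future mismatch into a rejected rule rather than a write past the array. The new member in struct nft_expr_ops should at least carry the contract, e.g. `/* must return true iff .offload adds one entry to the flow action array */`. As a smaller point, nft_immediate_offload_action() reads more directly as `return priv->dreg == NFT_REG_VERDICT;`.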
@@ -0,0 +1,31 @@
+From e9da0b56fe27206b49f39805f7dcda8a89379062 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 17 Feb 2022 14:10:44 +0100
+Subject: sr9700: sanity check for packet length
+
+From: Oliver Neukum
+
+commit e9da0b56fe27206b49f39805f7dcda8a89379062 upstream.
+
+A malicious device can leak heap data to user space
+providing bogus frame lengths. Introduce a sanity check.
+
+Signed-off-by: Oliver Neukum
+Reviewed-by: Grant Grundler
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/sr9700.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/sr9700.c
++++ b/drivers/net/usb/sr9700.c
+@@ -410,7 +410,7 @@ static int sr9700_rx_fixup(struct usbnet
+ /* ignore the CRC length */
+ len = (skb->data[1] | (skb->data[2] << 8)) - 4;
+
+- if (len > ETH_FRAME_LEN)
++ if (len > ETH_FRAME_LEN || len > skb->len)
+ return 0;
+
+ /* the last packet of current skb */
diff --git a/queue-5.4/usb-zaurus-support-another-broken-zaurus.patch b/queue-5.4/usb-zaurus-support-another-broken-zaurus.patch
new file mode 100644
index 00000000000..88192a34b56
--- /dev/null
+++ b/queue-5.4/usb-zaurus-support-another-broken-zaurus.patch
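Review bot: The added `len > skb->len` bound in sr9700_rx_fixup() compares the payload length against the whole buffer, but the length is itself read from `skb->data[1]` and `skb->data[2]`, so the payload starts at least three bytes into the skb and a device-supplied length within that margin of `skb->len` still passes. A reported length below 4 makes `len` negative after the `- 4`, and that is rejected only if the comparison with `skb->len` is carried out in unsigned arithmetic, which depends on the declaration of `len` outside this hunk. Stating both conditions explicitly would be safer, along the lines of `if (len < 0 || len > ETH_FRAME_LEN || len + 3 > skb->len)`, with the literal 3 replaced by whatever header-size constant the driver already defines. The code that consumes `len` lies after the hunk, so the exact slack needs to be confirmed there.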
@@ -0,0 +1,79 @@ +From 6605cc67ca18b9d583eb96e18a20f5f4e726103c Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Mon, 14 Feb 2022 15:08:18 +0100 +Subject: USB: zaurus: support another broken Zaurus + +From: Oliver Neukum + +commit 6605cc67ca18b9d583eb96e18a20f5f4e726103c upstream. + +This SL-6000 says Direct Line, not Ethernet + +v2: added Reporter and Link + +Signed-off-by: Oliver Neukum +Reported-by: Ross Maynard +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215361 +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ether.c | 12 ++++++++++++ + drivers/net/usb/zaurus.c | 12 ++++++++++++ + 2 files changed, 24 insertions(+) + +--- a/drivers/net/usb/cdc_ether.c ++++ b/drivers/net/usb/cdc_ether.c +@@ -571,6 +571,11 @@ static const struct usb_device_id produc + .bInterfaceSubClass = USB_CDC_SUBCLASS_ETHERNET, \ + .bInterfaceProtocol = USB_CDC_PROTO_NONE + ++#define ZAURUS_FAKE_INTERFACE \ ++ .bInterfaceClass = USB_CLASS_COMM, \ ++ .bInterfaceSubClass = USB_CDC_SUBCLASS_MDLM, \ ++ .bInterfaceProtocol = USB_CDC_PROTO_NONE ++ + /* SA-1100 based Sharp Zaurus ("collie"), or compatible; + * wire-incompatible with true CDC Ethernet implementations. + * (And, it seems, needlessly so...) 
+@@ -626,6 +631,13 @@ static const struct usb_device_id produc + .driver_info = 0, + }, { + .match_flags = USB_DEVICE_ID_MATCH_INT_INFO ++ | USB_DEVICE_ID_MATCH_DEVICE, ++ .idVendor = 0x04DD, ++ .idProduct = 0x9032, /* SL-6000 */ ++ ZAURUS_FAKE_INTERFACE, ++ .driver_info = 0, ++}, { ++ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO + | USB_DEVICE_ID_MATCH_DEVICE, + .idVendor = 0x04DD, + /* reported with some C860 units */ +--- a/drivers/net/usb/zaurus.c ++++ b/drivers/net/usb/zaurus.c +@@ -256,6 +256,11 @@ static const struct usb_device_id produc + .bInterfaceSubClass = USB_CDC_SUBCLASS_ETHERNET, \ + .bInterfaceProtocol = USB_CDC_PROTO_NONE + ++#define ZAURUS_FAKE_INTERFACE \ ++ .bInterfaceClass = USB_CLASS_COMM, \ ++ .bInterfaceSubClass = USB_CDC_SUBCLASS_MDLM, \ ++ .bInterfaceProtocol = USB_CDC_PROTO_NONE ++ + /* SA-1100 based Sharp Zaurus ("collie"), or compatible. */ + { + .match_flags = USB_DEVICE_ID_MATCH_INT_INFO +@@ -315,6 +320,13 @@ static const struct usb_device_id produc + .driver_info = ZAURUS_PXA_INFO, + }, { + .match_flags = USB_DEVICE_ID_MATCH_INT_INFO ++ | USB_DEVICE_ID_MATCH_DEVICE, ++ .idVendor = 0x04DD, ++ .idProduct = 0x9032, /* SL-6000 */ ++ ZAURUS_FAKE_INTERFACE, ++ .driver_info = (unsigned long)&bogus_mdlm_info, ++}, { ++ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO + | USB_DEVICE_ID_MATCH_DEVICE, + .idVendor = 0x04DD, + /* reported with some C860 units */ -- 2.47.3
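Review bot: `ZAURUS_FAKE_INTERFACE` is defined twice with identical bodies, once in cdc_ether.c and once in zaurus.c, and neither copy says what is fake about the interface. Only the commit message explains that this SL-6000 reports "Direct Line" rather than Ethernet, so a comment above each definition would keep that reason next to the code, e.g. `/* SL-6000 advertises the MDLM (Direct Line) subclass instead of Ethernet */`. The two new table entries also form a pair: the cdc_ether.c one has `.driver_info = 0`, presumably so that driver leaves the device alone, while the zaurus.c one points at `bogus_mdlm_info`. A short cross-reference in each entry's comment would help keep them in step when one is edited. Both `products` tables begin and end outside these hunks.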