From patchwork Mon Jan 10 07:22:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531504 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 46594C433F5 for ; Mon, 10 Jan 2022 07:30:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239941AbiAJHaP (ORCPT ); Mon, 10 Jan 2022 02:30:15 -0500 Received: from dfw.source.kernel.org ([139.178.84.217]:36182 "EHLO dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240012AbiAJH2I (ORCPT ); Mon, 10 Jan 2022 02:28:08 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D05A0611AA; Mon, 10 Jan 2022 07:28:07 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B6E91C36AED; Mon, 10 Jan 2022 07:28:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799687; bh=iiwAMT1Wz0s8M/2Kfjrbib1DKw7Qzm0d8p/EiP5o7YY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tca9mFyEOR+X9pbf6kHQela3sw4fa3hGbjUrVFwxhOpIsznJ9tvVwKQVmk7yQlPDq /pzlIZh42Dr5iygAoyBtLGHleOi7ZKCGQA5oAtOj0eH0WPRzdZe6MP5EUO8uX14SdN 6MC36Ix3yELsyqd+sR2i0wF+LBdB4TCopNNj3rYw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nathan Chancellor Subject: [PATCH 5.4 02/34] Input: touchscreen - Fix backport of a02dcde595f7cbd240ccd64de96034ad91cffc40 Date: Mon, 10 Jan 2022 08:22:57 +0100 Message-Id: <20220110071815.735904662@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Nathan Chancellor Upstream commit a02dcde595f7 ("Input: touchscreen - avoid bitwise vs logical OR warning") was applied as commit f6e9e7be9b80 ("Input: touchscreen - avoid bitwise vs logical OR warning") in linux-5.4.y but it did not properly account for commit d9265e8a878a ("Input: of_touchscreen - add support for touchscreen-min-x|y"), which means the warning mentioned in the commit message is not fully fixed: drivers/input/touchscreen/of_touchscreen.c:78:17: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical] data_present = touchscreen_get_prop_u32(dev, "touchscreen-min-x", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/input/touchscreen/of_touchscreen.c:78:17: note: cast one or both operands to int to silence this warning drivers/input/touchscreen/of_touchscreen.c:92:17: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical] data_present = touchscreen_get_prop_u32(dev, "touchscreen-min-y", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/input/touchscreen/of_touchscreen.c:92:17: note: cast one or both operands to int to silence this warning 2 warnings generated. It seems like the 4.19 backport was applied to the 5.4 tree, which did not have any conflicts so no issue was noticed at that point. Fix up the backport to bring it more in line with the upstream version so that there is no warning. Fixes: f6e9e7be9b80 ("Input: touchscreen - avoid bitwise vs logical OR warning") Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman --- drivers/input/touchscreen/of_touchscreen.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/drivers/input/touchscreen/of_touchscreen.c +++ b/drivers/input/touchscreen/of_touchscreen.c @@ -77,8 +77,8 @@ void touchscreen_parse_properties(struct axis = multitouch ? ABS_MT_POSITION_X : ABS_X; data_present = touchscreen_get_prop_u32(dev, "touchscreen-min-x", input_abs_get_min(input, axis), - &minimum) | - touchscreen_get_prop_u32(dev, "touchscreen-size-x", + &minimum); + data_present |= touchscreen_get_prop_u32(dev, "touchscreen-size-x", input_abs_get_max(input, axis) + 1, &maximum); @@ -91,8 +91,8 @@ void touchscreen_parse_properties(struct axis = multitouch ? ABS_MT_POSITION_Y : ABS_Y; data_present = touchscreen_get_prop_u32(dev, "touchscreen-min-y", input_abs_get_min(input, axis), - &minimum) | - touchscreen_get_prop_u32(dev, "touchscreen-size-y", + &minimum); + data_present |= touchscreen_get_prop_u32(dev, "touchscreen-size-y", input_abs_get_max(input, axis) + 1, &maximum); From patchwork Mon Jan 10 07:22:58 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531505 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 357B9C433FE for ; Mon, 10 Jan 2022 07:30:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233789AbiAJHaM (ORCPT ); Mon, 10 Jan 2022 02:30:12 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:56806 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239546AbiAJH2M (ORCPT ); Mon, 10 Jan 2022 02:28:12 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 71DE2B8120F; Mon, 10 Jan 2022 07:28:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 905F1C36AE9; Mon, 10 Jan 2022 07:28:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799690; bh=9z4vPHpad6g3b7hVkTRWbqTSuWEc35ZyzvS9vo3vfAs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nqE01NNCQp1+Ku4vmOnvTvG/ryKLrMCd+aXHVcpK9xWhfOkb8w1Jnh1hyFBcKmk2M PEAlZefE+0djqqmDod7PI3Hl/E7UQYnblxrX8Tbr87XjFg+uFJ1C1NtY8lpxnT1nJr G/WG9R+CV/PNPZSEDGzaqPjeu8969dy31/UzDprw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Shuah Khan , Naresh Kamboju Subject: [PATCH 5.4 03/34] selftests: x86: fix [-Wstringop-overread] warn in test_process_vm_readv() Date: Mon, 10 Jan 2022 08:22:58 +0100 Message-Id: <20220110071815.771538163@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Shuah Khan commit dd40f44eabe1e122c6852fabb298aac05b083fce upstream. Fix the following [-Wstringop-overread] by passing in the variable instead of the value. test_vsyscall.c: In function ‘test_process_vm_readv’: test_vsyscall.c:500:22: warning: ‘__builtin_memcmp_eq’ specified bound 4096 exceeds source size 0 [-Wstringop-overread] 500 | if (!memcmp(buf, (const void *)0xffffffffff600000, 4096)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Shuah Khan Cc: Naresh Kamboju Signed-off-by: Greg Kroah-Hartman --- tools/testing/selftests/x86/test_vsyscall.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/tools/testing/selftests/x86/test_vsyscall.c +++ b/tools/testing/selftests/x86/test_vsyscall.c @@ -480,7 +480,7 @@ static int test_process_vm_readv(void) } if (vsyscall_map_r) { - if (!memcmp(buf, (const void *)0xffffffffff600000, 4096)) { + if (!memcmp(buf, remote.iov_base, sizeof(buf))) { printf("[OK]\tIt worked and read correct data\n"); } else { printf("[FAIL]\tIt worked but returned incorrect data\n"); From patchwork Mon Jan 10 07:23:02 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531489 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 567C7C433EF for ; Mon, 10 Jan 2022 07:32:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239889AbiAJHcF (ORCPT ); Mon, 10 Jan 2022 02:32:05 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:58092 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240070AbiAJH2Y (ORCPT ); Mon, 10 Jan 2022 02:28:24 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C407BB81211; Mon, 10 Jan 2022 07:28:22 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id ED8C5C36AE9; Mon, 10 Jan 2022 07:28:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799701; bh=bOAqiS43WsOTF10mso47tS6oxlOJDrSUMlDHatGCKEs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=X1Mzf+Yn1ofgXpKRld4k1kwRerHjEBvTzA1keUOkkfCt3jPbnpI3D5afVqj+mU9U8 IyoLCrx3PU7lXA9Wig+m/g/1QmI8MLSck20U8SvAOvIjsFM7+apYp1IKwX2A7kzHak BVHnOCGtSFAcTOCot/wV7RG8IfCJUz92N/2YhJ20= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ashwin Vijayavel , Karen Sornek , Konrad Jankowski , Tony Nguyen Subject: [PATCH 5.4 07/34] iavf: Fix limit of total number of queues to active queues of VF Date: Mon, 10 Jan 2022 08:23:02 +0100 Message-Id: <20220110071815.897462914@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Karen Sornek commit b712941c8085e638bb92456e866ed3de4404e3d5 upstream. In the absence of this validation, if the user requests to configure queues more than the enabled queues, it results in sending the requested number of queues to the kernel stack (due to the asynchronous nature of VF response), in which case the stack might pick a queue to transmit that is not enabled and result in Tx hang. Fix this bug by limiting the total number of queues allocated for VF to active queues of VF. Fixes: d5b33d024496 ("i40evf: add ndo_setup_tc callback to i40evf") Signed-off-by: Ashwin Vijayavel Signed-off-by: Karen Sornek Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/intel/iavf/iavf_main.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/drivers/net/ethernet/intel/iavf/iavf_main.c +++ b/drivers/net/ethernet/intel/iavf/iavf_main.c @@ -2604,8 +2604,11 @@ static int iavf_validate_ch_config(struc total_max_rate += tx_rate; num_qps += mqprio_qopt->qopt.count[i]; } - if (num_qps > IAVF_MAX_REQ_QUEUES) + if (num_qps > adapter->num_active_queues) { + dev_err(&adapter->pdev->dev, + "Cannot support requested number of queues\n"); return -EINVAL; + } ret = iavf_validate_tx_bandwidth(adapter, total_max_rate); return ret; From patchwork Mon Jan 10 07:23:04 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531503 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D450EC4332F for ; Mon, 10 Jan 2022 07:30:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240284AbiAJHaa (ORCPT ); Mon, 10 Jan 2022 02:30:30 -0500 Received: from dfw.source.kernel.org ([139.178.84.217]:38028 "EHLO dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240081AbiAJH22 (ORCPT ); Mon, 10 Jan 2022 02:28:28 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B23C8611C9; Mon, 10 Jan 2022 07:28:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 97EF9C36AE9; Mon, 10 Jan 2022 07:28:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799707; bh=WLcjkDH0MA5Ws7HBfmZfW8Pr+NSz5/fPbxZShZIadus=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=y6ylJ21a726y9kFRVTpyhQHT6A7NfAzw/eGdxuhF4gWpe2zyNYmWA7TeGnN/ydd1/ YyE2ptOchsJjT5QXiffXY7HKJEt7hUFByFD5DMIsftr375MrtKOHpxniDrT71zc3BB 0Kh+Wv0rSAxqLN0j9ZvtwLO9TcJww5ueGlsxGJpg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jiasheng Jiang , Leon Romanovsky , Jason Gunthorpe Subject: [PATCH 5.4 09/34] RDMA/uverbs: Check for null return of kmalloc_array Date: Mon, 10 Jan 2022 08:23:04 +0100 Message-Id: <20220110071815.967327967@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Jiasheng Jiang commit 7694a7de22c53a312ea98960fcafc6ec62046531 upstream. Because of the possible failure of the allocation, data might be NULL pointer and will cause the dereference of the NULL pointer later. Therefore, it might be better to check it and return -ENOMEM. Fixes: 6884c6c4bd09 ("RDMA/verbs: Store the write/write_ex uapi entry points in the uverbs_api") Link: https://lore.kernel.org/r/20211231093315.1917667-1-jiasheng@iscas.ac.cn Signed-off-by: Jiasheng Jiang Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/core/uverbs_uapi.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/infiniband/core/uverbs_uapi.c +++ b/drivers/infiniband/core/uverbs_uapi.c @@ -450,6 +450,9 @@ static int uapi_finalize(struct uverbs_a uapi->num_write_ex = max_write_ex + 1; data = kmalloc_array(uapi->num_write + uapi->num_write_ex, sizeof(*uapi->write_methods), GFP_KERNEL); + if (!data) + return -ENOMEM; + for (i = 0; i != uapi->num_write + uapi->num_write_ex; i++) data[i] = &uapi->notsupp_method; uapi->write_methods = data; From patchwork Mon Jan 10 07:23:06 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531507 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C8AADC4332F for ; Mon, 10 Jan 2022 07:30:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239427AbiAJHaJ (ORCPT ); Mon, 10 Jan 2022 02:30:09 -0500 Received: from dfw.source.kernel.org ([139.178.84.217]:36178 "EHLO dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239536AbiAJH17 (ORCPT ); Mon, 10 Jan 2022 02:27:59 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 66B59611EC; Mon, 10 Jan 2022 07:27:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4D80DC36AED; Mon, 10 Jan 2022 07:27:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799678; bh=LkCMpxp7In/MPx9LiMkILMu1+LY++XK6Yts1zoTFPOM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=0Ft6oUr3yFEHSdJHcCqVcHFS1/w11LgzfXi5SlQFWM9SkxNL1lcxRmVGWKJRUZpT/ oltMwpXprYk50OE+1lzRkzHd36AZleEuWmeFuez10RLdDmI4znjzAM3e1Ag3Crnv9B 6mxNRhjxPkzwhZimvdUkTF8CM2IyMjib0b0mRE7E= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Di Zhu , Rui Zhang , Gurucharan G , Tony Nguyen Subject: [PATCH 5.4 11/34] i40e: fix use-after-free in i40e_sync_filters_subtask() Date: Mon, 10 Jan 2022 08:23:06 +0100 Message-Id: <20220110071816.028374195@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Di Zhu commit 3116f59c12bd24c513194cd3acb3ec1f7d468954 upstream. Using ifconfig command to delete the ipv6 address will cause the i40e network card driver to delete its internal mac_filter and i40e_service_task kernel thread will concurrently access the mac_filter. These two processes are not protected by lock so causing the following use-after-free problems. print_address_description+0x70/0x360 ? vprintk_func+0x5e/0xf0 kasan_report+0x1b2/0x330 i40e_sync_vsi_filters+0x4f0/0x1850 [i40e] i40e_sync_filters_subtask+0xe3/0x130 [i40e] i40e_service_task+0x195/0x24c0 [i40e] process_one_work+0x3f5/0x7d0 worker_thread+0x61/0x6c0 ? process_one_work+0x7d0/0x7d0 kthread+0x1c3/0x1f0 ? kthread_park+0xc0/0xc0 ret_from_fork+0x35/0x40 Allocated by task 2279810: kasan_kmalloc+0xa0/0xd0 kmem_cache_alloc_trace+0xf3/0x1e0 i40e_add_filter+0x127/0x2b0 [i40e] i40e_add_mac_filter+0x156/0x190 [i40e] i40e_addr_sync+0x2d/0x40 [i40e] __hw_addr_sync_dev+0x154/0x210 i40e_set_rx_mode+0x6d/0xf0 [i40e] __dev_set_rx_mode+0xfb/0x1f0 __dev_mc_add+0x6c/0x90 igmp6_group_added+0x214/0x230 __ipv6_dev_mc_inc+0x338/0x4f0 addrconf_join_solict.part.7+0xa2/0xd0 addrconf_dad_work+0x500/0x980 process_one_work+0x3f5/0x7d0 worker_thread+0x61/0x6c0 kthread+0x1c3/0x1f0 ret_from_fork+0x35/0x40 Freed by task 2547073: __kasan_slab_free+0x130/0x180 kfree+0x90/0x1b0 __i40e_del_filter+0xa3/0xf0 [i40e] i40e_del_mac_filter+0xf3/0x130 [i40e] i40e_addr_unsync+0x85/0xa0 [i40e] __hw_addr_sync_dev+0x9d/0x210 i40e_set_rx_mode+0x6d/0xf0 [i40e] __dev_set_rx_mode+0xfb/0x1f0 __dev_mc_del+0x69/0x80 igmp6_group_dropped+0x279/0x510 __ipv6_dev_mc_dec+0x174/0x220 addrconf_leave_solict.part.8+0xa2/0xd0 __ipv6_ifa_notify+0x4cd/0x570 ipv6_ifa_notify+0x58/0x80 ipv6_del_addr+0x259/0x4a0 inet6_addr_del+0x188/0x260 addrconf_del_ifaddr+0xcc/0x130 inet6_ioctl+0x152/0x190 sock_do_ioctl+0xd8/0x2b0 sock_ioctl+0x2e5/0x4c0 do_vfs_ioctl+0x14e/0xa80 ksys_ioctl+0x7c/0xa0 __x64_sys_ioctl+0x42/0x50 do_syscall_64+0x98/0x2c0 entry_SYSCALL_64_after_hwframe+0x65/0xca Fixes: 41c445ff0f48 ("i40e: main driver core") Signed-off-by: Di Zhu Signed-off-by: Rui Zhang Tested-by: Gurucharan G Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/intel/i40e/i40e_main.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) --- a/drivers/net/ethernet/intel/i40e/i40e_main.c +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c @@ -107,6 +107,24 @@ MODULE_VERSION(DRV_VERSION); static struct workqueue_struct *i40e_wq; +static void netdev_hw_addr_refcnt(struct i40e_mac_filter *f, + struct net_device *netdev, int delta) +{ + struct netdev_hw_addr *ha; + + if (!f || !netdev) + return; + + netdev_for_each_mc_addr(ha, netdev) { + if (ether_addr_equal(ha->addr, f->macaddr)) { + ha->refcount += delta; + if (ha->refcount <= 0) + ha->refcount = 1; + break; + } + } +} + /** * i40e_allocate_dma_mem_d - OS specific memory alloc for shared code * @hw: pointer to the HW structure @@ -2022,6 +2040,7 @@ static void i40e_undo_add_filter_entries hlist_for_each_entry_safe(new, h, from, hlist) { /* We can simply free the wrapper structure */ hlist_del(&new->hlist); + netdev_hw_addr_refcnt(new->f, vsi->netdev, -1); kfree(new); } } @@ -2369,6 +2388,10 @@ int i40e_sync_vsi_filters(struct i40e_vs &tmp_add_list, &tmp_del_list, vlan_filters); + + hlist_for_each_entry(new, &tmp_add_list, hlist) + netdev_hw_addr_refcnt(new->f, vsi->netdev, 1); + if (retval) goto err_no_memory_locked; @@ -2501,6 +2524,7 @@ int i40e_sync_vsi_filters(struct i40e_vs if (new->f->state == I40E_FILTER_NEW) new->f->state = new->state; hlist_del(&new->hlist); + netdev_hw_addr_refcnt(new->f, vsi->netdev, -1); kfree(new); } spin_unlock_bh(&vsi->mac_filter_hash_lock); From patchwork Mon Jan 10 07:23:07 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531502 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EBA29C43217 for ; Mon, 10 Jan 2022 07:30:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240455AbiAJHaj (ORCPT ); Mon, 10 Jan 2022 02:30:39 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:57920 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239998AbiAJH2E (ORCPT ); Mon, 10 Jan 2022 02:28:04 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id CFF62B81205; Mon, 10 Jan 2022 07:28:02 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1F9B2C36AE9; Mon, 10 Jan 2022 07:28:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799681; bh=/UEPMbtShXn5pcYLecF9tRLU9B6bfwJpFLPXCUE1fes=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Mwbw8H3r/3Fl69O57dAvj88O3VBkzVXykrJx0t3ibsh9i+dLMeVpKHkmALVAlHSbk K+D1EXN2lqclATNksjmCfuujlzFJuIZp9+ExnYWrazq8XQIaxw1IFkV4HXCDFJKNYV h0cAt4XsTbC1rmD6kkid0vFp2CnOUraO84mhiNto= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mateusz Palczewski , Gurucharan G , Tony Nguyen Subject: [PATCH 5.4 12/34] i40e: Fix for displaying message regarding NVM version Date: Mon, 10 Jan 2022 08:23:07 +0100 Message-Id: <20220110071816.059667607@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Mateusz Palczewski commit 40feded8a247f95957a0de9abd100085fb320a2f upstream. When loading the i40e driver, it prints a message like: 'The driver for the device detected a newer version of the NVM image v1.x than expected v1.y. Please install the most recent version of the network driver.' This is misleading as the driver is working as expected. Fix that by removing the second part of message and changing it from dev_info to dev_dbg. Fixes: 4fb29bddb57f ("i40e: The driver now prints the API version in error message") Signed-off-by: Mateusz Palczewski Tested-by: Gurucharan G Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/intel/i40e/i40e_main.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/net/ethernet/intel/i40e/i40e_main.c +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c @@ -15036,8 +15036,8 @@ static int i40e_probe(struct pci_dev *pd if (hw->aq.api_maj_ver == I40E_FW_API_VERSION_MAJOR && hw->aq.api_min_ver > I40E_FW_MINOR_VERSION(hw)) - dev_info(&pdev->dev, - "The driver for the device detected a newer version of the NVM image v%u.%u than expected v%u.%u. Please install the most recent version of the network driver.\n", + dev_dbg(&pdev->dev, + "The driver for the device detected a newer version of the NVM image v%u.%u than v%u.%u.\n", hw->aq.api_maj_ver, hw->aq.api_min_ver, I40E_FW_API_VERSION_MAJOR, From patchwork Mon Jan 10 07:23:08 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531452 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 54A9AC433FE for ; Mon, 10 Jan 2022 07:37:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240617AbiAJHhT (ORCPT ); Mon, 10 Jan 2022 02:37:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49466 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240110AbiAJHaa (ORCPT ); Mon, 10 Jan 2022 02:30:30 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A77E3C0258FC; Sun, 9 Jan 2022 23:28:05 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 15461611C6; Mon, 10 Jan 2022 07:28:05 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E4A40C36AED; Mon, 10 Jan 2022 07:28:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799684; bh=WMpkxc9IKw+HjwcC89h8QY3Vq5sPASl/UHPfzpKfHBQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ASDGKNRmD+WHRACNJy8CjTmEqA2ZCtcY+P9WY7SYsp23Wj+wezngHKMBqNS7pHft1 ryHEkdmgToPjdhQspco69FOnwRI36IE6JKExv42eDE8mTKkoSLfC+Hkq0KVECS6Ldq XR5ObokSdigQLa/74okAXcsQVUW4j0uEaQitCADs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Lukasz Cieplicki , Jedrzej Jagielski , Gurucharan G , Tony Nguyen Subject: [PATCH 5.4 13/34] i40e: Fix incorrect netdevs real number of RX/TX queues Date: Mon, 10 Jan 2022 08:23:08 +0100 Message-Id: <20220110071816.092152297@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Jedrzej Jagielski commit e738451d78b2f8a9635d66c6a87f304b4d965f7a upstream. There was a wrong queues representation in sysfs during driver's reinitialization in case of online cpus number is less than combined queues. It was caused by stopped NetworkManager, which is responsible for calling vsi_open function during driver's initialization. In specific situation (ex. 12 cpus online) there were 16 queues in /sys/class/net//queues. In case of modifying queues with value higher, than number of online cpus, then it caused write errors and other errors. Add updating of sysfs's queues representation during driver initialization. Fixes: 41c445ff0f48 ("i40e: main driver core") Signed-off-by: Lukasz Cieplicki Signed-off-by: Jedrzej Jagielski Tested-by: Gurucharan G Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/intel/i40e/i40e_main.c | 32 +++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) --- a/drivers/net/ethernet/intel/i40e/i40e_main.c +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c @@ -8327,6 +8327,27 @@ int i40e_open(struct net_device *netdev) } /** + * i40e_netif_set_realnum_tx_rx_queues - Update number of tx/rx queues + * @vsi: vsi structure + * + * This updates netdev's number of tx/rx queues + * + * Returns status of setting tx/rx queues + **/ +static int i40e_netif_set_realnum_tx_rx_queues(struct i40e_vsi *vsi) +{ + int ret; + + ret = netif_set_real_num_rx_queues(vsi->netdev, + vsi->num_queue_pairs); + if (ret) + return ret; + + return netif_set_real_num_tx_queues(vsi->netdev, + vsi->num_queue_pairs); +} + +/** * i40e_vsi_open - * @vsi: the VSI to open * @@ -8362,13 +8383,7 @@ int i40e_vsi_open(struct i40e_vsi *vsi) goto err_setup_rx; /* Notify the stack of the actual queue counts. */ - err = netif_set_real_num_tx_queues(vsi->netdev, - vsi->num_queue_pairs); - if (err) - goto err_set_queues; - - err = netif_set_real_num_rx_queues(vsi->netdev, - vsi->num_queue_pairs); + err = i40e_netif_set_realnum_tx_rx_queues(vsi); if (err) goto err_set_queues; @@ -13792,6 +13807,9 @@ struct i40e_vsi *i40e_vsi_setup(struct i ret = i40e_config_netdev(vsi); if (ret) goto err_netdev; + ret = i40e_netif_set_realnum_tx_rx_queues(vsi); + if (ret) + goto err_netdev; ret = register_netdev(vsi->netdev); if (ret) goto err_netdev; From patchwork Mon Jan 10 07:23:09 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531494 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B77B6C433F5 for ; Mon, 10 Jan 2022 07:31:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239361AbiAJHba (ORCPT ); Mon, 10 Jan 2022 02:31:30 -0500 Received: from dfw.source.kernel.org ([139.178.84.217]:38784 "EHLO dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240230AbiAJH33 (ORCPT ); Mon, 10 Jan 2022 02:29:29 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8A727611B8; Mon, 10 Jan 2022 07:29:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6D2BBC36AE9; Mon, 10 Jan 2022 07:29:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799769; bh=12lybpMKHhawVt8MCae9nzetMzfc8flqHe6kQ8r7dZc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OEQ53VrR8YXH4XESK6T9xkPdUEKSC3LJoJLBuPgJyiVl0LFjsDMOWtOVuypYN1YM4 4OO/1ACjofbBibGQ6l2O5VFqtiecYe+6AHp3C0Z4S80R5TLZd1e9I7XL9kriFdyCym 9LqiyhswQuLFUbGvcOwLaSXL9SDGDTuSAEd1Mv6g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+d4b9a2851cc3ce998741@syzkaller.appspotmail.com, David Ahern , Thomas Graf , "David S. Miller" Subject: [PATCH 5.4 14/34] ipv4: Check attribute length for RTA_GATEWAY in multipath route Date: Mon, 10 Jan 2022 08:23:09 +0100 Message-Id: <20220110071816.131748180@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: David Ahern commit 7a3429bace0e08d94c39245631ea6bc109dafa49 upstream. syzbot reported uninit-value: ============================================================ BUG: KMSAN: uninit-value in fib_get_nhs+0xac4/0x1f80 net/ipv4/fib_semantics.c:708 fib_get_nhs+0xac4/0x1f80 net/ipv4/fib_semantics.c:708 fib_create_info+0x2411/0x4870 net/ipv4/fib_semantics.c:1453 fib_table_insert+0x45c/0x3a10 net/ipv4/fib_trie.c:1224 inet_rtm_newroute+0x289/0x420 net/ipv4/fib_frontend.c:886 Add helper to validate RTA_GATEWAY length before using the attribute. Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config") Reported-by: syzbot+d4b9a2851cc3ce998741@syzkaller.appspotmail.com Signed-off-by: David Ahern Cc: Thomas Graf Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/fib_semantics.c | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c @@ -654,6 +654,19 @@ static int fib_count_nexthops(struct rtn return nhs; } +static int fib_gw_from_attr(__be32 *gw, struct nlattr *nla, + struct netlink_ext_ack *extack) +{ + if (nla_len(nla) < sizeof(*gw)) { + NL_SET_ERR_MSG(extack, "Invalid IPv4 address in RTA_GATEWAY"); + return -EINVAL; + } + + *gw = nla_get_in_addr(nla); + + return 0; +} + /* only called when fib_nh is integrated into fib_info */ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh, int remaining, struct fib_config *cfg, @@ -696,7 +709,11 @@ static int fib_get_nhs(struct fib_info * return -EINVAL; } if (nla) { - fib_cfg.fc_gw4 = nla_get_in_addr(nla); + ret = fib_gw_from_attr(&fib_cfg.fc_gw4, nla, + extack); + if (ret) + goto errout; + if (fib_cfg.fc_gw4) fib_cfg.fc_gw_family = AF_INET; } else if (nlav) { @@ -894,6 +911,7 @@ int fib_nh_match(struct fib_config *cfg, attrlen = rtnh_attrlen(rtnh); if (attrlen > 0) { struct nlattr *nla, *nlav, *attrs = rtnh_attrs(rtnh); + int err; nla = nla_find(attrs, attrlen, RTA_GATEWAY); nlav = nla_find(attrs, attrlen, RTA_VIA); @@ -904,12 +922,17 @@ int fib_nh_match(struct fib_config *cfg, } if (nla) { + __be32 gw; + + err = fib_gw_from_attr(&gw, nla, extack); + if (err) + return err; + if (nh->fib_nh_gw_family != AF_INET || - nla_get_in_addr(nla) != nh->fib_nh_gw4) + gw != nh->fib_nh_gw4) return 1; } else if (nlav) { struct fib_config cfg2; - int err; err = fib_gw_from_via(&cfg2, nlav, extack); if (err) From patchwork Mon Jan 10 07:23:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531470 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40166C433EF for ; Mon, 10 Jan 2022 07:36:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241288AbiAJHga (ORCPT ); Mon, 10 Jan 2022 02:36:30 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49936 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240780AbiAJHcb (ORCPT ); Mon, 10 Jan 2022 02:32:31 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 82968C0254B1; Sun, 9 Jan 2022 23:29:04 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 213A9611A3; Mon, 10 Jan 2022 07:29:04 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0BE40C36AE9; Mon, 10 Jan 2022 07:29:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799743; bh=AkrxHaMRo/TSJY2VFau0GMMQ6yV9ELrLc7kZ1D4eIFY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=NI2XH2S1WWbIU194i/3P5JBCm9idh1+eS516eR+DLYkhQe85T3slsqn8r2316bgOR hqFNac+lc+j3LLoa0Amwz2jZ9XSv4m/bEcCunG52GMVUcE1d78hzJeYI7hcrnbK+h2 ocxR1Iv9WP58sxdUamgy4hnGSf5DQzMZ7hPzFkxY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Ahern , Nicolas Dichtel , "David S. Miller" Subject: [PATCH 5.4 16/34] ipv6: Check attribute length for RTA_GATEWAY in multipath route Date: Mon, 10 Jan 2022 08:23:11 +0100 Message-Id: <20220110071816.202666833@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: David Ahern commit 4619bcf91399f00a40885100fb61d594d8454033 upstream. Commit referenced in the Fixes tag used nla_memcpy for RTA_GATEWAY as does the current nla_get_in6_addr. nla_memcpy protects against accessing memory greater than what is in the attribute, but there is no check requiring the attribute to have an IPv6 address. Add it. Fixes: 51ebd3181572 ("ipv6: add support of equal cost multipath (ECMP)") Signed-off-by: David Ahern Cc: Nicolas Dichtel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv6/route.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -5092,6 +5092,19 @@ static void ip6_route_mpath_notify(struc inet6_rt_notify(RTM_NEWROUTE, rt, info, nlflags); } +static int fib6_gw_from_attr(struct in6_addr *gw, struct nlattr *nla, + struct netlink_ext_ack *extack) +{ + if (nla_len(nla) < sizeof(*gw)) { + NL_SET_ERR_MSG(extack, "Invalid IPv6 address in RTA_GATEWAY"); + return -EINVAL; + } + + *gw = nla_get_in6_addr(nla); + + return 0; +} + static int ip6_route_multipath_add(struct fib6_config *cfg, struct netlink_ext_ack *extack) { @@ -5133,7 +5146,13 @@ static int ip6_route_multipath_add(struc nla = nla_find(attrs, attrlen, RTA_GATEWAY); if (nla) { - r_cfg.fc_gateway = nla_get_in6_addr(nla); + int ret; + + ret = fib6_gw_from_attr(&r_cfg.fc_gateway, nla, + extack); + if (ret) + return ret; + r_cfg.fc_flags |= RTF_GATEWAY; } r_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP); From patchwork Mon Jan 10 07:23:15 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531453 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E73E7C433FE for ; Mon, 10 Jan 2022 07:37:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240098AbiAJHhQ (ORCPT ); Mon, 10 Jan 2022 02:37:16 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49722 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240536AbiAJHdm (ORCPT ); Mon, 10 Jan 2022 02:33:42 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1CE1EC02547B; Sun, 9 Jan 2022 23:29:20 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id D2077B81216; Mon, 10 Jan 2022 07:29:18 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 232ADC36AF2; Mon, 10 Jan 2022 07:29:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799757; bh=hL96LzpfoO4m5GZoFJEaCllaxcBAZKgk4otdKobchbs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PvZtZsIoqle3mPMaWn6F5ogYmErUtSt20h0tsh5jCxuOfDIVCuzWVAfHxhnfydOk/ u8zlaN7PaJPhHkOKpWxPq3Y9FZiHMf0edLYtIJpWvcl6HKnAnYg5tbKXdincPwR6cP rb35X4/B58a4lN+kfyRTatrX18eOZpnOmA2yf4aY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , syzbot , "David S. Miller" Subject: [PATCH 5.4 20/34] sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc Date: Mon, 10 Jan 2022 08:23:15 +0100 Message-Id: <20220110071816.328717861@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Eric Dumazet commit 7d18a07897d07495ee140dd319b0e9265c0f68ba upstream. tx_queue_len can be set to ~0U, we need to be more careful about overflows. __fls(0) is undefined, as this report shows: UBSAN: shift-out-of-bounds in net/sched/sch_qfq.c:1430:24 shift exponent 51770272 is too large for 32-bit type 'int' CPU: 0 PID: 25574 Comm: syz-executor.0 Not tainted 5.16.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x201/0x2d8 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_shift_out_of_bounds+0x494/0x530 lib/ubsan.c:330 qfq_init_qdisc+0x43f/0x450 net/sched/sch_qfq.c:1430 qdisc_create+0x895/0x1430 net/sched/sch_api.c:1253 tc_modify_qdisc+0x9d9/0x1e20 net/sched/sch_api.c:1660 rtnetlink_rcv_msg+0x934/0xe60 net/core/rtnetlink.c:5571 netlink_rcv_skb+0x200/0x470 net/netlink/af_netlink.c:2496 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x814/0x9f0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0xaea/0xe60 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg net/socket.c:724 [inline] ____sys_sendmsg+0x5b9/0x910 net/socket.c:2409 ___sys_sendmsg net/socket.c:2463 [inline] __sys_sendmsg+0x280/0x370 net/socket.c:2492 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sched/sch_qfq.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/net/sched/sch_qfq.c +++ b/net/sched/sch_qfq.c @@ -1421,10 +1421,8 @@ static int qfq_init_qdisc(struct Qdisc * if (err < 0) return err; - if (qdisc_dev(sch)->tx_queue_len + 1 > QFQ_MAX_AGG_CLASSES) - max_classes = QFQ_MAX_AGG_CLASSES; - else - max_classes = qdisc_dev(sch)->tx_queue_len + 1; + max_classes = min_t(u64, (u64)qdisc_dev(sch)->tx_queue_len + 1, + QFQ_MAX_AGG_CLASSES); /* max_cl_shift = floor(log_2(max_classes)) */ max_cl_shift = __fls(max_classes); q->max_agg_classes = 1< X-Patchwork-Id: 531495 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23D70C433EF for ; Mon, 10 Jan 2022 07:31:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239364AbiAJHb1 (ORCPT ); Mon, 10 Jan 2022 02:31:27 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:58728 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239870AbiAJH3Z (ORCPT ); Mon, 10 Jan 2022 02:29:25 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 9DA5AB81213; Mon, 10 Jan 2022 07:29:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C87B6C36AED; Mon, 10 Jan 2022 07:29:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799763; bh=MMf2f0vu4IA7Jv+sYOUZISp3xfdeyBIn8UYYq1OeSGE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dWBTCVrV0RPIdZUhrT/ja8gHJiaC6gXreZlfAGXAZYTaeB76SesMk6+Egn+qwJtCd Zg8onD5cJTsu4Y/YXcHO+unG7H+8RRggxhuwMKic4HDzOf6zBQpD/TXboa2wHitdFN cZcCS2xIgaM5cQbfL9iG6mZOTb9uskZqsDqlbueM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kirill Tkhai , "Darrick J. Wong" , "Darrick J. Wong" , Dave Chinner , Eric Sandeen Subject: [PATCH 5.4 22/34] xfs: map unwritten blocks in XFS_IOC_{ALLOC, FREE}SP just like fallocate Date: Mon, 10 Jan 2022 08:23:17 +0100 Message-Id: <20220110071816.398154419@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Darrick J. Wong commit 983d8e60f50806f90534cc5373d0ce867e5aaf79 upstream. The old ALLOCSP/FREESP ioctls in XFS can be used to preallocate space at the end of files, just like fallocate and RESVSP. Make the behavior consistent with the other ioctls. Reported-by: Kirill Tkhai Signed-off-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Reviewed-by: Eric Sandeen Signed-off-by: Greg Kroah-Hartman --- fs/xfs/xfs_ioctl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c @@ -714,7 +714,8 @@ xfs_ioc_space( flags |= XFS_PREALLOC_CLEAR; if (bf->l_start > XFS_ISIZE(ip)) { error = xfs_alloc_file_space(ip, XFS_ISIZE(ip), - bf->l_start - XFS_ISIZE(ip), 0); + bf->l_start - XFS_ISIZE(ip), + XFS_BMAPI_PREALLOC); if (error) goto out_unlock; } From patchwork Mon Jan 10 07:23:18 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531461 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4EBD3C433EF for ; Mon, 10 Jan 2022 07:36:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240151AbiAJHgo (ORCPT ); Mon, 10 Jan 2022 02:36:44 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50382 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240689AbiAJHe1 (ORCPT ); Mon, 10 Jan 2022 02:34:27 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1F649C0253F3; Sun, 9 Jan 2022 23:29:27 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B1C19611B8; Mon, 10 Jan 2022 07:29:26 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 97BDDC36AE9; Mon, 10 Jan 2022 07:29:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799766; bh=T4ILPO1fB42eaV/zg5w/6VGIqmncqSWYw9giVFpEtpE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IzpW+4B3lfEAQpg6/Q0KXXuWjAvbt3sdqRrVjUcxPFGektBE7ZQsHZ7dBmVenxhD6 3z4ncF+AhLnDWV/vf57Z/TuMtN/Rut+nv9as0OH80Scy93XmaWW9ySZ7wNuoT08d+z qQj39I8otaEAWrbPlex7qvuy/3C+Jw5JBtT/5J+c= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Chunyan Zhang , Baolin Wang , Linus Walleij , Sebastian Reichel Subject: [PATCH 5.4 23/34] power: supply: core: Break capacity loop Date: Mon, 10 Jan 2022 08:23:18 +0100 Message-Id: <20220110071816.436348315@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Linus Walleij commit 51c7b6a0398f54b9120795796a4cff4fc9634f7d upstream. We should not go on looking for more capacity tables after we realize we have looked at the last one in power_supply_find_ocv2cap_table(). Fixes: 3afb50d7125b ("power: supply: core: Add some helpers to use the battery OCV capacity table") Cc: Chunyan Zhang Cc: Baolin Wang Signed-off-by: Linus Walleij Reviewed-by: Baolin Wang Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman --- drivers/power/supply/power_supply_core.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/power/supply/power_supply_core.c +++ b/drivers/power/supply/power_supply_core.c @@ -742,6 +742,10 @@ power_supply_find_ocv2cap_table(struct p return NULL; for (i = 0; i < POWER_SUPPLY_OCV_TEMP_MAX; i++) { + /* Out of capacity tables */ + if (!info->ocv_table[i]) + break; + temp_diff = abs(info->ocv_temp[i] - temp); if (temp_diff < best_temp_diff) { From patchwork Mon Jan 10 07:23:19 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531474 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DEAC0C433EF for ; Mon, 10 Jan 2022 07:34:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239906AbiAJHe3 (ORCPT ); Mon, 10 Jan 2022 02:34:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49900 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239401AbiAJHc2 (ORCPT ); Mon, 10 Jan 2022 02:32:28 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6D86EC03325A; Sun, 9 Jan 2022 23:28:36 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0FF0A611B7; Mon, 10 Jan 2022 07:28:36 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E948BC36AE9; Mon, 10 Jan 2022 07:28:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799715; bh=lqWkFxXzeHiiWiphwCk/OALmbWCz2eduk0uhpTPGqAY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UHhf3Q1OIhlFYXFVFL8O2/j8cAmOXb8aVVakr/63it7CAscLS6BlMln8DVeNXRNwM vLg7WbD6oBPdaKUjdz6PpauvNIUDJDccuClYWXwXunhSD6jX8gkKvnXcAetVjSZxZx q2qf5GMEzK6m5TykWmsnrbLrhhMXwVYBuqU/Pm10= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nathan Chancellor , Nick Desaulniers , Sebastian Reichel Subject: [PATCH 5.4 24/34] power: reset: ltc2952: Fix use of floating point literals Date: Mon, 10 Jan 2022 08:23:19 +0100 Message-Id: <20220110071816.473962166@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Nathan Chancellor commit 644106cdb89844be2496b21175b7c0c2e0fab381 upstream. A new commit in LLVM causes an error on the use of 'long double' when '-mno-x87' is used, which the kernel does through an alias, '-mno-80387' (see the LLVM commit below for more details around why it does this). drivers/power/reset/ltc2952-poweroff.c:162:28: error: expression requires 'long double' type support, but target 'x86_64-unknown-linux-gnu' does not support it data->wde_interval = 300L * 1E6L; ^ drivers/power/reset/ltc2952-poweroff.c:162:21: error: expression requires 'long double' type support, but target 'x86_64-unknown-linux-gnu' does not support it data->wde_interval = 300L * 1E6L; ^ drivers/power/reset/ltc2952-poweroff.c:163:41: error: expression requires 'long double' type support, but target 'x86_64-unknown-linux-gnu' does not support it data->trigger_delay = ktime_set(2, 500L*1E6L); ^ 3 errors generated. This happens due to the use of a 'long double' literal. The 'E6' part of '1E6L' causes the literal to be a 'double' then the 'L' suffix promotes it to 'long double'. There is no visible reason for floating point values in this driver, as the values are only assigned to integer types. Use NSEC_PER_MSEC, which is the same integer value as '1E6L', to avoid changing functionality but fix the error. Fixes: 6647156c00cc ("power: reset: add LTC2952 poweroff driver") Link: https://github.com/ClangBuiltLinux/linux/issues/1497 Link: https://github.com/llvm/llvm-project/commit/a8083d42b1c346e21623a1d36d1f0cadd7801d83 Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman --- drivers/power/reset/ltc2952-poweroff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/power/reset/ltc2952-poweroff.c +++ b/drivers/power/reset/ltc2952-poweroff.c @@ -160,8 +160,8 @@ static void ltc2952_poweroff_kill(void) static void ltc2952_poweroff_default(struct ltc2952_poweroff *data) { - data->wde_interval = 300L * 1E6L; - data->trigger_delay = ktime_set(2, 500L*1E6L); + data->wde_interval = 300L * NSEC_PER_MSEC; + data->trigger_delay = ktime_set(2, 500L * NSEC_PER_MSEC); hrtimer_init(&data->timer_trigger, CLOCK_MONOTONIC, HRTIMER_MODE_REL); data->timer_trigger.function = ltc2952_poweroff_timer_trigger; From patchwork Mon Jan 10 07:23:21 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531455 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 490F6C433EF for ; Mon, 10 Jan 2022 07:37:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240200AbiAJHhN (ORCPT ); Mon, 10 Jan 2022 02:37:13 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49908 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240738AbiAJHca (ORCPT ); Mon, 10 Jan 2022 02:32:30 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1AACCC033275; Sun, 9 Jan 2022 23:28:42 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B1679611B8; Mon, 10 Jan 2022 07:28:41 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 91F20C36AED; Mon, 10 Jan 2022 07:28:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799721; bh=3Ickka+6v+gJYj2pcGsavEYdwSot3ss+0+8d/9R7JoQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fZ2OXnXM+gPms8P9c0PO1r79obdNvOqBuXlRPGHwJNPu31Lkpzabh3fvIPJs3aH8X KgXMEqB4QICsMyDCsjx9/sw5/cs5qW8JnpOCBTxmVZOJ2MAg4cZCAieIQUApbRqJv+ 5n8oPwSzjj53ctyi3xKlS0OONEBAmdjCCE8LzhRE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hangyu Hua , Jakub Kicinski , Aayush Agarwal Subject: [PATCH 5.4 26/34] phonet: refcount leak in pep_sock_accep Date: Mon, 10 Jan 2022 08:23:21 +0100 Message-Id: <20220110071816.552824354@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Hangyu Hua commit bcd0f93353326954817a4f9fa55ec57fb38acbb0 upstream. sock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not invoked in subsequent failure branches(pep_accept_conn() != 0). Signed-off-by: Hangyu Hua Link: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Aayush Agarwal Signed-off-by: Greg Kroah-Hartman --- net/phonet/pep.c | 1 + 1 file changed, 1 insertion(+) --- a/net/phonet/pep.c +++ b/net/phonet/pep.c @@ -868,6 +868,7 @@ static struct sock *pep_sock_accept(stru err = pep_accept_conn(newsk, skb); if (err) { + __sock_put(sk); sock_put(newsk); newsk = NULL; goto drop; From patchwork Mon Jan 10 07:23:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531501 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0862DC433FE for ; Mon, 10 Jan 2022 07:30:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239691AbiAJHap (ORCPT ); Mon, 10 Jan 2022 02:30:45 -0500 Received: from dfw.source.kernel.org ([139.178.84.217]:38236 "EHLO dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239692AbiAJH2o (ORCPT ); Mon, 10 Jan 2022 02:28:44 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8C5D8611D9; Mon, 10 Jan 2022 07:28:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6B740C36B05; Mon, 10 Jan 2022 07:28:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799724; bh=jkEXWI9Pmo/l/YUG1s/FNZV4BToj0sgLXf6XuL/YJzs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=I72a7uVeI/odY3hEp451dQ5mnTlfWt3yoVIfx+Y0JBgX+3If2+zIEYKHujBN4uRZx guLmcAGzBytLbS4mASqqIM2b8zcBgX63Oz9MXpdvg9Je0Qe5CAiN7sm2U4FTsTV5w3 AFdpk6yBTPF9bc/vccqvE2UjDxEu+Qb6PH/uhD4U= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Ahern , Nicolas Dichtel , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.4 27/34] ipv6: Continue processing multipath route even if gateway attribute is invalid Date: Mon, 10 Jan 2022 08:23:22 +0100 Message-Id: <20220110071816.582688860@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: David Ahern [ Upstream commit e30a845b0376eb51c9c94f56bbd53b2e08ba822f ] ip6_route_multipath_del loop continues processing the multipath attribute even if delete of a nexthop path fails. For consistency, do the same if the gateway attribute is invalid. Fixes: 1ff15a710a86 ("ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route") Signed-off-by: David Ahern Acked-by: Nicolas Dichtel Link: https://lore.kernel.org/r/20220103171911.94739-1-dsahern@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- net/ipv6/route.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 53861f9c8ce0a..56f0783df5896 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -5313,8 +5313,10 @@ static int ip6_route_multipath_del(struct fib6_config *cfg, if (nla) { err = fib6_gw_from_attr(&r_cfg.fc_gateway, nla, extack); - if (err) - return err; + if (err) { + last_err = err; + goto next_rtnh; + } r_cfg.fc_flags |= RTF_GATEWAY; } @@ -5323,6 +5325,7 @@ static int ip6_route_multipath_del(struct fib6_config *cfg, if (err) last_err = err; +next_rtnh: rtnh = rtnh_next(rtnh, &remaining); } From patchwork Mon Jan 10 07:23:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531499 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E0684C43217 for ; Mon, 10 Jan 2022 07:30:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239654AbiAJHax (ORCPT ); Mon, 10 Jan 2022 02:30:53 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:58326 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239720AbiAJH2t (ORCPT ); Mon, 10 Jan 2022 02:28:49 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 0EA22B811E3; Mon, 10 Jan 2022 07:28:48 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3C0B7C36AE9; Mon, 10 Jan 2022 07:28:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799726; bh=D7vs6k8iFGyAvByHR8PckHt7Y5wDwH3cOCh2tIDChCc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZiAND1SKZSequMeqBHfPzTuH22tMKHlPda0ZK4kR3y+rCHlfqTDHCUiXiFvGvKYk2 S/KCXXI5Tsq1NaKKBb3QuRRa9tIRRb7amT4iP3K6zW+ckf3WZzBhWyos+A1d4Raqru N3TnStG74Ug9iwL96AW4PpsSzQB776xEoSLkPAfs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Ahern , Nicolas Dichtel , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.4 28/34] ipv6: Do cleanup if attribute validation fails in multipath route Date: Mon, 10 Jan 2022 08:23:23 +0100 Message-Id: <20220110071816.617673606@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: David Ahern [ Upstream commit 95bdba23b5b4aa75fe3e6c84335e638641c707bb ] As Nicolas noted, if gateway validation fails walking the multipath attribute the code should jump to the cleanup to free previously allocated memory. Fixes: 1ff15a710a86 ("ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route") Signed-off-by: David Ahern Acked-by: Nicolas Dichtel Link: https://lore.kernel.org/r/20220103170555.94638-1-dsahern@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- net/ipv6/route.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 56f0783df5896..5ef6e27e026e9 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -5146,12 +5146,10 @@ static int ip6_route_multipath_add(struct fib6_config *cfg, nla = nla_find(attrs, attrlen, RTA_GATEWAY); if (nla) { - int ret; - - ret = fib6_gw_from_attr(&r_cfg.fc_gateway, nla, + err = fib6_gw_from_attr(&r_cfg.fc_gateway, nla, extack); - if (ret) - return ret; + if (err) + goto cleanup; r_cfg.fc_flags |= RTF_GATEWAY; } From patchwork Mon Jan 10 07:23:24 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531471 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7A1F6C433FE for ; Mon, 10 Jan 2022 07:36:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240831AbiAJHgZ (ORCPT ); Mon, 10 Jan 2022 02:36:25 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49918 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240757AbiAJHca (ORCPT ); Mon, 10 Jan 2022 02:32:30 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 84236C029818; Sun, 9 Jan 2022 23:28:50 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2603D611BC; Mon, 10 Jan 2022 07:28:50 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 11199C36AE9; Mon, 10 Jan 2022 07:28:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799729; bh=Nh+ZX6DpgLsEZsAZkNl4PXQbvAL4hXHFEs5ivU3Zt/U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=M7NFG2ZdbpVKaQJc9aUHLVI1VSLnvoABK3Zel7OUHJQpf7jII1p38twIVG25gYNt1 dF9NAhZ59Og5QSI9UJfb/RHs0en6nIItwPQXXN79Ta0b5p5m3eAGd3IUT7x31JKw/9 poTL45CeeLXmDrbjK+UNvP7AJYUcg8JwDpCvhjdQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Chunfeng Yun , Sasha Levin Subject: [PATCH 5.4 29/34] usb: mtu3: fix interval value for intr and isoc Date: Mon, 10 Jan 2022 08:23:24 +0100 Message-Id: <20220110071816.656375417@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Chunfeng Yun [ Upstream commit e3d4621c22f90c33321ae6a6baab60cdb8e5a77c ] Use the Interval value from isoc/intr endpoint descriptor, no need minus one. The original code doesn't cause transfer error for normal cases, but it may have side effect with respond time of ERDY or tPingTimeout. Signed-off-by: Chunfeng Yun Link: https://lore.kernel.org/r/20211218095749.6250-1-chunfeng.yun@mediatek.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/mtu3/mtu3_gadget.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 253c8b71d3c49..061da9b82b967 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -85,7 +85,7 @@ static int mtu3_ep_enable(struct mtu3_ep *mep) if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) { interval = desc->bInterval; - interval = clamp_val(interval, 1, 16) - 1; + interval = clamp_val(interval, 1, 16); if (usb_endpoint_xfer_isoc(desc) && comp_desc) mult = comp_desc->bmAttributes; } @@ -97,7 +97,7 @@ static int mtu3_ep_enable(struct mtu3_ep *mep) if (usb_endpoint_xfer_isoc(desc) || usb_endpoint_xfer_int(desc)) { interval = desc->bInterval; - interval = clamp_val(interval, 1, 16) - 1; + interval = clamp_val(interval, 1, 16); mult = usb_endpoint_maxp_mult(desc) - 1; } break; From patchwork Mon Jan 10 07:23:26 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531498 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 201D8C433EF for ; Mon, 10 Jan 2022 07:31:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240481AbiAJHbA (ORCPT ); Mon, 10 Jan 2022 02:31:00 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:58456 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239591AbiAJH26 (ORCPT ); Mon, 10 Jan 2022 02:28:58 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 6C083B81212; Mon, 10 Jan 2022 07:28:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 98BDEC36AED; Mon, 10 Jan 2022 07:28:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799735; bh=k8/0gSeOtbpFZsSQqYVrOzLWhspV25uzPH5QsskH6i8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=td284CsbOtl0u4gWXnbrT8+sXuLb02TlWM4xHo6FJat8iC6Swn9F2xr6sIytRaB9r yLSMb8rYy3j5FoDQpJEiWmZWiXfMsMrI7VQn3Hv9bjannDo9GN4DPbauRkgTFeKXVP ekGlKOv6cez7tmhBsykPh4gXTzQ3eqCPv2qdxtKc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, William Zhao , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 31/34] ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate Date: Mon, 10 Jan 2022 08:23:26 +0100 Message-Id: <20220110071816.726259750@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: William Zhao [ Upstream commit c1833c3964d5bd8c163bd4e01736a38bc473cb8a ] The "__ip6_tnl_parm" struct was left uninitialized causing an invalid load of random data when the "__ip6_tnl_parm" struct was used elsewhere. As an example, in the function "ip6_tnl_xmit_ctl()", it tries to access the "collect_md" member. With "__ip6_tnl_parm" being uninitialized and containing random data, the UBSAN detected that "collect_md" held a non-boolean value. The UBSAN issue is as follows: =============================================================== UBSAN: invalid-load in net/ipv6/ip6_tunnel.c:1025:14 load of value 30 is not a valid value for type '_Bool' CPU: 1 PID: 228 Comm: kworker/1:3 Not tainted 5.16.0-rc4+ #8 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: dump_stack_lvl+0x44/0x57 ubsan_epilogue+0x5/0x40 __ubsan_handle_load_invalid_value+0x66/0x70 ? __cpuhp_setup_state+0x1d3/0x210 ip6_tnl_xmit_ctl.cold.52+0x2c/0x6f [ip6_tunnel] vti6_tnl_xmit+0x79c/0x1e96 [ip6_vti] ? lock_is_held_type+0xd9/0x130 ? vti6_rcv+0x100/0x100 [ip6_vti] ? lock_is_held_type+0xd9/0x130 ? rcu_read_lock_bh_held+0xc0/0xc0 ? lock_acquired+0x262/0xb10 dev_hard_start_xmit+0x1e6/0x820 __dev_queue_xmit+0x2079/0x3340 ? mark_lock.part.52+0xf7/0x1050 ? netdev_core_pick_tx+0x290/0x290 ? kvm_clock_read+0x14/0x30 ? kvm_sched_clock_read+0x5/0x10 ? sched_clock_cpu+0x15/0x200 ? find_held_lock+0x3a/0x1c0 ? lock_release+0x42f/0xc90 ? lock_downgrade+0x6b0/0x6b0 ? mark_held_locks+0xb7/0x120 ? neigh_connected_output+0x31f/0x470 ? lockdep_hardirqs_on+0x79/0x100 ? neigh_connected_output+0x31f/0x470 ? ip6_finish_output2+0x9b0/0x1d90 ? rcu_read_lock_bh_held+0x62/0xc0 ? ip6_finish_output2+0x9b0/0x1d90 ip6_finish_output2+0x9b0/0x1d90 ? ip6_append_data+0x330/0x330 ? ip6_mtu+0x166/0x370 ? __ip6_finish_output+0x1ad/0xfb0 ? nf_hook_slow+0xa6/0x170 ip6_output+0x1fb/0x710 ? nf_hook.constprop.32+0x317/0x430 ? ip6_finish_output+0x180/0x180 ? __ip6_finish_output+0xfb0/0xfb0 ? lock_is_held_type+0xd9/0x130 ndisc_send_skb+0xb33/0x1590 ? __sk_mem_raise_allocated+0x11cf/0x1560 ? dst_output+0x4a0/0x4a0 ? ndisc_send_rs+0x432/0x610 addrconf_dad_completed+0x30c/0xbb0 ? addrconf_rs_timer+0x650/0x650 ? addrconf_dad_work+0x73c/0x10e0 addrconf_dad_work+0x73c/0x10e0 ? addrconf_dad_completed+0xbb0/0xbb0 ? rcu_read_lock_sched_held+0xaf/0xe0 ? rcu_read_lock_bh_held+0xc0/0xc0 process_one_work+0x97b/0x1740 ? pwq_dec_nr_in_flight+0x270/0x270 worker_thread+0x87/0xbf0 ? process_one_work+0x1740/0x1740 kthread+0x3ac/0x490 ? set_kthread_struct+0x100/0x100 ret_from_fork+0x22/0x30 =============================================================== The solution is to initialize "__ip6_tnl_parm" struct to zeros in the "vti6_siocdevprivate()" function. Signed-off-by: William Zhao Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/ipv6/ip6_vti.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c index 12ab6605d9617..8b44d3b53844e 100644 --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -795,6 +795,8 @@ vti6_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) struct net *net = dev_net(dev); struct vti6_net *ip6n = net_generic(net, vti6_net_id); + memset(&p1, 0, sizeof(p1)); + switch (cmd) { case SIOCGETTUNNEL: if (dev == ip6n->fb_tnl_dev) { From patchwork Mon Jan 10 07:23:28 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 531496 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 284C2C433F5 for ; Mon, 10 Jan 2022 07:31:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239792AbiAJHbE (ORCPT ); Mon, 10 Jan 2022 02:31:04 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:58502 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239771AbiAJH3D (ORCPT ); Mon, 10 Jan 2022 02:29:03 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 07E25B81215; Mon, 10 Jan 2022 07:29:02 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3A3AEC36AE9; Mon, 10 Jan 2022 07:29:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1641799740; bh=FMcC811dLrfa+pEL4aeEAecmD3gp+jbs0tlpxKta/6g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=T3SnN1thXB7qY7L5+vq0HbW8ermmcP6VP715bhRpnU+MSYyXitpOd+VrQyXz9NHmG RZfeaSvY1ipcs3GH+XeQM/NXaWwAMEvA2GwokWyJpuON1QDeoYAEIdBahEk801KYC0 nqe/+2Oojin2hra3JLQ0coT+L9Vy53TD3PaToxSc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Zekun Shen , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 33/34] atlantic: Fix buff_ring OOB in aq_ring_rx_clean Date: Mon, 10 Jan 2022 08:23:28 +0100 Message-Id: <20220110071816.794916416@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220110071815.647309738@linuxfoundation.org> References: <20220110071815.647309738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Zekun Shen [ Upstream commit 5f50153288452e10b6edd69ec9112c49442b054a ] The function obtain the next buffer without boundary check. We should return with I/O error code. The bug is found by fuzzing and the crash report is attached. It is an OOB bug although reported as use-after-free. [ 4.804724] BUG: KASAN: use-after-free in aq_ring_rx_clean+0x1e88/0x2730 [atlantic] [ 4.805661] Read of size 4 at addr ffff888034fe93a8 by task ksoftirqd/0/9 [ 4.806505] [ 4.806703] CPU: 0 PID: 9 Comm: ksoftirqd/0 Tainted: G W 5.6.0 #34 [ 4.809030] Call Trace: [ 4.809343] dump_stack+0x76/0xa0 [ 4.809755] print_address_description.constprop.0+0x16/0x200 [ 4.810455] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic] [ 4.811234] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic] [ 4.813183] __kasan_report.cold+0x37/0x7c [ 4.813715] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic] [ 4.814393] kasan_report+0xe/0x20 [ 4.814837] aq_ring_rx_clean+0x1e88/0x2730 [atlantic] [ 4.815499] ? hw_atl_b0_hw_ring_rx_receive+0x9a5/0xb90 [atlantic] [ 4.816290] aq_vec_poll+0x179/0x5d0 [atlantic] [ 4.816870] ? _GLOBAL__sub_I_65535_1_aq_pci_func_init+0x20/0x20 [atlantic] [ 4.817746] ? __next_timer_interrupt+0xba/0xf0 [ 4.818322] net_rx_action+0x363/0xbd0 [ 4.818803] ? call_timer_fn+0x240/0x240 [ 4.819302] ? __switch_to_asm+0x40/0x70 [ 4.819809] ? napi_busy_loop+0x520/0x520 [ 4.820324] __do_softirq+0x18c/0x634 [ 4.820797] ? takeover_tasklets+0x5f0/0x5f0 [ 4.821343] run_ksoftirqd+0x15/0x20 [ 4.821804] smpboot_thread_fn+0x2f1/0x6b0 [ 4.822331] ? smpboot_unregister_percpu_thread+0x160/0x160 [ 4.823041] ? __kthread_parkme+0x80/0x100 [ 4.823571] ? smpboot_unregister_percpu_thread+0x160/0x160 [ 4.824301] kthread+0x2b5/0x3b0 [ 4.824723] ? kthread_create_on_node+0xd0/0xd0 [ 4.825304] ret_from_fork+0x35/0x40 Signed-off-by: Zekun Shen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c index 03821b46a8cb4..4c22f119ac62f 100644 --- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c @@ -305,6 +305,10 @@ int aq_ring_rx_clean(struct aq_ring_s *self, if (!buff->is_eop) { buff_ = buff; do { + if (buff_->next >= self->size) { + err = -EIO; + goto err_exit; + } next_ = buff_->next, buff_ = &self->buff_ring[next_]; is_rsc_completed = @@ -327,6 +331,10 @@ int aq_ring_rx_clean(struct aq_ring_s *self, if (buff->is_error || buff->is_cso_err) { buff_ = buff; do { + if (buff_->next >= self->size) { + err = -EIO; + goto err_exit; + } next_ = buff_->next, buff_ = &self->buff_ring[next_];