stable.vger.kernel.org archive mirror
* [PATCH 4.19 00/20] 4.19.237-rc1 review
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, slade

This is the start of the stable review cycle for the 4.19.237 release.
There are 20 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sun, 27 Mar 2022 15:04:08 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.237-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.19.237-rc1

Arnd Bergmann <arnd@arndb.de>
    nds32: fix access_ok() checks in get/put_user

Linus Lüssing <ll@simonwunderlich.de>
    mac80211: fix potential double free on mesh join

Giovanni Cabiddu <giovanni.cabiddu@intel.com>
    crypto: qat - disable registration of algorithms

Werner Sembach <wse@tuxedocomputers.com>
    ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU

Maximilian Luz <luzmaximilian@gmail.com>
    ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3

Mark Cilissen <mark@yotsuba.nl>
    ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nf_tables: initialize registers in nft_do_chain()

Stephane Graber <stgraber@ubuntu.com>
    drivers: net: xgene: Fix regression in CRC stripping

Giacomo Guiduzzi <guiduzzi.giacomo@gmail.com>
    ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec

Jonathan Teh <jonathan.teh@outlook.com>
    ALSA: cmipci: Restore aux vol on suspend/resume

Lars-Peter Clausen <lars@metafoo.de>
    ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: Add stream lock during PCM reset ioctl operations

Takashi Iwai <tiwai@suse.de>
    ALSA: oss: Fix PCM OSS buffer allocation overflow

Takashi Iwai <tiwai@suse.de>
    ASoC: sti: Fix deadlock via snd_pcm_stop_xrun() call

Eric Dumazet <edumazet@google.com>
    llc: fix netdevice reference leaks in llc_ui_bind()

Chuansheng Liu <chuansheng.liu@intel.com>
    thermal: int340x: fix memory leak in int3400_notify()

Oliver Graute <oliver.graute@kococonnector.com>
    staging: fbtft: fb_st7789v: reset display before initialization

Steffen Klassert <steffen.klassert@secunet.com>
    esp: Fix possible buffer overflow in ESP transformation

Tadeusz Struk <tadeusz.struk@linaro.org>
    net: ipv6: fix skb_over_panic in __ip6_append_data

Jordy Zomer <jordy@pwning.systems>
    nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION


-------------

Diffstat:

 Makefile                                          |  4 +-
 arch/nds32/include/asm/uaccess.h                  | 22 +++++--
 arch/x86/kernel/acpi/boot.c                       | 24 ++++++++
 drivers/acpi/battery.c                            | 12 ++++
 drivers/acpi/video_detect.c                       | 75 +++++++++++++++++++++++
 drivers/crypto/qat/qat_common/qat_crypto.c        |  8 +++
 drivers/net/ethernet/apm/xgene/xgene_enet_main.c  | 12 ++--
 drivers/nfc/st21nfca/se.c                         | 10 +++
 drivers/staging/fbtft/fb_st7789v.c                |  2 +
 drivers/thermal/int340x_thermal/int3400_thermal.c |  4 ++
 include/net/esp.h                                 |  2 +
 include/net/sock.h                                |  3 +
 net/core/sock.c                                   |  3 -
 net/ipv4/esp4.c                                   |  5 ++
 net/ipv6/esp6.c                                   |  5 ++
 net/ipv6/ip6_output.c                             |  4 +-
 net/llc/af_llc.c                                  |  8 +++
 net/mac80211/cfg.c                                |  3 -
 net/netfilter/nf_tables_core.c                    |  2 +-
 sound/core/oss/pcm_oss.c                          | 12 ++--
 sound/core/oss/pcm_plugin.c                       |  5 +-
 sound/core/pcm_native.c                           |  4 ++
 sound/pci/ac97/ac97_codec.c                       |  4 +-
 sound/pci/cmipci.c                                |  3 +-
 sound/soc/sti/uniperif_player.c                   |  6 +-
 sound/soc/sti/uniperif_reader.c                   |  2 +-
 sound/usb/mixer_quirks.c                          |  7 ++-
 27 files changed, 214 insertions(+), 37 deletions(-)




* [PATCH 4.19 01/20] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jordy Zomer, Krzysztof Kozlowski,
	David S. Miller, Denis Efremov

From: Jordy Zomer <jordy@pwning.systems>

commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.

It appears that there are some buffer overflows in EVT_TRANSACTION.
This happens because the length parameters that are passed to memcpy
come directly from skb->data and are not guarded in any way.

Signed-off-by: Jordy Zomer <jordy@pwning.systems>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nfc/st21nfca/se.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/nfc/st21nfca/se.c
+++ b/drivers/nfc/st21nfca/se.c
@@ -332,6 +332,11 @@ int st21nfca_connectivity_event_received
 			return -ENOMEM;
 
 		transaction->aid_len = skb->data[1];
+
+		/* Checking if the length of the AID is valid */
+		if (transaction->aid_len > sizeof(transaction->aid))
+			return -EINVAL;
+
 		memcpy(transaction->aid, &skb->data[2],
 		       transaction->aid_len);
 
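Review bot: the new bound only protects the destination array; nothing in this hunk checks that skb->len covers the 2 + aid_len bytes that memcpy() reads from skb->data, so unless an earlier length check (not visible here) guarantees it, a short EVT_TRANSACTION still lets memcpy() read past the end of the skb. Suggest pairing the check with `if (skb->len < transaction->aid_len + 2) return -EPROTO;` before the memcpy, or pointing at the existing guard in the comment.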
@@ -341,6 +346,11 @@ int st21nfca_connectivity_event_received
 			return -EPROTO;
 
 		transaction->params_len = skb->data[transaction->aid_len + 3];
+
+		/* Total size is allocated (skb->len - 2) minus fixed array members */
+		if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
+			return -EINVAL;
+
 		memcpy(transaction->params, skb->data +
 		       transaction->aid_len + 4, transaction->params_len);
 
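Review bot: `(skb->len - 2) - sizeof(struct nfc_evt_transaction)` is computed in unsigned arithmetic, so when skb->len is smaller than 2 + sizeof(struct nfc_evt_transaction) it wraps to a huge value and the check passes; guard that case with an explicit `if (skb->len < 2 + sizeof(struct nfc_evt_transaction)) return -EINVAL;` before the subtraction. Separately, the params bytes are read from offset aid_len + 4, and the length byte itself from skb->data[aid_len + 3], neither of which this bound covers; a read-side check such as `if (skb->len < transaction->aid_len + 4 + transaction->params_len) return -EINVAL;`, placed before the `skb->data[transaction->aid_len + 3]` read for the length byte, is needed in addition to the allocation-size bound.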




* [PATCH 4.19 02/20] net: ipv6: fix skb_over_panic in __ip6_append_data
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+e223cf47ec8ae183f2a0,
	Tadeusz Struk, Willem de Bruijn, Jakub Kicinski

From: Tadeusz Struk <tadeusz.struk@linaro.org>

commit 5e34af4142ffe68f01c8a9acae83300f8911e20c upstream.

Syzbot found a kernel bug in the ipv6 stack:
LINK: https://syzkaller.appspot.com/bug?id=205d6f11d72329ab8d62a610c44c5e7e25415580
The reproducer triggers it by sending a crafted message via sendmmsg()
call, which triggers skb_over_panic, and crashes the kernel:

skbuff: skb_over_panic: text:ffffffff84647fb4 len:65575 put:65575
head:ffff888109ff0000 data:ffff888109ff0088 tail:0x100af end:0xfec0
dev:<NULL>

Update the check that prevents an invalid packet with MTU equal
to the fragment header size from eating up all the space for payload.

The reproducer can be found here:
LINK: https://syzkaller.appspot.com/text?tag=ReproC&x=1648c83fb00000

Reported-by: syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Acked-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20220310232538.1044947-1-tadeusz.struk@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_output.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1325,8 +1325,8 @@ static int __ip6_append_data(struct sock
 		      sizeof(struct frag_hdr) : 0) +
 		     rt->rt6i_nfheader_len;
 
-	if (mtu < fragheaderlen ||
-	    ((mtu - fragheaderlen) & ~7) + fragheaderlen < sizeof(struct frag_hdr))
+	if (mtu <= fragheaderlen ||
+	    ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr))
 		goto emsgsize;
 
 	maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen -
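Review bot: the second comparison reads as a magic expression; since `((mtu - fragheaderlen) & ~7) + fragheaderlen` is exactly the maxfraglen computed two lines below, a short comment saying that it must exceed the fragment header so that every fragment carries at least one payload byte (the zero-payload boundary is what the `<=` now rejects, matching the skb_over_panic in the report) would save the next reader re-deriving why `<` was insufficient.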




* [PATCH 4.19 03/20] esp: Fix possible buffer overflow in ESP transformation
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, valis, Steffen Klassert, Vaibhav Rustagi

From: Steffen Klassert <steffen.klassert@secunet.com>

commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 upstream.

The maximum message size that can be sent is bigger than
the maximum size that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.

Fix this by doing a fallback to COW in that case.

v2:

Avoid get_order() costs as suggested by Linus Torvalds.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/esp.h  |    2 ++
 include/net/sock.h |    3 +++
 net/core/sock.c    |    3 ---
 net/ipv4/esp4.c    |    5 +++++
 net/ipv6/esp6.c    |    5 +++++
 5 files changed, 15 insertions(+), 3 deletions(-)

--- a/include/net/esp.h
+++ b/include/net/esp.h
@@ -4,6 +4,8 @@
 
 #include <linux/skbuff.h>
 
+#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)
+
 struct ip_esp_hdr;
 
 static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb)
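Review bot: ESP_SKB_FRAG_MAXSIZE expands to SKB_FRAG_PAGE_ORDER, which this series moves into include/net/sock.h, but esp.h only includes <linux/skbuff.h>; a translation unit that includes net/esp.h without net/sock.h will fail to compile as soon as it uses the macro. Either add `#include <net/sock.h>` here or document the dependency next to the define.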
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2518,6 +2518,9 @@ extern int sysctl_optmem_max;
 extern __u32 sysctl_wmem_default;
 extern __u32 sysctl_rmem_default;
 
+/* On 32bit arches, an skb frag is limited to 2^15 */
+#define SKB_FRAG_PAGE_ORDER	get_order(32768)
+
 static inline int sk_get_wmem0(const struct sock *sk, const struct proto *proto)
 {
 	/* Does this proto have per netns sysctl_wmem ? */
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2207,9 +2207,6 @@ static void sk_leave_memory_pressure(str
 	}
 }
 
-/* On 32bit arches, an skb frag is limited to 2^15 */
-#define SKB_FRAG_PAGE_ORDER	get_order(32768)
-
 /**
  * skb_page_frag_refill - check that a page_frag contains enough room
  * @sz: minimum size of the fragment we want to get
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -275,6 +275,7 @@ int esp_output_head(struct xfrm_state *x
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsz;
 
 	/* this is non-NULL only with UDP Encapsulation */
 	if (x->encap) {
@@ -284,6 +285,10 @@ int esp_output_head(struct xfrm_state *x
 			return err;
 	}
 
+	allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+		goto cow;
+
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {
 			nfrags = 1;
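Review bot: the size check sits after the UDP-encapsulation block here, whereas esp6_output_head() places it immediately after the declarations; if the encap path can change tailen or the skb layout, this placement is the one that reflects the final size and esp6 should match it, and if it cannot, the two should still be ordered the same way for reviewability. A comment explaining why allocsz is rounded up to L1_CACHE_BYTES (presumably to match what skb_page_frag_refill() will request, which is not visible in this hunk) would make the bound auditable; over-estimating only costs the COW fallback, while under-estimating re-opens the overflow.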
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -241,6 +241,11 @@ int esp6_output_head(struct xfrm_state *
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsz;
+
+	allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+		goto cow;
 
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {




* [PATCH 4.19 04/20] staging: fbtft: fb_st7789v: reset display before initialization
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Graute, Sudip Mukherjee

From: Oliver Graute <oliver.graute@kococonnector.com>

commit b6821b0d9b56386d2bf14806f90ec401468c799f upstream.

In rare cases the display is flipped or mirrored. This was observed more
often in a low temperature environment. A clean reset on init_display()
should help to get registers in a sane state.

Fixes: ef8f317795da (staging: fbtft: use init function instead of init sequence)
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Graute <oliver.graute@kococonnector.com>
Link: https://lore.kernel.org/r/20220210085322.15676-1-oliver.graute@kococonnector.com
[sudip: adjust context]
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/fbtft/fb_st7789v.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/staging/fbtft/fb_st7789v.c
+++ b/drivers/staging/fbtft/fb_st7789v.c
@@ -76,6 +76,8 @@ enum st7789v_command {
  */
 static int init_display(struct fbtft_par *par)
 {
+	par->fbtftops.reset(par);
+
 	/* turn off sleep mode */
 	write_reg(par, MIPI_DCS_EXIT_SLEEP_MODE);
 	mdelay(120);
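Review bot: par->fbtftops.reset is called without a NULL check, so the change relies on the fbtft core always installing a reset op (one that tolerates a missing reset GPIO) before init_display() runs; a one-line comment stating that assumption at the call site would keep a future reader from either adding a redundant guard or treating the call as optional.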




* [PATCH 4.19 05/20] thermal: int340x: fix memory leak in int3400_notify()
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chuansheng Liu, Rafael J. Wysocki,
	Sudip Mukherjee

From: Chuansheng Liu <chuansheng.liu@intel.com>

commit 3abea10e6a8f0e7804ed4c124bea2d15aca977c8 upstream.

It is easy to hit the memory leaks below on my TigerLake platform:

unreferenced object 0xffff927c8b91dbc0 (size 32):
  comm "kworker/0:2", pid 112, jiffies 4294893323 (age 83.604s)
  hex dump (first 32 bytes):
    4e 41 4d 45 3d 49 4e 54 33 34 30 30 20 54 68 65  NAME=INT3400 The
    72 6d 61 6c 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  rmal.kkkkkkkkkk.
  backtrace:
    [<ffffffff9c502c3e>] __kmalloc_track_caller+0x2fe/0x4a0
    [<ffffffff9c7b7c15>] kvasprintf+0x65/0xd0
    [<ffffffff9c7b7d6e>] kasprintf+0x4e/0x70
    [<ffffffffc04cb662>] int3400_notify+0x82/0x120 [int3400_thermal]
    [<ffffffff9c8b7358>] acpi_ev_notify_dispatch+0x54/0x71
    [<ffffffff9c88f1a7>] acpi_os_execute_deferred+0x17/0x30
    [<ffffffff9c2c2c0a>] process_one_work+0x21a/0x3f0
    [<ffffffff9c2c2e2a>] worker_thread+0x4a/0x3b0
    [<ffffffff9c2cb4dd>] kthread+0xfd/0x130
    [<ffffffff9c201c1f>] ret_from_fork+0x1f/0x30

Fix it by calling kfree() accordingly.

Fixes: 38e44da59130 ("thermal: int3400_thermal: process "thermal table changed" event")
Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
Cc: 4.14+ <stable@vger.kernel.org> # 4.14+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[sudip: change in old path]
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thermal/int340x_thermal/int3400_thermal.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/thermal/int340x_thermal/int3400_thermal.c
+++ b/drivers/thermal/int340x_thermal/int3400_thermal.c
@@ -223,6 +223,10 @@ static void int3400_notify(acpi_handle h
 		thermal_prop[4] = NULL;
 		kobject_uevent_env(&priv->thermal->device.kobj, KOBJ_CHANGE,
 				thermal_prop);
+		kfree(thermal_prop[0]);
+		kfree(thermal_prop[1]);
+		kfree(thermal_prop[2]);
+		kfree(thermal_prop[3]);
 		break;
 	default:
 		/* Ignore unknown notification codes sent to INT3400 device */
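Review bot: the four kfree() calls only run on the success path through kobject_uevent_env(); if one of the kasprintf() calls above fails and the code bails out early (context not shown), the strings already allocated leak again. Freeing every entry of thermal_prop in a loop at a single exit label covers all paths, and kfree(NULL) is a no-op so the not-yet-assigned entries need no special casing.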




* [PATCH 4.19 06/20] llc: fix netdevice reference leaks in llc_ui_bind()
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet,
	赵子轩,
	Stoyan Manolov, Jakub Kicinski

From: Eric Dumazet <edumazet@google.com>

commit 764f4eb6846f5475f1244767d24d25dd86528a4a upstream.

Whenever llc_ui_bind() and/or llc_ui_autobind()
take a reference on a netdevice but subsequently fail,
they must properly release their reference
or risk the infamous message from unregister_netdevice()
at device dismantle.

unregister_netdevice: waiting for eth0 to become free. Usage count = 3

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: 赵子轩 <beraphin@gmail.com>
Reported-by: Stoyan Manolov <smanolov@suse.de>
Link: https://lore.kernel.org/r/20220323004147.1990845-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/llc/af_llc.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -311,6 +311,10 @@ static int llc_ui_autobind(struct socket
 	sock_reset_flag(sk, SOCK_ZAPPED);
 	rc = 0;
 out:
+	if (rc) {
+		dev_put(llc->dev);
+		llc->dev = NULL;
+	}
 	return rc;
 }
 
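Review bot: `out:` is the target of every error exit in llc_ui_autobind(), including ones taken before this call has acquired a device, so the unconditional `dev_put(llc->dev)` acts on whatever llc->dev held on entry: NULL (check that 4.19's dev_put() tolerates NULL; newer kernels guard it, older ones dereference it), or the device left by an earlier successful bind, whose reference the socket still owns. Safer to resolve the device into a local variable and only assign llc->dev once the bind has succeeded, so the cleanup drops exactly the reference this call took.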
@@ -410,6 +414,10 @@ static int llc_ui_bind(struct socket *so
 out_put:
 	llc_sap_put(sap);
 out:
+	if (rc) {
+		dev_put(llc->dev);
+		llc->dev = NULL;
+	}
 	release_sock(sk);
 	return rc;
 }
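Review bot: same concern as in llc_ui_autobind(): the `out:` label here is also reached by early `goto out` paths in llc_ui_bind() before any device reference is taken, and by the rejection of a socket that is already bound, which arrives with llc->dev from the previous bind; in both cases `if (rc) dev_put(llc->dev)` releases a reference this call never acquired. Using a local dev pointer and committing it to llc->dev only on success avoids that.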




* [PATCH 4.19 07/20] ASoC: sti: Fix deadlock via snd_pcm_stop_xrun() call
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Palmer, Arnaud POULIQUEN,
	Takashi Iwai, Arnaud Pouliquen, Mark Brown

From: Takashi Iwai <tiwai@suse.de>

commit 455c5653f50e10b4f460ef24e99f0044fbe3401c upstream.

This is essentially a revert of the commit dc865fb9e7c2 ("ASoC: sti:
Use snd_pcm_stop_xrun() helper"), which converted the manual
snd_pcm_stop() calls to snd_pcm_stop_xrun().

The commit above introduced a deadlock, as snd_pcm_stop_xrun() itself
takes the PCM stream lock while the caller already holds it.  Since
the conversion was done only for consistency reasons and the open call
with snd_pcm_stop() to the XRUN state is a correct usage, let's revert
the commit as the fix.

Fixes: dc865fb9e7c2 ("ASoC: sti: Use snd_pcm_stop_xrun() helper")
Reported-by: Daniel Palmer <daniel@0x0f.com>
Cc: Arnaud POULIQUEN <arnaud.pouliquen@st.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220315091319.3351522-1-daniel@0x0f.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Link: https://lore.kernel.org/r/20220315164158.19804-1-tiwai@suse.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/sti/uniperif_player.c |    6 +++---
 sound/soc/sti/uniperif_reader.c |    2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/sound/soc/sti/uniperif_player.c
+++ b/sound/soc/sti/uniperif_player.c
@@ -91,7 +91,7 @@ static irqreturn_t uni_player_irq_handle
 			SET_UNIPERIF_ITM_BCLR_FIFO_ERROR(player);
 
 			/* Stop the player */
-			snd_pcm_stop_xrun(player->substream);
+			snd_pcm_stop(player->substream, SNDRV_PCM_STATE_XRUN);
 		}
 
 		ret = IRQ_HANDLED;
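Review bot: because the deadlock came from a "cleanup" that looked like a pure helper substitution, a one-line comment at each call site that the stream lock is already held here, which is why snd_pcm_stop() is used rather than snd_pcm_stop_xrun() (which takes the lock itself), would stop the same conversion from being reintroduced; as written nothing in the code records that invariant.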
@@ -105,7 +105,7 @@ static irqreturn_t uni_player_irq_handle
 		SET_UNIPERIF_ITM_BCLR_DMA_ERROR(player);
 
 		/* Stop the player */
-		snd_pcm_stop_xrun(player->substream);
+		snd_pcm_stop(player->substream, SNDRV_PCM_STATE_XRUN);
 
 		ret = IRQ_HANDLED;
 	}
@@ -138,7 +138,7 @@ static irqreturn_t uni_player_irq_handle
 		dev_err(player->dev, "Underflow recovery failed\n");
 
 		/* Stop the player */
-		snd_pcm_stop_xrun(player->substream);
+		snd_pcm_stop(player->substream, SNDRV_PCM_STATE_XRUN);
 
 		ret = IRQ_HANDLED;
 	}
--- a/sound/soc/sti/uniperif_reader.c
+++ b/sound/soc/sti/uniperif_reader.c
@@ -65,7 +65,7 @@ static irqreturn_t uni_reader_irq_handle
 	if (unlikely(status & UNIPERIF_ITS_FIFO_ERROR_MASK(reader))) {
 		dev_err(reader->dev, "FIFO error detected\n");
 
-		snd_pcm_stop_xrun(reader->substream);
+		snd_pcm_stop(reader->substream, SNDRV_PCM_STATE_XRUN);
 
 		ret = IRQ_HANDLED;
 	}




* [PATCH 4.19 08/20] ALSA: oss: Fix PCM OSS buffer allocation overflow
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+72732c532ac1454eeee9,
	Linus Torvalds, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit efb6402c3c4a7c26d97c92d70186424097b6e366 upstream.

We've got syzbot reports hitting INT_MAX overflow at vmalloc()
allocation that is called from snd_pcm_plug_alloc().  Although we
apply the restrictions to input parameters, it's based only on the
hw_params of the underlying PCM device.  Since the PCM OSS layer
allocates a temporary buffer for the data conversion, the size may
become unexpectedly large when more channels or higher rates are given;
in the reported case, it went over INT_MAX, hence it hits WARN_ON().

This patch is an attempt to avoid such an overflow and an allocation
for too large buffers.  First off, it adds the limit of 1MB as the
upper bound for period bytes.  This must be large enough for all use
cases, and we really don't want to handle a larger temporary buffer
than this size.  The size check is performed at two places, where the
original period bytes is calculated and where the plugin buffer size
is calculated.

In addition, the driver uses array_size() and array3_size() for
multiplications to catch overflows for the converted period size and
buffer bytes.

Reported-by: syzbot+72732c532ac1454eeee9@syzkaller.appspotmail.com
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/00000000000085b1b305da5a66f3@google.com
Link: https://lore.kernel.org/r/20220318082036.29699-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/oss/pcm_oss.c    |   12 ++++++++----
 sound/core/oss/pcm_plugin.c |    5 ++++-
 2 files changed, 12 insertions(+), 5 deletions(-)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -789,6 +789,11 @@ static int snd_pcm_oss_period_size(struc
 
 	if (oss_period_size < 16)
 		return -EINVAL;
+
+	/* don't allocate too large period; 1MB period must be enough */
+	if (oss_period_size > 1024 * 1024)
+		return -ENOMEM;
+
 	runtime->oss.period_bytes = oss_period_size;
 	runtime->oss.period_frames = 1;
 	runtime->oss.periods = oss_periods;
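Review bot: the 1MB cap appears as the literal `1024 * 1024` both here and in snd_pcm_plugin_alloc(); a single named constant shared by the two files would keep the checks from drifting apart. Also, the adjacent `< 16` case returns -EINVAL while this one returns -ENOMEM even though both reject a caller-supplied parameter; if the different errno is intended, a word in the comment would help.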
@@ -1060,10 +1065,9 @@ static int snd_pcm_oss_change_params_loc
 			goto failure;
 	}
 #endif
-	oss_period_size *= oss_frame_size;
-
-	oss_buffer_size = oss_period_size * runtime->oss.periods;
-	if (oss_buffer_size < 0) {
+	oss_period_size = array_size(oss_period_size, oss_frame_size);
+	oss_buffer_size = array_size(oss_period_size, runtime->oss.periods);
+	if (oss_buffer_size <= 0) {
 		err = -EINVAL;
 		goto failure;
 	}
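Review bot: array_size() saturates to SIZE_MAX on overflow, so `oss_buffer_size <= 0` only catches that case if oss_buffer_size is a signed type (SIZE_MAX then reads as -1); the declarations are outside this hunk, so confirm that oss_period_size and oss_buffer_size are signed (ssize_t), or compare against SIZE_MAX explicitly, otherwise the saturated value passes the check unchanged.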
--- a/sound/core/oss/pcm_plugin.c
+++ b/sound/core/oss/pcm_plugin.c
@@ -61,7 +61,10 @@ static int snd_pcm_plugin_alloc(struct s
 	}
 	if ((width = snd_pcm_format_physical_width(format->format)) < 0)
 		return width;
-	size = frames * format->channels * width;
+	size = array3_size(frames, format->channels, width);
+	/* check for too large period size once again */
+	if (size > 1024 * 1024)
+		return -ENOMEM;
 	if (snd_BUG_ON(size % 8))
 		return -ENXIO;
 	size /= 8;
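Review bot: the `size > 1024 * 1024` compare is what makes the array3_size() saturation effective here, and it relies on `size` being unsigned; with a signed `size` the saturated value would read as -1, skip the cap and only be caught by `snd_BUG_ON(size % 8)`, i.e. the WARN this patch is trying to avoid. Worth a comment tying the cap to the saturating semantics so the ordering of the two checks is not changed later.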




* [PATCH 4.19 09/20] ALSA: pcm: Add stream lock during PCM reset ioctl operations
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jaroslav Kysela, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 1f68915b2efd0d6bfd6e124aa63c94b3c69f127c upstream.

snd_pcm_reset() is a non-atomic operation, and it's allowed to run
while the PCM stream is running.  It implies that the manipulation of
hw_ptr and other parameters might be racy.

This patch adds the PCM stream lock at appropriate places in
snd_pcm_*_reset() actions for covering that.

Cc: <stable@vger.kernel.org>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20220322171325.4355-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/pcm_native.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -1648,21 +1648,25 @@ static int snd_pcm_do_reset(struct snd_p
 	int err = substream->ops->ioctl(substream, SNDRV_PCM_IOCTL1_RESET, NULL);
 	if (err < 0)
 		return err;
+	snd_pcm_stream_lock_irq(substream);
 	runtime->hw_ptr_base = 0;
 	runtime->hw_ptr_interrupt = runtime->status->hw_ptr -
 		runtime->status->hw_ptr % runtime->period_size;
 	runtime->silence_start = runtime->status->hw_ptr;
 	runtime->silence_filled = 0;
+	snd_pcm_stream_unlock_irq(substream);
 	return 0;
 }
 
 static void snd_pcm_post_reset(struct snd_pcm_substream *substream, int state)
 {
 	struct snd_pcm_runtime *runtime = substream->runtime;
+	snd_pcm_stream_lock_irq(substream);
 	runtime->control->appl_ptr = runtime->status->hw_ptr;
 	if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK &&
 	    runtime->silence_size > 0)
 		snd_pcm_playback_silence(substream, ULONG_MAX);
+	snd_pcm_stream_unlock_irq(substream);
 }
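Review bot: snd_pcm_do_reset() still issues the driver's SNDRV_PCM_IOCTL1_RESET outside the lock and only then takes it to recompute hw_ptr_base from runtime->status->hw_ptr; on a running stream the pointer can advance in that window, so the recalculation is self-consistent but may not correspond to the instant of the driver reset. If that is acceptable (the driver callback is presumably allowed to sleep and so cannot sit under the irq-disabled lock), a short comment saying so would pre-empt the next person moving the lock above the ioctl call.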
 
 static const struct action_ops snd_pcm_action_reset = {




* [PATCH 4.19 10/20] ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Takashi Iwai

From: Lars-Peter Clausen <lars@metafoo.de>

commit 0f306cca42fe879694fb5e2382748c43dc9e0196 upstream.

For the RODE NT-USB the lowest Playback mixer volume setting mutes the
audio output. But it is not reported as such causing e.g. PulseAudio to
accidentally mute the device when selecting a low volume.

Fix this by applying the existing quirk for this kind of issue when the
device is detected.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220311201400.235892-1-lars@metafoo.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/mixer_quirks.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -1997,9 +1997,10 @@ void snd_usb_mixer_fu_apply_quirk(struct
 		if (unitid == 7 && cval->control == UAC_FU_VOLUME)
 			snd_dragonfly_quirk_db_scale(mixer, cval, kctl);
 		break;
-	/* lowest playback value is muted on C-Media devices */
-	case USB_ID(0x0d8c, 0x000c):
-	case USB_ID(0x0d8c, 0x0014):
+	/* lowest playback value is muted on some devices */
+	case USB_ID(0x0d8c, 0x000c): /* C-Media */
+	case USB_ID(0x0d8c, 0x0014): /* C-Media */
+	case USB_ID(0x19f7, 0x0003): /* RODE NT-USB */
 		if (strstr(kctl->id.name, "Playback"))
 			cval->min_mute = 1;
 		break;
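
Review bot: the new RODE case keys the quirk only on `strstr(kctl->id.name, "Playback")`, whereas the dragonfly case just above it additionally requires `cval->control == UAC_FU_VOLUME` before touching the control; if `min_mute` is only meaningful for volume controls, mirroring that condition (or a comment saying why a name match is enough here) would keep the two quirks consistent and stop the flag from being set on any other "Playback" feature-unit control the device exposes.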




* [PATCH 4.19 11/20] ALSA: cmipci: Restore aux vol on suspend/resume
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2022-03-25 15:04 ` [PATCH 4.19 10/20] ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB Greg Kroah-Hartman
@ 2022-03-25 15:04 ` Greg Kroah-Hartman
  2022-03-25 15:04 ` [PATCH 4.19 12/20] ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jonathan Teh, Takashi Iwai

From: Jonathan Teh <jonathan.teh@outlook.com>

commit c14231cc04337c2c2a937db084af342ce704dbde upstream.

Save and restore CM_REG_AUX_VOL instead of register 0x24 twice on
suspend/resume.

Tested on CMI8738LX.

Fixes: cb60e5f5b2b1 ("[ALSA] cmipci - Add PM support")
Signed-off-by: Jonathan Teh <jonathan.teh@outlook.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/DBAPR04MB7366CB3EA9C8521C35C56E8B920E9@DBAPR04MB7366.eurprd04.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/cmipci.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/sound/pci/cmipci.c
+++ b/sound/pci/cmipci.c
@@ -315,7 +315,6 @@ MODULE_PARM_DESC(joystick_port, "Joystic
 #define CM_MICGAINZ		0x01	/* mic boost */
 #define CM_MICGAINZ_SHIFT	0
 
-#define CM_REG_MIXER3		0x24
 #define CM_REG_AUX_VOL		0x26
 #define CM_VAUXL_MASK		0xf0
 #define CM_VAUXR_MASK		0x0f
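
Review bot: dropping the `CM_REG_MIXER3` define is only safe if the `saved_regs[]` entry was its last user in cmipci.c; the diffstat (one insertion, two deletions) shows nothing else in the file changed, so a leftover reference would have failed to build, and the build reports later in this thread say it did not. A sentence in the commit message stating that 0x24 and 0x26 are distinct 8-bit registers (the `CM_VAUXL_MASK`/`CM_VAUXR_MASK` nibble masks make that clear for 0x26) would make the Fixes: rationale self-contained.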
@@ -3326,7 +3325,7 @@ static void snd_cmipci_remove(struct pci
  */
 static unsigned char saved_regs[] = {
 	CM_REG_FUNCTRL1, CM_REG_CHFORMAT, CM_REG_LEGACY_CTRL, CM_REG_MISC_CTRL,
-	CM_REG_MIXER0, CM_REG_MIXER1, CM_REG_MIXER2, CM_REG_MIXER3, CM_REG_PLL,
+	CM_REG_MIXER0, CM_REG_MIXER1, CM_REG_MIXER2, CM_REG_AUX_VOL, CM_REG_PLL,
 	CM_REG_CH0_FRAME1, CM_REG_CH0_FRAME2,
 	CM_REG_CH1_FRAME1, CM_REG_CH1_FRAME2, CM_REG_EXT_MISC,
 	CM_REG_INT_STATUS, CM_REG_INT_HLDCLR, CM_REG_FUNCTRL0,




* [PATCH 4.19 12/20] ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2022-03-25 15:04 ` [PATCH 4.19 11/20] ALSA: cmipci: Restore aux vol on suspend/resume Greg Kroah-Hartman
@ 2022-03-25 15:04 ` Greg Kroah-Hartman
  2022-03-25 15:04 ` [PATCH 4.19 13/20] drivers: net: xgene: Fix regression in CRC stripping Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Giacomo Guiduzzi, Paolo Valente,
	Takashi Iwai

From: Giacomo Guiduzzi <guiduzzi.giacomo@gmail.com>

commit 17aaf0193392cb3451bf0ac75ba396ec4cbded6e upstream.

Tests 72 and 78 for ALSA in kselftest fail due to reading
inconsistent values from some devices on a VirtualBox
Virtual Machine using the snd_intel8x0 driver for the AC'97
Audio Controller device.
Taking for example test number 72, this is what the test reports:
"Surround Playback Volume.0 expected 1 but read 0, is_volatile 0"
"Surround Playback Volume.1 expected 0 but read 1, is_volatile 0"
These errors repeat for each value from 0 to 31.

Taking a look at these error messages, it is possible to notice
that the written values are read back swapped.
When the write is performed, these values are initially stored in
an array used to sanity-check them and write them in the pcmreg
array. To write them, the two one-byte values are packed together
in a two-byte variable through bitwise operations: the first
value is shifted left by one byte and the second value is stored in the
right byte through a bitwise OR. When reading the values back,
right shifts are performed to retrieve the previously stored
bytes. These shifts are executed in the wrong order, thus
reporting the values swapped as shown above.

This patch fixes this mistake by reversing the read
operations' order.

Signed-off-by: Giacomo Guiduzzi <guiduzzi.giacomo@gmail.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220322200653.15862-1-guiduzzi.giacomo@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/ac97/ac97_codec.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/pci/ac97/ac97_codec.c
+++ b/sound/pci/ac97/ac97_codec.c
@@ -958,8 +958,8 @@ static int snd_ac97_ad18xx_pcm_get_volum
 	int codec = kcontrol->private_value & 3;
 	
 	mutex_lock(&ac97->page_mutex);
-	ucontrol->value.integer.value[0] = 31 - ((ac97->spec.ad18xx.pcmreg[codec] >> 0) & 31);
-	ucontrol->value.integer.value[1] = 31 - ((ac97->spec.ad18xx.pcmreg[codec] >> 8) & 31);
+	ucontrol->value.integer.value[0] = 31 - ((ac97->spec.ad18xx.pcmreg[codec] >> 8) & 31);
+	ucontrol->value.integer.value[1] = 31 - ((ac97->spec.ad18xx.pcmreg[codec] >> 0) & 31);
 	mutex_unlock(&ac97->page_mutex);
 	return 0;
 }
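
Review bot: the reversed shifts now read `value[0]` from the high byte, which the commit message says is where the put side stores the first channel; since the pack and unpack halves live in different functions and only one of them is in this diff, a one-line comment at the `pcmreg[codec]` pack site (or a shared macro for the byte order) would stop the two from drifting apart again. The failing kselftest cases 72 and 78 quoted in the message are the regression test for this and deserve a mention as such.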



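
The packing the message describes, as an added example in user-space C that is not the driver's code: `pack_pcmreg` stores the first channel in the high byte and the second in the low byte, each inverted as `31 - volume`, and the two decoders are the reader before and after the fix. The write-then-read-back sweep plays the role of the kselftest cases 72 and 78 quoted above. All names are the example's own; the 5-bit width and the inversion follow the `31 - (... & 31)` in the hunk.

```c
#include <stdint.h>

/* Hypothetical model of the AD18xx pcmreg packing: two 5-bit attenuation
 * values share one 16-bit register, first channel in the high byte, second
 * in the low byte, each stored inverted (31 - volume). */
#define VOL_MAX 31

uint16_t pack_pcmreg(unsigned left, unsigned right)
{
	unsigned l = VOL_MAX - (left & VOL_MAX);
	unsigned r = VOL_MAX - (right & VOL_MAX);

	return (uint16_t)((l << 8) | r);
}

/* Reader before the fix: shifts in the wrong order, so the channels swap. */
void unpack_pcmreg_buggy(uint16_t reg, unsigned *left, unsigned *right)
{
	*left  = VOL_MAX - ((reg >> 0) & VOL_MAX);
	*right = VOL_MAX - ((reg >> 8) & VOL_MAX);
}

/* Reader after the fix: high byte first, matching pack_pcmreg(). */
void unpack_pcmreg_fixed(uint16_t reg, unsigned *left, unsigned *right)
{
	*left  = VOL_MAX - ((reg >> 8) & VOL_MAX);
	*right = VOL_MAX - ((reg >> 0) & VOL_MAX);
}

/* Write-then-read-back sweep over every (left, right) pair, in the spirit of
 * the kselftest cases: returns how many pairs fail to round-trip. */
unsigned count_roundtrip_failures(void (*unpack)(uint16_t, unsigned *, unsigned *))
{
	unsigned failures = 0;

	for (unsigned l = 0; l <= VOL_MAX; l++) {
		for (unsigned r = 0; r <= VOL_MAX; r++) {
			unsigned gl, gr;

			unpack(pack_pcmreg(l, r), &gl, &gr);
			if (gl != l || gr != r)
				failures++;
		}
	}
	return failures;
}
```

The buggy decoder only round-trips the 32 pairs where both channels are equal, which is why a test that writes the same value to both channels would never have caught this; the kselftest cases write distinct values.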

* [PATCH 4.19 13/20] drivers: net: xgene: Fix regression in CRC stripping
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2022-03-25 15:04 ` [PATCH 4.19 12/20] ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec Greg Kroah-Hartman
@ 2022-03-25 15:04 ` Greg Kroah-Hartman
  2022-03-25 15:04 ` [PATCH 4.19 14/20] netfilter: nf_tables: initialize registers in nft_do_chain() Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Stephane Graber, Jakub Kicinski

From: Stephane Graber <stgraber@ubuntu.com>

commit e9e6faeafaa00da1851bcf47912b0f1acae666b4 upstream.

All packets on ingress (except for jumbo) are terminated with a 4-bytes
CRC checksum. It's the responsibility of the driver to strip those 4
bytes. Unfortunately a change dating back to March 2017 re-shuffled some
code and made the CRC stripping code effectively dead.

This change re-orders that part a bit such that the datalen is
immediately altered if needed.

Fixes: 4902a92270fb ("drivers: net: xgene: Add workaround for errata 10GE_8/ENET_11")
Cc: stable@vger.kernel.org
Signed-off-by: Stephane Graber <stgraber@ubuntu.com>
Tested-by: Stephane Graber <stgraber@ubuntu.com>
Link: https://lore.kernel.org/r/20220322224205.752795-1-stgraber@ubuntu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/apm/xgene/xgene_enet_main.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
+++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
@@ -707,6 +707,12 @@ static int xgene_enet_rx_frame(struct xg
 	buf_pool->rx_skb[skb_index] = NULL;
 
 	datalen = xgene_enet_get_data_len(le64_to_cpu(raw_desc->m1));
+
+	/* strip off CRC as HW isn't doing this */
+	nv = GET_VAL(NV, le64_to_cpu(raw_desc->m0));
+	if (!nv)
+		datalen -= 4;
+
 	skb_put(skb, datalen);
 	prefetch(skb->data - NET_IP_ALIGN);
 	skb->protocol = eth_type_trans(skb, ndev);
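
Review bot: `datalen -= 4` trusts the length field from the descriptor with no lower bound; if `xgene_enet_get_data_len()` ever reports fewer than 4 bytes for a non-jumbo frame (a short or corrupted descriptor), the subtraction wraps or goes negative depending on datalen's type and hands an oversized length to `skb_put()`, which panics on tail overrun. A guard before the subtraction that drops the frame and counts an rx error when `datalen < ETH_FCS_LEN`, and spelling the constant as `ETH_FCS_LEN` rather than `4`, would make this robust. The placement itself is right: `skb_put()` and `eth_type_trans()` must see the stripped length.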
@@ -728,12 +734,8 @@ static int xgene_enet_rx_frame(struct xg
 		}
 	}
 
-	nv = GET_VAL(NV, le64_to_cpu(raw_desc->m0));
-	if (!nv) {
-		/* strip off CRC as HW isn't doing this */
-		datalen -= 4;
+	if (!nv)
 		goto skip_jumbo;
-	}
 
 	slots = page_pool->slots - 1;
 	head = page_pool->head;
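
Review bot: `if (!nv) goto skip_jumbo;` now tests a variable assigned a full block earlier, and the comment that used to explain the branch moved with the CRC code, so nothing here says why non-jumbo frames skip the `page_pool` slot handling below; a short comment at the jump (single-buffer frame, nothing to collect from the page pool) would help the next reader.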




* [PATCH 4.19 14/20] netfilter: nf_tables: initialize registers in nft_do_chain()
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2022-03-25 15:04 ` [PATCH 4.19 13/20] drivers: net: xgene: Fix regression in CRC stripping Greg Kroah-Hartman
@ 2022-03-25 15:04 ` Greg Kroah-Hartman
  2022-03-25 15:04 ` [PATCH 4.19 15/20] ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pablo Neira Ayuso

From: Pablo Neira Ayuso <pablo@netfilter.org>

commit 4c905f6740a365464e91467aa50916555b28213d upstream.

Initialize registers to avoid stack leak into userspace.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nf_tables_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -144,7 +144,7 @@ nft_do_chain(struct nft_pktinfo *pkt, vo
 	struct nft_rule *const *rules;
 	const struct nft_rule *rule;
 	const struct nft_expr *expr, *last;
-	struct nft_regs regs;
+	struct nft_regs regs = {};
 	unsigned int stackptr = 0;
 	struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];
 	bool genbit = READ_ONCE(net->nft.gencursor);
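
Review bot: the zero-initialisation is the right fix for the register file, but the next declaration, `struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];`, stays uninitialised on the same stack frame; that is fine because entries are only read below `stackptr` after being written, but a comment saying so would pre-empt the next "why not this one too" question. The commit message also only says "stack leak into userspace" without naming which expression path copies unwritten registers out; for a stable backport a sentence on that, or a reference, would help reviewers judge severity.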



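
What the single `= {}` buys here, as an added user-space model that is not kernel code and not part of this patch: a register file declared on the stack starts out holding whatever the previous call left there, and an expression that reads a register no earlier expression wrote carries those bytes into the packet. `do_chain`, `expr_load`, `expr_store`, `NREGS` and `STALE` are this model's names, the two-rule chain is hypothetical, and the stale stack contents are written explicitly so the result does not depend on undefined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of an nf_tables-style register file. The real
 * struct nft_regs lives in include/net/netfilter/nf_tables.h; this
 * stand-in only has the 32-bit data registers. */
#define NREGS 20
#define STALE 0xDEADBEEFu	/* stands in for a previous call's stack contents */

struct regs {
	uint32_t data[NREGS];
};

/* Rule 1: an expression writes register 1 (think: a payload load). */
static void expr_load(struct regs *r)
{
	r->data[1] = 0x1234;
}

/* Rule 2: an expression copies registers 1 and 2 into the packet
 * (think: a payload store). Nobody ever wrote register 2. */
static void expr_store(const struct regs *r, uint32_t pkt[2])
{
	pkt[0] = r->data[1];
	pkt[1] = r->data[2];
}

/* What 'struct nft_regs regs;' inherits from the previous stack user.
 * Done explicitly so the result does not depend on compiler or ABI. */
static void dirty_stack_slot(struct regs *slot)
{
	for (int i = 0; i < NREGS; i++)
		slot->data[i] = STALE;
}

/* Evaluate the two-rule chain and return what reached the packet from
 * the never-written register 2. zero_init mirrors the '= {}' in the fix. */
uint32_t do_chain(bool zero_init)
{
	struct regs regs;
	uint32_t pkt[2];

	dirty_stack_slot(&regs);
	if (zero_init)
		memset(&regs, 0, sizeof(regs));

	expr_load(&regs);
	expr_store(&regs, pkt);
	return pkt[1];
}

/* 1 if the stale word leaked into the packet. */
int leaks_stack(bool zero_init)
{
	return do_chain(zero_init) == STALE;
}
```

Zero-initialising with `= {}` sets every named member, which is enough for `struct nft_regs` (a union over a `u32` array). For a struct that contains padding and is later copied to user space, `memset()` is the safer spelling, since C does not promise that an initialiser zeroes padding bytes.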

* [PATCH 4.19 15/20] ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2022-03-25 15:04 ` [PATCH 4.19 14/20] netfilter: nf_tables: initialize registers in nft_do_chain() Greg Kroah-Hartman
@ 2022-03-25 15:04 ` Greg Kroah-Hartman
  2022-03-25 15:04 ` [PATCH 4.19 16/20] ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3 Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Cilissen, Hans de Goede,
	Rafael J. Wysocki

From: Mark Cilissen <mark@yotsuba.nl>

commit e702196bf85778f2c5527ca47f33ef2e2fca8297 upstream.

On this board the ACPI RSDP structure points to both a RSDT and an XSDT,
but the XSDT points to a truncated FADT. This causes all sorts of trouble
and usually a complete failure to boot after the following error occurs:

  ACPI Error: Unsupported address space: 0x20 (*/hwregs-*)
  ACPI Error: AE_SUPPORT, Unable to initialize fixed events (*/evevent-*)
  ACPI: Unable to start ACPI Interpreter

This leaves the ACPI implementation in such a broken state that subsequent
kernel subsystem initialisations go wrong, resulting in among others
mismapped PCI memory, SATA and USB enumeration failures, and freezes.

As this is an older embedded platform that will likely never see any BIOS
updates to address this issue and its default shipping OS only complies to
ACPI 1.0, work around this by forcing `acpi=rsdt`. This patch, applied on
top of Linux 5.10.102, was confirmed on real hardware to fix the issue.

Signed-off-by: Mark Cilissen <mark@yotsuba.nl>
Cc: All applicable <stable@vger.kernel.org>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/acpi/boot.c |   24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

--- a/arch/x86/kernel/acpi/boot.c
+++ b/arch/x86/kernel/acpi/boot.c
@@ -1351,6 +1351,17 @@ static int __init disable_acpi_pci(const
 	return 0;
 }
 
+static int __init disable_acpi_xsdt(const struct dmi_system_id *d)
+{
+	if (!acpi_force) {
+		pr_notice("%s detected: force use of acpi=rsdt\n", d->ident);
+		acpi_gbl_do_not_use_xsdt = TRUE;
+	} else {
+		pr_notice("Warning: DMI blacklist says broken, but acpi XSDT forced\n");
+	}
+	return 0;
+}
+
 static int __init dmi_disable_acpi(const struct dmi_system_id *d)
 {
 	if (!acpi_force) {
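
Review bot: the else-branch message `"Warning: DMI blacklist says broken, but acpi XSDT forced\n"` is misleading: `acpi_force` is set by `acpi=force`, which asks for ACPI to be used on blacklisted machines and says nothing about XSDT versus RSDT, so a user who passed `acpi=force` for an unrelated reason silently loses this quirk and gets a message about a choice they never made. Either apply the quirk regardless of `acpi_force` (an explicit `acpi=rsdt` already exists for users who want to choose themselves) or reword the message to say that `acpi=force` was given and the XSDT workaround is therefore not applied.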
@@ -1475,6 +1486,19 @@ static const struct dmi_system_id acpi_d
 		     DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
 		     },
 	 },
+	/*
+	 * Boxes that need ACPI XSDT use disabled due to corrupted tables
+	 */
+	{
+	 .callback = disable_acpi_xsdt,
+	 .ident = "Advantech DAC-BJ01",
+	 .matches = {
+		     DMI_MATCH(DMI_SYS_VENDOR, "NEC"),
+		     DMI_MATCH(DMI_PRODUCT_NAME, "Bearlake CRB Board"),
+		     DMI_MATCH(DMI_BIOS_VERSION, "V1.12"),
+		     DMI_MATCH(DMI_BIOS_DATE, "02/01/2011"),
+		     },
+	 },
 	{}
 };
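
Review bot: `.ident = "Advantech DAC-BJ01"` while the match strings are `DMI_MATCH(DMI_SYS_VENDOR, "NEC")` and `DMI_MATCH(DMI_PRODUCT_NAME, "Bearlake CRB Board")`, an Intel reference-board name, so the only thing tying the entry to that product is the commit message; a comment in the table saying that the board ships with this reference-board DMI and that the BIOS version and date are what make the match specific would save the next reader from assuming the entry is wrong. `DMI_MATCH` is a substring match, so `"V1.12"` and `"02/01/2011"` are doing the real narrowing here.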
 




* [PATCH 4.19 16/20] ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2022-03-25 15:04 ` [PATCH 4.19 15/20] ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board Greg Kroah-Hartman
@ 2022-03-25 15:04 ` Greg Kroah-Hartman
  2022-03-25 15:04 ` [PATCH 4.19 17/20] ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maximilian Luz, Rafael J. Wysocki

From: Maximilian Luz <luzmaximilian@gmail.com>

commit 7dacee0b9efc8bd061f097b1a8d4daa6591af0c6 upstream.

For some reason, the Microsoft Surface Go 3 uses the standard ACPI
interface for battery information, but does not use the standard PNP0C0A
HID. Instead it uses MSHW0146 as identifier. Add that ID to the driver
as this seems to work well.

Additionally, the power state is not updated immediately after the AC
has been (un-)plugged, so add the respective quirk for that.

Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/battery.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/acpi/battery.c
+++ b/drivers/acpi/battery.c
@@ -90,6 +90,10 @@ extern void *acpi_unlock_battery_dir(str
 
 static const struct acpi_device_id battery_device_ids[] = {
 	{"PNP0C0A", 0},
+
+	/* Microsoft Surface Go 3 */
+	{"MSHW0146", 0},
+
 	{"", 0},
 };
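
Review bot: adding `{"MSHW0146", 0}` to `battery_device_ids[]` binds the driver to that HID on any firmware that exposes it, with no DMI gating; that is the right call given the message says the device implements the standard interface, but the comment should say the HID is being treated as a PNP0C0A-compatible alias rather than a Surface-only quirk, so nobody later tries to restrict it to the Surface Go 3 by DMI.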
 
@@ -1416,6 +1420,14 @@ static const struct dmi_system_id bat_dm
 			DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad"),
 		},
 	},
+	{
+		/* Microsoft Surface Go 3 */
+		.callback = battery_notification_delay_quirk,
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "Microsoft Corporation"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "Surface Go 3"),
+		},
+	},
 	{},
 };
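
Review bot: `DMI_MATCH(DMI_PRODUCT_NAME, "Surface Go 3")` is a substring match, so it will also fire on any later product whose name merely contains that string; `DMI_EXACT_MATCH` exists for the case where only this model is meant, and `battery_notification_delay_quirk` is a behavioural change that should not spread to unrelated hardware by accident.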
 




* [PATCH 4.19 17/20] ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2022-03-25 15:04 ` [PATCH 4.19 16/20] ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3 Greg Kroah-Hartman
@ 2022-03-25 15:04 ` Greg Kroah-Hartman
  2022-03-25 15:04 ` [PATCH 4.19 18/20] crypto: qat - disable registration of algorithms Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Werner Sembach, Rafael J. Wysocki

From: Werner Sembach <wse@tuxedocomputers.com>

commit c844d22fe0c0b37dc809adbdde6ceb6462c43acf upstream.

Clevo NL5xRU and NL5xNU/TUXEDO Aura 15 Gen1 and Gen2 have both a working
native and video interface. However the default detection mechanism first
registers the video interface before unregistering it again and switching
to the native interface during boot. This results in a dangling SBIOS
request for backlight change for some reason, causing the backlight to
switch to ~2% once per boot on the first power cord connect or disconnect
event. Setting the native interface explicitly circumvents this buggy
behaviour by avoiding the unregistering process.

Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/video_detect.c |   75 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)

--- a/drivers/acpi/video_detect.c
+++ b/drivers/acpi/video_detect.c
@@ -356,6 +356,81 @@ static const struct dmi_system_id video_
 		DMI_MATCH(DMI_BOARD_NAME, "BA51_MV"),
 		},
 	},
+	/*
+	 * Clevo NL5xRU and NL5xNU/TUXEDO Aura 15 Gen1 and Gen2 have both a
+	 * working native and video interface. However the default detection
+	 * mechanism first registers the video interface before unregistering
+	 * it again and switching to the native interface during boot. This
+	 * results in a dangling SBIOS request for backlight change for some
+	 * reason, causing the backlight to switch to ~2% once per boot on the
+	 * first power cord connect or disconnect event. Setting the native
+	 * interface explicitly circumvents this buggy behaviour, by avoiding
+	 * the unregistering process.
+	 */
+	{
+	.callback = video_detect_force_native,
+	.ident = "Clevo NL5xRU",
+	.matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
+		DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
+		},
+	},
+	{
+	.callback = video_detect_force_native,
+	.ident = "Clevo NL5xRU",
+	.matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"),
+		DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
+		},
+	},
+	{
+	.callback = video_detect_force_native,
+	.ident = "Clevo NL5xRU",
+	.matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
+		DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
+		},
+	},
+	{
+	.callback = video_detect_force_native,
+	.ident = "Clevo NL5xRU",
+	.matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
+		DMI_MATCH(DMI_BOARD_NAME, "AURA1501"),
+		},
+	},
+	{
+	.callback = video_detect_force_native,
+	.ident = "Clevo NL5xRU",
+	.matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
+		DMI_MATCH(DMI_BOARD_NAME, "EDUBOOK1502"),
+		},
+	},
+	{
+	.callback = video_detect_force_native,
+	.ident = "Clevo NL5xNU",
+	.matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
+		DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
+		},
+	},
+	{
+	.callback = video_detect_force_native,
+	.ident = "Clevo NL5xNU",
+	.matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"),
+		DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
+		},
+	},
+	{
+	.callback = video_detect_force_native,
+	.ident = "Clevo NL5xNU",
+	.matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
+		DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
+		},
+	},
 
 	/*
 	 * Desktops which falsely report a backlight and which our heuristics
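
Review bot: five of the eight new entries carry `.ident = "Clevo NL5xRU"`, including the rows matching `DMI_BOARD_NAME` `"AURA1501"` and `"EDUBOOK1502"`, and `.ident` is the label the table reports when a quirk fires, so a user on an Aura or EduBook will see a message naming a different model; give each row an ident matching its board string. The ten-line rationale comment also repeats the commit message verbatim; the symptom in one sentence plus a pointer to the commit would keep the table readable.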




* [PATCH 4.19 18/20] crypto: qat - disable registration of algorithms
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2022-03-25 15:04 ` [PATCH 4.19 17/20] ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU Greg Kroah-Hartman
@ 2022-03-25 15:04 ` Greg Kroah-Hartman
  2022-03-25 15:04 ` [PATCH 4.19 19/20] mac80211: fix potential double free on mesh join Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Giovanni Cabiddu, Herbert Xu

From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>

commit 8893d27ffcaf6ec6267038a177cb87bcde4dd3de upstream.

The implementations of aead and skcipher in the QAT driver do not
properly support requests with the CRYPTO_TFM_REQ_MAY_BACKLOG flag set.
If the HW queue is full, the driver returns -EBUSY but does not enqueue
the request.
This can result in applications like dm-crypt waiting indefinitely for a
completion of a request that was never submitted to the hardware.

To avoid this problem, disable the registration of all crypto algorithms
in the QAT driver by setting the number of crypto instances to 0 at
configuration time.

Cc: stable@vger.kernel.org
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/qat/qat_common/qat_crypto.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/crypto/qat/qat_common/qat_crypto.c
+++ b/drivers/crypto/qat/qat_common/qat_crypto.c
@@ -170,6 +170,14 @@ int qat_crypto_dev_config(struct adf_acc
 		goto err;
 	if (adf_cfg_section_add(accel_dev, "Accelerator0"))
 		goto err;
+
+	/* Temporarily set the number of crypto instances to zero to avoid
+	 * registering the crypto algorithms.
+	 * This will be removed when the algorithms will support the
+	 * CRYPTO_TFM_REQ_MAY_BACKLOG flag
+	 */
+	instances = 0;
+
 	for (i = 0; i < instances; i++) {
 		val = i;
 		snprintf(key, sizeof(key), ADF_CY "%d" ADF_RING_BANK_NUM, i);
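
Review bot: `instances = 0;` silently discards the instance count computed earlier in `qat_crypto_dev_config()`, turns the `for (i = 0; i < instances; i++)` loop into dead code, and still creates the `"Accelerator0"` section just above; nothing tells an administrator why the qat algorithms vanished from /proc/crypto. A `dev_info()` at this point (or a line of Kconfig help) stating that the algorithms are disabled pending MAY_BACKLOG support, plus a pointer to the follow-up that re-enables them once it exists, would make the change discoverable. Disabling is still the safe choice: a request dropped on -EBUSY is a hang in dm-crypt, as the message says.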



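
The contract the message relies on, as an added model in user-space C that is neither the QAT driver nor the crypto API: with `CRYPTO_TFM_REQ_MAY_BACKLOG` set, a driver whose hardware queue is full must hold the request on a backlog and only then return -EBUSY, which the caller reads as "accepted, wait for the completion"; returning -EBUSY without queueing leaves the caller waiting for a completion that never comes. Queue depths, the `submit_*` names and the caller loop are the model's assumptions.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical model of the submit contract. HW_DEPTH and MAX_REQS are
 * the model's, not the QAT driver's. */
#define HW_DEPTH        2
#define MAX_REQS        8
#define REQ_MAY_BACKLOG 0x1	/* stands in for CRYPTO_TFM_REQ_MAY_BACKLOG */

struct req { unsigned flags; int completed; };

struct dev {
	struct req *hw[HW_DEPTH];
	int hw_len;
	struct req *backlog[MAX_REQS];
	int backlog_len;
};

/* Driver before the fix: full queue -> -EBUSY, request dropped on the floor. */
int submit_buggy(struct dev *d, struct req *r)
{
	if (d->hw_len == HW_DEPTH)
		return -EBUSY;
	d->hw[d->hw_len++] = r;
	return -EINPROGRESS;
}

/* Driver honouring the contract: queue on the backlog before saying -EBUSY. */
int submit_fixed(struct dev *d, struct req *r)
{
	if (d->hw_len < HW_DEPTH) {
		d->hw[d->hw_len++] = r;
		return -EINPROGRESS;
	}
	if (!(r->flags & REQ_MAY_BACKLOG) || d->backlog_len == MAX_REQS)
		return -EBUSY;		/* not queued: caller must retry (model's choice) */
	d->backlog[d->backlog_len++] = r;
	return -EBUSY;			/* queued on the backlog: caller waits */
}

/* Hardware finishes the oldest request; the driver refills from the backlog. */
static void complete_one(struct dev *d)
{
	if (!d->hw_len)
		return;
	d->hw[0]->completed = 1;
	for (int i = 1; i < d->hw_len; i++)
		d->hw[i - 1] = d->hw[i];
	d->hw_len--;
	if (d->backlog_len) {
		d->hw[d->hw_len++] = d->backlog[0];
		for (int i = 1; i < d->backlog_len; i++)
			d->backlog[i - 1] = d->backlog[i];
		d->backlog_len--;
	}
}

struct outcome { int waited; int completed; };

/* Caller in the dm-crypt style: submit n backloggable requests, treat both
 * -EINPROGRESS and -EBUSY as "wait for completion", then let the hardware
 * run until idle. */
static struct outcome simulate(int (*submit)(struct dev *, struct req *), int n)
{
	struct dev d = { {0}, 0, {0}, 0 };
	struct req reqs[MAX_REQS] = { {0, 0} };
	struct outcome o = { 0, 0 };

	if (n > MAX_REQS)
		n = MAX_REQS;
	for (int i = 0; i < n; i++) {
		int rc;

		reqs[i].flags = REQ_MAY_BACKLOG;
		rc = submit(&d, &reqs[i]);
		if (rc == -EINPROGRESS || rc == -EBUSY)
			o.waited++;
	}
	while (d.hw_len)
		complete_one(&d);
	for (int i = 0; i < n; i++)
		o.completed += reqs[i].completed;
	return o;
}

int completed_after_drain(int (*submit)(struct dev *, struct req *), int n)
{
	return simulate(submit, n).completed;
}

/* Requests the caller is still waiting on after the hardware went idle. */
int stranded_after_drain(int (*submit)(struct dev *, struct req *), int n)
{
	struct outcome o = simulate(submit, n);

	return o.waited - o.completed;
}
```

In the real API the driver also completes a backlogged request once with -EINPROGRESS when it moves from the backlog into the hardware queue, before the final completion; the model skips that step. The fixed path is the behaviour of the generic `crypto_enqueue_request()` helper, not QAT-specific code.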

* [PATCH 4.19 19/20] mac80211: fix potential double free on mesh join
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2022-03-25 15:04 ` [PATCH 4.19 18/20] crypto: qat - disable registration of algorithms Greg Kroah-Hartman
@ 2022-03-25 15:04 ` Greg Kroah-Hartman
  2022-03-25 15:04 ` [PATCH 4.19 20/20] nds32: fix access_ok() checks in get/put_user Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kretschmer,
	Linus Lüssing, Johannes Berg

From: Linus Lüssing <ll@simonwunderlich.de>

commit 4a2d4496e15ea5bb5c8e83b94ca8ca7fb045e7d3 upstream.

While commit 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving
mesh") fixed a memory leak on mesh leave / teardown it introduced a
potential memory corruption caused by a double free when rejoining the
mesh:

  ieee80211_leave_mesh()
  -> kfree(sdata->u.mesh.ie);
  ...
  ieee80211_join_mesh()
  -> copy_mesh_setup()
     -> old_ie = ifmsh->ie;
     -> kfree(old_ie);

This double free / kernel panic can be reproduced by using wpa_supplicant
with an encrypted mesh (if set up without encryption via "iw" then
ifmsh->ie is always NULL, which avoids this issue). And then calling:

  $ iw dev mesh0 mesh leave
  $ iw dev mesh0 mesh join my-mesh

Note that typically these commands are not used / working when using
wpa_supplicant. And it seems that wpa_supplicant or wpa_cli are going
through a NETDEV_DOWN/NETDEV_UP cycle between a mesh leave and mesh join
where the NETDEV_UP resets the mesh.ie to NULL via a memcpy of
default_mesh_setup in cfg80211_netdev_notifier_call, which then avoids
the memory corruption, too.

The issue was first observed in an application which was not using
wpa_supplicant but "Senf" instead, which implements its own calls to
nl80211.

Fixing the issue by removing the kfree()'ing of the mesh IE in the mesh
join function and leaving it solely up to the mesh leave to free the
mesh IE.

Cc: stable@vger.kernel.org
Fixes: 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving mesh")
Reported-by: Matthias Kretschmer <mathias.kretschmer@fit.fraunhofer.de>
Signed-off-by: Linus Lüssing <ll@simonwunderlich.de>
Tested-by: Mathias Kretschmer <mathias.kretschmer@fit.fraunhofer.de>
Link: https://lore.kernel.org/r/20220310183513.28589-1-linus.luessing@c0d3.blue
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/cfg.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1823,13 +1823,11 @@ static int copy_mesh_setup(struct ieee80
 		const struct mesh_setup *setup)
 {
 	u8 *new_ie;
-	const u8 *old_ie;
 	struct ieee80211_sub_if_data *sdata = container_of(ifmsh,
 					struct ieee80211_sub_if_data, u.mesh);
 
 	/* allocate information elements */
 	new_ie = NULL;
-	old_ie = ifmsh->ie;
 
 	if (setup->ie_len) {
 		new_ie = kmemdup(setup->ie, setup->ie_len,
@@ -1839,7 +1837,6 @@ static int copy_mesh_setup(struct ieee80
 	}
 	ifmsh->ie_len = setup->ie_len;
 	ifmsh->ie = new_ie;
-	kfree(old_ie);
 
 	/* now copy the rest of the setup parameters */
 	ifmsh->mesh_id_len = setup->mesh_id_len;
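
Review bot: with `kfree(old_ie)` gone, `copy_mesh_setup()` now assumes `ifmsh->ie` is either NULL or already freed by `ieee80211_leave_mesh()`, but per the commit message leave only frees it and does not clear it, so between leave and the next join the pointer is dangling. Having leave set `ifmsh->ie = NULL` and `ifmsh->ie_len = 0` after the kfree would close that window (a second leave, or anything reading `ie`/`ie_len` in between, would otherwise touch freed memory) and would make the ownership rule explicit in the code: leave frees, join only allocates.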



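
The ownership rule the fix settles on (leave frees, join only allocates), as an added model in user-space C that is not mac80211 code: a bump allocator over a static arena replaces kmalloc/kfree so that the second free shows up as a counter instead of a crash, and `mesh_join_buggy` / `mesh_join_fixed` are the `copy_mesh_setup()` logic before and after the hunk. The IE bytes are constructed and all names are the model's.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical tracking allocator: every allocation gets a fresh slot and
 * freeing a slot that is not live is counted rather than corrupting a heap. */
#define NBUF  4
#define BUFSZ 64
static uint8_t arena[NBUF][BUFSZ];
static int live[NBUF];
static int next_slot;
static int double_frees;

static void *model_kmemdup(const void *src, size_t n)
{
	if (n > BUFSZ || next_slot == NBUF)
		return NULL;
	memcpy(arena[next_slot], src, n);
	live[next_slot] = 1;
	return arena[next_slot++];
}

static void model_kfree(const void *p)
{
	if (!p)
		return;			/* kfree(NULL) is a no-op */
	for (int i = 0; i < NBUF; i++) {
		if (p != arena[i])
			continue;
		if (!live[i])
			double_frees++;	/* second free of the same slot */
		live[i] = 0;
		return;
	}
}

struct mesh_setup  { const uint8_t *ie; size_t ie_len; };	/* the join request */
struct mesh_config { uint8_t *ie; size_t ie_len; };		/* ifmsh->ie / ie_len */

/* Leave: frees the IE, as the message says ieee80211_leave_mesh() does
 * since 6a01afcf8468. The pointer is deliberately left in place. */
void mesh_leave(struct mesh_config *ifmsh)
{
	model_kfree(ifmsh->ie);
}

/* Join before the fix: copy the new IE, then free whatever ie pointed at. */
int mesh_join_buggy(struct mesh_config *ifmsh, const struct mesh_setup *s)
{
	uint8_t *new_ie = NULL;
	const uint8_t *old_ie = ifmsh->ie;

	if (s->ie_len) {
		new_ie = model_kmemdup(s->ie, s->ie_len);
		if (!new_ie)
			return -ENOMEM;
	}
	ifmsh->ie_len = s->ie_len;
	ifmsh->ie = new_ie;
	model_kfree(old_ie);		/* double free after a leave */
	return 0;
}

/* Join after the fix: allocation only; freeing the old IE is leave's job. */
int mesh_join_fixed(struct mesh_config *ifmsh, const struct mesh_setup *s)
{
	uint8_t *new_ie = NULL;

	if (s->ie_len) {
		new_ie = model_kmemdup(s->ie, s->ie_len);
		if (!new_ie)
			return -ENOMEM;
	}
	ifmsh->ie_len = s->ie_len;
	ifmsh->ie = new_ie;
	return 0;
}

/* join, leave, join again (the 'iw ... mesh leave / mesh join' sequence)
 * and report how many double frees the allocator saw. */
int double_frees_after_rejoin(int (*join)(struct mesh_config *,
					  const struct mesh_setup *))
{
	/* constructed stand-in for the RSN IE wpa_supplicant would pass */
	static const uint8_t ie[] = { 0x30, 0x02, 0x01, 0x00 };
	struct mesh_setup s = { ie, sizeof(ie) };
	struct mesh_config ifmsh = { NULL, 0 };

	memset(live, 0, sizeof(live));
	next_slot = 0;
	double_frees = 0;

	join(&ifmsh, &s);	/* first join: ie is NULL, nothing to free */
	mesh_leave(&ifmsh);	/* frees the IE, pointer left dangling */
	join(&ifmsh, &s);	/* rejoin */
	return double_frees;
}
```

Because the model never reuses a slot, the stale `ifmsh->ie` still points at the freed slot when the second join runs, which is what makes the double free visible. On a real slab cache the slot may already belong to another object by then, and the `kfree(old_ie)` frees that object's memory instead, which is why the message speaks of memory corruption rather than only a panic.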

* [PATCH 4.19 20/20] nds32: fix access_ok() checks in get/put_user
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2022-03-25 15:04 ` [PATCH 4.19 19/20] mac80211: fix potential double free on mesh join Greg Kroah-Hartman
@ 2022-03-25 15:04 ` Greg Kroah-Hartman
  2022-03-25 18:40 ` [PATCH 4.19 00/20] 4.19.237-rc1 review Pavel Machek
                   ` (6 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Greg Kroah-Hartman @ 2022-03-25 15:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Arnd Bergmann

From: Arnd Bergmann <arnd@arndb.de>

commit 8926d88ced46700bf6117ceaf391480b943ea9f4 upstream.

The get_user()/put_user() functions are meant to check for
access_ok(), while the __get_user()/__put_user() functions
don't.

This broke in 4.19 for nds32, when it gained an extraneous
check in __get_user(), but lost the check it needs in
__put_user().

Fixes: 487913ab18c2 ("nds32: Extract the checking and getting pointer to a macro")
Cc: stable@vger.kernel.org @ v4.19+
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/nds32/include/asm/uaccess.h |   22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

--- a/arch/nds32/include/asm/uaccess.h
+++ b/arch/nds32/include/asm/uaccess.h
@@ -75,9 +75,7 @@ static inline void set_fs(mm_segment_t f
  * versions are void (ie, don't return a value as such).
  */
 
-#define get_user	__get_user					\
-
-#define __get_user(x, ptr)						\
+#define get_user(x, ptr)						\
 ({									\
 	long __gu_err = 0;						\
 	__get_user_check((x), (ptr), __gu_err);				\
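
Review bot: the removed `#define get_user	__get_user					\` carried a line continuation onto the empty line that followed it, so the old alias silently swallowed that blank line; the replacement makes `get_user` a real macro built on `__get_user_check()`, which is the right shape and removes the latent quirk at the same time.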
@@ -90,6 +88,14 @@ static inline void set_fs(mm_segment_t f
 	(void)0;							\
 })
 
+#define __get_user(x, ptr)						\
+({									\
+	long __gu_err = 0;						\
+	const __typeof__(*(ptr)) __user *__p = (ptr);			\
+	__get_user_err((x), __p, (__gu_err));				\
+	__gu_err;							\
+})
+
 #define __get_user_check(x, ptr, err)					\
 ({									\
 	const __typeof__(*(ptr)) __user *__p = (ptr);			\
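
Review bot: the new `__get_user()` evaluates `ptr` exactly once into `__p` before handing it to `__get_user_err()`, which matters for macro arguments with side effects, and `__get_user_check()` directly below declares the same `const __typeof__(*(ptr)) __user *__p = (ptr);`; the absence of `access_ok()` here is intentional and matches the commit message, and a one-line comment saying "caller has done access_ok()" above the macro would make that explicit for the next reader.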
@@ -170,12 +176,18 @@ do {									\
 		: "r"(addr), "i"(-EFAULT)				\
 		: "cc")
 
-#define put_user	__put_user					\
+#define put_user(x, ptr)						\
+({									\
+	long __pu_err = 0;						\
+	__put_user_check((x), (ptr), __pu_err);				\
+	__pu_err;							\
+})
 
 #define __put_user(x, ptr)						\
 ({									\
 	long __pu_err = 0;						\
-	__put_user_err((x), (ptr), __pu_err);				\
+	__typeof__(*(ptr)) __user *__p = (ptr);				\
+	__put_user_err((x), __p, __pu_err);				\
 	__pu_err;							\
 })
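
Review bot: the commit message says the check was lost in `__put_user()`, but what this hunk shows is that `put_user` was a bare alias for the unchecked `__put_user` (`#define put_user	__put_user`), i.e. the checked variant was missing while the raw one behaved as designed; rewording that would stop a stable reviewer from expecting `__put_user` to gain an `access_ok()`. Since `__put_user()` stays unchecked, every direct `__put_user` caller on nds32 must already perform `access_ok()` itself, and the message does not say whether that audit was done.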
 



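
The contract the fix restores, as an added user-space model that is not nds32 code: `get_user`/`put_user` check `access_ok()` first, `__get_user`/`__put_user` go straight to the access and rely on the MMU fault path. The model maps a small user region and, deliberately, a mapped "kernel" page, so an unchecked store to a kernel address lands instead of faulting, which is exactly the hole a missing `access_ok()` leaves open. `TASK_SIZE`, `KERNEL_BASE`, the page sizes and the `model_*` names are assumptions of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical address-space model: user memory is backed at [0, USER_PAGES),
 * a kernel page is mapped at KERNEL_BASE, and addresses are plain numbers. */
#define TASK_SIZE   0x1000UL	/* user addresses are [0, TASK_SIZE) */
#define USER_PAGES  0x100UL
#define KERNEL_BASE 0x2000UL
#define KERNEL_SIZE 0x100UL

static uint8_t user_mem[USER_PAGES];
static uint8_t kernel_mem[KERNEL_SIZE];

/* Overflow-safe containment test: [addr, addr+len) inside [base, base+size). */
static int in_range(unsigned long addr, size_t len,
		    unsigned long base, size_t size)
{
	return addr >= base && len <= size && addr - base <= size - len;
}

/* access_ok(): the whole range must lie below TASK_SIZE. */
static int model_access_ok(unsigned long addr, size_t len)
{
	return in_range(addr, len, 0, TASK_SIZE);
}

/* Backing-store lookup; NULL plays the MMU fault that the exception-table
 * fixup turns into -EFAULT. */
static uint8_t *translate(unsigned long addr, size_t len)
{
	if (in_range(addr, len, 0, USER_PAGES))
		return user_mem + addr;
	if (in_range(addr, len, KERNEL_BASE, KERNEL_SIZE))
		return kernel_mem + (addr - KERNEL_BASE);
	return NULL;
}

/* __put_user()/__get_user(): raw accessors, the caller must have checked. */
int model___put_user_u32(uint32_t val, unsigned long addr)
{
	uint8_t *p = translate(addr, sizeof(val));

	if (!p)
		return -EFAULT;
	memcpy(p, &val, sizeof(val));
	return 0;
}

int model___get_user_u32(uint32_t *val, unsigned long addr)
{
	const uint8_t *p = translate(addr, sizeof(*val));

	if (!p)
		return -EFAULT;
	memcpy(val, p, sizeof(*val));
	return 0;
}

/* put_user()/get_user(): what the fix restores, access_ok() first. */
int model_put_user_u32(uint32_t val, unsigned long addr)
{
	if (!model_access_ok(addr, sizeof(val)))
		return -EFAULT;
	return model___put_user_u32(val, addr);
}

int model_get_user_u32(uint32_t *val, unsigned long addr)
{
	if (!model_access_ok(addr, sizeof(*val)))
		return -EFAULT;
	return model___get_user_u32(val, addr);
}

/* Helpers for inspecting the outcome: the first word of the kernel page, and
 * a put/get round trip through the checked accessors. */
uint32_t kernel_word(void)
{
	uint32_t v;

	memcpy(&v, kernel_mem, sizeof(v));
	return v;
}

int roundtrip_checked(uint32_t val, unsigned long addr)
{
	uint32_t back = 0;

	if (model_put_user_u32(val, addr))
		return 0;
	if (model_get_user_u32(&back, addr))
		return 0;
	return back == val;
}
```

`in_range()` does its arithmetic as `addr - base <= size - len` so a range that straddles `TASK_SIZE` or wraps past the end of the address space is rejected; a naive `addr + len < TASK_SIZE` accepts `~0UL` after the addition overflows. The unchecked `model___put_user_u32()` succeeding on `KERNEL_BASE` is the point: the MMU only faults on unmapped addresses, not on kernel ones.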

* Re: [PATCH 4.19 00/20] 4.19.237-rc1 review
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2022-03-25 15:04 ` [PATCH 4.19 20/20] nds32: fix access_ok() checks in get/put_user Greg Kroah-Hartman
@ 2022-03-25 18:40 ` Pavel Machek
  2022-03-25 23:25 ` Shuah Khan
                   ` (5 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Pavel Machek @ 2022-03-25 18:40 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	slade


Hi!

> This is the start of the stable review cycle for the 4.19.237 release.
> There are 20 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

CIP testing did not find any problems here:

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4.19.y

Tested-by: Pavel Machek (CIP) <pavel@denx.de>

Best regards,
                                                                Pavel

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



* Re: [PATCH 4.19 00/20] 4.19.237-rc1 review
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2022-03-25 18:40 ` [PATCH 4.19 00/20] 4.19.237-rc1 review Pavel Machek
@ 2022-03-25 23:25 ` Shuah Khan
  2022-03-26  3:46 ` Samuel Zou
                   ` (4 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Shuah Khan @ 2022-03-25 23:25 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, torvalds, akpm, linux, shuah, patches, lkft-triage,
	pavel, jonathanh, f.fainelli, sudipm.mukherjee, slade,
	Shuah Khan

On 3/25/22 9:04 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.237 release.
> There are 20 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun, 27 Mar 2022 15:04:08 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.237-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah


* Re: [PATCH 4.19 00/20] 4.19.237-rc1 review
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2022-03-25 23:25 ` Shuah Khan
@ 2022-03-26  3:46 ` Samuel Zou
  2022-03-26 14:04 ` Sudip Mukherjee
                   ` (3 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Samuel Zou @ 2022-03-26  3:46 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, torvalds, akpm, linux, shuah, patches, lkft-triage,
	pavel, jonathanh, f.fainelli, sudipm.mukherjee, slade



On 2022/3/25 23:04, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.237 release.
> There are 20 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun, 27 Mar 2022 15:04:08 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.237-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Tested on arm64 and x86 for 4.19.237-rc1,

Kernel repo:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Branch: linux-4.19.y
Version: 4.19.237-rc1
Commit: e9ab0e419effc3553386aca9d6c836f29b65bea9
Compiler: gcc version 7.3.0 (GCC)

arm64:
--------------------------------------------------------------------
Testcase Result Summary:
total: 8938
passed: 8938
failed: 0
timeout: 0
--------------------------------------------------------------------

x86:
--------------------------------------------------------------------
Testcase Result Summary:
total: 8938
passed: 8938
failed: 0
timeout: 0
--------------------------------------------------------------------

Tested-by: Hulk Robot <hulkrobot@huawei.com>


* Re: [PATCH 4.19 00/20] 4.19.237-rc1 review
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2022-03-26  3:46 ` Samuel Zou
@ 2022-03-26 14:04 ` Sudip Mukherjee
  2022-03-26 14:24 ` Naresh Kamboju
                   ` (2 subsequent siblings)
  26 siblings, 0 replies; 31+ messages in thread
From: Sudip Mukherjee @ 2022-03-26 14:04 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, slade

Hi Greg,

On Fri, Mar 25, 2022 at 04:04:38PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.237 release.
> There are 20 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun, 27 Mar 2022 15:04:08 +0000.
> Anything received after that time might be too late.

Build test:
mips (gcc version 11.2.1 20220314): 63 configs -> no new failure
arm (gcc version 11.2.1 20220314): 116 configs -> no new failure
arm64 (gcc version 11.2.1 20220314): 2 configs -> no failure
x86_64 (gcc version 11.2.1 20220314): 4 configs -> no failure

Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression. [1]

[1]. https://openqa.qa.codethink.co.uk/tests/938


Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>

--
Regards
Sudip



* Re: [PATCH 4.19 00/20] 4.19.237-rc1 review
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2022-03-26 14:04 ` Sudip Mukherjee
@ 2022-03-26 14:24 ` Naresh Kamboju
  2022-03-27  0:50 ` Guenter Roeck
  2022-03-28 14:24 ` Jon Hunter
  26 siblings, 0 replies; 31+ messages in thread
From: Naresh Kamboju @ 2022-03-26 14:24 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	slade

On Fri, 25 Mar 2022 at 20:37, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.19.237 release.
> There are 20 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 27 Mar 2022 15:04:08 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.237-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 4.19.237-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git branch: linux-4.19.y
* git commit: 3a6a2212011395b420629a2d46310bd935d18c76
* git describe: v4.19.236-21-g3a6a22120113
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.19.y/build/v4.19.236-21-g3a6a22120113

## Test Regressions (compared to v4.19.234-31-g4a3043563aa9)
No test regressions found.

## Metric Regressions (compared to v4.19.234-31-g4a3043563aa9)
No metric regressions found.

## Test Fixes (compared to v4.19.234-31-g4a3043563aa9)
No test fixes found.

## Metric Fixes (compared to v4.19.234-31-g4a3043563aa9)
No metric fixes found.

## Test result summary
total: 84118, pass: 67440, fail: 1087, skip: 13378, xfail: 2213

## Build Summary
* arm: 281 total, 275 passed, 6 failed
* arm64: 39 total, 39 passed, 0 failed
* dragonboard-410c: 1 total, 1 passed, 0 failed
* hi6220-hikey: 1 total, 1 passed, 0 failed
* i386: 19 total, 19 passed, 0 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 27 total, 27 passed, 0 failed
* powerpc: 60 total, 54 passed, 6 failed
* s390: 12 total, 12 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x15: 1 total, 1 passed, 0 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 38 total, 38 passed, 0 failed

## Test suites summary
* fwts
* igt-gpu-tools
* kselftest-android
* kselftest-arm64
* kselftest-bpf
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* rcutorture
* ssuite
* v4l2-compliance
* vdso

--
Linaro LKFT
https://lkft.linaro.org


* Re: [PATCH 4.19 00/20] 4.19.237-rc1 review
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2022-03-26 14:24 ` Naresh Kamboju
@ 2022-03-27  0:50 ` Guenter Roeck
  2022-03-28 14:24 ` Jon Hunter
  26 siblings, 0 replies; 31+ messages in thread
From: Guenter Roeck @ 2022-03-27  0:50 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, torvalds, akpm, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	slade

On Fri, Mar 25, 2022 at 04:04:38PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.237 release.
> There are 20 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun, 27 Mar 2022 15:04:08 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 156 pass: 156 fail: 0
Qemu test results:
	total: 425 pass: 425 fail: 0

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter


* Re: [PATCH 4.19 00/20] 4.19.237-rc1 review
  2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2022-03-27  0:50 ` Guenter Roeck
@ 2022-03-28 14:24 ` Jon Hunter
  26 siblings, 0 replies; 31+ messages in thread
From: Jon Hunter @ 2022-03-28 14:24 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Greg Kroah-Hartman, stable, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, slade, linux-tegra

On Fri, 25 Mar 2022 16:04:38 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.237 release.
> There are 20 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun, 27 Mar 2022 15:04:08 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.237-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests passing for Tegra ...

Test results for stable-v4.19:
    10 builds:	10 pass, 0 fail
    22 boots:	22 pass, 0 fail
    40 tests:	40 pass, 0 fail

Linux version:	4.19.237-rc1-g3a6a22120113
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Tested-by: Jon Hunter <jonathanh@nvidia.com>

Jon


* Re: [PATCH 4.19 01/20] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
  2022-03-25 15:04 ` [PATCH 4.19 01/20] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION Greg Kroah-Hartman
@ 2022-06-02 16:12   ` Pavel Machek
  2022-06-02 16:30     ` [External] : " Denis Efremov
  0 siblings, 1 reply; 31+ messages in thread
From: Pavel Machek @ 2022-06-02 16:12 UTC (permalink / raw)
  To: Greg Kroah-Hartman, theflamefire89
  Cc: linux-kernel, stable, Jordy Zomer, Krzysztof Kozlowski,
	David S. Miller, Denis Efremov

Hi!

> commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.
> 
> It appears that there are some buffer overflows in EVT_TRANSACTION.
> This happens because the length parameters that are passed to memcpy
> come directly from skb->data and are not guarded in any way.
> 
> Signed-off-by: Jordy Zomer <jordy@pwning.systems>
> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

It seems that this patch causes a memory leak, transaction does not
seem to be freed in the error paths.

(I also wonder if the skb should be freed in the error paths...?)

Reported-by: <theflamefire89@gmail.com>

>  drivers/nfc/st21nfca/se.c |   10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> --- a/drivers/nfc/st21nfca/se.c
> +++ b/drivers/nfc/st21nfca/se.c
> @@ -332,6 +332,11 @@ int st21nfca_connectivity_event_received
>  			return -ENOMEM;
>  
>  		transaction->aid_len = skb->data[1];
> +
> +		/* Checking if the length of the AID is valid */
> +		if (transaction->aid_len > sizeof(transaction->aid))
> +			return -EINVAL;
> +
>  		memcpy(transaction->aid, &skb->data[2],
>  		       transaction->aid_len);
>  
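Review bot: the new `return -EINVAL` after the aid_len check leaves the `transaction` object that was just allocated (the `return -ENOMEM` two lines above is its allocation-failure path) unreleased, so a malformed event leaks it; release it before returning, or route the failure through a single cleanup label. The check also bounds aid_len only against the destination, `sizeof(transaction->aid)`; the source side, `&skb->data[2]` for aid_len bytes, and the later reads at `skb->data[transaction->aid_len + 3]` and beyond are never checked against `skb->len`, so an undersized skb can still be over-read. Suggest `if (transaction->aid_len > sizeof(transaction->aid) || transaction->aid_len + 4 > skb->len)` so the AID, the params tag and the params length byte are all known to be inside the skb before they are touched.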
> @@ -341,6 +346,11 @@ int st21nfca_connectivity_event_received
>  			return -EPROTO;
>  
>  		transaction->params_len = skb->data[transaction->aid_len + 3];
> +
> +		/* Total size is allocated (skb->len - 2) minus fixed array members */
> +		if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
> +			return -EINVAL;
> +
>  		memcpy(transaction->params, skb->data +
>  		       transaction->aid_len + 4, transaction->params_len);
>  
> 

-- 
People of Russia, stop Putin before his war on Ukraine escalates.


* Re: [External] : Re: [PATCH 4.19 01/20] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
  2022-06-02 16:12   ` Pavel Machek
@ 2022-06-02 16:30     ` Denis Efremov
  2022-06-02 19:03       ` Denis Efremov
  0 siblings, 1 reply; 31+ messages in thread
From: Denis Efremov @ 2022-06-02 16:30 UTC (permalink / raw)
  To: Pavel Machek, Greg Kroah-Hartman, theflamefire89
  Cc: linux-kernel, stable, Jordy Zomer, Krzysztof Kozlowski, David S. Miller

Hi,

On 6/2/22 20:12, Pavel Machek wrote:
> Hi!
> 
>> commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.
>>
>> It appears that there are some buffer overflows in EVT_TRANSACTION.
>> This happens because the length parameters that are passed to memcpy
>> come directly from skb->data and are not guarded in any way.
>>
>> Signed-off-by: Jordy Zomer <jordy@pwning.systems>
>> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
>> Signed-off-by: David S. Miller <davem@davemloft.net>
>> Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> It seems that this patch causes a memory leak, transaction does not
> seem to be freed in the error paths.
> 
> (I also wonder if the skb should be freed in the error paths...?)
> 
> Reported-by: <theflamefire89@gmail.com>

Same for upstream code and it looks like the problem existed even
before this patch. I'll prepare an upstream patch and cc it to stable.

Thanks,
Denis


* Re: [External] : Re: [PATCH 4.19 01/20] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
  2022-06-02 16:30     ` [External] : " Denis Efremov
@ 2022-06-02 19:03       ` Denis Efremov
  0 siblings, 0 replies; 31+ messages in thread
From: Denis Efremov @ 2022-06-02 19:03 UTC (permalink / raw)
  To: Pavel Machek, Greg Kroah-Hartman, theflamefire89,
	Martin Faltesek, krzysztof.kozlowski
  Cc: linux-kernel, stable, Jordy Zomer, David S. Miller



On 6/2/22 20:30, Denis Efremov wrote:
> Hi,
> 
> On 6/2/22 20:12, Pavel Machek wrote:
>> Hi!
>>
>>> commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.
>>>
>>> It appears that there are some buffer overflows in EVT_TRANSACTION.
>>> This happens because the length parameters that are passed to memcpy
>>> come directly from skb->data and are not guarded in any way.
>>>
>>> Signed-off-by: Jordy Zomer <jordy@pwning.systems>
>>> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
>>> Signed-off-by: David S. Miller <davem@davemloft.net>
>>> Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>
>> It seems that this patch causes a memory leak, transaction does not
>> seem to be freed in the error paths.
>>
>> (I also wonder if the skb should be freed in the error paths...?)
>>
>> Reported-by: <theflamefire89@gmail.com>
> 
> Same for upstream code and it looks like the problem existed even
> before this patch. I'll prepare an upstream patch and cc it to stable.
> 

I checked and Martin already sent patches upstream to fix this.

https://lore.kernel.org/all/20220401180939.2025819-1-mfaltesek@google.com/
https://lore.kernel.org/all/20220401180955.2025877-1-mfaltesek@google.com/
https://lore.kernel.org/all/20220401181032.2026076-1-mfaltesek@google.com/
https://lore.kernel.org/all/20220401181048.2026145-1-mfaltesek@google.com/

Thanks,
Denis

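The two problems raised in this sub-thread, lengths taken from the frame without a bound on the source buffer, and an allocation that is never released on the error paths, shown in a stand-alone C parser. This is an added example, not code from the thread, from the st21nfca driver or from Martin Faltesek's patches; the tag values, the 16-byte AID limit and the struct layout are assumptions chosen to mirror the shape of the event (tag, aid_len, aid, tag, params_len, params), and the sample frames are constructed. Every length is checked against the frame as well as the destination before anything is allocated, so no error path has anything to free:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed framing for this example: tag, aid_len, aid[], tag, params_len, params[].
 * The tag values and AID_MAX are illustrative, not taken from the driver. */
#define AID_TAG    0x81
#define PARAMS_TAG 0x82
#define AID_MAX    16

struct evt_transaction {
	uint32_t aid_len;
	uint8_t  aid[AID_MAX];
	uint8_t  params_len;
	uint8_t  params[];	/* sized from the validated params_len */
};

/*
 * Parse one event frame of `len` bytes. On success returns 0 and stores a
 * heap object in *out (caller frees). On failure returns a negative errno
 * value with nothing left allocated: every check runs before the allocation,
 * so no error path needs a kfree()-style cleanup.
 */
int parse_evt_transaction(const uint8_t *data, size_t len,
			  struct evt_transaction **out)
{
	struct evt_transaction *t;
	size_t aid_len, params_len;

	*out = NULL;

	/* Smallest well-formed frame: two tags and two length bytes. */
	if (len < 4 || data[0] != AID_TAG)
		return -EPROTO;

	aid_len = data[1];
	/* Destination bound (the AID array) and source bound: the frame must
	 * still hold the AID, the params tag and the params length byte. */
	if (aid_len > AID_MAX || aid_len + 4 > len)
		return -EINVAL;

	if (data[aid_len + 2] != PARAMS_TAG)
		return -EPROTO;

	params_len = data[aid_len + 3];
	/* Source bound; aid_len + 4 <= len holds, so this cannot wrap. */
	if (params_len > len - (aid_len + 4))
		return -EINVAL;

	t = calloc(1, sizeof(*t) + params_len);
	if (!t)
		return -ENOMEM;

	t->aid_len = (uint32_t)aid_len;
	memcpy(t->aid, &data[2], aid_len);
	t->params_len = (uint8_t)params_len;
	memcpy(t->params, &data[aid_len + 4], params_len);
	*out = t;
	return 0;
}

/* Constructed sample frames (not captured NFC traffic). */
static const uint8_t good_frame[] = { AID_TAG, 0x05, 0xA0, 0x00, 0x00, 0x00, 0x03,
				      PARAMS_TAG, 0x03, 0x01, 0x02, 0x03 };
/* aid_len 0x40 exceeds the 16-byte AID array: the original overflow. */
static const uint8_t huge_aid[] = { AID_TAG, 0x40, 0xAA, PARAMS_TAG, 0x00 };
/* aid_len fits the array but runs past the end of the frame. */
static const uint8_t short_frame[] = { AID_TAG, 0x08, 0x01, 0x02 };
/* Second tag is not PARAMS_TAG. */
static const uint8_t bad_tag[] = { AID_TAG, 0x01, 0x11, 0x00, 0x00 };
/* params_len 16 with only one byte left in the frame. */
static const uint8_t params_overrun[] = { AID_TAG, 0x01, 0x11, PARAMS_TAG, 0x10, 0xFF };

/* Parse and release; returns params_len on success or the negative error. */
int try_parse(const uint8_t *data, size_t len)
{
	struct evt_transaction *t;
	int rc = parse_evt_transaction(data, len, &t);

	if (rc)
		return rc;
	rc = t->params_len;
	free(t);
	return rc;
}

int demo_good(void)           { return try_parse(good_frame, sizeof good_frame); }
int demo_huge_aid(void)       { return try_parse(huge_aid, sizeof huge_aid); }
int demo_short_frame(void)    { return try_parse(short_frame, sizeof short_frame); }
int demo_bad_tag(void)        { return try_parse(bad_tag, sizeof bad_tag); }
int demo_params_overrun(void) { return try_parse(params_overrun, sizeof params_overrun); }

int main(void)
{
	printf("good: %d huge_aid: %d short: %d bad_tag: %d overrun: %d\n",
	       demo_good(), demo_huge_aid(), demo_short_frame(),
	       demo_bad_tag(), demo_params_overrun());
	return 0;
}
```

The ordering is the point: validate every offset against the frame length, then allocate, then copy. In a kernel handler the same ordering against skb->len sidesteps the leak raised above; where the allocation has to come first, route every failure through one label that frees the object rather than returning from the middle of the checks.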

end of thread, other threads:[~2022-06-02 19:04 UTC | newest]

Thread overview: 31+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 01/20] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION Greg Kroah-Hartman
2022-06-02 16:12   ` Pavel Machek
2022-06-02 16:30     ` [External] : " Denis Efremov
2022-06-02 19:03       ` Denis Efremov
2022-03-25 15:04 ` [PATCH 4.19 02/20] net: ipv6: fix skb_over_panic in __ip6_append_data Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 03/20] esp: Fix possible buffer overflow in ESP transformation Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 04/20] staging: fbtft: fb_st7789v: reset display before initialization Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 05/20] thermal: int340x: fix memory leak in int3400_notify() Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 06/20] llc: fix netdevice reference leaks in llc_ui_bind() Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 07/20] ASoC: sti: Fix deadlock via snd_pcm_stop_xrun() call Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 08/20] ALSA: oss: Fix PCM OSS buffer allocation overflow Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 09/20] ALSA: pcm: Add stream lock during PCM reset ioctl operations Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 10/20] ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 11/20] ALSA: cmipci: Restore aux vol on suspend/resume Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 12/20] ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 13/20] drivers: net: xgene: Fix regression in CRC stripping Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 14/20] netfilter: nf_tables: initialize registers in nft_do_chain() Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 15/20] ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 16/20] ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3 Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 17/20] ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 18/20] crypto: qat - disable registration of algorithms Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 19/20] mac80211: fix potential double free on mesh join Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 20/20] nds32: fix access_ok() checks in get/put_user Greg Kroah-Hartman
2022-03-25 18:40 ` [PATCH 4.19 00/20] 4.19.237-rc1 review Pavel Machek
2022-03-25 23:25 ` Shuah Khan
2022-03-26  3:46 ` Samuel Zou
2022-03-26 14:04 ` Sudip Mukherjee
2022-03-26 14:24 ` Naresh Kamboju
2022-03-27  0:50 ` Guenter Roeck
2022-03-28 14:24 ` Jon Hunter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).