2021-11-01 09:25:40

by Greg Kroah-Hartman

Subject: [PATCH 4.14 00/25] 4.14.254-rc1 review

This is the start of the stable review cycle for the 4.14.254 release.
There are 25 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 03 Nov 2021 08:24:20 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.254-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 4.14.254-rc1

Xin Long <[email protected]>
sctp: add vtag check in sctp_sf_ootb

Xin Long <[email protected]>
sctp: add vtag check in sctp_sf_do_8_5_1_E_sa

Xin Long <[email protected]>
sctp: add vtag check in sctp_sf_violation

Xin Long <[email protected]>
sctp: fix the processing for COOKIE_ECHO chunk

Xin Long <[email protected]>
sctp: use init_tag from inithdr for ABORT chunk

Trevor Woerner <[email protected]>
net: nxp: lpc_eth.c: avoid hang when bringing interface down

Guenter Roeck <[email protected]>
nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST

Pavel Skripkin <[email protected]>
net: batman-adv: fix error handling

Yang Yingliang <[email protected]>
regmap: Fix possible double-free in regcache_rbtree_exit()

Johan Hovold <[email protected]>
net: lan78xx: fix division by zero in send path

Haibo Chen <[email protected]>
mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit

Shawn Guo <[email protected]>
mmc: sdhci: Map more voltage level to SDHCI_POWER_330

Jaehoon Chung <[email protected]>
mmc: dw_mmc: exynos: fix the finding clock sample value

Johan Hovold <[email protected]>
mmc: vub300: fix control-message timeouts

Eric Dumazet <[email protected]>
ipv4: use siphash instead of Jenkins in fnhe_hashfun()

Pavel Skripkin <[email protected]>
Revert "net: mdiobus: Fix memory leak in __mdiobus_register"

Krzysztof Kozlowski <[email protected]>
nfc: port100: fix using -ERRNO as command type mask

Zheyu Ma <[email protected]>
ata: sata_mv: Fix the error handling of mv_chip_id()

Wang Hai <[email protected]>
usbnet: fix error return code in usbnet_probe()

Oliver Neukum <[email protected]>
usbnet: sanity check for maxpacket

Nathan Chancellor <[email protected]>
ARM: 8819/1: Remove '-p' from LDFLAGS

Naveen N. Rao <[email protected]>
powerpc/bpf: Fix BPF_MOD when imm == 1

Arnd Bergmann <[email protected]>
ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype

Arnd Bergmann <[email protected]>
ARM: 9134/1: remove duplicate memcpy() definition

Nick Desaulniers <[email protected]>
ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned


-------------

Diffstat:

Makefile | 4 +--
arch/arm/Makefile | 2 +-
arch/arm/boot/bootp/Makefile | 2 +-
arch/arm/boot/compressed/Makefile | 2 --
arch/arm/boot/compressed/decompress.c | 3 ++
arch/arm/mm/proc-macros.S | 1 +
arch/arm/probes/kprobes/core.c | 2 +-
arch/nios2/platform/Kconfig.platform | 1 +
arch/powerpc/net/bpf_jit_comp64.c | 10 ++++--
drivers/ata/sata_mv.c | 4 +--
drivers/base/regmap/regcache-rbtree.c | 7 ++---
drivers/mmc/host/dw_mmc-exynos.c | 14 +++++++++
drivers/mmc/host/sdhci-esdhc-imx.c | 16 ++++++++++
drivers/mmc/host/sdhci.c | 6 ++++
drivers/mmc/host/vub300.c | 18 +++++------
drivers/net/ethernet/nxp/lpc_eth.c | 5 ++-
drivers/net/phy/mdio_bus.c | 1 -
drivers/net/usb/lan78xx.c | 6 ++++
drivers/net/usb/usbnet.c | 5 +++
drivers/nfc/port100.c | 4 +--
net/batman-adv/bridge_loop_avoidance.c | 8 +++--
net/batman-adv/main.c | 56 ++++++++++++++++++++++++----------
net/batman-adv/network-coding.c | 4 ++-
net/batman-adv/translation-table.c | 4 ++-
net/ipv4/route.c | 12 ++++----
net/sctp/sm_statefuns.c | 30 ++++++++++++------
26 files changed, 161 insertions(+), 66 deletions(-)



2021-11-01 09:25:51

by Greg Kroah-Hartman

Subject: [PATCH 4.14 09/25] nfc: port100: fix using -ERRNO as command type mask

From: Krzysztof Kozlowski <[email protected]>

commit 2195f2062e4cc93870da8e71c318ef98a1c51cef upstream.

During probing, the driver tries to get a list (mask) of supported
command types in port100_get_command_type_mask() function. The value
is u64 and 0 is treated as invalid mask (no commands supported). The
function however returns also -ERRNO as u64 which will be interpreted as
valid command mask.

Return 0 on every error case of port100_get_command_type_mask(), so the
probing will stop.

Cc: <[email protected]>
Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
Signed-off-by: Krzysztof Kozlowski <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/nfc/port100.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/nfc/port100.c
+++ b/drivers/nfc/port100.c
@@ -1012,11 +1012,11 @@ static u64 port100_get_command_type_mask

skb = port100_alloc_skb(dev, 0);
if (!skb)
- return -ENOMEM;
+ return 0;

resp = port100_send_cmd_sync(dev, PORT100_CMD_GET_COMMAND_TYPE, skb);
if (IS_ERR(resp))
- return PTR_ERR(resp);
+ return 0;

if (resp->len < 8)
mask = 0;
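
Review bot: both error returns in port100_get_command_type_mask() now collapse to 0, so the -ENOMEM case after port100_alloc_skb() and the PTR_ERR() case after port100_send_cmd_sync() become indistinguishable from the existing `resp->len < 8` case that also sets mask = 0. Since the u64 return type cannot carry an errno, consider logging the cause before each `return 0;` (for example the PTR_ERR(resp) value), or in a follow-up returning int with the mask passed back through an out parameter, so that a failed probe can be diagnosed. A one-line comment above the function stating that 0 means "error or no supported commands" would also keep a later change from reintroducing a negative return.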

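The failure mode described in the commit message above, as an added user-space example that is not the driver's code: an errno returned through a u64 passes the caller's "0 means invalid" check. SAMPLE_MASK, the function names and the -ENODEV result are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

#define SAMPLE_MASK 0x3ULL /* constructed value, not a real device mask */

/* Before the patch: an errno is returned through a u64. */
static u64 get_mask_before(int alloc_fails)
{
	if (alloc_fails)
		return -ENOMEM; /* converts to a huge unsigned value */
	return SAMPLE_MASK;
}

/* After the patch: every error path returns 0, the "invalid" value. */
static u64 get_mask_after(int alloc_fails)
{
	if (alloc_fails)
		return 0;
	return SAMPLE_MASK;
}

/* Caller-side check as the commit message describes it: 0 stops probing.
 * The -ENODEV code is an assumption of this example. */
static int probe_check(u64 mask)
{
	return mask ? 0 : -ENODEV;
}

/* How many command types the caller would believe are supported. */
static int claimed_types(u64 mask)
{
	return __builtin_popcountll(mask);
}

int main(void)
{
	u64 bad = get_mask_before(1), good = get_mask_after(1);

	printf("before: mask=0x%016llx probe=%d types=%d\n",
	       (unsigned long long)bad, probe_check(bad), claimed_types(bad));
	printf("after:  mask=0x%016llx probe=%d types=%d\n",
	       (unsigned long long)good, probe_check(good), claimed_types(good));
	return 0;
}
```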

2021-11-01 09:26:26

by Greg Kroah-Hartman

Subject: [PATCH 4.14 24/25] sctp: add vtag check in sctp_sf_do_8_5_1_E_sa

From: Xin Long <[email protected]>

[ Upstream commit ef16b1734f0a176277b7bb9c71a6d977a6ef3998 ]

sctp_sf_do_8_5_1_E_sa() is called when processing SHUTDOWN_ACK chunk
in cookie_wait and cookie_echoed state.

The vtag in the chunk's sctphdr should be verified, otherwise, as
later in chunk length check, it may send abort with the existent
asoc's vtag, which can be exploited by one to cook a malicious
chunk to terminate a SCTP asoc.

Note that when fails to verify the vtag from SHUTDOWN-ACK chunk,
SHUTDOWN COMPLETE message will still be sent back to peer, but
with the vtag from SHUTDOWN-ACK chunk, as said in 5) of
rfc4960#section-8.4.

While at it, also remove the unnecessary chunk length check from
sctp_sf_shut_8_4_5(), as it's already done in both places where
it calls sctp_sf_shut_8_4_5().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <[email protected]>
Acked-by: Marcelo Ricardo Leitner <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/sctp/sm_statefuns.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index e6260946eafe..c3cb0ae7df2b 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3613,12 +3613,6 @@ static enum sctp_disposition sctp_sf_shut_8_4_5(

SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);

- /* If the chunk length is invalid, we don't want to process
- * the reset of the packet.
- */
- if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-
/* We need to discard the rest of the packet to prevent
* potential bomming attacks from additional bundled chunks.
* This is documented in SCTP Threats ID.
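
Review bot: with the sctp_chunk_length_valid() check removed from sctp_sf_shut_8_4_5(), the function now depends on every caller having validated the chunk length first, and nothing in the remaining code says so. The changelog states that both current call sites do this; please add a sentence to the function's comment recording that precondition so a future caller does not skip it. Minor, while touching this area: the surviving context comment reads "bomming attacks", which looks like a typo for "bombing".
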
@@ -3646,6 +3640,9 @@ enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net,
{
struct sctp_chunk *chunk = arg;

+ if (!sctp_vtag_verify(chunk, asoc))
+ asoc = NULL;
+
/* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
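
Review bot: the new `asoc = NULL` assignment after a failed sctp_vtag_verify() carries no comment, and its reason is only in the changelog. Please add a short comment above the check saying that a chunk with a mismatched vtag must not trigger an abort built from the existing association's vtag, and that the SHUTDOWN COMPLETE is then sent with the vtag taken from the SHUTDOWN-ACK chunk (item 5 of rfc4960#section-8.4, as the changelog cites). Also note that asoc stays NULL for the rest of sctp_sf_do_8_5_1_E_sa(), not only for the sctp_sf_violation_chunklen() call shown here, so it is worth confirming that every later use in the function accepts a NULL asoc.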
--
2.33.0



2021-11-01 09:26:30

by Greg Kroah-Hartman

Subject: [PATCH 4.14 22/25] sctp: fix the processing for COOKIE_ECHO chunk

From: Xin Long <[email protected]>

[ Upstream commit a64b341b8695e1c744dd972b39868371b4f68f83 ]

1. In closed state: in sctp_sf_do_5_1D_ce():

When asoc is NULL, making packet for abort will use chunk's vtag
in sctp_ootb_pkt_new(). But when asoc exists, vtag from the chunk
should be verified before using peer.i.init_tag to make packet
for abort in sctp_ootb_pkt_new(), and just discard it if vtag is
not correct.

2. In the other states: in sctp_sf_do_5_2_4_dupcook():

asoc always exists, but duplicate cookie_echo's vtag will be
handled by sctp_tietags_compare() and then take actions, so before
that we only verify the vtag for the abort sent for invalid chunk
length.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <[email protected]>
Acked-by: Marcelo Ricardo Leitner <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/sctp/sm_statefuns.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index b1200c4122b0..4b519ec35ab7 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -704,6 +704,9 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
struct sock *sk;
int error = 0;

+ if (asoc && !sctp_vtag_verify(chunk, asoc))
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* If the packet is an OOTB packet which is temporarily on the
* control endpoint, respond with an ABORT.
*/
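
Review bot: the check added at the top of sctp_sf_do_5_1D_ce() silently discards via sctp_sf_pdiscard() and has no comment, while the block right after it documents its OOTB ABORT behaviour. A short comment would help: when asoc exists, the chunk's vtag is verified before anything can build an ABORT from peer.i.init_tag, and a mismatch is dropped without a reply. The `asoc &&` guard exists because this handler also runs with asoc NULL, which the changelog mentions but the code does not.
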
@@ -718,7 +721,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
* in sctp_unpack_cookie().
*/
if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+ commands);

/* If the endpoint is not listening or if the number of associations
* on the TCP-style socket exceed the max backlog, respond with an
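
Review bot: the switch from sctp_sf_pdiscard() to sctp_sf_violation_chunklen() for an invalid-length COOKIE_ECHO is not explained in the changelog, which for sctp_sf_do_5_1D_ce() only describes the vtag verification. This changes the handling of a malformed chunk in this state from a silent drop to the chunk-length violation path, so please state the reason in the commit message. The context comment just above the check (ending "in sctp_unpack_cookie().") should also be reviewed so that it still matches the new behaviour.
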
@@ -2080,9 +2084,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
* enough for the chunk header. Cookie length verification is
* done later.
*/
- if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
- commands);
+ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) {
+ if (!sctp_vtag_verify(chunk, asoc))
+ asoc = NULL;
+ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands);
+ }

/* "Decode" the chunk. We have no optional parameters so we
* are in good shape.
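
Review bot: in sctp_sf_do_5_2_4_dupcook() the sctp_vtag_verify() call sits only inside the invalid-length branch, and the code does not say why the valid-length path skips it. The changelog gives the reason (the duplicate COOKIE_ECHO's vtag is handled later by sctp_tietags_compare()); please put that into the comment above the length check. Style: the new single-line `return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands);` is written differently from the wrapped form this same patch uses in sctp_sf_do_5_1D_ce(); wrapping it the same way keeps the file consistent.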
--
2.33.0



2021-11-01 11:15:32

by Naresh Kamboju

Subject: Re: [PATCH 4.14 00/25] 4.14.254-rc1 review

On Mon, 1 Nov 2021 at 14:51, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.14.254 release.
> There are 25 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 03 Nov 2021 08:24:20 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.254-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h


Regression found on arm builds
Following build warnings / errors reported on stable-rc 5.4, 4.19 and
4.14 builds.

> Haibo Chen <[email protected]>
> mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit

build error :
--------------
drivers/mmc/host/sdhci-esdhc-imx.c: In function 'esdhc_reset_tuning':
drivers/mmc/host/sdhci-esdhc-imx.c:1041:10: error: implicit
declaration of function 'readl_poll_timeout'; did you mean
'key_set_timeout'? [-Werror=implicit-function-declaration]
ret = readl_poll_timeout(host->ioaddr + SDHCI_AUTO_CMD_STATUS,
^~~~~~~~~~~~~~~~~~
key_set_timeout
cc1: some warnings being treated as errors


Reported-by: Linux Kernel Functional Testing <[email protected]>

--
Linaro LKFT
https://lkft.linaro.org