author | Salvatore Bonaccorso <carnil@debian.org> | 2021-07-27 18:45:41 +0000 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2021-07-27 18:45:41 +0000 |
commit | a6dde89efb96e7aec62ac560b94f440b3f32ddeb (patch) | |
tree | fba8e596f2ab36353610040969281b242b09262a | |
parent | fab0761f647d09a7c28ee984c667d010dc51e5bb (diff) | |
parent | 996c999d539b7d7b202ba0bf2d83c9b0aa60c41c (diff) | |
Merge branch 'bullseye-bugfixes-before-d-i-rc3' into 'sid'
Add bugfixes targeting bullseye before d-i RC3 release
See merge request kernel-team/linux!379
10 files changed, 596 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 2a5164ddbc4f..7ef4af9d2f32 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+linux (5.10.46-3) UNRELEASED; urgency=medium
+
+ * [armhf] Add mdio-aspeed to nic-modules.
+ Thanks to Joel Stanley <joel@jms.id.au> (Closes: #991262)
+ * Revert "drm/amdgpu/gfx9: fix the doorbell missing when in CGPG issue."
+ (Closes: #990312)
+ * Revert "drm/amdgpu/gfx10: enlarge CP_MEC_DOORBELL_RANGE_UPPER to cover full
+ doorbell." (Closes: #990312)
+ * Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
+ (CVE-2021-3612)
+ * sctp: validate from_addr_param return (CVE-2021-3655)
+ * sctp: add size validation when walking chunks (CVE-2021-3655)
+ * [s390x] sclp_vt220: fix console name to match device (Closes: #961056)
+ * block: return the correct bvec when checking for gaps
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 25 Jul 2021 10:18:06 +0200
+
 linux (5.10.46-2) unstable; urgency=medium
 
 * swiotlb: manipulate orig_addr when tlb_addr has offset (Closes: #989778)
diff --git a/debian/installer/modules/armhf-armmp/nic-modules b/debian/installer/modules/armhf-armmp/nic-modules
index ed8489e87722..2f94f2d83167 100644
--- a/debian/installer/modules/armhf-armmp/nic-modules
+++ b/debian/installer/modules/armhf-armmp/nic-modules
@@ -11,3 +11,4 @@ sun4i-emac
 xgmac
 ti_cpsw
 davinci_mdio
+mdio-aspeed
diff --git a/debian/patches/bugfix/all/Input-joydev-prevent-use-of-not-validated-data-in-JS.patch b/debian/patches/bugfix/all/Input-joydev-prevent-use-of-not-validated-data-in-JS.patch
new file mode 100644
index 000000000000..f290f052d457
--- /dev/null
+++ b/debian/patches/bugfix/all/Input-joydev-prevent-use-of-not-validated-data-in-JS.patch
@@ -0,0 +1,58 @@
+From: Alexander Larkin <avlarkin82@gmail.com>
+Date: Sun, 4 Jul 2021 22:39:36 -0700
+Subject: Input: joydev - prevent use of not validated data in JSIOCSBTNMAP
+ ioctl
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=b4c35e9e8061b2386da1aa0d708e991204e76c45
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3612
+
+commit f8f84af5da9ee04ef1d271528656dac42a090d00 upstream.
+
+Even though we validate user-provided inputs we then traverse past
+validated data when applying the new map. The issue was originally
+discovered by Murray McAllister with this simple POC (if the following
+is executed by an unprivileged user it will instantly panic the system):
+
+int main(void) {
+ int fd, ret;
+ unsigned int buffer[10000];
+
+ fd = open("/dev/input/js0", O_RDONLY);
+ if (fd == -1)
+ printf("Error opening file\n");
+
+ ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
+ printf("%d\n", ret);
+}
+
+The solution is to traverse internal buffer which is guaranteed to only
+contain valid date when constructing the map.
+
+Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
+Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
+Reported-by: Murray McAllister <murray.mcallister@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Alexander Larkin <avlarkin82@gmail.com>
+Link: https://lore.kernel.org/r/20210620120030.1513655-1-avlarkin82@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joydev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c
+index 430dc6975004..675fcd0952a2 100644
+--- a/drivers/input/joydev.c
++++ b/drivers/input/joydev.c
+@@ -500,7 +500,7 @@ static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev,
+ memcpy(joydev->keypam, keypam, len);
+
+ for (i = 0; i < joydev->nkey; i++)
+- joydev->keymap[keypam[i] - BTN_MISC] = i;
++ joydev->keymap[joydev->keypam[i] - BTN_MISC] = i;
+
+ out:
+ kfree(keypam);
+--
+2.32.0
+
diff --git a/debian/patches/bugfix/all/Revert-drm-amdgpu-gfx10-enlarge-CP_MEC_DOORBELL_RANG.patch b/debian/patches/bugfix/all/Revert-drm-amdgpu-gfx10-enlarge-CP_MEC_DOORBELL_RANG.patch
new file mode 100644
index 000000000000..e437826828e2
--- /dev/null
+++ b/debian/patches/bugfix/all/Revert-drm-amdgpu-gfx10-enlarge-CP_MEC_DOORBELL_RANG.patch
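Review bot: The added line `joydev->keymap[joydev->keypam[i] - BTN_MISC] = i;` is only in bounds while every entry of joydev->keypam holds a previously accepted button code, and nothing beside the loop records that invariant. The loop runs to joydev->nkey while the memcpy above copies only len bytes, so entries past the user-supplied length come from the existing internal map rather than from the temporary keypam buffer. A short comment such as `/* index via joydev->keypam: the user copy is only validated for the first len bytes */` would keep a later cleanup from switching back to the temporary buffer. The validation loop and the rest of joydev_handle_JSIOCSBTNMAP lie outside the hunk, so the exact range it enforces should be confirmed there.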
@@ -0,0 +1,44 @@
+From: Yifan Zhang <yifan1.zhang@amd.com>
+Date: Sat, 19 Jun 2021 11:39:43 +0800
+Subject: Revert "drm/amdgpu/gfx10: enlarge CP_MEC_DOORBELL_RANGE_UPPER to
+ cover full doorbell."
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=fea853aca3210c21dfcf07bb82d501b7fd1900a7
+Bug-Debian: https://bugs.debian.org/990312
+
+commit baacf52a473b24e10322b67757ddb92ab8d86717 upstream.
+
+This reverts commit 1c0b0efd148d5b24c4932ddb3fa03c8edd6097b3.
+
+Reason for revert: Side effect of enlarging CP_MEC_DOORBELL_RANGE may
+cause some APUs fail to enter gfxoff in certain user cases.
+
+Signed-off-by: Yifan Zhang <yifan1.zhang@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+index 3c92dacbc24a..fc8da5fed779 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+@@ -6590,12 +6590,8 @@ static int gfx_v10_0_kiq_init_register(struct amdgpu_ring *ring)
+ if (ring->use_doorbell) {
+ WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER,
+ (adev->doorbell_index.kiq * 2) << 2);
+- /* If GC has entered CGPG, ringing doorbell > first page doesn't
+- * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround
+- * this issue.
+- */
+ WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER,
+- (adev->doorbell.size - 4));
++ (adev->doorbell_index.userqueue_end * 2) << 2);
+ }
+
+ WREG32_SOC15(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL,
+--
+2.32.0
+
diff --git a/debian/patches/bugfix/all/Revert-drm-amdgpu-gfx9-fix-the-doorbell-missing-when.patch b/debian/patches/bugfix/all/Revert-drm-amdgpu-gfx9-fix-the-doorbell-missing-when.patch
new file mode 100644
index 000000000000..1ee611c1719a
--- /dev/null
+++ b/debian/patches/bugfix/all/Revert-drm-amdgpu-gfx9-fix-the-doorbell-missing-when.patch
@@ -0,0 +1,44 @@
+From: Yifan Zhang <yifan1.zhang@amd.com>
+Date: Sat, 19 Jun 2021 11:40:54 +0800
+Subject: Revert "drm/amdgpu/gfx9: fix the doorbell missing when in CGPG
+ issue."
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=1bd81429d53ded4e111616c755a64fad80849354
+Bug-Debian: https://bugs.debian.org/990312
+
+commit ee5468b9f1d3bf48082eed351dace14598e8ca39 upstream.
+
+This reverts commit 4cbbe34807938e6e494e535a68d5ff64edac3f20.
+
+Reason for revert: side effect of enlarging CP_MEC_DOORBELL_RANGE may
+cause some APUs fail to enter gfxoff in certain user cases.
+
+Signed-off-by: Yifan Zhang <yifan1.zhang@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+index 1859d293ef71..fb15e8b5af32 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -3619,12 +3619,8 @@ static int gfx_v9_0_kiq_init_register(struct amdgpu_ring *ring)
+ if (ring->use_doorbell) {
+ WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER,
+ (adev->doorbell_index.kiq * 2) << 2);
+- /* If GC has entered CGPG, ringing doorbell > first page doesn't
+- * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround
+- * this issue.
+- */
+ WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER,
+- (adev->doorbell.size - 4));
++ (adev->doorbell_index.userqueue_end * 2) << 2);
+ }
+
+ WREG32_SOC15_RLC(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL,
+--
+2.32.0
+
diff --git a/debian/patches/bugfix/all/block-return-the-correct-bvec-when-checking-for-gaps.patch b/debian/patches/bugfix/all/block-return-the-correct-bvec-when-checking-for-gaps.patch
new file mode 100644
index 000000000000..b7763776eefb
--- /dev/null
+++ b/debian/patches/bugfix/all/block-return-the-correct-bvec-when-checking-for-gaps.patch
@@ -0,0 +1,83 @@
+From: Long Li <longli@microsoft.com>
+Date: Mon, 7 Jun 2021 12:34:05 -0700
+Subject: block: return the correct bvec when checking for gaps
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=c98d9318dc99bf8822708dbab3f3ace946df7fe9
+
+commit c9c9762d4d44dcb1b2ba90cfb4122dc11ceebf31 upstream.
+
+After commit 07173c3ec276 ("block: enable multipage bvecs"), a bvec can
+have multiple pages. But bio_will_gap() still assumes one page bvec while
+checking for merging. If the pages in the bvec go across the
+seg_boundary_mask, this check for merging can potentially succeed if only
+the 1st page is tested, and can fail if all the pages are tested.
+
+Later, when SCSI builds the SG list the same check for merging is done in
+__blk_segment_map_sg_merge() with all the pages in the bvec tested. This
+time the check may fail if the pages in bvec go across the
+seg_boundary_mask (but tested okay in bio_will_gap() earlier, so those
+BIOs were merged). If this check fails, we end up with a broken SG list
+for drivers assuming the SG list not having offsets in intermediate pages.
+This results in incorrect pages written to the disk.
+
+Fix this by returning the multi-page bvec when testing gaps for merging.
+
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Cc: Pavel Begunkov <asml.silence@gmail.com>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Cc: Jeffle Xu <jefflexu@linux.alibaba.com>
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 07173c3ec276 ("block: enable multipage bvecs")
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/1623094445-22332-1-git-send-email-longli@linuxonhyperv.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/bio.h | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/bio.h b/include/linux/bio.h
+index c6d765382926..23b7a73cd757 100644
+--- a/include/linux/bio.h
++++ b/include/linux/bio.h
+@@ -38,9 +38,6 @@
+ #define bio_offset(bio) bio_iter_offset((bio), (bio)->bi_iter)
+ #define bio_iovec(bio) bio_iter_iovec((bio), (bio)->bi_iter)
+
+-#define bio_multiple_segments(bio) \
+- ((bio)->bi_iter.bi_size != bio_iovec(bio).bv_len)
+-
+ #define bvec_iter_sectors(iter) ((iter).bi_size >> 9)
+ #define bvec_iter_end_sector(iter) ((iter).bi_sector + bvec_iter_sectors((iter)))
+
+@@ -252,7 +249,7 @@ static inline void bio_clear_flag(struct bio *bio, unsigned int bit)
+
+ static inline void bio_get_first_bvec(struct bio *bio, struct bio_vec *bv)
+ {
+- *bv = bio_iovec(bio);
++ *bv = mp_bvec_iter_bvec(bio->bi_io_vec, bio->bi_iter);
+ }
+
+ static inline void bio_get_last_bvec(struct bio *bio, struct bio_vec *bv)
+@@ -260,10 +257,9 @@ static inline void bio_get_last_bvec(struct bio *bio, struct bio_vec *bv)
+ struct bvec_iter iter = bio->bi_iter;
+ int idx;
+
+- if (unlikely(!bio_multiple_segments(bio))) {
+- *bv = bio_iovec(bio);
+- return;
+- }
++ bio_get_first_bvec(bio, bv);
++ if (bv->bv_len == bio->bi_iter.bi_size)
++ return; /* this bio only has a single bvec */
+
+ bio_advance_iter(bio, &iter, iter.bi_size);
+
+--
+2.32.0
+
diff --git a/debian/patches/bugfix/all/sctp-add-size-validation-when-walking-chunks.patch b/debian/patches/bugfix/all/sctp-add-size-validation-when-walking-chunks.patch
new file mode 100644
index 000000000000..80085baf02c8
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-add-size-validation-when-walking-chunks.patch
@@ -0,0 +1,41 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Mon, 28 Jun 2021 16:13:42 -0300
+Subject: sctp: add size validation when walking chunks
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=6ef81a5c0e22233e13c748e813c54d3bf0145782
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3655
+
+[ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ]
+
+The first chunk in a packet is ensured to be present at the beginning of
+sctp_rcv(), as a packet needs to have at least 1 chunk. But the second
+one, may not be completely available and ch->length can be over
+uninitialized memory.
+
+Fix here is by only trying to walk on the next chunk if there is enough to
+hold at least the header, and then proceed with the ch->length validation
+that is already there.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index 8924e2e142c8..f72bff93745c 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1247,7 +1247,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net,
+
+ ch = (struct sctp_chunkhdr *)ch_end;
+ chunk_num++;
+- } while (ch_end < skb_tail_pointer(skb));
++ } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
+
+ return asoc;
+ }
+--
+2.32.0
+
diff --git a/debian/patches/bugfix/all/sctp-validate-from_addr_param-return.patch b/debian/patches/bugfix/all/sctp-validate-from_addr_param-return.patch
new file mode 100644
index 000000000000..6ac54f4c2293
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-validate-from_addr_param-return.patch
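Review bot: The new loop condition `ch_end + sizeof(*ch) < skb_tail_pointer(skb)` uses a strict comparison, so a trailing chunk that consists of exactly one header's worth of bytes is never walked. That errs on the safe side for the out-of-bounds read being fixed, but the choice deserves a comment such as `/* continue only if more than a full chunk header remains */`, or `<=` if header-only trailing chunks are meant to be examined. The arithmetic also assumes ch_end is a byte pointer; its declaration and the ch->length validation the description refers to sit outside the hunk in __sctp_rcv_walk_lookup.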
@@ -0,0 +1,239 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Mon, 28 Jun 2021 16:13:41 -0300
+Subject: sctp: validate from_addr_param return
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=d4dbef7046e24669278eba4455e9e8053ead6ba0
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3655
+
+[ Upstream commit 0c5dc070ff3d6246d22ddd931f23a6266249e3db ]
+
+Ilja reported that, simply putting it, nothing was validating that
+from_addr_param functions were operating on initialized memory. That is,
+the parameter itself was being validated by sctp_walk_params, but it
+doesn't check for types and their specific sizes and it could be a 0-length
+one, causing from_addr_param to potentially work over the next parameter or
+even uninitialized memory.
+
+The fix here is to, in all calls to from_addr_param, check if enough space
+is there for the wanted IP address type.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sctp/structs.h | 2 +-
+ net/sctp/bind_addr.c | 19 +++++++++++--------
+ net/sctp/input.c | 6 ++++--
+ net/sctp/ipv6.c | 7 ++++++-
+ net/sctp/protocol.c | 7 ++++++-
+ net/sctp/sm_make_chunk.c | 29 ++++++++++++++++-------------
+ 6 files changed, 44 insertions(+), 26 deletions(-)
+
+diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
+index 0bdff38eb4bb..51d698f2656f 100644
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -458,7 +458,7 @@ struct sctp_af {
+ int saddr);
+ void (*from_sk) (union sctp_addr *,
+ struct sock *sk);
+- void (*from_addr_param) (union sctp_addr *,
++ bool (*from_addr_param) (union sctp_addr *,
+ union sctp_addr_param *,
+ __be16 port, int iif);
+ int (*to_addr_param) (const union sctp_addr *,
+diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c
+index 53e5ed79f63f..59e653b528b1 100644
+--- a/net/sctp/bind_addr.c
++++ b/net/sctp/bind_addr.c
+@@ -270,22 +270,19 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list,
+ rawaddr = (union sctp_addr_param *)raw_addr_list;
+
+ af = sctp_get_af_specific(param_type2af(param->type));
+- if (unlikely(!af)) {
++ if (unlikely(!af) ||
++ !af->from_addr_param(&addr, rawaddr, htons(port), 0)) {
+ retval = -EINVAL;
+- sctp_bind_addr_clean(bp);
+- break;
++ goto out_err;
+ }
+
+- af->from_addr_param(&addr, rawaddr, htons(port), 0);
+ if (sctp_bind_addr_state(bp, &addr) != -1)
+ goto next;
+ retval = sctp_add_bind_addr(bp, &addr, sizeof(addr),
+ SCTP_ADDR_SRC, gfp);
+- if (retval) {
++ if (retval)
+ /* Can't finish building the list, clean up. */
+- sctp_bind_addr_clean(bp);
+- break;
+- }
++ goto out_err;
+
+ next:
+ len = ntohs(param->length);
+@@ -294,6 +291,12 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list,
+ }
+
+ return retval;
++
++out_err:
++ if (retval)
++ sctp_bind_addr_clean(bp);
++
++ return retval;
+ }
+
+ /********************************************************************
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index d508f6f3dd08..8924e2e142c8 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1131,7 +1131,8 @@ static struct sctp_association *__sctp_rcv_init_lookup(struct net *net,
+ if (!af)
+ continue;
+
+- af->from_addr_param(paddr, params.addr, sh->source, 0);
++ if (!af->from_addr_param(paddr, params.addr, sh->source, 0))
++ continue;
+
+ asoc = __sctp_lookup_association(net, laddr, paddr, transportp);
+ if (asoc)
+@@ -1174,7 +1175,8 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
+ if (unlikely(!af))
+ return NULL;
+
+- af->from_addr_param(&paddr, param, peer_port, 0);
++ if (af->from_addr_param(&paddr, param, peer_port, 0))
++ return NULL;
+
+ return __sctp_lookup_association(net, laddr, &paddr, transportp);
+ }
+diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
+index c8074f435d3e..d594b949ae82 100644
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -530,15 +530,20 @@ static void sctp_v6_to_sk_daddr(union sctp_addr *addr, struct sock *sk)
+ }
+
+ /* Initialize a sctp_addr from an address parameter. */
+-static void sctp_v6_from_addr_param(union sctp_addr *addr,
++static bool sctp_v6_from_addr_param(union sctp_addr *addr,
+ union sctp_addr_param *param,
+ __be16 port, int iif)
+ {
++ if (ntohs(param->v6.param_hdr.length) < sizeof(struct sctp_ipv6addr_param))
++ return false;
++
+ addr->v6.sin6_family = AF_INET6;
+ addr->v6.sin6_port = port;
+ addr->v6.sin6_flowinfo = 0; /* BUG */
+ addr->v6.sin6_addr = param->v6.addr;
+ addr->v6.sin6_scope_id = iif;
++
++ return true;
+ }
+
+ /* Initialize an address parameter from a sctp_addr and return the length
+diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
+index 25833238fe93..47fb87ce489f 100644
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -253,14 +253,19 @@ static void sctp_v4_to_sk_daddr(union sctp_addr *addr, struct sock *sk)
+ }
+
+ /* Initialize a sctp_addr from an address parameter. */
+-static void sctp_v4_from_addr_param(union sctp_addr *addr,
++static bool sctp_v4_from_addr_param(union sctp_addr *addr,
+ union sctp_addr_param *param,
+ __be16 port, int iif)
+ {
++ if (ntohs(param->v4.param_hdr.length) < sizeof(struct sctp_ipv4addr_param))
++ return false;
++
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_port = port;
+ addr->v4.sin_addr.s_addr = param->v4.addr.s_addr;
+ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
++
++ return true;
+ }
+
+ /* Initialize an address parameter from a sctp_addr and return the length
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index b9d6babe2870..7411fa442821 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2329,11 +2329,13 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
+
+ /* Process the initialization parameters. */
+ sctp_walk_params(param, peer_init, init_hdr.params) {
+- if (!src_match && (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
+- param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
++ if (!src_match &&
++ (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
++ param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
+ af = sctp_get_af_specific(param_type2af(param.p->type));
+- af->from_addr_param(&addr, param.addr,
+- chunk->sctp_hdr->source, 0);
++ if (!af->from_addr_param(&addr, param.addr,
++ chunk->sctp_hdr->source, 0))
++ continue;
+ if (sctp_cmp_addr_exact(sctp_source(chunk), &addr))
+ src_match = 1;
+ }
+@@ -2514,7 +2516,8 @@ static int sctp_process_param(struct sctp_association *asoc,
+ break;
+ do_addr_param:
+ af = sctp_get_af_specific(param_type2af(param.p->type));
+- af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0);
++ if (!af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0))
++ break;
+ scope = sctp_scope(peer_addr);
+ if (sctp_in_scope(net, &addr, scope))
+ if (!sctp_assoc_add_peer(asoc, &addr, gfp, SCTP_UNCONFIRMED))
+@@ -2615,15 +2618,13 @@ static int sctp_process_param(struct sctp_association *asoc,
+ addr_param = param.v + sizeof(struct sctp_addip_param);
+
+ af = sctp_get_af_specific(param_type2af(addr_param->p.type));
+- if (af == NULL)
++ if (!af)
+ break;
+
+- af->from_addr_param(&addr, addr_param,
+- htons(asoc->peer.port), 0);
++ if (!af->from_addr_param(&addr, addr_param,
++ htons(asoc->peer.port), 0))
++ break;
+
+- /* if the address is invalid, we can't process it.
+- * XXX: see spec for what to do.
+- */
+ if (!af->addr_valid(&addr, NULL, NULL))
+ break;
+
+@@ -3037,7 +3038,8 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
+ if (unlikely(!af))
+ return SCTP_ERROR_DNS_FAILED;
+
+- af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0);
++ if (!af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0))
++ return SCTP_ERROR_DNS_FAILED;
+
+ /* ADDIP 4.2.1 This parameter MUST NOT contain a broadcast
+ * or multicast address.
+@@ -3314,7 +3316,8 @@ static void sctp_asconf_param_success(struct sctp_association *asoc,
+
+ /* We have checked the packet before, so we do not check again. */
+ af = sctp_get_af_specific(param_type2af(addr_param->p.type));
+- af->from_addr_param(&addr, addr_param, htons(bp->port), 0);
++ if (!af->from_addr_param(&addr, addr_param, htons(bp->port), 0))
++ return;
+
+ switch (asconf_param->param_hdr.type) {
+ case SCTP_PARAM_ADD_IP:
+--
+2.32.0
+
diff --git a/debian/patches/bugfix/s390x/s390-sclp_vt220-fix-console-name-to-match-device.patch b/debian/patches/bugfix/s390x/s390-sclp_vt220-fix-console-name-to-match-device.patch
new file mode 100644
index 000000000000..173177912886
--- /dev/null
+++ b/debian/patches/bugfix/s390x/s390-sclp_vt220-fix-console-name-to-match-device.patch
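Review bot: The check added to __sctp_rcv_asconf_lookup in net/sctp/input.c (inner hunk at -1174) is inverted: `if (af->from_addr_param(&paddr, param, peer_port, 0)) return NULL;` gives up when the conversion succeeds and goes on to __sctp_lookup_association with an unfilled paddr when it fails. The sctp_v4_from_addr_param and sctp_v6_from_addr_param bodies in this same patch return false for a too-short parameter and true otherwise, and every other call site tests the negated result. The line should read `if (!af->from_addr_param(&paddr, param, peer_port, 0))`. Separately, the call sites in sctp_process_init, the do_addr_param path of sctp_process_param and sctp_asconf_param_success dereference af with no NULL check in the visible lines; whether earlier verification guarantees a supported address family there cannot be confirmed from these hunks.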
@@ -0,0 +1,62 @@
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Date: Tue, 27 Apr 2021 21:40:10 +0200
+Subject: s390/sclp_vt220: fix console name to match device
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=78cddc9aa6be2122da9ee3a4d2fff0be5db08cea
+Bug-Debian: https://bugs.debian.org/961056
+
+[ Upstream commit b7d91d230a119fdcc334d10c9889ce9c5e15118b ]
+
+Console name reported in /proc/consoles:
+
+ ttyS1 -W- (EC p ) 4:65
+
+does not match the char device name:
+
+ crw--w---- 1 root root 4, 65 May 17 12:18 /dev/ttysclp0
+
+so debian-installer inside a QEMU s390x instance gets confused and fails
+to start with the following error:
+
+ steal-ctty: No such file or directory
+
+Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Link: https://lore.kernel.org/r/20210427194010.9330-1-vvidic@valentin-vidic.from.hr
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/setup.c | 2 +-
+ drivers/s390/char/sclp_vt220.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
+index 83a3f346e5bd..5cd9d20af31e 100644
+--- a/arch/s390/kernel/setup.c
++++ b/arch/s390/kernel/setup.c
+@@ -166,7 +166,7 @@ static void __init set_preferred_console(void)
+ else if (CONSOLE_IS_3270)
+ add_preferred_console("tty3270", 0, NULL);
+ else if (CONSOLE_IS_VT220)
+- add_preferred_console("ttyS", 1, NULL);
++ add_preferred_console("ttysclp", 0, NULL);
+ else if (CONSOLE_IS_HVC)
+ add_preferred_console("hvc", 0, NULL);
+ }
+diff --git a/drivers/s390/char/sclp_vt220.c b/drivers/s390/char/sclp_vt220.c
+index 3f9a6ef650fa..3c2ed6d01387 100644
+--- a/drivers/s390/char/sclp_vt220.c
++++ b/drivers/s390/char/sclp_vt220.c
+@@ -35,8 +35,8 @@
+ #define SCLP_VT220_MINOR 65
+ #define SCLP_VT220_DRIVER_NAME "sclp_vt220"
+ #define SCLP_VT220_DEVICE_NAME "ttysclp"
+-#define SCLP_VT220_CONSOLE_NAME "ttyS"
+-#define SCLP_VT220_CONSOLE_INDEX 1 /* console=ttyS1 */
++#define SCLP_VT220_CONSOLE_NAME "ttysclp"
++#define SCLP_VT220_CONSOLE_INDEX 0 /* console=ttysclp0 */
+
+ /* Representation of a single write request */
+ struct sclp_vt220_request {
+--
+2.32.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 8bd961bc9912..93ca000393db 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -78,6 +78,7 @@ bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
 bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch
 bugfix/arm/ARM-dts-sun8i-h3-orangepi-plus-Fix-ethernet-phy-mode.patch
 bugfix/x86/platform-x86-toshiba_haps-Fix-missing-newline-in-pr_.patch
+bugfix/s390x/s390-sclp_vt220-fix-console-name-to-match-device.patch
 
 # Arch features
 features/arm64/arm64-dts-rockchip-Add-basic-support-for-Kobol-s-Hel.patch
@@ -97,6 +98,9 @@ debian/makefile-do-not-check-for-libelf-when-building-oot-module.patch
 bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch
 bugfix/all/Revert-PCI-PM-Do-not-read-power-state-in-pci_enable_.patch
 bugfix/all/swiotlb-manipulate-orig_addr-when-tlb_addr-has-offse.patch
+bugfix/all/Revert-drm-amdgpu-gfx9-fix-the-doorbell-missing-when.patch
+bugfix/all/Revert-drm-amdgpu-gfx10-enlarge-CP_MEC_DOORBELL_RANG.patch
+bugfix/all/block-return-the-correct-bvec-when-checking-for-gaps.patch
 
 # Miscellaneous features
 
@@ -121,6 +125,9 @@ bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch
 bugfix/all/can-bcm-delay-release-of-struct-bcm_op-after-synchro.patch
 bugfix/all/KVM-do-not-allow-mapping-valid-but-non-reference-cou.patch
 bugfix/all/seq_file-Disallow-extremely-large-seq-buffer-allocat.patch
+bugfix/all/Input-joydev-prevent-use-of-not-validated-data-in-JS.patch
+bugfix/all/sctp-validate-from_addr_param-return.patch
+bugfix/all/sctp-add-size-validation-when-walking-chunks.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch |