authorSalvatore Bonaccorso <carnil@debian.org>2021-10-13 14:51:25 +0200
committerSalvatore Bonaccorso <carnil@debian.org>2021-10-13 16:37:54 +0200
commitbb020ae81069c5c10c8fc570b76145bee8ebbae2 (patch)
tree758fd8f692bd6a4def80a7eba264f44e762dfd14
parent9c3b0f151b5f366a47aecb6a4b15b6f560769074 (diff)
Update to 5.14.10
Drop patches applied upstream. Clean up debian/changelog file.
-rw-r--r--debian/changelog156
-rw-r--r--debian/patches/bugfix/all/HID-u2fzero-ignore-incomplete-packets-without-data.patch37
-rw-r--r--debian/patches/bugfix/all/ext4-limit-the-number-of-blocks-in-one-ADD_RANGE-TLV.patch61
-rw-r--r--debian/patches/bugfix/mipsel/bpf-mips-Validate-conditional-branch-offsets.patch267
-rw-r--r--debian/patches/bugfix/x86/crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch81
-rw-r--r--debian/patches/series4
6 files changed, 151 insertions, 455 deletions
diff --git a/debian/changelog b/debian/changelog
index 049afafdbe8b..6e54c35d42d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,155 @@
-linux (5.14.9-3) UNRELEASED; urgency=medium
+linux (5.14.10-1) UNRELEASED; urgency=medium
- [ Salvatore Bonaccorso ]
- * HID: u2fzero: ignore incomplete packets without data (Closes: #994535)
- * [x86] crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
- (CVE-2021-3744, CVE-2021-3764)
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.14.10
+ - [arm64,armhf] media: cedrus: Fix SUNXI tile size calculation
+ - [arm64] ASoC: fsl_sai: register platform component before registering cpu
+ dai
+ - [armhf] ASoC: fsl_spdif: register platform component before registering
+ cpu dai
+ - [x86] ASoC: SOF: Fix DSP oops stack dump output contents
+ - [arm64] pinctrl: qcom: spmi-gpio: correct parent irqspec translation
+ - net/mlx4_en: Resolve bad operstate value
+ - [s390x] qeth: Fix deadlock in remove_discipline
+ - [s390x] qeth: fix deadlock during failing recovery
+ - [x86] crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
+ (CVE-2021-3744, CVE-2021-3764)
+ - [m68k] Update ->thread.esp0 before calling syscall_trace() in
+ ret_from_signal
+ - [amd64] HID: amd_sfh: Fix potential NULL pointer dereference
+ - tty: Fix out-of-bound vmalloc access in imageblit
+ - cpufreq: schedutil: Use kobject release() method to free sugov_tunables
+ - scsi: qla2xxx: Changes to support kdump kernel for NVMe BFS
+ - drm/amdgpu: adjust fence driver enable sequence
+ - drm/amdgpu: avoid over-handle of fence driver fini in s3 test (v2)
+ - drm/amdgpu: stop scheduler when calling hw_fini (v2)
+ - cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
+ - scsi: ufs: ufs-pci: Fix Intel LKF link stability
+ - ALSA: rawmidi: introduce SNDRV_RAWMIDI_IOCTL_USER_PVERSION
+ - ALSA: firewire-motu: fix truncated bytes in message tracepoints
+ - ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i
+ 15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops.
+ - [amd64,arm64] ACPI: NFIT: Use fallback node id when numa info in NFIT
+ table is incorrect
+ - fs-verity: fix signed integer overflow with i_size near S64_MAX
+ - hwmon: (tmp421) handle I2C errors
+ - hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary
+ structure field
+ - hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary
+ structure field
+ - hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary
+ structure field
+ - [arm64,armhf] gpio: pca953x: do not ignore i2c errors
+ - scsi: ufs: Fix illegal offset in UPIU event trace
+ - mac80211: fix use-after-free in CCMP/GCMP RX
+ - [x86] platform/x86/intel: hid: Add DMI switches allow list
+ - [x86] kvmclock: Move this_cpu_pvti into kvmclock.h
+ - [x86] ptp: Fix ptp_kvm_getcrosststamp issue for x86 ptp_kvm
+ - [x86] KVM: x86: Fix stack-out-of-bounds memory access from
+ ioapic_write_indirect()
+ - [x86] KVM: x86: nSVM: don't copy virt_ext from vmcb12
+ - [x86] KVM: x86: Clear KVM's cached guest CR3 at RESET/INIT
+ - [x86] KVM: x86: Swap order of CPUID entry "index" vs. "significant flag"
+ checks
+ - [x86] KVM: nVMX: Filter out all unsupported controls when eVMCS was
+ activated
+ - [x86] KVM: SEV: Update svm_vm_copy_asid_from for SEV-ES
+ - [x86] KVM: SEV: Pin guest memory for write for RECEIVE_UPDATE_DATA
+ - [x86] KVM: SEV: Acquire vcpu mutex when updating VMSA
+ - [x86] KVM: SEV: Allow some commands for mirror VM
+ - [x86] KVM: SVM: fix missing sev_decommission in sev_receive_start
+ - [x86] KVM: nVMX: Fix nested bus lock VM exit
+ - [x86] KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask issue
+ - RDMA/cma: Do not change route.addr.src_addr.ss_family
+ - RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests
+ - nbd: use shifts rather than multiplies
+ - drm/amd/display: initialize backlight_ramping_override to false
+ - drm/amd/display: Pass PCI deviceid into DC
+ - drm/amd/display: Fix Display Flicker on embedded panels
+ - drm/amdgpu: force exit gfxoff on sdma resume for rmb s0ix
+ - drm/amdgpu: check tiling flags when creating FB on GFX8-
+ - drm/amdgpu: correct initial cp_hqd_quantum for gfx9
+ - [amd64] drm/i915/gvt: fix the usage of ww lock in gvt scheduler.
+ - ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
+ - bpf: Handle return value of BPF_PROG_TYPE_STRUCT_OPS prog
+ - IB/cma: Do not send IGMP leaves for sendonly Multicast groups
+ - RDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure
+ - netfilter: nf_tables: unlink table before deleting it
+ - netfilter: log: work around missing softdep backend module
+ - Revert "mac80211: do not use low data rates for data frames with no ack
+ flag"
+ - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug
+ - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap
+ - mac80211: mesh: fix potentially unaligned access
+ - mac80211-hwsim: fix late beacon hrtimer handling
+ - driver core: fw_devlink: Add support for
+ FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD
+ - net: mdiobus: Set FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD for mdiobus parents
+ - sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
+ - mptcp: don't return sockets in foreign netns
+ - mptcp: allow changing the 'backup' bit when no sockets are open
+ - [arm64] RDMA/hns: Work around broken constant propagation in gcc 8
+ - hwmon: (tmp421) report /PVLD condition as fault
+ - hwmon: (tmp421) fix rounding for negative values
+ - [arm64] net: enetc: fix the incorrect clearing of IF_MODE bits
+ - net: ipv4: Fix rtnexthop len when RTA_FLOW is present
+ - smsc95xx: fix stalled rx after link change
+ - [x86] drm/i915/request: fix early tracepoints
+ - [x86] drm/i915: Remove warning from the rps worker
+ - [arm64,armhf] dsa: mv88e6xxx: 6161: Use chip wide MAX MTU
+ - [arm64,armhf] dsa: mv88e6xxx: Fix MTU definition
+ - [arm64,armhf] dsa: mv88e6xxx: Include tagger overhead when setting MTU for
+ DSA and CPU ports
+ - e100: fix length calculation in e100_get_regs_len
+ - e100: fix buffer overrun in e100_get_regs
+ - [amd64] RDMA/hfi1: Fix kernel pointer leak
+ - [arm64] RDMA/hns: Fix the size setting error when copying CQE in
+ clean_cq()
+ - [arm64] RDMA/hns: Add the check of the CQE size of the user space
+ - bpf: Exempt CAP_BPF from checks against bpf_jit_limit
+ - [amd64] bpf, x86: Fix bpf mapping of atomic fetch implementation
+ - Revert "block, bfq: honor already-setup queue merges"
+ - scsi: csiostor: Add module softdep on cxgb4
+ - ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup
+ - [arm64] net: hns3: do not allow call hns3_nic_net_open repeatedly
+ - [arm64] net: hns3: remove tc enable checking
+ - [arm64] net: hns3: don't rollback when destroy mqprio fail
+ - [arm64] net: hns3: fix mixed flag HCLGE_FLAG_MQPRIO_ENABLE and
+ HCLGE_FLAG_DCB_ENABLE
+ - [arm64] net: hns3: fix show wrong state when add existing uc mac address
+ - [arm64] net: hns3: reconstruct function hns3_self_test
+ - [arm64] net: hns3: fix always enable rx vlan filter problem after selftest
+ - [arm64] net: hns3: disable firmware compatible features when uninstall PF
+ - [arm64,armhf] net: phy: bcm7xxx: Fixed indirect MMD operations
+ - net: sched: flower: protect fl_walk() with rcu
+ - net: stmmac: fix EEE init issue when paired with EEE capable PHYs
+ - af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
+ - [x86] perf/x86/intel: Update event constraints for ICX
+ - sched/fair: Add ancestors of unthrottled undecayed cfs_rq
+ - sched/fair: Null terminate buffer when updating tunable_scaling
+ - [armhf] hwmon: (occ) Fix P10 VRM temp sensors
+ - [x86] kvm: fix objtool relocation warning
+ - nvme: add command id quirk for apple controllers
+ - elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
+ - driver core: fw_devlink: Improve handling of cyclic dependencies
+ - debugfs: debugfs_create_file_size(): use IS_ERR to check for error
+ - ext4: fix loff_t overflow in ext4_max_bitmap_size()
+ - ext4: fix reserved space counter leakage
+ - ext4: add error checking to ext4_ext_replay_set_iblocks()
+ - ext4: fix potential infinite loop in ext4_dx_readdir()
+ - ext4: flush s_error_work before journal destroy in ext4_fill_super
+ - HID: u2fzero: ignore incomplete packets without data (Closes: #994535)
+ - net: udp: annotate data race around udp_sk(sk)->corkflag
+ - usb: hso: remove the bailout parameter
+ - HID: betop: fix slab-out-of-bounds Write in betop_probe
+ - netfilter: ipset: Fix oversized kvmalloc() calls
+ - mm: don't allow oversized kvmalloc() calls
+ - HID: usbhid: free raw_report buffers in usbhid_stop
+ - [x86] crypto: aesni - xts_crypt() return if walk.nbytes is 0
+ - [x86] KVM: x86: Handle SRCU initialization failure during page track init
+ - netfilter: conntrack: serialize hash resizes and cleanups
+ - netfilter: nf_tables: Fix oversized kvmalloc() calls
+ - [amd64] HID: amd_sfh: Fix potential NULL pointer dereference - take 2
[ Ben Hutchings ]
* debian/.gitignore: Ignore debian/tests/control again
diff --git a/debian/patches/bugfix/all/HID-u2fzero-ignore-incomplete-packets-without-data.patch b/debian/patches/bugfix/all/HID-u2fzero-ignore-incomplete-packets-without-data.patch
deleted file mode 100644
index a4067d186439..000000000000
--- a/debian/patches/bugfix/all/HID-u2fzero-ignore-incomplete-packets-without-data.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Andrej Shadura <andrew.shadura@collabora.co.uk>
-Date: Thu, 16 Sep 2021 17:33:11 +0100
-Subject: HID: u2fzero: ignore incomplete packets without data
-Origin: https://git.kernel.org/linus/22d65765f211cc83186fd8b87521159f354c0da9
-Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214437
-Bug-Debian: https://bugs.debian.org/994535
-
-Since the actual_length calculation is performed unsigned, packets
-shorter than 7 bytes (e.g. packets without data or otherwise truncated)
-or non-received packets ("zero" bytes) can cause buffer overflow.
-
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=214437
-Fixes: 42337b9d4d958("HID: add driver for U2F Zero built-in LED and RNG")
-Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
----
- drivers/hid/hid-u2fzero.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
-index 95e0807878c7..d70cd3d7f583 100644
---- a/drivers/hid/hid-u2fzero.c
-+++ b/drivers/hid/hid-u2fzero.c
-@@ -198,7 +198,9 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data,
- }
-
- ret = u2fzero_recv(dev, &req, &resp);
-- if (ret < 0)
-+
-+ /* ignore errors or packets without data */
-+ if (ret < offsetof(struct u2f_hid_msg, init.data))
- return 0;
-
- /* only take the minimum amount of data it is safe to take */
---
-2.33.0
-
diff --git a/debian/patches/bugfix/all/ext4-limit-the-number-of-blocks-in-one-ADD_RANGE-TLV.patch b/debian/patches/bugfix/all/ext4-limit-the-number-of-blocks-in-one-ADD_RANGE-TLV.patch
deleted file mode 100644
index 047eebefd7db..000000000000
--- a/debian/patches/bugfix/all/ext4-limit-the-number-of-blocks-in-one-ADD_RANGE-TLV.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From: Hou Tao <houtao1@huawei.com>
-Date: Fri, 20 Aug 2021 12:45:05 +0800
-Subject: ext4: limit the number of blocks in one ADD_RANGE TLV
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?h=dev&id=a2c2f0826e2b75560b31daf1cd9a755ab93cf4c6
-Bug-Debian: https://bugs.debian.org/995425
-
-Now EXT4_FC_TAG_ADD_RANGE uses ext4_extent to track the
-newly-added blocks, but the limit on the max value of
-ee_len field is ignored, and it can lead to BUG_ON as
-shown below when running command "fallocate -l 128M file"
-on a fast_commit-enabled fs:
-
- kernel BUG at fs/ext4/ext4_extents.h:199!
- invalid opcode: 0000 [#1] SMP PTI
- CPU: 3 PID: 624 Comm: fallocate Not tainted 5.14.0-rc6+ #1
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
- RIP: 0010:ext4_fc_write_inode_data+0x1f3/0x200
- Call Trace:
- ? ext4_fc_write_inode+0xf2/0x150
- ext4_fc_commit+0x93b/0xa00
- ? ext4_fallocate+0x1ad/0x10d0
- ext4_sync_file+0x157/0x340
- ? ext4_sync_file+0x157/0x340
- vfs_fsync_range+0x49/0x80
- do_fsync+0x3d/0x70
- __x64_sys_fsync+0x14/0x20
- do_syscall_64+0x3b/0xc0
- entry_SYSCALL_64_after_hwframe+0x44/0xae
-
-Simply fixing it by limiting the number of blocks
-in one EXT4_FC_TAG_ADD_RANGE TLV.
-
-Fixes: aa75f4d3daae ("ext4: main fast-commit commit path")
-Cc: stable@kernel.org
-Signed-off-by: Hou Tao <houtao1@huawei.com>
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Link: https://lore.kernel.org/r/20210820044505.474318-1-houtao1@huawei.com
----
- fs/ext4/fast_commit.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c
-index 8e610a381862..8ea5a81e6554 100644
---- a/fs/ext4/fast_commit.c
-+++ b/fs/ext4/fast_commit.c
-@@ -892,6 +892,12 @@ static int ext4_fc_write_inode_data(struct inode *inode, u32 *crc)
- sizeof(lrange), (u8 *)&lrange, crc))
- return -ENOSPC;
- } else {
-+ unsigned int max = (map.m_flags & EXT4_MAP_UNWRITTEN) ?
-+ EXT_UNWRITTEN_MAX_LEN : EXT_INIT_MAX_LEN;
-+
-+ /* Limit the number of blocks in one extent */
-+ map.m_len = min(max, map.m_len);
-+
- fc_ext.fc_ino = cpu_to_le32(inode->i_ino);
- ex = (struct ext4_extent *)&fc_ext.fc_ex;
- ex->ee_block = cpu_to_le32(map.m_lblk);
---
-2.33.0
-
diff --git a/debian/patches/bugfix/mipsel/bpf-mips-Validate-conditional-branch-offsets.patch b/debian/patches/bugfix/mipsel/bpf-mips-Validate-conditional-branch-offsets.patch
deleted file mode 100644
index 98c306840fcf..000000000000
--- a/debian/patches/bugfix/mipsel/bpf-mips-Validate-conditional-branch-offsets.patch
+++ /dev/null
@@ -1,267 +0,0 @@
-From: Piotr Krysiuk <piotras@gmail.com>
-Date: Wed, 15 Sep 2021 17:04:37 +0100
-Subject: bpf, mips: Validate conditional branch offsets
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=37cb28ec7d3a36a5bace7063a3dba633ab110f8b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-38300
-
-The conditional branch instructions on MIPS use 18-bit signed offsets
-allowing for a branch range of 128 KBytes (backward and forward).
-However, this limit is not observed by the cBPF JIT compiler, and so
-the JIT compiler emits out-of-range branches when translating certain
-cBPF programs. A specific example of such a cBPF program is included in
-the "BPF_MAXINSNS: exec all MSH" test from lib/test_bpf.c that executes
-anomalous machine code containing incorrect branch offsets under JIT.
-
-Furthermore, this issue can be abused to craft undesirable machine
-code, where the control flow is hijacked to execute arbitrary Kernel
-code.
-
-The following steps can be used to reproduce the issue:
-
- # echo 1 > /proc/sys/net/core/bpf_jit_enable
- # modprobe test_bpf test_name="BPF_MAXINSNS: exec all MSH"
-
-This should produce multiple warnings from build_bimm() similar to:
-
- ------------[ cut here ]------------
- WARNING: CPU: 0 PID: 209 at arch/mips/mm/uasm-mips.c:210 build_insn+0x558/0x590
- Micro-assembler field overflow
- Modules linked in: test_bpf(+)
- CPU: 0 PID: 209 Comm: modprobe Not tainted 5.14.3 #1
- Stack : 00000000 807bb824 82b33c9c 801843c0 00000000 00000004 00000000 63c9b5ee
- 82b33af4 80999898 80910000 80900000 82fd6030 00000001 82b33a98 82087180
- 00000000 00000000 80873b28 00000000 000000fc 82b3394c 00000000 2e34312e
- 6d6d6f43 809a180f 809a1836 6f6d203a 80900000 00000001 82b33bac 80900000
- 00027f80 00000000 00000000 807bb824 00000000 804ed790 001cc317 00000001
- [...]
- Call Trace:
- [<80108f44>] show_stack+0x38/0x118
- [<807a7aac>] dump_stack_lvl+0x5c/0x7c
- [<807a4b3c>] __warn+0xcc/0x140
- [<807a4c3c>] warn_slowpath_fmt+0x8c/0xb8
- [<8011e198>] build_insn+0x558/0x590
- [<8011e358>] uasm_i_bne+0x20/0x2c
- [<80127b48>] build_body+0xa58/0x2a94
- [<80129c98>] bpf_jit_compile+0x114/0x1e4
- [<80613fc4>] bpf_prepare_filter+0x2ec/0x4e4
- [<8061423c>] bpf_prog_create+0x80/0xc4
- [<c0a006e4>] test_bpf_init+0x300/0xba8 [test_bpf]
- [<8010051c>] do_one_initcall+0x50/0x1d4
- [<801c5e54>] do_init_module+0x60/0x220
- [<801c8b20>] sys_finit_module+0xc4/0xfc
- [<801144d0>] syscall_common+0x34/0x58
- [...]
- ---[ end trace a287d9742503c645 ]---
-
-Then the anomalous machine code executes:
-
-=> 0xc0a18000: addiu sp,sp,-16
- 0xc0a18004: sw s3,0(sp)
- 0xc0a18008: sw s4,4(sp)
- 0xc0a1800c: sw s5,8(sp)
- 0xc0a18010: sw ra,12(sp)
- 0xc0a18014: move s5,a0
- 0xc0a18018: move s4,zero
- 0xc0a1801c: move s3,zero
-
- # __BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 0)
- 0xc0a18020: lui t6,0x8012
- 0xc0a18024: ori t4,t6,0x9e14
- 0xc0a18028: li a1,0
- 0xc0a1802c: jalr t4
- 0xc0a18030: move a0,s5
- 0xc0a18034: bnez v0,0xc0a1ffb8 # incorrect branch offset
- 0xc0a18038: move v0,zero
- 0xc0a1803c: andi s4,s3,0xf
- 0xc0a18040: b 0xc0a18048
- 0xc0a18044: sll s4,s4,0x2
- [...]
-
- # __BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 0)
- 0xc0a1ffa0: lui t6,0x8012
- 0xc0a1ffa4: ori t4,t6,0x9e14
- 0xc0a1ffa8: li a1,0
- 0xc0a1ffac: jalr t4
- 0xc0a1ffb0: move a0,s5
- 0xc0a1ffb4: bnez v0,0xc0a1ffb8 # incorrect branch offset
- 0xc0a1ffb8: move v0,zero
- 0xc0a1ffbc: andi s4,s3,0xf
- 0xc0a1ffc0: b 0xc0a1ffc8
- 0xc0a1ffc4: sll s4,s4,0x2
-
- # __BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 0)
- 0xc0a1ffc8: lui t6,0x8012
- 0xc0a1ffcc: ori t4,t6,0x9e14
- 0xc0a1ffd0: li a1,0
- 0xc0a1ffd4: jalr t4
- 0xc0a1ffd8: move a0,s5
- 0xc0a1ffdc: bnez v0,0xc0a3ffb8 # correct branch offset
- 0xc0a1ffe0: move v0,zero
- 0xc0a1ffe4: andi s4,s3,0xf
- 0xc0a1ffe8: b 0xc0a1fff0
- 0xc0a1ffec: sll s4,s4,0x2
- [...]
-
- # epilogue
- 0xc0a3ffb8: lw s3,0(sp)
- 0xc0a3ffbc: lw s4,4(sp)
- 0xc0a3ffc0: lw s5,8(sp)
- 0xc0a3ffc4: lw ra,12(sp)
- 0xc0a3ffc8: addiu sp,sp,16
- 0xc0a3ffcc: jr ra
- 0xc0a3ffd0: nop
-
-To mitigate this issue, we assert the branch ranges for each emit call
-that could generate an out-of-range branch.
-
-Fixes: 36366e367ee9 ("MIPS: BPF: Restore MIPS32 cBPF JIT")
-Fixes: c6610de353da ("MIPS: net: Add BPF JIT")
-Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Tested-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
-Acked-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
-Cc: Paul Burton <paulburton@kernel.org>
-Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
-Link: https://lore.kernel.org/bpf/20210915160437.4080-1-piotras@gmail.com
----
- arch/mips/net/bpf_jit.c | 57 +++++++++++++++++++++++++++++++----------
- 1 file changed, 43 insertions(+), 14 deletions(-)
-
-diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c
-index 0af88622c619..cb6d22439f71 100644
---- a/arch/mips/net/bpf_jit.c
-+++ b/arch/mips/net/bpf_jit.c
-@@ -662,6 +662,11 @@ static void build_epilogue(struct jit_ctx *ctx)
- ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative : func) : \
- func##_positive)
-
-+static bool is_bad_offset(int b_off)
-+{
-+ return b_off > 0x1ffff || b_off < -0x20000;
-+}
-+
- static int build_body(struct jit_ctx *ctx)
- {
- const struct bpf_prog *prog = ctx->skf;
-@@ -728,7 +733,10 @@ static int build_body(struct jit_ctx *ctx)
- /* Load return register on DS for failures */
- emit_reg_move(r_ret, r_zero, ctx);
- /* Return with error */
-- emit_b(b_imm(prog->len, ctx), ctx);
-+ b_off = b_imm(prog->len, ctx);
-+ if (is_bad_offset(b_off))
-+ return -E2BIG;
-+ emit_b(b_off, ctx);
- emit_nop(ctx);
- break;
- case BPF_LD | BPF_W | BPF_IND:
-@@ -775,8 +783,10 @@ static int build_body(struct jit_ctx *ctx)
- emit_jalr(MIPS_R_RA, r_s0, ctx);
- emit_reg_move(MIPS_R_A0, r_skb, ctx); /* delay slot */
- /* Check the error value */
-- emit_bcond(MIPS_COND_NE, r_ret, 0,
-- b_imm(prog->len, ctx), ctx);
-+ b_off = b_imm(prog->len, ctx);
-+ if (is_bad_offset(b_off))
-+ return -E2BIG;
-+ emit_bcond(MIPS_COND_NE, r_ret, 0, b_off, ctx);
- emit_reg_move(r_ret, r_zero, ctx);
- /* We are good */
- /* X <- P[1:K] & 0xf */
-@@ -855,8 +865,10 @@ static int build_body(struct jit_ctx *ctx)
- /* A /= X */
- ctx->flags |= SEEN_X | SEEN_A;
- /* Check if r_X is zero */
-- emit_bcond(MIPS_COND_EQ, r_X, r_zero,
-- b_imm(prog->len, ctx), ctx);
-+ b_off = b_imm(prog->len, ctx);
-+ if (is_bad_offset(b_off))
-+ return -E2BIG;
-+ emit_bcond(MIPS_COND_EQ, r_X, r_zero, b_off, ctx);
- emit_load_imm(r_ret, 0, ctx); /* delay slot */
- emit_div(r_A, r_X, ctx);
- break;
-@@ -864,8 +876,10 @@ static int build_body(struct jit_ctx *ctx)
- /* A %= X */
- ctx->flags |= SEEN_X | SEEN_A;
- /* Check if r_X is zero */
-- emit_bcond(MIPS_COND_EQ, r_X, r_zero,
-- b_imm(prog->len, ctx), ctx);
-+ b_off = b_imm(prog->len, ctx);
-+ if (is_bad_offset(b_off))
-+ return -E2BIG;
-+ emit_bcond(MIPS_COND_EQ, r_X, r_zero, b_off, ctx);
- emit_load_imm(r_ret, 0, ctx); /* delay slot */
- emit_mod(r_A, r_X, ctx);
- break;
-@@ -926,7 +940,10 @@ static int build_body(struct jit_ctx *ctx)
- break;
- case BPF_JMP | BPF_JA:
- /* pc += K */
-- emit_b(b_imm(i + k + 1, ctx), ctx);
-+ b_off = b_imm(i + k + 1, ctx);
-+ if (is_bad_offset(b_off))
-+ return -E2BIG;
-+ emit_b(b_off, ctx);
- emit_nop(ctx);
- break;
- case BPF_JMP | BPF_JEQ | BPF_K:
-@@ -1056,12 +1073,16 @@ static int build_body(struct jit_ctx *ctx)
- break;
- case BPF_RET | BPF_A:
- ctx->flags |= SEEN_A;
-- if (i != prog->len - 1)
-+ if (i != prog->len - 1) {
- /*
- * If this is not the last instruction
- * then jump to the epilogue
- */
-- emit_b(b_imm(prog->len, ctx), ctx);
-+ b_off = b_imm(prog->len, ctx);
-+ if (is_bad_offset(b_off))
-+ return -E2BIG;
-+ emit_b(b_off, ctx);
-+ }
- emit_reg_move(r_ret, r_A, ctx); /* delay slot */
- break;
- case BPF_RET | BPF_K:
-@@ -1075,7 +1096,10 @@ static int build_body(struct jit_ctx *ctx)
- * If this is not the last instruction
- * then jump to the epilogue
- */
-- emit_b(b_imm(prog->len, ctx), ctx);
-+ b_off = b_imm(prog->len, ctx);
-+ if (is_bad_offset(b_off))
-+ return -E2BIG;
-+ emit_b(b_off, ctx);
- emit_nop(ctx);
- }
- break;
-@@ -1133,8 +1157,10 @@ static int build_body(struct jit_ctx *ctx)
- /* Load *dev pointer */
- emit_load_ptr(r_s0, r_skb, off, ctx);
- /* error (0) in the delay slot */
-- emit_bcond(MIPS_COND_EQ, r_s0, r_zero,
-- b_imm(prog->len, ctx), ctx);
-+ b_off = b_imm(prog->len, ctx);
-+ if (is_bad_offset(b_off))
-+ return -E2BIG;
-+ emit_bcond(MIPS_COND_EQ, r_s0, r_zero, b_off, ctx);
- emit_reg_move(r_ret, r_zero, ctx);
- if (code == (BPF_ANC | SKF_AD_IFINDEX)) {
- BUILD_BUG_ON(sizeof_field(struct net_device, ifindex) != 4);
-@@ -1244,7 +1270,10 @@ void bpf_jit_compile(struct bpf_prog *fp)
-
- /* Generate the actual JIT code */
- build_prologue(&ctx);
-- build_body(&ctx);
-+ if (build_body(&ctx)) {
-+ module_memfree(ctx.target);
-+ goto out;
-+ }
- build_epilogue(&ctx);
-
- /* Update the icache */
---
-2.33.0
-
diff --git a/debian/patches/bugfix/x86/crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch b/debian/patches/bugfix/x86/crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch
deleted file mode 100644
index b299f1a893c2..000000000000
--- a/debian/patches/bugfix/x86/crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Thu, 26 Aug 2021 16:04:27 +0300
-Subject: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=e450c422aa233e9f80515f2ee9164e33f158a472
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3764
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3744
-
-[ Upstream commit 505d9dcb0f7ddf9d075e729523a33d38642ae680 ]
-
-There are three bugs in this code:
-
-1) If we ccp_init_data() fails for &src then we need to free aad.
- Use goto e_aad instead of goto e_ctx.
-2) The label to free the &final_wa was named incorrectly as "e_tag" but
- it should have been "e_final_wa". One error path leaked &final_wa.
-3) The &tag was leaked on one error path. In that case, I added a free
- before the goto because the resource was local to that block.
-
-Fixes: 36cf515b9bbe ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
-Reported-by: "minihanshen(沈明航)" <minihanshen@tencent.com>
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Reviewed-by: John Allen <john.allen@amd.com>
-Tested-by: John Allen <john.allen@amd.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/crypto/ccp/ccp-ops.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
-index bb88198c874e..aa4e1a500691 100644
---- a/drivers/crypto/ccp/ccp-ops.c
-+++ b/drivers/crypto/ccp/ccp-ops.c
-@@ -778,7 +778,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
- in_place ? DMA_BIDIRECTIONAL
- : DMA_TO_DEVICE);
- if (ret)
-- goto e_ctx;
-+ goto e_aad;
-
- if (in_place) {
- dst = src;
-@@ -863,7 +863,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
- op.u.aes.size = 0;
- ret = cmd_q->ccp->vdata->perform->aes(&op);
- if (ret)
-- goto e_dst;
-+ goto e_final_wa;
-
- if (aes->action == CCP_AES_ACTION_ENCRYPT) {
- /* Put the ciphered tag after the ciphertext. */
-@@ -873,17 +873,19 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
- ret = ccp_init_dm_workarea(&tag, cmd_q, authsize,
- DMA_BIDIRECTIONAL);
- if (ret)
-- goto e_tag;
-+ goto e_final_wa;
- ret = ccp_set_dm_area(&tag, 0, p_tag, 0, authsize);
-- if (ret)
-- goto e_tag;
-+ if (ret) {
-+ ccp_dm_free(&tag);
-+ goto e_final_wa;
-+ }
-
- ret = crypto_memneq(tag.address, final_wa.address,
- authsize) ? -EBADMSG : 0;
- ccp_dm_free(&tag);
- }
-
--e_tag:
-+e_final_wa:
- ccp_dm_free(&final_wa);
-
- e_dst:
---
-2.33.0
-
diff --git a/debian/patches/series b/debian/patches/series
index 7fb54a242fd2..3edd47feafc0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -76,7 +76,6 @@ bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch
-bugfix/mipsel/bpf-mips-Validate-conditional-branch-offsets.patch
bugfix/arm/ARM-dts-sun7i-A20-olinuxino-lime2-Fix-ethernet-phy-m.patch
# Arch features
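Review bot: The series entry for `bugfix/mipsel/bpf-mips-Validate-conditional-branch-offsets.patch` (the CVE-2021-38300 fix, per its Bug-Debian-Security header) is dropped here, and `bugfix/all/ext4-limit-the-number-of-blocks-in-one-ADD_RANGE-TLV.patch` is dropped in the next hunk, but the 5.14.10 list added to debian/changelog in this commit names neither change. The other two dropped patches (u2fzero and ccp) do appear there with their bug and CVE references, so the commit alone does not show that these two fixes are in the new upstream version. If both are in 5.14.10, add matching changelog lines with the appropriate architecture tag, for example `- bpf, mips: Validate conditional branch offsets (CVE-2021-38300)` and `- ext4: limit the number of blocks in one ADD_RANGE TLV (Closes: #995425)`. If either is missing upstream, keep that patch in the series.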
@@ -91,8 +90,6 @@ bugfix/all/disable-some-marvell-phys.patch
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/HID-apple-Add-missing-scan-code-event-for-keys-handl.patch
-bugfix/all/ext4-limit-the-number-of-blocks-in-one-ADD_RANGE-TLV.patch
-bugfix/all/HID-u2fzero-ignore-incomplete-packets-without-data.patch
# Miscellaneous features
@@ -112,7 +109,6 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/ntfs-mark-it-as-broken.patch
-bugfix/x86/crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch