From c685ac4c5f8024e7f685f4f4c64f7ba23598f296 Mon Sep 17 00:00:00 2001
From: Kernel Build Daemon
Date: May 14 2023 05:34:07 +0000
Subject: Merge branch 'SLE12-SP5' into SLE12-SP5-AZURE
---
diff --git a/blacklist.conf b/blacklist.conf
index ceeb76c..a7351b6 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -2808,3 +2808,4 @@ de526f401284e1638d4c97cb5a4c292ac3f37655 # not needed
 4b9880dbf3bdba3a7c56445137c3d0e30aaa0a40 # not needed with downstream version of patch
 07b050f9290ee012a407a0f64151db902a1520f5 # not needed with downstream version of patch
 a494398bde273143c2352dd373cad8211f7d94b2 # not needed with downstream version of patch
+8c43bd1706885ba1acfa88da02bc60a2ec16f68c # not needed
diff --git a/patches.suse/0001-netrom-Fix-use-after-free-caused-by-accept-on-alread.patch b/patches.suse/0001-netrom-Fix-use-after-free-caused-by-accept-on-alread.patch
new file mode 100644
index 0000000..c23c763
--- /dev/null
+++ b/patches.suse/0001-netrom-Fix-use-after-free-caused-by-accept-on-alread.patch
@@ -0,0 +1,211 @@ +From 611792920925fb088ddccbe2783c7f92fdfb6b64 Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Thu, 26 Jan 2023 18:32:50 -0800 +Subject: [PATCH] netrom: Fix use-after-free caused by accept on already + connected socket +Git-commit: 611792920925fb088ddccbe2783c7f92fdfb6b64 +Patch-mainline: v6.2-rc7 +References: bsc#1211186 CVE-2023-32269 + +If you call listen() and accept() on an already connect()ed +AF_NETROM socket, accept() can successfully connect. +This is because when the peer socket sends data to sendmsg, +the skb with its own sk stored in the connected socket's +sk->sk_receive_queue is connected, and nr_accept() dequeues +the skb waiting in the sk->sk_receive_queue. + +As a result, nr_accept() allocates and returns a sock with +the sk of the parent AF_NETROM socket. + +And here use-after-free can happen through complex race conditions: +``` + cpu0 cpu1 + 1. socket_2 = socket(AF_NETROM) + . + . + listen(socket_2) + accepted_socket = accept(socket_2) + 2. socket_1 = socket(AF_NETROM) + nr_create() // sk refcount : 1 + connect(socket_1) + 3. write(accepted_socket) + nr_sendmsg() + nr_output() + nr_kick() + nr_send_iframe() + nr_transmit_buffer() + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() + nr_process_rx_frame(sk, skb); // sk : socket_1's sk + nr_state3_machine() + nr_queue_rx_frame() + sock_queue_rcv_skb() + sock_queue_rcv_skb_reason() + __sock_queue_rcv_skb() + __skb_queue_tail(list, skb); // list : socket_1's sk->sk_receive_queue + 4. listen(socket_1) + nr_listen() + uaf_socket = accept(socket_1) + nr_accept() + skb_dequeue(&sk->sk_receive_queue); + 5. close(accepted_socket) + nr_release() + nr_write_internal(sk, NR_DISCREQ) + nr_transmit_buffer() // NR_DISCREQ + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() // sk : socket_1's sk + nr_process_rx_frame() // NR_STATE_3 + nr_state3_machine() // NR_DISCREQ + nr_disconnect() + nr_sk(sk)->state = NR_STATE_0; + 6. 
close(socket_1) // sk refcount : 3 + nr_release() // NR_STATE_0 + sock_put(sk); // sk refcount : 0 + sk_free(sk); + close(uaf_socket) + nr_release() + sock_hold(sk); // UAF +``` + +KASAN report by syzbot: +``` +Bug: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520 +Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:306 [inline] + print_report+0x15e/0x461 mm/kasan/report.c:417 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 + check_region_inline mm/kasan/generic.c:183 [inline] + kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 + instrument_atomic_read_write include/linux/instrumented.h:102 [inline] + atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline] + __refcount_add include/linux/refcount.h:193 [inline] + __refcount_inc include/linux/refcount.h:250 [inline] + refcount_inc include/linux/refcount.h:267 [inline] + sock_hold include/net/sock.h:775 [inline] + nr_release+0x66/0x460 net/netrom/af_netrom.c:520 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Rip: 0033:0x7f6c19e3c9b9 +Code: Unable to access opcode 
bytes at 0x7f6c19e3c98f. +Rsp: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 +Rax: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9 +Rdx: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006 +Rbp: 0000000000000003 R08: 000000000000000d R09: 000000000000000d +R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0 +R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000 + + +Allocated by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + ____kasan_kmalloc mm/kasan/common.c:330 [inline] + __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slab_common.c:968 [inline] + __kmalloc+0x5a/0xd0 mm/slab_common.c:981 + kmalloc include/linux/slab.h:584 [inline] + sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 + sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 + nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 + __sock_create+0x359/0x790 net/socket.c:1515 + sock_create net/socket.c:1566 [inline] + __sys_socket_create net/socket.c:1603 [inline] + __sys_socket_create net/socket.c:1588 [inline] + __sys_socket+0x133/0x250 net/socket.c:1636 + __do_sys_socket net/socket.c:1649 [inline] + __se_sys_socket net/socket.c:1647 [inline] + __x64_sys_socket+0x73/0xb0 net/socket.c:1647 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 + kasan_slab_free include/linux/kasan.h:177 [inline] + __cache_free mm/slab.c:3394 [inline] + __do_kmem_cache_free mm/slab.c:3580 [inline] + 
__kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 + sk_prot_free net/core/sock.c:2074 [inline] + __sk_destruct+0x5df/0x750 net/core/sock.c:2166 + sk_destruct net/core/sock.c:2181 [inline] + __sk_free+0x175/0x460 net/core/sock.c:2192 + sk_free+0x7c/0xa0 net/core/sock.c:2203 + sock_put include/net/sock.h:1991 [inline] + nr_release+0x39e/0x460 net/netrom/af_netrom.c:554 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +``` + +To fix this issue, nr_listen() returns -EINVAL for sockets that +successfully nr_connect(). + +Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. 
Miller
+Acked-by: Vasant Karasulli
+
+---
+ net/netrom/af_netrom.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 6f7f4392cffb..5a4cb796150f 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -400,6 +400,11 @@ static int nr_listen(struct socket *sock, int backlog)
+ struct sock *sk = sock->sk;
+
+ lock_sock(sk);
++ if (sock->state != SS_UNCONNECTED) {
++ release_sock(sk);
++ return -EINVAL;
++ }
++
+ if (sk->sk_state != TCP_LISTEN) {
+ memset(&nr_sk(sk)->user_addr, 0, AX25_ADDR_LEN);
+ sk->sk_max_ack_backlog = backlog;
+--
+2.34.1
+
diff --git a/patches.suse/0001-wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_a.patch b/patches.suse/0001-wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_a.patch
new file mode 100644
index 0000000..581c0de
--- /dev/null
+++ b/patches.suse/0001-wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_a.patch
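Review bot: The new `sock->state != SS_UNCONNECTED` guard in nr_listen() carries no comment explaining why a connected socket must be refused; the reasoning lives only in the commit message of this backported patch. I would add above the check `/* A connected socket's receive queue holds data skbs, not connection requests; nr_accept() would otherwise dequeue one and hand out a sock tied to this sk (CVE-2023-32269). */`. The guard runs under lock_sock() and releases the lock before returning -EINVAL, which looks correct as written. nr_listen() continues past the end of this hunk, so the rest of the function is not visible here.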
@@ -0,0 +1,174 @@ +From 0da40e018fd034d87c9460123fa7f897b69fdee7 Mon Sep 17 00:00:00 2001 +From: Jisoo Jang +Date: Thu, 9 Mar 2023 19:44:57 +0900 +Subject: [PATCH] wifi: brcmfmac: slab-out-of-bounds read in + brcmf_get_assoc_ies() +Git-commit: 0da40e018fd034d87c9460123fa7f897b69fdee7 +Patch-mainline: v6.4 or v6.4-rc1 (next release) +References: bsc#1209287 CVE-2023-1380 + +Fix a slab-out-of-bounds read that occurs in kmemdup() called from +brcmf_get_assoc_ies(). +The bug could occur when assoc_info->req_len, data from a URB provided +by a USB device, is bigger than the size of buffer which is defined as +WL_EXTRA_BUF_MAX. + +Add the size check for req_len/resp_len of assoc_info. + +Found by a modified version of syzkaller. + +[ 46.592467][ T7] ================================================================== +[ 46.594687][ T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50 +[ 46.596572][ T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7 +[ 46.598575][ T7] +[ 46.599157][ T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #145 +[ 46.601333][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +[ 46.604360][ T7] Workqueue: events brcmf_fweh_event_worker +[ 46.605943][ T7] Call Trace: +[ 46.606584][ T7] dump_stack_lvl+0x8e/0xd1 +[ 46.607446][ T7] print_address_description.constprop.0.cold+0x93/0x334 +[ 46.608610][ T7] ? kmemdup+0x3e/0x50 +[ 46.609341][ T7] kasan_report.cold+0x79/0xd5 +[ 46.610151][ T7] ? kmemdup+0x3e/0x50 +[ 46.610796][ T7] kasan_check_range+0x14e/0x1b0 +[ 46.611691][ T7] memcpy+0x20/0x60 +[ 46.612323][ T7] kmemdup+0x3e/0x50 +[ 46.612987][ T7] brcmf_get_assoc_ies+0x967/0xf60 +[ 46.613904][ T7] ? brcmf_notify_vif_event+0x3d0/0x3d0 +[ 46.614831][ T7] ? lock_chain_count+0x20/0x20 +[ 46.615683][ T7] ? mark_lock.part.0+0xfc/0x2770 +[ 46.616552][ T7] ? lock_chain_count+0x20/0x20 +[ 46.617409][ T7] ? mark_lock.part.0+0xfc/0x2770 +[ 46.618244][ T7] ? 
lock_chain_count+0x20/0x20 +[ 46.619024][ T7] brcmf_bss_connect_done.constprop.0+0x241/0x2e0 +[ 46.620019][ T7] ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0 +[ 46.620818][ T7] ? __lock_acquire+0x181f/0x5790 +[ 46.621462][ T7] brcmf_notify_connect_status+0x448/0x1950 +[ 46.622134][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 46.622736][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0 +[ 46.623390][ T7] ? find_held_lock+0x2d/0x110 +[ 46.623962][ T7] ? brcmf_fweh_event_worker+0x19f/0xc60 +[ 46.624603][ T7] ? mark_held_locks+0x9f/0xe0 +[ 46.625145][ T7] ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0 +[ 46.625871][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0 +[ 46.626545][ T7] brcmf_fweh_call_event_handler.isra.0+0x90/0x100 +[ 46.627338][ T7] brcmf_fweh_event_worker+0x557/0xc60 +[ 46.627962][ T7] ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 +[ 46.628736][ T7] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 46.629396][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 46.629970][ T7] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 46.630649][ T7] process_one_work+0x92b/0x1460 +[ 46.631205][ T7] ? pwq_dec_nr_in_flight+0x330/0x330 +[ 46.631821][ T7] ? rwlock_bug.part.0+0x90/0x90 +[ 46.632347][ T7] worker_thread+0x95/0xe00 +[ 46.632832][ T7] ? __kthread_parkme+0x115/0x1e0 +[ 46.633393][ T7] ? process_one_work+0x1460/0x1460 +[ 46.633957][ T7] kthread+0x3a1/0x480 +[ 46.634369][ T7] ? 
set_kthread_struct+0x120/0x120 +[ 46.634933][ T7] ret_from_fork+0x1f/0x30 +[ 46.635431][ T7] +[ 46.635687][ T7] Allocated by task 7: +[ 46.636151][ T7] kasan_save_stack+0x1b/0x40 +[ 46.636628][ T7] __kasan_kmalloc+0x7c/0x90 +[ 46.637108][ T7] kmem_cache_alloc_trace+0x19e/0x330 +[ 46.637696][ T7] brcmf_cfg80211_attach+0x4a0/0x4040 +[ 46.638275][ T7] brcmf_attach+0x389/0xd40 +[ 46.638739][ T7] brcmf_usb_probe+0x12de/0x1690 +[ 46.639279][ T7] usb_probe_interface+0x2aa/0x760 +[ 46.639820][ T7] really_probe+0x205/0xb70 +[ 46.640342][ T7] __driver_probe_device+0x311/0x4b0 +[ 46.640876][ T7] driver_probe_device+0x4e/0x150 +[ 46.641445][ T7] __device_attach_driver+0x1cc/0x2a0 +[ 46.642000][ T7] bus_for_each_drv+0x156/0x1d0 +[ 46.642543][ T7] __device_attach+0x23f/0x3a0 +[ 46.643065][ T7] bus_probe_device+0x1da/0x290 +[ 46.643644][ T7] device_add+0xb7b/0x1eb0 +[ 46.644130][ T7] usb_set_configuration+0xf59/0x16f0 +[ 46.644720][ T7] usb_generic_driver_probe+0x82/0xa0 +[ 46.645295][ T7] usb_probe_device+0xbb/0x250 +[ 46.645786][ T7] really_probe+0x205/0xb70 +[ 46.646258][ T7] __driver_probe_device+0x311/0x4b0 +[ 46.646804][ T7] driver_probe_device+0x4e/0x150 +[ 46.647387][ T7] __device_attach_driver+0x1cc/0x2a0 +[ 46.647926][ T7] bus_for_each_drv+0x156/0x1d0 +[ 46.648454][ T7] __device_attach+0x23f/0x3a0 +[ 46.648939][ T7] bus_probe_device+0x1da/0x290 +[ 46.649478][ T7] device_add+0xb7b/0x1eb0 +[ 46.649936][ T7] usb_new_device.cold+0x49c/0x1029 +[ 46.650526][ T7] hub_event+0x1c98/0x3950 +[ 46.650975][ T7] process_one_work+0x92b/0x1460 +[ 46.651535][ T7] worker_thread+0x95/0xe00 +[ 46.651991][ T7] kthread+0x3a1/0x480 +[ 46.652413][ T7] ret_from_fork+0x1f/0x30 +[ 46.652885][ T7] +[ 46.653131][ T7] The buggy address belongs to the object at ffff888019442000 +[ 46.653131][ T7] which belongs to the cache kmalloc-2k of size 2048 +[ 46.654669][ T7] The buggy address is located 0 bytes inside of +[ 46.654669][ T7] 2048-byte region [ffff888019442000, ffff888019442800) +[ 46.656137][ 
T7] The buggy address belongs to the page: +[ 46.656720][ T7] page:ffffea0000651000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19440 +[ 46.657792][ T7] head:ffffea0000651000 order:3 compound_mapcount:0 compound_pincount:0 +[ 46.658673][ T7] flags: 0x100000000010200(slab|head|node=0|zone=1) +[ 46.659422][ T7] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888100042000 +[ 46.660363][ T7] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 +[ 46.661236][ T7] page dumped because: kasan: bad access detected +[ 46.661956][ T7] page_owner tracks the page as allocated +[ 46.662588][ T7] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 7, ts 31136961085, free_ts 0 +[ 46.664271][ T7] prep_new_page+0x1aa/0x240 +[ 46.664763][ T7] get_page_from_freelist+0x159a/0x27c0 +[ 46.665340][ T7] __alloc_pages+0x2da/0x6a0 +[ 46.665847][ T7] alloc_pages+0xec/0x1e0 +[ 46.666308][ T7] allocate_slab+0x380/0x4e0 +[ 46.666770][ T7] ___slab_alloc+0x5bc/0x940 +[ 46.667264][ T7] __slab_alloc+0x6d/0x80 +[ 46.667712][ T7] kmem_cache_alloc_trace+0x30a/0x330 +[ 46.668299][ T7] brcmf_usbdev_qinit.constprop.0+0x50/0x470 +[ 46.668885][ T7] brcmf_usb_probe+0xc97/0x1690 +[ 46.669438][ T7] usb_probe_interface+0x2aa/0x760 +[ 46.669988][ T7] really_probe+0x205/0xb70 +[ 46.670487][ T7] __driver_probe_device+0x311/0x4b0 +[ 46.671031][ T7] driver_probe_device+0x4e/0x150 +[ 46.671604][ T7] __device_attach_driver+0x1cc/0x2a0 +[ 46.672192][ T7] bus_for_each_drv+0x156/0x1d0 +[ 46.672739][ T7] page_owner free stack trace missing +[ 46.673335][ T7] +[ 46.673620][ T7] Memory state around the buggy address: +[ 46.674213][ T7] ffff888019442700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 46.675083][ T7] ffff888019442780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 46.675994][ T7] >ffff888019442800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 46.676875][ T7] ^ +[ 
46.677323][ T7] ffff888019442880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 46.678190][ T7] ffff888019442900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 46.679052][ T7] ==================================================================
+[ 46.679945][ T7] Disabling lock debugging due to kernel taint
+[ 46.680725][ T7] Kernel panic - not syncing:
+
+Reviewed-by: Arend van Spriel
+Signed-off-by: Jisoo Jang
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230309104457.22628-1-jisoo.jang@yonsei.ac.kr
+Acked-by: Vasant Karasulli
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index 548799fefb4b..de8a2e27f49c 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6280,6 +6280,11 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
+ (struct brcmf_cfg80211_assoc_ielen_le *)cfg->extra_buf;
+ req_len = le32_to_cpu(assoc_info->req_len);
+ resp_len = le32_to_cpu(assoc_info->resp_len);
++ if (req_len > WL_EXTRA_BUF_MAX || resp_len > WL_EXTRA_BUF_MAX) {
++ brcmf_err("invalid lengths in assoc info: req %u resp %u\n",
++ req_len, resp_len);
++ return -EINVAL;
++ }
+ if (req_len) {
+ err = brcmf_fil_iovar_data_get(ifp, "assoc_req_ies",
+ cfg->extra_buf,
+--
+2.34.1
+
diff --git a/patches.suse/net-propagate-dev_get_valid_name-return-code.patch b/patches.suse/net-propagate-dev_get_valid_name-return-code.patch
new file mode 100644
index 0000000..c4ec564
--- /dev/null
+++ b/patches.suse/net-propagate-dev_get_valid_name-return-code.patch
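Review bot: The `Patch-mainline: v6.4 or v6.4-rc1 (next release)` header in the new patch file is a placeholder rather than a resolved tag; it should be replaced with the actual mainline release that contains commit 0da40e018fd0 before this is treated as final. The added check itself compares `req_len`/`resp_len` against WL_EXTRA_BUF_MAX, which the description says is the size of the buffer later handed to kmemdup(), so the bound looks right; the `%u` format presumes both are unsigned 32-bit values, which the `le32_to_cpu()` conversions on the preceding lines suggest but the hunk does not prove. I would also add a short comment above the check, `/* both lengths come from a device-supplied event; cap them to the extra_buf size before kmemdup() */`, so the next reader sees why the check exists. brcmf_get_assoc_ies() continues beyond this hunk.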
@@ -0,0 +1,45 @@
+From b5f0e7a99cce7c47ff6ebb3035192b173d361ffd Mon Sep 17 00:00:00 2001
+From: Li RongQing
+Date: Tue, 19 Jun 2018 17:23:17 +0800
+Subject: [PATCH 1/2] net: propagate dev_get_valid_name return code
+References: git-fixes
+Patch-mainline: v4.18-rc2
+Git-commit: 7892bd081045222b9e4027fec279a28d6fe7aa66
+
+if dev_get_valid_name failed, propagate its return code
+
+and remove the setting err to ENODEV, it will be set to
+0 again before dev_change_net_namespace exits.
+
+Signed-off-by: Li RongQing
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ net/core/dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 1213a4ac3a49..721f0abf1741 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -9153,7 +9153,8 @@ int dev_change_net_namespace(struct net_device *dev, struct net *net, const char
+ /* We get here if we can't use the current device name */
+ if (!pat)
+ goto out;
+- if (dev_get_valid_name(net, dev, pat) < 0)
++ err = dev_get_valid_name(net, dev, pat);
++ if (err < 0)
+ goto out;
+ }
+
+@@ -9165,7 +9166,6 @@ int dev_change_net_namespace(struct net_device *dev, struct net *net, const char
+ dev_close(dev);
+
+ /* And unlink it from device chain */
+- err = -ENODEV;
+ unlist_netdevice(dev);
+
+ synchronize_net();
+--
+2.16.4
+
diff --git a/patches.suse/sctp-fix-erroneous-inc-of-snmp-SctpFragUsrMsgs.patch b/patches.suse/sctp-fix-erroneous-inc-of-snmp-SctpFragUsrMsgs.patch
new file mode 100644
index 0000000..b95b414
--- /dev/null
+++ b/patches.suse/sctp-fix-erroneous-inc-of-snmp-SctpFragUsrMsgs.patch
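Review bot: The second inner hunk removes `err = -ENODEV;` ahead of unlist_netdevice() on the strength of the commit message's claim that err is reset to 0 before dev_change_net_namespace() returns; that later assignment is outside both hunks, so the backport should confirm the SLE12-SP5 copy of the function still performs it, otherwise a negative `err` left over from an earlier failed lookup could be returned on the success path. The first inner hunk's `err = dev_get_valid_name(net, dev, pat); if (err < 0) goto out;` is a straightforward propagation and looks correct. A one-line comment at the removal site, such as `/* err is reset to 0 further down; no need to preset it here */`, would make that dependency visible to the next backporter. Both hunks are cut from the middle of dev_change_net_namespace(), whose start and end are not shown here.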
@@ -0,0 +1,41 @@
+From 483a69f6fad664c76148afbd0c454cd03c813abb Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner
+Date: Wed, 20 Jun 2018 12:47:52 -0300
+Subject: [PATCH 2/2] sctp: fix erroneous inc of snmp SctpFragUsrMsgs
+References: git-fixes
+Patch-mainline: v4.18-rc3
+Git-commit: fedb1bd3d274b33c432cb83c80c6b3cf54d509c8
+
+Currently it is incrementing SctpFragUsrMsgs when the user message size
+is of the exactly same size as the maximum fragment size, which is wrong.
+
+The fix is to increment it only when user message is bigger than the
+maximum fragment size.
+
+Fixes: bfd2e4b8734d ("sctp: refactor sctp_datamsg_from_user")
+Signed-off-by: Marcelo Ricardo Leitner
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ net/sctp/chunk.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
+index 697721a7a3f1..f9d93f9b6814 100644
+--- a/net/sctp/chunk.c
++++ b/net/sctp/chunk.c
+@@ -230,7 +230,9 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+ /* Account for a different sized first fragment */
+ if (msg_len >= first_len) {
+ msg->can_delay = 0;
+- SCTP_INC_STATS(sock_net(asoc->base.sk), SCTP_MIB_FRAGUSRMSGS);
++ if (msg_len > first_len)
++ SCTP_INC_STATS(sock_net(asoc->base.sk),
++ SCTP_MIB_FRAGUSRMSGS);
+ } else {
+ /* Which may be the only one... */
+ first_len = msg_len;
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 02585ab..c1cd3c9 100644
--- a/series.conf
+++ b/series.conf
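Review bot: The new nested `if (msg_len > first_len)` inside `if (msg_len >= first_len)` leaves the reader to work out why the equal case no longer counts; a comment would save the next reader a trip to the commit log, for example `/* A message exactly first_len long fits in one chunk and is not fragmented. */` above the inner if. The `msg->can_delay = 0;` assignment still executes for the equal case, which matches the intent stated in the description. sctp_datamsg_from_user() begins and ends outside this hunk.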
@@ -35282,6 +35282,7 @@ patches.suse/ipvlan-use-ETH_MAX_MTU-as-max-mtu.patch patches.suse/net-net_failover-fix-typo-in-net_failover_slave_regi.patch patches.suse/enic-do-not-overwrite-error-code.patch + patches.suse/net-propagate-dev_get_valid_name-return-code.patch patches.suse/net-sched-act_ife-fix-recursive-lock-and-idr-leak.patch patches.suse/net-sched-act_ife-preserve-the-action-control-in-cas.patch patches.suse/net-sungem-fix-rx-checksum-support.patch @@ -35381,6 +35382,7 @@ patches.suse/x86-cpu-amd-fix-llc-id-bit-shift-calculation patches.suse/uprobes-x86-Remove-incorrect-WARN_ON-in-uprobe_init_.patch patches.suse/bpf-enforce-correct-alignment-for-instructions.patch + patches.suse/sctp-fix-erroneous-inc-of-snmp-SctpFragUsrMsgs.patch patches.suse/ipvlan-fix-IFLA_MTU-ignored-on-NEWLINK.patch patches.suse/net-packet-fix-use-after-free.patch patches.suse/cls_flower-fix-use-after-free-in-flower-S-W-path.patch @@ -63241,6 +63243,7 @@ patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch patches.suse/tracing-Make-sure-trace_printk-can-output-as-soon-as-it-can-be-used.patch + patches.suse/0001-netrom-Fix-use-after-free-caused-by-accept-on-alread.patch patches.suse/net-USB-Fix-wrong-direction-WARNING-in-plusb.c.patch patches.suse/usb-typec-altmodes-displayport-Fix-probe-pin-assign-.patch patches.suse/net-sched-tcindex-update-imperfect-hash-filters-resp.patch @@ -63323,6 +63326,7 @@ patches.suse/cgroup-cpuset-Wake-up-cpuset_attach_wq-tasks-in-cpuset_cancel_attach.patch patches.suse/cifs-fix-negotiate-context-parsing.patch patches.suse/powerpc-papr_scm-Update-the-NUMA-distance-table-for-.patch + patches.suse/0001-wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_a.patch patches.suse/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch patches.suse/ipmi-fix-SSIF-not-responding-under-certain-cond.patch patches.suse/USB-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch