diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-08-21 05:38:19 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-08-21 05:38:34 +0000 |
commit | c3dc50caa219cea1d94d77e19b1e9bb7e27bb2f8 (patch) | |
tree | 532254be2db2c8e43370425c3aab5aa0f46219de /debian/patches/bugfix | |
parent | Merging upstream version 6.10.6. (diff) | |
download | linux-c3dc50caa219cea1d94d77e19b1e9bb7e27bb2f8.tar.xz linux-c3dc50caa219cea1d94d77e19b1e9bb7e27bb2f8.zip |
Merging debian version 6.10.6-1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/bugfix')
-rw-r--r-- | debian/patches/bugfix/all/net-drop-bad-gso-csum_start-and-offset-in-virtio_net.patch | 148 | ||||
-rw-r--r-- | debian/patches/bugfix/all/spi-spidev-Add-missing-spi_device_id-for-bh2228fv.patch | 34 |
2 files changed, 0 insertions, 182 deletions
diff --git a/debian/patches/bugfix/all/net-drop-bad-gso-csum_start-and-offset-in-virtio_net.patch b/debian/patches/bugfix/all/net-drop-bad-gso-csum_start-and-offset-in-virtio_net.patch deleted file mode 100644 index 8b2d5743a2..0000000000 --- a/debian/patches/bugfix/all/net-drop-bad-gso-csum_start-and-offset-in-virtio_net.patch +++ /dev/null @@ -1,148 +0,0 @@ -From: Willem de Bruijn <willemb@google.com> -Date: Mon, 29 Jul 2024 16:10:12 -0400 -Subject: net: drop bad gso csum_start and offset in virtio_net_hdr -Origin: https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e - -Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb -for GSO packets. - -The function already checks that a checksum requested with -VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets -this might not hold for segs after segmentation. - -Syzkaller demonstrated to reach this warning in skb_checksum_help - - offset = skb_checksum_start_offset(skb); - ret = -EINVAL; - if (WARN_ON_ONCE(offset >= skb_headlen(skb))) - -By injecting a TSO packet: - -WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 - ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 - ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] - __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 - iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 - ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 - __gre_xmit net/ipv4/ip_gre.c:469 [inline] - ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 - __netdev_start_xmit include/linux/netdevice.h:4850 [inline] - netdev_start_xmit include/linux/netdevice.h:4864 [inline] - xmit_one net/core/dev.c:3595 [inline] - dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 - __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 - packet_snd net/packet/af_packet.c:3073 [inline] - -The geometry of the bad input packet at tcp_gso_segment: - -[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0 -[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244 -[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0)) -[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536 -ip_summed=3 complete_sw=0 valid=0 level=0) - -Mitigate with stricter input validation. - -csum_offset: for GSO packets, deduce the correct value from gso_type. -This is already done for USO. Extend it to TSO. Let UFO be: -udp[46]_ufo_fragment ignores these fields and always computes the -checksum in software. - -csum_start: finding the real offset requires parsing to the transport -header. Do not add a parser, use existing segmentation parsing. Thanks -to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded. -Again test both TSO and USO. Do not test UFO for the above reason, and -do not test UDP tunnel offload. - -GSO packet are almost always CHECKSUM_PARTIAL. USO packets may be -CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit -from devices with no checksum offload"), but then still these fields -are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no -need to test for ip_summed == CHECKSUM_PARTIAL first. - -This revises an existing fix mentioned in the Fixes tag, which broke -small packets with GSO offload, as detected by kselftests. - -Link: https://syzkaller.appspot.com/bug?extid=e1db31216c789f552871 -Link: https://lore.kernel.org/netdev/20240723223109.2196886-1-kuba@kernel.org -Fixes: e269d79c7d35 ("net: missing check virtio") -Cc: stable@vger.kernel.org -Signed-off-by: Willem de Bruijn <willemb@google.com> -Link: https://patch.msgid.link/20240729201108.1615114-1-willemdebruijn.kernel@gmail.com -Signed-off-by: Jakub Kicinski <kuba@kernel.org> ---- - include/linux/virtio_net.h | 16 +++++----------- - net/ipv4/tcp_offload.c | 3 +++ - net/ipv4/udp_offload.c | 4 ++++ - 3 files changed, 12 insertions(+), 11 deletions(-) - -diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h -index d1d7825318c3..6c395a2600e8 100644 ---- a/include/linux/virtio_net.h -+++ b/include/linux/virtio_net.h -@@ -56,7 +56,6 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, - unsigned int thlen = 0; - unsigned int p_off = 0; - unsigned int ip_proto; -- u64 ret, remainder, gso_size; - - if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) { - switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { -@@ -99,16 +98,6 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, - u32 off = __virtio16_to_cpu(little_endian, hdr->csum_offset); - u32 needed = start + max_t(u32, thlen, off + sizeof(__sum16)); - -- if (hdr->gso_size) { -- gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size); -- ret = div64_u64_rem(skb->len, gso_size, &remainder); -- if (!(ret && (hdr->gso_size > needed) && -- ((remainder > needed) || (remainder == 0)))) { -- return -EINVAL; -- } -- skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG; -- } -- - if (!pskb_may_pull(skb, needed)) - return -EINVAL; - -@@ -182,6 +171,11 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, - if (gso_type != SKB_GSO_UDP_L4) - return -EINVAL; - break; -+ case SKB_GSO_TCPV4: -+ case SKB_GSO_TCPV6: -+ if (skb->csum_offset != offsetof(struct tcphdr, check)) -+ return -EINVAL; -+ break; - } - - /* Kernel has a special handling for GSO_BY_FRAGS. */ -diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c -index 4b791e74529e..e4ad3311e148 100644 ---- a/net/ipv4/tcp_offload.c -+++ b/net/ipv4/tcp_offload.c -@@ -140,6 +140,9 @@ struct sk_buff *tcp_gso_segment(struct sk_buff *skb, - if (thlen < sizeof(*th)) - goto out; - -+ if (unlikely(skb_checksum_start(skb) != skb_transport_header(skb))) -+ goto out; -+ - if (!pskb_may_pull(skb, thlen)) - goto out; - -diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c -index aa2e0a28ca61..bc8a9da750fe 100644 ---- a/net/ipv4/udp_offload.c -+++ b/net/ipv4/udp_offload.c -@@ -278,6 +278,10 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, - if (gso_skb->len <= sizeof(*uh) + mss) - return ERR_PTR(-EINVAL); - -+ if (unlikely(skb_checksum_start(gso_skb) != -+ skb_transport_header(gso_skb))) -+ return ERR_PTR(-EINVAL); -+ - if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) { - /* Packet is from an untrusted source, reset gso_segs. */ - skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh), diff --git a/debian/patches/bugfix/all/spi-spidev-Add-missing-spi_device_id-for-bh2228fv.patch b/debian/patches/bugfix/all/spi-spidev-Add-missing-spi_device_id-for-bh2228fv.patch deleted file mode 100644 index ad4d220401..0000000000 --- a/debian/patches/bugfix/all/spi-spidev-Add-missing-spi_device_id-for-bh2228fv.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Geert Uytterhoeven <geert+renesas@glider.be> -Date: Tue, 30 Jul 2024 15:35:47 +0200 -Subject: spi: spidev: Add missing spi_device_id for bh2228fv -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git/commit?id=e4c4638b6a10427d30e29d22351c375886025f47 - -When the of_device_id entry for "rohm,bh2228fv" was added, the -corresponding spi_device_id was forgotten, causing a warning message -during boot-up: - - SPI driver spidev has no spi_device_id for rohm,bh2228fv - -Fix module autoloading and shut up the warning by adding the missing -entry. - -Fixes: fc28d1c1fe3b3e2f ("spi: spidev: add correct compatible for Rohm BH2228FV") -Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> -Link: https://patch.msgid.link/cb571d4128f41175f31319cd9febc829417ea167.1722346539.git.geert+renesas@glider.be -Signed-off-by: Mark Brown <broonie@kernel.org> ---- - drivers/spi/spidev.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c -index 05e6d007f9a7..5304728c68c2 100644 ---- a/drivers/spi/spidev.c -+++ b/drivers/spi/spidev.c -@@ -700,6 +700,7 @@ static const struct class spidev_class = { - }; - - static const struct spi_device_id spidev_spi_ids[] = { -+ { .name = "bh2228fv" }, - { .name = "dh2228fv" }, - { .name = "ltc2488" }, - { .name = "sx1301" }, |