~ubuntu-kernel/ubuntu/+source/linux/+git/focal:hwe-5.13-next

Last commit made on 2022-07-08
Get this branch:
git clone -b hwe-5.13-next https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal

Branch information

Name:
hwe-5.13-next
Repository:
lp:~ubuntu-kernel/ubuntu/+source/linux/+git/focal

Recent commits

cb432c4... by Eric Dumazet <email address hidden>

llc: only change llc->dev when bind() succeeds

commit 2d327a79ee176930dc72c131a970c891d367c1dc upstream.

My latest patch, attempting to fix the refcount leak in a minimal
way turned out to add a new bug.

Whenever the bind operation fails before we attempt to grab
a reference count on a device, we might release the device refcount
of a prior successful bind() operation.

syzbot was not happy about this [1].

Note to stable teams:

Make sure commit b37a46683739 ("netdevice: add the case if dev is NULL")
is already present in your trees.

[1]
general protection fault, probably for non-canonical address 0xdffffc0000000070: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]
CPU: 1 PID: 3590 Comm: syz-executor361 Tainted: G W 5.17.0-syzkaller-04796-g169e77764adc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:llc_ui_connect+0x400/0xcb0 net/llc/af_llc.c:500
Call Trace:
 <TASK>
 __sys_connect_file+0x155/0x1a0 net/socket.c:1900
 __sys_connect+0x161/0x190 net/socket.c:1917
 __do_sys_connect net/socket.c:1927 [inline]
 __se_sys_connect net/socket.c:1924 [inline]
 __x64_sys_connect+0x6f/0xb0 net/socket.c:1924
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:llc_ui_connect+0x400/0xcb0 net/llc/af_llc.c:500

Fixes: 764f4eb6846f ("llc: fix netdevice reference leaks in llc_ui_bind()")
Signed-off-by: Eric Dumazet <email address hidden>
Reported-by: syzbot <email address hidden>
Cc: 赵子轩 <email address hidden>
Cc: Stoyan Manolov <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Jakub Kicinski <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>

CVE-2022-28356
(cherry picked from commit 163960a7de1333514c9352deb7c80c6b9fd9abf2 linux-5.10.y)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

f0895ab... by Yajun Deng <email address hidden>

netdevice: add the case if dev is NULL

Add the case if dev is NULL in dev_{put, hold}, so the caller doesn't
need to care whether dev is NULL or not.

Signed-off-by: Yajun Deng <email address hidden>
Signed-off-by: David S. Miller <email address hidden>

CVE-2022-28356
(cherry picked from commit b37a466837393af72fe8bcb8f1436410f3f173f3)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
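
The two CVE-2022-28356 commits above, as a simplified user-space model added here for illustration; it is not code from the kernel patches. All type and function names are hypothetical. `bind_buggy` assumes the regression's error path releases the socket's device unconditionally, while `bind_fixed` keeps the device in a local until success and relies on a NULL-tolerant put.

```c
#include <stdio.h>

struct dev_model { int refcnt; };               /* stands in for a net_device */
struct sock_model { struct dev_model *dev; };   /* stands in for llc->dev */
enum { OK, FAIL_EARLY, FAIL_LATE };             /* constructed failure points */
/* NULL-tolerant helpers, as the netdevice commit describes for dev_{put,hold}. */
static void hold(struct dev_model *d) { if (d) d->refcnt++; }
static void put(struct dev_model *d)  { if (d) d->refcnt--; }

/* Assumed shape of the regression: the error path drops s->dev unconditionally. */
static int bind_buggy(struct sock_model *s, struct dev_model *d, int fail)
{
    int rc = -1;
    if (fail == FAIL_EARLY) goto out;           /* no reference taken yet */
    s->dev = d;
    hold(s->dev);
    if (fail == FAIL_LATE) goto out;
    rc = 0;
out:
    if (rc) { put(s->dev); s->dev = NULL; }     /* may hit a prior bind's device */
    return rc;
}

/* Pattern named in the commit title: only change s->dev when bind succeeds. */
static int bind_fixed(struct sock_model *s, struct dev_model *d, int fail)
{
    struct dev_model *dev = NULL;               /* stays local until success */
    int rc = -1;
    if (fail == FAIL_EARLY) goto out;
    dev = d;
    hold(dev);
    if (fail == FAIL_LATE) goto out;
    s->dev = dev; dev = NULL;                   /* socket now owns the reference */
    rc = 0;
out:
    put(dev);                                   /* no-op when dev is NULL */
    return rc;
}

int main(void)
{
    int (*binds[])(struct sock_model *, struct dev_model *, int) = { bind_buggy, bind_fixed };
    for (int i = 0; i < 2; i++) {
        struct dev_model d = { 1 }; struct sock_model s = { NULL }; /* d: one ref held elsewhere */
        binds[i](&s, &d, OK);
        binds[i](&s, &d, FAIL_EARLY);           /* second bind fails before any hold */
        printf("%s: refcnt=%d dev=%s\n", i ? "fixed" : "buggy", d.refcnt, s.dev ? "kept" : "NULL");
    }
    return 0;
}
```

In the buggy model the failed second bind leaves the socket with a NULL device and one reference fewer than the first bind took; in the fixed model both survive.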

004bf8a... by Haimin Zhang <email address hidden>

af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register

Add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
to initialize the buffer of supp_skb to fix a kernel-info-leak issue.
1) Function pfkey_register calls compose_sadb_supported to request
a sk_buff.
2) compose_sadb_supported calls alloc_skb to allocate a sk_buff, but it
doesn't zero it.
3) If auth_len is greater than 0, then compose_sadb_supported treats the
memory as a struct sadb_supported and begins to initialize. But it just
initializes the field sadb_supported_len and field sadb_supported_exttype
without field sadb_supported_reserved.

Reported-by: TCS Robot <email address hidden>
Signed-off-by: Haimin Zhang <email address hidden>
Signed-off-by: Steffen Klassert <email address hidden>

CVE-2022-1353
(cherry picked from commit 9a564bccb78a76740ea9d75a259942df8143d02c)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Zachary Tahenakos <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
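
The information leak described in the af_key commit above, as a user-space model added here for illustration; it is not the kernel's code. `model_alloc`, `compose_model`, `stale_bytes`, the `0xA5` fill pattern and the sample field values are assumptions. The struct mirrors the three fields the commit message names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local model of the header named in the commit message (8 bytes, no padding). */
struct sadb_supported_model {
    uint16_t sadb_supported_len;
    uint16_t sadb_supported_exttype;
    uint32_t sadb_supported_reserved;
};

#define STALE 0xA5  /* constructed stand-in for leftover heap contents */
/* Hypothetical allocator: zero != 0 plays the role of __GFP_ZERO. */
static void *model_alloc(size_t n, int zero)
{
    unsigned char *p = malloc(n);
    if (p)
        memset(p, zero ? 0 : STALE, n);
    return p;
}

/* Sets only the two fields the commit message says are initialized. */
static struct sadb_supported_model *compose_model(int zero)
{
    struct sadb_supported_model *s = model_alloc(sizeof(*s), zero);
    if (s) {
        s->sadb_supported_len = sizeof(*s) / 8;   /* length in 64-bit words */
        s->sadb_supported_exttype = 14;           /* constructed sample value */
    }
    return s;
}

/* Counts reply bytes that still hold stale allocator contents. */
static size_t stale_bytes(int zero)
{
    struct sadb_supported_model *s = compose_model(zero);
    const unsigned char *b = (const unsigned char *)s;
    size_t n = 0;
    for (size_t i = 0; s && i < sizeof(*s); i++)
        n += (b[i] == STALE);
    free(s);
    return n;
}

int main(void)
{
    printf("unzeroed: %zu stale bytes, zeroed: %zu\n", stale_bytes(0), stale_bytes(1));
    return 0;
}
```

The four stale bytes in the unzeroed case are exactly the `sadb_supported_reserved` field, which is what would be copied out to the PF_KEY listener.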

a42cfce... by Pavel Skripkin <email address hidden>

UBUNTU: SAUCE: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The
problem was in incorrect htc_handle->drv_priv initialization.

Probable call trace which can trigger use-after-free:

ath9k_htc_probe_device()
  /* htc_handle->drv_priv = priv; */
  ath9k_htc_wait_for_target() <--- Failed
  ieee80211_free_hw() <--- priv pointer is freed

<IRQ>
...
ath9k_hif_usb_rx_cb()
  ath9k_hif_usb_rx_stream()
   RX_STAT_INC() <--- htc_handle->drv_priv access

In order to not add fancy protection for drv_priv we can move
htc_handle->drv_priv initialization at the end of the
ath9k_htc_probe_device() and add helper macro to make
all *_STAT_* macros NULL safe, since syzbot has reported related NULL
deref in those macros [1]

Link: https://syzkaller.appspot.com/bug?id=6ead44e37afb6866ac0c7dd121b4ce07cb665f60 [0]
Link: https://syzkaller.appspot.com/bug?id=b8101ffcec107c0567a0cd8acbbacec91e9ee8de [1]
Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Reported-and-tested-by: <email address hidden>
Reported-and-tested-by: <email address hidden>
Signed-off-by: Pavel Skripkin <email address hidden>
Acked-by: Toke Høiland-Jørgensen <email address hidden>
Signed-off-by: Kalle Valo <email address hidden>
Link: https://lore.kernel.org/r/d57bbedc857950659bfacac0ab48790c1eda00c8<email address hidden>

CVE-2022-1679
(cherry picked from commit 0ac4827f78c7ffe8eef074bc010e7e34bc22f533 ath.git)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

d401698... by Johan Hovold <email address hidden>

USB: serial: pl2303: fix type detection for odd device

BugLink: https://bugs.launchpad.net/bugs/1967493

At least one pl2303 device has a bcdUSB of 1.0.1 which most likely was
intended as 1.1.

Allow bcdDevice 1.0.1 but interpret it as 1.1.

Fixes: 1e9faef4d26d ("USB: serial: pl2303: fix HX type detection")
Cc: <email address hidden> # 5.13
Link: https://lore.kernel.org<email address hidden>
Reported-by: Gary van der Merwe <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Johan Hovold <email address hidden>
(cherry picked from commit beeb68a71edc41648b6948d027b810c5acc7a2aa)
Signed-off-by: Po-Hsu Lin <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Luke Nowakowski-Krijger <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

5a3d457... by Marc Zyngier <email address hidden>

PCI: xgene: Revert "PCI: xgene: Use inbound resources for setup"

BugLink: https://bugs.launchpad.net/bugs/1952933

Commit 6dce5aa59e0b ("PCI: xgene: Use inbound resources for setup")
killed PCIe on my XGene-1 box (a Mustang board). The machine itself
is still alive, but half of its storage (over NVMe) is gone, and the
NVMe driver just times out.

Note that this machine boots with a device tree provided by the
UEFI firmware (2016 vintage), which could well be non conformant
with the spec, hence the breakage.

With the patch reverted, the box boots 5.17-rc8 with flying colors.

Link: https://<email address hidden>
Link: https://<email address hidden>
Fixes: 6dce5aa59e0b ("PCI: xgene: Use inbound resources for setup")
Signed-off-by: Marc Zyngier <email address hidden>
Signed-off-by: Lorenzo Pieralisi <email address hidden>
Cc: <email address hidden>
Cc: Rob Herring <email address hidden>
Cc: Toan Le <email address hidden>
Cc: Lorenzo Pieralisi <email address hidden>
Cc: Krzysztof Wilczyński <email address hidden>
Cc: Bjorn Helgaas <email address hidden>
Cc: Stéphane Graber <email address hidden>
Cc: dann frazier <email address hidden>
(backported from commit 1874b6d7ab1bdc900e8398026350313ac29caddb)
[dannf: minor context adjustment]
Signed-off-by: dann frazier <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Luke Nowakowski-Krijger <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

853811c... by Marc Zyngier <email address hidden>

PCI: xgene: Revert "PCI: xgene: Fix IB window setup"

BugLink: https://bugs.launchpad.net/bugs/1952933

Commit c7a75d07827a ("PCI: xgene: Fix IB window setup") tried to
fix the damages that 6dce5aa59e0b ("PCI: xgene: Use inbound resources
for setup") caused, but actually didn't improve anything for some
platforms (at least Mustang and m400 are still broken).

Given that 6dce5aa59e0b has been reverted, revert this patch as well,
restoring the PCIe support on XGene to its pre-5.5, working state.

Link: https://<email address hidden>
Link: https://<email address hidden>
Fixes: c7a75d07827a ("PCI: xgene: Fix IB window setup")
Signed-off-by: Marc Zyngier <email address hidden>
Signed-off-by: Lorenzo Pieralisi <email address hidden>
Cc: <email address hidden>
Cc: Rob Herring <email address hidden>
Cc: Toan Le <email address hidden>
Cc: Lorenzo Pieralisi <email address hidden>
Cc: Krzysztof Wilczyński <email address hidden>
Cc: Bjorn Helgaas <email address hidden>
Cc: Stéphane Graber <email address hidden>
Cc: dann frazier <email address hidden>
(cherry picked from commit 825da4e9cec68713fbb02dc6f71fe1bf65fe8050)
Signed-off-by: dann frazier <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Luke Nowakowski-Krijger <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

a0472fb... by Po-Hsu Lin

Revert "UBUNTU: SAUCE: selftests: net: Make test for VXLAN underlay in non-default VRF an expected failure"

BugLink: https://bugs.launchpad.net/bugs/1975691

This reverts commit 3829acb7f33d2bcf746b2df598c9a3066713fc2d.

With the broken test case, "underlay in a VRF", fixed in the
test_vxlan_under_vrf.sh, we should remove the SAUCE patches that mark
this test failure as an expected failure to catch regressions in the
future. This could reduce maintenance cost as well.

Signed-off-by: Po-Hsu Lin <email address hidden>

Acked-by: Luke Nowakowski-Krijger <email address hidden>
Acked-by: Tim Gardner <email address hidden>

ecb6405... by Po-Hsu Lin

Revert "UBUNTU: SAUCE: selftests: net: Don't fail test_vxlan_under_vrf on xfail"

BugLink: https://bugs.launchpad.net/bugs/1975691

This reverts commit 7d9c6353c36a560ca73ca1bea35e16f62b4bec69.

With the broken test case, "underlay in a VRF", fixed in the
test_vxlan_under_vrf.sh, we should remove the SAUCE patches that mark
this test failure as an expected failure to catch regressions in the
future. This could reduce maintenance cost as well.

Signed-off-by: Po-Hsu Lin <email address hidden>

Acked-by: Luke Nowakowski-Krijger <email address hidden>
Acked-by: Tim Gardner <email address hidden>

14f85be... by Frank Heimes

s390/mm: use non-quiescing sske for KVM switch to keyed guest

From: Christian Borntraeger <email address hidden>

The switch to a keyed guest does not require a classic sske as the other
guest CPUs are not accessing the key before the switch is complete.
By using the NQ SSKE things are faster especially with multiple guests.

Signed-off-by: Christian Borntraeger <email address hidden>
Suggested-by: Janis Schoetterl-Glausch <email address hidden>
Reviewed-by: Claudio Imbrenda <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Christian Borntraeger <email address hidden>
Signed-off-by: Heiko Carstens <email address hidden>
(cherry picked from commit 3ae11dbcfac906a8c3a480e98660a823130dc16a)
Signed-off-by: Frank Heimes <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>