5.4-stable patches

added patches:
	net-sched-act_skbmod-prevent-kernel-infoleak.patch
	net-stmmac-fix-rx-queue-priority-assignment.patch

3 files changed, 282 insertions, 0 deletions

diff --git a/queue-5.4/net-sched-act_skbmod-prevent-kernel-infoleak.patch b/queue-5.4/net-sched-act_skbmod-prevent-kernel-infoleak.patch
new file mode 100644
index 0000000000..b6bd64aadd
--- /dev/null
+++ b/queue-5.4/net-sched-act_skbmod-prevent-kernel-infoleak.patch
@@ -0,0 +1,141 @@
+From d313eb8b77557a6d5855f42d2234bd592c7b50dd Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 3 Apr 2024 13:09:08 +0000
+Subject: net/sched: act_skbmod: prevent kernel-infoleak
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit d313eb8b77557a6d5855f42d2234bd592c7b50dd upstream.
+
+syzbot found that tcf_skbmod_dump() was copying four bytes
+from kernel stack to user space [1].
+
+The issue here is that 'struct tc_skbmod' has a four bytes hole.
+
+We need to clear the structure before filling fields.
+
+[1]
+BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+ BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
+ BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
+ BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
+ BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
+ BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
+  instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+  copy_to_user_iter lib/iov_iter.c:24 [inline]
+  iterate_ubuf include/linux/iov_iter.h:29 [inline]
+  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
+  iterate_and_advance include/linux/iov_iter.h:271 [inline]
+  _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
+  copy_to_iter include/linux/uio.h:196 [inline]
+  simple_copy_to_iter net/core/datagram.c:532 [inline]
+  __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420
+  skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
+  skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]
+  netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962
+  sock_recvmsg_nosec net/socket.c:1046 [inline]
+  sock_recvmsg+0x2c4/0x340 net/socket.c:1068
+  __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242
+  __do_sys_recvfrom net/socket.c:2260 [inline]
+  __se_sys_recvfrom net/socket.c:2256 [inline]
+  __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256
+ do_syscall_64+0xd5/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+Uninit was stored to memory at:
+  pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253
+  netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317
+  netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351
+  nlmsg_unicast include/net/netlink.h:1144 [inline]
+  nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610
+  rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741
+  rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]
+  tcf_add_notify net/sched/act_api.c:2048 [inline]
+  tcf_action_add net/sched/act_api.c:2071 [inline]
+  tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119
+  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
+  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
+  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
+  netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
+  netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
+  netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
+  sock_sendmsg_nosec net/socket.c:730 [inline]
+  __sock_sendmsg+0x30f/0x380 net/socket.c:745
+  ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
+  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
+  __sys_sendmsg net/socket.c:2667 [inline]
+  __do_sys_sendmsg net/socket.c:2676 [inline]
+  __se_sys_sendmsg net/socket.c:2674 [inline]
+  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
+ do_syscall_64+0xd5/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+Uninit was stored to memory at:
+  __nla_put lib/nlattr.c:1041 [inline]
+  nla_put+0x1c6/0x230 lib/nlattr.c:1099
+  tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256
+  tcf_action_dump_old net/sched/act_api.c:1191 [inline]
+  tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227
+  tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251
+  tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628
+  tcf_add_notify_msg net/sched/act_api.c:2023 [inline]
+  tcf_add_notify net/sched/act_api.c:2042 [inline]
+  tcf_action_add net/sched/act_api.c:2071 [inline]
+  tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119
+  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
+  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
+  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
+  netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
+  netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
+  netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
+  sock_sendmsg_nosec net/socket.c:730 [inline]
+  __sock_sendmsg+0x30f/0x380 net/socket.c:745
+  ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
+  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
+  __sys_sendmsg net/socket.c:2667 [inline]
+  __do_sys_sendmsg net/socket.c:2676 [inline]
+  __se_sys_sendmsg net/socket.c:2674 [inline]
+  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
+ do_syscall_64+0xd5/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+Local variable opt created at:
+  tcf_skbmod_dump+0x9d/0xc20 net/sched/act_skbmod.c:244
+  tcf_action_dump_old net/sched/act_api.c:1191 [inline]
+  tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227
+
+Bytes 188-191 of 248 are uninitialized
+Memory access of size 248 starts at ffff888117697680
+Data copied to user address 00007ffe56d855f0
+
+Fixes: 86da71b57383 ("net_sched: Introduce skbmod action")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20240403130908.93421-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_skbmod.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/sched/act_skbmod.c
++++ b/net/sched/act_skbmod.c
+@@ -219,13 +219,13 @@ static int tcf_skbmod_dump(struct sk_buf
+ 	struct tcf_skbmod *d = to_skbmod(a);
+ 	unsigned char *b = skb_tail_pointer(skb);
+ 	struct tcf_skbmod_params  *p;
+-	struct tc_skbmod opt = {
+-		.index   = d->tcf_index,
+-		.refcnt  = refcount_read(&d->tcf_refcnt) - ref,
+-		.bindcnt = atomic_read(&d->tcf_bindcnt) - bind,
+-	};
++	struct tc_skbmod opt;
+ 	struct tcf_t t;
+ 
++	memset(&opt, 0, sizeof(opt));
++	opt.index   = d->tcf_index;
++	opt.refcnt  = refcount_read(&d->tcf_refcnt) - ref,
++	opt.bindcnt = atomic_read(&d->tcf_bindcnt) - bind;
+ 	spin_lock_bh(&d->tcf_lock);
+ 	opt.action = d->tcf_action;
+ 	p = rcu_dereference_protected(d->skbmod_p,
diff --git a/queue-5.4/net-stmmac-fix-rx-queue-priority-assignment.patch b/queue-5.4/net-stmmac-fix-rx-queue-priority-assignment.patch
new file mode 100644
index 0000000000..560fc66206
--- /dev/null
+++ b/queue-5.4/net-stmmac-fix-rx-queue-priority-assignment.patch
@@ -0,0 +1,139 @@
+From b3da86d432b7cd65b025a11f68613e333d2483db Mon Sep 17 00:00:00 2001
+From: Piotr Wejman <piotrwejman90@gmail.com>
+Date: Mon, 1 Apr 2024 21:22:39 +0200
+Subject: net: stmmac: fix rx queue priority assignment
+
+From: Piotr Wejman <piotrwejman90@gmail.com>
+
+commit b3da86d432b7cd65b025a11f68613e333d2483db upstream.
+
+The driver should ensure that same priority is not mapped to multiple
+rx queues. From DesignWare Cores Ethernet Quality-of-Service
+Databook, section 17.1.29 MAC_RxQ_Ctrl2:
+"[...]The software must ensure that the content of this field is
+mutually exclusive to the PSRQ fields for other queues, that is,
+the same priority is not mapped to multiple Rx queues[...]"
+
+Previously rx_queue_priority() function was:
+- clearing all priorities from a queue
+- adding new priorities to that queue
+After this patch it will:
+- first assign new priorities to a queue
+- then remove those priorities from all other queues
+- keep other priorities previously assigned to that queue
+
+Fixes: a8f5102af2a7 ("net: stmmac: TX and RX queue priority configuration")
+Fixes: 2142754f8b9c ("net: stmmac: Add MAC related callbacks for XGMAC2")
+Signed-off-by: Piotr Wejman <piotrwejman90@gmail.com>
+Link: https://lore.kernel.org/r/20240401192239.33942-1-piotrwejman90@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c   |   40 +++++++++++++++-----
+ drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c |   38 +++++++++++++++----
+ 2 files changed, 62 insertions(+), 16 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -75,19 +75,41 @@ static void dwmac4_rx_queue_priority(str
+ 				     u32 prio, u32 queue)
+ {
+ 	void __iomem *ioaddr = hw->pcsr;
+-	u32 base_register;
+-	u32 value;
++	u32 clear_mask = 0;
++	u32 ctrl2, ctrl3;
++	int i;
+ 
+-	base_register = (queue < 4) ? GMAC_RXQ_CTRL2 : GMAC_RXQ_CTRL3;
+-	if (queue >= 4)
+-		queue -= 4;
++	ctrl2 = readl(ioaddr + GMAC_RXQ_CTRL2);
++	ctrl3 = readl(ioaddr + GMAC_RXQ_CTRL3);
++
++	/* The software must ensure that the same priority
++	 * is not mapped to multiple Rx queues
++	 */
++	for (i = 0; i < 4; i++)
++		clear_mask |= ((prio << GMAC_RXQCTRL_PSRQX_SHIFT(i)) &
++						GMAC_RXQCTRL_PSRQX_MASK(i));
+ 
+-	value = readl(ioaddr + base_register);
++	ctrl2 &= ~clear_mask;
++	ctrl3 &= ~clear_mask;
+ 
+-	value &= ~GMAC_RXQCTRL_PSRQX_MASK(queue);
+-	value |= (prio << GMAC_RXQCTRL_PSRQX_SHIFT(queue)) &
++	/* First assign new priorities to a queue, then
++	 * clear them from others queues
++	 */
++	if (queue < 4) {
++		ctrl2 |= (prio << GMAC_RXQCTRL_PSRQX_SHIFT(queue)) &
+ 						GMAC_RXQCTRL_PSRQX_MASK(queue);
+-	writel(value, ioaddr + base_register);
++
++		writel(ctrl2, ioaddr + GMAC_RXQ_CTRL2);
++		writel(ctrl3, ioaddr + GMAC_RXQ_CTRL3);
++	} else {
++		queue -= 4;
++
++		ctrl3 |= (prio << GMAC_RXQCTRL_PSRQX_SHIFT(queue)) &
++						GMAC_RXQCTRL_PSRQX_MASK(queue);
++
++		writel(ctrl3, ioaddr + GMAC_RXQ_CTRL3);
++		writel(ctrl2, ioaddr + GMAC_RXQ_CTRL2);
++	}
+ }
+ 
+ static void dwmac4_tx_queue_priority(struct mac_device_info *hw,
+--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+@@ -96,17 +96,41 @@ static void dwxgmac2_rx_queue_prio(struc
+ 				   u32 queue)
+ {
+ 	void __iomem *ioaddr = hw->pcsr;
+-	u32 value, reg;
++	u32 clear_mask = 0;
++	u32 ctrl2, ctrl3;
++	int i;
+ 
+-	reg = (queue < 4) ? XGMAC_RXQ_CTRL2 : XGMAC_RXQ_CTRL3;
+-	if (queue >= 4)
++	ctrl2 = readl(ioaddr + XGMAC_RXQ_CTRL2);
++	ctrl3 = readl(ioaddr + XGMAC_RXQ_CTRL3);
++
++	/* The software must ensure that the same priority
++	 * is not mapped to multiple Rx queues
++	 */
++	for (i = 0; i < 4; i++)
++		clear_mask |= ((prio << XGMAC_PSRQ_SHIFT(i)) &
++						XGMAC_PSRQ(i));
++
++	ctrl2 &= ~clear_mask;
++	ctrl3 &= ~clear_mask;
++
++	/* First assign new priorities to a queue, then
++	 * clear them from others queues
++	 */
++	if (queue < 4) {
++		ctrl2 |= (prio << XGMAC_PSRQ_SHIFT(queue)) &
++						XGMAC_PSRQ(queue);
++
++		writel(ctrl2, ioaddr + XGMAC_RXQ_CTRL2);
++		writel(ctrl3, ioaddr + XGMAC_RXQ_CTRL3);
++	} else {
+ 		queue -= 4;
+ 
+-	value = readl(ioaddr + reg);
+-	value &= ~XGMAC_PSRQ(queue);
+-	value |= (prio << XGMAC_PSRQ_SHIFT(queue)) & XGMAC_PSRQ(queue);
++		ctrl3 |= (prio << XGMAC_PSRQ_SHIFT(queue)) &
++						XGMAC_PSRQ(queue);
+ 
+-	writel(value, ioaddr + reg);
++		writel(ctrl3, ioaddr + XGMAC_RXQ_CTRL3);
++		writel(ctrl2, ioaddr + XGMAC_RXQ_CTRL2);
++	}
+ }
+ 
+ static void dwxgmac2_tx_queue_prio(struct mac_device_info *hw, u32 prio,
diff --git a/queue-5.4/series b/queue-5.4/series
index caa725abfe..bbce7ba690 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -149,3 +149,5 @@ mm-vmscan-prevent-infinite-loop-for-costly-gfp_noio-__gfp_retry_mayfail-allocati
 netfilter-nf_tables-flush-pending-destroy-work-before-exit_net-release.patch
 netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch
 bpf-sockmap-prevent-lock-inversion-deadlock-in-map-delete-elem.patch
+net-sched-act_skbmod-prevent-kernel-infoleak.patch
+net-stmmac-fix-rx-queue-priority-assignment.patch