From f5204071e2323f1d695a4d19be727fd6ad5f154c Mon Sep 17 00:00:00 2001

From: Joe Lawrence <joe.lawrence@redhat.com>

Date: Wed, 17 Jan 2024 15:29:28 -0500

Subject: [KPATCH CVE-2023-45871] kpatch fixes for CVE-2023-45871

Kernels:

3.10.0-1160.95.1.el7

3.10.0-1160.99.1.el7

3.10.0-1160.102.1.el7

3.10.0-1160.105.1.el7

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/65

Changes since last build:

[x86_64]:

igb_main.o: changed function: igb_configure

l2cap_core.o: changed function: l2cap_chan_hold

l2cap_core.o: changed function: l2cap_conn_get

l2cap_core.o: changed function: l2cap_global_chan_by_psm

l2cap_core.o: changed function: l2cap_recv_frame

l2cap_core.o: new function: klp_l2cap_le_sig_cmd

sch_atm.o: changed function: atm_tc_peek

sch_atm.o: changed function: sch_atm_dequeue

sch_drr.o: changed function: drr_dequeue

sch_dsmark.o: changed function: dsmark_peek

sch_hfsc.o: changed function: hfsc_enqueue

sch_hfsc.o: changed function: qdisc_peek_len

sch_multiq.o: changed function: multiq_peek

sch_prio.o: changed function: prio_peek

sch_qfq.o: changed function: qfq_dequeue

sch_qfq.o: changed function: qfq_enqueue

sch_red.o: changed function: red_peek

sch_sfb.o: changed function: sfb_peek

sch_tbf.o: changed function: tbf_dequeue

[ppc64le]:

l2cap_core.o: changed function: __l2cap_chan_add

l2cap_core.o: changed function: __l2cap_physical_cfm

l2cap_core.o: changed function: __set_monitor_timer

l2cap_core.o: changed function: __set_retrans_timer.part.24

l2cap_core.o: changed function: l2cap_ack_timeout

l2cap_core.o: changed function: l2cap_build_conf_req

l2cap_core.o: changed function: l2cap_chan_busy

l2cap_core.o: changed function: l2cap_chan_close

l2cap_core.o: changed function: l2cap_chan_connect

l2cap_core.o: changed function: l2cap_chan_del

l2cap_core.o: changed function: l2cap_chan_hold

l2cap_core.o: changed function: l2cap_chan_put

l2cap_core.o: changed function: l2cap_chan_send

l2cap_core.o: changed function: l2cap_chan_timeout

l2cap_core.o: changed function: l2cap_conn_add.part.28

l2cap_core.o: changed function: l2cap_conn_del

l2cap_core.o: changed function: l2cap_conn_start

l2cap_core.o: changed function: l2cap_connect

l2cap_core.o: changed function: l2cap_connect_cfm

l2cap_core.o: changed function: l2cap_connect_create_rsp

l2cap_core.o: changed function: l2cap_data_channel

l2cap_core.o: changed function: l2cap_disconn_cfm

l2cap_core.o: changed function: l2cap_do_create

l2cap_core.o: changed function: l2cap_do_start

l2cap_core.o: changed function: l2cap_ertm_resend

l2cap_core.o: changed function: l2cap_ertm_send

l2cap_core.o: changed function: l2cap_global_fixed_chan

l2cap_core.o: changed function: l2cap_handle_rej

l2cap_core.o: changed function: l2cap_handle_srej

l2cap_core.o: changed function: l2cap_logical_cfm

l2cap_core.o: changed function: l2cap_monitor_timeout

l2cap_core.o: changed function: l2cap_move_done

l2cap_core.o: changed function: l2cap_move_setup

l2cap_core.o: changed function: l2cap_parse_conf_rsp.constprop.36

l2cap_core.o: changed function: l2cap_pass_to_tx

l2cap_core.o: changed function: l2cap_process_reqseq

l2cap_core.o: changed function: l2cap_recv_frame

l2cap_core.o: changed function: l2cap_retrans_timeout

l2cap_core.o: changed function: l2cap_retransmit_all

l2cap_core.o: changed function: l2cap_rx

l2cap_core.o: changed function: l2cap_rx_state_recv

l2cap_core.o: changed function: l2cap_security_cfm

l2cap_core.o: changed function: l2cap_send_ack

l2cap_core.o: changed function: l2cap_send_efs_conf_rsp

l2cap_core.o: changed function: l2cap_send_i_or_rr_or_rnr

l2cap_core.o: changed function: l2cap_send_move_chan_cfm

l2cap_core.o: changed function: l2cap_send_move_chan_cfm_icid

l2cap_core.o: changed function: l2cap_send_move_chan_req

l2cap_core.o: changed function: l2cap_send_rr_or_rnr

l2cap_core.o: changed function: l2cap_send_sframe

l2cap_core.o: changed function: l2cap_send_srej

l2cap_core.o: changed function: l2cap_send_srej_tail

l2cap_core.o: changed function: l2cap_start_connection

l2cap_core.o: new function: l2cap_connect_req

sch_atm.o: changed function: atm_tc_bind_filter

sch_atm.o: changed function: atm_tc_change

sch_atm.o: changed function: atm_tc_delete

sch_atm.o: changed function: atm_tc_destroy

sch_atm.o: changed function: atm_tc_enqueue

sch_atm.o: changed function: atm_tc_find

sch_atm.o: changed function: atm_tc_graft

sch_atm.o: changed function: atm_tc_leaf

sch_atm.o: changed function: atm_tc_peek

sch_atm.o: changed function: atm_tc_put

sch_atm.o: changed function: atm_tc_reset

sch_atm.o: changed function: atm_tc_tcf_block

sch_atm.o: changed function: sch_atm_dequeue

sch_drr.o: changed function: drr_dequeue

sch_dsmark.o: changed function: dsmark_bind_filter

sch_dsmark.o: changed function: dsmark_change

sch_dsmark.o: changed function: dsmark_destroy

sch_dsmark.o: changed function: dsmark_dump_class

sch_dsmark.o: changed function: dsmark_init

sch_dsmark.o: changed function: dsmark_peek

sch_dsmark.o: changed function: dsmark_reset

sch_hfsc.o: changed function: hfsc_change_class

sch_hfsc.o: changed function: hfsc_dequeue

sch_hfsc.o: changed function: hfsc_enqueue

sch_multiq.o: changed function: multiq_peek

sch_prio.o: changed function: prio_peek

sch_qfq.o: changed function: qfq_dequeue

sch_qfq.o: changed function: qfq_enqueue

sch_red.o: changed function: red_peek

sch_sfb.o: changed function: sfb_peek

sch_tbf.o: changed function: tbf_dequeue

---------------------------

Modifications: none

commit de534cd6d39849339867a3d587c3c3b04776ef6e

Author: Wander Lairson Costa <wander@redhat.com>

Date:   Wed Jan 10 10:07:38 2024 -0300

    igb: set max size RX buffer when store bad packet is enabled

    JIRA: https://issues.redhat.com/browse/RHEL-15181

    CVE: CVE-2023-45871

    commit bb5ed01cd2428cd25b1c88a3a9cba87055eb289f

    Author: Radoslaw Tyl <radoslawx.tyl@intel.com>

    Date:   Thu Aug 24 13:46:19 2023 -0700

        igb: set max size RX buffer when store bad packet is enabled

        Increase the RX buffer size to 3K when the SBP bit is on. The size of

        the RX buffer determines the number of pages allocated which may not

        be sufficient for receive frames larger than the set MTU size.

        Cc: stable@vger.kernel.org

        Fixes: 89eaefb61dc9 ("igb: Support RX-ALL feature flag.")

        Reported-by: Manfred Rudigier <manfred.rudigier@omicronenergy.com>

        Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com>

        Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)

        Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>

        Signed-off-by: David S. Miller <davem@davemloft.net>

    Signed-off-by: Wander Lairson Costa <wander@redhat.com>

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>

---

 drivers/net/ethernet/intel/igb/igb_main.c | 11 +++++++----

 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c

index 58fa02b36285..44b23384123e 100644

--- a/drivers/net/ethernet/intel/igb/igb_main.c

+++ b/drivers/net/ethernet/intel/igb/igb_main.c

@@ -4576,6 +4576,10 @@ void igb_configure_rx_ring(struct igb_adapter *adapter,

 static void igb_set_rx_buffer_len(struct igb_adapter *adapter,

 				  struct igb_ring *rx_ring)

 {

+#if (PAGE_SIZE < 8192)

+	struct e1000_hw *hw = &adapter->hw;

+#endif

+

 	/* set build_skb and buffer size flags */

 	clear_ring_build_skb_enabled(rx_ring);

 	clear_ring_uses_large_buffer(rx_ring);

@@ -4586,10 +4590,9 @@ static void igb_set_rx_buffer_len(struct igb_adapter *adapter,

 	set_ring_build_skb_enabled(rx_ring);

 #if (PAGE_SIZE < 8192)

-	if (adapter->max_frame_size <= IGB_MAX_FRAME_BUILD_SKB)

-		return;

-

-	set_ring_uses_large_buffer(rx_ring);

+	if (adapter->max_frame_size > IGB_MAX_FRAME_BUILD_SKB ||

+	    rd32(E1000_RCTL) & E1000_RCTL_SBP)

+		set_ring_uses_large_buffer(rx_ring);

 #endif

 }

-- 

2.44.0