From f5204071e2323f1d695a4d19be727fd6ad5f154c Mon Sep 17 00:00:00 2001
From: Joe Lawrence <joe.lawrence@redhat.com>
Date: Wed, 17 Jan 2024 15:29:28 -0500
Subject: [KPATCH CVE-2023-45871] kpatch fixes for CVE-2023-45871

Kernels:
3.10.0-1160.95.1.el7
3.10.0-1160.99.1.el7
3.10.0-1160.102.1.el7
3.10.0-1160.105.1.el7


Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/65
Changes since last build:
[x86_64]:
igb_main.o: changed function: igb_configure
l2cap_core.o: changed function: l2cap_chan_hold
l2cap_core.o: changed function: l2cap_conn_get
l2cap_core.o: changed function: l2cap_global_chan_by_psm
l2cap_core.o: changed function: l2cap_recv_frame
l2cap_core.o: new function: klp_l2cap_le_sig_cmd
sch_atm.o: changed function: atm_tc_peek
sch_atm.o: changed function: sch_atm_dequeue
sch_drr.o: changed function: drr_dequeue
sch_dsmark.o: changed function: dsmark_peek
sch_hfsc.o: changed function: hfsc_enqueue
sch_hfsc.o: changed function: qdisc_peek_len
sch_multiq.o: changed function: multiq_peek
sch_prio.o: changed function: prio_peek
sch_qfq.o: changed function: qfq_change_class
sch_qfq.o: changed function: qfq_dequeue
sch_red.o: changed function: red_peek
sch_sfb.o: changed function: sfb_peek
sch_tbf.o: changed function: tbf_dequeue

[ppc64le]:
l2cap_core.o: changed function: __l2cap_chan_add
l2cap_core.o: changed function: __l2cap_physical_cfm
l2cap_core.o: changed function: __set_monitor_timer
l2cap_core.o: changed function: __set_retrans_timer.part.24
l2cap_core.o: changed function: l2cap_ack_timeout
l2cap_core.o: changed function: l2cap_build_conf_req
l2cap_core.o: changed function: l2cap_chan_busy
l2cap_core.o: changed function: l2cap_chan_close
l2cap_core.o: changed function: l2cap_chan_connect
l2cap_core.o: changed function: l2cap_chan_del
l2cap_core.o: changed function: l2cap_chan_hold
l2cap_core.o: changed function: l2cap_chan_put
l2cap_core.o: changed function: l2cap_chan_send
l2cap_core.o: changed function: l2cap_chan_timeout
l2cap_core.o: changed function: l2cap_conn_add.part.28
l2cap_core.o: changed function: l2cap_conn_del
l2cap_core.o: changed function: l2cap_conn_start
l2cap_core.o: changed function: l2cap_connect
l2cap_core.o: changed function: l2cap_connect_cfm
l2cap_core.o: changed function: l2cap_connect_create_rsp
l2cap_core.o: changed function: l2cap_data_channel
l2cap_core.o: changed function: l2cap_disconn_cfm
l2cap_core.o: changed function: l2cap_do_create
l2cap_core.o: changed function: l2cap_do_start
l2cap_core.o: changed function: l2cap_ertm_resend
l2cap_core.o: changed function: l2cap_ertm_send
l2cap_core.o: changed function: l2cap_global_fixed_chan
l2cap_core.o: changed function: l2cap_handle_rej
l2cap_core.o: changed function: l2cap_handle_srej
l2cap_core.o: changed function: l2cap_logical_cfm
l2cap_core.o: changed function: l2cap_monitor_timeout
l2cap_core.o: changed function: l2cap_move_done
l2cap_core.o: changed function: l2cap_move_setup
l2cap_core.o: changed function: l2cap_parse_conf_rsp.constprop.36
l2cap_core.o: changed function: l2cap_pass_to_tx
l2cap_core.o: changed function: l2cap_process_reqseq
l2cap_core.o: changed function: l2cap_recv_frame
l2cap_core.o: changed function: l2cap_retrans_timeout
l2cap_core.o: changed function: l2cap_retransmit_all
l2cap_core.o: changed function: l2cap_rx
l2cap_core.o: changed function: l2cap_rx_state_recv
l2cap_core.o: changed function: l2cap_security_cfm
l2cap_core.o: changed function: l2cap_send_ack
l2cap_core.o: changed function: l2cap_send_efs_conf_rsp
l2cap_core.o: changed function: l2cap_send_i_or_rr_or_rnr
l2cap_core.o: changed function: l2cap_send_move_chan_cfm
l2cap_core.o: changed function: l2cap_send_move_chan_cfm_icid
l2cap_core.o: changed function: l2cap_send_move_chan_req
l2cap_core.o: changed function: l2cap_send_rr_or_rnr
l2cap_core.o: changed function: l2cap_send_sframe
l2cap_core.o: changed function: l2cap_send_srej
l2cap_core.o: changed function: l2cap_send_srej_tail
l2cap_core.o: changed function: l2cap_start_connection
l2cap_core.o: new function: l2cap_connect_req
sch_atm.o: changed function: atm_tc_bind_filter
sch_atm.o: changed function: atm_tc_change
sch_atm.o: changed function: atm_tc_delete
sch_atm.o: changed function: atm_tc_destroy
sch_atm.o: changed function: atm_tc_enqueue
sch_atm.o: changed function: atm_tc_find
sch_atm.o: changed function: atm_tc_graft
sch_atm.o: changed function: atm_tc_leaf
sch_atm.o: changed function: atm_tc_peek
sch_atm.o: changed function: atm_tc_put
sch_atm.o: changed function: atm_tc_reset
sch_atm.o: changed function: atm_tc_tcf_block
sch_atm.o: changed function: sch_atm_dequeue
sch_drr.o: changed function: drr_dequeue
sch_dsmark.o: changed function: dsmark_bind_filter
sch_dsmark.o: changed function: dsmark_change
sch_dsmark.o: changed function: dsmark_destroy
sch_dsmark.o: changed function: dsmark_dump_class
sch_dsmark.o: changed function: dsmark_init
sch_dsmark.o: changed function: dsmark_peek
sch_dsmark.o: changed function: dsmark_reset
sch_hfsc.o: changed function: hfsc_change_class
sch_hfsc.o: changed function: hfsc_dequeue
sch_hfsc.o: changed function: hfsc_enqueue
sch_multiq.o: changed function: multiq_peek
sch_prio.o: changed function: prio_peek
sch_qfq.o: changed function: qfq_change_class
sch_qfq.o: changed function: qfq_dequeue
sch_red.o: changed function: red_peek
sch_sfb.o: changed function: sfb_peek
sch_tbf.o: changed function: tbf_dequeue

---------------------------

Modifications: none

commit de534cd6d39849339867a3d587c3c3b04776ef6e
Author: Wander Lairson Costa <wander@redhat.com>
Date:   Wed Jan 10 10:07:38 2024 -0300

    igb: set max size RX buffer when store bad packet is enabled

    JIRA: https://issues.redhat.com/browse/RHEL-15181
    CVE: CVE-2023-45871

    commit bb5ed01cd2428cd25b1c88a3a9cba87055eb289f
    Author: Radoslaw Tyl <radoslawx.tyl@intel.com>
    Date:   Thu Aug 24 13:46:19 2023 -0700

        igb: set max size RX buffer when store bad packet is enabled

        Increase the RX buffer size to 3K when the SBP bit is on. The size of
        the RX buffer determines the number of pages allocated which may not
        be sufficient for receive frames larger than the set MTU size.

        Cc: stable@vger.kernel.org
        Fixes: 89eaefb61dc9 ("igb: Support RX-ALL feature flag.")
        Reported-by: Manfred Rudigier <manfred.rudigier@omicronenergy.com>
        Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com>
        Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
        Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
        Signed-off-by: David S. Miller <davem@davemloft.net>

    Signed-off-by: Wander Lairson Costa <wander@redhat.com>

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 drivers/net/ethernet/intel/igb/igb_main.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 58fa02b36285..44b23384123e 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -4576,6 +4576,10 @@ void igb_configure_rx_ring(struct igb_adapter *adapter,
 static void igb_set_rx_buffer_len(struct igb_adapter *adapter,
 				  struct igb_ring *rx_ring)
 {
+#if (PAGE_SIZE < 8192)
+	struct e1000_hw *hw = &adapter->hw;
+#endif
+
 	/* set build_skb and buffer size flags */
 	clear_ring_build_skb_enabled(rx_ring);
 	clear_ring_uses_large_buffer(rx_ring);
@@ -4586,10 +4590,9 @@ static void igb_set_rx_buffer_len(struct igb_adapter *adapter,
 	set_ring_build_skb_enabled(rx_ring);
 
 #if (PAGE_SIZE < 8192)
-	if (adapter->max_frame_size <= IGB_MAX_FRAME_BUILD_SKB)
-		return;
-
-	set_ring_uses_large_buffer(rx_ring);
+	if (adapter->max_frame_size > IGB_MAX_FRAME_BUILD_SKB ||
+	    rd32(E1000_RCTL) & E1000_RCTL_SBP)
+		set_ring_uses_large_buffer(rx_ring);
 #endif
 }
 
-- 
2.44.0