Fixes for 4.4
authorSasha Levin <sashal@kernel.org>
Mon, 12 Apr 2021 03:51:18 +0000 (23:51 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 12 Apr 2021 03:51:18 +0000 (23:51 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.4/clk-fix-invalid-usage-of-list-cursor-in-unregister.patch [new file with mode: 0644]
queue-4.4/gianfar-handle-error-code-at-mac-address-change.patch [new file with mode: 0644]
queue-4.4/net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch [new file with mode: 0644]
queue-4.4/rdma-cxgb4-check-for-ipv6-address-properly-while-des.patch [new file with mode: 0644]
queue-4.4/s390-cpcmd-fix-inline-assembly-register-clobbering.patch [new file with mode: 0644]
queue-4.4/sch_red-fix-off-by-one-checks-in-red_check_params.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/workqueue-move-the-position-of-debug_work_activate-i.patch [new file with mode: 0644]

diff --git a/queue-4.4/clk-fix-invalid-usage-of-list-cursor-in-unregister.patch b/queue-4.4/clk-fix-invalid-usage-of-list-cursor-in-unregister.patch
new file mode 100644 (file)
index 0000000..a32bb52
--- /dev/null
@@ -0,0 +1,107 @@
+From 79b5501b2062061fecf8c61855cc5602c6a68982 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 00:51:49 +0200
+Subject: clk: fix invalid usage of list cursor in unregister
+
+From: Lukasz Bartosik <lb@semihalf.com>
+
+[ Upstream commit 7045465500e465b09f09d6e5bdc260a9f1aab97b ]
+
+Fix invalid usage of a list_for_each_entry cursor in
+clk_notifier_unregister(). When list is empty or if the list
+is completely traversed (without breaking from the loop on one
+of the entries) then the list cursor does not point to a valid
+entry and therefore should not be used. The patch fixes a logical
+bug that hasn't been seen in pratice however it is analogus
+to the bug fixed in clk_notifier_register().
+
+The issue was dicovered when running 5.12-rc1 kernel on x86_64
+with KASAN enabled:
+BUG: KASAN: global-out-of-bounds in clk_notifier_register+0xab/0x230
+Read of size 8 at addr ffffffffa0d10588 by task swapper/0/1
+
+CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc1 #1
+Hardware name: Google Caroline/Caroline,
+BIOS Google_Caroline.7820.430.0 07/20/2018
+Call Trace:
+ dump_stack+0xee/0x15c
+ print_address_description+0x1e/0x2dc
+ kasan_report+0x188/0x1ce
+ ? clk_notifier_register+0xab/0x230
+ ? clk_prepare_lock+0x15/0x7b
+ ? clk_notifier_register+0xab/0x230
+ clk_notifier_register+0xab/0x230
+ dw8250_probe+0xc01/0x10d4
+ ...
+ Memory state around the buggy address:
+  ffffffffa0d10480: 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00
+  ffffffffa0d10500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
+ >ffffffffa0d10580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
+                          ^
+  ffffffffa0d10600: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
+  ffffffffa0d10680: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
+  ==================================================================
+
+Fixes: b2476490ef11 ("clk: introduce the common clock framework")
+Reported-by: Lukasz Majczak <lma@semihalf.com>
+Signed-off-by: Lukasz Bartosik <lb@semihalf.com>
+Link: https://lore.kernel.org/r/20210401225149.18826-2-lb@semihalf.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk.c | 30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
+index 53c068f90b37..c46fff3a32fe 100644
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -2870,32 +2870,28 @@ EXPORT_SYMBOL_GPL(clk_notifier_register);
+  */
+ int clk_notifier_unregister(struct clk *clk, struct notifier_block *nb)
+ {
+-      struct clk_notifier *cn = NULL;
+-      int ret = -EINVAL;
++      struct clk_notifier *cn;
++      int ret = -ENOENT;
+       if (!clk || !nb)
+               return -EINVAL;
+       clk_prepare_lock();
+-      list_for_each_entry(cn, &clk_notifier_list, node)
+-              if (cn->clk == clk)
+-                      break;
+-
+-      if (cn->clk == clk) {
+-              ret = srcu_notifier_chain_unregister(&cn->notifier_head, nb);
++      list_for_each_entry(cn, &clk_notifier_list, node) {
++              if (cn->clk == clk) {
++                      ret = srcu_notifier_chain_unregister(&cn->notifier_head, nb);
+-              clk->core->notifier_count--;
++                      clk->core->notifier_count--;
+-              /* XXX the notifier code should handle this better */
+-              if (!cn->notifier_head.head) {
+-                      srcu_cleanup_notifier_head(&cn->notifier_head);
+-                      list_del(&cn->node);
+-                      kfree(cn);
++                      /* XXX the notifier code should handle this better */
++                      if (!cn->notifier_head.head) {
++                              srcu_cleanup_notifier_head(&cn->notifier_head);
++                              list_del(&cn->node);
++                              kfree(cn);
++                      }
++                      break;
+               }
+-
+-      } else {
+-              ret = -ENOENT;
+       }
+       clk_prepare_unlock();
+-- 
+2.30.2
+
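Review bot: In the new loop body, `clk->core->notifier_count--` runs right after `srcu_notifier_chain_unregister()` regardless of what that call returned, so unregistering a block that was never registered for this clk (which the generic notifier chain code reports as -ENOENT, if memory serves) still decrements the count while the propagated error says nothing was removed. Either guarding the decrement, `if (!ret) clk->core->notifier_count--;`, or a comment stating that the count assumes callers only unregister what they registered, would keep the error and the bookkeeping consistent; the same unconditional decrement existed before this patch, so this is a pre-existing point the commit does not address. The function's tail (`return ret;` and the closing brace) is outside the hunk, and the rendering appears to have dropped the blank context lines of the embedded patch, so the hunk's line counts cannot be checked from here.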
diff --git a/queue-4.4/gianfar-handle-error-code-at-mac-address-change.patch b/queue-4.4/gianfar-handle-error-code-at-mac-address-change.patch
new file mode 100644 (file)
index 0000000..bdc3f2f
--- /dev/null
@@ -0,0 +1,39 @@
+From 5ea125477d875794e6c11558a47611b253698a70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 17:08:47 +0300
+Subject: gianfar: Handle error code at MAC address change
+
+From: Claudiu Manoil <claudiu.manoil@nxp.com>
+
+[ Upstream commit bff5b62585123823842833ab20b1c0a7fa437f8c ]
+
+Handle return error code of eth_mac_addr();
+
+Fixes: 3d23a05c75c7 ("gianfar: Enable changing mac addr when if up")
+Signed-off-by: Claudiu Manoil <claudiu.manoil@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/gianfar.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
+index bc00fa5e864f..fb135797688a 100644
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -485,7 +485,11 @@ static struct net_device_stats *gfar_get_stats(struct net_device *dev)
+ static int gfar_set_mac_addr(struct net_device *dev, void *p)
+ {
+-      eth_mac_addr(dev, p);
++      int ret;
++
++      ret = eth_mac_addr(dev, p);
++      if (ret)
++              return ret;
+       gfar_set_mac_for_addr(dev, 0, dev->dev_addr);
+-- 
+2.30.2
+
diff --git a/queue-4.4/net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch b/queue-4.4/net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
new file mode 100644 (file)
index 0000000..7bfe1ca
--- /dev/null
@@ -0,0 +1,44 @@
+From 9da68c1139b5f1fadef6ea6e77a5a4af7effb9ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Mar 2021 00:30:29 -0700
+Subject: net:tipc: Fix a double free in tipc_sk_mcast_rcv
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046 ]
+
+In the if(skb_peek(arrvq) == skb) branch, it calls __skb_dequeue(arrvq) to get
+the skb by skb = skb_peek(arrvq). Then __skb_dequeue() unlinks the skb from arrvq
+and returns the skb which equals to skb_peek(arrvq). After __skb_dequeue(arrvq)
+finished, the skb is freed by kfree_skb(__skb_dequeue(arrvq)) in the first time.
+
+Unfortunately, the same skb is freed in the second time by kfree_skb(skb) after
+the branch completed.
+
+My patch removes kfree_skb() in the if(skb_peek(arrvq) == skb) branch, because
+this skb will be freed by kfree_skb(skb) finally.
+
+Fixes: cb1b728096f54 ("tipc: eliminate race condition at multicast reception")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 65171f8e8c45..0e5bb03c6425 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -763,7 +763,7 @@ void tipc_sk_mcast_rcv(struct net *net, struct sk_buff_head *arrvq,
+               spin_lock_bh(&inputq->lock);
+               if (skb_peek(arrvq) == skb) {
+                       skb_queue_splice_tail_init(&tmpq, inputq);
+-                      kfree_skb(__skb_dequeue(arrvq));
++                      __skb_dequeue(arrvq);
+               }
+               spin_unlock_bh(&inputq->lock);
+               __skb_queue_purge(&tmpq);
+-- 
+2.30.2
+
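Review bot: The return value of `__skb_dequeue(arrvq)` is now discarded with no word on who releases the buffer, so a reader seeing an skb unlinked but not freed is likely to add the free back and reintroduce the double free this patch removes. A one-line comment at the new line, `/* skb == skb_peek(arrvq): unlinked here, released by the kfree_skb(skb) after this block */`, records the ownership at the point where it is easiest to get wrong. The `kfree_skb(skb)` that does the release and the rest of tipc_sk_mcast_rcv() are outside the hunk, so that claim rests on the commit message rather than on visible lines.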
diff --git a/queue-4.4/rdma-cxgb4-check-for-ipv6-address-properly-while-des.patch b/queue-4.4/rdma-cxgb4-check-for-ipv6-address-properly-while-des.patch
new file mode 100644 (file)
index 0000000..f8c6946
--- /dev/null
@@ -0,0 +1,39 @@
+From 7303abe03bf44626465292d01afa599db776bfba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 19:27:15 +0530
+Subject: RDMA/cxgb4: check for ipv6 address properly while destroying listener
+
+From: Potnuri Bharat Teja <bharat@chelsio.com>
+
+[ Upstream commit 603c4690b01aaffe3a6c3605a429f6dac39852ae ]
+
+ipv6 bit is wrongly set by the below which causes fatal adapter lookup
+engine errors for ipv4 connections while destroying a listener.  Fix it to
+properly check the local address for ipv6.
+
+Fixes: 3408be145a5d ("RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server")
+Link: https://lore.kernel.org/r/20210331135715.30072-1-bharat@chelsio.com
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index 8d75161854ee..f422a8a2528b 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -3447,7 +3447,8 @@ int c4iw_destroy_listen(struct iw_cm_id *cm_id)
+               c4iw_init_wr_wait(&ep->com.wr_wait);
+               err = cxgb4_remove_server(
+                               ep->com.dev->rdev.lldi.ports[0], ep->stid,
+-                              ep->com.dev->rdev.lldi.rxq_ids[0], true);
++                              ep->com.dev->rdev.lldi.rxq_ids[0],
++                              ep->com.local_addr.ss_family == AF_INET6);
+               if (err)
+                       goto done;
+               err = c4iw_wait_for_reply(&ep->com.dev->rdev, &ep->com.wr_wait,
+-- 
+2.30.2
+
diff --git a/queue-4.4/s390-cpcmd-fix-inline-assembly-register-clobbering.patch b/queue-4.4/s390-cpcmd-fix-inline-assembly-register-clobbering.patch
new file mode 100644 (file)
index 0000000..39eda31
--- /dev/null
@@ -0,0 +1,46 @@
+From 41728420e02b9b843269721fdbe35abd71e5548d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 18:35:07 +0200
+Subject: s390/cpcmd: fix inline assembly register clobbering
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+[ Upstream commit 7a2f91441b2c1d81b77c1cd816a4659f4abc9cbe ]
+
+Register variables initialized using arithmetic. That leads to
+kasan instrumentaton code corrupting the registers contents.
+Follow GCC guidlines and use temporary variables for assigning
+init values to register variables.
+
+Fixes: 94c12cc7d196 ("[S390] Inline assembly cleanup.")
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://gcc.gnu.org/onlinedocs/gcc-10.2.0/gcc/Local-Register-Variables.html
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/cpcmd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/kernel/cpcmd.c b/arch/s390/kernel/cpcmd.c
+index 7f768914fb4f..c15546c6fb66 100644
+--- a/arch/s390/kernel/cpcmd.c
++++ b/arch/s390/kernel/cpcmd.c
+@@ -37,10 +37,12 @@ static int diag8_noresponse(int cmdlen)
+ static int diag8_response(int cmdlen, char *response, int *rlen)
+ {
++      unsigned long _cmdlen = cmdlen | 0x40000000L;
++      unsigned long _rlen = *rlen;
+       register unsigned long reg2 asm ("2") = (addr_t) cpcmd_buf;
+       register unsigned long reg3 asm ("3") = (addr_t) response;
+-      register unsigned long reg4 asm ("4") = cmdlen | 0x40000000L;
+-      register unsigned long reg5 asm ("5") = *rlen;
++      register unsigned long reg4 asm ("4") = _cmdlen;
++      register unsigned long reg5 asm ("5") = _rlen;
+       asm volatile(
+               "       sam31\n"
+-- 
+2.30.2
+
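Review bot: The new temporaries `_cmdlen` and `_rlen` carry no explanation of why the direct initializers they replace were wrong, so the next cleanup pass is likely to fold them back into the `register ... asm("4")` and `asm("5")` declarations. A comment above them, `/* initialise local register variables from plain temporaries: evaluating the expression in the initializer lets instrumentation (KASAN) clobber the bound register; see the GCC 'Local Register Variables' documentation */`, would tie the code to the rationale given in the description. The hunk header shows diag8_noresponse() just above; if it initialises its register variables with the same kind of arithmetic it would presumably need the same treatment, but its body is outside the hunk. Leading-underscore names are legal at block scope, though `cmdlen_reg`/`rlen_reg` would avoid any confusion with reserved identifiers.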
diff --git a/queue-4.4/sch_red-fix-off-by-one-checks-in-red_check_params.patch b/queue-4.4/sch_red-fix-off-by-one-checks-in-red_check_params.patch
new file mode 100644 (file)
index 0000000..d603319
--- /dev/null
@@ -0,0 +1,73 @@
+From af2a29d26ce154b29a59cafab60f6830b4ff0944 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 11:14:53 -0700
+Subject: sch_red: fix off-by-one checks in red_check_params()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3a87571f0ffc51ba3bf3ecdb6032861d0154b164 ]
+
+This fixes following syzbot report:
+
+UBSAN: shift-out-of-bounds in ./include/net/red.h:237:23
+shift exponent 32 is too large for 32-bit type 'unsigned int'
+CPU: 1 PID: 8418 Comm: syz-executor170 Not tainted 5.12.0-rc4-next-20210324-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
+ red_set_parms include/net/red.h:237 [inline]
+ choke_change.cold+0x3c/0xc8 net/sched/sch_choke.c:414
+ qdisc_create+0x475/0x12f0 net/sched/sch_api.c:1247
+ tc_modify_qdisc+0x4c8/0x1a50 net/sched/sch_api.c:1663
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x43f039
+Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffdfa725168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f039
+RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000004
+RBP: 0000000000403020 R08: 0000000000400488 R09: 0000000000400488
+R10: 0000000000400488 R11: 0000000000000246 R12: 00000000004030b0
+R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
+
+Fixes: 8afa10cbe281 ("net_sched: red: Avoid illegal values")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/red.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/red.h b/include/net/red.h
+index b3ab5c6bfa83..117a3654d319 100644
+--- a/include/net/red.h
++++ b/include/net/red.h
+@@ -170,9 +170,9 @@ static inline void red_set_vars(struct red_vars *v)
+ static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog,
+                                   u8 Scell_log, u8 *stab)
+ {
+-      if (fls(qth_min) + Wlog > 32)
++      if (fls(qth_min) + Wlog >= 32)
+               return false;
+-      if (fls(qth_max) + Wlog > 32)
++      if (fls(qth_max) + Wlog >= 32)
+               return false;
+       if (Scell_log >= 32)
+               return false;
+-- 
+2.30.2
+
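Review bot: The tightened bounds `fls(qth_min) + Wlog >= 32` and `fls(qth_max) + Wlog >= 32` carry no comment, so the off-by-one they fix is easy to reintroduce: with a zero threshold fls() yields 0, and the old `> 32` let Wlog == 32 through to the shift in red_set_parms() that the syzbot report in the description points at. A comment such as `/* Wlog is a shift count on 32-bit values in red_set_parms(); fls() + Wlog must stay below 32 */` would make the bound self-explaining. An explicit `if (Wlog >= 32) return false;` beside the existing `Scell_log >= 32` check would state the invariant directly, though the fls() checks already imply it. The rest of red_check_params() continues outside the hunk.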
index 426c9c1732ad3c4979e22857ad21bafc2c941b3e..ebfcf40bfd8dacaf128104cf7f174df4ad57f6d9 100644 (file)
@@ -11,3 +11,10 @@ fs-direct-io-fix-missing-sdio-boundary.patch
 parisc-parisc-agp-requires-sba-iommu-driver.patch
 batman-adv-initialize-struct-batadv_tvlv_tt_vlan_data-reserved-field.patch
 net-sched-sch_teql-fix-null-pointer-dereference.patch
+sch_red-fix-off-by-one-checks-in-red_check_params.patch
+gianfar-handle-error-code-at-mac-address-change.patch
+net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
+clk-fix-invalid-usage-of-list-cursor-in-unregister.patch
+workqueue-move-the-position-of-debug_work_activate-i.patch
+s390-cpcmd-fix-inline-assembly-register-clobbering.patch
+rdma-cxgb4-check-for-ipv6-address-properly-while-des.patch
diff --git a/queue-4.4/workqueue-move-the-position-of-debug_work_activate-i.patch b/queue-4.4/workqueue-move-the-position-of-debug_work_activate-i.patch
new file mode 100644 (file)
index 0000000..115fecd
--- /dev/null
@@ -0,0 +1,46 @@
+From bffc26734265faf35f2fc20c4005e43c5c3f8a01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Feb 2021 11:16:49 +0800
+Subject: workqueue: Move the position of debug_work_activate() in
+ __queue_work()
+
+From: Zqiang <qiang.zhang@windriver.com>
+
+[ Upstream commit 0687c66b5f666b5ad433f4e94251590d9bc9d10e ]
+
+The debug_work_activate() is called on the premise that
+the work can be inserted, because if wq be in WQ_DRAINING
+status, insert work may be failed.
+
+Fixes: e41e704bc4f4 ("workqueue: improve destroy_workqueue() debuggability")
+Signed-off-by: Zqiang <qiang.zhang@windriver.com>
+Reviewed-by: Lai Jiangshan <jiangshanlai@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/workqueue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 6b293804cd73..a2de597604e6 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -1351,7 +1351,6 @@ static void __queue_work(int cpu, struct workqueue_struct *wq,
+        */
+       WARN_ON_ONCE(!irqs_disabled());
+-      debug_work_activate(work);
+       /* if draining, only works from the same workqueue are allowed */
+       if (unlikely(wq->flags & __WQ_DRAINING) &&
+@@ -1430,6 +1429,7 @@ retry:
+               worklist = &pwq->delayed_works;
+       }
++      debug_work_activate(work);
+       insert_work(pwq, work, worklist, work_flags);
+       spin_unlock(&pwq->pool->lock);
+-- 
+2.30.2
+
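Review bot: The relocated `debug_work_activate(work)` now sits immediately before `insert_work()` in the second inner hunk with no comment on why it must follow the `__WQ_DRAINING` check, so a later reordering could move it back to where the first hunk removed it. A short comment at the new position, `/* mark the work active only once it is certain to be inserted; the draining check above may reject it */`, would capture the rationale from the commit message in the code itself. The draining check and its reject path are cut off after the first hunk, so the ordering constraint cannot be fully confirmed from the visible lines.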