From: Greg Kroah-Hartman Date: Mon, 4 Oct 2021 10:14:36 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.4.286~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=32876ef7a1d0f4a3d759be112bbc0d5f512fff3f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch ext4-fix-reserved-space-counter-leakage.patch hid-u2fzero-ignore-incomplete-packets-without-data.patch ipack-ipoctal-fix-missing-allocation-failure-check.patch ipack-ipoctal-fix-module-reference-leak.patch ipack-ipoctal-fix-stack-information-leak.patch ipack-ipoctal-fix-tty-registration-error-handling.patch ipack-ipoctal-fix-tty-registration-race.patch net-stmmac-don-t-attach-interface-until-resume-finishes.patch net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch
---
diff --git a/queue-5.4/debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch b/queue-5.4/debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch
new file mode 100644
index 00000000000..61c2f8ca298
--- /dev/null
+++ b/queue-5.4/debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch
@@ -0,0 +1,37 @@
+From af505cad9567f7a500d34bf183696d570d7f6810 Mon Sep 17 00:00:00 2001
+From: Nirmoy Das
+Date: Thu, 2 Sep 2021 12:29:17 +0200
+Subject: debugfs: debugfs_create_file_size(): use IS_ERR to check for error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nirmoy Das
+
+commit af505cad9567f7a500d34bf183696d570d7f6810 upstream.
+
+debugfs_create_file() returns encoded error so use IS_ERR for checking
+return value.
+
+Reviewed-by: Christian König
+Signed-off-by: Nirmoy Das
+Fixes: ff9fb72bc077 ("debugfs: return error values, not NULL")
+Cc: stable
+References: https://gitlab.freedesktop.org/drm/amd/-/issues/1686
+Link: https://lore.kernel.org/r/20210902102917.2233-1-nirmoy.das@amd.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/debugfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -522,7 +522,7 @@ struct dentry *debugfs_create_file_size(
+ {
+ struct dentry *de = debugfs_create_file(name, mode, parent, data, fops);
+
+- if (de)
++ if (!IS_ERR(de))
+ d_inode(de)->i_size = file_size;
+ return de;
+ }
diff --git a/queue-5.4/elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch b/queue-5.4/elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch
new file mode 100644
index 00000000000..52df34bc843
--- /dev/null
+++ b/queue-5.4/elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch
@@ -0,0 +1,60 @@ +From 9b2f72cc0aa4bb444541bb87581c35b7508b37d3 Mon Sep 17 00:00:00 2001 +From: Chen Jingwen +Date: Tue, 28 Sep 2021 20:56:57 +0800 +Subject: elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings + +From: Chen Jingwen + +commit 9b2f72cc0aa4bb444541bb87581c35b7508b37d3 upstream. + +In commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf +executable mappings") we still leave MAP_FIXED_NOREPLACE in place for +load_elf_interp. + +Unfortunately, this will cause kernel to fail to start with: + + 1 (init): Uhuuh, elf segment at 00003ffff7ffd000 requested but the memory is mapped already + Failed to execute /init (error -17) + +The reason is that the elf interpreter (ld.so) has overlapping segments. + + readelf -l ld-2.31.so + Program Headers: + Type Offset VirtAddr PhysAddr + FileSiz MemSiz Flags Align + LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000 + 0x000000000002c94c 0x000000000002c94c R E 0x10000 + LOAD 0x000000000002dae0 0x000000000003dae0 0x000000000003dae0 + 0x00000000000021e8 0x0000000000002320 RW 0x10000 + LOAD 0x000000000002fe00 0x000000000003fe00 0x000000000003fe00 + 0x00000000000011ac 0x0000000000001328 RW 0x10000 + +The reason for this problem is the same as described in commit +ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments"). + +Not only executable binaries, elf interpreters (e.g. ld.so) can have +overlapping elf segments, so we better drop MAP_FIXED_NOREPLACE and go +back to MAP_FIXED in load_elf_interp. 
+ +Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map") +Cc: # v4.19 +Cc: Andrew Morton +Cc: Michal Hocko +Signed-off-by: Chen Jingwen +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/binfmt_elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -583,7 +583,7 @@ static unsigned long load_elf_interp(str + + vaddr = eppnt->p_vaddr; + if (interp_elf_ex->e_type == ET_EXEC || load_addr_set) +- elf_type |= MAP_FIXED_NOREPLACE; ++ elf_type |= MAP_FIXED; + else if (no_base && interp_elf_ex->e_type == ET_DYN) + load_addr = -vaddr; + diff --git a/queue-5.4/ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch b/queue-5.4/ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch new file mode 100644 index 00000000000..314d7e8275a --- /dev/null +++ b/queue-5.4/ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch 
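Review bot: The switch back at `elf_type |= MAP_FIXED;` is explained only in the commit message, and the message itself notes this is the second time the same correction has been made (b212921b13bd did it for the executable), so a future cleanup could easily restore MAP_FIXED_NOREPLACE and break interpreters with overlapping PT_LOAD segments again. Suggest a comment on that line: `/* ld.so can have overlapping PT_LOAD segments; MAP_FIXED_NOREPLACE would reject the second one (see ad55eac74f20, b212921b13bd) */`. MAP_FIXED silently replaces whatever is already mapped at vaddr, which is the behaviour the interpreter loader relied on before 4ed28639519c. The rest of load_elf_interp() lies outside the hunk.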
@@ -0,0 +1,65 @@ +From 75ca6ad408f459f00b09a64f04c774559848c097 Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani +Date: Sat, 5 Jun 2021 10:39:32 +0530 +Subject: ext4: fix loff_t overflow in ext4_max_bitmap_size() + +From: Ritesh Harjani + +commit 75ca6ad408f459f00b09a64f04c774559848c097 upstream. + +We should use unsigned long long rather than loff_t to avoid +overflow in ext4_max_bitmap_size() for comparison before returning. +w/o this patch sbi->s_bitmap_maxbytes was becoming a negative +value due to overflow of upper_limit (with has_huge_files as true) + +Below is a quick test to trigger it on a 64KB pagesize system. + +sudo mkfs.ext4 -b 65536 -O ^has_extents,^64bit /dev/loop2 +sudo mount /dev/loop2 /mnt +sudo echo "hello" > /mnt/hello -> This will error out with + "echo: write error: File too large" + +Signed-off-by: Ritesh Harjani +Reviewed-by: Jan Kara +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/594f409e2c543e90fd836b78188dfa5c575065ba.1622867594.git.riteshh@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2830,17 +2830,17 @@ static loff_t ext4_max_size(int blkbits, + */ + static loff_t ext4_max_bitmap_size(int bits, int has_huge_files) + { +- loff_t res = EXT4_NDIR_BLOCKS; ++ unsigned long long upper_limit, res = EXT4_NDIR_BLOCKS; + int meta_blocks; +- loff_t upper_limit; +- /* This is calculated to be the largest file size for a dense, block ++ ++ /* ++ * This is calculated to be the largest file size for a dense, block + * mapped file such that the file's total number of 512-byte sectors, + * including data and all indirect blocks, does not exceed (2^48 - 1). + * + * __u32 i_blocks_lo and _u16 i_blocks_high represent the total + * number of 512-byte sectors of the file. 
+ */ +- + if (!has_huge_files) { + /* + * !has_huge_files or implies that the inode i_block field +@@ -2883,7 +2883,7 @@ static loff_t ext4_max_bitmap_size(int b + if (res > MAX_LFS_FILESIZE) + res = MAX_LFS_FILESIZE; + +- return res; ++ return (loff_t)res; + } + + static ext4_fsblk_t descriptor_loc(struct super_block *sb, diff --git a/queue-5.4/ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch b/queue-5.4/ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch new file mode 100644 index 00000000000..e19919a2c33 --- /dev/null +++ b/queue-5.4/ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch 
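Review bot: The narrowing cast at `return (loff_t)res;` is only safe because the clamp `if (res > MAX_LFS_FILESIZE) res = MAX_LFS_FILESIZE;` immediately precedes it, and nothing at the return site says so. Suggest a comment above the return: `/* res was clamped to MAX_LFS_FILESIZE above, so converting back to loff_t cannot go negative */`. The comparison now mixes an unsigned long long with a loff_t, which is well defined here since MAX_LFS_FILESIZE is non-negative; the same comment can state that. The body of ext4_max_bitmap_size() between the two hunks is outside view.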
@@ -0,0 +1,68 @@ +From 42cb447410d024e9d54139ae9c21ea132a8c384c Mon Sep 17 00:00:00 2001 +From: yangerkun +Date: Tue, 14 Sep 2021 19:14:15 +0800 +Subject: ext4: fix potential infinite loop in ext4_dx_readdir() + +From: yangerkun + +commit 42cb447410d024e9d54139ae9c21ea132a8c384c upstream. + +When ext4_htree_fill_tree() fails, ext4_dx_readdir() can run into an +infinite loop since if info->last_pos != ctx->pos this will reset the +directory scan and reread the failing entry. For example: + +1. a dx_dir which has 3 block, block 0 as dx_root block, block 1/2 as + leaf block which own the ext4_dir_entry_2 +2. block 1 read ok and call_filldir which will fill the dirent and update + the ctx->pos +3. block 2 read fail, but we has already fill some dirent, so we will + return back to userspace will a positive return val(see ksys_getdents64) +4. the second ext4_dx_readdir will reset the world since info->last_pos + != ctx->pos, and will also init the curr_hash which pos to block 1 +5. So we will read block1 too, and once block2 still read fail, we can + only fill one dirent because the hash of the entry in block1(besides + the last one) won't greater than curr_hash +6. this time, we forget update last_pos too since the read for block2 + will fail, and since we has got the one entry, ksys_getdents64 can + return success +7. 
Latter we will trapped in a loop with step 4~6 + +Cc: stable@kernel.org +Signed-off-by: yangerkun +Reviewed-by: Jan Kara +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20210914111415.3921954-1-yangerkun@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/dir.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/ext4/dir.c ++++ b/fs/ext4/dir.c +@@ -536,7 +536,7 @@ static int ext4_dx_readdir(struct file * + struct dir_private_info *info = file->private_data; + struct inode *inode = file_inode(file); + struct fname *fname; +- int ret; ++ int ret = 0; + + if (!info) { + info = ext4_htree_create_dir_info(file, ctx->pos); +@@ -584,7 +584,7 @@ static int ext4_dx_readdir(struct file * + info->curr_minor_hash, + &info->next_hash); + if (ret < 0) +- return ret; ++ goto finished; + if (ret == 0) { + ctx->pos = ext4_get_htree_eof(file); + break; +@@ -615,7 +615,7 @@ static int ext4_dx_readdir(struct file * + } + finished: + info->last_pos = ctx->pos; +- return 0; ++ return ret < 0 ? ret : 0; + } + + static int ext4_dir_open(struct inode * inode, struct file * filp) diff --git a/queue-5.4/ext4-fix-reserved-space-counter-leakage.patch b/queue-5.4/ext4-fix-reserved-space-counter-leakage.patch new file mode 100644 index 00000000000..6cbcb8a545c --- /dev/null +++ b/queue-5.4/ext4-fix-reserved-space-counter-leakage.patch 
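Review bot: The `goto finished;` on ext4_htree_fill_tree() failure deliberately falls through to `info->last_pos = ctx->pos;` so that the next readdir call does not rewind and re-read the failing block, but nothing in the code records that intent; someone later tidying the function could restore `return ret;` and bring the loop back. Suggest a comment at the goto: `/* still update last_pos: an early return would make the next call rewind and re-read the failing block */`. The final `return ret < 0 ? ret : 0;` depends on `ret` not being reused for other values between the hunks, which cannot be confirmed from here. The body between the three hunks is outside view.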
@@ -0,0 +1,89 @@ +From 6fed83957f21eff11c8496e9f24253b03d2bc1dc Mon Sep 17 00:00:00 2001 +From: Jeffle Xu +Date: Mon, 23 Aug 2021 14:13:58 +0800 +Subject: ext4: fix reserved space counter leakage + +From: Jeffle Xu + +commit 6fed83957f21eff11c8496e9f24253b03d2bc1dc upstream. + +When ext4_insert_delayed block receives and recovers from an error from +ext4_es_insert_delayed_block(), e.g., ENOMEM, it does not release the +space it has reserved for that block insertion as it should. One effect +of this bug is that s_dirtyclusters_counter is not decremented and +remains incorrectly elevated until the file system has been unmounted. +This can result in premature ENOSPC returns and apparent loss of free +space. + +Another effect of this bug is that +/sys/fs/ext4//delayed_allocation_blocks can remain non-zero even +after syncfs has been executed on the filesystem. + +Besides, add check for s_dirtyclusters_counter when inode is going to be +evicted and freed. s_dirtyclusters_counter can still keep non-zero until +inode is written back in .evict_inode(), and thus the check is delayed +to .destroy_inode(). 
+ +Fixes: 51865fda28e5 ("ext4: let ext4 maintain extent status tree") +Cc: stable@kernel.org +Suggested-by: Gao Xiang +Signed-off-by: Jeffle Xu +Reviewed-by: Eric Whitney +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20210823061358.84473-1-jefflexu@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 5 +++++ + fs/ext4/super.c | 6 ++++++ + 2 files changed, 11 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1782,6 +1782,7 @@ static int ext4_insert_delayed_block(str + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + int ret; + bool allocated = false; ++ bool reserved = false; + + /* + * If the cluster containing lblk is shared with a delayed, +@@ -1798,6 +1799,7 @@ static int ext4_insert_delayed_block(str + ret = ext4_da_reserve_space(inode); + if (ret != 0) /* ENOSPC */ + goto errout; ++ reserved = true; + } else { /* bigalloc */ + if (!ext4_es_scan_clu(inode, &ext4_es_is_delonly, lblk)) { + if (!ext4_es_scan_clu(inode, +@@ -1810,6 +1812,7 @@ static int ext4_insert_delayed_block(str + ret = ext4_da_reserve_space(inode); + if (ret != 0) /* ENOSPC */ + goto errout; ++ reserved = true; + } else { + allocated = true; + } +@@ -1820,6 +1823,8 @@ static int ext4_insert_delayed_block(str + } + + ret = ext4_es_insert_delayed_block(inode, lblk, allocated); ++ if (ret && reserved) ++ ext4_da_release_space(inode, 1); + + errout: + return ret; +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1141,6 +1141,12 @@ static void ext4_destroy_inode(struct in + true); + dump_stack(); + } ++ ++ if (EXT4_I(inode)->i_reserved_data_blocks) ++ ext4_msg(inode->i_sb, KERN_ERR, ++ "Inode %lu (%p): i_reserved_data_blocks (%u) not cleared!", ++ inode->i_ino, EXT4_I(inode), ++ EXT4_I(inode)->i_reserved_data_blocks); + } + + static void init_once(void *foo) 
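Review bot: The release at `if (ret && reserved) ext4_da_release_space(inode, 1);` undoes whichever of the two `reserved = true` reservations was taken, and the count of 1 only matches if ext4_da_reserve_space() reserves exactly one unit on both the plain and bigalloc paths, which this hunk does not show. A comment tying them together would help: `/* undo the reservation taken above so s_dirtyclusters_counter does not leak on error */`. The super.c hunk only reports a non-zero i_reserved_data_blocks at destroy time; it does not correct the counter, so it is a diagnostic rather than part of the fix. Both enclosing functions extend beyond the hunks.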
diff --git a/queue-5.4/hid-u2fzero-ignore-incomplete-packets-without-data.patch b/queue-5.4/hid-u2fzero-ignore-incomplete-packets-without-data.patch
new file mode 100644
index 00000000000..c18e0123d56
--- /dev/null
+++ b/queue-5.4/hid-u2fzero-ignore-incomplete-packets-without-data.patch
@@ -0,0 +1,35 @@
+From 22d65765f211cc83186fd8b87521159f354c0da9 Mon Sep 17 00:00:00 2001
+From: Andrej Shadura
+Date: Thu, 16 Sep 2021 17:33:11 +0100
+Subject: HID: u2fzero: ignore incomplete packets without data
+
+From: Andrej Shadura
+
+commit 22d65765f211cc83186fd8b87521159f354c0da9 upstream.
+
+Since the actual_length calculation is performed unsigned, packets
+shorter than 7 bytes (e.g. packets without data or otherwise truncated)
+or non-received packets ("zero" bytes) can cause buffer overflow.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=214437
+Fixes: 42337b9d4d958("HID: add driver for U2F Zero built-in LED and RNG")
+Signed-off-by: Andrej Shadura
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-u2fzero.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-u2fzero.c
++++ b/drivers/hid/hid-u2fzero.c
+@@ -198,7 +198,9 @@ static int u2fzero_rng_read(struct hwrng
+ }
+
+ ret = u2fzero_recv(dev, &req, &resp);
+- if (ret < 0)
++
++ /* ignore errors or packets without data */
++ if (ret < offsetof(struct u2f_hid_msg, init.data))
+ return 0;
+
+ /* only take the minimum amount of data it is safe to take */
diff --git a/queue-5.4/ipack-ipoctal-fix-missing-allocation-failure-check.patch b/queue-5.4/ipack-ipoctal-fix-missing-allocation-failure-check.patch
new file mode 100644
index 00000000000..53a491d7cf9
--- /dev/null
+++ b/queue-5.4/ipack-ipoctal-fix-missing-allocation-failure-check.patch
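Review bot: The new test `if (ret < offsetof(struct u2f_hid_msg, init.data))` no longer catches a negative return from u2fzero_recv(): offsetof() yields a size_t, so the usual arithmetic conversions turn a negative `ret` (it is signed, the removed line compared it with 0) into a huge unsigned value, the condition is false, and the error value flows on into the length calculation the comment says it guards. Keep the sign test and add the length test separately: `if (ret < 0 || (size_t)ret < offsetof(struct u2f_hid_msg, init.data))` followed by `return 0;`. The comment `/* ignore errors or packets without data */` then matches what the code does. The rest of u2fzero_rng_read(), including the calculation below the guard, is outside the hunk.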
@@ -0,0 +1,36 @@
+From 445c8132727728dc297492a7d9fc074af3e94ba3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 17 Sep 2021 13:46:20 +0200
+Subject: ipack: ipoctal: fix missing allocation-failure check
+
+From: Johan Hovold
+
+commit 445c8132727728dc297492a7d9fc074af3e94ba3 upstream.
+
+Add the missing error handling when allocating the transmit buffer to
+avoid dereferencing a NULL pointer in write() should the allocation
+ever fail.
+
+Fixes: ba4dc61fe8c5 ("Staging: ipack: add support for IP-OCTAL mezzanine board")
+Cc: stable@vger.kernel.org # 3.5
+Acked-by: Samuel Iglesias Gonsalvez
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20210917114622.5412-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ipack/devices/ipoctal.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -388,7 +388,9 @@ static int ipoctal_inst_slot(struct ipoc
+
+ channel = &ipoctal->channel[i];
+ tty_port_init(&channel->tty_port);
+- tty_port_alloc_xmit_buf(&channel->tty_port);
++ res = tty_port_alloc_xmit_buf(&channel->tty_port);
++ if (res)
++ continue;
+ channel->tty_port.ops = &ipoctal_tty_port_ops;
+
+ ipoctal_reset_stats(&channel->stats);
diff --git a/queue-5.4/ipack-ipoctal-fix-module-reference-leak.patch b/queue-5.4/ipack-ipoctal-fix-module-reference-leak.patch
new file mode 100644
index 00000000000..b9d316022e8
--- /dev/null
+++ b/queue-5.4/ipack-ipoctal-fix-module-reference-leak.patch
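Review bot: The new `continue` on tty_port_alloc_xmit_buf() failure leaves the port that tty_port_init() just set up without a tty_port_destroy(), whereas the registration-failure path later in the same function (shown in the ipack-ipoctal-fix-tty-registration-error-handling patch on this page) destroys the port before continuing. Matching that, `if (res) { tty_port_destroy(&channel->tty_port); continue; }` keeps the two failure paths consistent, even if the practical effect of the missing destroy is small. The failure is also silent: `res` is not examined after the loop as far as the other ipoctal hunks on this page show, and the registration path at least emits a dev_err. ipoctal_inst_slot() extends beyond the hunk on both sides.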
@@ -0,0 +1,79 @@ +From bb8a4fcb2136508224c596a7e665bdba1d7c3c27 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Sep 2021 13:46:21 +0200 +Subject: ipack: ipoctal: fix module reference leak + +From: Johan Hovold + +commit bb8a4fcb2136508224c596a7e665bdba1d7c3c27 upstream. + +A reference to the carrier module was taken on every open but was only +released once when the final reference to the tty struct was dropped. + +Fix this by taking the module reference and initialising the tty driver +data when installing the tty. + +Fixes: 82a82340bab6 ("ipoctal: get carrier driver to avoid rmmod") +Cc: stable@vger.kernel.org # 3.18 +Cc: Federico Vaga +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210917114622.5412-6-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/devices/ipoctal.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/drivers/ipack/devices/ipoctal.c ++++ b/drivers/ipack/devices/ipoctal.c +@@ -84,22 +84,34 @@ static int ipoctal_port_activate(struct + return 0; + } + +-static int ipoctal_open(struct tty_struct *tty, struct file *file) ++static int ipoctal_install(struct tty_driver *driver, struct tty_struct *tty) + { + struct ipoctal_channel *channel = dev_get_drvdata(tty->dev); + struct ipoctal *ipoctal = chan_to_ipoctal(channel, tty->index); +- int err; +- +- tty->driver_data = channel; ++ int res; + + if (!ipack_get_carrier(ipoctal->dev)) + return -EBUSY; + +- err = tty_port_open(&channel->tty_port, tty, file); +- if (err) +- ipack_put_carrier(ipoctal->dev); ++ res = tty_standard_install(driver, tty); ++ if (res) ++ goto err_put_carrier; ++ ++ tty->driver_data = channel; ++ ++ return 0; ++ ++err_put_carrier: ++ ipack_put_carrier(ipoctal->dev); ++ ++ return res; ++} ++ ++static int ipoctal_open(struct tty_struct *tty, struct file *file) ++{ ++ struct ipoctal_channel *channel = tty->driver_data; + +- return err; ++ return 
tty_port_open(&channel->tty_port, tty, file); + } + + static void ipoctal_reset_stats(struct ipoctal_stats *stats) +@@ -665,6 +677,7 @@ static void ipoctal_cleanup(struct tty_s + + static const struct tty_operations ipoctal_fops = { + .ioctl = NULL, ++ .install = ipoctal_install, + .open = ipoctal_open, + .close = ipoctal_close, + .write = ipoctal_write_tty, diff --git a/queue-5.4/ipack-ipoctal-fix-stack-information-leak.patch b/queue-5.4/ipack-ipoctal-fix-stack-information-leak.patch new file mode 100644 index 00000000000..df8c3dd1e69 --- /dev/null +++ b/queue-5.4/ipack-ipoctal-fix-stack-information-leak.patch 
@@ -0,0 +1,86 @@ +From a89936cce87d60766a75732a9e7e25c51164f47c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Sep 2021 13:46:17 +0200 +Subject: ipack: ipoctal: fix stack information leak + +From: Johan Hovold + +commit a89936cce87d60766a75732a9e7e25c51164f47c upstream. + +The tty driver name is used also after registering the driver and must +specifically not be allocated on the stack to avoid leaking information +to user space (or triggering an oops). + +Drivers should not try to encode topology information in the tty device +name but this one snuck in through staging without anyone noticing and +another driver has since copied this malpractice. + +Fixing the ABI is a separate issue, but this at least plugs the security +hole. + +Fixes: ba4dc61fe8c5 ("Staging: ipack: add support for IP-OCTAL mezzanine board") +Cc: stable@vger.kernel.org # 3.5 +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210917114622.5412-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/devices/ipoctal.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/ipack/devices/ipoctal.c ++++ b/drivers/ipack/devices/ipoctal.c +@@ -266,7 +266,6 @@ static int ipoctal_inst_slot(struct ipoc + int res; + int i; + struct tty_driver *tty; +- char name[20]; + struct ipoctal_channel *channel; + struct ipack_region *region; + void __iomem *addr; +@@ -357,8 +356,11 @@ static int ipoctal_inst_slot(struct ipoc + /* Fill struct tty_driver with ipoctal data */ + tty->owner = THIS_MODULE; + tty->driver_name = KBUILD_MODNAME; +- sprintf(name, KBUILD_MODNAME ".%d.%d.", bus_nr, slot); +- tty->name = name; ++ tty->name = kasprintf(GFP_KERNEL, KBUILD_MODNAME ".%d.%d.", bus_nr, slot); ++ if (!tty->name) { ++ res = -ENOMEM; ++ goto err_put_driver; ++ } + tty->major = 0; + + tty->minor_start = 0; +@@ -374,8 +376,7 @@ static int ipoctal_inst_slot(struct ipoc + res = tty_register_driver(tty); + if 
(res) { + dev_err(&ipoctal->dev->dev, "Can't register tty driver.\n"); +- put_tty_driver(tty); +- return res; ++ goto err_free_name; + } + + /* Save struct tty_driver for use it when uninstalling the device */ +@@ -412,6 +413,13 @@ static int ipoctal_inst_slot(struct ipoc + ipoctal_irq_handler, ipoctal); + + return 0; ++ ++err_free_name: ++ kfree(tty->name); ++err_put_driver: ++ put_tty_driver(tty); ++ ++ return res; + } + + static inline int ipoctal_copy_write_buffer(struct ipoctal_channel *channel, +@@ -700,6 +708,7 @@ static void __ipoctal_remove(struct ipoc + } + + tty_unregister_driver(ipoctal->tty_drv); ++ kfree(ipoctal->tty_drv->name); + put_tty_driver(ipoctal->tty_drv); + kfree(ipoctal); + } diff --git a/queue-5.4/ipack-ipoctal-fix-tty-registration-error-handling.patch b/queue-5.4/ipack-ipoctal-fix-tty-registration-error-handling.patch new file mode 100644 index 00000000000..ba333704e65 --- /dev/null +++ b/queue-5.4/ipack-ipoctal-fix-tty-registration-error-handling.patch 
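Review bot: `tty->name` is now heap memory that must stay valid for as long as the driver is registered, and the matching `kfree(ipoctal->tty_drv->name)` lives in __ipoctal_remove(), which is easy to miss when reading ipoctal_inst_slot(). Suggest a comment at the kasprintf(): `/* must outlive tty_register_driver(); freed in __ipoctal_remove() after tty_unregister_driver() */`. The unwind order `err_free_name` then `err_put_driver` is correct since the name is evidently allocated after the driver (a kasprintf failure jumps straight to err_put_driver). ipoctal_inst_slot() continues outside the hunk.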
@@ -0,0 +1,56 @@
+From cd20d59291d1790dc74248476e928f57fc455189 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 17 Sep 2021 13:46:19 +0200
+Subject: ipack: ipoctal: fix tty-registration error handling
+
+From: Johan Hovold
+
+commit cd20d59291d1790dc74248476e928f57fc455189 upstream.
+
+Registration of the ipoctal tty devices is unlikely to fail, but if it
+ever does, make sure not to deregister a never registered tty device
+(and dereference a NULL pointer) when the driver is later unbound.
+
+Fixes: 2afb41d9d30d ("Staging: ipack/devices/ipoctal: Check tty_register_device return value.")
+Cc: stable@vger.kernel.org # 3.7
+Acked-by: Samuel Iglesias Gonsalvez
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20210917114622.5412-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ipack/devices/ipoctal.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -35,6 +35,7 @@ struct ipoctal_channel {
+ unsigned int pointer_read;
+ unsigned int pointer_write;
+ struct tty_port tty_port;
++ bool tty_registered;
+ union scc2698_channel __iomem *regs;
+ union scc2698_block __iomem *block_regs;
+ unsigned int board_id;
+@@ -399,9 +400,11 @@ static int ipoctal_inst_slot(struct ipoc
+ i, NULL, channel, NULL);
+ if (IS_ERR(tty_dev)) {
+ dev_err(&ipoctal->dev->dev, "Failed to register tty device.\n");
++ tty_port_free_xmit_buf(&channel->tty_port);
+ tty_port_destroy(&channel->tty_port);
+ continue;
+ }
++ channel->tty_registered = true;
+ }
+
+ /*
+@@ -702,6 +705,10 @@ static void __ipoctal_remove(struct ipoc
+
+ for (i = 0; i < NR_CHANNELS; i++) {
+ struct ipoctal_channel *channel = &ipoctal->channel[i];
++
++ if (!channel->tty_registered)
++ continue;
++
+ tty_unregister_device(ipoctal->tty_drv, i);
+ tty_port_free_xmit_buf(&channel->tty_port);
+ tty_port_destroy(&channel->tty_port);
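Review bot: The new struct member `bool tty_registered;` has no comment, and since it is only ever set and never cleared, its meaning as a one-way "registration completed" marker is not obvious from the declaration. Suggest `/* set once tty_port_register_device_attr() succeeds; __ipoctal_remove() skips channels without it */` next to the field. The flag also ends up covering the transmit-buffer allocation failure introduced by ipack-ipoctal-fix-missing-allocation-failure-check.patch on this page, whose `continue` happens before registration; that interaction is worth a line in the same comment so the two patches are not reasoned about in isolation. The ipoctal_inst_slot() and __ipoctal_remove() bodies continue outside the hunks.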
diff --git a/queue-5.4/ipack-ipoctal-fix-tty-registration-race.patch b/queue-5.4/ipack-ipoctal-fix-tty-registration-race.patch
new file mode 100644
index 00000000000..10b392e1025
--- /dev/null
+++ b/queue-5.4/ipack-ipoctal-fix-tty-registration-race.patch
@@ -0,0 +1,40 @@
+From 65c001df517a7bf9be8621b53d43c89f426ce8d6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 17 Sep 2021 13:46:18 +0200
+Subject: ipack: ipoctal: fix tty registration race
+
+From: Johan Hovold
+
+commit 65c001df517a7bf9be8621b53d43c89f426ce8d6 upstream.
+
+Make sure to set the tty class-device driver data before registering the
+tty to avoid having a racing open() dereference a NULL pointer.
+
+Fixes: 9c1d784afc6f ("Staging: ipack/devices/ipoctal: Get rid of ipoctal_list.")
+Cc: stable@vger.kernel.org # 3.7
+Acked-by: Samuel Iglesias Gonsalvez
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20210917114622.5412-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ipack/devices/ipoctal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -395,13 +395,13 @@ static int ipoctal_inst_slot(struct ipoc
+ spin_lock_init(&channel->lock);
+ channel->pointer_read = 0;
+ channel->pointer_write = 0;
+- tty_dev = tty_port_register_device(&channel->tty_port, tty, i, NULL);
++ tty_dev = tty_port_register_device_attr(&channel->tty_port, tty,
++ i, NULL, channel, NULL);
+ if (IS_ERR(tty_dev)) {
+ dev_err(&ipoctal->dev->dev, "Failed to register tty device.\n");
+ tty_port_destroy(&channel->tty_port);
+ continue;
+ }
+- dev_set_drvdata(tty_dev, channel);
+ }
+
+ /*
diff --git a/queue-5.4/net-stmmac-don-t-attach-interface-until-resume-finishes.patch b/queue-5.4/net-stmmac-don-t-attach-interface-until-resume-finishes.patch
new file mode 100644
index 00000000000..3cc763b1d11
--- /dev/null
+++ b/queue-5.4/net-stmmac-don-t-attach-interface-until-resume-finishes.patch
@@ -0,0 +1,73 @@ +From 31096c3e8b1163c6e966bf4d1f36d8b699008f84 Mon Sep 17 00:00:00 2001 +From: Leon Yu +Date: Fri, 22 May 2020 23:29:43 +0800 +Subject: net: stmmac: don't attach interface until resume finishes + +From: Leon Yu + +commit 31096c3e8b1163c6e966bf4d1f36d8b699008f84 upstream. + +Commit 14b41a2959fb ("net: stmmac: Delete txtimer in suspend") was the +first attempt to fix a race between mod_timer() and setup_timer() +during stmmac_resume(). However the issue still exists as the commit +only addressed half of the issue. + +Same race can still happen as stmmac_resume() re-attaches interface +way too early - even before hardware is fully initialized. Worse, +doing so allows network traffic to restart and stmmac_tx_timer_arm() +being called in the middle of stmmac_resume(), which re-init tx timers +in stmmac_init_coalesce(). timer_list will be corrupted and system +crashes as a result of race between mod_timer() and setup_timer(). + + systemd--1995 2.... 552950018us : stmmac_suspend: 4994 + ksoftirq-9 0..s2 553123133us : stmmac_tx_timer_arm: 2276 + systemd--1995 0.... 553127896us : stmmac_resume: 5101 + systemd--320 7...2 553132752us : stmmac_tx_timer_arm: 2276 + (sd-exec-1999 5...2 553135204us : stmmac_tx_timer_arm: 2276 + --------------------------------- + pc : run_timer_softirq+0x468/0x5e0 + lr : run_timer_softirq+0x570/0x5e0 + Call trace: + run_timer_softirq+0x468/0x5e0 + __do_softirq+0x124/0x398 + irq_exit+0xd8/0xe0 + __handle_domain_irq+0x6c/0xc0 + gic_handle_irq+0x60/0xb0 + el1_irq+0xb8/0x180 + arch_cpu_idle+0x38/0x230 + default_idle_call+0x24/0x3c + do_idle+0x1e0/0x2b8 + cpu_startup_entry+0x28/0x48 + secondary_start_kernel+0x1b4/0x208 + +Fix this by deferring netif_device_attach() to the end of +stmmac_resume(). + +Signed-off-by: Leon Yu +Signed-off-by: David S. 
Miller +Cc: Macpaul Lin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -4855,8 +4855,6 @@ int stmmac_resume(struct device *dev) + stmmac_mdio_reset(priv->mii); + } + +- netif_device_attach(ndev); +- + mutex_lock(&priv->lock); + + stmmac_reset_queues_param(priv); +@@ -4880,6 +4878,8 @@ int stmmac_resume(struct device *dev) + + phylink_mac_change(priv->phylink, true); + ++ netif_device_attach(ndev); ++ + return 0; + } + EXPORT_SYMBOL_GPL(stmmac_resume); diff --git a/queue-5.4/net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch b/queue-5.4/net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch new file mode 100644 index 00000000000..f7f3274fe37 --- /dev/null +++ b/queue-5.4/net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch 
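Review bot: Moving `netif_device_attach(ndev);` to just before `return 0;` means that any error return between `mutex_lock(&priv->lock);` and the end of stmmac_resume() (that stretch is outside the hunk, so whether such returns exist cannot be confirmed here) now leaves the interface detached with nothing to re-attach it. If such paths exist, they either need to attach before returning or the caller must treat a failed resume as a dead interface; worth checking against the full function before merging to stable. A short comment at the new call site would also record why the order matters, e.g. `/* attach last: the tx timers are re-initialised above and traffic must not restart before that */`.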
@@ -0,0 +1,73 @@ +From a9f5970767d11eadc805d5283f202612c7ba1f59 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 27 Sep 2021 17:29:24 -0700 +Subject: net: udp: annotate data race around udp_sk(sk)->corkflag + +From: Eric Dumazet + +commit a9f5970767d11eadc805d5283f202612c7ba1f59 upstream. + +up->corkflag field can be read or written without any lock. +Annotate accesses to avoid possible syzbot/KCSAN reports. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 10 +++++----- + net/ipv6/udp.c | 2 +- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -981,7 +981,7 @@ int udp_sendmsg(struct sock *sk, struct + __be16 dport; + u8 tos; + int err, is_udplite = IS_UDPLITE(sk); +- int corkreq = up->corkflag || msg->msg_flags&MSG_MORE; ++ int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE; + int (*getfrag)(void *, char *, int, int, int, struct sk_buff *); + struct sk_buff *skb; + struct ip_options_data opt_copy; +@@ -1289,7 +1289,7 @@ int udp_sendpage(struct sock *sk, struct + } + + up->len += size; +- if (!(up->corkflag || (flags&MSG_MORE))) ++ if (!(READ_ONCE(up->corkflag) || (flags&MSG_MORE))) + ret = udp_push_pending_frames(sk); + if (!ret) + ret = size; +@@ -2551,9 +2551,9 @@ int udp_lib_setsockopt(struct sock *sk, + switch (optname) { + case UDP_CORK: + if (val != 0) { +- up->corkflag = 1; ++ WRITE_ONCE(up->corkflag, 1); + } else { +- up->corkflag = 0; ++ WRITE_ONCE(up->corkflag, 0); + lock_sock(sk); + push_pending_frames(sk); + release_sock(sk); +@@ -2676,7 +2676,7 @@ int udp_lib_getsockopt(struct sock *sk, + + switch (optname) { + case UDP_CORK: +- val = up->corkflag; ++ val = READ_ONCE(up->corkflag); + break; + + case UDP_ENCAP: +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1231,7 +1231,7 @@ int udpv6_sendmsg(struct sock *sk, struc + int addr_len = msg->msg_namelen; + bool connected = 
false;
+ int ulen = len;
+- int corkreq = up->corkflag || msg->msg_flags&MSG_MORE;
++ int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE;
+ int err;
+ int is_udplite = IS_UDPLITE(sk);
+ int (*getfrag)(void *, char *, int, int, int, struct sk_buff *);
diff --git a/queue-5.4/series b/queue-5.4/series
index f41f3d9a341..9bced4f86e5 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -31,3 +31,16 @@ net-phy-bcm7xxx-fixed-indirect-mmd-operations.patch
 net-sched-flower-protect-fl_walk-with-rcu.patch
 af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch
 perf-x86-intel-update-event-constraints-for-icx.patch
+elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch
+debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch
+ipack-ipoctal-fix-stack-information-leak.patch
+ipack-ipoctal-fix-tty-registration-race.patch
+ipack-ipoctal-fix-tty-registration-error-handling.patch
+ipack-ipoctal-fix-missing-allocation-failure-check.patch
+ipack-ipoctal-fix-module-reference-leak.patch
+ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch
+ext4-fix-reserved-space-counter-leakage.patch
+ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch
+hid-u2fzero-ignore-incomplete-packets-without-data.patch
+net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch
+net-stmmac-don-t-attach-interface-until-resume-finishes.patch