From: Greg Kroah-Hartman Date: Sun, 11 Oct 2020 11:31:23 +0000 (+0200) Subject: 5.8-stable patches X-Git-Tag: v4.4.239~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=334f096e42e7d68e78829532a431f377cc0c1866;p=thirdparty%2Fkernel%2Fstable-queue.git 5.8-stable patches added patches: cifs-fix-incomplete-memory-allocation-on-setxattr-path.patch espintcp-restore-ip-cb-before-handing-the-packet-to-xfrm.patch i2c-meson-fix-clock-setting-overwrite.patch i2c-meson-fixup-rate-calculation-with-filter-delay.patch i2c-meson-keep-peripheral-clock-enabled.patch i2c-owl-clear-nack-and-bus-error-bits.patch sctp-fix-sctp_auth_init_hmacs-error-path.patch xfrmi-drop-ignore_df-check-before-updating-pmtu.patch --- diff --git a/queue-5.8/cifs-fix-incomplete-memory-allocation-on-setxattr-path.patch b/queue-5.8/cifs-fix-incomplete-memory-allocation-on-setxattr-path.patch new file mode 100644 index 00000000000..932f42fc890 --- /dev/null +++ b/queue-5.8/cifs-fix-incomplete-memory-allocation-on-setxattr-path.patch 
@@ -0,0 +1,73 @@ +From 64b7f674c292207624b3d788eda2dde3dc1415df Mon Sep 17 00:00:00 2001 +From: Vladimir Zapolskiy +Date: Sat, 10 Oct 2020 21:25:54 +0300 +Subject: cifs: Fix incomplete memory allocation on setxattr path + +From: Vladimir Zapolskiy + +commit 64b7f674c292207624b3d788eda2dde3dc1415df upstream. + +On setxattr() syscall path due to an apprent typo the size of a dynamically +allocated memory chunk for storing struct smb2_file_full_ea_info object is +computed incorrectly, to be more precise the first addend is the size of +a pointer instead of the wanted object size. Coincidentally it makes no +difference on 64-bit platforms, however on 32-bit targets the following +memcpy() writes 4 bytes of data outside of the dynamically allocated memory. + + ============================================================================= + BUG kmalloc-16 (Not tainted): Redzone overwritten + ----------------------------------------------------------------------------- + + Disabling lock debugging due to kernel taint + INFO: 0x79e69a6f-0x9e5cdecf @offset=368. First byte 0x73 instead of 0xcc + INFO: Slab 0xd36d2454 objects=85 used=51 fp=0xf7d0fc7a flags=0x35000201 + INFO: Object 0x6f171df3 @offset=352 fp=0x00000000 + + Redzone 5d4ff02d: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ + Object 6f171df3: 00 00 00 00 00 05 06 00 73 6e 72 75 62 00 66 69 ........snrub.fi + Redzone 79e69a6f: 73 68 32 0a sh2. 
+ Padding 56254d82: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ + CPU: 0 PID: 8196 Comm: attr Tainted: G B 5.9.0-rc8+ #3 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014 + Call Trace: + dump_stack+0x54/0x6e + print_trailer+0x12c/0x134 + check_bytes_and_report.cold+0x3e/0x69 + check_object+0x18c/0x250 + free_debug_processing+0xfe/0x230 + __slab_free+0x1c0/0x300 + kfree+0x1d3/0x220 + smb2_set_ea+0x27d/0x540 + cifs_xattr_set+0x57f/0x620 + __vfs_setxattr+0x4e/0x60 + __vfs_setxattr_noperm+0x4e/0x100 + __vfs_setxattr_locked+0xae/0xd0 + vfs_setxattr+0x4e/0xe0 + setxattr+0x12c/0x1a0 + path_setxattr+0xa4/0xc0 + __ia32_sys_lsetxattr+0x1d/0x20 + __do_fast_syscall_32+0x40/0x70 + do_fast_syscall_32+0x29/0x60 + do_SYSENTER_32+0x15/0x20 + entry_SYSENTER_32+0x9f/0xf2 + +Fixes: 5517554e4313 ("cifs: Add support for writing attributes on SMB2+") +Signed-off-by: Vladimir Zapolskiy +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1208,7 +1208,7 @@ smb2_set_ea(const unsigned int xid, stru + rqst[1].rq_iov = si_iov; + rqst[1].rq_nvec = 1; + +- len = sizeof(ea) + ea_name_len + ea_value_len + 1; ++ len = sizeof(*ea) + ea_name_len + ea_value_len + 1; + ea = kzalloc(len, GFP_KERNEL); + if (ea == NULL) { + rc = -ENOMEM; diff --git a/queue-5.8/espintcp-restore-ip-cb-before-handing-the-packet-to-xfrm.patch b/queue-5.8/espintcp-restore-ip-cb-before-handing-the-packet-to-xfrm.patch new file mode 100644 index 00000000000..1959d944e1f --- /dev/null +++ b/queue-5.8/espintcp-restore-ip-cb-before-handing-the-packet-to-xfrm.patch 
@@ -0,0 +1,42 @@ +From 4eb2e13415757a2bce5bb0d580d22bbeef1f5346 Mon Sep 17 00:00:00 2001 +From: Sabrina Dubroca +Date: Thu, 13 Aug 2020 16:24:04 +0200 +Subject: espintcp: restore IP CB before handing the packet to xfrm + +From: Sabrina Dubroca + +commit 4eb2e13415757a2bce5bb0d580d22bbeef1f5346 upstream. + +Xiumei reported a bug with espintcp over IPv6 in transport mode, +because xfrm6_transport_finish expects to find IP6CB data (struct +inet6_skb_cb). Currently, espintcp zeroes the CB, but the relevant +part is actually preserved by previous layers (first set up by tcp, +then strparser only zeroes a small part of tcp_skb_tb), so we can just +relocate it to the start of skb->cb. + +Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)") +Reported-by: Xiumei Mu +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/espintcp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/xfrm/espintcp.c ++++ b/net/xfrm/espintcp.c +@@ -29,8 +29,12 @@ static void handle_nonesp(struct espintc + + static void handle_esp(struct sk_buff *skb, struct sock *sk) + { ++ struct tcp_skb_cb *tcp_cb = (struct tcp_skb_cb *)skb->cb; ++ + skb_reset_transport_header(skb); +- memset(skb->cb, 0, sizeof(skb->cb)); ++ ++ /* restore IP CB, we need at least IP6CB->nhoff */ ++ memmove(skb->cb, &tcp_cb->header, sizeof(tcp_cb->header)); + + rcu_read_lock(); + skb->dev = dev_get_by_index_rcu(sock_net(sk), skb->skb_iif); diff --git a/queue-5.8/i2c-meson-fix-clock-setting-overwrite.patch b/queue-5.8/i2c-meson-fix-clock-setting-overwrite.patch new file mode 100644 index 00000000000..6274d721481 --- /dev/null +++ b/queue-5.8/i2c-meson-fix-clock-setting-overwrite.patch 
@@ -0,0 +1,82 @@ +From 28683e847e2f20eed22cdd24f185d7783db396d3 Mon Sep 17 00:00:00 2001 +From: Jerome Brunet +Date: Wed, 7 Oct 2020 10:07:49 +0200 +Subject: i2c: meson: fix clock setting overwrite + +From: Jerome Brunet + +commit 28683e847e2f20eed22cdd24f185d7783db396d3 upstream. + +When the slave address is written in do_start(), SLAVE_ADDR is written +completely. This may overwrite some setting related to the clock rate +or signal filtering. + +Fix this by writing only the bits related to slave address. To avoid +causing unexpected changed, explicitly disable filtering or high/low +clock mode which may have been left over by the bootloader. + +Fixes: 30021e3707a7 ("i2c: add support for Amlogic Meson I2C controller") +Signed-off-by: Jerome Brunet +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-meson.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-meson.c ++++ b/drivers/i2c/busses/i2c-meson.c +@@ -5,6 +5,7 @@ + * Copyright (C) 2014 Beniamino Galvani + */ + ++#include + #include + #include + #include +@@ -38,6 +39,12 @@ + #define REG_CTRL_CLKDIVEXT_SHIFT 28 + #define REG_CTRL_CLKDIVEXT_MASK GENMASK(29, 28) + ++#define REG_SLV_ADDR GENMASK(7, 0) ++#define REG_SLV_SDA_FILTER GENMASK(10, 8) ++#define REG_SLV_SCL_FILTER GENMASK(13, 11) ++#define REG_SLV_SCL_LOW GENMASK(27, 16) ++#define REG_SLV_SCL_LOW_EN BIT(28) ++ + #define I2C_TIMEOUT_MS 500 + + enum { +@@ -147,6 +154,9 @@ static void meson_i2c_set_clk_div(struct + meson_i2c_set_mask(i2c, REG_CTRL, REG_CTRL_CLKDIVEXT_MASK, + (div >> 10) << REG_CTRL_CLKDIVEXT_SHIFT); + ++ /* Disable HIGH/LOW mode */ ++ meson_i2c_set_mask(i2c, REG_SLAVE_ADDR, REG_SLV_SCL_LOW_EN, 0); ++ + dev_dbg(i2c->dev, "%s: clk %lu, freq %u, div %u\n", __func__, + clk_rate, freq, div); + } +@@ -280,7 +290,10 @@ static void meson_i2c_do_start(struct me + token = (msg->flags & I2C_M_RD) ? 
TOKEN_SLAVE_ADDR_READ : + TOKEN_SLAVE_ADDR_WRITE; + +- writel(msg->addr << 1, i2c->regs + REG_SLAVE_ADDR); ++ ++ meson_i2c_set_mask(i2c, REG_SLAVE_ADDR, REG_SLV_ADDR, ++ FIELD_PREP(REG_SLV_ADDR, msg->addr << 1)); ++ + meson_i2c_add_token(i2c, TOKEN_START); + meson_i2c_add_token(i2c, token); + } +@@ -461,6 +474,10 @@ static int meson_i2c_probe(struct platfo + return ret; + } + ++ /* Disable filtering */ ++ meson_i2c_set_mask(i2c, REG_SLAVE_ADDR, ++ REG_SLV_SDA_FILTER | REG_SLV_SCL_FILTER, 0); ++ + meson_i2c_set_clk_div(i2c, timings.bus_freq_hz); + + return 0; diff --git a/queue-5.8/i2c-meson-fixup-rate-calculation-with-filter-delay.patch b/queue-5.8/i2c-meson-fixup-rate-calculation-with-filter-delay.patch new file mode 100644 index 00000000000..030d5ea15fc --- /dev/null +++ b/queue-5.8/i2c-meson-fixup-rate-calculation-with-filter-delay.patch 
@@ -0,0 +1,77 @@ +From 1334d3b4e49e35d8912a7c37ffca4c5afb9a0516 Mon Sep 17 00:00:00 2001 +From: Nicolas Belin +Date: Wed, 7 Oct 2020 10:07:51 +0200 +Subject: i2c: meson: fixup rate calculation with filter delay + +From: Nicolas Belin + +commit 1334d3b4e49e35d8912a7c37ffca4c5afb9a0516 upstream. + +Apparently, 15 cycles of the peripheral clock are used by the controller +for sampling and filtering. Because this was not known before, the rate +calculation is slightly off. + +Clean up and fix the calculation taking this filtering delay into account. + +Fixes: 30021e3707a7 ("i2c: add support for Amlogic Meson I2C controller") +Signed-off-by: Nicolas Belin +Signed-off-by: Jerome Brunet +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-meson.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/drivers/i2c/busses/i2c-meson.c ++++ b/drivers/i2c/busses/i2c-meson.c +@@ -34,10 +34,8 @@ + #define REG_CTRL_ACK_IGNORE BIT(1) + #define REG_CTRL_STATUS BIT(2) + #define REG_CTRL_ERROR BIT(3) +-#define REG_CTRL_CLKDIV_SHIFT 12 +-#define REG_CTRL_CLKDIV_MASK GENMASK(21, 12) +-#define REG_CTRL_CLKDIVEXT_SHIFT 28 +-#define REG_CTRL_CLKDIVEXT_MASK GENMASK(29, 28) ++#define REG_CTRL_CLKDIV GENMASK(21, 12) ++#define REG_CTRL_CLKDIVEXT GENMASK(29, 28) + + #define REG_SLV_ADDR GENMASK(7, 0) + #define REG_SLV_SDA_FILTER GENMASK(10, 8) +@@ -46,6 +44,7 @@ + #define REG_SLV_SCL_LOW_EN BIT(28) + + #define I2C_TIMEOUT_MS 500 ++#define FILTER_DELAY 15 + + enum { + TOKEN_END = 0, +@@ -140,19 +139,21 @@ static void meson_i2c_set_clk_div(struct + unsigned long clk_rate = clk_get_rate(i2c->clk); + unsigned int div; + +- div = DIV_ROUND_UP(clk_rate, freq * i2c->data->div_factor); ++ div = DIV_ROUND_UP(clk_rate, freq); ++ div -= FILTER_DELAY; ++ div = DIV_ROUND_UP(div, i2c->data->div_factor); + + /* clock divider has 12 bits */ +- if (div >= (1 << 12)) { ++ if (div > GENMASK(11, 0)) { + dev_err(i2c->dev, "requested bus 
frequency too low\n"); +- div = (1 << 12) - 1; ++ div = GENMASK(11, 0); + } + +- meson_i2c_set_mask(i2c, REG_CTRL, REG_CTRL_CLKDIV_MASK, +- (div & GENMASK(9, 0)) << REG_CTRL_CLKDIV_SHIFT); ++ meson_i2c_set_mask(i2c, REG_CTRL, REG_CTRL_CLKDIV, ++ FIELD_PREP(REG_CTRL_CLKDIV, div & GENMASK(9, 0))); + +- meson_i2c_set_mask(i2c, REG_CTRL, REG_CTRL_CLKDIVEXT_MASK, +- (div >> 10) << REG_CTRL_CLKDIVEXT_SHIFT); ++ meson_i2c_set_mask(i2c, REG_CTRL, REG_CTRL_CLKDIVEXT, ++ FIELD_PREP(REG_CTRL_CLKDIVEXT, div >> 10)); + + /* Disable HIGH/LOW mode */ + meson_i2c_set_mask(i2c, REG_SLAVE_ADDR, REG_SLV_SCL_LOW_EN, 0); diff --git a/queue-5.8/i2c-meson-keep-peripheral-clock-enabled.patch b/queue-5.8/i2c-meson-keep-peripheral-clock-enabled.patch new file mode 100644 index 00000000000..64448551021 --- /dev/null +++ b/queue-5.8/i2c-meson-keep-peripheral-clock-enabled.patch 
@@ -0,0 +1,72 @@ +From 79e137b1540165f788394658442284d55a858984 Mon Sep 17 00:00:00 2001 +From: Jerome Brunet +Date: Wed, 7 Oct 2020 10:07:50 +0200 +Subject: i2c: meson: keep peripheral clock enabled + +From: Jerome Brunet + +commit 79e137b1540165f788394658442284d55a858984 upstream. + +SCL rate appears to be different than what is expected. For example, +We get 164kHz on i2c3 of the vim3 when 400kHz is expected. This is +partially due to the peripheral clock being disabled when the clock is +set. + +Let's keep the peripheral clock on after probe to fix the problem. This +does not affect the SCL output which is still gated when i2c is idle. + +Fixes: 09af1c2fa490 ("i2c: meson: set clock divider in probe instead of setting it for each transfer") +Signed-off-by: Jerome Brunet +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-meson.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/drivers/i2c/busses/i2c-meson.c ++++ b/drivers/i2c/busses/i2c-meson.c +@@ -370,16 +370,12 @@ static int meson_i2c_xfer_messages(struc + struct meson_i2c *i2c = adap->algo_data; + int i, ret = 0; + +- clk_enable(i2c->clk); +- + for (i = 0; i < num; i++) { + ret = meson_i2c_xfer_msg(i2c, msgs + i, i == num - 1, atomic); + if (ret) + break; + } + +- clk_disable(i2c->clk); +- + return ret ?: i; + } + +@@ -448,7 +444,7 @@ static int meson_i2c_probe(struct platfo + return ret; + } + +- ret = clk_prepare(i2c->clk); ++ ret = clk_prepare_enable(i2c->clk); + if (ret < 0) { + dev_err(&pdev->dev, "can't prepare clock\n"); + return ret; +@@ -470,7 +466,7 @@ static int meson_i2c_probe(struct platfo + + ret = i2c_add_adapter(&i2c->adap); + if (ret < 0) { +- clk_unprepare(i2c->clk); ++ clk_disable_unprepare(i2c->clk); + return ret; + } + +@@ -488,7 +484,7 @@ static int meson_i2c_remove(struct platf + struct meson_i2c *i2c = platform_get_drvdata(pdev); + + i2c_del_adapter(&i2c->adap); +- clk_unprepare(i2c->clk); ++ 
clk_disable_unprepare(i2c->clk); + + return 0; + } diff --git a/queue-5.8/i2c-owl-clear-nack-and-bus-error-bits.patch b/queue-5.8/i2c-owl-clear-nack-and-bus-error-bits.patch new file mode 100644 index 00000000000..bcc9ecec7cf --- /dev/null +++ b/queue-5.8/i2c-owl-clear-nack-and-bus-error-bits.patch @@ -0,0 +1,47 @@ +From f5b3f433641c543ebe5171285a42aa6adcdb2d22 Mon Sep 17 00:00:00 2001 +From: Cristian Ciocaltea +Date: Fri, 9 Oct 2020 00:44:39 +0300 +Subject: i2c: owl: Clear NACK and BUS error bits + +From: Cristian Ciocaltea + +commit f5b3f433641c543ebe5171285a42aa6adcdb2d22 upstream. + +When the NACK and BUS error bits are set by the hardware, the driver is +responsible for clearing them by writing "1" into the corresponding +status registers. + +Hence perform the necessary operations in owl_i2c_interrupt(). + +Fixes: d211e62af466 ("i2c: Add Actions Semiconductor Owl family S900 I2C driver") +Reported-by: Manivannan Sadhasivam +Signed-off-by: Cristian Ciocaltea +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-owl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/i2c/busses/i2c-owl.c ++++ b/drivers/i2c/busses/i2c-owl.c +@@ -176,6 +176,9 @@ static irqreturn_t owl_i2c_interrupt(int + fifostat = readl(i2c_dev->base + OWL_I2C_REG_FIFOSTAT); + if (fifostat & OWL_I2C_FIFOSTAT_RNB) { + i2c_dev->err = -ENXIO; ++ /* Clear NACK error bit by writing "1" */ ++ owl_i2c_update_reg(i2c_dev->base + OWL_I2C_REG_FIFOSTAT, ++ OWL_I2C_FIFOSTAT_RNB, true); + goto stop; + } + +@@ -183,6 +186,9 @@ static irqreturn_t owl_i2c_interrupt(int + stat = readl(i2c_dev->base + OWL_I2C_REG_STAT); + if (stat & OWL_I2C_STAT_BEB) { + i2c_dev->err = -EIO; ++ /* Clear BUS error bit by writing "1" */ ++ owl_i2c_update_reg(i2c_dev->base + OWL_I2C_REG_STAT, ++ OWL_I2C_STAT_BEB, true); + goto stop; + } + 
diff --git a/queue-5.8/sctp-fix-sctp_auth_init_hmacs-error-path.patch b/queue-5.8/sctp-fix-sctp_auth_init_hmacs-error-path.patch new file mode 100644 index 00000000000..557e1a4e299 --- /dev/null +++ b/queue-5.8/sctp-fix-sctp_auth_init_hmacs-error-path.patch 
@@ -0,0 +1,121 @@ +From d42ee76ecb6c49d499fc5eb32ca34468d95dbc3e Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 8 Oct 2020 01:38:31 -0700 +Subject: sctp: fix sctp_auth_init_hmacs() error path + +From: Eric Dumazet + +commit d42ee76ecb6c49d499fc5eb32ca34468d95dbc3e upstream. + +After freeing ep->auth_hmacs we have to clear the pointer +or risk use-after-free as reported by syzbot: + +BUG: KASAN: use-after-free in sctp_auth_destroy_hmacs net/sctp/auth.c:509 [inline] +BUG: KASAN: use-after-free in sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline] +BUG: KASAN: use-after-free in sctp_auth_free+0x17e/0x1d0 net/sctp/auth.c:1070 +Read of size 8 at addr ffff8880a8ff52c0 by task syz-executor941/6874 + +CPU: 0 PID: 6874 Comm: syz-executor941 Not tainted 5.9.0-rc8-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x198/0x1fd lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + sctp_auth_destroy_hmacs net/sctp/auth.c:509 [inline] + sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline] + sctp_auth_free+0x17e/0x1d0 net/sctp/auth.c:1070 + sctp_endpoint_destroy+0x95/0x240 net/sctp/endpointola.c:203 + sctp_endpoint_put net/sctp/endpointola.c:236 [inline] + sctp_endpoint_free+0xd6/0x110 net/sctp/endpointola.c:183 + sctp_destroy_sock+0x9c/0x3c0 net/sctp/socket.c:4981 + sctp_v6_destroy_sock+0x11/0x20 net/sctp/socket.c:9415 + sk_common_release+0x64/0x390 net/core/sock.c:3254 + sctp_close+0x4ce/0x8b0 net/sctp/socket.c:1533 + inet_release+0x12e/0x280 net/ipv4/af_inet.c:431 + inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:475 + __sock_release+0xcd/0x280 net/socket.c:596 + sock_close+0x18/0x20 net/socket.c:1277 + __fput+0x285/0x920 fs/file_table.c:281 + task_work_run+0xdd/0x190 kernel/task_work.c:141 + 
exit_task_work include/linux/task_work.h:25 [inline] + do_exit+0xb7d/0x29f0 kernel/exit.c:806 + do_group_exit+0x125/0x310 kernel/exit.c:903 + __do_sys_exit_group kernel/exit.c:914 [inline] + __se_sys_exit_group kernel/exit.c:912 [inline] + __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:912 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x43f278 +Code: Bad RIP value. +RSP: 002b:00007fffe0995c38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f278 +RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 +RBP: 00000000004bf068 R08: 00000000000000e7 R09: ffffffffffffffd0 +R10: 0000000020000000 R11: 0000000000000246 R12: 0000000000000001 +R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 + +Allocated by task 6874: + kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 + kasan_set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 + kmem_cache_alloc_trace+0x174/0x300 mm/slab.c:3554 + kmalloc include/linux/slab.h:554 [inline] + kmalloc_array include/linux/slab.h:593 [inline] + kcalloc include/linux/slab.h:605 [inline] + sctp_auth_init_hmacs+0xdb/0x3b0 net/sctp/auth.c:464 + sctp_auth_init+0x8a/0x4a0 net/sctp/auth.c:1049 + sctp_setsockopt_auth_supported net/sctp/socket.c:4354 [inline] + sctp_setsockopt+0x477e/0x97f0 net/sctp/socket.c:4631 + __sys_setsockopt+0x2db/0x610 net/socket.c:2132 + __do_sys_setsockopt net/socket.c:2143 [inline] + __se_sys_setsockopt net/socket.c:2140 [inline] + __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 6874: + kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 + kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 + kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 + __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422 + __cache_free mm/slab.c:3422 [inline] + 
kfree+0x10e/0x2b0 mm/slab.c:3760 + sctp_auth_destroy_hmacs net/sctp/auth.c:511 [inline] + sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline] + sctp_auth_init_hmacs net/sctp/auth.c:496 [inline] + sctp_auth_init_hmacs+0x2b7/0x3b0 net/sctp/auth.c:454 + sctp_auth_init+0x8a/0x4a0 net/sctp/auth.c:1049 + sctp_setsockopt_auth_supported net/sctp/socket.c:4354 [inline] + sctp_setsockopt+0x477e/0x97f0 net/sctp/socket.c:4631 + __sys_setsockopt+0x2db/0x610 net/socket.c:2132 + __do_sys_setsockopt net/socket.c:2143 [inline] + __se_sys_setsockopt net/socket.c:2140 [inline] + __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 1f485649f529 ("[SCTP]: Implement SCTP-AUTH internals") +Signed-off-by: Eric Dumazet +Cc: Vlad Yasevich +Cc: Neil Horman +Cc: Marcelo Ricardo Leitner +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/sctp/auth.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sctp/auth.c ++++ b/net/sctp/auth.c +@@ -494,6 +494,7 @@ int sctp_auth_init_hmacs(struct sctp_end + out_err: + /* Clean up any successful allocations */ + sctp_auth_destroy_hmacs(ep->auth_hmacs); ++ ep->auth_hmacs = NULL; + return -ENOMEM; + } + diff --git a/queue-5.8/series b/queue-5.8/series index 137b9013e85..d50583748c2 100644 --- a/queue-5.8/series +++ b/queue-5.8/series 
@@ -32,3 +32,11 @@ mm-khugepaged-fix-filemap-page_to_pgoff-page-offset.patch net-introduce-helper-sendpage_ok-in-include-linux-net.h.patch tcp-use-sendpage_ok-to-detect-misused-.sendpage.patch nvme-tcp-check-page-by-sendpage_ok-before-calling-kernel_sendpage.patch +xfrmi-drop-ignore_df-check-before-updating-pmtu.patch +espintcp-restore-ip-cb-before-handing-the-packet-to-xfrm.patch +cifs-fix-incomplete-memory-allocation-on-setxattr-path.patch +i2c-meson-fix-clock-setting-overwrite.patch +i2c-meson-keep-peripheral-clock-enabled.patch +i2c-meson-fixup-rate-calculation-with-filter-delay.patch +i2c-owl-clear-nack-and-bus-error-bits.patch +sctp-fix-sctp_auth_init_hmacs-error-path.patch diff --git a/queue-5.8/xfrmi-drop-ignore_df-check-before-updating-pmtu.patch b/queue-5.8/xfrmi-drop-ignore_df-check-before-updating-pmtu.patch new file mode 100644 index 00000000000..7a15a4399b4 --- /dev/null +++ b/queue-5.8/xfrmi-drop-ignore_df-check-before-updating-pmtu.patch 
@@ -0,0 +1,39 @@ +From 45a36a18d01907710bad5258d81f76c18882ad88 Mon Sep 17 00:00:00 2001 +From: Sabrina Dubroca +Date: Tue, 4 Aug 2020 11:37:29 +0200 +Subject: xfrmi: drop ignore_df check before updating pmtu + +From: Sabrina Dubroca + +commit 45a36a18d01907710bad5258d81f76c18882ad88 upstream. + +xfrm interfaces currently test for !skb->ignore_df when deciding +whether to update the pmtu on the skb's dst. Because of this, no pmtu +exception is created when we do something like: + + ping -s 1438 + +By dropping this check, the pmtu exception will be created and the +next ping attempt will work. + +Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") +Reported-by: Xiumei Mu +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_interface.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_interface.c ++++ b/net/xfrm/xfrm_interface.c +@@ -292,7 +292,7 @@ xfrmi_xmit2(struct sk_buff *skb, struct + } + + mtu = dst_mtu(dst); +- if (!skb->ignore_df && skb->len > mtu) { ++ if (skb->len > mtu) { + skb_dst_update_pmtu_no_confirm(skb, mtu); + + if (skb->protocol == htons(ETH_P_IPV6)) {
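Review bot: In the smb2_set_ea() hunk of fs/cifs/smb2ops.c, the corrected `len = sizeof(*ea) + ea_name_len + ea_value_len + 1;` is still an open-coded sum passed straight to kzalloc(), and nothing in the visible context bounds ea_name_len or ea_value_len. Please confirm both are range-checked before this line, or build the size with an overflow-checking helper such as check_add_overflow(), so that a wrapped length cannot produce a short allocation ahead of the memcpy() the commit message refers to. A short comment saying what the trailing `+ 1` accounts for would also help the next reader.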
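Review bot: In handle_esp() in net/xfrm/espintcp.c, replacing `memset(skb->cb, 0, sizeof(skb->cb));` with a memmove() of only sizeof(tcp_cb->header) bytes leaves the rest of skb->cb holding whatever the TCP and strparser layers stored there. If any later consumer reads cb fields beyond the IP CB, it now sees stale data where it used to see zeroes. Consider clearing the tail of skb->cb after the memmove(), or extend the comment to state that only the IP CB region is read downstream. The comment mentions only IP6CB->nhoff, so it should also say whether the IPv4 path depends on the same copy.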
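Review bot: In the meson_i2c_do_start() hunk of i2c-meson-fix-clock-setting-overwrite.patch, `FIELD_PREP(REG_SLV_ADDR, msg->addr << 1)` packs the shifted address into GENMASK(7, 0), so a msg->addr wider than 7 bits is silently truncated because the value is not a compile-time constant. The old writel() at least put those bits somewhere visible. Please reject or warn on addresses that do not fit the field before programming the register, and document that only 7-bit addressing is handled here. Style: the added empty line follows an existing empty context line, leaving two consecutive blank lines before meson_i2c_set_mask().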
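Review bot: In the meson_i2c_set_clk_div() hunk of i2c-meson-fixup-rate-calculation-with-filter-delay.patch, `div -= FILTER_DELAY;` operates on an unsigned int with no lower-bound check. If DIV_ROUND_UP(clk_rate, freq) is smaller than 15, div wraps to a very large value, the `div > GENMASK(11, 0)` clamp fires, and the driver logs "requested bus frequency too low" and programs the maximum divider, although the request was in fact too high. Check that div exceeds FILTER_DELAY before subtracting and handle that case with its own message. A comment next to the FILTER_DELAY define explaining that it counts peripheral clock cycles, as the commit message does, would also be useful.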
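Review bot: In the meson_i2c_probe() hunk of i2c-meson-keep-peripheral-clock-enabled.patch, the call becomes clk_prepare_enable() but the dev_err() string directly below still reads "can't prepare clock", which will mislead anyone diagnosing an enable failure; please update the message. With clk_enable() and clk_disable() removed from meson_i2c_xfer_messages(), the clock now stays on from probe until remove, so a comment in probe recording why it must stay enabled would stop a later cleanup from reintroducing the per-transfer gating.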
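Review bot: In both owl_i2c_interrupt() hunks of drivers/i2c/busses/i2c-owl.c, the bits are cleared through owl_i2c_update_reg(..., true) on registers that the commit message describes as write-1-to-clear. If that helper is a read-modify-write, as its name and arguments suggest, it will write back every other status bit that happens to read as 1 and clear those as well. Please confirm that is intended, or write only the single bit (OWL_I2C_FIFOSTAT_RNB, OWL_I2C_STAT_BEB) with a plain writel() so unrelated pending status is not lost.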
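Review bot: In the out_err path of sctp_auth_init_hmacs() in net/sctp/auth.c, `ep->auth_hmacs = NULL;` is applied at this one call site, so the invariant "freed means NULL" depends on every caller of sctp_auth_destroy_hmacs() remembering to do the same. The KASAN trace in the commit message shows sctp_auth_free() reaching the same helper later with the stale pointer. Consider a small wrapper that frees and clears ep->auth_hmacs together, or at minimum add a comment on this line saying that the endpoint outlives the failed init and will be torn down again, so the pointer must not dangle.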
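Review bot: In the xfrmi_xmit2() hunk of net/xfrm/xfrm_interface.c, the condition changes from `if (!skb->ignore_df && skb->len > mtu)` to `if (skb->len > mtu)` with no comment, and the reason exists only in the commit message. Since honouring ignore_df looks like the natural thing to do here, a later reader may well restore the check. Please add a one-line comment above the test stating that the PMTU update must happen regardless of ignore_df so that the PMTU exception is created, and confirm that the branch body that follows is also the intended handling for packets that do have ignore_df set.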