From: Greg Kroah-Hartman Date: Sun, 3 Apr 2022 12:45:19 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.17.2~125 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3843874011cdfcc93572d8e622c7df62fa117f16;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: crypto-arm-aes-neonbs-cbc-select-generic-cbc-and-aes.patch gfs2-gfs2_setattr_size-error-path-fix.patch gfs2-make-sure-fitrim-minlen-is-rounded-up-to-fs-block-size.patch mailbox-imx-fix-wakeup-failure-from-freeze-mode.patch net-hns3-fix-software-vlan-talbe-of-vlan-0-inconsistent-with-hardware.patch net-hns3-fix-the-concurrency-between-functions-reading-debugfs.patch rtc-check-if-__rtc_read_time-was-successful.patch rxrpc-fix-call-timer-start-racing-with-call-destruction.patch rxrpc-fix-some-null-ptr-deref-bugs-in-server_key.c.patch --- diff --git a/queue-5.15/crypto-arm-aes-neonbs-cbc-select-generic-cbc-and-aes.patch b/queue-5.15/crypto-arm-aes-neonbs-cbc-select-generic-cbc-and-aes.patch new file mode 100644 index 00000000000..38249ebb245 --- /dev/null +++ b/queue-5.15/crypto-arm-aes-neonbs-cbc-select-generic-cbc-and-aes.patch 
@@ -0,0 +1,31 @@
+From c8bd296cca3434b13b28b074eaeb78a23284de77 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Thu, 17 Mar 2022 10:55:13 +1200
+Subject: crypto: arm/aes-neonbs-cbc - Select generic cbc and aes
+
+From: Herbert Xu
+
+commit c8bd296cca3434b13b28b074eaeb78a23284de77 upstream.
+
+The algorithm __cbc-aes-neonbs requires a fallback so we need
+to select the config options for them or otherwise it will fail
+to register on boot-up.
+
+Fixes: 00b99ad2bac2 ("crypto: arm/aes-neonbs - Use generic cbc...")
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/crypto/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/crypto/Kconfig
++++ b/arch/arm/crypto/Kconfig
+@@ -102,6 +102,8 @@ config CRYPTO_AES_ARM_BS
+ depends on KERNEL_MODE_NEON
+ select CRYPTO_SKCIPHER
+ select CRYPTO_LIB_AES
++ select CRYPTO_AES
++ select CRYPTO_CBC
+ select CRYPTO_SIMD
+ help
+ Use a faster and more secure NEON based implementation of AES in CBC,
diff --git a/queue-5.15/gfs2-gfs2_setattr_size-error-path-fix.patch b/queue-5.15/gfs2-gfs2_setattr_size-error-path-fix.patch
new file mode 100644
index 00000000000..ab14aa4650b
--- /dev/null
+++ b/queue-5.15/gfs2-gfs2_setattr_size-error-path-fix.patch
@@ -0,0 +1,109 @@ +From 7336905a89f19173bf9301cd50a24421162f417c Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Fri, 10 Dec 2021 14:43:36 +0100 +Subject: gfs2: gfs2_setattr_size error path fix + +From: Andreas Gruenbacher + +commit 7336905a89f19173bf9301cd50a24421162f417c upstream. + +When gfs2_setattr_size() fails, it calls gfs2_rs_delete(ip, NULL) to get +rid of any reservations the inode may have. Instead, it should pass in +the inode's write count as the second parameter to allow +gfs2_rs_delete() to figure out if the inode has any writers left. + +In a next step, there are two instances of gfs2_rs_delete(ip, NULL) left +where we know that there can be no other users of the inode. Replace +those with gfs2_rs_deltree(&ip->i_res) to avoid the unnecessary write +count check. + +With that, gfs2_rs_delete() is only called with the inode's actual write +count, so get rid of the second parameter. + +Fixes: a097dc7e24cb ("GFS2: Make rgrp reservations part of the gfs2_inode structure") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/bmap.c | 2 +- + fs/gfs2/file.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/gfs2/rgrp.c | 7 ++++--- + fs/gfs2/rgrp.h | 2 +- + fs/gfs2/super.c | 2 +- + 6 files changed, 9 insertions(+), 8 deletions(-) + +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -2204,7 +2204,7 @@ int gfs2_setattr_size(struct inode *inod + + ret = do_shrink(inode, newsize); + out: +- gfs2_rs_delete(ip, NULL); ++ gfs2_rs_delete(ip); + gfs2_qa_put(ip); + return ret; + } +--- a/fs/gfs2/file.c ++++ b/fs/gfs2/file.c +@@ -713,7 +713,7 @@ static int gfs2_release(struct inode *in + + if (file->f_mode & FMODE_WRITE) { + if (gfs2_rs_active(&ip->i_res)) +- gfs2_rs_delete(ip, &inode->i_writecount); ++ gfs2_rs_delete(ip); + gfs2_qa_put(ip); + } + return 0; +--- a/fs/gfs2/inode.c ++++ b/fs/gfs2/inode.c +@@ -811,7 +811,7 @@ fail_free_inode: + if (free_vfs_inode) /* else evict will do the put for us */ + gfs2_glock_put(ip->i_gl); + } +- 
gfs2_rs_delete(ip, NULL); ++ gfs2_rs_deltree(&ip->i_res); + gfs2_qa_put(ip); + fail_free_acls: + posix_acl_release(default_acl); +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -680,13 +680,14 @@ void gfs2_rs_deltree(struct gfs2_blkrese + /** + * gfs2_rs_delete - delete a multi-block reservation + * @ip: The inode for this reservation +- * @wcount: The inode's write count, or NULL + * + */ +-void gfs2_rs_delete(struct gfs2_inode *ip, atomic_t *wcount) ++void gfs2_rs_delete(struct gfs2_inode *ip) + { ++ struct inode *inode = &ip->i_inode; ++ + down_write(&ip->i_rw_mutex); +- if ((wcount == NULL) || (atomic_read(wcount) <= 1)) ++ if (atomic_read(&inode->i_writecount) <= 1) + gfs2_rs_deltree(&ip->i_res); + up_write(&ip->i_rw_mutex); + } +--- a/fs/gfs2/rgrp.h ++++ b/fs/gfs2/rgrp.h +@@ -45,7 +45,7 @@ extern int gfs2_alloc_blocks(struct gfs2 + bool dinode, u64 *generation); + + extern void gfs2_rs_deltree(struct gfs2_blkreserv *rs); +-extern void gfs2_rs_delete(struct gfs2_inode *ip, atomic_t *wcount); ++extern void gfs2_rs_delete(struct gfs2_inode *ip); + extern void __gfs2_free_blocks(struct gfs2_inode *ip, struct gfs2_rgrpd *rgd, + u64 bstart, u32 blen, int meta); + extern void gfs2_free_meta(struct gfs2_inode *ip, struct gfs2_rgrpd *rgd, +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -1398,7 +1398,7 @@ out: + truncate_inode_pages_final(&inode->i_data); + if (ip->i_qadata) + gfs2_assert_warn(sdp, ip->i_qadata->qa_ref == 0); +- gfs2_rs_delete(ip, NULL); ++ gfs2_rs_deltree(&ip->i_res); + gfs2_ordered_del_inode(ip); + clear_inode(inode); + gfs2_dir_hash_inval(ip); diff --git a/queue-5.15/gfs2-make-sure-fitrim-minlen-is-rounded-up-to-fs-block-size.patch b/queue-5.15/gfs2-make-sure-fitrim-minlen-is-rounded-up-to-fs-block-size.patch new file mode 100644 index 00000000000..ba047a45473 --- /dev/null +++ b/queue-5.15/gfs2-make-sure-fitrim-minlen-is-rounded-up-to-fs-block-size.patch 
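Review bot: The kernel-doc of gfs2_rs_delete in the rgrp.c hunk drops the @wcount line but never says that the reservation is now dropped only when the inode has no other writers, which is exactly what the new `atomic_read(&inode->i_writecount) <= 1` test encodes. Add a line after @ip such as ` * Drops the reservation only when this is the last writer (i_writecount <= 1).`. The two call sites switched to gfs2_rs_deltree(&ip->i_res) in inode.c and super.c bypass that writer check, so a one-line comment at each, `/* no other user of the inode can exist here */`, would record the reasoning the commit message gives. The enclosing functions in bmap.c, file.c, inode.c and super.c all start and end outside the hunks.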
@@ -0,0 +1,42 @@
+From 27ca8273fda398638ca994a207323a85b6d81190 Mon Sep 17 00:00:00 2001
+From: Andrew Price
+Date: Tue, 22 Mar 2022 19:05:51 +0000
+Subject: gfs2: Make sure FITRIM minlen is rounded up to fs block size
+
+From: Andrew Price
+
+commit 27ca8273fda398638ca994a207323a85b6d81190 upstream.
+
+Per fstrim(8) we must round up the minlen argument to the fs block size.
+The current calculation doesn't take into account devices that have a
+discard granularity and requested minlen less than 1 fs block, so the
+value can get shifted away to zero in the translation to fs blocks.
+
+The zero minlen passed to gfs2_rgrp_send_discards() then allows
+sb_issue_discard() to be called with nr_sects == 0 which returns -EINVAL
+and results in gfs2_rgrp_send_discards() returning -EIO.
+
+Make sure minlen is never < 1 fs block by taking the max of the
+requested minlen and the fs block size before comparing to the device's
+discard granularity and shifting to fs blocks.
+
+Fixes: 076f0faa764ab ("GFS2: Fix FITRIM argument handling")
+Signed-off-by: Andrew Price
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/gfs2/rgrp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1428,7 +1428,8 @@ int gfs2_fitrim(struct file *filp, void
+
+ start = r.start >> bs_shift;
+ end = start + (r.len >> bs_shift);
+- minlen = max_t(u64, r.minlen,
++ minlen = max_t(u64, r.minlen, sdp->sd_sb.sb_bsize);
++ minlen = max_t(u64, minlen,
+ q->limits.discard_granularity) >> bs_shift;
+
+ if (end <= start || minlen > sdp->sd_max_rg_data)
diff --git a/queue-5.15/mailbox-imx-fix-wakeup-failure-from-freeze-mode.patch b/queue-5.15/mailbox-imx-fix-wakeup-failure-from-freeze-mode.patch
new file mode 100644
index 00000000000..2a2896272c1
--- /dev/null
+++ b/queue-5.15/mailbox-imx-fix-wakeup-failure-from-freeze-mode.patch
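Review bot: The two max_t() statements in the rgrp.c hunk are correct but read as two unrelated clamps, and the reason the first one exists lives only in the commit message. Since r.minlen is the value supplied by the FITRIM ioctl caller, a comment above them such as `/* fstrim(8): round minlen up to at least one fs block before the granularity clamp, so the shift can never yield 0 */` makes the handling of that externally supplied value explicit. gfs2_fitrim() begins and ends outside the hunk, so the `minlen > sdp->sd_max_rg_data` test that follows is the only upper bound visible here.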
@@ -0,0 +1,70 @@ +From 892cb524ae8a27bf5e42f711318371acd9a9f74a Mon Sep 17 00:00:00 2001 +From: Robin Gong +Date: Mon, 7 Feb 2022 09:52:06 +0800 +Subject: mailbox: imx: fix wakeup failure from freeze mode + +From: Robin Gong + +commit 892cb524ae8a27bf5e42f711318371acd9a9f74a upstream. + +Since IRQF_NO_SUSPEND used for imx mailbox driver, that means this irq +can't be used for wakeup source so that can't wakeup from freeze mode. +Add pm_system_wakeup() to wakeup from freeze mode. + +Fixes: b7b2796b9b31e("mailbox: imx: ONLY IPC MU needs IRQF_NO_SUSPEND flag") +Reviewed-by: Jacky Bai +Reviewed-by: Peng Fan +Signed-off-by: Robin Gong +Signed-off-by: Peng Fan +Signed-off-by: Jassi Brar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mailbox/imx-mailbox.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/mailbox/imx-mailbox.c ++++ b/drivers/mailbox/imx-mailbox.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + + #define IMX_MU_CHANS 16 +@@ -67,6 +68,7 @@ struct imx_mu_priv { + const struct imx_mu_dcfg *dcfg; + struct clk *clk; + int irq; ++ bool suspend; + + u32 xcr[4]; + +@@ -307,6 +309,9 @@ static irqreturn_t imx_mu_isr(int irq, v + return IRQ_NONE; + } + ++ if (priv->suspend) ++ pm_system_wakeup(); ++ + return IRQ_HANDLED; + } + +@@ -652,6 +657,8 @@ static int __maybe_unused imx_mu_suspend + priv->xcr[i] = imx_mu_read(priv, priv->dcfg->xCR[i]); + } + ++ priv->suspend = true; ++ + return 0; + } + +@@ -673,6 +680,8 @@ static int __maybe_unused imx_mu_resume_ + imx_mu_write(priv, priv->xcr[i], priv->dcfg->xCR[i]); + } + ++ priv->suspend = false; ++ + return 0; + } + diff --git a/queue-5.15/net-hns3-fix-software-vlan-talbe-of-vlan-0-inconsistent-with-hardware.patch b/queue-5.15/net-hns3-fix-software-vlan-talbe-of-vlan-0-inconsistent-with-hardware.patch new file mode 100644 index 00000000000..8217597d936 --- /dev/null +++ b/queue-5.15/net-hns3-fix-software-vlan-talbe-of-vlan-0-inconsistent-with-hardware.patch 
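Review bot: The new `bool suspend;` field in the imx-mailbox.c hunk is written by the suspend and resume callbacks and read from imx_mu_isr(), which keeps running across suspend because the driver registers its interrupt with IRQF_NO_SUSPEND (per the commit message), yet the field carries no comment about that contract. Annotate it at the declaration, e.g. `bool suspend; /* set by the suspend callback, cleared on resume; read by the ISR to request a system wakeup */`. Whether the plain read in the ISR can race the plain write in the callbacks is not decidable from the hunk; presumably the PM core orders these, and if that is not relied upon, READ_ONCE()/WRITE_ONCE() on the field would state the intent. The functions imx_mu_isr() and the suspend/resume callbacks all start outside their hunks.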
@@ -0,0 +1,38 @@
+From 7ed258f12ec5ce855f15cdfb5710361dc82fe899 Mon Sep 17 00:00:00 2001
+From: Guangbin Huang
+Date: Wed, 30 Mar 2022 21:45:06 +0800
+Subject: net: hns3: fix software vlan talbe of vlan 0 inconsistent with hardware
+
+From: Guangbin Huang
+
+commit 7ed258f12ec5ce855f15cdfb5710361dc82fe899 upstream.
+
+When user delete vlan 0, as driver will not delete vlan 0 for hardware in
+function hclge_set_vlan_filter_hw(), so vlan 0 in software vlan talbe should
+not be deleted.
+
+Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed")
+Signed-off-by: Guangbin Huang
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -10595,11 +10595,11 @@ int hclge_set_vlan_filter(struct hnae3_h
+ }
+
+ if (!ret) {
+- if (is_kill)
+- hclge_rm_vport_vlan_table(vport, vlan_id, false);
+- else
++ if (!is_kill)
+ hclge_add_vport_vlan_table(vport, vlan_id,
+ writen_to_tbl);
++ else if (is_kill && vlan_id != 0)
++ hclge_rm_vport_vlan_table(vport, vlan_id, false);
+ } else if (is_kill) {
+ /* when remove hw vlan filter failed, record the vlan id,
+ * and try to remove it from hw later, to be consistence
diff --git a/queue-5.15/net-hns3-fix-the-concurrency-between-functions-reading-debugfs.patch b/queue-5.15/net-hns3-fix-the-concurrency-between-functions-reading-debugfs.patch
new file mode 100644
index 00000000000..0bc28b24d7d
--- /dev/null
+++ b/queue-5.15/net-hns3-fix-the-concurrency-between-functions-reading-debugfs.patch
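Review bot: In the hclge_main.c hunk the new `else if (is_kill && vlan_id != 0)` re-tests is_kill even though the preceding `if (!is_kill)` already guarantees it on that branch; `else if (vlan_id != 0)` says the same thing and reads more directly. The reason vlan 0 is skipped is only in the commit message, so a short comment on the branch, `/* vlan 0 is never removed from hardware, so keep it in the software table too */`, would keep the software and hardware tables explainable from the code. The enclosing hclge_set_vlan_filter() starts and ends outside the hunk.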
@@ -0,0 +1,85 @@ +From 9c9a04212fa380d2e7d1412bb281309955c0a781 Mon Sep 17 00:00:00 2001 +From: Yufeng Mo +Date: Wed, 30 Mar 2022 21:45:05 +0800 +Subject: net: hns3: fix the concurrency between functions reading debugfs + +From: Yufeng Mo + +commit 9c9a04212fa380d2e7d1412bb281309955c0a781 upstream. + +Currently, the debugfs mechanism is that all functions share a +global variable to save the pointer for obtaining data. When +different functions concurrently access the same file node, +repeated release exceptions occur. Therefore, the granularity +of the pointer for storing the obtained data is adjusted to be +private for each function. + +Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process") +Signed-off-by: Yufeng Mo +Signed-off-by: Guangbin Huang +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hnae3.h | 1 + + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 15 +++++++++++---- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h | 1 - + 3 files changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h +@@ -835,6 +835,7 @@ struct hnae3_handle { + struct dentry *hnae3_dbgfs; + /* protects concurrent contention between debugfs commands */ + struct mutex dbgfs_lock; ++ char **dbgfs_buf; + + /* Network interface message level enabled bits */ + u32 msg_enable; +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -1022,7 +1022,7 @@ static ssize_t hns3_dbg_read(struct file + return ret; + + mutex_lock(&handle->dbgfs_lock); +- save_buf = &hns3_dbg_cmd[index].buf; ++ save_buf = &handle->dbgfs_buf[index]; + + if (!test_bit(HNS3_NIC_STATE_INITED, &priv->state) || + test_bit(HNS3_NIC_STATE_RESETTING, &priv->state)) { +@@ -1127,6 +1127,13 @@ int hns3_dbg_init(struct hnae3_handle *h + int ret; + u32 i; + ++ handle->dbgfs_buf = 
devm_kcalloc(&handle->pdev->dev, ++ ARRAY_SIZE(hns3_dbg_cmd), ++ sizeof(*handle->dbgfs_buf), ++ GFP_KERNEL); ++ if (!handle->dbgfs_buf) ++ return -ENOMEM; ++ + hns3_dbg_dentry[HNS3_DBG_DENTRY_COMMON].dentry = + debugfs_create_dir(name, hns3_dbgfs_root); + handle->hnae3_dbgfs = hns3_dbg_dentry[HNS3_DBG_DENTRY_COMMON].dentry; +@@ -1175,9 +1182,9 @@ void hns3_dbg_uninit(struct hnae3_handle + u32 i; + + for (i = 0; i < ARRAY_SIZE(hns3_dbg_cmd); i++) +- if (hns3_dbg_cmd[i].buf) { +- kvfree(hns3_dbg_cmd[i].buf); +- hns3_dbg_cmd[i].buf = NULL; ++ if (handle->dbgfs_buf[i]) { ++ kvfree(handle->dbgfs_buf[i]); ++ handle->dbgfs_buf[i] = NULL; + } + + mutex_destroy(&handle->dbgfs_lock); +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h +@@ -47,7 +47,6 @@ struct hns3_dbg_cmd_info { + enum hnae3_dbg_cmd cmd; + enum hns3_dbg_dentry_type dentry; + u32 buf_len; +- char *buf; + int (*init)(struct hnae3_handle *handle, unsigned int cmd); + }; + diff --git a/queue-5.15/rtc-check-if-__rtc_read_time-was-successful.patch b/queue-5.15/rtc-check-if-__rtc_read_time-was-successful.patch new file mode 100644 index 00000000000..0c8eaea5602 --- /dev/null +++ b/queue-5.15/rtc-check-if-__rtc_read_time-was-successful.patch 
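Review bot: hns3_dbg_uninit in the hns3_debugfs.c hunk indexes handle->dbgfs_buf unconditionally, but hns3_dbg_init now has an early `return -ENOMEM` before any dentry is created, so if a caller runs uninit on that failure path (callers are not visible here) the loop dereferences a NULL array; a guard `if (!handle->dbgfs_buf) return;` ahead of the loop, or a comment stating that uninit is never called after a failed init, would settle it. Because dbgfs_buf is devm-allocated, a second hns3_dbg_init for the same pdev (if that can happen, e.g. across a reset) would retain the earlier array until device release. The new `char **dbgfs_buf;` member in hnae3.h deserves a comment naming it as the per-command read buffers owned by this handle and protected by dbgfs_lock, since that ownership is what the commit is establishing. Both hns3_dbg_init and hns3_dbg_uninit extend outside their hunks.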
@@ -0,0 +1,54 @@
+From 915593a7a663b2ad08b895a5f3ba8b19d89d4ebf Mon Sep 17 00:00:00 2001
+From: Tom Rix
+Date: Sat, 26 Mar 2022 12:42:36 -0700
+Subject: rtc: check if __rtc_read_time was successful
+
+From: Tom Rix
+
+commit 915593a7a663b2ad08b895a5f3ba8b19d89d4ebf upstream.
+
+Clang static analysis reports this issue
+interface.c:810:8: warning: Passed-by-value struct
+ argument contains uninitialized data
+ now = rtc_tm_to_ktime(tm);
+ ^~~~~~~~~~~~~~~~~~~
+
+tm is set by a successful call to __rtc_read_time()
+but its return status is not checked. Check if
+it was successful before setting the enabled flag.
+Move the decl of err to function scope.
+
+Fixes: 2b2f5ff00f63 ("rtc: interface: ignore expired timers when enqueuing new timers")
+Signed-off-by: Tom Rix
+Signed-off-by: Alexandre Belloni
+Link: https://lore.kernel.org/r/20220326194236.2916310-1-trix@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rtc/interface.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -793,9 +793,13 @@ static int rtc_timer_enqueue(struct rtc_
+ struct timerqueue_node *next = timerqueue_getnext(&rtc->timerqueue);
+ struct rtc_time tm;
+ ktime_t now;
++ int err;
++
++ err = __rtc_read_time(rtc, &tm);
++ if (err)
++ return err;
+
+ timer->enabled = 1;
+- __rtc_read_time(rtc, &tm);
+ now = rtc_tm_to_ktime(tm);
+
+ /* Skip over expired timers */
+@@ -809,7 +813,6 @@ static int rtc_timer_enqueue(struct rtc_
+ trace_rtc_timer_enqueue(timer);
+ if (!next || ktime_before(timer->node.expires, next->expires)) {
+ struct rtc_wkalrm alarm;
+- int err;
+
+ alarm.time = rtc_ktime_to_tm(timer->node.expires);
+ alarm.enabled = 1;
diff --git a/queue-5.15/rxrpc-fix-call-timer-start-racing-with-call-destruction.patch b/queue-5.15/rxrpc-fix-call-timer-start-racing-with-call-destruction.patch
new file mode 100644
index 00000000000..ede565fe068
--- /dev/null
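Review bot: In the first interface.c hunk the new early `return err;` makes rtc_timer_enqueue() fail before `timer->enabled = 1` when __rtc_read_time() fails, which is a new error source that its callers did not previously have to handle; the callers are outside the hunk, so whether they propagate a non-zero return cannot be confirmed here. A comment above the check, `/* need a valid 'now' before skipping expired timers below */`, would tie the early return to the loop that follows it and explain why the read moved ahead of the enabled flag. rtc_timer_enqueue() begins and ends outside both hunks.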
+++ b/queue-5.15/rxrpc-fix-call-timer-start-racing-with-call-destruction.patch 
@@ -0,0 +1,200 @@ +From 4a7f62f91933c8ae5308f9127fd8ea48188b6bc3 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 30 Mar 2022 15:39:16 +0100 +Subject: rxrpc: Fix call timer start racing with call destruction + +From: David Howells + +commit 4a7f62f91933c8ae5308f9127fd8ea48188b6bc3 upstream. + +The rxrpc_call struct has a timer used to handle various timed events +relating to a call. This timer can get started from the packet input +routines that are run in softirq mode with just the RCU read lock held. +Unfortunately, because only the RCU read lock is held - and neither ref or +other lock is taken - the call can start getting destroyed at the same time +a packet comes in addressed to that call. This causes the timer - which +was already stopped - to get restarted. Later, the timer dispatch code may +then oops if the timer got deallocated first. + +Fix this by trying to take a ref on the rxrpc_call struct and, if +successful, passing that ref along to the timer. If the timer was already +running, the ref is discarded. + +The timer completion routine can then pass the ref along to the call's work +item when it queues it. If the timer or work item where already +queued/running, the extra ref is discarded. 
+ +Fixes: a158bdd3247b ("rxrpc: Fix call timeouts") +Reported-by: Marc Dionne +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Tested-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: http://lists.infradead.org/pipermail/linux-afs/2022-March/005073.html +Link: https://lore.kernel.org/r/164865115696.2943015.11097991776647323586.stgit@warthog.procyon.org.uk +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/rxrpc.h | 8 +++++++- + net/rxrpc/ar-internal.h | 15 +++++++-------- + net/rxrpc/call_event.c | 2 +- + net/rxrpc/call_object.c | 40 +++++++++++++++++++++++++++++++++++----- + 4 files changed, 50 insertions(+), 15 deletions(-) + +--- a/include/trace/events/rxrpc.h ++++ b/include/trace/events/rxrpc.h +@@ -83,12 +83,15 @@ enum rxrpc_call_trace { + rxrpc_call_error, + rxrpc_call_got, + rxrpc_call_got_kernel, ++ rxrpc_call_got_timer, + rxrpc_call_got_userid, + rxrpc_call_new_client, + rxrpc_call_new_service, + rxrpc_call_put, + rxrpc_call_put_kernel, + rxrpc_call_put_noqueue, ++ rxrpc_call_put_notimer, ++ rxrpc_call_put_timer, + rxrpc_call_put_userid, + rxrpc_call_queued, + rxrpc_call_queued_ref, +@@ -278,12 +281,15 @@ enum rxrpc_tx_point { + EM(rxrpc_call_error, "*E*") \ + EM(rxrpc_call_got, "GOT") \ + EM(rxrpc_call_got_kernel, "Gke") \ ++ EM(rxrpc_call_got_timer, "GTM") \ + EM(rxrpc_call_got_userid, "Gus") \ + EM(rxrpc_call_new_client, "NWc") \ + EM(rxrpc_call_new_service, "NWs") \ + EM(rxrpc_call_put, "PUT") \ + EM(rxrpc_call_put_kernel, "Pke") \ +- EM(rxrpc_call_put_noqueue, "PNQ") \ ++ EM(rxrpc_call_put_noqueue, "PnQ") \ ++ EM(rxrpc_call_put_notimer, "PnT") \ ++ EM(rxrpc_call_put_timer, "PTM") \ + EM(rxrpc_call_put_userid, "Pus") \ + EM(rxrpc_call_queued, "QUE") \ + EM(rxrpc_call_queued_ref, "QUR") \ +--- a/net/rxrpc/ar-internal.h ++++ b/net/rxrpc/ar-internal.h +@@ -777,14 +777,12 @@ void rxrpc_propose_ACK(struct rxrpc_call + enum rxrpc_propose_ack_trace); + void rxrpc_process_call(struct work_struct *); + 
+-static inline void rxrpc_reduce_call_timer(struct rxrpc_call *call, +- unsigned long expire_at, +- unsigned long now, +- enum rxrpc_timer_trace why) +-{ +- trace_rxrpc_timer(call, why, now); +- timer_reduce(&call->timer, expire_at); +-} ++void rxrpc_reduce_call_timer(struct rxrpc_call *call, ++ unsigned long expire_at, ++ unsigned long now, ++ enum rxrpc_timer_trace why); ++ ++void rxrpc_delete_call_timer(struct rxrpc_call *call); + + /* + * call_object.c +@@ -808,6 +806,7 @@ void rxrpc_release_calls_on_socket(struc + bool __rxrpc_queue_call(struct rxrpc_call *); + bool rxrpc_queue_call(struct rxrpc_call *); + void rxrpc_see_call(struct rxrpc_call *); ++bool rxrpc_try_get_call(struct rxrpc_call *call, enum rxrpc_call_trace op); + void rxrpc_get_call(struct rxrpc_call *, enum rxrpc_call_trace); + void rxrpc_put_call(struct rxrpc_call *, enum rxrpc_call_trace); + void rxrpc_cleanup_call(struct rxrpc_call *); +--- a/net/rxrpc/call_event.c ++++ b/net/rxrpc/call_event.c +@@ -310,7 +310,7 @@ recheck_state: + } + + if (call->state == RXRPC_CALL_COMPLETE) { +- del_timer_sync(&call->timer); ++ rxrpc_delete_call_timer(call); + goto out_put; + } + +--- a/net/rxrpc/call_object.c ++++ b/net/rxrpc/call_object.c +@@ -53,10 +53,30 @@ static void rxrpc_call_timer_expired(str + + if (call->state < RXRPC_CALL_COMPLETE) { + trace_rxrpc_timer(call, rxrpc_timer_expired, jiffies); +- rxrpc_queue_call(call); ++ __rxrpc_queue_call(call); ++ } else { ++ rxrpc_put_call(call, rxrpc_call_put); ++ } ++} ++ ++void rxrpc_reduce_call_timer(struct rxrpc_call *call, ++ unsigned long expire_at, ++ unsigned long now, ++ enum rxrpc_timer_trace why) ++{ ++ if (rxrpc_try_get_call(call, rxrpc_call_got_timer)) { ++ trace_rxrpc_timer(call, why, now); ++ if (timer_reduce(&call->timer, expire_at)) ++ rxrpc_put_call(call, rxrpc_call_put_notimer); + } + } + ++void rxrpc_delete_call_timer(struct rxrpc_call *call) ++{ ++ if (del_timer_sync(&call->timer)) ++ rxrpc_put_call(call, rxrpc_call_put_timer); ++} ++ + 
static struct lock_class_key rxrpc_call_user_mutex_lock_class_key; + + /* +@@ -463,6 +483,17 @@ void rxrpc_see_call(struct rxrpc_call *c + } + } + ++bool rxrpc_try_get_call(struct rxrpc_call *call, enum rxrpc_call_trace op) ++{ ++ const void *here = __builtin_return_address(0); ++ int n = atomic_fetch_add_unless(&call->usage, 1, 0); ++ ++ if (n == 0) ++ return false; ++ trace_rxrpc_call(call->debug_id, op, n, here, NULL); ++ return true; ++} ++ + /* + * Note the addition of a ref on a call. + */ +@@ -510,8 +541,7 @@ void rxrpc_release_call(struct rxrpc_soc + spin_unlock_bh(&call->lock); + + rxrpc_put_call_slot(call); +- +- del_timer_sync(&call->timer); ++ rxrpc_delete_call_timer(call); + + /* Make sure we don't get any more notifications */ + write_lock_bh(&rx->recvmsg_lock); +@@ -618,6 +648,8 @@ static void rxrpc_destroy_call(struct wo + struct rxrpc_call *call = container_of(work, struct rxrpc_call, processor); + struct rxrpc_net *rxnet = call->rxnet; + ++ rxrpc_delete_call_timer(call); ++ + rxrpc_put_connection(call->conn); + rxrpc_put_peer(call->peer); + kfree(call->rxtx_buffer); +@@ -652,8 +684,6 @@ void rxrpc_cleanup_call(struct rxrpc_cal + + memset(&call->sock_node, 0xcd, sizeof(call->sock_node)); + +- del_timer_sync(&call->timer); +- + ASSERTCMP(call->state, ==, RXRPC_CALL_COMPLETE); + ASSERT(test_bit(RXRPC_CALL_RELEASED, &call->flags)); + diff --git a/queue-5.15/rxrpc-fix-some-null-ptr-deref-bugs-in-server_key.c.patch b/queue-5.15/rxrpc-fix-some-null-ptr-deref-bugs-in-server_key.c.patch new file mode 100644 index 00000000000..1121e33f6fd --- /dev/null +++ b/queue-5.15/rxrpc-fix-some-null-ptr-deref-bugs-in-server_key.c.patch 
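Review bot: rxrpc_try_get_call and the ref handoff around the call timer in the call_object.c hunk carry no comments, and the scheme only works if each holder drops the ref at the right point: rxrpc_reduce_call_timer puts it when timer_reduce() reports the timer was already pending, rxrpc_call_timer_expired hands it to __rxrpc_queue_call() while the call is live and otherwise puts it, and rxrpc_delete_call_timer puts it when del_timer_sync() removed a pending timer. Whether __rxrpc_queue_call() discards the ref itself when the work item was already queued is not visible in the hunk; the commit message says it does, so a comment on the `__rxrpc_queue_call(call);` line, `/* timer's ref passes to the work item; __rxrpc_queue_call drops it if already queued */`, would make that reliance explicit. A one-line kernel-doc for rxrpc_try_get_call stating that it takes a ref unless the usage count is already zero and returns false when the call is being destroyed is likewise missing. Note also that the rxrpc.h hunk renames the trace string "PNQ" to "PnQ" for rxrpc_call_put_noqueue, a trace-output change unrelated to the fix that a stable backport may not want.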
@@ -0,0 +1,87 @@ +From ff8376ade4f668130385839cef586a0990f8ef87 Mon Sep 17 00:00:00 2001 +From: Xiaolong Huang +Date: Wed, 30 Mar 2022 15:22:14 +0100 +Subject: rxrpc: fix some null-ptr-deref bugs in server_key.c + +From: Xiaolong Huang + +commit ff8376ade4f668130385839cef586a0990f8ef87 upstream. + +Some function calls are not implemented in rxrpc_no_security, there are +preparse_server_key, free_preparse_server_key and destroy_server_key. +When rxrpc security type is rxrpc_no_security, user can easily trigger a +null-ptr-deref bug via ioctl. So judgment should be added to prevent it + +The crash log: +user@syzkaller:~$ ./rxrpc_preparse_s +[ 37.956878][T15626] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 37.957645][T15626] #PF: supervisor instruction fetch in kernel mode +[ 37.958229][T15626] #PF: error_code(0x0010) - not-present page +[ 37.958762][T15626] PGD 4aadf067 P4D 4aadf067 PUD 4aade067 PMD 0 +[ 37.959321][T15626] Oops: 0010 [#1] PREEMPT SMP +[ 37.959739][T15626] CPU: 0 PID: 15626 Comm: rxrpc_preparse_ Not tainted 5.17.0-01442-gb47d5a4f6b8d #43 +[ 37.960588][T15626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 +[ 37.961474][T15626] RIP: 0010:0x0 +[ 37.961787][T15626] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. 
+[ 37.962480][T15626] RSP: 0018:ffffc9000d9abdc0 EFLAGS: 00010286 +[ 37.963018][T15626] RAX: ffffffff84335200 RBX: ffff888012a1ce80 RCX: 0000000000000000 +[ 37.963727][T15626] RDX: 0000000000000000 RSI: ffffffff84a736dc RDI: ffffc9000d9abe48 +[ 37.964425][T15626] RBP: ffffc9000d9abe48 R08: 0000000000000000 R09: 0000000000000002 +[ 37.965118][T15626] R10: 000000000000000a R11: f000000000000000 R12: ffff888013145680 +[ 37.965836][T15626] R13: 0000000000000000 R14: ffffffffffffffec R15: ffff8880432aba80 +[ 37.966441][T15626] FS: 00007f2177907700(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 +[ 37.966979][T15626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 37.967384][T15626] CR2: ffffffffffffffd6 CR3: 000000004aaf1000 CR4: 00000000000006f0 +[ 37.967864][T15626] Call Trace: +[ 37.968062][T15626] +[ 37.968240][T15626] rxrpc_preparse_s+0x59/0x90 +[ 37.968541][T15626] key_create_or_update+0x174/0x510 +[ 37.968863][T15626] __x64_sys_add_key+0x139/0x1d0 +[ 37.969165][T15626] do_syscall_64+0x35/0xb0 +[ 37.969451][T15626] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 37.969824][T15626] RIP: 0033:0x43a1f9 + +Signed-off-by: Xiaolong Huang +Tested-by: Xiaolong Huang +Signed-off-by: David Howells +Acked-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: http://lists.infradead.org/pipermail/linux-afs/2022-March/005069.html +Fixes: 12da59fcab5a ("rxrpc: Hand server key parsing off to the security class") +Link: https://lore.kernel.org/r/164865013439.2941502.8966285221215590921.stgit@warthog.procyon.org.uk +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/server_key.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/rxrpc/server_key.c ++++ b/net/rxrpc/server_key.c +@@ -84,6 +84,9 @@ static int rxrpc_preparse_s(struct key_p + + prep->payload.data[1] = (struct rxrpc_security *)sec; + ++ if (!sec->preparse_server_key) ++ return -EINVAL; ++ + return sec->preparse_server_key(prep); + } + +@@ -91,7 +94,7 @@ 
static void rxrpc_free_preparse_s(struct + { + const struct rxrpc_security *sec = prep->payload.data[1]; + +- if (sec) ++ if (sec && sec->free_preparse_server_key) + sec->free_preparse_server_key(prep); + } + +@@ -99,7 +102,7 @@ static void rxrpc_destroy_s(struct key * + { + const struct rxrpc_security *sec = key->payload.data[1]; + +- if (sec) ++ if (sec && sec->destroy_server_key) + sec->destroy_server_key(key); + } + diff --git a/queue-5.15/series b/queue-5.15/series index 931fdfd2d98..b6c271207e2 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -835,3 +835,12 @@ can-mcba_usb-properly-check-endpoint-type.patch can-mcp251xfd-mcp251xfd_register_get_dev_id-fix-return-of-error-value.patch xarray-update-the-lru-list-in-xas_split.patch modpost-restore-the-warning-message-for-missing-symbol-versions.patch +rtc-check-if-__rtc_read_time-was-successful.patch +gfs2-gfs2_setattr_size-error-path-fix.patch +gfs2-make-sure-fitrim-minlen-is-rounded-up-to-fs-block-size.patch +net-hns3-fix-the-concurrency-between-functions-reading-debugfs.patch +net-hns3-fix-software-vlan-talbe-of-vlan-0-inconsistent-with-hardware.patch +rxrpc-fix-some-null-ptr-deref-bugs-in-server_key.c.patch +rxrpc-fix-call-timer-start-racing-with-call-destruction.patch +mailbox-imx-fix-wakeup-failure-from-freeze-mode.patch +crypto-arm-aes-neonbs-cbc-select-generic-cbc-and-aes.patch
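Review bot: In the server_key.c hunk the new `if (!sec->preparse_server_key) return -EINVAL;` sits after sec has already been stored in prep->payload.data[1], so the error path stays safe only because rxrpc_free_preparse_s also gained a NULL check for its hook; moving the two check lines above the assignment would let rxrpc_preparse_s reject an unusable security class before recording it and remove that coupling. The trace in the message shows this path is reachable from userspace through add_key(), so a comment such as `/* rxrpc_no_security implements none of the server-key hooks */` next to the checks would help keep them when the ops table changes. Any other rxrpc_security hooks called from this file are outside the hunks and may warrant the same guard. rxrpc_preparse_s() begins outside its hunk.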