From: Sasha Levin Date: Sun, 13 Feb 2022 05:47:38 +0000 (-0500) Subject: Fixes for 4.9 X-Git-Tag: v4.9.302~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f7f9bc92cb95630fa36edbeadff8e0d0084516f;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/arm-dts-imx6qdl-udoo-properly-describe-the-sd-card-d.patch b/queue-4.9/arm-dts-imx6qdl-udoo-properly-describe-the-sd-card-d.patch
new file mode 100644
index 00000000000..dba7d81a8b6
--- /dev/null
+++ b/queue-4.9/arm-dts-imx6qdl-udoo-properly-describe-the-sd-card-d.patch
@@ -0,0 +1,54 @@
+From 4523c9214ef0e141fc86a8bd82d32a4e4ec36d7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 19 Dec 2021 19:42:15 -0300
+Subject: ARM: dts: imx6qdl-udoo: Properly describe the SD card detect
+
+From: Fabio Estevam
+
+[ Upstream commit 993d66140f8d1c1853a3b58b77b43b681eb64dee ]
+
+GPIO7_IO00 is used as SD card detect.
+
+Properly describe this in the devicetree.
+
+Fixes: 40cdaa542cf0 ("ARM: dts: imx6q-udoo: Add initial board support")
+Signed-off-by: Fabio Estevam
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6qdl-udoo.dtsi | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6qdl-udoo.dtsi b/arch/arm/boot/dts/imx6qdl-udoo.dtsi
+index fc4ae2e423bd7..b0fdcae66ead3 100644
+--- a/arch/arm/boot/dts/imx6qdl-udoo.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-udoo.dtsi
+@@ -9,6 +9,8 @@
+ *
+ */
+
++#include
++
+ / {
+ aliases {
+ backlight = &backlight;
+@@ -201,6 +203,7 @@ MX6QDL_PAD_SD3_DAT0__SD3_DATA0 0x17059
+ MX6QDL_PAD_SD3_DAT1__SD3_DATA1 0x17059
+ MX6QDL_PAD_SD3_DAT2__SD3_DATA2 0x17059
+ MX6QDL_PAD_SD3_DAT3__SD3_DATA3 0x17059
++ MX6QDL_PAD_SD3_DAT5__GPIO7_IO00 0x1b0b0
+ >;
+ };
+
+@@ -267,7 +270,7 @@ &usbh1 {
+ &usdhc3 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_usdhc3>;
+- non-removable;
++ cd-gpios = <&gpio7 0 GPIO_ACTIVE_LOW>;
+ status = "okay";
+ };
+
+-- 
+2.34.1
+
diff --git a/queue-4.9/bonding-pair-enable_port-with-slave_arr_updates.patch b/queue-4.9/bonding-pair-enable_port-with-slave_arr_updates.patch
new file mode 100644
index 00000000000..c10c0ec44cc
--- /dev/null
+++ b/queue-4.9/bonding-pair-enable_port-with-slave_arr_updates.patch
@@ -0,0 +1,55 @@
+From ed530e36e017ea372d6284b78f80c0a802bbbf13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Feb 2022 14:29:01 -0800
+Subject: bonding: pair enable_port with slave_arr_updates
+
+From: Mahesh Bandewar
+
+[ Upstream commit 23de0d7b6f0e3f9a6283a882594c479949da1120 ]
+
+When 803.2ad mode enables a participating port, it should update
+the slave-array. I have observed that the member links are participating
+and are part of the active aggregator while the traffic is egressing via
+only one member link (in a case where two links are participating). Via
+kprobes I discovered that slave-arr has only one link added while
+the other participating link wasn't part of the slave-arr.
+
+I couldn't see what caused that situation but the simple code-walk
+through provided me hints that the enable_port wasn't always associated
+with the slave-array update.
+
+Fixes: ee6377147409 ("bonding: Simplify the xmit function for modes that use xmit_hash")
+Signed-off-by: Mahesh Bandewar
+Acked-by: Jay Vosburgh
+Link: https://lore.kernel.org/r/20220207222901.1795287-1-maheshb@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_3ad.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
+index 1e2ee97b92406..578d8e12e2d21 100644
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -971,8 +971,8 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
+ if (port->aggregator &&
+ port->aggregator->is_active &&
+ !__port_is_enabled(port)) {
+-
+ __enable_port(port);
++ *update_slave_arr = true;
+ }
+ }
+ break;
+@@ -1724,6 +1724,7 @@ static void ad_agg_selection_logic(struct aggregator *agg,
+ port = port->next_port_in_aggregator) {
+ __enable_port(port);
+ }
++ *update_slave_arr = true;
+ }
+ }
+
+-- 
+2.34.1
+
diff --git a/queue-4.9/ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch b/queue-4.9/ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch
new file mode 100644
index 00000000000..eeb2dbd1556
--- /dev/null
+++ b/queue-4.9/ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch
@@ -0,0 +1,101 @@
+From bde780f4f4e77c24b9292420707f0bbd66d0640c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Feb 2022 21:34:51 -0800
+Subject: ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on
+ failure path
+
+From: Eric Dumazet
+
+[ Upstream commit 5611a00697c8ecc5aad04392bea629e9d6a20463 ]
+
+ip[6]mr_free_table() can only be called under RTNL lock.
+
+RTNL: assertion failed at net/core/dev.c (10367)
+WARNING: CPU: 1 PID: 5890 at net/core/dev.c:10367 unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367
+Modules linked in:
+CPU: 1 PID: 5890 Comm: syz-executor.2 Not tainted 5.16.0-syzkaller-11627-g422ee58dc0ef #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367
+Code: 0f 85 9b ee ff ff e8 69 07 4b fa ba 7f 28 00 00 48 c7 c6 00 90 ae 8a 48 c7 c7 40 90 ae 8a c6 05 6d b1 51 06 01 e8 8c 90 d8 01 <0f> 0b e9 70 ee ff ff e8 3e 07 4b fa 4c 89 e7 e8 86 2a 59 fa e9 ee
+RSP: 0018:ffffc900046ff6e0 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: ffff888050f51d00 RSI: ffffffff815fa008 RDI: fffff520008dfece
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: ffffffff815f3d6e R11: 0000000000000000 R12: 00000000fffffff4
+R13: dffffc0000000000 R14: ffffc900046ff750 R15: ffff88807b7dc000
+FS: 00007f4ab736e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fee0b4f8990 CR3: 000000001e7d2000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+ mroute_clean_tables+0x244/0xb40 net/ipv6/ip6mr.c:1509
+ ip6mr_free_table net/ipv6/ip6mr.c:389 [inline]
+ ip6mr_rules_init net/ipv6/ip6mr.c:246 [inline]
+ ip6mr_net_init net/ipv6/ip6mr.c:1306 [inline]
+ ip6mr_net_init+0x3f0/0x4e0 net/ipv6/ip6mr.c:1298
+ ops_init+0xaf/0x470 net/core/net_namespace.c:140
+ setup_net+0x54f/0xbb0 net/core/net_namespace.c:331
+ copy_net_ns+0x318/0x760 net/core/net_namespace.c:475
+ create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
+ copy_namespaces+0x391/0x450 kernel/nsproxy.c:178
+ copy_process+0x2e0c/0x7300 kernel/fork.c:2167
+ kernel_clone+0xe7/0xab0 kernel/fork.c:2555
+ __do_sys_clone+0xc8/0x110 kernel/fork.c:2672
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f4ab89f9059
+Code: Unable to access opcode bytes at RIP 0x7f4ab89f902f.
+RSP: 002b:00007f4ab736e118 EFLAGS: 00000206 ORIG_RAX: 0000000000000038
+RAX: ffffffffffffffda RBX: 00007f4ab8b0bf60 RCX: 00007f4ab89f9059
+RDX: 0000000020000280 RSI: 0000000020000270 RDI: 0000000040200000
+RBP: 00007f4ab8a5308d R08: 0000000020000300 R09: 0000000020000300
+R10: 00000000200002c0 R11: 0000000000000206 R12: 0000000000000000
+R13: 00007ffc3977cc1f R14: 00007f4ab736e300 R15: 0000000000022000
+
+
+Fixes: f243e5a7859a ("ipmr,ip6mr: call ip6mr_free_table() on failure path")
+Signed-off-by: Eric Dumazet
+Cc: Cong Wang
+Reported-by: syzbot
+Link: https://lore.kernel.org/r/20220208053451.2885398-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ipmr.c | 2 ++
+ net/ipv6/ip6mr.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index 354926e61f067..58c0ab8894c70 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -242,7 +242,9 @@ static int __net_init ipmr_rules_init(struct net *net)
+ return 0;
+
+ err2:
++ rtnl_lock();
+ ipmr_free_table(mrt);
++ rtnl_unlock();
+ err1:
+ fib_rules_unregister(ops);
+ return err;
+diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
+index f38b22f54c093..3dce62ec37ed4 100644
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -251,7 +251,9 @@ static int __net_init ip6mr_rules_init(struct net *net)
+ return 0;
+
+ err2:
++ rtnl_lock();
+ ip6mr_free_table(mrt);
++ rtnl_unlock();
+ err1:
+ fib_rules_unregister(ops);
+ return err;
+-- 
+2.34.1
+
diff --git a/queue-4.9/net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch b/queue-4.9/net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch
new file mode 100644
index 00000000000..604976155d9
--- /dev/null
+++ b/queue-4.9/net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch
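Review bot: The `rtnl_lock()`/`rtnl_unlock()` pairs added at `err2:` in ipmr_rules_init() and ip6mr_rules_init() encode a locking contract that nothing in the code states or checks: per the trace in the description, ip[6]mr_free_table() reaches unregister_netdevice_many(), which asserts RTNL. I would add a short comment at both sites, e.g. `/* ipmr_free_table() unregisters devices and must run under RTNL */`, and consider an `ASSERT_RTNL();` at the top of both free_table helpers so a future caller that forgets the lock warns at the helper rather than deep in net/core/dev.c. Both functions begin and end outside these hunks, so whether any other caller already holds RTNL cannot be seen here and should be confirmed before adding the assertion.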
@@ -0,0 +1,65 @@
+From ff0ce481d7afc00d984aed052b9360b4b30a40c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Feb 2022 18:13:18 +0100
+Subject: net: do not keep the dst cache when uncloning an skb dst and its
+ metadata
+
+From: Antoine Tenart
+
+[ Upstream commit cfc56f85e72f5b9c5c5be26dc2b16518d36a7868 ]
+
+When uncloning an skb dst and its associated metadata a new dst+metadata
+is allocated and the tunnel information from the old metadata is copied
+over there.
+
+The issue is the tunnel metadata has references to cached dst, which are
+copied along the way. When a dst+metadata refcount drops to 0 the
+metadata is freed including the cached dst entries. As they are also
+referenced in the initial dst+metadata, this ends up in UaFs.
+
+In practice the above did not happen because of another issue, the
+dst+metadata was never freed because its refcount never dropped to 0
+(this will be fixed in a subsequent patch).
+
+Fix this by initializing the dst cache after copying the tunnel
+information from the old metadata to also unshare the dst cache.
+
+Fixes: d71785ffc7e7 ("net: add dst_cache to ovs vxlan lwtunnel")
+Cc: Paolo Abeni
+Reported-by: Vlad Buslov
+Tested-by: Vlad Buslov
+Signed-off-by: Antoine Tenart
+Acked-by: Paolo Abeni
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/dst_metadata.h | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/include/net/dst_metadata.h b/include/net/dst_metadata.h
+index 5a23535a5018d..33ca53057f318 100644
+--- a/include/net/dst_metadata.h
++++ b/include/net/dst_metadata.h
+@@ -97,6 +97,19 @@ static inline struct metadata_dst *tun_dst_unclone(struct sk_buff *skb)
+
+ memcpy(&new_md->u.tun_info, &md_dst->u.tun_info,
+ sizeof(struct ip_tunnel_info) + md_size);
++#ifdef CONFIG_DST_CACHE
++ /* Unclone the dst cache if there is one */
++ if (new_md->u.tun_info.dst_cache.cache) {
++ int ret;
++
++ ret = dst_cache_init(&new_md->u.tun_info.dst_cache, GFP_ATOMIC);
++ if (ret) {
++ metadata_dst_free(new_md);
++ return ERR_PTR(ret);
++ }
++ }
++#endif
++
+ skb_dst_drop(skb);
+ dst_hold(&new_md->dst);
+ skb_dst_set(skb, &new_md->dst);
+-- 
+2.34.1
+
diff --git a/queue-4.9/net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch b/queue-4.9/net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch
new file mode 100644
index 00000000000..d49f63e94e6
--- /dev/null
+++ b/queue-4.9/net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch
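Review bot: The new failure branch in tun_dst_unclone() calls `metadata_dst_free(new_md)` on an object whose `u.tun_info.dst_cache.cache` was, immediately after the `memcpy()`, the pointer copied from `md_dst`; the branch is only safe if dst_cache_init() has already replaced that pointer (leaving it NULL when its allocation fails) before the free runs. Neither helper's body is visible in this hunk, so I would confirm that against the 4.9 tree and record it above the free, e.g. `/* dst_cache_init() overwrote the copied .cache; it is NULL on failure, so this cannot release md_dst's cache */`. If that assumption did not hold, the error path would bring back the shared-cache free this patch is meant to remove. The function starts and ends outside the hunk, so whether every caller checks `IS_ERR()` on the added `ERR_PTR(ret)` return also cannot be seen here.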
@@ -0,0 +1,49 @@
+From 3b5e08d1761978ba8e8fe6bdae407f1640be7ebd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Feb 2022 18:13:19 +0100
+Subject: net: fix a memleak when uncloning an skb dst and its metadata
+
+From: Antoine Tenart
+
+[ Upstream commit 9eeabdf17fa0ab75381045c867c370f4cc75a613 ]
+
+When uncloning an skb dst and its associated metadata, a new
+dst+metadata is allocated and later replaces the old one in the skb.
+This is helpful to have a non-shared dst+metadata attached to a specific
+skb.
+
+The issue is the uncloned dst+metadata is initialized with a refcount of
+1, which is increased to 2 before attaching it to the skb. When
+tun_dst_unclone returns, the dst+metadata is only referenced from a
+single place (the skb) while its refcount is 2. Its refcount will never
+drop to 0 (when the skb is consumed), leading to a memory leak.
+
+Fix this by removing the call to dst_hold in tun_dst_unclone, as the
+dst+metadata refcount is already 1.
+
+Fixes: fc4099f17240 ("openvswitch: Fix egress tunnel info.")
+Cc: Pravin B Shelar
+Reported-by: Vlad Buslov
+Tested-by: Vlad Buslov
+Signed-off-by: Antoine Tenart
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/dst_metadata.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/include/net/dst_metadata.h b/include/net/dst_metadata.h
+index 33ca53057f318..6a6f1d3bf8538 100644
+--- a/include/net/dst_metadata.h
++++ b/include/net/dst_metadata.h
+@@ -111,7 +111,6 @@ static inline struct metadata_dst *tun_dst_unclone(struct sk_buff *skb)
+ #endif
+
+ skb_dst_drop(skb);
+- dst_hold(&new_md->dst);
+ skb_dst_set(skb, &new_md->dst);
+ return new_md;
+ }
+-- 
+2.34.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 633ba15defa..964b4dfd19f 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -12,3 +12,10 @@ nfsv4-remove-zero-number-of-fs_locations-entries-err.patch
 scsi-target-iscsi-make-sure-the-np-under-each-tpg-is.patch
 usb-dwc2-gadget-don-t-try-to-disable-ep0-in-dwc2_hso.patch
 arm-dts-imx23-evk-remove-mx23_pad_ssp1_detect-from-hog-group.patch
+staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch
+arm-dts-imx6qdl-udoo-properly-describe-the-sd-card-d.patch
+bonding-pair-enable_port-with-slave_arr_updates.patch
+ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch
+net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch
+net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch
+tipc-rate-limit-warning-for-received-illegal-binding.patch
diff --git a/queue-4.9/staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch b/queue-4.9/staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch
new file mode 100644
index 00000000000..375370018e6
--- /dev/null
+++ b/queue-4.9/staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch
@@ -0,0 +1,43 @@
+From 8b85788f54210c79ca4b2061826c5c317a61b9bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jan 2022 19:13:37 +0100
+Subject: staging: fbtft: Fix error path in fbtft_driver_module_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+[ Upstream commit 426aca16e903b387a0b0001d62207a745c67cfd3 ]
+
+If registering the platform driver fails, the function must not return
+without undoing the spi driver registration first.
+
+Fixes: c296d5f9957c ("staging: fbtft: core support")
+Signed-off-by: Uwe Kleine-König
+Link: https://lore.kernel.org/r/20220118181338.207943-1-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/fbtft/fbtft.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/fbtft/fbtft.h b/drivers/staging/fbtft/fbtft.h
+index 0275319906748..a76723a4219a6 100644
+--- a/drivers/staging/fbtft/fbtft.h
++++ b/drivers/staging/fbtft/fbtft.h
+@@ -343,7 +343,10 @@ static int __init fbtft_driver_module_init(void) \
+ ret = spi_register_driver(&fbtft_driver_spi_driver); \
+ if (ret < 0) \
+ return ret; \
+- return platform_driver_register(&fbtft_driver_platform_driver); \
++ ret = platform_driver_register(&fbtft_driver_platform_driver); \
++ if (ret < 0) \
++ spi_unregister_driver(&fbtft_driver_spi_driver); \
++ return ret; \
+ } \
+ \
+ static void __exit fbtft_driver_module_exit(void) \
+-- 
+2.34.1
+
diff --git a/queue-4.9/tipc-rate-limit-warning-for-received-illegal-binding.patch b/queue-4.9/tipc-rate-limit-warning-for-received-illegal-binding.patch
new file mode 100644
index 00000000000..7403274962e
--- /dev/null
+++ b/queue-4.9/tipc-rate-limit-warning-for-received-illegal-binding.patch
@@ -0,0 +1,38 @@
+From 9dfe115d56a38c4105f327b0a828680fd08e56f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Feb 2022 22:22:37 -0500
+Subject: tipc: rate limit warning for received illegal binding update
+
+From: Jon Maloy
+
+[ Upstream commit c7223d687758462826a20e9735305d55bb874c70 ]
+
+It would be easy to craft a message containing an illegal binding table
+update operation. This is handled correctly by the code, but the
+corresponding warning printout is not rate limited as is should be.
+We fix this now.
+
+Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
+Signed-off-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/tipc/name_distr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
+index 7ebcaff8c1c4f..963f607b34999 100644
+--- a/net/tipc/name_distr.c
++++ b/net/tipc/name_distr.c
+@@ -288,7 +288,7 @@ static bool tipc_update_nametbl(struct net *net, struct distr_item *i,
+ return true;
+ }
+ } else {
+- pr_warn("Unrecognized name table message received\n");
++ pr_warn_ratelimited("Unknown name table message received\n");
+ }
+ return false;
+ }
+-- 
+2.34.1
+
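Review bot: The replacement line in tipc_update_nametbl() rewords the message from "Unrecognized name table message received" to "Unknown name table message received" as well as rate limiting it, and the description mentions only the rate limit; log-monitoring rules that match the old string would silently stop firing after this stable update. Unless the rewording is intended, keep the text and change only the macro: `pr_warn_ratelimited("Unrecognized name table message received\n");`. The warning also carries nothing that identifies the sender, which would help triage given that the description says such a message is easy to craft; the parameter list continues past the hunk header, so which identifier is available at this point cannot be seen here.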