From: Sasha Levin
Date: Mon, 28 Sep 2020 04:17:07 +0000 (-0400)
Subject: Fixes for 4.9
X-Git-Tag: v4.4.238~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45addf3a8e59fe934a44edd914a404c99831e667;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.9
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/alsa-asihpi-fix-iounmap-in-error-handler.patch b/queue-4.9/alsa-asihpi-fix-iounmap-in-error-handler.patch
new file mode 100644
index 00000000000..9db11c75d8a
--- /dev/null
+++ b/queue-4.9/alsa-asihpi-fix-iounmap-in-error-handler.patch
@@ -0,0 +1,59 @@
+From ef6b1ce2b7ef239c36b3eef0423e4bbb709c1b4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 13 Sep 2020 09:52:30 -0700
+Subject: ALSA: asihpi: fix iounmap in error handler
+
+From: Tom Rix
+
+[ Upstream commit 472eb39103e885f302fd8fd6eff104fcf5503f1b ]
+
+clang static analysis flags this problem
+hpioctl.c:513:7: warning: Branch condition evaluates to
+ a garbage value
+ if (pci.ap_mem_base[idx]) {
+ ^~~~~~~~~~~~~~~~~~~~
+
+If there is a failure in the middle of the memory space loop,
+only some of the memory spaces need to be cleaned up.
+
+At the error handler, idx holds the number of successful
+memory spaces mapped. So rework the handler loop to use the
+old idx.
+
+There is a second problem, the memory space loop conditionally
+iomaps()/sets the mem_base so it is necessay to initize pci.
+
+Fixes: 719f82d3987a ("ALSA: Add support of AudioScience ASI boards")
+Signed-off-by: Tom Rix
+Link: https://lore.kernel.org/r/20200913165230.17166-1-trix@redhat.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/asihpi/hpioctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
+index 3ef9af53ef497..0d5ff00cdabca 100644
+--- a/sound/pci/asihpi/hpioctl.c
++++ b/sound/pci/asihpi/hpioctl.c
+@@ -346,7 +346,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
+ struct hpi_message hm;
+ struct hpi_response hr;
+ struct hpi_adapter adapter;
+- struct hpi_pci pci;
++ struct hpi_pci pci = { 0 };
+
+ memset(&adapter, 0, sizeof(adapter));
+
+@@ -502,7 +502,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
+ return 0;
+
+ err:
+- for (idx = 0; idx < HPI_MAX_ADAPTER_MEM_SPACES; idx++) {
++ while (--idx >= 0) {
+ if (pci.ap_mem_base[idx]) {
+ iounmap(pci.ap_mem_base[idx]);
+ pci.ap_mem_base[idx] = NULL;
+--
+2.25.1
+
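Review bot: In asihpi_adapter_probe() (sound/pci/asihpi/hpioctl.c) the new unwind loop `while (--idx >= 0)` is only correct if `idx` is a signed integer and still holds the number of memory spaces walked at every `goto err` site; neither the declaration nor the jump sites are inside these hunks, because the function starts and ends outside them. With an unsigned `idx` the condition could never become false and the loop would index `pci.ap_mem_base[]` out of bounds, so the invariant deserves a comment at the label, for example `/* idx (signed) = memory spaces visited so far; unmap only those, in reverse */`. The `= { 0 }` initialiser is what makes the `if (pci.ap_mem_base[idx])` test safe for memory spaces the mapping loop skipped, and that is worth a short comment next to the declaration as well.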
diff --git a/queue-4.9/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch b/queue-4.9/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch
new file mode 100644
index 00000000000..bbeb9a22b79
--- /dev/null
+++ b/queue-4.9/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch
@@ -0,0 +1,36 @@
+From 7a8e51bb64d215941b65d469d39d76de6645a150 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 10:51:03 +0800
+Subject: atm: eni: fix the missed pci_disable_device() for eni_init_one()
+
+From: Jing Xiangfeng
+
+[ Upstream commit c2b947879ca320ac5505c6c29a731ff17da5e805 ]
+
+eni_init_one() misses to call pci_disable_device() in an error path.
+Jump to err_disable to fix it.
+
+Fixes: ede58ef28e10 ("atm: remove deprecated use of pci api")
+Signed-off-by: Jing Xiangfeng
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/atm/eni.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
+index 88819409e0beb..9d16743c49178 100644
+--- a/drivers/atm/eni.c
++++ b/drivers/atm/eni.c
+@@ -2243,7 +2243,7 @@ static int eni_init_one(struct pci_dev *pci_dev,
+
+ rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32));
+ if (rc < 0)
+- goto out;
++ goto err_disable;
+
+ rc = -ENOMEM;
+ eni_dev = kmalloc(sizeof(struct eni_dev), GFP_KERNEL);
+--
+2.25.1
+
diff --git a/queue-4.9/batman-adv-add-missing-include-for-in_interrupt.patch b/queue-4.9/batman-adv-add-missing-include-for-in_interrupt.patch
new file mode 100644
index 00000000000..c6d22183478
--- /dev/null
+++ b/queue-4.9/batman-adv-add-missing-include-for-in_interrupt.patch
@@ -0,0 +1,37 @@
+From 8aa1fafdce8e961f83a148a1d86c4eb6f7662b90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Sep 2020 13:58:16 +0200
+Subject: batman-adv: Add missing include for in_interrupt()
+
+From: Sven Eckelmann
+
+[ Upstream commit 4bba9dab86b6ac15ca560ef1f2b5aa4529cbf784 ]
+
+The fix for receiving (internally generated) bla packets outside the
+interrupt context introduced the usage of in_interrupt(). But this
+functionality is only defined in linux/preempt.h which was not included
+with the same patch.
+
+Fixes: 279e89b2281a ("batman-adv: bla: use netif_rx_ni when not in interrupt context")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+---
+ net/batman-adv/bridge_loop_avoidance.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index f8b117acb9443..f24b1cee4993f 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -36,6 +36,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+--
+2.25.1
+
diff --git a/queue-4.9/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch b/queue-4.9/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch
new file mode 100644
index 00000000000..49c64ad2985
--- /dev/null
+++ b/queue-4.9/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch
@@ -0,0 +1,54 @@
+From c779985a2e935e43b8c6cc3d7b2b373e84dd1942 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Aug 2020 17:34:48 +0200
+Subject: batman-adv: bla: fix type misuse for backbone_gw hash indexing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing
+
+[ Upstream commit 097930e85f90f252c44dc0d084598265dd44ca48 ]
+
+It seems that due to a copy & paste error the void pointer
+in batadv_choose_backbone_gw() is cast to the wrong type.
+
+Fixing this by using "struct batadv_bla_backbone_gw" instead of "struct
+batadv_bla_claim" which better matches the caller's side.
+
+For now it seems that we were lucky because the two structs both have
+their orig/vid and addr/vid in the beginning. However I stumbled over
+this issue when I was trying to add some debug variables in front of
+"orig" in batadv_backbone_gw, which caused hash lookups to fail.
+
+Fixes: 07568d0369f9 ("batman-adv: don't rely on positions in struct for hashing")
+Signed-off-by: Linus Lüssing
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Sasha Levin
+---
+ net/batman-adv/bridge_loop_avoidance.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index e545b42ab0b98..f8b117acb9443 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -95,11 +95,12 @@ static inline u32 batadv_choose_claim(const void *data, u32 size)
+ */
+ static inline u32 batadv_choose_backbone_gw(const void *data, u32 size)
+ {
+- const struct batadv_bla_claim *claim = (struct batadv_bla_claim *)data;
++ const struct batadv_bla_backbone_gw *gw;
+ u32 hash = 0;
+
+- hash = jhash(&claim->addr, sizeof(claim->addr), hash);
+- hash = jhash(&claim->vid, sizeof(claim->vid), hash);
++ gw = (struct batadv_bla_backbone_gw *)data;
++ hash = jhash(&gw->orig, sizeof(gw->orig), hash);
++ hash = jhash(&gw->vid, sizeof(gw->vid), hash);
+
+ return hash % size;
+ }
+--
+2.25.1
+
diff --git a/queue-4.9/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch b/queue-4.9/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch
new file mode 100644
index 00000000000..41b797bb56d
--- /dev/null
+++ b/queue-4.9/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch
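Review bot: In batadv_choose_backbone_gw() (net/batman-adv/bridge_loop_avoidance.c) the new assignment `gw = (struct batadv_bla_backbone_gw *)data;` casts the `const void *` argument to a non-const pointer type before storing it in a const pointer; the cast is unnecessary in C and is the same construct that hid the type mix-up this patch repairs. `const struct batadv_bla_backbone_gw *gw = data;` keeps the qualifier and states the type once, in the declaration. Because the hash worked before only through a coincidence of struct layout, a one-line comment such as `/* hash exactly the fields the matching compare function checks: orig, vid */` would document the coupling; whichever compare function is paired with this hash is outside the hunk.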
@@ -0,0 +1,172 @@
+From 142cef2d99013091e4cb594736ad0d9d6dca2a17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Sep 2020 09:54:09 +0200
+Subject: batman-adv: mcast: fix duplicate mcast packets in BLA backbone from
+ mesh
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing
+
+[ Upstream commit 74c09b7275126da1b642b90c9cdc3ae8b729ad4b ]
+
+Scenario:
+* Multicast frame send from mesh to a BLA backbone (multiple nodes
+ with their bat0 bridged together, with BLA enabled)
+
+Issue:
+* BLA backbone nodes receive the frame multiple times on bat0,
+ once from mesh->bat0 and once from each backbone_gw from LAN
+
+For unicast, a node will send only to the best backbone gateway
+according to the TQ. However for multicast we currently cannot determine
+if multiple destination nodes share the same backbone if they don't share
+the same backbone with us. So we need to keep sending the unicasts to
+all backbone gateways and let the backbone gateways decide which one
+will forward the frame. We can use the CLAIM mechanism to make this
+decision.
+
+One catch: The batman-adv gateway feature for DHCP packets potentially
+sends multicast packets in the same batman-adv unicast header as the
+multicast optimizations code. And we are not allowed to drop those even
+if we did not claim the source address of the sender, as for such
+packets there is only this one multicast-in-unicast packet.
+
+How can we distinguish the two cases?
+
+The gateway feature uses a batman-adv unicast 4 address header. While
+the multicast-to-unicasts feature uses a simple, 3 address batman-adv
+unicast header. So let's use this to distinguish.
+
+Fixes: fe2da6ff27c7 ("batman-adv: check incoming packet type for bla")
+Signed-off-by: Linus Lüssing
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+---
+ net/batman-adv/bridge_loop_avoidance.c | 34 +++++++++++++++++++-------
+ net/batman-adv/bridge_loop_avoidance.h | 4 +--
+ net/batman-adv/soft-interface.c | 6 ++---
+ 3 files changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index f24b1cee4993f..516c45771d59b 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1822,7 +1822,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ * @bat_priv: the bat priv with all the soft interface information
+ * @skb: the frame to be checked
+ * @vid: the VLAN ID of the frame
+- * @is_bcast: the packet came in a broadcast packet type.
++ * @packet_type: the batman packet type this frame came in
+ *
+ * batadv_bla_rx avoidance checks if:
+ * * we have to race for a claim
+@@ -1834,7 +1834,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ * further process the skb.
+ */
+ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+- unsigned short vid, bool is_bcast)
++ unsigned short vid, int packet_type)
+ {
+ struct batadv_bla_backbone_gw *backbone_gw;
+ struct ethhdr *ethhdr;
+@@ -1856,9 +1856,24 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ goto handled;
+
+ if (unlikely(atomic_read(&bat_priv->bla.num_requests)))
+- /* don't allow broadcasts while requests are in flight */
+- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast)
+- goto handled;
++ /* don't allow multicast packets while requests are in flight */
++ if (is_multicast_ether_addr(ethhdr->h_dest))
++ /* Both broadcast flooding or multicast-via-unicasts
++ * delivery might send to multiple backbone gateways
++ * sharing the same LAN and therefore need to coordinate
++ * which backbone gateway forwards into the LAN,
++ * by claiming the payload source address.
++ *
++ * Broadcast flooding and multicast-via-unicasts
++ * delivery use the following two batman packet types.
++ * Note: explicitly exclude BATADV_UNICAST_4ADDR,
++ * as the DHCP gateway feature will send explicitly
++ * to only one BLA gateway, so the claiming process
++ * should be avoided there.
++ */
++ if (packet_type == BATADV_BCAST ||
++ packet_type == BATADV_UNICAST)
++ goto handled;
+
+ ether_addr_copy(search_claim.addr, ethhdr->h_source);
+ search_claim.vid = vid;
+@@ -1886,13 +1901,14 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ goto allow;
+ }
+
+- /* if it is a broadcast ... */
+- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast) {
++ /* if it is a multicast ... */
++ if (is_multicast_ether_addr(ethhdr->h_dest) &&
++ (packet_type == BATADV_BCAST || packet_type == BATADV_UNICAST)) {
+ /* ... drop it. the responsible gateway is in charge.
+ *
+- * We need to check is_bcast because with the gateway
++ * We need to check packet type because with the gateway
+ * feature, broadcasts (like DHCP requests) may be sent
+- * using a unicast packet type.
++ * using a unicast 4 address packet type. See comment above.
+ */
+ goto handled;
+ } else {
+diff --git a/net/batman-adv/bridge_loop_avoidance.h b/net/batman-adv/bridge_loop_avoidance.h
+index 1ae93e46fb984..40b8ec9d4b1b5 100644
+--- a/net/batman-adv/bridge_loop_avoidance.h
++++ b/net/batman-adv/bridge_loop_avoidance.h
+@@ -29,7 +29,7 @@ struct sk_buff;
+
+ #ifdef CONFIG_BATMAN_ADV_BLA
+ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+- unsigned short vid, bool is_bcast);
++ unsigned short vid, int packet_type);
+ bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ unsigned short vid);
+ bool batadv_bla_is_backbone_gw(struct sk_buff *skb,
+@@ -56,7 +56,7 @@ int batadv_bla_claim_dump(struct sk_buff *msg, struct netlink_callback *cb);
+
+ static inline bool batadv_bla_rx(struct batadv_priv *bat_priv,
+ struct sk_buff *skb, unsigned short vid,
+- bool is_bcast)
++ int packet_type)
+ {
+ return false;
+ }
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index 99d2c453c8722..af0a8439cf08a 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -415,10 +415,10 @@ void batadv_interface_rx(struct net_device *soft_iface,
+ struct vlan_ethhdr *vhdr;
+ struct ethhdr *ethhdr;
+ unsigned short vid;
+- bool is_bcast;
++ int packet_type;
+
+ batadv_bcast_packet = (struct batadv_bcast_packet *)skb->data;
+- is_bcast = (batadv_bcast_packet->packet_type == BATADV_BCAST);
++ packet_type = batadv_bcast_packet->packet_type;
+
+ skb_pull_rcsum(skb, hdr_size);
+ skb_reset_mac_header(skb);
+@@ -463,7 +463,7 @@ void batadv_interface_rx(struct net_device *soft_iface,
+ /* Let the bridge loop avoidance check the packet. If will
+ * not handle it, we can safely push it up.
+ */
+- if (batadv_bla_rx(bat_priv, skb, vid, is_bcast))
++ if (batadv_bla_rx(bat_priv, skb, vid, packet_type))
+ goto out;
+
+ if (orig_node)
+--
+2.25.1
+
diff --git a/queue-4.9/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch b/queue-4.9/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch
new file mode 100644
index 00000000000..9e7e09b5305
--- /dev/null
+++ b/queue-4.9/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch
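Review bot: In batadv_bla_rx() (net/batman-adv/bridge_loop_avoidance.c) the drop decision taken while claim requests are in flight is now three nested `if` statements without braces, with a long block comment sitting between the second and third, which makes it easy for a later edit to attach a statement to the wrong condition in code that decides whether a frame is dropped or forwarded. The three conditions can be folded into a single `if` with the comment moved above it, as sketched below; behaviour is unchanged. The test `packet_type == BATADV_BCAST || packet_type == BATADV_UNICAST` is repeated further down in the same function, so a small static helper would keep the two sites from drifting apart. In batadv_interface_rx() the type is read through a `struct batadv_bcast_packet *` cast of `skb->data` for every frame, which presumably relies on `packet_type` sitting at the same offset in all batman-adv headers; a comment stating that assumption would help, since the header definitions are outside the patch.

```c
	/* … unchanged: comment explaining why BATADV_BCAST and BATADV_UNICAST
	 * are matched and BATADV_UNICAST_4ADDR is excluded …
	 */
	if (unlikely(atomic_read(&bat_priv->bla.num_requests)) &&
	    is_multicast_ether_addr(ethhdr->h_dest) &&
	    (packet_type == BATADV_BCAST ||
	     packet_type == BATADV_UNICAST))
		goto handled;
```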
@@ -0,0 +1,59 @@
+From 477dcef51262b3bfe0a330767bcf184ff33a5d96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 20:28:00 +0200
+Subject: batman-adv: mcast/TT: fix wrongly dropped or rerouted packets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing
+
+[ Upstream commit 7dda5b3384121181c4e79f6eaeac2b94c0622c8d ]
+
+The unicast packet rerouting code makes several assumptions. For
+instance it assumes that there is always exactly one destination in the
+TT. This breaks for multicast frames in a unicast packets in several ways:
+
+For one thing if there is actually no TT entry and the destination node
+was selected due to the multicast tvlv flags it announced. Then an
+intermediate node will wrongly drop the packet.
+
+For another thing if there is a TT entry but the TTVN of this entry is
+newer than the originally addressed destination node: Then the
+intermediate node will wrongly redirect the packet, leading to
+duplicated multicast packets at a multicast listener and missing
+packets at other multicast listeners or multicast routers.
+
+Fixing this by not applying the unicast packet rerouting to batman-adv
+unicast packets with a multicast payload. We are not able to detect a
+roaming multicast listener at the moment and will just continue to send
+the multicast frame to both the new and old destination for a while in
+case of such a roaming multicast listener.
+
+Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism")
+Signed-off-by: Linus Lüssing
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+---
+ net/batman-adv/routing.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
+index 19059ae26e519..1ba205c3ea9fa 100644
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -803,6 +803,10 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
+ vid = batadv_get_vid(skb, hdr_len);
+ ethhdr = (struct ethhdr *)(skb->data + hdr_len);
+
++ /* do not reroute multicast frames in a unicast header */
++ if (is_multicast_ether_addr(ethhdr->h_dest))
++ return true;
++
+ /* check if the destination client was served by this node and it is now
+ * roaming. In this case, it means that the node has got a ROAM_ADV
+ * message and that it knows the new destination in the mesh to re-route
+--
+2.25.1
+
diff --git a/queue-4.9/clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch b/queue-4.9/clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch
new file mode 100644
index 00000000000..1039d35f88e
--- /dev/null
+++ b/queue-4.9/clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch
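Review bot: In batadv_check_unicast_ttvn() (net/batman-adv/routing.c) the added early `return true` lets every frame whose inner Ethernet destination is multicast skip the TTVN and roaming checks that follow, and the one-line comment does not say why skipping them is acceptable. A fuller comment would carry the reasoning from the commit message into the code, for example `/* a multicast payload has no single TT entry to compare the TTVN against, so the reroute logic below does not apply */`. The new test also dereferences `ethhdr->h_dest` at `skb->data + hdr_len`; whether the skb has already been checked to hold `hdr_len` plus an Ethernet header is decided above the hunk and cannot be seen here, so it should be confirmed that the length check precedes this line.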
@@ -0,0 +1,41 @@
+From 843a63e3e76736ef2991e57254a4fef7b0cccd7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 2 Aug 2020 19:15:41 +0800
+Subject: clocksource/drivers/h8300_timer8: Fix wrong return value in
+ h8300_8timer_init()
+
+From: Tianjia Zhang
+
+[ Upstream commit 400d033f5a599120089b5f0c54d14d198499af5a ]
+
+In the init function, if the call to of_iomap() fails, the return
+value is ENXIO instead of -ENXIO.
+
+Change to the right negative errno.
+
+Fixes: 691f8f878290f ("clocksource/drivers/h8300_timer8: Convert init function to return error")
+Cc: Daniel Lezcano
+Signed-off-by: Tianjia Zhang
+Signed-off-by: Daniel Lezcano
+Link: https://lore.kernel.org/r/20200802111541.5429-1-tianjia.zhang@linux.alibaba.com
+Signed-off-by: Sasha Levin
+---
+ drivers/clocksource/h8300_timer8.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/h8300_timer8.c b/drivers/clocksource/h8300_timer8.c
+index 546bb180f5a44..8202e49ac64cd 100644
+--- a/drivers/clocksource/h8300_timer8.c
++++ b/drivers/clocksource/h8300_timer8.c
+@@ -176,7 +176,7 @@ static int __init h8300_8timer_init(struct device_node *node)
+ return PTR_ERR(clk);
+ }
+
+- ret = ENXIO;
++ ret = -ENXIO;
+ base = of_iomap(node, 0);
+ if (!base) {
+ pr_err("failed to map registers for clockevent\n");
+--
+2.25.1
+
diff --git a/queue-4.9/ieee802154-adf7242-check-status-of-adf7242_read_reg.patch b/queue-4.9/ieee802154-adf7242-check-status-of-adf7242_read_reg.patch
new file mode 100644
index 00000000000..e0b422b1bc1
--- /dev/null
+++ b/queue-4.9/ieee802154-adf7242-check-status-of-adf7242_read_reg.patch
@@ -0,0 +1,51 @@
+From 7169e4e2af2b9f956dcab8267b9984161e91bf7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 2 Aug 2020 07:23:39 -0700
+Subject: ieee802154/adf7242: check status of adf7242_read_reg
+
+From: Tom Rix
+
+[ Upstream commit e3914ed6cf44bfe1f169e26241f8314556fd1ac1 ]
+
+Clang static analysis reports this error
+
+adf7242.c:887:6: warning: Assigned value is garbage or undefined
+ len = len_u8;
+ ^ ~~~~~~
+
+len_u8 is set in
+ adf7242_read_reg(lp, 0, &len_u8);
+
+When this call fails, len_u8 is not set.
+
+So check the return code.
+
+Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154")
+
+Signed-off-by: Tom Rix
+Acked-by: Michael Hennerich
+Link: https://lore.kernel.org/r/20200802142339.21091-1-trix@redhat.com
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ieee802154/adf7242.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
+index 1b980f12663af..a605dfb15bb75 100644
+--- a/drivers/net/ieee802154/adf7242.c
++++ b/drivers/net/ieee802154/adf7242.c
+@@ -834,7 +834,9 @@ static int adf7242_rx(struct adf7242_local *lp)
+ int ret;
+ u8 lqi, len_u8, *data;
+
+- adf7242_read_reg(lp, 0, &len_u8);
++ ret = adf7242_read_reg(lp, 0, &len_u8);
++ if (ret)
++ return ret;
+
+ len = len_u8;
+
+--
+2.25.1
+
diff --git a/queue-4.9/mac802154-tx-fix-use-after-free.patch b/queue-4.9/mac802154-tx-fix-use-after-free.patch
new file mode 100644
index 00000000000..a9db440bb95
--- /dev/null
+++ b/queue-4.9/mac802154-tx-fix-use-after-free.patch
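Review bot: In adf7242_rx() (drivers/net/ieee802154/adf7242.c) the new `if (ret) return ret;` leaves the function straight away on a failed register read, with no logging and no recovery step; the body continues well past the hunk, so whether the other failure exits restart reception before returning cannot be seen here and should be checked for consistency with this one. `len_u8` is a length byte supplied by the radio, so `len = len_u8;` is also a good place for a comment pointing at the range check that must happen before the value sizes a buffer, e.g. `/* device-supplied length; validated below before use */`, assuming such a check exists further down in the function.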
@@ -0,0 +1,170 @@ +From c26a94e919295a45e519221f8d07b8f1561226da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 03:40:25 -0700 +Subject: mac802154: tx: fix use-after-free + +From: Eric Dumazet + +[ Upstream commit 0ff4628f4c6c1ab87eef9f16b25355cadc426d64 ] + +syzbot reported a bug in ieee802154_tx() [1] + +A similar issue in ieee802154_xmit_worker() is also fixed in this patch. + +[1] +BUG: KASAN: use-after-free in ieee802154_tx+0x3d2/0x480 net/mac802154/tx.c:88 +Read of size 4 at addr ffff8880251a8c70 by task syz-executor.3/928 + +CPU: 0 PID: 928 Comm: syz-executor.3 Not tainted 5.9.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x198/0x1fd lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + ieee802154_tx+0x3d2/0x480 net/mac802154/tx.c:88 + ieee802154_subif_start_xmit+0xbe/0xe4 net/mac802154/tx.c:130 + __netdev_start_xmit include/linux/netdevice.h:4634 [inline] + netdev_start_xmit include/linux/netdevice.h:4648 [inline] + dev_direct_xmit+0x4e9/0x6e0 net/core/dev.c:4203 + packet_snd net/packet/af_packet.c:2989 [inline] + packet_sendmsg+0x2413/0x5290 net/packet/af_packet.c:3014 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:671 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2407 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45d5b9 +Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fc98e749c78 EFLAGS: 00000246 ORIG_RAX: 
000000000000002e +RAX: ffffffffffffffda RBX: 000000000002ccc0 RCX: 000000000045d5b9 +RDX: 0000000000000000 RSI: 0000000020007780 RDI: 000000000000000b +RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec +R13: 00007fff690c720f R14: 00007fc98e74a9c0 R15: 000000000118cfec + +Allocated by task 928: + kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 + kasan_set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 + slab_post_alloc_hook mm/slab.h:518 [inline] + slab_alloc_node mm/slab.c:3254 [inline] + kmem_cache_alloc_node+0x136/0x3e0 mm/slab.c:3574 + __alloc_skb+0x71/0x550 net/core/skbuff.c:198 + alloc_skb include/linux/skbuff.h:1094 [inline] + alloc_skb_with_frags+0x92/0x570 net/core/skbuff.c:5771 + sock_alloc_send_pskb+0x72a/0x880 net/core/sock.c:2348 + packet_alloc_skb net/packet/af_packet.c:2837 [inline] + packet_snd net/packet/af_packet.c:2932 [inline] + packet_sendmsg+0x19fb/0x5290 net/packet/af_packet.c:3014 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:671 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2407 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 928: + kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 + kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 + kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 + __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422 + __cache_free mm/slab.c:3418 [inline] + kmem_cache_free.part.0+0x74/0x1e0 mm/slab.c:3693 + kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:622 + __kfree_skb net/core/skbuff.c:679 [inline] + consume_skb net/core/skbuff.c:838 [inline] + consume_skb+0xcf/0x160 net/core/skbuff.c:832 + __dev_kfree_skb_any+0x9c/0xc0 net/core/dev.c:3107 + fakelb_hw_xmit+0x20e/0x2a0 drivers/net/ieee802154/fakelb.c:81 + 
drv_xmit_async net/mac802154/driver-ops.h:16 [inline] + ieee802154_tx+0x282/0x480 net/mac802154/tx.c:81 + ieee802154_subif_start_xmit+0xbe/0xe4 net/mac802154/tx.c:130 + __netdev_start_xmit include/linux/netdevice.h:4634 [inline] + netdev_start_xmit include/linux/netdevice.h:4648 [inline] + dev_direct_xmit+0x4e9/0x6e0 net/core/dev.c:4203 + packet_snd net/packet/af_packet.c:2989 [inline] + packet_sendmsg+0x2413/0x5290 net/packet/af_packet.c:3014 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:671 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2407 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The buggy address belongs to the object at ffff8880251a8c00 + which belongs to the cache skbuff_head_cache of size 224 +The buggy address is located 112 bytes inside of + 224-byte region [ffff8880251a8c00, ffff8880251a8ce0) +The buggy address belongs to the page: +page:0000000062b6a4f1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x251a8 +flags: 0xfffe0000000200(slab) +raw: 00fffe0000000200 ffffea0000435c88 ffffea00028b6c08 ffff8880a9055d00 +raw: 0000000000000000 ffff8880251a80c0 000000010000000c 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880251a8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880251a8b80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc +>ffff8880251a8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880251a8c80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc + ffff8880251a8d00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb + +Fixes: 409c3b0c5f03 ("mac802154: tx: move stats tx increment") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Alexander Aring +Cc: Stefan Schmidt +Cc: linux-wpan@vger.kernel.org +Link: 
https://lore.kernel.org/r/20200908104025.4009085-1-edumazet@google.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/mac802154/tx.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c +index bcd1a5e6ebf42..2f873a0dc5836 100644 +--- a/net/mac802154/tx.c ++++ b/net/mac802154/tx.c +@@ -42,11 +42,11 @@ void ieee802154_xmit_worker(struct work_struct *work) + if (res) + goto err_tx; + +- ieee802154_xmit_complete(&local->hw, skb, false); +- + dev->stats.tx_packets++; + dev->stats.tx_bytes += skb->len; + ++ ieee802154_xmit_complete(&local->hw, skb, false); ++ + return; + + err_tx: +@@ -86,6 +86,8 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb) + + /* async is priority, otherwise sync is fallback */ + if (local->ops->xmit_async) { ++ unsigned int len = skb->len; ++ + ret = drv_xmit_async(local, skb); + if (ret) { + ieee802154_wake_queue(&local->hw); +@@ -93,7 +95,7 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb) + } + + dev->stats.tx_packets++; +- dev->stats.tx_bytes += skb->len; ++ dev->stats.tx_bytes += len; + } else { + local->tx_skb = skb; + queue_work(local->workqueue, &local->tx_work); +-- +2.25.1 + diff --git a/queue-4.9/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch b/queue-4.9/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch new file mode 100644 index 00000000000..919f62c6fca --- /dev/null +++ b/queue-4.9/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch 
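Review bot: Both changes in net/mac802154/tx.c depend on an ownership rule that the code still does not state: once `drv_xmit_async()` has returned successfully, or `ieee802154_xmit_complete()` has been called, the skb may already have been freed and must not be read. In ieee802154_tx() a comment on the new local, such as `/* the driver may consume skb inside xmit_async; cache len for the stats update */`, would stop a later cleanup from turning `len` back into `skb->len`. In ieee802154_xmit_worker() the reordering deserves the same kind of one-liner above the stats lines, `/* account the frame before xmit_complete releases the skb */`. `dev` is used after the call at both sites and is assigned outside the hunks, so it should be confirmed that it is taken from the skb before the hand-off rather than through it afterwards.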
@@ -0,0 +1,36 @@
+From 54b8c43b82829a5d91e396ddeb1647a02cfd7f4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Sep 2020 14:53:12 +0800
+Subject: MIPS: Add the missing 'CPU_1074K' into __get_cpu_type()
+
+From: Wei Li
+
+[ Upstream commit e393fbe6fa27af23f78df6e16a8fd2963578a8c4 ]
+
+Commit 442e14a2c55e ("MIPS: Add 1074K CPU support explicitly.") split
+1074K from the 74K as an unique CPU type, while it missed to add the
+'CPU_1074K' in __get_cpu_type(). So let's add it back.
+
+Fixes: 442e14a2c55e ("MIPS: Add 1074K CPU support explicitly.")
+Signed-off-by: Wei Li
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/cpu-type.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/include/asm/cpu-type.h b/arch/mips/include/asm/cpu-type.h
+index bdd6dc18e65c6..941efd8783344 100644
+--- a/arch/mips/include/asm/cpu-type.h
++++ b/arch/mips/include/asm/cpu-type.h
+@@ -47,6 +47,7 @@ static inline int __pure __get_cpu_type(const int cpu_type)
+ case CPU_34K:
+ case CPU_1004K:
+ case CPU_74K:
++ case CPU_1074K:
+ case CPU_M14KC:
+ case CPU_M14KEC:
+ case CPU_INTERAPTIV:
+--
+2.25.1
+
diff --git a/queue-4.9/mwifiex-increase-aes-key-storage-size-to-256-bits.patch b/queue-4.9/mwifiex-increase-aes-key-storage-size-to-256-bits.patch
new file mode 100644
index 00000000000..a87ed27c6bf
--- /dev/null
+++ b/queue-4.9/mwifiex-increase-aes-key-storage-size-to-256-bits.patch
@@ -0,0 +1,80 @@
+From 0e30db64216af3fa3b73ebf33fa476bdd2c30955 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Aug 2020 17:38:29 +0200
+Subject: mwifiex: Increase AES key storage size to 256 bits
+
+From: Maximilian Luz
+
+[ Upstream commit 4afc850e2e9e781976fb2c7852ce7bac374af938 ]
+
+Following commit e18696786548 ("mwifiex: Prevent memory corruption
+handling keys") the mwifiex driver fails to authenticate with certain
+networks, specifically networks with 256 bit keys, and repeatedly asks
+for the password. The kernel log repeats the following lines (id and
+bssid redacted):
+
+ mwifiex_pcie 0000:01:00.0: info: trying to associate to '' bssid
+ mwifiex_pcie 0000:01:00.0: info: associated to bssid successfully
+ mwifiex_pcie 0000:01:00.0: crypto keys added
+ mwifiex_pcie 0000:01:00.0: info: successfully disconnected from : reason code 3
+
+Tracking down this problem lead to the overflow check introduced by the
+aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
+check fails on networks with 256 bit keys due to the current storage
+size for AES keys in struct mwifiex_aes_param being only 128 bit.
+
+To fix this issue, increase the storage size for AES keys to 256 bit.
+
+Fixes: e18696786548 ("mwifiex: Prevent memory corruption handling keys")
+Signed-off-by: Maximilian Luz
+Reported-by: Kaloyan Nikolov
+Tested-by: Kaloyan Nikolov
+Reviewed-by: Dan Carpenter
+Reviewed-by: Brian Norris
+Tested-by: Brian Norris
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximilian@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
+ drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
+index 395d6ece2cacb..341f6ed5b3556 100644
+--- a/drivers/net/wireless/marvell/mwifiex/fw.h
++++ b/drivers/net/wireless/marvell/mwifiex/fw.h
+@@ -921,7 +921,7 @@ struct mwifiex_tkip_param {
+ struct mwifiex_aes_param {
+ u8 pn[WPA_PN_SIZE];
+ __le16 key_len;
+- u8 key[WLAN_KEY_LEN_CCMP];
++ u8 key[WLAN_KEY_LEN_CCMP_256];
+ } __packed;
+
+ struct mwifiex_wapi_param {
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
+index 1e26936c0d727..aa84fdb709830 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
+@@ -625,7 +625,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
+ key_v2 = &resp->params.key_material_v2;
+
+ len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len);
+- if (len > WLAN_KEY_LEN_CCMP)
++ if (len > sizeof(key_v2->key_param_set.key_params.aes.key))
+ return -EINVAL;
+
+ if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) {
+@@ -641,7 +641,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
+ return 0;
+
+ memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0,
+- WLAN_KEY_LEN_CCMP);
++ sizeof(key_v2->key_param_set.key_params.aes.key));
+ priv->aes_key_v2.key_param_set.key_params.aes.key_len =
+ cpu_to_le16(len);
+ memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key,
+--
+2.25.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 4bc4522368a..fcf0b0906db 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -103,3 +103,14 @@ vfio-pci-fix-racy-on-error-and-request-eventfd-ctx.patch
 s390-init-add-missing-__init-annotations.patch
 i2c-core-call-i2c_acpi_install_space_handler-before-.patch
 objtool-fix-noreturn-detection-for-ignored-functions.patch
+ieee802154-adf7242-check-status-of-adf7242_read_reg.patch
+clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch
+mwifiex-increase-aes-key-storage-size-to-256-bits.patch
+batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch
+atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch
+batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch
+mac802154-tx-fix-use-after-free.patch
+batman-adv-add-missing-include-for-in_interrupt.patch
+batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch
+alsa-asihpi-fix-iounmap-in-error-handler.patch
+mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch
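Review bot: In mwifiex_ret_802_11_key_material_v2() (drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c) the new `memset()` clears the destination `priv->aes_key_v2.key_param_set.key_params.aes.key` but takes its size from the response structure, `sizeof(key_v2->key_param_set.key_params.aes.key)`; the two fields appear to share a type, so the value is the same today, but sizing the write by its own destination, `sizeof(priv->aes_key_v2.key_param_set.key_params.aes.key)`, keeps the bound right if the types ever diverge. The `memcpy()` that follows begins on the last line of the hunk and its length argument is not visible; it should be bounded by the same `len` that the check above validated. `struct mwifiex_aes_param` is `__packed` and its `key` array grows from `WLAN_KEY_LEN_CCMP` to `WLAN_KEY_LEN_CCMP_256`, so any command or response length computed with `sizeof` over the enclosing structures changes with it; that is worth confirming against the firmware interface, which lies outside this patch.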