From: Sasha Levin Date: Mon, 6 Feb 2023 13:35:50 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v5.15.93~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4853cfe485451bbf642d261d7a45f30677f2273b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch b/queue-5.4/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch new file mode 100644 index 00000000000..284acee3737 --- /dev/null +++ b/queue-5.4/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch @@ -0,0 +1,41 @@ +From 85791a81bca85948be58573a9978df325c350a93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 00:22:59 -0800 +Subject: ALSA: hda/via: Avoid potential array out-of-bound in + add_secret_dac_path() + +From: Artemii Karasev + +[ Upstream commit b9cee506da2b7920b5ea02ccd8e78a907d0ee7aa ] + +snd_hda_get_connections() can return a negative error code. +It may lead to accessing 'conn' array at a negative index. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Artemii Karasev +Fixes: 30b4503378c9 ("ALSA: hda - Expose secret DAC-AA connection of some VIA codecs") +Link: https://lore.kernel.org/r/20230119082259.3634-1-karasev@ispras.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_via.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c +index 3edb4e25797d..4a74ccf7cf3e 100644 +--- a/sound/pci/hda/patch_via.c ++++ b/sound/pci/hda/patch_via.c +@@ -821,6 +821,9 @@ static int add_secret_dac_path(struct hda_codec *codec) + return 0; + nums = snd_hda_get_connections(codec, spec->gen.mixer_nid, conn, + ARRAY_SIZE(conn) - 1); ++ if (nums < 0) ++ return nums; ++ + for (i = 0; i < nums; i++) { + if (get_wcaps_type(get_wcaps(codec, conn[i])) == AC_WID_AUD_OUT) + return 0; +-- +2.39.0 + 
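Review bot: The new `if (nums < 0) return nums;` is the only exit in add_secret_dac_path() that propagates an errno, while the neighbouring exit at the top of the hunk returns 0 for "nothing to do", and nothing in the code marks the difference; a one-line comment would help, e.g. `/* negative nums is an errno from snd_hda_get_connections(); propagate it, never use it as a bound */`. The caller's handling of a negative return is outside the hunk, so confirm it treats the value as a failure rather than as a connection count. add_secret_dac_path() starts and ends outside the hunk.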
diff --git a/queue-5.4/arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch b/queue-5.4/arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch
new file mode 100644
index 00000000000..b461dd31ad1
--- /dev/null
+++ b/queue-5.4/arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch
@@ -0,0 +1,43 @@ +From bd5d5fdb3a5056d20761951cc274d060d25275ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jan 2023 22:35:03 +0100 +Subject: arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierluigi Passaro + +[ Upstream commit 47123900f3e4a7f769631d6ec15abf44086276f6 ] + +According section +    8.2.5.313 Select Input Register (IOMUXC_UART1_RXD_SELECT_INPUT) +of  +    i.MX 8M Mini Applications Processor Reference Manual, Rev. 3, 11/2020 +the required setting for this specific pin configuration is "1" + +Signed-off-by: Pierluigi Passaro +Reviewed-by: Fabio Estevam +Fixes: c1c9d41319c3 ("dt-bindings: imx: Add pinctrl binding doc for imx8mm") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h b/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h +index 93b44efdbc52..35a60b0d3a4f 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h ++++ b/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h +@@ -585,7 +585,7 @@ + #define MX8MM_IOMUXC_UART1_RXD_GPIO5_IO22 0x234 0x49C 0x000 0x5 0x0 + #define MX8MM_IOMUXC_UART1_RXD_TPSMP_HDATA24 0x234 0x49C 0x000 0x7 0x0 + #define MX8MM_IOMUXC_UART1_TXD_UART1_DCE_TX 0x238 0x4A0 0x000 0x0 0x0 +-#define MX8MM_IOMUXC_UART1_TXD_UART1_DTE_RX 0x238 0x4A0 0x4F4 0x0 0x0 ++#define MX8MM_IOMUXC_UART1_TXD_UART1_DTE_RX 0x238 0x4A0 0x4F4 0x0 0x1 + #define MX8MM_IOMUXC_UART1_TXD_ECSPI3_MOSI 0x238 0x4A0 0x000 0x1 0x0 + #define MX8MM_IOMUXC_UART1_TXD_GPIO5_IO23 0x238 0x4A0 0x000 0x5 0x0 + #define MX8MM_IOMUXC_UART1_TXD_TPSMP_HDATA25 0x238 0x4A0 0x000 0x7 0x0 +-- +2.39.0 + 
diff --git a/queue-5.4/asoc-intel-bytcr_rt5651-drop-reference-count-of-acpi.patch b/queue-5.4/asoc-intel-bytcr_rt5651-drop-reference-count-of-acpi.patch
new file mode 100644
index 00000000000..5b6ad2bcada
--- /dev/null
+++ b/queue-5.4/asoc-intel-bytcr_rt5651-drop-reference-count-of-acpi.patch
@@ -0,0 +1,52 @@ +From fcbd689fb7cd08c8758de449ab3491a52ebabdc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 13:28:49 +0200 +Subject: ASoC: Intel: bytcr_rt5651: Drop reference count of ACPI device after + use + +From: Andy Shevchenko + +[ Upstream commit 721858823d7cdc8f2a897579b040e935989f6f02 ] + +Theoretically the device might gone if its reference count drops to 0. +This might be the case when we try to find the first physical node of +the ACPI device. We need to keep reference to it until we get a result +of the above mentioned call. Refactor the code to drop the reference +count at the correct place. + +While at it, move to acpi_dev_put() as symmetrical call to the +acpi_dev_get_first_match_dev(). + +Fixes: 02c0a3b3047f ("ASoC: Intel: bytcr_rt5651: add MCLK, quirks and cleanups") +Signed-off-by: Andy Shevchenko +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20230112112852.67714-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5651.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/bytcr_rt5651.c b/sound/soc/intel/boards/bytcr_rt5651.c +index 921c09cdb480..0c1c8628b991 100644 +--- a/sound/soc/intel/boards/bytcr_rt5651.c ++++ b/sound/soc/intel/boards/bytcr_rt5651.c +@@ -919,7 +919,6 @@ static int snd_byt_rt5651_mc_probe(struct platform_device *pdev) + if (adev) { + snprintf(byt_rt5651_codec_name, sizeof(byt_rt5651_codec_name), + "i2c-%s", acpi_dev_name(adev)); +- put_device(&adev->dev); + byt_rt5651_dais[dai_index].codecs->name = byt_rt5651_codec_name; + } else { + dev_err(&pdev->dev, "Error cannot find '%s' dev\n", mach->id); +@@ -928,6 +927,7 @@ static int snd_byt_rt5651_mc_probe(struct platform_device *pdev) + + codec_dev = bus_find_device_by_name(&i2c_bus_type, NULL, + byt_rt5651_codec_name); ++ acpi_dev_put(adev); + if (!codec_dev) + return -EPROBE_DEFER; + +-- +2.39.0 + 
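Review bot: The relocated `acpi_dev_put(adev)` in the second hunk now runs unconditionally after bus_find_device_by_name(), so it is only safe if the `else` branch of the first hunk (the `dev_err(&pdev->dev, "Error cannot find '%s' dev\n", mach->id);` path, where adev is NULL) leaves the function before reaching it; the tail of that branch sits in the two lines between the hunks and is not visible here. Unless this tree's acpi_dev_put() is NULL-safe, a NULL adev reaching it would compute `&adev->dev` from a null pointer and crash in put_device() rather than be a no-op, so it is worth confirming the branch returns. snd_byt_rt5651_mc_probe() starts and ends outside the hunks.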
diff --git a/queue-5.4/ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch b/queue-5.4/ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch
new file mode 100644
index 00000000000..147addfe88f
--- /dev/null
+++ b/queue-5.4/ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch
@@ -0,0 +1,57 @@ +From 3f18627cb9082e78aadedeac2a2830ce572e65d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 12:27:41 +0900 +Subject: ata: libata: Fix sata_down_spd_limit() when no link speed is reported + +From: Damien Le Moal + +[ Upstream commit 69f2c9346313ba3d3dfa4091ff99df26c67c9021 ] + +Commit 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if +driver has not recorded sstatus speed") changed the behavior of +sata_down_spd_limit() to return doing nothing if a drive does not report +a current link speed, to avoid reducing the link speed to the lowest 1.5 +Gbps speed. + +However, the change assumed that a speed was recorded before probing +(e.g. before a suspend/resume) and set in link->sata_spd. This causes +problems with adapters/drives combination failing to establish a link +speed during probe autonegotiation. One example reported of this problem +is an mvebu adapter with a 3Gbps port-multiplier box: autonegotiation +fails, leaving no recorded link speed and no reported current link +speed. Probe retries also fail as no action is taken by sata_set_spd() +after each retry. + +Fix this by returning early in sata_down_spd_limit() only if we do have +a recorded link speed, that is, if link->sata_spd is not 0. With this +fix, a failed probe not leading to a recorded link speed is retried at +the lower 1.5 Gbps speed, with the link speed potentially increased +later on the second revalidate of the device if the device reports +that it supports higher link speeds. 
+ +Reported-by: Marius Dinu +Fixes: 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if driver has not recorded sstatus speed") +Reviewed-by: Niklas Cassel +Tested-by: Marius Dinu +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index fbb1676aa33f..c06f618b1aa3 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -3096,7 +3096,7 @@ int sata_down_spd_limit(struct ata_link *link, u32 spd_limit) + */ + if (spd > 1) + mask &= (1 << (spd - 1)) - 1; +- else ++ else if (link->sata_spd) + return -EINVAL; + + /* were we already at the bottom? */ +-- +2.39.0 + diff --git a/queue-5.4/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch b/queue-5.4/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch new file mode 100644 index 00000000000..ee2daa40fb3 --- /dev/null +++ b/queue-5.4/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch 
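Review bot: The new `else if (link->sata_spd)` inverts when sata_down_spd_limit() gives up, but the comment block that closes at the hunk's first context line `*/` is outside the hunk and, if it still reads as upstream's did, describes the old rule (do not force 1.5 Gbps on a link with no recorded speed, "just return"), which is now the opposite of what the code does. It should be updated to state the new rule, e.g. `* Bail out only if a speed was previously recorded; with no recorded speed fall through so the retry is attempted at the lowest rate.` sata_down_spd_limit() starts and ends outside the hunk.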
@@ -0,0 +1,46 @@ +From 981c2e3b3a3b2cab77beea58ce7d00fee0fe3bab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 09:42:00 +0000 +Subject: bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() + +From: Yuan Can + +[ Upstream commit f71eaf2708be7831428eacae7db25d8ec6b8b4c5 ] + +The sunxi_rsb_init() returns the platform_driver_register() directly +without checking its return value, if platform_driver_register() failed, +the sunxi_rsb_bus is not unregistered. +Fix by unregister sunxi_rsb_bus when platform_driver_register() failed. + +Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus") +Signed-off-by: Yuan Can +Reviewed-by: Jernej Skrabec +Link: https://lore.kernel.org/r/20221123094200.12036-1-yuancan@huawei.com +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + drivers/bus/sunxi-rsb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c +index f8c29b888e6b..98cbb18f17fa 100644 +--- a/drivers/bus/sunxi-rsb.c ++++ b/drivers/bus/sunxi-rsb.c +@@ -781,7 +781,13 @@ static int __init sunxi_rsb_init(void) + return ret; + } + +- return platform_driver_register(&sunxi_rsb_driver); ++ ret = platform_driver_register(&sunxi_rsb_driver); ++ if (ret) { ++ bus_unregister(&sunxi_rsb_bus); ++ return ret; ++ } ++ ++ return 0; + } + module_init(sunxi_rsb_init); + +-- +2.39.0 + diff --git a/queue-5.4/can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch b/queue-5.4/can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch new file mode 100644 index 00000000000..17fa60cd6cc --- /dev/null +++ b/queue-5.4/can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch 
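Review bot: The added error path in sunxi_rsb_init() is correct, but the block after the `platform_driver_register()` call can be a single exit with no trailing `return 0;`, matching the early-return shape already used at the top of the hunk: `ret = platform_driver_register(&sunxi_rsb_driver);` / `if (ret) bus_unregister(&sunxi_rsb_bus);` / `return ret;`. Behaviour is identical since platform_driver_register() returns 0 on success. The start of sunxi_rsb_init() is outside the hunk.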
@@ -0,0 +1,77 @@ +From 4f4c97777153f31df623b2ecc1b9939bd3e5d96f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 17:42:00 +0800 +Subject: can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate + +From: Ziyang Xuan + +[ Upstream commit d0553680f94c49bbe0e39eb50d033ba563b4212d ] + +The conclusion "j1939_session_deactivate() should be called with a +session ref-count of at least 2" is incorrect. In some concurrent +scenarios, j1939_session_deactivate can be called with the session +ref-count less than 2. But there is not any problem because it +will check the session active state before session putting in +j1939_session_deactivate_locked(). + +Here is the concurrent scenario of the problem reported by syzbot +and my reproduction log. + + cpu0 cpu1 + j1939_xtp_rx_eoma +j1939_xtp_rx_abort_one + j1939_session_get_by_addr [kref == 2] +j1939_session_get_by_addr [kref == 3] +j1939_session_deactivate [kref == 2] +j1939_session_put [kref == 1] + j1939_session_completed + j1939_session_deactivate + WARN_ON_ONCE(kref < 2) + +===================================================== +WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70 +CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 +RIP: 0010:j1939_session_deactivate+0x5f/0x70 +Call Trace: + j1939_session_deactivate_activate_next+0x11/0x28 + j1939_xtp_rx_eoma+0x12a/0x180 + j1939_tp_recv+0x4a2/0x510 + j1939_can_recv+0x226/0x380 + can_rcv_filter+0xf8/0x220 + can_receive+0x102/0x220 + ? process_backlog+0xf0/0x2c0 + can_rcv+0x53/0xf0 + __netif_receive_skb_one_core+0x67/0x90 + ? 
process_backlog+0x97/0x2c0 + __netif_receive_skb+0x22/0x80 + +Fixes: 0c71437dd50d ("can: j1939: j1939_session_deactivate(): clarify lifetime of session object") +Reported-by: syzbot+9981a614060dcee6eeca@syzkaller.appspotmail.com +Signed-off-by: Ziyang Xuan +Acked-by: Oleksij Rempel +Link: https://lore.kernel.org/all/20210906094200.95868-1-william.xuanziyang@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 9ca19dfe3e83..9c8c7c5dc9c3 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1087,10 +1087,6 @@ static bool j1939_session_deactivate(struct j1939_session *session) + bool active; + + j1939_session_list_lock(priv); +- /* This function should be called with a session ref-count of at +- * least 2. +- */ +- WARN_ON_ONCE(kref_read(&session->kref) < 2); + active = j1939_session_deactivate_locked(session); + j1939_session_list_unlock(priv); + +-- +2.39.0 + diff --git a/queue-5.4/efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch b/queue-5.4/efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch new file mode 100644 index 00000000000..4d23042fbcd --- /dev/null +++ b/queue-5.4/efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch 
@@ -0,0 +1,42 @@ +From ac3113068d5c65a99ca8f5f7d040558ded8a6227 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Feb 2023 16:22:13 +0300 +Subject: efi: fix potential NULL deref in efi_mem_reserve_persistent + +From: Anton Gusev + +[ Upstream commit 966d47e1f27c45507c5df82b2a2157e5a4fd3909 ] + +When iterating on a linked list, a result of memremap is dereferenced +without checking it for NULL. + +This patch adds a check that falls back on allocating a new page in +case memremap doesn't succeed. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 18df7577adae ("efi/memreserve: deal with memreserve entries in unmapped memory") +Signed-off-by: Anton Gusev +[ardb: return -ENOMEM instead of breaking out of the loop] +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/efi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c +index eb98018ab420..ed31b08855f9 100644 +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -1022,6 +1022,8 @@ int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size) + /* first try to find a slot in an existing linked list entry */ + for (prsv = efi_memreserve_root->next; prsv; ) { + rsv = memremap(prsv, sizeof(*rsv), MEMREMAP_WB); ++ if (!rsv) ++ return -ENOMEM; + index = atomic_fetch_add_unless(&rsv->count, 1, rsv->size); + if (index < rsv->size) { + rsv->entry[index].base = addr; +-- +2.39.0 + diff --git a/queue-5.4/fix-direction-argument-of-iov_iter_kvec.patch b/queue-5.4/fix-direction-argument-of-iov_iter_kvec.patch new file mode 100644 index 00000000000..25db14b7cdf --- /dev/null +++ b/queue-5.4/fix-direction-argument-of-iov_iter_kvec.patch 
@@ -0,0 +1,54 @@ +From 4a6b53c4c9a64e48b4338a7183c31050b58e6ce6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 19:16:56 -0400 +Subject: fix "direction" argument of iov_iter_kvec() + +From: Al Viro + +[ Upstream commit fc02f33787d8dd227b54f263eba983d5b249c032 ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/xen/pvcalls-back.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/xen/pvcalls-back.c b/drivers/xen/pvcalls-back.c +index 9439de2ca0e4..9c267e27d9d9 100644 +--- a/drivers/xen/pvcalls-back.c ++++ b/drivers/xen/pvcalls-back.c +@@ -129,13 +129,13 @@ static bool pvcalls_conn_back_read(void *opaque) + if (masked_prod < masked_cons) { + vec[0].iov_base = data->in + masked_prod; + vec[0].iov_len = wanted; +- iov_iter_kvec(&msg.msg_iter, WRITE, vec, 1, wanted); ++ iov_iter_kvec(&msg.msg_iter, READ, vec, 1, wanted); + } else { + vec[0].iov_base = data->in + masked_prod; + vec[0].iov_len = array_size - masked_prod; + vec[1].iov_base = data->in; + vec[1].iov_len = wanted - vec[0].iov_len; +- iov_iter_kvec(&msg.msg_iter, WRITE, vec, 2, wanted); ++ iov_iter_kvec(&msg.msg_iter, READ, vec, 2, wanted); + } + + atomic_set(&map->read, 0); +@@ -188,13 +188,13 @@ static bool pvcalls_conn_back_write(struct sock_mapping *map) + if (pvcalls_mask(prod, array_size) > pvcalls_mask(cons, array_size)) { + vec[0].iov_base = data->out + pvcalls_mask(cons, array_size); + vec[0].iov_len = size; +- iov_iter_kvec(&msg.msg_iter, READ, vec, 1, size); ++ iov_iter_kvec(&msg.msg_iter, WRITE, vec, 1, size); + } else { + vec[0].iov_base = data->out + pvcalls_mask(cons, array_size); + vec[0].iov_len = array_size - pvcalls_mask(cons, array_size); + vec[1].iov_base = data->out; + vec[1].iov_len = size - vec[0].iov_len; +- iov_iter_kvec(&msg.msg_iter, READ, vec, 2, size); ++ iov_iter_kvec(&msg.msg_iter, WRITE, vec, 2, size); + } + + atomic_set(&map->write, 0); +-- +2.39.0 + 
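Review bot: The direction argument is flipped at four call sites without a word of rationale, and the inner patch's message body is empty; the iov_iter_bvec() patch that follows has the same gap. A reader of pvcalls_conn_back_read() and pvcalls_conn_back_write() has to know that the direction names the data flow of the socket operation that consumes the iterator — READ when the operation fills the kvecs (receive), WRITE when it reads from them (send) — so a one-line comment at the first call, `/* READ: the receive path copies into vec[] */`, and its mirror in the write path would save the next reader the lookup. Both enclosing functions start and end outside the hunks.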
diff --git a/queue-5.4/fix-iov_iter_bvec-direction-argument.patch b/queue-5.4/fix-iov_iter_bvec-direction-argument.patch new file mode 100644 index 00000000000..eacbf618439 --- /dev/null +++ b/queue-5.4/fix-iov_iter_bvec-direction-argument.patch @@ -0,0 +1,40 @@ +From 840ce5bd30b1be2f3d0ccf196be63ef0f0e06609 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 19:04:18 -0400 +Subject: fix iov_iter_bvec() "direction" argument + +From: Al Viro + +[ Upstream commit b676668d99155e6859d99bbf2df18b3f03851902 ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c +index 7143d03f0e02..18fbbe510d01 100644 +--- a/drivers/target/target_core_file.c ++++ b/drivers/target/target_core_file.c +@@ -340,7 +340,7 @@ static int fd_do_rw(struct se_cmd *cmd, struct file *fd, + len += sg->length; + } + +- iov_iter_bvec(&iter, READ, bvec, sgl_nents, len); ++ iov_iter_bvec(&iter, is_write, bvec, sgl_nents, len); + if (is_write) + ret = vfs_iter_write(fd, &iter, &pos, 0); + else +@@ -477,7 +477,7 @@ fd_execute_write_same(struct se_cmd *cmd) + len += se_dev->dev_attrib.block_size; + } + +- iov_iter_bvec(&iter, READ, bvec, nolb, len); ++ iov_iter_bvec(&iter, WRITE, bvec, nolb, len); + ret = vfs_iter_write(fd_dev->fd_file, &iter, &pos, 0); + + kfree(bvec); +-- +2.39.0 + diff --git a/queue-5.4/i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch b/queue-5.4/i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch new file mode 100644 index 00000000000..a61d1ae7408 --- /dev/null +++ b/queue-5.4/i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch 
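Review bot: In fd_do_rw() the new call passes `is_write` straight through as the direction, which only works because READ is 0 and WRITE is 1 in this tree's iov_iter encoding and is_write is presumably a 0/1 value; spelling the mapping out, `iov_iter_bvec(&iter, is_write ? WRITE : READ, bvec, sgl_nents, len);`, keeps the intent visible and survives a change to the direction constants. The second hunk in fd_execute_write_same() is already explicit. Both enclosing functions start and end outside the hunks.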
@@ -0,0 +1,180 @@ +From 35f69ebc2c115c89c371c76c9356e55cd235533c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 22:38:05 -0800 +Subject: i2c: rk3x: fix a bunch of kernel-doc warnings + +From: Randy Dunlap + +[ Upstream commit 0582d984793d30442da88fe458674502bad1ad29 ] + +Fix multiple W=1 kernel-doc warnings in i2c-rk3x.c: + +drivers/i2c/busses/i2c-rk3x.c:83: warning: missing initial short description on line: + * struct i2c_spec_values: +drivers/i2c/busses/i2c-rk3x.c:139: warning: missing initial short description on line: + * struct rk3x_i2c_calced_timings: +drivers/i2c/busses/i2c-rk3x.c:162: warning: missing initial short description on line: + * struct rk3x_i2c_soc_data: +drivers/i2c/busses/i2c-rk3x.c:242: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Generate a START condition, which triggers a REG_INT_START interrupt. +drivers/i2c/busses/i2c-rk3x.c:261: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Generate a STOP condition, which triggers a REG_INT_STOP interrupt. +drivers/i2c/busses/i2c-rk3x.c:304: warning: expecting prototype for Setup a read according to i2c(). Prototype was for rk3x_i2c_prepare_read() instead +drivers/i2c/busses/i2c-rk3x.c:335: warning: expecting prototype for Fill the transmit buffer with data from i2c(). Prototype was for rk3x_i2c_fill_transmit_buf() instead +drivers/i2c/busses/i2c-rk3x.c:535: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Get timing values of I2C specification +drivers/i2c/busses/i2c-rk3x.c:552: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Calculate divider values for desired SCL frequency +drivers/i2c/busses/i2c-rk3x.c:713: warning: This comment starts with '/**', but isn't a kernel-doc comment. 
Refer Documentation/doc-guide/kernel-doc.rst + * Calculate timing values for desired SCL frequency +drivers/i2c/busses/i2c-rk3x.c:963: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Setup I2C registers for an I2C operation specified by msgs, num. + +Signed-off-by: Randy Dunlap +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-rk3x.c | 44 +++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-rk3x.c b/drivers/i2c/busses/i2c-rk3x.c +index 1107a5e7229e..ac3ae14a4c07 100644 +--- a/drivers/i2c/busses/i2c-rk3x.c ++++ b/drivers/i2c/busses/i2c-rk3x.c +@@ -79,7 +79,7 @@ enum { + #define DEFAULT_SCL_RATE (100 * 1000) /* Hz */ + + /** +- * struct i2c_spec_values: ++ * struct i2c_spec_values - I2C specification values for various modes + * @min_hold_start_ns: min hold time (repeated) START condition + * @min_low_ns: min LOW period of the SCL clock + * @min_high_ns: min HIGH period of the SCL cloc +@@ -135,7 +135,7 @@ static const struct i2c_spec_values fast_mode_plus_spec = { + }; + + /** +- * struct rk3x_i2c_calced_timings: ++ * struct rk3x_i2c_calced_timings - calculated V1 timings + * @div_low: Divider output for low + * @div_high: Divider output for high + * @tuning: Used to adjust setup/hold data time, +@@ -158,7 +158,7 @@ enum rk3x_i2c_state { + }; + + /** +- * struct rk3x_i2c_soc_data: ++ * struct rk3x_i2c_soc_data - SOC-specific data + * @grf_offset: offset inside the grf regmap for setting the i2c type + * @calc_timings: Callback function for i2c timing information calculated + */ +@@ -238,7 +238,8 @@ static inline void rk3x_i2c_clean_ipd(struct rk3x_i2c *i2c) + } + + /** +- * Generate a START condition, which triggers a REG_INT_START interrupt. ++ * rk3x_i2c_start - Generate a START condition, which triggers a REG_INT_START interrupt. 
++ * @i2c: target controller data + */ + static void rk3x_i2c_start(struct rk3x_i2c *i2c) + { +@@ -257,8 +258,8 @@ static void rk3x_i2c_start(struct rk3x_i2c *i2c) + } + + /** +- * Generate a STOP condition, which triggers a REG_INT_STOP interrupt. +- * ++ * rk3x_i2c_stop - Generate a STOP condition, which triggers a REG_INT_STOP interrupt. ++ * @i2c: target controller data + * @error: Error code to return in rk3x_i2c_xfer + */ + static void rk3x_i2c_stop(struct rk3x_i2c *i2c, int error) +@@ -297,7 +298,8 @@ static void rk3x_i2c_stop(struct rk3x_i2c *i2c, int error) + } + + /** +- * Setup a read according to i2c->msg ++ * rk3x_i2c_prepare_read - Setup a read according to i2c->msg ++ * @i2c: target controller data + */ + static void rk3x_i2c_prepare_read(struct rk3x_i2c *i2c) + { +@@ -328,7 +330,8 @@ static void rk3x_i2c_prepare_read(struct rk3x_i2c *i2c) + } + + /** +- * Fill the transmit buffer with data from i2c->msg ++ * rk3x_i2c_fill_transmit_buf - Fill the transmit buffer with data from i2c->msg ++ * @i2c: target controller data + */ + static void rk3x_i2c_fill_transmit_buf(struct rk3x_i2c *i2c) + { +@@ -531,11 +534,10 @@ static irqreturn_t rk3x_i2c_irq(int irqno, void *dev_id) + } + + /** +- * Get timing values of I2C specification +- * ++ * rk3x_i2c_get_spec - Get timing values of I2C specification + * @speed: Desired SCL frequency + * +- * Returns: Matched i2c spec values. ++ * Return: Matched i2c_spec_values. 
+ */ + static const struct i2c_spec_values *rk3x_i2c_get_spec(unsigned int speed) + { +@@ -548,13 +550,12 @@ static const struct i2c_spec_values *rk3x_i2c_get_spec(unsigned int speed) + } + + /** +- * Calculate divider values for desired SCL frequency +- * ++ * rk3x_i2c_v0_calc_timings - Calculate divider values for desired SCL frequency + * @clk_rate: I2C input clock rate + * @t: Known I2C timing information + * @t_calc: Caculated rk3x private timings that would be written into regs + * +- * Returns: 0 on success, -EINVAL if the goal SCL rate is too slow. In that case ++ * Return: %0 on success, -%EINVAL if the goal SCL rate is too slow. In that case + * a best-effort divider value is returned in divs. If the target rate is + * too high, we silently use the highest possible rate. + */ +@@ -709,13 +710,12 @@ static int rk3x_i2c_v0_calc_timings(unsigned long clk_rate, + } + + /** +- * Calculate timing values for desired SCL frequency +- * ++ * rk3x_i2c_v1_calc_timings - Calculate timing values for desired SCL frequency + * @clk_rate: I2C input clock rate + * @t: Known I2C timing information + * @t_calc: Caculated rk3x private timings that would be written into regs + * +- * Returns: 0 on success, -EINVAL if the goal SCL rate is too slow. In that case ++ * Return: %0 on success, -%EINVAL if the goal SCL rate is too slow. In that case + * a best-effort divider value is returned in divs. If the target rate is + * too high, we silently use the highest possible rate. + * The following formulas are v1's method to calculate timings. +@@ -959,14 +959,14 @@ static int rk3x_i2c_clk_notifier_cb(struct notifier_block *nb, unsigned long + } + + /** +- * Setup I2C registers for an I2C operation specified by msgs, num. +- * +- * Must be called with i2c->lock held. +- * ++ * rk3x_i2c_setup - Setup I2C registers for an I2C operation specified by msgs, num. 
++ * @i2c: target controller data + * @msgs: I2C msgs to process + * @num: Number of msgs + * +- * returns: Number of I2C msgs processed or negative in case of error ++ * Must be called with i2c->lock held. ++ * ++ * Return: Number of I2C msgs processed or negative in case of error + */ + static int rk3x_i2c_setup(struct rk3x_i2c *i2c, struct i2c_msg *msgs, int num) + { +-- +2.39.0 + diff --git a/queue-5.4/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch b/queue-5.4/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch new file mode 100644 index 00000000000..6eb0df50bff --- /dev/null +++ b/queue-5.4/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch 
@@ -0,0 +1,110 @@ +From e08358f77a332bf53c053ea399764a5be23f60de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Feb 2023 00:02:18 +0300 +Subject: net: openvswitch: fix flow memory leak in ovs_flow_cmd_new + +From: Fedor Pchelkin + +[ Upstream commit 0c598aed445eb45b0ee7ba405f7ece99ee349c30 ] + +Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is +not freed when an allocation of a key fails. + +BUG: memory leak +unreferenced object 0xffff888116668000 (size 632): + comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline] + [<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77 + [<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957 + [<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739 + [<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + [<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800 + [<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515 + [<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 + [<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] + [<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339 + [<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934 + [<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline] + [<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671 + [<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356 + [<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410 + [<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 + [<00000000c00628f8>] 
do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + [<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +To fix this the patch rearranges the goto labels to reflect the order of +object allocations and adds appropriate goto statements on the error +paths. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 68bb10101e6b ("openvswitch: Fix flow lookup to use unmasked key") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Eelco Chaudron +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230201210218.361970-1-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index a8a8396dd983..4c537e74b18c 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -941,14 +941,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + key = kzalloc(sizeof(*key), GFP_KERNEL); + if (!key) { + error = -ENOMEM; +- goto err_kfree_key; ++ goto err_kfree_flow; + } + + ovs_match_init(&match, key, false, &mask); + error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY], + a[OVS_FLOW_ATTR_MASK], log); + if (error) +- goto err_kfree_flow; ++ goto err_kfree_key; + + ovs_flow_mask_key(&new_flow->key, key, true, &mask); + +@@ -956,14 +956,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID], + key, log); + if (error) +- goto err_kfree_flow; ++ goto err_kfree_key; + + /* Validate actions. 
*/ + error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS], + &new_flow->key, &acts, log); + if (error) { + OVS_NLERR(log, "Flow actions may not be safe on all matching packets."); +- goto err_kfree_flow; ++ goto err_kfree_key; + } + + reply = ovs_flow_cmd_alloc_info(acts, &new_flow->id, info, false, +@@ -1063,10 +1063,10 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + kfree_skb(reply); + err_kfree_acts: + ovs_nla_free_flow_actions(acts); +-err_kfree_flow: +- ovs_flow_free(new_flow, false); + err_kfree_key: + kfree(key); ++err_kfree_flow: ++ ovs_flow_free(new_flow, false); + error: + return error; + } +-- +2.39.0 + diff --git a/queue-5.4/net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch b/queue-5.4/net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch new file mode 100644 index 00000000000..0c33f5ca079 --- /dev/null +++ b/queue-5.4/net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch 
@@ -0,0 +1,42 @@ +From d6ff5ab2bc13555de23865a2b2d5ce449c5e1b4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 15:14:02 -0800 +Subject: net: phy: meson-gxl: Add generic dummy stubs for MMD register access + +From: Chris Healy + +[ Upstream commit afc2336f89dc0fc0ef25b92366814524b0fd90fb ] + +The Meson G12A Internal PHY does not support standard IEEE MMD extended +register access, therefore add generic dummy stubs to fail the read and +write MMD calls. This is necessary to prevent the core PHY code from +erroneously believing that EEE is supported by this PHY even though this +PHY does not support EEE, as MMD register access returns all FFFFs. + +Fixes: 5c3407abb338 ("net: phy: meson-gxl: add g12a support") +Reviewed-by: Heiner Kallweit +Signed-off-by: Chris Healy +Reviewed-by: Jerome Brunet +Link: https://lore.kernel.org/r/20230130231402.471493-1-cphealy@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/meson-gxl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/phy/meson-gxl.c b/drivers/net/phy/meson-gxl.c +index e8f2ca625837..f7a9e6599a64 100644 +--- a/drivers/net/phy/meson-gxl.c ++++ b/drivers/net/phy/meson-gxl.c +@@ -245,6 +245,8 @@ static struct phy_driver meson_gxl_phy[] = { + .config_intr = meson_gxl_config_intr, + .suspend = genphy_suspend, + .resume = genphy_resume, ++ .read_mmd = genphy_read_mmd_unsupported, ++ .write_mmd = genphy_write_mmd_unsupported, + }, + }; + +-- +2.39.0 + diff --git a/queue-5.4/net-x25-fix-to-not-accept-on-connected-socket.patch b/queue-5.4/net-x25-fix-to-not-accept-on-connected-socket.patch new file mode 100644 index 00000000000..84ef04855df --- /dev/null +++ b/queue-5.4/net-x25-fix-to-not-accept-on-connected-socket.patch 
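Review bot: The `.read_mmd`/`.write_mmd` stubs are added only to the phy_driver entry at line 245, which the message identifies as the G12A internal PHY; the array's other entry (the GXL one, earlier in the file and outside the hunk) is untouched, so if it has the same lack of MMD support it would still let the core infer EEE support from all-ones reads. Worth confirming that entry already carries the same stubs or genuinely implements MMD access. The meson_gxl_phy[] initializer starts outside the hunk.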
@@ -0,0 +1,47 @@
+From a20ca3916a78e55db0c9bd63463dd9893174842d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 Jan 2023 11:43:23 -0800
+Subject: net/x25: Fix to not accept on connected socket
+
+From: Hyunwoo Kim
+
+[ Upstream commit f2b0b5210f67c56a3bcdf92ff665fb285d6e0067 ]
+
+When listen() and accept() are called on an x25 socket
+that connect() succeeds, accept() succeeds immediately.
+This is because x25_connect() queues the skb to
+sk->sk_receive_queue, and x25_accept() dequeues it.
+
+This creates a child socket with the sk of the parent
+x25 socket, which can cause confusion.
+
+Fix x25_listen() to return -EINVAL if the socket has
+already been successfully connect()ed to avoid this issue.
+
+Signed-off-by: Hyunwoo Kim
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/x25/af_x25.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index c94aa587e0c9..43dd489ad6db 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -492,6 +492,12 @@ static int x25_listen(struct socket *sock, int backlog)
+ int rc = -EOPNOTSUPP;
+
+ lock_sock(sk);
++ if (sock->state != SS_UNCONNECTED) {
++ rc = -EINVAL;
++ release_sock(sk);
++ return rc;
++ }
++
+ if (sk->sk_state != TCP_LISTEN) {
+ memset(&x25_sk(sk)->dest_addr, 0, X25_ADDR_LEN);
+ sk->sk_max_ack_backlog = backlog;
+--
+2.39.0
+
diff --git a/queue-5.4/netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch b/queue-5.4/netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch
new file mode 100644
index 00000000000..ce39fd0fce1
--- /dev/null
+++ b/queue-5.4/netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch
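Review bot: The new guard in x25_listen() stores -EINVAL into `rc` only to return it through the local, whereas the identical check added to nr_listen() in this same batch simply does `release_sock(sk); return -EINVAL;`; the two should read the same. The check is also silent about why a connected socket must not listen, which invites someone to drop it as redundant with the `sk_state != TCP_LISTEN` test below it; a comment would protect it, e.g. `/* x25_connect() queues an skb on sk_receive_queue that x25_accept() would hand back as a connection request */`. Note that any state other than SS_UNCONNECTED, presumably including SS_CONNECTING, is rejected as well, which looks intended but is not stated in the commit message. x25_listen continues outside the hunk.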
@@ -0,0 +1,66 @@ +From 10619dc8ffd23df674c512ed08b90eec19bc7913 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 11:39:29 +0100 +Subject: netfilter: br_netfilter: disable sabotage_in hook after first + suppression + +From: Florian Westphal + +[ Upstream commit 2b272bb558f1d3a5aa95ed8a82253786fd1a48ba ] + +When using a xfrm interface in a bridged setup (the outgoing device is +bridged), the incoming packets in the xfrm interface are only tracked +in the outgoing direction. + +$ brctl show +bridge name interfaces +br_eth1 eth1 + +$ conntrack -L +tcp 115 SYN_SENT src=192... dst=192... [UNREPLIED] ... + +If br_netfilter is enabled, the first (encrypted) packet is received onR +eth1, conntrack hooks are called from br_netfilter emulation which +allocates nf_bridge info for this skb. + +If the packet is for local machine, skb gets passed up the ip stack. +The skb passes through ip prerouting a second time. br_netfilter +ip_sabotage_in supresses the re-invocation of the hooks. + +After this, skb gets decrypted in xfrm layer and appears in +network stack a second time (after decryption). + +Then, ip_sabotage_in is called again and suppresses netfilter +hook invocation, even though the bridge layer never called them +for the plaintext incarnation of the packet. + +Free the bridge info after the first suppression to avoid this. + +I was unable to figure out where the regression comes from, as far as i +can see br_netfilter always had this problem; i did not expect that skb +is looped again with different headers. 
+ +Fixes: c4b0e771f906 ("netfilter: avoid using skb->nf_bridge directly") +Reported-and-tested-by: Wolfgang Nothdurft +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 01e33724d10c..43cb7aab4eed 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -871,6 +871,7 @@ static unsigned int ip_sabotage_in(void *priv, + if (nf_bridge && !nf_bridge->in_prerouting && + !netif_is_l3_master(skb->dev) && + !netif_is_l3_slave(skb->dev)) { ++ nf_bridge_info_free(skb); + state->okfn(state->net, state->sk, skb); + return NF_STOLEN; + } +-- +2.39.0 + diff --git a/queue-5.4/netrom-fix-use-after-free-caused-by-accept-on-alread.patch b/queue-5.4/netrom-fix-use-after-free-caused-by-accept-on-alread.patch new file mode 100644 index 00000000000..f8438055593 --- /dev/null +++ b/queue-5.4/netrom-fix-use-after-free-caused-by-accept-on-alread.patch 
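Review bot: After `nf_bridge_info_free(skb)` the local `nf_bridge` pointer that the enclosing condition just dereferenced refers to a detached (or freed) extension; nothing visible in the hunk uses it afterwards, but ip_sabotage_in continues outside the hunk and the pointer is live until the function returns, so a comment at the free would guard against a later use. The free also deserves a why-comment, since the commit message is the only place the re-injection scenario is explained, e.g. `/* Drop the bridge info now: this skb can come back through PREROUTING a second time (e.g. after xfrm decryption) and must then hit the hooks normally instead of being suppressed again. */`. Whether the paths that later call nf_bridge_info_get() tolerate NULL on the re-injected packet is not visible here and worth confirming.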
@@ -0,0 +1,211 @@ +From 62646971191feb37e36a720eea5bd23a0b080a80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 18:32:50 -0800 +Subject: netrom: Fix use-after-free caused by accept on already connected + socket + +From: Hyunwoo Kim + +[ Upstream commit 611792920925fb088ddccbe2783c7f92fdfb6b64 ] + +If you call listen() and accept() on an already connect()ed +AF_NETROM socket, accept() can successfully connect. +This is because when the peer socket sends data to sendmsg, +the skb with its own sk stored in the connected socket's +sk->sk_receive_queue is connected, and nr_accept() dequeues +the skb waiting in the sk->sk_receive_queue. + +As a result, nr_accept() allocates and returns a sock with +the sk of the parent AF_NETROM socket. + +And here use-after-free can happen through complex race conditions: +``` + cpu0 cpu1 + 1. socket_2 = socket(AF_NETROM) + . + . + listen(socket_2) + accepted_socket = accept(socket_2) + 2. socket_1 = socket(AF_NETROM) + nr_create() // sk refcount : 1 + connect(socket_1) + 3. write(accepted_socket) + nr_sendmsg() + nr_output() + nr_kick() + nr_send_iframe() + nr_transmit_buffer() + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() + nr_process_rx_frame(sk, skb); // sk : socket_1's sk + nr_state3_machine() + nr_queue_rx_frame() + sock_queue_rcv_skb() + sock_queue_rcv_skb_reason() + __sock_queue_rcv_skb() + __skb_queue_tail(list, skb); // list : socket_1's sk->sk_receive_queue + 4. listen(socket_1) + nr_listen() + uaf_socket = accept(socket_1) + nr_accept() + skb_dequeue(&sk->sk_receive_queue); + 5. close(accepted_socket) + nr_release() + nr_write_internal(sk, NR_DISCREQ) + nr_transmit_buffer() // NR_DISCREQ + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() // sk : socket_1's sk + nr_process_rx_frame() // NR_STATE_3 + nr_state3_machine() // NR_DISCREQ + nr_disconnect() + nr_sk(sk)->state = NR_STATE_0; + 6. 
close(socket_1) // sk refcount : 3 + nr_release() // NR_STATE_0 + sock_put(sk); // sk refcount : 0 + sk_free(sk); + close(uaf_socket) + nr_release() + sock_hold(sk); // UAF +``` + +KASAN report by syzbot: +``` +BUG: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520 +Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:306 [inline] + print_report+0x15e/0x461 mm/kasan/report.c:417 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 + check_region_inline mm/kasan/generic.c:183 [inline] + kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 + instrument_atomic_read_write include/linux/instrumented.h:102 [inline] + atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline] + __refcount_add include/linux/refcount.h:193 [inline] + __refcount_inc include/linux/refcount.h:250 [inline] + refcount_inc include/linux/refcount.h:267 [inline] + sock_hold include/net/sock.h:775 [inline] + nr_release+0x66/0x460 net/netrom/af_netrom.c:520 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f6c19e3c9b9 +Code: Unable to access opcode 
bytes at 0x7f6c19e3c98f. +RSP: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 +RAX: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9 +RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006 +RBP: 0000000000000003 R08: 000000000000000d R09: 000000000000000d +R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0 +R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000 + + +Allocated by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + ____kasan_kmalloc mm/kasan/common.c:330 [inline] + __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slab_common.c:968 [inline] + __kmalloc+0x5a/0xd0 mm/slab_common.c:981 + kmalloc include/linux/slab.h:584 [inline] + sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 + sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 + nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 + __sock_create+0x359/0x790 net/socket.c:1515 + sock_create net/socket.c:1566 [inline] + __sys_socket_create net/socket.c:1603 [inline] + __sys_socket_create net/socket.c:1588 [inline] + __sys_socket+0x133/0x250 net/socket.c:1636 + __do_sys_socket net/socket.c:1649 [inline] + __se_sys_socket net/socket.c:1647 [inline] + __x64_sys_socket+0x73/0xb0 net/socket.c:1647 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 + kasan_slab_free include/linux/kasan.h:177 [inline] + __cache_free mm/slab.c:3394 [inline] + __do_kmem_cache_free mm/slab.c:3580 [inline] + 
__kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 + sk_prot_free net/core/sock.c:2074 [inline] + __sk_destruct+0x5df/0x750 net/core/sock.c:2166 + sk_destruct net/core/sock.c:2181 [inline] + __sk_free+0x175/0x460 net/core/sock.c:2192 + sk_free+0x7c/0xa0 net/core/sock.c:2203 + sock_put include/net/sock.h:1991 [inline] + nr_release+0x39e/0x460 net/netrom/af_netrom.c:554 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +``` + +To fix this issue, nr_listen() returns -EINVAL for sockets that +successfully nr_connect(). + +Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/netrom/af_netrom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index 58d5373c513c..7da77ddba5f4 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -378,6 +378,11 @@ static int nr_listen(struct socket *sock, int backlog) + struct sock *sk = sock->sk; + + lock_sock(sk); ++ if (sock->state != SS_UNCONNECTED) { ++ release_sock(sk); ++ return -EINVAL; ++ } ++ + if (sk->sk_state != TCP_LISTEN) { + memset(&nr_sk(sk)->user_addr, 0, AX25_ADDR_LEN); + sk->sk_max_ack_backlog = backlog; +-- +2.39.0 + diff --git a/queue-5.4/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch b/queue-5.4/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch new file mode 100644 index 00000000000..acee7f92bb0 --- /dev/null +++ b/queue-5.4/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch 
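Review bot: The new check in nr_listen() rejects any socket whose `sock->state` is not SS_UNCONNECTED with no comment, so the reasoning for it lives only in the commit message and the syzbot trace; since the same guard was added to x25_listen() in this batch, both would benefit from a short why-comment, e.g. `/* Refuse listen() on a connect()ed socket: data skbs queued on sk_receive_queue would otherwise be returned by nr_accept() as new connections. */`. The commit message also describes nr_accept() dequeuing whatever is on sk_receive_queue, and that side is not hardened here; if a socket can become connected through a path that leaves `sock->state` untouched (not visible in this hunk), accept() would still misbehave, so that is worth a look. nr_listen continues outside the hunk.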
@@ -0,0 +1,69 @@ +From f550f841dbfdb9350ebbf83407b473f985d0a4ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 13:39:37 -0600 +Subject: scsi: iscsi_tcp: Fix UAF during login when accessing the shost + ipaddress + +From: Mike Christie + +[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ] + +If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, +userspace could be accessing the host's ipaddress attr. If we then free the +session via iscsi_session_teardown() while userspace is still accessing the +session we will hit a use after free bug. + +Set the tcp_sw_host->session after we have completed session creation and +can no longer fail. + +Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.com +Signed-off-by: Mike Christie +Reviewed-by: Lee Duncan +Acked-by: Ding Hui +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index b5dd1caae5e9..9320a0a92bb2 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -770,7 +770,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, + enum iscsi_host_param param, char *buf) + { + struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost); +- struct iscsi_session *session = tcp_sw_host->session; ++ struct iscsi_session *session; + struct iscsi_conn *conn; + struct iscsi_tcp_conn *tcp_conn; + struct iscsi_sw_tcp_conn *tcp_sw_conn; +@@ -779,6 +779,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, + + switch (param) { + case ISCSI_HOST_PARAM_IPADDRESS: ++ session = tcp_sw_host->session; + if (!session) + return -ENOTCONN; + +@@ -867,12 +868,14 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max, + if (!cls_session) + goto remove_host; + session = cls_session->dd_data; +- tcp_sw_host = iscsi_host_priv(shost); 
+- tcp_sw_host->session = session; + + shost->can_queue = session->scsi_cmds_max; + if (iscsi_tcp_r2tpool_alloc(session)) + goto remove_session; ++ ++ /* We are now fully setup so expose the session to sysfs. */ ++ tcp_sw_host = iscsi_host_priv(shost); ++ tcp_sw_host->session = session; + return cls_session; + + remove_session: +-- +2.39.0 + diff --git a/queue-5.4/scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch b/queue-5.4/scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch new file mode 100644 index 00000000000..4ebcc71f06b --- /dev/null +++ b/queue-5.4/scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch 
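Review bot: `tcp_sw_host->session` is written in iscsi_sw_tcp_session_create() and read in iscsi_sw_tcp_host_get_param() as plain accesses with no lock visible in either hunk, yet the whole point of the change is that sysfs readers run concurrently with creation; the store should at least be `WRITE_ONCE(tcp_sw_host->session, session);` with a matching `READ_ONCE()` in the getter, or the new comment should name the lock that orders them. The same window presumably exists on teardown: whatever clears `tcp_sw_host->session` is not part of this change, and if it runs after `iscsi_session_teardown()` the getter can still dereference a freed session. The Link suggests this is the third patch of a series, so a companion logout-side fix may be missing from this queue and is worth checking. Both functions begin outside the hunks shown.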
@@ -0,0 +1,56 @@ +From 7354d6c95d0a16ea8b91a1e30eeeb083a4abb10c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 22:06:08 -0500 +Subject: scsi: Revert "scsi: core: map PQ=1, PDT=other values to + SCSI_SCAN_TARGET_PRESENT" + +From: Martin K. Petersen + +[ Upstream commit 15600159bcc6abbeae6b33a849bef90dca28b78f ] + +This reverts commit 948e922fc44611ee2de0c89583ca958cb5307d36. + +Not all targets that return PQ=1 and PDT=0 should be ignored. While +the SCSI spec is vague in this department, there appears to be a +critical mass of devices which rely on devices being accessible with +this combination of reported values. + +Fixes: 948e922fc446 ("scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT") +Link: https://lore.kernel.org/r/yq1lelrleqr.fsf@ca-mkp.ca.oracle.com +Acked-by: Bart Van Assche +Acked-by: Martin Wilck +Acked-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_scan.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index 3fd109fd9335..d236322ced30 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -1130,8 +1130,7 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget, + * that no LUN is present, so don't add sdev in these cases. + * Two specific examples are: + * 1) NetApp targets: return PQ=1, PDT=0x1f +- * 2) IBM/2145 targets: return PQ=1, PDT=0 +- * 3) USB UFI: returns PDT=0x1f, with the PQ bits being "reserved" ++ * 2) USB UFI: returns PDT=0x1f, with the PQ bits being "reserved" + * in the UFI 1.0 spec (we cannot rely on reserved bits). 
+ * + * References: +@@ -1145,8 +1144,8 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget, + * PDT=00h Direct-access device (floppy) + * PDT=1Fh none (no FDD connected to the requested logical unit) + */ +- if (((result[0] >> 5) == 1 || +- (starget->pdt_1f_for_no_lun && (result[0] & 0x1f) == 0x1f)) && ++ if (((result[0] >> 5) == 1 || starget->pdt_1f_for_no_lun) && ++ (result[0] & 0x1f) == 0x1f && + !scsi_is_wlun(lun)) { + SCSI_LOG_SCAN_BUS(3, sdev_printk(KERN_INFO, sdev, + "scsi scan: peripheral device type" +-- +2.39.0 + diff --git a/queue-5.4/scsi-target-core-fix-warning-on-rt-kernels.patch b/queue-5.4/scsi-target-core-fix-warning-on-rt-kernels.patch new file mode 100644 index 00000000000..26d870672f3 --- /dev/null +++ b/queue-5.4/scsi-target-core-fix-warning-on-rt-kernels.patch 
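Review bot: The restored condition deliberately accepts PQ=1 with a PDT other than 0x1f, exactly the case the reverted commit had rejected, but the only record of that decision is the commit message and the deleted "IBM/2145" comment line, so the next person reading `(result[0] >> 5) == 1 || starget->pdt_1f_for_no_lun` can easily "fix" it again. A comment on the condition would keep the history in the code, e.g. `/* PQ=1 alone is not "no LUN": devices such as IBM/2145 report PQ=1,PDT=0 and must stay accessible (see the revert of 948e922fc446); only PDT=0x1f is ignored. */`. The renumbered example list above (1) NetApp, 2) USB UFI) matches the shortened condition. scsi_probe_and_add_lun begins and ends outside the hunk.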
@@ -0,0 +1,40 @@
+From 7ec0013b83f759325bf63aaaae0f958b8daa0b3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Jan 2023 13:53:10 +0100
+Subject: scsi: target: core: Fix warning on RT kernels
+
+From: Maurizio Lombardi
+
+[ Upstream commit 84ed64b1a7a7fcd507598dee7708c1f225123711 ]
+
+Calling spin_lock_irqsave() does not disable the interrupts on realtime
+kernels, remove the warning and replace assert_spin_locked() with
+lockdep_assert_held().
+
+Signed-off-by: Maurizio Lombardi
+Reviewed-by: Christoph Hellwig
+Link: https://lore.kernel.org/r/20230110125310.55884-1-mlombard@redhat.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/target/target_core_tmr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
+index feeba3966617..6928ebf0be9c 100644
+--- a/drivers/target/target_core_tmr.c
++++ b/drivers/target/target_core_tmr.c
+@@ -82,8 +82,8 @@ static bool __target_check_io_state(struct se_cmd *se_cmd,
+ {
+ struct se_session *sess = se_cmd->se_sess;
+
+- assert_spin_locked(&sess->sess_cmd_lock);
+- WARN_ON_ONCE(!irqs_disabled());
++ lockdep_assert_held(&sess->sess_cmd_lock);
++
+ /*
+ * If command already reached CMD_T_COMPLETE state within
+ * target_complete_cmd() or CMD_T_FABRIC_STOP due to shutdown,
+--
+2.39.0
+
diff --git a/queue-5.4/selftests-net-udpgso_bench-fix-racing-bug-between-th.patch b/queue-5.4/selftests-net-udpgso_bench-fix-racing-bug-between-th.patch
new file mode 100644
index 00000000000..439f86f2b3e
--- /dev/null
+++ b/queue-5.4/selftests-net-udpgso_bench-fix-racing-bug-between-th.patch
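Review bot: Swapping `assert_spin_locked()` for `lockdep_assert_held()` quietly downgrades the check: as far as I recall the former is a real runtime test on SMP kernels, while the latter compiles to nothing unless CONFIG_LOCKDEP is on, so production builds of __target_check_io_state() now have no lock assertion at all. That is a normal kernel trade-off, but neither the commit message nor the code says so; a comment on the new line would record the contract, e.g. `/* Caller must hold sess->sess_cmd_lock (checked under lockdep only). */`. The stray blank line left between the assertion and the comment block is the only stylistic nit. __target_check_io_state continues outside the hunk.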
@@ -0,0 +1,80 @@ +From ad9ce4c9e0a8fbf34afd53437304f12b34dc3d1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 00:16:14 +0000 +Subject: selftests: net: udpgso_bench: Fix racing bug between the rx/tx + programs + +From: Andrei Gherzan + +[ Upstream commit dafe93b9ee21028d625dce347118b82659652eff ] + +"udpgro_bench.sh" invokes udpgso_bench_rx/udpgso_bench_tx programs +subsequently and while doing so, there is a chance that the rx one is not +ready to accept socket connections. This racing bug could fail the test +with at least one of the following: + +./udpgso_bench_tx: connect: Connection refused +./udpgso_bench_tx: sendmsg: Connection refused +./udpgso_bench_tx: write: Connection refused + +This change addresses this by making udpgro_bench.sh wait for the rx +program to be ready before firing off the tx one - up to a 10s timeout. + +Fixes: 3a687bef148d ("selftests: udp gso benchmark") +Signed-off-by: Andrei Gherzan +Cc: Paolo Abeni +Cc: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230201001612.515730-3-andrei.gherzan@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench.sh | 24 +++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/udpgso_bench.sh b/tools/testing/selftests/net/udpgso_bench.sh +index dc932fd65363..640bc43452fa 100755 +--- a/tools/testing/selftests/net/udpgso_bench.sh ++++ b/tools/testing/selftests/net/udpgso_bench.sh +@@ -7,6 +7,7 @@ readonly GREEN='\033[0;92m' + readonly YELLOW='\033[0;33m' + readonly RED='\033[0;31m' + readonly NC='\033[0m' # No Color ++readonly TESTPORT=8000 + + readonly KSFT_PASS=0 + readonly KSFT_FAIL=1 +@@ -56,11 +57,26 @@ trap wake_children EXIT + + run_one() { + local -r args=$@ ++ local nr_socks=0 ++ local i=0 ++ local -r timeout=10 ++ ++ ./udpgso_bench_rx -p "$TESTPORT" & ++ ./udpgso_bench_rx -p "$TESTPORT" -t & ++ ++ # Wait for the above 
test program to get ready to receive connections. ++ while [ "$i" -lt "$timeout" ]; do ++ nr_socks="$(ss -lnHi | grep -c "\*:${TESTPORT}")" ++ [ "$nr_socks" -eq 2 ] && break ++ i=$((i + 1)) ++ sleep 1 ++ done ++ if [ "$nr_socks" -ne 2 ]; then ++ echo "timed out while waiting for udpgso_bench_rx" ++ exit 1 ++ fi + +- ./udpgso_bench_rx & +- ./udpgso_bench_rx -t & +- +- ./udpgso_bench_tx ${args} ++ ./udpgso_bench_tx -p "$TESTPORT" ${args} + } + + run_in_netns() { +-- +2.39.0 + diff --git a/queue-5.4/selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch b/queue-5.4/selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch new file mode 100644 index 00000000000..89bedbdef74 --- /dev/null +++ b/queue-5.4/selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch 
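Review bot: On timeout the new wait loop in run_one() prints to stdout and does a bare `exit 1`, while the script already defines `readonly KSFT_FAIL=1` (and colour constants) for exactly this; for consistency with the file it should be `echo "timed out while waiting for udpgso_bench_rx" >&2` followed by `exit $KSFT_FAIL`. The readiness test also relies on ss rendering the listening address as `*:8000`, which is what an IPv6 wildcard bind shows but an IPv4-only bind appears as `0.0.0.0:8000` and would never reach the `-eq 2` count; the rx program's default family is not visible here, so either confirm it or loosen the pattern. The background rx processes are cleaned up on the early exit only because of the `trap wake_children EXIT` visible above, which is worth a one-line comment next to the `exit`.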
@@ -0,0 +1,51 @@ +From a19939dca060cb9706d7d3a36b72fe6bf6a28685 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 00:16:10 +0000 +Subject: selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler + warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrei Gherzan + +[ Upstream commit c03c80e3a03ffb4f790901d60797e9810539d946 ] + +This change fixes the following compiler warning: + +/usr/include/x86_64-linux-gnu/bits/error.h:40:5: warning: ‘gso_size’ may +be used uninitialized [-Wmaybe-uninitialized] + 40 | __error_noreturn (__status, __errnum, __format, + __va_arg_pack ()); + | + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + udpgso_bench_rx.c: In function ‘main’: + udpgso_bench_rx.c:253:23: note: ‘gso_size’ was declared here + 253 | int ret, len, gso_size, budget = 256; + +Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO") +Signed-off-by: Andrei Gherzan +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230201001612.515730-1-andrei.gherzan@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c +index 6a193425c367..d0895bd1933f 100644 +--- a/tools/testing/selftests/net/udpgso_bench_rx.c ++++ b/tools/testing/selftests/net/udpgso_bench_rx.c +@@ -250,7 +250,7 @@ static int recv_msg(int fd, char *buf, int len, int *gso_size) + static void do_flush_udp(int fd) + { + static char rbuf[ETH_MAX_MTU]; +- int ret, len, gso_size, budget = 256; ++ int ret, len, gso_size = 0, budget = 256; + + len = cfg_read_all ? sizeof(rbuf) : 0; + while (budget--) { +-- +2.39.0 + 
diff --git a/queue-5.4/selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch b/queue-5.4/selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch new file mode 100644 index 00000000000..f1836060382 --- /dev/null +++ b/queue-5.4/selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch 
@@ -0,0 +1,55 @@ +From e59fcaed421e995bd1a606fb451d1e3ccff07191 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 00:16:12 +0000 +Subject: selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are + provided + +From: Andrei Gherzan + +[ Upstream commit db9b47ee9f5f375ab0c5daeb20321c75b4fa657d ] + +Leaving unrecognized arguments buried in the output, can easily hide a +CLI/script typo. Avoid this by exiting when wrong arguments are provided to +the udpgso_bench test programs. + +Fixes: 3a687bef148d ("selftests: udp gso benchmark") +Signed-off-by: Andrei Gherzan +Cc: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230201001612.515730-2-andrei.gherzan@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench_rx.c | 2 ++ + tools/testing/selftests/net/udpgso_bench_tx.c | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c +index d0895bd1933f..4058c7451e70 100644 +--- a/tools/testing/selftests/net/udpgso_bench_rx.c ++++ b/tools/testing/selftests/net/udpgso_bench_rx.c +@@ -336,6 +336,8 @@ static void parse_opts(int argc, char **argv) + cfg_verify = true; + cfg_read_all = true; + break; ++ default: ++ exit(1); + } + } + +diff --git a/tools/testing/selftests/net/udpgso_bench_tx.c b/tools/testing/selftests/net/udpgso_bench_tx.c +index f1fdaa270291..b47b5c32039f 100644 +--- a/tools/testing/selftests/net/udpgso_bench_tx.c ++++ b/tools/testing/selftests/net/udpgso_bench_tx.c +@@ -490,6 +490,8 @@ static void parse_opts(int argc, char **argv) + case 'z': + cfg_zerocopy = true; + break; ++ default: ++ exit(1); + } + } + +-- +2.39.0 + diff --git a/queue-5.4/selftests-net-udpgso_bench_tx-cater-for-pending-data.patch b/queue-5.4/selftests-net-udpgso_bench_tx-cater-for-pending-data.patch new file mode 100644 index 00000000000..c5c3b357026 --- /dev/null 
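Review bot: In udpgso_bench_tx.c the new `default: exit(1);` bypasses the `usage()` helper that already exists in that file (visible in the next patch in this queue: it prints the full option list via `error(1, 0, "Usage: ...")` and exits non-zero), so `default: usage(argv[0]);` would tell the user what the valid options are instead of leaving only getopt's one-line complaint on stderr. On the rx side no usage() helper is visible, so a plain `exit(1)` is acceptable there unless one exists outside the hunk, in which case the same applies. Both parse_opts() functions start before the hunk.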
+++ b/queue-5.4/selftests-net-udpgso_bench_tx-cater-for-pending-data.patch 
@@ -0,0 +1,135 @@ +From 88682441ce9aecdf4290742d18ea39140807aacd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 00:16:16 +0000 +Subject: selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy + benchmarking + +From: Andrei Gherzan + +[ Upstream commit 329c9cd769c2e306957df031efff656c40922c76 ] + +The test tool can check that the zerocopy number of completions value is +valid taking into consideration the number of datagram send calls. This can +catch the system into a state where the datagrams are still in the system +(for example in a qdisk, waiting for the network interface to return a +completion notification, etc). + +This change adds a retry logic of computing the number of completions up to +a configurable (via CLI) timeout (default: 2 seconds). + +Fixes: 79ebc3c26010 ("net/udpgso_bench_tx: options to exercise TX CMSG") +Signed-off-by: Andrei Gherzan +Cc: Willem de Bruijn +Cc: Paolo Abeni +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230201001612.515730-4-andrei.gherzan@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench_tx.c | 34 +++++++++++++++---- + 1 file changed, 27 insertions(+), 7 deletions(-) + +diff --git a/tools/testing/selftests/net/udpgso_bench_tx.c b/tools/testing/selftests/net/udpgso_bench_tx.c +index b47b5c32039f..477392715a9a 100644 +--- a/tools/testing/selftests/net/udpgso_bench_tx.c ++++ b/tools/testing/selftests/net/udpgso_bench_tx.c +@@ -62,6 +62,7 @@ static int cfg_payload_len = (1472 * 42); + static int cfg_port = 8000; + static int cfg_runtime_ms = -1; + static bool cfg_poll; ++static int cfg_poll_loop_timeout_ms = 2000; + static bool cfg_segment; + static bool cfg_sendmmsg; + static bool cfg_tcp; +@@ -235,16 +236,17 @@ static void flush_errqueue_recv(int fd) + } + } + +-static void flush_errqueue(int fd, const bool do_poll) ++static void flush_errqueue(int fd, const bool do_poll, ++ unsigned long poll_timeout, const 
bool poll_err) + { + if (do_poll) { + struct pollfd fds = {0}; + int ret; + + fds.fd = fd; +- ret = poll(&fds, 1, 500); ++ ret = poll(&fds, 1, poll_timeout); + if (ret == 0) { +- if (cfg_verbose) ++ if ((cfg_verbose) && (poll_err)) + fprintf(stderr, "poll timeout\n"); + } else if (ret < 0) { + error(1, errno, "poll"); +@@ -254,6 +256,20 @@ static void flush_errqueue(int fd, const bool do_poll) + flush_errqueue_recv(fd); + } + ++static void flush_errqueue_retry(int fd, unsigned long num_sends) ++{ ++ unsigned long tnow, tstop; ++ bool first_try = true; ++ ++ tnow = gettimeofday_ms(); ++ tstop = tnow + cfg_poll_loop_timeout_ms; ++ do { ++ flush_errqueue(fd, true, tstop - tnow, first_try); ++ first_try = false; ++ tnow = gettimeofday_ms(); ++ } while ((stat_zcopies != num_sends) && (tnow < tstop)); ++} ++ + static int send_tcp(int fd, char *data) + { + int ret, done = 0, count = 0; +@@ -413,7 +429,8 @@ static int send_udp_segment(int fd, char *data) + + static void usage(const char *filepath) + { +- error(1, 0, "Usage: %s [-46acmHPtTuvz] [-C cpu] [-D dst ip] [-l secs] [-M messagenr] [-p port] [-s sendsize] [-S gsosize]", ++ error(1, 0, "Usage: %s [-46acmHPtTuvz] [-C cpu] [-D dst ip] [-l secs] " ++ "[-L secs] [-M messagenr] [-p port] [-s sendsize] [-S gsosize]", + filepath); + } + +@@ -423,7 +440,7 @@ static void parse_opts(int argc, char **argv) + int max_len, hdrlen; + int c; + +- while ((c = getopt(argc, argv, "46acC:D:Hl:mM:p:s:PS:tTuvz")) != -1) { ++ while ((c = getopt(argc, argv, "46acC:D:Hl:L:mM:p:s:PS:tTuvz")) != -1) { + switch (c) { + case '4': + if (cfg_family != PF_UNSPEC) +@@ -452,6 +469,9 @@ static void parse_opts(int argc, char **argv) + case 'l': + cfg_runtime_ms = strtoul(optarg, NULL, 10) * 1000; + break; ++ case 'L': ++ cfg_poll_loop_timeout_ms = strtoul(optarg, NULL, 10) * 1000; ++ break; + case 'm': + cfg_sendmmsg = true; + break; +@@ -679,7 +699,7 @@ int main(int argc, char **argv) + num_sends += send_udp(fd, buf[i]); + num_msgs++; + if 
((cfg_zerocopy && ((num_msgs & 0xF) == 0)) || cfg_tx_tstamp) +- flush_errqueue(fd, cfg_poll); ++ flush_errqueue(fd, cfg_poll, 500, true); + + if (cfg_msg_nr && num_msgs >= cfg_msg_nr) + break; +@@ -698,7 +718,7 @@ int main(int argc, char **argv) + } while (!interrupted && (cfg_runtime_ms == -1 || tnow < tstop)); + + if (cfg_zerocopy || cfg_tx_tstamp) +- flush_errqueue(fd, true); ++ flush_errqueue_retry(fd, num_sends); + + if (close(fd)) + error(1, errno, "close"); +-- +2.39.0 + diff --git a/queue-5.4/series b/queue-5.4/series index e8e31cc7adc..3488aa33eea 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
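Review bot: flush_errqueue_retry() loops until `stat_zcopies == num_sends`, but it is now called whenever `cfg_zerocopy || cfg_tx_tstamp`; in a timestamp-only run stat_zcopies presumably never advances (its update is in the zerocopy branch outside this hunk), so the loop keeps re-polling until the full cfg_poll_loop_timeout_ms elapses and every tstamp-only run ends with a 2 s stall. Unless that is intended, gate the retry on zerocopy: `if (cfg_zerocopy) flush_errqueue_retry(fd, num_sends); else if (cfg_tx_tstamp) flush_errqueue(fd, true, 500, true);`. Two smaller points: `poll_timeout` is `unsigned long` but is handed straight to poll(), whose timeout is an int, so the parameter should be `int`; and the `500` that moved from inside flush_errqueue() to the call site in main() now deserves a named constant. The new `-L` option goes through `strtoul()*1000` into an int with no range check, mirroring the existing `-l`, so at least it is consistent.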
@@ -1 +1,26 @@
 firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch
+bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch
+asoc-intel-bytcr_rt5651-drop-reference-count-of-acpi.patch
+alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch
+arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch
+scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch
+write-is-data-source-not-destination.patch
+fix-iov_iter_bvec-direction-argument.patch
+fix-direction-argument-of-iov_iter_kvec.patch
+netrom-fix-use-after-free-caused-by-accept-on-alread.patch
+netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch
+squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch
+net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch
+can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch
+ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch
+selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch
+selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch
+selftests-net-udpgso_bench-fix-racing-bug-between-th.patch
+selftests-net-udpgso_bench_tx-cater-for-pending-data.patch
+virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch
+net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch
+efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch
+scsi-target-core-fix-warning-on-rt-kernels.patch
+scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch
+i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch
+net-x25-fix-to-not-accept-on-connected-socket.patch
diff --git a/queue-5.4/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch b/queue-5.4/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch
new file mode 100644
index 00000000000..be95b9fdc05
--- /dev/null
+++ b/queue-5.4/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch
@@ -0,0 +1,45 @@
+From d76d1f7a87a1dc0c273af8d27f9ac3afaecef76f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 17 Jan 2023 13:52:26 +0300
+Subject: squashfs: harden sanity check in squashfs_read_xattr_id_table
+
+From: Fedor Pchelkin
+
+[ Upstream commit 72e544b1b28325fe78a4687b980871a7e4101f76 ]
+
+While mounting a corrupted filesystem, a signed integer '*xattr_ids' can
+become less than zero. This leads to the incorrect computation of 'len'
+and 'indexes' values which can cause null-ptr-deref in copy_bio_to_actor()
+or out-of-bounds accesses in the next sanity checks inside
+squashfs_read_xattr_id_table().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Link: https://lkml.kernel.org/r/20230117105226.329303-2-pchelkin@ispras.ru
+Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup")
+Reported-by:
+Signed-off-by: Fedor Pchelkin
+Signed-off-by: Alexey Khoroshilov
+Cc: Phillip Lougher
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ fs/squashfs/xattr_id.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/squashfs/xattr_id.c b/fs/squashfs/xattr_id.c
+index 087cab8c78f4..f6d78cbc3e74 100644
+--- a/fs/squashfs/xattr_id.c
++++ b/fs/squashfs/xattr_id.c
+@@ -76,7 +76,7 @@ __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start,
+ /* Sanity check values */
+
+ /* there is always at least one xattr id */
+- if (*xattr_ids == 0)
++ if (*xattr_ids <= 0)
+ return ERR_PTR(-EINVAL);
+
+ len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);
+--
+2.39.0
+
diff --git a/queue-5.4/virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch b/queue-5.4/virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch
new file mode 100644
index 00000000000..32ddb9e686c
--- /dev/null
+++ b/queue-5.4/virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch
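Review bot: The new `if (*xattr_ids <= 0)` test sits under a comment that only says "there is always at least one xattr id", so the negative half of the check reads as unmotivated; I would widen the comment to `/* *xattr_ids is a signed int; a corrupted image can drive it negative, which would make the len/indexes computed below meaningless, so reject that together with zero. */`. This closes the lower bound only: nothing in the hunk bounds the count from above, and the commit message defers large-but-positive values to the "next sanity checks", which are outside the shown lines and presumably still need to hold for counts near INT_MAX. squashfs_read_xattr_id_table() starts and ends outside the hunk.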
@@ -0,0 +1,44 @@
+From 094e8f9f102291ad493f95810f9d1c4fce645713 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Feb 2023 18:35:16 +0200
+Subject: virtio-net: Keep stop() to follow mirror sequence of open()
+
+From: Parav Pandit
+
+[ Upstream commit 63b114042d8a9c02d9939889177c36dbdb17a588 ]
+
+Cited commit in fixes tag frees rxq xdp info while RQ NAPI is
+still enabled and packet processing may be ongoing.
+
+Follow the mirror sequence of open() in the stop() callback.
+This ensures that when rxq info is unregistered, no rx
+packet processing is ongoing.
+
+Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info")
+Acked-by: Michael S. Tsirkin
+Reviewed-by: Jiri Pirko
+Signed-off-by: Parav Pandit
+Link: https://lore.kernel.org/r/20230202163516.12559-1-parav@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/virtio_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 579df7c5411d..5212d9cb0372 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1910,8 +1910,8 @@ static int virtnet_close(struct net_device *dev)
+ cancel_delayed_work_sync(&vi->refill);
+
+ for (i = 0; i < vi->max_queue_pairs; i++) {
+- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq);
+ napi_disable(&vi->rq[i].napi);
++ xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq);
+ virtnet_napi_tx_disable(&vi->sq[i].napi);
+ }
+
+--
+2.39.0
+
diff --git a/queue-5.4/write-is-data-source-not-destination.patch b/queue-5.4/write-is-data-source-not-destination.patch
new file mode 100644
index 00000000000..6018cdff80d
--- /dev/null
+++ b/queue-5.4/write-is-data-source-not-destination.patch
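Review bot: The ordering the hunk establishes — `napi_disable(&vi->rq[i].napi);` then `xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq);` — is a silent invariant that the next refactor can undo, so it deserves a comment on the unreg line: `/* RX NAPI must be off first: RX packet processing still uses the xdp_rxq info. */`. Note also that `virtnet_napi_tx_disable()` still runs after the unregister, so the loop is not a strict mirror of open() as the subject suggests; if the TX NAPI path can reach the RX xdp_rxq info (not visible here), the unregister should move below the TX disable too. virtnet_close() starts and ends outside the hunk.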
@@ -0,0 +1,49 @@
+From b6bd0af2bd429e157690cd6e3e9e08a6c91ecafa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Sep 2022 18:59:12 -0400
+Subject: WRITE is "data source", not destination...
+
+From: Al Viro
+
+[ Upstream commit 974c36fb828aeae7b4f9063f94860ae6c5633efd ]
+
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ drivers/fsi/fsi-sbefifo.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/fsi/fsi-sbefifo.c b/drivers/fsi/fsi-sbefifo.c
+index c8ccc99e214f..84a60d2d8e8a 100644
+--- a/drivers/fsi/fsi-sbefifo.c
++++ b/drivers/fsi/fsi-sbefifo.c
+@@ -640,7 +640,7 @@ static void sbefifo_collect_async_ffdc(struct sbefifo *sbefifo)
+ }
+ ffdc_iov.iov_base = ffdc;
+ ffdc_iov.iov_len = SBEFIFO_MAX_FFDC_SIZE;
+- iov_iter_kvec(&ffdc_iter, WRITE, &ffdc_iov, 1, SBEFIFO_MAX_FFDC_SIZE);
++ iov_iter_kvec(&ffdc_iter, READ, &ffdc_iov, 1, SBEFIFO_MAX_FFDC_SIZE);
+ cmd[0] = cpu_to_be32(2);
+ cmd[1] = cpu_to_be32(SBEFIFO_CMD_GET_SBE_FFDC);
+ rc = sbefifo_do_command(sbefifo, cmd, 2, &ffdc_iter);
+@@ -737,7 +737,7 @@ int sbefifo_submit(struct device *dev, const __be32 *command, size_t cmd_len,
+ rbytes = (*resp_len) * sizeof(__be32);
+ resp_iov.iov_base = response;
+ resp_iov.iov_len = rbytes;
+- iov_iter_kvec(&resp_iter, WRITE, &resp_iov, 1, rbytes);
++ iov_iter_kvec(&resp_iter, READ, &resp_iov, 1, rbytes);
+
+ /* Perform the command */
+ mutex_lock(&sbefifo->lock);
+@@ -817,7 +817,7 @@ static ssize_t sbefifo_user_read(struct file *file, char __user *buf,
+ /* Prepare iov iterator */
+ resp_iov.iov_base = buf;
+ resp_iov.iov_len = len;
+- iov_iter_init(&resp_iter, WRITE, &resp_iov, 1, len);
++ iov_iter_init(&resp_iter, READ, &resp_iov, 1, len);
+
+ /* Perform the command */
+ mutex_lock(&sbefifo->lock);
+--
+2.39.0
+
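Review bot: The patch body is empty apart from the subject, so a stable reader cannot tell what the wrong direction flag breaks or why a 5.4 backport is wanted; the description should state that READ marks the iterator as the destination the response bytes are copied into (the FFDC buffer, the submit response, and the user buffer in the three hunks), and whether the 5.4 iov_iter code actually checks the direction or this is preparatory for the following two iov_iter fixes in the series. A one-line comment at each of the three changed call sites would make the intent survive future refactors, e.g. `/* READ: this iterator is the destination the SBE response is copied into. */`. sbefifo_collect_async_ffdc(), sbefifo_submit() and sbefifo_user_read() each start and end outside the shown lines.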