From: Sasha Levin Date: Sat, 5 Nov 2022 13:27:11 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.9.333~88 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=48a4a83f8b28edf7b3aaf7404ace64356a856b77;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/ata-pata_legacy-fix-pdc20230_set_piomode.patch b/queue-5.4/ata-pata_legacy-fix-pdc20230_set_piomode.patch new file mode 100644 index 00000000000..c4fdc0c083c --- /dev/null +++ b/queue-5.4/ata-pata_legacy-fix-pdc20230_set_piomode.patch 
@@ -0,0 +1,45 @@ +From 3d15848e0cc7dead157dc1e6ea0c0cd91262ca40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Oct 2022 00:07:06 +0300 +Subject: ata: pata_legacy: fix pdc20230_set_piomode() + +From: Sergey Shtylyov + +[ Upstream commit 171a93182eccd6e6835d2c86b40787f9f832efaa ] + +Clang gives a warning when compiling pata_legacy.c with 'make W=1' about +the 'rt' local variable in pdc20230_set_piomode() being set but unused. +Quite obviously, there is an outb() call missing to write back the updated +variable. Moreover, checking the docs by Petr Soucek revealed that bitwise +AND should have been done with a negated timing mask and the master/slave +timing masks were swapped while updating... + +Fixes: 669a5db411d8 ("[libata] Add a bunch of PATA drivers.") +Reported-by: Damien Le Moal +Signed-off-by: Sergey Shtylyov +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_legacy.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/pata_legacy.c b/drivers/ata/pata_legacy.c +index d91ba47f2fc4..4405d255e3aa 100644 +--- a/drivers/ata/pata_legacy.c ++++ b/drivers/ata/pata_legacy.c +@@ -278,9 +278,10 @@ static void pdc20230_set_piomode(struct ata_port *ap, struct ata_device *adev) + outb(inb(0x1F4) & 0x07, 0x1F4); + + rt = inb(0x1F3); +- rt &= 0x07 << (3 * adev->devno); ++ rt &= ~(0x07 << (3 * !adev->devno)); + if (pio) +- rt |= (1 + 3 * pio) << (3 * adev->devno); ++ rt |= (1 + 3 * pio) << (3 * !adev->devno); ++ outb(rt, 0x1F3); + + udelay(100); + outb(inb(0x1F2) | 0x01, 0x1F2); +-- +2.35.1 + diff --git a/queue-5.4/bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_r.patch b/queue-5.4/bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_r.patch new file mode 100644 index 00000000000..687fb40cb8d --- /dev/null +++ b/queue-5.4/bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_r.patch 
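Review bot: The `!adev->devno` inversion on the new `rt &=` and `rt |=` lines is the non-obvious part of this fix and has no comment, so a later reader is likely to "correct" it back to `adev->devno` and reintroduce the swap the commit message describes. A one-line comment above the mask would make the intent explicit, e.g. `/* per the PDC20230 docs the timing bits for device N sit in the slot selected by !N, so master/slave are deliberately swapped here */`. The added `outb(rt, 0x1F3);` is the write-back the old code lacked; it reuses the same bare 0x1F3 that `inb()` reads, and both would read better with one named constant, though that is pre-existing style. pdc20230_set_piomode() starts before and ends after the lines shown.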
@@ -0,0 +1,175 @@ +From 5ad25d6e149be3ae91598d47fbc617de697661a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Oct 2022 00:27:18 +0300 +Subject: Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu + +From: Maxim Mikityanskiy + +[ Upstream commit 3aff8aaca4e36dc8b17eaa011684881a80238966 ] + +Fix the race condition between the following two flows that run in +parallel: + +1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) -> + __sock_queue_rcv_skb. + +2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram. + +An SKB can be queued by the first flow and immediately dequeued and +freed by the second flow, therefore the callers of l2cap_reassemble_sdu +can't use the SKB after that function returns. However, some places +continue accessing struct l2cap_ctrl that resides in the SKB's CB for a +short time after l2cap_reassemble_sdu returns, leading to a +use-after-free condition (the stack trace is below, line numbers for +kernel 5.19.8). + +Fix it by keeping a local copy of struct l2cap_ctrl. + +BUG: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth +Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169 + +Workqueue: hci0 hci_rx_work [bluetooth] +Call Trace: + + dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4)) + print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429) + ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493) + ? 
l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth + ret_from_fork (arch/x86/entry/entry_64.S:306) + + +Allocated by task 43169: + kasan_save_stack (mm/kasan/common.c:39) + __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) + kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293) + __alloc_skb (net/core/skbuff.c:414) + l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth + l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth + hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth + process_one_work (kernel/workqueue.c:2289) + worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437) + kthread (kernel/kthread.c:376) + ret_from_fork (arch/x86/entry/entry_64.S:306) + +Freed by task 27920: + kasan_save_stack (mm/kasan/common.c:39) + kasan_set_track (mm/kasan/common.c:45) + kasan_set_free_info (mm/kasan/generic.c:372) + ____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328) + slab_free_freelist_hook (mm/slub.c:1780) + kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553) + skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323) + bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth + l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth + sock_read_iter (net/socket.c:1087) + new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401) + vfs_read (fs/read_write.c:482) + ksys_read (fs/read_write.c:620) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +Link: https://lore.kernel.org/linux-bluetooth/CAKErNvoqga1WcmoR3-0875esY6TVWFQDandbVZncSiuGPBQXLA@mail.gmail.com/T/#u +Fixes: d2a7ac5d5d3a ("Bluetooth: Add the ERTM 
receive state machine") +Fixes: 4b51dae96731 ("Bluetooth: Add streaming mode receive and incoming packet classifier") +Signed-off-by: Maxim Mikityanskiy +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 48 ++++++++++++++++++++++++++++++++------ + 1 file changed, 41 insertions(+), 7 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 2d28b4e49b7a..5fa9a4e7d3ee 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6273,6 +6273,7 @@ static int l2cap_rx_state_recv(struct l2cap_chan *chan, + struct l2cap_ctrl *control, + struct sk_buff *skb, u8 event) + { ++ struct l2cap_ctrl local_control; + int err = 0; + bool skb_in_use = false; + +@@ -6297,15 +6298,32 @@ static int l2cap_rx_state_recv(struct l2cap_chan *chan, + chan->buffer_seq = chan->expected_tx_seq; + skb_in_use = true; + ++ /* l2cap_reassemble_sdu may free skb, hence invalidate ++ * control, so make a copy in advance to use it after ++ * l2cap_reassemble_sdu returns and to avoid the race ++ * condition, for example: ++ * ++ * The current thread calls: ++ * l2cap_reassemble_sdu ++ * chan->ops->recv == l2cap_sock_recv_cb ++ * __sock_queue_rcv_skb ++ * Another thread calls: ++ * bt_sock_recvmsg ++ * skb_recv_datagram ++ * skb_free_datagram ++ * Then the current thread tries to access control, but ++ * it was freed by skb_free_datagram. 
++ */ ++ local_control = *control; + err = l2cap_reassemble_sdu(chan, skb, control); + if (err) + break; + +- if (control->final) { ++ if (local_control.final) { + if (!test_and_clear_bit(CONN_REJ_ACT, + &chan->conn_state)) { +- control->final = 0; +- l2cap_retransmit_all(chan, control); ++ local_control.final = 0; ++ l2cap_retransmit_all(chan, &local_control); + l2cap_ertm_send(chan); + } + } +@@ -6685,11 +6703,27 @@ static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + struct sk_buff *skb) + { ++ /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store ++ * the txseq field in advance to use it after l2cap_reassemble_sdu ++ * returns and to avoid the race condition, for example: ++ * ++ * The current thread calls: ++ * l2cap_reassemble_sdu ++ * chan->ops->recv == l2cap_sock_recv_cb ++ * __sock_queue_rcv_skb ++ * Another thread calls: ++ * bt_sock_recvmsg ++ * skb_recv_datagram ++ * skb_free_datagram ++ * Then the current thread tries to access control, but it was freed by ++ * skb_free_datagram. ++ */ ++ u16 txseq = control->txseq; ++ + BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb, + chan->rx_state); + +- if (l2cap_classify_txseq(chan, control->txseq) == +- L2CAP_TXSEQ_EXPECTED) { ++ if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) { + l2cap_pass_to_tx(chan, control); + + BT_DBG("buffer_seq %d->%d", chan->buffer_seq, +@@ -6712,8 +6746,8 @@ static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + } + } + +- chan->last_acked_seq = control->txseq; +- chan->expected_tx_seq = __next_seq(chan, control->txseq); ++ chan->last_acked_seq = txseq; ++ chan->expected_tx_seq = __next_seq(chan, txseq); + + return 0; + } +-- +2.35.1 + 
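Review bot: The rule that `control` (which lives in the skb's CB) must not be touched once `l2cap_reassemble_sdu()` returns is spelled out in two fourteen-line call-site comments but not on `l2cap_reassemble_sdu()` itself, so a third caller can reintroduce the same use-after-free unnoticed. I would put a short contract comment on the callee (outside this hunk), e.g. `/* May queue skb to the socket, where another thread can free it; neither skb nor its CB (control) may be used after this returns. */`, and shrink both copies here to a one-line reference to it. In `l2cap_stream_rx()` only `txseq` is snapshotted, so any other field of `control` read after the reassemble call in the elided middle of that function would still be a stale read; worth checking, since the lines between the two hunks are not shown. Both l2cap_rx_state_recv() and l2cap_stream_rx() extend beyond the hunks shown.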
diff --git a/queue-5.4/bluetooth-l2cap-fix-use-after-free-in-l2cap_conn_del.patch b/queue-5.4/bluetooth-l2cap-fix-use-after-free-in-l2cap_conn_del.patch new file mode 100644 index 00000000000..c12a521ccc5 --- /dev/null +++ b/queue-5.4/bluetooth-l2cap-fix-use-after-free-in-l2cap_conn_del.patch 
@@ -0,0 +1,141 @@ +From df809fb91ea61719d127fac7aac86a4eaae7d769 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Oct 2022 15:58:13 +0800 +Subject: Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() + +From: Zhengchao Shao + +[ Upstream commit 0d0e2d032811280b927650ff3c15fe5020e82533 ] + +When l2cap_recv_frame() is invoked to receive data, and the cid is +L2CAP_CID_A2MP, if the channel does not exist, it will create a channel. +However, after a channel is created, the hold operation of the channel +is not performed. In this case, the value of channel reference counting +is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del() +invokes the close hook function of A2MP to release the channel. Then + l2cap_chan_unlock(chan) will trigger UAF issue. + +The process is as follows: +Receive data: +l2cap_data_channel() + a2mp_channel_create() --->channel ref is 2 + l2cap_chan_put() --->channel ref is 1 + +Triger event: + hci_error_reset() + hci_dev_do_close() + ... 
+ l2cap_disconn_cfm() + l2cap_conn_del() + l2cap_chan_hold() --->channel ref is 2 + l2cap_chan_del() --->channel ref is 1 + a2mp_chan_close_cb() --->channel ref is 0, release channel + l2cap_chan_unlock() --->UAF of channel + +The detailed Call Trace is as follows: +BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0 +Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593 +Workqueue: hci0 hci_error_reset +Call Trace: + + dump_stack_lvl+0xcd/0x134 + print_report.cold+0x2ba/0x719 + kasan_report+0xb1/0x1e0 + kasan_check_range+0x140/0x190 + __mutex_unlock_slowpath+0xa6/0x5e0 + l2cap_conn_del+0x404/0x7b0 + l2cap_disconn_cfm+0x8c/0xc0 + hci_conn_hash_flush+0x11f/0x260 + hci_dev_close_sync+0x5f5/0x11f0 + hci_dev_do_close+0x2d/0x70 + hci_error_reset+0x9e/0x140 + process_one_work+0x98a/0x1620 + worker_thread+0x665/0x1080 + kthread+0x2e4/0x3a0 + ret_from_fork+0x1f/0x30 + + +Allocated by task 7593: + kasan_save_stack+0x1e/0x40 + __kasan_kmalloc+0xa9/0xd0 + l2cap_chan_create+0x40/0x930 + amp_mgr_create+0x96/0x990 + a2mp_channel_create+0x7d/0x150 + l2cap_recv_frame+0x51b8/0x9a70 + l2cap_recv_acldata+0xaa3/0xc00 + hci_rx_work+0x702/0x1220 + process_one_work+0x98a/0x1620 + worker_thread+0x665/0x1080 + kthread+0x2e4/0x3a0 + ret_from_fork+0x1f/0x30 + +Freed by task 7593: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_set_free_info+0x20/0x30 + ____kasan_slab_free+0x167/0x1c0 + slab_free_freelist_hook+0x89/0x1c0 + kfree+0xe2/0x580 + l2cap_chan_put+0x22a/0x2d0 + l2cap_conn_del+0x3fc/0x7b0 + l2cap_disconn_cfm+0x8c/0xc0 + hci_conn_hash_flush+0x11f/0x260 + hci_dev_close_sync+0x5f5/0x11f0 + hci_dev_do_close+0x2d/0x70 + hci_error_reset+0x9e/0x140 + process_one_work+0x98a/0x1620 + worker_thread+0x665/0x1080 + kthread+0x2e4/0x3a0 + ret_from_fork+0x1f/0x30 + +Last potentially related work creation: + kasan_save_stack+0x1e/0x40 + __kasan_record_aux_stack+0xbe/0xd0 + call_rcu+0x99/0x740 + netlink_release+0xe6a/0x1cf0 + __sock_release+0xcd/0x280 + 
sock_close+0x18/0x20 + __fput+0x27c/0xa90 + task_work_run+0xdd/0x1a0 + exit_to_user_mode_prepare+0x23c/0x250 + syscall_exit_to_user_mode+0x19/0x50 + do_syscall_64+0x42/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Second to last potentially related work creation: + kasan_save_stack+0x1e/0x40 + __kasan_record_aux_stack+0xbe/0xd0 + call_rcu+0x99/0x740 + netlink_release+0xe6a/0x1cf0 + __sock_release+0xcd/0x280 + sock_close+0x18/0x20 + __fput+0x27c/0xa90 + task_work_run+0xdd/0x1a0 + exit_to_user_mode_prepare+0x23c/0x250 + syscall_exit_to_user_mode+0x19/0x50 + do_syscall_64+0x42/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put") +Signed-off-by: Zhengchao Shao +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 5fa9a4e7d3ee..5dbe7aeca5a7 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -7001,6 +7001,7 @@ static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid, + return; + } + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); + } else { + BT_DBG("unknown cid 0x%4.4x", cid); +-- +2.35.1 + diff --git a/queue-5.4/btrfs-fix-inode-list-leak-during-backref-walking-at-.patch b/queue-5.4/btrfs-fix-inode-list-leak-during-backref-walking-at-.patch new file mode 100644 index 00000000000..b1511a0140e --- /dev/null +++ b/queue-5.4/btrfs-fix-inode-list-leak-during-backref-walking-at-.patch 
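Review bot: The added `l2cap_chan_hold(chan);` has no visible matching `l2cap_chan_put()` in this hunk, and the commit message explains the balance only indirectly (the A2MP create path leaves the refcount at 1, which `l2cap_conn_del()` then drops to zero under the lock). A comment at the hold site would make the pairing auditable, e.g. `/* hold for the duration of the lock; balanced by the l2cap_chan_put() at the end of this function */` — the put presumably already exists further down (outside the hunk, added by the commit named in Fixes:), and that should be confirmed before wording the comment. `l2cap_data_channel()` starts before and ends after the lines shown.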
@@ -0,0 +1,94 @@ +From 6aa2c1e5eabe54573802666e1f3ebbcee86a3afe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 16:15:37 +0000 +Subject: btrfs: fix inode list leak during backref walking at + resolve_indirect_refs() + +From: Filipe Manana + +[ Upstream commit 5614dc3a47e3310fbc77ea3b67eaadd1c6417bf1 ] + +During backref walking, at resolve_indirect_refs(), if we get an error +we jump to the 'out' label and call ulist_free() on the 'parents' ulist, +which frees all the elements in the ulist - however that does not free +any inode lists that may be attached to elements, through the 'aux' field +of a ulist node, so we end up leaking lists if we have any attached to +the unodes. + +Fix this by calling free_leaf_list() instead of ulist_free() when we exit +from resolve_indirect_refs(). The static function free_leaf_list() is +moved up for this to be possible and it's slightly simplified by removing +unnecessary code. + +Fixes: 3301958b7c1d ("Btrfs: add inodes before dropping the extent lock in find_all_leafs") +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/backref.c | 36 +++++++++++++++++------------------- + 1 file changed, 17 insertions(+), 19 deletions(-) + +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c +index 7147bb66a482..4809cc07a885 100644 +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -642,6 +642,18 @@ unode_aux_to_inode_list(struct ulist_node *node) + return (struct extent_inode_elem *)(uintptr_t)node->aux; + } + ++static void free_leaf_list(struct ulist *ulist) ++{ ++ struct ulist_node *node; ++ struct ulist_iterator uiter; ++ ++ ULIST_ITER_INIT(&uiter); ++ while ((node = ulist_next(ulist, &uiter))) ++ free_inode_elem_list(unode_aux_to_inode_list(node)); ++ ++ ulist_free(ulist); ++} ++ + /* + * We maintain three separate rbtrees: one for direct refs, one for + * indirect refs which have a key, and one for indirect refs which do not +@@ -756,7 +768,11 @@ static int 
resolve_indirect_refs(struct btrfs_fs_info *fs_info, + cond_resched(); + } + out: +- ulist_free(parents); ++ /* ++ * We may have inode lists attached to refs in the parents ulist, so we ++ * must free them before freeing the ulist and its refs. ++ */ ++ free_leaf_list(parents); + return ret; + } + +@@ -1408,24 +1424,6 @@ static int find_parent_nodes(struct btrfs_trans_handle *trans, + return ret; + } + +-static void free_leaf_list(struct ulist *blocks) +-{ +- struct ulist_node *node = NULL; +- struct extent_inode_elem *eie; +- struct ulist_iterator uiter; +- +- ULIST_ITER_INIT(&uiter); +- while ((node = ulist_next(blocks, &uiter))) { +- if (!node->aux) +- continue; +- eie = unode_aux_to_inode_list(node); +- free_inode_elem_list(eie); +- node->aux = 0; +- } +- +- ulist_free(blocks); +-} +- + /* + * Finds all leafs with a reference to the specified combination of bytenr and + * offset. key_list_head will point to a list of corresponding keys (caller must +-- +2.35.1 + diff --git a/queue-5.4/btrfs-fix-inode-list-leak-during-backref-walking-at-.patch-32726 b/queue-5.4/btrfs-fix-inode-list-leak-during-backref-walking-at-.patch-32726 new file mode 100644 index 00000000000..0c95b72ae53 --- /dev/null +++ b/queue-5.4/btrfs-fix-inode-list-leak-during-backref-walking-at-.patch-32726 
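Review bot: The relocated `free_leaf_list()` drops the old `if (!node->aux) continue;` guard and now calls `free_inode_elem_list(unode_aux_to_inode_list(node))` for every node, so it silently depends on `free_inode_elem_list()` accepting a NULL list. That holds if the 5.4 version of that helper starts with a NULL check, which this hunk does not show; the backport should verify it, since it is a behaviour change relative to the removed code. A brief comment on the loop, `/* free_inode_elem_list() tolerates a NULL aux list */`, would record the assumption. The `ulist_free(parents)` → `free_leaf_list(parents)` replacement at `out:` also runs on the success path, which is correct only if by then the ulist is empty or its aux lists are not owned elsewhere; that part of resolve_indirect_refs() is outside the hunk.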
@@ -0,0 +1,81 @@ +From 94f5bb90b0a9d73d2cfe9c85f07dcc09af84f70f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 16:15:38 +0000 +Subject: btrfs: fix inode list leak during backref walking at + find_parent_nodes() + +From: Filipe Manana + +[ Upstream commit 92876eec382a0f19f33d09d2c939e9ca49038ae5 ] + +During backref walking, at find_parent_nodes(), if we are dealing with a +data extent and we get an error while resolving the indirect backrefs, at +resolve_indirect_refs(), or in the while loop that iterates over the refs +in the direct refs rbtree, we end up leaking the inode lists attached to +the direct refs we have in the direct refs rbtree that were not yet added +to the refs ulist passed as argument to find_parent_nodes(). Since they +were not yet added to the refs ulist and prelim_release() does not free +the lists, on error the caller can only free the lists attached to the +refs that were added to the refs ulist, all the remaining refs get their +inode lists never freed, therefore leaking their memory. + +Fix this by having prelim_release() always free any attached inode list +to each ref found in the rbtree, and have find_parent_nodes() set the +ref's inode list to NULL once it transfers ownership of the inode list +to a ref added to the refs ulist passed to find_parent_nodes(). 
+ +Fixes: 86d5f9944252 ("btrfs: convert prelimary reference tracking to use rbtrees") +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/backref.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c +index 4809cc07a885..3cbca2ebdeb0 100644 +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -287,8 +287,10 @@ static void prelim_release(struct preftree *preftree) + struct prelim_ref *ref, *next_ref; + + rbtree_postorder_for_each_entry_safe(ref, next_ref, +- &preftree->root.rb_root, rbnode) ++ &preftree->root.rb_root, rbnode) { ++ free_inode_elem_list(ref->inode_list); + free_pref(ref); ++ } + + preftree->root = RB_ROOT_CACHED; + preftree->count = 0; +@@ -1383,6 +1385,12 @@ static int find_parent_nodes(struct btrfs_trans_handle *trans, + if (ret < 0) + goto out; + ref->inode_list = eie; ++ /* ++ * We transferred the list ownership to the ref, ++ * so set to NULL to avoid a double free in case ++ * an error happens after this. ++ */ ++ eie = NULL; + } + ret = ulist_add_merge_ptr(refs, ref->parent, + ref->inode_list, +@@ -1408,6 +1416,14 @@ static int find_parent_nodes(struct btrfs_trans_handle *trans, + eie->next = ref->inode_list; + } + eie = NULL; ++ /* ++ * We have transferred the inode list ownership from ++ * this ref to the ref we added to the 'refs' ulist. ++ * So set this ref's inode list to NULL to avoid ++ * use-after-free when our caller uses it or double ++ * frees in case an error happens before we return. ++ */ ++ ref->inode_list = NULL; + } + cond_resched(); + } +-- +2.35.1 + diff --git a/queue-5.4/btrfs-fix-ulist-leaks-in-error-paths-of-qgroup-self-.patch b/queue-5.4/btrfs-fix-ulist-leaks-in-error-paths-of-qgroup-self-.patch new file mode 100644 index 00000000000..c470846b537 --- /dev/null +++ b/queue-5.4/btrfs-fix-ulist-leaks-in-error-paths-of-qgroup-self-.patch 
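Review bot: `prelim_release()` now frees `ref->inode_list` for every ref left in the tree, which turns "null the field after transferring the list" into a hard invariant for every site that takes an inode list out of a prelim_ref, yet the releasing function carries no comment saying so. I would add above `prelim_release()`: `/* Frees each ref and any inode list still attached to it; code that transfers ref->inode_list elsewhere must set it to NULL first (see find_parent_nodes()). */`. The two `= NULL` assignments in find_parent_nodes() are each explained inline, which is good, but the contract belongs at the owning side too so the next caller of prelim_release() sees it. Both functions extend beyond the hunks shown.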
@@ -0,0 +1,90 @@ +From 8550389017744dd9f8ea4f6ddb879318c3064ca0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 16:15:39 +0000 +Subject: btrfs: fix ulist leaks in error paths of qgroup self tests + +From: Filipe Manana + +[ Upstream commit d37de92b38932d40e4a251e876cc388f9aee5f42 ] + +In the test_no_shared_qgroup() and test_multiple_refs() qgroup self tests, +if we fail to add the tree ref, remove the extent item or remove the +extent ref, we are returning from the test function without freeing the +"old_roots" ulist that was allocated by the previous calls to +btrfs_find_all_roots(). Fix that by calling ulist_free() before returning. + +Fixes: 442244c96332 ("btrfs: qgroup: Switch self test to extent-oriented qgroup mechanism.") +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tests/qgroup-tests.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/fs/btrfs/tests/qgroup-tests.c b/fs/btrfs/tests/qgroup-tests.c +index ac035a6fa003..f312ed5abb19 100644 +--- a/fs/btrfs/tests/qgroup-tests.c ++++ b/fs/btrfs/tests/qgroup-tests.c +@@ -237,8 +237,10 @@ static int test_no_shared_qgroup(struct btrfs_root *root, + + ret = insert_normal_tree_ref(root, nodesize, nodesize, 0, + BTRFS_FS_TREE_OBJECTID); +- if (ret) ++ if (ret) { ++ ulist_free(old_roots); + return ret; ++ } + + ret = btrfs_find_all_roots(&trans, fs_info, nodesize, 0, &new_roots, + false); +@@ -273,8 +275,10 @@ static int test_no_shared_qgroup(struct btrfs_root *root, + } + + ret = remove_extent_item(root, nodesize, nodesize); +- if (ret) ++ if (ret) { ++ ulist_free(old_roots); + return -EINVAL; ++ } + + ret = btrfs_find_all_roots(&trans, fs_info, nodesize, 0, &new_roots, + false); +@@ -338,8 +342,10 @@ static int test_multiple_refs(struct btrfs_root *root, + + ret = insert_normal_tree_ref(root, nodesize, nodesize, 0, + BTRFS_FS_TREE_OBJECTID); +- if (ret) ++ if (ret) { ++ ulist_free(old_roots); + return 
ret; ++ } + + ret = btrfs_find_all_roots(&trans, fs_info, nodesize, 0, &new_roots, + false); +@@ -373,8 +379,10 @@ static int test_multiple_refs(struct btrfs_root *root, + + ret = add_tree_ref(root, nodesize, nodesize, 0, + BTRFS_FIRST_FREE_OBJECTID); +- if (ret) ++ if (ret) { ++ ulist_free(old_roots); + return ret; ++ } + + ret = btrfs_find_all_roots(&trans, fs_info, nodesize, 0, &new_roots, + false); +@@ -414,8 +422,10 @@ static int test_multiple_refs(struct btrfs_root *root, + + ret = remove_extent_ref(root, nodesize, nodesize, 0, + BTRFS_FIRST_FREE_OBJECTID); +- if (ret) ++ if (ret) { ++ ulist_free(old_roots); + return ret; ++ } + + ret = btrfs_find_all_roots(&trans, fs_info, nodesize, 0, &new_roots, + false); +-- +2.35.1 + diff --git a/queue-5.4/ib-hfi1-correctly-move-list-in-sc_disable.patch b/queue-5.4/ib-hfi1-correctly-move-list-in-sc_disable.patch new file mode 100644 index 00000000000..4c0ab22cf61 --- /dev/null +++ b/queue-5.4/ib-hfi1-correctly-move-list-in-sc_disable.patch 
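Review bot: The fix repeats `ulist_free(old_roots); return ...;` at five separate error sites across test_no_shared_qgroup() and test_multiple_refs(), which is the pattern that let these leaks slip in originally; a single `out:` label that frees `old_roots` (and `new_roots` where it has been allocated) with `goto out` at each failure would make the next missed site much harder to introduce. The error returns between the shown hunks (for example after a failed `btrfs_find_all_roots()`) are not visible here, so whether they free `old_roots` should be checked as part of the backport. The second site still returns `-EINVAL` where the others return `ret`; that is pre-existing, but worth unifying if the functions are reshaped into goto-cleanup form. Both functions extend beyond the hunks shown.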
@@ -0,0 +1,59 @@ +From 56def264184f051c5b5f1c7fcd3c73ee66e11628 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 10:27:50 -0400 +Subject: IB/hfi1: Correctly move list in sc_disable() + +From: Dean Luick + +[ Upstream commit 1afac08b39d85437187bb2a92d89a741b1078f55 ] + +Commit 13bac861952a ("IB/hfi1: Fix abba locking issue with sc_disable()") +incorrectly tries to move a list from one list head to another. The +result is a kernel crash. + +The crash is triggered when a link goes down and there are waiters for a +send to complete. The following signature is seen: + + BUG: kernel NULL pointer dereference, address: 0000000000000030 + [...] + Call Trace: + sc_disable+0x1ba/0x240 [hfi1] + pio_freeze+0x3d/0x60 [hfi1] + handle_freeze+0x27/0x1b0 [hfi1] + process_one_work+0x1b0/0x380 + ? process_one_work+0x380/0x380 + worker_thread+0x30/0x360 + ? process_one_work+0x380/0x380 + kthread+0xd7/0x100 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + +The fix is to use the correct call to move the list. 
+ +Fixes: 13bac861952a ("IB/hfi1: Fix abba locking issue with sc_disable()") +Signed-off-by: Dean Luick +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/166610327042.674422.6146908799669288976.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/pio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/pio.c b/drivers/infiniband/hw/hfi1/pio.c +index 1a82ea73a0fc..fa5de362010f 100644 +--- a/drivers/infiniband/hw/hfi1/pio.c ++++ b/drivers/infiniband/hw/hfi1/pio.c +@@ -955,8 +955,7 @@ void sc_disable(struct send_context *sc) + spin_unlock(&sc->release_lock); + + write_seqlock(&sc->waitlock); +- if (!list_empty(&sc->piowait)) +- list_move(&sc->piowait, &wake_list); ++ list_splice_init(&sc->piowait, &wake_list); + write_sequnlock(&sc->waitlock); + while (!list_empty(&wake_list)) { + struct iowait *wait; +-- +2.35.1 + diff --git a/queue-5.4/ipv6-fix-warning-in-ip6_route_net_exit_late.patch b/queue-5.4/ipv6-fix-warning-in-ip6_route_net_exit_late.patch new file mode 100644 index 00000000000..3e81a55b77c --- /dev/null +++ b/queue-5.4/ipv6-fix-warning-in-ip6_route_net_exit_late.patch 
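Review bot: The replacement `list_splice_init(&sc->piowait, &wake_list);` is right, but nothing in the code records why `list_move()` was wrong here (it treats the list head `sc->piowait` as an entry), so the same mistake can easily be repeated in a future edit of this block. A one-line comment would guard it: `/* piowait is a list head, not an entry: splice its waiters onto wake_list */`. Dropping the `list_empty()` check is fine, as splicing an empty list is a no-op. sc_disable() continues outside the hunk.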
@@ -0,0 +1,70 @@ +From 18bd9573c8066215d4139a1fcfe69a814eefc9cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 10:06:10 +0800 +Subject: ipv6: fix WARNING in ip6_route_net_exit_late() + +From: Zhengchao Shao + +[ Upstream commit 768b3c745fe5789f2430bdab02f35a9ad1148d97 ] + +During the initialization of ip6_route_net_init_late(), if file +ipv6_route or rt6_stats fails to be created, the initialization is +successful by default. Therefore, the ipv6_route or rt6_stats file +doesn't be found during the remove in ip6_route_net_exit_late(). It +will cause WRNING. + +The following is the stack information: +name 'rt6_stats' +WARNING: CPU: 0 PID: 9 at fs/proc/generic.c:712 remove_proc_entry+0x389/0x460 +Modules linked in: +Workqueue: netns cleanup_net +RIP: 0010:remove_proc_entry+0x389/0x460 +PKRU: 55555554 +Call Trace: + +ops_exit_list+0xb0/0x170 +cleanup_net+0x4ea/0xb00 +process_one_work+0x9bf/0x1710 +worker_thread+0x665/0x1080 +kthread+0x2e4/0x3a0 +ret_from_fork+0x1f/0x30 + + +Fixes: cdb1876192db ("[NETNS][IPV6] route6 - create route6 proc files for the namespace") +Signed-off-by: Zhengchao Shao +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20221102020610.351330-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 00732ee6bbd8..badfe6939638 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -6359,10 +6359,16 @@ static void __net_exit ip6_route_net_exit(struct net *net) + static int __net_init ip6_route_net_init_late(struct net *net) + { + #ifdef CONFIG_PROC_FS +- proc_create_net("ipv6_route", 0, net->proc_net, &ipv6_route_seq_ops, +- sizeof(struct ipv6_route_iter)); +- proc_create_net_single("rt6_stats", 0444, net->proc_net, +- rt6_stats_seq_show, NULL); ++ if (!proc_create_net("ipv6_route", 0, net->proc_net, ++ &ipv6_route_seq_ops, ++ 
sizeof(struct ipv6_route_iter))) ++ return -ENOMEM; ++ ++ if (!proc_create_net_single("rt6_stats", 0444, net->proc_net, ++ rt6_stats_seq_show, NULL)) { ++ remove_proc_entry("ipv6_route", net->proc_net); ++ return -ENOMEM; ++ } + #endif + return 0; + } +-- +2.35.1 + diff --git a/queue-5.4/ipvs-fix-warning-in-__ip_vs_cleanup_batch.patch b/queue-5.4/ipvs-fix-warning-in-__ip_vs_cleanup_batch.patch new file mode 100644 index 00000000000..7ee30d7c860 --- /dev/null +++ b/queue-5.4/ipvs-fix-warning-in-__ip_vs_cleanup_batch.patch 
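Review bot: The `remove_proc_entry("ipv6_route", net->proc_net);` before the second `return -ENOMEM;` is the one non-obvious line of the new code and carries no explanation; as far as I can tell it is needed because a pernet init that fails does not get its exit callback run, so `ip6_route_net_exit_late()` will never remove the first entry. A comment such as `/* exit_late does not run for a failed init, so undo the first entry here */` would stop someone deleting it as redundant. Mapping a NULL from `proc_create_net()` to -ENOMEM is the usual convention but is an assumption (the helper does not return an errno); acceptable, just noting it. ip6_route_net_init_late() is shown in full only on the new side; the surrounding functions are outside the hunk.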
@@ -0,0 +1,90 @@ +From a11c42c4a069684537d0d83d757c5e880a6e9b6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 20:07:04 +0800 +Subject: ipvs: fix WARNING in __ip_vs_cleanup_batch() + +From: Zhengchao Shao + +[ Upstream commit 3d00c6a0da8ddcf75213e004765e4a42acc71d5d ] + +During the initialization of ip_vs_conn_net_init(), if file ip_vs_conn +or ip_vs_conn_sync fails to be created, the initialization is successful +by default. Therefore, the ip_vs_conn or ip_vs_conn_sync file doesn't +be found during the remove. + +The following is the stack information: +name 'ip_vs_conn_sync' +WARNING: CPU: 3 PID: 9 at fs/proc/generic.c:712 +remove_proc_entry+0x389/0x460 +Modules linked in: +Workqueue: netns cleanup_net +RIP: 0010:remove_proc_entry+0x389/0x460 +Call Trace: + +__ip_vs_cleanup_batch+0x7d/0x120 +ops_exit_list+0x125/0x170 +cleanup_net+0x4ea/0xb00 +process_one_work+0x9bf/0x1710 +worker_thread+0x665/0x1080 +kthread+0x2e4/0x3a0 +ret_from_fork+0x1f/0x30 + + +Fixes: 61b1ab4583e2 ("IPVS: netns, add basic init per netns.") +Signed-off-by: Zhengchao Shao +Acked-by: Julian Anastasov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_conn.c | 26 +++++++++++++++++++++----- + 1 file changed, 21 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c +index e913ab0096cb..d66548d2e5de 100644 +--- a/net/netfilter/ipvs/ip_vs_conn.c ++++ b/net/netfilter/ipvs/ip_vs_conn.c +@@ -1373,20 +1373,36 @@ int __net_init ip_vs_conn_net_init(struct netns_ipvs *ipvs) + { + atomic_set(&ipvs->conn_count, 0); + +- proc_create_net("ip_vs_conn", 0, ipvs->net->proc_net, +- &ip_vs_conn_seq_ops, sizeof(struct ip_vs_iter_state)); +- proc_create_net("ip_vs_conn_sync", 0, ipvs->net->proc_net, +- &ip_vs_conn_sync_seq_ops, +- sizeof(struct ip_vs_iter_state)); ++#ifdef CONFIG_PROC_FS ++ if (!proc_create_net("ip_vs_conn", 0, ipvs->net->proc_net, ++ &ip_vs_conn_seq_ops, ++ sizeof(struct 
ip_vs_iter_state))) ++ goto err_conn; ++ ++ if (!proc_create_net("ip_vs_conn_sync", 0, ipvs->net->proc_net, ++ &ip_vs_conn_sync_seq_ops, ++ sizeof(struct ip_vs_iter_state))) ++ goto err_conn_sync; ++#endif ++ + return 0; ++ ++#ifdef CONFIG_PROC_FS ++err_conn_sync: ++ remove_proc_entry("ip_vs_conn", ipvs->net->proc_net); ++err_conn: ++ return -ENOMEM; ++#endif + } + + void __net_exit ip_vs_conn_net_cleanup(struct netns_ipvs *ipvs) + { + /* flush all the connection entries first */ + ip_vs_conn_flush(ipvs); ++#ifdef CONFIG_PROC_FS + remove_proc_entry("ip_vs_conn", ipvs->net->proc_net); + remove_proc_entry("ip_vs_conn_sync", ipvs->net->proc_net); ++#endif + } + + int __init ip_vs_conn_init(void) +-- +2.35.1 + diff --git a/queue-5.4/ipvs-fix-warning-in-ip_vs_app_net_cleanup.patch b/queue-5.4/ipvs-fix-warning-in-ip_vs_app_net_cleanup.patch new file mode 100644 index 00000000000..95033973686 --- /dev/null +++ b/queue-5.4/ipvs-fix-warning-in-ip_vs_app_net_cleanup.patch 
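Review bot: The new NULL checks are wrapped in a freshly added `#ifdef CONFIG_PROC_FS` without saying why, and the same construction appears in the ip_vs_app patch that follows; the reason — presumably that the !CONFIG_PROC_FS stubs of `proc_create_net()` return NULL, which would otherwise make every netns init fail with -ENOMEM — deserves a comment above the first check, e.g. `/* guarded: without procfs the proc_create_net() stubs return NULL */`. The two labels `err_conn_sync:` and `err_conn:` sit in a second `#ifdef` block after `return 0;`, which reads oddly; a one-liner such as `/* labels are only referenced under CONFIG_PROC_FS; kept inside the ifdef to avoid unused-label warnings */` would explain the split. `ip_vs_conn_net_cleanup()` now removes both entries unconditionally under the ifdef, which is consistent with init failing whenever either creation fails.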
@@ -0,0 +1,68 @@ +From 46cbf1847493573e4c14505fb952bb5715f50aaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 20:07:05 +0800 +Subject: ipvs: fix WARNING in ip_vs_app_net_cleanup() + +From: Zhengchao Shao + +[ Upstream commit 5663ed63adb9619c98ab7479aa4606fa9b7a548c ] + +During the initialization of ip_vs_app_net_init(), if file ip_vs_app +fails to be created, the initialization is successful by default. +Therefore, the ip_vs_app file doesn't be found during the remove in +ip_vs_app_net_cleanup(). It will cause WRNING. + +The following is the stack information: +name 'ip_vs_app' +WARNING: CPU: 1 PID: 9 at fs/proc/generic.c:712 remove_proc_entry+0x389/0x460 +Modules linked in: +Workqueue: netns cleanup_net +RIP: 0010:remove_proc_entry+0x389/0x460 +Call Trace: + +ops_exit_list+0x125/0x170 +cleanup_net+0x4ea/0xb00 +process_one_work+0x9bf/0x1710 +worker_thread+0x665/0x1080 +kthread+0x2e4/0x3a0 +ret_from_fork+0x1f/0x30 + + +Fixes: 457c4cbc5a3d ("[NET]: Make /proc/net per network namespace") +Signed-off-by: Zhengchao Shao +Acked-by: Julian Anastasov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_app.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_app.c b/net/netfilter/ipvs/ip_vs_app.c +index f9b16f2b2219..fdacbc3c15be 100644 +--- a/net/netfilter/ipvs/ip_vs_app.c ++++ b/net/netfilter/ipvs/ip_vs_app.c +@@ -599,13 +599,19 @@ static const struct seq_operations ip_vs_app_seq_ops = { + int __net_init ip_vs_app_net_init(struct netns_ipvs *ipvs) + { + INIT_LIST_HEAD(&ipvs->app_list); +- proc_create_net("ip_vs_app", 0, ipvs->net->proc_net, &ip_vs_app_seq_ops, +- sizeof(struct seq_net_private)); ++#ifdef CONFIG_PROC_FS ++ if (!proc_create_net("ip_vs_app", 0, ipvs->net->proc_net, ++ &ip_vs_app_seq_ops, ++ sizeof(struct seq_net_private))) ++ return -ENOMEM; ++#endif + return 0; + } + + void __net_exit ip_vs_app_net_cleanup(struct netns_ipvs *ipvs) + { + 
unregister_ip_vs_app(ipvs, NULL /* all */); ++#ifdef CONFIG_PROC_FS + remove_proc_entry("ip_vs_app", ipvs->net->proc_net); ++#endif + } +-- +2.35.1 + diff --git a/queue-5.4/ipvs-use-explicitly-signed-chars.patch b/queue-5.4/ipvs-use-explicitly-signed-chars.patch new file mode 100644 index 00000000000..6cd22fcac7f --- /dev/null +++ b/queue-5.4/ipvs-use-explicitly-signed-chars.patch @@ -0,0 +1,41 @@ +From 8b7b8f5667eb0ac128d5951158ac9ff03de094be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Oct 2022 14:32:16 +0200 +Subject: ipvs: use explicitly signed chars + +From: Jason A. Donenfeld + +[ Upstream commit 5c26159c97b324dc5174a5713eafb8c855cf8106 ] + +The `char` type with no explicit sign is sometimes signed and sometimes +unsigned. This code will break on platforms such as arm, where char is +unsigned. So mark it here as explicitly signed, so that the +todrop_counter decrement and subsequent comparison is correct. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jason A. Donenfeld +Acked-by: Julian Anastasov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_conn.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c +index a189079a6ea5..e913ab0096cb 100644 +--- a/net/netfilter/ipvs/ip_vs_conn.c ++++ b/net/netfilter/ipvs/ip_vs_conn.c +@@ -1225,8 +1225,8 @@ static inline int todrop_entry(struct ip_vs_conn *cp) + * The drop rate array needs tuning for real environments. + * Called from timer bh only => no locking + */ +- static const char todrop_rate[9] = {0, 1, 2, 3, 4, 5, 6, 7, 8}; +- static char todrop_counter[9] = {0}; ++ static const signed char todrop_rate[9] = {0, 1, 2, 3, 4, 5, 6, 7, 8}; ++ static signed char todrop_counter[9] = {0}; + int i; + + /* if the conn entry hasn't lasted for 60 seconds, don't drop it. +-- +2.35.1 + 
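Review bot: The sign fix is correct, but the kernel's usual spelling for an explicitly signed 8-bit value is `s8`, so `static const s8 todrop_rate[9] = {0, 1, 2, 3, 4, 5, 6, 7, 8};` and `static s8 todrop_counter[9] = {0};` would say the same thing in the idiom readers expect; a point of style only. The decrement and comparison whose correctness depends on the sign live in todrop_entry() outside the hunk, so whether any other plain-`char` arithmetic in that function needs the same treatment cannot be seen here.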
diff --git a/queue-5.4/isdn-misdn-netjet-fix-wrong-check-of-device-registra.patch b/queue-5.4/isdn-misdn-netjet-fix-wrong-check-of-device-registra.patch new file mode 100644 index 00000000000..5f0184b59ee --- /dev/null +++ b/queue-5.4/isdn-misdn-netjet-fix-wrong-check-of-device-registra.patch @@ -0,0 +1,37 @@ +From c98aead40cdb046e48557248596dde56630dc4ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 20:13:41 +0800 +Subject: isdn: mISDN: netjet: fix wrong check of device registration + +From: Yang Yingliang + +[ Upstream commit bf00f5426074249058a106a6edbb89e4b25a4d79 ] + +The class is set in mISDN_register_device(), but if device_add() returns +error, it will lead to delete a device without added, fix this by using +device_is_registered() to check if the device is registered. + +Fixes: a900845e5661 ("mISDN: Add support for Traverse Technologies NETJet PCI cards") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/netjet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/isdn/hardware/mISDN/netjet.c b/drivers/isdn/hardware/mISDN/netjet.c +index 8299defff55a..6d818d5d1377 100644 +--- a/drivers/isdn/hardware/mISDN/netjet.c ++++ b/drivers/isdn/hardware/mISDN/netjet.c +@@ -956,7 +956,7 @@ nj_release(struct tiger_hw *card) + } + if (card->irq > 0) + free_irq(card->irq, card); +- if (card->isac.dch.dev.dev.class) ++ if (device_is_registered(&card->isac.dch.dev.dev)) + mISDN_unregister_device(&card->isac.dch.dev); + + for (i = 0; i < 2; i++) { +-- +2.35.1 + diff --git a/queue-5.4/misdn-fix-possible-memory-leak-in-misdn_register_dev.patch b/queue-5.4/misdn-fix-possible-memory-leak-in-misdn_register_dev.patch new file mode 100644 index 00000000000..819076533a0 --- /dev/null +++ b/queue-5.4/misdn-fix-possible-memory-leak-in-misdn_register_dev.patch 
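Review bot: The new guard `device_is_registered(&card->isac.dch.dev.dev)` only gives the intended result together with the mISDN core change in this same series, which now sets `dev.class` before create_stack() and drops the reference with put_device() on failure; once the class is set early, the old class-based test would always be true, so the two patches should stay paired when backported. device_is_registered() reports whether device_add() completed, so a failed registration no longer reaches mISDN_unregister_device(); whether the rest of nj_release(), which continues outside the hunk, still releases the device reference taken for a failed registration is not visible here and is worth confirming.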
@@ -0,0 +1,56 @@ +From f7bc42741cbda09db93b00f25513eba5dbbd86fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 20:13:40 +0800 +Subject: mISDN: fix possible memory leak in mISDN_register_device() + +From: Yang Yingliang + +[ Upstream commit e7d1d4d9ac0dfa40be4c2c8abd0731659869b297 ] + +Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's +bus_id string array"), the name of device is allocated dynamically, +add put_device() to give up the reference, so that the name can be +freed in kobject_cleanup() when the refcount is 0. + +Set device class before put_device() to avoid null release() function +WARN message in device_release(). + +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/isdn/mISDN/core.c b/drivers/isdn/mISDN/core.c +index a41b4b264594..7ea0100f218a 100644 +--- a/drivers/isdn/mISDN/core.c ++++ b/drivers/isdn/mISDN/core.c +@@ -233,11 +233,12 @@ mISDN_register_device(struct mISDNdevice *dev, + if (debug & DEBUG_CORE) + printk(KERN_DEBUG "mISDN_register %s %d\n", + dev_name(&dev->dev), dev->id); ++ dev->dev.class = &mISDN_class; ++ + err = create_stack(dev); + if (err) + goto error1; + +- dev->dev.class = &mISDN_class; + dev->dev.platform_data = dev; + dev->dev.parent = parent; + dev_set_drvdata(&dev->dev, dev); +@@ -249,8 +250,8 @@ mISDN_register_device(struct mISDNdevice *dev, + + error3: + delete_stack(dev); +- return err; + error1: ++ put_device(&dev->dev); + return err; + + } +-- +2.35.1 + diff --git a/queue-5.4/net-dsa-fix-possible-memory-leaks-in-dsa_loop_init.patch b/queue-5.4/net-dsa-fix-possible-memory-leaks-in-dsa_loop_init.patch new file mode 100644 index 00000000000..5e31471b661 --- /dev/null +++ b/queue-5.4/net-dsa-fix-possible-memory-leaks-in-dsa_loop_init.patch 
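Review bot: With the `return err` after delete_stack() removed, the error3 path now falls through to error1 and its new put_device(); the hunk shows only those two labels, so any label between them outside the hunk also lands on that put_device(), which appears to be the intent but deserves a comment at error1 such as `/* drop the device_initialize() reference; also frees the dynamically allocated name */`. Dropping the last reference on a device that never completed device_add() may run mISDN_class's release callback (the commit message says the class is now set early precisely so that callback exists), so it is worth confirming that the callback does not free the containing structure while callers such as nj_release() still use it; that cannot be checked from this hunk, and mISDN_register_device() continues outside it.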
@@ -0,0 +1,108 @@ +From 3780002d1fcf5fc87dea659c96cf4bfd33ed3d03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Oct 2022 10:03:21 +0800 +Subject: net: dsa: Fix possible memory leaks in dsa_loop_init() + +From: Chen Zhongjin + +[ Upstream commit 633efc8b3dc96f56f5a57f2a49764853a2fa3f50 ] + +kmemleak reported memory leaks in dsa_loop_init(): + +kmemleak: 12 new suspected memory leaks + +unreferenced object 0xffff8880138ce000 (size 2048): + comm "modprobe", pid 390, jiffies 4295040478 (age 238.976s) + backtrace: + [<000000006a94f1d5>] kmalloc_trace+0x26/0x60 + [<00000000a9c44622>] phy_device_create+0x5d/0x970 + [<00000000d0ee2afc>] get_phy_device+0xf3/0x2b0 + [<00000000dca0c71f>] __fixed_phy_register.part.0+0x92/0x4e0 + [<000000008a834798>] fixed_phy_register+0x84/0xb0 + [<0000000055223fcb>] dsa_loop_init+0xa9/0x116 [dsa_loop] + ... + +There are two reasons for memleak in dsa_loop_init(). + +First, fixed_phy_register() create and register phy_device: + +fixed_phy_register() + get_phy_device() + phy_device_create() # freed by phy_device_free() + phy_device_register() # freed by phy_device_remove() + +But fixed_phy_unregister() only calls phy_device_remove(). +So the memory allocated in phy_device_create() is leaked. + +Second, when mdio_driver_register() fail in dsa_loop_init(), +it just returns and there is no cleanup for phydevs. + +Fix the problems by catching the error of mdio_driver_register() +in dsa_loop_init(), then calling both fixed_phy_unregister() and +phy_device_free() to release phydevs. +Also add a function for phydevs cleanup to avoid duplacate. + +Fixes: 98cd1552ea27 ("net: dsa: Mock-up driver") +Signed-off-by: Chen Zhongjin +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/dsa_loop.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/dsa/dsa_loop.c b/drivers/net/dsa/dsa_loop.c +index 0df6c2b9484a..e99e38c6738e 100644 +--- a/drivers/net/dsa/dsa_loop.c ++++ b/drivers/net/dsa/dsa_loop.c +@@ -329,6 +329,17 @@ static struct mdio_driver dsa_loop_drv = { + + #define NUM_FIXED_PHYS (DSA_LOOP_NUM_PORTS - 2) + ++static void dsa_loop_phydevs_unregister(void) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < NUM_FIXED_PHYS; i++) ++ if (!IS_ERR(phydevs[i])) { ++ fixed_phy_unregister(phydevs[i]); ++ phy_device_free(phydevs[i]); ++ } ++} ++ + static int __init dsa_loop_init(void) + { + struct fixed_phy_status status = { +@@ -336,23 +347,23 @@ static int __init dsa_loop_init(void) + .speed = SPEED_100, + .duplex = DUPLEX_FULL, + }; +- unsigned int i; ++ unsigned int i, ret; + + for (i = 0; i < NUM_FIXED_PHYS; i++) + phydevs[i] = fixed_phy_register(PHY_POLL, &status, NULL); + +- return mdio_driver_register(&dsa_loop_drv); ++ ret = mdio_driver_register(&dsa_loop_drv); ++ if (ret) ++ dsa_loop_phydevs_unregister(); ++ ++ return ret; + } + module_init(dsa_loop_init); + + static void __exit dsa_loop_exit(void) + { +- unsigned int i; +- + mdio_driver_unregister(&dsa_loop_drv); +- for (i = 0; i < NUM_FIXED_PHYS; i++) +- if (!IS_ERR(phydevs[i])) +- fixed_phy_unregister(phydevs[i]); ++ dsa_loop_phydevs_unregister(); + } + module_exit(dsa_loop_exit); + +-- +2.35.1 + diff --git a/queue-5.4/net-fec-fix-improper-use-of-netdev_tx_busy.patch b/queue-5.4/net-fec-fix-improper-use-of-netdev_tx_busy.patch new file mode 100644 index 00000000000..9fc7f2aa566 --- /dev/null +++ b/queue-5.4/net-fec-fix-improper-use-of-netdev_tx_busy.patch 
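Review bot: `unsigned int i, ret;` in dsa_loop_init() stores the int result of mdio_driver_register() in an unsigned variable; a negative errno survives the round trip through `return ret` on the ABIs Linux runs on, but the declaration reads as a bug, so split it as `unsigned int i;` and `int ret;`. The new dsa_loop_phydevs_unregister() walks phydevs[] (declared outside the hunk) and frees each entry that is not an error pointer without clearing it, which is fine for the single init/exit cycle shown but would double-free if it were ever reached twice; writing `phydevs[i] = NULL;` after phy_device_free() and testing `if (phydevs[i] && !IS_ERR(phydevs[i]))` is cheap insurance. The for body in the helper is an unbraced if with a braced body, which the kernel's style tolerates but a pair of braces on the loop would make clearer.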
@@ -0,0 +1,47 @@ +From cd2e7a468d976a2692e015a22cacaad6783ad8fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 10:09:11 +0800 +Subject: net: fec: fix improper use of NETDEV_TX_BUSY + +From: Zhang Changzhong + +[ Upstream commit 06a4df5863f73af193a4ff7abf7cb04058584f06 ] + +The ndo_start_xmit() method must not free skb when returning +NETDEV_TX_BUSY, since caller is going to requeue freed skb. + +Fix it by returning NETDEV_TX_OK in case of dma_map_single() fails. + +Fixes: 79f339125ea3 ("net: fec: Add software TSO support") +Signed-off-by: Zhang Changzhong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index a31f891d51fb..e1b8c58c4d6b 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -626,7 +626,7 @@ fec_enet_txq_put_data_tso(struct fec_enet_priv_tx_q *txq, struct sk_buff *skb, + dev_kfree_skb_any(skb); + if (net_ratelimit()) + netdev_err(ndev, "Tx DMA memory map failed\n"); +- return NETDEV_TX_BUSY; ++ return NETDEV_TX_OK; + } + + bdp->cbd_datlen = cpu_to_fec16(size); +@@ -688,7 +688,7 @@ fec_enet_txq_put_hdr_tso(struct fec_enet_priv_tx_q *txq, + dev_kfree_skb_any(skb); + if (net_ratelimit()) + netdev_err(ndev, "Tx DMA memory map failed\n"); +- return NETDEV_TX_BUSY; ++ return NETDEV_TX_OK; + } + } + +-- +2.35.1 + diff --git a/queue-5.4/net-mdio-fix-undefined-behavior-in-bit-shift-for-__m.patch b/queue-5.4/net-mdio-fix-undefined-behavior-in-bit-shift-for-__m.patch new file mode 100644 index 00000000000..6380dcc7193 --- /dev/null +++ b/queue-5.4/net-mdio-fix-undefined-behavior-in-bit-shift-for-__m.patch 
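Review bot: Both hunks now drop the skb and report NETDEV_TX_OK, which is the ndo_start_xmit contract the commit message cites, but the drop becomes invisible to the stack: nothing in either hunk bumps `ndev->stats.tx_dropped`, so a DMA-mapping failure is only observable through the rate-limited netdev_err(). Adding `ndev->stats.tx_dropped++;` beside dev_kfree_skb_any() in fec_enet_txq_put_data_tso() and fec_enet_txq_put_hdr_tso() would make the drops countable; if the driver accounts for them elsewhere, which is not visible here, a comment saying so at these two sites would do. Both functions continue outside their hunks.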
@@ -0,0 +1,54 @@ +From 8b8b924133c1949b2c54e311231104de733d4ffe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 21:26:45 +0800 +Subject: net: mdio: fix undefined behavior in bit shift for __mdiobus_register + +From: Gaosheng Cui + +[ Upstream commit 40e4eb324c59e11fcb927aa46742d28aba6ecb8a ] + +Shifting signed 32-bit value by 31 bits is undefined, so changing +significant bit to unsigned. The UBSAN warning calltrace like below: + +UBSAN: shift-out-of-bounds in drivers/net/phy/mdio_bus.c:586:27 +left shift of 1 by 31 places cannot be represented in type 'int' +Call Trace: + + dump_stack_lvl+0x7d/0xa5 + dump_stack+0x15/0x1b + ubsan_epilogue+0xe/0x4e + __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c + __mdiobus_register+0x49d/0x4e0 + fixed_mdio_bus_init+0xd8/0x12d + do_one_initcall+0x76/0x430 + kernel_init_freeable+0x3b3/0x422 + kernel_init+0x24/0x1e0 + ret_from_fork+0x1f/0x30 + + +Fixes: 4fd5f812c23c ("phylib: allow incremental scanning of an mii bus") +Signed-off-by: Gaosheng Cui +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20221031132645.168421-1-cuigaosheng1@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mdio_bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index 05c24db507a2..757763735e1f 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -419,7 +419,7 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner) + bus->reset(bus); + + for (i = 0; i < PHY_MAX_ADDR; i++) { +- if ((bus->phy_mask & (1 << i)) == 0) { ++ if ((bus->phy_mask & BIT(i)) == 0) { + struct phy_device *phydev; + + phydev = mdiobus_scan(bus, i); +-- +2.35.1 + diff --git a/queue-5.4/net-neigh-fix-null-ptr-deref-in-neigh_table_clear.patch b/queue-5.4/net-neigh-fix-null-ptr-deref-in-neigh_table_clear.patch new file mode 100644 index 00000000000..aa1f646d15c --- /dev/null 
+++ b/queue-5.4/net-neigh-fix-null-ptr-deref-in-neigh_table_clear.patch 
@@ -0,0 +1,65 @@ +From bc954f862769f1dd0cf27478af190187c157ba7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 20:15:52 +0800 +Subject: net, neigh: Fix null-ptr-deref in neigh_table_clear() + +From: Chen Zhongjin + +[ Upstream commit f8017317cb0b279b8ab98b0f3901a2e0ac880dad ] + +When IPv6 module gets initialized but hits an error in the middle, +kenel panic with: + +KASAN: null-ptr-deref in range [0x0000000000000598-0x000000000000059f] +CPU: 1 PID: 361 Comm: insmod +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) +RIP: 0010:__neigh_ifdown.isra.0+0x24b/0x370 +RSP: 0018:ffff888012677908 EFLAGS: 00000202 +... +Call Trace: + + neigh_table_clear+0x94/0x2d0 + ndisc_cleanup+0x27/0x40 [ipv6] + inet6_init+0x21c/0x2cb [ipv6] + do_one_initcall+0xd3/0x4d0 + do_init_module+0x1ae/0x670 +... +Kernel panic - not syncing: Fatal exception + +When ipv6 initialization fails, it will try to cleanup and calls: + +neigh_table_clear() + neigh_ifdown(tbl, NULL) + pneigh_queue_purge(&tbl->proxy_queue, dev_net(dev == NULL)) + # dev_net(NULL) triggers null-ptr-deref. + +Fix it by passing NULL to pneigh_queue_purge() in neigh_ifdown() if dev +is NULL, to make kernel not panic immediately. + +Fixes: 66ba215cb513 ("neigh: fix possible DoS due to net iface start/stop loop") +Signed-off-by: Chen Zhongjin +Reviewed-by: Eric Dumazet +Reviewed-by: Denis V. 
Lunev +Link: https://lore.kernel.org/r/20221101121552.21890-1-chenzhongjin@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/neighbour.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index aa81aead0a65..67820219e3b6 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -373,7 +373,7 @@ static int __neigh_ifdown(struct neigh_table *tbl, struct net_device *dev, + write_lock_bh(&tbl->lock); + neigh_flush_dev(tbl, dev, skip_perm); + pneigh_ifdown_and_unlock(tbl, dev); +- pneigh_queue_purge(&tbl->proxy_queue, dev_net(dev)); ++ pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL); + if (skb_queue_empty_lockless(&tbl->proxy_queue)) + del_timer_sync(&tbl->proxy_timer); + return 0; +-- +2.35.1 + diff --git a/queue-5.4/net-sched-fix-use-after-free-in-red_enqueue.patch b/queue-5.4/net-sched-fix-use-after-free-in-red_enqueue.patch new file mode 100644 index 00000000000..a34ef54c28b --- /dev/null +++ b/queue-5.4/net-sched-fix-use-after-free-in-red_enqueue.patch 
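Review bot: The new `dev ? dev_net(dev) : NULL` only avoids the dereference; what pneigh_queue_purge() does with a NULL net is outside the hunk and decides whether neigh_table_clear() still drains the proxy queue or leaves skbs queued until the timer fires or the table is freed. Please confirm that pneigh_queue_purge() treats NULL as "every namespace" and record it at the call, e.g. `/* dev == NULL: called from neigh_table_clear(); purge every queued skb */`. __neigh_ifdown()'s signature opens the hunk but its body continues after it.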
@@ -0,0 +1,49 @@ +From fb648475fbbab934a29e01b55802dcdb75281353 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 18:05:00 +0300 +Subject: net: sched: Fix use after free in red_enqueue() + +From: Dan Carpenter + +[ Upstream commit 8bdc2acd420c6f3dd1f1c78750ec989f02a1e2b9 ] + +We can't use "skb" again after passing it to qdisc_enqueue(). This is +basically identical to commit 2f09707d0c97 ("sch_sfb: Also store skb +len before calling child enqueue"). + +Fixes: d7f4f332f082 ("sch_red: update backlog as well") +Signed-off-by: Dan Carpenter +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_red.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c +index 7741f102be4a..476853ff6989 100644 +--- a/net/sched/sch_red.c ++++ b/net/sched/sch_red.c +@@ -59,6 +59,7 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch, + { + struct red_sched_data *q = qdisc_priv(sch); + struct Qdisc *child = q->qdisc; ++ unsigned int len; + int ret; + + q->vars.qavg = red_calc_qavg(&q->parms, +@@ -94,9 +95,10 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch, + break; + } + ++ len = qdisc_pkt_len(skb); + ret = qdisc_enqueue(skb, child, to_free); + if (likely(ret == NET_XMIT_SUCCESS)) { +- qdisc_qstats_backlog_inc(sch, skb); ++ sch->qstats.backlog += len; + sch->q.qlen++; + } else if (net_xmit_drop_count(ret)) { + q->stats.pdrop++; +-- +2.35.1 + diff --git a/queue-5.4/net-tun-fix-bugs-for-oversize-packet-when-napi-frags.patch b/queue-5.4/net-tun-fix-bugs-for-oversize-packet-when-napi-frags.patch new file mode 100644 index 00000000000..5ad120ada12 --- /dev/null +++ b/queue-5.4/net-tun-fix-bugs-for-oversize-packet-when-napi-frags.patch 
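Review bot: `len = qdisc_pkt_len(skb)` is now read before qdisc_enqueue() because the child may free the skb, but nothing at the call site says so; a comment such as `/* skb may be freed by the child enqueue; read the length first */` above the assignment would stop a future cleanup from folding it back into qdisc_qstats_backlog_inc(). red_enqueue() continues outside the hunk, so whether any other use of skb after the enqueue remains in the rest of the function is not visible here.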
@@ -0,0 +1,96 @@ +From 6cfb2266662a0970d73ee1c8f33ac3cde43064a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Oct 2022 17:41:01 +0800 +Subject: net: tun: fix bugs for oversize packet when napi frags enabled + +From: Ziyang Xuan + +[ Upstream commit 363a5328f4b0517e59572118ccfb7c626d81dca9 ] + +Recently, we got two syzkaller problems because of oversize packet +when napi frags enabled. + +One of the problems is because the first seg size of the iov_iter +from user space is very big, it is 2147479538 which is bigger than +the threshold value for bail out early in __alloc_pages(). And +skb->pfmemalloc is true, __kmalloc_reserve() would use pfmemalloc +reserves without __GFP_NOWARN flag. Thus we got a warning as following: + +======================================================== +WARNING: CPU: 1 PID: 17965 at mm/page_alloc.c:5295 __alloc_pages+0x1308/0x16c4 mm/page_alloc.c:5295 +... +Call trace: + __alloc_pages+0x1308/0x16c4 mm/page_alloc.c:5295 + __alloc_pages_node include/linux/gfp.h:550 [inline] + alloc_pages_node include/linux/gfp.h:564 [inline] + kmalloc_large_node+0x94/0x350 mm/slub.c:4038 + __kmalloc_node_track_caller+0x620/0x8e4 mm/slub.c:4545 + __kmalloc_reserve.constprop.0+0x1e4/0x2b0 net/core/skbuff.c:151 + pskb_expand_head+0x130/0x8b0 net/core/skbuff.c:1654 + __skb_grow include/linux/skbuff.h:2779 [inline] + tun_napi_alloc_frags+0x144/0x610 drivers/net/tun.c:1477 + tun_get_user+0x31c/0x2010 drivers/net/tun.c:1835 + tun_chr_write_iter+0x98/0x100 drivers/net/tun.c:2036 + +The other problem is because odd IPv6 packets without NEXTHDR_NONE +extension header and have big packet length, it is 2127925 which is +bigger than ETH_MAX_MTU(65535). After ipv6_gso_pull_exthdrs() in +ipv6_gro_receive(), network_header offset and transport_header offset +are all bigger than U16_MAX. That would trigger skb->network_header +and skb->transport_header overflow error, because they are all '__u16' +type. 
Eventually, it would affect the value for __skb_push(skb, value), +and make it be a big value. After __skb_push() in ipv6_gro_receive(), +skb->data would less than skb->head, an out of bounds memory bug occurred. +That would trigger the problem as following: + +================================================================== +BUG: KASAN: use-after-free in eth_type_trans+0x100/0x260 +... +Call trace: + dump_backtrace+0xd8/0x130 + show_stack+0x1c/0x50 + dump_stack_lvl+0x64/0x7c + print_address_description.constprop.0+0xbc/0x2e8 + print_report+0x100/0x1e4 + kasan_report+0x80/0x120 + __asan_load8+0x78/0xa0 + eth_type_trans+0x100/0x260 + napi_gro_frags+0x164/0x550 + tun_get_user+0xda4/0x1270 + tun_chr_write_iter+0x74/0x130 + do_iter_readv_writev+0x130/0x1ec + do_iter_write+0xbc/0x1e0 + vfs_writev+0x13c/0x26c + +To fix the problems, restrict the packet size less than +(ETH_MAX_MTU - NET_SKB_PAD - NET_IP_ALIGN) which has considered reserved +skb space in napi_alloc_skb() because transport_header is an offset from +skb->head. Add len check in tun_napi_alloc_frags() simply. + +Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver") +Signed-off-by: Ziyang Xuan +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20221029094101.1653855-1-william.xuanziyang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index dd02fcc97277..22a46a1382ba 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1492,7 +1492,8 @@ static struct sk_buff *tun_napi_alloc_frags(struct tun_file *tfile, + int err; + int i; + +- if (it->nr_segs > MAX_SKB_FRAGS + 1) ++ if (it->nr_segs > MAX_SKB_FRAGS + 1 || ++ len > (ETH_MAX_MTU - NET_SKB_PAD - NET_IP_ALIGN)) + return ERR_PTR(-EMSGSIZE); + + local_bh_disable(); +-- +2.35.1 + 
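Review bot: The limit `ETH_MAX_MTU - NET_SKB_PAD - NET_IP_ALIGN` encodes the headroom reserved by napi_alloc_skb() and the __u16 header-offset rationale only in the commit message; a named constant or a comment at the check, e.g. `/* header offsets are __u16; cap len so they cannot wrap once napi_alloc_skb() headroom is added */`, would keep that reasoning with the code. The type of `len` is declared outside the hunk: if it is a size_t the comparison is fine, while a signed type would need care with the int expression on the right. tun_napi_alloc_frags() continues outside the hunk.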
diff --git a/queue-5.4/netfilter-nf_tables-release-flow-rule-object-from-co.patch b/queue-5.4/netfilter-nf_tables-release-flow-rule-object-from-co.patch new file mode 100644 index 00000000000..8c130a90879 --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-release-flow-rule-object-from-co.patch 
@@ -0,0 +1,48 @@ +From 7157f00ecfcf600e693bcfad2f96de7a7a5bffab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Oct 2022 09:54:45 +0200 +Subject: netfilter: nf_tables: release flow rule object from commit path + +From: Pablo Neira Ayuso + +[ Upstream commit 26b5934ff4194e13196bedcba373cd4915071d0e ] + +No need to postpone this to the commit release path, since no packets +are walking over this object, this is accessed from control plane only. +This helped uncovered UAF triggered by races with the netlink notifier. + +Fixes: 9dd732e0bdf5 ("netfilter: nf_tables: memleak flow rule from commit path") +Reported-by: syzbot+8f747f62763bc6c32916@syzkaller.appspotmail.com +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index f9cecd30f1ba..140c24f1b6c6 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6576,9 +6576,6 @@ static void nft_commit_release(struct nft_trans *trans) + nf_tables_chain_destroy(&trans->ctx); + break; + case NFT_MSG_DELRULE: +- if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) +- nft_flow_rule_destroy(nft_trans_flow_rule(trans)); +- + nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); + break; + case NFT_MSG_DELSET: +@@ -6913,6 +6910,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + nft_rule_expr_deactivate(&trans->ctx, + nft_trans_rule(trans), + NFT_TRANS_COMMIT); ++ ++ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) ++ nft_flow_rule_destroy(nft_trans_flow_rule(trans)); + break; + case NFT_MSG_NEWSET: + nft_clear(net, nft_trans_set(trans)); +-- +2.35.1 + diff --git a/queue-5.4/nfc-nfcmrvl-fix-potential-memory-leak-in-nfcmrvl_i2c.patch b/queue-5.4/nfc-nfcmrvl-fix-potential-memory-leak-in-nfcmrvl_i2c.patch new file mode 100644 index 00000000000..f89c18e2eb6 --- /dev/null 
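Review bot: After nft_flow_rule_destroy() runs in nf_tables_commit(), the pointer held in the transaction is left dangling; the release-side use is removed by the same patch so nothing reads it now, but clearing it, e.g. `nft_trans_flow_rule(trans) = NULL;` right after the destroy call, would turn any future re-use into a NULL dereference instead of the use-after-free class this change is fixing. Whether nft_trans_flow_rule() expands to an assignable lvalue depends on its definition outside this hunk. Both nft_commit_release() and nf_tables_commit() continue outside their hunks.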
+++ b/queue-5.4/nfc-nfcmrvl-fix-potential-memory-leak-in-nfcmrvl_i2c.patch @@ -0,0 +1,47 @@ +From 0a1901a00d4057ce4410d17eaa9e83259e9c6151 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 22:03:32 +0800 +Subject: nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send() + +From: Shang XiaoJing + +[ Upstream commit 93d904a734a74c54d945a9884b4962977f1176cd ] + +nfcmrvl_i2c_nci_send() will be called by nfcmrvl_nci_send(), and skb +should be freed in nfcmrvl_i2c_nci_send(). However, nfcmrvl_nci_send() +will only free skb when i2c_master_send() return >=0, which means skb +will memleak when i2c_master_send() failed. Free skb no matter whether +i2c_master_send() succeeds. + +Fixes: b5b3e23e4cac ("NFC: nfcmrvl: add i2c driver") +Signed-off-by: Shang XiaoJing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/nfcmrvl/i2c.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/nfc/nfcmrvl/i2c.c b/drivers/nfc/nfcmrvl/i2c.c +index 919b4d2f5d8b..fa6db971bee9 100644 +--- a/drivers/nfc/nfcmrvl/i2c.c ++++ b/drivers/nfc/nfcmrvl/i2c.c +@@ -151,10 +151,15 @@ static int nfcmrvl_i2c_nci_send(struct nfcmrvl_private *priv, + ret = -EREMOTEIO; + } else + ret = 0; ++ } ++ ++ if (ret) { + kfree_skb(skb); ++ return ret; + } + +- return ret; ++ consume_skb(skb); ++ return 0; + } + + static void nfcmrvl_i2c_nci_update_config(struct nfcmrvl_private *priv, +-- +2.35.1 + diff --git a/queue-5.4/nfc-s3fwrn5-fix-potential-memory-leak-in-s3fwrn5_nci.patch b/queue-5.4/nfc-s3fwrn5-fix-potential-memory-leak-in-s3fwrn5_nci.patch new file mode 100644 index 00000000000..ce570ca5435 --- /dev/null +++ b/queue-5.4/nfc-s3fwrn5-fix-potential-memory-leak-in-s3fwrn5_nci.patch 
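Review bot: The added `}` on the first new line closes a block whose opening is outside the hunk (presumably the if/else around the i2c_master_send() result that sets `ret`), so the structure has to be read against the full function; within the hunk every path now releases the skb exactly once, which is the fix. Using consume_skb() on success and kfree_skb() on failure is the right split for drop-monitor accounting, and `return 0` rather than `return ret` holds only because the visible else branch sets `ret = 0`; a comment such as `/* skb is owned here and released on every path */` at the top of the new block would make that ownership explicit.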
@@ -0,0 +1,48 @@ +From 94f922fe092c5f1a435a796ab5dc4d79b51d4296 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 22:03:31 +0800 +Subject: nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send() + +From: Shang XiaoJing + +[ Upstream commit 3a146b7e3099dc7cf3114f627d9b79291e2d2203 ] + +s3fwrn5_nci_send() will call s3fwrn5_i2c_write() or s3fwrn82_uart_write(), +and free the skb if write() failed. However, even if the write() run +succeeds, the skb will not be freed in write(). As the result, the skb +will memleak. s3fwrn5_nci_send() should also free the skb when write() +succeeds. + +Fixes: c04c674fadeb ("nfc: s3fwrn5: Add driver for Samsung S3FWRN5 NFC Chip") +Signed-off-by: Shang XiaoJing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/s3fwrn5/core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/nfc/s3fwrn5/core.c b/drivers/nfc/s3fwrn5/core.c +index ba6c486d6465..9b43cd3a45af 100644 +--- a/drivers/nfc/s3fwrn5/core.c ++++ b/drivers/nfc/s3fwrn5/core.c +@@ -97,11 +97,15 @@ static int s3fwrn5_nci_send(struct nci_dev *ndev, struct sk_buff *skb) + } + + ret = s3fwrn5_write(info, skb); +- if (ret < 0) ++ if (ret < 0) { + kfree_skb(skb); ++ mutex_unlock(&info->mutex); ++ return ret; ++ } + ++ consume_skb(skb); + mutex_unlock(&info->mutex); +- return ret; ++ return 0; + } + + static int s3fwrn5_nci_post_setup(struct nci_dev *ndev) +-- +2.35.1 + diff --git a/queue-5.4/nfs4-fix-kmemleak-when-allocate-slot-failed.patch b/queue-5.4/nfs4-fix-kmemleak-when-allocate-slot-failed.patch new file mode 100644 index 00000000000..7021f65c7a9 --- /dev/null +++ b/queue-5.4/nfs4-fix-kmemleak-when-allocate-slot-failed.patch 
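Review bot: The two exits of s3fwrn5_nci_send() now duplicate `mutex_unlock(&info->mutex)`, and the success path returns 0 where the old code returned whatever s3fwrn5_write() produced, a normalisation the commit message does not mention; a single exit keeps the skb release and the unlock together and gives that normalisation a home for a comment. The function's opening lines are outside the hunk.
```c
	ret = s3fwrn5_write(info, skb);
	if (ret < 0)
		kfree_skb(skb);
	else
		consume_skb(skb);
	mutex_unlock(&info->mutex);
	/* callers expect 0 on success, not a byte count from the write */
	return ret < 0 ? ret : 0;
}
```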
@@ -0,0 +1,54 @@ +From 29e76292a971f9ab5acd9be5a7eb6540ddb893e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Oct 2022 11:20:54 +0800 +Subject: nfs4: Fix kmemleak when allocate slot failed + +From: Zhang Xiaoxu + +[ Upstream commit 7e8436728e22181c3f12a5dbabd35ed3a8b8c593 ] + +If one of the slot allocate failed, should cleanup all the other +allocated slots, otherwise, the allocated slots will leak: + + unreferenced object 0xffff8881115aa100 (size 64): + comm ""mount.nfs"", pid 679, jiffies 4294744957 (age 115.037s) + hex dump (first 32 bytes): + 00 cc 19 73 81 88 ff ff 00 a0 5a 11 81 88 ff ff ...s......Z..... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<000000007a4c434a>] nfs4_find_or_create_slot+0x8e/0x130 + [<000000005472a39c>] nfs4_realloc_slot_table+0x23f/0x270 + [<00000000cd8ca0eb>] nfs40_init_client+0x4a/0x90 + [<00000000128486db>] nfs4_init_client+0xce/0x270 + [<000000008d2cacad>] nfs4_set_client+0x1a2/0x2b0 + [<000000000e593b52>] nfs4_create_server+0x300/0x5f0 + [<00000000e4425dd2>] nfs4_try_get_tree+0x65/0x110 + [<00000000d3a6176f>] vfs_get_tree+0x41/0xf0 + [<0000000016b5ad4c>] path_mount+0x9b3/0xdd0 + [<00000000494cae71>] __x64_sys_mount+0x190/0x1d0 + [<000000005d56bdec>] do_syscall_64+0x35/0x80 + [<00000000687c9ae4>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Fixes: abf79bb341bf ("NFS: Add a slot table to struct nfs_client for NFSv4.0 transport blocking") +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4client.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index 3671a51fe5eb..1f4bdcda3fda 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -346,6 +346,7 @@ int nfs40_init_client(struct nfs_client *clp) + ret = nfs4_setup_slot_table(tbl, NFS4_MAX_SLOT_TABLE, + "NFSv4.0 transport Slot table"); + if (ret) { ++ nfs4_shutdown_slot_table(tbl); + kfree(tbl); + return ret; + } +-- +2.35.1 
+ diff --git a/queue-5.4/nfsv4.1-handle-reclaim_complete-trunking-errors.patch b/queue-5.4/nfsv4.1-handle-reclaim_complete-trunking-errors.patch new file mode 100644 index 00000000000..c5d50db4035 --- /dev/null +++ b/queue-5.4/nfsv4.1-handle-reclaim_complete-trunking-errors.patch @@ -0,0 +1,35 @@ +From 89e1710f458886fd612d34dfdb86d9e8f9a0f775 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Oct 2022 14:44:32 -0400 +Subject: NFSv4.1: Handle RECLAIM_COMPLETE trunking errors + +From: Trond Myklebust + +[ Upstream commit 5d917cba3201e5c25059df96c29252fd99c4f6a7 ] + +If RECLAIM_COMPLETE sets the NFS4CLNT_BIND_CONN_TO_SESSION flag, then we +need to loop back in order to handle it. + +Fixes: 0048fdd06614 ("NFSv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4state.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index 1d2b81a233bb..700cb36c93f3 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -2588,6 +2588,7 @@ static void nfs4_state_manager(struct nfs_client *clp) + if (status < 0) + goto out_error; + nfs4_state_end_reclaim_reboot(clp); ++ continue; + } + + /* Detect expired delegations... */ +-- +2.35.1 + diff --git a/queue-5.4/nfsv4.1-we-must-always-send-reclaim_complete-after-a.patch b/queue-5.4/nfsv4.1-we-must-always-send-reclaim_complete-after-a.patch new file mode 100644 index 00000000000..47795e3051d --- /dev/null +++ b/queue-5.4/nfsv4.1-we-must-always-send-reclaim_complete-after-a.patch 
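Review bot: The added nfs4_shutdown_slot_table(tbl) before kfree(tbl) is only safe if that helper releases the slot array but not the table structure itself, and if it tolerates a partially populated table (the reported leak comes from nfs4_find_or_create_slot() failing midway through filling it); neither is visible here, so both are worth confirming and recording at the call, e.g. `/* frees the slots allocated so far; tbl itself is freed below */`. nfs40_init_client() continues outside the hunk.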
@@ -0,0 +1,36 @@
+From 6dab601058edebca64b1c2f1cffe503e3e55cbda Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 16 Oct 2022 14:44:33 -0400
+Subject: NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot
+
+From: Trond Myklebust
+
+[ Upstream commit e59679f2b7e522ecad99974e5636291ffd47c184 ]
+
+Currently, we are only guaranteed to send RECLAIM_COMPLETE if we have
+open state to recover. Fix the client to always send RECLAIM_COMPLETE
+after setting up the lease.
+
+Fixes: fce5c838e133 ("nfs41: RECLAIM_COMPLETE functionality")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/nfs4state.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
+index 700cb36c93f3..c60b3a1f6d2b 100644
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1743,6 +1743,7 @@ static void nfs4_state_mark_reclaim_helper(struct nfs_client *clp,
+ 
+ static void nfs4_state_start_reclaim_reboot(struct nfs_client *clp)
+ {
++ set_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state);
+ /* Mark all delegations for reclaim */
+ nfs_delegation_mark_reclaim(clp);
+ nfs4_state_mark_reclaim_helper(clp, nfs4_state_mark_reclaim_reboot);
+-- 
+2.35.1
+
diff --git a/queue-5.4/rdma-cma-use-output-interface-for-net_dev-check.patch b/queue-5.4/rdma-cma-use-output-interface-for-net_dev-check.patch
new file mode 100644
index 00000000000..53cc4b34450
--- /dev/null
+++ b/queue-5.4/rdma-cma-use-output-interface-for-net_dev-check.patch
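Review bot: The unconditional `set_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state)` at the top of nfs4_state_start_reclaim_reboot() carries no comment tying it to the RECLAIM_COMPLETE requirement, so next to the delegation-marking code it reads as an unrelated flag set. Suggest `/* Always enter reboot recovery so RECLAIM_COMPLETE is sent even when there is no open state to reclaim */` above the call. Whether every path that consumes this bit clears it once RECLAIM_COMPLETE has gone out is not visible here and should be checked in the 5.4 state manager. The function body continues past the hunk.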
@@ -0,0 +1,49 @@
+From 3d054a633f9c7e22440d31027528752045f76570 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Oct 2022 16:15:42 +0200
+Subject: RDMA/cma: Use output interface for net_dev check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: HÃ¥kon Bugge
+
+[ Upstream commit eb83f502adb036cd56c27e13b9ca3b2aabfa790b ]
+
+Commit 27cfde795a96 ("RDMA/cma: Fix arguments order in net device
+validation") swapped the src and dst addresses in the call to
+validate_net_dev().
+
+As a consequence, the test in validate_ipv4_net_dev() to see if the
+net_dev is the right one, is incorrect for port 1 <-> 2 communication when
+the ports are on the same sub-net. This is fixed by denoting the
+flowi4_oif as the device instead of the incoming one.
+
+The bug has not been observed using IPv6 addresses.
+
+Fixes: 27cfde795a96 ("RDMA/cma: Fix arguments order in net device validation")
+Signed-off-by: HÃ¥kon Bugge
+Link: https://lore.kernel.org/r/20221012141542.16925-1-haakon.bugge@oracle.com
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/core/cma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index cf174aa7fe25..052d15629153 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1434,7 +1434,7 @@ static bool validate_ipv4_net_dev(struct net_device *net_dev,
+ return false;
+ 
+ memset(&fl4, 0, sizeof(fl4));
+- fl4.flowi4_iif = net_dev->ifindex;
++ fl4.flowi4_oif = net_dev->ifindex;
+ fl4.daddr = daddr;
+ fl4.saddr = saddr;
+ 
+-- 
+2.35.1
+
diff --git a/queue-5.4/rdma-core-fix-null-ptr-deref-in-ib_core_cleanup.patch b/queue-5.4/rdma-core-fix-null-ptr-deref-in-ib_core_cleanup.patch
new file mode 100644
index 00000000000..a48504280f5
--- /dev/null
+++ b/queue-5.4/rdma-core-fix-null-ptr-deref-in-ib_core_cleanup.patch
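Review bot: Switching `flowi4_iif` to `flowi4_oif` is the entire fix, yet the code keeps no trace of why the output interface is the one to pin, and validate_ipv4_net_dev() starts and ends outside the hunk so the route lookup that consumes `fl4` is not visible. Suggest a comment above the assignment: `/* saddr/daddr are ordered for the reply direction, so net_dev is the egress device: match it as the route's output interface */`. The commit message says the IPv6 path has not shown the problem; whether validate_ipv6_net_dev() makes an equivalent iif/oif choice is not visible here and is worth a look in the same review.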
@@ -0,0 +1,89 @@
+From 56d7654010b88e9186275207c4d1e2a6130d8ef9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Oct 2022 10:41:46 +0800
+Subject: RDMA/core: Fix null-ptr-deref in ib_core_cleanup()
+
+From: Chen Zhongjin
+
+[ Upstream commit 07c0d131cc0fe1f3981a42958fc52d573d303d89 ]
+
+KASAN reported a null-ptr-deref error:
+
+ KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
+ CPU: 1 PID: 379
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
+ RIP: 0010:destroy_workqueue+0x2f/0x740
+ RSP: 0018:ffff888016137df8 EFLAGS: 00000202
+ ...
+ Call Trace:
+ ib_core_cleanup+0xa/0xa1 [ib_core]
+ __do_sys_delete_module.constprop.0+0x34f/0x5b0
+ do_syscall_64+0x3a/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ RIP: 0033:0x7fa1a0d221b7
+ ...
+
+It is because the fail of roce_gid_mgmt_init() is ignored:
+
+ ib_core_init()
+ roce_gid_mgmt_init()
+ gid_cache_wq = alloc_ordered_workqueue # fail
+ ...
+ ib_core_cleanup()
+ roce_gid_mgmt_cleanup()
+ destroy_workqueue(gid_cache_wq)
+ # destroy an unallocated wq
+
+Fix this by catching the fail of roce_gid_mgmt_init() in ib_core_init().
+
+Fixes: 03db3a2d81e6 ("IB/core: Add RoCE GID table management")
+Signed-off-by: Chen Zhongjin
+Link: https://lore.kernel.org/r/20221025024146.109137-1-chenzhongjin@huawei.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/core/device.c | 10 +++++++++-
+ drivers/infiniband/core/nldev.c | 2 +-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
+index de66d7da1bf6..372ca5347d3c 100644
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@ -2762,10 +2762,18 @@ static int __init ib_core_init(void)
+ 
+ nldev_init();
+ rdma_nl_register(RDMA_NL_LS, ibnl_ls_cb_table);
+- roce_gid_mgmt_init();
++ ret = roce_gid_mgmt_init();
++ if (ret) {
++ pr_warn("Couldn't init RoCE GID management\n");
++ goto err_parent;
++ }
+ 
+ return 0;
+ 
++err_parent:
++ rdma_nl_unregister(RDMA_NL_LS);
++ nldev_exit();
++ unregister_pernet_device(&rdma_dev_net_ops);
+ err_compat:
+ unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
+ err_sa:
+diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
+index e4905d9fecb0..81b70f1f1290 100644
+--- a/drivers/infiniband/core/nldev.c
++++ b/drivers/infiniband/core/nldev.c
+@@ -2098,7 +2098,7 @@ void __init nldev_init(void)
+ rdma_nl_register(RDMA_NL_NLDEV, nldev_cb_table);
+ }
+ 
+-void __exit nldev_exit(void)
++void nldev_exit(void)
+ {
+ rdma_nl_unregister(RDMA_NL_NLDEV);
+ }
+-- 
+2.35.1
+
diff --git a/queue-5.4/rdma-qedr-clean-up-work-queue-on-failure-in-qedr_all.patch b/queue-5.4/rdma-qedr-clean-up-work-queue-on-failure-in-qedr_all.patch
new file mode 100644
index 00000000000..f6368bcdfe4
--- /dev/null
+++ b/queue-5.4/rdma-qedr-clean-up-work-queue-on-failure-in-qedr_all.patch
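Review bot: The new `pr_warn("Couldn't init RoCE GID management\n")` throws away the error code `ret` now holds, so a failed module load leaves no hint of what inside roce_gid_mgmt_init() went wrong; `pr_warn("Couldn't init RoCE GID management: %d\n", ret);` costs nothing and the value is already in hand two lines later. The `err_parent` label unwinds rdma_nl_unregister(), nldev_exit() and unregister_pernet_device() before falling into `err_compat`, which is the reverse of the nldev_init()/rdma_nl_register() order visible in the hunk, as it should be. Dropping `__exit` from nldev_exit() in nldev.c is what lets the `__init` path call it; if a prototype elsewhere still carries the annotation it needs the same change, which is not visible here. ib_core_init() starts before the hunk.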
@@ -0,0 +1,59 @@
+From 58d30074f5ff88fffdbc9b8a4342fb8ea6d0cd37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Oct 2022 18:32:32 +0300
+Subject: RDMA/qedr: clean up work queue on failure in qedr_alloc_resources()
+
+From: Dan Carpenter
+
+[ Upstream commit 7a47e077e503feb73d56e491ce89aa73b67a3972 ]
+
+Add a check for if create_singlethread_workqueue() fails and also destroy
+the work queue on failure paths.
+
+Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions")
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/Y1gBkDucQhhWj5YM@kili
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/qedr/main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/qedr/main.c b/drivers/infiniband/hw/qedr/main.c
+index 93040c994e2e..50b75bd4633c 100644
+--- a/drivers/infiniband/hw/qedr/main.c
++++ b/drivers/infiniband/hw/qedr/main.c
+@@ -362,6 +362,10 @@ static int qedr_alloc_resources(struct qedr_dev *dev)
+ if (IS_IWARP(dev)) {
+ xa_init(&dev->qps);
+ dev->iwarp_wq = create_singlethread_workqueue("qedr_iwarpq");
++ if (!dev->iwarp_wq) {
++ rc = -ENOMEM;
++ goto err1;
++ }
+ }
+ 
+ /* Allocate Status blocks for CNQ */
+@@ -369,7 +373,7 @@ static int qedr_alloc_resources(struct qedr_dev *dev)
+ GFP_KERNEL);
+ if (!dev->sb_array) {
+ rc = -ENOMEM;
+- goto err1;
++ goto err_destroy_wq;
+ }
+ 
+ dev->cnq_array = kcalloc(dev->num_cnq,
+@@ -423,6 +427,9 @@ static int qedr_alloc_resources(struct qedr_dev *dev)
+ kfree(dev->cnq_array);
+ err2:
+ kfree(dev->sb_array);
++err_destroy_wq:
++ if (IS_IWARP(dev))
++ destroy_workqueue(dev->iwarp_wq);
+ err1:
+ kfree(dev->sgid_tbl);
+ return rc;
+-- 
+2.35.1
+
diff --git a/queue-5.4/rose-fix-null-pointer-dereference-in-rose_send_frame.patch b/queue-5.4/rose-fix-null-pointer-dereference-in-rose_send_frame.patch
new file mode 100644
index 00000000000..db71ad03565
--- /dev/null
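Review bot: The `IS_IWARP(dev)` guard at `err_destroy_wq` is only safe because the new `!dev->iwarp_wq` check jumps to `err1`, past the destroy; that coupling between the two hunks is easy to break in a later label reorder and deserves a comment so nobody hands a missing workqueue to destroy_workqueue(). Suggest `/* iwarp_wq exists only on the IS_IWARP path; its own allocation failure jumps straight to err1 */` above the guard. Whether `xa_init(&dev->qps)` wants a matching `xa_destroy()` on the `err1` path is not visible here; an xarray that was never populated most likely holds nothing, so probably not. qedr_alloc_resources() starts before the hunk.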
+++ b/queue-5.4/rose-fix-null-pointer-dereference-in-rose_send_frame.patch 
@@ -0,0 +1,76 @@
+From bc11030d3f791aac3aa3fae8836b6841b201af8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Oct 2022 00:10:49 +0800
+Subject: rose: Fix NULL pointer dereference in rose_send_frame()
+
+From: Zhang Qilong
+
+[ Upstream commit e97c089d7a49f67027395ddf70bf327eeac2611e ]
+
+The syzkaller reported an issue:
+
+KASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]
+CPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
+Workqueue: rcu_gp srcu_invoke_callbacks
+RIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101
+Call Trace:
+ 
+ rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255
+ rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009
+ rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111
+ call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
+ expire_timers kernel/time/timer.c:1519 [inline]
+ __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
+ __run_timers kernel/time/timer.c:1768 [inline]
+ run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
+ __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
+ [...]
+ 
+
+It triggers NULL pointer dereference when 'neigh->dev->dev_addr' is
+called in the rose_send_frame(). It's the first occurrence of the
+`neigh` is in rose_loopback_timer() as `rose_loopback_neigh',  and
+the 'dev' in 'rose_loopback_neigh' is initialized sa nullptr.
+
+It had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf
+("rose: Fix Null pointer dereference in rose_send_frame()") ever.
+But it's introduced by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8
+("rose: check NULL rose_loopback_neigh->loopback") again.
+
+We fix it by add NULL check in rose_transmit_clear_request(). When
+the 'dev' in 'neigh' is NULL, we don't reply the request and just
+clear it.
+
+syzkaller don't provide repro, and I provide a syz repro like:
+r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
+ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={'rose0\x00', 0x201})
+r1 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
+bind$rose(r1, &(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40)
+connect$rose(r1, &(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)
+
+Fixes: 3c53cd65dece ("rose: check NULL rose_loopback_neigh->loopback")
+Signed-off-by: Zhang Qilong
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/rose/rose_link.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/rose/rose_link.c b/net/rose/rose_link.c
+index f6102e6f5161..730d2205f197 100644
+--- a/net/rose/rose_link.c
++++ b/net/rose/rose_link.c
+@@ -236,6 +236,9 @@ void rose_transmit_clear_request(struct rose_neigh *neigh, unsigned int lci, uns
+ unsigned char *dptr;
+ int len;
+ 
++ if (!neigh->dev)
++ return;
++
+ len = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN + 3;
+ 
+ if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL)
+-- 
+2.35.1
+
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..9e3d812a4a7
--- /dev/null
+++ b/queue-5.4/series
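Review bot: The new `if (!neigh->dev) return;` silently drops the clear request with no comment saying why a neighbour can lack a device, and nothing records the drop, so the next reader of rose_transmit_clear_request() will see an unexplained early return. Suggest `/* The loopback neighbour has no dev; rose_send_frame() would dereference it, so drop the clear request instead of replying */` above the check. Other callers of rose_send_frame() are not visible in the hunk; whether they can be reached with the same device-less neighbour is worth confirming in the same review. The function continues past the hunk.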
@@ -0,0 +1,29 @@
+rdma-cma-use-output-interface-for-net_dev-check.patch
+ib-hfi1-correctly-move-list-in-sc_disable.patch
+nfsv4.1-handle-reclaim_complete-trunking-errors.patch
+nfsv4.1-we-must-always-send-reclaim_complete-after-a.patch
+nfs4-fix-kmemleak-when-allocate-slot-failed.patch
+net-dsa-fix-possible-memory-leaks-in-dsa_loop_init.patch
+rdma-core-fix-null-ptr-deref-in-ib_core_cleanup.patch
+rdma-qedr-clean-up-work-queue-on-failure-in-qedr_all.patch
+nfc-s3fwrn5-fix-potential-memory-leak-in-s3fwrn5_nci.patch
+nfc-nfcmrvl-fix-potential-memory-leak-in-nfcmrvl_i2c.patch
+net-fec-fix-improper-use-of-netdev_tx_busy.patch
+ata-pata_legacy-fix-pdc20230_set_piomode.patch
+net-sched-fix-use-after-free-in-red_enqueue.patch
+net-tun-fix-bugs-for-oversize-packet-when-napi-frags.patch
+netfilter-nf_tables-release-flow-rule-object-from-co.patch
+ipvs-use-explicitly-signed-chars.patch
+ipvs-fix-warning-in-__ip_vs_cleanup_batch.patch
+ipvs-fix-warning-in-ip_vs_app_net_cleanup.patch
+rose-fix-null-pointer-dereference-in-rose_send_frame.patch
+misdn-fix-possible-memory-leak-in-misdn_register_dev.patch
+isdn-misdn-netjet-fix-wrong-check-of-device-registra.patch
+btrfs-fix-inode-list-leak-during-backref-walking-at-.patch
+btrfs-fix-inode-list-leak-during-backref-walking-at-.patch-32726
+btrfs-fix-ulist-leaks-in-error-paths-of-qgroup-self-.patch
+bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_r.patch
+bluetooth-l2cap-fix-use-after-free-in-l2cap_conn_del.patch
+net-mdio-fix-undefined-behavior-in-bit-shift-for-__m.patch
+net-neigh-fix-null-ptr-deref-in-neigh_table_clear.patch
+ipv6-fix-warning-in-ip6_route_net_exit_late.patch