From: Sasha Levin Date: Sun, 12 Jun 2022 13:42:04 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.9.318~97 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5a63f5631e7cff81a325d82e2b1a8099c40a19fa;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch b/queue-5.4/af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch new file mode 100644 index 00000000000..909ac0bd3b5 --- /dev/null +++ b/queue-5.4/af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch @@ -0,0 +1,39 @@ +From 171872c7b6137bb9fe92eb11fdda462753b2d2a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 16:23:25 -0700 +Subject: af_unix: Fix a data-race in unix_dgram_peer_wake_me(). + +From: Kuniyuki Iwashima + +[ Upstream commit 662a80946ce13633ae90a55379f1346c10f0c432 ] + +unix_dgram_poll() calls unix_dgram_peer_wake_me() without `other`'s +lock held and check if its receive queue is full. Here we need to +use unix_recvq_full_lockless() instead of unix_recvq_full(), otherwise +KCSAN will report a data-race. + +Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20220605232325.11804-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 05470ca91bd9..f33e90bd0683 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -440,7 +440,7 @@ static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) + * -ECONNREFUSED. Otherwise, if we haven't queued any skbs + * to other and its full, we will hang waiting for POLLOUT. + */ +- if (unix_recvq_full(other) && !sock_flag(other, SOCK_DEAD)) ++ if (unix_recvq_full_lockless(other) && !sock_flag(other, SOCK_DEAD)) + return 1; + + if (connected) +-- +2.35.1 + diff --git a/queue-5.4/ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch b/queue-5.4/ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch new file mode 100644 index 00000000000..d52a4dd428f --- /dev/null +++ b/queue-5.4/ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch @@ -0,0 +1,52 @@ +From 70dea6f1e498938841017b97ad1e8770a2083fef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 12:59:26 +0400 +Subject: ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe + +From: Miaoqian Lin + +[ Upstream commit 10d6bdf532902be1d8aa5900b3c03c5671612aa2 ] + +of_find_device_by_node() takes reference, we should use put_device() +to release it when not need anymore. +Add missing put_device() to avoid refcount leak. + +Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.") +Signed-off-by: Miaoqian Lin +Reviewed-by: Sergey Shtylyov +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_octeon_cf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/pata_octeon_cf.c b/drivers/ata/pata_octeon_cf.c +index ac3b1fda820f..c240d8cbfd41 100644 +--- a/drivers/ata/pata_octeon_cf.c ++++ b/drivers/ata/pata_octeon_cf.c +@@ -888,12 +888,14 @@ static int octeon_cf_probe(struct platform_device *pdev) + int i; + res_dma = platform_get_resource(dma_dev, IORESOURCE_MEM, 0); + if (!res_dma) { ++ put_device(&dma_dev->dev); + of_node_put(dma_node); + return -EINVAL; + } + cf_port->dma_base = (u64)devm_ioremap_nocache(&pdev->dev, res_dma->start, + resource_size(res_dma)); + if (!cf_port->dma_base) { ++ put_device(&dma_dev->dev); + of_node_put(dma_node); + return -EINVAL; + } +@@ -903,6 +905,7 @@ static int octeon_cf_probe(struct platform_device *pdev) + irq = i; + irq_handler = octeon_cf_interrupt; + } ++ put_device(&dma_dev->dev); + } + of_node_put(dma_node); + } +-- +2.35.1 + diff --git a/queue-5.4/bpf-arm64-clear-prog-jited_len-along-prog-jited.patch b/queue-5.4/bpf-arm64-clear-prog-jited_len-along-prog-jited.patch new file mode 100644 index 00000000000..bb486121230 --- /dev/null +++ b/queue-5.4/bpf-arm64-clear-prog-jited_len-along-prog-jited.patch @@ -0,0 +1,100 @@ +From a6350b97b0bfbfcfb16fc224bc2563ed31caa99e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 14:51:13 -0700 +Subject: bpf, arm64: Clear prog->jited_len along prog->jited + +From: Eric Dumazet + +[ Upstream commit 10f3b29c65bb2fe0d47c2945cd0b4087be1c5218 ] + +syzbot reported an illegal copy_to_user() attempt +from bpf_prog_get_info_by_fd() [1] + +There was no repro yet on this bug, but I think +that commit 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns") +is exposing a prior bug in bpf arm64. + +bpf_prog_get_info_by_fd() looks at prog->jited_len +to determine if the JIT image can be copied out to user space. + +My theory is that syzbot managed to get a prog where prog->jited_len +has been set to 43, while prog->bpf_func has ben cleared. + +It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering +this particular warning. + +I thought find_vma_area(NULL) would not find a vm_struct. +As we do not hold vmap_area_lock spinlock, it might be possible +that the found vm_struct was garbage. + +[1] +usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)! +kernel BUG at mm/usercopy.c:101! +Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0 +Hardware name: linux,dummy-virt (DT) +pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101 +lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89 +sp : ffff80000b773a20 +x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48 +x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000 +x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001 +x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd +x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420 +x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031 +x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865 +x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830 +x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000 +x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064 +Call trace: + usercopy_abort+0x90/0x94 mm/usercopy.c:89 + check_heap_object mm/usercopy.c:186 [inline] + __check_object_size mm/usercopy.c:252 [inline] + __check_object_size+0x198/0x36c mm/usercopy.c:214 + check_object_size include/linux/thread_info.h:199 [inline] + check_copy_size include/linux/thread_info.h:235 [inline] + copy_to_user include/linux/uaccess.h:159 [inline] + bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993 + bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253 + __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956 + __do_sys_bpf kernel/bpf/syscall.c:5021 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5019 [inline] + __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019 + __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] + invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52 + el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142 + do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206 + el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624 + el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642 + el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581 +Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000) + +Fixes: db496944fdaa ("bpf: arm64: add JIT support for multi-function programs") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20220531215113.1100754-1-eric.dumazet@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/arm64/net/bpf_jit_comp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c +index 17a8d1484f9b..9f71ca441482 100644 +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -973,6 +973,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + bpf_jit_binary_free(header); + prog->bpf_func = NULL; + prog->jited = 0; ++ prog->jited_len = 0; + goto out_off; + } + bpf_jit_binary_lock_ro(header); +-- +2.35.1 + diff --git a/queue-5.4/drm-imx-fix-compiler-warning-with-gcc-12.patch b/queue-5.4/drm-imx-fix-compiler-warning-with-gcc-12.patch new file mode 100644 index 00000000000..800021c8d8d --- /dev/null +++ b/queue-5.4/drm-imx-fix-compiler-warning-with-gcc-12.patch @@ -0,0 +1,51 @@ +From ecfc623511a9b9f41f3a8e51470a742a93ba45de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 16:59:29 -0700 +Subject: drm: imx: fix compiler warning with gcc-12 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit 7aefd8b53815274f3ef398d370a3c9b27dd9f00c ] + +Gcc-12 correctly warned about this code using a non-NULL pointer as a +truth value: + + drivers/gpu/drm/imx/ipuv3-crtc.c: In function ‘ipu_crtc_disable_planes’: + drivers/gpu/drm/imx/ipuv3-crtc.c:72:21: error: the comparison will always evaluate as ‘true’ for the address of ‘plane’ will never be NULL [-Werror=address] + 72 | if (&ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base) + | ^ + +due to the extraneous '&' address-of operator. + +Philipp Zabel points out that The mistake had no adverse effect since +the following condition doesn't actually dereference the NULL pointer, +but the intent of the code was obviously to check for it, not to take +the address of the member. + +Fixes: eb8c88808c83 ("drm/imx: add deferred plane disabling") +Acked-by: Philipp Zabel +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c +index 2256c9789fc2..f19264e91d4d 100644 +--- a/drivers/gpu/drm/imx/ipuv3-crtc.c ++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c +@@ -68,7 +68,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc, + drm_atomic_crtc_state_for_each_plane(plane, old_crtc_state) { + if (plane == &ipu_crtc->plane[0]->base) + disable_full = true; +- if (&ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base) ++ if (ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base) + disable_partial = true; + } + +-- +2.35.1 + diff --git a/queue-5.4/ip_gre-test-csum_start-instead-of-transport-header.patch b/queue-5.4/ip_gre-test-csum_start-instead-of-transport-header.patch new file mode 100644 index 00000000000..9de67c2108f --- /dev/null +++ b/queue-5.4/ip_gre-test-csum_start-instead-of-transport-header.patch @@ -0,0 +1,87 @@ +From 03d622f38b7bcc8b8916ed03bb42a2ad6fc0c24b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 09:21:07 -0400 +Subject: ip_gre: test csum_start instead of transport header + +From: Willem de Bruijn + +[ Upstream commit 8d21e9963bec1aad2280cdd034c8993033ef2948 ] + +GRE with TUNNEL_CSUM will apply local checksum offload on +CHECKSUM_PARTIAL packets. + +ipgre_xmit must validate csum_start after an optional skb_pull, +else lco_csum may trigger an overflow. The original check was + + if (csum && skb_checksum_start(skb) < skb->data) + return -EINVAL; + +This had false positives when skb_checksum_start is undefined: +when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement +was straightforward + + if (csum && skb->ip_summed == CHECKSUM_PARTIAL && + skb_checksum_start(skb) < skb->data) + return -EINVAL; + +But was eventually revised more thoroughly: +- restrict the check to the only branch where needed, in an + uncommon GRE path that uses header_ops and calls skb_pull. +- test skb_transport_header, which is set along with csum_start + in skb_partial_csum_set in the normal header_ops datapath. + +Turns out skbs can arrive in this branch without the transport +header set, e.g., through BPF redirection. + +Revise the check back to check csum_start directly, and only if +CHECKSUM_PARTIAL. Do leave the check in the updated location. +Check field regardless of whether TUNNEL_CSUM is configured. + +Link: https://lore.kernel.org/netdev/YS+h%2FtqCJJiQei+W@shredder/ +Link: https://lore.kernel.org/all/20210902193447.94039-2-willemdebruijn.kernel@gmail.com/T/#u +Fixes: 8a0ed250f911 ("ip_gre: validate csum_start only on pull") +Reported-by: syzbot +Signed-off-by: Willem de Bruijn +Reviewed-by: Eric Dumazet +Reviewed-by: Alexander Duyck +Link: https://lore.kernel.org/r/20220606132107.3582565-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 5b38d03f6d79..614410a6db44 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -602,21 +602,20 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + } + + if (dev->header_ops) { +- const int pull_len = tunnel->hlen + sizeof(struct iphdr); +- + if (skb_cow_head(skb, 0)) + goto free_skb; + + tnl_params = (const struct iphdr *)skb->data; + +- if (pull_len > skb_transport_offset(skb)) +- goto free_skb; +- + /* Pull skb since ip_tunnel_xmit() needs skb->data pointing + * to gre header. + */ +- skb_pull(skb, pull_len); ++ skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); + skb_reset_mac_header(skb); ++ ++ if (skb->ip_summed == CHECKSUM_PARTIAL && ++ skb_checksum_start(skb) < skb->data) ++ goto free_skb; + } else { + if (skb_cow_head(skb, dev->needed_headroom)) + goto free_skb; +-- +2.35.1 + diff --git a/queue-5.4/net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch b/queue-5.4/net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch new file mode 100644 index 00000000000..227b7b161f7 --- /dev/null +++ b/queue-5.4/net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch @@ -0,0 +1,59 @@ +From 159c4ea3bdebefd25cd5b884c1e8b0be0e4da196 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 08:11:43 +0400 +Subject: net: altera: Fix refcount leak in altera_tse_mdio_create + +From: Miaoqian Lin + +[ Upstream commit 11ec18b1d8d92b9df307d31950dcba0b3dd7283c ] + +Every iteration of for_each_child_of_node() decrements +the reference count of the previous node. +When break from a for_each_child_of_node() loop, +we need to explicitly call of_node_put() on the child node when +not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: bbd2190ce96d ("Altera TSE: Add main and header file for Altera Ethernet Driver") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220607041144.7553-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/altera/altera_tse_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c +index 1f8c3b669dc1..f36536114790 100644 +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -163,7 +163,8 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id) + mdio = mdiobus_alloc(); + if (mdio == NULL) { + netdev_err(dev, "Error allocating MDIO bus\n"); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto put_node; + } + + mdio->name = ALTERA_TSE_RESOURCE_NAME; +@@ -180,6 +181,7 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id) + mdio->id); + goto out_free_mdio; + } ++ of_node_put(mdio_node); + + if (netif_msg_drv(priv)) + netdev_info(dev, "MDIO bus %s: created\n", mdio->id); +@@ -189,6 +191,8 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id) + out_free_mdio: + mdiobus_free(mdio); + mdio = NULL; ++put_node: ++ of_node_put(mdio_node); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.4/net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch b/queue-5.4/net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch new file mode 100644 index 00000000000..ae136b134a3 --- /dev/null +++ b/queue-5.4/net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch @@ -0,0 +1,43 @@ +From 652bd90d99a8c4c51e94b77ad41316bde540044f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 11:23:34 +0400 +Subject: net: dsa: lantiq_gswip: Fix refcount leak in gswip_gphy_fw_list + +From: Miaoqian Lin + +[ Upstream commit 0737e018a05e2aa352828c52bdeed3b02cff2930 ] + +Every iteration of for_each_available_child_of_node() decrements +the reference count of the previous node. +when breaking early from a for_each_available_child_of_node() loop, +we need to explicitly call of_node_put() on the gphy_fw_np. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 14fceff4771e ("net: dsa: Add Lantiq / Intel DSA driver for vrx200") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220605072335.11257-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/lantiq_gswip.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/lantiq_gswip.c b/drivers/net/dsa/lantiq_gswip.c +index 0c191d395f8f..b546002e5fd4 100644 +--- a/drivers/net/dsa/lantiq_gswip.c ++++ b/drivers/net/dsa/lantiq_gswip.c +@@ -1958,8 +1958,10 @@ static int gswip_gphy_fw_list(struct gswip_priv *priv, + for_each_available_child_of_node(gphy_fw_list_np, gphy_fw_np) { + err = gswip_gphy_fw_probe(priv, &priv->gphy_fw[i], + gphy_fw_np, i); +- if (err) ++ if (err) { ++ of_node_put(gphy_fw_np); + goto remove_gphy; ++ } + i++; + } + +-- +2.35.1 + diff --git a/queue-5.4/net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch b/queue-5.4/net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch new file mode 100644 index 00000000000..147165d691c --- /dev/null +++ b/queue-5.4/net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch @@ -0,0 +1,52 @@ +From 3823af0a7eb5fd2c7c7b1701bff14189a8d7e2e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:53:55 +0900 +Subject: net: ipv6: unexport __init-annotated seg6_hmac_init() + +From: Masahiro Yamada + +[ Upstream commit 5801f064e35181c71857a80ff18af4dbec3c5f5c ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because the caller (net/ipv6/seg6.c) +and the callee (net/ipv6/seg6_hmac.c) belong to the same module. +It seems an internal function call in ipv6.ko. + +Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_hmac.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c +index ffcfcd2b128f..a4cad71c4204 100644 +--- a/net/ipv6/seg6_hmac.c ++++ b/net/ipv6/seg6_hmac.c +@@ -401,7 +401,6 @@ int __init seg6_hmac_init(void) + { + return seg6_hmac_init_algo(); + } +-EXPORT_SYMBOL(seg6_hmac_init); + + int __net_init seg6_hmac_net_init(struct net *net) + { +-- +2.35.1 + diff --git a/queue-5.4/net-mdio-unexport-__init-annotated-mdio_bus_init.patch b/queue-5.4/net-mdio-unexport-__init-annotated-mdio_bus_init.patch new file mode 100644 index 00000000000..7527b8ff534 --- /dev/null +++ b/queue-5.4/net-mdio-unexport-__init-annotated-mdio_bus_init.patch @@ -0,0 +1,54 @@ +From 2324f62db73fd19f1ba9122137c460b72b0d3505 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:53:53 +0900 +Subject: net: mdio: unexport __init-annotated mdio_bus_init() + +From: Masahiro Yamada + +[ Upstream commit 35b42dce619701f1300fb8498dae82c9bb1f0263 ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because the only in-tree call-site, +drivers/net/phy/phy_device.c is never compiled as modular. +(CONFIG_PHYLIB is boolean) + +Fixes: 90eff9096c01 ("net: phy: Allow splitting MDIO bus/device support from PHYs") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Reviewed-by: Florian Fainelli +Reviewed-by: Russell King (Oracle) +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mdio_bus.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index b0a439248ff6..05c24db507a2 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -753,7 +753,6 @@ int __init mdio_bus_init(void) + + return ret; + } +-EXPORT_SYMBOL_GPL(mdio_bus_init); + + #if IS_ENABLED(CONFIG_PHYLIB) + void mdio_bus_exit(void) +-- +2.35.1 + diff --git a/queue-5.4/net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch b/queue-5.4/net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch new file mode 100644 index 00000000000..76de421c208 --- /dev/null +++ b/queue-5.4/net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch @@ -0,0 +1,38 @@ +From cacd8a171f326eceb577da514b2e40ba3427acd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 14:57:18 +0300 +Subject: net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure + +From: Gal Pressman + +[ Upstream commit f5826c8c9d57210a17031af5527056eefdc2b7eb ] + +The ioctl EEPROM query wrongly returns success on read failures, fix +that by returning the appropriate error code. + +Fixes: 7202da8b7f71 ("ethtool, net/mlx4_en: Cable info, get_module_info/eeprom ethtool support") +Signed-off-by: Gal Pressman +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20220606115718.14233-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index dd029d91bbc2..b711148a9d50 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -2083,7 +2083,7 @@ static int mlx4_en_get_module_eeprom(struct net_device *dev, + en_err(priv, + "mlx4_get_module_info i(%d) offset(%d) bytes_to_read(%d) - FAILED (0x%x)\n", + i, offset, ee->len - i, ret); +- return 0; ++ return ret; + } + + i += ret; +-- +2.35.1 + diff --git a/queue-5.4/net-mlx5-fs-fail-conflicting-actions.patch b/queue-5.4/net-mlx5-fs-fail-conflicting-actions.patch new file mode 100644 index 00000000000..69daa58ff91 --- /dev/null +++ b/queue-5.4/net-mlx5-fs-fail-conflicting-actions.patch @@ -0,0 +1,91 @@ +From cc696ce67666ddc69cad77b61eebba0af50762c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 10:46:59 +0300 +Subject: net/mlx5: fs, fail conflicting actions + +From: Mark Bloch + +[ Upstream commit 8fa5e7b20e01042b14f8cd684d2da9b638460c74 ] + +When combining two steering rules into one check +not only do they share the same actions but those +actions are also the same. This resolves an issue where +when creating two different rules with the same match +the actions are overwritten and one of the rules is deleted +a FW syndrome can be seen in dmesg. + +mlx5_core 0000:03:00.0: mlx5_cmd_check:819:(pid 2105): DEALLOC_MODIFY_HEADER_CONTEXT(0x941) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0x1ab444) + +Fixes: 0d235c3fabb7 ("net/mlx5: Add hash table to search FTEs in a flow-group") +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/fs_core.c | 35 +++++++++++++++++-- + 1 file changed, 32 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 8c8b68e7abb4..41087c0618c1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1450,9 +1450,22 @@ static struct mlx5_flow_rule *find_flow_rule(struct fs_fte *fte, + return NULL; + } + +-static bool check_conflicting_actions(u32 action1, u32 action2) ++static bool check_conflicting_actions_vlan(const struct mlx5_fs_vlan *vlan0, ++ const struct mlx5_fs_vlan *vlan1) + { +- u32 xored_actions = action1 ^ action2; ++ return vlan0->ethtype != vlan1->ethtype || ++ vlan0->vid != vlan1->vid || ++ vlan0->prio != vlan1->prio; ++} ++ ++static bool check_conflicting_actions(const struct mlx5_flow_act *act1, ++ const struct mlx5_flow_act *act2) ++{ ++ u32 action1 = act1->action; ++ u32 action2 = act2->action; ++ u32 xored_actions; ++ ++ xored_actions = action1 ^ action2; + + /* if one rule only wants to count, it's ok */ + if (action1 == MLX5_FLOW_CONTEXT_ACTION_COUNT || +@@ -1469,6 +1482,22 @@ static bool check_conflicting_actions(u32 action1, u32 action2) + MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH_2)) + return true; + ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT && ++ act1->pkt_reformat != act2->pkt_reformat) ++ return true; ++ ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR && ++ act1->modify_hdr != act2->modify_hdr) ++ return true; ++ ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH && ++ check_conflicting_actions_vlan(&act1->vlan[0], &act2->vlan[0])) ++ return true; ++ ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH_2 && ++ check_conflicting_actions_vlan(&act1->vlan[1], &act2->vlan[1])) ++ return true; ++ + return false; + } + +@@ -1476,7 +1505,7 @@ static int check_conflicting_ftes(struct fs_fte *fte, + const struct mlx5_flow_context *flow_context, + const struct mlx5_flow_act *flow_act) + { +- if (check_conflicting_actions(flow_act->action, fte->action.action)) { ++ if (check_conflicting_actions(flow_act, &fte->action)) { + mlx5_core_warn(get_dev(&fte->node), + "Found two FTEs with conflicting actions\n"); + return -EEXIST; +-- +2.35.1 + diff --git a/queue-5.4/net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch b/queue-5.4/net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch new file mode 100644 index 00000000000..7c7eb0c8f1e --- /dev/null +++ b/queue-5.4/net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch @@ -0,0 +1,59 @@ +From 8af79358b4a759aff111e5828844f58f4c6dadfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Mar 2022 21:47:48 +0200 +Subject: net/mlx5: Rearm the FW tracer after each tracer event + +From: Feras Daoud + +[ Upstream commit 8bf94e6414c9481bfa28269022688ab445d0081d ] + +The current design does not arm the tracer if traces are available before +the tracer string database is fully loaded, leading to an unfunctional tracer. +This fix will rearm the tracer every time the FW triggers tracer event +regardless of the tracer strings database status. + +Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling") +Signed-off-by: Feras Daoud +Signed-off-by: Roy Novich +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index 97359417c6e7..f8144ce7e476 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -673,6 +673,9 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + if (!tracer->owner) + return; + ++ if (unlikely(!tracer->str_db.loaded)) ++ goto arm; ++ + block_count = tracer->buff.size / TRACER_BLOCK_SIZE_BYTE; + start_offset = tracer->buff.consumer_index * TRACER_BLOCK_SIZE_BYTE; + +@@ -730,6 +733,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + &tmp_trace_block[TRACES_PER_BLOCK - 1]); + } + ++arm: + mlx5_fw_tracer_arm(dev); + } + +@@ -1084,8 +1088,7 @@ static int fw_tracer_event(struct notifier_block *nb, unsigned long action, void + queue_work(tracer->work_queue, &tracer->ownership_change_work); + break; + case MLX5_TRACER_SUBTYPE_TRACES_AVAILABLE: +- if (likely(tracer->str_db.loaded)) +- queue_work(tracer->work_queue, &tracer->handle_traces_work); ++ queue_work(tracer->work_queue, &tracer->handle_traces_work); + break; + default: + mlx5_core_dbg(dev, "FWTracer: Event with unrecognized subtype: sub_type %d\n", +-- +2.35.1 + diff --git a/queue-5.4/net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch b/queue-5.4/net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch new file mode 100644 index 00000000000..ace29e443ff --- /dev/null +++ b/queue-5.4/net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch @@ -0,0 +1,50 @@ +From 103f52915e54d9695ecc89d2f43dcd2e37be18a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:53:54 +0900 +Subject: net: xfrm: unexport __init-annotated xfrm4_protocol_init() + +From: Masahiro Yamada + +[ Upstream commit 4a388f08d8784af48f352193d2b72aaf167a57a1 ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because the only in-tree call-site, +net/ipv4/xfrm4_policy.c is never compiled as modular. +(CONFIG_XFRM is boolean) + +Fixes: 2f32b51b609f ("xfrm: Introduce xfrm_input_afinfo to access the the callbacks properly") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Acked-by: Steffen Klassert +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/xfrm4_protocol.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv4/xfrm4_protocol.c b/net/ipv4/xfrm4_protocol.c +index 8a4285712808..9031b7732fec 100644 +--- a/net/ipv4/xfrm4_protocol.c ++++ b/net/ipv4/xfrm4_protocol.c +@@ -298,4 +298,3 @@ void __init xfrm4_protocol_init(void) + { + xfrm_input_register_afinfo(&xfrm4_input_afinfo); + } +-EXPORT_SYMBOL(xfrm4_protocol_init); +-- +2.35.1 + diff --git a/queue-5.4/netfilter-nat-really-support-inet-nat-without-l3-add.patch b/queue-5.4/netfilter-nat-really-support-inet-nat-without-l3-add.patch new file mode 100644 index 00000000000..e56ae676a5e --- /dev/null +++ b/queue-5.4/netfilter-nat-really-support-inet-nat-without-l3-add.patch @@ -0,0 +1,103 @@ +From 3b6469551594ec91ae28bb02fb582397eadf76bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 10:47:35 +0200 +Subject: netfilter: nat: really support inet nat without l3 address + +From: Florian Westphal + +[ Upstream commit 282e5f8fe907dc3f2fbf9f2103b0e62ffc3a68a5 ] + +When no l3 address is given, priv->family is set to NFPROTO_INET and +the evaluation function isn't called. + +Call it too so l4-only rewrite can work. +Also add a test case for this. + +Fixes: a33f387ecd5aa ("netfilter: nft_nat: allow to specify layer 4 protocol NAT only") +Reported-by: Yi Chen +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_nat.c | 3 +- + tools/testing/selftests/netfilter/nft_nat.sh | 43 ++++++++++++++++++++ + 2 files changed, 45 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c +index 17c0f75dfcdb..0c5bc3c37ecf 100644 +--- a/net/netfilter/nft_nat.c ++++ b/net/netfilter/nft_nat.c +@@ -283,7 +283,8 @@ static void nft_nat_inet_eval(const struct nft_expr *expr, + { + const struct nft_nat *priv = nft_expr_priv(expr); + +- if (priv->family == nft_pf(pkt)) ++ if (priv->family == nft_pf(pkt) || ++ priv->family == NFPROTO_INET) + nft_nat_eval(expr, regs, pkt); + } + +diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh +index d7e07f4c3d7f..4e15e8167310 100755 +--- a/tools/testing/selftests/netfilter/nft_nat.sh ++++ b/tools/testing/selftests/netfilter/nft_nat.sh +@@ -374,6 +374,45 @@ EOF + return $lret + } + ++test_local_dnat_portonly() ++{ ++ local family=$1 ++ local daddr=$2 ++ local lret=0 ++ local sr_s ++ local sr_r ++ ++ip netns exec "$ns0" nft -f /dev/stdin < +Date: Mon, 6 Jun 2022 17:15:57 +0200 +Subject: netfilter: nf_tables: memleak flow rule from commit path + +From: Pablo Neira Ayuso + +[ Upstream commit 9dd732e0bdf538b1b76dc7c157e2b5e560ff30d3 ] + +Abort path release flow rule object, however, commit path does not. +Update code to destroy these objects before releasing the transaction. + +Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index b51c192105fc..58a7d89719b1 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6570,6 +6570,9 @@ static void nft_commit_release(struct nft_trans *trans) + nf_tables_chain_destroy(&trans->ctx); + break; + case NFT_MSG_DELRULE: ++ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) ++ nft_flow_rule_destroy(nft_trans_flow_rule(trans)); ++ + nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); + break; + case NFT_MSG_DELSET: +@@ -6891,6 +6894,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + nf_tables_rule_notify(&trans->ctx, + nft_trans_rule(trans), + NFT_MSG_NEWRULE); ++ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) ++ nft_flow_rule_destroy(nft_trans_flow_rule(trans)); ++ + nft_trans_destroy(trans); + break; + case NFT_MSG_DELRULE: +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 22e5f48c016..fe2180c77aa 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -346,3 +346,20 @@ dmaengine-zynqmp_dma-in-struct-zynqmp_dma_chan-fix-d.patch nfsv4-don-t-hold-the-layoutget-locks-across-multiple.patch video-fbdev-pxa3xx-gcu-release-the-resources-correct.patch xprtrdma-treat-all-calls-not-a-bcall-when-bc_serv-is.patch +netfilter-nat-really-support-inet-nat-without-l3-add.patch +ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch +netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch +xen-unexport-__init-annotated-xen_xlate_map_balloone.patch +af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch +bpf-arm64-clear-prog-jited_len-along-prog-jited.patch +net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch +net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch +sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch +net-mdio-unexport-__init-annotated-mdio_bus_init.patch +net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch +net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch +net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch +net-mlx5-fs-fail-conflicting-actions.patch +ip_gre-test-csum_start-instead-of-transport-header.patch +net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch +drm-imx-fix-compiler-warning-with-gcc-12.patch diff --git a/queue-5.4/sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch b/queue-5.4/sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch new file mode 100644 index 00000000000..0eb73a7fa0b --- /dev/null +++ b/queue-5.4/sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch @@ -0,0 +1,49 @@ +From bc2209527104ce7a989bbfc2f64ede44020c0af5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 16:47:52 -0400 +Subject: SUNRPC: Fix the calculation of xdr->end in + xdr_get_next_encode_buffer() + +From: Chuck Lever + +[ Upstream commit 6c254bf3b637dd4ef4f78eb78c7447419c0161d7 ] + +I found that NFSD's new NFSv3 READDIRPLUS XDR encoder was screwing up +right at the end of the page array. xdr_get_next_encode_buffer() does +not compute the value of xdr->end correctly: + + * The check to see if we're on the final available page in xdr->buf + needs to account for the space consumed by @nbytes. + + * The new xdr->end value needs to account for the portion of @nbytes + that is to be encoded into the previous buffer. + +Fixes: 2825a7f90753 ("nfsd4: allow encoding across page boundaries") +Signed-off-by: Chuck Lever +Reviewed-by: NeilBrown +Reviewed-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + net/sunrpc/xdr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c +index 7ef37054071f..cb8740d15633 100644 +--- a/net/sunrpc/xdr.c ++++ b/net/sunrpc/xdr.c +@@ -608,7 +608,11 @@ static __be32 *xdr_get_next_encode_buffer(struct xdr_stream *xdr, + */ + xdr->p = (void *)p + frag2bytes; + space_left = xdr->buf->buflen - xdr->buf->len; +- xdr->end = (void *)p + min_t(int, space_left, PAGE_SIZE); ++ if (space_left - nbytes >= PAGE_SIZE) ++ xdr->end = (void *)p + PAGE_SIZE; ++ else ++ xdr->end = (void *)p + space_left - frag1bytes; ++ + xdr->buf->page_len += frag2bytes; + xdr->buf->len += nbytes; + return p; +-- +2.35.1 + diff --git a/queue-5.4/xen-unexport-__init-annotated-xen_xlate_map_balloone.patch b/queue-5.4/xen-unexport-__init-annotated-xen_xlate_map_balloone.patch new file mode 100644 index 00000000000..673390d1c96 --- /dev/null +++ b/queue-5.4/xen-unexport-__init-annotated-xen_xlate_map_balloone.patch @@ -0,0 +1,55 @@ +From 663e38b3fb6b488fe62e467993f24189b38c5dd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:59:20 +0900 +Subject: xen: unexport __init-annotated xen_xlate_map_ballooned_pages() + +From: Masahiro Yamada + +[ Upstream commit dbac14a5a05ff8e1ce7c0da0e1f520ce39ec62ea ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because none of the in-tree call-sites +(arch/arm/xen/enlighten.c, arch/x86/xen/grant-table.c) is compiled as +modular. + +Fixes: 243848fc018c ("xen/grant-table: Move xlated_setup_gnttab_pages to common place") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Reviewed-by: Oleksandr Tyshchenko +Acked-by: Stefano Stabellini +Link: https://lore.kernel.org/r/20220606045920.4161881-1-masahiroy@kernel.org +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/xlate_mmu.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/xen/xlate_mmu.c b/drivers/xen/xlate_mmu.c +index 7b1077f0abcb..c8aa4f5f85db 100644 +--- a/drivers/xen/xlate_mmu.c ++++ b/drivers/xen/xlate_mmu.c +@@ -261,7 +261,6 @@ int __init xen_xlate_map_ballooned_pages(xen_pfn_t **gfns, void **virt, + + return 0; + } +-EXPORT_SYMBOL_GPL(xen_xlate_map_ballooned_pages); + + struct remap_pfn { + struct mm_struct *mm; +-- +2.35.1 +