From: Greg Kroah-Hartman Date: Sun, 3 Apr 2022 12:50:11 +0000 (+0200) Subject: 5.17-stable patches X-Git-Tag: v5.17.2~123 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=643dbe64ab1a2505dec8a1b9f483fe096a282d9d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: crypto-arm-aes-neonbs-cbc-select-generic-cbc-and-aes.patch crypto-x86-poly1305-fixup-sls.patch gfs2-fix-gfs2_file_buffered_write-endless-loop-workaround.patch gfs2-gfs2_setattr_size-error-path-fix.patch gfs2-make-sure-fitrim-minlen-is-rounded-up-to-fs-block-size.patch loop-fix-ioctl-calls-using-compat_loop_info.patch mailbox-imx-fix-wakeup-failure-from-freeze-mode.patch net-hns3-fix-software-vlan-talbe-of-vlan-0-inconsistent-with-hardware.patch net-hns3-fix-the-concurrency-between-functions-reading-debugfs.patch rtc-check-if-__rtc_read_time-was-successful.patch rtc-gamecube-fix-refcount-leak-in-gamecube_rtc_read_offset_from_sram.patch rxrpc-fix-call-timer-start-racing-with-call-destruction.patch rxrpc-fix-some-null-ptr-deref-bugs-in-server_key.c.patch
---
diff --git a/queue-5.17/crypto-arm-aes-neonbs-cbc-select-generic-cbc-and-aes.patch b/queue-5.17/crypto-arm-aes-neonbs-cbc-select-generic-cbc-and-aes.patch
new file mode 100644
index 00000000000..38249ebb245
--- /dev/null
+++ b/queue-5.17/crypto-arm-aes-neonbs-cbc-select-generic-cbc-and-aes.patch
@@ -0,0 +1,31 @@
+From c8bd296cca3434b13b28b074eaeb78a23284de77 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Thu, 17 Mar 2022 10:55:13 +1200
+Subject: crypto: arm/aes-neonbs-cbc - Select generic cbc and aes
+
+From: Herbert Xu
+
+commit c8bd296cca3434b13b28b074eaeb78a23284de77 upstream.
+
+The algorithm __cbc-aes-neonbs requires a fallback so we need
+to select the config options for them or otherwise it will fail
+to register on boot-up.
+
+Fixes: 00b99ad2bac2 ("crypto: arm/aes-neonbs - Use generic cbc...")
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/crypto/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/crypto/Kconfig
++++ b/arch/arm/crypto/Kconfig
+@@ -102,6 +102,8 @@ config CRYPTO_AES_ARM_BS
+ depends on KERNEL_MODE_NEON
+ select CRYPTO_SKCIPHER
+ select CRYPTO_LIB_AES
++ select CRYPTO_AES
++ select CRYPTO_CBC
+ select CRYPTO_SIMD
+ help
+ Use a faster and more secure NEON based implementation of AES in CBC,
diff --git a/queue-5.17/crypto-x86-poly1305-fixup-sls.patch b/queue-5.17/crypto-x86-poly1305-fixup-sls.patch
new file mode 100644
index 00000000000..e37ac8b737a
--- /dev/null
+++ b/queue-5.17/crypto-x86-poly1305-fixup-sls.patch
@@ -0,0 +1,207 @@
+From 7ed7aa4de9421229be6d331ed52d5cd09c99f409 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Thu, 24 Mar 2022 00:05:55 +0100
+Subject: crypto: x86/poly1305 - Fixup SLS
+
+From: Peter Zijlstra
+
+commit 7ed7aa4de9421229be6d331ed52d5cd09c99f409 upstream.
+
+Due to being a perl generated asm file, it got missed by the mass
+convertion script.
+
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_init_x86_64()+0x3a: missing int3 after ret
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_x86_64()+0xf2: missing int3 after ret
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_emit_x86_64()+0x37: missing int3 after ret
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: __poly1305_block()+0x6d: missing int3 after ret
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: __poly1305_init_avx()+0x1e8: missing int3 after ret
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx()+0x18a: missing int3 after ret
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx()+0xaf8: missing int3 after ret
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_emit_avx()+0x99: missing int3 after ret
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx2()+0x18a: missing int3 after ret
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx2()+0x776: missing int3 after ret
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx512()+0x18a: missing int3 after ret
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx512()+0x796: missing int3 after ret
+arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx512()+0x10bd: missing int3 after ret
+
+Fixes: f94909ceb1ed ("x86: Prepare asm files for straight-line-speculation")
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/crypto/poly1305-x86_64-cryptogams.pl | 38 +++++++++++++-------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+--- a/arch/x86/crypto/poly1305-x86_64-cryptogams.pl
++++ b/arch/x86/crypto/poly1305-x86_64-cryptogams.pl
+@@ -297,7 +297,7 @@ ___
+ $code.=<<___;
+ mov \$1,%eax
+.Lno_key:
+- ret
++ RET
+___
+ &end_function("poly1305_init_x86_64");
+
+@@ -373,7 +373,7 @@ $code.=<<___;
+ .cfi_adjust_cfa_offset -48
+.Lno_data:
+.Lblocks_epilogue:
+- ret
++ RET
+ .cfi_endproc
+ ___
+ &end_function("poly1305_blocks_x86_64");
+@@ -399,7 +399,7 @@ $code.=<<___;
+ mov %rax,0($mac) # write result
+ mov %rcx,8($mac)
+
+- ret
++ RET
+___
+ &end_function("poly1305_emit_x86_64");
+ if ($avx) {
+@@ -429,7 +429,7 @@ ___
+ &poly1305_iteration();
+ $code.=<<___;
+ pop $ctx
+- ret
++ RET
+.size __poly1305_block,.-__poly1305_block
+
+.type __poly1305_init_avx,\@abi-omnipotent
+@@ -594,7 +594,7 @@ __poly1305_init_avx:
+
+ lea -48-64($ctx),$ctx # size [de-]optimization
+ pop %rbp
+- ret
++ RET
+.size __poly1305_init_avx,.-__poly1305_init_avx
+ ___
+
+@@ -747,7 +747,7 @@ $code.=<<___;
+ .cfi_restore %rbp
+.Lno_data_avx:
+.Lblocks_avx_epilogue:
+- ret
++ RET
+.cfi_endproc
+
+.align 32
+@@ -1452,7 +1452,7 @@ $code.=<<___ if (!$win64);
+ ___
+ $code.=<<___;
+ vzeroupper
+- ret
++ RET
+ .cfi_endproc
+ ___
+ &end_function("poly1305_blocks_avx");
+@@ -1508,7 +1508,7 @@ $code.=<<___;
+ mov %rax,0($mac) # write result
+ mov %rcx,8($mac)
+
+- ret
++ RET
+___
+ &end_function("poly1305_emit_avx");
+
+@@ -1675,7 +1675,7 @@ $code.=<<___;
+ .cfi_restore %rbp
+.Lno_data_avx2$suffix:
+.Lblocks_avx2_epilogue$suffix:
+- ret
++ RET
+.cfi_endproc
+
+.align 32
+@@ -2201,7 +2201,7 @@ $code.=<<___ if (!$win64);
+ ___
+ $code.=<<___;
+ vzeroupper
+- ret
++ RET
+ .cfi_endproc
+ ___
+ if($avx > 2 && $avx512) {
+@@ -2792,7 +2792,7 @@ $code.=<<___ if (!$win64);
+ .cfi_def_cfa_register %rsp
+ ___
+ $code.=<<___;
+- ret
++ RET
+ .cfi_endproc
+ ___
+
+@@ -2893,7 +2893,7 @@ $code.=<<___ if ($flavour =~ /elf32/);
+ ___
+ $code.=<<___;
+ mov \$1,%eax
+- ret
++ RET
+.size poly1305_init_base2_44,.-poly1305_init_base2_44
+ ___
+ {
+@@ -3010,7 +3010,7 @@ poly1305_blocks_vpmadd52:
+ jnz .Lblocks_vpmadd52_4x
+
+.Lno_data_vpmadd52:
+- ret
++ RET
+.size poly1305_blocks_vpmadd52,.-poly1305_blocks_vpmadd52
+ ___
+ }
+@@ -3451,7 +3451,7 @@ poly1305_blocks_vpmadd52_4x:
+ vzeroall
+
+.Lno_data_vpmadd52_4x:
+- ret
++ RET
+.size poly1305_blocks_vpmadd52_4x,.-poly1305_blocks_vpmadd52_4x
+ ___
+ }
+@@ -3824,7 +3824,7 @@ $code.=<<___;
+ vzeroall
+
+.Lno_data_vpmadd52_8x:
+- ret
++ RET
+.size poly1305_blocks_vpmadd52_8x,.-poly1305_blocks_vpmadd52_8x
+ ___
+ }
+@@ -3861,7 +3861,7 @@ poly1305_emit_base2_44:
+ mov %rax,0($mac) # write result
+ mov %rcx,8($mac)
+
+- ret
++ RET
+.size poly1305_emit_base2_44,.-poly1305_emit_base2_44
+ ___
+ } } }
+@@ -3916,7 +3916,7 @@ xor128_encrypt_n_pad:
+
+.Ldone_enc:
+ mov $otp,%rax
+- ret
++ RET
+.size xor128_encrypt_n_pad,.-xor128_encrypt_n_pad
+
+.globl xor128_decrypt_n_pad
+@@ -3967,7 +3967,7 @@ xor128_decrypt_n_pad:
+
+.Ldone_dec:
+ mov $otp,%rax
+- ret
++ RET
+.size xor128_decrypt_n_pad,.-xor128_decrypt_n_pad
+ ___
+ }
+@@ -4109,7 +4109,7 @@ avx_handler:
+ pop %rbx
+ pop %rdi
+ pop %rsi
+- ret
++ RET
+.size avx_handler,.-avx_handler
+
+.section .pdata
diff --git a/queue-5.17/gfs2-fix-gfs2_file_buffered_write-endless-loop-workaround.patch b/queue-5.17/gfs2-fix-gfs2_file_buffered_write-endless-loop-workaround.patch
new file mode 100644
index 00000000000..16dd8e23ab2
--- /dev/null
+++ b/queue-5.17/gfs2-fix-gfs2_file_buffered_write-endless-loop-workaround.patch
@@ -0,0 +1,29 @@
+From 46f3e0421ccb5474b5c006b0089b9dfd42534bb6 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher
+Date: Thu, 17 Mar 2022 14:47:24 +0100
+Subject: gfs2: Fix gfs2_file_buffered_write endless loop workaround
+
+From: Andreas Gruenbacher
+
+commit 46f3e0421ccb5474b5c006b0089b9dfd42534bb6 upstream.
+
+Since commit 554c577cee95b, gfs2_file_buffered_write() can accidentally
+return a truncated iov_iter, which might confuse callers. Fix that.
+
+Fixes: 554c577cee95b ("gfs2: Prevent endless loops in gfs2_file_buffered_write")
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/gfs2/file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -1083,6 +1083,7 @@ out_uninit:
+ gfs2_holder_uninit(gh);
+ if (statfs_gh)
+ kfree(statfs_gh);
++ from->count = orig_count - read;
+ return read ? read : ret;
+ }
+
diff --git a/queue-5.17/gfs2-gfs2_setattr_size-error-path-fix.patch b/queue-5.17/gfs2-gfs2_setattr_size-error-path-fix.patch
new file mode 100644
index 00000000000..f3c4cfb9862
--- /dev/null
+++ b/queue-5.17/gfs2-gfs2_setattr_size-error-path-fix.patch
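Review bot: The added `from->count = orig_count - read;` at `out_uninit` writes the iov_iter length field directly and has no comment, so a later reader cannot tell that it undoes a truncation made earlier in the function. I would put `/* Undo any truncation of the iterator done by the endless-loop workaround above. */` on the line before it. The truncation and the declarations of `orig_count` and `read` are outside the hunk, so the wording should be checked against them.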
@@ -0,0 +1,109 @@
+From 7336905a89f19173bf9301cd50a24421162f417c Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher
+Date: Fri, 10 Dec 2021 14:43:36 +0100
+Subject: gfs2: gfs2_setattr_size error path fix
+
+From: Andreas Gruenbacher
+
+commit 7336905a89f19173bf9301cd50a24421162f417c upstream.
+
+When gfs2_setattr_size() fails, it calls gfs2_rs_delete(ip, NULL) to get
+rid of any reservations the inode may have. Instead, it should pass in
+the inode's write count as the second parameter to allow
+gfs2_rs_delete() to figure out if the inode has any writers left.
+
+In a next step, there are two instances of gfs2_rs_delete(ip, NULL) left
+where we know that there can be no other users of the inode. Replace
+those with gfs2_rs_deltree(&ip->i_res) to avoid the unnecessary write
+count check.
+
+With that, gfs2_rs_delete() is only called with the inode's actual write
+count, so get rid of the second parameter.
+
+Fixes: a097dc7e24cb ("GFS2: Make rgrp reservations part of the gfs2_inode structure")
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/gfs2/bmap.c | 2 +-
+ fs/gfs2/file.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/gfs2/rgrp.c | 7 ++++---
+ fs/gfs2/rgrp.h | 2 +-
+ fs/gfs2/super.c | 2 +-
+ 6 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/fs/gfs2/bmap.c
++++ b/fs/gfs2/bmap.c
+@@ -2146,7 +2146,7 @@ int gfs2_setattr_size(struct inode *inod
+
+ ret = do_shrink(inode, newsize);
+ out:
+- gfs2_rs_delete(ip, NULL);
++ gfs2_rs_delete(ip);
+ gfs2_qa_put(ip);
+ return ret;
+ }
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -706,7 +706,7 @@ static int gfs2_release(struct inode *in
+
+ if (file->f_mode & FMODE_WRITE) {
+ if (gfs2_rs_active(&ip->i_res))
+- gfs2_rs_delete(ip, &inode->i_writecount);
++ gfs2_rs_delete(ip);
+ gfs2_qa_put(ip);
+ }
+ return 0;
+--- a/fs/gfs2/inode.c
++++ b/fs/gfs2/inode.c
+@@ -793,7 +793,7 @@ fail_free_inode:
+ if (free_vfs_inode) /* else evict will do the put for us */
+ gfs2_glock_put(ip->i_gl);
+ }
+- gfs2_rs_delete(ip, NULL);
++ gfs2_rs_deltree(&ip->i_res);
+ gfs2_qa_put(ip);
+ fail_free_acls:
+ posix_acl_release(default_acl);
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -680,13 +680,14 @@ void gfs2_rs_deltree(struct gfs2_blkrese
+ /**
+ * gfs2_rs_delete - delete a multi-block reservation
+ * @ip: The inode for this reservation
+- * @wcount: The inode's write count, or NULL
+ *
+ */
+-void gfs2_rs_delete(struct gfs2_inode *ip, atomic_t *wcount)
++void gfs2_rs_delete(struct gfs2_inode *ip)
+ {
++ struct inode *inode = &ip->i_inode;
++
+ down_write(&ip->i_rw_mutex);
+- if ((wcount == NULL) || (atomic_read(wcount) <= 1))
++ if (atomic_read(&inode->i_writecount) <= 1)
+ gfs2_rs_deltree(&ip->i_res);
+ up_write(&ip->i_rw_mutex);
+ }
+--- a/fs/gfs2/rgrp.h
++++ b/fs/gfs2/rgrp.h
+@@ -45,7 +45,7 @@ extern int gfs2_alloc_blocks(struct gfs2
+ bool dinode, u64 *generation);
+
+ extern void gfs2_rs_deltree(struct gfs2_blkreserv *rs);
+-extern void gfs2_rs_delete(struct gfs2_inode *ip, atomic_t *wcount);
++extern void gfs2_rs_delete(struct gfs2_inode *ip);
+ extern void __gfs2_free_blocks(struct gfs2_inode *ip, struct gfs2_rgrpd *rgd,
+ u64 bstart, u32 blen, int meta);
+ extern void gfs2_free_meta(struct gfs2_inode *ip, struct gfs2_rgrpd *rgd,
+--- a/fs/gfs2/super.c
++++ b/fs/gfs2/super.c
+@@ -1396,7 +1396,7 @@ out:
+ truncate_inode_pages_final(&inode->i_data);
+ if (ip->i_qadata)
+ gfs2_assert_warn(sdp, ip->i_qadata->qa_ref == 0);
+- gfs2_rs_delete(ip, NULL);
++ gfs2_rs_deltree(&ip->i_res);
+ gfs2_ordered_del_inode(ip);
+ clear_inode(inode);
+ gfs2_dir_hash_inval(ip);
diff --git a/queue-5.17/gfs2-make-sure-fitrim-minlen-is-rounded-up-to-fs-block-size.patch b/queue-5.17/gfs2-make-sure-fitrim-minlen-is-rounded-up-to-fs-block-size.patch
new file mode 100644
index 00000000000..b8fcbe4bcbe
--- /dev/null
+++ b/queue-5.17/gfs2-make-sure-fitrim-minlen-is-rounded-up-to-fs-block-size.patch
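Review bot: In fs/gfs2/rgrp.c the kerneldoc of `gfs2_rs_delete()` lost its only mention of the write count, although `atomic_read(&inode->i_writecount) <= 1` is now the sole condition deciding whether the reservation is torn down. As far as the hunk shows, `i_rw_mutex` serialises the `gfs2_rs_deltree()` call but not changes to `i_writecount`, so the test looks like a snapshot rather than a guarantee, and the comment should say which one is intended. I would add a line such as `* The reservation is only removed when the inode has at most one writer (i_writecount <= 1).` to the comment block.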
@@ -0,0 +1,42 @@
+From 27ca8273fda398638ca994a207323a85b6d81190 Mon Sep 17 00:00:00 2001
+From: Andrew Price
+Date: Tue, 22 Mar 2022 19:05:51 +0000
+Subject: gfs2: Make sure FITRIM minlen is rounded up to fs block size
+
+From: Andrew Price
+
+commit 27ca8273fda398638ca994a207323a85b6d81190 upstream.
+
+Per fstrim(8) we must round up the minlen argument to the fs block size.
+The current calculation doesn't take into account devices that have a
+discard granularity and requested minlen less than 1 fs block, so the
+value can get shifted away to zero in the translation to fs blocks.
+
+The zero minlen passed to gfs2_rgrp_send_discards() then allows
+sb_issue_discard() to be called with nr_sects == 0 which returns -EINVAL
+and results in gfs2_rgrp_send_discards() returning -EIO.
+
+Make sure minlen is never < 1 fs block by taking the max of the
+requested minlen and the fs block size before comparing to the device's
+discard granularity and shifting to fs blocks.
+
+Fixes: 076f0faa764ab ("GFS2: Fix FITRIM argument handling")
+Signed-off-by: Andrew Price
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/gfs2/rgrp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1416,7 +1416,8 @@ int gfs2_fitrim(struct file *filp, void
+
+ start = r.start >> bs_shift;
+ end = start + (r.len >> bs_shift);
+- minlen = max_t(u64, r.minlen,
++ minlen = max_t(u64, r.minlen, sdp->sd_sb.sb_bsize);
++ minlen = max_t(u64, minlen,
+ q->limits.discard_granularity) >> bs_shift;
+
+ if (end <= start || minlen > sdp->sd_max_rg_data)
diff --git a/queue-5.17/loop-fix-ioctl-calls-using-compat_loop_info.patch b/queue-5.17/loop-fix-ioctl-calls-using-compat_loop_info.patch
new file mode 100644
index 00000000000..b445a3ec6e4
--- /dev/null
+++ b/queue-5.17/loop-fix-ioctl-calls-using-compat_loop_info.patch
@@ -0,0 +1,59 @@
+From f941c51eeac7ebe0f8ec30943bf78e7f60aad039 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Tue, 29 Mar 2022 20:18:15 +0000
+Subject: loop: fix ioctl calls using compat_loop_info
+
+From: Carlos Llamas
+
+commit f941c51eeac7ebe0f8ec30943bf78e7f60aad039 upstream.
+
+Support for cryptoloop was deleted in commit 47e9624616c8 ("block:
+remove support for cryptoloop and the xor transfer"), making the usage
+of loop_info->lo_encrypt_type obsolete. However, this member was also
+removed from the compat_loop_info definition and this breaks userspace
+ioctl calls for 32-bit binaries and CONFIG_COMPAT=y.
+
+This patch restores the compat_loop_info->lo_encrypt_type member and
+marks it obsolete as well as in the uapi header definitions.
+
+Fixes: 47e9624616c8 ("block: remove support for cryptoloop and the xor transfer")
+Signed-off-by: Carlos Llamas
+Reviewed-by: Christoph Hellwig
+Link: https://lore.kernel.org/r/20220329201815.1347500-1-cmllamas@google.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/loop.c | 1 +
+ include/uapi/linux/loop.h | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1592,6 +1592,7 @@ struct compat_loop_info {
+ compat_ulong_t lo_inode; /* ioctl r/o */
+ compat_dev_t lo_rdevice; /* ioctl r/o */
+ compat_int_t lo_offset;
++ compat_int_t lo_encrypt_type; /* obsolete, ignored */
+ compat_int_t lo_encrypt_key_size; /* ioctl w/o */
+ compat_int_t lo_flags; /* ioctl r/o */
+ char lo_name[LO_NAME_SIZE];
+--- a/include/uapi/linux/loop.h
++++ b/include/uapi/linux/loop.h
+@@ -45,7 +45,7 @@ struct loop_info {
+ unsigned long lo_inode; /* ioctl r/o */
+ __kernel_old_dev_t lo_rdevice; /* ioctl r/o */
+ int lo_offset;
+- int lo_encrypt_type;
++ int lo_encrypt_type; /* obsolete, ignored */
+ int lo_encrypt_key_size; /* ioctl w/o */
+ int lo_flags;
+ char lo_name[LO_NAME_SIZE];
+@@ -61,7 +61,7 @@ struct loop_info64 {
+ __u64 lo_offset;
+ __u64 lo_sizelimit;/* bytes, 0 == max available */
+ __u32 lo_number; /* ioctl r/o */
+- __u32 lo_encrypt_type;
++ __u32 lo_encrypt_type; /* obsolete, ignored */
+ __u32 lo_encrypt_key_size; /* ioctl w/o */
+ __u32 lo_flags;
+ __u8 lo_file_name[LO_NAME_SIZE];
diff --git a/queue-5.17/mailbox-imx-fix-wakeup-failure-from-freeze-mode.patch b/queue-5.17/mailbox-imx-fix-wakeup-failure-from-freeze-mode.patch
new file mode 100644
index 00000000000..9c8477a06ec
--- /dev/null
+++ b/queue-5.17/mailbox-imx-fix-wakeup-failure-from-freeze-mode.patch
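Review bot: The restored `lo_encrypt_type` member in `struct compat_loop_info` (drivers/block/loop.c) is never assigned in this patch, and the helpers that copy the struct to a 32-bit caller are outside the hunk. If they fill a stack copy member by member without clearing it first, the field would hand uninitialised kernel stack bytes to userspace, so they should zero the struct or set `info.lo_encrypt_type = 0;` explicitly; this needs checking against the full file. Because the regression was a silent layout change, a `BUILD_BUG_ON(sizeof(struct compat_loop_info) != EXPECTED_COMPAT_SIZE);` next to the definition (the constant is a placeholder for the real ABI size) would catch a repeat at build time.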
@@ -0,0 +1,70 @@
+From 892cb524ae8a27bf5e42f711318371acd9a9f74a Mon Sep 17 00:00:00 2001
+From: Robin Gong
+Date: Mon, 7 Feb 2022 09:52:06 +0800
+Subject: mailbox: imx: fix wakeup failure from freeze mode
+
+From: Robin Gong
+
+commit 892cb524ae8a27bf5e42f711318371acd9a9f74a upstream.
+
+Since IRQF_NO_SUSPEND used for imx mailbox driver, that means this irq
+can't be used for wakeup source so that can't wakeup from freeze mode.
+Add pm_system_wakeup() to wakeup from freeze mode.
+
+Fixes: b7b2796b9b31e("mailbox: imx: ONLY IPC MU needs IRQF_NO_SUSPEND flag")
+Reviewed-by: Jacky Bai
+Reviewed-by: Peng Fan
+Signed-off-by: Robin Gong
+Signed-off-by: Peng Fan
+Signed-off-by: Jassi Brar
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mailbox/imx-mailbox.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/mailbox/imx-mailbox.c
++++ b/drivers/mailbox/imx-mailbox.c
+@@ -14,6 +14,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #define IMX_MU_CHANS 16
+@@ -76,6 +77,7 @@ struct imx_mu_priv {
+ const struct imx_mu_dcfg *dcfg;
+ struct clk *clk;
+ int irq;
++ bool suspend;
+
+ u32 xcr[4];
+
+@@ -334,6 +336,9 @@ static irqreturn_t imx_mu_isr(int irq, v
+ return IRQ_NONE;
+ }
+
++ if (priv->suspend)
++ pm_system_wakeup();
++
+ return IRQ_HANDLED;
+ }
+
+@@ -702,6 +707,8 @@ static int __maybe_unused imx_mu_suspend
+ priv->xcr[i] = imx_mu_read(priv, priv->dcfg->xCR[i]);
+ }
+
++ priv->suspend = true;
++
+ return 0;
+ }
+
+@@ -723,6 +730,8 @@ static int __maybe_unused imx_mu_resume_
+ imx_mu_write(priv, priv->xcr[i], priv->dcfg->xCR[i]);
+ }
+
++ priv->suspend = false;
++
+ return 0;
+ }
+
diff --git a/queue-5.17/net-hns3-fix-software-vlan-talbe-of-vlan-0-inconsistent-with-hardware.patch b/queue-5.17/net-hns3-fix-software-vlan-talbe-of-vlan-0-inconsistent-with-hardware.patch
new file mode 100644
index 00000000000..2864db182e0
--- /dev/null
+++ b/queue-5.17/net-hns3-fix-software-vlan-talbe-of-vlan-0-inconsistent-with-hardware.patch
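Review bot: `priv->suspend` is written in the noirq suspend and resume callbacks and read in `imx_mu_isr()` with plain loads and stores, and the commit message says this interrupt is requested with IRQF_NO_SUSPEND, so the handler can run while either write is in progress. Marking the accesses, `WRITE_ONCE(priv->suspend, true);` and `if (READ_ONCE(priv->suspend))`, documents the sharing and keeps the compiler from caching the flag. The new member in `struct imx_mu_priv` also deserves a comment, for example `/* set during the noirq suspend phase; the ISR then reports a system wakeup */`. All three functions continue outside the hunk.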
@@ -0,0 +1,38 @@
+From 7ed258f12ec5ce855f15cdfb5710361dc82fe899 Mon Sep 17 00:00:00 2001
+From: Guangbin Huang
+Date: Wed, 30 Mar 2022 21:45:06 +0800
+Subject: net: hns3: fix software vlan talbe of vlan 0 inconsistent with hardware
+
+From: Guangbin Huang
+
+commit 7ed258f12ec5ce855f15cdfb5710361dc82fe899 upstream.
+
+When user delete vlan 0, as driver will not delete vlan 0 for hardware in
+function hclge_set_vlan_filter_hw(), so vlan 0 in software vlan talbe should
+not be deleted.
+
+Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed")
+Signed-off-by: Guangbin Huang
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -10314,11 +10314,11 @@ int hclge_set_vlan_filter(struct hnae3_h
+ }
+
+ if (!ret) {
+- if (is_kill)
+- hclge_rm_vport_vlan_table(vport, vlan_id, false);
+- else
++ if (!is_kill)
+ hclge_add_vport_vlan_table(vport, vlan_id,
+ writen_to_tbl);
++ else if (is_kill && vlan_id != 0)
++ hclge_rm_vport_vlan_table(vport, vlan_id, false);
+ } else if (is_kill) {
+ /* when remove hw vlan filter failed, record the vlan id,
+ * and try to remove it from hw later, to be consistence
diff --git a/queue-5.17/net-hns3-fix-the-concurrency-between-functions-reading-debugfs.patch b/queue-5.17/net-hns3-fix-the-concurrency-between-functions-reading-debugfs.patch
new file mode 100644
index 00000000000..18c4c2d5884
--- /dev/null
+++ b/queue-5.17/net-hns3-fix-the-concurrency-between-functions-reading-debugfs.patch
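Review bot: In `hclge_set_vlan_filter()` the new branch `else if (is_kill && vlan_id != 0)` re-tests a condition that is already true, because it is the else of `if (!is_kill)`; `else if (vlan_id != 0)` reads the same and is shorter. The reason vlan 0 is skipped appears only in the commit message, so a comment such as `/* vlan 0 is never removed from hardware, so keep it in the software table too */` above the branch would save the next reader a trip to the log. The function starts and ends outside the hunk.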
@@ -0,0 +1,85 @@
+From 9c9a04212fa380d2e7d1412bb281309955c0a781 Mon Sep 17 00:00:00 2001
+From: Yufeng Mo
+Date: Wed, 30 Mar 2022 21:45:05 +0800
+Subject: net: hns3: fix the concurrency between functions reading debugfs
+
+From: Yufeng Mo
+
+commit 9c9a04212fa380d2e7d1412bb281309955c0a781 upstream.
+
+Currently, the debugfs mechanism is that all functions share a
+global variable to save the pointer for obtaining data. When
+different functions concurrently access the same file node,
+repeated release exceptions occur. Therefore, the granularity
+of the pointer for storing the obtained data is adjusted to be
+private for each function.
+
+Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process")
+Signed-off-by: Yufeng Mo
+Signed-off-by: Guangbin Huang
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/hisilicon/hns3/hnae3.h | 1 +
+ drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 15 +++++++++++----
+ drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h | 1 -
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h
+@@ -844,6 +844,7 @@ struct hnae3_handle {
+ struct dentry *hnae3_dbgfs;
+ /* protects concurrent contention between debugfs commands */
+ struct mutex dbgfs_lock;
++ char **dbgfs_buf;
+
+ /* Network interface message level enabled bits */
+ u32 msg_enable;
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+@@ -1227,7 +1227,7 @@ static ssize_t hns3_dbg_read(struct file
+ return ret;
+
+ mutex_lock(&handle->dbgfs_lock);
+- save_buf = &hns3_dbg_cmd[index].buf;
++ save_buf = &handle->dbgfs_buf[index];
+
+ if (!test_bit(HNS3_NIC_STATE_INITED, &priv->state) ||
+ test_bit(HNS3_NIC_STATE_RESETTING, &priv->state)) {
+@@ -1332,6 +1332,13 @@ int hns3_dbg_init(struct hnae3_handle *h
+ int ret;
+ u32 i;
+
++ handle->dbgfs_buf = devm_kcalloc(&handle->pdev->dev,
++ ARRAY_SIZE(hns3_dbg_cmd),
++ sizeof(*handle->dbgfs_buf),
++ GFP_KERNEL);
++ if (!handle->dbgfs_buf)
++ return -ENOMEM;
++
+ hns3_dbg_dentry[HNS3_DBG_DENTRY_COMMON].dentry =
+ debugfs_create_dir(name, hns3_dbgfs_root);
+ handle->hnae3_dbgfs = hns3_dbg_dentry[HNS3_DBG_DENTRY_COMMON].dentry;
+@@ -1380,9 +1387,9 @@ void hns3_dbg_uninit(struct hnae3_handle
+ u32 i;
+
+ for (i = 0; i < ARRAY_SIZE(hns3_dbg_cmd); i++)
+- if (hns3_dbg_cmd[i].buf) {
+- kvfree(hns3_dbg_cmd[i].buf);
+- hns3_dbg_cmd[i].buf = NULL;
++ if (handle->dbgfs_buf[i]) {
++ kvfree(handle->dbgfs_buf[i]);
++ handle->dbgfs_buf[i] = NULL;
+ }
+
+ mutex_destroy(&handle->dbgfs_lock);
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h
+@@ -49,7 +49,6 @@ struct hns3_dbg_cmd_info {
+ enum hnae3_dbg_cmd cmd;
+ enum hns3_dbg_dentry_type dentry;
+ u32 buf_len;
+- char *buf;
+ int (*init)(struct hnae3_handle *handle, unsigned int cmd);
+ };
+
diff --git a/queue-5.17/rtc-check-if-__rtc_read_time-was-successful.patch b/queue-5.17/rtc-check-if-__rtc_read_time-was-successful.patch
new file mode 100644
index 00000000000..4678f5d16f9
--- /dev/null
+++ b/queue-5.17/rtc-check-if-__rtc_read_time-was-successful.patch
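Review bot: `hns3_dbg_uninit()` now indexes `handle->dbgfs_buf[i]` unconditionally, while `hns3_dbg_init()` can return `-ENOMEM` leaving `handle->dbgfs_buf` NULL. Whether uninit can run after a failed or skipped init is decided by callers outside this patch; if it can, the loop dereferences a NULL pointer, so I would wrap the loop in `if (handle->dbgfs_buf)`. The new early return also sits before the rest of init, so it is worth confirming that nothing torn down later (the `mutex_destroy(&handle->dbgfs_lock)` visible in uninit, for instance) assumes init got further than that. Both functions continue outside the hunk.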
@@ -0,0 +1,54 @@
+From 915593a7a663b2ad08b895a5f3ba8b19d89d4ebf Mon Sep 17 00:00:00 2001
+From: Tom Rix
+Date: Sat, 26 Mar 2022 12:42:36 -0700
+Subject: rtc: check if __rtc_read_time was successful
+
+From: Tom Rix
+
+commit 915593a7a663b2ad08b895a5f3ba8b19d89d4ebf upstream.
+
+Clang static analysis reports this issue
+interface.c:810:8: warning: Passed-by-value struct
+ argument contains uninitialized data
+ now = rtc_tm_to_ktime(tm);
+ ^~~~~~~~~~~~~~~~~~~
+
+tm is set by a successful call to __rtc_read_time()
+but its return status is not checked. Check if
+it was successful before setting the enabled flag.
+Move the decl of err to function scope.
+
+Fixes: 2b2f5ff00f63 ("rtc: interface: ignore expired timers when enqueuing new timers")
+Signed-off-by: Tom Rix
+Signed-off-by: Alexandre Belloni
+Link: https://lore.kernel.org/r/20220326194236.2916310-1-trix@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rtc/interface.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -804,9 +804,13 @@ static int rtc_timer_enqueue(struct rtc_
+ struct timerqueue_node *next = timerqueue_getnext(&rtc->timerqueue);
+ struct rtc_time tm;
+ ktime_t now;
++ int err;
++
++ err = __rtc_read_time(rtc, &tm);
++ if (err)
++ return err;
+
+ timer->enabled = 1;
+- __rtc_read_time(rtc, &tm);
+ now = rtc_tm_to_ktime(tm);
+
+ /* Skip over expired timers */
+@@ -820,7 +824,6 @@ static int rtc_timer_enqueue(struct rtc_
+ trace_rtc_timer_enqueue(timer);
+ if (!next || ktime_before(timer->node.expires, next->expires)) {
+ struct rtc_wkalrm alarm;
+- int err;
+
+ alarm.time = rtc_ktime_to_tm(timer->node.expires);
+ alarm.enabled = 1;
diff --git a/queue-5.17/rtc-gamecube-fix-refcount-leak-in-gamecube_rtc_read_offset_from_sram.patch b/queue-5.17/rtc-gamecube-fix-refcount-leak-in-gamecube_rtc_read_offset_from_sram.patch
new file mode 100644
index 00000000000..19b35e3496e
--- /dev/null
+++ b/queue-5.17/rtc-gamecube-fix-refcount-leak-in-gamecube_rtc_read_offset_from_sram.patch
@@ -0,0 +1,32 @@
+From 4b2dc39ca024990abe36ad5d145c4fe0c06afd34 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Wed, 9 Mar 2022 09:22:25 +0000
+Subject: rtc: gamecube: Fix refcount leak in gamecube_rtc_read_offset_from_sram
+
+From: Miaoqian Lin
+
+commit 4b2dc39ca024990abe36ad5d145c4fe0c06afd34 upstream.
+
+The of_find_compatible_node() function returns a node pointer with
+refcount incremented, We should use of_node_put() on it when done
+Add the missing of_node_put() to release the refcount.
+
+Fixes: 86559400b3ef ("rtc: gamecube: Add a RTC driver for the GameCube, Wii and Wii U")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Alexandre Belloni
+Link: https://lore.kernel.org/r/20220309092225.6930-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rtc/rtc-gamecube.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/rtc/rtc-gamecube.c
++++ b/drivers/rtc/rtc-gamecube.c
+@@ -235,6 +235,7 @@ static int gamecube_rtc_read_offset_from
+ }
+
+ ret = of_address_to_resource(np, 0, &res);
++ of_node_put(np);
+ if (ret) {
+ pr_err("no io memory range found\n");
+ return -1;
diff --git a/queue-5.17/rxrpc-fix-call-timer-start-racing-with-call-destruction.patch b/queue-5.17/rxrpc-fix-call-timer-start-racing-with-call-destruction.patch
new file mode 100644
index 00000000000..ede565fe068
--- /dev/null
+++ b/queue-5.17/rxrpc-fix-call-timer-start-racing-with-call-destruction.patch
@@ -0,0 +1,200 @@
+From 4a7f62f91933c8ae5308f9127fd8ea48188b6bc3 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Wed, 30 Mar 2022 15:39:16 +0100
+Subject: rxrpc: Fix call timer start racing with call destruction
+
+From: David Howells
+
+commit 4a7f62f91933c8ae5308f9127fd8ea48188b6bc3 upstream.
+
+The rxrpc_call struct has a timer used to handle various timed events
+relating to a call. This timer can get started from the packet input
+routines that are run in softirq mode with just the RCU read lock held.
+Unfortunately, because only the RCU read lock is held - and neither ref or
+other lock is taken - the call can start getting destroyed at the same time
+a packet comes in addressed to that call. This causes the timer - which
+was already stopped - to get restarted. Later, the timer dispatch code may
+then oops if the timer got deallocated first.
+
+Fix this by trying to take a ref on the rxrpc_call struct and, if
+successful, passing that ref along to the timer. If the timer was already
+running, the ref is discarded.
+
+The timer completion routine can then pass the ref along to the call's work
+item when it queues it. If the timer or work item where already
+queued/running, the extra ref is discarded.
+
+Fixes: a158bdd3247b ("rxrpc: Fix call timeouts")
+Reported-by: Marc Dionne
+Signed-off-by: David Howells
+Reviewed-by: Marc Dionne
+Tested-by: Marc Dionne
+cc: linux-afs@lists.infradead.org
+Link: http://lists.infradead.org/pipermail/linux-afs/2022-March/005073.html
+Link: https://lore.kernel.org/r/164865115696.2943015.11097991776647323586.stgit@warthog.procyon.org.uk
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/trace/events/rxrpc.h | 8 +++++++-
+ net/rxrpc/ar-internal.h | 15 +++++++--------
+ net/rxrpc/call_event.c | 2 +-
+ net/rxrpc/call_object.c | 40 +++++++++++++++++++++++++++++++++++-----
+ 4 files changed, 50 insertions(+), 15 deletions(-)
+
+--- a/include/trace/events/rxrpc.h
++++ b/include/trace/events/rxrpc.h
+@@ -83,12 +83,15 @@ enum rxrpc_call_trace {
+ rxrpc_call_error,
+ rxrpc_call_got,
+ rxrpc_call_got_kernel,
++ rxrpc_call_got_timer,
+ rxrpc_call_got_userid,
+ rxrpc_call_new_client,
+ rxrpc_call_new_service,
+ rxrpc_call_put,
+ rxrpc_call_put_kernel,
+ rxrpc_call_put_noqueue,
++ rxrpc_call_put_notimer,
++ rxrpc_call_put_timer,
+ rxrpc_call_put_userid,
+ rxrpc_call_queued,
+ rxrpc_call_queued_ref,
+@@ -278,12 +281,15 @@ enum rxrpc_tx_point {
+ EM(rxrpc_call_error, "*E*") \
+ EM(rxrpc_call_got, "GOT") \
+ EM(rxrpc_call_got_kernel, "Gke") \
++ EM(rxrpc_call_got_timer, "GTM") \
+ EM(rxrpc_call_got_userid, "Gus") \
+ EM(rxrpc_call_new_client, "NWc") \
+ EM(rxrpc_call_new_service, "NWs") \
+ EM(rxrpc_call_put, "PUT") \
+ EM(rxrpc_call_put_kernel, "Pke") \
+- EM(rxrpc_call_put_noqueue, "PNQ") \
++ EM(rxrpc_call_put_noqueue, "PnQ") \
++ EM(rxrpc_call_put_notimer, "PnT") \
++ EM(rxrpc_call_put_timer, "PTM") \
+ EM(rxrpc_call_put_userid, "Pus") \
+ EM(rxrpc_call_queued, "QUE") \
+ EM(rxrpc_call_queued_ref, "QUR") \
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -777,14 +777,12 @@ void rxrpc_propose_ACK(struct rxrpc_call
+ enum rxrpc_propose_ack_trace);
+ void rxrpc_process_call(struct work_struct *);
+
+-static inline void rxrpc_reduce_call_timer(struct rxrpc_call *call,
+- unsigned long expire_at,
+- unsigned long now,
+- enum rxrpc_timer_trace why)
+-{
+- trace_rxrpc_timer(call, why, now);
+- timer_reduce(&call->timer, expire_at);
+-}
++void rxrpc_reduce_call_timer(struct rxrpc_call *call,
++ unsigned long expire_at,
++ unsigned long now,
++ enum rxrpc_timer_trace why);
++
++void rxrpc_delete_call_timer(struct rxrpc_call *call);
+
+ /*
+ * call_object.c
+@@ -808,6 +806,7 @@ void rxrpc_release_calls_on_socket(struc
+ bool __rxrpc_queue_call(struct rxrpc_call *);
+ bool rxrpc_queue_call(struct rxrpc_call *);
+ void rxrpc_see_call(struct rxrpc_call *);
++bool rxrpc_try_get_call(struct rxrpc_call *call, enum rxrpc_call_trace op);
+ void rxrpc_get_call(struct rxrpc_call *, enum rxrpc_call_trace);
+ void rxrpc_put_call(struct rxrpc_call *, enum rxrpc_call_trace);
+ void rxrpc_cleanup_call(struct rxrpc_call *);
+--- a/net/rxrpc/call_event.c
++++ b/net/rxrpc/call_event.c
+@@ -310,7 +310,7 @@ recheck_state:
+ }
+
+ if (call->state == RXRPC_CALL_COMPLETE) {
+- del_timer_sync(&call->timer);
++ rxrpc_delete_call_timer(call);
+ goto out_put;
+ }
+
+--- a/net/rxrpc/call_object.c
++++ b/net/rxrpc/call_object.c
+@@ -53,10 +53,30 @@ static void rxrpc_call_timer_expired(str
+
+ if (call->state < RXRPC_CALL_COMPLETE) {
+ trace_rxrpc_timer(call, rxrpc_timer_expired, jiffies);
+- rxrpc_queue_call(call);
++ __rxrpc_queue_call(call);
++ } else {
++ rxrpc_put_call(call, rxrpc_call_put);
++ }
++}
++
++void rxrpc_reduce_call_timer(struct rxrpc_call *call,
++ unsigned long expire_at,
++ unsigned long now,
++ enum rxrpc_timer_trace why)
++{
++ if (rxrpc_try_get_call(call, rxrpc_call_got_timer)) {
++ trace_rxrpc_timer(call, why, now);
++ if (timer_reduce(&call->timer, expire_at))
++ rxrpc_put_call(call, rxrpc_call_put_notimer);
+ }
+ }
+
++void rxrpc_delete_call_timer(struct rxrpc_call *call)
++{
++ if (del_timer_sync(&call->timer))
++ rxrpc_put_call(call, rxrpc_call_put_timer);
++}
++
+ static struct lock_class_key rxrpc_call_user_mutex_lock_class_key;
+
+ /*
+@@ -463,6 +483,17 @@ void rxrpc_see_call(struct rxrpc_call *c
+ }
+ }
+
++bool rxrpc_try_get_call(struct rxrpc_call *call, enum rxrpc_call_trace op)
++{
++ const void *here = __builtin_return_address(0);
++ int n = atomic_fetch_add_unless(&call->usage, 1, 0);
++
++ if (n == 0)
++ return false;
++ trace_rxrpc_call(call->debug_id, op, n, here, NULL);
++ return true;
++}
++
+ /*
+ * Note the addition of a ref on a call.
+ */
+@@ -510,8 +541,7 @@ void rxrpc_release_call(struct rxrpc_soc
+ spin_unlock_bh(&call->lock);
+
+ rxrpc_put_call_slot(call);
+-
+- del_timer_sync(&call->timer);
++ rxrpc_delete_call_timer(call);
+
+ /* Make sure we don't get any more notifications */
+ write_lock_bh(&rx->recvmsg_lock);
+@@ -618,6 +648,8 @@ static void rxrpc_destroy_call(struct wo
+ struct rxrpc_call *call = container_of(work, struct rxrpc_call, processor);
+ struct rxrpc_net *rxnet = call->rxnet;
+
++ rxrpc_delete_call_timer(call);
++
+ rxrpc_put_connection(call->conn);
+ rxrpc_put_peer(call->peer);
+ kfree(call->rxtx_buffer);
+@@ -652,8 +684,6 @@ void rxrpc_cleanup_call(struct rxrpc_cal
+
+ memset(&call->sock_node, 0xcd, sizeof(call->sock_node));
+
+- del_timer_sync(&call->timer);
+-
+ ASSERTCMP(call->state, ==, RXRPC_CALL_COMPLETE);
+ ASSERT(test_bit(RXRPC_CALL_RELEASED, &call->flags));
+
diff --git a/queue-5.17/rxrpc-fix-some-null-ptr-deref-bugs-in-server_key.c.patch b/queue-5.17/rxrpc-fix-some-null-ptr-deref-bugs-in-server_key.c.patch
new file mode 100644
index 00000000000..1121e33f6fd
--- /dev/null
+++ b/queue-5.17/rxrpc-fix-some-null-ptr-deref-bugs-in-server_key.c.patch
@@ -0,0 +1,87 @@
+From ff8376ade4f668130385839cef586a0990f8ef87 Mon Sep 17 00:00:00 2001
+From: Xiaolong Huang
+Date: Wed, 30 Mar 2022 15:22:14 +0100
+Subject: rxrpc: fix some null-ptr-deref bugs in server_key.c
+
+From: Xiaolong Huang
+
+commit ff8376ade4f668130385839cef586a0990f8ef87 upstream.
+
+Some function calls are not implemented in rxrpc_no_security, there are
+preparse_server_key, free_preparse_server_key and destroy_server_key.
+When rxrpc security type is rxrpc_no_security, user can easily trigger a
+null-ptr-deref bug via ioctl. So judgment should be added to prevent it
+
+The crash log:
+user@syzkaller:~$ ./rxrpc_preparse_s
+[ 37.956878][T15626] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[ 37.957645][T15626] #PF: supervisor instruction fetch in kernel mode
+[ 37.958229][T15626] #PF: error_code(0x0010) - not-present page
+[ 37.958762][T15626] PGD 4aadf067 P4D 4aadf067 PUD 4aade067 PMD 0
+[ 37.959321][T15626] Oops: 0010 [#1] PREEMPT SMP
+[ 37.959739][T15626] CPU: 0 PID: 15626 Comm: rxrpc_preparse_ Not tainted 5.17.0-01442-gb47d5a4f6b8d #43
+[ 37.960588][T15626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
+[ 37.961474][T15626] RIP: 0010:0x0
+[ 37.961787][T15626] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
+[ 37.962480][T15626] RSP: 0018:ffffc9000d9abdc0 EFLAGS: 00010286
+[ 37.963018][T15626] RAX: ffffffff84335200 RBX: ffff888012a1ce80 RCX: 0000000000000000
+[ 37.963727][T15626] RDX: 0000000000000000 RSI: ffffffff84a736dc RDI: ffffc9000d9abe48
+[ 37.964425][T15626] RBP: ffffc9000d9abe48 R08: 0000000000000000 R09: 0000000000000002
+[ 37.965118][T15626] R10: 000000000000000a R11: f000000000000000 R12: ffff888013145680
+[ 37.965836][T15626] R13: 0000000000000000 R14: ffffffffffffffec R15: ffff8880432aba80
+[ 37.966441][T15626] FS: 00007f2177907700(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
+[ 37.966979][T15626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 37.967384][T15626] CR2: ffffffffffffffd6 CR3: 000000004aaf1000 CR4: 00000000000006f0
+[ 37.967864][T15626] Call Trace:
+[ 37.968062][T15626]
+[ 37.968240][T15626] rxrpc_preparse_s+0x59/0x90
+[ 37.968541][T15626] key_create_or_update+0x174/0x510
+[ 37.968863][T15626] __x64_sys_add_key+0x139/0x1d0
+[ 37.969165][T15626] do_syscall_64+0x35/0xb0
+[ 37.969451][T15626] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 37.969824][T15626] RIP: 0033:0x43a1f9
+
+Signed-off-by: Xiaolong Huang
+Tested-by: Xiaolong Huang
+Signed-off-by: David Howells
+Acked-by: Marc Dionne
+cc: linux-afs@lists.infradead.org
+Link: http://lists.infradead.org/pipermail/linux-afs/2022-March/005069.html
+Fixes: 12da59fcab5a ("rxrpc: Hand server key parsing off to the security class")
+Link: https://lore.kernel.org/r/164865013439.2941502.8966285221215590921.stgit@warthog.procyon.org.uk
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/server_key.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/server_key.c
++++ b/net/rxrpc/server_key.c
+@@ -84,6 +84,9 @@ static int rxrpc_preparse_s(struct key_p
+
+ prep->payload.data[1] = (struct rxrpc_security *)sec;
+
++ if (!sec->preparse_server_key)
++ return -EINVAL;
++
+ return sec->preparse_server_key(prep);
+ }
+
+@@ -91,7 +94,7 @@ static void rxrpc_free_preparse_s(struct
+ {
+ const struct rxrpc_security *sec = prep->payload.data[1];
+
+- if (sec)
++ if (sec && sec->free_preparse_server_key)
+ sec->free_preparse_server_key(prep);
+ }
+
+@@ -99,7 +102,7 @@ static void rxrpc_destroy_s(struct key *
+ {
+ const struct rxrpc_security *sec = key->payload.data[1];
+
+- if (sec)
++ if (sec && sec->destroy_server_key)
+ sec->destroy_server_key(key);
+ }
+
diff --git a/queue-5.17/series b/queue-5.17/series
index 6cea243afe0..60ff4642952 100644
--- a/queue-5.17/series
+++ b/queue-5.17/series
@@ -1024,3 +1024,16 @@ can-mcp251xfd-mcp251xfd_register_get_dev_id-fix-return-of-error-value.patch
 xarray-include-bitmap.h-from-xarray.h.patch
 xarray-update-the-lru-list-in-xas_split.patch
 modpost-restore-the-warning-message-for-missing-symbol-versions.patch
+rtc-gamecube-fix-refcount-leak-in-gamecube_rtc_read_offset_from_sram.patch
+rtc-check-if-__rtc_read_time-was-successful.patch
+loop-fix-ioctl-calls-using-compat_loop_info.patch
+gfs2-gfs2_setattr_size-error-path-fix.patch
+gfs2-fix-gfs2_file_buffered_write-endless-loop-workaround.patch
+gfs2-make-sure-fitrim-minlen-is-rounded-up-to-fs-block-size.patch
+net-hns3-fix-the-concurrency-between-functions-reading-debugfs.patch
+net-hns3-fix-software-vlan-talbe-of-vlan-0-inconsistent-with-hardware.patch
+rxrpc-fix-some-null-ptr-deref-bugs-in-server_key.c.patch
+rxrpc-fix-call-timer-start-racing-with-call-destruction.patch
+mailbox-imx-fix-wakeup-failure-from-freeze-mode.patch
+crypto-x86-poly1305-fixup-sls.patch
+crypto-arm-aes-neonbs-cbc-select-generic-cbc-and-aes.patch
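Review bot: In rxrpc_preparse_s (net/rxrpc/server_key.c, first hunk) the new `if (!sec->preparse_server_key) return -EINVAL;` comes after `prep->payload.data[1]` has already been pointed at the security class, so the -EINVAL return leaves the payload referring to a class that has no server-key ops. If the key core runs the free_preparse hook after a failed preparse (not visible here), safety on that path rests entirely on the companion `sec->free_preparse_server_key` test added in the next hunk. Placing the check above the store would remove that coupling, and a short comment at the guards, e.g. `/* server-key ops are optional; rxrpc_no_security does not implement them */`, would record why the NULL tests exist. All three functions start outside their hunks, so how `sec` is looked up cannot be checked from this patch.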