From: Sasha Levin Date: Sun, 9 Apr 2023 12:31:06 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.15.107~54 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ec56300b0e2a0e74ae68855332900e746c2d708;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/gpio-davinci-add-irq-chip-flag-to-skip-set-wake.patch b/queue-5.4/gpio-davinci-add-irq-chip-flag-to-skip-set-wake.patch new file mode 100644 index 00000000000..7aa69794fc2 --- /dev/null +++ b/queue-5.4/gpio-davinci-add-irq-chip-flag-to-skip-set-wake.patch @@ -0,0 +1,37 @@ +From a31a15fd33383d37f0bcbec6ab5c4e6c400e45f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 12:54:43 +0530 +Subject: gpio: davinci: Add irq chip flag to skip set wake + +From: Dhruva Gole + +[ Upstream commit 7b75c4703609a3ebaf67271813521bc0281e1ec1 ] + +Add the IRQCHIP_SKIP_SET_WAKE flag since there are no special IRQ Wake +bits that can be set to enable wakeup IRQ. + +Fixes: 3d9edf09d452 ("[ARM] 4457/2: davinci: GPIO support") +Signed-off-by: Dhruva Gole +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-davinci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-davinci.c b/drivers/gpio/gpio-davinci.c +index e0b0256896250..576cb2d0708f6 100644 +--- a/drivers/gpio/gpio-davinci.c ++++ b/drivers/gpio/gpio-davinci.c +@@ -333,7 +333,7 @@ static struct irq_chip gpio_irqchip = { + .irq_enable = gpio_irq_enable, + .irq_disable = gpio_irq_disable, + .irq_set_type = gpio_irq_type, +- .flags = IRQCHIP_SET_TYPE_MASKED, ++ .flags = IRQCHIP_SET_TYPE_MASKED | IRQCHIP_SKIP_SET_WAKE, + }; + + static void gpio_irq_handler(struct irq_desc *desc) +-- +2.39.2 + diff --git a/queue-5.4/icmp-guard-against-too-small-mtu.patch b/queue-5.4/icmp-guard-against-too-small-mtu.patch new file mode 100644 index 00000000000..3ea3addea38 --- /dev/null +++ b/queue-5.4/icmp-guard-against-too-small-mtu.patch @@ -0,0 +1,86 @@ +From 91ead7f8946d562bcc9ca859c5c63008674b4d46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 17:45:02 +0000 +Subject: icmp: guard against too small mtu + +From: Eric Dumazet + +[ Upstream commit 7d63b67125382ff0ffdfca434acbc94a38bd092b ] + +syzbot was able to trigger a panic [1] in icmp_glue_bits(), or +more exactly in skb_copy_and_csum_bits() + +There is no repro yet, but I think the issue is that syzbot +manages to lower device mtu to a small value, fooling __icmp_send() + +__icmp_send() must make sure there is enough room for the +packet to include at least the headers. + +We might in the future refactor skb_copy_and_csum_bits() and its +callers to no longer crash when something bad happens. + +[1] +kernel BUG at net/core/skbuff.c:3343 ! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 15766 Comm: syz-executor.0 Not tainted 6.3.0-rc4-syzkaller-00039-gffe78bbd5121 #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 +RIP: 0010:skb_copy_and_csum_bits+0x798/0x860 net/core/skbuff.c:3343 +Code: f0 c1 c8 08 41 89 c6 e9 73 ff ff ff e8 61 48 d4 f9 e9 41 fd ff ff 48 8b 7c 24 48 e8 52 48 d4 f9 e9 c3 fc ff ff e8 c8 27 84 f9 <0f> 0b 48 89 44 24 28 e8 3c 48 d4 f9 48 8b 44 24 28 e9 9d fb ff ff +RSP: 0018:ffffc90000007620 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 00000000000001e8 RCX: 0000000000000100 +RDX: ffff8880276f6280 RSI: ffffffff87fdd138 RDI: 0000000000000005 +RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 +R10: 00000000000001e8 R11: 0000000000000001 R12: 000000000000003c +R13: 0000000000000000 R14: ffff888028244868 R15: 0000000000000b0e +FS: 00007fbc81f1c700(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b2df43000 CR3: 00000000744db000 CR4: 0000000000150ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +icmp_glue_bits+0x7b/0x210 net/ipv4/icmp.c:353 +__ip_append_data+0x1d1b/0x39f0 net/ipv4/ip_output.c:1161 +ip_append_data net/ipv4/ip_output.c:1343 [inline] +ip_append_data+0x115/0x1a0 net/ipv4/ip_output.c:1322 +icmp_push_reply+0xa8/0x440 net/ipv4/icmp.c:370 +__icmp_send+0xb80/0x1430 net/ipv4/icmp.c:765 +ipv4_send_dest_unreach net/ipv4/route.c:1239 [inline] +ipv4_link_failure+0x5a9/0x9e0 net/ipv4/route.c:1246 +dst_link_failure include/net/dst.h:423 [inline] +arp_error_report+0xcb/0x1c0 net/ipv4/arp.c:296 +neigh_invalidate+0x20d/0x560 net/core/neighbour.c:1079 +neigh_timer_handler+0xc77/0xff0 net/core/neighbour.c:1166 +call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700 +expire_timers+0x29b/0x4b0 kernel/time/timer.c:1751 +__run_timers kernel/time/timer.c:2022 [inline] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+d373d60fddbdc915e666@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230330174502.1915328-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index b44f51e404aee..ac82a4158b86b 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -754,6 +754,11 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, + room = 576; + room -= sizeof(struct iphdr) + icmp_param.replyopts.opt.opt.optlen; + room -= sizeof(struct icmphdr); ++ /* Guard against tiny mtu. We need to include at least one ++ * IP network header for this message to make any sense. ++ */ ++ if (room <= (int)sizeof(struct iphdr)) ++ goto ende; + + icmp_param.data_len = skb_in->len - icmp_param.offset; + if (icmp_param.data_len > room) +-- +2.39.2 + diff --git a/queue-5.4/ipv6-fix-an-uninit-variable-access-bug-in-__ip6_make.patch b/queue-5.4/ipv6-fix-an-uninit-variable-access-bug-in-__ip6_make.patch new file mode 100644 index 00000000000..1d91cf06621 --- /dev/null +++ b/queue-5.4/ipv6-fix-an-uninit-variable-access-bug-in-__ip6_make.patch @@ -0,0 +1,101 @@ +From 90acfc9444eee543ff96e9a784cdd707810aba71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 15:34:17 +0800 +Subject: ipv6: Fix an uninit variable access bug in __ip6_make_skb() + +From: Ziyang Xuan + +[ Upstream commit ea30388baebcce37fd594d425a65037ca35e59e8 ] + +Syzbot reported a bug as following: + +===================================================== +BUG: KMSAN: uninit-value in arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline] +BUG: KMSAN: uninit-value in arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline] +BUG: KMSAN: uninit-value in atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline] +BUG: KMSAN: uninit-value in __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 + arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline] + arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline] + atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline] + __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 + ip6_finish_skb include/net/ipv6.h:1122 [inline] + ip6_push_pending_frames+0x10e/0x550 net/ipv6/ip6_output.c:1987 + rawv6_push_pending_frames+0xb12/0xb90 net/ipv6/raw.c:579 + rawv6_sendmsg+0x297e/0x2e60 net/ipv6/raw.c:922 + inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg net/socket.c:734 [inline] + ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 + ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 + __sys_sendmsg net/socket.c:2559 [inline] + __do_sys_sendmsg net/socket.c:2568 [inline] + __se_sys_sendmsg net/socket.c:2566 [inline] + __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:766 [inline] + slab_alloc_node mm/slub.c:3452 [inline] + __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491 + __do_kmalloc_node mm/slab_common.c:967 [inline] + __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988 + kmalloc_reserve net/core/skbuff.c:492 [inline] + __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565 + alloc_skb include/linux/skbuff.h:1270 [inline] + __ip6_append_data+0x51c1/0x6bb0 net/ipv6/ip6_output.c:1684 + ip6_append_data+0x411/0x580 net/ipv6/ip6_output.c:1854 + rawv6_sendmsg+0x2882/0x2e60 net/ipv6/raw.c:915 + inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg net/socket.c:734 [inline] + ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 + ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 + __sys_sendmsg net/socket.c:2559 [inline] + __do_sys_sendmsg net/socket.c:2568 [inline] + __se_sys_sendmsg net/socket.c:2566 [inline] + __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +It is because icmp6hdr does not in skb linear region under the scenario +of SOCK_RAW socket. Access icmp6_hdr(skb)->icmp6_type directly will +trigger the uninit variable access bug. + +Use a local variable icmp6_type to carry the correct value in different +scenarios. + +Fixes: 14878f75abd5 ("[IPV6]: Add ICMPMsgStats MIB (RFC 4293) [rev 2]") +Reported-by: syzbot+8257f4dcef79de670baf@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=3d605ec1d0a7f2a269a1a6936ac7f2b85975ee9c +Signed-off-by: Ziyang Xuan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_output.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 457eb07be4828..8231a7a3dd035 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1855,8 +1855,13 @@ struct sk_buff *__ip6_make_skb(struct sock *sk, + IP6_UPD_PO_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len); + if (proto == IPPROTO_ICMPV6) { + struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb)); ++ u8 icmp6_type; + +- ICMP6MSGOUT_INC_STATS(net, idev, icmp6_hdr(skb)->icmp6_type); ++ if (sk->sk_socket->type == SOCK_RAW && !inet_sk(sk)->hdrincl) ++ icmp6_type = fl6->fl6_icmp_type; ++ else ++ icmp6_type = icmp6_hdr(skb)->icmp6_type; ++ ICMP6MSGOUT_INC_STATS(net, idev, icmp6_type); + ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS); + } + +-- +2.39.2 + diff --git a/queue-5.4/net-don-t-let-netpoll-invoke-napi-if-in-xmit-context.patch b/queue-5.4/net-don-t-let-netpoll-invoke-napi-if-in-xmit-context.patch new file mode 100644 index 00000000000..4a057984470 --- /dev/null +++ b/queue-5.4/net-don-t-let-netpoll-invoke-napi-if-in-xmit-context.patch @@ -0,0 +1,80 @@ +From 10a0ef9c28fca190910112ca3adc6f927a046389 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 19:21:44 -0700 +Subject: net: don't let netpoll invoke NAPI if in xmit context + +From: Jakub Kicinski + +[ Upstream commit 275b471e3d2daf1472ae8fa70dc1b50c9e0b9e75 ] + +Commit 0db3dc73f7a3 ("[NETPOLL]: tx lock deadlock fix") narrowed +down the region under netif_tx_trylock() inside netpoll_send_skb(). +(At that point in time netif_tx_trylock() would lock all queues of +the device.) Taking the tx lock was problematic because driver's +cleanup method may take the same lock. So the change made us hold +the xmit lock only around xmit, and expected the driver to take +care of locking within ->ndo_poll_controller(). + +Unfortunately this only works if netpoll isn't itself called with +the xmit lock already held. Netpoll code is careful and uses +trylock(). The drivers, however, may be using plain lock(). +Printing while holding the xmit lock is going to result in rare +deadlocks. + +Luckily we record the xmit lock owners, so we can scan all the queues, +the same way we scan NAPI owners. If any of the xmit locks is held +by the local CPU we better not attempt any polling. + +It would be nice if we could narrow down the check to only the NAPIs +and the queue we're trying to use. I don't see a way to do that now. + +Reported-by: Roman Gushchin +Fixes: 0db3dc73f7a3 ("[NETPOLL]: tx lock deadlock fix") +Signed-off-by: Jakub Kicinski +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/netpoll.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 78bbb912e5025..9b263a5c0f36f 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -136,6 +136,20 @@ static void queue_process(struct work_struct *work) + } + } + ++static int netif_local_xmit_active(struct net_device *dev) ++{ ++ int i; ++ ++ for (i = 0; i < dev->num_tx_queues; i++) { ++ struct netdev_queue *txq = netdev_get_tx_queue(dev, i); ++ ++ if (READ_ONCE(txq->xmit_lock_owner) == smp_processor_id()) ++ return 1; ++ } ++ ++ return 0; ++} ++ + static void poll_one_napi(struct napi_struct *napi) + { + int work; +@@ -182,7 +196,10 @@ void netpoll_poll_dev(struct net_device *dev) + if (!ni || down_trylock(&ni->dev_lock)) + return; + +- if (!netif_running(dev)) { ++ /* Some drivers will take the same locks in poll and xmit, ++ * we can't poll if local CPU is already in xmit. ++ */ ++ if (!netif_running(dev) || netif_local_xmit_active(dev)) { + up(&ni->dev_lock); + return; + } +-- +2.39.2 + diff --git a/queue-5.4/nfsd-callback-request-does-not-use-correct-credentia.patch b/queue-5.4/nfsd-callback-request-does-not-use-correct-credentia.patch new file mode 100644 index 00000000000..b5ef78c07fa --- /dev/null +++ b/queue-5.4/nfsd-callback-request-does-not-use-correct-credentia.patch @@ -0,0 +1,43 @@ +From abe39c3faba6ff7571b38d7a54e9b505abdf12bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Apr 2023 13:22:08 -0700 +Subject: NFSD: callback request does not use correct credential for AUTH_SYS + +From: Dai Ngo + +[ Upstream commit 7de82c2f36fb26aa78440bbf0efcf360b691d98b ] + +Currently callback request does not use the credential specified in +CREATE_SESSION if the security flavor for the back channel is AUTH_SYS. + +Problem was discovered by pynfs 4.1 DELEG5 and DELEG7 test with error: +DELEG5 st_delegation.testCBSecParms : FAILURE + expected callback with uid, gid == 17, 19, got 0, 0 + +Signed-off-by: Dai Ngo +Reviewed-by: Jeff Layton +Fixes: 8276c902bbe9 ("SUNRPC: remove uid and gid from struct auth_cred") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4callback.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c +index ffc2b838b123c..771733396eab2 100644 +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -840,8 +840,8 @@ static const struct cred *get_backchannel_cred(struct nfs4_client *clp, struct r + if (!kcred) + return NULL; + +- kcred->uid = ses->se_cb_sec.uid; +- kcred->gid = ses->se_cb_sec.gid; ++ kcred->fsuid = ses->se_cb_sec.uid; ++ kcred->fsgid = ses->se_cb_sec.gid; + return kcred; + } + } +-- +2.39.2 + diff --git a/queue-5.4/pwm-cros-ec-explicitly-set-.polarity-in-.get_state.patch b/queue-5.4/pwm-cros-ec-explicitly-set-.polarity-in-.get_state.patch new file mode 100644 index 00000000000..d1c4119e6b9 --- /dev/null +++ b/queue-5.4/pwm-cros-ec-explicitly-set-.polarity-in-.get_state.patch @@ -0,0 +1,40 @@ +From 35a832b305d0e494bfb906b5b14cf42603a4d512 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 22:45:41 +0100 +Subject: pwm: cros-ec: Explicitly set .polarity in .get_state() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 30006b77c7e130e01d1ab2148cc8abf73dfcc4bf ] + +The driver only supports normal polarity. Complete the implementation of +.get_state() by setting .polarity accordingly. + +Reviewed-by: Guenter Roeck +Fixes: 1f0d3bb02785 ("pwm: Add ChromeOS EC PWM driver") +Link: https://lore.kernel.org/r/20230228135508.1798428-3-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-cros-ec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pwm/pwm-cros-ec.c b/drivers/pwm/pwm-cros-ec.c +index 89497448d2177..ad4321f2b6f87 100644 +--- a/drivers/pwm/pwm-cros-ec.c ++++ b/drivers/pwm/pwm-cros-ec.c +@@ -125,6 +125,7 @@ static void cros_ec_pwm_get_state(struct pwm_chip *chip, struct pwm_device *pwm, + + state->enabled = (ret > 0); + state->period = EC_PWM_MAX_DUTY; ++ state->polarity = PWM_POLARITY_NORMAL; + + /* Note that "disabled" and "duty cycle == 0" are treated the same */ + state->duty_cycle = ret; +-- +2.39.2 + diff --git a/queue-5.4/pwm-sprd-explicitly-set-.polarity-in-.get_state.patch b/queue-5.4/pwm-sprd-explicitly-set-.polarity-in-.get_state.patch new file mode 100644 index 00000000000..5acf9d5f89c --- /dev/null +++ b/queue-5.4/pwm-sprd-explicitly-set-.polarity-in-.get_state.patch @@ -0,0 +1,39 @@ +From 12a56452fc300fb037596d3a87ea00919cd6d954 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 22:45:43 +0100 +Subject: pwm: sprd: Explicitly set .polarity in .get_state() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 2be4dcf6627e1bcbbef8e6ba1811f5127d39202c ] + +The driver only supports normal polarity. Complete the implementation of +.get_state() by setting .polarity accordingly. + +Fixes: 8aae4b02e8a6 ("pwm: sprd: Add Spreadtrum PWM support") +Link: https://lore.kernel.org/r/20230228135508.1798428-5-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sprd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pwm/pwm-sprd.c b/drivers/pwm/pwm-sprd.c +index 892d853d48a1a..b30d664bf7d57 100644 +--- a/drivers/pwm/pwm-sprd.c ++++ b/drivers/pwm/pwm-sprd.c +@@ -109,6 +109,7 @@ static void sprd_pwm_get_state(struct pwm_chip *chip, struct pwm_device *pwm, + duty = val & SPRD_PWM_DUTY_MSK; + tmp = (prescale + 1) * NSEC_PER_SEC * duty; + state->duty_cycle = DIV_ROUND_CLOSEST_ULL(tmp, chn->clk_rate); ++ state->polarity = PWM_POLARITY_NORMAL; + + /* Disable PWM clocks if the PWM channel is not in enable state. */ + if (!state->enabled) +-- +2.39.2 + diff --git a/queue-5.4/sctp-check-send-stream-number-after-wait_for_sndbuf.patch b/queue-5.4/sctp-check-send-stream-number-after-wait_for_sndbuf.patch new file mode 100644 index 00000000000..38d16484f2f --- /dev/null +++ b/queue-5.4/sctp-check-send-stream-number-after-wait_for_sndbuf.patch @@ -0,0 +1,66 @@ +From 7938d2d2c1fc40ac8833f34502d9a00aa3741757 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Apr 2023 19:09:57 -0400 +Subject: sctp: check send stream number after wait_for_sndbuf + +From: Xin Long + +[ Upstream commit 2584024b23552c00d95b50255e47bd18d306d31a ] + +This patch fixes a corner case where the asoc out stream count may change +after wait_for_sndbuf. + +When the main thread in the client starts a connection, if its out stream +count is set to N while the in stream count in the server is set to N - 2, +another thread in the client keeps sending the msgs with stream number +N - 1, and waits for sndbuf before processing INIT_ACK. + +However, after processing INIT_ACK, the out stream count in the client is +shrunk to N - 2, the same to the in stream count in the server. The crash +occurs when the thread waiting for sndbuf is awake and sends the msg in a +non-existing stream(N - 1), the call trace is as below: + + KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] + Call Trace: + + sctp_cmd_send_msg net/sctp/sm_sideeffect.c:1114 [inline] + sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1777 [inline] + sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] + sctp_do_sm+0x197d/0x5310 net/sctp/sm_sideeffect.c:1170 + sctp_primitive_SEND+0x9f/0xc0 net/sctp/primitive.c:163 + sctp_sendmsg_to_asoc+0x10eb/0x1a30 net/sctp/socket.c:1868 + sctp_sendmsg+0x8d4/0x1d90 net/sctp/socket.c:2026 + inet_sendmsg+0x9d/0xe0 net/ipv4/af_inet.c:825 + sock_sendmsg_nosec net/socket.c:722 [inline] + sock_sendmsg+0xde/0x190 net/socket.c:745 + +The fix is to add an unlikely check for the send stream number after the +thread wakes up from the wait_for_sndbuf. + +Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations") +Reported-by: syzbot+47c24ca20a2fa01f082e@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index c76b40322ac7d..36db659a0f7f4 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1850,6 +1850,10 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc, + err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len); + if (err) + goto err; ++ if (unlikely(sinfo->sinfo_stream >= asoc->stream.outcnt)) { ++ err = -EINVAL; ++ goto err; ++ } + } + + if (sctp_state(asoc, CLOSED)) { +-- +2.39.2 + diff --git a/queue-5.4/series b/queue-5.4/series index 20ee4c534f9..ac507608eab 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -4,3 +4,13 @@ smb3-fix-problem-with-null-cifs-super-block-with-previous-patch.patch pinctrl-amd-use-irqchip-template.patch pinctrl-amd-disable-and-mask-interrupts-on-probe.patch pinctrl-amd-disable-and-mask-interrupts-on-resume.patch +pwm-cros-ec-explicitly-set-.polarity-in-.get_state.patch +pwm-sprd-explicitly-set-.polarity-in-.get_state.patch +wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch +icmp-guard-against-too-small-mtu.patch +net-don-t-let-netpoll-invoke-napi-if-in-xmit-context.patch +sctp-check-send-stream-number-after-wait_for_sndbuf.patch +ipv6-fix-an-uninit-variable-access-bug-in-__ip6_make.patch +gpio-davinci-add-irq-chip-flag-to-skip-set-wake.patch +sunrpc-only-free-unix-grouplist-after-rcu-settles.patch +nfsd-callback-request-does-not-use-correct-credentia.patch diff --git a/queue-5.4/sunrpc-only-free-unix-grouplist-after-rcu-settles.patch b/queue-5.4/sunrpc-only-free-unix-grouplist-after-rcu-settles.patch new file mode 100644 index 00000000000..93641295bca --- /dev/null +++ b/queue-5.4/sunrpc-only-free-unix-grouplist-after-rcu-settles.patch @@ -0,0 +1,58 @@ +From bda4be90583169a516523c007e95c6b2a1e72c40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 14:24:27 -0400 +Subject: sunrpc: only free unix grouplist after RCU settles + +From: Jeff Layton + +[ Upstream commit 5085e41f9e83a1bec51da1f20b54f2ec3a13a3fe ] + +While the unix_gid object is rcu-freed, the group_info list that it +contains is not. Ensure that we only put the group list reference once +we are really freeing the unix_gid object. + +Reported-by: Zhi Li +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2183056 +Signed-off-by: Jeff Layton +Fixes: fd5d2f78261b ("SUNRPC: Make server side AUTH_UNIX use lockless lookups") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svcauth_unix.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c +index 5c04ba7d456b2..5b47e33632399 100644 +--- a/net/sunrpc/svcauth_unix.c ++++ b/net/sunrpc/svcauth_unix.c +@@ -428,14 +428,23 @@ static int unix_gid_hash(kuid_t uid) + return hash_long(from_kuid(&init_user_ns, uid), GID_HASHBITS); + } + +-static void unix_gid_put(struct kref *kref) ++static void unix_gid_free(struct rcu_head *rcu) + { +- struct cache_head *item = container_of(kref, struct cache_head, ref); +- struct unix_gid *ug = container_of(item, struct unix_gid, h); ++ struct unix_gid *ug = container_of(rcu, struct unix_gid, rcu); ++ struct cache_head *item = &ug->h; ++ + if (test_bit(CACHE_VALID, &item->flags) && + !test_bit(CACHE_NEGATIVE, &item->flags)) + put_group_info(ug->gi); +- kfree_rcu(ug, rcu); ++ kfree(ug); ++} ++ ++static void unix_gid_put(struct kref *kref) ++{ ++ struct cache_head *item = container_of(kref, struct cache_head, ref); ++ struct unix_gid *ug = container_of(item, struct unix_gid, h); ++ ++ call_rcu(&ug->rcu, unix_gid_free); + } + + static int unix_gid_match(struct cache_head *corig, struct cache_head *cnew) +-- +2.39.2 + diff --git a/queue-5.4/wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch b/queue-5.4/wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch new file mode 100644 index 00000000000..88f1f16abd1 --- /dev/null +++ b/queue-5.4/wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch @@ -0,0 +1,40 @@ +From f25e0729c42a07d11b6392704dd231aa3d5d6ae3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 13:09:24 +0100 +Subject: wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for + non-uploaded sta + +From: Felix Fietkau + +[ Upstream commit 12b220a6171faf10638ab683a975cadcf1a352d6 ] + +Avoid potential data corruption issues caused by uninitialized driver +private data structures. + +Reported-by: Brian Coverstone +Fixes: 6a9d1b91f34d ("mac80211: add pre-RCU-sync sta removal driver operation") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230324120924.38412-3-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 4d6890250337d..0f97c6fcec174 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1023,7 +1023,8 @@ static int __must_check __sta_info_destroy_part1(struct sta_info *sta) + list_del_rcu(&sta->list); + sta->removed = true; + +- drv_sta_pre_rcu_remove(local, sta->sdata, sta); ++ if (sta->uploaded) ++ drv_sta_pre_rcu_remove(local, sta->sdata, sta); + + if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN && + rcu_access_pointer(sdata->u.vlan.sta) == sta) +-- +2.39.2 +