From: Greg Kroah-Hartman Date: Tue, 2 Feb 2021 13:19:40 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.4.255~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6fccfe02de9a4cf6cc94c5d2f0f58ae934ab7ed1;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: asoc-topology-fix-memory-corruption-in-soc_tplg_denum_create_values.patch nfc-fix-possible-resource-leak.patch nfc-fix-resource-leak-when-target-index-is-invalid.patch rxrpc-fix-memory-leak-in-rxrpc_lookup_local.patch tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch team-protect-features-update-by-rcu-to-avoid-deadlock.patch --- diff --git a/queue-5.4/asoc-topology-fix-memory-corruption-in-soc_tplg_denum_create_values.patch b/queue-5.4/asoc-topology-fix-memory-corruption-in-soc_tplg_denum_create_values.patch new file mode 100644 index 00000000000..2f798edcd6a --- /dev/null +++ b/queue-5.4/asoc-topology-fix-memory-corruption-in-soc_tplg_denum_create_values.patch @@ -0,0 +1,34 @@ +From 543466ef3571069b8eb13a8ff7c7cfc8d8a75c43 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 20 Jan 2021 12:59:13 +0300 +Subject: ASoC: topology: Fix memory corruption in soc_tplg_denum_create_values() + +From: Dan Carpenter + +commit 543466ef3571069b8eb13a8ff7c7cfc8d8a75c43 upstream. + +The allocation uses sizeof(u32) when it should use sizeof(unsigned long) +so it leads to memory corruption later in the function when the data is +initialized. + +Fixes: 5aebe7c7f9c2 ("ASoC: topology: fix endianness issues") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YAf+8QZoOv+ct526@mwanda +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -982,7 +982,7 @@ static int soc_tplg_denum_create_values( + return -EINVAL; + + se->dobj.control.dvalues = kzalloc(le32_to_cpu(ec->items) * +- sizeof(u32), ++ sizeof(*se->dobj.control.dvalues), + GFP_KERNEL); + if (!se->dobj.control.dvalues) + return -ENOMEM; diff --git a/queue-5.4/nfc-fix-possible-resource-leak.patch b/queue-5.4/nfc-fix-possible-resource-leak.patch new file mode 100644 index 00000000000..881823fe636 --- /dev/null +++ b/queue-5.4/nfc-fix-possible-resource-leak.patch @@ -0,0 +1,32 @@ +From d8f923c3ab96dbbb4e3c22d1afc1dc1d3b195cd8 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Thu, 21 Jan 2021 07:37:45 -0800 +Subject: NFC: fix possible resource leak + +From: Pan Bian + +commit d8f923c3ab96dbbb4e3c22d1afc1dc1d3b195cd8 upstream. + +Put the device to avoid resource leak on path that the polling flag is +invalid. + +Fixes: a831b9132065 ("NFC: Do not return EBUSY when stopping a poll that's already stopped") +Signed-off-by: Pan Bian +Link: https://lore.kernel.org/r/20210121153745.122184-1-bianpan2016@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/nfc/netlink.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -860,6 +860,7 @@ static int nfc_genl_stop_poll(struct sk_ + + if (!dev->polling) { + device_unlock(&dev->dev); ++ nfc_put_device(dev); + return -EINVAL; + } + diff --git a/queue-5.4/nfc-fix-resource-leak-when-target-index-is-invalid.patch b/queue-5.4/nfc-fix-resource-leak-when-target-index-is-invalid.patch new file mode 100644 index 00000000000..9baa9fde104 --- /dev/null +++ b/queue-5.4/nfc-fix-resource-leak-when-target-index-is-invalid.patch @@ -0,0 +1,33 @@ +From 3a30537cee233fb7da302491b28c832247d89bbe Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Thu, 21 Jan 2021 07:27:48 -0800 +Subject: NFC: fix resource leak when target index is invalid + +From: Pan Bian + +commit 3a30537cee233fb7da302491b28c832247d89bbe upstream. + +Goto to the label put_dev instead of the label error to fix potential +resource leak on path that the target index is invalid. + +Fixes: c4fbb6515a4d ("NFC: The core part should generate the target index") +Signed-off-by: Pan Bian +Link: https://lore.kernel.org/r/20210121152748.98409-1-bianpan2016@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/nfc/rawsock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/nfc/rawsock.c ++++ b/net/nfc/rawsock.c +@@ -105,7 +105,7 @@ static int rawsock_connect(struct socket + if (addr->target_idx > dev->target_next_idx - 1 || + addr->target_idx < dev->target_next_idx - dev->n_targets) { + rc = -EINVAL; +- goto error; ++ goto put_dev; + } + + rc = nfc_activate_target(dev, addr->target_idx, addr->nfc_protocol); diff --git a/queue-5.4/rxrpc-fix-memory-leak-in-rxrpc_lookup_local.patch b/queue-5.4/rxrpc-fix-memory-leak-in-rxrpc_lookup_local.patch new file mode 100644 index 00000000000..9df58487250 --- /dev/null +++ b/queue-5.4/rxrpc-fix-memory-leak-in-rxrpc_lookup_local.patch @@ -0,0 +1,67 @@ +From b8323f7288abd71794cd7b11a4c0a38b8637c8b5 Mon Sep 17 00:00:00 2001 +From: Takeshi Misawa +Date: Thu, 28 Jan 2021 10:48:36 +0000 +Subject: rxrpc: Fix memory leak in rxrpc_lookup_local + +From: Takeshi Misawa + +commit b8323f7288abd71794cd7b11a4c0a38b8637c8b5 upstream. + +Commit 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record") +Then release ref in __rxrpc_put_peer and rxrpc_put_peer_locked. + + struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *local, gfp_t gfp) + - peer->local = local; + + peer->local = rxrpc_get_local(local); + +rxrpc_discard_prealloc also need ref release in discarding. + +syzbot report: +BUG: memory leak +unreferenced object 0xffff8881080ddc00 (size 256): + comm "syz-executor339", pid 8462, jiffies 4294942238 (age 12.350s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 0a 00 00 00 00 c0 00 08 81 88 ff ff ................ + backtrace: + [<000000002b6e495f>] kmalloc include/linux/slab.h:552 [inline] + [<000000002b6e495f>] kzalloc include/linux/slab.h:682 [inline] + [<000000002b6e495f>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline] + [<000000002b6e495f>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244 + [<000000006b43a77b>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149 + [<00000000fd447a55>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64 + [<000000007fd8867c>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126 + [<0000000063d80ec1>] ops_init+0x4e/0x190 net/core/net_namespace.c:152 + [<00000000073c5efa>] setup_net+0xde/0x2d0 net/core/net_namespace.c:342 + [<00000000a6744d5b>] copy_net_ns+0x19f/0x3e0 net/core/net_namespace.c:483 + [<0000000017d3aec3>] create_new_namespaces+0x199/0x4f0 kernel/nsproxy.c:110 + [<00000000186271ef>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226 + [<000000002de7bac4>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2957 + [<00000000349b12ba>] __do_sys_unshare kernel/fork.c:3025 [inline] + [<00000000349b12ba>] __se_sys_unshare kernel/fork.c:3023 [inline] + [<00000000349b12ba>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3023 + [<000000006d178ef7>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + [<00000000637076d4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record") +Signed-off-by: Takeshi Misawa +Reported-and-tested-by: syzbot+305326672fed51b205f7@syzkaller.appspotmail.com +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/161183091692.3506637.3206605651502458810.stgit@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/rxrpc/call_accept.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/rxrpc/call_accept.c ++++ b/net/rxrpc/call_accept.c +@@ -207,6 +207,7 @@ void rxrpc_discard_prealloc(struct rxrpc + tail = b->peer_backlog_tail; + while (CIRC_CNT(head, tail, size) > 0) { + struct rxrpc_peer *peer = b->peer_backlog[tail]; ++ rxrpc_put_local(peer->local); + kfree(peer); + tail = (tail + 1) & (size - 1); + } diff --git a/queue-5.4/series b/queue-5.4/series index 73dacce52cc..b74ab06ec0d 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -53,3 +53,9 @@ nvme-multipath-early-exit-if-no-path-is-available.patch selftests-forwarding-specify-interface-when-invoking.patch iommu-vt-d-gracefully-handle-dmar-units-with-no-supported-address-widths.patch iommu-vt-d-don-t-dereference-iommu_device-if-iommu_api-is-not-built.patch +rxrpc-fix-memory-leak-in-rxrpc_lookup_local.patch +nfc-fix-resource-leak-when-target-index-is-invalid.patch +nfc-fix-possible-resource-leak.patch +asoc-topology-fix-memory-corruption-in-soc_tplg_denum_create_values.patch +team-protect-features-update-by-rcu-to-avoid-deadlock.patch +tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch diff --git a/queue-5.4/tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch b/queue-5.4/tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch new file mode 100644 index 00000000000..c297571680b --- /dev/null +++ b/queue-5.4/tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch @@ -0,0 +1,111 @@ +From 62d9f1a6945ba69c125e548e72a36d203b30596e Mon Sep 17 00:00:00 2001 +From: Pengcheng Yang +Date: Sun, 24 Jan 2021 13:07:14 +0800 +Subject: tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN + +From: Pengcheng Yang + +commit 62d9f1a6945ba69c125e548e72a36d203b30596e upstream. + +Upon receiving a cumulative ACK that changes the congestion state from +Disorder to Open, the TLP timer is not set. If the sender is app-limited, +it can only wait for the RTO timer to expire and retransmit. + +The reason for this is that the TLP timer is set before the congestion +state changes in tcp_ack(), so we delay the time point of calling +tcp_set_xmit_timer() until after tcp_fastretrans_alert() returns and +remove the FLAG_SET_XMIT_TIMER from ack_flag when the RACK reorder timer +is set. + +This commit has two additional benefits: +1) Make sure to reset RTO according to RFC6298 when receiving ACK, to +avoid spurious RTO caused by RTO timer early expires. +2) Reduce the xmit timer reschedule once per ACK when the RACK reorder +timer is set. + +Fixes: df92c8394e6e ("tcp: fix xmit timer to only be reset if data ACKed/SACKed") +Link: https://lore.kernel.org/netdev/1611311242-6675-1-git-send-email-yangpc@wangsu.com +Signed-off-by: Pengcheng Yang +Acked-by: Neal Cardwell +Acked-by: Yuchung Cheng +Cc: Eric Dumazet +Link: https://lore.kernel.org/r/1611464834-23030-1-git-send-email-yangpc@wangsu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/tcp.h | 2 +- + net/ipv4/tcp_input.c | 10 ++++++---- + net/ipv4/tcp_recovery.c | 5 +++-- + 3 files changed, 10 insertions(+), 7 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -2030,7 +2030,7 @@ void tcp_mark_skb_lost(struct sock *sk, + void tcp_newreno_mark_lost(struct sock *sk, bool snd_una_advanced); + extern s32 tcp_rack_skb_timeout(struct tcp_sock *tp, struct sk_buff *skb, + u32 reo_wnd); +-extern void tcp_rack_mark_lost(struct sock *sk); ++extern bool tcp_rack_mark_lost(struct sock *sk); + extern void tcp_rack_advance(struct tcp_sock *tp, u8 sacked, u32 end_seq, + u64 xmit_time); + extern void tcp_rack_reo_timeout(struct sock *sk); +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2764,7 +2764,8 @@ static void tcp_identify_packet_loss(str + } else if (tcp_is_rack(sk)) { + u32 prior_retrans = tp->retrans_out; + +- tcp_rack_mark_lost(sk); ++ if (tcp_rack_mark_lost(sk)) ++ *ack_flag &= ~FLAG_SET_XMIT_TIMER; + if (prior_retrans > tp->retrans_out) + *ack_flag |= FLAG_LOST_RETRANS; + } +@@ -3713,9 +3714,6 @@ static int tcp_ack(struct sock *sk, cons + + if (tp->tlp_high_seq) + tcp_process_tlp_ack(sk, ack, flag); +- /* If needed, reset TLP/RTO timer; RACK may later override this. */ +- if (flag & FLAG_SET_XMIT_TIMER) +- tcp_set_xmit_timer(sk); + + if (tcp_ack_is_dubious(sk, flag)) { + if (!(flag & (FLAG_SND_UNA_ADVANCED | FLAG_NOT_DUP))) { +@@ -3728,6 +3726,10 @@ static int tcp_ack(struct sock *sk, cons + &rexmit); + } + ++ /* If needed, reset TLP/RTO timer when RACK doesn't set. */ ++ if (flag & FLAG_SET_XMIT_TIMER) ++ tcp_set_xmit_timer(sk); ++ + if ((flag & FLAG_FORWARD_PROGRESS) || !(flag & FLAG_NOT_DUP)) + sk_dst_confirm(sk); + +--- a/net/ipv4/tcp_recovery.c ++++ b/net/ipv4/tcp_recovery.c +@@ -110,13 +110,13 @@ static void tcp_rack_detect_loss(struct + } + } + +-void tcp_rack_mark_lost(struct sock *sk) ++bool tcp_rack_mark_lost(struct sock *sk) + { + struct tcp_sock *tp = tcp_sk(sk); + u32 timeout; + + if (!tp->rack.advanced) +- return; ++ return false; + + /* Reset the advanced flag to avoid unnecessary queue scanning */ + tp->rack.advanced = 0; +@@ -126,6 +126,7 @@ void tcp_rack_mark_lost(struct sock *sk) + inet_csk_reset_xmit_timer(sk, ICSK_TIME_REO_TIMEOUT, + timeout, inet_csk(sk)->icsk_rto); + } ++ return !!timeout; + } + + /* Record the most recently (re)sent time among the (s)acked packets diff --git a/queue-5.4/team-protect-features-update-by-rcu-to-avoid-deadlock.patch b/queue-5.4/team-protect-features-update-by-rcu-to-avoid-deadlock.patch new file mode 100644 index 00000000000..a3d40635df8 --- /dev/null +++ b/queue-5.4/team-protect-features-update-by-rcu-to-avoid-deadlock.patch @@ -0,0 +1,80 @@ +From f0947d0d21b219e03940b9be6628a43445c0de7a Mon Sep 17 00:00:00 2001 +From: Ivan Vecera +Date: Mon, 25 Jan 2021 08:44:16 +0100 +Subject: team: protect features update by RCU to avoid deadlock + +From: Ivan Vecera + +commit f0947d0d21b219e03940b9be6628a43445c0de7a upstream. + +Function __team_compute_features() is protected by team->lock +mutex when it is called from team_compute_features() used when +features of an underlying device is changed. This causes +a deadlock when NETDEV_FEAT_CHANGE notifier for underlying device +is fired due to change propagated from team driver (e.g. MTU +change). It's because callbacks like team_change_mtu() or +team_vlan_rx_{add,del}_vid() protect their port list traversal +by team->lock mutex. + +Example (r8169 case where this driver disables TSO for certain MTU +values): +... +[ 6391.348202] __mutex_lock.isra.6+0x2d0/0x4a0 +[ 6391.358602] team_device_event+0x9d/0x160 [team] +[ 6391.363756] notifier_call_chain+0x47/0x70 +[ 6391.368329] netdev_update_features+0x56/0x60 +[ 6391.373207] rtl8169_change_mtu+0x14/0x50 [r8169] +[ 6391.378457] dev_set_mtu_ext+0xe1/0x1d0 +[ 6391.387022] dev_set_mtu+0x52/0x90 +[ 6391.390820] team_change_mtu+0x64/0xf0 [team] +[ 6391.395683] dev_set_mtu_ext+0xe1/0x1d0 +[ 6391.399963] do_setlink+0x231/0xf50 +... + +In fact team_compute_features() called from team_device_event() +does not need to be protected by team->lock mutex and rcu_read_lock() +is sufficient there for port list traversal. + +Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") +Cc: Saeed Mahameed +Signed-off-by: Ivan Vecera +Reviewed-by: Cong Wang +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20210125074416.4056484-1-ivecera@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/team/team.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -991,7 +991,8 @@ static void __team_compute_features(stru + unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE | + IFF_XMIT_DST_RELEASE_PERM; + +- list_for_each_entry(port, &team->port_list, list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(port, &team->port_list, list) { + vlan_features = netdev_increment_features(vlan_features, + port->dev->vlan_features, + TEAM_VLAN_FEATURES); +@@ -1005,6 +1006,7 @@ static void __team_compute_features(stru + if (port->dev->hard_header_len > max_hard_header_len) + max_hard_header_len = port->dev->hard_header_len; + } ++ rcu_read_unlock(); + + team->dev->vlan_features = vlan_features; + team->dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL | +@@ -1020,9 +1022,7 @@ static void __team_compute_features(stru + + static void team_compute_features(struct team *team) + { +- mutex_lock(&team->lock); + __team_compute_features(team); +- mutex_unlock(&team->lock); + netdev_change_features(team->dev); + } +