From: Sasha Levin Date: Sun, 15 May 2022 18:30:37 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.9.315~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c0c81f25b8cc541cfaf63d2f010980f0738b252;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/asoc-max98090-generate-notifications-on-changes-for-.patch b/queue-4.14/asoc-max98090-generate-notifications-on-changes-for-.patch new file mode 100644 index 00000000000..2b2912b4022 --- /dev/null +++ b/queue-4.14/asoc-max98090-generate-notifications-on-changes-for-.patch @@ -0,0 +1,37 @@ +From 806c6d0e4e66f6eb2440537d782087d9c6b1a4a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 20:34:54 +0100 +Subject: ASoC: max98090: Generate notifications on changes for custom control + +From: Mark Brown + +[ Upstream commit 13fcf676d9e102594effc686d98521ff5c90b925 ] + +The max98090 driver has some custom controls which share a put() function +which returns 0 unconditionally, meaning that events are not generated +when the value changes. Fix that. + +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20220420193454.2647908-2-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/max98090.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/max98090.c b/sound/soc/codecs/max98090.c +index a25183f6fba6..362d1fb2aae9 100644 +--- a/sound/soc/codecs/max98090.c ++++ b/sound/soc/codecs/max98090.c +@@ -436,7 +436,7 @@ static int max98090_put_enab_tlv(struct snd_kcontrol *kcontrol, + mask << mc->shift, + sel << mc->shift); + +- return 0; ++ return *select != val; + } + + static const char *max98090_perf_pwr_text[] = +-- +2.35.1 + diff --git a/queue-4.14/asoc-max98090-reject-invalid-values-in-custom-contro.patch b/queue-4.14/asoc-max98090-reject-invalid-values-in-custom-contro.patch new file mode 100644 index 00000000000..a774f31ecd9 --- /dev/null +++ b/queue-4.14/asoc-max98090-reject-invalid-values-in-custom-contro.patch @@ -0,0 +1,40 @@ +From 0deb8c174ae971da70330b75afb1a61f04402787 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 20:34:53 +0100 +Subject: ASoC: max98090: Reject invalid values in custom control put() + +From: Mark Brown + +[ Upstream commit 2fbe467bcbfc760a08f08475eea6bbd4c2874319 ] + +The max98090 driver has a custom put function for some controls which can +only be updated in certain circumstances which makes no effort to validate +that input is suitable for the control, allowing out of spec values to be +written to the hardware and presented to userspace. Fix this by returning +an error when invalid values are written. + +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20220420193454.2647908-1-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/max98090.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/codecs/max98090.c b/sound/soc/codecs/max98090.c +index 3fe09828745a..a25183f6fba6 100644 +--- a/sound/soc/codecs/max98090.c ++++ b/sound/soc/codecs/max98090.c +@@ -419,6 +419,9 @@ static int max98090_put_enab_tlv(struct snd_kcontrol *kcontrol, + + val = (val >> mc->shift) & mask; + ++ if (sel < 0 || sel > mc->max) ++ return -EINVAL; ++ + *select = sel; + + /* Setting a volume is only valid if it is already On */ +-- +2.35.1 + diff --git a/queue-4.14/asoc-ops-validate-input-values-in-snd_soc_put_volsw_.patch b/queue-4.14/asoc-ops-validate-input-values-in-snd_soc_put_volsw_.patch new file mode 100644 index 00000000000..4a609226723 --- /dev/null +++ b/queue-4.14/asoc-ops-validate-input-values-in-snd_soc_put_volsw_.patch @@ -0,0 +1,60 @@ +From d11ca3d73d77c92e53cc2c44962cdeb693a8e44b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Apr 2022 14:12:39 +0100 +Subject: ASoC: ops: Validate input values in snd_soc_put_volsw_range() + +From: Mark Brown + +[ Upstream commit aa22125c57f9e577f0a667e4fa07fc3fa8ca1e60 ] + +Check that values written via snd_soc_put_volsw_range() are +within the range advertised by the control, ensuring that we +don't write out of spec values to the hardware. + +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20220423131239.3375261-1-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-ops.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c +index d6d72595fbd0..0848aec1bd24 100644 +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -528,7 +528,15 @@ int snd_soc_put_volsw_range(struct snd_kcontrol *kcontrol, + unsigned int mask = (1 << fls(max)) - 1; + unsigned int invert = mc->invert; + unsigned int val, val_mask; +- int err, ret; ++ int err, ret, tmp; ++ ++ tmp = ucontrol->value.integer.value[0]; ++ if (tmp < 0) ++ return -EINVAL; ++ if (mc->platform_max && tmp > mc->platform_max) ++ return -EINVAL; ++ if (tmp > mc->max - mc->min + 1) ++ return -EINVAL; + + if (invert) + val = (max - ucontrol->value.integer.value[0]) & mask; +@@ -543,6 +551,14 @@ int snd_soc_put_volsw_range(struct snd_kcontrol *kcontrol, + ret = err; + + if (snd_soc_volsw_is_stereo(mc)) { ++ tmp = ucontrol->value.integer.value[1]; ++ if (tmp < 0) ++ return -EINVAL; ++ if (mc->platform_max && tmp > mc->platform_max) ++ return -EINVAL; ++ if (tmp > mc->max - mc->min + 1) ++ return -EINVAL; ++ + if (invert) + val = (max - ucontrol->value.integer.value[1]) & mask; + else +-- +2.35.1 + diff --git a/queue-4.14/batman-adv-don-t-skb_split-skbuffs-with-frag_list.patch b/queue-4.14/batman-adv-don-t-skb_split-skbuffs-with-frag_list.patch new file mode 100644 index 00000000000..b8aa170a079 --- /dev/null +++ b/queue-4.14/batman-adv-don-t-skb_split-skbuffs-with-frag_list.patch @@ -0,0 +1,60 @@ +From df80ecfd7e2cf5ebddb1365006b5ccbdfff51553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Apr 2022 13:51:10 +0200 +Subject: batman-adv: Don't skb_split skbuffs with frag_list + +From: Sven Eckelmann + +[ Upstream commit a063f2fba3fa633a599253b62561051ac185fa99 ] + +The receiving interface might have used GRO to receive more fragments than +MAX_SKB_FRAGS fragments. In this case, these will not be stored in +skb_shinfo(skb)->frags but merged into the frag list. + +batman-adv relies on the function skb_split to split packets up into +multiple smaller packets which are not larger than the MTU on the outgoing +interface. But this function cannot handle frag_list entries and is only +operating on skb_shinfo(skb)->frags. If it is still trying to split such an +skb and xmit'ing it on an interface without support for NETIF_F_FRAGLIST, +then validate_xmit_skb() will try to linearize it. But this fails due to +inconsistent information. And __pskb_pull_tail will trigger a BUG_ON after +skb_copy_bits() returns an error. + +In case of entries in frag_list, just linearize the skb before operating on +it with skb_split(). + +Reported-by: Felix Kaechele +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Signed-off-by: Sven Eckelmann +Tested-by: Felix Kaechele +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/fragmentation.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c +index 4842436c55f3..a50c87329bc5 100644 +--- a/net/batman-adv/fragmentation.c ++++ b/net/batman-adv/fragmentation.c +@@ -489,6 +489,17 @@ int batadv_frag_send_packet(struct sk_buff *skb, + goto free_skb; + } + ++ /* GRO might have added fragments to the fragment list instead of ++ * frags[]. But this is not handled by skb_split and must be ++ * linearized to avoid incorrect length information after all ++ * batman-adv fragments were created and submitted to the ++ * hard-interface ++ */ ++ if (skb_has_frag_list(skb) && __skb_linearize(skb)) { ++ ret = -ENOMEM; ++ goto free_skb; ++ } ++ + /* Create one header to be copied to all fragments */ + frag_header.packet_type = BATADV_UNICAST_FRAG; + frag_header.version = BATADV_COMPAT_VERSION; +-- +2.35.1 + diff --git a/queue-4.14/hwmon-f71882fg-fix-negative-temperature.patch b/queue-4.14/hwmon-f71882fg-fix-negative-temperature.patch new file mode 100644 index 00000000000..ec92bfea0e3 --- /dev/null +++ b/queue-4.14/hwmon-f71882fg-fix-negative-temperature.patch @@ -0,0 +1,46 @@ +From 65eff8836ac5f8aae56cb8b44b9a15bc709f2c19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Apr 2022 17:07:06 +0800 +Subject: hwmon: (f71882fg) Fix negative temperature + +From: Ji-Ze Hong (Peter Hong) + +[ Upstream commit 4aaaaf0f279836f06d3b9d0ffeec7a1e1a04ceef ] + +All temperature of Fintek superio hwmonitor that using 1-byte reg will use +2's complement. + +In show_temp() + temp = data->temp[nr] * 1000; + +When data->temp[nr] read as 255, it indicate -1C, but this code will report +255C to userspace. It'll be ok when change to: + temp = ((s8)data->temp[nr]) * 1000; + +Signed-off-by: Ji-Ze Hong (Peter Hong) +Link: https://lore.kernel.org/r/20220418090706.6339-1-hpeter+linux_kernel@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/f71882fg.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/f71882fg.c b/drivers/hwmon/f71882fg.c +index ca54ce5c8e10..4010b61743f5 100644 +--- a/drivers/hwmon/f71882fg.c ++++ b/drivers/hwmon/f71882fg.c +@@ -1590,8 +1590,9 @@ static ssize_t show_temp(struct device *dev, struct device_attribute *devattr, + temp *= 125; + if (sign) + temp -= 128000; +- } else +- temp = data->temp[nr] * 1000; ++ } else { ++ temp = ((s8)data->temp[nr]) * 1000; ++ } + + return sprintf(buf, "%d\n", temp); + } +-- +2.35.1 + diff --git a/queue-4.14/hwmon-ltq-cputemp-restrict-it-to-soc_xway.patch b/queue-4.14/hwmon-ltq-cputemp-restrict-it-to-soc_xway.patch new file mode 100644 index 00000000000..f73c6708452 --- /dev/null +++ b/queue-4.14/hwmon-ltq-cputemp-restrict-it-to-soc_xway.patch @@ -0,0 +1,56 @@ +From bb1caa8f54e7de85196b8da027db353a2834be83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 16:47:40 -0700 +Subject: hwmon: (ltq-cputemp) restrict it to SOC_XWAY + +From: Randy Dunlap + +[ Upstream commit 151d6dcbed836270c6c240932da66f147950cbdb ] + +Building with SENSORS_LTQ_CPUTEMP=y with SOC_FALCON=y causes build +errors since FALCON does not support the same features as XWAY. + +Change this symbol to depend on SOC_XWAY since that provides the +necessary interfaces. + +Repairs these build errors: + +../drivers/hwmon/ltq-cputemp.c: In function 'ltq_cputemp_enable': +../drivers/hwmon/ltq-cputemp.c:23:9: error: implicit declaration of function 'ltq_cgu_w32'; did you mean 'ltq_ebu_w32'? [-Werror=implicit-function-declaration] + 23 | ltq_cgu_w32(ltq_cgu_r32(CGU_GPHY1_CR) | CGU_TEMP_PD, CGU_GPHY1_CR); +../drivers/hwmon/ltq-cputemp.c:23:21: error: implicit declaration of function 'ltq_cgu_r32'; did you mean 'ltq_ebu_r32'? [-Werror=implicit-function-declaration] + 23 | ltq_cgu_w32(ltq_cgu_r32(CGU_GPHY1_CR) | CGU_TEMP_PD, CGU_GPHY1_CR); +../drivers/hwmon/ltq-cputemp.c: In function 'ltq_cputemp_probe': +../drivers/hwmon/ltq-cputemp.c:92:31: error: 'SOC_TYPE_VR9_2' undeclared (first use in this function) + 92 | if (ltq_soc_type() != SOC_TYPE_VR9_2) + +Fixes: 7074d0a92758 ("hwmon: (ltq-cputemp) add cpu temp sensor driver") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Florian Eckert +Cc: Guenter Roeck +Cc: Jean Delvare +Cc: linux-hwmon@vger.kernel.org +Link: https://lore.kernel.org/r/20220509234740.26841-1-rdunlap@infradead.org +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig +index d65431417b17..e02d7bfc4ae4 100644 +--- a/drivers/hwmon/Kconfig ++++ b/drivers/hwmon/Kconfig +@@ -793,7 +793,7 @@ config SENSORS_LTC4261 + + config SENSORS_LTQ_CPUTEMP + bool "Lantiq cpu temperature sensor driver" +- depends on LANTIQ ++ depends on SOC_XWAY + help + If you say yes here you get support for the temperature + sensor inside your CPU. +-- +2.35.1 + diff --git a/queue-4.14/ipv4-drop-dst-in-multicast-routing-path.patch b/queue-4.14/ipv4-drop-dst-in-multicast-routing-path.patch new file mode 100644 index 00000000000..5515e07cc3f --- /dev/null +++ b/queue-4.14/ipv4-drop-dst-in-multicast-routing-path.patch @@ -0,0 +1,67 @@ +From 4818956431511bf7685862f234db177ed61513d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 14:00:17 +1200 +Subject: ipv4: drop dst in multicast routing path + +From: Lokesh Dhoundiyal + +[ Upstream commit 9e6c6d17d1d6a3f1515ce399f9a011629ec79aa0 ] + +kmemleak reports the following when routing multicast traffic over an +ipsec tunnel. + +Kmemleak output: +unreferenced object 0x8000000044bebb00 (size 256): + comm "softirq", pid 0, jiffies 4294985356 (age 126.810s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 80 00 00 00 05 13 74 80 ..............t. + 80 00 00 00 04 9b bf f9 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000f83947e0>] __kmalloc+0x1e8/0x300 + [<00000000b7ed8dca>] metadata_dst_alloc+0x24/0x58 + [<0000000081d32c20>] __ipgre_rcv+0x100/0x2b8 + [<00000000824f6cf1>] gre_rcv+0x178/0x540 + [<00000000ccd4e162>] gre_rcv+0x7c/0xd8 + [<00000000c024b148>] ip_protocol_deliver_rcu+0x124/0x350 + [<000000006a483377>] ip_local_deliver_finish+0x54/0x68 + [<00000000d9271b3a>] ip_local_deliver+0x128/0x168 + [<00000000bd4968ae>] xfrm_trans_reinject+0xb8/0xf8 + [<0000000071672a19>] tasklet_action_common.isra.16+0xc4/0x1b0 + [<0000000062e9c336>] __do_softirq+0x1fc/0x3e0 + [<00000000013d7914>] irq_exit+0xc4/0xe0 + [<00000000a4d73e90>] plat_irq_dispatch+0x7c/0x108 + [<000000000751eb8e>] handle_int+0x16c/0x178 + [<000000001668023b>] _raw_spin_unlock_irqrestore+0x1c/0x28 + +The metadata dst is leaked when ip_route_input_mc() updates the dst for +the skb. Commit f38a9eb1f77b ("dst: Metadata destinations") correctly +handled dropping the dst in ip_route_input_slow() but missed the +multicast case which is handled by ip_route_input_mc(). Drop the dst in +ip_route_input_mc() avoiding the leak. + +Fixes: f38a9eb1f77b ("dst: Metadata destinations") +Signed-off-by: Lokesh Dhoundiyal +Signed-off-by: Chris Packham +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20220505020017.3111846-1-chris.packham@alliedtelesis.co.nz +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 34cf572cc5dc..52c4098e1deb 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1697,6 +1697,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, + #endif + RT_CACHE_STAT_INC(in_slow_mc); + ++ skb_dst_drop(skb); + skb_dst_set(skb, &rth->dst); + return 0; + } +-- +2.35.1 + diff --git a/queue-4.14/mac80211_hwsim-call-ieee80211_tx_prepare_skb-under-r.patch b/queue-4.14/mac80211_hwsim-call-ieee80211_tx_prepare_skb-under-r.patch new file mode 100644 index 00000000000..2244650e7e2 --- /dev/null +++ b/queue-4.14/mac80211_hwsim-call-ieee80211_tx_prepare_skb-under-r.patch @@ -0,0 +1,52 @@ +From a43a65f12e6e13ac411aa51f3af3a1b4cc8912c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 23:04:22 +0200 +Subject: mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection + +From: Johannes Berg + +[ Upstream commit 9e2db50f1ef2238fc2f71c5de1c0418b7a5b0ea2 ] + +This is needed since it might use (and pass out) pointers to +e.g. keys protected by RCU. Can't really happen here as the +frames aren't encrypted, but we need to still adhere to the +rules. + +Fixes: cacfddf82baf ("mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work") +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20220505230421.5f139f9de173.I77ae111a28f7c0e9fd1ebcee7f39dbec5c606770@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index ee1eb14ae8fc..885c4352bdef 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2025,11 +2025,13 @@ static void hw_scan_work(struct work_struct *work) + if (req->ie_len) + skb_put_data(probe, req->ie, req->ie_len); + ++ rcu_read_lock(); + if (!ieee80211_tx_prepare_skb(hwsim->hw, + hwsim->hw_scan_vif, + probe, + hwsim->tmp_chan->band, + NULL)) { ++ rcu_read_unlock(); + kfree_skb(probe); + continue; + } +@@ -2037,6 +2039,7 @@ static void hw_scan_work(struct work_struct *work) + local_bh_disable(); + mac80211_hwsim_tx_frame(hwsim->hw, probe, + hwsim->tmp_chan); ++ rcu_read_unlock(); + local_bh_enable(); + } + } +-- +2.35.1 + diff --git a/queue-4.14/net-fix-features-skip-in-for_each_netdev_feature.patch b/queue-4.14/net-fix-features-skip-in-for_each_netdev_feature.patch new file mode 100644 index 00000000000..7b05c52b80a --- /dev/null +++ b/queue-4.14/net-fix-features-skip-in-for_each_netdev_feature.patch @@ -0,0 +1,49 @@ +From be784afb74d37dd4f25ebb7500f0dd6496cf28a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 May 2022 11:09:14 +0300 +Subject: net: Fix features skip in for_each_netdev_feature() + +From: Tariq Toukan + +[ Upstream commit 85db6352fc8a158a893151baa1716463d34a20d0 ] + +The find_next_netdev_feature() macro gets the "remaining length", +not bit index. +Passing "bit - 1" for the following iteration is wrong as it skips +the adjacent bit. Pass "bit" instead. + +Fixes: 3b89ea9c5902 ("net: Fix for_each_netdev_feature on Big endian") +Signed-off-by: Tariq Toukan +Reviewed-by: Gal Pressman +Link: https://lore.kernel.org/r/20220504080914.1918-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/netdev_features.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/netdev_features.h b/include/linux/netdev_features.h +index de123f436f1a..3a308bf98fc3 100644 +--- a/include/linux/netdev_features.h ++++ b/include/linux/netdev_features.h +@@ -145,7 +145,7 @@ enum { + #define NETIF_F_HW_ESP_TX_CSUM __NETIF_F(HW_ESP_TX_CSUM) + #define NETIF_F_RX_UDP_TUNNEL_PORT __NETIF_F(RX_UDP_TUNNEL_PORT) + +-/* Finds the next feature with the highest number of the range of start till 0. ++/* Finds the next feature with the highest number of the range of start-1 till 0. + */ + static inline int find_next_netdev_feature(u64 feature, unsigned long start) + { +@@ -164,7 +164,7 @@ static inline int find_next_netdev_feature(u64 feature, unsigned long start) + for ((bit) = find_next_netdev_feature((mask_addr), \ + NETDEV_FEATURE_COUNT); \ + (bit) >= 0; \ +- (bit) = find_next_netdev_feature((mask_addr), (bit) - 1)) ++ (bit) = find_next_netdev_feature((mask_addr), (bit))) + + /* Features valid for ethtool to change */ + /* = all defined minus driver/device-class-related */ +-- +2.35.1 + diff --git a/queue-4.14/net-sfc-ef10-fix-memory-leak-in-efx_ef10_mtd_probe.patch b/queue-4.14/net-sfc-ef10-fix-memory-leak-in-efx_ef10_mtd_probe.patch new file mode 100644 index 00000000000..e017018a086 --- /dev/null +++ b/queue-4.14/net-sfc-ef10-fix-memory-leak-in-efx_ef10_mtd_probe.patch @@ -0,0 +1,72 @@ +From 2e7fb7250fb14f12cdd575a9da6461ad0ca57d0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 05:47:09 +0000 +Subject: net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe() + +From: Taehee Yoo + +[ Upstream commit 1fa89ffbc04545b7582518e57f4b63e2a062870f ] + +In the NIC ->probe() callback, ->mtd_probe() callback is called. +If NIC has 2 ports, ->probe() is called twice and ->mtd_probe() too. +In the ->mtd_probe(), which is efx_ef10_mtd_probe() it allocates and +initializes mtd partiion. +But mtd partition for sfc is shared data. +So that allocated mtd partition data from last called +efx_ef10_mtd_probe() will not be used. +Therefore it must be freed. +But it doesn't free a not used mtd partition data in efx_ef10_mtd_probe(). + +kmemleak reports: +unreferenced object 0xffff88811ddb0000 (size 63168): + comm "systemd-udevd", pid 265, jiffies 4294681048 (age 348.586s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmalloc_order_trace+0x19/0x120 + [] __kmalloc+0x20e/0x250 + [] efx_ef10_mtd_probe+0x11f/0x270 [sfc] + [] efx_pci_probe.cold.17+0x3df/0x53d [sfc] + [] local_pci_probe+0xdc/0x170 + [] pci_device_probe+0x235/0x680 + [] really_probe+0x1c2/0x8f0 + [] __driver_probe_device+0x2ab/0x460 + [] driver_probe_device+0x4a/0x120 + [] __driver_attach+0x16e/0x320 + [] bus_for_each_dev+0x110/0x190 + [] bus_add_driver+0x39e/0x560 + [] driver_register+0x18e/0x310 + [] 0xffffffffc02e2055 + [] do_one_initcall+0xc3/0x450 + [] do_init_module+0x1b4/0x700 + +Acked-by: Martin Habets +Fixes: 8127d661e77f ("sfc: Add support for Solarflare SFC9100 family") +Signed-off-by: Taehee Yoo +Link: https://lore.kernel.org/r/20220512054709.12513-1-ap420073@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index 2d92a9fe4606..4f0da3963b01 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -5956,6 +5956,11 @@ static int efx_ef10_mtd_probe(struct efx_nic *efx) + n_parts++; + } + ++ if (!n_parts) { ++ kfree(parts); ++ return 0; ++ } ++ + rc = efx_mtd_add(efx, &parts[0].common, n_parts, sizeof(*parts)); + fail: + if (rc) +-- +2.35.1 + diff --git a/queue-4.14/net-smc-non-blocking-recvmsg-return-eagain-when-no-d.patch b/queue-4.14/net-smc-non-blocking-recvmsg-return-eagain-when-no-d.patch new file mode 100644 index 00000000000..4f4cbe35ad0 --- /dev/null +++ b/queue-4.14/net-smc-non-blocking-recvmsg-return-eagain-when-no-d.patch @@ -0,0 +1,49 @@ +From 9870893a02dd569f574686da2dadd3151d290fc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 11:08:20 +0800 +Subject: net/smc: non blocking recvmsg() return -EAGAIN when no data and + signal_pending + +From: Guangguan Wang + +[ Upstream commit f3c46e41b32b6266cf60b0985c61748f53bf1c61 ] + +Non blocking sendmsg will return -EAGAIN when any signal pending +and no send space left, while non blocking recvmsg return -EINTR +when signal pending and no data received. This may makes confused. +As TCP returns -EAGAIN in the conditions described above. Align the +behavior of smc with TCP. + +Fixes: 846e344eb722 ("net/smc: add receive timeout check") +Signed-off-by: Guangguan Wang +Reviewed-by: Tony Lu +Acked-by: Karsten Graul +Link: https://lore.kernel.org/r/20220512030820.73848-1-guangguan.wang@linux.alibaba.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_rx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c +index cbf58637ee14..0d5146d6d105 100644 +--- a/net/smc/smc_rx.c ++++ b/net/smc/smc_rx.c +@@ -145,12 +145,12 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg, size_t len, + } + break; + } ++ if (!timeo) ++ return -EAGAIN; + if (signal_pending(current)) { + read_done = sock_intr_errno(timeo); + break; + } +- if (!timeo) +- return -EAGAIN; + } + + if (!atomic_read(&conn->bytes_to_rcv)) { +-- +2.35.1 + diff --git a/queue-4.14/netlink-do-not-reset-transport-header-in-netlink_rec.patch b/queue-4.14/netlink-do-not-reset-transport-header-in-netlink_rec.patch new file mode 100644 index 00000000000..327304c5dfa --- /dev/null +++ b/queue-4.14/netlink-do-not-reset-transport-header-in-netlink_rec.patch @@ -0,0 +1,76 @@ +From b70f27387d09a08505038ba8b6f7f1570509856f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 09:19:46 -0700 +Subject: netlink: do not reset transport header in netlink_recvmsg() + +From: Eric Dumazet + +[ Upstream commit d5076fe4049cadef1f040eda4aaa001bb5424225 ] + +netlink_recvmsg() does not need to change transport header. + +If transport header was needed, it should have been reset +by the producer (netlink_dump()), not the consumer(s). + +The following trace probably happened when multiple threads +were using MSG_PEEK. + +BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg + +write to 0xffff88811e9f15b2 of 2 bytes by task 32012 on cpu 1: + skb_reset_transport_header include/linux/skbuff.h:2760 [inline] + netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + __sys_recvfrom+0x204/0x2c0 net/socket.c:2097 + __do_sys_recvfrom net/socket.c:2115 [inline] + __se_sys_recvfrom net/socket.c:2111 [inline] + __x64_sys_recvfrom+0x74/0x90 net/socket.c:2111 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +write to 0xffff88811e9f15b2 of 2 bytes by task 32005 on cpu 0: + skb_reset_transport_header include/linux/skbuff.h:2760 [inline] + netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978 + ____sys_recvmsg+0x162/0x2f0 + ___sys_recvmsg net/socket.c:2674 [inline] + __sys_recvmsg+0x209/0x3f0 net/socket.c:2704 + __do_sys_recvmsg net/socket.c:2714 [inline] + __se_sys_recvmsg net/socket.c:2711 [inline] + __x64_sys_recvmsg+0x42/0x50 net/socket.c:2711 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0xffff -> 0x0000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 32005 Comm: syz-executor.4 Not tainted 5.18.0-rc1-syzkaller-00328-ge1f700ebd6be-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220505161946.2867638-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 979cd7dff40a..1b2e99ce54e5 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1947,7 +1947,6 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + copied = len; + } + +- skb_reset_transport_header(data_skb); + err = skb_copy_datagram_msg(data_skb, 0, msg, copied); + + if (msg->msg_name) { +-- +2.35.1 + diff --git a/queue-4.14/s390-ctcm-fix-potential-memory-leak.patch b/queue-4.14/s390-ctcm-fix-potential-memory-leak.patch new file mode 100644 index 00000000000..b729cf5517a --- /dev/null +++ b/queue-4.14/s390-ctcm-fix-potential-memory-leak.patch @@ -0,0 +1,67 @@ +From 8f4591f92dcb8ae1391fc2916b78f2e0b6a504ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 09:05:07 +0200 +Subject: s390/ctcm: fix potential memory leak + +From: Alexandra Winter + +[ Upstream commit 0c0b20587b9f25a2ad14db7f80ebe49bdf29920a ] + +smatch complains about +drivers/s390/net/ctcm_mpc.c:1210 ctcmpc_unpack_skb() warn: possible memory leak of 'mpcginfo' + +mpc_action_discontact() did not free mpcginfo. Consolidate the freeing in +ctcmpc_unpack_skb(). + +Fixes: 293d984f0e36 ("ctcm: infrastructure for replaced ctc driver") +Signed-off-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_mpc.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c +index e02f295d38a9..07d9668137df 100644 +--- a/drivers/s390/net/ctcm_mpc.c ++++ b/drivers/s390/net/ctcm_mpc.c +@@ -625,8 +625,6 @@ static void mpc_rcvd_sweep_resp(struct mpcg_info *mpcginfo) + ctcm_clear_busy_do(dev); + } + +- kfree(mpcginfo); +- + return; + + } +@@ -1205,10 +1203,10 @@ static void ctcmpc_unpack_skb(struct channel *ch, struct sk_buff *pskb) + CTCM_FUNTAIL, dev->name); + priv->stats.rx_dropped++; + /* mpcginfo only used for non-data transfers */ +- kfree(mpcginfo); + if (do_debug_data) + ctcmpc_dump_skb(pskb, -8); + } ++ kfree(mpcginfo); + } + done: + +@@ -1991,7 +1989,6 @@ static void mpc_action_rcvd_xid0(fsm_instance *fsm, int event, void *arg) + } + break; + } +- kfree(mpcginfo); + + CTCM_PR_DEBUG("ctcmpc:%s() %s xid2:%i xid7:%i xidt_p2:%i \n", + __func__, ch->id, grp->outstanding_xid2, +@@ -2052,7 +2049,6 @@ static void mpc_action_rcvd_xid7(fsm_instance *fsm, int event, void *arg) + mpc_validate_xid(mpcginfo); + break; + } +- kfree(mpcginfo); + return; + } + +-- +2.35.1 + diff --git a/queue-4.14/s390-ctcm-fix-variable-dereferenced-before-check.patch b/queue-4.14/s390-ctcm-fix-variable-dereferenced-before-check.patch new file mode 100644 index 00000000000..4b0f8f20fb8 --- /dev/null +++ b/queue-4.14/s390-ctcm-fix-variable-dereferenced-before-check.patch @@ -0,0 +1,44 @@ +From 8cfab4cfee39e64d17282ac0cdced96ce934d01b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 09:05:06 +0200 +Subject: s390/ctcm: fix variable dereferenced before check + +From: Alexandra Winter + +[ Upstream commit 2c50c6867c85afee6f2b3bcbc50fc9d0083d1343 ] + +Found by cppcheck and smatch. +smatch complains about +drivers/s390/net/ctcm_sysfs.c:43 ctcm_buffer_write() warn: variable dereferenced before check 'priv' (see line 42) + +Fixes: 3c09e2647b5e ("ctcm: rename READ/WRITE defines to avoid redefinitions") +Reported-by: Colin Ian King +Signed-off-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_sysfs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/s390/net/ctcm_sysfs.c b/drivers/s390/net/ctcm_sysfs.c +index ded1930a00b2..e3813a7aa5e6 100644 +--- a/drivers/s390/net/ctcm_sysfs.c ++++ b/drivers/s390/net/ctcm_sysfs.c +@@ -39,11 +39,12 @@ static ssize_t ctcm_buffer_write(struct device *dev, + struct ctcm_priv *priv = dev_get_drvdata(dev); + int rc; + +- ndev = priv->channel[CTCM_READ]->netdev; +- if (!(priv && priv->channel[CTCM_READ] && ndev)) { ++ if (!(priv && priv->channel[CTCM_READ] && ++ priv->channel[CTCM_READ]->netdev)) { + CTCM_DBF_TEXT(SETUP, CTC_DBF_ERROR, "bfnondev"); + return -ENODEV; + } ++ ndev = priv->channel[CTCM_READ]->netdev; + + rc = kstrtouint(buf, 0, &bs1); + if (rc) +-- +2.35.1 + diff --git a/queue-4.14/s390-lcs-fix-variable-dereferenced-before-check.patch b/queue-4.14/s390-lcs-fix-variable-dereferenced-before-check.patch new file mode 100644 index 00000000000..d1774b6147e --- /dev/null +++ b/queue-4.14/s390-lcs-fix-variable-dereferenced-before-check.patch @@ -0,0 +1,42 @@ +From bc68285c82cbd30b201b827abb86a9285db17405 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 09:05:08 +0200 +Subject: s390/lcs: fix variable dereferenced before check + +From: Alexandra Winter + +[ Upstream commit 671bb35c8e746439f0ed70815968f9a4f20a8deb ] + +smatch complains about +drivers/s390/net/lcs.c:1741 lcs_get_control() warn: variable dereferenced before check 'card->dev' (see line 1739) + +Fixes: 27eb5ac8f015 ("[PATCH] s390: lcs driver bug fixes and improvements [1/2]") +Signed-off-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/lcs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/s390/net/lcs.c b/drivers/s390/net/lcs.c +index d01b5c2a7760..da4d7284db67 100644 +--- a/drivers/s390/net/lcs.c ++++ b/drivers/s390/net/lcs.c +@@ -1757,10 +1757,11 @@ lcs_get_control(struct lcs_card *card, struct lcs_cmd *cmd) + lcs_schedule_recovery(card); + break; + case LCS_CMD_STOPLAN: +- pr_warn("Stoplan for %s initiated by LGW\n", +- card->dev->name); +- if (card->dev) ++ if (card->dev) { ++ pr_warn("Stoplan for %s initiated by LGW\n", ++ card->dev->name); + netif_carrier_off(card->dev); ++ } + break; + default: + LCS_DBF_TEXT(5, trace, "noLGWcmd"); +-- +2.35.1 + diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..cefec271e3d --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,16 @@ +batman-adv-don-t-skb_split-skbuffs-with-frag_list.patch +net-fix-features-skip-in-for_each_netdev_feature.patch +ipv4-drop-dst-in-multicast-routing-path.patch +netlink-do-not-reset-transport-header-in-netlink_rec.patch +mac80211_hwsim-call-ieee80211_tx_prepare_skb-under-r.patch +hwmon-ltq-cputemp-restrict-it-to-soc_xway.patch +s390-ctcm-fix-variable-dereferenced-before-check.patch +s390-ctcm-fix-potential-memory-leak.patch +s390-lcs-fix-variable-dereferenced-before-check.patch +net-smc-non-blocking-recvmsg-return-eagain-when-no-d.patch +net-sfc-ef10-fix-memory-leak-in-efx_ef10_mtd_probe.patch +hwmon-f71882fg-fix-negative-temperature.patch +asoc-max98090-reject-invalid-values-in-custom-contro.patch +asoc-max98090-generate-notifications-on-changes-for-.patch +asoc-ops-validate-input-values-in-snd_soc_put_volsw_.patch +tcp-resalt-the-secret-every-10-seconds.patch diff --git a/queue-4.14/tcp-resalt-the-secret-every-10-seconds.patch b/queue-4.14/tcp-resalt-the-secret-every-10-seconds.patch new file mode 100644 index 00000000000..e849ab1538a --- /dev/null +++ b/queue-4.14/tcp-resalt-the-secret-every-10-seconds.patch @@ -0,0 +1,70 @@ +From 7005fe1bee6044712f83b5c524f0245a6235bb5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 May 2022 10:46:10 +0200 +Subject: tcp: resalt the secret every 10 seconds + +From: Eric Dumazet + +[ Upstream commit 4dfa9b438ee34caca4e6a4e5e961641807367f6f ] + +In order to limit the ability for an observer to recognize the source +ports sequence used to contact a set of destinations, we should +periodically shuffle the secret. 10 seconds looks effective enough +without causing particular issues. + +Cc: Moshe Kol +Cc: Yossi Gilad +Cc: Amit Klein +Cc: Jason A. Donenfeld +Tested-by: Willy Tarreau +Signed-off-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/secure_seq.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c +index 7232274de334..17683aea8a35 100644 +--- a/net/core/secure_seq.c ++++ b/net/core/secure_seq.c +@@ -22,6 +22,8 @@ + static siphash_key_t net_secret __read_mostly; + static siphash_key_t ts_secret __read_mostly; + ++#define EPHEMERAL_PORT_SHUFFLE_PERIOD (10 * HZ) ++ + static __always_inline void net_secret_init(void) + { + net_get_random_once(&net_secret, sizeof(net_secret)); +@@ -100,11 +102,13 @@ u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr, + const struct { + struct in6_addr saddr; + struct in6_addr daddr; ++ unsigned int timeseed; + __be16 dport; + } __aligned(SIPHASH_ALIGNMENT) combined = { + .saddr = *(struct in6_addr *)saddr, + .daddr = *(struct in6_addr *)daddr, +- .dport = dport ++ .timeseed = jiffies / EPHEMERAL_PORT_SHUFFLE_PERIOD, ++ .dport = dport, + }; + net_secret_init(); + return siphash(&combined, offsetofend(typeof(combined), dport), +@@ -144,8 +148,10 @@ u32 secure_tcp_seq(__be32 saddr, __be32 daddr, + u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport) + { + net_secret_init(); +- return siphash_3u32((__force u32)saddr, (__force u32)daddr, +- (__force u16)dport, &net_secret); ++ return siphash_4u32((__force u32)saddr, (__force u32)daddr, ++ (__force u16)dport, ++ jiffies / EPHEMERAL_PORT_SHUFFLE_PERIOD, ++ &net_secret); + } + EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral); + #endif +-- +2.35.1 +