From: Greg Kroah-Hartman Date: Tue, 12 Mar 2019 12:05:59 +0000 (-0700) Subject: drop 4.20 networking patch at the moment X-Git-Tag: v5.0.2~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=855fdab37472a00002095f3d96511d5b29bc2ea4;p=thirdparty%2Fkernel%2Fstable-queue.git drop 4.20 networking patch at the moment --- diff --git a/queue-4.20/series b/queue-4.20/series index c780fc45740..fce752dee0c 100644 --- a/queue-4.20/series +++ b/queue-4.20/series @@ -96,7 +96,6 @@ dts-ci20-fix-bugs-in-ci20-s-device-tree.patch usb-phy-fix-link-errors.patch usb-dwc3-exynos-fix-error-handling-of-clk_prepare_en.patch irqchip-gic-v4-fix-occasional-vlpi-drop.patch -sk_msg-always-cancel-strp-work-before-freeing-the-ps.patch irqchip-gic-v3-its-gracefully-fail-on-lpi-exhaustion.patch irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch drm-amdgpu-add-missing-power-attribute-to-apu-check.patch @@ -159,3 +158,5 @@ arm-dts-exynos-fix-pinctrl-definition-for-emmc-rtsn-line-on-odroid-x2-u3.patch arm-dts-exynos-add-minimal-clkout-parameters-to-exynos3250-pmu.patch arm-dts-exynos-fix-max-voltage-for-buck8-regulator-on-odroid-xu3-xu4.patch drm-disable-uncached-dma-optimization-for-arm-and-ar.patch +media-revert-media-rc-some-events-are-dropped-by-userspace.patch +revert-pci-pme-implement-runtime-pm-callbacks.patch diff --git a/queue-4.20/sk_msg-always-cancel-strp-work-before-freeing-the-ps.patch b/queue-4.20/sk_msg-always-cancel-strp-work-before-freeing-the-ps.patch deleted file mode 100644 index e7dbb644d8d..00000000000 --- a/queue-4.20/sk_msg-always-cancel-strp-work-before-freeing-the-ps.patch +++ /dev/null @@ -1,97 +0,0 @@ -From d3747ebdfd2fd5e12d8d04ad3f6261503ce52913 Mon Sep 17 00:00:00 2001 -From: Jakub Sitnicki -Date: Mon, 28 Jan 2019 10:13:35 +0100 -Subject: sk_msg: Always cancel strp work before freeing the psock - -[ Upstream commit 1d79895aef18fa05789995d86d523c9b2ee58a02 ] - -Despite having stopped the parser, we still need to deinitialize it -by calling strp_done so that it cancels its work. Otherwise the worker -thread can run after we have freed the parser, and attempt to access -its workqueue resulting in a use-after-free: - -================================================================== -BUG: KASAN: use-after-free in pwq_activate_delayed_work+0x1b/0x1d0 -Read of size 8 at addr ffff888069975240 by task kworker/u2:2/93 - -CPU: 0 PID: 93 Comm: kworker/u2:2 Not tainted 5.0.0-rc2-00335-g28f9d1a3d4fe-dirty #14 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014 -Workqueue: (null) (kstrp) -Call Trace: - print_address_description+0x6e/0x2b0 - ? pwq_activate_delayed_work+0x1b/0x1d0 - kasan_report+0xfd/0x177 - ? pwq_activate_delayed_work+0x1b/0x1d0 - ? pwq_activate_delayed_work+0x1b/0x1d0 - pwq_activate_delayed_work+0x1b/0x1d0 - ? process_one_work+0x4aa/0x660 - pwq_dec_nr_in_flight+0x9b/0x100 - worker_thread+0x82/0x680 - ? process_one_work+0x660/0x660 - kthread+0x1b9/0x1e0 - ? __kthread_create_on_node+0x250/0x250 - ret_from_fork+0x1f/0x30 - -Allocated by task 111: - sk_psock_init+0x3c/0x1b0 - sock_map_link.isra.2+0x103/0x4b0 - sock_map_update_common+0x94/0x270 - sock_map_update_elem+0x145/0x160 - __se_sys_bpf+0x152e/0x1e10 - do_syscall_64+0xb2/0x3e0 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -Freed by task 112: - kfree+0x7f/0x140 - process_one_work+0x40b/0x660 - worker_thread+0x82/0x680 - kthread+0x1b9/0x1e0 - ret_from_fork+0x1f/0x30 - -The buggy address belongs to the object at ffff888069975180 - which belongs to the cache kmalloc-512 of size 512 -The buggy address is located 192 bytes inside of - 512-byte region [ffff888069975180, ffff888069975380) -The buggy address belongs to the page: -page:ffffea0001a65d00 count:1 mapcount:0 mapping:ffff88806d401280 index:0x0 compound_mapcount: 0 -flags: 0x4000000000010200(slab|head) -raw: 4000000000010200 dead000000000100 dead000000000200 ffff88806d401280 -raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff888069975100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc - ffff888069975180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ->ffff888069975200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ^ - ffff888069975280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff888069975300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -================================================================== - -Reported-by: Marek Majkowski -Signed-off-by: Jakub Sitnicki -Link: https://lore.kernel.org/netdev/CAJPywTLwgXNEZ2dZVoa=udiZmtrWJ0q5SuBW64aYs0Y1khXX3A@mail.gmail.com -Acked-by: Song Liu -Signed-off-by: Daniel Borkmann -Signed-off-by: Sasha Levin ---- - net/core/skmsg.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/net/core/skmsg.c b/net/core/skmsg.c -index 54d854807630..4932861d7b88 100644 ---- a/net/core/skmsg.c -+++ b/net/core/skmsg.c -@@ -545,8 +545,7 @@ static void sk_psock_destroy_deferred(struct work_struct *gc) - struct sk_psock *psock = container_of(gc, struct sk_psock, gc); - - /* No sk_callback_lock since already detached. */ -- if (psock->parser.enabled) -- strp_done(&psock->parser.strp); -+ strp_done(&psock->parser.strp); - - cancel_work_sync(&psock->work); - --- -2.19.1 -