From: Sasha Levin Date: Tue, 7 Jan 2020 18:07:25 +0000 (-0500) Subject: fixes for 4.4 X-Git-Tag: v4.14.163~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9bdf091f84ea8c1115c2a18f48120e3971c48337;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.4 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.4/ath9k_htc-discard-undersized-packets.patch b/queue-4.4/ath9k_htc-discard-undersized-packets.patch
new file mode 100644
index 00000000000..d545405d007
--- /dev/null
+++ b/queue-4.4/ath9k_htc-discard-undersized-packets.patch
@@ -0,0 +1,124 @@ +From a4c07c9e15da0985f1a22bfd218442791b6c47a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2019 11:51:46 +0900 +Subject: ath9k_htc: Discard undersized packets + +From: Masashi Honma + +[ Upstream commit cd486e627e67ee9ab66914d36d3127ef057cc010 ] + +Sometimes the hardware will push small packets that trigger a WARN_ON +in mac80211. Discard them early to avoid this issue. + +This patch ports 2 patches from ath9k to ath9k_htc. +commit 3c0efb745a172bfe96459e20cbd37b0c945d5f8d "ath9k: discard +undersized packets". +commit df5c4150501ee7e86383be88f6490d970adcf157 "ath9k: correctly +handle short radar pulses". + +[ 112.835889] ------------[ cut here ]------------ +[ 112.835971] WARNING: CPU: 5 PID: 0 at net/mac80211/rx.c:804 ieee80211_rx_napi+0xaac/0xb40 [mac80211] +[ 112.835973] Modules linked in: ath9k_htc ath9k_common ath9k_hw ath mac80211 cfg80211 libarc4 nouveau snd_hda_codec_hdmi intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_hda_codec video snd_hda_core ttm snd_hwdep drm_kms_helper snd_pcm crct10dif_pclmul snd_seq_midi drm snd_seq_midi_event crc32_pclmul snd_rawmidi ghash_clmulni_intel snd_seq aesni_intel aes_x86_64 crypto_simd cryptd snd_seq_device glue_helper snd_timer sch_fq_codel i2c_algo_bit fb_sys_fops snd input_leds syscopyarea sysfillrect sysimgblt intel_cstate mei_me intel_rapl_perf soundcore mxm_wmi lpc_ich mei kvm_intel kvm mac_hid irqbypass parport_pc ppdev lp parport ip_tables x_tables autofs4 hid_generic usbhid hid raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear e1000e ahci libahci wmi +[ 112.836022] CPU: 5 PID: 0 Comm: swapper/5 Not tainted 5.3.0-wt #1 +[ 112.836023] Hardware name: MouseComputer Co.,Ltd. 
X99-S01/X99-S01, BIOS 1.0C-W7 04/01/2015 +[ 112.836056] RIP: 0010:ieee80211_rx_napi+0xaac/0xb40 [mac80211] +[ 112.836059] Code: 00 00 66 41 89 86 b0 00 00 00 e9 c8 fa ff ff 4c 89 b5 40 ff ff ff 49 89 c6 e9 c9 fa ff ff 48 c7 c7 e0 a2 a5 c0 e8 47 41 b0 e9 <0f> 0b 48 89 df e8 5a 94 2d ea e9 02 f9 ff ff 41 39 c1 44 89 85 60 +[ 112.836060] RSP: 0018:ffffaa6180220da8 EFLAGS: 00010286 +[ 112.836062] RAX: 0000000000000024 RBX: ffff909a20eeda00 RCX: 0000000000000000 +[ 112.836064] RDX: 0000000000000000 RSI: ffff909a2f957448 RDI: ffff909a2f957448 +[ 112.836065] RBP: ffffaa6180220e78 R08: 00000000000006e9 R09: 0000000000000004 +[ 112.836066] R10: 000000000000000a R11: 0000000000000001 R12: 0000000000000000 +[ 112.836068] R13: ffff909a261a47a0 R14: 0000000000000000 R15: 0000000000000004 +[ 112.836070] FS: 0000000000000000(0000) GS:ffff909a2f940000(0000) knlGS:0000000000000000 +[ 112.836071] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 112.836073] CR2: 00007f4e3ffffa08 CR3: 00000001afc0a006 CR4: 00000000001606e0 +[ 112.836074] Call Trace: +[ 112.836076] +[ 112.836083] ? finish_td+0xb3/0xf0 +[ 112.836092] ? 
ath9k_rx_prepare.isra.11+0x22f/0x2a0 [ath9k_htc] +[ 112.836099] ath9k_rx_tasklet+0x10b/0x1d0 [ath9k_htc] +[ 112.836105] tasklet_action_common.isra.22+0x63/0x110 +[ 112.836108] tasklet_action+0x22/0x30 +[ 112.836115] __do_softirq+0xe4/0x2da +[ 112.836118] irq_exit+0xae/0xb0 +[ 112.836121] do_IRQ+0x86/0xe0 +[ 112.836125] common_interrupt+0xf/0xf +[ 112.836126] +[ 112.836130] RIP: 0010:cpuidle_enter_state+0xa9/0x440 +[ 112.836133] Code: 3d bc 20 38 55 e8 f7 1d 84 ff 49 89 c7 0f 1f 44 00 00 31 ff e8 28 29 84 ff 80 7d d3 00 0f 85 e6 01 00 00 fb 66 0f 1f 44 00 00 <45> 85 ed 0f 89 ff 01 00 00 41 c7 44 24 10 00 00 00 00 48 83 c4 18 +[ 112.836134] RSP: 0018:ffffaa61800e3e48 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde +[ 112.836136] RAX: ffff909a2f96b340 RBX: ffffffffabb58200 RCX: 000000000000001f +[ 112.836137] RDX: 0000001a458adc5d RSI: 0000000026c9b581 RDI: 0000000000000000 +[ 112.836139] RBP: ffffaa61800e3e88 R08: 0000000000000002 R09: 000000000002abc0 +[ 112.836140] R10: ffffaa61800e3e18 R11: 000000000000002d R12: ffffca617fb40b00 +[ 112.836141] R13: 0000000000000002 R14: ffffffffabb582d8 R15: 0000001a458adc5d +[ 112.836145] ? cpuidle_enter_state+0x98/0x440 +[ 112.836149] ? 
menu_select+0x370/0x600 +[ 112.836151] cpuidle_enter+0x2e/0x40 +[ 112.836154] call_cpuidle+0x23/0x40 +[ 112.836156] do_idle+0x204/0x280 +[ 112.836159] cpu_startup_entry+0x1d/0x20 +[ 112.836164] start_secondary+0x167/0x1c0 +[ 112.836169] secondary_startup_64+0xa4/0xb0 +[ 112.836173] ---[ end trace 9f4cd18479cc5ae5 ]--- + +Signed-off-by: Masashi Honma +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 23 +++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +index 54e96c661a9c..0d757ced49ba 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +@@ -972,6 +972,8 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv, + struct ath_htc_rx_status *rxstatus; + struct ath_rx_status rx_stats; + bool decrypt_error = false; ++ __be16 rs_datalen; ++ bool is_phyerr; + + if (skb->len < HTC_RX_FRAME_HEADER_SIZE) { + ath_err(common, "Corrupted RX frame, dropping (len: %d)\n", +@@ -981,11 +983,24 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv, + + rxstatus = (struct ath_htc_rx_status *)skb->data; + +- if (be16_to_cpu(rxstatus->rs_datalen) - +- (skb->len - HTC_RX_FRAME_HEADER_SIZE) != 0) { ++ rs_datalen = be16_to_cpu(rxstatus->rs_datalen); ++ if (unlikely(rs_datalen - ++ (skb->len - HTC_RX_FRAME_HEADER_SIZE) != 0)) { + ath_err(common, + "Corrupted RX data len, dropping (dlen: %d, skblen: %d)\n", +- be16_to_cpu(rxstatus->rs_datalen), skb->len); ++ rs_datalen, skb->len); ++ goto rx_next; ++ } ++ ++ is_phyerr = rxstatus->rs_status & ATH9K_RXERR_PHY; ++ /* ++ * Discard zero-length packets and packets smaller than an ACK ++ * which are not PHY_ERROR (short radar pulses have a length of 3) ++ */ ++ if (unlikely(!rs_datalen || (rs_datalen < 10 && !is_phyerr))) { ++ ath_warn(common, ++ "Short RX data len, dropping (dlen: %d)\n", ++ 
rs_datalen);
+ goto rx_next;
+ }
+
+@@ -1010,7 +1025,7 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
+ * Process PHY errors and return so that the packet
+ * can be dropped.
+ */
+- if (rx_stats.rs_status & ATH9K_RXERR_PHY) {
++ if (unlikely(is_phyerr)) {
+ /* TODO: Not using DFS processing now. */
+ if (ath_cmn_process_fft(&priv->spec_priv, hdr,
+ &rx_stats, rx_status->mactime)) {
+--
+2.20.1
+
diff --git a/queue-4.4/ath9k_htc-modify-byte-order-for-an-error-message.patch b/queue-4.4/ath9k_htc-modify-byte-order-for-an-error-message.patch
new file mode 100644
index 00000000000..05fc759a126
--- /dev/null
+++ b/queue-4.4/ath9k_htc-modify-byte-order-for-an-error-message.patch
@@ -0,0 +1,34 @@
+From 71f422d17c69142443fe0d45dde09f656e8d0f0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 27 Sep 2019 11:51:45 +0900
+Subject: ath9k_htc: Modify byte order for an error message
+
+From: Masashi Honma
+
+[ Upstream commit e01fddc19d215f6ad397894ec2a851d99bf154e2 ]
+
+rs_datalen is be16 so we need to convert it before printing.
+
+Signed-off-by: Masashi Honma
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+index cc9648f844ae..54e96c661a9c 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+@@ -985,7 +985,7 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
+ (skb->len - HTC_RX_FRAME_HEADER_SIZE) != 0) {
+ ath_err(common,
+ "Corrupted RX data len, dropping (dlen: %d, skblen: %d)\n",
+- rxstatus->rs_datalen, skb->len);
++ be16_to_cpu(rxstatus->rs_datalen), skb->len);
+ goto rx_next;
+ }
+
+--
+2.20.1
+
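Review bot: The new local `rs_datalen` is declared `__be16` but is assigned the host-order result of `be16_to_cpu()`, so its type is wrong (sparse flags the assignment as mixing a bitwise and a plain integer type); it should be `u16 rs_datalen;`, which also matches the `%d` in the new ath_warn() format. The `10` in the undersized check is the size of an 802.11 ACK (frame control, duration, RA) and is what now keeps the ieee80211_hdr cast further down in ath9k_rx_prepare() from reading past the end of a short frame, so it deserves a named constant or a comment such as `/* 10 = 802.11 ACK; anything shorter cannot carry a usable header */` rather than the bare number. PHY-error frames are still let through below that bound, so the ath_cmn_process_fft() path (outside the hunk) must cope with rs_datalen as small as 3 on this 4.4 backport; that is presumably what the ported "short radar pulses" change covers, but it is worth confirming. ath9k_rx_prepare() starts before the hunk and continues past it.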
diff --git a/queue-4.4/drm-mst-fix-mst-sideband-up-reply-failure-handling.patch b/queue-4.4/drm-mst-fix-mst-sideband-up-reply-failure-handling.patch
new file mode 100644
index 00000000000..2db0a3e934d
--- /dev/null
+++ b/queue-4.4/drm-mst-fix-mst-sideband-up-reply-failure-handling.patch
@@ -0,0 +1,83 @@ +From f7f29564b159e28dd4126abd39e2097efd1d14f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 May 2019 00:24:33 +0300 +Subject: drm/mst: Fix MST sideband up-reply failure handling + +From: Imre Deak + +[ Upstream commit d8fd3722207f154b53c80eee2cf4977c3fc25a92 ] + +Fix the breakage resulting in the stacktrace below, due to tx queue +being full when trying to send an up-reply. txmsg->seqno is -1 in this +case leading to a corruption of the mstb object by + + txmsg->dst->tx_slots[txmsg->seqno] = NULL; + +in process_single_up_tx_qlock(). + +[ +0,005162] [drm:process_single_tx_qlock [drm_kms_helper]] set_hdr_from_dst_qlock: failed to find slot +[ +0,000015] [drm:drm_dp_send_up_ack_reply.constprop.19 [drm_kms_helper]] failed to send msg in q -11 +[ +0,000939] BUG: kernel NULL pointer dereference, address: 00000000000005a0 +[ +0,006982] #PF: supervisor write access in kernel mode +[ +0,005223] #PF: error_code(0x0002) - not-present page +[ +0,005135] PGD 0 P4D 0 +[ +0,002581] Oops: 0002 [#1] PREEMPT SMP NOPTI +[ +0,004359] CPU: 1 PID: 1200 Comm: kworker/u16:3 Tainted: G U 5.2.0-rc1+ #410 +[ +0,008433] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP, BIOS ICLSFWR1.R00.3175.A00.1904261428 04/26/2019 +[ +0,013323] Workqueue: i915-dp i915_digport_work_func [i915] +[ +0,005676] RIP: 0010:queue_work_on+0x19/0x70 +[ +0,004372] Code: ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 41 56 49 89 f6 41 55 41 89 fd 41 54 55 53 48 89 d3 9c 5d fa e8 e7 81 0c 00 48 0f ba 2b 00 73 31 45 31 e4 f7 c5 00 02 00 00 74 13 e8 cf 7f +[ +0,018750] RSP: 0018:ffffc900007dfc50 EFLAGS: 00010006 +[ +0,005222] RAX: 0000000000000046 RBX: 00000000000005a0 RCX: 0000000000000001 +[ +0,007133] RDX: 000000000001b608 RSI: 0000000000000000 RDI: ffffffff82121972 +[ +0,007129] RBP: 0000000000000202 R08: 0000000000000000 R09: 0000000000000001 +[ +0,007129] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88847bfa5096 +[ +0,007131] R13: 
0000000000000010 R14: ffff88849c08f3f8 R15: 0000000000000000
+[ +0,007128] FS: 0000000000000000(0000) GS:ffff88849dc80000(0000) knlGS:0000000000000000
+[ +0,008083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ +0,005749] CR2: 00000000000005a0 CR3: 0000000005210006 CR4: 0000000000760ee0
+[ +0,007128] PKRU: 55555554
+[ +0,002722] Call Trace:
+[ +0,002458] drm_dp_mst_handle_up_req+0x517/0x540 [drm_kms_helper]
+[ +0,006197] ? drm_dp_mst_hpd_irq+0x5b/0x9c0 [drm_kms_helper]
+[ +0,005764] drm_dp_mst_hpd_irq+0x5b/0x9c0 [drm_kms_helper]
+[ +0,005623] ? intel_dp_hpd_pulse+0x205/0x370 [i915]
+[ +0,005018] intel_dp_hpd_pulse+0x205/0x370 [i915]
+[ +0,004836] i915_digport_work_func+0xbb/0x140 [i915]
+[ +0,005108] process_one_work+0x245/0x610
+[ +0,004027] worker_thread+0x37/0x380
+[ +0,003684] ? process_one_work+0x610/0x610
+[ +0,004184] kthread+0x119/0x130
+[ +0,003240] ? kthread_park+0x80/0x80
+[ +0,003668] ret_from_fork+0x24/0x50
+
+Cc: Lyude Paul
+Cc: Dave Airlie
+Signed-off-by: Imre Deak
+Reviewed-by: Lyude Paul
+Link: https://patchwork.freedesktop.org/patch/msgid/20190523212433.9058-1-imre.deak@intel.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
+index ff12d926eb65..cd707b401b10 100644
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -1538,7 +1538,11 @@ static void process_single_up_tx_qlock(struct drm_dp_mst_topology_mgr *mgr,
+ if (ret != 1)
+ DRM_DEBUG_KMS("failed to send msg in q %d\n", ret);
+
+- txmsg->dst->tx_slots[txmsg->seqno] = NULL;
++ if (txmsg->seqno != -1) {
++ WARN_ON((unsigned int)txmsg->seqno >
++ ARRAY_SIZE(txmsg->dst->tx_slots));
++ txmsg->dst->tx_slots[txmsg->seqno] = NULL;
++ }
+ }
+
+ static void drm_dp_queue_down_tx(struct drm_dp_mst_topology_mgr *mgr,
+--
+2.20.1
+
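Review bot: The bound check added before the tx_slots store is off by one and does not gate the store: `(unsigned int)txmsg->seqno > ARRAY_SIZE(txmsg->dst->tx_slots)` accepts seqno == ARRAY_SIZE, which is one past the end of the array, and a bare WARN_ON() lets any out-of-range index fall through to the write on the next line, so the mstb corruption the commit message describes is only closed for the -1 case. Use `>=` and make the warning skip the write: `if (txmsg->seqno != -1 && !WARN_ON((unsigned int)txmsg->seqno >= ARRAY_SIZE(txmsg->dst->tx_slots)))` followed by the existing assignment. A short comment at the `!= -1` test saying that this is the value left when no slot could be allocated (per the commit message, set_hdr_from_dst_qlock() failing to find a slot) would spare the next reader the search. process_single_up_tx_qlock() begins before the hunk.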
diff --git a/queue-4.4/net-add-annotations-on-hh-hh_len-lockless-accesses.patch b/queue-4.4/net-add-annotations-on-hh-hh_len-lockless-accesses.patch
new file mode 100644
index 00000000000..e8e24635094
--- /dev/null
+++ b/queue-4.4/net-add-annotations-on-hh-hh_len-lockless-accesses.patch
@@ -0,0 +1,149 @@ +From 259f00427fbdcfcde920086d4f4976c3bb66bb71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 18:29:11 -0800 +Subject: net: add annotations on hh->hh_len lockless accesses + +From: Eric Dumazet + +[ Upstream commit c305c6ae79e2ce20c22660ceda94f0d86d639a82 ] + +KCSAN reported a data-race [1] + +While we can use READ_ONCE() on the read sides, +we need to make sure hh->hh_len is written last. + +[1] + +BUG: KCSAN: data-race in eth_header_cache / neigh_resolve_output + +write to 0xffff8880b9dedcb8 of 4 bytes by task 29760 on cpu 0: + eth_header_cache+0xa9/0xd0 net/ethernet/eth.c:247 + neigh_hh_init net/core/neighbour.c:1463 [inline] + neigh_resolve_output net/core/neighbour.c:1480 [inline] + neigh_resolve_output+0x415/0x470 net/core/neighbour.c:1470 + neigh_output include/net/neighbour.h:511 [inline] + ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116 + __ip6_finish_output net/ipv6/ip6_output.c:142 [inline] + __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127 + ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152 + NF_HOOK_COND include/linux/netfilter.h:294 [inline] + ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175 + dst_output include/net/dst.h:436 [inline] + NF_HOOK include/linux/netfilter.h:305 [inline] + ndisc_send_skb+0x459/0x5f0 net/ipv6/ndisc.c:505 + ndisc_send_ns+0x207/0x430 net/ipv6/ndisc.c:647 + rt6_probe_deferred+0x98/0xf0 net/ipv6/route.c:615 + process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 + worker_thread+0xa0/0x800 kernel/workqueue.c:2415 + kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 + +read to 0xffff8880b9dedcb8 of 4 bytes by task 29572 on cpu 1: + neigh_resolve_output net/core/neighbour.c:1479 [inline] + neigh_resolve_output+0x113/0x470 net/core/neighbour.c:1470 + neigh_output include/net/neighbour.h:511 [inline] + ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116 + __ip6_finish_output net/ipv6/ip6_output.c:142 [inline] + 
__ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127 + ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152 + NF_HOOK_COND include/linux/netfilter.h:294 [inline] + ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175 + dst_output include/net/dst.h:436 [inline] + NF_HOOK include/linux/netfilter.h:305 [inline] + ndisc_send_skb+0x459/0x5f0 net/ipv6/ndisc.c:505 + ndisc_send_ns+0x207/0x430 net/ipv6/ndisc.c:647 + rt6_probe_deferred+0x98/0xf0 net/ipv6/route.c:615 + process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 + worker_thread+0xa0/0x800 kernel/workqueue.c:2415 + kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 29572 Comm: kworker/1:4 Not tainted 5.4.0-rc6+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: events rt6_probe_deferred + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/firewire/net.c | 6 +++++- + include/net/neighbour.h | 2 +- + net/core/neighbour.c | 4 ++-- + net/ethernet/eth.c | 7 ++++++- + 4 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c +index b9d2f76a0cf7..117d16a455fd 100644 +--- a/drivers/firewire/net.c ++++ b/drivers/firewire/net.c +@@ -249,7 +249,11 @@ static int fwnet_header_cache(const struct neighbour *neigh, + h = (struct fwnet_header *)((u8 *)hh->hh_data + HH_DATA_OFF(sizeof(*h))); + h->h_proto = type; + memcpy(h->h_dest, neigh->ha, net->addr_len); +- hh->hh_len = FWNET_HLEN; ++ ++ /* Pairs with the READ_ONCE() in neigh_resolve_output(), ++ * neigh_hh_output() and neigh_update_hhs(). 
++ */
++ smp_store_release(&hh->hh_len, FWNET_HLEN);
+
+ return 0;
+ }
+diff --git a/include/net/neighbour.h b/include/net/neighbour.h
+index 1c0d07376125..a68a460fa4f3 100644
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -454,7 +454,7 @@ static inline int neigh_hh_output(const struct hh_cache *hh, struct sk_buff *skb
+
+ do {
+ seq = read_seqbegin(&hh->hh_lock);
+- hh_len = hh->hh_len;
++ hh_len = READ_ONCE(hh->hh_len);
+ if (likely(hh_len <= HH_DATA_MOD)) {
+ hh_alen = HH_DATA_MOD;
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 8aef689b8f32..af1ecd0e7b07 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -1058,7 +1058,7 @@ static void neigh_update_hhs(struct neighbour *neigh)
+
+ if (update) {
+ hh = &neigh->hh;
+- if (hh->hh_len) {
++ if (READ_ONCE(hh->hh_len)) {
+ write_seqlock_bh(&hh->hh_lock);
+ update(hh, neigh->dev, neigh->ha);
+ write_sequnlock_bh(&hh->hh_lock);
+@@ -1323,7 +1323,7 @@ int neigh_resolve_output(struct neighbour *neigh, struct sk_buff *skb)
+ struct net_device *dev = neigh->dev;
+ unsigned int seq;
+
+- if (dev->header_ops->cache && !neigh->hh.hh_len)
++ if (dev->header_ops->cache && !READ_ONCE(neigh->hh.hh_len))
+ neigh_hh_init(neigh);
+
+ do {
+diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
+index 52dcd414c2af..3f51b4e590b1 100644
+--- a/net/ethernet/eth.c
++++ b/net/ethernet/eth.c
+@@ -235,7 +235,12 @@ int eth_header_cache(const struct neighbour *neigh, struct hh_cache *hh, __be16
+ eth->h_proto = type;
+ memcpy(eth->h_source, dev->dev_addr, ETH_ALEN);
+ memcpy(eth->h_dest, neigh->ha, ETH_ALEN);
+- hh->hh_len = ETH_HLEN;
++
++ /* Pairs with READ_ONCE() in neigh_resolve_output(),
++ * neigh_hh_output() and neigh_update_hhs().
++ */
++ smp_store_release(&hh->hh_len, ETH_HLEN);
++
+ return 0;
+ }
+ EXPORT_SYMBOL(eth_header_cache);
+--
+2.20.1
+
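Review bot: The new comments in eth_header_cache() and fwnet_header_cache() say the smp_store_release() "pairs with READ_ONCE()", but a release only orders against an acquire (or a dependency) on the reading side, and READ_ONCE() by itself provides neither, so the comment should state what actually makes each reader safe. In neigh_resolve_output() and neigh_update_hhs() the value is only a zero/non-zero hint that is re-checked under a lock (neigh_hh_init(), outside the hunk, presumably re-tests hh_len under the neighbour lock; neigh_update_hhs() takes hh_lock), so a stale read is harmless; in neigh_hh_output() the read sits inside the hh_lock seqlock loop, but the initial publication by the cache callback is not done under that seqlock, so a reader that sees a non-zero hh_len and then copies hh_data is relying on the control dependency from the length check — if that is the intent, say so, otherwise `smp_load_acquire(&hh->hh_len)` there would make it explicit. Suggested wording for both writers: `/* Publish hh_data before hh_len; readers either re-check under a lock or only copy hh_data after seeing a non-zero hh_len. */`. Any other header_ops->cache implementation in the 4.4 tree that writes hh_len should get the same smp_store_release(); the hunk covers only these two.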
diff --git a/queue-4.4/powerpc-pseries-hvconsole-fix-stack-overread-via-udb.patch b/queue-4.4/powerpc-pseries-hvconsole-fix-stack-overread-via-udb.patch
new file mode 100644
index 00000000000..b6135031d42
--- /dev/null
+++ b/queue-4.4/powerpc-pseries-hvconsole-fix-stack-overread-via-udb.patch
@@ -0,0 +1,116 @@ +From 0cc92cb9b5cb9ccbf2c501b42270226073aaa07d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jun 2019 16:56:57 +1000 +Subject: powerpc/pseries/hvconsole: Fix stack overread via udbg + +From: Daniel Axtens + +[ Upstream commit 934bda59f286d0221f1a3ebab7f5156a996cc37d ] + +While developing KASAN for 64-bit book3s, I hit the following stack +over-read. + +It occurs because the hypercall to put characters onto the terminal +takes 2 longs (128 bits/16 bytes) of characters at a time, and so +hvc_put_chars() would unconditionally copy 16 bytes from the argument +buffer, regardless of supplied length. However, udbg_hvc_putc() can +call hvc_put_chars() with a single-byte buffer, leading to the error. + + ================================================================== + BUG: KASAN: stack-out-of-bounds in hvc_put_chars+0xdc/0x110 + Read of size 8 at addr c0000000023e7a90 by task swapper/0 + + CPU: 0 PID: 0 Comm: swapper Not tainted 5.2.0-rc2-next-20190528-02824-g048a6ab4835b #113 + Call Trace: + dump_stack+0x104/0x154 (unreliable) + print_address_description+0xa0/0x30c + __kasan_report+0x20c/0x224 + kasan_report+0x18/0x30 + __asan_report_load8_noabort+0x24/0x40 + hvc_put_chars+0xdc/0x110 + hvterm_raw_put_chars+0x9c/0x110 + udbg_hvc_putc+0x154/0x200 + udbg_write+0xf0/0x240 + console_unlock+0x868/0xd30 + register_console+0x970/0xe90 + register_early_udbg_console+0xf8/0x114 + setup_arch+0x108/0x790 + start_kernel+0x104/0x784 + start_here_common+0x1c/0x534 + + Memory state around the buggy address: + c0000000023e7980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + c0000000023e7a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 + >c0000000023e7a80: f1 f1 01 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 + ^ + c0000000023e7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + c0000000023e7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ================================================================== + +Document that a 16-byte buffer is 
requred, and provide it in udbg. + +Signed-off-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/hvconsole.c | 2 +- + drivers/tty/hvc/hvc_vio.c | 16 +++++++++++++++- + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hvconsole.c b/arch/powerpc/platforms/pseries/hvconsole.c +index 849b29b3e9ae..954ef27128f2 100644 +--- a/arch/powerpc/platforms/pseries/hvconsole.c ++++ b/arch/powerpc/platforms/pseries/hvconsole.c +@@ -62,7 +62,7 @@ EXPORT_SYMBOL(hvc_get_chars); + * @vtermno: The vtermno or unit_address of the adapter from which the data + * originated. + * @buf: The character buffer that contains the character data to send to +- * firmware. ++ * firmware. Must be at least 16 bytes, even if count is less than 16. + * @count: Send this number of characters. + */ + int hvc_put_chars(uint32_t vtermno, const char *buf, int count) +diff --git a/drivers/tty/hvc/hvc_vio.c b/drivers/tty/hvc/hvc_vio.c +index f575a9b5ede7..1d671d058dcb 100644 +--- a/drivers/tty/hvc/hvc_vio.c ++++ b/drivers/tty/hvc/hvc_vio.c +@@ -122,6 +122,14 @@ static int hvterm_raw_get_chars(uint32_t vtermno, char *buf, int count) + return got; + } + ++/** ++ * hvterm_raw_put_chars: send characters to firmware for given vterm adapter ++ * @vtermno: The virtual terminal number. ++ * @buf: The characters to send. Because of the underlying hypercall in ++ * hvc_put_chars(), this buffer must be at least 16 bytes long, even if ++ * you are sending fewer chars. ++ * @count: number of chars to send. 
++ */
+ static int hvterm_raw_put_chars(uint32_t vtermno, const char *buf, int count)
+ {
+ struct hvterm_priv *pv = hvterm_privs[vtermno];
+@@ -234,6 +242,7 @@ static const struct hv_ops hvterm_hvsi_ops = {
+ static void udbg_hvc_putc(char c)
+ {
+ int count = -1;
++ unsigned char bounce_buffer[16];
+
+ if (!hvterm_privs[0])
+ return;
+@@ -244,7 +253,12 @@ static void udbg_hvc_putc(char c)
+ do {
+ switch(hvterm_privs[0]->proto) {
+ case HV_PROTOCOL_RAW:
+- count = hvterm_raw_put_chars(0, &c, 1);
++ /*
++ * hvterm_raw_put_chars requires at least a 16-byte
++ * buffer, so go via the bounce buffer
++ */
++ bounce_buffer[0] = c;
++ count = hvterm_raw_put_chars(0, bounce_buffer, 1);
+ break;
+ case HV_PROTOCOL_HVSI:
+ count = hvterm_hvsi_put_chars(0, &c, 1);
+--
+2.20.1
+
diff --git a/queue-4.4/s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch b/queue-4.4/s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch
new file mode 100644
index 00000000000..7cff6a26383
--- /dev/null
+++ b/queue-4.4/s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch
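Review bot: `bounce_buffer` in udbg_hvc_putc() is only written at index 0, and the whole reason for the buffer is that hvc_put_chars() (outside the hunk, in hvconsole.c) copies all 16 bytes into the two longs handed to the hypercall regardless of count, so the fix now ships 15 bytes of uninitialised kernel stack to the hypervisor on every character. Zero it at the declaration, `unsigned char bounce_buffer[16] = { 0 };`, so the padding is deterministic rather than whatever the caller left on the stack; the hypervisor is presumably trusted, but exporting stack contents outside the kernel should not be the silent default. The HV_PROTOCOL_HVSI branch still passes `&c` as a 1-byte buffer; that is presumably fine because the HVSI layer builds its own packet before calling hvc_put_chars(), but it is not visible in the hunk and is worth confirming on 4.4. udbg_hvc_putc()'s switch continues past the hunk.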
@@ -0,0 +1,155 @@ +From f8038adf2fff55d8da5202e1c4edbdd3c80aa45f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Nov 2019 14:55:38 +0100 +Subject: s390/smp: fix physical to logical CPU map for SMT + +From: Heiko Carstens + +[ Upstream commit 72a81ad9d6d62dcb79f7e8ad66ffd1c768b72026 ] + +If an SMT capable system is not IPL'ed from the first CPU the setup of +the physical to logical CPU mapping is broken: the IPL core gets CPU +number 0, but then the next core gets CPU number 1. Correct would be +that all SMT threads of CPU 0 get the subsequent logical CPU numbers. + +This is important since a lot of code (like e.g. the CPU topology +code) assumes that CPU maps are setup like this. If the mapping is +broken the system will not IPL due to broken topology masks: + +[ 1.716341] BUG: arch topology broken +[ 1.716342] the SMT domain not a subset of the MC domain +[ 1.716343] BUG: arch topology broken +[ 1.716344] the MC domain not a subset of the BOOK domain + +This scenario can usually not happen since LPARs are always IPL'ed +from CPU 0 and also re-IPL is intiated from CPU 0. However older +kernels did initiate re-IPL on an arbitrary CPU. If therefore a re-IPL +from an old kernel into a new kernel is initiated this may lead to +crash. + +Fix this by setting up the physical to logical CPU mapping correctly. 
+
+Signed-off-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kernel/smp.c | 80 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 54 insertions(+), 26 deletions(-)
+
+diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c
+index 29e5409c0d48..f113fcd781d8 100644
+--- a/arch/s390/kernel/smp.c
++++ b/arch/s390/kernel/smp.c
+@@ -702,39 +702,67 @@ static struct sclp_core_info *smp_get_core_info(void)
+
+ static int smp_add_present_cpu(int cpu);
+
+-static int __smp_rescan_cpus(struct sclp_core_info *info, int sysfs_add)
++static int smp_add_core(struct sclp_core_entry *core, cpumask_t *avail,
++ bool configured, bool early)
+ {
+ struct pcpu *pcpu;
+- cpumask_t avail;
+- int cpu, nr, i, j;
++ int cpu, nr, i;
+ u16 address;
+
+ nr = 0;
+- cpumask_xor(&avail, cpu_possible_mask, cpu_present_mask);
+- cpu = cpumask_first(&avail);
+- for (i = 0; (i < info->combined) && (cpu < nr_cpu_ids); i++) {
+- if (sclp.has_core_type && info->core[i].type != boot_core_type)
++ if (sclp.has_core_type && core->type != boot_core_type)
++ return nr;
++ cpu = cpumask_first(avail);
++ address = core->core_id << smp_cpu_mt_shift;
++ for (i = 0; (i <= smp_cpu_mtid) && (cpu < nr_cpu_ids); i++) {
++ if (pcpu_find_address(cpu_present_mask, address + i))
+ continue;
+- address = info->core[i].core_id << smp_cpu_mt_shift;
+- for (j = 0; j <= smp_cpu_mtid; j++) {
+- if (pcpu_find_address(cpu_present_mask, address + j))
+- continue;
+- pcpu = pcpu_devices + cpu;
+- pcpu->address = address + j;
+- pcpu->state =
+- (cpu >= info->configured*(smp_cpu_mtid + 1)) ?
+- CPU_STATE_STANDBY : CPU_STATE_CONFIGURED;
+- smp_cpu_set_polarization(cpu, POLARIZATION_UNKNOWN);
+- set_cpu_present(cpu, true);
+- if (sysfs_add && smp_add_present_cpu(cpu) != 0)
+- set_cpu_present(cpu, false);
+- else
+- nr++;
+- cpu = cpumask_next(cpu, &avail);
+- if (cpu >= nr_cpu_ids)
++ pcpu = pcpu_devices + cpu;
++ pcpu->address = address + i;
++ if (configured)
++ pcpu->state = CPU_STATE_CONFIGURED;
++ else
++ pcpu->state = CPU_STATE_STANDBY;
++ smp_cpu_set_polarization(cpu, POLARIZATION_UNKNOWN);
++ set_cpu_present(cpu, true);
++ if (!early && smp_add_present_cpu(cpu) != 0)
++ set_cpu_present(cpu, false);
++ else
++ nr++;
++ cpumask_clear_cpu(cpu, avail);
++ cpu = cpumask_next(cpu, avail);
++ }
++ return nr;
++}
++
++static int __smp_rescan_cpus(struct sclp_core_info *info, bool early)
++{
++ struct sclp_core_entry *core;
++ cpumask_t avail;
++ bool configured;
++ u16 core_id;
++ int nr, i;
++
++ nr = 0;
++ cpumask_xor(&avail, cpu_possible_mask, cpu_present_mask);
++ /*
++ * Add IPL core first (which got logical CPU number 0) to make sure
++ * that all SMT threads get subsequent logical CPU numbers.
++ */
++ if (early) {
++ core_id = pcpu_devices[0].address >> smp_cpu_mt_shift;
++ for (i = 0; i < info->configured; i++) {
++ core = &info->core[i];
++ if (core->core_id == core_id) {
++ nr += smp_add_core(core, &avail, true, early);
+ break;
++ }
+ }
+ }
++ for (i = 0; i < info->combined; i++) {
++ configured = i < info->configured;
++ nr += smp_add_core(&info->core[i], &avail, configured, early);
++ }
+ return nr;
+ }
+
+@@ -782,7 +810,7 @@ static void __init smp_detect_cpus(void)
+
+ /* Add CPUs present at boot */
+ get_online_cpus();
+- __smp_rescan_cpus(info, 0);
++ __smp_rescan_cpus(info, true);
+ put_online_cpus();
+ kfree(info);
+ }
+@@ -1140,7 +1168,7 @@ int __ref smp_rescan_cpus(void)
+ return -ENOMEM;
+ get_online_cpus();
+ mutex_lock(&smp_cpu_state_mutex);
+- nr = __smp_rescan_cpus(info, 1);
++ nr = __smp_rescan_cpus(info, false);
+ mutex_unlock(&smp_cpu_state_mutex);
+ put_online_cpus();
+ kfree(info);
+--
+2.20.1
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 554ef49719f..e439028b261 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -24,3 +24,9 @@ bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch
 bluetooth-delete-a-stray-unlock.patch
 regulator-ab8500-remove-ab8505-usb-regulator.patch
 tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
+drm-mst-fix-mst-sideband-up-reply-failure-handling.patch
+powerpc-pseries-hvconsole-fix-stack-overread-via-udb.patch
+ath9k_htc-modify-byte-order-for-an-error-message.patch
+ath9k_htc-discard-undersized-packets.patch
+net-add-annotations-on-hh-hh_len-lockless-accesses.patch
+s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch
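Review bot: The early path in __smp_rescan_cpus() searches for the IPL core only among the first `info->configured` entries, and if no entry matches it falls through silently: the core would then be added by the second loop with `configured` taken from its list position, and the logical-numbering fix this patch exists for would not take effect. That is presumably impossible because the IPL core is by definition configured, but the code should either state the assumption, `/* The IPL core is always in the configured part of the list */` above the lookup, or warn when it fails, e.g. `WARN_ON_ONCE(i == info->configured);` after the loop, so a broken SCLP list is noticed rather than reproducing the topology warnings from the commit message. A style nit in smp_add_core(): `nr = 0;` followed by `return nr;` on the core-type mismatch is clearer as a plain `return 0;`. Both functions are complete within this hunk; the two call-site hunks that follow only change the second argument.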