From: Greg Kroah-Hartman Date: Wed, 22 May 2019 17:40:19 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.1.5~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9f934e41fccb0dcb4714519a8f98f9e9fce56ae6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: net-avoid-weird-emergency-message.patch net-mlx4_core-change-the-error-print-to-info-print.patch ppp-deflate-fix-possible-crash-in-deflate_init.patch tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch tipc-switch-order-of-device-registration-to-fix-a-crash.patch --- diff --git a/queue-4.4/net-avoid-weird-emergency-message.patch b/queue-4.4/net-avoid-weird-emergency-message.patch new file mode 100644 index 00000000000..a7e61476eb5 --- /dev/null +++ b/queue-4.4/net-avoid-weird-emergency-message.patch @@ -0,0 +1,38 @@ +From foo@baz Wed 22 May 2019 07:38:16 PM CEST +From: Eric Dumazet +Date: Thu, 16 May 2019 08:09:57 -0700 +Subject: net: avoid weird emergency message + +From: Eric Dumazet + +[ Upstream commit d7c04b05c9ca14c55309eb139430283a45c4c25f ] + +When host is under high stress, it is very possible thread +running netdev_wait_allrefs() returns from msleep(250) +10 seconds late. + +This leads to these messages in the syslog : + +[...] unregister_netdevice: waiting for syz_tun to become free. Usage count = 0 + +If the device refcount is zero, the wait is over. + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -6986,7 +6986,7 @@ static void netdev_wait_allrefs(struct n + + refcnt = netdev_refcnt_read(dev); + +- if (time_after(jiffies, warning_time + 10 * HZ)) { ++ if (refcnt && time_after(jiffies, warning_time + 10 * HZ)) { + pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n", + dev->name, refcnt); + warning_time = jiffies; diff --git a/queue-4.4/net-mlx4_core-change-the-error-print-to-info-print.patch b/queue-4.4/net-mlx4_core-change-the-error-print-to-info-print.patch new file mode 100644 index 00000000000..af266de95a3 --- /dev/null +++ b/queue-4.4/net-mlx4_core-change-the-error-print-to-info-print.patch @@ -0,0 +1,32 @@ +From foo@baz Wed 22 May 2019 07:38:16 PM CEST +From: Yunjian Wang +Date: Tue, 14 May 2019 19:03:19 +0800 +Subject: net/mlx4_core: Change the error print to info print + +From: Yunjian Wang + +[ Upstream commit 00f9fec48157f3734e52130a119846e67a12314b ] + +The error print within mlx4_flow_steer_promisc_add() should +be a info print. + +Fixes: 592e49dda812 ('net/mlx4: Implement promiscuous mode with device managed flow-steering') +Signed-off-by: Yunjian Wang +Reviewed-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/mcg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c ++++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c +@@ -1485,7 +1485,7 @@ int mlx4_flow_steer_promisc_add(struct m + rule.port = port; + rule.qpn = qpn; + INIT_LIST_HEAD(&rule.list); +- mlx4_err(dev, "going promisc on %x\n", port); ++ mlx4_info(dev, "going promisc on %x\n", port); + + return mlx4_flow_attach(dev, &rule, regid_p); + } diff --git a/queue-4.4/ppp-deflate-fix-possible-crash-in-deflate_init.patch b/queue-4.4/ppp-deflate-fix-possible-crash-in-deflate_init.patch new file mode 100644 index 00000000000..7a7e975d96e --- /dev/null +++ b/queue-4.4/ppp-deflate-fix-possible-crash-in-deflate_init.patch @@ -0,0 +1,86 @@ +From foo@baz Wed 22 May 2019 07:38:16 PM CEST +From: YueHaibing +Date: Tue, 14 May 2019 22:55:32 +0800 +Subject: ppp: deflate: Fix possible crash in deflate_init + +From: YueHaibing + +[ Upstream commit 3ebe1bca58c85325c97a22d4fc3f5b5420752e6f ] + +BUG: unable to handle kernel paging request at ffffffffa018f000 +PGD 3270067 P4D 3270067 PUD 3271063 PMD 2307eb067 PTE 0 +Oops: 0000 [#1] PREEMPT SMP +CPU: 0 PID: 4138 Comm: modprobe Not tainted 5.1.0-rc7+ #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 +RIP: 0010:ppp_register_compressor+0x3e/0xd0 [ppp_generic] +Code: 98 4a 3f e2 48 8b 15 c1 67 00 00 41 8b 0c 24 48 81 fa 40 f0 19 a0 +75 0e eb 35 48 8b 12 48 81 fa 40 f0 19 a0 74 +RSP: 0018:ffffc90000d93c68 EFLAGS: 00010287 +RAX: ffffffffa018f000 RBX: ffffffffa01a3000 RCX: 000000000000001a +RDX: ffff888230c750a0 RSI: 0000000000000000 RDI: ffffffffa019f000 +RBP: ffffc90000d93c80 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa0194080 +R13: ffff88822ee1a700 R14: 0000000000000000 R15: ffffc90000d93e78 +FS: 00007f2339557540(0000) GS:ffff888237a00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffa018f000 CR3: 000000022bde4000 CR4: 00000000000006f0 +Call Trace: + ? 0xffffffffa01a3000 + deflate_init+0x11/0x1000 [ppp_deflate] + ? 0xffffffffa01a3000 + do_one_initcall+0x6c/0x3cc + ? kmem_cache_alloc_trace+0x248/0x3b0 + do_init_module+0x5b/0x1f1 + load_module+0x1db1/0x2690 + ? m_show+0x1d0/0x1d0 + __do_sys_finit_module+0xc5/0xd0 + __x64_sys_finit_module+0x15/0x20 + do_syscall_64+0x6b/0x1d0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +If ppp_deflate fails to register in deflate_init, +module initialization failed out, however +ppp_deflate_draft may has been regiestred and not +unregistered before return. +Then the seconed modprobe will trigger crash like this. + +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +Acked-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/ppp_deflate.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/net/ppp/ppp_deflate.c ++++ b/drivers/net/ppp/ppp_deflate.c +@@ -610,12 +610,20 @@ static struct compressor ppp_deflate_dra + + static int __init deflate_init(void) + { +- int answer = ppp_register_compressor(&ppp_deflate); +- if (answer == 0) +- printk(KERN_INFO +- "PPP Deflate Compression module registered\n"); +- ppp_register_compressor(&ppp_deflate_draft); +- return answer; ++ int rc; ++ ++ rc = ppp_register_compressor(&ppp_deflate); ++ if (rc) ++ return rc; ++ ++ rc = ppp_register_compressor(&ppp_deflate_draft); ++ if (rc) { ++ ppp_unregister_compressor(&ppp_deflate); ++ return rc; ++ } ++ ++ pr_info("PPP Deflate Compression module registered\n"); ++ return 0; + } + + static void __exit deflate_cleanup(void) diff --git a/queue-4.4/series b/queue-4.4/series index 23f3d680e07..bd5b0e01911 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -29,3 +29,8 @@ fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-wb-switches-going-into-workq ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch +net-avoid-weird-emergency-message.patch +net-mlx4_core-change-the-error-print-to-info-print.patch +ppp-deflate-fix-possible-crash-in-deflate_init.patch +tipc-switch-order-of-device-registration-to-fix-a-crash.patch +tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch diff --git a/queue-4.4/tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch b/queue-4.4/tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch new file mode 100644 index 00000000000..4befb8dc1ff --- /dev/null +++ b/queue-4.4/tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch @@ -0,0 +1,92 @@ +From foo@baz Wed 22 May 2019 07:38:16 PM CEST +From: Junwei Hu +Date: Fri, 17 May 2019 19:27:34 +0800 +Subject: tipc: fix modprobe tipc failed after switch order of device registration + +From: Junwei Hu + +[ Upstream commit 532b0f7ece4cb2ffd24dc723ddf55242d1188e5e ] + +Error message printed: +modprobe: ERROR: could not insert 'tipc': Address family not +supported by protocol. +when modprobe tipc after the following patch: switch order of +device registration, commit 7e27e8d6130c +("tipc: switch order of device registration to fix a crash") + +Because sock_create_kern(net, AF_TIPC, ...) is called by +tipc_topsrv_create_listener() in the initialization process +of tipc_net_ops, tipc_socket_init() must be execute before that. + +I move tipc_socket_init() into function tipc_init_net(). + +Fixes: 7e27e8d6130c +("tipc: switch order of device registration to fix a crash") +Signed-off-by: Junwei Hu +Reported-by: Wang Wang +Reviewed-by: Kang Zhou +Reviewed-by: Suanming Mou +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/net/tipc/core.c ++++ b/net/tipc/core.c +@@ -61,6 +61,10 @@ static int __net_init tipc_init_net(stru + INIT_LIST_HEAD(&tn->node_list); + spin_lock_init(&tn->node_list_lock); + ++ err = tipc_socket_init(); ++ if (err) ++ goto out_socket; ++ + err = tipc_sk_rht_init(net); + if (err) + goto out_sk_rht; +@@ -87,6 +91,8 @@ out_subscr: + out_nametbl: + tipc_sk_rht_destroy(net); + out_sk_rht: ++ tipc_socket_stop(); ++out_socket: + return err; + } + +@@ -97,6 +103,7 @@ static void __net_exit tipc_exit_net(str + tipc_bcast_stop(net); + tipc_nametbl_stop(net); + tipc_sk_rht_destroy(net); ++ tipc_socket_stop(); + } + + static struct pernet_operations tipc_net_ops = { +@@ -134,10 +141,6 @@ static int __init tipc_init(void) + if (err) + goto out_pernet; + +- err = tipc_socket_init(); +- if (err) +- goto out_socket; +- + err = tipc_bearer_setup(); + if (err) + goto out_bearer; +@@ -145,8 +148,6 @@ static int __init tipc_init(void) + pr_info("Started in single node mode\n"); + return 0; + out_bearer: +- tipc_socket_stop(); +-out_socket: + unregister_pernet_subsys(&tipc_net_ops); + out_pernet: + tipc_unregister_sysctl(); +@@ -162,7 +163,6 @@ out_netlink: + static void __exit tipc_exit(void) + { + tipc_bearer_cleanup(); +- tipc_socket_stop(); + unregister_pernet_subsys(&tipc_net_ops); + tipc_netlink_stop(); + tipc_netlink_compat_stop(); diff --git a/queue-4.4/tipc-switch-order-of-device-registration-to-fix-a-crash.patch b/queue-4.4/tipc-switch-order-of-device-registration-to-fix-a-crash.patch new file mode 100644 index 00000000000..55e2c10008f --- /dev/null +++ b/queue-4.4/tipc-switch-order-of-device-registration-to-fix-a-crash.patch @@ -0,0 +1,94 @@ +From foo@baz Wed 22 May 2019 07:38:16 PM CEST +From: Junwei Hu +Date: Thu, 16 May 2019 10:51:15 +0800 +Subject: tipc: switch order of device registration to fix a crash + +From: Junwei Hu + +[ Upstream commit 7e27e8d6130c5e88fac9ddec4249f7f2337fe7f8 ] + +When tipc is loaded while many processes try to create a TIPC socket, +a crash occurs: + PANIC: Unable to handle kernel paging request at virtual + address "dfff20000000021d" + pc : tipc_sk_create+0x374/0x1180 [tipc] + lr : tipc_sk_create+0x374/0x1180 [tipc] + Exception class = DABT (current EL), IL = 32 bits + Call trace: + tipc_sk_create+0x374/0x1180 [tipc] + __sock_create+0x1cc/0x408 + __sys_socket+0xec/0x1f0 + __arm64_sys_socket+0x74/0xa8 + ... + +This is due to race between sock_create and unfinished +register_pernet_device. tipc_sk_insert tries to do +"net_generic(net, tipc_net_id)". +but tipc_net_id is not initialized yet. + +So switch the order of the two to close the race. + +This can be reproduced with multiple processes doing socket(AF_TIPC, ...) +and one process doing module removal. + +Fixes: a62fbccecd62 ("tipc: make subscriber server support net namespace") +Signed-off-by: Junwei Hu +Reported-by: Wang Wang +Reviewed-by: Xiaogang Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/net/tipc/core.c ++++ b/net/tipc/core.c +@@ -126,10 +126,6 @@ static int __init tipc_init(void) + if (err) + goto out_netlink_compat; + +- err = tipc_socket_init(); +- if (err) +- goto out_socket; +- + err = tipc_register_sysctl(); + if (err) + goto out_sysctl; +@@ -138,6 +134,10 @@ static int __init tipc_init(void) + if (err) + goto out_pernet; + ++ err = tipc_socket_init(); ++ if (err) ++ goto out_socket; ++ + err = tipc_bearer_setup(); + if (err) + goto out_bearer; +@@ -145,12 +145,12 @@ static int __init tipc_init(void) + pr_info("Started in single node mode\n"); + return 0; + out_bearer: ++ tipc_socket_stop(); ++out_socket: + unregister_pernet_subsys(&tipc_net_ops); + out_pernet: + tipc_unregister_sysctl(); + out_sysctl: +- tipc_socket_stop(); +-out_socket: + tipc_netlink_compat_stop(); + out_netlink_compat: + tipc_netlink_stop(); +@@ -162,10 +162,10 @@ out_netlink: + static void __exit tipc_exit(void) + { + tipc_bearer_cleanup(); ++ tipc_socket_stop(); + unregister_pernet_subsys(&tipc_net_ops); + tipc_netlink_stop(); + tipc_netlink_compat_stop(); +- tipc_socket_stop(); + tipc_unregister_sysctl(); + + pr_info("Deactivated\n");