From: Greg Kroah-Hartman
Date: Wed, 22 May 2019 16:52:18 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v5.1.5~46
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a0f7280811163b36d2e9bc8e7ba6e06a29112e9e;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
net-always-descend-into-dsa.patch
net-avoid-weird-emergency-message.patch
net-mlx4_core-change-the-error-print-to-info-print.patch
net-test-nouarg-before-dereferencing-zerocopy-pointers.patch
net-usb-qmi_wwan-add-telit-0x1260-and-0x1261-compositions.patch
ppp-deflate-fix-possible-crash-in-deflate_init.patch
tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch
tipc-switch-order-of-device-registration-to-fix-a-crash.patch
vsock-virtio-free-packets-during-the-socket-release.patch
vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch
---
diff --git a/queue-4.14/net-always-descend-into-dsa.patch b/queue-4.14/net-always-descend-into-dsa.patch
new file mode 100644
index 00000000000..bcc872c96b1
--- /dev/null
+++ b/queue-4.14/net-always-descend-into-dsa.patch
@@ -0,0 +1,38 @@
+From foo@baz Wed 22 May 2019 06:44:44 PM CEST
+From: Florian Fainelli
+Date: Mon, 13 May 2019 14:06:24 -0700
+Subject: net: Always descend into dsa/
+
+From: Florian Fainelli
+
+[ Upstream commit 0fe9f173d6cda95874edeb413b1fa9907b5ae830 ]
+
+Jiri reported that with a kernel built with CONFIG_FIXED_PHY=y,
+CONFIG_NET_DSA=m and CONFIG_NET_DSA_LOOP=m, we would not get to a
+functional state where the mock-up driver is registered. Turns out that
+we are not descending into drivers/net/dsa/ unconditionally, and we
+won't be able to link-in dsa_loop_bdinfo.o which does the actual mock-up
+mdio device registration.
+
+Reported-by: Jiri Pirko
+Fixes: 40013ff20b1b ("net: dsa: Fix functional dsa-loop dependency on FIXED_PHY")
+Signed-off-by: Florian Fainelli
+Reviewed-by: Vivien Didelot
+Tested-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/Makefile
++++ b/drivers/net/Makefile
+@@ -41,7 +41,7 @@ obj-$(CONFIG_DEV_APPLETALK) += appletalk
+ obj-$(CONFIG_CAIF) += caif/
+ obj-$(CONFIG_CAN) += can/
+ obj-$(CONFIG_ETRAX_ETHERNET) += cris/
+-obj-$(CONFIG_NET_DSA) += dsa/
++obj-y += dsa/
+ obj-$(CONFIG_ETHERNET) += ethernet/
+ obj-$(CONFIG_FDDI) += fddi/
+ obj-$(CONFIG_HIPPI) += hippi/
diff --git a/queue-4.14/net-avoid-weird-emergency-message.patch b/queue-4.14/net-avoid-weird-emergency-message.patch
new file mode 100644
index 00000000000..758adeb3096
--- /dev/null
+++ b/queue-4.14/net-avoid-weird-emergency-message.patch
@@ -0,0 +1,38 @@
+From foo@baz Wed 22 May 2019 06:44:44 PM CEST
+From: Eric Dumazet
+Date: Thu, 16 May 2019 08:09:57 -0700
+Subject: net: avoid weird emergency message
+
+From: Eric Dumazet
+
+[ Upstream commit d7c04b05c9ca14c55309eb139430283a45c4c25f ]
+
+When host is under high stress, it is very possible thread
+running netdev_wait_allrefs() returns from msleep(250)
+10 seconds late.
+
+This leads to these messages in the syslog :
+
+[...] unregister_netdevice: waiting for syz_tun to become free. Usage count = 0
+
+If the device refcount is zero, the wait is over.
+
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -7852,7 +7852,7 @@ static void netdev_wait_allrefs(struct n
+
+ refcnt = netdev_refcnt_read(dev);
+
+- if (time_after(jiffies, warning_time + 10 * HZ)) {
++ if (refcnt && time_after(jiffies, warning_time + 10 * HZ)) {
+ pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
+ dev->name, refcnt);
+ warning_time = jiffies;
diff --git a/queue-4.14/net-mlx4_core-change-the-error-print-to-info-print.patch b/queue-4.14/net-mlx4_core-change-the-error-print-to-info-print.patch
new file mode 100644
index 00000000000..80e87d0e4a7
--- /dev/null
+++ b/queue-4.14/net-mlx4_core-change-the-error-print-to-info-print.patch
@@ -0,0 +1,32 @@
+From foo@baz Wed 22 May 2019 06:44:44 PM CEST
+From: Yunjian Wang
+Date: Tue, 14 May 2019 19:03:19 +0800
+Subject: net/mlx4_core: Change the error print to info print
+
+From: Yunjian Wang
+
+[ Upstream commit 00f9fec48157f3734e52130a119846e67a12314b ]
+
+The error print within mlx4_flow_steer_promisc_add() should
+be a info print.
+
+Fixes: 592e49dda812 ('net/mlx4: Implement promiscuous mode with device managed flow-steering')
+Signed-off-by: Yunjian Wang
+Reviewed-by: Tariq Toukan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx4/mcg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c
++++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c
+@@ -1490,7 +1490,7 @@ int mlx4_flow_steer_promisc_add(struct m
+ rule.port = port;
+ rule.qpn = qpn;
+ INIT_LIST_HEAD(&rule.list);
+- mlx4_err(dev, "going promisc on %x\n", port);
++ mlx4_info(dev, "going promisc on %x\n", port);
+
+ return mlx4_flow_attach(dev, &rule, regid_p);
+ }
diff --git a/queue-4.14/net-test-nouarg-before-dereferencing-zerocopy-pointers.patch b/queue-4.14/net-test-nouarg-before-dereferencing-zerocopy-pointers.patch
new file mode 100644
index 00000000000..7b61698b1c7
--- /dev/null
+++ b/queue-4.14/net-test-nouarg-before-dereferencing-zerocopy-pointers.patch
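Review bot: With `mlx4_info(dev, "going promisc on %x\n", port);` in mlx4_flow_steer_promisc_add(), a port entering promiscuous mode is now reported only at info level, so log collection that keeps warnings and errors only will no longer record it. If that transition is something operators audit, the collection rules should be confirmed to include info-level messages from this driver. While the line is being touched, `"going promisc on port %u\n"` would read more clearly than a bare hex value, assuming `port` is a small unsigned integer (its declaration is outside the hunk). The function starts outside the hunk.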
@@ -0,0 +1,56 @@
+From foo@baz Wed 22 May 2019 06:44:44 PM CEST
+From: Willem de Bruijn
+Date: Wed, 15 May 2019 13:29:16 -0400
+Subject: net: test nouarg before dereferencing zerocopy pointers
+
+From: Willem de Bruijn
+
+[ Upstream commit 185ce5c38ea76f29b6bd9c7c8c7a5e5408834920 ]
+
+Zerocopy skbs without completion notification were added for packet
+sockets with PACKET_TX_RING user buffers. Those signal completion
+through the TP_STATUS_USER bit in the ring. Zerocopy annotation was
+added only to avoid premature notification after clone or orphan, by
+triggering a copy on these paths for these packets.
+
+The mechanism had to define a special "no-uarg" mode because packet
+sockets already use skb_uarg(skb) == skb_shinfo(skb)->destructor_arg
+for a different pointer.
+
+Before deferencing skb_uarg(skb), verify that it is a real pointer.
+
+Fixes: 5cd8d46ea1562 ("packet: copy user buffers before orphan or clone")
+Signed-off-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/skbuff.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1310,10 +1310,12 @@ static inline void skb_zcopy_clear(struc
+ struct ubuf_info *uarg = skb_zcopy(skb);
+
+ if (uarg) {
+- if (uarg->callback == sock_zerocopy_callback) {
++ if (skb_zcopy_is_nouarg(skb)) {
++ /* no notification callback */
++ } else if (uarg->callback == sock_zerocopy_callback) {
+ uarg->zerocopy = uarg->zerocopy && zerocopy;
+ sock_zerocopy_put(uarg);
+- } else if (!skb_zcopy_is_nouarg(skb)) {
++ } else {
+ uarg->callback(uarg, zerocopy);
+ }
+
+@@ -2572,7 +2574,8 @@ static inline int skb_orphan_frags(struc
+ {
+ if (likely(!skb_zcopy(skb)))
+ return 0;
+- if (skb_uarg(skb)->callback == sock_zerocopy_callback)
++ if (!skb_zcopy_is_nouarg(skb) &&
++ skb_uarg(skb)->callback == sock_zerocopy_callback)
+ return 0;
+ return skb_copy_ubufs(skb, gfp_mask);
+ }
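Review bot: The empty branch added to skb_zcopy_clear() is commented only as `/* no notification callback */`, which does not tell the reader why `uarg` must not be dereferenced there. According to the commit message, in no-uarg mode skb_shinfo(skb)->destructor_arg holds a different pointer owned by the packet socket, so `uarg->callback` would read through something that is not a struct ubuf_info. I would expand the comment to `/* nouarg: destructor_arg is not a ubuf_info, never dereference uarg here */` and put a matching one-line comment above the new `!skb_zcopy_is_nouarg(skb) &&` test in skb_orphan_frags(). Any other reader of skb_uarg(skb)->callback outside these two hunks would need the same guard, which cannot be checked from this patch; both functions extend beyond the hunks shown.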
diff --git a/queue-4.14/net-usb-qmi_wwan-add-telit-0x1260-and-0x1261-compositions.patch b/queue-4.14/net-usb-qmi_wwan-add-telit-0x1260-and-0x1261-compositions.patch
new file mode 100644
index 00000000000..8fb90d93242
--- /dev/null
+++ b/queue-4.14/net-usb-qmi_wwan-add-telit-0x1260-and-0x1261-compositions.patch
@@ -0,0 +1,30 @@
+From foo@baz Wed 22 May 2019 06:44:44 PM CEST
+From: Daniele Palmas
+Date: Wed, 15 May 2019 17:29:43 +0200
+Subject: net: usb: qmi_wwan: add Telit 0x1260 and 0x1261 compositions
+
+From: Daniele Palmas
+
+[ Upstream commit b4e467c82f8c12af78b6f6fa5730cb7dea7af1b4 ]
+
+Added support for Telit LE910Cx 0x1260 and 0x1261 compositions.
+
+Signed-off-by: Daniele Palmas
+Acked-by: Bjørn Mork
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/qmi_wwan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1225,6 +1225,8 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1201, 2)}, /* Telit LE920, LE920A4 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1260, 2)}, /* Telit LE910Cx */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1261, 2)}, /* Telit LE910Cx */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1900, 1)}, /* Telit LN940 series */
+ {QMI_FIXED_INTF(0x1c9e, 0x9801, 3)}, /* Telewell TW-3G HSPA+ */
+ {QMI_FIXED_INTF(0x1c9e, 0x9803, 4)}, /* Telewell TW-3G HSPA+ */
diff --git a/queue-4.14/ppp-deflate-fix-possible-crash-in-deflate_init.patch b/queue-4.14/ppp-deflate-fix-possible-crash-in-deflate_init.patch
new file mode 100644
index 00000000000..4e3fe55a375
--- /dev/null
+++ b/queue-4.14/ppp-deflate-fix-possible-crash-in-deflate_init.patch
@@ -0,0 +1,86 @@
+From foo@baz Wed 22 May 2019 06:44:44 PM CEST
+From: YueHaibing
+Date: Tue, 14 May 2019 22:55:32 +0800
+Subject: ppp: deflate: Fix possible crash in deflate_init
+
+From: YueHaibing
+
+[ Upstream commit 3ebe1bca58c85325c97a22d4fc3f5b5420752e6f ]
+
+BUG: unable to handle kernel paging request at ffffffffa018f000
+PGD 3270067 P4D 3270067 PUD 3271063 PMD 2307eb067 PTE 0
+Oops: 0000 [#1] PREEMPT SMP
+CPU: 0 PID: 4138 Comm: modprobe Not tainted 5.1.0-rc7+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+RIP: 0010:ppp_register_compressor+0x3e/0xd0 [ppp_generic]
+Code: 98 4a 3f e2 48 8b 15 c1 67 00 00 41 8b 0c 24 48 81 fa 40 f0 19 a0
+75 0e eb 35 48 8b 12 48 81 fa 40 f0 19 a0 74
+RSP: 0018:ffffc90000d93c68 EFLAGS: 00010287
+RAX: ffffffffa018f000 RBX: ffffffffa01a3000 RCX: 000000000000001a
+RDX: ffff888230c750a0 RSI: 0000000000000000 RDI: ffffffffa019f000
+RBP: ffffc90000d93c80 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa0194080
+R13: ffff88822ee1a700 R14: 0000000000000000 R15: ffffc90000d93e78
+FS: 00007f2339557540(0000) GS:ffff888237a00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffa018f000 CR3: 000000022bde4000 CR4: 00000000000006f0
+Call Trace:
+ ? 0xffffffffa01a3000
+ deflate_init+0x11/0x1000 [ppp_deflate]
+ ? 0xffffffffa01a3000
+ do_one_initcall+0x6c/0x3cc
+ ? kmem_cache_alloc_trace+0x248/0x3b0
+ do_init_module+0x5b/0x1f1
+ load_module+0x1db1/0x2690
+ ? m_show+0x1d0/0x1d0
+ __do_sys_finit_module+0xc5/0xd0
+ __x64_sys_finit_module+0x15/0x20
+ do_syscall_64+0x6b/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+If ppp_deflate fails to register in deflate_init,
+module initialization failed out, however
+ppp_deflate_draft may has been regiestred and not
+unregistered before return.
+Then the seconed modprobe will trigger crash like this.
+
+Reported-by: Hulk Robot
+Signed-off-by: YueHaibing
+Acked-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ppp/ppp_deflate.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ppp/ppp_deflate.c
++++ b/drivers/net/ppp/ppp_deflate.c
+@@ -610,12 +610,20 @@ static struct compressor ppp_deflate_dra
+
+ static int __init deflate_init(void)
+ {
+- int answer = ppp_register_compressor(&ppp_deflate);
+- if (answer == 0)
+- printk(KERN_INFO
+- "PPP Deflate Compression module registered\n");
+- ppp_register_compressor(&ppp_deflate_draft);
+- return answer;
++ int rc;
++
++ rc = ppp_register_compressor(&ppp_deflate);
++ if (rc)
++ return rc;
++
++ rc = ppp_register_compressor(&ppp_deflate_draft);
++ if (rc) {
++ ppp_unregister_compressor(&ppp_deflate);
++ return rc;
++ }
++
++ pr_info("PPP Deflate Compression module registered\n");
++ return 0;
+ }
+
+ static void __exit deflate_cleanup(void)
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..1a1f6e40a39
--- /dev/null
+++ b/queue-4.14/series
@@ -0,0 +1,10 @@
+net-avoid-weird-emergency-message.patch
+net-mlx4_core-change-the-error-print-to-info-print.patch
+net-test-nouarg-before-dereferencing-zerocopy-pointers.patch
+net-usb-qmi_wwan-add-telit-0x1260-and-0x1261-compositions.patch
+ppp-deflate-fix-possible-crash-in-deflate_init.patch
+tipc-switch-order-of-device-registration-to-fix-a-crash.patch
+vsock-virtio-free-packets-during-the-socket-release.patch
+tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch
+vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch
+net-always-descend-into-dsa.patch
diff --git a/queue-4.14/tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch b/queue-4.14/tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch
new file mode 100644
index 00000000000..ee729a7db61
--- /dev/null
+++ b/queue-4.14/tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch
@@ -0,0 +1,92 @@
+From foo@baz Wed 22 May 2019 06:44:44 PM CEST
+From: Junwei Hu
+Date: Fri, 17 May 2019 19:27:34 +0800
+Subject: tipc: fix modprobe tipc failed after switch order of device registration
+
+From: Junwei Hu
+
+[ Upstream commit 532b0f7ece4cb2ffd24dc723ddf55242d1188e5e ]
+
+Error message printed:
+modprobe: ERROR: could not insert 'tipc': Address family not
+supported by protocol.
+when modprobe tipc after the following patch: switch order of
+device registration, commit 7e27e8d6130c
+("tipc: switch order of device registration to fix a crash")
+
+Because sock_create_kern(net, AF_TIPC, ...) is called by
+tipc_topsrv_create_listener() in the initialization process
+of tipc_net_ops, tipc_socket_init() must be execute before that.
+
+I move tipc_socket_init() into function tipc_init_net().
+
+Fixes: 7e27e8d6130c
+("tipc: switch order of device registration to fix a crash")
+Signed-off-by: Junwei Hu
+Reported-by: Wang Wang
+Reviewed-by: Kang Zhou
+Reviewed-by: Suanming Mou
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/tipc/core.c
++++ b/net/tipc/core.c
+@@ -62,6 +62,10 @@ static int __net_init tipc_init_net(stru
+ INIT_LIST_HEAD(&tn->node_list);
+ spin_lock_init(&tn->node_list_lock);
+
++ err = tipc_socket_init();
++ if (err)
++ goto out_socket;
++
+ err = tipc_sk_rht_init(net);
+ if (err)
+ goto out_sk_rht;
+@@ -88,6 +92,8 @@ out_subscr:
+ out_nametbl:
+ tipc_sk_rht_destroy(net);
+ out_sk_rht:
++ tipc_socket_stop();
++out_socket:
+ return err;
+ }
+
+@@ -98,6 +104,7 @@ static void __net_exit tipc_exit_net(str
+ tipc_bcast_stop(net);
+ tipc_nametbl_stop(net);
+ tipc_sk_rht_destroy(net);
++ tipc_socket_stop();
+ }
+
+ static struct pernet_operations tipc_net_ops = {
+@@ -133,10 +140,6 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_pernet;
+
+- err = tipc_socket_init();
+- if (err)
+- goto out_socket;
+-
+ err = tipc_bearer_setup();
+ if (err)
+ goto out_bearer;
+@@ -144,8 +147,6 @@ static int __init tipc_init(void)
+ pr_info("Started in single node mode\n");
+ return 0;
+ out_bearer:
+- tipc_socket_stop();
+-out_socket:
+ unregister_pernet_subsys(&tipc_net_ops);
+ out_pernet:
+ tipc_unregister_sysctl();
+@@ -161,7 +162,6 @@ out_netlink:
+ static void __exit tipc_exit(void)
+ {
+ tipc_bearer_cleanup();
+- tipc_socket_stop();
+ unregister_pernet_subsys(&tipc_net_ops);
+ tipc_netlink_stop();
+ tipc_netlink_compat_stop();
diff --git a/queue-4.14/tipc-switch-order-of-device-registration-to-fix-a-crash.patch b/queue-4.14/tipc-switch-order-of-device-registration-to-fix-a-crash.patch
new file mode 100644
index 00000000000..e79fc3da34a
--- /dev/null
+++ b/queue-4.14/tipc-switch-order-of-device-registration-to-fix-a-crash.patch
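Review bot: tipc_socket_init() and tipc_socket_stop() are now called from tipc_init_net() and tipc_exit_net(), which run once per network namespace, yet neither call takes `net`, which suggests they set up and tear down module-wide state. If that state is the AF_TIPC registration the commit message depends on, creating a second namespace would presumably fail in tipc_init_net(), and the first namespace to exit would remove the socket layer for every remaining one. Please confirm what tipc_socket_init() registers before this is queued; a load test that creates and destroys an extra network namespace with tipc loaded would show it. If the state is global, the call belongs in tipc_init() and it is the listener creation in the pernet init that has to be ordered after it. Both functions extend beyond the hunks shown.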
@@ -0,0 +1,94 @@
+From foo@baz Wed 22 May 2019 06:44:44 PM CEST
+From: Junwei Hu
+Date: Thu, 16 May 2019 10:51:15 +0800
+Subject: tipc: switch order of device registration to fix a crash
+
+From: Junwei Hu
+
+[ Upstream commit 7e27e8d6130c5e88fac9ddec4249f7f2337fe7f8 ]
+
+When tipc is loaded while many processes try to create a TIPC socket,
+a crash occurs:
+ PANIC: Unable to handle kernel paging request at virtual
+ address "dfff20000000021d"
+ pc : tipc_sk_create+0x374/0x1180 [tipc]
+ lr : tipc_sk_create+0x374/0x1180 [tipc]
+ Exception class = DABT (current EL), IL = 32 bits
+ Call trace:
+ tipc_sk_create+0x374/0x1180 [tipc]
+ __sock_create+0x1cc/0x408
+ __sys_socket+0xec/0x1f0
+ __arm64_sys_socket+0x74/0xa8
+ ...
+
+This is due to race between sock_create and unfinished
+register_pernet_device. tipc_sk_insert tries to do
+"net_generic(net, tipc_net_id)".
+but tipc_net_id is not initialized yet.
+
+So switch the order of the two to close the race.
+
+This can be reproduced with multiple processes doing socket(AF_TIPC, ...)
+and one process doing module removal.
+
+Fixes: a62fbccecd62 ("tipc: make subscriber server support net namespace")
+Signed-off-by: Junwei Hu
+Reported-by: Wang Wang
+Reviewed-by: Xiaogang Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/tipc/core.c
++++ b/net/tipc/core.c
+@@ -125,10 +125,6 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_netlink_compat;
+
+- err = tipc_socket_init();
+- if (err)
+- goto out_socket;
+-
+ err = tipc_register_sysctl();
+ if (err)
+ goto out_sysctl;
+@@ -137,6 +133,10 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_pernet;
+
++ err = tipc_socket_init();
++ if (err)
++ goto out_socket;
++
+ err = tipc_bearer_setup();
+ if (err)
+ goto out_bearer;
+@@ -144,12 +144,12 @@ static int __init tipc_init(void)
+ pr_info("Started in single node mode\n");
+ return 0;
+ out_bearer:
++ tipc_socket_stop();
++out_socket:
+ unregister_pernet_subsys(&tipc_net_ops);
+ out_pernet:
+ tipc_unregister_sysctl();
+ out_sysctl:
+- tipc_socket_stop();
+-out_socket:
+ tipc_netlink_compat_stop();
+ out_netlink_compat:
+ tipc_netlink_stop();
+@@ -161,10 +161,10 @@ out_netlink:
+ static void __exit tipc_exit(void)
+ {
+ tipc_bearer_cleanup();
++ tipc_socket_stop();
+ unregister_pernet_subsys(&tipc_net_ops);
+ tipc_netlink_stop();
+ tipc_netlink_compat_stop();
+- tipc_socket_stop();
+ tipc_unregister_sysctl();
+
+ pr_info("Deactivated\n");
diff --git a/queue-4.14/vsock-virtio-free-packets-during-the-socket-release.patch b/queue-4.14/vsock-virtio-free-packets-during-the-socket-release.patch
new file mode 100644
index 00000000000..5cf5e9ebf55
--- /dev/null
+++ b/queue-4.14/vsock-virtio-free-packets-during-the-socket-release.patch
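Review bot: The unwind labels in tipc_init() show that the netlink and netlink-compat interfaces are still registered before register_pernet_subsys(&tipc_net_ops), so the window this patch closes for sockets may remain open for netlink requests that arrive before the per-namespace data exists. Whether any netlink handler reaches net_generic(net, tipc_net_id) cannot be seen from these hunks, so this needs checking rather than assuming. The same question applies on exit, where tipc_netlink_stop() and tipc_netlink_compat_stop() run after unregister_pernet_subsys(). If the handlers do use per-namespace state, a comment above the registration sequence such as `/* pernet data must exist before any user-reachable interface is registered */` would keep the ordering from regressing. tipc_init() and tipc_exit() both extend beyond the hunks.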
@@ -0,0 +1,42 @@
+From foo@baz Wed 22 May 2019 06:44:44 PM CEST
+From: Stefano Garzarella
+Date: Fri, 17 May 2019 16:45:43 +0200
+Subject: vsock/virtio: free packets during the socket release
+
+From: Stefano Garzarella
+
+[ Upstream commit ac03046ece2b158ebd204dfc4896fd9f39f0e6c8 ]
+
+When the socket is released, we should free all packets
+queued in the per-socket list in order to avoid a memory
+leak.
+
+Signed-off-by: Stefano Garzarella
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport_common.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -786,12 +786,19 @@ static bool virtio_transport_close(struc
+
+ void virtio_transport_release(struct vsock_sock *vsk)
+ {
++ struct virtio_vsock_sock *vvs = vsk->trans;
++ struct virtio_vsock_pkt *pkt, *tmp;
+ struct sock *sk = &vsk->sk;
+ bool remove_sock = true;
+
+ lock_sock(sk);
+ if (sk->sk_type == SOCK_STREAM)
+ remove_sock = virtio_transport_close(vsk);
++
++ list_for_each_entry_safe(pkt, tmp, &vvs->rx_queue, list) {
++ list_del(&pkt->list);
++ virtio_transport_free_pkt(pkt);
++ }
+ release_sock(sk);
+
+ if (remove_sock)
diff --git a/queue-4.14/vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch b/queue-4.14/vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch
new file mode 100644
index 00000000000..79852ede635
--- /dev/null
+++ b/queue-4.14/vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch
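Review bot: The new loop in virtio_transport_release() unlinks and frees every entry on `vvs->rx_queue` while holding only lock_sock(sk). If other code adds to or removes from rx_queue under a dedicated spinlock rather than the socket lock (not visible in this hunk), the drain should take that lock as well, otherwise a packet queued concurrently could be walked while it is still being linked. The loop also frees packets without touching any receive-byte or credit counters the transport may keep, which is harmless only if nothing reads them after release. A one-line comment above the loop naming the lock that protects rx_queue at this point, e.g. `/* rx_queue is stable here: <lock that guards it> is held */`, would make the assumption reviewable. The function continues past the end of the hunk.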
@@ -0,0 +1,108 @@
+From foo@baz Wed 22 May 2019 06:44:44 PM CEST
+From: "Jorge E. Moreira"
+Date: Thu, 16 May 2019 13:51:07 -0700
+Subject: vsock/virtio: Initialize core virtio vsock before registering the driver
+
+From: "Jorge E. Moreira"
+
+[ Upstream commit ba95e5dfd36647622d8897a2a0470dde60e59ffd ]
+
+Avoid a race in which static variables in net/vmw_vsock/af_vsock.c are
+accessed (while handling interrupts) before they are initialized.
+
+[ 4.201410] BUG: unable to handle kernel paging request at ffffffffffffffe8
+[ 4.207829] IP: vsock_addr_equals_addr+0x3/0x20
+[ 4.211379] PGD 28210067 P4D 28210067 PUD 28212067 PMD 0
+[ 4.211379] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 4.211379] Modules linked in:
+[ 4.211379] CPU: 1 PID: 30 Comm: kworker/1:1 Not tainted 4.14.106-419297-gd7e28cc1f241 #1
+[ 4.211379] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[ 4.211379] Workqueue: virtio_vsock virtio_transport_rx_work
+[ 4.211379] task: ffffa3273d175280 task.stack: ffffaea1800e8000
+[ 4.211379] RIP: 0010:vsock_addr_equals_addr+0x3/0x20
+[ 4.211379] RSP: 0000:ffffaea1800ebd28 EFLAGS: 00010286
+[ 4.211379] RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffffffffb94e42f0
+[ 4.211379] RDX: 0000000000000400 RSI: ffffffffffffffe0 RDI: ffffaea1800ebdd0
+[ 4.211379] RBP: ffffaea1800ebd58 R08: 0000000000000001 R09: 0000000000000001
+[ 4.211379] R10: 0000000000000000 R11: ffffffffb89d5d60 R12: ffffaea1800ebdd0
+[ 4.211379] R13: 00000000828cbfbf R14: 0000000000000000 R15: ffffaea1800ebdc0
+[ 4.211379] FS: 0000000000000000(0000) GS:ffffa3273fd00000(0000) knlGS:0000000000000000
+[ 4.211379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 4.211379] CR2: ffffffffffffffe8 CR3: 000000002820e001 CR4: 00000000001606e0
+[ 4.211379] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 4.211379] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 4.211379] Call Trace:
+[ 4.211379] ? vsock_find_connected_socket+0x6c/0xe0
+[ 4.211379] virtio_transport_recv_pkt+0x15f/0x740
+[ 4.211379] ? detach_buf+0x1b5/0x210
+[ 4.211379] virtio_transport_rx_work+0xb7/0x140
+[ 4.211379] process_one_work+0x1ef/0x480
+[ 4.211379] worker_thread+0x312/0x460
+[ 4.211379] kthread+0x132/0x140
+[ 4.211379] ? process_one_work+0x480/0x480
+[ 4.211379] ? kthread_destroy_worker+0xd0/0xd0
+[ 4.211379] ret_from_fork+0x35/0x40
+[ 4.211379] Code: c7 47 08 00 00 00 00 66 c7 07 28 00 c7 47 08 ff ff ff ff c7 47 04 ff ff ff ff c3 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 8b 47 08 <3b> 46 08 75 0a 8b 47 04 3b 46 04 0f 94 c0 c3 31 c0 c3 90 66 2e
+[ 4.211379] RIP: vsock_addr_equals_addr+0x3/0x20 RSP: ffffaea1800ebd28
+[ 4.211379] CR2: ffffffffffffffe8
+[ 4.211379] ---[ end trace f31cc4a2e6df3689 ]---
+[ 4.211379] Kernel panic - not syncing: Fatal exception in interrupt
+[ 4.211379] Kernel Offset: 0x37000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+[ 4.211379] Rebooting in 5 seconds..
+
+Fixes: 22b5c0b63f32 ("vsock/virtio: fix kernel panic after device hot-unplug")
+Cc: Stefan Hajnoczi
+Cc: Stefano Garzarella
+Cc: "David S. Miller"
+Cc: kvm@vger.kernel.org
+Cc: virtualization@lists.linux-foundation.org
+Cc: netdev@vger.kernel.org
+Cc: kernel-team@android.com
+Cc: stable@vger.kernel.org [4.9+]
+Signed-off-by: Jorge E. Moreira
+Reviewed-by: Stefano Garzarella
+Reviewed-by: Stefan Hajnoczi
+Acked-by: Stefan Hajnoczi
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -702,28 +702,27 @@ static int __init virtio_vsock_init(void
+ if (!virtio_vsock_workqueue)
+ return -ENOMEM;
+
+- ret = register_virtio_driver(&virtio_vsock_driver);
++ ret = vsock_core_init(&virtio_transport.transport);
+ if (ret)
+ goto out_wq;
+
+- ret = vsock_core_init(&virtio_transport.transport);
++ ret = register_virtio_driver(&virtio_vsock_driver);
+ if (ret)
+- goto out_vdr;
++ goto out_vci;
+
+ return 0;
+
+-out_vdr:
+- unregister_virtio_driver(&virtio_vsock_driver);
++out_vci:
++ vsock_core_exit();
+ out_wq:
+ destroy_workqueue(virtio_vsock_workqueue);
+ return ret;
+-
+ }
+
+ static void __exit virtio_vsock_exit(void)
+ {
+- vsock_core_exit();
+ unregister_virtio_driver(&virtio_vsock_driver);
++ vsock_core_exit();
+ destroy_workqueue(virtio_vsock_workqueue);
+ }
+