From: Sasha Levin Date: Sun, 30 Jan 2022 03:40:52 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v5.4.176~67 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ab6623a43822dcc5616981586a787d6961a7d5f2;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch-24160 b/queue-4.14/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch-24160 new file mode 100644 index 00000000000..58a014eb643 --- /dev/null +++ b/queue-4.14/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch-24160 
@@ -0,0 +1,119 @@ +From 4636ec0191f287fdd575e73c0f51aa62c6b02370 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 10:08:23 +0100 +Subject: ARM: 9170/1: fix panic when kasan and kprobe are enabled + +From: sparkhuang + +[ Upstream commit 8b59b0a53c840921b625378f137e88adfa87647e ] + +arm32 uses software to simulate the instruction replaced +by kprobe. some instructions may be simulated by constructing +assembly functions. therefore, before executing instruction +simulation, it is necessary to construct assembly function +execution environment in C language through binding registers. +after kasan is enabled, the register binding relationship will +be destroyed, resulting in instruction simulation errors and +causing kernel panic. + +the kprobe emulate instruction function is distributed in three +files: actions-common.c actions-arm.c actions-thumb.c, so disable +KASAN when compiling these files. + +for example, use kprobe insert on cap_capable+20 after kasan +enabled, the cap_capable assembly code is as follows: +: +e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} +e1a05000 mov r5, r0 +e280006c add r0, r0, #108 ; 0x6c +e1a04001 mov r4, r1 +e1a06002 mov r6, r2 +e59fa090 ldr sl, [pc, #144] ; +ebfc7bf8 bl c03aa4b4 <__asan_load4> +e595706c ldr r7, [r5, #108] ; 0x6c +e2859014 add r9, r5, #20 +...... 
+The emulate_ldr assembly code after enabling kasan is as follows: +c06f1384 : +e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} +e282803c add r8, r2, #60 ; 0x3c +e1a05000 mov r5, r0 +e7e37855 ubfx r7, r5, #16, #4 +e1a00008 mov r0, r8 +e1a09001 mov r9, r1 +e1a04002 mov r4, r2 +ebf35462 bl c03c6530 <__asan_load4> +e357000f cmp r7, #15 +e7e36655 ubfx r6, r5, #12, #4 +e205a00f and sl, r5, #15 +0a000001 beq c06f13bc +e0840107 add r0, r4, r7, lsl #2 +ebf3545c bl c03c6530 <__asan_load4> +e084010a add r0, r4, sl, lsl #2 +ebf3545a bl c03c6530 <__asan_load4> +e2890010 add r0, r9, #16 +ebf35458 bl c03c6530 <__asan_load4> +e5990010 ldr r0, [r9, #16] +e12fff30 blx r0 +e356000f cm r6, #15 +1a000014 bne c06f1430 +e1a06000 mov r6, r0 +e2840040 add r0, r4, #64 ; 0x40 +...... + +when running in emulate_ldr to simulate the ldr instruction, panic +occurred, and the log is as follows: +Unable to handle kernel NULL pointer dereference at virtual address +00000090 +pgd = ecb46400 +[00000090] *pgd=2e0fa003, *pmd=00000000 +Internal error: Oops: 206 [#1] SMP ARM +PC is at cap_capable+0x14/0xb0 +LR is at emulate_ldr+0x50/0xc0 +psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c +r10: 00000000 r9 : c30897f4 r8 : ecd63cd4 +r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 +r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 +Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user +Control: 32c5387d Table: 2d546400 DAC: 55555555 +Process bash (pid: 1643, stack limit = 0xecd60190) +(cap_capable) from (kprobe_handler+0x218/0x340) +(kprobe_handler) from (kprobe_trap_handler+0x24/0x48) +(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364) +(do_undefinstr) from (__und_svc_finish+0x0/0x30) +(__und_svc_finish) from (cap_capable+0x18/0xb0) +(cap_capable) from (cap_vm_enough_memory+0x38/0x48) +(cap_vm_enough_memory) from +(security_vm_enough_memory_mm+0x48/0x6c) +(security_vm_enough_memory_mm) from +(copy_process.constprop.5+0x16b4/0x25c8) +(copy_process.constprop.5) from 
(_do_fork+0xe8/0x55c) +(_do_fork) from (SyS_clone+0x1c/0x24) +(SyS_clone) from (__sys_trace_return+0x0/0x10) +Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7) + +Fixes: 35aa1df43283 ("ARM kprobes: instruction single-stepping support") +Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM") +Signed-off-by: huangshaobo +Acked-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/probes/kprobes/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/probes/kprobes/Makefile b/arch/arm/probes/kprobes/Makefile +index 14db56f49f0a3..6159010dac4a6 100644 +--- a/arch/arm/probes/kprobes/Makefile ++++ b/arch/arm/probes/kprobes/Makefile +@@ -1,4 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 ++KASAN_SANITIZE_actions-common.o := n ++KASAN_SANITIZE_actions-arm.o := n ++KASAN_SANITIZE_actions-thumb.o := n + obj-$(CONFIG_KPROBES) += core.o actions-common.o checkers-common.o + obj-$(CONFIG_ARM_KPROBES_TEST) += test-kprobes.o + test-kprobes-objs := test-core.o +-- +2.34.1 + diff --git a/queue-4.14/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch-4641 b/queue-4.14/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch-4641 new file mode 100644 index 00000000000..dc2033117cd --- /dev/null +++ b/queue-4.14/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch-4641 
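Review bot: the three `KASAN_SANITIZE_actions-*.o := n` lines in the Makefile hunk carry no comment, so the only record of why instrumentation must be off for exactly these objects is the commit message. A reader of arch/arm/probes/kprobes/Makefile will see KASAN disabled for part of the kprobes code with no stated reason, and the natural "cleanup" is to drop the lines. Suggest a one-line comment above them, e.g. `# the instruction emulation helpers bind registers to set up the emulated execution environment; KASAN's __asan_load* calls clobber that binding`. Also worth noting in that comment that the trade-off is real: with sanitization off for actions-common.o, actions-arm.o and actions-thumb.o, ordinary out-of-bounds or use-after-free accesses in those files will no longer be reported by KASAN either, not just the register-binding problem this fixes.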
@@ -0,0 +1,52 @@ +From 7b19d8c30563ea4b7af9f195dda8ef20d2d2db65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Jan 2022 19:18:44 +0100 +Subject: drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit 5e761a2287234bc402ba7ef07129f5103bcd775c ] + +The function performs a check on the "phy" input parameter, however, it +is used before the check. + +Initialize the "dev" variable after the sanity check to avoid a possible +NULL pointer dereference. + +Fixes: 5c8290284402b ("drm/msm/dsi: Split PHY drivers to separate files") +Addresses-Coverity-ID: 1493860 ("Null pointer dereference") +Signed-off-by: José Expósito +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20220116181844.7400-1-jose.exposito89@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c +index c0a7fa56d9a74..32c7bf0d44faf 100644 +--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c ++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c +@@ -554,12 +554,14 @@ void __exit msm_dsi_phy_driver_unregister(void) + int msm_dsi_phy_enable(struct msm_dsi_phy *phy, int src_pll_id, + struct msm_dsi_phy_clk_request *clk_req) + { +- struct device *dev = &phy->pdev->dev; ++ struct device *dev; + int ret; + + if (!phy || !phy->cfg->ops.enable) + return -EINVAL; + ++ dev = &phy->pdev->dev; ++ + ret = dsi_phy_enable_resource(phy); + if (ret) { + dev_err(dev, "%s: resource enable failed, %d\n", +-- +2.34.1 + diff --git a/queue-4.14/drm-msm-fix-wrong-size-calculation.patch-1527 b/queue-4.14/drm-msm-fix-wrong-size-calculation.patch-1527 new file mode 100644 index 00000000000..67bf3224ed9 --- /dev/null +++ b/queue-4.14/drm-msm-fix-wrong-size-calculation.patch-1527 
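Review bot: moving `dev = &phy->pdev->dev;` below the sanity check does remove the dereference-before-check on `phy`, but the same `if` still evaluates `!phy->cfg->ops.enable`, which dereferences `phy->cfg` unconditionally. Either `cfg` is guaranteed non-NULL for every phy reaching msm_dsi_phy_enable(), in which case a short comment saying so will stop the next static-analysis report on this line, or the check should be `if (!phy || !phy->cfg || !phy->cfg->ops.enable)`. The hunk as written leaves that question open.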
@@ -0,0 +1,46 @@ +From f61db1d219e63b29edb9a28beb8781f70ed4eb63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jan 2022 20:33:34 +0800 +Subject: drm/msm: Fix wrong size calculation + +From: Xianting Tian + +[ Upstream commit 0a727b459ee39bd4c5ced19d6024258ac87b6b2e ] + +For example, memory-region in .dts as below, + reg = <0x0 0x50000000 0x0 0x20000000> + +We can get below values, +struct resource r; +r.start = 0x50000000; +r.end = 0x6fffffff; + +So the size should be: +size = r.end - r.start + 1 = 0x20000000 + +Signed-off-by: Xianting Tian +Fixes: 072f1f9168ed ("drm/msm: add support for "stolen" mem") +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20220112123334.749776-1-xianting.tian@linux.alibaba.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index 3dad4687d3ddc..7951f57f92027 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -321,7 +321,7 @@ static int msm_init_vram(struct drm_device *dev) + of_node_put(node); + if (ret) + return ret; +- size = r.end - r.start; ++ size = r.end - r.start + 1; + DRM_INFO("using VRAM carveout: %lx@%pa\n", size, &r.start); + + /* if we have no IOMMU, then we need to use carveout allocator. +-- +2.34.1 + diff --git a/queue-4.14/hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch-21434 b/queue-4.14/hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch-21434 new file mode 100644 index 00000000000..6422d192908 --- /dev/null +++ b/queue-4.14/hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch-21434 
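Review bot: `size = r.end - r.start + 1;` hand-computes what the kernel already provides as `resource_size(&r)` (linux/ioport.h), which exists precisely so that callers do not get the inclusive-end arithmetic wrong, as the original line did. Suggest `size = resource_size(&r);` so the intent is visible and the off-by-one cannot come back in a later edit. The commit message's worked example (0x50000000..0x6fffffff giving 0x20000000) is the right sanity check for whichever form is kept.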
@@ -0,0 +1,44 @@ +From 55203c3122376a36fa505316a17be9f5ebf4edde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jan 2022 11:48:52 -0800 +Subject: hwmon: (lm90) Reduce maximum conversion rate for G781 + +From: Guenter Roeck + +[ Upstream commit a66c5ed539277b9f2363bbace0dba88b85b36c26 ] + +According to its datasheet, G781 supports a maximum conversion rate value +of 8 (62.5 ms). However, chips labeled G781 and G780 were found to only +support a maximum conversion rate value of 7 (125 ms). On the other side, +chips labeled G781-1 and G784 were found to support a conversion rate value +of 8. There is no known means to distinguish G780 from G781 or G784; all +chips report the same manufacturer ID and chip revision. +Setting the conversion rate register value to 8 on chips not supporting +it causes unexpected behavior since the real conversion rate is set to 0 +(16 seconds) if a value of 8 is written into the conversion rate register. +Limit the conversion rate register value to 7 for all G78x chips to avoid +the problem. + +Fixes: ae544f64cc7b ("hwmon: (lm90) Add support for GMT G781") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/lm90.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c +index 30a7f7fde6511..033c89f8359d1 100644 +--- a/drivers/hwmon/lm90.c ++++ b/drivers/hwmon/lm90.c +@@ -359,7 +359,7 @@ static const struct lm90_params lm90_params[] = { + .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT + | LM90_HAVE_BROKEN_ALERT, + .alert_alarms = 0x7c, +- .max_convrate = 8, ++ .max_convrate = 7, + }, + [lm86] = { + .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT, +-- +2.34.1 + diff --git a/queue-4.14/i40e-fix-unsigned-stat-widths.patch-14535 b/queue-4.14/i40e-fix-unsigned-stat-widths.patch-14535 new file mode 100644 index 00000000000..36634777031 --- /dev/null +++ b/queue-4.14/i40e-fix-unsigned-stat-widths.patch-14535 
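Review bot: the changed `.max_convrate = 7,` entry (the one immediately before `[lm86]` in the hunk) deliberately contradicts the G781 datasheet value of 8, but nothing in the table says so; a future contributor checking the datasheet will "correct" it back and reintroduce the 16-second conversion rate the commit message describes. Suggest a comment on that line, e.g. `/* datasheet says 8, but G780/G781 silicon treats 8 as 0 (16 s) */`, so the reason travels with the value rather than only with the git history.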
@@ -0,0 +1,79 @@ +From 27fb062af392358b5b0ddfe162f5822fe6a47e31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 17:56:33 -0800 +Subject: i40e: fix unsigned stat widths + +From: Joe Damato + +[ Upstream commit 3b8428b84539c78fdc8006c17ebd25afd4722d51 ] + +Change i40e_update_vsi_stats and struct i40e_vsi to use u64 fields to match +the width of the stats counters in struct i40e_rx_queue_stats. + +Update debugfs code to use the correct format specifier for u64. + +Fixes: 41c445ff0f48 ("i40e: main driver core") +Signed-off-by: Joe Damato +Reported-by: kernel test robot +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e.h | 8 ++++---- + drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 2 +- + drivers/net/ethernet/intel/i40e/i40e_main.c | 4 ++-- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h +index 438e2675bc132..bb46a635c7e54 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e.h ++++ b/drivers/net/ethernet/intel/i40e/i40e.h +@@ -627,12 +627,12 @@ struct i40e_vsi { + struct rtnl_link_stats64 net_stats_offsets; + struct i40e_eth_stats eth_stats; + struct i40e_eth_stats eth_stats_offsets; +- u32 tx_restart; +- u32 tx_busy; ++ u64 tx_restart; ++ u64 tx_busy; + u64 tx_linearize; + u64 tx_force_wb; +- u32 rx_buf_failed; +- u32 rx_page_failed; ++ u64 rx_buf_failed; ++ u64 rx_page_failed; + + /* These are containers of ring pointers, allocated at run-time */ + struct i40e_ring **rx_rings; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c +index 8f326f87a815b..126207be492d3 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c +@@ -259,7 +259,7 @@ static void i40e_dbg_dump_vsi_seid(struct i40e_pf *pf, int seid) + (unsigned long int)vsi->net_stats_offsets.rx_compressed, + 
(unsigned long int)vsi->net_stats_offsets.tx_compressed); + dev_info(&pf->pdev->dev, +- " tx_restart = %d, tx_busy = %d, rx_buf_failed = %d, rx_page_failed = %d\n", ++ " tx_restart = %llu, tx_busy = %llu, rx_buf_failed = %llu, rx_page_failed = %llu\n", + vsi->tx_restart, vsi->tx_busy, + vsi->rx_buf_failed, vsi->rx_page_failed); + rcu_read_lock(); +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 05f7762d23355..5dac08c2c6e68 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -778,9 +778,9 @@ static void i40e_update_vsi_stats(struct i40e_vsi *vsi) + struct rtnl_link_stats64 *ns; /* netdev stats */ + struct i40e_eth_stats *oes; + struct i40e_eth_stats *es; /* device's eth stats */ +- u32 tx_restart, tx_busy; ++ u64 tx_restart, tx_busy; + struct i40e_ring *p; +- u32 rx_page, rx_buf; ++ u64 rx_page, rx_buf; + u64 bytes, packets; + unsigned int start; + u64 tx_linearize; +-- +2.34.1 + diff --git a/queue-4.14/i40e-increase-delay-to-1-s-after-global-emp-reset.patch-25583 b/queue-4.14/i40e-increase-delay-to-1-s-after-global-emp-reset.patch-25583 new file mode 100644 index 00000000000..8f4f5ed0d80 --- /dev/null +++ b/queue-4.14/i40e-increase-delay-to-1-s-after-global-emp-reset.patch-25583 
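Review bot: the widening of `tx_restart`, `tx_busy`, `rx_buf_failed` and `rx_page_failed` to u64 in i40e.h and in i40e_update_vsi_stats() is consistent within the diff, and the switch to `%llu` in the debugfs hunk is correct without casts because the kernel defines u64 as unsigned long long on every architecture. What the diff does not show is any other consumer of these four fields: anything that copies them into a narrower slot (an ethtool stats table, for example) keeps truncating silently after this change. Please confirm the remaining readers were checked, and say so in the commit message, since "use u64 to match the ring counters" only covers the two files touched here.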
@@ -0,0 +1,52 @@ +From 97fbd2ff2707dec6397eaa8f8a15f50e00e6db36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 13:51:14 +0000 +Subject: i40e: Increase delay to 1 s after global EMP reset + +From: Jedrzej Jagielski + +[ Upstream commit 9b13bd53134c9ddd544a790125199fdbdb505e67 ] + +Recently simplified i40e_rebuild causes that FW sometimes +is not ready after NVM update, the ping does not return. + +Increase the delay in case of EMP reset. +Old delay of 300 ms was introduced for specific cards for 710 series. +Now it works for all the cards and delay was increased. + +Fixes: 1fa51a650e1d ("i40e: Add delay after EMP reset for firmware to recover") +Signed-off-by: Arkadiusz Kubalewski +Signed-off-by: Jedrzej Jagielski +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 5b5434976698e..05f7762d23355 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -7245,15 +7245,9 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired) + } + i40e_get_oem_version(&pf->hw); + +- if (test_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state) && +- ((hw->aq.fw_maj_ver == 4 && hw->aq.fw_min_ver <= 33) || +- hw->aq.fw_maj_ver < 4) && hw->mac.type == I40E_MAC_XL710) { +- /* The following delay is necessary for 4.33 firmware and older +- * to recover after EMP reset. 200 ms should suffice but we +- * put here 300 ms to be sure that FW is ready to operate +- * after reset. +- */ +- mdelay(300); ++ if (test_and_clear_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state)) { ++ /* The following delay is necessary for firmware update. */ ++ mdelay(1000); + } + + /* re-verify the eeprom if we just had an EMP reset */ +-- +2.34.1 + 
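Review bot: switching from `test_bit(...)` to `test_and_clear_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state)` changes state, not just the delay, and the very next line of context reads `/* re-verify the eeprom if we just had an EMP reset */`. If the code under that comment tests the same bit, it will now never see it set, because this hunk already cleared it. Either keep `test_bit()` here and leave the clearing where it was, or move the eeprom re-verify into this block; the hunk as shown does not justify the `_and_clear` part. Separately, `mdelay(1000)` is a one-second busy spin with the comment reduced to "necessary for firmware update"; the removed comment at least said which firmware needed it and why. If i40e_rebuild() runs in a sleepable context, `msleep(1000)` gives up the CPU for that second, and the comment should say what the 1 s was measured against (the message only says 300 ms was not enough after an NVM update).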
diff --git a/queue-4.14/ibmvnic-don-t-spin-in-tasklet.patch-22225 b/queue-4.14/ibmvnic-don-t-spin-in-tasklet.patch-22225 new file mode 100644 index 00000000000..93f08963045 --- /dev/null +++ b/queue-4.14/ibmvnic-don-t-spin-in-tasklet.patch-22225 @@ -0,0 +1,47 @@ +From 222c97ab0a5386db945534a32f4e41aae4d278a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jan 2022 18:59:20 -0800 +Subject: ibmvnic: don't spin in tasklet + +From: Sukadev Bhattiprolu + +[ Upstream commit 48079e7fdd0269d66b1d7d66ae88bd03162464ad ] + +ibmvnic_tasklet() continuously spins waiting for responses to all +capability requests. It does this to avoid encountering an error +during initialization of the vnic. However if there is a bug in the +VIOS and we do not receive a response to one or more queries the +tasklet ends up spinning continuously leading to hard lock ups. + +If we fail to receive a message from the VIOS it is reasonable to +timeout the login attempt rather than spin indefinitely in the tasklet. + +Fixes: 249168ad07cd ("ibmvnic: Make CRQ interrupt tasklet wait for all capabilities crqs") +Signed-off-by: Sukadev Bhattiprolu +Reviewed-by: Dany Madden +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 4befc885efb8d..8d8eb9e2465ff 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -3691,12 +3691,6 @@ static void ibmvnic_tasklet(void *data) + ibmvnic_handle_crq(crq, adapter); + crq->generic.first = 0; + } +- +- /* remain in tasklet until all +- * capabilities responses are received +- */ +- if (!adapter->wait_capability) +- done = true; + } + /* if capabilities CRQ's were sent in this tasklet, the following + * tasklet must wait until all responses are received +-- +2.34.1 + 
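Review bot: the removed `if (!adapter->wait_capability) done = true;` is the only assignment to `done` anywhere in the hunk, and the `}` that follows closes an enclosing loop whose condition is outside the shown context. If that loop is still `while (!done)`, nothing terminates it now and the tasklet spins unconditionally instead of only while waiting for capability responses, which is the opposite of what the subject line promises. The hunk should also drop the outer loop and the `done` variable, or the review needs to show where `done` is set after this change. The surviving trailing comment ("if capabilities CRQ's were sent in this tasklet, the following tasklet must wait until all responses are received") now describes behaviour the tasklet no longer implements and should go with the code it described.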
diff --git a/queue-4.14/ipv4-avoid-using-shared-ip-generator-for-connected-s.patch-11359 b/queue-4.14/ipv4-avoid-using-shared-ip-generator-for-connected-s.patch-11359 new file mode 100644 index 00000000000..572b0f5d92d --- /dev/null +++ b/queue-4.14/ipv4-avoid-using-shared-ip-generator-for-connected-s.patch-11359 
@@ -0,0 +1,70 @@ +From f360e0f08e34964ff4677d1689a814259d1c8795 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jan 2022 17:10:22 -0800 +Subject: ipv4: avoid using shared IP generator for connected sockets + +From: Eric Dumazet + +[ Upstream commit 23f57406b82de51809d5812afd96f210f8b627f3 ] + +ip_select_ident_segs() has been very conservative about using +the connected socket private generator only for packets with IP_DF +set, claiming it was needed for some VJ compression implementations. + +As mentioned in this referenced document, this can be abused. +(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment) + +Before switching to pure random IPID generation and possibly hurt +some workloads, lets use the private inet socket generator. + +Not only this will remove one vulnerability, this will also +improve performance of TCP flows using pmtudisc==IP_PMTUDISC_DONT + +Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reported-by: Ray Che +Cc: Willy Tarreau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index 20a92cdb1e35c..4aff48d6ba915 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -399,19 +399,18 @@ static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb, + { + struct iphdr *iph = ip_hdr(skb); + ++ /* We had many attacks based on IPID, use the private ++ * generator as much as we can. ++ */ ++ if (sk && inet_sk(sk)->inet_daddr) { ++ iph->id = htons(inet_sk(sk)->inet_id); ++ inet_sk(sk)->inet_id += segs; ++ return; ++ } + if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) { +- /* This is only to work around buggy Windows95/2000 +- * VJ compression implementations. If the ID field +- * does not change, they drop every other packet in +- * a TCP stream using header compression. 
+- */ +- if (sk && inet_sk(sk)->inet_daddr) { +- iph->id = htons(inet_sk(sk)->inet_id); +- inet_sk(sk)->inet_id += segs; +- } else { +- iph->id = 0; +- } ++ iph->id = 0; + } else { ++ /* Unfortunately we need the big hammer to get a suitable IPID */ + __ip_select_ident(net, iph, segs); + } + } +-- +2.34.1 + diff --git a/queue-4.14/ipv4-raw-lock-the-socket-in-raw_bind.patch-11142 b/queue-4.14/ipv4-raw-lock-the-socket-in-raw_bind.patch-11142 new file mode 100644 index 00000000000..7c46718f620 --- /dev/null +++ b/queue-4.14/ipv4-raw-lock-the-socket-in-raw_bind.patch-11142 
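Review bot: the new early branch makes `inet_sk(sk)->inet_id += segs` run for every connected socket, including non-DF traffic that previously went through the shared generator. That read-modify-write is unlocked; with several threads sending on one connected UDP socket (now covered by this path), two senders can read the same `inet_id` and emit duplicate IDs in fragmentable datagrams, where the ID is the reassembly key. If that is an accepted trade (it is far less harmful than the off-path attack the commit message cites), a comment saying so next to `/* We had many attacks based on IPID ... */` would stop the next KCSAN report from being treated as a regression; otherwise the update should use an atomic or at least READ_ONCE/WRITE_ONCE. Minor: the comment "use the private generator as much as we can" reads better as "whenever the socket is connected", which is what the `inet_daddr` test actually means.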
@@ -0,0 +1,78 @@ +From e05972e53cf0b7858905f6fc4649954de757e660 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jan 2022 16:51:16 -0800 +Subject: ipv4: raw: lock the socket in raw_bind() + +From: Eric Dumazet + +[ Upstream commit 153a0d187e767c68733b8e9f46218eb1f41ab902 ] + +For some reason, raw_bind() forgot to lock the socket. + +BUG: KCSAN: data-race in __ip4_datagram_connect / raw_bind + +write to 0xffff8881170d4308 of 4 bytes by task 5466 on cpu 0: + raw_bind+0x1b0/0x250 net/ipv4/raw.c:739 + inet_bind+0x56/0xa0 net/ipv4/af_inet.c:443 + __sys_bind+0x14b/0x1b0 net/socket.c:1697 + __do_sys_bind net/socket.c:1708 [inline] + __se_sys_bind net/socket.c:1706 [inline] + __x64_sys_bind+0x3d/0x50 net/socket.c:1706 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff8881170d4308 of 4 bytes by task 5468 on cpu 1: + __ip4_datagram_connect+0xb7/0x7b0 net/ipv4/datagram.c:39 + ip4_datagram_connect+0x2a/0x40 net/ipv4/datagram.c:89 + inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576 + __sys_connect_file net/socket.c:1900 [inline] + __sys_connect+0x197/0x1b0 net/socket.c:1917 + __do_sys_connect net/socket.c:1927 [inline] + __se_sys_connect net/socket.c:1924 [inline] + __x64_sys_connect+0x3d/0x50 net/socket.c:1924 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x00000000 -> 0x0003007f + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 5468 Comm: syz-executor.5 Not tainted 5.17.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/raw.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 261a9813b88cd..9c4b2c0dc68ae 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -721,6 +721,7 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) + int ret = -EINVAL; + int chk_addr_ret; + ++ lock_sock(sk); + if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_in)) + goto out; + +@@ -740,7 +741,9 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) + inet->inet_saddr = 0; /* Use device */ + sk_dst_reset(sk); + ret = 0; +-out: return ret; ++out: ++ release_sock(sk); ++ return ret; + } + + /* +-- +2.34.1 + diff --git a/queue-4.14/ipv4-tcp-send-zero-ipid-in-synack-messages.patch-24482 b/queue-4.14/ipv4-tcp-send-zero-ipid-in-synack-messages.patch-24482 new file mode 100644 index 00000000000..4f0a8aa90a4 --- /dev/null +++ b/queue-4.14/ipv4-tcp-send-zero-ipid-in-synack-messages.patch-24482 
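Review bot: the reader side in the KCSAN report, ip4_datagram_connect(), already runs __ip4_datagram_connect() under lock_sock(), so taking lock_sock() in raw_bind() makes the pair consistent and the fix is correct. One nit: `lock_sock(sk);` is placed above the pure argument check `addr_len < sizeof(struct sockaddr_in)`, which touches no socket state; doing that check before the lock keeps the critical section to the part that actually reads and writes `sk->sk_state`, `inet_rcv_saddr` and `inet_saddr`. Since the old `out: return ret;` was a single line and the new label now unlocks, every `goto out` in the function must be reachable only after `lock_sock()`; the hunk puts the lock on the first line of the body, so that holds, but it is worth a glance at the full function when backporting.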
@@ -0,0 +1,77 @@ +From f68cdd2eda0683929432d682e1d28198045c370c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jan 2022 17:10:21 -0800 +Subject: ipv4: tcp: send zero IPID in SYNACK messages + +From: Eric Dumazet + +[ Upstream commit 970a5a3ea86da637471d3cd04d513a0755aba4bf ] + +In commit 431280eebed9 ("ipv4: tcp: send zero IPID for RST and +ACK sent in SYN-RECV and TIME-WAIT state") we took care of some +ctl packets sent by TCP. + +It turns out we need to use a similar strategy for SYNACK packets. + +By default, they carry IP_DF and IPID==0, but there are ways +to ask them to use the hashed IP ident generator and thus +be used to build off-path attacks. +(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment) + +One of this way is to force (before listener is started) +echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc + +Another way is using forged ICMP ICMP_FRAG_NEEDED +with a very small MTU (like 68) to force a false return from +ip_dont_fragment() + +In this patch, ip_build_and_send_pkt() uses the following +heuristics. + +1) Most SYNACK packets are smaller than IPV4_MIN_MTU and therefore +can use IP_DF regardless of the listener or route pmtu setting. + +2) In case the SYNACK packet is bigger than IPV4_MIN_MTU, +we use prandom_u32() generator instead of the IPv4 hashed ident one. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: Ray Che +Reviewed-by: David Ahern +Cc: Geoff Alexander +Cc: Willy Tarreau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_output.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index c9f82525bfa45..aab18ab49e3b9 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -160,12 +160,19 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk, + iph->daddr = (opt && opt->opt.srr ? 
opt->opt.faddr : daddr); + iph->saddr = saddr; + iph->protocol = sk->sk_protocol; +- if (ip_dont_fragment(sk, &rt->dst)) { ++ /* Do not bother generating IPID for small packets (eg SYNACK) */ ++ if (skb->len <= IPV4_MIN_MTU || ip_dont_fragment(sk, &rt->dst)) { + iph->frag_off = htons(IP_DF); + iph->id = 0; + } else { + iph->frag_off = 0; +- __ip_select_ident(net, iph, 1); ++ /* TCP packets here are SYNACK with fat IPv4/TCP options. ++ * Avoid using the hashed IP ident generator. ++ */ ++ if (sk->sk_protocol == IPPROTO_TCP) ++ iph->id = (__force __be16)prandom_u32(); ++ else ++ __ip_select_ident(net, iph, 1); + } + + if (opt && opt->opt.optlen) { +-- +2.34.1 + diff --git a/queue-4.14/net-fix-information-leakage-in-proc-net-ptype.patch-1813 b/queue-4.14/net-fix-information-leakage-in-proc-net-ptype.patch-1813 new file mode 100644 index 00000000000..5ef01149593 --- /dev/null +++ b/queue-4.14/net-fix-information-leakage-in-proc-net-ptype.patch-1813 
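Review bot: for the large-SYNACK case the hunk sets `iph->id = (__force __be16)prandom_u32();` with the comment "Avoid using the hashed IP ident generator". On a 4.14 kernel prandom_u32() is the periodically reseeded Tausworthe generator, not a cryptographic one, and the attack the message cites works by inferring the generator's state from observed IDs; the cost argument for prandom is fine, but the comment should say that the goal is to decouple the ID from the per-destination hashed counter, not to make it unpredictable, or the code should use get_random_u32() if unpredictability is the intent. Also note for readers of the `skb->len <= IPV4_MIN_MTU` test: by this point the IP header has already been pushed, so `skb->len` is the full datagram length being compared against the 68-byte minimum every IPv4 link must carry, which is why DF plus id 0 is safe for those packets.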
@@ -0,0 +1,78 @@ +From 5ecf9a242f3da2317c60d411582062189e6e4d98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jan 2022 14:20:13 -0500 +Subject: net: fix information leakage in /proc/net/ptype + +From: Congyu Liu + +[ Upstream commit 47934e06b65637c88a762d9c98329ae6e3238888 ] + +In one net namespace, after creating a packet socket without binding +it to a device, users in other net namespaces can observe the new +`packet_type` added by this packet socket by reading `/proc/net/ptype` +file. This is minor information leakage as packet socket is +namespace aware. + +Add a net pointer in `packet_type` to keep the net namespace of +of corresponding packet socket. In `ptype_seq_show`, this net pointer +must be checked when it is not NULL. + +Fixes: 2feb27dbe00c ("[NETNS]: Minor information leak via /proc/net/ptype file.") +Signed-off-by: Congyu Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 1 + + net/core/net-procfs.c | 3 ++- + net/packet/af_packet.c | 2 ++ + 3 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index fc552da905b3a..7972aac9264c0 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -2206,6 +2206,7 @@ struct packet_type { + struct net_device *); + bool (*id_match)(struct packet_type *ptype, + struct sock *sk); ++ struct net *af_packet_net; + void *af_packet_priv; + struct list_head list; + }; +diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c +index 615ccab55f387..d576517f581c4 100644 +--- a/net/core/net-procfs.c ++++ b/net/core/net-procfs.c +@@ -279,7 +279,8 @@ static int ptype_seq_show(struct seq_file *seq, void *v) + + if (v == SEQ_START_TOKEN) + seq_puts(seq, "Type Device Function\n"); +- else if (pt->dev == NULL || dev_net(pt->dev) == seq_file_net(seq)) { ++ else if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) && ++ (!pt->dev || net_eq(dev_net(pt->dev), 
seq_file_net(seq)))) { + if (pt->type == htons(ETH_P_ALL)) + seq_puts(seq, "ALL "); + else +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 3177b9320c62d..d54497b57a29f 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1756,6 +1756,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) + match->prot_hook.dev = po->prot_hook.dev; + match->prot_hook.func = packet_rcv_fanout; + match->prot_hook.af_packet_priv = match; ++ match->prot_hook.af_packet_net = read_pnet(&match->net); + match->prot_hook.id_match = match_fanout_group; + list_add(&match->list, &fanout_list); + } +@@ -3330,6 +3331,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, + po->prot_hook.func = packet_rcv_spkt; + + po->prot_hook.af_packet_priv = sk; ++ po->prot_hook.af_packet_net = sock_net(sk); + + if (proto) { + po->prot_hook.type = proto; +-- +2.34.1 + diff --git a/queue-4.14/nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch-15107 b/queue-4.14/nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch-15107 new file mode 100644 index 00000000000..cc639bd23cd --- /dev/null +++ b/queue-4.14/nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch-15107 
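Review bot: the new `struct net *af_packet_net;` member in include/linux/netdevice.h is a bare pointer with no reference and no comment, in a struct that every protocol handler (not only packet sockets) fills in. It works because the two registrants in af_packet.c (packet_create() and fanout_add()) own a netns reference for as long as their prot_hook is registered, and because the ptype_seq_show() test treats NULL as "visible everywhere" so that kernel-internal handlers are unaffected; both facts should be stated in a comment on the field, otherwise a third registrant can set it without holding the namespace alive. The net-procfs condition itself is correct: a hook is shown only when its packet-socket namespace (if any) and its device's namespace (if any) both match the reader's.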
@@ -0,0 +1,52 @@ +From 436c80dff9e56f3eda62dcf698e61d73501ddb12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jan 2022 18:24:02 -0500 +Subject: NFSv4: Handle case where the lookup of a directory fails + +From: Trond Myklebust + +[ Upstream commit ac795161c93699d600db16c1a8cc23a65a1eceaf ] + +If the application sets the O_DIRECTORY flag, and tries to open a +regular file, nfs_atomic_open() will punt to doing a regular lookup. +If the server then returns a regular file, we will happily return a +file descriptor with uninitialised open state. + +The fix is to return the expected ENOTDIR error in these cases. + +Reported-by: Lyu Tao +Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 5c26e90db5887..0fb7189347af9 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1607,6 +1607,19 @@ out: + + no_open: + res = nfs_lookup(dir, dentry, lookup_flags); ++ if (!res) { ++ inode = d_inode(dentry); ++ if ((lookup_flags & LOOKUP_DIRECTORY) && inode && ++ !S_ISDIR(inode->i_mode)) ++ res = ERR_PTR(-ENOTDIR); ++ } else if (!IS_ERR(res)) { ++ inode = d_inode(res); ++ if ((lookup_flags & LOOKUP_DIRECTORY) && inode && ++ !S_ISDIR(inode->i_mode)) { ++ dput(res); ++ res = ERR_PTR(-ENOTDIR); ++ } ++ } + if (switched) { + d_lookup_done(dentry); + if (!res) +-- +2.34.1 + diff --git a/queue-4.14/nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch-11193 b/queue-4.14/nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch-11193 new file mode 100644 index 00000000000..4bebef3dc26 --- /dev/null +++ b/queue-4.14/nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch-11193 
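Review bot: the `LOOKUP_DIRECTORY && inode && !S_ISDIR(inode->i_mode)` test is written out twice, once for `res == NULL` (use the passed-in dentry) and once for a non-error `res` (use the returned dentry and `dput()` it). Since `dput(NULL)` is a no-op, both branches collapse to one block after computing the inode from `res ? res : dentry`, guarded by `!IS_ERR(res)`; that keeps the two copies from drifting apart when the next condition is added to this path. Also, with `res` now able to become `ERR_PTR(-ENOTDIR)` after a NULL return from nfs_lookup(), the `if (switched) { ... if (!res)` block that follows takes the "else" path for it; that is the same path an error from nfs_lookup() already took, so it is fine, but a one-line comment that the switched handling is error-safe would save the next reader the check.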
@@ -0,0 +1,45 @@ +From 4c268333a5a4b48af0392b9f8cd70d08af1a942a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jan 2022 18:24:03 -0500 +Subject: NFSv4: nfs_atomic_open() can race when looking up a non-regular file + +From: Trond Myklebust + +[ Upstream commit 1751fc1db36f6f411709e143d5393f92d12137a9 ] + +If the file type changes back to being a regular file on the server +between the failed OPEN and our LOOKUP, then we need to re-run the OPEN. + +Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 0fb7189347af9..c3ae37036b9d1 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1612,12 +1612,17 @@ no_open: + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && + !S_ISDIR(inode->i_mode)) + res = ERR_PTR(-ENOTDIR); ++ else if (inode && S_ISREG(inode->i_mode)) ++ res = ERR_PTR(-EOPENSTALE); + } else if (!IS_ERR(res)) { + inode = d_inode(res); + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && + !S_ISDIR(inode->i_mode)) { + dput(res); + res = ERR_PTR(-ENOTDIR); ++ } else if (inode && S_ISREG(inode->i_mode)) { ++ dput(res); ++ res = ERR_PTR(-EOPENSTALE); + } + } + if (switched) { +-- +2.34.1 + diff --git a/queue-4.14/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch-13110 b/queue-4.14/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch-13110 new file mode 100644 index 00000000000..bef95cd6b7c --- /dev/null +++ b/queue-4.14/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch-13110 
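Review bot: returning `ERR_PTR(-EOPENSTALE)` from the lookup fallback relies on the VFS open path translating that internal errno into a retry of the whole open with LOOKUP_REVAL; nothing in the hunk says so, and EOPENSTALE is not a user-visible error, so a comment such as `/* the file turned into a regular file under us; have the VFS retry the OPEN */` belongs on both new lines. The ordering is load-bearing and also deserves a word: the ENOTDIR test must stay first so that O_DIRECTORY on a regular file still fails with ENOTDIR rather than triggering a retry loop. Correctness of the symlink case (`no_open` reached for ELOOP without O_NOFOLLOW) holds because a symlink inode is not S_ISREG and so does not hit the new branch.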
@@ -0,0 +1,51 @@ +From e2639a63fd3031046f5c7a4a3a962c2c80020b24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jan 2022 06:40:56 -0500 +Subject: ping: fix the sk_bound_dev_if match in ping_lookup + +From: Xin Long + +[ Upstream commit 2afc3b5a31f9edf3ef0f374f5d70610c79c93a42 ] + +When 'ping' changes to use PING socket instead of RAW socket by: + + # sysctl -w net.ipv4.ping_group_range="0 100" + +the selftests 'router_broadcast.sh' will fail, as such command + + # ip vrf exec vrf-h1 ping -I veth0 198.51.100.255 -b + +can't receive the response skb by the PING socket. It's caused by mismatch +of sk_bound_dev_if and dif in ping_rcv() when looking up the PING socket, +as dif is vrf-h1 if dif's master was set to vrf-h1. + +This patch is to fix this regression by also checking the sk_bound_dev_if +against sdif so that the packets can still be received even if the socket +is not bound to the vrf device but to the real iif. + +Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") +Reported-by: Hangbin Liu +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ping.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index aab141c4a3892..bfd0ab9d3b578 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -225,7 +225,8 @@ static struct sock *ping_lookup(struct net *net, struct sk_buff *skb, u16 ident) + continue; + } + +- if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif) ++ if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif && ++ sk->sk_bound_dev_if != inet_sdif(skb)) + continue; + + sock_hold(sk); +-- +2.34.1 + diff --git a/queue-4.14/rpmsg-char-fix-race-between-the-release-of-rpmsg_ctr.patch-26086 b/queue-4.14/rpmsg-char-fix-race-between-the-release-of-rpmsg_ctr.patch-26086 new file mode 100644 index 00000000000..32b902ee004 --- /dev/null +++ b/queue-4.14/rpmsg-char-fix-race-between-the-release-of-rpmsg_ctr.patch-26086 
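Review bot: the widened test in the ping_lookup() hunk lets a bound socket accept a packet when `sk_bound_dev_if` equals either `dif` or `inet_sdif(skb)`; because inet_sdif() returns 0 unless the skb came in on an L3-master (VRF) slave, the extra clause can only ever match the real ingress interface and does not loosen the device check for non-VRF traffic, but that reasoning is not obvious from the two lines and belongs in a comment. `inet_sdif(skb)` is also recomputed for every socket walked in the bucket although it depends only on the skb; computing it once before the loop, next to `dif`, is cheaper and makes the intent (`dif` = L3 master, `sdif` = real ingress device) explicit. A selftest run of `router_broadcast.sh` with `net.ipv4.ping_group_range` set, as described in the changelog, would keep the PING-socket path from regressing again.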
@@ -0,0 +1,117 @@ +From 52db54eb49b6ec46b9cb1c5c0b42bfcab446b692 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jan 2022 10:47:36 -0800 +Subject: rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev + +From: Sujit Kautkar + +[ Upstream commit b7fb2dad571d1e21173c06cef0bced77b323990a ] + +struct rpmsg_ctrldev contains a struct cdev. The current code frees +the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the +cdev is a managed object, therefore its release is not predictable +and the rpmsg_ctrldev could be freed before the cdev is entirely +released, as in the backtrace below. + +[ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c +[ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0 +[ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v +[ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26 +[ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT) +[ 93.730055] Workqueue: events kobject_delayed_cleanup +[ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO) +[ 93.740216] pc : debug_print_object+0x13c/0x1b0 +[ 93.744890] lr : debug_print_object+0x13c/0x1b0 +[ 93.749555] sp : ffffffacf5bc7940 +[ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000 +[ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000 +[ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000 +[ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0 +[ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0 +[ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0 +[ 93.785814] x17: 0000000000000000 x16: dfffffd000000000 +[ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c +[ 93.796768] x13: 
0000000000000000 x12: ffffffd075e2b000 +[ 93.802244] x11: 0000000000000001 x10: 0000000000000000 +[ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900 +[ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000 +[ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000 +[ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001 +[ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061 +[ 93.835104] Call trace: +[ 93.837644] debug_print_object+0x13c/0x1b0 +[ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0 +[ 93.846987] debug_check_no_obj_freed+0x18/0x20 +[ 93.851669] slab_free_freelist_hook+0xbc/0x1e4 +[ 93.856346] kfree+0xfc/0x2f4 +[ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8 +[ 93.864445] device_release+0x84/0x168 +[ 93.868310] kobject_cleanup+0x12c/0x298 +[ 93.872356] kobject_delayed_cleanup+0x10/0x18 +[ 93.876948] process_one_work+0x578/0x92c +[ 93.881086] worker_thread+0x804/0xcf8 +[ 93.884963] kthread+0x2a8/0x314 +[ 93.888303] ret_from_fork+0x10/0x18 + +The cdev_device_add/del() API was created to address this issue (see +commit '233ed09d7fda ("chardev: add helper function to register char +devs with a struct device")'), use it instead of cdev add/del(). 
+ +Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface") +Signed-off-by: Sujit Kautkar +Signed-off-by: Matthias Kaehlcke +Reviewed-by: Mathieu Poirier +Reviewed-by: Bjorn Andersson +Reviewed-by: Stephen Boyd +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220110104706.v6.1.Iaac908f3e3149a89190ce006ba166e2d3fd247a3@changeid +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/rpmsg_char.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c +index 6a5b5b16145e3..bc26e0c331e11 100644 +--- a/drivers/rpmsg/rpmsg_char.c ++++ b/drivers/rpmsg/rpmsg_char.c +@@ -461,7 +461,6 @@ static void rpmsg_ctrldev_release_device(struct device *dev) + + ida_simple_remove(&rpmsg_ctrl_ida, dev->id); + ida_simple_remove(&rpmsg_minor_ida, MINOR(dev->devt)); +- cdev_del(&ctrldev->cdev); + kfree(ctrldev); + } + +@@ -496,19 +495,13 @@ static int rpmsg_chrdev_probe(struct rpmsg_device *rpdev) + dev->id = ret; + dev_set_name(&ctrldev->dev, "rpmsg_ctrl%d", ret); + +- ret = cdev_add(&ctrldev->cdev, dev->devt, 1); ++ ret = cdev_device_add(&ctrldev->cdev, &ctrldev->dev); + if (ret) + goto free_ctrl_ida; + + /* We can now rely on the release function for cleanup */ + dev->release = rpmsg_ctrldev_release_device; + +- ret = device_add(dev); +- if (ret) { +- dev_err(&rpdev->dev, "device_add failed: %d\n", ret); +- put_device(dev); +- } +- + dev_set_drvdata(&rpdev->dev, ctrldev); + + return ret; +@@ -534,7 +527,7 @@ static void rpmsg_chrdev_remove(struct rpmsg_device *rpdev) + if (ret) + dev_warn(&rpdev->dev, "failed to nuke endpoints: %d\n", ret); + +- device_del(&ctrldev->dev); ++ cdev_device_del(&ctrldev->cdev, &ctrldev->dev); + put_device(&ctrldev->dev); + } + +-- +2.34.1 + 
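Review bot: in the rpmsg_chrdev_probe() hunk the failure path of `cdev_device_add()` is `goto free_ctrl_ida`, the label that previously only handled a failed `cdev_add()`; it now also covers a failing device_add() inside cdev_device_add(). That is fine for the cdev, since cdev_device_add() undoes its own cdev_add() on that path, but `dev->release` is still assigned only after the call succeeds, so the label must free `ctrldev` and return the minor itself rather than through the release callback; please confirm it does, because the deleted `put_device(dev)` arm shows the old device_add() failure path relied on release having already been set.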
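Review bot: dropping `cdev_del()` from rpmsg_ctrldev_release_device() in the first hunk is only safe because every object that reaches the release callback was registered with `cdev_device_add()` and is torn down with `cdev_device_del()` in the rpmsg_chrdev_remove() hunk; the two hunks are one change, not an independent cleanup, and the changelog should say so. The new ordering guarantees the cdev is unregistered before `put_device()` can drop the final reference and kfree() the struct that embeds it, which is the window the ODEBUG report in the description points at.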
diff --git a/queue-4.14/rpmsg-char-fix-race-between-the-release-of-rpmsg_ept.patch-29734 b/queue-4.14/rpmsg-char-fix-race-between-the-release-of-rpmsg_ept.patch-29734 new file mode 100644 index 00000000000..95efd53bf95 --- /dev/null +++ b/queue-4.14/rpmsg-char-fix-race-between-the-release-of-rpmsg_ept.patch-29734 
@@ -0,0 +1,76 @@ +From e6d70f8340665f65dadb32c744c83dd4ee25b8bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jan 2022 10:47:37 -0800 +Subject: rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev + +From: Matthias Kaehlcke + +[ Upstream commit 7a534ae89e34e9b51acb5a63dd0f88308178b46a ] + +struct rpmsg_eptdev contains a struct cdev. The current code frees +the rpmsg_eptdev struct in rpmsg_eptdev_destroy(), but the cdev is +a managed object, therefore its release is not predictable and the +rpmsg_eptdev could be freed before the cdev is entirely released. + +The cdev_device_add/del() API was created to address this issue +(see commit '233ed09d7fda ("chardev: add helper function to register +char devs with a struct device")'), use it instead of cdev add/del(). + +Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface") +Suggested-by: Bjorn Andersson +Signed-off-by: Matthias Kaehlcke +Reviewed-by: Mathieu Poirier +Reviewed-by: Stephen Boyd +Reviewed-by: Bjorn Andersson +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220110104706.v6.2.Idde68b05b88d4a2e6e54766c653f3a6d9e419ce6@changeid +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/rpmsg_char.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c +index bc26e0c331e11..3805bcce9691b 100644 +--- a/drivers/rpmsg/rpmsg_char.c ++++ b/drivers/rpmsg/rpmsg_char.c +@@ -100,7 +100,7 @@ static int rpmsg_eptdev_destroy(struct device *dev, void *data) + /* wake up any blocked readers */ + wake_up_interruptible(&eptdev->readq); + +- device_del(&eptdev->dev); ++ cdev_device_del(&eptdev->cdev, &eptdev->dev); + put_device(&eptdev->dev); + + return 0; +@@ -336,7 +336,6 @@ static void rpmsg_eptdev_release_device(struct device *dev) + + ida_simple_remove(&rpmsg_ept_ida, dev->id); + ida_simple_remove(&rpmsg_minor_ida, MINOR(eptdev->dev.devt)); +- cdev_del(&eptdev->cdev); + kfree(eptdev); + } + 
+@@ -381,19 +380,13 @@ static int rpmsg_eptdev_create(struct rpmsg_ctrldev *ctrldev, + dev->id = ret; + dev_set_name(dev, "rpmsg%d", ret); + +- ret = cdev_add(&eptdev->cdev, dev->devt, 1); ++ ret = cdev_device_add(&eptdev->cdev, &eptdev->dev); + if (ret) + goto free_ept_ida; + + /* We can now rely on the release function for cleanup */ + dev->release = rpmsg_eptdev_release_device; + +- ret = device_add(dev); +- if (ret) { +- dev_err(dev, "device_add failed: %d\n", ret); +- put_device(dev); +- } +- + return ret; + + free_ept_ida: +-- +2.34.1 + diff --git a/queue-4.14/scsi-bnx2fc-flush-destroy_work-queue-before-calling-.patch-13645 b/queue-4.14/scsi-bnx2fc-flush-destroy_work-queue-before-calling-.patch-13645 new file mode 100644 index 00000000000..1b05847d81a --- /dev/null +++ b/queue-4.14/scsi-bnx2fc-flush-destroy_work-queue-before-calling-.patch-13645 
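Review bot: the rpmsg_eptdev_create() hunk has the same shape as the ctrldev change: a `cdev_device_add()` failure jumps to `free_ept_ida` before `dev->release` is set, so that label must free `eptdev` and return its ida entries by hand instead of through the release callback; the removed `put_device(dev)` arm shows the old device_add() failure path did rely on release, so please double-check the label's cleanup.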
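Review bot: in the rpmsg_eptdev_destroy() hunk `cdev_device_del()` runs right after blocked readers are woken, and readers that still hold the file open keep their own reference on the cdev (chrdev_open takes one), so the call only unregisters the cdev and device while the embedded cdev, and with it the eptdev, stays alive until the last close; that is the intended behaviour, but a short comment that the eptdev may outlive this function while descriptors remain open would help future readers, and the removal of `cdev_del()` from rpmsg_eptdev_release_device() in the next hunk depends on this being the only teardown path.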
@@ -0,0 +1,152 @@ +From 88ff82010cfa34748f3bc6e3997579d74c292b00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jan 2022 23:00:44 -0500 +Subject: scsi: bnx2fc: Flush destroy_work queue before calling + bnx2fc_interface_put() + +From: John Meneghini + +[ Upstream commit 847f9ea4c5186fdb7b84297e3eeed9e340e83fce ] + +The bnx2fc_destroy() functions are removing the interface before calling +destroy_work. This results in multiple WARNings from sysfs_remove_group() as +the controller rport device attributes are removed too early. + +Replace the fcoe_port's destroy_work queue. It's not needed. + +The problem is easily reproducible with the following steps. + +Example: + + $ dmesg -w & + $ systemctl enable --now fcoe + $ fipvlan -s -c ens2f1 + $ fcoeadm -d ens2f1.802 + [ 583.464488] host2: libfc: Link down on port (7500a1) + [ 583.472651] bnx2fc: 7500a1 - rport not created Yet!! + [ 583.490468] ------------[ cut here ]------------ + [ 583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0' + [ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80 + [ 583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ... + [ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1 + [ 583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 + [ 584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc] + [ 584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80 + [ 584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ... 
+ [ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282 + [ 584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000 + [ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0 + [ 584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00 + [ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400 + [ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004 + [ 584.355379] FS: 0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000 + [ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0 + [ 584.454888] Call Trace: + [ 584.466108] device_del+0xb2/0x3e0 + [ 584.481701] device_unregister+0x13/0x60 + [ 584.501306] bsg_unregister_queue+0x5b/0x80 + [ 584.522029] bsg_remove_queue+0x1c/0x40 + [ 584.541884] fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc] + [ 584.573823] process_one_work+0x1e3/0x3b0 + [ 584.592396] worker_thread+0x50/0x3b0 + [ 584.609256] ? rescuer_thread+0x370/0x370 + [ 584.628877] kthread+0x149/0x170 + [ 584.643673] ? set_kthread_struct+0x40/0x40 + [ 584.662909] ret_from_fork+0x22/0x30 + [ 584.680002] ---[ end trace 53575ecefa942ece ]--- + +Link: https://lore.kernel.org/r/20220115040044.1013475-1-jmeneghi@redhat.com +Fixes: 0cbf32e1681d ("[SCSI] bnx2fc: Avoid calling bnx2fc_if_destroy with unnecessary locks") +Tested-by: Guangwu Zhang +Co-developed-by: Maurizio Lombardi +Signed-off-by: Maurizio Lombardi +Signed-off-by: John Meneghini +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 20 +++++--------------- + 1 file changed, 5 insertions(+), 15 deletions(-) + +diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +index 116a56f0af016..4e99f384196f3 100644 +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +@@ -80,7 +80,7 @@ static int bnx2fc_bind_pcidev(struct bnx2fc_hba *hba); + static void bnx2fc_unbind_pcidev(struct bnx2fc_hba *hba); + static struct fc_lport *bnx2fc_if_create(struct bnx2fc_interface *interface, + struct device *parent, int npiv); +-static void bnx2fc_destroy_work(struct work_struct *work); ++static void bnx2fc_port_destroy(struct fcoe_port *port); + + static struct bnx2fc_hba *bnx2fc_hba_lookup(struct net_device *phys_dev); + static struct bnx2fc_interface *bnx2fc_interface_lookup(struct net_device +@@ -911,9 +911,6 @@ static void bnx2fc_indicate_netevent(void *context, unsigned long event, + __bnx2fc_destroy(interface); + } + mutex_unlock(&bnx2fc_dev_lock); +- +- /* Ensure ALL destroy work has been completed before return */ +- flush_workqueue(bnx2fc_wq); + return; + + default: +@@ -1220,8 +1217,8 @@ static int bnx2fc_vport_destroy(struct fc_vport *vport) + mutex_unlock(&n_port->lp_mutex); + bnx2fc_free_vport(interface->hba, port->lport); + bnx2fc_port_shutdown(port->lport); ++ bnx2fc_port_destroy(port); + bnx2fc_interface_put(interface); +- queue_work(bnx2fc_wq, &port->destroy_work); + return 0; + } + +@@ -1530,7 +1527,6 @@ static struct fc_lport *bnx2fc_if_create(struct bnx2fc_interface *interface, + port->lport = lport; + port->priv = interface; + port->get_netdev = bnx2fc_netdev; +- INIT_WORK(&port->destroy_work, bnx2fc_destroy_work); + + /* Configure fcoe_port */ + rc = bnx2fc_lport_config(lport); +@@ -1658,8 +1654,8 @@ static void __bnx2fc_destroy(struct bnx2fc_interface *interface) + bnx2fc_interface_cleanup(interface); + bnx2fc_stop(interface); + list_del(&interface->list); ++ 
bnx2fc_port_destroy(port); + bnx2fc_interface_put(interface); +- queue_work(bnx2fc_wq, &port->destroy_work); + } + + /** +@@ -1700,15 +1696,12 @@ netdev_err: + return rc; + } + +-static void bnx2fc_destroy_work(struct work_struct *work) ++static void bnx2fc_port_destroy(struct fcoe_port *port) + { +- struct fcoe_port *port; + struct fc_lport *lport; + +- port = container_of(work, struct fcoe_port, destroy_work); + lport = port->lport; +- +- BNX2FC_HBA_DBG(lport, "Entered bnx2fc_destroy_work\n"); ++ BNX2FC_HBA_DBG(lport, "Entered %s, destroying lport %p\n", __func__, lport); + + bnx2fc_if_destroy(lport); + } +@@ -2563,9 +2556,6 @@ static void bnx2fc_ulp_exit(struct cnic_dev *dev) + __bnx2fc_destroy(interface); + mutex_unlock(&bnx2fc_dev_lock); + +- /* Ensure ALL destroy work has been completed before return */ +- flush_workqueue(bnx2fc_wq); +- + bnx2fc_ulp_stop(hba); + /* unregister cnic device */ + if (test_and_clear_bit(BNX2FC_CNIC_REGISTERED, &hba->reg_with_cnic)) +-- +2.34.1 + diff --git a/queue-4.14/series b/queue-4.14/series index c85f6f8fbdd..ed1d9378f8f 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
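Review bot: the `bnx2fc_port_destroy(port)` call added in the __bnx2fc_destroy() hunk now runs bnx2fc_if_destroy() synchronously in the caller's context, and both callers visible in this patch (bnx2fc_indicate_netevent() and bnx2fc_ulp_exit()) invoke __bnx2fc_destroy() while holding `bnx2fc_dev_lock`; the commit named in the Fixes: tag ("Avoid calling bnx2fc_if_destroy with unnecessary locks") moved that call onto a workqueue precisely to get it out from under the locks, so the changelog should state why calling it under the mutex is acceptable now, i.e. that bnx2fc_if_destroy() neither retakes bnx2fc_dev_lock nor waits on anything that needs it.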
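Review bot: in the bnx2fc_vport_destroy() hunk the order is now `bnx2fc_port_destroy(port)` before `bnx2fc_interface_put(interface)`, and that ordering is the substantive fix: the lport and its rport sysfs groups are torn down while the interface is still alive instead of after the last interface reference may already be gone, which is what produced the sysfs_remove_group() warnings in the description. A one-line comment at both call sites saying the destroy must precede the put would stop someone from reordering it back.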
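Review bot: with both `queue_work(bnx2fc_wq, &port->destroy_work)` calls gone and the two `flush_workqueue(bnx2fc_wq)` calls removed in the bnx2fc_indicate_netevent() and bnx2fc_ulp_exit() hunks, nothing in this patch queues work on `bnx2fc_wq` any more; if destroy_work was its only user, the workqueue's creation at module init and destruction at exit are now dead code and could be removed in a follow-up, which the changelog should mention either way.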
@@ -14,3 +14,39 @@ usb-gadget-f_sourcesink-fix-isoc-transfer-for-usb_speed_super_plus.patch usb-core-fix-hang-in-usb_kill_urb-by-adding-memory-barriers.patch usb-typec-tcpm-do-not-disconnect-while-receiving-vbus-off.patch net-sfp-ignore-disabled-sfp-node.patch +nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch +nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch +rpmsg-char-fix-race-between-the-release-of-rpmsg_ctr.patch +rpmsg-char-fix-race-between-the-release-of-rpmsg_ept.patch +arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch +net-fix-information-leakage-in-proc-net-ptype.patch +i40e-increase-delay-to-1-s-after-global-emp-reset.patch +i40e-fix-unsigned-stat-widths.patch +hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch +ibmvnic-don-t-spin-in-tasklet.patch +ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch +drm-msm-fix-wrong-size-calculation.patch +drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch +scsi-bnx2fc-flush-destroy_work-queue-before-calling-.patch +yam-fix-a-memory-leak-in-yam_siocdevprivate.patch +ipv4-raw-lock-the-socket-in-raw_bind.patch +ipv4-tcp-send-zero-ipid-in-synack-messages.patch +ipv4-avoid-using-shared-ip-generator-for-connected-s.patch +nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch-15107 +nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch-11193 +rpmsg-char-fix-race-between-the-release-of-rpmsg_ctr.patch-26086 +rpmsg-char-fix-race-between-the-release-of-rpmsg_ept.patch-29734 +arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch-24160 +net-fix-information-leakage-in-proc-net-ptype.patch-1813 +i40e-increase-delay-to-1-s-after-global-emp-reset.patch-25583 +i40e-fix-unsigned-stat-widths.patch-14535 +hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch-21434 +ibmvnic-don-t-spin-in-tasklet.patch-22225 +ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch-13110 +drm-msm-fix-wrong-size-calculation.patch-1527 
+drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch-4641 +scsi-bnx2fc-flush-destroy_work-queue-before-calling-.patch-13645 +yam-fix-a-memory-leak-in-yam_siocdevprivate.patch-22906 +ipv4-raw-lock-the-socket-in-raw_bind.patch-11142 +ipv4-tcp-send-zero-ipid-in-synack-messages.patch-24482 +ipv4-avoid-using-shared-ip-generator-for-connected-s.patch-11359 diff --git a/queue-4.14/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch-22906 b/queue-4.14/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch-22906 new file mode 100644 index 00000000000..122379ef111 --- /dev/null +++ b/queue-4.14/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch-22906 @@ -0,0 +1,37 @@ +From d16d555477666c17f4268bee566df717c875aebf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jan 2022 11:29:54 +0800 +Subject: yam: fix a memory leak in yam_siocdevprivate() + +From: Hangyu Hua + +[ Upstream commit 29eb31542787e1019208a2e1047bb7c76c069536 ] + +ym needs to be freed when ym->cmd != SIOCYAMSMCS. + +Fixes: 0781168e23a2 ("yam: fix a missing-check bug") +Signed-off-by: Hangyu Hua +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/yam.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c +index b74c735a423dd..3338e24b91a57 100644 +--- a/drivers/net/hamradio/yam.c ++++ b/drivers/net/hamradio/yam.c +@@ -980,9 +980,7 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + sizeof(struct yamdrv_ioctl_mcs)); + if (IS_ERR(ym)) + return PTR_ERR(ym); +- if (ym->cmd != SIOCYAMSMCS) +- return -EINVAL; +- if (ym->bitrate > YAM_MAXBITRATE) { ++ if (ym->cmd != SIOCYAMSMCS || ym->bitrate > YAM_MAXBITRATE) { + kfree(ym); + return -EINVAL; + } +-- +2.34.1 +
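Review bot: the queue-4.14/series hunk adds every new entry twice, first under the bare name (e.g. `nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch`) and again under the suffixed name that this commit actually creates (`nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch-15107`); unless the bare-name files already exist in the queue from an earlier commit, whatever consumes `series` will fail on them, and if they do exist each fix is applied twice. One of the two sets should be dropped, and the `.patch-NNNNN` suffixes look like a scripting artifact that should be normalised to `.patch` before the queue is applied.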
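Review bot: the yam_ioctl() hunk folds the `ym->cmd != SIOCYAMSMCS` test into the existing bitrate check so that both rejections go through the `kfree(ym)` path before returning -EINVAL; since `ym` is a fresh allocation filled from a user copy (see the `IS_ERR(ym)` line just above), both rejected fields are caller-controlled and the old early `return -EINVAL` leaked one `struct yamdrv_ioctl_mcs` per call, so this is a memory-exhaustion bug reachable through the ioctl rather than a tidiness fix, and the changelog's one sentence could say that. The merged condition is correct as written; if the two errors ever need to be distinguished, keep them as separate `if` blocks that both free `ym` rather than reintroducing an unfreeing return.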