From: Sasha Levin Date: Mon, 12 Oct 2020 02:46:08 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.4.239~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aff5f5dfae888cb35b8a3602923c139f858d1798;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch b/queue-4.14/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
new file mode 100644
index 00000000000..e76c584704b
--- /dev/null
+++ b/queue-4.14/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
@@ -0,0 +1,71 @@
+From 03c7570c2fa986118defff7c8a354a6145d365e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Sep 2020 06:38:07 -0700
+Subject: bonding: set dev->needed_headroom in bond_setup_by_slave()
+
+From: Eric Dumazet
+
+[ Upstream commit f32f19339596b214c208c0dba716f4b6cc4f6958 ]
+
+syzbot managed to crash a host by creating a bond
+with a GRE device.
+
+For non Ethernet device, bonding calls bond_setup_by_slave()
+instead of ether_setup(), and unfortunately dev->needed_headroom
+was not copied from the new added member.
+
+[ 171.243095] skbuff: skb_under_panic: text:ffffffffa184b9ea len:116 put:20 head:ffff883f84012dc0 data:ffff883f84012dbc tail:0x70 end:0xd00 dev:bond0
+[ 171.243111] ------------[ cut here ]------------
+[ 171.243112] kernel BUG at net/core/skbuff.c:112!
+[ 171.243117] invalid opcode: 0000 [#1] SMP KASAN PTI
+[ 171.243469] gsmi: Log Shutdown Reason 0x03
+[ 171.243505] Call Trace:
+[ 171.243506]
+[ 171.243512] [] skb_push+0x49/0x50
+[ 171.243516] [] ipgre_header+0x2a/0xf0
+[ 171.243520] [] neigh_connected_output+0xb7/0x100
+[ 171.243524] [] ip6_finish_output2+0x383/0x490
+[ 171.243528] [] __ip6_finish_output+0xa2/0x110
+[ 171.243531] [] ip6_finish_output+0x2c/0xa0
+[ 171.243534] [] ip6_output+0x69/0x110
+[ 171.243537] [] ? ip6_output+0x110/0x110
+[ 171.243541] [] mld_sendpack+0x1b2/0x2d0
+[ 171.243544] [] ? mld_send_report+0xf0/0xf0
+[ 171.243548] [] mld_ifc_timer_expire+0x2d7/0x3b0
+[ 171.243551] [] ? mld_gq_timer_expire+0x50/0x50
+[ 171.243556] [] call_timer_fn+0x30/0x130
+[ 171.243559] [] expire_timers+0x4c/0x110
+[ 171.243563] [] __run_timers+0x213/0x260
+[ 171.243566] [] ? ktime_get+0x3d/0xa0
+[ 171.243570] [] ? clockevents_program_event+0x7e/0xe0
+[ 171.243574] [] ? sched_clock_cpu+0x15/0x190
+[ 171.243577] [] run_timer_softirq+0x1d/0x40
+[ 171.243581] [] __do_softirq+0x152/0x2f0
+[ 171.243585] [] irq_exit+0x9f/0xb0
+[ 171.243588] [] smp_apic_timer_interrupt+0xfd/0x1a0
+[ 171.243591] [] apic_timer_interrupt+0x86/0x90
+
+Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 861d2c0a521a4..6aaf1196d9a55 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1129,6 +1129,7 @@ static void bond_setup_by_slave(struct net_device *bond_dev,
+
+ bond_dev->type = slave_dev->type;
+ bond_dev->hard_header_len = slave_dev->hard_header_len;
++ bond_dev->needed_headroom = slave_dev->needed_headroom;
+ bond_dev->addr_len = slave_dev->addr_len;
+
+ memcpy(bond_dev->broadcast, slave_dev->broadcast,
+--
+2.25.1
+
diff --git a/queue-4.14/mdio-fix-mdio-thunder.c-dependency-build-error.patch b/queue-4.14/mdio-fix-mdio-thunder.c-dependency-build-error.patch
new file mode 100644
index 00000000000..d5847e26f3a
--- /dev/null
+++ b/queue-4.14/mdio-fix-mdio-thunder.c-dependency-build-error.patch
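Review bot: `needed_tailroom` is not copied next to the new `bond_dev->needed_headroom = slave_dev->needed_headroom;` line in bond_setup_by_slave(), although the commit named in the Fixes: tag introduced head- and tailroom together. If a non-Ethernet slave can also declare tailroom, the bond would under-reserve at the tail in the same way; consider `bond_dev->needed_tailroom = slave_dev->needed_tailroom;` or a comment saying why it is not needed. The function body starts and ends outside the hunk, so a later assignment may already cover this.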
@@ -0,0 +1,45 @@
+From 39f2da0b0ab6285ac5ad169c4e5a45e5f218c13c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 26 Sep 2020 21:33:43 -0700
+Subject: mdio: fix mdio-thunder.c dependency & build error
+
+From: Randy Dunlap
+
+[ Upstream commit 7dbbcf496f2a4b6d82cfc7810a0746e160b79762 ]
+
+Fix build error by selecting MDIO_DEVRES for MDIO_THUNDER.
+Fixes this build error:
+
+ld: drivers/net/phy/mdio-thunder.o: in function `thunder_mdiobus_pci_probe':
+drivers/net/phy/mdio-thunder.c:78: undefined reference to `devm_mdiobus_alloc_size'
+
+Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.")
+Reported-by: kernel test robot
+Signed-off-by: Randy Dunlap
+Cc: Bartosz Golaszewski
+Cc: Andrew Lunn
+Cc: Heiner Kallweit
+Cc: netdev@vger.kernel.org
+Cc: David Daney
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
+index cd931cf9dcc26..e08d822338341 100644
+--- a/drivers/net/phy/Kconfig
++++ b/drivers/net/phy/Kconfig
+@@ -146,6 +146,7 @@ config MDIO_THUNDER
+ depends on 64BIT
+ depends on PCI
+ select MDIO_CAVIUM
++ select MDIO_DEVRES
+ help
+ This driver supports the MDIO interfaces found on Cavium
+ ThunderX SoCs when the MDIO bus device appears as a PCI
+--
+2.25.1
+
diff --git a/queue-4.14/mmc-core-don-t-set-limits.discard_granularity-as-0.patch b/queue-4.14/mmc-core-don-t-set-limits.discard_granularity-as-0.patch
new file mode 100644
index 00000000000..5c0afc00965
--- /dev/null
+++ b/queue-4.14/mmc-core-don-t-set-limits.discard_granularity-as-0.patch
@@ -0,0 +1,70 @@
+From 0f1430c1d00252a33e8bb987805610e7adfbf3f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Oct 2020 09:38:52 +0800
+Subject: mmc: core: don't set limits.discard_granularity as 0
+
+From: Coly Li
+
+[ Upstream commit 4243219141b67d7c2fdb2d8073c17c539b9263eb ]
+
+In mmc_queue_setup_discard() the mmc driver queue's discard_granularity
+might be set as 0 (when card->pref_erase > max_discard) while the mmc
+device still declares to support discard operation. This is buggy and
+triggered the following kernel warning message,
+
+WARNING: CPU: 0 PID: 135 at __blkdev_issue_discard+0x200/0x294
+CPU: 0 PID: 135 Comm: f2fs_discard-17 Not tainted 5.9.0-rc6 #1
+Hardware name: Google Kevin (DT)
+pstate: 00000005 (nzcv daif -PAN -UAO BTYPE=--)
+pc : __blkdev_issue_discard+0x200/0x294
+lr : __blkdev_issue_discard+0x54/0x294
+sp : ffff800011dd3b10
+x29: ffff800011dd3b10 x28: 0000000000000000 x27: ffff800011dd3cc4 x26: ffff800011dd3e18 x25: 000000000004e69b x24: 0000000000000c40 x23: ffff0000f1deaaf0 x22: ffff0000f2849200 x21: 00000000002734d8 x20: 0000000000000008 x19: 0000000000000000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000394 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 00000000000008b0 x9 : ffff800011dd3cb0 x8 : 000000000004e69b x7 : 0000000000000000 x6 : ffff0000f1926400 x5 : ffff0000f1940800 x4 : 0000000000000000 x3 : 0000000000000c40 x2 : 0000000000000008 x1 : 00000000002734d8 x0 : 0000000000000000 Call trace:
+__blkdev_issue_discard+0x200/0x294
+__submit_discard_cmd+0x128/0x374
+__issue_discard_cmd_orderly+0x188/0x244
+__issue_discard_cmd+0x2e8/0x33c
+issue_discard_thread+0xe8/0x2f0
+kthread+0x11c/0x120
+ret_from_fork+0x10/0x1c
+---[ end trace e4c8023d33dfe77a ]---
+
+This patch fixes the issue by setting discard_granularity as SECTOR_SIZE
+instead of 0 when (card->pref_erase > max_discard) is true. Now no more
+complain from __blkdev_issue_discard() for the improper value of discard
+granularity.
+
+This issue is exposed after commit b35fd7422c2f ("block: check queue's
+limits.discard_granularity in __blkdev_issue_discard()"), a "Fixes:" tag
+is also added for the commit to make sure people won't miss this patch
+after applying the change of __blkdev_issue_discard().
+
+Fixes: e056a1b5b67b ("mmc: queue: let host controllers specify maximum discard timeout")
+Fixes: b35fd7422c2f ("block: check queue's limits.discard_granularity in __blkdev_issue_discard()").
+Reported-and-tested-by: Vicente Bergas
+Signed-off-by: Coly Li
+Acked-by: Adrian Hunter
+Cc: Ulf Hansson
+Link: https://lore.kernel.org/r/20201002013852.51968-1-colyli@suse.de
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/mmc/core/queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c
+index f74f9ef460cc9..218472879d9ce 100644
+--- a/drivers/mmc/core/queue.c
++++ b/drivers/mmc/core/queue.c
+@@ -143,7 +143,7 @@ static void mmc_queue_setup_discard(struct request_queue *q,
+ q->limits.discard_granularity = card->pref_erase << 9;
+ /* granularity must not be greater than max. discard */
+ if (card->pref_erase > max_discard)
+- q->limits.discard_granularity = 0;
++ q->limits.discard_granularity = SECTOR_SIZE;
+ if (mmc_can_secure_erase_trim(card))
+ queue_flag_set_unlocked(QUEUE_FLAG_SECERASE, q);
+ }
+--
+2.25.1
+
diff --git a/queue-4.14/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch b/queue-4.14/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch
new file mode 100644
index 00000000000..3820fba1c35
--- /dev/null
+++ b/queue-4.14/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch
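Review bot: The comment `/* granularity must not be greater than max. discard */` above the changed assignment in mmc_queue_setup_discard() no longer explains the value that is chosen. Per the commit message, a granularity of 0 trips the check in __blkdev_issue_discard() while the device still advertises discard, so the comment should record that, e.g. `/* pref_erase exceeds max. discard: fall back to one sector, never 0 */`. The function starts outside the hunk.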
@@ -0,0 +1,66 @@
+From fe594f43982b1056f8cc19ee03884b7b32d1ae1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Sep 2020 16:56:14 +0800
+Subject: net: stmmac: removed enabling eee in EEE set callback
+
+From: Voon Weifeng
+
+[ Upstream commit 7241c5a697479c7d0c5a96595822cdab750d41ae ]
+
+EEE should be only be enabled during stmmac_mac_link_up() when the
+link are up and being set up properly. set_eee should only do settings
+configuration and disabling the eee.
+
+Without this fix, turning on EEE using ethtool will return
+"Operation not supported". This is due to the driver is in a dead loop
+waiting for eee to be advertised in the for eee to be activated but the
+driver will only configure the EEE advertisement after the eee is
+activated.
+
+Ethtool should only return "Operation not supported" if there is no EEE
+capbility in the MAC controller.
+
+Fixes: 8a7493e58ad6 ("net: stmmac: Fix a race in EEE enable callback")
+Signed-off-by: Voon Weifeng
+Acked-by: Mark Gross
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+index 8c71090081852..5105e1f724fb7 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -677,23 +677,16 @@ static int stmmac_ethtool_op_set_eee(struct net_device *dev,
+ struct stmmac_priv *priv = netdev_priv(dev);
+ int ret;
+
+- if (!edata->eee_enabled) {
++ if (!priv->dma_cap.eee)
++ return -EOPNOTSUPP;
++
++ if (!edata->eee_enabled)
+ stmmac_disable_eee_mode(priv);
+- } else {
+- /* We are asking for enabling the EEE but it is safe
+- * to verify all by invoking the eee_init function.
+- * In case of failure it will return an error.
+- */
+- edata->eee_enabled = stmmac_eee_init(priv);
+- if (!edata->eee_enabled)
+- return -EOPNOTSUPP;
+- }
+
+ ret = phy_ethtool_set_eee(dev->phydev, edata);
+ if (ret)
+ return ret;
+
+- priv->eee_enabled = edata->eee_enabled;
+ priv->tx_lpi_timer = edata->tx_lpi_timer;
+ return 0;
+ }
+--
+2.25.1
+
diff --git a/queue-4.14/net-usb-ax88179_178a-fix-missing-stop-entry-in-drive.patch b/queue-4.14/net-usb-ax88179_178a-fix-missing-stop-entry-in-drive.patch
new file mode 100644
index 00000000000..cfdf417ff94
--- /dev/null
+++ b/queue-4.14/net-usb-ax88179_178a-fix-missing-stop-entry-in-drive.patch
@@ -0,0 +1,34 @@
+From e0c5b634e3f9c145cddd87dafd0463e9f9ac1020 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 28 Sep 2020 11:01:04 +0200
+Subject: net: usb: ax88179_178a: fix missing stop entry in driver_info
+
+From: Wilken Gottwalt
+
+[ Upstream commit 9666ea66a74adfe295cb3a8760c76e1ef70f9caf ]
+
+Adds the missing .stop entry in the Belkin driver_info structure.
+
+Fixes: e20bd60bf62a ("net: usb: asix88179_178a: Add support for the Belkin B2B128")
+Signed-off-by: Wilken Gottwalt
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/ax88179_178a.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
+index 875639b0e9d56..e7193a541244b 100644
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -1736,6 +1736,7 @@ static const struct driver_info belkin_info = {
+ .status = ax88179_status,
+ .link_reset = ax88179_link_reset,
+ .reset = ax88179_reset,
++ .stop = ax88179_stop,
+ .flags = FLAG_ETHER | FLAG_FRAMING_AX,
+ .rx_fixup = ax88179_rx_fixup,
+ .tx_fixup = ax88179_tx_fixup,
+--
+2.25.1
+
diff --git a/queue-4.14/perf-fix-task_function_call-error-handling.patch b/queue-4.14/perf-fix-task_function_call-error-handling.patch
new file mode 100644
index 00000000000..1ebf7d49a48
--- /dev/null
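Review bot: In stmmac_ethtool_op_set_eee() the removed `priv->eee_enabled = edata->eee_enabled;` leaves nothing in this function that records a user's disable request; the new code calls `stmmac_disable_eee_mode(priv)` but `priv->eee_enabled` is now only written elsewhere. Whether stmmac_disable_eee_mode() or the link-up path clears the flag is not visible here, so the driver's cached state may disagree with what was just configured, which is worth confirming. A one-line comment such as `/* enabling happens at link-up; only disabling is done here */` above the `if (!edata->eee_enabled)` test would record the intent. The function signature is cut by the hunk header.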
+++ b/queue-4.14/perf-fix-task_function_call-error-handling.patch 
@@ -0,0 +1,57 @@
+From fe7f6def8d9dfdd88781ee1bcef6ca10fac02d17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Aug 2020 12:17:32 +0530
+Subject: perf: Fix task_function_call() error handling
+
+From: Kajol Jain
+
+[ Upstream commit 6d6b8b9f4fceab7266ca03d194f60ec72bd4b654 ]
+
+The error handling introduced by commit:
+
+ 2ed6edd33a21 ("perf: Add cond_resched() to task_function_call()")
+
+looses any return value from smp_call_function_single() that is not
+{0, -EINVAL}. This is a problem because it will return -EXNIO when the
+target CPU is offline. Worse, in that case it'll turn into an infinite
+loop.
+
+Fixes: 2ed6edd33a21 ("perf: Add cond_resched() to task_function_call()")
+Reported-by: Srikar Dronamraju
+Signed-off-by: Kajol Jain
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Ingo Molnar
+Reviewed-by: Barret Rhoden
+Tested-by: Srikar Dronamraju
+Link: https://lkml.kernel.org/r/20200827064732.20860-1-kjain@linux.ibm.com
+Signed-off-by: Sasha Levin
+---
+ kernel/events/core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index e50b140053f9a..5807fad2c4057 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -98,7 +98,7 @@ static void remote_function(void *data)
+ * retry due to any failures in smp_call_function_single(), such as if the
+ * task_cpu() goes offline concurrently.
+ *
+- * returns @func return value or -ESRCH when the process isn't running
++ * returns @func return value or -ESRCH or -ENXIO when the process isn't running
+ */
+ static int
+ task_function_call(struct task_struct *p, remote_function_f func, void *info)
+@@ -114,7 +114,8 @@ task_function_call(struct task_struct *p, remote_function_f func, void *info)
+ for (;;) {
+ ret = smp_call_function_single(task_cpu(p), remote_function,
+ &data, 1);
+- ret = !ret ? data.ret : -EAGAIN;
++ if (!ret)
++ ret = data.ret;
+
+ if (ret != -EAGAIN)
+ break;
+--
+2.25.1
+
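Review bot: The comment fragment kept as context above task_function_call() still reads `retry due to any failures in smp_call_function_single()`, which the second hunk makes untrue: a non-zero return from smp_call_function_single() now stays in `ret` and leaves the loop, and only `-EAGAIN` arriving through `data.ret` retries. The comment should be reworded along the lines of `retry only when the remote function reports -EAGAIN; errors from smp_call_function_single() are returned to the caller`. The start of that comment lies outside the hunk, so the full sentence could not be checked.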
diff --git a/queue-4.14/platform-x86-fix-kconfig-dependency-warning-for-fuji.patch b/queue-4.14/platform-x86-fix-kconfig-dependency-warning-for-fuji.patch
new file mode 100644
index 00000000000..c44e04fe5ee
--- /dev/null
+++ b/queue-4.14/platform-x86-fix-kconfig-dependency-warning-for-fuji.patch
@@ -0,0 +1,46 @@
+From 530808f9bc084003192ad559de1c23b2e7d51304 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Sep 2020 19:16:53 +0300
+Subject: platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP
+
+From: Necip Fazil Yildiran
+
+[ Upstream commit afdd1ebb72051e8b6b83c4d7dc542a9be0e1352d ]
+
+When FUJITSU_LAPTOP is enabled and NEW_LEDS is disabled, it results in the
+following Kbuild warning:
+
+WARNING: unmet direct dependencies detected for LEDS_CLASS
+ Depends on [n]: NEW_LEDS [=n]
+ Selected by [y]:
+ - FUJITSU_LAPTOP [=y] && X86 [=y] && X86_PLATFORM_DEVICES [=y] && ACPI [=y] && INPUT [=y] && BACKLIGHT_CLASS_DEVICE [=y] && (ACPI_VIDEO [=n] || ACPI_VIDEO [=n]=n)
+
+The reason is that FUJITSU_LAPTOP selects LEDS_CLASS without depending on
+or selecting NEW_LEDS while LEDS_CLASS is subordinate to NEW_LEDS.
+
+Honor the kconfig menu hierarchy to remove kconfig dependency warnings.
+
+Reported-by: Hans de Goede
+Fixes: d89bcc83e709 ("platform/x86: fujitsu-laptop: select LEDS_CLASS")
+Signed-off-by: Necip Fazil Yildiran
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
+index 09035705d0a07..4f872e62508a8 100644
+--- a/drivers/platform/x86/Kconfig
++++ b/drivers/platform/x86/Kconfig
+@@ -183,6 +183,7 @@ config FUJITSU_LAPTOP
+ depends on BACKLIGHT_CLASS_DEVICE
+ depends on ACPI_VIDEO || ACPI_VIDEO = n
+ select INPUT_SPARSEKMAP
++ select NEW_LEDS
+ select LEDS_CLASS
+ ---help---
+ This is a driver for laptops built by Fujitsu:
+--
+2.25.1
+
diff --git a/queue-4.14/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch b/queue-4.14/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch
new file mode 100644
index 00000000000..c01bd94be76
--- /dev/null
+++ b/queue-4.14/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch
@@ -0,0 +1,47 @@
+From 615744cbecc16c162ef9fe7cc3a5776ce06e3ff9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Sep 2020 22:09:04 +0100
+Subject: rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()
+
+From: David Howells
+
+[ Upstream commit 9a059cd5ca7d9c5c4ca5a6e755cf72f230176b6a ]
+
+If rxrpc_read() (which allows KEYCTL_READ to read a key), sees a token of a
+type it doesn't recognise, it can BUG in a couple of places, which is
+unnecessary as it can easily get back to userspace.
+
+Fix this to print an error message instead.
+
+Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)")
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+---
+ net/rxrpc/key.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
+index fead67b42a993..1fe203c56faf0 100644
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -1110,7 +1110,8 @@ static long rxrpc_read(const struct key *key,
+ break;
+
+ default: /* we have a ticket we can't encode */
+- BUG();
++ pr_err("Unsupported key token type (%u)\n",
++ token->security_index);
+ continue;
+ }
+
+@@ -1226,7 +1227,6 @@ static long rxrpc_read(const struct key *key,
+ break;
+
+ default:
+- BUG();
+ break;
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.14/rxrpc-fix-rxkad-token-xdr-encoding.patch b/queue-4.14/rxrpc-fix-rxkad-token-xdr-encoding.patch
new file mode 100644
index 00000000000..98d6ca8d986
--- /dev/null
+++ b/queue-4.14/rxrpc-fix-rxkad-token-xdr-encoding.patch
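Review bot: The `pr_err("Unsupported key token type (%u)\n", ...)` added in the first `default:` of rxrpc_read() runs on every read of such a key, and the commit message says this path is reached through KEYCTL_READ, so repeated reads can fill the kernel log without bound. `pr_err_ratelimited(` with the same arguments keeps the diagnostic and caps its volume. The second `default:` now ends silently with `break;` while the first uses `continue;`; a short comment on each stating that unknown token types are skipped would show the difference is deliberate. Both switches sit in a function that extends beyond the hunks.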
@@ -0,0 +1,68 @@
+From 44ef7b1f4a0ebf3e6bd5f72de035b4752616cae6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 14:01:24 -0300
+Subject: rxrpc: Fix rxkad token xdr encoding
+
+From: Marc Dionne
+
+[ Upstream commit 56305118e05b2db8d0395bba640ac9a3aee92624 ]
+
+The session key should be encoded with just the 8 data bytes and
+no length; ENCODE_DATA precedes it with a 4 byte length, which
+confuses some existing tools that try to parse this format.
+
+Add an ENCODE_BYTES macro that does not include a length, and use
+it for the key. Also adjust the expected length.
+
+Note that commit 774521f353e1d ("rxrpc: Fix an assertion in
+rxrpc_read()") had fixed a BUG by changing the length rather than
+fixing the encoding. The original length was correct.
+
+Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)")
+Signed-off-by: Marc Dionne
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+---
+ net/rxrpc/key.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
+index ad9d1b21cb0ba..fead67b42a993 100644
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -1075,7 +1075,7 @@ static long rxrpc_read(const struct key *key,
+
+ switch (token->security_index) {
+ case RXRPC_SECURITY_RXKAD:
+- toksize += 9 * 4; /* viceid, kvno, key*2 + len, begin,
++ toksize += 8 * 4; /* viceid, kvno, key*2, begin,
+ * end, primary, tktlen */
+ toksize += RND(token->kad->ticket_len);
+ break;
+@@ -1141,6 +1141,14 @@ static long rxrpc_read(const struct key *key,
+ memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \
+ xdr += (_l + 3) >> 2; \
+ } while(0)
++#define ENCODE_BYTES(l, s) \
++ do { \
++ u32 _l = (l); \
++ memcpy(xdr, (s), _l); \
++ if (_l & 3) \
++ memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \
++ xdr += (_l + 3) >> 2; \
++ } while(0)
+ #define ENCODE64(x) \
+ do { \
+ __be64 y = cpu_to_be64(x); \
+@@ -1168,7 +1176,7 @@ static long rxrpc_read(const struct key *key,
+ case RXRPC_SECURITY_RXKAD:
+ ENCODE(token->kad->vice_id);
+ ENCODE(token->kad->kvno);
+- ENCODE_DATA(8, token->kad->session_key);
++ ENCODE_BYTES(8, token->kad->session_key);
+ ENCODE(token->kad->start);
+ ENCODE(token->kad->expiry);
+ ENCODE(token->kad->primary_flag);
+--
+2.25.1
+
diff --git a/queue-4.14/rxrpc-fix-server-keyring-leak.patch b/queue-4.14/rxrpc-fix-server-keyring-leak.patch
new file mode 100644
index 00000000000..22e75d04d45
--- /dev/null
+++ b/queue-4.14/rxrpc-fix-server-keyring-leak.patch
@@ -0,0 +1,37 @@
+From 5cb078d5c282903d6e3d539a4f043b36b43ba2d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Oct 2020 14:04:51 +0100
+Subject: rxrpc: Fix server keyring leak
+
+From: David Howells
+
+[ Upstream commit 38b1dc47a35ba14c3f4472138ea56d014c2d609b ]
+
+If someone calls setsockopt() twice to set a server key keyring, the first
+keyring is leaked.
+
+Fix it to return an error instead if the server key keyring is already set.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+---
+ net/rxrpc/key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
+index 1fe203c56faf0..2fe2add62a8ed 100644
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -905,7 +905,7 @@ int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen)
+
+ _enter("");
+
+- if (optlen <= 0 || optlen > PAGE_SIZE - 1)
++ if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities)
+ return -EINVAL;
+
+ description = memdup_user_nul(optval, optlen);
+--
+2.25.1
+
diff --git a/queue-4.14/rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch b/queue-4.14/rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch
new file mode 100644
index 00000000000..204c6401928
--- /dev/null
+++ b/queue-4.14/rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch
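Review bot: `ENCODE_BYTES(8, token->kad->session_key)` and the `8 * 4` size in the first hunk of the rxkad encoding patch both hard-code the session key length, and rxrpc_read() only stays inside its buffer if the size computed up front and the bytes written later agree. Deriving the length from the field, `ENCODE_BYTES(sizeof(token->kad->session_key), token->kad->session_key);`, ties the copy to the declaration (assuming session_key is an array; its definition is not on this page). The new macro also repeats, line for line, the padding code visible as context at the end of the macro above it (presumably ENCODE_DATA), so that macro could become `ENCODE(l); ENCODE_BYTES(l, s);` and leave a single copy to audit.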
@@ -0,0 +1,51 @@
+From c10f252af3f01e30f2ee3a86fe96dea21f81e967 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Oct 2020 11:57:40 +0100
+Subject: rxrpc: Fix some missing _bh annotations on locking conn->state_lock
+
+From: David Howells
+
+[ Upstream commit fa1d113a0f96f9ab7e4fe4f8825753ba1e34a9d3 ]
+
+conn->state_lock may be taken in softirq mode, but a previous patch
+replaced an outer lock in the response-packet event handling code, and lost
+the _bh from that when doing so.
+
+Fix this by applying the _bh annotation to the state_lock locking.
+
+Fixes: a1399f8bb033 ("rxrpc: Call channels should have separate call number spaces")
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+---
+ net/rxrpc/conn_event.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
+index 75ec1ad595b72..2432c118397f6 100644
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -316,18 +316,18 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
+ return ret;
+
+ spin_lock(&conn->channel_lock);
+- spin_lock(&conn->state_lock);
++ spin_lock_bh(&conn->state_lock);
+
+ if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) {
+ conn->state = RXRPC_CONN_SERVICE;
+- spin_unlock(&conn->state_lock);
++ spin_unlock_bh(&conn->state_lock);
+ for (loop = 0; loop < RXRPC_MAXCALLS; loop++)
+ rxrpc_call_is_secure(
+ rcu_dereference_protected(
+ conn->channels[loop].call,
+ lockdep_is_held(&conn->channel_lock)));
+ } else {
+- spin_unlock(&conn->state_lock);
++ spin_unlock_bh(&conn->state_lock);
+ }
+
+ spin_unlock(&conn->channel_lock);
+--
+2.25.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 5bd8827c5ee..128ba336957 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -51,3 +51,18 @@ team-set-dev-needed_headroom-in-team_setup_by_port.patch
 net-team-fix-memory-leak-in-__team_options_register.patch
 openvswitch-handle-dnat-tuple-collision.patch
 drm-amdgpu-prevent-double-kfree-ttm-sg.patch
+xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch
+xfrm-clone-xfrma_sec_ctx-in-xfrm_do_migrate.patch
+xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
+net-stmmac-removed-enabling-eee-in-eee-set-callback.patch
+platform-x86-fix-kconfig-dependency-warning-for-fuji.patch
+xfrm-use-correct-address-family-in-xfrm_state_find.patch
+bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
+mdio-fix-mdio-thunder.c-dependency-build-error.patch
+net-usb-ax88179_178a-fix-missing-stop-entry-in-drive.patch
+rxrpc-fix-rxkad-token-xdr-encoding.patch
+rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch
+rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch
+rxrpc-fix-server-keyring-leak.patch
+perf-fix-task_function_call-error-handling.patch
+mmc-core-don-t-set-limits.discard_granularity-as-0.patch
diff --git a/queue-4.14/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch b/queue-4.14/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
new file mode 100644
index 00000000000..341cf00ef32
--- /dev/null
+++ b/queue-4.14/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
@@ -0,0 +1,39 @@
+From 893ddfb8bbaa33c416cf53d650104dfad5f39400 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 08:50:29 +0200
+Subject: xfrm: clone whole liftime_cur structure in xfrm_do_migrate
+
+From: Antony Antony
+
+[ Upstream commit 8366685b2883e523f91e9816d7be371eb1144749 ]
+
+When we clone state only add_time was cloned. It missed values like
+bytes, packets. Now clone the all members of the structure.
+
+v1->v3:
+ - use memcpy to copy the entire structure
+
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Signed-off-by: Antony Antony
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 37104258808a8..3f21d34833cf0 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1427,7 +1427,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
+ x->tfcpad = orig->tfcpad;
+ x->replay_maxdiff = orig->replay_maxdiff;
+ x->replay_maxage = orig->replay_maxage;
+- x->curlft.add_time = orig->curlft.add_time;
++ memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft));
+ x->km.state = orig->km.state;
+ x->km.seq = orig->km.seq;
+ x->replay = orig->replay;
+--
+2.25.1
+
diff --git a/queue-4.14/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch b/queue-4.14/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch
new file mode 100644
index 00000000000..9f946cbe3cc
--- /dev/null
+++ b/queue-4.14/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch
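Review bot: `memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft));` in xfrm_state_clone() copies between two members of the same name on two `struct xfrm_state` objects, where plain assignment `x->curlft = orig->curlft;` does the same job and lets the compiler check the types instead of trusting a size argument. The neighbouring context line `x->replay = orig->replay;` already uses the assignment form. This is a style point only; the copied bytes are the same.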
@@ -0,0 +1,58 @@
+From fa86f7f41d1c1d41a52ae35e8119badfa3b39c1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 08:49:55 +0200
+Subject: xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate
+
+From: Antony Antony
+
+[ Upstream commit 91a46c6d1b4fcbfa4773df9421b8ad3e58088101 ]
+
+XFRMA_REPLAY_ESN_VAL was not cloned completely from the old to the new.
+Migrate this attribute during XFRMA_MSG_MIGRATE
+
+v1->v2:
+ - move curleft cloning to a separate patch
+
+Fixes: af2f464e326e ("xfrm: Assign esn pointers when cloning a state")
+Signed-off-by: Antony Antony
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ include/net/xfrm.h | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 57b8b11cf7d42..86ff111574496 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1808,21 +1808,17 @@ static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay
+ static inline int xfrm_replay_clone(struct xfrm_state *x,
+ struct xfrm_state *orig)
+ {
+- x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn),
++
++ x->replay_esn = kmemdup(orig->replay_esn,
++ xfrm_replay_state_esn_len(orig->replay_esn),
+ GFP_KERNEL);
+ if (!x->replay_esn)
+ return -ENOMEM;
+-
+- x->replay_esn->bmp_len = orig->replay_esn->bmp_len;
+- x->replay_esn->replay_window = orig->replay_esn->replay_window;
+-
+- x->preplay_esn = kmemdup(x->replay_esn,
+- xfrm_replay_state_esn_len(x->replay_esn),
++ x->preplay_esn = kmemdup(orig->preplay_esn,
++ xfrm_replay_state_esn_len(orig->preplay_esn),
+ GFP_KERNEL);
+- if (!x->preplay_esn) {
+- kfree(x->replay_esn);
++ if (!x->preplay_esn)
+ return -ENOMEM;
+- }
+
+ return 0;
+ }
+--
+2.25.1
+
diff --git a/queue-4.14/xfrm-clone-xfrma_sec_ctx-in-xfrm_do_migrate.patch b/queue-4.14/xfrm-clone-xfrma_sec_ctx-in-xfrm_do_migrate.patch
new file mode 100644
index 00000000000..331756637bf
--- /dev/null
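Review bot: When the second `kmemdup()` in xfrm_replay_clone() fails, the function now returns -ENOMEM with `x->replay_esn` still allocated, because this change drops the `kfree(x->replay_esn);` that used to precede that return. That is only leak-free if every caller releases `x` through a path that frees replay_esn; the caller is not in this hunk, so either keep the kfree and set the pointer to NULL, or add a comment naming the cleanup the caller performs. The call `xfrm_replay_state_esn_len(orig->preplay_esn)` also assumes orig->preplay_esn is non-NULL whenever orig->replay_esn is set, which nothing in this hunk checks.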
+++ b/queue-4.14/xfrm-clone-xfrma_sec_ctx-in-xfrm_do_migrate.patch 
@@ -0,0 +1,74 @@
+From 6b45c75b907fe590aabb1db265dd7e7136ee0cb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 08:50:11 +0200
+Subject: xfrm: clone XFRMA_SEC_CTX in xfrm_do_migrate
+
+From: Antony Antony
+
+[ Upstream commit 7aa05d304785204703a67a6aa7f1db402889a172 ]
+
+XFRMA_SEC_CTX was not cloned from the old to the new.
+Migrate this attribute during XFRMA_MSG_MIGRATE
+
+v1->v2:
+ - return -ENOMEM on error
+v2->v3:
+ - fix return type to int
+
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Signed-off-by: Antony Antony
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_state.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 190ca59d5ba31..37104258808a8 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1320,6 +1320,30 @@ out:
+ EXPORT_SYMBOL(xfrm_state_add);
+
+ #ifdef CONFIG_XFRM_MIGRATE
++static inline int clone_security(struct xfrm_state *x, struct xfrm_sec_ctx *security)
++{
++ struct xfrm_user_sec_ctx *uctx;
++ int size = sizeof(*uctx) + security->ctx_len;
++ int err;
++
++ uctx = kmalloc(size, GFP_KERNEL);
++ if (!uctx)
++ return -ENOMEM;
++
++ uctx->exttype = XFRMA_SEC_CTX;
++ uctx->len = size;
++ uctx->ctx_doi = security->ctx_doi;
++ uctx->ctx_alg = security->ctx_alg;
++ uctx->ctx_len = security->ctx_len;
++ memcpy(uctx + 1, security->ctx_str, security->ctx_len);
++ err = security_xfrm_state_alloc(x, uctx);
++ kfree(uctx);
++ if (err)
++ return err;
++
++ return 0;
++}
++
+ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
+ struct xfrm_encap_tmpl *encap)
+ {
+@@ -1376,6 +1400,10 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
+ goto error;
+ }
+
++ if (orig->security)
++ if (clone_security(x, orig->security))
++ goto error;
++
+ if (orig->coaddr) {
+ x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
+ GFP_KERNEL);
+--
+2.25.1
+
diff --git a/queue-4.14/xfrm-use-correct-address-family-in-xfrm_state_find.patch b/queue-4.14/xfrm-use-correct-address-family-in-xfrm_state_find.patch
new file mode 100644
index 00000000000..388cbcf256f
--- /dev/null
+++ b/queue-4.14/xfrm-use-correct-address-family-in-xfrm_state_find.patch
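Review bot: The nested `if (orig->security)` / `if (clone_security(x, orig->security))` added to xfrm_state_clone() has no braces on the outer test, which invites a dangling-else mistake on the next edit; `if (orig->security && clone_security(x, orig->security))` followed by `goto error;` states the same condition in one place. In clone_security() the tail `if (err) return err; return 0;` reduces to `return err;`. Separately, `uctx->len = size;` stores an `int` built from `sizeof(*uctx) + security->ctx_len`; if `len` is a 16-bit field (its declaration is not on this page) a large ctx_len would be truncated there, so a range check or a comment stating the bound on ctx_len would help.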
@@ -0,0 +1,82 @@
+From 5c0c1ee8a691bc558010c896eb397fbe5031a97b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Sep 2020 14:42:56 +1000
+Subject: xfrm: Use correct address family in xfrm_state_find
+
+From: Herbert Xu
+
+[ Upstream commit e94ee171349db84c7cfdc5fefbebe414054d0924 ]
+
+The struct flowi must never be interpreted by itself as its size
+depends on the address family. Therefore it must always be grouped
+with its original family value.
+
+In this particular instance, the original family value is lost in
+the function xfrm_state_find. Therefore we get a bogus read when
+it's coupled with the wrong family which would occur with inter-
+family xfrm states.
+
+This patch fixes it by keeping the original family value.
+
+Note that the same bug could potentially occur in LSM through
+the xfrm_state_pol_flow_match hook. I checked the current code
+there and it seems to be safe for now as only secid is used which
+is part of struct flowi_common. But that API should be changed
+so that so that we don't get new bugs in the future. We could
+do that by replacing fl with just secid or adding a family field.
+
+Reported-by: syzbot+577fbac3145a6eb2e7a5@syzkaller.appspotmail.com
+Fixes: 48b8d78315bf ("[XFRM]: State selection update to use inner...")
+Signed-off-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_state.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 3f21d34833cf0..05c275a712f11 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -909,7 +909,8 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
+ */
+ if (x->km.state == XFRM_STATE_VALID) {
+ if ((x->sel.family &&
+- !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
++ (x->sel.family != family ||
++ !xfrm_selector_match(&x->sel, fl, family))) ||
+ !security_xfrm_state_pol_flow_match(x, pol, fl))
+ return;
+
+@@ -922,7 +923,9 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
+ *acq_in_progress = 1;
+ } else if (x->km.state == XFRM_STATE_ERROR ||
+ x->km.state == XFRM_STATE_EXPIRED) {
+- if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
++ if ((!x->sel.family ||
++ (x->sel.family == family &&
++ xfrm_selector_match(&x->sel, fl, family))) &&
+ security_xfrm_state_pol_flow_match(x, pol, fl))
+ *error = -ESRCH;
+ }
+@@ -961,7 +964,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
+ tmpl->mode == x->props.mode &&
+ tmpl->id.proto == x->id.proto &&
+ (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
+- xfrm_state_look_at(pol, x, fl, encap_family,
++ xfrm_state_look_at(pol, x, fl, family,
+ &best, &acquire_in_progress, &error);
+ }
+ if (best || acquire_in_progress)
+@@ -977,7 +980,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
+ tmpl->mode == x->props.mode &&
+ tmpl->id.proto == x->id.proto &&
+ (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
+- xfrm_state_look_at(pol, x, fl, encap_family,
++ xfrm_state_look_at(pol, x, fl, family,
+ &best, &acquire_in_progress, &error);
+ }
+
+--
+2.25.1
+
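Review bot: Nothing in xfrm_state_look_at() records that its `family` argument must now be the family the flow `fl` was built with, which is the invariant this change restores; the two call sites in xfrm_state_find() switch from `encap_family` to `family` without a comment. A line above the selector test such as `/* fl is only valid together with the family it was created for */` would stop a later edit from passing x->sel.family or encap_family again. The commit message also notes that `security_xfrm_state_pol_flow_match(x, pol, fl)` still receives `fl` with no family; a `/* NOTE: hook may only read struct flowi_common fields */` at that call would carry the warning into the code. Both functions extend beyond the hunks.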