From: Greg Kroah-Hartman Date: Fri, 10 Dec 2021 15:53:09 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.295~56 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b1221e5aff99af6f078c5185393e7eb66023edc6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: bonding-make-tx_rebalance_counter-an-atomic.patch bpf-fix-the-off-by-two-error-in-range-markings.patch ice-ignore-dropped-packets-during-init.patch nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch nfp-fix-memory-leak-in-nfp_cpp_area_cache_add.patch --- diff --git a/queue-4.19/bonding-make-tx_rebalance_counter-an-atomic.patch b/queue-4.19/bonding-make-tx_rebalance_counter-an-atomic.patch new file mode 100644 index 00000000000..5adfe897d97 --- /dev/null +++ b/queue-4.19/bonding-make-tx_rebalance_counter-an-atomic.patch @@ -0,0 +1,132 @@ +From dac8e00fb640e9569cdeefd3ce8a75639e5d0711 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 2 Dec 2021 18:27:18 -0800 +Subject: bonding: make tx_rebalance_counter an atomic + +From: Eric Dumazet + +commit dac8e00fb640e9569cdeefd3ce8a75639e5d0711 upstream. + +KCSAN reported a data-race [1] around tx_rebalance_counter +which can be accessed from different contexts, without +the protection of a lock/mutex. + +[1] +BUG: KCSAN: data-race in bond_alb_init_slave / bond_alb_monitor + +write to 0xffff888157e8ca24 of 4 bytes by task 7075 on cpu 0: + bond_alb_init_slave+0x713/0x860 drivers/net/bonding/bond_alb.c:1613 + bond_enslave+0xd94/0x3010 drivers/net/bonding/bond_main.c:1949 + do_set_master net/core/rtnetlink.c:2521 [inline] + __rtnl_newlink net/core/rtnetlink.c:3475 [inline] + rtnl_newlink+0x1298/0x13b0 net/core/rtnetlink.c:3506 + rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5571 + netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2491 + rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5589 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x5fc/0x6c0 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x6e1/0x7d0 net/netlink/af_netlink.c:1916 + sock_sendmsg_nosec net/socket.c:704 [inline] + sock_sendmsg net/socket.c:724 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2409 + ___sys_sendmsg net/socket.c:2463 [inline] + __sys_sendmsg+0x195/0x230 net/socket.c:2492 + __do_sys_sendmsg net/socket.c:2501 [inline] + __se_sys_sendmsg net/socket.c:2499 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2499 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff888157e8ca24 of 4 bytes by task 1082 on cpu 1: + bond_alb_monitor+0x8f/0xc00 drivers/net/bonding/bond_alb.c:1511 + process_one_work+0x3fc/0x980 kernel/workqueue.c:2298 + worker_thread+0x616/0xa70 kernel/workqueue.c:2445 + kthread+0x2c7/0x2e0 kernel/kthread.c:327 + ret_from_fork+0x1f/0x30 + +value changed: 0x00000001 -> 0x00000064 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 1082 Comm: kworker/u4:3 Not tainted 5.16.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: bond1 bond_alb_monitor + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_alb.c | 14 ++++++++------ + include/net/bond_alb.h | 2 +- + 2 files changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/net/bonding/bond_alb.c ++++ b/drivers/net/bonding/bond_alb.c +@@ -1530,14 +1530,14 @@ void bond_alb_monitor(struct work_struct + struct slave *slave; + + if (!bond_has_slaves(bond)) { +- bond_info->tx_rebalance_counter = 0; ++ atomic_set(&bond_info->tx_rebalance_counter, 0); + bond_info->lp_counter = 0; + goto re_arm; + } + + rcu_read_lock(); + +- bond_info->tx_rebalance_counter++; ++ atomic_inc(&bond_info->tx_rebalance_counter); + bond_info->lp_counter++; + + /* send learning packets */ +@@ -1559,7 +1559,7 @@ void bond_alb_monitor(struct work_struct + } + + /* rebalance tx traffic */ +- if (bond_info->tx_rebalance_counter >= BOND_TLB_REBALANCE_TICKS) { ++ if (atomic_read(&bond_info->tx_rebalance_counter) >= BOND_TLB_REBALANCE_TICKS) { + bond_for_each_slave_rcu(bond, slave, iter) { + tlb_clear_slave(bond, slave, 1); + if (slave == rcu_access_pointer(bond->curr_active_slave)) { +@@ -1569,7 +1569,7 @@ void bond_alb_monitor(struct work_struct + bond_info->unbalanced_load = 0; + } + } +- bond_info->tx_rebalance_counter = 0; ++ atomic_set(&bond_info->tx_rebalance_counter, 0); + } + + if (bond_info->rlb_enabled) { +@@ -1639,7 +1639,8 @@ int bond_alb_init_slave(struct bonding * + tlb_init_slave(slave); + + /* order a rebalance ASAP */ +- bond->alb_info.tx_rebalance_counter = BOND_TLB_REBALANCE_TICKS; ++ atomic_set(&bond->alb_info.tx_rebalance_counter, ++ BOND_TLB_REBALANCE_TICKS); + + if (bond->alb_info.rlb_enabled) + bond->alb_info.rlb_rebalance = 1; +@@ -1676,7 +1677,8 @@ void bond_alb_handle_link_change(struct + rlb_clear_slave(bond, slave); + } else if (link == BOND_LINK_UP) { + /* order a rebalance ASAP */ +- bond_info->tx_rebalance_counter = BOND_TLB_REBALANCE_TICKS; ++ atomic_set(&bond_info->tx_rebalance_counter, ++ BOND_TLB_REBALANCE_TICKS); + if (bond->alb_info.rlb_enabled) { + bond->alb_info.rlb_rebalance = 1; + /* If the updelay module parameter is smaller than the +--- a/include/net/bond_alb.h ++++ b/include/net/bond_alb.h +@@ -142,7 +142,7 @@ struct tlb_slave_info { + struct alb_bond_info { + struct tlb_client_info *tx_hashtbl; /* Dynamically allocated */ + u32 unbalanced_load; +- int tx_rebalance_counter; ++ atomic_t tx_rebalance_counter; + int lp_counter; + /* -------- rlb parameters -------- */ + int rlb_enabled; diff --git a/queue-4.19/bpf-fix-the-off-by-two-error-in-range-markings.patch b/queue-4.19/bpf-fix-the-off-by-two-error-in-range-markings.patch new file mode 100644 index 00000000000..f92ac205786 --- /dev/null +++ b/queue-4.19/bpf-fix-the-off-by-two-error-in-range-markings.patch @@ -0,0 +1,63 @@ +From 2fa7d94afc1afbb4d702760c058dc2d7ed30f226 Mon Sep 17 00:00:00 2001 +From: Maxim Mikityanskiy +Date: Tue, 30 Nov 2021 20:16:07 +0200 +Subject: bpf: Fix the off-by-two error in range markings + +From: Maxim Mikityanskiy + +commit 2fa7d94afc1afbb4d702760c058dc2d7ed30f226 upstream. + +The first commit cited below attempts to fix the off-by-one error that +appeared in some comparisons with an open range. Due to this error, +arithmetically equivalent pieces of code could get different verdicts +from the verifier, for example (pseudocode): + + // 1. Passes the verifier: + if (data + 8 > data_end) + return early + read *(u64 *)data, i.e. [data; data+7] + + // 2. Rejected by the verifier (should still pass): + if (data + 7 >= data_end) + return early + read *(u64 *)data, i.e. [data; data+7] + +The attempted fix, however, shifts the range by one in a wrong +direction, so the bug not only remains, but also such piece of code +starts failing in the verifier: + + // 3. Rejected by the verifier, but the check is stricter than in #1. + if (data + 8 >= data_end) + return early + read *(u64 *)data, i.e. [data; data+7] + +The change performed by that fix converted an off-by-one bug into +off-by-two. The second commit cited below added the BPF selftests +written to ensure than code chunks like #3 are rejected, however, +they should be accepted. + +This commit fixes the off-by-two error by adjusting new_range in the +right direction and fixes the tests by changing the range into the +one that should actually fail. + +Fixes: fb2a311a31d3 ("bpf: fix off by one for range markings with L{T, E} patterns") +Fixes: b37242c773b2 ("bpf: add test cases to bpf selftests to cover all access tests") +Signed-off-by: Maxim Mikityanskiy +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20211130181607.593149-1-maximmi@nvidia.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -3761,7 +3761,7 @@ static void find_good_pkt_pointers(struc + + new_range = dst_reg->off; + if (range_right_open) +- new_range--; ++ new_range++; + + /* Examples for register markings: + * diff --git a/queue-4.19/ice-ignore-dropped-packets-during-init.patch b/queue-4.19/ice-ignore-dropped-packets-during-init.patch new file mode 100644 index 00000000000..cfea0a61567 --- /dev/null +++ b/queue-4.19/ice-ignore-dropped-packets-during-init.patch @@ -0,0 +1,39 @@ +From 28dc1b86f8ea9fd6f4c9e0b363db73ecabf84e22 Mon Sep 17 00:00:00 2001 +From: Jesse Brandeburg +Date: Fri, 22 Oct 2021 17:28:17 -0700 +Subject: ice: ignore dropped packets during init + +From: Jesse Brandeburg + +commit 28dc1b86f8ea9fd6f4c9e0b363db73ecabf84e22 upstream. + +If the hardware is constantly receiving unicast or broadcast packets +during driver load, the device previously counted many GLV_RDPC (VSI +dropped packets) events during init. This causes confusing dropped +packet statistics during driver load. The dropped packets counter +incrementing does stop once the driver finishes loading. + +Avoid this problem by baselining our statistics at the end of driver +open instead of the end of probe. + +Fixes: cdedef59deb0 ("ice: Configure VSIs for Tx/Rx") +Signed-off-by: Jesse Brandeburg +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -4404,6 +4404,9 @@ static int ice_up_complete(struct ice_vs + netif_carrier_on(vsi->netdev); + } + ++ /* clear this now, and the first stats read will be used as baseline */ ++ vsi->stat_offsets_loaded = false; ++ + ice_service_task_schedule(pf); + + return err; diff --git a/queue-4.19/nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch b/queue-4.19/nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch new file mode 100644 index 00000000000..dc276ff2a0c --- /dev/null +++ b/queue-4.19/nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch @@ -0,0 +1,37 @@ +From 4cd8371a234d051f9c9557fcbb1f8c523b1c0d10 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Dec 2021 09:13:07 +0100 +Subject: nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done + +From: Krzysztof Kozlowski + +commit 4cd8371a234d051f9c9557fcbb1f8c523b1c0d10 upstream. + +The done() netlink callback nfc_genl_dump_ses_done() should check if +received argument is non-NULL, because its allocation could fail earlier +in dumpit() (nfc_genl_dump_ses()). + +Fixes: ac22ac466a65 ("NFC: Add a GET_SE netlink API") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20211209081307.57337-1-krzysztof.kozlowski@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/netlink.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -1410,8 +1410,10 @@ static int nfc_genl_dump_ses_done(struct + { + struct class_dev_iter *iter = (struct class_dev_iter *) cb->args[0]; + +- nfc_device_iter_exit(iter); +- kfree(iter); ++ if (iter) { ++ nfc_device_iter_exit(iter); ++ kfree(iter); ++ } + + return 0; + } diff --git a/queue-4.19/nfp-fix-memory-leak-in-nfp_cpp_area_cache_add.patch b/queue-4.19/nfp-fix-memory-leak-in-nfp_cpp_area_cache_add.patch new file mode 100644 index 00000000000..5220ad371fd --- /dev/null +++ b/queue-4.19/nfp-fix-memory-leak-in-nfp_cpp_area_cache_add.patch @@ -0,0 +1,60 @@ +From c56c96303e9289cc34716b1179597b6f470833de Mon Sep 17 00:00:00 2001 +From: Jianglei Nie +Date: Thu, 9 Dec 2021 14:15:11 +0800 +Subject: nfp: Fix memory leak in nfp_cpp_area_cache_add() + +From: Jianglei Nie + +commit c56c96303e9289cc34716b1179597b6f470833de upstream. + +In line 800 (#1), nfp_cpp_area_alloc() allocates and initializes a +CPP area structure. But in line 807 (#2), when the cache is allocated +failed, this CPP area structure is not freed, which will result in +memory leak. + +We can fix it by freeing the CPP area when the cache is allocated +failed (#2). + +792 int nfp_cpp_area_cache_add(struct nfp_cpp *cpp, size_t size) +793 { +794 struct nfp_cpp_area_cache *cache; +795 struct nfp_cpp_area *area; + +800 area = nfp_cpp_area_alloc(cpp, NFP_CPP_ID(7, NFP_CPP_ACTION_RW, 0), +801 0, size); + // #1: allocates and initializes + +802 if (!area) +803 return -ENOMEM; + +805 cache = kzalloc(sizeof(*cache), GFP_KERNEL); +806 if (!cache) +807 return -ENOMEM; // #2: missing free + +817 return 0; +818 } + +Fixes: 4cb584e0ee7d ("nfp: add CPP access core") +Signed-off-by: Jianglei Nie +Acked-by: Simon Horman +Link: https://lore.kernel.org/r/20211209061511.122535-1-niejianglei2021@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c ++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c +@@ -803,8 +803,10 @@ int nfp_cpp_area_cache_add(struct nfp_cp + return -ENOMEM; + + cache = kzalloc(sizeof(*cache), GFP_KERNEL); +- if (!cache) ++ if (!cache) { ++ nfp_cpp_area_free(area); + return -ENOMEM; ++ } + + cache->id = 0; + cache->addr = 0; diff --git a/queue-4.19/series b/queue-4.19/series index 8f6f376a5a3..630ba7000c2 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -12,3 +12,8 @@ net-sched-rename-qdisc_destroy-to-qdisc_put.patch net-sched-extend-qdisc-with-rcu.patch net-sched-add-helper-function-to-take-reference-to-qdisc.patch net-sched-use-qdisc-rcu-api-instead-of-relying-on-rtnl-lock.patch +nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch +bpf-fix-the-off-by-two-error-in-range-markings.patch +ice-ignore-dropped-packets-during-init.patch +bonding-make-tx_rebalance_counter-an-atomic.patch +nfp-fix-memory-leak-in-nfp_cpp_area_cache_add.patch