From: Greg Kroah-Hartman Date: Tue, 23 Aug 2022 07:12:03 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.9.326~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba26a98df60016aea48f4e87953456a4ed3c1aeb;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch can-j1939-j1939_sk_queue_activate_next_locked-replace-warn_on_once-with-netdev_warn_once.patch pci-err-retain-status-from-error-notification.patch
---
diff --git a/queue-5.10/can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch b/queue-5.10/can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch
new file mode 100644
index 00000000000..2d98a26f791
--- /dev/null
+++ b/queue-5.10/can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch
@@ -0,0 +1,55 @@
+From 8c21c54a53ab21842f5050fa090f26b03c0313d6 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin
+Date: Fri, 5 Aug 2022 18:02:16 +0300
+Subject: can: j1939: j1939_session_destroy(): fix memory leak of skbs
+
+From: Fedor Pchelkin
+
+commit 8c21c54a53ab21842f5050fa090f26b03c0313d6 upstream.
+
+We need to drop skb references taken in j1939_session_skb_queue() when
+destroying a session in j1939_session_destroy(). Otherwise those skbs
+would be lost.
+
+Link to Syzkaller info and repro: https://forge.ispras.ru/issues/11743.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+V1: https://lore.kernel.org/all/20220708175949.539064-1-pchelkin@ispras.ru
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Suggested-by: Oleksij Rempel
+Signed-off-by: Fedor Pchelkin
+Signed-off-by: Alexey Khoroshilov
+Acked-by: Oleksij Rempel
+Link: https://lore.kernel.org/all/20220805150216.66313-1-pchelkin@ispras.ru
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/j1939/transport.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -260,6 +260,8 @@ static void __j1939_session_drop(struct
+
+ static void j1939_session_destroy(struct j1939_session *session)
+ {
++ struct sk_buff *skb;
++
+ if (session->err)
+ j1939_sk_errqueue(session, J1939_ERRQUEUE_ABORT);
+ else
+@@ -270,7 +272,11 @@ static void j1939_session_destroy(struct
+ WARN_ON_ONCE(!list_empty(&session->sk_session_queue_entry));
+ WARN_ON_ONCE(!list_empty(&session->active_session_list_entry));
+
+- skb_queue_purge(&session->skb_queue);
++ while ((skb = skb_dequeue(&session->skb_queue)) != NULL) {
++ /* drop ref taken in j1939_session_skb_queue() */
++ skb_unref(skb);
++ kfree_skb(skb);
++ }
+ __j1939_session_drop(session);
+ j1939_priv_put(session->priv);
+ kfree(session);
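Review bot: In the new dequeue loop of j1939_session_destroy(), the return value of `skb_unref()` is discarded and `kfree_skb()` then drops a second reference, so the teardown is balanced only if every skb on `session->skb_queue` carries exactly one extra reference from j1939_session_skb_queue(), which is not visible in this hunk. The one-line comment could spell out that invariant, for example `/* queued skbs hold two refs: the queue's and the one taken in j1939_session_skb_queue() */`, once it has been confirmed against that function. Any other path that removes skbs from this queue deserves the same check, since a missed drop leaks kernel memory (the commit message cites a Syzkaller reproducer) and an unpaired extra drop would release an skb that is still referenced. The body of j1939_session_destroy() continues outside both inner hunks.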
diff --git a/queue-5.10/can-j1939-j1939_sk_queue_activate_next_locked-replace-warn_on_once-with-netdev_warn_once.patch b/queue-5.10/can-j1939-j1939_sk_queue_activate_next_locked-replace-warn_on_once-with-netdev_warn_once.patch
new file mode 100644
index 00000000000..99306439e87
--- /dev/null
+++ b/queue-5.10/can-j1939-j1939_sk_queue_activate_next_locked-replace-warn_on_once-with-netdev_warn_once.patch
@@ -0,0 +1,43 @@
+From 8ef49f7f8244424adcf4a546dba4cbbeb0b09c09 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin
+Date: Fri, 29 Jul 2022 17:36:55 +0300
+Subject: can: j1939: j1939_sk_queue_activate_next_locked(): replace WARN_ON_ONCE with netdev_warn_once()
+
+From: Fedor Pchelkin
+
+commit 8ef49f7f8244424adcf4a546dba4cbbeb0b09c09 upstream.
+
+We should warn user-space that it is doing something wrong when trying
+to activate sessions with identical parameters but WARN_ON_ONCE macro
+can not be used here as it serves a different purpose.
+
+So it would be good to replace it with netdev_warn_once() message.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Fedor Pchelkin
+Signed-off-by: Alexey Khoroshilov
+Acked-by: Oleksij Rempel
+Link: https://lore.kernel.org/all/20220729143655.1108297-1-pchelkin@ispras.ru
+[mkl: fix indention]
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/j1939/socket.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -178,7 +178,10 @@ activate_next:
+ if (!first)
+ return;
+
+- if (WARN_ON_ONCE(j1939_session_activate(first))) {
++ if (j1939_session_activate(first)) {
++ netdev_warn_once(first->priv->ndev,
++ "%s: 0x%p: Identical session is already activated.\n",
++ __func__, first);
+ first->err = -EBUSY;
+ goto activate_next;
+ } else {
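Review bot: The new `netdev_warn_once()` call after `activate_next:` logs only the first duplicate-session attempt, so every later one is visible to the caller solely through `first->err = -EBUSY`, and nothing in the code records why this branch must not WARN. A comment above the `if`, such as `/* duplicate session parameters can come from user space: report -EBUSY and log once, do not WARN */`, would keep the commit message's reasoning next to the code. That matters most on systems configured to treat kernel warnings as fatal, where a user-triggerable WARN is effectively a denial of service. The enclosing function starts and ends outside this hunk.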
diff --git a/queue-5.10/pci-err-retain-status-from-error-notification.patch b/queue-5.10/pci-err-retain-status-from-error-notification.patch
new file mode 100644
index 00000000000..468b8b838aa
--- /dev/null
+++ b/queue-5.10/pci-err-retain-status-from-error-notification.patch
@@ -0,0 +1,39 @@
+From 387c72cdd7fb6bef650fb078d0f6ae9682abf631 Mon Sep 17 00:00:00 2001
+From: Keith Busch
+Date: Mon, 4 Jan 2021 15:02:58 -0800
+Subject: PCI/ERR: Retain status from error notification
+
+From: Keith Busch
+
+commit 387c72cdd7fb6bef650fb078d0f6ae9682abf631 upstream.
+
+Overwriting the frozen detected status with the result of the link reset
+loses the NEED_RESET result that drivers are depending on for error
+handling to report the .slot_reset() callback. Retain this status so
+that subsequent error handling has the correct flow.
+
+Link: https://lore.kernel.org/r/20210104230300.1277180-4-kbusch@kernel.org
+Reported-by: Hinko Kocevar
+Tested-by: Hedi Berriche
+Signed-off-by: Keith Busch
+Signed-off-by: Bjorn Helgaas
+Acked-by: Sean V Kelley
+Acked-by: Hedi Berriche
+Cc: Dominique Martinet
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/pcie/err.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/pci/pcie/err.c
++++ b/drivers/pci/pcie/err.c
+@@ -196,8 +196,7 @@ pci_ers_result_t pcie_do_recovery(struct
+ pci_dbg(bridge, "broadcast error_detected message\n");
+ if (state == pci_channel_io_frozen) {
+ pci_walk_bridge(bridge, report_frozen_detected, &status);
+- status = reset_subordinates(bridge);
+- if (status != PCI_ERS_RESULT_RECOVERED) {
++ if (reset_subordinates(bridge) != PCI_ERS_RESULT_RECOVERED) {
+ pci_warn(bridge, "subordinate device reset failed\n");
+ goto failed;
+ }
diff --git a/queue-5.10/series b/queue-5.10/series
index caf0591cde6..48548907e03 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -151,3 +151,6 @@ mips-tlbex-explicitly-compare-_page_no_exec-against-.patch
 netfilter-nftables-fix-a-warning-message-in-nf_tables_commit_audit_collect.patch
 netfilter-nf_tables-fix-audit-memory-leak-in-nf_tables_commit.patch
 tracing-probes-have-kprobes-and-uprobes-use-comm-too.patch
+can-j1939-j1939_sk_queue_activate_next_locked-replace-warn_on_once-with-netdev_warn_once.patch
+can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch
+pci-err-retain-status-from-error-notification.patch