From: Sasha Levin Date: Wed, 10 Feb 2021 16:35:01 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v4.19.176~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be8835e28a84faa1ea50f084b454f3122be4dffd;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/af_key-relax-availability-checks-for-skb-size-calcul.patch b/queue-4.19/af_key-relax-availability-checks-for-skb-size-calcul.patch new file mode 100644 index 00000000000..2c1b9a4c286 --- /dev/null +++ b/queue-4.19/af_key-relax-availability-checks-for-skb-size-calcul.patch @@ -0,0 +1,64 @@ +From 61c924d104a3a01a7d37e02aabf89d8ec7aeca4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Dec 2020 16:50:20 -0800 +Subject: af_key: relax availability checks for skb size calculation + +From: Cong Wang + +[ Upstream commit afbc293add6466f8f3f0c3d944d85f53709c170f ] + +xfrm_probe_algs() probes kernel crypto modules and changes the +availability of struct xfrm_algo_desc. But there is a small window +where ealg->available and aalg->available get changed between +count_ah_combs()/count_esp_combs() and dump_ah_combs()/dump_esp_combs(), +in this case we may allocate a smaller skb but later put a larger +amount of data and trigger the panic in skb_put(). + +Fix this by relaxing the checks when counting the size, that is, +skipping the test of ->available. We may waste some memory for a few +of sizeof(struct sadb_comb), but it is still much better than a panic. + +Reported-by: syzbot+b2bf2652983d23734c5c@syzkaller.appspotmail.com +Cc: Steffen Klassert +Cc: Herbert Xu +Signed-off-by: Cong Wang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index e340e97224c3a..c7d5a6015389b 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -2908,7 +2908,7 @@ static int count_ah_combs(const struct xfrm_tmpl *t) + break; + if (!aalg->pfkey_supported) + continue; +- if (aalg_tmpl_set(t, aalg) && aalg->available) ++ if (aalg_tmpl_set(t, aalg)) + sz += sizeof(struct sadb_comb); + } + return sz + sizeof(struct sadb_prop); +@@ -2926,7 +2926,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t) + if (!ealg->pfkey_supported) + continue; + +- if (!(ealg_tmpl_set(t, ealg) && ealg->available)) ++ if (!(ealg_tmpl_set(t, ealg))) + continue; + + for (k = 1; ; k++) { +@@ -2937,7 +2937,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t) + if (!aalg->pfkey_supported) + continue; + +- if (aalg_tmpl_set(t, aalg) && aalg->available) ++ if (aalg_tmpl_set(t, aalg)) + sz += sizeof(struct sadb_comb); + } + } +-- +2.27.0 + diff --git a/queue-4.19/chtls-fix-potential-resource-leak.patch b/queue-4.19/chtls-fix-potential-resource-leak.patch new file mode 100644 index 00000000000..928019d2e1b --- /dev/null +++ b/queue-4.19/chtls-fix-potential-resource-leak.patch @@ -0,0 +1,51 @@ +From 5f17b05c51fdd05e4185c538c5de9665f3a96c21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 06:57:38 -0800 +Subject: chtls: Fix potential resource leak + +From: Pan Bian + +[ Upstream commit b6011966ac6f402847eb5326beee8da3a80405c7 ] + +The dst entry should be released if no neighbour is found. Goto label +free_dst to fix the issue. Besides, the check of ndev against NULL is +redundant. + +Signed-off-by: Pan Bian +Link: https://lore.kernel.org/r/20210121145738.51091-1-bianpan2016@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/crypto/chelsio/chtls/chtls_cm.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/chelsio/chtls/chtls_cm.c b/drivers/crypto/chelsio/chtls/chtls_cm.c +index fd3092a4378e4..08ed3ff8b255f 100644 +--- a/drivers/crypto/chelsio/chtls/chtls_cm.c ++++ b/drivers/crypto/chelsio/chtls/chtls_cm.c +@@ -1051,11 +1051,9 @@ static struct sock *chtls_recv_sock(struct sock *lsk, + tcph = (struct tcphdr *)(iph + 1); + n = dst_neigh_lookup(dst, &iph->saddr); + if (!n || !n->dev) +- goto free_sk; ++ goto free_dst; + + ndev = n->dev; +- if (!ndev) +- goto free_dst; + if (is_vlan_dev(ndev)) + ndev = vlan_dev_real_dev(ndev); + +@@ -1117,7 +1115,8 @@ static struct sock *chtls_recv_sock(struct sock *lsk, + free_csk: + chtls_sock_release(&csk->kref); + free_dst: +- neigh_release(n); ++ if (n) ++ neigh_release(n); + dst_release(dst); + free_sk: + inet_csk_prepare_forced_close(newsk); +-- +2.27.0 + diff --git a/queue-4.19/iwlwifi-mvm-guard-against-device-removal-in-reprobe.patch b/queue-4.19/iwlwifi-mvm-guard-against-device-removal-in-reprobe.patch new file mode 100644 index 00000000000..17c3a514792 --- /dev/null +++ b/queue-4.19/iwlwifi-mvm-guard-against-device-removal-in-reprobe.patch @@ -0,0 +1,49 @@ +From 754a4119ef67a7b015ce1318cfc4d286c12c2014 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jan 2021 14:52:41 +0200 +Subject: iwlwifi: mvm: guard against device removal in reprobe + +From: Johannes Berg + +[ Upstream commit 7a21b1d4a728a483f07c638ccd8610d4b4f12684 ] + +If we get into a problem severe enough to attempt a reprobe, +we schedule a worker to do that. However, if the problem gets +more severe and the device is actually destroyed before this +worker has a chance to run, we use a free device. Bump up the +reference count of the device until the worker runs to avoid +this situation. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20210122144849.871f0892e4b2.I94819e11afd68d875f3e242b98bef724b8236f1e@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +index 0e26619fb330b..d932171617e6a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +@@ -1192,6 +1192,7 @@ static void iwl_mvm_reprobe_wk(struct work_struct *wk) + reprobe = container_of(wk, struct iwl_mvm_reprobe, work); + if (device_reprobe(reprobe->dev)) + dev_err(reprobe->dev, "reprobe failed!\n"); ++ put_device(reprobe->dev); + kfree(reprobe); + module_put(THIS_MODULE); + } +@@ -1242,7 +1243,7 @@ void iwl_mvm_nic_restart(struct iwl_mvm *mvm, bool fw_error) + module_put(THIS_MODULE); + return; + } +- reprobe->dev = mvm->trans->dev; ++ reprobe->dev = get_device(mvm->trans->dev); + INIT_WORK(&reprobe->work, iwl_mvm_reprobe_wk); + schedule_work(&reprobe->work); + } else if (mvm->fwrt.cur_fw_img == IWL_UCODE_REGULAR && +-- +2.27.0 + diff --git a/queue-4.19/iwlwifi-mvm-take-mutex-for-calling-iwl_mvm_get_sync_.patch b/queue-4.19/iwlwifi-mvm-take-mutex-for-calling-iwl_mvm_get_sync_.patch new file mode 100644 index 00000000000..eb250c51f70 --- /dev/null +++ b/queue-4.19/iwlwifi-mvm-take-mutex-for-calling-iwl_mvm_get_sync_.patch @@ -0,0 +1,38 @@ +From 06bc6ba44693b529333d37618b06791bfc955769 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 13:05:48 +0200 +Subject: iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time() + +From: Johannes Berg + +[ Upstream commit 5c56d862c749669d45c256f581eac4244be00d4d ] + +We need to take the mutex to call iwl_mvm_get_sync_time(), do it. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20210115130252.4bb5ccf881a6.I62973cbb081e80aa5b0447a5c3b9c3251a65cf6b@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c +index 798605c4f1227..5287f21d7ba63 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c +@@ -520,7 +520,10 @@ static ssize_t iwl_dbgfs_os_device_timediff_read(struct file *file, + const size_t bufsz = sizeof(buf); + int pos = 0; + ++ mutex_lock(&mvm->mutex); + iwl_mvm_get_sync_time(mvm, &curr_gp2, &curr_os); ++ mutex_unlock(&mvm->mutex); ++ + do_div(curr_os, NSEC_PER_USEC); + diff = curr_os - curr_gp2; + pos += scnprintf(buf + pos, bufsz - pos, "diff=%lld\n", diff); +-- +2.27.0 + diff --git a/queue-4.19/iwlwifi-pcie-add-a-null-check-in-iwl_pcie_txq_unmap.patch b/queue-4.19/iwlwifi-pcie-add-a-null-check-in-iwl_pcie_txq_unmap.patch new file mode 100644 index 00000000000..7005ddbbb62 --- /dev/null +++ b/queue-4.19/iwlwifi-pcie-add-a-null-check-in-iwl_pcie_txq_unmap.patch @@ -0,0 +1,40 @@ +From b32602e81946f6b242fd0fc37e15a11e25d47e1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 13:05:55 +0200 +Subject: iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap + +From: Emmanuel Grumbach + +[ Upstream commit 98c7d21f957b10d9c07a3a60a3a5a8f326a197e5 ] + +I hit a NULL pointer exception in this function when the +init flow went really bad. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20210115130252.2e8da9f2c132.I0234d4b8ddaf70aaa5028a20c863255e05bc1f84@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c +index b73582ec03a08..b1a71539ca3e5 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c +@@ -631,6 +631,11 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id) + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); + struct iwl_txq *txq = trans_pcie->txq[txq_id]; + ++ if (!txq) { ++ IWL_ERR(trans, "Trying to free a queue that wasn't allocated?\n"); ++ return; ++ } ++ + spin_lock_bh(&txq->lock); + while (txq->write_ptr != txq->read_ptr) { + IWL_DEBUG_TX_REPLY(trans, "Q %d Free %d\n", +-- +2.27.0 + diff --git a/queue-4.19/iwlwifi-pcie-fix-context-info-memory-leak.patch b/queue-4.19/iwlwifi-pcie-fix-context-info-memory-leak.patch new file mode 100644 index 00000000000..1945a490a93 --- /dev/null +++ b/queue-4.19/iwlwifi-pcie-fix-context-info-memory-leak.patch @@ -0,0 +1,53 @@ +From 9d64e0f4dee5cf1378142e602d3d629bb971214b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 13:05:56 +0200 +Subject: iwlwifi: pcie: fix context info memory leak + +From: Johannes Berg + +[ Upstream commit 2d6bc752cc2806366d9a4fd577b3f6c1f7a7e04e ] + +If the image loader allocation fails, we leak all the previously +allocated memory. Fix this. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20210115130252.97172cbaa67c.I3473233d0ad01a71aa9400832fb2b9f494d88a11@changeid +Signed-off-by: Sasha Levin +--- + .../net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c +index 6783b20d9681b..a1cecf4a0e820 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c +@@ -159,8 +159,10 @@ int iwl_pcie_ctxt_info_gen3_init(struct iwl_trans *trans, + /* Allocate IML */ + iml_img = dma_alloc_coherent(trans->dev, trans->iml_len, + &trans_pcie->iml_dma_addr, GFP_KERNEL); +- if (!iml_img) +- return -ENOMEM; ++ if (!iml_img) { ++ ret = -ENOMEM; ++ goto err_free_ctxt_info; ++ } + + memcpy(iml_img, trans->iml, trans->iml_len); + +@@ -177,6 +179,11 @@ int iwl_pcie_ctxt_info_gen3_init(struct iwl_trans *trans, + + return 0; + ++err_free_ctxt_info: ++ dma_free_coherent(trans->dev, sizeof(*trans_pcie->ctxt_info_gen3), ++ trans_pcie->ctxt_info_gen3, ++ trans_pcie->ctxt_info_dma_addr); ++ trans_pcie->ctxt_info_gen3 = NULL; + err_free_prph_info: + dma_free_coherent(trans->dev, + sizeof(*prph_info), +-- +2.27.0 + diff --git a/queue-4.19/pnfs-nfsv4-try-to-return-invalid-layout-in-pnfs_layo.patch b/queue-4.19/pnfs-nfsv4-try-to-return-invalid-layout-in-pnfs_layo.patch new file mode 100644 index 00000000000..c1804b50dd2 --- /dev/null +++ b/queue-4.19/pnfs-nfsv4-try-to-return-invalid-layout-in-pnfs_layo.patch @@ -0,0 +1,42 @@ +From dc63f5d8843f62f856dd1f0929bfd6e039db9bbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 17:11:42 -0500 +Subject: pNFS/NFSv4: Try to return invalid layout in pnfs_layout_process() + +From: Trond Myklebust + +[ Upstream commit 08bd8dbe88825760e953759d7ec212903a026c75 ] + +If the server returns a new stateid that does not match the one in our +cache, then try to return the one we hold instead of just invalidating +it on the client side. This ensures that both client and server will +agree that the stateid is invalid. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index 4b165aa5a2561..55965e8e9a2ed 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -2301,7 +2301,13 @@ pnfs_layout_process(struct nfs4_layoutget *lgp) + * We got an entirely new state ID. Mark all segments for the + * inode invalid, and retry the layoutget + */ +- pnfs_mark_layout_stateid_invalid(lo, &free_me); ++ struct pnfs_layout_range range = { ++ .iomode = IOMODE_ANY, ++ .length = NFS4_MAX_UINT64, ++ }; ++ pnfs_set_plh_return_info(lo, IOMODE_ANY, 0); ++ pnfs_mark_matching_lsegs_return(lo, &lo->plh_return_segs, ++ &range, 0); + goto out_forget; + } + +-- +2.27.0 + diff --git a/queue-4.19/regulator-core-avoid-regulator_resolve_supply-race-c.patch b/queue-4.19/regulator-core-avoid-regulator_resolve_supply-race-c.patch new file mode 100644 index 00000000000..8965e07e647 --- /dev/null +++ b/queue-4.19/regulator-core-avoid-regulator_resolve_supply-race-c.patch @@ -0,0 +1,155 @@ +From 721211e43c0a418ebc79efba14184aa9ad5f9cf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 17:16:02 -0800 +Subject: regulator: core: avoid regulator_resolve_supply() race condition + +From: David Collins + +[ Upstream commit eaa7995c529b54d68d97a30f6344cc6ca2f214a7 ] + +The final step in regulator_register() is to call +regulator_resolve_supply() for each registered regulator +(including the one in the process of being registered). The +regulator_resolve_supply() function first checks if rdev->supply +is NULL, then it performs various steps to try to find the supply. +If successful, rdev->supply is set inside of set_supply(). + +This procedure can encounter a race condition if two concurrent +tasks call regulator_register() near to each other on separate CPUs +and one of the regulators has rdev->supply_name specified. There +is currently nothing guaranteeing atomicity between the rdev->supply +check and set steps. Thus, both tasks can observe rdev->supply==NULL +in their regulator_resolve_supply() calls. This then results in +both creating a struct regulator for the supply. One ends up +actually stored in rdev->supply and the other is lost (though still +present in the supply's consumer_list). + +Here is a kernel log snippet showing the issue: + +[ 12.421768] gpu_cc_gx_gdsc: supplied by pm8350_s5_level +[ 12.425854] gpu_cc_gx_gdsc: supplied by pm8350_s5_level +[ 12.429064] debugfs: Directory 'regulator.4-SUPPLY' with parent + '17a00000.rsc:rpmh-regulator-gfxlvl-pm8350_s5_level' + already present! + +Avoid this race condition by holding the rdev->mutex lock inside +of regulator_resolve_supply() while checking and setting +rdev->supply. + +Signed-off-by: David Collins +Link: https://lore.kernel.org/r/1610068562-4410-1-git-send-email-collinsd@codeaurora.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 39 ++++++++++++++++++++++++++++----------- + 1 file changed, 28 insertions(+), 11 deletions(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 8a6ca06d9c160..fa8f5fc04d8fd 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1567,23 +1567,34 @@ static int regulator_resolve_supply(struct regulator_dev *rdev) + { + struct regulator_dev *r; + struct device *dev = rdev->dev.parent; +- int ret; ++ int ret = 0; + + /* No supply to resovle? */ + if (!rdev->supply_name) + return 0; + +- /* Supply already resolved? */ ++ /* Supply already resolved? (fast-path without locking contention) */ + if (rdev->supply) + return 0; + ++ /* ++ * Recheck rdev->supply with rdev->mutex lock held to avoid a race ++ * between rdev->supply null check and setting rdev->supply in ++ * set_supply() from concurrent tasks. ++ */ ++ regulator_lock(rdev); ++ ++ /* Supply just resolved by a concurrent task? */ ++ if (rdev->supply) ++ goto out; ++ + r = regulator_dev_lookup(dev, rdev->supply_name); + if (IS_ERR(r)) { + ret = PTR_ERR(r); + + /* Did the lookup explicitly defer for us? */ + if (ret == -EPROBE_DEFER) +- return ret; ++ goto out; + + if (have_full_constraints()) { + r = dummy_regulator_rdev; +@@ -1591,15 +1602,18 @@ static int regulator_resolve_supply(struct regulator_dev *rdev) + } else { + dev_err(dev, "Failed to resolve %s-supply for %s\n", + rdev->supply_name, rdev->desc->name); +- return -EPROBE_DEFER; ++ ret = -EPROBE_DEFER; ++ goto out; + } + } + + if (r == rdev) { + dev_err(dev, "Supply for %s (%s) resolved to itself\n", + rdev->desc->name, rdev->supply_name); +- if (!have_full_constraints()) +- return -EINVAL; ++ if (!have_full_constraints()) { ++ ret = -EINVAL; ++ goto out; ++ } + r = dummy_regulator_rdev; + get_device(&r->dev); + } +@@ -1613,7 +1627,8 @@ static int regulator_resolve_supply(struct regulator_dev *rdev) + if (r->dev.parent && r->dev.parent != rdev->dev.parent) { + if (!device_is_bound(r->dev.parent)) { + put_device(&r->dev); +- return -EPROBE_DEFER; ++ ret = -EPROBE_DEFER; ++ goto out; + } + } + +@@ -1621,13 +1636,13 @@ static int regulator_resolve_supply(struct regulator_dev *rdev) + ret = regulator_resolve_supply(r); + if (ret < 0) { + put_device(&r->dev); +- return ret; ++ goto out; + } + + ret = set_supply(rdev, r); + if (ret < 0) { + put_device(&r->dev); +- return ret; ++ goto out; + } + + /* Cascade always-on state to supply */ +@@ -1636,11 +1651,13 @@ static int regulator_resolve_supply(struct regulator_dev *rdev) + if (ret < 0) { + _regulator_put(rdev->supply); + rdev->supply = NULL; +- return ret; ++ goto out; + } + } + +- return 0; ++out: ++ regulator_unlock(rdev); ++ return ret; + } + + /* Internal regulator request function */ +-- +2.27.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 8dc457dd31f..0c15744d9e1 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -3,3 +3,13 @@ block-fix-null-pointer-dereference-in-register_disk.patch fgraph-initialize-tracing_graph_pause-at-task-creation.patch remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch +af_key-relax-availability-checks-for-skb-size-calcul.patch +regulator-core-avoid-regulator_resolve_supply-race-c.patch +chtls-fix-potential-resource-leak.patch +pnfs-nfsv4-try-to-return-invalid-layout-in-pnfs_layo.patch +iwlwifi-mvm-take-mutex-for-calling-iwl_mvm_get_sync_.patch +iwlwifi-pcie-add-a-null-check-in-iwl_pcie_txq_unmap.patch +iwlwifi-pcie-fix-context-info-memory-leak.patch +iwlwifi-mvm-guard-against-device-removal-in-reprobe.patch +sunrpc-move-simple_get_bytes-and-simple_get_netobj-i.patch +sunrpc-handle-0-length-opaque-xdr-object-data-proper.patch diff --git a/queue-4.19/sunrpc-handle-0-length-opaque-xdr-object-data-proper.patch b/queue-4.19/sunrpc-handle-0-length-opaque-xdr-object-data-proper.patch new file mode 100644 index 00000000000..8f073f70da1 --- /dev/null +++ b/queue-4.19/sunrpc-handle-0-length-opaque-xdr-object-data-proper.patch @@ -0,0 +1,79 @@ +From 6ad23acbb9c8f4ae4031a64767883cdfea364a50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 16:17:24 -0500 +Subject: SUNRPC: Handle 0 length opaque XDR object data properly + +From: Dave Wysochanski + +[ Upstream commit e4a7d1f7707eb44fd953a31dd59eff82009d879c ] + +When handling an auth_gss downcall, it's possible to get 0-length +opaque object for the acceptor. In the case of a 0-length XDR +object, make sure simple_get_netobj() fills in dest->data = NULL, +and does not continue to kmemdup() which will set +dest->data = ZERO_SIZE_PTR for the acceptor. + +The trace event code can handle NULL but not ZERO_SIZE_PTR for a +string, and so without this patch the rpcgss_context trace event +will crash the kernel as follows: + +[ 162.887992] BUG: kernel NULL pointer dereference, address: 0000000000000010 +[ 162.898693] #PF: supervisor read access in kernel mode +[ 162.900830] #PF: error_code(0x0000) - not-present page +[ 162.902940] PGD 0 P4D 0 +[ 162.904027] Oops: 0000 [#1] SMP PTI +[ 162.905493] CPU: 4 PID: 4321 Comm: rpc.gssd Kdump: loaded Not tainted 5.10.0 #133 +[ 162.908548] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +[ 162.910978] RIP: 0010:strlen+0x0/0x20 +[ 162.912505] Code: 48 89 f9 74 09 48 83 c1 01 80 39 00 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee c3 0f 1f 80 00 00 00 00 <80> 3f 00 74 10 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 31 +[ 162.920101] RSP: 0018:ffffaec900c77d90 EFLAGS: 00010202 +[ 162.922263] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffde697 +[ 162.925158] RDX: 000000000000002f RSI: 0000000000000080 RDI: 0000000000000010 +[ 162.928073] RBP: 0000000000000010 R08: 0000000000000e10 R09: 0000000000000000 +[ 162.930976] R10: ffff8e698a590cb8 R11: 0000000000000001 R12: 0000000000000e10 +[ 162.933883] R13: 00000000fffde697 R14: 000000010034d517 R15: 0000000000070028 +[ 162.936777] FS: 00007f1e1eb93700(0000) GS:ffff8e6ab7d00000(0000) knlGS:0000000000000000 +[ 162.940067] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 162.942417] CR2: 0000000000000010 CR3: 0000000104eba000 CR4: 00000000000406e0 +[ 162.945300] Call Trace: +[ 162.946428] trace_event_raw_event_rpcgss_context+0x84/0x140 [auth_rpcgss] +[ 162.949308] ? __kmalloc_track_caller+0x35/0x5a0 +[ 162.951224] ? gss_pipe_downcall+0x3a3/0x6a0 [auth_rpcgss] +[ 162.953484] gss_pipe_downcall+0x585/0x6a0 [auth_rpcgss] +[ 162.955953] rpc_pipe_write+0x58/0x70 [sunrpc] +[ 162.957849] vfs_write+0xcb/0x2c0 +[ 162.959264] ksys_write+0x68/0xe0 +[ 162.960706] do_syscall_64+0x33/0x40 +[ 162.962238] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 162.964346] RIP: 0033:0x7f1e1f1e57df + +Signed-off-by: Dave Wysochanski +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/auth_gss_internal.h | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/sunrpc/auth_gss/auth_gss_internal.h b/net/sunrpc/auth_gss/auth_gss_internal.h +index c5603242b54bf..f6d9631bd9d00 100644 +--- a/net/sunrpc/auth_gss/auth_gss_internal.h ++++ b/net/sunrpc/auth_gss/auth_gss_internal.h +@@ -34,9 +34,12 @@ simple_get_netobj(const void *p, const void *end, struct xdr_netobj *dest) + q = (const void *)((const char *)p + len); + if (unlikely(q > end || q < p)) + return ERR_PTR(-EFAULT); +- dest->data = kmemdup(p, len, GFP_NOFS); +- if (unlikely(dest->data == NULL)) +- return ERR_PTR(-ENOMEM); ++ if (len) { ++ dest->data = kmemdup(p, len, GFP_NOFS); ++ if (unlikely(dest->data == NULL)) ++ return ERR_PTR(-ENOMEM); ++ } else ++ dest->data = NULL; + dest->len = len; + return q; + } +-- +2.27.0 + diff --git a/queue-4.19/sunrpc-move-simple_get_bytes-and-simple_get_netobj-i.patch b/queue-4.19/sunrpc-move-simple_get_bytes-and-simple_get_netobj-i.patch new file mode 100644 index 00000000000..7384d37c021 --- /dev/null +++ b/queue-4.19/sunrpc-move-simple_get_bytes-and-simple_get_netobj-i.patch @@ -0,0 +1,190 @@ +From 3b9005a4456ebb4fb5681981ff2b8ef271715be1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 16:17:23 -0500 +Subject: SUNRPC: Move simple_get_bytes and simple_get_netobj into private + header + +From: Dave Wysochanski + +[ Upstream commit ba6dfce47c4d002d96cd02a304132fca76981172 ] + +Remove duplicated helper functions to parse opaque XDR objects +and place inside new file net/sunrpc/auth_gss/auth_gss_internal.h. +In the new file carry the license and copyright from the source file +net/sunrpc/auth_gss/auth_gss.c. Finally, update the comment inside +include/linux/sunrpc/xdr.h since lockd is not the only user of +struct xdr_netobj. + +Signed-off-by: Dave Wysochanski +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/xdr.h | 3 +- + net/sunrpc/auth_gss/auth_gss.c | 30 +----------------- + net/sunrpc/auth_gss/auth_gss_internal.h | 42 +++++++++++++++++++++++++ + net/sunrpc/auth_gss/gss_krb5_mech.c | 31 ++---------------- + 4 files changed, 46 insertions(+), 60 deletions(-) + create mode 100644 net/sunrpc/auth_gss/auth_gss_internal.h + +diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h +index 2bd68177a442e..33580cc72a43d 100644 +--- a/include/linux/sunrpc/xdr.h ++++ b/include/linux/sunrpc/xdr.h +@@ -26,8 +26,7 @@ struct rpc_rqst; + #define XDR_QUADLEN(l) (((l) + 3) >> 2) + + /* +- * Generic opaque `network object.' At the kernel level, this type +- * is used only by lockd. ++ * Generic opaque `network object.' + */ + #define XDR_MAX_NETOBJ 1024 + struct xdr_netobj { +diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c +index 8cb7d812ccb82..e61c48c1b37d6 100644 +--- a/net/sunrpc/auth_gss/auth_gss.c ++++ b/net/sunrpc/auth_gss/auth_gss.c +@@ -53,6 +53,7 @@ + #include + #include + ++#include "auth_gss_internal.h" + #include "../netns.h" + + static const struct rpc_authops authgss_ops; +@@ -147,35 +148,6 @@ gss_cred_set_ctx(struct rpc_cred *cred, struct gss_cl_ctx *ctx) + clear_bit(RPCAUTH_CRED_NEW, &cred->cr_flags); + } + +-static const void * +-simple_get_bytes(const void *p, const void *end, void *res, size_t len) +-{ +- const void *q = (const void *)((const char *)p + len); +- if (unlikely(q > end || q < p)) +- return ERR_PTR(-EFAULT); +- memcpy(res, p, len); +- return q; +-} +- +-static inline const void * +-simple_get_netobj(const void *p, const void *end, struct xdr_netobj *dest) +-{ +- const void *q; +- unsigned int len; +- +- p = simple_get_bytes(p, end, &len, sizeof(len)); +- if (IS_ERR(p)) +- return p; +- q = (const void *)((const char *)p + len); +- if (unlikely(q > end || q < p)) +- return ERR_PTR(-EFAULT); +- dest->data = kmemdup(p, len, GFP_NOFS); +- if (unlikely(dest->data == NULL)) +- return ERR_PTR(-ENOMEM); +- dest->len = len; +- return q; +-} +- + static struct gss_cl_ctx * + gss_cred_get_ctx(struct rpc_cred *cred) + { +diff --git a/net/sunrpc/auth_gss/auth_gss_internal.h b/net/sunrpc/auth_gss/auth_gss_internal.h +new file mode 100644 +index 0000000000000..c5603242b54bf +--- /dev/null ++++ b/net/sunrpc/auth_gss/auth_gss_internal.h +@@ -0,0 +1,42 @@ ++// SPDX-License-Identifier: BSD-3-Clause ++/* ++ * linux/net/sunrpc/auth_gss/auth_gss_internal.h ++ * ++ * Internal definitions for RPCSEC_GSS client authentication ++ * ++ * Copyright (c) 2000 The Regents of the University of Michigan. ++ * All rights reserved. ++ * ++ */ ++#include ++#include ++#include ++ ++static inline const void * ++simple_get_bytes(const void *p, const void *end, void *res, size_t len) ++{ ++ const void *q = (const void *)((const char *)p + len); ++ if (unlikely(q > end || q < p)) ++ return ERR_PTR(-EFAULT); ++ memcpy(res, p, len); ++ return q; ++} ++ ++static inline const void * ++simple_get_netobj(const void *p, const void *end, struct xdr_netobj *dest) ++{ ++ const void *q; ++ unsigned int len; ++ ++ p = simple_get_bytes(p, end, &len, sizeof(len)); ++ if (IS_ERR(p)) ++ return p; ++ q = (const void *)((const char *)p + len); ++ if (unlikely(q > end || q < p)) ++ return ERR_PTR(-EFAULT); ++ dest->data = kmemdup(p, len, GFP_NOFS); ++ if (unlikely(dest->data == NULL)) ++ return ERR_PTR(-ENOMEM); ++ dest->len = len; ++ return q; ++} +diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c +index 7bb2514aadd9d..14f2823ad6c20 100644 +--- a/net/sunrpc/auth_gss/gss_krb5_mech.c ++++ b/net/sunrpc/auth_gss/gss_krb5_mech.c +@@ -46,6 +46,8 @@ + #include + #include + ++#include "auth_gss_internal.h" ++ + #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) + # define RPCDBG_FACILITY RPCDBG_AUTH + #endif +@@ -187,35 +189,6 @@ get_gss_krb5_enctype(int etype) + return NULL; + } + +-static const void * +-simple_get_bytes(const void *p, const void *end, void *res, int len) +-{ +- const void *q = (const void *)((const char *)p + len); +- if (unlikely(q > end || q < p)) +- return ERR_PTR(-EFAULT); +- memcpy(res, p, len); +- return q; +-} +- +-static const void * +-simple_get_netobj(const void *p, const void *end, struct xdr_netobj *res) +-{ +- const void *q; +- unsigned int len; +- +- p = simple_get_bytes(p, end, &len, sizeof(len)); +- if (IS_ERR(p)) +- return p; +- q = (const void *)((const char *)p + len); +- if (unlikely(q > end || q < p)) +- return ERR_PTR(-EFAULT); +- res->data = kmemdup(p, len, GFP_NOFS); +- if (unlikely(res->data == NULL)) +- return ERR_PTR(-ENOMEM); +- res->len = len; +- return q; +-} +- + static inline const void * + get_key(const void *p, const void *end, + struct krb5_ctx *ctx, struct crypto_skcipher **res) +-- +2.27.0 +