From: Greg Kroah-Hartman Date: Mon, 22 Aug 2022 08:55:13 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.9.326~71 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c6aa45ba91e9f1da431b7a38e26b8705560e8152;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch apparmor-fix-aa_label_asxprint-return-check.patch apparmor-fix-failed-mount-permission-check-error-message.patch apparmor-fix-quiet_denied-for-file-rules.patch apparmor-fix-reference-count-leak-in-aa_pivotroot.patch can-ems_usb-fix-clang-s-wunaligned-access-warning.patch geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch nfsv4.1-reclaim_complete-must-handle-eacces.patch pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch vsock-fix-memory-leak-in-vsock_connect.patch vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch --- diff --git a/queue-4.14/acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch b/queue-4.14/acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch new file mode 100644 index 00000000000..e3720462b4c --- /dev/null +++ b/queue-4.14/acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch 
@@ -0,0 +1,38 @@ +From 85140ef275f577f64e8a2c5789447222dfc14fc4 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Mon, 11 Jul 2022 14:25:59 +0300 +Subject: ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool + +From: Sakari Ailus + +commit 85140ef275f577f64e8a2c5789447222dfc14fc4 upstream. + +The value acpi_add_nondev_subnodes() returns is bool so change the return +type of the function to match that. + +Fixes: 445b0eb058f5 ("ACPI / property: Add support for data-only subnodes") +Signed-off-by: Sakari Ailus +Reviewed-by: Andy Shevchenko +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/property.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/acpi/property.c ++++ b/drivers/acpi/property.c +@@ -132,10 +132,10 @@ static bool acpi_nondev_subnode_ok(acpi_ + return acpi_nondev_subnode_data_ok(handle, link, list, parent); + } + +-static int acpi_add_nondev_subnodes(acpi_handle scope, +- const union acpi_object *links, +- struct list_head *list, +- struct fwnode_handle *parent) ++static bool acpi_add_nondev_subnodes(acpi_handle scope, ++ const union acpi_object *links, ++ struct list_head *list, ++ struct fwnode_handle *parent) + { + bool ret = false; + int i; diff --git a/queue-4.14/apparmor-fix-aa_label_asxprint-return-check.patch b/queue-4.14/apparmor-fix-aa_label_asxprint-return-check.patch new file mode 100644 index 00000000000..7de74d87b84 --- /dev/null +++ b/queue-4.14/apparmor-fix-aa_label_asxprint-return-check.patch 
@@ -0,0 +1,56 @@ +From 3e2a3a0830a2090e766d0d887d52c67de2a6f323 Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Sun, 13 Feb 2022 13:32:28 -0800 +Subject: apparmor: fix aa_label_asxprint return check + +From: Tom Rix + +commit 3e2a3a0830a2090e766d0d887d52c67de2a6f323 upstream. + +Clang static analysis reports this issue +label.c:1802:3: warning: 2nd function call argument + is an uninitialized value + pr_info("%s", str); + ^~~~~~~~~~~~~~~~~~ + +str is set from a successful call to aa_label_asxprint(&str, ...) +On failure a negative value is returned, not a -1. So change +the check. + +Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels") +Signed-off-by: Tom Rix +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/label.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/security/apparmor/label.c ++++ b/security/apparmor/label.c +@@ -1722,7 +1722,7 @@ void aa_label_xaudit(struct audit_buffer + if (!use_label_hname(ns, label, flags) || + display_mode(ns, label, flags)) { + len = aa_label_asxprint(&name, ns, label, flags, gfp); +- if (len == -1) { ++ if (len < 0) { + AA_DEBUG("label print error"); + return; + } +@@ -1750,7 +1750,7 @@ void aa_label_seq_xprint(struct seq_file + int len; + + len = aa_label_asxprint(&str, ns, label, flags, gfp); +- if (len == -1) { ++ if (len < 0) { + AA_DEBUG("label print error"); + return; + } +@@ -1773,7 +1773,7 @@ void aa_label_xprintk(struct aa_ns *ns, + int len; + + len = aa_label_asxprint(&str, ns, label, flags, gfp); +- if (len == -1) { ++ if (len < 0) { + AA_DEBUG("label print error"); + return; + } diff --git a/queue-4.14/apparmor-fix-failed-mount-permission-check-error-message.patch b/queue-4.14/apparmor-fix-failed-mount-permission-check-error-message.patch new file mode 100644 index 00000000000..503ef22bb66 --- /dev/null +++ b/queue-4.14/apparmor-fix-failed-mount-permission-check-error-message.patch 
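Review bot: The corrected `len < 0` guards in aa_label_xaudit, aa_label_seq_xprint and aa_label_xprintk still leave `name`/`str` declared without an initialiser (only `int len;` of the declarations is visible; the pointer declarations sit outside the hunk), so any future early use would again hit the uninitialised-pointer path clang reported. Initialising them at declaration, `char *str = NULL;`, is a cheap belt-and-braces addition. All three functions also return on error without a kfree, which is correct only if aa_label_asxprint guarantees nothing was allocated when it returns a negative value; a one-line comment stating that contract above the first check, `/* aa_label_asxprint allocates *str only on success */`, would keep a reader from reopening the question.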
@@ -0,0 +1,45 @@ +From ec240b5905bbb09a03dccffee03062cf39e38dc2 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Tue, 25 Jan 2022 00:37:42 -0800 +Subject: apparmor: Fix failed mount permission check error message + +From: John Johansen + +commit ec240b5905bbb09a03dccffee03062cf39e38dc2 upstream. + +When the mount check fails due to a permission check failure instead +of explicitly at one of the subcomponent checks, AppArmor is reporting +a failure in the flags match. However this is not true and AppArmor +can not attribute the error at this point to any particular component, +and should only indicate the mount failed due to missing permissions. + +Fixes: 2ea3ffb7782a ("apparmor: add mount mediation") +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/mount.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/security/apparmor/mount.c ++++ b/security/apparmor/mount.c +@@ -233,7 +233,8 @@ static const char * const mnt_info_table + "failed srcname match", + "failed type match", + "failed flags match", +- "failed data match" ++ "failed data match", ++ "failed perms check" + }; + + /* +@@ -288,8 +289,8 @@ static int do_match_mnt(struct aa_dfa *d + return 0; + } + +- /* failed at end of flags match */ +- return 4; ++ /* failed at perms check, don't confuse with flags match */ ++ return 6; + } + + diff --git a/queue-4.14/apparmor-fix-quiet_denied-for-file-rules.patch b/queue-4.14/apparmor-fix-quiet_denied-for-file-rules.patch new file mode 100644 index 00000000000..bcb91089415 --- /dev/null +++ b/queue-4.14/apparmor-fix-quiet_denied-for-file-rules.patch 
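Review bot: The new return value `6` in do_match_mnt and the new `"failed perms check"` slot in mnt_info_table are tied together only by position, and both the table's first entries and the site that indexes the table are outside the hunk, so nothing visible guarantees the index stays in bounds. A named constant or enum for the info codes, plus an `ARRAY_SIZE(mnt_info_table)` bound (or a `BUILD_BUG_ON`) at the lookup, would keep a future extra return value from reading past the table. The numbering also jumps from the old `4` to `6`; if `5` is `"failed data match"`, a comment on the return saying so, `/* 6 == "failed perms check" in mnt_info_table */`, would make that self-explanatory.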
@@ -0,0 +1,31 @@
+From 68ff8540cc9e4ab557065b3f635c1ff4c96e1f1c Mon Sep 17 00:00:00 2001
+From: John Johansen
+Date: Thu, 29 Apr 2021 01:48:28 -0700
+Subject: apparmor: fix quiet_denied for file rules
+
+From: John Johansen
+
+commit 68ff8540cc9e4ab557065b3f635c1ff4c96e1f1c upstream.
+
+Global quieting of denied AppArmor generated file events is not
+handled correctly. Unfortunately the is checking if quieting of all
+audit events is set instead of just denied events.
+
+Fixes: 67012e8209df ("AppArmor: basic auditing infrastructure.")
+Signed-off-by: John Johansen
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/apparmor/audit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/audit.c
++++ b/security/apparmor/audit.c
+@@ -143,7 +143,7 @@ int aa_audit(int type, struct aa_profile
+ }
+ if (AUDIT_MODE(profile) == AUDIT_QUIET ||
+ (type == AUDIT_APPARMOR_DENIED &&
+- AUDIT_MODE(profile) == AUDIT_QUIET))
++ AUDIT_MODE(profile) == AUDIT_QUIET_DENIED))
+ return aad(sa)->error;
+
+ if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
diff --git a/queue-4.14/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch b/queue-4.14/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch
new file mode 100644
index 00000000000..d28a4de5204
--- /dev/null
+++ b/queue-4.14/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch
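Review bot: With the corrected `AUDIT_QUIET_DENIED` clause, a denial on a profile in quiet_denied mode now returns `aad(sa)->error` before reaching the `KILL_MODE(profile)` promotion two lines below, whereas before the fix that clause was dead and such a denial fell through to it. If the SIGKILL for kill-mode profiles is issued further down based on `type` having become AUDIT_APPARMOR_KILL (that code is outside the hunk), this fix changes enforcement for profiles combining kill mode with quiet_denied, not only logging. If that is intended, a comment on the early return, `/* quiet_denied suppresses the audit record and skips the kill promotion below */`, would document it; if not, the kill promotion should move above the quiet check. Detection engineers relying on AppArmor DENIED records should also note these are now genuinely suppressed for quiet_denied profiles. aa_audit continues outside the hunk.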
@@ -0,0 +1,41 @@ +From 11c3627ec6b56c1525013f336f41b79a983b4d46 Mon Sep 17 00:00:00 2001 +From: Xin Xiong +Date: Thu, 28 Apr 2022 11:39:08 +0800 +Subject: apparmor: fix reference count leak in aa_pivotroot() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xin Xiong + +commit 11c3627ec6b56c1525013f336f41b79a983b4d46 upstream. + +The aa_pivotroot() function has a reference counting bug in a specific +path. When aa_replace_current_label() returns on success, the function +forgets to decrement the reference count of “target”, which is +increased earlier by build_pivotroot(), causing a reference leak. + +Fix it by decreasing the refcount of “target” in that path. + +Fixes: 2ea3ffb7782a ("apparmor: add mount mediation") +Co-developed-by: Xiyu Yang +Signed-off-by: Xiyu Yang +Co-developed-by: Xin Tan +Signed-off-by: Xin Tan +Signed-off-by: Xin Xiong +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/mount.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/security/apparmor/mount.c ++++ b/security/apparmor/mount.c +@@ -687,6 +687,7 @@ int aa_pivotroot(struct aa_label *label, + aa_put_label(target); + goto out; + } ++ aa_put_label(target); + } else + /* already audited error */ + error = PTR_ERR(target); diff --git a/queue-4.14/can-ems_usb-fix-clang-s-wunaligned-access-warning.patch b/queue-4.14/can-ems_usb-fix-clang-s-wunaligned-access-warning.patch new file mode 100644 index 00000000000..c8c3e72a2a0 --- /dev/null +++ b/queue-4.14/can-ems_usb-fix-clang-s-wunaligned-access-warning.patch 
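Review bot: Both paths after `aa_replace_current_label()` now end in `aa_put_label(target)`, so the put can be hoisted and the duplicate dropped: `error = aa_replace_current_label(target);` then `aa_put_label(target);` then `if (error) goto out;`. That is behaviour-identical only if `out:` is the label immediately following this if/else, which the visible `goto out` suggests but the hunk does not show. The remainder of aa_pivotroot, including the `out:` cleanup, lies outside the hunk.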
@@ -0,0 +1,65 @@ +From a4cb6e62ea4d36e53fb3c0f18ea4503d7b76674f Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Mon, 1 Aug 2022 22:47:16 +0200 +Subject: can: ems_usb: fix clang's -Wunaligned-access warning + +From: Marc Kleine-Budde + +commit a4cb6e62ea4d36e53fb3c0f18ea4503d7b76674f upstream. + +clang emits a -Wunaligned-access warning on struct __packed +ems_cpc_msg. + +The reason is that the anonymous union msg (not declared as packed) is +being packed right after some non naturally aligned variables (3*8 +bits + 2*32) inside a packed struct: + +| struct __packed ems_cpc_msg { +| u8 type; /* type of message */ +| u8 length; /* length of data within union 'msg' */ +| u8 msgid; /* confirmation handle */ +| __le32 ts_sec; /* timestamp in seconds */ +| __le32 ts_nsec; /* timestamp in nano seconds */ +| /* ^ not naturally aligned */ +| +| union { +| /* ^ not declared as packed */ +| u8 generic[64]; +| struct cpc_can_msg can_msg; +| struct cpc_can_params can_params; +| struct cpc_confirm confirmation; +| struct cpc_overrun overrun; +| struct cpc_can_error error; +| struct cpc_can_err_counter err_counter; +| u8 can_state; +| } msg; +| }; + +Starting from LLVM 14, having an unpacked struct nested in a packed +struct triggers a warning. c.f. [1]. + +Fix the warning by marking the anonymous union as packed. 
+ +[1] https://github.com/llvm/llvm-project/issues/55520 + +Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface") +Link: https://lore.kernel.org/all/20220802094021.959858-1-mkl@pengutronix.de +Cc: Gerhard Uttenthaler +Cc: Sebastian Haas +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/ems_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -206,7 +206,7 @@ struct __packed ems_cpc_msg { + __le32 ts_sec; /* timestamp in seconds */ + __le32 ts_nsec; /* timestamp in nano seconds */ + +- union { ++ union __packed { + u8 generic[64]; + struct cpc_can_msg can_msg; + struct cpc_can_params can_params; diff --git a/queue-4.14/geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch b/queue-4.14/geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch new file mode 100644 index 00000000000..9f6c4dd59e7 --- /dev/null +++ b/queue-4.14/geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch 
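Review bot: The union inside `struct __packed ems_cpc_msg` is now marked `__packed` with no comment, so the next reader will wonder why a union of `u8` and struct members needs packing; the reasoning lives only in the commit message. A comment above it, `/* __packed: the union starts at offset 11 (3*u8 + 2*__le32), so its members are unaligned; also silences clang -Wunaligned-access */`, keeps that next to the code. Since this is wire data from a USB device, it is also worth confirming (outside the hunk) that multi-byte members are read through `le32_to_cpu()`/`get_unaligned` on the member itself rather than through a plain pointer taken to a member's address, which the attribute does not cover.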
@@ -0,0 +1,42 @@ +From ca2bb69514a8bc7f83914122f0d596371352416c Mon Sep 17 00:00:00 2001 +From: Matthias May +Date: Fri, 5 Aug 2022 21:19:03 +0200 +Subject: geneve: do not use RT_TOS for IPv6 flowlabel + +From: Matthias May + +commit ca2bb69514a8bc7f83914122f0d596371352416c upstream. + +According to Guillaume Nault RT_TOS should never be used for IPv6. + +Quote: +RT_TOS() is an old macro used to interprete IPv4 TOS as described in +the obsolete RFC 1349. It's conceptually wrong to use it even in IPv4 +code, although, given the current state of the code, most of the +existing calls have no consequence. + +But using RT_TOS() in IPv6 code is always a bug: IPv6 never had a "TOS" +field to be interpreted the RFC 1349 way. There's no historical +compatibility to worry about. + +Fixes: 3a56f86f1be6 ("geneve: handle ipv6 priority like ipv4 tos") +Acked-by: Guillaume Nault +Signed-off-by: Matthias May +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/geneve.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -795,8 +795,7 @@ static struct dst_entry *geneve_get_v6_d + use_cache = false; + } + +- fl6->flowlabel = ip6_make_flowinfo(RT_TOS(prio), +- info->key.label); ++ fl6->flowlabel = ip6_make_flowinfo(prio, info->key.label); + dst_cache = (struct dst_cache *)&info->dst_cache; + if (use_cache) { + dst = dst_cache_get_ip6(dst_cache, &fl6->saddr); diff --git a/queue-4.14/nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch b/queue-4.14/nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch new file mode 100644 index 00000000000..0bb2592d440 --- /dev/null +++ b/queue-4.14/nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch 
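Review bot: Dropping `RT_TOS()` changes more than the IPv6 semantics the commit describes: `RT_TOS(prio)` masked the value to the four RFC 1349 TOS bits, whereas `ip6_make_flowinfo(prio, ...)` now receives the full 8-bit `prio`, so precedence and ECN bits (if `prio` carries a dsfield, which the preceding `use_cache = false` branch suggests) now reach the traffic class of `fl6`. As `fl6` here feeds the route lookup and dst cache rather than the emitted header, the visible effect is on policy-routing decisions keyed on tclass; a short comment on the assignment, `/* full dsfield as tclass: affects the route lookup, not the transmitted header */`, would make the intended scope explicit. geneve_get_v6_dst starts and ends outside the hunk, so where `prio` comes from cannot be confirmed here.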
@@ -0,0 +1,138 @@ +From 51fd2eb52c0ca8275a906eed81878ef50ae94eb0 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 13 Jul 2022 17:46:52 -0400 +Subject: NFSv4: Fix races in the legacy idmapper upcall + +From: Trond Myklebust + +commit 51fd2eb52c0ca8275a906eed81878ef50ae94eb0 upstream. + +nfs_idmap_instantiate() will cause the process that is waiting in +request_key_with_auxdata() to wake up and exit. If there is a second +process waiting for the idmap->idmap_mutex, then it may wake up and +start a new call to request_key_with_auxdata(). If the call to +idmap_pipe_downcall() from the first process has not yet finished +calling nfs_idmap_complete_pipe_upcall_locked(), then we may end up +triggering the WARN_ON_ONCE() in nfs_idmap_prepare_pipe_upcall(). + +The fix is to ensure that we clear idmap->idmap_upcall_data before +calling nfs_idmap_instantiate(). + +Fixes: e9ab41b620e4 ("NFSv4: Clean up the legacy idmapper upcall") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4idmap.c | 46 ++++++++++++++++++++++++---------------------- + 1 file changed, 24 insertions(+), 22 deletions(-) + +--- a/fs/nfs/nfs4idmap.c ++++ b/fs/nfs/nfs4idmap.c +@@ -543,22 +543,20 @@ nfs_idmap_prepare_pipe_upcall(struct idm + return true; + } + +-static void +-nfs_idmap_complete_pipe_upcall_locked(struct idmap *idmap, int ret) ++static void nfs_idmap_complete_pipe_upcall(struct idmap_legacy_upcalldata *data, ++ int ret) + { +- struct key *authkey = idmap->idmap_upcall_data->authkey; +- +- kfree(idmap->idmap_upcall_data); +- idmap->idmap_upcall_data = NULL; +- complete_request_key(authkey, ret); +- key_put(authkey); ++ complete_request_key(data->authkey, ret); ++ key_put(data->authkey); ++ kfree(data); + } + +-static void +-nfs_idmap_abort_pipe_upcall(struct idmap *idmap, int ret) ++static void nfs_idmap_abort_pipe_upcall(struct idmap *idmap, ++ struct idmap_legacy_upcalldata *data, ++ int ret) + { +- if (idmap->idmap_upcall_data != NULL) +- 
nfs_idmap_complete_pipe_upcall_locked(idmap, ret); ++ if (cmpxchg(&idmap->idmap_upcall_data, data, NULL) == data) ++ nfs_idmap_complete_pipe_upcall(data, ret); + } + + static int nfs_idmap_legacy_upcall(struct key *authkey, void *aux) +@@ -595,7 +593,7 @@ static int nfs_idmap_legacy_upcall(struc + + ret = rpc_queue_upcall(idmap->idmap_pipe, msg); + if (ret < 0) +- nfs_idmap_abort_pipe_upcall(idmap, ret); ++ nfs_idmap_abort_pipe_upcall(idmap, data, ret); + + return ret; + out2: +@@ -651,6 +649,7 @@ idmap_pipe_downcall(struct file *filp, c + struct request_key_auth *rka; + struct rpc_inode *rpci = RPC_I(file_inode(filp)); + struct idmap *idmap = (struct idmap *)rpci->private; ++ struct idmap_legacy_upcalldata *data; + struct key *authkey; + struct idmap_msg im; + size_t namelen_in; +@@ -660,10 +659,11 @@ idmap_pipe_downcall(struct file *filp, c + * will have been woken up and someone else may now have used + * idmap_key_cons - so after this point we may no longer touch it. + */ +- if (idmap->idmap_upcall_data == NULL) ++ data = xchg(&idmap->idmap_upcall_data, NULL); ++ if (data == NULL) + goto out_noupcall; + +- authkey = idmap->idmap_upcall_data->authkey; ++ authkey = data->authkey; + rka = get_request_key_auth(authkey); + + if (mlen != sizeof(im)) { +@@ -685,18 +685,17 @@ idmap_pipe_downcall(struct file *filp, c + if (namelen_in == 0 || namelen_in == IDMAP_NAMESZ) { + ret = -EINVAL; + goto out; +-} ++ } + +- ret = nfs_idmap_read_and_verify_message(&im, +- &idmap->idmap_upcall_data->idmap_msg, +- rka->target_key, authkey); ++ ret = nfs_idmap_read_and_verify_message(&im, &data->idmap_msg, ++ rka->target_key, authkey); + if (ret >= 0) { + key_set_timeout(rka->target_key, nfs_idmap_cache_timeout); + ret = mlen; + } + + out: +- nfs_idmap_complete_pipe_upcall_locked(idmap, ret); ++ nfs_idmap_complete_pipe_upcall(data, ret); + out_noupcall: + return ret; + } +@@ -710,7 +709,7 @@ idmap_pipe_destroy_msg(struct rpc_pipe_m + struct idmap *idmap = data->idmap; + + if 
(msg->errno) +- nfs_idmap_abort_pipe_upcall(idmap, msg->errno); ++ nfs_idmap_abort_pipe_upcall(idmap, data, msg->errno); + } + + static void +@@ -718,8 +717,11 @@ idmap_release_pipe(struct inode *inode) + { + struct rpc_inode *rpci = RPC_I(inode); + struct idmap *idmap = (struct idmap *)rpci->private; ++ struct idmap_legacy_upcalldata *data; + +- nfs_idmap_abort_pipe_upcall(idmap, -EPIPE); ++ data = xchg(&idmap->idmap_upcall_data, NULL); ++ if (data) ++ nfs_idmap_complete_pipe_upcall(data, -EPIPE); + } + + int nfs_map_name_to_uid(const struct nfs_server *server, const char *name, size_t namelen, kuid_t *uid) diff --git a/queue-4.14/nfsv4.1-reclaim_complete-must-handle-eacces.patch b/queue-4.14/nfsv4.1-reclaim_complete-must-handle-eacces.patch new file mode 100644 index 00000000000..d448e6a7b75 --- /dev/null +++ b/queue-4.14/nfsv4.1-reclaim_complete-must-handle-eacces.patch 
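Review bot: In idmap_pipe_destroy_msg the context line `struct idmap *idmap = data->idmap;` dereferences `data` before `nfs_idmap_abort_pipe_upcall()` performs the `cmpxchg()` that now decides ownership, so if a concurrent downcall can win the `xchg()` in idmap_pipe_downcall and reach `kfree(data)` first, that read is a use-after-free on the allocation containing the message. Whether that window exists depends on how rpc_pipe serialises destroy_msg (including the timeout purge path) against pipe writes, which is outside the hunk; if it is not serialised, the idmap pointer must come from somewhere that does not require dereferencing `data`. Separately, the new idmap_release_pipe body open-codes the `xchg` plus `nfs_idmap_complete_pipe_upcall` pair instead of reusing the helper; a two-line comment explaining that the unconditional `xchg` takes whatever request is pending while the `cmpxchg` in the abort path takes only the caller's own request would stop someone from "simplifying" one into the other.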
@@ -0,0 +1,38 @@
+From e35a5e782f67ed76a65ad0f23a484444a95f000f Mon Sep 17 00:00:00 2001
+From: Zhang Xianwei
+Date: Wed, 27 Jul 2022 18:01:07 +0800
+Subject: NFSv4.1: RECLAIM_COMPLETE must handle EACCES
+
+From: Zhang Xianwei
+
+commit e35a5e782f67ed76a65ad0f23a484444a95f000f upstream.
+
+A client should be able to handle getting an EACCES error while doing
+a mount operation to reclaim state due to NFS4CLNT_RECLAIM_REBOOT
+being set. If the server returns RPC_AUTH_BADCRED because authentication
+failed when we execute "exportfs -au", then RECLAIM_COMPLETE will go a
+wrong way. After mount succeeds, all OPEN call will fail due to an
+NFS4ERR_GRACE error being returned. This patch is to fix it by resending
+a RPC request.
+
+Signed-off-by: Zhang Xianwei
+Signed-off-by: Yi Wang
+Fixes: aa5190d0ed7d ("NFSv4: Kill nfs4_async_handle_error() abuses by NFSv4.1")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/nfs4proc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -8371,6 +8371,9 @@ static int nfs41_reclaim_complete_handle
+ rpc_delay(task, NFS4_POLL_RETRY_MAX);
+ /* fall through */
+ case -NFS4ERR_RETRY_UNCACHED_REP:
++ case -EACCES:
++ dprintk("%s: failed to reclaim complete error %d for server %s, retrying\n",
++ __func__, task->tk_status, clp->cl_hostname);
+ return -EAGAIN;
+ case -NFS4ERR_BADSESSION:
+ case -NFS4ERR_DEADSESSION:
diff --git a/queue-4.14/pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch b/queue-4.14/pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch
new file mode 100644
index 00000000000..008373a1a9b
--- /dev/null
+++ b/queue-4.14/pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch
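Review bot: The new `case -EACCES:` sits after the `rpc_delay(task, NFS4_POLL_RETRY_MAX)` call, so an EACCES result returns -EAGAIN with no back-off, and a server that keeps answering RPC_AUTH_BADCRED (misconfigured, or deliberately hostile) will have the client re-issue RECLAIM_COMPLETE in a tight loop. Placing the label above the delay, i.e. `case -EACCES:` immediately before `rpc_delay(task, NFS4_POLL_RETRY_MAX);`, gives it the same pacing as whichever case precedes the delay (presumably NFS4ERR_DELAY; that label is outside the hunk), and bounding the retry count would be the stricter option. The `dprintk` is fine as a debug aid but gives operators no visibility in a production build, which matters for a retry that has no upper bound. nfs41_reclaim_complete_handle_errors continues outside the hunk.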
@@ -0,0 +1,36 @@
+From 4b32e054335ea0ce50967f63a7bfd4db058b14b9 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Tue, 7 Jun 2022 15:16:01 +0400
+Subject: pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map
+
+From: Miaoqian Lin
+
+commit 4b32e054335ea0ce50967f63a7bfd4db058b14b9 upstream.
+
+of_parse_phandle() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak."
+
+Fixes: c2f6d059abfc ("pinctrl: nomadik: refactor DT parser to take two paths")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220607111602.57355-1-linmq006@gmail.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/nomadik/pinctrl-nomadik.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/nomadik/pinctrl-nomadik.c
++++ b/drivers/pinctrl/nomadik/pinctrl-nomadik.c
+@@ -1455,8 +1455,10 @@ static int nmk_pinctrl_dt_subnode_to_map
+
+ has_config = nmk_pinctrl_dt_get_config(np, &configs);
+ np_config = of_parse_phandle(np, "ste,config", 0);
+- if (np_config)
++ if (np_config) {
+ has_config |= nmk_pinctrl_dt_get_config(np_config, &configs);
++ of_node_put(np_config);
++ }
+ if (has_config) {
+ const char *gpio_name;
+ const char *pin;
diff --git a/queue-4.14/pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch b/queue-4.14/pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch
new file mode 100644
index 00000000000..110c1cfbed6
--- /dev/null
+++ b/queue-4.14/pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch
@@ -0,0 +1,37 @@ +From 44339391c666e46cba522d19c65a6ad1071c68b7 Mon Sep 17 00:00:00 2001 +From: Nikita Travkin +Date: Sun, 12 Jun 2022 19:59:54 +0500 +Subject: pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed + +From: Nikita Travkin + +commit 44339391c666e46cba522d19c65a6ad1071c68b7 upstream. + +GPIO 31, 32 can be muxed to GCC_CAMSS_GP(1,2)_CLK respectively but the +function was never assigned to the pingroup (even though the function +exists already). + +Add this mode to the related pins. + +Fixes: 5373a2c5abb6 ("pinctrl: qcom: Add msm8916 pinctrl driver") +Signed-off-by: Nikita Travkin +Link: https://lore.kernel.org/r/20220612145955.385787-4-nikita@trvn.ru +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-msm8916.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/qcom/pinctrl-msm8916.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm8916.c +@@ -852,8 +852,8 @@ static const struct msm_pingroup msm8916 + PINGROUP(28, pwr_modem_enabled_a, NA, NA, NA, NA, NA, qdss_tracedata_b, NA, atest_combodac), + PINGROUP(29, cci_i2c, NA, NA, NA, NA, NA, qdss_tracedata_b, NA, atest_combodac), + PINGROUP(30, cci_i2c, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b), +- PINGROUP(31, cci_timer0, NA, NA, NA, NA, NA, NA, NA, NA), +- PINGROUP(32, cci_timer1, NA, NA, NA, NA, NA, NA, NA, NA), ++ PINGROUP(31, cci_timer0, flash_strobe, NA, NA, NA, NA, NA, NA, NA), ++ PINGROUP(32, cci_timer1, flash_strobe, NA, NA, NA, NA, NA, NA, NA), + PINGROUP(33, cci_async, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b), + PINGROUP(34, pwr_nav_enabled_a, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b), + PINGROUP(35, pwr_crypto_enabled_a, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b), diff --git a/queue-4.14/series b/queue-4.14/series index b44659da7f7..d7633a6fe37 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
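Review bot: The entries added to gpio31/gpio32 name the function `flash_strobe`, while the commit explains the goal as muxing GCC_CAMSS_GP1/GP2_CLK; nothing in the hunk ties the two together, so the mapping exists only in the message. A comment on the two PINGROUP lines, `/* flash_strobe on gpio31/32 is GCC_CAMSS_GP{1,2}_CLK */`, would save the next reader from consulting the function table (outside the hunk) to confirm that `flash_strobe` really is the GP clock function rather than a misassignment.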
@@ -177,3 +177,17 @@ alsa-info-fix-llseek-return-value-when-using-callback.patch rds-add-missing-barrier-to-release_refill.patch ata-libata-eh-add-missing-command-name.patch btrfs-fix-lost-error-handling-when-looking-up-extended-ref-on-log-replay.patch +can-ems_usb-fix-clang-s-wunaligned-access-warning.patch +apparmor-fix-quiet_denied-for-file-rules.patch +apparmor-fix-failed-mount-permission-check-error-message.patch +apparmor-fix-aa_label_asxprint-return-check.patch +apparmor-fix-reference-count-leak-in-aa_pivotroot.patch +nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch +nfsv4.1-reclaim_complete-must-handle-eacces.patch +sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch +pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch +pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch +acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch +geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch +vsock-fix-memory-leak-in-vsock_connect.patch +vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch diff --git a/queue-4.14/sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch b/queue-4.14/sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch new file mode 100644 index 00000000000..2e7ea8c14b1 --- /dev/null +++ b/queue-4.14/sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch 
@@ -0,0 +1,50 @@ +From 6622e3a73112fc336c1c2c582428fb5ef18e456a Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 27 Jul 2022 12:27:54 -0400 +Subject: SUNRPC: Reinitialise the backchannel request buffers before reuse + +From: Trond Myklebust + +commit 6622e3a73112fc336c1c2c582428fb5ef18e456a upstream. + +When we're reusing the backchannel requests instead of freeing them, +then we should reinitialise any values of the send/receive xdr_bufs so +that they reflect the available space. + +Fixes: 0d2a970d0ae5 ("SUNRPC: Fix a backchannel race") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/backchannel_rqst.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/net/sunrpc/backchannel_rqst.c ++++ b/net/sunrpc/backchannel_rqst.c +@@ -69,6 +69,17 @@ static void xprt_free_allocation(struct + kfree(req); + } + ++static void xprt_bc_reinit_xdr_buf(struct xdr_buf *buf) ++{ ++ buf->head[0].iov_len = PAGE_SIZE; ++ buf->tail[0].iov_len = 0; ++ buf->pages = NULL; ++ buf->page_len = 0; ++ buf->flags = 0; ++ buf->len = 0; ++ buf->buflen = PAGE_SIZE; ++} ++ + static int xprt_alloc_xdr_buf(struct xdr_buf *buf, gfp_t gfp_flags) + { + struct page *page; +@@ -291,6 +302,9 @@ void xprt_free_bc_rqst(struct rpc_rqst * + */ + spin_lock_bh(&xprt->bc_pa_lock); + if (xprt_need_to_requeue(xprt)) { ++ xprt_bc_reinit_xdr_buf(&req->rq_snd_buf); ++ xprt_bc_reinit_xdr_buf(&req->rq_rcv_buf); ++ req->rq_rcv_buf.len = PAGE_SIZE; + list_add_tail(&req->rq_bc_pa_list, &xprt->bc_pa_list); + xprt->bc_alloc_count++; + req = NULL; diff --git a/queue-4.14/vsock-fix-memory-leak-in-vsock_connect.patch b/queue-4.14/vsock-fix-memory-leak-in-vsock_connect.patch new file mode 100644 index 00000000000..2b34765d072 --- /dev/null +++ b/queue-4.14/vsock-fix-memory-leak-in-vsock_connect.patch 
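Review bot: `xprt_bc_reinit_xdr_buf()` hardcodes `PAGE_SIZE` for `head[0].iov_len` and `buflen`, duplicating the sizing decision that `xprt_alloc_xdr_buf()` (only partly visible) makes when it allocates the page; if that allocation ever changes, the reinit silently disagrees with it. The helper also sets `buf->len = 0` and the caller immediately overrides it with `req->rq_rcv_buf.len = PAGE_SIZE;` for the receive side, which reads as a correction rather than a design; a `len` parameter, `xprt_bc_reinit_xdr_buf(&req->rq_rcv_buf, PAGE_SIZE)`, would remove the override. The head page is reused without being cleared, so the previous callback's bytes stay in the buffer; decode is bounded by `len`, but a comment saying the stale contents are intentional would help. The enclosing xprt_free_bc_rqst starts outside the hunk.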
@@ -0,0 +1,83 @@ +From 7e97cfed9929eaabc41829c395eb0d1350fccb9d Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Mon, 8 Aug 2022 11:04:47 -0700 +Subject: vsock: Fix memory leak in vsock_connect() + +From: Peilin Ye + +commit 7e97cfed9929eaabc41829c395eb0d1350fccb9d upstream. + +An O_NONBLOCK vsock_connect() request may try to reschedule +@connect_work. Imagine the following sequence of vsock_connect() +requests: + + 1. The 1st, non-blocking request schedules @connect_work, which will + expire after 200 jiffies. Socket state is now SS_CONNECTING; + + 2. Later, the 2nd, blocking request gets interrupted by a signal after + a few jiffies while waiting for the connection to be established. + Socket state is back to SS_UNCONNECTED, but @connect_work is still + pending, and will expire after 100 jiffies. + + 3. Now, the 3rd, non-blocking request tries to schedule @connect_work + again. Since @connect_work is already scheduled, + schedule_delayed_work() silently returns. sock_hold() is called + twice, but sock_put() will only be called once in + vsock_connect_timeout(), causing a memory leak reported by syzbot: + + BUG: memory leak + unreferenced object 0xffff88810ea56a40 (size 1232): + comm "syz-executor756", pid 3604, jiffies 4294947681 (age 12.350s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 28 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............ 
+ backtrace: + [] sk_prot_alloc+0x3e/0x1b0 net/core/sock.c:1930 + [] sk_alloc+0x32/0x2e0 net/core/sock.c:1989 + [] __vsock_create.constprop.0+0x38/0x320 net/vmw_vsock/af_vsock.c:734 + [] vsock_create+0xc1/0x2d0 net/vmw_vsock/af_vsock.c:2203 + [] __sock_create+0x1ab/0x2b0 net/socket.c:1468 + [] sock_create net/socket.c:1519 [inline] + [] __sys_socket+0x6f/0x140 net/socket.c:1561 + [] __do_sys_socket net/socket.c:1570 [inline] + [] __se_sys_socket net/socket.c:1568 [inline] + [] __x64_sys_socket+0x1a/0x20 net/socket.c:1568 + [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + <...> + +Use mod_delayed_work() instead: if @connect_work is already scheduled, +reschedule it, and undo sock_hold() to keep the reference count +balanced. + +Reported-and-tested-by: syzbot+b03f55bf128f9a38f064@syzkaller.appspotmail.com +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Co-developed-by: Stefano Garzarella +Signed-off-by: Stefano Garzarella +Reviewed-by: Stefano Garzarella +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1222,7 +1222,14 @@ static int vsock_stream_connect(struct s + * timeout fires. + */ + sock_hold(sk); +- schedule_delayed_work(&vsk->connect_work, timeout); ++ ++ /* If the timeout function is already scheduled, ++ * reschedule it, then ungrab the socket refcount to ++ * keep it balanced. ++ */ ++ if (mod_delayed_work(system_wq, &vsk->connect_work, ++ timeout)) ++ sock_put(sk); + + /* Skip ahead to preserve error code set above. */ + goto out_wait; 
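Review bot: The `mod_delayed_work()` plus conditional `sock_put()` keeps the refcount balanced, but the comment should say why the hold comes first: if `vsock_stream_connect` runs with the socket lock held (the surrounding state handling suggests so, but the function starts outside the hunk), `if (!mod_delayed_work(system_wq, &vsk->connect_work, timeout)) sock_hold(sk);` would avoid the hold-then-put pair; if it does not, the current order is the only safe one and the comment should state that. The comment should also cover `mod_delayed_work` returning false because `vsock_connect_timeout` is already executing, in which case the running instance releases the old reference and the newly queued one consumes this hold, so the accounting still balances. The rest of vsock_stream_connect is outside the hunk.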
diff --git a/queue-4.14/vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch b/queue-4.14/vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch
new file mode 100644
index 00000000000..1ef2f9902fb
--- /dev/null
+++ b/queue-4.14/vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch
@@ -0,0 +1,41 @@
+From a3e7b29e30854ed67be0d17687e744ad0c769c4b Mon Sep 17 00:00:00 2001
+From: Peilin Ye
+Date: Mon, 8 Aug 2022 11:05:25 -0700
+Subject: vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout()
+
+From: Peilin Ye
+
+commit a3e7b29e30854ed67be0d17687e744ad0c769c4b upstream.
+
+Imagine two non-blocking vsock_connect() requests on the same socket.
+The first request schedules @connect_work, and after it times out,
+vsock_connect_timeout() sets *sock* state back to TCP_CLOSE, but keeps
+*socket* state as SS_CONNECTING.
+
+Later, the second request returns -EALREADY, meaning the socket "already
+has a pending connection in progress", even though the first request has
+already timed out.
+
+As suggested by Stefano, fix it by setting *socket* state back to
+SS_UNCONNECTED, so that the second request will return -ETIMEDOUT.
+
+Suggested-by: Stefano Garzarella
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reviewed-by: Stefano Garzarella
+Signed-off-by: Peilin Ye
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/af_vsock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1125,6 +1125,7 @@ static void vsock_connect_timeout(struct
+ if (sk->sk_state == TCP_SYN_SENT &&
+ (sk->sk_shutdown != SHUTDOWN_MASK)) {
+ sk->sk_state = TCP_CLOSE;
++ sk->sk_socket->state = SS_UNCONNECTED;
+ sk->sk_err = ETIMEDOUT;
+ sk->sk_error_report(sk);
+ vsock_transport_cancel_pkt(vsk);
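Review bot: The added `sk->sk_socket->state = SS_UNCONNECTED;` dereferences `sk->sk_socket` with no NULL check, and `sk_socket` is cleared when a socket is orphaned on release; the line is safe only because the preceding `sk->sk_shutdown != SHUTDOWN_MASK` test happens to exclude a released socket, which assumes release sets SHUTDOWN_MASK under the same lock before the orphan can be observed here (not visible in the hunk). That coupling should be stated, e.g. `/* sk_socket is non-NULL here: release sets SHUTDOWN_MASK before orphaning the sock */`, or made explicit with `if (sk->sk_socket)`, so a later change to the shutdown handling cannot turn this into a NULL dereference from work-queue context. vsock_connect_timeout begins and ends outside the hunk.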