From: Sasha Levin Date: Thu, 23 May 2019 16:25:47 +0000 (-0400) Subject: fixes for 4.14 X-Git-Tag: v5.1.5~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd5568badf2b7a3bc61e7b7ac7d9e02352896100;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/apparmorfs-fix-use-after-free-on-symlink-traversal.patch b/queue-4.14/apparmorfs-fix-use-after-free-on-symlink-traversal.patch new file mode 100644 index 00000000000..aa9d8b6a272 --- /dev/null +++ b/queue-4.14/apparmorfs-fix-use-after-free-on-symlink-traversal.patch @@ -0,0 +1,51 @@ +From d2e15493f9d394661139373b8b67b7f08bda10c4 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 10 Apr 2019 14:04:34 -0400 +Subject: apparmorfs: fix use-after-free on symlink traversal + +[ Upstream commit f51dcd0f621caac5380ce90fbbeafc32ce4517ae ] + +symlink body shouldn't be freed without an RCU delay. Switch apparmorfs +to ->destroy_inode() and use of call_rcu(); free both the inode and symlink +body in the callback. + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + security/apparmor/apparmorfs.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c +index 0e03377bb83ea..dd746bd69a9b2 100644 +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c +@@ -126,17 +126,22 @@ static int aafs_show_path(struct seq_file *seq, struct dentry *dentry) + return 0; + } + +-static void aafs_evict_inode(struct inode *inode) ++static void aafs_i_callback(struct rcu_head *head) + { +- truncate_inode_pages_final(&inode->i_data); +- clear_inode(inode); ++ struct inode *inode = container_of(head, struct inode, i_rcu); + if (S_ISLNK(inode->i_mode)) + kfree(inode->i_link); ++ free_inode_nonrcu(inode); ++} ++ ++static void aafs_destroy_inode(struct inode *inode) ++{ ++ call_rcu(&inode->i_rcu, aafs_i_callback); + } + + static const struct super_operations aafs_super_ops = { + .statfs = simple_statfs, +- .evict_inode = aafs_evict_inode, ++ .destroy_inode = aafs_destroy_inode, + .show_path = aafs_show_path, + }; + +-- +2.20.1 + diff --git a/queue-4.14/esp4-add-length-check-for-udp-encapsulation.patch b/queue-4.14/esp4-add-length-check-for-udp-encapsulation.patch new file mode 100644 index 00000000000..f3ffe7e7fe3 --- /dev/null +++ b/queue-4.14/esp4-add-length-check-for-udp-encapsulation.patch @@ -0,0 +1,90 @@ +From 11ada74dcc032cbb7a933cbaf585446ae31454d0 Mon Sep 17 00:00:00 2001 +From: Sabrina Dubroca +Date: Mon, 25 Mar 2019 14:30:00 +0100 +Subject: esp4: add length check for UDP encapsulation + +[ Upstream commit 8dfb4eba4100e7cdd161a8baef2d8d61b7a7e62e ] + +esp_output_udp_encap can produce a length that doesn't fit in the 16 +bits of a UDP header's length field. In that case, we'll send a +fragmented packet whose length is larger than IP_MAX_MTU (resulting in +"Oversized IP packet" warnings on receive) and with a bogus UDP +length. + +To prevent this, add a length check to esp_output_udp_encap and return + -EMSGSIZE on failure. + +This seems to be older than git history. + +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/esp4.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c +index d30285c5d52dd..c8e32f167ebbf 100644 +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -205,7 +205,7 @@ static void esp_output_fill_trailer(u8 *tail, int tfclen, int plen, __u8 proto) + tail[plen - 1] = proto; + } + +-static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp) ++static int esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp) + { + int encap_type; + struct udphdr *uh; +@@ -213,6 +213,7 @@ static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, stru + __be16 sport, dport; + struct xfrm_encap_tmpl *encap = x->encap; + struct ip_esp_hdr *esph = esp->esph; ++ unsigned int len; + + spin_lock_bh(&x->lock); + sport = encap->encap_sport; +@@ -220,11 +221,14 @@ static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, stru + encap_type = encap->encap_type; + spin_unlock_bh(&x->lock); + ++ len = skb->len + esp->tailen - skb_transport_offset(skb); ++ if (len + sizeof(struct iphdr) >= IP_MAX_MTU) ++ return -EMSGSIZE; ++ + uh = (struct udphdr *)esph; + uh->source = sport; + uh->dest = dport; +- uh->len = htons(skb->len + esp->tailen +- - skb_transport_offset(skb)); ++ uh->len = htons(len); + uh->check = 0; + + switch (encap_type) { +@@ -241,6 +245,8 @@ static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, stru + + *skb_mac_header(skb) = IPPROTO_UDP; + esp->esph = esph; ++ ++ return 0; + } + + int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp) +@@ -254,8 +260,12 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * + int tailen = esp->tailen; + + /* this is non-NULL only with UDP Encapsulation */ +- if (x->encap) +- esp_output_udp_encap(x, skb, esp); ++ if (x->encap) { ++ int err = esp_output_udp_encap(x, skb, esp); ++ ++ if (err < 0) ++ return err; ++ } + + if (!skb_cloned(skb)) { + if (tailen <= skb_tailroom(skb)) { +-- +2.20.1 + diff --git a/queue-4.14/iwlwifi-mvm-check-for-length-correctness-in-iwl_mvm_.patch b/queue-4.14/iwlwifi-mvm-check-for-length-correctness-in-iwl_mvm_.patch new file mode 100644 index 00000000000..9ea736e1589 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-check-for-length-correctness-in-iwl_mvm_.patch @@ -0,0 +1,114 @@ +From bd8eb10c36b12ed7970e16e2e0b6e2afe9b8c286 Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Tue, 16 Apr 2019 12:57:21 +0300 +Subject: iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb() + +[ Upstream commit de1887c064b9996ac03120d90d0a909a3f678f98 ] + +We don't check for the validity of the lengths in the packet received +from the firmware. If the MPDU length received in the rx descriptor +is too short to contain the header length and the crypt length +together, we may end up trying to copy a negative number of bytes +(headlen - hdrlen < 0) which will underflow and cause us to try to +copy a huge amount of data. This causes oopses such as this one: + +BUG: unable to handle kernel paging request at ffff896be2970000 +PGD 5e201067 P4D 5e201067 PUD 5e205067 PMD 16110d063 PTE 8000000162970161 +Oops: 0003 [#1] PREEMPT SMP NOPTI +CPU: 2 PID: 1824 Comm: irq/134-iwlwifi Not tainted 4.19.33-04308-geea41cf4930f #1 +Hardware name: [...] +RIP: 0010:memcpy_erms+0x6/0x10 +Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 + 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe +RSP: 0018:ffffa4630196fc60 EFLAGS: 00010287 +RAX: ffff896be2924618 RBX: ffff896bc8ecc600 RCX: 00000000fffb4610 +RDX: 00000000fffffff8 RSI: ffff896a835e2a38 RDI: ffff896be2970000 +RBP: ffffa4630196fd30 R08: ffff896bc8ecc600 R09: ffff896a83597000 +R10: ffff896bd6998400 R11: 000000000200407f R12: ffff896a83597050 +R13: 00000000fffffff8 R14: 0000000000000010 R15: ffff896a83597038 +FS: 0000000000000000(0000) GS:ffff896be8280000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffff896be2970000 CR3: 000000005dc12002 CR4: 00000000003606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + iwl_mvm_rx_mpdu_mq+0xb51/0x121b [iwlmvm] + iwl_pcie_rx_handle+0x58c/0xa89 [iwlwifi] + iwl_pcie_irq_rx_msix_handler+0xd9/0x12a [iwlwifi] + irq_thread_fn+0x24/0x49 + irq_thread+0xb0/0x122 + kthread+0x138/0x140 + ret_from_fork+0x1f/0x40 + +Fix that by checking the lengths for correctness and trigger a warning +to show that we have received wrong data. + +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 28 ++++++++++++++++--- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +index 8ba8c70571fb7..7fb8bbaf21420 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +@@ -141,9 +141,9 @@ static inline int iwl_mvm_check_pn(struct iwl_mvm *mvm, struct sk_buff *skb, + } + + /* iwl_mvm_create_skb Adds the rxb to a new skb */ +-static void iwl_mvm_create_skb(struct sk_buff *skb, struct ieee80211_hdr *hdr, +- u16 len, u8 crypt_len, +- struct iwl_rx_cmd_buffer *rxb) ++static int iwl_mvm_create_skb(struct iwl_mvm *mvm, struct sk_buff *skb, ++ struct ieee80211_hdr *hdr, u16 len, u8 crypt_len, ++ struct iwl_rx_cmd_buffer *rxb) + { + struct iwl_rx_packet *pkt = rxb_addr(rxb); + struct iwl_rx_mpdu_desc *desc = (void *)pkt->data; +@@ -184,6 +184,20 @@ static void iwl_mvm_create_skb(struct sk_buff *skb, struct ieee80211_hdr *hdr, + * present before copying packet data. + */ + hdrlen += crypt_len; ++ ++ if (WARN_ONCE(headlen < hdrlen, ++ "invalid packet lengths (hdrlen=%d, len=%d, crypt_len=%d)\n", ++ hdrlen, len, crypt_len)) { ++ /* ++ * We warn and trace because we want to be able to see ++ * it in trace-cmd as well. ++ */ ++ IWL_DEBUG_RX(mvm, ++ "invalid packet lengths (hdrlen=%d, len=%d, crypt_len=%d)\n", ++ hdrlen, len, crypt_len); ++ return -EINVAL; ++ } ++ + skb_put_data(skb, hdr, hdrlen); + skb_put_data(skb, (u8 *)hdr + hdrlen + pad_len, headlen - hdrlen); + +@@ -196,6 +210,8 @@ static void iwl_mvm_create_skb(struct sk_buff *skb, struct ieee80211_hdr *hdr, + skb_add_rx_frag(skb, 0, rxb_steal_page(rxb), offset, + fraglen, rxb->truesize); + } ++ ++ return 0; + } + + /* iwl_mvm_pass_packet_to_mac80211 - passes the packet for mac80211 */ +@@ -1033,7 +1049,11 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *mvm, struct napi_struct *napi, + rx_status->boottime_ns = ktime_get_boot_ns(); + } + +- iwl_mvm_create_skb(skb, hdr, len, crypt_len, rxb); ++ if (iwl_mvm_create_skb(mvm, skb, hdr, len, crypt_len, rxb)) { ++ kfree_skb(skb); ++ goto out; ++ } ++ + if (!iwl_mvm_reorder(mvm, napi, queue, sta, skb, desc)) + iwl_mvm_pass_packet_to_mac80211(mvm, napi, skb, queue, sta); + out: +-- +2.20.1 + diff --git a/queue-4.14/kvm-arm-arm64-ensure-vcpu-target-is-unset-on-reset-f.patch b/queue-4.14/kvm-arm-arm64-ensure-vcpu-target-is-unset-on-reset-f.patch new file mode 100644 index 00000000000..1b4f637a94b --- /dev/null +++ b/queue-4.14/kvm-arm-arm64-ensure-vcpu-target-is-unset-on-reset-f.patch @@ -0,0 +1,55 @@ +From cd107c9ab246608f0713f02f2d99514e5fbdfa3f Mon Sep 17 00:00:00 2001 +From: Andrew Jones +Date: Thu, 4 Apr 2019 19:42:30 +0200 +Subject: KVM: arm/arm64: Ensure vcpu target is unset on reset failure + +[ Upstream commit 811328fc3222f7b55846de0cd0404339e2e1e6d7 ] + +A failed KVM_ARM_VCPU_INIT should not set the vcpu target, +as the vcpu target is used by kvm_vcpu_initialized() to +determine if other vcpu ioctls may proceed. We need to set +the target before calling kvm_reset_vcpu(), but if that call +fails, we should then unset it and clear the feature bitmap +while we're at it. + +Signed-off-by: Andrew Jones +[maz: Simplified patch, completed commit message] +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + virt/kvm/arm/arm.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/virt/kvm/arm/arm.c b/virt/kvm/arm/arm.c +index 32aa88c19b8d5..4154f98b337c5 100644 +--- a/virt/kvm/arm/arm.c ++++ b/virt/kvm/arm/arm.c +@@ -856,7 +856,7 @@ int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irq_level, + static int kvm_vcpu_set_target(struct kvm_vcpu *vcpu, + const struct kvm_vcpu_init *init) + { +- unsigned int i; ++ unsigned int i, ret; + int phys_target = kvm_target_cpu(); + + if (init->target != phys_target) +@@ -891,9 +891,14 @@ static int kvm_vcpu_set_target(struct kvm_vcpu *vcpu, + vcpu->arch.target = phys_target; + + /* Now we know what it is, we can reset it. */ +- return kvm_reset_vcpu(vcpu); +-} ++ ret = kvm_reset_vcpu(vcpu); ++ if (ret) { ++ vcpu->arch.target = -1; ++ bitmap_zero(vcpu->arch.features, KVM_VCPU_MAX_FEATURES); ++ } + ++ return ret; ++} + + static int kvm_arch_vcpu_ioctl_vcpu_init(struct kvm_vcpu *vcpu, + struct kvm_vcpu_init *init) +-- +2.20.1 + diff --git a/queue-4.14/mac80211-fix-kernel-panic-due-to-use-of-txq-after-fr.patch b/queue-4.14/mac80211-fix-kernel-panic-due-to-use-of-txq-after-fr.patch new file mode 100644 index 00000000000..2a6061bc65f --- /dev/null +++ b/queue-4.14/mac80211-fix-kernel-panic-due-to-use-of-txq-after-fr.patch @@ -0,0 +1,44 @@ +From ad661504f0fe699c3aa3e3f5ffb1fdec38da1f4c Mon Sep 17 00:00:00 2001 +From: Bhagavathi Perumal S +Date: Tue, 16 Apr 2019 12:54:40 +0530 +Subject: mac80211: Fix kernel panic due to use of txq after free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit f1267cf3c01b12e0f843fb6a7450a7f0b2efab8a ] + +The txq of vif is added to active_txqs list for ATF TXQ scheduling +in the function ieee80211_queue_skb(), but it was not properly removed +before freeing the txq object. It was causing use after free of the txq +objects from the active_txqs list, result was kernel panic +due to invalid memory access. + +Fix kernel invalid memory access by properly removing txq object +from active_txqs list before free the object. + +Signed-off-by: Bhagavathi Perumal S +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/iface.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index 222c063244f56..6ce13e976b7a2 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -1924,6 +1924,9 @@ void ieee80211_if_remove(struct ieee80211_sub_if_data *sdata) + list_del_rcu(&sdata->list); + mutex_unlock(&sdata->local->iflist_mtx); + ++ if (sdata->vif.txq) ++ ieee80211_txq_purge(sdata->local, to_txq_info(sdata->vif.txq)); ++ + synchronize_rcu(); + + if (sdata->dev) { +-- +2.20.1 + diff --git a/queue-4.14/perf-bench-numa-add-define-for-rusage_thread-if-not-.patch b/queue-4.14/perf-bench-numa-add-define-for-rusage_thread-if-not-.patch new file mode 100644 index 00000000000..b772b585908 --- /dev/null +++ b/queue-4.14/perf-bench-numa-add-define-for-rusage_thread-if-not-.patch @@ -0,0 +1,69 @@ +From a01bf5e00f3ab261a677f63af84e15c792437b3e Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Thu, 25 Apr 2019 18:36:51 -0300 +Subject: perf bench numa: Add define for RUSAGE_THREAD if not present +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit bf561d3c13423fc54daa19b5d49dc15fafdb7acc ] + +While cross building perf to the ARC architecture on a fedora 30 host, +we were failing with: + + CC /tmp/build/perf/bench/numa.o + bench/numa.c: In function ‘worker_thread’: + bench/numa.c:1261:12: error: ‘RUSAGE_THREAD’ undeclared (first use in this function); did you mean ‘SIGEV_THREAD’? + getrusage(RUSAGE_THREAD, &rusage); + ^~~~~~~~~~~~~ + SIGEV_THREAD + bench/numa.c:1261:12: note: each undeclared identifier is reported only once for each function it appears in + +[perfbuilder@60d5802468f6 perf]$ /arc_gnu_2019.03-rc1_prebuilt_uclibc_le_archs_linux_install/bin/arc-linux-gcc --version | head -1 +arc-linux-gcc (ARCv2 ISA Linux uClibc toolchain 2019.03-rc1) 8.3.1 20190225 +[perfbuilder@60d5802468f6 perf]$ + +Trying to reproduce a report by Vineet, I noticed that, with just +cross-built zlib and numactl libraries, I ended up with the above +failure. + +So, since RUSAGE_THREAD is available as a define, check for that and +numactl libraries, I ended up with the above failure. + +So, since RUSAGE_THREAD is available as a define in the system headers, +check if it is defined in the 'perf bench numa' sources and define it if +not. + +Now it builds and I have to figure out if the problem reported by Vineet +only takes place if we have libelf or some other library available. + +Cc: Arnd Bergmann +Cc: Jiri Olsa +Cc: linux-snps-arc@lists.infradead.org +Cc: Namhyung Kim +Cc: Vineet Gupta +Link: https://lkml.kernel.org/n/tip-2wb4r1gir9xrevbpq7qp0amk@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/bench/numa.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c +index 0afcc7eccc619..997875c770b10 100644 +--- a/tools/perf/bench/numa.c ++++ b/tools/perf/bench/numa.c +@@ -38,6 +38,10 @@ + #include + #include + ++#ifndef RUSAGE_THREAD ++# define RUSAGE_THREAD 1 ++#endif ++ + /* + * Regular printout to the terminal, supressed if -q is specified: + */ +-- +2.20.1 + diff --git a/queue-4.14/power-supply-cpcap-battery-fix-division-by-zero.patch b/queue-4.14/power-supply-cpcap-battery-fix-division-by-zero.patch new file mode 100644 index 00000000000..376b689851d --- /dev/null +++ b/queue-4.14/power-supply-cpcap-battery-fix-division-by-zero.patch @@ -0,0 +1,44 @@ +From f42baa00d07e4cf9142c32b2959734ced5c0f053 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Sun, 7 Apr 2019 11:12:48 -0700 +Subject: power: supply: cpcap-battery: Fix division by zero + +[ Upstream commit dbe7208c6c4aec083571f2ec742870a0d0edbea3 ] + +If called fast enough so samples do not increment, we can get +division by zero in kernel: + +__div0 +cpcap_battery_cc_raw_div +cpcap_battery_get_property +power_supply_get_property.part.1 +power_supply_get_property +power_supply_show_property +power_supply_uevent + +Fixes: 874b2adbed12 ("power: supply: cpcap-battery: Add a battery driver") +Signed-off-by: Tony Lindgren +Acked-by: Pavel Machek +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/cpcap-battery.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/power/supply/cpcap-battery.c b/drivers/power/supply/cpcap-battery.c +index ee71a2b37b12c..fe7fcf3a2ad03 100644 +--- a/drivers/power/supply/cpcap-battery.c ++++ b/drivers/power/supply/cpcap-battery.c +@@ -221,6 +221,9 @@ static int cpcap_battery_cc_raw_div(struct cpcap_battery_ddata *ddata, + int avg_current; + u32 cc_lsb; + ++ if (!divider) ++ return 0; ++ + sample &= 0xffffff; /* 24-bits, unsigned */ + offset &= 0x7ff; /* 10-bits, signed */ + +-- +2.20.1 + diff --git a/queue-4.14/power-supply-sysfs-prevent-endless-uevent-loop-with-.patch b/queue-4.14/power-supply-sysfs-prevent-endless-uevent-loop-with-.patch new file mode 100644 index 00000000000..ab0782ebae4 --- /dev/null +++ b/queue-4.14/power-supply-sysfs-prevent-endless-uevent-loop-with-.patch @@ -0,0 +1,68 @@ +From 792c2a134fc45ff55431fa10a1077755a5b8193d Mon Sep 17 00:00:00 2001 +From: Andrey Smirnov +Date: Wed, 24 Apr 2019 00:16:10 -0700 +Subject: power: supply: sysfs: prevent endless uevent loop with + CONFIG_POWER_SUPPLY_DEBUG + +[ Upstream commit 349ced9984ff540ce74ca8a0b2e9b03dc434b9dd ] + +Fix a similar endless event loop as was done in commit +8dcf32175b4e ("i2c: prevent endless uevent loop with +CONFIG_I2C_DEBUG_CORE"): + + The culprit is the dev_dbg printk in the i2c uevent handler. If + this is activated (for instance by CONFIG_I2C_DEBUG_CORE) it results + in an endless loop with systemd-journald. + + This happens if user-space scans the system log and reads the uevent + file to get information about a newly created device, which seems + fair use to me. Unfortunately reading the "uevent" file uses the + same function that runs for creating the uevent for a new device, + generating the next syslog entry + +Both CONFIG_I2C_DEBUG_CORE and CONFIG_POWER_SUPPLY_DEBUG were reported +in https://bugs.freedesktop.org/show_bug.cgi?id=76886 but only former +seems to have been fixed. Drop debug prints as it was done in I2C +subsystem to resolve the issue. + +Signed-off-by: Andrey Smirnov +Cc: Chris Healy +Cc: linux-pm@vger.kernel.org +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/power_supply_sysfs.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/drivers/power/supply/power_supply_sysfs.c b/drivers/power/supply/power_supply_sysfs.c +index 5204f115970fe..eb5dc74820539 100644 +--- a/drivers/power/supply/power_supply_sysfs.c ++++ b/drivers/power/supply/power_supply_sysfs.c +@@ -325,15 +325,11 @@ int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env) + char *prop_buf; + char *attrname; + +- dev_dbg(dev, "uevent\n"); +- + if (!psy || !psy->desc) { + dev_dbg(dev, "No power supply yet\n"); + return ret; + } + +- dev_dbg(dev, "POWER_SUPPLY_NAME=%s\n", psy->desc->name); +- + ret = add_uevent_var(env, "POWER_SUPPLY_NAME=%s", psy->desc->name); + if (ret) + return ret; +@@ -369,8 +365,6 @@ int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env) + goto out; + } + +- dev_dbg(dev, "prop %s=%s\n", attrname, prop_buf); +- + ret = add_uevent_var(env, "POWER_SUPPLY_%s=%s", attrname, prop_buf); + kfree(attrname); + if (ret) +-- +2.20.1 + diff --git a/queue-4.14/sched-cpufreq-fix-kobject-memleak.patch b/queue-4.14/sched-cpufreq-fix-kobject-memleak.patch new file mode 100644 index 00000000000..0dce4dde53a --- /dev/null +++ b/queue-4.14/sched-cpufreq-fix-kobject-memleak.patch @@ -0,0 +1,45 @@ +From 420a423cd8885536dab307b1d0c18daf63919905 Mon Sep 17 00:00:00 2001 +From: "Tobin C. Harding" +Date: Tue, 30 Apr 2019 10:11:44 +1000 +Subject: sched/cpufreq: Fix kobject memleak + +[ Upstream commit 9a4f26cc98d81b67ecc23b890c28e2df324e29f3 ] + +Currently the error return path from kobject_init_and_add() is not +followed by a call to kobject_put() - which means we are leaking +the kobject. + +Fix it by adding a call to kobject_put() in the error path of +kobject_init_and_add(). + +Signed-off-by: Tobin C. Harding +Cc: Greg Kroah-Hartman +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Rafael J. Wysocki +Cc: Thomas Gleixner +Cc: Tobin C. Harding +Cc: Vincent Guittot +Cc: Viresh Kumar +Link: http://lkml.kernel.org/r/20190430001144.24890-1-tobin@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/cpufreq_schedutil.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c +index b314c9eaa71d3..f8c45d30ec6d0 100644 +--- a/kernel/sched/cpufreq_schedutil.c ++++ b/kernel/sched/cpufreq_schedutil.c +@@ -600,6 +600,7 @@ out: + return 0; + + fail: ++ kobject_put(&tunables->attr_set.kobj); + policy->governor_data = NULL; + sugov_tunables_free(tunables); + +-- +2.20.1 + diff --git a/queue-4.14/securityfs-fix-use-after-free-on-symlink-traversal.patch b/queue-4.14/securityfs-fix-use-after-free-on-symlink-traversal.patch new file mode 100644 index 00000000000..b3b6f2070bf --- /dev/null +++ b/queue-4.14/securityfs-fix-use-after-free-on-symlink-traversal.patch @@ -0,0 +1,51 @@ +From 9140f5a8702f1481d763d7885b578eafbaf43de8 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 10 Apr 2019 14:03:45 -0400 +Subject: securityfs: fix use-after-free on symlink traversal + +[ Upstream commit 46c874419652bbefdfed17420fd6e88d8a31d9ec ] + +symlink body shouldn't be freed without an RCU delay. Switch securityfs +to ->destroy_inode() and use of call_rcu(); free both the inode and symlink +body in the callback. + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + security/inode.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/security/inode.c b/security/inode.c +index 8dd9ca8848e43..829f15672e01f 100644 +--- a/security/inode.c ++++ b/security/inode.c +@@ -26,17 +26,22 @@ + static struct vfsmount *mount; + static int mount_count; + +-static void securityfs_evict_inode(struct inode *inode) ++static void securityfs_i_callback(struct rcu_head *head) + { +- truncate_inode_pages_final(&inode->i_data); +- clear_inode(inode); ++ struct inode *inode = container_of(head, struct inode, i_rcu); + if (S_ISLNK(inode->i_mode)) + kfree(inode->i_link); ++ free_inode_nonrcu(inode); ++} ++ ++static void securityfs_destroy_inode(struct inode *inode) ++{ ++ call_rcu(&inode->i_rcu, securityfs_i_callback); + } + + static const struct super_operations securityfs_super_operations = { + .statfs = simple_statfs, +- .evict_inode = securityfs_evict_inode, ++ .destroy_inode = securityfs_destroy_inode, + }; + + static int fill_super(struct super_block *sb, void *data, int silent) +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 356fdd1befd..bad08a0cbe9 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -53,3 +53,19 @@ pci-work-around-pericom-pcie-to-pci-bridge-retrain-link-erratum.patch dm-cache-metadata-fix-loading-discard-bitset.patch dm-zoned-fix-zone-report-handling.patch dm-delay-fix-a-crash-when-invalid-device-is-specified.patch +xfrm-policy-fix-out-of-bound-array-accesses-in-__xfr.patch +xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm.patch +vti4-ipip-tunnel-deregistration-fixes.patch +esp4-add-length-check-for-udp-encapsulation.patch +xfrm4-fix-uninitialized-memory-read-in-_decode_sessi.patch +power-supply-cpcap-battery-fix-division-by-zero.patch +securityfs-fix-use-after-free-on-symlink-traversal.patch +apparmorfs-fix-use-after-free-on-symlink-traversal.patch +mac80211-fix-kernel-panic-due-to-use-of-txq-after-fr.patch +kvm-arm-arm64-ensure-vcpu-target-is-unset-on-reset-f.patch +power-supply-sysfs-prevent-endless-uevent-loop-with-.patch +iwlwifi-mvm-check-for-length-correctness-in-iwl_mvm_.patch +sched-cpufreq-fix-kobject-memleak.patch +x86-mm-mem_encrypt-disable-all-instrumentation-for-e.patch +ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-.patch +perf-bench-numa-add-define-for-rusage_thread-if-not-.patch diff --git a/queue-4.14/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-.patch b/queue-4.14/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-.patch new file mode 100644 index 00000000000..7cf1eca263e --- /dev/null +++ b/queue-4.14/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-.patch @@ -0,0 +1,35 @@ +From 5716d09a05568e254901200dc8a05b69655c2e67 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 1 May 2019 22:46:11 -0400 +Subject: ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour + +[ Upstream commit 4e9036042fedaffcd868d7f7aa948756c48c637d ] + +To choose whether to pick the GID from the old (16bit) or new (32bit) +field, we should check if the old gid field is set to 0xffff. Mainline +checks the old *UID* field instead - cut'n'paste from the corresponding +code in ufs_get_inode_uid(). + +Fixes: 252e211e90ce +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/ufs/util.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ufs/util.h b/fs/ufs/util.h +index 1907be6d58085..f3092d513551a 100644 +--- a/fs/ufs/util.h ++++ b/fs/ufs/util.h +@@ -229,7 +229,7 @@ ufs_get_inode_gid(struct super_block *sb, struct ufs_inode *inode) + case UFS_UID_44BSD: + return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid); + case UFS_UID_EFT: +- if (inode->ui_u1.oldids.ui_suid == 0xFFFF) ++ if (inode->ui_u1.oldids.ui_sgid == 0xFFFF) + return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid); + /* Fall through */ + default: +-- +2.20.1 + diff --git a/queue-4.14/vti4-ipip-tunnel-deregistration-fixes.patch b/queue-4.14/vti4-ipip-tunnel-deregistration-fixes.patch new file mode 100644 index 00000000000..f7052672245 --- /dev/null +++ b/queue-4.14/vti4-ipip-tunnel-deregistration-fixes.patch @@ -0,0 +1,48 @@ +From f3fe939de1b99ae433cd590dc9a568d6a47a2805 Mon Sep 17 00:00:00 2001 +From: Jeremy Sowden +Date: Tue, 19 Mar 2019 15:39:20 +0000 +Subject: vti4: ipip tunnel deregistration fixes. + +[ Upstream commit 5483844c3fc18474de29f5d6733003526e0a9f78 ] + +If tunnel registration failed during module initialization, the module +would fail to deregister the IPPROTO_COMP protocol and would attempt to +deregister the tunnel. + +The tunnel was not deregistered during module-exit. + +Fixes: dd9ee3444014e ("vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel") +Signed-off-by: Jeremy Sowden +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_vti.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c +index 306603a7f3514..c07065b7e3b0e 100644 +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -663,9 +663,9 @@ static int __init vti_init(void) + return err; + + rtnl_link_failed: +- xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); +-xfrm_tunnel_failed: + xfrm4_tunnel_deregister(&ipip_handler, AF_INET); ++xfrm_tunnel_failed: ++ xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); + xfrm_proto_comp_failed: + xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH); + xfrm_proto_ah_failed: +@@ -680,6 +680,7 @@ pernet_dev_failed: + static void __exit vti_fini(void) + { + rtnl_link_unregister(&vti_link_ops); ++ xfrm4_tunnel_deregister(&ipip_handler, AF_INET); + xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); + xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH); + xfrm4_protocol_deregister(&vti_esp4_protocol, IPPROTO_ESP); +-- +2.20.1 + diff --git a/queue-4.14/x86-mm-mem_encrypt-disable-all-instrumentation-for-e.patch b/queue-4.14/x86-mm-mem_encrypt-disable-all-instrumentation-for-e.patch new file mode 100644 index 00000000000..975c32ec160 --- /dev/null +++ b/queue-4.14/x86-mm-mem_encrypt-disable-all-instrumentation-for-e.patch @@ -0,0 +1,102 @@ +From 87dc1789832ff284a3ecf0bc7dd50574e9c615fc Mon Sep 17 00:00:00 2001 +From: Gary Hook +Date: Mon, 29 Apr 2019 22:22:58 +0000 +Subject: x86/mm/mem_encrypt: Disable all instrumentation for early SME setup + +[ Upstream commit b51ce3744f115850166f3d6c292b9c8cb849ad4f ] + +Enablement of AMD's Secure Memory Encryption feature is determined very +early after start_kernel() is entered. Part of this procedure involves +scanning the command line for the parameter 'mem_encrypt'. + +To determine intended state, the function sme_enable() uses library +functions cmdline_find_option() and strncmp(). Their use occurs early +enough such that it cannot be assumed that any instrumentation subsystem +is initialized. + +For example, making calls to a KASAN-instrumented function before KASAN +is set up will result in the use of uninitialized memory and a boot +failure. + +When AMD's SME support is enabled, conditionally disable instrumentation +of these dependent functions in lib/string.c and arch/x86/lib/cmdline.c. + + [ bp: Get rid of intermediary nostackp var and cleanup whitespace. ] + +Fixes: aca20d546214 ("x86/mm: Add support to make use of Secure Memory Encryption") +Reported-by: Li RongQing +Signed-off-by: Gary R Hook +Signed-off-by: Borislav Petkov +Cc: Alexander Shishkin +Cc: Andrew Morton +Cc: Andy Shevchenko +Cc: Boris Brezillon +Cc: Coly Li +Cc: "dave.hansen@linux.intel.com" +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Kees Cook +Cc: Kent Overstreet +Cc: "luto@kernel.org" +Cc: Masahiro Yamada +Cc: Matthew Wilcox +Cc: "mingo@redhat.com" +Cc: "peterz@infradead.org" +Cc: Sebastian Andrzej Siewior +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/155657657552.7116.18363762932464011367.stgit@sosrh3.amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/lib/Makefile | 12 ++++++++++++ + lib/Makefile | 11 +++++++++++ + 2 files changed, 23 insertions(+) + +diff --git a/arch/x86/lib/Makefile b/arch/x86/lib/Makefile +index d435c89875c14..60b410ff31e8a 100644 +--- a/arch/x86/lib/Makefile ++++ b/arch/x86/lib/Makefile +@@ -6,6 +6,18 @@ + # Produces uninteresting flaky coverage. + KCOV_INSTRUMENT_delay.o := n + ++# Early boot use of cmdline; don't instrument it ++ifdef CONFIG_AMD_MEM_ENCRYPT ++KCOV_INSTRUMENT_cmdline.o := n ++KASAN_SANITIZE_cmdline.o := n ++ ++ifdef CONFIG_FUNCTION_TRACER ++CFLAGS_REMOVE_cmdline.o = -pg ++endif ++ ++CFLAGS_cmdline.o := $(call cc-option, -fno-stack-protector) ++endif ++ + inat_tables_script = $(srctree)/arch/x86/tools/gen-insn-attr-x86.awk + inat_tables_maps = $(srctree)/arch/x86/lib/x86-opcode-map.txt + quiet_cmd_inat_tables = GEN $@ +diff --git a/lib/Makefile b/lib/Makefile +index b1ac450329033..4ea31c2d982df 100644 +--- a/lib/Makefile ++++ b/lib/Makefile +@@ -17,6 +17,17 @@ KCOV_INSTRUMENT_list_debug.o := n + KCOV_INSTRUMENT_debugobjects.o := n + KCOV_INSTRUMENT_dynamic_debug.o := n + ++# Early boot use of cmdline, don't instrument it ++ifdef CONFIG_AMD_MEM_ENCRYPT ++KASAN_SANITIZE_string.o := n ++ ++ifdef CONFIG_FUNCTION_TRACER ++CFLAGS_REMOVE_string.o = -pg ++endif ++ ++CFLAGS_string.o := $(call cc-option, -fno-stack-protector) ++endif ++ + lib-y := ctype.o string.o vsprintf.o cmdline.o \ + rbtree.o radix-tree.o dump_stack.o timerqueue.o\ + idr.o int_sqrt.o extable.o \ +-- +2.20.1 + diff --git a/queue-4.14/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfr.patch b/queue-4.14/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfr.patch new file mode 100644 index 00000000000..3f3b5d4483e --- /dev/null +++ b/queue-4.14/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfr.patch @@ -0,0 +1,89 @@ +From 6fefeef8f8d19792065f2a3305d017fcf1a8e596 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 28 Feb 2019 15:18:59 +0800 +Subject: xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink + +[ Upstream commit b805d78d300bcf2c83d6df7da0c818b0fee41427 ] + +UBSAN report this: + +UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24 +index 6 is out of range for type 'unsigned int [6]' +CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 + 0000000000000000 1466cf39b41b23c9 ffff8801f6b07a58 ffffffff81cb35f4 + 0000000041b58ab3 ffffffff83230f9c ffffffff81cb34e0 ffff8801f6b07a80 + ffff8801f6b07a20 1466cf39b41b23c9 ffffffff851706e0 ffff8801f6b07ae8 +Call Trace: + [] __dump_stack lib/dump_stack.c:15 [inline] + [] dump_stack+0x114/0x1a0 lib/dump_stack.c:51 + [] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164 + [] __ubsan_handle_out_of_bounds+0x16e/0x1b2 lib/ubsan.c:382 + [] __xfrm_policy_unlink+0x3dd/0x5b0 net/xfrm/xfrm_policy.c:1289 + [] xfrm_policy_delete+0x52/0xb0 net/xfrm/xfrm_policy.c:1309 + [] xfrm_policy_timer+0x30b/0x590 net/xfrm/xfrm_policy.c:243 + [] call_timer_fn+0x237/0x990 kernel/time/timer.c:1144 + [] __run_timers kernel/time/timer.c:1218 [inline] + [] run_timer_softirq+0x6ce/0xb80 kernel/time/timer.c:1401 + [] __do_softirq+0x299/0xe10 kernel/softirq.c:273 + [] invoke_softirq kernel/softirq.c:350 [inline] + [] irq_exit+0x216/0x2c0 kernel/softirq.c:391 + [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] + [] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926 + [] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:735 + [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:52 + [] arch_safe_halt arch/x86/include/asm/paravirt.h:111 [inline] + [] default_idle+0x27/0x430 arch/x86/kernel/process.c:446 + [] arch_cpu_idle+0x15/0x20 arch/x86/kernel/process.c:437 + [] default_idle_call+0x53/0x90 kernel/sched/idle.c:92 + [] cpuidle_idle_call kernel/sched/idle.c:156 [inline] + [] cpu_idle_loop kernel/sched/idle.c:251 [inline] + [] cpu_startup_entry+0x60d/0x9a0 kernel/sched/idle.c:299 + [] start_secondary+0x3c9/0x560 arch/x86/kernel/smpboot.c:245 + +The issue is triggered as this: + +xfrm_add_policy + -->verify_newpolicy_info //check the index provided by user with XFRM_POLICY_MAX + //In my case, the index is 0x6E6BB6, so it pass the check. + -->xfrm_policy_construct //copy the user's policy and set xfrm_policy_timer + -->xfrm_policy_insert + --> __xfrm_policy_link //use the orgin dir, in my case is 2 + --> xfrm_gen_index //generate policy index, there is 0x6E6BB6 + +then xfrm_policy_timer be fired + +xfrm_policy_timer + --> xfrm_policy_id2dir //get dir from (policy index & 7), in my case is 6 + --> xfrm_policy_delete + --> __xfrm_policy_unlink //access policy_count[dir], trigger out of range access + +Add xfrm_policy_id2dir check in verify_newpolicy_info, make sure the computed dir is +valid, to fix the issue. + +Reported-by: Hulk Robot +Fixes: e682adf021be ("xfrm: Try to honor policy index if it's supplied by user") +Signed-off-by: YueHaibing +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 9ff9255d2191b..919b8406028cc 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1381,7 +1381,7 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) + ret = verify_policy_dir(p->dir); + if (ret) + return ret; +- if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir)) ++ if (p->index && (xfrm_policy_id2dir(p->index) != p->dir)) + return -EINVAL; + + return 0; +-- +2.20.1 + diff --git a/queue-4.14/xfrm4-fix-uninitialized-memory-read-in-_decode_sessi.patch b/queue-4.14/xfrm4-fix-uninitialized-memory-read-in-_decode_sessi.patch new file mode 100644 index 00000000000..82ac4d0eba0 --- /dev/null +++ b/queue-4.14/xfrm4-fix-uninitialized-memory-read-in-_decode_sessi.patch @@ -0,0 +1,115 @@ +From 31677dd4885412c2fc82ae54dd57f29c818db01b Mon Sep 17 00:00:00 2001 +From: Steffen Klassert +Date: Tue, 26 Feb 2019 07:04:50 +0100 +Subject: xfrm4: Fix uninitialized memory read in _decode_session4 + +[ Upstream commit 8742dc86d0c7a9628117a989c11f04a9b6b898f3 ] + +We currently don't reload pointers pointing into skb header +after doing pskb_may_pull() in _decode_session4(). So in case +pskb_may_pull() changed the pointers, we read from random +memory. Fix this by putting all the needed infos on the +stack, so that we don't need to access the header pointers +after doing pskb_may_pull(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/xfrm4_policy.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c +index 4b586e7d56370..5952dca98e6b7 100644 +--- a/net/ipv4/xfrm4_policy.c ++++ b/net/ipv4/xfrm4_policy.c +@@ -111,7 +111,8 @@ static void + _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + { + const struct iphdr *iph = ip_hdr(skb); +- u8 *xprth = skb_network_header(skb) + iph->ihl * 4; ++ int ihl = iph->ihl; ++ u8 *xprth = skb_network_header(skb) + ihl * 4; + struct flowi4 *fl4 = &fl->u.ip4; + int oif = 0; + +@@ -122,6 +123,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + fl4->flowi4_mark = skb->mark; + fl4->flowi4_oif = reverse ? skb->skb_iif : oif; + ++ fl4->flowi4_proto = iph->protocol; ++ fl4->daddr = reverse ? iph->saddr : iph->daddr; ++ fl4->saddr = reverse ? iph->daddr : iph->saddr; ++ fl4->flowi4_tos = iph->tos; ++ + if (!ip_is_fragment(iph)) { + switch (iph->protocol) { + case IPPROTO_UDP: +@@ -133,7 +139,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + pskb_may_pull(skb, xprth + 4 - skb->data)) { + __be16 *ports; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + ports = (__be16 *)xprth; + + fl4->fl4_sport = ports[!!reverse]; +@@ -146,7 +152,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + pskb_may_pull(skb, xprth + 2 - skb->data)) { + u8 *icmp; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + icmp = xprth; + + fl4->fl4_icmp_type = icmp[0]; +@@ -159,7 +165,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + pskb_may_pull(skb, xprth + 4 - skb->data)) { + __be32 *ehdr; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + ehdr = (__be32 *)xprth; + + fl4->fl4_ipsec_spi = ehdr[0]; +@@ -171,7 +177,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + pskb_may_pull(skb, xprth + 8 - skb->data)) { + __be32 *ah_hdr; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + ah_hdr = (__be32 *)xprth; + + fl4->fl4_ipsec_spi = ah_hdr[1]; +@@ -183,7 +189,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + pskb_may_pull(skb, xprth + 4 - skb->data)) { + __be16 *ipcomp_hdr; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + ipcomp_hdr = (__be16 *)xprth; + + fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1])); +@@ -196,7 +202,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + __be16 *greflags; + __be32 *gre_hdr; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + greflags = (__be16 *)xprth; + gre_hdr = (__be32 *)xprth; + +@@ -213,10 +219,6 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + break; + } + } +- fl4->flowi4_proto = iph->protocol; +- fl4->daddr = reverse ? iph->saddr : iph->daddr; +- fl4->saddr = reverse ? iph->daddr : iph->saddr; +- fl4->flowi4_tos = iph->tos; + } + + static void xfrm4_update_pmtu(struct dst_entry *dst, struct sock *sk, +-- +2.20.1 + diff --git a/queue-4.14/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm.patch b/queue-4.14/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm.patch new file mode 100644 index 00000000000..1d4d86ed071 --- /dev/null +++ b/queue-4.14/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm.patch @@ -0,0 +1,38 @@ +From 7fb4d1e51dee291f7e93f265511afcef6460b5a1 Mon Sep 17 00:00:00 2001 +From: Su Yanjun +Date: Thu, 14 Mar 2019 14:59:42 +0800 +Subject: xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module + +[ Upstream commit 6ee02a54ef990a71bf542b6f0a4e3321de9d9c66 ] + +When unloading xfrm6_tunnel module, xfrm6_tunnel_fini directly +frees the xfrm6_tunnel_spi_kmem. Maybe someone has gotten the +xfrm6_tunnel_spi, so need to wait it. + +Fixes: 91cc3bb0b04ff("xfrm6_tunnel: RCU conversion") +Signed-off-by: Su Yanjun +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_tunnel.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c +index c28e3eaad7c26..b51368ebd1e67 100644 +--- a/net/ipv6/xfrm6_tunnel.c ++++ b/net/ipv6/xfrm6_tunnel.c +@@ -391,6 +391,10 @@ static void __exit xfrm6_tunnel_fini(void) + xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6); + xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6); + unregister_pernet_subsys(&xfrm6_tunnel_net_ops); ++ /* Someone maybe has gotten the xfrm6_tunnel_spi. ++ * So need to wait it. ++ */ ++ rcu_barrier(); + kmem_cache_destroy(xfrm6_tunnel_spi_kmem); + } + +-- +2.20.1 +