From: Sasha Levin
Date: Mon, 12 Apr 2021 03:51:18 +0000 (-0400)
Subject: Fixes for 4.4
X-Git-Tag: v4.19.187~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e74ea1b0eddb8e9e07498c6872fe2684e5c9c564;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.4
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.4/clk-fix-invalid-usage-of-list-cursor-in-unregister.patch b/queue-4.4/clk-fix-invalid-usage-of-list-cursor-in-unregister.patch
new file mode 100644
index 00000000000..a32bb52356c
--- /dev/null
+++ b/queue-4.4/clk-fix-invalid-usage-of-list-cursor-in-unregister.patch
@@ -0,0 +1,107 @@ +From 79b5501b2062061fecf8c61855cc5602c6a68982 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Apr 2021 00:51:49 +0200 +Subject: clk: fix invalid usage of list cursor in unregister + +From: Lukasz Bartosik + +[ Upstream commit 7045465500e465b09f09d6e5bdc260a9f1aab97b ] + +Fix invalid usage of a list_for_each_entry cursor in +clk_notifier_unregister(). When list is empty or if the list +is completely traversed (without breaking from the loop on one +of the entries) then the list cursor does not point to a valid +entry and therefore should not be used. The patch fixes a logical +bug that hasn't been seen in pratice however it is analogus +to the bug fixed in clk_notifier_register(). + +The issue was dicovered when running 5.12-rc1 kernel on x86_64 +with KASAN enabled: +BUG: KASAN: global-out-of-bounds in clk_notifier_register+0xab/0x230 +Read of size 8 at addr ffffffffa0d10588 by task swapper/0/1 + +CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc1 #1 +Hardware name: Google Caroline/Caroline, +BIOS Google_Caroline.7820.430.0 07/20/2018 +Call Trace: + dump_stack+0xee/0x15c + print_address_description+0x1e/0x2dc + kasan_report+0x188/0x1ce + ? clk_notifier_register+0xab/0x230 + ? clk_prepare_lock+0x15/0x7b + ? clk_notifier_register+0xab/0x230 + clk_notifier_register+0xab/0x230 + dw8250_probe+0xc01/0x10d4 + ... 
+ Memory state around the buggy address: + ffffffffa0d10480: 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 + ffffffffa0d10500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 + >ffffffffa0d10580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 + ^ + ffffffffa0d10600: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 + ffffffffa0d10680: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00 + ================================================================== + +Fixes: b2476490ef11 ("clk: introduce the common clock framework") +Reported-by: Lukasz Majczak +Signed-off-by: Lukasz Bartosik +Link: https://lore.kernel.org/r/20210401225149.18826-2-lb@semihalf.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c +index 53c068f90b37..c46fff3a32fe 100644 +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -2870,32 +2870,28 @@ EXPORT_SYMBOL_GPL(clk_notifier_register); + */ + int clk_notifier_unregister(struct clk *clk, struct notifier_block *nb) + { +- struct clk_notifier *cn = NULL; +- int ret = -EINVAL; ++ struct clk_notifier *cn; ++ int ret = -ENOENT; + + if (!clk || !nb) + return -EINVAL; + + clk_prepare_lock(); + +- list_for_each_entry(cn, &clk_notifier_list, node) +- if (cn->clk == clk) +- break; +- +- if (cn->clk == clk) { +- ret = srcu_notifier_chain_unregister(&cn->notifier_head, nb); ++ list_for_each_entry(cn, &clk_notifier_list, node) { ++ if (cn->clk == clk) { ++ ret = srcu_notifier_chain_unregister(&cn->notifier_head, nb); + +- clk->core->notifier_count--; ++ clk->core->notifier_count--; + +- /* XXX the notifier code should handle this better */ +- if (!cn->notifier_head.head) { +- srcu_cleanup_notifier_head(&cn->notifier_head); +- list_del(&cn->node); +- kfree(cn); ++ /* XXX the notifier code should handle this better */ ++ if (!cn->notifier_head.head) { ++ 
srcu_cleanup_notifier_head(&cn->notifier_head);
++ list_del(&cn->node);
++ kfree(cn);
++ }
++ break;
+ }
+-
+- } else {
+- ret = -ENOENT;
+ }
+
+ clk_prepare_unlock();
+--
+2.30.2
+
diff --git a/queue-4.4/gianfar-handle-error-code-at-mac-address-change.patch b/queue-4.4/gianfar-handle-error-code-at-mac-address-change.patch
new file mode 100644
index 00000000000..bdc3f2f6890
--- /dev/null
+++ b/queue-4.4/gianfar-handle-error-code-at-mac-address-change.patch
@@ -0,0 +1,39 @@
+From 5ea125477d875794e6c11558a47611b253698a70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Mar 2021 17:08:47 +0300
+Subject: gianfar: Handle error code at MAC address change
+
+From: Claudiu Manoil
+
+[ Upstream commit bff5b62585123823842833ab20b1c0a7fa437f8c ]
+
+Handle return error code of eth_mac_addr();
+
+Fixes: 3d23a05c75c7 ("gianfar: Enable changing mac addr when if up")
+Signed-off-by: Claudiu Manoil
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/gianfar.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
+index bc00fa5e864f..fb135797688a 100644
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -485,7 +485,11 @@ static struct net_device_stats *gfar_get_stats(struct net_device *dev)
+
+ static int gfar_set_mac_addr(struct net_device *dev, void *p)
+ {
+- eth_mac_addr(dev, p);
++ int ret;
++
++ ret = eth_mac_addr(dev, p);
++ if (ret)
++ return ret;
+
+ gfar_set_mac_for_addr(dev, 0, dev->dev_addr);
+
+--
+2.30.2
+
diff --git a/queue-4.4/net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch b/queue-4.4/net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
new file mode 100644
index 00000000000..7bfe1ca12d3
--- /dev/null
+++ b/queue-4.4/net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
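Review bot: In the new loop body `clk->core->notifier_count--` still runs when `srcu_notifier_chain_unregister()` returns -ENOENT because `nb` was never registered on this clock, so a stray unregister call silently desynchronises the count from the chain; gate it on success, `if (!ret) clk->core->notifier_count--;`, and keep the empty-chain cleanup below as it is. The KASAN splat quoted in the message is for clk_notifier_register(); this hunk fixes the analogous empty-list cursor use in clk_notifier_unregister(), which the message says has not been seen in practice. clk_notifier_unregister() continues past the end of the hunk (the `return ret` is not shown).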
@@ -0,0 +1,44 @@
+From 9da68c1139b5f1fadef6ea6e77a5a4af7effb9ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 28 Mar 2021 00:30:29 -0700
+Subject: net:tipc: Fix a double free in tipc_sk_mcast_rcv
+
+From: Lv Yunlong
+
+[ Upstream commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046 ]
+
+In the if(skb_peek(arrvq) == skb) branch, it calls __skb_dequeue(arrvq) to get
+the skb by skb = skb_peek(arrvq). Then __skb_dequeue() unlinks the skb from arrvq
+and returns the skb which equals to skb_peek(arrvq). After __skb_dequeue(arrvq)
+finished, the skb is freed by kfree_skb(__skb_dequeue(arrvq)) in the first time.
+
+Unfortunately, the same skb is freed in the second time by kfree_skb(skb) after
+the branch completed.
+
+My patch removes kfree_skb() in the if(skb_peek(arrvq) == skb) branch, because
+this skb will be freed by kfree_skb(skb) finally.
+
+Fixes: cb1b728096f54 ("tipc: eliminate race condition at multicast reception")
+Signed-off-by: Lv Yunlong
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/tipc/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 65171f8e8c45..0e5bb03c6425 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -763,7 +763,7 @@ void tipc_sk_mcast_rcv(struct net *net, struct sk_buff_head *arrvq,
+ spin_lock_bh(&inputq->lock);
+ if (skb_peek(arrvq) == skb) {
+ skb_queue_splice_tail_init(&tmpq, inputq);
+- kfree_skb(__skb_dequeue(arrvq));
++ __skb_dequeue(arrvq);
+ }
+ spin_unlock_bh(&inputq->lock);
+ __skb_queue_purge(&tmpq);
+--
+2.30.2
+
diff --git a/queue-4.4/rdma-cxgb4-check-for-ipv6-address-properly-while-des.patch b/queue-4.4/rdma-cxgb4-check-for-ipv6-address-properly-while-des.patch
new file mode 100644
index 00000000000..f8c69462820
--- /dev/null
+++ b/queue-4.4/rdma-cxgb4-check-for-ipv6-address-properly-while-des.patch
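Review bot: The bare `__skb_dequeue(arrvq);` on the new side discards the returned buffer, which reads like a leak to anyone who has not seen this commit message; a one-line comment would save the next reader a trip through the history: `/* skb == skb_peek(arrvq): only unlink here, kfree_skb(skb) below frees it */`. The branch is entered only when `skb_peek(arrvq) == skb`, so the dequeued buffer is the same `skb` the caller frees after the branch (per the commit message; that `kfree_skb(skb)` is outside the hunk), and the former double kfree_skb() was memory corruption reachable from the multicast receive path, so the single free is the right end state. tipc_sk_mcast_rcv() starts and ends outside the hunk.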
@@ -0,0 +1,39 @@
+From 7303abe03bf44626465292d01afa599db776bfba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Mar 2021 19:27:15 +0530
+Subject: RDMA/cxgb4: check for ipv6 address properly while destroying listener
+
+From: Potnuri Bharat Teja
+
+[ Upstream commit 603c4690b01aaffe3a6c3605a429f6dac39852ae ]
+
+ipv6 bit is wrongly set by the below which causes fatal adapter lookup
+engine errors for ipv4 connections while destroying a listener. Fix it to
+properly check the local address for ipv6.
+
+Fixes: 3408be145a5d ("RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server")
+Link: https://lore.kernel.org/r/20210331135715.30072-1-bharat@chelsio.com
+Signed-off-by: Potnuri Bharat Teja
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index 8d75161854ee..f422a8a2528b 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -3447,7 +3447,8 @@ int c4iw_destroy_listen(struct iw_cm_id *cm_id)
+ c4iw_init_wr_wait(&ep->com.wr_wait);
+ err = cxgb4_remove_server(
+ ep->com.dev->rdev.lldi.ports[0], ep->stid,
+- ep->com.dev->rdev.lldi.rxq_ids[0], true);
++ ep->com.dev->rdev.lldi.rxq_ids[0],
++ ep->com.local_addr.ss_family == AF_INET6);
+ if (err)
+ goto done;
+ err = c4iw_wait_for_reply(&ep->com.dev->rdev, &ep->com.wr_wait,
+--
+2.30.2
+
diff --git a/queue-4.4/s390-cpcmd-fix-inline-assembly-register-clobbering.patch b/queue-4.4/s390-cpcmd-fix-inline-assembly-register-clobbering.patch
new file mode 100644
index 00000000000..39eda31a9bc
--- /dev/null
+++ b/queue-4.4/s390-cpcmd-fix-inline-assembly-register-clobbering.patch
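Review bot: The new `ep->com.local_addr.ss_family == AF_INET6` argument must be the same predicate the listener was added with, otherwise the remove targets the wrong LE table just as the hard-coded `true` did; c4iw_create_listen() is outside this hunk, so please confirm that in the 4.4 tree it keys off `local_addr` and not a mapped or translated address. As a readability point, a named local, `bool ipv6 = ep->com.local_addr.ss_family == AF_INET6;`, passed to `cxgb4_remove_server()` would make the intent visible at the call site instead of burying it in the argument list. c4iw_destroy_listen() begins and ends outside the hunk.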
@@ -0,0 +1,46 @@
+From 41728420e02b9b843269721fdbe35abd71e5548d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Mar 2021 18:35:07 +0200
+Subject: s390/cpcmd: fix inline assembly register clobbering
+
+From: Alexander Gordeev
+
+[ Upstream commit 7a2f91441b2c1d81b77c1cd816a4659f4abc9cbe ]
+
+Register variables initialized using arithmetic. That leads to
+kasan instrumentaton code corrupting the registers contents.
+Follow GCC guidlines and use temporary variables for assigning
+init values to register variables.
+
+Fixes: 94c12cc7d196 ("[S390] Inline assembly cleanup.")
+Signed-off-by: Alexander Gordeev
+Acked-by: Ilya Leoshkevich
+Link: https://gcc.gnu.org/onlinedocs/gcc-10.2.0/gcc/Local-Register-Variables.html
+Signed-off-by: Heiko Carstens
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kernel/cpcmd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/kernel/cpcmd.c b/arch/s390/kernel/cpcmd.c
+index 7f768914fb4f..c15546c6fb66 100644
+--- a/arch/s390/kernel/cpcmd.c
++++ b/arch/s390/kernel/cpcmd.c
+@@ -37,10 +37,12 @@ static int diag8_noresponse(int cmdlen)
+
+ static int diag8_response(int cmdlen, char *response, int *rlen)
+ {
++ unsigned long _cmdlen = cmdlen | 0x40000000L;
++ unsigned long _rlen = *rlen;
+ register unsigned long reg2 asm ("2") = (addr_t) cpcmd_buf;
+ register unsigned long reg3 asm ("3") = (addr_t) response;
+- register unsigned long reg4 asm ("4") = cmdlen | 0x40000000L;
+- register unsigned long reg5 asm ("5") = *rlen;
++ register unsigned long reg4 asm ("4") = _cmdlen;
++ register unsigned long reg5 asm ("5") = _rlen;
+
+ asm volatile(
+ " sam31\n"
+--
+2.30.2
+
diff --git a/queue-4.4/sch_red-fix-off-by-one-checks-in-red_check_params.patch b/queue-4.4/sch_red-fix-off-by-one-checks-in-red_check_params.patch
new file mode 100644
index 00000000000..d603319d85f
--- /dev/null
+++ b/queue-4.4/sch_red-fix-off-by-one-checks-in-red_check_params.patch
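Review bot: The two new temporaries carry no comment saying why they exist, so a later cleanup could fold them back into the `register` initialisers and silently reintroduce the clobber; add above `_cmdlen`: `/* Evaluate initialisers in ordinary locals first: an expression in a local register variable's initialiser may be instrumented (e.g. by KASAN) and clobber the fixed register; see GCC "Local Register Variables". */`. The `(addr_t)` casts left on `reg2`/`reg3` are plain conversions rather than arithmetic, which is presumably why they were left untouched. diag8_response() continues past the hunk, and diag8_noresponse(), named only in the hunk header, is not shown, so whether it has the same pattern cannot be judged from here.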
@@ -0,0 +1,73 @@
+From af2a29d26ce154b29a59cafab60f6830b4ff0944 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Mar 2021 11:14:53 -0700
+Subject: sch_red: fix off-by-one checks in red_check_params()
+
+From: Eric Dumazet
+
+[ Upstream commit 3a87571f0ffc51ba3bf3ecdb6032861d0154b164 ]
+
+This fixes following syzbot report:
+
+UBSAN: shift-out-of-bounds in ./include/net/red.h:237:23
+shift exponent 32 is too large for 32-bit type 'unsigned int'
+CPU: 1 PID: 8418 Comm: syz-executor170 Not tainted 5.12.0-rc4-next-20210324-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
+ red_set_parms include/net/red.h:237 [inline]
+ choke_change.cold+0x3c/0xc8 net/sched/sch_choke.c:414
+ qdisc_create+0x475/0x12f0 net/sched/sch_api.c:1247
+ tc_modify_qdisc+0x4c8/0x1a50 net/sched/sch_api.c:1663
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x43f039
+Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffdfa725168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f039
+RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000004
+RBP: 0000000000403020 R08: 0000000000400488 R09: 0000000000400488
+R10: 0000000000400488 R11: 0000000000000246 R12: 00000000004030b0
+R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
+
+Fixes: 8afa10cbe281 ("net_sched: red: Avoid illegal values")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/red.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/red.h b/include/net/red.h
+index b3ab5c6bfa83..117a3654d319 100644
+--- a/include/net/red.h
++++ b/include/net/red.h
+@@ -170,9 +170,9 @@ static inline void red_set_vars(struct red_vars *v)
+ static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog,
+ u8 Scell_log, u8 *stab)
+ {
+- if (fls(qth_min) + Wlog > 32)
++ if (fls(qth_min) + Wlog >= 32)
+ return false;
+- if (fls(qth_max) + Wlog > 32)
++ if (fls(qth_max) + Wlog >= 32)
+ return false;
+ if (Scell_log >= 32)
+ return false;
+--
+2.30.2
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 426c9c1732a..ebfcf40bfd8 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -11,3 +11,10 @@ fs-direct-io-fix-missing-sdio-boundary.patch
 parisc-parisc-agp-requires-sba-iommu-driver.patch
 batman-adv-initialize-struct-batadv_tvlv_tt_vlan_data-reserved-field.patch
 net-sched-sch_teql-fix-null-pointer-dereference.patch
+sch_red-fix-off-by-one-checks-in-red_check_params.patch
+gianfar-handle-error-code-at-mac-address-change.patch
+net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
+clk-fix-invalid-usage-of-list-cursor-in-unregister.patch
+workqueue-move-the-position-of-debug_work_activate-i.patch
+s390-cpcmd-fix-inline-assembly-register-clobbering.patch
+rdma-cxgb4-check-for-ipv6-address-properly-while-des.patch
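Review bot: The tightened bound has no comment tying it to the shift it protects, so the next reader will take `>= 32` for an off-by-one in the other direction; add before the first check: `/* red_set_parms() does qth << Wlog in a u32; Wlog == 32 with qth == 0 slipped past '> 32' because fls(0) == 0 */`. The new test is deliberately conservative: it also rejects e.g. qth == 1 with Wlog == 31, whose shifted value would still fit in 32 bits, which is fine for a parameter sanity check fed from netlink but worth stating so nobody "fixes" it back. red_check_params() continues past the end of the hunk.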
diff --git a/queue-4.4/workqueue-move-the-position-of-debug_work_activate-i.patch b/queue-4.4/workqueue-move-the-position-of-debug_work_activate-i.patch
new file mode 100644
index 00000000000..115fecdca9a
--- /dev/null
+++ b/queue-4.4/workqueue-move-the-position-of-debug_work_activate-i.patch
@@ -0,0 +1,46 @@
+From bffc26734265faf35f2fc20c4005e43c5c3f8a01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Feb 2021 11:16:49 +0800
+Subject: workqueue: Move the position of debug_work_activate() in
+ __queue_work()
+
+From: Zqiang
+
+[ Upstream commit 0687c66b5f666b5ad433f4e94251590d9bc9d10e ]
+
+The debug_work_activate() is called on the premise that
+the work can be inserted, because if wq be in WQ_DRAINING
+status, insert work may be failed.
+
+Fixes: e41e704bc4f4 ("workqueue: improve destroy_workqueue() debuggability")
+Signed-off-by: Zqiang
+Reviewed-by: Lai Jiangshan
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+---
+ kernel/workqueue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 6b293804cd73..a2de597604e6 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -1351,7 +1351,6 @@ static void __queue_work(int cpu, struct workqueue_struct *wq,
+ */
+ WARN_ON_ONCE(!irqs_disabled());
+
+- debug_work_activate(work);
+
+ /* if draining, only works from the same workqueue are allowed */
+ if (unlikely(wq->flags & __WQ_DRAINING) &&
+@@ -1430,6 +1429,7 @@ retry:
+ worklist = &pwq->delayed_works;
+ }
+
++ debug_work_activate(work);
+ insert_work(pwq, work, worklist, work_flags);
+
+ spin_unlock(&pwq->pool->lock);
+--
+2.30.2
+
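Review bot: Dropping `debug_work_activate(work);` from the first hunk leaves two consecutive blank lines after `WARN_ON_ONCE(!irqs_disabled());`; the blank line that followed the removed call should go with it, since checkpatch flags double blank lines and it will otherwise be cleaned up in a separate patch. The new placement directly before `insert_work()` is the right one: the `__WQ_DRAINING` check that starts at the bottom of the first hunk bails out before insertion (per the commit message; its `return` is not shown), which previously left the debugobject marked active for a work that was never queued. __queue_work() starts before the first hunk and ends after the second, and the `retry:` path between the hunks is not shown, so whether any other early exit sits between the old and new call sites cannot be confirmed from here.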