From: Greg Kroah-Hartman
Date: Sun, 5 Dec 2021 14:01:40 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.4.294~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ed141ee32ee48d1c59937b7b21e5da93fa8a2bf8;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
drm-msm-do-hw_init-before-capturing-gpu-state.patch
net-annotate-data-races-on-txq-xmit_lock_owner.patch
net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch
net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch
net-smc-keep-smc_close_final-rc-during-active-close.patch
net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch
rxrpc-fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
---
diff --git a/queue-4.19/drm-msm-do-hw_init-before-capturing-gpu-state.patch b/queue-4.19/drm-msm-do-hw_init-before-capturing-gpu-state.patch
new file mode 100644
index 00000000000..0bec9bccd43
--- /dev/null
+++ b/queue-4.19/drm-msm-do-hw_init-before-capturing-gpu-state.patch
@@ -0,0 +1,35 @@
+From e4840d537c2c6b1189d4de16ee0f4820e069dcea Mon Sep 17 00:00:00 2001
+From: Rob Clark
+Date: Mon, 8 Nov 2021 10:01:22 -0800
+Subject: drm/msm: Do hw_init() before capturing GPU state
+
+From: Rob Clark
+
+commit e4840d537c2c6b1189d4de16ee0f4820e069dcea upstream.
+
+In particular, we need to ensure all the necessary blocks are switched
+to 64b mode (a5xx+) otherwise the high bits of the address of the BO to
+snapshot state into will be ignored, resulting in:
+
+ *** gpu fault: ttbr0=0000000000000000 iova=0000000000012000 dir=READ type=TRANSLATION source=CP (0,0,0,0)
+ platform 506a000.gmu: [drm:a6xx_gmu_set_oob] *ERROR* Timeout waiting for GMU OOB set BOOT_SLUMBER: 0x0
+
+Fixes: 4f776f4511c7 ("drm/msm/gpu: Convert the GPU show function to use the GPU state")
+Signed-off-by: Rob Clark
+Link: https://lore.kernel.org/r/20211108180122.487859-1-robdclark@gmail.com
+Signed-off-by: Rob Clark
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/msm/msm_debugfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/msm/msm_debugfs.c
++++ b/drivers/gpu/drm/msm/msm_debugfs.c
+@@ -83,6 +83,7 @@ static int msm_gpu_open(struct inode *in
+ goto free_priv;
+
+ pm_runtime_get_sync(&gpu->pdev->dev);
++ msm_gpu_hw_init(gpu);
+ show_priv->state = gpu->funcs->gpu_state_get(gpu);
+ pm_runtime_put_sync(&gpu->pdev->dev);
+
diff --git a/queue-4.19/net-annotate-data-races-on-txq-xmit_lock_owner.patch b/queue-4.19/net-annotate-data-races-on-txq-xmit_lock_owner.patch
new file mode 100644
index 00000000000..5a903205277
--- /dev/null
+++ b/queue-4.19/net-annotate-data-races-on-txq-xmit_lock_owner.patch
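Review bot: The return value of the added `msm_gpu_hw_init(gpu)` call is discarded, so when hw_init fails the very next line still calls `gpu->funcs->gpu_state_get(gpu)` on a GPU that is not in the 64b-mode state the commit message says the snapshot needs, i.e. the fault this change is meant to prevent can still occur, just on a different failure. If msm_gpu_hw_init() reports errors through an int return (its signature is not in the hunk), `ret = msm_gpu_hw_init(gpu); if (ret) goto put_pm;` with a label that runs `pm_runtime_put_sync()` and then falls into the existing `free_priv` cleanup would fail the debugfs open cleanly instead. If msm_gpu_hw_init() also asserts that the device lock is held (it does in some versions of this driver), the `goto free_priv` context suggests msm_gpu_open() takes a lock just above, but that is outside the hunk and worth confirming. msm_gpu_open() starts and ends outside the hunk.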
@@ -0,0 +1,193 @@ +From 7a10d8c810cfad3e79372d7d1c77899d86cd6662 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 30 Nov 2021 09:01:55 -0800 +Subject: net: annotate data-races on txq->xmit_lock_owner + +From: Eric Dumazet + +commit 7a10d8c810cfad3e79372d7d1c77899d86cd6662 upstream. + +syzbot found that __dev_queue_xmit() is reading txq->xmit_lock_owner +without annotations. + +No serious issue there, let's document what is happening there. + +BUG: KCSAN: data-race in __dev_queue_xmit / __dev_queue_xmit + +write to 0xffff888139d09484 of 4 bytes by interrupt on cpu 0: + __netif_tx_unlock include/linux/netdevice.h:4437 [inline] + __dev_queue_xmit+0x948/0xf70 net/core/dev.c:4229 + dev_queue_xmit_accel+0x19/0x20 net/core/dev.c:4265 + macvlan_queue_xmit drivers/net/macvlan.c:543 [inline] + macvlan_start_xmit+0x2b3/0x3d0 drivers/net/macvlan.c:567 + __netdev_start_xmit include/linux/netdevice.h:4987 [inline] + netdev_start_xmit include/linux/netdevice.h:5001 [inline] + xmit_one+0x105/0x2f0 net/core/dev.c:3590 + dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3606 + sch_direct_xmit+0x1b2/0x7c0 net/sched/sch_generic.c:342 + __dev_xmit_skb+0x83d/0x1370 net/core/dev.c:3817 + __dev_queue_xmit+0x590/0xf70 net/core/dev.c:4194 + dev_queue_xmit+0x13/0x20 net/core/dev.c:4259 + neigh_hh_output include/net/neighbour.h:511 [inline] + neigh_output include/net/neighbour.h:525 [inline] + ip6_finish_output2+0x995/0xbb0 net/ipv6/ip6_output.c:126 + __ip6_finish_output net/ipv6/ip6_output.c:191 [inline] + ip6_finish_output+0x444/0x4c0 net/ipv6/ip6_output.c:201 + NF_HOOK_COND include/linux/netfilter.h:296 [inline] + ip6_output+0x10e/0x210 net/ipv6/ip6_output.c:224 + dst_output include/net/dst.h:450 [inline] + NF_HOOK include/linux/netfilter.h:307 [inline] + ndisc_send_skb+0x486/0x610 net/ipv6/ndisc.c:508 + ndisc_send_rs+0x3b0/0x3e0 net/ipv6/ndisc.c:702 + addrconf_rs_timer+0x370/0x540 net/ipv6/addrconf.c:3898 + call_timer_fn+0x2e/0x240 kernel/time/timer.c:1421 + expire_timers+0x116/0x240 
kernel/time/timer.c:1466 + __run_timers+0x368/0x410 kernel/time/timer.c:1734 + run_timer_softirq+0x2e/0x60 kernel/time/timer.c:1747 + __do_softirq+0x158/0x2de kernel/softirq.c:558 + __irq_exit_rcu kernel/softirq.c:636 [inline] + irq_exit_rcu+0x37/0x70 kernel/softirq.c:648 + sysvec_apic_timer_interrupt+0x3e/0xb0 arch/x86/kernel/apic/apic.c:1097 + asm_sysvec_apic_timer_interrupt+0x12/0x20 + +read to 0xffff888139d09484 of 4 bytes by interrupt on cpu 1: + __dev_queue_xmit+0x5e3/0xf70 net/core/dev.c:4213 + dev_queue_xmit_accel+0x19/0x20 net/core/dev.c:4265 + macvlan_queue_xmit drivers/net/macvlan.c:543 [inline] + macvlan_start_xmit+0x2b3/0x3d0 drivers/net/macvlan.c:567 + __netdev_start_xmit include/linux/netdevice.h:4987 [inline] + netdev_start_xmit include/linux/netdevice.h:5001 [inline] + xmit_one+0x105/0x2f0 net/core/dev.c:3590 + dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3606 + sch_direct_xmit+0x1b2/0x7c0 net/sched/sch_generic.c:342 + __dev_xmit_skb+0x83d/0x1370 net/core/dev.c:3817 + __dev_queue_xmit+0x590/0xf70 net/core/dev.c:4194 + dev_queue_xmit+0x13/0x20 net/core/dev.c:4259 + neigh_resolve_output+0x3db/0x410 net/core/neighbour.c:1523 + neigh_output include/net/neighbour.h:527 [inline] + ip6_finish_output2+0x9be/0xbb0 net/ipv6/ip6_output.c:126 + __ip6_finish_output net/ipv6/ip6_output.c:191 [inline] + ip6_finish_output+0x444/0x4c0 net/ipv6/ip6_output.c:201 + NF_HOOK_COND include/linux/netfilter.h:296 [inline] + ip6_output+0x10e/0x210 net/ipv6/ip6_output.c:224 + dst_output include/net/dst.h:450 [inline] + NF_HOOK include/linux/netfilter.h:307 [inline] + ndisc_send_skb+0x486/0x610 net/ipv6/ndisc.c:508 + ndisc_send_rs+0x3b0/0x3e0 net/ipv6/ndisc.c:702 + addrconf_rs_timer+0x370/0x540 net/ipv6/addrconf.c:3898 + call_timer_fn+0x2e/0x240 kernel/time/timer.c:1421 + expire_timers+0x116/0x240 kernel/time/timer.c:1466 + __run_timers+0x368/0x410 kernel/time/timer.c:1734 + run_timer_softirq+0x2e/0x60 kernel/time/timer.c:1747 + __do_softirq+0x158/0x2de kernel/softirq.c:558 + 
__irq_exit_rcu kernel/softirq.c:636 [inline] + irq_exit_rcu+0x37/0x70 kernel/softirq.c:648 + sysvec_apic_timer_interrupt+0x8d/0xb0 arch/x86/kernel/apic/apic.c:1097 + asm_sysvec_apic_timer_interrupt+0x12/0x20 + kcsan_setup_watchpoint+0x94/0x420 kernel/kcsan/core.c:443 + folio_test_anon include/linux/page-flags.h:581 [inline] + PageAnon include/linux/page-flags.h:586 [inline] + zap_pte_range+0x5ac/0x10e0 mm/memory.c:1347 + zap_pmd_range mm/memory.c:1467 [inline] + zap_pud_range mm/memory.c:1496 [inline] + zap_p4d_range mm/memory.c:1517 [inline] + unmap_page_range+0x2dc/0x3d0 mm/memory.c:1538 + unmap_single_vma+0x157/0x210 mm/memory.c:1583 + unmap_vmas+0xd0/0x180 mm/memory.c:1615 + exit_mmap+0x23d/0x470 mm/mmap.c:3170 + __mmput+0x27/0x1b0 kernel/fork.c:1113 + mmput+0x3d/0x50 kernel/fork.c:1134 + exit_mm+0xdb/0x170 kernel/exit.c:507 + do_exit+0x608/0x17a0 kernel/exit.c:819 + do_group_exit+0xce/0x180 kernel/exit.c:929 + get_signal+0xfc3/0x1550 kernel/signal.c:2852 + arch_do_signal_or_restart+0x8c/0x2e0 arch/x86/kernel/signal.c:868 + handle_signal_work kernel/entry/common.c:148 [inline] + exit_to_user_mode_loop kernel/entry/common.c:172 [inline] + exit_to_user_mode_prepare+0x113/0x190 kernel/entry/common.c:207 + __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] + syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:300 + do_syscall_64+0x50/0xd0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x00000000 -> 0xffffffff + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 28712 Comm: syz-executor.0 Tainted: G W 5.16.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20211130170155.2331929-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/netdevice.h | 19 
+++++++++++++------ + net/core/dev.c | 5 ++++- + 2 files changed, 17 insertions(+), 7 deletions(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -3840,7 +3840,8 @@ static inline u32 netif_msg_init(int deb + static inline void __netif_tx_lock(struct netdev_queue *txq, int cpu) + { + spin_lock(&txq->_xmit_lock); +- txq->xmit_lock_owner = cpu; ++ /* Pairs with READ_ONCE() in __dev_queue_xmit() */ ++ WRITE_ONCE(txq->xmit_lock_owner, cpu); + } + + static inline bool __netif_tx_acquire(struct netdev_queue *txq) +@@ -3857,26 +3858,32 @@ static inline void __netif_tx_release(st + static inline void __netif_tx_lock_bh(struct netdev_queue *txq) + { + spin_lock_bh(&txq->_xmit_lock); +- txq->xmit_lock_owner = smp_processor_id(); ++ /* Pairs with READ_ONCE() in __dev_queue_xmit() */ ++ WRITE_ONCE(txq->xmit_lock_owner, smp_processor_id()); + } + + static inline bool __netif_tx_trylock(struct netdev_queue *txq) + { + bool ok = spin_trylock(&txq->_xmit_lock); +- if (likely(ok)) +- txq->xmit_lock_owner = smp_processor_id(); ++ ++ if (likely(ok)) { ++ /* Pairs with READ_ONCE() in __dev_queue_xmit() */ ++ WRITE_ONCE(txq->xmit_lock_owner, smp_processor_id()); ++ } + return ok; + } + + static inline void __netif_tx_unlock(struct netdev_queue *txq) + { +- txq->xmit_lock_owner = -1; ++ /* Pairs with READ_ONCE() in __dev_queue_xmit() */ ++ WRITE_ONCE(txq->xmit_lock_owner, -1); + spin_unlock(&txq->_xmit_lock); + } + + static inline void __netif_tx_unlock_bh(struct netdev_queue *txq) + { +- txq->xmit_lock_owner = -1; ++ /* Pairs with READ_ONCE() in __dev_queue_xmit() */ ++ WRITE_ONCE(txq->xmit_lock_owner, -1); + spin_unlock_bh(&txq->_xmit_lock); + } + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3831,7 +3831,10 @@ static int __dev_queue_xmit(struct sk_bu + if (dev->flags & IFF_UP) { + int cpu = smp_processor_id(); /* ok because BHs are off */ + +- if (txq->xmit_lock_owner != cpu) { ++ /* Other cpus might concurrently change txq->xmit_lock_owner ++ * to -1 or to 
their cpu id, but not to our id. ++ */ ++ if (READ_ONCE(txq->xmit_lock_owner) != cpu) { + if (dev_xmit_recursion()) + goto recursion_alert; + diff --git a/queue-4.19/net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch b/queue-4.19/net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch new file mode 100644 index 00000000000..6a2f61e7786 --- /dev/null +++ b/queue-4.19/net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch 
@@ -0,0 +1,59 @@
+From addad7643142f500080417dd7272f49b7a185570 Mon Sep 17 00:00:00 2001
+From: Zhou Qingyang
+Date: Wed, 1 Dec 2021 00:44:38 +0800
+Subject: net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
+
+From: Zhou Qingyang
+
+commit addad7643142f500080417dd7272f49b7a185570 upstream.
+
+In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
+tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
+After that mlx4_en_alloc_resources() is called and there is a dereference
+of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
+a use after free problem on failure of mlx4_en_copy_priv().
+
+Fix this bug by adding a check of mlx4_en_copy_priv()
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_MLX4_EN=m show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Fixes: ec25bc04ed8e ("net/mlx4_en: Add resilience in low memory systems")
+Signed-off-by: Zhou Qingyang
+Reviewed-by: Leon Romanovsky
+Link: https://lore.kernel.org/r/20211130164438.190591-1-zhou1615@umn.edu
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+@@ -2282,9 +2282,14 @@ int mlx4_en_try_alloc_resources(struct m
+ bool carry_xdp_prog)
+ {
+ struct bpf_prog *xdp_prog;
+- int i, t;
++ int i, t, ret;
+
+- mlx4_en_copy_priv(tmp, priv, prof);
++ ret = mlx4_en_copy_priv(tmp, priv, prof);
++ if (ret) {
++ en_warn(priv, "%s: mlx4_en_copy_priv() failed, return\n",
++ __func__);
++ return ret;
++ }
+
+ if (mlx4_en_alloc_resources(tmp)) {
+ en_warn(priv,
diff --git a/queue-4.19/net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch b/queue-4.19/net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch
new file mode 100644
index 00000000000..1fa6ade202a
--- /dev/null
+++ b/queue-4.19/net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch
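Review bot: The new warning `"%s: mlx4_en_copy_priv() failed, return\n"` omits the only useful datum, the error code, and the trailing `, return` tells an operator nothing; `en_warn(priv, "%s: mlx4_en_copy_priv() failed (%d)\n", __func__, ret);` is the message worth printing. Per the commit message mlx4_en_copy_priv() frees the `tmp->tx_ring[]`/`tmp->tx_cq[]` arrays it allocated on its own error path, so `tmp` comes back holding stale pointers; a comment above `return ret;` such as `/* copy_priv has already released tmp's ring/cq arrays; do not free them again */` would keep a future edit from copying the teardown that the alloc_resources failure path just past the hunk performs. mlx4_en_try_alloc_resources() continues outside the hunk.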
@@ -0,0 +1,32 @@
+From 19f36edf14bcdb783aef3af8217df96f76a8ce34 Mon Sep 17 00:00:00 2001
+From: William Kucharski
+Date: Wed, 1 Dec 2021 07:45:22 -0700
+Subject: net/rds: correct socket tunable error in rds_tcp_tune()
+
+From: William Kucharski
+
+commit 19f36edf14bcdb783aef3af8217df96f76a8ce34 upstream.
+
+Correct an error where setting /proc/sys/net/rds/tcp/rds_tcp_rcvbuf would
+instead modify the socket's sk_sndbuf and would leave sk_rcvbuf untouched.
+
+Fixes: c6a58ffed536 ("RDS: TCP: Add sysctl tunables for sndbuf/rcvbuf on rds-tcp socket")
+Signed-off-by: William Kucharski
+Acked-by: Santosh Shilimkar
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -502,7 +502,7 @@ void rds_tcp_tune(struct socket *sock)
+ sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
+ }
+ if (rtn->rcvbuf_size > 0) {
+- sk->sk_sndbuf = rtn->rcvbuf_size;
++ sk->sk_rcvbuf = rtn->rcvbuf_size;
+ sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
+ }
+ release_sock(sk);
diff --git a/queue-4.19/net-smc-keep-smc_close_final-rc-during-active-close.patch b/queue-4.19/net-smc-keep-smc_close_final-rc-during-active-close.patch
new file mode 100644
index 00000000000..5d812346d64
--- /dev/null
+++ b/queue-4.19/net-smc-keep-smc_close_final-rc-during-active-close.patch
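Review bot: The corrected `sk->sk_rcvbuf = rtn->rcvbuf_size;` has a behavioural consequence worth calling out for a stable backport: because the sysctl had never touched the receive buffer before, any deployment that already sets `rds_tcp_rcvbuf` will see its receive window actually change on upgrade, and the value is stored raw under `SOCK_RCVBUF_LOCK`, bypassing the floor the setsockopt(SO_RCVBUF) path applies. If the rds sysctl handler does not already enforce a minimum (not visible here), a clamp on this line such as `sk->sk_rcvbuf = max_t(int, rtn->rcvbuf_size, SOCK_MIN_RCVBUF);` would stop a too-small admin value from stalling rds-tcp, and the sndbuf branch a few lines up has the same exposure. rds_tcp_tune() starts outside the hunk.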
@@ -0,0 +1,53 @@
+From 00e158fb91dfaff3f94746f260d11f1a4853506e Mon Sep 17 00:00:00 2001
+From: Tony Lu
+Date: Wed, 1 Dec 2021 14:42:16 +0800
+Subject: net/smc: Keep smc_close_final rc during active close
+
+From: Tony Lu
+
+commit 00e158fb91dfaff3f94746f260d11f1a4853506e upstream.
+
+When smc_close_final() returns error, the return code overwrites by
+kernel_sock_shutdown() in smc_close_active(). The return code of
+smc_close_final() is more important than kernel_sock_shutdown(), and it
+will pass to userspace directly.
+
+Fix it by keeping both return codes, if smc_close_final() raises an
+error, return it or kernel_sock_shutdown()'s.
+
+Link: https://lore.kernel.org/linux-s390/1f67548e-cbf6-0dce-82b5-10288a4583bd@linux.ibm.com/
+Fixes: 606a63c9783a ("net/smc: Ensure the active closing peer first closes clcsock")
+Suggested-by: Karsten Graul
+Signed-off-by: Tony Lu
+Reviewed-by: Wen Gu
+Acked-by: Karsten Graul
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/smc/smc_close.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -167,6 +167,7 @@ int smc_close_active(struct smc_sock *sm
+ int old_state;
+ long timeout;
+ int rc = 0;
++ int rc1 = 0;
+
+ timeout = current->flags & PF_EXITING ?
+ 0 : sock_flag(sk, SOCK_LINGER) ?
+@@ -206,8 +207,11 @@ again:
+ /* actively shutdown clcsock before peer close it,
+ * prevent peer from entering TIME_WAIT state.
+ */
+- if (smc->clcsock && smc->clcsock->sk)
+- rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
++ if (smc->clcsock && smc->clcsock->sk) {
++ rc1 = kernel_sock_shutdown(smc->clcsock,
++ SHUT_RDWR);
++ rc = rc ? rc : rc1;
++ }
+ } else {
+ /* peer event has changed the state */
+ goto again;
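Review bot: `rc = rc ? rc : rc1;` in the second hunk encodes the precedence rule the commit message explains but says nothing on the line itself; a comment such as `/* an smc_close_final() error is what userspace must see; report the clcsock shutdown error only if there was none */` would make it self-explaining. `rc1` is declared and zeroed at the top of smc_close_active() in the first hunk yet only has meaning inside this one `if` block, so a block-local `int rc1;` or simply `if (!rc) rc = rc1;` would keep its scope and the intent obvious. smc_close_active() starts and ends outside both hunks.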
diff --git a/queue-4.19/net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch b/queue-4.19/net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch
new file mode 100644
index 00000000000..75ba3cb4011
--- /dev/null
+++ b/queue-4.19/net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch
@@ -0,0 +1,33 @@
+From 817b653160db9852d5a0498a31f047e18ce27e5b Mon Sep 17 00:00:00 2001
+From: Sven Schuchmann
+Date: Sat, 27 Nov 2021 11:47:07 +0100
+Subject: net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available
+
+From: Sven Schuchmann
+
+commit 817b653160db9852d5a0498a31f047e18ce27e5b upstream.
+
+On most systems request for IRQ 0 will fail, phylib will print an error message
+and fall back to polling. To fix this set the phydev->irq to PHY_POLL if no IRQ
+is available.
+
+Fixes: cc89c323a30e ("lan78xx: Use irq_domain for phy interrupt from USB Int. EP")
+Reviewed-by: Andrew Lunn
+Signed-off-by: Sven Schuchmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/lan78xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2152,7 +2152,7 @@ static int lan78xx_phy_init(struct lan78
+ if (dev->domain_data.phyirq > 0)
+ phydev->irq = dev->domain_data.phyirq;
+ else
+- phydev->irq = 0;
++ phydev->irq = PHY_POLL;
+ netdev_dbg(dev->net, "phydev->irq = %d\n", phydev->irq);
+
+ /* set to AUTOMDIX */
diff --git a/queue-4.19/rxrpc-fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch b/queue-4.19/rxrpc-fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
new file mode 100644
index 00000000000..4082464ef4b
--- /dev/null
+++ b/queue-4.19/rxrpc-fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
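Review bot: With `phydev->irq = PHY_POLL` the fallback becomes silent: phylib no longer fails on IRQ 0 as the commit message describes, and the only remaining trace that the PHY is polled rather than interrupt-driven is the `netdev_dbg()` on the next line, which is off by default. Since the `> 0` test in the context also routes a negative (error) `phyirq` into this arm — if the irq-domain setup can leave an errno there, which is not visible here — a `netdev_info(dev->net, "no PHY IRQ, falling back to polling\n");` in the `else` branch keeps the degraded mode observable without the old spurious error. lan78xx_phy_init() starts and ends outside the hunk.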
@@ -0,0 +1,69 @@
+From beacff50edbd6c9659a6f15fc7f6126909fade29 Mon Sep 17 00:00:00 2001
+From: Eiichi Tsukata
+Date: Sun, 21 Nov 2021 04:16:08 +0000
+Subject: rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()
+
+From: Eiichi Tsukata
+
+commit beacff50edbd6c9659a6f15fc7f6126909fade29 upstream.
+
+Need to call rxrpc_put_local() for peer candidate before kfree() as it
+holds a ref to rxrpc_local.
+
+[DH: v2: Changed to abstract the peer freeing code out into a function]
+
+Fixes: 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record")
+Signed-off-by: Eiichi Tsukata
+Signed-off-by: David Howells
+Reviewed-by: Marc Dionne
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/all/20211121041608.133740-2-eiichi.tsukata@nutanix.com/ # v1
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/peer_object.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/net/rxrpc/peer_object.c
++++ b/net/rxrpc/peer_object.c
+@@ -299,6 +299,12 @@ static struct rxrpc_peer *rxrpc_create_p
+ return peer;
+ }
+
++static void rxrpc_free_peer(struct rxrpc_peer *peer)
++{
++ rxrpc_put_local(peer->local);
++ kfree_rcu(peer, rcu);
++}
++
+ /*
+ * Set up a new incoming peer.
There shouldn't be any other matching peers
+ * since we've already done a search in the list from the non-reentrant context
+@@ -365,7 +371,7 @@ struct rxrpc_peer *rxrpc_lookup_peer(str
+ spin_unlock_bh(&rxnet->peer_hash_lock);
+
+ if (peer)
+- kfree(candidate);
++ rxrpc_free_peer(candidate);
+ else
+ peer = candidate;
+ }
+@@ -420,8 +426,7 @@ static void __rxrpc_put_peer(struct rxrp
+ list_del_init(&peer->keepalive_link);
+ spin_unlock_bh(&rxnet->peer_hash_lock);
+
+- rxrpc_put_local(peer->local);
+- kfree_rcu(peer, rcu);
++ rxrpc_free_peer(peer);
+ }
+
+ /*
+@@ -457,8 +462,7 @@ void rxrpc_put_peer_locked(struct rxrpc_
+ if (n == 0) {
+ hash_del_rcu(&peer->hash_link);
+ list_del_init(&peer->keepalive_link);
+- rxrpc_put_local(peer->local);
+- kfree_rcu(peer, rcu);
++ rxrpc_free_peer(peer);
+ }
+ }
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 3ac1fadca1b..d9a7146693e 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -27,3 +27,10 @@ natsemi-xtensa-fix-section-mismatch-warnings.patch
 net-qlogic-qlcnic-fix-a-null-pointer-dereference-in-qlcnic_83xx_add_rings.patch
 net-mpls-fix-notifications-when-deleting-a-device.patch
 siphash-use-_unaligned-version-by-default.patch
+net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch
+rxrpc-fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
+net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch
+net-annotate-data-races-on-txq-xmit_lock_owner.patch
+net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch
+net-smc-keep-smc_close_final-rc-during-active-close.patch
+drm-msm-do-hw_init-before-capturing-gpu-state.patch
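Review bot: `rxrpc_free_peer()` in the first hunk is added without a comment, yet its callers rely on different preconditions: `__rxrpc_put_peer()` and `rxrpc_put_peer_locked()` have just unlinked the peer from the hash (`hash_del_rcu()` is visible in the last hunk), so the `kfree_rcu()` is what keeps RCU readers safe, whereas the `rxrpc_lookup_peer()` candidate was never published and the grace period is merely harmless. A header comment along the lines of `/* Drop the peer's ref on its rxrpc_local and free it. The peer must already be unreachable via the hash, or never have been inserted. */` would record that. Whether `rxrpc_put_local()` accepts a NULL `peer->local` — which matters if a candidate can exist with a partially initialised local — is not visible here and worth confirming before reusing the helper from new error paths. rxrpc_lookup_peer() and both put functions start and end outside their hunks.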