From 09a6bec0468e1535e005b7d52453128ad265d46a Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 3 Oct 2021 23:18:13 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...s-in-sk_peer_pid-and-sk_peer_cred-ac.patch | 190 ++++++++++++++++++ ...-fix-buffer-overrun-in-e100_get_regs.patch | 107 ++++++++++ ...gth-calculation-in-e100_get_regs_len.patch | 50 +++++ ...-return-non-zero-value-when-fan-curr.patch | 128 ++++++++++++ ...421-fix-rounding-for-negative-values.patch | 74 +++++++ ...1-replace-s_-perms-with-octal-values.patch | 43 ++++ ...mp421-report-pvld-condition-as-fault.patch | 54 +++++ ...ip_vs_conn_tab_bits-is-between-8-and.patch | 46 +++++ ...e80211_amsdu_aggregate-frag_tail-bug.patch | 52 +++++ ...njected-vht-mcs-nss-in-ieee80211_par.patch | 84 ++++++++ ...bfq-honor-already-setup-queue-merges.patch | 68 +++++++ ...csiostor-add-module-softdep-on-cxgb4.patch | 44 ++++ ...f-skb_header_pointer-returns-null-in.patch | 55 +++++ queue-4.19/series | 13 ++ 14 files changed, 1008 insertions(+) create mode 100644 queue-4.19/af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch create mode 100644 queue-4.19/e100-fix-buffer-overrun-in-e100_get_regs.patch create mode 100644 queue-4.19/e100-fix-length-calculation-in-e100_get_regs_len.patch create mode 100644 queue-4.19/hwmon-mlxreg-fan-return-non-zero-value-when-fan-curr.patch create mode 100644 queue-4.19/hwmon-tmp421-fix-rounding-for-negative-values.patch create mode 100644 queue-4.19/hwmon-tmp421-replace-s_-perms-with-octal-values.patch create mode 100644 queue-4.19/hwmon-tmp421-report-pvld-condition-as-fault.patch create mode 100644 queue-4.19/ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch create mode 100644 queue-4.19/mac80211-fix-ieee80211_amsdu_aggregate-frag_tail-bug.patch create mode 100644 queue-4.19/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch create mode 100644 queue-4.19/revert-block-bfq-honor-already-setup-queue-merges.patch create mode 100644 queue-4.19/scsi-csiostor-add-module-softdep-on-cxgb4.patch create mode 100644 queue-4.19/sctp-break-out-if-skb_header_pointer-returns-null-in.patch diff --git a/queue-4.19/af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch b/queue-4.19/af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch new file mode 100644 index 00000000000..bd6695fb227 --- /dev/null +++ b/queue-4.19/af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch @@ -0,0 +1,190 @@ +From 13e2fe27dbf1e5779f78993ae089b03d4b205dbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 15:57:50 -0700 +Subject: af_unix: fix races in sk_peer_pid and sk_peer_cred accesses + +From: Eric Dumazet + +[ Upstream commit 35306eb23814444bd4021f8a1c3047d3cb0c8b2b ] + +Jann Horn reported that SO_PEERCRED and SO_PEERGROUPS implementations +are racy, as af_unix can concurrently change sk_peer_pid and sk_peer_cred. + +In order to fix this issue, this patch adds a new spinlock that needs +to be used whenever these fields are read or written. + +Jann also pointed out that l2cap_sock_get_peer_pid_cb() is currently +reading sk->sk_peer_pid which makes no sense, as this field +is only possibly set by AF_UNIX sockets. +We will have to clean this in a separate patch. +This could be done by reverting b48596d1dc25 "Bluetooth: L2CAP: Add get_peer_pid callback" +or implementing what was truly expected. + +Fixes: 109f6e39fa07 ("af_unix: Allow SO_PEERCRED to work across namespaces.") +Signed-off-by: Eric Dumazet +Reported-by: Jann Horn +Cc: Eric W. Biederman +Cc: Luiz Augusto von Dentz +Cc: Marcel Holtmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 2 ++ + net/core/sock.c | 32 ++++++++++++++++++++++++++------ + net/unix/af_unix.c | 34 ++++++++++++++++++++++++++++------ + 3 files changed, 56 insertions(+), 12 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 351749c694ce..75677050c82e 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -471,8 +471,10 @@ struct sock { + u32 sk_ack_backlog; + u32 sk_max_ack_backlog; + kuid_t sk_uid; ++ spinlock_t sk_peer_lock; + struct pid *sk_peer_pid; + const struct cred *sk_peer_cred; ++ + long sk_rcvtimeo; + ktime_t sk_stamp; + #if BITS_PER_LONG==32 +diff --git a/net/core/sock.c b/net/core/sock.c +index 956af38aa0d6..41a77027a549 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1057,6 +1057,16 @@ int sock_setsockopt(struct socket *sock, int level, int optname, + } + EXPORT_SYMBOL(sock_setsockopt); + ++static const struct cred *sk_get_peer_cred(struct sock *sk) ++{ ++ const struct cred *cred; ++ ++ spin_lock(&sk->sk_peer_lock); ++ cred = get_cred(sk->sk_peer_cred); ++ spin_unlock(&sk->sk_peer_lock); ++ ++ return cred; ++} + + static void cred_to_ucred(struct pid *pid, const struct cred *cred, + struct ucred *ucred) +@@ -1231,7 +1241,11 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + struct ucred peercred; + if (len > sizeof(peercred)) + len = sizeof(peercred); ++ ++ spin_lock(&sk->sk_peer_lock); + cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred); ++ spin_unlock(&sk->sk_peer_lock); ++ + if (copy_to_user(optval, &peercred, len)) + return -EFAULT; + goto lenout; +@@ -1239,20 +1253,23 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + + case SO_PEERGROUPS: + { ++ const struct cred *cred; + int ret, n; + +- if (!sk->sk_peer_cred) ++ cred = sk_get_peer_cred(sk); ++ if (!cred) + return -ENODATA; + +- n = sk->sk_peer_cred->group_info->ngroups; ++ n = cred->group_info->ngroups; + if (len < n * sizeof(gid_t)) { + len = n * sizeof(gid_t); ++ put_cred(cred); + return put_user(len, optlen) ? -EFAULT : -ERANGE; + } + len = n * sizeof(gid_t); + +- ret = groups_to_user((gid_t __user *)optval, +- sk->sk_peer_cred->group_info); ++ ret = groups_to_user((gid_t __user *)optval, cred->group_info); ++ put_cred(cred); + if (ret) + return ret; + goto lenout; +@@ -1576,9 +1593,10 @@ static void __sk_destruct(struct rcu_head *head) + sk->sk_frag.page = NULL; + } + +- if (sk->sk_peer_cred) +- put_cred(sk->sk_peer_cred); ++ /* We do not need to acquire sk->sk_peer_lock, we are the last user. */ ++ put_cred(sk->sk_peer_cred); + put_pid(sk->sk_peer_pid); ++ + if (likely(sk->sk_net_refcnt)) + put_net(sock_net(sk)); + sk_prot_free(sk->sk_prot_creator, sk); +@@ -2826,6 +2844,8 @@ void sock_init_data(struct socket *sock, struct sock *sk) + + sk->sk_peer_pid = NULL; + sk->sk_peer_cred = NULL; ++ spin_lock_init(&sk->sk_peer_lock); ++ + sk->sk_write_pending = 0; + sk->sk_rcvlowat = 1; + sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT; +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index c293a558b0d4..82279dbd2f62 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -600,20 +600,42 @@ static void unix_release_sock(struct sock *sk, int embrion) + + static void init_peercred(struct sock *sk) + { +- put_pid(sk->sk_peer_pid); +- if (sk->sk_peer_cred) +- put_cred(sk->sk_peer_cred); ++ const struct cred *old_cred; ++ struct pid *old_pid; ++ ++ spin_lock(&sk->sk_peer_lock); ++ old_pid = sk->sk_peer_pid; ++ old_cred = sk->sk_peer_cred; + sk->sk_peer_pid = get_pid(task_tgid(current)); + sk->sk_peer_cred = get_current_cred(); ++ spin_unlock(&sk->sk_peer_lock); ++ ++ put_pid(old_pid); ++ put_cred(old_cred); + } + + static void copy_peercred(struct sock *sk, struct sock *peersk) + { +- put_pid(sk->sk_peer_pid); +- if (sk->sk_peer_cred) +- put_cred(sk->sk_peer_cred); ++ const struct cred *old_cred; ++ struct pid *old_pid; ++ ++ if (sk < peersk) { ++ spin_lock(&sk->sk_peer_lock); ++ spin_lock_nested(&peersk->sk_peer_lock, SINGLE_DEPTH_NESTING); ++ } else { ++ spin_lock(&peersk->sk_peer_lock); ++ spin_lock_nested(&sk->sk_peer_lock, SINGLE_DEPTH_NESTING); ++ } ++ old_pid = sk->sk_peer_pid; ++ old_cred = sk->sk_peer_cred; + sk->sk_peer_pid = get_pid(peersk->sk_peer_pid); + sk->sk_peer_cred = get_cred(peersk->sk_peer_cred); ++ ++ spin_unlock(&sk->sk_peer_lock); ++ spin_unlock(&peersk->sk_peer_lock); ++ ++ put_pid(old_pid); ++ put_cred(old_cred); + } + + static int unix_listen(struct socket *sock, int backlog) +-- +2.33.0 + diff --git a/queue-4.19/e100-fix-buffer-overrun-in-e100_get_regs.patch b/queue-4.19/e100-fix-buffer-overrun-in-e100_get_regs.patch new file mode 100644 index 00000000000..68483a6d661 --- /dev/null +++ b/queue-4.19/e100-fix-buffer-overrun-in-e100_get_regs.patch @@ -0,0 +1,107 @@ +From a4dee8d723fda2182d3eaa6a4d549e57dd48943c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 10:52:37 -0700 +Subject: e100: fix buffer overrun in e100_get_regs + +From: Jacob Keller + +[ Upstream commit 51032e6f17ce990d06123ad7307f258c50d25aa7 ] + +The e100_get_regs function is used to implement a simple register dump +for the e100 device. The data is broken into a couple of MAC control +registers, and then a series of PHY registers, followed by a memory dump +buffer. + +The total length of the register dump is defined as (1 + E100_PHY_REGS) +* sizeof(u32) + sizeof(nic->mem->dump_buf). + +The logic for filling in the PHY registers uses a convoluted inverted +count for loop which counts from E100_PHY_REGS (0x1C) down to 0, and +assigns the slots 1 + E100_PHY_REGS - i. The first loop iteration will +fill in [1] and the final loop iteration will fill in [1 + 0x1C]. This +is actually one more than the supposed number of PHY registers. + +The memory dump buffer is then filled into the space at +[2 + E100_PHY_REGS] which will cause that memcpy to assign 4 bytes past +the total size. + +The end result is that we overrun the total buffer size allocated by the +kernel, which could lead to a panic or other issues due to memory +corruption. + +It is difficult to determine the actual total number of registers +here. The only 8255x datasheet I could find indicates there are 28 total +MDI registers. However, we're reading 29 here, and reading them in +reverse! + +In addition, the ethtool e100 register dump interface appears to read +the first PHY register to determine if the device is in MDI or MDIx +mode. This doesn't appear to be documented anywhere within the 8255x +datasheet. I can only assume it must be in register 28 (the extra +register we're reading here). + +Lets not change any of the intended meaning of what we copy here. Just +extend the space by 4 bytes to account for the extra register and +continue copying the data out in the same order. + +Change the E100_PHY_REGS value to be the correct total (29) so that the +total register dump size is calculated properly. Fix the offset for +where we copy the dump buffer so that it doesn't overrun the total size. + +Re-write the for loop to use counting up instead of the convoluted +down-counting. Correct the mdio_read offset to use the 0-based register +offsets, but maintain the bizarre reverse ordering so that we have the +ABI expected by applications like ethtool. This requires and additional +subtraction of 1. It seems a bit odd but it makes the flow of assignment +into the register buffer easier to follow. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Felicitas Hetzelt +Signed-off-by: Jacob Keller +Tested-by: Jacob Keller +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index 4d27eaf05641..ba5b515c86e2 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -2433,7 +2433,7 @@ static void e100_get_drvinfo(struct net_device *netdev, + sizeof(info->bus_info)); + } + +-#define E100_PHY_REGS 0x1C ++#define E100_PHY_REGS 0x1D + static int e100_get_regs_len(struct net_device *netdev) + { + struct nic *nic = netdev_priv(netdev); +@@ -2455,14 +2455,18 @@ static void e100_get_regs(struct net_device *netdev, + buff[0] = ioread8(&nic->csr->scb.cmd_hi) << 24 | + ioread8(&nic->csr->scb.cmd_lo) << 16 | + ioread16(&nic->csr->scb.status); +- for (i = E100_PHY_REGS; i >= 0; i--) +- buff[1 + E100_PHY_REGS - i] = +- mdio_read(netdev, nic->mii.phy_id, i); ++ for (i = 0; i < E100_PHY_REGS; i++) ++ /* Note that we read the registers in reverse order. This ++ * ordering is the ABI apparently used by ethtool and other ++ * applications. ++ */ ++ buff[1 + i] = mdio_read(netdev, nic->mii.phy_id, ++ E100_PHY_REGS - 1 - i); + memset(nic->mem->dump_buf, 0, sizeof(nic->mem->dump_buf)); + e100_exec_cb(nic, NULL, e100_dump); + msleep(10); +- memcpy(&buff[2 + E100_PHY_REGS], nic->mem->dump_buf, +- sizeof(nic->mem->dump_buf)); ++ memcpy(&buff[1 + E100_PHY_REGS], nic->mem->dump_buf, ++ sizeof(nic->mem->dump_buf)); + } + + static void e100_get_wol(struct net_device *netdev, struct ethtool_wolinfo *wol) +-- +2.33.0 + diff --git a/queue-4.19/e100-fix-length-calculation-in-e100_get_regs_len.patch b/queue-4.19/e100-fix-length-calculation-in-e100_get_regs_len.patch new file mode 100644 index 00000000000..38d196049a0 --- /dev/null +++ b/queue-4.19/e100-fix-length-calculation-in-e100_get_regs_len.patch @@ -0,0 +1,50 @@ +From 406e8ef601dff174589af132b940e924a2cf8528 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 10:52:36 -0700 +Subject: e100: fix length calculation in e100_get_regs_len + +From: Jacob Keller + +[ Upstream commit 4329c8dc110b25d5f04ed20c6821bb60deff279f ] + +commit abf9b902059f ("e100: cleanup unneeded math") tried to simplify +e100_get_regs_len and remove a double 'divide and then multiply' +calculation that the e100_reg_regs_len function did. + +This change broke the size calculation entirely as it failed to account +for the fact that the numbered registers are actually 4 bytes wide and +not 1 byte. This resulted in a significant under allocation of the +register buffer used by e100_get_regs. + +Fix this by properly multiplying the register count by u32 first before +adding the size of the dump buffer. + +Fixes: abf9b902059f ("e100: cleanup unneeded math") +Reported-by: Felicitas Hetzelt +Signed-off-by: Jacob Keller +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index bf64fab38385..4d27eaf05641 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -2437,7 +2437,11 @@ static void e100_get_drvinfo(struct net_device *netdev, + static int e100_get_regs_len(struct net_device *netdev) + { + struct nic *nic = netdev_priv(netdev); +- return 1 + E100_PHY_REGS + sizeof(nic->mem->dump_buf); ++ ++ /* We know the number of registers, and the size of the dump buffer. ++ * Calculate the total size in bytes. ++ */ ++ return (1 + E100_PHY_REGS) * sizeof(u32) + sizeof(nic->mem->dump_buf); + } + + static void e100_get_regs(struct net_device *netdev, +-- +2.33.0 + diff --git a/queue-4.19/hwmon-mlxreg-fan-return-non-zero-value-when-fan-curr.patch b/queue-4.19/hwmon-mlxreg-fan-return-non-zero-value-when-fan-curr.patch new file mode 100644 index 00000000000..4aff22b3412 --- /dev/null +++ b/queue-4.19/hwmon-mlxreg-fan-return-non-zero-value-when-fan-curr.patch @@ -0,0 +1,128 @@ +From 03d3b8302b2b65f2347f2f8e73804e76758090d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 21:31:51 +0300 +Subject: hwmon: (mlxreg-fan) Return non-zero value when fan current state is + enforced from sysfs + +From: Vadim Pasternak + +[ Upstream commit e6fab7af6ba1bc77c78713a83876f60ca7a4a064 ] + +Fan speed minimum can be enforced from sysfs. For example, setting +current fan speed to 20 is used to enforce fan speed to be at 100% +speed, 19 - to be not below 90% speed, etcetera. This feature provides +ability to limit fan speed according to some system wise +considerations, like absence of some replaceable units or high system +ambient temperature. + +Request for changing fan minimum speed is configuration request and can +be set only through 'sysfs' write procedure. In this situation value of +argument 'state' is above nominal fan speed maximum. + +Return non-zero code in this case to avoid +thermal_cooling_device_stats_update() call, because in this case +statistics update violates thermal statistics table range. +The issues is observed in case kernel is configured with option +CONFIG_THERMAL_STATISTICS. + +Here is the trace from KASAN: +[ 159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0 +[ 159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444 +[ 159.545625] Call Trace: +[ 159.548366] dump_stack+0x92/0xc1 +[ 159.552084] ? thermal_cooling_device_stats_update+0x7d/0xb0 +[ 159.635869] thermal_zone_device_update+0x345/0x780 +[ 159.688711] thermal_zone_device_set_mode+0x7d/0xc0 +[ 159.694174] mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core] +[ 159.700972] ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core] +[ 159.731827] mlxsw_thermal_init+0x763/0x880 [mlxsw_core] +[ 160.070233] RIP: 0033:0x7fd995909970 +[ 160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff .. +[ 160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970 +[ 160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001 +[ 160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700 +[ 160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013 +[ 160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013 +[ 160.143671] +[ 160.145338] Allocated by task 2924: +[ 160.149242] kasan_save_stack+0x19/0x40 +[ 160.153541] __kasan_kmalloc+0x7f/0xa0 +[ 160.157743] __kmalloc+0x1a2/0x2b0 +[ 160.161552] thermal_cooling_device_setup_sysfs+0xf9/0x1a0 +[ 160.167687] __thermal_cooling_device_register+0x1b5/0x500 +[ 160.173833] devm_thermal_of_cooling_device_register+0x60/0xa0 +[ 160.180356] mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan] +[ 160.248140] +[ 160.249807] The buggy address belongs to the object at ffff888116163400 +[ 160.249807] which belongs to the cache kmalloc-1k of size 1024 +[ 160.263814] The buggy address is located 64 bytes to the right of +[ 160.263814] 1024-byte region [ffff888116163400, ffff888116163800) +[ 160.277536] The buggy address belongs to the page: +[ 160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160 +[ 160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0 +[ 160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2) +[ 160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0 +[ 160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000 +[ 160.327033] page dumped because: kasan: bad access detected +[ 160.333270] +[ 160.334937] Memory state around the buggy address: +[ 160.356469] >ffff888116163800: fc .. + +Fixes: 65afb4c8e7e4 ("hwmon: (mlxreg-fan) Add support for Mellanox FAN driver") +Signed-off-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20210916183151.869427-1-vadimp@nvidia.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/mlxreg-fan.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwmon/mlxreg-fan.c b/drivers/hwmon/mlxreg-fan.c +index d8fa4bea4bc8..e57b0c5119ce 100644 +--- a/drivers/hwmon/mlxreg-fan.c ++++ b/drivers/hwmon/mlxreg-fan.c +@@ -307,8 +307,8 @@ static int mlxreg_fan_set_cur_state(struct thermal_cooling_device *cdev, + { + struct mlxreg_fan *fan = cdev->devdata; + unsigned long cur_state; ++ int i, config = 0; + u32 regval; +- int i; + int err; + + /* +@@ -321,6 +321,12 @@ static int mlxreg_fan_set_cur_state(struct thermal_cooling_device *cdev, + * overwritten. + */ + if (state >= MLXREG_FAN_SPEED_MIN && state <= MLXREG_FAN_SPEED_MAX) { ++ /* ++ * This is configuration change, which is only supported through sysfs. ++ * For configuration non-zero value is to be returned to avoid thermal ++ * statistics update. ++ */ ++ config = 1; + state -= MLXREG_FAN_MAX_STATE; + for (i = 0; i < state; i++) + fan->cooling_levels[i] = state; +@@ -335,7 +341,7 @@ static int mlxreg_fan_set_cur_state(struct thermal_cooling_device *cdev, + + cur_state = MLXREG_FAN_PWM_DUTY2STATE(regval); + if (state < cur_state) +- return 0; ++ return config; + + state = cur_state; + } +@@ -351,7 +357,7 @@ static int mlxreg_fan_set_cur_state(struct thermal_cooling_device *cdev, + dev_err(fan->dev, "Failed to write PWM duty\n"); + return err; + } +- return 0; ++ return config; + } + + static const struct thermal_cooling_device_ops mlxreg_fan_cooling_ops = { +-- +2.33.0 + diff --git a/queue-4.19/hwmon-tmp421-fix-rounding-for-negative-values.patch b/queue-4.19/hwmon-tmp421-fix-rounding-for-negative-values.patch new file mode 100644 index 00000000000..4de7e1f37df --- /dev/null +++ b/queue-4.19/hwmon-tmp421-fix-rounding-for-negative-values.patch @@ -0,0 +1,74 @@ +From 6528dad97e34ce59df080c9115a2470af259868f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 12:30:11 +0300 +Subject: hwmon: (tmp421) fix rounding for negative values + +From: Paul Fertser + +[ Upstream commit 724e8af85854c4d3401313b6dd7d79cf792d8990 ] + +Old code produces -24999 for 0b1110011100000000 input in standard format due to +always rounding up rather than "away from zero". + +Use the common macro for division, unify and simplify the conversion code along +the way. + +Fixes: 9410700b881f ("hwmon: Add driver for Texas Instruments TMP421/422/423 sensor chips") +Signed-off-by: Paul Fertser +Link: https://lore.kernel.org/r/20210924093011.26083-3-fercerpav@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/tmp421.c | 24 ++++++++---------------- + 1 file changed, 8 insertions(+), 16 deletions(-) + +diff --git a/drivers/hwmon/tmp421.c b/drivers/hwmon/tmp421.c +index c2113c00b635..cdd01a848301 100644 +--- a/drivers/hwmon/tmp421.c ++++ b/drivers/hwmon/tmp421.c +@@ -109,23 +109,17 @@ struct tmp421_data { + s16 temp[4]; + }; + +-static int temp_from_s16(s16 reg) ++static int temp_from_raw(u16 reg, bool extended) + { + /* Mask out status bits */ + int temp = reg & ~0xf; + +- return (temp * 1000 + 128) / 256; +-} +- +-static int temp_from_u16(u16 reg) +-{ +- /* Mask out status bits */ +- int temp = reg & ~0xf; +- +- /* Add offset for extended temperature range. */ +- temp -= 64 * 256; ++ if (extended) ++ temp = temp - 64 * 256; ++ else ++ temp = (s16)temp; + +- return (temp * 1000 + 128) / 256; ++ return DIV_ROUND_CLOSEST(temp * 1000, 256); + } + + static struct tmp421_data *tmp421_update_device(struct device *dev) +@@ -162,10 +156,8 @@ static int tmp421_read(struct device *dev, enum hwmon_sensor_types type, + + switch (attr) { + case hwmon_temp_input: +- if (tmp421->config & TMP421_CONFIG_RANGE) +- *val = temp_from_u16(tmp421->temp[channel]); +- else +- *val = temp_from_s16(tmp421->temp[channel]); ++ *val = temp_from_raw(tmp421->temp[channel], ++ tmp421->config & TMP421_CONFIG_RANGE); + return 0; + case hwmon_temp_fault: + /* +-- +2.33.0 + diff --git a/queue-4.19/hwmon-tmp421-replace-s_-perms-with-octal-values.patch b/queue-4.19/hwmon-tmp421-replace-s_-perms-with-octal-values.patch new file mode 100644 index 00000000000..1e331e5e088 --- /dev/null +++ b/queue-4.19/hwmon-tmp421-replace-s_-perms-with-octal-values.patch @@ -0,0 +1,43 @@ +From 3c82d1cc56a4ce073341f85e680a6c3f53dbbfcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Dec 2018 14:02:23 -0800 +Subject: hwmon: (tmp421) Replace S_ with octal values + +From: Guenter Roeck + +[ Upstream commit b626eb22f9e17fcca4e262a8274e93690068557f ] + +Replace S_ with octal values. + +The conversion was done automatically with coccinelle. The semantic patches +and the scripts used to generate this commit log are available at +https://github.com/groeck/coccinelle-patches/hwmon/. + +This patch does not introduce functional changes. It was verified by +compiling the old and new files and comparing text and data sizes. + +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/tmp421.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/tmp421.c b/drivers/hwmon/tmp421.c +index ceb3db6f3fdd..06826a78c0f4 100644 +--- a/drivers/hwmon/tmp421.c ++++ b/drivers/hwmon/tmp421.c +@@ -187,9 +187,9 @@ static umode_t tmp421_is_visible(const void *data, enum hwmon_sensor_types type, + case hwmon_temp_fault: + if (channel == 0) + return 0; +- return S_IRUGO; ++ return 0444; + case hwmon_temp_input: +- return S_IRUGO; ++ return 0444; + default: + return 0; + } +-- +2.33.0 + diff --git a/queue-4.19/hwmon-tmp421-report-pvld-condition-as-fault.patch b/queue-4.19/hwmon-tmp421-report-pvld-condition-as-fault.patch new file mode 100644 index 00000000000..e8f71f01db4 --- /dev/null +++ b/queue-4.19/hwmon-tmp421-report-pvld-condition-as-fault.patch @@ -0,0 +1,54 @@ +From 3c870501dc8f117cb972426d752ed19da997599c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 12:30:10 +0300 +Subject: hwmon: (tmp421) report /PVLD condition as fault + +From: Paul Fertser + +[ Upstream commit 540effa7f283d25bcc13c0940d808002fee340b8 ] + +For both local and remote sensors all the supported ICs can report an +"undervoltage lockout" condition which means the conversion wasn't +properly performed due to insufficient power supply voltage and so the +measurement results can't be trusted. + +Fixes: 9410700b881f ("hwmon: Add driver for Texas Instruments TMP421/422/423 sensor chips") +Signed-off-by: Paul Fertser +Link: https://lore.kernel.org/r/20210924093011.26083-2-fercerpav@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/tmp421.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/hwmon/tmp421.c b/drivers/hwmon/tmp421.c +index 06826a78c0f4..c2113c00b635 100644 +--- a/drivers/hwmon/tmp421.c ++++ b/drivers/hwmon/tmp421.c +@@ -169,10 +169,10 @@ static int tmp421_read(struct device *dev, enum hwmon_sensor_types type, + return 0; + case hwmon_temp_fault: + /* +- * The OPEN bit signals a fault. This is bit 0 of the temperature +- * register (low byte). ++ * Any of OPEN or /PVLD bits indicate a hardware mulfunction ++ * and the conversion result may be incorrect + */ +- *val = tmp421->temp[channel] & 0x01; ++ *val = !!(tmp421->temp[channel] & 0x03); + return 0; + default: + return -EOPNOTSUPP; +@@ -185,9 +185,6 @@ static umode_t tmp421_is_visible(const void *data, enum hwmon_sensor_types type, + { + switch (attr) { + case hwmon_temp_fault: +- if (channel == 0) +- return 0; +- return 0444; + case hwmon_temp_input: + return 0444; + default: +-- +2.33.0 + diff --git a/queue-4.19/ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch b/queue-4.19/ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch new file mode 100644 index 00000000000..2215d779815 --- /dev/null +++ b/queue-4.19/ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch @@ -0,0 +1,46 @@ +From 0f2837cd17ed7ad50d13c399a219c3a274de35bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 18:08:39 +0200 +Subject: ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 + +From: Andrea Claudi + +[ Upstream commit 69e73dbfda14fbfe748d3812da1244cce2928dcb ] + +ip_vs_conn_tab_bits may be provided by the user through the +conn_tab_bits module parameter. If this value is greater than 31, or +less than 0, the shift operator used to derive tab_size causes undefined +behaviour. + +Fix this checking ip_vs_conn_tab_bits value to be in the range specified +in ipvs Kconfig. If not, simply use default value. + +Fixes: 6f7edb4881bf ("IPVS: Allow boot time change of hash size") +Reported-by: Yi Chen +Signed-off-by: Andrea Claudi +Acked-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_conn.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c +index 5b2b17867cb1..2780a847701e 100644 +--- a/net/netfilter/ipvs/ip_vs_conn.c ++++ b/net/netfilter/ipvs/ip_vs_conn.c +@@ -1399,6 +1399,10 @@ int __init ip_vs_conn_init(void) + int idx; + + /* Compute size and mask */ ++ if (ip_vs_conn_tab_bits < 8 || ip_vs_conn_tab_bits > 20) { ++ pr_info("conn_tab_bits not in [8, 20]. Using default value\n"); ++ ip_vs_conn_tab_bits = CONFIG_IP_VS_TAB_BITS; ++ } + ip_vs_conn_tab_size = 1 << ip_vs_conn_tab_bits; + ip_vs_conn_tab_mask = ip_vs_conn_tab_size - 1; + +-- +2.33.0 + diff --git a/queue-4.19/mac80211-fix-ieee80211_amsdu_aggregate-frag_tail-bug.patch b/queue-4.19/mac80211-fix-ieee80211_amsdu_aggregate-frag_tail-bug.patch new file mode 100644 index 00000000000..01d55b19ede --- /dev/null +++ b/queue-4.19/mac80211-fix-ieee80211_amsdu_aggregate-frag_tail-bug.patch @@ -0,0 +1,52 @@ +From 8109844741566243949136267e025415ff662c36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Aug 2021 15:32:40 +0800 +Subject: mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug + +From: Chih-Kang Chang + +[ Upstream commit fe94bac626d9c1c5bc98ab32707be8a9d7f8adba ] + +In ieee80211_amsdu_aggregate() set a pointer frag_tail point to the +end of skb_shinfo(head)->frag_list, and use it to bind other skb in +the end of this function. But when execute ieee80211_amsdu_aggregate() +->ieee80211_amsdu_realloc_pad()->pskb_expand_head(), the address of +skb_shinfo(head)->frag_list will be changed. However, the +ieee80211_amsdu_aggregate() not update frag_tail after call +pskb_expand_head(). That will cause the second skb can't bind to the +head skb appropriately.So we update the address of frag_tail to fix it. + +Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support") +Signed-off-by: Chih-Kang Chang +Signed-off-by: Zong-Zhe Yang +Signed-off-by: Ping-Ke Shih +Link: https://lore.kernel.org/r/20210830073240.12736-1-pkshih@realtek.com +[reword comment] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 5c5908127fcb..adeee760ab4c 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3264,6 +3264,14 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata, + if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head)) + goto out; + ++ /* If n == 2, the "while (*frag_tail)" loop above didn't execute ++ * and frag_tail should be &skb_shinfo(head)->frag_list. ++ * However, ieee80211_amsdu_prepare_head() can reallocate it. ++ * Reload frag_tail to have it pointing to the correct place. ++ */ ++ if (n == 2) ++ frag_tail = &skb_shinfo(head)->frag_list; ++ + /* + * Pad out the previous subframe to a multiple of 4 by adding the + * padding to the next one, that's being added. Note that head->len +-- +2.33.0 + diff --git a/queue-4.19/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch b/queue-4.19/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch new file mode 100644 index 00000000000..e7b70d41461 --- /dev/null +++ b/queue-4.19/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch @@ -0,0 +1,84 @@ +From d278ccd760e262ff6956e5d24bd5ce920be40b5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Sep 2021 14:45:22 +0200 +Subject: mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap + +From: Lorenzo Bianconi + +[ Upstream commit 13cb6d826e0ac0d144b0d48191ff1a111d32f0c6 ] + +Limit max values for vht mcs and nss in ieee80211_parse_tx_radiotap +routine in order to fix the following warning reported by syzbot: + +WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_rate_set_vht include/net/mac80211.h:989 [inline] +WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244 +Modules linked in: +CPU: 0 PID: 10717 Comm: syz-executor.5 Not tainted 5.14.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:ieee80211_rate_set_vht include/net/mac80211.h:989 [inline] +RIP: 0010:ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244 +RSP: 0018:ffffc9000186f3e8 EFLAGS: 00010216 +RAX: 0000000000000618 RBX: ffff88804ef76500 RCX: ffffc900143a5000 +RDX: 0000000000040000 RSI: ffffffff888f478e RDI: 0000000000000003 +RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000100 +R10: ffffffff888f46f9 R11: 0000000000000000 R12: 00000000fffffff8 +R13: ffff88804ef7653c R14: 0000000000000001 R15: 0000000000000004 +FS: 00007fbf5718f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b2de23000 CR3: 000000006a671000 CR4: 00000000001506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 +Call Trace: + ieee80211_monitor_select_queue+0xa6/0x250 net/mac80211/iface.c:740 + netdev_core_pick_tx+0x169/0x2e0 net/core/dev.c:4089 + __dev_queue_xmit+0x6f9/0x3710 net/core/dev.c:4165 + __bpf_tx_skb net/core/filter.c:2114 [inline] + __bpf_redirect_no_mac net/core/filter.c:2139 [inline] + __bpf_redirect+0x5ba/0xd20 net/core/filter.c:2162 + ____bpf_clone_redirect net/core/filter.c:2429 [inline] + bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2401 + bpf_prog_eeb6f53a69e5c6a2+0x59/0x234 + bpf_dispatcher_nop_func include/linux/bpf.h:717 [inline] + __bpf_prog_run include/linux/filter.h:624 [inline] + bpf_prog_run include/linux/filter.h:631 [inline] + bpf_test_run+0x381/0xa30 net/bpf/test_run.c:119 + bpf_prog_test_run_skb+0xb84/0x1ee0 net/bpf/test_run.c:663 + bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline] + __sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605 + __do_sys_bpf kernel/bpf/syscall.c:4691 [inline] + __se_sys_bpf kernel/bpf/syscall.c:4689 [inline] + __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x4665f9 + +Reported-by: syzbot+0196ac871673f0c20f68@syzkaller.appspotmail.com +Fixes: 646e76bb5daf4 ("mac80211: parse VHT info in injected frames") +Signed-off-by: Lorenzo Bianconi +Link: https://lore.kernel.org/r/c26c3f02dcb38ab63b2f2534cb463d95ee81bb13.1632141760.git.lorenzo@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index adeee760ab4c..74045e927e04 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -2126,7 +2126,11 @@ static bool ieee80211_parse_tx_radiotap(struct ieee80211_local *local, + } + + vht_mcs = iterator.this_arg[4] >> 4; ++ if (vht_mcs > 11) ++ vht_mcs = 0; + vht_nss = iterator.this_arg[4] & 0xF; ++ if (!vht_nss || vht_nss > 8) ++ vht_nss = 1; + break; + + /* +-- +2.33.0 + diff --git a/queue-4.19/revert-block-bfq-honor-already-setup-queue-merges.patch b/queue-4.19/revert-block-bfq-honor-already-setup-queue-merges.patch new file mode 100644 index 00000000000..d2b8b61b4bd --- /dev/null +++ b/queue-4.19/revert-block-bfq-honor-already-setup-queue-merges.patch @@ -0,0 +1,68 @@ +From 460e6749ab186275e30aabd39e4d577392badcdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 06:33:15 -0600 +Subject: Revert "block, bfq: honor already-setup queue merges" + +From: Jens Axboe + +[ Upstream commit ebc69e897e17373fbe1daaff1debaa77583a5284 ] + +This reverts commit 2d52c58b9c9bdae0ca3df6a1eab5745ab3f7d80b. + +We have had several folks complain that this causes hangs for them, which +is especially problematic as the commit has also hit stable already. + +As no resolution seems to be forthcoming right now, revert the patch. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=214503 +Fixes: 2d52c58b9c9b ("block, bfq: honor already-setup queue merges") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index c8c94e8e0f72..b2bad345c523 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -2137,15 +2137,6 @@ bfq_setup_merge(struct bfq_queue *bfqq, struct bfq_queue *new_bfqq) + * are likely to increase the throughput. + */ + bfqq->new_bfqq = new_bfqq; +- /* +- * The above assignment schedules the following redirections: +- * each time some I/O for bfqq arrives, the process that +- * generated that I/O is disassociated from bfqq and +- * associated with new_bfqq. Here we increases new_bfqq->ref +- * in advance, adding the number of processes that are +- * expected to be associated with new_bfqq as they happen to +- * issue I/O. +- */ + new_bfqq->ref += process_refs; + return new_bfqq; + } +@@ -2205,10 +2196,6 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq, + { + struct bfq_queue *in_service_bfqq, *new_bfqq; + +- /* if a merge has already been setup, then proceed with that first */ +- if (bfqq->new_bfqq) +- return bfqq->new_bfqq; +- + /* + * Prevent bfqq from being merged if it has been created too + * long ago. The idea is that true cooperating processes, and +@@ -2223,6 +2210,9 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq, + if (bfq_too_late_for_merging(bfqq)) + return NULL; + ++ if (bfqq->new_bfqq) ++ return bfqq->new_bfqq; ++ + if (!io_struct || unlikely(bfqq == &bfqd->oom_bfqq)) + return NULL; + +-- +2.33.0 + diff --git a/queue-4.19/scsi-csiostor-add-module-softdep-on-cxgb4.patch b/queue-4.19/scsi-csiostor-add-module-softdep-on-cxgb4.patch new file mode 100644 index 00000000000..30590b1fd7b --- /dev/null +++ b/queue-4.19/scsi-csiostor-add-module-softdep-on-cxgb4.patch @@ -0,0 +1,44 @@ +From ac177746fc90a478c5a971b57ecbd784d4a8e308 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 21:44:08 +0530 +Subject: scsi: csiostor: Add module softdep on cxgb4 + +From: Rahul Lakkireddy + +[ Upstream commit 79a7482249a7353bc86aff8127954d5febf02472 ] + +Both cxgb4 and csiostor drivers run on their own independent Physical +Function. But when cxgb4 and csiostor are both being loaded in parallel via +modprobe, there is a race when firmware upgrade is attempted by both the +drivers. + +When the cxgb4 driver initiates the firmware upgrade, it halts the firmware +and the chip until upgrade is complete. When the csiostor driver is coming +up in parallel, the firmware mailbox communication fails with timeouts and +the csiostor driver probe fails. + +Add a module soft dependency on cxgb4 driver to ensure loading csiostor +triggers cxgb4 to load first when available to avoid the firmware upgrade +race. + +Link: https://lore.kernel.org/r/1632759248-15382-1-git-send-email-rahul.lakkireddy@chelsio.com +Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver") +Signed-off-by: Rahul Lakkireddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_init.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/csiostor/csio_init.c b/drivers/scsi/csiostor/csio_init.c +index 1793981337dd..b59bcd2553d1 100644 +--- a/drivers/scsi/csiostor/csio_init.c ++++ b/drivers/scsi/csiostor/csio_init.c +@@ -1263,3 +1263,4 @@ MODULE_DEVICE_TABLE(pci, csio_pci_tbl); + MODULE_VERSION(CSIO_DRV_VERSION); + MODULE_FIRMWARE(FW_FNAME_T5); + MODULE_FIRMWARE(FW_FNAME_T6); ++MODULE_SOFTDEP("pre: cxgb4"); +-- +2.33.0 + diff --git a/queue-4.19/sctp-break-out-if-skb_header_pointer-returns-null-in.patch b/queue-4.19/sctp-break-out-if-skb_header_pointer-returns-null-in.patch new file mode 100644 index 00000000000..c908a4b7274 --- /dev/null +++ b/queue-4.19/sctp-break-out-if-skb_header_pointer-returns-null-in.patch @@ -0,0 +1,55 @@ +From 16686c4bdbfcd8151974d80c5d4dfdab11788c40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 00:05:04 -0400 +Subject: sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb + +From: Xin Long + +[ Upstream commit f7e745f8e94492a8ac0b0a26e25f2b19d342918f ] + +We should always check if skb_header_pointer's return is NULL before +using it, otherwise it may cause null-ptr-deref, as syzbot reported: + + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline] + RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196 + Call Trace: + + sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109 + ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422 + ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463 + NF_HOOK include/linux/netfilter.h:307 [inline] + NF_HOOK include/linux/netfilter.h:301 [inline] + ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472 + dst_input include/net/dst.h:460 [inline] + ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline] + NF_HOOK include/linux/netfilter.h:307 [inline] + NF_HOOK include/linux/netfilter.h:301 [inline] + ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297 + +Fixes: 3acb50c18d8d ("sctp: delay as much as possible skb_linearize") +Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/input.c b/net/sctp/input.c +index 8b7c07fc66d4..64dc2923a21b 100644 +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -687,7 +687,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb) + ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch); + + /* Break out if chunk length is less then minimal. */ +- if (ntohs(ch->length) < sizeof(_ch)) ++ if (!ch || ntohs(ch->length) < sizeof(_ch)) + break; + + ch_end = offset + SCTP_PAD4(ntohs(ch->length)); +-- +2.33.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 9041737a61c..f09f5640af8 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -59,3 +59,16 @@ cpufreq-schedutil-destroy-mutex-before-kobject_put-f.patch mac80211-fix-use-after-free-in-ccmp-gcmp-rx.patch x86-kvmclock-move-this_cpu_pvti-into-kvmclock.h.patch drm-amd-display-pass-pci-deviceid-into-dc.patch +ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch +hwmon-mlxreg-fan-return-non-zero-value-when-fan-curr.patch +mac80211-fix-ieee80211_amsdu_aggregate-frag_tail-bug.patch +mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch +sctp-break-out-if-skb_header_pointer-returns-null-in.patch +hwmon-tmp421-replace-s_-perms-with-octal-values.patch +hwmon-tmp421-report-pvld-condition-as-fault.patch +hwmon-tmp421-fix-rounding-for-negative-values.patch +e100-fix-length-calculation-in-e100_get_regs_len.patch +e100-fix-buffer-overrun-in-e100_get_regs.patch +revert-block-bfq-honor-already-setup-queue-merges.patch +scsi-csiostor-add-module-softdep-on-cxgb4.patch +af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch -- 2.47.3