From 200bf37632e5e4f54f551442b7d4e0fcd759cb26 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Sat, 28 Dec 2019 06:08:45 -0500
Subject: [PATCH] 4.4-stable patches
added patches:
af_packet-set-defaule-value-for-tmo.patch
fjes-fix-missed-check-in-fjes_acpi_add.patch
mod_devicetable-fix-phy-module-format.patch
net-dst-force-4-byte-alignment-of-dst_metrics.patch
net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch
net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch
net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch
net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch
sctp-fully-initialize-v4-addr-in-some-functions.patch
---
 .../af_packet-set-defaule-value-for-tmo.patch | 54 +++++++++
 ...es-fix-missed-check-in-fjes_acpi_add.patch | 32 ++++++
 ...od_devicetable-fix-phy-module-format.patch | 43 +++++++
 ...orce-4-byte-alignment-of-dst_metrics.patch | 60 ++++++++++
 ...-a-bug-trigered-by-wrong-bytes_compl.patch | 90 +++++++++++++++
 ...-context-bug-in-nci_uart_tty_receive.patch | 45 ++++++++
 ...rror-paths-in-ql_alloc_large_buffers.patch | 76 +++++++++++++
 ...end-resume-phy-register-access-error.patch | 34 ++++++
 ...initialize-v4-addr-in-some-functions.patch | 107 ++++++++++++++++++
 queue-4.4/series | 9 ++
 10 files changed, 550 insertions(+)
 create mode 100644 queue-4.4/af_packet-set-defaule-value-for-tmo.patch
 create mode 100644 queue-4.4/fjes-fix-missed-check-in-fjes_acpi_add.patch
 create mode 100644 queue-4.4/mod_devicetable-fix-phy-module-format.patch
 create mode 100644 queue-4.4/net-dst-force-4-byte-alignment-of-dst_metrics.patch
 create mode 100644 queue-4.4/net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch
 create mode 100644 queue-4.4/net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch
 create mode 100644 queue-4.4/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch
 create mode 100644 queue-4.4/net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch
 create mode 100644
queue-4.4/sctp-fully-initialize-v4-addr-in-some-functions.patch
diff --git a/queue-4.4/af_packet-set-defaule-value-for-tmo.patch b/queue-4.4/af_packet-set-defaule-value-for-tmo.patch
new file mode 100644
index 00000000000..fed18ded7b6
--- /dev/null
+++ b/queue-4.4/af_packet-set-defaule-value-for-tmo.patch
@@ -0,0 +1,54 @@
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Mao Wenan
+Date: Mon, 9 Dec 2019 21:31:25 +0800
+Subject: af_packet: set defaule value for tmo
+
+From: Mao Wenan
+
+[ Upstream commit b43d1f9f7067c6759b1051e8ecb84e82cef569fe ]
+
+There is softlockup when using TPACKET_V3:
+...
+NMI watchdog: BUG: soft lockup - CPU#2 stuck for 60010ms!
+(__irq_svc) from [] (_raw_spin_unlock_irqrestore+0x44/0x54)
+(_raw_spin_unlock_irqrestore) from [] (mod_timer+0x210/0x25c)
+(mod_timer) from []
+(prb_retire_rx_blk_timer_expired+0x68/0x11c)
+(prb_retire_rx_blk_timer_expired) from []
+(call_timer_fn+0x90/0x17c)
+(call_timer_fn) from [] (run_timer_softirq+0x2d4/0x2fc)
+(run_timer_softirq) from [] (__do_softirq+0x218/0x318)
+(__do_softirq) from [] (irq_exit+0x88/0xac)
+(irq_exit) from [] (msa_irq_exit+0x11c/0x1d4)
+(msa_irq_exit) from [] (handle_IPI+0x650/0x7f4)
+(handle_IPI) from [] (gic_handle_irq+0x108/0x118)
+(gic_handle_irq) from [] (__irq_usr+0x44/0x5c)
+...
+
+If __ethtool_get_link_ksettings() is failed in
+prb_calc_retire_blk_tmo(), msec and tmo will be zero, so tov_in_jiffies
+is zero and the timer expire for retire_blk_timer is turn to
+mod_timer(&pkc->retire_blk_timer, jiffies + 0),
+which will trigger cpu usage of softirq is 100%.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Tested-by: Xiao Jiangfeng
+Signed-off-by: Mao Wenan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/packet/af_packet.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -587,7 +587,8 @@ static int prb_calc_retire_blk_tmo(struc
+ msec = 1;
+ div = speed / 1000;
+ }
+- }
++ } else
++ return DEFAULT_PRB_RETIRE_TOV;
+
+ mbits = (blk_size_in_bytes * 8) / (1024 * 1024);
+
diff --git a/queue-4.4/fjes-fix-missed-check-in-fjes_acpi_add.patch b/queue-4.4/fjes-fix-missed-check-in-fjes_acpi_add.patch
new file mode 100644
index 00000000000..55a21f697ba
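Review bot: The new `else` branch in prb_calc_retire_blk_tmo() returns DEFAULT_PRB_RETIRE_TOV with no comment, and the reason lives only in the commit message: a zero timeout re-arms the retire timer at `jiffies + 0` and pins a CPU in softirq. I would put `/* link settings unavailable: a zero tmo would re-arm retire_blk_timer at jiffies + 0 */` above the return. The branch is also unbraced next to a braced `if`; that mirrors the upstream commit and is best left alone in a backport. The function begins and ends outside the hunk, so whether the later `mbits`/`msec` arithmetic can still yield zero on the successful path cannot be checked from here.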
--- /dev/null
+++ b/queue-4.4/fjes-fix-missed-check-in-fjes_acpi_add.patch
@@ -0,0 +1,32 @@
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Chuhong Yuan
+Date: Tue, 10 Dec 2019 00:22:07 +0800
+Subject: fjes: fix missed check in fjes_acpi_add
+
+From: Chuhong Yuan
+
+[ Upstream commit a288f105a03a7e0e629a8da2b31f34ebf0343ee2 ]
+
+fjes_acpi_add() misses a check for platform_device_register_simple().
+Add a check to fix it.
+
+Fixes: 658d439b2292 ("fjes: Introduce FUJITSU Extended Socket Network Device driver")
+Signed-off-by: Chuhong Yuan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/fjes/fjes_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -149,6 +149,9 @@ static int fjes_acpi_add(struct acpi_dev
+ /* create platform_device */
+ plat_dev = platform_device_register_simple(DRV_NAME, 0, fjes_resource,
+ ARRAY_SIZE(fjes_resource));
++ if (IS_ERR(plat_dev))
++ return PTR_ERR(plat_dev);
++
+ device->driver_data = plat_dev;
+
+ return 0;
diff --git a/queue-4.4/mod_devicetable-fix-phy-module-format.patch b/queue-4.4/mod_devicetable-fix-phy-module-format.patch
new file mode 100644
index 00000000000..be7d9179755
--- /dev/null
+++ b/queue-4.4/mod_devicetable-fix-phy-module-format.patch
@@ -0,0 +1,43 @@
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Russell King
+Date: Thu, 19 Dec 2019 23:24:47 +0000
+Subject: mod_devicetable: fix PHY module format
+
+From: Russell King
+
+[ Upstream commit d2ed49cf6c13e379c5819aa5ac20e1f9674ebc89 ]
+
+When a PHY is probed, if the top bit is set, we end up requesting a
+module with the string "mdio:-10101110000000100101000101010001" -
+the top bit is printed to a signed -1 value. This leads to the module
+not being loaded.
+
+Fix the module format string and the macro generating the values for
+it to ensure that we only print unsigned types and the top bit is
+always 0/1. We correctly end up with
+"mdio:10101110000000100101000101010001".
+
+Fixes: 8626d3b43280 ("phylib: Support phy module autoloading")
+Reviewed-by: Andrew Lunn
+Signed-off-by: Russell King
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/mod_devicetable.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/mod_devicetable.h
++++ b/include/linux/mod_devicetable.h
+@@ -502,9 +502,9 @@ struct platform_device_id {
+
+ #define MDIO_MODULE_PREFIX "mdio:"
+
+-#define MDIO_ID_FMT "%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d"
++#define MDIO_ID_FMT "%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u"
+ #define MDIO_ID_ARGS(_id) \
+- (_id)>>31, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \
++ ((_id)>>31) & 1, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \
+ ((_id)>>27) & 1, ((_id)>>26) & 1, ((_id)>>25) & 1, ((_id)>>24) & 1, \
+ ((_id)>>23) & 1, ((_id)>>22) & 1, ((_id)>>21) & 1, ((_id)>>20) & 1, \
+ ((_id)>>19) & 1, ((_id)>>18) & 1, ((_id)>>17) & 1, ((_id)>>16) & 1, \
diff --git a/queue-4.4/net-dst-force-4-byte-alignment-of-dst_metrics.patch b/queue-4.4/net-dst-force-4-byte-alignment-of-dst_metrics.patch
new file mode 100644
index 00000000000..fc77c998c84
--- /dev/null
+++ b/queue-4.4/net-dst-force-4-byte-alignment-of-dst_metrics.patch 
@@ -0,0 +1,60 @@
+From foo@baz Sat 28 Dec 2019 06:03:45 AM EST
+From: Geert Uytterhoeven
+Date: Fri, 20 Dec 2019 14:31:40 +0100
+Subject: net: dst: Force 4-byte alignment of dst_metrics
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 258a980d1ec23e2c786e9536a7dd260bea74bae6 ]
+
+When storing a pointer to a dst_metrics structure in dst_entry._metrics,
+two flags are added in the least significant bits of the pointer value.
+Hence this assumes all pointers to dst_metrics structures have at least
+4-byte alignment.
+
+However, on m68k, the minimum alignment of 32-bit values is 2 bytes, not
+4 bytes. Hence in some kernel builds, dst_default_metrics may be only
+2-byte aligned, leading to obscure boot warnings like:
+
+ WARNING: CPU: 0 PID: 7 at lib/refcount.c:28 refcount_warn_saturate+0x44/0x9a
+ refcount_t: underflow; use-after-free.
+ Modules linked in:
+ CPU: 0 PID: 7 Comm: ksoftirqd/0 Tainted: G W 5.5.0-rc2-atari-01448-g114a1a1038af891d-dirty #261
+ Stack from 10835e6c:
+ 10835e6c 0038134f 00023fa6 00394b0f 0000001c 00000009 00321560 00023fea
+ 00394b0f 0000001c 001a70f8 00000009 00000000 10835eb4 00000001 00000000
+ 04208040 0000000a 00394b4a 10835ed4 00043aa8 001a70f8 00394b0f 0000001c
+ 00000009 00394b4a 0026aba8 003215a4 00000003 00000000 0026d5a8 00000001
+ 003215a4 003a4361 003238d6 000001f0 00000000 003215a4 10aa3b00 00025e84
+ 003ddb00 10834000 002416a8 10aa3b00 00000000 00000080 000aa038 0004854a
+ Call Trace: [<00023fa6>] __warn+0xb2/0xb4
+ [<00023fea>] warn_slowpath_fmt+0x42/0x64
+ [<001a70f8>] refcount_warn_saturate+0x44/0x9a
+ [<00043aa8>] printk+0x0/0x18
+ [<001a70f8>] refcount_warn_saturate+0x44/0x9a
+ [<0026aba8>] refcount_sub_and_test.constprop.73+0x38/0x3e
+ [<0026d5a8>] ipv4_dst_destroy+0x5e/0x7e
+ [<00025e84>] __local_bh_enable_ip+0x0/0x8e
+ [<002416a8>] dst_destroy+0x40/0xae
+
+Fix this by forcing 4-byte alignment of all dst_metrics structures.
+
+Fixes: e5fd387ad5b30ca3 ("ipv6: do not overwrite inetpeer metrics prematurely")
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/dst.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -113,7 +113,7 @@ struct dst_entry {
+ struct dst_metrics {
+ u32 metrics[RTAX_MAX];
+ atomic_t refcnt;
+-};
++} __aligned(4); /* Low pointer bits contain DST_METRICS_FLAGS */
+ extern const struct dst_metrics dst_default_metrics;
+
+ u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old);
diff --git a/queue-4.4/net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch b/queue-4.4/net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch
new file mode 100644
index 00000000000..aeac0fc9162
--- /dev/null
+++ b/queue-4.4/net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch
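Review bot: The `__aligned(4)` added to struct dst_metrics states the pointer-tagging assumption only in a comment, so nothing fails at build time if the flag mask grows or the attribute is lost in a later edit. A compile-time check beside the code that stores the flags in the pointer would enforce the invariant, for example `BUILD_BUG_ON(__alignof__(struct dst_metrics) <= DST_METRICS_FLAGS);`. The value of DST_METRICS_FLAGS is not visible in this hunk, so the comparison should be confirmed against its definition. The quoted trace shows the misalignment surfacing as a refcount underflow / use-after-free warning at boot, which is a much later and more obscure signal than a build failure.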
@@ -0,0 +1,90 @@
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Jiangfeng Xiao
+Date: Thu, 19 Dec 2019 10:08:07 +0800
+Subject: net: hisilicon: Fix a BUG trigered by wrong bytes_compl
+
+From: Jiangfeng Xiao
+
+[ Upstream commit 90b3b339364c76baa2436445401ea9ade040c216 ]
+
+When doing stress test, we get the following trace:
+kernel BUG at lib/dynamic_queue_limits.c:26!
+Internal error: Oops - BUG: 0 [#1] SMP ARM
+Modules linked in: hip04_eth
+CPU: 0 PID: 2003 Comm: tDblStackPcap0 Tainted: G O L 4.4.197 #1
+Hardware name: Hisilicon A15
+task: c3637668 task.stack: de3bc000
+PC is at dql_completed+0x18/0x154
+LR is at hip04_tx_reclaim+0x110/0x174 [hip04_eth]
+pc : [] lr : [] psr: 800f0313
+sp : de3bdc2c ip : 00000000 fp : c020fb10
+r10: 00000000 r9 : c39b4224 r8 : 00000001
+r7 : 00000046 r6 : c39b4000 r5 : 0078f392 r4 : 0078f392
+r3 : 00000047 r2 : 00000000 r1 : 00000046 r0 : df5d5c80
+Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+Control: 32c5387d Table: 1e189b80 DAC: 55555555
+Process tDblStackPcap0 (pid: 2003, stack limit = 0xde3bc190)
+Stack: (0xde3bdc2c to 0xde3be000)
+[] (dql_completed) from [] (hip04_tx_reclaim+0x110/0x174 [hip04_eth])
+[] (hip04_tx_reclaim [hip04_eth]) from [] (hip04_rx_poll+0x20/0x388 [hip04_eth])
+[] (hip04_rx_poll [hip04_eth]) from [] (net_rx_action+0x120/0x374)
+[] (net_rx_action) from [] (__do_softirq+0x218/0x318)
+[] (__do_softirq) from [] (irq_exit+0x88/0xac)
+[] (irq_exit) from [] (msa_irq_exit+0x11c/0x1d4)
+[] (msa_irq_exit) from [] (__handle_domain_irq+0x110/0x148)
+[] (__handle_domain_irq) from [] (gic_handle_irq+0xd4/0x118)
+[] (gic_handle_irq) from [] (__irq_svc+0x40/0x58)
+Exception stack(0xde3bdde0 to 0xde3bde28)
+dde0: 00000000 00008001 c3637668 00000000 00000000 a00f0213 dd3627a0 c0af6380
+de00: c086d380 a00f0213 c0a22a50 de3bde6c 00000002 de3bde30 c0558138 c055813c
+de20: 600f0213 ffffffff
+[] (__irq_svc) from [] (_raw_spin_unlock_irqrestore+0x44/0x54)
+Kernel panic - not syncing: Fatal exception in
interrupt
+
+Pre-modification code:
+int hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+{
+[...]
+[1] priv->tx_head = TX_NEXT(tx_head);
+[2] count++;
+[3] netdev_sent_queue(ndev, skb->len);
+[...]
+}
+An rx interrupt occurs if hip04_mac_start_xmit just executes to the line 2,
+tx_head has been updated, but corresponding 'skb->len' has not been
+added to dql_queue.
+
+And then
+hip04_mac_interrupt->__napi_schedule->hip04_rx_poll->hip04_tx_reclaim
+
+In hip04_tx_reclaim, because tx_head has been updated,
+bytes_compl will plus an additional "skb-> len"
+which has not been added to dql_queue. And then
+trigger the BUG_ON(bytes_compl > num_queued - dql->num_completed).
+
+To solve the problem described above, we put
+"netdev_sent_queue(ndev, skb->len);"
+before
+"priv->tx_head = TX_NEXT(tx_head);"
+
+Fixes: a41ea46a9a12 ("net: hisilicon: new hip04 ethernet driver")
+Signed-off-by: Jiangfeng Xiao
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -455,9 +455,9 @@ static int hip04_mac_start_xmit(struct s
+ skb_tx_timestamp(skb);
+
+ hip04_set_xmit_desc(priv, phys);
+- priv->tx_head = TX_NEXT(tx_head);
+ count++;
+ netdev_sent_queue(ndev, skb->len);
++ priv->tx_head = TX_NEXT(tx_head);
+
+ stats->tx_bytes += skb->len;
+ stats->tx_packets++;
diff --git a/queue-4.4/net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch b/queue-4.4/net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch
new file mode 100644
index 00000000000..f450635eb3c
--- /dev/null
+++ b/queue-4.4/net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch
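Review bot: The fix in hip04_mac_start_xmit() depends on `netdev_sent_queue()` running before the `priv->tx_head` store, but the new code has neither a comment nor a barrier that says so, and the two statements look freely reorderable to a later cleanup. I would add `/* account the bytes before publishing tx_head: hip04_tx_reclaim() completes everything up to tx_head */` above the call. Whether a write barrier is also needed between the two for a reclaim running on another CPU cannot be judged from the hunk, because the rest of this function and hip04_tx_reclaim() are outside it; it is worth confirming, since the failure mode is a BUG_ON in interrupt context.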
@@ -0,0 +1,45 @@
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Jia-Ju Bai
+Date: Wed, 18 Dec 2019 17:21:55 +0800
+Subject: net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive()
+
+From: Jia-Ju Bai
+
+[ Upstream commit b7ac893652cafadcf669f78452329727e4e255cc ]
+
+The kernel may sleep while holding a spinlock.
+The function call path (from bottom to top) in Linux 4.19 is:
+
+net/nfc/nci/uart.c, 349:
+ nci_skb_alloc in nci_uart_default_recv_buf
+net/nfc/nci/uart.c, 255:
+ (FUNC_PTR)nci_uart_default_recv_buf in nci_uart_tty_receive
+net/nfc/nci/uart.c, 254:
+ spin_lock in nci_uart_tty_receive
+
+nci_skb_alloc(GFP_KERNEL) can sleep at runtime.
+(FUNC_PTR) means a function pointer is called.
+
+To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC for
+nci_skb_alloc().
+
+This bug is found by a static analysis tool STCheck written by myself.
+
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/nci/uart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/nci/uart.c
++++ b/net/nfc/nci/uart.c
+@@ -355,7 +355,7 @@ static int nci_uart_default_recv_buf(str
+ nu->rx_packet_len = -1;
+ nu->rx_skb = nci_skb_alloc(nu->ndev,
+ NCI_MAX_PACKET_SIZE,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!nu->rx_skb)
+ return -ENOMEM;
+ }
diff --git a/queue-4.4/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch b/queue-4.4/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch
new file mode 100644
index 00000000000..8e47ec3b55e
--- /dev/null
+++ b/queue-4.4/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch
@@ -0,0 +1,76 @@
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Ben Hutchings
+Date: Tue, 17 Dec 2019 01:57:40 +0000
+Subject: net: qlogic: Fix error paths in ql_alloc_large_buffers()
+
+From: Ben Hutchings
+
+[ Upstream commit cad46039e4c99812db067c8ac22a864960e7acc4 ]
+
+ql_alloc_large_buffers() has the usual RX buffer allocation
+loop where it allocates skbs and maps them for DMA. It also
+treats failure as a fatal error.
+
+There are (at least) three bugs in the error paths:
+
+1. ql_free_large_buffers() assumes that the lrg_buf[] entry for the
+first buffer that couldn't be allocated will have .skb == NULL.
+But the qla_buf[] array is not zero-initialised.
+
+2. ql_free_large_buffers() DMA-unmaps all skbs in lrg_buf[]. This is
+incorrect for the last allocated skb, if DMA mapping failed.
+
+3. Commit 1acb8f2a7a9f ("net: qlogic: Fix memory leak in
+ql_alloc_large_buffers") added a direct call to dev_kfree_skb_any()
+after the skb is recorded in lrg_buf[], so ql_free_large_buffers()
+will double-free it.
+
+The bugs are somewhat inter-twined, so fix them all at once:
+
+* Clear each entry in qla_buf[] before attempting to allocate
+ an skb for it. This goes half-way to fixing bug 1.
+* Set the .skb field only after the skb is DMA-mapped. This
+ fixes the rest.
+
+Fixes: 1357bfcf7106 ("qla3xxx: Dynamically size the rx buffer queue ...")
+Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() ...")
+Fixes: 1acb8f2a7a9f ("net: qlogic: Fix memory leak in ql_alloc_large_buffers")
+Signed-off-by: Ben Hutchings
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -2752,6 +2752,9 @@ static int ql_alloc_large_buffers(struct
+ int err;
+
+ for (i = 0; i < qdev->num_large_buffers; i++) {
++ lrg_buf_cb = &qdev->lrg_buf[i];
++ memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb));
++
+ skb = netdev_alloc_skb(qdev->ndev,
+ qdev->lrg_buffer_len);
+ if (unlikely(!skb)) {
+@@ -2762,11 +2765,7 @@ static int ql_alloc_large_buffers(struct
+ ql_free_large_buffers(qdev);
+ return -ENOMEM;
+ } else {
+-
+- lrg_buf_cb = &qdev->lrg_buf[i];
+- memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb));
+ lrg_buf_cb->index = i;
+- lrg_buf_cb->skb = skb;
+ /*
+ * We save some space to copy the ethhdr from first
+ * buffer
+@@ -2788,6 +2787,7 @@ static int ql_alloc_large_buffers(struct
+ return -ENOMEM;
+ }
+
++ lrg_buf_cb->skb = skb;
+ dma_unmap_addr_set(lrg_buf_cb, mapaddr, map);
+ dma_unmap_len_set(lrg_buf_cb, maplen,
+ qdev->lrg_buffer_len -
diff --git a/queue-4.4/net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch b/queue-4.4/net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch
new file mode 100644
index 00000000000..6d71bd04182
--- /dev/null
+++ b/queue-4.4/net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch
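Review bot: After this change ql_alloc_large_buffers() clears only the entry it is about to fill, so on a failure at index i every entry after i is still uninitialised, and the cleanup stays safe only while ql_free_large_buffers() stops at the first entry with `.skb == NULL` (the commit message says it assumes this; its body is not in the hunks). Zero-allocating the `lrg_buf[]` array where it is created would remove that dependency and the risk of freeing or DMA-unmapping stale pointers if the cleanup loop is ever changed; the allocation site is not visible here. Separately, the moved `memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb));` could use `sizeof(*lrg_buf_cb)` so the size follows the pointer's type.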
@@ -0,0 +1,34 @@
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Cristian Birsan
+Date: Thu, 12 Dec 2019 13:52:47 +0200
+Subject: net: usb: lan78xx: Fix suspend/resume PHY register access error
+
+From: Cristian Birsan
+
+[ Upstream commit 20032b63586ac6c28c936dff696981159913a13f ]
+
+Lan78xx driver accesses the PHY registers through MDIO bus over USB
+connection. When performing a suspend/resume, the PHY registers can be
+accessed before the USB connection is resumed. This will generate an
+error and will prevent the device to resume correctly.
+This patch adds the dependency between the MDIO bus and USB device to
+allow correct handling of suspend/resume.
+
+Fixes: ce85e13ad6ef ("lan78xx: Update to use phylib instead of mii_if_info.")
+Signed-off-by: Cristian Birsan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/lan78xx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -1448,6 +1448,7 @@ static int lan78xx_mdio_init(struct lan7
+ dev->mdiobus->read = lan78xx_mdiobus_read;
+ dev->mdiobus->write = lan78xx_mdiobus_write;
+ dev->mdiobus->name = "lan78xx-mdiobus";
++ dev->mdiobus->parent = &dev->udev->dev;
+
+ snprintf(dev->mdiobus->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
+ dev->udev->bus->busnum, dev->udev->devnum);
diff --git a/queue-4.4/sctp-fully-initialize-v4-addr-in-some-functions.patch b/queue-4.4/sctp-fully-initialize-v4-addr-in-some-functions.patch
new file mode 100644
index 00000000000..c14d11ab4cc
--- /dev/null
+++ b/queue-4.4/sctp-fully-initialize-v4-addr-in-some-functions.patch
@@ -0,0 +1,107 @@
+From foo@baz Sat 28 Dec 2019 06:07:34 AM EST
+From: Xin Long
+Date: Mon, 9 Dec 2019 13:45:54 +0800
+Subject: sctp: fully initialize v4 addr in some functions
+
+From: Xin Long
+
+[ Upstream commit b6f3320b1d5267e7b583a6d0c88dda518101740c ]
+
+Syzbot found a crash:
+
+ BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline]
+ BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
+ BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
+ Call Trace:
+ crc32_body lib/crc32.c:112 [inline]
+ crc32_le_generic lib/crc32.c:179 [inline]
+ __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
+ chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90
+ crypto_shash_update+0x4c5/0x530 crypto/shash.c:107
+ crc32c+0x150/0x220 lib/libcrc32c.c:47
+ sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36
+ __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640
+ sctp_compute_cksum include/net/sctp/checksum.h:59 [inline]
+ sctp_packet_pack net/sctp/output.c:528 [inline]
+ sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597
+ sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
+ sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
+ sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
+ sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
+ sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
+ sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
+ sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
+ sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
+ sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
+ sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
+
+The issue was caused by transport->ipaddr set with uninit addr param, which
+was passed by:
+
+ sctp_transport_init net/sctp/transport.c:47 [inline]
+ sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
+ sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
+ sctp_process_param
net/sctp/sm_make_chunk.c:2524 [inline]
+
+where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize
+the padding of addr->v4.
+
+Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr)
+will become the part of skb, and the issue occurs.
+
+This patch is to fix it by initializing the padding of addr->v4 in
+sctp_v4_from_addr_param(), as well as other functions that do the similar
+thing, and these functions shouldn't trust that the caller initializes the
+memory, as Marcelo suggested.
+
+Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
+Signed-off-by: Xin Long
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -191,6 +191,7 @@ static void sctp_free_local_addr_list(st
+ list_del(pos);
+ kfree(addr);
+ }
++ memset(sa->sin_zero, 0, sizeof(sa->sin_zero));
+ }
+
+ /* Copy the local addresses which are valid for 'scope' into 'bp'. */
+@@ -255,6 +256,7 @@ static void sctp_v4_from_sk(union sctp_a
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_port = 0;
+ addr->v4.sin_addr.s_addr = inet_sk(sk)->inet_rcv_saddr;
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ }
+
+ /* Initialize sk->sk_rcv_saddr from sctp_addr. */
+@@ -277,6 +279,7 @@ static void sctp_v4_from_addr_param(unio
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_port = port;
+ addr->v4.sin_addr.s_addr = param->v4.addr.s_addr;
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ }
+
+ /* Initialize an address parameter from a sctp_addr and return the length
+@@ -301,6 +304,7 @@ static void sctp_v4_dst_saddr(union sctp
+ saddr->v4.sin_family = AF_INET;
+ saddr->v4.sin_port = port;
+ saddr->v4.sin_addr.s_addr = fl4->saddr;
++ memset(saddr->v4.sin_zero, 0, sizeof(saddr->v4.sin_zero));
+ }
+
+ /* Compare two addresses exactly.
*/
+@@ -323,6 +327,7 @@ static void sctp_v4_inaddr_any(union sct
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_addr.s_addr = htonl(INADDR_ANY);
+ addr->v4.sin_port = port;
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ }
+
+ /* Is this a wildcard address? */
diff --git a/queue-4.4/series b/queue-4.4/series
index 732304dee49..d192b53ac02 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -72,3 +72,12 @@ btrfs-return-error-pointer-from-alloc_test_extent_bu.patch
 btrfs-abort-transaction-after-failed-inode-updates-i.patch
 btrfs-fix-removal-logic-of-the-tree-mod-log-that-lea.patch
 alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch
+af_packet-set-defaule-value-for-tmo.patch
+fjes-fix-missed-check-in-fjes_acpi_add.patch
+mod_devicetable-fix-phy-module-format.patch
+net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch
+net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch
+net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch
+net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch
+sctp-fully-initialize-v4-addr-in-some-functions.patch
+net-dst-force-4-byte-alignment-of-dst_metrics.patch
--
2.47.3
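Review bot: The first hunk of the queued sctp patch (`@@ -191,6 +191,7 @@`) adds `memset(sa->sin_zero, 0, sizeof(sa->sin_zero));` in what its header and context (`list_del(pos); kfree(addr);`) show to be sctp_free_local_addr_list(), where no `sa` is visible, while the other four hunks all write through `addr`/`saddr` inside v4 address initialisers. This looks like a hunk that landed in the wrong function on 4.4, presumably meant for the end of sctp_v4_from_skb(). As placed it would either fail to build or leave that initialiser's `sin_zero` padding uninitialised, which is the uninitialised-memory exposure into the heartbeat chunk that KMSAN reported and this patch is meant to close. The hunk should be re-targeted and net/sctp/protocol.c build-tested before the queue is released; the enclosing functions start outside the hunks, so a local `sa` cannot be ruled out from the page alone.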