From 391ccd98f84e87313e368b00dd783ef1815ce43b Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 14 Aug 2020 12:51:38 -0400 Subject: [PATCH] Fixes for 4.4 Signed-off-by: Sasha Levin --- ...sulting-from-calling-of_get_named_gp.patch | 123 ++++++++++++++++++ queue-4.4/series | 2 + ...-packets-earlier-to-avoid-data-corru.patch | 89 +++++++++++++ 3 files changed, 214 insertions(+) create mode 100644 queue-4.4/gpio-fix-oops-resulting-from-calling-of_get_named_gp.patch create mode 100644 queue-4.4/udp-drop-corrupt-packets-earlier-to-avoid-data-corru.patch diff --git a/queue-4.4/gpio-fix-oops-resulting-from-calling-of_get_named_gp.patch b/queue-4.4/gpio-fix-oops-resulting-from-calling-of_get_named_gp.patch new file mode 100644 index 00000000000..9d1ae576deb --- /dev/null +++ b/queue-4.4/gpio-fix-oops-resulting-from-calling-of_get_named_gp.patch 
@@ -0,0 +1,123 @@ +From 5c1144e0632a117473b959bdbe96ba0ab79bbf99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 09:47:11 +0200 +Subject: gpio: fix oops resulting from calling of_get_named_gpio(NULL, ...) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +This happens for the spi-imx driver when running a dt-enabled kernel on +a non-dt machine on Linux 4.0. Among the still supported stable versions +only 4.4 and 4.9 are affected. (However the spi-imx driver doesn't call +of_get_named_gpio() since v4.8-rc1 (commit b36581df7e78 ("spi: imx: +Using existing properties for chipselects")) any more, but the problem +might still affect other users of of_get_named_gpio().) + +In 4.14-rc1 this problem is gone with +commit 7eb6ce2f2723 ("gpio: Convert to using %pOF instead of +full_name"). This commit however doesn't seem sensible to backport as it +depends on ce4fecf1fe15 ("vsprintf: Add %p extension "%pOF" for device +tree") which doesn't trivially apply to v4.4. 
+ +[ 1.649453] Unable to handle kernel NULL pointer dereference at virtual address 0000000c +[ 1.659270] pgd = c0004000 +[ 1.662036] [0000000c] *pgd=00000000 +[ 1.665919] Internal error: Oops - BUG: 5 [#1] PREEMPT ARM +[ 1.671438] Modules linked in: +[ 1.674552] CPU: 0 PID: 1 Comm: swapper Not tainted 4.0.0 #1 +[ 1.680235] Hardware name: Eckelmann ECU01 +[ 1.684361] task: c7840000 ti: c7842000 task.ti: c7842000 +[ 1.689821] PC is at of_get_named_gpiod_flags+0xac/0xe0 +[ 1.695104] LR is at of_find_property+0x38/0x7c +[ 1.699674] pc : [] lr : [] psr: a0000013 +[ 1.699674] sp : c7843cc8 ip : c7843c38 fp : c7843d3c +[ 1.711183] r10: c7884dc0 r9 : c7a8de10 r8 : 00000000 +[ 1.716434] r7 : 00000000 r6 : 00000000 r5 : c065ef50 r4 : fffffffe +[ 1.722986] r3 : 00000000 r2 : 00000000 r1 : c065ef50 r0 : fffffffe +[ 1.729541] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel +[ 1.736879] Control: 0005317f Table: 80004000 DAC: 00000017 +[ 1.742652] Process swapper (pid: 1, stack limit = 0xc7842190) +[ 1.748510] Stack: (0xc7843cc8 to 0xc7844000) +[ 1.752906] 3cc0: c7843cd4 c003ccec 00000000 00000000 00000000 00000000 +[ 1.761125] 3ce0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 1.769345] 3d00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 fffffdfb +[ 1.777566] 3d20: 00000000 c78b4e10 c7a8dc00 000001ff c7843d4c c7843d40 c025db70 c025da90 +[ 1.785788] 3d40: c7843dcc c7843d50 c02f8938 c025db70 c7843d74 c7843d60 c79bc3c0 c79bc320 +[ 1.794007] 3d60: c78bb140 c065476c c7a8de10 00000000 c78b4e10 c78b4e00 00000004 00000001 +[ 1.802227] 3d80: c06d25d4 00000000 c7843dbc c7843d98 c0115a68 c0112538 00000001 c78b4e10 +[ 1.810448] 3da0: c78b4e18 ffffffed c78b4e10 fffffdfb c070bc80 00000000 c06d25d4 00000000 +[ 1.818669] 3dc0: c7843dec c7843dd0 c02a0670 c02f8828 c78b4e10 c073fcb0 00000000 c070bc80 +[ 1.826890] 3de0: c7843e14 c7843df0 c029f064 c02a0630 00000000 c78b4e10 c070bc80 c78b4e44 +[ 1.835110] 3e00: 00000000 c06c8cac c7843e34 
c7843e18 c029f204 c029ef70 c029f170 00000000 +[ 1.843332] 3e20: c070bc80 c029f170 c7843e5c c7843e38 c029d6f4 c029f180 c785c1cc c7873c30 +[ 1.851553] 3e40: c0235728 c070bc80 c7ab9720 c0701e20 c7843e6c c7843e60 c029eb74 c029d6a4 +[ 1.859774] 3e60: c7843e94 c7843e70 c029e7f4 c029eb64 c065f390 c7843e80 c070bc80 c06f0718 +[ 1.867998] 3e80: c7ab8d60 c06b1528 c7843eac c7843e98 c029f810 c029e728 c06f0718 c06f0718 +[ 1.876220] 3ea0: c7843ebc c7843eb0 c02a04dc c029f7ac c7843ecc c7843ec0 c06c8cc4 c02a049c +[ 1.884443] 3ec0: c7843f4c c7843ed0 c00089dc c06c8cbc c0109ec0 c0109d18 c780ac00 00000001 +[ 1.892665] 3ee0: c7843f00 c7843ef0 c06b1544 c0238a24 c7ffca48 c054c854 c7843f4c c7843f08 +[ 1.900886] 3f00: c002e7f4 c06b1538 c003d0e0 00000006 00000006 c06af1a4 00000000 c066ccb4 +[ 1.909107] 3f20: c7843f4c c06ea994 00000006 c071ff20 c06b1528 c06d25e0 c06d25d4 0000008f +[ 1.917327] 3f40: c7843f94 c7843f50 c06b1e6c c0008964 00000006 00000006 c06b1528 dfe48a08 +[ 1.925547] 3f60: 33f73660 3fd760c5 0b5d4bfd 00000000 c0527ef0 00000000 00000000 00000000 +[ 1.933768] 3f80: 00000000 00000000 c7843fac c7843f98 c0527f00 c06b1d00 c7842000 00000000 +[ 1.941988] 3fa0: 00000000 c7843fb0 c0009798 c0527f00 00000000 00000000 00000000 00000000 +[ 1.950206] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 1.958424] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 b3cf731f fe6afeef +[ 1.966617] Backtrace: +[ 1.969150] [] (of_get_named_gpiod_flags) from [] (of_get_named_gpio_flags+0x10/0x24) +[ 1.978744] r7:000001ff r6:c7a8dc00 r5:c78b4e10 r4:00000000 +[ 1.984548] [] (of_get_named_gpio_flags) from [] (spi_imx_probe+0x120/0x67c) +[ 1.993390] [] (spi_imx_probe) from [] (platform_drv_probe+0x50/0xac) +[ 2.001589] r10:00000000 r9:c06d25d4 r8:00000000 r7:c070bc80 r6:fffffdfb r5:c78b4e10 +[ 2.009549] r4:ffffffed +[ 2.012144] [] (platform_drv_probe) from [] (driver_probe_device+0x104/0x210) +[ 2.021040] r7:c070bc80 r6:00000000 r5:c073fcb0 r4:c78b4e10 +[ 2.026822] [] 
(driver_probe_device) from [] (__driver_attach+0x94/0x98) +[ 2.035282] r8:c06c8cac r7:00000000 r6:c78b4e44 r5:c070bc80 r4:c78b4e10 r3:00000000 +[ 2.043191] [] (__driver_attach) from [] (bus_for_each_dev+0x60/0x90) +[ 2.051394] r6:c029f170 r5:c070bc80 r4:00000000 r3:c029f170 +[ 2.057185] [] (bus_for_each_dev) from [] (driver_attach+0x20/0x28) +[ 2.065212] r6:c0701e20 r5:c7ab9720 r4:c070bc80 +[ 2.069931] [] (driver_attach) from [] (bus_add_driver+0xdc/0x1dc) +[ 2.077894] [] (bus_add_driver) from [] (driver_register+0x74/0xec) +[ 2.085919] r7:c06b1528 r6:c7ab8d60 r5:c06f0718 r4:c070bc80 +[ 2.091705] [] (driver_register) from [] (__platform_driver_register+0x50/0x64) +[ 2.100774] r5:c06f0718 r4:c06f0718 +[ 2.104437] [] (__platform_driver_register) from [] (spi_imx_driver_init+0x18/0x20) +[ 2.113884] [] (spi_imx_driver_init) from [] (do_one_initcall+0x88/0x1b0) +[ 2.122459] [] (do_one_initcall) from [] (kernel_init_freeable+0x17c/0x248) +[ 2.131182] r10:0000008f r9:c06d25d4 r8:c06d25e0 r7:c06b1528 r6:c071ff20 r5:00000006 +[ 2.139141] r4:c06ea994 +[ 2.141751] [] (kernel_init_freeable) from [] (kernel_init+0x10/0xec) +[ 2.149955] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:c0527ef0 +[ 2.157909] r4:00000000 +[ 2.160508] [] (kernel_init) from [] (ret_from_fork+0x14/0x3c) +[ 2.168099] r4:00000000 r3:c7842000 +[ 2.171755] Code: eb0b2dc2 e51b0020 e24bd01c e89da8f0 (e597300c) + +Cc: stable@vger.kernel.org # v4.4.x, v4.9.x +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index 5fe34a9df3e6b..179ad7c35ae33 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -91,7 +91,7 @@ struct gpio_desc *of_get_named_gpiod_flags(struct device_node *np, + &gg_data.gpiospec); + if (ret) { + pr_debug("%s: can't parse '%s' property of node '%s[%d]'\n", +- __func__, propname, 
np->full_name, index); ++ __func__, propname, np ? np->full_name : NULL, index); + return ERR_PTR(ret); + } + +-- +2.25.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 4990909cdb4..4c7cd165e99 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -52,3 +52,5 @@ usb-hso-check-for-return-value-in-hso_serial_common_create.patch vxlan-ensure-fdb-dump-is-performed-under-rcu.patch smack-fix-use-after-free-in-smk_write_relabel_self.patch tracepoint-mark-__tracepoint_string-s-__used.patch +udp-drop-corrupt-packets-earlier-to-avoid-data-corru.patch +gpio-fix-oops-resulting-from-calling-of_get_named_gp.patch diff --git a/queue-4.4/udp-drop-corrupt-packets-earlier-to-avoid-data-corru.patch b/queue-4.4/udp-drop-corrupt-packets-earlier-to-avoid-data-corru.patch new file mode 100644 index 00000000000..a994f3a818b --- /dev/null +++ b/queue-4.4/udp-drop-corrupt-packets-earlier-to-avoid-data-corru.patch 
@@ -0,0 +1,89 @@ +From 8b4d2b13de8bab2eb19d66cd15882d5627be8969 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 18:55:05 -0700 +Subject: udp: drop corrupt packets earlier to avoid data corruption + +From: Dexuan Cui + +The v4.4 stable kernel lacks this bugfix: +commit 327868212381 ("make skb_copy_datagram_msg() et.al. preserve ->msg_iter on error"). +As a result, the v4.4 kernel can deliver corrupt data to the application +when a corrupt UDP packet is closely followed by a valid UDP packet: the +same invocation of the recvmsg() syscall can deliver the corrupt packet's +UDP payload to the application with the UDP payload length and the +"from IP/Port" of the valid packet. + +Details: + +For a UDP packet longer than 76 bytes (see the v5.8-rc6 kernel's +include/linux/skbuff.h:3951), Linux delays the UDP checksum verification +until the application invokes the syscall recvmsg(). + +In the recvmsg() syscall handler, while Linux is copying the UDP payload +to the application's memory, it calculates the UDP checksum. If the +calculated checksum doesn't match the received checksum, Linux drops the +corrupt UDP packet, and then starts to process the next packet (if any), +and if the next packet is valid (i.e. the checksum is correct), Linux +will copy the valid UDP packet's payload to the application's receiver +buffer. + +The bug is: before Linux starts to copy the valid UDP packet, the data +structure used to track how many more bytes should be copied to the +application memory is not reset to what it was when the application just +entered the kernel by the syscall! Consequently, only a small portion or +none of the valid packet's payload is copied to the application's +receive buffer, and later when the application exits from the kernel, +actually most of the application's receive buffer contains the payload +of the corrupt packet while recvmsg() returns the length of the UDP +payload of the valid packet. 
+ +For the mainline kernel, the bug was fixed in commit 327868212381, +but unluckily the bugfix is only backported to v4.9+. It turns out +backporting 327868212381 to v4.4 means that some supporting patches +must be backported first, so the overall changes seem too big, so the +alternative is performs the csum validation earlier and drops the +corrupt packets earlier. + +Signed-off-by: Eric Dumazet +Signed-off-by: Dexuan Cui +Acked-by: Eric Dumazet +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 3 +-- + net/ipv6/udp.c | 6 ++---- + 2 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 5464fd2102302..0d9f9d6251245 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1589,8 +1589,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) + } + } + +- if (rcu_access_pointer(sk->sk_filter) && +- udp_lib_checksum_complete(skb)) ++ if (udp_lib_checksum_complete(skb)) + goto csum_error; + + if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) { +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 79c583004575a..be570cd7c9aed 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -686,10 +686,8 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) + } + } + +- if (rcu_access_pointer(sk->sk_filter)) { +- if (udp_lib_checksum_complete(skb)) +- goto csum_error; +- } ++ if (udp_lib_checksum_complete(skb)) ++ goto csum_error; + + if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) { + UDP6_INC_STATS_BH(sock_net(sk), +-- +2.25.1 + -- 2.47.3
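Review bot: In the drivers/gpio/gpiolib-of.c hunk, `np ? np->full_name : NULL` only makes the pr_debug() argument safe and relies on the kernel's %s handling printing "(null)" for a NULL pointer; a literal such as `np ? np->full_name : "<no node>"` would make the situation obvious in the log without depending on that. Since the subject line says the trigger is of_get_named_gpio(NULL, ...), consider also rejecting `!np` at the top of of_get_named_gpiod_flags() with `return ERR_PTR(-EINVAL);`, so callers get a clean error before of_parse_phandle_with_args() runs and any future use of `np` in the error path stays safe. The message already explains why no upstream commit id can be cited (7eb6ce2f2723 is not backportable); that is the justification stable reviewers will look for, so keep it.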
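Review bot: Removing `rcu_access_pointer(sk->sk_filter) &&` in the net/ipv4/udp.c hunk means every datagram whose checksum was not already verified by hardware is now checksummed in udp_queue_rcv_skb() (softirq context) instead of during the copy to user space in recvmsg(); the commit message should state this CPU trade-off explicitly, because deferring that work was the only reason the filter condition existed. Datagrams with CHECKSUM_UNNECESSARY are unaffected since udp_lib_checksum_complete() short-circuits for them. The upside for operators is that a corrupt datagram now takes the existing `csum_error` path at queue time, so whatever accounting that label performs is visible immediately rather than after the next recvmsg(), which is the place to look when diagnosing the described corruption on 4.4.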
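Review bot: The net/ipv6/udp.c hunk collapses the nested `if (rcu_access_pointer(sk->sk_filter)) { if (udp_lib_checksum_complete(skb)) goto csum_error; }` into one unconditional test, which correctly mirrors the IPv4 hunk; please say so in the commit message, since the body only describes the symptom in IPv4 terms ("from IP/Port") and a reader may otherwise wonder whether the IPv6 side was changed for the same reason. The original condition also guaranteed that a socket with a filter attached never had a corrupt payload reach the filter; the new form keeps that property and extends it to unfiltered sockets, which is worth one sentence in the message as well.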