From 607c2f4b1d17b53220f6e6bbeb62b5edd0de7537 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 2 Sep 2022 00:23:52 -0400
Subject: [PATCH] Fixes for 4.19
Signed-off-by: Sasha Levin
---
...clear-optc-underflow-before-turn-off.patch | 45 ++++++
...le-dos-due-to-net-iface-start-stop-l.patch | 129 ++++++++++++++++++
...ack-nf_conntrack_procfs-should-no-lo.patch | 36 +++++
...-hypfs-avoid-error-message-under-kvm.patch | 60 ++++++++
queue-4.19/series | 4 +
5 files changed, 274 insertions(+)
create mode 100644 queue-4.19/drm-amd-display-clear-optc-underflow-before-turn-off.patch
create mode 100644 queue-4.19/neigh-fix-possible-dos-due-to-net-iface-start-stop-l.patch
create mode 100644 queue-4.19/netfilter-conntrack-nf_conntrack_procfs-should-no-lo.patch
create mode 100644 queue-4.19/s390-hypfs-avoid-error-message-under-kvm.patch
diff --git a/queue-4.19/drm-amd-display-clear-optc-underflow-before-turn-off.patch b/queue-4.19/drm-amd-display-clear-optc-underflow-before-turn-off.patch
new file mode 100644
index 00000000000..d3fae245369
--- /dev/null
+++ b/queue-4.19/drm-amd-display-clear-optc-underflow-before-turn-off.patch
@@ -0,0 +1,45 @@
+From 03662eccd8b3e068f1357d17de7e6a82a00e9057 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 27 Jul 2022 12:01:29 +0800
+Subject: drm/amd/display: clear optc underflow before turn off odm clock
+
+From: Fudong Wang
+
+[ Upstream commit b2a93490201300a749ad261b5c5d05cb50179c44 ]
+
+[Why]
+After ODM clock off, optc underflow bit will be kept there always and clear not work.
+We need to clear that before clock off.
+
+[How]
+Clear that if have when clock off.
+
+Reviewed-by: Alvin Lee
+Acked-by: Tom Chung
+Signed-off-by: Fudong Wang
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c
+index 411f89218e019..cb5c44b339e09 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c
+@@ -452,6 +452,11 @@ void optc1_enable_optc_clock(struct timing_generator *optc, bool enable)
+ OTG_CLOCK_ON, 1,
+ 1, 1000);
+ } else {
++
++ //last chance to clear underflow, otherwise, it will always there due to clock is off.
++ if (optc->funcs->is_optc_underflow_occurred(optc) == true)
++ optc->funcs->clear_optc_underflow(optc);
++
+ REG_UPDATE_2(OTG_CLOCK_CONTROL,
+ OTG_CLOCK_GATE_DIS, 0,
+ OTG_CLOCK_EN, 0);
+--
+2.35.1
+
diff --git a/queue-4.19/neigh-fix-possible-dos-due-to-net-iface-start-stop-l.patch b/queue-4.19/neigh-fix-possible-dos-due-to-net-iface-start-stop-l.patch
new file mode 100644
index 00000000000..e350adda0fa
--- /dev/null
+++ b/queue-4.19/neigh-fix-possible-dos-due-to-net-iface-start-stop-l.patch
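Review bot: The block added to the `else` branch of `optc1_enable_optc_clock()` (drm-amd-display patch) calls `optc->funcs->is_optc_underflow_occurred` and `optc->funcs->clear_optc_underflow` without checking that either callback is set; whether every timing generator that reaches this function in the 4.19 tree populates both is not visible from the hunk and is worth confirming for the backport. On style, the `== true` comparison is redundant, so the test can read `if (optc->funcs->is_optc_underflow_occurred(optc))`, and the comment would be clearer as `/* Last chance to clear underflow: once the clock is off the bit stays set and cannot be cleared. */`. The function body starts before the hunk.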
@@ -0,0 +1,129 @@
+From 9d94749f9f8c70e7dfdbc2b5b7951c82a88f1397 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Aug 2022 18:20:11 +0300
+Subject: neigh: fix possible DoS due to net iface start/stop loop
+
+From: Denis V. Lunev
+
+[ Upstream commit 66ba215cb51323e4e55e38fd5f250e0fae0cbc94 ]
+
+Normal processing of ARP request (usually this is Ethernet broadcast
+packet) coming to the host is looking like the following:
+* the packet comes to arp_process() call and is passed through routing
+ procedure
+* the request is put into the queue using pneigh_enqueue() if
+ corresponding ARP record is not local (common case for container
+ records on the host)
+* the request is processed by timer (within 80 jiffies by default) and
+ ARP reply is sent from the same arp_process() using
+ NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED condition (flag is set inside
+ pneigh_enqueue())
+
+And here the problem comes. Linux kernel calls pneigh_queue_purge()
+which destroys the whole queue of ARP requests on ANY network interface
+start/stop event through __neigh_ifdown().
+
+This is actually not a problem within the original world as network
+interface start/stop was accessible to the host 'root' only, which
+could do more destructive things. But the world is changed and there
+are Linux containers available. Here container 'root' has an access
+to this API and could be considered as untrusted user in the hosting
+(container's) world.
+
+Thus there is an attack vector to other containers on node when
+container's root will endlessly start/stop interfaces. We have observed
+similar situation on a real production node when docker container was
+doing such activity and thus other containers on the node become not
+accessible.
+
+The patch proposed doing very simple thing. It drops only packets from
+the same namespace in the pneigh_queue_purge() where network interface
+state change is detected.
This is enough to prevent the problem for the
+whole node preserving original semantics of the code.
+
+v2:
+ - do del_timer_sync() if queue is empty after pneigh_queue_purge()
+v3:
+ - rebase to net tree
+
+Cc: "David S. Miller"
+Cc: Eric Dumazet
+Cc: Jakub Kicinski
+Cc: Paolo Abeni
+Cc: Daniel Borkmann
+Cc: David Ahern
+Cc: Yajun Deng
+Cc: Roopa Prabhu
+Cc: Christian Brauner
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Alexey Kuznetsov
+Cc: Alexander Mikhalitsyn
+Cc: Konstantin Khorenko
+Cc: kernel@openvz.org
+Cc: devel@openvz.org
+Investigated-by: Alexander Mikhalitsyn
+Signed-off-by: Denis V. Lunev
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/neighbour.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 6233e9856016e..65e80aaa09481 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -224,14 +224,23 @@ static int neigh_del_timer(struct neighbour *n)
+ return 0;
+ }
+
+-static void pneigh_queue_purge(struct sk_buff_head *list)
++static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net)
+ {
++ unsigned long flags;
+ struct sk_buff *skb;
+
+- while ((skb = skb_dequeue(list)) != NULL) {
+- dev_put(skb->dev);
+- kfree_skb(skb);
++ spin_lock_irqsave(&list->lock, flags);
++ skb = skb_peek(list);
++ while (skb != NULL) {
++ struct sk_buff *skb_next = skb_peek_next(skb, list);
++ if (net == NULL || net_eq(dev_net(skb->dev), net)) {
++ __skb_unlink(skb, list);
++ dev_put(skb->dev);
++ kfree_skb(skb);
++ }
++ skb = skb_next;
+ }
++ spin_unlock_irqrestore(&list->lock, flags);
+ }
+
+ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev)
+@@ -297,9 +306,9 @@ int neigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
+ write_lock_bh(&tbl->lock);
+ neigh_flush_dev(tbl, dev);
+ pneigh_ifdown_and_unlock(tbl, dev);
+-
+- del_timer_sync(&tbl->proxy_timer);
+-
pneigh_queue_purge(&tbl->proxy_queue);
++ pneigh_queue_purge(&tbl->proxy_queue, dev_net(dev));
++ if (skb_queue_empty_lockless(&tbl->proxy_queue))
++ del_timer_sync(&tbl->proxy_timer);
+ return 0;
+ }
+ EXPORT_SYMBOL(neigh_ifdown);
+@@ -1614,7 +1623,7 @@ int neigh_table_clear(int index, struct neigh_table *tbl)
+ /* It is not clean... Fix it to unload IPv6 module safely */
+ cancel_delayed_work_sync(&tbl->gc_work);
+ del_timer_sync(&tbl->proxy_timer);
+- pneigh_queue_purge(&tbl->proxy_queue);
++ pneigh_queue_purge(&tbl->proxy_queue, NULL);
+ neigh_ifdown(tbl, NULL);
+ if (atomic_read(&tbl->entries))
+ pr_crit("neighbour leakage\n");
+--
+2.35.1
+
diff --git a/queue-4.19/netfilter-conntrack-nf_conntrack_procfs-should-no-lo.patch b/queue-4.19/netfilter-conntrack-nf_conntrack_procfs-should-no-lo.patch
new file mode 100644
index 00000000000..ca17afd2794
--- /dev/null
+++ b/queue-4.19/netfilter-conntrack-nf_conntrack_procfs-should-no-lo.patch
@@ -0,0 +1,36 @@
+From 82b4cb31a5093f79b705b2824ac9f324e2c7b580 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Aug 2022 12:39:20 +0200
+Subject: netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to
+ y
+
+From: Geert Uytterhoeven
+
+[ Upstream commit aa5762c34213aba7a72dc58e70601370805fa794 ]
+
+NF_CONNTRACK_PROCFS was marked obsolete in commit 54b07dca68557b09
+("netfilter: provide config option to disable ancient procfs parts") in
+v3.3.
+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
+index 56cddadb65d0c..92e0514f624fa 100644
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -117,7 +117,6 @@ config NF_CONNTRACK_ZONES
+
+ config NF_CONNTRACK_PROCFS
+ bool "Supply CT list in procfs (OBSOLETE)"
+- default y
+ depends on PROC_FS
+ ---help---
+ This option enables for the list of known conntrack entries
+--
+2.35.1
+
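Review bot: In the `neigh_ifdown()` hunk of the net/core/neighbour.c patch, `dev_net(dev)` is evaluated unconditionally, yet the `neigh_table_clear()` hunk of the same patch still calls `neigh_ifdown(tbl, NULL)`, so table teardown would dereference a NULL device wherever dev_net() reads through the pointer (presumably network-namespace builds). Guarding the argument, `pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL);`, keeps the purge-everything meaning that `net == NULL` already has in the new loop. Separately, the rewritten `pneigh_queue_purge()` runs `dev_put()` and `kfree_skb()` inside the `spin_lock_irqsave()` section, and kfree_skb() is not meant to be called with hard interrupts disabled. The matching entries can be moved to a local list under the lock and released after `spin_unlock_irqrestore()`, as sketched below.

```c
static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net)
{
	struct sk_buff_head tmp;
	/* … unchanged: flags and skb declarations … */

	skb_queue_head_init(&tmp);
	/* … unchanged: spin_lock_irqsave() and the skb_peek()/skb_peek_next() walk … */
		if (net == NULL || net_eq(dev_net(skb->dev), net)) {
			__skb_unlink(skb, list);
			__skb_queue_tail(&tmp, skb);
		}
	/* … unchanged: advance to skb_next, spin_unlock_irqrestore() … */

	/* Drop the device references and free the skbs with interrupts enabled again. */
	while ((skb = __skb_dequeue(&tmp)) != NULL) {
		dev_put(skb->dev);
		kfree_skb(skb);
	}
}
```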
diff --git a/queue-4.19/s390-hypfs-avoid-error-message-under-kvm.patch b/queue-4.19/s390-hypfs-avoid-error-message-under-kvm.patch
new file mode 100644
index 00000000000..fbd8f01fc7e
--- /dev/null
+++ b/queue-4.19/s390-hypfs-avoid-error-message-under-kvm.patch
@@ -0,0 +1,60 @@
+From 5be09296c5e64e2239177284e589bebbb1486d19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Jun 2022 11:45:34 +0200
+Subject: s390/hypfs: avoid error message under KVM
+
+From: Juergen Gross
+
+[ Upstream commit 7b6670b03641ac308aaa6fa2e6f964ac993b5ea3 ]
+
+When booting under KVM the following error messages are issued:
+
+hypfs.7f5705: The hardware system does not support hypfs
+hypfs.7a79f0: Initialization of hypfs failed with rc=-61
+
+Demote the severity of first message from "error" to "info" and issue
+the second message only in other error cases.
+
+Signed-off-by: Juergen Gross
+Acked-by: Heiko Carstens
+Acked-by: Christian Borntraeger
+Link: https://lore.kernel.org/r/20220620094534.18967-1-jgross@suse.com
+[arch/s390/hypfs/hypfs_diag.c changed description]
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Sasha Levin
+---
+ arch/s390/hypfs/hypfs_diag.c | 2 +-
+ arch/s390/hypfs/inode.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/hypfs/hypfs_diag.c b/arch/s390/hypfs/hypfs_diag.c
+index 3452e18bb1ca8..38105ba35c814 100644
+--- a/arch/s390/hypfs/hypfs_diag.c
++++ b/arch/s390/hypfs/hypfs_diag.c
+@@ -437,7 +437,7 @@ __init int hypfs_diag_init(void)
+ int rc;
+
+ if (diag204_probe()) {
+- pr_err("The hardware system does not support hypfs\n");
++ pr_info("The hardware system does not support hypfs\n");
+ return -ENODATA;
+ }
+ if (diag204_info_type == DIAG204_INFO_EXT) {
+diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c
+index e4d17d9ea93d8..4af5c0dd9fbe2 100644
+--- a/arch/s390/hypfs/inode.c
++++ b/arch/s390/hypfs/inode.c
+@@ -494,9 +494,9 @@ static int __init hypfs_init(void)
+ hypfs_vm_exit();
+ fail_hypfs_diag_exit:
+ hypfs_diag_exit();
++ pr_err("Initialization of hypfs failed with rc=%i\n", rc);
+ fail_dbfs_exit:
+ hypfs_dbfs_exit();
+- pr_err("Initialization of hypfs failed with rc=%i\n", rc);
+ return rc;
+ }
+ device_initcall(hypfs_init)
+--
+2.35.1
+
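Review bot: Moving `pr_err("Initialization of hypfs failed with rc=%i\n", rc);` above the `fail_dbfs_exit:` label in `hypfs_init()` silences every failure that jumps to that label, not only the KVM probe case the message is meant to suppress. The visible part of `hypfs_diag_init()` continues past the `diag204_probe()` check, so if it can fail later for another reason (its remaining body and the `goto` sites are outside the hunk), that failure would now leave no error-level trace in the log. Keeping the message at the end and skipping it only for the probe result, for example `if (rc != -ENODATA) pr_err("Initialization of hypfs failed with rc=%i\n", rc);`, would preserve the diagnostic, provided callers do not map other errors to -ENODATA as well.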
diff --git a/queue-4.19/series b/queue-4.19/series
index db8e7b24f41..999a886c622 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -48,3 +48,7 @@ hid-hidraw-fix-memory-leak-in-hidraw_release.patch
 fbdev-fb_pm2fb-avoid-potential-divide-by-zero-error.patch
 ftrace-fix-null-pointer-dereference-in-is_ftrace_trampoline-when-ftrace-is-dead.patch
 mm-rmap-fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch
+drm-amd-display-clear-optc-underflow-before-turn-off.patch
+neigh-fix-possible-dos-due-to-net-iface-start-stop-l.patch
+s390-hypfs-avoid-error-message-under-kvm.patch
+netfilter-conntrack-nf_conntrack_procfs-should-no-lo.patch
--
2.47.3