From 733a2d88e31c380da12eb6dc62c91a3756b59030 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Mon, 28 Mar 2022 11:10:15 -0400
Subject: [PATCH] Fixes for 4.9
Signed-off-by: Sasha Levin
---
 ..._zero-flag-for-compose_sadb_supporte.patch | 43 +++++++++++++++
 ...e-the-coherent-when-failing-in-probi.patch | 47 ++++++++++++++++
 queue-4.9/series | 3 +
 ...sole-break-out-of-buf-poll-on-remove.patch | 55 +++++++++++++++++++
 4 files changed, 148 insertions(+)
 create mode 100644 queue-4.9/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch
 create mode 100644 queue-4.9/ethernet-sun-free-the-coherent-when-failing-in-probi.patch
 create mode 100644 queue-4.9/virtio_console-break-out-of-buf-poll-on-remove.patch
diff --git a/queue-4.9/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch b/queue-4.9/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch
new file mode 100644
index 00000000000..63bd3df9634
--- /dev/null
+++ b/queue-4.9/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch
@@ -0,0 +1,43 @@
+From cd3369427007c5f18a17e099133f8a678f70a69b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Mar 2022 11:20:28 +0800
+Subject: af_key: add __GFP_ZERO flag for compose_sadb_supported in function
+ pfkey_register
+
+From: Haimin Zhang
+
+[ Upstream commit 9a564bccb78a76740ea9d75a259942df8143d02c ]
+
+Add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
+to initialize the buffer of supp_skb to fix a kernel-info-leak issue.
+1) Function pfkey_register calls compose_sadb_supported to request
+a sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate
+a sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then
+compose_sadb_supported treats the memory as a struct sadb_supported and
+begins to initialize. But it just initializes the field sadb_supported_len
+and field sadb_supported_exttype without field sadb_supported_reserved.
+
+Reported-by: TCS Robot
+Signed-off-by: Haimin Zhang
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/key/af_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index adc93329e6aa..3f7e27c1aa83 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1726,7 +1726,7 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad
+
+ xfrm_probe_algs();
+
+- supp_skb = compose_sadb_supported(hdr, GFP_KERNEL);
++ supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO);
+ if (!supp_skb) {
+ if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC)
+ pfk->registered &= ~(1<sadb_msg_satype);
+--
+2.34.1
+
diff --git a/queue-4.9/ethernet-sun-free-the-coherent-when-failing-in-probi.patch b/queue-4.9/ethernet-sun-free-the-coherent-when-failing-in-probi.patch
new file mode 100644
index 00000000000..db9959e5560
--- /dev/null
+++ b/queue-4.9/ethernet-sun-free-the-coherent-when-failing-in-probi.patch
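Review bot: In the net/key/af_key.c change, the info-leak fix in pfkey_register depends on `__GFP_ZERO` being honoured for the skb data buffer that compose_sadb_supported allocates, and that allocation path is outside this hunk, so the 4.9 backport should be checked to confirm the payload is zeroed and not only the sk_buff head. The commit message names `sadb_supported_reserved` as the field left uninitialised; clearing it explicitly where the struct is filled in, e.g. `sp->sadb_supported_reserved = 0;` (with `sp` standing for whatever the local pointer is called there), would make the fix independent of allocator behaviour. A comment at the call such as `/* zeroed so reserved/padding bytes in the reply never carry stale heap data */` would also stop a later cleanup from dropping the flag. pfkey_register continues outside the hunk.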
@@ -0,0 +1,47 @@
+From 8db16c4128ba286da5e2ced0e0386cb7fbdf32cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 5 Mar 2022 14:55:04 +0000
+Subject: ethernet: sun: Free the coherent when failing in probing
+
+From: Zheyu Ma
+
+[ Upstream commit bb77bd31c281f70ec77c9c4f584950a779e05cf8 ]
+
+When the driver fails to register net device, it should free the DMA
+region first, and then do other cleanup.
+
+Signed-off-by: Zheyu Ma
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sun/sunhme.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sun/sunhme.c b/drivers/net/ethernet/sun/sunhme.c
+index cf4dcff051d5..b38106a7cb5d 100644
+--- a/drivers/net/ethernet/sun/sunhme.c
++++ b/drivers/net/ethernet/sun/sunhme.c
+@@ -3160,7 +3160,7 @@ static int happy_meal_pci_probe(struct pci_dev *pdev,
+ if (err) {
+ printk(KERN_ERR "happymeal(PCI): Cannot register net device, "
+ "aborting.\n");
+- goto err_out_iounmap;
++ goto err_out_free_coherent;
+ }
+
+ pci_set_drvdata(pdev, hp);
+@@ -3193,6 +3193,10 @@ static int happy_meal_pci_probe(struct pci_dev *pdev,
+
+ return 0;
+
++err_out_free_coherent:
++ dma_free_coherent(hp->dma_dev, PAGE_SIZE,
++ hp->happy_block, hp->hblock_dvma);
++
+ err_out_iounmap:
+ iounmap(hp->gregs);
+
+--
+2.34.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 8df3e8e8682..93adf578edc 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -1,3 +1,6 @@
 usb-serial-pl2303-add-ibm-device-ids.patch
 usb-serial-simple-add-nokia-phone-driver.patch
 netdevice-add-the-case-if-dev-is-null.patch
+virtio_console-break-out-of-buf-poll-on-remove.patch
+ethernet-sun-free-the-coherent-when-failing-in-probi.patch
+af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch
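Review bot: In the drivers/net/ethernet/sun/sunhme.c change, the new `err_out_free_coherent` label frees with `hp->dma_dev`, `PAGE_SIZE`, `hp->happy_block` and `hp->hblock_dvma`, but the matching allocation in happy_meal_pci_probe lies outside both hunks, so the backport should be compared with the 4.9 allocation call to confirm the same device and size are used there. The label also depends on falling through into `err_out_iounmap`; a one-line comment such as `/* falls through: unwind in reverse order of acquisition */` would protect that ordering if another error label is added later. In the visible lines only the register-net-device failure jumps to the new label, and the function body starts and ends outside the hunks.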
diff --git a/queue-4.9/virtio_console-break-out-of-buf-poll-on-remove.patch b/queue-4.9/virtio_console-break-out-of-buf-poll-on-remove.patch
new file mode 100644
index 00000000000..765dc68ec37
--- /dev/null
+++ b/queue-4.9/virtio_console-break-out-of-buf-poll-on-remove.patch
@@ -0,0 +1,55 @@
+From 6eaa046d4d4eddef9baaaa6fcb428be37b6f666e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Oct 2021 03:04:10 -0400
+Subject: virtio_console: break out of buf poll on remove
+
+From: Michael S. Tsirkin
+
+[ Upstream commit 0e7174b9d5877130fec41fb4a16e0c2ee4958d44 ]
+
+A common pattern for device reset is currently:
+vdev->config->reset(vdev);
+.. cleanup ..
+
+reset prevents new interrupts from arriving and waits for interrupt
+handlers to finish.
+
+However if - as is common - the handler queues a work request which is
+flushed during the cleanup stage, we have code adding buffers / trying
+to get buffers while device is reset. Not good.
+
+This was reproduced by running
+ modprobe virtio_console
+ modprobe -r virtio_console
+in a loop.
+
+Fix this up by calling virtio_break_device + flush before reset.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1786239
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Sasha Levin
+---
+ drivers/char/virtio_console.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
+index 2632b0fdb1b5..a6b6dc204c1f 100644
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -2004,6 +2004,13 @@ static void virtcons_remove(struct virtio_device *vdev)
+ list_del(&portdev->list);
+ spin_unlock_irq(&pdrvdata_lock);
+
++ /* Device is going away, exit any polling for buffers */
++ virtio_break_device(vdev);
++ if (use_multiport(portdev))
++ flush_work(&portdev->control_work);
++ else
++ flush_work(&portdev->config_work);
++
+ /* Disable interrupts for vqs */
+ vdev->config->reset(vdev);
+ /* Finish up work that's lined up */
+--
+2.34.1
+
--
2.47.3
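Review bot: In the drivers/char/virtio_console.c change, the added `flush_work()` calls in virtcons_remove run before `vdev->config->reset(vdev)`, so interrupts are still enabled at that point and a handler can presumably queue the work again after the flush returns. The change appears to rely on the broken-queue state set by `virtio_break_device(vdev)` together with the later "Finish up work that's lined up" step, which is outside the hunk, to make such late work harmless. The new comment only says polling should exit; I would expand it to something like `/* Mark vqs broken so buffer polling and any re-queued work bail out; the device is reset just below */` so the ordering is not undone by a later cleanup. virtcons_remove starts and ends outside the hunk.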