From b79e2601793b2f2ac460ae07897712ab043e28ef Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 28 Mar 2022 11:10:15 -0400 Subject: [PATCH] Fixes for 4.14 Signed-off-by: Sasha Levin --- ..._zero-flag-for-compose_sadb_supporte.patch | 43 ++++++++++++++ ...e-the-coherent-when-failing-in-probi.patch | 47 +++++++++++++++ queue-4.14/series | 5 ++ ...i-fix-erroneous-sgs-value-with-min_t.patch | 59 +++++++++++++++++++ queue-4.14/spi-fix-invalid-sgs-value.patch | 47 +++++++++++++++ ...sole-break-out-of-buf-poll-on-remove.patch | 55 +++++++++++++++++ 6 files changed, 256 insertions(+) create mode 100644 queue-4.14/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch create mode 100644 queue-4.14/ethernet-sun-free-the-coherent-when-failing-in-probi.patch create mode 100644 queue-4.14/spi-fix-erroneous-sgs-value-with-min_t.patch create mode 100644 queue-4.14/spi-fix-invalid-sgs-value.patch create mode 100644 queue-4.14/virtio_console-break-out-of-buf-poll-on-remove.patch diff --git a/queue-4.14/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch b/queue-4.14/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch new file mode 100644 index 00000000000..f1db6716aec --- /dev/null +++ b/queue-4.14/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch @@ -0,0 +1,43 @@ +From 8c0cfff62828f63373a4f8188d1d1c11176ef180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 11:20:28 +0800 +Subject: af_key: add __GFP_ZERO flag for compose_sadb_supported in function + pfkey_register + +From: Haimin Zhang + +[ Upstream commit 9a564bccb78a76740ea9d75a259942df8143d02c ] + +Add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register +to initialize the buffer of supp_skb to fix a kernel-info-leak issue. +1) Function pfkey_register calls compose_sadb_supported to request +a sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate +a sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then +compose_sadb_supported treats the memory as a struct sadb_supported and +begins to initialize. But it just initializes the field sadb_supported_len +and field sadb_supported_exttype without field sadb_supported_reserved. + +Reported-by: TCS Robot +Signed-off-by: Haimin Zhang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index a10336cd7f97..9b3756aa7ca2 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1709,7 +1709,7 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad + + xfrm_probe_algs(); + +- supp_skb = compose_sadb_supported(hdr, GFP_KERNEL); ++ supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO); + if (!supp_skb) { + if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC) + pfk->registered &= ~(1<sadb_msg_satype); +-- +2.34.1 + diff --git a/queue-4.14/ethernet-sun-free-the-coherent-when-failing-in-probi.patch b/queue-4.14/ethernet-sun-free-the-coherent-when-failing-in-probi.patch new file mode 100644 index 00000000000..5c3bdfaa38d --- /dev/null +++ b/queue-4.14/ethernet-sun-free-the-coherent-when-failing-in-probi.patch @@ -0,0 +1,47 @@ +From 85e4c7fbbc24189d74848820e6dc63b900d459ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 14:55:04 +0000 +Subject: ethernet: sun: Free the coherent when failing in probing + +From: Zheyu Ma + +[ Upstream commit bb77bd31c281f70ec77c9c4f584950a779e05cf8 ] + +When the driver fails to register net device, it should free the DMA +region first, and then do other cleanup. + +Signed-off-by: Zheyu Ma +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/sunhme.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sun/sunhme.c b/drivers/net/ethernet/sun/sunhme.c +index 9e983e1d8249..7522f277e912 100644 +--- a/drivers/net/ethernet/sun/sunhme.c ++++ b/drivers/net/ethernet/sun/sunhme.c +@@ -3165,7 +3165,7 @@ static int happy_meal_pci_probe(struct pci_dev *pdev, + if (err) { + printk(KERN_ERR "happymeal(PCI): Cannot register net device, " + "aborting.\n"); +- goto err_out_iounmap; ++ goto err_out_free_coherent; + } + + pci_set_drvdata(pdev, hp); +@@ -3198,6 +3198,10 @@ static int happy_meal_pci_probe(struct pci_dev *pdev, + + return 0; + ++err_out_free_coherent: ++ dma_free_coherent(hp->dma_dev, PAGE_SIZE, ++ hp->happy_block, hp->hblock_dvma); ++ + err_out_iounmap: + iounmap(hp->gregs); + +-- +2.34.1 + diff --git a/queue-4.14/series b/queue-4.14/series index c276d554964..9a7065bc1c8 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -2,3 +2,8 @@ usb-serial-pl2303-add-ibm-device-ids.patch usb-serial-simple-add-nokia-phone-driver.patch hv-utils-add-ptp_1588_clock-to-kconfig-to-fix-build.patch netdevice-add-the-case-if-dev-is-null.patch +virtio_console-break-out-of-buf-poll-on-remove.patch +ethernet-sun-free-the-coherent-when-failing-in-probi.patch +spi-fix-invalid-sgs-value.patch +spi-fix-erroneous-sgs-value-with-min_t.patch +af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch diff --git a/queue-4.14/spi-fix-erroneous-sgs-value-with-min_t.patch b/queue-4.14/spi-fix-erroneous-sgs-value-with-min_t.patch new file mode 100644 index 00000000000..44cdbc61383 --- /dev/null +++ b/queue-4.14/spi-fix-erroneous-sgs-value-with-min_t.patch @@ -0,0 +1,59 @@ +From fc3b3f4213f419338f4d39bd058b674a00751619 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 17:53:17 +0000 +Subject: spi: Fix erroneous sgs value with min_t() + +From: Biju Das + +[ Upstream commit ebc4cb43ea5ada3db46c80156fca58a54b9bbca8 ] + +While computing sgs in spi_map_buf(), the data type +used in min_t() for max_seg_size is 'unsigned int' where +as that of ctlr->max_dma_len is 'size_t'. + +min_t(unsigned int,x,y) gives wrong results if one of x/y is +'size_t' + +Consider the below examples on a 64-bit machine (ie size_t is +64-bits, and unsigned int is 32-bit). + case 1) min_t(unsigned int, 5, 0x100000001); + case 2) min_t(size_t, 5, 0x100000001); + +Case 1 returns '1', where as case 2 returns '5'. As you can see +the result from case 1 is wrong. + +This patch fixes the above issue by using the data type of the +parameters that are used in min_t with maximum data length. + +Fixes: commit 1a4e53d2fc4f68aa ("spi: Fix invalid sgs value") +Reported-by: Linus Torvalds +Suggested-by: Geert Uytterhoeven +Signed-off-by: Biju Das +Reviewed-by: Lad Prabhakar +Link: https://lore.kernel.org/r/20220316175317.465-1-biju.das.jz@bp.renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index d26aefed16ac..1031c8e38144 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -774,10 +774,10 @@ static int spi_map_buf(struct spi_controller *ctlr, struct device *dev, + int i, ret; + + if (vmalloced_buf || kmap_buf) { +- desc_len = min_t(unsigned int, max_seg_size, PAGE_SIZE); ++ desc_len = min_t(unsigned long, max_seg_size, PAGE_SIZE); + sgs = DIV_ROUND_UP(len + offset_in_page(buf), desc_len); + } else if (virt_addr_valid(buf)) { +- desc_len = min_t(unsigned int, max_seg_size, ctlr->max_dma_len); ++ desc_len = min_t(size_t, max_seg_size, ctlr->max_dma_len); + sgs = DIV_ROUND_UP(len, desc_len); + } else { + return -EINVAL; +-- +2.34.1 + diff --git a/queue-4.14/spi-fix-invalid-sgs-value.patch b/queue-4.14/spi-fix-invalid-sgs-value.patch new file mode 100644 index 00000000000..f5584a11555 --- /dev/null +++ b/queue-4.14/spi-fix-invalid-sgs-value.patch @@ -0,0 +1,47 @@ +From e7caf06210dd2de847f94ee4525e71bb4b2f6fd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 18:48:43 +0000 +Subject: spi: Fix invalid sgs value + +From: Biju Das + +[ Upstream commit 1a4e53d2fc4f68aa654ad96d13ad042e1a8e8a7d ] + +max_seg_size is unsigned int and it can have a value up to 2^32 +(for eg:-RZ_DMAC driver sets dma_set_max_seg_size as U32_MAX) +When this value is used in min_t() as an integer type, it becomes +-1 and the value of sgs becomes 0. + +Fix this issue by replacing the 'int' data type with 'unsigned int' +in min_t(). + +Signed-off-by: Biju Das +Reviewed-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20220307184843.9994-1-biju.das.jz@bp.renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index 71f74015efb9..d26aefed16ac 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -774,10 +774,10 @@ static int spi_map_buf(struct spi_controller *ctlr, struct device *dev, + int i, ret; + + if (vmalloced_buf || kmap_buf) { +- desc_len = min_t(int, max_seg_size, PAGE_SIZE); ++ desc_len = min_t(unsigned int, max_seg_size, PAGE_SIZE); + sgs = DIV_ROUND_UP(len + offset_in_page(buf), desc_len); + } else if (virt_addr_valid(buf)) { +- desc_len = min_t(int, max_seg_size, ctlr->max_dma_len); ++ desc_len = min_t(unsigned int, max_seg_size, ctlr->max_dma_len); + sgs = DIV_ROUND_UP(len, desc_len); + } else { + return -EINVAL; +-- +2.34.1 + diff --git a/queue-4.14/virtio_console-break-out-of-buf-poll-on-remove.patch b/queue-4.14/virtio_console-break-out-of-buf-poll-on-remove.patch new file mode 100644 index 00000000000..521cb91688c --- /dev/null +++ b/queue-4.14/virtio_console-break-out-of-buf-poll-on-remove.patch @@ -0,0 +1,55 @@ +From d7d8910150ce158b57b6cf2546966ed4e165b873 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 03:04:10 -0400 +Subject: virtio_console: break out of buf poll on remove + +From: Michael S. Tsirkin + +[ Upstream commit 0e7174b9d5877130fec41fb4a16e0c2ee4958d44 ] + +A common pattern for device reset is currently: +vdev->config->reset(vdev); +.. cleanup .. + +reset prevents new interrupts from arriving and waits for interrupt +handlers to finish. + +However if - as is common - the handler queues a work request which is +flushed during the cleanup stage, we have code adding buffers / trying +to get buffers while device is reset. Not good. + +This was reproduced by running + modprobe virtio_console + modprobe -r virtio_console +in a loop. + +Fix this up by calling virtio_break_device + flush before reset. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1786239 +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/char/virtio_console.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index 0fb3a8e62e62..2140d401523f 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -2001,6 +2001,13 @@ static void virtcons_remove(struct virtio_device *vdev) + list_del(&portdev->list); + spin_unlock_irq(&pdrvdata_lock); + ++ /* Device is going away, exit any polling for buffers */ ++ virtio_break_device(vdev); ++ if (use_multiport(portdev)) ++ flush_work(&portdev->control_work); ++ else ++ flush_work(&portdev->config_work); ++ + /* Disable interrupts for vqs */ + vdev->config->reset(vdev); + /* Finish up work that's lined up */ +-- +2.34.1 + -- 2.47.3