From c067c3cbcc55b371d2bb54382d892eb701288c01 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 26 Oct 2024 03:36:47 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...fix-potential-memory-leak-in-be_xmit.patch | 61 +++++++++++++++++++ ...r-add-r8a774b1-sysc-power-domain-def.patch | 57 +++++++++++++++++ ...-fix-use-after-free-in-taprio_change.patch | 45 ++++++++++++++ ...ix-potential-memory-leak-in-sun3_825.patch | 37 +++++++++++ .../net-usb-usbnet-fix-name-regression.patch | 46 ++++++++++++++ ...x-clock-fix-unbalanced-locking-in-pc.patch | 58 ++++++++++++++++++ .../r8169-avoid-unsolicited-interrupts.patch | 49 +++++++++++++++ queue-5.4/series | 7 +++ 8 files changed, 360 insertions(+) create mode 100644 queue-5.4/be2net-fix-potential-memory-leak-in-be_xmit.patch create mode 100644 queue-5.4/dt-bindings-power-add-r8a774b1-sysc-power-domain-def.patch create mode 100644 queue-5.4/net-sched-fix-use-after-free-in-taprio_change.patch create mode 100644 queue-5.4/net-sun3_82586-fix-potential-memory-leak-in-sun3_825.patch create mode 100644 queue-5.4/net-usb-usbnet-fix-name-regression.patch create mode 100644 queue-5.4/posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch create mode 100644 queue-5.4/r8169-avoid-unsolicited-interrupts.patch diff --git a/queue-5.4/be2net-fix-potential-memory-leak-in-be_xmit.patch b/queue-5.4/be2net-fix-potential-memory-leak-in-be_xmit.patch new file mode 100644 index 00000000000..19cc70dda98 --- /dev/null +++ b/queue-5.4/be2net-fix-potential-memory-leak-in-be_xmit.patch @@ -0,0 +1,61 @@ +From 8ffd15a20d01b67ece27b1c3b00436310659a7f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 22:48:02 +0800 +Subject: be2net: fix potential memory leak in be_xmit() + +From: Wang Hai + +[ Upstream commit e4dd8bfe0f6a23acd305f9b892c00899089bd621 ] + +The be_xmit() returns NETDEV_TX_OK without freeing skb +in case of be_xmit_enqueue() fails, add dev_kfree_skb_any() to fix it. + +Fixes: 760c295e0e8d ("be2net: Support for OS2BMC.") +Signed-off-by: Wang Hai +Reviewed-by: Simon Horman +Reviewed-by: Kalesh AP +Message-ID: <20241015144802.12150-1-wanghai38@huawei.com> +Signed-off-by: Andrew Lunn +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index a7a3e2ee06768..51dddf63d40f7 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -1383,10 +1383,8 @@ static netdev_tx_t be_xmit(struct sk_buff *skb, struct net_device *netdev) + be_get_wrb_params_from_skb(adapter, skb, &wrb_params); + + wrb_cnt = be_xmit_enqueue(adapter, txo, skb, &wrb_params); +- if (unlikely(!wrb_cnt)) { +- dev_kfree_skb_any(skb); +- goto drop; +- } ++ if (unlikely(!wrb_cnt)) ++ goto drop_skb; + + /* if os2bmc is enabled and if the pkt is destined to bmc, + * enqueue the pkt a 2nd time with mgmt bit set. +@@ -1395,7 +1393,7 @@ static netdev_tx_t be_xmit(struct sk_buff *skb, struct net_device *netdev) + BE_WRB_F_SET(wrb_params.features, OS2BMC, 1); + wrb_cnt = be_xmit_enqueue(adapter, txo, skb, &wrb_params); + if (unlikely(!wrb_cnt)) +- goto drop; ++ goto drop_skb; + else + skb_get(skb); + } +@@ -1409,6 +1407,8 @@ static netdev_tx_t be_xmit(struct sk_buff *skb, struct net_device *netdev) + be_xmit_flush(adapter, txo); + + return NETDEV_TX_OK; ++drop_skb: ++ dev_kfree_skb_any(skb); + drop: + tx_stats(txo)->tx_drv_drops++; + /* Flush the already enqueued tx requests */ +-- +2.43.0 + diff --git a/queue-5.4/dt-bindings-power-add-r8a774b1-sysc-power-domain-def.patch b/queue-5.4/dt-bindings-power-add-r8a774b1-sysc-power-domain-def.patch new file mode 100644 index 00000000000..1d26e28d8ac --- /dev/null +++ b/queue-5.4/dt-bindings-power-add-r8a774b1-sysc-power-domain-def.patch @@ -0,0 +1,57 @@ +From 578bd0a3851ba5352f529adbee00bf943c7ba22b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2019 07:52:06 +0100 +Subject: dt-bindings: power: Add r8a774b1 SYSC power domain definitions + +From: Biju Das + +[ Upstream commit be67c41781cb4c06a4acb0b92db0cbb728e955e2 ] + +This patch adds power domain indices for the RZ/G2N (a.k.a r8a774b1) +SoC. + +Signed-off-by: Biju Das +Link: https://lore.kernel.org/r/1567666326-27373-1-git-send-email-biju.das@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Stable-dep-of: 8a7d12d674ac ("net: usb: usbnet: fix name regression") +Signed-off-by: Sasha Levin +--- + include/dt-bindings/power/r8a774b1-sysc.h | 26 +++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + create mode 100644 include/dt-bindings/power/r8a774b1-sysc.h + +diff --git a/include/dt-bindings/power/r8a774b1-sysc.h b/include/dt-bindings/power/r8a774b1-sysc.h +new file mode 100644 +index 0000000000000..373736402f048 +--- /dev/null ++++ b/include/dt-bindings/power/r8a774b1-sysc.h +@@ -0,0 +1,26 @@ ++/* SPDX-License-Identifier: GPL-2.0 ++ * ++ * Copyright (C) 2019 Renesas Electronics Corp. ++ */ ++#ifndef __DT_BINDINGS_POWER_R8A774B1_SYSC_H__ ++#define __DT_BINDINGS_POWER_R8A774B1_SYSC_H__ ++ ++/* ++ * These power domain indices match the numbers of the interrupt bits ++ * representing the power areas in the various Interrupt Registers ++ * (e.g. SYSCISR, Interrupt Status Register) ++ */ ++ ++#define R8A774B1_PD_CA57_CPU0 0 ++#define R8A774B1_PD_CA57_CPU1 1 ++#define R8A774B1_PD_A3VP 9 ++#define R8A774B1_PD_CA57_SCU 12 ++#define R8A774B1_PD_A3VC 14 ++#define R8A774B1_PD_3DG_A 17 ++#define R8A774B1_PD_3DG_B 18 ++#define R8A774B1_PD_A2VC1 26 ++ ++/* Always-on power area */ ++#define R8A774B1_PD_ALWAYS_ON 32 ++ ++#endif /* __DT_BINDINGS_POWER_R8A774B1_SYSC_H__ */ +-- +2.43.0 + diff --git a/queue-5.4/net-sched-fix-use-after-free-in-taprio_change.patch b/queue-5.4/net-sched-fix-use-after-free-in-taprio_change.patch new file mode 100644 index 00000000000..34fe1d635dd --- /dev/null +++ b/queue-5.4/net-sched-fix-use-after-free-in-taprio_change.patch @@ -0,0 +1,45 @@ +From b1b87ba7de0e0a4521dc5f6ec0929caf7e9c5eec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2024 08:13:38 +0300 +Subject: net: sched: fix use-after-free in taprio_change() + +From: Dmitry Antipov + +[ Upstream commit f504465970aebb2467da548f7c1efbbf36d0f44b ] + +In 'taprio_change()', 'admin' pointer may become dangling due to sched +switch / removal caused by 'advance_sched()', and critical section +protected by 'q->current_entry_lock' is too small to prevent from such +a scenario (which causes use-after-free detected by KASAN). Fix this +by prefer 'rcu_replace_pointer()' over 'rcu_assign_pointer()' to update +'admin' immediately before an attempt to schedule freeing. + +Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule") +Reported-by: syzbot+b65e0af58423fc8a73aa@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa +Acked-by: Vinicius Costa Gomes +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20241018051339.418890-1-dmantipov@yandex.ru +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_taprio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index b8e26013bd75f..8fccb30e3ee9b 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -1591,7 +1591,8 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt, + + taprio_start_sched(sch, start, new_admin); + +- rcu_assign_pointer(q->admin_sched, new_admin); ++ admin = rcu_replace_pointer(q->admin_sched, new_admin, ++ lockdep_rtnl_is_held()); + if (admin) + call_rcu(&admin->rcu, taprio_free_sched_cb); + +-- +2.43.0 + diff --git a/queue-5.4/net-sun3_82586-fix-potential-memory-leak-in-sun3_825.patch b/queue-5.4/net-sun3_82586-fix-potential-memory-leak-in-sun3_825.patch new file mode 100644 index 00000000000..16a302d42d0 --- /dev/null +++ b/queue-5.4/net-sun3_82586-fix-potential-memory-leak-in-sun3_825.patch @@ -0,0 +1,37 @@ +From d7a678cca0f7b0b5695343c0a2d7827f82378c3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 22:41:48 +0800 +Subject: net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() + +From: Wang Hai + +[ Upstream commit 2cb3f56e827abb22c4168ad0c1bbbf401bb2f3b8 ] + +The sun3_82586_send_packet() returns NETDEV_TX_OK without freeing skb +in case of skb->len being too long, add dev_kfree_skb() to fix it. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Wang Hai +Reviewed-by: Simon Horman +Message-ID: <20241015144148.7918-1-wanghai38@huawei.com> +Signed-off-by: Andrew Lunn +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/i825xx/sun3_82586.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/i825xx/sun3_82586.c b/drivers/net/ethernet/i825xx/sun3_82586.c +index e0c9fee4e1e65..7948d59b96282 100644 +--- a/drivers/net/ethernet/i825xx/sun3_82586.c ++++ b/drivers/net/ethernet/i825xx/sun3_82586.c +@@ -1015,6 +1015,7 @@ sun3_82586_send_packet(struct sk_buff *skb, struct net_device *dev) + if(skb->len > XMIT_BUFF_SIZE) + { + printk("%s: Sorry, max. framelength is %d bytes. The length of your frame is %d bytes.\n",dev->name,XMIT_BUFF_SIZE,skb->len); ++ dev_kfree_skb(skb); + return NETDEV_TX_OK; + } + +-- +2.43.0 + diff --git a/queue-5.4/net-usb-usbnet-fix-name-regression.patch b/queue-5.4/net-usb-usbnet-fix-name-regression.patch new file mode 100644 index 00000000000..2c9fa2f1270 --- /dev/null +++ b/queue-5.4/net-usb-usbnet-fix-name-regression.patch @@ -0,0 +1,46 @@ +From 908619874dd450b7eafd115c5e04c037e6c414d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2024 09:18:37 +0200 +Subject: net: usb: usbnet: fix name regression + +From: Oliver Neukum + +[ Upstream commit 8a7d12d674ac6f2147c18f36d1e15f1a48060edf ] + +The fix for MAC addresses broke detection of the naming convention +because it gave network devices no random MAC before bind() +was called. This means that the check for the local assignment bit +was always negative as the address was zeroed from allocation, +instead of from overwriting the MAC with a unique hardware address. + +The correct check for whether bind() has altered the MAC is +done with is_zero_ether_addr + +Signed-off-by: Oliver Neukum +Reported-by: Greg Thelen +Diagnosed-by: John Sperbeck +Fixes: bab8eb0dd4cb9 ("usbnet: modern method to get random MAC") +Link: https://patch.msgid.link/20241017071849.389636-1-oneukum@suse.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/usbnet.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 240511b4246db..7439f4ab72c57 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1735,7 +1735,8 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + // can rename the link if it knows better. + if ((dev->driver_info->flags & FLAG_ETHER) != 0 && + ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 || +- (net->dev_addr [0] & 0x02) == 0)) ++ /* somebody touched it*/ ++ !is_zero_ether_addr(net->dev_addr))) + strscpy(net->name, "eth%d", sizeof(net->name)); + /* WLAN devices should always be named "wlan%d" */ + if ((dev->driver_info->flags & FLAG_WLAN) != 0) +-- +2.43.0 + diff --git a/queue-5.4/posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch b/queue-5.4/posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch new file mode 100644 index 00000000000..0ce614ac033 --- /dev/null +++ b/queue-5.4/posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch @@ -0,0 +1,58 @@ +From 57564d903d9b247fb54ae662f8d1a8621226df6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2024 18:07:48 +0800 +Subject: posix-clock: posix-clock: Fix unbalanced locking in + pc_clock_settime() + +From: Jinjie Ruan + +[ Upstream commit 6e62807c7fbb3c758d233018caf94dfea9c65dbd ] + +If get_clock_desc() succeeds, it calls fget() for the clockid's fd, +and get the clk->rwsem read lock, so the error path should release +the lock to make the lock balance and fput the clockid's fd to make +the refcount balance and release the fd related resource. + +However the below commit left the error path locked behind resulting in +unbalanced locking. Check timespec64_valid_strict() before +get_clock_desc() to fix it, because the "ts" is not changed +after that. + +Fixes: d8794ac20a29 ("posix-clock: Fix missing timespec64 check in pc_clock_settime()") +Acked-by: Richard Cochran +Signed-off-by: Jinjie Ruan +Acked-by: Anna-Maria Behnsen +[pabeni@redhat.com: fixed commit message typo] +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + kernel/time/posix-clock.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c +index 369bb5caa8e3a..d123478a32c43 100644 +--- a/kernel/time/posix-clock.c ++++ b/kernel/time/posix-clock.c +@@ -290,6 +290,9 @@ static int pc_clock_settime(clockid_t id, const struct timespec64 *ts) + struct posix_clock_desc cd; + int err; + ++ if (!timespec64_valid_strict(ts)) ++ return -EINVAL; ++ + err = get_clock_desc(id, &cd); + if (err) + return err; +@@ -299,9 +302,6 @@ static int pc_clock_settime(clockid_t id, const struct timespec64 *ts) + goto out; + } + +- if (!timespec64_valid_strict(ts)) +- return -EINVAL; +- + if (cd.clk->ops.clock_settime) + err = cd.clk->ops.clock_settime(cd.clk, ts); + else +-- +2.43.0 + diff --git a/queue-5.4/r8169-avoid-unsolicited-interrupts.patch b/queue-5.4/r8169-avoid-unsolicited-interrupts.patch new file mode 100644 index 00000000000..56af4792a19 --- /dev/null +++ b/queue-5.4/r8169-avoid-unsolicited-interrupts.patch @@ -0,0 +1,49 @@ +From e711400e44092cb1b3e0d7770eaaabbbac14d390 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2024 11:08:16 +0200 +Subject: r8169: avoid unsolicited interrupts + +From: Heiner Kallweit + +[ Upstream commit 10ce0db787004875f4dba068ea952207d1d8abeb ] + +It was reported that after resume from suspend a PCI error is logged +and connectivity is broken. Error message is: +PCI error (cmd = 0x0407, status_errs = 0x0000) +The message seems to be a red herring as none of the error bits is set, +and the PCI command register value also is normal. Exception handling +for a PCI error includes a chip reset what apparently brakes connectivity +here. The interrupt status bit triggering the PCI error handling isn't +actually used on PCIe chip versions, so it's not clear why this bit is +set by the chip. Fix this by ignoring this bit on PCIe chip versions. + +Fixes: 0e4851502f84 ("r8169: merge with version 8.001.00 of Realtek's r8168 driver") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219388 +Tested-by: Atlas Yu +Signed-off-by: Heiner Kallweit +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/78e2f535-438f-4212-ad94-a77637ac6c9c@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index bb5f70ce63b3d..14bac7c0e6f90 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -6237,7 +6237,9 @@ static irqreturn_t rtl8169_interrupt(int irq, void *dev_instance) + !(status & tp->irq_mask)) + return IRQ_NONE; + +- if (unlikely(status & SYSErr)) { ++ /* At least RTL8168fp may unexpectedly set the SYSErr bit */ ++ if (unlikely(status & SYSErr && ++ tp->mac_version <= RTL_GIGA_MAC_VER_06)) { + rtl8169_pcierr_interrupt(tp->dev); + goto out; + } +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 80e37cd56ee..81ea99df322 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -405,3 +405,10 @@ drm-vboxvideo-replace-fake-vla-at-end-of-vbva_mouse_.patch udf-fix-uninit-value-use-in-udf_get_fileshortad.patch jfs-fix-sanity-check-in-dbmount.patch tracing-consider-the-null-character-when-validating-.patch +net-sun3_82586-fix-potential-memory-leak-in-sun3_825.patch +be2net-fix-potential-memory-leak-in-be_xmit.patch +dt-bindings-power-add-r8a774b1-sysc-power-domain-def.patch +net-usb-usbnet-fix-name-regression.patch +net-sched-fix-use-after-free-in-taprio_change.patch +r8169-avoid-unsolicited-interrupts.patch +posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch -- 2.47.2