From 1e74904969c0d034c77c0d214402f8490e13da7a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 4 Jul 2022 14:37:17 +0200 Subject: [PATCH] 5.18-stable patches added patches: hwmon-occ-prevent-power-cap-command-overwriting-poll-response.patch net-ipv6-unexport-__init-annotated-seg6_hmac_net_init.patch nfs-restore-module-put-when-manager-exits.patch nfsd-restore-einval-error-translation-in-nfsd_commit.patch nfsv4-add-an-fattr-allocation-to-_nfs4_discover_trunking.patch --- ...ap-command-overwriting-poll-response.patch | 143 ++++++++++++++++++ ...-__init-annotated-seg6_hmac_net_init.patch | 41 +++++ ...estore-module-put-when-manager-exits.patch | 39 +++++ ...val-error-translation-in-nfsd_commit.patch | 43 ++++++ ...llocation-to-_nfs4_discover_trunking.patch | 91 +++++++++++ queue-5.18/series | 5 + 6 files changed, 362 insertions(+) create mode 100644 queue-5.18/hwmon-occ-prevent-power-cap-command-overwriting-poll-response.patch create mode 100644 queue-5.18/net-ipv6-unexport-__init-annotated-seg6_hmac_net_init.patch create mode 100644 queue-5.18/nfs-restore-module-put-when-manager-exits.patch create mode 100644 queue-5.18/nfsd-restore-einval-error-translation-in-nfsd_commit.patch create mode 100644 queue-5.18/nfsv4-add-an-fattr-allocation-to-_nfs4_discover_trunking.patch diff --git a/queue-5.18/hwmon-occ-prevent-power-cap-command-overwriting-poll-response.patch b/queue-5.18/hwmon-occ-prevent-power-cap-command-overwriting-poll-response.patch new file mode 100644 index 00000000000..0f25aa3a8ce --- /dev/null +++ b/queue-5.18/hwmon-occ-prevent-power-cap-command-overwriting-poll-response.patch @@ -0,0 +1,143 @@ +From 1bbb2809040a1f9c7c53c9f06c21aa83275ed27b Mon Sep 17 00:00:00 2001 +From: Eddie James +Date: Tue, 28 Jun 2022 15:30:29 -0500 +Subject: hwmon: (occ) Prevent power cap command overwriting poll response + +From: Eddie James + +commit 1bbb2809040a1f9c7c53c9f06c21aa83275ed27b upstream. + +Currently, the response to the power cap command overwrites the +first eight bytes of the poll response, since the commands use +the same buffer. This means that user's get the wrong data between +the time of sending the power cap and the next poll response update. +Fix this by specifying a different buffer for the power cap command +response. + +Fixes: 5b5513b88002 ("hwmon: Add On-Chip Controller (OCC) hwmon driver") +Signed-off-by: Eddie James +Link: https://lore.kernel.org/r/20220628203029.51747-1-eajames@linux.ibm.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/occ/common.c | 5 +++-- + drivers/hwmon/occ/common.h | 3 ++- + drivers/hwmon/occ/p8_i2c.c | 13 +++++++------ + drivers/hwmon/occ/p9_sbe.c | 7 +++---- + 4 files changed, 15 insertions(+), 13 deletions(-) + +--- a/drivers/hwmon/occ/common.c ++++ b/drivers/hwmon/occ/common.c +@@ -145,7 +145,7 @@ static int occ_poll(struct occ *occ) + cmd[6] = 0; /* checksum lsb */ + + /* mutex should already be locked if necessary */ +- rc = occ->send_cmd(occ, cmd, sizeof(cmd)); ++ rc = occ->send_cmd(occ, cmd, sizeof(cmd), &occ->resp, sizeof(occ->resp)); + if (rc) { + occ->last_error = rc; + if (occ->error_count++ > OCC_ERROR_COUNT_THRESHOLD) +@@ -182,6 +182,7 @@ static int occ_set_user_power_cap(struct + { + int rc; + u8 cmd[8]; ++ u8 resp[8]; + __be16 user_power_cap_be = cpu_to_be16(user_power_cap); + + cmd[0] = 0; /* sequence number */ +@@ -198,7 +199,7 @@ static int occ_set_user_power_cap(struct + if (rc) + return rc; + +- rc = occ->send_cmd(occ, cmd, sizeof(cmd)); ++ rc = occ->send_cmd(occ, cmd, sizeof(cmd), resp, sizeof(resp)); + + mutex_unlock(&occ->lock); + +--- a/drivers/hwmon/occ/common.h ++++ b/drivers/hwmon/occ/common.h +@@ -96,7 +96,8 @@ struct occ { + + int powr_sample_time_us; /* average power sample time */ + u8 poll_cmd_data; /* to perform OCC poll command */ +- int (*send_cmd)(struct occ *occ, u8 *cmd, size_t len); ++ int (*send_cmd)(struct occ *occ, u8 *cmd, size_t len, void *resp, ++ size_t resp_len); + + unsigned long next_update; + struct mutex lock; /* lock OCC access */ +--- a/drivers/hwmon/occ/p8_i2c.c ++++ b/drivers/hwmon/occ/p8_i2c.c +@@ -111,7 +111,8 @@ static int p8_i2c_occ_putscom_be(struct + be32_to_cpu(data1)); + } + +-static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len) ++static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len, ++ void *resp, size_t resp_len) + { + int i, rc; + unsigned long start; +@@ -120,7 +121,7 @@ static int p8_i2c_occ_send_cmd(struct oc + const long wait_time = msecs_to_jiffies(OCC_CMD_IN_PRG_WAIT_MS); + struct p8_i2c_occ *ctx = to_p8_i2c_occ(occ); + struct i2c_client *client = ctx->client; +- struct occ_response *resp = &occ->resp; ++ struct occ_response *or = (struct occ_response *)resp; + + start = jiffies; + +@@ -151,7 +152,7 @@ static int p8_i2c_occ_send_cmd(struct oc + return rc; + + /* wait for OCC */ +- if (resp->return_status == OCC_RESP_CMD_IN_PRG) { ++ if (or->return_status == OCC_RESP_CMD_IN_PRG) { + rc = -EALREADY; + + if (time_after(jiffies, start + timeout)) +@@ -163,7 +164,7 @@ static int p8_i2c_occ_send_cmd(struct oc + } while (rc); + + /* check the OCC response */ +- switch (resp->return_status) { ++ switch (or->return_status) { + case OCC_RESP_CMD_IN_PRG: + rc = -ETIMEDOUT; + break; +@@ -192,8 +193,8 @@ static int p8_i2c_occ_send_cmd(struct oc + if (rc < 0) + return rc; + +- data_length = get_unaligned_be16(&resp->data_length); +- if (data_length > OCC_RESP_DATA_BYTES) ++ data_length = get_unaligned_be16(&or->data_length); ++ if ((data_length + 7) > resp_len) + return -EMSGSIZE; + + /* fetch the rest of the response data */ +--- a/drivers/hwmon/occ/p9_sbe.c ++++ b/drivers/hwmon/occ/p9_sbe.c +@@ -78,11 +78,10 @@ done: + return notify; + } + +-static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len) ++static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len, ++ void *resp, size_t resp_len) + { +- struct occ_response *resp = &occ->resp; + struct p9_sbe_occ *ctx = to_p9_sbe_occ(occ); +- size_t resp_len = sizeof(*resp); + int rc; + + rc = fsi_occ_submit(ctx->sbe, cmd, len, resp, &resp_len); +@@ -96,7 +95,7 @@ static int p9_sbe_occ_send_cmd(struct oc + return rc; + } + +- switch (resp->return_status) { ++ switch (((struct occ_response *)resp)->return_status) { + case OCC_RESP_CMD_IN_PRG: + rc = -ETIMEDOUT; + break; diff --git a/queue-5.18/net-ipv6-unexport-__init-annotated-seg6_hmac_net_init.patch b/queue-5.18/net-ipv6-unexport-__init-annotated-seg6_hmac_net_init.patch new file mode 100644 index 00000000000..367d7594bfa --- /dev/null +++ b/queue-5.18/net-ipv6-unexport-__init-annotated-seg6_hmac_net_init.patch @@ -0,0 +1,41 @@ +From 53ad46169fe2996fe1b623ba6c9c4fa33847876f Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Tue, 28 Jun 2022 11:31:34 +0800 +Subject: net: ipv6: unexport __init-annotated seg6_hmac_net_init() + +From: YueHaibing + +commit 53ad46169fe2996fe1b623ba6c9c4fa33847876f upstream. + +As of commit 5801f064e351 ("net: ipv6: unexport __init-annotated seg6_hmac_init()"), +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +This remove the EXPORT_SYMBOL to fix modpost warning: + +WARNING: modpost: vmlinux.o(___ksymtab+seg6_hmac_net_init+0x0): Section mismatch in reference from the variable __ksymtab_seg6_hmac_net_init to the function .init.text:seg6_hmac_net_init() +The symbol seg6_hmac_net_init is exported and annotated __init +Fix this by removing the __init annotation of seg6_hmac_net_init or drop the export. + +Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20220628033134.21088-1-yuehaibing@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/seg6_hmac.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/ipv6/seg6_hmac.c ++++ b/net/ipv6/seg6_hmac.c +@@ -406,7 +406,6 @@ int __net_init seg6_hmac_net_init(struct + + return rhashtable_init(&sdata->hmac_infos, &rht_params); + } +-EXPORT_SYMBOL(seg6_hmac_net_init); + + void seg6_hmac_exit(void) + { diff --git a/queue-5.18/nfs-restore-module-put-when-manager-exits.patch b/queue-5.18/nfs-restore-module-put-when-manager-exits.patch new file mode 100644 index 00000000000..0c2afa6db0c --- /dev/null +++ b/queue-5.18/nfs-restore-module-put-when-manager-exits.patch @@ -0,0 +1,39 @@ +From 080abad71e99d2becf38c978572982130b927a28 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Thu, 23 Jun 2022 14:47:34 +1000 +Subject: NFS: restore module put when manager exits. + +From: NeilBrown + +commit 080abad71e99d2becf38c978572982130b927a28 upstream. + +Commit f49169c97fce ("NFSD: Remove svc_serv_ops::svo_module") removed +calls to module_put_and_kthread_exit() from threads that acted as SUNRPC +servers and had a related svc_serv_ops structure. This was correct. + +It ALSO removed the module_put_and_kthread_exit() call from +nfs4_run_state_manager() which is NOT a SUNRPC service. + +Consequently every time the NFSv4 state manager runs the module count +increments and won't be decremented. So the nfsv4 module cannot be +unloaded. + +So restore the module_put_and_kthread_exit() call. + +Fixes: f49169c97fce ("NFSD: Remove svc_serv_ops::svo_module") +Signed-off-by: NeilBrown +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4state.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -2743,5 +2743,6 @@ again: + goto again; + + nfs_put_client(clp); ++ module_put_and_kthread_exit(0); + return 0; + } diff --git a/queue-5.18/nfsd-restore-einval-error-translation-in-nfsd_commit.patch b/queue-5.18/nfsd-restore-einval-error-translation-in-nfsd_commit.patch new file mode 100644 index 00000000000..0bb7528af5b --- /dev/null +++ b/queue-5.18/nfsd-restore-einval-error-translation-in-nfsd_commit.patch @@ -0,0 +1,43 @@ +From 8a9ffb8c857c2c99403bd6483a5a005fed5c0773 Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Sat, 25 Jun 2022 23:52:43 +0300 +Subject: NFSD: restore EINVAL error translation in nfsd_commit() + +From: Alexey Khoroshilov + +commit 8a9ffb8c857c2c99403bd6483a5a005fed5c0773 upstream. + +commit 555dbf1a9aac ("nfsd: Replace use of rwsem with errseq_t") +incidentally broke translation of -EINVAL to nfserr_notsupp. +The patch restores that. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Alexey Khoroshilov +Fixes: 555dbf1a9aac ("nfsd: Replace use of rwsem with errseq_t") +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/vfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -1170,6 +1170,7 @@ nfsd_commit(struct svc_rqst *rqstp, stru + nfsd_copy_write_verifier(verf, nn); + err2 = filemap_check_wb_err(nf->nf_file->f_mapping, + since); ++ err = nfserrno(err2); + break; + case -EINVAL: + err = nfserr_notsupp; +@@ -1177,8 +1178,8 @@ nfsd_commit(struct svc_rqst *rqstp, stru + default: + nfsd_reset_write_verifier(nn); + trace_nfsd_writeverf_reset(nn, rqstp, err2); ++ err = nfserrno(err2); + } +- err = nfserrno(err2); + } else + nfsd_copy_write_verifier(verf, nn); + diff --git a/queue-5.18/nfsv4-add-an-fattr-allocation-to-_nfs4_discover_trunking.patch b/queue-5.18/nfsv4-add-an-fattr-allocation-to-_nfs4_discover_trunking.patch new file mode 100644 index 00000000000..885a08d7079 --- /dev/null +++ b/queue-5.18/nfsv4-add-an-fattr-allocation-to-_nfs4_discover_trunking.patch @@ -0,0 +1,91 @@ +From 4f40a5b5544618b096d1611a18219dd91fd57f80 Mon Sep 17 00:00:00 2001 +From: Scott Mayhew +Date: Mon, 27 Jun 2022 17:31:29 -0400 +Subject: NFSv4: Add an fattr allocation to _nfs4_discover_trunking() + +From: Scott Mayhew + +commit 4f40a5b5544618b096d1611a18219dd91fd57f80 upstream. + +This was missed in c3ed222745d9 ("NFSv4: Fix free of uninitialized +nfs4_label on referral lookup.") and causes a panic when mounting +with '-o trunkdiscovery': + +PID: 1604 TASK: ffff93dac3520000 CPU: 3 COMMAND: "mount.nfs" + #0 [ffffb79140f738f8] machine_kexec at ffffffffaec64bee + #1 [ffffb79140f73950] __crash_kexec at ffffffffaeda67fd + #2 [ffffb79140f73a18] crash_kexec at ffffffffaeda76ed + #3 [ffffb79140f73a30] oops_end at ffffffffaec2658d + #4 [ffffb79140f73a50] general_protection at ffffffffaf60111e + [exception RIP: nfs_fattr_init+0x5] + RIP: ffffffffc0c18265 RSP: ffffb79140f73b08 RFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffff93dac304a800 RCX: 0000000000000000 + RDX: ffffb79140f73bb0 RSI: ffff93dadc8cbb40 RDI: d03ee11cfaf6bd50 + RBP: ffffb79140f73be8 R8: ffffffffc0691560 R9: 0000000000000006 + R10: ffff93db3ffd3df8 R11: 0000000000000000 R12: ffff93dac4040000 + R13: ffff93dac2848e00 R14: ffffb79140f73b60 R15: ffffb79140f73b30 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #5 [ffffb79140f73b08] _nfs41_proc_get_locations at ffffffffc0c73d53 [nfsv4] + #6 [ffffb79140f73bf0] nfs4_proc_get_locations at ffffffffc0c83e90 [nfsv4] + #7 [ffffb79140f73c60] nfs4_discover_trunking at ffffffffc0c83fb7 [nfsv4] + #8 [ffffb79140f73cd8] nfs_probe_fsinfo at ffffffffc0c0f95f [nfs] + #9 [ffffb79140f73da0] nfs_probe_server at ffffffffc0c1026a [nfs] + RIP: 00007f6254fce26e RSP: 00007ffc69496ac8 RFLAGS: 00000246 + RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6254fce26e + RDX: 00005600220a82a0 RSI: 00005600220a64d0 RDI: 00005600220a6520 + RBP: 00007ffc69496c50 R8: 00005600220a8710 R9: 003035322e323231 + R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc69496c50 + R13: 00005600220a8440 R14: 0000000000000010 R15: 0000560020650ef9 + ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b + +Fixes: c3ed222745d9 ("NFSv4: Fix free of uninitialized nfs4_label on referral lookup.") +Signed-off-by: Scott Mayhew +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index c0fdcf8c0032..bb0e84a46d61 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4012,22 +4012,29 @@ static int _nfs4_discover_trunking(struct nfs_server *server, + } + + page = alloc_page(GFP_KERNEL); ++ if (!page) ++ return -ENOMEM; + locations = kmalloc(sizeof(struct nfs4_fs_locations), GFP_KERNEL); +- if (page == NULL || locations == NULL) +- goto out; ++ if (!locations) ++ goto out_free; ++ locations->fattr = nfs_alloc_fattr(); ++ if (!locations->fattr) ++ goto out_free_2; + + status = nfs4_proc_get_locations(server, fhandle, locations, page, + cred); + if (status) +- goto out; ++ goto out_free_3; + + for (i = 0; i < locations->nlocations; i++) + test_fs_location_for_trunking(&locations->locations[i], clp, + server); +-out: +- if (page) +- __free_page(page); ++out_free_3: ++ kfree(locations->fattr); ++out_free_2: + kfree(locations); ++out_free: ++ __free_page(page); + return status; + } + +-- +2.37.0 + diff --git a/queue-5.18/series b/queue-5.18/series index b3278454ecc..c66ae0c1dd7 100644 --- a/queue-5.18/series +++ b/queue-5.18/series @@ -39,3 +39,8 @@ mptcp-fix-race-on-unaccepted-mptcp-sockets.patch selftests-mptcp-more-stable-diag-tests.patch mptcp-fix-conflict-with-netinet-in.h.patch selftests-mptcp-initialize-variables-to-quiet-gcc-12-warnings.patch +hwmon-occ-prevent-power-cap-command-overwriting-poll-response.patch +net-ipv6-unexport-__init-annotated-seg6_hmac_net_init.patch +nfs-restore-module-put-when-manager-exits.patch +nfsd-restore-einval-error-translation-in-nfsd_commit.patch +nfsv4-add-an-fattr-allocation-to-_nfs4_discover_trunking.patch -- 2.47.3