4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 30 Oct 2021 13:13:30 +0000 (15:13 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 30 Oct 2021 13:13:30 +0000 (15:13 +0200)
added patches:
net-batman-adv-fix-error-handling.patch
net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch
nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch
regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch

queue-4.9/net-batman-adv-fix-error-handling.patch [new file with mode: 0644]
queue-4.9/net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch [new file with mode: 0644]
queue-4.9/nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch [new file with mode: 0644]
queue-4.9/regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/net-batman-adv-fix-error-handling.patch b/queue-4.9/net-batman-adv-fix-error-handling.patch
new file mode 100644 (file)
index 0000000..0227928
--- /dev/null
@@ -0,0 +1,173 @@
+From 6f68cd634856f8ca93bafd623ba5357e0f648c68 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Sun, 24 Oct 2021 16:13:56 +0300
+Subject: net: batman-adv: fix error handling
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 6f68cd634856f8ca93bafd623ba5357e0f648c68 upstream.
+
+Syzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was
+in wrong error handling in batadv_mesh_init().
+
+Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case
+of any batadv_*_init() calls failure. This approach may work well, when
+there is some kind of indicator, which can tell which parts of batadv are
+initialized; but there isn't any.
+
+All written above lead to cleaning up uninitialized fields. Even if we hide
+ODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit
+GPF in batadv_nc_purge_paths(), because hash pointer in still NULL. [1]
+
+To fix these bugs we can unwind batadv_*_init() calls one by one.
+It is good approach for 2 reasons: 1) It fixes bugs on error handling
+path 2) It improves the performance, since we won't call unneeded
+batadv_*_free() functions.
+
+So, this patch makes all batadv_*_init() clean up all allocated memory
+before returning with an error to no call correspoing batadv_*_free()
+and open-codes batadv_mesh_free() with proper order to avoid touching
+uninitialized fields.
+
+Link: https://lore.kernel.org/netdev/000000000000c87fbd05cef6bcb0@google.com/ [1]
+Reported-and-tested-by: syzbot+28b0702ada0bf7381f58@syzkaller.appspotmail.com
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Acked-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c |    8 +++-
+ net/batman-adv/main.c                  |   56 +++++++++++++++++++++++----------
+ net/batman-adv/network-coding.c        |    4 +-
+ net/batman-adv/translation-table.c     |    4 +-
+ 4 files changed, 52 insertions(+), 20 deletions(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1569,10 +1569,14 @@ int batadv_bla_init(struct batadv_priv *
+               return 0;
+       bat_priv->bla.claim_hash = batadv_hash_new(128);
+-      bat_priv->bla.backbone_hash = batadv_hash_new(32);
++      if (!bat_priv->bla.claim_hash)
++              return -ENOMEM;
+-      if (!bat_priv->bla.claim_hash || !bat_priv->bla.backbone_hash)
++      bat_priv->bla.backbone_hash = batadv_hash_new(32);
++      if (!bat_priv->bla.backbone_hash) {
++              batadv_hash_destroy(bat_priv->bla.claim_hash);
+               return -ENOMEM;
++      }
+       batadv_hash_set_lock_class(bat_priv->bla.claim_hash,
+                                  &batadv_claim_hash_lock_class_key);
+--- a/net/batman-adv/main.c
++++ b/net/batman-adv/main.c
+@@ -177,29 +177,41 @@ int batadv_mesh_init(struct net_device *
+       INIT_HLIST_HEAD(&bat_priv->softif_vlan_list);
+       INIT_HLIST_HEAD(&bat_priv->tp_list);
+-      ret = batadv_v_mesh_init(bat_priv);
+-      if (ret < 0)
+-              goto err;
+-
+       ret = batadv_originator_init(bat_priv);
+-      if (ret < 0)
+-              goto err;
++      if (ret < 0) {
++              atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
++              goto err_orig;
++      }
+       ret = batadv_tt_init(bat_priv);
+-      if (ret < 0)
+-              goto err;
++      if (ret < 0) {
++              atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
++              goto err_tt;
++      }
++
++      ret = batadv_v_mesh_init(bat_priv);
++      if (ret < 0) {
++              atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
++              goto err_v;
++      }
+       ret = batadv_bla_init(bat_priv);
+-      if (ret < 0)
+-              goto err;
++      if (ret < 0) {
++              atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
++              goto err_bla;
++      }
+       ret = batadv_dat_init(bat_priv);
+-      if (ret < 0)
+-              goto err;
++      if (ret < 0) {
++              atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
++              goto err_dat;
++      }
+       ret = batadv_nc_mesh_init(bat_priv);
+-      if (ret < 0)
+-              goto err;
++      if (ret < 0) {
++              atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
++              goto err_nc;
++      }
+       batadv_gw_init(bat_priv);
+       batadv_mcast_init(bat_priv);
+@@ -209,8 +221,20 @@ int batadv_mesh_init(struct net_device *
+       return 0;
+-err:
+-      batadv_mesh_free(soft_iface);
++err_nc:
++      batadv_dat_free(bat_priv);
++err_dat:
++      batadv_bla_free(bat_priv);
++err_bla:
++      batadv_v_mesh_free(bat_priv);
++err_v:
++      batadv_tt_free(bat_priv);
++err_tt:
++      batadv_originator_free(bat_priv);
++err_orig:
++      batadv_purge_outstanding_packets(bat_priv, NULL);
++      atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE);
++
+       return ret;
+ }
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -166,8 +166,10 @@ int batadv_nc_mesh_init(struct batadv_pr
+                                  &batadv_nc_coding_hash_lock_class_key);
+       bat_priv->nc.decoding_hash = batadv_hash_new(128);
+-      if (!bat_priv->nc.decoding_hash)
++      if (!bat_priv->nc.decoding_hash) {
++              batadv_hash_destroy(bat_priv->nc.coding_hash);
+               goto err;
++      }
+       batadv_hash_set_lock_class(bat_priv->nc.decoding_hash,
+                                  &batadv_nc_decoding_hash_lock_class_key);
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -4373,8 +4373,10 @@ int batadv_tt_init(struct batadv_priv *b
+               return ret;
+       ret = batadv_tt_global_init(bat_priv);
+-      if (ret < 0)
++      if (ret < 0) {
++              batadv_tt_local_table_free(bat_priv);
+               return ret;
++      }
+       batadv_tvlv_handler_register(bat_priv, batadv_tt_tvlv_ogm_handler_v1,
+                                    batadv_tt_tvlv_unicast_handler_v1,
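Review bot: The new error branches in batadv_bla_init() and batadv_nc_mesh_init() call batadv_hash_destroy() on `bat_priv->bla.claim_hash` and `bat_priv->nc.coding_hash` but leave both fields holding the freed pointer. Nothing visible in these hunks reads them again after the failure, but batadv_bla_init() has an early `return 0;` whose condition is outside the quoted context, and any later free or re-init that tests these fields would act on stale memory. Clearing them right after the destroy keeps bat_priv self-consistent: `bat_priv->bla.claim_hash = NULL;` and `bat_priv->nc.coding_hash = NULL;`. Both function bodies start and end outside the hunks shown.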
diff --git a/queue-4.9/net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch b/queue-4.9/net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch
new file mode 100644 (file)
index 0000000..541b3b2
--- /dev/null
@@ -0,0 +1,44 @@
+From ace19b992436a257d9a793672e57abc28fe83e2e Mon Sep 17 00:00:00 2001
+From: Trevor Woerner <twoerner@gmail.com>
+Date: Sun, 24 Oct 2021 13:50:02 -0400
+Subject: net: nxp: lpc_eth.c: avoid hang when bringing interface down
+
+From: Trevor Woerner <twoerner@gmail.com>
+
+commit ace19b992436a257d9a793672e57abc28fe83e2e upstream.
+
+A hard hang is observed whenever the ethernet interface is brought
+down. If the PHY is stopped before the LPC core block is reset,
+the SoC will hang. Comparing lpc_eth_close() and lpc_eth_open() I
+re-arranged the ordering of the functions calls in lpc_eth_close() to
+reset the hardware before stopping the PHY.
+Fixes: b7370112f519 ("lpc32xx: Added ethernet driver")
+Signed-off-by: Trevor Woerner <twoerner@gmail.com>
+Acked-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/nxp/lpc_eth.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/nxp/lpc_eth.c
++++ b/drivers/net/ethernet/nxp/lpc_eth.c
+@@ -1039,9 +1039,6 @@ static int lpc_eth_close(struct net_devi
+       napi_disable(&pldat->napi);
+       netif_stop_queue(ndev);
+-      if (ndev->phydev)
+-              phy_stop(ndev->phydev);
+-
+       spin_lock_irqsave(&pldat->lock, flags);
+       __lpc_eth_reset(pldat);
+       netif_carrier_off(ndev);
+@@ -1049,6 +1046,8 @@ static int lpc_eth_close(struct net_devi
+       writel(0, LPC_ENET_MAC2(pldat->net_base));
+       spin_unlock_irqrestore(&pldat->lock, flags);
++      if (ndev->phydev)
++              phy_stop(ndev->phydev);
+       clk_disable_unprepare(pldat->clk);
+       return 0;
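Review bot: The new position of `phy_stop()` in lpc_eth_close(), after `__lpc_eth_reset()` and the unlock, encodes a hardware ordering requirement that the code does not state. Without a comment, a later cleanup that restores the stop-PHY-first order could reintroduce the hang described in the commit message. I would add above the moved lines: `/* Reset the MAC before stopping the PHY; the reverse order hangs the SoC. */`. The function body starts outside the hunk.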
diff --git a/queue-4.9/nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch b/queue-4.9/nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch
new file mode 100644 (file)
index 0000000..6474a53
--- /dev/null
@@ -0,0 +1,39 @@
+From 4a089e95b4d6bb625044d47aed0c442a8f7bd093 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Wed, 20 Oct 2021 12:11:16 -0700
+Subject: nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 4a089e95b4d6bb625044d47aed0c442a8f7bd093 upstream.
+
+nios2:allmodconfig builds fail with
+
+make[1]: *** No rule to make target 'arch/nios2/boot/dts/""',
+       needed by 'arch/nios2/boot/dts/built-in.a'.  Stop.
+make: [Makefile:1868: arch/nios2/boot/dts] Error 2 (ignored)
+
+This is seen with compile tests since those enable NIOS2_DTB_SOURCE_BOOL,
+which in turn enables NIOS2_DTB_SOURCE. This causes the build error
+because the default value for NIOS2_DTB_SOURCE is an empty string.
+Disable NIOS2_DTB_SOURCE_BOOL for compile tests to avoid the error.
+
+Fixes: 2fc8483fdcde ("nios2: Build infrastructure")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/nios2/platform/Kconfig.platform |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/nios2/platform/Kconfig.platform
++++ b/arch/nios2/platform/Kconfig.platform
+@@ -37,6 +37,7 @@ config NIOS2_DTB_PHYS_ADDR
+ config NIOS2_DTB_SOURCE_BOOL
+       bool "Compile and link device tree into kernel image"
++      depends on !COMPILE_TEST
+       default n
+       help
+         This allows you to specify a dts (device tree source) file
diff --git a/queue-4.9/regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch b/queue-4.9/regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch
new file mode 100644 (file)
index 0000000..fbf1cd4
--- /dev/null
@@ -0,0 +1,70 @@
+From 55e6d8037805b3400096d621091dfbf713f97e83 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Tue, 12 Oct 2021 10:37:35 +0800
+Subject: regmap: Fix possible double-free in regcache_rbtree_exit()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit 55e6d8037805b3400096d621091dfbf713f97e83 upstream.
+
+In regcache_rbtree_insert_to_block(), when 'present' realloc failed,
+the 'blk' which is supposed to assign to 'rbnode->block' will be freed,
+so 'rbnode->block' points a freed memory, in the error handling path of
+regcache_rbtree_init(), 'rbnode->block' will be freed again in
+regcache_rbtree_exit(), KASAN will report double-free as follows:
+
+BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
+Call Trace:
+ slab_free_freelist_hook+0x10d/0x240
+ kfree+0xce/0x390
+ regcache_rbtree_exit+0x15d/0x1a0
+ regcache_rbtree_init+0x224/0x2c0
+ regcache_init+0x88d/0x1310
+ __regmap_init+0x3151/0x4a80
+ __devm_regmap_init+0x7d/0x100
+ madera_spi_probe+0x10f/0x333 [madera_spi]
+ spi_probe+0x183/0x210
+ really_probe+0x285/0xc30
+
+To fix this, moving up the assignment of rbnode->block to immediately after
+the reallocation has succeeded so that the data structure stays valid even
+if the second reallocation fails.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 3f4ff561bc88b ("regmap: rbtree: Make cache_present bitmap per node")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211012023735.1632786-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/regmap/regcache-rbtree.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/base/regmap/regcache-rbtree.c
++++ b/drivers/base/regmap/regcache-rbtree.c
+@@ -296,14 +296,14 @@ static int regcache_rbtree_insert_to_blo
+       if (!blk)
+               return -ENOMEM;
++      rbnode->block = blk;
++
+       if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) {
+               present = krealloc(rbnode->cache_present,
+                                  BITS_TO_LONGS(blklen) * sizeof(*present),
+                                  GFP_KERNEL);
+-              if (!present) {
+-                      kfree(blk);
++              if (!present)
+                       return -ENOMEM;
+-              }
+               memset(present + BITS_TO_LONGS(rbnode->blklen), 0,
+                      (BITS_TO_LONGS(blklen) - BITS_TO_LONGS(rbnode->blklen))
+@@ -320,7 +320,6 @@ static int regcache_rbtree_insert_to_blo
+       }
+       /* update the rbnode block, its size and the base register */
+-      rbnode->block = blk;
+       rbnode->blklen = blklen;
+       rbnode->base_reg = base_reg;
+       rbnode->cache_present = present;
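Review bot: The comment `/* update the rbnode block, its size and the base register */` in the second inner hunk is now stale, because `rbnode->block = blk;` no longer sits under it. The early assignment carries the whole fix, yet nothing says why it must precede the `present` reallocation. I would add above it `/* the old block may be gone after krealloc(); store blk before any error return */` and reword the later comment to `/* update the rbnode size, base register and presence bitmap */`. regcache_rbtree_insert_to_block() starts and ends outside the hunks shown, so the krealloc() of `blk` is inferred from the commit message.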
index 0a76d9dbc97ef8f658f5822ab35d7e21b864d256..97dc44a76fc885eaa2040dd62bfdbf7a9dc0ca6d 100644 (file)
@@ -12,3 +12,7 @@ mmc-vub300-fix-control-message-timeouts.patch
 mmc-dw_mmc-exynos-fix-the-finding-clock-sample-value.patch
 mmc-sdhci-map-more-voltage-level-to-sdhci_power_330.patch
 net-lan78xx-fix-division-by-zero-in-send-path.patch
+regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch
+net-batman-adv-fix-error-handling.patch
+nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch
+net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch