From: Sasha Levin Date: Fri, 22 Dec 2023 22:48:18 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v5.15.145~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=080e8a35fadece99d00a2a3da4376febd772fb06;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch b/queue-4.19/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch new file mode 100644 index 00000000000..8bfed77e34b --- /dev/null +++ b/queue-4.19/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch @@ -0,0 +1,53 @@ +From 5af91831385fa66738cd4dd403b92254242b0f90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 15:08:57 +0000 +Subject: afs: Fix the dynamic root's d_delete to always delete unused dentries + +From: David Howells + +[ Upstream commit 71f8b55bc30e82d6355e07811213d847981a32e2 ] + +Fix the afs dynamic root's d_delete function to always delete unused +dentries rather than only deleting them if they're positive. With things +as they stand upstream, negative dentries stemming from failed DNS lookups +stick around preventing retries. + +Fixes: 66c7e1d319a5 ("afs: Split the dynroot stuff out and give it its own ops tables") +Signed-off-by: David Howells +Tested-by: Markus Suvanto +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + fs/afs/dynroot.c | 13 +------------ + 1 file changed, 1 insertion(+), 12 deletions(-) + +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index fc6c42eeb659c..ff21ce511f47c 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -172,20 +172,9 @@ static int afs_dynroot_d_revalidate(struct dentry *dentry, unsigned int flags) + return 1; + } + +-/* +- * Allow the VFS to enquire as to whether a dentry should be unhashed (mustn't +- * sleep) +- * - called from dput() when d_count is going to 0. +- * - return 1 to request dentry be unhashed, 0 otherwise +- */ +-static int afs_dynroot_d_delete(const struct dentry *dentry) +-{ +- return d_really_is_positive(dentry); +-} +- + const struct dentry_operations afs_dynroot_dentry_operations = { + .d_revalidate = afs_dynroot_d_revalidate, +- .d_delete = afs_dynroot_d_delete, ++ .d_delete = always_delete_dentry, + .d_release = afs_d_release, + .d_automount = afs_d_automount, + }; +-- +2.43.0 + diff --git a/queue-4.19/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch b/queue-4.19/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch new file mode 100644 index 00000000000..cf02aee37e3 --- /dev/null +++ b/queue-4.19/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch @@ -0,0 +1,49 @@ +From 1e7506b85d2b096f74cd9f544f8502410472cc7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 22:52:37 +0800 +Subject: ARM: OMAP2+: Fix null pointer dereference and memory leak in + omap_soc_device_init + +From: Kunwu Chan + +[ Upstream commit c72b9c33ef9695ad7ce7a6eb39a9df8a01b70796 ] + +kasprintf() returns a pointer to dynamically allocated memory which can +be NULL upon failure. When 'soc_dev_attr->family' is NULL,it'll trigger +the null pointer dereference issue, such as in 'soc_info_show'. + +And when 'soc_device_register' fails, it's necessary to release +'soc_dev_attr->family' to avoid memory leaks. + +Fixes: 6770b2114325 ("ARM: OMAP2+: Export SoC information to userspace") +Signed-off-by: Kunwu Chan +Message-ID: <20231123145237.609442-1-chentao@kylinos.cn> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/id.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/mach-omap2/id.c b/arch/arm/mach-omap2/id.c +index 859c71c4e9324..df8a9dda67a01 100644 +--- a/arch/arm/mach-omap2/id.c ++++ b/arch/arm/mach-omap2/id.c +@@ -800,10 +800,15 @@ void __init omap_soc_device_init(void) + + soc_dev_attr->machine = soc_name; + soc_dev_attr->family = omap_get_family(); ++ if (!soc_dev_attr->family) { ++ kfree(soc_dev_attr); ++ return; ++ } + soc_dev_attr->revision = soc_rev; + + soc_dev = soc_device_register(soc_dev_attr); + if (IS_ERR(soc_dev)) { ++ kfree(soc_dev_attr->family); + kfree(soc_dev_attr); + return; + } +-- +2.43.0 + diff --git a/queue-4.19/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch b/queue-4.19/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch new file mode 100644 index 00000000000..7e6d698d27f --- /dev/null +++ b/queue-4.19/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch @@ -0,0 +1,44 @@ +From 5ca99893751b891069707981482c473648bf62bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 21:04:04 +0800 +Subject: ethernet: atheros: fix a memleak in atl1e_setup_ring_resources + +From: Zhipeng Lu + +[ Upstream commit 309fdb1c33fe726d92d0030481346f24e1b01f07 ] + +In the error handling of 'offset > adapter->ring_size', the +tx_ring->tx_buffer allocated by kzalloc should be freed, +instead of 'goto failed' instantly. + +Fixes: a6a5325239c2 ("atl1e: Atheros L1E Gigabit Ethernet driver") +Signed-off-by: Zhipeng Lu +Reviewed-by: Suman Ghosh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +index e4d58c7aeaf82..c72ba133072fb 100644 +--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c ++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +@@ -881,10 +881,13 @@ static int atl1e_setup_ring_resources(struct atl1e_adapter *adapter) + netdev_err(adapter->netdev, "offset(%d) > ring size(%d) !!\n", + offset, adapter->ring_size); + err = -1; +- goto failed; ++ goto free_buffer; + } + + return 0; ++free_buffer: ++ kfree(tx_ring->tx_buffer); ++ tx_ring->tx_buffer = NULL; + failed: + if (adapter->ring_vir_addr != NULL) { + pci_free_consistent(pdev, adapter->ring_size, +-- +2.43.0 + diff --git a/queue-4.19/net-check-dev-gso_max_size-in-gso_features_check.patch b/queue-4.19/net-check-dev-gso_max_size-in-gso_features_check.patch new file mode 100644 index 00000000000..b247cf501e0 --- /dev/null +++ b/queue-4.19/net-check-dev-gso_max_size-in-gso_features_check.patch @@ -0,0 +1,49 @@ +From e1a790bbacc9e84bb63df53fb8f0048727b4490f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 12:53:31 +0000 +Subject: net: check dev->gso_max_size in gso_features_check() + +From: Eric Dumazet + +[ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ] + +Some drivers might misbehave if TSO packets get too big. + +GVE for instance uses a 16bit field in its TX descriptor, +and will do bad things if a packet is bigger than 2^16 bytes. + +Linux TCP stack honors dev->gso_max_size, but there are +other ways for too big packets to reach an ndo_start_xmit() +handler : virtio_net, af_packet, GRO... + +Add a generic check in gso_features_check() and fallback +to GSO when needed. + +gso_max_size was added in the blamed commit. + +Fixes: 82cc1a7a5687 ("[NET]: Add per-connection option to set max TSO frame size") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index ea05db68aa95a..b5c9648c2192f 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3200,6 +3200,9 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb, + if (gso_segs > dev->gso_max_segs) + return features & ~NETIF_F_GSO_MASK; + ++ if (unlikely(skb->len >= READ_ONCE(dev->gso_max_size))) ++ return features & ~NETIF_F_GSO_MASK; ++ + if (!skb_shinfo(skb)->gso_type) { + skb_warn_bad_offload(skb); + return features & ~NETIF_F_GSO_MASK; +-- +2.43.0 + diff --git a/queue-4.19/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch b/queue-4.19/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch new file mode 100644 index 00000000000..42166564986 --- /dev/null +++ b/queue-4.19/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch @@ -0,0 +1,99 @@ +From e4ba74bf4526e7ca34db519ecd7d017357fabcff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Dec 2023 15:52:18 +0800 +Subject: net: check vlan filter feature in vlan_vids_add_by_dev() and + vlan_vids_del_by_dev() + +From: Liu Jian + +[ Upstream commit 01a564bab4876007ce35f312e16797dfe40e4823 ] + +I got the below warning trace: + +WARNING: CPU: 4 PID: 4056 at net/core/dev.c:11066 unregister_netdevice_many_notify +CPU: 4 PID: 4056 Comm: ip Not tainted 6.7.0-rc4+ #15 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:unregister_netdevice_many_notify+0x9a4/0x9b0 +Call Trace: + rtnl_dellink + rtnetlink_rcv_msg + netlink_rcv_skb + netlink_unicast + netlink_sendmsg + __sock_sendmsg + ____sys_sendmsg + ___sys_sendmsg + __sys_sendmsg + do_syscall_64 + entry_SYSCALL_64_after_hwframe + +It can be repoduced via: + + ip netns add ns1 + ip netns exec ns1 ip link add bond0 type bond mode 0 + ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2 + ip netns exec ns1 ip link set bond_slave_1 master bond0 +[1] ip netns exec ns1 ethtool -K bond0 rx-vlan-filter off +[2] ip netns exec ns1 ip link add link bond_slave_1 name bond_slave_1.0 type vlan id 0 +[3] ip netns exec ns1 ip link add link bond0 name bond0.0 type vlan id 0 +[4] ip netns exec ns1 ip link set bond_slave_1 nomaster +[5] ip netns exec ns1 ip link del veth2 + ip netns del ns1 + +This is all caused by command [1] turning off the rx-vlan-filter function +of bond0. The reason is the same as commit 01f4fd270870 ("bonding: Fix +incorrect deletion of ETH_P_8021AD protocol vid from slaves"). Commands +[2] [3] add the same vid to slave and master respectively, causing +command [4] to empty slave->vlan_info. The following command [5] triggers +this problem. + +To fix this problem, we should add VLAN_FILTER feature checks in +vlan_vids_add_by_dev() and vlan_vids_del_by_dev() to prevent incorrect +addition or deletion of vlan_vid information. + +Fixes: 348a1443cc43 ("vlan: introduce functions to do mass addition/deletion of vids by another device") +Signed-off-by: Liu Jian +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/8021q/vlan_core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c +index 4f60e86f4b8d3..e92c914316cbd 100644 +--- a/net/8021q/vlan_core.c ++++ b/net/8021q/vlan_core.c +@@ -380,6 +380,8 @@ int vlan_vids_add_by_dev(struct net_device *dev, + return 0; + + list_for_each_entry(vid_info, &vlan_info->vid_list, list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + err = vlan_vid_add(dev, vid_info->proto, vid_info->vid); + if (err) + goto unwind; +@@ -390,6 +392,8 @@ int vlan_vids_add_by_dev(struct net_device *dev, + list_for_each_entry_continue_reverse(vid_info, + &vlan_info->vid_list, + list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + vlan_vid_del(dev, vid_info->proto, vid_info->vid); + } + +@@ -409,8 +413,11 @@ void vlan_vids_del_by_dev(struct net_device *dev, + if (!vlan_info) + return; + +- list_for_each_entry(vid_info, &vlan_info->vid_list, list) ++ list_for_each_entry(vid_info, &vlan_info->vid_list, list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + vlan_vid_del(dev, vid_info->proto, vid_info->vid); ++ } + } + EXPORT_SYMBOL(vlan_vids_del_by_dev); + +-- +2.43.0 + diff --git a/queue-4.19/net-mlx5-fix-fw-tracer-first-block-check.patch b/queue-4.19/net-mlx5-fix-fw-tracer-first-block-check.patch new file mode 100644 index 00000000000..ace5078dd13 --- /dev/null +++ b/queue-4.19/net-mlx5-fix-fw-tracer-first-block-check.patch @@ -0,0 +1,39 @@ +From 1869e35a601a1c20a8a23f32605a5bb3b38f3ccd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 11:30:34 +0200 +Subject: net/mlx5: Fix fw tracer first block check + +From: Moshe Shemesh + +[ Upstream commit 4261edf11cb7c9224af713a102e5616329306932 ] + +While handling new traces, to verify it is not the first block being +written, last_timestamp is checked. But instead of checking it is non +zero it is verified to be zero. Fix to verify last_timestamp is not +zero. + +Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling") +Signed-off-by: Moshe Shemesh +Reviewed-by: Feras Daoud +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index 21dbb25552140..24e9699434e36 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -652,7 +652,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + + while (block_timestamp > tracer->last_timestamp) { + /* Check block override if it's not the first block */ +- if (!tracer->last_timestamp) { ++ if (tracer->last_timestamp) { + u64 *ts_event; + /* To avoid block override be the HW in case of buffer + * wraparound, the time stamp of the previous block +-- +2.43.0 + diff --git a/queue-4.19/net-mlx5-improve-some-comments.patch b/queue-4.19/net-mlx5-improve-some-comments.patch new file mode 100644 index 00000000000..af88208af67 --- /dev/null +++ b/queue-4.19/net-mlx5-improve-some-comments.patch @@ -0,0 +1,35 @@ +From 291ebd0d02ffe0378d7a830293256da879cc1836 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2020 20:57:20 +0800 +Subject: net/mlx5: improve some comments + +From: Hu Haowen + +[ Upstream commit 6533380dfd003ea7636cb5672f4f85124b56328b ] + +Replaced "its" with "it's". + +Signed-off-by: Hu Haowen +Signed-off-by: Saeed Mahameed +Stable-dep-of: 4261edf11cb7 ("net/mlx5: Fix fw tracer first block check") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index 97e6b06b1bff3..21dbb25552140 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -651,7 +651,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + get_block_timestamp(tracer, &tmp_trace_block[TRACES_PER_BLOCK - 1]); + + while (block_timestamp > tracer->last_timestamp) { +- /* Check block override if its not the first block */ ++ /* Check block override if it's not the first block */ + if (!tracer->last_timestamp) { + u64 *ts_event; + /* To avoid block override be the HW in case of buffer +-- +2.43.0 + diff --git a/queue-4.19/net-rose-fix-races-in-rose_kill_by_device.patch b/queue-4.19/net-rose-fix-races-in-rose_kill_by_device.patch new file mode 100644 index 00000000000..d75ca6a56b3 --- /dev/null +++ b/queue-4.19/net-rose-fix-races-in-rose_kill_by_device.patch @@ -0,0 +1,177 @@ +From 1a9f980e764e6b7beac5c2f17b73a1ab8282e89c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 15:27:47 +0000 +Subject: net/rose: fix races in rose_kill_by_device() + +From: Eric Dumazet + +[ Upstream commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be ] + +syzbot found an interesting netdev refcounting issue in +net/rose/af_rose.c, thanks to CONFIG_NET_DEV_REFCNT_TRACKER=y [1] + +Problem is that rose_kill_by_device() can change rose->device +while other threads do not expect the pointer to be changed. + +We have to first collect sockets in a temporary array, +then perform the changes while holding the socket +lock and rose_list_lock spinlock (in this order) + +Change rose_release() to also acquire rose_list_lock +before releasing the netdev refcount. + +[1] + +[ 1185.055088][ T7889] ref_tracker: reference already released. +[ 1185.061476][ T7889] ref_tracker: allocated in: +[ 1185.066081][ T7889] rose_bind+0x4ab/0xd10 +[ 1185.070446][ T7889] __sys_bind+0x1ec/0x220 +[ 1185.074818][ T7889] __x64_sys_bind+0x72/0xb0 +[ 1185.079356][ T7889] do_syscall_64+0x40/0x110 +[ 1185.083897][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b +[ 1185.089835][ T7889] ref_tracker: freed in: +[ 1185.094088][ T7889] rose_release+0x2f5/0x570 +[ 1185.098629][ T7889] __sock_release+0xae/0x260 +[ 1185.103262][ T7889] sock_close+0x1c/0x20 +[ 1185.107453][ T7889] __fput+0x270/0xbb0 +[ 1185.111467][ T7889] task_work_run+0x14d/0x240 +[ 1185.116085][ T7889] get_signal+0x106f/0x2790 +[ 1185.120622][ T7889] arch_do_signal_or_restart+0x90/0x7f0 +[ 1185.126205][ T7889] exit_to_user_mode_prepare+0x121/0x240 +[ 1185.131846][ T7889] syscall_exit_to_user_mode+0x1e/0x60 +[ 1185.137293][ T7889] do_syscall_64+0x4d/0x110 +[ 1185.141783][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b +[ 1185.148085][ T7889] ------------[ cut here ]------------ + +WARNING: CPU: 1 PID: 7889 at lib/ref_tracker.c:255 ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255 +Modules linked in: +CPU: 1 PID: 7889 Comm: syz-executor.2 Not tainted 6.7.0-rc4-syzkaller-00162-g65c95f78917e #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +RIP: 0010:ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255 +Code: 00 44 8b 6b 18 31 ff 44 89 ee e8 21 62 f5 fc 45 85 ed 0f 85 a6 00 00 00 e8 a3 66 f5 fc 48 8b 34 24 48 89 ef e8 27 5f f1 05 90 <0f> 0b 90 bb ea ff ff ff e9 52 fd ff ff e8 84 66 f5 fc 4c 8d 6d 44 +RSP: 0018:ffffc90004917850 EFLAGS: 00010202 +RAX: 0000000000000201 RBX: ffff88802618f4c0 RCX: 0000000000000000 +RDX: 0000000000000202 RSI: ffffffff8accb920 RDI: 0000000000000001 +RBP: ffff8880269ea5b8 R08: 0000000000000001 R09: fffffbfff23e35f6 +R10: ffffffff91f1afb7 R11: 0000000000000001 R12: 1ffff92000922f0c +R13: 0000000005a2039b R14: ffff88802618f4d8 R15: 00000000ffffffff +FS: 00007f0a720ef6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f43a819d988 CR3: 0000000076c64000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +netdev_tracker_free include/linux/netdevice.h:4127 [inline] +netdev_put include/linux/netdevice.h:4144 [inline] +netdev_put include/linux/netdevice.h:4140 [inline] +rose_kill_by_device net/rose/af_rose.c:195 [inline] +rose_device_event+0x25d/0x330 net/rose/af_rose.c:218 +notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93 +call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1967 +call_netdevice_notifiers_extack net/core/dev.c:2005 [inline] +call_netdevice_notifiers net/core/dev.c:2019 [inline] +__dev_notify_flags+0x1f5/0x2e0 net/core/dev.c:8646 +dev_change_flags+0x122/0x170 net/core/dev.c:8682 +dev_ifsioc+0x9ad/0x1090 net/core/dev_ioctl.c:529 +dev_ioctl+0x224/0x1090 net/core/dev_ioctl.c:786 +sock_do_ioctl+0x198/0x270 net/socket.c:1234 +sock_ioctl+0x22e/0x6b0 net/socket.c:1339 +vfs_ioctl fs/ioctl.c:51 [inline] +__do_sys_ioctl fs/ioctl.c:871 [inline] +__se_sys_ioctl fs/ioctl.c:857 [inline] +__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x63/0x6b +RIP: 0033:0x7f0a7147cba9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f0a720ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f0a7159bf80 RCX: 00007f0a7147cba9 +RDX: 0000000020000040 RSI: 0000000000008914 RDI: 0000000000000004 +RBP: 00007f0a714c847a R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007f0a7159bf80 R15: 00007ffc8bb3a5f8 + + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Bernard Pidoux +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 39 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 34 insertions(+), 5 deletions(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index d32fb40650a75..015e475f5554b 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -184,21 +184,47 @@ void rose_kill_by_neigh(struct rose_neigh *neigh) + */ + static void rose_kill_by_device(struct net_device *dev) + { +- struct sock *s; ++ struct sock *sk, *array[16]; ++ struct rose_sock *rose; ++ bool rescan; ++ int i, cnt; + ++start: ++ rescan = false; ++ cnt = 0; + spin_lock_bh(&rose_list_lock); +- sk_for_each(s, &rose_list) { +- struct rose_sock *rose = rose_sk(s); ++ sk_for_each(sk, &rose_list) { ++ rose = rose_sk(sk); ++ if (rose->device == dev) { ++ if (cnt == ARRAY_SIZE(array)) { ++ rescan = true; ++ break; ++ } ++ sock_hold(sk); ++ array[cnt++] = sk; ++ } ++ } ++ spin_unlock_bh(&rose_list_lock); + ++ for (i = 0; i < cnt; i++) { ++ sk = array[cnt]; ++ rose = rose_sk(sk); ++ lock_sock(sk); ++ spin_lock_bh(&rose_list_lock); + if (rose->device == dev) { +- rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0); ++ rose_disconnect(sk, ENETUNREACH, ROSE_OUT_OF_ORDER, 0); + if (rose->neighbour) + rose->neighbour->use--; + dev_put(rose->device); + rose->device = NULL; + } ++ spin_unlock_bh(&rose_list_lock); ++ release_sock(sk); ++ sock_put(sk); ++ cond_resched(); + } +- spin_unlock_bh(&rose_list_lock); ++ if (rescan) ++ goto start; + } + + /* +@@ -658,7 +684,10 @@ static int rose_release(struct socket *sock) + break; + } + ++ spin_lock_bh(&rose_list_lock); + dev_put(rose->device); ++ rose->device = NULL; ++ spin_unlock_bh(&rose_list_lock); + sock->sk = NULL; + release_sock(sk); + sock_put(sk); +-- +2.43.0 + diff --git a/queue-4.19/net-sched-ife-fix-potential-use-after-free.patch b/queue-4.19/net-sched-ife-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..f15dbaffce0 --- /dev/null +++ b/queue-4.19/net-sched-ife-fix-potential-use-after-free.patch @@ -0,0 +1,238 @@ +From 91b0f15112a3b66f4aa316ce634ff169060aa78e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 11:30:38 +0000 +Subject: net: sched: ife: fix potential use-after-free + +From: Eric Dumazet + +[ Upstream commit 19391a2ca98baa7b80279306cdf7dd43f81fa595 ] + +ife_decode() calls pskb_may_pull() two times, we need to reload +ifehdr after the second one, or risk use-after-free as reported +by syzbot: + +BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline] +BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131 +Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323 + +CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d5b95 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +Call Trace: + +__dump_stack lib/dump_stack.c:88 [inline] +dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 +print_address_description mm/kasan/report.c:364 [inline] +print_report+0xc4/0x620 mm/kasan/report.c:475 +kasan_report+0xda/0x110 mm/kasan/report.c:588 +__ife_tlv_meta_valid net/ife/ife.c:108 [inline] +ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131 +tcf_ife_decode net/sched/act_ife.c:739 [inline] +tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879 +tc_act include/net/tc_wrapper.h:221 [inline] +tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079 +tcf_exts_exec include/net/pkt_cls.h:344 [inline] +mall_classify+0x201/0x310 net/sched/cls_matchall.c:42 +tc_classify include/net/tc_wrapper.h:227 [inline] +__tcf_classify net/sched/cls_api.c:1703 [inline] +tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800 +hfsc_classify net/sched/sch_hfsc.c:1147 [inline] +hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546 +dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739 +__dev_xmit_skb net/core/dev.c:3828 [inline] +__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311 +dev_queue_xmit include/linux/netdevice.h:3165 [inline] +packet_xmit+0x237/0x350 net/packet/af_packet.c:276 +packet_snd net/packet/af_packet.c:3081 [inline] +packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b +RIP: 0033:0x7fe9acc7cae9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9 +RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003 +RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014 +R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78 + + +Allocated by task 22323: +kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 +kasan_set_track+0x25/0x30 mm/kasan/common.c:52 +____kasan_kmalloc mm/kasan/common.c:374 [inline] +__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383 +kasan_kmalloc include/linux/kasan.h:198 [inline] +__do_kmalloc_node mm/slab_common.c:1007 [inline] +__kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027 +kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582 +__alloc_skb+0x12b/0x330 net/core/skbuff.c:651 +alloc_skb include/linux/skbuff.h:1298 [inline] +alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 +sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 +packet_alloc_skb net/packet/af_packet.c:2930 [inline] +packet_snd net/packet/af_packet.c:3024 [inline] +packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Freed by task 22323: +kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 +kasan_set_track+0x25/0x30 mm/kasan/common.c:52 +kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522 +____kasan_slab_free mm/kasan/common.c:236 [inline] +____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200 +kasan_slab_free include/linux/kasan.h:164 [inline] +slab_free_hook mm/slub.c:1800 [inline] +slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826 +slab_free mm/slub.c:3809 [inline] +__kmem_cache_free+0xc0/0x180 mm/slub.c:3822 +skb_kfree_head net/core/skbuff.c:950 [inline] +skb_free_head+0x110/0x1b0 net/core/skbuff.c:962 +pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130 +__pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655 +pskb_may_pull_reason include/linux/skbuff.h:2685 [inline] +pskb_may_pull include/linux/skbuff.h:2693 [inline] +ife_decode+0x394/0x4f0 net/ife/ife.c:82 +tcf_ife_decode net/sched/act_ife.c:727 [inline] +tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879 +tc_act include/net/tc_wrapper.h:221 [inline] +tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079 +tcf_exts_exec include/net/pkt_cls.h:344 [inline] +mall_classify+0x201/0x310 net/sched/cls_matchall.c:42 +tc_classify include/net/tc_wrapper.h:227 [inline] +__tcf_classify net/sched/cls_api.c:1703 [inline] +tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800 +hfsc_classify net/sched/sch_hfsc.c:1147 [inline] +hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546 +dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739 +__dev_xmit_skb net/core/dev.c:3828 [inline] +__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311 +dev_queue_xmit include/linux/netdevice.h:3165 [inline] +packet_xmit+0x237/0x350 net/packet/af_packet.c:276 +packet_snd net/packet/af_packet.c:3081 [inline] +packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +The buggy address belongs to the object at ffff88802d730000 +which belongs to the cache kmalloc-8k of size 8192 +The buggy address is located 164 bytes inside of +freed 8192-byte region [ffff88802d730000, ffff88802d732000) + +The buggy address belongs to the physical page: +page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730 +head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) +page_type: 0xffffffff() +raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000 +raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461 +set_page_owner include/linux/page_owner.h:31 [inline] +post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544 +prep_new_page mm/page_alloc.c:1551 [inline] +get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319 +__alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575 +alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133 +alloc_slab_page mm/slub.c:1870 [inline] +allocate_slab mm/slub.c:2017 [inline] +new_slab+0x283/0x3c0 mm/slub.c:2070 +___slab_alloc+0x979/0x1500 mm/slub.c:3223 +__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322 +__slab_alloc_node mm/slub.c:3375 [inline] +slab_alloc_node mm/slub.c:3468 [inline] +__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517 +__do_kmalloc_node mm/slab_common.c:1006 [inline] +__kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027 +kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582 +__alloc_skb+0x12b/0x330 net/core/skbuff.c:651 +alloc_skb include/linux/skbuff.h:1298 [inline] +alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 +sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 +packet_alloc_skb net/packet/af_packet.c:2930 [inline] +packet_snd net/packet/af_packet.c:3024 [inline] +packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +page last free stack trace: +reset_page_owner include/linux/page_owner.h:24 [inline] +free_pages_prepare mm/page_alloc.c:1144 [inline] +free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354 +free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494 +__unfreeze_partials+0x226/0x240 mm/slub.c:2655 +qlink_free mm/kasan/quarantine.c:168 [inline] +qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 +kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294 +__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305 +kasan_slab_alloc include/linux/kasan.h:188 [inline] +slab_post_alloc_hook mm/slab.h:763 [inline] +slab_alloc_node mm/slub.c:3478 [inline] +slab_alloc mm/slub.c:3486 [inline] +__kmem_cache_alloc_lru mm/slub.c:3493 [inline] +kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509 +alloc_inode_sb include/linux/fs.h:2937 [inline] +ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408 +alloc_inode+0x5d/0x220 fs/inode.c:261 +new_inode_pseudo fs/inode.c:1006 [inline] +new_inode+0x22/0x260 fs/inode.c:1032 +__ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958 +ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398 +vfs_symlink fs/namei.c:4464 [inline] +vfs_symlink+0x3e5/0x620 fs/namei.c:4448 +do_symlinkat+0x25f/0x310 fs/namei.c:4490 +__do_sys_symlinkat fs/namei.c:4506 [inline] +__se_sys_symlinkat fs/namei.c:4503 [inline] +__x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 + +Fixes: d57493d6d1be ("net: sched: ife: check on metadata length") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Jamal Hadi Salim +Cc: Alexander Aring +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ife/ife.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ife/ife.c b/net/ife/ife.c +index 13bbf8cb6a396..be05b690b9ef2 100644 +--- a/net/ife/ife.c ++++ b/net/ife/ife.c +@@ -82,6 +82,7 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen) + if (unlikely(!pskb_may_pull(skb, total_pull))) + return NULL; + ++ ifehdr = (struct ifeheadr *)(skb->data + skb->dev->hard_header_len); + skb_set_mac_header(skb, total_pull); + __skb_pull(skb, total_pull); + *metalen = ifehdrln - IFE_METAHDRLEN; +-- +2.43.0 + diff --git a/queue-4.19/net-warn-if-gso_type-isn-t-set-for-a-gso-skb.patch b/queue-4.19/net-warn-if-gso_type-isn-t-set-for-a-gso-skb.patch new file mode 100644 index 00000000000..d000fb51f4b --- /dev/null +++ b/queue-4.19/net-warn-if-gso_type-isn-t-set-for-a-gso-skb.patch @@ -0,0 +1,49 @@ +From 682d37842719da6758569bf59701d52a015fd500 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Nov 2020 00:22:20 +0100 +Subject: net: warn if gso_type isn't set for a GSO SKB + +From: Heiner Kallweit + +[ Upstream commit 1d155dfdf50efc2b0793bce93c06d1a5b23d0877 ] + +In bug report [0] a warning in r8169 driver was reported that was +caused by an invalid GSO SKB (gso_type was 0). See [1] for a discussion +about this issue. Still the origin of the invalid GSO SKB isn't clear. + +It shouldn't be a network drivers task to check for invalid GSO SKB's. +Also, even if issue [0] can be fixed, we can't be sure that a +similar issue doesn't pop up again at another place. +Therefore let gso_features_check() check for such invalid GSO SKB's. + +[0] https://bugzilla.kernel.org/show_bug.cgi?id=209423 +[1] https://www.spinics.net/lists/netdev/msg690794.html + +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/97c78d21-7f0b-d843-df17-3589f224d2cf@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 24ab059d2ebd ("net: check dev->gso_max_size in gso_features_check()") +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 0f9214fb36e01..ea05db68aa95a 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3200,6 +3200,11 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb, + if (gso_segs > dev->gso_max_segs) + return features & ~NETIF_F_GSO_MASK; + ++ if (!skb_shinfo(skb)->gso_type) { ++ skb_warn_bad_offload(skb); ++ return features & ~NETIF_F_GSO_MASK; ++ } ++ + /* Support for GSO partial features requires software + * intervention before we can actually process the packets + * so we need to strip support for any partial features now +-- +2.43.0 + diff --git a/queue-4.19/reset-fix-crash-when-freeing-non-existent-optional-r.patch b/queue-4.19/reset-fix-crash-when-freeing-non-existent-optional-r.patch new file mode 100644 index 00000000000..bd3199f2754 --- /dev/null +++ b/queue-4.19/reset-fix-crash-when-freeing-non-existent-optional-r.patch @@ -0,0 +1,50 @@ +From ee854c1285102b29dbfab8d1cf2c4cc6c87f5bee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 17:55:33 +0100 +Subject: reset: Fix crash when freeing non-existent optional resets + +From: Geert Uytterhoeven + +[ Upstream commit 4a6756f56bcf8e64c87144a626ce53aea4899c0e ] + +When obtaining one or more optional resets, non-existent resets are +stored as NULL pointers, and all related error and cleanup paths need to +take this into account. + +Currently only reset_control_put() and reset_control_bulk_put() +get this right. All of __reset_control_bulk_get(), +of_reset_control_array_get(), and reset_control_array_put() lack the +proper checking, causing NULL pointer dereferences on failure or +release. + +Fix this by moving the existing check from reset_control_bulk_put() to +__reset_control_put_internal(), so it applies to all callers. +The double check in reset_control_put() doesn't hurt. + +Fixes: 17c82e206d2a3cd8 ("reset: Add APIs to manage array of resets") +Fixes: 48d71395896d54ee ("reset: Add reset_control_bulk API") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/2440edae7ca8534628cdbaf559ded288f2998178.1701276806.git.geert+renesas@glider.be +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/reset/core.c b/drivers/reset/core.c +index ccb97f4e31c38..1680d27040c9b 100644 +--- a/drivers/reset/core.c ++++ b/drivers/reset/core.c +@@ -459,6 +459,9 @@ static void __reset_control_put_internal(struct reset_control *rstc) + { + lockdep_assert_held(&reset_list_mutex); + ++ if (IS_ERR_OR_NULL(rstc)) ++ return; ++ + kref_put(&rstc->refcnt, __reset_control_release); + } + +-- +2.43.0 + diff --git a/queue-4.19/s390-vx-fix-save-restore-of-fpu-kernel-context.patch b/queue-4.19/s390-vx-fix-save-restore-of-fpu-kernel-context.patch new file mode 100644 index 00000000000..9d52de71971 --- /dev/null +++ b/queue-4.19/s390-vx-fix-save-restore-of-fpu-kernel-context.patch @@ -0,0 +1,49 @@ +From 2f746850fb93801721d44a9ec905ec019397d129 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 15:03:15 +0100 +Subject: s390/vx: fix save/restore of fpu kernel context + +From: Heiko Carstens + +[ Upstream commit e6b2dab41888332bf83f592131e7ea07756770a4 ] + +The KERNEL_FPR mask only contains a flag for the first eight vector +registers. However floating point registers overlay parts of the first +sixteen vector registers. + +This could lead to vector register corruption if a kernel fpu context uses +any of the vector registers 8 to 15 and is interrupted or calls a +KERNEL_FPR context. If that context uses also vector registers 8 to 15, +their contents will be corrupted on return. + +Luckily this is currently not a real bug, since the kernel has only one +KERNEL_FPR user with s390_adjust_jiffies() and it is only using floating +point registers 0 to 2. + +Fix this by using the correct bits for KERNEL_FPR. + +Fixes: 7f79695cc1b6 ("s390/fpu: improve kernel_fpu_[begin|end]") +Signed-off-by: Heiko Carstens +Reviewed-by: Hendrik Brueckner +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/fpu/api.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/include/asm/fpu/api.h b/arch/s390/include/asm/fpu/api.h +index 34a7ae68485c6..be16a6c0f1276 100644 +--- a/arch/s390/include/asm/fpu/api.h ++++ b/arch/s390/include/asm/fpu/api.h +@@ -76,7 +76,7 @@ static inline int test_fp_ctl(u32 fpc) + #define KERNEL_VXR_HIGH (KERNEL_VXR_V16V23|KERNEL_VXR_V24V31) + + #define KERNEL_VXR (KERNEL_VXR_LOW|KERNEL_VXR_HIGH) +-#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_V0V7) ++#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_LOW) + + struct kernel_fpu; + +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 0324b7a7193..0b161b05469 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -3,3 +3,16 @@ alsa-hda-realtek-add-quirk-for-lenovo-tianyi510pro-1.patch alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch alsa-hda-realtek-enable-headset-on-lenovo-m90-gen5.patch ksmbd-fix-wrong-name-of-smb2_create_allocation_size.patch +arm-omap2-fix-null-pointer-dereference-and-memory-le.patch +reset-fix-crash-when-freeing-non-existent-optional-r.patch +s390-vx-fix-save-restore-of-fpu-kernel-context.patch +wifi-mac80211-mesh_plink-fix-matches_local-logic.patch +net-mlx5-improve-some-comments.patch +net-mlx5-fix-fw-tracer-first-block-check.patch +net-sched-ife-fix-potential-use-after-free.patch +ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch +net-rose-fix-races-in-rose_kill_by_device.patch +net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch +afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch +net-warn-if-gso_type-isn-t-set-for-a-gso-skb.patch +net-check-dev-gso_max_size-in-gso_features_check.patch diff --git a/queue-4.19/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch b/queue-4.19/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch new file mode 100644 index 00000000000..f6830ecf53d --- /dev/null +++ b/queue-4.19/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch @@ -0,0 +1,52 @@ +From 0aed0e5ef71e0d16fd1cda8a20a7afddb292f4b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 09:05:31 +0200 +Subject: wifi: mac80211: mesh_plink: fix matches_local logic + +From: Johannes Berg + +[ Upstream commit 8c386b166e2517cf3a123018e77941ec22625d0f ] + +During refactoring the "else" here got lost, add it back. + +Fixes: c99a89edb106 ("mac80211: factor out plink event gathering") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231211085121.795480fa0e0b.I017d501196a5bbdcd9afd33338d342d6fe1edd79@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_plink.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c +index 5b5b0f95ffd13..c7f47dba884e8 100644 +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -1022,8 +1022,8 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata, + case WLAN_SP_MESH_PEERING_OPEN: + if (!matches_local) + event = OPN_RJCT; +- if (!mesh_plink_free_count(sdata) || +- (sta->mesh->plid && sta->mesh->plid != plid)) ++ else if (!mesh_plink_free_count(sdata) || ++ (sta->mesh->plid && sta->mesh->plid != plid)) + event = OPN_IGNR; + else + event = OPN_ACPT; +@@ -1031,9 +1031,9 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata, + case WLAN_SP_MESH_PEERING_CONFIRM: + if (!matches_local) + event = CNF_RJCT; +- if (!mesh_plink_free_count(sdata) || +- sta->mesh->llid != llid || +- (sta->mesh->plid && sta->mesh->plid != plid)) ++ else if (!mesh_plink_free_count(sdata) || ++ sta->mesh->llid != llid || ++ (sta->mesh->plid && sta->mesh->plid != plid)) + event = CNF_IGNR; + else + event = CNF_ACPT; +-- +2.43.0 +