From: Sasha Levin Date: Thu, 12 Nov 2020 17:05:32 +0000 (-0500) Subject: Fixes for 4.4 X-Git-Tag: v4.4.244~73 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1cd0068dadbe59fbaf1dc92755a3e01c48aab4f0;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.4/btrfs-fix-missing-error-return-if-writeback-for-exte.patch b/queue-4.4/btrfs-fix-missing-error-return-if-writeback-for-exte.patch
new file mode 100644
index 00000000000..da9744a8f10
--- /dev/null
+++ b/queue-4.4/btrfs-fix-missing-error-return-if-writeback-for-exte.patch
@@ -0,0 +1,47 @@
+From 0271973ca04afeb73ba95854899ba2ad8bcf4d87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Sep 2019 17:42:28 +0100
+Subject: Btrfs: fix missing error return if writeback for extent buffer never
+ started
+
+From: Filipe Manana
+
+[ Upstream commit 0607eb1d452d45c5ac4c745a9e9e0d95152ea9d0 ]
+
+If lock_extent_buffer_for_io() fails, it returns a negative value, but its
+caller btree_write_cache_pages() ignores such error. This means that a
+call to flush_write_bio(), from lock_extent_buffer_for_io(), might have
+failed. We should make btree_write_cache_pages() notice such error values
+and stop immediatelly, making sure filemap_fdatawrite_range() returns an
+error to the transaction commit path. A failure from flush_write_bio()
+should also result in the endio callback end_bio_extent_buffer_writepage()
+being invoked, which sets the BTRFS_FS_*_ERR bits appropriately, so that
+there's no risk a transaction or log commit doesn't catch a writeback
+failure.
+
+Reviewed-by: Josef Bacik
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/extent_io.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
+index 97a80238fdee3..b28bc7690d4b3 100644
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -4000,6 +4000,10 @@ int btree_write_cache_pages(struct address_space *mapping,
+ if (!ret) {
+ free_extent_buffer(eb);
+ continue;
++ } else if (ret < 0) {
++ done = 1;
++ free_extent_buffer(eb);
++ break;
+ }
+
+ ret = write_one_eb(eb, fs_info, wbc, &epd);
+--
+2.27.0
+
diff --git a/queue-4.4/geneve-add-transport-ports-in-route-lookup-for-genev.patch b/queue-4.4/geneve-add-transport-ports-in-route-lookup-for-genev.patch
new file mode 100644
index 00000000000..9fa1226aded
--- /dev/null
+++ b/queue-4.4/geneve-add-transport-ports-in-route-lookup-for-genev.patch
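Review bot: The new `else if (ret < 0)` branch in btree_write_cache_pages() only has an effect if lock_extent_buffer_for_io() can actually return a negative value in the 4.4 tree, and that function is not part of this hunk. The commit message relies on a flush_write_bio() failure being reported through it, so the backport should be checked against the 4.4 definition; if it still returns only 0 or 1 there, the branch is dead code and the error is still not propagated from this path. Either way, a short comment above `done = 1;` such as `/* lock_extent_buffer_for_io() failed: stop and hand the error back to the caller */` would make the intent clear. The body of btree_write_cache_pages() starts and ends outside the hunk.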
@@ -0,0 +1,182 @@
+From d7ecaf473281fb0f96ada3ad3d065811f3d2e3ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Sep 2020 05:19:35 -0400
+Subject: geneve: add transport ports in route lookup for geneve
+
+From: Mark Gray
+
+commit 34beb21594519ce64a55a498c2fe7d567bc1ca20 upstream.
+
+This patch adds transport ports information for route lookup so that
+IPsec can select Geneve tunnel traffic to do encryption. This is
+needed for OVS/OVN IPsec with encrypted Geneve tunnels.
+
+This can be tested by configuring a host-host VPN using an IKE
+daemon and specifying port numbers. For example, for an
+Openswan-type configuration, the following parameters should be
+configured on both hosts and IPsec set up as-per normal:
+
+$ cat /etc/ipsec.conf
+
+conn in
+...
+left=$IP1
+right=$IP2
+...
+leftprotoport=udp/6081
+rightprotoport=udp
+...
+conn out
+...
+left=$IP1
+right=$IP2
+...
+leftprotoport=udp
+rightprotoport=udp/6081
+...
+
+The tunnel can then be setup using "ip" on both hosts (but
+changing the relevant IP addresses):
+
+$ ip link add tun type geneve id 1000 remote $IP2
+$ ip addr add 192.168.0.1/24 dev tun
+$ ip link set tun up
+
+This can then be tested by pinging from $IP1:
+
+$ ping 192.168.0.2
+
+Without this patch the traffic is unencrypted on the wire.
+
+Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
+Signed-off-by: Qiuyu Xiao
+Signed-off-by: Mark Gray
+Reviewed-by: Greg Rose
+Signed-off-by: David S. Miller
+[bwh: Backported to 4.4:
+ - Use geneve->dst_port instead of geneve->cfg.info.key.tp_dst
+ - Adjust context]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Sasha Levin
+---
+ drivers/net/geneve.c | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
+index ec13e2ae6d16e..ee38299f9c578 100644
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -711,7 +711,8 @@ static int geneve6_build_skb(struct dst_entry *dst, struct sk_buff *skb,
+ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
+ struct net_device *dev,
+ struct flowi4 *fl4,
+- struct ip_tunnel_info *info)
++ struct ip_tunnel_info *info,
++ __be16 dport, __be16 sport)
+ {
+ struct geneve_dev *geneve = netdev_priv(dev);
+ struct rtable *rt = NULL;
+@@ -720,6 +721,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
+ memset(fl4, 0, sizeof(*fl4));
+ fl4->flowi4_mark = skb->mark;
+ fl4->flowi4_proto = IPPROTO_UDP;
++ fl4->fl4_dport = dport;
++ fl4->fl4_sport = sport;
+
+ if (info) {
+ fl4->daddr = info->key.u.ipv4.dst;
+@@ -754,7 +757,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
+ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
+ struct net_device *dev,
+ struct flowi6 *fl6,
+- struct ip_tunnel_info *info)
++ struct ip_tunnel_info *info,
++ __be16 dport, __be16 sport)
+ {
+ struct geneve_dev *geneve = netdev_priv(dev);
+ struct geneve_sock *gs6 = geneve->sock6;
+@@ -764,6 +768,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
+ memset(fl6, 0, sizeof(*fl6));
+ fl6->flowi6_mark = skb->mark;
+ fl6->flowi6_proto = IPPROTO_UDP;
++ fl6->fl6_dport = dport;
++ fl6->fl6_sport = sport;
+
+ if (info) {
+ fl6->daddr = info->key.u.ipv6.dst;
+@@ -834,13 +840,14 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev,
+ goto tx_error;
+ }
+
+- rt = geneve_get_v4_rt(skb, dev, &fl4, info);
++ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
++ rt = geneve_get_v4_rt(skb, dev, &fl4, info,
++ geneve->dst_port, sport);
+ if (IS_ERR(rt)) {
+ err = PTR_ERR(rt);
+ goto tx_error;
+ }
+
+- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ skb_reset_mac_header(skb);
+
+ if (info) {
+@@ -916,13 +923,14 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
+ }
+ }
+
+- dst = geneve_get_v6_dst(skb, dev, &fl6, info);
++ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
++ dst = geneve_get_v6_dst(skb, dev, &fl6, info,
++ geneve->dst_port, sport);
+ if (IS_ERR(dst)) {
+ err = PTR_ERR(dst);
+ goto tx_error;
+ }
+
+- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ skb_reset_mac_header(skb);
+
+ if (info) {
+@@ -1011,9 +1019,14 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
+ struct dst_entry *dst;
+ struct flowi6 fl6;
+ #endif
++ __be16 sport;
+
+ if (ip_tunnel_info_af(info) == AF_INET) {
+- rt = geneve_get_v4_rt(skb, dev, &fl4, info);
++ sport = udp_flow_src_port(geneve->net, skb,
++ 1, USHRT_MAX, true);
++
++ rt = geneve_get_v4_rt(skb, dev, &fl4, info,
++ geneve->dst_port, sport);
+ if (IS_ERR(rt))
+ return PTR_ERR(rt);
+
+@@ -1021,7 +1034,11 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
+ info->key.u.ipv4.src = fl4.saddr;
+ #if IS_ENABLED(CONFIG_IPV6)
+ } else if (ip_tunnel_info_af(info) == AF_INET6) {
+- dst = geneve_get_v6_dst(skb, dev, &fl6, info);
++ sport = udp_flow_src_port(geneve->net, skb,
++ 1, USHRT_MAX, true);
++
++ dst = geneve_get_v6_dst(skb, dev, &fl6, info,
++ geneve->dst_port, sport);
+ if (IS_ERR(dst))
+ return PTR_ERR(dst);
+
+@@ -1032,8 +1049,7 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
+ return -EINVAL;
+ }
+
+- info->key.tp_src = udp_flow_src_port(geneve->net, skb,
+- 1, USHRT_MAX, true);
++ info->key.tp_src = sport;
+ info->key.tp_dst = geneve->dst_port;
+ return 0;
+ }
+--
+2.27.0
+
diff --git a/queue-4.4/i40e-fix-of-memory-leak-and-integer-truncation-in-i4.patch b/queue-4.4/i40e-fix-of-memory-leak-and-integer-truncation-in-i4.patch
new file mode 100644
index 00000000000..94763fe9b51
--- /dev/null
+++ b/queue-4.4/i40e-fix-of-memory-leak-and-integer-truncation-in-i4.patch
@@ -0,0 +1,42 @@
+From 1dd0ef4aecb53370b3495701a553a32c62f7d68b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Apr 2019 14:43:07 -0700
+Subject: i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
+
+From: Martyna Szapar
+
+commit 24474f2709af6729b9b1da1c5e160ab62e25e3a4 upstream.
+
+Fixed possible memory leak in i40e_vc_add_cloud_filter function:
+cfilter is being allocated and in some error conditions
+the function returns without freeing the memory.
+
+Fix of integer truncation from u16 (type of queue_id value) to u8
+when calling i40e_vc_isvalid_queue_id function.
+
+Signed-off-by: Martyna Szapar
+Signed-off-by: Jeff Kirsher
+[bwh: Backported to 4.4: i40e_vc_add_cloud_filter() does not exist
+ but the integer truncation is still possible]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 18e10357f1d0b..b4b4d46da1734 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -188,7 +188,7 @@ static inline bool i40e_vc_isvalid_vsi_id(struct i40e_vf *vf, u16 vsi_id)
+ * check for the valid queue id
+ **/
+ static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id,
+- u8 qid)
++ u16 qid)
+ {
+ struct i40e_pf *pf = vf->pf;
+ struct i40e_vsi *vsi = i40e_find_vsi_from_id(pf, vsi_id);
+--
+2.27.0
+
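Review bot: The new `dport`/`sport` parameters of geneve_get_v4_rt() and geneve_get_v6_dst() are undocumented, and the `sport` every caller passes is the per-flow result of `udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true)`, which matters to anyone writing IPsec selectors against this lookup. I would add a comment above `fl4->fl4_dport = dport;` and its fl6 counterpart, for example `/* ports feed the IPsec policy lookup; sport is flow-hashed, so selectors should key on dport */`. In geneve_fill_metadata_dst() the same `udp_flow_src_port()` call is now repeated in the AF_INET and AF_INET6 branches; the `return -EINVAL;` shown as context appears to cover every other case before `info->key.tp_src = sport;`, but a single call ahead of the `if` would be easier to audit for an uninitialised `sport`. All of these functions start or end outside their hunks.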
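Review bot: Widening `qid` to `u16` in i40e_vc_isvalid_queue_id() only helps if every caller also holds the queue id (presumably VF-supplied) in a variable at least that wide, and the call sites are outside this hunk. The same applies to the companion patch that changes `vector_id` to `u32` in i40e_vc_isvalid_vector_id(): its commit message says the arguments were changed to u32, but the visible diff is a one-line signature change. It would be worth checking the 4.4 callers for any `u8` locals that still narrow the value before it reaches these validators, since a truncated id could pass the check while the full-width value is used afterwards.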
diff --git a/queue-4.4/i40e-wrong-truncation-from-u16-to-u8.patch b/queue-4.4/i40e-wrong-truncation-from-u16-to-u8.patch
new file mode 100644
index 00000000000..684368c67e5
--- /dev/null
+++ b/queue-4.4/i40e-wrong-truncation-from-u16-to-u8.patch
@@ -0,0 +1,40 @@
+From 9725725b51945b642b99ffcf8b5a85f3e8c073ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 Mar 2019 15:08:37 -0700
+Subject: i40e: Wrong truncation from u16 to u8
+
+From: Grzegorz Siwik
+
+commit c004804dceee9ca384d97d9857ea2e2795c2651d upstream.
+
+In this patch fixed wrong truncation method from u16 to u8 during
+validation.
+
+It was changed by changing u8 to u32 parameter in method declaration
+and arguments were changed to u32.
+
+Signed-off-by: Grzegorz Siwik
+Tested-by: Andrew Bowers
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Ben Hutchings
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index cdb263875efb3..18e10357f1d0b 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -203,7 +203,7 @@ static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id,
+ *
+ * check for the valid vector id
+ **/
+-static inline bool i40e_vc_isvalid_vector_id(struct i40e_vf *vf, u8 vector_id)
++static inline bool i40e_vc_isvalid_vector_id(struct i40e_vf *vf, u32 vector_id)
+ {
+ struct i40e_pf *pf = vf->pf;
+
+--
+2.27.0
+
diff --git a/queue-4.4/pinctrl-devicetree-avoid-taking-direct-reference-to-.patch b/queue-4.4/pinctrl-devicetree-avoid-taking-direct-reference-to-.patch
new file mode 100644
index 00000000000..0c6de5b0961
--- /dev/null
+++ b/queue-4.4/pinctrl-devicetree-avoid-taking-direct-reference-to-.patch
@@ -0,0 +1,115 @@
+From 409b382688e1000eb0185d7bf9677347b462cfe1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Oct 2019 13:42:06 +0100
+Subject: pinctrl: devicetree: Avoid taking direct reference to device name
+ string
+
+From: Will Deacon
+
+commit be4c60b563edee3712d392aaeb0943a768df7023 upstream.
+
+When populating the pinctrl mapping table entries for a device, the
+'dev_name' field for each entry is initialised to point directly at the
+string returned by 'dev_name()' for the device and subsequently used by
+'create_pinctrl()' when looking up the mappings for the device being
+probed.
+
+This is unreliable in the presence of calls to 'dev_set_name()', which may
+reallocate the device name string leaving the pinctrl mappings with a
+dangling reference. This then leads to a use-after-free every time the
+name is dereferenced by a device probe:
+
+ | BUG: KASAN: invalid-access in strcmp+0x20/0x64
+ | Read of size 1 at addr 13ffffc153494b00 by task modprobe/590
+ | Pointer tag: [13], memory tag: [fe]
+ |
+ | Call trace:
+ | __kasan_report+0x16c/0x1dc
+ | kasan_report+0x10/0x18
+ | check_memory_region
+ | __hwasan_load1_noabort+0x4c/0x54
+ | strcmp+0x20/0x64
+ | create_pinctrl+0x18c/0x7f4
+ | pinctrl_get+0x90/0x114
+ | devm_pinctrl_get+0x44/0x98
+ | pinctrl_bind_pins+0x5c/0x450
+ | really_probe+0x1c8/0x9a4
+ | driver_probe_device+0x120/0x1d8
+
+Follow the example of sysfs, and duplicate the device name string before
+stashing it away in the pinctrl mapping entries.
+
+Cc: Linus Walleij
+Reported-by: Elena Petrova
+Tested-by: Elena Petrova
+Signed-off-by: Will Deacon
+Link: https://lore.kernel.org/r/20191002124206.22928-1-will@kernel.org
+Signed-off-by: Linus Walleij
+[bwh: Backported to 4.4: adjust context]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/devicetree.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pinctrl/devicetree.c b/drivers/pinctrl/devicetree.c
+index fe04e748dfe4b..eb8c29f3e16ef 100644
+--- a/drivers/pinctrl/devicetree.c
++++ b/drivers/pinctrl/devicetree.c
+@@ -40,6 +40,13 @@ struct pinctrl_dt_map {
+ static void dt_free_map(struct pinctrl_dev *pctldev,
+ struct pinctrl_map *map, unsigned num_maps)
+ {
++ int i;
++
++ for (i = 0; i < num_maps; ++i) {
++ kfree_const(map[i].dev_name);
++ map[i].dev_name = NULL;
++ }
++
+ if (pctldev) {
+ const struct pinctrl_ops *ops = pctldev->desc->pctlops;
+ ops->dt_free_map(pctldev, map, num_maps);
+@@ -73,7 +80,13 @@ static int dt_remember_or_free_map(struct pinctrl *p, const char *statename,
+
+ /* Initialize common mapping table entry fields */
+ for (i = 0; i < num_maps; i++) {
+- map[i].dev_name = dev_name(p->dev);
++ const char *devname;
++
++ devname = kstrdup_const(dev_name(p->dev), GFP_KERNEL);
++ if (!devname)
++ goto err_free_map;
++
++ map[i].dev_name = devname;
+ map[i].name = statename;
+ if (pctldev)
+ map[i].ctrl_dev_name = dev_name(pctldev->dev);
+@@ -81,11 +94,8 @@ static int dt_remember_or_free_map(struct pinctrl *p, const char *statename,
+
+ /* Remember the converted mapping table entries */
+ dt_map = kzalloc(sizeof(*dt_map), GFP_KERNEL);
+- if (!dt_map) {
+- dev_err(p->dev, "failed to alloc struct pinctrl_dt_map\n");
+- dt_free_map(pctldev, map, num_maps);
+- return -ENOMEM;
+- }
++ if (!dt_map)
++ goto err_free_map;
+
+ dt_map->pctldev = pctldev;
+ dt_map->map = map;
+@@ -93,6 +103,10 @@ static int dt_remember_or_free_map(struct pinctrl *p, const char *statename,
+ list_add_tail(&dt_map->node, &p->dt_maps);
+
+ return pinctrl_register_map(map, num_maps, false);
++
++err_free_map:
++ dt_free_map(pctldev, map, num_maps);
++ return -ENOMEM;
+ }
+
+ struct pinctrl_dev *of_pinctrl_get(struct device_node *np)
+--
+2.27.0
+
diff --git a/queue-4.4/series b/queue-4.4/series
index be57bff9d14..548299ed933 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -11,3 +11,8 @@ can-dev-__can_get_echo_skb-fix-real-payload-length-r.patch
 can-can_create_echo_skb-fix-echo-skb-generation-alwa.patch
 can-peak_usb-add-range-checking-in-decode-operations.patch
 can-peak_usb-peak_usb_get_ts_time-fix-timestamp-wrap.patch
+btrfs-fix-missing-error-return-if-writeback-for-exte.patch
+pinctrl-devicetree-avoid-taking-direct-reference-to-.patch
+i40e-wrong-truncation-from-u16-to-u8.patch
+i40e-fix-of-memory-leak-and-integer-truncation-in-i4.patch
+geneve-add-transport-ports-in-route-lookup-for-genev.patch
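Review bot: On a kstrdup_const() failure part-way through the loop in dt_remember_or_free_map(), `goto err_free_map` reaches dt_free_map(), which now calls `kfree_const(map[i].dev_name)` for all num_maps entries, including those the loop has not yet assigned. That is only safe if the map array handed in already has dev_name set to NULL, which depends on how the caller allocated it and is not visible in these hunks. Clearing the field for every entry in a first pass (`map[i].dev_name = NULL;`) before duplicating, or freeing only the entries already filled, would remove that dependency. In dt_free_map() the index is declared `int i` while num_maps is `unsigned`; `unsigned i` would avoid the signed/unsigned comparison.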