From: Greg Kroah-Hartman
Date: Mon, 16 Nov 2020 19:27:27 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.4.244~32
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3653099934baf38bb4a9996da00379cfbd1ee4ac;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
ipv6-set-sit-tunnel-hard_header_len-to-zero.patch
net-af_iucv-fix-null-pointer-dereference-on-shutdown.patch
net-udp-fix-udp-header-access-on-fast-frag0-udp-gro.patch
net-update-window_clamp-if-sock_rcvbuf-is-set.patch
net-x25-fix-null-ptr-deref-in-x25_connect.patch
pinctrl-amd-fix-incorrect-way-to-disable-debounce-filter.patch
pinctrl-amd-use-higher-precision-for-512-rtcclk.patch
r8169-fix-potential-skb-double-free-in-an-error-path.patch
swiotlb-fix-x86-don-t-panic-if-can-not-alloc-buffer-for-swiotlb.patch
tipc-fix-memory-leak-in-tipc_topsrv_start.patch
---
diff --git a/queue-5.4/ipv6-set-sit-tunnel-hard_header_len-to-zero.patch b/queue-5.4/ipv6-set-sit-tunnel-hard_header_len-to-zero.patch
new file mode 100644
index 00000000000..8b79d576c2c
--- /dev/null
+++ b/queue-5.4/ipv6-set-sit-tunnel-hard_header_len-to-zero.patch
@@ -0,0 +1,52 @@
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Oliver Herms
+Date: Tue, 3 Nov 2020 11:41:33 +0100
+Subject: IPv6: Set SIT tunnel hard_header_len to zero
+
+From: Oliver Herms
+
+[ Upstream commit 8ef9ba4d666614497a057d09b0a6eafc1e34eadf ]
+
+Due to the legacy usage of hard_header_len for SIT tunnels while
+already using infrastructure from net/ipv4/ip_tunnel.c the
+calculation of the path MTU in tnl_update_pmtu is incorrect.
+This leads to unnecessary creation of MTU exceptions for any
+flow going over a SIT tunnel.
+
+As SIT tunnels do not have a header themsevles other than their
+transport (L3, L2) headers we're leaving hard_header_len set to zero
+as tnl_update_pmtu is already taking care of the transport headers
+sizes.
+
+This will also help avoiding unnecessary IPv6 GC runs and spinlock
+contention seen when using SIT tunnels and for more than
+net.ipv6.route.gc_thresh flows.
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: Oliver Herms
+Acked-by: Willem de Bruijn
+Link: https://lore.kernel.org/r/20201103104133.GA1573211@tws
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/sit.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1088,7 +1088,6 @@ static void ipip6_tunnel_bind_dev(struct
+ if (tdev && !netif_is_l3_master(tdev)) {
+ int t_hlen = tunnel->hlen + sizeof(struct iphdr);
+
+- dev->hard_header_len = tdev->hard_header_len + sizeof(struct iphdr);
+ dev->mtu = tdev->mtu - t_hlen;
+ if (dev->mtu < IPV6_MIN_MTU)
+ dev->mtu = IPV6_MIN_MTU;
+@@ -1378,7 +1377,6 @@ static void ipip6_tunnel_setup(struct ne
+ dev->priv_destructor = ipip6_dev_free;
+
+ dev->type = ARPHRD_SIT;
+- dev->hard_header_len = LL_MAX_HEADER + t_hlen;
+ dev->mtu = ETH_DATA_LEN - t_hlen;
+ dev->min_mtu = IPV6_MIN_MTU;
+ dev->max_mtu = IP6_MAX_MTU - t_hlen;
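Review bot: Nothing at either removal site records that `dev->hard_header_len` is now deliberately left at the zero it gets from device allocation, so a later maintainer who sees `t_hlen` still being computed right next to the `dev->mtu` arithmetic may well put the assignment back. A one-line comment beside `dev->type = ARPHRD_SIT;` such as `/* hard_header_len deliberately stays 0: tnl_update_pmtu() already accounts for the outer headers */` would pin the intent where the code is. It is also worth confirming, outside this hunk, that nothing sizes headroom for the sit device from hard_header_len alone, since that reservation shrinks with this change; the xmit path presumably grows the skb itself, but that is not visible here. Both ipip6_tunnel_bind_dev and ipip6_tunnel_setup start and end outside the hunk.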
diff --git a/queue-5.4/net-af_iucv-fix-null-pointer-dereference-on-shutdown.patch b/queue-5.4/net-af_iucv-fix-null-pointer-dereference-on-shutdown.patch
new file mode 100644
index 00000000000..7a9c63ff391
--- /dev/null
+++ b/queue-5.4/net-af_iucv-fix-null-pointer-dereference-on-shutdown.patch
@@ -0,0 +1,61 @@
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Ursula Braun
+Date: Mon, 9 Nov 2020 08:57:05 +0100
+Subject: net/af_iucv: fix null pointer dereference on shutdown
+
+From: Ursula Braun
+
+[ Upstream commit 4031eeafa71eaf22ae40a15606a134ae86345daf ]
+
+syzbot reported the following KASAN finding:
+
+BUG: KASAN: nullptr-dereference in iucv_send_ctrl+0x390/0x3f0 net/iucv/af_iucv.c:385
+Read of size 2 at addr 000000000000021e by task syz-executor907/519
+
+CPU: 0 PID: 519 Comm: syz-executor907 Not tainted 5.9.0-syzkaller-07043-gbcf9877ad213 #0
+Hardware name: IBM 3906 M04 701 (KVM/Linux)
+Call Trace:
+ [<00000000c576af60>] unwind_start arch/s390/include/asm/unwind.h:65 [inline]
+ [<00000000c576af60>] show_stack+0x180/0x228 arch/s390/kernel/dumpstack.c:135
+ [<00000000c9dcd1f8>] __dump_stack lib/dump_stack.c:77 [inline]
+ [<00000000c9dcd1f8>] dump_stack+0x268/0x2f0 lib/dump_stack.c:118
+ [<00000000c5fed016>] print_address_description.constprop.0+0x5e/0x218 mm/kasan/report.c:383
+ [<00000000c5fec82a>] __kasan_report mm/kasan/report.c:517 [inline]
+ [<00000000c5fec82a>] kasan_report+0x11a/0x168 mm/kasan/report.c:534
+ [<00000000c98b5b60>] iucv_send_ctrl+0x390/0x3f0 net/iucv/af_iucv.c:385
+ [<00000000c98b6262>] iucv_sock_shutdown+0x44a/0x4c0 net/iucv/af_iucv.c:1457
+ [<00000000c89d3a54>] __sys_shutdown+0x12c/0x1c8 net/socket.c:2204
+ [<00000000c89d3b70>] __do_sys_shutdown net/socket.c:2212 [inline]
+ [<00000000c89d3b70>] __s390x_sys_shutdown+0x38/0x48 net/socket.c:2210
+ [<00000000c9e36eac>] system_call+0xe0/0x28c arch/s390/kernel/entry.S:415
+
+There is nothing to shutdown if a connection has never been established.
+Besides that iucv->hs_dev is not yet initialized if a socket is in
+IUCV_OPEN state and iucv->path is not yet initialized if socket is in
+IUCV_BOUND state.
+So, just skip the shutdown calls for a socket in these states.
+
+Fixes: eac3731bd04c ("[S390]: Add AF_IUCV socket support")
+Fixes: 82492a355fac ("af_iucv: add shutdown for HS transport")
+Reviewed-by: Vasily Gorbik
+Signed-off-by: Ursula Braun
+[jwi: correct one Fixes tag]
+Signed-off-by: Julian Wiedmann
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/iucv/af_iucv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -1574,7 +1574,8 @@ static int iucv_sock_shutdown(struct soc
+ break;
+ }
+
+- if (how == SEND_SHUTDOWN || how == SHUTDOWN_MASK) {
++ if ((how == SEND_SHUTDOWN || how == SHUTDOWN_MASK) &&
++ sk->sk_state == IUCV_CONNECTED) {
+ if (iucv->transport == AF_IUCV_TRANS_IUCV) {
+ txmsg.class = 0;
+ txmsg.tag = 0;
diff --git a/queue-5.4/net-udp-fix-udp-header-access-on-fast-frag0-udp-gro.patch b/queue-5.4/net-udp-fix-udp-header-access-on-fast-frag0-udp-gro.patch
new file mode 100644
index 00000000000..07d4f910899
--- /dev/null
+++ b/queue-5.4/net-udp-fix-udp-header-access-on-fast-frag0-udp-gro.patch
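Review bot: The new `sk->sk_state == IUCV_CONNECTED` test is the only thing standing between this block and the NULL `iucv->hs_dev` / `iucv->path` the KASAN report shows, yet nothing at the site says so; a comment such as `/* hs_dev (HS transport) and path (IUCV transport) are only valid once connected */` would stop it being loosened later. The gate is also broader than the commit message describes: it skips every non-CONNECTED state, not just IUCV_OPEN and IUCV_BOUND, which is harmless only if the switch whose tail (`break; }`) is visible above already rejects DISCONN/CLOSING sockets with an error. That switch, and the lock_sock() that presumably makes the sk_state read stable, both begin outside the hunk, and iucv_sock_shutdown continues past it.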
@@ -0,0 +1,43 @@
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Alexander Lobakin
+Date: Wed, 11 Nov 2020 20:45:25 +0000
+Subject: net: udp: fix UDP header access on Fast/frag0 UDP GRO
+
+From: Alexander Lobakin
+
+[ Upstream commit 4b1a86281cc1d0de46df3ad2cb8c1f86ac07681c ]
+
+UDP GRO uses udp_hdr(skb) in its .gro_receive() callback. While it's
+probably OK for non-frag0 paths (when all headers or even the entire
+frame are already in skb head), this inline points to junk when
+using Fast GRO (napi_gro_frags() or napi_gro_receive() with only
+Ethernet header in skb head and all the rest in the frags) and breaks
+GRO packet compilation and the packet flow itself.
+To support both modes, skb_gro_header_fast() + skb_gro_header_slow()
+are typically used. UDP even has an inline helper that makes use of
+them, udp_gro_udphdr(). Use that instead of troublemaking udp_hdr()
+to get rid of the out-of-order delivers.
+
+Present since the introduction of plain UDP GRO in 5.0-rc1.
+
+Fixes: e20cf8d3f1f7 ("udp: implement GRO for plain UDP sockets.")
+Cc: Eric Dumazet
+Signed-off-by: Alexander Lobakin
+Acked-by: Willem de Bruijn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/udp_offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -349,7 +349,7 @@ out:
+ static struct sk_buff *udp_gro_receive_segment(struct list_head *head,
+ struct sk_buff *skb)
+ {
+- struct udphdr *uh = udp_hdr(skb);
++ struct udphdr *uh = udp_gro_udphdr(skb);
+ struct sk_buff *pp = NULL;
+ struct udphdr *uh2;
+ struct sk_buff *p;
diff --git a/queue-5.4/net-update-window_clamp-if-sock_rcvbuf-is-set.patch b/queue-5.4/net-update-window_clamp-if-sock_rcvbuf-is-set.patch
new file mode 100644
index 00000000000..dab601d9f0b
--- /dev/null
+++ b/queue-5.4/net-update-window_clamp-if-sock_rcvbuf-is-set.patch
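Review bot: `udp_gro_udphdr()` can return NULL when the header is not in the linear area and its slow path fails to pull it (as I recall it is pskb_may_pull based), whereas the replaced `udp_hdr()` never did, and the body that follows `struct udphdr *uh = udp_gro_udphdr(skb);` dereferences uh with no check. Presumably udp_gro_receive() has already pulled and validated the UDP header before calling this helper, so the call here always takes the fast path, but that contract lives outside the hunk. Either state it at the declaration, `/* udp_gro_receive() already pulled the header, so this cannot return NULL */`, or make the helper self-contained with `if (unlikely(!uh)) goto flush;` if the function has such a label. udp_gro_receive_segment's body runs past the end of the hunk.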
@@ -0,0 +1,82 @@
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Mao Wenan
+Date: Tue, 10 Nov 2020 08:16:31 +0800
+Subject: net: Update window_clamp if SOCK_RCVBUF is set
+
+From: Mao Wenan
+
+[ Upstream commit 909172a149749242990a6e64cb55d55460d4e417 ]
+
+When net.ipv4.tcp_syncookies=1 and syn flood is happened,
+cookie_v4_check or cookie_v6_check tries to redo what
+tcp_v4_send_synack or tcp_v6_send_synack did,
+rsk_window_clamp will be changed if SOCK_RCVBUF is set,
+which will make rcv_wscale is different, the client
+still operates with initial window scale and can overshot
+granted window, the client use the initial scale but local
+server use new scale to advertise window value, and session
+work abnormally.
+
+Fixes: e88c64f0a425 ("tcp: allow effective reduction of TCP's rcv-buffer via setsockopt")
+Signed-off-by: Mao Wenan
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/1604967391-123737-1-git-send-email-wenan.mao@linux.alibaba.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/syncookies.c | 9 +++++++--
+ net/ipv6/syncookies.c | 10 ++++++++--
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -291,7 +291,7 @@ struct sock *cookie_v4_check(struct sock
+ __u32 cookie = ntohl(th->ack_seq) - 1;
+ struct sock *ret = sk;
+ struct request_sock *req;
+- int mss;
++ int full_space, mss;
+ struct rtable *rt;
+ __u8 rcv_wscale;
+ struct flowi4 fl4;
+@@ -386,8 +386,13 @@ struct sock *cookie_v4_check(struct sock
+
+ /* Try to redo what tcp_v4_send_synack did. */
+ req->rsk_window_clamp = tp->window_clamp ?
+ :dst_metric(&rt->dst, RTAX_WINDOW);
++ /* limit the window selection if the user enforce a smaller rx buffer */
++ full_space = tcp_full_space(sk);
++ if (sk->sk_userlocks & SOCK_RCVBUF_LOCK &&
++ (req->rsk_window_clamp > full_space || req->rsk_window_clamp == 0))
++ req->rsk_window_clamp = full_space;
+
+- tcp_select_initial_window(sk, tcp_full_space(sk), req->mss,
++ tcp_select_initial_window(sk, full_space, req->mss,
+ &req->rsk_rcv_wnd, &req->rsk_window_clamp,
+ ireq->wscale_ok, &rcv_wscale,
+ dst_metric(&rt->dst, RTAX_INITRWND));
+--- a/net/ipv6/syncookies.c
++++ b/net/ipv6/syncookies.c
+@@ -136,7 +136,7 @@ struct sock *cookie_v6_check(struct sock
+ __u32 cookie = ntohl(th->ack_seq) - 1;
+ struct sock *ret = sk;
+ struct request_sock *req;
+- int mss;
++ int full_space, mss;
+ struct dst_entry *dst;
+ __u8 rcv_wscale;
+ u32 tsoff = 0;
+@@ -241,7 +241,13 @@ struct sock *cookie_v6_check(struct sock
+ }
+
+ req->rsk_window_clamp = tp->window_clamp ? :dst_metric(dst, RTAX_WINDOW);
+- tcp_select_initial_window(sk, tcp_full_space(sk), req->mss,
++ /* limit the window selection if the user enforce a smaller rx buffer */
++ full_space = tcp_full_space(sk);
++ if (sk->sk_userlocks & SOCK_RCVBUF_LOCK &&
++ (req->rsk_window_clamp > full_space || req->rsk_window_clamp == 0))
++ req->rsk_window_clamp = full_space;
++
++ tcp_select_initial_window(sk, full_space, req->mss,
+ &req->rsk_rcv_wnd, &req->rsk_window_clamp,
+ ireq->wscale_ok, &rcv_wscale,
+ dst_metric(dst, RTAX_INITRWND));
diff --git a/queue-5.4/net-x25-fix-null-ptr-deref-in-x25_connect.patch b/queue-5.4/net-x25-fix-null-ptr-deref-in-x25_connect.patch
new file mode 100644
index 00000000000..4f841d9b28e
--- /dev/null
+++ b/queue-5.4/net-x25-fix-null-ptr-deref-in-x25_connect.patch
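Review bot: The five-line clamp block (`full_space = tcp_full_space(sk);` plus the SOCK_RCVBUF_LOCK test) is now copy-pasted verbatim into cookie_v4_check and cookie_v6_check, and since the commit message says it redoes what tcp_v4_send_synack/tcp_v6_send_synack already do there is most likely a third copy in the request-sock path; three hand-maintained copies of a subtle window computation is how they drift apart. Factoring it into one helper that both syncookie callers use, as sketched below, keeps the IPv4 and IPv6 paths identical by construction. Two style nits on the new lines: `(sk->sk_userlocks & SOCK_RCVBUF_LOCK)` deserves its own parentheses inside the `&&`, and the comment's "if the user enforce" should read "enforces". Both cookie_v*_check functions start and end outside the hunk.

```c
/* Redo the rsk_window_clamp limiting that tcp_*_send_synack() applied
 * when the user has locked the receive buffer (SOCK_RCVBUF_LOCK).
 * Returns the full_space to hand to tcp_select_initial_window().
 */
static inline int tcp_syncookie_full_space(const struct sock *sk,
					   struct request_sock *req)
{
	int full_space = tcp_full_space(sk);

	/* limit the window selection if the user enforces a smaller rx buffer */
	if ((sk->sk_userlocks & SOCK_RCVBUF_LOCK) &&
	    (req->rsk_window_clamp > full_space || req->rsk_window_clamp == 0))
		req->rsk_window_clamp = full_space;

	return full_space;
}

	/* … in cookie_v4_check(), unchanged: rsk_window_clamp seeded from tp/dst … */
	full_space = tcp_syncookie_full_space(sk, req);
	tcp_select_initial_window(sk, full_space, req->mss,
	/* … unchanged: remaining tcp_select_initial_window() arguments; same call in cookie_v6_check() … */
```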
@@ -0,0 +1,39 @@
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Martin Schiller
+Date: Mon, 9 Nov 2020 07:54:49 +0100
+Subject: net/x25: Fix null-ptr-deref in x25_connect
+
+From: Martin Schiller
+
+[ Upstream commit 361182308766a265b6c521879b34302617a8c209 ]
+
+This fixes a regression for blocking connects introduced by commit
+4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect").
+
+The x25->neighbour is already set to "NULL" by x25_disconnect() now,
+while a blocking connect is waiting in
+x25_wait_for_connection_establishment(). Therefore x25->neighbour must
+not be accessed here again and x25->state is also already set to
+X25_STATE_0 by x25_disconnect().
+
+Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
+Signed-off-by: Martin Schiller
+Reviewed-by: Xie He
+Link: https://lore.kernel.org/r/20201109065449.9014-1-ms@dev.tdt.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/x25/af_x25.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -819,7 +819,7 @@ static int x25_connect(struct socket *so
+ sock->state = SS_CONNECTED;
+ rc = 0;
+ out_put_neigh:
+- if (rc) {
++ if (rc && x25->neighbour) {
+ read_lock_bh(&x25_list_lock);
+ x25_neigh_put(x25->neighbour);
+ x25->neighbour = NULL;
diff --git a/queue-5.4/pinctrl-amd-fix-incorrect-way-to-disable-debounce-filter.patch b/queue-5.4/pinctrl-amd-fix-incorrect-way-to-disable-debounce-filter.patch
new file mode 100644
index 00000000000..5544169e0a9
--- /dev/null
+++ b/queue-5.4/pinctrl-amd-fix-incorrect-way-to-disable-debounce-filter.patch
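Review bot: The new `x25->neighbour` test is evaluated before `read_lock_bh(&x25_list_lock)` is taken, while the `x25_neigh_put()` and the `x25->neighbour = NULL` store stay inside it, and nothing at `out_put_neigh:` explains why a NULL neighbour is now an expected state here. If the socket lock is what serialises x25_connect against the x25_disconnect() the commit message describes — x25_connect's body and whatever lock it holds begin outside the hunk — the check is sound and a comment would suffice, e.g. `/* x25_disconnect() may already have dropped and cleared neighbour while we slept in x25_wait_for_connection_establishment() */`. If the socket lock is not held at this point, a test outside the lock leaves a narrower version of the same window, and since x25_list_lock is only taken for read it would not exclude a concurrent writer either, so the serialisation argument should be spelled out rather than relied on implicitly. The function continues past the end of the hunk.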
@@ -0,0 +1,44 @@
+From 06abe8291bc31839950f7d0362d9979edc88a666 Mon Sep 17 00:00:00 2001
+From: Coiby Xu
+Date: Fri, 6 Nov 2020 07:19:09 +0800
+Subject: pinctrl: amd: fix incorrect way to disable debounce filter
+
+From: Coiby Xu
+
+commit 06abe8291bc31839950f7d0362d9979edc88a666 upstream.
+
+The correct way to disable debounce filter is to clear bit 5 and 6
+of the register.
+
+Cc: stable@vger.kerne.org
+Signed-off-by: Coiby Xu
+Reviewed-by: Hans de Goede
+Cc: Hans de Goede
+Link: https://lore.kernel.org/linux-gpio/df2c008b-e7b5-4fdd-42ea-4d1c62b52139@redhat.com/
+Link: https://lore.kernel.org/r/20201105231912.69527-2-coiby.xu@gmail.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pinctrl/pinctrl-amd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -163,14 +163,14 @@ static int amd_gpio_set_debounce(struct
+ pin_reg |= BIT(DB_TMR_OUT_UNIT_OFF);
+ pin_reg |= BIT(DB_TMR_LARGE_OFF);
+ } else {
+- pin_reg &= ~DB_CNTRl_MASK;
++ pin_reg &= ~(DB_CNTRl_MASK << DB_CNTRL_OFF);
+ ret = -EINVAL;
+ }
+ } else {
+ pin_reg &= ~BIT(DB_TMR_OUT_UNIT_OFF);
+ pin_reg &= ~BIT(DB_TMR_LARGE_OFF);
+ pin_reg &= ~DB_TMR_OUT_MASK;
+- pin_reg &= ~DB_CNTRl_MASK;
++ pin_reg &= ~(DB_CNTRl_MASK << DB_CNTRL_OFF);
+ writel(pin_reg, gpio_dev->base + offset * 4);
+ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
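Review bot: In the inner `else` branch the changed line now clears the debounce control field and sets `ret = -EINVAL`, yet control still falls through to `writel(pin_reg, gpio_dev->base + offset * 4);`, so an out-of-range debounce request both fails and silently disables the filter on that pin. That fall-through is pre-existing, but this commit is the first time the clear actually lands on the right bits, so it is worth deciding whether that side effect is intended: either skip the write on error, `if (!ret) writel(pin_reg, gpio_dev->base + offset * 4);` (ret's initial value is outside the hunk), or document it with `/* invalid request: leave the filter disabled rather than half-programmed */`. Separately, the mixed-case macro `DB_CNTRl_MASK` sits next to `DB_CNTRL_OFF` and is easy to misread; renaming it in the header would be a cheap follow-up. The `Cc: stable@vger.kerne.org` trailer is also misspelled, so that address never received the mail. amd_gpio_set_debounce starts and ends outside the hunk.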
@@ -0,0 +1,40 @@
+From c64a6a0d4a928c63e5bc3b485552a8903a506c36 Mon Sep 17 00:00:00 2001
+From: Coiby Xu
+Date: Fri, 6 Nov 2020 07:19:10 +0800
+Subject: pinctrl: amd: use higher precision for 512 RtcClk
+
+From: Coiby Xu
+
+commit c64a6a0d4a928c63e5bc3b485552a8903a506c36 upstream.
+
+RTC is 32.768kHz thus 512 RtcClk equals 15625 usec. The documentation
+likely has dropped precision and that's why the driver mistakenly took
+the slightly deviated value.
+
+Cc: stable@vger.kernel.org
+Reported-by: Andy Shevchenko
+Suggested-by: Andy Shevchenko
+Suggested-by: Hans de Goede
+Signed-off-by: Coiby Xu
+Reviewed-by: Andy Shevchenko
+Reviewed-by: Hans de Goede
+Link: https://lore.kernel.org/linux-gpio/2f4706a1-502f-75f0-9596-cc25b4933b6c@redhat.com/
+Link: https://lore.kernel.org/r/20201105231912.69527-3-coiby.xu@gmail.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pinctrl/pinctrl-amd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -153,7 +153,7 @@ static int amd_gpio_set_debounce(struct
+ pin_reg |= BIT(DB_TMR_OUT_UNIT_OFF);
+ pin_reg &= ~BIT(DB_TMR_LARGE_OFF);
+ } else if (debounce < 250000) {
+- time = debounce / 15600;
++ time = debounce / 15625;
+ pin_reg |= time & DB_TMR_OUT_MASK;
+ pin_reg &= ~BIT(DB_TMR_OUT_UNIT_OFF);
+ pin_reg |= BIT(DB_TMR_LARGE_OFF);
diff --git a/queue-5.4/r8169-fix-potential-skb-double-free-in-an-error-path.patch b/queue-5.4/r8169-fix-potential-skb-double-free-in-an-error-path.patch
new file mode 100644
index 00000000000..f63e38786f9
--- /dev/null
+++ b/queue-5.4/r8169-fix-potential-skb-double-free-in-an-error-path.patch
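Review bot: `time = debounce / 15625;` swaps one magic number for another, and the derivation that justifies it (512 RtcClk at 32.768 kHz = 15625 us) lives only in the commit message, where the next person to "correct" it back to the datasheet figure will not see it. Put it next to the code, `/* 512 RtcClk ticks at 32.768 kHz = 15625 us per timer unit */`, or better name it, `#define DB_TMR_512_RTCCLK_US 15625`, since the sibling branches presumably divide by other per-tick periods that would benefit from the same treatment. Note that integer division still rounds any request below one unit down to `time = 0` before `pin_reg |= time & DB_TMR_OUT_MASK;`; the old divisor did the same, so if a minimum of one tick is expected that is a separate fix. amd_gpio_set_debounce starts and ends outside the hunk.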
@@ -0,0 +1,36 @@
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Heiner Kallweit
+Date: Thu, 5 Nov 2020 15:28:42 +0100
+Subject: r8169: fix potential skb double free in an error path
+
+From: Heiner Kallweit
+
+[ Upstream commit cc6528bc9a0c901c83b8220a2e2617f3354d6dd9 ]
+
+The caller of rtl8169_tso_csum_v2() frees the skb if false is returned.
+eth_skb_pad() internally frees the skb on error what would result in a
+double free. Therefore use __skb_put_padto() directly and instruct it
+to not free the skb on error.
+
+Fixes: b423e9ae49d7 ("r8169: fix offloaded tx checksum for small packets.")
+Reported-by: Jakub Kicinski
+Signed-off-by: Heiner Kallweit
+Link: https://lore.kernel.org/r/f7e68191-acff-9ded-4263-c016428a8762@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -5846,7 +5846,8 @@ static bool rtl8169_tso_csum_v2(struct r
+ opts[1] |= transport_offset << TCPHO_SHIFT;
+ } else {
+ if (unlikely(rtl_test_hw_pad_bug(tp, skb)))
+- return !eth_skb_pad(skb);
++ /* eth_skb_pad would free the skb on error */
++ return !__skb_put_padto(skb, ETH_ZLEN, false);
+ }
+
+ return true;
diff --git a/queue-5.4/series b/queue-5.4/series
index bedfe4ca263..553c9857a8d 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
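Review bot: The body of `if (unlikely(rtl_test_hw_pad_bug(tp, skb)))` is now a comment line followed by the `return`, and without braces the comment visually reads as the body and the return as a stray statement; kernel style permits it, but either bracing the two lines or moving the comment above the `if` avoids the misread. The comment also describes the function that was removed rather than the argument that matters, so `/* free_on_error=false: our caller frees the skb when we return false */` would tell the next reader why the third argument must stay false. That ownership contract comes from the commit message, not from anything visible in the hunk, and rtl8169_tso_csum_v2 begins outside it.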
@@ -132,3 +132,13 @@ mmc-sdhci-of-esdhc-handle-pulse-width-detection-erratum-for-more-socs.patch
 mmc-renesas_sdhi_core-add-missing-tmio_mmc_host_free-at-remove.patch
 don-t-dump-the-threads-that-had-been-already-exiting-when-zapped.patch
 drm-gma500-fix-out-of-bounds-access-to-struct-drm_device.vblank.patch
+pinctrl-amd-use-higher-precision-for-512-rtcclk.patch
+pinctrl-amd-fix-incorrect-way-to-disable-debounce-filter.patch
+swiotlb-fix-x86-don-t-panic-if-can-not-alloc-buffer-for-swiotlb.patch
+ipv6-set-sit-tunnel-hard_header_len-to-zero.patch
+net-af_iucv-fix-null-pointer-dereference-on-shutdown.patch
+net-udp-fix-udp-header-access-on-fast-frag0-udp-gro.patch
+net-update-window_clamp-if-sock_rcvbuf-is-set.patch
+net-x25-fix-null-ptr-deref-in-x25_connect.patch
+tipc-fix-memory-leak-in-tipc_topsrv_start.patch
+r8169-fix-potential-skb-double-free-in-an-error-path.patch
diff --git a/queue-5.4/swiotlb-fix-x86-don-t-panic-if-can-not-alloc-buffer-for-swiotlb.patch b/queue-5.4/swiotlb-fix-x86-don-t-panic-if-can-not-alloc-buffer-for-swiotlb.patch
new file mode 100644
index 00000000000..47535372b66
--- /dev/null
+++ b/queue-5.4/swiotlb-fix-x86-don-t-panic-if-can-not-alloc-buffer-for-swiotlb.patch
@@ -0,0 +1,76 @@
+From e9696d259d0fb5d239e8c28ca41089838ea76d13 Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini
+Date: Mon, 26 Oct 2020 17:02:14 -0700
+Subject: swiotlb: fix "x86: Don't panic if can not alloc buffer for swiotlb"
+
+From: Stefano Stabellini
+
+commit e9696d259d0fb5d239e8c28ca41089838ea76d13 upstream.
+
+kernel/dma/swiotlb.c:swiotlb_init gets called first and tries to
+allocate a buffer for the swiotlb. It does so by calling
+
+ memblock_alloc_low(PAGE_ALIGN(bytes), PAGE_SIZE);
+
+If the allocation must fail, no_iotlb_memory is set.
+
+Later during initialization swiotlb-xen comes in
+(drivers/xen/swiotlb-xen.c:xen_swiotlb_init) and given that io_tlb_start
+is != 0, it thinks the memory is ready to use when actually it is not.
+
+When the swiotlb is actually needed, swiotlb_tbl_map_single gets called
+and since no_iotlb_memory is set the kernel panics.
+
+Instead, if swiotlb-xen.c:xen_swiotlb_init knew the swiotlb hadn't been
+initialized, it would do the initialization itself, which might still
+succeed.
+
+Fix the panic by setting io_tlb_start to 0 on swiotlb initialization
+failure, and also by setting no_iotlb_memory to false on swiotlb
+initialization success.
+
+Fixes: ac2cbab21f31 ("x86: Don't panic if can not alloc buffer for swiotlb")
+
+Reported-by: Elliott Mitchell
+Tested-by: Elliott Mitchell
+Signed-off-by: Stefano Stabellini
+Reviewed-by: Christoph Hellwig
+Cc: stable@vger.kernel.org
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/dma/swiotlb.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/dma/swiotlb.c
++++ b/kernel/dma/swiotlb.c
+@@ -230,6 +230,7 @@ int __init swiotlb_init_with_tbl(char *t
+ io_tlb_orig_addr[i] = INVALID_PHYS_ADDR;
+ }
+ io_tlb_index = 0;
++ no_iotlb_memory = false;
+
+ if (verbose)
+ swiotlb_print_info();
+@@ -261,9 +262,11 @@ swiotlb_init(int verbose)
+ if (vstart && !swiotlb_init_with_tbl(vstart, io_tlb_nslabs, verbose))
+ return;
+
+- if (io_tlb_start)
++ if (io_tlb_start) {
+ memblock_free_early(io_tlb_start,
+ PAGE_ALIGN(io_tlb_nslabs << IO_TLB_SHIFT));
++ io_tlb_start = 0;
++ }
+ pr_warn("Cannot allocate buffer");
+ no_iotlb_memory = true;
+ }
+@@ -361,6 +364,7 @@ swiotlb_late_init_with_tbl(char *tlb, un
+ io_tlb_orig_addr[i] = INVALID_PHYS_ADDR;
+ }
+ io_tlb_index = 0;
++ no_iotlb_memory = false;
+
+ swiotlb_print_info();
+
diff --git a/queue-5.4/tipc-fix-memory-leak-in-tipc_topsrv_start.patch b/queue-5.4/tipc-fix-memory-leak-in-tipc_topsrv_start.patch
new file mode 100644
index 00000000000..f6ab3d766f7
--- /dev/null
+++ b/queue-5.4/tipc-fix-memory-leak-in-tipc_topsrv_start.patch
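Review bot: The failure path in swiotlb_init now resets `io_tlb_start = 0` after `memblock_free_early()`, but leaves its companion globals alone; if swiotlb_init_with_tbl sets `io_tlb_end` (and `io_tlb_nslabs`) next to `io_tlb_start` before it can fail — only its tail is visible in the first hunk, its head is not — then a stale `io_tlb_end` paired with a zero `io_tlb_start` makes any bounds test of the shape `paddr >= io_tlb_start && paddr < io_tlb_end` true for every low physical address. Clearing both together, `io_tlb_start = 0; io_tlb_end = 0;`, keeps the "not initialised" state self-consistent for xen_swiotlb_init and for any later buffer range check. A one-line comment on the reset, `/* let swiotlb-xen see that no buffer was allocated and retry itself */`, would tie the line to the reason given in the commit message. Both swiotlb_init_with_tbl and swiotlb_late_init_with_tbl start outside their hunks.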
@@ -0,0 +1,64 @@
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Wang Hai
+Date: Mon, 9 Nov 2020 22:09:13 +0800
+Subject: tipc: fix memory leak in tipc_topsrv_start()
+
+From: Wang Hai
+
+[ Upstream commit fa6882c63621821f73cc806f291208e1c6ea6187 ]
+
+kmemleak report a memory leak as follows:
+
+unreferenced object 0xffff88810a596800 (size 512):
+ comm "ip", pid 21558, jiffies 4297568990 (age 112.120s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
+ ff ff ff ff ff ff ff ff 00 83 60 b0 ff ff ff ff ..........`.....
+ backtrace:
+ [<0000000022bbe21f>] tipc_topsrv_init_net+0x1f3/0xa70
+ [<00000000fe15ddf7>] ops_init+0xa8/0x3c0
+ [<00000000138af6f2>] setup_net+0x2de/0x7e0
+ [<000000008c6807a3>] copy_net_ns+0x27d/0x530
+ [<000000006b21adbd>] create_new_namespaces+0x382/0xa30
+ [<00000000bb169746>] unshare_nsproxy_namespaces+0xa1/0x1d0
+ [<00000000fe2e42bc>] ksys_unshare+0x39c/0x780
+ [<0000000009ba3b19>] __x64_sys_unshare+0x2d/0x40
+ [<00000000614ad866>] do_syscall_64+0x56/0xa0
+ [<00000000a1b5ca3c>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+'srv' is malloced in tipc_topsrv_start() but not free before
+leaving from the error handling cases. We need to free it.
+
+Fixes: 5c45ab24ac77 ("tipc: make struct tipc_server private for server.c")
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Link: https://lore.kernel.org/r/20201109140913.47370-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/topsrv.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -664,12 +664,18 @@ static int tipc_topsrv_start(struct net
+
+ ret = tipc_topsrv_work_start(srv);
+ if (ret < 0)
+- return ret;
++ goto err_start;
+
+ ret = tipc_topsrv_create_listener(srv);
+ if (ret < 0)
+- tipc_topsrv_work_stop(srv);
++ goto err_create;
+
++ return 0;
++
++err_create:
++ tipc_topsrv_work_stop(srv);
++err_start:
++ kfree(srv);
+ return ret;
+ }
+
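Review bot: `err_start: kfree(srv);` frees the server, but if the per-net pointer was already set to `srv` earlier in tipc_topsrv_start (the head of the function is outside the hunk; as far as I recall upstream assigns `tn->topsrv = srv` before starting the work queue) that pointer dangles after the error return, and anything that later reads it — the net-exit path, should it still run — would touch freed memory. Clearing it in the same label, `tn->topsrv = NULL;` immediately before `kfree(srv);`, closes that, and if `idr_init(&srv->conn_idr)` ran earlier it should be paired with `idr_destroy(&srv->conn_idr);` there too. The goto ladder itself is the right shape; a comment on `err_create:` such as `/* stop the workqueue before freeing srv: its work items dereference it */` would tell the next reader why the two labels cannot be merged.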