From: Sasha Levin Date: Sun, 13 Feb 2022 05:47:37 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v4.9.302~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8b87ea3dcf7c8f54f33211c06849dfbd63fdb117;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-dts-imx6qdl-udoo-properly-describe-the-sd-card-d.patch b/queue-4.14/arm-dts-imx6qdl-udoo-properly-describe-the-sd-card-d.patch new file mode 100644 index 00000000000..1c4f986b8a4 --- /dev/null +++ b/queue-4.14/arm-dts-imx6qdl-udoo-properly-describe-the-sd-card-d.patch @@ -0,0 +1,54 @@ +From fbc22e07deecb4793ff967633e0fd8031bf31982 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Dec 2021 19:42:15 -0300 +Subject: ARM: dts: imx6qdl-udoo: Properly describe the SD card detect + +From: Fabio Estevam + +[ Upstream commit 993d66140f8d1c1853a3b58b77b43b681eb64dee ] + +GPIO7_IO00 is used as SD card detect. + +Properly describe this in the devicetree. + +Fixes: 40cdaa542cf0 ("ARM: dts: imx6q-udoo: Add initial board support") +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qdl-udoo.dtsi | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6qdl-udoo.dtsi b/arch/arm/boot/dts/imx6qdl-udoo.dtsi +index fc4ae2e423bd7..b0fdcae66ead3 100644 +--- a/arch/arm/boot/dts/imx6qdl-udoo.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-udoo.dtsi +@@ -9,6 +9,8 @@ + * + */ + ++#include ++ + / { + aliases { + backlight = &backlight; +@@ -201,6 +203,7 @@ MX6QDL_PAD_SD3_DAT0__SD3_DATA0 0x17059 + MX6QDL_PAD_SD3_DAT1__SD3_DATA1 0x17059 + MX6QDL_PAD_SD3_DAT2__SD3_DATA2 0x17059 + MX6QDL_PAD_SD3_DAT3__SD3_DATA3 0x17059 ++ MX6QDL_PAD_SD3_DAT5__GPIO7_IO00 0x1b0b0 + >; + }; + +@@ -267,7 +270,7 @@ &usbh1 { + &usdhc3 { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usdhc3>; +- non-removable; ++ cd-gpios = <&gpio7 0 GPIO_ACTIVE_LOW>; + status = "okay"; + }; + +-- +2.34.1 + diff --git a/queue-4.14/arm-dts-meson-fix-the-uart-compatible-strings.patch b/queue-4.14/arm-dts-meson-fix-the-uart-compatible-strings.patch new file mode 100644 index 00000000000..97cf01096d8 --- /dev/null +++ b/queue-4.14/arm-dts-meson-fix-the-uart-compatible-strings.patch @@ -0,0 +1,69 @@ +From adba342e3edf30631e2a0e29547a2c456787894e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Dec 2021 19:00:24 +0100 +Subject: ARM: dts: meson: Fix the UART compatible strings + +From: Martin Blumenstingl + +[ Upstream commit 5225e1b87432dcf0d0fc3440824b91d04c1d6cc1 ] + +The dt-bindings for the UART controller only allow the following values +for Meson6 SoCs: +- "amlogic,meson6-uart", "amlogic,meson-ao-uart" +- "amlogic,meson6-uart" + +Use the correct fallback compatible string "amlogic,meson-ao-uart" for +AO UART. Drop the "amlogic,meson-uart" compatible string from the EE +domain UART controllers. + +Fixes: ec9b59162fd831 ("ARM: dts: meson6: use stable UART bindings") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20211227180026.4068352-2-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/meson.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/boot/dts/meson.dtsi b/arch/arm/boot/dts/meson.dtsi +index cd6ad072e72c1..05dfd74a40044 100644 +--- a/arch/arm/boot/dts/meson.dtsi ++++ b/arch/arm/boot/dts/meson.dtsi +@@ -86,14 +86,14 @@ hwrng: rng@8100 { + }; + + uart_A: serial@84c0 { +- compatible = "amlogic,meson6-uart", "amlogic,meson-uart"; ++ compatible = "amlogic,meson6-uart"; + reg = <0x84c0 0x18>; + interrupts = ; + status = "disabled"; + }; + + uart_B: serial@84dc { +- compatible = "amlogic,meson6-uart", "amlogic,meson-uart"; ++ compatible = "amlogic,meson6-uart"; + reg = <0x84dc 0x18>; + interrupts = ; + status = "disabled"; +@@ -131,7 +131,7 @@ saradc: adc@8680 { + }; + + uart_C: serial@8700 { +- compatible = "amlogic,meson6-uart", "amlogic,meson-uart"; ++ compatible = "amlogic,meson6-uart"; + reg = <0x8700 0x18>; + interrupts = ; + status = "disabled"; +@@ -196,7 +196,7 @@ ir_receiver: ir-receiver@480 { + }; + + uart_AO: serial@4c0 { +- compatible = "amlogic,meson6-uart", "amlogic,meson-ao-uart", "amlogic,meson-uart"; ++ compatible = "amlogic,meson6-uart", "amlogic,meson-ao-uart"; + reg = <0x4c0 0x18>; + interrupts = ; + status = "disabled"; +-- +2.34.1 + diff --git a/queue-4.14/bonding-pair-enable_port-with-slave_arr_updates.patch b/queue-4.14/bonding-pair-enable_port-with-slave_arr_updates.patch new file mode 100644 index 00000000000..8b36df1aa2b --- /dev/null +++ b/queue-4.14/bonding-pair-enable_port-with-slave_arr_updates.patch @@ -0,0 +1,55 @@ +From 835d9e28a1126566e72094668b9d65d0d9a303b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 14:29:01 -0800 +Subject: bonding: pair enable_port with slave_arr_updates + +From: Mahesh Bandewar + +[ Upstream commit 23de0d7b6f0e3f9a6283a882594c479949da1120 ] + +When 803.2ad mode enables a participating port, it should update +the slave-array. I have observed that the member links are participating +and are part of the active aggregator while the traffic is egressing via +only one member link (in a case where two links are participating). Via +kprobes I discovered that slave-arr has only one link added while +the other participating link wasn't part of the slave-arr. + +I couldn't see what caused that situation but the simple code-walk +through provided me hints that the enable_port wasn't always associated +with the slave-array update. + +Fixes: ee6377147409 ("bonding: Simplify the xmit function for modes that use xmit_hash") +Signed-off-by: Mahesh Bandewar +Acked-by: Jay Vosburgh +Link: https://lore.kernel.org/r/20220207222901.1795287-1-maheshb@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_3ad.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c +index 93dfcef8afc4b..035923876c617 100644 +--- a/drivers/net/bonding/bond_3ad.c ++++ b/drivers/net/bonding/bond_3ad.c +@@ -1012,8 +1012,8 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr) + if (port->aggregator && + port->aggregator->is_active && + !__port_is_enabled(port)) { +- + __enable_port(port); ++ *update_slave_arr = true; + } + } + break; +@@ -1760,6 +1760,7 @@ static void ad_agg_selection_logic(struct aggregator *agg, + port = port->next_port_in_aggregator) { + __enable_port(port); + } ++ *update_slave_arr = true; + } + } + +-- +2.34.1 + diff --git a/queue-4.14/ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch b/queue-4.14/ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch new file mode 100644 index 00000000000..e0f9487019a --- /dev/null +++ b/queue-4.14/ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch @@ -0,0 +1,101 @@ +From 235c61694bf67792ce332f6e148490c096952fd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 21:34:51 -0800 +Subject: ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on + failure path + +From: Eric Dumazet + +[ Upstream commit 5611a00697c8ecc5aad04392bea629e9d6a20463 ] + +ip[6]mr_free_table() can only be called under RTNL lock. + +RTNL: assertion failed at net/core/dev.c (10367) +WARNING: CPU: 1 PID: 5890 at net/core/dev.c:10367 unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367 +Modules linked in: +CPU: 1 PID: 5890 Comm: syz-executor.2 Not tainted 5.16.0-syzkaller-11627-g422ee58dc0ef #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367 +Code: 0f 85 9b ee ff ff e8 69 07 4b fa ba 7f 28 00 00 48 c7 c6 00 90 ae 8a 48 c7 c7 40 90 ae 8a c6 05 6d b1 51 06 01 e8 8c 90 d8 01 <0f> 0b e9 70 ee ff ff e8 3e 07 4b fa 4c 89 e7 e8 86 2a 59 fa e9 ee +RSP: 0018:ffffc900046ff6e0 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: ffff888050f51d00 RSI: ffffffff815fa008 RDI: fffff520008dfece +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffff815f3d6e R11: 0000000000000000 R12: 00000000fffffff4 +R13: dffffc0000000000 R14: ffffc900046ff750 R15: ffff88807b7dc000 +FS: 00007f4ab736e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fee0b4f8990 CR3: 000000001e7d2000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + mroute_clean_tables+0x244/0xb40 net/ipv6/ip6mr.c:1509 + ip6mr_free_table net/ipv6/ip6mr.c:389 [inline] + ip6mr_rules_init net/ipv6/ip6mr.c:246 [inline] + ip6mr_net_init net/ipv6/ip6mr.c:1306 [inline] + ip6mr_net_init+0x3f0/0x4e0 net/ipv6/ip6mr.c:1298 + ops_init+0xaf/0x470 net/core/net_namespace.c:140 + setup_net+0x54f/0xbb0 net/core/net_namespace.c:331 + copy_net_ns+0x318/0x760 net/core/net_namespace.c:475 + create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 + copy_namespaces+0x391/0x450 kernel/nsproxy.c:178 + copy_process+0x2e0c/0x7300 kernel/fork.c:2167 + kernel_clone+0xe7/0xab0 kernel/fork.c:2555 + __do_sys_clone+0xc8/0x110 kernel/fork.c:2672 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f4ab89f9059 +Code: Unable to access opcode bytes at RIP 0x7f4ab89f902f. +RSP: 002b:00007f4ab736e118 EFLAGS: 00000206 ORIG_RAX: 0000000000000038 +RAX: ffffffffffffffda RBX: 00007f4ab8b0bf60 RCX: 00007f4ab89f9059 +RDX: 0000000020000280 RSI: 0000000020000270 RDI: 0000000040200000 +RBP: 00007f4ab8a5308d R08: 0000000020000300 R09: 0000000020000300 +R10: 00000000200002c0 R11: 0000000000000206 R12: 0000000000000000 +R13: 00007ffc3977cc1f R14: 00007f4ab736e300 R15: 0000000000022000 + + +Fixes: f243e5a7859a ("ipmr,ip6mr: call ip6mr_free_table() on failure path") +Signed-off-by: Eric Dumazet +Cc: Cong Wang +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220208053451.2885398-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ipmr.c | 2 ++ + net/ipv6/ip6mr.c | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index ce3d5f734fdb1..0a68020d1de1b 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -248,7 +248,9 @@ static int __net_init ipmr_rules_init(struct net *net) + return 0; + + err2: ++ rtnl_lock(); + ipmr_free_table(mrt); ++ rtnl_unlock(); + err1: + fib_rules_unregister(ops); + return err; +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index 459f282d90e16..f8d60d511d3ed 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -252,7 +252,9 @@ static int __net_init ip6mr_rules_init(struct net *net) + return 0; + + err2: ++ rtnl_lock(); + ip6mr_free_table(mrt); ++ rtnl_unlock(); + err1: + fib_rules_unregister(ops); + return err; +-- +2.34.1 + diff --git a/queue-4.14/net-amd-xgbe-disable-interrupts-during-pci-removal.patch b/queue-4.14/net-amd-xgbe-disable-interrupts-during-pci-removal.patch new file mode 100644 index 00000000000..79f2ffe7489 --- /dev/null +++ b/queue-4.14/net-amd-xgbe-disable-interrupts-during-pci-removal.patch @@ -0,0 +1,41 @@ +From d62ee155c7efc3e5d3857a1b0bf0cc22e7857123 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Feb 2022 10:02:01 +0530 +Subject: net: amd-xgbe: disable interrupts during pci removal + +From: Raju Rangoju + +[ Upstream commit 68c2d6af1f1e469544d6cbe9a601d96fb9c00e7f ] + +Hardware interrupts are enabled during the pci probe, however, +they are not disabled during pci removal. + +Disable all hardware interrupts during pci removal to avoid any +issues. + +Fixes: e75377404726 ("amd-xgbe: Update PCI support to use new IRQ functions") +Suggested-by: Selwin Sebastian +Signed-off-by: Raju Rangoju +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-pci.c b/drivers/net/ethernet/amd/xgbe/xgbe-pci.c +index 82d1f416ee2ac..569e6d3d066bf 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-pci.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-pci.c +@@ -400,6 +400,9 @@ static void xgbe_pci_remove(struct pci_dev *pdev) + + pci_free_irq_vectors(pdata->pcidev); + ++ /* Disable all interrupts in the hardware */ ++ XP_IOWRITE(pdata, XP_INT_EN, 0x0); ++ + xgbe_free_pdata(pdata); + } + +-- +2.34.1 + diff --git a/queue-4.14/net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch b/queue-4.14/net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch new file mode 100644 index 00000000000..c9d1395165e --- /dev/null +++ b/queue-4.14/net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch @@ -0,0 +1,65 @@ +From 7e2a46bab5c61c527d2a75f3d1bd71e6283c5844 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 18:13:18 +0100 +Subject: net: do not keep the dst cache when uncloning an skb dst and its + metadata + +From: Antoine Tenart + +[ Upstream commit cfc56f85e72f5b9c5c5be26dc2b16518d36a7868 ] + +When uncloning an skb dst and its associated metadata a new dst+metadata +is allocated and the tunnel information from the old metadata is copied +over there. + +The issue is the tunnel metadata has references to cached dst, which are +copied along the way. When a dst+metadata refcount drops to 0 the +metadata is freed including the cached dst entries. As they are also +referenced in the initial dst+metadata, this ends up in UaFs. + +In practice the above did not happen because of another issue, the +dst+metadata was never freed because its refcount never dropped to 0 +(this will be fixed in a subsequent patch). + +Fix this by initializing the dst cache after copying the tunnel +information from the old metadata to also unshare the dst cache. + +Fixes: d71785ffc7e7 ("net: add dst_cache to ovs vxlan lwtunnel") +Cc: Paolo Abeni +Reported-by: Vlad Buslov +Tested-by: Vlad Buslov +Signed-off-by: Antoine Tenart +Acked-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/dst_metadata.h | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/include/net/dst_metadata.h b/include/net/dst_metadata.h +index 0b3c2aaed3c82..bf820c54e7ccd 100644 +--- a/include/net/dst_metadata.h ++++ b/include/net/dst_metadata.h +@@ -121,6 +121,19 @@ static inline struct metadata_dst *tun_dst_unclone(struct sk_buff *skb) + + memcpy(&new_md->u.tun_info, &md_dst->u.tun_info, + sizeof(struct ip_tunnel_info) + md_size); ++#ifdef CONFIG_DST_CACHE ++ /* Unclone the dst cache if there is one */ ++ if (new_md->u.tun_info.dst_cache.cache) { ++ int ret; ++ ++ ret = dst_cache_init(&new_md->u.tun_info.dst_cache, GFP_ATOMIC); ++ if (ret) { ++ metadata_dst_free(new_md); ++ return ERR_PTR(ret); ++ } ++ } ++#endif ++ + skb_dst_drop(skb); + dst_hold(&new_md->dst); + skb_dst_set(skb, &new_md->dst); +-- +2.34.1 + diff --git a/queue-4.14/net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch b/queue-4.14/net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch new file mode 100644 index 00000000000..a6c6cfda942 --- /dev/null +++ b/queue-4.14/net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch @@ -0,0 +1,49 @@ +From 55b04e454da5a1b3c4902708417c5015fecba607 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 18:13:19 +0100 +Subject: net: fix a memleak when uncloning an skb dst and its metadata + +From: Antoine Tenart + +[ Upstream commit 9eeabdf17fa0ab75381045c867c370f4cc75a613 ] + +When uncloning an skb dst and its associated metadata, a new +dst+metadata is allocated and later replaces the old one in the skb. +This is helpful to have a non-shared dst+metadata attached to a specific +skb. + +The issue is the uncloned dst+metadata is initialized with a refcount of +1, which is increased to 2 before attaching it to the skb. When +tun_dst_unclone returns, the dst+metadata is only referenced from a +single place (the skb) while its refcount is 2. Its refcount will never +drop to 0 (when the skb is consumed), leading to a memory leak. + +Fix this by removing the call to dst_hold in tun_dst_unclone, as the +dst+metadata refcount is already 1. + +Fixes: fc4099f17240 ("openvswitch: Fix egress tunnel info.") +Cc: Pravin B Shelar +Reported-by: Vlad Buslov +Tested-by: Vlad Buslov +Signed-off-by: Antoine Tenart +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/dst_metadata.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/include/net/dst_metadata.h b/include/net/dst_metadata.h +index bf820c54e7ccd..177b1aabf95d1 100644 +--- a/include/net/dst_metadata.h ++++ b/include/net/dst_metadata.h +@@ -135,7 +135,6 @@ static inline struct metadata_dst *tun_dst_unclone(struct sk_buff *skb) + #endif + + skb_dst_drop(skb); +- dst_hold(&new_md->dst); + skb_dst_set(skb, &new_md->dst); + return new_md; + } +-- +2.34.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 28460687530..042f4f0781a 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -16,3 +16,13 @@ net-stmmac-dwmac-sun8i-use-return-val-of-readl_poll_.patch revert-net-axienet-wait-for-phyrstcmplt-after-core-r.patch bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch arm-dts-imx23-evk-remove-mx23_pad_ssp1_detect-from-hog-group.patch +arm-dts-meson-fix-the-uart-compatible-strings.patch +staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch +arm-dts-imx6qdl-udoo-properly-describe-the-sd-card-d.patch +usb-f_fs-fix-use-after-free-for-epfile.patch +bonding-pair-enable_port-with-slave_arr_updates.patch +ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch +net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch +net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch +tipc-rate-limit-warning-for-received-illegal-binding.patch +net-amd-xgbe-disable-interrupts-during-pci-removal.patch diff --git a/queue-4.14/staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch b/queue-4.14/staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch new file mode 100644 index 00000000000..79e348461c2 --- /dev/null +++ b/queue-4.14/staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch @@ -0,0 +1,43 @@ +From 3f28944e70159568872eb53c565ac2d16a63af62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jan 2022 19:13:37 +0100 +Subject: staging: fbtft: Fix error path in fbtft_driver_module_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 426aca16e903b387a0b0001d62207a745c67cfd3 ] + +If registering the platform driver fails, the function must not return +without undoing the spi driver registration first. + +Fixes: c296d5f9957c ("staging: fbtft: core support") +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20220118181338.207943-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/fbtft/fbtft.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/fbtft/fbtft.h b/drivers/staging/fbtft/fbtft.h +index 488ab788138e1..b086e8e5b4dd3 100644 +--- a/drivers/staging/fbtft/fbtft.h ++++ b/drivers/staging/fbtft/fbtft.h +@@ -342,7 +342,10 @@ static int __init fbtft_driver_module_init(void) \ + ret = spi_register_driver(&fbtft_driver_spi_driver); \ + if (ret < 0) \ + return ret; \ +- return platform_driver_register(&fbtft_driver_platform_driver); \ ++ ret = platform_driver_register(&fbtft_driver_platform_driver); \ ++ if (ret < 0) \ ++ spi_unregister_driver(&fbtft_driver_spi_driver); \ ++ return ret; \ + } \ + \ + static void __exit fbtft_driver_module_exit(void) \ +-- +2.34.1 + diff --git a/queue-4.14/tipc-rate-limit-warning-for-received-illegal-binding.patch b/queue-4.14/tipc-rate-limit-warning-for-received-illegal-binding.patch new file mode 100644 index 00000000000..94dcec4216c --- /dev/null +++ b/queue-4.14/tipc-rate-limit-warning-for-received-illegal-binding.patch @@ -0,0 +1,38 @@ +From 70d8338548368a20471c6435773280730f0cf3fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Feb 2022 22:22:37 -0500 +Subject: tipc: rate limit warning for received illegal binding update + +From: Jon Maloy + +[ Upstream commit c7223d687758462826a20e9735305d55bb874c70 ] + +It would be easy to craft a message containing an illegal binding table +update operation. This is handled correctly by the code, but the +corresponding warning printout is not rate limited as is should be. +We fix this now. + +Fixes: b97bf3fd8f6a ("[TIPC] Initial merge") +Signed-off-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/name_distr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c +index 7ebcaff8c1c4f..963f607b34999 100644 +--- a/net/tipc/name_distr.c ++++ b/net/tipc/name_distr.c +@@ -288,7 +288,7 @@ static bool tipc_update_nametbl(struct net *net, struct distr_item *i, + return true; + } + } else { +- pr_warn("Unrecognized name table message received\n"); ++ pr_warn_ratelimited("Unknown name table message received\n"); + } + return false; + } +-- +2.34.1 + diff --git a/queue-4.14/usb-f_fs-fix-use-after-free-for-epfile.patch b/queue-4.14/usb-f_fs-fix-use-after-free-for-epfile.patch new file mode 100644 index 00000000000..5457f62540a --- /dev/null +++ b/queue-4.14/usb-f_fs-fix-use-after-free-for-epfile.patch @@ -0,0 +1,163 @@ +From 0996701dd6665fe9ffeee7a36995a1e9394c78be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jan 2022 09:39:55 +0530 +Subject: usb: f_fs: Fix use-after-free for epfile + +From: Udipto Goswami + +[ Upstream commit ebe2b1add1055b903e2acd86b290a85297edc0b3 ] + +Consider a case where ffs_func_eps_disable is called from +ffs_func_disable as part of composition switch and at the +same time ffs_epfile_release get called from userspace. +ffs_epfile_release will free up the read buffer and call +ffs_data_closed which in turn destroys ffs->epfiles and +mark it as NULL. While this was happening the driver has +already initialized the local epfile in ffs_func_eps_disable +which is now freed and waiting to acquire the spinlock. Once +spinlock is acquired the driver proceeds with the stale value +of epfile and tries to free the already freed read buffer +causing use-after-free. + +Following is the illustration of the race: + + CPU1 CPU2 + + ffs_func_eps_disable + epfiles (local copy) + ffs_epfile_release + ffs_data_closed + if (last file closed) + ffs_data_reset + ffs_data_clear + ffs_epfiles_destroy +spin_lock +dereference epfiles + +Fix this races by taking epfiles local copy & assigning it under +spinlock and if epfiles(local) is null then update it in ffs->epfiles +then finally destroy it. +Extending the scope further from the race, protecting the ep related +structures, and concurrent accesses. + +Fixes: a9e6f83c2df1 ("usb: gadget: f_fs: stop sleeping in ffs_func_eps_disable") +Co-developed-by: Udipto Goswami +Reviewed-by: John Keeping +Signed-off-by: Pratham Pratap +Signed-off-by: Udipto Goswami +Link: https://lore.kernel.org/r/1643256595-10797-1-git-send-email-quic_ugoswami@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 56 ++++++++++++++++++++++-------- + 1 file changed, 42 insertions(+), 14 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 61795025f11b6..13a38ed806df9 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1626,16 +1626,24 @@ static void ffs_data_put(struct ffs_data *ffs) + + static void ffs_data_closed(struct ffs_data *ffs) + { ++ struct ffs_epfile *epfiles; ++ unsigned long flags; ++ + ENTER(); + + if (atomic_dec_and_test(&ffs->opened)) { + if (ffs->no_disconnect) { + ffs->state = FFS_DEACTIVATED; +- if (ffs->epfiles) { +- ffs_epfiles_destroy(ffs->epfiles, +- ffs->eps_count); +- ffs->epfiles = NULL; +- } ++ spin_lock_irqsave(&ffs->eps_lock, flags); ++ epfiles = ffs->epfiles; ++ ffs->epfiles = NULL; ++ spin_unlock_irqrestore(&ffs->eps_lock, ++ flags); ++ ++ if (epfiles) ++ ffs_epfiles_destroy(epfiles, ++ ffs->eps_count); ++ + if (ffs->setup_state == FFS_SETUP_PENDING) + __ffs_ep0_stall(ffs); + } else { +@@ -1682,14 +1690,27 @@ static struct ffs_data *ffs_data_new(const char *dev_name) + + static void ffs_data_clear(struct ffs_data *ffs) + { ++ struct ffs_epfile *epfiles; ++ unsigned long flags; ++ + ENTER(); + + ffs_closed(ffs); + + BUG_ON(ffs->gadget); + +- if (ffs->epfiles) { +- ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count); ++ spin_lock_irqsave(&ffs->eps_lock, flags); ++ epfiles = ffs->epfiles; ++ ffs->epfiles = NULL; ++ spin_unlock_irqrestore(&ffs->eps_lock, flags); ++ ++ /* ++ * potential race possible between ffs_func_eps_disable ++ * & ffs_epfile_release therefore maintaining a local ++ * copy of epfile will save us from use-after-free. ++ */ ++ if (epfiles) { ++ ffs_epfiles_destroy(epfiles, ffs->eps_count); + ffs->epfiles = NULL; + } + +@@ -1837,12 +1858,15 @@ static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count) + + static void ffs_func_eps_disable(struct ffs_function *func) + { +- struct ffs_ep *ep = func->eps; +- struct ffs_epfile *epfile = func->ffs->epfiles; +- unsigned count = func->ffs->eps_count; ++ struct ffs_ep *ep; ++ struct ffs_epfile *epfile; ++ unsigned short count; + unsigned long flags; + + spin_lock_irqsave(&func->ffs->eps_lock, flags); ++ count = func->ffs->eps_count; ++ epfile = func->ffs->epfiles; ++ ep = func->eps; + while (count--) { + /* pending requests get nuked */ + if (likely(ep->ep)) +@@ -1860,14 +1884,18 @@ static void ffs_func_eps_disable(struct ffs_function *func) + + static int ffs_func_eps_enable(struct ffs_function *func) + { +- struct ffs_data *ffs = func->ffs; +- struct ffs_ep *ep = func->eps; +- struct ffs_epfile *epfile = ffs->epfiles; +- unsigned count = ffs->eps_count; ++ struct ffs_data *ffs; ++ struct ffs_ep *ep; ++ struct ffs_epfile *epfile; ++ unsigned short count; + unsigned long flags; + int ret = 0; + + spin_lock_irqsave(&func->ffs->eps_lock, flags); ++ ffs = func->ffs; ++ ep = func->eps; ++ epfile = ffs->epfiles; ++ count = ffs->eps_count; + while(count--) { + ep->ep->driver_data = ep; + +-- +2.34.1 +