From: Sasha Levin Date: Wed, 11 Oct 2023 14:22:58 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v6.1.58~46 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93119d816a9f9f2df36f1cbbb94a2d44008c2a39;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/indirect-call-wrappers-helpers-to-speed-up-indirect-.patch b/queue-4.19/indirect-call-wrappers-helpers-to-speed-up-indirect-.patch new file mode 100644 index 00000000000..f73ca8e6c61 --- /dev/null +++ b/queue-4.19/indirect-call-wrappers-helpers-to-speed-up-indirect-.patch @@ -0,0 +1,93 @@ +From a86c33fec3afa1138b1c1dd6a69ef49234c391ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Dec 2018 11:51:57 +0100 +Subject: indirect call wrappers: helpers to speed-up indirect calls of builtin + +From: Paolo Abeni + +[ Upstream commit 283c16a2dfd332bf5610c874f7b9f9c8b601ce53 ] + +This header define a bunch of helpers that allow avoiding the +retpoline overhead when calling builtin functions via function pointers. +It boils down to explicitly comparing the function pointers to +known builtin functions and eventually invoke directly the latter. + +The macros defined here implement the boilerplate for the above schema +and will be used by the next patches. + +rfc -> v1: + - use branch prediction hint, as suggested by Eric +v1 -> v2: + - list explicitly the builtin function names in INDIRECT_CALL_*(), + as suggested by Ed Cree + +Suggested-by: Eric Dumazet +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Stable-dep-of: 86a7e0b69bd5 ("net: prevent rewrite of msg_name in sock_sendmsg()") +Signed-off-by: Sasha Levin +--- + include/linux/indirect_call_wrapper.h | 51 +++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + create mode 100644 include/linux/indirect_call_wrapper.h + +diff --git a/include/linux/indirect_call_wrapper.h b/include/linux/indirect_call_wrapper.h +new file mode 100644 +index 0000000000000..7c8b7f4948af5 +--- /dev/null ++++ b/include/linux/indirect_call_wrapper.h +@@ -0,0 +1,51 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _LINUX_INDIRECT_CALL_WRAPPER_H ++#define _LINUX_INDIRECT_CALL_WRAPPER_H ++ ++#ifdef CONFIG_RETPOLINE ++ ++/* ++ * INDIRECT_CALL_$NR - wrapper for indirect calls with $NR known builtin ++ * @f: function pointer ++ * @f$NR: builtin functions names, up to $NR of them ++ * @__VA_ARGS__: arguments for @f ++ * ++ * Avoid retpoline overhead for known builtin, checking @f vs each of them and ++ * eventually invoking directly the builtin function. The functions are check ++ * in the given order. Fallback to the indirect call. ++ */ ++#define INDIRECT_CALL_1(f, f1, ...) \ ++ ({ \ ++ likely(f == f1) ? f1(__VA_ARGS__) : f(__VA_ARGS__); \ ++ }) ++#define INDIRECT_CALL_2(f, f2, f1, ...) \ ++ ({ \ ++ likely(f == f2) ? f2(__VA_ARGS__) : \ ++ INDIRECT_CALL_1(f, f1, __VA_ARGS__); \ ++ }) ++ ++#define INDIRECT_CALLABLE_DECLARE(f) f ++#define INDIRECT_CALLABLE_SCOPE ++ ++#else ++#define INDIRECT_CALL_1(f, name, ...) f(__VA_ARGS__) ++#define INDIRECT_CALL_2(f, name, ...) f(__VA_ARGS__) ++#define INDIRECT_CALLABLE_DECLARE(f) ++#define INDIRECT_CALLABLE_SCOPE static ++#endif ++ ++/* ++ * We can use INDIRECT_CALL_$NR for ipv6 related functions only if ipv6 is ++ * builtin, this macro simplify dealing with indirect calls with only ipv4/ipv6 ++ * alternatives ++ */ ++#if IS_BUILTIN(CONFIG_IPV6) ++#define INDIRECT_CALL_INET(f, f2, f1, ...) \ ++ INDIRECT_CALL_2(f, f2, f1, __VA_ARGS__) ++#elif IS_ENABLED(CONFIG_INET) ++#define INDIRECT_CALL_INET(f, f2, f1, ...) INDIRECT_CALL_1(f, f1, __VA_ARGS__) ++#else ++#define INDIRECT_CALL_INET(f, f2, f1, ...) f(__VA_ARGS__) ++#endif ++ ++#endif +-- +2.40.1 + diff --git a/queue-4.19/net-fix-kernel-doc-warnings-for-socket.c.patch b/queue-4.19/net-fix-kernel-doc-warnings-for-socket.c.patch new file mode 100644 index 00000000000..7fd653d8d19 --- /dev/null +++ b/queue-4.19/net-fix-kernel-doc-warnings-for-socket.c.patch @@ -0,0 +1,97 @@ +From 70792d804991a307f7f07df7bb49a790c4b26b0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 May 2019 21:23:07 -0700 +Subject: net: fix kernel-doc warnings for socket.c + +From: Randy Dunlap + +[ Upstream commit 85806af0c6bac0feb777e255a25fd5d0cf6ad38e ] + +Fix kernel-doc warnings by moving the kernel-doc notation to be +immediately above the functions that it describes. + +Fixes these warnings for sock_sendmsg() and sock_recvmsg(): + +../net/socket.c:658: warning: Excess function parameter 'sock' description in 'INDIRECT_CALLABLE_DECLARE' +../net/socket.c:658: warning: Excess function parameter 'msg' description in 'INDIRECT_CALLABLE_DECLARE' +../net/socket.c:889: warning: Excess function parameter 'sock' description in 'INDIRECT_CALLABLE_DECLARE' +../net/socket.c:889: warning: Excess function parameter 'msg' description in 'INDIRECT_CALLABLE_DECLARE' +../net/socket.c:889: warning: Excess function parameter 'flags' description in 'INDIRECT_CALLABLE_DECLARE' + +Signed-off-by: Randy Dunlap +Signed-off-by: David S. Miller +Stable-dep-of: 86a7e0b69bd5 ("net: prevent rewrite of msg_name in sock_sendmsg()") +Signed-off-by: Sasha Levin +--- + net/socket.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/net/socket.c b/net/socket.c +index dc4d4ecd6cea2..adf1fb37c17c6 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -645,14 +645,6 @@ void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags) + } + EXPORT_SYMBOL(__sock_tx_timestamp); + +-/** +- * sock_sendmsg - send a message through @sock +- * @sock: socket +- * @msg: message to send +- * +- * Sends @msg through @sock, passing through LSM. +- * Returns the number of bytes sent, or an error code. +- */ + INDIRECT_CALLABLE_DECLARE(int inet_sendmsg(struct socket *, struct msghdr *, + size_t)); + static inline int sock_sendmsg_nosec(struct socket *sock, struct msghdr *msg) +@@ -663,6 +655,14 @@ static inline int sock_sendmsg_nosec(struct socket *sock, struct msghdr *msg) + return ret; + } + ++/** ++ * sock_sendmsg - send a message through @sock ++ * @sock: socket ++ * @msg: message to send ++ * ++ * Sends @msg through @sock, passing through LSM. ++ * Returns the number of bytes sent, or an error code. ++ */ + int sock_sendmsg(struct socket *sock, struct msghdr *msg) + { + int err = security_socket_sendmsg(sock, msg, +@@ -853,15 +853,6 @@ void __sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk, + } + EXPORT_SYMBOL_GPL(__sock_recv_ts_and_drops); + +-/** +- * sock_recvmsg - receive a message from @sock +- * @sock: socket +- * @msg: message to receive +- * @flags: message flags +- * +- * Receives @msg from @sock, passing through LSM. Returns the total number +- * of bytes received, or an error. +- */ + INDIRECT_CALLABLE_DECLARE(int inet_recvmsg(struct socket *, struct msghdr *, + size_t , int )); + static inline int sock_recvmsg_nosec(struct socket *sock, struct msghdr *msg, +@@ -871,6 +862,15 @@ static inline int sock_recvmsg_nosec(struct socket *sock, struct msghdr *msg, + msg_data_left(msg), flags); + } + ++/** ++ * sock_recvmsg - receive a message from @sock ++ * @sock: socket ++ * @msg: message to receive ++ * @flags: message flags ++ * ++ * Receives @msg from @sock, passing through LSM. Returns the total number ++ * of bytes received, or an error. ++ */ + int sock_recvmsg(struct socket *sock, struct msghdr *msg, int flags) + { + int err = security_socket_recvmsg(sock, msg, msg_data_left(msg), flags); +-- +2.40.1 + diff --git a/queue-4.19/net-prevent-rewrite-of-msg_name-in-sock_sendmsg.patch b/queue-4.19/net-prevent-rewrite-of-msg_name-in-sock_sendmsg.patch new file mode 100644 index 00000000000..cce405c7ce4 --- /dev/null +++ b/queue-4.19/net-prevent-rewrite-of-msg_name-in-sock_sendmsg.patch @@ -0,0 +1,110 @@ +From a954bed47975c5e2ed579ef1cbc27908bc6b70fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 18:46:41 -0500 +Subject: net: prevent rewrite of msg_name in sock_sendmsg() + +From: Jordan Rife + +[ Upstream commit 86a7e0b69bd5b812e48a20c66c2161744f3caa16 ] + +Callers of sock_sendmsg(), and similarly kernel_sendmsg(), in kernel +space may observe their value of msg_name change in cases where BPF +sendmsg hooks rewrite the send address. This has been confirmed to break +NFS mounts running in UDP mode and has the potential to break other +systems. + +This patch: + +1) Creates a new function called __sock_sendmsg() with same logic as the + old sock_sendmsg() function. +2) Replaces calls to sock_sendmsg() made by __sys_sendto() and + __sys_sendmsg() with __sock_sendmsg() to avoid an unnecessary copy, + as these system calls are already protected. +3) Modifies sock_sendmsg() so that it makes a copy of msg_name if + present before passing it down the stack to insulate callers from + changes to the send address. + +Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/ +Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg") +Cc: stable@vger.kernel.org +Reviewed-by: Willem de Bruijn +Signed-off-by: Jordan Rife +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/socket.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/net/socket.c b/net/socket.c +index adf1fb37c17c6..d9eaab948d69f 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -655,6 +655,14 @@ static inline int sock_sendmsg_nosec(struct socket *sock, struct msghdr *msg) + return ret; + } + ++static int __sock_sendmsg(struct socket *sock, struct msghdr *msg) ++{ ++ int err = security_socket_sendmsg(sock, msg, ++ msg_data_left(msg)); ++ ++ return err ?: sock_sendmsg_nosec(sock, msg); ++} ++ + /** + * sock_sendmsg - send a message through @sock + * @sock: socket +@@ -665,10 +673,19 @@ static inline int sock_sendmsg_nosec(struct socket *sock, struct msghdr *msg) + */ + int sock_sendmsg(struct socket *sock, struct msghdr *msg) + { +- int err = security_socket_sendmsg(sock, msg, +- msg_data_left(msg)); ++ struct sockaddr_storage *save_addr = (struct sockaddr_storage *)msg->msg_name; ++ struct sockaddr_storage address; ++ int ret; + +- return err ?: sock_sendmsg_nosec(sock, msg); ++ if (msg->msg_name) { ++ memcpy(&address, msg->msg_name, msg->msg_namelen); ++ msg->msg_name = &address; ++ } ++ ++ ret = __sock_sendmsg(sock, msg); ++ msg->msg_name = save_addr; ++ ++ return ret; + } + EXPORT_SYMBOL(sock_sendmsg); + +@@ -975,7 +992,7 @@ static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from) + if (sock->type == SOCK_SEQPACKET) + msg.msg_flags |= MSG_EOR; + +- res = sock_sendmsg(sock, &msg); ++ res = __sock_sendmsg(sock, &msg); + *from = msg.msg_iter; + return res; + } +@@ -1908,7 +1925,7 @@ int __sys_sendto(int fd, void __user *buff, size_t len, unsigned int flags, + if (sock->file->f_flags & O_NONBLOCK) + flags |= MSG_DONTWAIT; + msg.msg_flags = flags; +- err = sock_sendmsg(sock, &msg); ++ err = __sock_sendmsg(sock, &msg); + + out_put: + fput_light(sock->file, fput_needed); +@@ -2236,7 +2253,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg, + err = sock_sendmsg_nosec(sock, msg_sys); + goto out_freectl; + } +- err = sock_sendmsg(sock, msg_sys); ++ err = __sock_sendmsg(sock, msg_sys); + /* + * If this is sendmmsg() and sending to current destination address was + * successful, remember it. +-- +2.40.1 + diff --git a/queue-4.19/net-use-indirect-calls-helpers-at-the-socket-layer.patch b/queue-4.19/net-use-indirect-calls-helpers-at-the-socket-layer.patch new file mode 100644 index 00000000000..03cecc48ecd --- /dev/null +++ b/queue-4.19/net-use-indirect-calls-helpers-at-the-socket-layer.patch @@ -0,0 +1,80 @@ +From 886bcd09646b3b3d1e7633dfaf3b555b47103ac2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 May 2019 17:01:39 +0200 +Subject: net: use indirect calls helpers at the socket layer + +From: Paolo Abeni + +[ Upstream commit 8c3c447b3cec27cf6f77080f4d157d53b64e9555 ] + +This avoids an indirect call per {send,recv}msg syscall in +the common (IPv6 or IPv4 socket) case. + +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Stable-dep-of: 86a7e0b69bd5 ("net: prevent rewrite of msg_name in sock_sendmsg()") +Signed-off-by: Sasha Levin +--- + net/socket.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/net/socket.c b/net/socket.c +index db9d908198f21..dc4d4ecd6cea2 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -90,6 +90,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -108,6 +109,13 @@ + #include + #include + ++/* proto_ops for ipv4 and ipv6 use the same {recv,send}msg function */ ++#if IS_ENABLED(CONFIG_INET) ++#define INDIRECT_CALL_INET4(f, f1, ...) INDIRECT_CALL_1(f, f1, __VA_ARGS__) ++#else ++#define INDIRECT_CALL_INET4(f, f1, ...) f(__VA_ARGS__) ++#endif ++ + #ifdef CONFIG_NET_RX_BUSY_POLL + unsigned int sysctl_net_busy_read __read_mostly; + unsigned int sysctl_net_busy_poll __read_mostly; +@@ -645,10 +653,12 @@ EXPORT_SYMBOL(__sock_tx_timestamp); + * Sends @msg through @sock, passing through LSM. + * Returns the number of bytes sent, or an error code. + */ +- ++INDIRECT_CALLABLE_DECLARE(int inet_sendmsg(struct socket *, struct msghdr *, ++ size_t)); + static inline int sock_sendmsg_nosec(struct socket *sock, struct msghdr *msg) + { +- int ret = sock->ops->sendmsg(sock, msg, msg_data_left(msg)); ++ int ret = INDIRECT_CALL_INET4(sock->ops->sendmsg, inet_sendmsg, sock, ++ msg, msg_data_left(msg)); + BUG_ON(ret == -EIOCBQUEUED); + return ret; + } +@@ -852,11 +862,13 @@ EXPORT_SYMBOL_GPL(__sock_recv_ts_and_drops); + * Receives @msg from @sock, passing through LSM. Returns the total number + * of bytes received, or an error. + */ +- ++INDIRECT_CALLABLE_DECLARE(int inet_recvmsg(struct socket *, struct msghdr *, ++ size_t , int )); + static inline int sock_recvmsg_nosec(struct socket *sock, struct msghdr *msg, + int flags) + { +- return sock->ops->recvmsg(sock, msg, msg_data_left(msg), flags); ++ return INDIRECT_CALL_INET4(sock->ops->recvmsg, inet_recvmsg, sock, msg, ++ msg_data_left(msg), flags); + } + + int sock_recvmsg(struct socket *sock, struct msghdr *msg, int flags) +-- +2.40.1 + diff --git a/queue-4.19/platform-x86-hp-wmi-mark-driver-struct-with-__refdat.patch b/queue-4.19/platform-x86-hp-wmi-mark-driver-struct-with-__refdat.patch new file mode 100644 index 00000000000..9cd2c0348ec --- /dev/null +++ b/queue-4.19/platform-x86-hp-wmi-mark-driver-struct-with-__refdat.patch @@ -0,0 +1,51 @@ +From a4b467c1e7741ec60e6697f8edccaf83d29d61e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 13:16:24 +0200 +Subject: platform/x86: hp-wmi:: Mark driver struct with __refdata to prevent + section mismatch warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 5b44abbc39ca15df80d0da4756078c98c831090f ] + +As described in the added code comment, a reference to .exit.text is ok +for drivers registered via module_platform_driver_probe(). Make this +explicit to prevent a section mismatch warning: + + WARNING: modpost: drivers/platform/x86/hp/hp-wmi: section mismatch in reference: hp_wmi_driver+0x8 (section: .data) -> hp_wmi_bios_remove (section: .exit.text) + +Fixes: c165b80cfecc ("hp-wmi: fix handling of platform device") +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20231004111624.2667753-1-u.kleine-koenig@pengutronix.de +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp-wmi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c +index c65b800310f3a..67a9f838dfb9d 100644 +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -1001,7 +1001,13 @@ static const struct dev_pm_ops hp_wmi_pm_ops = { + .restore = hp_wmi_resume_handler, + }; + +-static struct platform_driver hp_wmi_driver = { ++/* ++ * hp_wmi_bios_remove() lives in .exit.text. For drivers registered via ++ * module_platform_driver_probe() this is ok because they cannot get unbound at ++ * runtime. So mark the driver struct with __refdata to prevent modpost ++ * triggering a section mismatch warning. ++ */ ++static struct platform_driver hp_wmi_driver __refdata = { + .driver = { + .name = "hp-wmi", + .pm = &hp_wmi_pm_ops, +-- +2.40.1 + diff --git a/queue-4.19/rdma-cxgb4-check-skb-value-for-failure-to-allocate.patch b/queue-4.19/rdma-cxgb4-check-skb-value-for-failure-to-allocate.patch new file mode 100644 index 00000000000..55b86ac0b4d --- /dev/null +++ b/queue-4.19/rdma-cxgb4-check-skb-value-for-failure-to-allocate.patch @@ -0,0 +1,39 @@ +From de509668ca26e4ff4f162b2f0c306b10cc5fd1f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 15:40:48 +0300 +Subject: RDMA/cxgb4: Check skb value for failure to allocate + +From: Artem Chernyshev + +[ Upstream commit 8fb8a82086f5bda6893ea6557c5a458e4549c6d7 ] + +get_skb() can fail to allocate skb, so check it. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5be78ee924ae ("RDMA/cxgb4: Fix LE hash collision bug for active open connection") +Signed-off-by: Artem Chernyshev +Link: https://lore.kernel.org/r/20230905124048.284165-1-artem.chernyshev@red-soft.ru +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index a252b13958b3b..e8d2135df22db 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -1922,6 +1922,9 @@ static int send_fw_act_open_req(struct c4iw_ep *ep, unsigned int atid) + int win; + + skb = get_skb(NULL, sizeof(*req), GFP_KERNEL); ++ if (!skb) ++ return -ENOMEM; ++ + req = __skb_put_zero(skb, sizeof(*req)); + req->op_compl = htonl(WR_OP_V(FW_OFLD_CONNECTION_WR)); + req->len16_pkd = htonl(FW_WR_LEN16_V(DIV_ROUND_UP(sizeof(*req), 16))); +-- +2.40.1 + diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..67a40c29777 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,6 @@ +indirect-call-wrappers-helpers-to-speed-up-indirect-.patch +net-use-indirect-calls-helpers-at-the-socket-layer.patch +net-fix-kernel-doc-warnings-for-socket.c.patch +net-prevent-rewrite-of-msg_name-in-sock_sendmsg.patch +rdma-cxgb4-check-skb-value-for-failure-to-allocate.patch +platform-x86-hp-wmi-mark-driver-struct-with-__refdat.patch