From: Sasha Levin Date: Sun, 27 Nov 2022 19:07:05 +0000 (-0500) Subject: Fixes for 4.9 X-Git-Tag: v5.10.157~90 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9409414c61803dee467748895f742efc288f5b4a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch b/queue-4.9/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch new file mode 100644 index 00000000000..3a96f32d8d7 --- /dev/null +++ b/queue-4.9/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch @@ -0,0 +1,75 @@ +From dc4eea95b22236cd93064577fb66218aefe32ae8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 20:26:06 +0800 +Subject: 9p/fd: fix issue of list_del corruption in p9_fd_cancel() + +From: Zhengchao Shao + +[ Upstream commit 11c10956515b8ec44cf4f2a7b9d8bf8b9dc05ec4 ] + +Syz reported the following issue: +kernel BUG at lib/list_debug.c:53! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +RIP: 0010:__list_del_entry_valid.cold+0x5c/0x72 +Call Trace: + +p9_fd_cancel+0xb1/0x270 +p9_client_rpc+0x8ea/0xba0 +p9_client_create+0x9c0/0xed0 +v9fs_session_init+0x1e0/0x1620 +v9fs_mount+0xba/0xb80 +legacy_get_tree+0x103/0x200 +vfs_get_tree+0x89/0x2d0 +path_mount+0x4c0/0x1ac0 +__x64_sys_mount+0x33b/0x430 +do_syscall_64+0x35/0x80 +entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + +The process is as follows: +Thread A: Thread B: +p9_poll_workfn() p9_client_create() +... ... + p9_conn_cancel() p9_fd_cancel() + list_del() ... + ... list_del() //list_del + corruption +There is no lock protection when deleting list in p9_conn_cancel(). After +deleting list in Thread A, thread B will delete the same list again. It +will cause issue of list_del corruption. + +Setting req->status to REQ_STATUS_ERROR under lock prevents other +cleanup paths from trying to manipulate req_list. +The other thread can safely check req->status because it still holds a +reference to req at this point. + +Link: https://lkml.kernel.org/r/20221110122606.383352-1-shaozhengchao@huawei.com +Fixes: 52f1c45dde91 ("9p: trans_fd/p9_conn_cancel: drop client lock earlier") +Reported-by: syzbot+9b69b8d10ab4a7d88056@syzkaller.appspotmail.com +Signed-off-by: Zhengchao Shao +[Dominique: add description of the fix in commit message] +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index a7973bd56a40..e70e843ee48f 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -210,9 +210,11 @@ static void p9_conn_cancel(struct p9_conn *m, int err) + + list_for_each_entry_safe(req, rtmp, &m->req_list, req_list) { + list_move(&req->req_list, &cancel_list); ++ req->status = REQ_STATUS_ERROR; + } + list_for_each_entry_safe(req, rtmp, &m->unsent_req_list, req_list) { + list_move(&req->req_list, &cancel_list); ++ req->status = REQ_STATUS_ERROR; + } + + spin_unlock(&m->client->lock); +-- +2.35.1 + diff --git a/queue-4.9/af_key-fix-send_acquire-race-with-pfkey_register.patch b/queue-4.9/af_key-fix-send_acquire-race-with-pfkey_register.patch new file mode 100644 index 00000000000..0df6a5acc64 --- /dev/null +++ b/queue-4.9/af_key-fix-send_acquire-race-with-pfkey_register.patch @@ -0,0 +1,147 @@ +From 64e8f544d01592343dca187e4136aa3548c8e4d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Oct 2022 14:06:48 +0800 +Subject: af_key: Fix send_acquire race with pfkey_register + +From: Herbert Xu + +[ Upstream commit 7f57f8165cb6d2c206e2b9ada53b9e2d6d8af42f ] + +The function pfkey_send_acquire may race with pfkey_register +(which could even be in a different name space). This may result +in a buffer overrun. + +Allocating the maximum amount of memory that could be used prevents +this. + +Reported-by: syzbot+1e9af9185d8850e2c2fa@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Herbert Xu +Reviewed-by: Sabrina Dubroca +Reviewed-by: Eric Dumazet +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 88d4a3a02ab7..2bd2ce8ceb80 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -2940,7 +2940,7 @@ static int count_ah_combs(const struct xfrm_tmpl *t) + break; + if (!aalg->pfkey_supported) + continue; +- if (aalg_tmpl_set(t, aalg) && aalg->available) ++ if (aalg_tmpl_set(t, aalg)) + sz += sizeof(struct sadb_comb); + } + return sz + sizeof(struct sadb_prop); +@@ -2958,7 +2958,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t) + if (!ealg->pfkey_supported) + continue; + +- if (!(ealg_tmpl_set(t, ealg) && ealg->available)) ++ if (!(ealg_tmpl_set(t, ealg))) + continue; + + for (k = 1; ; k++) { +@@ -2969,16 +2969,17 @@ static int count_esp_combs(const struct xfrm_tmpl *t) + if (!aalg->pfkey_supported) + continue; + +- if (aalg_tmpl_set(t, aalg) && aalg->available) ++ if (aalg_tmpl_set(t, aalg)) + sz += sizeof(struct sadb_comb); + } + } + return sz + sizeof(struct sadb_prop); + } + +-static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) ++static int dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) + { + struct sadb_prop *p; ++ int sz = 0; + int i; + + p = (struct sadb_prop*)skb_put(skb, sizeof(struct sadb_prop)); +@@ -3007,13 +3008,17 @@ static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) + c->sadb_comb_soft_addtime = 20*60*60; + c->sadb_comb_hard_usetime = 8*60*60; + c->sadb_comb_soft_usetime = 7*60*60; ++ sz += sizeof(*c); + } + } ++ ++ return sz + sizeof(*p); + } + +-static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) ++static int dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) + { + struct sadb_prop *p; ++ int sz = 0; + int i, k; + + p = (struct sadb_prop*)skb_put(skb, sizeof(struct sadb_prop)); +@@ -3055,8 +3060,11 @@ static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) + c->sadb_comb_soft_addtime = 20*60*60; + c->sadb_comb_hard_usetime = 8*60*60; + c->sadb_comb_soft_usetime = 7*60*60; ++ sz += sizeof(*c); + } + } ++ ++ return sz + sizeof(*p); + } + + static int key_notify_policy_expire(struct xfrm_policy *xp, const struct km_event *c) +@@ -3186,6 +3194,7 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + struct sadb_x_sec_ctx *sec_ctx; + struct xfrm_sec_ctx *xfrm_ctx; + int ctx_size = 0; ++ int alg_size = 0; + + sockaddr_size = pfkey_sockaddr_size(x->props.family); + if (!sockaddr_size) +@@ -3197,16 +3206,16 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + sizeof(struct sadb_x_policy); + + if (x->id.proto == IPPROTO_AH) +- size += count_ah_combs(t); ++ alg_size = count_ah_combs(t); + else if (x->id.proto == IPPROTO_ESP) +- size += count_esp_combs(t); ++ alg_size = count_esp_combs(t); + + if ((xfrm_ctx = x->security)) { + ctx_size = PFKEY_ALIGN8(xfrm_ctx->ctx_len); + size += sizeof(struct sadb_x_sec_ctx) + ctx_size; + } + +- skb = alloc_skb(size + 16, GFP_ATOMIC); ++ skb = alloc_skb(size + alg_size + 16, GFP_ATOMIC); + if (skb == NULL) + return -ENOMEM; + +@@ -3262,10 +3271,13 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + pol->sadb_x_policy_priority = xp->priority; + + /* Set sadb_comb's. */ ++ alg_size = 0; + if (x->id.proto == IPPROTO_AH) +- dump_ah_combs(skb, t); ++ alg_size = dump_ah_combs(skb, t); + else if (x->id.proto == IPPROTO_ESP) +- dump_esp_combs(skb, t); ++ alg_size = dump_esp_combs(skb, t); ++ ++ hdr->sadb_msg_len += alg_size / 8; + + /* security context */ + if (xfrm_ctx) { +-- +2.35.1 + diff --git a/queue-4.9/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch b/queue-4.9/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch new file mode 100644 index 00000000000..1772395a60e --- /dev/null +++ b/queue-4.9/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch @@ -0,0 +1,57 @@ +From 610d844fbb6f815dbd1c97d2eccb7b46636fef61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 19:59:23 +0100 +Subject: ARM: dts: at91: sam9g20ek: enable udc vbus gpio pinctrl + +From: Michael Grzeschik + +[ Upstream commit 40a2226e8bfacb79dd154dea68febeead9d847e9 ] + +We set the PIOC to GPIO mode. This way the pin becomes an +input signal will be usable by the controller. Without +this change the udc on the 9g20ek does not work. + +Cc: nicolas.ferre@microchip.com +Cc: ludovic.desroches@microchip.com +Cc: alexandre.belloni@bootlin.com +Cc: linux-arm-kernel@lists.infradead.org +Cc: kernel@pengutronix.de +Fixes: 5cb4e73575e3 ("ARM: at91: add at91sam9g20ek boards dt support") +Signed-off-by: Michael Grzeschik +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20221114185923.1023249-3-m.grzeschik@pengutronix.de +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91sam9g20ek_common.dtsi | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/arch/arm/boot/dts/at91sam9g20ek_common.dtsi b/arch/arm/boot/dts/at91sam9g20ek_common.dtsi +index 27847a47c108..1b326a0a2c92 100644 +--- a/arch/arm/boot/dts/at91sam9g20ek_common.dtsi ++++ b/arch/arm/boot/dts/at91sam9g20ek_common.dtsi +@@ -39,6 +39,13 @@ pinctrl_pck0_as_mck: pck0_as_mck { + + }; + ++ usb1 { ++ pinctrl_usb1_vbus_gpio: usb1_vbus_gpio { ++ atmel,pins = ++ ; /* PC5 GPIO */ ++ }; ++ }; ++ + mmc0_slot1 { + pinctrl_board_mmc0_slot1: mmc0_slot1-board { + atmel,pins = +@@ -72,6 +79,8 @@ macb0: ethernet@fffc4000 { + }; + + usb1: gadget@fffa4000 { ++ pinctrl-0 = <&pinctrl_usb1_vbus_gpio>; ++ pinctrl-names = "default"; + atmel,vbus-gpio = <&pioC 5 GPIO_ACTIVE_HIGH>; + status = "okay"; + }; +-- +2.35.1 + diff --git a/queue-4.9/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch b/queue-4.9/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch new file mode 100644 index 00000000000..42ca206ad3a --- /dev/null +++ b/queue-4.9/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch @@ -0,0 +1,40 @@ +From 994423809df319050bac5414bc32dccc4100fa2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 06:20:11 +0000 +Subject: ARM: mxs: fix memory leak in mxs_machine_init() + +From: Zheng Yongjun + +[ Upstream commit f31e3c204d1844b8680a442a48868af5ac3d5481 ] + +If of_property_read_string() failed, 'soc_dev_attr' should be +freed before return. Otherwise there is a memory leak. + +Fixes: 2046338dcbc6 ("ARM: mxs: Use soc bus infrastructure") +Signed-off-by: Zheng Yongjun +Reviewed-by: Marco Felsch +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/mach-mxs/mach-mxs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-mxs/mach-mxs.c b/arch/arm/mach-mxs/mach-mxs.c +index e4f21086b42b..57cb97ff82bc 100644 +--- a/arch/arm/mach-mxs/mach-mxs.c ++++ b/arch/arm/mach-mxs/mach-mxs.c +@@ -393,8 +393,10 @@ static void __init mxs_machine_init(void) + + root = of_find_node_by_path("/"); + ret = of_property_read_string(root, "model", &soc_dev_attr->machine); +- if (ret) ++ if (ret) { ++ kfree(soc_dev_attr); + return; ++ } + + soc_dev_attr->family = "Freescale MXS Family"; + soc_dev_attr->soc_id = mxs_get_soc_id(); +-- +2.35.1 + diff --git a/queue-4.9/bus-sunxi-rsb-support-atomic-transfers.patch b/queue-4.9/bus-sunxi-rsb-support-atomic-transfers.patch new file mode 100644 index 00000000000..562e0e286aa --- /dev/null +++ b/queue-4.9/bus-sunxi-rsb-support-atomic-transfers.patch @@ -0,0 +1,92 @@ +From eb0166df8ed1936a8cac84259072bbbde5ee3a15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Nov 2022 19:57:48 -0600 +Subject: bus: sunxi-rsb: Support atomic transfers + +From: Samuel Holland + +[ Upstream commit 077686da0e2162c4ea5ae0df205849c2a7a84479 ] + +When communicating with a PMIC during system poweroff (pm_power_off()), +IRQs are disabled and we are in a RCU read-side critical section, so we +cannot use wait_for_completion_io_timeout(). Instead, poll the status +register for transfer completion. + +Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus") +Signed-off-by: Samuel Holland +Reviewed-by: Jernej Skrabec +Link: https://lore.kernel.org/r/20221114015749.28490-3-samuel@sholland.org +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + drivers/bus/sunxi-rsb.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c +index ce5b976a8856..bf323b540c03 100644 +--- a/drivers/bus/sunxi-rsb.c ++++ b/drivers/bus/sunxi-rsb.c +@@ -268,6 +268,9 @@ EXPORT_SYMBOL_GPL(sunxi_rsb_driver_register); + /* common code that starts a transfer */ + static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb) + { ++ u32 int_mask, status; ++ bool timeout; ++ + if (readl(rsb->regs + RSB_CTRL) & RSB_CTRL_START_TRANS) { + dev_dbg(rsb->dev, "RSB transfer still in progress\n"); + return -EBUSY; +@@ -275,13 +278,23 @@ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb) + + reinit_completion(&rsb->complete); + +- writel(RSB_INTS_LOAD_BSY | RSB_INTS_TRANS_ERR | RSB_INTS_TRANS_OVER, +- rsb->regs + RSB_INTE); ++ int_mask = RSB_INTS_LOAD_BSY | RSB_INTS_TRANS_ERR | RSB_INTS_TRANS_OVER; ++ writel(int_mask, rsb->regs + RSB_INTE); + writel(RSB_CTRL_START_TRANS | RSB_CTRL_GLOBAL_INT_ENB, + rsb->regs + RSB_CTRL); + +- if (!wait_for_completion_io_timeout(&rsb->complete, +- msecs_to_jiffies(100))) { ++ if (irqs_disabled()) { ++ timeout = readl_poll_timeout_atomic(rsb->regs + RSB_INTS, ++ status, (status & int_mask), ++ 10, 100000); ++ writel(status, rsb->regs + RSB_INTS); ++ } else { ++ timeout = !wait_for_completion_io_timeout(&rsb->complete, ++ msecs_to_jiffies(100)); ++ status = rsb->status; ++ } ++ ++ if (timeout) { + dev_dbg(rsb->dev, "RSB timeout\n"); + + /* abort the transfer */ +@@ -293,18 +306,18 @@ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb) + return -ETIMEDOUT; + } + +- if (rsb->status & RSB_INTS_LOAD_BSY) { ++ if (status & RSB_INTS_LOAD_BSY) { + dev_dbg(rsb->dev, "RSB busy\n"); + return -EBUSY; + } + +- if (rsb->status & RSB_INTS_TRANS_ERR) { +- if (rsb->status & RSB_INTS_TRANS_ERR_ACK) { ++ if (status & RSB_INTS_TRANS_ERR) { ++ if (status & RSB_INTS_TRANS_ERR_ACK) { + dev_dbg(rsb->dev, "RSB slave nack\n"); + return -EINVAL; + } + +- if (rsb->status & RSB_INTS_TRANS_ERR_DATA) { ++ if (status & RSB_INTS_TRANS_ERR_DATA) { + dev_dbg(rsb->dev, "RSB transfer data error\n"); + return -EIO; + } +-- +2.35.1 + diff --git a/queue-4.9/net-mlx4-check-retval-of-mlx4_bitmap_init.patch b/queue-4.9/net-mlx4-check-retval-of-mlx4_bitmap_init.patch new file mode 100644 index 00000000000..08c73c3f331 --- /dev/null +++ b/queue-4.9/net-mlx4-check-retval-of-mlx4_bitmap_init.patch @@ -0,0 +1,43 @@ +From 28a01f2ae097dfa87464dcbd3913a9dc50a92c68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 18:28:06 +0300 +Subject: net/mlx4: Check retval of mlx4_bitmap_init + +From: Peter Kosyh + +[ Upstream commit 594c61ffc77de0a197934aa0f1df9285c68801c6 ] + +If mlx4_bitmap_init fails, mlx4_bitmap_alloc_range will dereference +the NULL pointer (bitmap->table). + +Make sure, that mlx4_bitmap_alloc_range called in no error case. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d57febe1a478 ("net/mlx4: Add A0 hybrid steering") +Reviewed-by: Tariq Toukan +Signed-off-by: Peter Kosyh +Link: https://lore.kernel.org/r/20221117152806.278072-1-pkosyh@yandex.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/qp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c +index 71578d48efbc..54026043b5e2 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/qp.c ++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c +@@ -696,7 +696,8 @@ static int mlx4_create_zones(struct mlx4_dev *dev, + err = mlx4_bitmap_init(*bitmap + k, 1, + MLX4_QP_TABLE_RAW_ETH_SIZE - 1, 0, + 0); +- mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0); ++ if (!err) ++ mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0); + } + + if (err) +-- +2.35.1 + diff --git a/queue-4.9/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch b/queue-4.9/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch new file mode 100644 index 00000000000..92d0b820d13 --- /dev/null +++ b/queue-4.9/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch @@ -0,0 +1,38 @@ +From f50f8f6abb18279dd7fa8ff01dc1e1b3876f10a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 14:55:27 +0800 +Subject: net: pch_gbe: fix potential memleak in pch_gbe_tx_queue() + +From: Wang Hai + +[ Upstream commit 2360f9b8c4e81d242d4cbf99d630a2fffa681fab ] + +In pch_gbe_xmit_frame(), NETDEV_TX_OK will be returned whether +pch_gbe_tx_queue() sends data successfully or not, so pch_gbe_tx_queue() +needs to free skb before returning. But pch_gbe_tx_queue() returns without +freeing skb in case of dma_map_single() fails. Add dev_kfree_skb_any() +to fix it. + +Fixes: 77555ee72282 ("net: Add Gigabit Ethernet driver of Topcliff PCH") +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +index cd59577a0c92..ca6c4e7254cd 100644 +--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c ++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +@@ -1221,6 +1221,7 @@ static void pch_gbe_tx_queue(struct pch_gbe_adapter *adapter, + buffer_info->dma = 0; + buffer_info->time_stamp = 0; + tx_ring->next_to_use = ring_num; ++ dev_kfree_skb_any(skb); + return; + } + buffer_info->mapped = true; +-- +2.35.1 + diff --git a/queue-4.9/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch b/queue-4.9/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch new file mode 100644 index 00000000000..bf0d8407f03 --- /dev/null +++ b/queue-4.9/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch @@ -0,0 +1,36 @@ +From 492108f39bd34e43d76bb2f65cff603fd1c5e7fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 16:50:38 +0800 +Subject: net/qla3xxx: fix potential memleak in ql3xxx_send() + +From: Zhang Changzhong + +[ Upstream commit 62a7311fb96c61d281da9852dbee4712fc8c3277 ] + +The ql3xxx_send() returns NETDEV_TX_OK without freeing skb in error +handling case, add dev_kfree_skb_any() to fix it. + +Fixes: bd36b0ac5d06 ("qla3xxx: Add support for Qlogic 4032 chip.") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1668675039-21138-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c +index e62e3a9d5249..4ad4fb832a4a 100644 +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -2472,6 +2472,7 @@ static netdev_tx_t ql3xxx_send(struct sk_buff *skb, + skb_shinfo(skb)->nr_frags); + if (tx_cb->seg_count == -1) { + netdev_err(ndev, "%s: invalid segment count!\n", __func__); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + +-- +2.35.1 + diff --git a/queue-4.9/net-thunderx-fix-the-acpi-memory-leak.patch b/queue-4.9/net-thunderx-fix-the-acpi-memory-leak.patch new file mode 100644 index 00000000000..59da24994be --- /dev/null +++ b/queue-4.9/net-thunderx-fix-the-acpi-memory-leak.patch @@ -0,0 +1,41 @@ +From 80966c08b0463d920e25016bc2a9cbbbbce3e159 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 16:22:36 +0800 +Subject: net: thunderx: Fix the ACPI memory leak + +From: Yu Liao + +[ Upstream commit 661e5ebbafd26d9d2e3c749f5cf591e55c7364f5 ] + +The ACPI buffer memory (string.pointer) should be freed as the buffer is +not used after returning from bgx_acpi_match_id(), free it to prevent +memory leak. + +Fixes: 46b903a01c05 ("net, thunder, bgx: Add support to get MAC address from ACPI.") +Signed-off-by: Yu Liao +Link: https://lore.kernel.org/r/20221123082237.1220521-1-liaoyu15@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index e858b1af788d..0a58e55f8613 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1183,8 +1183,10 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl, + return AE_OK; + } + +- if (strncmp(string.pointer, bgx_sel, 4)) ++ if (strncmp(string.pointer, bgx_sel, 4)) { ++ kfree(string.pointer); + return AE_OK; ++ } + + acpi_walk_namespace(ACPI_TYPE_DEVICE, handle, 1, + bgx_acpi_register_phy, NULL, bgx, NULL); +-- +2.35.1 + diff --git a/queue-4.9/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch b/queue-4.9/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch new file mode 100644 index 00000000000..c001881658f --- /dev/null +++ b/queue-4.9/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch @@ -0,0 +1,61 @@ +From 810c0aed0745e3bb6fdb16bbc59916f9f2a6cbbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 16:24:19 +0800 +Subject: NFC: nci: fix memory leak in nci_rx_data_packet() + +From: Liu Shixin + +[ Upstream commit 53270fb0fd77fe786d8c07a0793981d797836b93 ] + +Syzbot reported a memory leak about skb: + +unreferenced object 0xffff88810e144e00 (size 240): + comm "syz-executor284", pid 3701, jiffies 4294952403 (age 12.620s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:497 + [] alloc_skb include/linux/skbuff.h:1267 [inline] + [] virtual_ncidev_write+0x24/0xe0 drivers/nfc/virtual_ncidev.c:116 + [] do_loop_readv_writev fs/read_write.c:759 [inline] + [] do_loop_readv_writev fs/read_write.c:743 [inline] + [] do_iter_write+0x253/0x300 fs/read_write.c:863 + [] vfs_writev+0xdd/0x240 fs/read_write.c:934 + [] do_writev+0xa6/0x1c0 fs/read_write.c:977 + [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +In nci_rx_data_packet(), if we don't get a valid conn_info, we will return +directly but forget to release the skb. + +Reported-by: syzbot+cdb9a427d1bc08815104@syzkaller.appspotmail.com +Fixes: 4aeee6871e8c ("NFC: nci: Add dynamic logical connections support") +Signed-off-by: Liu Shixin +Link: https://lore.kernel.org/r/20221118082419.239475-1-liushixin2@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/nfc/nci/data.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c +index b8a295dd15d8..45b654dca6f9 100644 +--- a/net/nfc/nci/data.c ++++ b/net/nfc/nci/data.c +@@ -291,8 +291,10 @@ void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb) + nci_plen(skb->data)); + + conn_info = nci_get_conn_info_by_conn_id(ndev, nci_conn_id(skb->data)); +- if (!conn_info) ++ if (!conn_info) { ++ kfree_skb(skb); + return; ++ } + + /* strip the nci data header */ + skb_pull(skb, NCI_DATA_HDR_SIZE); +-- +2.35.1 + diff --git a/queue-4.9/nfc-nci-fix-race-with-opening-and-closing.patch b/queue-4.9/nfc-nci-fix-race-with-opening-and-closing.patch new file mode 100644 index 00000000000..8418f3c6b51 --- /dev/null +++ b/queue-4.9/nfc-nci-fix-race-with-opening-and-closing.patch @@ -0,0 +1,42 @@ +From b9149eaf886192b5e09c5ea09ca0aae4f28afd4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 21:02:49 +0800 +Subject: nfc/nci: fix race with opening and closing + +From: Lin Ma + +[ Upstream commit 0ad6bded175e829c2ca261529c9dce39a32a042d ] + +Previously we leverage NCI_UNREG and the lock inside nci_close_device to +prevent the race condition between opening a device and closing a +device. However, it still has problem because a failed opening command +will erase the NCI_UNREG flag and allow another opening command to +bypass the status checking. + +This fix corrects that by making sure the NCI_UNREG is held. + +Reported-by: syzbot+43475bf3cfbd6e41f5b7@syzkaller.appspotmail.com +Fixes: 48b71a9e66c2 ("NFC: add NCI_UNREG flag to eliminate the race") +Signed-off-by: Lin Ma +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/nci/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index df90872fcf90..e7701c36f36c 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -543,7 +543,7 @@ static int nci_open_device(struct nci_dev *ndev) + skb_queue_purge(&ndev->tx_q); + + ndev->ops->close(ndev); +- ndev->flags = 0; ++ ndev->flags &= BIT(NCI_UNREG); + } + + done: +-- +2.35.1 + diff --git a/queue-4.9/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch b/queue-4.9/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch new file mode 100644 index 00000000000..eb06e24616d --- /dev/null +++ b/queue-4.9/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch @@ -0,0 +1,41 @@ +From ff484ba32b4481e6c037d865457e2c612bfc84d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 18:42:44 -0600 +Subject: nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION + +From: Martin Faltesek + +[ Upstream commit c60c152230828825c06e62a8f1ce956d4b659266 ] + +The first validation check for EVT_TRANSACTION has two different checks +tied together with logical AND. One is a check for minimum packet length, +and the other is for a valid aid_tag. If either condition is true (fails), +then an error should be triggered. The fix is to change && to ||. + +Reported-by: Denis Efremov +Reviewed-by: Guenter Roeck +Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support") +Signed-off-by: Martin Faltesek +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/st-nci/se.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c +index 85df2e009310..e75929ff330e 100644 +--- a/drivers/nfc/st-nci/se.c ++++ b/drivers/nfc/st-nci/se.c +@@ -338,7 +338,7 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev, + * AID 81 5 to 16 + * PARAMETERS 82 0 to 255 + */ +- if (skb->len < NFC_MIN_AID_LENGTH + 2 && ++ if (skb->len < NFC_MIN_AID_LENGTH + 2 || + skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) + return -EPROTO; + +-- +2.35.1 + diff --git a/queue-4.9/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch b/queue-4.9/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch new file mode 100644 index 00000000000..59b28e7a10f --- /dev/null +++ b/queue-4.9/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch @@ -0,0 +1,42 @@ +From 17cd47e85857d7b40159cb5cd39e82d51a7bfc25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 18:42:45 -0600 +Subject: nfc: st-nci: fix memory leaks in EVT_TRANSACTION + +From: Martin Faltesek + +[ Upstream commit 440f2ae9c9f06e26f5dcea697a53717fc61a318c ] + +Error path does not free previously allocated memory. Add devm_kfree() to +the failure path. + +Reported-by: Denis Efremov +Reviewed-by: Guenter Roeck +Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support") +Signed-off-by: Martin Faltesek +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/st-nci/se.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c +index e75929ff330e..b1d23b35aac4 100644 +--- a/drivers/nfc/st-nci/se.c ++++ b/drivers/nfc/st-nci/se.c +@@ -352,8 +352,10 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev, + + /* Check next byte is PARAMETERS tag (82) */ + if (skb->data[transaction->aid_len + 2] != +- NFC_EVT_TRANSACTION_PARAMS_TAG) ++ NFC_EVT_TRANSACTION_PARAMS_TAG) { ++ devm_kfree(dev, transaction); + return -EPROTO; ++ } + + transaction->params_len = skb->data[transaction->aid_len + 3]; + memcpy(transaction->params, skb->data + +-- +2.35.1 + diff --git a/queue-4.9/s390-crashdump-fix-tod-programmable-field-size.patch b/queue-4.9/s390-crashdump-fix-tod-programmable-field-size.patch new file mode 100644 index 00000000000..4864ef810cf --- /dev/null +++ b/queue-4.9/s390-crashdump-fix-tod-programmable-field-size.patch @@ -0,0 +1,61 @@ +From fbe515f999a0f4774fe3ce686b8787be4a7257d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 13:05:39 +0100 +Subject: s390/crashdump: fix TOD programmable field size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Heiko Carstens + +[ Upstream commit f44e07a8afdd713ddc1a8832c39372fe5dd86895 ] + +The size of the TOD programmable field was incorrectly increased from +four to eight bytes with commit 1a2c5840acf9 ("s390/dump: cleanup CPU +save area handling"). +This leads to an elf notes section NT_S390_TODPREG which has a size of +eight instead of four bytes in case of kdump, however even worse is +that the contents is incorrect: it is supposed to contain only the +contents of the TOD programmable field, but in fact contains a mix of +the TOD programmable field (32 bit upper bits) and parts of the CPU +timer register (lower 32 bits). + +Fix this by simply changing the size of the todpreg field within the +save area structure. This will implicitly also fix the size of the +corresponding elf notes sections. + +This also gets rid of this compile time warning: + +in function ‘fortify_memcpy_chk’, + inlined from ‘save_area_add_regs’ at arch/s390/kernel/crash_dump.c:99:2: +./include/linux/fortify-string.h:413:25: error: call to ‘__read_overflow2_field’ + declared with attribute warning: detected read beyond size of field + (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning] + 413 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fixes: 1a2c5840acf9 ("s390/dump: cleanup CPU save area handling") +Reviewed-by: Christian Borntraeger +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/crash_dump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/crash_dump.c b/arch/s390/kernel/crash_dump.c +index 167135294ca5..d246cb23e341 100644 +--- a/arch/s390/kernel/crash_dump.c ++++ b/arch/s390/kernel/crash_dump.c +@@ -42,7 +42,7 @@ struct save_area { + u64 fprs[16]; + u32 fpc; + u32 prefix; +- u64 todpreg; ++ u32 todpreg; + u64 timer; + u64 todcmp; + u64 vxrs_low[16]; +-- +2.35.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 11c2bff3bd8..5d89c21254d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -2,3 +2,18 @@ wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch mips-pic32-treat-port-as-signed-integer.patch +af_key-fix-send_acquire-race-with-pfkey_register.patch +bus-sunxi-rsb-support-atomic-transfers.patch +arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch +nfc-nci-fix-race-with-opening-and-closing.patch +net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch +9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch +arm-mxs-fix-memory-leak-in-mxs_machine_init.patch +net-mlx4-check-retval-of-mlx4_bitmap_init.patch +net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch +xfrm-fix-ignored-return-value-in-xfrm6_init.patch +nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch +nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch +nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch +net-thunderx-fix-the-acpi-memory-leak.patch +s390-crashdump-fix-tod-programmable-field-size.patch diff --git a/queue-4.9/xfrm-fix-ignored-return-value-in-xfrm6_init.patch b/queue-4.9/xfrm-fix-ignored-return-value-in-xfrm6_init.patch new file mode 100644 index 00000000000..47610935f6b --- /dev/null +++ b/queue-4.9/xfrm-fix-ignored-return-value-in-xfrm6_init.patch @@ -0,0 +1,59 @@ +From 2afd8110edf90704789926055f86f4041942b241 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 17:07:13 +0800 +Subject: xfrm: Fix ignored return value in xfrm6_init() + +From: Chen Zhongjin + +[ Upstream commit 40781bfb836eda57d19c0baa37c7e72590e05fdc ] + +When IPv6 module initializing in xfrm6_init(), register_pernet_subsys() +is possible to fail but its return value is ignored. + +If IPv6 initialization fails later and xfrm6_fini() is called, +removing uninitialized list in xfrm6_net_ops will cause null-ptr-deref: + +KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +CPU: 1 PID: 330 Comm: insmod +RIP: 0010:unregister_pernet_operations+0xc9/0x450 +Call Trace: + + unregister_pernet_subsys+0x31/0x3e + xfrm6_fini+0x16/0x30 [ipv6] + ip6_route_init+0xcd/0x128 [ipv6] + inet6_init+0x29c/0x602 [ipv6] + ... + +Fix it by catching the error return value of register_pernet_subsys(). + +Fixes: 8d068875caca ("xfrm: make gc_thresh configurable in all namespaces") +Signed-off-by: Chen Zhongjin +Reviewed-by: Leon Romanovsky +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_policy.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c +index 0c7f27a1725f..6887922ea828 100644 +--- a/net/ipv6/xfrm6_policy.c ++++ b/net/ipv6/xfrm6_policy.c +@@ -419,9 +419,13 @@ int __init xfrm6_init(void) + if (ret) + goto out_state; + +- register_pernet_subsys(&xfrm6_net_ops); ++ ret = register_pernet_subsys(&xfrm6_net_ops); ++ if (ret) ++ goto out_protocol; + out: + return ret; ++out_protocol: ++ xfrm6_protocol_fini(); + out_state: + xfrm6_state_fini(); + out_policy: +-- +2.35.1 +