From: Greg Kroah-Hartman Date: Sat, 30 Oct 2021 13:13:45 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.291~20 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a3b6ee15d5f9df735c41a36e5484b3741e867a34;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: net-batman-adv-fix-error-handling.patch net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch
---
diff --git a/queue-4.14/net-batman-adv-fix-error-handling.patch b/queue-4.14/net-batman-adv-fix-error-handling.patch
new file mode 100644
index 00000000000..453366ad8b5
--- /dev/null
+++ b/queue-4.14/net-batman-adv-fix-error-handling.patch
@@ -0,0 +1,173 @@
+From 6f68cd634856f8ca93bafd623ba5357e0f648c68 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Sun, 24 Oct 2021 16:13:56 +0300
+Subject: net: batman-adv: fix error handling
+
+From: Pavel Skripkin
+
+commit 6f68cd634856f8ca93bafd623ba5357e0f648c68 upstream.
+
+Syzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was
+in wrong error handling in batadv_mesh_init().
+
+Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case
+of any batadv_*_init() calls failure. This approach may work well, when
+there is some kind of indicator, which can tell which parts of batadv are
+initialized; but there isn't any.
+
+All written above lead to cleaning up uninitialized fields. Even if we hide
+ODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit
+GPF in batadv_nc_purge_paths(), because hash pointer in still NULL. [1]
+
+To fix these bugs we can unwind batadv_*_init() calls one by one.
+It is good approach for 2 reasons: 1) It fixes bugs on error handling
+path 2) It improves the performance, since we won't call unneeded
+batadv_*_free() functions.
+
+So, this patch makes all batadv_*_init() clean up all allocated memory
+before returning with an error to no call correspoing batadv_*_free()
+and open-codes batadv_mesh_free() with proper order to avoid touching
+uninitialized fields.
+
+Link: https://lore.kernel.org/netdev/000000000000c87fbd05cef6bcb0@google.com/ [1]
+Reported-and-tested-by: syzbot+28b0702ada0bf7381f58@syzkaller.appspotmail.com
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Signed-off-by: Pavel Skripkin
+Acked-by: Sven Eckelmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/bridge_loop_avoidance.c | 8 +++-
+ net/batman-adv/main.c | 56 +++++++++++++++++++++++----------
+ net/batman-adv/network-coding.c | 4 +-
+ net/batman-adv/translation-table.c | 4 +-
+ 4 files changed, 52 insertions(+), 20 deletions(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1574,10 +1574,14 @@ int batadv_bla_init(struct batadv_priv *
+ return 0;
+
+ bat_priv->bla.claim_hash = batadv_hash_new(128);
+- bat_priv->bla.backbone_hash = batadv_hash_new(32);
++ if (!bat_priv->bla.claim_hash)
++ return -ENOMEM;
+
+- if (!bat_priv->bla.claim_hash || !bat_priv->bla.backbone_hash)
++ bat_priv->bla.backbone_hash = batadv_hash_new(32);
++ if (!bat_priv->bla.backbone_hash) {
++ batadv_hash_destroy(bat_priv->bla.claim_hash);
+ return -ENOMEM;
++ }
+
+ batadv_hash_set_lock_class(bat_priv->bla.claim_hash,
+ &batadv_claim_hash_lock_class_key);
+--- a/net/batman-adv/main.c
++++ b/net/batman-adv/main.c
+@@ -180,29 +180,41 @@ int batadv_mesh_init(struct net_device *
+ INIT_HLIST_HEAD(&bat_priv->softif_vlan_list);
+ INIT_HLIST_HEAD(&bat_priv->tp_list);
+
+- ret = batadv_v_mesh_init(bat_priv);
+- if (ret < 0)
+- goto err;
+-
+ ret = batadv_originator_init(bat_priv);
+- if (ret < 0)
+- goto err;
++ if (ret < 0) {
++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
++ goto err_orig;
++ }
+
+ ret = batadv_tt_init(bat_priv);
+- if (ret < 0)
+- goto err;
++ if (ret < 0) {
++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
++ goto err_tt;
++ }
++
++ ret = batadv_v_mesh_init(bat_priv);
++ if (ret < 0) {
++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
++ goto err_v;
++ }
+
+ ret = batadv_bla_init(bat_priv);
+- if (ret < 0)
+- goto err;
++ if (ret < 0) {
++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
++ goto err_bla;
++ }
+
+ ret = batadv_dat_init(bat_priv);
+- if (ret < 0)
+- goto err;
++ if (ret < 0) {
++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
++ goto err_dat;
++ }
+
+ ret = batadv_nc_mesh_init(bat_priv);
+- if (ret < 0)
+- goto err;
++ if (ret < 0) {
++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
++ goto err_nc;
++ }
+
+ batadv_gw_init(bat_priv);
+ batadv_mcast_init(bat_priv);
+@@ -212,8 +224,20 @@ int batadv_mesh_init(struct net_device *
+
+ return 0;
+
+-err:
+- batadv_mesh_free(soft_iface);
++err_nc:
++ batadv_dat_free(bat_priv);
++err_dat:
++ batadv_bla_free(bat_priv);
++err_bla:
++ batadv_v_mesh_free(bat_priv);
++err_v:
++ batadv_tt_free(bat_priv);
++err_tt:
++ batadv_originator_free(bat_priv);
++err_orig:
++ batadv_purge_outstanding_packets(bat_priv, NULL);
++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE);
++
+ return ret;
+ }
+
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -165,8 +165,10 @@ int batadv_nc_mesh_init(struct batadv_pr
+ &batadv_nc_coding_hash_lock_class_key);
+
+ bat_priv->nc.decoding_hash = batadv_hash_new(128);
+- if (!bat_priv->nc.decoding_hash)
++ if (!bat_priv->nc.decoding_hash) {
++ batadv_hash_destroy(bat_priv->nc.coding_hash);
+ goto err;
++ }
+
+ batadv_hash_set_lock_class(bat_priv->nc.decoding_hash,
+ &batadv_nc_decoding_hash_lock_class_key);
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -4373,8 +4373,10 @@ int batadv_tt_init(struct batadv_priv *b
+ return ret;
+
+ ret = batadv_tt_global_init(bat_priv);
+- if (ret < 0)
++ if (ret < 0) {
++ batadv_tt_local_table_free(bat_priv);
+ return ret;
++ }
+
+ batadv_tvlv_handler_register(bat_priv, batadv_tt_tvlv_ogm_handler_v1,
+ batadv_tt_tvlv_unicast_handler_v1,
diff --git a/queue-4.14/net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch b/queue-4.14/net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch
new file mode 100644
index 00000000000..b5bf0f5aac4
--- /dev/null
+++ b/queue-4.14/net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch
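Review bot: In the batadv_bla_init() hunk of net-batman-adv-fix-error-handling.patch, the new failure branch frees `bat_priv->bla.claim_hash` with batadv_hash_destroy() but leaves the pointer set, and the batadv_nc_mesh_init() hunk does the same for `bat_priv->nc.coding_hash` before `goto err`. The new unwinding in batadv_mesh_init() skips the matching *_free() for the step that failed, but any teardown path that later tests these fields for non-NULL (not visible in these hunks) would operate on freed memory. Clearing the field right after the destroy, `bat_priv->bla.claim_hash = NULL;` and `bat_priv->nc.coding_hash = NULL;`, keeps the structure self-describing at no cost. Both function bodies and the `err` label continue outside the hunks.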
@@ -0,0 +1,44 @@
+From ace19b992436a257d9a793672e57abc28fe83e2e Mon Sep 17 00:00:00 2001
+From: Trevor Woerner
+Date: Sun, 24 Oct 2021 13:50:02 -0400
+Subject: net: nxp: lpc_eth.c: avoid hang when bringing interface down
+
+From: Trevor Woerner
+
+commit ace19b992436a257d9a793672e57abc28fe83e2e upstream.
+
+A hard hang is observed whenever the ethernet interface is brought
+down. If the PHY is stopped before the LPC core block is reset,
+the SoC will hang. Comparing lpc_eth_close() and lpc_eth_open() I
+re-arranged the ordering of the functions calls in lpc_eth_close() to
+reset the hardware before stopping the PHY.
+Fixes: b7370112f519 ("lpc32xx: Added ethernet driver")
+Signed-off-by: Trevor Woerner
+Acked-by: Vladimir Zapolskiy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/nxp/lpc_eth.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/nxp/lpc_eth.c
++++ b/drivers/net/ethernet/nxp/lpc_eth.c
+@@ -1037,9 +1037,6 @@ static int lpc_eth_close(struct net_devi
+ napi_disable(&pldat->napi);
+ netif_stop_queue(ndev);
+
+- if (ndev->phydev)
+- phy_stop(ndev->phydev);
+-
+ spin_lock_irqsave(&pldat->lock, flags);
+ __lpc_eth_reset(pldat);
+ netif_carrier_off(ndev);
+@@ -1047,6 +1044,8 @@ static int lpc_eth_close(struct net_devi
+ writel(0, LPC_ENET_MAC2(pldat->net_base));
+ spin_unlock_irqrestore(&pldat->lock, flags);
+
++ if (ndev->phydev)
++ phy_stop(ndev->phydev);
+ clk_disable_unprepare(pldat->clk);
+
+ return 0;
diff --git a/queue-4.14/nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch b/queue-4.14/nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch
new file mode 100644
index 00000000000..6474a538735
--- /dev/null
+++ b/queue-4.14/nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch
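Review bot: The ordering constraint that the lpc_eth_close() change in net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch depends on is not recorded in the code. `phy_stop()` now has to run after `__lpc_eth_reset()`, and the commit message says the SoC hangs when the PHY is stopped first, yet nothing at the moved call says so. A comment above it, such as `/* Stop the PHY only after the MAC reset above; stopping it first hangs the SoC. */`, would keep a later cleanup from moving the call back. The function starts and ends outside the two hunks.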
@@ -0,0 +1,39 @@
+From 4a089e95b4d6bb625044d47aed0c442a8f7bd093 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Wed, 20 Oct 2021 12:11:16 -0700
+Subject: nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST
+
+From: Guenter Roeck
+
+commit 4a089e95b4d6bb625044d47aed0c442a8f7bd093 upstream.
+
+nios2:allmodconfig builds fail with
+
+make[1]: *** No rule to make target 'arch/nios2/boot/dts/""',
+ needed by 'arch/nios2/boot/dts/built-in.a'. Stop.
+make: [Makefile:1868: arch/nios2/boot/dts] Error 2 (ignored)
+
+This is seen with compile tests since those enable NIOS2_DTB_SOURCE_BOOL,
+which in turn enables NIOS2_DTB_SOURCE. This causes the build error
+because the default value for NIOS2_DTB_SOURCE is an empty string.
+Disable NIOS2_DTB_SOURCE_BOOL for compile tests to avoid the error.
+
+Fixes: 2fc8483fdcde ("nios2: Build infrastructure")
+Signed-off-by: Guenter Roeck
+Reviewed-by: Randy Dunlap
+Signed-off-by: Dinh Nguyen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/nios2/platform/Kconfig.platform | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/nios2/platform/Kconfig.platform
++++ b/arch/nios2/platform/Kconfig.platform
+@@ -37,6 +37,7 @@ config NIOS2_DTB_PHYS_ADDR
+
+ config NIOS2_DTB_SOURCE_BOOL
+ bool "Compile and link device tree into kernel image"
++ depends on !COMPILE_TEST
+ default n
+ help
+ This allows you to specify a dts (device tree source) file
diff --git a/queue-4.14/regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch b/queue-4.14/regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch
new file mode 100644
index 00000000000..b18e8adcccc
--- /dev/null
+++ b/queue-4.14/regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch
@@ -0,0 +1,70 @@
+From 55e6d8037805b3400096d621091dfbf713f97e83 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Tue, 12 Oct 2021 10:37:35 +0800
+Subject: regmap: Fix possible double-free in regcache_rbtree_exit()
+
+From: Yang Yingliang
+
+commit 55e6d8037805b3400096d621091dfbf713f97e83 upstream.
+
+In regcache_rbtree_insert_to_block(), when 'present' realloc failed,
+the 'blk' which is supposed to assign to 'rbnode->block' will be freed,
+so 'rbnode->block' points a freed memory, in the error handling path of
+regcache_rbtree_init(), 'rbnode->block' will be freed again in
+regcache_rbtree_exit(), KASAN will report double-free as follows:
+
+BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
+Call Trace:
+ slab_free_freelist_hook+0x10d/0x240
+ kfree+0xce/0x390
+ regcache_rbtree_exit+0x15d/0x1a0
+ regcache_rbtree_init+0x224/0x2c0
+ regcache_init+0x88d/0x1310
+ __regmap_init+0x3151/0x4a80
+ __devm_regmap_init+0x7d/0x100
+ madera_spi_probe+0x10f/0x333 [madera_spi]
+ spi_probe+0x183/0x210
+ really_probe+0x285/0xc30
+
+To fix this, moving up the assignment of rbnode->block to immediately after
+the reallocation has succeeded so that the data structure stays valid even
+if the second reallocation fails.
+
+Reported-by: Hulk Robot
+Fixes: 3f4ff561bc88b ("regmap: rbtree: Make cache_present bitmap per node")
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20211012023735.1632786-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/regmap/regcache-rbtree.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/base/regmap/regcache-rbtree.c
++++ b/drivers/base/regmap/regcache-rbtree.c
+@@ -295,14 +295,14 @@ static int regcache_rbtree_insert_to_blo
+ if (!blk)
+ return -ENOMEM;
+
++ rbnode->block = blk;
++
+ if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) {
+ present = krealloc(rbnode->cache_present,
+ BITS_TO_LONGS(blklen) * sizeof(*present),
+ GFP_KERNEL);
+- if (!present) {
+- kfree(blk);
++ if (!present)
+ return -ENOMEM;
+- }
+
+ memset(present + BITS_TO_LONGS(rbnode->blklen), 0,
+ (BITS_TO_LONGS(blklen) - BITS_TO_LONGS(rbnode->blklen))
+@@ -319,7 +319,6 @@ static int regcache_rbtree_insert_to_blo
+ }
+
+ /* update the rbnode block, its size and the base register */
+- rbnode->block = blk;
+ rbnode->blklen = blklen;
+ rbnode->base_reg = base_reg;
+ rbnode->cache_present = present;
diff --git a/queue-4.14/series b/queue-4.14/series
index 99c02f94c60..aaadaff5a32 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -14,3 +14,7 @@ mmc-dw_mmc-exynos-fix-the-finding-clock-sample-value.patch
 mmc-sdhci-map-more-voltage-level-to-sdhci_power_330.patch
 mmc-sdhci-esdhc-imx-clear-the-buffer_read_ready-to-reset-standard-tuning-circuit.patch
 net-lan78xx-fix-division-by-zero-in-send-path.patch
+regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch
+net-batman-adv-fix-error-handling.patch
+nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch
+net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch
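Review bot: The context comment `/* update the rbnode block, its size and the base register */` in the second hunk of regcache_rbtree_insert_to_block() (regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch) is stale after this change, because `rbnode->block` is no longer assigned there. Reword it to something like `/* update the rbnode size, base register and present bitmap */`. The new early `rbnode->block = blk;` also deserves a short comment saying it must come before the `present` krealloc can fail, since per the commit message the old ordering left `rbnode->block` pointing at freed memory. On the early `-ENOMEM` return `rbnode->blklen` keeps the old length while the block is already the larger one, which looks safe from these lines, though the start of the function and the code between the two hunks are not visible here.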