From: Greg Kroah-Hartman Date: Fri, 5 Jun 2020 13:52:42 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.7.1~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=da247fd34f2edc4df5011570905aba9035110fe4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: scsi-ufs-release-clock-if-dma-map-fails.patch slcan-fix-double-free-on-slcan_open-error-path.patch slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch --- diff --git a/queue-4.4/scsi-ufs-release-clock-if-dma-map-fails.patch b/queue-4.4/scsi-ufs-release-clock-if-dma-map-fails.patch new file mode 100644 index 00000000000..e397ef96cf5 --- /dev/null +++ b/queue-4.4/scsi-ufs-release-clock-if-dma-map-fails.patch @@ -0,0 +1,36 @@ +From 17c7d35f141ef6158076adf3338f115f64fcf760 Mon Sep 17 00:00:00 2001 +From: Can Guo +Date: Thu, 5 Dec 2019 02:14:33 +0000 +Subject: scsi: ufs: Release clock if DMA map fails + +From: Can Guo + +commit 17c7d35f141ef6158076adf3338f115f64fcf760 upstream. + +In queuecommand path, if DMA map fails, it bails out with clock held. In +this case, release the clock to keep its usage paired. + +[mkp: applied by hand] + +Link: https://lore.kernel.org/r/0101016ed3d66395-1b7e7fce-b74d-42ca-a88a-4db78b795d3b-000000@us-west-2.amazonses.com +Reviewed-by: Bean Huo +Signed-off-by: Can Guo +Signed-off-by: Martin K. Petersen +[EB: resolved cherry-pick conflict caused by newer kernels not having + the clear_bit_unlock() line] +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ufs/ufshcd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -1374,6 +1374,7 @@ static int ufshcd_queuecommand(struct Sc + ufshcd_compose_upiu(hba, lrbp); + err = ufshcd_map_sg(lrbp); + if (err) { ++ ufshcd_release(hba); + lrbp->cmd = NULL; + clear_bit_unlock(tag, &hba->lrb_in_use); + goto out; diff --git a/queue-4.4/series b/queue-4.4/series index 75e25441639..ad6856519da 100644 
--- a/queue-4.4/series +++ b/queue-4.4/series @@ -13,3 +13,6 @@ net-ethernet-freescale-rework-quiesce-activate-for-u.patch net-ethernet-stmmac-enable-interface-clocks-on-probe.patch pppoe-only-process-padt-targeted-at-local-interfaces.patch mmc-fix-compilation-of-user-api.patch +slcan-fix-double-free-on-slcan_open-error-path.patch +slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch +scsi-ufs-release-clock-if-dma-map-fails.patch diff --git a/queue-4.4/slcan-fix-double-free-on-slcan_open-error-path.patch b/queue-4.4/slcan-fix-double-free-on-slcan_open-error-path.patch new file mode 100644 index 00000000000..3ef4ddc5278 --- /dev/null +++ b/queue-4.4/slcan-fix-double-free-on-slcan_open-error-path.patch 
@@ -0,0 +1,47 @@ +From ben@decadent.org.uk Fri Jun 5 15:44:25 2020 +From: Ben Hutchings +Date: Tue, 2 Jun 2020 18:54:18 +0100 +Subject: slcan: Fix double-free on slcan_open() error path +To: Greg Kroah-Hartman , Sasha Levin +Cc: yangerkun , stable@vger.kernel.org +Message-ID: <20200602175418.GA53769@decadent.org.uk> +Content-Disposition: inline + +From: Ben Hutchings + +Commit 9ebd796e2400 ("can: slcan: Fix use-after-free Read in +slcan_open") was incorrectly backported to 4.4 and 4.9 stable +branches. + +Since they do not have commit cf124db566e6 ("net: Fix inconsistent +teardown and release of private netdev state."), the destructor +function slc_free_netdev() is already responsible for calling +free_netdev() and slcan_open() must not call both of them. + +yangerkun previously fixed the same bug in slip. + +Fixes: ce624b2089ea ("can: slcan: Fix use-after-free Read in slcan_open") # 4.4 +Fixes: f59604a80fa4 ("slcan: not call free_netdev before rtnl_unlock ...") # 4.4 +Fixes: 56635a1e6ffb ("can: slcan: Fix use-after-free Read in slcan_open") # 4.9 +Fixes: a1c9b23142ac ("slcan: not call free_netdev before rtnl_unlock ...") # 4.9 +Cc: yangerkun +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/slcan.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/can/slcan.c ++++ b/drivers/net/can/slcan.c +@@ -618,10 +618,9 @@ err_free_chan: + sl->tty = NULL; + tty->disc_data = NULL; + clear_bit(SLF_INUSE, &sl->flags); +- slc_free_netdev(sl->dev); + /* do not call free_netdev before rtnl_unlock */ + rtnl_unlock(); +- free_netdev(sl->dev); ++ slc_free_netdev(sl->dev); + return err; + + err_exit: diff --git a/queue-4.4/slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch b/queue-4.4/slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch new file mode 100644 index 00000000000..6ef24ae4b12 --- /dev/null +++ b/queue-4.4/slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch 
@@ -0,0 +1,35 @@ +From f596c87005f7b1baeb7d62d9a9e25d68c3dfae10 Mon Sep 17 00:00:00 2001 +From: yangerkun +Date: Wed, 26 Feb 2020 11:54:35 +0800 +Subject: slip: not call free_netdev before rtnl_unlock in slip_open + +From: yangerkun + +commit f596c87005f7b1baeb7d62d9a9e25d68c3dfae10 upstream. + +As the description before netdev_run_todo, we cannot call free_netdev +before rtnl_unlock, fix it by reorder the code. + +Signed-off-by: yangerkun +Reviewed-by: Oliver Hartkopp +Signed-off-by: David S. Miller +[bwh: Backported to <4.11: free_netdev() is called through sl_free_netdev()] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/slip/slip.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -867,7 +867,10 @@ err_free_chan: + sl->tty = NULL; + tty->disc_data = NULL; + clear_bit(SLF_INUSE, &sl->flags); ++ /* do not call free_netdev before rtnl_unlock */ ++ rtnl_unlock(); + sl_free_netdev(sl->dev); ++ return err; + + err_exit: + rtnl_unlock();
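Review bot: In the ufshcd_queuecommand() hunk for drivers/scsi/ufs/ufshcd.c, the new ufshcd_release(hba) in the `if (err)` branch after ufshcd_map_sg() has no visible counterpart, so the pairing the commit message relies on ("release the clock to keep its usage paired") cannot be checked from this patch alone. Suggest naming in the commit message the call that takes the clock hold, and confirming that every other exit between that call and `goto out` also releases it, since this hunk shows only the one branch.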
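Review bot: In the err_free_chan hunk of drivers/net/can/slcan.c, the retained comment `/* do not call free_netdev before rtnl_unlock */` now sits above a path whose only free is slc_free_netdev(sl->dev), so the code under the comment no longer mentions free_netdev() at all. The commit message explains that on these branches slc_free_netdev() is the destructor responsible for calling free_netdev(); consider rewording the comment to say so, so that a later backport does not re-add a direct free_netdev() after rtnl_unlock() and bring the double free back.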
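Review bot: In the err_free_chan hunk of drivers/net/slip/slip.c, the added `return err;` stops this path from falling through to err_exit, so rtnl_unlock() now appears on two separate exit paths, which is more than the "reorder the code" the commit message describes. Suggest saying in the message that err_free_chan now unlocks and returns on its own, and confirming that err_exit does nothing this path still needs beyond the rtnl_unlock() visible in the trailing context.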