From: Greg Kroah-Hartman Date: Mon, 16 Jan 2023 15:18:09 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.14.303~20 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dfa8feeefe578d61b9d7888fda1d514ce6fc61e2;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: tipc-add-a-missing-case-of-tipc_direct_msg-type.patch tipc-fix-use-after-free-in-tipc_disc_rcv.patch tty-serial-tegra-handle-rx-transfer-in-pio-mode-if-dma-wasn-t-started.patch
---
diff --git a/queue-5.4/series b/queue-5.4/series
index 7266fac5370..c18d32431cc 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -653,3 +653,6 @@ arm64-cmpxchg_double-hazard-against-entire-exchange-.patch
 efi-fix-null-deref-in-init-error-path.patch
 mm-always-release-pages-to-the-buddy-allocator-in-memblock_free_late.patch
 revert-usb-ulpi-defer-ulpi_register-on-ulpi_read_id-timeout.patch
+tipc-fix-use-after-free-in-tipc_disc_rcv.patch
+tty-serial-tegra-handle-rx-transfer-in-pio-mode-if-dma-wasn-t-started.patch
+tipc-add-a-missing-case-of-tipc_direct_msg-type.patch
diff --git a/queue-5.4/tipc-add-a-missing-case-of-tipc_direct_msg-type.patch b/queue-5.4/tipc-add-a-missing-case-of-tipc_direct_msg-type.patch
new file mode 100644
index 00000000000..584539630df
--- /dev/null
+++ b/queue-5.4/tipc-add-a-missing-case-of-tipc_direct_msg-type.patch
@@ -0,0 +1,70 @@
+From 8b1e5b0a99f04bda2d6c85ecfe5e68a356c10914 Mon Sep 17 00:00:00 2001
+From: Hoang Le
+Date: Thu, 26 Mar 2020 09:50:29 +0700
+Subject: tipc: Add a missing case of TIPC_DIRECT_MSG type
+
+From: Hoang Le
+
+commit 8b1e5b0a99f04bda2d6c85ecfe5e68a356c10914 upstream.
+
+In the commit f73b12812a3d
+("tipc: improve throughput between nodes in netns"), we're missing a check
+to handle TIPC_DIRECT_MSG type, it's still using old sending mechanism for
+this message type. So, throughput improvement is not significant as
+expected.
+
+Besides that, when sending a large message with that type, we're also
+handle wrong receiving queue, it should be enqueued in socket receiving
+instead of multicast messages.
+
+Fix this by adding the missing case for TIPC_DIRECT_MSG.
+
+Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns")
+Reported-by: Tuong Lien
+Signed-off-by: Hoang Le
+Acked-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/msg.h | 5 +++++
+ net/tipc/node.c | 3 ++-
+ net/tipc/socket.c | 2 +-
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/msg.h
++++ b/net/tipc/msg.h
+@@ -358,6 +358,11 @@ static inline u32 msg_connected(struct t
+ return msg_type(m) == TIPC_CONN_MSG;
+ }
+ 
++static inline u32 msg_direct(struct tipc_msg *m)
++{
++ return msg_type(m) == TIPC_DIRECT_MSG;
++}
++
+ static inline u32 msg_errcode(struct tipc_msg *m)
+ {
+ return msg_bits(m, 1, 25, 0xf);
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -1489,7 +1489,8 @@ static void tipc_lxc_xmit(struct net *pe
+ case TIPC_MEDIUM_IMPORTANCE:
+ case TIPC_HIGH_IMPORTANCE:
+ case TIPC_CRITICAL_IMPORTANCE:
+- if (msg_connected(hdr) || msg_named(hdr)) {
++ if (msg_connected(hdr) || msg_named(hdr) ||
++ msg_direct(hdr)) {
+ tipc_loopback_trace(peer_net, list);
+ spin_lock_init(&list->lock);
+ tipc_sk_rcv(peer_net, list);
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1407,7 +1407,7 @@ static int __tipc_sendmsg(struct socket
+ }
+ 
+ __skb_queue_head_init(&pkts);
+- mtu = tipc_node_get_mtu(net, dnode, tsk->portid, false);
++ mtu = tipc_node_get_mtu(net, dnode, tsk->portid, true);
+ rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts);
+ if (unlikely(rc != dlen))
+ return rc;
diff --git a/queue-5.4/tipc-fix-use-after-free-in-tipc_disc_rcv.patch b/queue-5.4/tipc-fix-use-after-free-in-tipc_disc_rcv.patch
new file mode 100644
index 00000000000..98d8ed9426a
--- /dev/null
+++ b/queue-5.4/tipc-fix-use-after-free-in-tipc_disc_rcv.patch
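Review bot: The bare `true` now passed to `tipc_node_get_mtu()` in `__tipc_sendmsg()` (the net/tipc/socket.c part of the queued patch) does not say why a connectionless direct message qualifies for a different MTU, and that choice only holds while `tipc_lxc_xmit()` in net/tipc/node.c hands the same message type to `tipc_sk_rcv()`. The commit message describes what happens when the two sites disagree: a large message is enqueued on the wrong receive queue. I would tie them together with a comment at the call, for example `/* TIPC_DIRECT_MSG takes the tipc_lxc_xmit() socket path; keep this flag in step with the msg_direct() check there */`. The signature of `tipc_node_get_mtu()` and the rest of both functions are outside the quoted hunks, so the flag's meaning should be confirmed against node.c before the comment is worded.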
@@ -0,0 +1,47 @@
+From 31e4ccc99eda8a5a7e6902c98bee6e78ffd3edb9 Mon Sep 17 00:00:00 2001
+From: Tuong Lien
+Date: Tue, 10 Dec 2019 15:21:05 +0700
+Subject: tipc: fix use-after-free in tipc_disc_rcv()
+
+From: Tuong Lien
+
+commit 31e4ccc99eda8a5a7e6902c98bee6e78ffd3edb9 upstream.
+
+In the function 'tipc_disc_rcv()', the 'msg_peer_net_hash()' is called
+to read the header data field but after the message skb has been freed,
+that might result in a garbage value...
+
+This commit fixes it by defining a new local variable to store the data
+first, just like the other header fields' handling.
+
+Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns")
+Acked-by: Jon Maloy
+Signed-off-by: Tuong Lien
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/discover.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/tipc/discover.c
++++ b/net/tipc/discover.c
+@@ -194,6 +194,7 @@ void tipc_disc_rcv(struct net *net, stru
+ {
+ struct tipc_net *tn = tipc_net(net);
+ struct tipc_msg *hdr = buf_msg(skb);
++ u32 pnet_hash = msg_peer_net_hash(hdr);
+ u16 caps = msg_node_capabilities(hdr);
+ bool legacy = tn->legacy_addr_format;
+ u32 sugg = msg_sugg_node_addr(hdr);
+@@ -245,9 +246,8 @@ void tipc_disc_rcv(struct net *net, stru
+ return;
+ if (!tipc_in_scope(legacy, b->domain, src))
+ return;
+- tipc_node_check_dest(net, src, peer_id, b, caps, signature,
+- msg_peer_net_hash(hdr), &maddr, &respond,
+- &dupl_addr);
++ tipc_node_check_dest(net, src, peer_id, b, caps, signature, pnet_hash,
++ &maddr, &respond, &dupl_addr);
+ if (dupl_addr)
+ disc_dupl_alert(b, src, &maddr);
+ if (!respond)
diff --git a/queue-5.4/tty-serial-tegra-handle-rx-transfer-in-pio-mode-if-dma-wasn-t-started.patch b/queue-5.4/tty-serial-tegra-handle-rx-transfer-in-pio-mode-if-dma-wasn-t-started.patch
new file mode 100644
index 00000000000..a5fe84ce186
--- /dev/null
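Review bot: `hdr` still points into the skb for the rest of `tipc_disc_rcv()`, so the next header accessor someone adds below the free would bring the stale read back; the new `pnet_hash` local fixes this one field but nothing in the code records the rule. The free itself lies between the two quoted hunks and is not visible, so its position is inferred from the commit message. A comment above the block of locals would document the constraint, e.g. `/* hdr points into skb: copy every header field needed later before the skb is freed */`. Setting `hdr = NULL;` directly after the free would additionally make any later use fail loudly instead of silently reading freed memory.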
+++ b/queue-5.4/tty-serial-tegra-handle-rx-transfer-in-pio-mode-if-dma-wasn-t-started.patch 
@@ -0,0 +1,94 @@
+From 1f69a1273b3f204a9c00dc3bbdcc4afcd0787428 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Sun, 9 Feb 2020 19:44:15 +0300
+Subject: tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't started
+
+From: Dmitry Osipenko
+
+commit 1f69a1273b3f204a9c00dc3bbdcc4afcd0787428 upstream.
+
+It is possible to get an instant RX timeout or end-of-transfer interrupt
+before RX DMA was started, if transaction is less than 16 bytes. Transfer
+should be handled in PIO mode in this case because DMA can't handle it.
+This patch brings back the original behaviour of the driver that was
+changed by accident by a previous commit, it fixes occasional Bluetooth HW
+initialization failures which I started to notice recently.
+
+Fixes: d5e3fadb7012 ("tty: serial: tegra: Activate RX DMA transfer by request")
+Signed-off-by: Dmitry Osipenko
+Link: https://lore.kernel.org/r/20200209164415.9632-1-digetx@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/serial-tegra.c | 35 ++++++++++++++++-------------------
+ 1 file changed, 16 insertions(+), 19 deletions(-)
+
+--- a/drivers/tty/serial/serial-tegra.c
++++ b/drivers/tty/serial/serial-tegra.c
+@@ -694,11 +694,22 @@ static void tegra_uart_copy_rx_to_tty(st
+ TEGRA_UART_RX_DMA_BUFFER_SIZE, DMA_TO_DEVICE);
+ }
+ 
++static void do_handle_rx_pio(struct tegra_uart_port *tup)
++{
++ struct tty_struct *tty = tty_port_tty_get(&tup->uport.state->port);
++ struct tty_port *port = &tup->uport.state->port;
++
++ tegra_uart_handle_rx_pio(tup, port);
++ if (tty) {
++ tty_flip_buffer_push(port);
++ tty_kref_put(tty);
++ }
++}
++
+ static void tegra_uart_rx_buffer_push(struct tegra_uart_port *tup,
+ unsigned int residue)
+ {
+ struct tty_port *port = &tup->uport.state->port;
+- struct tty_struct *tty = tty_port_tty_get(port);
+ unsigned int count;
+ 
+ async_tx_ack(tup->rx_dma_desc);
+@@ -707,11 +718,7 @@ static void tegra_uart_rx_buffer_push(st
+ /* If we are here, DMA is stopped */
+ tegra_uart_copy_rx_to_tty(tup, port, count);
+ 
+- tegra_uart_handle_rx_pio(tup, port);
+- if (tty) {
+- tty_flip_buffer_push(port);
+- tty_kref_put(tty);
+- }
++ do_handle_rx_pio(tup);
+ }
+ 
+ static void tegra_uart_rx_dma_complete(void *args)
+@@ -751,8 +758,10 @@ static void tegra_uart_terminate_rx_dma(
+ {
+ struct dma_tx_state state;
+ 
+- if (!tup->rx_dma_active)
++ if (!tup->rx_dma_active) {
++ do_handle_rx_pio(tup);
+ return;
++ }
+ 
+ dmaengine_pause(tup->rx_dma_chan);
+ dmaengine_tx_status(tup->rx_dma_chan, tup->rx_cookie, &state);
+@@ -821,18 +830,6 @@ static void tegra_uart_handle_modem_sign
+ uart_handle_cts_change(&tup->uport, msr & UART_MSR_CTS);
+ }
+ 
+-static void do_handle_rx_pio(struct tegra_uart_port *tup)
+-{
+- struct tty_struct *tty = tty_port_tty_get(&tup->uport.state->port);
+- struct tty_port *port = &tup->uport.state->port;
+-
+- tegra_uart_handle_rx_pio(tup, port);
+- if (tty) {
+- tty_flip_buffer_push(port);
+- tty_kref_put(tty);
+- }
+-}
+-
+ static irqreturn_t tegra_uart_isr(int irq, void *data)
+ {
+ struct tegra_uart_port *tup = data;
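Review bot: The new `!tup->rx_dma_active` branch in `tegra_uart_terminate_rx_dma()` drains the FIFO through `do_handle_rx_pio()` for every caller of that function, while the commit message only argues for the interrupt case where a short transfer times out before DMA was started. The callers are outside the quoted hunks, so it is worth confirming that none of them reaches this branch in a state where reading the FIFO and pushing to the tty is unwanted, for example while RX is being stopped. A comment on the branch would record the intent: `/* DMA was never started (transfer shorter than 16 bytes): read the FIFO in PIO mode */`.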