From: Greg Kroah-Hartman Date: Mon, 30 Mar 2020 14:32:58 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.6.1~34 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e827ffccf8b838f5775d76cf4acebd93cac36197;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: arm-dts-sun8i-a83t-tbs-a711-fix-usb-otg-mode-detection.patch bpf-btf-fix-btf-verification-of-enum-members-in-struct-union.patch bpf-initialize-storage-pointers-to-null-to-prevent-freeing-garbage-pointer.patch bpf-sockmap-remove-bucket-lock-from-sock_-hash-map-_free.patch bpf-x32-fix-bug-with-jmp32-jset-bpf_x-checking-upper-bits.patch i2c-nvidia-gpu-handle-timeout-correctly-in-gpu_i2c_check_status.patch vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch --- diff --git a/queue-5.4/arm-dts-sun8i-a83t-tbs-a711-fix-usb-otg-mode-detection.patch b/queue-5.4/arm-dts-sun8i-a83t-tbs-a711-fix-usb-otg-mode-detection.patch new file mode 100644 index 00000000000..a1b75ce12e2 --- /dev/null +++ b/queue-5.4/arm-dts-sun8i-a83t-tbs-a711-fix-usb-otg-mode-detection.patch @@ -0,0 +1,39 @@ +From b642d4825441bf30c72b72deb739bd2d5f53af08 Mon Sep 17 00:00:00 2001 +From: Ondrej Jirman +Date: Sat, 22 Feb 2020 23:31:53 +0100 +Subject: ARM: dts: sun8i-a83t-tbs-a711: Fix USB OTG mode detection + +From: Ondrej Jirman + +commit b642d4825441bf30c72b72deb739bd2d5f53af08 upstream. + +USB-ID signal has a pullup on the schematic, but in reality it's not +pulled up, so add a GPIO pullup. And we also need a usb0_vbus_power-supply +for VBUS detection. + +This fixes OTG mode detection and charging issues on TBS A711 tablet. +The issues came from ID pin reading 0, causing host mode to be enabled, +when it should not be, leading to DRVVBUS being enabled, which disabled +the charger. + +Fixes: f2f221c7810b824e ("ARM: dts: sun8i: a711: Enable USB OTG") +Signed-off-by: Ondrej Jirman +Signed-off-by: Maxime Ripard +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sun8i-a83t-tbs-a711.dts | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/sun8i-a83t-tbs-a711.dts ++++ b/arch/arm/boot/dts/sun8i-a83t-tbs-a711.dts +@@ -482,7 +482,8 @@ + }; + + &usbphy { +- usb0_id_det-gpios = <&pio 7 11 GPIO_ACTIVE_HIGH>; /* PH11 */ ++ usb0_id_det-gpios = <&pio 7 11 (GPIO_ACTIVE_HIGH | GPIO_PULL_UP)>; /* PH11 */ ++ usb0_vbus_power-supply = <&usb_power_supply>; + usb0_vbus-supply = <®_drivevbus>; + usb1_vbus-supply = <®_vmain>; + usb2_vbus-supply = <®_vmain>; diff --git a/queue-5.4/bpf-btf-fix-btf-verification-of-enum-members-in-struct-union.patch b/queue-5.4/bpf-btf-fix-btf-verification-of-enum-members-in-struct-union.patch new file mode 100644 index 00000000000..f1fc15d0b1b --- /dev/null +++ b/queue-5.4/bpf-btf-fix-btf-verification-of-enum-members-in-struct-union.patch @@ -0,0 +1,37 @@ +From da6c7faeb103c493e505e87643272f70be586635 Mon Sep 17 00:00:00 2001 +From: Yoshiki Komachi +Date: Tue, 10 Mar 2020 16:32:29 +0900 +Subject: bpf/btf: Fix BTF verification of enum members in struct/union + +From: Yoshiki Komachi + +commit da6c7faeb103c493e505e87643272f70be586635 upstream. + +btf_enum_check_member() was currently sure to recognize the size of +"enum" type members in struct/union as the size of "int" even if +its size was packed. + +This patch fixes BTF enum verification to use the correct size +of member in BPF programs. + +Fixes: 179cde8cef7e ("bpf: btf: Check members of struct/union") +Signed-off-by: Yoshiki Komachi +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/1583825550-18606-2-git-send-email-komachi.yoshiki@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/btf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -2309,7 +2309,7 @@ static int btf_enum_check_member(struct + + struct_size = struct_type->size; + bytes_offset = BITS_ROUNDDOWN_BYTES(struct_bits_off); +- if (struct_size - bytes_offset < sizeof(int)) { ++ if (struct_size - bytes_offset < member_type->size) { + btf_verifier_log_member(env, struct_type, member, + "Member exceeds struct_size"); + return -EINVAL; diff --git a/queue-5.4/bpf-initialize-storage-pointers-to-null-to-prevent-freeing-garbage-pointer.patch b/queue-5.4/bpf-initialize-storage-pointers-to-null-to-prevent-freeing-garbage-pointer.patch new file mode 100644 index 00000000000..52ba1742f40 --- /dev/null +++ b/queue-5.4/bpf-initialize-storage-pointers-to-null-to-prevent-freeing-garbage-pointer.patch @@ -0,0 +1,37 @@ +From 62039c30c19dcab96621e074aeeb90da7100def7 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Mon, 9 Mar 2020 15:27:55 -0700 +Subject: bpf: Initialize storage pointers to NULL to prevent freeing garbage pointer + +From: Andrii Nakryiko + +commit 62039c30c19dcab96621e074aeeb90da7100def7 upstream. + +Local storage array isn't initialized, so if cgroup storage allocation fails +for BPF_CGROUP_STORAGE_SHARED, error handling code will attempt to free +uninitialized pointer for BPF_CGROUP_STORAGE_PERCPU storage type. Avoid this +by always initializing storage pointers to NULLs. + +Fixes: 8bad74f9840f ("bpf: extend cgroup bpf core to allow multiple cgroup storage types") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200309222756.1018737-1-andriin@fb.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/cgroup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -303,8 +303,8 @@ int __cgroup_bpf_attach(struct cgroup *c + { + struct list_head *progs = &cgrp->bpf.progs[type]; + struct bpf_prog *old_prog = NULL; +- struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE], +- *old_storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {NULL}; ++ struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {}; ++ struct bpf_cgroup_storage *old_storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {}; + enum bpf_cgroup_storage_type stype; + struct bpf_prog_list *pl; + bool pl_was_allocated; diff --git a/queue-5.4/bpf-sockmap-remove-bucket-lock-from-sock_-hash-map-_free.patch b/queue-5.4/bpf-sockmap-remove-bucket-lock-from-sock_-hash-map-_free.patch new file mode 100644 index 00000000000..32ee637feb7 --- /dev/null +++ b/queue-5.4/bpf-sockmap-remove-bucket-lock-from-sock_-hash-map-_free.patch @@ -0,0 +1,104 @@ +From 90db6d772f749e38171d04619a5e3cd8804a6d02 Mon Sep 17 00:00:00 2001 +From: John Fastabend +Date: Tue, 10 Mar 2020 09:41:48 -0700 +Subject: bpf, sockmap: Remove bucket->lock from sock_{hash|map}_free + +From: John Fastabend + +commit 90db6d772f749e38171d04619a5e3cd8804a6d02 upstream. + +The bucket->lock is not needed in the sock_hash_free and sock_map_free +calls, in fact it is causing a splat due to being inside rcu block. + +| BUG: sleeping function called from invalid context at net/core/sock.c:2935 +| in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 62, name: kworker/0:1 +| 3 locks held by kworker/0:1/62: +| #0: ffff88813b019748 ((wq_completion)events){+.+.}, at: process_one_work+0x1d7/0x5e0 +| #1: ffffc900000abe50 ((work_completion)(&map->work)){+.+.}, at: process_one_work+0x1d7/0x5e0 +| #2: ffff8881381f6df8 (&stab->lock){+...}, at: sock_map_free+0x26/0x180 +| CPU: 0 PID: 62 Comm: kworker/0:1 Not tainted 5.5.0-04008-g7b083332376e #454 +| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 +| Workqueue: events bpf_map_free_deferred +| Call Trace: +| dump_stack+0x71/0xa0 +| ___might_sleep.cold+0xa6/0xb6 +| lock_sock_nested+0x28/0x90 +| sock_map_free+0x5f/0x180 +| bpf_map_free_deferred+0x58/0x80 +| process_one_work+0x260/0x5e0 +| worker_thread+0x4d/0x3e0 +| kthread+0x108/0x140 +| ? process_one_work+0x5e0/0x5e0 +| ? kthread_park+0x90/0x90 +| ret_from_fork+0x3a/0x50 + +The reason we have stab->lock and bucket->locks in sockmap code is to +handle checking EEXIST in update/delete cases. We need to be careful during +an update operation that we check for EEXIST and we need to ensure that the +psock object is not in some partial state of removal/insertion while we do +this. So both map_update_common and sock_map_delete need to guard from being +run together potentially deleting an entry we are checking, etc. But by the +time we get to the tear-down code in sock_{ma[|hash}_free we have already +disconnected the map and we just did synchronize_rcu() in the line above so +no updates/deletes should be in flight. Because of this we can drop the +bucket locks from the map free'ing code, noting no update/deletes can be +in-flight. + +Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") +Reported-by: Jakub Sitnicki +Suggested-by: Jakub Sitnicki +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/158385850787.30597.8346421465837046618.stgit@john-Precision-5820-Tower +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/sock_map.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -233,8 +233,11 @@ static void sock_map_free(struct bpf_map + struct bpf_stab *stab = container_of(map, struct bpf_stab, map); + int i; + ++ /* After the sync no updates or deletes will be in-flight so it ++ * is safe to walk map and remove entries without risking a race ++ * in EEXIST update case. ++ */ + synchronize_rcu(); +- raw_spin_lock_bh(&stab->lock); + for (i = 0; i < stab->map.max_entries; i++) { + struct sock **psk = &stab->sks[i]; + struct sock *sk; +@@ -248,7 +251,6 @@ static void sock_map_free(struct bpf_map + release_sock(sk); + } + } +- raw_spin_unlock_bh(&stab->lock); + + /* wait for psock readers accessing its map link */ + synchronize_rcu(); +@@ -863,10 +865,13 @@ static void sock_hash_free(struct bpf_ma + struct hlist_node *node; + int i; + ++ /* After the sync no updates or deletes will be in-flight so it ++ * is safe to walk map and remove entries without risking a race ++ * in EEXIST update case. ++ */ + synchronize_rcu(); + for (i = 0; i < htab->buckets_num; i++) { + bucket = sock_hash_select_bucket(htab, i); +- raw_spin_lock_bh(&bucket->lock); + hlist_for_each_entry_safe(elem, node, &bucket->head, node) { + hlist_del_rcu(&elem->node); + lock_sock(elem->sk); +@@ -875,7 +880,6 @@ static void sock_hash_free(struct bpf_ma + rcu_read_unlock(); + release_sock(elem->sk); + } +- raw_spin_unlock_bh(&bucket->lock); + } + + /* wait for psock readers accessing its map link */ diff --git a/queue-5.4/bpf-x32-fix-bug-with-jmp32-jset-bpf_x-checking-upper-bits.patch b/queue-5.4/bpf-x32-fix-bug-with-jmp32-jset-bpf_x-checking-upper-bits.patch new file mode 100644 index 00000000000..36d080b3bdb --- /dev/null +++ b/queue-5.4/bpf-x32-fix-bug-with-jmp32-jset-bpf_x-checking-upper-bits.patch @@ -0,0 +1,85 @@ +From 80f1f85036355e5581ec0b99913410345ad3491b Mon Sep 17 00:00:00 2001 +From: Luke Nelson +Date: Thu, 5 Mar 2020 15:44:12 -0800 +Subject: bpf, x32: Fix bug with JMP32 JSET BPF_X checking upper bits + +From: Luke Nelson + +commit 80f1f85036355e5581ec0b99913410345ad3491b upstream. + +The current x32 BPF JIT is incorrect for JMP32 JSET BPF_X when the upper +32 bits of operand registers are non-zero in certain situations. + +The problem is in the following code: + + case BPF_JMP | BPF_JSET | BPF_X: + case BPF_JMP32 | BPF_JSET | BPF_X: + ... + + /* and dreg_lo,sreg_lo */ + EMIT2(0x23, add_2reg(0xC0, sreg_lo, dreg_lo)); + /* and dreg_hi,sreg_hi */ + EMIT2(0x23, add_2reg(0xC0, sreg_hi, dreg_hi)); + /* or dreg_lo,dreg_hi */ + EMIT2(0x09, add_2reg(0xC0, dreg_lo, dreg_hi)); + +This code checks the upper bits of the operand registers regardless if +the BPF instruction is BPF_JMP32 or BPF_JMP64. Registers dreg_hi and +dreg_lo are not loaded from the stack for BPF_JMP32, however, they can +still be polluted with values from previous instructions. + +The following BPF program demonstrates the bug. The jset64 instruction +loads the temporary registers and performs the jump, since ((u64)r7 & +(u64)r8) is non-zero. The jset32 should _not_ be taken, as the lower +32 bits are all zero, however, the current JIT will take the branch due +the pollution of temporary registers from the earlier jset64. + + mov64 r0, 0 + ld64 r7, 0x8000000000000000 + ld64 r8, 0x8000000000000000 + jset64 r7, r8, 1 + exit + jset32 r7, r8, 1 + mov64 r0, 2 + exit + +The expected return value of this program is 2; under the buggy x32 JIT +it returns 0. The fix is to skip using the upper 32 bits for jset32 and +compare the upper 32 bits for jset64 only. + +All tests in test_bpf.ko and selftests/bpf/test_verifier continue to +pass with this change. + +We found this bug using our automated verification tool, Serval. + +Fixes: 69f827eb6e14 ("x32: bpf: implement jitting of JMP32") +Co-developed-by: Xi Wang +Signed-off-by: Xi Wang +Signed-off-by: Luke Nelson +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20200305234416.31597-1-luke.r.nels@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/net/bpf_jit_comp32.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/arch/x86/net/bpf_jit_comp32.c ++++ b/arch/x86/net/bpf_jit_comp32.c +@@ -2039,10 +2039,12 @@ static int do_jit(struct bpf_prog *bpf_p + } + /* and dreg_lo,sreg_lo */ + EMIT2(0x23, add_2reg(0xC0, sreg_lo, dreg_lo)); +- /* and dreg_hi,sreg_hi */ +- EMIT2(0x23, add_2reg(0xC0, sreg_hi, dreg_hi)); +- /* or dreg_lo,dreg_hi */ +- EMIT2(0x09, add_2reg(0xC0, dreg_lo, dreg_hi)); ++ if (is_jmp64) { ++ /* and dreg_hi,sreg_hi */ ++ EMIT2(0x23, add_2reg(0xC0, sreg_hi, dreg_hi)); ++ /* or dreg_lo,dreg_hi */ ++ EMIT2(0x09, add_2reg(0xC0, dreg_lo, dreg_hi)); ++ } + goto emit_cond_jmp; + } + case BPF_JMP | BPF_JSET | BPF_K: diff --git a/queue-5.4/i2c-nvidia-gpu-handle-timeout-correctly-in-gpu_i2c_check_status.patch b/queue-5.4/i2c-nvidia-gpu-handle-timeout-correctly-in-gpu_i2c_check_status.patch new file mode 100644 index 00000000000..b3ba4b66e2e --- /dev/null +++ b/queue-5.4/i2c-nvidia-gpu-handle-timeout-correctly-in-gpu_i2c_check_status.patch @@ -0,0 +1,66 @@ +From d944b27df121e2ee854a6c2fad13d6c6300792d4 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Tue, 24 Mar 2020 23:28:11 +0800 +Subject: i2c: nvidia-gpu: Handle timeout correctly in gpu_i2c_check_status() + +From: Kai-Heng Feng + +commit d944b27df121e2ee854a6c2fad13d6c6300792d4 upstream. + +Nvidia card may come with a "phantom" UCSI device, and its driver gets +stuck in probe routine, prevents any system PM operations like suspend. + +There's an unaccounted case that the target time can equal to jiffies in +gpu_i2c_check_status(), let's solve that by using readl_poll_timeout() +instead of jiffies comparison functions. + +Fixes: c71bcdcb42a7 ("i2c: add i2c bus driver for NVIDIA GPU") +Suggested-by: Andy Shevchenko +Signed-off-by: Kai-Heng Feng +Reviewed-by: Andy Shevchenko +Reviewed-by: Ajay Gupta +Tested-by: Ajay Gupta +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-nvidia-gpu.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +--- a/drivers/i2c/busses/i2c-nvidia-gpu.c ++++ b/drivers/i2c/busses/i2c-nvidia-gpu.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -75,20 +76,15 @@ static void gpu_enable_i2c_bus(struct gp + + static int gpu_i2c_check_status(struct gpu_i2c_dev *i2cd) + { +- unsigned long target = jiffies + msecs_to_jiffies(1000); + u32 val; ++ int ret; + +- do { +- val = readl(i2cd->regs + I2C_MST_CNTL); +- if (!(val & I2C_MST_CNTL_CYCLE_TRIGGER)) +- break; +- if ((val & I2C_MST_CNTL_STATUS) != +- I2C_MST_CNTL_STATUS_BUS_BUSY) +- break; +- usleep_range(500, 600); +- } while (time_is_after_jiffies(target)); ++ ret = readl_poll_timeout(i2cd->regs + I2C_MST_CNTL, val, ++ !(val & I2C_MST_CNTL_CYCLE_TRIGGER) || ++ (val & I2C_MST_CNTL_STATUS) != I2C_MST_CNTL_STATUS_BUS_BUSY, ++ 500, 1000 * USEC_PER_MSEC); + +- if (time_is_before_jiffies(target)) { ++ if (ret) { + dev_err(i2cd->dev, "i2c timeout error %x\n", val); + return -ETIMEDOUT; + } diff --git a/queue-5.4/series b/queue-5.4/series index 0b54fa75897..c53a3b92c12 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -124,3 +124,10 @@ mac80211-set-ieee80211_tx_ctrl_port_ctrl_proto-for-nl80211-tx.patch netfilter-flowtable-reload-ip-v6-h-in-nf_flow_tuple_ip-v6.patch netfilter-nft_fwd_netdev-validate-family-and-chain-type.patch netfilter-nft_fwd_netdev-allow-to-redirect-to-ifb-via-ingress.patch +i2c-nvidia-gpu-handle-timeout-correctly-in-gpu_i2c_check_status.patch +bpf-x32-fix-bug-with-jmp32-jset-bpf_x-checking-upper-bits.patch +bpf-initialize-storage-pointers-to-null-to-prevent-freeing-garbage-pointer.patch +bpf-btf-fix-btf-verification-of-enum-members-in-struct-union.patch +bpf-sockmap-remove-bucket-lock-from-sock_-hash-map-_free.patch +arm-dts-sun8i-a83t-tbs-a711-fix-usb-otg-mode-detection.patch +vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch diff --git a/queue-5.4/vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch b/queue-5.4/vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch new file mode 100644 index 00000000000..0a8b8c9ca1b --- /dev/null +++ b/queue-5.4/vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch @@ -0,0 +1,39 @@ +From 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df Mon Sep 17 00:00:00 2001 +From: Torsten Hilbrich +Date: Wed, 11 Mar 2020 11:19:06 +0100 +Subject: vti6: Fix memory leak of skb if input policy check fails + +From: Torsten Hilbrich + +commit 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df upstream. + +The vti6_rcv function performs some tests on the retrieved tunnel +including checking the IP protocol, the XFRM input policy, the +source and destination address. + +In all but one places the skb is released in the error case. When +the input policy check fails the network packet is leaked. + +Using the same goto-label discard in this case to fix this problem. + +Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces") +Signed-off-by: Torsten Hilbrich +Reviewed-by: Nicolas Dichtel +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ip6_vti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -311,7 +311,7 @@ static int vti6_rcv(struct sk_buff *skb) + + if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { + rcu_read_unlock(); +- return 0; ++ goto discard; + } + + ipv6h = ipv6_hdr(skb);