From: Sasha Levin Date: Sun, 27 Nov 2022 19:07:02 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v5.10.157~93 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ea8924c479cb3613620aff0f895b8b54b9070998;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch b/queue-5.4/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch new file mode 100644 index 00000000000..92d11b70b55 --- /dev/null +++ b/queue-5.4/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch @@ -0,0 +1,75 @@ +From 49af254277b89207edaac3dc625ed9dbbe812e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 20:26:06 +0800 +Subject: 9p/fd: fix issue of list_del corruption in p9_fd_cancel() + +From: Zhengchao Shao + +[ Upstream commit 11c10956515b8ec44cf4f2a7b9d8bf8b9dc05ec4 ] + +Syz reported the following issue: +kernel BUG at lib/list_debug.c:53! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +RIP: 0010:__list_del_entry_valid.cold+0x5c/0x72 +Call Trace: + +p9_fd_cancel+0xb1/0x270 +p9_client_rpc+0x8ea/0xba0 +p9_client_create+0x9c0/0xed0 +v9fs_session_init+0x1e0/0x1620 +v9fs_mount+0xba/0xb80 +legacy_get_tree+0x103/0x200 +vfs_get_tree+0x89/0x2d0 +path_mount+0x4c0/0x1ac0 +__x64_sys_mount+0x33b/0x430 +do_syscall_64+0x35/0x80 +entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + +The process is as follows: +Thread A: Thread B: +p9_poll_workfn() p9_client_create() +... ... + p9_conn_cancel() p9_fd_cancel() + list_del() ... + ... list_del() //list_del + corruption +There is no lock protection when deleting list in p9_conn_cancel(). After +deleting list in Thread A, thread B will delete the same list again. It +will cause issue of list_del corruption. + +Setting req->status to REQ_STATUS_ERROR under lock prevents other +cleanup paths from trying to manipulate req_list. +The other thread can safely check req->status because it still holds a +reference to req at this point. + +Link: https://lkml.kernel.org/r/20221110122606.383352-1-shaozhengchao@huawei.com +Fixes: 52f1c45dde91 ("9p: trans_fd/p9_conn_cancel: drop client lock earlier") +Reported-by: syzbot+9b69b8d10ab4a7d88056@syzkaller.appspotmail.com +Signed-off-by: Zhengchao Shao +[Dominique: add description of the fix in commit message] +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index b691871d9a02..5d6284adbac0 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -200,9 +200,11 @@ static void p9_conn_cancel(struct p9_conn *m, int err) + + list_for_each_entry_safe(req, rtmp, &m->req_list, req_list) { + list_move(&req->req_list, &cancel_list); ++ req->status = REQ_STATUS_ERROR; + } + list_for_each_entry_safe(req, rtmp, &m->unsent_req_list, req_list) { + list_move(&req->req_list, &cancel_list); ++ req->status = REQ_STATUS_ERROR; + } + + spin_unlock(&m->client->lock); +-- +2.35.1 + diff --git a/queue-5.4/af_key-fix-send_acquire-race-with-pfkey_register.patch b/queue-5.4/af_key-fix-send_acquire-race-with-pfkey_register.patch new file mode 100644 index 00000000000..7f82c787b48 --- /dev/null +++ b/queue-5.4/af_key-fix-send_acquire-race-with-pfkey_register.patch @@ -0,0 +1,147 @@ +From 7c290f5c66229c341d60f743ff879934dfb78dba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Oct 2022 14:06:48 +0800 +Subject: af_key: Fix send_acquire race with pfkey_register + +From: Herbert Xu + +[ Upstream commit 7f57f8165cb6d2c206e2b9ada53b9e2d6d8af42f ] + +The function pfkey_send_acquire may race with pfkey_register +(which could even be in a different name space). This may result +in a buffer overrun. + +Allocating the maximum amount of memory that could be used prevents +this. + +Reported-by: syzbot+1e9af9185d8850e2c2fa@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Herbert Xu +Reviewed-by: Sabrina Dubroca +Reviewed-by: Eric Dumazet +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index c06cc48c68c9..92f71e8f321c 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -2909,7 +2909,7 @@ static int count_ah_combs(const struct xfrm_tmpl *t) + break; + if (!aalg->pfkey_supported) + continue; +- if (aalg_tmpl_set(t, aalg) && aalg->available) ++ if (aalg_tmpl_set(t, aalg)) + sz += sizeof(struct sadb_comb); + } + return sz + sizeof(struct sadb_prop); +@@ -2927,7 +2927,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t) + if (!ealg->pfkey_supported) + continue; + +- if (!(ealg_tmpl_set(t, ealg) && ealg->available)) ++ if (!(ealg_tmpl_set(t, ealg))) + continue; + + for (k = 1; ; k++) { +@@ -2938,16 +2938,17 @@ static int count_esp_combs(const struct xfrm_tmpl *t) + if (!aalg->pfkey_supported) + continue; + +- if (aalg_tmpl_set(t, aalg) && aalg->available) ++ if (aalg_tmpl_set(t, aalg)) + sz += sizeof(struct sadb_comb); + } + } + return sz + sizeof(struct sadb_prop); + } + +-static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) ++static int dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) + { + struct sadb_prop *p; ++ int sz = 0; + int i; + + p = skb_put(skb, sizeof(struct sadb_prop)); +@@ -2975,13 +2976,17 @@ static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) + c->sadb_comb_soft_addtime = 20*60*60; + c->sadb_comb_hard_usetime = 8*60*60; + c->sadb_comb_soft_usetime = 7*60*60; ++ sz += sizeof(*c); + } + } ++ ++ return sz + sizeof(*p); + } + +-static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) ++static int dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) + { + struct sadb_prop *p; ++ int sz = 0; + int i, k; + + p = skb_put(skb, sizeof(struct sadb_prop)); +@@ -3023,8 +3028,11 @@ static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) + c->sadb_comb_soft_addtime = 20*60*60; + c->sadb_comb_hard_usetime = 8*60*60; + c->sadb_comb_soft_usetime = 7*60*60; ++ sz += sizeof(*c); + } + } ++ ++ return sz + sizeof(*p); + } + + static int key_notify_policy_expire(struct xfrm_policy *xp, const struct km_event *c) +@@ -3154,6 +3162,7 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + struct sadb_x_sec_ctx *sec_ctx; + struct xfrm_sec_ctx *xfrm_ctx; + int ctx_size = 0; ++ int alg_size = 0; + + sockaddr_size = pfkey_sockaddr_size(x->props.family); + if (!sockaddr_size) +@@ -3165,16 +3174,16 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + sizeof(struct sadb_x_policy); + + if (x->id.proto == IPPROTO_AH) +- size += count_ah_combs(t); ++ alg_size = count_ah_combs(t); + else if (x->id.proto == IPPROTO_ESP) +- size += count_esp_combs(t); ++ alg_size = count_esp_combs(t); + + if ((xfrm_ctx = x->security)) { + ctx_size = PFKEY_ALIGN8(xfrm_ctx->ctx_len); + size += sizeof(struct sadb_x_sec_ctx) + ctx_size; + } + +- skb = alloc_skb(size + 16, GFP_ATOMIC); ++ skb = alloc_skb(size + alg_size + 16, GFP_ATOMIC); + if (skb == NULL) + return -ENOMEM; + +@@ -3228,10 +3237,13 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + pol->sadb_x_policy_priority = xp->priority; + + /* Set sadb_comb's. */ ++ alg_size = 0; + if (x->id.proto == IPPROTO_AH) +- dump_ah_combs(skb, t); ++ alg_size = dump_ah_combs(skb, t); + else if (x->id.proto == IPPROTO_ESP) +- dump_esp_combs(skb, t); ++ alg_size = dump_esp_combs(skb, t); ++ ++ hdr->sadb_msg_len += alg_size / 8; + + /* security context */ + if (xfrm_ctx) { +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch b/queue-5.4/arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch new file mode 100644 index 00000000000..81cdb864e8b --- /dev/null +++ b/queue-5.4/arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch @@ -0,0 +1,66 @@ +From 63877f1388b6e842dd6a70c69461f04e71748a96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Oct 2022 16:31:15 +0200 +Subject: ARM: dts: am335x-pcm-953: Define fixed regulators in root node + +From: Dominik Haller + +[ Upstream commit 8950f345a67d8046d2472dd6ea81fa18ef5b4844 ] + +Remove the regulators node and define fixed regulators in the root node. +Prevents the sdhci-omap driver from waiting in probe deferral forever +because of the missing vmmc-supply and keeps am335x-pcm-953 consistent with +the other Phytec AM335 boards. + +Fixes: bb07a829ec38 ("ARM: dts: Add support for phyCORE-AM335x PCM-953 carrier board") +Signed-off-by: Dominik Haller +Message-Id: <20221011143115.248003-1-d.haller@phytec.de> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/am335x-pcm-953.dtsi | 28 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/arch/arm/boot/dts/am335x-pcm-953.dtsi b/arch/arm/boot/dts/am335x-pcm-953.dtsi +index 9bfa032bcada..f2d9145b3c6a 100644 +--- a/arch/arm/boot/dts/am335x-pcm-953.dtsi ++++ b/arch/arm/boot/dts/am335x-pcm-953.dtsi +@@ -12,22 +12,20 @@ / { + compatible = "phytec,am335x-pcm-953", "phytec,am335x-phycore-som", "ti,am33xx"; + + /* Power */ +- regulators { +- vcc3v3: fixedregulator@1 { +- compatible = "regulator-fixed"; +- regulator-name = "vcc3v3"; +- regulator-min-microvolt = <3300000>; +- regulator-max-microvolt = <3300000>; +- regulator-boot-on; +- }; ++ vcc3v3: fixedregulator1 { ++ compatible = "regulator-fixed"; ++ regulator-name = "vcc3v3"; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-boot-on; ++ }; + +- vcc1v8: fixedregulator@2 { +- compatible = "regulator-fixed"; +- regulator-name = "vcc1v8"; +- regulator-min-microvolt = <1800000>; +- regulator-max-microvolt = <1800000>; +- regulator-boot-on; +- }; ++ vcc1v8: fixedregulator2 { ++ compatible = "regulator-fixed"; ++ regulator-name = "vcc1v8"; ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <1800000>; ++ regulator-boot-on; + }; + + /* User IO */ +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch b/queue-5.4/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch new file mode 100644 index 00000000000..91c3bcf6646 --- /dev/null +++ b/queue-5.4/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch @@ -0,0 +1,57 @@ +From 7e8b53845353cba3ba5d9c7f518c1465473be8ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 19:59:23 +0100 +Subject: ARM: dts: at91: sam9g20ek: enable udc vbus gpio pinctrl + +From: Michael Grzeschik + +[ Upstream commit 40a2226e8bfacb79dd154dea68febeead9d847e9 ] + +We set the PIOC to GPIO mode. This way the pin becomes an +input signal will be usable by the controller. Without +this change the udc on the 9g20ek does not work. + +Cc: nicolas.ferre@microchip.com +Cc: ludovic.desroches@microchip.com +Cc: alexandre.belloni@bootlin.com +Cc: linux-arm-kernel@lists.infradead.org +Cc: kernel@pengutronix.de +Fixes: 5cb4e73575e3 ("ARM: at91: add at91sam9g20ek boards dt support") +Signed-off-by: Michael Grzeschik +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20221114185923.1023249-3-m.grzeschik@pengutronix.de +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91sam9g20ek_common.dtsi | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/arch/arm/boot/dts/at91sam9g20ek_common.dtsi b/arch/arm/boot/dts/at91sam9g20ek_common.dtsi +index 287566e09a67..3d694b60d452 100644 +--- a/arch/arm/boot/dts/at91sam9g20ek_common.dtsi ++++ b/arch/arm/boot/dts/at91sam9g20ek_common.dtsi +@@ -38,6 +38,13 @@ pinctrl_pck0_as_mck: pck0_as_mck { + + }; + ++ usb1 { ++ pinctrl_usb1_vbus_gpio: usb1_vbus_gpio { ++ atmel,pins = ++ ; /* PC5 GPIO */ ++ }; ++ }; ++ + mmc0_slot1 { + pinctrl_board_mmc0_slot1: mmc0_slot1-board { + atmel,pins = +@@ -83,6 +90,8 @@ macb0: ethernet@fffc4000 { + }; + + usb1: gadget@fffa4000 { ++ pinctrl-0 = <&pinctrl_usb1_vbus_gpio>; ++ pinctrl-names = "default"; + atmel,vbus-gpio = <&pioC 5 GPIO_ACTIVE_HIGH>; + status = "okay"; + }; +-- +2.35.1 + diff --git a/queue-5.4/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch b/queue-5.4/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch new file mode 100644 index 00000000000..107f587cb35 --- /dev/null +++ b/queue-5.4/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch @@ -0,0 +1,40 @@ +From 21d5067dbaf3d6b48e7c97abaf66737f767f2ae1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 06:20:11 +0000 +Subject: ARM: mxs: fix memory leak in mxs_machine_init() + +From: Zheng Yongjun + +[ Upstream commit f31e3c204d1844b8680a442a48868af5ac3d5481 ] + +If of_property_read_string() failed, 'soc_dev_attr' should be +freed before return. Otherwise there is a memory leak. + +Fixes: 2046338dcbc6 ("ARM: mxs: Use soc bus infrastructure") +Signed-off-by: Zheng Yongjun +Reviewed-by: Marco Felsch +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/mach-mxs/mach-mxs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-mxs/mach-mxs.c b/arch/arm/mach-mxs/mach-mxs.c +index c109f47e9cbc..a687e83ad604 100644 +--- a/arch/arm/mach-mxs/mach-mxs.c ++++ b/arch/arm/mach-mxs/mach-mxs.c +@@ -387,8 +387,10 @@ static void __init mxs_machine_init(void) + + root = of_find_node_by_path("/"); + ret = of_property_read_string(root, "model", &soc_dev_attr->machine); +- if (ret) ++ if (ret) { ++ kfree(soc_dev_attr); + return; ++ } + + soc_dev_attr->family = "Freescale MXS Family"; + soc_dev_attr->soc_id = mxs_get_soc_id(); +-- +2.35.1 + diff --git a/queue-5.4/asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch b/queue-5.4/asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch new file mode 100644 index 00000000000..1d2cdd54be1 --- /dev/null +++ b/queue-5.4/asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch @@ -0,0 +1,48 @@ +From 0b430c5e92278aa82ae3c9853b1aa770c129416e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 14:06:12 -0500 +Subject: ASoC: sgtl5000: Reset the CHIP_CLK_CTRL reg on remove + +From: Detlev Casanova + +[ Upstream commit 0bb8e9b36b5b7f2e77892981ff6c27ee831d8026 ] + +Since commit bf2aebccddef ("ASoC: sgtl5000: Fix noise on shutdown/remove"), +the device power control registers are reset when the driver is +removed/shutdown. + +This is an issue when the device is configured to use the PLL clock. The +device will stop responding if it is still configured to use the PLL +clock but the PLL clock is powered down. + +When rebooting linux, the probe function will show: +sgtl5000 0-000a: Error reading chip id -11 + +Make sure that the CHIP_CLK_CTRL is reset to its default value before +powering down the device. + +Fixes: bf2aebccddef ("ASoC: sgtl5000: Fix noise on shutdown/remove") +Signed-off-by: Detlev Casanova +Reviewed-by: Fabio Estevam +Link: https://lore.kernel.org/r/20221110190612.1341469-1-detlev.casanova@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/sgtl5000.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c +index 76d3c0681f37..d2dfc53e30ff 100644 +--- a/sound/soc/codecs/sgtl5000.c ++++ b/sound/soc/codecs/sgtl5000.c +@@ -1788,6 +1788,7 @@ static int sgtl5000_i2c_remove(struct i2c_client *client) + { + struct sgtl5000_priv *sgtl5000 = i2c_get_clientdata(client); + ++ regmap_write(sgtl5000->regmap, SGTL5000_CHIP_CLK_CTRL, SGTL5000_CHIP_CLK_CTRL_DEFAULT); + regmap_write(sgtl5000->regmap, SGTL5000_CHIP_DIG_POWER, SGTL5000_DIG_POWER_DEFAULT); + regmap_write(sgtl5000->regmap, SGTL5000_CHIP_ANA_POWER, SGTL5000_ANA_POWER_DEFAULT); + +-- +2.35.1 + diff --git a/queue-5.4/bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch b/queue-5.4/bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch new file mode 100644 index 00000000000..c8619090997 --- /dev/null +++ b/queue-5.4/bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch @@ -0,0 +1,58 @@ +From c1d15d82814a2bd1a4058c004755b9ff989e82a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 15:02:02 +0800 +Subject: bnx2x: fix pci device refcount leak in bnx2x_vf_is_pcie_pending() + +From: Yang Yingliang + +[ Upstream commit 3637a29ccbb6461b7268c5c5db525935d510afc6 ] + +As comment of pci_get_domain_bus_and_slot() says, it returns +a pci device with refcount increment, when finish using it, +the caller must decrement the reference count by calling +pci_dev_put(). Call pci_dev_put() before returning from +bnx2x_vf_is_pcie_pending() to avoid refcount leak. + +Fixes: b56e9670ffa4 ("bnx2x: Prepare device and initialize VF database") +Suggested-by: Jakub Kicinski +Signed-off-by: Yang Yingliang +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20221119070202.1407648-1-yangyingliang@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c +index 4630998d47fd..d920bb8dae77 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c +@@ -807,16 +807,20 @@ static void bnx2x_vf_enable_traffic(struct bnx2x *bp, struct bnx2x_virtf *vf) + + static u8 bnx2x_vf_is_pcie_pending(struct bnx2x *bp, u8 abs_vfid) + { +- struct pci_dev *dev; + struct bnx2x_virtf *vf = bnx2x_vf_by_abs_fid(bp, abs_vfid); ++ struct pci_dev *dev; ++ bool pending; + + if (!vf) + return false; + + dev = pci_get_domain_bus_and_slot(vf->domain, vf->bus, vf->devfn); +- if (dev) +- return bnx2x_is_pcie_pending(dev); +- return false; ++ if (!dev) ++ return false; ++ pending = bnx2x_is_pcie_pending(dev); ++ pci_dev_put(dev); ++ ++ return pending; + } + + int bnx2x_vf_flr_clnup_epilog(struct bnx2x *bp, u8 abs_vfid) +-- +2.35.1 + diff --git a/queue-5.4/bus-sunxi-rsb-support-atomic-transfers.patch b/queue-5.4/bus-sunxi-rsb-support-atomic-transfers.patch new file mode 100644 index 00000000000..730d155beca --- /dev/null +++ b/queue-5.4/bus-sunxi-rsb-support-atomic-transfers.patch @@ -0,0 +1,92 @@ +From 0a0949fee8dbe537fb9104c59cad400038b93a49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Nov 2022 19:57:48 -0600 +Subject: bus: sunxi-rsb: Support atomic transfers + +From: Samuel Holland + +[ Upstream commit 077686da0e2162c4ea5ae0df205849c2a7a84479 ] + +When communicating with a PMIC during system poweroff (pm_power_off()), +IRQs are disabled and we are in a RCU read-side critical section, so we +cannot use wait_for_completion_io_timeout(). Instead, poll the status +register for transfer completion. + +Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus") +Signed-off-by: Samuel Holland +Reviewed-by: Jernej Skrabec +Link: https://lore.kernel.org/r/20221114015749.28490-3-samuel@sholland.org +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + drivers/bus/sunxi-rsb.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c +index 9b1a5e62417c..f8c29b888e6b 100644 +--- a/drivers/bus/sunxi-rsb.c ++++ b/drivers/bus/sunxi-rsb.c +@@ -268,6 +268,9 @@ EXPORT_SYMBOL_GPL(sunxi_rsb_driver_register); + /* common code that starts a transfer */ + static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb) + { ++ u32 int_mask, status; ++ bool timeout; ++ + if (readl(rsb->regs + RSB_CTRL) & RSB_CTRL_START_TRANS) { + dev_dbg(rsb->dev, "RSB transfer still in progress\n"); + return -EBUSY; +@@ -275,13 +278,23 @@ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb) + + reinit_completion(&rsb->complete); + +- writel(RSB_INTS_LOAD_BSY | RSB_INTS_TRANS_ERR | RSB_INTS_TRANS_OVER, +- rsb->regs + RSB_INTE); ++ int_mask = RSB_INTS_LOAD_BSY | RSB_INTS_TRANS_ERR | RSB_INTS_TRANS_OVER; ++ writel(int_mask, rsb->regs + RSB_INTE); + writel(RSB_CTRL_START_TRANS | RSB_CTRL_GLOBAL_INT_ENB, + rsb->regs + RSB_CTRL); + +- if (!wait_for_completion_io_timeout(&rsb->complete, +- msecs_to_jiffies(100))) { ++ if (irqs_disabled()) { ++ timeout = readl_poll_timeout_atomic(rsb->regs + RSB_INTS, ++ status, (status & int_mask), ++ 10, 100000); ++ writel(status, rsb->regs + RSB_INTS); ++ } else { ++ timeout = !wait_for_completion_io_timeout(&rsb->complete, ++ msecs_to_jiffies(100)); ++ status = rsb->status; ++ } ++ ++ if (timeout) { + dev_dbg(rsb->dev, "RSB timeout\n"); + + /* abort the transfer */ +@@ -293,18 +306,18 @@ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb) + return -ETIMEDOUT; + } + +- if (rsb->status & RSB_INTS_LOAD_BSY) { ++ if (status & RSB_INTS_LOAD_BSY) { + dev_dbg(rsb->dev, "RSB busy\n"); + return -EBUSY; + } + +- if (rsb->status & RSB_INTS_TRANS_ERR) { +- if (rsb->status & RSB_INTS_TRANS_ERR_ACK) { ++ if (status & RSB_INTS_TRANS_ERR) { ++ if (status & RSB_INTS_TRANS_ERR_ACK) { + dev_dbg(rsb->dev, "RSB slave nack\n"); + return -EINVAL; + } + +- if (rsb->status & RSB_INTS_TRANS_ERR_DATA) { ++ if (status & RSB_INTS_TRANS_ERR_DATA) { + dev_dbg(rsb->dev, "RSB transfer data error\n"); + return -EIO; + } +-- +2.35.1 + diff --git a/queue-5.4/dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch b/queue-5.4/dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch new file mode 100644 index 00000000000..1706f8126df --- /dev/null +++ b/queue-5.4/dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch @@ -0,0 +1,113 @@ +From 820880943d24aabb542816129297da2b0bc5f122 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 17:49:11 -0800 +Subject: dccp/tcp: Reset saddr on failure after inet6?_hash_connect(). + +From: Kuniyuki Iwashima + +[ Upstream commit 77934dc6db0d2b111a8f2759e9ad2fb67f5cffa5 ] + +When connect() is called on a socket bound to the wildcard address, +we change the socket's saddr to a local address. If the socket +fails to connect() to the destination, we have to reset the saddr. + +However, when an error occurs after inet_hash6?_connect() in +(dccp|tcp)_v[46]_conect(), we forget to reset saddr and leave +the socket bound to the address. + +From the user's point of view, whether saddr is reset or not varies +with errno. Let's fix this inconsistent behaviour. + +Note that after this patch, the repro [0] will trigger the WARN_ON() +in inet_csk_get_port() again, but this patch is not buggy and rather +fixes a bug papering over the bhash2's bug for which we need another +fix. + +For the record, the repro causes -EADDRNOTAVAIL in inet_hash6_connect() +by this sequence: + + s1 = socket() + s1.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1) + s1.bind(('127.0.0.1', 10000)) + s1.sendto(b'hello', MSG_FASTOPEN, (('127.0.0.1', 10000))) + # or s1.connect(('127.0.0.1', 10000)) + + s2 = socket() + s2.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1) + s2.bind(('0.0.0.0', 10000)) + s2.connect(('127.0.0.1', 10000)) # -EADDRNOTAVAIL + + s2.listen(32) # WARN_ON(inet_csk(sk)->icsk_bind2_hash != tb2); + +[0]: https://syzkaller.appspot.com/bug?extid=015d756bbd1f8b5c8f09 + +Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6") +Fixes: 7c657876b63c ("[DCCP]: Initial implementation") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Joanne Koong +Reviewed-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dccp/ipv4.c | 2 ++ + net/dccp/ipv6.c | 2 ++ + net/ipv4/tcp_ipv4.c | 2 ++ + net/ipv6/tcp_ipv6.c | 2 ++ + 4 files changed, 8 insertions(+) + +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c +index 7cf903f9e29a..cd59a669b8a7 100644 +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -130,6 +130,8 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + * This unhashes the socket and releases the local port, if necessary. + */ + dccp_set_state(sk, DCCP_CLOSED); ++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) ++ inet_reset_saddr(sk); + ip_rt_put(rt); + sk->sk_route_caps = 0; + inet->inet_dport = 0; +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index 7c24927e9c2c..1bf267d36a9c 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -957,6 +957,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + + late_failure: + dccp_set_state(sk, DCCP_CLOSED); ++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) ++ inet_reset_saddr(sk); + __sk_dst_reset(sk); + failure: + inet->inet_dport = 0; +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index eb9c05acf77e..a54505c29a5c 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -323,6 +323,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + * if necessary. + */ + tcp_set_state(sk, TCP_CLOSE); ++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) ++ inet_reset_saddr(sk); + ip_rt_put(rt); + sk->sk_route_caps = 0; + inet->inet_dport = 0; +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 831f779aba7b..e84b79357b2f 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -334,6 +334,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + + late_failure: + tcp_set_state(sk, TCP_CLOSE); ++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) ++ inet_reset_saddr(sk); + failure: + inet->inet_dport = 0; + sk->sk_route_caps = 0; +-- +2.35.1 + diff --git a/queue-5.4/drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch b/queue-5.4/drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch new file mode 100644 index 00000000000..fa834be4b66 --- /dev/null +++ b/queue-5.4/drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch @@ -0,0 +1,53 @@ +From 64404dea00f8a70f86e89b189c78aae720ee6f06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 16:11:34 +0800 +Subject: Drivers: hv: vmbus: fix double free in the error path of + vmbus_add_channel_work() + +From: Yang Yingliang + +[ Upstream commit f92a4b50f0bd7fd52391dc4bb9a309085d278f91 ] + +In the error path of vmbus_device_register(), device_unregister() +is called, which calls vmbus_device_release(). The latter frees +the struct hv_device that was passed in to vmbus_device_register(). +So remove the kfree() in vmbus_add_channel_work() to avoid a double +free. + +Fixes: c2e5df616e1a ("vmbus: add per-channel sysfs info") +Suggested-by: Michael Kelley +Signed-off-by: Yang Yingliang +Reviewed-by: Michael Kelley +Link: https://lore.kernel.org/r/20221119081135.1564691-2-yangyingliang@huawei.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/channel_mgmt.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c +index 9260ad47350f..3adf4fae452a 100644 +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -493,13 +493,17 @@ static void vmbus_add_channel_work(struct work_struct *work) + * Add the new device to the bus. This will kick off device-driver + * binding which eventually invokes the device driver's AddDevice() + * method. ++ * ++ * If vmbus_device_register() fails, the 'device_obj' is freed in ++ * vmbus_device_release() as called by device_unregister() in the ++ * error path of vmbus_device_register(). In the outside error ++ * path, there's no need to free it. + */ + ret = vmbus_device_register(newchannel->device_obj); + + if (ret != 0) { + pr_err("unable to add child device object (relid %d)\n", + newchannel->offermsg.child_relid); +- kfree(newchannel->device_obj); + goto err_deq_chan; + } + +-- +2.35.1 + diff --git a/queue-5.4/drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch b/queue-5.4/drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch new file mode 100644 index 00000000000..294da12f40d --- /dev/null +++ b/queue-5.4/drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch @@ -0,0 +1,41 @@ +From 338faafb28da68b309c8904a0b71deb517898026 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 16:11:35 +0800 +Subject: Drivers: hv: vmbus: fix possible memory leak in + vmbus_device_register() + +From: Yang Yingliang + +[ Upstream commit 25c94b051592c010abe92c85b0485f1faedc83f3 ] + +If device_register() returns error in vmbus_device_register(), +the name allocated by dev_set_name() must be freed. As comment +of device_register() says, it should use put_device() to give +up the reference in the error path. So fix this by calling +put_device(), then the name can be freed in kobject_cleanup(). + +Fixes: 09d50ff8a233 ("Staging: hv: make the Hyper-V virtual bus code build") +Signed-off-by: Yang Yingliang +Reviewed-by: Michael Kelley +Link: https://lore.kernel.org/r/20221119081135.1564691-3-yangyingliang@huawei.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/vmbus_drv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index d4c5efc6e157..a1cfa7596853 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -1863,6 +1863,7 @@ int vmbus_device_register(struct hv_device *child_device_obj) + ret = device_register(&child_device_obj->device); + if (ret) { + pr_err("Unable to register child device\n"); ++ put_device(&child_device_obj->device); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.4/net-liquidio-simplify-if-expression.patch b/queue-5.4/net-liquidio-simplify-if-expression.patch new file mode 100644 index 00000000000..25e38db2a7a --- /dev/null +++ b/queue-5.4/net-liquidio-simplify-if-expression.patch @@ -0,0 +1,50 @@ +From fddc21aba6a2b43bbcf76e027a9d9c0944603202 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 19:34:39 +0200 +Subject: net: liquidio: simplify if expression + +From: Leon Romanovsky + +[ Upstream commit 733d4bbf9514890eb53ebe75827bf1fb4fd25ebe ] + +Fix the warning reported by kbuild: + +cocci warnings: (new ones prefixed by >>) +>> drivers/net/ethernet/cavium/liquidio/lio_main.c:1797:54-56: WARNING !A || A && B is equivalent to !A || B + drivers/net/ethernet/cavium/liquidio/lio_main.c:1827:54-56: WARNING !A || A && B is equivalent to !A || B + +Fixes: 8979f428a4af ("net: liquidio: release resources when liquidio driver open failed") +Reported-by: kernel test robot +Signed-off-by: Leon Romanovsky +Reviewed-by: Saeed Mahameed +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index 69878589213a..ab86240e4532 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -1836,7 +1836,7 @@ static int liquidio_open(struct net_device *netdev) + + ifstate_set(lio, LIO_IFSTATE_RUNNING); + +- if (!OCTEON_CN23XX_PF(oct) || (OCTEON_CN23XX_PF(oct) && !oct->msix_on)) { ++ if (!OCTEON_CN23XX_PF(oct) || !oct->msix_on) { + ret = setup_tx_poll_fn(netdev); + if (ret) + goto err_poll; +@@ -1866,7 +1866,7 @@ static int liquidio_open(struct net_device *netdev) + return 0; + + err_rx_ctrl: +- if (!OCTEON_CN23XX_PF(oct) || (OCTEON_CN23XX_PF(oct) && !oct->msix_on)) ++ if (!OCTEON_CN23XX_PF(oct) || !oct->msix_on) + cleanup_tx_poll_fn(netdev); + err_poll: + if (lio->ptp_clock) { +-- +2.35.1 + diff --git a/queue-5.4/net-mlx4-check-retval-of-mlx4_bitmap_init.patch b/queue-5.4/net-mlx4-check-retval-of-mlx4_bitmap_init.patch new file mode 100644 index 00000000000..bd8b0b64b61 --- /dev/null +++ b/queue-5.4/net-mlx4-check-retval-of-mlx4_bitmap_init.patch @@ -0,0 +1,43 @@ +From cf9fa4b4abfabe5a7b68e2ba678308768ffc0ea1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 18:28:06 +0300 +Subject: net/mlx4: Check retval of mlx4_bitmap_init + +From: Peter Kosyh + +[ Upstream commit 594c61ffc77de0a197934aa0f1df9285c68801c6 ] + +If mlx4_bitmap_init fails, mlx4_bitmap_alloc_range will dereference +the NULL pointer (bitmap->table). + +Make sure, that mlx4_bitmap_alloc_range called in no error case. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d57febe1a478 ("net/mlx4: Add A0 hybrid steering") +Reviewed-by: Tariq Toukan +Signed-off-by: Peter Kosyh +Link: https://lore.kernel.org/r/20221117152806.278072-1-pkosyh@yandex.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/qp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c +index 427e7a31862c..d7f2890c254f 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/qp.c ++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c +@@ -697,7 +697,8 @@ static int mlx4_create_zones(struct mlx4_dev *dev, + err = mlx4_bitmap_init(*bitmap + k, 1, + MLX4_QP_TABLE_RAW_ETH_SIZE - 1, 0, + 0); +- mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0); ++ if (!err) ++ mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0); + } + + if (err) +-- +2.35.1 + diff --git a/queue-5.4/net-mlx5-fix-fw-tracer-timestamp-calculation.patch b/queue-5.4/net-mlx5-fix-fw-tracer-timestamp-calculation.patch new file mode 100644 index 00000000000..ece7ddfb7e8 --- /dev/null +++ b/queue-5.4/net-mlx5-fix-fw-tracer-timestamp-calculation.patch @@ -0,0 +1,38 @@ +From bdc8d0fd87caae798d3de38adbf6bda0045bf6ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Oct 2022 12:25:59 +0300 +Subject: net/mlx5: Fix FW tracer timestamp calculation + +From: Moshe Shemesh + +[ Upstream commit 61db3d7b99a367416e489ccf764cc5f9b00d62a1 ] + +Fix a bug in calculation of FW tracer timestamp. Decreasing one in the +calculation should effect only bits 52_7 and not effect bits 6_0 of the +timestamp, otherwise bits 6_0 are always set in this calculation. + +Fixes: 70dd6fdb8987 ("net/mlx5: FW tracer, parse traces and kernel tracing support") +Signed-off-by: Moshe Shemesh +Reviewed-by: Feras Daoud +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index f8144ce7e476..db9ecc3a8c67 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -636,7 +636,7 @@ static void mlx5_tracer_handle_timestamp_trace(struct mlx5_fw_tracer *tracer, + trace_timestamp = (timestamp_event.timestamp & MASK_52_7) | + (str_frmt->timestamp & MASK_6_0); + else +- trace_timestamp = ((timestamp_event.timestamp & MASK_52_7) - 1) | ++ trace_timestamp = ((timestamp_event.timestamp - 1) & MASK_52_7) | + (str_frmt->timestamp & MASK_6_0); + + mlx5_tracer_print_trace(str_frmt, dev, trace_timestamp); +-- +2.35.1 + diff --git a/queue-5.4/net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch b/queue-5.4/net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch new file mode 100644 index 00000000000..64b5999ab67 --- /dev/null +++ b/queue-5.4/net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch @@ -0,0 +1,60 @@ +From 76b435a3906743d0247306f3b282baa5f7690783 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 21:51:48 +0800 +Subject: net: pch_gbe: fix pci device refcount leak while module exiting + +From: Yang Yingliang + +[ Upstream commit 5619537284f1017e9f6c7500b02b859b3830a06d ] + +As comment of pci_get_domain_bus_and_slot() says, it returns +a pci device with refcount increment, when finish using it, +the caller must decrement the reference count by calling +pci_dev_put(). + +In pch_gbe_probe(), pci_get_domain_bus_and_slot() is called, +so in error path in probe() and remove() function, pci_dev_put() +should be called to avoid refcount leak. Compile tested only. + +Fixes: 1a0bdadb4e36 ("net/pch_gbe: supports eg20t ptp clock") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221117135148.301014-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +index cc442cd775ff..45b7f0f419c9 100644 +--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c ++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +@@ -2481,6 +2481,7 @@ static void pch_gbe_remove(struct pci_dev *pdev) + unregister_netdev(netdev); + + pch_gbe_phy_hw_reset(&adapter->hw); ++ pci_dev_put(adapter->ptp_pdev); + + free_netdev(netdev); + } +@@ -2562,7 +2563,7 @@ static int pch_gbe_probe(struct pci_dev *pdev, + /* setup the private structure */ + ret = pch_gbe_sw_init(adapter); + if (ret) +- goto err_free_netdev; ++ goto err_put_dev; + + /* Initialize PHY */ + ret = pch_gbe_init_phy(adapter); +@@ -2620,6 +2621,8 @@ static int pch_gbe_probe(struct pci_dev *pdev, + + err_free_adapter: + pch_gbe_phy_hw_reset(&adapter->hw); ++err_put_dev: ++ pci_dev_put(adapter->ptp_pdev); + err_free_netdev: + free_netdev(netdev); + return ret; +-- +2.35.1 + diff --git a/queue-5.4/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch b/queue-5.4/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch new file mode 100644 index 00000000000..b1f0ee04006 --- /dev/null +++ b/queue-5.4/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch @@ -0,0 +1,38 @@ +From ebc0d4979cb099f0c47dfed9ffc9770fca0a44be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 14:55:27 +0800 +Subject: net: pch_gbe: fix potential memleak in pch_gbe_tx_queue() + +From: Wang Hai + +[ Upstream commit 2360f9b8c4e81d242d4cbf99d630a2fffa681fab ] + +In pch_gbe_xmit_frame(), NETDEV_TX_OK will be returned whether +pch_gbe_tx_queue() sends data successfully or not, so pch_gbe_tx_queue() +needs to free skb before returning. But pch_gbe_tx_queue() returns without +freeing skb in case of dma_map_single() fails. Add dev_kfree_skb_any() +to fix it. + +Fixes: 77555ee72282 ("net: Add Gigabit Ethernet driver of Topcliff PCH") +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +index 8ff4c616f0ad..cc442cd775ff 100644 +--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c ++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +@@ -1166,6 +1166,7 @@ static void pch_gbe_tx_queue(struct pch_gbe_adapter *adapter, + buffer_info->dma = 0; + buffer_info->time_stamp = 0; + tx_ring->next_to_use = ring_num; ++ dev_kfree_skb_any(skb); + return; + } + buffer_info->mapped = true; +-- +2.35.1 + diff --git a/queue-5.4/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch b/queue-5.4/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch new file mode 100644 index 00000000000..a53b5cec0c0 --- /dev/null +++ b/queue-5.4/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch @@ -0,0 +1,36 @@ +From f693bebf303530a5d0ddf18cab64fa938d286350 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 16:50:38 +0800 +Subject: net/qla3xxx: fix potential memleak in ql3xxx_send() + +From: Zhang Changzhong + +[ Upstream commit 62a7311fb96c61d281da9852dbee4712fc8c3277 ] + +The ql3xxx_send() returns NETDEV_TX_OK without freeing skb in error +handling case, add dev_kfree_skb_any() to fix it. + +Fixes: bd36b0ac5d06 ("qla3xxx: Add support for Qlogic 4032 chip.") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1668675039-21138-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c +index 5e81cd317a32..11616aca0e6a 100644 +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -2476,6 +2476,7 @@ static netdev_tx_t ql3xxx_send(struct sk_buff *skb, + skb_shinfo(skb)->nr_frags); + if (tx_cb->seg_count == -1) { + netdev_err(ndev, "%s: invalid segment count!\n", __func__); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + +-- +2.35.1 + diff --git a/queue-5.4/net-thunderx-fix-the-acpi-memory-leak.patch b/queue-5.4/net-thunderx-fix-the-acpi-memory-leak.patch new file mode 100644 index 00000000000..470f391ea91 --- /dev/null +++ b/queue-5.4/net-thunderx-fix-the-acpi-memory-leak.patch @@ -0,0 +1,41 @@ +From 393a337188a7ef32b77aef80e801229d38410404 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 16:22:36 +0800 +Subject: net: thunderx: Fix the ACPI memory leak + +From: Yu Liao + +[ Upstream commit 661e5ebbafd26d9d2e3c749f5cf591e55c7364f5 ] + +The ACPI buffer memory (string.pointer) should be freed as the buffer is +not used after returning from bgx_acpi_match_id(), free it to prevent +memory leak. + +Fixes: 46b903a01c05 ("net, thunder, bgx: Add support to get MAC address from ACPI.") +Signed-off-by: Yu Liao +Link: https://lore.kernel.org/r/20221123082237.1220521-1-liaoyu15@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index 76ff42ec3ae5..a34c33e8a8ad 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1438,8 +1438,10 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl, + return AE_OK; + } + +- if (strncmp(string.pointer, bgx_sel, 4)) ++ if (strncmp(string.pointer, bgx_sel, 4)) { ++ kfree(string.pointer); + return AE_OK; ++ } + + acpi_walk_namespace(ACPI_TYPE_DEVICE, handle, 1, + bgx_acpi_register_phy, NULL, bgx, NULL); +-- +2.35.1 + diff --git a/queue-5.4/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch b/queue-5.4/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch new file mode 100644 index 00000000000..9791241bb73 --- /dev/null +++ b/queue-5.4/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch @@ -0,0 +1,61 @@ +From 915e66b35a7fc9d0030838ff4c2139b6154dd255 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 16:24:19 +0800 +Subject: NFC: nci: fix memory leak in nci_rx_data_packet() + +From: Liu Shixin + +[ Upstream commit 53270fb0fd77fe786d8c07a0793981d797836b93 ] + +Syzbot reported a memory leak about skb: + +unreferenced object 0xffff88810e144e00 (size 240): + comm "syz-executor284", pid 3701, jiffies 4294952403 (age 12.620s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:497 + [] alloc_skb include/linux/skbuff.h:1267 [inline] + [] virtual_ncidev_write+0x24/0xe0 drivers/nfc/virtual_ncidev.c:116 + [] do_loop_readv_writev fs/read_write.c:759 [inline] + [] do_loop_readv_writev fs/read_write.c:743 [inline] + [] do_iter_write+0x253/0x300 fs/read_write.c:863 + [] vfs_writev+0xdd/0x240 fs/read_write.c:934 + [] do_writev+0xa6/0x1c0 fs/read_write.c:977 + [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +In nci_rx_data_packet(), if we don't get a valid conn_info, we will return +directly but forget to release the skb. + +Reported-by: syzbot+cdb9a427d1bc08815104@syzkaller.appspotmail.com +Fixes: 4aeee6871e8c ("NFC: nci: Add dynamic logical connections support") +Signed-off-by: Liu Shixin +Link: https://lore.kernel.org/r/20221118082419.239475-1-liushixin2@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/nfc/nci/data.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c +index b002e18f38c8..b4548d887489 100644 +--- a/net/nfc/nci/data.c ++++ b/net/nfc/nci/data.c +@@ -279,8 +279,10 @@ void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb) + nci_plen(skb->data)); + + conn_info = nci_get_conn_info_by_conn_id(ndev, nci_conn_id(skb->data)); +- if (!conn_info) ++ if (!conn_info) { ++ kfree_skb(skb); + return; ++ } + + /* strip the nci data header */ + skb_pull(skb, NCI_DATA_HDR_SIZE); +-- +2.35.1 + diff --git a/queue-5.4/nfc-nci-fix-race-with-opening-and-closing.patch b/queue-5.4/nfc-nci-fix-race-with-opening-and-closing.patch new file mode 100644 index 00000000000..297ea13ce66 --- /dev/null +++ b/queue-5.4/nfc-nci-fix-race-with-opening-and-closing.patch @@ -0,0 +1,42 @@ +From a2e1513f0d1c12b022615bc84357576bd480f1ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 21:02:49 +0800 +Subject: nfc/nci: fix race with opening and closing + +From: Lin Ma + +[ Upstream commit 0ad6bded175e829c2ca261529c9dce39a32a042d ] + +Previously we leverage NCI_UNREG and the lock inside nci_close_device to +prevent the race condition between opening a device and closing a +device. However, it still has problem because a failed opening command +will erase the NCI_UNREG flag and allow another opening command to +bypass the status checking. + +This fix corrects that by making sure the NCI_UNREG is held. + +Reported-by: syzbot+43475bf3cfbd6e41f5b7@syzkaller.appspotmail.com +Fixes: 48b71a9e66c2 ("NFC: add NCI_UNREG flag to eliminate the race") +Signed-off-by: Lin Ma +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/nci/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index b2e922fcc70d..57849baf9294 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -530,7 +530,7 @@ static int nci_open_device(struct nci_dev *ndev) + skb_queue_purge(&ndev->tx_q); + + ndev->ops->close(ndev); +- ndev->flags = 0; ++ ndev->flags &= BIT(NCI_UNREG); + } + + done: +-- +2.35.1 + diff --git a/queue-5.4/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch b/queue-5.4/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch new file mode 100644 index 00000000000..def9f803e4f --- /dev/null +++ b/queue-5.4/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch @@ -0,0 +1,41 @@ +From 9a8301ea2f2d0de3ff7405bb2ba35ea413c87620 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 18:42:44 -0600 +Subject: nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION + +From: Martin Faltesek + +[ Upstream commit c60c152230828825c06e62a8f1ce956d4b659266 ] + +The first validation check for EVT_TRANSACTION has two different checks +tied together with logical AND. One is a check for minimum packet length, +and the other is for a valid aid_tag. If either condition is true (fails), +then an error should be triggered. The fix is to change && to ||. + +Reported-by: Denis Efremov +Reviewed-by: Guenter Roeck +Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support") +Signed-off-by: Martin Faltesek +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/st-nci/se.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c +index f25f1ec5f9e9..75f9a754b7eb 100644 +--- a/drivers/nfc/st-nci/se.c ++++ b/drivers/nfc/st-nci/se.c +@@ -327,7 +327,7 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev, + * AID 81 5 to 16 + * PARAMETERS 82 0 to 255 + */ +- if (skb->len < NFC_MIN_AID_LENGTH + 2 && ++ if (skb->len < NFC_MIN_AID_LENGTH + 2 || + skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) + return -EPROTO; + +-- +2.35.1 + diff --git a/queue-5.4/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch b/queue-5.4/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch new file mode 100644 index 00000000000..01646133b93 --- /dev/null +++ b/queue-5.4/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch @@ -0,0 +1,42 @@ +From e7b951e88a6198da03cc2057487bd75710508a7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 18:42:45 -0600 +Subject: nfc: st-nci: fix memory leaks in EVT_TRANSACTION + +From: Martin Faltesek + +[ Upstream commit 440f2ae9c9f06e26f5dcea697a53717fc61a318c ] + +Error path does not free previously allocated memory. Add devm_kfree() to +the failure path. + +Reported-by: Denis Efremov +Reviewed-by: Guenter Roeck +Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support") +Signed-off-by: Martin Faltesek +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/st-nci/se.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c +index 75f9a754b7eb..0cd70cd680dc 100644 +--- a/drivers/nfc/st-nci/se.c ++++ b/drivers/nfc/st-nci/se.c +@@ -341,8 +341,10 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev, + + /* Check next byte is PARAMETERS tag (82) */ + if (skb->data[transaction->aid_len + 2] != +- NFC_EVT_TRANSACTION_PARAMS_TAG) ++ NFC_EVT_TRANSACTION_PARAMS_TAG) { ++ devm_kfree(dev, transaction); + return -EPROTO; ++ } + + transaction->params_len = skb->data[transaction->aid_len + 3]; + memcpy(transaction->params, skb->data + +-- +2.35.1 + diff --git a/queue-5.4/nfp-add-port-from-netdev-validation-for-eeprom-acces.patch b/queue-5.4/nfp-add-port-from-netdev-validation-for-eeprom-acces.patch new file mode 100644 index 00000000000..42511009263 --- /dev/null +++ b/queue-5.4/nfp-add-port-from-netdev-validation-for-eeprom-acces.patch @@ -0,0 +1,45 @@ +From 58e980c6e66c181a534072e191b96685e612e8f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 16:37:44 +0100 +Subject: nfp: add port from netdev validation for EEPROM access + +From: Jaco Coetzee + +[ Upstream commit 0873016d46f6dfafd1bdf4d9b935b3331b226f7c ] + +Setting of the port flag `NFP_PORT_CHANGED`, introduced +to ensure the correct reading of EEPROM data, causes a +fatal kernel NULL pointer dereference in cases where +the target netdev type cannot be determined. + +Add validation of port struct pointer before attempting +to set the `NFP_PORT_CHANGED` flag. Return that operation +is not supported if the netdev type cannot be determined. + +Fixes: 4ae97cae07e1 ("nfp: ethtool: fix the display error of `ethtool -m DEVNAME`") +Signed-off-by: Jaco Coetzee +Reviewed-by: Louis Peens +Signed-off-by: Simon Horman +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c +index 46d6988829ff..ff8810357181 100644 +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c +@@ -1127,6 +1127,9 @@ nfp_port_get_module_info(struct net_device *netdev, + u8 data; + + port = nfp_port_from_netdev(netdev); ++ if (!port) ++ return -EOPNOTSUPP; ++ + /* update port state to get latest interface */ + set_bit(NFP_PORT_CHANGED, &port->flags); + eth_port = nfp_port_get_eth_port(port); +-- +2.35.1 + diff --git a/queue-5.4/regulator-core-fix-kobject-release-warning-and-memor.patch b/queue-5.4/regulator-core-fix-kobject-release-warning-and-memor.patch new file mode 100644 index 00000000000..b3e9e34da59 --- /dev/null +++ b/queue-5.4/regulator-core-fix-kobject-release-warning-and-memor.patch @@ -0,0 +1,75 @@ +From d166ec84f281dc8b42c772daa953ced120d9ad46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 15:43:39 +0800 +Subject: regulator: core: fix kobject release warning and memory leak in + regulator_register() + +From: Zeng Heng + +[ Upstream commit 5f4b204b6b8153923d5be8002c5f7082985d153f ] + +Here is a warning report about lack of registered release() +from kobject lib: + +Device '(null)' does not have a release() function, it is broken and must be fixed. +WARNING: CPU: 0 PID: 48430 at drivers/base/core.c:2332 device_release+0x104/0x120 +Call Trace: + kobject_put+0xdc/0x180 + put_device+0x1b/0x30 + regulator_register+0x651/0x1170 + devm_regulator_register+0x4f/0xb0 + +When regulator_register() returns fail and directly goto `clean` symbol, +rdev->dev has not registered release() function yet (which is registered +by regulator_class in the following), so rdev needs to be freed manually. +If rdev->dev.of_node is not NULL, which means the of_node has gotten by +regulator_of_get_init_data(), it needs to call of_node_put() to avoid +refcount leak. + +Otherwise, only calling put_device() would lead memory leak of rdev +in further: + +unreferenced object 0xffff88810d0b1000 (size 2048): + comm "107-i2c-rtq6752", pid 48430, jiffies 4342258431 (age 1341.780s) + backtrace: + kmalloc_trace+0x22/0x110 + regulator_register+0x184/0x1170 + devm_regulator_register+0x4f/0xb0 + +When regulator_register() returns fail and goto `wash` symbol, +rdev->dev has registered release() function, so directly call +put_device() to cleanup everything. + +Fixes: d3c731564e09 ("regulator: plug of_node leak in regulator_register()'s error path") +Signed-off-by: Zeng Heng +Link: https://lore.kernel.org/r/20221116074339.1024240-1-zengheng4@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 6ba3f6e7ea4f..173798c0fbcd 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -5269,11 +5269,15 @@ regulator_register(const struct regulator_desc *regulator_desc, + mutex_lock(®ulator_list_mutex); + regulator_ena_gpio_free(rdev); + mutex_unlock(®ulator_list_mutex); ++ put_device(&rdev->dev); ++ rdev = NULL; + clean: + if (dangling_of_gpiod) + gpiod_put(config->ena_gpiod); ++ if (rdev && rdev->dev.of_node) ++ of_node_put(rdev->dev.of_node); ++ kfree(rdev); + kfree(config); +- put_device(&rdev->dev); + rinse: + if (dangling_cfg_gpiod) + gpiod_put(cfg->ena_gpiod); +-- +2.35.1 + diff --git a/queue-5.4/regulator-core-fix-uaf-in-destroy_regulator.patch b/queue-5.4/regulator-core-fix-uaf-in-destroy_regulator.patch new file mode 100644 index 00000000000..bef2fe27c69 --- /dev/null +++ b/queue-5.4/regulator-core-fix-uaf-in-destroy_regulator.patch @@ -0,0 +1,132 @@ +From d43918642461a08532042651d5eb5feafb0da5d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 11:37:06 +0800 +Subject: regulator: core: fix UAF in destroy_regulator() + +From: Yang Yingliang + +[ Upstream commit 1f386d6894d0f1b7de8ef640c41622ddd698e7ab ] + +I got a UAF report as following: + +================================================================== +BUG: KASAN: use-after-free in __lock_acquire+0x935/0x2060 +Read of size 8 at addr ffff88810e838220 by task python3/268 +Call Trace: + + dump_stack_lvl+0x67/0x83 + print_report+0x178/0x4b0 + kasan_report+0x90/0x190 + __lock_acquire+0x935/0x2060 + lock_acquire+0x156/0x400 + _raw_spin_lock+0x2a/0x40 + lockref_get+0x11/0x30 + simple_recursive_removal+0x41/0x440 + debugfs_remove.part.12+0x32/0x50 + debugfs_remove+0x29/0x30 + _regulator_put.cold.54+0x3e/0x27f + regulator_put+0x1f/0x30 + release_nodes+0x6a/0xa0 + devres_release_all+0xf8/0x150 + +Allocated by task 37: + kasan_save_stack+0x1c/0x40 + kasan_set_track+0x21/0x30 + __kasan_slab_alloc+0x5d/0x70 + slab_post_alloc_hook+0x62/0x510 + kmem_cache_alloc_lru+0x222/0x5a0 + __d_alloc+0x31/0x440 + d_alloc+0x30/0xf0 + d_alloc_parallel+0xc4/0xd20 + __lookup_slow+0x15e/0x2f0 + lookup_one_len+0x13a/0x150 + start_creating+0xea/0x190 + debugfs_create_dir+0x1e/0x210 + create_regulator+0x254/0x4e0 + _regulator_get+0x2a1/0x467 + _devm_regulator_get+0x5a/0xb0 + regulator_virtual_probe+0xb9/0x1a0 + +Freed by task 30: + kasan_save_stack+0x1c/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x2a/0x50 + __kasan_slab_free+0x102/0x190 + kmem_cache_free+0xf6/0x600 + rcu_core+0x54c/0x12b0 + __do_softirq+0xf2/0x5e3 + +Last potentially related work creation: + kasan_save_stack+0x1c/0x40 + __kasan_record_aux_stack+0x98/0xb0 + call_rcu+0x42/0x700 + dentry_free+0x6c/0xd0 + __dentry_kill+0x23b/0x2d0 + dput.part.31+0x431/0x780 + simple_recursive_removal+0xa9/0x440 + debugfs_remove.part.12+0x32/0x50 + debugfs_remove+0x29/0x30 + regulator_unregister+0xe3/0x230 + release_nodes+0x6a/0xa0 + +================================================================== + +Here is how happened: + +processor A processor B +regulator_register() + rdev_init_debugfs() + rdev->debugfs = debugfs_create_dir() + devm_regulator_get() + rdev = regulator_dev_lookup() + create_regulator(rdev) + // using rdev->debugfs as parent + debugfs_create_dir(rdev->debugfs) + +mfd_remove_devices_fn() + release_nodes() + regulator_unregister() + // free rdev->debugfs + debugfs_remove_recursive(rdev->debugfs) + release_nodes() + destroy_regulator() + debugfs_remove_recursive() <- causes UAF + +In devm_regulator_get(), after getting rdev, the refcount +is get, so fix this by moving debugfs_remove_recursive() +to regulator_dev_release(), then it can be proctected by +the refcount, the 'rdev->debugfs' can not be freed until +the refcount is 0. + +Fixes: 5de705194e98 ("regulator: Add basic per consumer debugfs") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221116033706.3595812-1-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 173798c0fbcd..7d15312d6792 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -4802,6 +4802,7 @@ static void regulator_dev_release(struct device *dev) + { + struct regulator_dev *rdev = dev_get_drvdata(dev); + ++ debugfs_remove_recursive(rdev->debugfs); + kfree(rdev->constraints); + of_node_put(rdev->dev.of_node); + kfree(rdev); +@@ -5306,7 +5307,6 @@ void regulator_unregister(struct regulator_dev *rdev) + + mutex_lock(®ulator_list_mutex); + +- debugfs_remove_recursive(rdev->debugfs); + WARN_ON(rdev->open_count); + regulator_remove_coupling(rdev); + unset_regulator_supplies(rdev); +-- +2.35.1 + diff --git a/queue-5.4/regulator-twl6030-re-add-twl6032_subclass.patch b/queue-5.4/regulator-twl6030-re-add-twl6032_subclass.patch new file mode 100644 index 00000000000..f137532b5ac --- /dev/null +++ b/queue-5.4/regulator-twl6030-re-add-twl6032_subclass.patch @@ -0,0 +1,47 @@ +From d1d579cd480de33c6a20a463d2a5dcf0c4653291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Nov 2022 23:12:07 +0100 +Subject: regulator: twl6030: re-add TWL6032_SUBCLASS + +From: Andreas Kemnade + +[ Upstream commit 3d6c982b26db94cc21bc9f7784f63e8286b7be62 ] + +In former times, info->feature was populated via the parent driver +by pdata/regulator_init_data->driver_data for all regulators when +USB_PRODUCT_ID_LSB indicates a TWL6032. +Today, the information is not set, so re-add it at the regulator +definitions. + +Fixes: 25d82337705e2 ("regulator: twl: make driver DT only") +Signed-off-by: Andreas Kemnade +Link: https://lore.kernel.org/r/20221120221208.3093727-2-andreas@kemnade.info +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/twl6030-regulator.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/regulator/twl6030-regulator.c b/drivers/regulator/twl6030-regulator.c +index b8100c3cedad..4ffb32ffec35 100644 +--- a/drivers/regulator/twl6030-regulator.c ++++ b/drivers/regulator/twl6030-regulator.c +@@ -530,6 +530,7 @@ static const struct twlreg_info TWL6030_INFO_##label = { \ + #define TWL6032_ADJUSTABLE_LDO(label, offset) \ + static const struct twlreg_info TWL6032_INFO_##label = { \ + .base = offset, \ ++ .features = TWL6032_SUBCLASS, \ + .desc = { \ + .name = #label, \ + .id = TWL6032_REG_##label, \ +@@ -562,6 +563,7 @@ static const struct twlreg_info TWLFIXED_INFO_##label = { \ + #define TWL6032_ADJUSTABLE_SMPS(label, offset) \ + static const struct twlreg_info TWLSMPS_INFO_##label = { \ + .base = offset, \ ++ .features = TWL6032_SUBCLASS, \ + .desc = { \ + .name = #label, \ + .id = TWL6032_REG_##label, \ +-- +2.35.1 + diff --git a/queue-5.4/s390-crashdump-fix-tod-programmable-field-size.patch b/queue-5.4/s390-crashdump-fix-tod-programmable-field-size.patch new file mode 100644 index 00000000000..1805852ba35 --- /dev/null +++ b/queue-5.4/s390-crashdump-fix-tod-programmable-field-size.patch @@ -0,0 +1,61 @@ +From 4a2e38fc0eb729f64dea3be07e6c061f43db96bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 13:05:39 +0100 +Subject: s390/crashdump: fix TOD programmable field size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Heiko Carstens + +[ Upstream commit f44e07a8afdd713ddc1a8832c39372fe5dd86895 ] + +The size of the TOD programmable field was incorrectly increased from +four to eight bytes with commit 1a2c5840acf9 ("s390/dump: cleanup CPU +save area handling"). +This leads to an elf notes section NT_S390_TODPREG which has a size of +eight instead of four bytes in case of kdump, however even worse is +that the contents is incorrect: it is supposed to contain only the +contents of the TOD programmable field, but in fact contains a mix of +the TOD programmable field (32 bit upper bits) and parts of the CPU +timer register (lower 32 bits). + +Fix this by simply changing the size of the todpreg field within the +save area structure. This will implicitly also fix the size of the +corresponding elf notes sections. + +This also gets rid of this compile time warning: + +in function ‘fortify_memcpy_chk’, + inlined from ‘save_area_add_regs’ at arch/s390/kernel/crash_dump.c:99:2: +./include/linux/fortify-string.h:413:25: error: call to ‘__read_overflow2_field’ + declared with attribute warning: detected read beyond size of field + (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning] + 413 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fixes: 1a2c5840acf9 ("s390/dump: cleanup CPU save area handling") +Reviewed-by: Christian Borntraeger +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/crash_dump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/crash_dump.c b/arch/s390/kernel/crash_dump.c +index f96a5857bbfd..01d7c281087f 100644 +--- a/arch/s390/kernel/crash_dump.c ++++ b/arch/s390/kernel/crash_dump.c +@@ -44,7 +44,7 @@ struct save_area { + u64 fprs[16]; + u32 fpc; + u32 prefix; +- u64 todpreg; ++ u32 todpreg; + u64 timer; + u64 todcmp; + u64 vxrs_low[16]; +-- +2.35.1 + diff --git a/queue-5.4/s390-dasd-fix-no-record-found-for-raw_track_access.patch b/queue-5.4/s390-dasd-fix-no-record-found-for-raw_track_access.patch new file mode 100644 index 00000000000..fa483706ad6 --- /dev/null +++ b/queue-5.4/s390-dasd-fix-no-record-found-for-raw_track_access.patch @@ -0,0 +1,75 @@ +From 4e186c11e9ba0df2aec611e4b01f1a441e1e7c4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 17:07:18 +0100 +Subject: s390/dasd: fix no record found for raw_track_access + +From: Stefan Haberland + +[ Upstream commit 590ce6d96d6a224b470a3862c33a483d5022bfdb ] + +For DASD devices in raw_track_access mode only full track images are +read and written. +For this purpose it is not necessary to do search operation in the +locate record extended function. The documentation even states that +this might fail if the searched record is not found on a track. + +Currently the driver sets a value of 1 in the search field for the first +record after record zero. This is the default for disks not in +raw_track_access mode but record 1 might be missing on a completely +empty track. + +There has not been any problem with this on IBM storage servers but it +might lead to errors with DASD devices on other vendors storage servers. + +Fix this by setting the search field to 0. Record zero is always available +even on a completely empty track. + +Fixes: e4dbb0f2b5dd ("[S390] dasd: Add support for raw ECKD access.") +Signed-off-by: Stefan Haberland +Reviewed-by: Jan Hoeppner +Link: https://lore.kernel.org/r/20221123160719.3002694-4-sth@linux.ibm.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/s390/block/dasd_eckd.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 7749deb614d7..53d22975a32f 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -4627,7 +4627,6 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev, + struct dasd_device *basedev; + struct req_iterator iter; + struct dasd_ccw_req *cqr; +- unsigned int first_offs; + unsigned int trkcount; + unsigned long *idaws; + unsigned int size; +@@ -4661,7 +4660,6 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev, + last_trk = (blk_rq_pos(req) + blk_rq_sectors(req) - 1) / + DASD_RAW_SECTORS_PER_TRACK; + trkcount = last_trk - first_trk + 1; +- first_offs = 0; + + if (rq_data_dir(req) == READ) + cmd = DASD_ECKD_CCW_READ_TRACK; +@@ -4705,13 +4703,13 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev, + + if (use_prefix) { + prefix_LRE(ccw++, data, first_trk, last_trk, cmd, basedev, +- startdev, 1, first_offs + 1, trkcount, 0, 0); ++ startdev, 1, 0, trkcount, 0, 0); + } else { + define_extent(ccw++, data, first_trk, last_trk, cmd, basedev, 0); + ccw[-1].flags |= CCW_FLAG_CC; + + data += sizeof(struct DE_eckd_data); +- locate_record_ext(ccw++, data, first_trk, first_offs + 1, ++ locate_record_ext(ccw++, data, first_trk, 0, + trkcount, cmd, basedev, 0, 0); + } + +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 10b37b4d681..0a9247ac997 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -8,3 +8,36 @@ block-bfq-fix-null-pointer-dereference-in-bfq_bio_bf.patch arm64-syscall-include-asm-ptrace.h-in-syscall_wrappe.patch risc-v-vdso-do-not-add-missing-symbols-to-version-se.patch mips-pic32-treat-port-as-signed-integer.patch +af_key-fix-send_acquire-race-with-pfkey_register.patch +arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch +asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch +regulator-core-fix-kobject-release-warning-and-memor.patch +regulator-core-fix-uaf-in-destroy_regulator.patch +bus-sunxi-rsb-support-atomic-transfers.patch +tee-optee-fix-possible-memory-leak-in-optee_register.patch +arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch +net-liquidio-simplify-if-expression.patch +nfc-nci-fix-race-with-opening-and-closing.patch +net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch +9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch +arm-mxs-fix-memory-leak-in-mxs_machine_init.patch +net-mlx4-check-retval-of-mlx4_bitmap_init.patch +net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch +net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch +nfp-add-port-from-netdev-validation-for-eeprom-acces.patch +drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch +drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch +net-mlx5-fix-fw-tracer-timestamp-calculation.patch +tipc-set-con-sock-in-tipc_conn_alloc.patch +tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch +tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch +xfrm-fix-ignored-return-value-in-xfrm6_init.patch +nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch +regulator-twl6030-re-add-twl6032_subclass.patch +bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch +dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch +s390-dasd-fix-no-record-found-for-raw_track_access.patch +nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch +nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch +net-thunderx-fix-the-acpi-memory-leak.patch +s390-crashdump-fix-tod-programmable-field-size.patch diff --git a/queue-5.4/tee-optee-fix-possible-memory-leak-in-optee_register.patch b/queue-5.4/tee-optee-fix-possible-memory-leak-in-optee_register.patch new file mode 100644 index 00000000000..3bc03b44339 --- /dev/null +++ b/queue-5.4/tee-optee-fix-possible-memory-leak-in-optee_register.patch @@ -0,0 +1,41 @@ +From f97869ea82e239469b45eed9859920a7fb20a146 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 22:01:24 +0800 +Subject: tee: optee: fix possible memory leak in optee_register_device() + +From: Yang Yingliang + +[ Upstream commit cce616e012c215d65c15e5d1afa73182dea49389 ] + +If device_register() returns error in optee_register_device(), +the name allocated by dev_set_name() need be freed. As comment +of device_register() says, it should use put_device() to give +up the reference in the error path. So fix this by calling +put_device(), then the name can be freed in kobject_cleanup(), +and optee_device is freed in optee_release_device(). + +Fixes: c3fa24af9244 ("tee: optee: add TEE bus device enumeration support") +Signed-off-by: Yang Yingliang +Reviewed-by: Sumit Garg +Signed-off-by: Jens Wiklander +Signed-off-by: Sasha Levin +--- + drivers/tee/optee/device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tee/optee/device.c b/drivers/tee/optee/device.c +index acff7dd677d6..71c491cbb0c5 100644 +--- a/drivers/tee/optee/device.c ++++ b/drivers/tee/optee/device.c +@@ -89,7 +89,7 @@ static int optee_register_device(const uuid_t *device_uuid, u32 device_id) + rc = device_register(&optee_device->dev); + if (rc) { + pr_err("device registration failed, err: %d\n", rc); +- kfree(optee_device); ++ put_device(&optee_device->dev); + } + + return rc; +-- +2.35.1 + diff --git a/queue-5.4/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch b/queue-5.4/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch new file mode 100644 index 00000000000..10fd7c8655d --- /dev/null +++ b/queue-5.4/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch @@ -0,0 +1,84 @@ +From 9ac84b6e2d748f2d6c285c7e9d2d71c174590777 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 16:45:01 -0500 +Subject: tipc: add an extra conn_get in tipc_conn_alloc + +From: Xin Long + +[ Upstream commit a7b42969d63f47320853a802efd879fbdc4e010e ] + +One extra conn_get() is needed in tipc_conn_alloc(), as after +tipc_conn_alloc() is called, tipc_conn_close() may free this +con before deferencing it in tipc_topsrv_accept(): + + tipc_conn_alloc(); + newsk = newsock->sk; + <---- tipc_conn_close(); + write_lock_bh(&sk->sk_callback_lock); + newsk->sk_data_ready = tipc_conn_data_ready; + +Then an uaf issue can be triggered: + + BUG: KASAN: use-after-free in tipc_topsrv_accept+0x1e7/0x370 [tipc] + Call Trace: + + dump_stack_lvl+0x33/0x46 + print_report+0x178/0x4b0 + kasan_report+0x8c/0x100 + kasan_check_range+0x179/0x1e0 + tipc_topsrv_accept+0x1e7/0x370 [tipc] + process_one_work+0x6a3/0x1030 + worker_thread+0x8a/0xdf0 + +This patch fixes it by holding it in tipc_conn_alloc(), then after +all accessing in tipc_topsrv_accept() releasing it. Note when does +this in tipc_topsrv_kern_subscr(), as tipc_conn_rcv_sub() returns +0 or -1 only, we don't need to check for "> 0". + +Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure") +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/topsrv.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c +index 532343c7788a..88e8e8d69b60 100644 +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -207,6 +207,7 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *s + set_bit(CF_CONNECTED, &con->flags); + con->server = s; + con->sock = sock; ++ conn_get(con); + spin_unlock_bh(&s->idr_lock); + + return con; +@@ -484,6 +485,7 @@ static void tipc_topsrv_accept(struct work_struct *work) + + /* Wake up receive process in case of 'SYN+' message */ + newsk->sk_data_ready(newsk); ++ conn_put(con); + } + } + +@@ -583,10 +585,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower, + + *conid = con->conid; + rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub); +- if (rc >= 0) +- return true; ++ if (rc) ++ conn_put(con); ++ + conn_put(con); +- return false; ++ return !rc; + } + + void tipc_topsrv_kern_unsubscr(struct net *net, int conid) +-- +2.35.1 + diff --git a/queue-5.4/tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch b/queue-5.4/tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch new file mode 100644 index 00000000000..049837fa3b2 --- /dev/null +++ b/queue-5.4/tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch @@ -0,0 +1,41 @@ +From a2458f3bd6ee2218d414122639e27fddbca3537c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 15:28:32 +0800 +Subject: tipc: check skb_linearize() return value in tipc_disc_rcv() + +From: YueHaibing + +[ Upstream commit cd0f6421162201e4b22ce757a1966729323185eb ] + +If skb_linearize() fails in tipc_disc_rcv(), we need to free the skb instead of +handle it. + +Fixes: 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address hash values") +Signed-off-by: YueHaibing +Acked-by: Jon Maloy +Link: https://lore.kernel.org/r/20221119072832.7896-1-yuehaibing@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/discover.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/discover.c b/net/tipc/discover.c +index 0006c9f87199..0436c8f2967d 100644 +--- a/net/tipc/discover.c ++++ b/net/tipc/discover.c +@@ -208,7 +208,10 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *skb, + u32 self; + int err; + +- skb_linearize(skb); ++ if (skb_linearize(skb)) { ++ kfree_skb(skb); ++ return; ++ } + hdr = buf_msg(skb); + + if (caps & TIPC_NODE_ID128) +-- +2.35.1 + diff --git a/queue-5.4/tipc-set-con-sock-in-tipc_conn_alloc.patch b/queue-5.4/tipc-set-con-sock-in-tipc_conn_alloc.patch new file mode 100644 index 00000000000..d2af1ac0aab --- /dev/null +++ b/queue-5.4/tipc-set-con-sock-in-tipc_conn_alloc.patch @@ -0,0 +1,106 @@ +From 932662dab1f66d9e5f125d6a5646418f9f2bbe8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 16:45:00 -0500 +Subject: tipc: set con sock in tipc_conn_alloc + +From: Xin Long + +[ Upstream commit 0e5d56c64afcd6fd2d132ea972605b66f8a7d3c4 ] + +A crash was reported by Wei Chen: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + RIP: 0010:tipc_conn_close+0x12/0x100 + Call Trace: + tipc_topsrv_exit_net+0x139/0x320 + ops_exit_list.isra.9+0x49/0x80 + cleanup_net+0x31a/0x540 + process_one_work+0x3fa/0x9f0 + worker_thread+0x42/0x5c0 + +It was caused by !con->sock in tipc_conn_close(). In tipc_topsrv_accept(), +con is allocated in conn_idr then its sock is set: + + con = tipc_conn_alloc(); + ... <----[1] + con->sock = newsock; + +If tipc_conn_close() is called in anytime of [1], the null-pointer-def +is triggered by con->sock->sk due to con->sock is not yet set. + +This patch fixes it by moving the con->sock setting to tipc_conn_alloc() +under s->idr_lock. So that con->sock can never be NULL when getting the +con from s->conn_idr. It will be also safer to move con->server and flag +CF_CONNECTED setting under s->idr_lock, as they should all be set before +tipc_conn_alloc() is called. + +Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure") +Reported-by: Wei Chen +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/topsrv.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c +index 1c5319678f28..532343c7788a 100644 +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -177,7 +177,7 @@ static void tipc_conn_close(struct tipc_conn *con) + conn_put(con); + } + +-static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s) ++static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *sock) + { + struct tipc_conn *con; + int ret; +@@ -203,10 +203,11 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s) + } + con->conid = ret; + s->idr_in_use++; +- spin_unlock_bh(&s->idr_lock); + + set_bit(CF_CONNECTED, &con->flags); + con->server = s; ++ con->sock = sock; ++ spin_unlock_bh(&s->idr_lock); + + return con; + } +@@ -467,7 +468,7 @@ static void tipc_topsrv_accept(struct work_struct *work) + ret = kernel_accept(lsock, &newsock, O_NONBLOCK); + if (ret < 0) + return; +- con = tipc_conn_alloc(srv); ++ con = tipc_conn_alloc(srv, newsock); + if (IS_ERR(con)) { + ret = PTR_ERR(con); + sock_release(newsock); +@@ -479,7 +480,6 @@ static void tipc_topsrv_accept(struct work_struct *work) + newsk->sk_data_ready = tipc_conn_data_ready; + newsk->sk_write_space = tipc_conn_write_space; + newsk->sk_user_data = con; +- con->sock = newsock; + write_unlock_bh(&newsk->sk_callback_lock); + + /* Wake up receive process in case of 'SYN+' message */ +@@ -577,12 +577,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower, + sub.filter = filter; + *(u64 *)&sub.usr_handle = (u64)port; + +- con = tipc_conn_alloc(tipc_topsrv(net)); ++ con = tipc_conn_alloc(tipc_topsrv(net), NULL); + if (IS_ERR(con)) + return false; + + *conid = con->conid; +- con->sock = NULL; + rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub); + if (rc >= 0) + return true; +-- +2.35.1 + diff --git a/queue-5.4/xfrm-fix-ignored-return-value-in-xfrm6_init.patch b/queue-5.4/xfrm-fix-ignored-return-value-in-xfrm6_init.patch new file mode 100644 index 00000000000..428fd69c192 --- /dev/null +++ b/queue-5.4/xfrm-fix-ignored-return-value-in-xfrm6_init.patch @@ -0,0 +1,59 @@ +From 85867fcb756f0caae0ae9cf41a21086ac6f2acc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 17:07:13 +0800 +Subject: xfrm: Fix ignored return value in xfrm6_init() + +From: Chen Zhongjin + +[ Upstream commit 40781bfb836eda57d19c0baa37c7e72590e05fdc ] + +When IPv6 module initializing in xfrm6_init(), register_pernet_subsys() +is possible to fail but its return value is ignored. + +If IPv6 initialization fails later and xfrm6_fini() is called, +removing uninitialized list in xfrm6_net_ops will cause null-ptr-deref: + +KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +CPU: 1 PID: 330 Comm: insmod +RIP: 0010:unregister_pernet_operations+0xc9/0x450 +Call Trace: + + unregister_pernet_subsys+0x31/0x3e + xfrm6_fini+0x16/0x30 [ipv6] + ip6_route_init+0xcd/0x128 [ipv6] + inet6_init+0x29c/0x602 [ipv6] + ... + +Fix it by catching the error return value of register_pernet_subsys(). + +Fixes: 8d068875caca ("xfrm: make gc_thresh configurable in all namespaces") +Signed-off-by: Chen Zhongjin +Reviewed-by: Leon Romanovsky +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_policy.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c +index af7a4b8b1e9c..247296e3294b 100644 +--- a/net/ipv6/xfrm6_policy.c ++++ b/net/ipv6/xfrm6_policy.c +@@ -289,9 +289,13 @@ int __init xfrm6_init(void) + if (ret) + goto out_state; + +- register_pernet_subsys(&xfrm6_net_ops); ++ ret = register_pernet_subsys(&xfrm6_net_ops); ++ if (ret) ++ goto out_protocol; + out: + return ret; ++out_protocol: ++ xfrm6_protocol_fini(); + out_state: + xfrm6_state_fini(); + out_policy: +-- +2.35.1 +