From 1147d5709a083b01c903687cf2eb4e0e5f396e37 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Thu, 14 May 2020 15:14:57 -0400
Subject: [PATCH] Fixes for 4.9
Signed-off-by: Sasha Levin
---
 ...k-around-gcc-10-stringop-overflow-wa.patch | 73 +++++++++++++++++
 ...moxa-fix-a-potential-double-free_irq.patch | 36 +++++++++
 ...resource-leak-in-an-error-handling-p.patch | 52 ++++++++++++
 queue-4.9/series | 4 +
 ...sible-deadlocks-on-shmlock_user_lock.patch | 80 +++++++++++++++++++
 5 files changed, 245 insertions(+)
 create mode 100644 queue-4.9/drop_monitor-work-around-gcc-10-stringop-overflow-wa.patch
 create mode 100644 queue-4.9/net-moxa-fix-a-potential-double-free_irq.patch
 create mode 100644 queue-4.9/net-sonic-fix-a-resource-leak-in-an-error-handling-p.patch
 create mode 100644 queue-4.9/shmem-fix-possible-deadlocks-on-shmlock_user_lock.patch
diff --git a/queue-4.9/drop_monitor-work-around-gcc-10-stringop-overflow-wa.patch b/queue-4.9/drop_monitor-work-around-gcc-10-stringop-overflow-wa.patch
new file mode 100644
index 00000000000..0690eb59659
--- /dev/null
+++ b/queue-4.9/drop_monitor-work-around-gcc-10-stringop-overflow-wa.patch
@@ -0,0 +1,73 @@
+From 94728ca5f56fd392b0ef42b909b4f1c6f4b9b81b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 30 Apr 2020 23:30:49 +0200
+Subject: drop_monitor: work around gcc-10 stringop-overflow warning
+
+From: Arnd Bergmann
+
+[ Upstream commit dc30b4059f6e2abf3712ab537c8718562b21c45d ]
+
+The current gcc-10 snapshot produces a false-positive warning:
+
+net/core/drop_monitor.c: In function 'trace_drop_common.constprop':
+cc1: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
+In file included from net/core/drop_monitor.c:23:
+include/uapi/linux/net_dropmon.h:36:8: note: at offset 0 to object 'entries' with size 4 declared here
+ 36 | __u32 entries;
+ | ^~~~~~~
+
+I reported this in the gcc bugzilla, but in case it does not get
+fixed in the release, work around it by using a temporary variable.
+
+Fixes: 9a8afc8d3962 ("Network Drop Monitor: Adding drop monitor implementation & Netlink protocol")
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94881
+Signed-off-by: Arnd Bergmann
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/drop_monitor.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
+index ca2c9c8b9a3e9..6d7ff117f3792 100644
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -159,6 +159,7 @@ static void sched_send_work(unsigned long _data)
+ static void trace_drop_common(struct sk_buff *skb, void *location)
+ {
+ struct net_dm_alert_msg *msg;
++ struct net_dm_drop_point *point;
+ struct nlmsghdr *nlh;
+ struct nlattr *nla;
+ int i;
+@@ -177,11 +178,13 @@ static void trace_drop_common(struct sk_buff *skb, void *location)
+ nlh = (struct nlmsghdr *)dskb->data;
+ nla = genlmsg_data(nlmsg_data(nlh));
+ msg = nla_data(nla);
++ point = msg->points;
+ for (i = 0; i < msg->entries; i++) {
+- if (!memcmp(&location, msg->points[i].pc, sizeof(void *))) {
+- msg->points[i].count++;
++ if (!memcmp(&location, &point->pc, sizeof(void *))) {
++ point->count++;
+ goto out;
+ }
++ point++;
+ }
+ if (msg->entries == dm_hit_limit)
+ goto out;
+@@ -190,8 +193,8 @@ static void trace_drop_common(struct sk_buff *skb, void *location)
+ */
+ __nla_reserve_nohdr(dskb, sizeof(struct net_dm_drop_point));
+ nla->nla_len += NLA_ALIGN(sizeof(struct net_dm_drop_point));
+- memcpy(msg->points[msg->entries].pc, &location, sizeof(void *));
+- msg->points[msg->entries].count = 1;
++ memcpy(point->pc, &location, sizeof(void *));
++ point->count = 1;
+ msg->entries++;
+
+ if (!timer_pending(&data->send_timer)) {
+--
+2.20.1
+
diff --git a/queue-4.9/net-moxa-fix-a-potential-double-free_irq.patch b/queue-4.9/net-moxa-fix-a-potential-double-free_irq.patch
new file mode 100644
index 00000000000..0fb32f76ab5
--- /dev/null
+++ b/queue-4.9/net-moxa-fix-a-potential-double-free_irq.patch
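Review bot: In the queued drop_monitor patch, the `memcpy(point->pc, ...)` in the last inner hunk is only in bounds because the loop above has walked `point` to `msg->points + msg->entries` and the `msg->entries == dm_hit_limit` check has already bailed out, and nothing in the new code says so. A comment above the write such as `/* point == &msg->points[msg->entries] here: the loop ran to completion */` would keep a later early exit or `continue` in the loop from turning this into a write to the wrong slot. The comparison also takes `&point->pc` while the copy takes `point->pc`; both presumably resolve to the same address if `pc` is an array, but one spelling should be used for both. trace_drop_common() starts and ends outside the hunks shown.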
@@ -0,0 +1,36 @@
+From 71c0f008267325c89cd67474fc40bb6866fd8175 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 26 Apr 2020 22:59:21 +0200
+Subject: net: moxa: Fix a potential double 'free_irq()'
+
+From: Christophe JAILLET
+
+[ Upstream commit ee8d2267f0e39a1bfd95532da3a6405004114b27 ]
+
+Should an irq requested with 'devm_request_irq' be released explicitly,
+it should be done by 'devm_free_irq()', not 'free_irq()'.
+
+Fixes: 6c821bd9edc9 ("net: Add MOXA ART SoCs ethernet driver")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/moxa/moxart_ether.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/moxa/moxart_ether.c b/drivers/net/ethernet/moxa/moxart_ether.c
+index 0622fd03941b8..6fe61d9343cb8 100644
+--- a/drivers/net/ethernet/moxa/moxart_ether.c
++++ b/drivers/net/ethernet/moxa/moxart_ether.c
+@@ -571,7 +571,7 @@ static int moxart_remove(struct platform_device *pdev)
+ struct net_device *ndev = platform_get_drvdata(pdev);
+
+ unregister_netdev(ndev);
+- free_irq(ndev->irq, ndev);
++ devm_free_irq(&pdev->dev, ndev->irq, ndev);
+ moxart_mac_free_memory(ndev);
+ free_netdev(ndev);
+
+--
+2.20.1
+
diff --git a/queue-4.9/net-sonic-fix-a-resource-leak-in-an-error-handling-p.patch b/queue-4.9/net-sonic-fix-a-resource-leak-in-an-error-handling-p.patch
new file mode 100644
index 00000000000..269e1827f9f
--- /dev/null
+++ b/queue-4.9/net-sonic-fix-a-resource-leak-in-an-error-handling-p.patch
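Review bot: In the queued moxart_ether patch, `devm_free_irq(&pdev->dev, ndev->irq, ndev)` only releases the IRQ if the device and dev_id match what was passed to `devm_request_irq()`, and that call is not visible in this hunk, so it should be checked against the probe path in the 4.9 tree. It would also help to say why a managed IRQ is released by hand, for example `/* release the IRQ before free_netdev(): devres cleanup only runs after remove() returns */`, since the handler presumably dereferences `ndev`. moxart_remove() continues past the end of the hunk.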
@@ -0,0 +1,52 @@
+From 6a66dafe4ab63de6ab7a758d295c942253cce717 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Apr 2020 08:18:03 +0200
+Subject: net/sonic: Fix a resource leak in an error handling path in
+ 'jazz_sonic_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit 10e3cc180e64385edc9890c6855acf5ed9ca1339 ]
+
+A call to 'dma_alloc_coherent()' is hidden in 'sonic_alloc_descriptors()',
+called from 'sonic_probe1()'.
+
+This is correctly freed in the remove function, but not in the error
+handling path of the probe function.
+Fix it and add the missing 'dma_free_coherent()' call.
+
+While at it, rename a label in order to be slightly more informative.
+
+Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/natsemi/jazzsonic.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/natsemi/jazzsonic.c b/drivers/net/ethernet/natsemi/jazzsonic.c
+index acf3f11e38cc1..68d2f31921ff8 100644
+--- a/drivers/net/ethernet/natsemi/jazzsonic.c
++++ b/drivers/net/ethernet/natsemi/jazzsonic.c
+@@ -247,13 +247,15 @@ static int jazz_sonic_probe(struct platform_device *pdev)
+ goto out;
+ err = register_netdev(dev);
+ if (err)
+- goto out1;
++ goto undo_probe1;
+
+ printk("%s: MAC %pM IRQ %d\n", dev->name, dev->dev_addr, dev->irq);
+
+ return 0;
+
+-out1:
++undo_probe1:
++ dma_free_coherent(lp->device, SIZEOF_SONIC_DESC * SONIC_BUS_SCALE(lp->dma_bitmode),
++ lp->descriptors, lp->descriptors_laddr);
+ release_mem_region(dev->base_addr, SONIC_MEM_SIZE);
+ out:
+ free_netdev(dev);
+--
+2.20.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 397ee184c3a..dcdcda0ec14 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
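Review bot: In the queued jazzsonic patch, the size handed to `dma_free_coherent()` under `undo_probe1:` is written out by hand, and it has to equal the size used by the `dma_alloc_coherent()` call that the commit message places in `sonic_alloc_descriptors()`, which this hunk does not show. A comment on the call, `/* size must match the allocation in sonic_alloc_descriptors() */`, or a shared macro for `SIZEOF_SONIC_DESC * SONIC_BUS_SCALE(lp->dma_bitmode)` would keep the probe error path, the remove path and the allocation from drifting apart. The new lines also rely on `lp` having been assigned before `register_netdev()` can fail; that assignment is outside the hunk and should be confirmed for the 4.9 version of jazz_sonic_probe().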
@@ -38,3 +38,7 @@ chardev-add-helper-function-to-register-char-devs-wi.patch
 ptp-fix-pass-zero-to-err_ptr-in-ptp_clock_register.patch
 ptp-fix-the-race-between-the-release-of-ptp_clock-an.patch
 ptp-free-ptp-device-pin-descriptors-properly.patch
+shmem-fix-possible-deadlocks-on-shmlock_user_lock.patch
+net-sonic-fix-a-resource-leak-in-an-error-handling-p.patch
+net-moxa-fix-a-potential-double-free_irq.patch
+drop_monitor-work-around-gcc-10-stringop-overflow-wa.patch
diff --git a/queue-4.9/shmem-fix-possible-deadlocks-on-shmlock_user_lock.patch b/queue-4.9/shmem-fix-possible-deadlocks-on-shmlock_user_lock.patch
new file mode 100644
index 00000000000..b60767864e8
--- /dev/null
+++ b/queue-4.9/shmem-fix-possible-deadlocks-on-shmlock_user_lock.patch
@@ -0,0 +1,80 @@
+From 4c8a4c6ee15dd5268c50c5247ed06b19f07ceded Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Apr 2020 18:14:14 -0700
+Subject: shmem: fix possible deadlocks on shmlock_user_lock
+
+From: Hugh Dickins
+
+[ Upstream commit ea0dfeb4209b4eab954d6e00ed136bc6b48b380d ]
+
+Recent commit 71725ed10c40 ("mm: huge tmpfs: try to split_huge_page()
+when punching hole") has allowed syzkaller to probe deeper, uncovering a
+long-standing lockdep issue between the irq-unsafe shmlock_user_lock,
+the irq-safe xa_lock on mapping->i_pages, and shmem inode's info->lock
+which nests inside xa_lock (or tree_lock) since 4.8's shmem_uncharge().
+
+user_shm_lock(), servicing SysV shmctl(SHM_LOCK), wants
+shmlock_user_lock while its caller shmem_lock() holds info->lock with
+interrupts disabled; but hugetlbfs_file_setup() calls user_shm_lock()
+with interrupts enabled, and might be interrupted by a writeback endio
+wanting xa_lock on i_pages.
+
+This may not risk an actual deadlock, since shmem inodes do not take
+part in writeback accounting, but there are several easy ways to avoid
+it.
+
+Requiring interrupts disabled for shmlock_user_lock would be easy, but
+it's a high-level global lock for which that seems inappropriate.
+Instead, recall that the use of info->lock to guard info->flags in
+shmem_lock() dates from pre-3.1 days, when races with SHMEM_PAGEIN and
+SHMEM_TRUNCATE could occur: nowadays it serves no purpose, the only flag
+added or removed is VM_LOCKED itself, and calls to shmem_lock() an inode
+are already serialized by the caller.
+
+Take info->lock out of the chain and the possibility of deadlock or
+lockdep warning goes away.
+
+Fixes: 4595ef88d136 ("shmem: make shmem_inode_info::lock irq-safe")
+Reported-by: syzbot+c8a8197c8852f566b9d9@syzkaller.appspotmail.com
+Reported-by: syzbot+40b71e145e73f78f81ad@syzkaller.appspotmail.com
+Signed-off-by: Hugh Dickins
+Signed-off-by: Andrew Morton
+Acked-by: Yang Shi
+Cc: Yang Shi
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2004161707410.16322@eggly.anvils
+Link: https://lore.kernel.org/lkml/000000000000e5838c05a3152f53@google.com/
+Link: https://lore.kernel.org/lkml/0000000000003712b305a331d3b1@google.com/
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/shmem.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 90ccbb35458bd..31b0c09fe6c60 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2082,7 +2082,11 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)
+ struct shmem_inode_info *info = SHMEM_I(inode);
+ int retval = -ENOMEM;
+
+- spin_lock_irq(&info->lock);
++ /*
++ * What serializes the accesses to info->flags?
++ * ipc_lock_object() when called from shmctl_do_lock(),
++ * no serialization needed when called from shm_destroy().
++ */
+ if (lock && !(info->flags & VM_LOCKED)) {
+ if (!user_shm_lock(inode->i_size, user))
+ goto out_nomem;
+@@ -2097,7 +2101,6 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)
+ retval = 0;
+
+ out_nomem:
+- spin_unlock_irq(&info->lock);
+ return retval;
+ }
+
+--
+2.20.1
+
--
2.47.3
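Review bot: In the queued shmem patch, the comment that replaces `spin_lock_irq(&info->lock)` is now the only statement of what protects `info->flags`, and it names `shmctl_do_lock()` and `shm_destroy()` as the callers, neither of which is visible here. Because this is a backport to 4.9, those caller names and the claim that every caller is serialized should be checked against that tree rather than carried over from upstream. If the locking caller has a different name there, the comment should be adjusted in the backport, for example `* the ipc object lock held by the SHM_LOCK/SHM_UNLOCK path,`. An unserialized caller would make the read-modify-write of `info->flags` racy. shmem_lock() spans both inner hunks and its middle is not shown.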