From 277228a943aa1fb03ace79c24ac0761fe10c8184 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 30 Mar 2020 15:46:04 +0200 Subject: [PATCH] 4.19-stable patches added patches: afs-fix-some-tracing-details.patch genirq-fix-reference-leaks-on-irq-affinity-notifiers.patch gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-hp-x2-10-byt-axp288-model.patch gpiolib-acpi-correct-comment-for-hp-x2-10-honor_wakeup-quirk.patch gpiolib-acpi-rework-honor_wakeup-option-into-an-ignore_wake-option.patch netfilter-flowtable-reload-ip-v6-h-in-nf_flow_tuple_ip-v6.patch netfilter-nft_fwd_netdev-allow-to-redirect-to-ifb-via-ingress.patch netfilter-nft_fwd_netdev-validate-family-and-chain-type.patch rdma-core-ensure-security-pkey-modify-is-not-lost.patch rdma-mlx5-block-delay-drop-to-unprivileged-users.patch vti-fix-packet-tx-through-bpf_redirect-in-xiny-cases.patch xfrm-add-the-missing-verify_sec_ctx_len-check-in-xfrm_add_acquire.patch xfrm-fix-uctx-len-check-in-verify_sec_ctx_len.patch xfrm-handle-netdev_unregister-for-xfrm-device.patch xfrm-policy-fix-doulbe-free-in-xfrm_policy_timer.patch --- queue-4.19/afs-fix-some-tracing-details.patch | 56 +++++ ...ence-leaks-on-irq-affinity-notifiers.patch | 60 +++++ ...wakeups-on-hp-x2-10-byt-axp288-model.patch | 64 ++++++ ...ment-for-hp-x2-10-honor_wakeup-quirk.patch | 72 ++++++ ...up-option-into-an-ignore_wake-option.patch | 215 ++++++++++++++++++ ...eload-ip-v6-h-in-nf_flow_tuple_ip-v6.patch | 40 ++++ ...allow-to-redirect-to-ifb-via-ingress.patch | 38 ++++ ...etdev-validate-family-and-chain-type.patch | 51 +++++ ...ure-security-pkey-modify-is-not-lost.patch | 75 ++++++ ...ock-delay-drop-to-unprivileged-users.patch | 36 +++ queue-4.19/series | 15 ++ ...x-through-bpf_redirect-in-xiny-cases.patch | 124 ++++++++++ ...ec_ctx_len-check-in-xfrm_add_acquire.patch | 60 +++++ ...uctx-len-check-in-verify_sec_ctx_len.patch | 37 +++ ...le-netdev_unregister-for-xfrm-device.patch | 34 +++ ...fix-doulbe-free-in-xfrm_policy_timer.patch | 73 ++++++ 16 files changed, 1050 insertions(+) create mode 100644 queue-4.19/afs-fix-some-tracing-details.patch create mode 100644 queue-4.19/genirq-fix-reference-leaks-on-irq-affinity-notifiers.patch create mode 100644 queue-4.19/gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-hp-x2-10-byt-axp288-model.patch create mode 100644 queue-4.19/gpiolib-acpi-correct-comment-for-hp-x2-10-honor_wakeup-quirk.patch create mode 100644 queue-4.19/gpiolib-acpi-rework-honor_wakeup-option-into-an-ignore_wake-option.patch create mode 100644 queue-4.19/netfilter-flowtable-reload-ip-v6-h-in-nf_flow_tuple_ip-v6.patch create mode 100644 queue-4.19/netfilter-nft_fwd_netdev-allow-to-redirect-to-ifb-via-ingress.patch create mode 100644 queue-4.19/netfilter-nft_fwd_netdev-validate-family-and-chain-type.patch create mode 100644 queue-4.19/rdma-core-ensure-security-pkey-modify-is-not-lost.patch create mode 100644 queue-4.19/rdma-mlx5-block-delay-drop-to-unprivileged-users.patch create mode 100644 queue-4.19/vti-fix-packet-tx-through-bpf_redirect-in-xiny-cases.patch create mode 100644 queue-4.19/xfrm-add-the-missing-verify_sec_ctx_len-check-in-xfrm_add_acquire.patch create mode 100644 queue-4.19/xfrm-fix-uctx-len-check-in-verify_sec_ctx_len.patch create mode 100644 queue-4.19/xfrm-handle-netdev_unregister-for-xfrm-device.patch create mode 100644 queue-4.19/xfrm-policy-fix-doulbe-free-in-xfrm_policy_timer.patch diff --git a/queue-4.19/afs-fix-some-tracing-details.patch b/queue-4.19/afs-fix-some-tracing-details.patch new file mode 100644 index 00000000000..8321a7a7696 --- /dev/null +++ b/queue-4.19/afs-fix-some-tracing-details.patch @@ -0,0 +1,56 @@ +From 4636cf184d6d9a92a56c2554681ea520dd4fe49a Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Fri, 13 Mar 2020 13:36:01 +0000 +Subject: afs: Fix some tracing details + +From: David Howells + +commit 4636cf184d6d9a92a56c2554681ea520dd4fe49a upstream. + +Fix a couple of tracelines to indicate the usage count after the atomic op, +not the usage count before it to be consistent with other afs and rxrpc +trace lines. + +Change the wording of the afs_call_trace_work trace ID label from "WORK" to +"QUEUE" to reflect the fact that it's queueing work, not doing work. + +Fixes: 341f741f04be ("afs: Refcount the afs_call struct") +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + fs/afs/rxrpc.c | 4 ++-- + include/trace/events/afs.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/afs/rxrpc.c ++++ b/fs/afs/rxrpc.c +@@ -159,7 +159,7 @@ void afs_put_call(struct afs_call *call) + int n = atomic_dec_return(&call->usage); + int o = atomic_read(&net->nr_outstanding_calls); + +- trace_afs_call(call, afs_call_trace_put, n + 1, o, ++ trace_afs_call(call, afs_call_trace_put, n, o, + __builtin_return_address(0)); + + ASSERTCMP(n, >=, 0); +@@ -654,7 +654,7 @@ static void afs_wake_up_async_call(struc + + u = atomic_fetch_add_unless(&call->usage, 1, 0); + if (u != 0) { +- trace_afs_call(call, afs_call_trace_wake, u, ++ trace_afs_call(call, afs_call_trace_wake, u + 1, + atomic_read(&call->net->nr_outstanding_calls), + __builtin_return_address(0)); + +--- a/include/trace/events/afs.h ++++ b/include/trace/events/afs.h +@@ -94,7 +94,7 @@ enum afs_edit_dir_reason { + EM(afs_call_trace_free, "FREE ") \ + EM(afs_call_trace_put, "PUT ") \ + EM(afs_call_trace_wake, "WAKE ") \ +- E_(afs_call_trace_work, "WORK ") ++ E_(afs_call_trace_work, "QUEUE") + + #define afs_fs_operations \ + EM(afs_FS_FetchData, "FS.FetchData") \ diff --git a/queue-4.19/genirq-fix-reference-leaks-on-irq-affinity-notifiers.patch b/queue-4.19/genirq-fix-reference-leaks-on-irq-affinity-notifiers.patch new file mode 100644 index 00000000000..bd5902c8af4 --- /dev/null +++ b/queue-4.19/genirq-fix-reference-leaks-on-irq-affinity-notifiers.patch @@ -0,0 +1,60 @@ +From df81dfcfd6991d547653d46c051bac195cd182c1 Mon Sep 17 00:00:00 2001 +From: Edward Cree +Date: Fri, 13 Mar 2020 20:33:07 +0000 +Subject: genirq: Fix reference leaks on irq affinity notifiers + +From: Edward Cree + +commit df81dfcfd6991d547653d46c051bac195cd182c1 upstream. + +The handling of notify->work did not properly maintain notify->kref in two + cases: +1) where the work was already scheduled, another irq_set_affinity_locked() + would get the ref and (no-op-ly) schedule the work. Thus when + irq_affinity_notify() ran, it would drop the original ref but not the + additional one. +2) when cancelling the (old) work in irq_set_affinity_notifier(), if there + was outstanding work a ref had been got for it but was never put. +Fix both by checking the return values of the work handling functions + (schedule_work() for (1) and cancel_work_sync() for (2)) and put the + extra ref if the return value indicates preexisting work. + +Fixes: cd7eab44e994 ("genirq: Add IRQ affinity notifiers") +Fixes: 59c39840f5ab ("genirq: Prevent use-after-free and work list corruption") +Signed-off-by: Edward Cree +Signed-off-by: Thomas Gleixner +Acked-by: Ben Hutchings +Link: https://lkml.kernel.org/r/24f5983f-2ab5-e83a-44ee-a45b5f9300f5@solarflare.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/manage.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -283,7 +283,11 @@ int irq_set_affinity_locked(struct irq_d + + if (desc->affinity_notify) { + kref_get(&desc->affinity_notify->kref); +- schedule_work(&desc->affinity_notify->work); ++ if (!schedule_work(&desc->affinity_notify->work)) { ++ /* Work was already scheduled, drop our extra ref */ ++ kref_put(&desc->affinity_notify->kref, ++ desc->affinity_notify->release); ++ } + } + irqd_set(data, IRQD_AFFINITY_SET); + +@@ -383,7 +387,10 @@ irq_set_affinity_notifier(unsigned int i + raw_spin_unlock_irqrestore(&desc->lock, flags); + + if (old_notify) { +- cancel_work_sync(&old_notify->work); ++ if (cancel_work_sync(&old_notify->work)) { ++ /* Pending work had a ref, put that one too */ ++ kref_put(&old_notify->kref, old_notify->release); ++ } + kref_put(&old_notify->kref, old_notify->release); + } + diff --git a/queue-4.19/gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-hp-x2-10-byt-axp288-model.patch b/queue-4.19/gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-hp-x2-10-byt-axp288-model.patch new file mode 100644 index 00000000000..e0906594b58 --- /dev/null +++ b/queue-4.19/gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-hp-x2-10-byt-axp288-model.patch @@ -0,0 +1,64 @@ +From 0e91506ba00730f088961a8d39f8693b0f8e3fea Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 2 Mar 2020 12:12:24 +0100 +Subject: gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288 model + +From: Hans de Goede + +commit 0e91506ba00730f088961a8d39f8693b0f8e3fea upstream. + +Commit aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + +quirk mechanism") was added to deal with spurious wakeups on one specific +model of the HP x2 10 series. In the mean time I have learned that there +are at least 3 different HP x2 10 models: + +Bay Trail SoC + AXP288 PMIC +Cherry Trail SoC + AXP288 PMIC +Cherry Trail SoC + TI PMIC + +And the original quirk is only correct for (and only matches the) +Cherry Trail SoC + TI PMIC model. + +The Bay Trail SoC + AXP288 PMIC model has different DMI strings, has +the external EC interrupt on a different GPIO pin and only needs to ignore +wakeups on the EC interrupt, the INT0002 device works fine on this model. + +This commit adds an extra DMI based quirk for the HP x2 10 BYT + AXP288 +model, ignoring wakeups for ACPI GPIO events on the EC interrupt pin +on this model. This fixes spurious wakeups from suspend on this model. + +Fixes: aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20200302111225.6641-3-hdegoede@redhat.com +Acked-by: Mika Westerberg +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib-acpi.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -1376,6 +1376,21 @@ static const struct dmi_system_id gpioli + .ignore_wake = "INT33FF:01@0,INT0002:00@2", + }, + }, ++ { ++ /* ++ * HP X2 10 models with Bay Trail SoC + AXP288 PMIC use an ++ * external embedded-controller connected via I2C + an ACPI GPIO ++ * event handler on INT33FC:02 pin 28, causing spurious wakeups. ++ */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion x2 Detachable"), ++ DMI_MATCH(DMI_BOARD_NAME, "815D"), ++ }, ++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) { ++ .ignore_wake = "INT33FC:02@28", ++ }, ++ }, + {} /* Terminating entry */ + }; + diff --git a/queue-4.19/gpiolib-acpi-correct-comment-for-hp-x2-10-honor_wakeup-quirk.patch b/queue-4.19/gpiolib-acpi-correct-comment-for-hp-x2-10-honor_wakeup-quirk.patch new file mode 100644 index 00000000000..12bc3bb8abe --- /dev/null +++ b/queue-4.19/gpiolib-acpi-correct-comment-for-hp-x2-10-honor_wakeup-quirk.patch @@ -0,0 +1,72 @@ +From efaa87fa0947d525cf7c075316adde4e3ac7720b Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 2 Mar 2020 12:12:22 +0100 +Subject: gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk + +From: Hans de Goede + +commit efaa87fa0947d525cf7c075316adde4e3ac7720b upstream. + +Commit aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + +quirk mechanism") added a quirk for some models of the HP x2 10 series. + +There are 2 issues with the comment describing the quirk: +1) The comment claims the DMI quirk applies to all Cherry Trail based HP x2 + 10 models. In the mean time I have learned that there are at least 3 + models of the HP x2 10 models: + + Bay Trail SoC + AXP288 PMIC + Cherry Trail SoC + AXP288 PMIC + Cherry Trail SoC + TI PMIC + + And this quirk's DMI matches only match the Cherry Trail SoC + TI PMIC + SoC, which is good because we want a slightly different quirk for the + others. This commit updates the comment to make it clear that the quirk + is only for the Cherry Trail SoC + TI PMIC models. + +2) The comment says that it is ok to disable wakeup on all ACPI GPIO event + handlers, because there is only the one for the embedded-controller + events. This is not true, there also is a handler for the special + INT0002 device which is related to USB wakeups. We need to also disable + wakeups on that one because the device turns of the USB-keyboard built + into the dock when closing the lid. The XHCI controller takes a while + to notice this, so it only notices it when already suspended, causing + a spurious wakeup because of this. So disabling wakeup on all handlers + is the right thing to do, but not because there only is the one handler + for the EC events. This commit updates the comment to correctly reflect + this. + +Fixes: aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20200302111225.6641-1-hdegoede@redhat.com +Acked-by: Mika Westerberg +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib-acpi.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -1299,12 +1299,14 @@ static const struct dmi_system_id gpioli + }, + { + /* +- * Various HP X2 10 Cherry Trail models use an external +- * embedded-controller connected via I2C + an ACPI GPIO +- * event handler. The embedded controller generates various +- * spurious wakeup events when suspended. So disable wakeup +- * for its handler (it uses the only ACPI GPIO event handler). +- * This breaks wakeup when opening the lid, the user needs ++ * HP X2 10 models with Cherry Trail SoC + TI PMIC use an ++ * external embedded-controller connected via I2C + an ACPI GPIO ++ * event handler on INT33FF:01 pin 0, causing spurious wakeups. ++ * When suspending by closing the LID, the power to the USB ++ * keyboard is turned off, causing INT0002 ACPI events to ++ * trigger once the XHCI controller notices the keyboard is ++ * gone. So INT0002 events cause spurious wakeups too. Ignoring ++ * EC wakes breaks wakeup when opening the lid, the user needs + * to press the power-button to wakeup the system. The + * alternative is suspend simply not working, which is worse. + */ diff --git a/queue-4.19/gpiolib-acpi-rework-honor_wakeup-option-into-an-ignore_wake-option.patch b/queue-4.19/gpiolib-acpi-rework-honor_wakeup-option-into-an-ignore_wake-option.patch new file mode 100644 index 00000000000..6a053e1268e --- /dev/null +++ b/queue-4.19/gpiolib-acpi-rework-honor_wakeup-option-into-an-ignore_wake-option.patch @@ -0,0 +1,215 @@ +From 2ccb21f5516afef5e251184eeefbf36db90206d7 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 2 Mar 2020 12:12:23 +0100 +Subject: gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option + +From: Hans de Goede + +commit 2ccb21f5516afef5e251184eeefbf36db90206d7 upstream. + +Commit aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + +quirk mechanism") was added to deal with spurious wakeups on one specific +model of the HP x2 10 series. + +The approach taken there was to add a bool controlling wakeup support for +all ACPI GPIO events. This was sufficient for the specific HP x2 10 model +the commit was trying to fix, but in the mean time other models have +turned up which need a similar workaround to avoid spurious wakeups from +suspend, but only for one of the pins on which the ACPI tables request +ACPI GPIO events. + +Since the honor_wakeup option was added to be able to ignore wake events, +the name was perhaps not the best, this commit renames it to ignore_wake +and changes it to a string with the following format: +gpiolib_acpi.ignore_wake=controller@pin[,controller@pin[,...]] + +This allows working around spurious wakeup issues on a per pin basis. + +This commit also reworks the existing quirk for the HP x2 10 so that +it functions as before. + +Note: +-This removes the honor_wakeup parameter. This has only been upstream for + a short time and to the best of my knowledge there are no users using + this module parameter. + +-The controller@pin[,controller@pin[,...]] syntax is based on an existing + kernel module parameter using the same controller@pin format. That version + uses ';' as separator, but in practice that is problematic because grub2 + cannot handle this without taking special care to escape the ';', so here + we are using a ',' as separator instead which does not have this issue. + +Fixes: aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20200302111225.6641-2-hdegoede@redhat.com +Acked-by: Mika Westerberg +Reviewed-by: Andy Shevchenko +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib-acpi.c | 96 ++++++++++++++++++++++++++++++++++---------- + 1 file changed, 76 insertions(+), 20 deletions(-) + +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -24,18 +24,21 @@ + + #include "gpiolib.h" + +-#define QUIRK_NO_EDGE_EVENTS_ON_BOOT 0x01l +-#define QUIRK_NO_WAKEUP 0x02l +- + static int run_edge_events_on_boot = -1; + module_param(run_edge_events_on_boot, int, 0444); + MODULE_PARM_DESC(run_edge_events_on_boot, + "Run edge _AEI event-handlers at boot: 0=no, 1=yes, -1=auto"); + +-static int honor_wakeup = -1; +-module_param(honor_wakeup, int, 0444); +-MODULE_PARM_DESC(honor_wakeup, +- "Honor the ACPI wake-capable flag: 0=no, 1=yes, -1=auto"); ++static char *ignore_wake; ++module_param(ignore_wake, charp, 0444); ++MODULE_PARM_DESC(ignore_wake, ++ "controller@pin combos on which to ignore the ACPI wake flag " ++ "ignore_wake=controller@pin[,controller@pin[,...]]"); ++ ++struct acpi_gpiolib_dmi_quirk { ++ bool no_edge_events_on_boot; ++ char *ignore_wake; ++}; + + /** + * struct acpi_gpio_event - ACPI GPIO event handler data +@@ -205,6 +208,57 @@ static void acpi_gpiochip_request_irqs(s + acpi_gpiochip_request_irq(acpi_gpio, event); + } + ++static bool acpi_gpio_in_ignore_list(const char *controller_in, int pin_in) ++{ ++ const char *controller, *pin_str; ++ int len, pin; ++ char *endp; ++ ++ controller = ignore_wake; ++ while (controller) { ++ pin_str = strchr(controller, '@'); ++ if (!pin_str) ++ goto err; ++ ++ len = pin_str - controller; ++ if (len == strlen(controller_in) && ++ strncmp(controller, controller_in, len) == 0) { ++ pin = simple_strtoul(pin_str + 1, &endp, 10); ++ if (*endp != 0 && *endp != ',') ++ goto err; ++ ++ if (pin == pin_in) ++ return true; ++ } ++ ++ controller = strchr(controller, ','); ++ if (controller) ++ controller++; ++ } ++ ++ return false; ++err: ++ pr_err_once("Error invalid value for gpiolib_acpi.ignore_wake: %s\n", ++ ignore_wake); ++ return false; ++} ++ ++static bool acpi_gpio_irq_is_wake(struct device *parent, ++ struct acpi_resource_gpio *agpio) ++{ ++ int pin = agpio->pin_table[0]; ++ ++ if (agpio->wake_capable != ACPI_WAKE_CAPABLE) ++ return false; ++ ++ if (acpi_gpio_in_ignore_list(dev_name(parent), pin)) { ++ dev_info(parent, "Ignoring wakeup on pin %d\n", pin); ++ return false; ++ } ++ ++ return true; ++} ++ + static acpi_status acpi_gpiochip_alloc_event(struct acpi_resource *ares, + void *context) + { +@@ -286,7 +340,7 @@ static acpi_status acpi_gpiochip_alloc_e + event->handle = evt_handle; + event->handler = handler; + event->irq = irq; +- event->irq_is_wake = honor_wakeup && agpio->wake_capable == ACPI_WAKE_CAPABLE; ++ event->irq_is_wake = acpi_gpio_irq_is_wake(chip->parent, agpio); + event->pin = pin; + event->desc = desc; + +@@ -1282,7 +1336,9 @@ static const struct dmi_system_id gpioli + DMI_MATCH(DMI_SYS_VENDOR, "MINIX"), + DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"), + }, +- .driver_data = (void *)QUIRK_NO_EDGE_EVENTS_ON_BOOT, ++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) { ++ .no_edge_events_on_boot = true, ++ }, + }, + { + /* +@@ -1295,7 +1351,9 @@ static const struct dmi_system_id gpioli + DMI_MATCH(DMI_SYS_VENDOR, "Wortmann_AG"), + DMI_MATCH(DMI_PRODUCT_NAME, "TERRA_PAD_1061"), + }, +- .driver_data = (void *)QUIRK_NO_EDGE_EVENTS_ON_BOOT, ++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) { ++ .no_edge_events_on_boot = true, ++ }, + }, + { + /* +@@ -1314,33 +1372,31 @@ static const struct dmi_system_id gpioli + DMI_MATCH(DMI_SYS_VENDOR, "HP"), + DMI_MATCH(DMI_PRODUCT_NAME, "HP x2 Detachable 10-p0XX"), + }, +- .driver_data = (void *)QUIRK_NO_WAKEUP, ++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) { ++ .ignore_wake = "INT33FF:01@0,INT0002:00@2", ++ }, + }, + {} /* Terminating entry */ + }; + + static int acpi_gpio_setup_params(void) + { ++ const struct acpi_gpiolib_dmi_quirk *quirk = NULL; + const struct dmi_system_id *id; +- long quirks = 0; + + id = dmi_first_match(gpiolib_acpi_quirks); + if (id) +- quirks = (long)id->driver_data; ++ quirk = id->driver_data; + + if (run_edge_events_on_boot < 0) { +- if (quirks & QUIRK_NO_EDGE_EVENTS_ON_BOOT) ++ if (quirk && quirk->no_edge_events_on_boot) + run_edge_events_on_boot = 0; + else + run_edge_events_on_boot = 1; + } + +- if (honor_wakeup < 0) { +- if (quirks & QUIRK_NO_WAKEUP) +- honor_wakeup = 0; +- else +- honor_wakeup = 1; +- } ++ if (ignore_wake == NULL && quirk && quirk->ignore_wake) ++ ignore_wake = quirk->ignore_wake; + + return 0; + } diff --git a/queue-4.19/netfilter-flowtable-reload-ip-v6-h-in-nf_flow_tuple_ip-v6.patch b/queue-4.19/netfilter-flowtable-reload-ip-v6-h-in-nf_flow_tuple_ip-v6.patch new file mode 100644 index 00000000000..8826432d3a9 --- /dev/null +++ b/queue-4.19/netfilter-flowtable-reload-ip-v6-h-in-nf_flow_tuple_ip-v6.patch @@ -0,0 +1,40 @@ +From 41e9ec5a54f95eee1a57c8d26ab70e0492548c1b Mon Sep 17 00:00:00 2001 +From: Haishuang Yan +Date: Tue, 17 Mar 2020 10:02:53 +0800 +Subject: netfilter: flowtable: reload ip{v6}h in nf_flow_tuple_ip{v6} + +From: Haishuang Yan + +commit 41e9ec5a54f95eee1a57c8d26ab70e0492548c1b upstream. + +Since pskb_may_pull may change skb->data, so we need to reload ip{v6}h at +the right place. + +Fixes: a908fdec3dda ("netfilter: nf_flow_table: move ipv6 offload hook code to nf_flow_table") +Fixes: 7d2086871762 ("netfilter: nf_flow_table: move ipv4 offload hook code to nf_flow_table") +Signed-off-by: Haishuang Yan +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_flow_table_ip.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -188,6 +188,7 @@ static int nf_flow_tuple_ip(struct sk_bu + if (!pskb_may_pull(skb, thoff + sizeof(*ports))) + return -1; + ++ iph = ip_hdr(skb); + ports = (struct flow_ports *)(skb_network_header(skb) + thoff); + + tuple->src_v4.s_addr = iph->saddr; +@@ -421,6 +422,7 @@ static int nf_flow_tuple_ipv6(struct sk_ + if (!pskb_may_pull(skb, thoff + sizeof(*ports))) + return -1; + ++ ip6h = ipv6_hdr(skb); + ports = (struct flow_ports *)(skb_network_header(skb) + thoff); + + tuple->src_v6 = ip6h->saddr; diff --git a/queue-4.19/netfilter-nft_fwd_netdev-allow-to-redirect-to-ifb-via-ingress.patch b/queue-4.19/netfilter-nft_fwd_netdev-allow-to-redirect-to-ifb-via-ingress.patch new file mode 100644 index 00000000000..01f547d36e8 --- /dev/null +++ b/queue-4.19/netfilter-nft_fwd_netdev-allow-to-redirect-to-ifb-via-ingress.patch @@ -0,0 +1,38 @@ +From bcfabee1afd99484b6ba067361b8678e28bbc065 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Mon, 23 Mar 2020 19:53:10 +0100 +Subject: netfilter: nft_fwd_netdev: allow to redirect to ifb via ingress + +From: Pablo Neira Ayuso + +commit bcfabee1afd99484b6ba067361b8678e28bbc065 upstream. + +Set skb->tc_redirected to 1, otherwise the ifb driver drops the packet. +Set skb->tc_from_ingress to 1 to reinject the packet back to the ingress +path after leaving the ifb egress path. + +This patch inconditionally sets on these two skb fields that are +meaningful to the ifb driver. The existing forward action is guaranteed +to run from ingress path. + +Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nft_fwd_netdev.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/netfilter/nft_fwd_netdev.c ++++ b/net/netfilter/nft_fwd_netdev.c +@@ -30,6 +30,10 @@ static void nft_fwd_netdev_eval(const st + struct nft_fwd_netdev *priv = nft_expr_priv(expr); + int oif = regs->data[priv->sreg_dev]; + ++ /* These are used by ifb only. */ ++ pkt->skb->tc_redirected = 1; ++ pkt->skb->tc_from_ingress = 1; ++ + nf_fwd_netdev_egress(pkt, oif); + regs->verdict.code = NF_STOLEN; + } diff --git a/queue-4.19/netfilter-nft_fwd_netdev-validate-family-and-chain-type.patch b/queue-4.19/netfilter-nft_fwd_netdev-validate-family-and-chain-type.patch new file mode 100644 index 00000000000..9b446e1968b --- /dev/null +++ b/queue-4.19/netfilter-nft_fwd_netdev-validate-family-and-chain-type.patch @@ -0,0 +1,51 @@ +From 76a109fac206e158eb3c967af98c178cff738e6a Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Mon, 23 Mar 2020 14:27:16 +0100 +Subject: netfilter: nft_fwd_netdev: validate family and chain type + +From: Pablo Neira Ayuso + +commit 76a109fac206e158eb3c967af98c178cff738e6a upstream. + +Make sure the forward action is only used from ingress. + +Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nft_fwd_netdev.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/netfilter/nft_fwd_netdev.c ++++ b/net/netfilter/nft_fwd_netdev.c +@@ -186,6 +186,13 @@ nla_put_failure: + return -1; + } + ++static int nft_fwd_validate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr, ++ const struct nft_data **data) ++{ ++ return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS)); ++} ++ + static struct nft_expr_type nft_fwd_netdev_type; + static const struct nft_expr_ops nft_fwd_neigh_netdev_ops = { + .type = &nft_fwd_netdev_type, +@@ -193,6 +200,7 @@ static const struct nft_expr_ops nft_fwd + .eval = nft_fwd_neigh_eval, + .init = nft_fwd_neigh_init, + .dump = nft_fwd_neigh_dump, ++ .validate = nft_fwd_validate, + }; + + static const struct nft_expr_ops nft_fwd_netdev_ops = { +@@ -201,6 +209,7 @@ static const struct nft_expr_ops nft_fwd + .eval = nft_fwd_netdev_eval, + .init = nft_fwd_netdev_init, + .dump = nft_fwd_netdev_dump, ++ .validate = nft_fwd_validate, + }; + + static const struct nft_expr_ops * diff --git a/queue-4.19/rdma-core-ensure-security-pkey-modify-is-not-lost.patch b/queue-4.19/rdma-core-ensure-security-pkey-modify-is-not-lost.patch new file mode 100644 index 00000000000..36f084902e9 --- /dev/null +++ b/queue-4.19/rdma-core-ensure-security-pkey-modify-is-not-lost.patch @@ -0,0 +1,75 @@ +From 2d47fbacf2725a67869f4d3634c2415e7dfab2f4 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Fri, 13 Mar 2020 08:47:05 -0400 +Subject: RDMA/core: Ensure security pkey modify is not lost + +From: Mike Marciniszyn + +commit 2d47fbacf2725a67869f4d3634c2415e7dfab2f4 upstream. + +The following modify sequence (loosely based on ipoib) will lose a pkey +modifcation: + +- Modify (pkey index, port) +- Modify (new pkey index, NO port) + +After the first modify, the qp_pps list will have saved the pkey and the +unit on the main list. + +During the second modify, get_new_pps() will fetch the port from qp_pps +and read the new pkey index from qp_attr->pkey_index. The state will +still be zero, or IB_PORT_PKEY_NOT_VALID. Because of the invalid state, +the new values will never replace the one in the qp pps list, losing the +new pkey. + +This happens because the following if statements will never correct the +state because the first term will be false. If the code had been executed, +it would incorrectly overwrite valid values. + + if ((qp_attr_mask & IB_QP_PKEY_INDEX) && (qp_attr_mask & IB_QP_PORT)) + new_pps->main.state = IB_PORT_PKEY_VALID; + + if (!(qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) && qp_pps) { + new_pps->main.port_num = qp_pps->main.port_num; + new_pps->main.pkey_index = qp_pps->main.pkey_index; + if (qp_pps->main.state != IB_PORT_PKEY_NOT_VALID) + new_pps->main.state = IB_PORT_PKEY_VALID; + } + +Fix by joining the two if statements with an or test to see if qp_pps is +non-NULL and in the correct state. + +Fixes: 1dd017882e01 ("RDMA/core: Fix protection fault in get_pkey_idx_qp_list") +Link: https://lore.kernel.org/r/20200313124704.14982.55907.stgit@awfm-01.aw.intel.com +Reviewed-by: Kaike Wan +Signed-off-by: Mike Marciniszyn +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/security.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +--- a/drivers/infiniband/core/security.c ++++ b/drivers/infiniband/core/security.c +@@ -346,16 +346,11 @@ static struct ib_ports_pkeys *get_new_pp + else if (qp_pps) + new_pps->main.pkey_index = qp_pps->main.pkey_index; + +- if ((qp_attr_mask & IB_QP_PKEY_INDEX) && (qp_attr_mask & IB_QP_PORT)) ++ if (((qp_attr_mask & IB_QP_PKEY_INDEX) && ++ (qp_attr_mask & IB_QP_PORT)) || ++ (qp_pps && qp_pps->main.state != IB_PORT_PKEY_NOT_VALID)) + new_pps->main.state = IB_PORT_PKEY_VALID; + +- if (!(qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) && qp_pps) { +- new_pps->main.port_num = qp_pps->main.port_num; +- new_pps->main.pkey_index = qp_pps->main.pkey_index; +- if (qp_pps->main.state != IB_PORT_PKEY_NOT_VALID) +- new_pps->main.state = IB_PORT_PKEY_VALID; +- } +- + if (qp_attr_mask & IB_QP_ALT_PATH) { + new_pps->alt.port_num = qp_attr->alt_port_num; + new_pps->alt.pkey_index = qp_attr->alt_pkey_index; diff --git a/queue-4.19/rdma-mlx5-block-delay-drop-to-unprivileged-users.patch b/queue-4.19/rdma-mlx5-block-delay-drop-to-unprivileged-users.patch new file mode 100644 index 00000000000..e1f077a4fd2 --- /dev/null +++ b/queue-4.19/rdma-mlx5-block-delay-drop-to-unprivileged-users.patch @@ -0,0 +1,36 @@ +From ba80013fba656b9830ef45cd40a6a1e44707f47a Mon Sep 17 00:00:00 2001 +From: Maor Gottlieb +Date: Sun, 22 Mar 2020 14:49:06 +0200 +Subject: RDMA/mlx5: Block delay drop to unprivileged users + +From: Maor Gottlieb + +commit ba80013fba656b9830ef45cd40a6a1e44707f47a upstream. + +It has been discovered that this feature can globally block the RX port, +so it should be allowed for highly privileged users only. + +Fixes: 03404e8ae652("IB/mlx5: Add support to dropless RQ") +Link: https://lore.kernel.org/r/20200322124906.1173790-1-leon@kernel.org +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/qp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -5524,6 +5524,10 @@ struct ib_wq *mlx5_ib_create_wq(struct i + if (udata->outlen && udata->outlen < min_resp_len) + return ERR_PTR(-EINVAL); + ++ if (!capable(CAP_SYS_RAWIO) && ++ init_attr->create_flags & IB_WQ_FLAGS_DELAY_DROP) ++ return ERR_PTR(-EPERM); ++ + dev = to_mdev(pd->device); + switch (init_attr->wq_type) { + case IB_WQT_RQ: diff --git a/queue-4.19/series b/queue-4.19/series index 7b60fea07f1..0c81b2341fa 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -57,3 +57,18 @@ scripts-dtc-remove-redundant-yyloc-global-declaration.patch scsi-sd-fix-optimal-i-o-size-for-devices-that-change-reported-values.patch nl80211-fix-nl80211_attr_channel_width-attribute-type.patch mac80211-mark-station-unauthorized-before-key-removal.patch +gpiolib-acpi-correct-comment-for-hp-x2-10-honor_wakeup-quirk.patch +gpiolib-acpi-rework-honor_wakeup-option-into-an-ignore_wake-option.patch +gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-hp-x2-10-byt-axp288-model.patch +rdma-core-ensure-security-pkey-modify-is-not-lost.patch +genirq-fix-reference-leaks-on-irq-affinity-notifiers.patch +xfrm-handle-netdev_unregister-for-xfrm-device.patch +vti-fix-packet-tx-through-bpf_redirect-in-xiny-cases.patch +rdma-mlx5-block-delay-drop-to-unprivileged-users.patch +xfrm-fix-uctx-len-check-in-verify_sec_ctx_len.patch +xfrm-add-the-missing-verify_sec_ctx_len-check-in-xfrm_add_acquire.patch +xfrm-policy-fix-doulbe-free-in-xfrm_policy_timer.patch +afs-fix-some-tracing-details.patch +netfilter-flowtable-reload-ip-v6-h-in-nf_flow_tuple_ip-v6.patch +netfilter-nft_fwd_netdev-validate-family-and-chain-type.patch +netfilter-nft_fwd_netdev-allow-to-redirect-to-ifb-via-ingress.patch diff --git a/queue-4.19/vti-fix-packet-tx-through-bpf_redirect-in-xiny-cases.patch b/queue-4.19/vti-fix-packet-tx-through-bpf_redirect-in-xiny-cases.patch new file mode 100644 index 00000000000..ffec29b47f8 --- /dev/null +++ b/queue-4.19/vti-fix-packet-tx-through-bpf_redirect-in-xiny-cases.patch @@ -0,0 +1,124 @@ +From f1ed10264ed6b66b9cd5e8461cffce69be482356 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Tue, 4 Feb 2020 17:00:27 +0100 +Subject: vti[6]: fix packet tx through bpf_redirect() in XinY cases + +From: Nicolas Dichtel + +commit f1ed10264ed6b66b9cd5e8461cffce69be482356 upstream. + +I forgot the 4in6/6in4 cases in my previous patch. Let's fix them. + +Fixes: 95224166a903 ("vti[6]: fix packet tx through bpf_redirect()") +Signed-off-by: Nicolas Dichtel +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/Kconfig | 1 + + net/ipv4/ip_vti.c | 36 +++++++++++++++++++++++++++++------- + net/ipv6/ip6_vti.c | 32 +++++++++++++++++++++++++------- + 3 files changed, 55 insertions(+), 14 deletions(-) + +--- a/net/ipv4/Kconfig ++++ b/net/ipv4/Kconfig +@@ -302,6 +302,7 @@ config SYN_COOKIES + + config NET_IPVTI + tristate "Virtual (secure) IP: tunneling" ++ depends on IPV6 || IPV6=n + select INET_TUNNEL + select NET_IP_TUNNEL + depends on INET_XFRM_MODE_TUNNEL +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -208,17 +208,39 @@ static netdev_tx_t vti_xmit(struct sk_bu + int mtu; + + if (!dst) { +- struct rtable *rt; ++ switch (skb->protocol) { ++ case htons(ETH_P_IP): { ++ struct rtable *rt; + +- fl->u.ip4.flowi4_oif = dev->ifindex; +- fl->u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC; +- rt = __ip_route_output_key(dev_net(dev), &fl->u.ip4); +- if (IS_ERR(rt)) { ++ fl->u.ip4.flowi4_oif = dev->ifindex; ++ fl->u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC; ++ rt = __ip_route_output_key(dev_net(dev), &fl->u.ip4); ++ if (IS_ERR(rt)) { ++ dev->stats.tx_carrier_errors++; ++ goto tx_error_icmp; ++ } ++ dst = &rt->dst; ++ skb_dst_set(skb, dst); ++ break; ++ } ++#if IS_ENABLED(CONFIG_IPV6) ++ case htons(ETH_P_IPV6): ++ fl->u.ip6.flowi6_oif = dev->ifindex; ++ fl->u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC; ++ dst = ip6_route_output(dev_net(dev), NULL, &fl->u.ip6); ++ if (dst->error) { ++ dst_release(dst); ++ dst = NULL; ++ dev->stats.tx_carrier_errors++; ++ goto tx_error_icmp; ++ } ++ skb_dst_set(skb, dst); ++ break; ++#endif ++ default: + dev->stats.tx_carrier_errors++; + goto tx_error_icmp; + } +- dst = &rt->dst; +- skb_dst_set(skb, dst); + } + + dst_hold(dst); +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -454,15 +454,33 @@ vti6_xmit(struct sk_buff *skb, struct ne + int mtu; + + if (!dst) { +- fl->u.ip6.flowi6_oif = dev->ifindex; +- fl->u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC; +- dst = ip6_route_output(dev_net(dev), NULL, &fl->u.ip6); +- if (dst->error) { +- dst_release(dst); +- dst = NULL; ++ switch (skb->protocol) { ++ case htons(ETH_P_IP): { ++ struct rtable *rt; ++ ++ fl->u.ip4.flowi4_oif = dev->ifindex; ++ fl->u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC; ++ rt = __ip_route_output_key(dev_net(dev), &fl->u.ip4); ++ if (IS_ERR(rt)) ++ goto tx_err_link_failure; ++ dst = &rt->dst; ++ skb_dst_set(skb, dst); ++ break; ++ } ++ case htons(ETH_P_IPV6): ++ fl->u.ip6.flowi6_oif = dev->ifindex; ++ fl->u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC; ++ dst = ip6_route_output(dev_net(dev), NULL, &fl->u.ip6); ++ if (dst->error) { ++ dst_release(dst); ++ dst = NULL; ++ goto tx_err_link_failure; ++ } ++ skb_dst_set(skb, dst); ++ break; ++ default: + goto tx_err_link_failure; + } +- skb_dst_set(skb, dst); + } + + dst_hold(dst); diff --git a/queue-4.19/xfrm-add-the-missing-verify_sec_ctx_len-check-in-xfrm_add_acquire.patch b/queue-4.19/xfrm-add-the-missing-verify_sec_ctx_len-check-in-xfrm_add_acquire.patch new file mode 100644 index 00000000000..72c417ff93f --- /dev/null +++ b/queue-4.19/xfrm-add-the-missing-verify_sec_ctx_len-check-in-xfrm_add_acquire.patch @@ -0,0 +1,60 @@ +From a1a7e3a36e01ca6e67014f8cf673cb8e47be5550 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Sun, 9 Feb 2020 21:16:38 +0800 +Subject: xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire + +From: Xin Long + +commit a1a7e3a36e01ca6e67014f8cf673cb8e47be5550 upstream. + +Without doing verify_sec_ctx_len() check in xfrm_add_acquire(), it may be +out-of-bounds to access uctx->ctx_str with uctx->ctx_len, as noticed by +syz: + + BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x237/0x430 + Read of size 768 at addr ffff8880123be9b4 by task syz-executor.1/11650 + + Call Trace: + dump_stack+0xe8/0x16e + print_address_description.cold.3+0x9/0x23b + kasan_report.cold.4+0x64/0x95 + memcpy+0x1f/0x50 + selinux_xfrm_alloc_user+0x237/0x430 + security_xfrm_policy_alloc+0x5c/0xb0 + xfrm_policy_construct+0x2b1/0x650 + xfrm_add_acquire+0x21d/0xa10 + xfrm_user_rcv_msg+0x431/0x6f0 + netlink_rcv_skb+0x15a/0x410 + xfrm_netlink_rcv+0x6d/0x90 + netlink_unicast+0x50e/0x6a0 + netlink_sendmsg+0x8ae/0xd40 + sock_sendmsg+0x133/0x170 + ___sys_sendmsg+0x834/0x9a0 + __sys_sendmsg+0x100/0x1e0 + do_syscall_64+0xe5/0x660 + entry_SYSCALL_64_after_hwframe+0x6a/0xdf + +So fix it by adding the missing verify_sec_ctx_len check there. + +Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert") +Reported-by: Hangbin Liu +Signed-off-by: Xin Long +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_user.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -2275,6 +2275,9 @@ static int xfrm_add_acquire(struct sk_bu + err = verify_newpolicy_info(&ua->policy); + if (err) + goto free_state; ++ err = verify_sec_ctx_len(attrs); ++ if (err) ++ goto free_state; + + /* build an XP */ + xp = xfrm_policy_construct(net, &ua->policy, attrs, &err); diff --git a/queue-4.19/xfrm-fix-uctx-len-check-in-verify_sec_ctx_len.patch b/queue-4.19/xfrm-fix-uctx-len-check-in-verify_sec_ctx_len.patch new file mode 100644 index 00000000000..966cb1d2217 --- /dev/null +++ b/queue-4.19/xfrm-fix-uctx-len-check-in-verify_sec_ctx_len.patch @@ -0,0 +1,37 @@ +From 171d449a028573b2f0acdc7f31ecbb045391b320 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Sun, 9 Feb 2020 21:15:29 +0800 +Subject: xfrm: fix uctx len check in verify_sec_ctx_len + +From: Xin Long + +commit 171d449a028573b2f0acdc7f31ecbb045391b320 upstream. + +It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) + +uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt), +in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str +later. + +This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt). + +Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.") +Signed-off-by: Xin Long +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_user.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -109,7 +109,8 @@ static inline int verify_sec_ctx_len(str + return 0; + + uctx = nla_data(rt); +- if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) ++ if (uctx->len > nla_len(rt) || ++ uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) + return -EINVAL; + + return 0; diff --git a/queue-4.19/xfrm-handle-netdev_unregister-for-xfrm-device.patch b/queue-4.19/xfrm-handle-netdev_unregister-for-xfrm-device.patch new file mode 100644 index 00000000000..6fc68eae024 --- /dev/null +++ b/queue-4.19/xfrm-handle-netdev_unregister-for-xfrm-device.patch @@ -0,0 +1,34 @@ +From 03891f820c2117b19e80b370281eb924a09cf79f Mon Sep 17 00:00:00 2001 +From: Raed Salem +Date: Sun, 2 Feb 2020 13:19:34 +0200 +Subject: xfrm: handle NETDEV_UNREGISTER for xfrm device + +From: Raed Salem + +commit 03891f820c2117b19e80b370281eb924a09cf79f upstream. + +This patch to handle the asynchronous unregister +device event so the device IPsec offload resources +could be cleanly released. + +Fixes: e4db5b61c572 ("xfrm: policy: remove pcpu policy cache") +Signed-off-by: Raed Salem +Reviewed-by: Boris Pismenny +Reviewed-by: Saeed Mahameed +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_device.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/xfrm/xfrm_device.c ++++ b/net/xfrm/xfrm_device.c +@@ -332,6 +332,7 @@ static int xfrm_dev_event(struct notifie + return xfrm_dev_feat_change(dev); + + case NETDEV_DOWN: ++ case NETDEV_UNREGISTER: + return xfrm_dev_down(dev); + } + return NOTIFY_DONE; diff --git a/queue-4.19/xfrm-policy-fix-doulbe-free-in-xfrm_policy_timer.patch b/queue-4.19/xfrm-policy-fix-doulbe-free-in-xfrm_policy_timer.patch new file mode 100644 index 00000000000..41fef6cb135 --- /dev/null +++ b/queue-4.19/xfrm-policy-fix-doulbe-free-in-xfrm_policy_timer.patch @@ -0,0 +1,73 @@ +From 4c59406ed00379c8663f8663d82b2537467ce9d7 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Mon, 23 Mar 2020 15:32:39 +0800 +Subject: xfrm: policy: Fix doulbe free in xfrm_policy_timer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: YueHaibing + +commit 4c59406ed00379c8663f8663d82b2537467ce9d7 upstream. + +After xfrm_add_policy add a policy, its ref is 2, then + + xfrm_policy_timer + read_lock + xp->walk.dead is 0 + .... + mod_timer() +xfrm_policy_kill + policy->walk.dead = 1 + .... + del_timer(&policy->timer) + xfrm_pol_put //ref is 1 + xfrm_pol_put //ref is 0 + xfrm_policy_destroy + call_rcu + xfrm_pol_hold //ref is 1 + read_unlock + xfrm_pol_put //ref is 0 + xfrm_policy_destroy + call_rcu + +xfrm_policy_destroy is called twice, which may leads to +double free. + +Call Trace: +RIP: 0010:refcount_warn_saturate+0x161/0x210 +... + xfrm_policy_timer+0x522/0x600 + call_timer_fn+0x1b3/0x5e0 + ? __xfrm_decode_session+0x2990/0x2990 + ? msleep+0xb0/0xb0 + ? _raw_spin_unlock_irq+0x24/0x40 + ? __xfrm_decode_session+0x2990/0x2990 + ? __xfrm_decode_session+0x2990/0x2990 + run_timer_softirq+0x5c5/0x10e0 + +Fix this by use write_lock_bh in xfrm_policy_kill. + +Fixes: ea2dea9dacc2 ("xfrm: remove policy lock when accessing policy->walk.dead") +Signed-off-by: YueHaibing +Acked-by: Timo Teräs +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_policy.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -309,7 +309,9 @@ EXPORT_SYMBOL(xfrm_policy_destroy); + + static void xfrm_policy_kill(struct xfrm_policy *policy) + { ++ write_lock_bh(&policy->lock); + policy->walk.dead = 1; ++ write_unlock_bh(&policy->lock); + + atomic_inc(&policy->genid); + -- 2.47.3