From 38a71a21cde7c5f25e5664d66cbf8106eb49312a Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 14 May 2021 22:13:38 -0400 Subject: [PATCH] Fixes for 4.4 
Signed-off-by: Sasha Levin --- ...sa-hdsp-don-t-disable-if-not-enabled.patch | 49 +++ ...a-hdspm-don-t-disable-if-not-enabled.patch | 49 +++ ...rme9652-don-t-disable-if-not-enabled.patch | 49 +++ ...generalize-support-for-alc3263-codec.patch | 99 ++++++ ...rt286_set_gpio_-readable-and-writabl.patch | 39 +++ ...lize-skb_queue_head-at-l2cap_chan_cr.patch | 43 +++ ...nf_not_complete-as-l2cap_chan-defaul.patch | 77 +++++ queue-4.4/cuse-prevent-clone.patch | 37 +++ ...ff-by-one-power_state-index-heap-ove.patch | 119 ++++++++ queue-4.4/fs-dlm-fix-debugfs-dump.patch | 40 +++ ...ev_-hold-put-in-ndo_-un-init-methods.patch | 98 ++++++ ...nfig-nconf-stop-endless-search-loops.patch | 62 ++++ ...e-fix-error-return-code-of-kexec_cal.patch | 45 +++ ...al-missing-rmap_item-for-stable_node.patch | 57 ++++ ...he-beacon-s-crc-after-channel-switch.patch | 52 ++++ ...et-stmmac-set-fifo-sizes-for-ipq806x.patch | 44 +++ ...ly-with-attribute-generation-counter.patch | 49 +++ ...x-handling-of-sr_eof-in-seek-s-reply.patch | 43 +++ ...node-in-pci_scan_device-s-error-path.patch | 38 +++ ...ix-incorrect-size-check-in-decode_nf.patch | 52 ++++ ...mmu-annotate-nested-lock-for-lockdep.patch | 70 +++++ ...mib_currestab-leak-in-sctp_sf_do_dup.patch | 52 ++++ ...bounds-warning-in-sctp_process_ascon.patch | 44 +++ ...cc-to-clang-in-lib.mk-if-llvm-is-set.patch | 42 +++ queue-4.4/series | 27 ++ ...dest-node-s-address-to-network-order.patch | 41 +++ ...t-of-bounds-warnings-in-wl3501_mgmt_.patch | 286 ++++++++++++++++++ ...t-of-bounds-warnings-in-wl3501_send_.patch | 147 +++++++++ 28 files changed, 1850 insertions(+) create mode 100644 queue-4.4/alsa-hdsp-don-t-disable-if-not-enabled.patch create mode 100644 queue-4.4/alsa-hdspm-don-t-disable-if-not-enabled.patch create mode 100644 queue-4.4/alsa-rme9652-don-t-disable-if-not-enabled.patch create mode 100644 queue-4.4/asoc-rt286-generalize-support-for-alc3263-codec.patch create mode 100644 
queue-4.4/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch create mode 100644 queue-4.4/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch create mode 100644 queue-4.4/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch create mode 100644 queue-4.4/cuse-prevent-clone.patch create mode 100644 queue-4.4/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch create mode 100644 queue-4.4/fs-dlm-fix-debugfs-dump.patch create mode 100644 queue-4.4/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch create mode 100644 queue-4.4/kconfig-nconf-stop-endless-search-loops.patch create mode 100644 queue-4.4/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch create mode 100644 queue-4.4/ksm-fix-potential-missing-rmap_item-for-stable_node.patch create mode 100644 queue-4.4/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch create mode 100644 queue-4.4/net-stmmac-set-fifo-sizes-for-ipq806x.patch create mode 100644 queue-4.4/nfs-deal-correctly-with-attribute-generation-counter.patch create mode 100644 queue-4.4/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch create mode 100644 queue-4.4/pci-release-of-node-in-pci_scan_device-s-error-path.patch create mode 100644 queue-4.4/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch create mode 100644 queue-4.4/powerpc-iommu-annotate-nested-lock-for-lockdep.patch create mode 100644 queue-4.4/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch create mode 100644 queue-4.4/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch create mode 100644 queue-4.4/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch create mode 100644 queue-4.4/tipc-convert-dest-node-s-address-to-network-order.patch create mode 100644 queue-4.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch create mode 100644 queue-4.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch 
diff --git a/queue-4.4/alsa-hdsp-don-t-disable-if-not-enabled.patch b/queue-4.4/alsa-hdsp-don-t-disable-if-not-enabled.patch new file mode 100644 index 00000000000..69495397e04 --- /dev/null +++ b/queue-4.4/alsa-hdsp-don-t-disable-if-not-enabled.patch @@ -0,0 +1,49 @@ +From e9f710c9b9efa68c0d1b05f251702f9ef6a2fefa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 11:38:38 -0400 +Subject: ALSA: hdsp: don't disable if not enabled + +From: Tong Zhang + +[ Upstream commit 507cdb9adba006a7798c358456426e1aea3d9c4f ] + +hdsp wants to disable a not enabled pci device, which makes kernel +throw a warning. Make sure the device is enabled before calling disable. + +[ 1.758292] snd_hdsp 0000:00:03.0: disabling already-disabled device +[ 1.758327] WARNING: CPU: 0 PID: 180 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0 +[ 1.766985] Call Trace: +[ 1.767121] snd_hdsp_card_free+0x94/0xf0 [snd_hdsp] +[ 1.767388] release_card_device+0x4b/0x80 [snd] +[ 1.767639] device_release+0x3b/0xa0 +[ 1.767838] kobject_put+0x94/0x1b0 +[ 1.768027] put_device+0x13/0x20 +[ 1.768207] snd_card_free+0x61/0x90 [snd] +[ 1.768430] snd_hdsp_probe+0x524/0x5e0 [snd_hdsp] + +Suggested-by: Takashi Iwai +Signed-off-by: Tong Zhang +Link: https://lore.kernel.org/r/20210321153840.378226-2-ztong0001@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/rme9652/hdsp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c +index dd6c9e6a1d53..4128c04fbfde 100644 +--- a/sound/pci/rme9652/hdsp.c ++++ b/sound/pci/rme9652/hdsp.c +@@ -5314,7 +5314,8 @@ static int snd_hdsp_free(struct hdsp *hdsp) + if (hdsp->port) + pci_release_regions(hdsp->pci); + +- pci_disable_device(hdsp->pci); ++ if (pci_is_enabled(hdsp->pci)) ++ pci_disable_device(hdsp->pci); + return 0; + } + +-- +2.30.2 + 
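Review bot: The new `pci_is_enabled()` guard in snd_hdsp_free has no comment explaining why a free routine can see a device that was never enabled, and the identical unexplained guard is repeated in the hdspm and rme9652 hunks that follow this one. The call trace in the description shows snd_hdsp_probe failing and snd_card_free reaching snd_hdsp_card_free before pci_enable_device() had succeeded, which is exactly the case the check covers. A one-line comment above the check would keep that rationale with the code in all three drivers: `/* probe may fail before pci_enable_device(), so only undo an enable that actually happened */`. The opening lines of snd_hdsp_free are outside the hunk.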
diff --git a/queue-4.4/alsa-hdspm-don-t-disable-if-not-enabled.patch b/queue-4.4/alsa-hdspm-don-t-disable-if-not-enabled.patch new file mode 100644 index 00000000000..141013f2f79 --- /dev/null +++ b/queue-4.4/alsa-hdspm-don-t-disable-if-not-enabled.patch @@ -0,0 +1,49 @@ +From 91a1d23e70cfa4802f5b898fba0edaa8bc2e9148 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 11:38:39 -0400 +Subject: ALSA: hdspm: don't disable if not enabled + +From: Tong Zhang + +[ Upstream commit 790f5719b85e12e10c41753b864e74249585ed08 ] + +hdspm wants to disable a not enabled pci device, which makes kernel +throw a warning. Make sure the device is enabled before calling disable. + +[ 1.786391] snd_hdspm 0000:00:03.0: disabling already-disabled device +[ 1.786400] WARNING: CPU: 0 PID: 182 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0 +[ 1.795181] Call Trace: +[ 1.795320] snd_hdspm_card_free+0x58/0xa0 [snd_hdspm] +[ 1.795595] release_card_device+0x4b/0x80 [snd] +[ 1.795860] device_release+0x3b/0xa0 +[ 1.796072] kobject_put+0x94/0x1b0 +[ 1.796260] put_device+0x13/0x20 +[ 1.796438] snd_card_free+0x61/0x90 [snd] +[ 1.796659] snd_hdspm_probe+0x97b/0x1440 [snd_hdspm] + +Suggested-by: Takashi Iwai +Signed-off-by: Tong Zhang +Link: https://lore.kernel.org/r/20210321153840.378226-3-ztong0001@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/rme9652/hdspm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c +index 1a0c0d16a279..f4b164f19d30 100644 +--- a/sound/pci/rme9652/hdspm.c ++++ b/sound/pci/rme9652/hdspm.c +@@ -6912,7 +6912,8 @@ static int snd_hdspm_free(struct hdspm * hdspm) + if (hdspm->port) + pci_release_regions(hdspm->pci); + +- pci_disable_device(hdspm->pci); ++ if (pci_is_enabled(hdspm->pci)) ++ pci_disable_device(hdspm->pci); + return 0; + } + +-- +2.30.2 + 
diff --git a/queue-4.4/alsa-rme9652-don-t-disable-if-not-enabled.patch b/queue-4.4/alsa-rme9652-don-t-disable-if-not-enabled.patch new file mode 100644 index 00000000000..5527485eae9 --- /dev/null +++ b/queue-4.4/alsa-rme9652-don-t-disable-if-not-enabled.patch @@ -0,0 +1,49 @@ +From 0cb428823d9a1e35284106203fb3c22834f4c424 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 11:38:40 -0400 +Subject: ALSA: rme9652: don't disable if not enabled + +From: Tong Zhang + +[ Upstream commit f57a741874bb6995089020e97a1dcdf9b165dcbe ] + +rme9652 wants to disable a not enabled pci device, which makes kernel +throw a warning. Make sure the device is enabled before calling disable. + +[ 1.751595] snd_rme9652 0000:00:03.0: disabling already-disabled device +[ 1.751605] WARNING: CPU: 0 PID: 174 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0 +[ 1.759968] Call Trace: +[ 1.760145] snd_rme9652_card_free+0x76/0xa0 [snd_rme9652] +[ 1.760434] release_card_device+0x4b/0x80 [snd] +[ 1.760679] device_release+0x3b/0xa0 +[ 1.760874] kobject_put+0x94/0x1b0 +[ 1.761059] put_device+0x13/0x20 +[ 1.761235] snd_card_free+0x61/0x90 [snd] +[ 1.761454] snd_rme9652_probe+0x3be/0x700 [snd_rme9652] + +Suggested-by: Takashi Iwai +Signed-off-by: Tong Zhang +Link: https://lore.kernel.org/r/20210321153840.378226-4-ztong0001@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/rme9652/rme9652.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c +index c253bdf92e36..e5611ee9f2ae 100644 +--- a/sound/pci/rme9652/rme9652.c ++++ b/sound/pci/rme9652/rme9652.c +@@ -1761,7 +1761,8 @@ static int snd_rme9652_free(struct snd_rme9652 *rme9652) + if (rme9652->port) + pci_release_regions(rme9652->pci); + +- pci_disable_device(rme9652->pci); ++ if (pci_is_enabled(rme9652->pci)) ++ pci_disable_device(rme9652->pci); + return 0; + } + +-- +2.30.2 + 
diff --git a/queue-4.4/asoc-rt286-generalize-support-for-alc3263-codec.patch b/queue-4.4/asoc-rt286-generalize-support-for-alc3263-codec.patch new file mode 100644 index 00000000000..742be635962 --- /dev/null +++ b/queue-4.4/asoc-rt286-generalize-support-for-alc3263-codec.patch 
@@ -0,0 +1,99 @@ +From 2c70b8ba700c991d16e2d8b007b8d0b30d45e74b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Apr 2021 09:46:58 -0400 +Subject: ASoC: rt286: Generalize support for ALC3263 codec + +From: David Ward + +[ Upstream commit aa2f9c12821e6a4ba1df4fb34a3dbc6a2a1ee7fe ] + +The ALC3263 codec on the XPS 13 9343 is also found on the Latitude 13 7350 +and Venue 11 Pro 7140. They require the same handling for the combo jack to +work with a headset: GPIO pin 6 must be set. + +The HDA driver always sets this pin on the ALC3263, which it distinguishes +by the codec vendor/device ID 0x10ec0288 and PCI subsystem vendor ID 0x1028 +(Dell). The ASoC driver does not use PCI, so adapt this check to use DMI to +determine if Dell is the system vendor. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=150601 +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205961 +Signed-off-by: David Ward +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210418134658.4333-6-david.ward@gatech.edu +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt286.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c +index af2ed774b552..63ed5b38b11f 100644 +--- a/sound/soc/codecs/rt286.c ++++ b/sound/soc/codecs/rt286.c +@@ -1117,12 +1117,11 @@ static const struct dmi_system_id force_combo_jack_table[] = { + { } + }; + +-static const struct dmi_system_id dmi_dell_dino[] = { ++static const struct dmi_system_id dmi_dell[] = { + { +- .ident = "Dell Dino", ++ .ident = "Dell", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9343") + } + }, + { } +@@ -1133,7 +1132,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c, + { + struct rt286_platform_data *pdata = dev_get_platdata(&i2c->dev); + struct rt286_priv *rt286; +- int i, ret, val; ++ int i, ret, vendor_id; + + rt286 = devm_kzalloc(&i2c->dev, 
sizeof(*rt286), + GFP_KERNEL); +@@ -1149,14 +1148,15 @@ static int rt286_i2c_probe(struct i2c_client *i2c, + } + + ret = regmap_read(rt286->regmap, +- RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &val); ++ RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &vendor_id); + if (ret != 0) { + dev_err(&i2c->dev, "I2C error %d\n", ret); + return ret; + } +- if (val != RT286_VENDOR_ID && val != RT288_VENDOR_ID) { ++ if (vendor_id != RT286_VENDOR_ID && vendor_id != RT288_VENDOR_ID) { + dev_err(&i2c->dev, +- "Device with ID register %#x is not rt286\n", val); ++ "Device with ID register %#x is not rt286\n", ++ vendor_id); + return -ENODEV; + } + +@@ -1180,8 +1180,8 @@ static int rt286_i2c_probe(struct i2c_client *i2c, + if (pdata) + rt286->pdata = *pdata; + +- if (dmi_check_system(force_combo_jack_table) || +- dmi_check_system(dmi_dell_dino)) ++ if ((vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) || ++ dmi_check_system(force_combo_jack_table)) + rt286->pdata.cbj_en = true; + + regmap_write(rt286->regmap, RT286_SET_AUDIO_POWER, AC_PWRST_D3); +@@ -1220,7 +1220,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c, + regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL3, 0xf777, 0x4737); + regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL4, 0x00ff, 0x003f); + +- if (dmi_check_system(dmi_dell_dino)) { ++ if (vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) { + regmap_update_bits(rt286->regmap, + RT286_SET_GPIO_MASK, 0x40, 0x40); + regmap_update_bits(rt286->regmap, +-- +2.30.2 + diff --git a/queue-4.4/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch b/queue-4.4/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch new file mode 100644 index 00000000000..4931157a2d1 --- /dev/null +++ b/queue-4.4/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch 
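Review bot: The predicate `vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)` is now written out twice in rt286_i2c_probe, once in the cbj_en condition and again in the GPIO block near line 1223, so any future change to the detection rule has to be made in both places. Evaluating it once after the vendor-ID read, e.g. `bool dell_rt288 = vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell);`, and testing `dell_rt288` in both `if` statements would keep them in step and also avoid a second DMI scan. Since the renamed `dmi_dell` table now matches every Dell machine, the vendor_id comparison is the only thing narrowing this to the intended codec (presumably RT288_VENDOR_ID is the ALC3263 ID the description mentions), and a short comment on the table saying so would help the next reader. rt286_i2c_probe begins and ends outside these hunks.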
@@ -0,0 +1,39 @@ +From f632ad73cac17f222ee0685484ec2ee04a78d272 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Apr 2021 09:46:57 -0400 +Subject: ASoC: rt286: Make RT286_SET_GPIO_* readable and writable + +From: David Ward + +[ Upstream commit cd8499d5c03ba260e3191e90236d0e5f6b147563 ] + +The GPIO configuration cannot be applied if the registers are inaccessible. +This prevented the headset mic from working on the Dell XPS 13 9343. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=114171 +Signed-off-by: David Ward +Link: https://lore.kernel.org/r/20210418134658.4333-5-david.ward@gatech.edu +Reviewed-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt286.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c +index 63ed5b38b11f..146099ec8570 100644 +--- a/sound/soc/codecs/rt286.c ++++ b/sound/soc/codecs/rt286.c +@@ -174,6 +174,9 @@ static bool rt286_readable_register(struct device *dev, unsigned int reg) + case RT286_PROC_COEF: + case RT286_SET_AMP_GAIN_ADC_IN1: + case RT286_SET_AMP_GAIN_ADC_IN2: ++ case RT286_SET_GPIO_MASK: ++ case RT286_SET_GPIO_DIRECTION: ++ case RT286_SET_GPIO_DATA: + case RT286_SET_POWER(RT286_DAC_OUT1): + case RT286_SET_POWER(RT286_DAC_OUT2): + case RT286_SET_POWER(RT286_ADC_IN1): +-- +2.30.2 + diff --git a/queue-4.4/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch b/queue-4.4/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch new file mode 100644 index 00000000000..85ef98f9a08 --- /dev/null +++ b/queue-4.4/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch 
@@ -0,0 +1,43 @@ +From 0f62b5b7eb1444c222a08a8a6efc9980f0d46684 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 07:52:07 +0900 +Subject: Bluetooth: initialize skb_queue_head at l2cap_chan_create() + +From: Tetsuo Handa + +[ Upstream commit be8597239379f0f53c9710dd6ab551bbf535bec6 ] + +syzbot is hitting "INFO: trying to register non-static key." message [1], +for "struct l2cap_chan"->tx_q.lock spinlock is not yet initialized when +l2cap_chan_del() is called due to e.g. timeout. + +Since "struct l2cap_chan"->lock mutex is initialized at l2cap_chan_create() +immediately after "struct l2cap_chan" is allocated using kzalloc(), let's +as well initialize "struct l2cap_chan"->{tx_q,srej_q}.lock spinlocks there. + +[1] https://syzkaller.appspot.com/bug?extid=fadfba6a911f6bf71842 + +Reported-and-tested-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 515f3e52f70a..0de77e741a78 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -434,6 +434,8 @@ struct l2cap_chan *l2cap_chan_create(void) + if (!chan) + return NULL; + ++ skb_queue_head_init(&chan->tx_q); ++ skb_queue_head_init(&chan->srej_q); + mutex_init(&chan->lock); + + /* Set default lock nesting level */ +-- +2.30.2 + diff --git a/queue-4.4/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch b/queue-4.4/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch new file mode 100644 index 00000000000..df5b8a2811d --- /dev/null +++ b/queue-4.4/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch 
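Review bot: The two new skb_queue_head_init() calls in l2cap_chan_create carry no comment saying why the queues are set up at allocation time, and the reason is not visible from the surrounding code. The description shows l2cap_chan_del() running on a channel whose tx_q.lock had never been initialized, for example after a timeout, which is what these lines prevent. Suggested comment above the calls: `/* l2cap_chan_del() can touch tx_q/srej_q (e.g. on timeout) before any mode-specific setup ran, so their locks must be valid from creation */`. l2cap_chan_create continues outside the hunk.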
@@ -0,0 +1,77 @@ +From 141cf588560d121d5f7356d6de75fe378149e973 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 14:02:15 +0800 +Subject: Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default + +From: Archie Pusaka + +[ Upstream commit 3a9d54b1947ecea8eea9a902c0b7eb58a98add8a ] + +Currently l2cap_chan_set_defaults() reset chan->conf_state to zero. +However, there is a flag CONF_NOT_COMPLETE which is set when +creating the l2cap_chan. It is suggested that the flag should be +cleared when l2cap_chan is ready, but when l2cap_chan_set_defaults() +is called, l2cap_chan is not yet ready. Therefore, we must set this +flag as the default. + +Example crash call trace: +__dump_stack lib/dump_stack.c:15 [inline] +dump_stack+0xc4/0x118 lib/dump_stack.c:56 +panic+0x1c6/0x38b kernel/panic.c:117 +__warn+0x170/0x1b9 kernel/panic.c:471 +warn_slowpath_fmt+0xc7/0xf8 kernel/panic.c:494 +debug_print_object+0x175/0x193 lib/debugobjects.c:260 +debug_object_assert_init+0x171/0x1bf lib/debugobjects.c:614 +debug_timer_assert_init kernel/time/timer.c:629 [inline] +debug_assert_init kernel/time/timer.c:677 [inline] +del_timer+0x7c/0x179 kernel/time/timer.c:1034 +try_to_grab_pending+0x81/0x2e5 kernel/workqueue.c:1230 +cancel_delayed_work+0x7c/0x1c4 kernel/workqueue.c:2929 +l2cap_clear_timer+0x1e/0x41 include/net/bluetooth/l2cap.h:834 +l2cap_chan_del+0x2d8/0x37e net/bluetooth/l2cap_core.c:640 +l2cap_chan_close+0x532/0x5d8 net/bluetooth/l2cap_core.c:756 +l2cap_sock_shutdown+0x806/0x969 net/bluetooth/l2cap_sock.c:1174 +l2cap_sock_release+0x64/0x14d net/bluetooth/l2cap_sock.c:1217 +__sock_release+0xda/0x217 net/socket.c:580 +sock_close+0x1b/0x1f net/socket.c:1039 +__fput+0x322/0x55c fs/file_table.c:208 +____fput+0x17/0x19 fs/file_table.c:244 +task_work_run+0x19b/0x1d3 kernel/task_work.c:115 +exit_task_work include/linux/task_work.h:21 [inline] +do_exit+0xe4c/0x204a kernel/exit.c:766 +do_group_exit+0x291/0x291 kernel/exit.c:891 +get_signal+0x749/0x1093 kernel/signal.c:2396 
+do_signal+0xa5/0xcdb arch/x86/kernel/signal.c:737 +exit_to_usermode_loop arch/x86/entry/common.c:243 [inline] +prepare_exit_to_usermode+0xed/0x235 arch/x86/entry/common.c:277 +syscall_return_slowpath+0x3a7/0x3b3 arch/x86/entry/common.c:348 +int_ret_from_sys_call+0x25/0xa3 + +Signed-off-by: Archie Pusaka +Reported-by: syzbot+338f014a98367a08a114@syzkaller.appspotmail.com +Reviewed-by: Alain Michaud +Reviewed-by: Abhishek Pandit-Subedi +Reviewed-by: Guenter Roeck +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index f2db50da8ce2..515f3e52f70a 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -499,7 +499,9 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan) + chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; + chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO; + chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO; ++ + chan->conf_state = 0; ++ set_bit(CONF_NOT_COMPLETE, &chan->conf_state); + + set_bit(FLAG_FORCE_ACTIVE, &chan->flags); + } +-- +2.30.2 + diff --git a/queue-4.4/cuse-prevent-clone.patch b/queue-4.4/cuse-prevent-clone.patch new file mode 100644 index 00000000000..e69886e6b7a --- /dev/null +++ b/queue-4.4/cuse-prevent-clone.patch 
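Review bot: The new `set_bit(CONF_NOT_COMPLETE, &chan->conf_state)` directly after `chan->conf_state = 0` reads like a contradiction without context, and nothing in l2cap_chan_set_defaults says why this single bit survives the reset. The description explains that the flag is meant to be cleared only once the channel is ready, which has not happened when the defaults are applied, and the trace shows teardown stopping timers that were never initialized once the flag was lost. A comment would keep that with the code: `/* Defaults are applied before configuration completes, so CONF_NOT_COMPLETE must stay set */`. The body of l2cap_chan_set_defaults starts outside the hunk.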
@@ -0,0 +1,37 @@ +From 0da6849cc58fad64a86966e3230d5a6c414ad7dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Apr 2021 10:40:58 +0200 +Subject: cuse: prevent clone + +From: Miklos Szeredi + +[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ] + +For cloned connections cuse_channel_release() will be called more than +once, resulting in use after free. + +Prevent device cloning for CUSE, which does not make sense at this point, +and highly unlikely to be used in real life. + +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/fuse/cuse.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c +index d9aba9700726..b83367300f48 100644 +--- a/fs/fuse/cuse.c ++++ b/fs/fuse/cuse.c +@@ -616,6 +616,8 @@ static int __init cuse_init(void) + cuse_channel_fops.owner = THIS_MODULE; + cuse_channel_fops.open = cuse_channel_open; + cuse_channel_fops.release = cuse_channel_release; ++ /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */ ++ cuse_channel_fops.unlocked_ioctl = NULL; + + cuse_class = class_create(THIS_MODULE, "cuse"); + if (IS_ERR(cuse_class)) +-- +2.30.2 + diff --git a/queue-4.4/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch b/queue-4.4/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch new file mode 100644 index 00000000000..6814b20a204 --- /dev/null +++ b/queue-4.4/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch 
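Review bot: Clearing only `.unlocked_ioctl` assumes that the copy of fuse_dev_operations from which cuse_channel_fops is built (made outside this hunk) exposes no other ioctl entry point such as `.compat_ioctl`; if this tree's fuse_dev_operations sets one, it should be cleared here as well so that FUSE_DEV_IOC_CLONE is unreachable through every path. A quick check of fs/fuse/dev.c in this tree would settle it. The existing comment could also name the consequence the description gives, e.g. `/* CUSE is not prepared for FUSE_DEV_IOC_CLONE: a cloned fd would call cuse_channel_release() twice */`. cuse_init continues outside the hunk.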
@@ -0,0 +1,119 @@ +From f4ed22958842aeb8e71660de666437c536a602ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 May 2021 22:06:07 -0700 +Subject: drm/radeon: Fix off-by-one power_state index heap overwrite + +From: Kees Cook + +[ Upstream commit 5bbf219328849e83878bddb7c226d8d42e84affc ] + +An out of bounds write happens when setting the default power state. +KASAN sees this as: + +[drm] radeon: 512M of GTT memory ready. +[drm] GART: num cpu pages 131072, num gpu pages 131072 +================================================================== +BUG: KASAN: slab-out-of-bounds in +radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon] +Write of size 4 at addr ffff88810178d858 by task systemd-udevd/157 + +CPU: 0 PID: 157 Comm: systemd-udevd Not tainted 5.12.0-E620 #50 +Hardware name: eMachines eMachines E620 /Nile , BIOS V1.03 09/30/2008 +Call Trace: + dump_stack+0xa5/0xe6 + print_address_description.constprop.0+0x18/0x239 + kasan_report+0x170/0x1a8 + radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon] + radeon_atombios_get_power_modes+0x144/0x1888 [radeon] + radeon_pm_init+0x1019/0x1904 [radeon] + rs690_init+0x76e/0x84a [radeon] + radeon_device_init+0x1c1a/0x21e5 [radeon] + radeon_driver_load_kms+0xf5/0x30b [radeon] + drm_dev_register+0x255/0x4a0 [drm] + radeon_pci_probe+0x246/0x2f6 [radeon] + pci_device_probe+0x1aa/0x294 + really_probe+0x30e/0x850 + driver_probe_device+0xe6/0x135 + device_driver_attach+0xc1/0xf8 + __driver_attach+0x13f/0x146 + bus_for_each_dev+0xfa/0x146 + bus_add_driver+0x2b3/0x447 + driver_register+0x242/0x2c1 + do_one_initcall+0x149/0x2fd + do_init_module+0x1ae/0x573 + load_module+0x4dee/0x5cca + __do_sys_finit_module+0xf1/0x140 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Without KASAN, this will manifest later when the kernel attempts to +allocate memory that was stomped, since it collides with the inline slab +freelist pointer: + +invalid opcode: 0000 [#1] SMP NOPTI +CPU: 0 PID: 781 Comm: 
openrc-run.sh Tainted: G W 5.10.12-gentoo-E620 #2 +Hardware name: eMachines eMachines E620 /Nile , BIOS V1.03 09/30/2008 +RIP: 0010:kfree+0x115/0x230 +Code: 89 c5 e8 75 ea ff ff 48 8b 00 0f ba e0 09 72 63 e8 1f f4 ff ff 41 89 c4 48 8b 45 00 0f ba e0 10 72 0a 48 8b 45 08 a8 01 75 02 <0f> 0b 44 89 e1 48 c7 c2 00 f0 ff ff be 06 00 00 00 48 d3 e2 48 c7 +RSP: 0018:ffffb42f40267e10 EFLAGS: 00010246 +RAX: ffffd61280ee8d88 RBX: 0000000000000004 RCX: 000000008010000d +RDX: 4000000000000000 RSI: ffffffffba1360b0 RDI: ffffd61280ee8d80 +RBP: ffffd61280ee8d80 R08: ffffffffb91bebdf R09: 0000000000000000 +R10: ffff8fe2c1047ac8 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000100 +FS: 00007fe80eff6b68(0000) GS:ffff8fe339c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fe80eec7bc0 CR3: 0000000038012000 CR4: 00000000000006f0 +Call Trace: + __free_fdtable+0x16/0x1f + put_files_struct+0x81/0x9b + do_exit+0x433/0x94d + do_group_exit+0xa6/0xa6 + __x64_sys_exit_group+0xf/0xf + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7fe80ef64bea +Code: Unable to access opcode bytes at RIP 0x7fe80ef64bc0. +RSP: 002b:00007ffdb1c47528 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe80ef64bea +RDX: 00007fe80ef64f60 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 +R10: 00007fe80ee2c620 R11: 0000000000000246 R12: 00007fe80eff41e0 +R13: 00000000ffffffff R14: 0000000000000024 R15: 00007fe80edf9cd0 +Modules linked in: radeon(+) ath5k(+) snd_hda_codec_realtek ... + +Use a valid power_state index when initializing the "flags" and "misc" +and "misc2" fields. + +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537 +Reported-by: Erhard F. 
+Fixes: a48b9b4edb8b ("drm/radeon/kms/pm: add asic specific callbacks for getting power state (v2)") +Fixes: 79daedc94281 ("drm/radeon/kms: minor pm cleanups") +Signed-off-by: Kees Cook +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_atombios.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c +index 0c5b3eeff82d..230e2dcdf053 100644 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -2259,10 +2259,10 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev) + rdev->pm.default_power_state_index = state_index - 1; + rdev->pm.power_state[state_index - 1].default_clock_mode = + &rdev->pm.power_state[state_index - 1].clock_info[0]; +- rdev->pm.power_state[state_index].flags &= ++ rdev->pm.power_state[state_index - 1].flags &= + ~RADEON_PM_STATE_SINGLE_DISPLAY_ONLY; +- rdev->pm.power_state[state_index].misc = 0; +- rdev->pm.power_state[state_index].misc2 = 0; ++ rdev->pm.power_state[state_index - 1].misc = 0; ++ rdev->pm.power_state[state_index - 1].misc2 = 0; + } + return state_index; + } +-- +2.30.2 + diff --git a/queue-4.4/fs-dlm-fix-debugfs-dump.patch b/queue-4.4/fs-dlm-fix-debugfs-dump.patch new file mode 100644 index 00000000000..e18ff41f287 --- /dev/null +++ b/queue-4.4/fs-dlm-fix-debugfs-dump.patch 
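Review bot: The fix now spells `state_index - 1` six times in the default-state block of radeon_atombios_parse_power_table_1_3, and the bug being fixed was exactly one of those indices drifting back to `state_index`. Indexing once through a local pointer removes the repetition; since power_state is filled from the board's ATOM BIOS tables, this is index arithmetic that should be hard to get wrong again. The declaration would have to sit at the top of the enclosing block, which is outside the hunk, to respect the kernel's no-mixed-declarations convention. Rewritten lines:
```c
	/* … unchanged: enclosing block of radeon_atombios_parse_power_table_1_3, declaration hoisted to its top … */
	struct radeon_power_state *ps = &rdev->pm.power_state[state_index - 1];

	rdev->pm.default_power_state_index = state_index - 1;
	ps->default_clock_mode = &ps->clock_info[0];
	ps->flags &= ~RADEON_PM_STATE_SINGLE_DISPLAY_ONLY;
	ps->misc = 0;
	ps->misc2 = 0;
```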
@@ -0,0 +1,40 @@ +From ed0d6fa74009762411a45056c2d0e80b8cbb706e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 17:05:08 -0500 +Subject: fs: dlm: fix debugfs dump + +From: Alexander Aring + +[ Upstream commit 92c48950b43f4a767388cf87709d8687151a641f ] + +This patch fixes the following message which randomly pops up during +glocktop call: + +seq_file: buggy .next function table_seq_next did not update position index + +The issue is that seq_read_iter() in fs/seq_file.c also needs an +increment of the index in an non next record case as well which this +patch fixes otherwise seq_read_iter() will print out the above message. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/debug_fs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/dlm/debug_fs.c b/fs/dlm/debug_fs.c +index eea64912c9c0..3b79c0284a30 100644 +--- a/fs/dlm/debug_fs.c ++++ b/fs/dlm/debug_fs.c +@@ -545,6 +545,7 @@ static void *table_seq_next(struct seq_file *seq, void *iter_ptr, loff_t *pos) + + if (bucket >= ls->ls_rsbtbl_size) { + kfree(ri); ++ ++*pos; + return NULL; + } + tree = toss ? &ls->ls_rsbtbl[bucket].toss : &ls->ls_rsbtbl[bucket].keep; +-- +2.30.2 + diff --git a/queue-4.4/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch b/queue-4.4/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch new file mode 100644 index 00000000000..7ea508ecb7c --- /dev/null +++ b/queue-4.4/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch 
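Review bot: The added `++*pos;` in table_seq_next has no comment, and its purpose, satisfying seq_file's contract rather than any dlm logic, is not apparent from the surrounding lines. The description quotes the warning seq_read_iter() emits when a .next callback returns NULL without advancing the position. Suggested comment above the increment: `/* seq_file requires ->next to advance *pos even when there is no next record */`. table_seq_next begins outside the hunk.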
@@ -0,0 +1,98 @@ +From fc9269daf5c51a670877289d895003643cc350c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 12:12:54 -0700 +Subject: ip6_vti: proper dev_{hold|put} in ndo_[un]init methods + +From: Eric Dumazet + +[ Upstream commit 40cb881b5aaa0b69a7d93dec8440d5c62dae299f ] + +After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger +a warning [1] + +Issue here is that: + +- all dev_put() should be paired with a corresponding prior dev_hold(). + +- A driver doing a dev_put() in its ndo_uninit() MUST also + do a dev_hold() in its ndo_init(), only when ndo_init() + is returning 0. + +Otherwise, register_netdevice() would call ndo_uninit() +in its error path and release a refcount too soon. + +Therefore, we need to move dev_hold() call from +vti6_tnl_create2() to vti6_dev_init_gen() + +[1] +WARNING: CPU: 0 PID: 15951 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 +Modules linked in: +CPU: 0 PID: 15951 Comm: syz-executor.3 Not tainted 5.12.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 +Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58 +RSP: 0018:ffffc90001eaef28 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000040000 RSI: ffffffff815c51f5 RDI: fffff520003d5dd7 +RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff88801bb1c568 +R13: ffff88801f69e800 R14: 00000000ffffffff R15: ffff888050889d40 +FS: 00007fc79314e700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f1c1ff47108 CR3: 0000000020fd5000 CR4: 00000000001506f0 +DR0: 0000000000000000 DR1: 
0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + __refcount_dec include/linux/refcount.h:344 [inline] + refcount_dec include/linux/refcount.h:359 [inline] + dev_put include/linux/netdevice.h:4135 [inline] + vti6_dev_uninit+0x31a/0x360 net/ipv6/ip6_vti.c:297 + register_netdevice+0xadf/0x1500 net/core/dev.c:10308 + vti6_tnl_create2+0x1b5/0x400 net/ipv6/ip6_vti.c:190 + vti6_newlink+0x9d/0xd0 net/ipv6/ip6_vti.c:1020 + __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443 + rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491 + rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 + netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:674 + ____sys_sendmsg+0x331/0x810 net/socket.c:2350 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 + __sys_sendmmsg+0x195/0x470 net/socket.c:2490 + __do_sys_sendmmsg net/socket.c:2519 [inline] + __se_sys_sendmmsg net/socket.c:2516 [inline] + __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2516 + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_vti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c +index 2267920c086a..3e917e358459 100644 +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -196,7 +196,6 @@ static int vti6_tnl_create2(struct net_device *dev) + + strcpy(t->parms.name, dev->name); + +- dev_hold(dev); + vti6_tnl_link(ip6n, t); + + return 0; +@@ -900,6 +899,7 @@ static inline int vti6_dev_init_gen(struct net_device *dev) + dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); + if (!dev->tstats) + return -ENOMEM; ++ dev_hold(dev); + return 0; + } + +-- +2.30.2 + 
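Review bot: The `dev_hold(dev)` moved into vti6_dev_init_gen has no comment tying it to the dev_put() it balances, and its position is load-bearing: it must stay after the last point at which the function can fail, otherwise register_netdevice()'s error path would again drop a reference that was never taken, which is the refcount warning the description shows from vti6_dev_uninit. Suggested comment above the call: `/* Paired with dev_put() in vti6_dev_uninit(); taken only once init cannot fail, since register_netdevice() calls ndo_uninit on error */`. Both vti6_tnl_create2 and vti6_dev_init_gen start outside their hunks.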
diff --git a/queue-4.4/kconfig-nconf-stop-endless-search-loops.patch b/queue-4.4/kconfig-nconf-stop-endless-search-loops.patch new file mode 100644 index 00000000000..f739269a73e --- /dev/null +++ b/queue-4.4/kconfig-nconf-stop-endless-search-loops.patch 
@@ -0,0 +1,62 @@ +From 471d384513bb814b3acb4e608fd76efd80cac5b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 09:28:03 +0200 +Subject: kconfig: nconf: stop endless search loops + +From: Mihai Moldovan + +[ Upstream commit 8c94b430b9f6213dec84e309bb480a71778c4213 ] + +If the user selects the very first entry in a page and performs a +search-up operation, or selects the very last entry in a page and +performs a search-down operation that will not succeed (e.g., via +[/]asdfzzz[Up Arrow]), nconf will never terminate searching the page. + +The reason is that in this case, the starting point will be set to -1 +or n, which is then translated into (n - 1) (i.e., the last entry of +the page) or 0 (i.e., the first entry of the page) and finally the +search begins. This continues to work fine until the index reaches 0 or +(n - 1), at which point it will be decremented to -1 or incremented to +n, but not checked against the starting point right away. Instead, it's +wrapped around to the bottom or top again, after which the starting +point check occurs... and naturally fails. + +My original implementation added another check for -1 before wrapping +the running index variable around, but Masahiro Yamada pointed out that +the actual issue is that the comparison point (starting point) exceeds +bounds (i.e., the [0,n-1] interval) in the first place and that, +instead, the starting point should be fixed. + +This has the welcome side-effect of also fixing the case where the +starting point was n while searching down, which also lead to an +infinite loop. + +OTOH, this code is now essentially all his work. + +Amazingly, nobody seems to have been hit by this for 11 years - or at +the very least nobody bothered to debug and fix this. 
+ +Signed-off-by: Mihai Moldovan +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index f7049e288e93..c58a46904861 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -502,8 +502,8 @@ static int get_mext_match(const char *match_str, match_f flag) + else if (flag == FIND_NEXT_MATCH_UP) + --match_start; + ++ match_start = (match_start + items_num) % items_num; + index = match_start; +- index = (index + items_num) % items_num; + while (true) { + char *str = k_menu_items[index].str; + if (strcasestr(str, match_str) != 0) +-- +2.30.2 + diff --git a/queue-4.4/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch b/queue-4.4/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch new file mode 100644 index 00000000000..34b8bfbe8c8 --- /dev/null +++ b/queue-4.4/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch 
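Review bot: The new normalisation `match_start = (match_start + items_num) % items_num;` divides by items_num, so it is only safe if an empty menu is rejected before this point; the start of get_mext_match() is not in the hunk, so if there is no `items_num == 0` guard above, one is needed (the removed `index = (index + items_num) % items_num;` had the same exposure, so this is not a regression of the fix). A one-line comment would also help the next reader, e.g. `/* keep the stop condition inside [0, items_num) so the wrap-around compare below can terminate */`. get_mext_match() starts and ends outside the hunk.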
@@ -0,0 +1,45 @@ +From 4df1c631f07c8519703634ad3a296ed15c4f26d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 18:04:38 -0700 +Subject: kernel: kexec_file: fix error return code of + kexec_calculate_store_digests() + +From: Jia-Ju Bai + +[ Upstream commit 31d82c2c787d5cf65fedd35ebbc0c1bd95c1a679 ] + +When vzalloc() returns NULL to sha_regions, no error return code of +kexec_calculate_store_digests() is assigned. To fix this bug, ret is +assigned with -ENOMEM in this case. + +Link: https://lkml.kernel.org/r/20210309083904.24321-1-baijiaju1990@gmail.com +Fixes: a43cac0d9dc2 ("kexec: split kexec_file syscall code to kexec_file.c") +Signed-off-by: Jia-Ju Bai +Reported-by: TOTE Robot +Acked-by: Baoquan He +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/kexec_file.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c +index 6030efd4a188..1210cd6bcaa6 100644 +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -575,8 +575,10 @@ static int kexec_calculate_store_digests(struct kimage *image) + + sha_region_sz = KEXEC_SEGMENT_MAX * sizeof(struct kexec_sha_region); + sha_regions = vzalloc(sha_region_sz); +- if (!sha_regions) ++ if (!sha_regions) { ++ ret = -ENOMEM; + goto out_free_desc; ++ } + + desc->tfm = tfm; + desc->flags = 0; +-- +2.30.2 + diff --git a/queue-4.4/ksm-fix-potential-missing-rmap_item-for-stable_node.patch b/queue-4.4/ksm-fix-potential-missing-rmap_item-for-stable_node.patch new file mode 100644 index 00000000000..27038877299 --- /dev/null +++ b/queue-4.4/ksm-fix-potential-missing-rmap_item-for-stable_node.patch 
@@ -0,0 +1,57 @@ +From 418a0bce0b6bc03bb51d219856065574ab069b3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 18:37:45 -0700 +Subject: ksm: fix potential missing rmap_item for stable_node + +From: Miaohe Lin + +[ Upstream commit c89a384e2551c692a9fe60d093fd7080f50afc51 ] + +When removing rmap_item from stable tree, STABLE_FLAG of rmap_item is +cleared with head reserved. So the following scenario might happen: For +ksm page with rmap_item1: + +cmp_and_merge_page + stable_node->head = &migrate_nodes; + remove_rmap_item_from_tree, but head still equal to stable_node; + try_to_merge_with_ksm_page failed; + return; + +For the same ksm page with rmap_item2, stable node migration succeed this +time. The stable_node->head does not equal to migrate_nodes now. For ksm +page with rmap_item1 again: + +cmp_and_merge_page + stable_node->head != &migrate_nodes && rmap_item->head == stable_node + return; + +We would miss the rmap_item for stable_node and might result in failed +rmap_walk_ksm(). Fix this by set rmap_item->head to NULL when rmap_item +is removed from stable tree. + +Link: https://lkml.kernel.org/r/20210330140228.45635-5-linmiaohe@huawei.com +Fixes: 4146d2d673e8 ("ksm: make !merge_across_nodes migration safe") +Signed-off-by: Miaohe Lin +Cc: Hugh Dickins +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/ksm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/mm/ksm.c b/mm/ksm.c +index f51613052aee..cafe00dfdc3b 100644 +--- a/mm/ksm.c ++++ b/mm/ksm.c +@@ -633,6 +633,7 @@ static void remove_rmap_item_from_tree(struct rmap_item *rmap_item) + ksm_pages_shared--; + + put_anon_vma(rmap_item->anon_vma); ++ rmap_item->head = NULL; + rmap_item->address &= PAGE_MASK; + + } else if (rmap_item->address & UNSTABLE_FLAG) { +-- +2.30.2 + 
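Review bot: The added `rmap_item->head = NULL;` carries no explanation, and the reason is non-local: per the description, cmp_and_merge_page() uses `head` to decide whether the item still belongs to a stable_node, so a stale pointer makes it skip the item after a node migration. Suggest a comment on the new line, e.g. `/* drop the stale stable_node reference so cmp_and_merge_page() re-adds this item */`. The STABLE_FLAG branch this sits in starts outside the hunk.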
diff --git a/queue-4.4/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch b/queue-4.4/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch new file mode 100644 index 00000000000..fe32ec38599 --- /dev/null +++ b/queue-4.4/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch 
@@ -0,0 +1,52 @@ +From ab80c6c17634060ddf50e9260b5731fab1a74272 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 14:31:25 +0200 +Subject: mac80211: clear the beacon's CRC after channel switch + +From: Emmanuel Grumbach + +[ Upstream commit d6843d1ee283137723b4a8c76244607ce6db1951 ] + +After channel switch, we should consider any beacon with a +CSA IE as a new switch. If the CSA IE is a leftover from +before the switch that the AP forgot to remove, we'll get +a CSA-to-Self. + +This caused issues in iwlwifi where the firmware saw a beacon +with a CSA-to-Self with mode = 1 on the new channel after a +switch. The firmware considered this a new switch and closed +its queues. Since the beacon didn't change between before and +after the switch, we wouldn't handle it (the CRC is the same) +and we wouldn't let the firmware open its queues again or +disconnect if the CSA IE stays for too long. + +Clear the CRC valid state after we switch to make sure that +we handle the beacon and handle the CSA IE as required. + +Signed-off-by: Emmanuel Grumbach +Link: https://lore.kernel.org/r/20210408143124.b9e68aa98304.I465afb55ca2c7d59f7bf610c6046a1fd732b4c28@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 4ab78bc6c2ca..7e2f0cd94e62 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1133,6 +1133,11 @@ static void ieee80211_chswitch_post_beacon(struct ieee80211_sub_if_data *sdata) + + sdata->vif.csa_active = false; + ifmgd->csa_waiting_bcn = false; ++ /* ++ * If the CSA IE is still present on the beacon after the switch, ++ * we need to consider it as a new CSA (possibly to self). ++ */ ++ ifmgd->beacon_crc_valid = false; + + ret = drv_post_channel_switch(sdata); + if (ret) { +-- +2.30.2 + 
diff --git a/queue-4.4/net-stmmac-set-fifo-sizes-for-ipq806x.patch b/queue-4.4/net-stmmac-set-fifo-sizes-for-ipq806x.patch new file mode 100644 index 00000000000..87c396c4755 --- /dev/null +++ b/queue-4.4/net-stmmac-set-fifo-sizes-for-ipq806x.patch 
@@ -0,0 +1,44 @@ +From 1d5fcf31ccdb9bdbe8b0e1b71814e8cdcc12dde4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Mar 2021 13:18:26 +0000 +Subject: net: stmmac: Set FIFO sizes for ipq806x + +From: Jonathan McDowell + +[ Upstream commit e127906b68b49ddb3ecba39ffa36a329c48197d3 ] + +Commit eaf4fac47807 ("net: stmmac: Do not accept invalid MTU values") +started using the TX FIFO size to verify what counts as a valid MTU +request for the stmmac driver. This is unset for the ipq806x variant. +Looking at older patches for this it seems the RX + TXs buffers can be +up to 8k, so set appropriately. + +(I sent this as an RFC patch in June last year, but received no replies. +I've been running with this on my hardware (a MikroTik RB3011) since +then with larger MTUs to support both the internal qca8k switch and +VLANs with no problems. Without the patch it's impossible to set the +larger MTU required to support this.) + +Signed-off-by: Jonathan McDowell +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c +index ee5a7c05a0e6..f1eb9f99076a 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c +@@ -361,6 +361,8 @@ static int ipq806x_gmac_probe(struct platform_device *pdev) + plat_dat->bsp_priv = gmac; + plat_dat->fix_mac_speed = ipq806x_gmac_fix_mac_speed; + plat_dat->multicast_filter_bins = 0; ++ plat_dat->tx_fifo_size = 8192; ++ plat_dat->rx_fifo_size = 8192; + + return stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res); + } +-- +2.30.2 + diff --git a/queue-4.4/nfs-deal-correctly-with-attribute-generation-counter.patch b/queue-4.4/nfs-deal-correctly-with-attribute-generation-counter.patch new file mode 100644 index 00000000000..63253ccf7d6 --- /dev/null 
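Review bot: `plat_dat->tx_fifo_size = 8192;` and `plat_dat->rx_fifo_size = 8192;` are bare magic numbers, and the description itself says the 8k figure is inferred from older patches rather than from a datasheet. Since the driver uses tx_fifo_size to bound accepted MTU values (the Fixes reference in the description), an overestimate would let the stack admit frames the hardware cannot buffer, so the provenance is worth recording next to the values, e.g. `/* RX/TX FIFOs taken as 8 KiB on ipq806x; stmmac uses tx_fifo_size to validate MTU */`, or a named constant in place of the literal. ipq806x_gmac_probe() starts outside the hunk.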
+++ b/queue-4.4/nfs-deal-correctly-with-attribute-generation-counter.patch @@ -0,0 +1,49 @@ +From 10046a285efcfce6db76c800e923f291a3f0aeef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 16:46:05 -0400 +Subject: NFS: Deal correctly with attribute generation counter overflow + +From: Trond Myklebust + +[ Upstream commit 9fdbfad1777cb4638f489eeb62d85432010c0031 ] + +We need to use unsigned long subtraction and then convert to signed in +order to deal correcly with C overflow rules. + +Fixes: f5062003465c ("NFS: Set an attribute barrier on all updates") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/inode.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index b15236641191..0d7b8c6e1de8 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -1430,10 +1430,10 @@ EXPORT_SYMBOL_GPL(_nfs_display_fhandle); + */ + static int nfs_inode_attrs_need_update(const struct inode *inode, const struct nfs_fattr *fattr) + { +- const struct nfs_inode *nfsi = NFS_I(inode); ++ unsigned long attr_gencount = NFS_I(inode)->attr_gencount; + +- return ((long)fattr->gencount - (long)nfsi->attr_gencount) > 0 || +- ((long)nfsi->attr_gencount - (long)nfs_read_attr_generation_counter() > 0); ++ return (long)(fattr->gencount - attr_gencount) > 0 || ++ (long)(attr_gencount - nfs_read_attr_generation_counter()) > 0; + } + + /* +@@ -1849,7 +1849,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr) + nfsi->attrtimeo_timestamp = now; + } + /* Set the barrier to be more recent than this fattr */ +- if ((long)fattr->gencount - (long)nfsi->attr_gencount > 0) ++ if ((long)(fattr->gencount - nfsi->attr_gencount) > 0) + nfsi->attr_gencount = fattr->gencount; + } + +-- +2.30.2 + diff --git a/queue-4.4/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch b/queue-4.4/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch new file mode 100644 index 00000000000..e67e0fb5a4d 
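Review bot: The new comparisons `(long)(fattr->gencount - attr_gencount) > 0` rely on unsigned wrap followed by a signed reinterpretation, which is the intended idiom here but reads almost like the old overflow-prone form unless explained; the second hunk in nfs_update_inode() has the same shape. Suggest a comment at the first site, e.g. `/* unsigned subtraction, then signed compare (as in time_after()): correct across counter wrap */`. nfs_update_inode() extends beyond its hunk.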
--- /dev/null +++ b/queue-4.4/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch @@ -0,0 +1,43 @@ +From 434e7ea6e2792e4ea45b7205cf56e4c84693e072 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 15:30:25 -0400 +Subject: NFSv4.2 fix handling of sr_eof in SEEK's reply + +From: Olga Kornievskaia + +[ Upstream commit 73f5c88f521a630ea1628beb9c2d48a2e777a419 ] + +Currently the client ignores the value of the sr_eof of the SEEK +operation. According to the spec, if the server didn't find the +requested extent and reached the end of the file, the server +would return sr_eof=true. In case the request for DATA and no +data was found (ie in the middle of the hole), then the lseek +expects that ENXIO would be returned. + +Fixes: 1c6dcbe5ceff8 ("NFS: Implement SEEK") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs42proc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c +index 7f1a0fb8c493..31cc6f3d992d 100644 +--- a/fs/nfs/nfs42proc.c ++++ b/fs/nfs/nfs42proc.c +@@ -168,7 +168,10 @@ static loff_t _nfs42_proc_llseek(struct file *filep, loff_t offset, int whence) + if (status) + return status; + +- return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes); ++ if (whence == SEEK_DATA && res.sr_eof) ++ return -NFS4ERR_NXIO; ++ else ++ return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes); + } + + loff_t nfs42_proc_llseek(struct file *filep, loff_t offset, int whence) +-- +2.30.2 + diff --git a/queue-4.4/pci-release-of-node-in-pci_scan_device-s-error-path.patch b/queue-4.4/pci-release-of-node-in-pci_scan_device-s-error-path.patch new file mode 100644 index 00000000000..9fa85836a9c --- /dev/null +++ b/queue-4.4/pci-release-of-node-in-pci_scan_device-s-error-path.patch 
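Review bot: `return -NFS4ERR_NXIO;` hands a protocol error constant to a caller that expects a negative errno; this appears to work only because NFS4ERR_NXIO and ENXIO share a value, and the description itself says lseek expects ENXIO, so `return -ENXIO;` states the intent directly. The `else` after the early return is also redundant: `if (whence == SEEK_DATA && res.sr_eof) return -ENXIO;` followed by the unconditional `return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes);` reads cleaner in kernel style. _nfs42_proc_llseek() starts outside the hunk.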
@@ -0,0 +1,38 @@ +From 482bf3bf67705eaf699505fd2d9d2ba292d9be01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jan 2021 02:28:26 +0300 +Subject: PCI: Release OF node in pci_scan_device()'s error path + +From: Dmitry Baryshkov + +[ Upstream commit c99e755a4a4c165cad6effb39faffd0f3377c02d ] + +In pci_scan_device(), if pci_setup_device() fails for any reason, the code +will not release device's of_node by calling pci_release_of_node(). Fix +that by calling the release function. + +Fixes: 98d9f30c820d ("pci/of: Match PCI devices to OF nodes dynamically") +Link: https://lore.kernel.org/r/20210124232826.1879-1-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Bjorn Helgaas +Reviewed-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/pci/probe.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index becedabff141..63c62e2c8c0d 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1668,6 +1668,7 @@ static struct pci_dev *pci_scan_device(struct pci_bus *bus, int devfn) + pci_set_of_node(dev); + + if (pci_setup_device(dev)) { ++ pci_release_of_node(dev); + pci_bus_put(dev->bus); + kfree(dev); + return NULL; +-- +2.30.2 + diff --git a/queue-4.4/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch b/queue-4.4/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch new file mode 100644 index 00000000000..40fef5d22b6 --- /dev/null +++ b/queue-4.4/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch 
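Review bot: `pci_release_of_node(dev);` is the right call but undocumented; the error path now has to stay in reverse order of the setup sequence (of_node, bus reference, allocation), and nothing says so. Suggest `/* undo pci_set_of_node() before dropping the bus ref and freeing dev */` on the new line. pci_scan_device() starts and ends outside the hunk.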
@@ -0,0 +1,52 @@ +From 20d83549834200d05e548b64af21804600e017b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 11:56:49 +0300 +Subject: pNFS/flexfiles: fix incorrect size check in decode_nfs_fh() + +From: Nikola Livic + +[ Upstream commit ed34695e15aba74f45247f1ee2cf7e09d449f925 ] + +We (adam zabrocki, alexander matrosov, alexander tereshkin, maksym +bazalii) observed the check: + + if (fh->size > sizeof(struct nfs_fh)) + +should not use the size of the nfs_fh struct which includes an extra two +bytes from the size field. + +struct nfs_fh { + unsigned short size; + unsigned char data[NFS_MAXFHSIZE]; +} + +but should determine the size from data[NFS_MAXFHSIZE] so the memcpy +will not write 2 bytes beyond destination. The proposed fix is to +compare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs +code base. + +Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver") +Signed-off-by: Nikola Livic +Signed-off-by: Dan Carpenter +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/flexfilelayout/flexfilelayout.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c +index 17771e157e92..e7f8732895b7 100644 +--- a/fs/nfs/flexfilelayout/flexfilelayout.c ++++ b/fs/nfs/flexfilelayout/flexfilelayout.c +@@ -86,7 +86,7 @@ static int decode_nfs_fh(struct xdr_stream *xdr, struct nfs_fh *fh) + if (unlikely(!p)) + return -ENOBUFS; + fh->size = be32_to_cpup(p++); +- if (fh->size > sizeof(struct nfs_fh)) { ++ if (fh->size > NFS_MAXFHSIZE) { + printk(KERN_ERR "NFS flexfiles: Too big fh received %d\n", + fh->size); + return -EOVERFLOW; +-- +2.30.2 + diff --git a/queue-4.4/powerpc-iommu-annotate-nested-lock-for-lockdep.patch b/queue-4.4/powerpc-iommu-annotate-nested-lock-for-lockdep.patch new file mode 100644 index 00000000000..da3ab4582f4 --- /dev/null +++ b/queue-4.4/powerpc-iommu-annotate-nested-lock-for-lockdep.patch 
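Review bot: `if (fh->size > NFS_MAXFHSIZE)` now bounds a server-supplied length by the capacity of `fh->data`, which is the correct limit, but nothing in the code records why `sizeof(struct nfs_fh)` was wrong, so a later refactor could reintroduce the two-byte overrun. Suggest `/* bound by the data[] capacity, not sizeof(*fh): the size field adds two bytes */` above the check; the memcpy this protects is outside the hunk, so its use of fh->size as the copy length should be confirmed to be the only consumer. decode_nfs_fh() starts and ends outside the hunk.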
@@ -0,0 +1,70 @@ +From e63cbddb97938e08f393a82ec097089b1791dee6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 17:36:53 +1100 +Subject: powerpc/iommu: Annotate nested lock for lockdep + +From: Alexey Kardashevskiy + +[ Upstream commit cc7130bf119add37f36238343a593b71ef6ecc1e ] + +The IOMMU table is divided into pools for concurrent mappings and each +pool has a separate spinlock. When taking the ownership of an IOMMU group +to pass through a device to a VM, we lock these spinlocks which triggers +a false negative warning in lockdep (below). + +This fixes it by annotating the large pool's spinlock as a nest lock +which makes lockdep not complaining when locking nested locks if +the nest lock is locked already. + +=== +WARNING: possible recursive locking detected +5.11.0-le_syzkaller_a+fstn1 #100 Not tainted +-------------------------------------------- +qemu-system-ppc/4129 is trying to acquire lock: +c0000000119bddb0 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0 + +but task is already holding lock: +c0000000119bdd30 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&(p->lock)/1); + lock(&(p->lock)/1); +=== + +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210301063653.51003-1-aik@ozlabs.ru +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/iommu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c +index 4c9b5970af37..282ad1930593 100644 +--- a/arch/powerpc/kernel/iommu.c ++++ b/arch/powerpc/kernel/iommu.c +@@ -1019,7 +1019,7 @@ int iommu_take_ownership(struct iommu_table *tbl) + + spin_lock_irqsave(&tbl->large_pool.lock, flags); + for (i = 0; i < tbl->nr_pools; i++) +- spin_lock(&tbl->pools[i].lock); ++ spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock); + + 
if (tbl->it_offset == 0) + clear_bit(0, tbl->it_map); +@@ -1048,7 +1048,7 @@ void iommu_release_ownership(struct iommu_table *tbl) + + spin_lock_irqsave(&tbl->large_pool.lock, flags); + for (i = 0; i < tbl->nr_pools; i++) +- spin_lock(&tbl->pools[i].lock); ++ spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock); + + memset(tbl->it_map, 0, sz); + +-- +2.30.2 + diff --git a/queue-4.4/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch b/queue-4.4/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch new file mode 100644 index 00000000000..e7811cbd4a4 --- /dev/null +++ b/queue-4.4/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch 
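Review bot: The `spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock)` annotation (here and in the iommu_release_ownership() hunk) tells lockdep that large_pool.lock serialises every path that takes several pool locks at once, but that invariant is not written down; if some other path nests pool locks without holding large_pool.lock, the annotation would hide a real deadlock rather than a false positive. Suggest a comment above the loop at both sites, e.g. `/* large_pool.lock is held and serialises any taker of multiple pool locks, so lockdep treats these as a nest */`. Both enclosing functions extend beyond their hunks.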
@@ -0,0 +1,52 @@ +From 6ddcff5d29fa0f47f8a5c7a1454912fc4fa66d51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 May 2021 04:41:20 +0800 +Subject: sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b + +From: Xin Long + +[ Upstream commit f282df0391267fb2b263da1cc3233aa6fb81defc ] + +Normally SCTP_MIB_CURRESTAB is always incremented once asoc enter into +ESTABLISHED from the state < ESTABLISHED and decremented when the asoc +is being deleted. + +However, in sctp_sf_do_dupcook_b(), the asoc's state can be changed to +ESTABLISHED from the state >= ESTABLISHED where it shouldn't increment +SCTP_MIB_CURRESTAB. Otherwise, one asoc may increment MIB_CURRESTAB +multiple times but only decrement once at the end. + +I was able to reproduce it by using scapy to do the 4-way shakehands, +after that I replayed the COOKIE-ECHO chunk with 'peer_vtag' field +changed to different values, and SCTP_MIB_CURRESTAB was incremented +multiple times and never went back to 0 even when the asoc was freed. + +This patch is to fix it by only incrementing SCTP_MIB_CURRESTAB when +the state < ESTABLISHED in sctp_sf_do_dupcook_b(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index a9a72f7e0cd7..a9ba6f2bb8c8 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -1851,7 +1851,8 @@ static sctp_disposition_t sctp_sf_do_dupcook_b(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, + SCTP_STATE(SCTP_STATE_ESTABLISHED)); +- SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); ++ if (asoc->state < SCTP_STATE_ESTABLISHED) ++ SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); + sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); + + repl = sctp_make_cookie_ack(new_asoc, chunk); +-- +2.30.2 + diff --git a/queue-4.4/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch b/queue-4.4/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch new file mode 100644 index 00000000000..0e4a51a98b7 --- /dev/null +++ b/queue-4.4/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch 
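Review bot: `if (asoc->state < SCTP_STATE_ESTABLISHED)` depends on the ordering of the SCTP state enum, and that assumption is not stated; a comment such as `/* count the transition once: asoc may already be ESTABLISHED or beyond on a duplicate COOKIE-ECHO */` would tie the check to the counter leak it fixes. The SCTP_CMD_NEW_STATE command queued just above is presumably applied after this function returns, so the check reads the pre-transition state as intended, but that is worth confirming. sctp_sf_do_dupcook_b() starts and ends outside the hunk.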
@@ -0,0 +1,44 @@ +From 41af2c567e5d0cbcda29cf69a4b59bb4075b7601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 14:12:36 -0500 +Subject: sctp: Fix out-of-bounds warning in sctp_process_asconf_param() + +From: Gustavo A. R. Silva + +[ Upstream commit e5272ad4aab347dde5610c0aedb786219e3ff793 ] + +Fix the following out-of-bounds warning: + +net/sctp/sm_make_chunk.c:3150:4: warning: 'memcpy' offset [17, 28] from the object at 'addr' is out of the bounds of referenced subobject 'v4' with type 'struct sockaddr_in' at offset 0 [-Warray-bounds] + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +Link: https://github.com/KSPP/linux/issues/109 +Reported-by: kernel test robot +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Kees Cook +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/sm_make_chunk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index e3e44237de1c..9de03d2e5da9 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -3119,7 +3119,7 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, + * primary. + */ + if (af->is_any(&addr)) +- memcpy(&addr.v4, sctp_source(asconf), sizeof(addr)); ++ memcpy(&addr, sctp_source(asconf), sizeof(addr)); + + peer = sctp_assoc_lookup_paddr(asoc, &addr); + if (!peer) +-- +2.30.2 + diff --git a/queue-4.4/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch b/queue-4.4/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch new file mode 100644 index 00000000000..1d369a2b32e --- /dev/null +++ b/queue-4.4/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch 
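Review bot: `memcpy(&addr, sctp_source(asconf), sizeof(addr));` silences the warning, but the copy size is taken from the destination, so it still relies on sctp_source() returning a full `union sctp_addr`; a plain assignment `addr = *sctp_source(asconf);` lets the compiler check that instead of memcpy. sctp_process_asconf_param() starts and ends outside the hunk.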
@@ -0,0 +1,42 @@ +From afde92857c0cd3808db9c2c6e7a399fcf104590a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Apr 2021 08:34:13 -0700 +Subject: selftests: Set CC to clang in lib.mk if LLVM is set + +From: Yonghong Song + +[ Upstream commit 26e6dd1072763cd5696b75994c03982dde952ad9 ] + +selftests/bpf/Makefile includes lib.mk. With the following command + make -j60 LLVM=1 LLVM_IAS=1 <=== compile kernel + make -j60 -C tools/testing/selftests/bpf LLVM=1 LLVM_IAS=1 V=1 +some files are still compiled with gcc. This patch +fixed lib.mk issue which sets CC to gcc in all cases. + +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210413153413.3027426-1-yhs@fb.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/lib.mk | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk +index 50a93f5f13d6..d8fa6c72b7ca 100644 +--- a/tools/testing/selftests/lib.mk ++++ b/tools/testing/selftests/lib.mk +@@ -1,6 +1,10 @@ + # This mimics the top-level Makefile. We do it explicitly here so that this + # Makefile can operate with or without the kbuild infrastructure. ++ifneq ($(LLVM),) ++CC := clang ++else + CC := $(CROSS_COMPILE)gcc ++endif + + define RUN_TESTS + @for TEST in $(TEST_PROGS); do \ +-- +2.30.2 + diff --git a/queue-4.4/series b/queue-4.4/series index ea8c1b1ddf1..b8524aa2cc3 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
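Review bot: `CC := clang` drops `$(CROSS_COMPILE)` entirely on the LLVM path, whereas the gcc branch keeps it; if the top-level Makefile this mimics passes the target through its own clang flags when cross-compiling, lib.mk does not replicate that, so `LLVM=1` cross builds may silently produce host binaries — worth confirming. A short comment on the new `ifneq ($(LLVM),)` block saying it intentionally mirrors the top-level CC selection would also help future readers keep the two in sync.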
@@ -132,3 +132,30 @@ net-nfc-digital-fix-a-double-free-in-digital_tg_recv.patch kfifo-fix-ternary-sign-extension-bugs.patch revert-net-sctp-fix-race-condition-in-sctp_destroy_sock.patch sctp-delay-auto_asconf-init-until-binding-the-first-addr.patch +fs-dlm-fix-debugfs-dump.patch +tipc-convert-dest-node-s-address-to-network-order.patch +net-stmmac-set-fifo-sizes-for-ipq806x.patch +alsa-hdsp-don-t-disable-if-not-enabled.patch +alsa-hdspm-don-t-disable-if-not-enabled.patch +alsa-rme9652-don-t-disable-if-not-enabled.patch +bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch +bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch +ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch +mac80211-clear-the-beacon-s-crc-after-channel-switch.patch +cuse-prevent-clone.patch +selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch +kconfig-nconf-stop-endless-search-loops.patch +sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch +asoc-rt286-generalize-support-for-alc3263-codec.patch +wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch +wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch +powerpc-iommu-annotate-nested-lock-for-lockdep.patch +asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch +pci-release-of-node-in-pci_scan_device-s-error-path.patch +nfs-deal-correctly-with-attribute-generation-counter.patch +pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch +nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch +sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch +drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch +ksm-fix-potential-missing-rmap_item-for-stable_node.patch +kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch diff --git a/queue-4.4/tipc-convert-dest-node-s-address-to-network-order.patch b/queue-4.4/tipc-convert-dest-node-s-address-to-network-order.patch new file mode 100644 index 00000000000..0457ff7edb6 --- /dev/null 
+++ b/queue-4.4/tipc-convert-dest-node-s-address-to-network-order.patch @@ -0,0 +1,41 @@ +From 5cfff4bbe2e31ed0b3e14f133a8b5cf4fda1999b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 10:33:22 +0700 +Subject: tipc: convert dest node's address to network order + +From: Hoang Le + +[ Upstream commit 1980d37565061ab44bdc2f9e4da477d3b9752e81 ] + +(struct tipc_link_info)->dest is in network order (__be32), so we must +convert the value to network order before assigning. The problem detected +by sparse: + +net/tipc/netlink_compat.c:699:24: warning: incorrect type in assignment (different base types) +net/tipc/netlink_compat.c:699:24: expected restricted __be32 [usertype] dest +net/tipc/netlink_compat.c:699:24: got int + +Acked-by: Jon Maloy +Signed-off-by: Hoang Le +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/netlink_compat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c +index 0975a28f8686..fb1b5dcf0142 100644 +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -632,7 +632,7 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg, + + nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL); + +- link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]); ++ link_info.dest = htonl(nla_get_flag(link[TIPC_NLA_LINK_DEST])); + link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP])); + nla_strlcpy(link_info.str, link[TIPC_NLA_LINK_NAME], + TIPC_MAX_LINK_NAME); +-- +2.30.2 + diff --git a/queue-4.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch b/queue-4.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch new file mode 100644 index 00000000000..bd46aa486c0 --- /dev/null +++ b/queue-4.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch 
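Review bot: `htonl(nla_get_flag(link[TIPC_NLA_LINK_DEST]))` fixes the byte-order type mismatch but keeps nla_get_flag(), which returns only whether the attribute is present (0 or 1), not its payload; if TIPC_NLA_LINK_DEST carries a u32 node address, as the field name `dest` suggests, `nla_get_u32()` is the matching accessor and the compat dump is reporting 1 instead of the address — please confirm against the link attribute policy. tipc_nl_compat_link_dump() starts and ends outside the hunk.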
@@ -0,0 +1,286 @@
+From 4fb03d3a8443db8a4e62929879c61a166944fe9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Apr 2021 18:45:15 -0500
+Subject: wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join
+
+From: Gustavo A. R. Silva
+
+[ Upstream commit bb43e5718d8f1b46e7a77e7b39be3c691f293050 ]
+
+Fix the following out-of-bounds warnings by adding a new structure
+wl3501_req instead of duplicating the same members in structure
+wl3501_join_req and wl3501_scan_confirm:
+
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [39, 108] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 36 [-Warray-bounds]
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [25, 95] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 22 [-Warray-bounds]
+
+Refactor the code, accordingly:
+
+$ pahole -C wl3501_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_req {
+ u16 beacon_period; /* 0 2 */
+ u16 dtim_period; /* 2 2 */
+ u16 cap_info; /* 4 2 */
+ u8 bss_type; /* 6 1 */
+ u8 bssid[6]; /* 7 6 */
+ struct iw_mgmt_essid_pset ssid; /* 13 34 */
+ struct iw_mgmt_ds_pset ds_pset; /* 47 3 */
+ struct iw_mgmt_cf_pset cf_pset; /* 50 8 */
+ struct iw_mgmt_ibss_pset ibss_pset; /* 58 4 */
+ struct iw_mgmt_data_rset bss_basic_rset; /* 62 10 */
+
+ /* size: 72, cachelines: 2, members: 10 */
+ /* last cacheline: 8 bytes */
+};
+
+$ pahole -C wl3501_join_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_join_req {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 reserved; /* 3 1 */
+ struct iw_mgmt_data_rset operational_rset; /* 4 10 */
+ u16 reserved2; /* 14 2 */
+ u16 timeout; /* 16 2 */
+ u16 probe_delay; /* 18 2 */
+ u8 timestamp[8]; /* 20 8 */
+ u8 local_time[8]; /* 28 8 */
+ struct wl3501_req req; /* 36 72 */
+
+ /* size: 108, cachelines: 2, members: 10 */
+ /* last cacheline: 44 bytes */
+};
+
+$ pahole -C wl3501_scan_confirm drivers/net/wireless/wl3501_cs.o
+struct wl3501_scan_confirm {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 reserved; /* 3 1 */
+ u16 status; /* 4 2 */
+ char timestamp[8]; /* 6 8 */
+ char localtime[8]; /* 14 8 */
+ struct wl3501_req req; /* 22 72 */
+ /* --- cacheline 1 boundary (64 bytes) was 30 bytes ago --- */
+ u8 rssi; /* 94 1 */
+
+ /* size: 96, cachelines: 2, members: 8 */
+ /* padding: 1 */
+ /* last cacheline: 32 bytes */
+};
+
+The problem is that the original code is trying to copy data into a
+bunch of struct members adjacent to each other in a single call to
+memcpy(). Now that a new struct wl3501_req enclosing all those adjacent
+members is introduced, memcpy() doesn't overrun the length of
+&sig.beacon_period and &this->bss_set[i].beacon_period, because the
+address of the new struct object _req_ is used as the destination,
+instead.
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot
+Signed-off-by: Gustavo A. R. Silva
+Reviewed-by: Kees Cook
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1fbaf516da763b50edac47d792a9145aa4482e29.1618442265.git.gustavoars@kernel.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/wl3501.h | 35 +++++++++++--------------
+ drivers/net/wireless/wl3501_cs.c | 44 +++++++++++++++++---------------
+ 2 files changed, 38 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
+index ba2a36cfb1c8..ca2021bcac14 100644
+--- a/drivers/net/wireless/wl3501.h
++++ b/drivers/net/wireless/wl3501.h
+@@ -378,16 +378,7 @@ struct wl3501_get_confirm {
+ u8 mib_value[100];
+ };
+
+-struct wl3501_join_req {
+- u16 next_blk;
+- u8 sig_id;
+- u8 reserved;
+- struct iw_mgmt_data_rset operational_rset;
+- u16 reserved2;
+- u16 timeout;
+- u16 probe_delay;
+- u8 timestamp[8];
+- u8 local_time[8];
++struct wl3501_req {
+ u16 beacon_period;
+ u16 dtim_period;
+ u16 cap_info;
+@@ -400,6 +391,19 @@ struct wl3501_join_req {
+ struct iw_mgmt_data_rset bss_basic_rset;
+ };
+
++struct wl3501_join_req {
++ u16 next_blk;
++ u8 sig_id;
++ u8 reserved;
++ struct iw_mgmt_data_rset operational_rset;
++ u16 reserved2;
++ u16 timeout;
++ u16 probe_delay;
++ u8 timestamp[8];
++ u8 local_time[8];
++ struct wl3501_req req;
++};
++
+ struct wl3501_join_confirm {
+ u16 next_blk;
+ u8 sig_id;
+@@ -442,16 +446,7 @@ struct wl3501_scan_confirm {
+ u16 status;
+ char timestamp[8];
+ char localtime[8];
+- u16 beacon_period;
+- u16 dtim_period;
+- u16 cap_info;
+- u8 bss_type;
+- u8 bssid[ETH_ALEN];
+- struct iw_mgmt_essid_pset ssid;
+- struct iw_mgmt_ds_pset ds_pset;
+- struct iw_mgmt_cf_pset cf_pset;
+- struct iw_mgmt_ibss_pset ibss_pset;
+- struct iw_mgmt_data_rset bss_basic_rset;
++ struct wl3501_req req;
+ u8 rssi;
+ };
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index 15613f4761f4..f91f7bd90b85 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -578,7 +578,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
+ struct wl3501_join_req sig = {
+ .sig_id = WL3501_SIG_JOIN_REQ,
+ .timeout = 10,
+- .ds_pset = {
++ .req.ds_pset = {
+ .el = {
+ .id = IW_MGMT_INFO_ELEMENT_DS_PARAMETER_SET,
+ .len = 1,
+@@ -587,7 +587,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
+ },
+ };
+
+- memcpy(&sig.beacon_period, &this->bss_set[stas].beacon_period, 72);
++ memcpy(&sig.req, &this->bss_set[stas].req, sizeof(sig.req));
+ return wl3501_esbq_exec(this, &sig, sizeof(sig));
+ }
+
+@@ -655,35 +655,37 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr)
+ if (sig.status == WL3501_STATUS_SUCCESS) {
+ pr_debug("success");
+ if ((this->net_type == IW_MODE_INFRA &&
+- (sig.cap_info & WL3501_MGMT_CAPABILITY_ESS)) ||
++ (sig.req.cap_info & WL3501_MGMT_CAPABILITY_ESS)) ||
+ (this->net_type == IW_MODE_ADHOC &&
+- (sig.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) ||
++ (sig.req.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) ||
+ this->net_type == IW_MODE_AUTO) {
+ if (!this->essid.el.len)
+ matchflag = 1;
+ else if (this->essid.el.len == 3 &&
+ !memcmp(this->essid.essid, "ANY", 3))
+ matchflag = 1;
+- else if (this->essid.el.len != sig.ssid.el.len)
++ else if (this->essid.el.len != sig.req.ssid.el.len)
+ matchflag = 0;
+- else if (memcmp(this->essid.essid, sig.ssid.essid,
++ else if (memcmp(this->essid.essid, sig.req.ssid.essid,
+ this->essid.el.len))
+ matchflag = 0;
+ else
+ matchflag = 1;
+ if (matchflag) {
+ for (i = 0; i < this->bss_cnt; i++) {
+- if (ether_addr_equal_unaligned(this->bss_set[i].bssid, sig.bssid)) {
++ if (ether_addr_equal_unaligned(this->bss_set[i].req.bssid,
++ sig.req.bssid)) {
+ matchflag = 0;
+ break;
+ }
+ }
+ }
+ if (matchflag && (i < 20)) {
+- memcpy(&this->bss_set[i].beacon_period,
+- &sig.beacon_period, 73);
++ memcpy(&this->bss_set[i].req,
++ &sig.req, sizeof(sig.req));
+ this->bss_cnt++;
+ this->rssi = sig.rssi;
++ this->bss_set[i].rssi = sig.rssi;
+ }
+ }
+ } else if (sig.status == WL3501_STATUS_TIMEOUT) {
+@@ -875,19 +877,19 @@ static void wl3501_mgmt_join_confirm(struct net_device *dev, u16 addr)
+ if (this->join_sta_bss < this->bss_cnt) {
+ const int i = this->join_sta_bss;
+ memcpy(this->bssid,
+- this->bss_set[i].bssid, ETH_ALEN);
+- this->chan = this->bss_set[i].ds_pset.chan;
++ this->bss_set[i].req.bssid, ETH_ALEN);
++ this->chan = this->bss_set[i].req.ds_pset.chan;
+ iw_copy_mgmt_info_element(&this->keep_essid.el,
+- &this->bss_set[i].ssid.el);
++ &this->bss_set[i].req.ssid.el);
+ wl3501_mgmt_auth(this);
+ }
+ } else {
+ const int i = this->join_sta_bss;
+
+- memcpy(&this->bssid, &this->bss_set[i].bssid, ETH_ALEN);
+- this->chan = this->bss_set[i].ds_pset.chan;
++ memcpy(&this->bssid, &this->bss_set[i].req.bssid, ETH_ALEN);
++ this->chan = this->bss_set[i].req.ds_pset.chan;
+ iw_copy_mgmt_info_element(&this->keep_essid.el,
+- &this->bss_set[i].ssid.el);
++ &this->bss_set[i].req.ssid.el);
+ wl3501_online(dev);
+ }
+ } else {
+@@ -1566,30 +1568,30 @@ static int wl3501_get_scan(struct net_device *dev, struct iw_request_info *info,
+ for (i = 0; i < this->bss_cnt; ++i) {
+ iwe.cmd = SIOCGIWAP;
+ iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
+- memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].bssid, ETH_ALEN);
++ memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].req.bssid, ETH_ALEN);
+ current_ev = iwe_stream_add_event(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe, IW_EV_ADDR_LEN);
+ iwe.cmd = SIOCGIWESSID;
+ iwe.u.data.flags = 1;
+- iwe.u.data.length = this->bss_set[i].ssid.el.len;
++ iwe.u.data.length = this->bss_set[i].req.ssid.el.len;
+ current_ev = iwe_stream_add_point(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe,
+- this->bss_set[i].ssid.essid);
++ this->bss_set[i].req.ssid.essid);
+ iwe.cmd = SIOCGIWMODE;
+- iwe.u.mode = this->bss_set[i].bss_type;
++ iwe.u.mode = this->bss_set[i].req.bss_type;
+ current_ev = iwe_stream_add_event(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe, IW_EV_UINT_LEN);
+ iwe.cmd = SIOCGIWFREQ;
+- iwe.u.freq.m = this->bss_set[i].ds_pset.chan;
++ iwe.u.freq.m = this->bss_set[i].req.ds_pset.chan;
+ iwe.u.freq.e = 0;
+ current_ev = iwe_stream_add_event(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe, IW_EV_FREQ_LEN);
+ iwe.cmd = SIOCGIWENCODE;
+- if (this->bss_set[i].cap_info & WL3501_MGMT_CAPABILITY_PRIVACY)
++ if (this->bss_set[i].req.cap_info & WL3501_MGMT_CAPABILITY_PRIVACY)
+ iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
+ else
+ iwe.u.data.flags = IW_ENCODE_DISABLED;
+--
+2.30.2
+
diff --git a/queue-4.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch b/queue-4.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch
new file mode 100644
index 00000000000..314d34ed71e
--- /dev/null
+++ b/queue-4.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch
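Review bot: In wl3501_mgmt_scan_confirm the store into `this->bss_set[i]` is still guarded by the literal `if (matchflag && (i < 20))` while the copy right after it now sizes itself from `sizeof(sig.req)`; the bound should be derived the same way, `if (matchflag && (i < ARRAY_SIZE(this->bss_set)))`, so that a later resize of bss_set (declared outside this hunk, presumably 20 entries) cannot reopen the overrun this series is closing. The same question applies to wl3501_mgmt_join, where `memcpy(&sig.req, &this->bss_set[stas].req, sizeof(sig.req));` indexes bss_set with the caller-supplied stas and no comparison against bss_cnt is visible in the hunk; the function's body starts before the hunk, so the check may live there. The added `this->bss_set[i].rssi = sig.rssi;` does account for the 73rd byte that the old 73-byte memcpy carried, since the pahole output in the commit message places rssi at offset 94 immediately after the 72-byte req at offset 22, so that part of the refactor is covered.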
@@ -0,0 +1,147 @@
+From 3426230e6477298dc5f012f4a834407d0409bb36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Apr 2021 18:43:19 -0500
+Subject: wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt
+
+From: Gustavo A. R. Silva
+
+[ Upstream commit 820aa37638a252b57967bdf4038a514b1ab85d45 ]
+
+Fix the following out-of-bounds warnings by enclosing structure members
+daddr and saddr into new struct addr, in structures wl3501_md_req and
+wl3501_md_ind:
+
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
+
+Refactor the code, accordingly:
+
+$ pahole -C wl3501_md_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_md_req {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 routing; /* 3 1 */
+ u16 data; /* 4 2 */
+ u16 size; /* 6 2 */
+ u8 pri; /* 8 1 */
+ u8 service_class; /* 9 1 */
+ struct {
+ u8 daddr[6]; /* 10 6 */
+ u8 saddr[6]; /* 16 6 */
+ } addr; /* 10 12 */
+
+ /* size: 22, cachelines: 1, members: 8 */
+ /* last cacheline: 22 bytes */
+};
+
+$ pahole -C wl3501_md_ind drivers/net/wireless/wl3501_cs.o
+struct wl3501_md_ind {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 routing; /* 3 1 */
+ u16 data; /* 4 2 */
+ u16 size; /* 6 2 */
+ u8 reception; /* 8 1 */
+ u8 pri; /* 9 1 */
+ u8 service_class; /* 10 1 */
+ struct {
+ u8 daddr[6]; /* 11 6 */
+ u8 saddr[6]; /* 17 6 */
+ } addr; /* 11 12 */
+
+ /* size: 24, cachelines: 1, members: 9 */
+ /* padding: 1 */
+ /* last cacheline: 24 bytes */
+};
+
+The problem is that the original code is trying to copy data into a
+couple of arrays adjacent to each other in a single call to memcpy().
+Now that a new struct _addr_ enclosing those two adjacent arrays
+is introduced, memcpy() doesn't overrun the length of &sig.daddr[0]
+and &sig.daddr, because the address of the new struct object _addr_
+is used, instead.
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot
+Reviewed-by: Kees Cook
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/d260fe56aed7112bff2be5b4d152d03ad7b78e78.1618442265.git.gustavoars@kernel.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/wl3501.h | 12 ++++++++----
+ drivers/net/wireless/wl3501_cs.c | 10 ++++++----
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
+index 3fbfd19818f1..ba2a36cfb1c8 100644
+--- a/drivers/net/wireless/wl3501.h
++++ b/drivers/net/wireless/wl3501.h
+@@ -470,8 +470,10 @@ struct wl3501_md_req {
+ u16 size;
+ u8 pri;
+ u8 service_class;
+- u8 daddr[ETH_ALEN];
+- u8 saddr[ETH_ALEN];
++ struct {
++ u8 daddr[ETH_ALEN];
++ u8 saddr[ETH_ALEN];
++ } addr;
+ };
+
+ struct wl3501_md_ind {
+@@ -483,8 +485,10 @@ struct wl3501_md_ind {
+ u8 reception;
+ u8 pri;
+ u8 service_class;
+- u8 daddr[ETH_ALEN];
+- u8 saddr[ETH_ALEN];
++ struct {
++ u8 daddr[ETH_ALEN];
++ u8 saddr[ETH_ALEN];
++ } addr;
+ };
+
+ struct wl3501_md_confirm {
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index d5c371d77ddf..15613f4761f4 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -457,6 +457,7 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
+ struct wl3501_md_req sig = {
+ .sig_id = WL3501_SIG_MD_REQ,
+ };
++ size_t sig_addr_len = sizeof(sig.addr);
+ u8 *pdata = (char *)data;
+ int rc = -EIO;
+
+@@ -472,9 +473,9 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
+ goto out;
+ }
+ rc = 0;
+- memcpy(&sig.daddr[0], pdata, 12);
+- pktlen = len - 12;
+- pdata += 12;
++ memcpy(&sig.addr, pdata, sig_addr_len);
++ pktlen = len - sig_addr_len;
++ pdata += sig_addr_len;
+ sig.data = bf;
+ if (((*pdata) * 256 + (*(pdata + 1))) > 1500) {
+ u8 addr4[ETH_ALEN] = {
+@@ -968,7 +969,8 @@ static inline void wl3501_md_ind_interrupt(struct net_device *dev,
+ } else {
+ skb->dev = dev;
+ skb_reserve(skb, 2); /* IP headers on 16 bytes boundaries */
+- skb_copy_to_linear_data(skb, (unsigned char *)&sig.daddr, 12);
++ skb_copy_to_linear_data(skb, (unsigned char *)&sig.addr,
++ sizeof(sig.addr));
+ wl3501_receive(this, skb->data, pkt_len);
+ skb_put(skb, pkt_len);
+ skb->protocol = eth_type_trans(skb, dev);
+--
+2.30.2
+
--
2.47.3
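Review bot: `++ pktlen = len - sig_addr_len;` moves the subtraction from int into size_t arithmetic: len is a u16 per the signature in the hunk header, so a frame shorter than sizeof(sig.addr) now yields a wrapped-around value where the old `len - 12` produced a negative int, and whether pktlen's type or an earlier length check (both outside the hunk) catches that is not visible here. A guard ahead of the copy, `if (len < sig_addr_len) goto out;` placed before `rc = 0;` so the -EIO the function is initialised with is what gets returned, makes the new arithmetic safe regardless; the `(*pdata) * 256 + (*(pdata + 1))` read that follows needs two further bytes, so `len < sig_addr_len + 2` is the tighter bound. The context line `u8 *pdata = (char *)data;` mixes pointer types and is pre-existing. wl3501_send_pkt begins before the hunk and its tail, including the out: label, lies outside it.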