From 6f0f7e8485811465505f6dce139be152cc3502a7 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 18 Feb 2022 15:55:41 +0100 Subject: [PATCH] 5.4-stable patches added patches: bonding-fix-data-races-around-agg_select_timer.patch bonding-force-carrier-update-when-releasing-slave.patch drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch iwlwifi-pcie-fix-locking-when-hw-not-ready.patch iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch libsubcmd-fix-use-after-free-for-realloc-...-0.patch net-dsa-lan9303-add-vlan-ids-to-master-device.patch net-dsa-lan9303-fix-reset-on-probe.patch net-ieee802154-ca8210-fix-lifs-sifs-periods.patch netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch --- ...x-data-races-around-agg_select_timer.patch | 138 ++++++++++++++++++ ...-carrier-update-when-releasing-slave.patch | 49 +++++++ ...ropmon_net_event-trace_napi_poll_hit.patch | 103 +++++++++++++ ...i-pcie-fix-locking-when-hw-not-ready.patch | 34 +++++ ...e-gen2-fix-locking-when-hw-not-ready.patch | 34 +++++ ...fix-use-after-free-for-realloc-...-0.patch | 66 +++++++++ ...an9303-add-vlan-ids-to-master-device.patch | 75 ++++++++++ .../net-dsa-lan9303-fix-reset-on-probe.patch | 36 +++++ ...e802154-ca8210-fix-lifs-sifs-periods.patch | 36 +++++ ...-unregister-hooks-on-init-error-path.patch | 32 ++++ ...he-dif-and-sdif-check-in-ping_lookup.patch | 78 ++++++++++ queue-5.4/series | 11 ++ 12 files changed, 692 insertions(+) create mode 100644 queue-5.4/bonding-fix-data-races-around-agg_select_timer.patch create mode 100644 queue-5.4/bonding-force-carrier-update-when-releasing-slave.patch create mode 100644 queue-5.4/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch create mode 100644 queue-5.4/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch create mode 100644 queue-5.4/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch create mode 100644 queue-5.4/libsubcmd-fix-use-after-free-for-realloc-...-0.patch create mode 100644 
queue-5.4/net-dsa-lan9303-add-vlan-ids-to-master-device.patch create mode 100644 queue-5.4/net-dsa-lan9303-fix-reset-on-probe.patch create mode 100644 queue-5.4/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch create mode 100644 queue-5.4/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch create mode 100644 queue-5.4/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch
diff --git a/queue-5.4/bonding-fix-data-races-around-agg_select_timer.patch b/queue-5.4/bonding-fix-data-races-around-agg_select_timer.patch
new file mode 100644
index 00000000000..f4cdc4fd2e3
--- /dev/null
+++ b/queue-5.4/bonding-fix-data-races-around-agg_select_timer.patch
@@ -0,0 +1,138 @@
+From 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 14 Feb 2022 11:15:53 -0800
+Subject: bonding: fix data-races around agg_select_timer
+
+From: Eric Dumazet
+
+commit 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 upstream.
+
+syzbot reported that two threads might write over agg_select_timer
+at the same time. Make agg_select_timer atomic to fix the races.
+
+BUG: KCSAN: data-race in bond_3ad_initiate_agg_selection / bond_3ad_state_machine_handler
+
+read to 0xffff8881242aea90 of 4 bytes by task 1846 on cpu 1:
+ bond_3ad_state_machine_handler+0x99/0x2810 drivers/net/bonding/bond_3ad.c:2317
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+write to 0xffff8881242aea90 of 4 bytes by task 25910 on cpu 0:
+ bond_3ad_initiate_agg_selection+0x18/0x30 drivers/net/bonding/bond_3ad.c:1998
+ bond_open+0x658/0x6f0 drivers/net/bonding/bond_main.c:3967
+ __dev_open+0x274/0x3a0 net/core/dev.c:1407
+ dev_open+0x54/0x190 net/core/dev.c:1443
+ bond_enslave+0xcef/0x3000 drivers/net/bonding/bond_main.c:1937
+ do_set_master net/core/rtnetlink.c:2532 [inline]
+ do_setlink+0x94f/0x2500 net/core/rtnetlink.c:2736
+ __rtnl_newlink net/core/rtnetlink.c:3414 [inline]
+ rtnl_newlink+0xfeb/0x13e0 net/core/rtnetlink.c:3529
+ rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594
+ netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494
+ rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:705 [inline]
+ sock_sendmsg net/socket.c:725 [inline]
+ ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
+ ___sys_sendmsg net/socket.c:2467 [inline]
+ __sys_sendmsg+0x195/0x230 net/socket.c:2496
+ __do_sys_sendmsg net/socket.c:2505 [inline]
+ __se_sys_sendmsg net/socket.c:2503 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00000050 -> 0x0000004f
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 25910 Comm: syz-executor.1 Tainted: G W 5.17.0-rc4-syzkaller-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Jay Vosburgh
+Cc: Veaceslav Falico
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_3ad.c | 30 +++++++++++++++++++++++++-----
+ include/net/bond_3ad.h | 2 +-
+ 2 files changed, 26 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -233,7 +233,7 @@ static inline int __check_agg_selection_
+ if (bond == NULL)
+ return 0;
+
+- return BOND_AD_INFO(bond).agg_select_timer ? 1 : 0;
++ return atomic_read(&BOND_AD_INFO(bond).agg_select_timer) ? 1 : 0;
+ }
+
+ /**
+@@ -1985,7 +1985,7 @@ static void ad_marker_response_received(
+ */
+ void bond_3ad_initiate_agg_selection(struct bonding *bond, int timeout)
+ {
+- BOND_AD_INFO(bond).agg_select_timer = timeout;
++ atomic_set(&BOND_AD_INFO(bond).agg_select_timer, timeout);
+ }
+
+ /**
+@@ -2269,6 +2269,28 @@ void bond_3ad_update_ad_actor_settings(s
+ }
+
+ /**
++ * bond_agg_timer_advance - advance agg_select_timer
++ * @bond: bonding structure
++ *
++ * Return true when agg_select_timer reaches 0.
++ */
++static bool bond_agg_timer_advance(struct bonding *bond)
++{
++ int val, nval;
++
++ while (1) {
++ val = atomic_read(&BOND_AD_INFO(bond).agg_select_timer);
++ if (!val)
++ return false;
++ nval = val - 1;
++ if (atomic_cmpxchg(&BOND_AD_INFO(bond).agg_select_timer,
++ val, nval) == val)
++ break;
++ }
++ return nval == 0;
++}
++
++/**
+ * bond_3ad_state_machine_handler - handle state machines timeout
+ * @bond: bonding struct to work on
+ *
+@@ -2303,9 +2325,7 @@ void bond_3ad_state_machine_handler(stru
+ if (!bond_has_slaves(bond))
+ goto re_arm;
+
+- /* check if agg_select_timer timer after initialize is timed out */
+- if (BOND_AD_INFO(bond).agg_select_timer &&
+- !(--BOND_AD_INFO(bond).agg_select_timer)) {
++ if (bond_agg_timer_advance(bond)) {
+ slave = bond_first_slave_rcu(bond);
+ port = slave ? &(SLAVE_AD_INFO(slave)->port) : NULL;
+
+--- a/include/net/bond_3ad.h
++++ b/include/net/bond_3ad.h
+@@ -262,7 +262,7 @@ struct ad_system {
+ struct ad_bond_info {
+ struct ad_system system; /* 802.3ad system structure */
+ struct bond_3ad_stats stats;
+- u32 agg_select_timer; /* Timer to select aggregator after all adapter's hand shakes */
++ atomic_t agg_select_timer; /* Timer to select aggregator after all adapter's hand shakes */
+ u16 aggregator_identifier;
+ };
+
diff --git a/queue-5.4/bonding-force-carrier-update-when-releasing-slave.patch b/queue-5.4/bonding-force-carrier-update-when-releasing-slave.patch
new file mode 100644
index 00000000000..462e4ff3f76
--- /dev/null
+++ b/queue-5.4/bonding-force-carrier-update-when-releasing-slave.patch
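Review bot: `bond_agg_timer_advance()` open-codes a decrement-unless-zero with an `atomic_cmpxchg()` loop, which the kernel's atomic API already offers as `atomic_dec_if_positive()`. For non-negative timer values the whole loop can be written as `return atomic_dec_if_positive(&BOND_AD_INFO(bond).agg_select_timer) == 0;`. The two differ only for negative values, which `bond_3ad_initiate_agg_selection()` can now store because it passes its `int timeout` straight to `atomic_set()` on a field that used to be `u32`; the loop keeps counting such a value down, while the helper would leave it alone. The kerneldoc of both functions should state that the timeout is expected to be non-negative, or the setter should reject a negative value. The callers of the setter are outside this hunk, so whether a negative timeout can occur is not visible here.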
@@ -0,0 +1,49 @@
+From a6ab75cec1e461f8a35559054c146c21428430b8 Mon Sep 17 00:00:00 2001
+From: Zhang Changzhong
+Date: Wed, 16 Feb 2022 22:18:08 +0800
+Subject: bonding: force carrier update when releasing slave
+
+From: Zhang Changzhong
+
+commit a6ab75cec1e461f8a35559054c146c21428430b8 upstream.
+
+In __bond_release_one(), bond_set_carrier() is only called when bond
+device has no slave. Therefore, if we remove the up slave from a master
+with two slaves and keep the down slave, the master will remain up.
+
+Fix this by moving bond_set_carrier() out of if (!bond_has_slaves(bond))
+statement.
+
+Reproducer:
+$ insmod bonding.ko mode=0 miimon=100 max_bonds=2
+$ ifconfig bond0 up
+$ ifenslave bond0 eth0 eth1
+$ ifconfig eth0 down
+$ ifenslave -d bond0 eth1
+$ cat /proc/net/bonding/bond0
+
+Fixes: ff59c4563a8d ("[PATCH] bonding: support carrier state for master")
+Signed-off-by: Zhang Changzhong
+Acked-by: Jay Vosburgh
+Link: https://lore.kernel.org/r/1645021088-38370-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1979,10 +1979,9 @@ static int __bond_release_one(struct net
+ bond_select_active_slave(bond);
+ }
+
+- if (!bond_has_slaves(bond)) {
+- bond_set_carrier(bond);
++ bond_set_carrier(bond);
++ if (!bond_has_slaves(bond))
+ eth_hw_addr_random(bond_dev);
+- }
+
+ unblock_netpoll_tx();
+ synchronize_rcu();
diff --git a/queue-5.4/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch b/queue-5.4/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
new file mode 100644
index 00000000000..e5a482fcfcc
--- /dev/null
+++ b/queue-5.4/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
@@ -0,0 +1,103 @@
+From dcd54265c8bc14bd023815e36e2d5f9d66ee1fee Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 10 Feb 2022 09:13:31 -0800
+Subject: drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit
+
+From: Eric Dumazet
+
+commit dcd54265c8bc14bd023815e36e2d5f9d66ee1fee upstream.
+
+trace_napi_poll_hit() is reading stat->dev while another thread can write
+on it from dropmon_net_event()
+
+Use READ_ONCE()/WRITE_ONCE() here, RCU rules are properly enforced already,
+we only have to take care of load/store tearing.
+
+BUG: KCSAN: data-race in dropmon_net_event / trace_napi_poll_hit
+
+write to 0xffff88816f3ab9c0 of 8 bytes by task 20260 on cpu 1:
+ dropmon_net_event+0xb8/0x2b0 net/core/drop_monitor.c:1579
+ notifier_call_chain kernel/notifier.c:84 [inline]
+ raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:392
+ call_netdevice_notifiers_info net/core/dev.c:1919 [inline]
+ call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
+ call_netdevice_notifiers net/core/dev.c:1945 [inline]
+ unregister_netdevice_many+0x867/0xfb0 net/core/dev.c:10415
+ ip_tunnel_delete_nets+0x24a/0x280 net/ipv4/ip_tunnel.c:1123
+ vti_exit_batch_net+0x2a/0x30 net/ipv4/ip_vti.c:515
+ ops_exit_list net/core/net_namespace.c:173 [inline]
+ cleanup_net+0x4dc/0x8d0 net/core/net_namespace.c:597
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+read to 0xffff88816f3ab9c0 of 8 bytes by interrupt on cpu 0:
+ trace_napi_poll_hit+0x89/0x1c0 net/core/drop_monitor.c:292
+ trace_napi_poll include/trace/events/napi.h:14 [inline]
+ __napi_poll+0x36b/0x3f0 net/core/dev.c:6366
+ napi_poll net/core/dev.c:6432 [inline]
+ net_rx_action+0x29e/0x650 net/core/dev.c:6519
+ __do_softirq+0x158/0x2de kernel/softirq.c:558
+ do_softirq+0xb1/0xf0 kernel/softirq.c:459
+ __local_bh_enable_ip+0x68/0x70 kernel/softirq.c:383
+ __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
+ _raw_spin_unlock_bh+0x33/0x40 kernel/locking/spinlock.c:210
+ spin_unlock_bh include/linux/spinlock.h:394 [inline]
+ ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
+ wg_packet_decrypt_worker+0x73c/0x780 drivers/net/wireguard/receive.c:506
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+value changed: 0xffff88815883e000 -> 0x0000000000000000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 26435 Comm: kworker/0:1 Not tainted 5.17.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker
+
+Fixes: 4ea7e38696c7 ("dropmon: add ability to detect when hardware dropsrxpackets")
+Signed-off-by: Eric Dumazet
+Cc: Neil Horman
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/drop_monitor.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -277,13 +277,17 @@ static void trace_napi_poll_hit(void *ig
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(new_stat, &hw_stats_list, list) {
++ struct net_device *dev;
++
+ /*
+ * only add a note to our monitor buffer if:
+ * 1) this is the dev we received on
+ * 2) its after the last_rx delta
+ * 3) our rx_dropped count has gone up
+ */
+- if ((new_stat->dev == napi->dev) &&
++ /* Paired with WRITE_ONCE() in dropmon_net_event() */
++ dev = READ_ONCE(new_stat->dev);
++ if ((dev == napi->dev) &&
+ (time_after(jiffies, new_stat->last_rx + dm_hw_check_delta)) &&
+ (napi->dev->stats.rx_dropped != new_stat->last_drop_val)) {
+ trace_drop_common(NULL, NULL);
+@@ -1497,7 +1501,10 @@ static int dropmon_net_event(struct noti
+ mutex_lock(&net_dm_mutex);
+ list_for_each_entry_safe(new_stat, tmp, &hw_stats_list, list) {
+ if (new_stat->dev == dev) {
+- new_stat->dev = NULL;
++
++ /* Paired with READ_ONCE() in trace_napi_poll_hit() */
++ WRITE_ONCE(new_stat->dev, NULL);
++
+ if (trace_state == TRACE_OFF) {
+ list_del_rcu(&new_stat->list);
+ kfree_rcu(new_stat, rcu);
diff --git a/queue-5.4/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch b/queue-5.4/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
new file mode 100644
index 00000000000..a780081d3d1
--- /dev/null
+++ b/queue-5.4/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
@@ -0,0 +1,34 @@
+From e9848aed147708a06193b40d78493b0ef6abccf2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 28 Jan 2022 14:30:52 +0200
+Subject: iwlwifi: pcie: fix locking when "HW not ready"
+
+From: Johannes Berg
+
+commit e9848aed147708a06193b40d78493b0ef6abccf2 upstream.
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this.
+
+Fixes: a6bd005fe92d ("iwlwifi: pcie: fix RF-Kill vs. firmware load race")
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.5d16821d1433.Id259699ddf9806459856d6aefbdbe54477aecffd@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -1335,8 +1335,7 @@ static int iwl_trans_pcie_start_fw(struc
+ /* This may fail if AMT took ownership of the device */
+ if (iwl_pcie_prepare_card_hw(trans)) {
+ IWL_WARN(trans, "Exit HW not ready\n");
+- ret = -EIO;
+- goto out;
++ return -EIO;
+ }
+
+ iwl_enable_rfkill_int(trans);
diff --git a/queue-5.4/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch b/queue-5.4/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
new file mode 100644
index 00000000000..5603a5ed620
--- /dev/null
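Review bot: The comparison `new_stat->dev == dev` directly above the new `WRITE_ONCE()` in `dropmon_net_event()` stays a plain load, and nothing in the added comment says why that is acceptable while the reader side needed `READ_ONCE()`. From the hunk it looks safe because the loop runs under `net_dm_mutex`, assuming every writer of the field holds that mutex, so the comment could record it: `/* Writers hold net_dm_mutex; paired with READ_ONCE() in trace_napi_poll_hit() */`. The blank line added straight after the opening brace of the `if` can go. Both function bodies continue outside the hunks.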
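Review bot: The new `return -EIO;` in `iwl_trans_pcie_start_fw()` carries no comment saying why this one error path bypasses the `out` label that the removed `goto out;` used, so a later cleanup could route it back through the unlock. A one-line comment above the return, such as `/* mutex not taken yet: return directly, do not go through out */`, would record the invariant the commit message describes. The lock acquisition and the `out` label are outside the hunk, so the ordering cannot be checked from these lines. The same applies to the identical change to `iwl_trans_pcie_gen2_start_fw()` in the gen2 patch that follows.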
+++ b/queue-5.4/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
@@ -0,0 +1,34 @@
+From 4c29c1e27a1e178a219b3877d055e6dd643bdfda Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 28 Jan 2022 14:30:53 +0200
+Subject: iwlwifi: pcie: gen2: fix locking when "HW not ready"
+
+From: Johannes Berg
+
+commit 4c29c1e27a1e178a219b3877d055e6dd643bdfda upstream.
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this in the gen2 code as well.
+
+Fixes: eda50cde58de ("iwlwifi: pcie: add context information support")
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.b8b0dfce16ef.Ie20f0f7b23e5911350a2766524300d2915e7b677@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+@@ -292,8 +292,7 @@ int iwl_trans_pcie_gen2_start_fw(struct
+ /* This may fail if AMT took ownership of the device */
+ if (iwl_pcie_prepare_card_hw(trans)) {
+ IWL_WARN(trans, "Exit HW not ready\n");
+- ret = -EIO;
+- goto out;
++ return -EIO;
+ }
+
+ iwl_enable_rfkill_int(trans);
diff --git a/queue-5.4/libsubcmd-fix-use-after-free-for-realloc-...-0.patch b/queue-5.4/libsubcmd-fix-use-after-free-for-realloc-...-0.patch
new file mode 100644
index 00000000000..23bfaebab85
--- /dev/null
+++ b/queue-5.4/libsubcmd-fix-use-after-free-for-realloc-...-0.patch
@@ -0,0 +1,66 @@
+From 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Sun, 13 Feb 2022 10:24:43 -0800
+Subject: libsubcmd: Fix use-after-free for realloc(..., 0)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook
+
+commit 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 upstream.
+
+GCC 12 correctly reports a potential use-after-free condition in the
+xrealloc helper. Fix the warning by avoiding an implicit "free(ptr)"
+when size == 0:
+
+In file included from help.c:12:
+In function 'xrealloc',
+ inlined from 'add_cmdname' at help.c:24:2: subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free]
+ 56 | ret = realloc(ptr, size);
+ | ^~~~~~~~~~~~~~~~~~
+subcmd-util.h:52:21: note: call to 'realloc' here
+ 52 | void *ret = realloc(ptr, size);
+ | ^~~~~~~~~~~~~~~~~~
+subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free]
+ 58 | ret = realloc(ptr, 1);
+ | ^~~~~~~~~~~~~~~
+subcmd-util.h:52:21: note: call to 'realloc' here
+ 52 | void *ret = realloc(ptr, size);
+ | ^~~~~~~~~~~~~~~~~~
+
+Fixes: 2f4ce5ec1d447beb ("perf tools: Finalize subcmd independence")
+Reported-by: Valdis Klētnieks
+Signed-off-by: Kees Kook
+Tested-by: Valdis Klētnieks
+Tested-by: Justin M. Forbes
+Acked-by: Josh Poimboeuf
+Cc: linux-hardening@vger.kernel.org
+Cc: Valdis Klētnieks
+Link: http://lore.kernel.org/lkml/20220213182443.4037039-1-keescook@chromium.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/lib/subcmd/subcmd-util.h | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/tools/lib/subcmd/subcmd-util.h
++++ b/tools/lib/subcmd/subcmd-util.h
+@@ -50,15 +50,8 @@ static NORETURN inline void die(const ch
+ static inline void *xrealloc(void *ptr, size_t size)
+ {
+ void *ret = realloc(ptr, size);
+- if (!ret && !size)
+- ret = realloc(ptr, 1);
+- if (!ret) {
+- ret = realloc(ptr, size);
+- if (!ret && !size)
+- ret = realloc(ptr, 1);
+- if (!ret)
+- die("Out of memory, realloc failed");
+- }
++ if (!ret)
++ die("Out of memory, realloc failed");
+ return ret;
+ }
+
diff --git a/queue-5.4/net-dsa-lan9303-add-vlan-ids-to-master-device.patch b/queue-5.4/net-dsa-lan9303-add-vlan-ids-to-master-device.patch
new file mode 100644
index 00000000000..32f22f8936c
--- /dev/null
+++ b/queue-5.4/net-dsa-lan9303-add-vlan-ids-to-master-device.patch
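Review bot: After this change `xrealloc(ptr, 0)` ends in `die("Out of memory, realloc failed")` on any C library where `realloc(ptr, 0)` frees `ptr` and returns NULL, although nothing has run out of memory. The removed retry was what mapped a zero size to a one-byte allocation and it is also what produced the use-after-free warning, so dropping it is right, but the zero-size case can be kept without touching `ptr` twice by normalising first: `if (!size) size = 1;` ahead of the single `realloc(ptr, size)` call. Whether any caller passes a zero size is not visible in this hunk; if none may, a comment on `xrealloc()` stating that `size` must be non-zero would make the new contract explicit.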
@@ -0,0 +1,75 @@
+From 430065e2671905ac675f97b7af240cc255964e93 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard
+Date: Wed, 16 Feb 2022 20:48:18 +0000
+Subject: net: dsa: lan9303: add VLAN IDs to master device
+
+From: Mans Rullgard
+
+commit 430065e2671905ac675f97b7af240cc255964e93 upstream.
+
+If the master device does VLAN filtering, the IDs used by the switch
+must be added for any frames to be received. Do this in the
+port_enable() function, and remove them in port_disable().
+
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Mans Rullgard
+Reviewed-by: Florian Fainelli
+Reviewed-by: Vladimir Oltean
+Link: https://lore.kernel.org/r/20220216204818.28746-1-mans@mansr.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/Kconfig | 1 +
+ drivers/net/dsa/lan9303-core.c | 11 +++++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/Kconfig
++++ b/drivers/net/dsa/Kconfig
+@@ -76,6 +76,7 @@ config NET_DSA_REALTEK_SMI
+
+ config NET_DSA_SMSC_LAN9303
+ tristate
++ depends on VLAN_8021Q || VLAN_8021Q=n
+ select NET_DSA_TAG_LAN9303
+ select REGMAP
+ ---help---
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -10,6 +10,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "lan9303.h"
+@@ -1083,21 +1084,27 @@ static void lan9303_adjust_link(struct d
+ static int lan9303_port_enable(struct dsa_switch *ds, int port,
+ struct phy_device *phy)
+ {
++ struct dsa_port *dp = dsa_to_port(ds, port);
+ struct lan9303 *chip = ds->priv;
+
+- if (!dsa_is_user_port(ds, port))
++ if (!dsa_port_is_user(dp))
+ return 0;
+
++ vlan_vid_add(dp->cpu_dp->master, htons(ETH_P_8021Q), port);
++
+ return lan9303_enable_processing_port(chip, port);
+ }
+
+ static void lan9303_port_disable(struct dsa_switch *ds, int port)
+ {
++ struct dsa_port *dp = dsa_to_port(ds, port);
+ struct lan9303 *chip = ds->priv;
+
+- if (!dsa_is_user_port(ds, port))
++ if (!dsa_port_is_user(dp))
+ return;
+
++ vlan_vid_del(dp->cpu_dp->master, htons(ETH_P_8021Q), port);
++
+ lan9303_disable_processing_port(chip, port);
+ lan9303_phy_write(ds, chip->phy_addr_base + port, MII_BMCR, BMCR_PDOWN);
+ }
diff --git a/queue-5.4/net-dsa-lan9303-fix-reset-on-probe.patch b/queue-5.4/net-dsa-lan9303-fix-reset-on-probe.patch
new file mode 100644
index 00000000000..66063caf618
--- /dev/null
+++ b/queue-5.4/net-dsa-lan9303-fix-reset-on-probe.patch
@@ -0,0 +1,36 @@
+From 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard
+Date: Wed, 9 Feb 2022 14:54:54 +0000
+Subject: net: dsa: lan9303: fix reset on probe
+
+From: Mans Rullgard
+
+commit 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 upstream.
+
+The reset input to the LAN9303 chip is active low, and devicetree
+gpio handles reflect this. Therefore, the gpio should be requested
+with an initial state of high in order for the reset signal to be
+asserted. Other uses of the gpio already use the correct polarity.
+
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Mans Rullgard
+Reviewed-by: Andrew Lunn
+Reviewed-by: Florian Fianelil
+Link: https://lore.kernel.org/r/20220209145454.19749-1-mans@mansr.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/lan9303-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -1303,7 +1303,7 @@ static int lan9303_probe_reset_gpio(stru
+ struct device_node *np)
+ {
+ chip->reset_gpio = devm_gpiod_get_optional(chip->dev, "reset",
+- GPIOD_OUT_LOW);
++ GPIOD_OUT_HIGH);
+ if (IS_ERR(chip->reset_gpio))
+ return PTR_ERR(chip->reset_gpio);
+
diff --git a/queue-5.4/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch b/queue-5.4/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch
new file mode 100644
index 00000000000..4c28459e879
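Review bot: The return value of `vlan_vid_add()` in `lan9303_port_enable()` is discarded, so if the master device refuses the VID the port is still enabled while its frames stay filtered, and `lan9303_port_disable()` later calls `vlan_vid_del()` for an ID that was never added. The error should be propagated, for example `err = vlan_vid_add(dp->cpu_dp->master, htons(ETH_P_8021Q), port);` followed by `if (err) return err;`. In the other direction, when `lan9303_enable_processing_port()` fails, the VID added a line earlier is left on the master; whether the DSA core then calls `port_disable` is not visible from this hunk.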
--- /dev/null
+++ b/queue-5.4/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch
@@ -0,0 +1,36 @@
+From bdc120a2bcd834e571ce4115aaddf71ab34495de Mon Sep 17 00:00:00 2001
+From: Miquel Raynal
+Date: Tue, 1 Feb 2022 19:06:26 +0100
+Subject: net: ieee802154: ca8210: Fix lifs/sifs periods
+
+From: Miquel Raynal
+
+commit bdc120a2bcd834e571ce4115aaddf71ab34495de upstream.
+
+These periods are expressed in time units (microseconds) while 40 and 12
+are the number of symbol durations these periods will last. We need to
+multiply them both with the symbol_duration in order to get these
+values in microseconds.
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/r/20220201180629.93410-2-miquel.raynal@bootlin.com
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ieee802154/ca8210.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2976,8 +2976,8 @@ static void ca8210_hw_setup(struct ieee8
+ ca8210_hw->phy->cca.opt = NL802154_CCA_OPT_ENERGY_CARRIER_AND;
+ ca8210_hw->phy->cca_ed_level = -9800;
+ ca8210_hw->phy->symbol_duration = 16;
+- ca8210_hw->phy->lifs_period = 40;
+- ca8210_hw->phy->sifs_period = 12;
++ ca8210_hw->phy->lifs_period = 40 * ca8210_hw->phy->symbol_duration;
++ ca8210_hw->phy->sifs_period = 12 * ca8210_hw->phy->symbol_duration;
+ ca8210_hw->flags =
+ IEEE802154_HW_AFILT |
+ IEEE802154_HW_OMIT_CKSUM |
diff --git a/queue-5.4/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch b/queue-5.4/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch
new file mode 100644
index 00000000000..09b328a824a
--- /dev/null
+++ b/queue-5.4/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch
@@ -0,0 +1,32 @@
+From 2b4e5fb4d3776c391e40fb33673ba946dd96012d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Thu, 10 Feb 2022 10:06:42 +0100
+Subject: netfilter: nft_synproxy: unregister hooks on init error path
+
+From: Pablo Neira Ayuso
+
+commit 2b4e5fb4d3776c391e40fb33673ba946dd96012d upstream.
+
+Disable the IPv4 hooks if the IPv6 hooks fail to be registered.
+
+Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_synproxy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_synproxy.c
++++ b/net/netfilter/nft_synproxy.c
+@@ -191,8 +191,10 @@ static int nft_synproxy_do_init(const st
+ if (err)
+ goto nf_ct_failure;
+ err = nf_synproxy_ipv6_init(snet, ctx->net);
+- if (err)
++ if (err) {
++ nf_synproxy_ipv4_fini(snet, ctx->net);
+ goto nf_ct_failure;
++ }
+ break;
+ }
+
diff --git a/queue-5.4/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch b/queue-5.4/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch
new file mode 100644
index 00000000000..555d5c0b58d
--- /dev/null
+++ b/queue-5.4/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch
@@ -0,0 +1,78 @@
+From 35a79e64de29e8d57a5989aac57611c0cd29e13e Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Wed, 16 Feb 2022 00:20:52 -0500
+Subject: ping: fix the dif and sdif check in ping_lookup
+
+From: Xin Long
+
+commit 35a79e64de29e8d57a5989aac57611c0cd29e13e upstream.
+
+When 'ping' changes to use PING socket instead of RAW socket by:
+
+ # sysctl -w net.ipv4.ping_group_range="0 100"
+
+There is another regression caused when matching sk_bound_dev_if
+and dif, RAW socket is using inet_iif() while PING socket lookup
+is using skb->dev->ifindex, the cmd below fails due to this:
+
+ # ip link add dummy0 type dummy
+ # ip link set dummy0 up
+ # ip addr add 192.168.111.1/24 dev dummy0
+ # ping -I dummy0 192.168.111.1 -c1
+
+The issue was also reported on:
+
+ https://github.com/iputils/iputils/issues/104
+
+But fixed in iputils in a wrong way by not binding to device when
+destination IP is on device, and it will cause some of kselftests
+to fail, as Jianlin noticed.
+
+This patch is to use inet(6)_iif and inet(6)_sdif to get dif and
+sdif for PING socket, and keep consistent with RAW socket.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Reported-by: Jianlin Shi
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ping.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -172,16 +172,23 @@ static struct sock *ping_lookup(struct n
+ struct sock *sk = NULL;
+ struct inet_sock *isk;
+ struct hlist_nulls_node *hnode;
+- int dif = skb->dev->ifindex;
++ int dif, sdif;
+
+ if (skb->protocol == htons(ETH_P_IP)) {
++ dif = inet_iif(skb);
++ sdif = inet_sdif(skb);
+ pr_debug("try to find: num = %d, daddr = %pI4, dif = %d\n",
+ (int)ident, &ip_hdr(skb)->daddr, dif);
+ #if IS_ENABLED(CONFIG_IPV6)
+ } else if (skb->protocol == htons(ETH_P_IPV6)) {
++ dif = inet6_iif(skb);
++ sdif = inet6_sdif(skb);
+ pr_debug("try to find: num = %d, daddr = %pI6c, dif = %d\n",
+ (int)ident, &ipv6_hdr(skb)->daddr, dif);
+ #endif
++ } else {
++ pr_err("ping: protocol(%x) is not supported\n", ntohs(skb->protocol));
++ return NULL;
+ }
+
+ read_lock_bh(&ping_table.lock);
+@@ -221,7 +228,7 @@ static struct sock *ping_lookup(struct n
+ }
+
+ if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif &&
+- sk->sk_bound_dev_if != inet_sdif(skb))
++ sk->sk_bound_dev_if != sdif)
+ continue;
+
+ sock_hold(sk);
diff --git a/queue-5.4/series b/queue-5.4/series
index 5503a48bacf..81175500fc2 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
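Review bot: The new `else` branch in `ping_lookup()` reports an unexpected `skb->protocol` with a plain `pr_err()`, which is not rate limited; if frames carrying another protocol value can reach this function from the receive path, each one writes a kernel log line. `pr_err_ratelimited("ping: protocol(%x) is not supported\n", ntohs(skb->protocol));` keeps the diagnostic without that exposure. The two `pr_debug()` calls also still print only `dif`, although the match further down now depends on `sdif` as well, so adding `sdif` to them would make a failed lookup easier to trace. The callers of `ping_lookup()` are outside this hunk, so whether the branch is reachable is not established here.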
@@ -33,3 +33,14 @@ taskstats-cleanup-the-use-of-task-exit_code.patch
 dmaengine-at_xdmac-start-transfer-for-cyclic-channels-in-issue_pending.patch
 vsock-remove-vsock-from-connected-table-when-connect-is-interrupted-by-a-signal.patch
 mmc-block-fix-read-single-on-recovery-logic.patch
+iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
+iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
+netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch
+net-dsa-lan9303-fix-reset-on-probe.patch
+net-dsa-lan9303-add-vlan-ids-to-master-device.patch
+net-ieee802154-ca8210-fix-lifs-sifs-periods.patch
+ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch
+bonding-force-carrier-update-when-releasing-slave.patch
+drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
+bonding-fix-data-races-around-agg_select_timer.patch
+libsubcmd-fix-use-after-free-for-realloc-...-0.patch
--
2.47.3