From dad7c528727405309af950315c24263fd9ded73a Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 27 Nov 2022 14:07:03 -0500 Subject: [PATCH] Fixes for 4.19 
Signed-off-by: Sasha Levin --- ...of-list_del-corruption-in-p9_fd_canc.patch | 75 +++++++++ ...end_acquire-race-with-pfkey_register.patch | 147 ++++++++++++++++++ ...cm-953-define-fixed-regulators-in-ro.patch | 66 ++++++++ ...m9g20ek-enable-udc-vbus-gpio-pinctrl.patch | 57 +++++++ ...-fix-memory-leak-in-mxs_machine_init.patch | 40 +++++ ...eset-the-chip_clk_ctrl-reg-on-remove.patch | 48 ++++++ ...vice-refcount-leak-in-bnx2x_vf_is_pc.patch | 58 +++++++ ...s-sunxi-rsb-support-atomic-transfers.patch | 92 +++++++++++ ...addr-on-failure-after-inet6-_hash_co.patch | 113 ++++++++++++++ ...-fix-double-free-in-the-error-path-o.patch | 53 +++++++ ...-fix-possible-memory-leak-in-vmbus_d.patch | 41 +++++ ...lx4-check-retval-of-mlx4_bitmap_init.patch | 43 +++++ ...-fix-fw-tracer-timestamp-calculation.patch | 38 +++++ ...pci-device-refcount-leak-while-modul.patch | 60 +++++++ ...potential-memleak-in-pch_gbe_tx_queu.patch | 38 +++++ ...fix-potential-memleak-in-ql3xxx_send.patch | 36 +++++ ...et-thunderx-fix-the-acpi-memory-leak.patch | 41 +++++ ...ix-memory-leak-in-nci_rx_data_packet.patch | 61 ++++++++ ...ci-fix-race-with-opening-and-closing.patch | 42 +++++ ...ncorrect-validating-logic-in-evt_tra.patch | 41 +++++ ...-fix-memory-leaks-in-evt_transaction.patch | 42 +++++ ...dump-fix-tod-programmable-field-size.patch | 61 ++++++++ ...no-record-found-for-raw_track_access.patch | 75 +++++++++ queue-4.19/series | 27 ++++ ...an-extra-conn_get-in-tipc_conn_alloc.patch | 84 ++++++++++ ...inearize-return-value-in-tipc_disc_r.patch | 41 +++++ ...tipc-set-con-sock-in-tipc_conn_alloc.patch | 106 +++++++++++++ ...x-ignored-return-value-in-xfrm6_init.patch | 59 +++++++ 28 files changed, 1685 insertions(+) create mode 100644 queue-4.19/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch create mode 100644 queue-4.19/af_key-fix-send_acquire-race-with-pfkey_register.patch create mode 100644 queue-4.19/arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch create mode 100644 
queue-4.19/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch create mode 100644 queue-4.19/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch create mode 100644 queue-4.19/asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch create mode 100644 queue-4.19/bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch create mode 100644 queue-4.19/bus-sunxi-rsb-support-atomic-transfers.patch create mode 100644 queue-4.19/dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch create mode 100644 queue-4.19/drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch create mode 100644 queue-4.19/drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch create mode 100644 queue-4.19/net-mlx4-check-retval-of-mlx4_bitmap_init.patch create mode 100644 queue-4.19/net-mlx5-fix-fw-tracer-timestamp-calculation.patch create mode 100644 queue-4.19/net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch create mode 100644 queue-4.19/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch create mode 100644 queue-4.19/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch create mode 100644 queue-4.19/net-thunderx-fix-the-acpi-memory-leak.patch create mode 100644 queue-4.19/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch create mode 100644 queue-4.19/nfc-nci-fix-race-with-opening-and-closing.patch create mode 100644 queue-4.19/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch create mode 100644 queue-4.19/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch create mode 100644 queue-4.19/s390-crashdump-fix-tod-programmable-field-size.patch create mode 100644 queue-4.19/s390-dasd-fix-no-record-found-for-raw_track_access.patch create mode 100644 queue-4.19/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch create mode 100644 queue-4.19/tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch create mode 100644 queue-4.19/tipc-set-con-sock-in-tipc_conn_alloc.patch create mode 100644 queue-4.19/xfrm-fix-ignored-return-value-in-xfrm6_init.patch 
diff --git a/queue-4.19/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch b/queue-4.19/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch
new file mode 100644
index 00000000000..0413381f43f
--- /dev/null
+++ b/queue-4.19/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch
@@ -0,0 +1,75 @@ +From 8a42038b74bdf2d3323c2cb07a7d969fa81d3477 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 20:26:06 +0800 +Subject: 9p/fd: fix issue of list_del corruption in p9_fd_cancel() + +From: Zhengchao Shao + +[ Upstream commit 11c10956515b8ec44cf4f2a7b9d8bf8b9dc05ec4 ] + +Syz reported the following issue: +kernel BUG at lib/list_debug.c:53! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +RIP: 0010:__list_del_entry_valid.cold+0x5c/0x72 +Call Trace: + +p9_fd_cancel+0xb1/0x270 +p9_client_rpc+0x8ea/0xba0 +p9_client_create+0x9c0/0xed0 +v9fs_session_init+0x1e0/0x1620 +v9fs_mount+0xba/0xb80 +legacy_get_tree+0x103/0x200 +vfs_get_tree+0x89/0x2d0 +path_mount+0x4c0/0x1ac0 +__x64_sys_mount+0x33b/0x430 +do_syscall_64+0x35/0x80 +entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + +The process is as follows: +Thread A: Thread B: +p9_poll_workfn() p9_client_create() +... ... + p9_conn_cancel() p9_fd_cancel() + list_del() ... + ... list_del() //list_del + corruption +There is no lock protection when deleting list in p9_conn_cancel(). After +deleting list in Thread A, thread B will delete the same list again. It +will cause issue of list_del corruption. + +Setting req->status to REQ_STATUS_ERROR under lock prevents other +cleanup paths from trying to manipulate req_list. +The other thread can safely check req->status because it still holds a +reference to req at this point. 
+ +Link: https://lkml.kernel.org/r/20221110122606.383352-1-shaozhengchao@huawei.com +Fixes: 52f1c45dde91 ("9p: trans_fd/p9_conn_cancel: drop client lock earlier") +Reported-by: syzbot+9b69b8d10ab4a7d88056@syzkaller.appspotmail.com +Signed-off-by: Zhengchao Shao +[Dominique: add description of the fix in commit message] +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index 7194ffa58d3e..6aba06a8261c 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -215,9 +215,11 @@ static void p9_conn_cancel(struct p9_conn *m, int err) + + list_for_each_entry_safe(req, rtmp, &m->req_list, req_list) { + list_move(&req->req_list, &cancel_list); ++ req->status = REQ_STATUS_ERROR; + } + list_for_each_entry_safe(req, rtmp, &m->unsent_req_list, req_list) { + list_move(&req->req_list, &cancel_list); ++ req->status = REQ_STATUS_ERROR; + } + + spin_unlock(&m->client->lock); +-- +2.35.1 + diff --git a/queue-4.19/af_key-fix-send_acquire-race-with-pfkey_register.patch b/queue-4.19/af_key-fix-send_acquire-race-with-pfkey_register.patch new file mode 100644 index 00000000000..b3ae3fb3ebb --- /dev/null +++ b/queue-4.19/af_key-fix-send_acquire-race-with-pfkey_register.patch 
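Review bot: The two added `req->status = REQ_STATUS_ERROR;` stores in p9_conn_cancel() have no comment saying they must stay inside the `m->client->lock` section that ends at the `spin_unlock()` right after the loops. Per the commit message, doing the store under that lock is what stops p9_fd_cancel() from running a second list_del() on a request already moved to cancel_list, so a later cleanup that moves the store past the unlock would reopen the list corruption. I would add above the first loop `/* mark each request errored while client->lock is held so other cancel paths leave req_list alone */`. The function starts before and continues after the hunk, so how cancel_list is drained is not visible here.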
@@ -0,0 +1,147 @@ +From 358c149749359b4209269b4c8b9c8f0819a048ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Oct 2022 14:06:48 +0800 +Subject: af_key: Fix send_acquire race with pfkey_register + +From: Herbert Xu + +[ Upstream commit 7f57f8165cb6d2c206e2b9ada53b9e2d6d8af42f ] + +The function pfkey_send_acquire may race with pfkey_register +(which could even be in a different name space). This may result +in a buffer overrun. + +Allocating the maximum amount of memory that could be used prevents +this. + +Reported-by: syzbot+1e9af9185d8850e2c2fa@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Herbert Xu +Reviewed-by: Sabrina Dubroca +Reviewed-by: Eric Dumazet +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 337c6bc8211e..976b67089ac1 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -2915,7 +2915,7 @@ static int count_ah_combs(const struct xfrm_tmpl *t) + break; + if (!aalg->pfkey_supported) + continue; +- if (aalg_tmpl_set(t, aalg) && aalg->available) ++ if (aalg_tmpl_set(t, aalg)) + sz += sizeof(struct sadb_comb); + } + return sz + sizeof(struct sadb_prop); +@@ -2933,7 +2933,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t) + if (!ealg->pfkey_supported) + continue; + +- if (!(ealg_tmpl_set(t, ealg) && ealg->available)) ++ if (!(ealg_tmpl_set(t, ealg))) + continue; + + for (k = 1; ; k++) { +@@ -2944,16 +2944,17 @@ static int count_esp_combs(const struct xfrm_tmpl *t) + if (!aalg->pfkey_supported) + continue; + +- if (aalg_tmpl_set(t, aalg) && aalg->available) ++ if (aalg_tmpl_set(t, aalg)) + sz += sizeof(struct sadb_comb); + } + } + return sz + sizeof(struct sadb_prop); + } + +-static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) ++static int dump_ah_combs(struct sk_buff *skb, const struct 
xfrm_tmpl *t) + { + struct sadb_prop *p; ++ int sz = 0; + int i; + + p = skb_put(skb, sizeof(struct sadb_prop)); +@@ -2981,13 +2982,17 @@ static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) + c->sadb_comb_soft_addtime = 20*60*60; + c->sadb_comb_hard_usetime = 8*60*60; + c->sadb_comb_soft_usetime = 7*60*60; ++ sz += sizeof(*c); + } + } ++ ++ return sz + sizeof(*p); + } + +-static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) ++static int dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) + { + struct sadb_prop *p; ++ int sz = 0; + int i, k; + + p = skb_put(skb, sizeof(struct sadb_prop)); +@@ -3029,8 +3034,11 @@ static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) + c->sadb_comb_soft_addtime = 20*60*60; + c->sadb_comb_hard_usetime = 8*60*60; + c->sadb_comb_soft_usetime = 7*60*60; ++ sz += sizeof(*c); + } + } ++ ++ return sz + sizeof(*p); + } + + static int key_notify_policy_expire(struct xfrm_policy *xp, const struct km_event *c) +@@ -3160,6 +3168,7 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + struct sadb_x_sec_ctx *sec_ctx; + struct xfrm_sec_ctx *xfrm_ctx; + int ctx_size = 0; ++ int alg_size = 0; + + sockaddr_size = pfkey_sockaddr_size(x->props.family); + if (!sockaddr_size) +@@ -3171,16 +3180,16 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + sizeof(struct sadb_x_policy); + + if (x->id.proto == IPPROTO_AH) +- size += count_ah_combs(t); ++ alg_size = count_ah_combs(t); + else if (x->id.proto == IPPROTO_ESP) +- size += count_esp_combs(t); ++ alg_size = count_esp_combs(t); + + if ((xfrm_ctx = x->security)) { + ctx_size = PFKEY_ALIGN8(xfrm_ctx->ctx_len); + size += sizeof(struct sadb_x_sec_ctx) + ctx_size; + } + +- skb = alloc_skb(size + 16, GFP_ATOMIC); ++ skb = alloc_skb(size + alg_size + 16, GFP_ATOMIC); + if (skb == NULL) + return -ENOMEM; + +@@ -3234,10 +3243,13 @@ static int pfkey_send_acquire(struct xfrm_state 
*x, struct xfrm_tmpl *t, struct + pol->sadb_x_policy_priority = xp->priority; + + /* Set sadb_comb's. */ ++ alg_size = 0; + if (x->id.proto == IPPROTO_AH) +- dump_ah_combs(skb, t); ++ alg_size = dump_ah_combs(skb, t); + else if (x->id.proto == IPPROTO_ESP) +- dump_esp_combs(skb, t); ++ alg_size = dump_esp_combs(skb, t); ++ ++ hdr->sadb_msg_len += alg_size / 8; + + /* security context */ + if (xfrm_ctx) { +-- +2.35.1 + diff --git a/queue-4.19/arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch b/queue-4.19/arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch new file mode 100644 index 00000000000..fd7714ec283 --- /dev/null +++ b/queue-4.19/arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch 
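Review bot: count_ah_combs() and count_esp_combs() now skip the `->available` test on purpose, but nothing in the code says so, and the next reader is likely to restore the check to match dump_ah_combs()/dump_esp_combs() (whose own availability tests are outside these hunks) and reintroduce the overrun described in the commit message. A comment on both counters would pin this down: `/* Upper bound: ->available can change concurrently (pfkey_register), so size for every algorithm the template allows */`. In pfkey_send_acquire(), `hdr->sadb_msg_len += alg_size / 8;` uses a bare 8. It is presumably the same 64-bit word unit the header length is initialised in before the hunk, and writing it the same way as that initialisation would make the pairing obvious.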
@@ -0,0 +1,66 @@ +From d45e38d37c1bfd39b547a4ef56f7f180d0c2d47b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Oct 2022 16:31:15 +0200 +Subject: ARM: dts: am335x-pcm-953: Define fixed regulators in root node + +From: Dominik Haller + +[ Upstream commit 8950f345a67d8046d2472dd6ea81fa18ef5b4844 ] + +Remove the regulators node and define fixed regulators in the root node. +Prevents the sdhci-omap driver from waiting in probe deferral forever +because of the missing vmmc-supply and keeps am335x-pcm-953 consistent with +the other Phytec AM335 boards. + +Fixes: bb07a829ec38 ("ARM: dts: Add support for phyCORE-AM335x PCM-953 carrier board") +Signed-off-by: Dominik Haller +Message-Id: <20221011143115.248003-1-d.haller@phytec.de> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/am335x-pcm-953.dtsi | 28 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/arch/arm/boot/dts/am335x-pcm-953.dtsi b/arch/arm/boot/dts/am335x-pcm-953.dtsi +index 572fbd254690..495c55e5b5db 100644 +--- a/arch/arm/boot/dts/am335x-pcm-953.dtsi ++++ b/arch/arm/boot/dts/am335x-pcm-953.dtsi +@@ -15,22 +15,20 @@ / { + compatible = "phytec,am335x-pcm-953", "phytec,am335x-phycore-som", "ti,am33xx"; + + /* Power */ +- regulators { +- vcc3v3: fixedregulator@1 { +- compatible = "regulator-fixed"; +- regulator-name = "vcc3v3"; +- regulator-min-microvolt = <3300000>; +- regulator-max-microvolt = <3300000>; +- regulator-boot-on; +- }; ++ vcc3v3: fixedregulator1 { ++ compatible = "regulator-fixed"; ++ regulator-name = "vcc3v3"; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-boot-on; ++ }; + +- vcc1v8: fixedregulator@2 { +- compatible = "regulator-fixed"; +- regulator-name = "vcc1v8"; +- regulator-min-microvolt = <1800000>; +- regulator-max-microvolt = <1800000>; +- regulator-boot-on; +- }; ++ vcc1v8: fixedregulator2 { ++ compatible = "regulator-fixed"; ++ regulator-name = "vcc1v8"; 
++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <1800000>; ++ regulator-boot-on; + }; + + /* User IO */ +-- +2.35.1 + diff --git a/queue-4.19/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch b/queue-4.19/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch new file mode 100644 index 00000000000..755e6fc3b50 --- /dev/null +++ b/queue-4.19/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch 
@@ -0,0 +1,57 @@ +From a0d0ec89be33306e690c9852d06638d2e1eea657 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 19:59:23 +0100 +Subject: ARM: dts: at91: sam9g20ek: enable udc vbus gpio pinctrl + +From: Michael Grzeschik + +[ Upstream commit 40a2226e8bfacb79dd154dea68febeead9d847e9 ] + +We set the PIOC to GPIO mode. This way the pin becomes an +input signal will be usable by the controller. Without +this change the udc on the 9g20ek does not work. + +Cc: nicolas.ferre@microchip.com +Cc: ludovic.desroches@microchip.com +Cc: alexandre.belloni@bootlin.com +Cc: linux-arm-kernel@lists.infradead.org +Cc: kernel@pengutronix.de +Fixes: 5cb4e73575e3 ("ARM: at91: add at91sam9g20ek boards dt support") +Signed-off-by: Michael Grzeschik +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20221114185923.1023249-3-m.grzeschik@pengutronix.de +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91sam9g20ek_common.dtsi | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/arch/arm/boot/dts/at91sam9g20ek_common.dtsi b/arch/arm/boot/dts/at91sam9g20ek_common.dtsi +index ec1f17ab6753..0b990761d80a 100644 +--- a/arch/arm/boot/dts/at91sam9g20ek_common.dtsi ++++ b/arch/arm/boot/dts/at91sam9g20ek_common.dtsi +@@ -39,6 +39,13 @@ pinctrl_pck0_as_mck: pck0_as_mck { + + }; + ++ usb1 { ++ pinctrl_usb1_vbus_gpio: usb1_vbus_gpio { ++ atmel,pins = ++ ; /* PC5 GPIO */ ++ }; ++ }; ++ + mmc0_slot1 { + pinctrl_board_mmc0_slot1: mmc0_slot1-board { + atmel,pins = +@@ -84,6 +91,8 @@ macb0: ethernet@fffc4000 { + }; + + usb1: gadget@fffa4000 { ++ pinctrl-0 = <&pinctrl_usb1_vbus_gpio>; ++ pinctrl-names = "default"; + atmel,vbus-gpio = <&pioC 5 GPIO_ACTIVE_HIGH>; + status = "okay"; + }; +-- +2.35.1 + diff --git a/queue-4.19/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch b/queue-4.19/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch new file mode 100644 index 00000000000..feb3582c933 --- /dev/null +++ b/queue-4.19/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch 
@@ -0,0 +1,40 @@ +From 480d6ca73a7211d2094345771e42c652d2305773 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 06:20:11 +0000 +Subject: ARM: mxs: fix memory leak in mxs_machine_init() + +From: Zheng Yongjun + +[ Upstream commit f31e3c204d1844b8680a442a48868af5ac3d5481 ] + +If of_property_read_string() failed, 'soc_dev_attr' should be +freed before return. Otherwise there is a memory leak. + +Fixes: 2046338dcbc6 ("ARM: mxs: Use soc bus infrastructure") +Signed-off-by: Zheng Yongjun +Reviewed-by: Marco Felsch +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/mach-mxs/mach-mxs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-mxs/mach-mxs.c b/arch/arm/mach-mxs/mach-mxs.c +index 1c6062d240c8..4063fc1f435b 100644 +--- a/arch/arm/mach-mxs/mach-mxs.c ++++ b/arch/arm/mach-mxs/mach-mxs.c +@@ -393,8 +393,10 @@ static void __init mxs_machine_init(void) + + root = of_find_node_by_path("/"); + ret = of_property_read_string(root, "model", &soc_dev_attr->machine); +- if (ret) ++ if (ret) { ++ kfree(soc_dev_attr); + return; ++ } + + soc_dev_attr->family = "Freescale MXS Family"; + soc_dev_attr->soc_id = mxs_get_soc_id(); +-- +2.35.1 + diff --git a/queue-4.19/asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch b/queue-4.19/asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch new file mode 100644 index 00000000000..32f3d6727e0 --- /dev/null +++ b/queue-4.19/asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch 
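Review bot: The new early-return branch in mxs_machine_init() frees `soc_dev_attr` but still returns while holding the reference taken by `root = of_find_node_by_path("/");` two lines above. No `of_node_put(root)` is visible on this path, so the branch probably wants `of_node_put(root);` next to the `kfree(soc_dev_attr);`. The rest of the function is outside the hunk, so confirm whether `root` is released on the success path as well.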
@@ -0,0 +1,48 @@ +From 9f00dc72a542143fcdb5a705d2bcdf53fd655dee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 14:06:12 -0500 +Subject: ASoC: sgtl5000: Reset the CHIP_CLK_CTRL reg on remove + +From: Detlev Casanova + +[ Upstream commit 0bb8e9b36b5b7f2e77892981ff6c27ee831d8026 ] + +Since commit bf2aebccddef ("ASoC: sgtl5000: Fix noise on shutdown/remove"), +the device power control registers are reset when the driver is +removed/shutdown. + +This is an issue when the device is configured to use the PLL clock. The +device will stop responding if it is still configured to use the PLL +clock but the PLL clock is powered down. + +When rebooting linux, the probe function will show: +sgtl5000 0-000a: Error reading chip id -11 + +Make sure that the CHIP_CLK_CTRL is reset to its default value before +powering down the device. + +Fixes: bf2aebccddef ("ASoC: sgtl5000: Fix noise on shutdown/remove") +Signed-off-by: Detlev Casanova +Reviewed-by: Fabio Estevam +Link: https://lore.kernel.org/r/20221110190612.1341469-1-detlev.casanova@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/sgtl5000.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c +index 13e752f8b3f7..0708b5019910 100644 +--- a/sound/soc/codecs/sgtl5000.c ++++ b/sound/soc/codecs/sgtl5000.c +@@ -1769,6 +1769,7 @@ static int sgtl5000_i2c_remove(struct i2c_client *client) + { + struct sgtl5000_priv *sgtl5000 = i2c_get_clientdata(client); + ++ regmap_write(sgtl5000->regmap, SGTL5000_CHIP_CLK_CTRL, SGTL5000_CHIP_CLK_CTRL_DEFAULT); + regmap_write(sgtl5000->regmap, SGTL5000_CHIP_DIG_POWER, SGTL5000_DIG_POWER_DEFAULT); + regmap_write(sgtl5000->regmap, SGTL5000_CHIP_ANA_POWER, SGTL5000_ANA_POWER_DEFAULT); + +-- +2.35.1 + 
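Review bot: The added `regmap_write(..., SGTL5000_CHIP_CLK_CTRL, SGTL5000_CHIP_CLK_CTRL_DEFAULT)` in sgtl5000_i2c_remove() only works because it runs before the two power-down writes, and nothing at the call site records that ordering. The commit message explains that the chip stops responding if it is still clocked from the PLL when the PLL is powered down, so I would add `/* must precede the power-down writes: leave PLL clocking before the PLL loses power */` above it. The return value is ignored like the two existing writes; a failed write here would bring back the "Error reading chip id" symptom silently, so a `dev_warn()` on error may be worth considering.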
diff --git a/queue-4.19/bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch b/queue-4.19/bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch
new file mode 100644
index 00000000000..f2e182b9c6e
--- /dev/null
+++ b/queue-4.19/bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch
@@ -0,0 +1,58 @@ +From 64f5a60d1cabc25f3eaa8681b142f10a70063c4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 15:02:02 +0800 +Subject: bnx2x: fix pci device refcount leak in bnx2x_vf_is_pcie_pending() + +From: Yang Yingliang + +[ Upstream commit 3637a29ccbb6461b7268c5c5db525935d510afc6 ] + +As comment of pci_get_domain_bus_and_slot() says, it returns +a pci device with refcount increment, when finish using it, +the caller must decrement the reference count by calling +pci_dev_put(). Call pci_dev_put() before returning from +bnx2x_vf_is_pcie_pending() to avoid refcount leak. + +Fixes: b56e9670ffa4 ("bnx2x: Prepare device and initialize VF database") +Suggested-by: Jakub Kicinski +Signed-off-by: Yang Yingliang +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20221119070202.1407648-1-yangyingliang@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c +index b3ff8d13c31a..83868f49b6c7 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c +@@ -806,16 +806,20 @@ static void bnx2x_vf_enable_traffic(struct bnx2x *bp, struct bnx2x_virtf *vf) + + static u8 bnx2x_vf_is_pcie_pending(struct bnx2x *bp, u8 abs_vfid) + { +- struct pci_dev *dev; + struct bnx2x_virtf *vf = bnx2x_vf_by_abs_fid(bp, abs_vfid); ++ struct pci_dev *dev; ++ bool pending; + + if (!vf) + return false; + + dev = pci_get_domain_bus_and_slot(vf->domain, vf->bus, vf->devfn); +- if (dev) +- return bnx2x_is_pcie_pending(dev); +- return false; ++ if (!dev) ++ return false; ++ pending = bnx2x_is_pcie_pending(dev); ++ pci_dev_put(dev); ++ ++ return pending; + } + + int bnx2x_vf_flr_clnup_epilog(struct bnx2x *bp, u8 abs_vfid) +-- +2.35.1 + 
diff --git a/queue-4.19/bus-sunxi-rsb-support-atomic-transfers.patch b/queue-4.19/bus-sunxi-rsb-support-atomic-transfers.patch
new file mode 100644
index 00000000000..285a1f8d621
--- /dev/null
+++ b/queue-4.19/bus-sunxi-rsb-support-atomic-transfers.patch
@@ -0,0 +1,92 @@ +From 53965a1d2688e659e3b4f2300508960eae1a7558 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Nov 2022 19:57:48 -0600 +Subject: bus: sunxi-rsb: Support atomic transfers + +From: Samuel Holland + +[ Upstream commit 077686da0e2162c4ea5ae0df205849c2a7a84479 ] + +When communicating with a PMIC during system poweroff (pm_power_off()), +IRQs are disabled and we are in a RCU read-side critical section, so we +cannot use wait_for_completion_io_timeout(). Instead, poll the status +register for transfer completion. + +Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus") +Signed-off-by: Samuel Holland +Reviewed-by: Jernej Skrabec +Link: https://lore.kernel.org/r/20221114015749.28490-3-samuel@sholland.org +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + drivers/bus/sunxi-rsb.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c +index b85d013a9185..d3fb350dc9ee 100644 +--- a/drivers/bus/sunxi-rsb.c ++++ b/drivers/bus/sunxi-rsb.c +@@ -268,6 +268,9 @@ EXPORT_SYMBOL_GPL(sunxi_rsb_driver_register); + /* common code that starts a transfer */ + static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb) + { ++ u32 int_mask, status; ++ bool timeout; ++ + if (readl(rsb->regs + RSB_CTRL) & RSB_CTRL_START_TRANS) { + dev_dbg(rsb->dev, "RSB transfer still in progress\n"); + return -EBUSY; +@@ -275,13 +278,23 @@ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb) + + reinit_completion(&rsb->complete); + +- writel(RSB_INTS_LOAD_BSY | RSB_INTS_TRANS_ERR | RSB_INTS_TRANS_OVER, +- rsb->regs + RSB_INTE); ++ int_mask = RSB_INTS_LOAD_BSY | RSB_INTS_TRANS_ERR | RSB_INTS_TRANS_OVER; ++ writel(int_mask, rsb->regs + RSB_INTE); + writel(RSB_CTRL_START_TRANS | RSB_CTRL_GLOBAL_INT_ENB, + rsb->regs + RSB_CTRL); + +- if (!wait_for_completion_io_timeout(&rsb->complete, +- msecs_to_jiffies(100))) { ++ if (irqs_disabled()) { ++ timeout = 
readl_poll_timeout_atomic(rsb->regs + RSB_INTS, ++ status, (status & int_mask), ++ 10, 100000); ++ writel(status, rsb->regs + RSB_INTS); ++ } else { ++ timeout = !wait_for_completion_io_timeout(&rsb->complete, ++ msecs_to_jiffies(100)); ++ status = rsb->status; ++ } ++ ++ if (timeout) { + dev_dbg(rsb->dev, "RSB timeout\n"); + + /* abort the transfer */ +@@ -293,18 +306,18 @@ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb) + return -ETIMEDOUT; + } + +- if (rsb->status & RSB_INTS_LOAD_BSY) { ++ if (status & RSB_INTS_LOAD_BSY) { + dev_dbg(rsb->dev, "RSB busy\n"); + return -EBUSY; + } + +- if (rsb->status & RSB_INTS_TRANS_ERR) { +- if (rsb->status & RSB_INTS_TRANS_ERR_ACK) { ++ if (status & RSB_INTS_TRANS_ERR) { ++ if (status & RSB_INTS_TRANS_ERR_ACK) { + dev_dbg(rsb->dev, "RSB slave nack\n"); + return -EINVAL; + } + +- if (rsb->status & RSB_INTS_TRANS_ERR_DATA) { ++ if (status & RSB_INTS_TRANS_ERR_DATA) { + dev_dbg(rsb->dev, "RSB transfer data error\n"); + return -EIO; + } +-- +2.35.1 + diff --git a/queue-4.19/dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch b/queue-4.19/dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch new file mode 100644 index 00000000000..458264dc338 --- /dev/null +++ b/queue-4.19/dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch 
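Review bot: `if (irqs_disabled())` in _sunxi_rsb_run_xfer() is the only test that selects the polling path, so a caller that is atomic for another reason (for example holding a spinlock with IRQs on) would still reach wait_for_completion_io_timeout() and sleep. The commit message names pm_power_off() as the one intended atomic caller, and the branch should say so: `/* poweroff path: IRQs are off, so poll RSB_INTS instead of sleeping on the completion */`. The two timeouts encode the same 100 ms as `10, 100000` and `msecs_to_jiffies(100)`; a shared named constant would keep them from drifting apart. The function starts before and continues after these hunks.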
@@ -0,0 +1,113 @@ +From 89e4e404fe37163acefed67be3410791f055cb42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 17:49:11 -0800 +Subject: dccp/tcp: Reset saddr on failure after inet6?_hash_connect(). + +From: Kuniyuki Iwashima + +[ Upstream commit 77934dc6db0d2b111a8f2759e9ad2fb67f5cffa5 ] + +When connect() is called on a socket bound to the wildcard address, +we change the socket's saddr to a local address. If the socket +fails to connect() to the destination, we have to reset the saddr. + +However, when an error occurs after inet_hash6?_connect() in +(dccp|tcp)_v[46]_conect(), we forget to reset saddr and leave +the socket bound to the address. + +From the user's point of view, whether saddr is reset or not varies +with errno. Let's fix this inconsistent behaviour. + +Note that after this patch, the repro [0] will trigger the WARN_ON() +in inet_csk_get_port() again, but this patch is not buggy and rather +fixes a bug papering over the bhash2's bug for which we need another +fix. 
+ +For the record, the repro causes -EADDRNOTAVAIL in inet_hash6_connect() +by this sequence: + + s1 = socket() + s1.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1) + s1.bind(('127.0.0.1', 10000)) + s1.sendto(b'hello', MSG_FASTOPEN, (('127.0.0.1', 10000))) + # or s1.connect(('127.0.0.1', 10000)) + + s2 = socket() + s2.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1) + s2.bind(('0.0.0.0', 10000)) + s2.connect(('127.0.0.1', 10000)) # -EADDRNOTAVAIL + + s2.listen(32) # WARN_ON(inet_csk(sk)->icsk_bind2_hash != tb2); + +[0]: https://syzkaller.appspot.com/bug?extid=015d756bbd1f8b5c8f09 + +Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6") +Fixes: 7c657876b63c ("[DCCP]: Initial implementation") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Joanne Koong +Reviewed-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dccp/ipv4.c | 2 ++ + net/dccp/ipv6.c | 2 ++ + net/ipv4/tcp_ipv4.c | 2 ++ + net/ipv6/tcp_ipv6.c | 2 ++ + 4 files changed, 8 insertions(+) + +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c +index 7e93087d1366..c021d5dde8f7 100644 +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -134,6 +134,8 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + * This unhashes the socket and releases the local port, if necessary. 
+ */ + dccp_set_state(sk, DCCP_CLOSED); ++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) ++ inet_reset_saddr(sk); + ip_rt_put(rt); + sk->sk_route_caps = 0; + inet->inet_dport = 0; +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index ae4851fdbe9e..72803e1ea10a 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -957,6 +957,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + + late_failure: + dccp_set_state(sk, DCCP_CLOSED); ++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) ++ inet_reset_saddr(sk); + __sk_dst_reset(sk); + failure: + inet->inet_dport = 0; +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 6549e07ce19c..bd374eac9a75 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -328,6 +328,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + * if necessary. + */ + tcp_set_state(sk, TCP_CLOSE); ++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) ++ inet_reset_saddr(sk); + ip_rt_put(rt); + sk->sk_route_caps = 0; + inet->inet_dport = 0; +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 7a5a7a4265cf..babf69b2403b 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -327,6 +327,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + + late_failure: + tcp_set_state(sk, TCP_CLOSE); ++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) ++ inet_reset_saddr(sk); + failure: + inet->inet_dport = 0; + sk->sk_route_caps = 0; +-- +2.35.1 + diff --git a/queue-4.19/drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch b/queue-4.19/drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch new file mode 100644 index 00000000000..06c11618db0 --- /dev/null +++ b/queue-4.19/drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch 
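Review bot: The pair `if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) inet_reset_saddr(sk);` is pasted into four connect() error paths (dccp_v4_connect, dccp_v6_connect, tcp_v4_connect, tcp_v6_connect) with no comment explaining the lock-flag test. The condition is the important part: an address chosen by an explicit bind() has to survive the failed connect(), and only the auto-selected one is undone. Each site would benefit from `/* saddr was auto-selected for a wildcard bind; drop it so a failed connect() leaves the socket unbound */`. Four identical copies are also easy to update unevenly, so a small shared helper would be worth considering if the stable tree permits diverging from upstream. All four functions extend beyond their hunks.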
@@ -0,0 +1,53 @@ +From 80b5df01ca538aa0718717a33f880e47c5c5ad19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 16:11:34 +0800 +Subject: Drivers: hv: vmbus: fix double free in the error path of + vmbus_add_channel_work() + +From: Yang Yingliang + +[ Upstream commit f92a4b50f0bd7fd52391dc4bb9a309085d278f91 ] + +In the error path of vmbus_device_register(), device_unregister() +is called, which calls vmbus_device_release(). The latter frees +the struct hv_device that was passed in to vmbus_device_register(). +So remove the kfree() in vmbus_add_channel_work() to avoid a double +free. + +Fixes: c2e5df616e1a ("vmbus: add per-channel sysfs info") +Suggested-by: Michael Kelley +Signed-off-by: Yang Yingliang +Reviewed-by: Michael Kelley +Link: https://lore.kernel.org/r/20221119081135.1564691-2-yangyingliang@huawei.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/channel_mgmt.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c +index a3f6933f94e3..ccfa5ceb43c0 100644 +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -508,13 +508,17 @@ static void vmbus_add_channel_work(struct work_struct *work) + * Add the new device to the bus. This will kick off device-driver + * binding which eventually invokes the device driver's AddDevice() + * method. ++ * ++ * If vmbus_device_register() fails, the 'device_obj' is freed in ++ * vmbus_device_release() as called by device_unregister() in the ++ * error path of vmbus_device_register(). In the outside error ++ * path, there's no need to free it. + */ + ret = vmbus_device_register(newchannel->device_obj); + + if (ret != 0) { + pr_err("unable to add child device object (relid %d)\n", + newchannel->offermsg.child_relid); +- kfree(newchannel->device_obj); + goto err_deq_chan; + } + +-- +2.35.1 + 
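Review bot: With the `kfree()` gone, `newchannel->device_obj` still holds the pointer that vmbus_device_release() has already freed when control reaches `goto err_deq_chan`. That label is outside the hunk; if anything there or later reads the field, it is a use-after-free, and `newchannel->device_obj = NULL;` before the goto would make the state explicit. The removal is also only leak-free once every failure exit of vmbus_device_register() drops the device, which the companion patch in this same queue (put_device() after a failed device_register()) provides, so the two should not be applied separately.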
diff --git a/queue-4.19/drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch b/queue-4.19/drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch new file mode 100644 index 00000000000..5606dd6fe81 --- /dev/null +++ b/queue-4.19/drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch @@ -0,0 +1,41 @@ +From 9b35834e3c1a253cdf125dd6d31111b2aa49068d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 16:11:35 +0800 +Subject: Drivers: hv: vmbus: fix possible memory leak in + vmbus_device_register() + +From: Yang Yingliang + +[ Upstream commit 25c94b051592c010abe92c85b0485f1faedc83f3 ] + +If device_register() returns error in vmbus_device_register(), +the name allocated by dev_set_name() must be freed. As comment +of device_register() says, it should use put_device() to give +up the reference in the error path. So fix this by calling +put_device(), then the name can be freed in kobject_cleanup(). + +Fixes: 09d50ff8a233 ("Staging: hv: make the Hyper-V virtual bus code build") +Signed-off-by: Yang Yingliang +Reviewed-by: Michael Kelley +Link: https://lore.kernel.org/r/20221119081135.1564691-3-yangyingliang@huawei.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/vmbus_drv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 9cbe0b00ebf7..a2a304e7d10c 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -1634,6 +1634,7 @@ int vmbus_device_register(struct hv_device *child_device_obj) + ret = device_register(&child_device_obj->device); + if (ret) { + pr_err("Unable to register child device\n"); ++ put_device(&child_device_obj->device); + return ret; + } + +-- +2.35.1 + diff --git a/queue-4.19/net-mlx4-check-retval-of-mlx4_bitmap_init.patch b/queue-4.19/net-mlx4-check-retval-of-mlx4_bitmap_init.patch new file mode 100644 index 00000000000..673524d0184 --- /dev/null +++ b/queue-4.19/net-mlx4-check-retval-of-mlx4_bitmap_init.patch 
@@ -0,0 +1,43 @@
+From 0d9c24133b8d4eabe0ce132cff20a17d826a205c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 18:28:06 +0300
+Subject: net/mlx4: Check retval of mlx4_bitmap_init
+
+From: Peter Kosyh
+
+[ Upstream commit 594c61ffc77de0a197934aa0f1df9285c68801c6 ]
+
+If mlx4_bitmap_init fails, mlx4_bitmap_alloc_range will dereference
+the NULL pointer (bitmap->table).
+
+Make sure, that mlx4_bitmap_alloc_range called in no error case.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d57febe1a478 ("net/mlx4: Add A0 hybrid steering")
+Reviewed-by: Tariq Toukan
+Signed-off-by: Peter Kosyh
+Link: https://lore.kernel.org/r/20221117152806.278072-1-pkosyh@yandex.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx4/qp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c
+index 427e7a31862c..d7f2890c254f 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
+@@ -697,7 +697,8 @@ static int mlx4_create_zones(struct mlx4_dev *dev,
+ err = mlx4_bitmap_init(*bitmap + k, 1,
+ MLX4_QP_TABLE_RAW_ETH_SIZE - 1, 0,
+ 0);
+- mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0);
++ if (!err)
++ mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0);
+ }
+
+ if (err)
+--
+2.35.1
+
diff --git a/queue-4.19/net-mlx5-fix-fw-tracer-timestamp-calculation.patch b/queue-4.19/net-mlx5-fix-fw-tracer-timestamp-calculation.patch
new file mode 100644
index 00000000000..77d4952a3c4
--- /dev/null
+++ b/queue-4.19/net-mlx5-fix-fw-tracer-timestamp-calculation.patch
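Review bot: The value returned by `mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0)` is still discarded in mlx4_create_zones(), so a failed reservation would pass unnoticed even though the result of `mlx4_bitmap_init()` is now checked. If the call only reserves an entry in the bitmap that was just initialised and cannot fail there, a comment saying so would explain the unchecked call; otherwise its result should feed `err` as well. The function starts and ends outside the hunk, so what the `if (err)` path unwinds is not visible here.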
@@ -0,0 +1,38 @@
+From 44ce38c8a0865f9cebb0500376eecc85403c0043 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Oct 2022 12:25:59 +0300
+Subject: net/mlx5: Fix FW tracer timestamp calculation
+
+From: Moshe Shemesh
+
+[ Upstream commit 61db3d7b99a367416e489ccf764cc5f9b00d62a1 ]
+
+Fix a bug in calculation of FW tracer timestamp. Decreasing one in the
+calculation should effect only bits 52_7 and not effect bits 6_0 of the
+timestamp, otherwise bits 6_0 are always set in this calculation.
+
+Fixes: 70dd6fdb8987 ("net/mlx5: FW tracer, parse traces and kernel tracing support")
+Signed-off-by: Moshe Shemesh
+Reviewed-by: Feras Daoud
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index a22e932a00b0..ef9f932f0226 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -600,7 +600,7 @@ static void mlx5_tracer_handle_timestamp_trace(struct mlx5_fw_tracer *tracer,
+ trace_timestamp = (timestamp_event.timestamp & MASK_52_7) |
+ (str_frmt->timestamp & MASK_6_0);
+ else
+- trace_timestamp = ((timestamp_event.timestamp & MASK_52_7) - 1) |
++ trace_timestamp = ((timestamp_event.timestamp - 1) & MASK_52_7) |
+ (str_frmt->timestamp & MASK_6_0);
+
+ mlx5_tracer_print_trace(str_frmt, dev, trace_timestamp);
+--
+2.35.1
+
diff --git a/queue-4.19/net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch b/queue-4.19/net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch
new file mode 100644
index 00000000000..8268be366c4
--- /dev/null
+++ b/queue-4.19/net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch
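Review bot: `((timestamp_event.timestamp - 1) & MASK_52_7)` lowers the 52_7 field only when bits 6_0 of `timestamp_event.timestamp` are all zero, because otherwise the subtraction never borrows from bit 7. The removed expression lowered the field in every case, so the two forms differ whenever the low bits are non-zero. If those bits are guaranteed to be clear for a timestamp event, a comment stating it would make the new form self-explanatory, for instance `/* bits 6_0 of the event timestamp are zero, so -1 borrows from bit 7 */`; the hunk does not show how the field is filled, and the enclosing function extends beyond it.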
@@ -0,0 +1,60 @@
+From 017d5e8cda7c28924d3271ee2ce40f97a380047c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 21:51:48 +0800
+Subject: net: pch_gbe: fix pci device refcount leak while module exiting
+
+From: Yang Yingliang
+
+[ Upstream commit 5619537284f1017e9f6c7500b02b859b3830a06d ]
+
+As comment of pci_get_domain_bus_and_slot() says, it returns
+a pci device with refcount increment, when finish using it,
+the caller must decrement the reference count by calling
+pci_dev_put().
+
+In pch_gbe_probe(), pci_get_domain_bus_and_slot() is called,
+so in error path in probe() and remove() function, pci_dev_put()
+should be called to avoid refcount leak. Compile tested only.
+
+Fixes: 1a0bdadb4e36 ("net/pch_gbe: supports eg20t ptp clock")
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20221117135148.301014-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+index 9cbed8fa505a..d85d51201e36 100644
+--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+@@ -2492,6 +2492,7 @@ static void pch_gbe_remove(struct pci_dev *pdev)
+ unregister_netdev(netdev);
+
+ pch_gbe_phy_hw_reset(&adapter->hw);
++ pci_dev_put(adapter->ptp_pdev);
+
+ free_netdev(netdev);
+ }
+@@ -2573,7 +2574,7 @@ static int pch_gbe_probe(struct pci_dev *pdev,
+ /* setup the private structure */
+ ret = pch_gbe_sw_init(adapter);
+ if (ret)
+- goto err_free_netdev;
++ goto err_put_dev;
+
+ /* Initialize PHY */
+ ret = pch_gbe_init_phy(adapter);
+@@ -2631,6 +2632,8 @@ static int pch_gbe_probe(struct pci_dev *pdev,
+
+ err_free_adapter:
+ pch_gbe_phy_hw_reset(&adapter->hw);
++err_put_dev:
++ pci_dev_put(adapter->ptp_pdev);
+ err_free_netdev:
+ free_netdev(netdev);
+ return ret;
+--
+2.35.1
+
diff --git a/queue-4.19/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch b/queue-4.19/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch
new file mode 100644
index 00000000000..a88107fec17
--- /dev/null
+++ b/queue-4.19/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch
@@ -0,0 +1,38 @@
+From 08c192dd3dc6a36051cf32fcbe315d99b2b67e72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 14:55:27 +0800
+Subject: net: pch_gbe: fix potential memleak in pch_gbe_tx_queue()
+
+From: Wang Hai
+
+[ Upstream commit 2360f9b8c4e81d242d4cbf99d630a2fffa681fab ]
+
+In pch_gbe_xmit_frame(), NETDEV_TX_OK will be returned whether
+pch_gbe_tx_queue() sends data successfully or not, so pch_gbe_tx_queue()
+needs to free skb before returning. But pch_gbe_tx_queue() returns without
+freeing skb in case of dma_map_single() fails. Add dev_kfree_skb_any()
+to fix it.
+
+Fixes: 77555ee72282 ("net: Add Gigabit Ethernet driver of Topcliff PCH")
+Signed-off-by: Wang Hai
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+index 5a45648e3124..9cbed8fa505a 100644
+--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+@@ -1177,6 +1177,7 @@ static void pch_gbe_tx_queue(struct pch_gbe_adapter *adapter,
+ buffer_info->dma = 0;
+ buffer_info->time_stamp = 0;
+ tx_ring->next_to_use = ring_num;
++ dev_kfree_skb_any(skb);
+ return;
+ }
+ buffer_info->mapped = true;
+--
+2.35.1
+
diff --git a/queue-4.19/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch b/queue-4.19/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch
new file mode 100644
index 00000000000..edbc596c74c
--- /dev/null
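Review bot: Both new `pci_dev_put(adapter->ptp_pdev);` calls, in pch_gbe_remove() and under the `err_put_dev:` label of pch_gbe_probe(), run whether or not a PTP device was ever found, which is correct only because pci_dev_put() accepts a NULL pointer. A short comment at the label, such as `/* ptp_pdev may be NULL; pci_dev_put() tolerates that */`, would keep a later edit from adding a dereference there. The commit message states the change was compile tested only, and the assignment of `ptp_pdev` lies outside the hunks, so the unload path deserves a run on hardware before the backport is relied on.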
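Review bot: The packet released by the new `dev_kfree_skb_any(skb);` in the mapping-failure branch of pch_gbe_tx_queue() is dropped with no accounting visible in the hunk, and the same applies to the `dev_kfree_skb_any(skb);` added to the invalid-segment-count branch of ql3xxx_send() in the qla3xxx patch that follows. Both paths still report NETDEV_TX_OK to the stack, so incrementing the device's `tx_dropped` counter next to the free would keep the loss observable to operators. Both functions extend beyond their hunks, so a counter update elsewhere cannot be ruled out from this page.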
+++ b/queue-4.19/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch
@@ -0,0 +1,36 @@
+From e69f8a14b948593af7c096cec31dc0b3b79d6e47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 16:50:38 +0800
+Subject: net/qla3xxx: fix potential memleak in ql3xxx_send()
+
+From: Zhang Changzhong
+
+[ Upstream commit 62a7311fb96c61d281da9852dbee4712fc8c3277 ]
+
+The ql3xxx_send() returns NETDEV_TX_OK without freeing skb in error
+handling case, add dev_kfree_skb_any() to fix it.
+
+Fixes: bd36b0ac5d06 ("qla3xxx: Add support for Qlogic 4032 chip.")
+Signed-off-by: Zhang Changzhong
+Link: https://lore.kernel.org/r/1668675039-21138-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
+index 51e17a635d4b..7a65a1534e41 100644
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -2477,6 +2477,7 @@ static netdev_tx_t ql3xxx_send(struct sk_buff *skb,
+ skb_shinfo(skb)->nr_frags);
+ if (tx_cb->seg_count == -1) {
+ netdev_err(ndev, "%s: invalid segment count!\n", __func__);
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.19/net-thunderx-fix-the-acpi-memory-leak.patch b/queue-4.19/net-thunderx-fix-the-acpi-memory-leak.patch
new file mode 100644
index 00000000000..ab285b81ec0
--- /dev/null
+++ b/queue-4.19/net-thunderx-fix-the-acpi-memory-leak.patch
@@ -0,0 +1,41 @@
+From ac4d360d5434308867bbeb89d831b7f30891503d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Nov 2022 16:22:36 +0800
+Subject: net: thunderx: Fix the ACPI memory leak
+
+From: Yu Liao
+
+[ Upstream commit 661e5ebbafd26d9d2e3c749f5cf591e55c7364f5 ]
+
+The ACPI buffer memory (string.pointer) should be freed as the buffer is
+not used after returning from bgx_acpi_match_id(), free it to prevent
+memory leak.
+
+Fixes: 46b903a01c05 ("net, thunder, bgx: Add support to get MAC address from ACPI.")
+Signed-off-by: Yu Liao
+Link: https://lore.kernel.org/r/20221123082237.1220521-1-liaoyu15@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index e5fc89813852..3cde9a2a0ab7 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1447,8 +1447,10 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl,
+ return AE_OK;
+ }
+
+- if (strncmp(string.pointer, bgx_sel, 4))
++ if (strncmp(string.pointer, bgx_sel, 4)) {
++ kfree(string.pointer);
+ return AE_OK;
++ }
+
+ acpi_walk_namespace(ACPI_TYPE_DEVICE, handle, 1,
+ bgx_acpi_register_phy, NULL, bgx, NULL);
+--
+2.35.1
+
diff --git a/queue-4.19/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch b/queue-4.19/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch
new file mode 100644
index 00000000000..87b79a467df
--- /dev/null
+++ b/queue-4.19/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch
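Review bot: The new `kfree(string.pointer);` covers only the mismatch return of bgx_acpi_match_id(); the return that follows `acpi_walk_namespace()` lies outside the hunk, so it cannot be confirmed from here that the buffer is released on the match path as well. Routing both returns through a single cleanup statement would keep the two paths from drifting apart in later edits. A one-line comment such as `/* string.pointer was allocated by the ACPI name lookup above */` would also record why this function owns the buffer, assuming that lookup is what fills it.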
@@ -0,0 +1,61 @@
+From 886b5b4c1bbdb78823553d4f213b88e6e3124594 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 16:24:19 +0800
+Subject: NFC: nci: fix memory leak in nci_rx_data_packet()
+
+From: Liu Shixin
+
+[ Upstream commit 53270fb0fd77fe786d8c07a0793981d797836b93 ]
+
+Syzbot reported a memory leak about skb:
+
+unreferenced object 0xffff88810e144e00 (size 240):
+ comm "syz-executor284", pid 3701, jiffies 4294952403 (age 12.620s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:497
+ [] alloc_skb include/linux/skbuff.h:1267 [inline]
+ [] virtual_ncidev_write+0x24/0xe0 drivers/nfc/virtual_ncidev.c:116
+ [] do_loop_readv_writev fs/read_write.c:759 [inline]
+ [] do_loop_readv_writev fs/read_write.c:743 [inline]
+ [] do_iter_write+0x253/0x300 fs/read_write.c:863
+ [] vfs_writev+0xdd/0x240 fs/read_write.c:934
+ [] do_writev+0xa6/0x1c0 fs/read_write.c:977
+ [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ [] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+In nci_rx_data_packet(), if we don't get a valid conn_info, we will return
+directly but forget to release the skb.
+
+Reported-by: syzbot+cdb9a427d1bc08815104@syzkaller.appspotmail.com
+Fixes: 4aeee6871e8c ("NFC: nci: Add dynamic logical connections support")
+Signed-off-by: Liu Shixin
+Link: https://lore.kernel.org/r/20221118082419.239475-1-liushixin2@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/nfc/nci/data.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c
+index 9e3f9460f14f..5d46d8dfad72 100644
+--- a/net/nfc/nci/data.c
++++ b/net/nfc/nci/data.c
+@@ -291,8 +291,10 @@ void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb)
+ nci_plen(skb->data));
+
+ conn_info = nci_get_conn_info_by_conn_id(ndev, nci_conn_id(skb->data));
+- if (!conn_info)
++ if (!conn_info) {
++ kfree_skb(skb);
+ return;
++ }
+
+ /* strip the nci data header */
+ skb_pull(skb, NCI_DATA_HDR_SIZE);
+--
+2.35.1
+
diff --git a/queue-4.19/nfc-nci-fix-race-with-opening-and-closing.patch b/queue-4.19/nfc-nci-fix-race-with-opening-and-closing.patch
new file mode 100644
index 00000000000..79a4db30012
--- /dev/null
+++ b/queue-4.19/nfc-nci-fix-race-with-opening-and-closing.patch
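Review bot: `nci_plen(skb->data)` and `nci_conn_id(skb->data)` read the data header in nci_rx_data_packet() before any length test that is visible in this hunk, while the syzbot trace in the commit message shows the buffer arriving from a userspace write through virtual_ncidev_write(). Unless the caller already guarantees a full header, the early exit that now frees the skb should be preceded by `if (skb->len < NCI_DATA_HDR_SIZE) { kfree_skb(skb); return; }` placed ahead of those reads. The start of the function is outside the hunk, so an existing check there cannot be excluded.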
@@ -0,0 +1,42 @@
+From e4ed256db35654f4e22807be1ea3d55f625be2d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 21:02:49 +0800
+Subject: nfc/nci: fix race with opening and closing
+
+From: Lin Ma
+
+[ Upstream commit 0ad6bded175e829c2ca261529c9dce39a32a042d ]
+
+Previously we leverage NCI_UNREG and the lock inside nci_close_device to
+prevent the race condition between opening a device and closing a
+device. However, it still has problem because a failed opening command
+will erase the NCI_UNREG flag and allow another opening command to
+bypass the status checking.
+
+This fix corrects that by making sure the NCI_UNREG is held.
+
+Reported-by: syzbot+43475bf3cfbd6e41f5b7@syzkaller.appspotmail.com
+Fixes: 48b71a9e66c2 ("NFC: add NCI_UNREG flag to eliminate the race")
+Signed-off-by: Lin Ma
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/nfc/nci/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 0580e5326641..66608e6c5b0e 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -542,7 +542,7 @@ static int nci_open_device(struct nci_dev *ndev)
+ skb_queue_purge(&ndev->tx_q);
+
+ ndev->ops->close(ndev);
+- ndev->flags = 0;
++ ndev->flags &= BIT(NCI_UNREG);
+ }
+
+ done:
+--
+2.35.1
+
diff --git a/queue-4.19/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch b/queue-4.19/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch
new file mode 100644
index 00000000000..dccb0613cb3
--- /dev/null
+++ b/queue-4.19/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch
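Review bot: `ndev->flags &= BIT(NCI_UNREG);` in nci_open_device() is a plain read-modify-write, so if NCI_UNREG is set with an atomic bit operation by a path that does not hold the lock protecting this code, the set can land between the load and the store and be lost, which would reopen the race this patch closes. Whether that can happen depends on where the flag is set, and that code is outside the hunk. If it can, clearing the remaining flags individually with `clear_bit()` would avoid the window; otherwise a comment naming the lock that serialises the two sides would make the guarantee explicit.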
@@ -0,0 +1,41 @@
+From 3036ca57ebc62b5876c63264a2245129537c5456 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Nov 2022 18:42:44 -0600
+Subject: nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION
+
+From: Martin Faltesek
+
+[ Upstream commit c60c152230828825c06e62a8f1ce956d4b659266 ]
+
+The first validation check for EVT_TRANSACTION has two different checks
+tied together with logical AND. One is a check for minimum packet length,
+and the other is for a valid aid_tag. If either condition is true (fails),
+then an error should be triggered. The fix is to change && to ||.
+
+Reported-by: Denis Efremov
+Reviewed-by: Guenter Roeck
+Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support")
+Signed-off-by: Martin Faltesek
+Reviewed-by: Krzysztof Kozlowski
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/nfc/st-nci/se.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
+index 5d6e7e931bc6..7774a7196bb3 100644
+--- a/drivers/nfc/st-nci/se.c
++++ b/drivers/nfc/st-nci/se.c
+@@ -338,7 +338,7 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev,
+ * AID 81 5 to 16
+ * PARAMETERS 82 0 to 255
+ */
+- if (skb->len < NFC_MIN_AID_LENGTH + 2 &&
++ if (skb->len < NFC_MIN_AID_LENGTH + 2 ||
+ skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
+ return -EPROTO;
+
+--
+2.35.1
+
diff --git a/queue-4.19/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch b/queue-4.19/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch
new file mode 100644
index 00000000000..0d7f0c9883e
--- /dev/null
+++ b/queue-4.19/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch
@@ -0,0 +1,42 @@
+From a6d4bb150f6057fecb3748a7c44ef5876a31c39d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Nov 2022 18:42:45 -0600
+Subject: nfc: st-nci: fix memory leaks in EVT_TRANSACTION
+
+From: Martin Faltesek
+
+[ Upstream commit 440f2ae9c9f06e26f5dcea697a53717fc61a318c ]
+
+Error path does not free previously allocated memory. Add devm_kfree() to
+the failure path.
+
+Reported-by: Denis Efremov
+Reviewed-by: Guenter Roeck
+Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support")
+Signed-off-by: Martin Faltesek
+Reviewed-by: Krzysztof Kozlowski
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/nfc/st-nci/se.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
+index 7774a7196bb3..cdf9e915c974 100644
+--- a/drivers/nfc/st-nci/se.c
++++ b/drivers/nfc/st-nci/se.c
+@@ -352,8 +352,10 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev,
+
+ /* Check next byte is PARAMETERS tag (82) */
+ if (skb->data[transaction->aid_len + 2] !=
+- NFC_EVT_TRANSACTION_PARAMS_TAG)
++ NFC_EVT_TRANSACTION_PARAMS_TAG) {
++ devm_kfree(dev, transaction);
+ return -EPROTO;
++ }
+
+ transaction->params_len = skb->data[transaction->aid_len + 3];
+ memcpy(transaction->params, skb->data +
+--
+2.35.1
+
diff --git a/queue-4.19/s390-crashdump-fix-tod-programmable-field-size.patch b/queue-4.19/s390-crashdump-fix-tod-programmable-field-size.patch
new file mode 100644
index 00000000000..c0649154323
--- /dev/null
+++ b/queue-4.19/s390-crashdump-fix-tod-programmable-field-size.patch
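Review bot: The reads at `skb->data[transaction->aid_len + 2]` and `skb->data[transaction->aid_len + 3]`, and the `memcpy()` into `transaction->params` that follows, index the packet with a length byte taken from the packet itself, and the only length test visible on this page is the `skb->len < NFC_MIN_AID_LENGTH + 2` minimum touched by the companion st-nci patch. Unless st_nci_hci_connectivity_event_received() compares `aid_len` and `params_len` with `skb->len` and with the size of the `transaction` allocation in lines outside the hunk, a malformed EVT_TRANSACTION can make the driver read or copy past the buffer. A check such as `if (skb->len < transaction->aid_len + 4) { devm_kfree(dev, transaction); return -EPROTO; }` ahead of the tag test would bound the two reads; the allocation size is not shown, so the copy needs the same scrutiny.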
@@ -0,0 +1,61 @@
+From 20ced5645aff31b6f296b5f590073fdb62e09f94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 13:05:39 +0100
+Subject: s390/crashdump: fix TOD programmable field size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Heiko Carstens
+
+[ Upstream commit f44e07a8afdd713ddc1a8832c39372fe5dd86895 ]
+
+The size of the TOD programmable field was incorrectly increased from
+four to eight bytes with commit 1a2c5840acf9 ("s390/dump: cleanup CPU
+save area handling").
+This leads to an elf notes section NT_S390_TODPREG which has a size of
+eight instead of four bytes in case of kdump, however even worse is
+that the contents is incorrect: it is supposed to contain only the
+contents of the TOD programmable field, but in fact contains a mix of
+the TOD programmable field (32 bit upper bits) and parts of the CPU
+timer register (lower 32 bits).
+
+Fix this by simply changing the size of the todpreg field within the
+save area structure. This will implicitly also fix the size of the
+corresponding elf notes sections.
+
+This also gets rid of this compile time warning:
+
+in function ‘fortify_memcpy_chk’,
+ inlined from ‘save_area_add_regs’ at arch/s390/kernel/crash_dump.c:99:2:
+./include/linux/fortify-string.h:413:25: error: call to ‘__read_overflow2_field’
+ declared with attribute warning: detected read beyond size of field
+ (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
+ 413 | __read_overflow2_field(q_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fixes: 1a2c5840acf9 ("s390/dump: cleanup CPU save area handling")
+Reviewed-by: Christian Borntraeger
+Signed-off-by: Heiko Carstens
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kernel/crash_dump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/crash_dump.c b/arch/s390/kernel/crash_dump.c
+index 376f6b6dfb3c..7fb7d4dc18dc 100644
+--- a/arch/s390/kernel/crash_dump.c
++++ b/arch/s390/kernel/crash_dump.c
+@@ -45,7 +45,7 @@ struct save_area {
+ u64 fprs[16];
+ u32 fpc;
+ u32 prefix;
+- u64 todpreg;
++ u32 todpreg;
+ u64 timer;
+ u64 todcmp;
+ u64 vxrs_low[16];
+--
+2.35.1
+
diff --git a/queue-4.19/s390-dasd-fix-no-record-found-for-raw_track_access.patch b/queue-4.19/s390-dasd-fix-no-record-found-for-raw_track_access.patch
new file mode 100644
index 00000000000..da5751137f0
--- /dev/null
+++ b/queue-4.19/s390-dasd-fix-no-record-found-for-raw_track_access.patch
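Review bot: Narrowing `todpreg` to `u32` leaves three consecutive 32-bit members in front of `u64 timer`, so unless struct save_area is packed the compiler now inserts four bytes of padding after `todpreg`. That is harmless as long as the structure is only read member by member, which the `save_area_add_regs` copy quoted in the commit message suggests, but it would matter if the structure were ever copied out as one block. A comment on the member, e.g. `u32 todpreg; /* TOD programmable field is 32 bits wide */`, would also keep the width from being widened again; the rest of the structure is outside the hunk.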
@@ -0,0 +1,75 @@
+From 778aa8a9cae8e34b8a3c71c4abc2a4d8878973bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Nov 2022 17:07:18 +0100
+Subject: s390/dasd: fix no record found for raw_track_access
+
+From: Stefan Haberland
+
+[ Upstream commit 590ce6d96d6a224b470a3862c33a483d5022bfdb ]
+
+For DASD devices in raw_track_access mode only full track images are
+read and written.
+For this purpose it is not necessary to do search operation in the
+locate record extended function. The documentation even states that
+this might fail if the searched record is not found on a track.
+
+Currently the driver sets a value of 1 in the search field for the first
+record after record zero. This is the default for disks not in
+raw_track_access mode but record 1 might be missing on a completely
+empty track.
+
+There has not been any problem with this on IBM storage servers but it
+might lead to errors with DASD devices on other vendors storage servers.
+
+Fix this by setting the search field to 0. Record zero is always available
+even on a completely empty track.
+
+Fixes: e4dbb0f2b5dd ("[S390] dasd: Add support for raw ECKD access.")
+Signed-off-by: Stefan Haberland
+Reviewed-by: Jan Hoeppner
+Link: https://lore.kernel.org/r/20221123160719.3002694-4-sth@linux.ibm.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/block/dasd_eckd.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
+index a2e34c853ca9..4d6fd3205be7 100644
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -3788,7 +3788,6 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev,
+ struct dasd_device *basedev;
+ struct req_iterator iter;
+ struct dasd_ccw_req *cqr;
+- unsigned int first_offs;
+ unsigned int trkcount;
+ unsigned long *idaws;
+ unsigned int size;
+@@ -3822,7 +3821,6 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev,
+ last_trk = (blk_rq_pos(req) + blk_rq_sectors(req) - 1) /
+ DASD_RAW_SECTORS_PER_TRACK;
+ trkcount = last_trk - first_trk + 1;
+- first_offs = 0;
+
+ if (rq_data_dir(req) == READ)
+ cmd = DASD_ECKD_CCW_READ_TRACK;
+@@ -3866,13 +3864,13 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev,
+
+ if (use_prefix) {
+ prefix_LRE(ccw++, data, first_trk, last_trk, cmd, basedev,
+- startdev, 1, first_offs + 1, trkcount, 0, 0);
++ startdev, 1, 0, trkcount, 0, 0);
+ } else {
+ define_extent(ccw++, data, first_trk, last_trk, cmd, basedev, 0);
+ ccw[-1].flags |= CCW_FLAG_CC;
+
+ data += sizeof(struct DE_eckd_data);
+- locate_record_ext(ccw++, data, first_trk, first_offs + 1,
++ locate_record_ext(ccw++, data, first_trk, 0,
+ trkcount, cmd, basedev, 0, 0);
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index bf54aa36d8d..a8a4c3b1051 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
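Review bot: The bare `0` now passed to `prefix_LRE()` and `locate_record_ext()` in dasd_eckd_build_cp_raw() carries the whole reasoning of the commit message and has no comment beside it. A line such as `/* search for record zero, which exists even on an empty track */` above the `if (use_prefix)` block would keep a later cleanup from restoring `1`, the value used outside raw_track_access mode according to the commit message. The function starts and ends outside these hunks.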
@@ -5,3 +5,30 @@ spi-stm32-fix-stm32_spi_prepare_mbr-that-halves-spi-.patch drm-panel-orientation-quirks-add-quirk-for-acer-swit.patch risc-v-vdso-do-not-add-missing-symbols-to-version-se.patch mips-pic32-treat-port-as-signed-integer.patch +af_key-fix-send_acquire-race-with-pfkey_register.patch +arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch +asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch +bus-sunxi-rsb-support-atomic-transfers.patch +arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch +nfc-nci-fix-race-with-opening-and-closing.patch +net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch +9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch +arm-mxs-fix-memory-leak-in-mxs_machine_init.patch +net-mlx4-check-retval-of-mlx4_bitmap_init.patch +net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch +net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch +drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch +drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch +net-mlx5-fix-fw-tracer-timestamp-calculation.patch +tipc-set-con-sock-in-tipc_conn_alloc.patch +tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch +tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch +xfrm-fix-ignored-return-value-in-xfrm6_init.patch +nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch +bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch +dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch +s390-dasd-fix-no-record-found-for-raw_track_access.patch +nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch +nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch +net-thunderx-fix-the-acpi-memory-leak.patch +s390-crashdump-fix-tod-programmable-field-size.patch diff --git a/queue-4.19/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch b/queue-4.19/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch new file mode 100644 index 00000000000..015564a8afb --- /dev/null 
+++ b/queue-4.19/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch 
@@ -0,0 +1,84 @@
+From 85c5c8a11f29589eddb858851f179ea75a3e05df Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 16:45:01 -0500
+Subject: tipc: add an extra conn_get in tipc_conn_alloc
+
+From: Xin Long
+
+[ Upstream commit a7b42969d63f47320853a802efd879fbdc4e010e ]
+
+One extra conn_get() is needed in tipc_conn_alloc(), as after
+tipc_conn_alloc() is called, tipc_conn_close() may free this
+con before deferencing it in tipc_topsrv_accept():
+
+ tipc_conn_alloc();
+ newsk = newsock->sk;
+ <---- tipc_conn_close();
+ write_lock_bh(&sk->sk_callback_lock);
+ newsk->sk_data_ready = tipc_conn_data_ready;
+
+Then an uaf issue can be triggered:
+
+ BUG: KASAN: use-after-free in tipc_topsrv_accept+0x1e7/0x370 [tipc]
+ Call Trace:
+
+ dump_stack_lvl+0x33/0x46
+ print_report+0x178/0x4b0
+ kasan_report+0x8c/0x100
+ kasan_check_range+0x179/0x1e0
+ tipc_topsrv_accept+0x1e7/0x370 [tipc]
+ process_one_work+0x6a3/0x1030
+ worker_thread+0x8a/0xdf0
+
+This patch fixes it by holding it in tipc_conn_alloc(), then after
+all accessing in tipc_topsrv_accept() releasing it. Note when does
+this in tipc_topsrv_kern_subscr(), as tipc_conn_rcv_sub() returns
+0 or -1 only, we don't need to check for "> 0".
+
+Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure")
+Signed-off-by: Xin Long
+Acked-by: Jon Maloy
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/tipc/topsrv.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
+index 8ac27bd786f3..d3bb19cd0ec0 100644
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -214,6 +214,7 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *s
+ set_bit(CF_CONNECTED, &con->flags);
+ con->server = s;
+ con->sock = sock;
++ conn_get(con);
+ spin_unlock_bh(&s->idr_lock);
+
+ return con;
+@@ -491,6 +492,7 @@ static void tipc_topsrv_accept(struct work_struct *work)
+
+ /* Wake up receive process in case of 'SYN+' message */
+ newsk->sk_data_ready(newsk);
++ conn_put(con);
+ }
+ }
+
+@@ -590,10 +592,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower,
+
+ *conid = con->conid;
+ rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub);
+- if (rc >= 0)
+- return true;
++ if (rc)
++ conn_put(con);
++
+ conn_put(con);
+- return false;
++ return !rc;
+ }
+
+ void tipc_topsrv_kern_unsubscr(struct net *net, int conid)
+--
+2.35.1
+
diff --git a/queue-4.19/tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch b/queue-4.19/tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch
new file mode 100644
index 00000000000..75c9a8a0d0a
--- /dev/null
+++ b/queue-4.19/tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch
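Review bot: tipc_conn_alloc() now hands back the connection with an extra reference, yet nothing in the code says that every caller must drop it, and the back-to-back `conn_put(con);` calls in tipc_topsrv_kern_subscr() read like a mistake without that context. A comment on the allocator, e.g. `/* returns con with an extra reference; the caller must conn_put() it */`, and one on the conditional put, e.g. `/* on failure also drop the reference that keeps con registered */`, would make the ownership rules explicit; the second wording assumes the remaining reference belongs to the idr entry, which the hunk does not show. The new `return !rc;` also depends on tipc_conn_rcv_sub() never returning a positive value, which the commit message asserts but the code does not enforce.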
@@ -0,0 +1,41 @@
+From 5fce9706da668dfc9a7264ad0586933228c67532 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 19 Nov 2022 15:28:32 +0800
+Subject: tipc: check skb_linearize() return value in tipc_disc_rcv()
+
+From: YueHaibing
+
+[ Upstream commit cd0f6421162201e4b22ce757a1966729323185eb ]
+
+If skb_linearize() fails in tipc_disc_rcv(), we need to free the skb instead of
+handle it.
+
+Fixes: 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address hash values")
+Signed-off-by: YueHaibing
+Acked-by: Jon Maloy
+Link: https://lore.kernel.org/r/20221119072832.7896-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/tipc/discover.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/discover.c b/net/tipc/discover.c
+index 0006c9f87199..0436c8f2967d 100644
+--- a/net/tipc/discover.c
++++ b/net/tipc/discover.c
+@@ -208,7 +208,10 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *skb,
+ u32 self;
+ int err;
+
+- skb_linearize(skb);
++ if (skb_linearize(skb)) {
++ kfree_skb(skb);
++ return;
++ }
+ hdr = buf_msg(skb);
+
+ if (caps & TIPC_NODE_ID128)
+--
+2.35.1
+
diff --git a/queue-4.19/tipc-set-con-sock-in-tipc_conn_alloc.patch b/queue-4.19/tipc-set-con-sock-in-tipc_conn_alloc.patch
new file mode 100644
index 00000000000..2f9f03bd133
--- /dev/null
+++ b/queue-4.19/tipc-set-con-sock-in-tipc_conn_alloc.patch
@@ -0,0 +1,106 @@
+From fdcea4ae0a3651f5e413f2aa881a435b69920bda Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 16:45:00 -0500
+Subject: tipc: set con sock in tipc_conn_alloc
+
+From: Xin Long
+
+[ Upstream commit 0e5d56c64afcd6fd2d132ea972605b66f8a7d3c4 ]
+
+A crash was reported by Wei Chen:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000018
+ RIP: 0010:tipc_conn_close+0x12/0x100
+ Call Trace:
+ tipc_topsrv_exit_net+0x139/0x320
+ ops_exit_list.isra.9+0x49/0x80
+ cleanup_net+0x31a/0x540
+ process_one_work+0x3fa/0x9f0
+ worker_thread+0x42/0x5c0
+
+It was caused by !con->sock in tipc_conn_close(). In tipc_topsrv_accept(),
+con is allocated in conn_idr then its sock is set:
+
+ con = tipc_conn_alloc();
+ ... <----[1]
+ con->sock = newsock;
+
+If tipc_conn_close() is called in anytime of [1], the null-pointer-def
+is triggered by con->sock->sk due to con->sock is not yet set.
+
+This patch fixes it by moving the con->sock setting to tipc_conn_alloc()
+under s->idr_lock. So that con->sock can never be NULL when getting the
+con from s->conn_idr. It will be also safer to move con->server and flag
+CF_CONNECTED setting under s->idr_lock, as they should all be set before
+tipc_conn_alloc() is called.
+
+Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure")
+Reported-by: Wei Chen
+Signed-off-by: Xin Long
+Acked-by: Jon Maloy
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/tipc/topsrv.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
+index 5a88a93e67ef..8ac27bd786f3 100644
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -184,7 +184,7 @@ static void tipc_conn_close(struct tipc_conn *con)
+ conn_put(con);
+ }
+
+-static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s)
++static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *sock)
+ {
+ struct tipc_conn *con;
+ int ret;
+@@ -210,10 +210,11 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s)
+ }
+ con->conid = ret;
+ s->idr_in_use++;
+- spin_unlock_bh(&s->idr_lock);
+
+ set_bit(CF_CONNECTED, &con->flags);
+ con->server = s;
++ con->sock = sock;
++ spin_unlock_bh(&s->idr_lock);
+
+ return con;
+ }
+@@ -474,7 +475,7 @@ static void tipc_topsrv_accept(struct work_struct *work)
+ ret = kernel_accept(lsock, &newsock, O_NONBLOCK);
+ if (ret < 0)
+ return;
+- con = tipc_conn_alloc(srv);
++ con = tipc_conn_alloc(srv, newsock);
+ if (IS_ERR(con)) {
+ ret = PTR_ERR(con);
+ sock_release(newsock);
+@@ -486,7 +487,6 @@ static void tipc_topsrv_accept(struct work_struct *work)
+ newsk->sk_data_ready = tipc_conn_data_ready;
+ newsk->sk_write_space = tipc_conn_write_space;
+ newsk->sk_user_data = con;
+- con->sock = newsock;
+ write_unlock_bh(&newsk->sk_callback_lock);
+
+ /* Wake up receive process in case of 'SYN+' message */
+@@ -584,12 +584,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower,
+ sub.filter = filter;
+ *(u64 *)&sub.usr_handle = (u64)port;
+
+- con = tipc_conn_alloc(tipc_topsrv(net));
++ con = tipc_conn_alloc(tipc_topsrv(net), NULL);
+ if (IS_ERR(con))
+ return false;
+
+ *conid = con->conid;
+- con->sock = NULL;
+ rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub);
+ if (rc >= 0)
+ return true;
+--
+2.35.1
+
diff --git a/queue-4.19/xfrm-fix-ignored-return-value-in-xfrm6_init.patch b/queue-4.19/xfrm-fix-ignored-return-value-in-xfrm6_init.patch
new file mode 100644
index 00000000000..03e3b321243
--- /dev/null
+++ b/queue-4.19/xfrm-fix-ignored-return-value-in-xfrm6_init.patch
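Review bot: tipc_topsrv_kern_subscr() still registers a connection whose socket is NULL through `tipc_conn_alloc(tipc_topsrv(net), NULL)`, so the commit message's statement that `con->sock` can never be NULL for a connection taken from `s->conn_idr` does not hold for kernel-internal subscriptions. Any path that walks the idr and dereferences `con->sock`, as the commit message says tipc_conn_close() does, needs either a NULL check or a guarantee that it never meets these entries; that code is outside the hunks. A comment at the `con->sock = sock;` assignment, e.g. `/* NULL for kernel-internal subscribers */`, would record the exception.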
@@ -0,0 +1,59 @@
+From c418243d707c33ef0af360ee5db9fb517baa9be1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Nov 2022 17:07:13 +0800
+Subject: xfrm: Fix ignored return value in xfrm6_init()
+
+From: Chen Zhongjin
+
+[ Upstream commit 40781bfb836eda57d19c0baa37c7e72590e05fdc ]
+
+When IPv6 module initializing in xfrm6_init(), register_pernet_subsys()
+is possible to fail but its return value is ignored.
+
+If IPv6 initialization fails later and xfrm6_fini() is called,
+removing uninitialized list in xfrm6_net_ops will cause null-ptr-deref:
+
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+CPU: 1 PID: 330 Comm: insmod
+RIP: 0010:unregister_pernet_operations+0xc9/0x450
+Call Trace:
+
+ unregister_pernet_subsys+0x31/0x3e
+ xfrm6_fini+0x16/0x30 [ipv6]
+ ip6_route_init+0xcd/0x128 [ipv6]
+ inet6_init+0x29c/0x602 [ipv6]
+ ...
+
+Fix it by catching the error return value of register_pernet_subsys().
+
+Fixes: 8d068875caca ("xfrm: make gc_thresh configurable in all namespaces")
+Signed-off-by: Chen Zhongjin
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/xfrm6_policy.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
+index 30232591cf2b..1925fb91e514 100644
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -416,9 +416,13 @@ int __init xfrm6_init(void)
+ if (ret)
+ goto out_state;
+
+- register_pernet_subsys(&xfrm6_net_ops);
++ ret = register_pernet_subsys(&xfrm6_net_ops);
++ if (ret)
++ goto out_protocol;
+ out:
+ return ret;
++out_protocol:
++ xfrm6_protocol_fini();
+ out_state:
+ xfrm6_state_fini();
+ out_policy:
+--
+2.35.1
+
-- 2.47.3