From ed82ee18c1c13d2417f1f4ddcd2c038a88e3d7cf Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Mon, 28 Mar 2022 11:10:14 -0400
Subject: [PATCH] Fixes for 4.19
Signed-off-by: Sasha Levin
---
 ..._zero-flag-for-compose_sadb_supporte.patch | 43 +++++++
 ...e-the-coherent-when-failing-in-probi.patch | 47 +++++++
 ...platform_get_irq-to-get-the-interrup.patch | 60 +++++++++
 queue-4.19/series | 7 ++
 ...i-fix-erroneous-sgs-value-with-min_t.patch | 59 +++++++++
 queue-4.19/spi-fix-invalid-sgs-value.patch | 47 +++++++
 ...sole-break-out-of-buf-poll-on-remove.patch | 55 +++++++++
 ...-tunnel-model-fragmentation-behavior.patch | 115 ++++++++++++++++++
 8 files changed, 433 insertions(+)
 create mode 100644 queue-4.19/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch
 create mode 100644 queue-4.19/ethernet-sun-free-the-coherent-when-failing-in-probi.patch
 create mode 100644 queue-4.19/net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch
 create mode 100644 queue-4.19/spi-fix-erroneous-sgs-value-with-min_t.patch
 create mode 100644 queue-4.19/spi-fix-invalid-sgs-value.patch
 create mode 100644 queue-4.19/virtio_console-break-out-of-buf-poll-on-remove.patch
 create mode 100644 queue-4.19/xfrm-fix-tunnel-model-fragmentation-behavior.patch
diff --git a/queue-4.19/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch b/queue-4.19/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch
new file mode 100644
index 00000000000..6de18c5dc22
--- /dev/null
+++ b/queue-4.19/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch
@@ -0,0 +1,43 @@
+From b42f0c5503e271b505fa3fa8da6f916bd9ab8808 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Mar 2022 11:20:28 +0800
+Subject: af_key: add __GFP_ZERO flag for compose_sadb_supported in function
+ pfkey_register
+
+From: Haimin Zhang
+
+[ Upstream commit 9a564bccb78a76740ea9d75a259942df8143d02c ]
+
+Add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
+to initialize the buffer of supp_skb to fix a kernel-info-leak issue.
+1) Function pfkey_register calls compose_sadb_supported to request
+a sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate
+a sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then
+compose_sadb_supported treats the memory as a struct sadb_supported and
+begins to initialize. But it just initializes the field sadb_supported_len
+and field sadb_supported_exttype without field sadb_supported_reserved.
+
+Reported-by: TCS Robot
+Signed-off-by: Haimin Zhang
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/key/af_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 388910cf0978..03266e1f5913 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1709,7 +1709,7 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad
+
+ xfrm_probe_algs();
+
+- supp_skb = compose_sadb_supported(hdr, GFP_KERNEL);
++ supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO);
+ if (!supp_skb) {
+ if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC)
+ pfk->registered &= ~(1<sadb_msg_satype);
+--
+2.34.1
+
diff --git a/queue-4.19/ethernet-sun-free-the-coherent-when-failing-in-probi.patch b/queue-4.19/ethernet-sun-free-the-coherent-when-failing-in-probi.patch
new file mode 100644
index 00000000000..4c7f34c1d7a
--- /dev/null
+++ b/queue-4.19/ethernet-sun-free-the-coherent-when-failing-in-probi.patch
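Review bot: The `__GFP_ZERO` added to the `compose_sadb_supported()` call in `pfkey_register` carries no comment, so the reason for it is only recorded in the commit message. A later cleanup that sees a zeroing flag on an skb allocation could drop it as redundant and reintroduce the leak of `sadb_supported_reserved`. I would add `/* zeroed: sadb_supported_reserved is never written before this buffer leaves the kernel */` above the call. Presumably the field could also be set explicitly inside `compose_sadb_supported()`, which is outside the hunk, so that the fix does not depend on the caller's allocation flags.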
@@ -0,0 +1,47 @@
+From bbc5458b004d40c5e83d831e1ab3bdc9992c710e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 5 Mar 2022 14:55:04 +0000
+Subject: ethernet: sun: Free the coherent when failing in probing
+
+From: Zheyu Ma
+
+[ Upstream commit bb77bd31c281f70ec77c9c4f584950a779e05cf8 ]
+
+When the driver fails to register net device, it should free the DMA
+region first, and then do other cleanup.
+
+Signed-off-by: Zheyu Ma
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sun/sunhme.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sun/sunhme.c b/drivers/net/ethernet/sun/sunhme.c
+index 06da2f59fcbf..882908e74cc9 100644
+--- a/drivers/net/ethernet/sun/sunhme.c
++++ b/drivers/net/ethernet/sun/sunhme.c
+@@ -3164,7 +3164,7 @@ static int happy_meal_pci_probe(struct pci_dev *pdev,
+ if (err) {
+ printk(KERN_ERR "happymeal(PCI): Cannot register net device, "
+ "aborting.\n");
+- goto err_out_iounmap;
++ goto err_out_free_coherent;
+ }
+
+ pci_set_drvdata(pdev, hp);
+@@ -3197,6 +3197,10 @@ static int happy_meal_pci_probe(struct pci_dev *pdev,
+
+ return 0;
+
++err_out_free_coherent:
++ dma_free_coherent(hp->dma_dev, PAGE_SIZE,
++ hp->happy_block, hp->hblock_dvma);
++
+ err_out_iounmap:
+ iounmap(hp->gregs);
+
+--
+2.34.1
+
diff --git a/queue-4.19/net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch b/queue-4.19/net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch
new file mode 100644
index 00000000000..f613896bbc9
--- /dev/null
+++ b/queue-4.19/net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch
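Review bot: The new `err_out_free_coherent` label in `happy_meal_pci_probe` frees with a hard-coded `PAGE_SIZE` and `hp->dma_dev`, and both have to match the allocation of `hp->happy_block`, which is outside this hunk. A short comment at the label, `/* undo the happy_block DMA allocation made earlier in probe */`, would tie the free to its allocation for the next reader. Only the register_netdev failure is redirected here; any other failure after the allocation that still jumps to `err_out_iounmap` would keep leaking the region, which is worth checking in the part of the function the hunk does not show.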
@@ -0,0 +1,60 @@
+From f56044e5d2687a2acd881699800ec766af4da1c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Mar 2022 06:43:09 +0000
+Subject: net:mcf8390: Use platform_get_irq() to get the interrupt
+
+From: Minghao Chi (CGEL ZTE)
+
+[ Upstream commit 2a760554dcba450d3ad61b32375b50ed6d59a87c ]
+
+It is not recommened to use platform_get_resource(pdev, IORESOURCE_IRQ)
+for requesting IRQ's resources any more, as they can be not ready yet in
+case of DT-booting.
+
+platform_get_irq() instead is a recommended way for getting IRQ even if
+it was not retrieved earlier.
+
+It also makes code simpler because we're getting "int" value right away
+and no conversion from resource to int is required.
+
+Reported-by: Zeal Robot
+Signed-off-by: Minghao Chi (CGEL ZTE)
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/8390/mcf8390.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/8390/mcf8390.c b/drivers/net/ethernet/8390/mcf8390.c
+index 4ad8031ab669..065fdbe66c42 100644
+--- a/drivers/net/ethernet/8390/mcf8390.c
++++ b/drivers/net/ethernet/8390/mcf8390.c
+@@ -406,12 +406,12 @@ static int mcf8390_init(struct net_device *dev)
+ static int mcf8390_probe(struct platform_device *pdev)
+ {
+ struct net_device *dev;
+- struct resource *mem, *irq;
++ struct resource *mem;
+ resource_size_t msize;
+- int ret;
++ int ret, irq;
+
+- irq = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
+- if (irq == NULL) {
++ irq = platform_get_irq(pdev, 0);
++ if (irq < 0) {
+ dev_err(&pdev->dev, "no IRQ specified?\n");
+ return -ENXIO;
+ }
+@@ -434,7 +434,7 @@ static int mcf8390_probe(struct platform_device *pdev)
+ SET_NETDEV_DEV(dev, &pdev->dev);
+ platform_set_drvdata(pdev, dev);
+
+- dev->irq = irq->start;
++ dev->irq = irq;
+ dev->base_addr = mem->start;
+
+ ret = mcf8390_init(dev);
+--
+2.34.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index c276d554964..acab2de2d6f 100644
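Review bot: The error branch after `platform_get_irq(pdev, 0)` in `mcf8390_probe` still returns a fixed `-ENXIO`, so the errno that `platform_get_irq()` reports is discarded. The commit message motivates the change with IRQs that are not ready yet during DT boot; that case is reported as `-EPROBE_DEFER`, and turning it into `-ENXIO` makes the probe fail for good instead of being retried. I would change the branch to `return irq;` and skip the `dev_err()` when `irq == -EPROBE_DEFER`. The rest of the probe function lies outside the hunk.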
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -2,3 +2,10 @@ usb-serial-pl2303-add-ibm-device-ids.patch
 usb-serial-simple-add-nokia-phone-driver.patch
 hv-utils-add-ptp_1588_clock-to-kconfig-to-fix-build.patch
 netdevice-add-the-case-if-dev-is-null.patch
+xfrm-fix-tunnel-model-fragmentation-behavior.patch
+virtio_console-break-out-of-buf-poll-on-remove.patch
+ethernet-sun-free-the-coherent-when-failing-in-probi.patch
+spi-fix-invalid-sgs-value.patch
+net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch
+spi-fix-erroneous-sgs-value-with-min_t.patch
+af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch
diff --git a/queue-4.19/spi-fix-erroneous-sgs-value-with-min_t.patch b/queue-4.19/spi-fix-erroneous-sgs-value-with-min_t.patch
new file mode 100644
index 00000000000..d6d912a95ec
--- /dev/null
+++ b/queue-4.19/spi-fix-erroneous-sgs-value-with-min_t.patch
@@ -0,0 +1,59 @@
+From 668b6b054e865df718ff60d365010150acda3daf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Mar 2022 17:53:17 +0000
+Subject: spi: Fix erroneous sgs value with min_t()
+
+From: Biju Das
+
+[ Upstream commit ebc4cb43ea5ada3db46c80156fca58a54b9bbca8 ]
+
+While computing sgs in spi_map_buf(), the data type
+used in min_t() for max_seg_size is 'unsigned int' where
+as that of ctlr->max_dma_len is 'size_t'.
+
+min_t(unsigned int,x,y) gives wrong results if one of x/y is
+'size_t'
+
+Consider the below examples on a 64-bit machine (ie size_t is
+64-bits, and unsigned int is 32-bit).
+ case 1) min_t(unsigned int, 5, 0x100000001);
+ case 2) min_t(size_t, 5, 0x100000001);
+
+Case 1 returns '1', where as case 2 returns '5'. As you can see
+the result from case 1 is wrong.
+
+This patch fixes the above issue by using the data type of the
+parameters that are used in min_t with maximum data length.
+
+Fixes: commit 1a4e53d2fc4f68aa ("spi: Fix invalid sgs value")
+Reported-by: Linus Torvalds
+Suggested-by: Geert Uytterhoeven
+Signed-off-by: Biju Das
+Reviewed-by: Lad Prabhakar
+Link: https://lore.kernel.org/r/20220316175317.465-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index 518c8e0eef7f..3bcd6f178f73 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -779,10 +779,10 @@ int spi_map_buf(struct spi_controller *ctlr, struct device *dev,
+ int i, ret;
+
+ if (vmalloced_buf || kmap_buf) {
+- desc_len = min_t(unsigned int, max_seg_size, PAGE_SIZE);
++ desc_len = min_t(unsigned long, max_seg_size, PAGE_SIZE);
+ sgs = DIV_ROUND_UP(len + offset_in_page(buf), desc_len);
+ } else if (virt_addr_valid(buf)) {
+- desc_len = min_t(unsigned int, max_seg_size, ctlr->max_dma_len);
++ desc_len = min_t(size_t, max_seg_size, ctlr->max_dma_len);
+ sgs = DIV_ROUND_UP(len, desc_len);
+ } else {
+ return -EINVAL;
+--
+2.34.1
+
diff --git a/queue-4.19/spi-fix-invalid-sgs-value.patch b/queue-4.19/spi-fix-invalid-sgs-value.patch
new file mode 100644
index 00000000000..ee4eca12f45
--- /dev/null
+++ b/queue-4.19/spi-fix-invalid-sgs-value.patch
@@ -0,0 +1,47 @@
+From 2a487f13e03bc6d1aaed381b08d5aa4a91927af6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Mar 2022 18:48:43 +0000
+Subject: spi: Fix invalid sgs value
+
+From: Biju Das
+
+[ Upstream commit 1a4e53d2fc4f68aa654ad96d13ad042e1a8e8a7d ]
+
+max_seg_size is unsigned int and it can have a value up to 2^32
+(for eg:-RZ_DMAC driver sets dma_set_max_seg_size as U32_MAX)
+When this value is used in min_t() as an integer type, it becomes
+-1 and the value of sgs becomes 0.
+
+Fix this issue by replacing the 'int' data type with 'unsigned int'
+in min_t().
+
+Signed-off-by: Biju Das
+Reviewed-by: Lad Prabhakar
+Reviewed-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/20220307184843.9994-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index 49f592e433a8..518c8e0eef7f 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -779,10 +779,10 @@ int spi_map_buf(struct spi_controller *ctlr, struct device *dev,
+ int i, ret;
+
+ if (vmalloced_buf || kmap_buf) {
+- desc_len = min_t(int, max_seg_size, PAGE_SIZE);
++ desc_len = min_t(unsigned int, max_seg_size, PAGE_SIZE);
+ sgs = DIV_ROUND_UP(len + offset_in_page(buf), desc_len);
+ } else if (virt_addr_valid(buf)) {
+- desc_len = min_t(int, max_seg_size, ctlr->max_dma_len);
++ desc_len = min_t(unsigned int, max_seg_size, ctlr->max_dma_len);
+ sgs = DIV_ROUND_UP(len, desc_len);
+ } else {
+ return -EINVAL;
+--
+2.34.1
+
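Review bot: Both spi hunks change only the type handed to `min_t()` in `spi_map_buf`; the variables that receive the result, `desc_len` and `sgs`, are declared above the `int i, ret;` context line and are not visible here. If they are still signed `int`, a `max_seg_size` of `U32_MAX` (the case named in the first commit message) combined with a large `ctlr->max_dma_len` would again be stored as a negative length and fed to `DIV_ROUND_UP()`, which is the same truncation class these two patches fix. I would declare `size_t desc_len;` and add `/* result must not be narrowed below size_t */` next to the `min_t(size_t, ...)` call. This applies to the final state in `spi-fix-erroneous-sgs-value-with-min_t.patch`; `spi-fix-invalid-sgs-value.patch` is the intermediate step it corrects.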
diff --git a/queue-4.19/virtio_console-break-out-of-buf-poll-on-remove.patch b/queue-4.19/virtio_console-break-out-of-buf-poll-on-remove.patch
new file mode 100644
index 00000000000..ada112875fa
--- /dev/null
+++ b/queue-4.19/virtio_console-break-out-of-buf-poll-on-remove.patch
@@ -0,0 +1,55 @@
+From c94d213062ee10422881347f0df1774fc6a31e3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Oct 2021 03:04:10 -0400
+Subject: virtio_console: break out of buf poll on remove
+
+From: Michael S. Tsirkin
+
+[ Upstream commit 0e7174b9d5877130fec41fb4a16e0c2ee4958d44 ]
+
+A common pattern for device reset is currently:
+vdev->config->reset(vdev);
+.. cleanup ..
+
+reset prevents new interrupts from arriving and waits for interrupt
+handlers to finish.
+
+However if - as is common - the handler queues a work request which is
+flushed during the cleanup stage, we have code adding buffers / trying
+to get buffers while device is reset. Not good.
+
+This was reproduced by running
+ modprobe virtio_console
+ modprobe -r virtio_console
+in a loop.
+
+Fix this up by calling virtio_break_device + flush before reset.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1786239
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Sasha Levin
+---
+ drivers/char/virtio_console.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
+index cdf441942bae..ac0b84afabe7 100644
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -1985,6 +1985,13 @@ static void virtcons_remove(struct virtio_device *vdev)
+ list_del(&portdev->list);
+ spin_unlock_irq(&pdrvdata_lock);
+
++ /* Device is going away, exit any polling for buffers */
++ virtio_break_device(vdev);
++ if (use_multiport(portdev))
++ flush_work(&portdev->control_work);
++ else
++ flush_work(&portdev->config_work);
++
+ /* Disable interrupts for vqs */
+ vdev->config->reset(vdev);
+ /* Finish up work that's lined up */
+--
+2.34.1
+
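Review bot: The added comment `/* Device is going away, exit any polling for buffers */` in `virtcons_remove` does not say why the flush has to come before `vdev->config->reset(vdev)`, which is the ordering the fix depends on. Between `flush_work()` and the reset an interrupt can presumably still queue `control_work` or `config_work` again; the code appears to rely on the vqs already being marked broken and on the "Finish up work" step after the reset, which continues outside the hunk. I would extend the comment to `/* Break the vqs and flush queued work before reset, so no work item uses a vq of a reset device; work queued later sees broken vqs */`.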
diff --git a/queue-4.19/xfrm-fix-tunnel-model-fragmentation-behavior.patch b/queue-4.19/xfrm-fix-tunnel-model-fragmentation-behavior.patch
new file mode 100644
index 00000000000..8358a118271
--- /dev/null
+++ b/queue-4.19/xfrm-fix-tunnel-model-fragmentation-behavior.patch
@@ -0,0 +1,115 @@
+From ecfe4201c55fd08ba0c8efd18802626b3cc832a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 26 Feb 2022 15:48:01 +0800
+Subject: xfrm: fix tunnel model fragmentation behavior
+
+From: Lina Wang
+
+[ Upstream commit 4ff2980b6bd2aa6b4ded3ce3b7c0ccfab29980af ]
+
+in tunnel mode, if outer interface(ipv4) is less, it is easily to let
+inner IPV6 mtu be less than 1280. If so, a Packet Too Big ICMPV6 message
+is received. When send again, packets are fragmentized with 1280, they
+are still rejected with ICMPV6(Packet Too Big) by xfrmi_xmit2().
+
+According to RFC4213 Section3.2.2:
+if (IPv4 path MTU - 20) is less than 1280
+ if packet is larger than 1280 bytes
+ Send ICMPv6 "packet too big" with MTU=1280
+ Drop packet
+ else
+ Encapsulate but do not set the Don't Fragment
+ flag in the IPv4 header. The resulting IPv4
+ packet might be fragmented by the IPv4 layer
+ on the encapsulator or by some router along
+ the IPv4 path.
+ endif
+else
+ if packet is larger than (IPv4 path MTU - 20)
+ Send ICMPv6 "packet too big" with
+ MTU = (IPv4 path MTU - 20).
+ Drop packet.
+ else
+ Encapsulate and set the Don't Fragment flag
+ in the IPv4 header.
+ endif
+endif
+Packets should be fragmentized with ipv4 outer interface, so change it.
+
+After it is fragemtized with ipv4, there will be double fragmenation.
+No.48 & No.51 are ipv6 fragment packets, No.48 is double fragmentized,
+then tunneled with IPv4(No.49& No.50), which obey spec. And received peer
+cannot decrypt it rightly.
+
+48 2002::10 2002::11 1296(length) IPv6 fragment (off=0 more=y ident=0xa20da5bc nxt=50)
+49 0x0000 (0) 2002::10 2002::11 1304 IPv6 fragment (off=0 more=y ident=0x7448042c nxt=44)
+50 0x0000 (0) 2002::10 2002::11 200 ESP (SPI=0x00035000)
+51 2002::10 2002::11 180 Echo (ping) request
+52 0x56dc 2002::10 2002::11 248 IPv6 fragment (off=1232 more=n ident=0xa20da5bc nxt=50)
+
+xfrm6_noneed_fragment has fixed above issues. Finally, it acted like below:
+1 0x6206 192.168.1.138 192.168.1.1 1316 Fragmented IP protocol (proto=Encap Security Payload 50, off=0, ID=6206) [Reassembled in #2]
+2 0x6206 2002::10 2002::11 88 IPv6 fragment (off=0 more=y ident=0x1f440778 nxt=50)
+3 0x0000 2002::10 2002::11 248 ICMPv6 Echo (ping) request
+
+Signed-off-by: Lina Wang
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/xfrm6_output.c | 16 ++++++++++++++++
+ net/xfrm/xfrm_interface.c | 5 ++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
+index b5941c9475f3..fbcec4827071 100644
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -142,6 +142,19 @@ static int __xfrm6_output_finish(struct net *net, struct sock *sk, struct sk_buf
+ return x->outer_mode->afinfo->output_finish(sk, skb);
+ }
+
++static int xfrm6_noneed_fragment(struct sk_buff *skb)
++{
++ struct frag_hdr *fh;
++ u8 prevhdr = ipv6_hdr(skb)->nexthdr;
++
++ if (prevhdr != NEXTHDR_FRAGMENT)
++ return 0;
++ fh = (struct frag_hdr *)(skb->data + sizeof(struct ipv6hdr));
++ if (fh->nexthdr == NEXTHDR_ESP || fh->nexthdr == NEXTHDR_AUTH)
++ return 1;
++ return 0;
++}
++
+ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+ struct dst_entry *dst = skb_dst(skb);
+@@ -170,6 +183,9 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+ xfrm6_local_rxpmtu(skb, mtu);
+ kfree_skb(skb);
+ return -EMSGSIZE;
++ } else if (toobig && xfrm6_noneed_fragment(skb)) {
++ skb->ignore_df = 1;
++ goto skip_frag;
+ } else if (!skb->ignore_df && toobig && skb->sk) {
+ xfrm_local_error(skb, mtu);
+ kfree_skb(skb);
+diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
+index 1ae8caca28a0..3c642328a117 100644
+--- a/net/xfrm/xfrm_interface.c
++++ b/net/xfrm/xfrm_interface.c
+@@ -300,7 +300,10 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
+ if (mtu < IPV6_MIN_MTU)
+ mtu = IPV6_MIN_MTU;
+
+- icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
++ if (skb->len > 1280)
++ icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
++ else
++ goto xmit;
+ } else {
+ if (!(ip_hdr(skb)->frag_off & htons(IP_DF)))
+ goto xmit;
+--
+2.34.1
+
--
2.47.3
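Review bot: `xfrm6_noneed_fragment()` reads `fh->nexthdr` at `skb->data + sizeof(struct ipv6hdr)` without first checking that a fragment header is present in the linear part of the skb, so a short or non-linear packet could be read past its head unless an earlier step, not visible in the hunk, guarantees the length. The function also takes the IPv6 header from `ipv6_hdr(skb)` but the fragment header from `skb->data`, and the two agree only if `skb->data` points at the network header at this point. I would guard the function with `if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + sizeof(struct frag_hdr))) return 0;` before any header is read and compute `fh` as `(struct frag_hdr *)(ipv6_hdr(skb) + 1)`. In `xfrmi_xmit2` the new `skb->len > 1280` repeats as a literal the `IPV6_MIN_MTU` used two lines above it; `if (skb->len > IPV6_MIN_MTU)` keeps the two in sync.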