2019-12-03 22:38:44

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 00/46] 5.4.2-stable review

This is the start of the stable review cycle for the 5.4.2 release.
There are 46 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 05 Dec 2019 21:20:36 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.2-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 5.4.2-rc1

Hans de Goede <[email protected]>
platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size

Hans de Goede <[email protected]>
platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer

Candle Sun <[email protected]>
HID: core: check whether Usage Page item is after Usage ID items

Herbert Xu <[email protected]>
crypto: talitos - Fix build error by selecting LIB_DES

Joel Stanley <[email protected]>
Revert "jffs2: Fix possible null-pointer dereferences in jffs2_add_frag_to_fragtree()"

Theodore Ts'o <[email protected]>
ext4: add more paranoia checking in ext4_expand_extra_isize handling

Heiner Kallweit <[email protected]>
r8169: fix resume on cable plug-in

Heiner Kallweit <[email protected]>
r8169: fix jumbo configuration for RTL8168evl

Thadeu Lima de Souza Cascardo <[email protected]>
selftests: pmtu: use -oneline for ip route list cache

John Rutherford <[email protected]>
tipc: fix link name length check

Jakub Kicinski <[email protected]>
selftests: bpf: correct perror strings

Jakub Kicinski <[email protected]>
selftests: bpf: test_sockmap: handle file creation failures gracefully

Jakub Kicinski <[email protected]>
net/tls: use sg_next() to walk sg entries

Jakub Kicinski <[email protected]>
net/tls: remove the dead inplace_crypto code

Jakub Kicinski <[email protected]>
selftests/tls: add a test for fragmented messages

Jakub Kicinski <[email protected]>
net: skmsg: fix TLS 1.3 crash with full sk_msg

Jakub Kicinski <[email protected]>
net/tls: free the record on encryption error

Jakub Kicinski <[email protected]>
net/tls: take into account that bpf_exec_tx_verdict() may free the record

Paolo Abeni <[email protected]>
openvswitch: remove another BUG_ON()

Paolo Abeni <[email protected]>
openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()

Xin Long <[email protected]>
sctp: cache netns in sctp_ep_common

Jouni Hogander <[email protected]>
slip: Fix use-after-free Read in slip_open

Navid Emamdoost <[email protected]>
sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook

Paolo Abeni <[email protected]>
openvswitch: fix flow command message size

Dust Li <[email protected]>
net: sched: fix `tc -s class show` no bstats on class with nolock subqueues

Nikolay Aleksandrov <[email protected]>
net: psample: fix skb_over_panic

Chuhong Yuan <[email protected]>
net: macb: add missed tasklet_kill

Oleksij Rempel <[email protected]>
net: dsa: sja1105: fix sja1105_parse_rgmii_delays()

David Bauer <[email protected]>
mdio_bus: don't use managed reset-controller

Menglong Dong <[email protected]>
macvlan: schedule bc_work even if error

Jeroen de Borst <[email protected]>
gve: Fix the queue page list allocated pages count

Sebastian Andrzej Siewior <[email protected]>
x86/fpu: Don't cache access to fpu_fpregs_owner_ctx

Mika Westerberg <[email protected]>
thunderbolt: Power cycle the router if NVM authentication fails

Alexander Usyskin <[email protected]>
mei: me: add comet point V device id

Alexander Usyskin <[email protected]>
mei: bus: prefix device names on bus with the bus name

Fabio D'Urso <[email protected]>
USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P

Hans de Goede <[email protected]>
staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids

Hans de Goede <[email protected]>
staging: rtl8723bs: Drop ACPI device ids

Pan Bian <[email protected]>
staging: rtl8192e: fix potential use after free

Ajay Singh <[email protected]>
staging: wilc1000: fix illegal memory access in wilc_parse_join_bss_param()

Mathias Kresin <[email protected]>
usb: dwc2: use a longer core rest timeout in dwc2_core_reset()

Sami Tolvanen <[email protected]>
driver core: platform: use the correct callback type for bus_find_device

Pascal van Leeuwen <[email protected]>
crypto: inside-secure - Fix stability issue with Macchiatobin

Jens Axboe <[email protected]>
net: disallow ancillary data for __sys_{send,recv}msg_file()

Jens Axboe <[email protected]>
net: separate out the msghdr copy from ___sys_{send,recv}msg()

Jens Axboe <[email protected]>
io_uring: async workers should inherit the user creds


-------------

Diffstat:

Makefile | 4 +-
arch/x86/include/asm/fpu/internal.h | 2 +-
drivers/base/platform.c | 7 +-
drivers/crypto/Kconfig | 1 +
drivers/crypto/inside-secure/safexcel.c | 4 +-
drivers/hid/hid-core.c | 51 +++++++-
drivers/misc/mei/bus.c | 9 +-
drivers/misc/mei/hw-me-regs.h | 1 +
drivers/misc/mei/pci-me.c | 1 +
drivers/net/dsa/sja1105/sja1105_main.c | 10 +-
drivers/net/ethernet/cadence/macb_main.c | 1 +
drivers/net/ethernet/google/gve/gve_main.c | 3 +-
drivers/net/ethernet/realtek/r8169_main.c | 3 +-
drivers/net/macvlan.c | 3 +-
drivers/net/phy/mdio_bus.c | 6 +-
drivers/net/slip/slip.c | 1 +
drivers/platform/x86/hp-wmi.c | 10 +-
drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 5 +-
drivers/staging/rtl8723bs/os_dep/sdio_intf.c | 7 +-
drivers/staging/wilc1000/wilc_hif.c | 25 ++--
drivers/thunderbolt/switch.c | 54 ++++++--
drivers/usb/dwc2/core.c | 2 +-
drivers/usb/serial/ftdi_sio.c | 3 +
drivers/usb/serial/ftdi_sio_ids.h | 7 +
fs/ext4/inode.c | 15 +++
fs/ext4/super.c | 21 +--
fs/io_uring.c | 23 +++-
fs/jffs2/nodelist.c | 2 +-
include/linux/skmsg.h | 26 ++--
include/net/sctp/structs.h | 3 +
include/net/tls.h | 3 +-
net/core/filter.c | 8 +-
net/core/skmsg.c | 2 +-
net/ipv4/tcp_bpf.c | 2 +-
net/openvswitch/datapath.c | 17 ++-
net/psample/psample.c | 2 +-
net/sched/sch_mq.c | 3 +-
net/sched/sch_mqprio.c | 4 +-
net/sched/sch_multiq.c | 2 +-
net/sched/sch_prio.c | 2 +-
net/sctp/associola.c | 1 +
net/sctp/endpointola.c | 1 +
net/sctp/input.c | 4 +-
net/sctp/sm_statefuns.c | 4 +-
net/socket.c | 184 +++++++++++++++++++--------
net/tipc/netlink_compat.c | 4 +-
net/tls/tls_main.c | 13 +-
net/tls/tls_sw.c | 32 +++--
tools/testing/selftests/bpf/test_sockmap.c | 47 ++++---
tools/testing/selftests/bpf/xdping.c | 2 +-
tools/testing/selftests/net/pmtu.sh | 5 +-
tools/testing/selftests/net/tls.c | 60 +++++++++
52 files changed, 505 insertions(+), 207 deletions(-)



2019-12-03 22:38:45

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 18/46] mdio_bus: dont use managed reset-controller

From: David Bauer <[email protected]>

[ Upstream commit 32085f25d7b68404055f3525c780142fc72e543f ]

Geert Uytterhoeven reported that using devm_reset_controller_get leads
to a WARNING when probing a reset-controlled PHY. This is because the
device devm_reset_controller_get gets supplied is not actually the
one being probed.

Acquire an unmanaged reset-control as well as free the reset_control on
unregister to fix this.

Reported-by: Geert Uytterhoeven <[email protected]>
CC: Andrew Lunn <[email protected]>
Signed-off-by: David Bauer <[email protected]>
Reviewed-by: Andrew Lunn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/phy/mdio_bus.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -62,8 +62,8 @@ static int mdiobus_register_reset(struct
struct reset_control *reset = NULL;

if (mdiodev->dev.of_node)
- reset = devm_reset_control_get_exclusive(&mdiodev->dev,
- "phy");
+ reset = of_reset_control_get_exclusive(mdiodev->dev.of_node,
+ "phy");
if (IS_ERR(reset)) {
if (PTR_ERR(reset) == -ENOENT || PTR_ERR(reset) == -ENOTSUPP)
reset = NULL;
@@ -107,6 +107,8 @@ int mdiobus_unregister_device(struct mdi
if (mdiodev->bus->mdio_map[mdiodev->addr] != mdiodev)
return -EINVAL;

+ reset_control_put(mdiodev->reset_ctrl);
+
mdiodev->bus->mdio_map[mdiodev->addr] = NULL;

return 0;


2019-12-03 22:38:46

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 09/46] staging: rtl8723bs: Drop ACPI device ids

From: Hans de Goede <[email protected]>

commit 2d9d2491530a156b9a5614adf9dc79285e35d55e upstream.

The driver only binds by SDIO device-ids, all the ACPI device-id does
is causing the driver to load unnecessarily on devices where the DSDT
contains a bogus OBDA8723 device.

Signed-off-by: Hans de Goede <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/rtl8723bs/os_dep/sdio_intf.c | 6 ------
1 file changed, 6 deletions(-)

--- a/drivers/staging/rtl8723bs/os_dep/sdio_intf.c
+++ b/drivers/staging/rtl8723bs/os_dep/sdio_intf.c
@@ -23,13 +23,7 @@ static const struct sdio_device_id sdio_
{ SDIO_DEVICE(0x024c, 0xb723), },
{ /* end: all zeroes */ },
};
-static const struct acpi_device_id acpi_ids[] = {
- {"OBDA8723", 0x0000},
- {}
-};
-
MODULE_DEVICE_TABLE(sdio, sdio_ids);
-MODULE_DEVICE_TABLE(acpi, acpi_ids);

static int rtw_drv_init(struct sdio_func *func, const struct sdio_device_id *id);
static void rtw_dev_remove(struct sdio_func *func);


2019-12-03 22:38:47

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 19/46] net: dsa: sja1105: fix sja1105_parse_rgmii_delays()

From: Oleksij Rempel <[email protected]>

[ Upstream commit 9bca3a0a923fc3f0fb9e41391be1d0f291e86858 ]

This function was using configuration of port 0 in devicetree for all ports.
In case CPU port was not 0, the delay settings was ignored. This resulted not
working communication between CPU and the switch.

Fixes: f5b8631c293b ("net: dsa: sja1105: Error out if RGMII delays are requested in DT")
Signed-off-by: Oleksij Rempel <[email protected]>
Reviewed-by: Vladimir Oltean <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/dsa/sja1105/sja1105_main.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -594,15 +594,15 @@ static int sja1105_parse_rgmii_delays(st
int i;

for (i = 0; i < SJA1105_NUM_PORTS; i++) {
- if (ports->role == XMII_MAC)
+ if (ports[i].role == XMII_MAC)
continue;

- if (ports->phy_mode == PHY_INTERFACE_MODE_RGMII_RXID ||
- ports->phy_mode == PHY_INTERFACE_MODE_RGMII_ID)
+ if (ports[i].phy_mode == PHY_INTERFACE_MODE_RGMII_RXID ||
+ ports[i].phy_mode == PHY_INTERFACE_MODE_RGMII_ID)
priv->rgmii_rx_delay[i] = true;

- if (ports->phy_mode == PHY_INTERFACE_MODE_RGMII_TXID ||
- ports->phy_mode == PHY_INTERFACE_MODE_RGMII_ID)
+ if (ports[i].phy_mode == PHY_INTERFACE_MODE_RGMII_TXID ||
+ ports[i].phy_mode == PHY_INTERFACE_MODE_RGMII_ID)
priv->rgmii_tx_delay[i] = true;

if ((priv->rgmii_rx_delay[i] || priv->rgmii_tx_delay[i]) &&


2019-12-03 22:38:56

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 21/46] net: psample: fix skb_over_panic

From: Nikolay Aleksandrov <[email protected]>

[ Upstream commit 7eb9d7675c08937cd11d32b0b40442d4d731c5ee ]

We need to calculate the skb size correctly otherwise we risk triggering
skb_over_panic[1]. The issue is that data_len is added to the skb in a
nl attribute, but we don't account for its header size (nlattr 4 bytes)
and alignment. We account for it when calculating the total size in
the > PSAMPLE_MAX_PACKET_SIZE comparison correctly, but not when
allocating after that. The fix is simple - use nla_total_size() for
data_len when allocating.

To reproduce:
$ tc qdisc add dev eth1 clsact
$ tc filter add dev eth1 egress matchall action sample rate 1 group 1 trunc 129
$ mausezahn eth1 -b bcast -a rand -c 1 -p 129
< skb_over_panic BUG(), tail is 4 bytes past skb->end >

[1] Trace:
[ 50.459526][ T3480] skbuff: skb_over_panic: text:(____ptrval____) len:196 put:136 head:(____ptrval____) data:(____ptrval____) tail:0xc4 end:0xc0 dev:<NULL>
[ 50.474339][ T3480] ------------[ cut here ]------------
[ 50.481132][ T3480] kernel BUG at net/core/skbuff.c:108!
[ 50.486059][ T3480] invalid opcode: 0000 [#1] PREEMPT SMP
[ 50.489463][ T3480] CPU: 3 PID: 3480 Comm: mausezahn Not tainted 5.4.0-rc7 #108
[ 50.492844][ T3480] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
[ 50.496551][ T3480] RIP: 0010:skb_panic+0x79/0x7b
[ 50.498261][ T3480] Code: bc 00 00 00 41 57 4c 89 e6 48 c7 c7 90 29 9a 83 4c 8b 8b c0 00 00 00 50 8b 83 b8 00 00 00 50 ff b3 c8 00 00 00 e8 ae ef c0 fe <0f> 0b e8 2f df c8 fe 48 8b 55 08 44 89 f6 4c 89 e7 48 c7 c1 a0 22
[ 50.504111][ T3480] RSP: 0018:ffffc90000447a10 EFLAGS: 00010282
[ 50.505835][ T3480] RAX: 0000000000000087 RBX: ffff888039317d00 RCX: 0000000000000000
[ 50.507900][ T3480] RDX: 0000000000000000 RSI: ffffffff812716e1 RDI: 00000000ffffffff
[ 50.509820][ T3480] RBP: ffffc90000447a60 R08: 0000000000000001 R09: 0000000000000000
[ 50.511735][ T3480] R10: ffffffff81d4f940 R11: 0000000000000000 R12: ffffffff834a22b0
[ 50.513494][ T3480] R13: ffffffff82c10433 R14: 0000000000000088 R15: ffffffff838a8084
[ 50.515222][ T3480] FS: 00007f3536462700(0000) GS:ffff88803eac0000(0000) knlGS:0000000000000000
[ 50.517135][ T3480] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 50.518583][ T3480] CR2: 0000000000442008 CR3: 000000003b222000 CR4: 00000000000006e0
[ 50.520723][ T3480] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 50.522709][ T3480] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 50.524450][ T3480] Call Trace:
[ 50.525214][ T3480] skb_put.cold+0x1b/0x1b
[ 50.526171][ T3480] psample_sample_packet+0x1d3/0x340
[ 50.527307][ T3480] tcf_sample_act+0x178/0x250
[ 50.528339][ T3480] tcf_action_exec+0xb1/0x190
[ 50.529354][ T3480] mall_classify+0x67/0x90
[ 50.530332][ T3480] tcf_classify+0x72/0x160
[ 50.531286][ T3480] __dev_queue_xmit+0x3db/0xd50
[ 50.532327][ T3480] dev_queue_xmit+0x18/0x20
[ 50.533299][ T3480] packet_sendmsg+0xee7/0x2090
[ 50.534331][ T3480] sock_sendmsg+0x54/0x70
[ 50.535271][ T3480] __sys_sendto+0x148/0x1f0
[ 50.536252][ T3480] ? tomoyo_file_ioctl+0x23/0x30
[ 50.537334][ T3480] ? ksys_ioctl+0x5e/0xb0
[ 50.540068][ T3480] __x64_sys_sendto+0x2a/0x30
[ 50.542810][ T3480] do_syscall_64+0x73/0x1f0
[ 50.545383][ T3480] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 50.548477][ T3480] RIP: 0033:0x7f35357d6fb3
[ 50.551020][ T3480] Code: 48 8b 0d 18 90 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 d3 20 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 eb f6 ff ff 48 89 04 24
[ 50.558547][ T3480] RSP: 002b:00007ffe0c7212c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 50.561870][ T3480] RAX: ffffffffffffffda RBX: 0000000001dac010 RCX: 00007f35357d6fb3
[ 50.565142][ T3480] RDX: 0000000000000082 RSI: 0000000001dac2a2 RDI: 0000000000000003
[ 50.568469][ T3480] RBP: 00007ffe0c7212f0 R08: 00007ffe0c7212d0 R09: 0000000000000014
[ 50.571731][ T3480] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000082
[ 50.574961][ T3480] R13: 0000000001dac2a2 R14: 0000000000000001 R15: 0000000000000003
[ 50.578170][ T3480] Modules linked in: sch_ingress virtio_net
[ 50.580976][ T3480] ---[ end trace 61a515626a595af6 ]---

CC: Yotam Gigi <[email protected]>
CC: Jiri Pirko <[email protected]>
CC: Jamal Hadi Salim <[email protected]>
CC: Simon Horman <[email protected]>
CC: Roopa Prabhu <[email protected]>
Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
Signed-off-by: Nikolay Aleksandrov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/psample/psample.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/psample/psample.c
+++ b/net/psample/psample.c
@@ -229,7 +229,7 @@ void psample_sample_packet(struct psampl
data_len = PSAMPLE_MAX_PACKET_SIZE - meta_len - NLA_HDRLEN
- NLA_ALIGNTO;

- nl_skb = genlmsg_new(meta_len + data_len, GFP_ATOMIC);
+ nl_skb = genlmsg_new(meta_len + nla_total_size(data_len), GFP_ATOMIC);
if (unlikely(!nl_skb))
return;



2019-12-03 22:39:08

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 25/46] slip: Fix use-after-free Read in slip_open

From: Jouni Hogander <[email protected]>

[ Upstream commit e58c1912418980f57ba2060017583067f5f71e52 ]

Slip_open doesn't clean-up device which registration failed from the
slip_devs device list. On next open after failure this list is iterated
and freed device is accessed. Fix this by calling sl_free_netdev in error
path.

Here is the trace from the Syzbot:

__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
sl_sync drivers/net/slip/slip.c:725 [inline]
slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
tiocsetd drivers/tty/tty_io.c:2334 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 3b5a39979daf ("slip: Fix memory leak in slip_open error path")
Reported-by: [email protected]
Cc: David Miller <[email protected]>
Cc: Oliver Hartkopp <[email protected]>
Cc: Lukas Bulwahn <[email protected]>
Signed-off-by: Jouni Hogander <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/slip/slip.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -855,6 +855,7 @@ err_free_chan:
sl->tty = NULL;
tty->disc_data = NULL;
clear_bit(SLF_INUSE, &sl->flags);
+ sl_free_netdev(sl->dev);
free_netdev(sl->dev);

err_exit:


2019-12-03 22:39:22

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 04/46] crypto: inside-secure - Fix stability issue with Macchiatobin

From: Pascal van Leeuwen <[email protected]>

commit b8c5d882c8334d05754b69dcdf1cfd6bc48a9e12 upstream.

This patch corrects an error in the Transform Record Cache initialization
code that was causing intermittent stability problems on the Macchiatobin
board.

Unfortunately, due to HW platform specifics, the problem could not happen
on the main development platform, being the VCU118 Xilinx development
board. And since it was a problem with hash table access, it was very
dependent on the actual physical context record DMA buffers being used,
i.e. with some (bad) luck it could seemingly work quit stable for a while.

Signed-off-by: Pascal van Leeuwen <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/crypto/inside-secure/safexcel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/crypto/inside-secure/safexcel.c
+++ b/drivers/crypto/inside-secure/safexcel.c
@@ -221,9 +221,9 @@ static void eip197_trc_cache_init(struct
/* Step #3: Determine log2 of hash table size */
cs_ht_sz = __fls(asize - cs_rc_max) - 2;
/* Step #4: determine current size of hash table in dwords */
- cs_ht_wc = 16<<cs_ht_sz; /* dwords, not admin words */
+ cs_ht_wc = 16 << cs_ht_sz; /* dwords, not admin words */
/* Step #5: add back excess words and see if we can fit more records */
- cs_rc_max = min_t(uint, cs_rc_abs_max, asize - (cs_ht_wc >> 4));
+ cs_rc_max = min_t(uint, cs_rc_abs_max, asize - (cs_ht_wc >> 2));

/* Clear the cache RAMs */
eip197_trc_cache_clear(priv, cs_rc_max, cs_ht_wc);


2019-12-03 22:39:28

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 05/46] driver core: platform: use the correct callback type for bus_find_device

From: Sami Tolvanen <[email protected]>

commit 492c88720d36eb662f9f10c1633f7726fbb07fc4 upstream.

platform_find_device_by_driver calls bus_find_device and passes
platform_match as the callback function. Casting the function to a
mismatching type trips indirect call Control-Flow Integrity (CFI) checking.

This change adds a callback function with the correct type and instead
of casting the function, explicitly casts the second parameter to struct
device_driver* as expected by platform_match.

Fixes: 36f3313d6bff9 ("platform: Add platform_find_device_by_driver() helper")
Signed-off-by: Sami Tolvanen <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/base/platform.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/base/platform.c
+++ b/drivers/base/platform.c
@@ -1278,6 +1278,11 @@ struct bus_type platform_bus_type = {
};
EXPORT_SYMBOL_GPL(platform_bus_type);

+static inline int __platform_match(struct device *dev, const void *drv)
+{
+ return platform_match(dev, (struct device_driver *)drv);
+}
+
/**
* platform_find_device_by_driver - Find a platform device with a given
* driver.
@@ -1288,7 +1293,7 @@ struct device *platform_find_device_by_d
const struct device_driver *drv)
{
return bus_find_device(&platform_bus_type, start, drv,
- (void *)platform_match);
+ __platform_match);
}
EXPORT_SYMBOL_GPL(platform_find_device_by_driver);



2019-12-03 22:39:29

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 30/46] net/tls: free the record on encryption error

From: Jakub Kicinski <[email protected]>

[ Upstream commit d10523d0b3d78153ee58d19853ced26c9004c8c4 ]

When tls_do_encryption() fails the SG lists are left with the
SG_END and SG_CHAIN marks in place. One could hope that once
encryption fails we will never see the record again, but that
is in fact not true. Commit d3b18ad31f93 ("tls: add bpf support
to sk_msg handling") added special handling to ENOMEM and ENOSPC
errors which mean we may see the same record re-submitted.

As suggested by John free the record, the BPF code is already
doing just that.

Reported-by: [email protected]
Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
Signed-off-by: Jakub Kicinski <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Acked-by: John Fastabend <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/tls/tls_sw.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -766,8 +766,14 @@ static int bpf_exec_tx_verdict(struct sk

policy = !(flags & MSG_SENDPAGE_NOPOLICY);
psock = sk_psock_get(sk);
- if (!psock || !policy)
- return tls_push_record(sk, flags, record_type);
+ if (!psock || !policy) {
+ err = tls_push_record(sk, flags, record_type);
+ if (err) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
+ }
+ return err;
+ }
more_data:
enospc = sk_msg_full(msg);
if (psock->eval == __SK_NONE) {


2019-12-03 22:39:31

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 31/46] net: skmsg: fix TLS 1.3 crash with full sk_msg

From: Jakub Kicinski <[email protected]>

[ Upstream commit 031097d9e079e40dce401031d1012e83d80eaf01 ]

TLS 1.3 started using the entry at the end of the SG array
for chaining-in the single byte content type entry. This mostly
works:

[ E E E E E E . . ]
^ ^
start end

E < content type
/
[ E E E E E E C . ]
^ ^
start end

(Where E denotes a populated SG entry; C denotes a chaining entry.)

If the array is full, however, the end will point to the start:

[ E E E E E E E E ]
^
start
end

And we end up overwriting the start:

E < content type
/
[ C E E E E E E E ]
^
start
end

The sg array is supposed to be a circular buffer with start and
end markers pointing anywhere. In case where start > end
(i.e. the circular buffer has "wrapped") there is an extra entry
reserved at the end to chain the two halves together.

[ E E E E E E . . l ]

(Where l is the reserved entry for "looping" back to front.

As suggested by John, let's reserve another entry for chaining
SG entries after the main circular buffer. Note that this entry
has to be pointed to by the end entry so its position is not fixed.

Examples of full messages:

[ E E E E E E E E . l ]
^ ^
start end

<---------------.
[ E E . E E E E E E l ]
^ ^
end start

Now the end will always point to an unused entry, so TLS 1.3
can always use it.

Fixes: 130b392c6cd6 ("net: tls: Add tls 1.3 support")
Signed-off-by: Jakub Kicinski <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/linux/skmsg.h | 26 +++++++++++++-------------
net/core/filter.c | 8 ++++----
net/core/skmsg.c | 2 +-
net/ipv4/tcp_bpf.c | 2 +-
4 files changed, 19 insertions(+), 19 deletions(-)

--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -14,6 +14,7 @@
#include <net/strparser.h>

#define MAX_MSG_FRAGS MAX_SKB_FRAGS
+#define NR_MSG_FRAG_IDS (MAX_MSG_FRAGS + 1)

enum __sk_action {
__SK_DROP = 0,
@@ -29,11 +30,13 @@ struct sk_msg_sg {
u32 size;
u32 copybreak;
bool copy[MAX_MSG_FRAGS];
- /* The extra element is used for chaining the front and sections when
- * the list becomes partitioned (e.g. end < start). The crypto APIs
- * require the chaining.
+ /* The extra two elements:
+ * 1) used for chaining the front and sections when the list becomes
+ * partitioned (e.g. end < start). The crypto APIs require the
+ * chaining;
+ * 2) to chain tailer SG entries after the message.
*/
- struct scatterlist data[MAX_MSG_FRAGS + 1];
+ struct scatterlist data[MAX_MSG_FRAGS + 2];
};

/* UAPI in filter.c depends on struct sk_msg_sg being first element. */
@@ -141,13 +144,13 @@ static inline void sk_msg_apply_bytes(st

static inline u32 sk_msg_iter_dist(u32 start, u32 end)
{
- return end >= start ? end - start : end + (MAX_MSG_FRAGS - start);
+ return end >= start ? end - start : end + (NR_MSG_FRAG_IDS - start);
}

#define sk_msg_iter_var_prev(var) \
do { \
if (var == 0) \
- var = MAX_MSG_FRAGS - 1; \
+ var = NR_MSG_FRAG_IDS - 1; \
else \
var--; \
} while (0)
@@ -155,7 +158,7 @@ static inline u32 sk_msg_iter_dist(u32 s
#define sk_msg_iter_var_next(var) \
do { \
var++; \
- if (var == MAX_MSG_FRAGS) \
+ if (var == NR_MSG_FRAG_IDS) \
var = 0; \
} while (0)

@@ -172,9 +175,9 @@ static inline void sk_msg_clear_meta(str

static inline void sk_msg_init(struct sk_msg *msg)
{
- BUILD_BUG_ON(ARRAY_SIZE(msg->sg.data) - 1 != MAX_MSG_FRAGS);
+ BUILD_BUG_ON(ARRAY_SIZE(msg->sg.data) - 1 != NR_MSG_FRAG_IDS);
memset(msg, 0, sizeof(*msg));
- sg_init_marker(msg->sg.data, MAX_MSG_FRAGS);
+ sg_init_marker(msg->sg.data, NR_MSG_FRAG_IDS);
}

static inline void sk_msg_xfer(struct sk_msg *dst, struct sk_msg *src,
@@ -195,14 +198,11 @@ static inline void sk_msg_xfer_full(stru

static inline bool sk_msg_full(const struct sk_msg *msg)
{
- return (msg->sg.end == msg->sg.start) && msg->sg.size;
+ return sk_msg_iter_dist(msg->sg.start, msg->sg.end) == MAX_MSG_FRAGS;
}

static inline u32 sk_msg_elem_used(const struct sk_msg *msg)
{
- if (sk_msg_full(msg))
- return MAX_MSG_FRAGS;
-
return sk_msg_iter_dist(msg->sg.start, msg->sg.end);
}

--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2299,7 +2299,7 @@ BPF_CALL_4(bpf_msg_pull_data, struct sk_
WARN_ON_ONCE(last_sge == first_sge);
shift = last_sge > first_sge ?
last_sge - first_sge - 1 :
- MAX_SKB_FRAGS - first_sge + last_sge - 1;
+ NR_MSG_FRAG_IDS - first_sge + last_sge - 1;
if (!shift)
goto out;

@@ -2308,8 +2308,8 @@ BPF_CALL_4(bpf_msg_pull_data, struct sk_
do {
u32 move_from;

- if (i + shift >= MAX_MSG_FRAGS)
- move_from = i + shift - MAX_MSG_FRAGS;
+ if (i + shift >= NR_MSG_FRAG_IDS)
+ move_from = i + shift - NR_MSG_FRAG_IDS;
else
move_from = i + shift;
if (move_from == msg->sg.end)
@@ -2323,7 +2323,7 @@ BPF_CALL_4(bpf_msg_pull_data, struct sk_
} while (1);

msg->sg.end = msg->sg.end - shift > msg->sg.end ?
- msg->sg.end - shift + MAX_MSG_FRAGS :
+ msg->sg.end - shift + NR_MSG_FRAG_IDS :
msg->sg.end - shift;
out:
msg->data = sg_virt(&msg->sg.data[first_sge]) + start - offset;
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -421,7 +421,7 @@ static int sk_psock_skb_ingress(struct s
copied = skb->len;
msg->sg.start = 0;
msg->sg.size = copied;
- msg->sg.end = num_sge == MAX_MSG_FRAGS ? 0 : num_sge;
+ msg->sg.end = num_sge;
msg->skb = skb;

sk_psock_queue_msg(psock, msg);
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -301,7 +301,7 @@ EXPORT_SYMBOL_GPL(tcp_bpf_sendmsg_redir)
static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
struct sk_msg *msg, int *copied, int flags)
{
- bool cork = false, enospc = msg->sg.start == msg->sg.end;
+ bool cork = false, enospc = sk_msg_full(msg);
struct sock *sk_redir;
u32 tosend, delta = 0;
int ret;


2019-12-03 22:39:34

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 32/46] selftests/tls: add a test for fragmented messages

From: Jakub Kicinski <[email protected]>

[ Upstream commit 65190f77424d7b82c4aad7326c9cce6bd91a2fcc ]

Add a sendmsg test with very fragmented messages. This should
fill up sk_msg and test the boundary conditions.

Signed-off-by: Jakub Kicinski <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
tools/testing/selftests/net/tls.c | 60 ++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)

--- a/tools/testing/selftests/net/tls.c
+++ b/tools/testing/selftests/net/tls.c
@@ -268,6 +268,38 @@ TEST_F(tls, sendmsg_single)
EXPECT_EQ(memcmp(buf, test_str, send_len), 0);
}

+#define MAX_FRAGS 64
+#define SEND_LEN 13
+TEST_F(tls, sendmsg_fragmented)
+{
+ char const *test_str = "test_sendmsg";
+ char buf[SEND_LEN * MAX_FRAGS];
+ struct iovec vec[MAX_FRAGS];
+ struct msghdr msg;
+ int i, frags;
+
+ for (frags = 1; frags <= MAX_FRAGS; frags++) {
+ for (i = 0; i < frags; i++) {
+ vec[i].iov_base = (char *)test_str;
+ vec[i].iov_len = SEND_LEN;
+ }
+
+ memset(&msg, 0, sizeof(struct msghdr));
+ msg.msg_iov = vec;
+ msg.msg_iovlen = frags;
+
+ EXPECT_EQ(sendmsg(self->fd, &msg, 0), SEND_LEN * frags);
+ EXPECT_EQ(recv(self->cfd, buf, SEND_LEN * frags, MSG_WAITALL),
+ SEND_LEN * frags);
+
+ for (i = 0; i < frags; i++)
+ EXPECT_EQ(memcmp(buf + SEND_LEN * i,
+ test_str, SEND_LEN), 0);
+ }
+}
+#undef MAX_FRAGS
+#undef SEND_LEN
+
TEST_F(tls, sendmsg_large)
{
void *mem = malloc(16384);
@@ -694,6 +726,34 @@ TEST_F(tls, recv_lowat)
EXPECT_EQ(memcmp(send_mem, recv_mem + 10, 5), 0);
}

+TEST_F(tls, recv_rcvbuf)
+{
+ char send_mem[4096];
+ char recv_mem[4096];
+ int rcv_buf = 1024;
+
+ memset(send_mem, 0x1c, sizeof(send_mem));
+
+ EXPECT_EQ(setsockopt(self->cfd, SOL_SOCKET, SO_RCVBUF,
+ &rcv_buf, sizeof(rcv_buf)), 0);
+
+ EXPECT_EQ(send(self->fd, send_mem, 512, 0), 512);
+ memset(recv_mem, 0, sizeof(recv_mem));
+ EXPECT_EQ(recv(self->cfd, recv_mem, sizeof(recv_mem), 0), 512);
+ EXPECT_EQ(memcmp(send_mem, recv_mem, 512), 0);
+
+ if (self->notls)
+ return;
+
+ EXPECT_EQ(send(self->fd, send_mem, 4096, 0), 4096);
+ memset(recv_mem, 0, sizeof(recv_mem));
+ EXPECT_EQ(recv(self->cfd, recv_mem, sizeof(recv_mem), 0), -1);
+ EXPECT_EQ(errno, EMSGSIZE);
+
+ EXPECT_EQ(recv(self->cfd, recv_mem, sizeof(recv_mem), 0), -1);
+ EXPECT_EQ(errno, EMSGSIZE);
+}
+
TEST_F(tls, bidir)
{
char const *test_str = "test_read";


2019-12-03 22:39:40

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 34/46] net/tls: use sg_next() to walk sg entries

From: Jakub Kicinski <[email protected]>

[ Upstream commit c5daa6cccdc2f94aca2c9b3fa5f94e4469997293 ]

Partially sent record cleanup path increments an SG entry
directly instead of using sg_next(). This should not be a
problem today, as encrypted messages should be always
allocated as arrays. But given this is a cleanup path it's
easy to miss was this ever to change. Use sg_next(), and
simplify the code.

Signed-off-by: Jakub Kicinski <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/net/tls.h | 2 +-
net/tls/tls_main.c | 13 ++-----------
net/tls/tls_sw.c | 3 ++-
3 files changed, 5 insertions(+), 13 deletions(-)

--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -395,7 +395,7 @@ int tls_push_sg(struct sock *sk, struct
int flags);
int tls_push_partial_record(struct sock *sk, struct tls_context *ctx,
int flags);
-bool tls_free_partial_record(struct sock *sk, struct tls_context *ctx);
+void tls_free_partial_record(struct sock *sk, struct tls_context *ctx);

static inline struct tls_msg *tls_msg(struct sk_buff *skb)
{
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -209,24 +209,15 @@ int tls_push_partial_record(struct sock
return tls_push_sg(sk, ctx, sg, offset, flags);
}

-bool tls_free_partial_record(struct sock *sk, struct tls_context *ctx)
+void tls_free_partial_record(struct sock *sk, struct tls_context *ctx)
{
struct scatterlist *sg;

- sg = ctx->partially_sent_record;
- if (!sg)
- return false;
-
- while (1) {
+ for (sg = ctx->partially_sent_record; sg; sg = sg_next(sg)) {
put_page(sg_page(sg));
sk_mem_uncharge(sk, sg->length);
-
- if (sg_is_last(sg))
- break;
- sg++;
}
ctx->partially_sent_record = NULL;
- return true;
}

static void tls_write_space(struct sock *sk)
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -2084,7 +2084,8 @@ void tls_sw_release_resources_tx(struct
/* Free up un-sent records in tx_list. First, free
* the partially sent record if any at head of tx_list.
*/
- if (tls_free_partial_record(sk, tls_ctx)) {
+ if (tls_ctx->partially_sent_record) {
+ tls_free_partial_record(sk, tls_ctx);
rec = list_first_entry(&ctx->tx_list,
struct tls_rec, list);
list_del(&rec->list);


2019-12-03 22:39:46

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 35/46] selftests: bpf: test_sockmap: handle file creation failures gracefully

From: Jakub Kicinski <[email protected]>

[ Upstream commit 4b67c515036313f3c3ecba3cb2babb9cbddb3f85 ]

test_sockmap creates a temporary file to use for sendpage.
this may fail for various reasons. Handle the error rather
than segfault.

Signed-off-by: Jakub Kicinski <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
tools/testing/selftests/bpf/test_sockmap.c | 9 +++++++++
1 file changed, 9 insertions(+)

--- a/tools/testing/selftests/bpf/test_sockmap.c
+++ b/tools/testing/selftests/bpf/test_sockmap.c
@@ -332,6 +332,10 @@ static int msg_loop_sendpage(int fd, int
int i, fp;

file = fopen(".sendpage_tst.tmp", "w+");
+ if (!file) {
+ perror("create file for sendpage");
+ return 1;
+ }
for (i = 0; i < iov_length * cnt; i++, k++)
fwrite(&k, sizeof(char), 1, file);
fflush(file);
@@ -339,6 +343,11 @@ static int msg_loop_sendpage(int fd, int
fclose(file);

fp = open(".sendpage_tst.tmp", O_RDONLY);
+ if (fp < 0) {
+ perror("reopen file for sendpage");
+ return 1;
+ }
+
clock_gettime(CLOCK_MONOTONIC, &s->start);
for (i = 0; i < cnt; i++) {
int sent = sendfile(fd, fp, NULL, iov_length);


2019-12-03 22:39:49

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 36/46] selftests: bpf: correct perror strings

From: Jakub Kicinski <[email protected]>

[ Upstream commit e5dc9dd3258098bf8b5ceb75fc3433b41eff618a ]

perror(str) is basically equivalent to
print("%s: %s\n", str, strerror(errno)).
New line or colon at the end of str is
a mistake/breaks formatting.

Signed-off-by: Jakub Kicinski <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
tools/testing/selftests/bpf/test_sockmap.c | 38 ++++++++++++++---------------
tools/testing/selftests/bpf/xdping.c | 2 -
2 files changed, 20 insertions(+), 20 deletions(-)

--- a/tools/testing/selftests/bpf/test_sockmap.c
+++ b/tools/testing/selftests/bpf/test_sockmap.c
@@ -240,14 +240,14 @@ static int sockmap_init_sockets(int verb
addr.sin_port = htons(S1_PORT);
err = bind(s1, (struct sockaddr *)&addr, sizeof(addr));
if (err < 0) {
- perror("bind s1 failed()\n");
+ perror("bind s1 failed()");
return errno;
}

addr.sin_port = htons(S2_PORT);
err = bind(s2, (struct sockaddr *)&addr, sizeof(addr));
if (err < 0) {
- perror("bind s2 failed()\n");
+ perror("bind s2 failed()");
return errno;
}

@@ -255,14 +255,14 @@ static int sockmap_init_sockets(int verb
addr.sin_port = htons(S1_PORT);
err = listen(s1, 32);
if (err < 0) {
- perror("listen s1 failed()\n");
+ perror("listen s1 failed()");
return errno;
}

addr.sin_port = htons(S2_PORT);
err = listen(s2, 32);
if (err < 0) {
- perror("listen s1 failed()\n");
+ perror("listen s1 failed()");
return errno;
}

@@ -270,14 +270,14 @@ static int sockmap_init_sockets(int verb
addr.sin_port = htons(S1_PORT);
err = connect(c1, (struct sockaddr *)&addr, sizeof(addr));
if (err < 0 && errno != EINPROGRESS) {
- perror("connect c1 failed()\n");
+ perror("connect c1 failed()");
return errno;
}

addr.sin_port = htons(S2_PORT);
err = connect(c2, (struct sockaddr *)&addr, sizeof(addr));
if (err < 0 && errno != EINPROGRESS) {
- perror("connect c2 failed()\n");
+ perror("connect c2 failed()");
return errno;
} else if (err < 0) {
err = 0;
@@ -286,13 +286,13 @@ static int sockmap_init_sockets(int verb
/* Accept Connecrtions */
p1 = accept(s1, NULL, NULL);
if (p1 < 0) {
- perror("accept s1 failed()\n");
+ perror("accept s1 failed()");
return errno;
}

p2 = accept(s2, NULL, NULL);
if (p2 < 0) {
- perror("accept s1 failed()\n");
+ perror("accept s1 failed()");
return errno;
}

@@ -353,7 +353,7 @@ static int msg_loop_sendpage(int fd, int
int sent = sendfile(fd, fp, NULL, iov_length);

if (!drop && sent < 0) {
- perror("send loop error:");
+ perror("send loop error");
close(fp);
return sent;
} else if (drop && sent >= 0) {
@@ -472,7 +472,7 @@ static int msg_loop(int fd, int iov_coun
int sent = sendmsg(fd, &msg, flags);

if (!drop && sent < 0) {
- perror("send loop error:");
+ perror("send loop error");
goto out_errno;
} else if (drop && sent >= 0) {
printf("send loop error expected: %i\n", sent);
@@ -508,7 +508,7 @@ static int msg_loop(int fd, int iov_coun
total_bytes -= txmsg_pop_total;
err = clock_gettime(CLOCK_MONOTONIC, &s->start);
if (err < 0)
- perror("recv start time: ");
+ perror("recv start time");
while (s->bytes_recvd < total_bytes) {
if (txmsg_cork) {
timeout.tv_sec = 0;
@@ -552,7 +552,7 @@ static int msg_loop(int fd, int iov_coun
if (recv < 0) {
if (errno != EWOULDBLOCK) {
clock_gettime(CLOCK_MONOTONIC, &s->end);
- perror("recv failed()\n");
+ perror("recv failed()");
goto out_errno;
}
}
@@ -566,7 +566,7 @@ static int msg_loop(int fd, int iov_coun

errno = msg_verify_data(&msg, recv, chunk_sz);
if (errno) {
- perror("data verify msg failed\n");
+ perror("data verify msg failed");
goto out_errno;
}
if (recvp) {
@@ -574,7 +574,7 @@ static int msg_loop(int fd, int iov_coun
recvp,
chunk_sz);
if (errno) {
- perror("data verify msg_peek failed\n");
+ perror("data verify msg_peek failed");
goto out_errno;
}
}
@@ -663,7 +663,7 @@ static int sendmsg_test(struct sockmap_o
err = 0;
exit(err ? 1 : 0);
} else if (rxpid == -1) {
- perror("msg_loop_rx: ");
+ perror("msg_loop_rx");
return errno;
}

@@ -690,7 +690,7 @@ static int sendmsg_test(struct sockmap_o
s.bytes_recvd, recvd_Bps, recvd_Bps/giga);
exit(err ? 1 : 0);
} else if (txpid == -1) {
- perror("msg_loop_tx: ");
+ perror("msg_loop_tx");
return errno;
}

@@ -724,7 +724,7 @@ static int forever_ping_pong(int rate, s
/* Ping/Pong data from client to server */
sc = send(c1, buf, sizeof(buf), 0);
if (sc < 0) {
- perror("send failed()\n");
+ perror("send failed()");
return sc;
}

@@ -757,7 +757,7 @@ static int forever_ping_pong(int rate, s
rc = recv(i, buf, sizeof(buf), 0);
if (rc < 0) {
if (errno != EWOULDBLOCK) {
- perror("recv failed()\n");
+ perror("recv failed()");
return rc;
}
}
@@ -769,7 +769,7 @@ static int forever_ping_pong(int rate, s

sc = send(i, buf, rc, 0);
if (sc < 0) {
- perror("send failed()\n");
+ perror("send failed()");
return sc;
}
}
--- a/tools/testing/selftests/bpf/xdping.c
+++ b/tools/testing/selftests/bpf/xdping.c
@@ -45,7 +45,7 @@ static int get_stats(int fd, __u16 count
printf("\nXDP RTT data:\n");

if (bpf_map_lookup_elem(fd, &raddr, &pinginfo)) {
- perror("bpf_map_lookup elem: ");
+ perror("bpf_map_lookup elem");
return 1;
}



2019-12-03 22:39:51

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 37/46] tipc: fix link name length check

From: John Rutherford <[email protected]>

[ Upstream commit fd567ac20cb0377ff466d3337e6e9ac5d0cb15e4 ]

In commit 4f07b80c9733 ("tipc: check msg->req data len in
tipc_nl_compat_bearer_disable") the same patch code was copied into
routines: tipc_nl_compat_bearer_disable(),
tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats().
The two link routine occurrences should have been modified to check
the maximum link name length and not bearer name length.

Fixes: 4f07b80c9733 ("tipc: check msg->reg data len in tipc_nl_compat_bearer_disable")
Signed-off-by: John Rutherford <[email protected]>
Acked-by: Jon Maloy <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/tipc/netlink_compat.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -550,7 +550,7 @@ static int tipc_nl_compat_link_stat_dump
if (len <= 0)
return -EINVAL;

- len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ len = min_t(int, len, TIPC_MAX_LINK_NAME);
if (!string_is_valid(name, len))
return -EINVAL;

@@ -822,7 +822,7 @@ static int tipc_nl_compat_link_reset_sta
if (len <= 0)
return -EINVAL;

- len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ len = min_t(int, len, TIPC_MAX_LINK_NAME);
if (!string_is_valid(name, len))
return -EINVAL;



2019-12-03 22:39:53

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 20/46] net: macb: add missed tasklet_kill

From: Chuhong Yuan <[email protected]>

[ Upstream commit 61183b056b49e2937ff92a1424291ba36a6f6d05 ]

This driver forgets to kill tasklet in remove.
Add the call to fix it.

Fixes: 032dc41ba6e2 ("net: macb: Handle HRESP error")
Signed-off-by: Chuhong Yuan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/ethernet/cadence/macb_main.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -4392,6 +4392,7 @@ static int macb_remove(struct platform_d
mdiobus_free(bp->mii_bus);

unregister_netdev(dev);
+ tasklet_kill(&bp->hresp_err_tasklet);
pm_runtime_disable(&pdev->dev);
pm_runtime_dont_use_autosuspend(&pdev->dev);
if (!pm_runtime_suspended(&pdev->dev)) {


2019-12-03 22:39:56

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 22/46] net: sched: fix `tc -s class show` no bstats on class with nolock subqueues

From: Dust Li <[email protected]>

[ Upstream commit 14e54ab9143fa60794d13ea0a66c792a2046a8f3 ]

When a classful qdisc's child qdisc has set the flag
TCQ_F_CPUSTATS (pfifo_fast for example), the child qdisc's
cpu_bstats should be passed to gnet_stats_copy_basic(),
but many classful qdisc didn't do that. As a result,
`tc -s class show dev DEV` always return 0 for bytes and
packets in this case.

Pass the child qdisc's cpu_bstats to gnet_stats_copy_basic()
to fix this issue.

The qstats also has this problem, but it has been fixed
in 5dd431b6b9 ("net: sched: introduce and use qstats read...")
and bstats still remains buggy.

Fixes: 22e0f8b9322c ("net: sched: make bstats per cpu and estimator RCU safe")
Signed-off-by: Dust Li <[email protected]>
Signed-off-by: Tony Lu <[email protected]>
Acked-by: Cong Wang <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/sched/sch_mq.c | 3 ++-
net/sched/sch_mqprio.c | 4 ++--
net/sched/sch_multiq.c | 2 +-
net/sched/sch_prio.c | 2 +-
4 files changed, 6 insertions(+), 5 deletions(-)

--- a/net/sched/sch_mq.c
+++ b/net/sched/sch_mq.c
@@ -245,7 +245,8 @@ static int mq_dump_class_stats(struct Qd
struct netdev_queue *dev_queue = mq_queue_get(sch, cl);

sch = dev_queue->qdisc_sleeping;
- if (gnet_stats_copy_basic(&sch->running, d, NULL, &sch->bstats) < 0 ||
+ if (gnet_stats_copy_basic(&sch->running, d, sch->cpu_bstats,
+ &sch->bstats) < 0 ||
qdisc_qstats_copy(d, sch) < 0)
return -1;
return 0;
--- a/net/sched/sch_mqprio.c
+++ b/net/sched/sch_mqprio.c
@@ -557,8 +557,8 @@ static int mqprio_dump_class_stats(struc
struct netdev_queue *dev_queue = mqprio_queue_get(sch, cl);

sch = dev_queue->qdisc_sleeping;
- if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch),
- d, NULL, &sch->bstats) < 0 ||
+ if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch), d,
+ sch->cpu_bstats, &sch->bstats) < 0 ||
qdisc_qstats_copy(d, sch) < 0)
return -1;
}
--- a/net/sched/sch_multiq.c
+++ b/net/sched/sch_multiq.c
@@ -339,7 +339,7 @@ static int multiq_dump_class_stats(struc

cl_q = q->queues[cl - 1];
if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch),
- d, NULL, &cl_q->bstats) < 0 ||
+ d, cl_q->cpu_bstats, &cl_q->bstats) < 0 ||
qdisc_qstats_copy(d, cl_q) < 0)
return -1;

--- a/net/sched/sch_prio.c
+++ b/net/sched/sch_prio.c
@@ -356,7 +356,7 @@ static int prio_dump_class_stats(struct

cl_q = q->queues[cl - 1];
if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch),
- d, NULL, &cl_q->bstats) < 0 ||
+ d, cl_q->cpu_bstats, &cl_q->bstats) < 0 ||
qdisc_qstats_copy(d, cl_q) < 0)
return -1;



2019-12-03 22:39:58

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 23/46] openvswitch: fix flow command message size

From: Paolo Abeni <[email protected]>

[ Upstream commit 4e81c0b3fa93d07653e2415fa71656b080a112fd ]

When user-space sets the OVS_UFID_F_OMIT_* flags, and the relevant
flow has no UFID, we can exceed the computed size, as
ovs_nla_put_identifier() will always dump an OVS_FLOW_ATTR_KEY
attribute.
Take the above in account when computing the flow command message
size.

Fixes: 74ed7ab9264c ("openvswitch: Add support for unique flow IDs.")
Reported-by: Qi Jun Ding <[email protected]>
Signed-off-by: Paolo Abeni <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/openvswitch/datapath.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -704,9 +704,13 @@ static size_t ovs_flow_cmd_msg_size(cons
{
size_t len = NLMSG_ALIGN(sizeof(struct ovs_header));

- /* OVS_FLOW_ATTR_UFID */
+ /* OVS_FLOW_ATTR_UFID, or unmasked flow key as fallback
+ * see ovs_nla_put_identifier()
+ */
if (sfid && ovs_identifier_is_ufid(sfid))
len += nla_total_size(sfid->ufid_len);
+ else
+ len += nla_total_size(ovs_key_attr_size());

/* OVS_FLOW_ATTR_KEY */
if (!sfid || should_fill_key(sfid, ufid_flags))


2019-12-03 22:40:08

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 41/46] ext4: add more paranoia checking in ext4_expand_extra_isize handling

From: Theodore Ts'o <[email protected]>

commit 4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a upstream.

It's possible to specify a non-zero s_want_extra_isize via debugging
option, and this can cause bad things(tm) to happen when using a file
system with an inode size of 128 bytes.

Add better checking when the file system is mounted, as well as when
we are actually doing the trying to do the inode expansion.

Link: https://lore.kernel.org/r/[email protected]
Reported-by: [email protected]
Reported-by: [email protected]
Reported-by: [email protected]
Signed-off-by: Theodore Ts'o <[email protected]>
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/ext4/inode.c | 15 +++++++++++++++
fs/ext4/super.c | 21 ++++++++++++---------
2 files changed, 27 insertions(+), 9 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5912,8 +5912,23 @@ static int __ext4_expand_extra_isize(str
{
struct ext4_inode *raw_inode;
struct ext4_xattr_ibody_header *header;
+ unsigned int inode_size = EXT4_INODE_SIZE(inode->i_sb);
+ struct ext4_inode_info *ei = EXT4_I(inode);
int error;

+ /* this was checked at iget time, but double check for good measure */
+ if ((EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > inode_size) ||
+ (ei->i_extra_isize & 3)) {
+ EXT4_ERROR_INODE(inode, "bad extra_isize %u (inode size %u)",
+ ei->i_extra_isize,
+ EXT4_INODE_SIZE(inode->i_sb));
+ return -EFSCORRUPTED;
+ }
+ if ((new_extra_isize < ei->i_extra_isize) ||
+ (new_extra_isize < 4) ||
+ (new_extra_isize > inode_size - EXT4_GOOD_OLD_INODE_SIZE))
+ return -EINVAL; /* Should never happen */
+
raw_inode = ext4_raw_inode(iloc);

header = IHDR(inode, raw_inode);
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3555,12 +3555,15 @@ static void ext4_clamp_want_extra_isize(
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
struct ext4_super_block *es = sbi->s_es;
+ unsigned def_extra_isize = sizeof(struct ext4_inode) -
+ EXT4_GOOD_OLD_INODE_SIZE;

- /* determine the minimum size of new large inodes, if present */
- if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE &&
- sbi->s_want_extra_isize == 0) {
- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
- EXT4_GOOD_OLD_INODE_SIZE;
+ if (sbi->s_inode_size == EXT4_GOOD_OLD_INODE_SIZE) {
+ sbi->s_want_extra_isize = 0;
+ return;
+ }
+ if (sbi->s_want_extra_isize < 4) {
+ sbi->s_want_extra_isize = def_extra_isize;
if (ext4_has_feature_extra_isize(sb)) {
if (sbi->s_want_extra_isize <
le16_to_cpu(es->s_want_extra_isize))
@@ -3573,10 +3576,10 @@ static void ext4_clamp_want_extra_isize(
}
}
/* Check if enough inode space is available */
- if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
- sbi->s_inode_size) {
- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
- EXT4_GOOD_OLD_INODE_SIZE;
+ if ((sbi->s_want_extra_isize > sbi->s_inode_size) ||
+ (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
+ sbi->s_inode_size)) {
+ sbi->s_want_extra_isize = def_extra_isize;
ext4_msg(sb, KERN_INFO,
"required extra inode space not available");
}


2019-12-03 22:40:09

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 42/46] Revert "jffs2: Fix possible null-pointer dereferences in jffs2_add_frag_to_fragtree()"

From: Joel Stanley <[email protected]>

commit 6e78c01fde9023e0701f3af880c1fd9de6e4e8e3 upstream.

This reverts commit f2538f999345405f7d2e1194c0c8efa4e11f7b3a. The patch
stopped JFFS2 from being able to mount an existing filesystem with the
following errors:

jffs2: error: (77) jffs2_build_inode_fragtree: Add node to tree failed -22
jffs2: error: (77) jffs2_do_read_inode_internal: Failed to build final fragtree for inode #5377: error -22

Fixes: f2538f999345 ("jffs2: Fix possible null-pointer dereferences...")
Cc: [email protected]
Suggested-by: Hou Tao <[email protected]>
Signed-off-by: Joel Stanley <[email protected]>
Signed-off-by: Richard Weinberger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/jffs2/nodelist.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/jffs2/nodelist.c
+++ b/fs/jffs2/nodelist.c
@@ -226,7 +226,7 @@ static int jffs2_add_frag_to_fragtree(st
lastend = this->ofs + this->size;
} else {
dbg_fragtree2("lookup gave no frag\n");
- return -EINVAL;
+ lastend = 0;
}

/* See if we ran off the end of the fragtree */


2019-12-03 22:40:17

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 44/46] HID: core: check whether Usage Page item is after Usage ID items

From: Candle Sun <[email protected]>

commit 1cb0d2aee26335d0bccf29100c7bed00ebece851 upstream.

Upstream commit 58e75155009c ("HID: core: move Usage Page concatenation
to Main item") adds support for Usage Page item after Usage ID items
(such as keyboards manufactured by Primax).

Usage Page concatenation in Main item works well for following report
descriptor patterns:

USAGE_PAGE (Keyboard) 05 07
USAGE_MINIMUM (Keyboard LeftControl) 19 E0
USAGE_MAXIMUM (Keyboard Right GUI) 29 E7
LOGICAL_MINIMUM (0) 15 00
LOGICAL_MAXIMUM (1) 25 01
REPORT_SIZE (1) 75 01
REPORT_COUNT (8) 95 08
INPUT (Data,Var,Abs) 81 02

-------------

USAGE_MINIMUM (Keyboard LeftControl) 19 E0
USAGE_MAXIMUM (Keyboard Right GUI) 29 E7
LOGICAL_MINIMUM (0) 15 00
LOGICAL_MAXIMUM (1) 25 01
REPORT_SIZE (1) 75 01
REPORT_COUNT (8) 95 08
USAGE_PAGE (Keyboard) 05 07
INPUT (Data,Var,Abs) 81 02

But it makes the parser act wrong for the following report
descriptor pattern(such as some Gamepads):

USAGE_PAGE (Button) 05 09
USAGE (Button 1) 09 01
USAGE (Button 2) 09 02
USAGE (Button 4) 09 04
USAGE (Button 5) 09 05
USAGE (Button 7) 09 07
USAGE (Button 8) 09 08
USAGE (Button 14) 09 0E
USAGE (Button 15) 09 0F
USAGE (Button 13) 09 0D
USAGE_PAGE (Consumer Devices) 05 0C
USAGE (Back) 0a 24 02
USAGE (HomePage) 0a 23 02
LOGICAL_MINIMUM (0) 15 00
LOGICAL_MAXIMUM (1) 25 01
REPORT_SIZE (1) 75 01
REPORT_COUNT (11) 95 0B
INPUT (Data,Var,Abs) 81 02

With Usage Page concatenation in Main item, parser recognizes all the
11 Usages as consumer keys, it is not the HID device's real intention.

This patch checks whether Usage Page is really defined after Usage ID
items by comparing usage page using status.

Usage Page concatenation on currently defined Usage Page will always
do in local parsing when Usage ID items encountered.

When Main item is parsing, concatenation will do again with last
defined Usage Page if this page has not been used in the previous
usages concatenation.

Signed-off-by: Candle Sun <[email protected]>
Signed-off-by: Nianfu Bai <[email protected]>
Cc: Benjamin Tissoires <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Cc: Siarhei Vishniakou <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/hid/hid-core.c | 51 +++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 45 insertions(+), 6 deletions(-)

--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -212,6 +212,18 @@ static unsigned hid_lookup_collection(st
}

/*
+ * Concatenate usage which defines 16 bits or less with the
+ * currently defined usage page to form a 32 bit usage
+ */
+
+static void complete_usage(struct hid_parser *parser, unsigned int index)
+{
+ parser->local.usage[index] &= 0xFFFF;
+ parser->local.usage[index] |=
+ (parser->global.usage_page & 0xFFFF) << 16;
+}
+
+/*
* Add a usage to the temporary parser table.
*/

@@ -222,6 +234,14 @@ static int hid_add_usage(struct hid_pars
return -1;
}
parser->local.usage[parser->local.usage_index] = usage;
+
+ /*
+ * If Usage item only includes usage id, concatenate it with
+ * currently defined usage page
+ */
+ if (size <= 2)
+ complete_usage(parser, parser->local.usage_index);
+
parser->local.usage_size[parser->local.usage_index] = size;
parser->local.collection_index[parser->local.usage_index] =
parser->collection_stack_ptr ?
@@ -543,13 +563,32 @@ static int hid_parser_local(struct hid_p
* usage value."
*/

-static void hid_concatenate_usage_page(struct hid_parser *parser)
+static void hid_concatenate_last_usage_page(struct hid_parser *parser)
{
int i;
+ unsigned int usage_page;
+ unsigned int current_page;
+
+ if (!parser->local.usage_index)
+ return;

- for (i = 0; i < parser->local.usage_index; i++)
- if (parser->local.usage_size[i] <= 2)
- parser->local.usage[i] += parser->global.usage_page << 16;
+ usage_page = parser->global.usage_page;
+
+ /*
+ * Concatenate usage page again only if last declared Usage Page
+ * has not been already used in previous usages concatenation
+ */
+ for (i = parser->local.usage_index - 1; i >= 0; i--) {
+ if (parser->local.usage_size[i] > 2)
+ /* Ignore extended usages */
+ continue;
+
+ current_page = parser->local.usage[i] >> 16;
+ if (current_page == usage_page)
+ break;
+
+ complete_usage(parser, i);
+ }
}

/*
@@ -561,7 +600,7 @@ static int hid_parser_main(struct hid_pa
__u32 data;
int ret;

- hid_concatenate_usage_page(parser);
+ hid_concatenate_last_usage_page(parser);

data = item_udata(item);

@@ -772,7 +811,7 @@ static int hid_scan_main(struct hid_pars
__u32 data;
int i;

- hid_concatenate_usage_page(parser);
+ hid_concatenate_last_usage_page(parser);

data = item_udata(item);



2019-12-03 22:40:20

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 27/46] openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()

From: Paolo Abeni <[email protected]>

[ Upstream commit 8ffeb03fbba3b599690b361467bfd2373e8c450f ]

All the callers of ovs_flow_cmd_build_info() already deal with
error return code correctly, so we can handle the error condition
in a more gracefull way. Still dump a warning to preserve
debuggability.

v1 -> v2:
- clarify the commit message
- clean the skb and report the error (DaveM)

Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
Signed-off-by: Paolo Abeni <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/openvswitch/datapath.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -886,7 +886,10 @@ static struct sk_buff *ovs_flow_cmd_buil
retval = ovs_flow_cmd_fill_info(flow, dp_ifindex, skb,
info->snd_portid, info->snd_seq, 0,
cmd, ufid_flags);
- BUG_ON(retval < 0);
+ if (WARN_ON_ONCE(retval < 0)) {
+ kfree_skb(skb);
+ skb = ERR_PTR(retval);
+ }
return skb;
}



2019-12-03 22:40:21

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 29/46] net/tls: take into account that bpf_exec_tx_verdict() may free the record

From: Jakub Kicinski <[email protected]>

[ Upstream commit c329ef9684de9517d82af5b4758c9e1b64a8a11a ]

bpf_exec_tx_verdict() may free the record if tls_push_record()
fails, or if the entire record got consumed by BPF. Re-check
ctx->open_rec before touching the data.

Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
Signed-off-by: Jakub Kicinski <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Acked-by: John Fastabend <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/tls/tls_sw.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -979,7 +979,7 @@ alloc_encrypted:
num_async++;
else if (ret == -ENOMEM)
goto wait_for_memory;
- else if (ret == -ENOSPC)
+ else if (ctx->open_rec && ret == -ENOSPC)
goto rollback_iter;
else if (ret != -EAGAIN)
goto send_end;
@@ -1048,11 +1048,12 @@ wait_for_memory:
ret = sk_stream_wait_memory(sk, &timeo);
if (ret) {
trim_sgl:
- tls_trim_both_msgs(sk, orig_size);
+ if (ctx->open_rec)
+ tls_trim_both_msgs(sk, orig_size);
goto send_end;
}

- if (msg_en->sg.size < required_size)
+ if (ctx->open_rec && msg_en->sg.size < required_size)
goto alloc_encrypted;
}

@@ -1185,11 +1186,13 @@ wait_for_sndbuf:
wait_for_memory:
ret = sk_stream_wait_memory(sk, &timeo);
if (ret) {
- tls_trim_both_msgs(sk, msg_pl->sg.size);
+ if (ctx->open_rec)
+ tls_trim_both_msgs(sk, msg_pl->sg.size);
goto sendpage_end;
}

- goto alloc_payload;
+ if (ctx->open_rec)
+ goto alloc_payload;
}

if (num_async) {


2019-12-03 22:40:24

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 28/46] openvswitch: remove another BUG_ON()

From: Paolo Abeni <[email protected]>

[ Upstream commit 8a574f86652a4540a2433946ba826ccb87f398cc ]

If we can't build the flow del notification, we can simply delete
the flow, no need to crash the kernel. Still keep a WARN_ON to
preserve debuggability.

Note: the BUG_ON() predates the Fixes tag, but this change
can be applied only after the mentioned commit.

v1 -> v2:
- do not leak an skb on error

Fixes: aed067783e50 ("openvswitch: Minimize ovs_flow_cmd_del critical section.")
Signed-off-by: Paolo Abeni <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/openvswitch/datapath.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1353,7 +1353,10 @@ static int ovs_flow_cmd_del(struct sk_bu
OVS_FLOW_CMD_DEL,
ufid_flags);
rcu_read_unlock();
- BUG_ON(err < 0);
+ if (WARN_ON_ONCE(err < 0)) {
+ kfree_skb(reply);
+ goto out_free;
+ }

ovs_notify(&dp_flow_genl_family, reply, info);
} else {
@@ -1361,6 +1364,7 @@ static int ovs_flow_cmd_del(struct sk_bu
}
}

+out_free:
ovs_flow_free(flow, true);
return 0;
unlock:


2019-12-03 22:40:30

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 13/46] mei: me: add comet point V device id

From: Alexander Usyskin <[email protected]>

commit 82b29b9f72afdccb40ea5f3c13c6a3cb65a597bc upstream.

Comet Point (Comet Lake) V device id.

Cc: <[email protected]>
Signed-off-by: Alexander Usyskin <[email protected]>
Signed-off-by: Tomas Winkler <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/misc/mei/hw-me-regs.h | 1 +
drivers/misc/mei/pci-me.c | 1 +
2 files changed, 2 insertions(+)

--- a/drivers/misc/mei/hw-me-regs.h
+++ b/drivers/misc/mei/hw-me-regs.h
@@ -81,6 +81,7 @@

#define MEI_DEV_ID_CMP_LP 0x02e0 /* Comet Point LP */
#define MEI_DEV_ID_CMP_LP_3 0x02e4 /* Comet Point LP 3 (iTouch) */
+#define MEI_DEV_ID_CMP_V 0xA3BA /* Comet Point Lake V */

#define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */

--- a/drivers/misc/mei/pci-me.c
+++ b/drivers/misc/mei/pci-me.c
@@ -98,6 +98,7 @@ static const struct pci_device_id mei_me

{MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP, MEI_ME_PCH12_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP_3, MEI_ME_PCH8_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_V, MEI_ME_PCH12_CFG)},

{MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)},



2019-12-03 22:40:34

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 33/46] net/tls: remove the dead inplace_crypto code

From: Jakub Kicinski <[email protected]>

[ Upstream commit 9e5ffed37df68d0ccfb2fdc528609e23a1e70ebe ]

Looks like when BPF support was added by commit d3b18ad31f93
("tls: add bpf support to sk_msg handling") and
commit d829e9c4112b ("tls: convert to generic sk_msg interface")
it broke/removed the support for in-place crypto as added by
commit 4e6d47206c32 ("tls: Add support for inplace records
encryption").

The inplace_crypto member of struct tls_rec is dead, inited
to zero, and sometimes set to zero again. It used to be
set to 1 when record was allocated, but the skmsg code doesn't
seem to have been written with the idea of in-place crypto
in mind.

Since non trivial effort is required to bring the feature back
and we don't really have the HW to measure the benefit just
remove the left over support for now to avoid confusing readers.

Signed-off-by: Jakub Kicinski <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/net/tls.h | 1 -
net/tls/tls_sw.c | 6 +-----
2 files changed, 1 insertion(+), 6 deletions(-)

--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -122,7 +122,6 @@ struct tls_rec {
struct list_head list;
int tx_ready;
int tx_flags;
- int inplace_crypto;

struct sk_msg msg_plaintext;
struct sk_msg msg_encrypted;
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -705,8 +705,7 @@ static int tls_push_record(struct sock *
}

i = msg_pl->sg.start;
- sg_chain(rec->sg_aead_in, 2, rec->inplace_crypto ?
- &msg_en->sg.data[i] : &msg_pl->sg.data[i]);
+ sg_chain(rec->sg_aead_in, 2, &msg_pl->sg.data[i]);

i = msg_en->sg.end;
sk_msg_iter_var_prev(i);
@@ -971,8 +970,6 @@ alloc_encrypted:
if (ret)
goto fallback_to_reg_send;

- rec->inplace_crypto = 0;
-
num_zc++;
copied += try_to_copy;

@@ -1171,7 +1168,6 @@ alloc_payload:

tls_ctx->pending_open_record_frags = true;
if (full_record || eor || sk_msg_full(msg_pl)) {
- rec->inplace_crypto = 0;
ret = bpf_exec_tx_verdict(msg_pl, sk, full_record,
record_type, &copied, flags);
if (ret) {


2019-12-03 22:40:36

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 43/46] crypto: talitos - Fix build error by selecting LIB_DES

From: Herbert Xu <[email protected]>

commit dbc2e87bd8b6d3cc79730b3a49c5163b4c386b49 upstream.

The talitos driver needs to select LIB_DES as it needs calls
des_expand_key.

Fixes: 9d574ae8ebc1 ("crypto: talitos/des - switch to new...")
Cc: <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Acked-by: Ard Biesheuvel <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/crypto/Kconfig | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -287,6 +287,7 @@ config CRYPTO_DEV_TALITOS
select CRYPTO_AUTHENC
select CRYPTO_BLKCIPHER
select CRYPTO_HASH
+ select CRYPTO_LIB_DES
select HW_RANDOM
depends on FSL_SOC
help


2019-12-03 22:40:36

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 15/46] x86/fpu: Dont cache access to fpu_fpregs_owner_ctx

From: Sebastian Andrzej Siewior <[email protected]>

commit 59c4bd853abcea95eccc167a7d7fd5f1a5f47b98 upstream.

The state/owner of the FPU is saved to fpu_fpregs_owner_ctx by pointing
to the context that is currently loaded. It never changed during the
lifetime of a task - it remained stable/constant.

After deferred FPU registers loading until return to userland was
implemented, the content of fpu_fpregs_owner_ctx may change during
preemption and must not be cached.

This went unnoticed for some time and was now noticed, in particular
since gcc 9 is caching that load in copy_fpstate_to_sigframe() and
reusing it in the retry loop:

copy_fpstate_to_sigframe()
load fpu_fpregs_owner_ctx and save on stack
fpregs_lock()
copy_fpregs_to_sigframe() /* failed */
fpregs_unlock()
*** PREEMPTION, another uses FPU, changes fpu_fpregs_owner_ctx ***

fault_in_pages_writeable() /* succeed, retry */

fpregs_lock()
__fpregs_load_activate()
fpregs_state_valid() /* uses fpu_fpregs_owner_ctx from stack */
copy_fpregs_to_sigframe() /* succeeds, random FPU content */

This is a comparison of the assembly produced by gcc 9, without vs with this
patch:

| # arch/x86/kernel/fpu/signal.c:173: if (!access_ok(buf, size))
| cmpq %rdx, %rax # tmp183, _4
| jb .L190 #,
|-# arch/x86/include/asm/fpu/internal.h:512: return fpu == this_cpu_read_stable(fpu_fpregs_owner_ctx) && cpu == fpu->last_cpu;
|-#APP
|-# 512 "arch/x86/include/asm/fpu/internal.h" 1
|- movq %gs:fpu_fpregs_owner_ctx,%rax #, pfo_ret__
|-# 0 "" 2
|-#NO_APP
|- movq %rax, -88(%rbp) # pfo_ret__, %sfp

|-# arch/x86/include/asm/fpu/internal.h:512: return fpu == this_cpu_read_stable(fpu_fpregs_owner_ctx) && cpu == fpu->last_cpu;
|- movq -88(%rbp), %rcx # %sfp, pfo_ret__
|- cmpq %rcx, -64(%rbp) # pfo_ret__, %sfp
|+# arch/x86/include/asm/fpu/internal.h:512: return fpu == this_cpu_read(fpu_fpregs_owner_ctx) && cpu == fpu->last_cpu;
|+#APP
|+# 512 "arch/x86/include/asm/fpu/internal.h" 1
|+ movq %gs:fpu_fpregs_owner_ctx(%rip),%rax # fpu_fpregs_owner_ctx, pfo_ret__
|+# 0 "" 2
|+# arch/x86/include/asm/fpu/internal.h:512: return fpu == this_cpu_read(fpu_fpregs_owner_ctx) && cpu == fpu->last_cpu;
|+#NO_APP
|+ cmpq %rax, -64(%rbp) # pfo_ret__, %sfp

Use this_cpu_read() instead this_cpu_read_stable() to avoid caching of
fpu_fpregs_owner_ctx during preemption points.

The Fixes: tag points to the commit where deferred FPU loading was
added. Since this commit, the compiler is no longer allowed to move the
load of fpu_fpregs_owner_ctx somewhere else / outside of the locked
section. A task preemption will change its value and stale content will
be observed.

[ bp: Massage. ]

Debugged-by: Austin Clements <[email protected]>
Debugged-by: David Chase <[email protected]>
Debugged-by: Ian Lance Taylor <[email protected]>
Fixes: 5f409e20b7945 ("x86/fpu: Defer FPU state load until return to userspace")
Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
Signed-off-by: Borislav Petkov <[email protected]>
Reviewed-by: Rik van Riel <[email protected]>
Tested-by: Borislav Petkov <[email protected]>
Cc: Aubrey Li <[email protected]>
Cc: Austin Clements <[email protected]>
Cc: Barret Rhoden <[email protected]>
Cc: Dave Hansen <[email protected]>
Cc: David Chase <[email protected]>
Cc: "H. Peter Anvin" <[email protected]>
Cc: [email protected]
Cc: Ingo Molnar <[email protected]>
Cc: Josh Bleecher Snyder <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: x86-ml <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
Link: https://bugzilla.kernel.org/show_bug.cgi?id=205663
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/include/asm/fpu/internal.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/include/asm/fpu/internal.h
+++ b/arch/x86/include/asm/fpu/internal.h
@@ -509,7 +509,7 @@ static inline void __fpu_invalidate_fpre

static inline int fpregs_state_valid(struct fpu *fpu, unsigned int cpu)
{
- return fpu == this_cpu_read_stable(fpu_fpregs_owner_ctx) && cpu == fpu->last_cpu;
+ return fpu == this_cpu_read(fpu_fpregs_owner_ctx) && cpu == fpu->last_cpu;
}

/*


2019-12-03 22:40:38

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 14/46] thunderbolt: Power cycle the router if NVM authentication fails

From: Mika Westerberg <[email protected]>

commit 7a7ebfa85f4fac349f3ab219538c44efe18b0cf6 upstream.

On zang's Dell XPS 13 9370 after Thunderbolt NVM firmware upgrade the
Thunderbolt controller did not come back as expected. Only after the
system was rebooted it became available again. It is not entirely clear
what happened but I suspect the new NVM firmware image authentication
failed for some reason. Regardless of this the router needs to be power
cycled if NVM authentication fails in order to get it fully functional
again.

This modifies the driver to issue a power cycle in case the NVM
authentication fails immediately when dma_port_flash_update_auth()
returns. We also need to call tb_switch_set_uuid() earlier to be able to
fetch possible NVM authentication failure when DMA port is added.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=205457
Reported-by: zang <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Mika Westerberg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/thunderbolt/switch.c | 54 +++++++++++++++++++++++++++++++++----------
1 file changed, 42 insertions(+), 12 deletions(-)

--- a/drivers/thunderbolt/switch.c
+++ b/drivers/thunderbolt/switch.c
@@ -168,7 +168,7 @@ static int nvm_validate_and_write(struct

static int nvm_authenticate_host(struct tb_switch *sw)
{
- int ret;
+ int ret = 0;

/*
* Root switch NVM upgrade requires that we disconnect the
@@ -176,6 +176,8 @@ static int nvm_authenticate_host(struct
* already).
*/
if (!sw->safe_mode) {
+ u32 status;
+
ret = tb_domain_disconnect_all_paths(sw->tb);
if (ret)
return ret;
@@ -184,7 +186,16 @@ static int nvm_authenticate_host(struct
* everything goes well so getting timeout is expected.
*/
ret = dma_port_flash_update_auth(sw->dma_port);
- return ret == -ETIMEDOUT ? 0 : ret;
+ if (!ret || ret == -ETIMEDOUT)
+ return 0;
+
+ /*
+ * Any error from update auth operation requires power
+ * cycling of the host router.
+ */
+ tb_sw_warn(sw, "failed to authenticate NVM, power cycling\n");
+ if (dma_port_flash_update_auth_status(sw->dma_port, &status) > 0)
+ nvm_set_auth_status(sw, status);
}

/*
@@ -192,7 +203,7 @@ static int nvm_authenticate_host(struct
* switch.
*/
dma_port_power_cycle(sw->dma_port);
- return 0;
+ return ret;
}

static int nvm_authenticate_device(struct tb_switch *sw)
@@ -200,8 +211,16 @@ static int nvm_authenticate_device(struc
int ret, retries = 10;

ret = dma_port_flash_update_auth(sw->dma_port);
- if (ret && ret != -ETIMEDOUT)
+ switch (ret) {
+ case 0:
+ case -ETIMEDOUT:
+ case -EACCES:
+ case -EINVAL:
+ /* Power cycle is required */
+ break;
+ default:
return ret;
+ }

/*
* Poll here for the authentication status. It takes some time
@@ -1246,8 +1265,6 @@ static ssize_t nvm_authenticate_store(st
*/
nvm_authenticate_start(sw);
ret = nvm_authenticate_host(sw);
- if (ret)
- nvm_authenticate_complete(sw);
} else {
ret = nvm_authenticate_device(sw);
}
@@ -1690,13 +1707,16 @@ static int tb_switch_add_dma_port(struct
int ret;

switch (sw->generation) {
- case 3:
- break;
-
case 2:
/* Only root switch can be upgraded */
if (tb_route(sw))
return 0;
+
+ /* fallthrough */
+ case 3:
+ ret = tb_switch_set_uuid(sw);
+ if (ret)
+ return ret;
break;

default:
@@ -1721,6 +1741,19 @@ static int tb_switch_add_dma_port(struct
return 0;

/*
+ * If there is status already set then authentication failed
+ * when the dma_port_flash_update_auth() returned. Power cycling
+ * is not needed (it was done already) so only thing we do here
+ * is to unblock runtime PM of the root port.
+ */
+ nvm_get_auth_status(sw, &status);
+ if (status) {
+ if (!tb_route(sw))
+ nvm_authenticate_complete(sw);
+ return 0;
+ }
+
+ /*
* Check status of the previous flash authentication. If there
* is one we need to power cycle the switch in any case to make
* it functional again.
@@ -1735,9 +1768,6 @@ static int tb_switch_add_dma_port(struct

if (status) {
tb_sw_info(sw, "switch flash authentication failed\n");
- ret = tb_switch_set_uuid(sw);
- if (ret)
- return ret;
nvm_set_auth_status(sw, status);
}



2019-12-03 22:40:55

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 38/46] selftests: pmtu: use -oneline for ip route list cache

From: Thadeu Lima de Souza Cascardo <[email protected]>

[ Upstream commit 2745aea6750ff0d2c48285d25bdb00e5b636ec8b ]

Some versions of iproute2 will output more than one line per entry, which
will cause the test to fail, like:

TEST: ipv6: list and flush cached exceptions [FAIL]
can't list cached exceptions

That happens, for example, with iproute2 4.15.0. When using the -oneline
option, this will work just fine:

TEST: ipv6: list and flush cached exceptions [ OK ]

This also works just fine with a more recent version of iproute2, like
5.4.0.

For some reason, two lines are printed for the IPv4 test no matter what
version of iproute2 is used. Use the same -oneline parameter there instead
of counting the lines twice.

Fixes: b964641e9925 ("selftests: pmtu: Make list_flush_ipv6_exception test more demanding")
Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
Acked-by: Stefano Brivio <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
tools/testing/selftests/net/pmtu.sh | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

--- a/tools/testing/selftests/net/pmtu.sh
+++ b/tools/testing/selftests/net/pmtu.sh
@@ -1249,8 +1249,7 @@ test_list_flush_ipv4_exception() {
done
run_cmd ${ns_a} ping -q -M want -i 0.1 -c 2 -s 1800 "${dst2}"

- # Each exception is printed as two lines
- if [ "$(${ns_a} ip route list cache | wc -l)" -ne 202 ]; then
+ if [ "$(${ns_a} ip -oneline route list cache | wc -l)" -ne 101 ]; then
err " can't list cached exceptions"
fail=1
fi
@@ -1300,7 +1299,7 @@ test_list_flush_ipv6_exception() {
run_cmd ${ns_a} ping -q -M want -i 0.1 -w 1 -s 1800 "${dst_prefix1}${i}"
done
run_cmd ${ns_a} ping -q -M want -i 0.1 -w 1 -s 1800 "${dst2}"
- if [ "$(${ns_a} ip -6 route list cache | wc -l)" -ne 101 ]; then
+ if [ "$(${ns_a} ip -oneline -6 route list cache | wc -l)" -ne 101 ]; then
err " can't list cached exceptions"
fail=1
fi


2019-12-03 22:40:58

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 39/46] r8169: fix jumbo configuration for RTL8168evl

From: Heiner Kallweit <[email protected]>

[ Upstream commit 14012c9f3bb922b9e0751ba43d15cc580a6049bf ]

Alan reported [0] that network is broken since the referenced commit
when using jumbo frames. This commit isn't wrong, it just revealed
another issue that has been existing before. According to the vendor
driver the RTL8168e-specific jumbo config doesn't apply for RTL8168evl.

[0] https://lkml.org/lkml/2019/11/30/119

Fixes: 4ebcb113edcc ("r8169: fix jumbo packet handling on resume from suspend")
Reported-by: Alan J. Wylie <[email protected]>
Tested-by: Alan J. Wylie <[email protected]>
Signed-off-by: Heiner Kallweit <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/ethernet/realtek/r8169_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/realtek/r8169_main.c
+++ b/drivers/net/ethernet/realtek/r8169_main.c
@@ -4118,7 +4118,7 @@ static void rtl_hw_jumbo_enable(struct r
case RTL_GIGA_MAC_VER_27 ... RTL_GIGA_MAC_VER_28:
r8168dp_hw_jumbo_enable(tp);
break;
- case RTL_GIGA_MAC_VER_31 ... RTL_GIGA_MAC_VER_34:
+ case RTL_GIGA_MAC_VER_31 ... RTL_GIGA_MAC_VER_33:
r8168e_hw_jumbo_enable(tp);
break;
default:


2019-12-03 22:41:02

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 40/46] r8169: fix resume on cable plug-in

From: Heiner Kallweit <[email protected]>

[ Upstream commit 398fd408ccfb5e44b1cbe73a209d2281d3efa83c ]

It was reported [0] that network doesn't wake up on cable plug-in with
certain chip versions. Reason is that on these chip versions the PHY
doesn't detect cable plug-in when being in power-down mode. So prevent
the PHY from powering down if WoL is enabled.

[0] https://bugzilla.kernel.org/show_bug.cgi?id=202103

Fixes: 95fb8bb3181b ("net: phy: force phy suspend when calling phy_stop")
Reported-by: jhdskag3 <[email protected]>
Tested-by: jhdskag3 <[email protected]>
Signed-off-by: Heiner Kallweit <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/ethernet/realtek/r8169_main.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/realtek/r8169_main.c
+++ b/drivers/net/ethernet/realtek/r8169_main.c
@@ -1516,6 +1516,7 @@ static void __rtl8169_set_wol(struct rtl
rtl_lock_config_regs(tp);

device_set_wakeup_enable(tp_to_dev(tp), wolopts);
+ tp->dev->wol_enabled = wolopts ? 1 : 0;
}

static int rtl8169_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)


2019-12-03 23:14:06

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 08/46] staging: rtl8192e: fix potential use after free

From: Pan Bian <[email protected]>

commit b7aa39a2ed0112d07fc277ebd24a08a7b2368ab9 upstream.

The variable skb is released via kfree_skb() when the return value of
_rtl92e_tx is not zero. However, after that, skb is accessed again to
read its length, which may result in a use after free bug. This patch
fixes the bug by moving the release operation to where skb is never
used later.

Signed-off-by: Pan Bian <[email protected]>
Reviewed-by: Dan Carpenter <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
+++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
@@ -1616,14 +1616,15 @@ static void _rtl92e_hard_data_xmit(struc
memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
skb_push(skb, priv->rtllib->tx_headroom);
ret = _rtl92e_tx(dev, skb);
- if (ret != 0)
- kfree_skb(skb);

if (queue_index != MGNT_QUEUE) {
priv->rtllib->stats.tx_bytes += (skb->len -
priv->rtllib->tx_headroom);
priv->rtllib->stats.tx_packets++;
}
+
+ if (ret != 0)
+ kfree_skb(skb);
}

static int _rtl92e_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)


2019-12-03 23:14:27

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 11/46] USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P

From: Fabio D'Urso <[email protected]>

commit c1a1f273d0825774c80896b8deb1c9ea1d0b91e3 upstream.

This device presents itself as a USB hub with three attached devices:
- An ACM serial port connected to the GPS module (not affected by this
commit)
- An FTDI serial port connected to the GPS module (1546:0502)
- Another FTDI serial port connected to the ODIN-W2 radio module
(1546:0503)

This commit registers U-Blox's VID and the PIDs of the second and third
devices.

Datasheet: https://www.u-blox.com/sites/default/files/C099-F9P-AppBoard-Mbed-OS3-FW_UserGuide_%28UBX-18063024%29.pdf

Signed-off-by: Fabio D'Urso <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/serial/ftdi_sio.c | 3 +++
drivers/usb/serial/ftdi_sio_ids.h | 7 +++++++
2 files changed, 10 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1033,6 +1033,9 @@ static const struct usb_device_id id_tab
/* Sienna devices */
{ USB_DEVICE(FTDI_VID, FTDI_SIENNA_PID) },
{ USB_DEVICE(ECHELON_VID, ECHELON_U20_PID) },
+ /* U-Blox devices */
+ { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ZED_PID) },
+ { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) },
{ } /* Terminating entry */
};

--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -1558,3 +1558,10 @@
*/
#define UNJO_VID 0x22B7
#define UNJO_ISODEBUG_V1_PID 0x150D
+
+/*
+ * U-Blox products (http://www.u-blox.com).
+ */
+#define UBLOX_VID 0x1546
+#define UBLOX_C099F9P_ZED_PID 0x0502
+#define UBLOX_C099F9P_ODIN_PID 0x0503


2019-12-03 23:14:28

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 45/46] platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer

From: Hans de Goede <[email protected]>

commit 16245db1489cd9aa579506f64afeeeb13d825a93 upstream.

The HP WMI calls may take up to 128 bytes of data as input, and
the AML methods implementing the WMI calls, declare a couple of fields for
accessing input in different sizes, specifycally the HWMC method contains:

CreateField (Arg1, 0x80, 0x0400, D128)

Even though we do not use any of the WMI command-types which need a buffer
of this size, the APCI interpreter still tries to create it as it is
declared in generoc code at the top of the HWMC method which runs before
the code looks at which command-type is requested.

This results in many of these errors on many different HP laptop models:

[ 14.459261] ACPI Error: Field [D128] at 1152 exceeds Buffer [NULL] size 160 (bits) (20170303/dsopcode-236)
[ 14.459268] ACPI Error: Method parse/execution failed [\HWMC] (Node ffff8edcc61507f8), AE_AML_BUFFER_LIMIT (20170303/psparse-543)
[ 14.459279] ACPI Error: Method parse/execution failed [\_SB.WMID.WMAA] (Node ffff8edcc61523c0), AE_AML_BUFFER_LIMIT (20170303/psparse-543)

This commit increases the size of the data element of the bios_args struct
to 128 bytes fixing these errors.

Cc: [email protected]
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=197007
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=201981
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1520703
Signed-off-by: Hans de Goede <[email protected]>
Signed-off-by: Andy Shevchenko <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/platform/x86/hp-wmi.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/platform/x86/hp-wmi.c
+++ b/drivers/platform/x86/hp-wmi.c
@@ -65,7 +65,7 @@ struct bios_args {
u32 command;
u32 commandtype;
u32 datasize;
- u32 data;
+ u8 data[128];
};

enum hp_wmi_commandtype {
@@ -216,7 +216,7 @@ static int hp_wmi_perform_query(int quer
.command = command,
.commandtype = query,
.datasize = insize,
- .data = 0,
+ .data = { 0 },
};
struct acpi_buffer input = { sizeof(struct bios_args), &args };
struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
@@ -228,7 +228,7 @@ static int hp_wmi_perform_query(int quer

if (WARN_ON(insize > sizeof(args.data)))
return -EINVAL;
- memcpy(&args.data, buffer, insize);
+ memcpy(&args.data[0], buffer, insize);

wmi_evaluate_method(HPWMI_BIOS_GUID, 0, mid, &input, &output);



2019-12-03 23:14:40

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 46/46] platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size

From: Hans de Goede <[email protected]>

commit f3e4f3fc8ee9729c4b1b27a478c68b713df53c0c upstream.

The AML code implementing the WMI methods creates a variable length
field to hold the input data we pass like this:

CreateDWordField (Arg1, 0x0C, DSZI)
Local5 = DSZI /* \HWMC.DSZI */
CreateField (Arg1, 0x80, (Local5 * 0x08), DAIN)

If we pass 0 as bios_args.datasize argument then (Local5 * 0x08)
is 0 which results in these errors:

[ 71.973305] ACPI BIOS Error (bug): Attempt to CreateField of length zero (20190816/dsopcode-133)
[ 71.973332] ACPI Error: Aborting method \HWMC due to previous error (AE_AML_OPERAND_VALUE) (20190816/psparse-529)
[ 71.973413] ACPI Error: Aborting method \_SB.WMID.WMAA due to previous error (AE_AML_OPERAND_VALUE) (20190816/psparse-529)

And in our HPWMI_WIRELESS2_QUERY calls always failing. for read commands
like HPWMI_WIRELESS2_QUERY the DSZI value is not used / checked, except for
read commands where extra input is needed to specify exactly what to read.

So for HPWMI_WIRELESS2_QUERY we can safely pass the size of the expected
output as insize to hp_wmi_perform_query(), as we are already doing for all
other HPWMI_READ commands we send. Doing so fixes these errors.

Cc: [email protected]
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=197007
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=201981
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1520703
Signed-off-by: Hans de Goede <[email protected]>
Signed-off-by: Andy Shevchenko <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/platform/x86/hp-wmi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/platform/x86/hp-wmi.c
+++ b/drivers/platform/x86/hp-wmi.c
@@ -380,7 +380,7 @@ static int hp_wmi_rfkill2_refresh(void)
int err, i;

err = hp_wmi_perform_query(HPWMI_WIRELESS2_QUERY, HPWMI_READ, &state,
- 0, sizeof(state));
+ sizeof(state), sizeof(state));
if (err)
return err;

@@ -778,7 +778,7 @@ static int __init hp_wmi_rfkill2_setup(s
int err, i;

err = hp_wmi_perform_query(HPWMI_WIRELESS2_QUERY, HPWMI_READ, &state,
- 0, sizeof(state));
+ sizeof(state), sizeof(state));
if (err)
return err < 0 ? err : -EINVAL;



2019-12-03 23:14:41

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 12/46] mei: bus: prefix device names on bus with the bus name

From: Alexander Usyskin <[email protected]>

commit 7a2b9e6ec84588b0be65cc0ae45a65bac431496b upstream.

Add parent device name to the name of devices on bus to avoid
device names collisions for same client UUID available
from different MEI heads. Namely this prevents sysfs collision under
/sys/bus/mei/device/

In the device part leave just UUID other parameters that are
required for device matching are not required here and are
just bloating the name.

Cc: <[email protected]>
Signed-off-by: Alexander Usyskin <[email protected]>
Signed-off-by: Tomas Winkler <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/misc/mei/bus.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/misc/mei/bus.c
+++ b/drivers/misc/mei/bus.c
@@ -873,15 +873,16 @@ static const struct device_type mei_cl_d

/**
* mei_cl_bus_set_name - set device name for me client device
+ * <controller>-<client device>
+ * Example: 0000:00:16.0-55213584-9a29-4916-badf-0fb7ed682aeb
*
* @cldev: me client device
*/
static inline void mei_cl_bus_set_name(struct mei_cl_device *cldev)
{
- dev_set_name(&cldev->dev, "mei:%s:%pUl:%02X",
- cldev->name,
- mei_me_cl_uuid(cldev->me_cl),
- mei_me_cl_ver(cldev->me_cl));
+ dev_set_name(&cldev->dev, "%s-%pUl",
+ dev_name(cldev->bus->dev),
+ mei_me_cl_uuid(cldev->me_cl));
}

/**


2019-12-03 23:15:00

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 16/46] gve: Fix the queue page list allocated pages count

From: Jeroen de Borst <[email protected]>

[ Upstream commit a95069ecb7092d03b2ea1c39ee04514fe9627540 ]

In gve_alloc_queue_page_list(), when a page allocation fails,
qpl->num_entries will be wrong. In this case priv->num_registered_pages
can underflow in gve_free_queue_page_list(), causing subsequent calls
to gve_alloc_queue_page_list() to fail.

Fixes: f5cedc84a30d ("gve: Add transmit and receive support")
Signed-off-by: Jeroen de Borst <[email protected]>
Reviewed-by: Catherine Sullivan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/ethernet/google/gve/gve_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/google/gve/gve_main.c
+++ b/drivers/net/ethernet/google/gve/gve_main.c
@@ -544,7 +544,7 @@ static int gve_alloc_queue_page_list(str
}

qpl->id = id;
- qpl->num_entries = pages;
+ qpl->num_entries = 0;
qpl->pages = kvzalloc(pages * sizeof(*qpl->pages), GFP_KERNEL);
/* caller handles clean up */
if (!qpl->pages)
@@ -562,6 +562,7 @@ static int gve_alloc_queue_page_list(str
/* caller handles clean up */
if (err)
return -ENOMEM;
+ qpl->num_entries++;
}
priv->num_registered_pages += pages;



2019-12-03 23:15:04

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 10/46] staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids

From: Hans de Goede <[email protected]>

commit 3d5f1eedbfd22ceea94b39989d6021b1958181f4 upstream.

Add 024c:0525 to the list of SDIO device-ids, based on a patch found
in the Android X86 kernels. According to that patch this device id is
used on the Alcatel Plus 10 device.

Reported-and-tested-by: youling257 <[email protected]>
Signed-off-by: Hans de Goede <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/rtl8723bs/os_dep/sdio_intf.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/staging/rtl8723bs/os_dep/sdio_intf.c
+++ b/drivers/staging/rtl8723bs/os_dep/sdio_intf.c
@@ -18,6 +18,7 @@
static const struct sdio_device_id sdio_ids[] =
{
{ SDIO_DEVICE(0x024c, 0x0523), },
+ { SDIO_DEVICE(0x024c, 0x0525), },
{ SDIO_DEVICE(0x024c, 0x0623), },
{ SDIO_DEVICE(0x024c, 0x0626), },
{ SDIO_DEVICE(0x024c, 0xb723), },


2019-12-03 23:15:31

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 24/46] sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook

From: Navid Emamdoost <[email protected]>

[ Upstream commit b6631c6031c746ed004c4221ec0616d7a520f441 ]

In the implementation of sctp_sf_do_5_2_4_dupcook() the allocated
new_asoc is leaked if security_sctp_assoc_request() fails. Release it
via sctp_association_free().

Fixes: 2277c7cd75e3 ("sctp: Add LSM hooks")
Signed-off-by: Navid Emamdoost <[email protected]>
Acked-by: Marcelo Ricardo Leitner <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/sctp/sm_statefuns.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2160,8 +2160,10 @@ enum sctp_disposition sctp_sf_do_5_2_4_d

/* Update socket peer label if first association. */
if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
- chunk->skb))
+ chunk->skb)) {
+ sctp_association_free(new_asoc);
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+ }

/* Set temp so that it won't be added into hashtable */
new_asoc->temp = 1;


2019-12-03 23:15:53

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 26/46] sctp: cache netns in sctp_ep_common

From: Xin Long <[email protected]>

[ Upstream commit 312434617cb16be5166316cf9d08ba760b1042a1 ]

This patch is to fix a data-race reported by syzbot:

BUG: KCSAN: data-race in sctp_assoc_migrate / sctp_hash_obj

write to 0xffff8880b67c0020 of 8 bytes by task 18908 on cpu 1:
sctp_assoc_migrate+0x1a6/0x290 net/sctp/associola.c:1091
sctp_sock_migrate+0x8aa/0x9b0 net/sctp/socket.c:9465
sctp_accept+0x3c8/0x470 net/sctp/socket.c:4916
inet_accept+0x7f/0x360 net/ipv4/af_inet.c:734
__sys_accept4+0x224/0x430 net/socket.c:1754
__do_sys_accept net/socket.c:1795 [inline]
__se_sys_accept net/socket.c:1792 [inline]
__x64_sys_accept+0x4e/0x60 net/socket.c:1792
do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9

read to 0xffff8880b67c0020 of 8 bytes by task 12003 on cpu 0:
sctp_hash_obj+0x4f/0x2d0 net/sctp/input.c:894
rht_key_get_hash include/linux/rhashtable.h:133 [inline]
rht_key_hashfn include/linux/rhashtable.h:159 [inline]
rht_head_hashfn include/linux/rhashtable.h:174 [inline]
head_hashfn lib/rhashtable.c:41 [inline]
rhashtable_rehash_one lib/rhashtable.c:245 [inline]
rhashtable_rehash_chain lib/rhashtable.c:276 [inline]
rhashtable_rehash_table lib/rhashtable.c:316 [inline]
rht_deferred_worker+0x468/0xab0 lib/rhashtable.c:420
process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
worker_thread+0xa0/0x800 kernel/workqueue.c:2415
kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

It was caused by rhashtable access asoc->base.sk when sctp_assoc_migrate
is changing its value. However, what rhashtable wants is netns from asoc
base.sk, and for an asoc, its netns won't change once set. So we can
simply fix it by caching netns since created.

Fixes: d6c0256a60e6 ("sctp: add the rhashtable apis for sctp global transport hashtable")
Reported-by: [email protected]
Signed-off-by: Xin Long <[email protected]>
Acked-by: Marcelo Ricardo Leitner <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/net/sctp/structs.h | 3 +++
net/sctp/associola.c | 1 +
net/sctp/endpointola.c | 1 +
net/sctp/input.c | 4 ++--
4 files changed, 7 insertions(+), 2 deletions(-)

--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -1239,6 +1239,9 @@ struct sctp_ep_common {
/* What socket does this endpoint belong to? */
struct sock *sk;

+ /* Cache netns and it won't change once set */
+ struct net *net;
+
/* This is where we receive inbound chunks. */
struct sctp_inq inqueue;

--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -64,6 +64,7 @@ static struct sctp_association *sctp_ass
/* Discarding const is appropriate here. */
asoc->ep = (struct sctp_endpoint *)ep;
asoc->base.sk = (struct sock *)sk;
+ asoc->base.net = sock_net(sk);

sctp_endpoint_hold(asoc->ep);
sock_hold(asoc->base.sk);
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -110,6 +110,7 @@ static struct sctp_endpoint *sctp_endpoi

/* Remember who we are attached to. */
ep->base.sk = sk;
+ ep->base.net = sock_net(sk);
sock_hold(ep->base.sk);

return ep;
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -882,7 +882,7 @@ static inline int sctp_hash_cmp(struct r
if (!sctp_transport_hold(t))
return err;

- if (!net_eq(sock_net(t->asoc->base.sk), x->net))
+ if (!net_eq(t->asoc->base.net, x->net))
goto out;
if (x->lport != htons(t->asoc->base.bind_addr.port))
goto out;
@@ -897,7 +897,7 @@ static inline __u32 sctp_hash_obj(const
{
const struct sctp_transport *t = data;

- return sctp_hashfn(sock_net(t->asoc->base.sk),
+ return sctp_hashfn(t->asoc->base.net,
htons(t->asoc->base.bind_addr.port),
&t->ipaddr, seed);
}


2019-12-03 23:20:46

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 5.4 17/46] macvlan: schedule bc_work even if error

From: Menglong Dong <[email protected]>

[ Upstream commit 1d7ea55668878bb350979c377fc72509dd6f5b21 ]

While enqueueing a broadcast skb to port->bc_queue, schedule_work()
is called to add port->bc_work, which processes the skbs in
bc_queue, to "events" work queue. If port->bc_queue is full, the
skb will be discarded and schedule_work(&port->bc_work) won't be
called. However, if port->bc_queue is full and port->bc_work is not
running or pending, port->bc_queue will keep full and schedule_work()
won't be called any more, and all broadcast skbs to macvlan will be
discarded. This case can happen:

macvlan_process_broadcast() is the pending function of port->bc_work,
it moves all the skbs in port->bc_queue to the queue "list", and
processes the skbs in "list". During this, new skbs will keep being
added to port->bc_queue in macvlan_broadcast_enqueue(), and
port->bc_queue may already full when macvlan_process_broadcast()
return. This may happen, especially when there are a lot of real-time
threads and the process is preempted.

Fix this by calling schedule_work(&port->bc_work) even if
port->bc_work is full in macvlan_broadcast_enqueue().

Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
Signed-off-by: Menglong Dong <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/macvlan.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -359,10 +359,11 @@ static void macvlan_broadcast_enqueue(st
}
spin_unlock(&port->bc_queue.lock);

+ schedule_work(&port->bc_work);
+
if (err)
goto free_nskb;

- schedule_work(&port->bc_work);
return;

free_nskb:


2019-12-04 10:27:41

by Jon Hunter

[permalink] [raw]
Subject: Re: [PATCH 5.4 00/46] 5.4.2-stable review


On 03/12/2019 22:35, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.2 release.
> There are 46 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 05 Dec 2019 21:20:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.2-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
> -------------


No new regressions for Tegra. Still one warning test failing, but that
is expected.

Test results for stable-v5.4:
13 builds: 13 pass, 0 fail
22 boots: 22 pass, 0 fail
38 tests: 37 pass, 1 fail

Linux version: 5.4.2-rc1-g3eb35d2ecc30
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra20-ventana,
tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

--
nvpublic

2019-12-04 13:24:29

by Amol Grover

[permalink] [raw]
Subject: Re: [PATCH 5.4 00/46] 5.4.2-stable review

On Tue, Dec 03, 2019 at 11:35:20PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.2 release.
> There are 46 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 05 Dec 2019 21:20:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.2-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
> -------------
> Pseudo-Shortlog of commits:
>
> Greg Kroah-Hartman <[email protected]>
> Linux 5.4.2-rc1
>
> Hans de Goede <[email protected]>
> platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size
>
> Hans de Goede <[email protected]>
> platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
>
> Candle Sun <[email protected]>
> HID: core: check whether Usage Page item is after Usage ID items
>
> Herbert Xu <[email protected]>
> crypto: talitos - Fix build error by selecting LIB_DES
>
> Joel Stanley <[email protected]>
> Revert "jffs2: Fix possible null-pointer dereferences in jffs2_add_frag_to_fragtree()"
>
> Theodore Ts'o <[email protected]>
> ext4: add more paranoia checking in ext4_expand_extra_isize handling
>
> Heiner Kallweit <[email protected]>
> r8169: fix resume on cable plug-in
>
> Heiner Kallweit <[email protected]>
> r8169: fix jumbo configuration for RTL8168evl
>
> Thadeu Lima de Souza Cascardo <[email protected]>
> selftests: pmtu: use -oneline for ip route list cache
>
> John Rutherford <[email protected]>
> tipc: fix link name length check
>
> Jakub Kicinski <[email protected]>
> selftests: bpf: correct perror strings
>
> Jakub Kicinski <[email protected]>
> selftests: bpf: test_sockmap: handle file creation failures gracefully
>
> Jakub Kicinski <[email protected]>
> net/tls: use sg_next() to walk sg entries
>
> Jakub Kicinski <[email protected]>
> net/tls: remove the dead inplace_crypto code
>
> Jakub Kicinski <[email protected]>
> selftests/tls: add a test for fragmented messages
>

Hi,
I'm not sure if this is relevant but I tested out the latest revision
of tools/testing/selftests/net/tls (run as sudo) with 5.3.9, 5.3.13,
and 5.4.1, and all of them resulted in Oops. I'm not sure that it
happens only on my PC but the old version worked fine on all 3 kernels.

More information available in this thread:
https://lore.kernel.org/stable/20191203171817.GA24581@workstation-portable/

Thanks
Amol

> Jakub Kicinski <[email protected]>
> net: skmsg: fix TLS 1.3 crash with full sk_msg
>
> Jakub Kicinski <[email protected]>
> net/tls: free the record on encryption error
>
> Jakub Kicinski <[email protected]>
> net/tls: take into account that bpf_exec_tx_verdict() may free the record
>
> Paolo Abeni <[email protected]>
> openvswitch: remove another BUG_ON()
>
> Paolo Abeni <[email protected]>
> openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
>
> Xin Long <[email protected]>
> sctp: cache netns in sctp_ep_common
>
> Jouni Hogander <[email protected]>
> slip: Fix use-after-free Read in slip_open
>
> Navid Emamdoost <[email protected]>
> sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook
>
> Paolo Abeni <[email protected]>
> openvswitch: fix flow command message size
>
> Dust Li <[email protected]>
> net: sched: fix `tc -s class show` no bstats on class with nolock subqueues
>
> Nikolay Aleksandrov <[email protected]>
> net: psample: fix skb_over_panic
>
> Chuhong Yuan <[email protected]>
> net: macb: add missed tasklet_kill
>
> Oleksij Rempel <[email protected]>
> net: dsa: sja1105: fix sja1105_parse_rgmii_delays()
>
> David Bauer <[email protected]>
> mdio_bus: don't use managed reset-controller
>
> Menglong Dong <[email protected]>
> macvlan: schedule bc_work even if error
>
> Jeroen de Borst <[email protected]>
> gve: Fix the queue page list allocated pages count
>
> Sebastian Andrzej Siewior <[email protected]>
> x86/fpu: Don't cache access to fpu_fpregs_owner_ctx
>
> Mika Westerberg <[email protected]>
> thunderbolt: Power cycle the router if NVM authentication fails
>
> Alexander Usyskin <[email protected]>
> mei: me: add comet point V device id
>
> Alexander Usyskin <[email protected]>
> mei: bus: prefix device names on bus with the bus name
>
> Fabio D'Urso <[email protected]>
> USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P
>
> Hans de Goede <[email protected]>
> staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids
>
> Hans de Goede <[email protected]>
> staging: rtl8723bs: Drop ACPI device ids
>
> Pan Bian <[email protected]>
> staging: rtl8192e: fix potential use after free
>
> Ajay Singh <[email protected]>
> staging: wilc1000: fix illegal memory access in wilc_parse_join_bss_param()
>
> Mathias Kresin <[email protected]>
> usb: dwc2: use a longer core rest timeout in dwc2_core_reset()
>
> Sami Tolvanen <[email protected]>
> driver core: platform: use the correct callback type for bus_find_device
>
> Pascal van Leeuwen <[email protected]>
> crypto: inside-secure - Fix stability issue with Macchiatobin
>
> Jens Axboe <[email protected]>
> net: disallow ancillary data for __sys_{send,recv}msg_file()
>
> Jens Axboe <[email protected]>
> net: separate out the msghdr copy from ___sys_{send,recv}msg()
>
> Jens Axboe <[email protected]>
> io_uring: async workers should inherit the user creds
>
>
> -------------
>
> Diffstat:
>
> Makefile | 4 +-
> arch/x86/include/asm/fpu/internal.h | 2 +-
> drivers/base/platform.c | 7 +-
> drivers/crypto/Kconfig | 1 +
> drivers/crypto/inside-secure/safexcel.c | 4 +-
> drivers/hid/hid-core.c | 51 +++++++-
> drivers/misc/mei/bus.c | 9 +-
> drivers/misc/mei/hw-me-regs.h | 1 +
> drivers/misc/mei/pci-me.c | 1 +
> drivers/net/dsa/sja1105/sja1105_main.c | 10 +-
> drivers/net/ethernet/cadence/macb_main.c | 1 +
> drivers/net/ethernet/google/gve/gve_main.c | 3 +-
> drivers/net/ethernet/realtek/r8169_main.c | 3 +-
> drivers/net/macvlan.c | 3 +-
> drivers/net/phy/mdio_bus.c | 6 +-
> drivers/net/slip/slip.c | 1 +
> drivers/platform/x86/hp-wmi.c | 10 +-
> drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 5 +-
> drivers/staging/rtl8723bs/os_dep/sdio_intf.c | 7 +-
> drivers/staging/wilc1000/wilc_hif.c | 25 ++--
> drivers/thunderbolt/switch.c | 54 ++++++--
> drivers/usb/dwc2/core.c | 2 +-
> drivers/usb/serial/ftdi_sio.c | 3 +
> drivers/usb/serial/ftdi_sio_ids.h | 7 +
> fs/ext4/inode.c | 15 +++
> fs/ext4/super.c | 21 +--
> fs/io_uring.c | 23 +++-
> fs/jffs2/nodelist.c | 2 +-
> include/linux/skmsg.h | 26 ++--
> include/net/sctp/structs.h | 3 +
> include/net/tls.h | 3 +-
> net/core/filter.c | 8 +-
> net/core/skmsg.c | 2 +-
> net/ipv4/tcp_bpf.c | 2 +-
> net/openvswitch/datapath.c | 17 ++-
> net/psample/psample.c | 2 +-
> net/sched/sch_mq.c | 3 +-
> net/sched/sch_mqprio.c | 4 +-
> net/sched/sch_multiq.c | 2 +-
> net/sched/sch_prio.c | 2 +-
> net/sctp/associola.c | 1 +
> net/sctp/endpointola.c | 1 +
> net/sctp/input.c | 4 +-
> net/sctp/sm_statefuns.c | 4 +-
> net/socket.c | 184 +++++++++++++++++++--------
> net/tipc/netlink_compat.c | 4 +-
> net/tls/tls_main.c | 13 +-
> net/tls/tls_sw.c | 32 +++--
> tools/testing/selftests/bpf/test_sockmap.c | 47 ++++---
> tools/testing/selftests/bpf/xdping.c | 2 +-
> tools/testing/selftests/net/pmtu.sh | 5 +-
> tools/testing/selftests/net/tls.c | 60 +++++++++
> 52 files changed, 505 insertions(+), 207 deletions(-)
>
>

2019-12-04 13:58:39

by Naresh Kamboju

[permalink] [raw]
Subject: Re: [PATCH 5.4 00/46] 5.4.2-stable review

On Wed, 4 Dec 2019 at 04:07, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 5.4.2 release.
> There are 46 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 05 Dec 2019 21:20:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.2-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 5.4.2-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-5.4.y
git commit: 3eb35d2ecc30a984db487889b72703a12cb97e88
git describe: v5.4.1-47-g3eb35d2ecc30
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-5.4-oe/build/v5.4.1-47-g3eb35d2ecc30

No regressions (compared to build v5.4.1)

No fixes (compared to build v5.4.1)

Ran 19155 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c
- hi6220-hikey
- i386
- juno-r2
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15
- x86

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* libgpiod
* linux-log-parser
* kselftest
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* network-basic-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* kvm-unit-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none
* ssuite

--
Linaro LKFT
https://lkft.linaro.org

2019-12-04 17:22:34

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 5.4 00/46] 5.4.2-stable review

On Wed, Dec 04, 2019 at 06:53:18PM +0530, Amol Grover wrote:
> On Tue, Dec 03, 2019 at 11:35:20PM +0100, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.4.2 release.
> > There are 46 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu, 05 Dec 2019 21:20:36 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.2-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> >
> > -------------
> > Pseudo-Shortlog of commits:
> >
> > Greg Kroah-Hartman <[email protected]>
> > Linux 5.4.2-rc1
> >
> > Hans de Goede <[email protected]>
> > platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size
> >
> > Hans de Goede <[email protected]>
> > platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
> >
> > Candle Sun <[email protected]>
> > HID: core: check whether Usage Page item is after Usage ID items
> >
> > Herbert Xu <[email protected]>
> > crypto: talitos - Fix build error by selecting LIB_DES
> >
> > Joel Stanley <[email protected]>
> > Revert "jffs2: Fix possible null-pointer dereferences in jffs2_add_frag_to_fragtree()"
> >
> > Theodore Ts'o <[email protected]>
> > ext4: add more paranoia checking in ext4_expand_extra_isize handling
> >
> > Heiner Kallweit <[email protected]>
> > r8169: fix resume on cable plug-in
> >
> > Heiner Kallweit <[email protected]>
> > r8169: fix jumbo configuration for RTL8168evl
> >
> > Thadeu Lima de Souza Cascardo <[email protected]>
> > selftests: pmtu: use -oneline for ip route list cache
> >
> > John Rutherford <[email protected]>
> > tipc: fix link name length check
> >
> > Jakub Kicinski <[email protected]>
> > selftests: bpf: correct perror strings
> >
> > Jakub Kicinski <[email protected]>
> > selftests: bpf: test_sockmap: handle file creation failures gracefully
> >
> > Jakub Kicinski <[email protected]>
> > net/tls: use sg_next() to walk sg entries
> >
> > Jakub Kicinski <[email protected]>
> > net/tls: remove the dead inplace_crypto code
> >
> > Jakub Kicinski <[email protected]>
> > selftests/tls: add a test for fragmented messages
> >
>
> Hi,
> I'm not sure if this is relevant but I tested out the latest revision
> of tools/testing/selftests/net/tls (run as sudo) with 5.3.9, 5.3.13,
> and 5.4.1, and all of them resulted in Oops. I'm not sure that it
> happens only on my PC but the old version worked fine on all 3 kernels.
>
> More information available in this thread:
> https://lore.kernel.org/stable/20191203171817.GA24581@workstation-portable/

Any specific commit cause this issue? Should I drop one/any of these?

thanks,

greg k-h

2019-12-04 17:51:11

by Shuah Khan

[permalink] [raw]
Subject: Re: [PATCH 5.4 00/46] 5.4.2-stable review

On 12/3/19 3:35 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.2 release.
> There are 46 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 05 Dec 2019 21:20:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.2-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

2019-12-04 19:32:39

by Guenter Roeck

[permalink] [raw]
Subject: Re: [PATCH 5.4 00/46] 5.4.2-stable review

On Tue, Dec 03, 2019 at 11:35:20PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.2 release.
> There are 46 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 05 Dec 2019 21:20:36 +0000.
> Anything received after that time might be too late.
>

Build results:
total: 158 pass: 157 fail: 1
Failed builds:
mips:allmodconfig
Qemu test results:
total: 394 pass: 394 fail: 0

No regressions.

Guenter

2019-12-04 20:39:06

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 5.4 00/46] 5.4.2-stable review

On Wed, Dec 04, 2019 at 11:05:43AM -0800, Guenter Roeck wrote:
> On Tue, Dec 03, 2019 at 11:35:20PM +0100, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.4.2 release.
> > There are 46 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu, 05 Dec 2019 21:20:36 +0000.
> > Anything received after that time might be too late.
> >
>
> Build results:
> total: 158 pass: 157 fail: 1
> Failed builds:
> mips:allmodconfig
> Qemu test results:
> total: 394 pass: 394 fail: 0

Thanks for testing all of these and letting me know.

greg k-h

2019-12-04 20:39:18

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 5.4 00/46] 5.4.2-stable review

On Wed, Dec 04, 2019 at 07:26:23PM +0530, Naresh Kamboju wrote:
> On Wed, 4 Dec 2019 at 04:07, Greg Kroah-Hartman
> <[email protected]> wrote:
> >
> > This is the start of the stable review cycle for the 5.4.2 release.
> > There are 46 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu, 05 Dec 2019 21:20:36 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.2-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> Results from Linaro’s test farm.
> No regressions on arm64, arm, x86_64, and i386.

Thanks for testing these and letting me know.

greg k-h

2019-12-04 20:40:20

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 5.4 00/46] 5.4.2-stable review

On Wed, Dec 04, 2019 at 10:50:06AM -0700, shuah wrote:
> On 12/3/19 3:35 PM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.4.2 release.
> > There are 46 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu, 05 Dec 2019 21:20:36 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.2-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> >
>
> Compiled and booted on my test system. No dmesg regressions.

Thanks for testing these and letting me know.

greg k-h

2019-12-05 18:05:28

by Amol Grover

[permalink] [raw]
Subject: Re: [PATCH 5.4 00/46] 5.4.2-stable review

On Wed, Dec 04, 2019 at 06:13:22PM +0100, Greg Kroah-Hartman wrote:
> On Wed, Dec 04, 2019 at 06:53:18PM +0530, Amol Grover wrote:
> > On Tue, Dec 03, 2019 at 11:35:20PM +0100, Greg Kroah-Hartman wrote:
> > > This is the start of the stable review cycle for the 5.4.2 release.
> > > There are 46 patches in this series, all will be posted as a response
> > > to this one. If anyone has any issues with these being applied, please
> > > let me know.
> > >
> > > Responses should be made by Thu, 05 Dec 2019 21:20:36 +0000.
> > > Anything received after that time might be too late.
> > >
> > > The whole patch series can be found in one patch at:
> > > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.2-rc1.gz
> > > or in the git tree and branch at:
> > > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > > and the diffstat can be found below.
> > >
> > > thanks,
> > >
> > > greg k-h
> > >
> > > -------------
> > > Pseudo-Shortlog of commits:
> > >
> > > Greg Kroah-Hartman <[email protected]>
> > > Linux 5.4.2-rc1
> > >
> > > Hans de Goede <[email protected]>
> > > platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size
> > >
> > > Hans de Goede <[email protected]>
> > > platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
> > >
> > > Candle Sun <[email protected]>
> > > HID: core: check whether Usage Page item is after Usage ID items
> > >
> > > Herbert Xu <[email protected]>
> > > crypto: talitos - Fix build error by selecting LIB_DES
> > >
> > > Joel Stanley <[email protected]>
> > > Revert "jffs2: Fix possible null-pointer dereferences in jffs2_add_frag_to_fragtree()"
> > >
> > > Theodore Ts'o <[email protected]>
> > > ext4: add more paranoia checking in ext4_expand_extra_isize handling
> > >
> > > Heiner Kallweit <[email protected]>
> > > r8169: fix resume on cable plug-in
> > >
> > > Heiner Kallweit <[email protected]>
> > > r8169: fix jumbo configuration for RTL8168evl
> > >
> > > Thadeu Lima de Souza Cascardo <[email protected]>
> > > selftests: pmtu: use -oneline for ip route list cache
> > >
> > > John Rutherford <[email protected]>
> > > tipc: fix link name length check
> > >
> > > Jakub Kicinski <[email protected]>
> > > selftests: bpf: correct perror strings
> > >
> > > Jakub Kicinski <[email protected]>
> > > selftests: bpf: test_sockmap: handle file creation failures gracefully
> > >
> > > Jakub Kicinski <[email protected]>
> > > net/tls: use sg_next() to walk sg entries
> > >
> > > Jakub Kicinski <[email protected]>
> > > net/tls: remove the dead inplace_crypto code
> > >
> > > Jakub Kicinski <[email protected]>
> > > selftests/tls: add a test for fragmented messages
> > >
> >
> > Hi,
> > I'm not sure if this is relevant but I tested out the latest revision
> > of tools/testing/selftests/net/tls (run as sudo) with 5.3.9, 5.3.13,
> > and 5.4.1, and all of them resulted in Oops. I'm not sure that it
> > happens only on my PC but the old version worked fine on all 3 kernels.
> >
> > More information available in this thread:
> > https://lore.kernel.org/stable/20191203171817.GA24581@workstation-portable/
>
> Any specific commit cause this issue? Should I drop one/any of these?
>

The specific commit I'm talking about is the 32nd patch in this series
[PATCH 5.4 32/46] selftests/tls: add a test for fragmented messages
[ Upstream commit 65190f77424d7b82c4aad7326c9cce6bd91a2fcc ]

But it looks like everything is working fine for everyone, so maybe,
it could be a problem specific to my distro/hardware/settings.

Thanks
Amol

> thanks,
>
> greg k-h

2019-12-06 13:06:41

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 5.4 00/46] 5.4.2-stable review

On Thu, Dec 05, 2019 at 10:13:12PM +0530, Amol Grover wrote:
> On Wed, Dec 04, 2019 at 06:13:22PM +0100, Greg Kroah-Hartman wrote:
> > On Wed, Dec 04, 2019 at 06:53:18PM +0530, Amol Grover wrote:
> > > On Tue, Dec 03, 2019 at 11:35:20PM +0100, Greg Kroah-Hartman wrote:
> > > > This is the start of the stable review cycle for the 5.4.2 release.
> > > > There are 46 patches in this series, all will be posted as a response
> > > > to this one. If anyone has any issues with these being applied, please
> > > > let me know.
> > > >
> > > > Responses should be made by Thu, 05 Dec 2019 21:20:36 +0000.
> > > > Anything received after that time might be too late.
> > > >
> > > > The whole patch series can be found in one patch at:
> > > > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.2-rc1.gz
> > > > or in the git tree and branch at:
> > > > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > > > and the diffstat can be found below.
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > > >
> > > > -------------
> > > > Pseudo-Shortlog of commits:
> > > >
> > > > Greg Kroah-Hartman <[email protected]>
> > > > Linux 5.4.2-rc1
> > > >
> > > > Hans de Goede <[email protected]>
> > > > platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size
> > > >
> > > > Hans de Goede <[email protected]>
> > > > platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
> > > >
> > > > Candle Sun <[email protected]>
> > > > HID: core: check whether Usage Page item is after Usage ID items
> > > >
> > > > Herbert Xu <[email protected]>
> > > > crypto: talitos - Fix build error by selecting LIB_DES
> > > >
> > > > Joel Stanley <[email protected]>
> > > > Revert "jffs2: Fix possible null-pointer dereferences in jffs2_add_frag_to_fragtree()"
> > > >
> > > > Theodore Ts'o <[email protected]>
> > > > ext4: add more paranoia checking in ext4_expand_extra_isize handling
> > > >
> > > > Heiner Kallweit <[email protected]>
> > > > r8169: fix resume on cable plug-in
> > > >
> > > > Heiner Kallweit <[email protected]>
> > > > r8169: fix jumbo configuration for RTL8168evl
> > > >
> > > > Thadeu Lima de Souza Cascardo <[email protected]>
> > > > selftests: pmtu: use -oneline for ip route list cache
> > > >
> > > > John Rutherford <[email protected]>
> > > > tipc: fix link name length check
> > > >
> > > > Jakub Kicinski <[email protected]>
> > > > selftests: bpf: correct perror strings
> > > >
> > > > Jakub Kicinski <[email protected]>
> > > > selftests: bpf: test_sockmap: handle file creation failures gracefully
> > > >
> > > > Jakub Kicinski <[email protected]>
> > > > net/tls: use sg_next() to walk sg entries
> > > >
> > > > Jakub Kicinski <[email protected]>
> > > > net/tls: remove the dead inplace_crypto code
> > > >
> > > > Jakub Kicinski <[email protected]>
> > > > selftests/tls: add a test for fragmented messages
> > > >
> > >
> > > Hi,
> > > I'm not sure if this is relevant but I tested out the latest revision
> > > of tools/testing/selftests/net/tls (run as sudo) with 5.3.9, 5.3.13,
> > > and 5.4.1, and all of them resulted in Oops. I'm not sure that it
> > > happens only on my PC but the old version worked fine on all 3 kernels.
> > >
> > > More information available in this thread:
> > > https://lore.kernel.org/stable/20191203171817.GA24581@workstation-portable/
> >
> > Any specific commit cause this issue? Should I drop one/any of these?
> >
>
> The specific commit I'm talking about is the 32nd patch in this series
> [PATCH 5.4 32/46] selftests/tls: add a test for fragmented messages
> [ Upstream commit 65190f77424d7b82c4aad7326c9cce6bd91a2fcc ]
>
> But it looks like everything is working fine for everyone, so maybe,
> it could be a problem specific to my distro/hardware/settings.

Does running Linus's tree right now with this commit in it also cause
problems for you?

thanks,

greg k-h