This is the start of the stable review cycle for the 4.19.239 release.
There are 32 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 20 Apr 2022 12:11:14 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.239-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 4.19.239-rc1
Martin Povišer <[email protected]>
i2c: pasemi: Wait for write xfers to finish
Nadav Amit <[email protected]>
smp: Fix offline cpu check in flush_smp_call_function_queue()
Nathan Chancellor <[email protected]>
ARM: davinci: da850-evm: Avoid NULL pointer dereference
Nicolas Dichtel <[email protected]>
ipv6: fix panic when forwarding a pkt with no in6 dev
Fabio M. De Francesco <[email protected]>
ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
Tim Crawford <[email protected]>
ALSA: hda/realtek: Add quirk for Clevo PD50PNT
Jason A. Donenfeld <[email protected]>
gcc-plugins: latent_entropy: use /dev/urandom
Oliver Upton <[email protected]>
KVM: Don't create VM debugfs files outside of the VM directory
Patrick Wang <[email protected]>
mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
Juergen Gross <[email protected]>
mm, page_alloc: fix build_zonerefs_node()
Duoming Zhou <[email protected]>
drivers: net: slip: fix NPD bug in sl_tx_timeout()
Alexey Galakhov <[email protected]>
scsi: mvsas: Add PCI ID of RocketRaid 2640
Roman Li <[email protected]>
drm/amd/display: Fix allocate_mst_payload assert on resume
Joey Gouly <[email protected]>
arm64: alternatives: mark patch_alternative() as `noinstr`
Leo Ruan <[email protected]>
gpu: ipu-v3: Fix dev_dbg frequency output
Christian Lamparter <[email protected]>
ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
Randy Dunlap <[email protected]>
net: micrel: fix KS8851_MLL Kconfig
Tyrel Datwyler <[email protected]>
scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
Xiaoguang Wang <[email protected]>
scsi: target: tcmu: Fix possible page UAF
Michael Kelley <[email protected]>
Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
QintaoShen <[email protected]>
drm/amdkfd: Check for potential null return of kmalloc_array()
Aurabindo Pillai <[email protected]>
drm/amd: Add USBC connector ID
Harshit Mogalapalli <[email protected]>
cifs: potential buffer overflow in handling symlinks
Lin Ma <[email protected]>
nfc: nci: add flush_workqueue to prevent uaf
Athira Rajeev <[email protected]>
testing/selftests/mqueue: Fix mq_perf_tests to free the allocated cpu set
Petr Malat <[email protected]>
sctp: Initialize daddr on peeled off socket
Dinh Nguyen <[email protected]>
net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link
Vadim Pasternak <[email protected]>
mlxsw: i2c: Fix initialization error flow
Linus Torvalds <[email protected]>
gpiolib: acpi: use correct format characters
Guillaume Nault <[email protected]>
veth: Ensure eth header is in skb's linear part
Vlad Buslov <[email protected]>
net/sched: flower: fix parsing of ethertype following VLAN header
Miaoqian Lin <[email protected]>
memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
-------------
Diffstat:
Makefile | 4 +-
arch/arm/mach-davinci/board-da850-evm.c | 4 +-
arch/arm64/kernel/alternative.c | 6 +--
drivers/ata/libata-core.c | 3 ++
drivers/gpio/gpiolib-acpi.c | 4 +-
drivers/gpu/drm/amd/amdgpu/ObjectID.h | 1 +
drivers/gpu/drm/amd/amdkfd/kfd_events.c | 2 +
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +-
drivers/gpu/ipu-v3/ipu-di.c | 5 ++-
drivers/hv/ring_buffer.c | 11 +++++-
drivers/i2c/busses/i2c-pasemi.c | 6 +++
drivers/memory/atmel-ebi.c | 23 ++++++++---
drivers/net/ethernet/mellanox/mlxsw/i2c.c | 1 +
drivers/net/ethernet/micrel/Kconfig | 1 +
drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c | 8 ----
drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.h | 4 ++
.../net/ethernet/stmicro/stmmac/dwmac-socfpga.c | 13 +++----
drivers/net/slip/slip.c | 2 +-
drivers/net/veth.c | 2 +-
drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 2 +-
drivers/scsi/mvsas/mv_init.c | 1 +
drivers/target/target_core_user.c | 3 +-
fs/cifs/link.c | 3 ++
include/net/flow_dissector.h | 2 +
kernel/smp.c | 2 +-
mm/kmemleak.c | 8 ++--
mm/page_alloc.c | 2 +-
net/core/flow_dissector.c | 1 +
net/ipv6/ip6_output.c | 2 +-
net/nfc/nci/core.c | 4 ++
net/sched/cls_flower.c | 18 ++++++---
net/sctp/socket.c | 2 +-
scripts/gcc-plugins/latent_entropy_plugin.c | 44 +++++++++++++---------
sound/core/pcm_misc.c | 2 +-
sound/pci/hda/patch_realtek.c | 1 +
tools/testing/selftests/mqueue/mq_perf_tests.c | 25 ++++++++----
virt/kvm/kvm_main.c | 8 +++-
37 files changed, 155 insertions(+), 78 deletions(-)
From: Joey Gouly <[email protected]>
[ Upstream commit a2c0b0fbe01419f8f5d1c0b9c581631f34ffce8b ]
The alternatives code must be `noinstr` such that it does not patch itself,
as the cache invalidation is only performed after all the alternatives have
been applied.
Mark patch_alternative() as `noinstr`. Mark branch_insn_requires_update()
and get_alt_insn() with `__always_inline` since they are both only called
through patch_alternative().
Booting a kernel in QEMU TCG with KCSAN=y and ARM64_USE_LSE_ATOMICS=y caused
a boot hang:
[ 0.241121] CPU: All CPU(s) started at EL2
The alternatives code was patching the atomics in __tsan_read4() from LL/SC
atomics to LSE atomics.
The following fragment is using LL/SC atomics in the .text section:
| <__tsan_unaligned_read4+304>: ldxr x6, [x2]
| <__tsan_unaligned_read4+308>: add x6, x6, x5
| <__tsan_unaligned_read4+312>: stxr w7, x6, [x2]
| <__tsan_unaligned_read4+316>: cbnz w7, <__tsan_unaligned_read4+304>
This LL/SC atomic sequence was to be replaced with LSE atomics. However since
the alternatives code was instrumentable, __tsan_read4() was being called after
only the first instruction was replaced, which led to the following code in memory:
| <__tsan_unaligned_read4+304>: ldadd x5, x6, [x2]
| <__tsan_unaligned_read4+308>: add x6, x6, x5
| <__tsan_unaligned_read4+312>: stxr w7, x6, [x2]
| <__tsan_unaligned_read4+316>: cbnz w7, <__tsan_unaligned_read4+304>
This caused an infinite loop as the `stxr` instruction never completed successfully,
so `w7` was always 0.
Signed-off-by: Joey Gouly <[email protected]>
Cc: Mark Rutland <[email protected]>
Cc: Catalin Marinas <[email protected]>
Cc: Will Deacon <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Will Deacon <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/arm64/kernel/alternative.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/kernel/alternative.c b/arch/arm64/kernel/alternative.c
index 0d345622bbba..3747c8d87bdb 100644
--- a/arch/arm64/kernel/alternative.c
+++ b/arch/arm64/kernel/alternative.c
@@ -42,7 +42,7 @@ struct alt_region {
/*
* Check if the target PC is within an alternative block.
*/
-static bool branch_insn_requires_update(struct alt_instr *alt, unsigned long pc)
+static __always_inline bool branch_insn_requires_update(struct alt_instr *alt, unsigned long pc)
{
unsigned long replptr = (unsigned long)ALT_REPL_PTR(alt);
return !(pc >= replptr && pc <= (replptr + alt->alt_len));
@@ -50,7 +50,7 @@ static bool branch_insn_requires_update(struct alt_instr *alt, unsigned long pc)
#define align_down(x, a) ((unsigned long)(x) & ~(((unsigned long)(a)) - 1))
-static u32 get_alt_insn(struct alt_instr *alt, __le32 *insnptr, __le32 *altinsnptr)
+static __always_inline u32 get_alt_insn(struct alt_instr *alt, __le32 *insnptr, __le32 *altinsnptr)
{
u32 insn;
@@ -95,7 +95,7 @@ static u32 get_alt_insn(struct alt_instr *alt, __le32 *insnptr, __le32 *altinsnp
return insn;
}
-static void patch_alternative(struct alt_instr *alt,
+static noinstr void patch_alternative(struct alt_instr *alt,
__le32 *origptr, __le32 *updptr, int nr_inst)
{
__le32 *replptr;
--
2.35.1
From: Aurabindo Pillai <[email protected]>
[ Upstream commit c5c948aa894a831f96fccd025e47186b1ee41615 ]
[Why&How] Add a dedicated AMDGPU specific ID for use with
newer ASICs that support USB-C output
Signed-off-by: Aurabindo Pillai <[email protected]>
Reviewed-by: Alex Deucher <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/amd/amdgpu/ObjectID.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/ObjectID.h b/drivers/gpu/drm/amd/amdgpu/ObjectID.h
index 5b393622f592..a0f0a17e224f 100644
--- a/drivers/gpu/drm/amd/amdgpu/ObjectID.h
+++ b/drivers/gpu/drm/amd/amdgpu/ObjectID.h
@@ -119,6 +119,7 @@
#define CONNECTOR_OBJECT_ID_eDP 0x14
#define CONNECTOR_OBJECT_ID_MXM 0x15
#define CONNECTOR_OBJECT_ID_LVDS_eDP 0x16
+#define CONNECTOR_OBJECT_ID_USBC 0x17
/* deleted */
--
2.35.1
From: Miaoqian Lin <[email protected]>
[ Upstream commit 6f296a9665ba5ac68937bf11f96214eb9de81baa ]
The device_node pointer is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.
Fixes: 87108dc78eb8 ("memory: atmel-ebi: Enable the SMC clock if specified")
Signed-off-by: Miaoqian Lin <[email protected]>
Reviewed-by: Claudiu Beznea <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Krzysztof Kozlowski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/memory/atmel-ebi.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/drivers/memory/atmel-ebi.c b/drivers/memory/atmel-ebi.c
index 2b9283d4fcb1..8e7b5a1d2983 100644
--- a/drivers/memory/atmel-ebi.c
+++ b/drivers/memory/atmel-ebi.c
@@ -524,20 +524,27 @@ static int atmel_ebi_probe(struct platform_device *pdev)
smc_np = of_parse_phandle(dev->of_node, "atmel,smc", 0);
ebi->smc.regmap = syscon_node_to_regmap(smc_np);
- if (IS_ERR(ebi->smc.regmap))
- return PTR_ERR(ebi->smc.regmap);
+ if (IS_ERR(ebi->smc.regmap)) {
+ ret = PTR_ERR(ebi->smc.regmap);
+ goto put_node;
+ }
ebi->smc.layout = atmel_hsmc_get_reg_layout(smc_np);
- if (IS_ERR(ebi->smc.layout))
- return PTR_ERR(ebi->smc.layout);
+ if (IS_ERR(ebi->smc.layout)) {
+ ret = PTR_ERR(ebi->smc.layout);
+ goto put_node;
+ }
ebi->smc.clk = of_clk_get(smc_np, 0);
if (IS_ERR(ebi->smc.clk)) {
- if (PTR_ERR(ebi->smc.clk) != -ENOENT)
- return PTR_ERR(ebi->smc.clk);
+ if (PTR_ERR(ebi->smc.clk) != -ENOENT) {
+ ret = PTR_ERR(ebi->smc.clk);
+ goto put_node;
+ }
ebi->smc.clk = NULL;
}
+ of_node_put(smc_np);
ret = clk_prepare_enable(ebi->smc.clk);
if (ret)
return ret;
@@ -587,6 +594,10 @@ static int atmel_ebi_probe(struct platform_device *pdev)
}
return of_platform_populate(np, NULL, NULL, dev);
+
+put_node:
+ of_node_put(smc_np);
+ return ret;
}
static __maybe_unused int atmel_ebi_resume(struct device *dev)
--
2.35.1
On 4/18/22 6:13 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.239 release.
> There are 32 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 20 Apr 2022 12:11:14 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.239-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <[email protected]>
thanks,
-- Shuah
Hi!
> This is the start of the stable review cycle for the 4.19.239 release.
> There are 32 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 20 Apr 2022 12:11:14 +0000.
> Anything received after that time might be too late.
We have some problems with testing, but it seems there are real
failures there, too.
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/pipelines/518905412
We seem to have ethernet failure on siemends-de0-nano:
https://lava.ciplatform.org/scheduler/job/664854
[ 0.000000] Linux version 4.19.239-rc1-g6124afa49867 (root@runner-vacchx9n-project-14394223-concurrent-1f2btv) (gcc version 8.3.0 (Debian 8.3.0-2)) #1 SMP Mon Apr 18 14:05:18 UTC 2022
[ 0.000000] CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=10c5387d
...
[ 1.210887] mmc0: new high speed SDHC card at address 59b4
[ 1.217318] mmcblk0: mmc0:59b4 SD 3.75 GiB
[ 1.223255] mmcblk0: p1 p2
[ 1.279623] Micrel KSZ9031 Gigabit PHY stmmac-0:01: attached PHY driver [Micrel KSZ9031 Gigabit PHY] (mii_bus:phy_addr=stmmac-0:01, irq=POLL)
[ 1.303607] socfpga-dwmac ff702000.ethernet eth0: No Safety Features support found
[ 1.311339] socfpga-dwmac ff702000.ethernet eth0: registered PTP clock
[ 1.318187] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 4.484377] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 4.492433] pgd = (ptrval)
[ 4.495145] [00000000] *pgd=00000000
[ 4.498714] Internal error: Oops: 805 [#1] SMP ARM
[ 4.503483] Modules linked in:
[ 4.506531] CPU: 1 PID: 266 Comm: kworker/1:1 Not tainted 4.19.239-rc1-g6124afa49867 #1
[ 4.514496] Hardware name: Altera SOCFPGA
[ 4.518500] Workqueue: events_power_efficient phy_state_machine
[ 4.524400] PC is at socfpga_dwmac_fix_mac_speed+0x3c/0xbc
[ 4.529864] LR is at arm_heavy_mb+0x2c/0x48
[ 4.534028] pc : [<c05d992c>] lr : [<c01182e8>] psr: 60000013
[ 4.540265] sp : ee9c5e58 ip : ee9c5e48 fp : ee9c5e7c
[ 4.545465] r10: 00000001 r9 : ef243800 r8 : 00000000
[ 4.550665] r7 : 00000000 r6 : 000003e8 r5 : eebec000 r4 : eeb0f880
[ 4.557163] r3 : 00000001 r2 : 00000730 r1 : 00000000 r0 : eeb0f880
[ 4.563660] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 4.570762] Control: 10c5387d Table: 0000404a DAC: 00000051
[ 4.576482] Process kworker/1:1 (pid: 266, stack limit = 0x(ptrval))
[ 4.582807] Stack: (0xee9c5e58 to 0xee9c6000)
[ 4.587146] 5e40: ef243800 eebec000
[ 4.595288] 5e60: eebed000 eebec538 00610c8c eebec500 ee9c5eb4 ee9c5e80 c05ccf84 c05d98fc
[ 4.603430] 5e80: c0705800 c018fabc eebec000 ef243800 eebec000 ef243a90 00000000 00000000
[ 4.611572] 5ea0: c0c77830 00000000 ee9c5ecc ee9c5eb8 c05bae3c c05ccdf0 ef243a64 ef243800
[ 4.619715] 5ec0: ee9c5ef4 ee9c5ed0 c05b911c c05bae08 ef243a64 ef182200 ef7e1fc0 ef7e5500
[ 4.627857] 5ee0: 00000000 c0c77830 ee9c5f34 ee9c5ef8 c013e18c c05b8de0 ef7e1fc0 ef7e1fc0
[ 4.635998] 5f00: 00000008 ef7e1fd8 c0c02d00 ef182200 ef182214 ef7e1fc0 00000008 ef7e1fd8
[ 4.644141] 5f20: c0c02d00 ef7e1fc0 ee9c5f74 ee9c5f38 c013f178 c013df74 c013f118 c09e2128
[ 4.652283] 5f40: c0c77250 ffffe000 ee9c5f74 ef188400 ef1885c0 00000000 ee9c4000 ef182200
[ 4.660425] 5f60: c013f118 ef14be74 ee9c5fac ee9c5f78 c0144ac8 c013f124 ef18841c ef18841c
[ 4.668567] 5f80: ee9c5fac ef1885c0 c014495c 00000000 00000000 00000000 00000000 00000000
[ 4.676709] 5fa0: 00000000 ee9c5fb0 c01010e8 c0144968 00000000 00000000 00000000 00000000
[ 4.684850] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 4.692991] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[ 4.701128] Backtrace:
[ 4.703578] [<c05d98f0>] (socfpga_dwmac_fix_mac_speed) from [<c05ccf84>] (stmmac_adjust_link+0x1a0/0x21c)
[ 4.713104] r9:eebec500 r8:00610c8c r7:eebec538 r6:eebed000 r5:eebec000 r4:ef243800
[ 4.720818] [<c05ccde4>] (stmmac_adjust_link) from [<c05bae3c>] (phy_link_change+0x40/0x4c)
[ 4.729133] r10:00000000 r9:c0c77830 r8:00000000 r7:00000000 r6:ef243a90 r5:eebec000
[ 4.736925] r4:ef243800
[ 4.739452] [<c05badfc>] (phy_link_change) from [<c05b911c>] (phy_state_machine+0x348/0x580)
[ 4.747850] r5:ef243800 r4:ef243a64
[ 4.751418] [<c05b8dd4>] (phy_state_machine) from [<c013e18c>] (process_one_work+0x224/0x518)
[ 4.759905] r9:c0c77830 r8:00000000 r7:ef7e5500 r6:ef7e1fc0 r5:ef182200 r4:ef243a64
[ 4.767619] [<c013df68>] (process_one_work) from [<c013f178>] (worker_thread+0x60/0x5ac)
[ 4.775674] r10:ef7e1fc0 r9:c0c02d00 r8:ef7e1fd8 r7:00000008 r6:ef7e1fc0 r5:ef182214
[ 4.783466] r4:ef182200
[ 4.785994] [<c013f118>] (worker_thread) from [<c0144ac8>] (kthread+0x16c/0x174)
[ 4.793358] r10:ef14be74 r9:c013f118 r8:ef182200 r7:ee9c4000 r6:00000000 r5:ef1885c0
[ 4.801149] r4:ef188400
[ 4.803675] [<c014495c>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
[ 4.810863] Exception stack(0xee9c5fb0 to 0xee9c5ff8)
[ 4.815892] 5fa0: 00000000 00000000 00000000 00000000
[ 4.824033] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 4.832172] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 4.838759] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:c014495c
[ 4.846550] r4:ef1885c0
[ 4.849075] Code: e59394b8 f57ff04e ebecfa64 e3a03001 (e1c830b0)
[ 4.855171] ---[ end trace d50de8fdda236faf ]---
[ 4.859852] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Matched prompt #3: Stack:\s+(.*\s+-+\[ end trace (\w*) \]-+)
login-action: trace
[login-action] Waiting for messages, (timeout 00:09:06)
[ 4.883589] Sending DHCP requests ...... timed out!
[ 205.043594] random: fast init done
[ 418.243624] random: crng init done
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Hi Greg,
On Mon, Apr 18, 2022 at 02:13:40PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.239 release.
> There are 32 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 20 Apr 2022 12:11:14 +0000.
> Anything received after that time might be too late.
Build test:
mips (gcc version 11.2.1 20220314): 63 configs -> no failure
arm (gcc version 11.2.1 20220314): 116 configs -> no new failure
arm64 (gcc version 11.2.1 20220314): 2 configs -> no failure
x86_64 (gcc version 11.2.1 20220314): 4 configs -> no failure
Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression. [1]
[1]. https://openqa.qa.codethink.co.uk/tests/1035
Tested-by: Sudip Mukherjee <[email protected]>
--
Regards
Sudip
From: Tim Crawford <[email protected]>
commit 9eb6f5c388060d8cef3c8b616cc31b765e022359 upstream.
Fixes speaker output and headset detection on Clevo PD50PNT.
Signed-off-by: Tim Crawford <[email protected]>
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -2552,6 +2552,7 @@ static const struct snd_pci_quirk alc882
SND_PCI_QUIRK(0x1558, 0x65e1, "Clevo PB51[ED][DF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
SND_PCI_QUIRK(0x1558, 0x65e5, "Clevo PC50D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
SND_PCI_QUIRK(0x1558, 0x65f1, "Clevo PC50HS", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+ SND_PCI_QUIRK(0x1558, 0x65f5, "Clevo PD50PN[NRT]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
SND_PCI_QUIRK(0x1558, 0x67d1, "Clevo PB71[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
SND_PCI_QUIRK(0x1558, 0x67e1, "Clevo PB71[DE][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
SND_PCI_QUIRK(0x1558, 0x67e5, "Clevo PC70D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
From: Martin Povišer <[email protected]>
commit bd8963e602c77adc76dbbbfc3417c3cf14fed76b upstream.
Wait for completion of write transfers before returning from the driver.
At first sight it may seem advantageous to leave write transfers queued
for the controller to carry out on its own time, but there's a couple of
issues with it:
* Driver doesn't check for FIFO space.
* The queued writes can complete while the driver is in its I2C read
transfer path which means it will get confused by the raising of
XEN (the 'transaction ended' signal). This can cause a spurious
ENODATA error due to premature reading of the MRXFIFO register.
Adding the wait fixes some unreliability issues with the driver. There's
some efficiency cost to it (especially with pasemi_smb_waitready doing
its polling), but that will be alleviated once the driver receives
interrupt support.
Fixes: beb58aa39e6e ("i2c: PA Semi SMBus driver")
Signed-off-by: Martin Povišer <[email protected]>
Reviewed-by: Sven Peter <[email protected]>
Signed-off-by: Wolfram Sang <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/i2c/busses/i2c-pasemi.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/i2c/busses/i2c-pasemi.c
+++ b/drivers/i2c/busses/i2c-pasemi.c
@@ -145,6 +145,12 @@ static int pasemi_i2c_xfer_msg(struct i2
TXFIFO_WR(smbus, msg->buf[msg->len-1] |
(stop ? MTXFIFO_STOP : 0));
+
+ if (stop) {
+ err = pasemi_smb_waitready(smbus);
+ if (err)
+ goto reset_out;
+ }
}
return 0;
From: Nicolas Dichtel <[email protected]>
commit e3fa461d8b0e185b7da8a101fe94dfe6dd500ac0 upstream.
kongweibin reported a kernel panic in ip6_forward() when input interface
has no in6 dev associated.
The following tc commands were used to reproduce this panic:
tc qdisc del dev vxlan100 root
tc qdisc add dev vxlan100 root netem corrupt 5%
CC: [email protected]
Fixes: ccd27f05ae7b ("ipv6: fix 'disable_policy' for fwd packets")
Reported-by: kongweibin <[email protected]>
Signed-off-by: Nicolas Dichtel <[email protected]>
Reviewed-by: David Ahern <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ipv6/ip6_output.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -460,7 +460,7 @@ int ip6_forward(struct sk_buff *skb)
goto drop;
if (!net->ipv6.devconf_all->disable_policy &&
- !idev->cnf.disable_policy &&
+ (!idev || !idev->cnf.disable_policy) &&
!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
__IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
goto drop;
From: Petr Malat <[email protected]>
[ Upstream commit 8467dda0c26583547731e7f3ea73fc3856bae3bf ]
Function sctp_do_peeloff() wrongly initializes daddr of the original
socket instead of the peeled off socket, which makes getpeername()
return zeroes instead of the primary address. Initialize the new socket
instead.
Fixes: d570ee490fb1 ("[SCTP]: Correctly set daddr for IPv6 sockets during peeloff")
Signed-off-by: Petr Malat <[email protected]>
Acked-by: Marcelo Ricardo Leitner <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/sctp/socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index d429d5922804..8901bb7afa2b 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -5333,7 +5333,7 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
* Set the daddr and initialize id to something more random and also
* copy over any ip options.
*/
- sp->pf->to_sk_daddr(&asoc->peer.primary_addr, sk);
+ sp->pf->to_sk_daddr(&asoc->peer.primary_addr, sock->sk);
sp->pf->copy_ip_options(sk, sock->sk);
/* Populate the fields of the newsk from the oldsk and migrate the
--
2.35.1
From: Xiaoguang Wang <[email protected]>
[ Upstream commit a6968f7a367f128d120447360734344d5a3d5336 ]
tcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not
take refcount properly and just returns page pointer. When
tcmu_try_get_data_page() returns, the returned page may have been freed by
tcmu_blocks_release().
We need to get_page() under cmdr_lock to avoid concurrent
tcmu_blocks_release().
Link: https://lore.kernel.org/r/[email protected]
Reviewed-by: Bodo Stroesser <[email protected]>
Signed-off-by: Xiaoguang Wang <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/target/target_core_user.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index dd7307375504..f29d600357f3 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -1499,6 +1499,7 @@ static struct page *tcmu_try_get_block_page(struct tcmu_dev *udev, uint32_t dbi)
mutex_lock(&udev->cmdr_lock);
page = tcmu_get_block_page(udev, dbi);
if (likely(page)) {
+ get_page(page);
mutex_unlock(&udev->cmdr_lock);
return page;
}
@@ -1537,6 +1538,7 @@ static vm_fault_t tcmu_vma_fault(struct vm_fault *vmf)
/* For the vmalloc()ed cmd area pages */
addr = (void *)(unsigned long)info->mem[mi].addr + offset;
page = vmalloc_to_page(addr);
+ get_page(page);
} else {
uint32_t dbi;
@@ -1547,7 +1549,6 @@ static vm_fault_t tcmu_vma_fault(struct vm_fault *vmf)
return VM_FAULT_SIGBUS;
}
- get_page(page);
vmf->page = page;
return 0;
}
--
2.35.1
From: Lin Ma <[email protected]>
[ Upstream commit ef27324e2cb7bb24542d6cb2571740eefe6b00dc ]
Our detector found a concurrent use-after-free bug when detaching an
NCI device. The main reason for this bug is the unexpected scheduling
between the used delayed mechanism (timer and workqueue).
The race can be demonstrated below:
Thread-1 Thread-2
| nci_dev_up()
| nci_open_device()
| __nci_request(nci_reset_req)
| nci_send_cmd
| queue_work(cmd_work)
nci_unregister_device() |
nci_close_device() | ...
del_timer_sync(cmd_timer)[1] |
... | Worker
nci_free_device() | nci_cmd_work()
kfree(ndev)[3] | mod_timer(cmd_timer)[2]
In short, the cleanup routine thought that the cmd_timer has already
been detached by [1] but the mod_timer can re-attach the timer [2], even
it is already released [3], resulting in UAF.
This UAF is easy to trigger, crash trace by POC is like below
[ 66.703713] ==================================================================
[ 66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490
[ 66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33
[ 66.703974]
[ 66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5
[ 66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work
[ 66.703974] Call Trace:
[ 66.703974] <TASK>
[ 66.703974] dump_stack_lvl+0x57/0x7d
[ 66.703974] print_report.cold+0x5e/0x5db
[ 66.703974] ? enqueue_timer+0x448/0x490
[ 66.703974] kasan_report+0xbe/0x1c0
[ 66.703974] ? enqueue_timer+0x448/0x490
[ 66.703974] enqueue_timer+0x448/0x490
[ 66.703974] __mod_timer+0x5e6/0xb80
[ 66.703974] ? mark_held_locks+0x9e/0xe0
[ 66.703974] ? try_to_del_timer_sync+0xf0/0xf0
[ 66.703974] ? lockdep_hardirqs_on_prepare+0x17b/0x410
[ 66.703974] ? queue_work_on+0x61/0x80
[ 66.703974] ? lockdep_hardirqs_on+0xbf/0x130
[ 66.703974] process_one_work+0x8bb/0x1510
[ 66.703974] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 66.703974] ? pwq_dec_nr_in_flight+0x230/0x230
[ 66.703974] ? rwlock_bug.part.0+0x90/0x90
[ 66.703974] ? _raw_spin_lock_irq+0x41/0x50
[ 66.703974] worker_thread+0x575/0x1190
[ 66.703974] ? process_one_work+0x1510/0x1510
[ 66.703974] kthread+0x2a0/0x340
[ 66.703974] ? kthread_complete_and_exit+0x20/0x20
[ 66.703974] ret_from_fork+0x22/0x30
[ 66.703974] </TASK>
[ 66.703974]
[ 66.703974] Allocated by task 267:
[ 66.703974] kasan_save_stack+0x1e/0x40
[ 66.703974] __kasan_kmalloc+0x81/0xa0
[ 66.703974] nci_allocate_device+0xd3/0x390
[ 66.703974] nfcmrvl_nci_register_dev+0x183/0x2c0
[ 66.703974] nfcmrvl_nci_uart_open+0xf2/0x1dd
[ 66.703974] nci_uart_tty_ioctl+0x2c3/0x4a0
[ 66.703974] tty_ioctl+0x764/0x1310
[ 66.703974] __x64_sys_ioctl+0x122/0x190
[ 66.703974] do_syscall_64+0x3b/0x90
[ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 66.703974]
[ 66.703974] Freed by task 406:
[ 66.703974] kasan_save_stack+0x1e/0x40
[ 66.703974] kasan_set_track+0x21/0x30
[ 66.703974] kasan_set_free_info+0x20/0x30
[ 66.703974] __kasan_slab_free+0x108/0x170
[ 66.703974] kfree+0xb0/0x330
[ 66.703974] nfcmrvl_nci_unregister_dev+0x90/0xd0
[ 66.703974] nci_uart_tty_close+0xdf/0x180
[ 66.703974] tty_ldisc_kill+0x73/0x110
[ 66.703974] tty_ldisc_hangup+0x281/0x5b0
[ 66.703974] __tty_hangup.part.0+0x431/0x890
[ 66.703974] tty_release+0x3a8/0xc80
[ 66.703974] __fput+0x1f0/0x8c0
[ 66.703974] task_work_run+0xc9/0x170
[ 66.703974] exit_to_user_mode_prepare+0x194/0x1a0
[ 66.703974] syscall_exit_to_user_mode+0x19/0x50
[ 66.703974] do_syscall_64+0x48/0x90
[ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0xae
To fix the UAF, this patch adds flush_workqueue() to ensure the
nci_cmd_work is finished before the following del_timer_sync.
This combination will promise the timer is actually detached.
Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
Signed-off-by: Lin Ma <[email protected]>
Reviewed-by: Krzysztof Kozlowski <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/nfc/nci/core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 0e0dff72a9e4..0580e5326641 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -560,6 +560,10 @@ static int nci_close_device(struct nci_dev *ndev)
mutex_lock(&ndev->req_lock);
if (!test_and_clear_bit(NCI_UP, &ndev->flags)) {
+ /* Need to flush the cmd wq in case
+ * there is a queued/running cmd_work
+ */
+ flush_workqueue(ndev->cmd_wq);
del_timer_sync(&ndev->cmd_timer);
del_timer_sync(&ndev->data_timer);
mutex_unlock(&ndev->req_lock);
--
2.35.1
From: Duoming Zhou <[email protected]>
[ Upstream commit ec4eb8a86ade4d22633e1da2a7d85a846b7d1798 ]
When a slip driver is detaching, the slip_close() will act to
cleanup necessary resources and sl->tty is set to NULL in
slip_close(). Meanwhile, the packet we transmit is blocked,
sl_tx_timeout() will be called. Although slip_close() and
sl_tx_timeout() use sl->lock to synchronize, we don`t judge
whether sl->tty equals to NULL in sl_tx_timeout() and the
null pointer dereference bug will happen.
(Thread 1) | (Thread 2)
| slip_close()
| spin_lock_bh(&sl->lock)
| ...
... | sl->tty = NULL //(1)
sl_tx_timeout() | spin_unlock_bh(&sl->lock)
spin_lock(&sl->lock); |
... | ...
tty_chars_in_buffer(sl->tty)|
if (tty->ops->..) //(2) |
... | synchronize_rcu()
We set NULL to sl->tty in position (1) and dereference sl->tty
in position (2).
This patch adds check in sl_tx_timeout(). If sl->tty equals to
NULL, sl_tx_timeout() will goto out.
Signed-off-by: Duoming Zhou <[email protected]>
Reviewed-by: Jiri Slaby <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/slip/slip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
index 5d864f812955..3ec8d16a4633 100644
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -471,7 +471,7 @@ static void sl_tx_timeout(struct net_device *dev)
spin_lock(&sl->lock);
if (netif_queue_stopped(dev)) {
- if (!netif_running(dev))
+ if (!netif_running(dev) || !sl->tty)
goto out;
/* May be we must check transmitter timeout here ?
--
2.35.1
On Mon, 18 Apr 2022 at 18:16, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.19.239 release.
> There are 32 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 20 Apr 2022 12:11:14 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.239-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <[email protected]>
## Build
* kernel: 4.19.239-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-4.19.y
* git commit: 6124afa49867cbf9d4266132d020c7bfd11b768d
* git describe: v4.19.238-33-g6124afa49867
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.19.y/build/v4.19.238-33-g6124afa49867
## Test Regressions (compared to v4.19.237-258-g1376b0e9d231)
No test regressions found.
## Metric Regressions (compared to v4.19.237-258-g1376b0e9d231)
No metric regressions found.
## Test Fixes (compared to v4.19.237-258-g1376b0e9d231)
No test fixes found.
## Metric Fixes (compared to v4.19.237-258-g1376b0e9d231)
No metric fixes found.
NOTE:
kernel deadlock warning on x86 with kselftest merge configs still noticed
this was reported yesterday from the previous stable rc review [1].
This needs to be bisected.
[ 18.504172] WARNING: inconsistent lock state
[ 18.508451] 4.19.238 #1 Not tainted
<>
[ 18.691758] Possible unsafe locking scenario:
[ 18.691758]
[ 18.697689] CPU0
[ 18.700137] ----
[ 18.702586] lock(&(&xprt->transport_lock)->rlock);
[ 18.707562] <Interrupt>
[ 18.710184] lock(&(&xprt->transport_lock)->rlock);
[ 18.715335]
[ 18.715335] *** DEADLOCK ***
[ 18.715335]
[ 18.721270] 2 locks held by kworker/u12:3/60:
[ 18.725633] #0: (____ptrval____)
((wq_completion)\"rpciod\"){+.+.}, at: process_one_work+0x1e0/0x6c0
[ 18.734711] #1: (____ptrval____)
((work_completion)(&task->u.tk_work)){+.+.}, at:
process_one_work+0x1e0/0x6c0
[1] https://lore.kernel.org/stable/CA+G9fYvgzFW7sMZVdw5r970QNNg4OK8=pbQV0kDfbOX-rXu5Rw@mail.gmail.com/
## Test result summary
total: 83824, pass: 67955, fail: 882, skip: 13136, xfail: 1851
## Build Summary
* arm: 281 total, 275 passed, 6 failed
* arm64: 39 total, 39 passed, 0 failed
* i386: 18 total, 18 passed, 0 failed
* mips: 27 total, 27 passed, 0 failed
* powerpc: 36 total, 36 passed, 0 failed
* s390: 12 total, 12 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x86_64: 38 total, 38 passed, 0 failed
## Test suites summary
* fwts
* igt-gpu-tools
* kselftest-android
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* rcutorture
* ssuite
* v4l2-compliance
* vdso
--
Linaro LKFT
https://lkft.linaro.org
From: Roman Li <[email protected]>
[ Upstream commit f4346fb3edf7720db3f7f5e1cab1f667cd024280 ]
[Why]
On resume we do link detection for all non-MST connectors.
MST is handled separately. However the condition for telling
if connector is on mst branch is not enough for mst hub case.
Link detection for mst branch link leads to mst topology reset.
That causes assert in dc_link_allocate_mst_payload()
[How]
Use link type as indicator for mst link.
Reviewed-by: Wayne Lin <[email protected]>
Acked-by: Alex Hung <[email protected]>
Signed-off-by: Roman Li <[email protected]>
Tested-by: Daniel Wheeler <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index b2835cd41d3e..57678e6dcdc4 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -777,7 +777,8 @@ static int dm_resume(void *handle)
* this is the case when traversing through already created
* MST connectors, should be skipped
*/
- if (aconnector->mst_port)
+ if (aconnector->dc_link &&
+ aconnector->dc_link->type == dc_connection_mst_branch)
continue;
mutex_lock(&aconnector->hpd_lock);
--
2.35.1
On Mon, Apr 18, 2022 at 02:13:40PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.239 release.
> There are 32 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 20 Apr 2022 12:11:14 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 156 pass: 156 fail: 0
Qemu test results:
total: 425 pass: 425 fail: 0
Tested-by: Guenter Roeck <[email protected]>
Guenter
From: Guillaume Nault <[email protected]>
[ Upstream commit 726e2c5929de841fdcef4e2bf995680688ae1b87 ]
After feeding a decapsulated packet to a veth device with act_mirred,
skb_headlen() may be 0. But veth_xmit() calls __dev_forward_skb(),
which expects at least ETH_HLEN byte of linear data (as
__dev_forward_skb2() calls eth_type_trans(), which pulls ETH_HLEN bytes
unconditionally).
Use pskb_may_pull() to ensure veth_xmit() respects this constraint.
kernel BUG at include/linux/skbuff.h:2328!
RIP: 0010:eth_type_trans+0xcf/0x140
Call Trace:
<IRQ>
__dev_forward_skb2+0xe3/0x160
veth_xmit+0x6e/0x250 [veth]
dev_hard_start_xmit+0xc7/0x200
__dev_queue_xmit+0x47f/0x520
? skb_ensure_writable+0x85/0xa0
? skb_mpls_pop+0x98/0x1c0
tcf_mirred_act+0x442/0x47e [act_mirred]
tcf_action_exec+0x86/0x140
fl_classify+0x1d8/0x1e0 [cls_flower]
? dma_pte_clear_level+0x129/0x1a0
? dma_pte_clear_level+0x129/0x1a0
? prb_fill_curr_block+0x2f/0xc0
? skb_copy_bits+0x11a/0x220
__tcf_classify+0x58/0x110
tcf_classify_ingress+0x6b/0x140
__netif_receive_skb_core.constprop.0+0x47d/0xfd0
? __iommu_dma_unmap_swiotlb+0x44/0x90
__netif_receive_skb_one_core+0x3d/0xa0
netif_receive_skb+0x116/0x170
be_process_rx+0x22f/0x330 [be2net]
be_poll+0x13c/0x370 [be2net]
__napi_poll+0x2a/0x170
net_rx_action+0x22f/0x2f0
__do_softirq+0xca/0x2a8
__irq_exit_rcu+0xc1/0xe0
common_interrupt+0x83/0xa0
Fixes: e314dbdc1c0d ("[NET]: Virtual ethernet device driver.")
Signed-off-by: Guillaume Nault <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/veth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index 76e834ca54e7..ea999a663933 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -188,7 +188,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
rcu_read_lock();
rcv = rcu_dereference(priv->peer);
- if (unlikely(!rcv)) {
+ if (unlikely(!rcv) || !pskb_may_pull(skb, ETH_HLEN)) {
kfree_skb(skb);
goto drop;
}
--
2.35.1