From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D4FB1C43334 for ; Tue, 5 Jul 2022 11:59:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231899AbiGEL7Z (ORCPT ); Tue, 5 Jul 2022 07:59:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41368 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231770AbiGEL7X (ORCPT ); Tue, 5 Jul 2022 07:59:23 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CFF7526EA; Tue, 5 Jul 2022 04:59:22 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 6767561786; Tue, 5 Jul 2022 11:59:22 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 738BDC341C7; Tue, 5 Jul 2022 11:59:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022361; bh=qOI3ZxHHACL3+QQiOQ3xfjJlVfbHoZv8uvwUZcnjSYc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lc8rGL4ODglQspiE4oHmTEKn8xXmsvCRfcM5/THkB0+iD5OrEPWolqkdyuvspOqSv aSPpgg3Q9LE0QCnlcc9LhDcPCbTi05g5J0il/jpmakpiVAqKlWTDCoTYmo9Bwh4Fyz XViXZz4Ozp8NaTXA/oZplNBxG0WRhEMl/JWgZXtM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mikulas Patocka , Mike Snitzer Subject: [PATCH 4.9 01/29] dm raid: fix KASAN warning in raid5_add_disks Date: Tue, 5 Jul 2022 13:57:42 +0200 Message-Id: <20220705115605.787481910@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Mikulas Patocka commit 617b365872a247480e9dcd50a32c8d1806b21861 upstream. There's a KASAN warning in raid5_add_disk when running the LVM testsuite. The warning happens in the test lvconvert-raid-reshape-linear_to_raid6-single-type.sh. We fix the warning by verifying that rdev->saved_raid_disk is within limits. Cc: stable@vger.kernel.org Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/md/raid5.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -7322,6 +7322,7 @@ static int raid5_add_disk(struct mddev * */ if (rdev->saved_raid_disk >=3D 0 && rdev->saved_raid_disk >=3D first && + rdev->saved_raid_disk <=3D last && conf->disks[rdev->saved_raid_disk].rdev =3D=3D NULL) first =3D rdev->saved_raid_disk; From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 57685C433EF for ; Tue, 5 Jul 2022 12:00:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232788AbiGEMAJ (ORCPT ); Tue, 5 Jul 2022 08:00:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42226 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232700AbiGEMAE (ORCPT ); Tue, 5 Jul 2022 08:00:04 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6FC5517E1B; Tue, 5 Jul 2022 04:59:53 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0CD96617B1; Tue, 5 Jul 2022 11:59:53 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 19755C341C7; Tue, 5 Jul 2022 11:59:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022392; bh=edsKe0FVOvsRAYwbS5XjA2Hdnp3PFY86vrBZUlfMG/g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZtOJqFpoR3naKG3/umhGm7DDnU+GUiDE8pN2OmSRwjv1jGpKPgDKAfiO9TlgSbzo4 p4Od0PGzEI+Uu8+hdQPxx6Bw2owtyMq9GrM+9oq+Fcy34fJNSwmndDeIeNhuSnXmwI kZLTVe8Xjq2panhlbLRombNA1XX7qNZ+KYADTok8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Bruce Fields , Zorro Lang , Chuck Lever Subject: [PATCH 4.9 02/29] SUNRPC: Fix READ_PLUS crasher Date: Tue, 5 Jul 2022 13:57:43 +0200 Message-Id: <20220705115605.816369937@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Chuck Lever commit a23dd544debcda4ee4a549ec7de59e85c3c8345c upstream. Looks like there are still cases when "space_left - frag1bytes" can legitimately exceed PAGE_SIZE. Ensure that xdr->end always remains within the current encode buffer. Reported-by: Bruce Fields Reported-by: Zorro Lang Link: https://bugzilla.kernel.org/show_bug.cgi?id=3D216151 Fixes: 6c254bf3b637 ("SUNRPC: Fix the calculation of xdr->end in xdr_get_ne= xt_encode_buffer()") Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- net/sunrpc/xdr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/sunrpc/xdr.c +++ b/net/sunrpc/xdr.c @@ -544,7 +544,7 @@ static __be32 *xdr_get_next_encode_buffe */ xdr->p =3D (void *)p + frag2bytes; space_left =3D xdr->buf->buflen - xdr->buf->len; - if (space_left - nbytes >=3D PAGE_SIZE) + if (space_left - frag1bytes >=3D PAGE_SIZE) xdr->end =3D (void *)p + PAGE_SIZE; else xdr->end =3D (void *)p + space_left - frag1bytes; From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9DE19C433EF for ; Tue, 5 Jul 2022 12:00:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232921AbiGEMA1 (ORCPT ); Tue, 5 Jul 2022 08:00:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42348 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232719AbiGEMAH (ORCPT ); Tue, 5 Jul 2022 08:00:07 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5D3FC1834B; Tue, 5 Jul 2022 05:00:03 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E8DA2B817DE; Tue, 5 Jul 2022 12:00:01 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4BDF7C341CD; Tue, 5 Jul 2022 12:00:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022400; bh=Z6JznfyhDfsBq1+fXRlVXSp+QZd9YIVqhiz08sWlkzU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zssH5ffkj9hWVw8qw1GKu8RxQdB2FzUX5e0Q8Q/4jM+YfDrWWJ4aeR62KrtdDPh0o kmMPnI25CuYeeT4tGgeh8iH9IMeUnsJhj+qgm93wiUiKXg2v8gXOUNAS+iTndqzol/ NA29Ws7TWRAdoxfg6TShTVn/gxtx/VnUHEpx/9yE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Duoming Zhou , Paolo Abeni Subject: [PATCH 4.9 03/29] net: rose: fix UAF bugs caused by timer handler Date: Tue, 5 Jul 2022 13:57:44 +0200 Message-Id: <20220705115605.846177444@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Duoming Zhou commit 9cc02ede696272c5271a401e4f27c262359bc2f6 upstream. There are UAF bugs in rose_heartbeat_expiry(), rose_timer_expiry() and rose_idletimer_expiry(). The root cause is that del_timer() could not stop the timer handler that is running and the refcount of sock is not managed properly. One of the UAF bugs is shown below: (thread 1) | (thread 2) | rose_bind | rose_connect | rose_start_heartbeat rose_release | (wait a time) case ROSE_STATE_0 | rose_destroy_socket | rose_heartbeat_expiry rose_stop_heartbeat | sock_put(sk) | ... sock_put(sk) // FREE | | bh_lock_sock(sk) // USE The sock is deallocated by sock_put() in rose_release() and then used by bh_lock_sock() in rose_heartbeat_expiry(). Although rose_destroy_socket() calls rose_stop_heartbeat(), it could not stop the timer that is running. The KASAN report triggered by POC is shown below: BUG: KASAN: use-after-free in _raw_spin_lock+0x5a/0x110 Write of size 4 at addr ffff88800ae59098 by task swapper/3/0 ... Call Trace: dump_stack_lvl+0xbf/0xee print_address_description+0x7b/0x440 print_report+0x101/0x230 ? irq_work_single+0xbb/0x140 ? _raw_spin_lock+0x5a/0x110 kasan_report+0xed/0x120 ? _raw_spin_lock+0x5a/0x110 kasan_check_range+0x2bd/0x2e0 _raw_spin_lock+0x5a/0x110 rose_heartbeat_expiry+0x39/0x370 ? rose_start_heartbeat+0xb0/0xb0 call_timer_fn+0x2d/0x1c0 ? rose_start_heartbeat+0xb0/0xb0 expire_timers+0x1f3/0x320 __run_timers+0x3ff/0x4d0 run_timer_softirq+0x41/0x80 __do_softirq+0x233/0x544 irq_exit_rcu+0x41/0xa0 sysvec_apic_timer_interrupt+0x8c/0xb0 asm_sysvec_apic_timer_interrupt+0x1b/0x20 RIP: 0010:default_idle+0xb/0x10 RSP: 0018:ffffc9000012fea0 EFLAGS: 00000202 RAX: 000000000000bcae RBX: ffff888006660f00 RCX: 000000000000bcae RDX: 0000000000000001 RSI: ffffffff843a11c0 RDI: ffffffff843a1180 RBP: dffffc0000000000 R08: dffffc0000000000 R09: ffffed100da36d46 R10: dfffe9100da36d47 R11: ffffffff83cf0950 R12: 0000000000000000 R13: 1ffff11000ccc1e0 R14: ffffffff8542af28 R15: dffffc0000000000 ... Allocated by task 146: __kasan_kmalloc+0xc4/0xf0 sk_prot_alloc+0xdd/0x1a0 sk_alloc+0x2d/0x4e0 rose_create+0x7b/0x330 __sock_create+0x2dd/0x640 __sys_socket+0xc7/0x270 __x64_sys_socket+0x71/0x80 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 152: kasan_set_track+0x4c/0x70 kasan_set_free_info+0x1f/0x40 ____kasan_slab_free+0x124/0x190 kfree+0xd3/0x270 __sk_destruct+0x314/0x460 rose_release+0x2fa/0x3b0 sock_close+0xcb/0x230 __fput+0x2d9/0x650 task_work_run+0xd6/0x160 exit_to_user_mode_loop+0xc7/0xd0 exit_to_user_mode_prepare+0x4e/0x80 syscall_exit_to_user_mode+0x20/0x40 do_syscall_64+0x4f/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This patch adds refcount of sock when we use functions such as rose_start_heartbeat() and so on to start timer, and decreases the refcount of sock when timer is finished or deleted by functions such as rose_stop_heartbeat() and so on. As a result, the UAF bugs could be mitigated. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Duoming Zhou Tested-by: Duoming Zhou Link: https://lore.kernel.org/r/20220629002640.5693-1-duoming@zju.edu.cn Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- net/rose/rose_timer.c | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) --- a/net/rose/rose_timer.c +++ b/net/rose/rose_timer.c @@ -34,95 +34,95 @@ static void rose_idletimer_expiry(unsign =20 void rose_start_heartbeat(struct sock *sk) { - del_timer(&sk->sk_timer); + sk_stop_timer(sk, &sk->sk_timer); =20 sk->sk_timer.data =3D (unsigned long)sk; sk->sk_timer.function =3D &rose_heartbeat_expiry; sk->sk_timer.expires =3D jiffies + 5 * HZ; =20 - add_timer(&sk->sk_timer); + sk_reset_timer(sk, &sk->sk_timer, sk->sk_timer.expires); } =20 void rose_start_t1timer(struct sock *sk) { struct rose_sock *rose =3D rose_sk(sk); =20 - del_timer(&rose->timer); + sk_stop_timer(sk, &rose->timer); =20 rose->timer.data =3D (unsigned long)sk; rose->timer.function =3D &rose_timer_expiry; rose->timer.expires =3D jiffies + rose->t1; =20 - add_timer(&rose->timer); + sk_reset_timer(sk, &rose->timer, rose->timer.expires); } =20 void rose_start_t2timer(struct sock *sk) { struct rose_sock *rose =3D rose_sk(sk); =20 - del_timer(&rose->timer); + sk_stop_timer(sk, &rose->timer); =20 rose->timer.data =3D (unsigned long)sk; rose->timer.function =3D &rose_timer_expiry; rose->timer.expires =3D jiffies + rose->t2; =20 - add_timer(&rose->timer); + sk_reset_timer(sk, &rose->timer, rose->timer.expires); } =20 void rose_start_t3timer(struct sock *sk) { struct rose_sock *rose =3D rose_sk(sk); =20 - del_timer(&rose->timer); + sk_stop_timer(sk, &rose->timer); =20 rose->timer.data =3D (unsigned long)sk; rose->timer.function =3D &rose_timer_expiry; rose->timer.expires =3D jiffies + rose->t3; =20 - add_timer(&rose->timer); + sk_reset_timer(sk, &rose->timer, rose->timer.expires); } =20 void rose_start_hbtimer(struct sock *sk) { struct rose_sock *rose =3D rose_sk(sk); =20 - del_timer(&rose->timer); + sk_stop_timer(sk, &rose->timer); =20 rose->timer.data =3D (unsigned long)sk; rose->timer.function =3D &rose_timer_expiry; rose->timer.expires =3D jiffies + rose->hb; =20 - add_timer(&rose->timer); + sk_reset_timer(sk, &rose->timer, rose->timer.expires); } =20 void rose_start_idletimer(struct sock *sk) { struct rose_sock *rose =3D rose_sk(sk); =20 - del_timer(&rose->idletimer); + sk_stop_timer(sk, &rose->timer); =20 if (rose->idle > 0) { rose->idletimer.data =3D (unsigned long)sk; rose->idletimer.function =3D &rose_idletimer_expiry; rose->idletimer.expires =3D jiffies + rose->idle; =20 - add_timer(&rose->idletimer); + sk_reset_timer(sk, &rose->idletimer, rose->idletimer.expires); } } =20 void rose_stop_heartbeat(struct sock *sk) { - del_timer(&sk->sk_timer); + sk_stop_timer(sk, &sk->sk_timer); } =20 void rose_stop_timer(struct sock *sk) { - del_timer(&rose_sk(sk)->timer); + sk_stop_timer(sk, &rose_sk(sk)->timer); } =20 void rose_stop_idletimer(struct sock *sk) { - del_timer(&rose_sk(sk)->idletimer); + sk_stop_timer(sk, &rose_sk(sk)->idletimer); } =20 static void rose_heartbeat_expiry(unsigned long param) @@ -139,6 +139,7 @@ static void rose_heartbeat_expiry(unsign (sk->sk_state =3D=3D TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) { bh_unlock_sock(sk); rose_destroy_socket(sk); + sock_put(sk); return; } break; @@ -161,6 +162,7 @@ static void rose_heartbeat_expiry(unsign =20 rose_start_heartbeat(sk); bh_unlock_sock(sk); + sock_put(sk); } =20 static void rose_timer_expiry(unsigned long param) @@ -190,6 +192,7 @@ static void rose_timer_expiry(unsigned l break; } bh_unlock_sock(sk); + sock_put(sk); } =20 static void rose_idletimer_expiry(unsigned long param) @@ -213,4 +216,5 @@ static void rose_idletimer_expiry(unsign sock_set_flag(sk, SOCK_DEAD); } bh_unlock_sock(sk); + sock_put(sk); } From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE25CC433EF for ; Tue, 5 Jul 2022 12:00:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232944AbiGEMAc (ORCPT ); Tue, 5 Jul 2022 08:00:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42262 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232776AbiGEMAH (ORCPT ); Tue, 5 Jul 2022 08:00:07 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 81A7A1582A; Tue, 5 Jul 2022 05:00:04 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0E471617B2; Tue, 5 Jul 2022 12:00:04 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 12B29C341CB; Tue, 5 Jul 2022 12:00:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022403; bh=sSruqaRk5RZXPQmGv4QciIzzmQdPhAhykAjv1OiQnKA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GoQzNdqGphfGjgK14TQvKIxrj7bZoksBGibxfY5XHcvT4x061gIjprp6a9BXAocmc 3ywEefil8MUp7kzB4FA0Hs/SPlxQFLHN2debm2Y/nmkHNd+7tSiqQNuxD6Dp/gOBV5 Mm+TiQ5PPv5CrkPOYJAMx6PYJfATfb9CO6cGymgE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jose Alonso , Paolo Abeni Subject: [PATCH 4.9 04/29] net: usb: ax88179_178a: Fix packet receiving Date: Tue, 5 Jul 2022 13:57:45 +0200 Message-Id: <20220705115605.875383356@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jose Alonso commit f8ebb3ac881b17712e1d5967c97ab1806b16d3d6 upstream. This patch corrects packet receiving in ax88179_rx_fixup. - problem observed: ifconfig shows allways a lot of 'RX Errors' while packets are received normally. This occurs because ax88179_rx_fixup does not recognise properly the usb urb received. The packets are normally processed and at the end, the code exits with 'return 0', generating RX Errors. (pkt_cnt=3D=3D-2 and ptk_hdr over field rx_hdr trying to identify another packet there) This is a usb urb received by "tcpdump -i usbmon2 -X" on a little-endian CPU: 0x0000: eeee f8e3 3b19 87a0 94de 80e3 daac 0800 ^ packet 1 start (pkt_len =3D 0x05ec) ^^^^ IP alignment pseudo header ^ ethernet packet start last byte ethernet packet v padding (8-bytes aligned) vvvv vvvv 0x05e0: c92d d444 1420 8a69 83dd 272f e82b 9811 0x05f0: eeee f8e3 3b19 87a0 94de 80e3 daac 0800 ... ^ packet 2 0x0be0: eeee f8e3 3b19 87a0 94de 80e3 daac 0800 ... 0x1130: 9d41 9171 8a38 0ec5 eeee f8e3 3b19 87a0 ... 0x1720: 8cfc 15ff 5e4c e85c eeee f8e3 3b19 87a0 ... 0x1d10: ecfa 2a3a 19ab c78c eeee f8e3 3b19 87a0 ... 0x2070: eeee f8e3 3b19 87a0 94de 80e3 daac 0800 ... ^ packet 7 0x2120: 7c88 4ca5 5c57 7dcc 0d34 7577 f778 7e0a 0x2130: f032 e093 7489 0740 3008 ec05 0000 0080 =3D=3D=3D=3D1=3D=3D=3D=3D =3D=3D=3D=3D2=3D= =3D=3D=3D hdr_off ^ pkt_len =3D 0x05ec ^^^^ AX_RXHDR_*=3D0x00830 ^^^^ ^ pkt_len =3D 0 ^^^^ AX_RXHDR_DROP_ERR=3D0x80000000 ^^^^ ^ 0x2140: 3008 ec05 0000 0080 3008 5805 0000 0080 0x2150: 3008 ec05 0000 0080 3008 ec05 0000 0080 0x2160: 3008 5803 0000 0080 3008 c800 0000 0080 =3D=3D=3D11=3D=3D=3D=3D =3D=3D=3D12=3D=3D=3D=3D =3D=3D=3D13=3D= =3D=3D=3D =3D=3D=3D14=3D=3D=3D=3D 0x2170: 0000 0000 0e00 3821 ^^^^ ^^^^ rx_hdr ^^^^ pkt_cnt=3D14 ^^^^ hdr_off=3D0x2138 ^^^^ ^^^^ padding The dump shows that pkt_cnt is the number of entrys in the per-packet metadata. It is "2 * packet count". Each packet have two entrys. The first have a valid value (pkt_len and AX_RXHDR_*) and the second have a dummy-header 0x80000000 (pkt_len=3D0 with AX_RXHDR_DROP_ERR). Why exists dummy-header for each packet?!? My guess is that this was done probably to align the entry for each packet to 64-bits and maintain compatibility with old firmware. There is also a padding (0x00000000) before the rx_hdr to align the end of rx_hdr to 64-bit. Note that packets have a alignment of 64-bits (8-bytes). This patch assumes that the dummy-header and the last padding are optional. So it preserves semantics and recognises the same valid packets as the current code. This patch was made using only the dumpfile information and tested with only one device: 0b95:1790 ASIX Electronics Corp. AX88179 Gigabit Ethernet Fixes: 57bc3d3ae8c1 ("net: usb: ax88179_178a: Fix out-of-bounds accesses in= RX fixup") Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabi= t ethernet adapter driver") Signed-off-by: Jose Alonso Acked-by: Paolo Abeni Link: https://lore.kernel.org/r/d6970bb04bf67598af4d316eaeb1792040b18cfd.ca= mel@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/usb/ax88179_178a.c | 101 ++++++++++++++++++++++++++++++------= ----- 1 file changed, 76 insertions(+), 25 deletions(-) --- a/drivers/net/usb/ax88179_178a.c +++ b/drivers/net/usb/ax88179_178a.c @@ -1373,6 +1373,42 @@ static int ax88179_rx_fixup(struct usbne * are bundled into this buffer and where we can find an array of * per-packet metadata (which contains elements encoded into u16). */ + + /* SKB contents for current firmware: + * + * ... + * + * + * ... + * + * + * + * where: + * contains pkt_len bytes: + * 2 bytes of IP alignment pseudo header + * packet received + * contains 4 bytes: + * pkt_len and fields AX_RXHDR_* + * 0-7 bytes to terminate at + * 8 bytes boundary (64-bit). + * 4 bytes to make rx_hdr terminate at + * 8 bytes boundary (64-bit) + * contains 4 bytes: + * pkt_len=3D0 and AX_RXHDR_DROP_ERR + * contains 4 bytes: + * pkt_cnt and hdr_off (offset of + * ) + * + * pkt_cnt is number of entrys in the per-packet metadata. + * In current firmware there is 2 entrys per packet. + * The first points to the packet and the + * second is a dummy header. + * This was done probably to align fields in 64-bit and + * maintain compatibility with old firmware. + * This code assumes that and are + * optional. + */ + if (skb->len < 4) return 0; skb_trim(skb, skb->len - 4); @@ -1387,51 +1423,66 @@ static int ax88179_rx_fixup(struct usbne /* Make sure that the bounds of the metadata array are inside the SKB * (and in front of the counter at the end). */ - if (pkt_cnt * 2 + hdr_off > skb->len) + if (pkt_cnt * 4 + hdr_off > skb->len) return 0; pkt_hdr =3D (u32 *)(skb->data + hdr_off); =20 /* Packets must not overlap the metadata array */ skb_trim(skb, hdr_off); =20 - for (; ; pkt_cnt--, pkt_hdr++) { + for (; pkt_cnt > 0; pkt_cnt--, pkt_hdr++) { + u16 pkt_len_plus_padd; u16 pkt_len; =20 le32_to_cpus(pkt_hdr); pkt_len =3D (*pkt_hdr >> 16) & 0x1fff; + pkt_len_plus_padd =3D (pkt_len + 7) & 0xfff8; =20 - if (pkt_len > skb->len) + /* Skip dummy header used for alignment + */ + if (pkt_len =3D=3D 0) + continue; + + if (pkt_len_plus_padd > skb->len) return 0; =20 /* Check CRC or runt packet */ - if (((*pkt_hdr & (AX_RXHDR_CRC_ERR | AX_RXHDR_DROP_ERR)) =3D=3D 0) && - pkt_len >=3D 2 + ETH_HLEN) { - bool last =3D (pkt_cnt =3D=3D 0); - - if (last) { - ax_skb =3D skb; - } else { - ax_skb =3D skb_clone(skb, GFP_ATOMIC); - if (!ax_skb) - return 0; - } - ax_skb->len =3D pkt_len; - /* Skip IP alignment pseudo header */ - skb_pull(ax_skb, 2); - skb_set_tail_pointer(ax_skb, ax_skb->len); - ax_skb->truesize =3D pkt_len + sizeof(struct sk_buff); - ax88179_rx_checksum(ax_skb, pkt_hdr); + if ((*pkt_hdr & (AX_RXHDR_CRC_ERR | AX_RXHDR_DROP_ERR)) || + pkt_len < 2 + ETH_HLEN) { + dev->net->stats.rx_errors++; + skb_pull(skb, pkt_len_plus_padd); + continue; + } =20 - if (last) - return 1; + /* last packet */ + if (pkt_len_plus_padd =3D=3D skb->len) { + skb_trim(skb, pkt_len); =20 - usbnet_skb_return(dev, ax_skb); + /* Skip IP alignment pseudo header */ + skb_pull(skb, 2); + + skb->truesize =3D SKB_TRUESIZE(pkt_len_plus_padd); + ax88179_rx_checksum(skb, pkt_hdr); + return 1; } =20 - /* Trim this packet away from the SKB */ - if (!skb_pull(skb, (pkt_len + 7) & 0xFFF8)) + ax_skb =3D skb_clone(skb, GFP_ATOMIC); + if (!ax_skb) return 0; + skb_trim(ax_skb, pkt_len); + + /* Skip IP alignment pseudo header */ + skb_pull(ax_skb, 2); + + skb->truesize =3D pkt_len_plus_padd + + SKB_DATA_ALIGN(sizeof(struct sk_buff)); + ax88179_rx_checksum(ax_skb, pkt_hdr); + usbnet_skb_return(dev, ax_skb); + + skb_pull(skb, pkt_len_plus_padd); } + + return 0; } =20 static struct sk_buff * From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C191AC43334 for ; Tue, 5 Jul 2022 12:00:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232958AbiGEMAg (ORCPT ); Tue, 5 Jul 2022 08:00:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42272 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232803AbiGEMAL (ORCPT ); Tue, 5 Jul 2022 08:00:11 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1F7CA17E1A; Tue, 5 Jul 2022 05:00:07 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B0134617B0; Tue, 5 Jul 2022 12:00:06 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B7F33C341C7; Tue, 5 Jul 2022 12:00:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022406; bh=ZN8+uRs5APM5boRIUc32C4EweShCfPrlV3ERh7NNzEI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BLztnbHSAvktNbR9PaXzq5Kqkt2G6pz2BhoXwdrJ2zmIi7ZceQPsK1dSobjEZgoju hyIeWfe3b98je69XAAgl3ZEVnH1M3swZOmuff7jtDNxQWAR3J1y4FK0nzxtWSbzrfD teehVweEM9GN5VXTGoQL88OL+m9GXybi1y5zFnPc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org Subject: [PATCH 4.9 05/29] usbnet: make sure no NULL pointer is passed through Date: Tue, 5 Jul 2022 13:57:46 +0200 Message-Id: <20220705115605.903898317@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Oliver Neukum commit 6c22fce07c97f765af1808ec3be007847e0b47d1 upstream. Coverity reports: ** CID 751368: Null pointer dereferences (FORWARD_NULL) /drivers/net/usb/usbnet.c: 1925 in __usbnet_read_cmd() ___________________________________________________________________________= _____________________________ Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/usb/usbnet.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -1951,7 +1951,7 @@ static int __usbnet_read_cmd(struct usbn " value=3D0x%04x index=3D0x%04x size=3D%d\n", cmd, reqtype, value, index, size); =20 - if (data) { + if (size) { buf =3D kmalloc(size, GFP_KERNEL); if (!buf) goto out; @@ -1960,8 +1960,13 @@ static int __usbnet_read_cmd(struct usbn err =3D usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0), cmd, reqtype, value, index, buf, size, USB_CTRL_GET_TIMEOUT); - if (err > 0 && err <=3D size) - memcpy(data, buf, err); + if (err > 0 && err <=3D size) { + if (data) + memcpy(data, buf, err); + else + netdev_dbg(dev->net, + "Huh? Data requested but thrown away.\n"); + } kfree(buf); out: return err; @@ -1982,7 +1987,13 @@ static int __usbnet_write_cmd(struct usb buf =3D kmemdup(data, size, GFP_KERNEL); if (!buf) goto out; - } + } else { + if (size) { + WARN_ON_ONCE(1); + err =3D -EINVAL; + goto out; + } + } =20 err =3D usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0), cmd, reqtype, value, index, buf, size, From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD528C43334 for ; Tue, 5 Jul 2022 12:00:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232972AbiGEMAl (ORCPT ); Tue, 5 Jul 2022 08:00:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42522 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232759AbiGEMAO (ORCPT ); Tue, 5 Jul 2022 08:00:14 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B2FE317E34; Tue, 5 Jul 2022 05:00:11 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 2D317B817D4; Tue, 5 Jul 2022 12:00:10 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 958FEC341CD; Tue, 5 Jul 2022 12:00:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022408; bh=MDRErYeUWSJwKsBCQCGe+p0aMtjXUNffMWGsG7Pl+a8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=o8cyUgyEuBD8O86NMNxSE5OiwAlsZgiDqWqCfm62axmP4KGxoOGxSRPCjs42ubQya f6pBbLeR/6oaDuFG0CtV65ItK0BV4XCYnugvLkbFfC5vOIwdctKmUFSQHx3V4HHQ9w 1YuJEf7ZOq9AYdOnJYWFChtJNXzHpLj7ka1rmgeU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Oliver Neukum , Jakub Kicinski Subject: [PATCH 4.9 06/29] usbnet: fix memory allocation in helpers Date: Tue, 5 Jul 2022 13:57:47 +0200 Message-Id: <20220705115605.933108860@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Oliver Neukum commit e65af5403e462ccd7dff6a045a886c64da598c2e upstream. usbnet provides some helper functions that are also used in the context of reset() operations. During a reset the other drivers on a device are unable to operate. As that can be block drivers, a driver for another interface cannot use paging in its memory allocations without risking a deadlock. Use GFP_NOIO in the helpers. Fixes: 877bd862f32b8 ("usbnet: introduce usbnet 3 command helpers") Signed-off-by: Oliver Neukum Link: https://lore.kernel.org/r/20220628093517.7469-1-oneukum@suse.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/usb/usbnet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -1952,7 +1952,7 @@ static int __usbnet_read_cmd(struct usbn cmd, reqtype, value, index, size); =20 if (size) { - buf =3D kmalloc(size, GFP_KERNEL); + buf =3D kmalloc(size, GFP_NOIO); if (!buf) goto out; } @@ -1984,7 +1984,7 @@ static int __usbnet_write_cmd(struct usb cmd, reqtype, value, index, size); =20 if (data) { - buf =3D kmemdup(data, size, GFP_KERNEL); + buf =3D kmemdup(data, size, GFP_NOIO); if (!buf) goto out; } else { From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 741B1C433EF for ; Tue, 5 Jul 2022 12:00:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232871AbiGEMAp (ORCPT ); Tue, 5 Jul 2022 08:00:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42662 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232868AbiGEMAU (ORCPT ); Tue, 5 Jul 2022 08:00:20 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A47F817E3C; Tue, 5 Jul 2022 05:00:12 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4475A6174B; Tue, 5 Jul 2022 12:00:12 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 515A6C341C7; Tue, 5 Jul 2022 12:00:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022411; bh=n/mTbhU8QDjkSe4pvnDYG+KfiE9r0l3gwSQizEQnMv8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ekbDXyYSMTaUGX2BGYSUuQ4+xNCjZBQhdMSeX4ee7+H0OX7ydZXxxPoShjcFvScOe 9zVfIAXgt1GxwL1usYs4PS8Et4o7Z14xHG8cZVn1eJ3FpaDOKWM/wqzhLq9P15GW2C RiOvAJyI1jGtWxQFWrq5ZQxkghGtOArG+L/DDBQc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Jason A. Donenfeld" , Christophe Leroy , Michael Ellerman Subject: [PATCH 4.9 07/29] powerpc/powernv: wire up rng during setup_arch Date: Tue, 5 Jul 2022 13:57:48 +0200 Message-Id: <20220705115605.962876047@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jason A. Donenfeld commit f3eac426657d985b97c92fa5f7ae1d43f04721f3 upstream. The platform's RNG must be available before random_init() in order to be useful for initial seeding, which in turn means that it needs to be called from setup_arch(), rather than from an init call. Complicating things, however, is that POWER8 systems need some per-cpu state and kmalloc, which isn't available at this stage. So we split things up into an early phase and a later opportunistic phase. This commit also removes some noisy log messages that don't add much. Fixes: a4da0d50b2a0 ("powerpc: Implement arch_get_random_long/int() for pow= ernv") Cc: stable@vger.kernel.org # v3.13+ Signed-off-by: Jason A. Donenfeld Reviewed-by: Christophe Leroy [mpe: Add of_node_put(), use pnv naming, minor change log editing] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220621140849.127227-1-Jason@zx2c4.com Signed-off-by: Jason A. Donenfeld Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- arch/powerpc/include/asm/ppc-opcode.h | 4 + arch/powerpc/platforms/powernv/powernv.h | 2=20 arch/powerpc/platforms/powernv/rng.c | 91 ++++++++++++++++++++++++++= ----- arch/powerpc/platforms/powernv/setup.c | 2=20 4 files changed, 85 insertions(+), 14 deletions(-) --- a/arch/powerpc/include/asm/ppc-opcode.h +++ b/arch/powerpc/include/asm/ppc-opcode.h @@ -134,6 +134,7 @@ #define PPC_INST_COPY 0x7c00060c #define PPC_INST_COPY_FIRST 0x7c20060c #define PPC_INST_CP_ABORT 0x7c00068c +#define PPC_INST_DARN 0x7c0005e6 #define PPC_INST_DCBA 0x7c0005ec #define PPC_INST_DCBA_MASK 0xfc0007fe #define PPC_INST_DCBAL 0x7c2005ec @@ -328,6 +329,9 @@ =20 /* Deal with instructions that older assemblers aren't aware of */ #define PPC_CP_ABORT stringify_in_c(.long PPC_INST_CP_ABORT) +#define PPC_DARN(t, l) stringify_in_c(.long PPC_INST_DARN | \ + ___PPC_RT(t) | \ + (((l) & 0x3) << 16)) #define PPC_DCBAL(a, b) stringify_in_c(.long PPC_INST_DCBAL | \ __PPC_RA(a) | __PPC_RB(b)) #define PPC_DCBZL(a, b) stringify_in_c(.long PPC_INST_DCBZL | \ --- a/arch/powerpc/platforms/powernv/powernv.h +++ b/arch/powerpc/platforms/powernv/powernv.h @@ -27,4 +27,6 @@ extern void opal_event_shutdown(void); =20 bool cpu_core_split_required(void); =20 +void pnv_rng_init(void); + #endif /* _POWERNV_H */ --- a/arch/powerpc/platforms/powernv/rng.c +++ b/arch/powerpc/platforms/powernv/rng.c @@ -16,11 +16,14 @@ #include #include #include +#include #include #include #include #include +#include "powernv.h" =20 +#define DARN_ERR 0xFFFFFFFFFFFFFFFFul =20 struct powernv_rng { void __iomem *regs; @@ -30,7 +33,6 @@ struct powernv_rng { =20 static DEFINE_PER_CPU(struct powernv_rng *, powernv_rng); =20 - int powernv_hwrng_present(void) { struct powernv_rng *rng; @@ -45,7 +47,11 @@ static unsigned long rng_whiten(struct p unsigned long parity; =20 /* Calculate the parity of the value */ - asm ("popcntd %0,%1" : "=3Dr" (parity) : "r" (val)); + asm (".machine push; \ + .machine power7; \ + popcntd %0,%1; \ + .machine pop;" + : "=3Dr" (parity) : "r" (val)); =20 /* xor our value with the previous mask */ val ^=3D rng->mask; @@ -67,6 +73,38 @@ int powernv_get_random_real_mode(unsigne return 1; } =20 +static int powernv_get_random_darn(unsigned long *v) +{ + unsigned long val; + + /* Using DARN with L=3D1 - 64-bit conditioned random number */ + asm volatile(PPC_DARN(%0, 1) : "=3Dr"(val)); + + if (val =3D=3D DARN_ERR) + return 0; + + *v =3D val; + + return 1; +} + +static int __init initialise_darn(void) +{ + unsigned long val; + int i; + + if (!cpu_has_feature(CPU_FTR_ARCH_300)) + return -ENODEV; + + for (i =3D 0; i < 10; i++) { + if (powernv_get_random_darn(&val)) { + ppc_md.get_random_seed =3D powernv_get_random_darn; + return 0; + } + } + return -EIO; +} + int powernv_get_random_long(unsigned long *v) { struct powernv_rng *rng; @@ -88,7 +126,7 @@ static __init void rng_init_per_cpu(stru =20 chip_id =3D of_get_ibm_chip_id(dn); if (chip_id =3D=3D -1) - pr_warn("No ibm,chip-id found for %s.\n", dn->full_name); + pr_warn("No ibm,chip-id found for %pOF.\n", dn); =20 for_each_possible_cpu(cpu) { if (per_cpu(powernv_rng, cpu) =3D=3D NULL || @@ -126,30 +164,55 @@ static __init int rng_create(struct devi =20 rng_init_per_cpu(rng, dn); =20 - pr_info_once("Registering arch random hook.\n"); - ppc_md.get_random_seed =3D powernv_get_random_long; =20 return 0; } =20 -static __init int rng_init(void) +static int __init pnv_get_random_long_early(unsigned long *v) { struct device_node *dn; - int rc; + + if (!slab_is_available()) + return 0; + + if (cmpxchg(&ppc_md.get_random_seed, pnv_get_random_long_early, + NULL) !=3D pnv_get_random_long_early) + return 0; =20 for_each_compatible_node(dn, NULL, "ibm,power-rng") { - rc =3D rng_create(dn); - if (rc) { - pr_err("Failed creating rng for %s (%d).\n", - dn->full_name, rc); + if (rng_create(dn)) continue; - } - /* Create devices for hwrng driver */ of_platform_device_create(dn, NULL, NULL); } =20 + if (!ppc_md.get_random_seed) + return 0; + return ppc_md.get_random_seed(v); +} + +void __init pnv_rng_init(void) +{ + struct device_node *dn; + + /* Prefer darn over the rest. */ + if (!initialise_darn()) + return; + + dn =3D of_find_compatible_node(NULL, NULL, "ibm,power-rng"); + if (dn) + ppc_md.get_random_seed =3D pnv_get_random_long_early; + + of_node_put(dn); +} + +static int __init pnv_rng_late_init(void) +{ + unsigned long v; + /* In case it wasn't called during init for some other reason. */ + if (ppc_md.get_random_seed =3D=3D pnv_get_random_long_early) + pnv_get_random_long_early(&v); return 0; } -machine_subsys_initcall(powernv, rng_init); +machine_subsys_initcall(powernv, pnv_rng_late_init); --- a/arch/powerpc/platforms/powernv/setup.c +++ b/arch/powerpc/platforms/powernv/setup.c @@ -168,6 +168,8 @@ static void __init pnv_setup_arch(void) powersave_nap =3D 1; =20 /* XXX PMCS */ + + pnv_rng_init(); } =20 static void __init pnv_init(void) From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F304DCCA47B for ; Tue, 5 Jul 2022 12:00:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232917AbiGEMAx (ORCPT ); Tue, 5 Jul 2022 08:00:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42220 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232882AbiGEMAW (ORCPT ); Tue, 5 Jul 2022 08:00:22 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EE69718358; Tue, 5 Jul 2022 05:00:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 868ACB817DA; Tue, 5 Jul 2022 12:00:15 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F193AC385A2; Tue, 5 Jul 2022 12:00:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022414; bh=v40g/hBBeQmr4W1jpD2WWBoeCsbWUBpQuUMf2B4Nk+o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wgidaf9VJ7+W87LqiftK2vUYNb3Pe+UD1ANiDnN3VQGbeUpvfjRi344FMtjbLps4t 8iIYDBcH5HNJRSjit4XQehiueaEithfTXUpqyggdiqnQ4Zu1Bb8echq/qm5bJ8X/8n w6k5zUDRjGI+HQrPwjwnQUOxzWjpIJeyBXI8zTMY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jason Wang , "Michael S. Tsirkin" Subject: [PATCH 4.9 08/29] caif_virtio: fix race between virtio_device_ready() and ndo_open() Date: Tue, 5 Jul 2022 13:57:49 +0200 Message-Id: <20220705115605.993354698@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jason Wang commit 11a37eb66812ce6a06b79223ad530eb0e1d7294d upstream. We currently depend on probe() calling virtio_device_ready() - which happens after netdev registration. Since ndo_open() can be called immediately after register_netdev, this means there exists a race between ndo_open() and virtio_device_ready(): the driver may start to use the device (e.g. TX) before DRIVER_OK which violates the spec. Fix this by switching to use register_netdevice() and protect the virtio_device_ready() with rtnl_lock() to make sure ndo_open() can only be called after virtio_device_ready(). Fixes: 0d2e1a2926b18 ("caif_virtio: Introduce caif over virtio") Signed-off-by: Jason Wang Message-Id: <20220620051115.3142-3-jasowang@redhat.com> Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/caif/caif_virtio.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) --- a/drivers/net/caif/caif_virtio.c +++ b/drivers/net/caif/caif_virtio.c @@ -727,13 +727,21 @@ static int cfv_probe(struct virtio_devic /* Carrier is off until netdevice is opened */ netif_carrier_off(netdev); =20 + /* serialize netdev register + virtio_device_ready() with ndo_open() */ + rtnl_lock(); + /* register Netdev */ - err =3D register_netdev(netdev); + err =3D register_netdevice(netdev); if (err) { + rtnl_unlock(); dev_err(&vdev->dev, "Unable to register netdev (%d)\n", err); goto err; } =20 + virtio_device_ready(vdev); + + rtnl_unlock(); + debugfs_init(cfv); =20 return 0; From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 63712CCA47C for ; Tue, 5 Jul 2022 12:00:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232720AbiGEMAv (ORCPT ); Tue, 5 Jul 2022 08:00:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42336 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232880AbiGEMAW (ORCPT ); Tue, 5 Jul 2022 08:00:22 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0302B18345; Tue, 5 Jul 2022 05:00:18 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 973A66174B; Tue, 5 Jul 2022 12:00:17 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A8CFBC341CF; Tue, 5 Jul 2022 12:00:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022417; bh=vsaObZd+iZWcxwNohc0sJZuInhfDdn+IkzqXWqIs19g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VPSaSnGxrc5Z/vaWbf60bTZLyJ0hhkJ91Rm35XTphygWFV3F8WTfXPJX/iEGr5JSH ypKK80MgRNhOwRABNZQ8XvC8wYo/HE2vl6nHPpp56J/pFvbIWItXDzEFSUh5c4NxZX vUKhOZAq3VTomN754stumfecnYEiFnQ90e/LmCv8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pablo Neira Ayuso Subject: [PATCH 4.9 09/29] netfilter: nft_dynset: restore set element counter when failing to update Date: Tue, 5 Jul 2022 13:57:50 +0200 Message-Id: <20220705115606.021430942@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Pablo Neira Ayuso commit 05907f10e235680cc7fb196810e4ad3215d5e648 upstream. This patch fixes a race condition. nft_rhash_update() might fail for two reasons: - Element already exists in the hashtable. - Another packet won race to insert an entry in the hashtable. In both cases, new() has already bumped the counter via atomic_add_unless(), therefore, decrement the set element counter. Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set upd= ates") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- net/netfilter/nft_set_hash.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -121,6 +121,7 @@ static bool nft_hash_update(struct nft_s /* Another cpu may race to insert the element with the same key */ if (prev) { nft_set_elem_destroy(set, he, true); + atomic_dec(&set->nelems); he =3D prev; } =20 @@ -130,6 +131,7 @@ out: =20 err2: nft_set_elem_destroy(set, he, true); + atomic_dec(&set->nelems); err1: return false; } From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A826C43334 for ; Tue, 5 Jul 2022 11:59:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232245AbiGEL7b (ORCPT ); Tue, 5 Jul 2022 07:59:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41592 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232069AbiGEL73 (ORCPT ); Tue, 5 Jul 2022 07:59:29 -0400 Received: from sin.source.kernel.org (sin.source.kernel.org [IPv6:2604:1380:40e1:4800::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E3BAA13D43; Tue, 5 Jul 2022 04:59:27 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id 0F5E2CE0B30; Tue, 5 Jul 2022 11:59:26 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2257EC341C7; Tue, 5 Jul 2022 11:59:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022364; bh=e4iEvqzp2JAXgd6NxzJ2eFzi6ssM7Yqbx1pNMBPQhKc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ir76rD/5QuMiIUOFzxijQrN71k+pHd5HFuY1K8owcywMqD53yCERidnfgopDqmSU9 qPmSXMN19Ceji3a0FMD/PzS51mzVh4p5SoerZo5XZmamDnzCIvNA6gWpq9Uq1jcBje 86U+Lwx1UVQSZwuRuSPo8sk3rY93ebIp3B2k+9JA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot , Eric Dumazet , Jay Vosburgh , Veaceslav Falico , Andy Gospodarek , Jay Vosburgh , Paolo Abeni Subject: [PATCH 4.9 10/29] net: bonding: fix possible NULL deref in rlb code Date: Tue, 5 Jul 2022 13:57:51 +0200 Message-Id: <20220705115606.050750013@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Eric Dumazet commit ab84db251c04d38b8dc7ee86e13d4050bedb1c88 upstream. syzbot has two reports involving the same root cause. bond_alb_initialize() must not set bond->alb_info.rlb_enabled if a memory allocation error is detected. Report 1: general protection fault, probably for non-canonical address 0xdffffc000000= 0002: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 0 PID: 12276 Comm: kworker/u4:10 Not tainted 5.19.0-rc3-syzkaller-0013= 2-g3b89b511ea0c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Goo= gle 01/01/2011 Workqueue: netns cleanup_net RIP: 0010:rlb_clear_slave+0x10e/0x690 drivers/net/bonding/bond_alb.c:393 Code: 8e fc 83 fb ff 0f 84 74 02 00 00 e8 cc 2a 8e fc 48 8b 44 24 08 89 dd = 48 c1 e5 06 4c 8d 34 28 49 8d 7e 14 48 89 f8 48 c1 e8 03 <42> 0f b6 14 20 4= 8 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 RSP: 0018:ffffc90018a8f678 EFLAGS: 00010203 RAX: 0000000000000002 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88803375bb00 RSI: ffffffff84ec4ac4 RDI: 0000000000000014 RBP: 0000000000000000 R08: 0000000000000005 R09: 00000000ffffffff R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000 R13: ffff8880ac889000 R14: 0000000000000000 R15: ffff88815a668c80 FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005597077e10b0 CR3: 0000000026668000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: bond_alb_deinit_slave+0x43c/0x6b0 drivers/net/bonding/bond_alb.c:1663 __bond_release_one.cold+0x383/0xd53 drivers/net/bonding/bond_main.c:2370 bond_slave_netdev_event drivers/net/bonding/bond_main.c:3778 [inline] bond_netdev_event+0x993/0xad0 drivers/net/bonding/bond_main.c:3889 notifier_call_chain+0xb5/0x200 kernel/notifier.c:87 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] call_netdevice_notifiers net/core/dev.c:1997 [inline] unregister_netdevice_many+0x948/0x18b0 net/core/dev.c:10839 default_device_exit_batch+0x449/0x590 net/core/dev.c:11333 ops_exit_list+0x125/0x170 net/core/net_namespace.c:167 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594 process_one_work+0x996/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e9/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 Report 2: general protection fault, probably for non-canonical address 0xdffffc000000= 0006: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 1 PID: 5206 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-12108-g5= 8f9d52ff689 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Goo= gle 01/01/2011 RIP: 0010:rlb_req_update_slave_clients+0x109/0x2f0 drivers/net/bonding/bond= _alb.c:502 Code: 5d 18 8f fc 41 80 3e 00 0f 85 a5 01 00 00 89 d8 48 c1 e0 06 49 03 84 = 24 68 01 00 00 48 8d 78 30 49 89 c7 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 8= 5 98 01 00 00 4d 39 6f 30 75 83 e8 22 18 8f fc 49 RSP: 0018:ffffc9000300ee80 EFLAGS: 00010206 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90016c11000 RDX: 0000000000000006 RSI: ffffffff84eb6bf3 RDI: 0000000000000030 RBP: dffffc0000000000 R08: 0000000000000005 R09: 00000000ffffffff R10: 0000000000000000 R11: 0000000000000000 R12: ffff888027c80c80 R13: ffff88807d7ff800 R14: ffffed1004f901bd R15: 0000000000000000 FS: 00007f6f46c58700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020010000 CR3: 00000000516cc000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: alb_fasten_mac_swap+0x886/0xa80 drivers/net/bonding/bond_alb.c:1070 bond_alb_handle_active_change+0x624/0x1050 drivers/net/bonding/bond_alb.c:= 1765 bond_change_active_slave+0xfa1/0x29b0 drivers/net/bonding/bond_main.c:1173 bond_select_active_slave+0x23f/0xa50 drivers/net/bonding/bond_main.c:1253 bond_enslave+0x3b34/0x53b0 drivers/net/bonding/bond_main.c:2159 do_set_master+0x1c8/0x220 net/core/rtnetlink.c:2577 rtnl_newlink_create net/core/rtnetlink.c:3380 [inline] __rtnl_newlink+0x13ac/0x17e0 net/core/rtnetlink.c:3580 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593 rtnetlink_rcv_msg+0x43a/0xc90 net/core/rtnetlink.c:6089 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:734 ____sys_sendmsg+0x6eb/0x810 net/socket.c:2492 ___sys_sendmsg+0xf3/0x170 net/socket.c:2546 __sys_sendmsg net/socket.c:2575 [inline] __do_sys_sendmsg net/socket.c:2584 [inline] __se_sys_sendmsg net/socket.c:2582 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2582 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f6f45a89109 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 = 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff f= f 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6f46c58168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f6f45b9c030 RCX: 00007f6f45a89109 RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006 RBP: 00007f6f45ae308d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffed99029af R14: 00007f6f46c58300 R15: 0000000000022000 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Jay Vosburgh Cc: Veaceslav Falico Cc: Andy Gospodarek Acked-by: Jay Vosburgh Link: https://lore.kernel.org/r/20220627102813.126264-1-edumazet@google.com Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/bonding/bond_alb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/bonding/bond_alb.c +++ b/drivers/net/bonding/bond_alb.c @@ -1264,12 +1264,12 @@ int bond_alb_initialize(struct bonding * return res; =20 if (rlb_enabled) { - bond->alb_info.rlb_enabled =3D 1; res =3D rlb_initialize(bond); if (res) { tlb_deinitialize(bond); return res; } + bond->alb_info.rlb_enabled =3D 1; } else { bond->alb_info.rlb_enabled =3D 0; } From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 194AFC433EF for ; Tue, 5 Jul 2022 11:59:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232355AbiGEL7f (ORCPT ); Tue, 5 Jul 2022 07:59:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41594 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232108AbiGEL73 (ORCPT ); Tue, 5 Jul 2022 07:59:29 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 795DB13D4A; Tue, 5 Jul 2022 04:59:28 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 15E4F61786; Tue, 5 Jul 2022 11:59:28 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E2F9CC341CD; Tue, 5 Jul 2022 11:59:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022367; bh=FOBNPPodyH/TMIDj76qQ14K5FL2EGD2LPkWSmv5o+DM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kKOEkrSUiFRNQXTKWt7IkWNT1hMMgMjS5ArzkNhTF0meFv65SAEs1vzzctqzbrAd+ GmJtnD7OZTwMMzcxQTyr1vmAq5MF6NpxVnhUxPUY7hHcdGgFnmwSOtCvn8ie73kWUb HFo+UpaC4Eyy7Oh/zuwe7G250Poc6NHncLu0QSNk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Maksym Glubokiy , Yevhen Orlov , Jay Vosburgh , Jakub Kicinski Subject: [PATCH 4.9 11/29] net: bonding: fix use-after-free after 802.3ad slave unbind Date: Tue, 5 Jul 2022 13:57:52 +0200 Message-Id: <20220705115606.080241374@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Yevhen Orlov commit 050133e1aa2cb49bb17be847d48a4431598ef562 upstream. commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection"), resolve case, when there is several aggregation groups in the same bond. bond_3ad_unbind_slave will invalidate (clear) aggregator when __agg_active_ports return zero. So, ad_clear_agg can be executed even, when num_of_ports!=3D0. Than bond_3ad_unbind_slave can be executed again for, previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave will not update slave ports list, because lag_ports=3D=3DNULL. So, here we got slave ports, pointing to freed aggregator memory. Fix with checking actual number of ports in group (as was before commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") ), before ad_clear_agg(). The KASAN logs are as follows: [ 767.617392] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D [ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler= +0x13dc/0x1470 [ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7= /767 [ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.= 15.11 #15 [ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler [ 767.666468] Call trace: [ 767.668930] dump_backtrace+0x0/0x2d0 [ 767.672625] show_stack+0x24/0x30 [ 767.675965] dump_stack_lvl+0x68/0x84 [ 767.679659] print_address_description.constprop.0+0x74/0x2b8 [ 767.685451] kasan_report+0x1f0/0x260 [ 767.689148] __asan_load2+0x94/0xd0 [ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470 Fixes: 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") Co-developed-by: Maksym Glubokiy Signed-off-by: Maksym Glubokiy Signed-off-by: Yevhen Orlov Acked-by: Jay Vosburgh Link: https://lore.kernel.org/r/20220629012914.361-1-yevhen.orlov@plvision.= eu Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/bonding/bond_3ad.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/net/bonding/bond_3ad.c +++ b/drivers/net/bonding/bond_3ad.c @@ -2163,7 +2163,8 @@ void bond_3ad_unbind_slave(struct slave temp_aggregator->num_of_ports--; if (__agg_active_ports(temp_aggregator) =3D=3D 0) { select_new_active_agg =3D temp_aggregator->is_active; - ad_clear_agg(temp_aggregator); + if (temp_aggregator->num_of_ports =3D=3D 0) + ad_clear_agg(temp_aggregator); if (select_new_active_agg) { netdev_info(bond->dev, "Removing an active aggregator\n"); /* select new active aggregator */ From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8FDBCCA47C for ; Tue, 5 Jul 2022 11:59:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232493AbiGEL7j (ORCPT ); Tue, 5 Jul 2022 07:59:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41674 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232322AbiGEL7d (ORCPT ); Tue, 5 Jul 2022 07:59:33 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F0C002678; Tue, 5 Jul 2022 04:59:32 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 9BEDCB817D2; Tue, 5 Jul 2022 11:59:31 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C5E44C341C7; Tue, 5 Jul 2022 11:59:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022370; bh=lNTWFd29FeHei074LkrRifrXHa5SjoBLx0HBvMGgLLs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=HfW4fKzgUMsnt6mQVLCqyeKjWdemWGXOHB9RHMwxAFDDzoivVdny0+nzddxS5kUEQ 1J6kBZft9vplFbPfGRK/XIGLG5xxepBRHdvPqBI9/ZWryL6Y+AXHIAFK2fDoXHicPt YX5x1OcP1QGwSJ/Bcxhm0ixRAkj+diHp/hfWoSRE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Lv Ruyi , Krzysztof Kozlowski , Jakub Kicinski Subject: [PATCH 4.9 12/29] nfc: nfcmrvl: Fix irq_of_parse_and_map() return value Date: Tue, 5 Jul 2022 13:57:53 +0200 Message-Id: <20220705115606.110327439@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Krzysztof Kozlowski commit 5a478a653b4cca148d5c89832f007ec0809d7e6d upstream. The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO. Reported-by: Lv Ruyi Fixes: caf6e49bf6d0 ("NFC: nfcmrvl: add spi driver") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20220627124048.296253-1-krzysztof.kozlowski= @linaro.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/nfc/nfcmrvl/i2c.c | 6 +++--- drivers/nfc/nfcmrvl/spi.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) --- a/drivers/nfc/nfcmrvl/i2c.c +++ b/drivers/nfc/nfcmrvl/i2c.c @@ -186,9 +186,9 @@ static int nfcmrvl_i2c_parse_dt(struct d pdata->irq_polarity =3D IRQF_TRIGGER_RISING; =20 ret =3D irq_of_parse_and_map(node, 0); - if (ret < 0) { - pr_err("Unable to get irq, error: %d\n", ret); - return ret; + if (!ret) { + pr_err("Unable to get irq\n"); + return -EINVAL; } pdata->irq =3D ret; =20 --- a/drivers/nfc/nfcmrvl/spi.c +++ b/drivers/nfc/nfcmrvl/spi.c @@ -130,9 +130,9 @@ static int nfcmrvl_spi_parse_dt(struct d } =20 ret =3D irq_of_parse_and_map(node, 0); - if (ret < 0) { - pr_err("Unable to get irq, error: %d\n", ret); - return ret; + if (!ret) { + pr_err("Unable to get irq\n"); + return -EINVAL; } pdata->irq =3D ret; From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B9D2FC433EF for ; Tue, 5 Jul 2022 11:59:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232556AbiGEL7l (ORCPT ); Tue, 5 Jul 2022 07:59:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41706 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232108AbiGEL7g (ORCPT ); Tue, 5 Jul 2022 07:59:36 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9FFFC1582A; Tue, 5 Jul 2022 04:59:35 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 61EF0B817CC; Tue, 5 Jul 2022 11:59:34 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B0EA6C341C7; Tue, 5 Jul 2022 11:59:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022373; bh=tpiyEXn88fsmM6J9Y6FUx7OOFUOVV+53Ew27/QlsE4U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Zj3cdy5kbcszhckQvqqaR7nnmvFjKWcmZT3rhl6L2DmYLMAjVjQgFdCl1D6vwQ17C uHWYRno8k8Hx4GuFuZFqJVAcbi2zAgbQ9oGIpmcOWl7ovioTsxCnrZ8M5x/wO/HSal ZcPqk/teWH/mioRGY3WbWnbas2G5AHuE83oV7/Mg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Michael Walle , Krzysztof Kozlowski , "David S. Miller" Subject: [PATCH 4.9 13/29] NFC: nxp-nci: Dont issue a zero length i2c_master_read() Date: Tue, 5 Jul 2022 13:57:54 +0200 Message-Id: <20220705115606.139233334@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Michael Walle commit eddd95b9423946aaacb55cac6a9b2cea8ab944fc upstream. There are packets which doesn't have a payload. In that case, the second i2c_master_read() will have a zero length. But because the NFC controller doesn't have any data left, it will NACK the I2C read and -ENXIO will be returned. In case there is no payload, just skip the second i2c master read. Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver") Signed-off-by: Michael Walle Reviewed-by: Krzysztof Kozlowski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/nfc/nxp-nci/i2c.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/nfc/nxp-nci/i2c.c +++ b/drivers/nfc/nxp-nci/i2c.c @@ -180,6 +180,9 @@ static int nxp_nci_i2c_nci_read(struct n memcpy(skb_put(*skb, NCI_CTRL_HDR_SIZE), (void *) &header, NCI_CTRL_HDR_SIZE); =20 + if (!header.plen) + return 0; + r =3D i2c_master_recv(client, skb_put(*skb, header.plen), header.plen); if (r !=3D header.plen) { nfc_err(&client->dev, From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 78D06CCA47B for ; Tue, 5 Jul 2022 11:59:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232108AbiGEL7q (ORCPT ); Tue, 5 Jul 2022 07:59:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41760 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232496AbiGEL7j (ORCPT ); Tue, 5 Jul 2022 07:59:39 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 69FBB17A9C; Tue, 5 Jul 2022 04:59:38 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 2029BB817D2; Tue, 5 Jul 2022 11:59:37 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6D00DC341C7; Tue, 5 Jul 2022 11:59:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022375; bh=NZ6/S0VUSdnhx1r9Waq2YSYijrWtj5mKy+JGsLsh7wE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jaDUsNOm4RRwWVlI2AUKQofOWBNeTzb1771y3VshwKZFc/SrD8MTTfIHahlpyCtl+ Uja8imYc2frZbQW1c+CRDmVGrZEIeiMpKiNla1dhg3XoJvVke5wG6ZvXeCbsE1YTAC SAenmOfJsMBBkYQtJ3kTa2n8mO48oH+bsfGvWo2A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Demi Marie Obenour , Juergen Gross Subject: [PATCH 4.9 14/29] xen/gntdev: Avoid blocking in unmap_grant_pages() Date: Tue, 5 Jul 2022 13:57:55 +0200 Message-Id: <20220705115606.168668005@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Demi Marie Obenour commit dbe97cff7dd9f0f75c524afdd55ad46be3d15295 upstream. unmap_grant_pages() currently waits for the pages to no longer be used. In https://github.com/QubesOS/qubes-issues/issues/7481, this lead to a deadlock against i915: i915 was waiting for gntdev's MMU notifier to finish, while gntdev was waiting for i915 to free its pages. I also believe this is responsible for various deadlocks I have experienced in the past. Avoid these problems by making unmap_grant_pages async. This requires making it return void, as any errors will not be available when the function returns. Fortunately, the only use of the return value is a WARN_ON(), which can be replaced by a WARN_ON when the error is detected. Additionally, a failed call will not prevent further calls from being made, but this is harmless. Because unmap_grant_pages is now async, the grant handle will be sent to INVALID_GRANT_HANDLE too late to prevent multiple unmaps of the same handle. Instead, a separate bool array is allocated for this purpose. This wastes memory, but stuffing this information in padding bytes is too fragile. Furthermore, it is necessary to grab a reference to the map before making the asynchronous call, and release the reference when the call returns. It is also necessary to guard against reentrancy in gntdev_map_put(), and to handle the case where userspace tries to map a mapping whose contents have not all been freed yet. Fixes: 745282256c75 ("xen/gntdev: safely unmap grants in case they are stil= l in use") Cc: stable@vger.kernel.org Signed-off-by: Demi Marie Obenour Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20220622022726.2538-1-demi@invisiblethingsl= ab.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/xen/gntdev.c | 144 ++++++++++++++++++++++++++++++++++++----------= ----- 1 file changed, 102 insertions(+), 42 deletions(-) --- a/drivers/xen/gntdev.c +++ b/drivers/xen/gntdev.c @@ -57,6 +57,7 @@ MODULE_PARM_DESC(limit, "Maximum number =20 static atomic_t pages_mapped =3D ATOMIC_INIT(0); =20 +/* True in PV mode, false otherwise */ static int use_ptemod; #define populate_freeable_maps use_ptemod =20 @@ -92,11 +93,16 @@ struct grant_map { struct gnttab_unmap_grant_ref *unmap_ops; struct gnttab_map_grant_ref *kmap_ops; struct gnttab_unmap_grant_ref *kunmap_ops; + bool *being_removed; struct page **pages; unsigned long pages_vm_start; + /* Number of live grants */ + atomic_t live_grants; + /* Needed to avoid allocation in unmap_grant_pages */ + struct gntab_unmap_queue_data unmap_data; }; =20 -static int unmap_grant_pages(struct grant_map *map, int offset, int pages); +static void unmap_grant_pages(struct grant_map *map, int offset, int pages= ); =20 /* ------------------------------------------------------------------ */ =20 @@ -127,6 +133,7 @@ static void gntdev_free_map(struct grant kfree(map->unmap_ops); kfree(map->kmap_ops); kfree(map->kunmap_ops); + kfree(map->being_removed); kfree(map); } =20 @@ -145,12 +152,15 @@ static struct grant_map *gntdev_alloc_ma add->kmap_ops =3D kcalloc(count, sizeof(add->kmap_ops[0]), GFP_KERNEL); add->kunmap_ops =3D kcalloc(count, sizeof(add->kunmap_ops[0]), GFP_KERNEL= ); add->pages =3D kcalloc(count, sizeof(add->pages[0]), GFP_KERNEL); + add->being_removed =3D + kcalloc(count, sizeof(add->being_removed[0]), GFP_KERNEL); if (NULL =3D=3D add->grants || NULL =3D=3D add->map_ops || NULL =3D=3D add->unmap_ops || NULL =3D=3D add->kmap_ops || NULL =3D=3D add->kunmap_ops || - NULL =3D=3D add->pages) + NULL =3D=3D add->pages || + NULL =3D=3D add->being_removed) goto err; =20 if (gnttab_alloc_pages(count, add->pages)) @@ -215,6 +225,34 @@ static void gntdev_put_map(struct gntdev return; =20 atomic_sub(map->count, &pages_mapped); + if (map->pages && !use_ptemod) { + /* + * Increment the reference count. This ensures that the + * subsequent call to unmap_grant_pages() will not wind up + * re-entering itself. It *can* wind up calling + * gntdev_put_map() recursively, but such calls will be with a + * reference count greater than 1, so they will return before + * this code is reached. The recursion depth is thus limited to + * 1. + */ + atomic_set(&map->users, 1); + + /* + * Unmap the grants. This may or may not be asynchronous, so it + * is possible that the reference count is 1 on return, but it + * could also be greater than 1. + */ + unmap_grant_pages(map, 0, map->count); + + /* Check if the memory now needs to be freed */ + if (!atomic_dec_and_test(&map->users)) + return; + + /* + * All pages have been returned to the hypervisor, so free the + * map. + */ + } =20 if (map->notify.flags & UNMAP_NOTIFY_SEND_EVENT) { notify_remote_via_evtchn(map->notify.event); @@ -272,6 +310,7 @@ static int set_grant_ptes_as_special(pte =20 static int map_grant_pages(struct grant_map *map) { + size_t alloced =3D 0; int i, err =3D 0; =20 if (!use_ptemod) { @@ -320,85 +359,107 @@ static int map_grant_pages(struct grant_ map->pages, map->count); =20 for (i =3D 0; i < map->count; i++) { - if (map->map_ops[i].status =3D=3D GNTST_okay) + if (map->map_ops[i].status =3D=3D GNTST_okay) { map->unmap_ops[i].handle =3D map->map_ops[i].handle; - else if (!err) + if (!use_ptemod) + alloced++; + } else if (!err) err =3D -EINVAL; =20 if (map->flags & GNTMAP_device_map) map->unmap_ops[i].dev_bus_addr =3D map->map_ops[i].dev_bus_addr; =20 if (use_ptemod) { - if (map->kmap_ops[i].status =3D=3D GNTST_okay) + if (map->kmap_ops[i].status =3D=3D GNTST_okay) { + if (map->map_ops[i].status =3D=3D GNTST_okay) + alloced++; map->kunmap_ops[i].handle =3D map->kmap_ops[i].handle; - else if (!err) + } else if (!err) err =3D -EINVAL; } } + atomic_add(alloced, &map->live_grants); return err; } =20 -static int __unmap_grant_pages(struct grant_map *map, int offset, int page= s) +static void __unmap_grant_pages_done(int result, + struct gntab_unmap_queue_data *data) { - int i, err =3D 0; - struct gntab_unmap_queue_data unmap_data; + unsigned int i; + struct grant_map *map =3D data->data; + unsigned int offset =3D data->unmap_ops - map->unmap_ops; + + for (i =3D 0; i < data->count; i++) { + WARN_ON(map->unmap_ops[offset+i].status); + pr_debug("unmap handle=3D%d st=3D%d\n", + map->unmap_ops[offset+i].handle, + map->unmap_ops[offset+i].status); + map->unmap_ops[offset+i].handle =3D -1; + } + /* + * Decrease the live-grant counter. This must happen after the loop to + * prevent premature reuse of the grants by gnttab_mmap(). + */ + atomic_sub(data->count, &map->live_grants); + + /* Release reference taken by unmap_grant_pages */ + gntdev_put_map(NULL, map); +} =20 +static void __unmap_grant_pages(struct grant_map *map, int offset, int pag= es) +{ if (map->notify.flags & UNMAP_NOTIFY_CLEAR_BYTE) { int pgno =3D (map->notify.addr >> PAGE_SHIFT); + if (pgno >=3D offset && pgno < offset + pages) { /* No need for kmap, pages are in lowmem */ uint8_t *tmp =3D pfn_to_kaddr(page_to_pfn(map->pages[pgno])); + tmp[map->notify.addr & (PAGE_SIZE-1)] =3D 0; map->notify.flags &=3D ~UNMAP_NOTIFY_CLEAR_BYTE; } } =20 - unmap_data.unmap_ops =3D map->unmap_ops + offset; - unmap_data.kunmap_ops =3D use_ptemod ? map->kunmap_ops + offset : NULL; - unmap_data.pages =3D map->pages + offset; - unmap_data.count =3D pages; + map->unmap_data.unmap_ops =3D map->unmap_ops + offset; + map->unmap_data.kunmap_ops =3D use_ptemod ? map->kunmap_ops + offset : NU= LL; + map->unmap_data.pages =3D map->pages + offset; + map->unmap_data.count =3D pages; + map->unmap_data.done =3D __unmap_grant_pages_done; + map->unmap_data.data =3D map; + atomic_inc(&map->users); /* to keep map alive during async call below */ =20 - err =3D gnttab_unmap_refs_sync(&unmap_data); - if (err) - return err; - - for (i =3D 0; i < pages; i++) { - if (map->unmap_ops[offset+i].status) - err =3D -EINVAL; - pr_debug("unmap handle=3D%d st=3D%d\n", - map->unmap_ops[offset+i].handle, - map->unmap_ops[offset+i].status); - map->unmap_ops[offset+i].handle =3D -1; - } - return err; + gnttab_unmap_refs_async(&map->unmap_data); } =20 -static int unmap_grant_pages(struct grant_map *map, int offset, int pages) +static void unmap_grant_pages(struct grant_map *map, int offset, int pages) { - int range, err =3D 0; + int range; + + if (atomic_read(&map->live_grants) =3D=3D 0) + return; /* Nothing to do */ =20 pr_debug("unmap %d+%d [%d+%d]\n", map->index, map->count, offset, pages); =20 /* It is possible the requested range will have a "hole" where we * already unmapped some of the grants. Only unmap valid ranges. */ - while (pages && !err) { - while (pages && map->unmap_ops[offset].handle =3D=3D -1) { + while (pages) { + while (pages && map->being_removed[offset]) { offset++; pages--; } range =3D 0; while (range < pages) { - if (map->unmap_ops[offset+range].handle =3D=3D -1) + if (map->being_removed[offset + range]) break; + map->being_removed[offset + range] =3D true; range++; } - err =3D __unmap_grant_pages(map, offset, range); + if (range) + __unmap_grant_pages(map, offset, range); offset +=3D range; pages -=3D range; } - - return err; } =20 /* ------------------------------------------------------------------ */ @@ -454,7 +515,6 @@ static void unmap_if_in_range(struct gra unsigned long start, unsigned long end) { unsigned long mstart, mend; - int err; =20 if (!map->vma) return; @@ -468,10 +528,9 @@ static void unmap_if_in_range(struct gra map->index, map->count, map->vma->vm_start, map->vma->vm_end, start, end, mstart, mend); - err =3D unmap_grant_pages(map, + unmap_grant_pages(map, (mstart - map->vma->vm_start) >> PAGE_SHIFT, (mend - mstart) >> PAGE_SHIFT); - WARN_ON(err); } =20 static void mn_invl_range_start(struct mmu_notifier *mn, @@ -503,7 +562,6 @@ static void mn_release(struct mmu_notifi { struct gntdev_priv *priv =3D container_of(mn, struct gntdev_priv, mn); struct grant_map *map; - int err; =20 mutex_lock(&priv->lock); list_for_each_entry(map, &priv->maps, next) { @@ -512,8 +570,7 @@ static void mn_release(struct mmu_notifi pr_debug("map %d+%d (%lx %lx)\n", map->index, map->count, map->vma->vm_start, map->vma->vm_end); - err =3D unmap_grant_pages(map, /* offset */ 0, map->count); - WARN_ON(err); + unmap_grant_pages(map, /* offset */ 0, map->count); } list_for_each_entry(map, &priv->freeable_maps, next) { if (!map->vma) @@ -521,8 +578,7 @@ static void mn_release(struct mmu_notifi pr_debug("map %d+%d (%lx %lx)\n", map->index, map->count, map->vma->vm_start, map->vma->vm_end); - err =3D unmap_grant_pages(map, /* offset */ 0, map->count); - WARN_ON(err); + unmap_grant_pages(map, /* offset */ 0, map->count); } mutex_unlock(&priv->lock); } @@ -1012,6 +1068,10 @@ static int gntdev_mmap(struct file *flip goto unlock_out; } =20 + if (atomic_read(&map->live_grants)) { + err =3D -EAGAIN; + goto unlock_out; + } atomic_inc(&map->users); =20 vma->vm_ops =3D &gntdev_vmops; From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 44A82C43334 for ; Tue, 5 Jul 2022 11:59:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232648AbiGEL7u (ORCPT ); Tue, 5 Jul 2022 07:59:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41798 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232576AbiGEL7m (ORCPT ); Tue, 5 Jul 2022 07:59:42 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3F13017AA4; Tue, 5 Jul 2022 04:59:41 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E004BB817DB; Tue, 5 Jul 2022 11:59:39 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2B438C341CB; Tue, 5 Jul 2022 11:59:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022378; bh=CQl6euab5xGbNlx53hUvYix1BiHS9rLNvUdVGXVQJ1E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TUix//m/gDRrnnjV2IGYjMNC3ymutWZOB0H+1+l3cuMtdr33s4Ht10TbGlS0zQHKa De/5FR76ZNqEEgZbjRBwj5nAAgX32pSnLy+A/7OrgpR0Re86E5ywzmbdoSu91zrV0K 4ix7YvRprwTt4WXB39zSRvubE9SY4PDGA+daIg6M= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Yang Yingliang , Guenter Roeck , Sasha Levin Subject: [PATCH 4.9 15/29] hwmon: (ibmaem) dont call platform_device_del() if platform_device_add() fails Date: Tue, 5 Jul 2022 13:57:56 +0200 Message-Id: <20220705115606.198393714@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Yang Yingliang [ Upstream commit d0e51022a025ca5350fafb8e413a6fe5d4baf833 ] If platform_device_add() fails, it no need to call platform_device_del(), s= plit platform_device_unregister() into platform_device_del/put(), so platform_de= vice_put() can be called separately. Fixes: 8808a793f052 ("ibmaem: new driver for power/energy/temp meters in IB= M System X hardware") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20220701074153.4021556-1-yangyingliang@huaw= ei.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/hwmon/ibmaem.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) --- a/drivers/hwmon/ibmaem.c +++ b/drivers/hwmon/ibmaem.c @@ -563,7 +563,7 @@ static int aem_init_aem1_inst(struct aem =20 res =3D platform_device_add(data->pdev); if (res) - goto ipmi_err; + goto dev_add_err; =20 platform_set_drvdata(data->pdev, data); =20 @@ -611,7 +611,9 @@ hwmon_reg_err: ipmi_destroy_user(data->ipmi.user); ipmi_err: platform_set_drvdata(data->pdev, NULL); - platform_device_unregister(data->pdev); + platform_device_del(data->pdev); +dev_add_err: + platform_device_put(data->pdev); dev_err: ida_simple_remove(&aem_ida, data->id); id_err: @@ -703,7 +705,7 @@ static int aem_init_aem2_inst(struct aem =20 res =3D platform_device_add(data->pdev); if (res) - goto ipmi_err; + goto dev_add_err; =20 platform_set_drvdata(data->pdev, data); =20 @@ -751,7 +753,9 @@ hwmon_reg_err: ipmi_destroy_user(data->ipmi.user); ipmi_err: platform_set_drvdata(data->pdev, NULL); - platform_device_unregister(data->pdev); + platform_device_del(data->pdev); +dev_add_err: + platform_device_put(data->pdev); dev_err: ida_simple_remove(&aem_ida, data->id); id_err: From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EFF9BC43334 for ; Tue, 5 Jul 2022 11:59:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232665AbiGEL74 (ORCPT ); Tue, 5 Jul 2022 07:59:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41848 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232619AbiGEL7p (ORCPT ); Tue, 5 Jul 2022 07:59:45 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A019F17AAA; Tue, 5 Jul 2022 04:59:42 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3FDF161791; Tue, 5 Jul 2022 11:59:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 49361C341C7; Tue, 5 Jul 2022 11:59:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022381; bh=8S7fmxJW1z0SoBquh6YRBSffHhlVz4I2j/kKs9IFuXQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZEbbIgjIVoaTa/7r3K3NWN70JbVXN9OP6S0CWaS/KbVupfIcbsVQz0P7+QyYh5Dzy oLniTOLr/T29RskJDY9enUlXyAwxaX2aQ47InPec72Kwmh2zwp2CNT/Cji90TJBMFx mxcasKW8G7S+U/oMN6OKywVqY5MwT31fDv9CQODE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Doug Berger , Florian Fainelli , Jakub Kicinski Subject: [PATCH 4.9 16/29] net: dsa: bcm_sf2: force pause link settings Date: Tue, 5 Jul 2022 13:57:57 +0200 Message-Id: <20220705115606.227964792@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Doug Berger commit 7c97bc0128b2eecc703106112679a69d446d1a12 upstream. The pause settings reported by the PHY should also be applied to the GMII p= ort status override otherwise the switch will not generate pause frames towards= the link partner despite the advertisement saying otherwise. Fixes: 246d7f773c13 ("net: dsa: add Broadcom SF2 switch driver") Signed-off-by: Doug Berger Signed-off-by: Florian Fainelli Link: https://lore.kernel.org/r/20220623030204.1966851-1-f.fainelli@gmail.c= om Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/dsa/bcm_sf2.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/net/dsa/bcm_sf2.c +++ b/drivers/net/dsa/bcm_sf2.c @@ -671,6 +671,11 @@ force_link: reg |=3D LINK_STS; if (phydev->duplex =3D=3D DUPLEX_FULL) reg |=3D DUPLX_MODE; + if (phydev->pause) { + if (phydev->asym_pause) + reg |=3D TXFLOW_CNTL; + reg |=3D RXFLOW_CNTL; + } =20 core_writel(priv, reg, CORE_STS_OVERRIDE_GMIIP_PORT(port)); From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28CA6C43334 for ; Tue, 5 Jul 2022 12:00:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232677AbiGEL77 (ORCPT ); Tue, 5 Jul 2022 07:59:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41860 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232622AbiGEL7p (ORCPT ); Tue, 5 Jul 2022 07:59:45 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 537361091; Tue, 5 Jul 2022 04:59:45 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E4B54617B2; Tue, 5 Jul 2022 11:59:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F3416C341C7; Tue, 5 Jul 2022 11:59:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022384; bh=xy/zpNF28Nl4sccHc2YYbTctrPGisl++k7Cccms5UtU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SUxsAtpLkn7QhPCdgOCKnklzGEwnB6yBCnsIGEWKgmL8WoYJYRfZ6sHuRzInfce8c oj3nSsNO3GR1HW5pvGx8sOVgh9Aw3ar2xUw0ZSyeLnfbSAcoA7+rjeVgBXmPAPNRzA UeoqG2Yny6kBka4VBXvQLThTrCSh3CM6dK1NctJ0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Denis Efremov , kernel test robot , David Ahern , "David S. Miller" Subject: [PATCH 4.9 17/29] sit: use min Date: Tue, 5 Jul 2022 13:57:58 +0200 Message-Id: <20220705115606.256584701@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: kernel test robot commit 284fda1eff8a8b27d2cafd7dc8fb423d13720f21 upstream. Opportunity for min() Generated by: scripts/coccinelle/misc/minmax.cocci CC: Denis Efremov Reported-by: kernel test robot Signed-off-by: kernel test robot Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- net/ipv6/sit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -310,7 +310,7 @@ static int ipip6_tunnel_get_prl(struct i =20 rcu_read_lock(); =20 - ca =3D t->prl_count < cmax ? t->prl_count : cmax; + ca =3D min(t->prl_count, cmax); =20 if (!kp) { /* We don't try hard to allocate much memory for From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E1F4EC43334 for ; Tue, 5 Jul 2022 12:00:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232649AbiGEMAG (ORCPT ); Tue, 5 Jul 2022 08:00:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41914 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232643AbiGEL7t (ORCPT ); Tue, 5 Jul 2022 07:59:49 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 01AC31091; Tue, 5 Jul 2022 04:59:48 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 929626179A; Tue, 5 Jul 2022 11:59:47 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A00C2C36AE3; Tue, 5 Jul 2022 11:59:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022387; bh=8yXwt5fDYM0Ni43eWkCW3PtpY1Ok5HaaZ+H9RI5f51c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DjsSw/8GVHQ08Ef+qA45vIxuUVRECBNHTmZij+Q6U3kgbb9voluPVQ79qtwPFEv66 MFkT3XlktN73vXVCVl4xuoVbio5sRWya3ChjkGq3eP+9Knx1jFDDlO1KE+d21M4rzu K4jEWKpI0dyMZ4UJAkc3NiMAxebbaPl0GB8nVU34= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, katrinzhou , Eric Dumazet , David Ahern , Jakub Kicinski Subject: [PATCH 4.9 18/29] ipv6/sit: fix ipip6_tunnel_get_prl return value Date: Tue, 5 Jul 2022 13:57:59 +0200 Message-Id: <20220705115606.285853914@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: katrinzhou commit adabdd8f6acabc0c3fdbba2e7f5a2edd9c5ef22d upstream. When kcalloc fails, ipip6_tunnel_get_prl() should return -ENOMEM. Move the position of label "out" to return correctly. Addresses-Coverity: ("Unused value") Fixes: 300aaeeaab5f ("[IPV6] SIT: Add SIOCGETPRL ioctl to get/dump PRL.") Signed-off-by: katrinzhou Reviewed-by: Eric Dumazet Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20220628035030.1039171-1-zys.zljxml@gmail.c= om Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- net/ipv6/sit.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -308,8 +308,6 @@ static int ipip6_tunnel_get_prl(struct i kcalloc(cmax, sizeof(*kp), GFP_KERNEL) : NULL; =20 - rcu_read_lock(); - ca =3D min(t->prl_count, cmax); =20 if (!kp) { @@ -325,7 +323,7 @@ static int ipip6_tunnel_get_prl(struct i } } =20 - c =3D 0; + rcu_read_lock(); for_each_prl_rcu(t->prl) { if (c >=3D cmax) break; @@ -337,7 +335,7 @@ static int ipip6_tunnel_get_prl(struct i if (kprl.addr !=3D htonl(INADDR_ANY)) break; } -out: + rcu_read_unlock(); =20 len =3D sizeof(*kp) * c; @@ -346,7 +344,7 @@ out: ret =3D -EFAULT; =20 kfree(kp); - +out: return ret; } From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F42EC433EF for ; Tue, 5 Jul 2022 12:00:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232821AbiGEMAM (ORCPT ); Tue, 5 Jul 2022 08:00:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42204 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232682AbiGEMAD (ORCPT ); Tue, 5 Jul 2022 08:00:03 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A635817E02; Tue, 5 Jul 2022 04:59:50 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 433996174B; Tue, 5 Jul 2022 11:59:50 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 56841C341CD; Tue, 5 Jul 2022 11:59:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022389; bh=nH/iHHTgnKhb3862t/o5lYm7uKzkZ4FjTsdDg0b0vZ8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LomNs9icWo6Ir/bCREsK1cDpFkM5EW+qBNP5hiSrhInU2+LAz5KxOazOVEcf6kmsJ yeDO+1bQqt6zZqY4o8ovY97eCw2Wcn7p3PmuzirZJ1WT2EAzNP3MNGlmmu4h/qR4O6 jmLnKBAaZ0hKnfWrukvt890gj0lXKjDC1RNlkbZ0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ilya Lesokhin , Boris Pismenny , "David S. Miller" Subject: [PATCH 4.9 19/29] net: Rename and export copy_skb_header Date: Tue, 5 Jul 2022 13:58:00 +0200 Message-Id: <20220705115606.315387213@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Ilya Lesokhin commit 08303c189581c985e60f588ad92a041e46b6e307 upstream. [ jgross@suse.com: added as needed by XSA-403 mitigation ] copy_skb_header is renamed to skb_copy_header and exported. Exposing this function give more flexibility in copying SKBs. skb_copy and skb_copy_expand do not give enough control over which parts are copied. Signed-off-by: Ilya Lesokhin Signed-off-by: Boris Pismenny Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- include/linux/skbuff.h | 1 + net/core/skbuff.c | 9 +++++---- 2 files changed, 6 insertions(+), 4 deletions(-) --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -975,6 +975,7 @@ static inline struct sk_buff *alloc_skb_ struct sk_buff *skb_morph(struct sk_buff *dst, struct sk_buff *src); int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask); struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t priority); +void skb_copy_header(struct sk_buff *new, const struct sk_buff *old); struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t priority); struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom, gfp_t gfp_mask, bool fclone); --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -1071,7 +1071,7 @@ static void skb_headers_offset_update(st skb->inner_mac_header +=3D off; } =20 -static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old) +void skb_copy_header(struct sk_buff *new, const struct sk_buff *old) { __copy_skb_header(new, old); =20 @@ -1079,6 +1079,7 @@ static void copy_skb_header(struct sk_bu skb_shinfo(new)->gso_segs =3D skb_shinfo(old)->gso_segs; skb_shinfo(new)->gso_type =3D skb_shinfo(old)->gso_type; } +EXPORT_SYMBOL(skb_copy_header); =20 static inline int skb_alloc_rx_flag(const struct sk_buff *skb) { @@ -1122,7 +1123,7 @@ struct sk_buff *skb_copy(const struct sk if (skb_copy_bits(skb, -headerlen, n->head, headerlen + skb->len)) BUG(); =20 - copy_skb_header(n, skb); + skb_copy_header(n, skb); return n; } EXPORT_SYMBOL(skb_copy); @@ -1185,7 +1186,7 @@ struct sk_buff *__pskb_copy_fclone(struc skb_clone_fraglist(n); } =20 - copy_skb_header(n, skb); + skb_copy_header(n, skb); out: return n; } @@ -1356,7 +1357,7 @@ struct sk_buff *skb_copy_expand(const st skb->len + head_copy_len)) BUG(); =20 - copy_skb_header(n, skb); + skb_copy_header(n, skb); =20 skb_headers_offset_update(n, newheadroom - oldheadroom); From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3B816C433EF for ; Tue, 5 Jul 2022 12:00:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232841AbiGEMAP (ORCPT ); Tue, 5 Jul 2022 08:00:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42186 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232622AbiGEMAE (ORCPT ); Tue, 5 Jul 2022 08:00:04 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BCF0217A9C; Tue, 5 Jul 2022 04:59:57 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 6B227B817D2; Tue, 5 Jul 2022 11:59:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C1FCBC341C7; Tue, 5 Jul 2022 11:59:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022395; bh=jmPj2WZDXpsuAE6DASFX1pJaBVolC/E8gMSSeLFsgBk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=d3JncEp1IIoTlbZ4N+cKczvk9mX8qOW01eXp1a92G4+P6NlMRBEoG2fOcAcrFX6K6 pY2RWrRT91mwqhdgdyhQzy4yIxJUIH4ZZevPG3fjwsdgO0pflrNa2sLh82984/29dK lgLPgUTP5WCckDSdOONjXRhyGxkmWiaFeDX2GMT4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Jan Beulich , Juergen Gross Subject: [PATCH 4.9 20/29] xen/blkfront: fix leaking data in shared pages Date: Tue, 5 Jul 2022 13:58:01 +0200 Message-Id: <20220705115606.344468678@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Roger Pau Monne commit 2f446ffe9d737e9a844b97887919c4fda18246e7 upstream. When allocating pages to be used for shared communication with the backend always zero them, this avoids leaking unintended data present on the pages. This is CVE-2022-26365, part of XSA-403. Signed-off-by: Roger Pau Monn=C3=A9 Reviewed-by: Jan Beulich Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/block/xen-blkfront.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/block/xen-blkfront.c +++ b/drivers/block/xen-blkfront.c @@ -297,7 +297,7 @@ static int fill_grant_buffer(struct blkf goto out_of_memory; =20 if (info->feature_persistent) { - granted_page =3D alloc_page(GFP_NOIO); + granted_page =3D alloc_page(GFP_NOIO | __GFP_ZERO); if (!granted_page) { kfree(gnt_list_entry); goto out_of_memory; @@ -1729,7 +1729,7 @@ static int setup_blkring(struct xenbus_d for (i =3D 0; i < info->nr_ring_pages; i++) rinfo->ring_ref[i] =3D GRANT_INVALID_REF; =20 - sring =3D alloc_pages_exact(ring_size, GFP_NOIO); + sring =3D alloc_pages_exact(ring_size, GFP_NOIO | __GFP_ZERO); if (!sring) { xenbus_dev_fatal(dev, -ENOMEM, "allocating shared ring"); return -ENOMEM; @@ -2311,7 +2311,8 @@ static int blkfront_setup_indirect(struc =20 BUG_ON(!list_empty(&rinfo->indirect_pages)); for (i =3D 0; i < num; i++) { - struct page *indirect_page =3D alloc_page(GFP_NOIO); + struct page *indirect_page =3D alloc_page(GFP_NOIO | + __GFP_ZERO); if (!indirect_page) goto out_of_memory; list_add(&indirect_page->lru, &rinfo->indirect_pages); From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 317ADC43334 for ; Tue, 5 Jul 2022 12:00:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232865AbiGEMAR (ORCPT ); Tue, 5 Jul 2022 08:00:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42286 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232680AbiGEMAF (ORCPT ); Tue, 5 Jul 2022 08:00:05 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AED4917E3C; Tue, 5 Jul 2022 05:00:00 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 43D31B817D3; Tue, 5 Jul 2022 11:59:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 91DB9C341C7; Tue, 5 Jul 2022 11:59:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022398; bh=AZoMAuQ6OxD3h/PpP37DVLqlgzQlS/JHVB1+uwEHFWU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zTbmRxmQyTX81I/IYiks6QPfpP9mXohJbxXvPxj+QH/rZgs7nKmPXn3elzLAhS+6I 3hvBlcefWLtAc7iu94rwmGBCPrTzohB/nkcTwMzWERyWROPNtbB4tDufy/WmW9QLLD 6KV/JeXOg+YqlydDeBh46t9M6fswfGOBQPKPYYNM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Jan Beulich , Juergen Gross Subject: [PATCH 4.9 21/29] xen/netfront: fix leaking data in shared pages Date: Tue, 5 Jul 2022 13:58:02 +0200 Message-Id: <20220705115606.373332495@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Roger Pau Monne commit 307c8de2b02344805ebead3440d8feed28f2f010 upstream. When allocating pages to be used for shared communication with the backend always zero them, this avoids leaking unintended data present on the pages. This is CVE-2022-33740, part of XSA-403. Signed-off-by: Roger Pau Monn=C3=A9 Reviewed-by: Jan Beulich Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/xen-netfront.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -260,7 +260,7 @@ static struct sk_buff *xennet_alloc_one_ if (unlikely(!skb)) return NULL; =20 - page =3D alloc_page(GFP_ATOMIC | __GFP_NOWARN); + page =3D alloc_page(GFP_ATOMIC | __GFP_NOWARN | __GFP_ZERO); if (!page) { kfree_skb(skb); return NULL; From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1DD0CCCA47B for ; Tue, 5 Jul 2022 12:01:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233072AbiGEMBi (ORCPT ); Tue, 5 Jul 2022 08:01:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43180 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232876AbiGEMAp (ORCPT ); Tue, 5 Jul 2022 08:00:45 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 83CBF17E3D; Tue, 5 Jul 2022 05:00:44 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 0AE08B817CC; Tue, 5 Jul 2022 12:00:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7429CC341C7; Tue, 5 Jul 2022 12:00:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022441; bh=OnkOPmowCXAmM9/VNhjBkkv3GcPDvhbCYZ+m0220cKE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GFnuYshGRlJ5fAW3fJCoAZUmvQgVO83Uz6A0SM6L9Maf0qwECqCmXO4nUMRNIUMI4 +xORjX0eZj+Ggt4ZF7STq+8x+arFIdFK6RiSMbqv7OJmHZDObIV4KDASzs+sXF4BAX i84P+3QgWWt7rLSTXbYDWDeOOzrBXJLd88TisCeA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Juergen Gross Subject: [PATCH 4.9 22/29] xen/netfront: force data bouncing when backend is untrusted Date: Tue, 5 Jul 2022 13:58:03 +0200 Message-Id: <20220705115606.402578956@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Roger Pau Monne commit 4491001c2e0fa69efbb748c96ec96b100a5cdb7e upstream. Bounce all data on the skbs to be transmitted into zeroed pages if the backend is untrusted. This avoids leaking data present in the pages shared with the backend but not part of the skb fragments. This requires introducing a new helper in order to allocate skbs with a size multiple of XEN_PAGE_SIZE so we don't leak contiguous data on the granted pages. Reporting whether the backend is to be trusted can be done using a module parameter, or from the xenstore frontend path as set by the toolstack when adding the device. This is CVE-2022-33741, part of XSA-403. Signed-off-by: Roger Pau Monn=C3=A9 Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/xen-netfront.c | 53 ++++++++++++++++++++++++++++++++++++++++= +++-- 1 file changed, 51 insertions(+), 2 deletions(-) --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -62,6 +62,10 @@ module_param_named(max_queues, xennet_ma MODULE_PARM_DESC(max_queues, "Maximum number of queues per virtual interface"); =20 +static bool __read_mostly xennet_trusted =3D true; +module_param_named(trusted, xennet_trusted, bool, 0644); +MODULE_PARM_DESC(trusted, "Is the backend trusted"); + #define XENNET_TIMEOUT (5 * HZ) =20 static const struct ethtool_ops xennet_ethtool_ops; @@ -162,6 +166,9 @@ struct netfront_info { /* Is device behaving sane? */ bool broken; =20 + /* Should skbs be bounced into a zeroed buffer? */ + bool bounce; + atomic_t rx_gso_checksum_fixup; }; =20 @@ -591,6 +598,34 @@ static void xennet_mark_tx_pending(struc queue->tx_link[i] =3D TX_PENDING; } =20 +struct sk_buff *bounce_skb(const struct sk_buff *skb) +{ + unsigned int headerlen =3D skb_headroom(skb); + /* Align size to allocate full pages and avoid contiguous data leaks */ + unsigned int size =3D ALIGN(skb_end_offset(skb) + skb->data_len, + XEN_PAGE_SIZE); + struct sk_buff *n =3D alloc_skb(size, GFP_ATOMIC | __GFP_ZERO); + + if (!n) + return NULL; + + if (!IS_ALIGNED((uintptr_t)n->head, XEN_PAGE_SIZE)) { + WARN_ONCE(1, "misaligned skb allocated\n"); + kfree_skb(n); + return NULL; + } + + /* Set the data pointer */ + skb_reserve(n, headerlen); + /* Set the tail pointer and length */ + skb_put(n, skb->len); + + BUG_ON(skb_copy_bits(skb, -headerlen, n->head, headerlen + skb->len)); + + skb_copy_header(n, skb); + return n; +} + #define MAX_XEN_SKB_FRAGS (65536 / XEN_PAGE_SIZE + 1) =20 static int xennet_start_xmit(struct sk_buff *skb, struct net_device *dev) @@ -643,9 +678,13 @@ static int xennet_start_xmit(struct sk_b =20 /* The first req should be at least ETH_HLEN size or the packet will be * dropped by netback. + * + * If the backend is not trusted bounce all data to zeroed pages to + * avoid exposing contiguous data on the granted page not belonging to + * the skb. */ - if (unlikely(PAGE_SIZE - offset < ETH_HLEN)) { - nskb =3D skb_copy(skb, GFP_ATOMIC); + if (np->bounce || unlikely(PAGE_SIZE - offset < ETH_HLEN)) { + nskb =3D bounce_skb(skb); if (!nskb) goto drop; dev_kfree_skb_any(skb); @@ -1962,9 +2001,16 @@ static int talk_to_netback(struct xenbus unsigned int max_queues =3D 0; struct netfront_queue *queue =3D NULL; unsigned int num_queues =3D 1; + unsigned int trusted; =20 info->netdev->irq =3D 0; =20 + /* Check if backend is trusted. */ + err =3D xenbus_scanf(XBT_NIL, dev->nodename, "trusted", "%u", &trusted); + if (err < 0) + trusted =3D 1; + info->bounce =3D !xennet_trusted || !trusted; + /* Check if backend supports multiple queues */ err =3D xenbus_scanf(XBT_NIL, info->xbdev->otherend, "multi-queue-max-queues", "%u", &max_queues); @@ -2129,6 +2175,9 @@ static int xennet_connect(struct net_dev err =3D talk_to_netback(np->xbdev, np); if (err) return err; + if (np->bounce) + dev_info(&np->xbdev->dev, + "bouncing transmitted data to zeroed pages\n"); =20 /* talk_to_netback() sets the correct number of queues */ num_queues =3D dev->real_num_tx_queues; From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 41AE6C43334 for ; Tue, 5 Jul 2022 12:01:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230062AbiGEMBF (ORCPT ); Tue, 5 Jul 2022 08:01:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42424 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232915AbiGEMAZ (ORCPT ); Tue, 5 Jul 2022 08:00:25 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A0CA617AA9; Tue, 5 Jul 2022 05:00:23 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3D9B0615BA; Tue, 5 Jul 2022 12:00:23 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3F36FC341CB; Tue, 5 Jul 2022 12:00:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022422; bh=tzDjnjlaKhKTSC3fvhSwqoYA+PawvDQB5b1YDrEt7Pg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SL9VglNEID8k9r82/Qe0j7FmvlvTvTOnSItmiJ6MJex28TZEOxpbDyGSYYWabPamF LHKIEZ9YnctY5caEQPAtMTTpDe4LM9L7UJKV678wLmMhz92UheEoPaS6JDjMG9IxN5 cEREC9Wfn9fn7R9GW0+3N82vwEFXRQ+SuYD13kIM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Juergen Gross Subject: [PATCH 4.9 23/29] xen/blkfront: force data bouncing when backend is untrusted Date: Tue, 5 Jul 2022 13:58:04 +0200 Message-Id: <20220705115606.431125807@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Roger Pau Monne commit 2400617da7eebf9167d71a46122828bc479d64c9 upstream. Split the current bounce buffering logic used with persistent grants into it's own option, and allow enabling it independently of persistent grants. This allows to reuse the same code paths to perform the bounce buffering required to avoid leaking contiguous data in shared pages not part of the request fragments. Reporting whether the backend is to be trusted can be done using a module parameter, or from the xenstore frontend path as set by the toolstack when adding the device. This is CVE-2022-33742, part of XSA-403. Signed-off-by: Roger Pau Monn=C3=A9 Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/block/xen-blkfront.c | 45 ++++++++++++++++++++++++++++----------= ----- 1 file changed, 30 insertions(+), 15 deletions(-) --- a/drivers/block/xen-blkfront.c +++ b/drivers/block/xen-blkfront.c @@ -144,6 +144,10 @@ static unsigned int xen_blkif_max_ring_o module_param_named(max_ring_page_order, xen_blkif_max_ring_order, int, S_I= RUGO); MODULE_PARM_DESC(max_ring_page_order, "Maximum order of pages to be used f= or the shared ring"); =20 +static bool __read_mostly xen_blkif_trusted =3D true; +module_param_named(trusted, xen_blkif_trusted, bool, 0644); +MODULE_PARM_DESC(trusted, "Is the backend trusted"); + #define BLK_RING_SIZE(info) \ __CONST_RING_SIZE(blkif, XEN_PAGE_SIZE * (info)->nr_ring_pages) =20 @@ -206,6 +210,7 @@ struct blkfront_info unsigned int discard_granularity; unsigned int discard_alignment; unsigned int feature_persistent:1; + unsigned int bounce:1; /* Number of 4KB segments handled */ unsigned int max_indirect_segments; int is_ready; @@ -296,7 +301,7 @@ static int fill_grant_buffer(struct blkf if (!gnt_list_entry) goto out_of_memory; =20 - if (info->feature_persistent) { + if (info->bounce) { granted_page =3D alloc_page(GFP_NOIO | __GFP_ZERO); if (!granted_page) { kfree(gnt_list_entry); @@ -316,7 +321,7 @@ out_of_memory: list_for_each_entry_safe(gnt_list_entry, n, &rinfo->grants, node) { list_del(&gnt_list_entry->node); - if (info->feature_persistent) + if (info->bounce) __free_page(gnt_list_entry->page); kfree(gnt_list_entry); i--; @@ -362,7 +367,7 @@ static struct grant *get_grant(grant_ref /* Assign a gref to this page */ gnt_list_entry->gref =3D gnttab_claim_grant_reference(gref_head); BUG_ON(gnt_list_entry->gref =3D=3D -ENOSPC); - if (info->feature_persistent) + if (info->bounce) grant_foreign_access(gnt_list_entry, info); else { /* Grant access to the GFN passed by the caller */ @@ -386,7 +391,7 @@ static struct grant *get_indirect_grant( /* Assign a gref to this page */ gnt_list_entry->gref =3D gnttab_claim_grant_reference(gref_head); BUG_ON(gnt_list_entry->gref =3D=3D -ENOSPC); - if (!info->feature_persistent) { + if (!info->bounce) { struct page *indirect_page; =20 /* Fetch a pre-allocated page to use for indirect grefs */ @@ -701,7 +706,7 @@ static int blkif_queue_rw_req(struct req .grant_idx =3D 0, .segments =3D NULL, .rinfo =3D rinfo, - .need_copy =3D rq_data_dir(req) && info->feature_persistent, + .need_copy =3D rq_data_dir(req) && info->bounce, }; =20 /* @@ -1015,11 +1020,12 @@ static void xlvbd_flush(struct blkfront_ { blk_queue_write_cache(info->rq, info->feature_flush ? true : false, info->feature_fua ? true : false); - pr_info("blkfront: %s: %s %s %s %s %s\n", + pr_info("blkfront: %s: %s %s %s %s %s %s %s\n", info->gd->disk_name, flush_info(info), "persistent grants:", info->feature_persistent ? "enabled;" : "disabled;", "indirect descriptors:", - info->max_indirect_segments ? "enabled;" : "disabled;"); + info->max_indirect_segments ? "enabled;" : "disabled;", + "bounce buffer:", info->bounce ? "enabled" : "disabled;"); } =20 static int xen_translate_vdev(int vdevice, int *minor, unsigned int *offse= t) @@ -1254,7 +1260,7 @@ static void blkif_free_ring(struct blkfr if (!list_empty(&rinfo->indirect_pages)) { struct page *indirect_page, *n; =20 - BUG_ON(info->feature_persistent); + BUG_ON(info->bounce); list_for_each_entry_safe(indirect_page, n, &rinfo->indirect_pages, lru) { list_del(&indirect_page->lru); __free_page(indirect_page); @@ -1271,7 +1277,7 @@ static void blkif_free_ring(struct blkfr continue; =20 rinfo->persistent_gnts_c--; - if (info->feature_persistent) + if (info->bounce) __free_page(persistent_gnt->page); kfree(persistent_gnt); } @@ -1291,7 +1297,7 @@ static void blkif_free_ring(struct blkfr for (j =3D 0; j < segs; j++) { persistent_gnt =3D rinfo->shadow[i].grants_used[j]; gnttab_end_foreign_access(persistent_gnt->gref, 0, 0UL); - if (info->feature_persistent) + if (info->bounce) __free_page(persistent_gnt->page); kfree(persistent_gnt); } @@ -1481,7 +1487,7 @@ static int blkif_completion(unsigned lon data.s =3D s; num_sg =3D s->num_sg; =20 - if (bret->operation =3D=3D BLKIF_OP_READ && info->feature_persistent) { + if (bret->operation =3D=3D BLKIF_OP_READ && info->bounce) { for_each_sg(s->sg, sg, num_sg, i) { BUG_ON(sg->offset + sg->length > PAGE_SIZE); =20 @@ -1540,7 +1546,7 @@ static int blkif_completion(unsigned lon * Add the used indirect page back to the list of * available pages for indirect grefs. */ - if (!info->feature_persistent) { + if (!info->bounce) { indirect_page =3D s->indirect_grants[i]->page; list_add(&indirect_page->lru, &rinfo->indirect_pages); } @@ -1822,6 +1828,13 @@ static int talk_to_blkback(struct xenbus int err; unsigned int i, max_page_order =3D 0; unsigned int ring_page_order =3D 0; + unsigned int trusted; + + /* Check if backend is trusted. */ + err =3D xenbus_scanf(XBT_NIL, dev->nodename, "trusted", "%u", &trusted); + if (err < 0) + trusted =3D 1; + info->bounce =3D !xen_blkif_trusted || !trusted; =20 err =3D xenbus_scanf(XBT_NIL, info->xbdev->otherend, "max-ring-page-order", "%u", &max_page_order); @@ -2301,10 +2314,10 @@ static int blkfront_setup_indirect(struc if (err) goto out_of_memory; =20 - if (!info->feature_persistent && info->max_indirect_segments) { + if (!info->bounce && info->max_indirect_segments) { /* - * We are using indirect descriptors but not persistent - * grants, we need to allocate a set of pages that can be + * We are using indirect descriptors but don't have a bounce + * buffer, we need to allocate a set of pages that can be * used for mapping indirect grefs */ int num =3D INDIRECT_GREFS(grants) * BLK_RING_SIZE(info); @@ -2410,6 +2423,8 @@ static void blkfront_gather_backend_feat info->feature_persistent =3D 0; else info->feature_persistent =3D persistent; + if (info->feature_persistent) + info->bounce =3D true; =20 err =3D xenbus_scanf(XBT_NIL, info->xbdev->otherend, "feature-max-indirect-segments", "%u", From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 890F4C433EF for ; Tue, 5 Jul 2022 12:01:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231574AbiGEMBP (ORCPT ); Tue, 5 Jul 2022 08:01:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42820 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232929AbiGEMA3 (ORCPT ); Tue, 5 Jul 2022 08:00:29 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2753417E1B; Tue, 5 Jul 2022 05:00:28 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C627AB817D3; Tue, 5 Jul 2022 12:00:26 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 13662C385A9; Tue, 5 Jul 2022 12:00:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022425; bh=k4N6KH1YWbQV3DGzZLvNHzX7b6DSgKb1L14QGC7GHeU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CZfzmbevALRRtZq4+ftOeeqPwXSS+vD5fUAHMt7bAonTW0aCLgK56P2lPujLQFYh4 gspx574yR6EXuzZlidSFXtqd+L4rpFp4+cg0mgT1XchlgeqPJpwD/AEYk6TEjLcbX+ RmbUeFpJWMY83AHexZLPk1VevgTnsW0rw+dmZ89o= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Oleksandr Tyshchenko , Stefano Stabellini , Juergen Gross Subject: [PATCH 4.9 24/29] xen/arm: Fix race in RB-tree based P2M accounting Date: Tue, 5 Jul 2022 13:58:05 +0200 Message-Id: <20220705115606.459789095@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Oleksandr Tyshchenko commit b75cd218274e01d026dc5240e86fdeb44bbed0c8 upstream. During the PV driver life cycle the mappings are added to the RB-tree by set_foreign_p2m_mapping(), which is called from gnttab_map_refs() and are removed by clear_foreign_p2m_mapping() which is called from gnttab_unmap_refs(). As both functions end up calling __set_phys_to_machine_multi() which updates the RB-tree, this function can be called concurrently. There is already a "p2m_lock" to protect against concurrent accesses, but the problem is that the first read of "phys_to_mach.rb_node" in __set_phys_to_machine_multi() is not covered by it, so this might lead to the incorrect mappings update (removing in our case) in RB-tree. In my environment the related issue happens rarely and only when PV net backend is running, the xen_add_phys_to_mach_entry() claims that it cannot add new pfn <-> mfn mapping to the tree since it is already exists which results in a failure when mapping foreign pages. But there might be other bad consequences related to the non-protected root reads such use-after-free, etc. While at it, also fix the similar usage in __pfn_to_mfn(), so initialize "struct rb_node *n" with the "p2m_lock" held in both functions to avoid possible bad consequences. This is CVE-2022-33744 / XSA-406. Signed-off-by: Oleksandr Tyshchenko Reviewed-by: Stefano Stabellini Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- arch/arm/xen/p2m.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/arch/arm/xen/p2m.c +++ b/arch/arm/xen/p2m.c @@ -61,11 +61,12 @@ out: =20 unsigned long __pfn_to_mfn(unsigned long pfn) { - struct rb_node *n =3D phys_to_mach.rb_node; + struct rb_node *n; struct xen_p2m_entry *entry; unsigned long irqflags; =20 read_lock_irqsave(&p2m_lock, irqflags); + n =3D phys_to_mach.rb_node; while (n) { entry =3D rb_entry(n, struct xen_p2m_entry, rbnode_phys); if (entry->pfn <=3D pfn && @@ -151,10 +152,11 @@ bool __set_phys_to_machine_multi(unsigne int rc; unsigned long irqflags; struct xen_p2m_entry *p2m_entry; - struct rb_node *n =3D phys_to_mach.rb_node; + struct rb_node *n; =20 if (mfn =3D=3D INVALID_P2M_ENTRY) { write_lock_irqsave(&p2m_lock, irqflags); + n =3D phys_to_mach.rb_node; while (n) { p2m_entry =3D rb_entry(n, struct xen_p2m_entry, rbnode_phys); if (p2m_entry->pfn <=3D pfn && From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D1FA5C43334 for ; Tue, 5 Jul 2022 12:01:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232682AbiGEMBT (ORCPT ); Tue, 5 Jul 2022 08:01:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42830 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232930AbiGEMA3 (ORCPT ); Tue, 5 Jul 2022 08:00:29 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 20E6917E1E; Tue, 5 Jul 2022 05:00:29 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B24E96174B; Tue, 5 Jul 2022 12:00:28 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BFEC7C341C7; Tue, 5 Jul 2022 12:00:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022428; bh=HG4R9376kqUl5heoDz1IozNmzD8Czn1YD5tSkHrgoyA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=y3aFLZNc5YXbu0xYiUQF7sCLGZ762/uAO+9zKj2N5f0EqvBKBLrS26FF1N8Fn7TEJ ULTZCTNI1ix0NT3jR+UB/chR9Sd19Qdr8ntAbqTL6bmn8rT9vYcSwAdRRjkIJNBayr Ylb/fgI8cxhqNkAVdCPQvTRLfI0KpHVkFkW0r5GU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?J=C3=B6rgen=20Storvist?= , =?UTF-8?q?Bj=C3=B8rn=20Mork?= , "David S. Miller" Subject: [PATCH 4.9 25/29] qmi_wwan: Added support for Telit LN940 series Date: Tue, 5 Jul 2022 13:58:06 +0200 Message-Id: <20220705115606.489959288@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: J=C3=B6rgen Storvist commit 1986af16e8ed355822600c24b3d2f0be46b573df upstream. Added support for the Telit LN940 series cellular modules QMI interface. QMI_QUIRK_SET_DTR quirk requied for Qualcomm MDM9x40 chipset. Signed-off-by: J=C3=B6rgen Storvist Acked-by: Bj=C3=B8rn Mork Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/usb/qmi_wwan.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/net/usb/qmi_wwan.c +++ b/drivers/net/usb/qmi_wwan.c @@ -932,6 +932,7 @@ static const struct usb_device_id produc {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1201, 2)}, /* Telit LE920, LE920A4 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1900, 1)}, /* Telit LN940 series */ {QMI_FIXED_INTF(0x1c9e, 0x9801, 3)}, /* Telewell TW-3G HSPA+ */ {QMI_FIXED_INTF(0x1c9e, 0x9803, 4)}, /* Telewell TW-3G HSPA+ */ {QMI_FIXED_INTF(0x1c9e, 0x9b01, 3)}, /* XS Stick W100-2 from 4G Systems */ From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 56BD2CCA47C for ; Tue, 5 Jul 2022 12:01:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232759AbiGEMBV (ORCPT ); Tue, 5 Jul 2022 08:01:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42860 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232943AbiGEMAc (ORCPT ); Tue, 5 Jul 2022 08:00:32 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DE40817E25; Tue, 5 Jul 2022 05:00:31 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 7B7CC6174B; Tue, 5 Jul 2022 12:00:31 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 84832C341C7; Tue, 5 Jul 2022 12:00:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022430; bh=bqczC0954NPOOwFFOj5u/kLcD0QDMkBG40kqKIzBGJ0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=2Mtiv/uHuZi6KyL5t9fL4jGSxd6+4JCsCQ7p5ED7bE2c4KBh9Nn8Te7rmQGSSCCTU M4v4jslwwofkA4y2iE7IHPdGEogBgSc/lWvIqJyxSjmGJ/Rld9MPM5YDlcGIly/u1a jZEAvJHLPro8Ovz1CN88i5phA6OuVcy0sXb4y7Hg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniele Palmas , =?UTF-8?q?Bj=C3=B8rn=20Mork?= , "David S. Miller" , Fabio Porcedda Subject: [PATCH 4.9 26/29] net: usb: qmi_wwan: add Telit 0x1260 and 0x1261 compositions Date: Tue, 5 Jul 2022 13:58:07 +0200 Message-Id: <20220705115606.518579727@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Daniele Palmas commit b4e467c82f8c12af78b6f6fa5730cb7dea7af1b4 upstream. Added support for Telit LE910Cx 0x1260 and 0x1261 compositions. Signed-off-by: Daniele Palmas Acked-by: Bj=C3=B8rn Mork Signed-off-by: David S. Miller Cc: Fabio Porcedda Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/usb/qmi_wwan.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/usb/qmi_wwan.c +++ b/drivers/net/usb/qmi_wwan.c @@ -932,6 +932,8 @@ static const struct usb_device_id produc {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1201, 2)}, /* Telit LE920, LE920A4 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1260, 2)}, /* Telit LE910Cx */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1261, 2)}, /* Telit LE910Cx */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1900, 1)}, /* Telit LN940 series */ {QMI_FIXED_INTF(0x1c9e, 0x9801, 3)}, /* Telewell TW-3G HSPA+ */ {QMI_FIXED_INTF(0x1c9e, 0x9803, 4)}, /* Telewell TW-3G HSPA+ */ From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6FC9ECCA47C for ; Tue, 5 Jul 2022 12:01:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232983AbiGEMBY (ORCPT ); Tue, 5 Jul 2022 08:01:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42924 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232954AbiGEMAf (ORCPT ); Tue, 5 Jul 2022 08:00:35 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C0F4118348; Tue, 5 Jul 2022 05:00:34 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5D41F61800; Tue, 5 Jul 2022 12:00:34 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6178AC341C7; Tue, 5 Jul 2022 12:00:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022433; bh=3nJCu3XF3u1j7pd95g7zrXkSf3FjKVBZpQOXXQb5M68=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DTVxOEYpR8GehNKSs8GPQV4cQRJ73orOlyHgwOHtcG7xYCO87BXWHyTbhFaT6cVSW sy8Fkn0+agFRT+vjA2Vr27nzZUqu1fMnhFmFa1zzk4GcHC1aBZ1x5NW0KS4YRJXdq0 f+UDA9314W0BS+Opk5JG0YOnUYfOFENLVyuOv4Xg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniele Palmas , =?UTF-8?q?Bj=C3=B8rn=20Mork?= , Jakub Kicinski , Fabio Porcedda Subject: [PATCH 4.9 27/29] net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition Date: Tue, 5 Jul 2022 13:58:08 +0200 Message-Id: <20220705115606.548189717@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Daniele Palmas commit 5fd8477ed8ca77e64b93d44a6dae4aa70c191396 upstream. Add support for Telit LE910Cx 0x1230 composition: 0x1230: tty, adb, rmnet, audio, tty, tty, tty, tty Signed-off-by: Daniele Palmas Acked-by: Bj=C3=B8rn Mork Link: https://lore.kernel.org/r/20201102110108.17244-1-dnlplm@gmail.com Signed-off-by: Jakub Kicinski Cc: Fabio Porcedda Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/usb/qmi_wwan.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/net/usb/qmi_wwan.c +++ b/drivers/net/usb/qmi_wwan.c @@ -932,6 +932,7 @@ static const struct usb_device_id produc {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1201, 2)}, /* Telit LE920, LE920A4 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1230, 2)}, /* Telit LE910Cx */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1260, 2)}, /* Telit LE910Cx */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1261, 2)}, /* Telit LE910Cx */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1900, 1)}, /* Telit LN940 series */ From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 692D6C43334 for ; Tue, 5 Jul 2022 12:01:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230182AbiGEMB1 (ORCPT ); Tue, 5 Jul 2022 08:01:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42990 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232964AbiGEMAh (ORCPT ); Tue, 5 Jul 2022 08:00:37 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 680031835F; Tue, 5 Jul 2022 05:00:37 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 04FE9617C5; Tue, 5 Jul 2022 12:00:37 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 13C50C341C7; Tue, 5 Jul 2022 12:00:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022436; bh=8Yb1uyozjJ88c+brf2lCHNvlq2u5Oe+HhcCSdwJRJ2E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hhgD3hv/tRaJZlLUOaP8hJJmtAYgY5jqa+HN5f/QtP2mdn1sxStzd00b2LVwhyVU0 KrY6z2SEf+ZCIkWy5qEuLCyAnLcwEUBrzSUR6buGWYdILt/Qhldl2s7+eSPmm4OIKL 48H2EDcMWiJMaETWUJt6OdpZnrCkAWI+OH6qEjFA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Carlo Lobrano , "David S. Miller" , Fabio Porcedda Subject: [PATCH 4.9 28/29] net: usb: qmi_wwan: add Telit 0x1060 composition Date: Tue, 5 Jul 2022 13:58:09 +0200 Message-Id: <20220705115606.577210161@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Carlo Lobrano commit 8d17a33b076d24aa4861f336a125c888fb918605 upstream. This patch adds support for Telit LN920 0x1060 composition 0x1060: tty, adb, rmnet, tty, tty, tty, tty Signed-off-by: Carlo Lobrano Signed-off-by: David S. Miller Cc: Fabio Porcedda Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/usb/qmi_wwan.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/net/usb/qmi_wwan.c +++ b/drivers/net/usb/qmi_wwan.c @@ -928,6 +928,7 @@ static const struct usb_device_id produc {QMI_QUIRK_SET_DTR(0x1bc7, 0x1031, 3)}, /* Telit LE910C1-EUX */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */ {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ From nobody Sun Apr 19 05:31:23 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 05EECC43334 for ; Tue, 5 Jul 2022 12:01:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233144AbiGEMB3 (ORCPT ); Tue, 5 Jul 2022 08:01:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42242 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232824AbiGEMAk (ORCPT ); Tue, 5 Jul 2022 08:00:40 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1684A17E2A; Tue, 5 Jul 2022 05:00:40 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id AA4AC617C5; Tue, 5 Jul 2022 12:00:39 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B9137C341C7; Tue, 5 Jul 2022 12:00:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1657022439; bh=zGmblS+FrK0VDkwQInY9uj8k/zVbc6cUinVRvQHClQw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=p3BnXrsr1wcmaSLw//U5uhr6P+dQ0m3rxyBGdIBKg6XnTGfMyus0xW/PP8NJCmZfC CLkxMTQ41LHnEjC5PF+zKEwS0p++d+dvTaOE821d/iR4/gyf0QMNG5vn4B4jcuYyyn 0CyXJDyHLhJMNty/fM/qghalGJdPE3MnpFhN15K0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniele Palmas , =?UTF-8?q?Bj=C3=B8rn=20Mork?= , Jakub Kicinski , Fabio Porcedda Subject: [PATCH 4.9 29/29] net: usb: qmi_wwan: add Telit 0x1070 composition Date: Tue, 5 Jul 2022 13:58:10 +0200 Message-Id: <20220705115606.606621072@linuxfoundation.org> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220705115605.742248854@linuxfoundation.org> References: <20220705115605.742248854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Daniele Palmas commit 94f2a444f28a649926c410eb9a38afb13a83ebe0 upstream. Add the following Telit FN990 composition: 0x1070: tty, adb, rmnet, tty, tty, tty, tty Signed-off-by: Daniele Palmas Acked-by: Bj=C3=B8rn Mork Link: https://lore.kernel.org/r/20211210095722.22269-1-dnlplm@gmail.com Signed-off-by: Jakub Kicinski Cc: Fabio Porcedda Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/usb/qmi_wwan.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/net/usb/qmi_wwan.c +++ b/drivers/net/usb/qmi_wwan.c @@ -929,6 +929,7 @@ static const struct usb_device_id produc {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990 */ {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */