March 2020 - Linux-stable-mirror

[PATCH AUTOSEL 4.4 01/12] bnxt_en: reinitialize IRQs when MTU is modified

by Sasha Levin

From: Vasundhara Volam <vasundhara-v.volam(a)broadcom.com> [ Upstream commit a9b952d267e59a3b405e644930f46d252cea7122 ] MTU changes may affect the number of IRQs so we must call bnxt_close_nic()/bnxt_open_nic() with the irq_re_init parameter set to true. The reason is that a larger MTU may require aggregation rings not needed with smaller MTU. We may not be able to allocate the required number of aggregation rings and so we reduce the number of channels which will change the number of IRQs. Without this patch, it may crash eventually in pci_disable_msix() when the IRQs are not properly unwound. Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") Signed-off-by: Vasundhara Volam <vasundhara-v.volam(a)broadcom.com> Signed-off-by: Michael Chan <michael.chan(a)broadcom.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c index 81282b811a6cd..d91953eabfeb4 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c @@ -5310,13 +5310,13 @@ static int bnxt_change_mtu(struct net_device *dev, int new_mtu) return -EINVAL; if (netif_running(dev)) - bnxt_close_nic(bp, false, false); + bnxt_close_nic(bp, true, false); dev->mtu = new_mtu; bnxt_set_ring_params(bp); if (netif_running(dev)) - return bnxt_open_nic(bp, false, false); + return bnxt_open_nic(bp, true, false); return 0; } -- 2.20.1

4 years, 9 months

1
11
0 0

[PATCH AUTOSEL 4.9 01/15] batman-adv: Don't schedule OGM for disabled interface

by Sasha Levin

From: Sven Eckelmann <sven(a)narfation.org> [ Upstream commit 8e8ce08198de193e3d21d42e96945216e3d9ac7f ] A transmission scheduling for an interface which is currently dropped by batadv_iv_ogm_iface_disable could still be in progress. The B.A.T.M.A.N. V is simply cancelling the workqueue item in an synchronous way but this is not possible with B.A.T.M.A.N. IV because the OGM submissions are intertwined. Instead it has to stop submitting the OGM when it detect that the buffer pointer is set to NULL. Reported-by: syzbot+a98f2016f40b9cd3818a(a)syzkaller.appspotmail.com Reported-by: syzbot+ac36b6a33c28a491e929(a)syzkaller.appspotmail.com Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") Signed-off-by: Sven Eckelmann <sven(a)narfation.org> Cc: Hillf Danton <hdanton(a)sina.com> Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/batman-adv/bat_iv_ogm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c index 780700fcbe63e..b08e3b331c503 100644 --- a/net/batman-adv/bat_iv_ogm.c +++ b/net/batman-adv/bat_iv_ogm.c @@ -934,6 +934,10 @@ static void batadv_iv_ogm_schedule(struct batadv_hard_iface *hard_iface) (hard_iface->if_status == BATADV_IF_TO_BE_REMOVED)) return; + /* interface already disabled by batadv_iv_ogm_iface_disable */ + if (!*ogm_buff) + return; + /* the interface gets activated here to avoid race conditions between * the moment of activating the interface in * hardif_activate_interface() where the originator mac is set and -- 2.20.1

4 years, 9 months

1
14
0 0

[PATCH AUTOSEL 4.14 01/28] cgroup-v1: cgroup_pidlist_next should update position index

by Sasha Levin

From: Vasily Averin <vvs(a)virtuozzo.com> [ Upstream commit db8dd9697238be70a6b4f9d0284cd89f59c0e070 ] if seq_file .next fuction does not change position index, read after some lseek can generate unexpected output. # mount | grep cgroup # dd if=/mnt/cgroup.procs bs=1 # normal output ... 1294 1295 1296 1304 1382 584+0 records in 584+0 records out 584 bytes copied dd: /mnt/cgroup.procs: cannot skip to specified offset 83 <<< generates end of last line 1383 <<< ... and whole last line once again 0+1 records in 0+1 records out 8 bytes copied dd: /mnt/cgroup.procs: cannot skip to specified offset 1386 <<< generates last line anyway 0+1 records in 0+1 records out 5 bytes copied https://bugzilla.kernel.org/show_bug.cgi?id=206283 Signed-off-by: Vasily Averin <vvs(a)virtuozzo.com> Signed-off-by: Tejun Heo <tj(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/cgroup/cgroup-v1.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c index a2c05d2476ac5..d148965180893 100644 --- a/kernel/cgroup/cgroup-v1.c +++ b/kernel/cgroup/cgroup-v1.c @@ -501,6 +501,7 @@ static void *cgroup_pidlist_next(struct seq_file *s, void *v, loff_t *pos) */ p++; if (p >= end) { + (*pos)++; return NULL; } else { *pos = *p; -- 2.20.1

4 years, 9 months

1
27
0 0

[PATCH AUTOSEL 4.19 01/37] cgroup-v1: cgroup_pidlist_next should update position index

by Sasha Levin

From: Vasily Averin <vvs(a)virtuozzo.com> [ Upstream commit db8dd9697238be70a6b4f9d0284cd89f59c0e070 ] if seq_file .next fuction does not change position index, read after some lseek can generate unexpected output. # mount | grep cgroup # dd if=/mnt/cgroup.procs bs=1 # normal output ... 1294 1295 1296 1304 1382 584+0 records in 584+0 records out 584 bytes copied dd: /mnt/cgroup.procs: cannot skip to specified offset 83 <<< generates end of last line 1383 <<< ... and whole last line once again 0+1 records in 0+1 records out 8 bytes copied dd: /mnt/cgroup.procs: cannot skip to specified offset 1386 <<< generates last line anyway 0+1 records in 0+1 records out 5 bytes copied https://bugzilla.kernel.org/show_bug.cgi?id=206283 Signed-off-by: Vasily Averin <vvs(a)virtuozzo.com> Signed-off-by: Tejun Heo <tj(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/cgroup/cgroup-v1.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c index 51063e7a93c28..c9628b9a41d23 100644 --- a/kernel/cgroup/cgroup-v1.c +++ b/kernel/cgroup/cgroup-v1.c @@ -501,6 +501,7 @@ static void *cgroup_pidlist_next(struct seq_file *s, void *v, loff_t *pos) */ p++; if (p >= end) { + (*pos)++; return NULL; } else { *pos = *p; -- 2.20.1

4 years, 9 months

1
36
0 0

FAILED: patch "[PATCH] batman-adv: Don't schedule OGM for disabled interface" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 8e8ce08198de193e3d21d42e96945216e3d9ac7f Mon Sep 17 00:00:00 2001 From: Sven Eckelmann <sven(a)narfation.org> Date: Sun, 16 Feb 2020 13:02:06 +0100 Subject: [PATCH] batman-adv: Don't schedule OGM for disabled interface A transmission scheduling for an interface which is currently dropped by batadv_iv_ogm_iface_disable could still be in progress. The B.A.T.M.A.N. V is simply cancelling the workqueue item in an synchronous way but this is not possible with B.A.T.M.A.N. IV because the OGM submissions are intertwined. Instead it has to stop submitting the OGM when it detect that the buffer pointer is set to NULL. Reported-by: syzbot+a98f2016f40b9cd3818a(a)syzkaller.appspotmail.com Reported-by: syzbot+ac36b6a33c28a491e929(a)syzkaller.appspotmail.com Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") Signed-off-by: Sven Eckelmann <sven(a)narfation.org> Cc: Hillf Danton <hdanton(a)sina.com> Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c index f0209505e41a..a7c8dd7ae513 100644 --- a/net/batman-adv/bat_iv_ogm.c +++ b/net/batman-adv/bat_iv_ogm.c @@ -789,6 +789,10 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface) lockdep_assert_held(&hard_iface->bat_iv.ogm_buff_mutex); + /* interface already disabled by batadv_iv_ogm_iface_disable */ + if (!*ogm_buff) + return; + /* the interface gets activated here to avoid race conditions between * the moment of activating the interface in * hardif_activate_interface() where the originator mac is set and

4 years, 9 months

4
4
0 0

[PATCH AUTOSEL 5.5 01/84] cgroup-v1: cgroup_pidlist_next should update position index

by Sasha Levin

From: Vasily Averin <vvs(a)virtuozzo.com> [ Upstream commit db8dd9697238be70a6b4f9d0284cd89f59c0e070 ] if seq_file .next fuction does not change position index, read after some lseek can generate unexpected output. # mount | grep cgroup # dd if=/mnt/cgroup.procs bs=1 # normal output ... 1294 1295 1296 1304 1382 584+0 records in 584+0 records out 584 bytes copied dd: /mnt/cgroup.procs: cannot skip to specified offset 83 <<< generates end of last line 1383 <<< ... and whole last line once again 0+1 records in 0+1 records out 8 bytes copied dd: /mnt/cgroup.procs: cannot skip to specified offset 1386 <<< generates last line anyway 0+1 records in 0+1 records out 5 bytes copied https://bugzilla.kernel.org/show_bug.cgi?id=206283 Signed-off-by: Vasily Averin <vvs(a)virtuozzo.com> Signed-off-by: Tejun Heo <tj(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/cgroup/cgroup-v1.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c index 09f3a413f6f89..84bedb87ae137 100644 --- a/kernel/cgroup/cgroup-v1.c +++ b/kernel/cgroup/cgroup-v1.c @@ -473,6 +473,7 @@ static void *cgroup_pidlist_next(struct seq_file *s, void *v, loff_t *pos) */ p++; if (p >= end) { + (*pos)++; return NULL; } else { *pos = *p; -- 2.20.1

4 years, 9 months

1
7
0 0

[PATCH 4.4 00/48] batman-adv: Pending fixes

by Sven Eckelmann

Hi, we were asked by Greg KH to check the failed backport of some recent fix to linux 4.4.y and provide backports for it when required. I've found a lot more missing patches than I've expected in this process and queued them up here. Kind regards, Sven Andrew Lunn (1): batman-adv: Avoid endless loop in bat-on-bat netdevice check Florian Westphal (1): batman-adv: fix skb deref after free Linus Lüssing (5): batman-adv: Avoid duplicate neigh_node additions batman-adv: Fix transmission of final, 16th fragment batman-adv: fix TT sync flag inconsistencies batman-adv: Fix TT sync flags for intermediate TT responses batman-adv: Avoid storing non-TT-sync flags on singular entries too Marek Lindner (2): batman-adv: init neigh node last seen field batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs Matthias Schiffer (1): batman-adv: update data pointers after skb_cow() Simon Wunderlich (1): batman-adv: lock crc access in bridge loop avoidance Sven Eckelmann (37): batman-adv: Fix invalid read while copying bat_iv.bcast_own batman-adv: Only put gw_node list reference when removed batman-adv: Only put orig_node_vlan list reference when removed batman-adv: Fix unexpected free of bcast_own on add_if error batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq batman-adv: Deactivate TO_BE_ACTIVATED hardif on shutdown batman-adv: Drop reference to netdevice on last reference batman-adv: Fix reference counting of vlan object for tt_local_entry batman-adv: Fix use-after-free/double-free of tt_req_node batman-adv: Fix ICMP RR ethernet access after skb_linearize batman-adv: Clean up untagged vlan when destroying via rtnl-link batman-adv: Avoid nullptr dereference in bla after vlan_insert_tag batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag batman-adv: Fix orig_node_vlan leak on orig_node_release batman-adv: Fix non-atomic bla_claim::backbone_gw access batman-adv: Fix reference leak in batadv_find_router batman-adv: Free last_bonding_candidate on release of orig_node batman-adv: Fix speedy join in gateway client mode batman-adv: Add missing refcnt for last_candidate batman-adv: Fix double free during fragment merge error batman-adv: Fix rx packet/bytes stats on local ARP reply batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq batman-adv: Fix internal interface indices types batman-adv: Fix skbuff rcsum on packet reroute batman-adv: Avoid race in TT TVLV allocator helper batman-adv: Fix debugfs path for renamed hardif batman-adv: Fix debugfs path for renamed softif batman-adv: Prevent duplicated gateway_node entry batman-adv: Prevent duplicated nc_node entry batman-adv: Prevent duplicated global TT entry batman-adv: Prevent duplicated tvlv handler batman-adv: Reduce claim hash refcnt only for removed entry batman-adv: Reduce tt_local hash refcnt only for removed entry batman-adv: Reduce tt_global hash refcnt only for removed entry batman-adv: Only read OGM tvlv_len after buffer len check batman-adv: Avoid free/alloc race when handling OGM buffer batman-adv: Don't schedule OGM for disabled interface net/batman-adv/bat_iv_ogm.c | 115 +++++++++--- net/batman-adv/bridge_loop_avoidance.c | 152 ++++++++++++--- net/batman-adv/debugfs.c | 40 ++++ net/batman-adv/debugfs.h | 11 ++ net/batman-adv/distributed-arp-table.c | 15 +- net/batman-adv/fragmentation.c | 14 +- net/batman-adv/gateway_client.c | 18 +- net/batman-adv/hard-interface.c | 89 +++++++-- net/batman-adv/hard-interface.h | 6 +- net/batman-adv/main.c | 8 +- net/batman-adv/network-coding.c | 33 ++-- net/batman-adv/originator.c | 26 ++- net/batman-adv/originator.h | 4 +- net/batman-adv/routing.c | 111 ++++++++--- net/batman-adv/send.c | 4 +- net/batman-adv/soft-interface.c | 9 + net/batman-adv/translation-table.c | 249 +++++++++++++++++-------- net/batman-adv/types.h | 23 ++- 18 files changed, 707 insertions(+), 220 deletions(-) -- 2.20.1

4 years, 9 months

2
49
0 0

[PATCH 4.9 0/3] batman-adv: Pending fixes; part 2

by Sven Eckelmann

Hi, I've already send a couple of missing patches for stable linux-4.9.y. But I've noticed that there were some other ones which I skipped but which I now saw while checking for missing patches in linux-4.4.y. Kind regards, Sven Matthias Schiffer (1): batman-adv: update data pointers after skb_cow() Sven Eckelmann (2): batman-adv: Avoid probe ELP information leak batman-adv: Use explicit tvlv padding for ELP packets net/batman-adv/bat_v_elp.c | 12 ++++++++---- net/batman-adv/routing.c | 5 ++++- 2 files changed, 12 insertions(+), 5 deletions(-) -- 2.20.1

4 years, 9 months

2
4
0 0

FAILED: patch "[PATCH] pinctrl: qcom: Assign irq_eoi conditionally" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 1cada2f307665e208a486d7ac2294ed9a6f74a6f Mon Sep 17 00:00:00 2001 From: Linus Walleij <linus.walleij(a)linaro.org> Date: Mon, 9 Mar 2020 16:26:04 +0100 Subject: [PATCH] pinctrl: qcom: Assign irq_eoi conditionally The hierarchical parts of MSM pinctrl/GPIO is only used when the device tree has a "wakeup-parent" as a phandle, but the .irq_eoi is anyway assigned leading to semantic problems on elder Qualcomm chipsets. When the drivers/mfd/qcom-pm8xxx.c driver calls chained_irq_exit() that call will in turn call chip->irq_eoi() which is set to irq_chip_eoi_parent() by default on a hierachical IRQ chip, and the parent is pinctrl-msm.c so that will in turn unconditionally call irq_chip_eoi_parent() again, but its parent is invalid so we get the following crash: Unnable to handle kernel NULL pointer dereference at virtual address 00000010 pgd = (ptrval) [00000010] *pgd=00000000 Internal error: Oops: 5 [#1] PREEMPT SMP ARM (...) PC is at irq_chip_eoi_parent+0x4/0x10 LR is at pm8xxx_irq_handler+0x1b4/0x2d8 If we solve this crash by avoiding to call up to irq_chip_eoi_parent(), the machine will hang and get reset by the watchdog, because of semantic issues, probably inside irq_chip. As a solution, just assign the .irq_eoi conditionally if we are actually using a wakeup parent. Cc: David Heidelberg <david(a)ixit.cz> Cc: Bjorn Andersson <bjorn.andersson(a)linaro.org> Cc: Lina Iyer <ilina(a)codeaurora.org> Cc: Stephen Boyd <swboyd(a)chromium.org> Cc: stable(a)vger.kernel.org Fixes: e35a6ae0eb3a ("pinctrl/msm: Setup GPIO chip in hierarchy") Link: https://lore.kernel.org/r/20200306121221.1231296-1-linus.walleij@linaro.org Link: https://lore.kernel.org/r/20200309125207.571840-1-linus.walleij@linaro.org Link: https://lore.kernel.org/r/20200309152604.585112-1-linus.walleij@linaro.org Tested-by: David Heidelberg <david(a)ixit.cz> Acked-by: Marc Zyngier <maz(a)kernel.org> Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c index 9a8daa256a32..1a948c3f54b7 100644 --- a/drivers/pinctrl/qcom/pinctrl-msm.c +++ b/drivers/pinctrl/qcom/pinctrl-msm.c @@ -1104,7 +1104,6 @@ static int msm_gpio_init(struct msm_pinctrl *pctrl) pctrl->irq_chip.irq_mask = msm_gpio_irq_mask; pctrl->irq_chip.irq_unmask = msm_gpio_irq_unmask; pctrl->irq_chip.irq_ack = msm_gpio_irq_ack; - pctrl->irq_chip.irq_eoi = irq_chip_eoi_parent; pctrl->irq_chip.irq_set_type = msm_gpio_irq_set_type; pctrl->irq_chip.irq_set_wake = msm_gpio_irq_set_wake; pctrl->irq_chip.irq_request_resources = msm_gpio_irq_reqres; @@ -1118,7 +1117,7 @@ static int msm_gpio_init(struct msm_pinctrl *pctrl) if (!chip->irq.parent_domain) return -EPROBE_DEFER; chip->irq.child_to_parent_hwirq = msm_gpio_wakeirq; - + pctrl->irq_chip.irq_eoi = irq_chip_eoi_parent; /* * Let's skip handling the GPIOs, if the parent irqchip * is handling the direct connect IRQ of the GPIO.

4 years, 9 months

3
2
0 0

[PATCH v3 1/5] kmod: make request_module() return an error when autoloading is disabled

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> It's long been possible to disable kernel module autoloading completely (while still allowing manual module insertion) by setting /proc/sys/kernel/modprobe to the empty string. This can be preferable to setting it to a nonexistent file since it avoids the overhead of an attempted execve(), avoids potential deadlocks, and avoids the call to security_kernel_module_request() and thus on SELinux-based systems eliminates the need to write SELinux rules to dontaudit module_request. However, when module autoloading is disabled in this way, request_module() returns 0. This is broken because callers expect 0 to mean that the module was successfully loaded. Apparently this was never noticed because this method of disabling module autoloading isn't used much, and also most callers don't use the return value of request_module() since it's always necessary to check whether the module registered its functionality or not anyway. But improperly returning 0 can indeed confuse a few callers, for example get_fs_type() in fs/filesystems.c where it causes a WARNING to be hit: if (!fs && (request_module("fs-%.*s", len, name) == 0)) { fs = __get_fs_type(name, len); WARN_ONCE(!fs, "request_module fs-%.*s succeeded, but still no fs?\n", len, name); } This is easily reproduced with: echo > /proc/sys/kernel/modprobe mount -t NONEXISTENT none / It causes: request_module fs-NONEXISTENT succeeded, but still no fs? WARNING: CPU: 1 PID: 1106 at fs/filesystems.c:275 get_fs_type+0xd6/0xf0 [...] This should actually use pr_warn_once() rather than WARN_ONCE(), since it's also user-reachable if userspace immediately unloads the module. Regardless, request_module() should correctly return an error when it fails. So let's make it return -ENOENT, which matches the error when the modprobe binary doesn't exist. I've also sent patches to document and test this case. Acked-by: Luis Chamberlain <mcgrof(a)kernel.org> Cc: stable(a)vger.kernel.org Cc: Alexei Starovoitov <ast(a)kernel.org> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Jeff Vander Stoep <jeffv(a)google.com> Cc: Jessica Yu <jeyu(a)kernel.org> Cc: Kees Cook <keescook(a)chromium.org> Cc: NeilBrown <neilb(a)suse.com> Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- kernel/kmod.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/kmod.c b/kernel/kmod.c index bc6addd9152b4..a2de58de6ab62 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c @@ -120,7 +120,7 @@ static int call_modprobe(char *module_name, int wait) * invoke it. * * If module auto-loading support is disabled then this function - * becomes a no-operation. + * simply returns -ENOENT. */ int __request_module(bool wait, const char *fmt, ...) { @@ -137,7 +137,7 @@ int __request_module(bool wait, const char *fmt, ...) WARN_ON_ONCE(wait && current_is_async()); if (!modprobe_path[0]) - return 0; + return -ENOENT; va_start(args, fmt); ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); -- 2.25.1

4 years, 9 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror March 2020