diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-28 06:51:44 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-28 06:51:44 -0500 |
commit | 29cc65a8d97cc664a2ff985703a1a5b61472f307 (patch) | |
tree | e7693355f7312b743d37e8e62fcaafa85f44ed05 | |
parent | a7d9774c8cebab9b3755a10a320fb45499cb6ee3 (diff) | |
download | queue-3.18-29cc65a8d97cc664a2ff985703a1a5b61472f307.tar.gz |
more patches
-rw-r--r-- | af_packet-set-defaule-value-for-tmo.patch | 54 | ||||
-rw-r--r-- | mod_devicetable-fix-phy-module-format.patch | 43 | ||||
-rw-r--r-- | net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch | 76 | ||||
-rw-r--r-- | sctp-fully-initialize-v4-addr-in-some-functions.patch | 99 | ||||
-rw-r--r-- | series | 4 |
5 files changed, 276 insertions, 0 deletions
diff --git a/af_packet-set-defaule-value-for-tmo.patch b/af_packet-set-defaule-value-for-tmo.patch new file mode 100644 index 0000000..badf7ba --- /dev/null +++ b/af_packet-set-defaule-value-for-tmo.patch @@ -0,0 +1,54 @@ +From foo@baz Sat 28 Dec 2019 06:10:39 AM EST +From: Mao Wenan <maowenan@huawei.com> +Date: Mon, 9 Dec 2019 21:31:25 +0800 +Subject: af_packet: set defaule value for tmo + +From: Mao Wenan <maowenan@huawei.com> + +[ Upstream commit b43d1f9f7067c6759b1051e8ecb84e82cef569fe ] + +There is softlockup when using TPACKET_V3: +... +NMI watchdog: BUG: soft lockup - CPU#2 stuck for 60010ms! +(__irq_svc) from [<c0558a0c>] (_raw_spin_unlock_irqrestore+0x44/0x54) +(_raw_spin_unlock_irqrestore) from [<c027b7e8>] (mod_timer+0x210/0x25c) +(mod_timer) from [<c0549c30>] +(prb_retire_rx_blk_timer_expired+0x68/0x11c) +(prb_retire_rx_blk_timer_expired) from [<c027a7ac>] +(call_timer_fn+0x90/0x17c) +(call_timer_fn) from [<c027ab6c>] (run_timer_softirq+0x2d4/0x2fc) +(run_timer_softirq) from [<c021eaf4>] (__do_softirq+0x218/0x318) +(__do_softirq) from [<c021eea0>] (irq_exit+0x88/0xac) +(irq_exit) from [<c0240130>] (msa_irq_exit+0x11c/0x1d4) +(msa_irq_exit) from [<c0209cf0>] (handle_IPI+0x650/0x7f4) +(handle_IPI) from [<c02015bc>] (gic_handle_irq+0x108/0x118) +(gic_handle_irq) from [<c0558ee4>] (__irq_usr+0x44/0x5c) +... + +If __ethtool_get_link_ksettings() is failed in +prb_calc_retire_blk_tmo(), msec and tmo will be zero, so tov_in_jiffies +is zero and the timer expire for retire_blk_timer is turn to +mod_timer(&pkc->retire_blk_timer, jiffies + 0), +which will trigger cpu usage of softirq is 100%. + +Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") +Tested-by: Xiao Jiangfeng <xiaojiangfeng@huawei.com> +Signed-off-by: Mao Wenan <maowenan@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/packet/af_packet.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -584,7 +584,8 @@ static int prb_calc_retire_blk_tmo(struc + msec = 1; + div = speed / 1000; + } +- } ++ } else ++ return DEFAULT_PRB_RETIRE_TOV; + + mbits = (blk_size_in_bytes * 8) / (1024 * 1024); + diff --git a/mod_devicetable-fix-phy-module-format.patch b/mod_devicetable-fix-phy-module-format.patch new file mode 100644 index 0000000..00cd8ad --- /dev/null +++ b/mod_devicetable-fix-phy-module-format.patch @@ -0,0 +1,43 @@ +From foo@baz Sat 28 Dec 2019 06:10:39 AM EST +From: Russell King <rmk+kernel@armlinux.org.uk> +Date: Thu, 19 Dec 2019 23:24:47 +0000 +Subject: mod_devicetable: fix PHY module format + +From: Russell King <rmk+kernel@armlinux.org.uk> + +[ Upstream commit d2ed49cf6c13e379c5819aa5ac20e1f9674ebc89 ] + +When a PHY is probed, if the top bit is set, we end up requesting a +module with the string "mdio:-10101110000000100101000101010001" - +the top bit is printed to a signed -1 value. This leads to the module +not being loaded. + +Fix the module format string and the macro generating the values for +it to ensure that we only print unsigned types and the top bit is +always 0/1. We correctly end up with +"mdio:10101110000000100101000101010001". + +Fixes: 8626d3b43280 ("phylib: Support phy module autoloading") +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + include/linux/mod_devicetable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/mod_devicetable.h ++++ b/include/linux/mod_devicetable.h +@@ -497,9 +497,9 @@ struct platform_device_id { + + #define MDIO_MODULE_PREFIX "mdio:" + +-#define MDIO_ID_FMT "%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d" ++#define MDIO_ID_FMT "%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u" + #define MDIO_ID_ARGS(_id) \ +- (_id)>>31, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \ ++ ((_id)>>31) & 1, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \ + ((_id)>>27) & 1, ((_id)>>26) & 1, ((_id)>>25) & 1, ((_id)>>24) & 1, \ + ((_id)>>23) & 1, ((_id)>>22) & 1, ((_id)>>21) & 1, ((_id)>>20) & 1, \ + ((_id)>>19) & 1, ((_id)>>18) & 1, ((_id)>>17) & 1, ((_id)>>16) & 1, \ diff --git a/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch b/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch new file mode 100644 index 0000000..3a937b3 --- /dev/null +++ b/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch @@ -0,0 +1,76 @@ +From foo@baz Sat 28 Dec 2019 06:10:39 AM EST +From: Ben Hutchings <ben@decadent.org.uk> +Date: Tue, 17 Dec 2019 01:57:40 +0000 +Subject: net: qlogic: Fix error paths in ql_alloc_large_buffers() + +From: Ben Hutchings <ben@decadent.org.uk> + +[ Upstream commit cad46039e4c99812db067c8ac22a864960e7acc4 ] + +ql_alloc_large_buffers() has the usual RX buffer allocation +loop where it allocates skbs and maps them for DMA. It also +treats failure as a fatal error. + +There are (at least) three bugs in the error paths: + +1. ql_free_large_buffers() assumes that the lrg_buf[] entry for the +first buffer that couldn't be allocated will have .skb == NULL. +But the qla_buf[] array is not zero-initialised. + +2. ql_free_large_buffers() DMA-unmaps all skbs in lrg_buf[]. This is +incorrect for the last allocated skb, if DMA mapping failed. + +3. Commit 1acb8f2a7a9f ("net: qlogic: Fix memory leak in +ql_alloc_large_buffers") added a direct call to dev_kfree_skb_any() +after the skb is recorded in lrg_buf[], so ql_free_large_buffers() +will double-free it. + +The bugs are somewhat inter-twined, so fix them all at once: + +* Clear each entry in qla_buf[] before attempting to allocate + an skb for it. This goes half-way to fixing bug 1. +* Set the .skb field only after the skb is DMA-mapped. This + fixes the rest. + +Fixes: 1357bfcf7106 ("qla3xxx: Dynamically size the rx buffer queue ...") +Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() ...") +Fixes: 1acb8f2a7a9f ("net: qlogic: Fix memory leak in ql_alloc_large_buffers") +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -2756,6 +2756,9 @@ static int ql_alloc_large_buffers(struct + int err; + + for (i = 0; i < qdev->num_large_buffers; i++) { ++ lrg_buf_cb = &qdev->lrg_buf[i]; ++ memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb)); ++ + skb = netdev_alloc_skb(qdev->ndev, + qdev->lrg_buffer_len); + if (unlikely(!skb)) { +@@ -2766,11 +2769,7 @@ static int ql_alloc_large_buffers(struct + ql_free_large_buffers(qdev); + return -ENOMEM; + } else { +- +- lrg_buf_cb = &qdev->lrg_buf[i]; +- memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb)); + lrg_buf_cb->index = i; +- lrg_buf_cb->skb = skb; + /* + * We save some space to copy the ethhdr from first + * buffer +@@ -2792,6 +2791,7 @@ static int ql_alloc_large_buffers(struct + return -ENOMEM; + } + ++ lrg_buf_cb->skb = skb; + dma_unmap_addr_set(lrg_buf_cb, mapaddr, map); + dma_unmap_len_set(lrg_buf_cb, maplen, + qdev->lrg_buffer_len - diff --git a/sctp-fully-initialize-v4-addr-in-some-functions.patch b/sctp-fully-initialize-v4-addr-in-some-functions.patch new file mode 100644 index 0000000..abdb2e7 --- /dev/null +++ b/sctp-fully-initialize-v4-addr-in-some-functions.patch @@ -0,0 +1,99 @@ +From foo@baz Sat 28 Dec 2019 06:10:39 AM EST +From: Xin Long <lucien.xin@gmail.com> +Date: Mon, 9 Dec 2019 13:45:54 +0800 +Subject: sctp: fully initialize v4 addr in some functions + +From: Xin Long <lucien.xin@gmail.com> + +[ Upstream commit b6f3320b1d5267e7b583a6d0c88dda518101740c ] + +Syzbot found a crash: + + BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline] + BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline] + BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202 + Call Trace: + crc32_body lib/crc32.c:112 [inline] + crc32_le_generic lib/crc32.c:179 [inline] + __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202 + chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90 + crypto_shash_update+0x4c5/0x530 crypto/shash.c:107 + crc32c+0x150/0x220 lib/libcrc32c.c:47 + sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36 + __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640 + sctp_compute_cksum include/net/sctp/checksum.h:59 [inline] + sctp_packet_pack net/sctp/output.c:528 [inline] + sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597 + sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline] + sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194 + sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757 + sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline] + sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline] + sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155 + sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185 + sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433 + sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline] + sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672 + +The issue was caused by transport->ipaddr set with uninit addr param, which +was passed by: + + sctp_transport_init net/sctp/transport.c:47 [inline] + sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100 + sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611 + sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline] + +where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize +the padding of addr->v4. + +Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr) +will become the part of skb, and the issue occurs. + +This patch is to fix it by initializing the padding of addr->v4 in +sctp_v4_from_addr_param(), as well as other functions that do the similar +thing, and these functions shouldn't trust that the caller initializes the +memory, as Marcelo suggested. + +Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Acked-by: Neil Horman <nhorman@tuxdriver.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/sctp/protocol.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -253,6 +253,7 @@ static void sctp_v4_from_sk(union sctp_a + addr->v4.sin_family = AF_INET; + addr->v4.sin_port = 0; + addr->v4.sin_addr.s_addr = inet_sk(sk)->inet_rcv_saddr; ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + } + + /* Initialize sk->sk_rcv_saddr from sctp_addr. */ +@@ -275,6 +276,7 @@ static void sctp_v4_from_addr_param(unio + addr->v4.sin_family = AF_INET; + addr->v4.sin_port = port; + addr->v4.sin_addr.s_addr = param->v4.addr.s_addr; ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + } + + /* Initialize an address parameter from a sctp_addr and return the length +@@ -299,6 +301,7 @@ static void sctp_v4_dst_saddr(union sctp + saddr->v4.sin_family = AF_INET; + saddr->v4.sin_port = port; + saddr->v4.sin_addr.s_addr = fl4->saddr; ++ memset(saddr->v4.sin_zero, 0, sizeof(saddr->v4.sin_zero)); + } + + /* Compare two addresses exactly. */ +@@ -321,6 +324,7 @@ static void sctp_v4_inaddr_any(union sct + addr->v4.sin_family = AF_INET; + addr->v4.sin_addr.s_addr = htonl(INADDR_ANY); + addr->v4.sin_port = port; ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + } + + /* Is this a wildcard address? */ @@ -68,3 +68,7 @@ alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch alsa-hda-ca0132-keep-power-on-during-processing-dsp-response.patch alsa-hda-ca0132-avoid-endless-loop.patch +af_packet-set-defaule-value-for-tmo.patch +mod_devicetable-fix-phy-module-format.patch +net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch +sctp-fully-initialize-v4-addr-in-some-functions.patch |