Refresh patches.

Remove upstreamed patches:
- backport/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
- backport/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch
- backport/424-v4.20-net-dsa-fix-88e6060-roaming.patch
- hack/100-mtd-rawnand-qcom-fix-memory-corruption-that-causes-p.patch
- pending/510-f2fs-fix-sanity_check_raw_super-on-big-endian-machines.patch

Update patch that no longer applies:
- backport/343-netfilter-nft_flow_offload-handle-netdevice-events-f.patch

Compile-tested: mesongx
Runtime-tested: mesongx

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
master
parent
76cc766521
commit
a37098a2d0
@ -1,119 +0,0 @@ |
||||
From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001
|
||||
From: Paul Burton <paul.burton@mips.com>
|
||||
Date: Thu, 20 Dec 2018 17:45:43 +0000
|
||||
Subject: MIPS: math-emu: Write-protect delay slot emulation pages
|
||||
|
||||
Mapping the delay slot emulation page as both writeable & executable
|
||||
presents a security risk, in that if an exploit can write to & jump into
|
||||
the page then it can be used as an easy way to execute arbitrary code.
|
||||
|
||||
Prevent this by mapping the page read-only for userland, and using
|
||||
access_process_vm() with the FOLL_FORCE flag to write to it from
|
||||
mips_dsemul().
|
||||
|
||||
This will likely be less efficient due to copy_to_user_page() performing
|
||||
cache maintenance on a whole page, rather than a single line as in the
|
||||
previous use of flush_cache_sigtramp(). However this delay slot
|
||||
emulation code ought not to be running in any performance critical paths
|
||||
anyway so this isn't really a problem, and we can probably do better in
|
||||
copy_to_user_page() anyway in future.
|
||||
|
||||
A major advantage of this approach is that the fix is small & simple to
|
||||
backport to stable kernels.
|
||||
|
||||
Reported-by: Andy Lutomirski <luto@kernel.org>
|
||||
Signed-off-by: Paul Burton <paul.burton@mips.com>
|
||||
Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
|
||||
Cc: stable@vger.kernel.org # v4.8+
|
||||
Cc: linux-mips@vger.kernel.org
|
||||
Cc: linux-kernel@vger.kernel.org
|
||||
Cc: Rich Felker <dalias@libc.org>
|
||||
Cc: David Daney <david.daney@cavium.com>
|
||||
---
|
||||
arch/mips/kernel/vdso.c | 4 ++--
|
||||
arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------
|
||||
2 files changed, 22 insertions(+), 20 deletions(-)
|
||||
|
||||
--- a/arch/mips/kernel/vdso.c
|
||||
+++ b/arch/mips/kernel/vdso.c
|
||||
@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct l
|
||||
|
||||
/* Map delay slot emulation page */
|
||||
base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
|
||||
- VM_READ|VM_WRITE|VM_EXEC|
|
||||
- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
|
||||
+ VM_READ | VM_EXEC |
|
||||
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
|
||||
0, NULL);
|
||||
if (IS_ERR_VALUE(base)) {
|
||||
ret = base;
|
||||
--- a/arch/mips/math-emu/dsemul.c
|
||||
+++ b/arch/mips/math-emu/dsemul.c
|
||||
@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mi
|
||||
{
|
||||
int isa16 = get_isa16_mode(regs->cp0_epc);
|
||||
mips_instruction break_math;
|
||||
- struct emuframe __user *fr;
|
||||
- int err, fr_idx;
|
||||
+ unsigned long fr_uaddr;
|
||||
+ struct emuframe fr;
|
||||
+ int fr_idx, ret;
|
||||
|
||||
/* NOP is easy */
|
||||
if (ir == 0)
|
||||
@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mi
|
||||
fr_idx = alloc_emuframe();
|
||||
if (fr_idx == BD_EMUFRAME_NONE)
|
||||
return SIGBUS;
|
||||
- fr = &dsemul_page()[fr_idx];
|
||||
|
||||
/* Retrieve the appropriately encoded break instruction */
|
||||
break_math = BREAK_MATH(isa16);
|
||||
|
||||
/* Write the instructions to the frame */
|
||||
if (isa16) {
|
||||
- err = __put_user(ir >> 16,
|
||||
- (u16 __user *)(&fr->emul));
|
||||
- err |= __put_user(ir & 0xffff,
|
||||
- (u16 __user *)((long)(&fr->emul) + 2));
|
||||
- err |= __put_user(break_math >> 16,
|
||||
- (u16 __user *)(&fr->badinst));
|
||||
- err |= __put_user(break_math & 0xffff,
|
||||
- (u16 __user *)((long)(&fr->badinst) + 2));
|
||||
+ union mips_instruction _emul = {
|
||||
+ .halfword = { ir >> 16, ir }
|
||||
+ };
|
||||
+ union mips_instruction _badinst = {
|
||||
+ .halfword = { break_math >> 16, break_math }
|
||||
+ };
|
||||
+
|
||||
+ fr.emul = _emul.word;
|
||||
+ fr.badinst = _badinst.word;
|
||||
} else {
|
||||
- err = __put_user(ir, &fr->emul);
|
||||
- err |= __put_user(break_math, &fr->badinst);
|
||||
+ fr.emul = ir;
|
||||
+ fr.badinst = break_math;
|
||||
}
|
||||
|
||||
- if (unlikely(err)) {
|
||||
+ /* Write the frame to user memory */
|
||||
+ fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
|
||||
+ ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
|
||||
+ FOLL_FORCE | FOLL_WRITE);
|
||||
+ if (unlikely(ret != sizeof(fr))) {
|
||||
MIPS_FPU_EMU_INC_STATS(errors);
|
||||
free_emuframe(fr_idx, current->mm);
|
||||
return SIGBUS;
|
||||
@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mi
|
||||
atomic_set(¤t->thread.bd_emu_frame, fr_idx);
|
||||
|
||||
/* Change user register context to execute the frame */
|
||||
- regs->cp0_epc = (unsigned long)&fr->emul | isa16;
|
||||
-
|
||||
- /* Ensure the icache observes our newly written frame */
|
||||
- flush_cache_sigtramp((unsigned long)&fr->emul);
|
||||
+ regs->cp0_epc = fr_uaddr | isa16;
|
||||
|
||||
return 0;
|
||||
}
|
@ -1,32 +0,0 @@ |
||||
From 508b09046c0f21678652fb66fd1e9959d55591d2 Mon Sep 17 00:00:00 2001
|
||||
From: Alin Nastac <alin.nastac@gmail.com>
|
||||
Date: Wed, 21 Nov 2018 14:00:30 +0100
|
||||
Subject: [PATCH] netfilter: ipv6: Preserve link scope traffic original oif
|
||||
|
||||
When ip6_route_me_harder is invoked, it resets outgoing interface of:
|
||||
- link-local scoped packets sent by neighbor discovery
|
||||
- multicast packets sent by MLD host
|
||||
- multicast packets send by MLD proxy daemon that sets outgoing
|
||||
interface through IPV6_PKTINFO ipi6_ifindex
|
||||
|
||||
Link-local and multicast packets must keep their original oif after
|
||||
ip6_route_me_harder is called.
|
||||
|
||||
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
net/ipv6/netfilter.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/net/ipv6/netfilter.c
|
||||
+++ b/net/ipv6/netfilter.c
|
||||
@@ -24,7 +24,8 @@ int ip6_route_me_harder(struct net *net,
|
||||
unsigned int hh_len;
|
||||
struct dst_entry *dst;
|
||||
struct flowi6 fl6 = {
|
||||
- .flowi6_oif = sk ? sk->sk_bound_dev_if : 0,
|
||||
+ .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
|
||||
+ rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
|
||||
.flowi6_mark = skb->mark,
|
||||
.flowi6_uid = sock_net_uid(net, sk),
|
||||
.daddr = iph->daddr,
|
@ -1,44 +0,0 @@ |
||||
From a74515604a7b171f2702bdcbd1e231225fb456d0 Mon Sep 17 00:00:00 2001
|
||||
From: Anderson Luiz Alves <alacn1@gmail.com>
|
||||
Date: Fri, 30 Nov 2018 21:58:36 -0200
|
||||
Subject: [PATCH] mv88e6060: disable hardware level MAC learning
|
||||
|
||||
Disable hardware level MAC learning because it breaks station roaming.
|
||||
When enabled it drops all frames that arrive from a MAC address
|
||||
that is on a different port at learning table.
|
||||
|
||||
Signed-off-by: Anderson Luiz Alves <alacn1@gmail.com>
|
||||
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/dsa/mv88e6060.c | 10 +++-------
|
||||
1 file changed, 3 insertions(+), 7 deletions(-)
|
||||
|
||||
--- a/drivers/net/dsa/mv88e6060.c
|
||||
+++ b/drivers/net/dsa/mv88e6060.c
|
||||
@@ -116,8 +116,7 @@ static int mv88e6060_switch_reset(struct
|
||||
/* Reset the switch. */
|
||||
REG_WRITE(REG_GLOBAL, GLOBAL_ATU_CONTROL,
|
||||
GLOBAL_ATU_CONTROL_SWRESET |
|
||||
- GLOBAL_ATU_CONTROL_ATUSIZE_1024 |
|
||||
- GLOBAL_ATU_CONTROL_ATE_AGE_5MIN);
|
||||
+ GLOBAL_ATU_CONTROL_LEARNDIS);
|
||||
|
||||
/* Wait up to one second for reset to complete. */
|
||||
timeout = jiffies + 1 * HZ;
|
||||
@@ -142,13 +141,10 @@ static int mv88e6060_setup_global(struct
|
||||
*/
|
||||
REG_WRITE(REG_GLOBAL, GLOBAL_CONTROL, GLOBAL_CONTROL_MAX_FRAME_1536);
|
||||
|
||||
- /* Enable automatic address learning, set the address
|
||||
- * database size to 1024 entries, and set the default aging
|
||||
- * time to 5 minutes.
|
||||
+ /* Disable automatic address learning.
|
||||
*/
|
||||
REG_WRITE(REG_GLOBAL, GLOBAL_ATU_CONTROL,
|
||||
- GLOBAL_ATU_CONTROL_ATUSIZE_1024 |
|
||||
- GLOBAL_ATU_CONTROL_ATE_AGE_5MIN);
|
||||
+ GLOBAL_ATU_CONTROL_LEARNDIS);
|
||||
|
||||
return 0;
|
||||
}
|
@ -1,83 +0,0 @@ |
||||
From c942c462411e4757aafba73bf13b5e5c7a4b62ca Mon Sep 17 00:00:00 2001
|
||||
From: Christian Lamparter <chunkeey@gmail.com>
|
||||
Date: Sun, 23 Dec 2018 00:38:55 +0100
|
||||
Subject: [PATCH] mtd: rawnand: qcom: fix memory corruption that causes panic
|
||||
|
||||
This patch fixes a memory corruption that occured in the
|
||||
qcom-nandc driver since it was converted to nand_scan().
|
||||
|
||||
On boot, an affected device will panic from a NPE at a weird place:
|
||||
| Unable to handle kernel NULL pointer dereference at virtual address 00000000
|
||||
| pgd = (ptrval)
|
||||
| [00000000] *pgd=00000000
|
||||
| Internal error: Oops: 80000005 [#1] SMP ARM
|
||||
| CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.9 #0
|
||||
| Hardware name: Generic DT based system
|
||||
| PC is at (null)
|
||||
| LR is at nand_block_isbad+0x90/0xa4
|
||||
| pc : [<00000000>] lr : [<c0592240>] psr: 80000013
|
||||
| sp : cf839d40 ip : 00000000 fp : cfae9e20
|
||||
| r10: cf815810 r9 : 00000000 r8 : 00000000
|
||||
| r7 : 00000000 r6 : 00000000 r5 : 00000001 r4 : cf815810
|
||||
| r3 : 00000000 r2 : cfae9810 r1 : ffffffff r0 : cf815810
|
||||
| Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
|
||||
| Control: 10c5387d Table: 8020406a DAC: 00000051
|
||||
| Process swapper/0 (pid: 1, stack limit = 0x(ptrval))
|
||||
| [<c0592240>] (nand_block_isbad) from [<c0580a94>] (allocate_partition+0x7a0/0x7dc)
|
||||
| [<c0580a94>] (allocate_partition) from [<c05811e4>] (add_mtd_partitions+0x58/0x10c)
|
||||
| [<c05811e4>] (add_mtd_partitions) from [<c0581164>] (parse_mtd_partitions+0x310/0x338)
|
||||
| [<c0581164>] (parse_mtd_partitions) from [<c057def4>] (mtd_device_parse_register+0x60/0x15c)
|
||||
| [<c057def4>] (mtd_device_parse_register) from [<c059d274>] (qcom_nandc_probe+0x770/0x8f4)
|
||||
| [<c059d274>] (qcom_nandc_probe) from [<c0567f00>] (platform_drv_probe+0x34/0x70)
|
||||
|
||||
The problem is that the nand_scan()'s qcom_nand_attach_chip callback
|
||||
is updating the nandc->max_cwperpage from 1 to 4. This causes the
|
||||
sg_init_table of clear_bam_transaction() in the driver's
|
||||
qcom_nandc_block_bad() to memset much more than what was initially
|
||||
allocated by alloc_bam_transaction().
|
||||
|
||||
Hence, this patch restores the old behavior by performing the
|
||||
alloc_bam_transaction() after the chip was identified.
|
||||
|
||||
Fixes: 6a3cec64f18c ("mtd: rawnand: qcom: convert driver to nand_scan()")
|
||||
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
||||
---
|
||||
drivers/mtd/nand/raw/qcom_nandc.c | 20 ++++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
--- a/drivers/mtd/nand/raw/qcom_nandc.c
|
||||
+++ b/drivers/mtd/nand/raw/qcom_nandc.c
|
||||
@@ -2839,6 +2839,16 @@ static int qcom_nand_host_init_and_regis
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
+ if (nandc->props->is_bam) {
|
||||
+ free_bam_transaction(nandc);
|
||||
+ nandc->bam_txn = alloc_bam_transaction(nandc);
|
||||
+ if (!nandc->bam_txn) {
|
||||
+ dev_err(nandc->dev,
|
||||
+ "failed to allocate bam transaction\n");
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
ret = mtd_device_register(mtd, NULL, 0);
|
||||
if (ret)
|
||||
nand_cleanup(chip);
|
||||
@@ -2853,16 +2863,6 @@ static int qcom_probe_nand_devices(struc
|
||||
struct qcom_nand_host *host;
|
||||
int ret;
|
||||
|
||||
- if (nandc->props->is_bam) {
|
||||
- free_bam_transaction(nandc);
|
||||
- nandc->bam_txn = alloc_bam_transaction(nandc);
|
||||
- if (!nandc->bam_txn) {
|
||||
- dev_err(nandc->dev,
|
||||
- "failed to allocate bam transaction\n");
|
||||
- return -ENOMEM;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
for_each_available_child_of_node(dn, child) {
|
||||
host = devm_kzalloc(dev, sizeof(*host), GFP_KERNEL);
|
||||
if (!host) {
|
@ -1,49 +0,0 @@ |
||||
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
|
||||
Subject: [PATCH v2 1/1] f2fs: fix validation of the block count in
|
||||
sanity_check_raw_super
|
||||
Date: Sat, 22 Dec 2018 11:22:26 +0100
|
||||
Message-Id: <20181222102226.10050-2-martin.blumenstingl@googlemail.com>
|
||||
|
||||
Treat "block_count" from struct f2fs_super_block as 64-bit little endian
|
||||
value in sanity_check_raw_super() because struct f2fs_super_block
|
||||
declares "block_count" as "__le64".
|
||||
|
||||
This fixes a bug where the superblock validation fails on big endian
|
||||
devices with the following error:
|
||||
F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
|
||||
F2FS-fs (sda1): Can't find valid F2FS filesystem in 1th superblock
|
||||
F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
|
||||
F2FS-fs (sda1): Can't find valid F2FS filesystem in 2th superblock
|
||||
As result of this the partition cannot be mounted.
|
||||
|
||||
With this patch applied the superblock validation works fine and the
|
||||
partition can be mounted again:
|
||||
F2FS-fs (sda1): Mounted with checkpoint version = 7c84
|
||||
|
||||
My little endian x86-64 hardware was able to mount the partition without
|
||||
this fix.
|
||||
To confirm that mounting f2fs filesystems works on big endian machines
|
||||
again I tested this on a 32-bit MIPS big endian (lantiq) device.
|
||||
|
||||
Fixes: 0cfe75c5b01199 ("f2fs: enhance sanity_check_raw_super() to avoid potential overflows")
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
|
||||
Reviewed-by: Chao Yu <yuchao0@huawei.com>
|
||||
---
|
||||
|
||||
--- a/fs/f2fs/super.c
|
||||
+++ b/fs/f2fs/super.c
|
||||
@@ -2267,10 +2267,10 @@ static int sanity_check_raw_super(struct
|
||||
return 1;
|
||||
}
|
||||
|
||||
- if (segment_count > (le32_to_cpu(raw_super->block_count) >> 9)) {
|
||||
+ if (segment_count > (le64_to_cpu(raw_super->block_count) >> 9)) {
|
||||
f2fs_msg(sb, KERN_INFO,
|
||||
- "Wrong segment_count / block_count (%u > %u)",
|
||||
- segment_count, le32_to_cpu(raw_super->block_count));
|
||||
+ "Wrong segment_count / block_count (%u > %llu)",
|
||||
+ segment_count, le64_to_cpu(raw_super->block_count));
|
||||
return 1;
|
||||
}
|
||||
|