5.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 10 Oct 2022 06:49:57 +0000 (08:49 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 10 Oct 2022 06:49:57 +0000 (08:49 +0200)
added patches:
bluetooth-use-hdev-workqueue-when-queuing-hdev-cmd-ncmd-_timer-works.patch
bpf-fix-resetting-logic-for-unreferenced-kptrs.patch
bpf-gate-dynptr-api-behind-cap_bpf.patch
net-ethernet-mtk_eth_soc-fix-state-in-__mtk_foe_entry_clear.patch

queue-5.19/bluetooth-use-hdev-workqueue-when-queuing-hdev-cmd-ncmd-_timer-works.patch [new file with mode: 0644]
queue-5.19/bpf-fix-resetting-logic-for-unreferenced-kptrs.patch [new file with mode: 0644]
queue-5.19/bpf-gate-dynptr-api-behind-cap_bpf.patch [new file with mode: 0644]
queue-5.19/net-ethernet-mtk_eth_soc-fix-state-in-__mtk_foe_entry_clear.patch [new file with mode: 0644]
queue-5.19/series

diff --git a/queue-5.19/bluetooth-use-hdev-workqueue-when-queuing-hdev-cmd-ncmd-_timer-works.patch b/queue-5.19/bluetooth-use-hdev-workqueue-when-queuing-hdev-cmd-ncmd-_timer-works.patch
new file mode 100644 (file)
index 0000000..833a5af
--- /dev/null
@@ -0,0 +1,91 @@
+From deee93d13d385103205879a8a0915036ecd83261 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 2 Sep 2022 20:23:48 +0900
+Subject: Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit deee93d13d385103205879a8a0915036ecd83261 upstream.
+
+syzbot is reporting attempt to schedule hdev->cmd_work work from system_wq
+WQ into hdev->workqueue WQ which is under draining operation [1], for
+commit c8efcc2589464ac7 ("workqueue: allow chained queueing during
+destruction") does not allow such operation.
+
+The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work
+queue is drained, only queue chained work") was incomplete.
+
+Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}_timer works because
+hci_{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect
+the queuing operation with RCU read lock in order to avoid calling
+queue_delayed_work() after cancel_delayed_work() completed.
+
+Link: https://syzkaller.appspot.com/bug?extid=243b7d89777f90f7613b [1]
+Reported-by: syzbot <syzbot+243b7d89777f90f7613b@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Fixes: 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_core.c  |   15 +++++++++++++--
+ net/bluetooth/hci_event.c |    6 ++++--
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -596,6 +596,15 @@ static int hci_dev_do_reset(struct hci_d
+       /* Cancel these to avoid queueing non-chained pending work */
+       hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
++      /* Wait for
++       *
++       *    if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
++       *        queue_delayed_work(&hdev->{cmd,ncmd}_timer)
++       *
++       * inside RCU section to see the flag or complete scheduling.
++       */
++      synchronize_rcu();
++      /* Explicitly cancel works in case scheduled after setting the flag. */
+       cancel_delayed_work(&hdev->cmd_timer);
+       cancel_delayed_work(&hdev->ncmd_timer);
+@@ -3871,12 +3880,14 @@ static void hci_cmd_work(struct work_str
+                       if (res < 0)
+                               __hci_cmd_sync_cancel(hdev, -res);
++                      rcu_read_lock();
+                       if (test_bit(HCI_RESET, &hdev->flags) ||
+                           hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
+                               cancel_delayed_work(&hdev->cmd_timer);
+                       else
+-                              schedule_delayed_work(&hdev->cmd_timer,
+-                                                    HCI_CMD_TIMEOUT);
++                              queue_delayed_work(hdev->workqueue, &hdev->cmd_timer,
++                                                 HCI_CMD_TIMEOUT);
++                      rcu_read_unlock();
+               } else {
+                       skb_queue_head(&hdev->cmd_q, skb);
+                       queue_work(hdev->workqueue, &hdev->cmd_work);
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3763,16 +3763,18 @@ static inline void handle_cmd_cnt_and_ti
+ {
+       cancel_delayed_work(&hdev->cmd_timer);
++      rcu_read_lock();
+       if (!test_bit(HCI_RESET, &hdev->flags)) {
+               if (ncmd) {
+                       cancel_delayed_work(&hdev->ncmd_timer);
+                       atomic_set(&hdev->cmd_cnt, 1);
+               } else {
+                       if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
+-                              schedule_delayed_work(&hdev->ncmd_timer,
+-                                                    HCI_NCMD_TIMEOUT);
++                              queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
++                                                 HCI_NCMD_TIMEOUT);
+               }
+       }
++      rcu_read_unlock();
+ }
+ #define HCI_CC_VL(_op, _func, _min, _max) \
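Review bot: The new rcu_read_lock()/rcu_read_unlock() pairs around the test-and-queue in hci_cmd_work() (net/bluetooth/hci_core.c) and in handle_cmd_cnt_and_timer() (net/bluetooth/hci_event.c) carry no comment saying what they pair with, and because HCI_CMD_DRAIN_WORKQUEUE is read with a plain hci_dev_test_flag() rather than through an RCU-protected pointer, the read side is unusual enough to deserve one. A single line before each rcu_read_lock() would do: `/* Pairs with synchronize_rcu() in hci_dev_do_reset(): a timer queued inside this section is guaranteed to be seen by the cancel_delayed_work() that follows it. */`. The comment added in hci_dev_do_reset() could likewise name the two reader functions it waits for instead of quoting pseudo-code. hci_dev_do_reset() and hci_cmd_work() both start and end outside their hunks, and as this is a stable backport the surrounding 5.19 code is assumed to match upstream.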
diff --git a/queue-5.19/bpf-fix-resetting-logic-for-unreferenced-kptrs.patch b/queue-5.19/bpf-fix-resetting-logic-for-unreferenced-kptrs.patch
new file mode 100644 (file)
index 0000000..6bad510
--- /dev/null
@@ -0,0 +1,40 @@
+From 9fad7fe5b29803584c7f17a2abe6c2936fec6828 Mon Sep 17 00:00:00 2001
+From: Jules Irenge <jbi.octave@gmail.com>
+Date: Wed, 7 Sep 2022 16:24:20 +0100
+Subject: bpf: Fix resetting logic for unreferenced kptrs
+
+From: Jules Irenge <jbi.octave@gmail.com>
+
+commit 9fad7fe5b29803584c7f17a2abe6c2936fec6828 upstream.
+
+Sparse reported a warning at bpf_map_free_kptrs()
+"warning: Using plain integer as NULL pointer"
+During the process of fixing this warning, it was discovered that the current
+code erroneously writes to the pointer variable instead of deferencing and
+writing to the actual kptr. Hence, Sparse tool accidentally helped to uncover
+this problem. Fix this by doing WRITE_ONCE(*p, 0) instead of WRITE_ONCE(p, 0).
+
+Note that the effect of this bug is that unreferenced kptrs will not be cleared
+during check_and_free_fields. It is not a problem if the clearing is not done
+during map_free stage, as there is nothing to free for them.
+
+Fixes: 14a324f6a67e ("bpf: Wire up freeing of referenced kptr")
+Signed-off-by: Jules Irenge <jbi.octave@gmail.com>
+Link: https://lore.kernel.org/r/Yxi3pJaK6UDjVJSy@playground
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/syscall.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -578,7 +578,7 @@ void bpf_map_free_kptrs(struct bpf_map *
+               if (off_desc->type == BPF_KPTR_UNREF) {
+                       u64 *p = (u64 *)btf_id_ptr;
+-                      WRITE_ONCE(p, 0);
++                      WRITE_ONCE(*p, 0);
+                       continue;
+               }
+               old_ptr = xchg(btf_id_ptr, 0);
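Review bot: The corrected store `WRITE_ONCE(*p, 0)` has no comment explaining why the BPF_KPTR_UNREF branch clears the slot with a plain store while the code right after it goes through xchg(); the rationale (an unreferenced kptr holds nothing to release) lives only in the commit message. A comment above the WRITE_ONCE would keep the asymmetry from looking like an oversight: `/* Unreferenced kptrs hold no reference, so clearing the slot is all that is needed; referenced kptrs are xchg'd and released below. */`. bpf_map_free_kptrs() starts and ends outside the hunk.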
diff --git a/queue-5.19/bpf-gate-dynptr-api-behind-cap_bpf.patch b/queue-5.19/bpf-gate-dynptr-api-behind-cap_bpf.patch
new file mode 100644 (file)
index 0000000..503a7a2
--- /dev/null
@@ -0,0 +1,85 @@
+From 8addbfc7b308d591f8a5f2f6bb24d08d9d79dfbb Mon Sep 17 00:00:00 2001
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Date: Wed, 21 Sep 2022 16:35:50 +0200
+Subject: bpf: Gate dynptr API behind CAP_BPF
+
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+
+commit 8addbfc7b308d591f8a5f2f6bb24d08d9d79dfbb upstream.
+
+This has been enabled for unprivileged programs for only one kernel
+release, hence the expected annoyances due to this move are low. Users
+using ringbuf can stick to non-dynptr APIs. The actual use cases dynptr
+is meant to serve may not make sense in unprivileged BPF programs.
+
+Hence, gate these helpers behind CAP_BPF and limit use to privileged
+BPF programs.
+
+Fixes: 263ae152e962 ("bpf: Add bpf_dynptr_from_mem for local dynptrs")
+Fixes: bc34dee65a65 ("bpf: Dynptr support for ring buffers")
+Fixes: 13bbbfbea759 ("bpf: Add bpf_dynptr_read and bpf_dynptr_write")
+Fixes: 34d4ef5775f7 ("bpf: Add dynptr data slices")
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/r/20220921143550.30247-1-memxor@gmail.com
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/helpers.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index 1f961f9982d2..3814b0fd3a2c 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -1627,26 +1627,12 @@ bpf_base_func_proto(enum bpf_func_id func_id)
+               return &bpf_ringbuf_discard_proto;
+       case BPF_FUNC_ringbuf_query:
+               return &bpf_ringbuf_query_proto;
+-      case BPF_FUNC_ringbuf_reserve_dynptr:
+-              return &bpf_ringbuf_reserve_dynptr_proto;
+-      case BPF_FUNC_ringbuf_submit_dynptr:
+-              return &bpf_ringbuf_submit_dynptr_proto;
+-      case BPF_FUNC_ringbuf_discard_dynptr:
+-              return &bpf_ringbuf_discard_dynptr_proto;
+       case BPF_FUNC_for_each_map_elem:
+               return &bpf_for_each_map_elem_proto;
+       case BPF_FUNC_loop:
+               return &bpf_loop_proto;
+       case BPF_FUNC_strncmp:
+               return &bpf_strncmp_proto;
+-      case BPF_FUNC_dynptr_from_mem:
+-              return &bpf_dynptr_from_mem_proto;
+-      case BPF_FUNC_dynptr_read:
+-              return &bpf_dynptr_read_proto;
+-      case BPF_FUNC_dynptr_write:
+-              return &bpf_dynptr_write_proto;
+-      case BPF_FUNC_dynptr_data:
+-              return &bpf_dynptr_data_proto;
+       default:
+               break;
+       }
+@@ -1675,6 +1661,20 @@ bpf_base_func_proto(enum bpf_func_id func_id)
+               return &bpf_timer_cancel_proto;
+       case BPF_FUNC_kptr_xchg:
+               return &bpf_kptr_xchg_proto;
++      case BPF_FUNC_ringbuf_reserve_dynptr:
++              return &bpf_ringbuf_reserve_dynptr_proto;
++      case BPF_FUNC_ringbuf_submit_dynptr:
++              return &bpf_ringbuf_submit_dynptr_proto;
++      case BPF_FUNC_ringbuf_discard_dynptr:
++              return &bpf_ringbuf_discard_dynptr_proto;
++      case BPF_FUNC_dynptr_from_mem:
++              return &bpf_dynptr_from_mem_proto;
++      case BPF_FUNC_dynptr_read:
++              return &bpf_dynptr_read_proto;
++      case BPF_FUNC_dynptr_write:
++              return &bpf_dynptr_write_proto;
++      case BPF_FUNC_dynptr_data:
++              return &bpf_dynptr_data_proto;
+       default:
+               break;
+       }
+-- 
+2.38.0
+
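Review bot: The dynptr cases re-added after `case BPF_FUNC_kptr_xchg:` are privileged only by virtue of their position in bpf_base_func_proto(): the capability check that separates the two switch statements lies between the hunks, outside both, and nothing at the insertion point records that these cases must stay below it. A short comment on the new block, `/* dynptr helpers are CAP_BPF-only; keep them below the capability check, not in the unprivileged switch above. */`, would stop a later reorder from silently re-exposing them to unprivileged programs. That check is presumably the bpf_capable() test; it is not visible here, so this is inferred from the commit message rather than the hunk.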
diff --git a/queue-5.19/net-ethernet-mtk_eth_soc-fix-state-in-__mtk_foe_entry_clear.patch b/queue-5.19/net-ethernet-mtk_eth_soc-fix-state-in-__mtk_foe_entry_clear.patch
new file mode 100644 (file)
index 0000000..04929f2
--- /dev/null
@@ -0,0 +1,41 @@
+From ae3ed15da5889263de372ff9df2e83e16acca4cb Mon Sep 17 00:00:00 2001
+From: Daniel Golle <daniel@makrotopia.org>
+Date: Fri, 30 Sep 2022 01:56:53 +0100
+Subject: net: ethernet: mtk_eth_soc: fix state in __mtk_foe_entry_clear
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+commit ae3ed15da5889263de372ff9df2e83e16acca4cb upstream.
+
+Setting ib1 state to MTK_FOE_STATE_UNBIND in __mtk_foe_entry_clear
+routine as done by commit 0e80707d94e4c8 ("net: ethernet: mtk_eth_soc:
+fix typo in __mtk_foe_entry_clear") breaks flow offloading, at least
+on older MTK_NETSYS_V1 SoCs, OpenWrt users have confirmed the bug on
+MT7622 and MT7621 systems.
+Felix Fietkau suggested to use MTK_FOE_STATE_INVALID instead which
+works well on both, MTK_NETSYS_V1 and MTK_NETSYS_V2.
+
+Tested on MT7622 (Linksys E8450) and MT7986 (BananaPi BPI-R3).
+
+Suggested-by: Felix Fietkau <nbd@nbd.name>
+Fixes: 0e80707d94e4c8 ("net: ethernet: mtk_eth_soc: fix typo in __mtk_foe_entry_clear")
+Fixes: 33fc42de33278b ("net: ethernet: mtk_eth_soc: support creating mac address based offload entries")
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Link: https://lore.kernel.org/r/YzY+1Yg0FBXcnrtc@makrotopia.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mediatek/mtk_ppe.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mediatek/mtk_ppe.c
++++ b/drivers/net/ethernet/mediatek/mtk_ppe.c
+@@ -412,7 +412,7 @@ __mtk_foe_entry_clear(struct mtk_ppe *pp
+       if (entry->hash != 0xffff) {
+               ppe->foe_table[entry->hash].ib1 &= ~MTK_FOE_IB1_STATE;
+               ppe->foe_table[entry->hash].ib1 |= FIELD_PREP(MTK_FOE_IB1_STATE,
+-                                                            MTK_FOE_STATE_UNBIND);
++                                                            MTK_FOE_STATE_INVALID);
+               dma_wmb();
+       }
+       entry->hash = 0xffff;
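Review bot: The switch to MTK_FOE_STATE_INVALID in __mtk_foe_entry_clear() is a deliberate choice over the name that reads as the natural one for a clear, yet nothing in the code records why; the reason (UNBIND breaks flow offloading on MTK_NETSYS_V1 parts such as MT7621/MT7622, INVALID works on both V1 and V2) exists only in the commit message, which is how the earlier "typo fix" 0e80707d94e4c8 regressed it in the first place. Suggest a comment above the FIELD_PREP: `/* INVALID, not UNBIND: UNBIND breaks offloading on NETSYS_V1 (MT7621/MT7622). */`. __mtk_foe_entry_clear() starts and ends outside the hunk.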
index 49d44fadaac926d88f4ffee2789f7cb54b62039d..820030ad493ed59d52f9511eb650120b8ef50192 100644 (file)
@@ -42,3 +42,7 @@ gpiolib-acpi-add-a-quirk-for-asus-um325uaz.patch
 mmc-core-replace-with-already-defined-values-for-readability.patch
 mmc-core-terminate-infinite-loop-in-sd-uhs-voltage-switch.patch
 rpmsg-qcom-glink-replace-strncpy-with-strscpy_pad.patch
+bpf-gate-dynptr-api-behind-cap_bpf.patch
+net-ethernet-mtk_eth_soc-fix-state-in-__mtk_foe_entry_clear.patch
+bpf-fix-resetting-logic-for-unreferenced-kptrs.patch
+bluetooth-use-hdev-workqueue-when-queuing-hdev-cmd-ncmd-_timer-works.patch