Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Sun, 8 Sep 2024 13:22:04 +0000 (09:22 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 8 Sep 2024 13:22:04 +0000 (09:22 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
53 files changed:
queue-5.4/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch [new file with mode: 0644]
queue-5.4/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch [new file with mode: 0644]
queue-5.4/asoc-topology-properly-initialize-soc_enum-values.patch [new file with mode: 0644]
queue-5.4/ata-pata_macio-use-warn-instead-of-bug.patch [new file with mode: 0644]
queue-5.4/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch [new file with mode: 0644]
queue-5.4/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch [new file with mode: 0644]
queue-5.4/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch [new file with mode: 0644]
queue-5.4/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch [new file with mode: 0644]
queue-5.4/cgroup-protect-css-cgroup-write-under-css_set_lock.patch [new file with mode: 0644]
queue-5.4/cx82310_eth-re-enable-ethernet-mode-after-router-reb.patch [new file with mode: 0644]
queue-5.4/devres-initialize-an-uninitialized-struct-member.patch [new file with mode: 0644]
queue-5.4/dm-init-handle-minors-larger-than-255.patch [new file with mode: 0644]
queue-5.4/drivers-net-usb-remove-all-strcpy-uses.patch [new file with mode: 0644]
queue-5.4/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch [new file with mode: 0644]
queue-5.4/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch [new file with mode: 0644]
queue-5.4/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch [new file with mode: 0644]
queue-5.4/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch [new file with mode: 0644]
queue-5.4/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch [new file with mode: 0644]
queue-5.4/igb-fix-not-clearing-timesync-interrupts-for-82580.patch [new file with mode: 0644]
queue-5.4/input-uinput-reject-requests-with-unreasonable-numbe.patch [new file with mode: 0644]
queue-5.4/iommu-vt-d-handle-volatile-descriptor-status-read.patch [new file with mode: 0644]
queue-5.4/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch [new file with mode: 0644]
queue-5.4/lib-generic-radix-tree.c-fix-rare-race-in-__genradix.patch [new file with mode: 0644]
queue-5.4/libbpf-add-null-checks-to-bpf_object__-prev_map-next.patch [new file with mode: 0644]
queue-5.4/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch [new file with mode: 0644]
queue-5.4/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch [new file with mode: 0644]
queue-5.4/net-bridge-fdb-convert-added_by_external_learn-to-us.patch [new file with mode: 0644]
queue-5.4/net-bridge-fdb-convert-added_by_user-to-bitops.patch [new file with mode: 0644]
queue-5.4/net-bridge-fdb-convert-is_local-to-bitops.patch [new file with mode: 0644]
queue-5.4/net-bridge-fdb-convert-is_static-to-bitops.patch [new file with mode: 0644]
queue-5.4/net-bridge-fdb-convert-is_sticky-to-bitops.patch [new file with mode: 0644]
queue-5.4/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch [new file with mode: 0644]
queue-5.4/net-usb-don-t-write-directly-to-netdev-dev_addr.patch [new file with mode: 0644]
queue-5.4/netfilter-nf_conncount-fix-wrong-variable-type.patch [new file with mode: 0644]
queue-5.4/nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch [new file with mode: 0644]
queue-5.4/of-irq-prevent-device-address-out-of-bounds-read-in-.patch [new file with mode: 0644]
queue-5.4/pci-add-missing-bridge-lock-to-pci_bus_lock.patch [new file with mode: 0644]
queue-5.4/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch [new file with mode: 0644]
queue-5.4/pci-keystone-add-workaround-for-errata-i2037-am65x-s.patch [new file with mode: 0644]
queue-5.4/pcmcia-use-resource_size-function-on-resource-object.patch [new file with mode: 0644]
queue-5.4/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/smack-unix-sockets-fix-accept-ed-socket-label.patch [new file with mode: 0644]
queue-5.4/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch [new file with mode: 0644]
queue-5.4/squashfs-sanity-check-symbolic-link-size.patch [new file with mode: 0644]
queue-5.4/tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch-3796 [new file with mode: 0644]
queue-5.4/udf-avoid-excessive-partition-lengths.patch [new file with mode: 0644]
queue-5.4/um-line-always-fill-error_out-in-setup_one_line.patch [new file with mode: 0644]
queue-5.4/usb-uas-set-host-status-byte-on-data-completion-erro.patch [new file with mode: 0644]
queue-5.4/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch [new file with mode: 0644]
queue-5.4/usbnet-modern-method-to-get-random-mac.patch [new file with mode: 0644]
queue-5.4/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch [new file with mode: 0644]
queue-5.4/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch [new file with mode: 0644]

diff --git a/queue-5.4/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch b/queue-5.4/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch
new file mode 100644 (file)
index 0000000..3a9e979
--- /dev/null
@@ -0,0 +1,58 @@
+From 0fc6fdfc3e01c8528ca63bd27ff72e33b100e08c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jun 2024 13:56:22 -0700
+Subject: af_unix: Remove put_pid()/put_cred() in copy_peercred().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit e4bd881d987121dbf1a288641491955a53d9f8f7 ]
+
+When (AF_UNIX, SOCK_STREAM) socket connect()s to a listening socket,
+the listener's sk_peer_pid/sk_peer_cred are copied to the client in
+copy_peercred().
+
+Then, the client's sk_peer_pid and sk_peer_cred are always NULL, so
+we need not call put_pid() and put_cred() there.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index ae6aae983b8c..c47a734e1f2d 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -605,9 +605,6 @@ static void init_peercred(struct sock *sk)
+ static void copy_peercred(struct sock *sk, struct sock *peersk)
+ {
+-      const struct cred *old_cred;
+-      struct pid *old_pid;
+-
+       if (sk < peersk) {
+               spin_lock(&sk->sk_peer_lock);
+               spin_lock_nested(&peersk->sk_peer_lock, SINGLE_DEPTH_NESTING);
+@@ -615,16 +612,12 @@ static void copy_peercred(struct sock *sk, struct sock *peersk)
+               spin_lock(&peersk->sk_peer_lock);
+               spin_lock_nested(&sk->sk_peer_lock, SINGLE_DEPTH_NESTING);
+       }
+-      old_pid = sk->sk_peer_pid;
+-      old_cred = sk->sk_peer_cred;
++
+       sk->sk_peer_pid  = get_pid(peersk->sk_peer_pid);
+       sk->sk_peer_cred = get_cred(peersk->sk_peer_cred);
+       spin_unlock(&sk->sk_peer_lock);
+       spin_unlock(&peersk->sk_peer_lock);
+-
+-      put_pid(old_pid);
+-      put_cred(old_cred);
+ }
+ static int unix_listen(struct socket *sock, int backlog)
+-- 
+2.43.0
+
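Review bot: In the embedded af_unix.c change, copy_peercred() now overwrites `sk->sk_peer_pid` and `sk->sk_peer_cred` without releasing any previous value, and nothing in the new code records or checks the assumption that both are NULL. If a caller ever reaches this with a populated client socket, the old pid and cred references leak silently, and these are the objects that back peer-credential reporting. A comment above the assignments such as `/* sk is a freshly connecting client: sk_peer_pid and sk_peer_cred are NULL, nothing to put */` would make the invariant visible, and `WARN_ON_ONCE(sk->sk_peer_pid || sk->sk_peer_cred);` under the lock would catch a violation. The callers are outside this hunk, so the invariant itself is taken from the commit message only.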
diff --git a/queue-5.4/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch b/queue-5.4/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch
new file mode 100644 (file)
index 0000000..43c9c8d
--- /dev/null
@@ -0,0 +1,61 @@
+From a4f54e602087aae6903d899559d578ba6554a61f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Jun 2024 09:34:47 +0200
+Subject: ALSA: hda: Add input value sanity checks to HDMI channel map controls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 6278056e42d953e207e2afd416be39d09ed2d496 ]
+
+Add a simple sanity check to HD-audio HDMI Channel Map controls.
+Although the value might not be accepted for the actual connection, we
+can filter out some bogus values beforehand, and that should be enough
+for making kselftest happier.
+
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/20240616073454.16512-7-tiwai@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/hdmi_chmap.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/sound/hda/hdmi_chmap.c b/sound/hda/hdmi_chmap.c
+index 2efee794cac6..79ccec2da387 100644
+--- a/sound/hda/hdmi_chmap.c
++++ b/sound/hda/hdmi_chmap.c
+@@ -753,6 +753,20 @@ static int hdmi_chmap_ctl_get(struct snd_kcontrol *kcontrol,
+       return 0;
+ }
++/* a simple sanity check for input values to chmap kcontrol */
++static int chmap_value_check(struct hdac_chmap *hchmap,
++                           const struct snd_ctl_elem_value *ucontrol)
++{
++      int i;
++
++      for (i = 0; i < hchmap->channels_max; i++) {
++              if (ucontrol->value.integer.value[i] < 0 ||
++                  ucontrol->value.integer.value[i] > SNDRV_CHMAP_LAST)
++                      return -EINVAL;
++      }
++      return 0;
++}
++
+ static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol,
+                             struct snd_ctl_elem_value *ucontrol)
+ {
+@@ -764,6 +778,10 @@ static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol,
+       unsigned char chmap[8], per_pin_chmap[8];
+       int i, err, ca, prepared = 0;
++      err = chmap_value_check(hchmap, ucontrol);
++      if (err < 0)
++              return err;
++
+       /* No monitor is connected in dyn_pcm_assign.
+        * It's invalid to setup the chmap
+        */
+-- 
+2.43.0
+
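Review bot: chmap_value_check() validates only the first `hchmap->channels_max` entries, while hdmi_chmap_ctl_put() declares fixed `unsigned char chmap[8], per_pin_chmap[8]` buffers, and the new code does not tie the two lengths together. If the copy into those buffers (outside this hunk) walks all eight slots, any slot at or beyond channels_max reaches it unchecked and is narrowed to a byte. If channels_max can exceed 8, the check and the buffers disagree in the other direction. Consider validating the same index range the copy loop uses, or extending the helper's comment to say which range is covered and why, e.g. `/* checks value[0..channels_max-1]; the remaining slots are ignored by the caller */` if that is what the caller does. The rest of hdmi_chmap_ctl_put() is not visible here, so the copy-loop bound needs confirming.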
diff --git a/queue-5.4/asoc-topology-properly-initialize-soc_enum-values.patch b/queue-5.4/asoc-topology-properly-initialize-soc_enum-values.patch
new file mode 100644 (file)
index 0000000..7987c33
--- /dev/null
@@ -0,0 +1,38 @@
+From d584e272a2f9cf9a63e7a6483c70d70392546fbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 12:18:40 +0200
+Subject: ASoC: topology: Properly initialize soc_enum values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+
+[ Upstream commit 8ec2a2643544ce352f012ad3d248163199d05dfc ]
+
+soc_tplg_denum_create_values() should properly set its values field.
+
+Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Link: https://patch.msgid.link/20240627101850.2191513-4-amadeuszx.slawinski@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-topology.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
+index 870b00229353..df8a1cd09193 100644
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -993,6 +993,8 @@ static int soc_tplg_denum_create_values(struct soc_enum *se,
+               se->dobj.control.dvalues[i] = le32_to_cpu(ec->values[i]);
+       }
++      se->items = le32_to_cpu(ec->items);
++      se->values = (const unsigned int *)se->dobj.control.dvalues;
+       return 0;
+ }
+-- 
+2.43.0
+
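Review bot: `se->items` is assigned from `ec->items` only after the loop that fills `dvalues`, and the hunk shows nothing that ties this count to the number of entries actually written. Because `ec` is parsed from a topology file, any consumer that indexes `se->values` up to `se->items` depends on the two agreeing. The loop bound and any range check sit above the hunk in soc_tplg_denum_create_values(), so this should be confirmed there. The cast `(const unsigned int *)se->dobj.control.dvalues` also hides the element type of dvalues. A one-line comment such as `/* values aliases dvalues: items entries, already converted with le32_to_cpu() */` would document what the pointer is expected to reference.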
diff --git a/queue-5.4/ata-pata_macio-use-warn-instead-of-bug.patch b/queue-5.4/ata-pata_macio-use-warn-instead-of-bug.patch
new file mode 100644 (file)
index 0000000..d70c11d
--- /dev/null
@@ -0,0 +1,53 @@
+From 3de750947e0fc912660bda04b5db6bdab3c6a355 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 13:04:07 +1000
+Subject: ata: pata_macio: Use WARN instead of BUG
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit d4bc0a264fb482b019c84fbc7202dd3cab059087 ]
+
+The overflow/underflow conditions in pata_macio_qc_prep() should never
+happen. But if they do there's no need to kill the system entirely, a
+WARN and failing the IO request should be sufficient and might allow the
+system to keep running.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_macio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/pata_macio.c b/drivers/ata/pata_macio.c
+index 1bfd0154dad5..a601768956e8 100644
+--- a/drivers/ata/pata_macio.c
++++ b/drivers/ata/pata_macio.c
+@@ -540,7 +540,8 @@ static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc)
+               while (sg_len) {
+                       /* table overflow should never happen */
+-                      BUG_ON (pi++ >= MAX_DCMDS);
++                      if (WARN_ON_ONCE(pi >= MAX_DCMDS))
++                              return AC_ERR_SYSTEM;
+                       len = (sg_len < MAX_DBDMA_SEG) ? sg_len : MAX_DBDMA_SEG;
+                       table->command = cpu_to_le16(write ? OUTPUT_MORE: INPUT_MORE);
+@@ -552,11 +553,13 @@ static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc)
+                       addr += len;
+                       sg_len -= len;
+                       ++table;
++                      ++pi;
+               }
+       }
+       /* Should never happen according to Tejun */
+-      BUG_ON(!pi);
++      if (WARN_ON_ONCE(!pi))
++              return AC_ERR_SYSTEM;
+       /* Convert the last command to an input/output */
+       table--;
+-- 
+2.43.0
+
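Review bot: WARN_ON_ONCE() in pata_macio_qc_prep() reports only the first occurrence, so every later table overflow or empty-table case fails the request with AC_ERR_SYSTEM and leaves no trace in the log. If the condition turns out to be reachable repeatedly, operators see I/O errors with no matching diagnostic, so a rate-limited error message next to each `return AC_ERR_SYSTEM;` would keep it traceable. The early return inside `while (sg_len)` also leaves the DBDMA table partly written. If that is harmless, a comment like `/* table is left partially filled; the request is failed and not issued */` would say so. Where panic_on_warn is set, the WARN still stops the machine, so the stated goal of keeping the system running holds only where that setting is off.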
diff --git a/queue-5.4/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch b/queue-5.4/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch
new file mode 100644 (file)
index 0000000..6cfa2cf
--- /dev/null
@@ -0,0 +1,90 @@
+From 736eb98fcb3dcb81d4d8962f556c6ebddbe6394a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 14:12:13 -0400
+Subject: btrfs: clean up our handling of refs == 0 in snapshot delete
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit b8ccef048354074a548f108e51d0557d6adfd3a3 ]
+
+In reada we BUG_ON(refs == 0), which could be unkind since we aren't
+holding a lock on the extent leaf and thus could get a transient
+incorrect answer.  In walk_down_proc we also BUG_ON(refs == 0), which
+could happen if we have extent tree corruption.  Change that to return
+-EUCLEAN.  In do_walk_down() we catch this case and handle it correctly,
+however we return -EIO, which -EUCLEAN is a more appropriate error code.
+Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert
+that to proper error handling.  Also adjust the error message so we can
+actually do something with the information.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 202e6b6e2add..7e5ac187463e 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -4684,7 +4684,15 @@ static noinline void reada_walk_down(struct btrfs_trans_handle *trans,
+               /* We don't care about errors in readahead. */
+               if (ret < 0)
+                       continue;
+-              BUG_ON(refs == 0);
++
++              /*
++               * This could be racey, it's conceivable that we raced and end
++               * up with a bogus refs count, if that's the case just skip, if
++               * we are actually corrupt we will notice when we look up
++               * everything again with our locks.
++               */
++              if (refs == 0)
++                      continue;
+               if (wc->stage == DROP_REFERENCE) {
+                       if (refs == 1)
+@@ -4751,7 +4759,11 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans,
+               BUG_ON(ret == -ENOMEM);
+               if (ret)
+                       return ret;
+-              BUG_ON(wc->refs[level] == 0);
++              if (unlikely(wc->refs[level] == 0)) {
++                      btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0",
++                                eb->start);
++                      return -EUCLEAN;
++              }
+       }
+       if (wc->stage == DROP_REFERENCE) {
+@@ -4885,8 +4897,9 @@ static noinline int do_walk_down(struct btrfs_trans_handle *trans,
+               goto out_unlock;
+       if (unlikely(wc->refs[level - 1] == 0)) {
+-              btrfs_err(fs_info, "Missing references.");
+-              ret = -EIO;
++              btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0",
++                        bytenr);
++              ret = -EUCLEAN;
+               goto out_unlock;
+       }
+       *lookup_info = 0;
+@@ -5088,7 +5101,12 @@ static noinline int walk_up_proc(struct btrfs_trans_handle *trans,
+                               path->locks[level] = 0;
+                               return ret;
+                       }
+-                      BUG_ON(wc->refs[level] == 0);
++                      if (unlikely(wc->refs[level] == 0)) {
++                              btrfs_tree_unlock_rw(eb, path->locks[level]);
++                              btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0",
++                                        eb->start);
++                              return -EUCLEAN;
++                      }
+                       if (wc->refs[level] == 1) {
+                               btrfs_tree_unlock_rw(eb, path->locks[level]);
+                               path->locks[level] = 0;
+-- 
+2.43.0
+
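Review bot: In the walk_up_proc() hunk the new `refs[level] == 0` branch calls `btrfs_tree_unlock_rw(eb, path->locks[level])` and returns -EUCLEAN without clearing `path->locks[level]`. The error branch just above it and the `refs[level] == 1` branch just below it both set `path->locks[level] = 0;` after unlocking. If the caller later releases the path while it still records a held lock, the same extent buffer could be unlocked a second time, on a path reached only when the filesystem is already corrupted. Adding `path->locks[level] = 0;` right after the unlock would match the neighbouring branches. walk_up_proc() starts and ends outside the hunk, so how the caller treats the path on error is not visible here.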
diff --git a/queue-5.4/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch b/queue-5.4/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch
new file mode 100644 (file)
index 0000000..8dc16ca
--- /dev/null
@@ -0,0 +1,56 @@
+From 0bf399dec5a3469d7d7b20c1ff99ac7371b70b56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 21:59:24 +0200
+Subject: btrfs: initialize location to fix -Wmaybe-uninitialized in
+ btrfs_lookup_dentry()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit b8e947e9f64cac9df85a07672b658df5b2bcff07 ]
+
+Some arch + compiler combinations report a potentially unused variable
+location in btrfs_lookup_dentry(). This is a false alert as the variable
+is passed by value and always valid or there's an error. The compilers
+cannot probably reason about that although btrfs_inode_by_name() is in
+the same file.
+
+   >  + /kisskb/src/fs/btrfs/inode.c: error: 'location.objectid' may be used
+   +uninitialized in this function [-Werror=maybe-uninitialized]:  => 5603:9
+   >  + /kisskb/src/fs/btrfs/inode.c: error: 'location.type' may be used
+   +uninitialized in this function [-Werror=maybe-uninitialized]:  => 5674:5
+
+   m68k-gcc8/m68k-allmodconfig
+   mips-gcc8/mips-allmodconfig
+   powerpc-gcc5/powerpc-all{mod,yes}config
+   powerpc-gcc5/ppc64_defconfig
+
+Initialize it to zero, this should fix the warnings and won't change the
+behaviour as btrfs_inode_by_name() accepts only a root or inode item
+types, otherwise returns an error.
+
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/linux-btrfs/bd4e9928-17b3-9257-8ba7-6b7f9bbb639a@linux-m68k.org/
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index d2a988bf9c89..cd72409ccc94 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -6087,7 +6087,7 @@ struct inode *btrfs_lookup_dentry(struct inode *dir, struct dentry *dentry)
+       struct inode *inode;
+       struct btrfs_root *root = BTRFS_I(dir)->root;
+       struct btrfs_root *sub_root = root;
+-      struct btrfs_key location;
++      struct btrfs_key location = { 0 };
+       u8 di_type = 0;
+       int index;
+       int ret = 0;
+-- 
+2.43.0
+
diff --git a/queue-5.4/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch b/queue-5.4/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch
new file mode 100644 (file)
index 0000000..defd92a
--- /dev/null
@@ -0,0 +1,46 @@
+From 0bc0d70e96db47bb8844d171d9e5891c94fdfaa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 14:12:12 -0400
+Subject: btrfs: replace BUG_ON with ASSERT in walk_down_proc()
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 1f9d44c0a12730a24f8bb75c5e1102207413cc9b ]
+
+We have a couple of areas where we check to make sure the tree block is
+locked before looking up or messing with references.  This is old code
+so it has this as BUG_ON().  Convert this to ASSERT() for developers.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index a28b0eafb65a..202e6b6e2add 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -4743,7 +4743,7 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans,
+       if (lookup_info &&
+           ((wc->stage == DROP_REFERENCE && wc->refs[level] != 1) ||
+            (wc->stage == UPDATE_BACKREF && !(wc->flags[level] & flag)))) {
+-              BUG_ON(!path->locks[level]);
++              ASSERT(path->locks[level]);
+               ret = btrfs_lookup_extent_info(trans, fs_info,
+                                              eb->start, level, 1,
+                                              &wc->refs[level],
+@@ -4767,7 +4767,7 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans,
+       /* wc->stage == UPDATE_BACKREF */
+       if (!(wc->flags[level] & flag)) {
+-              BUG_ON(!path->locks[level]);
++              ASSERT(path->locks[level]);
+               ret = btrfs_inc_ref(trans, root, eb, 1);
+               BUG_ON(ret); /* -ENOMEM */
+               ret = btrfs_dec_ref(trans, root, eb, 0);
+-- 
+2.43.0
+
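Review bot: ASSERT() in btrfs is only active when CONFIG_BTRFS_ASSERT is set, so on production builds walk_down_proc() now reaches btrfs_lookup_extent_info() and btrfs_inc_ref() with no runtime check that `path->locks[level]` is held. That is the intent stated in the commit message, but the code no longer says so. A comment at both sites such as `/* the tree block must be locked here; verified only with CONFIG_BTRFS_ASSERT */` would keep the requirement visible to readers of a non-debug build. The second hunk still carries `BUG_ON(ret); /* -ENOMEM */` directly after btrfs_inc_ref(), so an allocation failure there still takes the system down. Returning `ret` instead would be in line with what this series is doing elsewhere, though the callers' error handling is outside the hunk.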
diff --git a/queue-5.4/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch b/queue-5.4/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch
new file mode 100644 (file)
index 0000000..fd4c496
--- /dev/null
@@ -0,0 +1,99 @@
+From 9e435e3be88bc75a9f44dee02a7fcba9ab937ed5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 12:28:42 -0700
+Subject: can: bcm: Remove proc entry when dev is unregistered.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 76fe372ccb81b0c89b6cd2fec26e2f38c958be85 ]
+
+syzkaller reported a warning in bcm_connect() below. [0]
+
+The repro calls connect() to vxcan1, removes vxcan1, and calls
+connect() with ifindex == 0.
+
+Calling connect() for a BCM socket allocates a proc entry.
+Then, bcm_sk(sk)->bound is set to 1 to prevent further connect().
+
+However, removing the bound device resets bcm_sk(sk)->bound to 0
+in bcm_notify().
+
+The 2nd connect() tries to allocate a proc entry with the same
+name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the
+original proc entry.
+
+Since the proc entry is available only for connect()ed sockets,
+let's clean up the entry when the bound netdev is unregistered.
+
+[0]:
+proc_dir_entry 'can-bcm/2456' already registered
+WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375
+Modules linked in:
+CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375
+Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48
+RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246
+RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
+RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0
+R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec
+FS:  00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220
+ bcm_connect+0x472/0x840 net/can/bcm.c:1673
+ __sys_connect_file net/socket.c:2049 [inline]
+ __sys_connect+0x5d2/0x690 net/socket.c:2066
+ __do_sys_connect net/socket.c:2076 [inline]
+ __se_sys_connect net/socket.c:2073 [inline]
+ __x64_sys_connect+0x8f/0x100 net/socket.c:2073
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+RIP: 0033:0x7fbd708b0e5d
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
+RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d
+RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040
+R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098
+R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000
+ </TASK>
+remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'
+
+Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/all/20240722192842.37421-1-kuniyu@amazon.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/bcm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 5cb4b6129263..cc7fb30eafc0 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1425,6 +1425,10 @@ static void bcm_notify(struct bcm_sock *bo, unsigned long msg,
+               /* remove device reference, if this is our bound device */
+               if (bo->bound && bo->ifindex == dev->ifindex) {
++#if IS_ENABLED(CONFIG_PROC_FS)
++                      if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read)
++                              remove_proc_entry(bo->procname, sock_net(sk)->can.bcmproc_dir);
++#endif
+                       bo->bound   = 0;
+                       bo->ifindex = 0;
+                       notify_enodev = 1;
+-- 
+2.43.0
+
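Review bot: After the added `remove_proc_entry()` call in bcm_notify(), `bo->bcm_proc_read` still points at the entry that was just removed, so any later path that tests the same `bcmproc_dir && bo->bcm_proc_read` condition will try to remove it a second time. The socket release path is outside this hunk but presumably performs that check, which would produce a fresh proc warning for an entry that no longer exists. Clearing the pointer right after the removal, `bo->bcm_proc_read = NULL;`, inside the `#if IS_ENABLED(CONFIG_PROC_FS)` block keeps the pointer and the proc entry in step. bcm_notify() begins and ends outside the hunk.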
diff --git a/queue-5.4/cgroup-protect-css-cgroup-write-under-css_set_lock.patch b/queue-5.4/cgroup-protect-css-cgroup-write-under-css_set_lock.patch
new file mode 100644 (file)
index 0000000..8b22b99
--- /dev/null
@@ -0,0 +1,45 @@
+From c38d6da7e4bc2f7a244a07514d9d3645b954a35b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 14:52:29 -0400
+Subject: cgroup: Protect css->cgroup write under css_set_lock
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 57b56d16800e8961278ecff0dc755d46c4575092 ]
+
+The writing of css->cgroup associated with the cgroup root in
+rebind_subsystems() is currently protected only by cgroup_mutex.
+However, the reading of css->cgroup in both proc_cpuset_show() and
+proc_cgroup_show() is protected just by css_set_lock. That makes the
+readers susceptible to racing problems like data tearing or caching.
+It is also a problem that can be reported by KCSAN.
+
+This can be fixed by using READ_ONCE() and WRITE_ONCE() to access
+css->cgroup. Alternatively, the writing of css->cgroup can be moved
+under css_set_lock as well which is done by this patch.
+
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cgroup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 62a7a5075014..16ae86894121 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -1783,9 +1783,9 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+               RCU_INIT_POINTER(scgrp->subsys[ssid], NULL);
+               rcu_assign_pointer(dcgrp->subsys[ssid], css);
+               ss->root = dst_root;
+-              css->cgroup = dcgrp;
+               spin_lock_irq(&css_set_lock);
++              css->cgroup = dcgrp;
+               WARN_ON(!list_empty(&dcgrp->e_csets[ss->id]));
+               list_for_each_entry_safe(cset, cset_pos, &scgrp->e_csets[ss->id],
+                                        e_cset_node[ss->id]) {
+-- 
+2.43.0
+
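Review bot: The reason `css->cgroup = dcgrp;` now sits after `spin_lock_irq(&css_set_lock)` is recorded only in the commit message, so a later cleanup could move the store back out of the critical section without noticing the race it reopens. A comment on the line, e.g. `/* readers access css->cgroup under css_set_lock, so update it under the lock */`, would keep the locking rule with the code. The neighbouring `ss->root = dst_root;` store stays outside the lock. If it is also read under css_set_lock it would deserve the same treatment, but its readers are not visible in this hunk.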
diff --git a/queue-5.4/cx82310_eth-re-enable-ethernet-mode-after-router-reb.patch b/queue-5.4/cx82310_eth-re-enable-ethernet-mode-after-router-reb.patch
new file mode 100644 (file)
index 0000000..e6baee3
--- /dev/null
@@ -0,0 +1,146 @@
+From 21e2de211e78226703a19f0ad07ecd3686cd2731 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Oct 2020 16:00:46 +0200
+Subject: cx82310_eth: re-enable ethernet mode after router reboot
+
+From: Ondrej Zary <linux@zary.sk>
+
+[ Upstream commit ca139d76b0d9e59d18f2d2ec8f0d81b82acd6808 ]
+
+When the router is rebooted without a power cycle, the USB device
+remains connected but its configuration is reset. This results in
+a non-working ethernet connection with messages like this in syslog:
+       usb 2-2: RX packet too long: 65535 B
+
+Re-enable ethernet mode when receiving a packet with invalid size of
+0xffff.
+
+Signed-off-by: Ondrej Zary <linux@zary.sk>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: bab8eb0dd4cb ("usbnet: modern method to get random MAC")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cx82310_eth.c | 50 ++++++++++++++++++++++++++++++-----
+ 1 file changed, 44 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c
+index 32b08b18e120..043679311399 100644
+--- a/drivers/net/usb/cx82310_eth.c
++++ b/drivers/net/usb/cx82310_eth.c
+@@ -40,6 +40,11 @@ enum cx82310_status {
+ #define CX82310_MTU   1514
+ #define CMD_EP                0x01
++struct cx82310_priv {
++      struct work_struct reenable_work;
++      struct usbnet *dev;
++};
++
+ /*
+  * execute control command
+  *  - optionally send some data (command parameters)
+@@ -115,6 +120,23 @@ static int cx82310_cmd(struct usbnet *dev, enum cx82310_cmd cmd, bool reply,
+       return ret;
+ }
++static int cx82310_enable_ethernet(struct usbnet *dev)
++{
++      int ret = cx82310_cmd(dev, CMD_ETHERNET_MODE, true, "\x01", 1, NULL, 0);
++
++      if (ret)
++              netdev_err(dev->net, "unable to enable ethernet mode: %d\n",
++                         ret);
++      return ret;
++}
++
++static void cx82310_reenable_work(struct work_struct *work)
++{
++      struct cx82310_priv *priv = container_of(work, struct cx82310_priv,
++                                               reenable_work);
++      cx82310_enable_ethernet(priv->dev);
++}
++
+ #define partial_len   data[0]         /* length of partial packet data */
+ #define partial_rem   data[1]         /* remaining (missing) data length */
+ #define partial_data  data[2]         /* partial packet data */
+@@ -126,6 +148,7 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+       struct usb_device *udev = dev->udev;
+       u8 link[3];
+       int timeout = 50;
++      struct cx82310_priv *priv;
+       /* avoid ADSL modems - continue only if iProduct is "USB NET CARD" */
+       if (usb_string(udev, udev->descriptor.iProduct, buf, sizeof(buf)) > 0
+@@ -152,6 +175,15 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+       if (!dev->partial_data)
+               return -ENOMEM;
++      priv = kzalloc(sizeof(*priv), GFP_KERNEL);
++      if (!priv) {
++              ret = -ENOMEM;
++              goto err_partial;
++      }
++      dev->driver_priv = priv;
++      INIT_WORK(&priv->reenable_work, cx82310_reenable_work);
++      priv->dev = dev;
++
+       /* wait for firmware to become ready (indicated by the link being up) */
+       while (--timeout) {
+               ret = cx82310_cmd(dev, CMD_GET_LINK_STATUS, true, NULL, 0,
+@@ -168,12 +200,8 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+       }
+       /* enable ethernet mode (?) */
+-      ret = cx82310_cmd(dev, CMD_ETHERNET_MODE, true, "\x01", 1, NULL, 0);
+-      if (ret) {
+-              dev_err(&udev->dev, "unable to enable ethernet mode: %d\n",
+-                      ret);
++      if (cx82310_enable_ethernet(dev))
+               goto err;
+-      }
+       /* get the MAC address */
+       ret = cx82310_cmd(dev, CMD_GET_MAC_ADDR, true, NULL, 0,
+@@ -190,13 +218,19 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+       return 0;
+ err:
++      kfree(dev->driver_priv);
++err_partial:
+       kfree((void *)dev->partial_data);
+       return ret;
+ }
+ static void cx82310_unbind(struct usbnet *dev, struct usb_interface *intf)
+ {
++      struct cx82310_priv *priv = dev->driver_priv;
++
+       kfree((void *)dev->partial_data);
++      cancel_work_sync(&priv->reenable_work);
++      kfree(dev->driver_priv);
+ }
+ /*
+@@ -211,6 +245,7 @@ static int cx82310_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ {
+       int len;
+       struct sk_buff *skb2;
++      struct cx82310_priv *priv = dev->driver_priv;
+       /*
+        * If the last skb ended with an incomplete packet, this skb contains
+@@ -245,7 +280,10 @@ static int cx82310_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+                       break;
+               }
+-              if (len > CX82310_MTU) {
++              if (len == 0xffff) {
++                      netdev_info(dev->net, "router was rebooted, re-enabling ethernet mode");
++                      schedule_work(&priv->reenable_work);
++              } else if (len > CX82310_MTU) {
+                       dev_err(&dev->udev->dev, "RX packet too long: %d B\n",
+                               len);
+                       return 0;
+-- 
+2.43.0
+
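Review bot: In cx82310_bind() the new `if (cx82310_enable_ethernet(dev)) goto err;` discards the helper's return value, so the `err:` path returns whatever `ret` held after the CMD_GET_LINK_STATUS loop, which may well be 0. bind would then report success after `kfree(dev->driver_priv)` and `kfree((void *)dev->partial_data)`, leaving both pointers dangling for cx82310_rx_fixup() and for cx82310_unbind(), which frees them a second time. Keep the error code with `ret = cx82310_enable_ethernet(dev);` followed by `if (ret) goto err;`. Separately, the `len == 0xffff` branch in cx82310_rx_fixup() does not return, so that length no longer hits the `len > CX82310_MTU` rejection. The code after that check, like the end of the link-status loop, is outside the hunks, so both points should be confirmed against the full functions.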
diff --git a/queue-5.4/devres-initialize-an-uninitialized-struct-member.patch b/queue-5.4/devres-initialize-an-uninitialized-struct-member.patch
new file mode 100644 (file)
index 0000000..c9acd43
--- /dev/null
@@ -0,0 +1,35 @@
+From b6dc5b054e8babeddc43867db240d5bdc36b5cfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 22:51:52 +0800
+Subject: devres: Initialize an uninitialized struct member
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit 56a20ad349b5c51909cf8810f7c79b288864ad33 ]
+
+Initialize an uninitialized struct member for driver API
+devres_open_group().
+
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/1719931914-19035-4-git-send-email-quic_zijuhu@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/devres.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/devres.c b/drivers/base/devres.c
+index 5a84bafae328..be87133d2cf1 100644
+--- a/drivers/base/devres.c
++++ b/drivers/base/devres.c
+@@ -561,6 +561,7 @@ void * devres_open_group(struct device *dev, void *id, gfp_t gfp)
+       grp->id = grp;
+       if (id)
+               grp->id = id;
++      grp->color = 0;
+       spin_lock_irqsave(&dev->devres_lock, flags);
+       add_dr(dev, &grp->node[0]);
+-- 
+2.43.0
+
diff --git a/queue-5.4/dm-init-handle-minors-larger-than-255.patch b/queue-5.4/dm-init-handle-minors-larger-than-255.patch
new file mode 100644 (file)
index 0000000..a294816
--- /dev/null
@@ -0,0 +1,43 @@
+From acd7f7623d8832a1b7eb5bf370311bd87ce7e80e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 12:13:24 +0200
+Subject: dm init: Handle minors larger than 255
+
+From: Benjamin Marzinski <bmarzins@redhat.com>
+
+[ Upstream commit 140ce37fd78a629105377e17842465258a5459ef ]
+
+dm_parse_device_entry() simply copies the minor number into dmi.dev, but
+the dev_t format splits the minor number between the lowest 8 bytes and
+highest 12 bytes. If the minor number is larger than 255, part of it
+will end up getting treated as the major number
+
+Fix this by checking that the minor number is valid and then encoding it
+as a dev_t.
+
+Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-init.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/dm-init.c b/drivers/md/dm-init.c
+index b869316d3722..4a8bbe0391a2 100644
+--- a/drivers/md/dm-init.c
++++ b/drivers/md/dm-init.c
+@@ -207,8 +207,10 @@ static char __init *dm_parse_device_entry(struct dm_device *dev, char *str)
+       strscpy(dev->dmi.uuid, field[1], sizeof(dev->dmi.uuid));
+       /* minor */
+       if (strlen(field[2])) {
+-              if (kstrtoull(field[2], 0, &dev->dmi.dev))
++              if (kstrtoull(field[2], 0, &dev->dmi.dev) ||
++                  dev->dmi.dev >= (1 << MINORBITS))
+                       return ERR_PTR(-EINVAL);
++              dev->dmi.dev = huge_encode_dev((dev_t)dev->dmi.dev);
+               dev->dmi.flags |= DM_PERSISTENT_DEV_FLAG;
+       }
+       /* flags */
+-- 
+2.43.0
+
diff --git a/queue-5.4/drivers-net-usb-remove-all-strcpy-uses.patch b/queue-5.4/drivers-net-usb-remove-all-strcpy-uses.patch
new file mode 100644 (file)
index 0000000..4ad915d
--- /dev/null
@@ -0,0 +1,68 @@
+From e1179dc57505fab627795a72fa2b1f062cbfa154 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Aug 2021 19:12:26 +0200
+Subject: drivers/net/usb: Remove all strcpy() uses
+
+From: Len Baker <len.baker@gmx.com>
+
+[ Upstream commit 493c3ca6bd754d8587604496eb814f72e933075d ]
+
+strcpy() performs no bounds checking on the destination buffer. This
+could result in linear overflows beyond the end of the buffer, leading
+to all kinds of misbehaviors. The safe replacement is strscpy().
+
+Signed-off-by: Len Baker <len.baker@gmx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bab8eb0dd4cb ("usbnet: modern method to get random MAC")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ipheth.c | 2 +-
+ drivers/net/usb/usbnet.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 73ad78f47763..9887eb282beb 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -443,7 +443,7 @@ static int ipheth_probe(struct usb_interface *intf,
+       netdev->netdev_ops = &ipheth_netdev_ops;
+       netdev->watchdog_timeo = IPHETH_TX_TIMEOUT;
+-      strcpy(netdev->name, "eth%d");
++      strscpy(netdev->name, "eth%d", sizeof(netdev->name));
+       dev = netdev_priv(netdev);
+       dev->udev = udev;
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index bc37e268a15e..bf018f7ca445 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1711,7 +1711,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+       dev->interrupt_count = 0;
+       dev->net = net;
+-      strcpy (net->name, "usb%d");
++      strscpy(net->name, "usb%d", sizeof(net->name));
+       memcpy (net->dev_addr, node_id, sizeof node_id);
+       /* rx and tx sides can use different message sizes;
+@@ -1738,13 +1738,13 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+               if ((dev->driver_info->flags & FLAG_ETHER) != 0 &&
+                   ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 ||
+                    (net->dev_addr [0] & 0x02) == 0))
+-                      strcpy (net->name, "eth%d");
++                      strscpy(net->name, "eth%d", sizeof(net->name));
+               /* WLAN devices should always be named "wlan%d" */
+               if ((dev->driver_info->flags & FLAG_WLAN) != 0)
+-                      strcpy(net->name, "wlan%d");
++                      strscpy(net->name, "wlan%d", sizeof(net->name));
+               /* WWAN devices should always be named "wwan%d" */
+               if ((dev->driver_info->flags & FLAG_WWAN) != 0)
+-                      strcpy(net->name, "wwan%d");
++                      strscpy(net->name, "wwan%d", sizeof(net->name));
+               /* devices that cannot do ARP */
+               if ((dev->driver_info->flags & FLAG_NOARP) != 0)
+-- 
+2.43.0
+
diff --git a/queue-5.4/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch b/queue-5.4/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch
new file mode 100644 (file)
index 0000000..be86ca9
--- /dev/null
@@ -0,0 +1,38 @@
+From 075b9c2c65eb188b0e448893f651b97ce2db5f6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 19:42:43 -0400
+Subject: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
+
+From: Camila Alvarez <cam.alvarez.i@gmail.com>
+
+[ Upstream commit a6e9c391d45b5865b61e569146304cff72821a5d ]
+
+report_fixup for the Cougar 500k Gaming Keyboard was not verifying
+that the report descriptor size was correct before accessing it
+
+Reported-by: syzbot+24c0361074799d02c452@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452
+Signed-off-by: Camila Alvarez <cam.alvarez.i@gmail.com>
+Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-cougar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-cougar.c b/drivers/hid/hid-cougar.c
+index 4ff3bc1d25e2..5294299afb26 100644
+--- a/drivers/hid/hid-cougar.c
++++ b/drivers/hid/hid-cougar.c
+@@ -106,7 +106,7 @@ static void cougar_fix_g6_mapping(void)
+ static __u8 *cougar_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                                unsigned int *rsize)
+ {
+-      if (rdesc[2] == 0x09 && rdesc[3] == 0x02 &&
++      if (*rsize >= 117 && rdesc[2] == 0x09 && rdesc[3] == 0x02 &&
+           (rdesc[115] | rdesc[116] << 8) >= HID_MAX_USAGES) {
+               hid_info(hdev,
+                       "usage count exceeds max: fixing up report descriptor\n");
+-- 
+2.43.0
+
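Review bot: The new `*rsize >= 117` guard in cougar_report_fixup() is a bare number whose only justification is the highest index read on the following line, `rdesc[116]`, so a later edit to either line can silently reopen the out-of-bounds read. A comment above the condition such as `/* rdesc[116] is read below, so the descriptor must hold at least 117 bytes */` would keep the two tied together. The function body continues past the end of the hunk, so any further rdesc accesses there are not covered by this note.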
diff --git a/queue-5.4/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch b/queue-5.4/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch
new file mode 100644 (file)
index 0000000..a3046b1
--- /dev/null
@@ -0,0 +1,44 @@
+From 59345411fa17f8a110ba1f84f8784eb09750d35d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 23:43:04 -0700
+Subject: hwmon: (adc128d818) Fix underflows seen when writing limit attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 8cad724c8537fe3e0da8004646abc00290adae40 ]
+
+DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
+negative number such as -9223372036854775808 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/adc128d818.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/adc128d818.c b/drivers/hwmon/adc128d818.c
+index f9edec195c35..08d8bd72ec0e 100644
+--- a/drivers/hwmon/adc128d818.c
++++ b/drivers/hwmon/adc128d818.c
+@@ -176,7 +176,7 @@ static ssize_t adc128_in_store(struct device *dev,
+       mutex_lock(&data->update_lock);
+       /* 10 mV LSB on limit registers */
+-      regval = clamp_val(DIV_ROUND_CLOSEST(val, 10), 0, 255);
++      regval = DIV_ROUND_CLOSEST(clamp_val(val, 0, 2550), 10);
+       data->in[index][nr] = regval << 4;
+       reg = index == 1 ? ADC128_REG_IN_MIN(nr) : ADC128_REG_IN_MAX(nr);
+       i2c_smbus_write_byte_data(data->client, reg, regval);
+@@ -214,7 +214,7 @@ static ssize_t adc128_temp_store(struct device *dev,
+               return err;
+       mutex_lock(&data->update_lock);
+-      regval = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127);
++      regval = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000);
+       data->temp[index] = regval << 1;
+       i2c_smbus_write_byte_data(data->client,
+                                 index == 1 ? ADC128_REG_TEMP_MAX
+-- 
+2.43.0
+
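Review bot: Both store paths touched here, adc128_in_store() and adc128_temp_store(), update the cached value (`data->in[index][nr]`, `data->temp[index]`) and then call `i2c_smbus_write_byte_data()` without looking at its result. If the bus write fails, the cached limit and the chip's limit register disagree and, as far as the hunks show, the writer is not told. Capturing the result, for example `err = i2c_smbus_write_byte_data(data->client, reg, regval);`, and returning a negative value after the mutex is released would surface the failure. The unlock and return statements are outside both hunks, so the exact placement needs checking against the full functions.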
diff --git a/queue-5.4/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch b/queue-5.4/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch
new file mode 100644 (file)
index 0000000..22dd3da
--- /dev/null
@@ -0,0 +1,63 @@
+From 6b23c7a6b8d7d6ccf5fc40aa6e93f7a47184d552 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 23:48:42 -0700
+Subject: hwmon: (lm95234) Fix underflows seen when writing limit attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit af64e3e1537896337405f880c1e9ac1f8c0c6198 ]
+
+DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
+negative number such as -9223372036854775808 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/lm95234.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hwmon/lm95234.c b/drivers/hwmon/lm95234.c
+index 8a2a2a490496..c49aaf0d710f 100644
+--- a/drivers/hwmon/lm95234.c
++++ b/drivers/hwmon/lm95234.c
+@@ -301,7 +301,8 @@ static ssize_t tcrit2_store(struct device *dev, struct device_attribute *attr,
+       if (ret < 0)
+               return ret;
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, index ? 255 : 127);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, 0, (index ? 255 : 127) * 1000),
++                              1000);
+       mutex_lock(&data->update_lock);
+       data->tcrit2[index] = val;
+@@ -350,7 +351,7 @@ static ssize_t tcrit1_store(struct device *dev, struct device_attribute *attr,
+       if (ret < 0)
+               return ret;
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 255);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 255000), 1000);
+       mutex_lock(&data->update_lock);
+       data->tcrit1[index] = val;
+@@ -391,7 +392,7 @@ static ssize_t tcrit1_hyst_store(struct device *dev,
+       if (ret < 0)
+               return ret;
+-      val = DIV_ROUND_CLOSEST(val, 1000);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, -255000, 255000), 1000);
+       val = clamp_val((int)data->tcrit1[index] - val, 0, 31);
+       mutex_lock(&data->update_lock);
+@@ -431,7 +432,7 @@ static ssize_t offset_store(struct device *dev, struct device_attribute *attr,
+               return ret;
+       /* Accuracy is 1/2 degrees C */
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 500), -128, 127);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, -64000, 63500), 500);
+       mutex_lock(&data->update_lock);
+       data->toffset[index] = val;
+-- 
+2.43.0
+
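Review bot: In tcrit1_hyst_store() the line `val = clamp_val((int)data->tcrit1[index] - val, 0, 31);` reads `data->tcrit1[index]` before `mutex_lock(&data->update_lock)` is taken, while tcrit1_store() in the same patch writes that field under the lock. A concurrent write to the tcrit1 attribute can therefore make the hysteresis be computed against a stale limit. Moving the subtraction below the `mutex_lock()` call would close that window. The rest of the function is outside the hunk.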
diff --git a/queue-5.4/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch b/queue-5.4/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch
new file mode 100644 (file)
index 0000000..2f685cc
--- /dev/null
@@ -0,0 +1,36 @@
+From 501290f0b7fa2636c1e7f8428076adc28bb3e75c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 23:50:08 -0700
+Subject: hwmon: (nct6775-core) Fix underflows seen when writing limit
+ attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 0403e10bf0824bf0ec2bb135d4cf1c0cc3bf4bf0 ]
+
+DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
+negative number such as -9223372036854775808 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/nct6775.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c
+index ba9b96973e80..da6bbfca15fe 100644
+--- a/drivers/hwmon/nct6775.c
++++ b/drivers/hwmon/nct6775.c
+@@ -2374,7 +2374,7 @@ store_temp_offset(struct device *dev, struct device_attribute *attr,
+       if (err < 0)
+               return err;
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000);
+       mutex_lock(&data->update_lock);
+       data->temp_offset[nr] = val;
+-- 
+2.43.0
+
diff --git a/queue-5.4/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch b/queue-5.4/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch
new file mode 100644 (file)
index 0000000..a155125
--- /dev/null
@@ -0,0 +1,44 @@
+From e56e3490d954f2dafcc90d7971bbb6ae9731ceb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 23:51:34 -0700
+Subject: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 5c1de37969b7bc0abcb20b86e91e70caebbd4f89 ]
+
+DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
+negative number such as -9223372036854775808 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/w83627ehf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c
+index eb171d15ac48..e4e5bb911558 100644
+--- a/drivers/hwmon/w83627ehf.c
++++ b/drivers/hwmon/w83627ehf.c
+@@ -1506,7 +1506,7 @@ store_target_temp(struct device *dev, struct device_attribute *attr,
+       if (err < 0)
+               return err;
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 127);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 127000), 1000);
+       mutex_lock(&data->update_lock);
+       data->target_temp[nr] = val;
+@@ -1532,7 +1532,7 @@ store_tolerance(struct device *dev, struct device_attribute *attr,
+               return err;
+       /* Limit the temp to 0C - 15C */
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 15);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 15000), 1000);
+       mutex_lock(&data->update_lock);
+       if (sio_data->kind == nct6775 || sio_data->kind == nct6776) {
+-- 
+2.43.0
+
diff --git a/queue-5.4/igb-fix-not-clearing-timesync-interrupts-for-82580.patch b/queue-5.4/igb-fix-not-clearing-timesync-interrupts-for-82580.patch
new file mode 100644 (file)
index 0000000..e756870
--- /dev/null
@@ -0,0 +1,70 @@
+From 0c730d287e1aa27f872e39062faf42711a30e62c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Aug 2024 21:55:53 -0700
+Subject: igb: Fix not clearing TimeSync interrupts for 82580
+
+From: Daiwei Li <daiweili@google.com>
+
+[ Upstream commit ba8cf80724dbc09825b52498e4efacb563935408 ]
+
+82580 NICs have a hardware bug that makes it
+necessary to write into the TSICR (TimeSync Interrupt Cause) register
+to clear it:
+https://lore.kernel.org/all/CDCB8BE0.1EC2C%25matthew.vick@intel.com/
+
+Add a conditional so only for 82580 we write into the TSICR register,
+so we don't risk losing events for other models.
+
+Without this change, when running ptp4l with an Intel 82580 card,
+I get the following output:
+
+> timed out while polling for tx timestamp increasing tx_timestamp_timeout or
+> increasing kworker priority may correct this issue, but a driver bug likely
+> causes it
+
+This goes away with this change.
+
+This (partially) reverts commit ee14cc9ea19b ("igb: Fix missing time sync events").
+
+Fixes: ee14cc9ea19b ("igb: Fix missing time sync events")
+Closes: https://lore.kernel.org/intel-wired-lan/CAN0jFd1kO0MMtOh8N2Ztxn6f7vvDKp2h507sMryobkBKe=xk=w@mail.gmail.com/
+Tested-by: Daiwei Li <daiweili@google.com>
+Suggested-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Daiwei Li <daiweili@google.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index cceff1515ea1..884beeb67a1f 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -6522,10 +6522,20 @@ static void igb_extts(struct igb_adapter *adapter, int tsintr_tt)
+ static void igb_tsync_interrupt(struct igb_adapter *adapter)
+ {
++      const u32 mask = (TSINTR_SYS_WRAP | E1000_TSICR_TXTS |
++                        TSINTR_TT0 | TSINTR_TT1 |
++                        TSINTR_AUTT0 | TSINTR_AUTT1);
+       struct e1000_hw *hw = &adapter->hw;
+       u32 tsicr = rd32(E1000_TSICR);
+       struct ptp_clock_event event;
++      if (hw->mac.type == e1000_82580) {
++              /* 82580 has a hardware bug that requires an explicit
++               * write to clear the TimeSync interrupt cause.
++               */
++              wr32(E1000_TSICR, tsicr & mask);
++      }
++
+       if (tsicr & TSINTR_SYS_WRAP) {
+               event.type = PTP_CLOCK_PPS;
+               if (adapter->ptp_caps.pps)
+-- 
+2.43.0
+
diff --git a/queue-5.4/input-uinput-reject-requests-with-unreasonable-numbe.patch b/queue-5.4/input-uinput-reject-requests-with-unreasonable-numbe.patch
new file mode 100644 (file)
index 0000000..0111013
--- /dev/null
@@ -0,0 +1,59 @@
+From e512db86cd675f0766861663efcc7eb977fb4fa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Aug 2024 17:50:25 -0700
+Subject: Input: uinput - reject requests with unreasonable number of slots
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 206f533a0a7c683982af473079c4111f4a0f9f5e ]
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+When exercising uinput interface syzkaller may try setting up device
+with a really large number of slots, which causes memory allocation
+failure in input_mt_init_slots(). While this allocation failure is
+handled properly and request is rejected, it results in syzkaller
+reports. Additionally, such request may put undue burden on the
+system which will try to free a lot of memory for a bogus request.
+
+Fix it by limiting allowed number of slots to 100. This can easily
+be extended if we see devices that can track more than 100 contacts.
+
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+0122fa359a69694395d5@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=0122fa359a69694395d5
+Link: https://lore.kernel.org/r/Zqgi7NYEbpRsJfa2@google.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/uinput.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
+index 002654ec7040..e707da0b1fe2 100644
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -416,6 +416,20 @@ static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
+               return -EINVAL;
+       }
++      /*
++       * Limit number of contacts to a reasonable value (100). This
++       * ensures that we need less than 2 pages for struct input_mt
++       * (we are not using in-kernel slot assignment so not going to
++       * allocate memory for the "red" table), and we should have no
++       * trouble getting this much memory.
++       */
++      if (code == ABS_MT_SLOT && max > 99) {
++              printk(KERN_DEBUG
++                     "%s: unreasonably large number of slots requested: %d\n",
++                     UINPUT_NAME, max);
++              return -EINVAL;
++      }
++
+       return 0;
+ }
+-- 
+2.43.0
+
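Review bot: The slot limit in uinput_validate_absinfo() is spelled two ways, 100 in the comment and `max > 99` in the check, which makes the boundary easy to get wrong on the next change. A named constant would state it once, e.g. `#define UINPUT_MAX_SLOTS 100` (constructed name) with `if (code == ABS_MT_SLOT && max >= UINPUT_MAX_SLOTS)`. The message is also emitted on a request path driven by the uinput client, so `printk_ratelimited()` would keep a misbehaving client from filling the log. The start of the function is outside the hunk.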
diff --git a/queue-5.4/iommu-vt-d-handle-volatile-descriptor-status-read.patch b/queue-5.4/iommu-vt-d-handle-volatile-descriptor-status-read.patch
new file mode 100644 (file)
index 0000000..cd6e33d
--- /dev/null
@@ -0,0 +1,56 @@
+From 3aa672eb89bb2a000c6649085242bedb95719805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 21:08:33 +0800
+Subject: iommu/vt-d: Handle volatile descriptor status read
+
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+
+[ Upstream commit b5e86a95541cea737394a1da967df4cd4d8f7182 ]
+
+Queued invalidation wait descriptor status is volatile in that IOMMU
+hardware writes the data upon completion.
+
+Use READ_ONCE() to prevent compiler optimizations which ensures memory
+reads every time. As a side effect, READ_ONCE() also enforces strict
+types and may add an extra instruction. But it should not have negative
+performance impact since we use cpu_relax anyway and the extra time(by
+adding an instruction) may allow IOMMU HW request cacheline ownership
+easier.
+
+e.g. gcc 12.3
+BEFORE:
+       81 38 ad de 00 00       cmpl   $0x2,(%rax)
+
+AFTER (with READ_ONCE())
+    772f:       8b 00                   mov    (%rax),%eax
+    7731:       3d ad de 00 00          cmp    $0x2,%eax
+                                        //status data is 32 bit
+
+Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Link: https://lore.kernel.org/r/20240607173817.3914600-1-jacob.jun.pan@linux.intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/20240702130839.108139-2-baolu.lu@linux.intel.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/dmar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
+index 36900d65386f..a4805d17317d 100644
+--- a/drivers/iommu/dmar.c
++++ b/drivers/iommu/dmar.c
+@@ -1294,7 +1294,7 @@ int qi_submit_sync(struct qi_desc *desc, struct intel_iommu *iommu)
+        */
+       writel(qi->free_head << shift, iommu->reg + DMAR_IQT_REG);
+-      while (qi->desc_status[wait_index] != QI_DONE) {
++      while (READ_ONCE(qi->desc_status[wait_index]) != QI_DONE) {
+               /*
+                * We will leave the interrupts disabled, to prevent interrupt
+                * context to queue another cmd while a cmd is already submitted
+-- 
+2.43.0
+
diff --git a/queue-5.4/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch b/queue-5.4/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch
new file mode 100644 (file)
index 0000000..e5a8c4e
--- /dev/null
@@ -0,0 +1,46 @@
+From 522637fadc576a550e392ab791936c57b4e1f89e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jun 2024 11:38:28 +0200
+Subject: irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 3cef738208e5c3cb7084e208caf9bbf684f24feb ]
+
+IRQs 0 (IPI) and 1 (MSI) are handled internally by this driver,
+generic_handle_domain_irq() is never called for these IRQs.
+
+Disallow mapping these IRQs.
+
+[ Marek: changed commit message ]
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-armada-370-xp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/irqchip/irq-armada-370-xp.c b/drivers/irqchip/irq-armada-370-xp.c
+index 0fd428db3aa4..73c386aba368 100644
+--- a/drivers/irqchip/irq-armada-370-xp.c
++++ b/drivers/irqchip/irq-armada-370-xp.c
+@@ -346,6 +346,10 @@ static struct irq_chip armada_370_xp_irq_chip = {
+ static int armada_370_xp_mpic_irq_map(struct irq_domain *h,
+                                     unsigned int virq, irq_hw_number_t hw)
+ {
++      /* IRQs 0 and 1 cannot be mapped, they are handled internally */
++      if (hw <= 1)
++              return -EINVAL;
++
+       armada_370_xp_irq_mask(irq_get_irq_data(virq));
+       if (!is_percpu_irq(hw))
+               writel(hw, per_cpu_int_base +
+-- 
+2.43.0
+
diff --git a/queue-5.4/lib-generic-radix-tree.c-fix-rare-race-in-__genradix.patch b/queue-5.4/lib-generic-radix-tree.c-fix-rare-race-in-__genradix.patch
new file mode 100644 (file)
index 0000000..63fd08c
--- /dev/null
@@ -0,0 +1,39 @@
+From 8922670c3684aed10adac15b451011b9458ca156 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Aug 2024 21:04:35 -0400
+Subject: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()
+
+From: Kent Overstreet <kent.overstreet@linux.dev>
+
+[ Upstream commit b2f11c6f3e1fc60742673b8675c95b78447f3dae ]
+
+If we need to increase the tree depth, allocate a new node, and then
+race with another thread that increased the tree depth before us, we'll
+still have a preallocated node that might be used later.
+
+If we then use that node for a new non-root node, it'll still have a
+pointer to the old root instead of being zeroed - fix this by zeroing it
+in the cmpxchg failure path.
+
+Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/generic-radix-tree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/generic-radix-tree.c b/lib/generic-radix-tree.c
+index f25eb111c051..34d3ac52de89 100644
+--- a/lib/generic-radix-tree.c
++++ b/lib/generic-radix-tree.c
+@@ -131,6 +131,8 @@ void *__genradix_ptr_alloc(struct __genradix *radix, size_t offset,
+               if ((v = cmpxchg_release(&radix->root, r, new_root)) == r) {
+                       v = new_root;
+                       new_node = NULL;
++              } else {
++                      new_node->children[0] = NULL;
+               }
+       }
+-- 
+2.43.0
+
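Review bot: The new `else` branch in __genradix_ptr_alloc() has no comment, and the reason for clearing `children[0]` is recorded only in the commit message. Without it the store looks redundant and is easy to drop in a later cleanup, which would bring back a preallocated node that still points at the old root when it is reused as a non-root node. Suggested comment: `/* lost the race to grow the tree: new_node may be reused later, so clear the stale pointer to the old root */`. The loop and the allocation of new_node are outside the hunk, so I am assuming new_node cannot be NULL on this path.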
diff --git a/queue-5.4/libbpf-add-null-checks-to-bpf_object__-prev_map-next.patch b/queue-5.4/libbpf-add-null-checks-to-bpf_object__-prev_map-next.patch
new file mode 100644 (file)
index 0000000..b947ab6
--- /dev/null
@@ -0,0 +1,59 @@
+From 968c8a59204a33610ccbf4fdd21f873428d415b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 10:34:36 +0200
+Subject: libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
+
+From: Andreas Ziegler <ziegler.andreas@siemens.com>
+
+[ Upstream commit cedc12c5b57f7efa6dbebfb2b140e8675f5a2616 ]
+
+In the current state, an erroneous call to
+bpf_object__find_map_by_name(NULL, ...) leads to a segmentation
+fault through the following call chain:
+
+  bpf_object__find_map_by_name(obj = NULL, ...)
+  -> bpf_object__for_each_map(pos, obj = NULL)
+  -> bpf_object__next_map((obj = NULL), NULL)
+  -> return (obj = NULL)->maps
+
+While calling bpf_object__find_map_by_name with obj = NULL is
+obviously incorrect, this should not lead to a segmentation
+fault but rather be handled gracefully.
+
+As __bpf_map__iter already handles this situation correctly, we
+can delegate the check for the regular case there and only add
+a check in case the prev or next parameter is NULL.
+
+Signed-off-by: Andreas Ziegler <ziegler.andreas@siemens.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20240703083436.505124-1-ziegler.andreas@siemens.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index b8849812449c..98e34c517267 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -4754,7 +4754,7 @@ __bpf_map__iter(const struct bpf_map *m, const struct bpf_object *obj, int i)
+ struct bpf_map *
+ bpf_map__next(const struct bpf_map *prev, const struct bpf_object *obj)
+ {
+-      if (prev == NULL)
++      if (prev == NULL && obj != NULL)
+               return obj->maps;
+       return __bpf_map__iter(prev, obj, 1);
+@@ -4763,7 +4763,7 @@ bpf_map__next(const struct bpf_map *prev, const struct bpf_object *obj)
+ struct bpf_map *
+ bpf_map__prev(const struct bpf_map *next, const struct bpf_object *obj)
+ {
+-      if (next == NULL) {
++      if (next == NULL && obj != NULL) {
+               if (!obj->nr_maps)
+                       return NULL;
+               return obj->maps + obj->nr_maps - 1;
+-- 
+2.43.0
+
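Review bot: With `obj == NULL` both bpf_map__next() and bpf_map__prev() now skip the first branch and depend entirely on __bpf_map__iter() rejecting a NULL object, and that helper is not visible in either hunk. The commit message states the helper handles this, but that was written against upstream; for the 5.4 backport it is worth confirming the helper in this tree has the same check. Making the guard explicit at the top of both functions removes the dependency: `if (obj == NULL) return NULL;`. The fall-through call in bpf_map__prev() is outside the hunk.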
diff --git a/queue-5.4/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch b/queue-5.4/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch
new file mode 100644 (file)
index 0000000..367811c
--- /dev/null
@@ -0,0 +1,39 @@
+From 191377faf1a9503021c1735e46d477cdc23002c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jun 2024 09:35:22 +0800
+Subject: media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit 4caf6d93d9f2c11d6441c64e1c549c445fa322ed ]
+
+Add check for the return value of v4l2_fwnode_endpoint_parse() and
+return the error if it fails in order to catch the error.
+
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/camss/camss.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c
+index 2483641799df..2db9229d5601 100644
+--- a/drivers/media/platform/qcom/camss/camss.c
++++ b/drivers/media/platform/qcom/camss/camss.c
+@@ -431,8 +431,11 @@ static int camss_of_parse_endpoint_node(struct device *dev,
+       struct v4l2_fwnode_bus_mipi_csi2 *mipi_csi2;
+       struct v4l2_fwnode_endpoint vep = { { 0 } };
+       unsigned int i;
++      int ret;
+-      v4l2_fwnode_endpoint_parse(of_fwnode_handle(node), &vep);
++      ret = v4l2_fwnode_endpoint_parse(of_fwnode_handle(node), &vep);
++      if (ret)
++              return ret;
+       csd->interface.csiphy_id = vep.base.port;
+-- 
+2.43.0
+
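Review bot: The new error path in camss_of_parse_endpoint_node() returns the code from v4l2_fwnode_endpoint_parse() without logging anything, so a rejected endpoint node fails with no hint about which call refused it. A one-line diagnostic before the return would help, for example `dev_err(dev, "failed to parse endpoint: %d\n", ret);` (the message text is only a suggestion). The function starts and ends outside the hunk, so how callers treat this return value cannot be checked from here.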
diff --git a/queue-5.4/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch b/queue-5.4/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch
new file mode 100644 (file)
index 0000000..fb891cb
--- /dev/null
@@ -0,0 +1,58 @@
+From cbeb723023d3ec0f6fdf3cc97a4492e4477c20cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 10:19:57 +0200
+Subject: net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
+
+From: Jonas Gorski <jonas.gorski@bisdn.de>
+
+[ Upstream commit bee2ef946d3184e99077be526567d791c473036f ]
+
+When userspace wants to take over a fdb entry by setting it as
+EXTERN_LEARNED, we set both flags BR_FDB_ADDED_BY_EXT_LEARN and
+BR_FDB_ADDED_BY_USER in br_fdb_external_learn_add().
+
+If the bridge updates the entry later because its port changed, we clear
+the BR_FDB_ADDED_BY_EXT_LEARN flag, but leave the BR_FDB_ADDED_BY_USER
+flag set.
+
+If userspace then wants to take over the entry again,
+br_fdb_external_learn_add() sees that BR_FDB_ADDED_BY_USER and skips
+setting the BR_FDB_ADDED_BY_EXT_LEARN flags, thus silently ignores the
+update.
+
+Fix this by always allowing to set BR_FDB_ADDED_BY_EXT_LEARN regardless
+if this was a user fdb entry or not.
+
+Fixes: 710ae7287737 ("net: bridge: Mark FDB entries that were added by user as such")
+Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20240903081958.29951-1-jonas.gorski@bisdn.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 83d6be3f87f1..89e0a6808d30 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -1138,12 +1138,10 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+                       modified = true;
+               }
+-              if (test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
++              if (test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
+                       /* Refresh entry */
+                       fdb->used = jiffies;
+-              } else if (!test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags)) {
+-                      /* Take over SW learned entry */
+-                      set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags);
++              } else {
+                       modified = true;
+               }
+-- 
+2.43.0
+
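Review bot: In br_fdb_external_learn_add() the condition `test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)` now both tests and modifies the entry, and the `/* Take over SW learned entry */` comment went away with the old branch, so the remaining `else` sets `modified` with no explanation. I would add a comment in the `else`, such as `/* bit was clear: entry taken over, including one marked BR_FDB_ADDED_BY_USER */`. That also records the behaviour change that user-added entries are no longer exempt from takeover. The function starts and ends outside the hunk.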
diff --git a/queue-5.4/net-bridge-fdb-convert-added_by_external_learn-to-us.patch b/queue-5.4/net-bridge-fdb-convert-added_by_external_learn-to-us.patch
new file mode 100644 (file)
index 0000000..90d53c5
--- /dev/null
@@ -0,0 +1,128 @@
+From 08367e277341b581ca8cb565b21b2629d30f720d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 13:45:57 +0200
+Subject: net: bridge: fdb: convert added_by_external_learn to use bitops
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit b5cd9f7c42480ede119a390607a9dbe6263f6795 ]
+
+Convert the added_by_external_learn field to a flag and use bitops.
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c     | 19 +++++++++----------
+ net/bridge/br_private.h |  4 ++--
+ 2 files changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 6f00cca4afc8..83d6be3f87f1 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -76,7 +76,7 @@ static inline int has_expired(const struct net_bridge *br,
+                                 const struct net_bridge_fdb_entry *fdb)
+ {
+       return !test_bit(BR_FDB_STATIC, &fdb->flags) &&
+-             !fdb->added_by_external_learn &&
++             !test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags) &&
+              time_before_eq(fdb->updated + hold_time(br), jiffies);
+ }
+@@ -352,7 +352,7 @@ void br_fdb_cleanup(struct work_struct *work)
+               unsigned long this_timer;
+               if (test_bit(BR_FDB_STATIC, &f->flags) ||
+-                  f->added_by_external_learn)
++                  test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &f->flags))
+                       continue;
+               this_timer = f->updated + delay;
+               if (time_after(this_timer, now)) {
+@@ -506,7 +506,6 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br,
+                       set_bit(BR_FDB_LOCAL, &fdb->flags);
+               if (is_static)
+                       set_bit(BR_FDB_STATIC, &fdb->flags);
+-              fdb->added_by_external_learn = 0;
+               fdb->offloaded = 0;
+               fdb->updated = fdb->used = jiffies;
+               if (rhashtable_lookup_insert_fast(&br->fdb_hash_tbl,
+@@ -593,8 +592,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+                               fdb->dst = source;
+                               fdb_modified = true;
+                               /* Take over HW learned entry */
+-                              if (unlikely(fdb->added_by_external_learn))
+-                                      fdb->added_by_external_learn = 0;
++                              test_and_clear_bit(BR_FDB_ADDED_BY_EXT_LEARN,
++                                                 &fdb->flags);
+                       }
+                       if (now != fdb->updated)
+                               fdb->updated = now;
+@@ -659,7 +658,7 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
+       if (fdb->offloaded)
+               ndm->ndm_flags |= NTF_OFFLOADED;
+-      if (fdb->added_by_external_learn)
++      if (test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags))
+               ndm->ndm_flags |= NTF_EXT_LEARNED;
+       if (test_bit(BR_FDB_STICKY, &fdb->flags))
+               ndm->ndm_flags |= NTF_STICKY;
+@@ -1129,7 +1128,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+               }
+               if (swdev_notify)
+                       set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+-              fdb->added_by_external_learn = 1;
++              set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags);
+               fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify);
+       } else {
+               fdb->updated = jiffies;
+@@ -1139,12 +1138,12 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+                       modified = true;
+               }
+-              if (fdb->added_by_external_learn) {
++              if (test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
+                       /* Refresh entry */
+                       fdb->used = jiffies;
+               } else if (!test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags)) {
+                       /* Take over SW learned entry */
+-                      fdb->added_by_external_learn = 1;
++                      set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags);
+                       modified = true;
+               }
+@@ -1171,7 +1170,7 @@ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p,
+       spin_lock_bh(&br->hash_lock);
+       fdb = br_fdb_find(br, addr, vid);
+-      if (fdb && fdb->added_by_external_learn)
++      if (fdb && test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags))
+               fdb_delete(br, fdb, swdev_notify);
+       else
+               err = -ENOENT;
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index a439e0cfc686..5ba4620727a7 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -178,6 +178,7 @@ enum {
+       BR_FDB_STATIC,
+       BR_FDB_STICKY,
+       BR_FDB_ADDED_BY_USER,
++      BR_FDB_ADDED_BY_EXT_LEARN,
+ };
+ struct net_bridge_fdb_key {
+@@ -192,8 +193,7 @@ struct net_bridge_fdb_entry {
+       struct net_bridge_fdb_key       key;
+       struct hlist_node               fdb_node;
+       unsigned long                   flags;
+-      unsigned char                   added_by_external_learn:1,
+-                                      offloaded:1;
++      unsigned char                   offloaded:1;
+       /* write-heavy members should not affect lookups */
+       unsigned long                   updated ____cacheline_aligned_in_smp;
+-- 
+2.43.0
+
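Review bot: In the br_fdb_update() hunk the `unlikely()` guard is replaced by an unconditional `test_and_clear_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)` whose result is discarded. That is an atomic read-modify-write even when the bit is already clear, whereas the removed code only read the field in the common case. Keeping the test preserves the read-only path: `if (unlikely(test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)))` followed by `clear_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags);`. The enclosing function lies outside the hunk, so how often this branch runs cannot be judged from here.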
diff --git a/queue-5.4/net-bridge-fdb-convert-added_by_user-to-bitops.patch b/queue-5.4/net-bridge-fdb-convert-added_by_user-to-bitops.patch
new file mode 100644 (file)
index 0000000..f2a8c25
--- /dev/null
@@ -0,0 +1,188 @@
+From 025a3a1da3d2e0375e87996e987525feb163bc74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 13:45:56 +0200
+Subject: net: bridge: fdb: convert added_by_user to bitops
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit ac3ca6af443aa495c7907e5010ac77fbd2450eaa ]
+
+Straight-forward convert of the added_by_user field to bitops.
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c       | 25 ++++++++++++-------------
+ net/bridge/br_private.h   |  4 ++--
+ net/bridge/br_switchdev.c |  6 ++++--
+ 3 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 3645c1172b50..6f00cca4afc8 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -225,7 +225,7 @@ static void fdb_delete_local(struct net_bridge *br,
+               if (op != p && ether_addr_equal(op->dev->dev_addr, addr) &&
+                   (!vid || br_vlan_find(vg, vid))) {
+                       f->dst = op;
+-                      f->added_by_user = 0;
++                      clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
+                       return;
+               }
+       }
+@@ -236,7 +236,7 @@ static void fdb_delete_local(struct net_bridge *br,
+       if (p && ether_addr_equal(br->dev->dev_addr, addr) &&
+           (!vid || (v && br_vlan_should_use(v)))) {
+               f->dst = NULL;
+-              f->added_by_user = 0;
++              clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
+               return;
+       }
+@@ -252,7 +252,7 @@ void br_fdb_find_delete_local(struct net_bridge *br,
+       spin_lock_bh(&br->hash_lock);
+       f = br_fdb_find(br, addr, vid);
+       if (f && test_bit(BR_FDB_LOCAL, &f->flags) &&
+-          !f->added_by_user && f->dst == p)
++          !test_bit(BR_FDB_ADDED_BY_USER, &f->flags) && f->dst == p)
+               fdb_delete_local(br, p, f);
+       spin_unlock_bh(&br->hash_lock);
+ }
+@@ -268,7 +268,7 @@ void br_fdb_changeaddr(struct net_bridge_port *p, const unsigned char *newaddr)
+       vg = nbp_vlan_group(p);
+       hlist_for_each_entry(f, &br->fdb_list, fdb_node) {
+               if (f->dst == p && test_bit(BR_FDB_LOCAL, &f->flags) &&
+-                  !f->added_by_user) {
++                  !test_bit(BR_FDB_ADDED_BY_USER, &f->flags)) {
+                       /* delete old one */
+                       fdb_delete_local(br, p, f);
+@@ -310,7 +310,7 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
+       /* If old entry was unassociated with any port, then delete it. */
+       f = br_fdb_find(br, br->dev->dev_addr, 0);
+       if (f && test_bit(BR_FDB_LOCAL, &f->flags) &&
+-          !f->dst && !f->added_by_user)
++          !f->dst && !test_bit(BR_FDB_ADDED_BY_USER, &f->flags))
+               fdb_delete_local(br, NULL, f);
+       fdb_insert(br, NULL, newaddr, 0);
+@@ -326,7 +326,7 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
+                       continue;
+               f = br_fdb_find(br, br->dev->dev_addr, v->vid);
+               if (f && test_bit(BR_FDB_LOCAL, &f->flags) &&
+-                  !f->dst && !f->added_by_user)
++                  !f->dst && !test_bit(BR_FDB_ADDED_BY_USER, &f->flags))
+                       fdb_delete_local(br, NULL, f);
+               fdb_insert(br, NULL, newaddr, v->vid);
+       }
+@@ -506,7 +506,6 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br,
+                       set_bit(BR_FDB_LOCAL, &fdb->flags);
+               if (is_static)
+                       set_bit(BR_FDB_STATIC, &fdb->flags);
+-              fdb->added_by_user = 0;
+               fdb->added_by_external_learn = 0;
+               fdb->offloaded = 0;
+               fdb->updated = fdb->used = jiffies;
+@@ -600,7 +599,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+                       if (now != fdb->updated)
+                               fdb->updated = now;
+                       if (unlikely(added_by_user))
+-                              fdb->added_by_user = 1;
++                              set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+                       if (unlikely(fdb_modified)) {
+                               trace_br_fdb_update(br, source, addr, vid, added_by_user);
+                               fdb_notify(br, fdb, RTM_NEWNEIGH, true);
+@@ -611,7 +610,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+               fdb = fdb_create(br, source, addr, vid, 0, 0);
+               if (fdb) {
+                       if (unlikely(added_by_user))
+-                              fdb->added_by_user = 1;
++                              set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+                       trace_br_fdb_update(br, source, addr, vid,
+                                           added_by_user);
+                       fdb_notify(br, fdb, RTM_NEWNEIGH, true);
+@@ -871,7 +870,7 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+               modified = true;
+       }
+-      fdb->added_by_user = 1;
++      set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+       fdb->used = jiffies;
+       if (modified) {
+@@ -1129,7 +1128,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+                       goto err_unlock;
+               }
+               if (swdev_notify)
+-                      fdb->added_by_user = 1;
++                      set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+               fdb->added_by_external_learn = 1;
+               fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify);
+       } else {
+@@ -1143,14 +1142,14 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+               if (fdb->added_by_external_learn) {
+                       /* Refresh entry */
+                       fdb->used = jiffies;
+-              } else if (!fdb->added_by_user) {
++              } else if (!test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags)) {
+                       /* Take over SW learned entry */
+                       fdb->added_by_external_learn = 1;
+                       modified = true;
+               }
+               if (swdev_notify)
+-                      fdb->added_by_user = 1;
++                      set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+               if (modified)
+                       fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify);
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index b495778911a2..a439e0cfc686 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -177,6 +177,7 @@ enum {
+       BR_FDB_LOCAL,
+       BR_FDB_STATIC,
+       BR_FDB_STICKY,
++      BR_FDB_ADDED_BY_USER,
+ };
+ struct net_bridge_fdb_key {
+@@ -191,8 +192,7 @@ struct net_bridge_fdb_entry {
+       struct net_bridge_fdb_key       key;
+       struct hlist_node               fdb_node;
+       unsigned long                   flags;
+-      unsigned char                   added_by_user:1,
+-                                      added_by_external_learn:1,
++      unsigned char                   added_by_external_learn:1,
+                                       offloaded:1;
+       /* write-heavy members should not affect lookups */
+diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c
+index 921310d3cbae..5010fbf74778 100644
+--- a/net/bridge/br_switchdev.c
++++ b/net/bridge/br_switchdev.c
+@@ -129,14 +129,16 @@ br_switchdev_fdb_notify(const struct net_bridge_fdb_entry *fdb, int type)
+               br_switchdev_fdb_call_notifiers(false, fdb->key.addr.addr,
+                                               fdb->key.vlan_id,
+                                               fdb->dst->dev,
+-                                              fdb->added_by_user,
++                                              test_bit(BR_FDB_ADDED_BY_USER,
++                                                       &fdb->flags),
+                                               fdb->offloaded);
+               break;
+       case RTM_NEWNEIGH:
+               br_switchdev_fdb_call_notifiers(true, fdb->key.addr.addr,
+                                               fdb->key.vlan_id,
+                                               fdb->dst->dev,
+-                                              fdb->added_by_user,
++                                              test_bit(BR_FDB_ADDED_BY_USER,
++                                                       &fdb->flags),
+                                               fdb->offloaded);
+               break;
+       }
+-- 
+2.43.0
+
diff --git a/queue-5.4/net-bridge-fdb-convert-is_local-to-bitops.patch b/queue-5.4/net-bridge-fdb-convert-is_local-to-bitops.patch
new file mode 100644 (file)
index 0000000..6744f2a
--- /dev/null
@@ -0,0 +1,188 @@
+From 879f237c5be034fc0d58e9b3f7671703bb948fec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 13:45:53 +0200
+Subject: net: bridge: fdb: convert is_local to bitops
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 6869c3b02b596eba931a754f56875d2e2ac612db ]
+
+The patch adds a new fdb flags field in the hole between the two cache
+lines and uses it to convert is_local to bitops.
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c     | 32 +++++++++++++++++++-------------
+ net/bridge/br_input.c   |  2 +-
+ net/bridge/br_private.h |  9 +++++++--
+ 3 files changed, 27 insertions(+), 16 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index b1d3248c0252..e67d5eb8bc1d 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -250,7 +250,8 @@ void br_fdb_find_delete_local(struct net_bridge *br,
+       spin_lock_bh(&br->hash_lock);
+       f = br_fdb_find(br, addr, vid);
+-      if (f && f->is_local && !f->added_by_user && f->dst == p)
++      if (f && test_bit(BR_FDB_LOCAL, &f->flags) &&
++          !f->added_by_user && f->dst == p)
+               fdb_delete_local(br, p, f);
+       spin_unlock_bh(&br->hash_lock);
+ }
+@@ -265,7 +266,8 @@ void br_fdb_changeaddr(struct net_bridge_port *p, const unsigned char *newaddr)
+       spin_lock_bh(&br->hash_lock);
+       vg = nbp_vlan_group(p);
+       hlist_for_each_entry(f, &br->fdb_list, fdb_node) {
+-              if (f->dst == p && f->is_local && !f->added_by_user) {
++              if (f->dst == p && test_bit(BR_FDB_LOCAL, &f->flags) &&
++                  !f->added_by_user) {
+                       /* delete old one */
+                       fdb_delete_local(br, p, f);
+@@ -306,7 +308,8 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
+       /* If old entry was unassociated with any port, then delete it. */
+       f = br_fdb_find(br, br->dev->dev_addr, 0);
+-      if (f && f->is_local && !f->dst && !f->added_by_user)
++      if (f && test_bit(BR_FDB_LOCAL, &f->flags) &&
++          !f->dst && !f->added_by_user)
+               fdb_delete_local(br, NULL, f);
+       fdb_insert(br, NULL, newaddr, 0);
+@@ -321,7 +324,8 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
+               if (!br_vlan_should_use(v))
+                       continue;
+               f = br_fdb_find(br, br->dev->dev_addr, v->vid);
+-              if (f && f->is_local && !f->dst && !f->added_by_user)
++              if (f && test_bit(BR_FDB_LOCAL, &f->flags) &&
++                  !f->dst && !f->added_by_user)
+                       fdb_delete_local(br, NULL, f);
+               fdb_insert(br, NULL, newaddr, v->vid);
+       }
+@@ -400,7 +404,7 @@ void br_fdb_delete_by_port(struct net_bridge *br,
+                       if (f->is_static || (vid && f->key.vlan_id != vid))
+                               continue;
+-              if (f->is_local)
++              if (test_bit(BR_FDB_LOCAL, &f->flags))
+                       fdb_delete_local(br, p, f);
+               else
+                       fdb_delete(br, f, true);
+@@ -469,7 +473,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
+               fe->port_no = f->dst->port_no;
+               fe->port_hi = f->dst->port_no >> 8;
+-              fe->is_local = f->is_local;
++              fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
+               if (!f->is_static)
+                       fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated);
+               ++fe;
+@@ -494,7 +498,9 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br,
+               memcpy(fdb->key.addr.addr, addr, ETH_ALEN);
+               fdb->dst = source;
+               fdb->key.vlan_id = vid;
+-              fdb->is_local = is_local;
++              fdb->flags = 0;
++              if (is_local)
++                      set_bit(BR_FDB_LOCAL, &fdb->flags);
+               fdb->is_static = is_static;
+               fdb->added_by_user = 0;
+               fdb->added_by_external_learn = 0;
+@@ -526,7 +532,7 @@ static int fdb_insert(struct net_bridge *br, struct net_bridge_port *source,
+               /* it is okay to have multiple ports with same
+                * address, just use the first one.
+                */
+-              if (fdb->is_local)
++              if (test_bit(BR_FDB_LOCAL, &fdb->flags))
+                       return 0;
+               br_warn(br, "adding interface %s with same address as a received packet (addr:%pM, vlan:%u)\n",
+                      source ? source->dev->name : br->dev->name, addr, vid);
+@@ -572,7 +578,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+       fdb = fdb_find_rcu(&br->fdb_hash_tbl, addr, vid);
+       if (likely(fdb)) {
+               /* attempt to update an entry for a local interface */
+-              if (unlikely(fdb->is_local)) {
++              if (unlikely(test_bit(BR_FDB_LOCAL, &fdb->flags))) {
+                       if (net_ratelimit())
+                               br_warn(br, "received packet on %s with own address as source address (addr:%pM, vlan:%u)\n",
+                                       source->dev->name, addr, vid);
+@@ -616,7 +622,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+ static int fdb_to_nud(const struct net_bridge *br,
+                     const struct net_bridge_fdb_entry *fdb)
+ {
+-      if (fdb->is_local)
++      if (test_bit(BR_FDB_LOCAL, &fdb->flags))
+               return NUD_PERMANENT;
+       else if (fdb->is_static)
+               return NUD_NOARP;
+@@ -840,19 +846,19 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+       if (fdb_to_nud(br, fdb) != state) {
+               if (state & NUD_PERMANENT) {
+-                      fdb->is_local = 1;
++                      set_bit(BR_FDB_LOCAL, &fdb->flags);
+                       if (!fdb->is_static) {
+                               fdb->is_static = 1;
+                               fdb_add_hw_addr(br, addr);
+                       }
+               } else if (state & NUD_NOARP) {
+-                      fdb->is_local = 0;
++                      clear_bit(BR_FDB_LOCAL, &fdb->flags);
+                       if (!fdb->is_static) {
+                               fdb->is_static = 1;
+                               fdb_add_hw_addr(br, addr);
+                       }
+               } else {
+-                      fdb->is_local = 0;
++                      clear_bit(BR_FDB_LOCAL, &fdb->flags);
+                       if (fdb->is_static) {
+                               fdb->is_static = 0;
+                               fdb_del_hw_addr(br, addr);
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index 3d07dedd93bd..22271b279063 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -158,7 +158,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+       if (dst) {
+               unsigned long now = jiffies;
+-              if (dst->is_local)
++              if (test_bit(BR_FDB_LOCAL, &dst->flags))
+                       return br_pass_frame_up(skb);
+               if (now != dst->used)
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index c83d3a954b5f..92e0ee4c8253 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -172,6 +172,11 @@ struct net_bridge_vlan_group {
+       u16                             pvid;
+ };
++/* bridge fdb flags */
++enum {
++      BR_FDB_LOCAL,
++};
++
+ struct net_bridge_fdb_key {
+       mac_addr addr;
+       u16 vlan_id;
+@@ -183,8 +188,8 @@ struct net_bridge_fdb_entry {
+       struct net_bridge_fdb_key       key;
+       struct hlist_node               fdb_node;
+-      unsigned char                   is_local:1,
+-                                      is_static:1,
++      unsigned long                   flags;
++      unsigned char                   is_static:1,
+                                       is_sticky:1,
+                                       added_by_user:1,
+                                       added_by_external_learn:1,
+-- 
+2.43.0
+
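Review bot: In the fdb_create() hunk, `set_bit(BR_FDB_LOCAL, &fdb->flags)` is an atomic operation on an entry whose `flags` was set to 0 on the line before and which, as far as the hunk shows, has not yet been published to other CPUs. If that holds, the non-atomic form is enough and makes the initialisation intent clearer: `__set_bit(BR_FDB_LOCAL, &fdb->flags);`, or a plain `fdb->flags = is_local ? BIT(BR_FDB_LOCAL) : 0;`. The hash-table insertion is outside this hunk, so confirm nothing makes the entry reachable before these lines. The later conversions in this series also rely on `fdb->flags = 0` here for their initial state, which deserves a short comment on that line.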
diff --git a/queue-5.4/net-bridge-fdb-convert-is_static-to-bitops.patch b/queue-5.4/net-bridge-fdb-convert-is_static-to-bitops.patch
new file mode 100644 (file)
index 0000000..7f68c88
--- /dev/null
@@ -0,0 +1,181 @@
+From a8625548f68be24e2e3e0c07f878a6ac9e030cbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 13:45:54 +0200
+Subject: net: bridge: fdb: convert is_static to bitops
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 29e63fffd666f1945756882d4b02bc7bec132101 ]
+
+Convert the is_static to bitops, make use of the combined
+test_and_set/clear_bit to simplify expressions in fdb_add_entry.
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c     | 40 +++++++++++++++++++---------------------
+ net/bridge/br_private.h |  4 ++--
+ 2 files changed, 21 insertions(+), 23 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index e67d5eb8bc1d..1c890e2d694b 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -75,8 +75,9 @@ static inline unsigned long hold_time(const struct net_bridge *br)
+ static inline int has_expired(const struct net_bridge *br,
+                                 const struct net_bridge_fdb_entry *fdb)
+ {
+-      return !fdb->is_static && !fdb->added_by_external_learn &&
+-              time_before_eq(fdb->updated + hold_time(br), jiffies);
++      return !test_bit(BR_FDB_STATIC, &fdb->flags) &&
++             !fdb->added_by_external_learn &&
++             time_before_eq(fdb->updated + hold_time(br), jiffies);
+ }
+ static void fdb_rcu_free(struct rcu_head *head)
+@@ -197,7 +198,7 @@ static void fdb_delete(struct net_bridge *br, struct net_bridge_fdb_entry *f,
+ {
+       trace_fdb_delete(br, f);
+-      if (f->is_static)
++      if (test_bit(BR_FDB_STATIC, &f->flags))
+               fdb_del_hw_addr(br, f->key.addr.addr);
+       hlist_del_init_rcu(&f->fdb_node);
+@@ -350,7 +351,8 @@ void br_fdb_cleanup(struct work_struct *work)
+       hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+               unsigned long this_timer;
+-              if (f->is_static || f->added_by_external_learn)
++              if (test_bit(BR_FDB_STATIC, &f->flags) ||
++                  f->added_by_external_learn)
+                       continue;
+               this_timer = f->updated + delay;
+               if (time_after(this_timer, now)) {
+@@ -377,7 +379,7 @@ void br_fdb_flush(struct net_bridge *br)
+       spin_lock_bh(&br->hash_lock);
+       hlist_for_each_entry_safe(f, tmp, &br->fdb_list, fdb_node) {
+-              if (!f->is_static)
++              if (!test_bit(BR_FDB_STATIC, &f->flags))
+                       fdb_delete(br, f, true);
+       }
+       spin_unlock_bh(&br->hash_lock);
+@@ -401,7 +403,8 @@ void br_fdb_delete_by_port(struct net_bridge *br,
+                       continue;
+               if (!do_all)
+-                      if (f->is_static || (vid && f->key.vlan_id != vid))
++                      if (test_bit(BR_FDB_STATIC, &f->flags) ||
++                          (vid && f->key.vlan_id != vid))
+                               continue;
+               if (test_bit(BR_FDB_LOCAL, &f->flags))
+@@ -474,7 +477,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
+               fe->port_hi = f->dst->port_no >> 8;
+               fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
+-              if (!f->is_static)
++              if (!test_bit(BR_FDB_STATIC, &f->flags))
+                       fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated);
+               ++fe;
+               ++num;
+@@ -501,7 +504,8 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br,
+               fdb->flags = 0;
+               if (is_local)
+                       set_bit(BR_FDB_LOCAL, &fdb->flags);
+-              fdb->is_static = is_static;
++              if (is_static)
++                      set_bit(BR_FDB_STATIC, &fdb->flags);
+               fdb->added_by_user = 0;
+               fdb->added_by_external_learn = 0;
+               fdb->offloaded = 0;
+@@ -624,7 +628,7 @@ static int fdb_to_nud(const struct net_bridge *br,
+ {
+       if (test_bit(BR_FDB_LOCAL, &fdb->flags))
+               return NUD_PERMANENT;
+-      else if (fdb->is_static)
++      else if (test_bit(BR_FDB_STATIC, &fdb->flags))
+               return NUD_NOARP;
+       else if (has_expired(br, fdb))
+               return NUD_STALE;
+@@ -847,22 +851,16 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+       if (fdb_to_nud(br, fdb) != state) {
+               if (state & NUD_PERMANENT) {
+                       set_bit(BR_FDB_LOCAL, &fdb->flags);
+-                      if (!fdb->is_static) {
+-                              fdb->is_static = 1;
++                      if (!test_and_set_bit(BR_FDB_STATIC, &fdb->flags))
+                               fdb_add_hw_addr(br, addr);
+-                      }
+               } else if (state & NUD_NOARP) {
+                       clear_bit(BR_FDB_LOCAL, &fdb->flags);
+-                      if (!fdb->is_static) {
+-                              fdb->is_static = 1;
++                      if (!test_and_set_bit(BR_FDB_STATIC, &fdb->flags))
+                               fdb_add_hw_addr(br, addr);
+-                      }
+               } else {
+                       clear_bit(BR_FDB_LOCAL, &fdb->flags);
+-                      if (fdb->is_static) {
+-                              fdb->is_static = 0;
++                      if (test_and_clear_bit(BR_FDB_STATIC, &fdb->flags))
+                               fdb_del_hw_addr(br, addr);
+-                      }
+               }
+               modified = true;
+@@ -1070,7 +1068,7 @@ int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p)
+       rcu_read_lock();
+       hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+               /* We only care for static entries */
+-              if (!f->is_static)
++              if (!test_bit(BR_FDB_STATIC, &f->flags))
+                       continue;
+               err = dev_uc_add(p->dev, f->key.addr.addr);
+               if (err)
+@@ -1084,7 +1082,7 @@ int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p)
+ rollback:
+       hlist_for_each_entry_rcu(tmp, &br->fdb_list, fdb_node) {
+               /* We only care for static entries */
+-              if (!tmp->is_static)
++              if (!test_bit(BR_FDB_STATIC, &tmp->flags))
+                       continue;
+               if (tmp == f)
+                       break;
+@@ -1103,7 +1101,7 @@ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p)
+       rcu_read_lock();
+       hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+               /* We only care for static entries */
+-              if (!f->is_static)
++              if (!test_bit(BR_FDB_STATIC, &f->flags))
+                       continue;
+               dev_uc_del(p->dev, f->key.addr.addr);
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 92e0ee4c8253..7b46323584be 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -175,6 +175,7 @@ struct net_bridge_vlan_group {
+ /* bridge fdb flags */
+ enum {
+       BR_FDB_LOCAL,
++      BR_FDB_STATIC,
+ };
+ struct net_bridge_fdb_key {
+@@ -189,8 +190,7 @@ struct net_bridge_fdb_entry {
+       struct net_bridge_fdb_key       key;
+       struct hlist_node               fdb_node;
+       unsigned long                   flags;
+-      unsigned char                   is_static:1,
+-                                      is_sticky:1,
++      unsigned char                   is_sticky:1,
+                                       added_by_user:1,
+                                       added_by_external_learn:1,
+                                       offloaded:1;
+-- 
+2.43.0
+
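Review bot: The enum in br_private.h that gains `BR_FDB_STATIC` is commented only `/* bridge fdb flags */`, which does not say that the enumerators are bit numbers for `set_bit()`/`test_bit()` on `net_bridge_fdb_entry.flags` rather than masks. With `BR_FDB_LOCAL` as the first enumerator (value 0) and `BR_FDB_STATIC` as 1, an accidental `fdb->flags & BR_FDB_STATIC` would compile and silently test the LOCAL bit instead. I would extend the comment to `/* bridge fdb flags: bit numbers for the bitops on net_bridge_fdb_entry.flags, not masks */`.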
diff --git a/queue-5.4/net-bridge-fdb-convert-is_sticky-to-bitops.patch b/queue-5.4/net-bridge-fdb-convert-is_sticky-to-bitops.patch
new file mode 100644 (file)
index 0000000..b5dddc4
--- /dev/null
@@ -0,0 +1,96 @@
+From 1e8321becdece1d0d2f06e07e6ce55be7adf180f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 13:45:55 +0200
+Subject: net: bridge: fdb: convert is_sticky to bitops
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit e0458d9a733ba71a2821d0c3fc0745baac697db0 ]
+
+Straight-forward convert of the is_sticky field to bitops.
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c     | 12 ++++++------
+ net/bridge/br_private.h |  4 ++--
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 1c890e2d694b..3645c1172b50 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -509,7 +509,6 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br,
+               fdb->added_by_user = 0;
+               fdb->added_by_external_learn = 0;
+               fdb->offloaded = 0;
+-              fdb->is_sticky = 0;
+               fdb->updated = fdb->used = jiffies;
+               if (rhashtable_lookup_insert_fast(&br->fdb_hash_tbl,
+                                                 &fdb->rhnode,
+@@ -590,7 +589,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+                       unsigned long now = jiffies;
+                       /* fastpath: update of existing entry */
+-                      if (unlikely(source != fdb->dst && !fdb->is_sticky)) {
++                      if (unlikely(source != fdb->dst &&
++                                   !test_bit(BR_FDB_STICKY, &fdb->flags))) {
+                               fdb->dst = source;
+                               fdb_modified = true;
+                               /* Take over HW learned entry */
+@@ -662,7 +662,7 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
+               ndm->ndm_flags |= NTF_OFFLOADED;
+       if (fdb->added_by_external_learn)
+               ndm->ndm_flags |= NTF_EXT_LEARNED;
+-      if (fdb->is_sticky)
++      if (test_bit(BR_FDB_STICKY, &fdb->flags))
+               ndm->ndm_flags |= NTF_STICKY;
+       if (nla_put(skb, NDA_LLADDR, ETH_ALEN, &fdb->key.addr))
+@@ -809,7 +809,7 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+                        const u8 *addr, u16 state, u16 flags, u16 vid,
+                        u8 ndm_flags)
+ {
+-      u8 is_sticky = !!(ndm_flags & NTF_STICKY);
++      bool is_sticky = !!(ndm_flags & NTF_STICKY);
+       struct net_bridge_fdb_entry *fdb;
+       bool modified = false;
+@@ -866,8 +866,8 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+               modified = true;
+       }
+-      if (is_sticky != fdb->is_sticky) {
+-              fdb->is_sticky = is_sticky;
++      if (is_sticky != test_bit(BR_FDB_STICKY, &fdb->flags)) {
++              change_bit(BR_FDB_STICKY, &fdb->flags);
+               modified = true;
+       }
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 7b46323584be..b495778911a2 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -176,6 +176,7 @@ struct net_bridge_vlan_group {
+ enum {
+       BR_FDB_LOCAL,
+       BR_FDB_STATIC,
++      BR_FDB_STICKY,
+ };
+ struct net_bridge_fdb_key {
+@@ -190,8 +191,7 @@ struct net_bridge_fdb_entry {
+       struct net_bridge_fdb_key       key;
+       struct hlist_node               fdb_node;
+       unsigned long                   flags;
+-      unsigned char                   is_sticky:1,
+-                                      added_by_user:1,
++      unsigned char                   added_by_user:1,
+                                       added_by_external_learn:1,
+                                       offloaded:1;
+-- 
+2.43.0
+
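Review bot: In fdb_add_entry() the sticky update is a separate `test_bit()` followed by `change_bit()`, so it is only correct if every writer of `fdb->flags` is serialised by a lock that these hunks do not show. Because `change_bit()` toggles rather than sets a value, two updaters that both pass the test would leave the bit in the wrong state. The preceding is_static conversion uses the combined ops, and the same form works here: `if (is_sticky ? !test_and_set_bit(BR_FDB_STICKY, &fdb->flags) : test_and_clear_bit(BR_FDB_STICKY, &fdb->flags)) modified = true;`. That form also avoids comparing a `bool` with the raw return value of `test_bit()`. The function body starts and ends outside the hunks.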
diff --git a/queue-5.4/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch b/queue-5.4/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch
new file mode 100644 (file)
index 0000000..f1186c6
--- /dev/null
@@ -0,0 +1,62 @@
+From 343aefb36935c4c33a5cdd68fda2c60f9b0da7c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 22:33:41 +0200
+Subject: net: dsa: vsc73xx: fix possible subblocks range of CAPT block
+
+From: Pawel Dembicki <paweldembicki@gmail.com>
+
+[ Upstream commit 8e69c96df771ab469cec278edb47009351de4da6 ]
+
+CAPT block (CPU Capture Buffer) have 7 sublocks: 0-3, 4, 6, 7.
+Function 'vsc73xx_is_addr_valid' allows to use only block 0 at this
+moment.
+
+This patch fix it.
+
+Fixes: 05bd97fc559d ("net: dsa: Add Vitesse VSC73xx DSA router driver")
+Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20240903203340.1518789-1-paweldembicki@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/vitesse-vsc73xx-core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/vitesse-vsc73xx-core.c b/drivers/net/dsa/vitesse-vsc73xx-core.c
+index a1dd82d25ce3..b95e7920f273 100644
+--- a/drivers/net/dsa/vitesse-vsc73xx-core.c
++++ b/drivers/net/dsa/vitesse-vsc73xx-core.c
+@@ -34,7 +34,7 @@
+ #define VSC73XX_BLOCK_ANALYZER        0x2 /* Only subblock 0 */
+ #define VSC73XX_BLOCK_MII     0x3 /* Subblocks 0 and 1 */
+ #define VSC73XX_BLOCK_MEMINIT 0x3 /* Only subblock 2 */
+-#define VSC73XX_BLOCK_CAPTURE 0x4 /* Only subblock 2 */
++#define VSC73XX_BLOCK_CAPTURE 0x4 /* Subblocks 0-4, 6, 7 */
+ #define VSC73XX_BLOCK_ARBITER 0x5 /* Only subblock 0 */
+ #define VSC73XX_BLOCK_SYSTEM  0x7 /* Only subblock 0 */
+@@ -360,13 +360,19 @@ int vsc73xx_is_addr_valid(u8 block, u8 subblock)
+               break;
+       case VSC73XX_BLOCK_MII:
+-      case VSC73XX_BLOCK_CAPTURE:
+       case VSC73XX_BLOCK_ARBITER:
+               switch (subblock) {
+               case 0 ... 1:
+                       return 1;
+               }
+               break;
++      case VSC73XX_BLOCK_CAPTURE:
++              switch (subblock) {
++              case 0 ... 4:
++              case 6 ... 7:
++                      return 1;
++              }
++              break;
+       }
+       return 0;
+-- 
+2.43.0
+
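Review bot: After this change `VSC73XX_BLOCK_ARBITER` still shares the `case 0 ... 1:` arm with `VSC73XX_BLOCK_MII` in vsc73xx_is_addr_valid(), although its define is commented `/* Only subblock 0 */`. Either the address check accepts an arbiter subblock that the comment says does not exist, or the comment is stale. Since the patch already splits CAPTURE out of that arm to match its documented range, ARBITER deserves the same treatment: give it its own arm with `case 0: return 1;`, or correct the comment if subblock 1 is real. The start of the function is outside the hunk.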
diff --git a/queue-5.4/net-usb-don-t-write-directly-to-netdev-dev_addr.patch b/queue-5.4/net-usb-don-t-write-directly-to-netdev-dev_addr.patch
new file mode 100644 (file)
index 0000000..3bdaadf
--- /dev/null
@@ -0,0 +1,236 @@
+From 5dea180b7059715ea4534f2aa27153493edd3e01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Oct 2021 06:12:06 -0700
+Subject: net: usb: don't write directly to netdev->dev_addr
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 2674e7ea22ba0e22a2d1603bd51e0b8f6442a267 ]
+
+Commit 406f42fa0d3c ("net-next: When a bond have a massive amount
+of VLANs...") introduced a rbtree for faster Ethernet address look
+up. To maintain netdev->dev_addr in this tree we need to make all
+the writes to it got through appropriate helpers.
+
+Manually fix all net/usb drivers without separate maintainers.
+
+v2: catc does DMA to the buffer, leave the conversion to Oliver
+
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: bab8eb0dd4cb ("usbnet: modern method to get random MAC")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ch9200.c      | 4 +++-
+ drivers/net/usb/cx82310_eth.c | 5 +++--
+ drivers/net/usb/kaweth.c      | 3 +--
+ drivers/net/usb/mcs7830.c     | 4 +++-
+ drivers/net/usb/sierra_net.c  | 6 ++++--
+ drivers/net/usb/sr9700.c      | 4 +++-
+ drivers/net/usb/sr9800.c      | 5 +++--
+ drivers/net/usb/usbnet.c      | 6 ++++--
+ 8 files changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c
+index 9df3c1ffff35..6ed8da85b081 100644
+--- a/drivers/net/usb/ch9200.c
++++ b/drivers/net/usb/ch9200.c
+@@ -338,6 +338,7 @@ static int ch9200_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+       int retval = 0;
+       unsigned char data[2];
++      u8 addr[ETH_ALEN];
+       retval = usbnet_get_endpoints(dev, intf);
+       if (retval)
+@@ -385,7 +386,8 @@ static int ch9200_bind(struct usbnet *dev, struct usb_interface *intf)
+       retval = control_write(dev, REQUEST_WRITE, 0, MAC_REG_CTRL, data, 0x02,
+                              CONTROL_TIMEOUT_MS);
+-      retval = get_mac_address(dev, dev->net->dev_addr);
++      retval = get_mac_address(dev, addr);
++      eth_hw_addr_set(dev->net, addr);
+       return retval;
+ }
+diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c
+index 043679311399..e21780a61bad 100644
+--- a/drivers/net/usb/cx82310_eth.c
++++ b/drivers/net/usb/cx82310_eth.c
+@@ -149,6 +149,7 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+       u8 link[3];
+       int timeout = 50;
+       struct cx82310_priv *priv;
++      u8 addr[ETH_ALEN];
+       /* avoid ADSL modems - continue only if iProduct is "USB NET CARD" */
+       if (usb_string(udev, udev->descriptor.iProduct, buf, sizeof(buf)) > 0
+@@ -204,12 +205,12 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+               goto err;
+       /* get the MAC address */
+-      ret = cx82310_cmd(dev, CMD_GET_MAC_ADDR, true, NULL, 0,
+-                        dev->net->dev_addr, ETH_ALEN);
++      ret = cx82310_cmd(dev, CMD_GET_MAC_ADDR, true, NULL, 0, addr, ETH_ALEN);
+       if (ret) {
+               dev_err(&udev->dev, "unable to read MAC address: %d\n", ret);
+               goto err;
+       }
++      eth_hw_addr_set(dev->net, addr);
+       /* start (does not seem to have any effect?) */
+       ret = cx82310_cmd(dev, CMD_START, false, NULL, 0, NULL, 0);
+diff --git a/drivers/net/usb/kaweth.c b/drivers/net/usb/kaweth.c
+index 8e210ba4a313..243e2b55aabe 100644
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -1127,8 +1127,7 @@ static int kaweth_probe(
+               goto err_all_but_rxbuf;
+       memcpy(netdev->broadcast, &bcast_addr, sizeof(bcast_addr));
+-      memcpy(netdev->dev_addr, &kaweth->configuration.hw_addr,
+-               sizeof(kaweth->configuration.hw_addr));
++      eth_hw_addr_set(netdev, (u8 *)&kaweth->configuration.hw_addr);
+       netdev->netdev_ops = &kaweth_netdev_ops;
+       netdev->watchdog_timeo = KAWETH_TX_TIMEOUT;
+diff --git a/drivers/net/usb/mcs7830.c b/drivers/net/usb/mcs7830.c
+index 7e40e2e2f372..57281296ba2c 100644
+--- a/drivers/net/usb/mcs7830.c
++++ b/drivers/net/usb/mcs7830.c
+@@ -480,17 +480,19 @@ static const struct net_device_ops mcs7830_netdev_ops = {
+ static int mcs7830_bind(struct usbnet *dev, struct usb_interface *udev)
+ {
+       struct net_device *net = dev->net;
++      u8 addr[ETH_ALEN];
+       int ret;
+       int retry;
+       /* Initial startup: Gather MAC address setting from EEPROM */
+       ret = -EINVAL;
+       for (retry = 0; retry < 5 && ret; retry++)
+-              ret = mcs7830_hif_get_mac_address(dev, net->dev_addr);
++              ret = mcs7830_hif_get_mac_address(dev, addr);
+       if (ret) {
+               dev_warn(&dev->udev->dev, "Cannot read MAC address\n");
+               goto out;
+       }
++      eth_hw_addr_set(net, addr);
+       mcs7830_data_set_multicast(net);
+diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c
+index 34c1eaba536c..6f9ec5ce61dc 100644
+--- a/drivers/net/usb/sierra_net.c
++++ b/drivers/net/usb/sierra_net.c
+@@ -674,6 +674,7 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
+               0x00, 0x00, SIERRA_NET_HIP_MSYNC_ID, 0x00};
+       static const u8 shdwn_tmplate[sizeof(priv->shdwn_msg)] = {
+               0x00, 0x00, SIERRA_NET_HIP_SHUTD_ID, 0x00};
++      u8 mod[2];
+       dev_dbg(&dev->udev->dev, "%s", __func__);
+@@ -703,8 +704,9 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
+       dev->net->netdev_ops = &sierra_net_device_ops;
+       /* change MAC addr to include, ifacenum, and to be unique */
+-      dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return(&iface_counter);
+-      dev->net->dev_addr[ETH_ALEN-1] = ifacenum;
++      mod[0] = atomic_inc_return(&iface_counter);
++      mod[1] = ifacenum;
++      dev_addr_mod(dev->net, ETH_ALEN - 2, mod, 2);
+       /* prepare shutdown message template */
+       memcpy(priv->shdwn_msg, shdwn_tmplate, sizeof(priv->shdwn_msg));
+diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
+index 8d2e3daf03cf..1ec11a08820d 100644
+--- a/drivers/net/usb/sr9700.c
++++ b/drivers/net/usb/sr9700.c
+@@ -326,6 +326,7 @@ static int sr9700_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+       struct net_device *netdev;
+       struct mii_if_info *mii;
++      u8 addr[ETH_ALEN];
+       int ret;
+       ret = usbnet_get_endpoints(dev, intf);
+@@ -356,11 +357,12 @@ static int sr9700_bind(struct usbnet *dev, struct usb_interface *intf)
+        * EEPROM automatically to PAR. In case there is no EEPROM externally,
+        * a default MAC address is stored in PAR for making chip work properly.
+        */
+-      if (sr_read(dev, SR_PAR, ETH_ALEN, netdev->dev_addr) < 0) {
++      if (sr_read(dev, SR_PAR, ETH_ALEN, addr) < 0) {
+               netdev_err(netdev, "Error reading MAC address\n");
+               ret = -ENODEV;
+               goto out;
+       }
++      eth_hw_addr_set(netdev, addr);
+       /* power up and reset phy */
+       sr_write_reg(dev, SR_PRR, PRR_PHY_RST);
+diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c
+index a5332e99102a..351e0edcda2a 100644
+--- a/drivers/net/usb/sr9800.c
++++ b/drivers/net/usb/sr9800.c
+@@ -731,6 +731,7 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf)
+       struct sr_data *data = (struct sr_data *)&dev->data;
+       u16 led01_mux, led23_mux;
+       int ret, embd_phy;
++      u8 addr[ETH_ALEN];
+       u32 phyid;
+       u16 rx_ctl;
+@@ -756,12 +757,12 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf)
+       }
+       /* Get the MAC address */
+-      ret = sr_read_cmd(dev, SR_CMD_READ_NODE_ID, 0, 0, ETH_ALEN,
+-                        dev->net->dev_addr);
++      ret = sr_read_cmd(dev, SR_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, addr);
+       if (ret < 0) {
+               netdev_dbg(dev->net, "Failed to read MAC address: %d\n", ret);
+               return ret;
+       }
++      eth_hw_addr_set(dev->net, addr);
+       netdev_dbg(dev->net, "mac addr : %pM\n", dev->net->dev_addr);
+       /* Initialize MII structure */
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index bf018f7ca445..58e6eade1b04 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -151,12 +151,13 @@ EXPORT_SYMBOL_GPL(usbnet_get_endpoints);
+ int usbnet_get_ethernet_addr(struct usbnet *dev, int iMACAddress)
+ {
++      u8              addr[ETH_ALEN];
+       int             tmp = -1, ret;
+       unsigned char   buf [13];
+       ret = usb_string(dev->udev, iMACAddress, buf, sizeof buf);
+       if (ret == 12)
+-              tmp = hex2bin(dev->net->dev_addr, buf, 6);
++              tmp = hex2bin(addr, buf, 6);
+       if (tmp < 0) {
+               dev_dbg(&dev->udev->dev,
+                       "bad MAC string %d fetch, %d\n", iMACAddress, tmp);
+@@ -164,6 +165,7 @@ int usbnet_get_ethernet_addr(struct usbnet *dev, int iMACAddress)
+                       ret = -EINVAL;
+               return ret;
+       }
++      eth_hw_addr_set(dev->net, addr);
+       return 0;
+ }
+ EXPORT_SYMBOL_GPL(usbnet_get_ethernet_addr);
+@@ -1712,7 +1714,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+       dev->net = net;
+       strscpy(net->name, "usb%d", sizeof(net->name));
+-      memcpy (net->dev_addr, node_id, sizeof node_id);
++      eth_hw_addr_set(net, node_id);
+       /* rx and tx sides can use different message sizes;
+        * bind() should set rx_urb_size in that case.
+-- 
+2.43.0
+
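Review bot: In ch9200_bind() the new `eth_hw_addr_set(dev->net, addr);` runs whether or not `get_mac_address()` succeeded, and `addr` is an uninitialised stack array. Assuming the helper does not fill the buffer on failure (its body is not in the hunk), a failed read would copy six bytes of leftover kernel stack into the interface's MAC address, which is readable from user space. The other conversions in this patch (cx82310, mcs7830, sr9700, sr9800, usbnet_get_ethernet_addr) set the address only after the error check. ch9200 should do the same with `if (!retval) eth_hw_addr_set(dev->net, addr);`, or at least declare `u8 addr[ETH_ALEN] = {0};`. Only part of the function is visible in these hunks.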
diff --git a/queue-5.4/netfilter-nf_conncount-fix-wrong-variable-type.patch b/queue-5.4/netfilter-nf_conncount-fix-wrong-variable-type.patch
new file mode 100644 (file)
index 0000000..910394d
--- /dev/null
@@ -0,0 +1,70 @@
+From 1028de7df286fab54acd7ca1588c13606ddf570e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 May 2024 11:48:47 +0800
+Subject: netfilter: nf_conncount: fix wrong variable type
+
+From: Yunjian Wang <wangyunjian@huawei.com>
+
+[ Upstream commit 0b88d1654d556264bcd24a9cb6383f0888e30131 ]
+
+Now there is a issue is that code checks reports a warning: implicit
+narrowing conversion from type 'unsigned int' to small type 'u8' (the
+'keylen' variable). Fix it by removing the 'keylen' variable.
+
+Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conncount.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
+index 82f36beb2e76..0ce12a33ffda 100644
+--- a/net/netfilter/nf_conncount.c
++++ b/net/netfilter/nf_conncount.c
+@@ -310,7 +310,6 @@ insert_tree(struct net *net,
+       struct nf_conncount_rb *rbconn;
+       struct nf_conncount_tuple *conn;
+       unsigned int count = 0, gc_count = 0;
+-      u8 keylen = data->keylen;
+       bool do_gc = true;
+       spin_lock_bh(&nf_conncount_locks[hash]);
+@@ -322,7 +321,7 @@ insert_tree(struct net *net,
+               rbconn = rb_entry(*rbnode, struct nf_conncount_rb, node);
+               parent = *rbnode;
+-              diff = key_diff(key, rbconn->key, keylen);
++              diff = key_diff(key, rbconn->key, data->keylen);
+               if (diff < 0) {
+                       rbnode = &((*rbnode)->rb_left);
+               } else if (diff > 0) {
+@@ -367,7 +366,7 @@ insert_tree(struct net *net,
+       conn->tuple = *tuple;
+       conn->zone = *zone;
+-      memcpy(rbconn->key, key, sizeof(u32) * keylen);
++      memcpy(rbconn->key, key, sizeof(u32) * data->keylen);
+       nf_conncount_list_init(&rbconn->list);
+       list_add(&conn->node, &rbconn->list.head);
+@@ -392,7 +391,6 @@ count_tree(struct net *net,
+       struct rb_node *parent;
+       struct nf_conncount_rb *rbconn;
+       unsigned int hash;
+-      u8 keylen = data->keylen;
+       hash = jhash2(key, data->keylen, conncount_rnd) % CONNCOUNT_SLOTS;
+       root = &data->root[hash];
+@@ -403,7 +401,7 @@ count_tree(struct net *net,
+               rbconn = rb_entry(parent, struct nf_conncount_rb, node);
+-              diff = key_diff(key, rbconn->key, keylen);
++              diff = key_diff(key, rbconn->key, data->keylen);
+               if (diff < 0) {
+                       parent = rcu_dereference_raw(parent->rb_left);
+               } else if (diff > 0) {
+-- 
+2.43.0
+
diff --git a/queue-5.4/nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch b/queue-5.4/nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch
new file mode 100644 (file)
index 0000000..471c5b3
--- /dev/null
@@ -0,0 +1,44 @@
+From 194387bd02324f152195491e20179613022eeed5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 14:05:00 -0400
+Subject: NFSv4: Add missing rescheduling points in
+ nfs_client_return_marked_delegations
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit a017ad1313fc91bdf235097fd0a02f673fc7bb11 ]
+
+We're seeing reports of soft lockups when iterating through the loops,
+so let's add rescheduling points.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index c7ca8cdc8801..98fbd2c5d7b7 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -47,6 +47,7 @@
+ #include <linux/vfs.h>
+ #include <linux/inet.h>
+ #include <linux/in6.h>
++#include <linux/sched.h>
+ #include <linux/slab.h>
+ #include <net/ipv6.h>
+ #include <linux/netdevice.h>
+@@ -454,6 +455,7 @@ static int __nfs_list_for_each_server(struct list_head *head,
+               ret = fn(server, data);
+               if (ret)
+                       goto out;
++              cond_resched();
+               rcu_read_lock();
+       }
+       rcu_read_unlock();
+-- 
+2.43.0
+
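Review bot: The new `cond_resched();` in __nfs_list_for_each_server() has no comment explaining why it sits between the `fn()` call and `rcu_read_lock()`. The position matters because it must not run inside an RCU read-side section; the re-acquisition on the next line suggests the lock has been dropped at this point, but the unlock itself is outside the hunk. A one-line comment such as `/* yield between servers; must stay outside the RCU read-side section */` would keep a later refactor from moving it under the lock. It would also help readers connect the change to the subject line, which names nfs_client_return_marked_delegations rather than this helper.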
diff --git a/queue-5.4/of-irq-prevent-device-address-out-of-bounds-read-in-.patch b/queue-5.4/of-irq-prevent-device-address-out-of-bounds-read-in-.patch
new file mode 100644 (file)
index 0000000..8fe1ece
--- /dev/null
@@ -0,0 +1,131 @@
+From 3b085aad88923ef00c55b8007723aefb4ea7b71c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 12:06:51 +0200
+Subject: of/irq: Prevent device address out-of-bounds read in interrupt map
+ walk
+
+From: Stefan Wiehler <stefan.wiehler@nokia.com>
+
+[ Upstream commit b739dffa5d570b411d4bdf4bb9b8dfd6b7d72305 ]
+
+When of_irq_parse_raw() is invoked with a device address smaller than
+the interrupt parent node (from #address-cells property), KASAN detects
+the following out-of-bounds read when populating the initial match table
+(dyndbg="func of_irq_parse_* +p"):
+
+  OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0
+  OF:  parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2
+  OF:  intspec=4
+  OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2
+  OF:  -> addrsize=3
+  ==================================================================
+  BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0
+  Read of size 4 at addr ffffff81beca5608 by task bash/764
+
+  CPU: 1 PID: 764 Comm: bash Tainted: G           O       6.1.67-484c613561-nokia_sm_arm64 #1
+  Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023
+  Call trace:
+   dump_backtrace+0xdc/0x130
+   show_stack+0x1c/0x30
+   dump_stack_lvl+0x6c/0x84
+   print_report+0x150/0x448
+   kasan_report+0x98/0x140
+   __asan_load4+0x78/0xa0
+   of_irq_parse_raw+0x2b8/0x8d0
+   of_irq_parse_one+0x24c/0x270
+   parse_interrupts+0xc0/0x120
+   of_fwnode_add_links+0x100/0x2d0
+   fw_devlink_parse_fwtree+0x64/0xc0
+   device_add+0xb38/0xc30
+   of_device_add+0x64/0x90
+   of_platform_device_create_pdata+0xd0/0x170
+   of_platform_bus_create+0x244/0x600
+   of_platform_notify+0x1b0/0x254
+   blocking_notifier_call_chain+0x9c/0xd0
+   __of_changeset_entry_notify+0x1b8/0x230
+   __of_changeset_apply_notify+0x54/0xe4
+   of_overlay_fdt_apply+0xc04/0xd94
+   ...
+
+  The buggy address belongs to the object at ffffff81beca5600
+   which belongs to the cache kmalloc-128 of size 128
+  The buggy address is located 8 bytes inside of
+   128-byte region [ffffff81beca5600, ffffff81beca5680)
+
+  The buggy address belongs to the physical page:
+  page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4
+  head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0
+  flags: 0x8000000000010200(slab|head|zone=2)
+  raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300
+  raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
+  page dumped because: kasan: bad access detected
+
+  Memory state around the buggy address:
+   ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+   ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+  >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+                        ^
+   ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+   ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
+  ==================================================================
+  OF:  -> got it !
+
+Prevent the out-of-bounds read by copying the device address into a
+buffer of sufficient size.
+
+Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
+Link: https://lore.kernel.org/r/20240812100652.3800963-1-stefan.wiehler@nokia.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/irq.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/of/irq.c b/drivers/of/irq.c
+index 352e14b007e7..ad0cb49e233a 100644
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -288,7 +288,8 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar
+       struct device_node *p;
+       const __be32 *addr;
+       u32 intsize;
+-      int i, res;
++      int i, res, addr_len;
++      __be32 addr_buf[3] = { 0 };
+       pr_debug("of_irq_parse_one: dev=%pOF, index=%d\n", device, index);
+@@ -297,13 +298,19 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar
+               return of_irq_parse_oldworld(device, index, out_irq);
+       /* Get the reg property (if any) */
+-      addr = of_get_property(device, "reg", NULL);
++      addr = of_get_property(device, "reg", &addr_len);
++
++      /* Prevent out-of-bounds read in case of longer interrupt parent address size */
++      if (addr_len > (3 * sizeof(__be32)))
++              addr_len = 3 * sizeof(__be32);
++      if (addr)
++              memcpy(addr_buf, addr, addr_len);
+       /* Try the new-style interrupts-extended first */
+       res = of_parse_phandle_with_args(device, "interrupts-extended",
+                                       "#interrupt-cells", index, out_irq);
+       if (!res)
+-              return of_irq_parse_raw(addr, out_irq);
++              return of_irq_parse_raw(addr_buf, out_irq);
+       /* Look for the interrupt parent. */
+       p = of_irq_find_parent(device);
+@@ -333,7 +340,7 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar
+       /* Check if there are any interrupt-map translations to process */
+-      res = of_irq_parse_raw(addr, out_irq);
++      res = of_irq_parse_raw(addr_buf, out_irq);
+  out:
+       of_node_put(p);
+       return res;
+-- 
+2.43.0
+
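Review bot: `addr_len` can be read before it is set: in of_irq_parse_one() the clamp `if (addr_len > (3 * sizeof(__be32)))` runs even when `of_get_property()` returned NULL, and the declaration `int i, res, addr_len;` does not initialise it. If the helper leaves the length untouched when the property is missing (not visible here), the comparison uses stack garbage. The `memcpy()` is guarded by `if (addr)`, so nothing is copied in that case, but `int i, res, addr_len = 0;` removes the uninitialised read. The bound would also stay in sync with the buffer if written as `if (addr_len > sizeof(addr_buf)) addr_len = sizeof(addr_buf);`. The function body starts and ends outside these hunks.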
diff --git a/queue-5.4/pci-add-missing-bridge-lock-to-pci_bus_lock.patch b/queue-5.4/pci-add-missing-bridge-lock-to-pci_bus_lock.patch
new file mode 100644 (file)
index 0000000..796ef22
--- /dev/null
@@ -0,0 +1,163 @@
+From fa35ff58a35200b1f5e898d40ad4f05baa852965 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 May 2024 18:04:35 -0700
+Subject: PCI: Add missing bridge lock to pci_bus_lock()
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+[ Upstream commit a4e772898f8bf2e7e1cf661a12c60a5612c4afab ]
+
+One of the true positives that the cfg_access_lock lockdep effort
+identified is this sequence:
+
+  WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70
+  RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70
+  Call Trace:
+   <TASK>
+   ? __warn+0x8c/0x190
+   ? pci_bridge_secondary_bus_reset+0x5d/0x70
+   ? report_bug+0x1f8/0x200
+   ? handle_bug+0x3c/0x70
+   ? exc_invalid_op+0x18/0x70
+   ? asm_exc_invalid_op+0x1a/0x20
+   ? pci_bridge_secondary_bus_reset+0x5d/0x70
+   pci_reset_bus+0x1d8/0x270
+   vmd_probe+0x778/0xa10
+   pci_device_probe+0x95/0x120
+
+Where pci_reset_bus() users are triggering unlocked secondary bus resets.
+Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses
+pci_bus_lock() before issuing the reset which locks everything *but* the
+bridge itself.
+
+For the same motivation as adding:
+
+  bridge = pci_upstream_bridge(dev);
+  if (bridge)
+    pci_dev_lock(bridge);
+
+to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add
+pci_dev_lock() for @bus->self to pci_bus_lock().
+
+Link: https://lore.kernel.org/r/171711747501.1628941.15217746952476635316.stgit@dwillia2-xfh.jf.intel.com
+Reported-by: Imre Deak <imre.deak@intel.com>
+Closes: http://lore.kernel.org/r/6657833b3b5ae_14984b29437@dwillia2-xfh.jf.intel.com.notmuch
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+[bhelgaas: squash in recursive locking deadlock fix from Keith Busch:
+https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Kalle Valo <kvalo@kernel.org>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index deafd229ef8b..41050a35631f 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -5200,10 +5200,12 @@ static void pci_bus_lock(struct pci_bus *bus)
+ {
+       struct pci_dev *dev;
++      pci_dev_lock(bus->self);
+       list_for_each_entry(dev, &bus->devices, bus_list) {
+-              pci_dev_lock(dev);
+               if (dev->subordinate)
+                       pci_bus_lock(dev->subordinate);
++              else
++                      pci_dev_lock(dev);
+       }
+ }
+@@ -5215,8 +5217,10 @@ static void pci_bus_unlock(struct pci_bus *bus)
+       list_for_each_entry(dev, &bus->devices, bus_list) {
+               if (dev->subordinate)
+                       pci_bus_unlock(dev->subordinate);
+-              pci_dev_unlock(dev);
++              else
++                      pci_dev_unlock(dev);
+       }
++      pci_dev_unlock(bus->self);
+ }
+ /* Return 1 on successful lock, 0 on contention */
+@@ -5224,15 +5228,15 @@ static int pci_bus_trylock(struct pci_bus *bus)
+ {
+       struct pci_dev *dev;
++      if (!pci_dev_trylock(bus->self))
++              return 0;
++
+       list_for_each_entry(dev, &bus->devices, bus_list) {
+-              if (!pci_dev_trylock(dev))
+-                      goto unlock;
+               if (dev->subordinate) {
+-                      if (!pci_bus_trylock(dev->subordinate)) {
+-                              pci_dev_unlock(dev);
++                      if (!pci_bus_trylock(dev->subordinate))
+                               goto unlock;
+-                      }
+-              }
++              } else if (!pci_dev_trylock(dev))
++                      goto unlock;
+       }
+       return 1;
+@@ -5240,8 +5244,10 @@ static int pci_bus_trylock(struct pci_bus *bus)
+       list_for_each_entry_continue_reverse(dev, &bus->devices, bus_list) {
+               if (dev->subordinate)
+                       pci_bus_unlock(dev->subordinate);
+-              pci_dev_unlock(dev);
++              else
++                      pci_dev_unlock(dev);
+       }
++      pci_dev_unlock(bus->self);
+       return 0;
+ }
+@@ -5273,9 +5279,10 @@ static void pci_slot_lock(struct pci_slot *slot)
+       list_for_each_entry(dev, &slot->bus->devices, bus_list) {
+               if (!dev->slot || dev->slot != slot)
+                       continue;
+-              pci_dev_lock(dev);
+               if (dev->subordinate)
+                       pci_bus_lock(dev->subordinate);
++              else
++                      pci_dev_lock(dev);
+       }
+ }
+@@ -5301,14 +5308,13 @@ static int pci_slot_trylock(struct pci_slot *slot)
+       list_for_each_entry(dev, &slot->bus->devices, bus_list) {
+               if (!dev->slot || dev->slot != slot)
+                       continue;
+-              if (!pci_dev_trylock(dev))
+-                      goto unlock;
+               if (dev->subordinate) {
+                       if (!pci_bus_trylock(dev->subordinate)) {
+                               pci_dev_unlock(dev);
+                               goto unlock;
+                       }
+-              }
++              } else if (!pci_dev_trylock(dev))
++                      goto unlock;
+       }
+       return 1;
+@@ -5319,7 +5325,8 @@ static int pci_slot_trylock(struct pci_slot *slot)
+                       continue;
+               if (dev->subordinate)
+                       pci_bus_unlock(dev->subordinate);
+-              pci_dev_unlock(dev);
++              else
++                      pci_dev_unlock(dev);
+       }
+       return 0;
+ }
+-- 
+2.43.0
+
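Review bot: In the pci_slot_trylock() hunk (`@@ -5301,14 +5308,13`), `pci_dev_unlock(dev);` is kept as context inside the `if (!pci_bus_trylock(dev->subordinate))` branch, although the `pci_dev_trylock(dev)` that used to precede it is removed. On contention the function therefore releases a device lock it no longer took. The matching branch in pci_bus_trylock() drops that unlock, and the slot variant should read the same: `if (!pci_bus_trylock(dev->subordinate))` followed directly by `goto unlock;`. No hunk in this patch touches pci_slot_unlock(); if it still calls `pci_dev_unlock(dev)` unconditionally after `pci_bus_unlock(dev->subordinate)`, it needs the same `else`, which should be confirmed against the tree.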
diff --git a/queue-5.4/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch b/queue-5.4/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch
new file mode 100644 (file)
index 0000000..1e9bcce
--- /dev/null
@@ -0,0 +1,58 @@
+From 579e1d2e8d3455d92528317dca64df0facbfb32c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 13:15:06 +0530
+Subject: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
+
+From: Krishna Kumar <krishnak@linux.ibm.com>
+
+[ Upstream commit 335e35b748527f0c06ded9eebb65387f60647fda ]
+
+The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel
+crash when we try to hot-unplug/disable the PCIe switch/bridge from
+the PHB.
+
+The crash occurs because although the MSI data structure has been
+released during disable/hot-unplug path and it has been assigned
+with NULL, still during unregistration the code was again trying to
+explicitly disable the MSI which causes the NULL pointer dereference and
+kernel crash.
+
+The patch fixes the check during unregistration path to prevent invoking
+pci_disable_msi/msix() since its data structure is already freed.
+
+Reported-by: Timothy Pearson <tpearson@raptorengineering.com>
+Closes: https://lore.kernel.org/all/1981605666.2142272.1703742465927.JavaMail.zimbra@raptorengineeringinc.com/
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Shawn Anastasio <sanastasio@raptorengineering.com>
+Signed-off-by: Krishna Kumar <krishnak@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240701074513.94873-2-krishnak@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/pnv_php.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
+index d7b2b47bc33e..382494261830 100644
+--- a/drivers/pci/hotplug/pnv_php.c
++++ b/drivers/pci/hotplug/pnv_php.c
+@@ -35,7 +35,6 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
+                               bool disable_device)
+ {
+       struct pci_dev *pdev = php_slot->pdev;
+-      int irq = php_slot->irq;
+       u16 ctrl;
+       if (php_slot->irq > 0) {
+@@ -54,7 +53,7 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
+               php_slot->wq = NULL;
+       }
+-      if (disable_device || irq > 0) {
++      if (disable_device) {
+               if (pdev->msix_enabled)
+                       pci_disable_msix(pdev);
+               else if (pdev->msi_enabled)
+-- 
+2.43.0
+
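Review bot: The new `if (disable_device)` condition in pnv_php_disable_irq() has no comment explaining why the IRQ number no longer gates MSI teardown, so a later cleanup could easily put `irq > 0` back. A one-line comment above it would record the reason given in the commit message: `/* MSI/MSI-X is only torn down on request; on unregistration it has already been released */`. The function starts and ends outside the hunk, so the state of `pdev` at this point cannot be judged from here.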
diff --git a/queue-5.4/pci-keystone-add-workaround-for-errata-i2037-am65x-s.patch b/queue-5.4/pci-keystone-add-workaround-for-errata-i2037-am65x-s.patch
new file mode 100644 (file)
index 0000000..6ad5822
--- /dev/null
@@ -0,0 +1,129 @@
+From 91d3ae024e37a553c00fb3d9202a9bfc96d01a44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Jun 2024 13:45:29 +0200
+Subject: PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+[ Upstream commit 86f271f22bbb6391410a07e08d6ca3757fda01fa ]
+
+Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0
+(SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an
+inbound PCIe TLP spans more than two internal AXI 128-byte bursts,
+the bus may corrupt the packet payload and the corrupt data may
+cause associated applications or the processor to hang.
+
+The workaround for Errata #i2037 is to limit the maximum read
+request size and maximum payload size to 128 bytes. Add workaround
+for Errata #i2037 here.
+
+The errata and workaround is applicable only to AM65x SR 1.0 and
+later versions of the silicon will have this fixed.
+
+[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf
+
+Link: https://lore.kernel.org/linux-pci/16e1fcae-1ea7-46be-b157-096e05661b15@siemens.com
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Achal Verma <a-verma1@ti.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pci-keystone.c | 44 ++++++++++++++++++++++-
+ 1 file changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c
+index b18ddb2b9ef8..a16fe2a558c7 100644
+--- a/drivers/pci/controller/dwc/pci-keystone.c
++++ b/drivers/pci/controller/dwc/pci-keystone.c
+@@ -35,6 +35,11 @@
+ #define PCIE_DEVICEID_SHIFT   16
+ /* Application registers */
++#define PID                           0x000
++#define RTL                           GENMASK(15, 11)
++#define RTL_SHIFT                     11
++#define AM6_PCI_PG1_RTL_VER           0x15
++
+ #define CMD_STATUS                    0x004
+ #define LTSSM_EN_VAL                  BIT(0)
+ #define OB_XLAT_EN_VAL                        BIT(1)
+@@ -107,6 +112,8 @@
+ #define to_keystone_pcie(x)           dev_get_drvdata((x)->dev)
++#define PCI_DEVICE_ID_TI_AM654X               0xb00c
++
+ struct ks_pcie_of_data {
+       enum dw_pcie_device_mode mode;
+       const struct dw_pcie_host_ops *host_ops;
+@@ -534,7 +541,11 @@ static int ks_pcie_start_link(struct dw_pcie *pci)
+ static void ks_pcie_quirk(struct pci_dev *dev)
+ {
+       struct pci_bus *bus = dev->bus;
++      struct keystone_pcie *ks_pcie;
++      struct device *bridge_dev;
+       struct pci_dev *bridge;
++      u32 val;
++
+       static const struct pci_device_id rc_pci_devids[] = {
+               { PCI_DEVICE(PCI_VENDOR_ID_TI, PCIE_RC_K2HK),
+                .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
+@@ -546,6 +557,11 @@ static void ks_pcie_quirk(struct pci_dev *dev)
+                .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
+               { 0, },
+       };
++      static const struct pci_device_id am6_pci_devids[] = {
++              { PCI_DEVICE(PCI_VENDOR_ID_TI, PCI_DEVICE_ID_TI_AM654X),
++               .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
++              { 0, },
++      };
+       if (pci_is_root_bus(bus))
+               bridge = dev;
+@@ -567,10 +583,36 @@ static void ks_pcie_quirk(struct pci_dev *dev)
+        */
+       if (pci_match_id(rc_pci_devids, bridge)) {
+               if (pcie_get_readrq(dev) > 256) {
+-                      dev_info(&dev->dev, "limiting MRRS to 256\n");
++                      dev_info(&dev->dev, "limiting MRRS to 256 bytes\n");
+                       pcie_set_readrq(dev, 256);
+               }
+       }
++
++      /*
++       * Memory transactions fail with PCI controller in AM654 PG1.0
++       * when MRRS is set to more than 128 bytes. Force the MRRS to
++       * 128 bytes in all downstream devices.
++       */
++      if (pci_match_id(am6_pci_devids, bridge)) {
++              bridge_dev = pci_get_host_bridge_device(dev);
++              if (!bridge_dev && !bridge_dev->parent)
++                      return;
++
++              ks_pcie = dev_get_drvdata(bridge_dev->parent);
++              if (!ks_pcie)
++                      return;
++
++              val = ks_pcie_app_readl(ks_pcie, PID);
++              val &= RTL;
++              val >>= RTL_SHIFT;
++              if (val != AM6_PCI_PG1_RTL_VER)
++                      return;
++
++              if (pcie_get_readrq(dev) > 128) {
++                      dev_info(&dev->dev, "limiting MRRS to 128 bytes\n");
++                      pcie_set_readrq(dev, 128);
++              }
++      }
+ }
+ DECLARE_PCI_FIXUP_ENABLE(PCI_ANY_ID, PCI_ANY_ID, ks_pcie_quirk);
+-- 
+2.43.0
+
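Review bot: The guard `if (!bridge_dev && !bridge_dev->parent)` in the AM654 block of ks_pcie_quirk() uses `&&` where `||` is needed. With a NULL `bridge_dev` the right-hand side dereferences it, and with a non-NULL `bridge_dev` the test is always false, so a NULL `parent` is passed on to dev_get_drvdata(). Separately, pci_get_host_bridge_device() takes a reference on the host bridge device and no pci_put_host_bridge_device() appears on any path in the hunk, so each quirk call on a matching bridge appears to leak one reference. The sketch below fixes the test and drops the reference once the driver data has been fetched.

```c
	if (pci_match_id(am6_pci_devids, bridge)) {
		bridge_dev = pci_get_host_bridge_device(dev);
		if (!bridge_dev)
			return;

		/* Driver data lives on the parent device; release the bridge reference once it is read. */
		ks_pcie = bridge_dev->parent ?
			  dev_get_drvdata(bridge_dev->parent) : NULL;
		pci_put_host_bridge_device(bridge_dev);
		if (!ks_pcie)
			return;

		/* … unchanged: PID/RTL revision check and MRRS clamp to 128 bytes … */
	}
```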
diff --git a/queue-5.4/pcmcia-use-resource_size-function-on-resource-object.patch b/queue-5.4/pcmcia-use-resource_size-function-on-resource-object.patch
new file mode 100644 (file)
index 0000000..a18b7b7
--- /dev/null
@@ -0,0 +1,46 @@
+From 293c4a694a90967494016095a31ab5b773e8cc8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 May 2024 23:31:21 +0100
+Subject: pcmcia: Use resource_size function on resource object
+
+From: Jules Irenge <jbi.octave@gmail.com>
+
+[ Upstream commit 24a025497e7e883bd2adef5d0ece1e9b9268009f ]
+
+Cocinnele reports a warning
+
+WARNING: Suspicious code. resource_size is maybe missing with root
+
+The root cause is the function resource_size is not used when needed
+
+Use resource_size() on variable "root" of type resource
+
+Signed-off-by: Jules Irenge <jbi.octave@gmail.com>
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pcmcia/yenta_socket.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pcmcia/yenta_socket.c b/drivers/pcmcia/yenta_socket.c
+index 810761ab8e9d..ba82ccb40db7 100644
+--- a/drivers/pcmcia/yenta_socket.c
++++ b/drivers/pcmcia/yenta_socket.c
+@@ -637,11 +637,11 @@ static int yenta_search_one_res(struct resource *root, struct resource *res,
+               start = PCIBIOS_MIN_CARDBUS_IO;
+               end = ~0U;
+       } else {
+-              unsigned long avail = root->end - root->start;
++              unsigned long avail = resource_size(root);
+               int i;
+               size = BRIDGE_MEM_MAX;
+-              if (size > avail/8) {
+-                      size = (avail+1)/8;
++              if (size > (avail - 1) / 8) {
++                      size = avail / 8;
+                       /* round size down to next power of 2 */
+                       i = 0;
+                       while ((size /= 2) != 0)
+-- 
+2.43.0
+
diff --git a/queue-5.4/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch b/queue-5.4/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch
new file mode 100644 (file)
index 0000000..6c6e9e4
--- /dev/null
@@ -0,0 +1,54 @@
+From d1f85c32fca9b884895e4cd817d86747995dc57c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 09:54:28 +0300
+Subject: platform/x86: dell-smbios: Fix error path in dell_smbios_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit ffc17e1479e8e9459b7afa80e5d9d40d0dd78abb ]
+
+In case of error in build_tokens_sysfs(), all the memory that has been
+allocated is freed at end of this function. But then free_group() is
+called which performs memory deallocation again.
+
+Also, instead of free_group() call, there should be exit_dell_smbios_smm()
+and exit_dell_smbios_wmi() calls, since there is initialization, but there
+is no release of resources in case of an error.
+
+Fix these issues by replacing free_group() call with
+exit_dell_smbios_wmi() and exit_dell_smbios_smm().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 33b9ca1e53b4 ("platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens")
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Link: https://lore.kernel.org/r/20240830065428.9544-1-amishin@t-argos.ru
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/dell-smbios-base.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/dell-smbios-base.c b/drivers/platform/x86/dell-smbios-base.c
+index ceb8e701028d..2f9c3c1f76f1 100644
+--- a/drivers/platform/x86/dell-smbios-base.c
++++ b/drivers/platform/x86/dell-smbios-base.c
+@@ -610,7 +610,10 @@ static int __init dell_smbios_init(void)
+       return 0;
+ fail_sysfs:
+-      free_group(platform_device);
++      if (!wmi)
++              exit_dell_smbios_wmi();
++      if (!smm)
++              exit_dell_smbios_smm();
+ fail_create_group:
+       platform_device_del(platform_device);
+-- 
+2.43.0
+
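Review bot: In the `fail_sysfs:` path of dell_smbios_init(), `if (!wmi)` and `if (!smm)` read as "backend absent", but they must mean "backend initialised" for the exit calls to be right. The assignments are outside the hunk, so this rests on `wmi` and `smm` holding init return codes where 0 is success. A comment at the label would make that explicit: `/* wmi/smm are init return codes: 0 means the backend was set up and must be torn down */`. It is also worth confirming that the teardown order here matches the module's exit function, which is not visible in this hunk.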
index 8f773c03c3cdf4cf3348a226a4e0bf0626f34884..30744c96fde01c74e637adc0203c6e31d131e010 100644 (file)
@@ -41,3 +41,55 @@ ila-call-nf_unregister_net_hooks-sooner.patch
 sched-sch_cake-fix-bulk-flow-accounting-logic-for-host-fairness.patch
 nilfs2-fix-missing-cleanup-on-rollforward-recovery-error.patch
 nilfs2-fix-state-management-in-error-path-of-log-writing-function.patch
+alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch
+smack-unix-sockets-fix-accept-ed-socket-label.patch
+irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch
+af_unix-remove-put_pid-put_cred-in-copy_peercred.patch
+netfilter-nf_conncount-fix-wrong-variable-type.patch
+udf-avoid-excessive-partition-lengths.patch
+wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch
+usb-uas-set-host-status-byte-on-data-completion-erro.patch
+pci-keystone-add-workaround-for-errata-i2037-am65x-s.patch
+media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch
+pcmcia-use-resource_size-function-on-resource-object.patch
+can-bcm-remove-proc-entry-when-dev-is-unregistered.patch
+igb-fix-not-clearing-timesync-interrupts-for-82580.patch
+platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch
+tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch-3796
+cx82310_eth-re-enable-ethernet-mode-after-router-reb.patch
+drivers-net-usb-remove-all-strcpy-uses.patch
+net-usb-don-t-write-directly-to-netdev-dev_addr.patch
+usbnet-modern-method-to-get-random-mac.patch
+net-bridge-fdb-convert-is_local-to-bitops.patch
+net-bridge-fdb-convert-is_static-to-bitops.patch
+net-bridge-fdb-convert-is_sticky-to-bitops.patch
+net-bridge-fdb-convert-added_by_user-to-bitops.patch
+net-bridge-fdb-convert-added_by_external_learn-to-us.patch
+net-bridge-br_fdb_external_learn_add-always-set-ext_.patch
+net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch
+asoc-topology-properly-initialize-soc_enum-values.patch
+dm-init-handle-minors-larger-than-255.patch
+iommu-vt-d-handle-volatile-descriptor-status-read.patch
+cgroup-protect-css-cgroup-write-under-css_set_lock.patch
+um-line-always-fill-error_out-in-setup_one_line.patch
+devres-initialize-an-uninitialized-struct-member.patch
+pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch
+hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch
+hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch
+hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch
+hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch
+libbpf-add-null-checks-to-bpf_object__-prev_map-next.patch
+wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch
+smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch
+btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch
+btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch
+pci-add-missing-bridge-lock-to-pci_bus_lock.patch
+btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch
+hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch
+input-uinput-reject-requests-with-unreasonable-numbe.patch
+usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch
+squashfs-sanity-check-symbolic-link-size.patch
+of-irq-prevent-device-address-out-of-bounds-read-in-.patch
+lib-generic-radix-tree.c-fix-rare-race-in-__genradix.patch
+ata-pata_macio-use-warn-instead-of-bug.patch
+nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch
diff --git a/queue-5.4/smack-unix-sockets-fix-accept-ed-socket-label.patch b/queue-5.4/smack-unix-sockets-fix-accept-ed-socket-label.patch
new file mode 100644 (file)
index 0000000..3f981cf
--- /dev/null
@@ -0,0 +1,60 @@
+From f8fd6f2c32eb11ff72711e7c536063abc3d57fc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 01:44:30 +0300
+Subject: smack: unix sockets: fix accept()ed socket label
+
+From: Konstantin Andreev <andreev@swemel.ru>
+
+[ Upstream commit e86cac0acdb1a74f608bacefe702f2034133a047 ]
+
+When a process accept()s connection from a unix socket
+(either stream or seqpacket)
+it gets the socket with the label of the connecting process.
+
+For example, if a connecting process has a label 'foo',
+the accept()ed socket will also have 'in' and 'out' labels 'foo',
+regardless of the label of the listener process.
+
+This is because kernel creates unix child sockets
+in the context of the connecting process.
+
+I do not see any obvious way for the listener to abuse
+alien labels coming with the new socket, but,
+to be on the safe side, it's better fix new socket labels.
+
+Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smack_lsm.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 7d04b21737cf..a9582737c230 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -3640,12 +3640,18 @@ static int smack_unix_stream_connect(struct sock *sock,
+               }
+       }
+-      /*
+-       * Cross reference the peer labels for SO_PEERSEC.
+-       */
+       if (rc == 0) {
++              /*
++               * Cross reference the peer labels for SO_PEERSEC.
++               */
+               nsp->smk_packet = ssp->smk_out;
+               ssp->smk_packet = osp->smk_out;
++
++              /*
++               * new/child/established socket must inherit listening socket labels
++               */
++              nsp->smk_out = osp->smk_out;
++              nsp->smk_in  = osp->smk_in;
+       }
+       return rc;
+-- 
+2.43.0
+
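Review bot: The added comment `new/child/established socket must inherit listening socket labels` in smack_unix_stream_connect() states the rule but not the reason, and the reason is what a later reader needs in order to keep the two assignments. Per the commit message the child socket is created in the context of the connecting process, so without the assignments it carries the connector's labels. The comment could say so: `/* The child sock is created in the connecting task's context; give it the listener's in/out labels instead of the connector's. */`. The function starts outside the hunk, so how `nsp`, `osp` and `ssp` are derived is not visible here.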
diff --git a/queue-5.4/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch b/queue-5.4/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch
new file mode 100644 (file)
index 0000000..1ca7e20
--- /dev/null
@@ -0,0 +1,45 @@
+From 2c0a56b2c8708dc0d03fd28eece950261f78b859 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jul 2024 14:52:13 +0800
+Subject: smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
+
+From: Zqiang <qiang.zhang1211@gmail.com>
+
+[ Upstream commit 77aeb1b685f9db73d276bad4bb30d48505a6fd23 ]
+
+For CONFIG_DEBUG_OBJECTS_WORK=y kernels sscs.work defined by
+INIT_WORK_ONSTACK() is initialized by debug_object_init_on_stack() for
+the debug check in __init_work() to work correctly.
+
+But this lacks the counterpart to remove the tracked object from debug
+objects again, which will cause a debug object warning once the stack is
+freed.
+
+Add the missing destroy_work_on_stack() invocation to cure that.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Paul E. McKenney <paulmck@kernel.org>
+Link: https://lore.kernel.org/r/20240704065213.13559-1-qiang.zhang1211@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/smp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/smp.c b/kernel/smp.c
+index be65b76cb803..76de88dc1699 100644
+--- a/kernel/smp.c
++++ b/kernel/smp.c
+@@ -813,6 +813,7 @@ int smp_call_on_cpu(unsigned int cpu, int (*func)(void *), void *par, bool phys)
+       queue_work_on(cpu, system_wq, &sscs.work);
+       wait_for_completion(&sscs.done);
++      destroy_work_on_stack(&sscs.work);
+       return sscs.ret;
+ }
+-- 
+2.43.0
+
diff --git a/queue-5.4/squashfs-sanity-check-symbolic-link-size.patch b/queue-5.4/squashfs-sanity-check-symbolic-link-size.patch
new file mode 100644 (file)
index 0000000..2e0b995
--- /dev/null
@@ -0,0 +1,68 @@
+From 21e290959102979501f6ae3a2b4d652af77708d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 00:28:21 +0100
+Subject: Squashfs: sanity check symbolic link size
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+[ Upstream commit 810ee43d9cd245d138a2733d87a24858a23f577d ]
+
+Syzkiller reports a "KMSAN: uninit-value in pick_link" bug.
+
+This is caused by an uninitialised page, which is ultimately caused
+by a corrupted symbolic link size read from disk.
+
+The reason why the corrupted symlink size causes an uninitialised
+page is due to the following sequence of events:
+
+1. squashfs_read_inode() is called to read the symbolic
+   link from disk.  This assigns the corrupted value
+   3875536935 to inode->i_size.
+
+2. Later squashfs_symlink_read_folio() is called, which assigns
+   this corrupted value to the length variable, which being a
+   signed int, overflows producing a negative number.
+
+3. The following loop that fills in the page contents checks that
+   the copied bytes is less than length, which being negative means
+   the loop is skipped, producing an uninitialised page.
+
+This patch adds a sanity check which checks that the symbolic
+link size is not larger than expected.
+
+--
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Link: https://lore.kernel.org/r/20240811232821.13903-1-phillip@squashfs.org.uk
+Reported-by: Lizhi Xu <lizhi.xu@windriver.com>
+Reported-by: syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000a90e8c061e86a76b@google.com/
+V2: fix spelling mistake.
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/squashfs/inode.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
+index 24463145b351..f31649080a88 100644
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -276,8 +276,13 @@ int squashfs_read_inode(struct inode *inode, long long ino)
+               if (err < 0)
+                       goto failed_read;
+-              set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               inode->i_size = le32_to_cpu(sqsh_ino->symlink_size);
++              if (inode->i_size > PAGE_SIZE) {
++                      ERROR("Corrupted symlink\n");
++                      return -EINVAL;
++              }
++
++              set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               inode->i_op = &squashfs_symlink_inode_ops;
+               inode_nohighmem(inode);
+               inode->i_data.a_ops = &squashfs_symlink_aops;
+-- 
+2.43.0
+
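Review bot: The new `ERROR("Corrupted symlink\n")` in squashfs_read_inode() does not say which inode or what size was rejected, which makes a malformed or tampered image hard to triage from the log. Both values are available at that point, e.g. `ERROR("Corrupted symlink, inode %lld size %lld\n", ino, inode->i_size);`. The check also returns directly, while the failure just above it uses `goto failed_read`. That label is outside the hunk, so whether the direct return skips anything cannot be confirmed from here.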
diff --git a/queue-5.4/tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch-3796 b/queue-5.4/tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch-3796
new file mode 100644 (file)
index 0000000..34664b2
--- /dev/null
@@ -0,0 +1,96 @@
+From 539a4e35b413c37dc2ae898aa32747201fc0515f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 20:07:44 -0700
+Subject: tcp_bpf: fix return value of tcp_bpf_sendmsg()
+
+From: Cong Wang <cong.wang@bytedance.com>
+
+[ Upstream commit fe1910f9337bd46a9343967b547ccab26b4b2c6e ]
+
+When we cork messages in psock->cork, the last message triggers the
+flushing will result in sending a sk_msg larger than the current
+message size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes
+negative at least in the following case:
+
+468         case __SK_DROP:
+469         default:
+470                 sk_msg_free_partial(sk, msg, tosend);
+471                 sk_msg_apply_bytes(psock, tosend);
+472                 *copied -= (tosend + delta); // <==== HERE
+473                 return -EACCES;
+
+Therefore, it could lead to the following BUG with a proper value of
+'copied' (thanks to syzbot). We should not use negative 'copied' as a
+return value here.
+
+  ------------[ cut here ]------------
+  kernel BUG at net/socket.c:733!
+  Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
+  Modules linked in:
+  CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0
+  Hardware name: linux,dummy-virt (DT)
+  pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+  pc : sock_sendmsg_nosec net/socket.c:733 [inline]
+  pc : sock_sendmsg_nosec net/socket.c:728 [inline]
+  pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745
+  lr : sock_sendmsg_nosec net/socket.c:730 [inline]
+  lr : __sock_sendmsg+0x54/0x60 net/socket.c:745
+  sp : ffff800088ea3b30
+  x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000
+  x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000
+  x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90
+  x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001
+  x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf
+  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+  x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0
+  x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000
+  x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900
+  x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef
+  Call trace:
+   sock_sendmsg_nosec net/socket.c:733 [inline]
+   __sock_sendmsg+0x5c/0x60 net/socket.c:745
+   ____sys_sendmsg+0x274/0x2ac net/socket.c:2597
+   ___sys_sendmsg+0xac/0x100 net/socket.c:2651
+   __sys_sendmsg+0x84/0xe0 net/socket.c:2680
+   __do_sys_sendmsg net/socket.c:2689 [inline]
+   __se_sys_sendmsg net/socket.c:2687 [inline]
+   __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687
+   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+   invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
+   el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
+   do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
+   el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712
+   el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
+   el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
+  Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000)
+  ---[ end trace 0000000000000000 ]---
+
+Fixes: 4f738adba30a ("bpf: create tcp_bpf_ulp allowing BPF to monitor socket TX/RX data")
+Reported-by: syzbot+58c03971700330ce14d8@syzkaller.appspotmail.com
+Cc: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Cong Wang <cong.wang@bytedance.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20240821030744.320934-1-xiyou.wangcong@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 7adefee59cef..6736d0e6b1c6 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -506,7 +506,7 @@ static int tcp_bpf_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
+               err = sk_stream_error(sk, msg->msg_flags, err);
+       release_sock(sk);
+       sk_psock_put(sk, psock);
+-      return copied ? copied : err;
++      return copied > 0 ? copied : err;
+ }
+ static int tcp_bpf_sendpage(struct sock *sk, struct page *page, int offset,
+-- 
+2.43.0
+
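Review bot: `return copied > 0 ? copied : err;` fixes tcp_bpf_sendmsg() only; tcp_bpf_sendpage(), whose signature starts right after this hunk, is not touched by the patch. If it ends with the same `copied ? copied : err` form, it can return a negative byte count the same way and would want the identical one-line change. With the new expression, a non-positive `copied` together with `err == 0` returns 0. The code that sets `err` is outside the hunk, so it should be confirmed that every path leaving `copied` negative also sets an error.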
diff --git a/queue-5.4/udf-avoid-excessive-partition-lengths.patch b/queue-5.4/udf-avoid-excessive-partition-lengths.patch
new file mode 100644 (file)
index 0000000..a4c739d
--- /dev/null
@@ -0,0 +1,63 @@
+From ebad30800894de88ec35cf1b75751467cfae9aee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jun 2024 12:52:17 +0200
+Subject: udf: Avoid excessive partition lengths
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit ebbe26fd54a9621994bc16b14f2ba8f84c089693 ]
+
+Avoid mounting filesystems where the partition would overflow the
+32-bits used for block number. Also refuse to mount filesystems where
+the partition length is so large we cannot safely index bits in a
+block bitmap.
+
+Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/super.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index df0d10215225..a1962c93bd26 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1090,12 +1090,19 @@ static int udf_fill_partdesc_info(struct super_block *sb,
+       struct udf_part_map *map;
+       struct udf_sb_info *sbi = UDF_SB(sb);
+       struct partitionHeaderDesc *phd;
++      u32 sum;
+       int err;
+       map = &sbi->s_partmaps[p_index];
+       map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */
+       map->s_partition_root = le32_to_cpu(p->partitionStartingLocation);
++      if (check_add_overflow(map->s_partition_root, map->s_partition_len,
++                             &sum)) {
++              udf_err(sb, "Partition %d has invalid location %u + %u\n",
++                      p_index, map->s_partition_root, map->s_partition_len);
++              return -EFSCORRUPTED;
++      }
+       if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY))
+               map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY;
+@@ -1151,6 +1158,14 @@ static int udf_fill_partdesc_info(struct super_block *sb,
+               bitmap->s_extPosition = le32_to_cpu(
+                               phd->unallocSpaceBitmap.extPosition);
+               map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP;
++              /* Check whether math over bitmap won't overflow. */
++              if (check_add_overflow(map->s_partition_len,
++                                     sizeof(struct spaceBitmapDesc) << 3,
++                                     &sum)) {
++                      udf_err(sb, "Partition %d is too long (%u)\n", p_index,
++                              map->s_partition_len);
++                      return -EFSCORRUPTED;
++              }
+               udf_debug("unallocSpaceBitmap (part %d) @ %u\n",
+                         p_index, bitmap->s_extPosition);
+       }
+-- 
+2.43.0
+
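Review bot: In the second added check (the unallocSpaceBitmap branch of udf_fill_partdesc_info()), `check_add_overflow()` receives a `size_t` operand, `sizeof(struct spaceBitmapDesc) << 3`, alongside what look like 32-bit values: `map->s_partition_len` is printed with `%u` and `sum` is declared `u32`. If the `check_add_overflow()` in this tree still requires all three operands to have the same type, that mix would trigger a distinct-pointer-types warning in the backport. An explicit `(u32)(sizeof(struct spaceBitmapDesc) << 3)` would make the intended width unambiguous. `sum` is never read after either check, so a short comment at its declaration such as `/* only used as the overflow probe's output */` would help the next reader. The function starts and ends outside both hunks.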
diff --git a/queue-5.4/um-line-always-fill-error_out-in-setup_one_line.patch b/queue-5.4/um-line-always-fill-error_out-in-setup_one_line.patch
new file mode 100644 (file)
index 0000000..aa67782
--- /dev/null
@@ -0,0 +1,44 @@
+From f268c811dfde3ad206d8b7fecdd8db141f0d2d83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 17:22:36 +0200
+Subject: um: line: always fill *error_out in setup_one_line()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 824ac4a5edd3f7494ab1996826c4f47f8ef0f63d ]
+
+The pointer isn't initialized by callers, but I have
+encountered cases where it's still printed; initialize
+it in all possible cases in setup_one_line().
+
+Link: https://patch.msgid.link/20240703172235.ad863568b55f.Iaa1eba4db8265d7715ba71d5f6bb8c7ff63d27e9@changeid
+Acked-By: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/line.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c
+index d6a78c3548a5..de0ab2e455b0 100644
+--- a/arch/um/drivers/line.c
++++ b/arch/um/drivers/line.c
+@@ -383,6 +383,7 @@ int setup_one_line(struct line *lines, int n, char *init,
+                       parse_chan_pair(NULL, line, n, opts, error_out);
+                       err = 0;
+               }
++              *error_out = "configured as 'none'";
+       } else {
+               char *new = kstrdup(init, GFP_KERNEL);
+               if (!new) {
+@@ -406,6 +407,7 @@ int setup_one_line(struct line *lines, int n, char *init,
+                       }
+               }
+               if (err) {
++                      *error_out = "failed to parse channel pair";
+                       line->init_str = NULL;
+                       line->valid = 0;
+                       kfree(new);
+-- 
+2.43.0
+
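Review bot: Both added assignments in setup_one_line() write `*error_out` after `parse_chan_pair()` has already been handed the same pointer, so any more specific message that helper may have stored is replaced by the generic string. Whether the helper stores one is not visible in these hunks. The first assignment, `*error_out = "configured as 'none'";`, is also reached straight after `err = 0`, so callers that print `*error_out` only on failure never see it, and callers that print it unconditionally report a message on success. If the aim is only to guarantee a printable pointer, setting the default before the `parse_chan_pair()` call would let a helper-provided diagnostic survive. A comment such as `/* callers pass an uninitialized pointer; always leave it printable */` would record why the assignment is there. The function body extends beyond both hunks.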
diff --git a/queue-5.4/usb-uas-set-host-status-byte-on-data-completion-erro.patch b/queue-5.4/usb-uas-set-host-status-byte-on-data-completion-erro.patch
new file mode 100644 (file)
index 0000000..00961e9
--- /dev/null
@@ -0,0 +1,41 @@
+From 89825ec760bbb17ebc0b6c59ad7c9b7b82c64927 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jun 2024 23:32:57 -0400
+Subject: usb: uas: set host status byte on data completion error
+
+From: Shantanu Goel <sgoel01@yahoo.com>
+
+[ Upstream commit 9d32685a251a754f1823d287df233716aa23bcb9 ]
+
+Set the host status byte when a data completion error is encountered
+otherwise the upper layer may end up using the invalid zero'ed data.
+The following output was observed from scsi/sd.c prior to this fix.
+
+[   11.872824] sd 0:0:0:1: [sdf] tag#9 data cmplt err -75 uas-tag 1 inflight:
+[   11.872826] sd 0:0:0:1: [sdf] tag#9 CDB: Read capacity(16) 9e 10 00 00 00 00 00 00 00 00 00 00 00 20 00 00
+[   11.872830] sd 0:0:0:1: [sdf] Sector size 0 reported, assuming 512.
+
+Signed-off-by: Shantanu Goel <sgoel01@yahoo.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/87msnx4ec6.fsf@yahoo.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/storage/uas.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
+index 678903d1ce4d..7493b4d9d1f5 100644
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -424,6 +424,7 @@ static void uas_data_cmplt(struct urb *urb)
+                       uas_log_cmd_state(cmnd, "data cmplt err", status);
+               /* error: no data transfered */
+               scsi_set_resid(cmnd, sdb->length);
++              set_host_byte(cmnd, DID_ERROR);
+       } else {
+               scsi_set_resid(cmnd, sdb->length - urb->actual_length);
+       }
+-- 
+2.43.0
+
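Review bot: The added `set_host_byte(cmnd, DID_ERROR);` in uas_data_cmplt() is the whole fix but has no comment, and the existing `/* error: no data transfered */` above it only explains the residual. A line such as `/* fail the command so the upper layer does not consume the zeroed buffer */` would record why the host byte is needed as well as the residual. Judging by the indentation, the new call sits outside the condition that guards `uas_log_cmd_state()`, so it presumably also applies to statuses that are deliberately not logged. That condition is not visible in the hunk, so it is worth confirming that marking those completions `DID_ERROR` is intended. The function starts and ends outside the hunk.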
diff --git a/queue-5.4/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch b/queue-5.4/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch
new file mode 100644 (file)
index 0000000..9c4911f
--- /dev/null
@@ -0,0 +1,44 @@
+From 2c47cec8b874bf69218d9c3182c7c4b12de1bc64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 19:28:05 +0200
+Subject: usbnet: ipheth: race between ipheth_close and error handling
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ]
+
+ipheth_sndbulk_callback() can submit carrier_work
+as a part of its error handling. That means that
+the driver must make sure that the work is cancelled
+after it has made sure that no more URB can terminate
+with an error condition.
+
+Hence the order of actions in ipheth_close() needs
+to be inverted.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Foster Snowhill <forst@pen.gy>
+Tested-by: Georgi Valkov <gvalkov@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ipheth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 9887eb282beb..05576f66f73d 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -353,8 +353,8 @@ static int ipheth_close(struct net_device *net)
+ {
+       struct ipheth_device *dev = netdev_priv(net);
+-      cancel_delayed_work_sync(&dev->carrier_work);
+       netif_stop_queue(net);
++      cancel_delayed_work_sync(&dev->carrier_work);
+       return 0;
+ }
+-- 
+2.43.0
+
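Review bot: The reordered ipheth_close() still does nothing visible to wait for or cancel URBs that are already in flight, so the race the commit message describes looks narrowed rather than closed. `netif_stop_queue(net)` only stops new transmissions from being queued. A URB submitted earlier can still complete with an error after `cancel_delayed_work_sync(&dev->carrier_work)` has returned, and according to the commit message that completion path can submit `carrier_work` again. If the URBs are not stopped elsewhere before close returns (not visible here), the driver's TX and RX URBs should be killed with `usb_kill_urb()` between the two calls, so that the cancel really is the last event. A comment such as `/* stop new TX first: the bulk callback can reschedule carrier_work on error */` would also keep the ordering from being reverted later.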
diff --git a/queue-5.4/usbnet-modern-method-to-get-random-mac.patch b/queue-5.4/usbnet-modern-method-to-get-random-mac.patch
new file mode 100644 (file)
index 0000000..52a7254
--- /dev/null
@@ -0,0 +1,75 @@
+From baa5e91bc6040446583050df21ad3dc7d6f3a69e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 19:50:55 +0200
+Subject: usbnet: modern method to get random MAC
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit bab8eb0dd4cb995caa4a0529d5655531c2ec5e8e ]
+
+The driver generates a random MAC once on load
+and uses it over and over, including on two devices
+needing a random MAC at the same time.
+
+Jakub suggested revamping the driver to the modern
+API for setting a random MAC rather than fixing
+the old stuff.
+
+The bug is as old as the driver.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://patch.msgid.link/20240829175201.670718-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 58e6eade1b04..240511b4246d 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -67,9 +67,6 @@
+ /*-------------------------------------------------------------------------*/
+-// randomly generated ethernet address
+-static u8     node_id [ETH_ALEN];
+-
+ /* use ethtool to change the level for any given device */
+ static int msg_level = -1;
+ module_param (msg_level, int, 0);
+@@ -1714,7 +1711,6 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+       dev->net = net;
+       strscpy(net->name, "usb%d", sizeof(net->name));
+-      eth_hw_addr_set(net, node_id);
+       /* rx and tx sides can use different message sizes;
+        * bind() should set rx_urb_size in that case.
+@@ -1788,9 +1784,9 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+               goto out4;
+       }
+-      /* let userspace know we have a random address */
+-      if (ether_addr_equal(net->dev_addr, node_id))
+-              net->addr_assign_type = NET_ADDR_RANDOM;
++      /* this flags the device for user space */
++      if (!is_valid_ether_addr(net->dev_addr))
++              eth_hw_addr_random(net);
+       if ((dev->driver_info->flags & FLAG_WLAN) != 0)
+               SET_NETDEV_DEVTYPE(net, &wlan_type);
+@@ -2200,7 +2196,6 @@ static int __init usbnet_init(void)
+       BUILD_BUG_ON(
+               FIELD_SIZEOF(struct sk_buff, cb) < sizeof(struct skb_data));
+-      eth_random_addr(node_id);
+       return 0;
+ }
+ module_init(usbnet_init);
+-- 
+2.43.0
+
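Review bot: With `eth_hw_addr_set(net, node_id);` removed from the early part of usbnet_probe(), `net->dev_addr` is presumably all-zero from allocation until the new `is_valid_ether_addr()` check near the end. Any code between those two hunks that inspects the address after bind() now sees zeroes instead of a locally administered random address. An example would be a decision on the interface name based on the locally-administered bit. That code is not visible in this patch, so it should be audited before the backport is taken and, if present, changed to test for a zero address explicitly. The new comment `/* this flags the device for user space */` is also vaguer than the one it replaces. Something like `/* bind() supplied no valid address: assign a per-device random one (also marks it NET_ADDR_RANDOM) */` states both effects.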
diff --git a/queue-5.4/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch b/queue-5.4/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch
new file mode 100644 (file)
index 0000000..dd3ab35
--- /dev/null
@@ -0,0 +1,38 @@
+From 9011ced84401b35ea44c2b4c0ad2add73bdf98ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 14:26:09 +0200
+Subject: wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
+
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+
+[ Upstream commit dbb5265a5d7cca1cdba7736dba313ab7d07bc19d ]
+
+After being asked about support for WPA3 for BCM43224 chipset it
+was found that all it takes is setting the MFP_CAPABLE flag and
+mac80211 will take care of all that is needed [1].
+
+Link: https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/ [1]
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Tested-by: Reijer Boekhoff <reijerboekhoff@protonmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20240617122609.349582-1-arend.vanspriel@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+index 288d4d4d4454..eb735b054790 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+@@ -1091,6 +1091,7 @@ static int ieee_hw_init(struct ieee80211_hw *hw)
+       ieee80211_hw_set(hw, AMPDU_AGGREGATION);
+       ieee80211_hw_set(hw, SIGNAL_DBM);
+       ieee80211_hw_set(hw, REPORTS_TX_ACK_STATUS);
++      ieee80211_hw_set(hw, MFP_CAPABLE);
+       hw->extra_tx_headroom = brcms_c_get_header_len();
+       hw->queues = N_TX_QUEUES;
+-- 
+2.43.0
+
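Review bot: `ieee80211_hw_set(hw, MFP_CAPABLE);` is added unconditionally in ieee_hw_init(), so management frame protection is advertised for every chip this driver handles, while the commit message mentions only BCM43224 and carries a single Tested-by. Advertising the capability is a security-relevant promise: a device on which protected management frames are not passed through intact would negotiate MFP and then fail or mis-handle those frames. It would help to state in a comment which hardware was verified, for example `/* MFP is done in software by mac80211; checked on BCM43224 */`. Alternatively, the flag could be gated on the verified chips until the others are confirmed. The function continues outside the hunk, so any later code that depends on the hardware flags is not visible here.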
diff --git a/queue-5.4/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch b/queue-5.4/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch
new file mode 100644 (file)
index 0000000..11dba14
--- /dev/null
@@ -0,0 +1,112 @@
+From 31950551059545c6cb359fb0c2243bd27572793e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 09:24:09 +0200
+Subject: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+[ Upstream commit c145eea2f75ff7949392aebecf7ef0a81c1f6c14 ]
+
+mwifiex_get_priv_by_id() returns the priv pointer corresponding to
+the bss_num and bss_type, but without checking if the priv is actually
+currently in use.
+Unused priv pointers do not have a wiphy attached to them which can
+lead to NULL pointer dereferences further down the callstack.  Fix
+this by returning only used priv pointers which have priv->bss_mode
+set to something else than NL80211_IFTYPE_UNSPECIFIED.
+
+Said NULL pointer dereference happened when an Accesspoint was started
+with wpa_supplicant -i mlan0 with this config:
+
+network={
+        ssid="somessid"
+        mode=2
+        frequency=2412
+        key_mgmt=WPA-PSK WPA-PSK-SHA256
+        proto=RSN
+        group=CCMP
+        pairwise=CCMP
+        psk="12345678"
+}
+
+When waiting for the AP to be established, interrupting wpa_supplicant
+with <ctrl-c> and starting it again this happens:
+
+| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140
+| Mem abort info:
+|   ESR = 0x0000000096000004
+|   EC = 0x25: DABT (current EL), IL = 32 bits
+|   SET = 0, FnV = 0
+|   EA = 0, S1PTW = 0
+|   FSC = 0x04: level 0 translation fault
+| Data abort info:
+|   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+|   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000
+| [0000000000000140] pgd=0000000000000000, p4d=0000000000000000
+| Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
+| Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio
++mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs
++imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6
+| CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18
+| Hardware name: somemachine (DT)
+| Workqueue: events sdio_irq_work
+| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+| pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex]
+| lr : mwifiex_get_cfp+0x34/0x15c [mwifiex]
+| sp : ffff8000818b3a70
+| x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004
+| x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9
+| x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000
+| x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000
+| x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517
+| x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1
+| x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157
+| x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124
+| x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000
+| x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000
+| Call trace:
+|  mwifiex_get_cfp+0xd8/0x15c [mwifiex]
+|  mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex]
+|  mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex]
+|  mwifiex_process_sta_event+0x298/0xf0c [mwifiex]
+|  mwifiex_process_event+0x110/0x238 [mwifiex]
+|  mwifiex_main_process+0x428/0xa44 [mwifiex]
+|  mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio]
+|  process_sdio_pending_irqs+0x64/0x1b8
+|  sdio_irq_work+0x4c/0x7c
+|  process_one_work+0x148/0x2a0
+|  worker_thread+0x2fc/0x40c
+|  kthread+0x110/0x114
+|  ret_from_fork+0x10/0x20
+| Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000)
+| ---[ end trace 0000000000000000 ]---
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Acked-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20240703072409.556618-1-s.hauer@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/main.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/main.h b/drivers/net/wireless/marvell/mwifiex/main.h
+index fa5634af40f7..2e7f31bf3800 100644
+--- a/drivers/net/wireless/marvell/mwifiex/main.h
++++ b/drivers/net/wireless/marvell/mwifiex/main.h
+@@ -1307,6 +1307,9 @@ mwifiex_get_priv_by_id(struct mwifiex_adapter *adapter,
+       for (i = 0; i < adapter->priv_num; i++) {
+               if (adapter->priv[i]) {
++                      if (adapter->priv[i]->bss_mode == NL80211_IFTYPE_UNSPECIFIED)
++                              continue;
++
+                       if ((adapter->priv[i]->bss_num == bss_num) &&
+                           (adapter->priv[i]->bss_type == bss_type))
+                               break;
+-- 
+2.43.0
+
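Review bot: The added `continue` in mwifiex_get_priv_by_id() changes what callers can get back. A lookup that used to yield a priv for a matching `bss_num`/`bss_type` will now fall through the loop when that entry's `bss_mode` is `NL80211_IFTYPE_UNSPECIFIED`. The return statement is outside the hunk; if it yields NULL when the loop finishes without a match, every caller that dereferences the result without a check moves the NULL dereference from deep in the call chain (the `mwifiex_get_cfp` frame in the trace) to the caller itself. The patch touches only main.h, so those callers should be audited as part of the backport. The new contract also belongs in a comment above the helper, for example `/* Returns NULL if no in-use priv matches; callers must check. */`. As a style point, the three nested conditions could be folded into one test, which would make the skip rule easier to see.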