Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Fri, 21 Feb 2025 16:51:13 +0000 (11:51 -0500)
committerSasha Levin <sashal@kernel.org>
Fri, 21 Feb 2025 16:51:13 +0000 (11:51 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
24 files changed:
queue-5.4/alsa-hda-realtek-add-type-for-alc287.patch [new file with mode: 0644]
queue-5.4/alsa-hda-realtek-fixup-alc225-depop-procedure.patch [new file with mode: 0644]
queue-5.4/crypto-testmgr-fix-version-number-of-rsa-tests.patch [new file with mode: 0644]
queue-5.4/crypto-testmgr-fix-wrong-key-length-for-pkcs1pad.patch [new file with mode: 0644]
queue-5.4/crypto-testmgr-fix-wrong-test-case-of-rsa.patch [new file with mode: 0644]
queue-5.4/crypto-testmgr-populate-rsa-crt-parameters-in-rsa-te.patch [new file with mode: 0644]
queue-5.4/crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch [new file with mode: 0644]
queue-5.4/flow_dissector-fix-handling-of-mixed-port-and-port-r.patch [new file with mode: 0644]
queue-5.4/flow_dissector-fix-port-range-key-handling-in-bpf-co.patch [new file with mode: 0644]
queue-5.4/geneve-fix-use-after-free-in-geneve_find_dev.patch [new file with mode: 0644]
queue-5.4/geneve-suppress-list-corruption-splat-in-geneve_dest.patch [new file with mode: 0644]
queue-5.4/gtp-suppress-list-corruption-splat-in-gtp_net_exit_b.patch [new file with mode: 0644]
queue-5.4/memcg-fix-soft-lockup-in-the-oom-process.patch [new file with mode: 0644]
queue-5.4/mm-update-mark_victim-tracepoints-fields.patch [new file with mode: 0644]
queue-5.4/net-extract-port-range-fields-from-fl_flow_key.patch [new file with mode: 0644]
queue-5.4/powerpc-64s-mm-move-__real_pte-stubs-into-hash-4k.h.patch [new file with mode: 0644]
queue-5.4/powerpc-64s-rewrite-__real_pte-and-__rpte_to_hidx-as.patch [new file with mode: 0644]
queue-5.4/powerpc-code-patching-fix-kasan-hit-by-not-flagging-.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/usb-dwc3-fix-timeout-issue-during-controller-enter-e.patch [new file with mode: 0644]
queue-5.4/usb-dwc3-increase-dwc3-controller-halt-timeout.patch [new file with mode: 0644]
queue-5.4/usb-gadget-f_midi-convert-tasklets-to-use-new-taskle.patch [new file with mode: 0644]
queue-5.4/usb-gadget-f_midi-f_midi_complete-to-call-queue_work.patch [new file with mode: 0644]
queue-5.4/usb-gadget-f_midi-replace-tasklet-with-work.patch [new file with mode: 0644]

diff --git a/queue-5.4/alsa-hda-realtek-add-type-for-alc287.patch b/queue-5.4/alsa-hda-realtek-add-type-for-alc287.patch
new file mode 100644 (file)
index 0000000..4dd16d7
--- /dev/null
@@ -0,0 +1,64 @@
+From f3ef29ea2fbeafcd9136f2fe8d661dbcba4d28ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 09:09:37 +0800
+Subject: ALSA: hda/realtek - Add type for ALC287
+
+From: Kailang Yang <kailang@realtek.com>
+
+[ Upstream commit 99cee034c28947fc122799b0b7714e01b047f3f3 ]
+
+Add independent type for ALC287.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Link: https://lore.kernel.org/r/2b7539c3e96f41a4ab458d53ea5f5784@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Stable-dep-of: 174448badb44 ("ALSA: hda/realtek: Fixup ALC225 depop procedure")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 9b344b80f950a..069515b065386 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3111,6 +3111,7 @@ enum {
+       ALC269_TYPE_ALC257,
+       ALC269_TYPE_ALC215,
+       ALC269_TYPE_ALC225,
++      ALC269_TYPE_ALC287,
+       ALC269_TYPE_ALC294,
+       ALC269_TYPE_ALC300,
+       ALC269_TYPE_ALC623,
+@@ -3147,6 +3148,7 @@ static int alc269_parse_auto_config(struct hda_codec *codec)
+       case ALC269_TYPE_ALC257:
+       case ALC269_TYPE_ALC215:
+       case ALC269_TYPE_ALC225:
++      case ALC269_TYPE_ALC287:
+       case ALC269_TYPE_ALC294:
+       case ALC269_TYPE_ALC300:
+       case ALC269_TYPE_ALC623:
+@@ -9342,7 +9344,6 @@ static int patch_alc269(struct hda_codec *codec)
+       case 0x10ec0215:
+       case 0x10ec0245:
+       case 0x10ec0285:
+-      case 0x10ec0287:
+       case 0x10ec0289:
+               spec->codec_variant = ALC269_TYPE_ALC215;
+               spec->shutup = alc225_shutup;
+@@ -9357,6 +9358,12 @@ static int patch_alc269(struct hda_codec *codec)
+               spec->init_hook = alc225_init;
+               spec->gen.mixer_nid = 0; /* no loopback on ALC225, ALC295 and ALC299 */
+               break;
++      case 0x10ec0287:
++              spec->codec_variant = ALC269_TYPE_ALC287;
++              spec->shutup = alc225_shutup;
++              spec->init_hook = alc225_init;
++              spec->gen.mixer_nid = 0; /* no loopback on ALC287 */
++              break;
+       case 0x10ec0234:
+       case 0x10ec0274:
+       case 0x10ec0294:
+-- 
+2.39.5
+
diff --git a/queue-5.4/alsa-hda-realtek-fixup-alc225-depop-procedure.patch b/queue-5.4/alsa-hda-realtek-fixup-alc225-depop-procedure.patch
new file mode 100644 (file)
index 0000000..27c89d2
--- /dev/null
@@ -0,0 +1,36 @@
+From 62eb5d6f0fa1b2c026aeeb912ca8d49eb2ff1cfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 14:40:46 +0800
+Subject: ALSA: hda/realtek: Fixup ALC225 depop procedure
+
+From: Kailang Yang <kailang@realtek.com>
+
+[ Upstream commit 174448badb4409491bfba2e6b46f7aa078741c5e ]
+
+Headset MIC will no function when power_save=0.
+
+Fixes: 1fd50509fe14 ("ALSA: hda/realtek: Update ALC225 depop procedure")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219743
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Link: https://lore.kernel.org/0474a095ab0044d0939ec4bf4362423d@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 069515b065386..755a93ad65500 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3658,6 +3658,7 @@ static void alc225_init(struct hda_codec *codec)
+                                   AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE);
+               msleep(75);
++              alc_update_coef_idx(codec, 0x4a, 3 << 10, 0);
+               alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x4); /* Hight power */
+       }
+ }
+-- 
+2.39.5
+
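Review bot: The added `alc_update_coef_idx(codec, 0x4a, 3 << 10, 0);` in alc225_init has no comment, and both the coefficient index and the mask are bare numbers. Going by the arguments, it clears bits 11:10 of coefficient 0x4a. A short comment such as `/* clear coef 0x4a bits 11:10; needed for headset mic with power_save=0 */` would tie the write to the bug named in the description. What those bits control is not stated on the page, so the wording should be confirmed against the codec documentation. alc225_init starts outside the hunk.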
diff --git a/queue-5.4/crypto-testmgr-fix-version-number-of-rsa-tests.patch b/queue-5.4/crypto-testmgr-fix-version-number-of-rsa-tests.patch
new file mode 100644 (file)
index 0000000..9defc90
--- /dev/null
@@ -0,0 +1,59 @@
+From 1f68ceb981c758409b8b1421fc435b1cf901b93b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jun 2022 18:06:25 +0800
+Subject: crypto: testmgr - fix version number of RSA tests
+
+From: lei he <helei.sig11@bytedance.com>
+
+[ Upstream commit 0bb8f125253843c445b70fc6ef4fb21aa7b25625 ]
+
+According to PKCS#1 standard, the 'otherPrimeInfos' field contains
+the information for the additional primes r_3, ..., r_u, in order.
+It shall be omitted if the version is 0 and shall contain at least
+one instance of OtherPrimeInfo if the version is 1, see:
+       https://www.rfc-editor.org/rfc/rfc3447#page-44
+
+Replace the version number '1' with 0, otherwise, some drivers may
+not pass the run-time tests.
+
+Signed-off-by: lei he <helei.sig11@bytedance.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/testmgr.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/testmgr.h b/crypto/testmgr.h
+index 7cda2f88ef434..f3722c66530da 100644
+--- a/crypto/testmgr.h
++++ b/crypto/testmgr.h
+@@ -178,7 +178,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
+ #ifndef CONFIG_CRYPTO_FIPS
+       .key =
+       "\x30\x81\x9A" /* sequence of 154 bytes */
+-      "\x02\x01\x01" /* version - integer of 1 byte */
++      "\x02\x01\x00" /* version - integer of 1 byte */
+       "\x02\x41" /* modulus - integer of 65 bytes */
+       "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
+       "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
+@@ -208,7 +208,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
+       }, {
+       .key =
+       "\x30\x82\x01\x1D" /* sequence of 285 bytes */
+-      "\x02\x01\x01" /* version - integer of 1 byte */
++      "\x02\x01\x00" /* version - integer of 1 byte */
+       "\x02\x81\x81" /* modulus - integer of 129 bytes */
+       "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
+       "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
+@@ -252,7 +252,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
+ #endif
+       .key =
+       "\x30\x82\x02\x20" /* sequence of 544 bytes */
+-      "\x02\x01\x01" /* version - integer of 1 byte */
++      "\x02\x01\x00" /* version - integer of 1 byte */
+       "\x02\x82\x01\x01\x00" /* modulus - integer of 256 bytes */
+       "\xDB\x10\x1A\xC2\xA3\xF1\xDC\xFF\x13\x6B\xED\x44\xDF\xF0\x02\x6D"
+       "\x13\xC7\x88\xDA\x70\x6B\x54\xF1\xE8\x27\xDC\xC3\x0F\x99\x6A\xFA"
+-- 
+2.39.5
+
diff --git a/queue-5.4/crypto-testmgr-fix-wrong-key-length-for-pkcs1pad.patch b/queue-5.4/crypto-testmgr-fix-wrong-key-length-for-pkcs1pad.patch
new file mode 100644 (file)
index 0000000..05573c8
--- /dev/null
@@ -0,0 +1,35 @@
+From 48f075e46f5927f7c0d5a00ff2bff76c38c024c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Oct 2021 20:44:43 +0800
+Subject: crypto: testmgr - fix wrong key length for pkcs1pad
+
+From: Lei He <helei.sig11@bytedance.com>
+
+[ Upstream commit 39ef08517082a424b5b65c3dbaa6c0fa9d3303b9 ]
+
+Fix wrong test data at testmgr.h, it seems to be caused
+by ignoring the last '\0' when calling sizeof.
+
+Signed-off-by: Lei He <helei.sig11@bytedance.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/testmgr.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/testmgr.h b/crypto/testmgr.h
+index ef7d21f39d4a9..27ce9f94a3246 100644
+--- a/crypto/testmgr.h
++++ b/crypto/testmgr.h
+@@ -771,7 +771,7 @@ static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = {
+       "\xd1\x86\x48\x55\xce\x83\xee\x8e\x51\xc7\xde\x32\x12\x47\x7d\x46"
+       "\xb8\x35\xdf\x41\x02\x01\x00\x02\x01\x00\x02\x01\x00\x02\x01\x00"
+       "\x02\x01\x00",
+-      .key_len = 804,
++      .key_len = 803,
+       /*
+        * m is SHA256 hash of following message:
+        * "\x49\x41\xbe\x0a\x0c\xc9\xf6\x35\x51\xe4\x27\x56\x13\x71\x4b\xd0"
+-- 
+2.39.5
+
diff --git a/queue-5.4/crypto-testmgr-fix-wrong-test-case-of-rsa.patch b/queue-5.4/crypto-testmgr-fix-wrong-test-case-of-rsa.patch
new file mode 100644 (file)
index 0000000..5b1ec4f
--- /dev/null
@@ -0,0 +1,56 @@
+From 433b65410d17464f4faa044cc0196d46e2b24158 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 20:25:31 +0800
+Subject: crypto: testmgr - Fix wrong test case of RSA
+
+From: Lei He <helei.sig11@bytedance.com>
+
+[ Upstream commit a9887010ed2da3fddaff83ceec80e2b71be8a966 ]
+
+According to the BER encoding rules, integer value should be encoded
+as two's complement, and if the highest bit of a positive integer
+is 1, should add a leading zero-octet.
+
+The kernel's built-in RSA algorithm cannot recognize negative numbers
+when parsing keys, so it can pass this test case.
+
+Export the key to file and run the following command to verify the
+fix result:
+
+  openssl asn1parse -inform DER -in /path/to/key/file
+
+Signed-off-by: Lei He <helei.sig11@bytedance.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/testmgr.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/testmgr.h b/crypto/testmgr.h
+index 27ce9f94a3246..7cda2f88ef434 100644
+--- a/crypto/testmgr.h
++++ b/crypto/testmgr.h
+@@ -251,9 +251,9 @@ static const struct akcipher_testvec rsa_tv_template[] = {
+       }, {
+ #endif
+       .key =
+-      "\x30\x82\x02\x1F" /* sequence of 543 bytes */
++      "\x30\x82\x02\x20" /* sequence of 544 bytes */
+       "\x02\x01\x01" /* version - integer of 1 byte */
+-      "\x02\x82\x01\x00" /* modulus - integer of 256 bytes */
++      "\x02\x82\x01\x01\x00" /* modulus - integer of 256 bytes */
+       "\xDB\x10\x1A\xC2\xA3\xF1\xDC\xFF\x13\x6B\xED\x44\xDF\xF0\x02\x6D"
+       "\x13\xC7\x88\xDA\x70\x6B\x54\xF1\xE8\x27\xDC\xC3\x0F\x99\x6A\xFA"
+       "\xC6\x67\xFF\x1D\x1E\x3C\x1D\xC1\xB5\x5F\x6C\xC0\xB2\x07\x3A\x6D"
+@@ -293,7 +293,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
+       "\x02\x01\x00" /* exponent1 - integer of 1 byte */
+       "\x02\x01\x00" /* exponent2 - integer of 1 byte */
+       "\x02\x01\x00", /* coefficient - integer of 1 byte */
+-      .key_len = 547,
++      .key_len = 548,
+       .m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a",
+       .c =
+       "\xb2\x97\x76\xb4\xae\x3e\x38\x3c\x7e\x64\x1f\xcc\xa2\x7f\xf6\xbe"
+-- 
+2.39.5
+
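Review bot: The comment on the rewritten modulus header still reads "integer of 256 bytes", but the length octets are now `\x01\x01`, which is 257 content bytes including the leading zero octet this patch adds. Other vectors in the same table count the leading zero (`"\x02\x41" /* modulus - integer of 65 bytes */` is followed by `\x00`), so the consistent wording is `/* modulus - integer of 257 bytes */`. The lengths themselves agree: the sequence header `\x02\x20` is 544, and `.key_len = 548` is that plus the 4 header bytes. The rsa_tv_template initializer starts and ends outside the hunk.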
diff --git a/queue-5.4/crypto-testmgr-populate-rsa-crt-parameters-in-rsa-te.patch b/queue-5.4/crypto-testmgr-populate-rsa-crt-parameters-in-rsa-te.patch
new file mode 100644 (file)
index 0000000..040c138
--- /dev/null
@@ -0,0 +1,206 @@
+From b83a60041751bbb39b4f31b8c828507a66413c5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Jul 2022 11:38:40 +0100
+Subject: crypto: testmgr - populate RSA CRT parameters in RSA test vectors
+
+From: Ignat Korchagin <ignat@cloudflare.com>
+
+[ Upstream commit 79e6e2f3f3ff345947075341781e900e4f70db81 ]
+
+Changes from v1:
+  * replace some accidental spaces with tabs
+
+In commit f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem
+for faster private key operations") we have started to use the additional
+primes and coefficients for RSA private key operations. However, these
+additional parameters are not present (defined as 0 integers) in the RSA
+test vectors.
+
+Some parameters were borrowed from OpenSSL, so I was able to find the
+source. I could not find the public source for 1 vector though, so had to
+recover the parameters by implementing Appendix C from [1].
+
+[1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1.pdf
+
+Fixes: f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem for faster private key operations")
+Reported-by: Tasmiya Nalatwad <tasmiya@linux.vnet.ibm.com>
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/testmgr.h | 121 +++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 100 insertions(+), 21 deletions(-)
+
+diff --git a/crypto/testmgr.h b/crypto/testmgr.h
+index f3722c66530da..d57c911649180 100644
+--- a/crypto/testmgr.h
++++ b/crypto/testmgr.h
+@@ -177,7 +177,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
+       {
+ #ifndef CONFIG_CRYPTO_FIPS
+       .key =
+-      "\x30\x81\x9A" /* sequence of 154 bytes */
++      "\x30\x82\x01\x38" /* sequence of 312 bytes */
+       "\x02\x01\x00" /* version - integer of 1 byte */
+       "\x02\x41" /* modulus - integer of 65 bytes */
+       "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
+@@ -191,23 +191,36 @@ static const struct akcipher_testvec rsa_tv_template[] = {
+       "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
+       "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
+       "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51"
+-      "\x02\x01\x00" /* prime1 - integer of 1 byte */
+-      "\x02\x01\x00" /* prime2 - integer of 1 byte */
+-      "\x02\x01\x00" /* exponent1 - integer of 1 byte */
+-      "\x02\x01\x00" /* exponent2 - integer of 1 byte */
+-      "\x02\x01\x00", /* coefficient - integer of 1 byte */
++      "\x02\x21" /* prime1 - integer of 33 bytes */
++      "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
++      "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
++      "\x0D"
++      "\x02\x21" /* prime2 - integer of 33 bytes */
++      "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
++      "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
++      "\x89"
++      "\x02\x20" /* exponent1 - integer of 32 bytes */
++      "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
++      "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05"
++      "\x02\x21" /* exponent2 - integer of 33 bytes */
++      "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
++      "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
++      "\x51"
++      "\x02\x20" /* coefficient - integer of 32 bytes */
++      "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
++      "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26",
+       .m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a",
+       .c =
+       "\x63\x1c\xcd\x7b\xe1\x7e\xe4\xde\xc9\xa8\x89\xa1\x74\xcb\x3c\x63"
+       "\x7d\x24\xec\x83\xc3\x15\xe4\x7f\x73\x05\x34\xd1\xec\x22\xbb\x8a"
+       "\x5e\x32\x39\x6d\xc1\x1d\x7d\x50\x3b\x9f\x7a\xad\xf0\x2e\x25\x53"
+       "\x9f\x6e\xbd\x4c\x55\x84\x0c\x9b\xcf\x1a\x4b\x51\x1e\x9e\x0c\x06",
+-      .key_len = 157,
++      .key_len = 316,
+       .m_size = 8,
+       .c_size = 64,
+       }, {
+       .key =
+-      "\x30\x82\x01\x1D" /* sequence of 285 bytes */
++      "\x30\x82\x02\x5B" /* sequence of 603 bytes */
+       "\x02\x01\x00" /* version - integer of 1 byte */
+       "\x02\x81\x81" /* modulus - integer of 129 bytes */
+       "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
+@@ -230,12 +243,35 @@ static const struct akcipher_testvec rsa_tv_template[] = {
+       "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
+       "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
+       "\xC1"
+-      "\x02\x01\x00" /* prime1 - integer of 1 byte */
+-      "\x02\x01\x00" /* prime2 - integer of 1 byte */
+-      "\x02\x01\x00" /* exponent1 - integer of 1 byte */
+-      "\x02\x01\x00" /* exponent2 - integer of 1 byte */
+-      "\x02\x01\x00", /* coefficient - integer of 1 byte */
+-      .key_len = 289,
++      "\x02\x41" /* prime1 - integer of 65 bytes */
++      "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
++      "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
++      "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
++      "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
++      "\x99"
++      "\x02\x41" /* prime2 - integer of 65 bytes */
++      "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
++      "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
++      "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
++      "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
++      "\x03"
++      "\x02\x40" /* exponent1 - integer of 64 bytes */
++      "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
++      "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
++      "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
++      "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81"
++      "\x02\x40" /* exponent2 - integer of 64 bytes */
++      "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
++      "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
++      "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
++      "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"
++      "\x02\x41", /* coefficient - integer of 65 bytes */
++      "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
++      "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
++      "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
++      "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
++      "\xF7",
++      .key_len = 607,
+       .m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a",
+       .c =
+       "\x74\x1b\x55\xac\x47\xb5\x08\x0a\x6e\x2b\x2d\xf7\x94\xb8\x8a\x95"
+@@ -251,7 +287,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
+       }, {
+ #endif
+       .key =
+-      "\x30\x82\x02\x20" /* sequence of 544 bytes */
++      "\x30\x82\x04\xA3" /* sequence of 1187 bytes */
+       "\x02\x01\x00" /* version - integer of 1 byte */
+       "\x02\x82\x01\x01\x00" /* modulus - integer of 256 bytes */
+       "\xDB\x10\x1A\xC2\xA3\xF1\xDC\xFF\x13\x6B\xED\x44\xDF\xF0\x02\x6D"
+@@ -288,12 +324,55 @@ static const struct akcipher_testvec rsa_tv_template[] = {
+       "\x62\xFF\xE9\x46\xB8\xD8\x44\xDB\xA5\xCC\x31\x54\x34\xCE\x3E\x82"
+       "\xD6\xBF\x7A\x0B\x64\x21\x6D\x88\x7E\x5B\x45\x12\x1E\x63\x8D\x49"
+       "\xA7\x1D\xD9\x1E\x06\xCD\xE8\xBA\x2C\x8C\x69\x32\xEA\xBE\x60\x71"
+-      "\x02\x01\x00" /* prime1 - integer of 1 byte */
+-      "\x02\x01\x00" /* prime2 - integer of 1 byte */
+-      "\x02\x01\x00" /* exponent1 - integer of 1 byte */
+-      "\x02\x01\x00" /* exponent2 - integer of 1 byte */
+-      "\x02\x01\x00", /* coefficient - integer of 1 byte */
+-      .key_len = 548,
++      "\x02\x81\x81" /* prime1 - integer of 129 bytes */
++      "\x00\xFA\xAC\xE1\x37\x5E\x32\x11\x34\xC6\x72\x58\x2D\x91\x06\x3E"
++      "\x77\xE7\x11\x21\xCD\x4A\xF8\xA4\x3F\x0F\xEF\x31\xE3\xF3\x55\xA0"
++      "\xB9\xAC\xB6\xCB\xBB\x41\xD0\x32\x81\x9A\x8F\x7A\x99\x30\x77\x6C"
++      "\x68\x27\xE2\x96\xB5\x72\xC9\xC3\xD4\x42\xAA\xAA\xCA\x95\x8F\xFF"
++      "\xC9\x9B\x52\x34\x30\x1D\xCF\xFE\xCF\x3C\x56\x68\x6E\xEF\xE7\x6C"
++      "\xD7\xFB\x99\xF5\x4A\xA5\x21\x1F\x2B\xEA\x93\xE8\x98\x26\xC4\x6E"
++      "\x42\x21\x5E\xA0\xA1\x2A\x58\x35\xBB\x10\xE7\xBA\x27\x0A\x3B\xB3"
++      "\xAF\xE2\x75\x36\x04\xAC\x56\xA0\xAB\x52\xDE\xCE\xDD\x2C\x28\x77"
++      "\x03"
++      "\x02\x81\x81" /* prime2 - integer of 129 bytes */
++      "\x00\xDF\xB7\x52\xB6\xD7\xC0\xE2\x96\xE7\xC9\xFE\x5D\x71\x5A\xC4"
++      "\x40\x96\x2F\xE5\x87\xEA\xF3\xA5\x77\x11\x67\x3C\x8D\x56\x08\xA7"
++      "\xB5\x67\xFA\x37\xA8\xB8\xCF\x61\xE8\x63\xD8\x38\x06\x21\x2B\x92"
++      "\x09\xA6\x39\x3A\xEA\xA8\xB4\x45\x4B\x36\x10\x4C\xE4\x00\x66\x71"
++      "\x65\xF8\x0B\x94\x59\x4F\x8C\xFD\xD5\x34\xA2\xE7\x62\x84\x0A\xA7"
++      "\xBB\xDB\xD9\x8A\xCD\x05\xE1\xCC\x57\x7B\xF1\xF1\x1F\x11\x9D\xBA"
++      "\x3E\x45\x18\x99\x1B\x41\x64\x43\xEE\x97\x5D\x77\x13\x5B\x74\x69"
++      "\x73\x87\x95\x05\x07\xBE\x45\x07\x17\x7E\x4A\x69\x22\xF3\xDB\x05"
++      "\x39"
++      "\x02\x81\x80" /* exponent1 - integer of 128 bytes */
++      "\x5E\xD8\xDC\xDA\x53\x44\xC4\x67\xE0\x92\x51\x34\xE4\x83\xA5\x4D"
++      "\x3E\xDB\xA7\x9B\x82\xBB\x73\x81\xFC\xE8\x77\x4B\x15\xBE\x17\x73"
++      "\x49\x9B\x5C\x98\xBC\xBD\x26\xEF\x0C\xE9\x2E\xED\x19\x7E\x86\x41"
++      "\x1E\x9E\x48\x81\xDD\x2D\xE4\x6F\xC2\xCD\xCA\x93\x9E\x65\x7E\xD5"
++      "\xEC\x73\xFD\x15\x1B\xA2\xA0\x7A\x0F\x0D\x6E\xB4\x53\x07\x90\x92"
++      "\x64\x3B\x8B\xA9\x33\xB3\xC5\x94\x9B\x4C\x5D\x9C\x7C\x46\xA4\xA5"
++      "\x56\xF4\xF3\xF8\x27\x0A\x7B\x42\x0D\x92\x70\x47\xE7\x42\x51\xA9"
++      "\xC2\x18\xB1\x58\xB1\x50\x91\xB8\x61\x41\xB6\xA9\xCE\xD4\x7C\xBB"
++      "\x02\x81\x80" /* exponent2 - integer of 128 bytes */
++      "\x54\x09\x1F\x0F\x03\xD8\xB6\xC5\x0C\xE8\xB9\x9E\x0C\x38\x96\x43"
++      "\xD4\xA6\xC5\x47\xDB\x20\x0E\xE5\xBD\x29\xD4\x7B\x1A\xF8\x41\x57"
++      "\x49\x69\x9A\x82\xCC\x79\x4A\x43\xEB\x4D\x8B\x2D\xF2\x43\xD5\xA5"
++      "\xBE\x44\xFD\x36\xAC\x8C\x9B\x02\xF7\x9A\x03\xE8\x19\xA6\x61\xAE"
++      "\x76\x10\x93\x77\x41\x04\xAB\x4C\xED\x6A\xCC\x14\x1B\x99\x8D\x0C"
++      "\x6A\x37\x3B\x86\x6C\x51\x37\x5B\x1D\x79\xF2\xA3\x43\x10\xC6\xA7"
++      "\x21\x79\x6D\xF9\xE9\x04\x6A\xE8\x32\xFF\xAE\xFD\x1C\x7B\x8C\x29"
++      "\x13\xA3\x0C\xB2\xAD\xEC\x6C\x0F\x8D\x27\x12\x7B\x48\xB2\xDB\x31"
++      "\x02\x81\x81", /* coefficient - integer of 129 bytes */
++      "\x00\x8D\x1B\x05\xCA\x24\x1F\x0C\x53\x19\x52\x74\x63\x21\xFA\x78"
++      "\x46\x79\xAF\x5C\xDE\x30\xA4\x6C\x20\x38\xE6\x97\x39\xB8\x7A\x70"
++      "\x0D\x8B\x6C\x6D\x13\x74\xD5\x1C\xDE\xA9\xF4\x60\x37\xFE\x68\x77"
++      "\x5E\x0B\x4E\x5E\x03\x31\x30\xDF\xD6\xAE\x85\xD0\x81\xBB\x61\xC7"
++      "\xB1\x04\x5A\xC4\x6D\x56\x1C\xD9\x64\xE7\x85\x7F\x88\x91\xC9\x60"
++      "\x28\x05\xE2\xC6\x24\x8F\xDD\x61\x64\xD8\x09\xDE\x7E\xD3\x4A\x61"
++      "\x1A\xD3\x73\x58\x4B\xD8\xA0\x54\x25\x48\x83\x6F\x82\x6C\xAF\x36"
++      "\x51\x2A\x5D\x14\x2F\x41\x25\x00\xDD\xF8\xF3\x95\xFE\x31\x25\x50"
++      "\x12",
++      .key_len = 1191,
+       .m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a",
+       .c =
+       "\xb2\x97\x76\xb4\xae\x3e\x38\x3c\x7e\x64\x1f\xcc\xa2\x7f\xf6\xbe"
+-- 
+2.39.5
+
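Review bot: The coefficient headers `"\x02\x41", /* coefficient - integer of 65 bytes */` and `"\x02\x81\x81", /* coefficient - integer of 129 bytes */` end in a comma, which closes the `.key` string before the coefficient bytes. As a result `.key_len = 607` and `.key_len = 1191` describe more bytes than the key literal holds. With this patch applied alone, the self-test would presumably be handed a key shorter than key_len, which is consistent with the KASAN warnings reported in queue-5.4/crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch. That patch, queued in this same commit, drops both commas, so the two should sit adjacent in queue-5.4/series (not visible here) to keep any intermediate tree free of the broken vectors. The first vector is unaffected: its coefficient header has no comma, and 312 + 4 matches `.key_len = 316`.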
diff --git a/queue-5.4/crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch b/queue-5.4/crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch
new file mode 100644 (file)
index 0000000..7d5992e
--- /dev/null
@@ -0,0 +1,163 @@
+From 9d98a8fbec85565f95f3e7484f884b58b7d10145 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Jul 2022 14:37:46 +0100
+Subject: crypto: testmgr - some more fixes to RSA test vectors
+
+From: Ignat Korchagin <ignat@cloudflare.com>
+
+[ Upstream commit 9d2bb9a74b2877f100637d6ab5685bcd33c69d44 ]
+
+Two more fixes:
+
+  * some test vectors in commit 79e6e2f3f3ff ("crypto: testmgr - populate
+    RSA CRT parameters in RSA test vectors") had misplaced commas, which
+    break the test and trigger KASAN warnings at least on x86-64
+
+  * pkcs1pad test vector did not have its CRT parameters
+
+Fixes: 79e6e2f3f3ff ("crypto: testmgr - populate RSA CRT parameters in RSA test vectors")
+Reported-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/testmgr.h | 102 +++++++++++++++++++++++++++++------------------
+ 1 file changed, 63 insertions(+), 39 deletions(-)
+
+diff --git a/crypto/testmgr.h b/crypto/testmgr.h
+index d57c911649180..601cbee29cca9 100644
+--- a/crypto/testmgr.h
++++ b/crypto/testmgr.h
+@@ -265,7 +265,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
+       "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
+       "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
+       "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"
+-      "\x02\x41", /* coefficient - integer of 65 bytes */
++      "\x02\x41" /* coefficient - integer of 65 bytes */
+       "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
+       "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
+       "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
+@@ -362,7 +362,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
+       "\x6A\x37\x3B\x86\x6C\x51\x37\x5B\x1D\x79\xF2\xA3\x43\x10\xC6\xA7"
+       "\x21\x79\x6D\xF9\xE9\x04\x6A\xE8\x32\xFF\xAE\xFD\x1C\x7B\x8C\x29"
+       "\x13\xA3\x0C\xB2\xAD\xEC\x6C\x0F\x8D\x27\x12\x7B\x48\xB2\xDB\x31"
+-      "\x02\x81\x81", /* coefficient - integer of 129 bytes */
++      "\x02\x81\x81" /* coefficient - integer of 129 bytes */
+       "\x00\x8D\x1B\x05\xCA\x24\x1F\x0C\x53\x19\x52\x74\x63\x21\xFA\x78"
+       "\x46\x79\xAF\x5C\xDE\x30\xA4\x6C\x20\x38\xE6\x97\x39\xB8\x7A\x70"
+       "\x0D\x8B\x6C\x6D\x13\x74\xD5\x1C\xDE\xA9\xF4\x60\x37\xFE\x68\x77"
+@@ -799,7 +799,7 @@ static const struct akcipher_testvec ecrdsa_tv_template[] = {
+ static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = {
+       {
+       .key =
+-      "\x30\x82\x03\x1f\x02\x01\x00\x02\x82\x01\x01\x00\xd7\x1e\x77\x82"
++      "\x30\x82\x04\xa5\x02\x01\x00\x02\x82\x01\x01\x00\xd7\x1e\x77\x82"
+       "\x8c\x92\x31\xe7\x69\x02\xa2\xd5\x5c\x78\xde\xa2\x0c\x8f\xfe\x28"
+       "\x59\x31\xdf\x40\x9c\x60\x61\x06\xb9\x2f\x62\x40\x80\x76\xcb\x67"
+       "\x4a\xb5\x59\x56\x69\x17\x07\xfa\xf9\x4c\xbd\x6c\x37\x7a\x46\x7d"
+@@ -815,42 +815,66 @@ static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = {
+       "\x9e\x49\x63\x6e\x02\xc1\xc9\x3a\x9b\xa5\x22\x1b\x07\x95\xd6\x10"
+       "\x02\x50\xfd\xfd\xd1\x9b\xbe\xab\xc2\xc0\x74\xd7\xec\x00\xfb\x11"
+       "\x71\xcb\x7a\xdc\x81\x79\x9f\x86\x68\x46\x63\x82\x4d\xb7\xf1\xe6"
+-      "\x16\x6f\x42\x63\xf4\x94\xa0\xca\x33\xcc\x75\x13\x02\x82\x01\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01"
+-      "\x02\x82\x01\x00\x62\xb5\x60\x31\x4f\x3f\x66\x16\xc1\x60\xac\x47"
+-      "\x2a\xff\x6b\x69\x00\x4a\xb2\x5c\xe1\x50\xb9\x18\x74\xa8\xe4\xdc"
+-      "\xa8\xec\xcd\x30\xbb\xc1\xc6\xe3\xc6\xac\x20\x2a\x3e\x5e\x8b\x12"
+-      "\xe6\x82\x08\x09\x38\x0b\xab\x7c\xb3\xcc\x9c\xce\x97\x67\xdd\xef"
+-      "\x95\x40\x4e\x92\xe2\x44\xe9\x1d\xc1\x14\xfd\xa9\xb1\xdc\x71\x9c"
+-      "\x46\x21\xbd\x58\x88\x6e\x22\x15\x56\xc1\xef\xe0\xc9\x8d\xe5\x80"
+-      "\x3e\xda\x7e\x93\x0f\x52\xf6\xf5\xc1\x91\x90\x9e\x42\x49\x4f\x8d"
+-      "\x9c\xba\x38\x83\xe9\x33\xc2\x50\x4f\xec\xc2\xf0\xa8\xb7\x6e\x28"
+-      "\x25\x56\x6b\x62\x67\xfe\x08\xf1\x56\xe5\x6f\x0e\x99\xf1\xe5\x95"
+-      "\x7b\xef\xeb\x0a\x2c\x92\x97\x57\x23\x33\x36\x07\xdd\xfb\xae\xf1"
+-      "\xb1\xd8\x33\xb7\x96\x71\x42\x36\xc5\xa4\xa9\x19\x4b\x1b\x52\x4c"
+-      "\x50\x69\x91\xf0\x0e\xfa\x80\x37\x4b\xb5\xd0\x2f\xb7\x44\x0d\xd4"
+-      "\xf8\x39\x8d\xab\x71\x67\x59\x05\x88\x3d\xeb\x48\x48\x33\x88\x4e"
+-      "\xfe\xf8\x27\x1b\xd6\x55\x60\x5e\x48\xb7\x6d\x9a\xa8\x37\xf9\x7a"
+-      "\xde\x1b\xcd\x5d\x1a\x30\xd4\xe9\x9e\x5b\x3c\x15\xf8\x9c\x1f\xda"
+-      "\xd1\x86\x48\x55\xce\x83\xee\x8e\x51\xc7\xde\x32\x12\x47\x7d\x46"
+-      "\xb8\x35\xdf\x41\x02\x01\x00\x02\x01\x00\x02\x01\x00\x02\x01\x00"
+-      "\x02\x01\x00",
+-      .key_len = 803,
++      "\x16\x6f\x42\x63\xf4\x94\xa0\xca\x33\xcc\x75\x13\x02\x03\x01\x00"
++      "\x01\x02\x82\x01\x00\x62\xb5\x60\x31\x4f\x3f\x66\x16\xc1\x60\xac"
++      "\x47\x2a\xff\x6b\x69\x00\x4a\xb2\x5c\xe1\x50\xb9\x18\x74\xa8\xe4"
++      "\xdc\xa8\xec\xcd\x30\xbb\xc1\xc6\xe3\xc6\xac\x20\x2a\x3e\x5e\x8b"
++      "\x12\xe6\x82\x08\x09\x38\x0b\xab\x7c\xb3\xcc\x9c\xce\x97\x67\xdd"
++      "\xef\x95\x40\x4e\x92\xe2\x44\xe9\x1d\xc1\x14\xfd\xa9\xb1\xdc\x71"
++      "\x9c\x46\x21\xbd\x58\x88\x6e\x22\x15\x56\xc1\xef\xe0\xc9\x8d\xe5"
++      "\x80\x3e\xda\x7e\x93\x0f\x52\xf6\xf5\xc1\x91\x90\x9e\x42\x49\x4f"
++      "\x8d\x9c\xba\x38\x83\xe9\x33\xc2\x50\x4f\xec\xc2\xf0\xa8\xb7\x6e"
++      "\x28\x25\x56\x6b\x62\x67\xfe\x08\xf1\x56\xe5\x6f\x0e\x99\xf1\xe5"
++      "\x95\x7b\xef\xeb\x0a\x2c\x92\x97\x57\x23\x33\x36\x07\xdd\xfb\xae"
++      "\xf1\xb1\xd8\x33\xb7\x96\x71\x42\x36\xc5\xa4\xa9\x19\x4b\x1b\x52"
++      "\x4c\x50\x69\x91\xf0\x0e\xfa\x80\x37\x4b\xb5\xd0\x2f\xb7\x44\x0d"
++      "\xd4\xf8\x39\x8d\xab\x71\x67\x59\x05\x88\x3d\xeb\x48\x48\x33\x88"
++      "\x4e\xfe\xf8\x27\x1b\xd6\x55\x60\x5e\x48\xb7\x6d\x9a\xa8\x37\xf9"
++      "\x7a\xde\x1b\xcd\x5d\x1a\x30\xd4\xe9\x9e\x5b\x3c\x15\xf8\x9c\x1f"
++      "\xda\xd1\x86\x48\x55\xce\x83\xee\x8e\x51\xc7\xde\x32\x12\x47\x7d"
++      "\x46\xb8\x35\xdf\x41\x02\x81\x81\x00\xe4\x4c\xae\xde\x16\xfd\x9f"
++      "\x83\x55\x5b\x84\x4a\xcf\x1c\xf1\x37\x95\xad\xca\x29\x7f\x2d\x6e"
++      "\x32\x81\xa4\x2b\x26\x14\x96\x1d\x40\x05\xec\x0c\xaf\x3f\x2c\x6f"
++      "\x2c\xe8\xbf\x1d\xee\xd0\xb3\xef\x7c\x5b\x9e\x88\x4f\x2a\x8b\x0e"
++      "\x4a\xbd\xb7\x8c\xfa\x10\x0e\x3b\xda\x68\xad\x41\x2b\xe4\x96\xfa"
++      "\x7f\x80\x52\x5f\x07\x9f\x0e\x3b\x5e\x96\x45\x1a\x13\x2b\x94\xce"
++      "\x1f\x07\x69\x85\x35\xfc\x69\x63\x5b\xf8\xf8\x3f\xce\x9d\x40\x1e"
++      "\x7c\xad\xfb\x9e\xce\xe0\x01\xf8\xef\x59\x5d\xdc\x00\x79\xab\x8a"
++      "\x3f\x80\xa2\x76\x32\x94\xa9\xea\x65\x02\x81\x81\x00\xf1\x38\x60"
++      "\x90\x0d\x0c\x2e\x3d\x34\xe5\x90\xea\x21\x43\x1f\x68\x63\x16\x7b"
++      "\x25\x8d\xde\x82\x2b\x52\xf8\xa3\xfd\x0f\x39\xe7\xe9\x5e\x32\x75"
++      "\x15\x7d\xd0\xc9\xce\x06\xe5\xfb\xa9\xcb\x22\xe5\xdb\x49\x09\xf2"
++      "\xe6\xb7\xa5\xa7\x75\x2e\x91\x2d\x2b\x5d\xf1\x48\x61\x45\x43\xd7"
++      "\xbd\xfc\x11\x73\xb5\x11\x9f\xb2\x18\x3a\x6f\x36\xa7\xc2\xd3\x18"
++      "\x4d\xf0\xc5\x1f\x70\x8c\x9b\xc5\x1d\x95\xa8\x5a\x9e\x8c\xb1\x4b"
++      "\x6a\x2a\x84\x76\x2c\xd8\x4f\x47\xb0\x81\x84\x02\x45\xf0\x85\xf8"
++      "\x0c\x6d\xa7\x0c\x4d\x2c\xb2\x5b\x81\x70\xfd\x6e\x17\x02\x81\x81"
++      "\x00\x8d\x07\xc5\xfa\x92\x4f\x48\xcb\xd3\xdd\xfe\x02\x4c\xa1\x7f"
++      "\x6d\xab\xfc\x38\xe7\x9b\x95\xcf\xfe\x49\x51\xc6\x09\xf7\x2b\xa8"
++      "\x94\x15\x54\x75\x9d\x88\xb4\x05\x55\xc3\xcd\xd4\x4a\xe4\x08\x53"
++      "\xc8\x09\xbd\x0c\x4d\x83\x65\x75\x85\xbc\x5e\xf8\x2a\xbd\xe2\x5d"
++      "\x1d\x16\x0e\xf9\x34\x89\x38\xaf\x34\x36\x6c\x2c\x22\x44\x22\x81"
++      "\x90\x73\xd9\xea\x3a\xaf\x70\x74\x48\x7c\xc6\xb5\xb0\xdc\xe5\xa9"
++      "\xa8\x76\x4b\xbc\xf7\x00\xf3\x4c\x22\x0f\x44\x62\x1d\x40\x0a\x57"
++      "\xe2\x5b\xdd\x7c\x7b\x9a\xad\xda\x70\x52\x21\x8a\x4c\xc2\xc3\x98"
++      "\x75\x02\x81\x81\x00\xed\x24\x5c\xa2\x21\x81\xa1\x0f\xa1\x2a\x33"
++      "\x0e\x49\xc7\x00\x60\x92\x51\x6e\x9d\x9b\xdc\x6d\x22\x04\x7e\xd6"
++      "\x51\x19\x9f\xf6\xe3\x91\x2c\x8f\xb8\xa2\x29\x19\xcc\x47\x31\xdf"
++      "\xf8\xab\xf0\xd2\x02\x83\xca\x99\x16\xc2\xe2\xc3\x3f\x4b\x99\x83"
++      "\xcb\x87\x9e\x86\x66\xc2\x3e\x91\x21\x80\x66\xf3\xd6\xc5\xcd\xb6"
++      "\xbb\x64\xef\x22\xcf\x48\x94\x58\xe7\x7e\xd5\x7c\x34\x1c\xb7\xa2"
++      "\xd0\x93\xe9\x9f\xb5\x11\x61\xd7\x5f\x37\x0f\x64\x52\x70\x11\x78"
++      "\xcc\x08\x77\xeb\xf8\x30\x1e\xb4\x9e\x1b\x4a\xc7\xa8\x33\x51\xe0"
++      "\xed\xdf\x53\xf6\xdf\x02\x81\x81\x00\x86\xd9\x4c\xee\x65\x61\xc1"
++      "\x19\xa9\xd5\x74\x9b\xd5\xca\xf6\x83\x2b\x06\xb4\x20\xfe\x45\x29"
++      "\xe8\xe3\xfa\xe1\x4f\x28\x8e\x63\x2f\x74\xc3\x3a\x5c\x9a\xf5\x9e"
++      "\x0e\x0d\xc5\xfe\xa0\x4c\x00\xce\x7b\xa4\x19\x17\x59\xaf\x13\x3a"
++      "\x03\x8f\x54\xf5\x60\x39\x2e\xd9\x06\xb3\x7c\xd6\x90\x06\x41\x77"
++      "\xf3\x93\xe1\x7a\x01\x41\xc1\x8f\xfe\x4c\x88\x39\xdb\xde\x71\x9e"
++      "\x58\xd1\x49\x50\x80\xb2\x5a\x4f\x69\x8b\xb8\xfe\x63\xd4\x42\x3d"
++      "\x37\x61\xa8\x4c\xff\xb6\x99\x4c\xf4\x51\xe0\x44\xaa\x69\x79\x3f"
++      "\x81\xa4\x61\x3d\x26\xe9\x04\x52\x64",
++      .key_len = 1193,
+       /*
+        * m is SHA256 hash of following message:
+        * "\x49\x41\xbe\x0a\x0c\xc9\xf6\x35\x51\xe4\x27\x56\x13\x71\x4b\xd0"
+-- 
+2.39.5
+
diff --git a/queue-5.4/flow_dissector-fix-handling-of-mixed-port-and-port-r.patch b/queue-5.4/flow_dissector-fix-handling-of-mixed-port-and-port-r.patch
new file mode 100644 (file)
index 0000000..6204103
--- /dev/null
@@ -0,0 +1,94 @@
+From c71b5ea24d51dcd3e28e4bed44bc390160f3a771 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 20:32:07 -0800
+Subject: flow_dissector: Fix handling of mixed port and port-range keys
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 3e5796862c692ea608d96f0a1437f9290f44953a ]
+
+This patch fixes a bug in TC flower filter where rules combining a
+specific destination port with a source port range weren't working
+correctly.
+
+The specific case was when users tried to configure rules like:
+
+tc filter add dev ens38 ingress protocol ip flower ip_proto udp \
+dst_port 5000 src_port 2000-3000 action drop
+
+The root cause was in the flow dissector code. While both
+FLOW_DISSECTOR_KEY_PORTS and FLOW_DISSECTOR_KEY_PORTS_RANGE flags
+were being set correctly in the classifier, the __skb_flow_dissect_ports()
+function was only populating one of them: whichever came first in
+the enum check. This meant that when the code needed both a specific
+port and a port range, one of them would be left as 0, causing the
+filter to not match packets as expected.
+
+Fix it by removing the either/or logic and instead checking and
+populating both key types independently when they're in use.
+
+Fixes: 8ffb055beae5 ("cls_flower: Fix the behavior using port ranges with hw-offload")
+Reported-by: Qiang Zhang <dtzq01@gmail.com>
+Closes: https://lore.kernel.org/netdev/CAPx+-5uvFxkhkz4=j_Xuwkezjn9U6kzKTD5jz4tZ9msSJ0fOJA@mail.gmail.com/
+Cc: Yoshiki Komachi <komachi.yoshiki@gmail.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20250218043210.732959-2-xiyou.wangcong@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/flow_dissector.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index 5daa72a930a9c..f4cc3710be94a 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -705,23 +705,30 @@ __skb_flow_dissect_ports(const struct sk_buff *skb,
+                        void *target_container, void *data, int nhoff,
+                        u8 ip_proto, int hlen)
+ {
+-      enum flow_dissector_key_id dissector_ports = FLOW_DISSECTOR_KEY_MAX;
+-      struct flow_dissector_key_ports *key_ports;
++      struct flow_dissector_key_ports_range *key_ports_range = NULL;
++      struct flow_dissector_key_ports *key_ports = NULL;
++      __be32 ports;
+       if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS))
+-              dissector_ports = FLOW_DISSECTOR_KEY_PORTS;
+-      else if (dissector_uses_key(flow_dissector,
+-                                  FLOW_DISSECTOR_KEY_PORTS_RANGE))
+-              dissector_ports = FLOW_DISSECTOR_KEY_PORTS_RANGE;
++              key_ports = skb_flow_dissector_target(flow_dissector,
++                                                    FLOW_DISSECTOR_KEY_PORTS,
++                                                    target_container);
++
++      if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS_RANGE))
++              key_ports_range = skb_flow_dissector_target(flow_dissector,
++                                                          FLOW_DISSECTOR_KEY_PORTS_RANGE,
++                                                          target_container);
+-      if (dissector_ports == FLOW_DISSECTOR_KEY_MAX)
++      if (!key_ports && !key_ports_range)
+               return;
+-      key_ports = skb_flow_dissector_target(flow_dissector,
+-                                            dissector_ports,
+-                                            target_container);
+-      key_ports->ports = __skb_flow_get_ports(skb, nhoff, ip_proto,
+-                                              data, hlen);
++      ports = __skb_flow_get_ports(skb, nhoff, ip_proto, data, hlen);
++
++      if (key_ports)
++              key_ports->ports = ports;
++
++      if (key_ports_range)
++              key_ports_range->tp.ports = ports;
+ }
+ static void
+-- 
+2.39.5
+
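Review bot: The new `key_ports_range->tp.ports = ports;` store in `__skb_flow_dissect_ports()` relies on `struct flow_dissector_key_ports_range` and its `tp` member, which this patch does not introduce. The same queue adds `net-extract-port-range-fields-from-fl_flow_key.patch`, which presumably supplies that type on 5.4, so it has to come before this patch in `queue-5.4/series`; this needs confirming, since the series change is not visible here. The bug being fixed makes a `flower ... action drop` rule silently fail to match, so I would also put a comment above the two lookups: `/* PORTS and PORTS_RANGE can both be in use (exact port plus a range); fill each key on its own. */`.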
diff --git a/queue-5.4/flow_dissector-fix-port-range-key-handling-in-bpf-co.patch b/queue-5.4/flow_dissector-fix-port-range-key-handling-in-bpf-co.patch
new file mode 100644 (file)
index 0000000..9738928
--- /dev/null
@@ -0,0 +1,76 @@
+From a2651a948b2718dea5b1d78eb8dbac723f8e4883 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 20:32:09 -0800
+Subject: flow_dissector: Fix port range key handling in BPF conversion
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 69ab34f705fbfabcace64b5d53bb7a4450fac875 ]
+
+Fix how port range keys are handled in __skb_flow_bpf_to_target() by:
+- Separating PORTS and PORTS_RANGE key handling
+- Using correct key_ports_range structure for range keys
+- Properly initializing both key types independently
+
+This ensures port range information is correctly stored in its dedicated
+structure rather than incorrectly using the regular ports key structure.
+
+Fixes: 59fb9b62fb6c ("flow_dissector: Fix to use new variables for port ranges in bpf hook")
+Reported-by: Qiang Zhang <dtzq01@gmail.com>
+Closes: https://lore.kernel.org/netdev/CAPx+-5uvFxkhkz4=j_Xuwkezjn9U6kzKTD5jz4tZ9msSJ0fOJA@mail.gmail.com/
+Cc: Yoshiki Komachi <komachi.yoshiki@gmail.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Link: https://patch.msgid.link/20250218043210.732959-4-xiyou.wangcong@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/flow_dissector.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index f4cc3710be94a..96d2635aaae07 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -781,6 +781,7 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys,
+                                    struct flow_dissector *flow_dissector,
+                                    void *target_container)
+ {
++      struct flow_dissector_key_ports_range *key_ports_range = NULL;
+       struct flow_dissector_key_ports *key_ports = NULL;
+       struct flow_dissector_key_control *key_control;
+       struct flow_dissector_key_basic *key_basic;
+@@ -825,20 +826,21 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys,
+               key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
+       }
+-      if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS))
++      if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS)) {
+               key_ports = skb_flow_dissector_target(flow_dissector,
+                                                     FLOW_DISSECTOR_KEY_PORTS,
+                                                     target_container);
+-      else if (dissector_uses_key(flow_dissector,
+-                                  FLOW_DISSECTOR_KEY_PORTS_RANGE))
+-              key_ports = skb_flow_dissector_target(flow_dissector,
+-                                                    FLOW_DISSECTOR_KEY_PORTS_RANGE,
+-                                                    target_container);
+-
+-      if (key_ports) {
+               key_ports->src = flow_keys->sport;
+               key_ports->dst = flow_keys->dport;
+       }
++      if (dissector_uses_key(flow_dissector,
++                             FLOW_DISSECTOR_KEY_PORTS_RANGE)) {
++              key_ports_range = skb_flow_dissector_target(flow_dissector,
++                                                          FLOW_DISSECTOR_KEY_PORTS_RANGE,
++                                                          target_container);
++              key_ports_range->tp.src = flow_keys->sport;
++              key_ports_range->tp.dst = flow_keys->dport;
++      }
+       if (dissector_uses_key(flow_dissector,
+                              FLOW_DISSECTOR_KEY_FLOW_LABEL)) {
+-- 
+2.39.5
+
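Review bot: In `__skb_flow_bpf_to_target()` the `= NULL` initialisers on `key_ports` and on the new `key_ports_range` no longer do anything, as far as the hunk shows. Each pointer is now assigned and dereferenced inside its own `dissector_uses_key()` block, and the `if (key_ports)` test is gone. Declaring each pointer inside its block, or dropping the initialiser, would let the compiler warn about a later use outside the block instead of leaving a NULL dereference for runtime. For a stable backport it is reasonable to keep the lines identical to upstream, so this is better raised against the upstream commit. The function body starts and ends outside the hunk.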
diff --git a/queue-5.4/geneve-fix-use-after-free-in-geneve_find_dev.patch b/queue-5.4/geneve-fix-use-after-free-in-geneve_find_dev.patch
new file mode 100644 (file)
index 0000000..c0a7929
--- /dev/null
@@ -0,0 +1,200 @@
+From 5137f3ceb63f85f98f4b6490d91b909ff1658429 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 13:33:54 +0900
+Subject: geneve: Fix use-after-free in geneve_find_dev().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 9593172d93b9f91c362baec4643003dc29802929 ]
+
+syzkaller reported a use-after-free in geneve_find_dev() [0]
+without repro.
+
+geneve_configure() links struct geneve_dev.next to
+net_generic(net, geneve_net_id)->geneve_list.
+
+The net here could differ from dev_net(dev) if IFLA_NET_NS_PID,
+IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.
+
+When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally
+calls unregister_netdevice_queue() for each dev in the netns,
+and later the dev is freed.
+
+However, its geneve_dev.next is still linked to the backend UDP
+socket netns.
+
+Then, use-after-free will occur when another geneve dev is created
+in the netns.
+
+Let's call geneve_dellink() instead in geneve_destroy_tunnels().
+
+[0]:
+BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]
+BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
+Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441
+
+CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d
+Hardware name: linux,dummy-virt (DT)
+Call trace:
+ show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x16c/0x6f0 mm/kasan/report.c:489
+ kasan_report+0xc0/0x120 mm/kasan/report.c:602
+ __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379
+ geneve_find_dev drivers/net/geneve.c:1295 [inline]
+ geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
+ geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634
+ rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795
+ __rtnl_newlink net/core/rtnetlink.c:3906 [inline]
+ rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
+ rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
+ netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
+ rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
+ netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
+ netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348
+ netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:713 [inline]
+ __sock_sendmsg net/socket.c:728 [inline]
+ ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568
+ ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622
+ __sys_sendmsg net/socket.c:2654 [inline]
+ __do_sys_sendmsg net/socket.c:2659 [inline]
+ __se_sys_sendmsg net/socket.c:2657 [inline]
+ __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657
+ __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+ invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
+ el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
+ do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
+ el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744
+ el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
+ el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600
+
+Allocated by task 13247:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x30/0x68 mm/kasan/common.c:68
+ kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568
+ poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+ __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __do_kmalloc_node mm/slub.c:4298 [inline]
+ __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304
+ __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645
+ alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470
+ rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604
+ rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780
+ __rtnl_newlink net/core/rtnetlink.c:3906 [inline]
+ rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
+ rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
+ netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
+ rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
+ netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
+ netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348
+ netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:713 [inline]
+ __sock_sendmsg net/socket.c:728 [inline]
+ ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568
+ ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622
+ __sys_sendmsg net/socket.c:2654 [inline]
+ __do_sys_sendmsg net/socket.c:2659 [inline]
+ __se_sys_sendmsg net/socket.c:2657 [inline]
+ __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657
+ __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+ invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
+ el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
+ do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
+ el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744
+ el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
+ el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600
+
+Freed by task 45:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x30/0x68 mm/kasan/common.c:68
+ kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:582
+ poison_slab_object mm/kasan/common.c:247 [inline]
+ __kasan_slab_free+0x48/0x68 mm/kasan/common.c:264
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2353 [inline]
+ slab_free mm/slub.c:4613 [inline]
+ kfree+0x140/0x420 mm/slub.c:4761
+ kvfree+0x4c/0x68 mm/util.c:688
+ netdev_release+0x94/0xc8 net/core/net-sysfs.c:2065
+ device_release+0x98/0x1c0
+ kobject_cleanup lib/kobject.c:689 [inline]
+ kobject_release lib/kobject.c:720 [inline]
+ kref_put include/linux/kref.h:65 [inline]
+ kobject_put+0x2b0/0x438 lib/kobject.c:737
+ netdev_run_todo+0xe5c/0xfc8 net/core/dev.c:11185
+ rtnl_unlock+0x20/0x38 net/core/rtnetlink.c:151
+ cleanup_net+0x4fc/0x8c0 net/core/net_namespace.c:648
+ process_one_work+0x700/0x1398 kernel/workqueue.c:3236
+ process_scheduled_works kernel/workqueue.c:3317 [inline]
+ worker_thread+0x8c4/0xe10 kernel/workqueue.c:3398
+ kthread+0x4bc/0x608 kernel/kthread.c:464
+ ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862
+
+The buggy address belongs to the object at ffff000054d6e000
+ which belongs to the cache kmalloc-cg-4k of size 4096
+The buggy address is located 3620 bytes inside of
+ freed 4096-byte region [ffff000054d6e000, ffff000054d6f000)
+
+The buggy address belongs to the physical page:
+page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94d68
+head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+memcg:ffff000016276181
+flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
+page_type: f5(slab)
+raw: 03fffe0000000040 ffff0000c000f500 dead000000000122 0000000000000000
+raw: 0000000000000000 0000000000040004 00000001f5000000 ffff000016276181
+head: 03fffe0000000040 ffff0000c000f500 dead000000000122 0000000000000000
+head: 0000000000000000 0000000000040004 00000001f5000000 ffff000016276181
+head: 03fffe0000000003 fffffdffc1535a01 ffffffffffffffff 0000000000000000
+head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff000054d6ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff000054d6ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff000054d6ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                               ^
+ ffff000054d6ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff000054d6ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20250213043354.91368-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/geneve.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
+index 961cbd2b377d1..3e8b96de72a74 100644
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -1872,16 +1872,11 @@ static void geneve_destroy_tunnels(struct net *net, struct list_head *head)
+       /* gather any geneve devices that were moved into this ns */
+       for_each_netdev_safe(net, dev, aux)
+               if (dev->rtnl_link_ops == &geneve_link_ops)
+-                      unregister_netdevice_queue(dev, head);
++                      geneve_dellink(dev, head);
+       /* now gather any other geneve devices that were created in this ns */
+-      list_for_each_entry_safe(geneve, next, &gn->geneve_list, next) {
+-              /* If geneve->dev is in the same netns, it was already added
+-               * to the list by the previous loop.
+-               */
+-              if (!net_eq(dev_net(geneve->dev), net))
+-                      unregister_netdevice_queue(geneve->dev, head);
+-      }
++      list_for_each_entry_safe(geneve, next, &gn->geneve_list, next)
++              geneve_dellink(geneve->dev, head);
+ }
+ static void __net_exit geneve_exit_batch_net(struct list_head *net_list)
+-- 
+2.39.5
+
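Review bot: With both loops in `geneve_destroy_tunnels()` now calling `geneve_dellink()`, a device whose netns differs from its UDP socket's netns can reach `geneve_dellink()` twice in one batch. One call comes from the other namespace's `gn->geneve_list` walk and the other from this `for_each_netdev_safe()` loop. The follow-up in this queue, `geneve-suppress-list-corruption-splat-in-geneve_dest.patch`, describes that as a `list_del()` corruption splat under `CONFIG_DEBUG_LIST` and removes the first loop. The two patches should therefore be queued and released together, in this order. The start of `geneve_destroy_tunnels()` is outside the hunk.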
diff --git a/queue-5.4/geneve-suppress-list-corruption-splat-in-geneve_dest.patch b/queue-5.4/geneve-suppress-list-corruption-splat-in-geneve_dest.patch
new file mode 100644 (file)
index 0000000..e7d21fe
--- /dev/null
@@ -0,0 +1,50 @@
+From 0e185ed1d30bcf1f6cb8721b7767b3c3ced9810f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 12:37:05 -0800
+Subject: geneve: Suppress list corruption splat in geneve_destroy_tunnels().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 62fab6eef61f245dc8797e3a6a5b890ef40e8628 ]
+
+As explained in the previous patch, iterating for_each_netdev() and
+gn->geneve_list during ->exit_batch_rtnl() could trigger ->dellink()
+twice for the same device.
+
+If CONFIG_DEBUG_LIST is enabled, we will see a list_del() corruption
+splat in the 2nd call of geneve_dellink().
+
+Let's remove for_each_netdev() in geneve_destroy_tunnels() and delegate
+that part to default_device_exit_batch().
+
+Fixes: 9593172d93b9 ("geneve: Fix use-after-free in geneve_find_dev().")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20250217203705.40342-3-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/geneve.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
+index 3e8b96de72a74..8fa466b879384 100644
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -1867,14 +1867,7 @@ static void geneve_destroy_tunnels(struct net *net, struct list_head *head)
+ {
+       struct geneve_net *gn = net_generic(net, geneve_net_id);
+       struct geneve_dev *geneve, *next;
+-      struct net_device *dev, *aux;
+-      /* gather any geneve devices that were moved into this ns */
+-      for_each_netdev_safe(net, dev, aux)
+-              if (dev->rtnl_link_ops == &geneve_link_ops)
+-                      geneve_dellink(dev, head);
+-
+-      /* now gather any other geneve devices that were created in this ns */
+       list_for_each_entry_safe(geneve, next, &gn->geneve_list, next)
+               geneve_dellink(geneve->dev, head);
+ }
+-- 
+2.39.5
+
diff --git a/queue-5.4/gtp-suppress-list-corruption-splat-in-gtp_net_exit_b.patch b/queue-5.4/gtp-suppress-list-corruption-splat-in-gtp_net_exit_b.patch
new file mode 100644 (file)
index 0000000..8c049b6
--- /dev/null
@@ -0,0 +1,121 @@
+From 333f79277f25f36966146bbce7b7d4987604b1ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 12:37:04 -0800
+Subject: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 4ccacf86491d33d2486b62d4d44864d7101b299d ]
+
+Brad Spengler reported the list_del() corruption splat in
+gtp_net_exit_batch_rtnl(). [0]
+
+Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns
+dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()
+to destroy devices in each netns as done in geneve and ip tunnels.
+
+However, this could trigger ->dellink() twice for the same device during
+->exit_batch_rtnl().
+
+Say we have two netns A & B and gtp device B that resides in netns B but
+whose UDP socket is in netns A.
+
+  1. cleanup_net() processes netns A and then B.
+
+  2. gtp_net_exit_batch_rtnl() finds the device B while iterating
+     netns A's gn->gtp_dev_list and calls ->dellink().
+
+  [ device B is not yet unlinked from netns B
+    as unregister_netdevice_many() has not been called. ]
+
+  3. gtp_net_exit_batch_rtnl() finds the device B while iterating
+     netns B's for_each_netdev() and calls ->dellink().
+
+gtp_dellink() cleans up the device's hash table, unlinks the dev from
+gn->gtp_dev_list, and calls unregister_netdevice_queue().
+
+Basically, calling gtp_dellink() multiple times is fine unless
+CONFIG_DEBUG_LIST is enabled.
+
+Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and
+delegate the destruction to default_device_exit_batch() as done
+in bareudp.
+
+[0]:
+list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)
+kernel BUG at lib/list_debug.c:58!
+Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G                T   6.12.13-grsec-full-20250211091339 #1
+Tainted: [T]=RANDSTRUCT
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Workqueue: netns cleanup_net
+RIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58
+Code: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60
+RSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283
+RAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054
+RDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000
+RBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32
+R10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4
+R13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08
+RBX: kasan shadow of 0x0
+RCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554
+RDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58
+RSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71
+RBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]
+RSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]
+R09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]
+R10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]
+R15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]
+FS:  0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0
+Stack:
+ 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00
+ ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005
+ 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d
+Call Trace:
+ <TASK>
+ [<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28
+ [<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28
+ [<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inline] fffffe8040b4fc28
+ [<ffffffff8a0c360d>] gtp_dellink+0x16d/0x360 drivers/net/gtp.c:1557 fffffe8040b4fc28
+ [<ffffffff8a0d0404>] gtp_net_exit_batch_rtnl+0x124/0x2c0 drivers/net/gtp.c:2495 fffffe8040b4fc88
+ [<ffffffff8e705b24>] cleanup_net+0x5a4/0xbe0 net/core/net_namespace.c:635 fffffe8040b4fcd0
+ [<ffffffff81754c97>] process_one_work+0xbd7/0x2160 kernel/workqueue.c:3326 fffffe8040b4fd88
+ [<ffffffff81757195>] process_scheduled_works kernel/workqueue.c:3407 [inline] fffffe8040b4fec0
+ [<ffffffff81757195>] worker_thread+0x6b5/0xfa0 kernel/workqueue.c:3488 fffffe8040b4fec0
+ [<ffffffff817782a0>] kthread+0x360/0x4c0 kernel/kthread.c:397 fffffe8040b4ff78
+ [<ffffffff814d8594>] ret_from_fork+0x74/0xe0 arch/x86/kernel/process.c:172 fffffe8040b4ffb8
+ [<ffffffff8110f509>] ret_from_fork_asm+0x29/0xc0 arch/x86/entry/entry_64.S:399 fffffe8040b4ffe8
+ </TASK>
+Modules linked in:
+
+Fixes: eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.")
+Reported-by: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20250217203705.40342-2-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 68698457add0a..fa43b0f26bfb1 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -1366,11 +1366,6 @@ static void __net_exit gtp_net_exit_batch_rtnl(struct list_head *net_list,
+       list_for_each_entry(net, net_list, exit_list) {
+               struct gtp_net *gn = net_generic(net, gtp_net_id);
+               struct gtp_dev *gtp, *gtp_next;
+-              struct net_device *dev;
+-
+-              for_each_netdev(net, dev)
+-                      if (dev->rtnl_link_ops == &gtp_link_ops)
+-                              gtp_dellink(dev, dev_to_kill);
+               list_for_each_entry_safe(gtp, gtp_next, &gn->gtp_dev_list, list)
+                       gtp_dellink(gtp->dev, dev_to_kill);
+-- 
+2.39.5
+
diff --git a/queue-5.4/memcg-fix-soft-lockup-in-the-oom-process.patch b/queue-5.4/memcg-fix-soft-lockup-in-the-oom-process.patch
new file mode 100644 (file)
index 0000000..717ad09
--- /dev/null
@@ -0,0 +1,128 @@
+From 2f2854c7e7ed45eed5cff7ce55156939a86c9c40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Dec 2024 02:52:38 +0000
+Subject: memcg: fix soft lockup in the OOM process
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit ade81479c7dda1ce3eedb215c78bc615bbd04f06 ]
+
+A soft lockup issue was found in the product with about 56,000 tasks were
+in the OOM cgroup, it was traversing them when the soft lockup was
+triggered.
+
+watchdog: BUG: soft lockup - CPU#2 stuck for 23s! [VM Thread:1503066]
+CPU: 2 PID: 1503066 Comm: VM Thread Kdump: loaded Tainted: G
+Hardware name: Huawei Cloud OpenStack Nova, BIOS
+RIP: 0010:console_unlock+0x343/0x540
+RSP: 0000:ffffb751447db9a0 EFLAGS: 00000247 ORIG_RAX: ffffffffffffff13
+RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffffffff
+RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000247
+RBP: ffffffffafc71f90 R08: 0000000000000000 R09: 0000000000000040
+R10: 0000000000000080 R11: 0000000000000000 R12: ffffffffafc74bd0
+R13: ffffffffaf60a220 R14: 0000000000000247 R15: 0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f2fe6ad91f0 CR3: 00000004b2076003 CR4: 0000000000360ee0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ vprintk_emit+0x193/0x280
+ printk+0x52/0x6e
+ dump_task+0x114/0x130
+ mem_cgroup_scan_tasks+0x76/0x100
+ dump_header+0x1fe/0x210
+ oom_kill_process+0xd1/0x100
+ out_of_memory+0x125/0x570
+ mem_cgroup_out_of_memory+0xb5/0xd0
+ try_charge+0x720/0x770
+ mem_cgroup_try_charge+0x86/0x180
+ mem_cgroup_try_charge_delay+0x1c/0x40
+ do_anonymous_page+0xb5/0x390
+ handle_mm_fault+0xc4/0x1f0
+
+This is because thousands of processes are in the OOM cgroup, it takes a
+long time to traverse all of them.  As a result, this lead to soft lockup
+in the OOM process.
+
+To fix this issue, call 'cond_resched' in the 'mem_cgroup_scan_tasks'
+function per 1000 iterations.  For global OOM, call
+'touch_softlockup_watchdog' per 1000 iterations to avoid this issue.
+
+Link: https://lkml.kernel.org/r/20241224025238.3768787-1-chenridong@huaweicloud.com
+Fixes: 9cbb78bb3143 ("mm, memcg: introduce own oom handler to iterate only over its own threads")
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Roman Gushchin <roman.gushchin@linux.dev>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Michal Koutný <mkoutny@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memcontrol.c | 7 ++++++-
+ mm/oom_kill.c   | 8 +++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index 5ac119509335d..6f5565553e5f0 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -1221,6 +1221,7 @@ int mem_cgroup_scan_tasks(struct mem_cgroup *memcg,
+ {
+       struct mem_cgroup *iter;
+       int ret = 0;
++      int i = 0;
+       BUG_ON(memcg == root_mem_cgroup);
+@@ -1229,8 +1230,12 @@ int mem_cgroup_scan_tasks(struct mem_cgroup *memcg,
+               struct task_struct *task;
+               css_task_iter_start(&iter->css, CSS_TASK_ITER_PROCS, &it);
+-              while (!ret && (task = css_task_iter_next(&it)))
++              while (!ret && (task = css_task_iter_next(&it))) {
++                      /* Avoid potential softlockup warning */
++                      if ((++i & 1023) == 0)
++                              cond_resched();
+                       ret = fn(task, arg);
++              }
+               css_task_iter_end(&it);
+               if (ret) {
+                       mem_cgroup_iter_break(memcg, iter);
+diff --git a/mm/oom_kill.c b/mm/oom_kill.c
+index 42b546c7b74b5..a1a32864fdf80 100644
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -43,6 +43,7 @@
+ #include <linux/init.h>
+ #include <linux/mmu_notifier.h>
+ #include <linux/cred.h>
++#include <linux/nmi.h>
+ #include <asm/tlb.h>
+ #include "internal.h"
+@@ -430,10 +431,15 @@ static void dump_tasks(struct oom_control *oc)
+               mem_cgroup_scan_tasks(oc->memcg, dump_task, oc);
+       else {
+               struct task_struct *p;
++              int i = 0;
+               rcu_read_lock();
+-              for_each_process(p)
++              for_each_process(p) {
++                      /* Avoid potential softlockup warning */
++                      if ((++i & 1023) == 0)
++                              touch_softlockup_watchdog();
+                       dump_task(p, oc);
++              }
+               rcu_read_unlock();
+       }
+ }
+-- 
+2.39.5
+
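Review bot: In the dump_tasks() hunk of mm/oom_kill.c the new `touch_softlockup_watchdog()` call only resets the watchdog; the `for_each_process()` walk still runs inside `rcu_read_lock()` and never yields, so with a very large task count the CPU stays busy and only the warning goes away. The mem_cgroup_scan_tasks() hunk, by contrast, really yields with `cond_resched()`. The two identical comments should say which case each is, for example `/* Cannot sleep under rcu_read_lock(); only keep the softlockup watchdog quiet */` in dump_tasks(). The mask `(++i & 1023)` fires every 1024 tasks, not the 1000 the description states, and `i` would read better as `unsigned int` since it is a free-running counter. Both function bodies continue outside the hunks.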
diff --git a/queue-5.4/mm-update-mark_victim-tracepoints-fields.patch b/queue-5.4/mm-update-mark_victim-tracepoints-fields.patch
new file mode 100644 (file)
index 0000000..e1e227c
--- /dev/null
@@ -0,0 +1,150 @@
+From e0a3abe688dded43f2e9eb3f8754f9029096ceb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Feb 2024 17:32:49 +0000
+Subject: mm: update mark_victim tracepoints fields
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Carlos Galo <carlosgalo@google.com>
+
+[ Upstream commit 72ba14deb40a9e9668ec5e66a341ed657e5215c2 ]
+
+The current implementation of the mark_victim tracepoint provides only the
+process ID (pid) of the victim process.  This limitation poses challenges
+for userspace tools requiring real-time OOM analysis and intervention.
+Although this information is available from the kernel logs, it’s not
+the appropriate format to provide OOM notifications.  In Android, BPF
+programs are used with the mark_victim trace events to notify userspace of
+an OOM kill.  For consistency, update the trace event to include the same
+information about the OOMed victim as the kernel logs.
+
+- UID
+   In Android each installed application has a unique UID. Including
+   the `uid` assists in correlating OOM events with specific apps.
+
+- Process Name (comm)
+   Enables identification of the affected process.
+
+- OOM Score
+  Will allow userspace to get additional insight of the relative kill
+  priority of the OOM victim. In Android, the oom_score_adj is used to
+  categorize app state (foreground, background, etc.), which aids in
+  analyzing user-perceptible impacts of OOM events [1].
+
+- Total VM, RSS Stats, and pgtables
+  Amount of memory used by the victim that will, potentially, be freed up
+  by killing it.
+
+[1] https://cs.android.com/android/platform/superproject/main/+/246dc8fc95b6d93afcba5c6d6c133307abb3ac2e:frameworks/base/services/core/java/com/android/server/am/ProcessList.java;l=188-283
+Signed-off-by: Carlos Galo <carlosgalo@google.com>
+Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: ade81479c7dd ("memcg: fix soft lockup in the OOM process")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/oom.h | 36 ++++++++++++++++++++++++++++++++----
+ mm/oom_kill.c              |  6 +++++-
+ 2 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/include/trace/events/oom.h b/include/trace/events/oom.h
+index 26a11e4a2c361..b799f3bcba823 100644
+--- a/include/trace/events/oom.h
++++ b/include/trace/events/oom.h
+@@ -7,6 +7,8 @@
+ #include <linux/tracepoint.h>
+ #include <trace/events/mmflags.h>
++#define PG_COUNT_TO_KB(x) ((x) << (PAGE_SHIFT - 10))
++
+ TRACE_EVENT(oom_score_adj_update,
+       TP_PROTO(struct task_struct *task),
+@@ -72,19 +74,45 @@ TRACE_EVENT(reclaim_retry_zone,
+ );
+ TRACE_EVENT(mark_victim,
+-      TP_PROTO(int pid),
++      TP_PROTO(struct task_struct *task, uid_t uid),
+-      TP_ARGS(pid),
++      TP_ARGS(task, uid),
+       TP_STRUCT__entry(
+               __field(int, pid)
++              __string(comm, task->comm)
++              __field(unsigned long, total_vm)
++              __field(unsigned long, anon_rss)
++              __field(unsigned long, file_rss)
++              __field(unsigned long, shmem_rss)
++              __field(uid_t, uid)
++              __field(unsigned long, pgtables)
++              __field(short, oom_score_adj)
+       ),
+       TP_fast_assign(
+-              __entry->pid = pid;
++              __entry->pid = task->pid;
++              __assign_str(comm, task->comm);
++              __entry->total_vm = PG_COUNT_TO_KB(task->mm->total_vm);
++              __entry->anon_rss = PG_COUNT_TO_KB(get_mm_counter(task->mm, MM_ANONPAGES));
++              __entry->file_rss = PG_COUNT_TO_KB(get_mm_counter(task->mm, MM_FILEPAGES));
++              __entry->shmem_rss = PG_COUNT_TO_KB(get_mm_counter(task->mm, MM_SHMEMPAGES));
++              __entry->uid = uid;
++              __entry->pgtables = mm_pgtables_bytes(task->mm) >> 10;
++              __entry->oom_score_adj = task->signal->oom_score_adj;
+       ),
+-      TP_printk("pid=%d", __entry->pid)
++      TP_printk("pid=%d comm=%s total-vm=%lukB anon-rss=%lukB file-rss:%lukB shmem-rss:%lukB uid=%u pgtables=%lukB oom_score_adj=%hd",
++              __entry->pid,
++              __get_str(comm),
++              __entry->total_vm,
++              __entry->anon_rss,
++              __entry->file_rss,
++              __entry->shmem_rss,
++              __entry->uid,
++              __entry->pgtables,
++              __entry->oom_score_adj
++      )
+ );
+ TRACE_EVENT(wake_reaper,
+diff --git a/mm/oom_kill.c b/mm/oom_kill.c
+index ee927ffeb718d..42b546c7b74b5 100644
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -42,6 +42,7 @@
+ #include <linux/kthread.h>
+ #include <linux/init.h>
+ #include <linux/mmu_notifier.h>
++#include <linux/cred.h>
+ #include <asm/tlb.h>
+ #include "internal.h"
+@@ -721,6 +722,7 @@ static inline void queue_oom_reaper(struct task_struct *tsk)
+  */
+ static void mark_oom_victim(struct task_struct *tsk)
+ {
++      const struct cred *cred;
+       struct mm_struct *mm = tsk->mm;
+       WARN_ON(oom_killer_disabled);
+@@ -742,7 +744,9 @@ static void mark_oom_victim(struct task_struct *tsk)
+        */
+       __thaw_task(tsk);
+       atomic_inc(&oom_victims);
+-      trace_mark_victim(tsk->pid);
++      cred = get_task_cred(tsk);
++      trace_mark_victim(tsk, cred->uid.val);
++      put_cred(cred);
+ }
+ /**
+-- 
+2.39.5
+
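Review bot: TP_fast_assign() of mark_victim in include/trace/events/oom.h dereferences `task->mm` five times with no NULL check, although mark_oom_victim() has already read that pointer into its local `mm`. Whether `tsk->mm` can be NULL or change at this point depends on locking in callers that the hunk does not show, so the requirement should be written down at the tracepoint, for example `/* task->mm must be non-NULL and stable: caller holds task_lock(task) or task == current */` if that is the contract. Separately, `get_task_cred()`/`put_cred()` run on every call even when the event is disabled; wrapping the three lines in `if (trace_mark_victim_enabled())` would avoid the reference-count traffic. mark_oom_victim()'s body is only partly visible here.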
diff --git a/queue-5.4/net-extract-port-range-fields-from-fl_flow_key.patch b/queue-5.4/net-extract-port-range-fields-from-fl_flow_key.patch
new file mode 100644 (file)
index 0000000..c87eeab
--- /dev/null
@@ -0,0 +1,115 @@
+From b9df2cfbf7139ec29f7d293505ba50cfe2679c70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jul 2022 18:09:07 +0300
+Subject: net: extract port range fields from fl_flow_key
+
+From: Maksym Glubokiy <maksym.glubokiy@plvision.eu>
+
+[ Upstream commit 83d85bb069152b790caad905fa53e6d50cd3734d ]
+
+So it can be used for port range filter offloading.
+
+Co-developed-by: Volodymyr Mytnyk <volodymyr.mytnyk@plvision.eu>
+Signed-off-by: Volodymyr Mytnyk <volodymyr.mytnyk@plvision.eu>
+Signed-off-by: Maksym Glubokiy <maksym.glubokiy@plvision.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 3e5796862c69 ("flow_dissector: Fix handling of mixed port and port-range keys")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/flow_dissector.h | 16 ++++++++++++++++
+ include/net/flow_offload.h   |  6 ++++++
+ net/core/flow_offload.c      |  7 +++++++
+ net/sched/cls_flower.c       |  8 +-------
+ 4 files changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/flow_dissector.h b/include/net/flow_dissector.h
+index 02171416c68eb..efd7987982a8c 100644
+--- a/include/net/flow_dissector.h
++++ b/include/net/flow_dissector.h
+@@ -158,6 +158,22 @@ struct flow_dissector_key_ports {
+       };
+ };
++/**
++ * struct flow_dissector_key_ports_range
++ * @tp: port number from packet
++ * @tp_min: min port number in range
++ * @tp_max: max port number in range
++ */
++struct flow_dissector_key_ports_range {
++      union {
++              struct flow_dissector_key_ports tp;
++              struct {
++                      struct flow_dissector_key_ports tp_min;
++                      struct flow_dissector_key_ports tp_max;
++              };
++      };
++};
++
+ /**
+  * flow_dissector_key_icmp:
+  *    @ports: type and code of ICMP header
+diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h
+index c6f7bd22db609..dc4274dcdec7f 100644
+--- a/include/net/flow_offload.h
++++ b/include/net/flow_offload.h
+@@ -48,6 +48,10 @@ struct flow_match_ports {
+       struct flow_dissector_key_ports *key, *mask;
+ };
++struct flow_match_ports_range {
++      struct flow_dissector_key_ports_range *key, *mask;
++};
++
+ struct flow_match_icmp {
+       struct flow_dissector_key_icmp *key, *mask;
+ };
+@@ -90,6 +94,8 @@ void flow_rule_match_ip(const struct flow_rule *rule,
+                       struct flow_match_ip *out);
+ void flow_rule_match_ports(const struct flow_rule *rule,
+                          struct flow_match_ports *out);
++void flow_rule_match_ports_range(const struct flow_rule *rule,
++                               struct flow_match_ports_range *out);
+ void flow_rule_match_tcp(const struct flow_rule *rule,
+                        struct flow_match_tcp *out);
+ void flow_rule_match_icmp(const struct flow_rule *rule,
+diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c
+index 45b6a59ac1243..3d54eca5960dc 100644
+--- a/net/core/flow_offload.c
++++ b/net/core/flow_offload.c
+@@ -97,6 +97,13 @@ void flow_rule_match_ports(const struct flow_rule *rule,
+ }
+ EXPORT_SYMBOL(flow_rule_match_ports);
++void flow_rule_match_ports_range(const struct flow_rule *rule,
++                               struct flow_match_ports_range *out)
++{
++      FLOW_DISSECTOR_MATCH(rule, FLOW_DISSECTOR_KEY_PORTS_RANGE, out);
++}
++EXPORT_SYMBOL(flow_rule_match_ports_range);
++
+ void flow_rule_match_tcp(const struct flow_rule *rule,
+                        struct flow_match_tcp *out)
+ {
+diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
+index c92318f68f92d..803107b30814e 100644
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -54,13 +54,7 @@ struct fl_flow_key {
+       struct flow_dissector_key_ip ip;
+       struct flow_dissector_key_ip enc_ip;
+       struct flow_dissector_key_enc_opts enc_opts;
+-      union {
+-              struct flow_dissector_key_ports tp;
+-              struct {
+-                      struct flow_dissector_key_ports tp_min;
+-                      struct flow_dissector_key_ports tp_max;
+-              };
+-      } tp_range;
++      struct flow_dissector_key_ports_range tp_range;
+       struct flow_dissector_key_ct ct;
+ } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
+-- 
+2.39.5
+
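Review bot: The kernel-doc added for `struct flow_dissector_key_ports_range` in include/net/flow_dissector.h does not mention that `tp` shares storage with `tp_min` through the union, so writing an exact port and a range into the same key overwrites one with the other. A line such as `@tp: port number from packet; aliases @tp_min, do not set together with a range` would make that visible to drivers that start calling `flow_rule_match_ports_range()`. The header line of the kernel-doc block also lacks the usual ` - short description` after the struct name.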
diff --git a/queue-5.4/powerpc-64s-mm-move-__real_pte-stubs-into-hash-4k.h.patch b/queue-5.4/powerpc-64s-mm-move-__real_pte-stubs-into-hash-4k.h.patch
new file mode 100644 (file)
index 0000000..081c6e3
--- /dev/null
@@ -0,0 +1,92 @@
+From 2a8cfcd3c35d9c785357f41c0522367f6aed7e40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 18:07:29 +1000
+Subject: powerpc/64s/mm: Move __real_pte stubs into hash-4k.h
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 8ae4f16f7d7b59cca55aeca6db7c9636ffe7fbaa ]
+
+The stub versions of __real_pte() etc are only used with HPT & 4K pages,
+so move them into the hash-4k.h header.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240821080729.872034-1-mpe@ellerman.id.au
+Stable-dep-of: 61bcc752d1b8 ("powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/book3s/64/hash-4k.h | 20 +++++++++++++++
+ arch/powerpc/include/asm/book3s/64/pgtable.h | 26 --------------------
+ 2 files changed, 20 insertions(+), 26 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/book3s/64/hash-4k.h b/arch/powerpc/include/asm/book3s/64/hash-4k.h
+index 80c9534148821..3e35a7d7dfbaf 100644
+--- a/arch/powerpc/include/asm/book3s/64/hash-4k.h
++++ b/arch/powerpc/include/asm/book3s/64/hash-4k.h
+@@ -83,6 +83,26 @@ static inline int hash__hugepd_ok(hugepd_t hpd)
+ }
+ #endif
++/*
++ * With 4K page size the real_pte machinery is all nops.
++ */
++#define __real_pte(e, p, o)           ((real_pte_t){(e)})
++#define __rpte_to_pte(r)      ((r).pte)
++#define __rpte_to_hidx(r,index)       (pte_val(__rpte_to_pte(r)) >> H_PAGE_F_GIX_SHIFT)
++
++#define pte_iterate_hashed_subpages(rpte, psize, va, index, shift)       \
++      do {                                                             \
++              index = 0;                                               \
++              shift = mmu_psize_defs[psize].shift;                     \
++
++#define pte_iterate_hashed_end() } while(0)
++
++/*
++ * We expect this to be called only for user addresses or kernel virtual
++ * addresses other than the linear mapping.
++ */
++#define pte_pagesize_index(mm, addr, pte)     MMU_PAGE_4K
++
+ /*
+  * 4K PTE format is different from 64K PTE format. Saving the hash_slot is just
+  * a matter of returning the PTE bits that need to be modified. On 64K PTE,
+diff --git a/arch/powerpc/include/asm/book3s/64/pgtable.h b/arch/powerpc/include/asm/book3s/64/pgtable.h
+index e1eb8aa9cfbbb..712bba181359b 100644
+--- a/arch/powerpc/include/asm/book3s/64/pgtable.h
++++ b/arch/powerpc/include/asm/book3s/64/pgtable.h
+@@ -324,32 +324,6 @@ extern unsigned long pci_io_base;
+ #ifndef __ASSEMBLY__
+-/*
+- * This is the default implementation of various PTE accessors, it's
+- * used in all cases except Book3S with 64K pages where we have a
+- * concept of sub-pages
+- */
+-#ifndef __real_pte
+-
+-#define __real_pte(e, p, o)           ((real_pte_t){(e)})
+-#define __rpte_to_pte(r)      ((r).pte)
+-#define __rpte_to_hidx(r,index)       (pte_val(__rpte_to_pte(r)) >> H_PAGE_F_GIX_SHIFT)
+-
+-#define pte_iterate_hashed_subpages(rpte, psize, va, index, shift)       \
+-      do {                                                             \
+-              index = 0;                                               \
+-              shift = mmu_psize_defs[psize].shift;                     \
+-
+-#define pte_iterate_hashed_end() } while(0)
+-
+-/*
+- * We expect this to be called only for user addresses or kernel virtual
+- * addresses other than the linear mapping.
+- */
+-#define pte_pagesize_index(mm, addr, pte)     MMU_PAGE_4K
+-
+-#endif /* __real_pte */
+-
+ static inline unsigned long pte_update(struct mm_struct *mm, unsigned long addr,
+                                      pte_t *ptep, unsigned long clr,
+                                      unsigned long set, int huge)
+-- 
+2.39.5
+
diff --git a/queue-5.4/powerpc-64s-rewrite-__real_pte-and-__rpte_to_hidx-as.patch b/queue-5.4/powerpc-64s-rewrite-__real_pte-and-__rpte_to_hidx-as.patch
new file mode 100644 (file)
index 0000000..c110e37
--- /dev/null
@@ -0,0 +1,64 @@
+From 6ebb6652cfb88811d0329bd72547bb22dc5f7356 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jan 2025 19:24:46 +0100
+Subject: powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static
+ inline
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 61bcc752d1b81fde3cae454ff20c1d3c359df500 ]
+
+Rewrite __real_pte() and __rpte_to_hidx() as static inline in order to
+avoid following warnings/errors when building with 4k page size:
+
+         CC      arch/powerpc/mm/book3s64/hash_tlb.o
+       arch/powerpc/mm/book3s64/hash_tlb.c: In function 'hpte_need_flush':
+       arch/powerpc/mm/book3s64/hash_tlb.c:49:16: error: variable 'offset' set but not used [-Werror=unused-but-set-variable]
+          49 |         int i, offset;
+             |                ^~~~~~
+
+         CC      arch/powerpc/mm/book3s64/hash_native.o
+       arch/powerpc/mm/book3s64/hash_native.c: In function 'native_flush_hash_range':
+       arch/powerpc/mm/book3s64/hash_native.c:782:29: error: variable 'index' set but not used [-Werror=unused-but-set-variable]
+         782 |         unsigned long hash, index, hidx, shift, slot;
+             |                             ^~~~~
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202501081741.AYFwybsq-lkp@intel.com/
+Fixes: ff31e105464d ("powerpc/mm/hash64: Store the slot information at the right offset for hugetlb")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/e0d340a5b7bd478ecbf245d826e6ab2778b74e06.1736706263.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/book3s/64/hash-4k.h | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/book3s/64/hash-4k.h b/arch/powerpc/include/asm/book3s/64/hash-4k.h
+index 3e35a7d7dfbaf..864743b46f45a 100644
+--- a/arch/powerpc/include/asm/book3s/64/hash-4k.h
++++ b/arch/powerpc/include/asm/book3s/64/hash-4k.h
+@@ -86,9 +86,17 @@ static inline int hash__hugepd_ok(hugepd_t hpd)
+ /*
+  * With 4K page size the real_pte machinery is all nops.
+  */
+-#define __real_pte(e, p, o)           ((real_pte_t){(e)})
++static inline real_pte_t __real_pte(pte_t pte, pte_t *ptep, int offset)
++{
++      return (real_pte_t){pte};
++}
++
+ #define __rpte_to_pte(r)      ((r).pte)
+-#define __rpte_to_hidx(r,index)       (pte_val(__rpte_to_pte(r)) >> H_PAGE_F_GIX_SHIFT)
++
++static inline unsigned long __rpte_to_hidx(real_pte_t rpte, unsigned long index)
++{
++      return pte_val(__rpte_to_pte(rpte)) >> H_PAGE_F_GIX_SHIFT;
++}
+ #define pte_iterate_hashed_subpages(rpte, psize, va, index, shift)       \
+       do {                                                             \
+-- 
+2.39.5
+
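Review bot: The new `__real_pte()` and `__rpte_to_hidx()` inlines in hash-4k.h take `ptep`, `offset` and `index` only so that the callers' variables count as used, and nothing at the definitions says so. A comment such as `/* ptep and offset are unused with 4K pages; kept as parameters so callers do not trip -Wunused-but-set-variable */` would stop a later cleanup from turning them back into macros. `__rpte_to_pte()` is left as a macro between the two inlines, which reads inconsistently, though converting it is not needed for this fix.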
diff --git a/queue-5.4/powerpc-code-patching-fix-kasan-hit-by-not-flagging-.patch b/queue-5.4/powerpc-code-patching-fix-kasan-hit-by-not-flagging-.patch
new file mode 100644 (file)
index 0000000..07c9730
--- /dev/null
@@ -0,0 +1,112 @@
+From 39a1bad10afa8f3c014f17c569d6e26edf9356f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 07:46:28 +0100
+Subject: powerpc/code-patching: Fix KASAN hit by not flagging text patching
+ area as VM_ALLOC
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit d262a192d38e527faa5984629aabda2e0d1c4f54 ]
+
+Erhard reported the following KASAN hit while booting his PowerMac G4
+with a KASAN-enabled kernel 6.13-rc6:
+
+  BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8
+  Write of size 8 at addr f1000000 by task chronyd/1293
+
+  CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G        W          6.13.0-rc6-PMacG4 #2
+  Tainted: [W]=WARN
+  Hardware name: PowerMac3,6 7455 0x80010303 PowerMac
+  Call Trace:
+  [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)
+  [c24375b0] [c0504998] print_report+0xdc/0x504
+  [c2437610] [c050475c] kasan_report+0xf8/0x108
+  [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c
+  [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8
+  [c24376c0] [c004c014] patch_instructions+0x15c/0x16c
+  [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c
+  [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac
+  [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec
+  [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478
+  [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14
+  [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4
+  [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890
+  [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420
+  [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c
+  --- interrupt: c00 at 0x5a1274
+  NIP:  005a1274 LR: 006a3b3c CTR: 005296c8
+  REGS: c2437f40 TRAP: 0c00   Tainted: G        W           (6.13.0-rc6-PMacG4)
+  MSR:  0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI>  CR: 24004422  XER: 00000000
+
+  GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932
+  GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57
+  GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002
+  GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001
+  NIP [005a1274] 0x5a1274
+  LR [006a3b3c] 0x6a3b3c
+  --- interrupt: c00
+
+  The buggy address belongs to the virtual mapping at
+   [f1000000, f1002000) created by:
+   text_area_cpu_up+0x20/0x190
+
+  The buggy address belongs to the physical page:
+  page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30
+  flags: 0x80000000(zone=2)
+  raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001
+  raw: 00000000
+  page dumped because: kasan: bad access detected
+
+  Memory state around the buggy address:
+   f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+             ^
+   f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+   f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+  ==================================================================
+
+f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not
+initialised hence not supposed to be used yet.
+
+Powerpc text patching infrastructure allocates a virtual memory area
+using get_vm_area() and flags it as VM_ALLOC. But that flag is meant
+to be used for vmalloc() and vmalloc() allocated memory is not
+supposed to be used before a call to __vmalloc_node_range() which is
+never called for that area.
+
+That went undetected until commit e4137f08816b ("mm, kasan, kmsan:
+instrument copy_from/to_kernel_nofault")
+
+The area allocated by text_area_cpu_up() is not vmalloc memory, it is
+mapped directly on demand when needed by map_kernel_page(). There is
+no VM flag corresponding to such usage, so just pass no flag. That way
+the area will be unpoisonned and usable immediately.
+
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Closes: https://lore.kernel.org/all/20250112135832.57c92322@yea/
+Fixes: 37bc3e5fd764 ("powerpc/lib/code-patching: Use alternate map for patch_instruction()")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/06621423da339b374f48c0886e3a5db18e896be8.1739342693.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/lib/code-patching.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/lib/code-patching.c b/arch/powerpc/lib/code-patching.c
+index a05f289e613ed..f1eab35bab603 100644
+--- a/arch/powerpc/lib/code-patching.c
++++ b/arch/powerpc/lib/code-patching.c
+@@ -45,7 +45,7 @@ static int text_area_cpu_up(unsigned int cpu)
+ {
+       struct vm_struct *area;
+-      area = get_vm_area(PAGE_SIZE, VM_ALLOC);
++      area = get_vm_area(PAGE_SIZE, 0);
+       if (!area) {
+               WARN_ONCE(1, "Failed to create text area for cpu %d\n",
+                       cpu);
+-- 
+2.39.5
+
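Review bot: The bare `0` now passed to `get_vm_area()` in text_area_cpu_up() carries no explanation in the code; the reasoning lives only in the commit message. Since this area is what the text-patching path writes through, a comment at the call would keep the flag from being restored by mistake: `/* Not vmalloc memory: mapped on demand by map_kernel_page(), so no VM_ALLOC; KASAN would otherwise leave it poisoned */`. text_area_cpu_up() continues past the end of the hunk.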
index 83210db7f91dd8ac1f9985137a76ab5d172def7b..22e175a52b1e9f7161a1a5fec6246d8f2fc18aaa 100644 (file)
@@ -217,3 +217,26 @@ vlan-introduce-vlan_dev_free_egress_priority.patch
 vlan-move-dev_put-into-vlan_dev_uninit.patch
 scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch
 driver-core-bus-fix-double-free-in-driver-api-bus_register.patch
+crypto-testmgr-fix-wrong-key-length-for-pkcs1pad.patch
+crypto-testmgr-fix-wrong-test-case-of-rsa.patch
+crypto-testmgr-fix-version-number-of-rsa-tests.patch
+crypto-testmgr-populate-rsa-crt-parameters-in-rsa-te.patch
+crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch
+mm-update-mark_victim-tracepoints-fields.patch
+memcg-fix-soft-lockup-in-the-oom-process.patch
+usb-dwc3-increase-dwc3-controller-halt-timeout.patch
+usb-dwc3-fix-timeout-issue-during-controller-enter-e.patch
+usb-gadget-f_midi-convert-tasklets-to-use-new-taskle.patch
+usb-gadget-f_midi-replace-tasklet-with-work.patch
+usb-gadget-f_midi-f_midi_complete-to-call-queue_work.patch
+powerpc-64s-mm-move-__real_pte-stubs-into-hash-4k.h.patch
+powerpc-64s-rewrite-__real_pte-and-__rpte_to_hidx-as.patch
+alsa-hda-realtek-add-type-for-alc287.patch
+alsa-hda-realtek-fixup-alc225-depop-procedure.patch
+powerpc-code-patching-fix-kasan-hit-by-not-flagging-.patch
+geneve-fix-use-after-free-in-geneve_find_dev.patch
+gtp-suppress-list-corruption-splat-in-gtp_net_exit_b.patch
+geneve-suppress-list-corruption-splat-in-geneve_dest.patch
+net-extract-port-range-fields-from-fl_flow_key.patch
+flow_dissector-fix-handling-of-mixed-port-and-port-r.patch
+flow_dissector-fix-port-range-key-handling-in-bpf-co.patch
diff --git a/queue-5.4/usb-dwc3-fix-timeout-issue-during-controller-enter-e.patch b/queue-5.4/usb-dwc3-fix-timeout-issue-during-controller-enter-e.patch
new file mode 100644 (file)
index 0000000..8f947d8
--- /dev/null
@@ -0,0 +1,98 @@
+From 924d7750c49917c0699ffa0c3e563c00531d34af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Feb 2025 22:09:02 +0530
+Subject: usb: dwc3: Fix timeout issue during controller enter/exit from halt
+ state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Selvarasu Ganesan <selvarasu.g@samsung.com>
+
+[ Upstream commit d3a8c28426fc1fb3252753a9f1db0d691ffc21b0 ]
+
+There is a frequent timeout during controller enter/exit from halt state
+after toggling the run_stop bit by SW. This timeout occurs when
+performing frequent role switches between host and device, causing
+device enumeration issues due to the timeout. This issue was not present
+when USB2 suspend PHY was disabled by passing the SNPS quirks
+(snps,dis_u2_susphy_quirk and snps,dis_enblslpm_quirk) from the DTS.
+However, there is a requirement to enable USB2 suspend PHY by setting of
+GUSB2PHYCFG.ENBLSLPM and GUSB2PHYCFG.SUSPHY bits when controller starts
+in gadget or host mode results in the timeout issue.
+
+This commit addresses this timeout issue by ensuring that the bits
+GUSB2PHYCFG.ENBLSLPM and GUSB2PHYCFG.SUSPHY are cleared before starting
+the dwc3_gadget_run_stop sequence and restoring them after the
+dwc3_gadget_run_stop sequence is completed.
+
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Selvarasu Ganesan <selvarasu.g@samsung.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/20250201163903.459-1-selvarasu.g@samsung.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/gadget.c | 34 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index f9232c099f494..fd8b986794d0d 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1967,10 +1967,38 @@ static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend)
+ {
+       u32                     reg;
+       u32                     timeout = 2000;
++      u32                     saved_config = 0;
+       if (pm_runtime_suspended(dwc->dev))
+               return 0;
++      /*
++       * When operating in USB 2.0 speeds (HS/FS), ensure that
++       * GUSB2PHYCFG.ENBLSLPM and GUSB2PHYCFG.SUSPHY are cleared before starting
++       * or stopping the controller. This resolves timeout issues that occur
++       * during frequent role switches between host and device modes.
++       *
++       * Save and clear these settings, then restore them after completing the
++       * controller start or stop sequence.
++       *
++       * This solution was discovered through experimentation as it is not
++       * mentioned in the dwc3 programming guide. It has been tested on an
++       * Exynos platforms.
++       */
++      reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0));
++      if (reg & DWC3_GUSB2PHYCFG_SUSPHY) {
++              saved_config |= DWC3_GUSB2PHYCFG_SUSPHY;
++              reg &= ~DWC3_GUSB2PHYCFG_SUSPHY;
++      }
++
++      if (reg & DWC3_GUSB2PHYCFG_ENBLSLPM) {
++              saved_config |= DWC3_GUSB2PHYCFG_ENBLSLPM;
++              reg &= ~DWC3_GUSB2PHYCFG_ENBLSLPM;
++      }
++
++      if (saved_config)
++              dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg);
++
+       reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+       if (is_on) {
+               if (dwc->revision <= DWC3_REVISION_187A) {
+@@ -2003,6 +2031,12 @@ static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend)
+               reg &= DWC3_DSTS_DEVCTRLHLT;
+       } while (--timeout && !(!is_on ^ !reg));
++      if (saved_config) {
++              reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0));
++              reg |= saved_config;
++              dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg);
++      }
++
+       if (!timeout)
+               return -ETIMEDOUT;
+-- 
+2.39.5
+
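Review bot: The block comment added to dwc3_gadget_run_stop() opens with "When operating in USB 2.0 speeds (HS/FS)", but the code below it checks no speed and clears SUSPHY and ENBLSLPM on every call that finds them set. The comment would be more accurate as `/* Clear GUSB2PHYCFG.ENBLSLPM and .SUSPHY (if set) around every run/stop transition, whatever the speed; restored below, also on timeout */`. The register is read, modified and written twice with the DCTL poll in between, and the hunks show no lock around it, so whether another path can change GUSB2PHYCFG in that window depends on the callers and should be confirmed. Part of the function lies between the two hunks and is not shown.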
diff --git a/queue-5.4/usb-dwc3-increase-dwc3-controller-halt-timeout.patch b/queue-5.4/usb-dwc3-increase-dwc3-controller-halt-timeout.patch
new file mode 100644 (file)
index 0000000..8825a21
--- /dev/null
@@ -0,0 +1,47 @@
+From 9fee28e325247cfef1b7cdd40366be4d2ee4c11c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 12:36:23 -0700
+Subject: usb: dwc3: Increase DWC3 controller halt timeout
+
+From: Wesley Cheng <quic_wcheng@quicinc.com>
+
+[ Upstream commit 461ee467507cb98a348fa91ff8460908bb0ea423 ]
+
+Since EP0 transactions need to be completed before the controller halt
+sequence is finished, this may take some time depending on the host and the
+enabled functions.  Increase the controller halt timeout, so that we give
+the controller sufficient time to handle EP0 transfers.
+
+Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
+Link: https://lore.kernel.org/r/20220901193625.8727-4-quic_wcheng@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: d3a8c28426fc ("usb: dwc3: Fix timeout issue during controller enter/exit from halt state")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/gadget.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index 6caedef5575d7..f9232c099f494 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1966,7 +1966,7 @@ static void dwc3_stop_active_transfers(struct dwc3 *dwc)
+ static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend)
+ {
+       u32                     reg;
+-      u32                     timeout = 500;
++      u32                     timeout = 2000;
+       if (pm_runtime_suspended(dwc->dev))
+               return 0;
+@@ -1998,6 +1998,7 @@ static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend)
+       dwc3_writel(dwc->regs, DWC3_DCTL, reg);
+       do {
++              usleep_range(1000, 2000);
+               reg = dwc3_readl(dwc->regs, DWC3_DSTS);
+               reg &= DWC3_DSTS_DEVCTRLHLT;
+       } while (--timeout && !(!is_on ^ !reg));
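Review bot: The added `usleep_range(1000, 2000);` makes dwc3_gadget_run_stop() sleep on every poll of DWC3_DSTS, so each caller must now be in process context with no spinlock held. The callers are outside this hunk, and that should be confirmed for the 5.4 tree before this dependency is queued. A `might_sleep();` at the top of the function would surface a wrong calling context on the first call instead of only when the halt is slow. Together with `timeout = 2000` from the first hunk, the worst case grows to roughly 2–4 seconds of polling before `-ETIMEDOUT`, which deserves a comment at the loop such as `/* poll DEVCTRLHLT for up to ~2-4 s: EP0 transfers must complete first */`. The function body starts and ends outside the hunk.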
+-- 
+2.39.5
+
diff --git a/queue-5.4/usb-gadget-f_midi-convert-tasklets-to-use-new-taskle.patch b/queue-5.4/usb-gadget-f_midi-convert-tasklets-to-use-new-taskle.patch
new file mode 100644 (file)
index 0000000..e2819a0
--- /dev/null
@@ -0,0 +1,52 @@
+From e43373c965ec60d7adda4e724a9175acd7aa2868 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 14:32:06 +0530
+Subject: usb/gadget: f_midi: convert tasklets to use new tasklet_setup() API
+
+From: Allen Pais <allen.lkml@gmail.com>
+
+[ Upstream commit 6148c10f6b62a6df782d26522921f70cc8bf1d7f ]
+
+In preparation for unconditionally passing the
+struct tasklet_struct pointer to all tasklet
+callbacks, switch to using the new tasklet_setup()
+and from_tasklet() to pass the tasklet pointer explicitly.
+
+Signed-off-by: Romain Perier <romain.perier@gmail.com>
+Signed-off-by: Allen Pais <allen.lkml@gmail.com>
+Link: https://lore.kernel.org/r/20200817090209.26351-5-allen.cryptic@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 4ab37fcb4283 ("USB: gadget: f_midi: f_midi_complete to call queue_work")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_midi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
+index 54a09da8a7384..71aeaa2302edd 100644
+--- a/drivers/usb/gadget/function/f_midi.c
++++ b/drivers/usb/gadget/function/f_midi.c
+@@ -698,9 +698,9 @@ static void f_midi_transmit(struct f_midi *midi)
+       f_midi_drop_out_substreams(midi);
+ }
+-static void f_midi_in_tasklet(unsigned long data)
++static void f_midi_in_tasklet(struct tasklet_struct *t)
+ {
+-      struct f_midi *midi = (struct f_midi *) data;
++      struct f_midi *midi = from_tasklet(midi, t, tasklet);
+       f_midi_transmit(midi);
+ }
+@@ -875,7 +875,7 @@ static int f_midi_bind(struct usb_configuration *c, struct usb_function *f)
+       int status, n, jack = 1, i = 0, endpoint_descriptor_index = 0;
+       midi->gadget = cdev->gadget;
+-      tasklet_init(&midi->tasklet, f_midi_in_tasklet, (unsigned long) midi);
++      tasklet_setup(&midi->tasklet, f_midi_in_tasklet);
+       status = f_midi_register_card(midi);
+       if (status < 0)
+               goto fail_register;
+-- 
+2.39.5
+
diff --git a/queue-5.4/usb-gadget-f_midi-f_midi_complete-to-call-queue_work.patch b/queue-5.4/usb-gadget-f_midi-f_midi_complete-to-call-queue_work.patch
new file mode 100644 (file)
index 0000000..7455d66
--- /dev/null
@@ -0,0 +1,42 @@
+From 0b77160d9a3f3e7e930bf0209139d711b1d8f20f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Feb 2025 10:48:05 -0700
+Subject: USB: gadget: f_midi: f_midi_complete to call queue_work
+
+From: Jill Donahue <jilliandonahue58@gmail.com>
+
+[ Upstream commit 4ab37fcb42832cdd3e9d5e50653285ca84d6686f ]
+
+When using USB MIDI, a lock is attempted to be acquired twice through a
+re-entrant call to f_midi_transmit, causing a deadlock.
+
+Fix it by using queue_work() to schedule the inner f_midi_transmit() via
+a high priority work queue from the completion handler.
+
+Link: https://lore.kernel.org/all/CAArt=LjxU0fUZOj06X+5tkeGT+6RbXzpWg1h4t4Fwa_KGVAX6g@mail.gmail.com/
+Fixes: d5daf49b58661 ("USB: gadget: midi: add midi function driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Jill Donahue <jilliandonahue58@gmail.com>
+Link: https://lore.kernel.org/r/20250211174805.1369265-1-jdonahue@fender.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_midi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
+index 01c5736d381ef..3e8ea1bbe429a 100644
+--- a/drivers/usb/gadget/function/f_midi.c
++++ b/drivers/usb/gadget/function/f_midi.c
+@@ -282,7 +282,7 @@ f_midi_complete(struct usb_ep *ep, struct usb_request *req)
+                       /* Our transmit completed. See if there's more to go.
+                        * f_midi_transmit eats req, don't queue it again. */
+                       req->length = 0;
+-                      f_midi_transmit(midi);
++                      queue_work(system_highpri_wq, &midi->work);
+                       return;
+               }
+               break;
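Review bot: The comment kept directly above the changed line still reads `f_midi_transmit eats req, don't queue it again`, but with `queue_work(system_highpri_wq, &midi->work);` f_midi_transmit() no longer runs inside f_midi_complete(). It runs later from the work item, so the comment now describes a call that is not there. I would reword it to say why the call is deferred, for example `/* Our transmit completed. Defer f_midi_transmit() to the workqueue; calling it here can re-enter it with its lock already held. Don't queue req again. */`. The line also relies on `midi->work`, which only exists once the "Replace tasklet with work" dependency is applied, so the order in the series file matters. f_midi_complete() starts and continues outside the hunk.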
+-- 
+2.39.5
+
diff --git a/queue-5.4/usb-gadget-f_midi-replace-tasklet-with-work.patch b/queue-5.4/usb-gadget-f_midi-replace-tasklet-with-work.patch
new file mode 100644 (file)
index 0000000..fe0737f
--- /dev/null
@@ -0,0 +1,81 @@
+From 2da9d545c53c48d6a441242a8de0f88efc2238af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Jan 2021 20:28:55 -0800
+Subject: usb/gadget: f_midi: Replace tasklet with work
+
+From: Davidlohr Bueso <dave@stgolabs.net>
+
+[ Upstream commit 8653d71ce3763aedcf3d2331f59beda3fecd79e4 ]
+
+Currently a tasklet is used to transmit input substream buffer
+data. However, tasklets have long been deprecated as being too
+heavy on the system by running in irq context - and this is not
+a performance critical path. If a higher priority process wants
+to run, it must wait for the tasklet to finish before doing so.
+
+Deferring work to a workqueue and executing in process context
+should be fine considering the callback already does
+f_midi_do_transmit() under the transmit_lock and thus changes in
+semantics are ok regarding concurrency - tasklets being serialized
+against itself.
+
+Cc: Takashi Iwai <tiwai@suse.de>
+Reviewed-by: Takashi Iwai <tiwai@suse.de>
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Link: https://lore.kernel.org/r/20210111042855.73289-1-dave@stgolabs.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 4ab37fcb4283 ("USB: gadget: f_midi: f_midi_complete to call queue_work")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_midi.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
+index 71aeaa2302edd..01c5736d381ef 100644
+--- a/drivers/usb/gadget/function/f_midi.c
++++ b/drivers/usb/gadget/function/f_midi.c
+@@ -87,7 +87,7 @@ struct f_midi {
+       struct snd_rawmidi_substream *out_substream[MAX_PORTS];
+       unsigned long           out_triggered;
+-      struct tasklet_struct   tasklet;
++      struct work_struct      work;
+       unsigned int in_ports;
+       unsigned int out_ports;
+       int index;
+@@ -698,9 +698,11 @@ static void f_midi_transmit(struct f_midi *midi)
+       f_midi_drop_out_substreams(midi);
+ }
+-static void f_midi_in_tasklet(struct tasklet_struct *t)
++static void f_midi_in_work(struct work_struct *work)
+ {
+-      struct f_midi *midi = from_tasklet(midi, t, tasklet);
++      struct f_midi *midi;
++
++      midi = container_of(work, struct f_midi, work);
+       f_midi_transmit(midi);
+ }
+@@ -737,7 +739,7 @@ static void f_midi_in_trigger(struct snd_rawmidi_substream *substream, int up)
+       VDBG(midi, "%s() %d\n", __func__, up);
+       midi->in_ports_array[substream->number].active = up;
+       if (up)
+-              tasklet_hi_schedule(&midi->tasklet);
++              queue_work(system_highpri_wq, &midi->work);
+ }
+ static int f_midi_out_open(struct snd_rawmidi_substream *substream)
+@@ -875,7 +877,7 @@ static int f_midi_bind(struct usb_configuration *c, struct usb_function *f)
+       int status, n, jack = 1, i = 0, endpoint_descriptor_index = 0;
+       midi->gadget = cdev->gadget;
+-      tasklet_setup(&midi->tasklet, f_midi_in_tasklet);
++      INIT_WORK(&midi->work, f_midi_in_work);
+       status = f_midi_register_card(midi);
+       if (status < 0)
+               goto fail_register;
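Review bot: `INIT_WORK(&midi->work, f_midi_in_work);` gives `struct f_midi` a work item that can sit on `system_highpri_wq`, but none of the hunks in this patch add a matching cancel on the teardown side. The removed tasklet lines show no `tasklet_kill()` either, so this may be pre-existing. The disable, unbind and free paths are outside the hunks. If the work can still be pending when `midi` is released, f_midi_in_work() would run `container_of()` on freed memory. I would confirm that `cancel_work_sync(&midi->work);` (or an equivalent flush) runs before the structure is freed, and on the `fail_register` path if work can already be queued by then. f_midi_bind() continues past the end of the hunk.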
+-- 
+2.39.5
+