--- /dev/null
+From 78cfd17142ef70599d6409cbd709d94b3da58659 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Tue, 7 May 2024 12:39:28 +0200
+Subject: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
+
+Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
+with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
+In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
+roundup_pow_of_two is documented as undefined for 0.
+
+Fix it in the one caller that had this combination.
+
+The undefined behavior was detected by UBSAN:
+ UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
+ shift exponent 64 is too large for 64-bit type 'long unsigned int'
+ CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
+ Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x5d/0x80
+ ubsan_epilogue+0x5/0x30
+ __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
+ __roundup_pow_of_two+0x25/0x35 [bnxt_re]
+ bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
+ bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
+ bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? __kmalloc+0x1b6/0x4f0
+ ? create_qp.part.0+0x128/0x1c0 [ib_core]
+ ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
+ create_qp.part.0+0x128/0x1c0 [ib_core]
+ ib_create_qp_kernel+0x50/0xd0 [ib_core]
+ create_mad_qp+0x8e/0xe0 [ib_core]
+ ? __pfx_qp_event_handler+0x10/0x10 [ib_core]
+ ib_mad_init_device+0x2be/0x680 [ib_core]
+ add_client_context+0x10d/0x1a0 [ib_core]
+ enable_device_and_get+0xe0/0x1d0 [ib_core]
+ ib_register_device+0x53c/0x630 [ib_core]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
+ ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
+ auxiliary_bus_probe+0x49/0x80
+ ? driver_sysfs_add+0x57/0xc0
+ really_probe+0xde/0x340
+ ? pm_runtime_barrier+0x54/0x90
+ ? __pfx___driver_attach+0x10/0x10
+ __driver_probe_device+0x78/0x110
+ driver_probe_device+0x1f/0xa0
+ __driver_attach+0xba/0x1c0
+ bus_for_each_dev+0x8f/0xe0
+ bus_add_driver+0x146/0x220
+ driver_register+0x72/0xd0
+ __auxiliary_driver_register+0x6e/0xd0
+ ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
+ bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
+ ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
+ do_one_initcall+0x5b/0x310
+ do_init_module+0x90/0x250
+ init_module_from_file+0x86/0xc0
+ idempotent_init_module+0x121/0x2b0
+ __x64_sys_finit_module+0x5e/0xb0
+ do_syscall_64+0x82/0x160
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? syscall_exit_to_user_mode_prepare+0x149/0x170
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? syscall_exit_to_user_mode+0x75/0x230
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? do_syscall_64+0x8e/0x160
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? __count_memcg_events+0x69/0x100
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? count_memcg_events.constprop.0+0x1a/0x30
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? handle_mm_fault+0x1f0/0x300
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? do_user_addr_fault+0x34e/0x640
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f4e5132821d
+ Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
+ RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+ RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
+ RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
+ RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
+ R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
+ R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
+ </TASK>
+ ---[ end trace ]---
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
+Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -1014,7 +1014,8 @@ int bnxt_qplib_create_qp(struct bnxt_qpl
+ hwq_attr.stride = sizeof(struct sq_sge);
+ hwq_attr.depth = bnxt_qplib_get_depth(sq);
+ hwq_attr.aux_stride = psn_sz;
+- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
++ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
++ : 0;
+ hwq_attr.type = HWQ_TYPE_QUEUE;
+ rc = bnxt_qplib_alloc_init_hwq(&sq->hwq, &hwq_attr);
+ if (rc)
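Review bot: The guard against `roundup_pow_of_two(0)` now lives only at this call site, and nothing on the new `hwq_attr.aux_depth` line says why the depth is tied to `psn_sz`. A short comment above the assignment would keep the invariant visible, for example `/* aux_depth must be 0 when aux_stride is 0: roundup_pow_of_two(0) is undefined */`. Per the commit message, bnxt_qplib_alloc_init_hwq still reaches the shift whenever `aux_depth != 0` and `aux_stride == 0`, so a later caller could reintroduce the same undefined behavior; rejecting that combination inside the callee (not visible in this hunk) would enforce it in one place. bnxt_qplib_create_qp starts before and continues past the hunk.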
--- /dev/null
+From 6e4b4f0eca88e47def703f90a403fef5b96730d5 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@kernel.org>
+Date: Thu, 12 Jan 2023 19:51:50 +0000
+Subject: kselftest/arm64: Initialise current at build time in signal tests
+
+From: Mark Brown <broonie@kernel.org>
+
+commit 6e4b4f0eca88e47def703f90a403fef5b96730d5 upstream.
+
+When building with clang the toolchain refuses to link the signals
+testcases since the assembly code has a reference to current which has
+no initialiser so is placed in the BSS:
+
+ /tmp/signals-af2042.o: in function `fake_sigreturn':
+ <unknown>:51:(.text+0x40): relocation truncated to fit: R_AARCH64_LD_PREL_LO19 against symbol `current' defined in .bss section in /tmp/test_signals-ec1160.o
+
+Since the first statement in main() initialises current we may as well
+fix this by moving the initialisation to build time so the variable
+doesn't end up in the BSS.
+
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://lore.kernel.org/r/20230111-arm64-kselftest-clang-v1-4-89c69d377727@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/arm64/signal/test_signals.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/arm64/signal/test_signals.c
++++ b/tools/testing/selftests/arm64/signal/test_signals.c
+@@ -12,12 +12,10 @@
+ #include "test_signals.h"
+ #include "test_signals_utils.h"
+
+-struct tdescr *current;
++struct tdescr *current = &tde;
+
+ int main(int argc, char *argv[])
+ {
+- current = &tde;
+-
+ ksft_print_msg("%s :: %s\n", current->name, current->descr);
+ if (test_setup(current) && test_init(current)) {
+ test_run(current);
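Review bot: The new initializer `struct tdescr *current = &tde;` reads like a stylistic choice, so a later cleanup could move the assignment back into main() and break the clang link again. A comment on the definition would record the reason, for example `/* Initialised at build time: the assembly references current, so it must not land in .bss */`. That wording follows the linker error quoted in the commit message. main() continues past the end of the hunk.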
--- /dev/null
+From ecf2b43018da9579842c774b7f35dbe11b5c38dd Mon Sep 17 00:00:00 2001
+From: Benoit Sevens <bsevens@google.com>
+Date: Thu, 7 Nov 2024 14:22:02 +0000
+Subject: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
+
+From: Benoit Sevens <bsevens@google.com>
+
+commit ecf2b43018da9579842c774b7f35dbe11b5c38dd upstream.
+
+This can lead to out of bounds writes since frames of this type were not
+taken into account when calculating the size of the frames buffer in
+uvc_parse_streaming.
+
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Signed-off-by: Benoit Sevens <bsevens@google.com>
+Cc: stable@vger.kernel.org
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -368,7 +368,7 @@ static int uvc_parse_format(struct uvc_d
+ * Parse the frame descriptors. Only uncompressed, MJPEG and frame
+ * based formats have frame descriptors.
+ */
+- while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
++ while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
+ buffer[2] == ftype) {
+ frame = &format->frame[format->nframes];
+ if (ftype != UVC_VS_FRAME_FRAME_BASED)
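Review bot: The added `ftype &&` test in the `while` condition depends on an unstated convention: ftype is apparently left at 0 for formats without frame descriptors, and (as the subject line implies) 0 is also the value of UVC_VS_UNDEFINED. The existing comment above the loop should say so, for example by adding `Formats without frame descriptors leave ftype at 0 (UVC_VS_UNDEFINED); such descriptors are not counted by uvc_parse_streaming and must not be stored.` The store through `format->frame[format->nframes]` on the next line is still not bounded in the visible code, so memory safety continues to rest on this loop and the size calculation in uvc_parse_streaming agreeing on which descriptors count. The loop body and the rest of uvc_parse_format lie outside the hunk.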
--- /dev/null
+From ac888d58869bb99753e7652be19a151df9ecb35d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 8 Oct 2024 14:31:10 +0000
+Subject: net: do not delay dst_entries_add() in dst_release()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit ac888d58869bb99753e7652be19a151df9ecb35d upstream.
+
+dst_entries_add() uses per-cpu data that might be freed at netns
+dismantle from ip6_route_net_exit() calling dst_entries_destroy()
+
+Before ip6_route_net_exit() can be called, we release all
+the dsts associated with this netns, via calls to dst_release(),
+which waits an rcu grace period before calling dst_destroy()
+
+dst_entries_add() use in dst_destroy() is racy, because
+dst_entries_destroy() could have been called already.
+
+Decrementing the number of dsts must happen sooner.
+
+Notes:
+
+1) in CONFIG_XFRM case, dst_destroy() can call
+ dst_release_immediate(child), this might also cause UAF
+ if the child does not have DST_NOCOUNT set.
+ IPSEC maintainers might take a look and see how to address this.
+
+2) There is also discussion about removing this count of dst,
+ which might happen in future kernels.
+
+Fixes: f88649721268 ("ipv4: fix dst race in sk_dst_get()")
+Closes: https://lore.kernel.org/lkml/CANn89iLCCGsP7SFn9HKpvnKu96Td4KD08xf7aGtiYgZnkjaL=w@mail.gmail.com/T/
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Xin Long <lucien.xin@gmail.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/20241008143110.1064899-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+[ resolved conflict due to bc9d3a9f2afc ("net: dst: Switch to rcuref_t
+ reference counting") is not in the tree ]
+Signed-off-by: Abdelkareem Abdelsaamad <kareemem@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dst.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -108,9 +108,6 @@ struct dst_entry *dst_destroy(struct dst
+ child = xdst->child;
+ }
+ #endif
+- if (!(dst->flags & DST_NOCOUNT))
+- dst_entries_add(dst->ops, -1);
+-
+ if (dst->ops->destroy)
+ dst->ops->destroy(dst);
+ netdev_put(dst->dev, &dst->dev_tracker);
+@@ -160,6 +157,12 @@ void dst_dev_put(struct dst_entry *dst)
+ }
+ EXPORT_SYMBOL(dst_dev_put);
+
++static void dst_count_dec(struct dst_entry *dst)
++{
++ if (!(dst->flags & DST_NOCOUNT))
++ dst_entries_add(dst->ops, -1);
++}
++
+ void dst_release(struct dst_entry *dst)
+ {
+ if (dst) {
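Review bot: dst_count_dec() is added without a comment, and the ordering it exists to enforce is the whole fix. Something like `/* Must run before the RCU grace period: the per-cpu counters behind dst_entries_add() may be freed by dst_entries_destroy() at netns dismantle. */` above the helper would stop a later refactor from moving the decrement back into dst_destroy(). With the decrement removed from dst_destroy() in the previous hunk, any path that calls dst_destroy() without going through dst_release() or dst_release_immediate() would no longer update the counter; no such caller is visible here, so this is worth confirming against the backport target. dst_release() continues in the next hunk.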
+@@ -169,8 +172,10 @@ void dst_release(struct dst_entry *dst)
+ if (WARN_ONCE(newrefcnt < 0, "dst_release underflow"))
+ net_warn_ratelimited("%s: dst:%p refcnt:%d\n",
+ __func__, dst, newrefcnt);
+- if (!newrefcnt)
++ if (!newrefcnt){
++ dst_count_dec(dst);
+ call_rcu(&dst->rcu_head, dst_destroy_rcu);
++ }
+ }
+ }
+ EXPORT_SYMBOL(dst_release);
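Review bot: The new `if (!newrefcnt){` in dst_release() is missing the space before the opening brace that kernel coding style (and checkpatch) expects; it should read `if (!newrefcnt) {`. The same line is added in dst_release_immediate() in the following hunk.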
+@@ -184,8 +189,10 @@ void dst_release_immediate(struct dst_en
+ if (WARN_ONCE(newrefcnt < 0, "dst_release_immediate underflow"))
+ net_warn_ratelimited("%s: dst:%p refcnt:%d\n",
+ __func__, dst, newrefcnt);
+- if (!newrefcnt)
++ if (!newrefcnt){
++ dst_count_dec(dst);
+ dst_destroy(dst);
++ }
+ }
+ }
+ EXPORT_SYMBOL(dst_release_immediate);
--- /dev/null
+From b16c79dcfd1f0c92b817e6f39e5880d34581dd63 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 10 Nov 2024 06:02:40 +0100
+Subject: Revert "wifi: mac80211: fix RCU list iterations"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit b0b2dc1eaa7ec509e07a78c9974097168ae565b7 which is
+commit ac35180032fbc5d80b29af00ba4881815ceefcb6 upstream.
+
+It should not have been backported here due to lack of other rcu
+changes in the stable branches.
+
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Cc: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/chan.c | 4 +---
+ net/mac80211/mlme.c | 2 +-
+ net/mac80211/scan.c | 2 +-
+ net/mac80211/util.c | 4 +---
+ 4 files changed, 4 insertions(+), 8 deletions(-)
+
+--- a/net/mac80211/chan.c
++++ b/net/mac80211/chan.c
+@@ -245,9 +245,7 @@ ieee80211_get_max_required_bw(struct iee
+ enum nl80211_chan_width max_bw = NL80211_CHAN_WIDTH_20_NOHT;
+ struct sta_info *sta;
+
+- lockdep_assert_wiphy(sdata->local->hw.wiphy);
+-
+- list_for_each_entry(sta, &sdata->local->sta_list, list) {
++ list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
+ if (sdata != sta->sdata &&
+ !(sta->sdata->bss && sta->sdata->bss == sdata->bss))
+ continue;
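Review bot: After this revert the walk over `sdata->local->sta_list` uses `list_for_each_entry_rcu()` with no lockdep condition, and the removed `lockdep_assert_wiphy()` was the only statement in the hunk documenting what protects the list. If a caller reaches this function holding a mutex rather than inside an RCU read-side section, builds with RCU list debugging enabled would be expected to warn here; the callers are not visible, so that needs checking against the stable branch. A one-line comment naming the protection the callers actually hold, such as `/* sta_list: callers hold <lock> or rcu_read_lock() */` with the placeholder filled in, would make the restored state reviewable. The same applies to the traversals of `local->interfaces` restored in mlme.c, scan.c and util.c, where util.c also loses its `lockdep_is_held()` conditions.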
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -660,7 +660,7 @@ static bool ieee80211_add_vht_ie(struct
+ bool disable_mu_mimo = false;
+ struct ieee80211_sub_if_data *other;
+
+- list_for_each_entry(other, &local->interfaces, list) {
++ list_for_each_entry_rcu(other, &local->interfaces, list) {
+ if (other->vif.bss_conf.mu_mimo_owner) {
+ disable_mu_mimo = true;
+ break;
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@ -501,7 +501,7 @@ static void __ieee80211_scan_completed(s
+ * the scan was in progress; if there was none this will
+ * just be a no-op for the particular interface.
+ */
+- list_for_each_entry(sdata, &local->interfaces, list) {
++ list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ if (ieee80211_sdata_running(sdata))
+ ieee80211_queue_work(&sdata->local->hw, &sdata->work);
+ }
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -767,9 +767,7 @@ static void __iterate_interfaces(struct
+ struct ieee80211_sub_if_data *sdata;
+ bool active_only = iter_flags & IEEE80211_IFACE_ITER_ACTIVE;
+
+- list_for_each_entry_rcu(sdata, &local->interfaces, list,
+- lockdep_is_held(&local->iflist_mtx) ||
+- lockdep_is_held(&local->hw.wiphy->mtx)) {
++ list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ switch (sdata->vif.type) {
+ case NL80211_IFTYPE_MONITOR:
+ if (!(sdata->u.mntr.flags & MONITOR_FLAG_ACTIVE))
arm64-kconfig-make-sme-depend-on-broken-for-now.patch
btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch
riscv-purgatory-align-riscv_kernel_entry.patch
+bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib_alloc_init_hwq.patch
+revert-wifi-mac80211-fix-rcu-list-iterations.patch
+net-do-not-delay-dst_entries_add-in-dst_release.patch
+kselftest-arm64-initialise-current-at-build-time-in-signal-tests.patch
+media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch