Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.4/be2net-fix-potential-memory-leak-in-be_xmit.patch b/queue-5.4/be2net-fix-potential-memory-leak-in-be_xmit.patch
new file mode 100644 (file)
index 0000000..19cc70d
--- /dev/null
+++ b/queue-5.4/be2net-fix-potential-memory-leak-in-be_xmit.patch
@@ -0,0 +1,61 @@
+From 8ffd15a20d01b67ece27b1c3b00436310659a7f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 22:48:02 +0800
+Subject: be2net: fix potential memory leak in be_xmit()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit e4dd8bfe0f6a23acd305f9b892c00899089bd621 ]
+
+The be_xmit() returns NETDEV_TX_OK without freeing skb
+in case of be_xmit_enqueue() fails, add dev_kfree_skb_any() to fix it.
+
+Fixes: 760c295e0e8d ("be2net: Support for OS2BMC.")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Message-ID: <20241015144802.12150-1-wanghai38@huawei.com>
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index a7a3e2ee06768..51dddf63d40f7 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -1383,10 +1383,8 @@ static netdev_tx_t be_xmit(struct sk_buff *skb, struct net_device *netdev)
+       be_get_wrb_params_from_skb(adapter, skb, &wrb_params);
+ 
+       wrb_cnt = be_xmit_enqueue(adapter, txo, skb, &wrb_params);
+-      if (unlikely(!wrb_cnt)) {
+-              dev_kfree_skb_any(skb);
+-              goto drop;
+-      }
++      if (unlikely(!wrb_cnt))
++              goto drop_skb;
+ 
+       /* if os2bmc is enabled and if the pkt is destined to bmc,
+        * enqueue the pkt a 2nd time with mgmt bit set.
+@@ -1395,7 +1393,7 @@ static netdev_tx_t be_xmit(struct sk_buff *skb, struct net_device *netdev)
+               BE_WRB_F_SET(wrb_params.features, OS2BMC, 1);
+               wrb_cnt = be_xmit_enqueue(adapter, txo, skb, &wrb_params);
+               if (unlikely(!wrb_cnt))
+-                      goto drop;
++                      goto drop_skb;
+               else
+                       skb_get(skb);
+       }
+@@ -1409,6 +1407,8 @@ static netdev_tx_t be_xmit(struct sk_buff *skb, struct net_device *netdev)
+               be_xmit_flush(adapter, txo);
+ 
+       return NETDEV_TX_OK;
++drop_skb:
++      dev_kfree_skb_any(skb);
+ drop:
+       tx_stats(txo)->tx_drv_drops++;
+       /* Flush the already enqueued tx requests */
+-- 
+2.43.0
+

diff --git a/queue-5.4/dt-bindings-power-add-r8a774b1-sysc-power-domain-def.patch b/queue-5.4/dt-bindings-power-add-r8a774b1-sysc-power-domain-def.patch
new file mode 100644 (file)
index 0000000..1d26e28
--- /dev/null
+++ b/queue-5.4/dt-bindings-power-add-r8a774b1-sysc-power-domain-def.patch
@@ -0,0 +1,57 @@
+From 578bd0a3851ba5352f529adbee00bf943c7ba22b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2019 07:52:06 +0100
+Subject: dt-bindings: power: Add r8a774b1 SYSC power domain definitions
+
+From: Biju Das <biju.das@bp.renesas.com>
+
+[ Upstream commit be67c41781cb4c06a4acb0b92db0cbb728e955e2 ]
+
+This patch adds power domain indices for the RZ/G2N (a.k.a r8a774b1)
+SoC.
+
+Signed-off-by: Biju Das <biju.das@bp.renesas.com>
+Link: https://lore.kernel.org/r/1567666326-27373-1-git-send-email-biju.das@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Stable-dep-of: 8a7d12d674ac ("net: usb: usbnet: fix name regression")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/dt-bindings/power/r8a774b1-sysc.h | 26 +++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+ create mode 100644 include/dt-bindings/power/r8a774b1-sysc.h
+
+diff --git a/include/dt-bindings/power/r8a774b1-sysc.h b/include/dt-bindings/power/r8a774b1-sysc.h
+new file mode 100644
+index 0000000000000..373736402f048
+--- /dev/null
++++ b/include/dt-bindings/power/r8a774b1-sysc.h
+@@ -0,0 +1,26 @@
++/* SPDX-License-Identifier: GPL-2.0
++ *
++ * Copyright (C) 2019 Renesas Electronics Corp.
++ */
++#ifndef __DT_BINDINGS_POWER_R8A774B1_SYSC_H__
++#define __DT_BINDINGS_POWER_R8A774B1_SYSC_H__
++
++/*
++ * These power domain indices match the numbers of the interrupt bits
++ * representing the power areas in the various Interrupt Registers
++ * (e.g. SYSCISR, Interrupt Status Register)
++ */
++
++#define R8A774B1_PD_CA57_CPU0          0
++#define R8A774B1_PD_CA57_CPU1          1
++#define R8A774B1_PD_A3VP               9
++#define R8A774B1_PD_CA57_SCU          12
++#define R8A774B1_PD_A3VC              14
++#define R8A774B1_PD_3DG_A             17
++#define R8A774B1_PD_3DG_B             18
++#define R8A774B1_PD_A2VC1             26
++
++/* Always-on power area */
++#define R8A774B1_PD_ALWAYS_ON         32
++
++#endif /* __DT_BINDINGS_POWER_R8A774B1_SYSC_H__ */
+-- 
+2.43.0
+

diff --git a/queue-5.4/net-sched-fix-use-after-free-in-taprio_change.patch b/queue-5.4/net-sched-fix-use-after-free-in-taprio_change.patch
new file mode 100644 (file)
index 0000000..34fe1d6
--- /dev/null
+++ b/queue-5.4/net-sched-fix-use-after-free-in-taprio_change.patch
@@ -0,0 +1,45 @@
+From b1b87ba7de0e0a4521dc5f6ec0929caf7e9c5eec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 08:13:38 +0300
+Subject: net: sched: fix use-after-free in taprio_change()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit f504465970aebb2467da548f7c1efbbf36d0f44b ]
+
+In 'taprio_change()', 'admin' pointer may become dangling due to sched
+switch / removal caused by 'advance_sched()', and critical section
+protected by 'q->current_entry_lock' is too small to prevent from such
+a scenario (which causes use-after-free detected by KASAN). Fix this
+by prefer 'rcu_replace_pointer()' over 'rcu_assign_pointer()' to update
+'admin' immediately before an attempt to schedule freeing.
+
+Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule")
+Reported-by: syzbot+b65e0af58423fc8a73aa@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20241018051339.418890-1-dmantipov@yandex.ru
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_taprio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
+index b8e26013bd75f..8fccb30e3ee9b 100644
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -1591,7 +1591,8 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
+ 
+               taprio_start_sched(sch, start, new_admin);
+ 
+-              rcu_assign_pointer(q->admin_sched, new_admin);
++              admin = rcu_replace_pointer(q->admin_sched, new_admin,
++                                          lockdep_rtnl_is_held());
+               if (admin)
+                       call_rcu(&admin->rcu, taprio_free_sched_cb);
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.4/net-sun3_82586-fix-potential-memory-leak-in-sun3_825.patch b/queue-5.4/net-sun3_82586-fix-potential-memory-leak-in-sun3_825.patch
new file mode 100644 (file)
index 0000000..16a302d
--- /dev/null
+++ b/queue-5.4/net-sun3_82586-fix-potential-memory-leak-in-sun3_825.patch
@@ -0,0 +1,37 @@
+From d7a678cca0f7b0b5695343c0a2d7827f82378c3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 22:41:48 +0800
+Subject: net/sun3_82586: fix potential memory leak in sun3_82586_send_packet()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 2cb3f56e827abb22c4168ad0c1bbbf401bb2f3b8 ]
+
+The sun3_82586_send_packet() returns NETDEV_TX_OK without freeing skb
+in case of skb->len being too long, add dev_kfree_skb() to fix it.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Message-ID: <20241015144148.7918-1-wanghai38@huawei.com>
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/i825xx/sun3_82586.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/i825xx/sun3_82586.c b/drivers/net/ethernet/i825xx/sun3_82586.c
+index e0c9fee4e1e65..7948d59b96282 100644
+--- a/drivers/net/ethernet/i825xx/sun3_82586.c
++++ b/drivers/net/ethernet/i825xx/sun3_82586.c
+@@ -1015,6 +1015,7 @@ sun3_82586_send_packet(struct sk_buff *skb, struct net_device *dev)
+       if(skb->len > XMIT_BUFF_SIZE)
+       {
+               printk("%s: Sorry, max. framelength is %d bytes. The length of your frame is %d bytes.\n",dev->name,XMIT_BUFF_SIZE,skb->len);
++              dev_kfree_skb(skb);
+               return NETDEV_TX_OK;
+       }
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.4/net-usb-usbnet-fix-name-regression.patch b/queue-5.4/net-usb-usbnet-fix-name-regression.patch
new file mode 100644 (file)
index 0000000..2c9fa2f
--- /dev/null
+++ b/queue-5.4/net-usb-usbnet-fix-name-regression.patch
@@ -0,0 +1,46 @@
+From 908619874dd450b7eafd115c5e04c037e6c414d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 09:18:37 +0200
+Subject: net: usb: usbnet: fix name regression
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 8a7d12d674ac6f2147c18f36d1e15f1a48060edf ]
+
+The fix for MAC addresses broke detection of the naming convention
+because it gave network devices no random MAC before bind()
+was called. This means that the check for the local assignment bit
+was always negative as the address was zeroed from allocation,
+instead of from overwriting the MAC with a unique hardware address.
+
+The correct check for whether bind() has altered the MAC is
+done with is_zero_ether_addr
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: Greg Thelen <gthelen@google.com>
+Diagnosed-by: John Sperbeck <jsperbeck@google.com>
+Fixes: bab8eb0dd4cb9 ("usbnet: modern method to get random MAC")
+Link: https://patch.msgid.link/20241017071849.389636-1-oneukum@suse.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 240511b4246db..7439f4ab72c57 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1735,7 +1735,8 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+               // can rename the link if it knows better.
+               if ((dev->driver_info->flags & FLAG_ETHER) != 0 &&
+                   ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 ||
+-                   (net->dev_addr [0] & 0x02) == 0))
++                   /* somebody touched it*/
++                   !is_zero_ether_addr(net->dev_addr)))
+                       strscpy(net->name, "eth%d", sizeof(net->name));
+               /* WLAN devices should always be named "wlan%d" */
+               if ((dev->driver_info->flags & FLAG_WLAN) != 0)
+-- 
+2.43.0
+

diff --git a/queue-5.4/posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch b/queue-5.4/posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch
new file mode 100644 (file)
index 0000000..0ce614a
--- /dev/null
+++ b/queue-5.4/posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch
@@ -0,0 +1,58 @@
+From 57564d903d9b247fb54ae662f8d1a8621226df6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 18:07:48 +0800
+Subject: posix-clock: posix-clock: Fix unbalanced locking in
+ pc_clock_settime()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 6e62807c7fbb3c758d233018caf94dfea9c65dbd ]
+
+If get_clock_desc() succeeds, it calls fget() for the clockid's fd,
+and get the clk->rwsem read lock, so the error path should release
+the lock to make the lock balance and fput the clockid's fd to make
+the refcount balance and release the fd related resource.
+
+However the below commit left the error path locked behind resulting in
+unbalanced locking. Check timespec64_valid_strict() before
+get_clock_desc() to fix it, because the "ts" is not changed
+after that.
+
+Fixes: d8794ac20a29 ("posix-clock: Fix missing timespec64 check in pc_clock_settime()")
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Acked-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
+[pabeni@redhat.com: fixed commit message typo]
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/posix-clock.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c
+index 369bb5caa8e3a..d123478a32c43 100644
+--- a/kernel/time/posix-clock.c
++++ b/kernel/time/posix-clock.c
+@@ -290,6 +290,9 @@ static int pc_clock_settime(clockid_t id, const struct timespec64 *ts)
+       struct posix_clock_desc cd;
+       int err;
+ 
++      if (!timespec64_valid_strict(ts))
++              return -EINVAL;
++
+       err = get_clock_desc(id, &cd);
+       if (err)
+               return err;
+@@ -299,9 +302,6 @@ static int pc_clock_settime(clockid_t id, const struct timespec64 *ts)
+               goto out;
+       }
+ 
+-      if (!timespec64_valid_strict(ts))
+-              return -EINVAL;
+-
+       if (cd.clk->ops.clock_settime)
+               err = cd.clk->ops.clock_settime(cd.clk, ts);
+       else
+-- 
+2.43.0
+

diff --git a/queue-5.4/r8169-avoid-unsolicited-interrupts.patch b/queue-5.4/r8169-avoid-unsolicited-interrupts.patch
new file mode 100644 (file)
index 0000000..56af479
--- /dev/null
+++ b/queue-5.4/r8169-avoid-unsolicited-interrupts.patch
@@ -0,0 +1,49 @@
+From e711400e44092cb1b3e0d7770eaaabbbac14d390 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 11:08:16 +0200
+Subject: r8169: avoid unsolicited interrupts
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 10ce0db787004875f4dba068ea952207d1d8abeb ]
+
+It was reported that after resume from suspend a PCI error is logged
+and connectivity is broken. Error message is:
+PCI error (cmd = 0x0407, status_errs = 0x0000)
+The message seems to be a red herring as none of the error bits is set,
+and the PCI command register value also is normal. Exception handling
+for a PCI error includes a chip reset what apparently brakes connectivity
+here. The interrupt status bit triggering the PCI error handling isn't
+actually used on PCIe chip versions, so it's not clear why this bit is
+set by the chip. Fix this by ignoring this bit on PCIe chip versions.
+
+Fixes: 0e4851502f84 ("r8169: merge with version 8.001.00 of Realtek's r8168 driver")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219388
+Tested-by: Atlas Yu <atlas.yu@canonical.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/78e2f535-438f-4212-ad94-a77637ac6c9c@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index bb5f70ce63b3d..14bac7c0e6f90 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -6237,7 +6237,9 @@ static irqreturn_t rtl8169_interrupt(int irq, void *dev_instance)
+           !(status & tp->irq_mask))
+               return IRQ_NONE;
+ 
+-      if (unlikely(status & SYSErr)) {
++      /* At least RTL8168fp may unexpectedly set the SYSErr bit */
++      if (unlikely(status & SYSErr &&
++          tp->mac_version <= RTL_GIGA_MAC_VER_06)) {
+               rtl8169_pcierr_interrupt(tp->dev);
+               goto out;
+       }
+-- 
+2.43.0
+

diff --git a/queue-5.4/series b/queue-5.4/series
index 80e37cd56ee7da3d52d1c58e0856ff967c2f2f41..81ea99df32229c764dd6a3bcec8846056825f9c6 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -405,3 +405,10 @@ drm-vboxvideo-replace-fake-vla-at-end-of-vbva_mouse_.patch
 udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
 jfs-fix-sanity-check-in-dbmount.patch
 tracing-consider-the-null-character-when-validating-.patch
+net-sun3_82586-fix-potential-memory-leak-in-sun3_825.patch
+be2net-fix-potential-memory-leak-in-be_xmit.patch
+dt-bindings-power-add-r8a774b1-sysc-power-domain-def.patch
+net-usb-usbnet-fix-name-regression.patch
+net-sched-fix-use-after-free-in-taprio_change.patch
+r8169-avoid-unsolicited-interrupts.patch
+posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch