Fixes for 5.10
authorSasha Levin <sashal@kernel.org>
Sun, 20 Aug 2023 23:42:07 +0000 (19:42 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 20 Aug 2023 23:42:07 +0000 (19:42 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
38 files changed:
queue-5.10/alsa-hda-realtek-remodified-3k-pull-low-procedure.patch [new file with mode: 0644]
queue-5.10/arm64-dts-rockchip-add-es8316-codec-for-rock-pi-4.patch [new file with mode: 0644]
queue-5.10/arm64-dts-rockchip-add-spdif-node-for-rock-pi-4.patch [new file with mode: 0644]
queue-5.10/arm64-dts-rockchip-disable-hs400-for-emmc-on-rock-pi.patch [new file with mode: 0644]
queue-5.10/arm64-dts-rockchip-fix-regulator-name-on-rk3399-rock.patch [new file with mode: 0644]
queue-5.10/arm64-dts-rockchip-fix-supplies-on-rk3399-rock-pi-4.patch [new file with mode: 0644]
queue-5.10/arm64-dts-rockchip-sort-nodes-properties-on-rk3399-r.patch [new file with mode: 0644]
queue-5.10/arm64-dts-rockchip-use-usb-host-by-default-on-rk3399.patch [new file with mode: 0644]
queue-5.10/asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch [new file with mode: 0644]
queue-5.10/asoc-rt5665-add-missed-regulator_bulk_disable.patch [new file with mode: 0644]
queue-5.10/bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch [new file with mode: 0644]
queue-5.10/drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch [new file with mode: 0644]
queue-5.10/i40e-fix-misleading-debug-logs.patch [new file with mode: 0644]
queue-5.10/ip6_vti-fix-slab-use-after-free-in-decode_session6.patch [new file with mode: 0644]
queue-5.10/ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch [new file with mode: 0644]
queue-5.10/ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch [new file with mode: 0644]
queue-5.10/net-af_key-fix-sadb_x_filter-validation.patch [new file with mode: 0644]
queue-5.10/net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch [new file with mode: 0644]
queue-5.10/net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch [new file with mode: 0644]
queue-5.10/net-phy-broadcom-stub-c45-read-write-for-54810.patch [new file with mode: 0644]
queue-5.10/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch [new file with mode: 0644]
queue-5.10/net-xfrm-fix-xfrm_address_filter-oob-read.patch [new file with mode: 0644]
queue-5.10/netfilter-nft_dynset-disallow-object-maps.patch [new file with mode: 0644]
queue-5.10/riscv-__asm_copy_to-from_user-optimize-unaligned-mem.patch [new file with mode: 0644]
queue-5.10/riscv-lib-uaccess-fix-csr_status-sr_sum-bit.patch [new file with mode: 0644]
queue-5.10/riscv-lib-uaccess-fold-fixups-into-body.patch [new file with mode: 0644]
queue-5.10/riscv-uaccess-return-the-number-of-bytes-effectively.patch [new file with mode: 0644]
queue-5.10/selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/sock-fix-misuse-of-sk_under_memory_pressure.patch [new file with mode: 0644]
queue-5.10/team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch [new file with mode: 0644]
queue-5.10/x86-cpu-fix-up-srso_safe_ret-and-__x86_return_thunk.patch [new file with mode: 0644]
queue-5.10/x86-srso-correct-the-mitigation-status-when-smt-is-d.patch [new file with mode: 0644]
queue-5.10/x86-srso-disable-the-mitigation-on-unaffected-config.patch [new file with mode: 0644]
queue-5.10/x86-static_call-fix-__static_call_fixup.patch [new file with mode: 0644]
queue-5.10/xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch [new file with mode: 0644]
queue-5.10/xfrm-add-null-check-in-xfrm_update_ae_params.patch [new file with mode: 0644]
queue-5.10/xfrm-fix-slab-use-after-free-in-decode_session6.patch [new file with mode: 0644]

diff --git a/queue-5.10/alsa-hda-realtek-remodified-3k-pull-low-procedure.patch b/queue-5.10/alsa-hda-realtek-remodified-3k-pull-low-procedure.patch
new file mode 100644 (file)
index 0000000..0b89a7f
--- /dev/null
@@ -0,0 +1,63 @@
+From 1b59dd2ae783d41b768182545329928d490cb509 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Aug 2023 15:54:23 +0800
+Subject: ALSA: hda/realtek - Remodified 3k pull low procedure
+
+From: Kailang Yang <kailang@realtek.com>
+
+[ Upstream commit 46cdff2369cbdf8d78081a22526e77bd1323f563 ]
+
+Set spec->en_3kpull_low default to true.
+Then fillback ALC236 and ALC257 to false.
+
+Additional note: this addresses a regression caused by the previous
+fix 69ea4c9d02b7 ("ALSA: hda/realtek - remove 3k pull low procedure").
+The previous workaround was applied too widely without necessity,
+which resulted in the pop noise at PM again.  This patch corrects the
+condition and restores the old behavior for the devices that don't
+suffer from the original problem.
+
+Fixes: 69ea4c9d02b7 ("ALSA: hda/realtek - remove 3k pull low procedure")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217732
+Link: https://lore.kernel.org/r/01e212a538fc407ca6edd10b81ff7b05@realtek.com
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 09a9e21675341..adfab80b8189d 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10006,6 +10006,7 @@ static int patch_alc269(struct hda_codec *codec)
+       spec = codec->spec;
+       spec->gen.shared_mic_vref_pin = 0x18;
+       codec->power_save_node = 0;
++      spec->en_3kpull_low = true;
+ #ifdef CONFIG_PM
+       codec->patch_ops.suspend = alc269_suspend;
+@@ -10088,14 +10089,16 @@ static int patch_alc269(struct hda_codec *codec)
+               spec->shutup = alc256_shutup;
+               spec->init_hook = alc256_init;
+               spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */
+-              if (codec->bus->pci->vendor == PCI_VENDOR_ID_AMD)
+-                      spec->en_3kpull_low = true;
++              if (codec->core.vendor_id == 0x10ec0236 &&
++                  codec->bus->pci->vendor != PCI_VENDOR_ID_AMD)
++                      spec->en_3kpull_low = false;
+               break;
+       case 0x10ec0257:
+               spec->codec_variant = ALC269_TYPE_ALC257;
+               spec->shutup = alc256_shutup;
+               spec->init_hook = alc256_init;
+               spec->gen.mixer_nid = 0;
++              spec->en_3kpull_low = false;
+               break;
+       case 0x10ec0215:
+       case 0x10ec0245:
+-- 
+2.40.1
+
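Review bot: The new condition at patch_realtek.c lines 10092-10094 dereferences `codec->bus->pci->vendor` without checking `codec->bus->pci` for NULL; the removed line did the same, so nothing new is introduced, but if this codec can ever be driven through a non-PCI HDA bus (I cannot confirm that from the hunk) the 3k-pull-low decision for ALC236 would now oops instead of silently keeping the `true` default set at line 10009. If that case exists, a guard such as `codec->bus->pci && codec->bus->pci->vendor != PCI_VENDOR_ID_AMD` (or an explicit choice of which default a PCI-less bus should get) would make the intent visible. The body of patch_alc269 extends beyond the two quoted hunks, so other vendor checks in the same switch are not visible here.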
diff --git a/queue-5.10/arm64-dts-rockchip-add-es8316-codec-for-rock-pi-4.patch b/queue-5.10/arm64-dts-rockchip-add-es8316-codec-for-rock-pi-4.patch
new file mode 100644 (file)
index 0000000..a7b736a
--- /dev/null
@@ -0,0 +1,78 @@
+From 7f0bb29b4d39f90bac56676adf984b316b91da86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 20:12:55 +0200
+Subject: arm64: dts: rockchip: add ES8316 codec for ROCK Pi 4
+
+From: Alex Bee <knaerzche@gmail.com>
+
+[ Upstream commit 65bd2b8bdb3bddc37bea695789713916327e1c1f ]
+
+ROCK Pi 4 boards have the codec connected to i2s0 and it is accessible
+via i2c1 address 0x11.
+Add an audio-graph-card for it.
+
+Signed-off-by: Alex Bee <knaerzche@gmail.com>
+Link: https://lore.kernel.org/r/20210618181256.27992-5-knaerzche@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Stable-dep-of: cee572756aa2 ("arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/rockchip/rk3399-rock-pi-4.dtsi   | 28 +++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+index 6dc6dee6c13e2..f80cdb021f7fc 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+@@ -31,6 +31,12 @@
+               reset-gpios = <&gpio0 RK_PB2 GPIO_ACTIVE_LOW>;
+       };
++      sound {
++              compatible = "audio-graph-card";
++              label = "Analog";
++              dais = <&i2s0_p0>;
++      };
++
+       vcc12v_dcin: dc-12v {
+               compatible = "regulator-fixed";
+               regulator-name = "vcc12v_dcin";
+@@ -417,6 +423,20 @@
+       i2c-scl-rising-time-ns = <300>;
+       i2c-scl-falling-time-ns = <15>;
+       status = "okay";
++
++      es8316: codec@11 {
++              compatible = "everest,es8316";
++              reg = <0x11>;
++              clocks = <&cru SCLK_I2S_8CH_OUT>;
++              clock-names = "mclk";
++              #sound-dai-cells = <0>;
++
++              port {
++                      es8316_p0_0: endpoint {
++                              remote-endpoint = <&i2s0_p0_0>;
++                      };
++              };
++      };
+ };
+ &i2c3 {
+@@ -435,6 +455,14 @@
+       rockchip,playback-channels = <8>;
+       rockchip,capture-channels = <8>;
+       status = "okay";
++
++      i2s0_p0: port {
++              i2s0_p0_0: endpoint {
++                      dai-format = "i2s";
++                      mclk-fs = <256>;
++                      remote-endpoint = <&es8316_p0_0>;
++              };
++      };
+ };
+ &i2s1 {
+-- 
+2.40.1
+
diff --git a/queue-5.10/arm64-dts-rockchip-add-spdif-node-for-rock-pi-4.patch b/queue-5.10/arm64-dts-rockchip-add-spdif-node-for-rock-pi-4.patch
new file mode 100644 (file)
index 0000000..672f98d
--- /dev/null
@@ -0,0 +1,72 @@
+From 884c9a41e838342f01297cd47da2aad55d87c9bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 20:12:56 +0200
+Subject: arm64: dts: rockchip: add SPDIF node for ROCK Pi 4
+
+From: Alex Bee <knaerzche@gmail.com>
+
+[ Upstream commit 697dd494cb1cf56acfb764214a1e4788e4d1a983 ]
+
+Add a SPDIF audio-graph-card to ROCK Pi 4 device tree.
+
+It's not enabled by default since all dma channels are used by
+the (already) enabled i2s0/1/2 and the pin is muxed with GPIO4_C5
+which might be in use already.
+If enabled SPDIF_TX will be available at pin #15.
+
+Signed-off-by: Alex Bee <knaerzche@gmail.com>
+Link: https://lore.kernel.org/r/20210618181256.27992-6-knaerzche@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Stable-dep-of: cee572756aa2 ("arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/rockchip/rk3399-rock-pi-4.dtsi   | 26 +++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+index f80cdb021f7fc..fcd8eeabf53b6 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+@@ -37,6 +37,23 @@
+               dais = <&i2s0_p0>;
+       };
++      sound-dit {
++              compatible = "audio-graph-card";
++              label = "SPDIF";
++              dais = <&spdif_p0>;
++      };
++
++      spdif-dit {
++              compatible = "linux,spdif-dit";
++              #sound-dai-cells = <0>;
++
++              port {
++                      dit_p0_0: endpoint {
++                              remote-endpoint = <&spdif_p0_0>;
++                      };
++              };
++      };
++
+       vcc12v_dcin: dc-12v {
+               compatible = "regulator-fixed";
+               regulator-name = "vcc12v_dcin";
+@@ -625,6 +642,15 @@
+       status = "okay";
+ };
++&spdif {
++
++      spdif_p0: port {
++              spdif_p0_0: endpoint {
++                      remote-endpoint = <&dit_p0_0>;
++              };
++      };
++};
++
+ &tcphy0 {
+       status = "okay";
+ };
+-- 
+2.40.1
+
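Review bot: The new `&spdif` override starts with an empty line immediately after `&spdif {` (the bare `++` line before `spdif_p0: port {`), which none of the neighbouring overrides in this file (`&tcphy0`, the i2s0 `port` added by the sibling patch) do; dropping that blank line keeps the node consistent. The node also adds no `status` property, so whether SPDIF is enabled depends entirely on the SoC dtsi default, which the commit message describes but the file does not; a short comment on the node such as `/* left at the SoC default (disabled): DMA channels are taken by i2s0/1/2 and the pin is shared with GPIO4_C5 */` would carry that reasoning into the source.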
diff --git a/queue-5.10/arm64-dts-rockchip-disable-hs400-for-emmc-on-rock-pi.patch b/queue-5.10/arm64-dts-rockchip-disable-hs400-for-emmc-on-rock-pi.patch
new file mode 100644 (file)
index 0000000..6e3d68e
--- /dev/null
@@ -0,0 +1,68 @@
+From af0a6087bb3ab10c3acd269d9de28a25eda255ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jul 2023 15:42:54 +0100
+Subject: arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4
+
+From: Christopher Obbard <chris.obbard@collabora.com>
+
+[ Upstream commit cee572756aa2cb46e959e9797ad4b730b78a050b ]
+
+There is some instablity with some eMMC modules on ROCK Pi 4 SBCs running
+in HS400 mode. This ends up resulting in some block errors after a while
+or after a "heavy" operation utilising the eMMC (e.g. resizing a
+filesystem). An example of these errors is as follows:
+
+    [  289.171014] mmc1: running CQE recovery
+    [  290.048972] mmc1: running CQE recovery
+    [  290.054834] mmc1: running CQE recovery
+    [  290.060817] mmc1: running CQE recovery
+    [  290.061337] blk_update_request: I/O error, dev mmcblk1, sector 1411072 op 0x1:(WRITE) flags 0x800 phys_seg 36 prio class 0
+    [  290.061370] EXT4-fs warning (device mmcblk1p1): ext4_end_bio:348: I/O error 10 writing to inode 29547 starting block 176466)
+    [  290.061484] Buffer I/O error on device mmcblk1p1, logical block 172288
+    [  290.061531] Buffer I/O error on device mmcblk1p1, logical block 172289
+    [  290.061551] Buffer I/O error on device mmcblk1p1, logical block 172290
+    [  290.061574] Buffer I/O error on device mmcblk1p1, logical block 172291
+    [  290.061592] Buffer I/O error on device mmcblk1p1, logical block 172292
+    [  290.061615] Buffer I/O error on device mmcblk1p1, logical block 172293
+    [  290.061632] Buffer I/O error on device mmcblk1p1, logical block 172294
+    [  290.061654] Buffer I/O error on device mmcblk1p1, logical block 172295
+    [  290.061673] Buffer I/O error on device mmcblk1p1, logical block 172296
+    [  290.061695] Buffer I/O error on device mmcblk1p1, logical block 172297
+
+Disabling the Command Queue seems to stop the CQE recovery from running,
+but doesn't seem to improve the I/O errors. Until this can be investigated
+further, disable HS400 mode on the ROCK Pi 4 SBCs to at least stop I/O
+errors from occurring.
+
+While we are here, set the eMMC maximum clock frequency to 1.5MHz to
+follow the ROCK 4C+.
+
+Fixes: 1b5715c602fd ("arm64: dts: rockchip: add ROCK Pi 4 DTS support")
+Signed-off-by: Christopher Obbard <chris.obbard@collabora.com>
+Tested-By: Folker Schwesinger <dev@folker-schwesinger.de>
+Link: https://lore.kernel.org/r/20230705144255.115299-2-chris.obbard@collabora.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+index 360a31d2c56cc..2f52b91b72152 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+@@ -607,9 +607,9 @@
+ };
+ &sdhci {
++      max-frequency = <150000000>;
+       bus-width = <8>;
+-      mmc-hs400-1_8v;
+-      mmc-hs400-enhanced-strobe;
++      mmc-hs200-1_8v;
+       non-removable;
+       status = "okay";
+ };
+-- 
+2.40.1
+
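Review bot: The embedded commit message says the eMMC maximum clock is set "to 1.5MHz", but the property added at line 608 is `max-frequency = <150000000>;`, i.e. 150 MHz; the text appears to have dropped two orders of magnitude and should read 150MHz so the description matches the value and the ROCK 4C+ it cites. The same message carries a `Tested-By:` trailer where the kernel convention is `Tested-by:`. Both are in the upstream message being queued, so they are a note on what this file records rather than on the DTS change itself.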
diff --git a/queue-5.10/arm64-dts-rockchip-fix-regulator-name-on-rk3399-rock.patch b/queue-5.10/arm64-dts-rockchip-fix-regulator-name-on-rk3399-rock.patch
new file mode 100644 (file)
index 0000000..6f68a7d
--- /dev/null
@@ -0,0 +1,111 @@
+From fe253c5c2d42bfcf0c7588f5d2e14c4dfb31ff6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 19:50:04 +0000
+Subject: arm64: dts: rockchip: fix regulator name on rk3399-rock-4
+
+From: FUKAUMI Naoki <naoki@radxa.com>
+
+[ Upstream commit 69448624b770aa88a71536a16900dd3cc6002919 ]
+
+fix regulator name
+
+ref:
+ https://dl.radxa.com/rockpi4/docs/hw/rockpi4/rockpi4_v13_sch_20181112.pdf
+
+Signed-off-by: FUKAUMI Naoki <naoki@radxa.com>
+Link: https://lore.kernel.org/r/20220909195006.127957-4-naoki@radxa.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Stable-dep-of: cee572756aa2 ("arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/rockchip/rk3399-rock-pi-4.dtsi   | 25 ++++++++++---------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+index fcd8eeabf53b6..4e1c1f970aba1 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+@@ -116,24 +116,25 @@
+               vin-supply = <&vcc5v0_sys>;
+       };
+-      vcc5v0_typec: vcc5v0-typec-regulator {
++      vbus_typec: vbus-typec-regulator {
+               compatible = "regulator-fixed";
+               enable-active-high;
+               gpio = <&gpio1 RK_PA3 GPIO_ACTIVE_HIGH>;
+               pinctrl-names = "default";
+               pinctrl-0 = <&vcc5v0_typec_en>;
+-              regulator-name = "vcc5v0_typec";
++              regulator-name = "vbus_typec";
+               regulator-always-on;
+               vin-supply = <&vcc5v0_sys>;
+       };
+-      vcc_lan: vcc3v3-phy-regulator {
++      vcc3v3_lan: vcc3v3-lan-regulator {
+               compatible = "regulator-fixed";
+-              regulator-name = "vcc_lan";
++              regulator-name = "vcc3v3_lan";
+               regulator-always-on;
+               regulator-boot-on;
+               regulator-min-microvolt = <3300000>;
+               regulator-max-microvolt = <3300000>;
++              vin-supply = <&vcc3v3_sys>;
+       };
+       vdd_log: vdd-log {
+@@ -180,7 +181,7 @@
+       assigned-clocks = <&cru SCLK_RMII_SRC>;
+       assigned-clock-parents = <&clkin_gmac>;
+       clock_in_out = "input";
+-      phy-supply = <&vcc_lan>;
++      phy-supply = <&vcc3v3_lan>;
+       phy-mode = "rgmii";
+       pinctrl-names = "default";
+       pinctrl-0 = <&rgmii_pins>;
+@@ -285,8 +286,8 @@
+                               };
+                       };
+-                      vcc1v8_codec: LDO_REG1 {
+-                              regulator-name = "vcc1v8_codec";
++                      vcca1v8_codec: LDO_REG1 {
++                              regulator-name = "vcca1v8_codec";
+                               regulator-always-on;
+                               regulator-boot-on;
+                               regulator-min-microvolt = <1800000>;
+@@ -296,8 +297,8 @@
+                               };
+                       };
+-                      vcc1v8_hdmi: LDO_REG2 {
+-                              regulator-name = "vcc1v8_hdmi";
++                      vcca1v8_hdmi: LDO_REG2 {
++                              regulator-name = "vcca1v8_hdmi";
+                               regulator-always-on;
+                               regulator-boot-on;
+                               regulator-min-microvolt = <1800000>;
+@@ -354,8 +355,8 @@
+                               };
+                       };
+-                      vcc0v9_hdmi: LDO_REG7 {
+-                              regulator-name = "vcc0v9_hdmi";
++                      vcca0v9_hdmi: LDO_REG7 {
++                              regulator-name = "vcca0v9_hdmi";
+                               regulator-always-on;
+                               regulator-boot-on;
+                               regulator-min-microvolt = <900000>;
+@@ -495,7 +496,7 @@
+       status = "okay";
+       bt656-supply = <&vcc_3v0>;
+-      audio-supply = <&vcc1v8_codec>;
++      audio-supply = <&vcca1v8_codec>;
+       sdmmc-supply = <&vcc_sdio>;
+       gpio1830-supply = <&vcc_3v0>;
+ };
+-- 
+2.40.1
+
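Review bot: The hunk at lines 116-137 does more than the "fix regulator name" message states: besides renaming `vcc5v0_typec` to `vbus_typec` and `vcc_lan` to `vcc3v3_lan`, it adds a new `vin-supply = <&vcc3v3_sys>;` property to the vcc3v3_lan regulator, which changes the supply graph rather than a label. That addition deserves a sentence in the description (the linked schematic is presumably the source), otherwise a reader of this stable queue cannot tell whether the property was intended or slipped in with the rename. The remaining hunks are pure label/phandle renames and are consistent with each other.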
diff --git a/queue-5.10/arm64-dts-rockchip-fix-supplies-on-rk3399-rock-pi-4.patch b/queue-5.10/arm64-dts-rockchip-fix-supplies-on-rk3399-rock-pi-4.patch
new file mode 100644 (file)
index 0000000..da2cc21
--- /dev/null
@@ -0,0 +1,65 @@
+From d1fdb27abf8b9fc7f24b766f799ecf0e09ac5bde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Dec 2020 16:41:30 +0100
+Subject: arm64: dts: rockchip: fix supplies on rk3399-rock-pi-4
+
+From: Vicente Bergas <vicencb@gmail.com>
+
+[ Upstream commit 328c6112787bf7562dbea638840366cd197868d6 ]
+
+Based on the board schematics at
+https://dl.radxa.com/rockpi4/docs/hw/rockpi4/rockpi_4c_v12_sch_20200620.pdf
+on page 18:
+vcc_lan is not controllable by software, it is just an analog LC filter.
+Because of this, it can not be turned off-in-suspend.
+
+and on page 17:
+vcc_cam and vcc_mipi are not voltage regulators, they are just switches.
+So, the voltage range is not applicable.
+This silences an error message about not being able to adjust the voltage.
+
+Signed-off-by: Vicente Bergas <vicencb@gmail.com>
+Link: https://lore.kernel.org/r/20201201154132.1286-2-vicencb@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Stable-dep-of: cee572756aa2 ("arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+index 64df643391194..98f52fac13535 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+@@ -111,10 +111,6 @@
+               regulator-boot-on;
+               regulator-min-microvolt = <3300000>;
+               regulator-max-microvolt = <3300000>;
+-
+-              regulator-state-mem {
+-                      regulator-off-in-suspend;
+-              };
+       };
+       vdd_log: vdd-log {
+@@ -362,8 +358,6 @@
+                               regulator-name = "vcc_cam";
+                               regulator-always-on;
+                               regulator-boot-on;
+-                              regulator-min-microvolt = <3300000>;
+-                              regulator-max-microvolt = <3300000>;
+                               regulator-state-mem {
+                                       regulator-off-in-suspend;
+                               };
+@@ -373,8 +367,6 @@
+                               regulator-name = "vcc_mipi";
+                               regulator-always-on;
+                               regulator-boot-on;
+-                              regulator-min-microvolt = <3300000>;
+-                              regulator-max-microvolt = <3300000>;
+                               regulator-state-mem {
+                                       regulator-off-in-suspend;
+                               };
+-- 
+2.40.1
+
diff --git a/queue-5.10/arm64-dts-rockchip-sort-nodes-properties-on-rk3399-r.patch b/queue-5.10/arm64-dts-rockchip-sort-nodes-properties-on-rk3399-r.patch
new file mode 100644 (file)
index 0000000..a9e1a0b
--- /dev/null
@@ -0,0 +1,246 @@
+From 736c82f6bf4f818580758ff387b0d7288481fcd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 19:50:05 +0000
+Subject: arm64: dts: rockchip: sort nodes/properties on rk3399-rock-4
+
+From: FUKAUMI Naoki <naoki@radxa.com>
+
+[ Upstream commit 06c5b5690a578514b3fe8f11a47a3c37d3af3696 ]
+
+sort nodes/properties alphabetically
+
+Signed-off-by: FUKAUMI Naoki <naoki@radxa.com>
+Link: https://lore.kernel.org/r/20220909195006.127957-5-naoki@radxa.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Stable-dep-of: cee572756aa2 ("arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/rockchip/rk3399-rock-pi-4.dtsi   | 124 +++++++++---------
+ 1 file changed, 61 insertions(+), 63 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+index 4e1c1f970aba1..360a31d2c56cc 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+@@ -54,32 +54,33 @@
+               };
+       };
+-      vcc12v_dcin: dc-12v {
++      vbus_typec: vbus-typec-regulator {
+               compatible = "regulator-fixed";
+-              regulator-name = "vcc12v_dcin";
++              enable-active-high;
++              gpio = <&gpio1 RK_PA3 GPIO_ACTIVE_HIGH>;
++              pinctrl-names = "default";
++              pinctrl-0 = <&vcc5v0_typec_en>;
++              regulator-name = "vbus_typec";
+               regulator-always-on;
+-              regulator-boot-on;
+-              regulator-min-microvolt = <12000000>;
+-              regulator-max-microvolt = <12000000>;
++              vin-supply = <&vcc5v0_sys>;
+       };
+-      vcc5v0_sys: vcc-sys {
++      vcc12v_dcin: dc-12v {
+               compatible = "regulator-fixed";
+-              regulator-name = "vcc5v0_sys";
++              regulator-name = "vcc12v_dcin";
+               regulator-always-on;
+               regulator-boot-on;
+-              regulator-min-microvolt = <5000000>;
+-              regulator-max-microvolt = <5000000>;
+-              vin-supply = <&vcc12v_dcin>;
++              regulator-min-microvolt = <12000000>;
++              regulator-max-microvolt = <12000000>;
+       };
+-      vcc_0v9: vcc-0v9 {
++      vcc3v3_lan: vcc3v3-lan-regulator {
+               compatible = "regulator-fixed";
+-              regulator-name = "vcc_0v9";
++              regulator-name = "vcc3v3_lan";
+               regulator-always-on;
+               regulator-boot-on;
+-              regulator-min-microvolt = <900000>;
+-              regulator-max-microvolt = <900000>;
++              regulator-min-microvolt = <3300000>;
++              regulator-max-microvolt = <3300000>;
+               vin-supply = <&vcc3v3_sys>;
+       };
+@@ -116,24 +117,23 @@
+               vin-supply = <&vcc5v0_sys>;
+       };
+-      vbus_typec: vbus-typec-regulator {
++      vcc5v0_sys: vcc-sys {
+               compatible = "regulator-fixed";
+-              enable-active-high;
+-              gpio = <&gpio1 RK_PA3 GPIO_ACTIVE_HIGH>;
+-              pinctrl-names = "default";
+-              pinctrl-0 = <&vcc5v0_typec_en>;
+-              regulator-name = "vbus_typec";
++              regulator-name = "vcc5v0_sys";
+               regulator-always-on;
+-              vin-supply = <&vcc5v0_sys>;
++              regulator-boot-on;
++              regulator-min-microvolt = <5000000>;
++              regulator-max-microvolt = <5000000>;
++              vin-supply = <&vcc12v_dcin>;
+       };
+-      vcc3v3_lan: vcc3v3-lan-regulator {
++      vcc_0v9: vcc-0v9 {
+               compatible = "regulator-fixed";
+-              regulator-name = "vcc3v3_lan";
++              regulator-name = "vcc_0v9";
+               regulator-always-on;
+               regulator-boot-on;
+-              regulator-min-microvolt = <3300000>;
+-              regulator-max-microvolt = <3300000>;
++              regulator-min-microvolt = <900000>;
++              regulator-max-microvolt = <900000>;
+               vin-supply = <&vcc3v3_sys>;
+       };
+@@ -493,21 +493,10 @@
+ };
+ &io_domains {
+-      status = "okay";
+-
+-      bt656-supply = <&vcc_3v0>;
+       audio-supply = <&vcca1v8_codec>;
+-      sdmmc-supply = <&vcc_sdio>;
++      bt656-supply = <&vcc_3v0>;
+       gpio1830-supply = <&vcc_3v0>;
+-};
+-
+-&pmu_io_domains {
+-      status = "okay";
+-
+-      pmu1830-supply = <&vcc_3v0>;
+-};
+-
+-&pcie_phy {
++      sdmmc-supply = <&vcc_sdio>;
+       status = "okay";
+ };
+@@ -523,6 +512,10 @@
+       status = "okay";
+ };
++&pcie_phy {
++      status = "okay";
++};
++
+ &pinctrl {
+       bt {
+               bt_enable_h: bt-enable-h {
+@@ -544,6 +537,20 @@
+               };
+       };
++      pmic {
++              pmic_int_l: pmic-int-l {
++                      rockchip,pins = <1 RK_PC5 RK_FUNC_GPIO &pcfg_pull_up>;
++              };
++
++              vsel1_pin: vsel1-pin {
++                      rockchip,pins = <1 RK_PC1 RK_FUNC_GPIO &pcfg_pull_down>;
++              };
++
++              vsel2_pin: vsel2-pin {
++                      rockchip,pins = <1 RK_PB6 RK_FUNC_GPIO &pcfg_pull_down>;
++              };
++      };
++
+       sdio0 {
+               sdio0_bus4: sdio0-bus4 {
+                       rockchip,pins = <2 RK_PC4 1 &pcfg_pull_up_20ma>,
+@@ -561,20 +568,6 @@
+               };
+       };
+-      pmic {
+-              pmic_int_l: pmic-int-l {
+-                      rockchip,pins = <1 RK_PC5 RK_FUNC_GPIO &pcfg_pull_up>;
+-              };
+-
+-              vsel1_pin: vsel1-pin {
+-                      rockchip,pins = <1 RK_PC1 RK_FUNC_GPIO &pcfg_pull_down>;
+-              };
+-
+-              vsel2_pin: vsel2-pin {
+-                      rockchip,pins = <1 RK_PB6 RK_FUNC_GPIO &pcfg_pull_down>;
+-              };
+-      };
+-
+       usb-typec {
+               vcc5v0_typec_en: vcc5v0-typec-en {
+                       rockchip,pins = <1 RK_PA3 RK_FUNC_GPIO &pcfg_pull_up>;
+@@ -598,6 +591,11 @@
+       };
+ };
++&pmu_io_domains {
++      pmu1830-supply = <&vcc_3v0>;
++      status = "okay";
++};
++
+ &pwm2 {
+       status = "okay";
+ };
+@@ -608,6 +606,14 @@
+       vref-supply = <&vcc_1v8>;
+ };
++&sdhci {
++      bus-width = <8>;
++      mmc-hs400-1_8v;
++      mmc-hs400-enhanced-strobe;
++      non-removable;
++      status = "okay";
++};
++
+ &sdio0 {
+       #address-cells = <1>;
+       #size-cells = <0>;
+@@ -635,14 +641,6 @@
+       status = "okay";
+ };
+-&sdhci {
+-      bus-width = <8>;
+-      mmc-hs400-1_8v;
+-      mmc-hs400-enhanced-strobe;
+-      non-removable;
+-      status = "okay";
+-};
+-
+ &spdif {
+       spdif_p0: port {
+@@ -724,13 +722,13 @@
+       status = "okay";
+ };
+-&usbdrd_dwc3_0 {
++&usbdrd3_1 {
+       status = "okay";
+-      dr_mode = "host";
+ };
+-&usbdrd3_1 {
++&usbdrd_dwc3_0 {
+       status = "okay";
++      dr_mode = "host";
+ };
+ &usbdrd_dwc3_1 {
+-- 
+2.40.1
+
diff --git a/queue-5.10/arm64-dts-rockchip-use-usb-host-by-default-on-rk3399.patch b/queue-5.10/arm64-dts-rockchip-use-usb-host-by-default-on-rk3399.patch
new file mode 100644 (file)
index 0000000..93f0872
--- /dev/null
@@ -0,0 +1,43 @@
+From e421e34a063dc5712cdbd7e5d8e323a5bde4e609 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Dec 2020 16:41:32 +0100
+Subject: arm64: dts: rockchip: use USB host by default on rk3399-rock-pi-4
+
+From: Vicente Bergas <vicencb@gmail.com>
+
+[ Upstream commit e12f67fe83446432ef16704c22ec23bd1dbcd094 ]
+
+Based on the board schematics at
+https://dl.radxa.com/rockpi4/docs/hw/rockpi4/rockpi_4c_v12_sch_20200620.pdf
+on page 19 there is an USB Type-A receptacle being used as an USB-OTG port.
+
+But the Type-A connector is not valid for OTG operation, for this reason
+there is a switch to select host or device role.
+This is non-compliant and error prone because switching is manual.
+So, use host mode as it corresponds for a Type-A receptacle.
+
+Signed-off-by: Vicente Bergas <vicencb@gmail.com>
+Link: https://lore.kernel.org/r/20201201154132.1286-4-vicencb@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Stable-dep-of: cee572756aa2 ("arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+index 98f52fac13535..6dc6dee6c13e2 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+@@ -671,7 +671,7 @@
+ &usbdrd_dwc3_0 {
+       status = "okay";
+-      dr_mode = "otg";
++      dr_mode = "host";
+ };
+ &usbdrd3_1 {
+-- 
+2.40.1
+
diff --git a/queue-5.10/asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch b/queue-5.10/asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch
new file mode 100644 (file)
index 0000000..c45abd3
--- /dev/null
@@ -0,0 +1,110 @@
+From 1fd47e39988e04678db42cbd84710bb9a3f55756 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Aug 2023 19:19:31 +0200
+Subject: ASoC: meson: axg-tdm-formatter: fix channel slot allocation
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit c1f848f12103920ca165758aedb1c10904e193e1 ]
+
+When the tdm lane mask is computed, the driver currently fills the 1st lane
+before moving on to the next. If the stream has less channels than the
+lanes can accommodate, slots will be disabled on the last lanes.
+
+Unfortunately, the HW distribute channels in a different way. It distribute
+channels in pair on each lanes before moving on the next slots.
+
+This difference leads to problems if a device has an interface with more
+than 1 lane and with more than 2 slots per lane.
+
+For example: a playback interface with 2 lanes and 4 slots each (total 8
+slots - zero based numbering)
+- Playing a 8ch stream:
+  - All slots activated by the driver
+  - channel #2 will be played on lane #1 - slot #0 following HW placement
+- Playing a 4ch stream:
+  - Lane #1 disabled by the driver
+  - channel #2 will be played on lane #0 - slot #2
+
+This behaviour is obviously not desirable.
+
+Change the way slots are activated on the TDM lanes to follow what the HW
+does and make sure each channel always get mapped to the same slot/lane.
+
+Fixes: 1a11d88f499c ("ASoC: meson: add tdm formatter base driver")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20230809171931.1244502-1-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-tdm-formatter.c | 42 ++++++++++++++++++-----------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+
+diff --git a/sound/soc/meson/axg-tdm-formatter.c b/sound/soc/meson/axg-tdm-formatter.c
+index cab7fa2851aa8..4834cfd163c03 100644
+--- a/sound/soc/meson/axg-tdm-formatter.c
++++ b/sound/soc/meson/axg-tdm-formatter.c
+@@ -30,27 +30,32 @@ int axg_tdm_formatter_set_channel_masks(struct regmap *map,
+                                       struct axg_tdm_stream *ts,
+                                       unsigned int offset)
+ {
+-      unsigned int val, ch = ts->channels;
+-      unsigned long mask;
+-      int i, j;
++      unsigned int ch = ts->channels;
++      u32 val[AXG_TDM_NUM_LANES];
++      int i, j, k;
++
++      /*
++       * We need to mimick the slot distribution used by the HW to keep the
++       * channel placement consistent regardless of the number of channel
++       * in the stream. This is why the odd algorithm below is used.
++       */
++      memset(val, 0, sizeof(*val) * AXG_TDM_NUM_LANES);
+       /*
+        * Distribute the channels of the stream over the available slots
+-       * of each TDM lane
++       * of each TDM lane. We need to go over the 32 slots ...
+        */
+-      for (i = 0; i < AXG_TDM_NUM_LANES; i++) {
+-              val = 0;
+-              mask = ts->mask[i];
+-
+-              for (j = find_first_bit(&mask, 32);
+-                   (j < 32) && ch;
+-                   j = find_next_bit(&mask, 32, j + 1)) {
+-                      val |= 1 << j;
+-                      ch -= 1;
++      for (i = 0; (i < 32) && ch; i += 2) {
++              /* ... of all the lanes ... */
++              for (j = 0; j < AXG_TDM_NUM_LANES; j++) {
++                      /* ... then distribute the channels in pairs */
++                      for (k = 0; k < 2; k++) {
++                              if ((BIT(i + k) & ts->mask[j]) && ch) {
++                                      val[j] |= BIT(i + k);
++                                      ch -= 1;
++                              }
++                      }
+               }
+-
+-              regmap_write(map, offset, val);
+-              offset += regmap_get_reg_stride(map);
+       }
+       /*
+@@ -63,6 +68,11 @@ int axg_tdm_formatter_set_channel_masks(struct regmap *map,
+               return -EINVAL;
+       }
++      for (i = 0; i < AXG_TDM_NUM_LANES; i++) {
++              regmap_write(map, offset, val[i]);
++              offset += regmap_get_reg_stride(map);
++      }
++
+       return 0;
+ }
+ EXPORT_SYMBOL_GPL(axg_tdm_formatter_set_channel_masks);
+-- 
+2.40.1
+
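Review bot: `memset(val, 0, sizeof(*val) * AXG_TDM_NUM_LANES);` repeats the array size by hand where `memset(val, 0, sizeof(val));`, or simply `u32 val[AXG_TDM_NUM_LANES] = { 0 };` at the declaration, says the same thing with only one place to keep in sync. The outer loop stops as soon as `ch` reaches zero, and a stream with more channels than enabled slots leaves `ch` non-zero on exit; that is presumably what the `-EINVAL` return in the second hunk catches, so a one-line comment above the loop, `/* any channel left unplaced is rejected below */`, would tie the two together. axg_tdm_formatter_set_channel_masks starts before the first hunk and the lines between the two hunks are not visible here.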
diff --git a/queue-5.10/asoc-rt5665-add-missed-regulator_bulk_disable.patch b/queue-5.10/asoc-rt5665-add-missed-regulator_bulk_disable.patch
new file mode 100644 (file)
index 0000000..9966308
--- /dev/null
@@ -0,0 +1,38 @@
+From 31484b33c2192260dfde46ef400bb182c8260fb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Aug 2023 23:59:11 +0800
+Subject: ASoC: rt5665: add missed regulator_bulk_disable
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+[ Upstream commit c163108e706909570f8aa9aa5bcf6806e2b4c98c ]
+
+The driver forgets to call regulator_bulk_disable()
+
+Add the missed call to fix it.
+
+Fixes: 33ada14a26c8 ("ASoC: add rt5665 codec driver")
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Link: https://lore.kernel.org/r/tencent_A560D01E3E0A00A85A12F137E4B5205B3508@qq.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5665.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/codecs/rt5665.c b/sound/soc/codecs/rt5665.c
+index 8a915cdce0fe9..8b73c2d7f1f10 100644
+--- a/sound/soc/codecs/rt5665.c
++++ b/sound/soc/codecs/rt5665.c
+@@ -4472,6 +4472,8 @@ static void rt5665_remove(struct snd_soc_component *component)
+       struct rt5665_priv *rt5665 = snd_soc_component_get_drvdata(component);
+       regmap_write(rt5665->regmap, RT5665_RESET, 0);
++
++      regulator_bulk_disable(ARRAY_SIZE(rt5665->supplies), rt5665->supplies);
+ }
+ #ifdef CONFIG_PM
+-- 
+2.40.1
+
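Review bot: The new `regulator_bulk_disable()` call carries no comment tying it to the enable it balances, and the probe side is not in the hunk, so a note at the call such as `/* balances the regulator_bulk_enable() done at probe */` (to be confirmed against probe) would save the next reader a search. The call's return value is discarded; on a remove path that is commonly accepted, but if the driver reports other teardown failures a `dev_err()` on a non-zero return would keep the style consistent. rt5665_remove starts outside the hunk.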
diff --git a/queue-5.10/bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch b/queue-5.10/bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch
new file mode 100644 (file)
index 0000000..ba9bc47
--- /dev/null
@@ -0,0 +1,48 @@
+From cd1470fe750e929e44333639ebb6231e17903994 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jun 2023 10:18:23 +0300
+Subject: bus: ti-sysc: Flush posted write on enable before reset
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 34539b442b3bc7d5bf10164750302b60b91f18a7 ]
+
+The am335x devices started producing boot errors for resetting musb module
+in because of subtle timing changes:
+
+Unhandled fault: external abort on non-linefetch (0x1008)
+...
+sysc_poll_reset_sysconfig from sysc_reset+0x109/0x12
+sysc_reset from sysc_probe+0xa99/0xeb0
+...
+
+The fix is to flush posted write after enable before reset during
+probe. Note that some devices also need to specify the delay after enable
+with ti,sysc-delay-us, but this is not needed for musb on am335x based on
+my tests.
+
+Reported-by: kernelci.org bot <bot@kernelci.org>
+Closes: https://storage.kernelci.org/next/master/next-20230614/arm/multi_v7_defconfig+CONFIG_THUMB2_KERNEL=y/gcc-10/lab-cip/baseline-beaglebone-black.html
+Fixes: 596e7955692b ("bus: ti-sysc: Add support for software reset")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/ti-sysc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
+index 4b1641fe30dba..fcfe4d16cc149 100644
+--- a/drivers/bus/ti-sysc.c
++++ b/drivers/bus/ti-sysc.c
+@@ -2078,6 +2078,8 @@ static int sysc_reset(struct sysc *ddata)
+               sysc_val = sysc_read_sysconfig(ddata);
+               sysc_val |= sysc_mask;
+               sysc_write(ddata, sysc_offset, sysc_val);
++              /* Flush posted write */
++              sysc_val = sysc_read_sysconfig(ddata);
+       }
+       if (ddata->cfg.srst_udelay)
+-- 
+2.40.1
+
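Review bot: The flush at `sysc_val = sysc_read_sysconfig(ddata);` stores a value that is never read again within the hunk, so it reads as a dead store; `(void)sysc_read_sysconfig(ddata);` next to the existing comment states that the read exists only to drain the posted write. The rest of sysc_reset is outside the hunk, so if sysc_val is consumed later the assignment is correct and only the comment needs to say so, e.g. `/* Flush posted write; re-read sysconfig before the reset below */`.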
diff --git a/queue-5.10/drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch b/queue-5.10/drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch
new file mode 100644 (file)
index 0000000..e87e32a
--- /dev/null
@@ -0,0 +1,78 @@
+From dc0a6100e345e3671a658ca8bcbe5ac7291609e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Aug 2023 17:12:39 +0200
+Subject: drm/panel: simple: Fix AUO G121EAN01 panel timings according to the
+ docs
+
+From: Luca Ceresoli <luca.ceresoli@bootlin.com>
+
+[ Upstream commit e8470c0a7bcaa82f78ad34282d662dd7bd9630c2 ]
+
+Commit 03e909acd95a ("drm/panel: simple: Add support for AUO G121EAN01.4
+panel") added support for this panel model, but the timings it implements
+are very different from what the datasheet describes. I checked both the
+G121EAN01.0 datasheet from [0] and the G121EAN01.4 one from [1] and they
+all have the same timings: for example the LVDS clock typical value is 74.4
+MHz, not 66.7 MHz as implemented.
+
+Replace the timings with the ones from the documentation. These timings
+have been tested and the clock frequencies verified with an oscilloscope to
+ensure they are correct.
+
+Also use struct display_timing instead of struct drm_display_mode in order
+to also specify the minimum and maximum values.
+
+[0] https://embedded.avnet.com/product/g121ean01-0/
+[1] https://embedded.avnet.com/product/g121ean01-4/
+
+Fixes: 03e909acd95a ("drm/panel: simple: Add support for AUO G121EAN01.4 panel")
+Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230804151239.835216-1-luca.ceresoli@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index 7b69f81444ebd..e40321d798981 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -1010,21 +1010,21 @@ static const struct panel_desc auo_g104sn02 = {
+       },
+ };
+-static const struct drm_display_mode auo_g121ean01_mode = {
+-      .clock = 66700,
+-      .hdisplay = 1280,
+-      .hsync_start = 1280 + 58,
+-      .hsync_end = 1280 + 58 + 8,
+-      .htotal = 1280 + 58 + 8 + 70,
+-      .vdisplay = 800,
+-      .vsync_start = 800 + 6,
+-      .vsync_end = 800 + 6 + 4,
+-      .vtotal = 800 + 6 + 4 + 10,
++static const struct display_timing auo_g121ean01_timing = {
++      .pixelclock = { 60000000, 74400000, 90000000 },
++      .hactive = { 1280, 1280, 1280 },
++      .hfront_porch = { 20, 50, 100 },
++      .hback_porch = { 20, 50, 100 },
++      .hsync_len = { 30, 100, 200 },
++      .vactive = { 800, 800, 800 },
++      .vfront_porch = { 2, 10, 25 },
++      .vback_porch = { 2, 10, 25 },
++      .vsync_len = { 4, 18, 50 },
+ };
+ static const struct panel_desc auo_g121ean01 = {
+-      .modes = &auo_g121ean01_mode,
+-      .num_modes = 1,
++      .timings = &auo_g121ean01_timing,
++      .num_timings = 1,
+       .bpc = 8,
+       .size = {
+               .width = 261,
+-- 
+2.40.1
+
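Review bot: The new `auo_g121ean01_timing` ranges, for example `.pixelclock = { 60000000, 74400000, 90000000 },`, carry no reference to where the min/typ/max values come from, while the commit message cites two datasheets and an oscilloscope check; a short comment above the struct naming the datasheet revision the numbers were taken from would let a maintainer verify them without going through git history. The `auo_g121ean01` panel_desc is cut off at the end of the hunk.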
diff --git a/queue-5.10/i40e-fix-misleading-debug-logs.patch b/queue-5.10/i40e-fix-misleading-debug-logs.patch
new file mode 100644 (file)
index 0000000..ad0c5a1
--- /dev/null
@@ -0,0 +1,67 @@
+From 7b3046d3adbb3c8f7a495385241c0b8ca237a3c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Aug 2023 09:47:32 +0200
+Subject: i40e: fix misleading debug logs
+
+From: Andrii Staikov <andrii.staikov@intel.com>
+
+[ Upstream commit 2f2beb8874cb0844e84ad26e990f05f4f13ff63f ]
+
+Change "write" into the actual "read" word.
+Change parameters description.
+
+Fixes: 7073f46e443e ("i40e: Add AQ commands for NVM Update for X722")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Andrii Staikov <andrii.staikov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_nvm.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_nvm.c b/drivers/net/ethernet/intel/i40e/i40e_nvm.c
+index 7164f4ad81202..6b1996451a4bd 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_nvm.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_nvm.c
+@@ -210,11 +210,11 @@ static i40e_status i40e_read_nvm_word_srctl(struct i40e_hw *hw, u16 offset,
+  * @hw: pointer to the HW structure.
+  * @module_pointer: module pointer location in words from the NVM beginning
+  * @offset: offset in words from module start
+- * @words: number of words to write
+- * @data: buffer with words to write to the Shadow RAM
++ * @words: number of words to read
++ * @data: buffer with words to read to the Shadow RAM
+  * @last_command: tells the AdminQ that this is the last command
+  *
+- * Writes a 16 bit words buffer to the Shadow RAM using the admin command.
++ * Reads a 16 bit words buffer to the Shadow RAM using the admin command.
+  **/
+ static i40e_status i40e_read_nvm_aq(struct i40e_hw *hw,
+                                   u8 module_pointer, u32 offset,
+@@ -234,18 +234,18 @@ static i40e_status i40e_read_nvm_aq(struct i40e_hw *hw,
+        */
+       if ((offset + words) > hw->nvm.sr_size)
+               i40e_debug(hw, I40E_DEBUG_NVM,
+-                         "NVM write error: offset %d beyond Shadow RAM limit %d\n",
++                         "NVM read error: offset %d beyond Shadow RAM limit %d\n",
+                          (offset + words), hw->nvm.sr_size);
+       else if (words > I40E_SR_SECTOR_SIZE_IN_WORDS)
+-              /* We can write only up to 4KB (one sector), in one AQ write */
++              /* We can read only up to 4KB (one sector), in one AQ write */
+               i40e_debug(hw, I40E_DEBUG_NVM,
+-                         "NVM write fail error: tried to write %d words, limit is %d.\n",
++                         "NVM read fail error: tried to read %d words, limit is %d.\n",
+                          words, I40E_SR_SECTOR_SIZE_IN_WORDS);
+       else if (((offset + (words - 1)) / I40E_SR_SECTOR_SIZE_IN_WORDS)
+                != (offset / I40E_SR_SECTOR_SIZE_IN_WORDS))
+-              /* A single write cannot spread over two sectors */
++              /* A single read cannot spread over two sectors */
+               i40e_debug(hw, I40E_DEBUG_NVM,
+-                         "NVM write error: cannot spread over two sectors in a single write offset=%d words=%d\n",
++                         "NVM read error: cannot spread over two sectors in a single read offset=%d words=%d\n",
+                          offset, words);
+       else
+               ret_code = i40e_aq_read_nvm(hw, module_pointer,
+-- 
+2.40.1
+
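Review bot: The reworded kernel-doc still describes the data flow backwards: `@data: buffer with words to read to the Shadow RAM` and `Reads a 16 bit words buffer to the Shadow RAM using the admin command.` should say `@data: buffer to receive the words read from the Shadow RAM` and `Reads a 16 bit words buffer from the Shadow RAM using the admin command.`. In the second hunk `/* We can read only up to 4KB (one sector), in one AQ write */` also keeps "write" at the end although the message right below it now says "read". i40e_read_nvm_aq's body continues outside both hunks.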
diff --git a/queue-5.10/ip6_vti-fix-slab-use-after-free-in-decode_session6.patch b/queue-5.10/ip6_vti-fix-slab-use-after-free-in-decode_session6.patch
new file mode 100644 (file)
index 0000000..5a73bc9
--- /dev/null
@@ -0,0 +1,117 @@
+From 5c0e8772282b98a8ba5174305bb454c374f5cff4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jul 2023 17:40:52 +0800
+Subject: ip6_vti: fix slab-use-after-free in decode_session6
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 9fd41f1ba638938c9a1195d09bc6fa3be2712f25 ]
+
+When ipv6_vti device is set to the qdisc of the sfb type, the cb field
+of the sent skb may be modified during enqueuing. Then,
+slab-use-after-free may occur when ipv6_vti device sends IPv6 packets.
+
+The stack information is as follows:
+BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
+Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
+Call Trace:
+<IRQ>
+dump_stack_lvl+0xd9/0x150
+print_address_description.constprop.0+0x2c/0x3c0
+kasan_report+0x11d/0x130
+decode_session6+0x103f/0x1890
+__xfrm_decode_session+0x54/0xb0
+vti6_tnl_xmit+0x3e6/0x1ee0
+dev_hard_start_xmit+0x187/0x700
+sch_direct_xmit+0x1a3/0xc30
+__qdisc_run+0x510/0x17a0
+__dev_queue_xmit+0x2215/0x3b10
+neigh_connected_output+0x3c2/0x550
+ip6_finish_output2+0x55a/0x1550
+ip6_finish_output+0x6b9/0x1270
+ip6_output+0x1f1/0x540
+ndisc_send_skb+0xa63/0x1890
+ndisc_send_rs+0x132/0x6f0
+addrconf_rs_timer+0x3f1/0x870
+call_timer_fn+0x1a0/0x580
+expire_timers+0x29b/0x4b0
+run_timer_softirq+0x326/0x910
+__do_softirq+0x1d4/0x905
+irq_exit_rcu+0xb7/0x120
+sysvec_apic_timer_interrupt+0x97/0xc0
+</IRQ>
+Allocated by task 9176:
+kasan_save_stack+0x22/0x40
+kasan_set_track+0x25/0x30
+__kasan_slab_alloc+0x7f/0x90
+kmem_cache_alloc_node+0x1cd/0x410
+kmalloc_reserve+0x165/0x270
+__alloc_skb+0x129/0x330
+netlink_sendmsg+0x9b1/0xe30
+sock_sendmsg+0xde/0x190
+____sys_sendmsg+0x739/0x920
+___sys_sendmsg+0x110/0x1b0
+__sys_sendmsg+0xf7/0x1c0
+do_syscall_64+0x39/0xb0
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+Freed by task 9176:
+kasan_save_stack+0x22/0x40
+kasan_set_track+0x25/0x30
+kasan_save_free_info+0x2b/0x40
+____kasan_slab_free+0x160/0x1c0
+slab_free_freelist_hook+0x11b/0x220
+kmem_cache_free+0xf0/0x490
+skb_free_head+0x17f/0x1b0
+skb_release_data+0x59c/0x850
+consume_skb+0xd2/0x170
+netlink_unicast+0x54f/0x7f0
+netlink_sendmsg+0x926/0xe30
+sock_sendmsg+0xde/0x190
+____sys_sendmsg+0x739/0x920
+___sys_sendmsg+0x110/0x1b0
+__sys_sendmsg+0xf7/0x1c0
+do_syscall_64+0x39/0xb0
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+The buggy address belongs to the object at ffff88802e08ed00
+which belongs to the cache skbuff_small_head of size 640
+The buggy address is located 194 bytes inside of
+freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)
+
+As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
+_decode_session6.") showed, xfrm_decode_session was originally intended
+only for the receive path. IP6CB(skb)->nhoff is not set during
+transmission. Therefore, set the cb field in the skb to 0 before
+sending packets.
+
+Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_vti.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
+index 99f2dc802e366..162ba065d4764 100644
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -567,12 +567,12 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+                   vti6_addr_conflict(t, ipv6_hdr(skb)))
+                       goto tx_err;
+-              xfrm_decode_session(skb, &fl, AF_INET6);
+               memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
++              xfrm_decode_session(skb, &fl, AF_INET6);
+               break;
+       case htons(ETH_P_IP):
+-              xfrm_decode_session(skb, &fl, AF_INET);
+               memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
++              xfrm_decode_session(skb, &fl, AF_INET);
+               break;
+       default:
+               goto tx_err;
+-- 
+2.40.1
+
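Review bot: Moving `memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));` ahead of `xfrm_decode_session(skb, &fl, AF_INET6);` is only safe as long as nobody swaps the two lines back, and nothing in the code says why the order matters; a comment such as `/* Clear cb before decode_session: it reads IP6CB(skb)->nhoff, which is not set on the xmit path and may hold stale qdisc data */` pins the invariant. The same applies to both swapped pairs in vti_tunnel_xmit in the ip_vti hunk that follows. Both switch statements start outside their hunks.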
diff --git a/queue-5.10/ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch b/queue-5.10/ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch
new file mode 100644 (file)
index 0000000..0a3afd8
--- /dev/null
@@ -0,0 +1,48 @@
+From 80b8cd01fdca399a7ed9c52db6b6a456fe4c21d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jul 2023 17:40:53 +0800
+Subject: ip_vti: fix potential slab-use-after-free in decode_session6
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 6018a266279b1a75143c7c0804dd08a5fc4c3e0b ]
+
+When ip_vti device is set to the qdisc of the sfb type, the cb field
+of the sent skb may be modified during enqueuing. Then,
+slab-use-after-free may occur when ip_vti device sends IPv6 packets.
+As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
+_decode_session6.") showed, xfrm_decode_session was originally intended
+only for the receive path. IP6CB(skb)->nhoff is not set during
+transmission. Therefore, set the cb field in the skb to 0 before
+sending packets.
+
+Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_vti.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
+index 84a818b09beeb..90f349be4848d 100644
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -285,12 +285,12 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
+       switch (skb->protocol) {
+       case htons(ETH_P_IP):
+-              xfrm_decode_session(skb, &fl, AF_INET);
+               memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
++              xfrm_decode_session(skb, &fl, AF_INET);
+               break;
+       case htons(ETH_P_IPV6):
+-              xfrm_decode_session(skb, &fl, AF_INET6);
+               memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
++              xfrm_decode_session(skb, &fl, AF_INET6);
+               break;
+       default:
+               goto tx_err;
+-- 
+2.40.1
+
diff --git a/queue-5.10/ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch b/queue-5.10/ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch
new file mode 100644 (file)
index 0000000..893e620
--- /dev/null
@@ -0,0 +1,69 @@
+From 4fc0a95107efb58065990ec09861df8104b8df6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Aug 2023 15:12:42 -0400
+Subject: ipvs: fix racy memcpy in proc_do_sync_threshold
+
+From: Sishuai Gong <sishuai.system@gmail.com>
+
+[ Upstream commit 5310760af1d4fbea1452bfc77db5f9a680f7ae47 ]
+
+When two threads run proc_do_sync_threshold() in parallel,
+data races could happen between the two memcpy():
+
+Thread-1                       Thread-2
+memcpy(val, valp, sizeof(val));
+                               memcpy(valp, val, sizeof(val));
+
+This race might mess up the (struct ctl_table *) table->data,
+so we add a mutex lock to serialize them.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/netdev/B6988E90-0A1E-4B85-BF26-2DAF6D482433@gmail.com/
+Signed-off-by: Sishuai Gong <sishuai.system@gmail.com>
+Acked-by: Simon Horman <horms@kernel.org>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 29ec3ef63edc7..d0b64c36471d5 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1802,6 +1802,7 @@ static int
+ proc_do_sync_threshold(struct ctl_table *table, int write,
+                      void *buffer, size_t *lenp, loff_t *ppos)
+ {
++      struct netns_ipvs *ipvs = table->extra2;
+       int *valp = table->data;
+       int val[2];
+       int rc;
+@@ -1811,6 +1812,7 @@ proc_do_sync_threshold(struct ctl_table *table, int write,
+               .mode = table->mode,
+       };
++      mutex_lock(&ipvs->sync_mutex);
+       memcpy(val, valp, sizeof(val));
+       rc = proc_dointvec(&tmp, write, buffer, lenp, ppos);
+       if (write) {
+@@ -1820,6 +1822,7 @@ proc_do_sync_threshold(struct ctl_table *table, int write,
+               else
+                       memcpy(valp, val, sizeof(val));
+       }
++      mutex_unlock(&ipvs->sync_mutex);
+       return rc;
+ }
+@@ -4077,6 +4080,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
+       ipvs->sysctl_sync_threshold[0] = DEFAULT_SYNC_THRESHOLD;
+       ipvs->sysctl_sync_threshold[1] = DEFAULT_SYNC_PERIOD;
+       tbl[idx].data = &ipvs->sysctl_sync_threshold;
++      tbl[idx].extra2 = ipvs;
+       tbl[idx++].maxlen = sizeof(ipvs->sysctl_sync_threshold);
+       ipvs->sysctl_sync_refresh_period = DEFAULT_SYNC_REFRESH_PERIOD;
+       tbl[idx++].data = &ipvs->sysctl_sync_refresh_period;
+-- 
+2.40.1
+
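Review bot: `struct netns_ipvs *ipvs = table->extra2;` is dereferenced unconditionally in proc_do_sync_threshold, and the third hunk shows `extra2` being populated only for the sync_threshold entry of ip_vs_control_net_init_sysctl, so attaching this handler to any other ctl_table entry that leaves `extra2` unset would turn `mutex_lock(&ipvs->sync_mutex);` into a NULL dereference. A comment at `tbl[idx].extra2 = ipvs;` such as `/* proc_do_sync_threshold() locks ipvs->sync_mutex via extra2 */` makes the coupling explicit. The lock has to cover both memcpy() calls and the proc_dointvec() between them, because narrowing it to the copies would reintroduce the read-modify-write race the commit fixes; that is worth stating at the `mutex_lock` line. proc_do_sync_threshold's opening lines are in the hunk, but ip_vs_control_net_init_sysctl starts outside it.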
diff --git a/queue-5.10/net-af_key-fix-sadb_x_filter-validation.patch b/queue-5.10/net-af_key-fix-sadb_x_filter-validation.patch
new file mode 100644 (file)
index 0000000..5783f12
--- /dev/null
@@ -0,0 +1,41 @@
+From 302fafe5da4d9c8d0a276473984955083d657ba1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jun 2023 11:39:54 +0800
+Subject: net: af_key: fix sadb_x_filter validation
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 75065a8929069bc93181848818e23f147a73f83a ]
+
+When running xfrm_state_walk_init(), the xfrm_address_filter being used
+is okay to have a splen/dplen that equals to sizeof(xfrm_address_t)<<3.
+This commit replaces >= to > to make sure the boundary checking is
+correct.
+
+Fixes: 37bd22420f85 ("af_key: pfkey_dump needs parameter validation")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index fff2bd5f03e37..f42854973ba8d 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1852,9 +1852,9 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms
+       if (ext_hdrs[SADB_X_EXT_FILTER - 1]) {
+               struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1];
+-              if ((xfilter->sadb_x_filter_splen >=
++              if ((xfilter->sadb_x_filter_splen >
+                       (sizeof(xfrm_address_t) << 3)) ||
+-                  (xfilter->sadb_x_filter_dplen >=
++                  (xfilter->sadb_x_filter_dplen >
+                       (sizeof(xfrm_address_t) << 3))) {
+                       mutex_unlock(&pfk->dump_lock);
+                       return -EINVAL;
+-- 
+2.40.1
+
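Review bot: The corrected bound `xfilter->sadb_x_filter_splen > (sizeof(xfrm_address_t) << 3)` compares a prefix length in bits with the width of the address storage, and the `<< 3` leaves the reader to work out the bytes-to-bits step; a comment such as `/* prefix lengths are in bits; a full-width prefix (all address bits) is valid */` records why a value equal to the width is now accepted. Whether the consumer copes with a full-width prefix is not visible in the hunk and rests on the commit message's claim about xfrm_state_walk_init(), so a test that dumps with splen equal to the full width for both address families would guard the new boundary. pfkey_dump starts and ends outside the hunk.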
diff --git a/queue-5.10/net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch b/queue-5.10/net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch
new file mode 100644 (file)
index 0000000..c397286
--- /dev/null
@@ -0,0 +1,90 @@
+From b5a024814ca74c72c7bfc83bf314365e39f2781a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 14:21:58 +0000
+Subject: net: do not allow gso_size to be set to GSO_BY_FRAGS
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b616be6b97688f2f2bd7c4a47ab32f27f94fb2a9 ]
+
+One missing check in virtio_net_hdr_to_skb() allowed
+syzbot to crash kernels again [1]
+
+Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff),
+because this magic value is used by the kernel.
+
+[1]
+general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
+CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500
+Code: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01
+RSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000
+RDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070
+RBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff
+R10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6
+R13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff
+FS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109
+ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120
+skb_mac_gso_segment+0x292/0x610 net/core/gso.c:53
+__skb_gso_segment+0x339/0x710 net/core/gso.c:124
+skb_gso_segment include/net/gso.h:83 [inline]
+validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625
+__dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329
+dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+packet_xmit+0x257/0x380 net/packet/af_packet.c:276
+packet_snd net/packet/af_packet.c:3087 [inline]
+packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119
+sock_sendmsg_nosec net/socket.c:727 [inline]
+sock_sendmsg+0xd9/0x180 net/socket.c:750
+____sys_sendmsg+0x6ac/0x940 net/socket.c:2496
+___sys_sendmsg+0x135/0x1d0 net/socket.c:2550
+__sys_sendmsg+0x117/0x1e0 net/socket.c:2579
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7ff27cdb34d9
+
+Fixes: 3953c46c3ac7 ("sk_buff: allow segmenting based on frag sizes")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Xin Long <lucien.xin@gmail.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230816142158.1779798-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/virtio_net.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
+index a960de68ac69e..6047058d67037 100644
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -148,6 +148,10 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
+               if (gso_type & SKB_GSO_UDP)
+                       nh_off -= thlen;
++              /* Kernel has a special handling for GSO_BY_FRAGS. */
++              if (gso_size == GSO_BY_FRAGS)
++                      return -EINVAL;
++
+               /* Too small packets are not really GSO ones. */
+               if (skb->len - nh_off > gso_size) {
+                       shinfo->gso_size = gso_size;
+-- 
+2.40.1
+
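Review bot: `/* Kernel has a special handling for GSO_BY_FRAGS. */` says that the value is special without saying why a header-supplied gso_size equal to it has to be rejected; `/* GSO_BY_FRAGS (0xffff) is a kernel-internal sentinel telling skb_segment() to segment by frag sizes; it must never be taken from an untrusted header. */` explains the -EINVAL to the next reader. The check depends only on gso_size, so it could sit at the top of the block ahead of the `SKB_GSO_UDP` adjustment of nh_off, provided gso_size is already computed there; that part of virtio_net_hdr_to_skb is outside the hunk, as is the function's start.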
diff --git a/queue-5.10/net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch b/queue-5.10/net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch
new file mode 100644 (file)
index 0000000..b4c6dbf
--- /dev/null
@@ -0,0 +1,49 @@
+From 75136daa6a560bd6b5e93b727712f45eee39da77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Aug 2023 17:13:23 -0700
+Subject: net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset
+
+From: Alfred Lee <l00g33k@gmail.com>
+
+[ Upstream commit 23d775f12dcd23d052a4927195f15e970e27ab26 ]
+
+If the switch is reset during active EEPROM transactions, as in
+just after an SoC reset after power up, the I2C bus transaction
+may be cut short leaving the EEPROM internal I2C state machine
+in the wrong state.  When the switch is reset again, the bad
+state machine state may result in data being read from the wrong
+memory location causing the switch to enter unexpected mode
+rendering it inoperational.
+
+Fixes: a3dcb3e7e70c ("net: dsa: mv88e6xxx: Wait for EEPROM done after HW reset")
+Signed-off-by: Alfred Lee <l00g33k@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20230815001323.24739-1-l00g33k@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index 8b2c8546f4c99..177151298d72a 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -2310,6 +2310,14 @@ static void mv88e6xxx_hardware_reset(struct mv88e6xxx_chip *chip)
+       /* If there is a GPIO connected to the reset pin, toggle it */
+       if (gpiod) {
++              /* If the switch has just been reset and not yet completed
++               * loading EEPROM, the reset may interrupt the I2C transaction
++               * mid-byte, causing the first EEPROM read after the reset
++               * from the wrong location resulting in the switch booting
++               * to wrong mode and inoperable.
++               */
++              mv88e6xxx_g1_wait_eeprom_done(chip);
++
+               gpiod_set_value_cansleep(gpiod, 1);
+               usleep_range(10000, 20000);
+               gpiod_set_value_cansleep(gpiod, 0);
+-- 
+2.40.1
+
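Review bot: The comment added above `mv88e6xxx_g1_wait_eeprom_done(chip);` ends awkwardly ("from the wrong location resulting in the switch booting to wrong mode and inoperable"); I would tighten the last two lines to `* from the wrong location, so the switch boots into the wrong mode` / `* and is inoperable.` The wait is called without inspecting any result, so if it can time out the reset still proceeds to the GPIO toggle; if that best-effort behaviour is intended, one clause in the comment saying so would spare the next reader a trip to the callee. The enclosing mv88e6xxx_hardware_reset() begins and ends outside the hunk.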
diff --git a/queue-5.10/net-phy-broadcom-stub-c45-read-write-for-54810.patch b/queue-5.10/net-phy-broadcom-stub-c45-read-write-for-54810.patch
new file mode 100644 (file)
index 0000000..637de08
--- /dev/null
@@ -0,0 +1,58 @@
+From 857a4b0886758e21211bb270bd5cc89443768349 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Aug 2023 21:41:47 -0700
+Subject: net: phy: broadcom: stub c45 read/write for 54810
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit 096516d092d54604d590827d05b1022c8f326639 ]
+
+The 54810 does not support c45. The mmd_phy_indirect accesses return
+arbirtary values leading to odd behavior like saying it supports EEE
+when it doesn't. We also see that reading/writing these non-existent
+MMD registers leads to phy instability in some cases.
+
+Fixes: b14995ac2527 ("net: phy: broadcom: Add BCM54810 PHY entry")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/1691901708-28650-1-git-send-email-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/broadcom.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c
+index 0cde17bd743f3..a664faa8f01f6 100644
+--- a/drivers/net/phy/broadcom.c
++++ b/drivers/net/phy/broadcom.c
+@@ -404,6 +404,17 @@ static int bcm54xx_resume(struct phy_device *phydev)
+       return bcm54xx_config_init(phydev);
+ }
++static int bcm54810_read_mmd(struct phy_device *phydev, int devnum, u16 regnum)
++{
++      return -EOPNOTSUPP;
++}
++
++static int bcm54810_write_mmd(struct phy_device *phydev, int devnum, u16 regnum,
++                            u16 val)
++{
++      return -EOPNOTSUPP;
++}
++
+ static int bcm54811_config_init(struct phy_device *phydev)
+ {
+       int err, reg;
+@@ -841,6 +852,8 @@ static struct phy_driver broadcom_drivers[] = {
+       .phy_id_mask    = 0xfffffff0,
+       .name           = "Broadcom BCM54810",
+       /* PHY_GBIT_FEATURES */
++      .read_mmd       = bcm54810_read_mmd,
++      .write_mmd      = bcm54810_write_mmd,
+       .config_init    = bcm54xx_config_init,
+       .config_aneg    = bcm5481_config_aneg,
+       .ack_interrupt  = bcm_phy_ack_intr,
+-- 
+2.40.1
+
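Review bot: The new `bcm54810_read_mmd` and `bcm54810_write_mmd` stubs carry no comment, so a reader of broadcom.c cannot tell why this one PHY rejects MMD access without digging up the commit; I would place `/* The BCM54810 has no C45/MMD register space: indirect accesses return arbitrary values and can destabilise the PHY, so refuse them. */` above `bcm54810_read_mmd`. Wiring both hooks into the BCM54810 entry with `-EOPNOTSUPP` is the right shape, since it also stops feature probes such as EEE from trusting garbage reads, as the message describes.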
diff --git a/queue-5.10/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch b/queue-5.10/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch
new file mode 100644 (file)
index 0000000..bc00e4b
--- /dev/null
@@ -0,0 +1,62 @@
+From 61c8a7d34dba05e621ca8edd0cde462b082d9e75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jun 2023 16:19:11 +0800
+Subject: net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit d1e0e61d617ba17aa516db707aa871387566bbf7 ]
+
+According to all consumers code of attrs[XFRMA_SEC_CTX], like
+
+* verify_sec_ctx_len(), convert to xfrm_user_sec_ctx*
+* xfrm_state_construct(), call security_xfrm_state_alloc whose prototype
+is int security_xfrm_state_alloc(.., struct xfrm_user_sec_ctx *sec_ctx);
+* copy_from_user_sec_ctx(), convert to xfrm_user_sec_ctx *
+...
+
+It seems that the expected parsing result for XFRMA_SEC_CTX should be
+structure xfrm_user_sec_ctx, and the current xfrm_sec_ctx is confusing
+and misleading (Luckily, they happen to have same size 8 bytes).
+
+This commit amend the policy structure to xfrm_user_sec_ctx to avoid
+ambiguity.
+
+Fixes: cf5cb79f6946 ("[XFRM] netlink: Establish an attribute policy")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_compat.c | 2 +-
+ net/xfrm/xfrm_user.c   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c
+index 8cbf45a8bcdc2..655fe4ff86212 100644
+--- a/net/xfrm/xfrm_compat.c
++++ b/net/xfrm/xfrm_compat.c
+@@ -108,7 +108,7 @@ static const struct nla_policy compat_policy[XFRMA_MAX+1] = {
+       [XFRMA_ALG_COMP]        = { .len = sizeof(struct xfrm_algo) },
+       [XFRMA_ENCAP]           = { .len = sizeof(struct xfrm_encap_tmpl) },
+       [XFRMA_TMPL]            = { .len = sizeof(struct xfrm_user_tmpl) },
+-      [XFRMA_SEC_CTX]         = { .len = sizeof(struct xfrm_sec_ctx) },
++      [XFRMA_SEC_CTX]         = { .len = sizeof(struct xfrm_user_sec_ctx) },
+       [XFRMA_LTIME_VAL]       = { .len = sizeof(struct xfrm_lifetime_cur) },
+       [XFRMA_REPLAY_VAL]      = { .len = sizeof(struct xfrm_replay_state) },
+       [XFRMA_REPLAY_THRESH]   = { .type = NLA_U32 },
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 025401bfa3e1e..0de7d0cf7be0f 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2737,7 +2737,7 @@ const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
+       [XFRMA_ALG_COMP]        = { .len = sizeof(struct xfrm_algo) },
+       [XFRMA_ENCAP]           = { .len = sizeof(struct xfrm_encap_tmpl) },
+       [XFRMA_TMPL]            = { .len = sizeof(struct xfrm_user_tmpl) },
+-      [XFRMA_SEC_CTX]         = { .len = sizeof(struct xfrm_sec_ctx) },
++      [XFRMA_SEC_CTX]         = { .len = sizeof(struct xfrm_user_sec_ctx) },
+       [XFRMA_LTIME_VAL]       = { .len = sizeof(struct xfrm_lifetime_cur) },
+       [XFRMA_REPLAY_VAL]      = { .len = sizeof(struct xfrm_replay_state) },
+       [XFRMA_REPLAY_THRESH]   = { .type = NLA_U32 },
+-- 
+2.40.1
+
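Review bot: The `.len` in these two `[XFRMA_SEC_CTX]` entries is only a minimum payload length for an untyped attribute, so the rename from `xfrm_sec_ctx` to `xfrm_user_sec_ctx` changes nothing at runtime (the message notes both are 8 bytes) and the variable-length context string after the header remains bounded solely by verify_sec_ctx_len(), which the message names as the consumer. A comment on the entry, `/* fixed header only; ctx_len and ctx_str are checked by verify_sec_ctx_len() */`, would make that division of responsibility visible at the policy table rather than in the callers. The same comment belongs on the matching xfrm_compat.c entry so the two tables stay in lockstep.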
diff --git a/queue-5.10/net-xfrm-fix-xfrm_address_filter-oob-read.patch b/queue-5.10/net-xfrm-fix-xfrm_address_filter-oob-read.patch
new file mode 100644 (file)
index 0000000..1f44691
--- /dev/null
@@ -0,0 +1,202 @@
+From 388e032679b1110f397d3761fafc0627681985ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jun 2023 11:31:38 +0800
+Subject: net: xfrm: Fix xfrm_address_filter OOB read
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit dfa73c17d55b921e1d4e154976de35317e43a93a ]
+
+We found below OOB crash:
+
+[   44.211730] ==================================================================
+[   44.212045] BUG: KASAN: slab-out-of-bounds in memcmp+0x8b/0xb0
+[   44.212045] Read of size 8 at addr ffff88800870f320 by task poc.xfrm/97
+[   44.212045]
+[   44.212045] CPU: 0 PID: 97 Comm: poc.xfrm Not tainted 6.4.0-rc7-00072-gdad9774deaf1-dirty #4
+[   44.212045] Call Trace:
+[   44.212045]  <TASK>
+[   44.212045]  dump_stack_lvl+0x37/0x50
+[   44.212045]  print_report+0xcc/0x620
+[   44.212045]  ? __virt_addr_valid+0xf3/0x170
+[   44.212045]  ? memcmp+0x8b/0xb0
+[   44.212045]  kasan_report+0xb2/0xe0
+[   44.212045]  ? memcmp+0x8b/0xb0
+[   44.212045]  kasan_check_range+0x39/0x1c0
+[   44.212045]  memcmp+0x8b/0xb0
+[   44.212045]  xfrm_state_walk+0x21c/0x420
+[   44.212045]  ? __pfx_dump_one_state+0x10/0x10
+[   44.212045]  xfrm_dump_sa+0x1e2/0x290
+[   44.212045]  ? __pfx_xfrm_dump_sa+0x10/0x10
+[   44.212045]  ? __kernel_text_address+0xd/0x40
+[   44.212045]  ? kasan_unpoison+0x27/0x60
+[   44.212045]  ? mutex_lock+0x60/0xe0
+[   44.212045]  ? __pfx_mutex_lock+0x10/0x10
+[   44.212045]  ? kasan_save_stack+0x22/0x50
+[   44.212045]  netlink_dump+0x322/0x6c0
+[   44.212045]  ? __pfx_netlink_dump+0x10/0x10
+[   44.212045]  ? mutex_unlock+0x7f/0xd0
+[   44.212045]  ? __pfx_mutex_unlock+0x10/0x10
+[   44.212045]  __netlink_dump_start+0x353/0x430
+[   44.212045]  xfrm_user_rcv_msg+0x3a4/0x410
+[   44.212045]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[   44.212045]  ? __pfx_xfrm_user_rcv_msg+0x10/0x10
+[   44.212045]  ? __pfx_xfrm_dump_sa+0x10/0x10
+[   44.212045]  ? __pfx_xfrm_dump_sa_done+0x10/0x10
+[   44.212045]  ? __stack_depot_save+0x382/0x4e0
+[   44.212045]  ? filter_irq_stacks+0x1c/0x70
+[   44.212045]  ? kasan_save_stack+0x32/0x50
+[   44.212045]  ? kasan_save_stack+0x22/0x50
+[   44.212045]  ? kasan_set_track+0x25/0x30
+[   44.212045]  ? __kasan_slab_alloc+0x59/0x70
+[   44.212045]  ? kmem_cache_alloc_node+0xf7/0x260
+[   44.212045]  ? kmalloc_reserve+0xab/0x120
+[   44.212045]  ? __alloc_skb+0xcf/0x210
+[   44.212045]  ? netlink_sendmsg+0x509/0x700
+[   44.212045]  ? sock_sendmsg+0xde/0xe0
+[   44.212045]  ? __sys_sendto+0x18d/0x230
+[   44.212045]  ? __x64_sys_sendto+0x71/0x90
+[   44.212045]  ? do_syscall_64+0x3f/0x90
+[   44.212045]  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[   44.212045]  ? netlink_sendmsg+0x509/0x700
+[   44.212045]  ? sock_sendmsg+0xde/0xe0
+[   44.212045]  ? __sys_sendto+0x18d/0x230
+[   44.212045]  ? __x64_sys_sendto+0x71/0x90
+[   44.212045]  ? do_syscall_64+0x3f/0x90
+[   44.212045]  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[   44.212045]  ? kasan_save_stack+0x22/0x50
+[   44.212045]  ? kasan_set_track+0x25/0x30
+[   44.212045]  ? kasan_save_free_info+0x2e/0x50
+[   44.212045]  ? __kasan_slab_free+0x10a/0x190
+[   44.212045]  ? kmem_cache_free+0x9c/0x340
+[   44.212045]  ? netlink_recvmsg+0x23c/0x660
+[   44.212045]  ? sock_recvmsg+0xeb/0xf0
+[   44.212045]  ? __sys_recvfrom+0x13c/0x1f0
+[   44.212045]  ? __x64_sys_recvfrom+0x71/0x90
+[   44.212045]  ? do_syscall_64+0x3f/0x90
+[   44.212045]  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[   44.212045]  ? copyout+0x3e/0x50
+[   44.212045]  netlink_rcv_skb+0xd6/0x210
+[   44.212045]  ? __pfx_xfrm_user_rcv_msg+0x10/0x10
+[   44.212045]  ? __pfx_netlink_rcv_skb+0x10/0x10
+[   44.212045]  ? __pfx_sock_has_perm+0x10/0x10
+[   44.212045]  ? mutex_lock+0x8d/0xe0
+[   44.212045]  ? __pfx_mutex_lock+0x10/0x10
+[   44.212045]  xfrm_netlink_rcv+0x44/0x50
+[   44.212045]  netlink_unicast+0x36f/0x4c0
+[   44.212045]  ? __pfx_netlink_unicast+0x10/0x10
+[   44.212045]  ? netlink_recvmsg+0x500/0x660
+[   44.212045]  netlink_sendmsg+0x3b7/0x700
+[   44.212045]  ? __pfx_netlink_sendmsg+0x10/0x10
+[   44.212045]  ? __pfx_netlink_sendmsg+0x10/0x10
+[   44.212045]  sock_sendmsg+0xde/0xe0
+[   44.212045]  __sys_sendto+0x18d/0x230
+[   44.212045]  ? __pfx___sys_sendto+0x10/0x10
+[   44.212045]  ? rcu_core+0x44a/0xe10
+[   44.212045]  ? __rseq_handle_notify_resume+0x45b/0x740
+[   44.212045]  ? _raw_spin_lock_irq+0x81/0xe0
+[   44.212045]  ? __pfx___rseq_handle_notify_resume+0x10/0x10
+[   44.212045]  ? __pfx_restore_fpregs_from_fpstate+0x10/0x10
+[   44.212045]  ? __pfx_blkcg_maybe_throttle_current+0x10/0x10
+[   44.212045]  ? __pfx_task_work_run+0x10/0x10
+[   44.212045]  __x64_sys_sendto+0x71/0x90
+[   44.212045]  do_syscall_64+0x3f/0x90
+[   44.212045]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[   44.212045] RIP: 0033:0x44b7da
+[   44.212045] RSP: 002b:00007ffdc8838548 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[   44.212045] RAX: ffffffffffffffda RBX: 00007ffdc8839978 RCX: 000000000044b7da
+[   44.212045] RDX: 0000000000000038 RSI: 00007ffdc8838770 RDI: 0000000000000003
+[   44.212045] RBP: 00007ffdc88385b0 R08: 00007ffdc883858c R09: 000000000000000c
+[   44.212045] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
+[   44.212045] R13: 00007ffdc8839968 R14: 00000000004c37d0 R15: 0000000000000001
+[   44.212045]  </TASK>
+[   44.212045]
+[   44.212045] Allocated by task 97:
+[   44.212045]  kasan_save_stack+0x22/0x50
+[   44.212045]  kasan_set_track+0x25/0x30
+[   44.212045]  __kasan_kmalloc+0x7f/0x90
+[   44.212045]  __kmalloc_node_track_caller+0x5b/0x140
+[   44.212045]  kmemdup+0x21/0x50
+[   44.212045]  xfrm_dump_sa+0x17d/0x290
+[   44.212045]  netlink_dump+0x322/0x6c0
+[   44.212045]  __netlink_dump_start+0x353/0x430
+[   44.212045]  xfrm_user_rcv_msg+0x3a4/0x410
+[   44.212045]  netlink_rcv_skb+0xd6/0x210
+[   44.212045]  xfrm_netlink_rcv+0x44/0x50
+[   44.212045]  netlink_unicast+0x36f/0x4c0
+[   44.212045]  netlink_sendmsg+0x3b7/0x700
+[   44.212045]  sock_sendmsg+0xde/0xe0
+[   44.212045]  __sys_sendto+0x18d/0x230
+[   44.212045]  __x64_sys_sendto+0x71/0x90
+[   44.212045]  do_syscall_64+0x3f/0x90
+[   44.212045]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[   44.212045]
+[   44.212045] The buggy address belongs to the object at ffff88800870f300
+[   44.212045]  which belongs to the cache kmalloc-64 of size 64
+[   44.212045] The buggy address is located 32 bytes inside of
+[   44.212045]  allocated 36-byte region [ffff88800870f300, ffff88800870f324)
+[   44.212045]
+[   44.212045] The buggy address belongs to the physical page:
+[   44.212045] page:00000000e4de16ee refcount:1 mapcount:0 mapping:000000000 ...
+[   44.212045] flags: 0x100000000000200(slab|node=0|zone=1)
+[   44.212045] page_type: 0xffffffff()
+[   44.212045] raw: 0100000000000200 ffff888004c41640 dead000000000122 0000000000000000
+[   44.212045] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
+[   44.212045] page dumped because: kasan: bad access detected
+[   44.212045]
+[   44.212045] Memory state around the buggy address:
+[   44.212045]  ffff88800870f200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[   44.212045]  ffff88800870f280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
+[   44.212045] >ffff88800870f300: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
+[   44.212045]                                ^
+[   44.212045]  ffff88800870f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   44.212045]  ffff88800870f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   44.212045] ==================================================================
+
+By investigating the code, we find the root cause of this OOB is the lack
+of checks in xfrm_dump_sa(). The buggy code allows a malicious user to pass
+arbitrary value of filter->splen/dplen. Hence, with crafted xfrm states,
+the attacker can achieve 8 bytes heap OOB read, which causes info leak.
+
+  if (attrs[XFRMA_ADDRESS_FILTER]) {
+    filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]),
+        sizeof(*filter), GFP_KERNEL);
+    if (filter == NULL)
+      return -ENOMEM;
+    // NO MORE CHECKS HERE !!!
+  }
+
+This patch fixes the OOB by adding necessary boundary checks, just like
+the code in pfkey_dump() function.
+
+Fixes: d3623099d350 ("ipsec: add support of limited SA dump")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index c6bf3898d1bf0..025401bfa3e1e 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1062,6 +1062,15 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
+                                        sizeof(*filter), GFP_KERNEL);
+                       if (filter == NULL)
+                               return -ENOMEM;
++
++                      /* see addr_match(), (prefix length >> 5) << 2
++                       * will be used to compare xfrm_address_t
++                       */
++                      if (filter->splen > (sizeof(xfrm_address_t) << 3) ||
++                          filter->dplen > (sizeof(xfrm_address_t) << 3)) {
++                              kfree(filter);
++                              return -EINVAL;
++                      }
+               }
+               if (attrs[XFRMA_PROTO])
+-- 
+2.40.1
+
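Review bot: The bound `sizeof(xfrm_address_t) << 3` (128 bits) is the right memory-safety limit here: addr_match() compares two xfrm_address_t values word by word, so once splen/dplen are capped the comparison cannot run past the 16-byte union, and a family-aware cap (32 for AF_INET) would only reject nonsensical filters earlier without changing safety. As a point of style, the check can be applied to the attribute payload before kmemdup(), which removes the `kfree(filter);` error path, e.g. `const struct xfrm_address_filter *af = nla_data(attrs[XFRMA_ADDRESS_FILTER]);` followed by the same two-field test before the copy. The enclosing xfrm_dump_sa() starts and ends outside the hunk.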
diff --git a/queue-5.10/netfilter-nft_dynset-disallow-object-maps.patch b/queue-5.10/netfilter-nft_dynset-disallow-object-maps.patch
new file mode 100644 (file)
index 0000000..1d575d4
--- /dev/null
@@ -0,0 +1,36 @@
+From de17599ec492b78c9e4e85ddfd7f34875e7ede83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Aug 2023 15:39:02 +0200
+Subject: netfilter: nft_dynset: disallow object maps
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 23185c6aed1ffb8fc44087880ba2767aba493779 ]
+
+Do not allow to insert elements from datapath to objects maps.
+
+Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to set elements")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_dynset.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index 8d47782b778f1..408b7f5faa5e5 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -138,6 +138,9 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
+       if (IS_ERR(set))
+               return PTR_ERR(set);
++      if (set->flags & NFT_SET_OBJECT)
++              return -EOPNOTSUPP;
++
+       if (set->ops->update == NULL)
+               return -EOPNOTSUPP;
+-- 
+2.40.1
+
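Review bot: The new `NFT_SET_OBJECT` rejection has no comment, and sitting between two other early returns it reads like a stray ordering choice rather than a deliberate policy; I would add `/* Object maps carry stateful object references that cannot be created from the datapath. */` above the `if`. Returning `-EOPNOTSUPP` matches the adjacent `set->ops->update == NULL` case, which keeps the error surface of nft_dynset_init() consistent. nft_dynset_init() begins and ends outside the hunk.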
diff --git a/queue-5.10/riscv-__asm_copy_to-from_user-optimize-unaligned-mem.patch b/queue-5.10/riscv-__asm_copy_to-from_user-optimize-unaligned-mem.patch
new file mode 100644 (file)
index 0000000..d9bb80a
--- /dev/null
@@ -0,0 +1,255 @@
+From 9566c2298b24e0c594a2f5402474ecb3137134e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 21:40:39 +0900
+Subject: riscv: __asm_copy_to-from_user: Optimize unaligned memory access and
+ pipeline stall
+
+From: Akira Tsukamoto <akira.tsukamoto@gmail.com>
+
+[ Upstream commit ca6eaaa210deec0e41cbfc380bf89cf079203569 ]
+
+This patch will reduce cpu usage dramatically in kernel space especially
+for application which use sys-call with large buffer size, such as
+network applications. The main reason behind this is that every
+unaligned memory access will raise exceptions and switch between s-mode
+and m-mode causing large overhead.
+
+First copy in bytes until reaches the first word aligned boundary in
+destination memory address. This is the preparation before the bulk
+aligned word copy.
+
+The destination address is aligned now, but oftentimes the source
+address is not in an aligned boundary. To reduce the unaligned memory
+access, it reads the data from source in aligned boundaries, which will
+cause the data to have an offset, and then combines the data in the next
+iteration by fixing offset with shifting before writing to destination.
+The majority of the improving copy speed comes from this shift copy.
+
+In the lucky situation that the both source and destination address are
+on the aligned boundary, perform load and store with register size to
+copy the data. Without the unrolling, it will reduce the speed since the
+next store instruction for the same register using from the load will
+stall the pipeline.
+
+At last, copying the remainder in one byte at a time.
+
+Signed-off-by: Akira Tsukamoto <akira.tsukamoto@gmail.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Stable-dep-of: 4b05b993900d ("riscv: uaccess: Return the number of bytes effectively not copied")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/lib/uaccess.S | 181 +++++++++++++++++++++++++++++++--------
+ 1 file changed, 146 insertions(+), 35 deletions(-)
+
+diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
+index fceaeb18cc640..bceb0629e440e 100644
+--- a/arch/riscv/lib/uaccess.S
++++ b/arch/riscv/lib/uaccess.S
+@@ -19,50 +19,161 @@ ENTRY(__asm_copy_from_user)
+       li t6, SR_SUM
+       csrs CSR_STATUS, t6
+-      add a3, a1, a2
+-      /* Use word-oriented copy only if low-order bits match */
+-      andi t0, a0, SZREG-1
+-      andi t1, a1, SZREG-1
+-      bne t0, t1, 2f
++      /* Save for return value */
++      mv      t5, a2
+-      addi t0, a1, SZREG-1
+-      andi t1, a3, ~(SZREG-1)
+-      andi t0, t0, ~(SZREG-1)
+       /*
+-       * a3: terminal address of source region
+-       * t0: lowest XLEN-aligned address in source
+-       * t1: highest XLEN-aligned address in source
++       * Register allocation for code below:
++       * a0 - start of uncopied dst
++       * a1 - start of uncopied src
++       * a2 - size
++       * t0 - end of uncopied dst
+        */
+-      bgeu t0, t1, 2f
+-      bltu a1, t0, 4f
++      add     t0, a0, a2
++      bgtu    a0, t0, 5f
++
++      /*
++       * Use byte copy only if too small.
++       */
++      li      a3, 8*SZREG /* size must be larger than size in word_copy */
++      bltu    a2, a3, .Lbyte_copy_tail
++
++      /*
++       * Copy first bytes until dst is align to word boundary.
++       * a0 - start of dst
++       * t1 - start of aligned dst
++       */
++      addi    t1, a0, SZREG-1
++      andi    t1, t1, ~(SZREG-1)
++      /* dst is already aligned, skip */
++      beq     a0, t1, .Lskip_first_bytes
+ 1:
+-      fixup REG_L, t2, (a1), 10f
+-      fixup REG_S, t2, (a0), 10f
+-      addi a1, a1, SZREG
+-      addi a0, a0, SZREG
+-      bltu a1, t1, 1b
++      /* a5 - one byte for copying data */
++      fixup lb      a5, 0(a1), 10f
++      addi    a1, a1, 1       /* src */
++      fixup sb      a5, 0(a0), 10f
++      addi    a0, a0, 1       /* dst */
++      bltu    a0, t1, 1b      /* t1 - start of aligned dst */
++
++.Lskip_first_bytes:
++      /*
++       * Now dst is aligned.
++       * Use shift-copy if src is misaligned.
++       * Use word-copy if both src and dst are aligned because
++       * can not use shift-copy which do not require shifting
++       */
++      /* a1 - start of src */
++      andi    a3, a1, SZREG-1
++      bnez    a3, .Lshift_copy
++
++.Lword_copy:
++        /*
++       * Both src and dst are aligned, unrolled word copy
++       *
++       * a0 - start of aligned dst
++       * a1 - start of aligned src
++       * a3 - a1 & mask:(SZREG-1)
++       * t0 - end of aligned dst
++       */
++      addi    t0, t0, -(8*SZREG-1) /* not to over run */
+ 2:
+-      bltu a1, a3, 5f
++      fixup REG_L   a4,        0(a1), 10f
++      fixup REG_L   a5,    SZREG(a1), 10f
++      fixup REG_L   a6,  2*SZREG(a1), 10f
++      fixup REG_L   a7,  3*SZREG(a1), 10f
++      fixup REG_L   t1,  4*SZREG(a1), 10f
++      fixup REG_L   t2,  5*SZREG(a1), 10f
++      fixup REG_L   t3,  6*SZREG(a1), 10f
++      fixup REG_L   t4,  7*SZREG(a1), 10f
++      fixup REG_S   a4,        0(a0), 10f
++      fixup REG_S   a5,    SZREG(a0), 10f
++      fixup REG_S   a6,  2*SZREG(a0), 10f
++      fixup REG_S   a7,  3*SZREG(a0), 10f
++      fixup REG_S   t1,  4*SZREG(a0), 10f
++      fixup REG_S   t2,  5*SZREG(a0), 10f
++      fixup REG_S   t3,  6*SZREG(a0), 10f
++      fixup REG_S   t4,  7*SZREG(a0), 10f
++      addi    a0, a0, 8*SZREG
++      addi    a1, a1, 8*SZREG
++      bltu    a0, t0, 2b
++
++      addi    t0, t0, 8*SZREG-1 /* revert to original value */
++      j       .Lbyte_copy_tail
++
++.Lshift_copy:
++
++      /*
++       * Word copy with shifting.
++       * For misaligned copy we still perform aligned word copy, but
++       * we need to use the value fetched from the previous iteration and
++       * do some shifts.
++       * This is safe because reading less than a word size.
++       *
++       * a0 - start of aligned dst
++       * a1 - start of src
++       * a3 - a1 & mask:(SZREG-1)
++       * t0 - end of uncopied dst
++       * t1 - end of aligned dst
++       */
++      /* calculating aligned word boundary for dst */
++      andi    t1, t0, ~(SZREG-1)
++      /* Converting unaligned src to aligned arc */
++      andi    a1, a1, ~(SZREG-1)
++
++      /*
++       * Calculate shifts
++       * t3 - prev shift
++       * t4 - current shift
++       */
++      slli    t3, a3, LGREG
++      li      a5, SZREG*8
++      sub     t4, a5, t3
++
++      /* Load the first word to combine with seceond word */
++      fixup REG_L   a5, 0(a1), 10f
+ 3:
++      /* Main shifting copy
++       *
++       * a0 - start of aligned dst
++       * a1 - start of aligned src
++       * t1 - end of aligned dst
++       */
++
++      /* At least one iteration will be executed */
++      srl     a4, a5, t3
++      fixup REG_L   a5, SZREG(a1), 10f
++      addi    a1, a1, SZREG
++      sll     a2, a5, t4
++      or      a2, a2, a4
++      fixup REG_S   a2, 0(a0), 10f
++      addi    a0, a0, SZREG
++      bltu    a0, t1, 3b
++
++      /* Revert src to original unaligned value  */
++      add     a1, a1, a3
++
++.Lbyte_copy_tail:
++      /*
++       * Byte copy anything left.
++       *
++       * a0 - start of remaining dst
++       * a1 - start of remaining src
++       * t0 - end of remaining dst
++       */
++      bgeu    a0, t0, 5f
++4:
++      fixup lb      a5, 0(a1), 10f
++      addi    a1, a1, 1       /* src */
++      fixup sb      a5, 0(a0), 10f
++      addi    a0, a0, 1       /* dst */
++      bltu    a0, t0, 4b      /* t0 - end of dst */
++
++5:
+       /* Disable access to user memory */
+       csrc CSR_STATUS, t6
+-      li a0, 0
++      li      a0, 0
+       ret
+-4: /* Edge case: unalignment */
+-      fixup lbu, t2, (a1), 10f
+-      fixup sb, t2, (a0), 10f
+-      addi a1, a1, 1
+-      addi a0, a0, 1
+-      bltu a1, t0, 4b
+-      j 1b
+-5: /* Edge case: remainder */
+-      fixup lbu, t2, (a1), 10f
+-      fixup sb, t2, (a0), 10f
+-      addi a1, a1, 1
+-      addi a0, a0, 1
+-      bltu a1, a3, 5b
+-      j 3b
+ ENDPROC(__asm_copy_to_user)
+ ENDPROC(__asm_copy_from_user)
+ EXPORT_SYMBOL(__asm_copy_to_user)
+@@ -117,7 +228,7 @@ EXPORT_SYMBOL(__clear_user)
+ 10:
+       /* Disable access to user memory */
+       csrs CSR_STATUS, t6
+-      mv a0, a2
++      mv a0, t5
+       ret
+ 11:
+       csrs CSR_STATUS, t6
+-- 
+2.40.1
+
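Review bot: Several of the new comments in uaccess.S carry typos or confusing wording that will outlive the patch: `/* Converting unaligned src to aligned arc */` should read `aligned src`, `seceond` should be `second`, and the .Lskip_first_bytes sentence ("Use word-copy if both src and dst are aligned because can not use shift-copy which do not require shifting") would be clearer as `* Use word-copy if both src and dst are aligned, since no shifting is needed.` The opening `/*` of the `.Lword_copy` comment block also appears to be indented with spaces where the neighbouring lines use a tab. The exception path at label 10 still returns `t5`, the full original size, rather than the bytes left uncopied; that is addressed by the "riscv: uaccess: Return the number of bytes effectively not copied" patch later in this queue, for which this patch is a stable dependency.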
diff --git a/queue-5.10/riscv-lib-uaccess-fix-csr_status-sr_sum-bit.patch b/queue-5.10/riscv-lib-uaccess-fix-csr_status-sr_sum-bit.patch
new file mode 100644 (file)
index 0000000..cb2dc8c
--- /dev/null
@@ -0,0 +1,54 @@
+From e1e850d6f778aa4f1a5485647020999e39e6483e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jun 2022 09:47:14 +0800
+Subject: riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
+
+From: Chen Lifu <chenlifu@huawei.com>
+
+[ Upstream commit c08b4848f596fd95543197463b5162bd7bab2442 ]
+
+Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
+and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"),
+if __clear_user and __copy_user return from an fixup branch,
+CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
+S-mode memory accesses to pages that are accessible by U-mode will success.
+Disable S-mode access to U-mode memory should clear SR_SUM bit.
+
+Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
+Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
+Signed-off-by: Chen Lifu <chenlifu@huawei.com>
+Reviewed-by: Ben Dooks <ben.dooks@codethink.co.uk>
+Link: https://lore.kernel.org/r/20220615014714.1650349-1-chenlifu@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Stable-dep-of: 4b05b993900d ("riscv: uaccess: Return the number of bytes effectively not copied")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/lib/uaccess.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
+index baddd6a0d0229..039050172d083 100644
+--- a/arch/riscv/lib/uaccess.S
++++ b/arch/riscv/lib/uaccess.S
+@@ -178,7 +178,7 @@ ENTRY(__asm_copy_from_user)
+       /* Exception fixup code */
+ 10:
+       /* Disable access to user memory */
+-      csrs CSR_STATUS, t6
++      csrc CSR_STATUS, t6
+       mv a0, t5
+       ret
+ ENDPROC(__asm_copy_to_user)
+@@ -230,7 +230,7 @@ ENTRY(__clear_user)
+       /* Exception fixup code */
+ 11:
+       /* Disable access to user memory */
+-      csrs CSR_STATUS, t6
++      csrc CSR_STATUS, t6
+       mv a0, a1
+       ret
+ ENDPROC(__clear_user)
+-- 
+2.40.1
+
diff --git a/queue-5.10/riscv-lib-uaccess-fold-fixups-into-body.patch b/queue-5.10/riscv-lib-uaccess-fold-fixups-into-body.patch
new file mode 100644 (file)
index 0000000..b5edcf6
--- /dev/null
@@ -0,0 +1,71 @@
+From 525c66da537d4229207c1ed8365e0f5c834844b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 19:25:14 +0800
+Subject: riscv: lib: uaccess: fold fixups into body
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+[ Upstream commit 9d504f9aa5c1b76673018da9503e76b351a24b8c ]
+
+uaccess functions such __asm_copy_to_user(),  __arch_copy_from_user()
+and __clear_user() place their exception fixups in the `.fixup` section
+without any clear association with themselves. If we backtrace the
+fixup code, it will be symbolized as an offset from the nearest prior
+symbol.
+
+Similar as arm64 does, we must move fixups into the body of the
+functions themselves, after the usual fast-path returns.
+
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Stable-dep-of: 4b05b993900d ("riscv: uaccess: Return the number of bytes effectively not copied")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/lib/uaccess.S | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
+index bceb0629e440e..baddd6a0d0229 100644
+--- a/arch/riscv/lib/uaccess.S
++++ b/arch/riscv/lib/uaccess.S
+@@ -174,6 +174,13 @@ ENTRY(__asm_copy_from_user)
+       csrc CSR_STATUS, t6
+       li      a0, 0
+       ret
++
++      /* Exception fixup code */
++10:
++      /* Disable access to user memory */
++      csrs CSR_STATUS, t6
++      mv a0, t5
++      ret
+ ENDPROC(__asm_copy_to_user)
+ ENDPROC(__asm_copy_from_user)
+ EXPORT_SYMBOL(__asm_copy_to_user)
+@@ -219,19 +226,12 @@ ENTRY(__clear_user)
+       addi a0, a0, 1
+       bltu a0, a3, 5b
+       j 3b
+-ENDPROC(__clear_user)
+-EXPORT_SYMBOL(__clear_user)
+-      .section .fixup,"ax"
+-      .balign 4
+-      /* Fixup code for __copy_user(10) and __clear_user(11) */
+-10:
+-      /* Disable access to user memory */
+-      csrs CSR_STATUS, t6
+-      mv a0, t5
+-      ret
++      /* Exception fixup code */
+ 11:
++      /* Disable access to user memory */
+       csrs CSR_STATUS, t6
+       mv a0, a1
+       ret
+-      .previous
++ENDPROC(__clear_user)
++EXPORT_SYMBOL(__clear_user)
+-- 
+2.40.1
+
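Review bot: The fixup block moved into the body at label 10 (and the one at 11 for __clear_user) is carried over with `csrs CSR_STATUS, t6`, which sets SR_SUM on the error path instead of clearing it, so kernel access to user memory stays enabled after a faulting copy; this hunk only relocates the code, and the correction to `csrc` arrives with the queued "riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit" patch. With the two blocks now living in different functions, the removed shared comment `/* Fixup code for __copy_user(10) and __clear_user(11) */` is replaced by a bare `/* Exception fixup code */` in each place; naming the owner, e.g. `/* Exception fixup for __asm_copy_{to,from}_user */` and `/* Exception fixup for __clear_user */`, would keep readers and backtraces oriented.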
diff --git a/queue-5.10/riscv-uaccess-return-the-number-of-bytes-effectively.patch b/queue-5.10/riscv-uaccess-return-the-number-of-bytes-effectively.patch
new file mode 100644 (file)
index 0000000..d20d758
--- /dev/null
@@ -0,0 +1,91 @@
+From df655fd08a44881aa74234e48b5b24cd2bd32dd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Aug 2023 17:06:04 +0200
+Subject: riscv: uaccess: Return the number of bytes effectively not copied
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+[ Upstream commit 4b05b993900dd3eba0fc83ef5c5ddc7d65d786c6 ]
+
+It was reported that the riscv kernel hangs while executing the test
+in [1].
+
+Indeed, the test hangs when trying to write a buffer to a file. The
+problem is that the riscv implementation of raw_copy_from_user() does not
+return the correct number of bytes not written when an exception happens
+and is fixed up, instead it always returns the initial size to copy,
+even if some bytes were actually copied.
+
+generic_perform_write() pre-faults the user pages and bails out if nothing
+can be written, otherwise it will access the userspace buffer: here the
+riscv implementation keeps returning it was not able to copy any byte
+though the pre-faulting indicates otherwise. So generic_perform_write()
+keeps retrying to access the user memory and ends up in an infinite
+loop.
+
+Note that before the commit mentioned in [1] that introduced this
+regression, it worked because generic_perform_write() would bail out if
+only one byte could not be written.
+
+So fix this by returning the number of bytes effectively not written in
+__asm_copy_[to|from]_user() and __clear_user(), as it is expected.
+
+Link: https://lore.kernel.org/linux-riscv/20230309151841.bomov6hq3ybyp42a@debian/ [1]
+Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
+Reported-by: Bo YU <tsu.yubo@gmail.com>
+Closes: https://lore.kernel.org/linux-riscv/20230309151841.bomov6hq3ybyp42a@debian/#t
+Reported-by: Aurelien Jarno <aurelien@aurel32.net>
+Closes: https://lore.kernel.org/linux-riscv/ZNOnCakhwIeue3yr@aurel32.net/
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Reviewed-by: Björn Töpel <bjorn@rivosinc.com>
+Tested-by: Aurelien Jarno <aurelien@aurel32.net>
+Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
+Link: https://lore.kernel.org/r/20230811150604.1621784-1-alexghiti@rivosinc.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/lib/uaccess.S | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
+index 039050172d083..80866dea07418 100644
+--- a/arch/riscv/lib/uaccess.S
++++ b/arch/riscv/lib/uaccess.S
+@@ -19,8 +19,11 @@ ENTRY(__asm_copy_from_user)
+       li t6, SR_SUM
+       csrs CSR_STATUS, t6
+-      /* Save for return value */
+-      mv      t5, a2
++      /*
++       * Save the terminal address which will be used to compute the number
++       * of bytes copied in case of a fixup exception.
++       */
++      add     t5, a0, a2
+       /*
+        * Register allocation for code below:
+@@ -179,7 +182,7 @@ ENTRY(__asm_copy_from_user)
+ 10:
+       /* Disable access to user memory */
+       csrc CSR_STATUS, t6
+-      mv a0, t5
++      sub a0, t5, a0
+       ret
+ ENDPROC(__asm_copy_to_user)
+ ENDPROC(__asm_copy_from_user)
+@@ -231,7 +234,7 @@ ENTRY(__clear_user)
+ 11:
+       /* Disable access to user memory */
+       csrc CSR_STATUS, t6
+-      mv a0, a1
++      sub a0, a3, a0
+       ret
+ ENDPROC(__clear_user)
+ EXPORT_SYMBOL(__clear_user)
+-- 
+2.40.1
+
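Review bot: The new fixup return `sub a0, t5, a0` at label 10: is exact only if a0 is advanced in step with every user access that can fault; if the unrolled word-copy loop bumps a0 once per block, a fault inside a block reports the whole block as not copied, which is conservative but still strictly smaller than the original length once any block completed, which is what the generic_perform_write() retry described in the commit message needs. The loop bodies where a0 is updated are outside this hunk, so that cannot be confirmed here. A one-line comment above the `sub`, `/* end - a0 = bytes not copied; exact only at the granularity a0 is advanced */`, would make the contract explicit. The same reasoning applies to `sub a0, a3, a0` at 11: in __clear_user, where a3 must hold the end address the loop compares against.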
diff --git a/queue-5.10/selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch b/queue-5.10/selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch
new file mode 100644 (file)
index 0000000..7d2eec5
--- /dev/null
@@ -0,0 +1,48 @@
+From 42d31b23748fb085b25fa5c9723a2ae71af06ebc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Aug 2023 17:59:27 +0200
+Subject: selftests: mirror_gre_changes: Tighten up the TTL test match
+
+From: Petr Machata <petrm@nvidia.com>
+
+[ Upstream commit 855067defa36b1f9effad8c219d9a85b655cf500 ]
+
+This test verifies whether the encapsulated packets have the correct
+configured TTL. It does so by sending ICMP packets through the test
+topology and mirroring them to a gretap netdevice. On a busy host
+however, more than just the test ICMP packets may end up flowing
+through the topology, get mirrored, and counted. This leads to
+potential spurious failures as the test observes much more mirrored
+packets than the sent test packets, and assumes a bug.
+
+Fix this by tightening up the mirror action match. Change it from
+matchall to a flower classifier matching on ICMP packets specifically.
+
+Fixes: 45315673e0c5 ("selftests: forwarding: Test changes in mirror-to-gretap")
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/forwarding/mirror_gre_changes.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/forwarding/mirror_gre_changes.sh b/tools/testing/selftests/net/forwarding/mirror_gre_changes.sh
+index 472bd023e2a5f..b501b366367f7 100755
+--- a/tools/testing/selftests/net/forwarding/mirror_gre_changes.sh
++++ b/tools/testing/selftests/net/forwarding/mirror_gre_changes.sh
+@@ -72,7 +72,8 @@ test_span_gre_ttl()
+       RET=0
+-      mirror_install $swp1 ingress $tundev "matchall $tcflags"
++      mirror_install $swp1 ingress $tundev \
++              "prot ip flower $tcflags ip_prot icmp"
+       tc filter add dev $h3 ingress pref 77 prot $prot \
+               flower ip_ttl 50 action pass
+-- 
+2.40.1
+
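Review bot: The new flower match hard-codes `prot ip` and `ip_prot icmp`, so the mirror rule now fires only for IPv4 ICMP, while the h3 filter two lines below is parameterised on `$prot`; if `$prot` selects the tunnel's outer protocol this is fine, but if it can select an IPv6 test flow the mirror would silently see nothing and the test would fail for the wrong reason. The enclosing test_span_gre_ttl() starts outside the hunk, so the meaning of `$prot` cannot be confirmed here. A short comment above `mirror_install`, `# mirror only the test's IPv4 ICMP echo traffic so unrelated packets on a busy host are not counted`, would document the assumption.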
index 8c2d2d63636801c2d0b41d44347e6be2bd174765..e62204bd5be88dd47f5a3ecb3fbea62b1049c671 100644 (file)
@@ -76,3 +76,40 @@ tty-n_gsm-fix-the-uaf-caused-by-race-condition-in-gsm_cleanup_mux.patch
 tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.patch
 btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch
 i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch
+net-xfrm-fix-xfrm_address_filter-oob-read.patch
+net-af_key-fix-sadb_x_filter-validation.patch
+net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch
+xfrm-fix-slab-use-after-free-in-decode_session6.patch
+ip6_vti-fix-slab-use-after-free-in-decode_session6.patch
+ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch
+xfrm-add-null-check-in-xfrm_update_ae_params.patch
+xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch
+selftests-mirror_gre_changes-tighten-up-the-ttl-test.patch
+drm-panel-simple-fix-auo-g121ean01-panel-timings-acc.patch
+ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch
+netfilter-nft_dynset-disallow-object-maps.patch
+net-phy-broadcom-stub-c45-read-write-for-54810.patch
+team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch
+i40e-fix-misleading-debug-logs.patch
+net-dsa-mv88e6xxx-wait-for-eeprom-done-before-hw-res.patch
+sock-fix-misuse-of-sk_under_memory_pressure.patch
+net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch
+bus-ti-sysc-flush-posted-write-on-enable-before-rese.patch
+arm64-dts-rockchip-fix-supplies-on-rk3399-rock-pi-4.patch
+arm64-dts-rockchip-use-usb-host-by-default-on-rk3399.patch
+arm64-dts-rockchip-add-es8316-codec-for-rock-pi-4.patch
+arm64-dts-rockchip-add-spdif-node-for-rock-pi-4.patch
+arm64-dts-rockchip-fix-regulator-name-on-rk3399-rock.patch
+arm64-dts-rockchip-sort-nodes-properties-on-rk3399-r.patch
+arm64-dts-rockchip-disable-hs400-for-emmc-on-rock-pi.patch
+asoc-rt5665-add-missed-regulator_bulk_disable.patch
+asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch
+x86-srso-disable-the-mitigation-on-unaffected-config.patch
+x86-cpu-fix-up-srso_safe_ret-and-__x86_return_thunk.patch
+alsa-hda-realtek-remodified-3k-pull-low-procedure.patch
+riscv-__asm_copy_to-from_user-optimize-unaligned-mem.patch
+riscv-lib-uaccess-fold-fixups-into-body.patch
+riscv-lib-uaccess-fix-csr_status-sr_sum-bit.patch
+riscv-uaccess-return-the-number-of-bytes-effectively.patch
+x86-static_call-fix-__static_call_fixup.patch
+x86-srso-correct-the-mitigation-status-when-smt-is-d.patch
diff --git a/queue-5.10/sock-fix-misuse-of-sk_under_memory_pressure.patch b/queue-5.10/sock-fix-misuse-of-sk_under_memory_pressure.patch
new file mode 100644 (file)
index 0000000..c3cf632
--- /dev/null
@@ -0,0 +1,74 @@
+From 2ec30284d6fa7e5dbc93234fe2ab8f0fe5f15092 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 17:12:22 +0800
+Subject: sock: Fix misuse of sk_under_memory_pressure()
+
+From: Abel Wu <wuyun.abel@bytedance.com>
+
+[ Upstream commit 2d0c88e84e483982067a82073f6125490ddf3614 ]
+
+The status of global socket memory pressure is updated when:
+
+  a) __sk_mem_raise_allocated():
+
+       enter: sk_memory_allocated(sk) >  sysctl_mem[1]
+       leave: sk_memory_allocated(sk) <= sysctl_mem[0]
+
+  b) __sk_mem_reduce_allocated():
+
+       leave: sk_under_memory_pressure(sk) &&
+               sk_memory_allocated(sk) < sysctl_mem[0]
+
+So the conditions of leaving global pressure are inconstant, which
+may lead to the situation that one pressured net-memcg prevents the
+global pressure from being cleared when there is indeed no global
+pressure, thus the global constrains are still in effect unexpectedly
+on the other sockets.
+
+This patch fixes this by ignoring the net-memcg's pressure when
+deciding whether should leave global memory pressure.
+
+Fixes: e1aab161e013 ("socket: initial cgroup code.")
+Signed-off-by: Abel Wu <wuyun.abel@bytedance.com>
+Acked-by: Shakeel Butt <shakeelb@google.com>
+Link: https://lore.kernel.org/r/20230816091226.1542-1-wuyun.abel@bytedance.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 6 ++++++
+ net/core/sock.c    | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 1fb5c535537c1..665e388593752 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1346,6 +1346,12 @@ static inline bool sk_has_memory_pressure(const struct sock *sk)
+       return sk->sk_prot->memory_pressure != NULL;
+ }
++static inline bool sk_under_global_memory_pressure(const struct sock *sk)
++{
++      return sk->sk_prot->memory_pressure &&
++              !!*sk->sk_prot->memory_pressure;
++}
++
+ static inline bool sk_under_memory_pressure(const struct sock *sk)
+ {
+       if (!sk->sk_prot->memory_pressure)
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 98f4b4a80de42..742356cfd07c4 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2724,7 +2724,7 @@ void __sk_mem_reduce_allocated(struct sock *sk, int amount)
+       if (mem_cgroup_sockets_enabled && sk->sk_memcg)
+               mem_cgroup_uncharge_skmem(sk->sk_memcg, amount);
+-      if (sk_under_memory_pressure(sk) &&
++      if (sk_under_global_memory_pressure(sk) &&
+           (sk_memory_allocated(sk) < sk_prot_mem_limits(sk, 0)))
+               sk_leave_memory_pressure(sk);
+ }
+-- 
+2.40.1
+
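Review bot: `sk_under_global_memory_pressure()` re-implements the NULL test that `sk_has_memory_pressure()` directly above already provides, and the `!!` is redundant on a `bool` return; `return sk_has_memory_pressure(sk) && *sk->sk_prot->memory_pressure;` says the same thing. Whether the flag read should be `READ_ONCE()` depends on how sk_under_memory_pressure() below reads the same pointer, and that function is cut off at the end of the hunk. The helper also lacks a comment distinguishing it from sk_under_memory_pressure(): `/* Protocol-level (global) pressure only; deliberately ignores net-memcg pressure. */`.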
diff --git a/queue-5.10/team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch b/queue-5.10/team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch
new file mode 100644 (file)
index 0000000..4c9f474
--- /dev/null
@@ -0,0 +1,54 @@
+From e56de8b2576592e597be0a997822eb93e37a33b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Aug 2023 11:23:01 +0800
+Subject: team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit dafcbce07136d799edc4c67f04f9fd69ff1eac1f ]
+
+Similar to commit 01f4fd270870 ("bonding: Fix incorrect deletion of
+ETH_P_8021AD protocol vid from slaves"), we can trigger BUG_ON(!vlan_info)
+in unregister_vlan_dev() with the following testcase:
+
+  # ip netns add ns1
+  # ip netns exec ns1 ip link add team1 type team
+  # ip netns exec ns1 ip link add team_slave type veth peer veth2
+  # ip netns exec ns1 ip link set team_slave master team1
+  # ip netns exec ns1 ip link add link team_slave name team_slave.10 type vlan id 10 protocol 802.1ad
+  # ip netns exec ns1 ip link add link team1 name team1.10 type vlan id 10 protocol 802.1ad
+  # ip netns exec ns1 ip link set team_slave nomaster
+  # ip netns del ns1
+
+Add S-VLAN tag related features support to team driver. So the team driver
+will always propagate the VLAN info to its slaves.
+
+Fixes: 8ad227ff89a7 ("net: vlan: add 802.1ad support")
+Suggested-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230814032301.2804971-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 36c7eae776d44..721b536ce8861 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2195,7 +2195,9 @@ static void team_setup(struct net_device *dev)
+       dev->hw_features = TEAM_VLAN_FEATURES |
+                          NETIF_F_HW_VLAN_CTAG_RX |
+-                         NETIF_F_HW_VLAN_CTAG_FILTER;
++                         NETIF_F_HW_VLAN_CTAG_FILTER |
++                         NETIF_F_HW_VLAN_STAG_RX |
++                         NETIF_F_HW_VLAN_STAG_FILTER;
+       dev->hw_features |= NETIF_F_GSO_ENCAP_ALL | NETIF_F_GSO_UDP_L4;
+       dev->features |= dev->hw_features;
+-- 
+2.40.1
+
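Review bot: The added `NETIF_F_HW_VLAN_STAG_RX | NETIF_F_HW_VLAN_STAG_FILTER` bits carry no comment, so a later reader will not know they exist to keep 802.1ad vids propagated to (and removed from) slaves, as the commit message explains, rather than to advertise a hardware capability. A comment above the assignment, `/* S-VLAN RX/FILTER so 802.1ad vids are always propagated to slaves. */`, would stop them from being trimmed as unused later. Whether STAG_TX is already part of TEAM_VLAN_FEATURES is not visible in this hunk.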
diff --git a/queue-5.10/x86-cpu-fix-up-srso_safe_ret-and-__x86_return_thunk.patch b/queue-5.10/x86-cpu-fix-up-srso_safe_ret-and-__x86_return_thunk.patch
new file mode 100644 (file)
index 0000000..37d6e90
--- /dev/null
@@ -0,0 +1,53 @@
+From 21aec79a18bf0bfd55dc28a6f75e40139a009e7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Aug 2023 13:44:28 +0200
+Subject: x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit af023ef335f13c8b579298fc432daeef609a9e60 ]
+
+  vmlinux.o: warning: objtool: srso_untrain_ret() falls through to next function __x86_return_skl()
+  vmlinux.o: warning: objtool: __x86_return_thunk() falls through to next function __x86_return_skl()
+
+This is because these functions (can) end with CALL, which objtool
+does not consider a terminating instruction. Therefore, replace the
+INT3 instruction (which is a non-fatal trap) with UD2 (which is a
+fatal-trap).
+
+This indicates execution will not continue past this point.
+
+Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/20230814121148.637802730@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/lib/retpoline.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S
+index 5f7eed97487ec..a0fa45e8a87cd 100644
+--- a/arch/x86/lib/retpoline.S
++++ b/arch/x86/lib/retpoline.S
+@@ -199,7 +199,7 @@ SYM_INNER_LABEL(srso_safe_ret, SYM_L_GLOBAL)
+       int3
+       lfence
+       call srso_safe_ret
+-      int3
++      ud2
+ SYM_CODE_END(srso_safe_ret)
+ SYM_FUNC_END(srso_untrain_ret)
+ __EXPORT_THUNK(srso_untrain_ret)
+@@ -207,7 +207,7 @@ __EXPORT_THUNK(srso_untrain_ret)
+ SYM_FUNC_START(__x86_return_thunk)
+       ALTERNATIVE_2 "jmp __ret", "call srso_safe_ret", X86_FEATURE_SRSO, \
+                       "call srso_safe_ret_alias", X86_FEATURE_SRSO_ALIAS
+-      int3
++      ud2
+ SYM_CODE_END(__x86_return_thunk)
+ EXPORT_SYMBOL(__x86_return_thunk)
+-- 
+2.40.1
+
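Review bot: Both `ud2` sites replace `int3` purely so objtool sees a terminating instruction after a `call` that never returns normally, yet nothing at either site says so, and a reader may take the fatal trap for a reachable path. A one-line comment above each, `/* never reached: objtool terminator */`, would carry the reasoning from the commit message into the code. The surrounding srso_untrain_ret and __x86_return_thunk bodies are only partly visible in these hunks.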
diff --git a/queue-5.10/x86-srso-correct-the-mitigation-status-when-smt-is-d.patch b/queue-5.10/x86-srso-correct-the-mitigation-status-when-smt-is-d.patch
new file mode 100644 (file)
index 0000000..a809ab4
--- /dev/null
@@ -0,0 +1,48 @@
+From 64b84382738484038b4f27175158e1dff2f3044f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Aug 2023 11:53:13 +0200
+Subject: x86/srso: Correct the mitigation status when SMT is disabled
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+[ Upstream commit 6405b72e8d17bd1875a56ae52d23ec3cd51b9d66 ]
+
+Specify how is SRSO mitigated when SMT is disabled. Also, correct the
+SMT check for that.
+
+Fixes: e9fbc47b818b ("x86/srso: Disable the mitigation on unaffected configurations")
+Suggested-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Link: https://lore.kernel.org/r/20230814200813.p5czl47zssuej7nv@treble
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 876fb0d24602d..ac6c7a7b4fcae 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -2318,8 +2318,7 @@ static void __init srso_select_mitigation(void)
+                * Zen1/2 with SMT off aren't vulnerable after the right
+                * IBPB microcode has been applied.
+                */
+-              if ((boot_cpu_data.x86 < 0x19) &&
+-                  (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
++              if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) {
+                       setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
+                       return;
+               }
+@@ -2605,7 +2604,7 @@ static ssize_t gds_show_state(char *buf)
+ static ssize_t srso_show_state(char *buf)
+ {
+       if (boot_cpu_has(X86_FEATURE_SRSO_NO))
+-              return sysfs_emit(buf, "Not affected\n");
++              return sysfs_emit(buf, "Mitigation: SMT disabled\n");
+       return sysfs_emit(buf, "%s%s\n",
+                         srso_strings[srso_mitigation],
+-- 
+2.40.1
+
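Review bot: `srso_show_state()` now prints "Mitigation: SMT disabled" whenever X86_FEATURE_SRSO_NO is set, but that bit is also the name of a CPUID-advertised feature, not only the cap forced in srso_select_mitigation(); if the sysfs caller can reach this function on a CPU whose SRSO_NO came from hardware, the reason would be misreported. Whether the caller filters unaffected CPUs before calling in is outside this hunk. Recording the cause in a dedicated srso_mitigation state (and its srso_strings[] entry) next to `setup_force_cpu_cap(X86_FEATURE_SRSO_NO)`, instead of testing the feature bit in the show function, would remove the ambiguity.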
diff --git a/queue-5.10/x86-srso-disable-the-mitigation-on-unaffected-config.patch b/queue-5.10/x86-srso-disable-the-mitigation-on-unaffected-config.patch
new file mode 100644 (file)
index 0000000..2813aeb
--- /dev/null
@@ -0,0 +1,50 @@
+From c3c3fa15ae8db4a256697757311a78c6116fd4d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Aug 2023 12:39:34 +0200
+Subject: x86/srso: Disable the mitigation on unaffected configurations
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+[ Upstream commit e9fbc47b818b964ddff5df5b2d5c0f5f32f4a147 ]
+
+Skip the srso cmd line parsing which is not needed on Zen1/2 with SMT
+disabled and with the proper microcode applied (latter should be the
+case anyway) as those are not affected.
+
+Fixes: 5a15d8348881 ("x86/srso: Tie SBPB bit setting to microcode patch detection")
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/20230813104517.3346-1-bp@alien8.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index d31639e3ce282..876fb0d24602d 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -2319,8 +2319,10 @@ static void __init srso_select_mitigation(void)
+                * IBPB microcode has been applied.
+                */
+               if ((boot_cpu_data.x86 < 0x19) &&
+-                  (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED)))
++                  (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
+                       setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
++                      return;
++              }
+       }
+       if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
+@@ -2602,6 +2604,9 @@ static ssize_t gds_show_state(char *buf)
+ static ssize_t srso_show_state(char *buf)
+ {
++      if (boot_cpu_has(X86_FEATURE_SRSO_NO))
++              return sysfs_emit(buf, "Not affected\n");
++
+       return sysfs_emit(buf, "%s%s\n",
+                         srso_strings[srso_mitigation],
+                         (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode"));
+-- 
+2.40.1
+
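Review bot: The new `return` in srso_select_mitigation() leaves the function before any `srso=` command-line handling, so a user-requested mitigation is silently dropped on Zen1/2 with SMT off; a `pr_info()` or at least a comment at the `return`, `/* Not affected: skip srso= parsing entirely. */`, would make that visible in dmesg or to the next reader. The remainder of the function, including the cmdline parsing this skips, is outside the hunk.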
diff --git a/queue-5.10/x86-static_call-fix-__static_call_fixup.patch b/queue-5.10/x86-static_call-fix-__static_call_fixup.patch
new file mode 100644 (file)
index 0000000..4563a05
--- /dev/null
@@ -0,0 +1,56 @@
+From a680d27b6225238d25e06d9f5713dc7f6757b790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 12:44:19 +0200
+Subject: x86/static_call: Fix __static_call_fixup()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 54097309620ef0dc2d7083783dc521c6a5fef957 ]
+
+Christian reported spurious module load crashes after some of Song's
+module memory layout patches.
+
+Turns out that if the very last instruction on the very last page of the
+module is a 'JMP __x86_return_thunk' then __static_call_fixup() will
+trip a fault and die.
+
+And while the module rework made this slightly more likely to happen,
+it's always been possible.
+
+Fixes: ee88d363d156 ("x86,static_call: Use alternative RET encoding")
+Reported-by: Christian Bricart <christian@bricart.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Link: https://lkml.kernel.org/r/20230816104419.GA982867@hirez.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/static_call.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/arch/x86/kernel/static_call.c b/arch/x86/kernel/static_call.c
+index 2973b3fb0ec1a..759b986b7f033 100644
+--- a/arch/x86/kernel/static_call.c
++++ b/arch/x86/kernel/static_call.c
+@@ -123,6 +123,19 @@ EXPORT_SYMBOL_GPL(arch_static_call_transform);
+  */
+ bool __static_call_fixup(void *tramp, u8 op, void *dest)
+ {
++      unsigned long addr = (unsigned long)tramp;
++      /*
++       * Not all .return_sites are a static_call trampoline (most are not).
++       * Check if the 3 bytes after the return are still kernel text, if not,
++       * then this definitely is not a trampoline and we need not worry
++       * further.
++       *
++       * This avoids the memcmp() below tripping over pagefaults etc..
++       */
++      if (((addr >> PAGE_SHIFT) != ((addr + 7) >> PAGE_SHIFT)) &&
++          !kernel_text_address(addr + 7))
++              return false;
++
+       if (memcmp(tramp+5, tramp_ud, 3)) {
+               /* Not a trampoline site, not our problem. */
+               return false;
+-- 
+2.40.1
+
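Review bot: The literal `7` in the new page-crossing guard encodes "last byte that `memcmp(tramp+5, tramp_ud, 3)` touches", but nothing ties the two together, so a later change to the compared length would silently desynchronise them. A comment on the guard, `/* +7: last byte read by the memcmp(tramp+5, ..., 3) below */`, or a shared constant for the offset, would keep them in step. The guard only calls kernel_text_address() when the 8 bytes straddle a page, so the common case stays cheap; the rest of __static_call_fixup() is outside the hunk.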
diff --git a/queue-5.10/xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch b/queue-5.10/xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch
new file mode 100644 (file)
index 0000000..0cb61ca
--- /dev/null
@@ -0,0 +1,54 @@
+From 6dfa5d641a3cc8ae757f20a7678e015f87fd824b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Jul 2023 15:41:10 +0800
+Subject: xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 5e2424708da7207087934c5c75211e8584d553a0 ]
+
+The previous commit 4e484b3e969b ("xfrm: rate limit SA mapping change
+message to user space") added one additional attribute named
+XFRMA_MTIMER_THRESH and described its type at compat_policy
+(net/xfrm/xfrm_compat.c).
+
+However, the author forgot to also describe the nla_policy at
+xfrma_policy (net/xfrm/xfrm_user.c). Hence, this suppose NLA_U32 (4
+bytes) value can be faked as empty (0 bytes) by a malicious user, which
+leads to 4 bytes overflow read and heap information leak when parsing
+nlattrs.
+
+To exploit this, one malicious user can spray the SLUB objects and then
+leverage this 4 bytes OOB read to leak the heap data into
+x->mapping_maxage (see xfrm_update_ae_params(...)), and leak it to
+userspace via copy_to_user_state_extra(...).
+
+The above bug is assigned CVE-2023-3773. To fix it, this commit just
+completes the nla_policy description for XFRMA_MTIMER_THRESH, which
+enforces the length check and avoids such OOB read.
+
+Fixes: 4e484b3e969b ("xfrm: rate limit SA mapping change message to user space")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index d093b4d684a61..8fce2e93bb3b3 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2757,6 +2757,7 @@ const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
+       [XFRMA_SET_MARK]        = { .type = NLA_U32 },
+       [XFRMA_SET_MARK_MASK]   = { .type = NLA_U32 },
+       [XFRMA_IF_ID]           = { .type = NLA_U32 },
++      [XFRMA_MTIMER_THRESH]   = { .type = NLA_U32 },
+ };
+ EXPORT_SYMBOL_GPL(xfrma_policy);
+-- 
+2.40.1
+
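Review bot: The missing table entry is the whole bug, yet nothing in xfrma_policy[] warns that an attribute without a policy entry is accepted with any length, which is how a 0-byte XFRMA_MTIMER_THRESH reached the 4-byte read. A comment next to the new line or at the top of the table (outside this hunk), `/* Every XFRMA_* attribute needs an entry here AND in xfrm_compat.c; an unlisted attribute passes with any length. */`, would help the next attribute addition. The compat-side entry the commit message refers to is not part of this diff, so it cannot be checked here.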
diff --git a/queue-5.10/xfrm-add-null-check-in-xfrm_update_ae_params.patch b/queue-5.10/xfrm-add-null-check-in-xfrm_update_ae_params.patch
new file mode 100644 (file)
index 0000000..afecc8b
--- /dev/null
@@ -0,0 +1,104 @@
+From 98bfcd0e40c8899eb77df6100892c10890ad012f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jul 2023 22:51:03 +0800
+Subject: xfrm: add NULL check in xfrm_update_ae_params
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 00374d9b6d9f932802b55181be9831aa948e5b7c ]
+
+Normally, x->replay_esn and x->preplay_esn should be allocated at
+xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the
+xfrm_update_ae_params(...) is okay to update them. However, the current
+implementation of xfrm_new_ae(...) allows a malicious user to directly
+dereference a NULL pointer and crash the kernel like below.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0
+Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
+CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4
+RIP: 0010:memcpy_orig+0xad/0x140
+Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c
+RSP: 0018:ffff888008f57658 EFLAGS: 00000202
+RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571
+RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818
+R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000
+FS:  00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ ? __die+0x1f/0x70
+ ? page_fault_oops+0x1e8/0x500
+ ? __pfx_is_prefetch.constprop.0+0x10/0x10
+ ? __pfx_page_fault_oops+0x10/0x10
+ ? _raw_spin_unlock_irqrestore+0x11/0x40
+ ? fixup_exception+0x36/0x460
+ ? _raw_spin_unlock_irqrestore+0x11/0x40
+ ? exc_page_fault+0x5e/0xc0
+ ? asm_exc_page_fault+0x26/0x30
+ ? xfrm_update_ae_params+0xd1/0x260
+ ? memcpy_orig+0xad/0x140
+ ? __pfx__raw_spin_lock_bh+0x10/0x10
+ xfrm_update_ae_params+0xe7/0x260
+ xfrm_new_ae+0x298/0x4e0
+ ? __pfx_xfrm_new_ae+0x10/0x10
+ ? __pfx_xfrm_new_ae+0x10/0x10
+ xfrm_user_rcv_msg+0x25a/0x410
+ ? __pfx_xfrm_user_rcv_msg+0x10/0x10
+ ? __alloc_skb+0xcf/0x210
+ ? stack_trace_save+0x90/0xd0
+ ? filter_irq_stacks+0x1c/0x70
+ ? __stack_depot_save+0x39/0x4e0
+ ? __kasan_slab_free+0x10a/0x190
+ ? kmem_cache_free+0x9c/0x340
+ ? netlink_recvmsg+0x23c/0x660
+ ? sock_recvmsg+0xeb/0xf0
+ ? __sys_recvfrom+0x13c/0x1f0
+ ? __x64_sys_recvfrom+0x71/0x90
+ ? do_syscall_64+0x3f/0x90
+ ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
+ ? copyout+0x3e/0x50
+ netlink_rcv_skb+0xd6/0x210
+ ? __pfx_xfrm_user_rcv_msg+0x10/0x10
+ ? __pfx_netlink_rcv_skb+0x10/0x10
+ ? __pfx_sock_has_perm+0x10/0x10
+ ? mutex_lock+0x8d/0xe0
+ ? __pfx_mutex_lock+0x10/0x10
+ xfrm_netlink_rcv+0x44/0x50
+ netlink_unicast+0x36f/0x4c0
+ ? __pfx_netlink_unicast+0x10/0x10
+ ? netlink_recvmsg+0x500/0x660
+ netlink_sendmsg+0x3b7/0x700
+
+This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit
+adds additional NULL check in xfrm_update_ae_params to fix the NPD.
+
+Fixes: d8647b79c3b7 ("xfrm: Add user interface for esn and big anti-replay windows")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 0de7d0cf7be0f..d093b4d684a61 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -527,7 +527,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
+       struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
+       struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH];
+-      if (re) {
++      if (re && x->replay_esn && x->preplay_esn) {
+               struct xfrm_replay_state_esn *replay_esn;
+               replay_esn = nla_data(re);
+               memcpy(x->replay_esn, replay_esn,
+-- 
+2.40.1
+
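Review bot: The widened condition `if (re && x->replay_esn && x->preplay_esn)` silently ignores XFRMA_REPLAY_ESN_VAL when the state was not created with ESN, and because xfrm_update_ae_params() is `void` it cannot report that to the caller, so a request carrying ESN replay values for a non-ESN state succeeds with nothing applied. Rejecting the attribute in xfrm_new_ae() before the state is touched (outside this hunk) would keep the update atomic and surface an error instead. Within this function a comment, `/* ESN state is absent when the SA was created without ESN; skip rather than dereference NULL. */`, would at least record that the skip is deliberate.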
diff --git a/queue-5.10/xfrm-fix-slab-use-after-free-in-decode_session6.patch b/queue-5.10/xfrm-fix-slab-use-after-free-in-decode_session6.patch
new file mode 100644 (file)
index 0000000..ef8fc43
--- /dev/null
@@ -0,0 +1,122 @@
+From 75b2421a4d831c05eea1b0c7616fcc0cd8df7bbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jul 2023 17:40:51 +0800
+Subject: xfrm: fix slab-use-after-free in decode_session6
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 53223f2ed1ef5c90dad814daaaefea4e68a933c8 ]
+
+When the xfrm device is set to the qdisc of the sfb type, the cb field
+of the sent skb may be modified during enqueuing. Then,
+slab-use-after-free may occur when the xfrm device sends IPv6 packets.
+
+The stack information is as follows:
+BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
+Read of size 1 at addr ffff8881111458ef by task swapper/3/0
+CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
+Call Trace:
+<IRQ>
+dump_stack_lvl+0xd9/0x150
+print_address_description.constprop.0+0x2c/0x3c0
+kasan_report+0x11d/0x130
+decode_session6+0x103f/0x1890
+__xfrm_decode_session+0x54/0xb0
+xfrmi_xmit+0x173/0x1ca0
+dev_hard_start_xmit+0x187/0x700
+sch_direct_xmit+0x1a3/0xc30
+__qdisc_run+0x510/0x17a0
+__dev_queue_xmit+0x2215/0x3b10
+neigh_connected_output+0x3c2/0x550
+ip6_finish_output2+0x55a/0x1550
+ip6_finish_output+0x6b9/0x1270
+ip6_output+0x1f1/0x540
+ndisc_send_skb+0xa63/0x1890
+ndisc_send_rs+0x132/0x6f0
+addrconf_rs_timer+0x3f1/0x870
+call_timer_fn+0x1a0/0x580
+expire_timers+0x29b/0x4b0
+run_timer_softirq+0x326/0x910
+__do_softirq+0x1d4/0x905
+irq_exit_rcu+0xb7/0x120
+sysvec_apic_timer_interrupt+0x97/0xc0
+</IRQ>
+<TASK>
+asm_sysvec_apic_timer_interrupt+0x1a/0x20
+RIP: 0010:intel_idle_hlt+0x23/0x30
+Code: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 <fa> 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4
+RSP: 0018:ffffc90000197d78 EFLAGS: 00000246
+RAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5
+RDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50
+RBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d
+R10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001
+R13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000
+cpuidle_enter_state+0xd3/0x6f0
+cpuidle_enter+0x4e/0xa0
+do_idle+0x2fe/0x3c0
+cpu_startup_entry+0x18/0x20
+start_secondary+0x200/0x290
+secondary_startup_64_no_verify+0x167/0x16b
+</TASK>
+Allocated by task 939:
+kasan_save_stack+0x22/0x40
+kasan_set_track+0x25/0x30
+__kasan_slab_alloc+0x7f/0x90
+kmem_cache_alloc_node+0x1cd/0x410
+kmalloc_reserve+0x165/0x270
+__alloc_skb+0x129/0x330
+inet6_ifa_notify+0x118/0x230
+__ipv6_ifa_notify+0x177/0xbe0
+addrconf_dad_completed+0x133/0xe00
+addrconf_dad_work+0x764/0x1390
+process_one_work+0xa32/0x16f0
+worker_thread+0x67d/0x10c0
+kthread+0x344/0x440
+ret_from_fork+0x1f/0x30
+The buggy address belongs to the object at ffff888111145800
+which belongs to the cache skbuff_small_head of size 640
+The buggy address is located 239 bytes inside of
+freed 640-byte region [ffff888111145800, ffff888111145a80)
+
+As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
+_decode_session6.") showed, xfrm_decode_session was originally intended
+only for the receive path. IP6CB(skb)->nhoff is not set during
+transmission. Therefore, set the cb field in the skb to 0 before
+sending packets.
+
+Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_interface_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_interface_core.c b/net/xfrm/xfrm_interface_core.c
+index e4f21a6924153..4eeec33675754 100644
+--- a/net/xfrm/xfrm_interface_core.c
++++ b/net/xfrm/xfrm_interface_core.c
+@@ -403,8 +403,8 @@ static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev)
+       switch (skb->protocol) {
+       case htons(ETH_P_IPV6):
+-              xfrm_decode_session(skb, &fl, AF_INET6);
+               memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
++              xfrm_decode_session(skb, &fl, AF_INET6);
+               if (!dst) {
+                       fl.u.ip6.flowi6_oif = dev->ifindex;
+                       fl.u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC;
+@@ -418,8 +418,8 @@ static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev)
+               }
+               break;
+       case htons(ETH_P_IP):
+-              xfrm_decode_session(skb, &fl, AF_INET);
+               memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
++              xfrm_decode_session(skb, &fl, AF_INET);
+               if (!dst) {
+                       struct rtable *rt;
+-- 
+2.40.1
+
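Review bot: The memset() of the IP control block now has to run before xfrm_decode_session() in both the ETH_P_IPV6 and ETH_P_IP cases, but the code itself gives no hint that the order is load-bearing; the reason (a qdisc such as sfb may have written into skb->cb, and IP6CB(skb)->nhoff is not set on the transmit path) lives only in the commit message, so a later cleanup could swap the two calls back and silently reintroduce the use-after-free. I would add a short comment above the memset in the IPv6 case, e.g. `/* Clear skb->cb before decoding: a qdisc may have modified it, and xfrm_decode_session() reads IP6CB(skb)->nhoff, which is not set on the transmit path. */`, and a matching one-line comment in the ETH_P_IP hunk, which presumably has the same hazard via IPCB(skb). The enclosing xfrmi_xmit() begins and ends outside both hunks, so the backport should also be checked against the surrounding 5.10 code to confirm no other reader of IPCB/IP6CB sits between the two calls.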