From: Sasha Levin Date: Mon, 9 Dec 2024 11:18:32 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v6.6.65~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0500d4599099b0f36de6bea26929b34605f7ff04;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/can-j1939-j1939_session_new-fix-skb-reference-counti.patch b/queue-5.10/can-j1939-j1939_session_new-fix-skb-reference-counti.patch new file mode 100644 index 00000000000..ac964b62f4d --- /dev/null +++ b/queue-5.10/can-j1939-j1939_session_new-fix-skb-reference-counti.patch 
@@ -0,0 +1,43 @@ +From f85e1d482acd2a9ef9f36929b2553cd8e9e4793d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2024 12:48:23 +0300 +Subject: can: j1939: j1939_session_new(): fix skb reference counting + +From: Dmitry Antipov + +[ Upstream commit a8c695005bfe6569acd73d777ca298ddddd66105 ] + +Since j1939_session_skb_queue() does an extra skb_get() for each new +skb, do the same for the initial one in j1939_session_new() to avoid +refcount underflow. + +Reported-by: syzbot+d4e8dc385d9258220c31@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=d4e8dc385d9258220c31 +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Dmitry Antipov +Tested-by: Oleksij Rempel +Acked-by: Oleksij Rempel +Link: https://patch.msgid.link/20241105094823.2403806-1-dmantipov@yandex.ru +[mkl: clean up commit message] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index a86256ab14022..84d63fb29ca1f 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1489,7 +1489,7 @@ static struct j1939_session *j1939_session_new(struct j1939_priv *priv, + session->state = J1939_SESSION_NEW; + + skb_queue_head_init(&session->skb_queue); +- skb_queue_tail(&session->skb_queue, skb); ++ skb_queue_tail(&session->skb_queue, skb_get(skb)); + + skcb = j1939_skb_to_cb(skb); + memcpy(&session->skcb, skcb, sizeof(session->skcb)); +-- +2.43.0 + diff --git a/queue-5.10/can-sun4i_can-sun4i_can_err-call-can_change_state-ev.patch b/queue-5.10/can-sun4i_can-sun4i_can_err-call-can_change_state-ev.patch new file mode 100644 index 00000000000..d98b7a87da2 --- /dev/null +++ b/queue-5.10/can-sun4i_can-sun4i_can_err-call-can_change_state-ev.patch 
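Review bot: The added `skb_queue_tail(&session->skb_queue, skb_get(skb));` gives the queue its own reference, but the matching release is not in the hunk and j1939_session_new() continues outside it. The commit message says j1939_session_skb_queue() already takes a reference for every later skb, so the teardown that drains session->skb_queue presumably drops one reference per queued entry; for the 5.10 backport that is worth confirming, since otherwise the fix trades the underflow for a leak. A one-line comment at the call site would make the ownership explicit: `/* the queue holds its own reference; the caller keeps and releases its own */`.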
@@ -0,0 +1,47 @@ +From 9dd7b855d91b6781d88a884a7c249a3a8097525f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 23:15:43 +0100 +Subject: can: sun4i_can: sun4i_can_err(): call can_change_state() even if cf + is NULL + +From: Dario Binacchi + +[ Upstream commit ee6bf3677ae03569d833795064e17f605c2163c7 ] + +Call the function can_change_state() if the allocation of the skb +fails, as it handles the cf parameter when it is null. + +Additionally, this ensures that the statistics related to state error +counters (i. e. warning, passive, and bus-off) are updated. + +Fixes: 0738eff14d81 ("can: Allwinner A10/A20 CAN Controller support - Kernel module") +Signed-off-by: Dario Binacchi +Link: https://patch.msgid.link/20241122221650.633981-3-dario.binacchi@amarulasolutions.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/sun4i_can.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/sun4i_can.c b/drivers/net/can/sun4i_can.c +index 39ddb3d849dd8..e9fa3921efbed 100644 +--- a/drivers/net/can/sun4i_can.c ++++ b/drivers/net/can/sun4i_can.c +@@ -613,10 +613,10 @@ static int sun4i_can_err(struct net_device *dev, u8 isrc, u8 status) + tx_state = txerr >= rxerr ? state : 0; + rx_state = txerr <= rxerr ? state : 0; + +- if (likely(skb)) +- can_change_state(dev, cf, tx_state, rx_state); +- else +- priv->can.state = state; ++ /* The skb allocation might fail, but can_change_state() ++ * handles cf == NULL. ++ */ ++ can_change_state(dev, cf, tx_state, rx_state); + if (state == CAN_STATE_BUS_OFF) + can_bus_off(dev); + } +-- +2.43.0 + diff --git a/queue-5.10/can-sun4i_can-sun4i_can_err-fix-rx-tx-_errors-statis.patch b/queue-5.10/can-sun4i_can-sun4i_can_err-fix-rx-tx-_errors-statis.patch new file mode 100644 index 00000000000..f3a10ef06f0 --- /dev/null +++ b/queue-5.10/can-sun4i_can-sun4i_can_err-fix-rx-tx-_errors-statis.patch 
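Review bot: The new unconditional `can_change_state(dev, cf, tx_state, rx_state);` is only correct if the 5.10 copy of can_change_state() tolerates cf == NULL, which is a property of the core CAN code rather than of this driver and should be verified on the target branch; the removed `priv->can.state = state;` fallback was the only path that never dereferenced cf. If the helper does accept NULL there, the hunk's comment could name the contract it relies on, e.g. `/* can_change_state() accepts cf == NULL and still updates the state counters */`. The enclosing sun4i_can_err() starts and ends outside the hunk.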
@@ -0,0 +1,63 @@ +From d6a17e42080d74efe5282ff68f547934c97a9e6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 23:15:51 +0100 +Subject: can: sun4i_can: sun4i_can_err(): fix {rx,tx}_errors statistics + +From: Dario Binacchi + +[ Upstream commit 595a81988a6fe06eb5849e972c8b9cb21c4e0d54 ] + +The sun4i_can_err() function only incremented the receive error counter +and never the transmit error counter, even if the STA_ERR_DIR flag +reported that an error had occurred during transmission. + +Increment the receive/transmit error counter based on the value of the +STA_ERR_DIR flag. + +Fixes: 0738eff14d81 ("can: Allwinner A10/A20 CAN Controller support - Kernel module") +Signed-off-by: Dario Binacchi +Link: https://patch.msgid.link/20241122221650.633981-11-dario.binacchi@amarulasolutions.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/sun4i_can.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/sun4i_can.c b/drivers/net/can/sun4i_can.c +index e9fa3921efbed..89796691917b3 100644 +--- a/drivers/net/can/sun4i_can.c ++++ b/drivers/net/can/sun4i_can.c +@@ -563,11 +563,9 @@ static int sun4i_can_err(struct net_device *dev, u8 isrc, u8 status) + /* bus error interrupt */ + netdev_dbg(dev, "bus error interrupt\n"); + priv->can.can_stats.bus_error++; +- stats->rx_errors++; ++ ecc = readl(priv->base + SUN4I_REG_STA_ADDR); + + if (likely(skb)) { +- ecc = readl(priv->base + SUN4I_REG_STA_ADDR); +- + cf->can_id |= CAN_ERR_PROT | CAN_ERR_BUSERROR; + + switch (ecc & SUN4I_STA_MASK_ERR) { +@@ -585,9 +583,15 @@ static int sun4i_can_err(struct net_device *dev, u8 isrc, u8 status) + >> 16; + break; + } +- /* error occurred during transmission? */ +- if ((ecc & SUN4I_STA_ERR_DIR) == 0) ++ } ++ ++ /* error occurred during transmission? 
*/ ++ if ((ecc & SUN4I_STA_ERR_DIR) == 0) { ++ if (likely(skb)) + cf->data[2] |= CAN_ERR_PROT_TX; ++ stats->tx_errors++; ++ } else { ++ stats->rx_errors++; + } + } + if (isrc & SUN4I_INT_ERR_PASSIVE) { +-- +2.43.0 + diff --git a/queue-5.10/dccp-fix-memory-leak-in-dccp_feat_change_recv.patch b/queue-5.10/dccp-fix-memory-leak-in-dccp_feat_change_recv.patch new file mode 100644 index 00000000000..c62b94c17eb --- /dev/null +++ b/queue-5.10/dccp-fix-memory-leak-in-dccp_feat_change_recv.patch 
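Review bot: The direction test `if ((ecc & SUN4I_STA_ERR_DIR) == 0) {` encodes that a clear bit means transmit, but the only hint is the question-style comment above it; since the new code drives both the CAN_ERR_PROT_TX flag and the tx_errors/rx_errors counters from that test, make the polarity explicit: `/* SUN4I_STA_ERR_DIR clear: the error occurred during transmission */`. Moving `ecc = readl(priv->base + SUN4I_REG_STA_ADDR);` out of the `if (likely(skb))` block also means the status register is now read even when no error frame could be allocated, which is what the counter update needs; a short note there would explain why the read was hoisted. sun4i_can_err() begins and ends outside the hunk.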
@@ -0,0 +1,78 @@ +From bac0b6e9520cfb31877f0427b0560e117c0d6d96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Nov 2024 17:39:02 +0300 +Subject: dccp: Fix memory leak in dccp_feat_change_recv + +From: Ivan Solodovnikov + +[ Upstream commit 22be4727a8f898442066bcac34f8a1ad0bc72e14 ] + +If dccp_feat_push_confirm() fails after new value for SP feature was accepted +without reconciliation ('entry == NULL' branch), memory allocated for that value +with dccp_feat_clone_sp_val() is never freed. + +Here is the kmemleak stack for this: + +unreferenced object 0xffff88801d4ab488 (size 8): + comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s) + hex dump (first 8 bytes): + 01 b4 4a 1d 80 88 ff ff ..J..... + backtrace: + [<00000000db7cabfe>] kmemdup+0x23/0x50 mm/util.c:128 + [<0000000019b38405>] kmemdup include/linux/string.h:465 [inline] + [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline] + [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline] + [<0000000019b38405>] dccp_feat_change_recv net/dccp/feat.c:1145 [inline] + [<0000000019b38405>] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416 + [<00000000b1f6d94a>] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125 + [<0000000030d7b621>] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650 + [<000000001f74c72e>] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688 + [<00000000a6c24128>] sk_backlog_rcv include/net/sock.h:1041 [inline] + [<00000000a6c24128>] __release_sock+0x139/0x3b0 net/core/sock.c:2570 + [<00000000cf1f3a53>] release_sock+0x54/0x1b0 net/core/sock.c:3111 + [<000000008422fa23>] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline] + [<000000008422fa23>] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696 + [<0000000015b6f64d>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735 + [<0000000010122488>] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865 + [<00000000b4b70023>] __sys_connect+0x165/0x1a0 net/socket.c:1882 + 
[<00000000f4cb3815>] __do_sys_connect net/socket.c:1892 [inline] + [<00000000f4cb3815>] __se_sys_connect net/socket.c:1889 [inline] + [<00000000f4cb3815>] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889 + [<00000000e7b1e839>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 + [<0000000055e91434>] entry_SYSCALL_64_after_hwframe+0x67/0xd1 + +Clean up the allocated memory in case of dccp_feat_push_confirm() failure +and bail out with an error reset code. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: e77b8363b2ea ("dccp: Process incoming Change feature-negotiation options") +Signed-off-by: Ivan Solodovnikov +Link: https://patch.msgid.link/20241126143902.190853-1-solodovnikov.ia@phystech.edu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/dccp/feat.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/dccp/feat.c b/net/dccp/feat.c +index 788dd629c4204..e9cc7415ba484 100644 +--- a/net/dccp/feat.c ++++ b/net/dccp/feat.c +@@ -1160,8 +1160,12 @@ static u8 dccp_feat_change_recv(struct list_head *fn, u8 is_mandatory, u8 opt, + goto not_valid_or_not_known; + } + +- return dccp_feat_push_confirm(fn, feat, local, &fval); ++ if (dccp_feat_push_confirm(fn, feat, local, &fval)) { ++ kfree(fval.sp.vec); ++ return DCCP_RESET_CODE_TOO_BUSY; ++ } + ++ return 0; + } else if (entry->state == FEAT_UNSTABLE) { /* 6.6.2 */ + return 0; + } +-- +2.43.0 + diff --git a/queue-5.10/dt-bindings-serial-rs485-fix-rs485-rts-delay-propert.patch b/queue-5.10/dt-bindings-serial-rs485-fix-rs485-rts-delay-propert.patch new file mode 100644 index 00000000000..0e9af89aaa3 --- /dev/null +++ b/queue-5.10/dt-bindings-serial-rs485-fix-rs485-rts-delay-propert.patch 
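Review bot: Mapping a failed dccp_feat_push_confirm() to `DCCP_RESET_CODE_TOO_BUSY` replaces the helper's raw status with a proper reset code, consistent with the allocation-failure path earlier in this branch, but the same direct `return dccp_feat_push_confirm(...)` shape may remain elsewhere in dccp_feat_change_recv() (the NN-feature path, outside the hunk); if so it still returns the helper's value as a u8 reset code and deserves the same treatment. The pointer in `fval.sp.vec` is not touched after the `kfree(fval.sp.vec);` because the function returns immediately, so no further cleanup is needed here. The enclosing function starts and ends outside the hunk.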
@@ -0,0 +1,57 @@ +From f5f6590ffb2a122d2388a90e2ca9de4132308b88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 11:53:06 +0200 +Subject: dt-bindings: serial: rs485: Fix rs485-rts-delay property + +From: Michal Simek + +[ Upstream commit 12b3642b6c242061d3ba84e6e3050c3141ded14c ] + +Code expects array only with 2 items which should be checked. +But also item checking is not working as it should likely because of +incorrect items description. + +Fixes: d50f974c4f7f ("dt-bindings: serial: Convert rs485 bindings to json-schema") +Signed-off-by: Michal Simek +Cc: stable@vger.kernel.org +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/820c639b9e22fe037730ed44d1b044cdb6d28b75.1726480384.git.michal.simek@amd.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/serial/rs485.yaml | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/Documentation/devicetree/bindings/serial/rs485.yaml b/Documentation/devicetree/bindings/serial/rs485.yaml +index 518949737c86e..bc43670c69fa9 100644 +--- a/Documentation/devicetree/bindings/serial/rs485.yaml ++++ b/Documentation/devicetree/bindings/serial/rs485.yaml +@@ -18,16 +18,15 @@ properties: + description: prop-encoded-array + $ref: /schemas/types.yaml#/definitions/uint32-array + items: +- items: +- - description: Delay between rts signal and beginning of data sent in +- milliseconds. It corresponds to the delay before sending data. +- default: 0 +- maximum: 100 +- - description: Delay between end of data sent and rts signal in milliseconds. +- It corresponds to the delay after sending data and actual release +- of the line. +- default: 0 +- maximum: 100 ++ - description: Delay between rts signal and beginning of data sent in ++ milliseconds. It corresponds to the delay before sending data. ++ default: 0 ++ maximum: 100 ++ - description: Delay between end of data sent and rts signal in milliseconds. 
++ It corresponds to the delay after sending data and actual release ++ of the line. ++ default: 0 ++ maximum: 100 + + rs485-rts-active-low: + description: drive RTS low when sending (default is high). +-- +2.43.0 + diff --git a/queue-5.10/dt_bindings-rs485-correct-delay-values.patch b/queue-5.10/dt_bindings-rs485-correct-delay-values.patch new file mode 100644 index 00000000000..a9c44381a4f --- /dev/null +++ b/queue-5.10/dt_bindings-rs485-correct-delay-values.patch 
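Review bot: The corrected `items:` list describes exactly two entries, but the hunk adds no explicit `minItems`/`maxItems`, so whether a one- or three-element `rs485-rts-delay` is rejected depends on the dt-schema tooling inferring the bounds from the tuple length. If the validator used for this branch does not do that, adding `minItems: 2` and `maxItems: 2` beside `items:` would match the commit's stated intent that the code expects exactly two values. Because this file is a binding schema rather than prose, the change alters what the binding validator accepts for existing device trees.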
@@ -0,0 +1,54 @@ +From 16346244b822dfa3186923ea579f558ce5ccd0a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Jul 2022 18:44:40 +0200 +Subject: dt_bindings: rs485: Correct delay values + +From: Lino Sanfilippo + +[ Upstream commit 885dcb08c93d75b784468e65fd4f1f82d5313061 ] + +Currently the documentation claims that a maximum of 1000 msecs is allowed +for RTS delays. However nothing actually checks the values read from device +tree/ACPI and so it is possible to set much higher values. + +There is already a maximum of 100 ms enforced for RTS delays that are set +via the UART TIOCSRS485 ioctl. To be consistent with that use the same +limit for DT/ACPI values. + +Although this change is visible to userspace the risk of breaking anything +when reducing the max delays from 1000 to 100 ms should be very low, since +100 ms is already a very high maximum for delays that are usually rather in +the usecs range. + +Acked-by: Rob Herring +Signed-off-by: Lino Sanfilippo +Link: https://lore.kernel.org/r/20220710164442.2958979-7-LinoSanfilippo@gmx.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 12b3642b6c24 ("dt-bindings: serial: rs485: Fix rs485-rts-delay property") +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/serial/rs485.yaml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/devicetree/bindings/serial/rs485.yaml b/Documentation/devicetree/bindings/serial/rs485.yaml +index 0c9fa694f85c8..518949737c86e 100644 +--- a/Documentation/devicetree/bindings/serial/rs485.yaml ++++ b/Documentation/devicetree/bindings/serial/rs485.yaml +@@ -22,12 +22,12 @@ properties: + - description: Delay between rts signal and beginning of data sent in + milliseconds. It corresponds to the delay before sending data. + default: 0 +- maximum: 1000 ++ maximum: 100 + - description: Delay between end of data sent and rts signal in milliseconds. + It corresponds to the delay after sending data and actual release + of the line. 
+ default: 0 +- maximum: 1000 ++ maximum: 100 + + rs485-rts-active-low: + description: drive RTS low when sending (default is high). +-- +2.43.0 + diff --git a/queue-5.10/ethtool-fix-wrong-mod-state-in-case-of-verbose-and-n.patch b/queue-5.10/ethtool-fix-wrong-mod-state-in-case-of-verbose-and-n.patch new file mode 100644 index 00000000000..fcd64b4f8c2 --- /dev/null +++ b/queue-5.10/ethtool-fix-wrong-mod-state-in-case-of-verbose-and-n.patch 
@@ -0,0 +1,127 @@ +From fe257e98c9605e974f9e53ec67b085f7048d46c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2024 16:33:57 +0100 +Subject: ethtool: Fix wrong mod state in case of verbose and no_mask bitset + +From: Kory Maincent + +[ Upstream commit 910c4788d6155b2202ec88273376cd7ecdc24f0a ] + +A bitset without mask in a _SET request means we want exactly the bits in +the bitset to be set. This works correctly for compact format but when +verbose format is parsed, ethnl_update_bitset32_verbose() only sets the +bits present in the request bitset but does not clear the rest. The commit +6699170376ab ("ethtool: fix application of verbose no_mask bitset") fixes +this issue by clearing the whole target bitmap before we start iterating. +The solution proposed brought an issue with the behavior of the mod +variable. As the bitset is always cleared the old value will always +differ to the new value. + +Fix it by adding a new function to compare bitmaps and a temporary variable +which save the state of the old bitmap. 
+ +Fixes: 6699170376ab ("ethtool: fix application of verbose no_mask bitset") +Signed-off-by: Kory Maincent +Link: https://patch.msgid.link/20241202153358.1142095-1-kory.maincent@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ethtool/bitset.c | 48 ++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 44 insertions(+), 4 deletions(-) + +diff --git a/net/ethtool/bitset.c b/net/ethtool/bitset.c +index 0515d6604b3b9..f0883357d12e5 100644 +--- a/net/ethtool/bitset.c ++++ b/net/ethtool/bitset.c +@@ -425,12 +425,32 @@ static int ethnl_parse_bit(unsigned int *index, bool *val, unsigned int nbits, + return 0; + } + ++/** ++ * ethnl_bitmap32_equal() - Compare two bitmaps ++ * @map1: first bitmap ++ * @map2: second bitmap ++ * @nbits: bit size to compare ++ * ++ * Return: true if first @nbits are equal, false if not ++ */ ++static bool ethnl_bitmap32_equal(const u32 *map1, const u32 *map2, ++ unsigned int nbits) ++{ ++ if (memcmp(map1, map2, nbits / 32 * sizeof(u32))) ++ return false; ++ if (nbits % 32 == 0) ++ return true; ++ return !((map1[nbits / 32] ^ map2[nbits / 32]) & ++ ethnl_lower_bits(nbits % 32)); ++} ++ + static int + ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits, + const struct nlattr *attr, struct nlattr **tb, + ethnl_string_array_t names, + struct netlink_ext_ack *extack, bool *mod) + { ++ u32 *saved_bitmap = NULL; + struct nlattr *bit_attr; + bool no_mask; + int rem; +@@ -448,8 +468,20 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits, + } + + no_mask = tb[ETHTOOL_A_BITSET_NOMASK]; +- if (no_mask) +- ethnl_bitmap32_clear(bitmap, 0, nbits, mod); ++ if (no_mask) { ++ unsigned int nwords = DIV_ROUND_UP(nbits, 32); ++ unsigned int nbytes = nwords * sizeof(u32); ++ bool dummy; ++ ++ /* The bitmap size is only the size of the map part without ++ * its mask part. 
++ */ ++ saved_bitmap = kcalloc(nwords, sizeof(u32), GFP_KERNEL); ++ if (!saved_bitmap) ++ return -ENOMEM; ++ memcpy(saved_bitmap, bitmap, nbytes); ++ ethnl_bitmap32_clear(bitmap, 0, nbits, &dummy); ++ } + + nla_for_each_nested(bit_attr, tb[ETHTOOL_A_BITSET_BITS], rem) { + bool old_val, new_val; +@@ -458,22 +490,30 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits, + if (nla_type(bit_attr) != ETHTOOL_A_BITSET_BITS_BIT) { + NL_SET_ERR_MSG_ATTR(extack, bit_attr, + "only ETHTOOL_A_BITSET_BITS_BIT allowed in ETHTOOL_A_BITSET_BITS"); ++ kfree(saved_bitmap); + return -EINVAL; + } + ret = ethnl_parse_bit(&idx, &new_val, nbits, bit_attr, no_mask, + names, extack); +- if (ret < 0) ++ if (ret < 0) { ++ kfree(saved_bitmap); + return ret; ++ } + old_val = bitmap[idx / 32] & ((u32)1 << (idx % 32)); + if (new_val != old_val) { + if (new_val) + bitmap[idx / 32] |= ((u32)1 << (idx % 32)); + else + bitmap[idx / 32] &= ~((u32)1 << (idx % 32)); +- *mod = true; ++ if (!no_mask) ++ *mod = true; + } + } + ++ if (no_mask && !ethnl_bitmap32_equal(saved_bitmap, bitmap, nbits)) ++ *mod = true; ++ ++ kfree(saved_bitmap); + return 0; + } + +-- +2.43.0 + diff --git a/queue-5.10/geneve-do-not-assume-mac-header-is-set-in-geneve_xmi.patch b/queue-5.10/geneve-do-not-assume-mac-header-is-set-in-geneve_xmi.patch new file mode 100644 index 00000000000..5255495ab5b --- /dev/null +++ b/queue-5.10/geneve-do-not-assume-mac-header-is-set-in-geneve_xmi.patch 
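Review bot: `bool dummy;` in the no_mask branch is handed to ethnl_bitmap32_clear() uninitialized and never read afterwards; that is only safe as long as the helper writes `*mod` without reading it, which the hunk does not show. Initialising it, `bool dummy = false;`, costs nothing and documents that the change flag from the clear is deliberately discarded because mod is recomputed by `ethnl_bitmap32_equal()` after the loop. The kernel-doc for ethnl_bitmap32_equal() could also state that both maps must have at least DIV_ROUND_UP(@nbits, 32) readable words, since `saved_bitmap` is allocated with exactly that size while `bitmap` is caller-provided.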
@@ -0,0 +1,85 @@ +From 2a6719b0d5c379817aff6117cead7f6db43c841c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 18:21:21 +0000 +Subject: geneve: do not assume mac header is set in geneve_xmit_skb() + +From: Eric Dumazet + +[ Upstream commit 8588c99c7d47448fcae39e3227d6e2bb97aad86d ] + +We should not assume mac header is set in output path. + +Use skb_eth_hdr() instead of eth_hdr() to fix the issue. + +sysbot reported the following : + + WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 skb_mac_header include/linux/skbuff.h:3052 [inline] + WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 eth_hdr include/linux/if_ether.h:24 [inline] + WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit_skb drivers/net/geneve.c:898 [inline] + WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039 +Modules linked in: +CPU: 0 UID: 0 PID: 11635 Comm: syz.4.1423 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + RIP: 0010:skb_mac_header include/linux/skbuff.h:3052 [inline] + RIP: 0010:eth_hdr include/linux/if_ether.h:24 [inline] + RIP: 0010:geneve_xmit_skb drivers/net/geneve.c:898 [inline] + RIP: 0010:geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039 +Code: 21 c6 02 e9 35 d4 ff ff e8 a5 48 4c fb 90 0f 0b 90 e9 fd f5 ff ff e8 97 48 4c fb 90 0f 0b 90 e9 d8 f5 ff ff e8 89 48 4c fb 90 <0f> 0b 90 e9 41 e4 ff ff e8 7b 48 4c fb 90 0f 0b 90 e9 cd e7 ff ff +RSP: 0018:ffffc90003b2f870 EFLAGS: 00010283 +RAX: 000000000000037a RBX: 000000000000ffff RCX: ffffc9000dc3d000 +RDX: 0000000000080000 RSI: ffffffff86428417 RDI: 0000000000000003 +RBP: ffffc90003b2f9f0 R08: 0000000000000003 R09: 000000000000ffff +R10: 000000000000ffff R11: 0000000000000002 R12: ffff88806603c000 +R13: 0000000000000000 R14: ffff8880685b2780 R15: 0000000000000e23 +FS: 00007fdc2deed6c0(0000) GS:ffff8880b8600000(0000) 
knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b30a1dff8 CR3: 0000000056b8c000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __netdev_start_xmit include/linux/netdevice.h:5002 [inline] + netdev_start_xmit include/linux/netdevice.h:5011 [inline] + __dev_direct_xmit+0x58a/0x720 net/core/dev.c:4490 + dev_direct_xmit include/linux/netdevice.h:3181 [inline] + packet_xmit+0x1e4/0x360 net/packet/af_packet.c:285 + packet_snd net/packet/af_packet.c:3146 [inline] + packet_sendmsg+0x2700/0x5660 net/packet/af_packet.c:3178 + sock_sendmsg_nosec net/socket.c:711 [inline] + __sock_sendmsg net/socket.c:726 [inline] + __sys_sendto+0x488/0x4f0 net/socket.c:2197 + __do_sys_sendto net/socket.c:2204 [inline] + __se_sys_sendto net/socket.c:2200 [inline] + __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2200 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: a025fb5f49ad ("geneve: Allow configuration of DF behaviour") +Reported-by: syzbot+3ec5271486d7cb2d242a@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/674f4b72.050a0220.17bd51.004a.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Reviewed-by: Stefano Brivio +Link: https://patch.msgid.link/20241203182122.2725517-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/geneve.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c +index d0b7d1b922218..e7412edb84dcd 100644 +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -983,7 +983,7 @@ static int geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, + if (geneve->cfg.df == GENEVE_DF_SET) { + df = htons(IP_DF); + } else if (geneve->cfg.df == GENEVE_DF_INHERIT) { +- struct ethhdr *eth 
= eth_hdr(skb); ++ struct ethhdr *eth = skb_eth_hdr(skb); + + if (ntohs(eth->h_proto) == ETH_P_IPV6) { + df = htons(IP_DF); +-- +2.43.0 + diff --git a/queue-5.10/gpio-grgpio-add-null-check-in-grgpio_probe.patch b/queue-5.10/gpio-grgpio-add-null-check-in-grgpio_probe.patch new file mode 100644 index 00000000000..b6580787414 --- /dev/null +++ b/queue-5.10/gpio-grgpio-add-null-check-in-grgpio_probe.patch @@ -0,0 +1,41 @@ +From 667f17dab82b3fd9b98c8bfc39d0ce80780589b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2024 17:18:22 +0800 +Subject: gpio: grgpio: Add NULL check in grgpio_probe + +From: Charles Han + +[ Upstream commit 050b23d081da0f29474de043e9538c1f7a351b3b ] + +devm_kasprintf() can return a NULL pointer on failure,but this +returned value in grgpio_probe is not checked. +Add NULL check in grgpio_probe, to handle kernel NULL +pointer dereference error. + +Cc: stable@vger.kernel.org +Fixes: 7eb6ce2f2723 ("gpio: Convert to using %pOF instead of full_name") +Signed-off-by: Charles Han +Link: https://lore.kernel.org/r/20241114091822.78199-1-hanchunchao@inspur.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-grgpio.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c +index ca3bf8d51d5aa..506891115bb3e 100644 +--- a/drivers/gpio/gpio-grgpio.c ++++ b/drivers/gpio/gpio-grgpio.c +@@ -363,6 +363,9 @@ static int grgpio_probe(struct platform_device *ofdev) + gc->owner = THIS_MODULE; + gc->to_irq = grgpio_to_irq; + gc->label = devm_kasprintf(dev, GFP_KERNEL, "%pOF", np); ++ if (!gc->label) ++ return -ENOMEM; ++ + gc->base = -1; + + err = of_property_read_u32(np, "nbits", &prop); +-- +2.43.0 + diff --git a/queue-5.10/gpio-grgpio-use-a-helper-variable-to-store-the-addre.patch b/queue-5.10/gpio-grgpio-use-a-helper-variable-to-store-the-addre.patch new file mode 100644 index 00000000000..404e8af4e9e --- /dev/null 
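Review bot: `struct ethhdr *eth = skb_eth_hdr(skb);` reads the Ethernet header at skb->data instead of the possibly unset mac header, which removes the warning, but `eth->h_proto` is then dereferenced on the assumption that at least ETH_HLEN linear bytes are present at the head of the skb on this xmit path; that guarantee comes from the callers and is not visible in the hunk. If the GENEVE_DF_INHERIT branch can be reached with frames injected below the stack, a comment naming the invariant, e.g. `/* on xmit skb->data is the Ethernet header; callers guarantee ETH_HLEN linear bytes */`, would make the assumption reviewable, and a length check would make it enforceable. geneve_xmit_skb() begins and ends outside the hunk.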
+++ b/queue-5.10/gpio-grgpio-use-a-helper-variable-to-store-the-addre.patch 
@@ -0,0 +1,115 @@ +From bf7ab2a34402e472e1b75c2f757176c2a8375d84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 15:18:31 +0200 +Subject: gpio: grgpio: use a helper variable to store the address of + ofdev->dev + +From: Bartosz Golaszewski + +[ Upstream commit d036ae41cebdfae92666024163c109b8fef516fa ] + +Instead of dereferencing the platform device pointer repeatedly, just +store its address in a helper variable. + +Link: https://lore.kernel.org/r/20241015131832.44678-3-brgl@bgdev.pl +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: 050b23d081da ("gpio: grgpio: Add NULL check in grgpio_probe") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-grgpio.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c +index f954359c9544e..ca3bf8d51d5aa 100644 +--- a/drivers/gpio/gpio-grgpio.c ++++ b/drivers/gpio/gpio-grgpio.c +@@ -328,6 +328,7 @@ static const struct irq_domain_ops grgpio_irq_domain_ops = { + static int grgpio_probe(struct platform_device *ofdev) + { + struct device_node *np = ofdev->dev.of_node; ++ struct device *dev = &ofdev->dev; + void __iomem *regs; + struct gpio_chip *gc; + struct grgpio_priv *priv; +@@ -337,7 +338,7 @@ static int grgpio_probe(struct platform_device *ofdev) + int size; + int i; + +- priv = devm_kzalloc(&ofdev->dev, sizeof(*priv), GFP_KERNEL); ++ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; + +@@ -346,29 +347,29 @@ static int grgpio_probe(struct platform_device *ofdev) + return PTR_ERR(regs); + + gc = &priv->gc; +- err = bgpio_init(gc, &ofdev->dev, 4, regs + GRGPIO_DATA, ++ err = bgpio_init(gc, dev, 4, regs + GRGPIO_DATA, + regs + GRGPIO_OUTPUT, NULL, regs + GRGPIO_DIR, NULL, + BGPIOF_BIG_ENDIAN_BYTE_ORDER); + if (err) { +- dev_err(&ofdev->dev, "bgpio_init() failed\n"); ++ dev_err(dev, "bgpio_init() failed\n"); + return err; + } + + priv->regs = regs; + priv->imask = 
gc->read_reg(regs + GRGPIO_IMASK); +- priv->dev = &ofdev->dev; ++ priv->dev = dev; + + gc->of_node = np; + gc->owner = THIS_MODULE; + gc->to_irq = grgpio_to_irq; +- gc->label = devm_kasprintf(&ofdev->dev, GFP_KERNEL, "%pOF", np); ++ gc->label = devm_kasprintf(dev, GFP_KERNEL, "%pOF", np); + gc->base = -1; + + err = of_property_read_u32(np, "nbits", &prop); + if (err || prop <= 0 || prop > GRGPIO_MAX_NGPIO) { + gc->ngpio = GRGPIO_MAX_NGPIO; +- dev_dbg(&ofdev->dev, +- "No or invalid nbits property: assume %d\n", gc->ngpio); ++ dev_dbg(dev, "No or invalid nbits property: assume %d\n", ++ gc->ngpio); + } else { + gc->ngpio = prop; + } +@@ -380,7 +381,7 @@ static int grgpio_probe(struct platform_device *ofdev) + irqmap = (s32 *)of_get_property(np, "irqmap", &size); + if (irqmap) { + if (size < gc->ngpio) { +- dev_err(&ofdev->dev, ++ dev_err(dev, + "irqmap shorter than ngpio (%d < %d)\n", + size, gc->ngpio); + return -EINVAL; +@@ -390,7 +391,7 @@ static int grgpio_probe(struct platform_device *ofdev) + &grgpio_irq_domain_ops, + priv); + if (!priv->domain) { +- dev_err(&ofdev->dev, "Could not add irq domain\n"); ++ dev_err(dev, "Could not add irq domain\n"); + return -EINVAL; + } + +@@ -420,13 +421,13 @@ static int grgpio_probe(struct platform_device *ofdev) + + err = gpiochip_add_data(gc, priv); + if (err) { +- dev_err(&ofdev->dev, "Could not add gpiochip\n"); ++ dev_err(dev, "Could not add gpiochip\n"); + if (priv->domain) + irq_domain_remove(priv->domain); + return err; + } + +- dev_info(&ofdev->dev, "regs=0x%p, base=%d, ngpio=%d, irqs=%s\n", ++ dev_info(dev, "regs=0x%p, base=%d, ngpio=%d, irqs=%s\n", + priv->regs, gc->base, gc->ngpio, priv->domain ? "on" : "off"); + + return 0; +-- +2.43.0 + diff --git a/queue-5.10/i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch b/queue-5.10/i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch new file mode 100644 index 00000000000..c6b88c04b66 --- /dev/null +++ b/queue-5.10/i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch 
@@ -0,0 +1,43 @@ +From b9f2c5db335935ab90ffa3c1e19a0d4727ea8809 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Sep 2021 17:56:00 +0100 +Subject: i3c: fix incorrect address slot lookup on 64-bit + +From: Jamie Iles + +[ Upstream commit f18f98110f2b179792cb70d85cba697320a3790f ] + +The address slot bitmap is an array of unsigned long's which are the +same size as an int on 32-bit platforms but not 64-bit. Loading the +bitmap into an int could result in the incorrect status being returned +for a slot and slots being reported as the wrong status. + +Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure") +Cc: Boris Brezillon +Cc: Alexandre Belloni +Signed-off-by: Jamie Iles +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210922165600.179394-1-quic_jiles@quicinc.com +Stable-dep-of: 851bd21cdb55 ("i3c: master: Fix dynamic address leak when 'assigned-address' is present") +Signed-off-by: Sasha Levin +--- + drivers/i3c/master.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index 2527965a6f24d..63c79b3cd7d4f 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -347,7 +347,8 @@ struct bus_type i3c_bus_type = { + static enum i3c_addr_slot_status + i3c_bus_get_addr_slot_status(struct i3c_bus *bus, u16 addr) + { +- int status, bitpos = addr * 2; ++ unsigned long status; ++ int bitpos = addr * 2; + + if (addr > I2C_MAX_ADDR) + return I3C_ADDR_SLOT_RSVD; +-- +2.43.0 + diff --git a/queue-5.10/i3c-master-extend-address-status-bit-to-4-and-add-i3.patch b/queue-5.10/i3c-master-extend-address-status-bit-to-4-and-add-i3.patch new file mode 100644 index 00000000000..d654ee73d3c --- /dev/null +++ b/queue-5.10/i3c-master-extend-address-status-bit-to-4-and-add-i3.patch 
@@ -0,0 +1,197 @@ +From 8de661d61946f704b487eb0af0f7864c2cca87d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2024 11:45:07 -0400 +Subject: i3c: master: Extend address status bit to 4 and add + I3C_ADDR_SLOT_EXT_DESIRED +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frank Li + +[ Upstream commit 2f552fa280590e61bd3dbe66a7b54b99caa642a4 ] + +Extend the address status bit to 4 and introduce the +I3C_ADDR_SLOT_EXT_DESIRED macro to indicate that a device prefers a +specific address. This is generally set by the 'assigned-address' in the +device tree source (dts) file. + + ┌────┬─────────────┬───┬─────────┬───┐ + │S/Sr│ 7'h7E RnW=0 │ACK│ ENTDAA │ T ├────┐ + └────┴─────────────┴───┴─────────┴───┘ │ + ┌─────────────────────────────────────────┘ + │ ┌──┬─────────────┬───┬─────────────────┬────────────────┬───┬─────────┐ + └─►│Sr│7'h7E RnW=1 │ACK│48bit UID BCR DCR│Assign 7bit Addr│PAR│ ACK/NACK│ + └──┴─────────────┴───┴─────────────────┴────────────────┴───┴─────────┘ + +Some master controllers (such as HCI) need to prepare the entire above +transaction before sending it out to the I3C bus. This means that a 7-bit +dynamic address needs to be allocated before knowing the target device's +UID information. + +However, some I3C targets may request specific addresses (called as +"init_dyn_addr"), which is typically specified by the DT-'s +assigned-address property. Lower addresses having higher IBI priority. If +it is available, i3c_bus_get_free_addr() preferably return a free address +that is not in the list of desired addresses (called as "init_dyn_addr"). +This allows the device with the "init_dyn_addr" to switch to its +"init_dyn_addr" when it hot-joins the I3C bus. Otherwise, if the +"init_dyn_addr" is already in use by another I3C device, the target device +will not be able to switch to its desired address. 
+ +If the previous step fails, fallback returning one of the remaining +unassigned address, regardless of its state in the desired list. + +Reviewed-by: Miquel Raynal +Signed-off-by: Frank Li +Link: https://lore.kernel.org/r/20241021-i3c_dts_assign-v8-2-4098b8bde01e@nxp.com +Signed-off-by: Alexandre Belloni +Stable-dep-of: 851bd21cdb55 ("i3c: master: Fix dynamic address leak when 'assigned-address' is present") +Signed-off-by: Sasha Levin +--- + drivers/i3c/master.c | 65 +++++++++++++++++++++++++++++++------- + include/linux/i3c/master.h | 7 ++-- + 2 files changed, 59 insertions(+), 13 deletions(-) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index 49a744577f4ea..b86e1119df21d 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -345,7 +345,7 @@ struct bus_type i3c_bus_type = { + }; + + static enum i3c_addr_slot_status +-i3c_bus_get_addr_slot_status(struct i3c_bus *bus, u16 addr) ++i3c_bus_get_addr_slot_status_mask(struct i3c_bus *bus, u16 addr, u32 mask) + { + unsigned long status; + int bitpos = addr * I3C_ADDR_SLOT_STATUS_BITS; +@@ -356,11 +356,17 @@ i3c_bus_get_addr_slot_status(struct i3c_bus *bus, u16 addr) + status = bus->addrslots[bitpos / BITS_PER_LONG]; + status >>= bitpos % BITS_PER_LONG; + +- return status & I3C_ADDR_SLOT_STATUS_MASK; ++ return status & mask; + } + +-static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr, +- enum i3c_addr_slot_status status) ++static enum i3c_addr_slot_status ++i3c_bus_get_addr_slot_status(struct i3c_bus *bus, u16 addr) ++{ ++ return i3c_bus_get_addr_slot_status_mask(bus, addr, I3C_ADDR_SLOT_STATUS_MASK); ++} ++ ++static void i3c_bus_set_addr_slot_status_mask(struct i3c_bus *bus, u16 addr, ++ enum i3c_addr_slot_status status, u32 mask) + { + int bitpos = addr * I3C_ADDR_SLOT_STATUS_BITS; + unsigned long *ptr; +@@ -369,9 +375,14 @@ static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr, + return; + + ptr = bus->addrslots + (bitpos / BITS_PER_LONG); +- *ptr &= 
~((unsigned long)I3C_ADDR_SLOT_STATUS_MASK << +- (bitpos % BITS_PER_LONG)); +- *ptr |= (unsigned long)status << (bitpos % BITS_PER_LONG); ++ *ptr &= ~((unsigned long)mask << (bitpos % BITS_PER_LONG)); ++ *ptr |= ((unsigned long)status & mask) << (bitpos % BITS_PER_LONG); ++} ++ ++static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr, ++ enum i3c_addr_slot_status status) ++{ ++ i3c_bus_set_addr_slot_status_mask(bus, addr, status, I3C_ADDR_SLOT_STATUS_MASK); + } + + static bool i3c_bus_dev_addr_is_avail(struct i3c_bus *bus, u8 addr) +@@ -383,13 +394,44 @@ static bool i3c_bus_dev_addr_is_avail(struct i3c_bus *bus, u8 addr) + return status == I3C_ADDR_SLOT_FREE; + } + ++/* ++ * ┌────┬─────────────┬───┬─────────┬───┐ ++ * │S/Sr│ 7'h7E RnW=0 │ACK│ ENTDAA │ T ├────┐ ++ * └────┴─────────────┴───┴─────────┴───┘ │ ++ * ┌─────────────────────────────────────────┘ ++ * │ ┌──┬─────────────┬───┬─────────────────┬────────────────┬───┬─────────┐ ++ * └─►│Sr│7'h7E RnW=1 │ACK│48bit UID BCR DCR│Assign 7bit Addr│PAR│ ACK/NACK│ ++ * └──┴─────────────┴───┴─────────────────┴────────────────┴───┴─────────┘ ++ * Some master controllers (such as HCI) need to prepare the entire above transaction before ++ * sending it out to the I3C bus. This means that a 7-bit dynamic address needs to be allocated ++ * before knowing the target device's UID information. ++ * ++ * However, some I3C targets may request specific addresses (called as "init_dyn_addr"), which is ++ * typically specified by the DT-'s assigned-address property. Lower addresses having higher IBI ++ * priority. If it is available, i3c_bus_get_free_addr() preferably return a free address that is ++ * not in the list of desired addresses (called as "init_dyn_addr"). This allows the device with ++ * the "init_dyn_addr" to switch to its "init_dyn_addr" when it hot-joins the I3C bus. 
Otherwise, ++ * if the "init_dyn_addr" is already in use by another I3C device, the target device will not be ++ * able to switch to its desired address. ++ * ++ * If the previous step fails, fallback returning one of the remaining unassigned address, ++ * regardless of its state in the desired list. ++ */ + static int i3c_bus_get_free_addr(struct i3c_bus *bus, u8 start_addr) + { + enum i3c_addr_slot_status status; + u8 addr; + + for (addr = start_addr; addr < I3C_MAX_ADDR; addr++) { +- status = i3c_bus_get_addr_slot_status(bus, addr); ++ status = i3c_bus_get_addr_slot_status_mask(bus, addr, ++ I3C_ADDR_SLOT_EXT_STATUS_MASK); ++ if (status == I3C_ADDR_SLOT_FREE) ++ return addr; ++ } ++ ++ for (addr = start_addr; addr < I3C_MAX_ADDR; addr++) { ++ status = i3c_bus_get_addr_slot_status_mask(bus, addr, ++ I3C_ADDR_SLOT_STATUS_MASK); + if (status == I3C_ADDR_SLOT_FREE) + return addr; + } +@@ -1765,9 +1807,10 @@ static int i3c_master_bus_init(struct i3c_master_controller *master) + goto err_rstdaa; + } + +- i3c_bus_set_addr_slot_status(&master->bus, +- i3cboardinfo->init_dyn_addr, +- I3C_ADDR_SLOT_I3C_DEV); ++ i3c_bus_set_addr_slot_status_mask(&master->bus, ++ i3cboardinfo->init_dyn_addr, ++ I3C_ADDR_SLOT_I3C_DEV | I3C_ADDR_SLOT_EXT_DESIRED, ++ I3C_ADDR_SLOT_EXT_STATUS_MASK); + + /* + * Only try to create/attach devices that have a static +diff --git a/include/linux/i3c/master.h b/include/linux/i3c/master.h +index 06cba906e4e41..ea3781d730064 100644 +--- a/include/linux/i3c/master.h ++++ b/include/linux/i3c/master.h +@@ -276,7 +276,8 @@ enum i3c_bus_mode { + * @I3C_ADDR_SLOT_I2C_DEV: address is assigned to an I2C device + * @I3C_ADDR_SLOT_I3C_DEV: address is assigned to an I3C device + * @I3C_ADDR_SLOT_STATUS_MASK: address slot mask +- * ++ * @I3C_ADDR_SLOT_EXT_DESIRED: the bitmask represents addresses that are preferred by some devices, ++ * such as the "assigned-address" property in a device tree source. 
+ * On an I3C bus, addresses are assigned dynamically, and we need to know which + * addresses are free to use and which ones are already assigned. + * +@@ -289,9 +290,11 @@ enum i3c_addr_slot_status { + I3C_ADDR_SLOT_I2C_DEV, + I3C_ADDR_SLOT_I3C_DEV, + I3C_ADDR_SLOT_STATUS_MASK = 3, ++ I3C_ADDR_SLOT_EXT_STATUS_MASK = 7, ++ I3C_ADDR_SLOT_EXT_DESIRED = BIT(2), + }; + +-#define I3C_ADDR_SLOT_STATUS_BITS 2 ++#define I3C_ADDR_SLOT_STATUS_BITS 4 + + /** + * struct i3c_bus - I3C bus object +-- +2.43.0 + diff --git a/queue-5.10/i3c-master-fix-dynamic-address-leak-when-assigned-ad.patch b/queue-5.10/i3c-master-fix-dynamic-address-leak-when-assigned-ad.patch new file mode 100644 index 00000000000..25075cd876f --- /dev/null +++ b/queue-5.10/i3c-master-fix-dynamic-address-leak-when-assigned-ad.patch 
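Review bot: The new `i3c_bus_set_addr_slot_status_mask()` silently drops any `status` bits outside `mask` (`((unsigned long)status & mask)`), and `i3c_bus_get_addr_slot_status_mask()` can now return combined values such as `I3C_ADDR_SLOT_I3C_DEV | I3C_ADDR_SLOT_EXT_DESIRED` that are not named enumerators, yet neither helper has a comment stating this; a line on each, e.g. `/* Only the bits selected by @mask are read or written; other slot bits are left untouched (set) or masked out (get) */`, would keep callers from passing the 2-bit STATUS mask when they mean to clear EXT_DESIRED. The `i3c_master_bus_init()` hunk marks `init_dyn_addr` as `I3C_ADDR_SLOT_I3C_DEV | I3C_ADDR_SLOT_EXT_DESIRED` before any device exists on the bus; the "Fix dynamic address leak" patch in this same series already narrows that to EXT_DESIRED, so this note is only the documentation point. The block comment above i3c_bus_get_free_addr() repeats the commit message verbatim, diagram included; trimming it to the two-pass rule the code implements ("prefer a FREE slot without EXT_DESIRED, then fall back to any FREE slot") would describe the function rather than the series.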
@@ -0,0 +1,104 @@ +From 7c7a7a55772d0cd6fb22f25c9e5bb9995034e25a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2024 11:45:08 -0400 +Subject: i3c: master: Fix dynamic address leak when 'assigned-address' is + present + +From: Frank Li + +[ Upstream commit 851bd21cdb55e727ab29280bc9f6b678164f802a ] + +If the DTS contains 'assigned-address', a dynamic address leak occurs +during hotjoin events. + +Assume a device have assigned-address 0xb. + - Device issue Hotjoin + - Call i3c_master_do_daa() + - Call driver xxx_do_daa() + - Call i3c_master_get_free_addr() to get dynamic address 0x9 + - i3c_master_add_i3c_dev_locked(0x9) + - expected_dyn_addr = newdev->boardinfo->init_dyn_addr (0xb); + - i3c_master_reattach_i3c_dev(newdev(0xb), old_dyn_addr(0x9)); + - if (dev->info.dyn_addr != old_dyn_addr && + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 0xb != 0x9 -> TRUE + (!dev->boardinfo || + ^^^^^^^^^^^^^^^ -> FALSE + dev->info.dyn_addr != dev->boardinfo->init_dyn_addr)) { + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + 0xb != 0xb -> FALSE + ... + i3c_bus_set_addr_slot_status(&master->bus, old_dyn_addr, + I3C_ADDR_SLOT_FREE); + ^^^ + This will be skipped. So old_dyn_addr never free + } + + - i3c_master_get_free_addr() will return increased sequence number. + +Remove dev->info.dyn_addr != dev->boardinfo->init_dyn_addr condition check. +dev->info.dyn_addr should be checked before calling this function because +i3c_master_setnewda_locked() has already been called and the target device +has already accepted dyn_addr. It is too late to check if dyn_addr is free +in i3c_master_reattach_i3c_dev(). + +Add check to ensure expected_dyn_addr is free before +i3c_master_setnewda_locked(). 
+ +Fixes: cc3a392d69b6 ("i3c: master: fix for SETDASA and DAA process") +Cc: stable@kernel.org +Reviewed-by: Miquel Raynal +Signed-off-by: Frank Li +Link: https://lore.kernel.org/r/20241021-i3c_dts_assign-v8-3-4098b8bde01e@nxp.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index b86e1119df21d..0ade1ce2bbc89 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -1413,16 +1413,9 @@ static int i3c_master_reattach_i3c_dev(struct i3c_dev_desc *dev, + u8 old_dyn_addr) + { + struct i3c_master_controller *master = i3c_dev_get_master(dev); +- enum i3c_addr_slot_status status; + int ret; + +- if (dev->info.dyn_addr != old_dyn_addr && +- (!dev->boardinfo || +- dev->info.dyn_addr != dev->boardinfo->init_dyn_addr)) { +- status = i3c_bus_get_addr_slot_status(&master->bus, +- dev->info.dyn_addr); +- if (status != I3C_ADDR_SLOT_FREE) +- return -EBUSY; ++ if (dev->info.dyn_addr != old_dyn_addr) { + i3c_bus_set_addr_slot_status(&master->bus, + dev->info.dyn_addr, + I3C_ADDR_SLOT_I3C_DEV); +@@ -1807,9 +1800,10 @@ static int i3c_master_bus_init(struct i3c_master_controller *master) + goto err_rstdaa; + } + ++ /* Do not mark as occupied until real device exist in bus */ + i3c_bus_set_addr_slot_status_mask(&master->bus, + i3cboardinfo->init_dyn_addr, +- I3C_ADDR_SLOT_I3C_DEV | I3C_ADDR_SLOT_EXT_DESIRED, ++ I3C_ADDR_SLOT_EXT_DESIRED, + I3C_ADDR_SLOT_EXT_STATUS_MASK); + + /* +@@ -1977,7 +1971,8 @@ int i3c_master_add_i3c_dev_locked(struct i3c_master_controller *master, + else + expected_dyn_addr = newdev->info.dyn_addr; + +- if (newdev->info.dyn_addr != expected_dyn_addr) { ++ if (newdev->info.dyn_addr != expected_dyn_addr && ++ i3c_bus_get_addr_slot_status(&master->bus, expected_dyn_addr) == I3C_ADDR_SLOT_FREE) { + /* + * Try to apply the expected dynamic address. 
If it fails, keep + * the address assigned by the master. +-- +2.43.0 + diff --git a/queue-5.10/i3c-master-replace-hard-code-2-with-macro-i3c_addr_s.patch b/queue-5.10/i3c-master-replace-hard-code-2-with-macro-i3c_addr_s.patch new file mode 100644 index 00000000000..da4d5d68c02 --- /dev/null +++ b/queue-5.10/i3c-master-replace-hard-code-2-with-macro-i3c_addr_s.patch 
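Review bot: `i3c_master_reattach_i3c_dev()` no longer verifies that `dev->info.dyn_addr` is free before marking it `I3C_ADDR_SLOT_I3C_DEV`, so the precondition has moved to the caller but is not recorded at the function; a comment on the new `if (dev->info.dyn_addr != old_dyn_addr) {` such as `/* Caller must have checked dev->info.dyn_addr is free: SETNEWDA has already been sent, so it is too late to reject it here */` would keep a future caller from reintroducing the leak. The new check in i3c_master_add_i3c_dev_locked() uses `i3c_bus_get_addr_slot_status()`, i.e. the 2-bit STATUS mask, so a slot holding only EXT_DESIRED reads as FREE; that appears intentional given the "Do not mark as occupied" change in the same patch, but naming it in a comment would help. That added comment also has a grammar slip; suggest `/* Do not mark as occupied until a real device exists on the bus */`. Both reattach and add_i3c_dev_locked continue outside their hunks.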
@@ -0,0 +1,72 @@ +From be146242721933863010b4d5a5b681a6f768e431 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2024 11:45:06 -0400 +Subject: i3c: master: Replace hard code 2 with macro I3C_ADDR_SLOT_STATUS_BITS + +From: Frank Li + +[ Upstream commit 16aed0a6520ba01b7d22c32e193fc1ec674f92d4 ] + +Replace the hardcoded value 2, which indicates 2 bits for I3C address +status, with the predefined macro I3C_ADDR_SLOT_STATUS_BITS. + +Improve maintainability and extensibility of the code. + +Reviewed-by: Miquel Raynal +Signed-off-by: Frank Li +Link: https://lore.kernel.org/r/20241021-i3c_dts_assign-v8-1-4098b8bde01e@nxp.com +Signed-off-by: Alexandre Belloni +Stable-dep-of: 851bd21cdb55 ("i3c: master: Fix dynamic address leak when 'assigned-address' is present") +Signed-off-by: Sasha Levin +--- + drivers/i3c/master.c | 4 ++-- + include/linux/i3c/master.h | 4 +++- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index 63c79b3cd7d4f..49a744577f4ea 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -348,7 +348,7 @@ static enum i3c_addr_slot_status + i3c_bus_get_addr_slot_status(struct i3c_bus *bus, u16 addr) + { + unsigned long status; +- int bitpos = addr * 2; ++ int bitpos = addr * I3C_ADDR_SLOT_STATUS_BITS; + + if (addr > I2C_MAX_ADDR) + return I3C_ADDR_SLOT_RSVD; +@@ -362,7 +362,7 @@ i3c_bus_get_addr_slot_status(struct i3c_bus *bus, u16 addr) + static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr, + enum i3c_addr_slot_status status) + { +- int bitpos = addr * 2; ++ int bitpos = addr * I3C_ADDR_SLOT_STATUS_BITS; + unsigned long *ptr; + + if (addr > I2C_MAX_ADDR) +diff --git a/include/linux/i3c/master.h b/include/linux/i3c/master.h +index 9cb39d901cd5f..06cba906e4e41 100644 +--- a/include/linux/i3c/master.h ++++ b/include/linux/i3c/master.h +@@ -291,6 +291,8 @@ enum i3c_addr_slot_status { + I3C_ADDR_SLOT_STATUS_MASK = 3, + }; + ++#define I3C_ADDR_SLOT_STATUS_BITS 
2 ++ + /** + * struct i3c_bus - I3C bus object + * @cur_master: I3C master currently driving the bus. Since I3C is multi-master +@@ -332,7 +334,7 @@ enum i3c_addr_slot_status { + struct i3c_bus { + struct i3c_dev_desc *cur_master; + int id; +- unsigned long addrslots[((I2C_MAX_ADDR + 1) * 2) / BITS_PER_LONG]; ++ unsigned long addrslots[((I2C_MAX_ADDR + 1) * I3C_ADDR_SLOT_STATUS_BITS) / BITS_PER_LONG]; + enum i3c_bus_mode mode; + struct { + unsigned long i3c; +-- +2.43.0 + diff --git a/queue-5.10/igb-fix-potential-invalid-memory-access-in-igb_init_.patch b/queue-5.10/igb-fix-potential-invalid-memory-access-in-igb_init_.patch new file mode 100644 index 00000000000..5ee764b673a --- /dev/null +++ b/queue-5.10/igb-fix-potential-invalid-memory-access-in-igb_init_.patch 
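Review bot: `addrslots[((I2C_MAX_ADDR + 1) * I3C_ADDR_SLOT_STATUS_BITS) / BITS_PER_LONG]` truncates rather than rounds up, so the array only covers every slot while that product is a multiple of BITS_PER_LONG; the macro makes the width easy to change and a later patch in this series bumps it to 4, so the rounding assumption should be enforced rather than assumed. `DECLARE_BITMAP(addrslots, (I2C_MAX_ADDR + 1) * I3C_ADDR_SLOT_STATUS_BITS);` yields the same `unsigned long[]` with BITS_TO_LONGS rounding, or keep the array and add `BUILD_BUG_ON(((I2C_MAX_ADDR + 1) * I3C_ADDR_SLOT_STATUS_BITS) % BITS_PER_LONG);` where the bus is initialised. Whether the product is an exact multiple today depends on the value of I2C_MAX_ADDR, which is not in the hunk.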
@@ -0,0 +1,40 @@ +From d9ba2fbfc2561fb7ee8bc4612a05694070e93a85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2024 20:10:48 +0800 +Subject: igb: Fix potential invalid memory access in igb_init_module() + +From: Yuan Can + +[ Upstream commit 0566f83d206c7a864abcd741fe39d6e0ae5eef29 ] + +The pci_register_driver() can fail and when this happened, the dca_notifier +needs to be unregistered, otherwise the dca_notifier can be called when +igb fails to install, resulting to invalid memory access. + +Fixes: bbd98fe48a43 ("igb: Fix DCA errors and do not use context index for 82576") +Signed-off-by: Yuan Can +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 17cdda3fe415a..7b89dadd41baf 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -666,6 +666,10 @@ static int __init igb_init_module(void) + dca_register_notify(&dca_notifier); + #endif + ret = pci_register_driver(&igb_driver); ++#ifdef CONFIG_IGB_DCA ++ if (ret) ++ dca_unregister_notify(&dca_notifier); ++#endif + return ret; + } + +-- +2.43.0 + diff --git a/queue-5.10/ipvs-fix-ub-due-to-uninitialized-stack-access-in-ip_.patch b/queue-5.10/ipvs-fix-ub-due-to-uninitialized-stack-access-in-ip_.patch new file mode 100644 index 00000000000..b59e6807124 --- /dev/null +++ b/queue-5.10/ipvs-fix-ub-due-to-uninitialized-stack-access-in-ip_.patch 
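Review bot: The added `#ifdef CONFIG_IGB_DCA` cleanup has no comment saying why the notifier must go when `pci_register_driver()` fails, and the reason — the notifier would otherwise fire into a module that never finished loading — lives only in the commit message; a one-liner on `if (ret)` such as `/* the DCA notifier must not outlive a failed driver registration */` carries it into the code. A single error-cleanup path would avoid the two separate ifdef islands around the register call, but with one registration to undo that is a matter of taste. The start of igb_init_module() is outside the hunk.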
@@ -0,0 +1,117 @@ +From e8fe082581a44e49f79acc3131647245cc37edbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Nov 2024 03:42:56 -0600 +Subject: ipvs: fix UB due to uninitialized stack access in + ip_vs_protocol_init() + +From: Jinghao Jia + +[ Upstream commit 146b6f1112eb30a19776d6c323c994e9d67790db ] + +Under certain kernel configurations when building with Clang/LLVM, the +compiler does not generate a return or jump as the terminator +instruction for ip_vs_protocol_init(), triggering the following objtool +warning during build time: + + vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6() + +At runtime, this either causes an oops when trying to load the ipvs +module or a boot-time panic if ipvs is built-in. This same issue has +been reported by the Intel kernel test robot previously. + +Digging deeper into both LLVM and the kernel code reveals this to be a +undefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer +of 64 chars to store the registered protocol names and leaves it +uninitialized after definition. The function calls strnlen() when +concatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE +strnlen() performs an extra step to check whether the last byte of the +input char buffer is a null character (commit 3009f891bb9f ("fortify: +Allow strlen() and strnlen() to pass compile-time known lengths")). +This, together with possibly other configurations, cause the following +IR to be generated: + + define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section ".init.text" align 16 !kcfi_type !29 { + %1 = alloca [64 x i8], align 16 + ... 
+ + 14: ; preds = %11 + %15 = getelementptr inbounds i8, ptr %1, i64 63 + %16 = load i8, ptr %15, align 1 + %17 = tail call i1 @llvm.is.constant.i8(i8 %16) + %18 = icmp eq i8 %16, 0 + %19 = select i1 %17, i1 %18, i1 false + br i1 %19, label %20, label %23 + + 20: ; preds = %14 + %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23 + ... + + 23: ; preds = %14, %11, %20 + %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24 + ... + } + +The above code calculates the address of the last char in the buffer +(value %15) and then loads from it (value %16). Because the buffer is +never initialized, the LLVM GVN pass marks value %16 as undefined: + + %13 = getelementptr inbounds i8, ptr %1, i64 63 + br i1 undef, label %14, label %17 + +This gives later passes (SCCP, in particular) more DCE opportunities by +propagating the undef value further, and eventually removes everything +after the load on the uninitialized stack location: + + define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section ".init.text" align 16 !kcfi_type !11 { + %1 = alloca [64 x i8], align 16 + ... + + 12: ; preds = %11 + %13 = getelementptr inbounds i8, ptr %1, i64 63 + unreachable + } + +In this way, the generated native code will just fall through to the +next function, as LLVM does not generate any code for the unreachable IR +instruction and leaves the function without a terminator. + +Zero the on-stack buffer to avoid this possible UB. 
+ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202402100205.PWXIz1ZK-lkp@intel.com/ +Co-developed-by: Ruowen Qin +Signed-off-by: Ruowen Qin +Signed-off-by: Jinghao Jia +Acked-by: Julian Anastasov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_proto.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_proto.c b/net/netfilter/ipvs/ip_vs_proto.c +index f100da4ba3bc3..a9fd1d3fc2cbf 100644 +--- a/net/netfilter/ipvs/ip_vs_proto.c ++++ b/net/netfilter/ipvs/ip_vs_proto.c +@@ -340,7 +340,7 @@ void __net_exit ip_vs_protocol_net_cleanup(struct netns_ipvs *ipvs) + + int __init ip_vs_protocol_init(void) + { +- char protocols[64]; ++ char protocols[64] = { 0 }; + #define REGISTER_PROTOCOL(p) \ + do { \ + register_ip_vs_protocol(p); \ +@@ -348,8 +348,6 @@ int __init ip_vs_protocol_init(void) + strcat(protocols, (p)->name); \ + } while (0) + +- protocols[0] = '\0'; +- protocols[2] = '\0'; + #ifdef CONFIG_IP_VS_PROTO_TCP + REGISTER_PROTOCOL(&ip_vs_protocol_tcp); + #endif +-- +2.43.0 + diff --git a/queue-5.10/itco_wdt-mask-nmi_now-bit-for-update_no_reboot_bit-c.patch b/queue-5.10/itco_wdt-mask-nmi_now-bit-for-update_no_reboot_bit-c.patch new file mode 100644 index 00000000000..ad330944e09 --- /dev/null +++ b/queue-5.10/itco_wdt-mask-nmi_now-bit-for-update_no_reboot_bit-c.patch 
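Review bot: The `REGISTER_PROTOCOL()` macro still appends with unbounded `strcat(protocols, (p)->name)` into the 64-byte stack buffer this patch now zero-initialises; the set of names is fixed at build time so the bound presumably holds, but nothing checks it. `strlcat(protocols, (p)->name, sizeof(protocols));` (and the same for the separator append, if it sits in the elided part of the macro) makes the limit explicit at no cost. A comment on `char protocols[64] = { 0 };` noting that full zeroing is required because FORTIFY's strnlen() reads the last byte would record why the two removed stores were not enough. The rest of ip_vs_protocol_init() is outside the hunk.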
@@ -0,0 +1,85 @@ +From fc6249c11ed03c3b4e060467f87fb64df6a7296e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 12:14:03 -0700 +Subject: iTCO_wdt: mask NMI_NOW bit for update_no_reboot_bit() call + +From: Oleksandr Ocheretnyi + +[ Upstream commit daa814d784ac034c62ab3fb0ef83daeafef527e2 ] + +Commit da23b6faa8bf ("watchdog: iTCO: Add support for Cannon Lake +PCH iTCO") does not mask NMI_NOW bit during TCO1_CNT register's +value comparison for update_no_reboot_bit() call causing following +failure: + + ... + iTCO_vendor_support: vendor-support=0 + iTCO_wdt iTCO_wdt: unable to reset NO_REBOOT flag, device + disabled by hardware/BIOS + ... + +and this can lead to unexpected NMIs later during regular +crashkernel's workflow because of watchdog probe call failures. + +This change masks NMI_NOW bit for TCO1_CNT register values to +avoid unexpected NMI_NOW bit inversions. + +Fixes: da23b6faa8bf ("watchdog: iTCO: Add support for Cannon Lake PCH iTCO") +Signed-off-by: Oleksandr Ocheretnyi +Reviewed-by: Guenter Roeck +Reviewed-by: Mika Westerberg +Link: https://lore.kernel.org/r/20240913191403.2560805-1-oocheret@cisco.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/iTCO_wdt.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/watchdog/iTCO_wdt.c b/drivers/watchdog/iTCO_wdt.c +index 50c874d488607..5f5586b0dd676 100644 +--- a/drivers/watchdog/iTCO_wdt.c ++++ b/drivers/watchdog/iTCO_wdt.c +@@ -84,6 +84,13 @@ + #define TCO2_CNT(p) (TCOBASE(p) + 0x0a) /* TCO2 Control Register */ + #define TCOv2_TMR(p) (TCOBASE(p) + 0x12) /* TCOv2 Timer Initial Value*/ + ++/* ++ * NMI_NOW is bit 8 of TCO1_CNT register ++ * Read/Write ++ * This bit is implemented as RW but has no effect on HW. 
++ */ ++#define NMI_NOW BIT(8) ++ + /* internal variables */ + struct iTCO_wdt_private { + struct watchdog_device wddev; +@@ -222,13 +229,23 @@ static int update_no_reboot_bit_cnt(void *priv, bool set) + struct iTCO_wdt_private *p = priv; + u16 val, newval; + +- val = inw(TCO1_CNT(p)); ++ /* ++ * writing back 1b1 to NMI_NOW of TCO1_CNT register ++ * causes NMI_NOW bit inversion what consequently does ++ * not allow to perform the register's value comparison ++ * properly. ++ * ++ * NMI_NOW bit masking for TCO1_CNT register values ++ * helps to avoid possible NMI_NOW bit inversions on ++ * following write operation. ++ */ ++ val = inw(TCO1_CNT(p)) & ~NMI_NOW; + if (set) + val |= BIT(0); + else + val &= ~BIT(0); + outw(val, TCO1_CNT(p)); +- newval = inw(TCO1_CNT(p)); ++ newval = inw(TCO1_CNT(p)) & ~NMI_NOW; + + /* make sure the update is successful */ + return val != newval ? -EIO : 0; +-- +2.43.0 + diff --git a/queue-5.10/net-hsr-avoid-potential-out-of-bound-access-in-fill_.patch b/queue-5.10/net-hsr-avoid-potential-out-of-bound-access-in-fill_.patch new file mode 100644 index 00000000000..8860a512544 --- /dev/null +++ b/queue-5.10/net-hsr-avoid-potential-out-of-bound-access-in-fill_.patch 
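Review bot: The two new comments describe NMI_NOW inconsistently: the define says the bit `has no effect on HW`, while the comment in update_no_reboot_bit_cnt() says writing it back `causes NMI_NOW bit inversion`, which is the behaviour the code actually relies on. Suggest the define's comment state the property the mask depends on, e.g. `/* NMI_NOW (bit 8 of TCO1_CNT) does not read back as written, so it is excluded from the write/read-back comparison */`, and the in-function comment shrink to a pointer to it. Masking `val` before `outw(val, TCO1_CNT(p))` also means that bit is always written as 0; if NMI_NOW is a trigger or write-1 bit that is the intended value, but the comment should say so.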
@@ -0,0 +1,95 @@ +From 4042c78da0e27bb2acd10e8b901ea0e4be97491e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Nov 2024 14:43:44 +0000 +Subject: net: hsr: avoid potential out-of-bound access in fill_frame_info() + +From: Eric Dumazet + +[ Upstream commit b9653d19e556c6afd035602927a93d100a0d7644 ] + +syzbot is able to feed a packet with 14 bytes, pretending +it is a vlan one. + +Since fill_frame_info() is relying on skb->mac_len already, +extend the check to cover this case. + +BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:709 [inline] + BUG: KMSAN: uninit-value in hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724 + fill_frame_info net/hsr/hsr_forward.c:709 [inline] + hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724 + hsr_dev_xmit+0x2f0/0x350 net/hsr/hsr_device.c:235 + __netdev_start_xmit include/linux/netdevice.h:5002 [inline] + netdev_start_xmit include/linux/netdevice.h:5011 [inline] + xmit_one net/core/dev.c:3590 [inline] + dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606 + __dev_queue_xmit+0x366a/0x57d0 net/core/dev.c:4434 + dev_queue_xmit include/linux/netdevice.h:3168 [inline] + packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 + packet_snd net/packet/af_packet.c:3146 [inline] + packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178 + sock_sendmsg_nosec net/socket.c:711 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:726 + __sys_sendto+0x594/0x750 net/socket.c:2197 + __do_sys_sendto net/socket.c:2204 [inline] + __se_sys_sendto net/socket.c:2200 [inline] + __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200 + x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4091 [inline] + slab_alloc_node mm/slub.c:4134 [inline] + kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186 + 
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 + __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 + alloc_skb include/linux/skbuff.h:1323 [inline] + alloc_skb_with_frags+0xc8/0xd00 net/core/skbuff.c:6612 + sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2881 + packet_alloc_skb net/packet/af_packet.c:2995 [inline] + packet_snd net/packet/af_packet.c:3089 [inline] + packet_sendmsg+0x74c6/0xa6f0 net/packet/af_packet.c:3178 + sock_sendmsg_nosec net/socket.c:711 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:726 + __sys_sendto+0x594/0x750 net/socket.c:2197 + __do_sys_sendto net/socket.c:2204 [inline] + __se_sys_sendto net/socket.c:2200 [inline] + __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200 + x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 48b491a5cc74 ("net: hsr: fix mac_len checks") +Reported-by: syzbot+671e2853f9851d039551@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6745dc7f.050a0220.21d33d.0018.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: WingMan Kwok +Cc: Murali Karicheri +Cc: MD Danish Anwar +Cc: Jiri Pirko +Cc: George McCollister +Link: https://patch.msgid.link/20241126144344.4177332-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_forward.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c +index 0c115d8ded03c..a58c0be64272b 100644 +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -525,6 +525,8 @@ static int fill_frame_info(struct hsr_frame_info *frame, + frame->is_vlan = true; + + if (frame->is_vlan) { ++ if (skb->mac_len < offsetofend(struct hsr_vlan_ethhdr, vlanhdr)) ++ return -EINVAL; + vlan_hdr = (struct hsr_vlan_ethhdr *)ethhdr; + proto = vlan_hdr->vlanhdr.h_vlan_encapsulated_proto; + /* FIXME: */ +-- +2.43.0 + 
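Review bot: The new bound check is right for the access that follows it but reads as a bare condition; a comment on `if (skb->mac_len < offsetofend(struct hsr_vlan_ethhdr, vlanhdr))` such as `/* a 14-byte frame can carry a VLAN ethertype with no tag behind it; the tag must lie within the MAC header before vlanhdr is read */` records why `offsetofend(..., vlanhdr)` rather than `sizeof(struct ethhdr)` is the bound here. The check trusts `skb->mac_len`; the commit message says fill_frame_info() already relies on it, which is consistent, but nothing in the hunk shows mac_len being bounded by the linear data, so that guarantee should be confirmed at the caller. fill_frame_info() continues outside the hunk.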
diff --git a/queue-5.10/net-ipv6-release-expired-exception-dst-cached-in-soc.patch b/queue-5.10/net-ipv6-release-expired-exception-dst-cached-in-soc.patch new file mode 100644 index 00000000000..2ac35d6e191 --- /dev/null +++ b/queue-5.10/net-ipv6-release-expired-exception-dst-cached-in-soc.patch 
@@ -0,0 +1,85 @@ +From 5d779ac9808489408ab69d1e3a8d6a7d430b098b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2024 09:59:50 +0100 +Subject: net/ipv6: release expired exception dst cached in socket + +From: Jiri Wiesner + +[ Upstream commit 3301ab7d5aeb0fe270f73a3d4810c9d1b6a9f045 ] + +Dst objects get leaked in ip6_negative_advice() when this function is +executed for an expired IPv6 route located in the exception table. There +are several conditions that must be fulfilled for the leak to occur: +* an ICMPv6 packet indicating a change of the MTU for the path is received, + resulting in an exception dst being created +* a TCP connection that uses the exception dst for routing packets must + start timing out so that TCP begins retransmissions +* after the exception dst expires, the FIB6 garbage collector must not run + before TCP executes ip6_negative_advice() for the expired exception dst + +When TCP executes ip6_negative_advice() for an exception dst that has +expired and if no other socket holds a reference to the exception dst, the +refcount of the exception dst is 2, which corresponds to the increment +made by dst_init() and the increment made by the TCP socket for which the +connection is timing out. The refcount made by the socket is never +released. The refcount of the dst is decremented in sk_dst_reset() but +that decrement is counteracted by a dst_hold() intentionally placed just +before the sk_dst_reset() in ip6_negative_advice(). After +ip6_negative_advice() has finished, there is no other object tied to the +dst. The socket lost its reference stored in sk_dst_cache and the dst is +no longer in the exception table. The exception dst becomes a leaked +object. + +As a result of this dst leak, an unbalanced refcount is reported for the +loopback device of a net namespace being destroyed under kernels that do +not contain e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"): +unregister_netdevice: waiting for lo to become free. 
Usage count = 2 + +Fix the dst leak by removing the dst_hold() in ip6_negative_advice(). The +patch that introduced the dst_hold() in ip6_negative_advice() was +92f1655aa2b22 ("net: fix __dst_negative_advice() race"). But 92f1655aa2b22 +merely refactored the code with regards to the dst refcount so the issue +was present even before 92f1655aa2b22. The bug was introduced in +54c1a859efd9f ("ipv6: Don't drop cache route entry unless timer actually +expired.") where the expired cached route is deleted and the sk_dst_cache +member of the socket is set to NULL by calling dst_negative_advice() but +the refcount belonging to the socket is left unbalanced. + +The IPv4 version - ipv4_negative_advice() - is not affected by this bug. +When the TCP connection times out ipv4_negative_advice() merely resets the +sk_dst_cache of the socket while decrementing the refcount of the +exception dst. + +Fixes: 92f1655aa2b22 ("net: fix __dst_negative_advice() race") +Fixes: 54c1a859efd9f ("ipv6: Don't drop cache route entry unless timer actually expired.") +Link: https://lore.kernel.org/netdev/20241113105611.GA6723@incl/T/#u +Signed-off-by: Jiri Wiesner +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241128085950.GA4505@incl +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 37e05a77fe49e..5dbf60dd4aa2c 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -2641,10 +2641,10 @@ static void ip6_negative_advice(struct sock *sk, + if (rt->rt6i_flags & RTF_CACHE) { + rcu_read_lock(); + if (rt6_check_expired(rt)) { +- /* counteract the dst_release() in sk_dst_reset() */ +- dst_hold(dst); ++ /* rt/dst can not be destroyed yet, ++ * because of rcu_read_lock() ++ */ + sk_dst_reset(sk); +- + rt6_remove_exception_rt(rt); + } + rcu_read_unlock(); +-- +2.43.0 + 
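Review bot: The replacement comment `rt/dst can not be destroyed yet, because of rcu_read_lock()` states the guarantee but not the mechanism; since `sk_dst_reset(sk)` may now drop the last socket reference before `rt6_remove_exception_rt(rt)` runs, the reader needs to know that dst_release() defers dst_destroy() through call_rcu(), which is what makes the read-side critical section sufficient. Suggest `/* sk_dst_reset() may drop the socket's reference, but dst_release() frees via call_rcu(), so rt stays valid under rcu_read_lock() */`. The function body continues outside the hunk.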
diff --git a/queue-5.10/net-qed-allow-old-cards-not-supporting-num_images-to.patch b/queue-5.10/net-qed-allow-old-cards-not-supporting-num_images-to.patch new file mode 100644 index 00000000000..3d432d60351 --- /dev/null +++ b/queue-5.10/net-qed-allow-old-cards-not-supporting-num_images-to.patch 
@@ -0,0 +1,48 @@ +From 83b1db5694b4454da38cfa11d01729002721ff7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2024 09:33:58 +0100 +Subject: net/qed: allow old cards not supporting "num_images" to work + +From: Louis Leseur + +[ Upstream commit 7a0ea70da56ee8c2716d0b79e9959d3c47efab62 ] + +Commit 43645ce03e00 ("qed: Populate nvm image attribute shadow.") +added support for populating flash image attributes, notably +"num_images". However, some cards were not able to return this +information. In such cases, the driver would return EINVAL, causing the +driver to exit. + +Add check to return EOPNOTSUPP instead of EINVAL when the card is not +able to return these information. The caller function already handles +EOPNOTSUPP without error. + +Fixes: 43645ce03e00 ("qed: Populate nvm image attribute shadow.") +Co-developed-by: Florian Forestier +Signed-off-by: Florian Forestier +Signed-off-by: Louis Leseur +Link: https://patch.msgid.link/20241128083633.26431-1-louis.leseur@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_mcp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.c b/drivers/net/ethernet/qlogic/qed/qed_mcp.c +index 2cd14ee95c1ff..a0c09a9172dc0 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c +@@ -3262,7 +3262,9 @@ int qed_mcp_bist_nvm_get_num_images(struct qed_hwfn *p_hwfn, + if (rc) + return rc; + +- if (((rsp & FW_MSG_CODE_MASK) != FW_MSG_CODE_OK)) ++ if (((rsp & FW_MSG_CODE_MASK) == FW_MSG_CODE_UNSUPPORTED)) ++ rc = -EOPNOTSUPP; ++ else if (((rsp & FW_MSG_CODE_MASK) != FW_MSG_CODE_OK)) + rc = -EINVAL; + + return rc; +-- +2.43.0 + diff --git a/queue-5.10/net-sched-fix-erspan_opt-settings-in-cls_flower.patch b/queue-5.10/net-sched-fix-erspan_opt-settings-in-cls_flower.patch new file mode 100644 index 00000000000..5252aa59ede --- /dev/null 
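Review bot: The new branch repeats `rsp & FW_MSG_CODE_MASK` and keeps the doubled parentheses of the line it copies; a masked local, declared with the function's other locals (the top of qed_mcp_bist_nvm_get_num_images() is outside the hunk), reads better and cannot drift between the two comparisons: `u32 code = rsp & FW_MSG_CODE_MASK;` then `if (code == FW_MSG_CODE_UNSUPPORTED) rc = -EOPNOTSUPP; else if (code != FW_MSG_CODE_OK) rc = -EINVAL;`. A one-line comment such as `/* older firmware has no image attributes; caller treats -EOPNOTSUPP as "none" */` would record the contract the commit message relies on, since nothing in the hunk shows how the caller handles it. The hunk also does not show whether the output parameter is left untouched on the new path, which the caller may need.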
+++ b/queue-5.10/net-sched-fix-erspan_opt-settings-in-cls_flower.patch 
@@ -0,0 +1,68 @@ +From 5b65fd2c4b87864e13e621b0270d932a092657fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2024 10:21:38 -0500 +Subject: net: sched: fix erspan_opt settings in cls_flower + +From: Xin Long + +[ Upstream commit 292207809486d99c78068d3f459cbbbffde88415 ] + +When matching erspan_opt in cls_flower, only the (version, dir, hwid) +fields are relevant. However, in fl_set_erspan_opt() it initializes +all bits of erspan_opt and its mask to 1. This inadvertently requires +packets to match not only the (version, dir, hwid) fields but also the +other fields that are unexpectedly set to 1. + +This patch resolves the issue by ensuring that only the (version, dir, +hwid) fields are configured in fl_set_erspan_opt(), leaving the other +fields to 0 in erspan_opt. + +Fixes: 79b1011cb33d ("net: sched: allow flower to match erspan options") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Reviewed-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_flower.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index dcf21d99f132c..10d3dde238c6c 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -1218,7 +1218,6 @@ static int fl_set_erspan_opt(const struct nlattr *nla, struct fl_flow_key *key, + int err; + + md = (struct erspan_metadata *)&key->enc_opts.data[key->enc_opts.len]; +- memset(md, 0xff, sizeof(*md)); + md->version = 1; + + if (!depth) +@@ -1247,9 +1246,9 @@ static int fl_set_erspan_opt(const struct nlattr *nla, struct fl_flow_key *key, + NL_SET_ERR_MSG(extack, "Missing tunnel key erspan option index"); + return -EINVAL; + } ++ memset(&md->u.index, 0xff, sizeof(md->u.index)); + if (tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_INDEX]) { + nla = tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_INDEX]; +- memset(&md->u, 0x00, sizeof(md->u)); + md->u.index = nla_get_be32(nla); + } + } else if (md->version == 2) { +@@ -1258,10 +1257,12 @@ 
static int fl_set_erspan_opt(const struct nlattr *nla, struct fl_flow_key *key, + NL_SET_ERR_MSG(extack, "Missing tunnel key erspan option dir or hwid"); + return -EINVAL; + } ++ md->u.md2.dir = 1; + if (tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_DIR]) { + nla = tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_DIR]; + md->u.md2.dir = nla_get_u8(nla); + } ++ set_hwid(&md->u.md2, 0xff); + if (tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_HWID]) { + nla = tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_HWID]; + set_hwid(&md->u.md2, nla_get_u8(nla)); +-- +2.43.0 + diff --git a/queue-5.10/net-sched-tbf-correct-backlog-statistic-for-gso-pack.patch b/queue-5.10/net-sched-tbf-correct-backlog-statistic-for-gso-pack.patch new file mode 100644 index 00000000000..79209d7bd7f --- /dev/null +++ b/queue-5.10/net-sched-tbf-correct-backlog-statistic-for-gso-pack.patch 
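Review bot: The defaults added here — `memset(&md->u.index, 0xff, ...)`, `md->u.md2.dir = 1` and `set_hwid(&md->u.md2, 0xff)` — run before the attribute lookup and therefore also apply when the attribute is omitted, which is the right "match anything" value for a mask but a surprising value for a key; nothing in the hunk shows whether fl_set_erspan_opt() is called for both sides, so the assumption should be stated. I would add above the first default `/* all-ones default: an omitted attribute means the mask matches any value */`, and, if the function is also used for the key side, confirm that an absent attribute yielding an all-ones index or hwid in the key is intended. The commit also relies on `md` already being zeroed now that the memset of the whole struct is gone; a one-line note naming where that zeroing happens would spare the next reader the search. fl_set_erspan_opt() starts and ends outside these hunks.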
@@ -0,0 +1,90 @@ +From 195217385b8704792b680983b287fc64a74ec041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2024 18:46:07 +0100 +Subject: net/sched: tbf: correct backlog statistic for GSO packets + +From: Martin Ottens + +[ Upstream commit 1596a135e3180c92e42dd1fbcad321f4fb3e3b17 ] + +When the length of a GSO packet in the tbf qdisc is larger than the burst +size configured the packet will be segmented by the tbf_segment function. +Whenever this function is used to enqueue SKBs, the backlog statistic of +the tbf is not increased correctly. This can lead to underflows of the +'backlog' byte-statistic value when these packets are dequeued from tbf. + +Reproduce the bug: +Ensure that the sender machine has GSO enabled. Configured the tbf on +the outgoing interface of the machine as follows (burstsize = 1 MTU): +$ tc qdisc add dev root handle 1: tbf rate 50Mbit burst 1514 latency 50ms + +Send bulk TCP traffic out via this interface, e.g., by running an iPerf3 +client on this machine. Check the qdisc statistics: +$ tc -s qdisc show dev + +The 'backlog' byte-statistic has incorrect values while traffic is +transferred, e.g., high values due to u32 underflows. When the transfer +is stopped, the value is != 0, which should never happen. + +This patch fixes this bug by updating the statistics correctly, even if +single SKBs of a GSO SKB cannot be enqueued. 
+ +Fixes: e43ac79a4bc6 ("sch_tbf: segment too big GSO packets") +Signed-off-by: Martin Ottens +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241125174608.1484356-1-martin.ottens@fau.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_tbf.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c +index 7461e5c67d50a..5f50fdeaafa8d 100644 +--- a/net/sched/sch_tbf.c ++++ b/net/sched/sch_tbf.c +@@ -193,7 +193,7 @@ static int tbf_segment(struct sk_buff *skb, struct Qdisc *sch, + struct tbf_sched_data *q = qdisc_priv(sch); + struct sk_buff *segs, *nskb; + netdev_features_t features = netif_skb_features(skb); +- unsigned int len = 0, prev_len = qdisc_pkt_len(skb); ++ unsigned int len = 0, prev_len = qdisc_pkt_len(skb), seg_len; + int ret, nb; + + segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK); +@@ -204,21 +204,27 @@ static int tbf_segment(struct sk_buff *skb, struct Qdisc *sch, + nb = 0; + skb_list_walk_safe(segs, segs, nskb) { + skb_mark_not_on_list(segs); +- qdisc_skb_cb(segs)->pkt_len = segs->len; +- len += segs->len; ++ seg_len = segs->len; ++ qdisc_skb_cb(segs)->pkt_len = seg_len; + ret = qdisc_enqueue(segs, q->qdisc, to_free); + if (ret != NET_XMIT_SUCCESS) { + if (net_xmit_drop_count(ret)) + qdisc_qstats_drop(sch); + } else { + nb++; ++ len += seg_len; + } + } + sch->q.qlen += nb; +- if (nb > 1) ++ sch->qstats.backlog += len; ++ if (nb > 0) { + qdisc_tree_reduce_backlog(sch, 1 - nb, prev_len - len); +- consume_skb(skb); +- return nb > 0 ? NET_XMIT_SUCCESS : NET_XMIT_DROP; ++ consume_skb(skb); ++ return NET_XMIT_SUCCESS; ++ } ++ ++ kfree_skb(skb); ++ return NET_XMIT_DROP; + } + + static int tbf_enqueue(struct sk_buff *skb, struct Qdisc *sch, +-- +2.43.0 + 
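Review bot: `qdisc_tree_reduce_backlog(sch, 1 - nb, prev_len - len)` now runs only when at least one segment was queued, and its arguments encode an assumption that is written nowhere in the hunk — that the parent already counted the original GSO skb as one packet of prev_len bytes; I would add `/* parent counted the GSO skb as 1 packet of prev_len; correct it to the nb segments actually queued */` above the call. `len` and `prev_len` are unsigned, so `prev_len - len` wraps when the segments total more than the original (per-segment headers), which is the intended negative correction if qdisc_tree_reduce_backlog() still takes int parameters, but worth a comment since the wrap looks accidental. Both the start and the remaining tail of tbf_segment() lie outside the hunk.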
diff --git a/queue-5.10/netfilter-ipset-hold-module-reference-while-requesti.patch b/queue-5.10/netfilter-ipset-hold-module-reference-while-requesti.patch new file mode 100644 index 00000000000..f4f22447f61 --- /dev/null +++ b/queue-5.10/netfilter-ipset-hold-module-reference-while-requesti.patch @@ -0,0 +1,49 @@ +From 7cdd3e9a7624f4b7186d3cb6c03988f0789018ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Nov 2024 16:30:38 +0100 +Subject: netfilter: ipset: Hold module reference while requesting a module + +From: Phil Sutter + +[ Upstream commit 456f010bfaefde84d3390c755eedb1b0a5857c3c ] + +User space may unload ip_set.ko while it is itself requesting a set type +backend module, leading to a kernel crash. The race condition may be +provoked by inserting an mdelay() right after the nfnl_unlock() call. + +Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support") +Signed-off-by: Phil Sutter +Acked-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c +index bac92369a5436..a265efd31ba96 100644 +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -104,14 +104,19 @@ find_set_type(const char *name, u8 family, u8 revision) + static bool + load_settype(const char *name) + { ++ if (!try_module_get(THIS_MODULE)) ++ return false; ++ + nfnl_unlock(NFNL_SUBSYS_IPSET); + pr_debug("try to load ip_set_%s\n", name); + if (request_module("ip_set_%s", name) < 0) { + pr_warn("Can't find ip_set type %s\n", name); + nfnl_lock(NFNL_SUBSYS_IPSET); ++ module_put(THIS_MODULE); + return false; + } + nfnl_lock(NFNL_SUBSYS_IPSET); ++ module_put(THIS_MODULE); + return true; + } + +-- +2.43.0 + 
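Review bot: The fix adds a second `nfnl_lock(); module_put();` sequence, so load_settype() now has two exit paths that must stay in step; folding them into one tail with a result flag keeps the lock/refcount bookkeeping in a single place. The failure of try_module_get(THIS_MODULE) is also silent, which is fine only if the caller's own "type not found" report is enough — a `pr_debug` there would help when debugging an unload race. The rewrite below preserves the order of pr_warn, relock and module_put from the patch.

```c
static bool
load_settype(const char *name)
{
	bool loaded;

	if (!try_module_get(THIS_MODULE))
		return false;

	nfnl_unlock(NFNL_SUBSYS_IPSET);
	pr_debug("try to load ip_set_%s\n", name);
	loaded = request_module("ip_set_%s", name) >= 0;
	if (!loaded)
		pr_warn("Can't find ip_set type %s\n", name);
	nfnl_lock(NFNL_SUBSYS_IPSET);
	module_put(THIS_MODULE);
	return loaded;
}
```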
diff --git a/queue-5.10/netfilter-nft_set_hash-skip-duplicated-elements-pend.patch b/queue-5.10/netfilter-nft_set_hash-skip-duplicated-elements-pend.patch new file mode 100644 index 00000000000..5e93ae09ea7 --- /dev/null +++ b/queue-5.10/netfilter-nft_set_hash-skip-duplicated-elements-pend.patch 
@@ -0,0 +1,97 @@ +From b8ac8f4babc25ba4b8aac78b35a0aeacf0049235 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2024 00:04:49 +0100 +Subject: netfilter: nft_set_hash: skip duplicated elements pending gc run + +From: Pablo Neira Ayuso + +[ Upstream commit 7ffc7481153bbabf3332c6a19b289730c7e1edf5 ] + +rhashtable does not provide stable walk, duplicated elements are +possible in case of resizing. I considered that checking for errors when +calling rhashtable_walk_next() was sufficient to detect the resizing. +However, rhashtable_walk_next() returns -EAGAIN only at the end of the +iteration, which is too late, because a gc work containing duplicated +elements could have been already scheduled for removal to the worker. + +Add a u32 gc worker sequence number per set, bump it on every workqueue +run. Annotate gc worker sequence number on the expired element. Use it +to skip those already seen in this gc workqueue run. + +Note that this new field is never reset in case gc transaction fails, so +next gc worker run on the expired element overrides it. Wraparound of gc +worker sequence number should not be an issue with stale gc worker +sequence number in the element, that would just postpone the element +removal in one gc run. + +Note that it is not possible to use flags to annotate that element is +pending gc run to detect duplicates, given that gc transaction can be +invalidated in case of update from the control plane, therefore, not +allowing to clear such flag. + +On x86_64, pahole reports no changes in the size of nft_rhash_elem. 
+ +Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API") +Reported-by: Laurent Fasnacht +Tested-by: Laurent Fasnacht +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_hash.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c +index 2499d25a5c85f..8656cb61dd211 100644 +--- a/net/netfilter/nft_set_hash.c ++++ b/net/netfilter/nft_set_hash.c +@@ -27,10 +27,12 @@ extern unsigned int nf_tables_net_id; + struct nft_rhash { + struct rhashtable ht; + struct delayed_work gc_work; ++ u32 wq_gc_seq; + }; + + struct nft_rhash_elem { + struct rhash_head node; ++ u32 wq_gc_seq; + struct nft_set_ext ext; + }; + +@@ -325,6 +327,10 @@ static void nft_rhash_gc(struct work_struct *work) + if (!gc) + goto done; + ++ /* Elements never collected use a zero gc worker sequence number. */ ++ if (unlikely(++priv->wq_gc_seq == 0)) ++ priv->wq_gc_seq++; ++ + rhashtable_walk_enter(&priv->ht, &hti); + rhashtable_walk_start(&hti); + +@@ -342,6 +348,14 @@ static void nft_rhash_gc(struct work_struct *work) + goto try_later; + } + ++ /* rhashtable walk is unstable, already seen in this gc run? ++ * Then, skip this element. In case of (unlikely) sequence ++ * wraparound and stale element wq_gc_seq, next gc run will ++ * just find this expired element. ++ */ ++ if (he->wq_gc_seq == priv->wq_gc_seq) ++ continue; ++ + if (nft_set_elem_is_dead(&he->ext)) + goto dead_elem; + +@@ -362,6 +376,8 @@ static void nft_rhash_gc(struct work_struct *work) + if (!gc) + goto try_later; + ++ /* annotate gc sequence for this attempt. */ ++ he->wq_gc_seq = priv->wq_gc_seq; + nft_trans_gc_elem_add(gc, he); + } + +-- +2.43.0 + diff --git a/queue-5.10/netfilter-x_tables-fix-led-id-check-in-led_tg_check.patch b/queue-5.10/netfilter-x_tables-fix-led-id-check-in-led_tg_check.patch new file mode 100644 index 00000000000..e7c69b8b732 --- /dev/null 
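Review bot: The two new `wq_gc_seq` fields are undocumented, and the scheme rests on fresh elements starting at 0, which the hunk only states in a comment inside the gc worker; if nft_rhash_elem is not zero-allocated (not visible here) a new element could carry garbage equal to the current sequence and be skipped for one run. I would document both fields where they are declared: `u32 wq_gc_seq; /* bumped on every gc worker run; never 0 */` in nft_rhash, and `u32 wq_gc_seq; /* gc run that last queued this element; 0 = never, a stale value only delays removal by one run */` in nft_rhash_elem. The element's sequence appears to be written and compared only from the worker, so no ordering annotation seems needed, but that is inferred from the hunk rather than shown. nft_rhash_gc() starts and ends outside these hunks.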
+++ b/queue-5.10/netfilter-x_tables-fix-led-id-check-in-led_tg_check.patch 
@@ -0,0 +1,109 @@ +From b0a906ed9174df54172ebb9b38fd29de437e2bfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2024 09:55:42 +0300 +Subject: netfilter: x_tables: fix LED ID check in led_tg_check() + +From: Dmitry Antipov + +[ Upstream commit 04317f4eb2aad312ad85c1a17ad81fe75f1f9bc7 ] + +Syzbot has reported the following BUG detected by KASAN: + +BUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70 +Read of size 1 at addr ffff8881022da0c8 by task repro/5879 +... +Call Trace: + + dump_stack_lvl+0x241/0x360 + ? __pfx_dump_stack_lvl+0x10/0x10 + ? __pfx__printk+0x10/0x10 + ? _printk+0xd5/0x120 + ? __virt_addr_valid+0x183/0x530 + ? __virt_addr_valid+0x183/0x530 + print_report+0x169/0x550 + ? __virt_addr_valid+0x183/0x530 + ? __virt_addr_valid+0x183/0x530 + ? __virt_addr_valid+0x45f/0x530 + ? __phys_addr+0xba/0x170 + ? strlen+0x58/0x70 + kasan_report+0x143/0x180 + ? strlen+0x58/0x70 + strlen+0x58/0x70 + kstrdup+0x20/0x80 + led_tg_check+0x18b/0x3c0 + xt_check_target+0x3bb/0xa40 + ? __pfx_xt_check_target+0x10/0x10 + ? stack_depot_save_flags+0x6e4/0x830 + ? nft_target_init+0x174/0xc30 + nft_target_init+0x82d/0xc30 + ? __pfx_nft_target_init+0x10/0x10 + ? nf_tables_newrule+0x1609/0x2980 + ? nf_tables_newrule+0x1609/0x2980 + ? rcu_is_watching+0x15/0xb0 + ? nf_tables_newrule+0x1609/0x2980 + ? nf_tables_newrule+0x1609/0x2980 + ? __kmalloc_noprof+0x21a/0x400 + nf_tables_newrule+0x1860/0x2980 + ? __pfx_nf_tables_newrule+0x10/0x10 + ? __nla_parse+0x40/0x60 + nfnetlink_rcv+0x14e5/0x2ab0 + ? __pfx_validate_chain+0x10/0x10 + ? __pfx_nfnetlink_rcv+0x10/0x10 + ? __lock_acquire+0x1384/0x2050 + ? netlink_deliver_tap+0x2e/0x1b0 + ? __pfx_lock_release+0x10/0x10 + ? netlink_deliver_tap+0x2e/0x1b0 + netlink_unicast+0x7f8/0x990 + ? __pfx_netlink_unicast+0x10/0x10 + ? __virt_addr_valid+0x183/0x530 + ? __check_object_size+0x48e/0x900 + netlink_sendmsg+0x8e4/0xcb0 + ? __pfx_netlink_sendmsg+0x10/0x10 + ? aa_sock_msg_perm+0x91/0x160 + ? 
__pfx_netlink_sendmsg+0x10/0x10 + __sock_sendmsg+0x223/0x270 + ____sys_sendmsg+0x52a/0x7e0 + ? __pfx_____sys_sendmsg+0x10/0x10 + __sys_sendmsg+0x292/0x380 + ? __pfx___sys_sendmsg+0x10/0x10 + ? lockdep_hardirqs_on_prepare+0x43d/0x780 + ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 + ? exc_page_fault+0x590/0x8c0 + ? do_syscall_64+0xb6/0x230 + do_syscall_64+0xf3/0x230 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +... + + +Since an invalid (without '\0' byte at all) byte sequence may be passed +from userspace, add an extra check to ensure that such a sequence is +rejected as possible ID and so never passed to 'kstrdup()' and further. + +Reported-by: syzbot+6c8215822f35fdb35667@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=6c8215822f35fdb35667 +Fixes: 268cb38e1802 ("netfilter: x_tables: add LED trigger target") +Signed-off-by: Dmitry Antipov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_LED.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c +index 0371c387b0d1f..13a2b5820b34b 100644 +--- a/net/netfilter/xt_LED.c ++++ b/net/netfilter/xt_LED.c +@@ -97,7 +97,9 @@ static int led_tg_check(const struct xt_tgchk_param *par) + struct xt_led_info_internal *ledinternal; + int err; + +- if (ledinfo->id[0] == '\0') ++ /* Bail out if empty string or not a string at all. */ ++ if (ledinfo->id[0] == '\0' || ++ !memchr(ledinfo->id, '\0', sizeof(ledinfo->id))) + return -EINVAL; + + mutex_lock(&xt_led_mutex); +-- +2.43.0 + diff --git a/queue-5.10/ptp-add-error-handling-for-adjfine-callback-in-ptp_c.patch b/queue-5.10/ptp-add-error-handling-for-adjfine-callback-in-ptp_c.patch new file mode 100644 index 00000000000..d8701fcaccc --- /dev/null +++ b/queue-5.10/ptp-add-error-handling-for-adjfine-callback-in-ptp_c.patch 
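Review bot: The new test is correct but reads as two unrelated conditions; since `ledinfo->id` arrives from the target's userspace blob (nft_target_init → xt_check_target in the trace), expressing it as one bounded length check makes the validation intent explicit: `size_t len = strnlen(ledinfo->id, sizeof(ledinfo->id));` declared alongside `err`, then `if (len == 0 || len == sizeof(ledinfo->id)) return -EINVAL;`. That also yields a length the later kstrdup() call, outside the hunk, could reuse. led_tg_check() continues past the hunk.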
@@ -0,0 +1,42 @@ +From f2d6a38562ba4f517a96556a3209596ffde7302d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2024 10:59:54 +0000 +Subject: ptp: Add error handling for adjfine callback in ptp_clock_adjtime + +From: Ajay Kaher + +[ Upstream commit 98337d7c87577ded71114f6976edb70a163e27bc ] + +ptp_clock_adjtime sets ptp->dialed_frequency even when adjfine +callback returns an error. This causes subsequent reads to return +an incorrect value. + +Fix this by adding error check before ptp->dialed_frequency is set. + +Fixes: 39a8cbd9ca05 ("ptp: remember the adjusted frequency") +Signed-off-by: Ajay Kaher +Acked-by: Richard Cochran +Link: https://patch.msgid.link/20241125105954.1509971-1-ajay.kaher@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_clock.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c +index ed766943a3563..4d775cd8ee3ce 100644 +--- a/drivers/ptp/ptp_clock.c ++++ b/drivers/ptp/ptp_clock.c +@@ -146,7 +146,8 @@ static int ptp_clock_adjtime(struct posix_clock *pc, struct __kernel_timex *tx) + err = ops->adjfine(ops, tx->freq); + else + err = ops->adjfreq(ops, ppb); +- ptp->dialed_frequency = tx->freq; ++ if (!err) ++ ptp->dialed_frequency = tx->freq; + } else if (tx->modes & ADJ_OFFSET) { + if (ops->adjphase) { + s32 offset = tx->offset; +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index b5001a0b768..5167fb81dc2 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -324,3 +324,31 @@ nfsd-make-sure-exp-active-before-svc_export_show.patch nfsd-fix-nfs4_openowner-leak-when-concurrent-nfsd4_open-occur.patch btrfs-don-t-bug_on-on-enomem-from-btrfs_lookup_extent_info-in-walk_down_proc.patch drm-etnaviv-flush-shader-l1-cache-after-user-commandstream.patch +itco_wdt-mask-nmi_now-bit-for-update_no_reboot_bit-c.patch +watchdog-mediatek-make-sure-system-reset-gets-assert.patch +can-sun4i_can-sun4i_can_err-call-can_change_state-ev.patch +can-sun4i_can-sun4i_can_err-fix-rx-tx-_errors-statis.patch +ipvs-fix-ub-due-to-uninitialized-stack-access-in-ip_.patch +netfilter-x_tables-fix-led-id-check-in-led_tg_check.patch +ptp-add-error-handling-for-adjfine-callback-in-ptp_c.patch +net-sched-tbf-correct-backlog-statistic-for-gso-pack.patch +net-hsr-avoid-potential-out-of-bound-access-in-fill_.patch +can-j1939-j1939_session_new-fix-skb-reference-counti.patch +net-ipv6-release-expired-exception-dst-cached-in-soc.patch +dccp-fix-memory-leak-in-dccp_feat_change_recv.patch +tipc-fix-use-after-free-of-kernel-socket-in-cleanup_.patch +net-qed-allow-old-cards-not-supporting-num_images-to.patch +igb-fix-potential-invalid-memory-access-in-igb_init_.patch +net-sched-fix-erspan_opt-settings-in-cls_flower.patch +netfilter-ipset-hold-module-reference-while-requesti.patch +netfilter-nft_set_hash-skip-duplicated-elements-pend.patch +ethtool-fix-wrong-mod-state-in-case-of-verbose-and-n.patch +geneve-do-not-assume-mac-header-is-set-in-geneve_xmi.patch +gpio-grgpio-use-a-helper-variable-to-store-the-addre.patch +gpio-grgpio-add-null-check-in-grgpio_probe.patch +dt_bindings-rs485-correct-delay-values.patch +dt-bindings-serial-rs485-fix-rs485-rts-delay-propert.patch +i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch +i3c-master-replace-hard-code-2-with-macro-i3c_addr_s.patch +i3c-master-extend-address-status-bit-to-4-and-add-i3.patch +i3c-master-fix-dynamic-address-leak-when-assigned-ad.patch 
diff --git a/queue-5.10/tipc-fix-use-after-free-of-kernel-socket-in-cleanup_.patch b/queue-5.10/tipc-fix-use-after-free-of-kernel-socket-in-cleanup_.patch new file mode 100644 index 00000000000..044376d5e8e --- /dev/null +++ b/queue-5.10/tipc-fix-use-after-free-of-kernel-socket-in-cleanup_.patch 
@@ -0,0 +1,107 @@ +From 11584f5fa61caa92f6f06ebe1d3b71454455a122 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2024 14:05:12 +0900 +Subject: tipc: Fix use-after-free of kernel socket in cleanup_bearer(). + +From: Kuniyuki Iwashima + +[ Upstream commit 6a2fa13312e51a621f652d522d7e2df7066330b6 ] + +syzkaller reported a use-after-free of UDP kernel socket +in cleanup_bearer() without repro. [0][1] + +When bearer_disable() calls tipc_udp_disable(), cleanup +of the UDP kernel socket is deferred by work calling +cleanup_bearer(). + +tipc_net_stop() waits for such works to finish by checking +tipc_net(net)->wq_count. However, the work decrements the +count too early before releasing the kernel socket, +unblocking cleanup_net() and resulting in use-after-free. + +Let's move the decrement after releasing the socket in +cleanup_bearer(). + +[0]: +ref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at + sk_alloc+0x438/0x608 + inet_create+0x4c8/0xcb0 + __sock_create+0x350/0x6b8 + sock_create_kern+0x58/0x78 + udp_sock_create4+0x68/0x398 + udp_sock_create+0x88/0xc8 + tipc_udp_enable+0x5e8/0x848 + __tipc_nl_bearer_enable+0x84c/0xed8 + tipc_nl_bearer_enable+0x38/0x60 + genl_family_rcv_msg_doit+0x170/0x248 + genl_rcv_msg+0x400/0x5b0 + netlink_rcv_skb+0x1dc/0x398 + genl_rcv+0x44/0x68 + netlink_unicast+0x678/0x8b0 + netlink_sendmsg+0x5e4/0x898 + ____sys_sendmsg+0x500/0x830 + +[1]: +BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline] +BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979 + udp_hashslot include/net/udp.h:85 [inline] + udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979 + sk_common_release+0xaf/0x3f0 net/core/sock.c:3820 + inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437 + inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489 + __sock_release net/socket.c:658 [inline] + sock_release+0xa0/0x210 net/socket.c:686 + cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819 + process_one_work kernel/workqueue.c:3229 [inline] + 
process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310 + worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391 + kthread+0x531/0x6b0 kernel/kthread.c:389 + ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 + +Uninit was created at: + slab_free_hook mm/slub.c:2269 [inline] + slab_free mm/slub.c:4580 [inline] + kmem_cache_free+0x207/0xc40 mm/slub.c:4682 + net_free net/core/net_namespace.c:454 [inline] + cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647 + process_one_work kernel/workqueue.c:3229 [inline] + process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310 + worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391 + kthread+0x531/0x6b0 kernel/kthread.c:389 + ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 + +CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: events cleanup_bearer + +Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20241127050512.28438-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/udp_media.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c +index ec6d7730b8522..d54b5c1d3c83c 100644 +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -810,10 +810,10 @@ static void cleanup_bearer(struct work_struct *work) + kfree_rcu(rcast, rcu); + } + +- atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count); + dst_cache_destroy(&ub->rcast.dst_cache); + udp_tunnel_sock_release(ub->ubsock); + synchronize_net(); ++ atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count); + 
kfree(ub); + } + +-- +2.43.0 + diff --git a/queue-5.10/watchdog-mediatek-make-sure-system-reset-gets-assert.patch b/queue-5.10/watchdog-mediatek-make-sure-system-reset-gets-assert.patch new file mode 100644 index 00000000000..ee2c6940542 --- /dev/null +++ b/queue-5.10/watchdog-mediatek-make-sure-system-reset-gets-assert.patch @@ -0,0 +1,48 @@ +From 038144cf9514b0cedf6e4582f2156e43f8e83a73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2024 10:47:51 +0000 +Subject: watchdog: mediatek: Make sure system reset gets asserted in + mtk_wdt_restart() + +From: Yassine Oudjana + +[ Upstream commit a1495a21e0b8aad92132dfcf9c6fffc1bde9d5b2 ] + +Clear the IRQ enable bit of WDT_MODE before asserting software reset +in order to make TOPRGU issue a system reset signal instead of an IRQ. + +Fixes: a44a45536f7b ("watchdog: Add driver for Mediatek watchdog") +Signed-off-by: Yassine Oudjana +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20241106104738.195968-2-y.oudjana@protonmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/mtk_wdt.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/watchdog/mtk_wdt.c b/drivers/watchdog/mtk_wdt.c +index d6a6393f609d1..2cc668b295fd9 100644 +--- a/drivers/watchdog/mtk_wdt.c ++++ b/drivers/watchdog/mtk_wdt.c +@@ -153,9 +153,15 @@ static int mtk_wdt_restart(struct watchdog_device *wdt_dev, + { + struct mtk_wdt_dev *mtk_wdt = watchdog_get_drvdata(wdt_dev); + void __iomem *wdt_base; ++ u32 reg; + + wdt_base = mtk_wdt->wdt_base; + ++ /* Enable reset in order to issue a system reset instead of an IRQ */ ++ reg = readl(wdt_base + WDT_MODE); ++ reg &= ~WDT_MODE_IRQ_EN; ++ writel(reg | WDT_MODE_KEY, wdt_base + WDT_MODE); ++ + while (1) { + writel(WDT_SWRST_KEY, wdt_base + WDT_SWRST); + mdelay(5); +-- +2.43.0 +
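Review bot: The moved `atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count)` now executes after `udp_tunnel_sock_release(ub->ubsock)`, so it reads `ub->ubsock->sk` through a socket the function has just released; depending on what sock_release() does to sock->sk and to the socket itself, that is a NULL dereference or a use-after-free of the very kind the commit sets out to fix. Capture the namespace before the release and use the saved pointer afterwards: `struct net *net = sock_net(ub->ubsock->sk);` among the locals (the top of cleanup_bearer() is outside the hunk), then `atomic_dec(&tipc_net(net)->wq_count);` after synchronize_net(). Moving the decrement after synchronize_net() is the right fix; only the re-read of ub->ubsock is wrong.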