From: Sasha Levin Date: Mon, 26 Feb 2024 22:21:34 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v4.19.308~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f2b2ce99993a80dafd65a14be3b906bbf3eb4c8;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/afs-increase-buffer-size-in-afs_update_volume_status.patch b/queue-5.10/afs-increase-buffer-size-in-afs_update_volume_status.patch new file mode 100644 index 00000000000..11fa605a11e --- /dev/null +++ b/queue-5.10/afs-increase-buffer-size-in-afs_update_volume_status.patch @@ -0,0 +1,53 @@ +From bd1ad4f7a865a672be65072e7513419d17a5a8e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 14:39:03 +0000 +Subject: afs: Increase buffer size in afs_update_volume_status() + +From: Daniil Dulov + +[ Upstream commit 6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d ] + +The max length of volume->vid value is 20 characters. +So increase idbuf[] size up to 24 to avoid overflow. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()] + +Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") +Signed-off-by: Daniil Dulov +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20240211150442.3416-1-d.dulov@aladdin.ru/ # v1 +Link: https://lore.kernel.org/r/20240212083347.10742-1-d.dulov@aladdin.ru/ # v2 +Link: https://lore.kernel.org/r/20240219143906.138346-3-dhowells@redhat.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/afs/volume.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/volume.c b/fs/afs/volume.c +index f84194b791d3e..fb19c69284ab2 100644 +--- a/fs/afs/volume.c ++++ b/fs/afs/volume.c +@@ -302,7 +302,7 @@ static int afs_update_volume_status(struct afs_volume *volume, struct key *key) + { + struct afs_server_list *new, *old, *discard; + struct afs_vldb_entry *vldb; +- char idbuf[16]; ++ char idbuf[24]; + int ret, idsz; + + _enter(""); +@@ -310,7 +310,7 @@ static int afs_update_volume_status(struct afs_volume *volume, struct key *key) + /* We look up an ID by passing it as a decimal string in the + * operation's name parameter. + */ +- idsz = sprintf(idbuf, "%llu", volume->vid); ++ idsz = snprintf(idbuf, sizeof(idbuf), "%llu", volume->vid); + + vldb = afs_vl_lookup_vldb(volume->cell, key, idbuf, idsz); + if (IS_ERR(vldb)) { +-- +2.43.0 + diff --git a/queue-5.10/arm64-dts-rockchip-set-num-cs-property-for-spi-on-px.patch b/queue-5.10/arm64-dts-rockchip-set-num-cs-property-for-spi-on-px.patch new file mode 100644 index 00000000000..2bb1492a934 --- /dev/null +++ b/queue-5.10/arm64-dts-rockchip-set-num-cs-property-for-spi-on-px.patch @@ -0,0 +1,50 @@ +From ab629e7ba90ac41fe434c9f7b11ee4c96ea2810c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 11:16:56 +0100 +Subject: arm64: dts: rockchip: set num-cs property for spi on px30 + +From: Heiko Stuebner + +[ Upstream commit 334bf0710c98d391f4067b72f535d6c4c84dfb6f ] + +The px30 has two spi controllers with two chip-selects each. +The num-cs property is specified as the total number of chip +selects a controllers has and is used since 2020 to find uses +of chipselects outside that range in the Rockchip spi driver. + +Without the property set, the default is 1, so spi devices +using the second chipselect will not be created. + +Fixes: eb1262e3cc8b ("spi: spi-rockchip: use num-cs property and ctlr->enable_gpiods") +Signed-off-by: Heiko Stuebner +Reviewed-by: Quentin Schulz +Link: https://lore.kernel.org/r/20240119101656.965744-1-heiko@sntech.de +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/px30.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/rockchip/px30.dtsi b/arch/arm64/boot/dts/rockchip/px30.dtsi +index 0d6761074b11a..f241e7c318bcd 100644 +--- a/arch/arm64/boot/dts/rockchip/px30.dtsi ++++ b/arch/arm64/boot/dts/rockchip/px30.dtsi +@@ -577,6 +577,7 @@ + clock-names = "spiclk", "apb_pclk"; + dmas = <&dmac 12>, <&dmac 13>; + dma-names = "tx", "rx"; ++ num-cs = <2>; + pinctrl-names = "default"; + pinctrl-0 = <&spi0_clk &spi0_csn &spi0_miso &spi0_mosi>; + #address-cells = <1>; +@@ -592,6 +593,7 @@ + clock-names = "spiclk", "apb_pclk"; + dmas = <&dmac 14>, <&dmac 15>; + dma-names = "tx", "rx"; ++ num-cs = <2>; + pinctrl-names = "default"; + pinctrl-0 = <&spi1_clk &spi1_csn0 &spi1_csn1 &spi1_miso &spi1_mosi>; + #address-cells = <1>; +-- +2.43.0 + diff --git a/queue-5.10/bpf-scripts-correct-gpl-license-name.patch b/queue-5.10/bpf-scripts-correct-gpl-license-name.patch new file mode 100644 index 00000000000..bcdb4c73928 --- /dev/null +++ b/queue-5.10/bpf-scripts-correct-gpl-license-name.patch @@ -0,0 +1,41 @@ +From e6c8ae8bb08a16afb41ff103119b132883ed187f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 23:05:46 +0000 +Subject: bpf, scripts: Correct GPL license name + +From: Gianmarco Lusvardi + +[ Upstream commit e37243b65d528a8a9f8b9a57a43885f8e8dfc15c ] + +The bpf_doc script refers to the GPL as the "GNU Privacy License". +I strongly suspect that the author wanted to refer to the GNU General +Public License, under which the Linux kernel is released, as, to the +best of my knowledge, there is no license named "GNU Privacy License". +This patch corrects the license name in the script accordingly. + +Fixes: 56a092c89505 ("bpf: add script and prepare bpf.h for new helpers documentation") +Signed-off-by: Gianmarco Lusvardi +Signed-off-by: Daniel Borkmann +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/bpf/20240213230544.930018-3-glusvardi@posteo.net +Signed-off-by: Sasha Levin +--- + scripts/bpf_helpers_doc.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/bpf_helpers_doc.py b/scripts/bpf_helpers_doc.py +index 31484377b8b11..806240dda6090 100755 +--- a/scripts/bpf_helpers_doc.py ++++ b/scripts/bpf_helpers_doc.py +@@ -284,7 +284,7 @@ eBPF programs can have an associated license, passed along with the bytecode + instructions to the kernel when the programs are loaded. The format for that + string is identical to the one in use for kernel modules (Dual licenses, such + as "Dual BSD/GPL", may be used). Some helper functions are only accessible to +-programs that are compatible with the GNU Privacy License (GPL). ++programs that are compatible with the GNU General Public License (GNU GPL). + + In order to use such helpers, the eBPF program must be loaded with the correct + license string passed (via **attr**) to the **bpf**\ () system call, and this +-- +2.43.0 + diff --git a/queue-5.10/drm-amd-display-fix-memory-leak-in-dm_sw_fini.patch b/queue-5.10/drm-amd-display-fix-memory-leak-in-dm_sw_fini.patch new file mode 100644 index 00000000000..e7265b99b26 --- /dev/null +++ b/queue-5.10/drm-amd-display-fix-memory-leak-in-dm_sw_fini.patch @@ -0,0 +1,60 @@ +From 33a9efe01168894afc99dc5009ec2e0109f30866 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 01:50:50 +0100 +Subject: drm/amd/display: Fix memory leak in dm_sw_fini() + +From: Armin Wolf + +[ Upstream commit bae67893578d608e35691dcdfa90c4957debf1d3 ] + +After destroying dmub_srv, the memory associated with it is +not freed, causing a memory leak: + +unreferenced object 0xffff896302b45800 (size 1024): + comm "(udev-worker)", pid 222, jiffies 4294894636 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc 6265fd77): + [] kmalloc_trace+0x29d/0x340 + [] dm_dmub_sw_init+0xb4/0x450 [amdgpu] + [] dm_sw_init+0x15/0x2b0 [amdgpu] + [] amdgpu_device_init+0x1417/0x24e0 [amdgpu] + [] amdgpu_driver_load_kms+0x15/0x190 [amdgpu] + [] amdgpu_pci_probe+0x187/0x4e0 [amdgpu] + [] local_pci_probe+0x3e/0x90 + [] pci_device_probe+0xc3/0x230 + [] really_probe+0xe2/0x480 + [] __driver_probe_device+0x78/0x160 + [] driver_probe_device+0x1f/0x90 + [] __driver_attach+0xce/0x1c0 + [] bus_for_each_dev+0x70/0xc0 + [] bus_add_driver+0x112/0x210 + [] driver_register+0x55/0x100 + [] do_one_initcall+0x41/0x300 + +Fix this by freeing dmub_srv after destroying it. + +Fixes: 743b9786b14a ("drm/amd/display: Hook up the DMUB service in DM") +Signed-off-by: Armin Wolf +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 54d6b4128721e..3578e3b3536e3 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -1456,6 +1456,7 @@ static int dm_sw_fini(void *handle) + + if (adev->dm.dmub_srv) { + dmub_srv_destroy(adev->dm.dmub_srv); ++ kfree(adev->dm.dmub_srv); + adev->dm.dmub_srv = NULL; + } + +-- +2.43.0 + diff --git a/queue-5.10/drm-syncobj-call-drm_syncobj_fence_add_wait-when-wai.patch b/queue-5.10/drm-syncobj-call-drm_syncobj_fence_add_wait-when-wai.patch new file mode 100644 index 00000000000..6a52544d2ab --- /dev/null +++ b/queue-5.10/drm-syncobj-call-drm_syncobj_fence_add_wait-when-wai.patch @@ -0,0 +1,75 @@ +From ef2e0216b4ed60d93d523ae0e8bc19b189338d60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 08:32:06 -0800 +Subject: drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag + is set + +From: Erik Kurzinger + +[ Upstream commit 3c43177ffb54ea5be97505eb8e2690e99ac96bc9 ] + +When waiting for a syncobj timeline point whose fence has not yet been +submitted with the WAIT_FOR_SUBMIT flag, a callback is registered using +drm_syncobj_fence_add_wait and the thread is put to sleep until the +timeout expires. If the fence is submitted before then, +drm_syncobj_add_point will wake up the sleeping thread immediately which +will proceed to wait for the fence to be signaled. + +However, if the WAIT_AVAILABLE flag is used instead, +drm_syncobj_fence_add_wait won't get called, meaning the waiting thread +will always sleep for the full timeout duration, even if the fence gets +submitted earlier. If it turns out that the fence *has* been submitted +by the time it eventually wakes up, it will still indicate to userspace +that the wait completed successfully (it won't return -ETIME), but it +will have taken much longer than it should have. + +To fix this, we must call drm_syncobj_fence_add_wait if *either* the +WAIT_FOR_SUBMIT flag or the WAIT_AVAILABLE flag is set. The only +difference being that with WAIT_FOR_SUBMIT we will also wait for the +fence to be signaled after it has been submitted while with +WAIT_AVAILABLE we will return immediately. + +IGT test patch: https://lists.freedesktop.org/archives/igt-dev/2024-January/067537.html + +v1 -> v2: adjust lockdep_assert_none_held_once condition + +(cherry picked from commit 8c44ea81634a4a337df70a32621a5f3791be23df) + +Fixes: 01d6c3578379 ("drm/syncobj: add support for timeline point wait v8") +Signed-off-by: Erik Kurzinger +Signed-off-by: Simon Ser +Reviewed-by: Daniel Vetter +Reviewed-by: Simon Ser +Link: https://patchwork.freedesktop.org/patch/msgid/20240119163208.3723457-1-ekurzinger@nvidia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_syncobj.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c +index 4c3c8f8da0215..6ce446cc88780 100644 +--- a/drivers/gpu/drm/drm_syncobj.c ++++ b/drivers/gpu/drm/drm_syncobj.c +@@ -960,7 +960,8 @@ static signed long drm_syncobj_array_wait_timeout(struct drm_syncobj **syncobjs, + uint64_t *points; + uint32_t signaled_count, i; + +- if (flags & DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT) ++ if (flags & (DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT | ++ DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE)) + lockdep_assert_none_held_once(); + + points = kmalloc_array(count, sizeof(*points), GFP_KERNEL); +@@ -1029,7 +1030,8 @@ static signed long drm_syncobj_array_wait_timeout(struct drm_syncobj **syncobjs, + * fallthough and try a 0 timeout wait! + */ + +- if (flags & DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT) { ++ if (flags & (DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT | ++ DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE)) { + for (i = 0; i < count; ++i) + drm_syncobj_fence_add_wait(syncobjs[i], &entries[i]); + } +-- +2.43.0 + diff --git a/queue-5.10/drm-syncobj-make-lockdep-complain-on-wait_for_submit.patch b/queue-5.10/drm-syncobj-make-lockdep-complain-on-wait_for_submit.patch new file mode 100644 index 00000000000..910456398ec --- /dev/null +++ b/queue-5.10/drm-syncobj-make-lockdep-complain-on-wait_for_submit.patch @@ -0,0 +1,91 @@ +From f2191e653330dbf2c480af1b1a1e231723da7f3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 14:32:39 +0100 +Subject: drm/syncobj: make lockdep complain on WAIT_FOR_SUBMIT v3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +[ Upstream commit 7621350c6bb20fb6ab7eb988833ab96eac3dcbef ] + +DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT can't be used when we hold locks +since we are basically waiting for userspace to do something. + +Holding a lock while doing so can trivial deadlock with page faults +etc... + +So make lockdep complain when a driver tries to do this. + +v2: Add lockdep_assert_none_held() macro. +v3: Add might_sleep() and also use lockdep_assert_none_held() in the + IOCTL path. + +Signed-off-by: Christian König +Reviewed-by: Daniel Vetter +Acked-by: Peter Zijlstra (Intel) +Link: https://patchwork.freedesktop.org/patch/414944/ +Stable-dep-of: 3c43177ffb54 ("drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_syncobj.c | 12 ++++++++++++ + include/linux/lockdep.h | 5 +++++ + 2 files changed, 17 insertions(+) + +diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c +index 738e60139db90..4c3c8f8da0215 100644 +--- a/drivers/gpu/drm/drm_syncobj.c ++++ b/drivers/gpu/drm/drm_syncobj.c +@@ -387,6 +387,15 @@ int drm_syncobj_find_fence(struct drm_file *file_private, + if (!syncobj) + return -ENOENT; + ++ /* Waiting for userspace with locks help is illegal cause that can ++ * trivial deadlock with page faults for example. Make lockdep complain ++ * about it early on. ++ */ ++ if (flags & DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT) { ++ might_sleep(); ++ lockdep_assert_none_held_once(); ++ } ++ + *fence = drm_syncobj_fence_get(syncobj); + + if (*fence) { +@@ -951,6 +960,9 @@ static signed long drm_syncobj_array_wait_timeout(struct drm_syncobj **syncobjs, + uint64_t *points; + uint32_t signaled_count, i; + ++ if (flags & DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT) ++ lockdep_assert_none_held_once(); ++ + points = kmalloc_array(count, sizeof(*points), GFP_KERNEL); + if (points == NULL) + return -ENOMEM; +diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h +index 2c2586312b447..3eca9f91b9a56 100644 +--- a/include/linux/lockdep.h ++++ b/include/linux/lockdep.h +@@ -321,6 +321,10 @@ extern void lock_unpin_lock(struct lockdep_map *lock, struct pin_cookie); + WARN_ON_ONCE(debug_locks && !lockdep_is_held(l)); \ + } while (0) + ++#define lockdep_assert_none_held_once() do { \ ++ WARN_ON_ONCE(debug_locks && current->lockdep_depth); \ ++ } while (0) ++ + #define lockdep_recursing(tsk) ((tsk)->lockdep_recursion) + + #define lockdep_pin_lock(l) lock_pin_lock(&(l)->dep_map) +@@ -394,6 +398,7 @@ static inline void lockdep_unregister_key(struct lock_class_key *key) + #define lockdep_assert_held_write(l) do { (void)(l); } while (0) + #define lockdep_assert_held_read(l) do { (void)(l); } while (0) + #define lockdep_assert_held_once(l) do { (void)(l); } while (0) ++#define lockdep_assert_none_held_once() do { } while (0) + + #define lockdep_recursing(tsk) (0) + +-- +2.43.0 + diff --git a/queue-5.10/ib-hfi1-fix-a-memleak-in-init_credit_return.patch b/queue-5.10/ib-hfi1-fix-a-memleak-in-init_credit_return.patch new file mode 100644 index 00000000000..7de688160f0 --- /dev/null +++ b/queue-5.10/ib-hfi1-fix-a-memleak-in-init_credit_return.patch @@ -0,0 +1,51 @@ +From 1bd6c838f23df565ce78b58796f91bb12bee1398 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jan 2024 16:55:23 +0800 +Subject: IB/hfi1: Fix a memleak in init_credit_return + +From: Zhipeng Lu + +[ Upstream commit 809aa64ebff51eb170ee31a95f83b2d21efa32e2 ] + +When dma_alloc_coherent fails to allocate dd->cr_base[i].va, +init_credit_return should deallocate dd->cr_base and +dd->cr_base[i] that allocated before. Or those resources +would be never freed and a memleak is triggered. + +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Signed-off-by: Zhipeng Lu +Link: https://lore.kernel.org/r/20240112085523.3731720-1-alexious@zju.edu.cn +Acked-by: Dennis Dalessandro +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/pio.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hfi1/pio.c b/drivers/infiniband/hw/hfi1/pio.c +index 60eb3a64518f3..969004258692b 100644 +--- a/drivers/infiniband/hw/hfi1/pio.c ++++ b/drivers/infiniband/hw/hfi1/pio.c +@@ -2131,7 +2131,7 @@ int init_credit_return(struct hfi1_devdata *dd) + "Unable to allocate credit return DMA range for NUMA %d\n", + i); + ret = -ENOMEM; +- goto done; ++ goto free_cr_base; + } + } + set_dev_node(&dd->pcidev->dev, dd->node); +@@ -2139,6 +2139,10 @@ int init_credit_return(struct hfi1_devdata *dd) + ret = 0; + done: + return ret; ++ ++free_cr_base: ++ free_credit_return(dd); ++ goto done; + } + + void free_credit_return(struct hfi1_devdata *dd) +-- +2.43.0 + diff --git a/queue-5.10/ipv4-properly-combine-dev_base_seq-and-ipv4.dev_addr.patch b/queue-5.10/ipv4-properly-combine-dev_base_seq-and-ipv4.dev_addr.patch new file mode 100644 index 00000000000..3c3a88dbb57 --- /dev/null +++ b/queue-5.10/ipv4-properly-combine-dev_base_seq-and-ipv4.dev_addr.patch @@ -0,0 +1,73 @@ +From 61afdef34708847a676ee5a555c0e9bab50b1aac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 17:21:06 +0000 +Subject: ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid + +From: Eric Dumazet + +[ Upstream commit 081a0e3b0d4c061419d3f4679dec9f68725b17e4 ] + +net->dev_base_seq and ipv4.dev_addr_genid are monotonically increasing. + +If we XOR their values, we could miss to detect if both values +were changed with the same amount. + +Fixes: 0465277f6b3f ("ipv4: provide addr and netconf dump consistency info") +Signed-off-by: Eric Dumazet +Cc: Nicolas Dichtel +Acked-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index da1ca8081c035..9ac7d47d27b81 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -1798,6 +1798,21 @@ static int in_dev_dump_addr(struct in_device *in_dev, struct sk_buff *skb, + return err; + } + ++/* Combine dev_addr_genid and dev_base_seq to detect changes. ++ */ ++static u32 inet_base_seq(const struct net *net) ++{ ++ u32 res = atomic_read(&net->ipv4.dev_addr_genid) + ++ net->dev_base_seq; ++ ++ /* Must not return 0 (see nl_dump_check_consistent()). ++ * Chose a value far away from 0. ++ */ ++ if (!res) ++ res = 0x80000000; ++ return res; ++} ++ + static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) + { + const struct nlmsghdr *nlh = cb->nlh; +@@ -1849,8 +1864,7 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) + idx = 0; + head = &tgt_net->dev_index_head[h]; + rcu_read_lock(); +- cb->seq = atomic_read(&tgt_net->ipv4.dev_addr_genid) ^ +- tgt_net->dev_base_seq; ++ cb->seq = inet_base_seq(tgt_net); + hlist_for_each_entry_rcu(dev, head, index_hlist) { + if (idx < s_idx) + goto cont; +@@ -2249,8 +2263,7 @@ static int inet_netconf_dump_devconf(struct sk_buff *skb, + idx = 0; + head = &net->dev_index_head[h]; + rcu_read_lock(); +- cb->seq = atomic_read(&net->ipv4.dev_addr_genid) ^ +- net->dev_base_seq; ++ cb->seq = inet_base_seq(net); + hlist_for_each_entry_rcu(dev, head, index_hlist) { + if (idx < s_idx) + goto cont; +-- +2.43.0 + diff --git a/queue-5.10/ipv6-properly-combine-dev_base_seq-and-ipv6.dev_addr.patch b/queue-5.10/ipv6-properly-combine-dev_base_seq-and-ipv6.dev_addr.patch new file mode 100644 index 00000000000..5f3c460bbe5 --- /dev/null +++ b/queue-5.10/ipv6-properly-combine-dev_base_seq-and-ipv6.dev_addr.patch @@ -0,0 +1,75 @@ +From 0085fffe948ea0730c0e4d0be2c7bfcba7784698 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 17:21:07 +0000 +Subject: ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid + +From: Eric Dumazet + +[ Upstream commit e898e4cd1aab271ca414f9ac6e08e4c761f6913c ] + +net->dev_base_seq and ipv6.dev_addr_genid are monotonically increasing. + +If we XOR their values, we could miss to detect if both values +were changed with the same amount. + +Fixes: 63998ac24f83 ("ipv6: provide addr and netconf dump consistency info") +Signed-off-by: Eric Dumazet +Cc: Nicolas Dichtel + +Signed-off-by: Eric Dumazet +Acked-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 79787a1f5ab34..150c2f71ec89f 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -698,6 +698,22 @@ static int inet6_netconf_get_devconf(struct sk_buff *in_skb, + return err; + } + ++/* Combine dev_addr_genid and dev_base_seq to detect changes. ++ */ ++static u32 inet6_base_seq(const struct net *net) ++{ ++ u32 res = atomic_read(&net->ipv6.dev_addr_genid) + ++ net->dev_base_seq; ++ ++ /* Must not return 0 (see nl_dump_check_consistent()). ++ * Chose a value far away from 0. ++ */ ++ if (!res) ++ res = 0x80000000; ++ return res; ++} ++ ++ + static int inet6_netconf_dump_devconf(struct sk_buff *skb, + struct netlink_callback *cb) + { +@@ -731,8 +747,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb, + idx = 0; + head = &net->dev_index_head[h]; + rcu_read_lock(); +- cb->seq = atomic_read(&net->ipv6.dev_addr_genid) ^ +- net->dev_base_seq; ++ cb->seq = inet6_base_seq(net); + hlist_for_each_entry_rcu(dev, head, index_hlist) { + if (idx < s_idx) + goto cont; +@@ -5288,7 +5303,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, + } + + rcu_read_lock(); +- cb->seq = atomic_read(&tgt_net->ipv6.dev_addr_genid) ^ tgt_net->dev_base_seq; ++ cb->seq = inet6_base_seq(tgt_net); + for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { + idx = 0; + head = &tgt_net->dev_index_head[h]; +-- +2.43.0 + diff --git a/queue-5.10/ipv6-sr-fix-possible-use-after-free-and-null-ptr-der.patch b/queue-5.10/ipv6-sr-fix-possible-use-after-free-and-null-ptr-der.patch new file mode 100644 index 00000000000..033b8598d3b --- /dev/null +++ b/queue-5.10/ipv6-sr-fix-possible-use-after-free-and-null-ptr-der.patch @@ -0,0 +1,74 @@ +From ecae4a4eef812366d18f2cb5e106bd65a1c26627 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 23:27:17 +0300 +Subject: ipv6: sr: fix possible use-after-free and null-ptr-deref + +From: Vasiliy Kovalev + +[ Upstream commit 5559cea2d5aa3018a5f00dd2aca3427ba09b386b ] + +The pernet operations structure for the subsystem must be registered +before registering the generic netlink family. + +Fixes: 915d7e5e5930 ("ipv6: sr: add code base for control plane support of SR-IPv6") +Signed-off-by: Vasiliy Kovalev +Link: https://lore.kernel.org/r/20240215202717.29815-1-kovalev@altlinux.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c +index 2278c0234c497..a8439fded12dc 100644 +--- a/net/ipv6/seg6.c ++++ b/net/ipv6/seg6.c +@@ -451,22 +451,24 @@ int __init seg6_init(void) + { + int err; + +- err = genl_register_family(&seg6_genl_family); ++ err = register_pernet_subsys(&ip6_segments_ops); + if (err) + goto out; + +- err = register_pernet_subsys(&ip6_segments_ops); ++ err = genl_register_family(&seg6_genl_family); + if (err) +- goto out_unregister_genl; ++ goto out_unregister_pernet; + + #ifdef CONFIG_IPV6_SEG6_LWTUNNEL + err = seg6_iptunnel_init(); + if (err) +- goto out_unregister_pernet; ++ goto out_unregister_genl; + + err = seg6_local_init(); +- if (err) +- goto out_unregister_pernet; ++ if (err) { ++ seg6_iptunnel_exit(); ++ goto out_unregister_genl; ++ } + #endif + + #ifdef CONFIG_IPV6_SEG6_HMAC +@@ -487,11 +489,11 @@ int __init seg6_init(void) + #endif + #endif + #ifdef CONFIG_IPV6_SEG6_LWTUNNEL +-out_unregister_pernet: +- unregister_pernet_subsys(&ip6_segments_ops); +-#endif + out_unregister_genl: + genl_unregister_family(&seg6_genl_family); ++#endif ++out_unregister_pernet: ++ unregister_pernet_subsys(&ip6_segments_ops); + goto out; + } + +-- +2.43.0 + diff --git a/queue-5.10/net-dev-convert-sa_data-to-flexible-array-in-struct-.patch b/queue-5.10/net-dev-convert-sa_data-to-flexible-array-in-struct-.patch new file mode 100644 index 00000000000..32d978c174c --- /dev/null +++ b/queue-5.10/net-dev-convert-sa_data-to-flexible-array-in-struct-.patch @@ -0,0 +1,135 @@ +From 554fb5bc0ff976c2b6effffcf0190f0525e1127a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 02:56:03 -0700 +Subject: net: dev: Convert sa_data to flexible array in struct sockaddr + +From: Kees Cook + +[ Upstream commit b5f0de6df6dce8d641ef58ef7012f3304dffb9a1 ] + +One of the worst offenders of "fake flexible arrays" is struct sockaddr, +as it is the classic example of why GCC and Clang have been traditionally +forced to treat all trailing arrays as fake flexible arrays: in the +distant misty past, sa_data became too small, and code started just +treating it as a flexible array, even though it was fixed-size. The +special case by the compiler is specifically that sizeof(sa->sa_data) +and FORTIFY_SOURCE (which uses __builtin_object_size(sa->sa_data, 1)) +do not agree (14 and -1 respectively), which makes FORTIFY_SOURCE treat +it as a flexible array. + +However, the coming -fstrict-flex-arrays compiler flag will remove +these special cases so that FORTIFY_SOURCE can gain coverage over all +the trailing arrays in the kernel that are _not_ supposed to be treated +as a flexible array. To deal with this change, convert sa_data to a true +flexible array. To keep the structure size the same, move sa_data into +a union with a newly introduced sa_data_min with the original size. The +result is that FORTIFY_SOURCE can continue to have no idea how large +sa_data may actually be, but anything using sizeof(sa->sa_data) must +switch to sizeof(sa->sa_data_min). + +Cc: Jens Axboe +Cc: Pavel Begunkov +Cc: David Ahern +Cc: Dylan Yudaken +Cc: Yajun Deng +Cc: Petr Machata +Cc: Hangbin Liu +Cc: Leon Romanovsky +Cc: syzbot +Cc: Willem de Bruijn +Cc: Pablo Neira Ayuso +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221018095503.never.671-kees@kernel.org +Signed-off-by: Jakub Kicinski +Stable-dep-of: a7d6027790ac ("arp: Prevent overflow in arp_req_get().") +Signed-off-by: Sasha Levin +--- + include/linux/socket.h | 5 ++++- + net/core/dev.c | 2 +- + net/core/dev_ioctl.c | 2 +- + net/packet/af_packet.c | 10 +++++----- + 4 files changed, 11 insertions(+), 8 deletions(-) + +diff --git a/include/linux/socket.h b/include/linux/socket.h +index c3b35d18bcd30..daf51fef5a8d1 100644 +--- a/include/linux/socket.h ++++ b/include/linux/socket.h +@@ -31,7 +31,10 @@ typedef __kernel_sa_family_t sa_family_t; + + struct sockaddr { + sa_family_t sa_family; /* address family, AF_xxx */ +- char sa_data[14]; /* 14 bytes of protocol address */ ++ union { ++ char sa_data_min[14]; /* Minimum 14 bytes of protocol address */ ++ DECLARE_FLEX_ARRAY(char, sa_data); ++ }; + }; + + struct linger { +diff --git a/net/core/dev.c b/net/core/dev.c +index fc881d60a9dcc..0619d2253aa24 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -8787,7 +8787,7 @@ EXPORT_SYMBOL(dev_set_mac_address_user); + + int dev_get_mac_address(struct sockaddr *sa, struct net *net, char *dev_name) + { +- size_t size = sizeof(sa->sa_data); ++ size_t size = sizeof(sa->sa_data_min); + struct net_device *dev; + int ret = 0; + +diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c +index 993420da29307..60e815a71909a 100644 +--- a/net/core/dev_ioctl.c ++++ b/net/core/dev_ioctl.c +@@ -245,7 +245,7 @@ static int dev_ifsioc(struct net *net, struct ifreq *ifr, unsigned int cmd) + if (ifr->ifr_hwaddr.sa_family != dev->type) + return -EINVAL; + memcpy(dev->broadcast, ifr->ifr_hwaddr.sa_data, +- min(sizeof(ifr->ifr_hwaddr.sa_data), ++ min(sizeof(ifr->ifr_hwaddr.sa_data_min), + (size_t)dev->addr_len)); + call_netdevice_notifiers(NETDEV_CHANGEADDR, dev); + return 0; +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 1052cbcdd3c8d..6cc054dd53b6e 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3252,7 +3252,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, + int addr_len) + { + struct sock *sk = sock->sk; +- char name[sizeof(uaddr->sa_data) + 1]; ++ char name[sizeof(uaddr->sa_data_min) + 1]; + + /* + * Check legality +@@ -3263,8 +3263,8 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, + /* uaddr->sa_data comes from the userspace, it's not guaranteed to be + * zero-terminated. + */ +- memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data)); +- name[sizeof(uaddr->sa_data)] = 0; ++ memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data_min)); ++ name[sizeof(uaddr->sa_data_min)] = 0; + + return packet_do_bind(sk, name, 0, 0); + } +@@ -3536,11 +3536,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, + return -EOPNOTSUPP; + + uaddr->sa_family = AF_PACKET; +- memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); ++ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data_min)); + rcu_read_lock(); + dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex)); + if (dev) +- strscpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); ++ strscpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data_min)); + rcu_read_unlock(); + + return sizeof(*uaddr); +-- +2.43.0 + diff --git a/queue-5.10/netfilter-nf_tables-set-dormant-flag-on-hook-registe.patch b/queue-5.10/netfilter-nf_tables-set-dormant-flag-on-hook-registe.patch new file mode 100644 index 00000000000..6c7a58cb1c2 --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-set-dormant-flag-on-hook-registe.patch @@ -0,0 +1,42 @@ +From 4dea3a4a05802c5033c0e8328b2a5672536ec385 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 16:58:04 +0100 +Subject: netfilter: nf_tables: set dormant flag on hook register failure + +From: Florian Westphal + +[ Upstream commit bccebf64701735533c8db37773eeacc6566cc8ec ] + +We need to set the dormant flag again if we fail to register +the hooks. + +During memory pressure hook registration can fail and we end up +with a table marked as active but no registered hooks. + +On table/base chain deletion, nf_tables will attempt to unregister +the hook again which yields a warn splat from the nftables core. + +Reported-and-tested-by: syzbot+de4025c006ec68ac56fc@syzkaller.appspotmail.com +Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index f586e8b3c6cfa..73b0a6925304c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1132,6 +1132,7 @@ static int nf_tables_updtable(struct nft_ctx *ctx) + return 0; + + err_register_hooks: ++ ctx->table->flags |= NFT_TABLE_F_DORMANT; + nft_trans_destroy(trans); + return ret; + } +-- +2.43.0 + diff --git a/queue-5.10/nouveau-fix-function-cast-warnings.patch b/queue-5.10/nouveau-fix-function-cast-warnings.patch new file mode 100644 index 00000000000..955952e3bd6 --- /dev/null +++ b/queue-5.10/nouveau-fix-function-cast-warnings.patch @@ -0,0 +1,54 @@ +From 5c13f200683a6b11574412716bfa8d8778d29dc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 10:57:37 +0100 +Subject: nouveau: fix function cast warnings + +From: Arnd Bergmann + +[ Upstream commit 0affdba22aca5573f9d989bcb1d71d32a6a03efe ] + +clang-16 warns about casting between incompatible function types: + +drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c:161:10: error: cast from 'void (*)(const struct firmware *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 161 | .fini = (void(*)(void *))release_firmware, + +This one was done to use the generic shadow_fw_release() function as a +callback for struct nvbios_source. Change it to use the same prototype +as the other five instances, with a trivial helper function that actually +calls release_firmware. + +Fixes: 70c0f263cc2e ("drm/nouveau/bios: pull in basic vbios subdev, more to come later") +Signed-off-by: Arnd Bergmann +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/20240213095753.455062-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c +index 4b571cc6bc70f..6597def18627e 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c +@@ -154,11 +154,17 @@ shadow_fw_init(struct nvkm_bios *bios, const char *name) + return (void *)fw; + } + ++static void ++shadow_fw_release(void *fw) ++{ ++ release_firmware(fw); ++} ++ + static const struct nvbios_source + shadow_fw = { + .name = "firmware", + .init = shadow_fw_init, +- .fini = (void(*)(void *))release_firmware, ++ .fini = shadow_fw_release, + .read = shadow_fw_read, + .rw = false, + }; +-- +2.43.0 + diff --git a/queue-5.10/packet-move-from-strlcpy-with-unused-retval-to-strsc.patch b/queue-5.10/packet-move-from-strlcpy-with-unused-retval-to-strsc.patch new file mode 100644 index 00000000000..3addfc3ff5b --- /dev/null +++ b/queue-5.10/packet-move-from-strlcpy-with-unused-retval-to-strsc.patch @@ -0,0 +1,48 @@ +From fc003522b4fb8e0f4247d1dc68f68e16391a652b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 23:02:27 +0200 +Subject: packet: move from strlcpy with unused retval to strscpy + +From: Wolfram Sang + +[ Upstream commit 8fc9d51ea2d32a05f7d7cf86a25cc86ecc57eb45 ] + +Follow the advice of the below link and prefer 'strscpy' in this +subsystem. Conversion is 1:1 because the return value is not used. +Generated by a coccinelle script. + +Link: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/ +Signed-off-by: Wolfram Sang +Link: https://lore.kernel.org/r/20220818210227.8611-1-wsa+renesas@sang-engineering.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: a7d6027790ac ("arp: Prevent overflow in arp_req_get().") +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index b292d58fdcc4c..1052cbcdd3c8d 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1871,7 +1871,7 @@ static int packet_rcv_spkt(struct sk_buff *skb, struct net_device *dev, + */ + + spkt->spkt_family = dev->type; +- strlcpy(spkt->spkt_device, dev->name, sizeof(spkt->spkt_device)); ++ strscpy(spkt->spkt_device, dev->name, sizeof(spkt->spkt_device)); + spkt->spkt_protocol = skb->protocol; + + /* +@@ -3540,7 +3540,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, + rcu_read_lock(); + dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex)); + if (dev) +- strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); ++ strscpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); + rcu_read_unlock(); + + return sizeof(*uaddr); +-- +2.43.0 + diff --git a/queue-5.10/rdma-bnxt_re-return-error-for-srq-resize.patch b/queue-5.10/rdma-bnxt_re-return-error-for-srq-resize.patch new file mode 100644 index 00000000000..cd0a83bb8ff --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-return-error-for-srq-resize.patch @@ -0,0 +1,53 @@ +From faabb7c5c34f64e3330454a064a787ad494c75a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 20:54:36 -0800 +Subject: RDMA/bnxt_re: Return error for SRQ resize + +From: Kalesh AP + +[ Upstream commit 3687b450c5f32e80f179ce4b09e0454da1449eac ] + +SRQ resize is not supported in the driver. But driver is not +returning error from bnxt_re_modify_srq() for SRQ resize. + +Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters") +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Link: https://lore.kernel.org/r/1705985677-15551-5-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index 2a973a1390a4a..a0d7777acb6d4 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -1711,7 +1711,7 @@ int bnxt_re_modify_srq(struct ib_srq *ib_srq, struct ib_srq_attr *srq_attr, + switch (srq_attr_mask) { + case IB_SRQ_MAX_WR: + /* SRQ resize is not supported */ +- break; ++ return -EINVAL; + case IB_SRQ_LIMIT: + /* Change the SRQ threshold */ + if (srq_attr->srq_limit > srq->qplib_srq.max_wqe) +@@ -1726,13 +1726,12 @@ int bnxt_re_modify_srq(struct ib_srq *ib_srq, struct ib_srq_attr *srq_attr, + /* On success, update the shadow */ + srq->srq_limit = srq_attr->srq_limit; + /* No need to Build and send response back to udata */ +- break; ++ return 0; + default: + ibdev_err(&rdev->ibdev, + "Unsupported srq_attr_mask 0x%x", srq_attr_mask); + return -EINVAL; + } +- return 0; + } + + int bnxt_re_query_srq(struct ib_srq *ib_srq, struct ib_srq_attr *srq_attr) +-- +2.43.0 + diff --git a/queue-5.10/rdma-qedr-fix-qedr_create_user_qp-error-flow.patch b/queue-5.10/rdma-qedr-fix-qedr_create_user_qp-error-flow.patch new file mode 100644 index 00000000000..6c3cd791cc4 --- /dev/null +++ b/queue-5.10/rdma-qedr-fix-qedr_create_user_qp-error-flow.patch @@ -0,0 +1,109 @@ +From 811a2b34bc2fdf1948cced353f2fb0302ad3a65a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Feb 2024 17:36:28 -0500 +Subject: RDMA/qedr: Fix qedr_create_user_qp error flow + +From: Kamal Heib + +[ Upstream commit 5ba4e6d5863c53e937f49932dee0ecb004c65928 ] + +Avoid the following warning by making sure to free the allocated +resources in case that qedr_init_user_queue() fail. + +-----------[ cut here ]----------- +WARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] +Modules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3 +ghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt] +CPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1 +Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022 +RIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] +Code: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff +RSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286 +RAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016 +RDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600 +RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 +R10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80 +R13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0 +Call Trace: + +? show_trace_log_lvl+0x1c4/0x2df +? show_trace_log_lvl+0x1c4/0x2df +? ib_uverbs_close+0x1f/0xb0 [ib_uverbs] +? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] +? __warn+0x81/0x110 +? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] +? report_bug+0x10a/0x140 +? handle_bug+0x3c/0x70 +? exc_invalid_op+0x14/0x70 +? asm_exc_invalid_op+0x16/0x20 +? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] +ib_uverbs_close+0x1f/0xb0 [ib_uverbs] +__fput+0x94/0x250 +task_work_run+0x5c/0x90 +do_exit+0x270/0x4a0 +do_group_exit+0x2d/0x90 +get_signal+0x87c/0x8c0 +arch_do_signal_or_restart+0x25/0x100 +? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs] +exit_to_user_mode_loop+0x9c/0x130 +exit_to_user_mode_prepare+0xb6/0x100 +syscall_exit_to_user_mode+0x12/0x40 +do_syscall_64+0x69/0x90 +? syscall_exit_work+0x103/0x130 +? syscall_exit_to_user_mode+0x22/0x40 +? do_syscall_64+0x69/0x90 +? syscall_exit_work+0x103/0x130 +? syscall_exit_to_user_mode+0x22/0x40 +? do_syscall_64+0x69/0x90 +? do_syscall_64+0x69/0x90 +? common_interrupt+0x43/0xa0 +entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x1470abe3ec6b +Code: Unable to access opcode bytes at RIP 0x1470abe3ec41. +RSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b +RDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004 +RBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00 +R10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358 +R13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470 + +--[ end trace 888a9b92e04c5c97 ]-- + +Fixes: df15856132bc ("RDMA/qedr: restructure functions that create/destroy QPs") +Signed-off-by: Kamal Heib +Link: https://lore.kernel.org/r/20240208223628.2040841-1-kheib@redhat.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/verbs.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index 3543b9af10b7a..d382ac21159c2 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -1865,8 +1865,17 @@ static int qedr_create_user_qp(struct qedr_dev *dev, + /* RQ - read access only (0) */ + rc = qedr_init_user_queue(udata, dev, &qp->urq, ureq.rq_addr, + ureq.rq_len, true, 0, alloc_and_init); +- if (rc) ++ if (rc) { ++ ib_umem_release(qp->usq.umem); ++ qp->usq.umem = NULL; ++ if (rdma_protocol_roce(&dev->ibdev, 1)) { ++ qedr_free_pbl(dev, &qp->usq.pbl_info, ++ qp->usq.pbl_tbl); ++ } else { ++ kfree(qp->usq.pbl_tbl); ++ } + return rc; ++ } + } + + memset(&in_params, 0, sizeof(in_params)); +-- +2.43.0 + diff --git a/queue-5.10/rdma-srpt-fix-function-pointer-cast-warnings.patch b/queue-5.10/rdma-srpt-fix-function-pointer-cast-warnings.patch new file mode 100644 index 00000000000..03ab2133e8d --- /dev/null +++ b/queue-5.10/rdma-srpt-fix-function-pointer-cast-warnings.patch @@ -0,0 +1,60 @@ +From 3bccbbca8c1aeda32c16464d46718ff62b9cd5de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 11:07:13 +0100 +Subject: RDMA/srpt: fix function pointer cast warnings + +From: Arnd Bergmann + +[ Upstream commit eb5c7465c3240151cd42a55c7ace9da0026308a1 ] + +clang-16 notices that srpt_qp_event() gets called through an incompatible +pointer here: + +drivers/infiniband/ulp/srpt/ib_srpt.c:1815:5: error: cast from 'void (*)(struct ib_event *, struct srpt_rdma_ch *)' to 'void (*)(struct ib_event *, void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 1815 | = (void(*)(struct ib_event *, void*))srpt_qp_event; + +Change srpt_qp_event() to use the correct prototype and adjust the +argument inside of it. + +Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240213100728.458348-1-arnd@kernel.org +Reviewed-by: Bart Van Assche +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index 80e99e9e97172..41abf9cf11c67 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -214,10 +214,12 @@ static const char *get_ch_state_name(enum rdma_ch_state s) + /** + * srpt_qp_event - QP event callback function + * @event: Description of the event that occurred. +- * @ch: SRPT RDMA channel. ++ * @ptr: SRPT RDMA channel. + */ +-static void srpt_qp_event(struct ib_event *event, struct srpt_rdma_ch *ch) ++static void srpt_qp_event(struct ib_event *event, void *ptr) + { ++ struct srpt_rdma_ch *ch = ptr; ++ + pr_debug("QP event %d on ch=%p sess_name=%s-%d state=%s\n", + event->event, ch, ch->sess_name, ch->qp->qp_num, + get_ch_state_name(ch->state)); +@@ -1807,8 +1809,7 @@ static int srpt_create_ch_ib(struct srpt_rdma_ch *ch) + ch->cq_size = ch->rq_size + sq_size; + + qp_init->qp_context = (void *)ch; +- qp_init->event_handler +- = (void(*)(struct ib_event *, void*))srpt_qp_event; ++ qp_init->event_handler = srpt_qp_event; + qp_init->send_cq = ch->cq; + qp_init->recv_cq = ch->cq; + qp_init->sq_sig_type = IB_SIGNAL_REQ_WR; +-- +2.43.0 + diff --git a/queue-5.10/rdma-srpt-support-specifying-the-srpt_service_guid-p.patch b/queue-5.10/rdma-srpt-support-specifying-the-srpt_service_guid-p.patch new file mode 100644 index 00000000000..e1d939ebedf --- /dev/null +++ b/queue-5.10/rdma-srpt-support-specifying-the-srpt_service_guid-p.patch @@ -0,0 +1,62 @@ +From 2251ee1cba8a100bc9b5f93fbbe8c1c4e5074bb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Feb 2024 16:42:07 -0800 +Subject: RDMA/srpt: Support specifying the srpt_service_guid parameter + +From: Bart Van Assche + +[ Upstream commit fdfa083549de5d50ebf7f6811f33757781e838c0 ] + +Make loading ib_srpt with this parameter set work. The current behavior is +that setting that parameter while loading the ib_srpt kernel module +triggers the following kernel crash: + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +Call Trace: + + parse_one+0x18c/0x1d0 + parse_args+0xe1/0x230 + load_module+0x8de/0xa60 + init_module_from_file+0x8b/0xd0 + idempotent_init_module+0x181/0x240 + __x64_sys_finit_module+0x5a/0xb0 + do_syscall_64+0x5f/0xe0 + entry_SYSCALL_64_after_hwframe+0x6e/0x76 + +Cc: LiHonggang +Reported-by: LiHonggang +Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20240205004207.17031-1-bvanassche@acm.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index 983f59c87b79f..80e99e9e97172 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -79,12 +79,16 @@ module_param(srpt_srq_size, int, 0444); + MODULE_PARM_DESC(srpt_srq_size, + "Shared receive queue (SRQ) size."); + ++static int srpt_set_u64_x(const char *buffer, const struct kernel_param *kp) ++{ ++ return kstrtou64(buffer, 16, (u64 *)kp->arg); ++} + static int srpt_get_u64_x(char *buffer, const struct kernel_param *kp) + { + return sprintf(buffer, "0x%016llx\n", *(u64 *)kp->arg); + } +-module_param_call(srpt_service_guid, NULL, srpt_get_u64_x, &srpt_service_guid, +- 0444); ++module_param_call(srpt_service_guid, srpt_set_u64_x, srpt_get_u64_x, ++ &srpt_service_guid, 0444); + MODULE_PARM_DESC(srpt_service_guid, + "Using this value for ioc_guid, id_ext, and cm_listen_id instead of using the node_guid of the first HCA."); + +-- +2.43.0 + diff --git a/queue-5.10/s390-use-the-correct-count-for-__iowrite64_copy.patch b/queue-5.10/s390-use-the-correct-count-for-__iowrite64_copy.patch new file mode 100644 index 00000000000..8965887fe85 --- /dev/null +++ b/queue-5.10/s390-use-the-correct-count-for-__iowrite64_copy.patch @@ -0,0 +1,39 @@ +From 79a038f24a5ab822b89c79c767ad21a5d96949ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 20:48:14 -0400 +Subject: s390: use the correct count for __iowrite64_copy() + +From: Jason Gunthorpe + +[ Upstream commit 723a2cc8d69d4342b47dfddbfe6c19f1b135f09b ] + +The signature for __iowrite64_copy() requires the number of 64 bit +quantities, not bytes. Multiple by 8 to get to a byte length before +invoking zpci_memcpy_toio() + +Fixes: 87bc359b9822 ("s390/pci: speed up __iowrite64_copy by using pci store block insn") +Acked-by: Niklas Schnelle +Signed-off-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/0-v1-9223d11a7662+1d7785-s390_iowrite64_jgg@nvidia.com +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/pci/pci.c b/arch/s390/pci/pci.c +index 74799439b2598..beecc36c30276 100644 +--- a/arch/s390/pci/pci.c ++++ b/arch/s390/pci/pci.c +@@ -225,7 +225,7 @@ resource_size_t pcibios_align_resource(void *data, const struct resource *res, + /* combine single writes by using store-block insn */ + void __iowrite64_copy(void __iomem *to, const void *from, size_t count) + { +- zpci_memcpy_toio(to, from, count); ++ zpci_memcpy_toio(to, from, count * 8); + } + + static void __iomem *__ioremap(phys_addr_t addr, size_t size, pgprot_t prot) +-- +2.43.0 + diff --git a/queue-5.10/scsi-jazz_esp-only-build-if-scsi-core-is-builtin.patch b/queue-5.10/scsi-jazz_esp-only-build-if-scsi-core-is-builtin.patch new file mode 100644 index 00000000000..8a491375cbf --- /dev/null +++ b/queue-5.10/scsi-jazz_esp-only-build-if-scsi-core-is-builtin.patch @@ -0,0 +1,54 @@ +From d913a1121f29fbd416fb52c1cde6133f52de22c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 21:59:53 -0800 +Subject: scsi: jazz_esp: Only build if SCSI core is builtin + +From: Randy Dunlap + +[ Upstream commit 9ddf190a7df77b77817f955fdb9c2ae9d1c9c9a3 ] + +JAZZ_ESP is a bool kconfig symbol that selects SCSI_SPI_ATTRS. When +CONFIG_SCSI=m, this results in SCSI_SPI_ATTRS=m while JAZZ_ESP=y, which +causes many undefined symbol linker errors. + +Fix this by only offering to build this driver when CONFIG_SCSI=y. + +[mkp: JAZZ_ESP is unique in that it does not support being compiled as a +module unlike the remaining SPI SCSI HBA drivers] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20240214055953.9612-1-rdunlap@infradead.org +Cc: Thomas Bogendoerfer +Cc: linux-mips@vger.kernel.org +Cc: Arnd Bergmann +Cc: Masahiro Yamada +Cc: Nicolas Schier +Cc: James E.J. Bottomley +Cc: Martin K. Petersen +Cc: linux-scsi@vger.kernel.org +Cc: Geert Uytterhoeven +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202402112222.Gl0udKyU-lkp@intel.com/ +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/Kconfig b/drivers/scsi/Kconfig +index 6524e1fe54d2e..f59c9002468cc 100644 +--- a/drivers/scsi/Kconfig ++++ b/drivers/scsi/Kconfig +@@ -1289,7 +1289,7 @@ source "drivers/scsi/arm/Kconfig" + + config JAZZ_ESP + bool "MIPS JAZZ FAS216 SCSI support" +- depends on MACH_JAZZ && SCSI ++ depends on MACH_JAZZ && SCSI=y + select SCSI_SPI_ATTRS + help + This is the driver for the onboard SCSI host adapter of MIPS Magnum +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 60be1fe1f43..7d210bdace4 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -93,3 +93,26 @@ usb-gadget-ncm-avoid-dropping-datagrams-of-properly-parsed-ntbs.patch usb-roles-fix-null-pointer-issue-when-put-module-s-reference.patch usb-roles-don-t-get-set_role-when-usb_role_switch-is-unregistered.patch mptcp-fix-lockless-access-in-subflow-ulp-diag.patch +ib-hfi1-fix-a-memleak-in-init_credit_return.patch +rdma-bnxt_re-return-error-for-srq-resize.patch +rdma-srpt-support-specifying-the-srpt_service_guid-p.patch +rdma-qedr-fix-qedr_create_user_qp-error-flow.patch +arm64-dts-rockchip-set-num-cs-property-for-spi-on-px.patch +rdma-srpt-fix-function-pointer-cast-warnings.patch +bpf-scripts-correct-gpl-license-name.patch +scsi-jazz_esp-only-build-if-scsi-core-is-builtin.patch +nouveau-fix-function-cast-warnings.patch +ipv4-properly-combine-dev_base_seq-and-ipv4.dev_addr.patch +ipv6-properly-combine-dev_base_seq-and-ipv6.dev_addr.patch +afs-increase-buffer-size-in-afs_update_volume_status.patch +ipv6-sr-fix-possible-use-after-free-and-null-ptr-der.patch +packet-move-from-strlcpy-with-unused-retval-to-strsc.patch +net-dev-convert-sa_data-to-flexible-array-in-struct-.patch +s390-use-the-correct-count-for-__iowrite64_copy.patch +tls-rx-jump-to-a-more-appropriate-label.patch +tls-rx-drop-pointless-else-after-goto.patch +tls-stop-recv-if-initial-process_rx_list-gave-us-non.patch +netfilter-nf_tables-set-dormant-flag-on-hook-registe.patch +drm-syncobj-make-lockdep-complain-on-wait_for_submit.patch +drm-syncobj-call-drm_syncobj_fence_add_wait-when-wai.patch +drm-amd-display-fix-memory-leak-in-dm_sw_fini.patch diff --git a/queue-5.10/tls-rx-drop-pointless-else-after-goto.patch b/queue-5.10/tls-rx-drop-pointless-else-after-goto.patch new file mode 100644 index 00000000000..c303b28425b --- /dev/null +++ b/queue-5.10/tls-rx-drop-pointless-else-after-goto.patch @@ -0,0 +1,39 @@ +From 3d83bbaf7caf8c6f83619d83334b228d1fdc7a9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 20:38:15 -0700 +Subject: tls: rx: drop pointless else after goto + +From: Jakub Kicinski + +[ Upstream commit d5123edd10cf9d324fcb88e276bdc7375f3c5321 ] + +Pointless else branch after goto makes the code harder to refactor +down the line. + +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Stable-dep-of: fdfbaec5923d ("tls: stop recv() if initial process_rx_list gave us non-DATA") +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index d11094a81ee6c..732f96b7bafc8 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1783,10 +1783,9 @@ int tls_sw_recvmsg(struct sock *sk, + if (err < 0) { + tls_err_abort(sk, err); + goto end; +- } else { +- copied = err; + } + ++ copied = err; + if (len <= copied) + goto end; + +-- +2.43.0 + diff --git a/queue-5.10/tls-rx-jump-to-a-more-appropriate-label.patch b/queue-5.10/tls-rx-jump-to-a-more-appropriate-label.patch new file mode 100644 index 00000000000..374bd1a09d0 --- /dev/null +++ b/queue-5.10/tls-rx-jump-to-a-more-appropriate-label.patch @@ -0,0 +1,64 @@ +From 038355817f4082d8b7dfb0803dc18ef5975efee3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 20:38:14 -0700 +Subject: tls: rx: jump to a more appropriate label + +From: Jakub Kicinski + +[ Upstream commit bfc06e1aaa130b86a81ce3c41ec71a2f5e191690 ] + +'recv_end:' checks num_async and decrypted, and is then followed +by the 'end' label. Since we know that decrypted and num_async +are 0 at the start we can jump to 'end'. + +Move the init of decrypted and num_async to let the compiler +catch if I'm wrong. + +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Stable-dep-of: fdfbaec5923d ("tls: stop recv() if initial process_rx_list gave us non-DATA") +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index dd980438f201f..d11094a81ee6c 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1754,6 +1754,7 @@ int tls_sw_recvmsg(struct sock *sk, + struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); + struct tls_prot_info *prot = &tls_ctx->prot_info; + struct sk_psock *psock; ++ int num_async, pending; + unsigned char control = 0; + ssize_t decrypted = 0; + struct strp_msg *rxm; +@@ -1766,8 +1767,6 @@ int tls_sw_recvmsg(struct sock *sk, + bool is_kvec = iov_iter_is_kvec(&msg->msg_iter); + bool is_peek = flags & MSG_PEEK; + bool bpf_strp_enabled; +- int num_async = 0; +- int pending; + + flags |= nonblock; + +@@ -1789,12 +1788,14 @@ int tls_sw_recvmsg(struct sock *sk, + } + + if (len <= copied) +- goto recv_end; ++ goto end; + + target = sock_rcvlowat(sk, flags & MSG_WAITALL, len); + len = len - copied; + timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); + ++ decrypted = 0; ++ num_async = 0; + while (len && (decrypted + copied < target || ctx->recv_pkt)) { + bool retain_skb = false; + bool zc = false; +-- +2.43.0 + diff --git a/queue-5.10/tls-stop-recv-if-initial-process_rx_list-gave-us-non.patch b/queue-5.10/tls-stop-recv-if-initial-process_rx_list-gave-us-non.patch new file mode 100644 index 00000000000..27bee3b6f5f --- /dev/null +++ b/queue-5.10/tls-stop-recv-if-initial-process_rx_list-gave-us-non.patch @@ -0,0 +1,44 @@ +From 14ad74437e4160d50a5bce71d64fa24686b2733c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 17:17:30 +0100 +Subject: tls: stop recv() if initial process_rx_list gave us non-DATA + +From: Sabrina Dubroca + +[ Upstream commit fdfbaec5923d9359698cbb286bc0deadbb717504 ] + +If we have a non-DATA record on the rx_list and another record of the +same type still on the queue, we will end up merging them: + - process_rx_list copies the non-DATA record + - we start the loop and process the first available record since it's + of the same type + - we break out of the loop since the record was not DATA + +Just check the record type and jump to the end in case process_rx_list +did some work. + +Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records") +Signed-off-by: Sabrina Dubroca +Link: https://lore.kernel.org/r/bd31449e43bd4b6ff546f5c51cf958c31c511deb.1708007371.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 732f96b7bafc8..46f1c19f7c60b 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1786,7 +1786,7 @@ int tls_sw_recvmsg(struct sock *sk, + } + + copied = err; +- if (len <= copied) ++ if (len <= copied || (copied && control != TLS_RECORD_TYPE_DATA)) + goto end; + + target = sock_rcvlowat(sk, flags & MSG_WAITALL, len); +-- +2.43.0 +