From: Sasha Levin Date: Mon, 3 Jun 2024 11:42:15 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.1.93~54 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=24025bb226d2f4aad2b7b283da39255eb9065d8b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch b/queue-5.4/arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch new file mode 100644 index 00000000000..ca505f3ae81 --- /dev/null +++ b/queue-5.4/arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch @@ -0,0 +1,160 @@ +From 9fc3049e99a34f1d2e8a15e62ddbda3ebc64cb24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 May 2024 21:34:37 +0800 +Subject: arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY + +From: Jiangfeng Xiao + +[ Upstream commit ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f ] + +When CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes +to bug_table entries, and as a result the last entry in a bug table will +be ignored, potentially leading to an unexpected panic(). All prior +entries in the table will be handled correctly. + +The arm64 ABI requires that struct fields of up to 8 bytes are +naturally-aligned, with padding added within a struct such that struct +are suitably aligned within arrays. + +When CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is: + + struct bug_entry { + signed int bug_addr_disp; // 4 bytes + signed int file_disp; // 4 bytes + unsigned short line; // 2 bytes + unsigned short flags; // 2 bytes + } + +... with 12 bytes total, requiring 4-byte alignment. + +When CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is: + + struct bug_entry { + signed int bug_addr_disp; // 4 bytes + unsigned short flags; // 2 bytes + < implicit padding > // 2 bytes + } + +... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing +padding, requiring 4-byte alginment. + +When we create a bug_entry in assembly, we align the start of the entry +to 4 bytes, which implicitly handles padding for any prior entries. +However, we do not align the end of the entry, and so when +CONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding +bytes. + +For the main kernel image this is not a problem as find_bug() doesn't +depend on the trailing padding bytes when searching for entries: + + for (bug = __start___bug_table; bug < __stop___bug_table; ++bug) + if (bugaddr == bug_addr(bug)) + return bug; + +However for modules, module_bug_finalize() depends on the trailing +bytes when calculating the number of entries: + + mod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry); + +... and as the last bug_entry lacks the necessary padding bytes, this entry +will not be counted, e.g. in the case of a single entry: + + sechdrs[i].sh_size == 6 + sizeof(struct bug_entry) == 8; + + sechdrs[i].sh_size / sizeof(struct bug_entry) == 0; + +Consequently module_find_bug() will miss the last bug_entry when it does: + + for (i = 0; i < mod->num_bugs; ++i, ++bug) + if (bugaddr == bug_addr(bug)) + goto out; + +... which can lead to a kenrel panic due to an unhandled bug. + +This can be demonstrated with the following module: + + static int __init buginit(void) + { + WARN(1, "hello\n"); + return 0; + } + + static void __exit bugexit(void) + { + } + + module_init(buginit); + module_exit(bugexit); + MODULE_LICENSE("GPL"); + +... which will trigger a kernel panic when loaded: + + ------------[ cut here ]------------ + hello + Unexpected kernel BRK exception at EL1 + Internal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP + Modules linked in: hello(O+) + CPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8 + Hardware name: linux,dummy-virt (DT) + pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : buginit+0x18/0x1000 [hello] + lr : buginit+0x18/0x1000 [hello] + sp : ffff800080533ae0 + x29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000 + x26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58 + x23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0 + x20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006 + x17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720 + x14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312 + x11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8 + x8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000 + x5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000 + x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0 + Call trace: + buginit+0x18/0x1000 [hello] + do_one_initcall+0x80/0x1c8 + do_init_module+0x60/0x218 + load_module+0x1ba4/0x1d70 + __do_sys_init_module+0x198/0x1d0 + __arm64_sys_init_module+0x1c/0x28 + invoke_syscall+0x48/0x114 + el0_svc_common.constprop.0+0x40/0xe0 + do_el0_svc+0x1c/0x28 + el0_svc+0x34/0xd8 + el0t_64_sync_handler+0x120/0x12c + el0t_64_sync+0x190/0x194 + Code: d0ffffe0 910003fd 91000000 9400000b (d4210000) + ---[ end trace 0000000000000000 ]--- + Kernel panic - not syncing: BRK handler: Fatal exception + +Fix this by always aligning the end of a bug_entry to 4 bytes, which is +correct regardless of CONFIG_DEBUG_BUGVERBOSE. + +Fixes: 9fb7410f955f ("arm64/BUG: Use BRK instruction for generic BUG traps") + +Signed-off-by: Yuanbin Xie +Signed-off-by: Jiangfeng Xiao +Reviewed-by: Mark Rutland +Link: https://lore.kernel.org/r/1716212077-43826-1-git-send-email-xiaojiangfeng@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/asm-bug.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/include/asm/asm-bug.h b/arch/arm64/include/asm/asm-bug.h +index 03f52f84a4f3f..bc2dcc8a00009 100644 +--- a/arch/arm64/include/asm/asm-bug.h ++++ b/arch/arm64/include/asm/asm-bug.h +@@ -28,6 +28,7 @@ + 14470: .long 14471f - 14470b; \ + _BUGVERBOSE_LOCATION(__FILE__, __LINE__) \ + .short flags; \ ++ .align 2; \ + .popsection; \ + 14471: + #else +-- +2.43.0 + diff --git a/queue-5.4/drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch b/queue-5.4/drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch new file mode 100644 index 00000000000..7c05bb073c6 --- /dev/null +++ b/queue-5.4/drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch @@ -0,0 +1,49 @@ +From 93c431f9979466cb5e5d3600470fb026ac8e6fac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Apr 2024 01:57:43 +0200 +Subject: drm/msm/dpu: Always flush the slave INTF on the CTL + +From: Marijn Suijten + +[ Upstream commit 2b938c3ab0a69ec6ea587bbf6fc2aec3db4a8736 ] + +As we can clearly see in a downstream kernel [1], flushing the slave INTF +is skipped /only if/ the PPSPLIT topology is active. + +However, when DPU was originally submitted to mainline PPSPLIT was no +longer part of it (seems to have been ripped out before submission), but +this clause was incorrectly ported from the original SDE driver. Given +that there is no support for PPSPLIT (currently), flushing the slave +INTF should /never/ be skipped (as the `if (ppsplit && !master) goto +skip;` clause downstream never becomes true). + +[1]: https://git.codelinaro.org/clo/la/platform/vendor/opensource/display-drivers/-/blob/display-kernel.lnx.5.4.r1-rel/msm/sde/sde_encoder_phys_cmd.c?ref_type=heads#L1131-1139 + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Marijn Suijten +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/589901/ +Link: https://lore.kernel.org/r/20240417-drm-msm-initial-dualpipe-dsc-fixes-v1-3-78ae3ee9a697@somainline.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c +index 2923b63d95fec..34b39a475e3e6 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c +@@ -479,9 +479,6 @@ static void dpu_encoder_phys_cmd_enable_helper( + + _dpu_encoder_phys_cmd_pingpong_config(phys_enc); + +- if (!dpu_encoder_phys_cmd_is_master(phys_enc)) +- return; +- + ctl = phys_enc->hw_ctl; + ctl->ops.get_bitmask_intf(ctl, &flush_mask, phys_enc->intf_idx); + ctl->ops.update_pending_flush(ctl, flush_mask); +-- +2.43.0 + diff --git a/queue-5.4/input-ims-pcu-fix-printf-string-overflow.patch b/queue-5.4/input-ims-pcu-fix-printf-string-overflow.patch new file mode 100644 index 00000000000..92a11514ca6 --- /dev/null +++ b/queue-5.4/input-ims-pcu-fix-printf-string-overflow.patch @@ -0,0 +1,43 @@ +From de5f6a2687d5c86fc4ce0d1ae2e4412efde80bf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 13:28:56 -0700 +Subject: Input: ims-pcu - fix printf string overflow + +From: Arnd Bergmann + +[ Upstream commit bf32bceedd0453c70d9d022e2e29f98e446d7161 ] + +clang warns about a string overflow in this driver + +drivers/input/misc/ims-pcu.c:1802:2: error: 'snprintf' will always be truncated; specified size is 10, but format string expands to at least 12 [-Werror,-Wformat-truncation] +drivers/input/misc/ims-pcu.c:1814:2: error: 'snprintf' will always be truncated; specified size is 10, but format string expands to at least 12 [-Werror,-Wformat-truncation] + +Make the buffer a little longer to ensure it always fits. + +Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240326223825.4084412-7-arnd@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/ims-pcu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c +index d8dbfc030d0fa..4dfed127952d3 100644 +--- a/drivers/input/misc/ims-pcu.c ++++ b/drivers/input/misc/ims-pcu.c +@@ -42,8 +42,8 @@ struct ims_pcu_backlight { + #define IMS_PCU_PART_NUMBER_LEN 15 + #define IMS_PCU_SERIAL_NUMBER_LEN 8 + #define IMS_PCU_DOM_LEN 8 +-#define IMS_PCU_FW_VERSION_LEN (9 + 1) +-#define IMS_PCU_BL_VERSION_LEN (9 + 1) ++#define IMS_PCU_FW_VERSION_LEN 16 ++#define IMS_PCU_BL_VERSION_LEN 16 + #define IMS_PCU_BL_RESET_REASON_LEN (2 + 1) + + #define IMS_PCU_PCU_B_DEVICE_ID 5 +-- +2.43.0 + diff --git a/queue-5.4/input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch b/queue-5.4/input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch new file mode 100644 index 00000000000..2fe00734eab --- /dev/null +++ b/queue-5.4/input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch @@ -0,0 +1,55 @@ +From cf278b83d10bcffead4010a05ca2d207a4ab7df7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 16:03:40 -0700 +Subject: Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation + +From: Fenglin Wu + +[ Upstream commit 48c0687a322d54ac7e7a685c0b6db78d78f593af ] + +The output voltage is inclusive hence the max level calculation is +off-by-one-step. Correct it. + +iWhile we are at it also add a define for the step size instead of +using the magic value. + +Fixes: 11205bb63e5c ("Input: add support for pm8xxx based vibrator driver") +Signed-off-by: Fenglin Wu +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240412-pm8xxx-vibrator-new-design-v10-1-0ec0ad133866@quicinc.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/pm8xxx-vibrator.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/input/misc/pm8xxx-vibrator.c b/drivers/input/misc/pm8xxx-vibrator.c +index 53ad25eaf1a28..8bfe5c7b1244c 100644 +--- a/drivers/input/misc/pm8xxx-vibrator.c ++++ b/drivers/input/misc/pm8xxx-vibrator.c +@@ -14,7 +14,8 @@ + + #define VIB_MAX_LEVEL_mV (3100) + #define VIB_MIN_LEVEL_mV (1200) +-#define VIB_MAX_LEVELS (VIB_MAX_LEVEL_mV - VIB_MIN_LEVEL_mV) ++#define VIB_PER_STEP_mV (100) ++#define VIB_MAX_LEVELS (VIB_MAX_LEVEL_mV - VIB_MIN_LEVEL_mV + VIB_PER_STEP_mV) + + #define MAX_FF_SPEED 0xff + +@@ -118,10 +119,10 @@ static void pm8xxx_work_handler(struct work_struct *work) + vib->active = true; + vib->level = ((VIB_MAX_LEVELS * vib->speed) / MAX_FF_SPEED) + + VIB_MIN_LEVEL_mV; +- vib->level /= 100; ++ vib->level /= VIB_PER_STEP_mV; + } else { + vib->active = false; +- vib->level = VIB_MIN_LEVEL_mV / 100; ++ vib->level = VIB_MIN_LEVEL_mV / VIB_PER_STEP_mV; + } + + pm8xxx_vib_set(vib, vib->active); +-- +2.43.0 + diff --git a/queue-5.4/ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch b/queue-5.4/ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch new file mode 100644 index 00000000000..6263ae541dc --- /dev/null +++ b/queue-5.4/ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch @@ -0,0 +1,125 @@ +From 2eabb6159947223f344401391dd70ed0e5b25281 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 May 2024 08:54:35 +0800 +Subject: ipv6: sr: fix memleak in seg6_hmac_init_algo + +From: Hangbin Liu + +[ Upstream commit efb9f4f19f8e37fde43dfecebc80292d179f56c6 ] + +seg6_hmac_init_algo returns without cleaning up the previous allocations +if one fails, so it's going to leak all that memory and the crypto tfms. + +Update seg6_hmac_exit to only free the memory when allocated, so we can +reuse the code directly. + +Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") +Reported-by: Sabrina Dubroca +Closes: https://lore.kernel.org/netdev/Zj3bh-gE7eT6V6aH@hog/ +Signed-off-by: Hangbin Liu +Reviewed-by: Simon Horman +Reviewed-by: Sabrina Dubroca +Link: https://lore.kernel.org/r/20240517005435.2600277-1-liuhangbin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_hmac.c | 42 ++++++++++++++++++++++++++++-------------- + 1 file changed, 28 insertions(+), 14 deletions(-) + +diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c +index 65394abf4736b..b3b2aa92e60d4 100644 +--- a/net/ipv6/seg6_hmac.c ++++ b/net/ipv6/seg6_hmac.c +@@ -356,6 +356,7 @@ static int seg6_hmac_init_algo(void) + struct crypto_shash *tfm; + struct shash_desc *shash; + int i, alg_count, cpu; ++ int ret = -ENOMEM; + + alg_count = ARRAY_SIZE(hmac_algos); + +@@ -366,12 +367,14 @@ static int seg6_hmac_init_algo(void) + algo = &hmac_algos[i]; + algo->tfms = alloc_percpu(struct crypto_shash *); + if (!algo->tfms) +- return -ENOMEM; ++ goto error_out; + + for_each_possible_cpu(cpu) { + tfm = crypto_alloc_shash(algo->name, 0, 0); +- if (IS_ERR(tfm)) +- return PTR_ERR(tfm); ++ if (IS_ERR(tfm)) { ++ ret = PTR_ERR(tfm); ++ goto error_out; ++ } + p_tfm = per_cpu_ptr(algo->tfms, cpu); + *p_tfm = tfm; + } +@@ -383,18 +386,22 @@ static int seg6_hmac_init_algo(void) + + algo->shashs = alloc_percpu(struct shash_desc *); + if (!algo->shashs) +- return -ENOMEM; ++ goto error_out; + + for_each_possible_cpu(cpu) { + shash = kzalloc_node(shsize, GFP_KERNEL, + cpu_to_node(cpu)); + if (!shash) +- return -ENOMEM; ++ goto error_out; + *per_cpu_ptr(algo->shashs, cpu) = shash; + } + } + + return 0; ++ ++error_out: ++ seg6_hmac_exit(); ++ return ret; + } + + int __init seg6_hmac_init(void) +@@ -414,22 +421,29 @@ int __net_init seg6_hmac_net_init(struct net *net) + void seg6_hmac_exit(void) + { + struct seg6_hmac_algo *algo = NULL; ++ struct crypto_shash *tfm; ++ struct shash_desc *shash; + int i, alg_count, cpu; + + alg_count = ARRAY_SIZE(hmac_algos); + for (i = 0; i < alg_count; i++) { + algo = &hmac_algos[i]; +- for_each_possible_cpu(cpu) { +- struct crypto_shash *tfm; +- struct shash_desc *shash; + +- shash = *per_cpu_ptr(algo->shashs, cpu); +- kfree(shash); +- tfm = *per_cpu_ptr(algo->tfms, cpu); +- crypto_free_shash(tfm); ++ if (algo->shashs) { ++ for_each_possible_cpu(cpu) { ++ shash = *per_cpu_ptr(algo->shashs, cpu); ++ kfree(shash); ++ } ++ free_percpu(algo->shashs); ++ } ++ ++ if (algo->tfms) { ++ for_each_possible_cpu(cpu) { ++ tfm = *per_cpu_ptr(algo->tfms, cpu); ++ crypto_free_shash(tfm); ++ } ++ free_percpu(algo->tfms); + } +- free_percpu(algo->tfms); +- free_percpu(algo->shashs); + } + } + EXPORT_SYMBOL(seg6_hmac_exit); +-- +2.43.0 + diff --git a/queue-5.4/media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch b/queue-5.4/media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch new file mode 100644 index 00000000000..dae4532fb85 --- /dev/null +++ b/queue-5.4/media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch @@ -0,0 +1,39 @@ +From ca7964ec30988a24ea9ed0330684ae9e275cfad9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 12:24:38 +0000 +Subject: media: cec: cec-adap: always cancel work in cec_transmit_msg_fh + +From: Hans Verkuil + +[ Upstream commit 9fe2816816a3c765dff3b88af5b5c3d9bbb911ce ] + +Do not check for !data->completed, just always call +cancel_delayed_work_sync(). This fixes a small race condition. + +Signed-off-by: Hans Verkuil +Reported-by: Yang, Chenyuan +Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/ +Fixes: 490d84f6d73c ("media: cec: forgot to cancel delayed work") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/cec/cec-adap.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c +index 4c1770b8128cb..94ddaca496c94 100644 +--- a/drivers/media/cec/cec-adap.c ++++ b/drivers/media/cec/cec-adap.c +@@ -908,8 +908,7 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg, + */ + mutex_unlock(&adap->lock); + wait_for_completion_killable(&data->c); +- if (!data->completed) +- cancel_delayed_work_sync(&data->work); ++ cancel_delayed_work_sync(&data->work); + mutex_lock(&adap->lock); + + /* Cancel the transmit if it was interrupted */ +-- +2.43.0 + diff --git a/queue-5.4/media-cec-cec-api-add-locking-in-cec_release.patch b/queue-5.4/media-cec-cec-api-add-locking-in-cec_release.patch new file mode 100644 index 00000000000..8cb21b1cc8c --- /dev/null +++ b/queue-5.4/media-cec-cec-api-add-locking-in-cec_release.patch @@ -0,0 +1,46 @@ +From 067f3cf836a912899497f300cf6547b62d702e22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 12:25:55 +0000 +Subject: media: cec: cec-api: add locking in cec_release() + +From: Hans Verkuil + +[ Upstream commit 42bcaacae924bf18ae387c3f78c202df0b739292 ] + +When cec_release() uses fh->msgs it has to take fh->lock, +otherwise the list can get corrupted. + +Signed-off-by: Hans Verkuil +Reported-by: Yang, Chenyuan +Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/ +Fixes: ca684386e6e2 ("[media] cec: add HDMI CEC framework (api)") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/cec/cec-api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/cec/cec-api.c b/drivers/media/cec/cec-api.c +index ed75636a6fb34..90e90234f5bd8 100644 +--- a/drivers/media/cec/cec-api.c ++++ b/drivers/media/cec/cec-api.c +@@ -652,6 +652,8 @@ static int cec_release(struct inode *inode, struct file *filp) + list_del(&data->xfer_list); + } + mutex_unlock(&adap->lock); ++ ++ mutex_lock(&fh->lock); + while (!list_empty(&fh->msgs)) { + struct cec_msg_entry *entry = + list_first_entry(&fh->msgs, struct cec_msg_entry, list); +@@ -669,6 +671,7 @@ static int cec_release(struct inode *inode, struct file *filp) + kfree(entry); + } + } ++ mutex_unlock(&fh->lock); + kfree(fh); + + cec_put_device(devnode); +-- +2.43.0 + diff --git a/queue-5.4/media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch b/queue-5.4/media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch new file mode 100644 index 00000000000..ff2f501ca78 --- /dev/null +++ b/queue-5.4/media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch @@ -0,0 +1,84 @@ +From cea3f7e37430b8f0965b6560823226808d1cfb1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 12:32:44 +0300 +Subject: media: stk1160: fix bounds checking in stk1160_copy_video() + +From: Dan Carpenter + +[ Upstream commit faa4364bef2ec0060de381ff028d1d836600a381 ] + +The subtract in this condition is reversed. The ->length is the length +of the buffer. The ->bytesused is how many bytes we have copied thus +far. When the condition is reversed that means the result of the +subtraction is always negative but since it's unsigned then the result +is a very high positive value. That means the overflow check is never +true. + +Additionally, the ->bytesused doesn't actually work for this purpose +because we're not writing to "buf->mem + buf->bytesused". Instead, the +math to calculate the destination where we are writing is a bit +involved. You calculate the number of full lines already written, +multiply by two, skip a line if necessary so that we start on an odd +numbered line, and add the offset into the line. + +To fix this buffer overflow, just take the actual destination where we +are writing, if the offset is already out of bounds print an error and +return. Otherwise, write up to buf->length bytes. + +Fixes: 9cb2173e6ea8 ("[media] media: Add stk1160 new driver (easycap replacement)") +Signed-off-by: Dan Carpenter +Reviewed-by: Ricardo Ribalda +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/stk1160/stk1160-video.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/usb/stk1160/stk1160-video.c b/drivers/media/usb/stk1160/stk1160-video.c +index 4cf540d1b2501..2a5a90311e0cc 100644 +--- a/drivers/media/usb/stk1160/stk1160-video.c ++++ b/drivers/media/usb/stk1160/stk1160-video.c +@@ -99,7 +99,7 @@ void stk1160_buffer_done(struct stk1160 *dev) + static inline + void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len) + { +- int linesdone, lineoff, lencopy; ++ int linesdone, lineoff, lencopy, offset; + int bytesperline = dev->width * 2; + struct stk1160_buffer *buf = dev->isoc_ctl.buf; + u8 *dst = buf->mem; +@@ -139,8 +139,13 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len) + * Check if we have enough space left in the buffer. + * In that case, we force loop exit after copy. + */ +- if (lencopy > buf->bytesused - buf->length) { +- lencopy = buf->bytesused - buf->length; ++ offset = dst - (u8 *)buf->mem; ++ if (offset > buf->length) { ++ dev_warn_ratelimited(dev->dev, "out of bounds offset\n"); ++ return; ++ } ++ if (lencopy > buf->length - offset) { ++ lencopy = buf->length - offset; + remain = lencopy; + } + +@@ -182,8 +187,13 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len) + * Check if we have enough space left in the buffer. + * In that case, we force loop exit after copy. + */ +- if (lencopy > buf->bytesused - buf->length) { +- lencopy = buf->bytesused - buf->length; ++ offset = dst - (u8 *)buf->mem; ++ if (offset > buf->length) { ++ dev_warn_ratelimited(dev->dev, "offset out of bounds\n"); ++ return; ++ } ++ if (lencopy > buf->length - offset) { ++ lencopy = buf->length - offset; + remain = lencopy; + } + +-- +2.43.0 + diff --git a/queue-5.4/net-fec-avoid-lock-evasion-when-reading-pps_enable.patch b/queue-5.4/net-fec-avoid-lock-evasion-when-reading-pps_enable.patch new file mode 100644 index 00000000000..d0253a822dd --- /dev/null +++ b/queue-5.4/net-fec-avoid-lock-evasion-when-reading-pps_enable.patch @@ -0,0 +1,62 @@ +From 21b1d9b8845ae28ad121619a940156deff81105d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 May 2024 10:38:00 +0800 +Subject: net: fec: avoid lock evasion when reading pps_enable + +From: Wei Fang + +[ Upstream commit 3b1c92f8e5371700fada307cc8fd2c51fa7bc8c1 ] + +The assignment of pps_enable is protected by tmreg_lock, but the read +operation of pps_enable is not. So the Coverity tool reports a lock +evasion warning which may cause data race to occur when running in a +multithread environment. Although this issue is almost impossible to +occur, we'd better fix it, at least it seems more logically reasonable, +and it also prevents Coverity from continuing to issue warnings. + +Fixes: 278d24047891 ("net: fec: ptp: Enable PPS output based on ptp clock") +Signed-off-by: Wei Fang +Link: https://lore.kernel.org/r/20240521023800.17102-1-wei.fang@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_ptp.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c +index 6fd0c73b327e2..37b8ad29b5b30 100644 +--- a/drivers/net/ethernet/freescale/fec_ptp.c ++++ b/drivers/net/ethernet/freescale/fec_ptp.c +@@ -108,14 +108,13 @@ static int fec_ptp_enable_pps(struct fec_enet_private *fep, uint enable) + return -EINVAL; + } + +- if (fep->pps_enable == enable) +- return 0; +- +- fep->pps_channel = DEFAULT_PPS_CHANNEL; +- fep->reload_period = PPS_OUPUT_RELOAD_PERIOD; +- + spin_lock_irqsave(&fep->tmreg_lock, flags); + ++ if (fep->pps_enable == enable) { ++ spin_unlock_irqrestore(&fep->tmreg_lock, flags); ++ return 0; ++ } ++ + if (enable) { + /* clear capture or output compare interrupt status if have. + */ +@@ -446,6 +445,9 @@ static int fec_ptp_enable(struct ptp_clock_info *ptp, + int ret = 0; + + if (rq->type == PTP_CLK_REQ_PPS) { ++ fep->pps_channel = DEFAULT_PPS_CHANNEL; ++ fep->reload_period = PPS_OUPUT_RELOAD_PERIOD; ++ + ret = fec_ptp_enable_pps(fep, on); + + return ret; +-- +2.43.0 + diff --git a/queue-5.4/nfc-nci-fix-handling-of-zero-length-payload-packets-.patch b/queue-5.4/nfc-nci-fix-handling-of-zero-length-payload-packets-.patch new file mode 100644 index 00000000000..9b434378d4b --- /dev/null +++ b/queue-5.4/nfc-nci-fix-handling-of-zero-length-payload-packets-.patch @@ -0,0 +1,42 @@ +From 479a9c4172f38764f0c7338a7f7635a50b123008 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 May 2024 00:34:42 +0900 +Subject: nfc: nci: Fix handling of zero-length payload packets in + nci_rx_work() + +From: Ryosuke Yasuoka + +[ Upstream commit 6671e352497ca4bb07a96c48e03907065ff77d8a ] + +When nci_rx_work() receives a zero-length payload packet, it should not +discard the packet and exit the loop. Instead, it should continue +processing subsequent packets. + +Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet") +Signed-off-by: Ryosuke Yasuoka +Reviewed-by: Simon Horman +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20240521153444.535399-1-ryasuoka@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/nfc/nci/core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index ebf1b511d8e3b..58ac4c80495ef 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -1514,8 +1514,7 @@ static void nci_rx_work(struct work_struct *work) + + if (!nci_valid_size(skb)) { + kfree_skb(skb); +- kcov_remote_stop(); +- break; ++ continue; + } + + /* Process frame */ +-- +2.43.0 + diff --git a/queue-5.4/nfc-nci-fix-kcov-check-in-nci_rx_work.patch b/queue-5.4/nfc-nci-fix-kcov-check-in-nci_rx_work.patch new file mode 100644 index 00000000000..94538be24bf --- /dev/null +++ b/queue-5.4/nfc-nci-fix-kcov-check-in-nci_rx_work.patch @@ -0,0 +1,45 @@ +From a52538596b0b5b9aba344e2465cc28a5d495c84b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 May 2024 19:36:49 +0900 +Subject: nfc: nci: Fix kcov check in nci_rx_work() + +From: Tetsuo Handa + +[ Upstream commit 19e35f24750ddf860c51e51c68cf07ea181b4881 ] + +Commit 7e8cdc97148c ("nfc: Add KCOV annotations") added +kcov_remote_start_common()/kcov_remote_stop() pair into nci_rx_work(), +with an assumption that kcov_remote_stop() is called upon continue of +the for loop. But commit d24b03535e5e ("nfc: nci: Fix uninit-value in +nci_dev_up and nci_ntf_packet") forgot to call kcov_remote_stop() before +break of the for loop. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=0438378d6f157baae1a2 +Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet") +Suggested-by: Andrey Konovalov +Signed-off-by: Tetsuo Handa +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/6d10f829-5a0c-405a-b39a-d7266f3a1a0b@I-love.SAKURA.ne.jp +Signed-off-by: Jakub Kicinski +Stable-dep-of: 6671e352497c ("nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()") +Signed-off-by: Sasha Levin +--- + net/nfc/nci/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index 61b12281ec47c..ebf1b511d8e3b 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -1514,6 +1514,7 @@ static void nci_rx_work(struct work_struct *work) + + if (!nci_valid_size(skb)) { + kfree_skb(skb); ++ kcov_remote_stop(); + break; + } + +-- +2.43.0 + diff --git a/queue-5.4/nfc-nci-fix-uninit-value-in-nci_rx_work.patch b/queue-5.4/nfc-nci-fix-uninit-value-in-nci_rx_work.patch new file mode 100644 index 00000000000..9264a410206 --- /dev/null +++ b/queue-5.4/nfc-nci-fix-uninit-value-in-nci_rx_work.patch @@ -0,0 +1,63 @@ +From 8346101962fd5877a55950d4cc0b3769e16cc1b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 May 2024 18:43:03 +0900 +Subject: nfc: nci: Fix uninit-value in nci_rx_work + +From: Ryosuke Yasuoka + +[ Upstream commit e4a87abf588536d1cdfb128595e6e680af5cf3ed ] + +syzbot reported the following uninit-value access issue [1] + +nci_rx_work() parses received packet from ndev->rx_q. It should be +validated header size, payload size and total packet size before +processing the packet. If an invalid packet is detected, it should be +silently discarded. + +Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet") +Reported-and-tested-by: syzbot+d7b4dc6cd50410152534@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=d7b4dc6cd50410152534 [1] +Signed-off-by: Ryosuke Yasuoka +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/nci/core.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index 701c3752bda09..61b12281ec47c 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -1449,6 +1449,19 @@ int nci_core_ntf_packet(struct nci_dev *ndev, __u16 opcode, + ndev->ops->n_core_ops); + } + ++static bool nci_valid_size(struct sk_buff *skb) ++{ ++ BUILD_BUG_ON(NCI_CTRL_HDR_SIZE != NCI_DATA_HDR_SIZE); ++ unsigned int hdr_size = NCI_CTRL_HDR_SIZE; ++ ++ if (skb->len < hdr_size || ++ !nci_plen(skb->data) || ++ skb->len < hdr_size + nci_plen(skb->data)) { ++ return false; ++ } ++ return true; ++} ++ + /* ---- NCI TX Data worker thread ---- */ + + static void nci_tx_work(struct work_struct *work) +@@ -1499,7 +1512,7 @@ static void nci_rx_work(struct work_struct *work) + nfc_send_to_raw_sock(ndev->nfc_dev, skb, + RAW_PAYLOAD_NCI, NFC_DIRECTION_RX); + +- if (!nci_plen(skb->data)) { ++ if (!nci_valid_size(skb)) { + kfree_skb(skb); + break; + } +-- +2.43.0 + diff --git a/queue-5.4/null_blk-fix-the-warning-modpost-missing-module_desc.patch b/queue-5.4/null_blk-fix-the-warning-modpost-missing-module_desc.patch new file mode 100644 index 00000000000..76232d99a58 --- /dev/null +++ b/queue-5.4/null_blk-fix-the-warning-modpost-missing-module_desc.patch @@ -0,0 +1,34 @@ +From 3c5f6ee6b81bd34304abb6403464cdce5ab7f6c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 09:55:38 +0200 +Subject: null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION() + +From: Zhu Yanjun + +[ Upstream commit 9e6727f824edcdb8fdd3e6e8a0862eb49546e1cd ] + +No functional changes intended. + +Fixes: f2298c0403b0 ("null_blk: multi queue aware block test driver") +Signed-off-by: Zhu Yanjun +Reviewed-by: Chaitanya Kulkarni +Link: https://lore.kernel.org/r/20240506075538.6064-1-yanjun.zhu@linux.dev +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/null_blk_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/block/null_blk_main.c b/drivers/block/null_blk_main.c +index b6210bf0724d5..218658df77ae5 100644 +--- a/drivers/block/null_blk_main.c ++++ b/drivers/block/null_blk_main.c +@@ -1876,4 +1876,5 @@ module_init(null_init); + module_exit(null_exit); + + MODULE_AUTHOR("Jens Axboe "); ++MODULE_DESCRIPTION("multi queue aware block test driver"); + MODULE_LICENSE("GPL"); +-- +2.43.0 + diff --git a/queue-5.4/openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch b/queue-5.4/openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch new file mode 100644 index 00000000000..995cd3b67c1 --- /dev/null +++ b/queue-5.4/openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch @@ -0,0 +1,101 @@ +From 9624528578e70ebc4a73d128565e7e88cc8718eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 May 2024 16:09:41 -0400 +Subject: openvswitch: Set the skbuff pkt_type for proper pmtud support. + +From: Aaron Conole + +[ Upstream commit 30a92c9e3d6b073932762bef2ac66f4ee784c657 ] + +Open vSwitch is originally intended to switch at layer 2, only dealing with +Ethernet frames. With the introduction of l3 tunnels support, it crossed +into the realm of needing to care a bit about some routing details when +making forwarding decisions. If an oversized packet would need to be +fragmented during this forwarding decision, there is a chance for pmtu +to get involved and generate a routing exception. This is gated by the +skbuff->pkt_type field. + +When a flow is already loaded into the openvswitch module this field is +set up and transitioned properly as a packet moves from one port to +another. In the case that a packet execute is invoked after a flow is +newly installed this field is not properly initialized. This causes the +pmtud mechanism to omit sending the required exception messages across +the tunnel boundary and a second attempt needs to be made to make sure +that the routing exception is properly setup. To fix this, we set the +outgoing packet's pkt_type to PACKET_OUTGOING, since it can only get +to the openvswitch module via a port device or packet command. + +Even for bridge ports as users, the pkt_type needs to be reset when +doing the transmit as the packet is truly outgoing and routing needs +to get involved post packet transformations, in the case of +VXLAN/GENEVE/udp-tunnel packets. In general, the pkt_type on output +gets ignored, since we go straight to the driver, but in the case of +tunnel ports they go through IP routing layer. + +This issue is periodically encountered in complex setups, such as large +openshift deployments, where multiple sets of tunnel traversal occurs. +A way to recreate this is with the ovn-heater project that can setup +a networking environment which mimics such large deployments. We need +larger environments for this because we need to ensure that flow +misses occur. In these environment, without this patch, we can see: + + ./ovn_cluster.sh start + podman exec ovn-chassis-1 ip r a 170.168.0.5/32 dev eth1 mtu 1200 + podman exec ovn-chassis-1 ip netns exec sw01p1 ip r flush cache + podman exec ovn-chassis-1 ip netns exec sw01p1 \ + ping 21.0.0.3 -M do -s 1300 -c2 + PING 21.0.0.3 (21.0.0.3) 1300(1328) bytes of data. + From 21.0.0.3 icmp_seq=2 Frag needed and DF set (mtu = 1142) + + --- 21.0.0.3 ping statistics --- + ... + +Using tcpdump, we can also see the expected ICMP FRAG_NEEDED message is not +sent into the server. + +With this patch, setting the pkt_type, we see the following: + + podman exec ovn-chassis-1 ip netns exec sw01p1 \ + ping 21.0.0.3 -M do -s 1300 -c2 + PING 21.0.0.3 (21.0.0.3) 1300(1328) bytes of data. + From 21.0.0.3 icmp_seq=1 Frag needed and DF set (mtu = 1222) + ping: local error: message too long, mtu=1222 + + --- 21.0.0.3 ping statistics --- + ... + +In this case, the first ping request receives the FRAG_NEEDED message and +a local routing exception is created. + +Tested-by: Jaime Caamano +Reported-at: https://issues.redhat.com/browse/FDP-164 +Fixes: 58264848a5a7 ("openvswitch: Add vxlan tunneling support.") +Signed-off-by: Aaron Conole +Acked-by: Eelco Chaudron +Link: https://lore.kernel.org/r/20240516200941.16152-1-aconole@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/actions.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index 9e8a5c4862d04..7cef078304c3d 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -931,6 +931,12 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port, + pskb_trim(skb, ovs_mac_header_len(key)); + } + ++ /* Need to set the pkt_type to involve the routing layer. The ++ * packet movement through the OVS datapath doesn't generally ++ * use routing, but this is needed for tunnel cases. ++ */ ++ skb->pkt_type = PACKET_OUTGOING; ++ + if (likely(!mru || + (skb->len <= mru + vport->dev->hard_header_len))) { + ovs_vport_send(vport, skb, ovs_key_mac_proto(key)); +-- +2.43.0 + diff --git a/queue-5.4/params-lift-param_set_uint_minmax-to-common-code.patch b/queue-5.4/params-lift-param_set_uint_minmax-to-common-code.patch new file mode 100644 index 00000000000..7c9e37f84c9 --- /dev/null +++ b/queue-5.4/params-lift-param_set_uint_minmax-to-common-code.patch @@ -0,0 +1,99 @@ +From 96f29f134760042c04d07e3ed92a6b9d4dc6aaf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 14:19:33 -0700 +Subject: params: lift param_set_uint_minmax to common code + +From: Sagi Grimberg + +[ Upstream commit 2a14c9ae15a38148484a128b84bff7e9ffd90d68 ] + +It is a useful helper hence move it to common code so others can enjoy +it. + +Suggested-by: Christoph Hellwig +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Hannes Reinecke +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Stable-dep-of: 3ebc46ca8675 ("tcp: Fix shift-out-of-bounds in dctcp_update_alpha().") +Signed-off-by: Sasha Levin +--- + include/linux/moduleparam.h | 2 ++ + kernel/params.c | 18 ++++++++++++++++++ + net/sunrpc/xprtsock.c | 18 ------------------ + 3 files changed, 20 insertions(+), 18 deletions(-) + +diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h +index 5ba250d9172ac..4d5a851cafe8b 100644 +--- a/include/linux/moduleparam.h ++++ b/include/linux/moduleparam.h +@@ -359,6 +359,8 @@ extern int param_get_int(char *buffer, const struct kernel_param *kp); + extern const struct kernel_param_ops param_ops_uint; + extern int param_set_uint(const char *val, const struct kernel_param *kp); + extern int param_get_uint(char *buffer, const struct kernel_param *kp); ++int param_set_uint_minmax(const char *val, const struct kernel_param *kp, ++ unsigned int min, unsigned int max); + #define param_check_uint(name, p) __param_check(name, p, unsigned int) + + extern const struct kernel_param_ops param_ops_long; +diff --git a/kernel/params.c b/kernel/params.c +index 8e56f8b12d8f7..b638476d12de1 100644 +--- a/kernel/params.c ++++ b/kernel/params.c +@@ -242,6 +242,24 @@ STANDARD_PARAM_DEF(long, long, "%li", kstrtol); + STANDARD_PARAM_DEF(ulong, unsigned long, "%lu", kstrtoul); + STANDARD_PARAM_DEF(ullong, unsigned long long, "%llu", kstrtoull); + ++int param_set_uint_minmax(const char *val, const struct kernel_param *kp, ++ unsigned int min, unsigned int max) ++{ ++ unsigned int num; ++ int ret; ++ ++ if (!val) ++ return -EINVAL; ++ ret = kstrtouint(val, 0, &num); ++ if (ret) ++ return ret; ++ if (num < min || num > max) ++ return -EINVAL; ++ *((unsigned int *)kp->arg) = num; ++ return 0; ++} ++EXPORT_SYMBOL_GPL(param_set_uint_minmax); ++ + int param_set_charp(const char *val, const struct kernel_param *kp) + { + if (strlen(val) > 1024) { +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index 3095442b03822..39d0a3c434829 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -3302,24 +3302,6 @@ void cleanup_socket_xprt(void) + xprt_unregister_transport(&xs_bc_tcp_transport); + } + +-static int param_set_uint_minmax(const char *val, +- const struct kernel_param *kp, +- unsigned int min, unsigned int max) +-{ +- unsigned int num; +- int ret; +- +- if (!val) +- return -EINVAL; +- ret = kstrtouint(val, 0, &num); +- if (ret) +- return ret; +- if (num < min || num > max) +- return -EINVAL; +- *((unsigned int *)kp->arg) = num; +- return 0; +-} +- + static int param_set_portnr(const char *val, const struct kernel_param *kp) + { + return param_set_uint_minmax(val, kp, +-- +2.43.0 + diff --git a/queue-5.4/powerpc-pseries-add-failure-related-checks-for-h_get.patch b/queue-5.4/powerpc-pseries-add-failure-related-checks-for-h_get.patch new file mode 100644 index 00000000000..7ceb74bd0dc --- /dev/null +++ b/queue-5.4/powerpc-pseries-add-failure-related-checks-for-h_get.patch @@ -0,0 +1,86 @@ +From 0489a0ad073cdd9949a16571919d07dae1df4802 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 14:50:47 +0530 +Subject: powerpc/pseries: Add failure related checks for h_get_mpp and + h_get_ppp + +From: Shrikanth Hegde + +[ Upstream commit 6d4341638516bf97b9a34947e0bd95035a8230a5 ] + +Couple of Minor fixes: + +- hcall return values are long. Fix that for h_get_mpp, h_get_ppp and +parse_ppp_data + +- If hcall fails, values set should be at-least zero. It shouldn't be +uninitialized values. Fix that for h_get_mpp and h_get_ppp + +Signed-off-by: Shrikanth Hegde +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240412092047.455483-3-sshegde@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/hvcall.h | 2 +- + arch/powerpc/platforms/pseries/lpar.c | 6 +++--- + arch/powerpc/platforms/pseries/lparcfg.c | 6 +++--- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h +index 11112023e327d..0826c4ed83770 100644 +--- a/arch/powerpc/include/asm/hvcall.h ++++ b/arch/powerpc/include/asm/hvcall.h +@@ -444,7 +444,7 @@ struct hvcall_mpp_data { + unsigned long backing_mem; + }; + +-int h_get_mpp(struct hvcall_mpp_data *); ++long h_get_mpp(struct hvcall_mpp_data *mpp_data); + + struct hvcall_mpp_x_data { + unsigned long coalesced_bytes; +diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c +index 52e466d4a33ca..d5700ef27e36c 100644 +--- a/arch/powerpc/platforms/pseries/lpar.c ++++ b/arch/powerpc/platforms/pseries/lpar.c +@@ -1871,10 +1871,10 @@ void __trace_hcall_exit(long opcode, long retval, unsigned long *retbuf) + * h_get_mpp + * H_GET_MPP hcall returns info in 7 parms + */ +-int h_get_mpp(struct hvcall_mpp_data *mpp_data) ++long h_get_mpp(struct hvcall_mpp_data *mpp_data) + { +- int rc; +- unsigned long retbuf[PLPAR_HCALL9_BUFSIZE]; ++ unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0}; ++ long rc; + + rc = plpar_hcall9(H_GET_MPP, retbuf); + +diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platforms/pseries/lparcfg.c +index e12cf62357f29..676a60927dad9 100644 +--- a/arch/powerpc/platforms/pseries/lparcfg.c ++++ b/arch/powerpc/platforms/pseries/lparcfg.c +@@ -112,8 +112,8 @@ struct hvcall_ppp_data { + */ + static unsigned int h_get_ppp(struct hvcall_ppp_data *ppp_data) + { +- unsigned long rc; +- unsigned long retbuf[PLPAR_HCALL9_BUFSIZE]; ++ unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0}; ++ long rc; + + rc = plpar_hcall9(H_GET_PPP, retbuf); + +@@ -159,7 +159,7 @@ static void parse_ppp_data(struct seq_file *m) + struct hvcall_ppp_data ppp_data; + struct device_node *root; + const __be32 *perf_level; +- int rc; ++ long rc; + + rc = h_get_ppp(&ppp_data); + if (rc) +-- +2.43.0 + diff --git a/queue-5.4/scsi-qla2xxx-replace-all-non-returning-strlcpy-with-.patch b/queue-5.4/scsi-qla2xxx-replace-all-non-returning-strlcpy-with-.patch new file mode 100644 index 00000000000..2fc2b3ff07e --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-replace-all-non-returning-strlcpy-with-.patch @@ -0,0 +1,117 @@ +From 436205c00c978a7e65afebbf78503bd74f87df26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 02:54:04 +0000 +Subject: scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy() + +From: Azeem Shaikh + +[ Upstream commit 37f1663c91934f664fb850306708094a324c227c ] + +strlcpy() reads the entire source buffer first. This read may exceed the +destination size limit. This is both inefficient and can lead to linear +read overflows if a source string is not NUL-terminated [1]. In an effort +to remove strlcpy() completely [2], replace strlcpy() here with strscpy(). +No return values were used, so direct replacement is safe. + +[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy +[2] https://github.com/KSPP/linux/issues/89 + +Signed-off-by: Azeem Shaikh +Link: https://lore.kernel.org/r/20230516025404.2843867-1-azeemshaikh38@gmail.com +Reviewed-by: Kees Cook +Signed-off-by: Martin K. Petersen +Stable-dep-of: c3408c4ae041 ("scsi: qla2xxx: Avoid possible run-time warning with long model_num") +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 8 ++++---- + drivers/scsi/qla2xxx/qla_mr.c | 20 ++++++++++---------- + 2 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 8a0ac87f70a9d..11ee2c7487b2a 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -4479,7 +4479,7 @@ qla2x00_set_model_info(scsi_qla_host_t *vha, uint8_t *model, size_t len, + if (use_tbl && + ha->pdev->subsystem_vendor == PCI_VENDOR_ID_QLOGIC && + index < QLA_MODEL_NAMES) +- strlcpy(ha->model_desc, ++ strscpy(ha->model_desc, + qla2x00_model_name[index * 2 + 1], + sizeof(ha->model_desc)); + } else { +@@ -4487,14 +4487,14 @@ qla2x00_set_model_info(scsi_qla_host_t *vha, uint8_t *model, size_t len, + if (use_tbl && + ha->pdev->subsystem_vendor == PCI_VENDOR_ID_QLOGIC && + index < QLA_MODEL_NAMES) { +- strlcpy(ha->model_number, ++ strscpy(ha->model_number, + qla2x00_model_name[index * 2], + sizeof(ha->model_number)); +- strlcpy(ha->model_desc, ++ strscpy(ha->model_desc, + qla2x00_model_name[index * 2 + 1], + sizeof(ha->model_desc)); + } else { +- strlcpy(ha->model_number, def, ++ strscpy(ha->model_number, def, + sizeof(ha->model_number)); + } + } +diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c +index badd09c5dd429..6b44be4ce5bd4 100644 +--- a/drivers/scsi/qla2xxx/qla_mr.c ++++ b/drivers/scsi/qla2xxx/qla_mr.c +@@ -693,7 +693,7 @@ qlafx00_pci_info_str(struct scsi_qla_host *vha, char *str, size_t str_len) + struct qla_hw_data *ha = vha->hw; + + if (pci_is_pcie(ha->pdev)) +- strlcpy(str, "PCIe iSA", str_len); ++ strscpy(str, "PCIe iSA", str_len); + return str; + } + +@@ -1854,21 +1854,21 @@ qlafx00_fx_disc(scsi_qla_host_t *vha, fc_port_t *fcport, uint16_t fx_type) + phost_info = &preg_hsi->hsi; + memset(preg_hsi, 0, sizeof(struct register_host_info)); + phost_info->os_type = OS_TYPE_LINUX; +- strlcpy(phost_info->sysname, p_sysid->sysname, ++ strscpy(phost_info->sysname, p_sysid->sysname, + sizeof(phost_info->sysname)); +- strlcpy(phost_info->nodename, p_sysid->nodename, ++ strscpy(phost_info->nodename, p_sysid->nodename, + sizeof(phost_info->nodename)); + if (!strcmp(phost_info->nodename, "(none)")) + ha->mr.host_info_resend = true; +- strlcpy(phost_info->release, p_sysid->release, ++ strscpy(phost_info->release, p_sysid->release, + sizeof(phost_info->release)); +- strlcpy(phost_info->version, p_sysid->version, ++ strscpy(phost_info->version, p_sysid->version, + sizeof(phost_info->version)); +- strlcpy(phost_info->machine, p_sysid->machine, ++ strscpy(phost_info->machine, p_sysid->machine, + sizeof(phost_info->machine)); +- strlcpy(phost_info->domainname, p_sysid->domainname, ++ strscpy(phost_info->domainname, p_sysid->domainname, + sizeof(phost_info->domainname)); +- strlcpy(phost_info->hostdriver, QLA2XXX_VERSION, ++ strscpy(phost_info->hostdriver, QLA2XXX_VERSION, + sizeof(phost_info->hostdriver)); + preg_hsi->utc = (uint64_t)ktime_get_real_seconds(); + ql_dbg(ql_dbg_init, vha, 0x0149, +@@ -1914,9 +1914,9 @@ qlafx00_fx_disc(scsi_qla_host_t *vha, fc_port_t *fcport, uint16_t fx_type) + if (fx_type == FXDISC_GET_CONFIG_INFO) { + struct config_info_data *pinfo = + (struct config_info_data *) fdisc->u.fxiocb.rsp_addr; +- strlcpy(vha->hw->model_number, pinfo->model_num, ++ strscpy(vha->hw->model_number, pinfo->model_num, + ARRAY_SIZE(vha->hw->model_number)); +- strlcpy(vha->hw->model_desc, pinfo->model_description, ++ strscpy(vha->hw->model_desc, pinfo->model_description, + ARRAY_SIZE(vha->hw->model_desc)); + memcpy(&vha->hw->mr.symbolic_name, pinfo->symbolic_name, + sizeof(vha->hw->mr.symbolic_name)); +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index dedfec5bb5d..d612a56d04c 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -122,3 +122,28 @@ f2fs-fix-to-release-node-block-count-in-error-path-o.patch serial-sh-sci-protect-invalidating-rxdma-on-shutdown.patch libsubcmd-fix-parse-options-memory-leak.patch perf-stat-don-t-display-metric-header-for-non-leader.patch +input-ims-pcu-fix-printf-string-overflow.patch +input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch +drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch +um-fix-return-value-in-ubd_init.patch +um-add-winch-to-winch_handlers-before-registering-wi.patch +media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch +scsi-qla2xxx-replace-all-non-returning-strlcpy-with-.patch +powerpc-pseries-add-failure-related-checks-for-h_get.patch +um-fix-the-wmissing-prototypes-warning-for-__switch_.patch +media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch +media-cec-cec-api-add-locking-in-cec_release.patch +null_blk-fix-the-warning-modpost-missing-module_desc.patch +x86-kconfig-select-arch_want_frame_pointers-again-wh.patch +nfc-nci-fix-uninit-value-in-nci_rx_work.patch +sunrpc-fix-nfsacl-rpc-retry-on-soft-mount.patch +ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch +params-lift-param_set_uint_minmax-to-common-code.patch +tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch +openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch +arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch +virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch +net-fec-avoid-lock-evasion-when-reading-pps_enable.patch +tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch +nfc-nci-fix-kcov-check-in-nci_rx_work.patch +nfc-nci-fix-handling-of-zero-length-payload-packets-.patch diff --git a/queue-5.4/sunrpc-fix-nfsacl-rpc-retry-on-soft-mount.patch b/queue-5.4/sunrpc-fix-nfsacl-rpc-retry-on-soft-mount.patch new file mode 100644 index 00000000000..ee8c1fbb8a9 --- /dev/null +++ b/queue-5.4/sunrpc-fix-nfsacl-rpc-retry-on-soft-mount.patch @@ -0,0 +1,55 @@ +From 9e42b8b18d3303498abce01fcd9b4e29c46dc105 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 13:49:38 +0300 +Subject: sunrpc: fix NFSACL RPC retry on soft mount + +From: Dan Aloni + +[ Upstream commit 0dc9f430027b8bd9073fdafdfcdeb1a073ab5594 ] + +It used to be quite awhile ago since 1b63a75180c6 ('SUNRPC: Refactor +rpc_clone_client()'), in 2012, that `cl_timeout` was copied in so that +all mount parameters propagate to NFSACL clients. However since that +change, if mount options as follows are given: + + soft,timeo=50,retrans=16,vers=3 + +The resultant NFSACL client receives: + + cl_softrtry: 1 + cl_timeout: to_initval=60000, to_maxval=60000, to_increment=0, to_retries=2, to_exponential=0 + +These values lead to NFSACL operations not being retried under the +condition of transient network outages with soft mount. Instead, getacl +call fails after 60 seconds with EIO. + +The simple fix is to pass the existing client's `cl_timeout` as the new +client timeout. + +Cc: Chuck Lever +Cc: Benjamin Coddington +Link: https://lore.kernel.org/all/20231105154857.ryakhmgaptq3hb6b@gmail.com/T/ +Fixes: 1b63a75180c6 ('SUNRPC: Refactor rpc_clone_client()') +Signed-off-by: Dan Aloni +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index c6fe108845e8b..dc3226edf22fb 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -964,6 +964,7 @@ struct rpc_clnt *rpc_bind_new_program(struct rpc_clnt *old, + .authflavor = old->cl_auth->au_flavor, + .cred = old->cl_cred, + .stats = old->cl_stats, ++ .timeout = old->cl_timeout, + }; + struct rpc_clnt *clnt; + int err; +-- +2.43.0 + diff --git a/queue-5.4/tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch b/queue-5.4/tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch new file mode 100644 index 00000000000..75bd5890182 --- /dev/null +++ b/queue-5.4/tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch @@ -0,0 +1,125 @@ +From 531ebbaf180be8a57647c0be0e9977491c972210 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 May 2024 18:16:26 +0900 +Subject: tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). + +From: Kuniyuki Iwashima + +[ Upstream commit 3ebc46ca8675de6378e3f8f40768e180bb8afa66 ] + +In dctcp_update_alpha(), we use a module parameter dctcp_shift_g +as follows: + + alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g); + ... + delivered_ce <<= (10 - dctcp_shift_g); + +It seems syzkaller started fuzzing module parameters and triggered +shift-out-of-bounds [0] by setting 100 to dctcp_shift_g: + + memcpy((void*)0x20000080, + "/sys/module/tcp_dctcp/parameters/dctcp_shift_g\000", 47); + res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul, + /*flags=*/2ul, /*mode=*/0ul); + memcpy((void*)0x20000000, "100\000", 4); + syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul); + +Let's limit the max value of dctcp_shift_g by param_set_uint_minmax(). + +With this patch: + + # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g + # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g + 10 + # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g + -bash: echo: write error: Invalid argument + +[0]: +UBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12 +shift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int') +CPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.13.0-1ubuntu1.1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114 + ubsan_epilogue lib/ubsan.c:231 [inline] + __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468 + dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143 + tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline] + tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948 + tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711 + tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937 + sk_backlog_rcv include/net/sock.h:1106 [inline] + __release_sock+0x20f/0x350 net/core/sock.c:2983 + release_sock+0x61/0x1f0 net/core/sock.c:3549 + mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907 + mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976 + __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072 + mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127 + inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437 + __sock_release net/socket.c:659 [inline] + sock_close+0xc0/0x240 net/socket.c:1421 + __fput+0x41b/0x890 fs/file_table.c:422 + task_work_run+0x23b/0x300 kernel/task_work.c:180 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0x9c8/0x2540 kernel/exit.c:878 + do_group_exit+0x201/0x2b0 kernel/exit.c:1027 + __do_sys_exit_group kernel/exit.c:1038 [inline] + __se_sys_exit_group kernel/exit.c:1036 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x67/0x6f +RIP: 0033:0x7f6c2b5005b6 +Code: Unable to access opcode bytes at 0x7f6c2b50058c. +RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6 +RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 +RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0 +R10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0 +R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 + + +Reported-by: syzkaller +Reported-by: Yue Sun +Reported-by: xingwei lee +Closes: https://lore.kernel.org/netdev/CAEkJfYNJM=cw-8x7_Vmj1J6uYVCWMbbvD=EFmDPVBGpTsqOxEA@mail.gmail.com/ +Fixes: e3118e8359bb ("net: tcp: add DCTCP congestion control algorithm") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240517091626.32772-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_dctcp.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c +index 79f705450c162..be2c97e907ae2 100644 +--- a/net/ipv4/tcp_dctcp.c ++++ b/net/ipv4/tcp_dctcp.c +@@ -55,7 +55,18 @@ struct dctcp { + }; + + static unsigned int dctcp_shift_g __read_mostly = 4; /* g = 1/2^4 */ +-module_param(dctcp_shift_g, uint, 0644); ++ ++static int dctcp_shift_g_set(const char *val, const struct kernel_param *kp) ++{ ++ return param_set_uint_minmax(val, kp, 0, 10); ++} ++ ++static const struct kernel_param_ops dctcp_shift_g_ops = { ++ .set = dctcp_shift_g_set, ++ .get = param_get_uint, ++}; ++ ++module_param_cb(dctcp_shift_g, &dctcp_shift_g_ops, &dctcp_shift_g, 0644); + MODULE_PARM_DESC(dctcp_shift_g, "parameter g for updating dctcp_alpha"); + + static unsigned int dctcp_alpha_on_init __read_mostly = DCTCP_MAX_ALPHA; +-- +2.43.0 + diff --git a/queue-5.4/tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch b/queue-5.4/tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch new file mode 100644 index 00000000000..c9056ef56d8 --- /dev/null +++ b/queue-5.4/tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch @@ -0,0 +1,76 @@ +From 762d05acb3aca8988bd532e1b002382d28d6d6c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 May 2024 21:42:20 +0800 +Subject: tcp: remove 64 KByte limit for initial tp->rcv_wnd value + +From: Jason Xing + +[ Upstream commit 378979e94e953c2070acb4f0e0c98d29260bd09d ] + +Recently, we had some servers upgraded to the latest kernel and noticed +the indicator from the user side showed worse results than before. It is +caused by the limitation of tp->rcv_wnd. + +In 2018 commit a337531b942b ("tcp: up initial rmem to 128KB and SYN rwin +to around 64KB") limited the initial value of tp->rcv_wnd to 65535, most +CDN teams would not benefit from this change because they cannot have a +large window to receive a big packet, which will be slowed down especially +in long RTT. Small rcv_wnd means slow transfer speed, to some extent. It's +the side effect for the latency/time-sensitive users. + +To avoid future confusion, current change doesn't affect the initial +receive window on the wire in a SYN or SYN+ACK packet which are set within +65535 bytes according to RFC 7323 also due to the limit in +__tcp_transmit_skb(): + + th->window = htons(min(tp->rcv_wnd, 65535U)); + +In one word, __tcp_transmit_skb() already ensures that constraint is +respected, no matter how large tp->rcv_wnd is. The change doesn't violate +RFC. + +Let me provide one example if with or without the patch: +Before: +client --- SYN: rwindow=65535 ---> server +client <--- SYN+ACK: rwindow=65535 ---- server +client --- ACK: rwindow=65536 ---> server +Note: for the last ACK, the calculation is 512 << 7. + +After: +client --- SYN: rwindow=65535 ---> server +client <--- SYN+ACK: rwindow=65535 ---- server +client --- ACK: rwindow=175232 ---> server +Note: I use the following command to make it work: +ip route change default via [ip] dev eth0 metric 100 initrwnd 120 +For the last ACK, the calculation is 1369 << 7. + +When we apply such a patch, having a large rcv_wnd if the user tweak this +knob can help transfer data more rapidly and save some rtts. + +Fixes: a337531b942b ("tcp: up initial rmem to 128KB and SYN rwin to around 64KB") +Signed-off-by: Jason Xing +Reviewed-by: Eric Dumazet +Acked-by: Neal Cardwell +Link: https://lore.kernel.org/r/20240521134220.12510-1-kerneljasonxing@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 4f203cbbc99b5..7884b0619762f 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -231,7 +231,7 @@ void tcp_select_initial_window(const struct sock *sk, int __space, __u32 mss, + if (sock_net(sk)->ipv4.sysctl_tcp_workaround_signed_windows) + (*rcv_wnd) = min(space, MAX_TCP_WINDOW); + else +- (*rcv_wnd) = min_t(u32, space, U16_MAX); ++ (*rcv_wnd) = space; + + if (init_rcv_wnd) + *rcv_wnd = min(*rcv_wnd, init_rcv_wnd * mss); +-- +2.43.0 + diff --git a/queue-5.4/um-add-winch-to-winch_handlers-before-registering-wi.patch b/queue-5.4/um-add-winch-to-winch_handlers-before-registering-wi.patch new file mode 100644 index 00000000000..8a896823cfb --- /dev/null +++ b/queue-5.4/um-add-winch-to-winch_handlers-before-registering-wi.patch @@ -0,0 +1,68 @@ +From 7050e92cd7871c4782ff025200263263ff2ed9b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 11:49:26 +0100 +Subject: um: Add winch to winch_handlers before registering winch IRQ + +From: Roberto Sassu + +[ Upstream commit a0fbbd36c156b9f7b2276871d499c9943dfe5101 ] + +Registering a winch IRQ is racy, an interrupt may occur before the winch is +added to the winch_handlers list. + +If that happens, register_winch_irq() adds to that list a winch that is +scheduled to be (or has already been) freed, causing a panic later in +winch_cleanup(). + +Avoid the race by adding the winch to the winch_handlers list before +registering the IRQ, and rolling back if um_request_irq() fails. + +Fixes: 42a359e31a0e ("uml: SIGIO support cleanup") +Signed-off-by: Roberto Sassu +Reviewed-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/line.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c +index 4f2a4ac8a82bb..d6a78c3548a55 100644 +--- a/arch/um/drivers/line.c ++++ b/arch/um/drivers/line.c +@@ -673,24 +673,26 @@ void register_winch_irq(int fd, int tty_fd, int pid, struct tty_port *port, + goto cleanup; + } + +- *winch = ((struct winch) { .list = LIST_HEAD_INIT(winch->list), +- .fd = fd, ++ *winch = ((struct winch) { .fd = fd, + .tty_fd = tty_fd, + .pid = pid, + .port = port, + .stack = stack }); + ++ spin_lock(&winch_handler_lock); ++ list_add(&winch->list, &winch_handlers); ++ spin_unlock(&winch_handler_lock); ++ + if (um_request_irq(WINCH_IRQ, fd, IRQ_READ, winch_interrupt, + IRQF_SHARED, "winch", winch) < 0) { + printk(KERN_ERR "register_winch_irq - failed to register " + "IRQ\n"); ++ spin_lock(&winch_handler_lock); ++ list_del(&winch->list); ++ spin_unlock(&winch_handler_lock); + goto out_free; + } + +- spin_lock(&winch_handler_lock); +- list_add(&winch->list, &winch_handlers); +- spin_unlock(&winch_handler_lock); +- + return; + + out_free: +-- +2.43.0 + diff --git a/queue-5.4/um-fix-return-value-in-ubd_init.patch b/queue-5.4/um-fix-return-value-in-ubd_init.patch new file mode 100644 index 00000000000..6b4f1669ab4 --- /dev/null +++ b/queue-5.4/um-fix-return-value-in-ubd_init.patch @@ -0,0 +1,46 @@ +From e41835942e5f5fceae48f91f978bbe6e3348b007 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 17:12:59 +0800 +Subject: um: Fix return value in ubd_init() + +From: Duoming Zhou + +[ Upstream commit 31a5990ed253a66712d7ddc29c92d297a991fdf2 ] + +When kmalloc_array() fails to allocate memory, the ubd_init() +should return -ENOMEM instead of -1. So, fix it. + +Fixes: f88f0bdfc32f ("um: UBD Improvements") +Signed-off-by: Duoming Zhou +Reviewed-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/ubd_kern.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/um/drivers/ubd_kern.c b/arch/um/drivers/ubd_kern.c +index 4e59ab817d3e7..a4e531f0e3b96 100644 +--- a/arch/um/drivers/ubd_kern.c ++++ b/arch/um/drivers/ubd_kern.c +@@ -1157,7 +1157,7 @@ static int __init ubd_init(void) + + if (irq_req_buffer == NULL) { + printk(KERN_ERR "Failed to initialize ubd buffering\n"); +- return -1; ++ return -ENOMEM; + } + io_req_buffer = kmalloc_array(UBD_REQ_BUFFER_SIZE, + sizeof(struct io_thread_req *), +@@ -1168,7 +1168,7 @@ static int __init ubd_init(void) + + if (io_req_buffer == NULL) { + printk(KERN_ERR "Failed to initialize ubd buffering\n"); +- return -1; ++ return -ENOMEM; + } + platform_driver_register(&ubd_driver); + mutex_lock(&ubd_lock); +-- +2.43.0 + diff --git a/queue-5.4/um-fix-the-wmissing-prototypes-warning-for-__switch_.patch b/queue-5.4/um-fix-the-wmissing-prototypes-warning-for-__switch_.patch new file mode 100644 index 00000000000..0c56ed0cab4 --- /dev/null +++ b/queue-5.4/um-fix-the-wmissing-prototypes-warning-for-__switch_.patch @@ -0,0 +1,48 @@ +From 7a3a858ac56317ae827c74c0b7cd137715556a1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 20:58:53 +0800 +Subject: um: Fix the -Wmissing-prototypes warning for __switch_mm + +From: Tiwei Bie + +[ Upstream commit 2cbade17b18c0f0fd9963f26c9fc9b057eb1cb3a ] + +The __switch_mm function is defined in the user code, and is called +by the kernel code. It should be declared in a shared header. + +Fixes: 4dc706c2f292 ("um: take um_mmu.h to asm/mmu.h, clean asm/mmu_context.h a bit") +Signed-off-by: Tiwei Bie +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/include/asm/mmu.h | 2 -- + arch/um/include/shared/skas/mm_id.h | 2 ++ + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/um/include/asm/mmu.h b/arch/um/include/asm/mmu.h +index 5b072aba5b658..a7cb380c0b5c0 100644 +--- a/arch/um/include/asm/mmu.h ++++ b/arch/um/include/asm/mmu.h +@@ -15,8 +15,6 @@ typedef struct mm_context { + struct page *stub_pages[2]; + } mm_context_t; + +-extern void __switch_mm(struct mm_id * mm_idp); +- + /* Avoid tangled inclusion with asm/ldt.h */ + extern long init_new_ldt(struct mm_context *to_mm, struct mm_context *from_mm); + extern void free_ldt(struct mm_context *mm); +diff --git a/arch/um/include/shared/skas/mm_id.h b/arch/um/include/shared/skas/mm_id.h +index 4337b4ced0954..9bd159649705a 100644 +--- a/arch/um/include/shared/skas/mm_id.h ++++ b/arch/um/include/shared/skas/mm_id.h +@@ -14,4 +14,6 @@ struct mm_id { + unsigned long stack; + }; + ++void __switch_mm(struct mm_id *mm_idp); ++ + #endif +-- +2.43.0 + diff --git a/queue-5.4/virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch b/queue-5.4/virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch new file mode 100644 index 00000000000..b7dcca9449f --- /dev/null +++ b/queue-5.4/virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch @@ -0,0 +1,94 @@ +From 5307bcb9c3c75f2f342e0858cef0bd43b95a6b3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 17:08:45 +0200 +Subject: virtio: delete vq in vp_find_vqs_msix() when request_irq() fails + +From: Jiri Pirko + +[ Upstream commit 89875151fccdd024d571aa884ea97a0128b968b6 ] + +When request_irq() fails, error path calls vp_del_vqs(). There, as vq is +present in the list, free_irq() is called for the same vector. That +causes following splat: + +[ 0.414355] Trying to free already-free IRQ 27 +[ 0.414403] WARNING: CPU: 1 PID: 1 at kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0 +[ 0.414510] Modules linked in: +[ 0.414540] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4+ #27 +[ 0.414540] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014 +[ 0.414540] RIP: 0010:free_irq+0x1a1/0x2d0 +[ 0.414540] Code: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40 +[ 0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086 +[ 0.414540] RAX: 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000 +[ 0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000001 +[ 0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001 +[ 0.414540] R10: 00000000ffffdfff R11: ffffffffb18729c0 R12: ffffa099c1c91760 +[ 0.414540] R13: ffffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600 +[ 0.414540] FS: 0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000 +[ 0.414540] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0 +[ 0.414540] Call Trace: +[ 0.414540] +[ 0.414540] ? __warn+0x80/0x120 +[ 0.414540] ? free_irq+0x1a1/0x2d0 +[ 0.414540] ? report_bug+0x164/0x190 +[ 0.414540] ? handle_bug+0x3b/0x70 +[ 0.414540] ? exc_invalid_op+0x17/0x70 +[ 0.414540] ? asm_exc_invalid_op+0x1a/0x20 +[ 0.414540] ? free_irq+0x1a1/0x2d0 +[ 0.414540] vp_del_vqs+0xc1/0x220 +[ 0.414540] vp_find_vqs_msix+0x305/0x470 +[ 0.414540] vp_find_vqs+0x3e/0x1a0 +[ 0.414540] vp_modern_find_vqs+0x1b/0x70 +[ 0.414540] init_vqs+0x387/0x600 +[ 0.414540] virtnet_probe+0x50a/0xc80 +[ 0.414540] virtio_dev_probe+0x1e0/0x2b0 +[ 0.414540] really_probe+0xc0/0x2c0 +[ 0.414540] ? __pfx___driver_attach+0x10/0x10 +[ 0.414540] __driver_probe_device+0x73/0x120 +[ 0.414540] driver_probe_device+0x1f/0xe0 +[ 0.414540] __driver_attach+0x88/0x180 +[ 0.414540] bus_for_each_dev+0x85/0xd0 +[ 0.414540] bus_add_driver+0xec/0x1f0 +[ 0.414540] driver_register+0x59/0x100 +[ 0.414540] ? __pfx_virtio_net_driver_init+0x10/0x10 +[ 0.414540] virtio_net_driver_init+0x90/0xb0 +[ 0.414540] do_one_initcall+0x58/0x230 +[ 0.414540] kernel_init_freeable+0x1a3/0x2d0 +[ 0.414540] ? __pfx_kernel_init+0x10/0x10 +[ 0.414540] kernel_init+0x1a/0x1c0 +[ 0.414540] ret_from_fork+0x31/0x50 +[ 0.414540] ? __pfx_kernel_init+0x10/0x10 +[ 0.414540] ret_from_fork_asm+0x1a/0x30 +[ 0.414540] + +Fix this by calling deleting the current vq when request_irq() fails. + +Fixes: 0b0f9dc52ed0 ("Revert "virtio_pci: use shared interrupts for virtqueues"") +Signed-off-by: Jiri Pirko +Message-Id: <20240426150845.3999481-1-jiri@resnulli.us> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_pci_common.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c +index 1e890ef176873..a6f375417fd54 100644 +--- a/drivers/virtio/virtio_pci_common.c ++++ b/drivers/virtio/virtio_pci_common.c +@@ -339,8 +339,10 @@ static int vp_find_vqs_msix(struct virtio_device *vdev, unsigned nvqs, + vring_interrupt, 0, + vp_dev->msix_names[msix_vec], + vqs[i]); +- if (err) ++ if (err) { ++ vp_del_vq(vqs[i]); + goto error_find; ++ } + } + return 0; + +-- +2.43.0 + diff --git a/queue-5.4/x86-kconfig-select-arch_want_frame_pointers-again-wh.patch b/queue-5.4/x86-kconfig-select-arch_want_frame_pointers-again-wh.patch new file mode 100644 index 00000000000..f156376d7e3 --- /dev/null +++ b/queue-5.4/x86-kconfig-select-arch_want_frame_pointers-again-wh.patch @@ -0,0 +1,63 @@ +From 9dd82e734c40e582c4be1b8f40a5a7389de9aeb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Feb 2024 21:20:03 +0900 +Subject: x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when + UNWINDER_FRAME_POINTER=y + +From: Masahiro Yamada + +[ Upstream commit 66ee3636eddcc82ab82b539d08b85fb5ac1dff9b ] + +It took me some time to understand the purpose of the tricky code at +the end of arch/x86/Kconfig.debug. + +Without it, the following would be shown: + + WARNING: unmet direct dependencies detected for FRAME_POINTER + +because + + 81d387190039 ("x86/kconfig: Consolidate unwinders into multiple choice selection") + +removed 'select ARCH_WANT_FRAME_POINTERS'. + +The correct and more straightforward approach should have been to move +it where 'select FRAME_POINTER' is located. + +Several architectures properly handle the conditional selection of +ARCH_WANT_FRAME_POINTERS. For example, 'config UNWINDER_FRAME_POINTER' +in arch/arm/Kconfig.debug. + +Fixes: 81d387190039 ("x86/kconfig: Consolidate unwinders into multiple choice selection") +Signed-off-by: Masahiro Yamada +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Josh Poimboeuf +Link: https://lore.kernel.org/r/20240204122003.53795-1-masahiroy@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/Kconfig.debug | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug +index bf9cd83de7773..3abac9327b643 100644 +--- a/arch/x86/Kconfig.debug ++++ b/arch/x86/Kconfig.debug +@@ -307,6 +307,7 @@ config UNWINDER_ORC + + config UNWINDER_FRAME_POINTER + bool "Frame pointer unwinder" ++ select ARCH_WANT_FRAME_POINTERS + select FRAME_POINTER + ---help--- + This option enables the frame pointer unwinder for unwinding kernel +@@ -334,7 +335,3 @@ config UNWINDER_GUESS + overhead. + + endchoice +- +-config FRAME_POINTER +- depends on !UNWINDER_ORC && !UNWINDER_GUESS +- bool +-- +2.43.0 +