From: Sasha Levin
Date: Sun, 16 Apr 2023 11:53:26 +0000 (-0400)
Subject: Fixes for 5.10
X-Git-Tag: v4.14.313~44
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3a620f4a42093b0a05bc95587d792dd11fed5fea;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 5.10
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch b/queue-5.10/9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch
new file mode 100644
index 00000000000..10d3e30de69
--- /dev/null
+++ b/queue-5.10/9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch
@@ -0,0 +1,61 @@
+From b2a091291626be9565b6c056157a7c4eaa8ba78d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 22:43:25 +0800
+Subject: 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race
+ condition
+
+From: Zheng Wang
+
+[ Upstream commit ea4f1009408efb4989a0f139b70fb338e7f687d0 ]
+
+In xen_9pfs_front_probe, it calls xen_9pfs_front_alloc_dataring
+to init priv->rings and bound &ring->work with p9_xen_response.
+
+When it calls xen_9pfs_front_event_handler to handle IRQ requests,
+it will finally call schedule_work to start the work.
+
+When we call xen_9pfs_front_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in xen_9pfs_front_free.
+
+Note that, this bug is found by static analysis, which might be
+false positive.
+
+CPU0 CPU1
+
+ |p9_xen_response
+xen_9pfs_front_remove|
+ xen_9pfs_front_free|
+kfree(priv) |
+//free priv |
+ |p9_tag_lookup
+ |//use priv->client
+
+Fixes: 71ebd71921e4 ("xen/9pfs: connect to the backend")
+Signed-off-by: Zheng Wang
+Reviewed-by: Michal Swiatkowski
+Signed-off-by: Eric Van Hensbergen
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_xen.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index 220e8f4ac0cfe..da056170849bf 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -300,6 +300,10 @@ static void xen_9pfs_front_free(struct xen_9pfs_front_priv *priv)
+ write_unlock(&xen_9pfs_lock);
+
+ for (i = 0; i < priv->num_rings; i++) {
++ struct xen_9pfs_dataring *ring = &priv->rings[i];
++
++ cancel_work_sync(&ring->work);
++
+ if (!priv->rings[i].intf)
+ break;
+ if (priv->rings[i].irq > 0)
+--
+2.39.2
+
diff --git a/queue-5.10/asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch b/queue-5.10/asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch
new file mode 100644
index 00000000000..f9e9b1139c7
--- /dev/null
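Review bot: `cancel_work_sync(&ring->work);` is placed at the top of the loop body, ahead of both the `if (!priv->rings[i].intf) break;` check and the `if (priv->rings[i].irq > 0)` branch. The commit message says xen_9pfs_front_event_handler ends in schedule_work, so if that later branch is where the IRQ is unbound (its body is outside the hunk), the handler can queue the work again after the cancel has returned and the race with kfree(priv) stays open; cancelling once the IRQ has been torn down would close it. Running the cancel before the intf check also means it is applied to ring slots that may never have been set up, which relies on every `ring->work` having been initialised, and that is worth confirming against the probe error path. The loop body continues past the end of the hunk.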
+++ b/queue-5.10/asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch 
@@ -0,0 +1,158 @@
+From e6cffa61278e8329d612d6c66640d723c067ff32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Feb 2023 12:12:54 -0500
+Subject: asymmetric_keys: log on fatal failures in PE/pkcs7
+
+From: Robbie Harwood
+
+[ Upstream commit 3584c1dbfffdabf8e3dc1dd25748bb38dd01cd43 ]
+
+These particular errors can be encountered while trying to kexec when
+secureboot lockdown is in place. Without this change, even with a
+signed debug build, one still needs to reboot the machine to add the
+appropriate dyndbg parameters (since lockdown blocks debugfs).
+
+Accordingly, upgrade all pr_debug() before fatal error into pr_warn().
+
+Signed-off-by: Robbie Harwood
+Signed-off-by: David Howells
+cc: Jarkko Sakkinen
+cc: Eric Biederman
+cc: Herbert Xu
+cc: keyrings@vger.kernel.org
+cc: linux-crypto@vger.kernel.org
+cc: kexec@lists.infradead.org
+Link: https://lore.kernel.org/r/20230220171254.592347-3-rharwood@redhat.com/ # v2
+Signed-off-by: Sasha Levin
+---
+ crypto/asymmetric_keys/pkcs7_verify.c | 10 +++++-----
+ crypto/asymmetric_keys/verify_pefile.c | 24 ++++++++++++------------
+ 2 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
+index ce49820caa97f..01e54450c846f 100644
+--- a/crypto/asymmetric_keys/pkcs7_verify.c
++++ b/crypto/asymmetric_keys/pkcs7_verify.c
+@@ -79,16 +79,16 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
+ }
+
+ if (sinfo->msgdigest_len != sig->digest_size) {
+- pr_debug("Sig %u: Invalid digest size (%u)\n",
+- sinfo->index, sinfo->msgdigest_len);
++ pr_warn("Sig %u: Invalid digest size (%u)\n",
++ sinfo->index, sinfo->msgdigest_len);
+ ret = -EBADMSG;
+ goto error;
+ }
+
+ if (memcmp(sig->digest, sinfo->msgdigest,
+ sinfo->msgdigest_len) != 0) {
+- pr_debug("Sig %u: Message digest doesn't match\n",
+- sinfo->index);
++ pr_warn("Sig %u: Message digest doesn't match\n",
++ sinfo->index);
+ ret = -EKEYREJECTED;
+ goto error;
+ }
+@@ -488,7 +488,7 @@ int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
+ const void *data, size_t datalen)
+ {
+ if (pkcs7->data) {
+- pr_debug("Data already supplied\n");
++ pr_warn("Data already supplied\n");
+ return -EINVAL;
+ }
+ pkcs7->data = data;
+diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
+index fe1bb374239d7..22beaf2213a22 100644
+--- a/crypto/asymmetric_keys/verify_pefile.c
++++ b/crypto/asymmetric_keys/verify_pefile.c
+@@ -74,7 +74,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
+ break;
+
+ default:
+- pr_debug("Unknown PEOPT magic = %04hx\n", pe32->magic);
++ pr_warn("Unknown PEOPT magic = %04hx\n", pe32->magic);
+ return -ELIBBAD;
+ }
+
+@@ -95,7 +95,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
+ ctx->certs_size = ddir->certs.size;
+
+ if (!ddir->certs.virtual_address || !ddir->certs.size) {
+- pr_debug("Unsigned PE binary\n");
++ pr_warn("Unsigned PE binary\n");
+ return -ENODATA;
+ }
+
+@@ -127,7 +127,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ unsigned len;
+
+ if (ctx->sig_len < sizeof(wrapper)) {
+- pr_debug("Signature wrapper too short\n");
++ pr_warn("Signature wrapper too short\n");
+ return -ELIBBAD;
+ }
+
+@@ -142,16 +142,16 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ * rounded up since 0.110.
+ */
+ if (wrapper.length > ctx->sig_len) {
+- pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
+- ctx->sig_len, wrapper.length);
++ pr_warn("Signature wrapper bigger than sig len (%x > %x)\n",
++ ctx->sig_len, wrapper.length);
+ return -ELIBBAD;
+ }
+ if (wrapper.revision != WIN_CERT_REVISION_2_0) {
+- pr_debug("Signature is not revision 2.0\n");
++ pr_warn("Signature is not revision 2.0\n");
+ return -ENOTSUPP;
+ }
+ if (wrapper.cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
+- pr_debug("Signature certificate type is not PKCS\n");
++ pr_warn("Signature certificate type is not PKCS\n");
+ return -ENOTSUPP;
+ }
+
+@@ -164,7 +164,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ ctx->sig_offset += sizeof(wrapper);
+ ctx->sig_len -= sizeof(wrapper);
+ if (ctx->sig_len < 4) {
+- pr_debug("Signature data missing\n");
++ pr_warn("Signature data missing\n");
+ return -EKEYREJECTED;
+ }
+
+@@ -198,7 +198,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ return 0;
+ }
+ not_pkcs7:
+- pr_debug("Signature data not PKCS#7\n");
++ pr_warn("Signature data not PKCS#7\n");
+ return -ELIBBAD;
+ }
+
+@@ -341,8 +341,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
+ digest_size = crypto_shash_digestsize(tfm);
+
+ if (digest_size != ctx->digest_len) {
+- pr_debug("Digest size mismatch (%zx != %x)\n",
+- digest_size, ctx->digest_len);
++ pr_warn("Digest size mismatch (%zx != %x)\n",
++ digest_size, ctx->digest_len);
+ ret = -EBADMSG;
+ goto error_no_desc;
+ }
+@@ -373,7 +373,7 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
+ * PKCS#7 certificate.
+ */
+ if (memcmp(digest, ctx->digest, ctx->digest_len) != 0) {
+- pr_debug("Digest mismatch\n");
++ pr_warn("Digest mismatch\n");
+ ret = -EKEYREJECTED;
+ } else {
+ pr_debug("The digests match!\n");
+--
+2.39.2
+
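Review bot: In pefile_strip_sig_wrapper the upgraded `pr_warn("Signature wrapper bigger than sig len (%x > %x)\n", ...)` still passes `ctx->sig_len, wrapper.length`, the reverse of the `wrapper.length > ctx->sig_len` test that guards it, so the logged comparison reads backwards; now that operators will see it, the second line should be `wrapper.length, ctx->sig_len);`. Every message touched here sits on a path that rejects a caller-supplied image or signature, and none is rate-limited, so a caller able to retry the load can fill the kernel log; `pr_warn_ratelimited` would keep the diagnostic without that side effect. Several of the touched functions begin or end outside their hunks.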
diff --git a/queue-5.10/clk-sprd-set-max_register-according-to-mapping-range.patch b/queue-5.10/clk-sprd-set-max_register-according-to-mapping-range.patch
new file mode 100644
index 00000000000..b8368f0a2ae
--- /dev/null
+++ b/queue-5.10/clk-sprd-set-max_register-according-to-mapping-range.patch
@@ -0,0 +1,63 @@
+From d1b814c966e7edac9761ac1db6dc12b62d5fd007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Mar 2023 10:36:24 +0800
+Subject: clk: sprd: set max_register according to mapping range
+
+From: Chunyan Zhang
+
+[ Upstream commit 47d43086531f10539470a63e8ad92803e686a3dd ]
+
+In sprd clock driver, regmap_config.max_register was set to a fixed value
+which is likely larger than the address range configured in device tree,
+when reading registers through debugfs it would cause access violation.
+
+Fixes: d41f59fd92f2 ("clk: sprd: Add common infrastructure")
+Signed-off-by: Chunyan Zhang
+Link: https://lore.kernel.org/r/20230316023624.758204-1-chunyan.zhang@unisoc.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/sprd/common.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/sprd/common.c b/drivers/clk/sprd/common.c
+index ce81e4087a8fc..2bfbab8db94bf 100644
+--- a/drivers/clk/sprd/common.c
++++ b/drivers/clk/sprd/common.c
+@@ -17,7 +17,6 @@ static const struct regmap_config sprdclk_regmap_config = {
+ .reg_bits = 32,
+ .reg_stride = 4,
+ .val_bits = 32,
+- .max_register = 0xffff,
+ .fast_io = true,
+ };
+
+@@ -43,6 +42,8 @@ int sprd_clk_regmap_init(struct platform_device *pdev,
+ struct device *dev = &pdev->dev;
+ struct device_node *node = dev->of_node, *np;
+ struct regmap *regmap;
++ struct resource *res;
++ struct regmap_config reg_config = sprdclk_regmap_config;
+
+ if (of_find_property(node, "sprd,syscon", NULL)) {
+ regmap = syscon_regmap_lookup_by_phandle(node, "sprd,syscon");
+@@ -59,12 +60,14 @@ int sprd_clk_regmap_init(struct platform_device *pdev,
+ return PTR_ERR(regmap);
+ }
+ } else {
+- base = devm_platform_ioremap_resource(pdev, 0);
++ base = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
+ if (IS_ERR(base))
+ return PTR_ERR(base);
+
++ reg_config.max_register = resource_size(res) - reg_config.reg_stride;
++
+ regmap = devm_regmap_init_mmio(&pdev->dev, base,
+- &sprdclk_regmap_config);
++ ®_config);
+ if (IS_ERR(regmap)) {
+ pr_err("failed to init regmap\n");
+ return PTR_ERR(regmap);
+--
+2.39.2
+
diff --git a/queue-5.10/drm-armada-fix-a-potential-double-free-in-an-error-h.patch b/queue-5.10/drm-armada-fix-a-potential-double-free-in-an-error-h.patch
new file mode 100644
index 00000000000..df958baf573
--- /dev/null
+++ b/queue-5.10/drm-armada-fix-a-potential-double-free-in-an-error-h.patch
@@ -0,0 +1,36 @@
+From 21f74a701c1abc4574e227e8b0eb5530b377c7f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 26 Dec 2021 17:34:16 +0100
+Subject: drm/armada: Fix a potential double free in an error handling path
+
+From: Christophe JAILLET
+
+[ Upstream commit b89ce1177d42d5c124e83f3858818cd4e6a2c46f ]
+
+'priv' is a managed resource, so there is no need to free it explicitly or
+there will be a double free().
+
+Fixes: 90ad200b4cbc ("drm/armada: Use devm_drm_dev_alloc")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/c4f3c9207a9fce35cb6dd2cc60e755275961588a.1640536364.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/armada/armada_drv.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/armada/armada_drv.c b/drivers/gpu/drm/armada/armada_drv.c
+index 980d3f1f8f16e..2d1e1e48f0eec 100644
+--- a/drivers/gpu/drm/armada/armada_drv.c
++++ b/drivers/gpu/drm/armada/armada_drv.c
+@@ -102,7 +102,6 @@ static int armada_drm_bind(struct device *dev)
+ if (ret) {
+ dev_err(dev, "[" DRM_NAME ":%s] can't kick out simple-fb: %d\n",
+ __func__, ret);
+- kfree(priv);
+ return ret;
+ }
+
+--
+2.39.2
+
diff --git a/queue-5.10/drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch b/queue-5.10/drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch
new file mode 100644
index 00000000000..3fd68c04ac4
--- /dev/null
+++ b/queue-5.10/drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch 
@@ -0,0 +1,55 @@
+From 8ee05c7cf634651b7281e104a7fbd73b74af95a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Mar 2023 10:52:18 +0100
+Subject: drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F
+
+From: Hans de Goede
+
+[ Upstream commit 03aecb1acbcd7a660f97d645ca6c09d9de27ff9d ]
+
+Like the Windows Lenovo Yoga Book X91F/L the Android Lenovo Yoga Book
+X90F/L has a portrait 1200x1920 screen used in landscape mode,
+add a quirk for this.
+
+When the quirk for the X91F/L was initially added it was written to
+also apply to the X90F/L but this does not work because the Android
+version of the Yoga Book uses completely different DMI strings.
+Also adjust the X91F/L quirk to reflect that it only applies to
+the X91F/L models.
+
+Signed-off-by: Hans de Goede
+Reviewed-by: Javier Martinez Canillas
+Link: https://patchwork.freedesktop.org/patch/msgid/20230301095218.28457-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index 8768073794fbf..6106fa7c43028 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -284,10 +284,17 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "IdeaPad Duet 3 10IGL5"),
+ },
+ .driver_data = (void *)&lcd1200x1920_rightside_up,
+- }, { /* Lenovo Yoga Book X90F / X91F / X91L */
++ }, { /* Lenovo Yoga Book X90F / X90L */
+ .matches = {
+- /* Non exact match to match all versions */
+- DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X9"),
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Intel Corporation"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "CHERRYVIEW D1 PLATFORM"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"),
++ },
++ .driver_data = (void *)&lcd1200x1920_rightside_up,
++ }, { /* Lenovo Yoga Book X91F / X91L */
++ .matches = {
++ /* Non exact match to match F + L versions */
++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"),
+ },
+ .driver_data = (void *)&lcd1200x1920_rightside_up,
+ }, { /* OneGX1 Pro */
+--
+2.39.2
+
diff --git a/queue-5.10/efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch b/queue-5.10/efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch
new file mode 100644
index 00000000000..51c54ca4197
--- /dev/null
+++ b/queue-5.10/efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch
@@ -0,0 +1,43 @@
+From 63f1a3c0418d422c049c6a2cc026f47360d5e053 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Mar 2023 13:31:03 +0100
+Subject: efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L
+
+From: Hans de Goede
+
+[ Upstream commit 5ed213dd64681f84a01ceaa82fb336cf7d59ddcf ]
+
+Another Lenovo convertable which reports a landscape resolution of
+1920x1200 with a pitch of (1920 * 4) bytes, while the actual framebuffer
+has a resolution of 1200x1920 with a pitch of (1200 * 4) bytes.
+
+Signed-off-by: Hans de Goede
+Reviewed-by: Javier Martinez Canillas
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/sysfb_efi.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kernel/sysfb_efi.c b/arch/x86/kernel/sysfb_efi.c
+index 9ea65611fba0b..fff04d2859765 100644
+--- a/arch/x86/kernel/sysfb_efi.c
++++ b/arch/x86/kernel/sysfb_efi.c
+@@ -272,6 +272,14 @@ static const struct dmi_system_id efifb_dmi_swap_width_height[] __initconst = {
+ "IdeaPad Duet 3 10IGL5"),
+ },
+ },
++ {
++ /* Lenovo Yoga Book X91F / X91L */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ /* Non exact match to match F + L versions */
++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"),
++ },
++ },
+ {},
+ };
+
+--
+2.39.2
+
diff --git a/queue-5.10/i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch b/queue-5.10/i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch
new file mode 100644
index 00000000000..570cd5a5810
--- /dev/null
+++ b/queue-5.10/i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch
@@ -0,0 +1,36 @@
+From a1086382abf84ed0b321ea9eb16ccbfbc3baea5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 30 Jan 2023 16:32:46 +0100
+Subject: i2c: imx-lpi2c: clean rx/tx buffers upon new message
+
+From: Alexander Stein
+
+[ Upstream commit 987dd36c0141f6ab9f0fbf14d6b2ec3342dedb2f ]
+
+When start sending a new message clear the Rx & Tx buffer pointers in
+order to avoid using stale pointers.
+
+Signed-off-by: Alexander Stein
+Tested-by: Emanuele Ghidoli
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-imx-lpi2c.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c
+index 2018dbcf241e9..d45ec26d51cb9 100644
+--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
+@@ -462,6 +462,8 @@ static int lpi2c_imx_xfer(struct i2c_adapter *adapter,
+ if (num == 1 && msgs[0].len == 0)
+ goto stop;
+
++ lpi2c_imx->rx_buf = NULL;
++ lpi2c_imx->tx_buf = NULL;
+ lpi2c_imx->delivered = 0;
+ lpi2c_imx->msglen = msgs[i].len;
+ init_completion(&lpi2c_imx->complete);
+--
+2.39.2
+
diff --git a/queue-5.10/ib-mlx5-add-support-for-400g_8x-lane-speed.patch b/queue-5.10/ib-mlx5-add-support-for-400g_8x-lane-speed.patch
new file mode 100644
index 00000000000..e45745a7d72
--- /dev/null
+++ b/queue-5.10/ib-mlx5-add-support-for-400g_8x-lane-speed.patch
@@ -0,0 +1,46 @@
+From 7c90487035c0530669fab59daf304581e542216d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Mar 2023 15:40:49 +0200
+Subject: IB/mlx5: Add support for 400G_8X lane speed
+
+From: Maher Sanalla
+
+[ Upstream commit 88c9483faf15ada14eca82714114656893063458 ]
+
+Currently, when driver queries PTYS to report which link speed is being
+used on its RoCE ports, it does not check the case of having 400Gbps
+transmitted over 8 lanes. Thus it fails to report the said speed and
+instead it defaults to report 10G over 4 lanes.
+
+Add a check for the said speed when querying PTYS and report it back
+correctly when needed.
+
+Fixes: 08e8676f1607 ("IB/mlx5: Add support for 50Gbps per lane link modes")
+Signed-off-by: Maher Sanalla
+Reviewed-by: Aya Levin
+Reviewed-by: Saeed Mahameed
+Link: https://lore.kernel.org/r/ec9040548d119d22557d6a4b4070d6f421701fd4.1678973994.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/mlx5/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index 638da09ff8380..5ef37902e96b5 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -437,6 +437,10 @@ static int translate_eth_ext_proto_oper(u32 eth_proto_oper, u16 *active_speed,
+ *active_width = IB_WIDTH_2X;
+ *active_speed = IB_SPEED_NDR;
+ break;
++ case MLX5E_PROT_MASK(MLX5E_400GAUI_8):
++ *active_width = IB_WIDTH_8X;
++ *active_speed = IB_SPEED_HDR;
++ break;
+ case MLX5E_PROT_MASK(MLX5E_400GAUI_4_400GBASE_CR4_KR4):
+ *active_width = IB_WIDTH_4X;
+ *active_speed = IB_SPEED_NDR;
+--
+2.39.2
+
diff --git a/queue-5.10/ib-mlx5-add-support-for-ndr-link-speed.patch b/queue-5.10/ib-mlx5-add-support-for-ndr-link-speed.patch
new file mode 100644
index 00000000000..aa46f0d2526
--- /dev/null
+++ b/queue-5.10/ib-mlx5-add-support-for-ndr-link-speed.patch
@@ -0,0 +1,54 @@
+From fc5e01154dde8900e960bd8ecd046450e5ab895f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Oct 2020 15:37:38 +0200
+Subject: IB/mlx5: Add support for NDR link speed
+
+From: Meir Lichtinger
+
+[ Upstream commit f946e45f59ef01ff54ffb3b1eba3a8e7915e7326 ]
+
+The IBTA specification has new speed - NDR. That speed supports signaling
+rate of 100Gb. mlx5 IB driver translates link modes reported by ConnectX
+device to IB speed and width. Added translation of new 100Gb, 200Gb and
+400Gb link modes to NDR IB type and width of x1, x2 or x4 respectively.
+
+Link: https://lore.kernel.org/r/20201026133738.1340432-3-leon@kernel.org
+Signed-off-by: Meir Lichtinger
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Stable-dep-of: 88c9483faf15 ("IB/mlx5: Add support for 400G_8X lane speed")
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/mlx5/main.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index eb69bec77e5d4..638da09ff8380 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -425,10 +425,22 @@ static int translate_eth_ext_proto_oper(u32 eth_proto_oper, u16 *active_speed,
+ *active_width = IB_WIDTH_2X;
+ *active_speed = IB_SPEED_HDR;
+ break;
++ case MLX5E_PROT_MASK(MLX5E_100GAUI_1_100GBASE_CR_KR):
++ *active_width = IB_WIDTH_1X;
++ *active_speed = IB_SPEED_NDR;
++ break;
+ case MLX5E_PROT_MASK(MLX5E_200GAUI_4_200GBASE_CR4_KR4):
+ *active_width = IB_WIDTH_4X;
+ *active_speed = IB_SPEED_HDR;
+ break;
++ case MLX5E_PROT_MASK(MLX5E_200GAUI_2_200GBASE_CR2_KR2):
++ *active_width = IB_WIDTH_2X;
++ *active_speed = IB_SPEED_NDR;
++ break;
++ case MLX5E_PROT_MASK(MLX5E_400GAUI_4_400GBASE_CR4_KR4):
++ *active_width = IB_WIDTH_4X;
++ *active_speed = IB_SPEED_NDR;
++ break;
+ default:
+ return -EINVAL;
+ }
+--
+2.39.2
+
diff --git a/queue-5.10/ipv4-shrink-netns_ipv4-with-sysctl-conversions.patch b/queue-5.10/ipv4-shrink-netns_ipv4-with-sysctl-conversions.patch
new file mode 100644
index 00000000000..e4ea70b8cef
--- /dev/null
+++ b/queue-5.10/ipv4-shrink-netns_ipv4-with-sysctl-conversions.patch
@@ -0,0 +1,259 @@
+From c74886310a10e619bf6fa9d78044c4233594106e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Mar 2021 11:08:14 -0700
+Subject: ipv4: shrink netns_ipv4 with sysctl conversions
+
+From: Eric Dumazet
+
+[ Upstream commit 4b6bbf17d4e1939afa72821879fc033d725e9491 ]
+
+These sysctls that can fit in one byte instead of one int
+are converted to save space and thus reduce cache line misses.
+
+ - icmp_echo_ignore_all, icmp_echo_ignore_broadcasts,
+ - icmp_ignore_bogus_error_responses, icmp_errors_use_inbound_ifaddr
+ - tcp_ecn, tcp_ecn_fallback
+ - ip_default_ttl, ip_no_pmtu_disc, ip_fwd_use_pmtu
+ - ip_nonlocal_bind, ip_autobind_reuse
+ - ip_dynaddr, ip_early_demux, raw_l3mdev_accept
+ - nexthop_compat_mode, fwmark_reflect
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Stable-dep-of: dc5110c2d959 ("tcp: restrict net.ipv4.tcp_app_win")
+Signed-off-by: Sasha Levin
+---
+ include/net/netns/ipv4.h | 32 +++++++++----------
+ net/ipv4/sysctl_net_ipv4.c | 64 +++++++++++++++++++-------------------
+ 2 files changed, 48 insertions(+), 48 deletions(-)
+
+diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
+index 75484f425e558..92e3d8fe954ab 100644
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -84,36 +84,36 @@ struct netns_ipv4 {
+ struct xt_table *nat_table;
+ #endif
+
+- int sysctl_icmp_echo_ignore_all;
+- int sysctl_icmp_echo_ignore_broadcasts;
+- int sysctl_icmp_ignore_bogus_error_responses;
++ u8 sysctl_icmp_echo_ignore_all;
++ u8 sysctl_icmp_echo_ignore_broadcasts;
++ u8 sysctl_icmp_ignore_bogus_error_responses;
++ u8 sysctl_icmp_errors_use_inbound_ifaddr;
+ int sysctl_icmp_ratelimit;
+ int sysctl_icmp_ratemask;
+- int sysctl_icmp_errors_use_inbound_ifaddr;
+
+ struct local_ports ip_local_ports;
+
+- int sysctl_tcp_ecn;
+- int sysctl_tcp_ecn_fallback;
++ u8 sysctl_tcp_ecn;
++ u8 sysctl_tcp_ecn_fallback;
+
+- int sysctl_ip_default_ttl;
+- int sysctl_ip_no_pmtu_disc;
+- int sysctl_ip_fwd_use_pmtu;
++ u8 sysctl_ip_default_ttl;
++ u8 sysctl_ip_no_pmtu_disc;
++ u8 sysctl_ip_fwd_use_pmtu;
+ int sysctl_ip_fwd_update_priority;
+- int sysctl_ip_nonlocal_bind;
+- int sysctl_ip_autobind_reuse;
++ u8 sysctl_ip_nonlocal_bind;
++ u8 sysctl_ip_autobind_reuse;
+ /* Shall we try to damage output packets if routing dev changes? */
+- int sysctl_ip_dynaddr;
+- int sysctl_ip_early_demux;
++ u8 sysctl_ip_dynaddr;
++ u8 sysctl_ip_early_demux;
+ #ifdef CONFIG_NET_L3_MASTER_DEV
+- int sysctl_raw_l3mdev_accept;
++ u8 sysctl_raw_l3mdev_accept;
+ #endif
+ int sysctl_tcp_early_demux;
+ int sysctl_udp_early_demux;
+
+- int sysctl_nexthop_compat_mode;
++ u8 sysctl_nexthop_compat_mode;
+
+- int sysctl_fwmark_reflect;
++ u8 sysctl_fwmark_reflect;
+ int sysctl_tcp_fwmark_accept;
+ #ifdef CONFIG_NET_L3_MASTER_DEV
+ int sysctl_tcp_l3mdev_accept;
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 439970e02ac65..cb587bdd683a6 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -540,30 +540,30 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "icmp_echo_ignore_all",
+ .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "icmp_echo_ignore_broadcasts",
+ .data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "icmp_ignore_bogus_error_responses",
+ .data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "icmp_errors_use_inbound_ifaddr",
+ .data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "icmp_ratelimit",
+@@ -590,9 +590,9 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "raw_l3mdev_accept",
+ .data = &init_net.ipv4.sysctl_raw_l3mdev_accept,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+@@ -600,30 +600,30 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_ecn",
+ .data = &init_net.ipv4.sysctl_tcp_ecn,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_ecn_fallback",
+ .data = &init_net.ipv4.sysctl_tcp_ecn_fallback,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "ip_dynaddr",
+ .data = &init_net.ipv4.sysctl_ip_dynaddr,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "ip_early_demux",
+ .data = &init_net.ipv4.sysctl_ip_early_demux,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "udp_early_demux",
+@@ -642,18 +642,18 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "nexthop_compat_mode",
+ .data = &init_net.ipv4.sysctl_nexthop_compat_mode,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+ {
+ .procname = "ip_default_ttl",
+ .data = &init_net.ipv4.sysctl_ip_default_ttl,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = &ip_ttl_min,
+ .extra2 = &ip_ttl_max,
+ },
+@@ -674,16 +674,16 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "ip_no_pmtu_disc",
+ .data = &init_net.ipv4.sysctl_ip_no_pmtu_disc,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "ip_forward_use_pmtu",
+ .data = &init_net.ipv4.sysctl_ip_fwd_use_pmtu,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec,
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "ip_forward_update_priority",
+@@ -697,25 +697,25 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "ip_nonlocal_bind",
+ .data = &init_net.ipv4.sysctl_ip_nonlocal_bind,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "ip_autobind_reuse",
+ .data = &init_net.ipv4.sysctl_ip_autobind_reuse,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+ {
+ .procname = "fwmark_reflect",
+ .data = &init_net.ipv4.sysctl_fwmark_reflect,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec,
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_fwmark_accept",
+--
+2.39.2
+
diff --git a/queue-5.10/libbpf-fix-single-line-struct-definition-output-in-b.patch b/queue-5.10/libbpf-fix-single-line-struct-definition-output-in-b.patch
new file mode 100644
index 00000000000..7e74a31dbcc
--- /dev/null
+++ b/queue-5.10/libbpf-fix-single-line-struct-definition-output-in-b.patch
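Review bot: Every converted entry in ipv4_net_table now names `proc_dou8vec_minmax` as its handler, and nothing in the visible part of this queue shows that helper being added to the 5.10 tree; if the patch introducing it is not queued ahead of this one, the series will not build. The conversion also narrows what userspace may write: entries such as `tcp_ecn`, `ip_dynaddr` and `fwmark_reflect` previously went through `proc_dointvec` with no `.extra1`/`.extra2`, so writes are presumably now limited to what fits in a u8, and it is worth confirming that no supported configuration writes a larger or negative value. Readers of the shrunk `struct netns_ipv4` fields elsewhere in net/ipv4 are outside the hunk; any that take a field's address as an `int *` would need checking in the backport.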
@@ -0,0 +1,49 @@
+From c21c1362c6c79eb16c8685f44da9b730df83a03d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Dec 2022 13:15:00 -0800
+Subject: libbpf: Fix single-line struct definition output in btf_dump
+
+From: Andrii Nakryiko
+
+[ Upstream commit 872aec4b5f635d94111d48ec3c57fbe078d64e7d ]
+
+btf_dump APIs emit unnecessary tabs when emitting struct/union
+definition that fits on the single line. Before this patch we'd get:
+
+struct blah {};
+
+This patch fixes this and makes sure that we get more natural:
+
+struct blah {};
+
+Fixes: 44a726c3f23c ("bpftool: Print newline before '}' for struct with padding only fields")
+Signed-off-by: Andrii Nakryiko
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/20221212211505.558851-2-andrii@kernel.org
+Signed-off-by: Sasha Levin
+---
+ tools/lib/bpf/btf_dump.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c
+index 6a8d8ed34b760..61aa2c47fbd5e 100644
+--- a/tools/lib/bpf/btf_dump.c
++++ b/tools/lib/bpf/btf_dump.c
+@@ -973,9 +973,12 @@ static void btf_dump_emit_struct_def(struct btf_dump *d,
+ * Keep `struct empty {}` on a single line,
+ * only print newline when there are regular or padding fields.
+ */
+- if (vlen || t->size)
++ if (vlen || t->size) {
+ btf_dump_printf(d, "\n");
+- btf_dump_printf(d, "%s}", pfx(lvl));
++ btf_dump_printf(d, "%s}", pfx(lvl));
++ } else {
++ btf_dump_printf(d, "}");
++ }
+ if (packed)
+ btf_dump_printf(d, " __attribute__((packed))");
+ }
+--
+2.39.2
+
diff --git a/queue-5.10/net-macb-fix-a-memory-corruption-in-extended-buffer-.patch b/queue-5.10/net-macb-fix-a-memory-corruption-in-extended-buffer-.patch
new file mode 100644
index 00000000000..31ce561cbf0
--- /dev/null
+++ b/queue-5.10/net-macb-fix-a-memory-corruption-in-extended-buffer-.patch
@@ -0,0 +1,150 @@ +From 45b9369f779d5c299d91f484d6a137d19928f553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Apr 2023 16:21:44 -0700 +Subject: net: macb: fix a memory corruption in extended buffer descriptor mode + +From: Roman Gushchin + +[ Upstream commit e8b74453555872851bdd7ea43a7c0ec39659834f ] + +For quite some time we were chasing a bug which looked like a sudden +permanent failure of networking and mmc on some of our devices. +The bug was very sensitive to any software changes and even more to +any kernel debug options. + +Finally we got a setup where the problem was reproducible with +CONFIG_DMA_API_DEBUG=y and it revealed the issue with the rx dma: + +[ 16.992082] ------------[ cut here ]------------ +[ 16.996779] DMA-API: macb ff0b0000.ethernet: device driver tries to free DMA memory it has not allocated [device address=0x0000000875e3e244] [size=1536 bytes] +[ 17.011049] WARNING: CPU: 0 PID: 85 at kernel/dma/debug.c:1011 check_unmap+0x6a0/0x900 +[ 17.018977] Modules linked in: xxxxx +[ 17.038823] CPU: 0 PID: 85 Comm: irq/55-8000f000 Not tainted 5.4.0 #28 +[ 17.045345] Hardware name: xxxxx +[ 17.049528] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 17.054322] pc : check_unmap+0x6a0/0x900 +[ 17.058243] lr : check_unmap+0x6a0/0x900 +[ 17.062163] sp : ffffffc010003c40 +[ 17.065470] x29: ffffffc010003c40 x28: 000000004000c03c +[ 17.070783] x27: ffffffc010da7048 x26: ffffff8878e38800 +[ 17.076095] x25: ffffff8879d22810 x24: ffffffc010003cc8 +[ 17.081407] x23: 0000000000000000 x22: ffffffc010a08750 +[ 17.086719] x21: ffffff8878e3c7c0 x20: ffffffc010acb000 +[ 17.092032] x19: 0000000875e3e244 x18: 0000000000000010 +[ 17.097343] x17: 0000000000000000 x16: 0000000000000000 +[ 17.102647] x15: ffffff8879e4a988 x14: 0720072007200720 +[ 17.107959] x13: 0720072007200720 x12: 0720072007200720 +[ 17.113261] x11: 0720072007200720 x10: 0720072007200720 +[ 17.118565] x9 : 0720072007200720 x8 : 000000000000022d +[ 17.123869] x7 : 0000000000000015 x6 : 
0000000000000098 +[ 17.129173] x5 : 0000000000000000 x4 : 0000000000000000 +[ 17.134475] x3 : 00000000ffffffff x2 : ffffffc010a1d370 +[ 17.139778] x1 : b420c9d75d27bb00 x0 : 0000000000000000 +[ 17.145082] Call trace: +[ 17.147524] check_unmap+0x6a0/0x900 +[ 17.151091] debug_dma_unmap_page+0x88/0x90 +[ 17.155266] gem_rx+0x114/0x2f0 +[ 17.158396] macb_poll+0x58/0x100 +[ 17.161705] net_rx_action+0x118/0x400 +[ 17.165445] __do_softirq+0x138/0x36c +[ 17.169100] irq_exit+0x98/0xc0 +[ 17.172234] __handle_domain_irq+0x64/0xc0 +[ 17.176320] gic_handle_irq+0x5c/0xc0 +[ 17.179974] el1_irq+0xb8/0x140 +[ 17.183109] xiic_process+0x5c/0xe30 +[ 17.186677] irq_thread_fn+0x28/0x90 +[ 17.190244] irq_thread+0x208/0x2a0 +[ 17.193724] kthread+0x130/0x140 +[ 17.196945] ret_from_fork+0x10/0x20 +[ 17.200510] ---[ end trace 7240980785f81d6f ]--- + +[ 237.021490] ------------[ cut here ]------------ +[ 237.026129] DMA-API: exceeded 7 overlapping mappings of cacheline 0x0000000021d79e7b +[ 237.033886] WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:499 add_dma_entry+0x214/0x240 +[ 237.041802] Modules linked in: xxxxx +[ 237.061637] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.4.0 #28 +[ 237.068941] Hardware name: xxxxx +[ 237.073116] pstate: 80000085 (Nzcv daIf -PAN -UAO) +[ 237.077900] pc : add_dma_entry+0x214/0x240 +[ 237.081986] lr : add_dma_entry+0x214/0x240 +[ 237.086072] sp : ffffffc010003c30 +[ 237.089379] x29: ffffffc010003c30 x28: ffffff8878a0be00 +[ 237.094683] x27: 0000000000000180 x26: ffffff8878e387c0 +[ 237.099987] x25: 0000000000000002 x24: 0000000000000000 +[ 237.105290] x23: 000000000000003b x22: ffffffc010a0fa00 +[ 237.110594] x21: 0000000021d79e7b x20: ffffffc010abe600 +[ 237.115897] x19: 00000000ffffffef x18: 0000000000000010 +[ 237.121201] x17: 0000000000000000 x16: 0000000000000000 +[ 237.126504] x15: ffffffc010a0fdc8 x14: 0720072007200720 +[ 237.131807] x13: 0720072007200720 x12: 0720072007200720 +[ 237.137111] x11: 0720072007200720 x10: 0720072007200720 +[ 237.142415] x9 
: 0720072007200720 x8 : 0000000000000259 +[ 237.147718] x7 : 0000000000000001 x6 : 0000000000000000 +[ 237.153022] x5 : ffffffc010003a20 x4 : 0000000000000001 +[ 237.158325] x3 : 0000000000000006 x2 : 0000000000000007 +[ 237.163628] x1 : 8ac721b3a7dc1c00 x0 : 0000000000000000 +[ 237.168932] Call trace: +[ 237.171373] add_dma_entry+0x214/0x240 +[ 237.175115] debug_dma_map_page+0xf8/0x120 +[ 237.179203] gem_rx_refill+0x190/0x280 +[ 237.182942] gem_rx+0x224/0x2f0 +[ 237.186075] macb_poll+0x58/0x100 +[ 237.189384] net_rx_action+0x118/0x400 +[ 237.193125] __do_softirq+0x138/0x36c +[ 237.196780] irq_exit+0x98/0xc0 +[ 237.199914] __handle_domain_irq+0x64/0xc0 +[ 237.204000] gic_handle_irq+0x5c/0xc0 +[ 237.207654] el1_irq+0xb8/0x140 +[ 237.210789] arch_cpu_idle+0x40/0x200 +[ 237.214444] default_idle_call+0x18/0x30 +[ 237.218359] do_idle+0x200/0x280 +[ 237.221578] cpu_startup_entry+0x20/0x30 +[ 237.225493] rest_init+0xe4/0xf0 +[ 237.228713] arch_call_rest_init+0xc/0x14 +[ 237.232714] start_kernel+0x47c/0x4a8 +[ 237.236367] ---[ end trace 7240980785f81d70 ]--- + +Lars was fast to find an explanation: according to the datasheet +bit 2 of the rx buffer descriptor entry has a different meaning in the +extended mode: + Address [2] of beginning of buffer, or + in extended buffer descriptor mode (DMA configuration register [28] = 1), + indicates a valid timestamp in the buffer descriptor entry. + +The macb driver didn't mask this bit while getting an address and it +eventually caused a memory corruption and a dma failure. + +The problem is resolved by explicitly clearing the problematic bit +if hw timestamping is used. 
+ +Fixes: 7b4296148066 ("net: macb: Add support for PTP timestamps in DMA descriptors") +Signed-off-by: Roman Gushchin +Co-developed-by: Lars-Peter Clausen +Signed-off-by: Lars-Peter Clausen +Acked-by: Nicolas Ferre +Reviewed-by: Jacob Keller +Link: https://lore.kernel.org/r/20230412232144.770336-1-roman.gushchin@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index e0d62e2513879..70d57ef95fb15 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -884,6 +884,10 @@ static dma_addr_t macb_get_addr(struct macb *bp, struct macb_dma_desc *desc) + } + #endif + addr |= MACB_BF(RX_WADDR, MACB_BFEXT(RX_WADDR, desc->addr)); ++#ifdef CONFIG_MACB_USE_HWSTAMP ++ if (bp->hw_dma_cap & HW_DMA_CAP_PTP) ++ addr &= ~GEM_BIT(DMA_RXVALID); ++#endif + return addr; + } + +-- +2.39.2 + diff --git a/queue-5.10/net-qrtr-fix-an-uninit-variable-access-bug-in-qrtr_t.patch b/queue-5.10/net-qrtr-fix-an-uninit-variable-access-bug-in-qrtr_t.patch new file mode 100644 index 00000000000..71be818024c --- /dev/null +++ b/queue-5.10/net-qrtr-fix-an-uninit-variable-access-bug-in-qrtr_t.patch 
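Review bot: In the macb_main.c hunk of the net-macb patch, the added `addr &= ~GEM_BIT(DMA_RXVALID);` in macb_get_addr() carries no comment, although the reason for it is a datasheet detail that the code itself does not show. A line such as `/* in extended descriptor mode bit 2 of the address word flags a valid timestamp, not an address bit */` above the `if` would keep the mask from being dropped as dead code later. The mask is applied to a dma_addr_t that may already hold the upper address word from the branch above, so it presumably relies on GEM_BIT() expanding to a signed int whose complement sign-extends; the macro is not visible here, so that is worth confirming. macb_get_addr() starts outside the hunk.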
@@ -0,0 +1,103 @@ +From 4de6fa7ec1b1938415a8ea7b9129491022033537 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Apr 2023 09:23:52 +0800 +Subject: net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() + +From: Ziyang Xuan + +[ Upstream commit 6417070918de3bcdbe0646e7256dae58fd8083ba ] + +Syzbot reported a bug as following: + +===================================================== +BUG: KMSAN: uninit-value in qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230 + qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230 + qrtr_endpoint_post+0xf85/0x11b0 net/qrtr/af_qrtr.c:519 + qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108 + call_write_iter include/linux/fs.h:2189 [inline] + aio_write+0x63a/0x950 fs/aio.c:1600 + io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019 + __do_sys_io_submit fs/aio.c:2078 [inline] + __se_sys_io_submit+0x293/0x770 fs/aio.c:2048 + __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:766 [inline] + slab_alloc_node mm/slub.c:3452 [inline] + __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491 + __do_kmalloc_node mm/slab_common.c:967 [inline] + __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988 + kmalloc_reserve net/core/skbuff.c:492 [inline] + __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565 + __netdev_alloc_skb+0x120/0x7d0 net/core/skbuff.c:630 + qrtr_endpoint_post+0xbd/0x11b0 net/qrtr/af_qrtr.c:446 + qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108 + call_write_iter include/linux/fs.h:2189 [inline] + aio_write+0x63a/0x950 fs/aio.c:1600 + io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019 + __do_sys_io_submit fs/aio.c:2078 [inline] + __se_sys_io_submit+0x293/0x770 fs/aio.c:2048 + __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + 
entry_SYSCALL_64_after_hwframe+0x63/0xcd + +It is because that skb->len requires at least sizeof(struct qrtr_ctrl_pkt) +in qrtr_tx_resume(). And skb->len equals to size in qrtr_endpoint_post(). +But size is less than sizeof(struct qrtr_ctrl_pkt) when qrtr_cb->type +equals to QRTR_TYPE_RESUME_TX in qrtr_endpoint_post() under the syzbot +scenario. This triggers the uninit variable access bug. + +Add size check when qrtr_cb->type equals to QRTR_TYPE_RESUME_TX in +qrtr_endpoint_post() to fix the bug. + +Fixes: 5fdeb0d372ab ("net: qrtr: Implement outgoing flow control") +Reported-by: syzbot+4436c9630a45820fda76@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=c14607f0963d27d5a3d5f4c8639b500909e43540 +Suggested-by: Manivannan Sadhasivam +Signed-off-by: Ziyang Xuan +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230410012352.3997823-1-william.xuanziyang@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/qrtr/af_qrtr.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c +index d0f0b2b8dce2f..71c2295d4a573 100644 +--- a/net/qrtr/af_qrtr.c ++++ b/net/qrtr/af_qrtr.c +@@ -492,6 +492,11 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) + if (!size || len != ALIGN(size, 4) + hdrlen) + goto err; + ++ if ((cb->type == QRTR_TYPE_NEW_SERVER || ++ cb->type == QRTR_TYPE_RESUME_TX) && ++ size < sizeof(struct qrtr_ctrl_pkt)) ++ goto err; ++ + if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA && + cb->type != QRTR_TYPE_RESUME_TX) + goto err; +@@ -500,6 +505,14 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) + + qrtr_node_assign(node, cb->src_node); + ++ if (cb->type == QRTR_TYPE_NEW_SERVER) { ++ /* Remote node endpoint can bridge other distant nodes */ ++ const struct qrtr_ctrl_pkt *pkt; ++ ++ pkt = data + hdrlen; ++ qrtr_node_assign(node, le32_to_cpu(pkt->server.node)); ++ } ++ + if 
(cb->type == QRTR_TYPE_RESUME_TX) { + qrtr_tx_resume(node, skb); + } else { +-- +2.39.2 + diff --git a/queue-5.10/niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch b/queue-5.10/niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch new file mode 100644 index 00000000000..8008521c118 --- /dev/null +++ b/queue-5.10/niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch @@ -0,0 +1,42 @@ +From 8c06d1958a0181ad19ef92ddddb30342b6d03500 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Apr 2023 23:31:18 -0700 +Subject: niu: Fix missing unwind goto in niu_alloc_channels() + +From: Harshit Mogalapalli + +[ Upstream commit 8ce07be703456acb00e83d99f3b8036252c33b02 ] + +Smatch reports: drivers/net/ethernet/sun/niu.c:4525 + niu_alloc_channels() warn: missing unwind goto? + +If niu_rbr_fill() fails, then we are directly returning 'err' without +freeing the channels. + +Fix this by changing direct return to a goto 'out_err'. + +Fixes: a3138df9f20e ("[NIU]: Add Sun Neptune ethernet driver.") +Signed-off-by: Harshit Mogalapalli +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/niu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c +index 860644d182ab0..1a269fa8c1a07 100644 +--- a/drivers/net/ethernet/sun/niu.c ++++ b/drivers/net/ethernet/sun/niu.c +@@ -4503,7 +4503,7 @@ static int niu_alloc_channels(struct niu *np) + + err = niu_rbr_fill(np, rp, GFP_KERNEL); + if (err) +- return err; ++ goto out_err; + } + + tx_rings = kcalloc(num_tx_rings, sizeof(struct tx_ring_info), +-- +2.39.2 + diff --git a/queue-5.10/power-supply-cros_usbpd-reclassify-default-case-as-d.patch b/queue-5.10/power-supply-cros_usbpd-reclassify-default-case-as-d.patch new file mode 100644 index 00000000000..b091bd9c92e --- /dev/null +++ b/queue-5.10/power-supply-cros_usbpd-reclassify-default-case-as-d.patch 
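Review bot: In the af_qrtr.c hunks of the net-qrtr patch, the new length check in qrtr_endpoint_post() names two packet types without saying why, and the commit text explains only the RESUME_TX case. The NEW_SERVER half is needed because the second hunk reads `pkt->server.node` straight out of the received buffer at `data + hdrlen`; a comment above the check, `/* these types are parsed as struct qrtr_ctrl_pkt below; reject short payloads */`, would tie the two together. Whether other control types are later read as struct qrtr_ctrl_pkt cannot be told from the hunk, and the function continues outside it.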
@@ -0,0 +1,42 @@ +From 6443b16c42dc7b680c140e17cf5f23ba95b56ebb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 13:38:57 -0800 +Subject: power: supply: cros_usbpd: reclassify "default case!" as debug + +From: Grant Grundler + +[ Upstream commit 14c76b2e75bca4d96e2b85a0c12aa43e84fe3f74 ] + +This doesn't need to be printed every second as an error: +... +<3>[17438.628385] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case! +<3>[17439.634176] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case! +<3>[17440.640298] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case! +... + +Reduce priority from ERROR to DEBUG. + +Signed-off-by: Grant Grundler +Reviewed-by: Guenter Roeck +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/cros_usbpd-charger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/cros_usbpd-charger.c b/drivers/power/supply/cros_usbpd-charger.c +index d89e08efd2ad0..0a4f02e4ae7ba 100644 +--- a/drivers/power/supply/cros_usbpd-charger.c ++++ b/drivers/power/supply/cros_usbpd-charger.c +@@ -276,7 +276,7 @@ static int cros_usbpd_charger_get_power_info(struct port_data *port) + port->psy_current_max = 0; + break; + default: +- dev_err(dev, "Port %d: default case!\n", port->port_number); ++ dev_dbg(dev, "Port %d: default case!\n", port->port_number); + port->psy_usb_type = POWER_SUPPLY_USB_TYPE_SDP; + } + +-- +2.39.2 + diff --git a/queue-5.10/qlcnic-check-pci_reset_function-result.patch b/queue-5.10/qlcnic-check-pci_reset_function-result.patch new file mode 100644 index 00000000000..a580fa79cf5 --- /dev/null +++ b/queue-5.10/qlcnic-check-pci_reset_function-result.patch 
@@ -0,0 +1,49 @@ +From 4f9d67c179efcb6f1638a4c357501a0a3fb962a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Apr 2023 10:18:49 +0300 +Subject: qlcnic: check pci_reset_function result + +From: Denis Plotnikov + +[ Upstream commit 7573099e10ca69c3be33995c1fcd0d241226816d ] + +Static code analyzer complains to unchecked return value. +The result of pci_reset_function() is unchecked. +Despite, the issue is on the FLR supported code path and in that +case reset can be done with pcie_flr(), the patch uses less invasive +approach by adding the result check of pci_reset_function(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 7e2cf4feba05 ("qlcnic: change driver hardware interface mechanism") +Signed-off-by: Denis Plotnikov +Reviewed-by: Simon Horman +Reviewed-by: Bjorn Helgaas +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c +index 87f76bac2e463..eb827b86ecae8 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c +@@ -628,7 +628,13 @@ int qlcnic_fw_create_ctx(struct qlcnic_adapter *dev) + int i, err, ring; + + if (dev->flags & QLCNIC_NEED_FLR) { +- pci_reset_function(dev->pdev); ++ err = pci_reset_function(dev->pdev); ++ if (err) { ++ dev_err(&dev->pdev->dev, ++ "Adapter reset failed (%d). Please reboot\n", ++ err); ++ return err; ++ } + dev->flags &= ~QLCNIC_NEED_FLR; + } + +-- +2.39.2 + diff --git a/queue-5.10/rdma-cma-allow-ud-qp_type-to-join-multicast-only.patch b/queue-5.10/rdma-cma-allow-ud-qp_type-to-join-multicast-only.patch new file mode 100644 index 00000000000..2e866610e95 --- /dev/null +++ b/queue-5.10/rdma-cma-allow-ud-qp_type-to-join-multicast-only.patch 
@@ -0,0 +1,208 @@ +From bfd5a489ad581cb2f02cbba46ea384d66427508a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Mar 2023 12:59:55 +0200 +Subject: RDMA/cma: Allow UD qp_type to join multicast only + +From: Mark Zhang + +[ Upstream commit 58e84f6b3e84e46524b7e5a916b53c1ad798bc8f ] + +As for multicast: +- The SIDR is the only mode that makes sense; +- Besides PS_UDP, other port spaces like PS_IB is also allowed, as it is + UD compatible. In this case qkey also needs to be set [1]. + +This patch allows only UD qp_type to join multicast, and set qkey to +default if it's not set, to fix an uninit-value error: the ib->rec.qkey +field is accessed without being initialized. + +===================================================== +BUG: KMSAN: uninit-value in cma_set_qkey drivers/infiniband/core/cma.c:510 [inline] +BUG: KMSAN: uninit-value in cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570 + cma_set_qkey drivers/infiniband/core/cma.c:510 [inline] + cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570 + cma_iboe_join_multicast drivers/infiniband/core/cma.c:4782 [inline] + rdma_join_multicast+0x2b83/0x30a0 drivers/infiniband/core/cma.c:4814 + ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479 + ucma_join_multicast+0x1e3/0x250 drivers/infiniband/core/ucma.c:1546 + ucma_write+0x639/0x6d0 drivers/infiniband/core/ucma.c:1732 + vfs_write+0x8ce/0x2030 fs/read_write.c:588 + ksys_write+0x28c/0x520 fs/read_write.c:643 + __do_sys_write fs/read_write.c:655 [inline] + __se_sys_write fs/read_write.c:652 [inline] + __ia32_sys_write+0xdb/0x120 fs/read_write.c:652 + do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline] + __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180 + do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205 + do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +Local variable ib.i created at: +cma_iboe_join_multicast drivers/infiniband/core/cma.c:4737 
[inline] +rdma_join_multicast+0x586/0x30a0 drivers/infiniband/core/cma.c:4814 +ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479 + +CPU: 0 PID: 29874 Comm: syz-executor.3 Not tainted 5.16.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +===================================================== + +[1] https://lore.kernel.org/linux-rdma/20220117183832.GD84788@nvidia.com/ + +Fixes: b5de0c60cc30 ("RDMA/cma: Fix use after free race in roce multicast join") +Reported-by: syzbot+8fcbb77276d43cc8b693@syzkaller.appspotmail.com +Signed-off-by: Mark Zhang +Link: https://lore.kernel.org/r/58a4a98323b5e6b1282e83f6b76960d06e43b9fa.1679309909.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 60 ++++++++++++++++++++--------------- + 1 file changed, 34 insertions(+), 26 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 9ed5de38e372f..fdcad8d6a5a07 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -505,22 +505,11 @@ static inline unsigned short cma_family(struct rdma_id_private *id_priv) + return id_priv->id.route.addr.src_addr.ss_family; + } + +-static int cma_set_qkey(struct rdma_id_private *id_priv, u32 qkey) ++static int cma_set_default_qkey(struct rdma_id_private *id_priv) + { + struct ib_sa_mcmember_rec rec; + int ret = 0; + +- if (id_priv->qkey) { +- if (qkey && id_priv->qkey != qkey) +- return -EINVAL; +- return 0; +- } +- +- if (qkey) { +- id_priv->qkey = qkey; +- return 0; +- } +- + switch (id_priv->id.ps) { + case RDMA_PS_UDP: + case RDMA_PS_IB: +@@ -540,6 +529,16 @@ static int cma_set_qkey(struct rdma_id_private *id_priv, u32 qkey) + return ret; + } + ++static int cma_set_qkey(struct rdma_id_private *id_priv, u32 qkey) ++{ ++ if (!qkey || ++ (id_priv->qkey && (id_priv->qkey != qkey))) ++ return -EINVAL; ++ ++ id_priv->qkey = qkey; ++ return 0; ++} 
++ + static void cma_translate_ib(struct sockaddr_ib *sib, struct rdma_dev_addr *dev_addr) + { + dev_addr->dev_type = ARPHRD_INFINIBAND; +@@ -1107,7 +1106,7 @@ static int cma_ib_init_qp_attr(struct rdma_id_private *id_priv, + *qp_attr_mask = IB_QP_STATE | IB_QP_PKEY_INDEX | IB_QP_PORT; + + if (id_priv->id.qp_type == IB_QPT_UD) { +- ret = cma_set_qkey(id_priv, 0); ++ ret = cma_set_default_qkey(id_priv); + if (ret) + return ret; + +@@ -4312,7 +4311,10 @@ static int cma_send_sidr_rep(struct rdma_id_private *id_priv, + memset(&rep, 0, sizeof rep); + rep.status = status; + if (status == IB_SIDR_SUCCESS) { +- ret = cma_set_qkey(id_priv, qkey); ++ if (qkey) ++ ret = cma_set_qkey(id_priv, qkey); ++ else ++ ret = cma_set_default_qkey(id_priv); + if (ret) + return ret; + rep.qp_num = id_priv->qp_num; +@@ -4516,9 +4518,7 @@ static void cma_make_mc_event(int status, struct rdma_id_private *id_priv, + enum ib_gid_type gid_type; + struct net_device *ndev; + +- if (!status) +- status = cma_set_qkey(id_priv, be32_to_cpu(multicast->rec.qkey)); +- else ++ if (status) + pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to join multicast. 
status %d\n", + status); + +@@ -4546,7 +4546,7 @@ static void cma_make_mc_event(int status, struct rdma_id_private *id_priv, + } + + event->param.ud.qp_num = 0xFFFFFF; +- event->param.ud.qkey = be32_to_cpu(multicast->rec.qkey); ++ event->param.ud.qkey = id_priv->qkey; + + out: + if (ndev) +@@ -4565,8 +4565,11 @@ static int cma_ib_mc_handler(int status, struct ib_sa_multicast *multicast) + READ_ONCE(id_priv->state) == RDMA_CM_DESTROYING) + goto out; + +- cma_make_mc_event(status, id_priv, multicast, &event, mc); +- ret = cma_cm_event_handler(id_priv, &event); ++ ret = cma_set_qkey(id_priv, be32_to_cpu(multicast->rec.qkey)); ++ if (!ret) { ++ cma_make_mc_event(status, id_priv, multicast, &event, mc); ++ ret = cma_cm_event_handler(id_priv, &event); ++ } + rdma_destroy_ah_attr(&event.param.ud.ah_attr); + WARN_ON(ret); + +@@ -4619,9 +4622,11 @@ static int cma_join_ib_multicast(struct rdma_id_private *id_priv, + if (ret) + return ret; + +- ret = cma_set_qkey(id_priv, 0); +- if (ret) +- return ret; ++ if (!id_priv->qkey) { ++ ret = cma_set_default_qkey(id_priv); ++ if (ret) ++ return ret; ++ } + + cma_set_mgid(id_priv, (struct sockaddr *) &mc->addr, &rec.mgid); + rec.qkey = cpu_to_be32(id_priv->qkey); +@@ -4709,9 +4714,6 @@ static int cma_iboe_join_multicast(struct rdma_id_private *id_priv, + cma_iboe_set_mgid(addr, &ib.rec.mgid, gid_type); + + ib.rec.pkey = cpu_to_be16(0xffff); +- if (id_priv->id.ps == RDMA_PS_UDP) +- ib.rec.qkey = cpu_to_be32(RDMA_UDP_QKEY); +- + if (dev_addr->bound_dev_if) + ndev = dev_get_by_index(dev_addr->net, dev_addr->bound_dev_if); + if (!ndev) +@@ -4737,6 +4739,9 @@ static int cma_iboe_join_multicast(struct rdma_id_private *id_priv, + if (err || !ib.rec.mtu) + return err ?: -EINVAL; + ++ if (!id_priv->qkey) ++ cma_set_default_qkey(id_priv); ++ + rdma_ip2gid((struct sockaddr *)&id_priv->id.route.addr.src_addr, + &ib.rec.port_gid); + INIT_WORK(&mc->iboe_join.work, cma_iboe_join_work_handler); +@@ -4762,6 +4767,9 @@ int rdma_join_multicast(struct 
rdma_cm_id *id, struct sockaddr *addr, + READ_ONCE(id_priv->state) != RDMA_CM_ADDR_RESOLVED)) + return -EINVAL; + ++ if (id_priv->id.qp_type != IB_QPT_UD) ++ return -EINVAL; ++ + mc = kzalloc(sizeof(*mc), GFP_KERNEL); + if (!mc) + return -ENOMEM; +-- +2.39.2 + diff --git a/queue-5.10/rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch b/queue-5.10/rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch new file mode 100644 index 00000000000..1c147e24ee3 --- /dev/null +++ b/queue-5.10/rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch @@ -0,0 +1,38 @@ +From 0ccd4690523cca95282e69f8e64f26e9215f5b24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 23:34:24 -0700 +Subject: RDMA/core: Fix GID entry ref leak when create_ah fails + +From: Saravanan Vajravel + +[ Upstream commit aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0 ] + +If AH create request fails, release sgid_attr to avoid GID entry +referrence leak reported while releasing GID table + +Fixes: 1a1f460ff151 ("RDMA: Hold the sgid_attr inside the struct ib_ah/qp") +Link: https://lore.kernel.org/r/20230401063424.342204-1-saravanan.vajravel@broadcom.com +Reviewed-by: Selvin Xavier +Signed-off-by: Saravanan Vajravel +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/verbs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index 5123be0ab02f5..4fcabe5a84bee 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -535,6 +535,8 @@ static struct ib_ah *_rdma_create_ah(struct ib_pd *pd, + + ret = device->ops.create_ah(ah, &init_attr, udata); + if (ret) { ++ if (ah->sgid_attr) ++ rdma_put_gid_attr(ah->sgid_attr); + kfree(ah); + return ERR_PTR(ret); + } +-- +2.39.2 + 
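Review bot: In the cma.c hunk at -4737 of the rdma-cma patch, cma_iboe_join_multicast() calls `cma_set_default_qkey(id_priv);` and drops its return value, while cma_join_ib_multicast() and cma_ib_init_qp_attr() in the same patch check it. The helper returns `ret` from a switch on `id_priv->id.ps` whose body is only partly visible, so a failure there would leave `id_priv->qkey` at zero and the join would proceed; `err = cma_set_default_qkey(id_priv);` followed by `if (err) return err;` matches the error return two lines above. Separately, cma_ib_mc_handler() now feeds the result of cma_set_qkey() into the existing `WARN_ON(ret)`, and cma_set_qkey() returns -EINVAL for a zero or mismatching qkey taken from `multicast->rec.qkey`; if that value can differ in normal operation, the warning becomes reachable and a quieter error path would be preferable.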
diff --git a/queue-5.10/sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch b/queue-5.10/sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch new file mode 100644 index 00000000000..e9c6e899806 --- /dev/null +++ b/queue-5.10/sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch 
@@ -0,0 +1,44 @@ +From b933019e02d305c40ff66debc1620f41b2b64600 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Apr 2023 15:43:30 -0400 +Subject: sctp: fix a potential overflow in sctp_ifwdtsn_skip + +From: Xin Long + +[ Upstream commit 32832a2caf82663870126c5186cf8f86c8b2a649 ] + +Currently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only +checks the pos against the end of the chunk. However, the data left for +the last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereference +it as struct sctp_ifwdtsn_skip may cause coverflow. + +This patch fixes it by checking the pos against "the end of the chunk - +sizeof(struct sctp_ifwdtsn_skip)" in sctp_ifwdtsn_skip, similar to +sctp_fwdtsn_skip. + +Fixes: 0fc2ea922c8a ("sctp: implement validate_ftsn for sctp_stream_interleave") +Signed-off-by: Xin Long +Link: https://lore.kernel.org/r/2a71bffcd80b4f2c61fac6d344bb2f11c8fd74f7.1681155810.git.lucien.xin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sctp/stream_interleave.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/stream_interleave.c b/net/sctp/stream_interleave.c +index 6b13f737ebf2e..e3aad75cb11d9 100644 +--- a/net/sctp/stream_interleave.c ++++ b/net/sctp/stream_interleave.c +@@ -1162,7 +1162,8 @@ static void sctp_generate_iftsn(struct sctp_outq *q, __u32 ctsn) + + #define _sctp_walk_ifwdtsn(pos, chunk, end) \ + for (pos = chunk->subh.ifwdtsn_hdr->skip; \ +- (void *)pos < (void *)chunk->subh.ifwdtsn_hdr->skip + (end); pos++) ++ (void *)pos <= (void *)chunk->subh.ifwdtsn_hdr->skip + (end) - \ ++ sizeof(struct sctp_ifwdtsn_skip); pos++) + + #define sctp_walk_ifwdtsn(pos, ch) \ + _sctp_walk_ifwdtsn((pos), (ch), ntohs((ch)->chunk_hdr->length) - \ +-- +2.39.2 + diff --git a/queue-5.10/series b/queue-5.10/series index 6c2d74feba5..eafa2bf292a 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
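Review bot: In the stream_interleave.c hunk of the sctp patch, the rewritten `_sctp_walk_ifwdtsn` bound reads correctly only if the reader already knows it means "at least one whole entry remains", and nothing in the macro says so. A one-line comment above it, `/* stop when fewer than sizeof(struct sctp_ifwdtsn_skip) bytes remain */`, would document that. When `end` is smaller than one entry, the expression `skip + (end) - sizeof(...)` points before the array and the loop is skipped by pointer comparison alone; comparing the remaining length instead would avoid leaning on that. The macro body also uses `chunk` and `pos` unparenthesised, which the caller visible here compensates for by passing `(pos)` and `(ch)`.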
@@ -65,3 +65,28 @@ mtdblock-tolerate-corrected-bit-flips.patch mtd-rawnand-meson-fix-bitmask-for-length-in-command-word.patch mtd-rawnand-stm32_fmc2-remove-unsupported-edo-mode.patch mtd-rawnand-stm32_fmc2-use-timings.mode-instead-of-checking-trc_min.patch +clk-sprd-set-max_register-according-to-mapping-range.patch +ib-mlx5-add-support-for-ndr-link-speed.patch +ib-mlx5-add-support-for-400g_8x-lane-speed.patch +rdma-cma-allow-ud-qp_type-to-join-multicast-only.patch +9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch +niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch +sysctl-add-proc_dou8vec_minmax.patch +ipv4-shrink-netns_ipv4-with-sysctl-conversions.patch +tcp-convert-elligible-sysctls-to-u8.patch +tcp-restrict-net.ipv4.tcp_app_win.patch +drm-armada-fix-a-potential-double-free-in-an-error-h.patch +qlcnic-check-pci_reset_function-result.patch +net-qrtr-fix-an-uninit-variable-access-bug-in-qrtr_t.patch +sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch +rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch +udp6-fix-potential-access-to-stale-information.patch +net-macb-fix-a-memory-corruption-in-extended-buffer-.patch +libbpf-fix-single-line-struct-definition-output-in-b.patch +power-supply-cros_usbpd-reclassify-default-case-as-d.patch +wifi-mwifiex-mark-of-related-data-as-maybe-unused.patch +i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch +efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch +drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch +verify_pefile-relax-wrapper-length-check.patch +asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch diff --git a/queue-5.10/sysctl-add-proc_dou8vec_minmax.patch b/queue-5.10/sysctl-add-proc_dou8vec_minmax.patch new file mode 100644 index 00000000000..ca661eb1b3e --- /dev/null +++ b/queue-5.10/sysctl-add-proc_dou8vec_minmax.patch 
@@ -0,0 +1,149 @@ +From 0da0da145f7b2cfaf21882667de732e515b01f69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 11:08:13 -0700 +Subject: sysctl: add proc_dou8vec_minmax() + +From: Eric Dumazet + +[ Upstream commit cb9444130662c6c13022579c861098f212db2562 ] + +Networking has many sysctls that could fit in one u8. + +This patch adds proc_dou8vec_minmax() for this purpose. + +Note that the .extra1 and .extra2 fields are pointing +to integers, because it makes conversions easier. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: dc5110c2d959 ("tcp: restrict net.ipv4.tcp_app_win") +Signed-off-by: Sasha Levin +--- + fs/proc/proc_sysctl.c | 6 ++++ + include/linux/sysctl.h | 2 ++ + kernel/sysctl.c | 65 ++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 73 insertions(+) + +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index cd7c6c4af83ad..1655b7b2a5abe 100644 +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1106,6 +1106,11 @@ static int sysctl_check_table_array(const char *path, struct ctl_table *table) + err |= sysctl_err(path, table, "array not allowed"); + } + ++ if (table->proc_handler == proc_dou8vec_minmax) { ++ if (table->maxlen != sizeof(u8)) ++ err |= sysctl_err(path, table, "array not allowed"); ++ } ++ + return err; + } + +@@ -1121,6 +1126,7 @@ static int sysctl_check_table(const char *path, struct ctl_table *table) + (table->proc_handler == proc_douintvec) || + (table->proc_handler == proc_douintvec_minmax) || + (table->proc_handler == proc_dointvec_minmax) || ++ (table->proc_handler == proc_dou8vec_minmax) || + (table->proc_handler == proc_dointvec_jiffies) || + (table->proc_handler == proc_dointvec_userhz_jiffies) || + (table->proc_handler == proc_dointvec_ms_jiffies) || +diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h +index 161eba9fd9122..4393de94cb32d 100644 +--- a/include/linux/sysctl.h ++++ b/include/linux/sysctl.h +@@ -53,6 +53,8 @@ int 
proc_douintvec(struct ctl_table *, int, void *, size_t *, loff_t *); + int proc_dointvec_minmax(struct ctl_table *, int, void *, size_t *, loff_t *); + int proc_douintvec_minmax(struct ctl_table *table, int write, void *buffer, + size_t *lenp, loff_t *ppos); ++int proc_dou8vec_minmax(struct ctl_table *table, int write, void *buffer, ++ size_t *lenp, loff_t *ppos); + int proc_dointvec_jiffies(struct ctl_table *, int, void *, size_t *, loff_t *); + int proc_dointvec_userhz_jiffies(struct ctl_table *, int, void *, size_t *, + loff_t *); +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index d8b7b28463135..43e907f4cac79 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1061,6 +1061,65 @@ int proc_douintvec_minmax(struct ctl_table *table, int write, + do_proc_douintvec_minmax_conv, ¶m); + } + ++/** ++ * proc_dou8vec_minmax - read a vector of unsigned chars with min/max values ++ * @table: the sysctl table ++ * @write: %TRUE if this is a write to the sysctl file ++ * @buffer: the user buffer ++ * @lenp: the size of the user buffer ++ * @ppos: file position ++ * ++ * Reads/writes up to table->maxlen/sizeof(u8) unsigned chars ++ * values from/to the user buffer, treated as an ASCII string. Negative ++ * strings are not allowed. ++ * ++ * This routine will ensure the values are within the range specified by ++ * table->extra1 (min) and table->extra2 (max). ++ * ++ * Returns 0 on success or an error on write when the range check fails. ++ */ ++int proc_dou8vec_minmax(struct ctl_table *table, int write, ++ void *buffer, size_t *lenp, loff_t *ppos) ++{ ++ struct ctl_table tmp; ++ unsigned int min = 0, max = 255U, val; ++ u8 *data = table->data; ++ struct do_proc_douintvec_minmax_conv_param param = { ++ .min = &min, ++ .max = &max, ++ }; ++ int res; ++ ++ /* Do not support arrays yet. 
*/ ++ if (table->maxlen != sizeof(u8)) ++ return -EINVAL; ++ ++ if (table->extra1) { ++ min = *(unsigned int *) table->extra1; ++ if (min > 255U) ++ return -EINVAL; ++ } ++ if (table->extra2) { ++ max = *(unsigned int *) table->extra2; ++ if (max > 255U) ++ return -EINVAL; ++ } ++ ++ tmp = *table; ++ ++ tmp.maxlen = sizeof(val); ++ tmp.data = &val; ++ val = *data; ++ res = do_proc_douintvec(&tmp, write, buffer, lenp, ppos, ++ do_proc_douintvec_minmax_conv, ¶m); ++ if (res) ++ return res; ++ if (write) ++ *data = val; ++ return 0; ++} ++EXPORT_SYMBOL_GPL(proc_dou8vec_minmax); ++ + static int do_proc_dopipe_max_size_conv(unsigned long *lvalp, + unsigned int *valp, + int write, void *data) +@@ -1612,6 +1671,12 @@ int proc_douintvec_minmax(struct ctl_table *table, int write, + return -ENOSYS; + } + ++int proc_dou8vec_minmax(struct ctl_table *table, int write, ++ void *buffer, size_t *lenp, loff_t *ppos) ++{ ++ return -ENOSYS; ++} ++ + int proc_dointvec_jiffies(struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +-- +2.39.2 + diff --git a/queue-5.10/tcp-convert-elligible-sysctls-to-u8.patch b/queue-5.10/tcp-convert-elligible-sysctls-to-u8.patch new file mode 100644 index 00000000000..c4f2315ab58 --- /dev/null +++ b/queue-5.10/tcp-convert-elligible-sysctls-to-u8.patch 
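Review bot: In the kernel/sysctl.c hunk of the sysctl patch, proc_dou8vec_minmax() reads and writes the target byte with plain accesses, `val = *data;` and `*data = val;`. The stated use is networking sysctls, which are typically read without a lock on other CPUs (those readers are not on this page), so `val = READ_ONCE(*data);` and `WRITE_ONCE(*data, val);` would mark the accesses as intentionally lockless. The kernel-doc also says the handler reads or writes up to `table->maxlen/sizeof(u8)` values while the body returns -EINVAL for anything but a single u8; the comment should say that arrays are rejected.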
@@ -0,0 +1,491 @@
+From 87d6780bf2fa3632b925497a56017a08e237ac77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Mar 2021 11:08:17 -0700
+Subject: tcp: convert elligible sysctls to u8
+
+From: Eric Dumazet
+
+[ Upstream commit 4ecc1baf362c5df2dcabe242511e38ee28486545 ]
+
+Many tcp sysctls are either bools or small ints that can fit into u8.
+
+Reducing space taken by sysctls can save few cache line misses
+when sending/receiving data while cpu caches are empty,
+for example after cpu idle period.
+
+This is hard to measure with typical network performance tests,
+but after this patch, struct netns_ipv4 has shrunk
+by three cache lines.
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Stable-dep-of: dc5110c2d959 ("tcp: restrict net.ipv4.tcp_app_win")
+Signed-off-by: Sasha Levin
+---
+ include/net/netns/ipv4.h | 68 +++++++++----------
+ net/ipv4/sysctl_net_ipv4.c | 136 ++++++++++++++++++-------------------
+ 2 files changed, 102 insertions(+), 102 deletions(-)
+
+diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
+index 92e3d8fe954ab..d8b320cf54ba0 100644
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -114,11 +114,11 @@ struct netns_ipv4 {
+ u8 sysctl_nexthop_compat_mode;
+
+ u8 sysctl_fwmark_reflect;
+- int sysctl_tcp_fwmark_accept;
++ u8 sysctl_tcp_fwmark_accept;
+ #ifdef CONFIG_NET_L3_MASTER_DEV
+- int sysctl_tcp_l3mdev_accept;
++ u8 sysctl_tcp_l3mdev_accept;
+ #endif
+- int sysctl_tcp_mtu_probing;
++ u8 sysctl_tcp_mtu_probing;
+ int sysctl_tcp_mtu_probe_floor;
+ int sysctl_tcp_base_mss;
+ int sysctl_tcp_min_snd_mss;
+@@ -126,46 +126,47 @@ struct netns_ipv4 {
+ u32 sysctl_tcp_probe_interval;
+
+ int sysctl_tcp_keepalive_time;
+- int sysctl_tcp_keepalive_probes;
+ int sysctl_tcp_keepalive_intvl;
++ u8 sysctl_tcp_keepalive_probes;
+
+- int sysctl_tcp_syn_retries;
+- int sysctl_tcp_synack_retries;
+- int sysctl_tcp_syncookies;
++ u8 sysctl_tcp_syn_retries;
++ u8 sysctl_tcp_synack_retries;
++ u8 sysctl_tcp_syncookies;
+ int sysctl_tcp_reordering;
+- int sysctl_tcp_retries1;
+- int sysctl_tcp_retries2;
+- int sysctl_tcp_orphan_retries;
++ u8 sysctl_tcp_retries1;
++ u8 sysctl_tcp_retries2;
++ u8 sysctl_tcp_orphan_retries;
++ u8 sysctl_tcp_tw_reuse;
+ int sysctl_tcp_fin_timeout;
+ unsigned int sysctl_tcp_notsent_lowat;
+- int sysctl_tcp_tw_reuse;
+- int sysctl_tcp_sack;
+- int sysctl_tcp_window_scaling;
+- int sysctl_tcp_timestamps;
+- int sysctl_tcp_early_retrans;
+- int sysctl_tcp_recovery;
+- int sysctl_tcp_thin_linear_timeouts;
+- int sysctl_tcp_slow_start_after_idle;
+- int sysctl_tcp_retrans_collapse;
+- int sysctl_tcp_stdurg;
+- int sysctl_tcp_rfc1337;
+- int sysctl_tcp_abort_on_overflow;
+- int sysctl_tcp_fack;
++ u8 sysctl_tcp_sack;
++ u8 sysctl_tcp_window_scaling;
++ u8 sysctl_tcp_timestamps;
++ u8 sysctl_tcp_early_retrans;
++ u8 sysctl_tcp_recovery;
++ u8 sysctl_tcp_thin_linear_timeouts;
++ u8 sysctl_tcp_slow_start_after_idle;
++ u8 sysctl_tcp_retrans_collapse;
++ u8 sysctl_tcp_stdurg;
++ u8 sysctl_tcp_rfc1337;
++ u8 sysctl_tcp_abort_on_overflow;
++ u8 sysctl_tcp_fack; /* obsolete */
+ int sysctl_tcp_max_reordering;
+- int sysctl_tcp_dsack;
+- int sysctl_tcp_app_win;
+ int sysctl_tcp_adv_win_scale;
+- int sysctl_tcp_frto;
+- int sysctl_tcp_nometrics_save;
+- int sysctl_tcp_no_ssthresh_metrics_save;
+- int sysctl_tcp_moderate_rcvbuf;
+- int sysctl_tcp_tso_win_divisor;
+- int sysctl_tcp_workaround_signed_windows;
++ u8 sysctl_tcp_dsack;
++ u8 sysctl_tcp_app_win;
++ u8 sysctl_tcp_frto;
++ u8 sysctl_tcp_nometrics_save;
++ u8 sysctl_tcp_no_ssthresh_metrics_save;
++ u8 sysctl_tcp_moderate_rcvbuf;
++ u8 sysctl_tcp_tso_win_divisor;
++ u8 sysctl_tcp_workaround_signed_windows;
+ int sysctl_tcp_limit_output_bytes;
+ int sysctl_tcp_challenge_ack_limit;
+- int sysctl_tcp_min_tso_segs;
+ int sysctl_tcp_min_rtt_wlen;
+- int sysctl_tcp_autocorking;
++ u8 sysctl_tcp_min_tso_segs;
++ u8 sysctl_tcp_autocorking;
++ u8 sysctl_tcp_reflect_tos;
+ int sysctl_tcp_invalid_ratelimit;
+ int sysctl_tcp_pacing_ss_ratio;
+ int sysctl_tcp_pacing_ca_ratio;
+@@ -183,7 +184,6 @@ struct netns_ipv4 {
+ unsigned int sysctl_tcp_fastopen_blackhole_timeout;
+ atomic_t tfo_active_disable_times;
+ unsigned long tfo_active_disable_stamp;
+- int sysctl_tcp_reflect_tos;
+
+ int sysctl_udp_wmem_min;
+ int sysctl_udp_rmem_min;
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index cb587bdd683a6..1a2506f795d4e 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -720,17 +720,17 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_fwmark_accept",
+ .data = &init_net.ipv4.sysctl_tcp_fwmark_accept,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec,
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ #ifdef CONFIG_NET_L3_MASTER_DEV
+ {
+ .procname = "tcp_l3mdev_accept",
+ .data = &init_net.ipv4.sysctl_tcp_l3mdev_accept,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+@@ -738,9 +738,9 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_mtu_probing",
+ .data = &init_net.ipv4.sysctl_tcp_mtu_probing,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec,
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_base_mss",
+@@ -842,9 +842,9 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_keepalive_probes",
+ .data = &init_net.ipv4.sysctl_tcp_keepalive_probes,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_keepalive_intvl",
+@@ -856,26 +856,26 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_syn_retries",
+ .data = &init_net.ipv4.sysctl_tcp_syn_retries,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = &tcp_syn_retries_min,
+ .extra2 = &tcp_syn_retries_max
+ },
+ {
+ .procname = "tcp_synack_retries",
+ .data = &init_net.ipv4.sysctl_tcp_synack_retries,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ #ifdef CONFIG_SYN_COOKIES
+ {
+ .procname = "tcp_syncookies",
+ .data = &init_net.ipv4.sysctl_tcp_syncookies,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ #endif
+ {
+@@ -888,24 +888,24 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_retries1",
+ .data = &init_net.ipv4.sysctl_tcp_retries1,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dou8vec_minmax,
+ .extra2 = &tcp_retr1_max
+ },
+ {
+ .procname = "tcp_retries2",
+ .data = &init_net.ipv4.sysctl_tcp_retries2,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_orphan_retries",
+ .data = &init_net.ipv4.sysctl_tcp_orphan_retries,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_fin_timeout",
+@@ -924,9 +924,9 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_tw_reuse",
+ .data = &init_net.ipv4.sysctl_tcp_tw_reuse,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = &two,
+ },
+@@ -1012,88 +1012,88 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_sack",
+ .data = &init_net.ipv4.sysctl_tcp_sack,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_window_scaling",
+ .data = &init_net.ipv4.sysctl_tcp_window_scaling,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_timestamps",
+ .data = &init_net.ipv4.sysctl_tcp_timestamps,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_early_retrans",
+ .data = &init_net.ipv4.sysctl_tcp_early_retrans,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = &four,
+ },
+ {
+ .procname = "tcp_recovery",
+ .data = &init_net.ipv4.sysctl_tcp_recovery,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec,
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_thin_linear_timeouts",
+ .data = &init_net.ipv4.sysctl_tcp_thin_linear_timeouts,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_slow_start_after_idle",
+ .data = &init_net.ipv4.sysctl_tcp_slow_start_after_idle,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_retrans_collapse",
+ .data = &init_net.ipv4.sysctl_tcp_retrans_collapse,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_stdurg",
+ .data = &init_net.ipv4.sysctl_tcp_stdurg,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_rfc1337",
+ .data = &init_net.ipv4.sysctl_tcp_rfc1337,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_abort_on_overflow",
+ .data = &init_net.ipv4.sysctl_tcp_abort_on_overflow,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_fack",
+ .data = &init_net.ipv4.sysctl_tcp_fack,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_max_reordering",
+@@ -1105,16 +1105,16 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_dsack",
+ .data = &init_net.ipv4.sysctl_tcp_dsack,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_app_win",
+ .data = &init_net.ipv4.sysctl_tcp_app_win,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_adv_win_scale",
+@@ -1128,46 +1128,46 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_frto",
+ .data = &init_net.ipv4.sysctl_tcp_frto,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_no_metrics_save",
+ .data = &init_net.ipv4.sysctl_tcp_nometrics_save,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec,
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_no_ssthresh_metrics_save",
+ .data = &init_net.ipv4.sysctl_tcp_no_ssthresh_metrics_save,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+ {
+ .procname = "tcp_moderate_rcvbuf",
+ .data = &init_net.ipv4.sysctl_tcp_moderate_rcvbuf,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec,
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_tso_win_divisor",
+ .data = &init_net.ipv4.sysctl_tcp_tso_win_divisor,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec,
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_workaround_signed_windows",
+ .data = &init_net.ipv4.sysctl_tcp_workaround_signed_windows,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dou8vec_minmax,
+ },
+ {
+ .procname = "tcp_limit_output_bytes",
+@@ -1186,9 +1186,9 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_min_tso_segs",
+ .data = &init_net.ipv4.sysctl_tcp_min_tso_segs,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ONE,
+ .extra2 = &gso_max_segs,
+ },
+@@ -1204,9 +1204,9 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_autocorking",
+ .data = &init_net.ipv4.sysctl_tcp_autocorking,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+@@ -1277,9 +1277,9 @@ static struct ctl_table ipv4_net_table[] = {
+ {
+ .procname = "tcp_reflect_tos",
+ .data = &init_net.ipv4.sysctl_tcp_reflect_tos,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(u8),
+ .mode = 0644,
+- .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+--
+2.39.2
+
diff --git a/queue-5.10/tcp-restrict-net.ipv4.tcp_app_win.patch b/queue-5.10/tcp-restrict-net.ipv4.tcp_app_win.patch
new file mode 100644
index 00000000000..53255d8e802
--- /dev/null
+++ b/queue-5.10/tcp-restrict-net.ipv4.tcp_app_win.patch
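Review bot: The `tcp_min_tso_segs` entry (hunk at -1186 in net/ipv4/sysctl_net_ipv4.c) keeps `.extra2 = &gso_max_segs` after switching to `proc_dou8vec_minmax`, and that handler, added by the sysctl patch earlier in this queue, returns -EINVAL before doing any read or write whenever the upper bound is above 255. The definition of `gso_max_segs` is outside these hunks; if it holds a 16-bit segment limit, the sysctl can no longer be read or set, so the entry should keep `.extra1 = SYSCTL_ONE,` and drop the `.extra2` line, leaving the handler's built-in 255 ceiling. The entries that came from unbounded `proc_dointvec` (for example `tcp_syncookies`, `tcp_app_win` and `tcp_tso_win_divisor`) now refuse negative values and anything above 255, a user-visible change that each consumer of those fields should be checked against.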
@@ -0,0 +1,74 @@
+From a2c8482238375934282b977a86ccf1188123c02e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Apr 2023 14:34:50 +0800
+Subject: tcp: restrict net.ipv4.tcp_app_win
+
+From: YueHaibing
+
+[ Upstream commit dc5110c2d959c1707e12df5f792f41d90614adaa ]
+
+UBSAN: shift-out-of-bounds in net/ipv4/tcp_input.c:555:23
+shift exponent 255 is too large for 32-bit type 'int'
+CPU: 1 PID: 7907 Comm: ssh Not tainted 6.3.0-rc4-00161-g62bad54b26db-dirty #206
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0x136/0x150
+ __ubsan_handle_shift_out_of_bounds+0x21f/0x5a0
+ tcp_init_transfer.cold+0x3a/0xb9
+ tcp_finish_connect+0x1d0/0x620
+ tcp_rcv_state_process+0xd78/0x4d60
+ tcp_v4_do_rcv+0x33d/0x9d0
+ __release_sock+0x133/0x3b0
+ release_sock+0x58/0x1b0
+
+'maxwin' is int, shifting int for 32 or more bits is undefined behaviour.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: YueHaibing
+Reviewed-by: Eric Dumazet
+Reviewed-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ Documentation/networking/ip-sysctl.rst | 2 ++
+ net/ipv4/sysctl_net_ipv4.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index 0158dff638873..df26cf4110ef5 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -272,6 +272,8 @@ tcp_app_win - INTEGER
+ Reserve max(window/2^tcp_app_win, mss) of window for application
+ buffer. Value 0 is special, it means that nothing is reserved.
+
++ Possible values are [0, 31], inclusive.
++
+ Default: 31
+
+ tcp_autocorking - BOOLEAN
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 1a2506f795d4e..3a34e9768bff0 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -37,6 +37,7 @@ static int ip_local_port_range_min[] = { 1, 1 };
+ static int ip_local_port_range_max[] = { 65535, 65535 };
+ static int tcp_adv_win_scale_min = -31;
+ static int tcp_adv_win_scale_max = 31;
++static int tcp_app_win_max = 31;
+ static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS;
+ static int tcp_min_snd_mss_max = 65535;
+ static int ip_privileged_port_min;
+@@ -1115,6 +1116,8 @@ static struct ctl_table ipv4_net_table[] = {
+ .maxlen = sizeof(u8),
+ .mode = 0644,
+ .proc_handler = proc_dou8vec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = &tcp_app_win_max,
+ },
+ {
+ .procname = "tcp_adv_win_scale",
+--
+2.39.2
+
diff --git a/queue-5.10/udp6-fix-potential-access-to-stale-information.patch b/queue-5.10/udp6-fix-potential-access-to-stale-information.patch
new file mode 100644
index 00000000000..5702e0f9ed4
--- /dev/null
+++ b/queue-5.10/udp6-fix-potential-access-to-stale-information.patch
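Review bot: `tcp_app_win_max` is added to net/ipv4/sysctl_net_ipv4.c with no comment on why 31 is the limit, so the reason lives only in the commit message. A line above the definition such as `/* tcp_app_win is used as a shift count on an int window, so it must stay below 32 */` would keep a later cleanup from widening the range again. The bound is applied only to writes that go through this table entry, whose opening lines are outside the hunk, and the shift in net/ipv4/tcp_input.c is not touched by the patch; whether any other path can store into the field cannot be told from here.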
@@ -0,0 +1,68 @@
+From 00a804ad043951bc1fe1a5251c90de0dce8aae42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Apr 2023 13:03:08 +0000
+Subject: udp6: fix potential access to stale information
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet
+
+[ Upstream commit 1c5950fc6fe996235f1d18539b9c6b64b597f50f ]
+
+lena wang reported an issue caused by udpv6_sendmsg()
+mangling msg->msg_name and msg->msg_namelen, which
+are later read from ____sys_sendmsg() :
+
+ /*
+ * If this is sendmmsg() and sending to current destination address was
+ * successful, remember it.
+ */
+ if (used_address && err >= 0) {
+ used_address->name_len = msg_sys->msg_namelen;
+ if (msg_sys->msg_name)
+ memcpy(&used_address->name, msg_sys->msg_name,
+ used_address->name_len);
+ }
+
+udpv6_sendmsg() wants to pretend the remote address family
+is AF_INET in order to call udp_sendmsg().
+
+A fix would be to modify the address in-place, instead
+of using a local variable, but this could have other side effects.
+
+Instead, restore initial values before we return from udpv6_sendmsg().
+
+Fixes: c71d8ebe7a44 ("net: Fix security_socket_sendmsg() bypass problem.")
+Reported-by: lena wang
+Signed-off-by: Eric Dumazet
+Reviewed-by: Maciej Å»enczykowski
+Link: https://lore.kernel.org/r/20230412130308.1202254-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/udp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 1805cc5f7418b..20cc08210c700 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1340,9 +1340,11 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ msg->msg_name = &sin;
+ msg->msg_namelen = sizeof(sin);
+ do_udp_sendmsg:
+- if (__ipv6_only_sock(sk))
+- return -ENETUNREACH;
+- return udp_sendmsg(sk, msg, len);
++ err = __ipv6_only_sock(sk) ?
++ -ENETUNREACH : udp_sendmsg(sk, msg, len);
++ msg->msg_name = sin6;
++ msg->msg_namelen = addr_len;
++ return err;
+ }
+ }
+
+--
+2.39.2
+
diff --git a/queue-5.10/verify_pefile-relax-wrapper-length-check.patch b/queue-5.10/verify_pefile-relax-wrapper-length-check.patch
new file mode 100644
index 00000000000..34a6e453d0d
--- /dev/null
+++ b/queue-5.10/verify_pefile-relax-wrapper-length-check.patch
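Review bot: The restore added after `do_udp_sendmsg:` in net/ipv6/udp.c carries no comment, and its purpose is not evident from the code alone: `msg->msg_name` has just been pointed at `sin`, which the commit message describes as a local variable, and the caller reads `msg_name` and `msg_namelen` again after the function returns. I would add `/* sin is on our stack and the caller reads msg_name after we return: put the original address back */` above `msg->msg_name = sin6;`. The label is a jump target and udpv6_sendmsg() begins outside the hunk, so it should be confirmed that `sin6` and `addr_len` still hold the caller's values on every path that reaches it.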
@@ -0,0 +1,61 @@
+From 27b2dacdcf03da550f1b262507d0919da6ff1a07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Feb 2023 12:12:53 -0500
+Subject: verify_pefile: relax wrapper length check
+
+From: Robbie Harwood
+
+[ Upstream commit 4fc5c74dde69a7eda172514aaeb5a7df3600adb3 ]
+
+The PE Format Specification (section "The Attribute Certificate Table
+(Image Only)") states that `dwLength` is to be rounded up to 8-byte
+alignment when used for traversal. Therefore, the field is not required
+to be an 8-byte multiple in the first place.
+
+Accordingly, pesign has not performed this alignment since version
+0.110. This causes kexec failure on pesign'd binaries with "PEFILE:
+Signature wrapper len wrong". Update the comment and relax the check.
+
+Signed-off-by: Robbie Harwood
+Signed-off-by: David Howells
+cc: Jarkko Sakkinen
+cc: Eric Biederman
+cc: Herbert Xu
+cc: keyrings@vger.kernel.org
+cc: linux-crypto@vger.kernel.org
+cc: kexec@lists.infradead.org
+Link: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only
+Link: https://github.com/rhboot/pesign
+Link: https://lore.kernel.org/r/20230220171254.592347-2-rharwood@redhat.com/ # v2
+Signed-off-by: Sasha Levin
+---
+ crypto/asymmetric_keys/verify_pefile.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
+index 7553ab18db898..fe1bb374239d7 100644
+--- a/crypto/asymmetric_keys/verify_pefile.c
++++ b/crypto/asymmetric_keys/verify_pefile.c
+@@ -135,11 +135,15 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ pr_debug("sig wrapper = { %x, %x, %x }\n",
+ wrapper.length, wrapper.revision, wrapper.cert_type);
+
+- /* Both pesign and sbsign round up the length of certificate table
+- * (in optional header data directories) to 8 byte alignment.
++ /* sbsign rounds up the length of certificate table (in optional
++ * header data directories) to 8 byte alignment. However, the PE
++ * specification states that while entries are 8-byte aligned, this is
++ * not included in their length, and as a result, pesign has not
++ * rounded up since 0.110.
+ */
+- if (round_up(wrapper.length, 8) != ctx->sig_len) {
+- pr_debug("Signature wrapper len wrong\n");
++ if (wrapper.length > ctx->sig_len) {
++ pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
++ ctx->sig_len, wrapper.length);
+ return -ELIBBAD;
+ }
+ if (wrapper.revision != WIN_CERT_REVISION_2_0) {
+--
+2.39.2
+
diff --git a/queue-5.10/wifi-mwifiex-mark-of-related-data-as-maybe-unused.patch b/queue-5.10/wifi-mwifiex-mark-of-related-data-as-maybe-unused.patch
new file mode 100644
index 00000000000..3eb0b17754d
--- /dev/null
+++ b/queue-5.10/wifi-mwifiex-mark-of-related-data-as-maybe-unused.patch
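Review bot: The arguments of the new `pr_debug()` in pefile_strip_sig_wrapper() are in the opposite order to its format string: the message reads "(%x > %x)" for "wrapper bigger than sig len", but `ctx->sig_len` is passed first, so the log prints the smaller value on the left. The second line of the call should be `wrapper.length, ctx->sig_len);`. The relaxed test also accepts any `wrapper.length` up to `ctx->sig_len`, where the old one demanded an exact match after rounding; the function continues outside the hunk, so it should be confirmed there that bytes between the end of the wrapper and `sig_len` cannot affect what is verified.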
@@ -0,0 +1,57 @@
+From baa21c57f0120b1ae6fa0f694efcdfca56583aba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 12 Mar 2023 14:25:23 +0100
+Subject: wifi: mwifiex: mark OF related data as maybe unused
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 139f6973bf140c65d4d1d4bde5485badb4454d7a ]
+
+The driver can be compile tested with !CONFIG_OF making certain data
+unused:
+
+ drivers/net/wireless/marvell/mwifiex/sdio.c:498:34: error: ‘mwifiex_sdio_of_match_table’ defined but not used [-Werror=unused-const-variable=]
+ drivers/net/wireless/marvell/mwifiex/pcie.c:175:34: error: ‘mwifiex_pcie_of_match_table’ defined but not used [-Werror=unused-const-variable=]
+
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Simon Horman
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230312132523.352182-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/marvell/mwifiex/pcie.c | 2 +-
+ drivers/net/wireless/marvell/mwifiex/sdio.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c
+index b0024893a1cba..50c34630ca302 100644
+--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
+@@ -183,7 +183,7 @@ static const struct mwifiex_pcie_device mwifiex_pcie8997 = {
+ .can_ext_scan = true,
+ };
+
+-static const struct of_device_id mwifiex_pcie_of_match_table[] = {
++static const struct of_device_id mwifiex_pcie_of_match_table[] __maybe_unused = {
+ { .compatible = "pci11ab,2b42" },
+ { .compatible = "pci1b4b,2b42" },
+ { }
+diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c
+index 7fb6eef409285..b09e60fedeb16 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sdio.c
++++ b/drivers/net/wireless/marvell/mwifiex/sdio.c
+@@ -484,7 +484,7 @@ static struct memory_type_mapping mem_type_mapping_tbl[] = {
+ {"EXTLAST", NULL, 0, 0xFE},
+ };
+
+-static const struct of_device_id mwifiex_sdio_of_match_table[] = {
++static const struct of_device_id mwifiex_sdio_of_match_table[] __maybe_unused = {
+ { .compatible = "marvell,sd8787" },
+ { .compatible = "marvell,sd8897" },
+ { .compatible = "marvell,sd8997" },
+--
+2.39.2
+