From: Sasha Levin Date: Sat, 22 Apr 2023 01:03:18 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.14.314~78 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=64bd949a2eaf95ec677dbc19ee34d208bb00d482;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch b/queue-4.14/arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch new file mode 100644 index 00000000000..0e6490165ca --- /dev/null +++ b/queue-4.14/arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch @@ -0,0 +1,37 @@ +From a11a4cb26c9ad7e7f1ad6dbf3005bf2024d2ce52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Feb 2023 17:14:11 +0800 +Subject: ARM: dts: rockchip: fix a typo error for rk3288 spdif node + +From: Jianqun Xu + +[ Upstream commit 02c84f91adb9a64b75ec97d772675c02a3e65ed7 ] + +Fix the address in the spdif node name. + +Fixes: 874e568e500a ("ARM: dts: rockchip: Add SPDIF transceiver for RK3288") +Signed-off-by: Jianqun Xu +Reviewed-by: Sjoerd Simons +Link: https://lore.kernel.org/r/20230208091411.1603142-1-jay.xu@rock-chips.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3288.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi +index c3440adc763ce..c1329359359a0 100644 +--- a/arch/arm/boot/dts/rk3288.dtsi ++++ b/arch/arm/boot/dts/rk3288.dtsi +@@ -910,7 +910,7 @@ + status = "disabled"; + }; + +- spdif: sound@ff88b0000 { ++ spdif: sound@ff8b0000 { + compatible = "rockchip,rk3288-spdif", "rockchip,rk3066-spdif"; + reg = <0x0 0xff8b0000 0x0 0x10000>; + #sound-dai-cells = <0>; +-- +2.39.2 + diff --git a/queue-4.14/e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch b/queue-4.14/e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch new file mode 100644 index 00000000000..798750f01d3 --- /dev/null 
+++ b/queue-4.14/e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch 
@@ -0,0 +1,100 @@ +From f37d52f208aff7ab5f6f515992e8b577fa127844 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 13:53:45 -0700 +Subject: e1000e: Disable TSO on i219-LM card to increase speed + +From: Sebastian Basierski + +[ Upstream commit 67d47b95119ad589b0a0b16b88b1dd9a04061ced ] + +While using i219-LM card currently it was only possible to achieve +about 60% of maximum speed due to regression introduced in Linux 5.8. +This was caused by TSO not being disabled by default despite commit +f29801030ac6 ("e1000e: Disable TSO for buffer overrun workaround"). +Fix that by disabling TSO during driver probe. + +Fixes: f29801030ac6 ("e1000e: Disable TSO for buffer overrun workaround") +Signed-off-by: Sebastian Basierski +Signed-off-by: Mateusz Palczewski +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230417205345.1030801-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 51 +++++++++++----------- + 1 file changed, 26 insertions(+), 25 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index cb3ff3c2fb03f..d41ebc50eeaa2 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5250,31 +5250,6 @@ static void e1000_watchdog_task(struct work_struct *work) + ew32(TARC(0), tarc0); + } + +- /* disable TSO for pcie and 10/100 speeds, to avoid +- * some hardware issues +- */ +- if (!(adapter->flags & FLAG_TSO_FORCE)) { +- switch (adapter->link_speed) { +- case SPEED_10: +- case SPEED_100: +- e_info("10/100 speed: disabling TSO\n"); +- netdev->features &= ~NETIF_F_TSO; +- netdev->features &= ~NETIF_F_TSO6; +- break; +- case SPEED_1000: +- netdev->features |= NETIF_F_TSO; +- netdev->features |= NETIF_F_TSO6; +- break; +- default: +- /* oops */ +- break; +- } +- if (hw->mac.type == 
e1000_pch_spt) { +- netdev->features &= ~NETIF_F_TSO; +- netdev->features &= ~NETIF_F_TSO6; +- } +- } +- + /* enable transmits in the hardware, need to do this + * after setting TARC(0) + */ +@@ -7211,6 +7186,32 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + NETIF_F_RXCSUM | + NETIF_F_HW_CSUM); + ++ /* disable TSO for pcie and 10/100 speeds to avoid ++ * some hardware issues and for i219 to fix transfer ++ * speed being capped at 60% ++ */ ++ if (!(adapter->flags & FLAG_TSO_FORCE)) { ++ switch (adapter->link_speed) { ++ case SPEED_10: ++ case SPEED_100: ++ e_info("10/100 speed: disabling TSO\n"); ++ netdev->features &= ~NETIF_F_TSO; ++ netdev->features &= ~NETIF_F_TSO6; ++ break; ++ case SPEED_1000: ++ netdev->features |= NETIF_F_TSO; ++ netdev->features |= NETIF_F_TSO6; ++ break; ++ default: ++ /* oops */ ++ break; ++ } ++ if (hw->mac.type == e1000_pch_spt) { ++ netdev->features &= ~NETIF_F_TSO; ++ netdev->features &= ~NETIF_F_TSO6; ++ } ++ } ++ + /* Set user-changeable features (subset of all device features) */ + netdev->hw_features = netdev->features; + netdev->hw_features |= NETIF_F_RXFCS; +-- +2.39.2 + diff --git a/queue-4.14/f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch b/queue-4.14/f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch new file mode 100644 index 00000000000..278bd3741d6 --- /dev/null +++ b/queue-4.14/f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch 
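Review bot: The `switch (adapter->link_speed)` block now sits in e1000_probe(), where no link has been negotiated yet (probe's body lies outside the hunk, so this is inferred). Its SPEED_10/SPEED_100/SPEED_1000 arms are therefore unlikely to run, leaving `if (hw->mac.type == e1000_pch_spt)` as the only effective part. The same block was removed from e1000_watchdog_task(), so TSO is no longer cleared when a link later comes up at 10/100, although the new comment still promises that. Because `netdev->hw_features = netdev->features;` follows directly, TSO also drops out of the user-changeable set on pch_spt. The comment should say both things, for example `/* link speed is not known at probe time; only the pch_spt check takes effect here, and it also removes TSO from hw_features */`.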
@@ -0,0 +1,47 @@
+From 9fb63ff66a15e1419f659490da200c71e1e521d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Mar 2023 12:25:49 +0000
+Subject: f2fs: Fix f2fs_truncate_partial_nodes ftrace event
+
+From: Douglas Raillard
+
+[ Upstream commit 0b04d4c0542e8573a837b1d81b94209e48723b25 ]
+
+Fix the nid_t field so that its size is correctly reported in the text
+format embedded in trace.dat files. As it stands, it is reported as
+being of size 4:
+
+ field:nid_t nid[3]; offset:24; size:4; signed:0;
+
+Instead of 12:
+
+ field:nid_t nid[3]; offset:24; size:12; signed:0;
+
+This also fixes the reported offset of subsequent fields so that they
+match with the actual struct layout.
+
+Signed-off-by: Douglas Raillard
+Reviewed-by: Mukesh Ojha
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ include/trace/events/f2fs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h
+index 7ab40491485bc..8ecfc8e68507d 100644
+--- a/include/trace/events/f2fs.h
++++ b/include/trace/events/f2fs.h
+@@ -485,7 +485,7 @@ TRACE_EVENT(f2fs_truncate_partial_nodes,
+ TP_STRUCT__entry(
+ __field(dev_t, dev)
+ __field(ino_t, ino)
+- __field(nid_t, nid[3])
++ __array(nid_t, nid, 3)
+ __field(int, depth)
+ __field(int, err)
+ ),
+--
+2.39.2
+
diff --git a/queue-4.14/i40e-fix-accessing-vsi-active_filters-without-holdin.patch b/queue-4.14/i40e-fix-accessing-vsi-active_filters-without-holdin.patch
new file mode 100644
index 00000000000..8890e388d17
--- /dev/null
+++ b/queue-4.14/i40e-fix-accessing-vsi-active_filters-without-holdin.patch
@@ -0,0 +1,49 @@
+From ab2f23c53402b5c7ee808673229d3b6c5cf9aa65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Mar 2023 18:16:38 +0100
+Subject: i40e: fix accessing vsi->active_filters without holding lock
+
+From: Aleksandr Loktionov
+
+[ Upstream commit 8485d093b076e59baff424552e8aecfc5bd2d261 ]
+
+Fix accessing vsi->active_filters without holding the mac_filter_hash_lock.
+Move vsi->active_filters = 0 inside critical section and
+move clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state) after the critical
+section to ensure the new filters from other threads can be added only after
+filters cleaning in the critical section is finished.
+
+Fixes: 278e7d0b9d68 ("i40e: store MAC/VLAN filters in a hash with the MAC Address as key")
+Signed-off-by: Aleksandr Loktionov
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index de8a713db078f..929e85b2eb21d 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -10078,15 +10078,15 @@ static int i40e_add_vsi(struct i40e_vsi *vsi)
+ vsi->id = ctxt.vsi_number;
+ }
+
+- vsi->active_filters = 0;
+- clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state);
+ spin_lock_bh(&vsi->mac_filter_hash_lock);
++ vsi->active_filters = 0;
+ /* If macvlan filters already exist, force them to get loaded */
+ hash_for_each_safe(vsi->mac_filter_hash, bkt, h, f, hlist) {
+ f->state = I40E_FILTER_NEW;
+ f_count++;
+ }
+ spin_unlock_bh(&vsi->mac_filter_hash_lock);
++ clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state);
+
+ if (f_count) {
+ vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
+--
+2.39.2
+
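Review bot: The position of `clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state);` after `spin_unlock_bh()` is load-bearing, but the reason is recorded only in the commit message. A later cleanup could hoist it back above the lock without any visible warning. A comment on that line would keep the constraint next to the code, for example `/* clear only after the filter walk so other threads add filters against the reset state */`. i40e_add_vsi() starts and ends outside the hunk, so other writers of `active_filters` are not visible here.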
diff --git a/queue-4.14/i40e-fix-i40e_setup_misc_vector-error-handling.patch b/queue-4.14/i40e-fix-i40e_setup_misc_vector-error-handling.patch
new file mode 100644
index 00000000000..83b3bea4be1
--- /dev/null
+++ b/queue-4.14/i40e-fix-i40e_setup_misc_vector-error-handling.patch
@@ -0,0 +1,43 @@
+From 9609f151bd5c1ab3e87c2eec439bee0bbd934d72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Apr 2023 07:13:18 +0200
+Subject: i40e: fix i40e_setup_misc_vector() error handling
+
+From: Aleksandr Loktionov
+
+[ Upstream commit c86c00c6935505929cc9adb29ddb85e48c71f828 ]
+
+Add error handling of i40e_setup_misc_vector() in i40e_rebuild().
+In case interrupt vectors setup fails do not re-open vsi-s and
+do not bring up vf-s, we have no interrupts to serve a traffic
+anyway.
+
+Fixes: 41c445ff0f48 ("i40e: main driver core")
+Signed-off-by: Aleksandr Loktionov
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 929e85b2eb21d..50aa53988b483 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -7378,8 +7378,11 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired)
+ pf->hw.aq.asq_last_status));
+ }
+ /* reinit the misc interrupt */
+- if (pf->flags & I40E_FLAG_MSIX_ENABLED)
++ if (pf->flags & I40E_FLAG_MSIX_ENABLED) {
+ ret = i40e_setup_misc_vector(pf);
++ if (ret)
++ goto end_unlock;
++ }
+
+ /* Add a filter to drop all Flow control frames from any VSI from being
+ * transmitted. By doing so we stop a malicious VF from sending out
+--
+2.39.2
+
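Review bot: The new `goto end_unlock` after `i40e_setup_misc_vector(pf)` leaves i40e_rebuild() without logging anything, so a rebuild that stops here leaves VSIs closed and VFs down with no trace of the cause. The branch just above appears to report `pf->hw.aq.asq_last_status`, though only its tail is visible in the hunk. A matching line before the jump would help diagnosis, for example `dev_info(&pf->pdev->dev, "misc vector setup failed, err %d\n", ret);`. Because the function starts and ends outside the hunk, what `end_unlock` releases cannot be checked from here.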
diff --git a/queue-4.14/mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch b/queue-4.14/mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch
new file mode 100644
index 00000000000..8bae6a484b6
--- /dev/null
+++ b/queue-4.14/mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch
@@ -0,0 +1,45 @@
+From dd4120ef07e90801f44bc6b0df0248299d874f4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Apr 2023 05:07:18 -0700
+Subject: mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()
+
+From: Nikita Zhandarovich
+
+[ Upstream commit c0e73276f0fcbbd3d4736ba975d7dc7a48791b0c ]
+
+Function mlxfw_mfa2_tlv_multi_get() returns NULL if 'tlv' in
+question does not pass checks in mlxfw_mfa2_tlv_payload_get(). This
+behaviour may lead to NULL pointer dereference in 'multi->total_len'.
+Fix this issue by testing mlxfw_mfa2_tlv_multi_get()'s return value
+against NULL.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 410ed13cae39 ("Add the mlxfw module for Mellanox firmware flash process")
+Co-developed-by: Natalia Petrova
+Signed-off-by: Nikita Zhandarovich
+Reviewed-by: Ido Schimmel
+Link: https://lore.kernel.org/r/20230417120718.52325-1-n.zhandarovich@fintech.ru
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
+index 0094b92a233ba..31c0d6ee81b16 100644
+--- a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
++++ b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
+@@ -62,6 +62,8 @@ mlxfw_mfa2_tlv_next(const struct mlxfw_mfa2_file *mfa2_file,
+
+ if (tlv->type == MLXFW_MFA2_TLV_MULTI_PART) {
+ multi = mlxfw_mfa2_tlv_multi_get(mfa2_file, tlv);
++ if (!multi)
++ return NULL;
+ tlv_len = NLA_ALIGN(tlv_len + be16_to_cpu(multi->total_len));
+ }
+
+--
+2.39.2
+
diff --git a/queue-4.14/net-dsa-b53-mmap-add-phy-ops.patch b/queue-4.14/net-dsa-b53-mmap-add-phy-ops.patch
new file mode 100644
index 00000000000..d6a05c51d23
--- /dev/null
+++ b/queue-4.14/net-dsa-b53-mmap-add-phy-ops.patch
@@ -0,0 +1,59 @@
+From b2f5e92438ebe0f7dfa45a9bde00d22e49e7fe2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Mar 2023 20:48:41 +0100
+Subject: net: dsa: b53: mmap: add phy ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas
+
+[ Upstream commit 45977e58ce65ed0459edc9a0466d9dfea09463f5 ]
+
+Implement phy_read16() and phy_write16() ops for B53 MMAP to avoid accessing
+B53_PORT_MII_PAGE registers which hangs the device.
+This access should be done through the MDIO Mux bus controller.
+
+Signed-off-by: Álvaro Fernández Rojas
+Acked-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/b53/b53_mmap.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_mmap.c b/drivers/net/dsa/b53/b53_mmap.c
+index ef63d24fef814..985eb0bbf7dbd 100644
+--- a/drivers/net/dsa/b53/b53_mmap.c
++++ b/drivers/net/dsa/b53/b53_mmap.c
+@@ -207,6 +207,18 @@ static int b53_mmap_write64(struct b53_device *dev, u8 page, u8 reg,
+ return 0;
+ }
+
++static int b53_mmap_phy_read16(struct b53_device *dev, int addr, int reg,
++ u16 *value)
++{
++ return -EIO;
++}
++
++static int b53_mmap_phy_write16(struct b53_device *dev, int addr, int reg,
++ u16 value)
++{
++ return -EIO;
++}
++
+ static const struct b53_io_ops b53_mmap_ops = {
+ .read8 = b53_mmap_read8,
+ .read16 = b53_mmap_read16,
+@@ -218,6 +230,8 @@ static const struct b53_io_ops b53_mmap_ops = {
+ .write32 = b53_mmap_write32,
+ .write48 = b53_mmap_write48,
+ .write64 = b53_mmap_write64,
++ .phy_read16 = b53_mmap_phy_read16,
++ .phy_write16 = b53_mmap_phy_write16,
+ };
+
+ static int b53_mmap_probe(struct platform_device *pdev)
+--
+2.39.2
+
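Review bot: b53_mmap_phy_read16() returns -EIO without storing anything through `value`, so any caller that does not check the return code would go on to use an indeterminate u16. The callers are outside this hunk, so whether one exists is not visible. Adding `*value = 0;` before the `return -EIO;` makes the failure deterministic at no cost. Both stubs look like forgotten placeholders, and the reason they always fail is given only in the commit message. A comment above them would fix that, for example `/* PHY registers must be reached through the MDIO mux bus controller; B53_PORT_MII_PAGE access hangs the device */`.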
diff --git a/queue-4.14/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch b/queue-4.14/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch new file mode 100644 index 00000000000..4e2ac5242b5 --- /dev/null +++ b/queue-4.14/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch 
@@ -0,0 +1,134 @@ +From ba5421ae6dc4cd4dc22f283774f924a9c103111e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 19:35:54 +0900 +Subject: net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg + +From: Gwangun Jung + +[ Upstream commit 3037933448f60f9acb705997eae62013ecb81e0d ] + +If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device. +The MTU of the loopback device can be set up to 2^31-1. +As a result, it is possible to have an lmax value that exceeds QFQ_MIN_LMAX. + +Due to the invalid lmax value, an index is generated that exceeds the QFQ_MAX_INDEX(=24) value, causing out-of-bounds read/write errors. + +The following reports a oob access: + +[ 84.582666] BUG: KASAN: slab-out-of-bounds in qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313) +[ 84.583267] Read of size 4 at addr ffff88810f676948 by task ping/301 +[ 84.583686] +[ 84.583797] CPU: 3 PID: 301 Comm: ping Not tainted 6.3.0-rc5 #1 +[ 84.584164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +[ 84.584644] Call Trace: +[ 84.584787] +[ 84.584906] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) +[ 84.585108] print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) +[ 84.585570] kasan_report (mm/kasan/report.c:538) +[ 84.585988] qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313) +[ 84.586599] qfq_enqueue (net/sched/sch_qfq.c:1255) +[ 84.587607] dev_qdisc_enqueue (net/core/dev.c:3776) +[ 84.587749] __dev_queue_xmit (./include/net/sch_generic.h:186 net/core/dev.c:3865 net/core/dev.c:4212) +[ 84.588763] ip_finish_output2 (./include/net/neighbour.h:546 net/ipv4/ip_output.c:228) +[ 84.589460] ip_output (net/ipv4/ip_output.c:430) +[ 84.590132] ip_push_pending_frames (./include/net/dst.h:444 net/ipv4/ip_output.c:126 net/ipv4/ip_output.c:1586 net/ipv4/ip_output.c:1606) +[ 
84.590285] raw_sendmsg (net/ipv4/raw.c:649) +[ 84.591960] sock_sendmsg (net/socket.c:724 net/socket.c:747) +[ 84.592084] __sys_sendto (net/socket.c:2142) +[ 84.593306] __x64_sys_sendto (net/socket.c:2150) +[ 84.593779] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +[ 84.593902] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) +[ 84.594070] RIP: 0033:0x7fe568032066 +[ 84.594192] Code: 0e 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c09[ 84.594796] RSP: 002b:00007ffce388b4e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + +Code starting with the faulting instruction +=========================================== +[ 84.595047] RAX: ffffffffffffffda RBX: 00007ffce388cc70 RCX: 00007fe568032066 +[ 84.595281] RDX: 0000000000000040 RSI: 00005605fdad6d10 RDI: 0000000000000003 +[ 84.595515] RBP: 00005605fdad6d10 R08: 00007ffce388eeec R09: 0000000000000010 +[ 84.595749] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 +[ 84.595984] R13: 00007ffce388cc30 R14: 00007ffce388b4f0 R15: 0000001d00000001 +[ 84.596218] +[ 84.596295] +[ 84.596351] Allocated by task 291: +[ 84.596467] kasan_save_stack (mm/kasan/common.c:46) +[ 84.596597] kasan_set_track (mm/kasan/common.c:52) +[ 84.596725] __kasan_kmalloc (mm/kasan/common.c:384) +[ 84.596852] __kmalloc_node (./include/linux/kasan.h:196 mm/slab_common.c:967 mm/slab_common.c:974) +[ 84.596979] qdisc_alloc (./include/linux/slab.h:610 ./include/linux/slab.h:731 net/sched/sch_generic.c:938) +[ 84.597100] qdisc_create (net/sched/sch_api.c:1244) +[ 84.597222] tc_modify_qdisc (net/sched/sch_api.c:1680) +[ 84.597357] rtnetlink_rcv_msg (net/core/rtnetlink.c:6174) +[ 84.597495] netlink_rcv_skb (net/netlink/af_netlink.c:2574) +[ 84.597627] netlink_unicast (net/netlink/af_netlink.c:1340 net/netlink/af_netlink.c:1365) +[ 84.597759] netlink_sendmsg (net/netlink/af_netlink.c:1942) +[ 84.597891] sock_sendmsg (net/socket.c:724 net/socket.c:747) +[ 
84.598016] ____sys_sendmsg (net/socket.c:2501) +[ 84.598147] ___sys_sendmsg (net/socket.c:2557) +[ 84.598275] __sys_sendmsg (./include/linux/file.h:31 net/socket.c:2586) +[ 84.598399] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +[ 84.598520] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) +[ 84.598688] +[ 84.598744] The buggy address belongs to the object at ffff88810f674000 +[ 84.598744] which belongs to the cache kmalloc-8k of size 8192 +[ 84.599135] The buggy address is located 2664 bytes to the right of +[ 84.599135] allocated 7904-byte region [ffff88810f674000, ffff88810f675ee0) +[ 84.599544] +[ 84.599598] The buggy address belongs to the physical page: +[ 84.599777] page:00000000e638567f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f670 +[ 84.600074] head:00000000e638567f order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +[ 84.600330] flags: 0x200000000010200(slab|head|node=0|zone=2) +[ 84.600517] raw: 0200000000010200 ffff888100043180 dead000000000122 0000000000000000 +[ 84.600764] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 +[ 84.601009] page dumped because: kasan: bad access detected +[ 84.601187] +[ 84.601241] Memory state around the buggy address: +[ 84.601396] ffff88810f676800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.601620] ffff88810f676880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.601845] >ffff88810f676900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.602069] ^ +[ 84.602243] ffff88810f676980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.602468] ffff88810f676a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.602693] ================================================================== +[ 84.602924] Disabling lock debugging due to kernel taint + +Fixes: 3015f3d2a3cd ("pkt_sched: enable QFQ to support TSO/GSO") +Reported-by: Gwangun Jung +Signed-off-by: Gwangun Jung +Acked-by: Jamal Hadi Salim +Signed-off-by: 
David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 4701019768955..2832e16b6c2e1 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -432,15 +432,16 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + } else + weight = 1; + +- if (tb[TCA_QFQ_LMAX]) { ++ if (tb[TCA_QFQ_LMAX]) + lmax = nla_get_u32(tb[TCA_QFQ_LMAX]); +- if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) { +- pr_notice("qfq: invalid max length %u\n", lmax); +- return -EINVAL; +- } +- } else ++ else + lmax = psched_mtu(qdisc_dev(sch)); + ++ if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) { ++ pr_notice("qfq: invalid max length %u\n", lmax); ++ return -EINVAL; ++ } ++ + inv_w = ONE_FP / weight; + weight = ONE_FP / inv_w; + +-- +2.39.2 + diff --git a/queue-4.14/s390-ptrace-fix-ptrace_get_last_break-error-handling.patch b/queue-4.14/s390-ptrace-fix-ptrace_get_last_break-error-handling.patch new file mode 100644 index 00000000000..04b4f91c288 --- /dev/null +++ b/queue-4.14/s390-ptrace-fix-ptrace_get_last_break-error-handling.patch 
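Review bot: With the range check moved below the `if (tb[TCA_QFQ_LMAX]) … else` pair, an `lmax` taken from `psched_mtu(qdisc_dev(sch))` can now fail qfq_change_class() with `qfq: invalid max length %u`. That message does not say the value came from the device MTU rather than from the netlink attribute, so an operator who never set TCA_QFQ_LMAX gets -EINVAL with no usable hint. Consider naming the source in the message, or adding a comment above the check such as `/* lmax may come from the device MTU, which can exceed 1 << QFQ_MTU_SHIFT */`. The `pr_notice()` is also reachable on every rejected request, so `pr_notice_ratelimited()` would keep repeated bad requests from flooding the log. The function body continues outside the hunk, so later uses of `lmax` were not reviewed.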
@@ -0,0 +1,49 @@ +From 657da1b0ec1432be9d58b9575a4b07b9a96bd9b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 12:31:30 +0100 +Subject: s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling + +From: Heiko Carstens + +[ Upstream commit f9bbf25e7b2b74b52b2f269216a92657774f239c ] + +Return -EFAULT if put_user() for the PTRACE_GET_LAST_BREAK +request fails, instead of silently ignoring it. + +Reviewed-by: Sven Schnelle +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/ptrace.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c +index 42e4cd20fbbed..7c635e4328b87 100644 +--- a/arch/s390/kernel/ptrace.c ++++ b/arch/s390/kernel/ptrace.c +@@ -500,9 +500,7 @@ long arch_ptrace(struct task_struct *child, long request, + } + return 0; + case PTRACE_GET_LAST_BREAK: +- put_user(child->thread.last_break, +- (unsigned long __user *) data); +- return 0; ++ return put_user(child->thread.last_break, (unsigned long __user *)data); + case PTRACE_ENABLE_TE: + if (!MACHINE_HAS_TE) + return -EIO; +@@ -854,9 +852,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, + } + return 0; + case PTRACE_GET_LAST_BREAK: +- put_user(child->thread.last_break, +- (unsigned int __user *) data); +- return 0; ++ return put_user(child->thread.last_break, (unsigned int __user *)data); + } + return compat_ptrace_request(child, request, addr, data); + } +-- +2.39.2 + diff --git a/queue-4.14/scsi-core-improve-scsi_vpd_inquiry-checks.patch b/queue-4.14/scsi-core-improve-scsi_vpd_inquiry-checks.patch new file mode 100644 index 00000000000..90d65145bf5 --- /dev/null +++ b/queue-4.14/scsi-core-improve-scsi_vpd_inquiry-checks.patch 
@@ -0,0 +1,60 @@ +From a13985c088f19252514fc3661a021a7ccaf57e87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 11:22:11 +0900 +Subject: scsi: core: Improve scsi_vpd_inquiry() checks + +From: Damien Le Moal + +[ Upstream commit f0aa59a33d2ac2267d260fe21eaf92500df8e7b4 ] + +Some USB-SATA adapters have broken behavior when an unsupported VPD page is +probed: Depending on the VPD page number, a 4-byte header with a valid VPD +page number but with a 0 length is returned. Currently, scsi_vpd_inquiry() +only checks that the page number is valid to determine if the page is +valid, which results in receiving only the 4-byte header for the +non-existent page. This error manifests itself very often with page 0xb9 +for the Concurrent Positioning Ranges detection done by sd_read_cpr(), +resulting in the following error message: + +sd 0:0:0:0: [sda] Invalid Concurrent Positioning Ranges VPD page + +Prevent such misleading error message by adding a check in +scsi_vpd_inquiry() to verify that the page length is not 0. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20230322022211.116327-1-damien.lemoal@opensource.wdc.com +Reviewed-by: Benjamin Block +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c +index 80ab7ef027247..5f18599b0e5fd 100644 +--- a/drivers/scsi/scsi.c ++++ b/drivers/scsi/scsi.c +@@ -351,11 +351,18 @@ static int scsi_vpd_inquiry(struct scsi_device *sdev, unsigned char *buffer, + if (result) + return -EIO; + +- /* Sanity check that we got the page back that we asked for */ ++ /* ++ * Sanity check that we got the page back that we asked for and that ++ * the page size is not 0. 
++ */ + if (buffer[1] != page) + return -EIO; + +- return get_unaligned_be16(&buffer[2]) + 4; ++ result = get_unaligned_be16(&buffer[2]); ++ if (!result) ++ return -EIO; ++ ++ return result + 4; + } + + /** +-- +2.39.2 + diff --git a/queue-4.14/scsi-megaraid_sas-fix-fw_crash_buffer_show.patch b/queue-4.14/scsi-megaraid_sas-fix-fw_crash_buffer_show.patch new file mode 100644 index 00000000000..9fdee9e82c6 --- /dev/null +++ b/queue-4.14/scsi-megaraid_sas-fix-fw_crash_buffer_show.patch @@ -0,0 +1,36 @@ +From de322cbcba65f0a42d2c105a0225467663d19728 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 14:52:49 +0100 +Subject: scsi: megaraid_sas: Fix fw_crash_buffer_show() + +From: Tomas Henzl + +[ Upstream commit 0808ed6ebbc292222ca069d339744870f6d801da ] + +If crash_dump_buf is not allocated then crash dump can't be available. +Replace logical 'and' with 'or'. + +Signed-off-by: Tomas Henzl +Link: https://lore.kernel.org/r/20230324135249.9733-1-thenzl@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index 42d876034741c..bdd06b26e2de1 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -2983,7 +2983,7 @@ megasas_fw_crash_buffer_show(struct device *cdev, + + spin_lock_irqsave(&instance->crashdump_lock, flags); + buff_offset = instance->fw_crash_buffer_offset; +- if (!instance->crash_dump_buf && ++ if (!instance->crash_dump_buf || + !((instance->fw_crash_state == AVAILABLE) || + (instance->fw_crash_state == COPYING))) { + dev_err(&instance->pdev->dev, +-- +2.39.2 + diff --git a/queue-4.14/selftests-sigaltstack-fix-wuninitialized.patch b/queue-4.14/selftests-sigaltstack-fix-wuninitialized.patch new file mode 100644 index 00000000000..a87aeb5b91d --- /dev/null 
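Review bot: The value returned by `return result + 4;` comes from `get_unaligned_be16(&buffer[2])`, which is whatever length the device reported. Nothing in the visible lines bounds it by the size of `buffer`, so the new zero-length check still leaves the upper end to the callers, and the start of scsi_vpd_inquiry() and its callers are outside the hunk. The reworded comment should state that contract, for example by adding `The returned length is device-reported and may exceed the buffer size; callers must clamp it.` Separately, `result` now holds first a command status and then a page length. A dedicated local for the length would read more clearly.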
+++ b/queue-4.14/selftests-sigaltstack-fix-wuninitialized.patch 
@@ -0,0 +1,95 @@ +From 329e0ac555820913a52621a5300a120088c1e7fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 11:59:33 -0800 +Subject: selftests: sigaltstack: fix -Wuninitialized + +From: Nick Desaulniers + +[ Upstream commit 05107edc910135d27fe557267dc45be9630bf3dd ] + +Building sigaltstack with clang via: +$ ARCH=x86 make LLVM=1 -C tools/testing/selftests/sigaltstack/ + +produces the following warning: + warning: variable 'sp' is uninitialized when used here [-Wuninitialized] + if (sp < (unsigned long)sstack || + ^~ + +Clang expects these to be declared at global scope; we've fixed this in +the kernel proper by using the macro `current_stack_pointer`. This is +defined in different headers for different target architectures, so just +create a new header that defines the arch-specific register names for +the stack pointer register, and define it for more targets (at least the +ones that support current_stack_pointer/ARCH_HAS_CURRENT_STACK_POINTER). + +Reported-by: Linux Kernel Functional Testing +Link: https://lore.kernel.org/lkml/CA+G9fYsi3OOu7yCsMutpzKDnBMAzJBCPimBp86LhGBa0eCnEpA@mail.gmail.com/ +Signed-off-by: Nick Desaulniers +Reviewed-by: Kees Cook +Tested-by: Linux Kernel Functional Testing +Tested-by: Anders Roxell +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../sigaltstack/current_stack_pointer.h | 23 +++++++++++++++++++ + tools/testing/selftests/sigaltstack/sas.c | 7 +----- + 2 files changed, 24 insertions(+), 6 deletions(-) + create mode 100644 tools/testing/selftests/sigaltstack/current_stack_pointer.h + +diff --git a/tools/testing/selftests/sigaltstack/current_stack_pointer.h b/tools/testing/selftests/sigaltstack/current_stack_pointer.h +new file mode 100644 +index 0000000000000..ea9bdf3a90b16 +--- /dev/null ++++ b/tools/testing/selftests/sigaltstack/current_stack_pointer.h +@@ -0,0 +1,23 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++ ++#if __alpha__ ++register unsigned long sp asm("$30"); ++#elif __arm__ || 
__aarch64__ || __csky__ || __m68k__ || __mips__ || __riscv ++register unsigned long sp asm("sp"); ++#elif __i386__ ++register unsigned long sp asm("esp"); ++#elif __loongarch64 ++register unsigned long sp asm("$sp"); ++#elif __ppc__ ++register unsigned long sp asm("r1"); ++#elif __s390x__ ++register unsigned long sp asm("%15"); ++#elif __sh__ ++register unsigned long sp asm("r15"); ++#elif __x86_64__ ++register unsigned long sp asm("rsp"); ++#elif __XTENSA__ ++register unsigned long sp asm("a1"); ++#else ++#error "implement current_stack_pointer equivalent" ++#endif +diff --git a/tools/testing/selftests/sigaltstack/sas.c b/tools/testing/selftests/sigaltstack/sas.c +index 228c2ae47687d..6069d97bf5063 100644 +--- a/tools/testing/selftests/sigaltstack/sas.c ++++ b/tools/testing/selftests/sigaltstack/sas.c +@@ -19,6 +19,7 @@ + #include + + #include "../kselftest.h" ++#include "current_stack_pointer.h" + + #ifndef SS_AUTODISARM + #define SS_AUTODISARM (1U << 31) +@@ -40,12 +41,6 @@ void my_usr1(int sig, siginfo_t *si, void *u) + stack_t stk; + struct stk_data *p; + +-#if __s390x__ +- register unsigned long sp asm("%15"); +-#else +- register unsigned long sp asm("sp"); +-#endif +- + if (sp < (unsigned long)sstack || + sp >= (unsigned long)sstack + SIGSTKSZ) { + ksft_exit_fail_msg("SP is not on sigaltstack\n"); +-- +2.39.2 + diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..644a9c64252 --- /dev/null +++ b/queue-4.14/series 
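Review bot: The new current_stack_pointer.h has no include guard, and it defines a file-scope register variable with the very short name `sp` in every file that includes it. A second inclusion, or any local variable or parameter called `sp`, would then clash with it or silently shadow it. Wrapping the header in a guard is cheap, for example `#ifndef SIGALTSTACK_CURRENT_STACK_POINTER_H`, the matching `#define`, and a closing `#endif`. The tests are also written as `#if __alpha__`, which relies on undefined macros evaluating to 0 and warns under -Wundef. `#if defined(__alpha__)` and likewise for the other arms states the intent directly.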
@@ -0,0 +1,14 @@ +arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch +net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch +virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch +i40e-fix-accessing-vsi-active_filters-without-holdin.patch +i40e-fix-i40e_setup_misc_vector-error-handling.patch +mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch +e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch +f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch +selftests-sigaltstack-fix-wuninitialized.patch +scsi-megaraid_sas-fix-fw_crash_buffer_show.patch +scsi-core-improve-scsi_vpd_inquiry-checks.patch +net-dsa-b53-mmap-add-phy-ops.patch +s390-ptrace-fix-ptrace_get_last_break-error-handling.patch +xen-netback-use-same-error-messages-for-same-errors.patch diff --git a/queue-4.14/virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch b/queue-4.14/virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch new file mode 100644 index 00000000000..f43d7f9ef2f --- /dev/null +++ b/queue-4.14/virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch 
@@ -0,0 +1,51 @@
+From a86095697d9569abb36e11e7eafa44956f48473b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Apr 2023 14:08:35 +0800
+Subject: virtio_net: bugfix overflow inside xdp_linearize_page()
+
+From: Xuan Zhuo
+
+[ Upstream commit 853618d5886bf94812f31228091cd37d308230f7 ]
+
+Here we copy the data from the original buf to the new page. But we
+not check that it may be overflow.
+
+As long as the size received(including vnethdr) is greater than 3840
+(PAGE_SIZE -VIRTIO_XDP_HEADROOM). Then the memcpy will overflow.
+
+And this is completely possible, as long as the MTU is large, such
+as 4096. In our test environment, this will cause crash. Since crash is
+caused by the written memory, it is meaningless, so I do not include it.
+
+Fixes: 72979a6c3590 ("virtio_net: xdp, add slowpath case for non contiguous buffers")
+Signed-off-by: Xuan Zhuo
+Acked-by: Jason Wang
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/virtio_net.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 9e18389309cf4..067ebdd0d5898 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -452,8 +452,13 @@ static struct page *xdp_linearize_page(struct receive_queue *rq,
+ int page_off,
+ unsigned int *len)
+ {
+- struct page *page = alloc_page(GFP_ATOMIC);
++ int tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
++ struct page *page;
+
++ if (page_off + *len + tailroom > PAGE_SIZE)
++ return NULL;
++
++ page = alloc_page(GFP_ATOMIC);
+ if (!page)
+ return NULL;
+
+--
+2.39.2
+
diff --git a/queue-4.14/xen-netback-use-same-error-messages-for-same-errors.patch b/queue-4.14/xen-netback-use-same-error-messages-for-same-errors.patch
new file mode 100644
index 00000000000..f9f68fcbad5
--- /dev/null
+++ b/queue-4.14/xen-netback-use-same-error-messages-for-same-errors.patch
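Review bot: The new bound check in xdp_linearize_page() sums `page_off + *len + tailroom` before comparing, and because `*len` is `unsigned int` the sum is evaluated in 32-bit unsigned arithmetic, so a very large `*len` could wrap and pass the test ahead of the copy the commit message describes. Whether callers already cap `*len` is not visible in this hunk; if the value can arrive unchecked from the device, comparing by subtraction avoids the wrap: `if (page_off < 0 || page_off > PAGE_SIZE - tailroom || *len > PAGE_SIZE - tailroom - page_off) return NULL;`. A short comment above `tailroom`, such as `/* keep room for skb_shared_info at the end of the page */`, would also explain why it is part of the bound. The function body continues outside the hunk, so any later copies in it are not covered by this note.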
@@ -0,0 +1,42 @@
+From 163d654b5c7aab4dacb6ff982cc1b293c1af101d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Mar 2023 10:02:59 +0200
+Subject: xen/netback: use same error messages for same errors
+
+From: Juergen Gross
+
+[ Upstream commit 2eca98e5b24d01c02b46c67be05a5f98cc9789b1 ]
+
+Issue the same error message in case an illegal page boundary crossing
+has been detected in both cases where this is tested.
+
+Suggested-by: Jan Beulich
+Signed-off-by: Juergen Gross
+Reviewed-by: Jan Beulich
+Link: https://lore.kernel.org/r/20230329080259.14823-1-jgross@suse.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/xen-netback/netback.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index 252414a9293db..a141db3f0dc7c 100644
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -991,10 +991,8 @@ static void xenvif_tx_build_gops(struct xenvif_queue *queue,
+
+ /* No crossing a page as the payload mustn't fragment. */
+ if (unlikely((txreq.offset + txreq.size) > XEN_PAGE_SIZE)) {
+- netdev_err(queue->vif->dev,
+- "txreq.offset: %u, size: %u, end: %lu\n",
+- txreq.offset, txreq.size,
+- (unsigned long)(txreq.offset&~XEN_PAGE_MASK) + txreq.size);
++ netdev_err(queue->vif->dev, "Cross page boundary, txreq.offset: %u, size: %u\n",
++ txreq.offset, txreq.size);
+ xenvif_fatal_tx_err(queue->vif);
+ break;
+ }
+--
+2.39.2
+