From: Sasha Levin Date: Fri, 21 Feb 2025 16:51:13 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v6.6.80~27^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=737e7370a08e6eb051e709a65358e13237c4965e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alsa-hda-realtek-add-type-for-alc287.patch b/queue-5.4/alsa-hda-realtek-add-type-for-alc287.patch new file mode 100644 index 0000000000..4dd16d7d69 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-add-type-for-alc287.patch @@ -0,0 +1,64 @@ +From f3ef29ea2fbeafcd9136f2fe8d661dbcba4d28ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 09:09:37 +0800 +Subject: ALSA: hda/realtek - Add type for ALC287 + +From: Kailang Yang + +[ Upstream commit 99cee034c28947fc122799b0b7714e01b047f3f3 ] + +Add independent type for ALC287. + +Signed-off-by: Kailang Yang +Link: https://lore.kernel.org/r/2b7539c3e96f41a4ab458d53ea5f5784@realtek.com +Signed-off-by: Takashi Iwai +Stable-dep-of: 174448badb44 ("ALSA: hda/realtek: Fixup ALC225 depop procedure") +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 9b344b80f950a..069515b065386 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3111,6 +3111,7 @@ enum { + ALC269_TYPE_ALC257, + ALC269_TYPE_ALC215, + ALC269_TYPE_ALC225, ++ ALC269_TYPE_ALC287, + ALC269_TYPE_ALC294, + ALC269_TYPE_ALC300, + ALC269_TYPE_ALC623, +@@ -3147,6 +3148,7 @@ static int alc269_parse_auto_config(struct hda_codec *codec) + case ALC269_TYPE_ALC257: + case ALC269_TYPE_ALC215: + case ALC269_TYPE_ALC225: ++ case ALC269_TYPE_ALC287: + case ALC269_TYPE_ALC294: + case ALC269_TYPE_ALC300: + case ALC269_TYPE_ALC623: +@@ -9342,7 +9344,6 @@ static int patch_alc269(struct hda_codec *codec) + case 0x10ec0215: + case 0x10ec0245: + case 0x10ec0285: +- case 0x10ec0287: + case 0x10ec0289: + spec->codec_variant = ALC269_TYPE_ALC215; + spec->shutup = alc225_shutup; +@@ -9357,6 +9358,12 @@ static int patch_alc269(struct hda_codec *codec) + spec->init_hook = alc225_init; + spec->gen.mixer_nid = 0; /* no loopback on ALC225, ALC295 and ALC299 */ + break; ++ case 0x10ec0287: ++ spec->codec_variant = ALC269_TYPE_ALC287; ++ spec->shutup = alc225_shutup; ++ spec->init_hook = alc225_init; ++ spec->gen.mixer_nid = 0; /* no loopback on ALC287 */ ++ break; + case 0x10ec0234: + case 0x10ec0274: + case 0x10ec0294: +-- +2.39.5 + diff --git a/queue-5.4/alsa-hda-realtek-fixup-alc225-depop-procedure.patch b/queue-5.4/alsa-hda-realtek-fixup-alc225-depop-procedure.patch new file mode 100644 index 0000000000..27c89d2294 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-fixup-alc225-depop-procedure.patch @@ -0,0 +1,36 @@ +From 62eb5d6f0fa1b2c026aeeb912ca8d49eb2ff1cfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 14:40:46 +0800 +Subject: ALSA: hda/realtek: Fixup ALC225 depop procedure + +From: Kailang Yang + +[ Upstream commit 174448badb4409491bfba2e6b46f7aa078741c5e ] + +Headset MIC will no function when power_save=0. + +Fixes: 1fd50509fe14 ("ALSA: hda/realtek: Update ALC225 depop procedure") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219743 +Signed-off-by: Kailang Yang +Link: https://lore.kernel.org/0474a095ab0044d0939ec4bf4362423d@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 069515b065386..755a93ad65500 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3658,6 +3658,7 @@ static void alc225_init(struct hda_codec *codec) + AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE); + + msleep(75); ++ alc_update_coef_idx(codec, 0x4a, 3 << 10, 0); + alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x4); /* Hight power */ + } + } +-- +2.39.5 + diff --git a/queue-5.4/crypto-testmgr-fix-version-number-of-rsa-tests.patch b/queue-5.4/crypto-testmgr-fix-version-number-of-rsa-tests.patch new file mode 100644 index 0000000000..9defc90ee8 --- /dev/null +++ b/queue-5.4/crypto-testmgr-fix-version-number-of-rsa-tests.patch @@ -0,0 +1,59 @@ +From 1f68ceb981c758409b8b1421fc435b1cf901b93b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 18:06:25 +0800 +Subject: crypto: testmgr - fix version number of RSA tests + +From: lei he + +[ Upstream commit 0bb8f125253843c445b70fc6ef4fb21aa7b25625 ] + +According to PKCS#1 standard, the 'otherPrimeInfos' field contains +the information for the additional primes r_3, ..., r_u, in order. +It shall be omitted if the version is 0 and shall contain at least +one instance of OtherPrimeInfo if the version is 1, see: + https://www.rfc-editor.org/rfc/rfc3447#page-44 + +Replace the version number '1' with 0, otherwise, some drivers may +not pass the run-time tests. + +Signed-off-by: lei he +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/testmgr.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index 7cda2f88ef434..f3722c66530da 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -178,7 +178,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + #ifndef CONFIG_CRYPTO_FIPS + .key = + "\x30\x81\x9A" /* sequence of 154 bytes */ +- "\x02\x01\x01" /* version - integer of 1 byte */ ++ "\x02\x01\x00" /* version - integer of 1 byte */ + "\x02\x41" /* modulus - integer of 65 bytes */ + "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F" + "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5" +@@ -208,7 +208,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + }, { + .key = + "\x30\x82\x01\x1D" /* sequence of 285 bytes */ +- "\x02\x01\x01" /* version - integer of 1 byte */ ++ "\x02\x01\x00" /* version - integer of 1 byte */ + "\x02\x81\x81" /* modulus - integer of 129 bytes */ + "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" + "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5" +@@ -252,7 +252,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + #endif + .key = + "\x30\x82\x02\x20" /* sequence of 544 bytes */ +- "\x02\x01\x01" /* version - integer of 1 byte */ ++ "\x02\x01\x00" /* version - integer of 1 byte */ + "\x02\x82\x01\x01\x00" /* modulus - integer of 256 bytes */ + "\xDB\x10\x1A\xC2\xA3\xF1\xDC\xFF\x13\x6B\xED\x44\xDF\xF0\x02\x6D" + "\x13\xC7\x88\xDA\x70\x6B\x54\xF1\xE8\x27\xDC\xC3\x0F\x99\x6A\xFA" +-- +2.39.5 + diff --git a/queue-5.4/crypto-testmgr-fix-wrong-key-length-for-pkcs1pad.patch b/queue-5.4/crypto-testmgr-fix-wrong-key-length-for-pkcs1pad.patch new file mode 100644 index 0000000000..05573c8d7c --- /dev/null +++ b/queue-5.4/crypto-testmgr-fix-wrong-key-length-for-pkcs1pad.patch @@ -0,0 +1,35 @@ +From 48f075e46f5927f7c0d5a00ff2bff76c38c024c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 20:44:43 +0800 +Subject: crypto: testmgr - fix wrong key length for pkcs1pad + +From: Lei He + +[ Upstream commit 39ef08517082a424b5b65c3dbaa6c0fa9d3303b9 ] + +Fix wrong test data at testmgr.h, it seems to be caused +by ignoring the last '\0' when calling sizeof. + +Signed-off-by: Lei He +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/testmgr.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index ef7d21f39d4a9..27ce9f94a3246 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -771,7 +771,7 @@ static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = { + "\xd1\x86\x48\x55\xce\x83\xee\x8e\x51\xc7\xde\x32\x12\x47\x7d\x46" + "\xb8\x35\xdf\x41\x02\x01\x00\x02\x01\x00\x02\x01\x00\x02\x01\x00" + "\x02\x01\x00", +- .key_len = 804, ++ .key_len = 803, + /* + * m is SHA256 hash of following message: + * "\x49\x41\xbe\x0a\x0c\xc9\xf6\x35\x51\xe4\x27\x56\x13\x71\x4b\xd0" +-- +2.39.5 + diff --git a/queue-5.4/crypto-testmgr-fix-wrong-test-case-of-rsa.patch b/queue-5.4/crypto-testmgr-fix-wrong-test-case-of-rsa.patch new file mode 100644 index 0000000000..5b1ec4f25a --- /dev/null +++ b/queue-5.4/crypto-testmgr-fix-wrong-test-case-of-rsa.patch @@ -0,0 +1,56 @@ +From 433b65410d17464f4faa044cc0196d46e2b24158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 20:25:31 +0800 +Subject: crypto: testmgr - Fix wrong test case of RSA + +From: Lei He + +[ Upstream commit a9887010ed2da3fddaff83ceec80e2b71be8a966 ] + +According to the BER encoding rules, integer value should be encoded +as two's complement, and if the highest bit of a positive integer +is 1, should add a leading zero-octet. + +The kernel's built-in RSA algorithm cannot recognize negative numbers +when parsing keys, so it can pass this test case. + +Export the key to file and run the following command to verify the +fix result: + + openssl asn1parse -inform DER -in /path/to/key/file + +Signed-off-by: Lei He +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/testmgr.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index 27ce9f94a3246..7cda2f88ef434 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -251,9 +251,9 @@ static const struct akcipher_testvec rsa_tv_template[] = { + }, { + #endif + .key = +- "\x30\x82\x02\x1F" /* sequence of 543 bytes */ ++ "\x30\x82\x02\x20" /* sequence of 544 bytes */ + "\x02\x01\x01" /* version - integer of 1 byte */ +- "\x02\x82\x01\x00" /* modulus - integer of 256 bytes */ ++ "\x02\x82\x01\x01\x00" /* modulus - integer of 256 bytes */ + "\xDB\x10\x1A\xC2\xA3\xF1\xDC\xFF\x13\x6B\xED\x44\xDF\xF0\x02\x6D" + "\x13\xC7\x88\xDA\x70\x6B\x54\xF1\xE8\x27\xDC\xC3\x0F\x99\x6A\xFA" + "\xC6\x67\xFF\x1D\x1E\x3C\x1D\xC1\xB5\x5F\x6C\xC0\xB2\x07\x3A\x6D" +@@ -293,7 +293,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + "\x02\x01\x00" /* exponent1 - integer of 1 byte */ + "\x02\x01\x00" /* exponent2 - integer of 1 byte */ + "\x02\x01\x00", /* coefficient - integer of 1 byte */ +- .key_len = 547, ++ .key_len = 548, + .m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a", + .c = + "\xb2\x97\x76\xb4\xae\x3e\x38\x3c\x7e\x64\x1f\xcc\xa2\x7f\xf6\xbe" +-- +2.39.5 + diff --git a/queue-5.4/crypto-testmgr-populate-rsa-crt-parameters-in-rsa-te.patch b/queue-5.4/crypto-testmgr-populate-rsa-crt-parameters-in-rsa-te.patch new file mode 100644 index 0000000000..040c138ec4 --- /dev/null +++ b/queue-5.4/crypto-testmgr-populate-rsa-crt-parameters-in-rsa-te.patch @@ -0,0 +1,206 @@ +From b83a60041751bbb39b4f31b8c828507a66413c5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Jul 2022 11:38:40 +0100 +Subject: crypto: testmgr - populate RSA CRT parameters in RSA test vectors + +From: Ignat Korchagin + +[ Upstream commit 79e6e2f3f3ff345947075341781e900e4f70db81 ] + +Changes from v1: + * replace some accidental spaces with tabs + +In commit f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem +for faster private key operations") we have started to use the additional +primes and coefficients for RSA private key operations. However, these +additional parameters are not present (defined as 0 integers) in the RSA +test vectors. + +Some parameters were borrowed from OpenSSL, so I was able to find the +source. I could not find the public source for 1 vector though, so had to +recover the parameters by implementing Appendix C from [1]. + +[1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1.pdf + +Fixes: f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem for faster private key operations") +Reported-by: Tasmiya Nalatwad +Signed-off-by: Ignat Korchagin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/testmgr.h | 121 +++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 100 insertions(+), 21 deletions(-) + +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index f3722c66530da..d57c911649180 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -177,7 +177,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + { + #ifndef CONFIG_CRYPTO_FIPS + .key = +- "\x30\x81\x9A" /* sequence of 154 bytes */ ++ "\x30\x82\x01\x38" /* sequence of 312 bytes */ + "\x02\x01\x00" /* version - integer of 1 byte */ + "\x02\x41" /* modulus - integer of 65 bytes */ + "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F" +@@ -191,23 +191,36 @@ static const struct akcipher_testvec rsa_tv_template[] = { + "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64" + "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9" + "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51" +- "\x02\x01\x00" /* prime1 - integer of 1 byte */ +- "\x02\x01\x00" /* prime2 - integer of 1 byte */ +- "\x02\x01\x00" /* exponent1 - integer of 1 byte */ +- "\x02\x01\x00" /* exponent2 - integer of 1 byte */ +- "\x02\x01\x00", /* coefficient - integer of 1 byte */ ++ "\x02\x21" /* prime1 - integer of 33 bytes */ ++ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12" ++ "\x0D" ++ "\x02\x21" /* prime2 - integer of 33 bytes */ ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++ "\x89" ++ "\x02\x20" /* exponent1 - integer of 32 bytes */ ++ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF" ++ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05" ++ "\x02\x21" /* exponent2 - integer of 33 bytes */ ++ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99" ++ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D" ++ "\x51" ++ "\x02\x20" /* coefficient - integer of 32 bytes */ ++ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8" ++ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26", + .m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a", + .c = + "\x63\x1c\xcd\x7b\xe1\x7e\xe4\xde\xc9\xa8\x89\xa1\x74\xcb\x3c\x63" + "\x7d\x24\xec\x83\xc3\x15\xe4\x7f\x73\x05\x34\xd1\xec\x22\xbb\x8a" + "\x5e\x32\x39\x6d\xc1\x1d\x7d\x50\x3b\x9f\x7a\xad\xf0\x2e\x25\x53" + "\x9f\x6e\xbd\x4c\x55\x84\x0c\x9b\xcf\x1a\x4b\x51\x1e\x9e\x0c\x06", +- .key_len = 157, ++ .key_len = 316, + .m_size = 8, + .c_size = 64, + }, { + .key = +- "\x30\x82\x01\x1D" /* sequence of 285 bytes */ ++ "\x30\x82\x02\x5B" /* sequence of 603 bytes */ + "\x02\x01\x00" /* version - integer of 1 byte */ + "\x02\x81\x81" /* modulus - integer of 129 bytes */ + "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" +@@ -230,12 +243,35 @@ static const struct akcipher_testvec rsa_tv_template[] = { + "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94" + "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3" + "\xC1" +- "\x02\x01\x00" /* prime1 - integer of 1 byte */ +- "\x02\x01\x00" /* prime2 - integer of 1 byte */ +- "\x02\x01\x00" /* exponent1 - integer of 1 byte */ +- "\x02\x01\x00" /* exponent2 - integer of 1 byte */ +- "\x02\x01\x00", /* coefficient - integer of 1 byte */ +- .key_len = 289, ++ "\x02\x41" /* prime1 - integer of 65 bytes */ ++ "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60" ++ "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6" ++ "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A" ++ "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65" ++ "\x99" ++ "\x02\x41" /* prime2 - integer of 65 bytes */ ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++ "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15" ++ "\x03" ++ "\x02\x40" /* exponent1 - integer of 64 bytes */ ++ "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A" ++ "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E" ++ "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E" ++ "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81" ++ "\x02\x40" /* exponent2 - integer of 64 bytes */ ++ "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9" ++ "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" ++ "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" ++ "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D" ++ "\x02\x41", /* coefficient - integer of 65 bytes */ ++ "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" ++ "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" ++ "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" ++ "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39" ++ "\xF7", ++ .key_len = 607, + .m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a", + .c = + "\x74\x1b\x55\xac\x47\xb5\x08\x0a\x6e\x2b\x2d\xf7\x94\xb8\x8a\x95" +@@ -251,7 +287,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + }, { + #endif + .key = +- "\x30\x82\x02\x20" /* sequence of 544 bytes */ ++ "\x30\x82\x04\xA3" /* sequence of 1187 bytes */ + "\x02\x01\x00" /* version - integer of 1 byte */ + "\x02\x82\x01\x01\x00" /* modulus - integer of 256 bytes */ + "\xDB\x10\x1A\xC2\xA3\xF1\xDC\xFF\x13\x6B\xED\x44\xDF\xF0\x02\x6D" +@@ -288,12 +324,55 @@ static const struct akcipher_testvec rsa_tv_template[] = { + "\x62\xFF\xE9\x46\xB8\xD8\x44\xDB\xA5\xCC\x31\x54\x34\xCE\x3E\x82" + "\xD6\xBF\x7A\x0B\x64\x21\x6D\x88\x7E\x5B\x45\x12\x1E\x63\x8D\x49" + "\xA7\x1D\xD9\x1E\x06\xCD\xE8\xBA\x2C\x8C\x69\x32\xEA\xBE\x60\x71" +- "\x02\x01\x00" /* prime1 - integer of 1 byte */ +- "\x02\x01\x00" /* prime2 - integer of 1 byte */ +- "\x02\x01\x00" /* exponent1 - integer of 1 byte */ +- "\x02\x01\x00" /* exponent2 - integer of 1 byte */ +- "\x02\x01\x00", /* coefficient - integer of 1 byte */ +- .key_len = 548, ++ "\x02\x81\x81" /* prime1 - integer of 129 bytes */ ++ "\x00\xFA\xAC\xE1\x37\x5E\x32\x11\x34\xC6\x72\x58\x2D\x91\x06\x3E" ++ "\x77\xE7\x11\x21\xCD\x4A\xF8\xA4\x3F\x0F\xEF\x31\xE3\xF3\x55\xA0" ++ "\xB9\xAC\xB6\xCB\xBB\x41\xD0\x32\x81\x9A\x8F\x7A\x99\x30\x77\x6C" ++ "\x68\x27\xE2\x96\xB5\x72\xC9\xC3\xD4\x42\xAA\xAA\xCA\x95\x8F\xFF" ++ "\xC9\x9B\x52\x34\x30\x1D\xCF\xFE\xCF\x3C\x56\x68\x6E\xEF\xE7\x6C" ++ "\xD7\xFB\x99\xF5\x4A\xA5\x21\x1F\x2B\xEA\x93\xE8\x98\x26\xC4\x6E" ++ "\x42\x21\x5E\xA0\xA1\x2A\x58\x35\xBB\x10\xE7\xBA\x27\x0A\x3B\xB3" ++ "\xAF\xE2\x75\x36\x04\xAC\x56\xA0\xAB\x52\xDE\xCE\xDD\x2C\x28\x77" ++ "\x03" ++ "\x02\x81\x81" /* prime2 - integer of 129 bytes */ ++ "\x00\xDF\xB7\x52\xB6\xD7\xC0\xE2\x96\xE7\xC9\xFE\x5D\x71\x5A\xC4" ++ "\x40\x96\x2F\xE5\x87\xEA\xF3\xA5\x77\x11\x67\x3C\x8D\x56\x08\xA7" ++ "\xB5\x67\xFA\x37\xA8\xB8\xCF\x61\xE8\x63\xD8\x38\x06\x21\x2B\x92" ++ "\x09\xA6\x39\x3A\xEA\xA8\xB4\x45\x4B\x36\x10\x4C\xE4\x00\x66\x71" ++ "\x65\xF8\x0B\x94\x59\x4F\x8C\xFD\xD5\x34\xA2\xE7\x62\x84\x0A\xA7" ++ "\xBB\xDB\xD9\x8A\xCD\x05\xE1\xCC\x57\x7B\xF1\xF1\x1F\x11\x9D\xBA" ++ "\x3E\x45\x18\x99\x1B\x41\x64\x43\xEE\x97\x5D\x77\x13\x5B\x74\x69" ++ "\x73\x87\x95\x05\x07\xBE\x45\x07\x17\x7E\x4A\x69\x22\xF3\xDB\x05" ++ "\x39" ++ "\x02\x81\x80" /* exponent1 - integer of 128 bytes */ ++ "\x5E\xD8\xDC\xDA\x53\x44\xC4\x67\xE0\x92\x51\x34\xE4\x83\xA5\x4D" ++ "\x3E\xDB\xA7\x9B\x82\xBB\x73\x81\xFC\xE8\x77\x4B\x15\xBE\x17\x73" ++ "\x49\x9B\x5C\x98\xBC\xBD\x26\xEF\x0C\xE9\x2E\xED\x19\x7E\x86\x41" ++ "\x1E\x9E\x48\x81\xDD\x2D\xE4\x6F\xC2\xCD\xCA\x93\x9E\x65\x7E\xD5" ++ "\xEC\x73\xFD\x15\x1B\xA2\xA0\x7A\x0F\x0D\x6E\xB4\x53\x07\x90\x92" ++ "\x64\x3B\x8B\xA9\x33\xB3\xC5\x94\x9B\x4C\x5D\x9C\x7C\x46\xA4\xA5" ++ "\x56\xF4\xF3\xF8\x27\x0A\x7B\x42\x0D\x92\x70\x47\xE7\x42\x51\xA9" ++ "\xC2\x18\xB1\x58\xB1\x50\x91\xB8\x61\x41\xB6\xA9\xCE\xD4\x7C\xBB" ++ "\x02\x81\x80" /* exponent2 - integer of 128 bytes */ ++ "\x54\x09\x1F\x0F\x03\xD8\xB6\xC5\x0C\xE8\xB9\x9E\x0C\x38\x96\x43" ++ "\xD4\xA6\xC5\x47\xDB\x20\x0E\xE5\xBD\x29\xD4\x7B\x1A\xF8\x41\x57" ++ "\x49\x69\x9A\x82\xCC\x79\x4A\x43\xEB\x4D\x8B\x2D\xF2\x43\xD5\xA5" ++ "\xBE\x44\xFD\x36\xAC\x8C\x9B\x02\xF7\x9A\x03\xE8\x19\xA6\x61\xAE" ++ "\x76\x10\x93\x77\x41\x04\xAB\x4C\xED\x6A\xCC\x14\x1B\x99\x8D\x0C" ++ "\x6A\x37\x3B\x86\x6C\x51\x37\x5B\x1D\x79\xF2\xA3\x43\x10\xC6\xA7" ++ "\x21\x79\x6D\xF9\xE9\x04\x6A\xE8\x32\xFF\xAE\xFD\x1C\x7B\x8C\x29" ++ "\x13\xA3\x0C\xB2\xAD\xEC\x6C\x0F\x8D\x27\x12\x7B\x48\xB2\xDB\x31" ++ "\x02\x81\x81", /* coefficient - integer of 129 bytes */ ++ "\x00\x8D\x1B\x05\xCA\x24\x1F\x0C\x53\x19\x52\x74\x63\x21\xFA\x78" ++ "\x46\x79\xAF\x5C\xDE\x30\xA4\x6C\x20\x38\xE6\x97\x39\xB8\x7A\x70" ++ "\x0D\x8B\x6C\x6D\x13\x74\xD5\x1C\xDE\xA9\xF4\x60\x37\xFE\x68\x77" ++ "\x5E\x0B\x4E\x5E\x03\x31\x30\xDF\xD6\xAE\x85\xD0\x81\xBB\x61\xC7" ++ "\xB1\x04\x5A\xC4\x6D\x56\x1C\xD9\x64\xE7\x85\x7F\x88\x91\xC9\x60" ++ "\x28\x05\xE2\xC6\x24\x8F\xDD\x61\x64\xD8\x09\xDE\x7E\xD3\x4A\x61" ++ "\x1A\xD3\x73\x58\x4B\xD8\xA0\x54\x25\x48\x83\x6F\x82\x6C\xAF\x36" ++ "\x51\x2A\x5D\x14\x2F\x41\x25\x00\xDD\xF8\xF3\x95\xFE\x31\x25\x50" ++ "\x12", ++ .key_len = 1191, + .m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a", + .c = + "\xb2\x97\x76\xb4\xae\x3e\x38\x3c\x7e\x64\x1f\xcc\xa2\x7f\xf6\xbe" +-- +2.39.5 + diff --git a/queue-5.4/crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch b/queue-5.4/crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch new file mode 100644 index 0000000000..7d5992e2bb --- /dev/null +++ b/queue-5.4/crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch @@ -0,0 +1,163 @@ +From 9d98a8fbec85565f95f3e7484f884b58b7d10145 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Jul 2022 14:37:46 +0100 +Subject: crypto: testmgr - some more fixes to RSA test vectors + +From: Ignat Korchagin + +[ Upstream commit 9d2bb9a74b2877f100637d6ab5685bcd33c69d44 ] + +Two more fixes: + + * some test vectors in commit 79e6e2f3f3ff ("crypto: testmgr - populate + RSA CRT parameters in RSA test vectors") had misplaced commas, which + break the test and trigger KASAN warnings at least on x86-64 + + * pkcs1pad test vector did not have its CRT parameters + +Fixes: 79e6e2f3f3ff ("crypto: testmgr - populate RSA CRT parameters in RSA test vectors") +Reported-by: Eric Biggers +Signed-off-by: Ignat Korchagin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/testmgr.h | 102 +++++++++++++++++++++++++++++------------------ + 1 file changed, 63 insertions(+), 39 deletions(-) + +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index d57c911649180..601cbee29cca9 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -265,7 +265,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" + "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" + "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D" +- "\x02\x41", /* coefficient - integer of 65 bytes */ ++ "\x02\x41" /* coefficient - integer of 65 bytes */ + "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" + "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" + "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" +@@ -362,7 +362,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + "\x6A\x37\x3B\x86\x6C\x51\x37\x5B\x1D\x79\xF2\xA3\x43\x10\xC6\xA7" + "\x21\x79\x6D\xF9\xE9\x04\x6A\xE8\x32\xFF\xAE\xFD\x1C\x7B\x8C\x29" + "\x13\xA3\x0C\xB2\xAD\xEC\x6C\x0F\x8D\x27\x12\x7B\x48\xB2\xDB\x31" +- "\x02\x81\x81", /* coefficient - integer of 129 bytes */ ++ "\x02\x81\x81" /* coefficient - integer of 129 bytes */ + "\x00\x8D\x1B\x05\xCA\x24\x1F\x0C\x53\x19\x52\x74\x63\x21\xFA\x78" + "\x46\x79\xAF\x5C\xDE\x30\xA4\x6C\x20\x38\xE6\x97\x39\xB8\x7A\x70" + "\x0D\x8B\x6C\x6D\x13\x74\xD5\x1C\xDE\xA9\xF4\x60\x37\xFE\x68\x77" +@@ -799,7 +799,7 @@ static const struct akcipher_testvec ecrdsa_tv_template[] = { + static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = { + { + .key = +- "\x30\x82\x03\x1f\x02\x01\x00\x02\x82\x01\x01\x00\xd7\x1e\x77\x82" ++ "\x30\x82\x04\xa5\x02\x01\x00\x02\x82\x01\x01\x00\xd7\x1e\x77\x82" + "\x8c\x92\x31\xe7\x69\x02\xa2\xd5\x5c\x78\xde\xa2\x0c\x8f\xfe\x28" + "\x59\x31\xdf\x40\x9c\x60\x61\x06\xb9\x2f\x62\x40\x80\x76\xcb\x67" + "\x4a\xb5\x59\x56\x69\x17\x07\xfa\xf9\x4c\xbd\x6c\x37\x7a\x46\x7d" +@@ -815,42 +815,66 @@ static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = { + "\x9e\x49\x63\x6e\x02\xc1\xc9\x3a\x9b\xa5\x22\x1b\x07\x95\xd6\x10" + "\x02\x50\xfd\xfd\xd1\x9b\xbe\xab\xc2\xc0\x74\xd7\xec\x00\xfb\x11" + "\x71\xcb\x7a\xdc\x81\x79\x9f\x86\x68\x46\x63\x82\x4d\xb7\xf1\xe6" +- "\x16\x6f\x42\x63\xf4\x94\xa0\xca\x33\xcc\x75\x13\x02\x82\x01\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01" +- "\x02\x82\x01\x00\x62\xb5\x60\x31\x4f\x3f\x66\x16\xc1\x60\xac\x47" +- "\x2a\xff\x6b\x69\x00\x4a\xb2\x5c\xe1\x50\xb9\x18\x74\xa8\xe4\xdc" +- "\xa8\xec\xcd\x30\xbb\xc1\xc6\xe3\xc6\xac\x20\x2a\x3e\x5e\x8b\x12" +- "\xe6\x82\x08\x09\x38\x0b\xab\x7c\xb3\xcc\x9c\xce\x97\x67\xdd\xef" +- "\x95\x40\x4e\x92\xe2\x44\xe9\x1d\xc1\x14\xfd\xa9\xb1\xdc\x71\x9c" +- "\x46\x21\xbd\x58\x88\x6e\x22\x15\x56\xc1\xef\xe0\xc9\x8d\xe5\x80" +- "\x3e\xda\x7e\x93\x0f\x52\xf6\xf5\xc1\x91\x90\x9e\x42\x49\x4f\x8d" +- "\x9c\xba\x38\x83\xe9\x33\xc2\x50\x4f\xec\xc2\xf0\xa8\xb7\x6e\x28" +- "\x25\x56\x6b\x62\x67\xfe\x08\xf1\x56\xe5\x6f\x0e\x99\xf1\xe5\x95" +- "\x7b\xef\xeb\x0a\x2c\x92\x97\x57\x23\x33\x36\x07\xdd\xfb\xae\xf1" +- "\xb1\xd8\x33\xb7\x96\x71\x42\x36\xc5\xa4\xa9\x19\x4b\x1b\x52\x4c" +- "\x50\x69\x91\xf0\x0e\xfa\x80\x37\x4b\xb5\xd0\x2f\xb7\x44\x0d\xd4" +- "\xf8\x39\x8d\xab\x71\x67\x59\x05\x88\x3d\xeb\x48\x48\x33\x88\x4e" +- "\xfe\xf8\x27\x1b\xd6\x55\x60\x5e\x48\xb7\x6d\x9a\xa8\x37\xf9\x7a" +- "\xde\x1b\xcd\x5d\x1a\x30\xd4\xe9\x9e\x5b\x3c\x15\xf8\x9c\x1f\xda" +- "\xd1\x86\x48\x55\xce\x83\xee\x8e\x51\xc7\xde\x32\x12\x47\x7d\x46" +- "\xb8\x35\xdf\x41\x02\x01\x00\x02\x01\x00\x02\x01\x00\x02\x01\x00" +- "\x02\x01\x00", +- .key_len = 803, ++ "\x16\x6f\x42\x63\xf4\x94\xa0\xca\x33\xcc\x75\x13\x02\x03\x01\x00" ++ "\x01\x02\x82\x01\x00\x62\xb5\x60\x31\x4f\x3f\x66\x16\xc1\x60\xac" ++ "\x47\x2a\xff\x6b\x69\x00\x4a\xb2\x5c\xe1\x50\xb9\x18\x74\xa8\xe4" ++ "\xdc\xa8\xec\xcd\x30\xbb\xc1\xc6\xe3\xc6\xac\x20\x2a\x3e\x5e\x8b" ++ "\x12\xe6\x82\x08\x09\x38\x0b\xab\x7c\xb3\xcc\x9c\xce\x97\x67\xdd" ++ "\xef\x95\x40\x4e\x92\xe2\x44\xe9\x1d\xc1\x14\xfd\xa9\xb1\xdc\x71" ++ "\x9c\x46\x21\xbd\x58\x88\x6e\x22\x15\x56\xc1\xef\xe0\xc9\x8d\xe5" ++ "\x80\x3e\xda\x7e\x93\x0f\x52\xf6\xf5\xc1\x91\x90\x9e\x42\x49\x4f" ++ "\x8d\x9c\xba\x38\x83\xe9\x33\xc2\x50\x4f\xec\xc2\xf0\xa8\xb7\x6e" ++ "\x28\x25\x56\x6b\x62\x67\xfe\x08\xf1\x56\xe5\x6f\x0e\x99\xf1\xe5" ++ "\x95\x7b\xef\xeb\x0a\x2c\x92\x97\x57\x23\x33\x36\x07\xdd\xfb\xae" ++ "\xf1\xb1\xd8\x33\xb7\x96\x71\x42\x36\xc5\xa4\xa9\x19\x4b\x1b\x52" ++ "\x4c\x50\x69\x91\xf0\x0e\xfa\x80\x37\x4b\xb5\xd0\x2f\xb7\x44\x0d" ++ "\xd4\xf8\x39\x8d\xab\x71\x67\x59\x05\x88\x3d\xeb\x48\x48\x33\x88" ++ "\x4e\xfe\xf8\x27\x1b\xd6\x55\x60\x5e\x48\xb7\x6d\x9a\xa8\x37\xf9" ++ "\x7a\xde\x1b\xcd\x5d\x1a\x30\xd4\xe9\x9e\x5b\x3c\x15\xf8\x9c\x1f" ++ "\xda\xd1\x86\x48\x55\xce\x83\xee\x8e\x51\xc7\xde\x32\x12\x47\x7d" ++ "\x46\xb8\x35\xdf\x41\x02\x81\x81\x00\xe4\x4c\xae\xde\x16\xfd\x9f" ++ "\x83\x55\x5b\x84\x4a\xcf\x1c\xf1\x37\x95\xad\xca\x29\x7f\x2d\x6e" ++ "\x32\x81\xa4\x2b\x26\x14\x96\x1d\x40\x05\xec\x0c\xaf\x3f\x2c\x6f" ++ "\x2c\xe8\xbf\x1d\xee\xd0\xb3\xef\x7c\x5b\x9e\x88\x4f\x2a\x8b\x0e" ++ "\x4a\xbd\xb7\x8c\xfa\x10\x0e\x3b\xda\x68\xad\x41\x2b\xe4\x96\xfa" ++ "\x7f\x80\x52\x5f\x07\x9f\x0e\x3b\x5e\x96\x45\x1a\x13\x2b\x94\xce" ++ "\x1f\x07\x69\x85\x35\xfc\x69\x63\x5b\xf8\xf8\x3f\xce\x9d\x40\x1e" ++ "\x7c\xad\xfb\x9e\xce\xe0\x01\xf8\xef\x59\x5d\xdc\x00\x79\xab\x8a" ++ "\x3f\x80\xa2\x76\x32\x94\xa9\xea\x65\x02\x81\x81\x00\xf1\x38\x60" ++ "\x90\x0d\x0c\x2e\x3d\x34\xe5\x90\xea\x21\x43\x1f\x68\x63\x16\x7b" ++ "\x25\x8d\xde\x82\x2b\x52\xf8\xa3\xfd\x0f\x39\xe7\xe9\x5e\x32\x75" ++ "\x15\x7d\xd0\xc9\xce\x06\xe5\xfb\xa9\xcb\x22\xe5\xdb\x49\x09\xf2" ++ "\xe6\xb7\xa5\xa7\x75\x2e\x91\x2d\x2b\x5d\xf1\x48\x61\x45\x43\xd7" ++ "\xbd\xfc\x11\x73\xb5\x11\x9f\xb2\x18\x3a\x6f\x36\xa7\xc2\xd3\x18" ++ "\x4d\xf0\xc5\x1f\x70\x8c\x9b\xc5\x1d\x95\xa8\x5a\x9e\x8c\xb1\x4b" ++ "\x6a\x2a\x84\x76\x2c\xd8\x4f\x47\xb0\x81\x84\x02\x45\xf0\x85\xf8" ++ "\x0c\x6d\xa7\x0c\x4d\x2c\xb2\x5b\x81\x70\xfd\x6e\x17\x02\x81\x81" ++ "\x00\x8d\x07\xc5\xfa\x92\x4f\x48\xcb\xd3\xdd\xfe\x02\x4c\xa1\x7f" ++ "\x6d\xab\xfc\x38\xe7\x9b\x95\xcf\xfe\x49\x51\xc6\x09\xf7\x2b\xa8" ++ "\x94\x15\x54\x75\x9d\x88\xb4\x05\x55\xc3\xcd\xd4\x4a\xe4\x08\x53" ++ "\xc8\x09\xbd\x0c\x4d\x83\x65\x75\x85\xbc\x5e\xf8\x2a\xbd\xe2\x5d" ++ "\x1d\x16\x0e\xf9\x34\x89\x38\xaf\x34\x36\x6c\x2c\x22\x44\x22\x81" ++ "\x90\x73\xd9\xea\x3a\xaf\x70\x74\x48\x7c\xc6\xb5\xb0\xdc\xe5\xa9" ++ "\xa8\x76\x4b\xbc\xf7\x00\xf3\x4c\x22\x0f\x44\x62\x1d\x40\x0a\x57" ++ "\xe2\x5b\xdd\x7c\x7b\x9a\xad\xda\x70\x52\x21\x8a\x4c\xc2\xc3\x98" ++ "\x75\x02\x81\x81\x00\xed\x24\x5c\xa2\x21\x81\xa1\x0f\xa1\x2a\x33" ++ "\x0e\x49\xc7\x00\x60\x92\x51\x6e\x9d\x9b\xdc\x6d\x22\x04\x7e\xd6" ++ "\x51\x19\x9f\xf6\xe3\x91\x2c\x8f\xb8\xa2\x29\x19\xcc\x47\x31\xdf" ++ "\xf8\xab\xf0\xd2\x02\x83\xca\x99\x16\xc2\xe2\xc3\x3f\x4b\x99\x83" ++ "\xcb\x87\x9e\x86\x66\xc2\x3e\x91\x21\x80\x66\xf3\xd6\xc5\xcd\xb6" ++ "\xbb\x64\xef\x22\xcf\x48\x94\x58\xe7\x7e\xd5\x7c\x34\x1c\xb7\xa2" ++ "\xd0\x93\xe9\x9f\xb5\x11\x61\xd7\x5f\x37\x0f\x64\x52\x70\x11\x78" ++ "\xcc\x08\x77\xeb\xf8\x30\x1e\xb4\x9e\x1b\x4a\xc7\xa8\x33\x51\xe0" ++ "\xed\xdf\x53\xf6\xdf\x02\x81\x81\x00\x86\xd9\x4c\xee\x65\x61\xc1" ++ "\x19\xa9\xd5\x74\x9b\xd5\xca\xf6\x83\x2b\x06\xb4\x20\xfe\x45\x29" ++ "\xe8\xe3\xfa\xe1\x4f\x28\x8e\x63\x2f\x74\xc3\x3a\x5c\x9a\xf5\x9e" ++ "\x0e\x0d\xc5\xfe\xa0\x4c\x00\xce\x7b\xa4\x19\x17\x59\xaf\x13\x3a" ++ "\x03\x8f\x54\xf5\x60\x39\x2e\xd9\x06\xb3\x7c\xd6\x90\x06\x41\x77" ++ "\xf3\x93\xe1\x7a\x01\x41\xc1\x8f\xfe\x4c\x88\x39\xdb\xde\x71\x9e" ++ "\x58\xd1\x49\x50\x80\xb2\x5a\x4f\x69\x8b\xb8\xfe\x63\xd4\x42\x3d" ++ "\x37\x61\xa8\x4c\xff\xb6\x99\x4c\xf4\x51\xe0\x44\xaa\x69\x79\x3f" ++ "\x81\xa4\x61\x3d\x26\xe9\x04\x52\x64", ++ .key_len = 1193, + /* + * m is SHA256 hash of following message: + * "\x49\x41\xbe\x0a\x0c\xc9\xf6\x35\x51\xe4\x27\x56\x13\x71\x4b\xd0" +-- +2.39.5 + diff --git a/queue-5.4/flow_dissector-fix-handling-of-mixed-port-and-port-r.patch b/queue-5.4/flow_dissector-fix-handling-of-mixed-port-and-port-r.patch new file mode 100644 index 0000000000..62041038b9 --- /dev/null +++ b/queue-5.4/flow_dissector-fix-handling-of-mixed-port-and-port-r.patch @@ -0,0 +1,94 @@ +From c71b5ea24d51dcd3e28e4bed44bc390160f3a771 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 20:32:07 -0800 +Subject: flow_dissector: Fix handling of mixed port and port-range keys + +From: Cong Wang + +[ Upstream commit 3e5796862c692ea608d96f0a1437f9290f44953a ] + +This patch fixes a bug in TC flower filter where rules combining a +specific destination port with a source port range weren't working +correctly. + +The specific case was when users tried to configure rules like: + +tc filter add dev ens38 ingress protocol ip flower ip_proto udp \ +dst_port 5000 src_port 2000-3000 action drop + +The root cause was in the flow dissector code. While both +FLOW_DISSECTOR_KEY_PORTS and FLOW_DISSECTOR_KEY_PORTS_RANGE flags +were being set correctly in the classifier, the __skb_flow_dissect_ports() +function was only populating one of them: whichever came first in +the enum check. This meant that when the code needed both a specific +port and a port range, one of them would be left as 0, causing the +filter to not match packets as expected. + +Fix it by removing the either/or logic and instead checking and +populating both key types independently when they're in use. + +Fixes: 8ffb055beae5 ("cls_flower: Fix the behavior using port ranges with hw-offload") +Reported-by: Qiang Zhang +Closes: https://lore.kernel.org/netdev/CAPx+-5uvFxkhkz4=j_Xuwkezjn9U6kzKTD5jz4tZ9msSJ0fOJA@mail.gmail.com/ +Cc: Yoshiki Komachi +Cc: Jamal Hadi Salim +Cc: Jiri Pirko +Signed-off-by: Cong Wang +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20250218043210.732959-2-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/flow_dissector.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index 5daa72a930a9c..f4cc3710be94a 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -705,23 +705,30 @@ __skb_flow_dissect_ports(const struct sk_buff *skb, + void *target_container, void *data, int nhoff, + u8 ip_proto, int hlen) + { +- enum flow_dissector_key_id dissector_ports = FLOW_DISSECTOR_KEY_MAX; +- struct flow_dissector_key_ports *key_ports; ++ struct flow_dissector_key_ports_range *key_ports_range = NULL; ++ struct flow_dissector_key_ports *key_ports = NULL; ++ __be32 ports; + + if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS)) +- dissector_ports = FLOW_DISSECTOR_KEY_PORTS; +- else if (dissector_uses_key(flow_dissector, +- FLOW_DISSECTOR_KEY_PORTS_RANGE)) +- dissector_ports = FLOW_DISSECTOR_KEY_PORTS_RANGE; ++ key_ports = skb_flow_dissector_target(flow_dissector, ++ FLOW_DISSECTOR_KEY_PORTS, ++ target_container); ++ ++ if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS_RANGE)) ++ key_ports_range = skb_flow_dissector_target(flow_dissector, ++ FLOW_DISSECTOR_KEY_PORTS_RANGE, ++ target_container); + +- if (dissector_ports == FLOW_DISSECTOR_KEY_MAX) ++ if (!key_ports && !key_ports_range) + return; + +- key_ports = skb_flow_dissector_target(flow_dissector, +- dissector_ports, +- target_container); +- key_ports->ports = __skb_flow_get_ports(skb, nhoff, ip_proto, +- data, hlen); ++ ports = __skb_flow_get_ports(skb, nhoff, ip_proto, data, hlen); ++ ++ if (key_ports) ++ key_ports->ports = ports; ++ ++ if (key_ports_range) ++ key_ports_range->tp.ports = ports; + } + + static void +-- +2.39.5 + diff --git a/queue-5.4/flow_dissector-fix-port-range-key-handling-in-bpf-co.patch b/queue-5.4/flow_dissector-fix-port-range-key-handling-in-bpf-co.patch new file mode 100644 index 0000000000..973892851f --- /dev/null +++ b/queue-5.4/flow_dissector-fix-port-range-key-handling-in-bpf-co.patch @@ -0,0 +1,76 @@ +From a2651a948b2718dea5b1d78eb8dbac723f8e4883 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 20:32:09 -0800 +Subject: flow_dissector: Fix port range key handling in BPF conversion + +From: Cong Wang + +[ Upstream commit 69ab34f705fbfabcace64b5d53bb7a4450fac875 ] + +Fix how port range keys are handled in __skb_flow_bpf_to_target() by: +- Separating PORTS and PORTS_RANGE key handling +- Using correct key_ports_range structure for range keys +- Properly initializing both key types independently + +This ensures port range information is correctly stored in its dedicated +structure rather than incorrectly using the regular ports key structure. + +Fixes: 59fb9b62fb6c ("flow_dissector: Fix to use new variables for port ranges in bpf hook") +Reported-by: Qiang Zhang +Closes: https://lore.kernel.org/netdev/CAPx+-5uvFxkhkz4=j_Xuwkezjn9U6kzKTD5jz4tZ9msSJ0fOJA@mail.gmail.com/ +Cc: Yoshiki Komachi +Cc: Jamal Hadi Salim +Cc: Jiri Pirko +Signed-off-by: Cong Wang +Link: https://patch.msgid.link/20250218043210.732959-4-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/flow_dissector.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index f4cc3710be94a..96d2635aaae07 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -781,6 +781,7 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys, + struct flow_dissector *flow_dissector, + void *target_container) + { ++ struct flow_dissector_key_ports_range *key_ports_range = NULL; + struct flow_dissector_key_ports *key_ports = NULL; + struct flow_dissector_key_control *key_control; + struct flow_dissector_key_basic *key_basic; +@@ -825,20 +826,21 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys, + key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; + } + +- if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS)) ++ if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS)) { + key_ports = skb_flow_dissector_target(flow_dissector, + FLOW_DISSECTOR_KEY_PORTS, + target_container); +- else if (dissector_uses_key(flow_dissector, +- FLOW_DISSECTOR_KEY_PORTS_RANGE)) +- key_ports = skb_flow_dissector_target(flow_dissector, +- FLOW_DISSECTOR_KEY_PORTS_RANGE, +- target_container); +- +- if (key_ports) { + key_ports->src = flow_keys->sport; + key_ports->dst = flow_keys->dport; + } ++ if (dissector_uses_key(flow_dissector, ++ FLOW_DISSECTOR_KEY_PORTS_RANGE)) { ++ key_ports_range = skb_flow_dissector_target(flow_dissector, ++ FLOW_DISSECTOR_KEY_PORTS_RANGE, ++ target_container); ++ key_ports_range->tp.src = flow_keys->sport; ++ key_ports_range->tp.dst = flow_keys->dport; ++ } + + if (dissector_uses_key(flow_dissector, + FLOW_DISSECTOR_KEY_FLOW_LABEL)) { +-- +2.39.5 + diff --git a/queue-5.4/geneve-fix-use-after-free-in-geneve_find_dev.patch b/queue-5.4/geneve-fix-use-after-free-in-geneve_find_dev.patch new file mode 100644 index 0000000000..c0a7929a2c --- /dev/null +++ b/queue-5.4/geneve-fix-use-after-free-in-geneve_find_dev.patch @@ -0,0 +1,200 @@ +From 5137f3ceb63f85f98f4b6490d91b909ff1658429 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 13:33:54 +0900 +Subject: geneve: Fix use-after-free in geneve_find_dev(). + +From: Kuniyuki Iwashima + +[ Upstream commit 9593172d93b9f91c362baec4643003dc29802929 ] + +syzkaller reported a use-after-free in geneve_find_dev() [0] +without repro. + +geneve_configure() links struct geneve_dev.next to +net_generic(net, geneve_net_id)->geneve_list. + +The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, +IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set. + +When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally +calls unregister_netdevice_queue() for each dev in the netns, +and later the dev is freed. + +However, its geneve_dev.next is still linked to the backend UDP +socket netns. + +Then, use-after-free will occur when another geneve dev is created +in the netns. + +Let's call geneve_dellink() instead in geneve_destroy_tunnels(). + +[0]: +BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline] +BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 +Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441 + +CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d +Hardware name: linux,dummy-virt (DT) +Call trace: + show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C) + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x16c/0x6f0 mm/kasan/report.c:489 + kasan_report+0xc0/0x120 mm/kasan/report.c:602 + __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379 + geneve_find_dev drivers/net/geneve.c:1295 [inline] + geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 + geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634 + rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795 + __rtnl_newlink net/core/rtnetlink.c:3906 [inline] + rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 + rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 + netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 + rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 + netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] + netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348 + netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892 + sock_sendmsg_nosec net/socket.c:713 [inline] + __sock_sendmsg net/socket.c:728 [inline] + ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568 + ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622 + __sys_sendmsg net/socket.c:2654 [inline] + __do_sys_sendmsg net/socket.c:2659 [inline] + __se_sys_sendmsg net/socket.c:2657 [inline] + __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 + el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 + el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 + el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 + +Allocated by task 13247: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x30/0x68 mm/kasan/common.c:68 + kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4298 [inline] + __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304 + __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645 + alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470 + rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604 + rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780 + __rtnl_newlink net/core/rtnetlink.c:3906 [inline] + rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 + rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 + netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 + rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 + netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] + netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348 + netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892 + sock_sendmsg_nosec net/socket.c:713 [inline] + __sock_sendmsg net/socket.c:728 [inline] + ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568 + ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622 + __sys_sendmsg net/socket.c:2654 [inline] + __do_sys_sendmsg net/socket.c:2659 [inline] + __se_sys_sendmsg net/socket.c:2657 [inline] + __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 + el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 + el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 + el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 + +Freed by task 45: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x30/0x68 mm/kasan/common.c:68 + kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:582 + poison_slab_object mm/kasan/common.c:247 [inline] + __kasan_slab_free+0x48/0x68 mm/kasan/common.c:264 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2353 [inline] + slab_free mm/slub.c:4613 [inline] + kfree+0x140/0x420 mm/slub.c:4761 + kvfree+0x4c/0x68 mm/util.c:688 + netdev_release+0x94/0xc8 net/core/net-sysfs.c:2065 + device_release+0x98/0x1c0 + kobject_cleanup lib/kobject.c:689 [inline] + kobject_release lib/kobject.c:720 [inline] + kref_put include/linux/kref.h:65 [inline] + kobject_put+0x2b0/0x438 lib/kobject.c:737 + netdev_run_todo+0xe5c/0xfc8 net/core/dev.c:11185 + rtnl_unlock+0x20/0x38 net/core/rtnetlink.c:151 + cleanup_net+0x4fc/0x8c0 net/core/net_namespace.c:648 + process_one_work+0x700/0x1398 kernel/workqueue.c:3236 + process_scheduled_works kernel/workqueue.c:3317 [inline] + worker_thread+0x8c4/0xe10 kernel/workqueue.c:3398 + kthread+0x4bc/0x608 kernel/kthread.c:464 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 + +The buggy address belongs to the object at ffff000054d6e000 + which belongs to the cache kmalloc-cg-4k of size 4096 +The buggy address is located 3620 bytes inside of + freed 4096-byte region [ffff000054d6e000, ffff000054d6f000) + +The buggy address belongs to the physical page: +page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94d68 +head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +memcg:ffff000016276181 +flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff) +page_type: f5(slab) +raw: 03fffe0000000040 ffff0000c000f500 dead000000000122 0000000000000000 +raw: 0000000000000000 0000000000040004 00000001f5000000 ffff000016276181 +head: 03fffe0000000040 ffff0000c000f500 dead000000000122 0000000000000000 +head: 0000000000000000 0000000000040004 00000001f5000000 ffff000016276181 +head: 03fffe0000000003 fffffdffc1535a01 ffffffffffffffff 0000000000000000 +head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff000054d6ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff000054d6ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff000054d6ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff000054d6ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff000054d6ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250213043354.91368-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/geneve.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c +index 961cbd2b377d1..3e8b96de72a74 100644 +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -1872,16 +1872,11 @@ static void geneve_destroy_tunnels(struct net *net, struct list_head *head) + /* gather any geneve devices that were moved into this ns */ + for_each_netdev_safe(net, dev, aux) + if (dev->rtnl_link_ops == &geneve_link_ops) +- unregister_netdevice_queue(dev, head); ++ geneve_dellink(dev, head); + + /* now gather any other geneve devices that were created in this ns */ +- list_for_each_entry_safe(geneve, next, &gn->geneve_list, next) { +- /* If geneve->dev is in the same netns, it was already added +- * to the list by the previous loop. +- */ +- if (!net_eq(dev_net(geneve->dev), net)) +- unregister_netdevice_queue(geneve->dev, head); +- } ++ list_for_each_entry_safe(geneve, next, &gn->geneve_list, next) ++ geneve_dellink(geneve->dev, head); + } + + static void __net_exit geneve_exit_batch_net(struct list_head *net_list) +-- +2.39.5 + diff --git a/queue-5.4/geneve-suppress-list-corruption-splat-in-geneve_dest.patch b/queue-5.4/geneve-suppress-list-corruption-splat-in-geneve_dest.patch new file mode 100644 index 0000000000..e7d21feaea --- /dev/null +++ b/queue-5.4/geneve-suppress-list-corruption-splat-in-geneve_dest.patch @@ -0,0 +1,50 @@ +From 0e185ed1d30bcf1f6cb8721b7767b3c3ced9810f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 12:37:05 -0800 +Subject: geneve: Suppress list corruption splat in geneve_destroy_tunnels(). + +From: Kuniyuki Iwashima + +[ Upstream commit 62fab6eef61f245dc8797e3a6a5b890ef40e8628 ] + +As explained in the previous patch, iterating for_each_netdev() and +gn->geneve_list during ->exit_batch_rtnl() could trigger ->dellink() +twice for the same device. + +If CONFIG_DEBUG_LIST is enabled, we will see a list_del() corruption +splat in the 2nd call of geneve_dellink(). + +Let's remove for_each_netdev() in geneve_destroy_tunnels() and delegate +that part to default_device_exit_batch(). + +Fixes: 9593172d93b9 ("geneve: Fix use-after-free in geneve_find_dev().") +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250217203705.40342-3-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/geneve.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c +index 3e8b96de72a74..8fa466b879384 100644 +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -1867,14 +1867,7 @@ static void geneve_destroy_tunnels(struct net *net, struct list_head *head) + { + struct geneve_net *gn = net_generic(net, geneve_net_id); + struct geneve_dev *geneve, *next; +- struct net_device *dev, *aux; + +- /* gather any geneve devices that were moved into this ns */ +- for_each_netdev_safe(net, dev, aux) +- if (dev->rtnl_link_ops == &geneve_link_ops) +- geneve_dellink(dev, head); +- +- /* now gather any other geneve devices that were created in this ns */ + list_for_each_entry_safe(geneve, next, &gn->geneve_list, next) + geneve_dellink(geneve->dev, head); + } +-- +2.39.5 + diff --git a/queue-5.4/gtp-suppress-list-corruption-splat-in-gtp_net_exit_b.patch b/queue-5.4/gtp-suppress-list-corruption-splat-in-gtp_net_exit_b.patch new file mode 100644 index 0000000000..8c049b683b --- /dev/null +++ b/queue-5.4/gtp-suppress-list-corruption-splat-in-gtp_net_exit_b.patch @@ -0,0 +1,121 @@ +From 333f79277f25f36966146bbce7b7d4987604b1ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 12:37:04 -0800 +Subject: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). + +From: Kuniyuki Iwashima + +[ Upstream commit 4ccacf86491d33d2486b62d4d44864d7101b299d ] + +Brad Spengler reported the list_del() corruption splat in +gtp_net_exit_batch_rtnl(). [0] + +Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns +dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() +to destroy devices in each netns as done in geneve and ip tunnels. + +However, this could trigger ->dellink() twice for the same device during +->exit_batch_rtnl(). + +Say we have two netns A & B and gtp device B that resides in netns B but +whose UDP socket is in netns A. + + 1. cleanup_net() processes netns A and then B. + + 2. gtp_net_exit_batch_rtnl() finds the device B while iterating + netns A's gn->gtp_dev_list and calls ->dellink(). + + [ device B is not yet unlinked from netns B + as unregister_netdevice_many() has not been called. ] + + 3. gtp_net_exit_batch_rtnl() finds the device B while iterating + netns B's for_each_netdev() and calls ->dellink(). + +gtp_dellink() cleans up the device's hash table, unlinks the dev from +gn->gtp_dev_list, and calls unregister_netdevice_queue(). + +Basically, calling gtp_dellink() multiple times is fine unless +CONFIG_DEBUG_LIST is enabled. + +Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and +delegate the destruction to default_device_exit_batch() as done +in bareudp. + +[0]: +list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04) +kernel BUG at lib/list_debug.c:58! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1 +Tainted: [T]=RANDSTRUCT +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Workqueue: netns cleanup_net +RIP: 0010:[] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 +Code: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60 +RSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283 +RAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054 +RDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000 +RBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32 +R10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4 +R13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08 +RBX: kasan shadow of 0x0 +RCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554 +RDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 +RSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71 +RBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object] +RSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ] +R09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ] +R10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ] +R15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object] +FS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0 +Stack: + 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00 + ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005 + 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d +Call Trace: + + [] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28 + [] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28 + [] list_del include/linux/list.h:262 [inline] fffffe8040b4fc28 + [] gtp_dellink+0x16d/0x360 drivers/net/gtp.c:1557 fffffe8040b4fc28 + [] gtp_net_exit_batch_rtnl+0x124/0x2c0 drivers/net/gtp.c:2495 fffffe8040b4fc88 + [] cleanup_net+0x5a4/0xbe0 net/core/net_namespace.c:635 fffffe8040b4fcd0 + [] process_one_work+0xbd7/0x2160 kernel/workqueue.c:3326 fffffe8040b4fd88 + [] process_scheduled_works kernel/workqueue.c:3407 [inline] fffffe8040b4fec0 + [] worker_thread+0x6b5/0xfa0 kernel/workqueue.c:3488 fffffe8040b4fec0 + [] kthread+0x360/0x4c0 kernel/kthread.c:397 fffffe8040b4ff78 + [] ret_from_fork+0x74/0xe0 arch/x86/kernel/process.c:172 fffffe8040b4ffb8 + [] ret_from_fork_asm+0x29/0xc0 arch/x86/entry/entry_64.S:399 fffffe8040b4ffe8 + +Modules linked in: + +Fixes: eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") +Reported-by: Brad Spengler +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250217203705.40342-2-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 68698457add0a..fa43b0f26bfb1 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -1366,11 +1366,6 @@ static void __net_exit gtp_net_exit_batch_rtnl(struct list_head *net_list, + list_for_each_entry(net, net_list, exit_list) { + struct gtp_net *gn = net_generic(net, gtp_net_id); + struct gtp_dev *gtp, *gtp_next; +- struct net_device *dev; +- +- for_each_netdev(net, dev) +- if (dev->rtnl_link_ops == >p_link_ops) +- gtp_dellink(dev, dev_to_kill); + + list_for_each_entry_safe(gtp, gtp_next, &gn->gtp_dev_list, list) + gtp_dellink(gtp->dev, dev_to_kill); +-- +2.39.5 + diff --git a/queue-5.4/memcg-fix-soft-lockup-in-the-oom-process.patch b/queue-5.4/memcg-fix-soft-lockup-in-the-oom-process.patch new file mode 100644 index 0000000000..717ad099a8 --- /dev/null +++ b/queue-5.4/memcg-fix-soft-lockup-in-the-oom-process.patch @@ -0,0 +1,128 @@ +From 2f2854c7e7ed45eed5cff7ce55156939a86c9c40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Dec 2024 02:52:38 +0000 +Subject: memcg: fix soft lockup in the OOM process +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ridong + +[ Upstream commit ade81479c7dda1ce3eedb215c78bc615bbd04f06 ] + +A soft lockup issue was found in the product with about 56,000 tasks were +in the OOM cgroup, it was traversing them when the soft lockup was +triggered. + +watchdog: BUG: soft lockup - CPU#2 stuck for 23s! [VM Thread:1503066] +CPU: 2 PID: 1503066 Comm: VM Thread Kdump: loaded Tainted: G +Hardware name: Huawei Cloud OpenStack Nova, BIOS +RIP: 0010:console_unlock+0x343/0x540 +RSP: 0000:ffffb751447db9a0 EFLAGS: 00000247 ORIG_RAX: ffffffffffffff13 +RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffffffff +RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000247 +RBP: ffffffffafc71f90 R08: 0000000000000000 R09: 0000000000000040 +R10: 0000000000000080 R11: 0000000000000000 R12: ffffffffafc74bd0 +R13: ffffffffaf60a220 R14: 0000000000000247 R15: 0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f2fe6ad91f0 CR3: 00000004b2076003 CR4: 0000000000360ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + vprintk_emit+0x193/0x280 + printk+0x52/0x6e + dump_task+0x114/0x130 + mem_cgroup_scan_tasks+0x76/0x100 + dump_header+0x1fe/0x210 + oom_kill_process+0xd1/0x100 + out_of_memory+0x125/0x570 + mem_cgroup_out_of_memory+0xb5/0xd0 + try_charge+0x720/0x770 + mem_cgroup_try_charge+0x86/0x180 + mem_cgroup_try_charge_delay+0x1c/0x40 + do_anonymous_page+0xb5/0x390 + handle_mm_fault+0xc4/0x1f0 + +This is because thousands of processes are in the OOM cgroup, it takes a +long time to traverse all of them. As a result, this lead to soft lockup +in the OOM process. + +To fix this issue, call 'cond_resched' in the 'mem_cgroup_scan_tasks' +function per 1000 iterations. For global OOM, call +'touch_softlockup_watchdog' per 1000 iterations to avoid this issue. + +Link: https://lkml.kernel.org/r/20241224025238.3768787-1-chenridong@huaweicloud.com +Fixes: 9cbb78bb3143 ("mm, memcg: introduce own oom handler to iterate only over its own threads") +Signed-off-by: Chen Ridong +Acked-by: Michal Hocko +Cc: Roman Gushchin +Cc: Johannes Weiner +Cc: Shakeel Butt +Cc: Muchun Song +Cc: Michal Koutný +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + mm/memcontrol.c | 7 ++++++- + mm/oom_kill.c | 8 +++++++- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 5ac119509335d..6f5565553e5f0 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -1221,6 +1221,7 @@ int mem_cgroup_scan_tasks(struct mem_cgroup *memcg, + { + struct mem_cgroup *iter; + int ret = 0; ++ int i = 0; + + BUG_ON(memcg == root_mem_cgroup); + +@@ -1229,8 +1230,12 @@ int mem_cgroup_scan_tasks(struct mem_cgroup *memcg, + struct task_struct *task; + + css_task_iter_start(&iter->css, CSS_TASK_ITER_PROCS, &it); +- while (!ret && (task = css_task_iter_next(&it))) ++ while (!ret && (task = css_task_iter_next(&it))) { ++ /* Avoid potential softlockup warning */ ++ if ((++i & 1023) == 0) ++ cond_resched(); + ret = fn(task, arg); ++ } + css_task_iter_end(&it); + if (ret) { + mem_cgroup_iter_break(memcg, iter); +diff --git a/mm/oom_kill.c b/mm/oom_kill.c +index 42b546c7b74b5..a1a32864fdf80 100644 +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + + #include + #include "internal.h" +@@ -430,10 +431,15 @@ static void dump_tasks(struct oom_control *oc) + mem_cgroup_scan_tasks(oc->memcg, dump_task, oc); + else { + struct task_struct *p; ++ int i = 0; + + rcu_read_lock(); +- for_each_process(p) ++ for_each_process(p) { ++ /* Avoid potential softlockup warning */ ++ if ((++i & 1023) == 0) ++ touch_softlockup_watchdog(); + dump_task(p, oc); ++ } + rcu_read_unlock(); + } + } +-- +2.39.5 + diff --git a/queue-5.4/mm-update-mark_victim-tracepoints-fields.patch b/queue-5.4/mm-update-mark_victim-tracepoints-fields.patch new file mode 100644 index 0000000000..e1e227cb77 --- /dev/null +++ b/queue-5.4/mm-update-mark_victim-tracepoints-fields.patch @@ -0,0 +1,150 @@ +From e0a3abe688dded43f2e9eb3f8754f9029096ceb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 17:32:49 +0000 +Subject: mm: update mark_victim tracepoints fields +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Carlos Galo + +[ Upstream commit 72ba14deb40a9e9668ec5e66a341ed657e5215c2 ] + +The current implementation of the mark_victim tracepoint provides only the +process ID (pid) of the victim process. This limitation poses challenges +for userspace tools requiring real-time OOM analysis and intervention. +Although this information is available from the kernel logs, it’s not +the appropriate format to provide OOM notifications. In Android, BPF +programs are used with the mark_victim trace events to notify userspace of +an OOM kill. For consistency, update the trace event to include the same +information about the OOMed victim as the kernel logs. + +- UID + In Android each installed application has a unique UID. Including + the `uid` assists in correlating OOM events with specific apps. + +- Process Name (comm) + Enables identification of the affected process. + +- OOM Score + Will allow userspace to get additional insight of the relative kill + priority of the OOM victim. In Android, the oom_score_adj is used to + categorize app state (foreground, background, etc.), which aids in + analyzing user-perceptible impacts of OOM events [1]. + +- Total VM, RSS Stats, and pgtables + Amount of memory used by the victim that will, potentially, be freed up + by killing it. + +[1] https://cs.android.com/android/platform/superproject/main/+/246dc8fc95b6d93afcba5c6d6c133307abb3ac2e:frameworks/base/services/core/java/com/android/server/am/ProcessList.java;l=188-283 +Signed-off-by: Carlos Galo +Reviewed-by: Steven Rostedt +Cc: Suren Baghdasaryan +Cc: Michal Hocko +Cc: "Masami Hiramatsu (Google)" +Cc: Mathieu Desnoyers +Signed-off-by: Andrew Morton +Stable-dep-of: ade81479c7dd ("memcg: fix soft lockup in the OOM process") +Signed-off-by: Sasha Levin +--- + include/trace/events/oom.h | 36 ++++++++++++++++++++++++++++++++---- + mm/oom_kill.c | 6 +++++- + 2 files changed, 37 insertions(+), 5 deletions(-) + +diff --git a/include/trace/events/oom.h b/include/trace/events/oom.h +index 26a11e4a2c361..b799f3bcba823 100644 +--- a/include/trace/events/oom.h ++++ b/include/trace/events/oom.h +@@ -7,6 +7,8 @@ + #include + #include + ++#define PG_COUNT_TO_KB(x) ((x) << (PAGE_SHIFT - 10)) ++ + TRACE_EVENT(oom_score_adj_update, + + TP_PROTO(struct task_struct *task), +@@ -72,19 +74,45 @@ TRACE_EVENT(reclaim_retry_zone, + ); + + TRACE_EVENT(mark_victim, +- TP_PROTO(int pid), ++ TP_PROTO(struct task_struct *task, uid_t uid), + +- TP_ARGS(pid), ++ TP_ARGS(task, uid), + + TP_STRUCT__entry( + __field(int, pid) ++ __string(comm, task->comm) ++ __field(unsigned long, total_vm) ++ __field(unsigned long, anon_rss) ++ __field(unsigned long, file_rss) ++ __field(unsigned long, shmem_rss) ++ __field(uid_t, uid) ++ __field(unsigned long, pgtables) ++ __field(short, oom_score_adj) + ), + + TP_fast_assign( +- __entry->pid = pid; ++ __entry->pid = task->pid; ++ __assign_str(comm, task->comm); ++ __entry->total_vm = PG_COUNT_TO_KB(task->mm->total_vm); ++ __entry->anon_rss = PG_COUNT_TO_KB(get_mm_counter(task->mm, MM_ANONPAGES)); ++ __entry->file_rss = PG_COUNT_TO_KB(get_mm_counter(task->mm, MM_FILEPAGES)); ++ __entry->shmem_rss = PG_COUNT_TO_KB(get_mm_counter(task->mm, MM_SHMEMPAGES)); ++ __entry->uid = uid; ++ __entry->pgtables = mm_pgtables_bytes(task->mm) >> 10; ++ __entry->oom_score_adj = task->signal->oom_score_adj; + ), + +- TP_printk("pid=%d", __entry->pid) ++ TP_printk("pid=%d comm=%s total-vm=%lukB anon-rss=%lukB file-rss:%lukB shmem-rss:%lukB uid=%u pgtables=%lukB oom_score_adj=%hd", ++ __entry->pid, ++ __get_str(comm), ++ __entry->total_vm, ++ __entry->anon_rss, ++ __entry->file_rss, ++ __entry->shmem_rss, ++ __entry->uid, ++ __entry->pgtables, ++ __entry->oom_score_adj ++ ) + ); + + TRACE_EVENT(wake_reaper, +diff --git a/mm/oom_kill.c b/mm/oom_kill.c +index ee927ffeb718d..42b546c7b74b5 100644 +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -42,6 +42,7 @@ + #include + #include + #include ++#include + + #include + #include "internal.h" +@@ -721,6 +722,7 @@ static inline void queue_oom_reaper(struct task_struct *tsk) + */ + static void mark_oom_victim(struct task_struct *tsk) + { ++ const struct cred *cred; + struct mm_struct *mm = tsk->mm; + + WARN_ON(oom_killer_disabled); +@@ -742,7 +744,9 @@ static void mark_oom_victim(struct task_struct *tsk) + */ + __thaw_task(tsk); + atomic_inc(&oom_victims); +- trace_mark_victim(tsk->pid); ++ cred = get_task_cred(tsk); ++ trace_mark_victim(tsk, cred->uid.val); ++ put_cred(cred); + } + + /** +-- +2.39.5 + diff --git a/queue-5.4/net-extract-port-range-fields-from-fl_flow_key.patch b/queue-5.4/net-extract-port-range-fields-from-fl_flow_key.patch new file mode 100644 index 0000000000..c87eeab05e --- /dev/null +++ b/queue-5.4/net-extract-port-range-fields-from-fl_flow_key.patch @@ -0,0 +1,115 @@ +From b9df2cfbf7139ec29f7d293505ba50cfe2679c70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 18:09:07 +0300 +Subject: net: extract port range fields from fl_flow_key + +From: Maksym Glubokiy + +[ Upstream commit 83d85bb069152b790caad905fa53e6d50cd3734d ] + +So it can be used for port range filter offloading. + +Co-developed-by: Volodymyr Mytnyk +Signed-off-by: Volodymyr Mytnyk +Signed-off-by: Maksym Glubokiy +Signed-off-by: David S. Miller +Stable-dep-of: 3e5796862c69 ("flow_dissector: Fix handling of mixed port and port-range keys") +Signed-off-by: Sasha Levin +--- + include/net/flow_dissector.h | 16 ++++++++++++++++ + include/net/flow_offload.h | 6 ++++++ + net/core/flow_offload.c | 7 +++++++ + net/sched/cls_flower.c | 8 +------- + 4 files changed, 30 insertions(+), 7 deletions(-) + +diff --git a/include/net/flow_dissector.h b/include/net/flow_dissector.h +index 02171416c68eb..efd7987982a8c 100644 +--- a/include/net/flow_dissector.h ++++ b/include/net/flow_dissector.h +@@ -158,6 +158,22 @@ struct flow_dissector_key_ports { + }; + }; + ++/** ++ * struct flow_dissector_key_ports_range ++ * @tp: port number from packet ++ * @tp_min: min port number in range ++ * @tp_max: max port number in range ++ */ ++struct flow_dissector_key_ports_range { ++ union { ++ struct flow_dissector_key_ports tp; ++ struct { ++ struct flow_dissector_key_ports tp_min; ++ struct flow_dissector_key_ports tp_max; ++ }; ++ }; ++}; ++ + /** + * flow_dissector_key_icmp: + * @ports: type and code of ICMP header +diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h +index c6f7bd22db609..dc4274dcdec7f 100644 +--- a/include/net/flow_offload.h ++++ b/include/net/flow_offload.h +@@ -48,6 +48,10 @@ struct flow_match_ports { + struct flow_dissector_key_ports *key, *mask; + }; + ++struct flow_match_ports_range { ++ struct flow_dissector_key_ports_range *key, *mask; ++}; ++ + struct flow_match_icmp { + struct flow_dissector_key_icmp *key, *mask; + }; +@@ -90,6 +94,8 @@ void flow_rule_match_ip(const struct flow_rule *rule, + struct flow_match_ip *out); + void flow_rule_match_ports(const struct flow_rule *rule, + struct flow_match_ports *out); ++void flow_rule_match_ports_range(const struct flow_rule *rule, ++ struct flow_match_ports_range *out); + void flow_rule_match_tcp(const struct flow_rule *rule, + struct flow_match_tcp *out); + void flow_rule_match_icmp(const struct flow_rule *rule, +diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c +index 45b6a59ac1243..3d54eca5960dc 100644 +--- a/net/core/flow_offload.c ++++ b/net/core/flow_offload.c +@@ -97,6 +97,13 @@ void flow_rule_match_ports(const struct flow_rule *rule, + } + EXPORT_SYMBOL(flow_rule_match_ports); + ++void flow_rule_match_ports_range(const struct flow_rule *rule, ++ struct flow_match_ports_range *out) ++{ ++ FLOW_DISSECTOR_MATCH(rule, FLOW_DISSECTOR_KEY_PORTS_RANGE, out); ++} ++EXPORT_SYMBOL(flow_rule_match_ports_range); ++ + void flow_rule_match_tcp(const struct flow_rule *rule, + struct flow_match_tcp *out) + { +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index c92318f68f92d..803107b30814e 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -54,13 +54,7 @@ struct fl_flow_key { + struct flow_dissector_key_ip ip; + struct flow_dissector_key_ip enc_ip; + struct flow_dissector_key_enc_opts enc_opts; +- union { +- struct flow_dissector_key_ports tp; +- struct { +- struct flow_dissector_key_ports tp_min; +- struct flow_dissector_key_ports tp_max; +- }; +- } tp_range; ++ struct flow_dissector_key_ports_range tp_range; + struct flow_dissector_key_ct ct; + } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */ + +-- +2.39.5 + diff --git a/queue-5.4/powerpc-64s-mm-move-__real_pte-stubs-into-hash-4k.h.patch b/queue-5.4/powerpc-64s-mm-move-__real_pte-stubs-into-hash-4k.h.patch new file mode 100644 index 0000000000..081c6e3c5a --- /dev/null +++ b/queue-5.4/powerpc-64s-mm-move-__real_pte-stubs-into-hash-4k.h.patch @@ -0,0 +1,92 @@ +From 2a8cfcd3c35d9c785357f41c0522367f6aed7e40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 18:07:29 +1000 +Subject: powerpc/64s/mm: Move __real_pte stubs into hash-4k.h + +From: Michael Ellerman + +[ Upstream commit 8ae4f16f7d7b59cca55aeca6db7c9636ffe7fbaa ] + +The stub versions of __real_pte() etc are only used with HPT & 4K pages, +so move them into the hash-4k.h header. + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240821080729.872034-1-mpe@ellerman.id.au +Stable-dep-of: 61bcc752d1b8 ("powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline") +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/book3s/64/hash-4k.h | 20 +++++++++++++++ + arch/powerpc/include/asm/book3s/64/pgtable.h | 26 -------------------- + 2 files changed, 20 insertions(+), 26 deletions(-) + +diff --git a/arch/powerpc/include/asm/book3s/64/hash-4k.h b/arch/powerpc/include/asm/book3s/64/hash-4k.h +index 80c9534148821..3e35a7d7dfbaf 100644 +--- a/arch/powerpc/include/asm/book3s/64/hash-4k.h ++++ b/arch/powerpc/include/asm/book3s/64/hash-4k.h +@@ -83,6 +83,26 @@ static inline int hash__hugepd_ok(hugepd_t hpd) + } + #endif + ++/* ++ * With 4K page size the real_pte machinery is all nops. ++ */ ++#define __real_pte(e, p, o) ((real_pte_t){(e)}) ++#define __rpte_to_pte(r) ((r).pte) ++#define __rpte_to_hidx(r,index) (pte_val(__rpte_to_pte(r)) >> H_PAGE_F_GIX_SHIFT) ++ ++#define pte_iterate_hashed_subpages(rpte, psize, va, index, shift) \ ++ do { \ ++ index = 0; \ ++ shift = mmu_psize_defs[psize].shift; \ ++ ++#define pte_iterate_hashed_end() } while(0) ++ ++/* ++ * We expect this to be called only for user addresses or kernel virtual ++ * addresses other than the linear mapping. ++ */ ++#define pte_pagesize_index(mm, addr, pte) MMU_PAGE_4K ++ + /* + * 4K PTE format is different from 64K PTE format. Saving the hash_slot is just + * a matter of returning the PTE bits that need to be modified. On 64K PTE, +diff --git a/arch/powerpc/include/asm/book3s/64/pgtable.h b/arch/powerpc/include/asm/book3s/64/pgtable.h +index e1eb8aa9cfbbb..712bba181359b 100644 +--- a/arch/powerpc/include/asm/book3s/64/pgtable.h ++++ b/arch/powerpc/include/asm/book3s/64/pgtable.h +@@ -324,32 +324,6 @@ extern unsigned long pci_io_base; + + #ifndef __ASSEMBLY__ + +-/* +- * This is the default implementation of various PTE accessors, it's +- * used in all cases except Book3S with 64K pages where we have a +- * concept of sub-pages +- */ +-#ifndef __real_pte +- +-#define __real_pte(e, p, o) ((real_pte_t){(e)}) +-#define __rpte_to_pte(r) ((r).pte) +-#define __rpte_to_hidx(r,index) (pte_val(__rpte_to_pte(r)) >> H_PAGE_F_GIX_SHIFT) +- +-#define pte_iterate_hashed_subpages(rpte, psize, va, index, shift) \ +- do { \ +- index = 0; \ +- shift = mmu_psize_defs[psize].shift; \ +- +-#define pte_iterate_hashed_end() } while(0) +- +-/* +- * We expect this to be called only for user addresses or kernel virtual +- * addresses other than the linear mapping. +- */ +-#define pte_pagesize_index(mm, addr, pte) MMU_PAGE_4K +- +-#endif /* __real_pte */ +- + static inline unsigned long pte_update(struct mm_struct *mm, unsigned long addr, + pte_t *ptep, unsigned long clr, + unsigned long set, int huge) +-- +2.39.5 + diff --git a/queue-5.4/powerpc-64s-rewrite-__real_pte-and-__rpte_to_hidx-as.patch b/queue-5.4/powerpc-64s-rewrite-__real_pte-and-__rpte_to_hidx-as.patch new file mode 100644 index 0000000000..c110e37c33 --- /dev/null +++ b/queue-5.4/powerpc-64s-rewrite-__real_pte-and-__rpte_to_hidx-as.patch @@ -0,0 +1,64 @@ +From 6ebb6652cfb88811d0329bd72547bb22dc5f7356 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jan 2025 19:24:46 +0100 +Subject: powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static + inline + +From: Christophe Leroy + +[ Upstream commit 61bcc752d1b81fde3cae454ff20c1d3c359df500 ] + +Rewrite __real_pte() and __rpte_to_hidx() as static inline in order to +avoid following warnings/errors when building with 4k page size: + + CC arch/powerpc/mm/book3s64/hash_tlb.o + arch/powerpc/mm/book3s64/hash_tlb.c: In function 'hpte_need_flush': + arch/powerpc/mm/book3s64/hash_tlb.c:49:16: error: variable 'offset' set but not used [-Werror=unused-but-set-variable] + 49 | int i, offset; + | ^~~~~~ + + CC arch/powerpc/mm/book3s64/hash_native.o + arch/powerpc/mm/book3s64/hash_native.c: In function 'native_flush_hash_range': + arch/powerpc/mm/book3s64/hash_native.c:782:29: error: variable 'index' set but not used [-Werror=unused-but-set-variable] + 782 | unsigned long hash, index, hidx, shift, slot; + | ^~~~~ + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202501081741.AYFwybsq-lkp@intel.com/ +Fixes: ff31e105464d ("powerpc/mm/hash64: Store the slot information at the right offset for hugetlb") +Signed-off-by: Christophe Leroy +Reviewed-by: Ritesh Harjani (IBM) +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/e0d340a5b7bd478ecbf245d826e6ab2778b74e06.1736706263.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/book3s/64/hash-4k.h | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/include/asm/book3s/64/hash-4k.h b/arch/powerpc/include/asm/book3s/64/hash-4k.h +index 3e35a7d7dfbaf..864743b46f45a 100644 +--- a/arch/powerpc/include/asm/book3s/64/hash-4k.h ++++ b/arch/powerpc/include/asm/book3s/64/hash-4k.h +@@ -86,9 +86,17 @@ static inline int hash__hugepd_ok(hugepd_t hpd) + /* + * With 4K page size the real_pte machinery is all nops. + */ +-#define __real_pte(e, p, o) ((real_pte_t){(e)}) ++static inline real_pte_t __real_pte(pte_t pte, pte_t *ptep, int offset) ++{ ++ return (real_pte_t){pte}; ++} ++ + #define __rpte_to_pte(r) ((r).pte) +-#define __rpte_to_hidx(r,index) (pte_val(__rpte_to_pte(r)) >> H_PAGE_F_GIX_SHIFT) ++ ++static inline unsigned long __rpte_to_hidx(real_pte_t rpte, unsigned long index) ++{ ++ return pte_val(__rpte_to_pte(rpte)) >> H_PAGE_F_GIX_SHIFT; ++} + + #define pte_iterate_hashed_subpages(rpte, psize, va, index, shift) \ + do { \ +-- +2.39.5 + diff --git a/queue-5.4/powerpc-code-patching-fix-kasan-hit-by-not-flagging-.patch b/queue-5.4/powerpc-code-patching-fix-kasan-hit-by-not-flagging-.patch new file mode 100644 index 0000000000..07c973045b --- /dev/null +++ b/queue-5.4/powerpc-code-patching-fix-kasan-hit-by-not-flagging-.patch @@ -0,0 +1,112 @@ +From 39a1bad10afa8f3c014f17c569d6e26edf9356f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 07:46:28 +0100 +Subject: powerpc/code-patching: Fix KASAN hit by not flagging text patching + area as VM_ALLOC + +From: Christophe Leroy + +[ Upstream commit d262a192d38e527faa5984629aabda2e0d1c4f54 ] + +Erhard reported the following KASAN hit while booting his PowerMac G4 +with a KASAN-enabled kernel 6.13-rc6: + + BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 + Write of size 8 at addr f1000000 by task chronyd/1293 + + CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 + Tainted: [W]=WARN + Hardware name: PowerMac3,6 7455 0x80010303 PowerMac + Call Trace: + [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable) + [c24375b0] [c0504998] print_report+0xdc/0x504 + [c2437610] [c050475c] kasan_report+0xf8/0x108 + [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c + [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8 + [c24376c0] [c004c014] patch_instructions+0x15c/0x16c + [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c + [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac + [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec + [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478 + [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14 + [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4 + [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890 + [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420 + [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c + --- interrupt: c00 at 0x5a1274 + NIP: 005a1274 LR: 006a3b3c CTR: 005296c8 + REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4) + MSR: 0200f932 CR: 24004422 XER: 00000000 + + GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932 + GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57 + GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002 + GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001 + NIP [005a1274] 0x5a1274 + LR [006a3b3c] 0x6a3b3c + --- interrupt: c00 + + The buggy address belongs to the virtual mapping at + [f1000000, f1002000) created by: + text_area_cpu_up+0x20/0x190 + + The buggy address belongs to the physical page: + page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30 + flags: 0x80000000(zone=2) + raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001 + raw: 00000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ^ + f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ================================================================== + +f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not +initialised hence not supposed to be used yet. + +Powerpc text patching infrastructure allocates a virtual memory area +using get_vm_area() and flags it as VM_ALLOC. But that flag is meant +to be used for vmalloc() and vmalloc() allocated memory is not +supposed to be used before a call to __vmalloc_node_range() which is +never called for that area. + +That went undetected until commit e4137f08816b ("mm, kasan, kmsan: +instrument copy_from/to_kernel_nofault") + +The area allocated by text_area_cpu_up() is not vmalloc memory, it is +mapped directly on demand when needed by map_kernel_page(). There is +no VM flag corresponding to such usage, so just pass no flag. That way +the area will be unpoisonned and usable immediately. + +Reported-by: Erhard Furtner +Closes: https://lore.kernel.org/all/20250112135832.57c92322@yea/ +Fixes: 37bc3e5fd764 ("powerpc/lib/code-patching: Use alternate map for patch_instruction()") +Signed-off-by: Christophe Leroy +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/06621423da339b374f48c0886e3a5db18e896be8.1739342693.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/lib/code-patching.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/lib/code-patching.c b/arch/powerpc/lib/code-patching.c +index a05f289e613ed..f1eab35bab603 100644 +--- a/arch/powerpc/lib/code-patching.c ++++ b/arch/powerpc/lib/code-patching.c +@@ -45,7 +45,7 @@ static int text_area_cpu_up(unsigned int cpu) + { + struct vm_struct *area; + +- area = get_vm_area(PAGE_SIZE, VM_ALLOC); ++ area = get_vm_area(PAGE_SIZE, 0); + if (!area) { + WARN_ONCE(1, "Failed to create text area for cpu %d\n", + cpu); +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index 83210db7f9..22e175a52b 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -217,3 +217,26 @@ vlan-introduce-vlan_dev_free_egress_priority.patch vlan-move-dev_put-into-vlan_dev_uninit.patch scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch driver-core-bus-fix-double-free-in-driver-api-bus_register.patch +crypto-testmgr-fix-wrong-key-length-for-pkcs1pad.patch +crypto-testmgr-fix-wrong-test-case-of-rsa.patch +crypto-testmgr-fix-version-number-of-rsa-tests.patch +crypto-testmgr-populate-rsa-crt-parameters-in-rsa-te.patch +crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch +mm-update-mark_victim-tracepoints-fields.patch +memcg-fix-soft-lockup-in-the-oom-process.patch +usb-dwc3-increase-dwc3-controller-halt-timeout.patch +usb-dwc3-fix-timeout-issue-during-controller-enter-e.patch +usb-gadget-f_midi-convert-tasklets-to-use-new-taskle.patch +usb-gadget-f_midi-replace-tasklet-with-work.patch +usb-gadget-f_midi-f_midi_complete-to-call-queue_work.patch +powerpc-64s-mm-move-__real_pte-stubs-into-hash-4k.h.patch +powerpc-64s-rewrite-__real_pte-and-__rpte_to_hidx-as.patch +alsa-hda-realtek-add-type-for-alc287.patch +alsa-hda-realtek-fixup-alc225-depop-procedure.patch +powerpc-code-patching-fix-kasan-hit-by-not-flagging-.patch +geneve-fix-use-after-free-in-geneve_find_dev.patch +gtp-suppress-list-corruption-splat-in-gtp_net_exit_b.patch +geneve-suppress-list-corruption-splat-in-geneve_dest.patch +net-extract-port-range-fields-from-fl_flow_key.patch +flow_dissector-fix-handling-of-mixed-port-and-port-r.patch +flow_dissector-fix-port-range-key-handling-in-bpf-co.patch diff --git a/queue-5.4/usb-dwc3-fix-timeout-issue-during-controller-enter-e.patch b/queue-5.4/usb-dwc3-fix-timeout-issue-during-controller-enter-e.patch new file mode 100644 index 0000000000..8f947d84c6 --- /dev/null +++ b/queue-5.4/usb-dwc3-fix-timeout-issue-during-controller-enter-e.patch @@ -0,0 +1,98 @@ +From 924d7750c49917c0699ffa0c3e563c00531d34af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Feb 2025 22:09:02 +0530 +Subject: usb: dwc3: Fix timeout issue during controller enter/exit from halt + state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Selvarasu Ganesan + +[ Upstream commit d3a8c28426fc1fb3252753a9f1db0d691ffc21b0 ] + +There is a frequent timeout during controller enter/exit from halt state +after toggling the run_stop bit by SW. This timeout occurs when +performing frequent role switches between host and device, causing +device enumeration issues due to the timeout. This issue was not present +when USB2 suspend PHY was disabled by passing the SNPS quirks +(snps,dis_u2_susphy_quirk and snps,dis_enblslpm_quirk) from the DTS. +However, there is a requirement to enable USB2 suspend PHY by setting of +GUSB2PHYCFG.ENBLSLPM and GUSB2PHYCFG.SUSPHY bits when controller starts +in gadget or host mode results in the timeout issue. + +This commit addresses this timeout issue by ensuring that the bits +GUSB2PHYCFG.ENBLSLPM and GUSB2PHYCFG.SUSPHY are cleared before starting +the dwc3_gadget_run_stop sequence and restoring them after the +dwc3_gadget_run_stop sequence is completed. + +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: stable +Signed-off-by: Selvarasu Ganesan +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250201163903.459-1-selvarasu.g@samsung.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index f9232c099f494..fd8b986794d0d 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1967,10 +1967,38 @@ static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend) + { + u32 reg; + u32 timeout = 2000; ++ u32 saved_config = 0; + + if (pm_runtime_suspended(dwc->dev)) + return 0; + ++ /* ++ * When operating in USB 2.0 speeds (HS/FS), ensure that ++ * GUSB2PHYCFG.ENBLSLPM and GUSB2PHYCFG.SUSPHY are cleared before starting ++ * or stopping the controller. This resolves timeout issues that occur ++ * during frequent role switches between host and device modes. ++ * ++ * Save and clear these settings, then restore them after completing the ++ * controller start or stop sequence. ++ * ++ * This solution was discovered through experimentation as it is not ++ * mentioned in the dwc3 programming guide. It has been tested on an ++ * Exynos platforms. ++ */ ++ reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)); ++ if (reg & DWC3_GUSB2PHYCFG_SUSPHY) { ++ saved_config |= DWC3_GUSB2PHYCFG_SUSPHY; ++ reg &= ~DWC3_GUSB2PHYCFG_SUSPHY; ++ } ++ ++ if (reg & DWC3_GUSB2PHYCFG_ENBLSLPM) { ++ saved_config |= DWC3_GUSB2PHYCFG_ENBLSLPM; ++ reg &= ~DWC3_GUSB2PHYCFG_ENBLSLPM; ++ } ++ ++ if (saved_config) ++ dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); ++ + reg = dwc3_readl(dwc->regs, DWC3_DCTL); + if (is_on) { + if (dwc->revision <= DWC3_REVISION_187A) { +@@ -2003,6 +2031,12 @@ static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend) + reg &= DWC3_DSTS_DEVCTRLHLT; + } while (--timeout && !(!is_on ^ !reg)); + ++ if (saved_config) { ++ reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)); ++ reg |= saved_config; ++ dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); ++ } ++ + if (!timeout) + return -ETIMEDOUT; + +-- +2.39.5 + diff --git a/queue-5.4/usb-dwc3-increase-dwc3-controller-halt-timeout.patch b/queue-5.4/usb-dwc3-increase-dwc3-controller-halt-timeout.patch new file mode 100644 index 0000000000..8825a21505 --- /dev/null +++ b/queue-5.4/usb-dwc3-increase-dwc3-controller-halt-timeout.patch @@ -0,0 +1,47 @@ +From 9fee28e325247cfef1b7cdd40366be4d2ee4c11c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 12:36:23 -0700 +Subject: usb: dwc3: Increase DWC3 controller halt timeout + +From: Wesley Cheng + +[ Upstream commit 461ee467507cb98a348fa91ff8460908bb0ea423 ] + +Since EP0 transactions need to be completed before the controller halt +sequence is finished, this may take some time depending on the host and the +enabled functions. Increase the controller halt timeout, so that we give +the controller sufficient time to handle EP0 transfers. + +Signed-off-by: Wesley Cheng +Link: https://lore.kernel.org/r/20220901193625.8727-4-quic_wcheng@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: d3a8c28426fc ("usb: dwc3: Fix timeout issue during controller enter/exit from halt state") +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 6caedef5575d7..f9232c099f494 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1966,7 +1966,7 @@ static void dwc3_stop_active_transfers(struct dwc3 *dwc) + static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend) + { + u32 reg; +- u32 timeout = 500; ++ u32 timeout = 2000; + + if (pm_runtime_suspended(dwc->dev)) + return 0; +@@ -1998,6 +1998,7 @@ static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend) + dwc3_writel(dwc->regs, DWC3_DCTL, reg); + + do { ++ usleep_range(1000, 2000); + reg = dwc3_readl(dwc->regs, DWC3_DSTS); + reg &= DWC3_DSTS_DEVCTRLHLT; + } while (--timeout && !(!is_on ^ !reg)); +-- +2.39.5 + diff --git a/queue-5.4/usb-gadget-f_midi-convert-tasklets-to-use-new-taskle.patch b/queue-5.4/usb-gadget-f_midi-convert-tasklets-to-use-new-taskle.patch new file mode 100644 index 0000000000..e2819a0212 --- /dev/null +++ b/queue-5.4/usb-gadget-f_midi-convert-tasklets-to-use-new-taskle.patch @@ -0,0 +1,52 @@ +From e43373c965ec60d7adda4e724a9175acd7aa2868 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 14:32:06 +0530 +Subject: usb/gadget: f_midi: convert tasklets to use new tasklet_setup() API + +From: Allen Pais + +[ Upstream commit 6148c10f6b62a6df782d26522921f70cc8bf1d7f ] + +In preparation for unconditionally passing the +struct tasklet_struct pointer to all tasklet +callbacks, switch to using the new tasklet_setup() +and from_tasklet() to pass the tasklet pointer explicitly. + +Signed-off-by: Romain Perier +Signed-off-by: Allen Pais +Link: https://lore.kernel.org/r/20200817090209.26351-5-allen.cryptic@gmail.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 4ab37fcb4283 ("USB: gadget: f_midi: f_midi_complete to call queue_work") +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_midi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c +index 54a09da8a7384..71aeaa2302edd 100644 +--- a/drivers/usb/gadget/function/f_midi.c ++++ b/drivers/usb/gadget/function/f_midi.c +@@ -698,9 +698,9 @@ static void f_midi_transmit(struct f_midi *midi) + f_midi_drop_out_substreams(midi); + } + +-static void f_midi_in_tasklet(unsigned long data) ++static void f_midi_in_tasklet(struct tasklet_struct *t) + { +- struct f_midi *midi = (struct f_midi *) data; ++ struct f_midi *midi = from_tasklet(midi, t, tasklet); + f_midi_transmit(midi); + } + +@@ -875,7 +875,7 @@ static int f_midi_bind(struct usb_configuration *c, struct usb_function *f) + int status, n, jack = 1, i = 0, endpoint_descriptor_index = 0; + + midi->gadget = cdev->gadget; +- tasklet_init(&midi->tasklet, f_midi_in_tasklet, (unsigned long) midi); ++ tasklet_setup(&midi->tasklet, f_midi_in_tasklet); + status = f_midi_register_card(midi); + if (status < 0) + goto fail_register; +-- +2.39.5 + diff --git a/queue-5.4/usb-gadget-f_midi-f_midi_complete-to-call-queue_work.patch b/queue-5.4/usb-gadget-f_midi-f_midi_complete-to-call-queue_work.patch new file mode 100644 index 0000000000..7455d66e06 --- /dev/null +++ b/queue-5.4/usb-gadget-f_midi-f_midi_complete-to-call-queue_work.patch @@ -0,0 +1,42 @@ +From 0b77160d9a3f3e7e930bf0209139d711b1d8f20f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 10:48:05 -0700 +Subject: USB: gadget: f_midi: f_midi_complete to call queue_work + +From: Jill Donahue + +[ Upstream commit 4ab37fcb42832cdd3e9d5e50653285ca84d6686f ] + +When using USB MIDI, a lock is attempted to be acquired twice through a +re-entrant call to f_midi_transmit, causing a deadlock. + +Fix it by using queue_work() to schedule the inner f_midi_transmit() via +a high priority work queue from the completion handler. + +Link: https://lore.kernel.org/all/CAArt=LjxU0fUZOj06X+5tkeGT+6RbXzpWg1h4t4Fwa_KGVAX6g@mail.gmail.com/ +Fixes: d5daf49b58661 ("USB: gadget: midi: add midi function driver") +Cc: stable +Signed-off-by: Jill Donahue +Link: https://lore.kernel.org/r/20250211174805.1369265-1-jdonahue@fender.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_midi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c +index 01c5736d381ef..3e8ea1bbe429a 100644 +--- a/drivers/usb/gadget/function/f_midi.c ++++ b/drivers/usb/gadget/function/f_midi.c +@@ -282,7 +282,7 @@ f_midi_complete(struct usb_ep *ep, struct usb_request *req) + /* Our transmit completed. See if there's more to go. + * f_midi_transmit eats req, don't queue it again. */ + req->length = 0; +- f_midi_transmit(midi); ++ queue_work(system_highpri_wq, &midi->work); + return; + } + break; +-- +2.39.5 + diff --git a/queue-5.4/usb-gadget-f_midi-replace-tasklet-with-work.patch b/queue-5.4/usb-gadget-f_midi-replace-tasklet-with-work.patch new file mode 100644 index 0000000000..fe0737f4d3 --- /dev/null +++ b/queue-5.4/usb-gadget-f_midi-replace-tasklet-with-work.patch @@ -0,0 +1,81 @@ +From 2da9d545c53c48d6a441242a8de0f88efc2238af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Jan 2021 20:28:55 -0800 +Subject: usb/gadget: f_midi: Replace tasklet with work + +From: Davidlohr Bueso + +[ Upstream commit 8653d71ce3763aedcf3d2331f59beda3fecd79e4 ] + +Currently a tasklet is used to transmit input substream buffer +data. However, tasklets have long been deprecated as being too +heavy on the system by running in irq context - and this is not +a performance critical path. If a higher priority process wants +to run, it must wait for the tasklet to finish before doing so. + +Deferring work to a workqueue and executing in process context +should be fine considering the callback already does +f_midi_do_transmit() under the transmit_lock and thus changes in +semantics are ok regarding concurrency - tasklets being serialized +against itself. + +Cc: Takashi Iwai +Reviewed-by: Takashi Iwai +Acked-by: Felipe Balbi +Signed-off-by: Davidlohr Bueso +Link: https://lore.kernel.org/r/20210111042855.73289-1-dave@stgolabs.net +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 4ab37fcb4283 ("USB: gadget: f_midi: f_midi_complete to call queue_work") +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_midi.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c +index 71aeaa2302edd..01c5736d381ef 100644 +--- a/drivers/usb/gadget/function/f_midi.c ++++ b/drivers/usb/gadget/function/f_midi.c +@@ -87,7 +87,7 @@ struct f_midi { + struct snd_rawmidi_substream *out_substream[MAX_PORTS]; + + unsigned long out_triggered; +- struct tasklet_struct tasklet; ++ struct work_struct work; + unsigned int in_ports; + unsigned int out_ports; + int index; +@@ -698,9 +698,11 @@ static void f_midi_transmit(struct f_midi *midi) + f_midi_drop_out_substreams(midi); + } + +-static void f_midi_in_tasklet(struct tasklet_struct *t) ++static void f_midi_in_work(struct work_struct *work) + { +- struct f_midi *midi = from_tasklet(midi, t, tasklet); ++ struct f_midi *midi; ++ ++ midi = container_of(work, struct f_midi, work); + f_midi_transmit(midi); + } + +@@ -737,7 +739,7 @@ static void f_midi_in_trigger(struct snd_rawmidi_substream *substream, int up) + VDBG(midi, "%s() %d\n", __func__, up); + midi->in_ports_array[substream->number].active = up; + if (up) +- tasklet_hi_schedule(&midi->tasklet); ++ queue_work(system_highpri_wq, &midi->work); + } + + static int f_midi_out_open(struct snd_rawmidi_substream *substream) +@@ -875,7 +877,7 @@ static int f_midi_bind(struct usb_configuration *c, struct usb_function *f) + int status, n, jack = 1, i = 0, endpoint_descriptor_index = 0; + + midi->gadget = cdev->gadget; +- tasklet_setup(&midi->tasklet, f_midi_in_tasklet); ++ INIT_WORK(&midi->work, f_midi_in_work); + status = f_midi_register_card(midi); + if (status < 0) + goto fail_register; +-- +2.39.5 +