From: Sasha Levin
Date: Sun, 19 Mar 2023 12:04:24 +0000 (-0400)
Subject: Fixes for 5.4
X-Git-Tag: v4.14.311~65
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=78a2509ccf1eb810b532ab9c442de2becf30c752;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 5.4
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.4/alsa-hda-add-alderlake-s-pci-id-and-hdmi-codec-vid.patch b/queue-5.4/alsa-hda-add-alderlake-s-pci-id-and-hdmi-codec-vid.patch
new file mode 100644
index 00000000000..58ffd9cc0de
--- /dev/null
+++ b/queue-5.4/alsa-hda-add-alderlake-s-pci-id-and-hdmi-codec-vid.patch
@@ -0,0 +1,52 @@
+From d501e1c90455417071987959b9456f48ec90c763 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Nov 2020 16:19:55 +0200
+Subject: ALSA: hda: Add Alderlake-S PCI ID and HDMI codec vid
+
+From: Kai Vehmanen
+
+[ Upstream commit d78359b25f7c6759a23189145be8141b6fdfe385 ]
+
+Add HD Audio PCI ID and HDMI codec vendor ID for Intel Alder Lake.
+
+Signed-off-by: Kai Vehmanen
+Reviewed-by: Pierre-Louis Bossart
+Reviewed-by: Guennadi Liakhovetski
+Link: https://lore.kernel.org/r/20201116141955.2091240-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Takashi Iwai
+Stable-dep-of: ff447886e675 ("ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()")
+Signed-off-by: Sasha Levin
+---
+ sound/pci/hda/hda_intel.c | 3 +++
+ sound/pci/hda/patch_hdmi.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 6a44ad513a965..bc70a6ca18d0d 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2505,6 +2505,9 @@ static const struct pci_device_id azx_ids[] = {
+ /* DG1 */
+ { PCI_DEVICE(0x8086, 0x490d),
+ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
++ /* Alderlake-S */
++ { PCI_DEVICE(0x8086, 0x7ad0),
++ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+ /* Elkhart Lake */
+ { PCI_DEVICE(0x8086, 0x4b55),
+ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index bfa11073d9624..5ee3ae267cf3b 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -4221,6 +4221,7 @@ HDA_CODEC_ENTRY(0x8086280d, "Geminilake HDMI", patch_i915_glk_hdmi),
+ HDA_CODEC_ENTRY(0x8086280f, "Icelake HDMI", patch_i915_icl_hdmi),
+ HDA_CODEC_ENTRY(0x80862812, "Tigerlake HDMI", patch_i915_tgl_hdmi),
+ HDA_CODEC_ENTRY(0x80862814, "DG1 HDMI", patch_i915_tgl_hdmi),
++HDA_CODEC_ENTRY(0x80862815, "Alderlake HDMI", patch_i915_tgl_hdmi),
+ HDA_CODEC_ENTRY(0x80862816, "Rocketlake HDMI", patch_i915_tgl_hdmi),
+ HDA_CODEC_ENTRY(0x8086281a, "Jasperlake HDMI", patch_i915_icl_hdmi),
+ HDA_CODEC_ENTRY(0x80862880, "CedarTrail HDMI", patch_generic_hdmi),
+-- 
+2.39.2
+
diff --git a/queue-5.4/alsa-hda-add-intel-dg1-pci-and-hdmi-ids.patch b/queue-5.4/alsa-hda-add-intel-dg1-pci-and-hdmi-ids.patch
new file mode 100644
index 00000000000..05ae4a97229
--- /dev/null
+++ b/queue-5.4/alsa-hda-add-intel-dg1-pci-and-hdmi-ids.patch
@@ -0,0 +1,51 @@
+From 1e500a1c66730370d3af6b6d8ff4173b27ae59c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Sep 2020 17:17:38 +0300
+Subject: ALSA: hda - add Intel DG1 PCI and HDMI ids
+
+From: Kai Vehmanen
+
+[ Upstream commit 69b08bdfa8181bc7babd7d81c93dc60142c4bfd3 ]
+
+Add Intel DG1 PCI id to list of supported HDA controllers and
+add its HDMI id as well.
+
+Signed-off-by: Kai Vehmanen
+Link: https://lore.kernel.org/r/20200921141741.2983072-2-kai.vehmanen@linux.intel.com
+Signed-off-by: Takashi Iwai
+Stable-dep-of: ff447886e675 ("ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()")
+Signed-off-by: Sasha Levin
+---
+ sound/pci/hda/hda_intel.c | 3 +++
+ sound/pci/hda/patch_hdmi.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index e387e8db65d22..c0b8844a2d5bd 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2501,6 +2501,9 @@ static const struct pci_device_id azx_ids[] = {
+ /* Tigerlake-H */
+ { PCI_DEVICE(0x8086, 0x43c8),
+ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
++ /* DG1 */
++ { PCI_DEVICE(0x8086, 0x490d),
++ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+ /* Elkhart Lake */
+ { PCI_DEVICE(0x8086, 0x4b55),
+ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index 54c67d8b7b493..bfa11073d9624 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -4220,6 +4220,7 @@ HDA_CODEC_ENTRY(0x8086280c, "Cannonlake HDMI", patch_i915_glk_hdmi),
+ HDA_CODEC_ENTRY(0x8086280d, "Geminilake HDMI", patch_i915_glk_hdmi),
+ HDA_CODEC_ENTRY(0x8086280f, "Icelake HDMI", patch_i915_icl_hdmi),
+ HDA_CODEC_ENTRY(0x80862812, "Tigerlake HDMI", patch_i915_tgl_hdmi),
++HDA_CODEC_ENTRY(0x80862814, "DG1 HDMI", patch_i915_tgl_hdmi),
+ HDA_CODEC_ENTRY(0x80862816, "Rocketlake HDMI", patch_i915_tgl_hdmi),
+ HDA_CODEC_ENTRY(0x8086281a, "Jasperlake HDMI", patch_i915_icl_hdmi),
+ HDA_CODEC_ENTRY(0x80862880, "CedarTrail HDMI", patch_generic_hdmi),
+-- 
+2.39.2
+
diff --git a/queue-5.4/alsa-hda-add-intel-dg2-pci-id-and-hdmi-codec-vid.patch b/queue-5.4/alsa-hda-add-intel-dg2-pci-id-and-hdmi-codec-vid.patch
new file mode 100644
index 00000000000..0819569ac22
--- /dev/null
+++ b/queue-5.4/alsa-hda-add-intel-dg2-pci-id-and-hdmi-codec-vid.patch
@@ -0,0 +1,67 @@
+From 9ed12e5f2755c3b03bf91e3682489e5cc3500bb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Nov 2021 14:47:31 +0200
+Subject: ALSA: hda: Add Intel DG2 PCI ID and HDMI codec vid
+
+From: Kai Vehmanen
+
+[ Upstream commit d85ffff5302b1509efc482e8877c253b0a668b33 ]
+
+Add HD Audio PCI ID and HDMI codec vendor ID for Intel DG2.
+
+Reviewed-by: Uma Shankar
+Signed-off-by: Kai Vehmanen
+Link: https://lore.kernel.org/r/20211130124732.696896-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Takashi Iwai
+Stable-dep-of: ff447886e675 ("ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()")
+Signed-off-by: Sasha Levin
+---
+ sound/pci/hda/hda_intel.c | 12 +++++++++++-
+ sound/pci/hda/patch_hdmi.c | 1 +
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index bc70a6ca18d0d..018005b29931f 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -367,7 +367,10 @@ enum {
+ ((pci)->device == 0x0c0c) || \
+ ((pci)->device == 0x0d0c) || \
+ ((pci)->device == 0x160c) || \
+- ((pci)->device == 0x490d))
++ ((pci)->device == 0x490d) || \
++ ((pci)->device == 0x4f90) || \
++ ((pci)->device == 0x4f91) || \
++ ((pci)->device == 0x4f92))
+
+ #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98)
+ #define IS_CFL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa348)
+@@ -2505,6 +2508,13 @@ static const struct pci_device_id azx_ids[] = {
+ /* DG1 */
+ { PCI_DEVICE(0x8086, 0x490d),
+ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
++ /* DG2 */
++ { PCI_DEVICE(0x8086, 0x4f90),
++ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
++ { PCI_DEVICE(0x8086, 0x4f91),
++ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
++ { PCI_DEVICE(0x8086, 0x4f92),
++ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+ /* Alderlake-S */
+ { PCI_DEVICE(0x8086, 0x7ad0),
+ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index 5ee3ae267cf3b..58e9a0171fe13 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -4223,6 +4223,7 @@ HDA_CODEC_ENTRY(0x80862812, "Tigerlake HDMI", patch_i915_tgl_hdmi),
+ HDA_CODEC_ENTRY(0x80862814, "DG1 HDMI", patch_i915_tgl_hdmi),
+ HDA_CODEC_ENTRY(0x80862815, "Alderlake HDMI", patch_i915_tgl_hdmi),
+ HDA_CODEC_ENTRY(0x80862816, "Rocketlake HDMI", patch_i915_tgl_hdmi),
++HDA_CODEC_ENTRY(0x80862819, "DG2 HDMI", patch_i915_tgl_hdmi),
+ HDA_CODEC_ENTRY(0x8086281a, "Jasperlake HDMI", patch_i915_icl_hdmi),
+ HDA_CODEC_ENTRY(0x80862880, "CedarTrail HDMI", patch_generic_hdmi),
+ HDA_CODEC_ENTRY(0x80862882, "Valleyview2 HDMI", patch_i915_byt_hdmi),
+-- 
+2.39.2
+
diff --git a/queue-5.4/alsa-hda-controller-is-in-gpu-on-the-dg1.patch b/queue-5.4/alsa-hda-controller-is-in-gpu-on-the-dg1.patch
new file mode 100644
index 00000000000..cdc54abb62f
--- /dev/null
+++ b/queue-5.4/alsa-hda-controller-is-in-gpu-on-the-dg1.patch
@@ -0,0 +1,38 @@
+From d58da93848c53bc5039a0583baa556f703837cc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Sep 2020 17:17:39 +0300
+Subject: ALSA: hda - controller is in GPU on the DG1
+
+From: Kai Vehmanen
+
+[ Upstream commit 1bee263dfda57e45ad39c59a663c123a357ce38b ]
+
+Add Intel DG1 to the CONTROLLER_IN_GPU list to ensure audio power is
+requested whenever programming the controller.
+
+Signed-off-by: Kai Vehmanen
+Link: https://lore.kernel.org/r/20200921141741.2983072-3-kai.vehmanen@linux.intel.com
+Signed-off-by: Takashi Iwai
+Stable-dep-of: ff447886e675 ("ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()")
+Signed-off-by: Sasha Levin
+---
+ sound/pci/hda/hda_intel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index c0b8844a2d5bd..6a44ad513a965 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -366,7 +366,8 @@ enum {
+ #define CONTROLLER_IN_GPU(pci) (((pci)->device == 0x0a0c) || \
+ ((pci)->device == 0x0c0c) || \
+ ((pci)->device == 0x0d0c) || \
+- ((pci)->device == 0x160c))
++ ((pci)->device == 0x160c) || \
++ ((pci)->device == 0x490d))
+
+ #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98)
+ #define IS_CFL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa348)
+-- 
+2.39.2
+
diff --git a/queue-5.4/alsa-hda-match-only-intel-devices-with-controller_in.patch b/queue-5.4/alsa-hda-match-only-intel-devices-with-controller_in.patch
new file mode 100644
index 00000000000..f24eebd8368
--- /dev/null
+++ b/queue-5.4/alsa-hda-match-only-intel-devices-with-controller_in.patch
@@ -0,0 +1,50 @@
+From 529aa406277e2d0e6ccc4fab3512591cd4cc5afd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 15:40:54 -0600
+Subject: ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()
+
+From: Bjorn Helgaas
+
+[ Upstream commit ff447886e675979d66b2bc01810035d3baea1b3a ]
+
+CONTROLLER_IN_GPU() is clearly intended to match only Intel devices, but
+previously it checked only the PCI Device ID, not the Vendor ID, so it
+could match devices from other vendors that happened to use the same Device
+ID.
+
+Update CONTROLLER_IN_GPU() so it matches only Intel devices.
+
+Fixes: 535115b5ff51 ("ALSA: hda - Abort the probe without i915 binding for HSW/B")
+Signed-off-by: Bjorn Helgaas
+Link: https://lore.kernel.org/r/20230307214054.886721-1-helgaas@kernel.org
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/hda/hda_intel.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 018005b29931f..9b7a345233cf6 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -363,14 +363,15 @@ enum {
+ #define needs_eld_notify_link(chip) false
+ #endif
+
+-#define CONTROLLER_IN_GPU(pci) (((pci)->device == 0x0a0c) || \
++#define CONTROLLER_IN_GPU(pci) (((pci)->vendor == 0x8086) && \
++ (((pci)->device == 0x0a0c) || \
+ ((pci)->device == 0x0c0c) || \
+ ((pci)->device == 0x0d0c) || \
+ ((pci)->device == 0x160c) || \
+ ((pci)->device == 0x490d) || \
+ ((pci)->device == 0x4f90) || \
+ ((pci)->device == 0x4f91) || \
+- ((pci)->device == 0x4f92))
++ ((pci)->device == 0x4f92)))
+
+ #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98)
+ #define IS_CFL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa348)
+-- 
+2.39.2
+
diff --git a/queue-5.4/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch b/queue-5.4/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch
new file mode 100644
index 00000000000..300f375c44f
--- /dev/null
+++ b/queue-5.4/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch
@@ -0,0 +1,38 @@
+From 80074e3e64e395f134272af71a0bbac5b1709f3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 14:20:32 +0800
+Subject: block: sunvdc: add check for mdesc_grab() returning NULL
+
+From: Liang He
+
+[ Upstream commit 6030363199e3a6341afb467ddddbed56640cbf6a ]
+
+In vdc_port_probe(), we should check the return value of mdesc_grab() as
+it may return NULL, which can cause potential NPD bug.
+
+Fixes: 43fdf27470b2 ("[SPARC64]: Abstract out mdesc accesses for better MD update handling.")
+Signed-off-by: Liang He
+Link: https://lore.kernel.org/r/20230315062032.1741692-1-windhl@126.com
+[axboe: style cleanup]
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/sunvdc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c
+index 6b2fd630de852..6622dd1aa07b2 100644
+--- a/drivers/block/sunvdc.c
++++ b/drivers/block/sunvdc.c
+@@ -983,6 +983,8 @@ static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+ print_version();
+
+ hp = mdesc_grab();
++ if (!hp)
++ return -ENODEV;
+
+ err = -ENODEV;
+ if ((vdev->dev_no << PARTITION_SHIFT) & ~(u64)MINORMASK) {
+-- 
+2.39.2
+
diff --git a/queue-5.4/cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch b/queue-5.4/cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch
new file mode 100644
index 00000000000..2627b40c4fa
--- /dev/null
+++ b/queue-5.4/cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch
@@ -0,0 +1,117 @@
+From 7a268afa249d03bd67d2a61b6cd34ceaf61e3e1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 11:11:36 +0800
+Subject: cifs: Move the in_send statistic to __smb_send_rqst()
+
+From: Zhang Xiaoxu
+
+[ Upstream commit d0dc41119905f740e8d5594adce277f7c0de8c92 ]
+
+When send SMB_COM_NT_CANCEL and RFC1002_SESSION_REQUEST, the
+in_send statistic was lost.
+
+Let's move the in_send statistic to the send function to avoid
+this scenario.
+
+Fixes: 7ee1af765dfa ("[CIFS]")
+Signed-off-by: Zhang Xiaoxu
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/transport.c | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
+index b98ae69edb8fe..60141a7468b00 100644
+--- a/fs/cifs/transport.c
++++ b/fs/cifs/transport.c
+@@ -312,7 +312,7 @@ static int
+ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
+ struct smb_rqst *rqst)
+ {
+- int rc = 0;
++ int rc;
+ struct kvec *iov;
+ int n_vec;
+ unsigned int send_length = 0;
+@@ -324,6 +324,7 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
+ int val = 1;
+ __be32 rfc1002_marker;
+
++ cifs_in_send_inc(server);
+ if (cifs_rdma_enabled(server)) {
+ /* return -EAGAIN when connecting or reconnecting */
+ rc = -EAGAIN;
+@@ -332,14 +333,17 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
+ goto smbd_done;
+ }
+
++ rc = -EAGAIN;
+ if (ssocket == NULL)
+- return -EAGAIN;
++ goto out;
+
++ rc = -ERESTARTSYS;
+ if (fatal_signal_pending(current)) {
+ cifs_dbg(FYI, "signal pending before send request\n");
+- return -ERESTARTSYS;
++ goto out;
+ }
+
++ rc = 0;
+ /* cork the socket */
+ kernel_setsockopt(ssocket, SOL_TCP, TCP_CORK,
+ (char *)&val, sizeof(val));
+@@ -453,7 +457,8 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
+ rc);
+ else if (rc > 0)
+ rc = 0;
+-
++out:
++ cifs_in_send_dec(server);
+ return rc;
+ }
+
+@@ -830,9 +835,7 @@ cifs_call_async(struct TCP_Server_Info *server, struct smb_rqst *rqst,
+ * I/O response may come back and free the mid entry on another thread.
+ */
+ cifs_save_when_sent(mid);
+- cifs_in_send_inc(server);
+ rc = smb_send_rqst(server, 1, rqst, flags);
+- cifs_in_send_dec(server);
+
+ if (rc < 0) {
+ revert_current_mid(server, mid->credits);
+@@ -1095,9 +1098,7 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses,
+ else
+ midQ[i]->callback = cifs_compound_last_callback;
+ }
+- cifs_in_send_inc(server);
+ rc = smb_send_rqst(server, num_rqst, rqst, flags);
+- cifs_in_send_dec(server);
+
+ for (i = 0; i < num_rqst; i++)
+ cifs_save_when_sent(midQ[i]);
+@@ -1332,9 +1333,7 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses,
+
+ midQ->mid_state = MID_REQUEST_SUBMITTED;
+
+- cifs_in_send_inc(server);
+ rc = smb_send(server, in_buf, len);
+- cifs_in_send_dec(server);
+ cifs_save_when_sent(midQ);
+
+ if (rc < 0)
+@@ -1471,9 +1470,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon,
+ }
+
+ midQ->mid_state = MID_REQUEST_SUBMITTED;
+- cifs_in_send_inc(server);
+ rc = smb_send(server, in_buf, len);
+- cifs_in_send_dec(server);
+ cifs_save_when_sent(midQ);
+
+ if (rc < 0)
+-- 
+2.39.2
+
diff --git a/queue-5.4/clk-hi655x-select-regmap-instead-of-depending-on-it.patch b/queue-5.4/clk-hi655x-select-regmap-instead-of-depending-on-it.patch
new file mode 100644
index 00000000000..384aad0ee4a
--- /dev/null
+++ b/queue-5.4/clk-hi655x-select-regmap-instead-of-depending-on-it.patch
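Review bot: Every exit from `__smb_send_rqst()` now has to reach the new `out:` label, otherwise the in_send count raised by `cifs_in_send_inc(server)` at the top is never dropped. The two early returns shown in the hunk are converted to `goto out`, but the RDMA branch jumps to `smbd_done` and the send loop between the cork and the final `return rc` is outside the hunk, so please confirm that `smbd_done` falls through to `out:` in the 5.4 tree and that no direct `return` remains in the unseen part. A comment at the label would document the invariant, e.g. `/* all exits pass through here so in_send stays balanced */`.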
@@ -0,0 +1,47 @@
+From b8f960377a6c0169d71d85aa49f68a61201c0759 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 25 Feb 2023 21:39:47 -0800
+Subject: clk: HI655X: select REGMAP instead of depending on it
+
+From: Randy Dunlap
+
+[ Upstream commit 0ffad67784a097beccf34d297ddd1b0773b3b8a3 ]
+
+REGMAP is a hidden (not user visible) symbol. Users cannot set it
+directly thru "make *config", so drivers should select it instead of
+depending on it if they need it.
+
+Consistently using "select" or "depends on" can also help reduce
+Kconfig circular dependency issues.
+
+Therefore, change the use of "depends on REGMAP" to "select REGMAP".
+
+Fixes: 3a49afb84ca0 ("clk: enable hi655x common clk automatically")
+Signed-off-by: Randy Dunlap
+Cc: Riku Voipio
+Cc: Stephen Boyd
+Cc: Michael Turquette
+Cc: linux-clk@vger.kernel.org
+Link: https://lore.kernel.org/r/20230226053953.4681-3-rdunlap@infradead.org
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/Kconfig b/drivers/clk/Kconfig
+index c44247d0b83e8..cc871ae3a1792 100644
+--- a/drivers/clk/Kconfig
++++ b/drivers/clk/Kconfig
+@@ -63,7 +63,7 @@ config COMMON_CLK_RK808
+ config COMMON_CLK_HI655X
+ tristate "Clock driver for Hi655x" if EXPERT
+ depends on (MFD_HI655X_PMIC || COMPILE_TEST)
+- depends on REGMAP
++ select REGMAP
+ default MFD_HI655X_PMIC
+ ---help---
+ This driver supports the hi655x PMIC clock. This
+-- 
+2.39.2
+
diff --git a/queue-5.4/docs-correct-missing-d_-prefix-for-dentry_operations.patch b/queue-5.4/docs-correct-missing-d_-prefix-for-dentry_operations.patch
new file mode 100644
index 00000000000..1c9688bfc12
--- /dev/null
+++ b/queue-5.4/docs-correct-missing-d_-prefix-for-dentry_operations.patch
@@ -0,0 +1,39 @@
+From 3737ae81f94578faac700c4078b40bb9d6292ccc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Feb 2023 12:40:42 -0600
+Subject: docs: Correct missing "d_" prefix for dentry_operations member
+ d_weak_revalidate
+
+From: Glenn Washburn
+
+[ Upstream commit 74596085796fae0cfce3e42ee46bf4f8acbdac55 ]
+
+The details for struct dentry_operations member d_weak_revalidate is
+missing a "d_" prefix.
+
+Fixes: af96c1e304f7 ("docs: filesystems: vfs: Convert vfs.txt to RST")
+Signed-off-by: Glenn Washburn
+Reviewed-by: Matthew Wilcox (Oracle)
+Link: https://lore.kernel.org/r/20230227184042.2375235-1-development@efficientek.com
+Signed-off-by: Jonathan Corbet
+Signed-off-by: Sasha Levin
+---
+ Documentation/filesystems/vfs.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/filesystems/vfs.rst b/Documentation/filesystems/vfs.rst
+index 7d4d09dd5e6de..241e312006434 100644
+--- a/Documentation/filesystems/vfs.rst
++++ b/Documentation/filesystems/vfs.rst
+@@ -1173,7 +1173,7 @@ defined:
+ return
+ -ECHILD and it will be called again in ref-walk mode.
+
+-``_weak_revalidate``
++``d_weak_revalidate``
+ called when the VFS needs to revalidate a "jumped" dentry. This
+ is called when a path-walk ends at dentry that was not acquired
+ by doing a lookup in the parent directory. This includes "/",
+-- 
+2.39.2
+
diff --git a/queue-5.4/drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch b/queue-5.4/drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch
new file mode 100644
index 00000000000..e4c7a932137
--- /dev/null
+++ b/queue-5.4/drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch
@@ -0,0 +1,45 @@
+From d13ecf812a828726aeecea19f06119d624eb2403 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Mar 2023 12:33:12 +0000
+Subject: drm/meson: fix 1px pink line on GXM when scaling video overlay
+
+From: Christian Hewitt
+
+[ Upstream commit 5c8cf1664f288098a971a1d1e65716a2b6a279e1 ]
+
+Playing media with a resolution smaller than the crtc size requires the
+video overlay to be scaled for output and GXM boards display a 1px pink
+line on the bottom of the scaled overlay. Comparing with the downstream
+vendor driver revealed VPP_DUMMY_DATA not being set [0].
+
+Setting VPP_DUMMY_DATA prevents the 1px pink line from being seen.
+
+[0] https://github.com/endlessm/linux-s905x/blob/master/drivers/amlogic/amports/video.c#L7869
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Suggested-by: Martin Blumenstingl
+Signed-off-by: Christian Hewitt
+Acked-by: Martin Blumenstingl
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20230303123312.155164-1-christianshewitt@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/meson/meson_vpp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/meson/meson_vpp.c b/drivers/gpu/drm/meson/meson_vpp.c
+index 154837688ab0d..5df1957c8e41f 100644
+--- a/drivers/gpu/drm/meson/meson_vpp.c
++++ b/drivers/gpu/drm/meson/meson_vpp.c
+@@ -100,6 +100,8 @@ void meson_vpp_init(struct meson_drm *priv)
+ priv->io_base + _REG(VPP_DOLBY_CTRL));
+ writel_relaxed(0x1020080,
+ priv->io_base + _REG(VPP_DUMMY_DATA1));
++ writel_relaxed(0x42020,
++ priv->io_base + _REG(VPP_DUMMY_DATA));
+ } else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A))
+ writel_relaxed(0xf, priv->io_base + _REG(DOLBY_PATH_CTRL));
+
+-- 
+2.39.2
+
diff --git a/queue-5.4/drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch b/queue-5.4/drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch
new file mode 100644
index 00000000000..b18b8390980
--- /dev/null
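Review bot: The value `0x42020` written to `VPP_DUMMY_DATA` in `meson_vpp_init()` is an unexplained magic number; the commit message says it was taken from the downstream vendor driver, but nothing in the code records that. A short comment above the write would help, e.g. `/* value from the vendor driver; avoids the 1px line under a scaled overlay */`. The `if` chain this branch belongs to starts outside the hunk, so the branch is presumably the GXM one named in the subject.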
+++ b/queue-5.4/drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch
@@ -0,0 +1,38 @@
+From 16ef310195174db565c48c4b1a23e5b39983509c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 04:40:38 +0300
+Subject: drm/panfrost: Don't sync rpm suspension after mmu flushing
+
+From: Dmitry Osipenko
+
+[ Upstream commit ba3be66f11c3c49afaa9f49b99e21d88756229ef ]
+
+Lockdep warns about potential circular locking dependency of devfreq
+with the fs_reclaim caused by immediate device suspension when mapping is
+released by shrinker. Fix it by doing the suspension asynchronously.
+
+Reviewed-by: Steven Price
+Fixes: ec7eba47da86 ("drm/panfrost: Rework page table flushing and runtime PM interaction")
+Signed-off-by: Dmitry Osipenko
+Link: https://lore.kernel.org/all/20230108210445.3948344-3-dmitry.osipenko@collabora.com/
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panfrost/panfrost_mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panfrost/panfrost_mmu.c b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+index 8a014dc115712..f1007c50565b6 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+@@ -233,7 +233,7 @@ static void panfrost_mmu_flush_range(struct panfrost_device *pfdev,
+ if (pm_runtime_active(pfdev->dev))
+ mmu_hw_do_operation(pfdev, mmu, iova, size, AS_COMMAND_FLUSH_PT);
+
+- pm_runtime_put_sync_autosuspend(pfdev->dev);
++ pm_runtime_put_autosuspend(pfdev->dev);
+ }
+
+ static int mmu_map_sg(struct panfrost_device *pfdev, struct panfrost_mmu *mmu,
+-- 
+2.39.2
+
diff --git a/queue-5.4/ethernet-sun-add-check-for-the-mdesc_grab.patch b/queue-5.4/ethernet-sun-add-check-for-the-mdesc_grab.patch
new file mode 100644
index 00000000000..d7ed82914fe
--- /dev/null
+++ b/queue-5.4/ethernet-sun-add-check-for-the-mdesc_grab.patch
@@ -0,0 +1,55 @@
+From fc150c7b7959029f26431e4de68695ba2625e01d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 14:00:21 +0800
+Subject: ethernet: sun: add check for the mdesc_grab()
+
+From: Liang He
+
+[ Upstream commit 90de546d9a0b3c771667af18bb3f80567eabb89b ]
+
+In vnet_port_probe() and vsw_port_probe(), we should
+check the return value of mdesc_grab() as it may
+return NULL which can caused NPD bugs.
+
+Fixes: 5d01fa0c6bd8 ("ldmvsw: Add ldmvsw.c driver code")
+Fixes: 43fdf27470b2 ("[SPARC64]: Abstract out mdesc accesses for better MD update handling.")
+Signed-off-by: Liang He
+Reviewed-by: Piotr Raczynski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sun/ldmvsw.c | 3 +++
+ drivers/net/ethernet/sun/sunvnet.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/sun/ldmvsw.c b/drivers/net/ethernet/sun/ldmvsw.c
+index 01ea0d6f88193..934a4b54784b8 100644
+--- a/drivers/net/ethernet/sun/ldmvsw.c
++++ b/drivers/net/ethernet/sun/ldmvsw.c
+@@ -290,6 +290,9 @@ static int vsw_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+
+ hp = mdesc_grab();
+
++ if (!hp)
++ return -ENODEV;
++
+ rmac = mdesc_get_property(hp, vdev->mp, remote_macaddr_prop, &len);
+ err = -ENODEV;
+ if (!rmac) {
+diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c
+index 96b883f965f63..b6c03adf1e762 100644
+--- a/drivers/net/ethernet/sun/sunvnet.c
++++ b/drivers/net/ethernet/sun/sunvnet.c
+@@ -431,6 +431,9 @@ static int vnet_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+
+ hp = mdesc_grab();
+
++ if (!hp)
++ return -ENODEV;
++
+ vp = vnet_find_parent(hp, vdev->mp, vdev);
+ if (IS_ERR(vp)) {
+ pr_err("Cannot find port parent vnet\n");
+-- 
+2.39.2
+
diff --git a/queue-5.4/i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch b/queue-5.4/i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch
new file mode 100644
index 00000000000..e57b7eb411c
--- /dev/null
+++ b/queue-5.4/i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch
@@ -0,0 +1,91 @@
+From 91dac1794e6c9bb14e04697304e0f78965a19e9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Mar 2023 10:45:09 -0800
+Subject: i40e: Fix kernel crash during reboot when adapter is in recovery mode
+
+From: Ivan Vecera
+
+[ Upstream commit 7e4f8a0c495413a50413e8c9f1032ce1bc633bae ]
+
+If the driver detects during probe that firmware is in recovery
+mode then i40e_init_recovery_mode() is called and the rest of
+probe function is skipped including pci_set_drvdata(). Subsequent
+i40e_shutdown() called during shutdown/reboot dereferences NULL
+pointer as pci_get_drvdata() returns NULL.
+
+To fix call pci_set_drvdata() also during entering to recovery mode.
+
+Reproducer:
+1) Lets have i40e NIC with firmware in recovery mode
+2) Run reboot
+
+Result:
+[ 139.084698] i40e: Intel(R) Ethernet Connection XL710 Network Driver
+[ 139.090959] i40e: Copyright (c) 2013 - 2019 Intel Corporation.
+[ 139.108438] i40e 0000:02:00.0: Firmware recovery mode detected. Limiting functionality.
+[ 139.116439] i40e 0000:02:00.0: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.
+[ 139.129499] i40e 0000:02:00.0: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]
+[ 139.215932] i40e 0000:02:00.0 enp2s0f0: renamed from eth0
+[ 139.223292] i40e 0000:02:00.1: Firmware recovery mode detected. Limiting functionality.
+[ 139.231292] i40e 0000:02:00.1: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.
+[ 139.244406] i40e 0000:02:00.1: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]
+[ 139.329209] i40e 0000:02:00.1 enp2s0f1: renamed from eth0
+...
+[ 156.311376] BUG: kernel NULL pointer dereference, address: 00000000000006c2
+[ 156.318330] #PF: supervisor write access in kernel mode
+[ 156.323546] #PF: error_code(0x0002) - not-present page
+[ 156.328679] PGD 0 P4D 0
+[ 156.331210] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[ 156.335567] CPU: 26 PID: 15119 Comm: reboot Tainted: G E 6.2.0+ #1
+[ 156.343126] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022
+[ 156.353369] RIP: 0010:i40e_shutdown+0x15/0x130 [i40e]
+[ 156.358430] Code: c1 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 fd 53 48 8b 9f 48 01 00 00 80 8b c2 06 00 00 04 f0 80 8b c0 06 00 00 08 48 8d bb 08 08 00
+[ 156.377168] RSP: 0018:ffffb223c8447d90 EFLAGS: 00010282
+[ 156.382384] RAX: ffffffffc073ee70 RBX: 0000000000000000 RCX: 0000000000000001
+[ 156.389510] RDX: 0000000080000001 RSI: 0000000000000246 RDI: ffff95db49988000
+[ 156.396634] RBP: ffff95db49988000 R08: ffffffffffffffff R09: ffffffff8bd17d40
+[ 156.403759] R10: 0000000000000001 R11: ffffffff8a5e3d28 R12: ffff95db49988000
+[ 156.410882] R13: ffffffff89a6fe17 R14: ffff95db49988150 R15: 0000000000000000
+[ 156.418007] FS: 00007fe7c0cc3980(0000) GS:ffff95ea8ee80000(0000) knlGS:0000000000000000
+[ 156.426083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 156.431819] CR2: 00000000000006c2 CR3: 00000003092fc005 CR4: 0000000000770ee0
+[ 156.438944] PKRU: 55555554
+[ 156.441647] Call Trace:
+[ 156.444096]
+[ 156.446199] pci_device_shutdown+0x38/0x60
+[ 156.450297] device_shutdown+0x163/0x210
+[ 156.454215] kernel_restart+0x12/0x70
+[ 156.457872] __do_sys_reboot+0x1ab/0x230
+[ 156.461789] ? vfs_writev+0xa6/0x1a0
+[ 156.465362] ? __pfx_file_free_rcu+0x10/0x10
+[ 156.469635] ? __call_rcu_common.constprop.85+0x109/0x5a0
+[ 156.475034] do_syscall_64+0x3e/0x90
+[ 156.478611] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[ 156.483658] RIP: 0033:0x7fe7bff37ab7
+
+Fixes: 4ff0ee1af016 ("i40e: Introduce recovery mode support")
+Signed-off-by: Ivan Vecera
+Tested-by: Arpana Arland (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Link: https://lore.kernel.org/r/20230309184509.984639-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 3f983d69f10eb..05f2f5637d3df 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -14823,6 +14823,7 @@ static int i40e_init_recovery_mode(struct i40e_pf *pf, struct i40e_hw *hw)
+ int err;
+ int v_idx;
+
++ pci_set_drvdata(pf->pdev, pf);
+ pci_save_state(pf->pdev);
+
+ /* set up periodic task facility */
+-- 
+2.39.2
+
diff --git a/queue-5.4/ipv4-fix-incorrect-table-id-in-ioctl-path.patch b/queue-5.4/ipv4-fix-incorrect-table-id-in-ioctl-path.patch
new file mode 100644
index 00000000000..df8b71e4bd7
--- /dev/null
+++ b/queue-5.4/ipv4-fix-incorrect-table-id-in-ioctl-path.patch
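Review bot: With `pci_set_drvdata(pf->pdev, pf)` now set in `i40e_init_recovery_mode()`, every PCI callback that reads drvdata (shutdown, remove, suspend/resume) will run against a `pf` that only went through the reduced recovery-mode setup, where before it saw NULL. Those callbacks and this function's error paths are outside the hunk, so confirm in the 5.4 tree that each one either checks the recovery-mode state or touches only fields this function initialises, and that no error path releases `pf` while drvdata still points at it. A comment on the new line would record the intent, e.g. `/* shutdown/remove read drvdata even in recovery mode */`.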
@@ -0,0 +1,74 @@
+From d550fb4fd58c286714303034c251e359590ac72e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 14:40:09 +0200
+Subject: ipv4: Fix incorrect table ID in IOCTL path
+
+From: Ido Schimmel
+
+[ Upstream commit 8a2618e14f81604a9b6ad305d57e0c8da939cd65 ]
+
+Commit f96a3d74554d ("ipv4: Fix incorrect route flushing when source
+address is deleted") started to take the table ID field in the FIB info
+structure into account when determining if two structures are identical
+or not. This field is initialized using the 'fc_table' field in the
+route configuration structure, which is not set when adding a route via
+IOCTL.
+
+The above can result in user space being able to install two identical
+routes that only differ in the table ID field of their associated FIB
+info.
+
+Fix by initializing the table ID field in the route configuration
+structure in the IOCTL path.
+
+Before the fix:
+
+ # ip route add default via 192.0.2.2
+ # route add default gw 192.0.2.2
+ # ip -4 r show default
+ # default via 192.0.2.2 dev dummy10
+ # default via 192.0.2.2 dev dummy10
+
+After the fix:
+
+ # ip route add default via 192.0.2.2
+ # route add default gw 192.0.2.2
+ SIOCADDRT: File exists
+ # ip -4 r show default
+ default via 192.0.2.2 dev dummy10
+
+Audited the code paths to ensure there are no other paths that do not
+properly initialize the route configuration structure when installing a
+route.
+
+Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs")
+Fixes: f96a3d74554d ("ipv4: Fix incorrect route flushing when source address is deleted")
+Reported-by: gaoxingwang
+Link: https://lore.kernel.org/netdev/20230314144159.2354729-1-gaoxingwang1@huawei.com/
+Tested-by: gaoxingwang
+Signed-off-by: Ido Schimmel
+Reviewed-by: David Ahern
+Link: https://lore.kernel.org/r/20230315124009.4015212-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/fib_frontend.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index be31eeacb0beb..c31003d8c22f8 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -583,6 +583,9 @@ static int rtentry_to_fib_config(struct net *net, int cmd, struct rtentry *rt,
+ cfg->fc_scope = RT_SCOPE_UNIVERSE;
+ }
+
++ if (!cfg->fc_table)
++ cfg->fc_table = RT_TABLE_MAIN;
++
+ if (cmd == SIOCDELRT)
+ return 0;
+
+--
+2.39.2
+
diff --git a/queue-5.4/ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch b/queue-5.4/ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch
new file mode 100644
index 00000000000..b398e089fe9
--- /dev/null
+++ b/queue-5.4/ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch
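Review bot: The default added in rtentry_to_fib_config(), `if (!cfg->fc_table) cfg->fc_table = RT_TABLE_MAIN;`, carries no comment, so the reason an ioctl-built config needs a table ID lives only in the commit message. A one-line comment above it would keep the invariant visible: `/* ioctl callers never supply a table; use the main table so fib_info comparison sees the same ID as other paths */`. The assignment sits before the `SIOCDELRT` early return, so it also applies to deletions, which looks intended but is worth saying in the same comment. The function body starts and ends outside the hunk.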
@@ -0,0 +1,49 @@
+From 45a0388b81b46f469b8a71f8bcad5ea4cfda9400 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Mar 2023 10:03:36 +0800
+Subject: ipvlan: Make skb->skb_iif track skb->dev for l3s mode
+
+From: Jianguo Wu
+
+[ Upstream commit 59a0b022aa249e3f5735d93de0849341722c4754 ]
+
+For l3s mode, skb->dev is set to ipvlan interface in ipvlan_nf_input():
+ skb->dev = addr->master->dev
+but, skb->skb_iif remain unchanged, this will cause socket lookup failed
+if a target socket is bound to a interface, like the following example:
+
+ ip link add ipvlan0 link eth0 type ipvlan mode l3s
+ ip addr add dev ipvlan0 192.168.124.111/24
+ ip link set ipvlan0 up
+
+ ping -c 1 -I ipvlan0 8.8.8.8
+ 100% packet loss
+
+This is because there is no match sk in __raw_v4_lookup() as sk->sk_bound_dev_if != dif(skb->skb_iif).
+Fix this by make skb->skb_iif track skb->dev in ipvlan_nf_input().
+
+Fixes: c675e06a98a4 ("ipvlan: decouple l3s mode dependencies from other modes")
+Signed-off-by: Jianguo Wu
+Reviewed-by: Jiri Pirko
+Link: https://lore.kernel.org/r/29865b1f-6db7-c07a-de89-949d3721ea30@163.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ipvlan/ipvlan_l3s.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ipvlan/ipvlan_l3s.c b/drivers/net/ipvlan/ipvlan_l3s.c
+index 943d26cbf39f5..71712ea25403d 100644
+--- a/drivers/net/ipvlan/ipvlan_l3s.c
++++ b/drivers/net/ipvlan/ipvlan_l3s.c
+@@ -101,6 +101,7 @@ static unsigned int ipvlan_nf_input(void *priv, struct sk_buff *skb,
+ goto out;
+
+ skb->dev = addr->master->dev;
++ skb->skb_iif = skb->dev->ifindex;
+ len = skb->len + ETH_HLEN;
+ ipvlan_count_rx(addr->master, len, true, false);
+ out:
+--
+2.39.2
+
diff --git a/queue-5.4/net-iucv-fix-size-of-interrupt-data.patch b/queue-5.4/net-iucv-fix-size-of-interrupt-data.patch
new file mode 100644
index 00000000000..0406805827d
--- /dev/null
+++ b/queue-5.4/net-iucv-fix-size-of-interrupt-data.patch
@@ -0,0 +1,105 @@
+From 565998ddb6b1df3e6c9efee2317a4eebc084521f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 14:14:35 +0100
+Subject: net/iucv: Fix size of interrupt data
+
+From: Alexandra Winter
+
+[ Upstream commit 3d87debb8ed2649608ff432699e7c961c0c6f03b ]
+
+iucv_irq_data needs to be 4 bytes larger.
+These bytes are not used by the iucv module, but written by
+the z/VM hypervisor in case a CPU is deconfigured.
+
+Reported as:
+BUG dma-kmalloc-64 (Not tainted): kmalloc Redzone overwritten
+-----------------------------------------------------------------------------
+0x0000000000400564-0x0000000000400567 @offset=1380. First byte 0x80 instead of 0xcc
+Allocated in iucv_cpu_prepare+0x44/0xd0 age=167839 cpu=2 pid=1
+__kmem_cache_alloc_node+0x166/0x450
+kmalloc_node_trace+0x3a/0x70
+iucv_cpu_prepare+0x44/0xd0
+cpuhp_invoke_callback+0x156/0x2f0
+cpuhp_issue_call+0xf0/0x298
+__cpuhp_setup_state_cpuslocked+0x136/0x338
+__cpuhp_setup_state+0xf4/0x288
+iucv_init+0xf4/0x280
+do_one_initcall+0x78/0x390
+do_initcalls+0x11a/0x140
+kernel_init_freeable+0x25e/0x2a0
+kernel_init+0x2e/0x170
+__ret_from_fork+0x3c/0x58
+ret_from_fork+0xa/0x40
+Freed in iucv_init+0x92/0x280 age=167839 cpu=2 pid=1
+__kmem_cache_free+0x308/0x358
+iucv_init+0x92/0x280
+do_one_initcall+0x78/0x390
+do_initcalls+0x11a/0x140
+kernel_init_freeable+0x25e/0x2a0
+kernel_init+0x2e/0x170
+__ret_from_fork+0x3c/0x58
+ret_from_fork+0xa/0x40
+Slab 0x0000037200010000 objects=32 used=30 fp=0x0000000000400640 flags=0x1ffff00000010200(slab|head|node=0|zone=0|
+Object 0x0000000000400540 @offset=1344 fp=0x0000000000000000
+Redzone 0000000000400500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Redzone 0000000000400510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Redzone 0000000000400520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Redzone 0000000000400530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Object 0000000000400540: 00 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object 0000000000400550: f3 86 81 f2 f4 82 f8 82 f0 f0 f0 f0 f0 f0 f0 f2 ................
+Object 0000000000400560: 00 00 00 00 80 00 00 00 cc cc cc cc cc cc cc cc ................
+Object 0000000000400570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Redzone 0000000000400580: cc cc cc cc cc cc cc cc ........
+Padding 00000000004005d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
+Padding 00000000004005e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
+Padding 00000000004005f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
+CPU: 6 PID: 121030 Comm: 116-pai-crypto. Not tainted 6.3.0-20230221.rc0.git4.99b8246b2d71.300.fc37.s390x+debug #1
+Hardware name: IBM 3931 A01 704 (z/VM 7.3.0)
+Call Trace:
+[<000000032aa034ec>] dump_stack_lvl+0xac/0x100
+[<0000000329f5a6cc>] check_bytes_and_report+0x104/0x140
+[<0000000329f5aa78>] check_object+0x370/0x3c0
+[<0000000329f5ede6>] free_debug_processing+0x15e/0x348
+[<0000000329f5f06a>] free_to_partial_list+0x9a/0x2f0
+[<0000000329f5f4a4>] __slab_free+0x1e4/0x3a8
+[<0000000329f61768>] __kmem_cache_free+0x308/0x358
+[<000000032a91465c>] iucv_cpu_dead+0x6c/0x88
+[<0000000329c2fc66>] cpuhp_invoke_callback+0x156/0x2f0
+[<000000032aa062da>] _cpu_down.constprop.0+0x22a/0x5e0
+[<0000000329c3243e>] cpu_device_down+0x4e/0x78
+[<000000032a61dee0>] device_offline+0xc8/0x118
+[<000000032a61e048>] online_store+0x60/0xe0
+[<000000032a08b6b0>] kernfs_fop_write_iter+0x150/0x1e8
+[<0000000329fab65c>] vfs_write+0x174/0x360
+[<0000000329fab9fc>] ksys_write+0x74/0x100
+[<000000032aa03a5a>] __do_syscall+0x1da/0x208
+[<000000032aa177b2>] system_call+0x82/0xb0
+INFO: lockdep is turned off.
+FIX dma-kmalloc-64: Restoring kmalloc Redzone 0x0000000000400564-0x0000000000400567=0xcc
+FIX dma-kmalloc-64: Object at 0x0000000000400540 not freed
+
+Fixes: 2356f4cb1911 ("[S390]: Rewrite of the IUCV base code, part 2")
+Signed-off-by: Alexandra Winter
+Link: https://lore.kernel.org/r/20230315131435.4113889-1-wintera@linux.ibm.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/iucv/iucv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
+index a4d1b5b7a1543..392f8ddf97191 100644
+--- a/net/iucv/iucv.c
++++ b/net/iucv/iucv.c
+@@ -106,7 +106,7 @@ struct iucv_irq_data {
+ u16 ippathid;
+ u8 ipflags1;
+ u8 iptype;
+- u32 res2[8];
++ u32 res2[9];
+ };
+
+ struct iucv_irq_list {
+--
+2.39.2
+
diff --git a/queue-5.4/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch b/queue-5.4/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch
new file mode 100644
index 00000000000..e595b341759
--- /dev/null
+++ b/queue-5.4/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch
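Review bot: The new length in `u32 res2[9];` is a bare number, and nothing in struct iucv_irq_data records that the extra word exists only because the z/VM hypervisor writes it when a CPU is deconfigured. Without that, a later cleanup could shrink the array again and bring back the 4-byte write past the allocation shown in the redzone report. I would add `/* last word is written by z/VM on CPU deconfigure, unused by iucv; do not shrink */` next to the field. If the size of this buffer is fixed by the hypervisor interface, a compile-time size check on the struct would pin it, but the expected size should be confirmed against the interface definition rather than taken from this hunk.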
@@ -0,0 +1,44 @@
+From 2a1223f679c5ca8a9ef05af75a47eaefb82ce5d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 11 Mar 2023 19:34:45 +0100
+Subject: net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status
+ fails
+
+From: Heiner Kallweit
+
+[ Upstream commit c22c3bbf351e4ce905f082649cffa1ff893ea8c1 ]
+
+If genphy_read_status fails then further access to the PHY may result
+in unpredictable behavior. To prevent this bail out immediately if
+genphy_read_status fails.
+
+Fixes: 4223dbffed9f ("net: phy: smsc: Re-enable EDPD mode for LAN87xx")
+Signed-off-by: Heiner Kallweit
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/026aa4f2-36f5-1c10-ab9f-cdb17dda6ac4@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/smsc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
+index b732982507939..e387c219f17d2 100644
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -108,8 +108,11 @@ static int lan911x_config_init(struct phy_device *phydev)
+ static int lan87xx_read_status(struct phy_device *phydev)
+ {
+ struct smsc_phy_priv *priv = phydev->priv;
++ int err;
+
+- int err = genphy_read_status(phydev);
++ err = genphy_read_status(phydev);
++ if (err)
++ return err;
+
+ if (!phydev->link && priv->energy_enable) {
+ int i;
+--
+2.39.2
+
diff --git a/queue-5.4/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch b/queue-5.4/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch
new file mode 100644
index 00000000000..3c2ad319a19
--- /dev/null
+++ b/queue-5.4/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch
@@ -0,0 +1,252 @@ +From e577a2cdb98cacda2c18a6021512f979ce05aadb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 19:11:09 +0000 +Subject: net: tunnels: annotate lockless accesses to dev->needed_headroom + +From: Eric Dumazet + +[ Upstream commit 4b397c06cb987935b1b097336532aa6b4210e091 ] + +IP tunnels can apparently update dev->needed_headroom +in their xmit path. + +This patch takes care of three tunnels xmit, and also the +core LL_RESERVED_SPACE() and LL_RESERVED_SPACE_EXTRA() +helpers. + +More changes might be needed for completeness. + +BUG: KCSAN: data-race in ip_tunnel_xmit / ip_tunnel_xmit + +read to 0xffff88815b9da0ec of 2 bytes by task 888 on cpu 1: +ip_tunnel_xmit+0x1270/0x1730 net/ipv4/ip_tunnel.c:803 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 
net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 + +write to 0xffff88815b9da0ec of 2 bytes by task 2379 on cpu 0: +ip_tunnel_xmit+0x1294/0x1730 net/ipv4/ip_tunnel.c:804 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip6_finish_output2+0x9bc/0xc50 net/ipv6/ip6_output.c:134 +__ip6_finish_output net/ipv6/ip6_output.c:195 [inline] +ip6_finish_output+0x39a/0x4e0 net/ipv6/ip6_output.c:206 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip6_output+0xeb/0x220 net/ipv6/ip6_output.c:227 +dst_output include/net/dst.h:444 [inline] +NF_HOOK include/linux/netfilter.h:302 [inline] +mld_sendpack+0x438/0x6a0 net/ipv6/mcast.c:1820 +mld_send_cr net/ipv6/mcast.c:2121 [inline] +mld_ifc_work+0x519/0x7b0 net/ipv6/mcast.c:2653 +process_one_work+0x3e6/0x750 kernel/workqueue.c:2390 +worker_thread+0x5f2/0xa10 kernel/workqueue.c:2537 +kthread+0x1ac/0x1e0 kernel/kthread.c:376 
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +value changed: 0x0dd4 -> 0x0e14 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 2379 Comm: kworker/0:0 Not tainted 6.3.0-rc1-syzkaller-00002-g8ca09d5fa354-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 +Workqueue: mld mld_ifc_work + +Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230310191109.2384387-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 6 ++++-- + net/ipv4/ip_tunnel.c | 12 ++++++------ + net/ipv6/ip6_tunnel.c | 4 ++-- + 3 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 73bc0f53303f9..14183cbf0f0d0 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -265,9 +265,11 @@ struct hh_cache { + * relationship HH alignment <= LL alignment. 
+ */ + #define LL_RESERVED_SPACE(dev) \ +- ((((dev)->hard_header_len+(dev)->needed_headroom)&~(HH_DATA_MOD - 1)) + HH_DATA_MOD) ++ ((((dev)->hard_header_len + READ_ONCE((dev)->needed_headroom)) \ ++ & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD) + #define LL_RESERVED_SPACE_EXTRA(dev,extra) \ +- ((((dev)->hard_header_len+(dev)->needed_headroom+(extra))&~(HH_DATA_MOD - 1)) + HH_DATA_MOD) ++ ((((dev)->hard_header_len + READ_ONCE((dev)->needed_headroom) + (extra)) \ ++ & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD) + + struct header_ops { + int (*create) (struct sk_buff *skb, struct net_device *dev, +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index 38d3095ef9793..4559edad8cec5 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -620,10 +620,10 @@ void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + } + + headroom += LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len; +- if (headroom > dev->needed_headroom) +- dev->needed_headroom = headroom; ++ if (headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, headroom); + +- if (skb_cow_head(skb, dev->needed_headroom)) { ++ if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) { + ip_rt_put(rt); + goto tx_dropped; + } +@@ -804,10 +804,10 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + + max_headroom = LL_RESERVED_SPACE(rt->dst.dev) + sizeof(struct iphdr) + + rt->dst.header_len + ip_encap_hlen(&tunnel->encap); +- if (max_headroom > dev->needed_headroom) +- dev->needed_headroom = max_headroom; ++ if (max_headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, max_headroom); + +- if (skb_cow_head(skb, dev->needed_headroom)) { ++ if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) { + ip_rt_put(rt); + dev->stats.tx_dropped++; + kfree_skb(skb); +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index acc75975edded..b97611894882d 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1201,8 +1201,8 @@ 
int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield, + */ + max_headroom = LL_RESERVED_SPACE(dst->dev) + sizeof(struct ipv6hdr) + + dst->header_len + t->hlen; +- if (max_headroom > dev->needed_headroom) +- dev->needed_headroom = max_headroom; ++ if (max_headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, max_headroom); + + err = ip6_tnl_encap(skb, t, &proto, fl6); + if (err) +-- +2.39.2 + diff --git a/queue-5.4/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch b/queue-5.4/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch new file mode 100644 index 00000000000..f67359e7f32 --- /dev/null +++ b/queue-5.4/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch 
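Review bot: In ip_md_tunnel_xmit() and ip_tunnel_xmit() the annotated code still reads `dev->needed_headroom` a second time for `skb_cow_head()`, so the amount reserved is whatever another sender last stored, not necessarily the `headroom`/`max_headroom` just computed for this packet. The compare and the `WRITE_ONCE()` remain two separate steps, so two CPUs can interleave and leave the smaller value in the field; the annotations quiet KCSAN but do not make the update monotonic. Taking one snapshot into a local and passing that local to `skb_cow_head()` keeps each packet's reservation at least as large as its own requirement. Whether ip6_tnl_xmit() re-reads the field further down cannot be seen from its hunk. All three function bodies start and end outside the hunks.

```c
	unsigned int needed;	/* new local: one snapshot of dev->needed_headroom */

	/* … unchanged: max_headroom computed from the route and encap … */
	needed = READ_ONCE(dev->needed_headroom);
	if (max_headroom > needed) {
		WRITE_ONCE(dev->needed_headroom, max_headroom);
		needed = max_headroom;
	}

	if (skb_cow_head(skb, needed)) {
		/* … unchanged: drop path … */
```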
@@ -0,0 +1,39 @@
+From 985b1a4693024a3355e1ca479e8692ccbac9db32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 23:00:45 +0100
+Subject: net: usb: smsc75xx: Limit packet length to skb->len
+
+From: Szymon Heidrich
+
+[ Upstream commit d8b228318935044dafe3a5bc07ee71a1f1424b8d ]
+
+Packet length retrieved from skb data may be larger than
+the actual socket buffer length (up to 9026 bytes). In such
+case the cloned skb passed up the network stack will leak
+kernel memory contents.
+
+Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
+Signed-off-by: Szymon Heidrich
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/smsc75xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index aa848be459ec7..229ff92e41cd9 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -2210,7 +2210,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ dev->net->stats.rx_frame_errors++;
+ } else {
+ /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */
+- if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) {
++ if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) ||
++ size > skb->len)) {
+ netif_dbg(dev, rx_err, dev->net,
+ "size err rx_cmd_a=0x%08x\n",
+ rx_cmd_a);
+--
+2.39.2
+
diff --git a/queue-5.4/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch b/queue-5.4/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch
new file mode 100644
index 00000000000..21439d1a9b7
--- /dev/null
+++ b/queue-5.4/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch
@@ -0,0 +1,54 @@
+From 6e331767b7e078a1d93aa7d29b5455921ac1029b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Mar 2023 12:05:40 +0100
+Subject: net: usb: smsc75xx: Move packet length check to prevent kernel panic
+ in skb_pull
+
+From: Szymon Heidrich
+
+[ Upstream commit 43ffe6caccc7a1bb9d7442fbab521efbf6c1378c ]
+
+Packet length check needs to be located after size and align_count
+calculation to prevent kernel panic in skb_pull() in case
+rx_cmd_a & RX_CMD_A_RED evaluates to true.
+
+Fixes: d8b228318935 ("net: usb: smsc75xx: Limit packet length to skb->len")
+Signed-off-by: Szymon Heidrich
+Link: https://lore.kernel.org/r/20230316110540.77531-1-szymon.heidrich@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/smsc75xx.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 229ff92e41cd9..bd533827af8b1 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -2198,6 +2198,13 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ size = (rx_cmd_a & RX_CMD_A_LEN) - RXW_PADDING;
+ align_count = (4 - ((size + RXW_PADDING) % 4)) % 4;
+
++ if (unlikely(size > skb->len)) {
++ netif_dbg(dev, rx_err, dev->net,
++ "size err rx_cmd_a=0x%08x\n",
++ rx_cmd_a);
++ return 0;
++ }
++
+ if (unlikely(rx_cmd_a & RX_CMD_A_RED)) {
+ netif_dbg(dev, rx_err, dev->net,
+ "Error rx_cmd_a=0x%08x\n", rx_cmd_a);
+@@ -2210,8 +2217,7 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ dev->net->stats.rx_frame_errors++;
+ } else {
+ /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */
+- if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) ||
+- size > skb->len)) {
++ if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) {
+ netif_dbg(dev, rx_err, dev->net,
+ "size err rx_cmd_a=0x%08x\n",
+ rx_cmd_a);
+--
+2.39.2
+
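Review bot: The early return added after the `align_count` calculation in smsc75xx_rx_fixup() drops the frame with only a `netif_dbg()` line, so a device that reports a length larger than `skb->len` leaves no trace unless rx_err debugging is enabled. The neighbouring error path in the second hunk bumps `dev->net->stats.rx_frame_errors`; the new path should count as well, for example `dev->net->stats.rx_errors++;` and `dev->net->stats.rx_length_errors++;` before `return 0;`. Its message `"size err rx_cmd_a=0x%08x\n"` is also identical to the one kept in the maximum-size check, so the two cases cannot be told apart in a log; a distinct text such as `"size exceeds skb len rx_cmd_a=0x%08x\n"` would help triage. The function body starts and ends outside the hunks.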
diff --git a/queue-5.4/netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch b/queue-5.4/netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch
new file mode 100644
index 00000000000..707480bf80c
--- /dev/null
+++ b/queue-5.4/netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch
@@ -0,0 +1,37 @@
+From 64d02e1c6eb21148dda9767f93c07bd51f4ca4a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 23:22:59 +0000
+Subject: netfilter: nft_redir: correct value of inet type `.maxattrs`
+
+From: Jeremy Sowden
+
+[ Upstream commit 493924519b1fe3faab13ee621a43b0d0939abab1 ]
+
+`nft_redir_inet_type.maxattrs` was being set, presumably because of a
+cut-and-paste error, to `NFTA_MASQ_MAX`, instead of `NFTA_REDIR_MAX`.
+
+Fixes: 63ce3940f3ab ("netfilter: nft_redir: add inet support")
+Signed-off-by: Jeremy Sowden
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_redir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
+index 43eeb1f609f13..d75de63189b61 100644
+--- a/net/netfilter/nft_redir.c
++++ b/net/netfilter/nft_redir.c
+@@ -236,7 +236,7 @@ static struct nft_expr_type nft_redir_inet_type __read_mostly = {
+ .name = "redir",
+ .ops = &nft_redir_inet_ops,
+ .policy = nft_redir_policy,
+- .maxattr = NFTA_MASQ_MAX,
++ .maxattr = NFTA_REDIR_MAX,
+ .owner = THIS_MODULE,
+ };
+
+--
+2.39.2
+
diff --git a/queue-5.4/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch b/queue-5.4/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch
new file mode 100644
index 00000000000..32896005e9a
--- /dev/null
+++ b/queue-5.4/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch
@@ -0,0 +1,65 @@
+From 24430aa35c04ce0ab1ba3388cb940bacc31b8429 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Mar 2023 19:50:50 +0300
+Subject: nfc: pn533: initialize struct pn533_out_arg properly
+
+From: Fedor Pchelkin
+
+[ Upstream commit 484b7059796e3bc1cb527caa61dfc60da649b4f6 ]
+
+struct pn533_out_arg used as a temporary context for out_urb is not
+initialized properly. Its uninitialized 'phy' field can be dereferenced in
+error cases inside pn533_out_complete() callback function. It causes the
+following failure:
+
+general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc3-next-20230110-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+RIP: 0010:pn533_out_complete.cold+0x15/0x44 drivers/nfc/pn533/usb.c:441
+Call Trace:
+
+ __usb_hcd_giveback_urb+0x2b6/0x5c0 drivers/usb/core/hcd.c:1671
+ usb_hcd_giveback_urb+0x384/0x430 drivers/usb/core/hcd.c:1754
+ dummy_timer+0x1203/0x32d0 drivers/usb/gadget/udc/dummy_hcd.c:1988
+ call_timer_fn+0x1da/0x800 kernel/time/timer.c:1700
+ expire_timers+0x234/0x330 kernel/time/timer.c:1751
+ __run_timers kernel/time/timer.c:2022 [inline]
+ __run_timers kernel/time/timer.c:1995 [inline]
+ run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035
+ __do_softirq+0x1fb/0xaf6 kernel/softirq.c:571
+ invoke_softirq kernel/softirq.c:445 [inline]
+ __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
+ irq_exit_rcu+0x9/0x20 kernel/softirq.c:662
+ sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107
+
+Initialize the field with the pn533_usb_phy currently used.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 9dab880d675b ("nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()")
+Reported-by: syzbot+1e608ba4217c96d1952f@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230309165050.207390-1-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/nfc/pn533/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c
+index 82e5b7dbaee9f..2021a9d31f4ab 100644
+--- a/drivers/nfc/pn533/usb.c
++++ b/drivers/nfc/pn533/usb.c
+@@ -175,6 +175,7 @@ static int pn533_usb_send_frame(struct pn533 *dev,
+ print_hex_dump_debug("PN533 TX: ", DUMP_PREFIX_NONE, 16, 1,
+ out->data, out->len, false);
+
++ arg.phy = phy;
+ init_completion(&arg.done);
+ cntx = phy->out_urb->context;
+ phy->out_urb->context = &arg;
+--
+2.39.2
+
diff --git a/queue-5.4/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch b/queue-5.4/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch
new file mode 100644
index 00000000000..c481d3fcb58
--- /dev/null
+++ b/queue-5.4/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch
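Review bot: Setting `arg.phy = phy;` in pn533_usb_send_frame() fixes the one member that pn533_out_complete() was seen to dereference, but `arg` is still filled in member by member, so any field added to struct pn533_out_arg later starts out as stack garbage again. Initialising it where it is declared with a designated initializer, `struct pn533_out_arg arg = { .phy = phy };`, zeroes the remaining members and leaves the `init_completion(&arg.done);` call as it is. The declaration of `arg` is outside the hunk, so this assumes it is a plain local declared after `phy` is known.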
@@ -0,0 +1,72 @@
+From a2e045fe2be712ac8111510fa55ab62e797f985b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 00:08:37 +0800
+Subject: nfc: st-nci: Fix use after free bug in ndlc_remove due to race
+ condition
+
+From: Zheng Wang
+
+[ Upstream commit 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6 ]
+
+This bug influences both st_nci_i2c_remove and st_nci_spi_remove.
+Take st_nci_i2c_remove as an example.
+
+In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work
+with llt_ndlc_sm_work.
+
+When it calls ndlc_recv or timeout handler, it will finally call
+schedule_work to start the work.
+
+When we call st_nci_i2c_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in ndlc_remove
+
+CPU0 CPU1
+
+ |llt_ndlc_sm_work
+st_nci_i2c_remove |
+ ndlc_remove |
+ st_nci_remove |
+ nci_free_device|
+ kfree(ndev) |
+//free ndlc->ndev |
+ |llt_ndlc_rcv_queue
+ |nci_recv_frame
+ |//use ndlc->ndev
+
+Fixes: 35630df68d60 ("NFC: st21nfcb: Add driver for STMicroelectronics ST21NFCB NFC chip")
+Signed-off-by: Zheng Wang
+Reviewed-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20230312160837.2040857-1-zyytlz.wz@163.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/nfc/st-nci/ndlc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nfc/st-nci/ndlc.c b/drivers/nfc/st-nci/ndlc.c
+index 5d74c674368a5..8ccf5a86ad1bb 100644
+--- a/drivers/nfc/st-nci/ndlc.c
++++ b/drivers/nfc/st-nci/ndlc.c
+@@ -286,13 +286,15 @@ EXPORT_SYMBOL(ndlc_probe);
+
+ void ndlc_remove(struct llt_ndlc *ndlc)
+ {
+- st_nci_remove(ndlc->ndev);
+-
+ /* cancel timers */
+ del_timer_sync(&ndlc->t1_timer);
+ del_timer_sync(&ndlc->t2_timer);
+ ndlc->t2_active = false;
+ ndlc->t1_active = false;
++ /* cancel work */
++ cancel_work_sync(&ndlc->sm_work);
++
++ st_nci_remove(ndlc->ndev);
+
+ skb_queue_purge(&ndlc->rcv_q);
+ skb_queue_purge(&ndlc->send_q);
+--
+2.39.2
+
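Review bot: In ndlc_remove() the window closed by `cancel_work_sync(&ndlc->sm_work)` can reopen before `st_nci_remove(ndlc->ndev)` frees the device. The commit message says both ndlc_recv and the timeout handlers end in schedule_work, and nothing in this hunk stops ndlc_recv from queueing sm_work again once the cancel has returned. If the work function can itself re-arm t1_timer or t2_timer (not visible here), a work item running during the two del_timer_sync() calls could also leave a timer pending that reschedules the work later. The new ordering is only safe if the i2c/spi remove paths have already quiesced the interrupt, so I would state that at the top of the function, e.g. `/* caller must have disabled the transport IRQ: ndlc_recv() would requeue sm_work */`, and confirm it in st_nci_i2c_remove and st_nci_spi_remove.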
diff --git a/queue-5.4/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch b/queue-5.4/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch
new file mode 100644
index 00000000000..671d589cbbc
--- /dev/null
+++ b/queue-5.4/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch
@@ -0,0 +1,46 @@
+From b7f8b04d97f5fda2558a082626fe2b60b6a73898 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Mar 2023 10:13:13 +0900
+Subject: nvmet: avoid potential UAF in nvmet_req_complete()
+
+From: Damien Le Moal
+
+[ Upstream commit 6173a77b7e9d3e202bdb9897b23f2a8afe7bf286 ]
+
+An nvme target ->queue_response() operation implementation may free the
+request passed as argument. Such implementation potentially could result
+in a use after free of the request pointer when percpu_ref_put() is
+called in nvmet_req_complete().
+
+Avoid such problem by using a local variable to save the sq pointer
+before calling __nvmet_req_complete(), thus avoiding dereferencing the
+req pointer after that function call.
+
+Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
+Signed-off-by: Damien Le Moal
+Reviewed-by: Chaitanya Kulkarni
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/target/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index ff206faae775c..d109333b95b81 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -728,8 +728,10 @@ static void __nvmet_req_complete(struct nvmet_req *req, u16 status)
+
+ void nvmet_req_complete(struct nvmet_req *req, u16 status)
+ {
++ struct nvmet_sq *sq = req->sq;
++
+ __nvmet_req_complete(req, status);
+- percpu_ref_put(&req->sq->ref);
++ percpu_ref_put(&sq->ref);
+ }
+ EXPORT_SYMBOL_GPL(nvmet_req_complete);
+
+--
+2.39.2
+
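Review bot: The new local `sq` in nvmet_req_complete() has no comment saying why it exists, so it reads like a redundant temporary that a later cleanup could fold back into `percpu_ref_put(&req->sq->ref)`, reintroducing the use after free described in the commit message. A one-line comment above the declaration would keep the invariant next to the code: `/* ->queue_response() may free req; do not touch req after __nvmet_req_complete() */`.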
diff --git a/queue-5.4/qed-qed_dev-guard-against-a-possible-division-by-zer.patch b/queue-5.4/qed-qed_dev-guard-against-a-possible-division-by-zer.patch
new file mode 100644
index 00000000000..150cc240549
--- /dev/null
+++ b/queue-5.4/qed-qed_dev-guard-against-a-possible-division-by-zer.patch
@@ -0,0 +1,46 @@
+From 70a2fb860a9e87967b76b944a6ba8cf70aa6fcf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Mar 2023 23:15:56 +0300
+Subject: qed/qed_dev: guard against a possible division by zero
+
+From: Daniil Tatianin
+
+[ Upstream commit 1a9dc5610ef89d807acdcfbff93a558f341a44da ]
+
+Previously we would divide total_left_rate by zero if num_vports
+happened to be 1 because non_requested_count is calculated as
+num_vports - req_count. Guard against this by validating num_vports at
+the beginning and returning an error otherwise.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Fixes: bcd197c81f63 ("qed: Add vport WFQ configuration APIs")
+Signed-off-by: Daniil Tatianin
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230309201556.191392-1-d-tatianin@yandex-team.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index a923c65532702..35119778cf1f1 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -5139,6 +5139,11 @@ static int qed_init_wfq_param(struct qed_hwfn *p_hwfn,
+
+ num_vports = p_hwfn->qm_info.num_vports;
+
++ if (num_vports < 2) {
++ DP_NOTICE(p_hwfn, "Unexpected num_vports: %d\n", num_vports);
++ return -EINVAL;
++ }
++
+ /* Accounting for the vports which are configured for WFQ explicitly */
+ for (i = 0; i < num_vports; i++) {
+ u32 tmp_speed;
+--
+2.39.2
+
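Review bot: The new `num_vports < 2` check in qed_init_wfq_param() covers only one way the divisor can reach zero. Per the commit message the divisor is `non_requested_count = num_vports - req_count`, and req_count is built by the loop that begins at the end of this hunk; if every vport can be counted as explicitly configured, req_count would equal num_vports and the division would still fault with two or more vports. The loop body and the division are outside the hunk, so this needs checking against the full function. A guard at the point of use, `if (!non_requested_count) return -EINVAL;` (or skipping the per-vport split when nothing is left to distribute), would cover both cases.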
diff --git a/queue-5.4/scsi-core-fix-a-comment-in-function-scsi_host_dev_re.patch b/queue-5.4/scsi-core-fix-a-comment-in-function-scsi_host_dev_re.patch
new file mode 100644
index 00000000000..cdb56b5898b
--- /dev/null
+++ b/queue-5.4/scsi-core-fix-a-comment-in-function-scsi_host_dev_re.patch
@@ -0,0 +1,38 @@
+From 19e320e5d6d12940f065aca1a384a68932bdf0dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 May 2021 19:35:26 +0800
+Subject: scsi: core: Fix a comment in function scsi_host_dev_release()
+
+From: Xiang Chen
+
+[ Upstream commit 2dde5c8d912efea43be94d6a83ac9cb74879fa12 ]
+
+Commit 3be8828fc507 ("scsi: core: Avoid that ATA error handling can
+trigger a kernel hang or oops") moved rcu to scsi_cmnd instead of
+shost. Modify "shost->rcu" to "scmd->rcu" in a comment.
+
+Link: https://lore.kernel.org/r/1620646526-193154-1-git-send-email-chenxiang66@hisilicon.com
+Signed-off-by: Xiang Chen
+Signed-off-by: Martin K. Petersen
+Stable-dep-of: be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression")
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/hosts.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index b08d963013db6..d3a63961b98a9 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -322,7 +322,7 @@ static void scsi_host_dev_release(struct device *dev)
+ /* In case scsi_remove_host() has not been called. */
+ scsi_proc_hostdir_rm(shost->hostt);
+
+- /* Wait for functions invoked through call_rcu(&shost->rcu, ...) */
++ /* Wait for functions invoked through call_rcu(&scmd->rcu, ...) */
+ rcu_barrier();
+
+ if (shost->tmf_work_q)
+--
+2.39.2
+
diff --git a/queue-5.4/scsi-core-fix-a-procfs-host-directory-removal-regres.patch b/queue-5.4/scsi-core-fix-a-procfs-host-directory-removal-regres.patch
new file mode 100644
index 00000000000..3113e68f538
--- /dev/null
+++ b/queue-5.4/scsi-core-fix-a-procfs-host-directory-removal-regres.patch
@@ -0,0 +1,47 @@
+From 37249dcd49fece1460feb6bbf014751ac2b5e70c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 13:44:28 -0800
+Subject: scsi: core: Fix a procfs host directory removal regression
+
+From: Bart Van Assche
+
+[ Upstream commit be03df3d4bfe7e8866d4aa43d62e648ffe884f5f ]
+
+scsi_proc_hostdir_rm() decreases a reference counter and hence must only be
+called once per host that is removed. This change does not require a
+scsi_add_host_with_dma() change since scsi_add_host_with_dma() will return
+0 (success) if scsi_proc_host_add() is called.
+
+Fixes: fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier")
+Cc: John Garry
+Reported-by: John Garry
+Link: https://lore.kernel.org/all/ed6b8027-a9d9-1b45-be8e-df4e8c6c4605@oracle.com/
+Reported-by: syzbot+645a4616b87a2f10e398@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-scsi/000000000000890fab05f65342b6@google.com/
+Signed-off-by: Bart Van Assche
+Link: https://lore.kernel.org/r/20230307214428.3703498-1-bvanassche@acm.org
+Tested-by: John Garry
+Tested-by: Shin'ichiro Kawasaki
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/hosts.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index d3a63961b98a9..b97e046c6a6e1 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -319,9 +319,6 @@ static void scsi_host_dev_release(struct device *dev)
+ struct Scsi_Host *shost = dev_to_shost(dev);
+ struct device *parent = dev->parent;
+
+- /* In case scsi_remove_host() has not been called. */
+- scsi_proc_hostdir_rm(shost->hostt);
+-
+ /* Wait for functions invoked through call_rcu(&scmd->rcu, ...) */
+ rcu_barrier();
+
+--
+2.39.2
+
diff --git a/queue-5.4/scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch b/queue-5.4/scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch
new file mode 100644
index 00000000000..51a5266fcdd
--- /dev/null
+++ b/queue-5.4/scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch 
@@ -0,0 +1,77 @@
+From ef1a2b08bb09e27a7842c407a32c3b044c33d97a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 25 Feb 2023 18:01:36 +0800
+Subject: scsi: mpt3sas: Fix NULL pointer access in
+ mpt3sas_transport_port_add()
+
+From: Wenchao Hao
+
+[ Upstream commit d3c57724f1569311e4b81e98fad0931028b9bdcd ]
+
+Port is allocated by sas_port_alloc_num() and rphy is allocated by either
+sas_end_device_alloc() or sas_expander_alloc(), all of which may return
+NULL. So we need to check the rphy to avoid possible NULL pointer access.
+
+If sas_rphy_add() returned with failure, rphy is set to NULL. We would
+access the rphy in the following lines which would also result NULL pointer
+access.
+
+Fixes: 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()")
+Signed-off-by: Wenchao Hao
+Link: https://lore.kernel.org/r/20230225100135.2109330-1-haowenchao2@huawei.com
+Acked-by: Sathya Prakash Veerichetty
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
+index b909cf100ea48..ebe78ec42da8b 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
+@@ -670,7 +670,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ goto out_fail;
+ }
+ port = sas_port_alloc_num(sas_node->parent_dev);
+- if ((sas_port_add(port))) {
++ if (!port || (sas_port_add(port))) {
+ ioc_err(ioc, "failure at %s:%d/%s()!\n",
+ __FILE__, __LINE__, __func__);
+ goto out_fail;
+@@ -695,6 +695,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ rphy = sas_expander_alloc(port,
+ mpt3sas_port->remote_identify.device_type);
+
++ if (!rphy) {
++ ioc_err(ioc, "failure at %s:%d/%s()!\n",
++ __FILE__, __LINE__, __func__);
++ goto out_delete_port;
++ }
++
+ rphy->identify = mpt3sas_port->remote_identify;
+
+ if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
+@@ -714,6 +720,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ __FILE__, __LINE__, __func__);
+ sas_rphy_free(rphy);
+ rphy = NULL;
++ goto out_delete_port;
+ }
+
+ if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
+@@ -741,7 +748,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ rphy_to_expander_device(rphy));
+ return mpt3sas_port;
+
+- out_fail:
++out_delete_port:
++ sas_port_delete(port);
++
++out_fail:
+ list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list,
+ port_siblings)
+ list_del(&mpt3sas_phy->port_siblings);
+--
+2.39.2
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 3718ee38d00..3c2351b3f88 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
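Review bot: In the first inner hunk, `if (!port || (sas_port_add(port)))` still jumps to out_fail when sas_port_add() fails on a successfully allocated port, and the visible part of out_fail only unlinks the phy list, so the port from sas_port_alloc_num() appears to leak on that path. Splitting the condition would let the add-failure branch release it with `sas_port_free(port);` before `goto out_fail;`; the rest of out_fail is outside the hunk, so confirm it does not already free it. Separately, `rphy = NULL;` just before the new `goto out_delete_port;` looks like a dead store now, unless the error path reads rphy.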
@@ -1 +1,31 @@
 ext4-fix-cgroup-writeback-accounting-with-fs-layer-encryption.patch
+xfrm-allow-transport-mode-states-with-af_unspec-sele.patch
+drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch
+cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch
+drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch
+clk-hi655x-select-regmap-instead-of-depending-on-it.patch
+docs-correct-missing-d_-prefix-for-dentry_operations.patch
+scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch
+alsa-hda-add-intel-dg1-pci-and-hdmi-ids.patch
+alsa-hda-controller-is-in-gpu-on-the-dg1.patch
+alsa-hda-add-alderlake-s-pci-id-and-hdmi-codec-vid.patch
+alsa-hda-add-intel-dg2-pci-id-and-hdmi-codec-vid.patch
+alsa-hda-match-only-intel-devices-with-controller_in.patch
+netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch
+scsi-core-fix-a-comment-in-function-scsi_host_dev_re.patch
+scsi-core-fix-a-procfs-host-directory-removal-regres.patch
+tcp-tcp_make_synack-can-be-called-from-process-conte.patch
+nfc-pn533-initialize-struct-pn533_out_arg-properly.patch
+ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch
+i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch
+qed-qed_dev-guard-against-a-possible-division-by-zer.patch
+net-tunnels-annotate-lockless-accesses-to-dev-needed.patch
+net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch
+nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch
+net-usb-smsc75xx-limit-packet-length-to-skb-len.patch
+nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch
+block-sunvdc-add-check-for-mdesc_grab-returning-null.patch
+ipv4-fix-incorrect-table-id-in-ioctl-path.patch
+net-usb-smsc75xx-move-packet-length-check-to-prevent.patch
+net-iucv-fix-size-of-interrupt-data.patch
+ethernet-sun-add-check-for-the-mdesc_grab.patch
diff --git a/queue-5.4/tcp-tcp_make_synack-can-be-called-from-process-conte.patch b/queue-5.4/tcp-tcp_make_synack-can-be-called-from-process-conte.patch
new file mode 100644
index 00000000000..2018645e359
--- /dev/null
+++ b/queue-5.4/tcp-tcp_make_synack-can-be-called-from-process-conte.patch
@@ -0,0 +1,64 @@
+From f9945e13851a7887316667714e94e6009fe1b869 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Mar 2023 11:07:45 -0800
+Subject: tcp: tcp_make_synack() can be called from process context
+
+From: Breno Leitao
+
+[ Upstream commit bced3f7db95ff2e6ca29dc4d1c9751ab5e736a09 ]
+
+tcp_rtx_synack() now could be called in process context as explained in
+0a375c822497 ("tcp: tcp_rtx_synack() can be called from process
+context").
+
+tcp_rtx_synack() might call tcp_make_synack(), which will touch per-CPU
+variables with preemption enabled. This causes the following BUG:
+
+ BUG: using __this_cpu_add() in preemptible [00000000] code: ThriftIO1/5464
+ caller is tcp_make_synack+0x841/0xac0
+ Call Trace:
+
+ dump_stack_lvl+0x10d/0x1a0
+ check_preemption_disabled+0x104/0x110
+ tcp_make_synack+0x841/0xac0
+ tcp_v6_send_synack+0x5c/0x450
+ tcp_rtx_synack+0xeb/0x1f0
+ inet_rtx_syn_ack+0x34/0x60
+ tcp_check_req+0x3af/0x9e0
+ tcp_rcv_state_process+0x59b/0x2030
+ tcp_v6_do_rcv+0x5f5/0x700
+ release_sock+0x3a/0xf0
+ tcp_sendmsg+0x33/0x40
+ ____sys_sendmsg+0x2f2/0x490
+ __sys_sendmsg+0x184/0x230
+ do_syscall_64+0x3d/0x90
+
+Avoid calling __TCP_INC_STATS() with will touch per-cpu variables. Use
+TCP_INC_STATS() which is safe to be called from context switch.
+
+Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners")
+Signed-off-by: Breno Leitao
+Reviewed-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230308190745.780221-1-leitao@debian.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index b4a9f6948cb52..6ac84b273ffbb 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3374,7 +3374,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
+ th->window = htons(min(req->rsk_rcv_wnd, 65535U));
+ tcp_options_write((__be32 *)(th + 1), NULL, &opts);
+ th->doff = (tcp_header_size >> 2);
+- __TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);
++ TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);
+
+ #ifdef CONFIG_TCP_MD5SIG
+ /* Okay, we have all we need - do the md5 hash if needed */
+--
+2.39.2
+
diff --git a/queue-5.4/xfrm-allow-transport-mode-states-with-af_unspec-sele.patch b/queue-5.4/xfrm-allow-transport-mode-states-with-af_unspec-sele.patch
new file mode 100644
index 00000000000..affcd48b2f1
--- /dev/null
+++ b/queue-5.4/xfrm-allow-transport-mode-states-with-af_unspec-sele.patch
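Review bot: The call `TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);` in tcp_make_synack() gives no hint at the call site of why the non-underscore variant is required, so it is easy to switch back to `__TCP_INC_STATS()` in a later cleanup. A short comment above it would record the constraint from the commit message: `/* may run in process context via tcp_rtx_synack(); __TCP_INC_STATS() is not preemption-safe here */`. The function body starts and ends outside the hunk.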
@@ -0,0 +1,44 @@
+From 941fcf8bb15a3f24591d2959240a2627ff5780c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Feb 2023 13:54:00 +0800
+Subject: xfrm: Allow transport-mode states with AF_UNSPEC selector
+
+From: Herbert Xu
+
+[ Upstream commit c276a706ea1f51cf9723ed8484feceaf961b8f89 ]
+
+xfrm state selectors are matched against the inner-most flow
+which can be of any address family. Therefore middle states
+in nested configurations need to carry a wildcard selector in
+order to work at all.
+
+However, this is currently forbidden for transport-mode states.
+
+Fix this by removing the unnecessary check.
+
+Fixes: 13996378e658 ("[IPSEC]: Rename mode to outer_mode and add inner_mode")
+Reported-by: David George
+Signed-off-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_state.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index bee1a8143d75f..e8be18bff0960 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -2511,9 +2511,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload)
+ if (inner_mode == NULL)
+ goto error;
+
+- if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL))
+- goto error;
+-
+ x->inner_mode = *inner_mode;
+
+ if (x->props.family == AF_INET)
+--
+2.39.2
+