From: Sasha Levin
Date: Sun, 8 Sep 2024 13:22:05 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v4.19.322~65
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=82efe387dd98205b1f2e03bf848a7af5788c57f6;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.19
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch b/queue-4.19/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch
new file mode 100644
index 00000000000..0220157afac
--- /dev/null
+++ b/queue-4.19/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch
@@ -0,0 +1,58 @@
+From 7c73b1f6112b34fa59ae87eef37a90332d1f339e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jun 2024 13:56:22 -0700
+Subject: af_unix: Remove put_pid()/put_cred() in copy_peercred().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit e4bd881d987121dbf1a288641491955a53d9f8f7 ]
+
+When (AF_UNIX, SOCK_STREAM) socket connect()s to a listening socket,
+the listener's sk_peer_pid/sk_peer_cred are copied to the client in
+copy_peercred().
+
+Then, the client's sk_peer_pid and sk_peer_cred are always NULL, so
+we need not call put_pid() and put_cred() there.
+
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/unix/af_unix.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index dfcafbb8cd0e..24fb6f00f597 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -610,9 +610,6 @@ static void init_peercred(struct sock *sk)
+
+ static void copy_peercred(struct sock *sk, struct sock *peersk)
+ {
+- const struct cred *old_cred;
+- struct pid *old_pid;
+-
+ if (sk < peersk) {
+ spin_lock(&sk->sk_peer_lock);
+ spin_lock_nested(&peersk->sk_peer_lock, SINGLE_DEPTH_NESTING);
+@@ -620,16 +617,12 @@ static void copy_peercred(struct sock *sk, struct sock *peersk)
+ spin_lock(&peersk->sk_peer_lock);
+ spin_lock_nested(&sk->sk_peer_lock, SINGLE_DEPTH_NESTING);
+ }
+- old_pid = sk->sk_peer_pid;
+- old_cred = sk->sk_peer_cred;
++
+ sk->sk_peer_pid = get_pid(peersk->sk_peer_pid);
+ sk->sk_peer_cred = get_cred(peersk->sk_peer_cred);
+
+ spin_unlock(&sk->sk_peer_lock);
+ spin_unlock(&peersk->sk_peer_lock);
+-
+- put_pid(old_pid);
+- put_cred(old_cred);
+ }
+
+ static int unix_listen(struct socket *sock, int backlog)
+--
+2.43.0
+
diff --git a/queue-4.19/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch b/queue-4.19/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch
new file mode 100644
index 00000000000..1591958e06a
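Review bot: The assignments to `sk->sk_peer_pid` and `sk->sk_peer_cred` in copy_peercred() now overwrite the previous values without releasing them, and nothing in the function records or enforces the commit message's premise that both are NULL for a connecting client. If that premise does not hold somewhere in this 4.19 backport (not verifiable from the hunk), the result is a silent pid/cred reference leak. A comment above the assignments, e.g. `/* sk is a connecting client: sk_peer_pid/sk_peer_cred are still NULL, nothing to put */`, or a `WARN_ON_ONCE(sk->sk_peer_pid || sk->sk_peer_cred);` after the locks are taken would make the invariant visible and checkable.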
--- /dev/null
+++ b/queue-4.19/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch
@@ -0,0 +1,61 @@
+From 3a12136c5addfaa0f6fd31ff1eac4c6246137dd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 16 Jun 2024 09:34:47 +0200
+Subject: ALSA: hda: Add input value sanity checks to HDMI channel map controls
+
+From: Takashi Iwai
+
+[ Upstream commit 6278056e42d953e207e2afd416be39d09ed2d496 ]
+
+Add a simple sanity check to HD-audio HDMI Channel Map controls.
+Although the value might not be accepted for the actual connection, we
+can filter out some bogus values beforehand, and that should be enough
+for making kselftest happier.
+
+Reviewed-by: Jaroslav Kysela
+Signed-off-by: Takashi Iwai
+Link: https://lore.kernel.org/20240616073454.16512-7-tiwai@suse.de
+Signed-off-by: Sasha Levin
+---
+ sound/hda/hdmi_chmap.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/sound/hda/hdmi_chmap.c b/sound/hda/hdmi_chmap.c
+index acbe61b8db7b..4463992d2102 100644
+--- a/sound/hda/hdmi_chmap.c
++++ b/sound/hda/hdmi_chmap.c
+@@ -752,6 +752,20 @@ static int hdmi_chmap_ctl_get(struct snd_kcontrol *kcontrol,
+ return 0;
+ }
+
++/* a simple sanity check for input values to chmap kcontrol */
++static int chmap_value_check(struct hdac_chmap *hchmap,
++ const struct snd_ctl_elem_value *ucontrol)
++{
++ int i;
++
++ for (i = 0; i < hchmap->channels_max; i++) {
++ if (ucontrol->value.integer.value[i] < 0 ||
++ ucontrol->value.integer.value[i] > SNDRV_CHMAP_LAST)
++ return -EINVAL;
++ }
++ return 0;
++}
++
+ static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol,
+ struct snd_ctl_elem_value *ucontrol)
+ {
+@@ -763,6 +777,10 @@ static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol,
+ unsigned char chmap[8], per_pin_chmap[8];
+ int i, err, ca, prepared = 0;
+
++ err = chmap_value_check(hchmap, ucontrol);
++ if (err < 0)
++ return err;
++
+ /* No monitor is connected in dyn_pcm_assign.
+ * It's invalid to setup the chmap
+ */
+--
+2.43.0
+
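Review bot: chmap_value_check() validates only the first `hchmap->channels_max` entries of `ucontrol->value.integer.value[]`, while hdmi_chmap_ctl_put() works with the fixed 8-entry buffers `chmap[8]` and `per_pin_chmap[8]`. The copy from ucontrol into those buffers lies outside the hunk; if it fills all eight slots, entries at index channels_max and above reach it unchecked and are narrowed to `unsigned char`. Bounding the check by the same count the copy uses, or stating in the helper's comment why channels_max is the right bound, would close that gap. The comment could also say that values outside `0..SNDRV_CHMAP_LAST` are rejected with `-EINVAL`.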
diff --git a/queue-4.19/ata-pata_macio-use-warn-instead-of-bug.patch b/queue-4.19/ata-pata_macio-use-warn-instead-of-bug.patch
new file mode 100644
index 00000000000..239d47a81d4
--- /dev/null
+++ b/queue-4.19/ata-pata_macio-use-warn-instead-of-bug.patch
@@ -0,0 +1,53 @@
+From eb3b81ebc6e21ee1490ef5ce6d7fd27bc9896dd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Aug 2024 13:04:07 +1000
+Subject: ata: pata_macio: Use WARN instead of BUG
+
+From: Michael Ellerman
+
+[ Upstream commit d4bc0a264fb482b019c84fbc7202dd3cab059087 ]
+
+The overflow/underflow conditions in pata_macio_qc_prep() should never
+happen. But if they do there's no need to kill the system entirely, a
+WARN and failing the IO request should be sufficient and might allow the
+system to keep running.
+
+Signed-off-by: Michael Ellerman
+Signed-off-by: Damien Le Moal
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/pata_macio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/pata_macio.c b/drivers/ata/pata_macio.c
+index 765b99319d3c..7beb5dd9ff87 100644
+--- a/drivers/ata/pata_macio.c
++++ b/drivers/ata/pata_macio.c
+@@ -537,7 +537,8 @@ static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc)
+
+ while (sg_len) {
+ /* table overflow should never happen */
+- BUG_ON (pi++ >= MAX_DCMDS);
++ if (WARN_ON_ONCE(pi >= MAX_DCMDS))
++ return AC_ERR_SYSTEM;
+
+ len = (sg_len < MAX_DBDMA_SEG) ? sg_len : MAX_DBDMA_SEG;
+ table->command = cpu_to_le16(write ? OUTPUT_MORE: INPUT_MORE);
+@@ -549,11 +550,13 @@ static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc)
+ addr += len;
+ sg_len -= len;
+ ++table;
++ ++pi;
+ }
+ }
+
+ /* Should never happen according to Tejun */
+- BUG_ON(!pi);
++ if (WARN_ON_ONCE(!pi))
++ return AC_ERR_SYSTEM;
+
+ /* Convert the last command to an input/output */
+ table--;
+--
+2.43.0
+
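Review bot: The two comments kept above the new checks in pata_macio_qc_prep() (`/* table overflow should never happen */` and `/* Should never happen according to Tejun */`) no longer say what the code does when the condition is hit; `/* table overflow should never happen; warn once and fail the request */` would. Because the checks use `WARN_ON_ONCE`, only the first occurrence is logged and every later one fails the command with `AC_ERR_SYSTEM` without a trace, which makes a recurring fault hard to spot; a rate-limited device message next to each return would keep it visible. The function starts and ends outside the hunk.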
diff --git a/queue-4.19/bridge-switchdev-allow-clearing-fdb-entry-offload-in.patch b/queue-4.19/bridge-switchdev-allow-clearing-fdb-entry-offload-in.patch new file mode 100644 index 00000000000..2d790ce6be3 --- /dev/null +++ b/queue-4.19/bridge-switchdev-allow-clearing-fdb-entry-offload-in.patch 
@@ -0,0 +1,221 @@ +From 71bc0073585860561dd2f2e5de51a8e4806455ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Oct 2018 08:53:29 +0000 +Subject: bridge: switchdev: Allow clearing FDB entry offload indication + +From: Ido Schimmel + +[ Upstream commit e9ba0fbc7dd23a74e77960c98c988f59a1ff75aa ] + +Currently, an FDB entry only ceases being offloaded when it is deleted. +This changes with VxLAN encapsulation. + +Devices capable of performing VxLAN encapsulation usually have only one +FDB table, unlike the software data path which has two - one in the +bridge driver and another in the VxLAN driver. + +Therefore, bridge FDB entries pointing to a VxLAN device are only +offloaded if there is a corresponding entry in the VxLAN FDB. + +Allow clearing the offload indication in case the corresponding entry +was deleted from the VxLAN FDB. + +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Signed-off-by: David S. Miller +Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 9 +++++---- + drivers/net/ethernet/rocker/rocker_main.c | 1 + + include/net/switchdev.h | 3 ++- + net/bridge/br.c | 4 ++-- + net/bridge/br_fdb.c | 4 ++-- + net/bridge/br_private.h | 2 +- + net/bridge/br_switchdev.c | 9 ++++++--- + net/dsa/slave.c | 1 + + 8 files changed, 20 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c +index 8d556eb37b7a..c0c73b76f6c7 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c +@@ -2072,12 +2072,13 @@ void mlxsw_sp_port_bridge_leave(struct mlxsw_sp_port *mlxsw_sp_port, + static void + mlxsw_sp_fdb_call_notifiers(enum switchdev_notifier_type type, + const char *mac, u16 vid, +- struct net_device *dev) ++ struct net_device *dev, bool 
offloaded) + { + struct switchdev_notifier_fdb_info info; + + info.addr = mac; + info.vid = vid; ++ info.offloaded = offloaded; + call_switchdev_notifiers(type, dev, &info.info); + } + +@@ -2129,7 +2130,7 @@ static void mlxsw_sp_fdb_notify_mac_process(struct mlxsw_sp *mlxsw_sp, + if (!do_notification) + return; + type = adding ? SWITCHDEV_FDB_ADD_TO_BRIDGE : SWITCHDEV_FDB_DEL_TO_BRIDGE; +- mlxsw_sp_fdb_call_notifiers(type, mac, vid, bridge_port->dev); ++ mlxsw_sp_fdb_call_notifiers(type, mac, vid, bridge_port->dev, adding); + + return; + +@@ -2189,7 +2190,7 @@ static void mlxsw_sp_fdb_notify_mac_lag_process(struct mlxsw_sp *mlxsw_sp, + if (!do_notification) + return; + type = adding ? SWITCHDEV_FDB_ADD_TO_BRIDGE : SWITCHDEV_FDB_DEL_TO_BRIDGE; +- mlxsw_sp_fdb_call_notifiers(type, mac, vid, bridge_port->dev); ++ mlxsw_sp_fdb_call_notifiers(type, mac, vid, bridge_port->dev, adding); + + return; + +@@ -2294,7 +2295,7 @@ static void mlxsw_sp_switchdev_event_work(struct work_struct *work) + break; + mlxsw_sp_fdb_call_notifiers(SWITCHDEV_FDB_OFFLOADED, + fdb_info->addr, +- fdb_info->vid, dev); ++ fdb_info->vid, dev, true); + break; + case SWITCHDEV_FDB_DEL_TO_DEVICE: + fdb_info = &switchdev_work->fdb_info; +diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c +index b13ab4eee4c7..7d81de57b6f4 100644 +--- a/drivers/net/ethernet/rocker/rocker_main.c ++++ b/drivers/net/ethernet/rocker/rocker_main.c +@@ -2728,6 +2728,7 @@ rocker_fdb_offload_notify(struct rocker_port *rocker_port, + + info.addr = recv_info->addr; + info.vid = recv_info->vid; ++ info.offloaded = true; + call_switchdev_notifiers(SWITCHDEV_FDB_OFFLOADED, + rocker_port->dev, &info.info); + } +diff --git a/include/net/switchdev.h b/include/net/switchdev.h +index d574ce63bf22..435bb79925b2 100644 +--- a/include/net/switchdev.h ++++ b/include/net/switchdev.h +@@ -155,7 +155,8 @@ struct switchdev_notifier_fdb_info { + struct switchdev_notifier_info info; /* must be first 
*/ + const unsigned char *addr; + u16 vid; +- bool added_by_user; ++ u8 added_by_user:1, ++ offloaded:1; + }; + + static inline struct net_device * +diff --git a/net/bridge/br.c b/net/bridge/br.c +index b0a0b82e2d91..a175f5557873 100644 +--- a/net/bridge/br.c ++++ b/net/bridge/br.c +@@ -151,7 +151,7 @@ static int br_switchdev_event(struct notifier_block *unused, + break; + } + br_fdb_offloaded_set(br, p, fdb_info->addr, +- fdb_info->vid); ++ fdb_info->vid, true); + break; + case SWITCHDEV_FDB_DEL_TO_BRIDGE: + fdb_info = ptr; +@@ -163,7 +163,7 @@ static int br_switchdev_event(struct notifier_block *unused, + case SWITCHDEV_FDB_OFFLOADED: + fdb_info = ptr; + br_fdb_offloaded_set(br, p, fdb_info->addr, +- fdb_info->vid); ++ fdb_info->vid, fdb_info->offloaded); + break; + } + +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index 1714f4e91fca..a659e7c4ee43 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -1156,7 +1156,7 @@ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p, + } + + void br_fdb_offloaded_set(struct net_bridge *br, struct net_bridge_port *p, +- const unsigned char *addr, u16 vid) ++ const unsigned char *addr, u16 vid, bool offloaded) + { + struct net_bridge_fdb_entry *fdb; + +@@ -1164,7 +1164,7 @@ void br_fdb_offloaded_set(struct net_bridge *br, struct net_bridge_port *p, + + fdb = br_fdb_find(br, addr, vid); + if (fdb) +- fdb->offloaded = 1; ++ fdb->offloaded = offloaded; + + spin_unlock_bh(&br->hash_lock); + } +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 4e0c6f9d9c16..f5e258ca3043 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -565,7 +565,7 @@ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p, + const unsigned char *addr, u16 vid, + bool swdev_notify); + void br_fdb_offloaded_set(struct net_bridge *br, struct net_bridge_port *p, +- const unsigned char *addr, u16 vid); ++ const unsigned char *addr, u16 vid, bool 
offloaded); + + /* br_forward.c */ + enum br_pkt_type { +diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c +index d77f807420c4..b993df770675 100644 +--- a/net/bridge/br_switchdev.c ++++ b/net/bridge/br_switchdev.c +@@ -103,7 +103,7 @@ int br_switchdev_set_port_flag(struct net_bridge_port *p, + static void + br_switchdev_fdb_call_notifiers(bool adding, const unsigned char *mac, + u16 vid, struct net_device *dev, +- bool added_by_user) ++ bool added_by_user, bool offloaded) + { + struct switchdev_notifier_fdb_info info; + unsigned long notifier_type; +@@ -111,6 +111,7 @@ br_switchdev_fdb_call_notifiers(bool adding, const unsigned char *mac, + info.addr = mac; + info.vid = vid; + info.added_by_user = added_by_user; ++ info.offloaded = offloaded; + notifier_type = adding ? SWITCHDEV_FDB_ADD_TO_DEVICE : SWITCHDEV_FDB_DEL_TO_DEVICE; + call_switchdev_notifiers(notifier_type, dev, &info.info); + } +@@ -126,13 +127,15 @@ br_switchdev_fdb_notify(const struct net_bridge_fdb_entry *fdb, int type) + br_switchdev_fdb_call_notifiers(false, fdb->key.addr.addr, + fdb->key.vlan_id, + fdb->dst->dev, +- fdb->added_by_user); ++ fdb->added_by_user, ++ fdb->offloaded); + break; + case RTM_NEWNEIGH: + br_switchdev_fdb_call_notifiers(true, fdb->key.addr.addr, + fdb->key.vlan_id, + fdb->dst->dev, +- fdb->added_by_user); ++ fdb->added_by_user, ++ fdb->offloaded); + break; + } + } +diff --git a/net/dsa/slave.c b/net/dsa/slave.c +index f7c122357a96..9b74e439809f 100644 +--- a/net/dsa/slave.c ++++ b/net/dsa/slave.c +@@ -1464,6 +1464,7 @@ static void dsa_slave_switchdev_event_work(struct work_struct *work) + netdev_dbg(dev, "fdb add failed err=%d\n", err); + break; + } ++ fdb_info->offloaded = true; + call_switchdev_notifiers(SWITCHDEV_FDB_OFFLOADED, dev, + &fdb_info->info); + break; +-- +2.43.0 + 
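Review bot: `struct switchdev_notifier_fdb_info info` in mlxsw_sp_fdb_call_notifiers() is a stack variable with no initialiser, and the function sets only `addr`, `vid` and `offloaded`. With `added_by_user` and `offloaded` now packed into one `u8` bitfield, `added_by_user` and the six spare bits go to the notifier chain holding whatever was on the stack. rocker_fdb_offload_notify() sets the same three fields; its declaration of `info` is outside the hunk, so the same presumably applies there. Declaring the variable as `struct switchdev_notifier_fdb_info info = {};` (or adding `info.added_by_user = false;`) in both helpers removes the dependence on stack contents for any notifier that reads `added_by_user`.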
diff --git a/queue-4.19/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch b/queue-4.19/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch new file mode 100644 index 00000000000..e0102217776 --- /dev/null +++ b/queue-4.19/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch 
@@ -0,0 +1,90 @@ +From e10df5bfd7212ca9487a51e9a10c268eaaed0a31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 14:12:13 -0400 +Subject: btrfs: clean up our handling of refs == 0 in snapshot delete + +From: Josef Bacik + +[ Upstream commit b8ccef048354074a548f108e51d0557d6adfd3a3 ] + +In reada we BUG_ON(refs == 0), which could be unkind since we aren't +holding a lock on the extent leaf and thus could get a transient +incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which +could happen if we have extent tree corruption. Change that to return +-EUCLEAN. In do_walk_down() we catch this case and handle it correctly, +however we return -EIO, which -EUCLEAN is a more appropriate error code. +Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert +that to proper error handling. Also adjust the error message so we can +actually do something with the information. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 635d51c8098d..6b8ece5175ef 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -8409,7 +8409,15 @@ static noinline void reada_walk_down(struct btrfs_trans_handle *trans, + /* We don't care about errors in readahead. */ + if (ret < 0) + continue; +- BUG_ON(refs == 0); ++ ++ /* ++ * This could be racey, it's conceivable that we raced and end ++ * up with a bogus refs count, if that's the case just skip, if ++ * we are actually corrupt we will notice when we look up ++ * everything again with our locks. 
++ */ ++ if (refs == 0) ++ continue; + + if (wc->stage == DROP_REFERENCE) { + if (refs == 1) +@@ -8476,7 +8484,11 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans, + BUG_ON(ret == -ENOMEM); + if (ret) + return ret; +- BUG_ON(wc->refs[level] == 0); ++ if (unlikely(wc->refs[level] == 0)) { ++ btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0", ++ eb->start); ++ return -EUCLEAN; ++ } + } + + if (wc->stage == DROP_REFERENCE) { +@@ -8584,8 +8596,9 @@ static noinline int do_walk_down(struct btrfs_trans_handle *trans, + goto out_unlock; + + if (unlikely(wc->refs[level - 1] == 0)) { +- btrfs_err(fs_info, "Missing references."); +- ret = -EIO; ++ btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0", ++ bytenr); ++ ret = -EUCLEAN; + goto out_unlock; + } + *lookup_info = 0; +@@ -8753,7 +8766,12 @@ static noinline int walk_up_proc(struct btrfs_trans_handle *trans, + path->locks[level] = 0; + return ret; + } +- BUG_ON(wc->refs[level] == 0); ++ if (unlikely(wc->refs[level] == 0)) { ++ btrfs_tree_unlock_rw(eb, path->locks[level]); ++ btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0", ++ eb->start); ++ return -EUCLEAN; ++ } + if (wc->refs[level] == 1) { + btrfs_tree_unlock_rw(eb, path->locks[level]); + path->locks[level] = 0; +-- +2.43.0 + diff --git a/queue-4.19/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch b/queue-4.19/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch new file mode 100644 index 00000000000..e7ba3ba36cf --- /dev/null +++ b/queue-4.19/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch 
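Review bot: The new `wc->refs[level] == 0` branch in walk_up_proc() calls `btrfs_tree_unlock_rw(eb, path->locks[level])` and returns `-EUCLEAN` without clearing `path->locks[level]`. The error branch just above it and the `refs[level] == 1` branch just below both set `path->locks[level] = 0` after unlocking. If the caller later releases the path (outside this hunk), the stale lock flag could cause the same extent buffer to be unlocked a second time. Adding `path->locks[level] = 0;` right after the unlock keeps the three branches consistent.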
@@ -0,0 +1,56 @@ +From d2744c2f15f98b9e94c2f6bf5890a0afa461fd2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 21:59:24 +0200 +Subject: btrfs: initialize location to fix -Wmaybe-uninitialized in + btrfs_lookup_dentry() + +From: David Sterba + +[ Upstream commit b8e947e9f64cac9df85a07672b658df5b2bcff07 ] + +Some arch + compiler combinations report a potentially unused variable +location in btrfs_lookup_dentry(). This is a false alert as the variable +is passed by value and always valid or there's an error. The compilers +cannot probably reason about that although btrfs_inode_by_name() is in +the same file. + + > + /kisskb/src/fs/btrfs/inode.c: error: 'location.objectid' may be used + +uninitialized in this function [-Werror=maybe-uninitialized]: => 5603:9 + > + /kisskb/src/fs/btrfs/inode.c: error: 'location.type' may be used + +uninitialized in this function [-Werror=maybe-uninitialized]: => 5674:5 + + m68k-gcc8/m68k-allmodconfig + mips-gcc8/mips-allmodconfig + powerpc-gcc5/powerpc-all{mod,yes}config + powerpc-gcc5/ppc64_defconfig + +Initialize it to zero, this should fix the warnings and won't change the +behaviour as btrfs_inode_by_name() accepts only a root or inode item +types, otherwise returns an error. 
+ +Reported-by: Geert Uytterhoeven +Tested-by: Geert Uytterhoeven +Link: https://lore.kernel.org/linux-btrfs/bd4e9928-17b3-9257-8ba7-6b7f9bbb639a@linux-m68k.org/ +Reviewed-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 15ebebed4005..22059aa5eb26 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -5869,7 +5869,7 @@ struct inode *btrfs_lookup_dentry(struct inode *dir, struct dentry *dentry) + struct inode *inode; + struct btrfs_root *root = BTRFS_I(dir)->root; + struct btrfs_root *sub_root = root; +- struct btrfs_key location; ++ struct btrfs_key location = { 0 }; + u8 di_type = 0; + int index; + int ret = 0; +-- +2.43.0 + diff --git a/queue-4.19/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch b/queue-4.19/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch new file mode 100644 index 00000000000..c2ef5b44e59 --- /dev/null +++ b/queue-4.19/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch 
@@ -0,0 +1,46 @@ +From ede6627af477cf92c6e10807d9e82d983c416d35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 14:12:12 -0400 +Subject: btrfs: replace BUG_ON with ASSERT in walk_down_proc() + +From: Josef Bacik + +[ Upstream commit 1f9d44c0a12730a24f8bb75c5e1102207413cc9b ] + +We have a couple of areas where we check to make sure the tree block is +locked before looking up or messing with references. This is old code +so it has this as BUG_ON(). Convert this to ASSERT() for developers. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 51f21cd61422..635d51c8098d 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -8468,7 +8468,7 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans, + if (lookup_info && + ((wc->stage == DROP_REFERENCE && wc->refs[level] != 1) || + (wc->stage == UPDATE_BACKREF && !(wc->flags[level] & flag)))) { +- BUG_ON(!path->locks[level]); ++ ASSERT(path->locks[level]); + ret = btrfs_lookup_extent_info(trans, fs_info, + eb->start, level, 1, + &wc->refs[level], +@@ -8492,7 +8492,7 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans, + + /* wc->stage == UPDATE_BACKREF */ + if (!(wc->flags[level] & flag)) { +- BUG_ON(!path->locks[level]); ++ ASSERT(path->locks[level]); + ret = btrfs_inc_ref(trans, root, eb, 1); + BUG_ON(ret); /* -ENOMEM */ + ret = btrfs_dec_ref(trans, root, eb, 0); +-- +2.43.0 + diff --git a/queue-4.19/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch b/queue-4.19/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch new file mode 100644 index 00000000000..3a251e8a7fe --- /dev/null +++ b/queue-4.19/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch 
@@ -0,0 +1,99 @@ +From f06613b021bf39ff362d0aabb0851caf8374a56f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 12:28:42 -0700 +Subject: can: bcm: Remove proc entry when dev is unregistered. + +From: Kuniyuki Iwashima + +[ Upstream commit 76fe372ccb81b0c89b6cd2fec26e2f38c958be85 ] + +syzkaller reported a warning in bcm_connect() below. [0] + +The repro calls connect() to vxcan1, removes vxcan1, and calls +connect() with ifindex == 0. + +Calling connect() for a BCM socket allocates a proc entry. +Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). + +However, removing the bound device resets bcm_sk(sk)->bound to 0 +in bcm_notify(). + +The 2nd connect() tries to allocate a proc entry with the same +name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the +original proc entry. + +Since the proc entry is available only for connect()ed sockets, +let's clean up the entry when the bound netdev is unregistered. + +[0]: +proc_dir_entry 'can-bcm/2456' already registered +WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375 +Modules linked in: +CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375 +Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48 +RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246 +RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 +RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0 +R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec +FS: 00007fbd7086f740(0000) 
GS:ff1100013fd00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220 + bcm_connect+0x472/0x840 net/can/bcm.c:1673 + __sys_connect_file net/socket.c:2049 [inline] + __sys_connect+0x5d2/0x690 net/socket.c:2066 + __do_sys_connect net/socket.c:2076 [inline] + __se_sys_connect net/socket.c:2073 [inline] + __x64_sys_connect+0x8f/0x100 net/socket.c:2073 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 +RIP: 0033:0x7fbd708b0e5d +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 +RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d +RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040 +R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098 +R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000 + +remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456' + +Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/all/20240722192842.37421-1-kuniyu@amazon.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/bcm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/can/bcm.c b/net/can/bcm.c +index 1c9953c68f09..095f68536c14 100644 +--- 
a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -1422,6 +1422,10 @@ static void bcm_notify(struct bcm_sock *bo, unsigned long msg, + + /* remove device reference, if this is our bound device */ + if (bo->bound && bo->ifindex == dev->ifindex) { ++#if IS_ENABLED(CONFIG_PROC_FS) ++ if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read) ++ remove_proc_entry(bo->procname, sock_net(sk)->can.bcmproc_dir); ++#endif + bo->bound = 0; + bo->ifindex = 0; + notify_enodev = 1; +-- +2.43.0 + diff --git a/queue-4.19/cgroup-protect-css-cgroup-write-under-css_set_lock.patch b/queue-4.19/cgroup-protect-css-cgroup-write-under-css_set_lock.patch new file mode 100644 index 00000000000..57f419d9979 --- /dev/null +++ b/queue-4.19/cgroup-protect-css-cgroup-write-under-css_set_lock.patch 
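Review bot: bcm_notify() now calls `remove_proc_entry(bo->procname, sock_net(sk)->can.bcmproc_dir)` but leaves `bo->bcm_proc_read` pointing at the entry it just removed. The guard added here tests that same pointer, so any later teardown path that checks `bo->bcm_proc_read` before removing the entry (socket release is the likely one, but it is outside this hunk) would try to remove the name a second time. Clearing the pointer closes that window: put the call in braces and add `bo->bcm_proc_read = NULL;` after it. bcm_notify()'s body continues outside the hunk.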
@@ -0,0 +1,45 @@
+From a0bded996c9cec5a6645def0c0f9117be38e55ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Jul 2024 14:52:29 -0400
+Subject: cgroup: Protect css->cgroup write under css_set_lock
+
+From: Waiman Long
+
+[ Upstream commit 57b56d16800e8961278ecff0dc755d46c4575092 ]
+
+The writing of css->cgroup associated with the cgroup root in
+rebind_subsystems() is currently protected only by cgroup_mutex.
+However, the reading of css->cgroup in both proc_cpuset_show() and
+proc_cgroup_show() is protected just by css_set_lock. That makes the
+readers susceptible to racing problems like data tearing or caching.
+It is also a problem that can be reported by KCSAN.
+
+This can be fixed by using READ_ONCE() and WRITE_ONCE() to access
+css->cgroup. Alternatively, the writing of css->cgroup can be moved
+under css_set_lock as well which is done by this patch.
+
+Signed-off-by: Waiman Long
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+---
+ kernel/cgroup/cgroup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 6322b56529e9..30c058806702 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -1712,9 +1712,9 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+ RCU_INIT_POINTER(scgrp->subsys[ssid], NULL);
+ rcu_assign_pointer(dcgrp->subsys[ssid], css);
+ ss->root = dst_root;
+- css->cgroup = dcgrp;
+
+ spin_lock_irq(&css_set_lock);
++ css->cgroup = dcgrp;
+ WARN_ON(!list_empty(&dcgrp->e_csets[ss->id]));
+ list_for_each_entry_safe(cset, cset_pos, &scgrp->e_csets[ss->id],
+ e_cset_node[ss->id]) {
+--
+2.43.0
+
diff --git a/queue-4.19/cx82310_eth-re-enable-ethernet-mode-after-router-reb.patch b/queue-4.19/cx82310_eth-re-enable-ethernet-mode-after-router-reb.patch
new file mode 100644
index 00000000000..c61d233746b
--- /dev/null
+++ b/queue-4.19/cx82310_eth-re-enable-ethernet-mode-after-router-reb.patch
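Review bot: The store `css->cgroup = dcgrp;` now sits inside the `spin_lock_irq(&css_set_lock)` section of rebind_subsystems() with no comment saying why, so a later cleanup could move it back next to `ss->root = dst_root;`. A short comment above the store, such as `/* css->cgroup is read under css_set_lock by proc_cpuset_show() and proc_cgroup_show() */`, would record the locking rule the commit message describes. rebind_subsystems() starts and ends outside the hunk.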
@@ -0,0 +1,146 @@ +From 01914725d5d1c61e812869bf0142c8e1cbf73ca0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Oct 2020 16:00:46 +0200 +Subject: cx82310_eth: re-enable ethernet mode after router reboot + +From: Ondrej Zary + +[ Upstream commit ca139d76b0d9e59d18f2d2ec8f0d81b82acd6808 ] + +When the router is rebooted without a power cycle, the USB device +remains connected but its configuration is reset. This results in +a non-working ethernet connection with messages like this in syslog: + usb 2-2: RX packet too long: 65535 B + +Re-enable ethernet mode when receiving a packet with invalid size of +0xffff. + +Signed-off-by: Ondrej Zary +Signed-off-by: Jakub Kicinski +Stable-dep-of: bab8eb0dd4cb ("usbnet: modern method to get random MAC") +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cx82310_eth.c | 50 ++++++++++++++++++++++++++++++----- + 1 file changed, 44 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c +index dfbdea22fbad..6a9a5e540b09 100644 +--- a/drivers/net/usb/cx82310_eth.c ++++ b/drivers/net/usb/cx82310_eth.c +@@ -52,6 +52,11 @@ enum cx82310_status { + #define CX82310_MTU 1514 + #define CMD_EP 0x01 + ++struct cx82310_priv { ++ struct work_struct reenable_work; ++ struct usbnet *dev; ++}; ++ + /* + * execute control command + * - optionally send some data (command parameters) +@@ -127,6 +132,23 @@ static int cx82310_cmd(struct usbnet *dev, enum cx82310_cmd cmd, bool reply, + return ret; + } + ++static int cx82310_enable_ethernet(struct usbnet *dev) ++{ ++ int ret = cx82310_cmd(dev, CMD_ETHERNET_MODE, true, "\x01", 1, NULL, 0); ++ ++ if (ret) ++ netdev_err(dev->net, "unable to enable ethernet mode: %d\n", ++ ret); ++ return ret; ++} ++ ++static void cx82310_reenable_work(struct work_struct *work) ++{ ++ struct cx82310_priv *priv = container_of(work, struct cx82310_priv, ++ reenable_work); ++ cx82310_enable_ethernet(priv->dev); ++} ++ + #define partial_len data[0] /* length of partial 
packet data */ + #define partial_rem data[1] /* remaining (missing) data length */ + #define partial_data data[2] /* partial packet data */ +@@ -138,6 +160,7 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf) + struct usb_device *udev = dev->udev; + u8 link[3]; + int timeout = 50; ++ struct cx82310_priv *priv; + + /* avoid ADSL modems - continue only if iProduct is "USB NET CARD" */ + if (usb_string(udev, udev->descriptor.iProduct, buf, sizeof(buf)) > 0 +@@ -164,6 +187,15 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf) + if (!dev->partial_data) + return -ENOMEM; + ++ priv = kzalloc(sizeof(*priv), GFP_KERNEL); ++ if (!priv) { ++ ret = -ENOMEM; ++ goto err_partial; ++ } ++ dev->driver_priv = priv; ++ INIT_WORK(&priv->reenable_work, cx82310_reenable_work); ++ priv->dev = dev; ++ + /* wait for firmware to become ready (indicated by the link being up) */ + while (--timeout) { + ret = cx82310_cmd(dev, CMD_GET_LINK_STATUS, true, NULL, 0, +@@ -180,12 +212,8 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf) + } + + /* enable ethernet mode (?) 
*/ +- ret = cx82310_cmd(dev, CMD_ETHERNET_MODE, true, "\x01", 1, NULL, 0); +- if (ret) { +- dev_err(&udev->dev, "unable to enable ethernet mode: %d\n", +- ret); ++ if (cx82310_enable_ethernet(dev)) + goto err; +- } + + /* get the MAC address */ + ret = cx82310_cmd(dev, CMD_GET_MAC_ADDR, true, NULL, 0, +@@ -202,13 +230,19 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf) + + return 0; + err: ++ kfree(dev->driver_priv); ++err_partial: + kfree((void *)dev->partial_data); + return ret; + } + + static void cx82310_unbind(struct usbnet *dev, struct usb_interface *intf) + { ++ struct cx82310_priv *priv = dev->driver_priv; ++ + kfree((void *)dev->partial_data); ++ cancel_work_sync(&priv->reenable_work); ++ kfree(dev->driver_priv); + } + + /* +@@ -223,6 +257,7 @@ static int cx82310_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + { + int len; + struct sk_buff *skb2; ++ struct cx82310_priv *priv = dev->driver_priv; + + /* + * If the last skb ended with an incomplete packet, this skb contains +@@ -257,7 +292,10 @@ static int cx82310_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + break; + } + +- if (len > CX82310_MTU) { ++ if (len == 0xffff) { ++ netdev_info(dev->net, "router was rebooted, re-enabling ethernet mode"); ++ schedule_work(&priv->reenable_work); ++ } else if (len > CX82310_MTU) { + dev_err(&dev->udev->dev, "RX packet too long: %d B\n", + len); + return 0; +-- +2.43.0 + diff --git a/queue-4.19/devres-initialize-an-uninitialized-struct-member.patch b/queue-4.19/devres-initialize-an-uninitialized-struct-member.patch new file mode 100644 index 00000000000..068137cfbfe --- /dev/null +++ b/queue-4.19/devres-initialize-an-uninitialized-struct-member.patch 
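Review bot: In cx82310_bind() the rewritten `if (cx82310_enable_ethernet(dev)) goto err;` discards the helper's return value, so when the `err:` label reaches `return ret;`, `ret` still holds whatever the preceding `CMD_GET_LINK_STATUS` call left in it. If that was 0, bind reports success after `dev->driver_priv` and `dev->partial_data` have been freed, leaving dangling pointers for cx82310_unbind() and cx82310_rx_fixup(); `ret = cx82310_enable_ethernet(dev);` followed by `if (ret) goto err;` keeps the error code. Separately, in cx82310_rx_fixup() the `len == 0xffff` branch schedules the work but, unlike the `len > CX82310_MTU` branch, does not return, so a device-supplied length of 65535 flows into the rest of the loop, which is outside the hunk. Please confirm that is intended, or add `return 0;` to that branch.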
@@ -0,0 +1,35 @@ +From c8c191dd6b56e7d328f4635bf7830e331908daab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 22:51:52 +0800 +Subject: devres: Initialize an uninitialized struct member + +From: Zijun Hu + +[ Upstream commit 56a20ad349b5c51909cf8810f7c79b288864ad33 ] + +Initialize an uninitialized struct member for driver API +devres_open_group(). + +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/1719931914-19035-4-git-send-email-quic_zijuhu@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/devres.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/base/devres.c b/drivers/base/devres.c +index a64f70a62e28..f9e5deb72db6 100644 +--- a/drivers/base/devres.c ++++ b/drivers/base/devres.c +@@ -559,6 +559,7 @@ void * devres_open_group(struct device *dev, void *id, gfp_t gfp) + grp->id = grp; + if (id) + grp->id = id; ++ grp->color = 0; + + spin_lock_irqsave(&dev->devres_lock, flags); + add_dr(dev, &grp->node[0]); +-- +2.43.0 + diff --git a/queue-4.19/drivers-net-usb-remove-all-strcpy-uses.patch b/queue-4.19/drivers-net-usb-remove-all-strcpy-uses.patch new file mode 100644 index 00000000000..16bc24726ba --- /dev/null +++ b/queue-4.19/drivers-net-usb-remove-all-strcpy-uses.patch 
@@ -0,0 +1,68 @@ +From efc299d391cc20499434c54bdde3de33e429b0b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Aug 2021 19:12:26 +0200 +Subject: drivers/net/usb: Remove all strcpy() uses + +From: Len Baker + +[ Upstream commit 493c3ca6bd754d8587604496eb814f72e933075d ] + +strcpy() performs no bounds checking on the destination buffer. This +could result in linear overflows beyond the end of the buffer, leading +to all kinds of misbehaviors. The safe replacement is strscpy(). + +Signed-off-by: Len Baker +Signed-off-by: David S. Miller +Stable-dep-of: bab8eb0dd4cb ("usbnet: modern method to get random MAC") +Signed-off-by: Sasha Levin +--- + drivers/net/usb/ipheth.c | 2 +- + drivers/net/usb/usbnet.c | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c +index cea005cc7b2a..5e8fd2aa1888 100644 +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -497,7 +497,7 @@ static int ipheth_probe(struct usb_interface *intf, + + netdev->netdev_ops = &ipheth_netdev_ops; + netdev->watchdog_timeo = IPHETH_TX_TIMEOUT; +- strcpy(netdev->name, "eth%d"); ++ strscpy(netdev->name, "eth%d", sizeof(netdev->name)); + + dev = netdev_priv(netdev); + dev->udev = udev; +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index f7f037b399a7..8065af844410 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1722,7 +1722,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + dev->interrupt_count = 0; + + dev->net = net; +- strcpy (net->name, "usb%d"); ++ strscpy(net->name, "usb%d", sizeof(net->name)); + memcpy (net->dev_addr, node_id, sizeof node_id); + + /* rx and tx sides can use different message sizes; +@@ -1749,13 +1749,13 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + if ((dev->driver_info->flags & FLAG_ETHER) != 0 && + ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 || + (net->dev_addr 
[0] & 0x02) == 0)) +- strcpy (net->name, "eth%d"); ++ strscpy(net->name, "eth%d", sizeof(net->name)); + /* WLAN devices should always be named "wlan%d" */ + if ((dev->driver_info->flags & FLAG_WLAN) != 0) +- strcpy(net->name, "wlan%d"); ++ strscpy(net->name, "wlan%d", sizeof(net->name)); + /* WWAN devices should always be named "wwan%d" */ + if ((dev->driver_info->flags & FLAG_WWAN) != 0) +- strcpy(net->name, "wwan%d"); ++ strscpy(net->name, "wwan%d", sizeof(net->name)); + + /* devices that cannot do ARP */ + if ((dev->driver_info->flags & FLAG_NOARP) != 0) +-- +2.43.0 + diff --git a/queue-4.19/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch b/queue-4.19/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch new file mode 100644 index 00000000000..952e0dae826 --- /dev/null +++ b/queue-4.19/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch 
@@ -0,0 +1,38 @@ +From 24d17d1dc590adfda223967dd8bf3e7904c4ac8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 19:42:43 -0400 +Subject: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup + +From: Camila Alvarez + +[ Upstream commit a6e9c391d45b5865b61e569146304cff72821a5d ] + +report_fixup for the Cougar 500k Gaming Keyboard was not verifying +that the report descriptor size was correct before accessing it + +Reported-by: syzbot+24c0361074799d02c452@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452 +Signed-off-by: Camila Alvarez +Reviewed-by: Silvan Jegen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-cougar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-cougar.c b/drivers/hid/hid-cougar.c +index ad2e87de7dc5..d58a108a96c0 100644 +--- a/drivers/hid/hid-cougar.c ++++ b/drivers/hid/hid-cougar.c +@@ -104,7 +104,7 @@ static void cougar_fix_g6_mapping(struct hid_device *hdev) + static __u8 *cougar_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (rdesc[2] == 0x09 && rdesc[3] == 0x02 && ++ if (*rsize >= 117 && rdesc[2] == 0x09 && rdesc[3] == 0x02 && + (rdesc[115] | rdesc[116] << 8) >= HID_MAX_USAGES) { + hid_info(hdev, + "usage count exceeds max: fixing up report descriptor\n"); +-- +2.43.0 + diff --git a/queue-4.19/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch b/queue-4.19/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch new file mode 100644 index 00000000000..68c648f58ba --- /dev/null +++ b/queue-4.19/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch 
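Review bot: The new `*rsize >= 117` guard in cougar_report_fixup uses a bare literal, and its meaning (one more than the highest index read, `rdesc[116]`) has to be worked out from the line below it. A comment such as `/* need rdesc[0..116]: the value compared with HID_MAX_USAGES is read from bytes 115-116 */`, or a named constant, would keep the bound and the indexes from drifting apart if the offsets ever change. The body of the `if` continues outside the hunk, so any further rdesc accesses there should be checked against the same bound.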
@@ -0,0 +1,44 @@ +From 7cb38035c940e0065b58fa9d17c6d5cc329e9e03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jul 2024 23:43:04 -0700 +Subject: hwmon: (adc128d818) Fix underflows seen when writing limit attributes + +From: Guenter Roeck + +[ Upstream commit 8cad724c8537fe3e0da8004646abc00290adae40 ] + +DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large +negative number such as -9223372036854775808 is provided by the user. +Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. + +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/adc128d818.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/adc128d818.c b/drivers/hwmon/adc128d818.c +index bd2ca315c9d8..5abb28cd81bf 100644 +--- a/drivers/hwmon/adc128d818.c ++++ b/drivers/hwmon/adc128d818.c +@@ -184,7 +184,7 @@ static ssize_t adc128_set_in(struct device *dev, struct device_attribute *attr, + + mutex_lock(&data->update_lock); + /* 10 mV LSB on limit registers */ +- regval = clamp_val(DIV_ROUND_CLOSEST(val, 10), 0, 255); ++ regval = DIV_ROUND_CLOSEST(clamp_val(val, 0, 2550), 10); + data->in[index][nr] = regval << 4; + reg = index == 1 ? ADC128_REG_IN_MIN(nr) : ADC128_REG_IN_MAX(nr); + i2c_smbus_write_byte_data(data->client, reg, regval); +@@ -222,7 +222,7 @@ static ssize_t adc128_set_temp(struct device *dev, + return err; + + mutex_lock(&data->update_lock); +- regval = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127); ++ regval = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000); + data->temp[index] = regval << 1; + i2c_smbus_write_byte_data(data->client, + index == 1 ? ADC128_REG_TEMP_MAX +-- +2.43.0 + diff --git a/queue-4.19/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch b/queue-4.19/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch new file mode 100644 index 00000000000..b848906f7f9 --- /dev/null +++ b/queue-4.19/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch 
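Review bot: The clamp bounds in adc128_set_in (`2550`) and adc128_set_temp (`-128000`, `127000`) are the old register limits multiplied by hand by the divisor passed to DIV_ROUND_CLOSEST on the same line. A later change to either number would silently break the range. Writing the bound as a product, e.g. `clamp_val(val, 0, 255 * 10)` and `clamp_val(val, -128 * 1000, 127 * 1000)`, keeps the register limit readable, as set_tcrit2 in the lm95234 patch on this page already does with `(index ? 255 : 127) * 1000`. The same applies to store_temp_offset in nct6775.c and to store_target_temp and store_tolerance in w83627ehf.c. Both adc128 functions start and end outside their hunks.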
@@ -0,0 +1,63 @@ +From eb0a221d0a2ecdf526ac4769a9f59999fa109e0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jul 2024 23:48:42 -0700 +Subject: hwmon: (lm95234) Fix underflows seen when writing limit attributes + +From: Guenter Roeck + +[ Upstream commit af64e3e1537896337405f880c1e9ac1f8c0c6198 ] + +DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large +negative number such as -9223372036854775808 is provided by the user. +Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. + +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/lm95234.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/hwmon/lm95234.c b/drivers/hwmon/lm95234.c +index c7fcc9e7f57a..13912ac7c69f 100644 +--- a/drivers/hwmon/lm95234.c ++++ b/drivers/hwmon/lm95234.c +@@ -310,7 +310,8 @@ static ssize_t set_tcrit2(struct device *dev, struct device_attribute *attr, + if (ret < 0) + return ret; + +- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, index ? 255 : 127); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, (index ? 
255 : 127) * 1000), ++ 1000); + + mutex_lock(&data->update_lock); + data->tcrit2[index] = val; +@@ -359,7 +360,7 @@ static ssize_t set_tcrit1(struct device *dev, struct device_attribute *attr, + if (ret < 0) + return ret; + +- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 255); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 255000), 1000); + + mutex_lock(&data->update_lock); + data->tcrit1[index] = val; +@@ -400,7 +401,7 @@ static ssize_t set_tcrit1_hyst(struct device *dev, + if (ret < 0) + return ret; + +- val = DIV_ROUND_CLOSEST(val, 1000); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, -255000, 255000), 1000); + val = clamp_val((int)data->tcrit1[index] - val, 0, 31); + + mutex_lock(&data->update_lock); +@@ -440,7 +441,7 @@ static ssize_t set_offset(struct device *dev, struct device_attribute *attr, + return ret; + + /* Accuracy is 1/2 degrees C */ +- val = clamp_val(DIV_ROUND_CLOSEST(val, 500), -128, 127); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, -64000, 63500), 500); + + mutex_lock(&data->update_lock); + data->toffset[index] = val; +-- +2.43.0 + diff --git a/queue-4.19/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch b/queue-4.19/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch new file mode 100644 index 00000000000..191714d3100 --- /dev/null +++ b/queue-4.19/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch 
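Review bot: In set_tcrit1_hyst the subtraction `(int)data->tcrit1[index] - val` reads the cached limit before `mutex_lock(&data->update_lock)` is taken, while set_tcrit1 writes `data->tcrit1[index]` under that lock. If the two store handlers can run concurrently (nothing in the hunk rules it out), the hysteresis may be computed against a limit that is being replaced. Moving the line `val = clamp_val((int)data->tcrit1[index] - val, 0, 31);` below the mutex_lock() call would close that window. The function continues outside the hunk.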
@@ -0,0 +1,36 @@ +From c6d7ec84788dd80d1d643d985179ea84d9539315 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jul 2024 23:50:08 -0700 +Subject: hwmon: (nct6775-core) Fix underflows seen when writing limit + attributes + +From: Guenter Roeck + +[ Upstream commit 0403e10bf0824bf0ec2bb135d4cf1c0cc3bf4bf0 ] + +DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large +negative number such as -9223372036854775808 is provided by the user. +Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. + +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/nct6775.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c +index 559101a1c136..23581dc62246 100644 +--- a/drivers/hwmon/nct6775.c ++++ b/drivers/hwmon/nct6775.c +@@ -2264,7 +2264,7 @@ store_temp_offset(struct device *dev, struct device_attribute *attr, + if (err < 0) + return err; + +- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000); + + mutex_lock(&data->update_lock); + data->temp_offset[nr] = val; +-- +2.43.0 + diff --git a/queue-4.19/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch b/queue-4.19/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch new file mode 100644 index 00000000000..f341ba0dccb --- /dev/null +++ b/queue-4.19/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch 
@@ -0,0 +1,44 @@ +From aa56abda1b37c777d7fddf9f32d1b194ecbf7aaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jul 2024 23:51:34 -0700 +Subject: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes + +From: Guenter Roeck + +[ Upstream commit 5c1de37969b7bc0abcb20b86e91e70caebbd4f89 ] + +DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large +negative number such as -9223372036854775808 is provided by the user. +Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. + +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/w83627ehf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c +index ad68b6d9ff17..8da5f77b8987 100644 +--- a/drivers/hwmon/w83627ehf.c ++++ b/drivers/hwmon/w83627ehf.c +@@ -1519,7 +1519,7 @@ store_target_temp(struct device *dev, struct device_attribute *attr, + if (err < 0) + return err; + +- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 127); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 127000), 1000); + + mutex_lock(&data->update_lock); + data->target_temp[nr] = val; +@@ -1545,7 +1545,7 @@ store_tolerance(struct device *dev, struct device_attribute *attr, + return err; + + /* Limit the temp to 0C - 15C */ +- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 15); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 15000), 1000); + + mutex_lock(&data->update_lock); + if (sio_data->kind == nct6775 || sio_data->kind == nct6776) { +-- +2.43.0 + diff --git a/queue-4.19/igb-fix-not-clearing-timesync-interrupts-for-82580.patch b/queue-4.19/igb-fix-not-clearing-timesync-interrupts-for-82580.patch new file mode 100644 index 00000000000..c7a443e2abd --- /dev/null +++ b/queue-4.19/igb-fix-not-clearing-timesync-interrupts-for-82580.patch 
@@ -0,0 +1,70 @@ +From 0b11af75acf01db075cd27f7e0cde5c58fc816dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Aug 2024 21:55:53 -0700 +Subject: igb: Fix not clearing TimeSync interrupts for 82580 + +From: Daiwei Li + +[ Upstream commit ba8cf80724dbc09825b52498e4efacb563935408 ] + +82580 NICs have a hardware bug that makes it +necessary to write into the TSICR (TimeSync Interrupt Cause) register +to clear it: +https://lore.kernel.org/all/CDCB8BE0.1EC2C%25matthew.vick@intel.com/ + +Add a conditional so only for 82580 we write into the TSICR register, +so we don't risk losing events for other models. + +Without this change, when running ptp4l with an Intel 82580 card, +I get the following output: + +> timed out while polling for tx timestamp increasing tx_timestamp_timeout or +> increasing kworker priority may correct this issue, but a driver bug likely +> causes it + +This goes away with this change. + +This (partially) reverts commit ee14cc9ea19b ("igb: Fix missing time sync events"). 
+ +Fixes: ee14cc9ea19b ("igb: Fix missing time sync events") +Closes: https://lore.kernel.org/intel-wired-lan/CAN0jFd1kO0MMtOh8N2Ztxn6f7vvDKp2h507sMryobkBKe=xk=w@mail.gmail.com/ +Tested-by: Daiwei Li +Suggested-by: Vinicius Costa Gomes +Signed-off-by: Daiwei Li +Acked-by: Vinicius Costa Gomes +Reviewed-by: Kurt Kanzenbach +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 5d8d5915bc27..01138fc93ea1 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -6554,10 +6554,20 @@ static void igb_extts(struct igb_adapter *adapter, int tsintr_tt) + + static void igb_tsync_interrupt(struct igb_adapter *adapter) + { ++ const u32 mask = (TSINTR_SYS_WRAP | E1000_TSICR_TXTS | ++ TSINTR_TT0 | TSINTR_TT1 | ++ TSINTR_AUTT0 | TSINTR_AUTT1); + struct e1000_hw *hw = &adapter->hw; + u32 tsicr = rd32(E1000_TSICR); + struct ptp_clock_event event; + ++ if (hw->mac.type == e1000_82580) { ++ /* 82580 has a hardware bug that requires an explicit ++ * write to clear the TimeSync interrupt cause. ++ */ ++ wr32(E1000_TSICR, tsicr & mask); ++ } ++ + if (tsicr & TSINTR_SYS_WRAP) { + event.type = PTP_CLOCK_PPS; + if (adapter->ptp_caps.pps) +-- +2.43.0 + diff --git a/queue-4.19/input-uinput-reject-requests-with-unreasonable-numbe.patch b/queue-4.19/input-uinput-reject-requests-with-unreasonable-numbe.patch new file mode 100644 index 00000000000..16edf5cc79d --- /dev/null +++ b/queue-4.19/input-uinput-reject-requests-with-unreasonable-numbe.patch 
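Review bot: The new `mask` in igb_tsync_interrupt has no comment tying it to the cause bits the handler services, so a cause handled later in the function but missing from the mask would not be cleared by this write on 82580. A one-line comment above the declaration, e.g. `/* every TSICR cause handled below; keep in sync when adding a handler */`, would make that dependency explicit. Most of the handler body lies outside the hunk, so whether the six listed bits match the handlers could not be confirmed here.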
@@ -0,0 +1,59 @@ +From ed0a4c60527dbf9bb5ea4975232dffbbc39049cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Aug 2024 17:50:25 -0700 +Subject: Input: uinput - reject requests with unreasonable number of slots + +From: Dmitry Torokhov + +[ Upstream commit 206f533a0a7c683982af473079c4111f4a0f9f5e ] + +From: Dmitry Torokhov + +When exercising uinput interface syzkaller may try setting up device +with a really large number of slots, which causes memory allocation +failure in input_mt_init_slots(). While this allocation failure is +handled properly and request is rejected, it results in syzkaller +reports. Additionally, such request may put undue burden on the +system which will try to free a lot of memory for a bogus request. + +Fix it by limiting allowed number of slots to 100. This can easily +be extended if we see devices that can track more than 100 contacts. + +Reported-by: Tetsuo Handa +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=0122fa359a69694395d5 +Link: https://lore.kernel.org/r/Zqgi7NYEbpRsJfa2@google.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/uinput.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c +index e746920872a4..50839c902518 100644 +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -429,6 +429,20 @@ static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code, + return -EINVAL; + } + ++ /* ++ * Limit number of contacts to a reasonable value (100). This ++ * ensures that we need less than 2 pages for struct input_mt ++ * (we are not using in-kernel slot assignment so not going to ++ * allocate memory for the "red" table), and we should have no ++ * trouble getting this much memory. 
++ */ ++ if (code == ABS_MT_SLOT && max > 99) { ++ printk(KERN_DEBUG ++ "%s: unreasonably large number of slots requested: %d\n", ++ UINPUT_NAME, max); ++ return -EINVAL; ++ } ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-4.19/iommu-vt-d-handle-volatile-descriptor-status-read.patch b/queue-4.19/iommu-vt-d-handle-volatile-descriptor-status-read.patch new file mode 100644 index 00000000000..a890d7ce4eb --- /dev/null +++ b/queue-4.19/iommu-vt-d-handle-volatile-descriptor-status-read.patch 
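Review bot: The check `max > 99` in uinput_validate_absinfo and the "(100)" in the comment above it agree only if `max` is the highest slot index rather than the slot count, which the hunk does not state. Saying so in the comment, e.g. `max is the highest slot index, so max > 99 means more than 100 slots`, or using a named constant for the limit, would prevent an off-by-one when the limit is changed. The rejection is also logged with a plain printk(KERN_DEBUG) on a path driven by the caller's request, so a ratelimited variant may be worth considering. The function starts outside the hunk.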
@@ -0,0 +1,56 @@ +From 04b39be3f04c1d792a0122a64a560285b0e83234 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 21:08:33 +0800 +Subject: iommu/vt-d: Handle volatile descriptor status read + +From: Jacob Pan + +[ Upstream commit b5e86a95541cea737394a1da967df4cd4d8f7182 ] + +Queued invalidation wait descriptor status is volatile in that IOMMU +hardware writes the data upon completion. + +Use READ_ONCE() to prevent compiler optimizations which ensures memory +reads every time. As a side effect, READ_ONCE() also enforces strict +types and may add an extra instruction. But it should not have negative +performance impact since we use cpu_relax anyway and the extra time(by +adding an instruction) may allow IOMMU HW request cacheline ownership +easier. + +e.g. gcc 12.3 +BEFORE: + 81 38 ad de 00 00 cmpl $0x2,(%rax) + +AFTER (with READ_ONCE()) + 772f: 8b 00 mov (%rax),%eax + 7731: 3d ad de 00 00 cmp $0x2,%eax + //status data is 32 bit + +Signed-off-by: Jacob Pan +Reviewed-by: Kevin Tian +Reviewed-by: Yi Liu +Link: https://lore.kernel.org/r/20240607173817.3914600-1-jacob.jun.pan@linux.intel.com +Signed-off-by: Lu Baolu +Link: https://lore.kernel.org/r/20240702130839.108139-2-baolu.lu@linux.intel.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/dmar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c +index 3ea851583724..865847546f8e 100644 +--- a/drivers/iommu/dmar.c ++++ b/drivers/iommu/dmar.c +@@ -1292,7 +1292,7 @@ int qi_submit_sync(struct qi_desc *desc, struct intel_iommu *iommu) + */ + writel(qi->free_head << DMAR_IQ_SHIFT, iommu->reg + DMAR_IQT_REG); + +- while (qi->desc_status[wait_index] != QI_DONE) { ++ while (READ_ONCE(qi->desc_status[wait_index]) != QI_DONE) { + /* + * We will leave the interrupts disabled, to prevent interrupt + * context to queue another cmd while a cmd is already submitted +-- +2.43.0 + 
diff --git a/queue-4.19/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch b/queue-4.19/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch new file mode 100644 index 00000000000..c42c471dd2f --- /dev/null +++ b/queue-4.19/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch @@ -0,0 +1,46 @@ +From 547d0900c62518a1ad32538f30044d192ccef78a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 11:38:28 +0200 +Subject: irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 3cef738208e5c3cb7084e208caf9bbf684f24feb ] + +IRQs 0 (IPI) and 1 (MSI) are handled internally by this driver, +generic_handle_domain_irq() is never called for these IRQs. + +Disallow mapping these IRQs. + +[ Marek: changed commit message ] + +Signed-off-by: Pali Rohár +Signed-off-by: Marek Behún +Signed-off-by: Thomas Gleixner +Reviewed-by: Andrew Lunn +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-armada-370-xp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/irqchip/irq-armada-370-xp.c b/drivers/irqchip/irq-armada-370-xp.c +index 0fd428db3aa4..73c386aba368 100644 +--- a/drivers/irqchip/irq-armada-370-xp.c ++++ b/drivers/irqchip/irq-armada-370-xp.c +@@ -346,6 +346,10 @@ static struct irq_chip armada_370_xp_irq_chip = { + static int armada_370_xp_mpic_irq_map(struct irq_domain *h, + unsigned int virq, irq_hw_number_t hw) + { ++ /* IRQs 0 and 1 cannot be mapped, they are handled internally */ ++ if (hw <= 1) ++ return -EINVAL; ++ + armada_370_xp_irq_mask(irq_get_irq_data(virq)); + if (!is_percpu_irq(hw)) + writel(hw, per_cpu_int_base + +-- +2.43.0 + diff --git a/queue-4.19/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch b/queue-4.19/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch new file mode 100644 index 00000000000..14a2c405751 --- /dev/null 
+++ b/queue-4.19/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch @@ -0,0 +1,39 @@ +From ac1e3874c82a3176b455cc721b9edef2de5e8526 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 09:35:22 +0800 +Subject: media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse + +From: Chen Ni + +[ Upstream commit 4caf6d93d9f2c11d6441c64e1c549c445fa322ed ] + +Add check for the return value of v4l2_fwnode_endpoint_parse() and +return the error if it fails in order to catch the error. + +Signed-off-by: Chen Ni +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/camss/camss.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c +index 669615fff6a0..0fc7951640e2 100644 +--- a/drivers/media/platform/qcom/camss/camss.c ++++ b/drivers/media/platform/qcom/camss/camss.c +@@ -431,8 +431,11 @@ static int camss_of_parse_endpoint_node(struct device *dev, + struct v4l2_fwnode_bus_mipi_csi2 *mipi_csi2; + struct v4l2_fwnode_endpoint vep = { { 0 } }; + unsigned int i; ++ int ret; + +- v4l2_fwnode_endpoint_parse(of_fwnode_handle(node), &vep); ++ ret = v4l2_fwnode_endpoint_parse(of_fwnode_handle(node), &vep); ++ if (ret) ++ return ret; + + csd->interface.csiphy_id = vep.base.port; + +-- +2.43.0 + diff --git a/queue-4.19/net-bridge-add-support-for-sticky-fdb-entries.patch b/queue-4.19/net-bridge-add-support-for-sticky-fdb-entries.patch new file mode 100644 index 00000000000..2d04ad087eb --- /dev/null +++ b/queue-4.19/net-bridge-add-support-for-sticky-fdb-entries.patch 
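Review bot: The new error return in camss_of_parse_endpoint_node is silent, so a malformed endpoint node makes the function fail without any indication of which call rejected it. Since `dev` is already a parameter, a line such as `dev_err(dev, "endpoint parse failed: %d\n", ret);` before `return ret;` would make the failure diagnosable. The function continues outside the hunk, and whether the caller logs the error cannot be seen here.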
@@ -0,0 +1,116 @@ +From 9e6fd9468dcfe3a5e21af3c6a4f0895ab1f352c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Sep 2018 09:39:53 +0300 +Subject: net: bridge: add support for sticky fdb entries + +From: Nikolay Aleksandrov + +[ Upstream commit 435f2e7cc0b783615d7fbcf08f5f00d289f9caeb ] + +Add support for entries which are "sticky", i.e. will not change their port +if they show up from a different one. A new ndm flag is introduced for that +purpose - NTF_STICKY. We allow to set it only to non-local entries. + +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN") +Signed-off-by: Sasha Levin +--- + include/uapi/linux/neighbour.h | 1 + + net/bridge/br_fdb.c | 19 ++++++++++++++++--- + net/bridge/br_private.h | 1 + + 3 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h +index 904db6148476..998155444e0d 100644 +--- a/include/uapi/linux/neighbour.h ++++ b/include/uapi/linux/neighbour.h +@@ -43,6 +43,7 @@ enum { + #define NTF_PROXY 0x08 /* == ATF_PUBL */ + #define NTF_EXT_LEARNED 0x10 + #define NTF_OFFLOADED 0x20 ++#define NTF_STICKY 0x40 + #define NTF_ROUTER 0x80 + + /* +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index 4d4b9b5ea1c1..1714f4e91fca 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -584,7 +584,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source, + unsigned long now = jiffies; + + /* fastpath: update of existing entry */ +- if (unlikely(source != fdb->dst)) { ++ if (unlikely(source != fdb->dst && !fdb->is_sticky)) { + fdb->dst = source; + fdb_modified = true; + /* Take over HW learned entry */ +@@ -656,6 +656,8 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br, + ndm->ndm_flags |= NTF_OFFLOADED; + if (fdb->added_by_external_learn) + ndm->ndm_flags |= NTF_EXT_LEARNED; ++ if 
(fdb->is_sticky) ++ ndm->ndm_flags |= NTF_STICKY; + + if (nla_put(skb, NDA_LLADDR, ETH_ALEN, &fdb->key.addr)) + goto nla_put_failure; +@@ -772,8 +774,10 @@ int br_fdb_dump(struct sk_buff *skb, + + /* Update (create or replace) forwarding database entry */ + static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source, +- const __u8 *addr, __u16 state, __u16 flags, __u16 vid) ++ const u8 *addr, u16 state, u16 flags, u16 vid, ++ u8 ndm_flags) + { ++ u8 is_sticky = !!(ndm_flags & NTF_STICKY); + struct net_bridge_fdb_entry *fdb; + bool modified = false; + +@@ -789,6 +793,9 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source, + return -EINVAL; + } + ++ if (is_sticky && (state & NUD_PERMANENT)) ++ return -EINVAL; ++ + fdb = br_fdb_find(br, addr, vid); + if (fdb == NULL) { + if (!(flags & NLM_F_CREATE)) +@@ -832,6 +839,12 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source, + + modified = true; + } ++ ++ if (is_sticky != fdb->is_sticky) { ++ fdb->is_sticky = is_sticky; ++ modified = true; ++ } ++ + fdb->added_by_user = 1; + + fdb->used = jiffies; +@@ -865,7 +878,7 @@ static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br, + } else { + spin_lock_bh(&br->hash_lock); + err = fdb_add_entry(br, p, addr, ndm->ndm_state, +- nlh_flags, vid); ++ nlh_flags, vid, ndm->ndm_flags); + spin_unlock_bh(&br->hash_lock); + } + +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 7ca3b469242e..4e0c6f9d9c16 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -181,6 +181,7 @@ struct net_bridge_fdb_entry { + struct hlist_node fdb_node; + unsigned char is_local:1, + is_static:1, ++ is_sticky:1, + added_by_user:1, + added_by_external_learn:1, + offloaded:1; +-- +2.43.0 + 
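Review bot: The new store `fdb->is_sticky = is_sticky;` in fdb_add_entry is a read-modify-write of the bitfield that is_sticky now shares with is_local, is_static, added_by_user, added_by_external_learn and offloaded, and nothing in the change documents which lock protects it. __br_fdb_add calls fdb_add_entry under `br->hash_lock`, but the br_fdb_update fast path also tests the flag and the hunk does not show it holding that lock. If any path updates a neighbouring bit without the lock, one of the two updates can be lost. A comment on the field in br_private.h, e.g. `/* bitfield writes: br->hash_lock held */`, would record the rule. The functions touched in br_fdb.c extend beyond their hunks.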
diff --git a/queue-4.19/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch b/queue-4.19/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch new file mode 100644 index 00000000000..8c2d6cd0471 --- /dev/null +++ b/queue-4.19/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch 
@@ -0,0 +1,58 @@ +From c7736c920541cfb90a21bc42e5132084d924b90d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 10:19:57 +0200 +Subject: net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN + +From: Jonas Gorski + +[ Upstream commit bee2ef946d3184e99077be526567d791c473036f ] + +When userspace wants to take over a fdb entry by setting it as +EXTERN_LEARNED, we set both flags BR_FDB_ADDED_BY_EXT_LEARN and +BR_FDB_ADDED_BY_USER in br_fdb_external_learn_add(). + +If the bridge updates the entry later because its port changed, we clear +the BR_FDB_ADDED_BY_EXT_LEARN flag, but leave the BR_FDB_ADDED_BY_USER +flag set. + +If userspace then wants to take over the entry again, +br_fdb_external_learn_add() sees that BR_FDB_ADDED_BY_USER and skips +setting the BR_FDB_ADDED_BY_EXT_LEARN flags, thus silently ignores the +update. + +Fix this by always allowing to set BR_FDB_ADDED_BY_EXT_LEARN regardless +if this was a user fdb entry or not. + +Fixes: 710ae7287737 ("net: bridge: Mark FDB entries that were added by user as such") +Signed-off-by: Jonas Gorski +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20240903081958.29951-1-jonas.gorski@bisdn.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_fdb.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index d898e3814f91..a6e4901909e3 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -1116,12 +1116,10 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, + modified = true; + } + +- if (test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) { ++ if (test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) { + /* Refresh entry */ + fdb->used = jiffies; +- } else if (!test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags)) { +- /* Take over SW learned entry */ +- set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags); ++ } else { + modified = 
true; + } + +-- +2.43.0 + diff --git a/queue-4.19/net-bridge-fdb-convert-added_by_external_learn-to-us.patch b/queue-4.19/net-bridge-fdb-convert-added_by_external_learn-to-us.patch new file mode 100644 index 00000000000..58ef7cc8c1c --- /dev/null +++ b/queue-4.19/net-bridge-fdb-convert-added_by_external_learn-to-us.patch 
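Review bot: The `else` branch left in br_fdb_external_learn_add lost its `/* Take over SW learned entry */` comment, yet it now also covers entries that carry BR_FDB_ADDED_BY_USER, which is the behaviour change the commit message describes. A replacement comment such as `/* Take over SW learned or user-added entry */` would keep the branch self-explanatory. It would also help to note there that BR_FDB_ADDED_BY_USER is not cleared in the lines shown. The function starts and ends outside the hunk.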
@@ -0,0 +1,128 @@ +From dc1f456da5eb374dc1da7fb85a45ddaa1a8cf58f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 13:45:57 +0200 +Subject: net: bridge: fdb: convert added_by_external_learn to use bitops + +From: Nikolay Aleksandrov + +[ Upstream commit b5cd9f7c42480ede119a390607a9dbe6263f6795 ] + +Convert the added_by_external_learn field to a flag and use bitops. + +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN") +Signed-off-by: Sasha Levin +--- + net/bridge/br_fdb.c | 19 +++++++++---------- + net/bridge/br_private.h | 4 ++-- + 2 files changed, 11 insertions(+), 12 deletions(-) + +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index 7ae27569ced9..d898e3814f91 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -81,7 +81,7 @@ static inline int has_expired(const struct net_bridge *br, + const struct net_bridge_fdb_entry *fdb) + { + return !test_bit(BR_FDB_STATIC, &fdb->flags) && +- !fdb->added_by_external_learn && ++ !test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags) && + time_before_eq(fdb->updated + hold_time(br), jiffies); + } + +@@ -357,7 +357,7 @@ void br_fdb_cleanup(struct work_struct *work) + unsigned long this_timer; + + if (test_bit(BR_FDB_STATIC, &f->flags) || +- f->added_by_external_learn) ++ test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &f->flags)) + continue; + this_timer = f->updated + delay; + if (time_after(this_timer, now)) { +@@ -511,7 +511,6 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br, + set_bit(BR_FDB_LOCAL, &fdb->flags); + if (is_static) + set_bit(BR_FDB_STATIC, &fdb->flags); +- fdb->added_by_external_learn = 0; + fdb->offloaded = 0; + fdb->updated = fdb->used = jiffies; + if (rhashtable_lookup_insert_fast(&br->fdb_hash_tbl, +@@ -598,8 +597,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source, + fdb->dst = source; + fdb_modified = true; + /* Take over 
HW learned entry */ +- if (unlikely(fdb->added_by_external_learn)) +- fdb->added_by_external_learn = 0; ++ test_and_clear_bit(BR_FDB_ADDED_BY_EXT_LEARN, ++ &fdb->flags); + } + if (now != fdb->updated) + fdb->updated = now; +@@ -664,7 +663,7 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br, + + if (fdb->offloaded) + ndm->ndm_flags |= NTF_OFFLOADED; +- if (fdb->added_by_external_learn) ++ if (test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) + ndm->ndm_flags |= NTF_EXT_LEARNED; + if (test_bit(BR_FDB_STICKY, &fdb->flags)) + ndm->ndm_flags |= NTF_STICKY; +@@ -1107,7 +1106,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, + } + if (swdev_notify) + set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags); +- fdb->added_by_external_learn = 1; ++ set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags); + fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify); + } else { + fdb->updated = jiffies; +@@ -1117,12 +1116,12 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, + modified = true; + } + +- if (fdb->added_by_external_learn) { ++ if (test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) { + /* Refresh entry */ + fdb->used = jiffies; + } else if (!test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags)) { + /* Take over SW learned entry */ +- fdb->added_by_external_learn = 1; ++ set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags); + modified = true; + } + +@@ -1149,7 +1148,7 @@ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p, + spin_lock_bh(&br->hash_lock); + + fdb = br_fdb_find(br, addr, vid); +- if (fdb && fdb->added_by_external_learn) ++ if (fdb && test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) + fdb_delete(br, fdb, swdev_notify); + else + err = -ENOENT; +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 9132f11db683..4ff5e3c96e57 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -174,6 +174,7 @@ enum { + BR_FDB_STATIC, + BR_FDB_STICKY, + 
BR_FDB_ADDED_BY_USER, ++ BR_FDB_ADDED_BY_EXT_LEARN, + }; + + struct net_bridge_fdb_key { +@@ -188,8 +189,7 @@ struct net_bridge_fdb_entry { + struct net_bridge_fdb_key key; + struct hlist_node fdb_node; + unsigned long flags; +- unsigned char added_by_external_learn:1, +- offloaded:1; ++ unsigned char offloaded:1; + + /* write-heavy members should not affect lookups */ + unsigned long updated ____cacheline_aligned_in_smp; +-- +2.43.0 + diff --git a/queue-4.19/net-bridge-fdb-convert-added_by_user-to-bitops.patch b/queue-4.19/net-bridge-fdb-convert-added_by_user-to-bitops.patch new file mode 100644 index 00000000000..79d25596824 --- /dev/null +++ b/queue-4.19/net-bridge-fdb-convert-added_by_user-to-bitops.patch 
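Review bot: In br_fdb_update() the new `test_and_clear_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags);` discards its result and does an atomic read-modify-write whenever an entry moves to another port. The removed code wrote only when the bit was actually set. Keeping the guard preserves that: `if (unlikely(test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)))` followed by `clear_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags);`. If the unconditional form is intended, plain `clear_bit()` says so without an unused return value. br_fdb_update() continues outside the hunk.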
@@ -0,0 +1,188 @@ +From 6645f22ae5692c550b1e2f51cbdd5506bd1681bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 13:45:56 +0200 +Subject: net: bridge: fdb: convert added_by_user to bitops + +From: Nikolay Aleksandrov + +[ Upstream commit ac3ca6af443aa495c7907e5010ac77fbd2450eaa ] + +Straight-forward convert of the added_by_user field to bitops. + +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN") +Signed-off-by: Sasha Levin +--- + net/bridge/br_fdb.c | 25 ++++++++++++------------- + net/bridge/br_private.h | 4 ++-- + net/bridge/br_switchdev.c | 6 ++++-- + 3 files changed, 18 insertions(+), 17 deletions(-) + +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index 25aeaedce762..7ae27569ced9 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -230,7 +230,7 @@ static void fdb_delete_local(struct net_bridge *br, + if (op != p && ether_addr_equal(op->dev->dev_addr, addr) && + (!vid || br_vlan_find(vg, vid))) { + f->dst = op; +- f->added_by_user = 0; ++ clear_bit(BR_FDB_ADDED_BY_USER, &f->flags); + return; + } + } +@@ -241,7 +241,7 @@ static void fdb_delete_local(struct net_bridge *br, + if (p && ether_addr_equal(br->dev->dev_addr, addr) && + (!vid || (v && br_vlan_should_use(v)))) { + f->dst = NULL; +- f->added_by_user = 0; ++ clear_bit(BR_FDB_ADDED_BY_USER, &f->flags); + return; + } + +@@ -257,7 +257,7 @@ void br_fdb_find_delete_local(struct net_bridge *br, + spin_lock_bh(&br->hash_lock); + f = br_fdb_find(br, addr, vid); + if (f && test_bit(BR_FDB_LOCAL, &f->flags) && +- !f->added_by_user && f->dst == p) ++ !test_bit(BR_FDB_ADDED_BY_USER, &f->flags) && f->dst == p) + fdb_delete_local(br, p, f); + spin_unlock_bh(&br->hash_lock); + } +@@ -273,7 +273,7 @@ void br_fdb_changeaddr(struct net_bridge_port *p, const unsigned char *newaddr) + vg = nbp_vlan_group(p); + hlist_for_each_entry(f, &br->fdb_list, fdb_node) { + if 
(f->dst == p && test_bit(BR_FDB_LOCAL, &f->flags) && +- !f->added_by_user) { ++ !test_bit(BR_FDB_ADDED_BY_USER, &f->flags)) { + /* delete old one */ + fdb_delete_local(br, p, f); + +@@ -315,7 +315,7 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr) + /* If old entry was unassociated with any port, then delete it. */ + f = br_fdb_find(br, br->dev->dev_addr, 0); + if (f && test_bit(BR_FDB_LOCAL, &f->flags) && +- !f->dst && !f->added_by_user) ++ !f->dst && !test_bit(BR_FDB_ADDED_BY_USER, &f->flags)) + fdb_delete_local(br, NULL, f); + + fdb_insert(br, NULL, newaddr, 0); +@@ -331,7 +331,7 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr) + continue; + f = br_fdb_find(br, br->dev->dev_addr, v->vid); + if (f && test_bit(BR_FDB_LOCAL, &f->flags) && +- !f->dst && !f->added_by_user) ++ !f->dst && !test_bit(BR_FDB_ADDED_BY_USER, &f->flags)) + fdb_delete_local(br, NULL, f); + fdb_insert(br, NULL, newaddr, v->vid); + } +@@ -511,7 +511,6 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br, + set_bit(BR_FDB_LOCAL, &fdb->flags); + if (is_static) + set_bit(BR_FDB_STATIC, &fdb->flags); +- fdb->added_by_user = 0; + fdb->added_by_external_learn = 0; + fdb->offloaded = 0; + fdb->updated = fdb->used = jiffies; +@@ -605,7 +604,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source, + if (now != fdb->updated) + fdb->updated = now; + if (unlikely(added_by_user)) +- fdb->added_by_user = 1; ++ set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags); + if (unlikely(fdb_modified)) { + trace_br_fdb_update(br, source, addr, vid, added_by_user); + fdb_notify(br, fdb, RTM_NEWNEIGH, true); +@@ -616,7 +615,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source, + fdb = fdb_create(br, source, addr, vid, 0, 0); + if (fdb) { + if (unlikely(added_by_user)) +- fdb->added_by_user = 1; ++ set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags); + trace_br_fdb_update(br, source, addr, vid, + added_by_user); + 
fdb_notify(br, fdb, RTM_NEWNEIGH, true); +@@ -850,7 +849,7 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source, + modified = true; + } + +- fdb->added_by_user = 1; ++ set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags); + + fdb->used = jiffies; + if (modified) { +@@ -1107,7 +1106,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, + goto err_unlock; + } + if (swdev_notify) +- fdb->added_by_user = 1; ++ set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags); + fdb->added_by_external_learn = 1; + fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify); + } else { +@@ -1121,14 +1120,14 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, + if (fdb->added_by_external_learn) { + /* Refresh entry */ + fdb->used = jiffies; +- } else if (!fdb->added_by_user) { ++ } else if (!test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags)) { + /* Take over SW learned entry */ + fdb->added_by_external_learn = 1; + modified = true; + } + + if (swdev_notify) +- fdb->added_by_user = 1; ++ set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags); + + if (modified) + fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify); +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 131e5be58468..9132f11db683 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -173,6 +173,7 @@ enum { + BR_FDB_LOCAL, + BR_FDB_STATIC, + BR_FDB_STICKY, ++ BR_FDB_ADDED_BY_USER, + }; + + struct net_bridge_fdb_key { +@@ -187,8 +188,7 @@ struct net_bridge_fdb_entry { + struct net_bridge_fdb_key key; + struct hlist_node fdb_node; + unsigned long flags; +- unsigned char added_by_user:1, +- added_by_external_learn:1, ++ unsigned char added_by_external_learn:1, + offloaded:1; + + /* write-heavy members should not affect lookups */ +diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c +index b993df770675..e8948d49e5fc 100644 +--- a/net/bridge/br_switchdev.c ++++ b/net/bridge/br_switchdev.c +@@ -127,14 +127,16 @@ br_switchdev_fdb_notify(const 
struct net_bridge_fdb_entry *fdb, int type) + br_switchdev_fdb_call_notifiers(false, fdb->key.addr.addr, + fdb->key.vlan_id, + fdb->dst->dev, +- fdb->added_by_user, ++ test_bit(BR_FDB_ADDED_BY_USER, ++ &fdb->flags), + fdb->offloaded); + break; + case RTM_NEWNEIGH: + br_switchdev_fdb_call_notifiers(true, fdb->key.addr.addr, + fdb->key.vlan_id, + fdb->dst->dev, +- fdb->added_by_user, ++ test_bit(BR_FDB_ADDED_BY_USER, ++ &fdb->flags), + fdb->offloaded); + break; + } +-- +2.43.0 + diff --git a/queue-4.19/net-bridge-fdb-convert-is_local-to-bitops.patch b/queue-4.19/net-bridge-fdb-convert-is_local-to-bitops.patch new file mode 100644 index 00000000000..1ed91098c18 --- /dev/null +++ b/queue-4.19/net-bridge-fdb-convert-is_local-to-bitops.patch 
@@ -0,0 +1,188 @@ +From 4a11fea46194f2d1ab7a579c7e892262708ac9fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 13:45:53 +0200 +Subject: net: bridge: fdb: convert is_local to bitops + +From: Nikolay Aleksandrov + +[ Upstream commit 6869c3b02b596eba931a754f56875d2e2ac612db ] + +The patch adds a new fdb flags field in the hole between the two cache +lines and uses it to convert is_local to bitops. + +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN") +Signed-off-by: Sasha Levin +--- + net/bridge/br_fdb.c | 32 +++++++++++++++++++------------- + net/bridge/br_input.c | 2 +- + net/bridge/br_private.h | 9 +++++++-- + 3 files changed, 27 insertions(+), 16 deletions(-) + +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index a659e7c4ee43..f01ccf6ca4f4 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -255,7 +255,8 @@ void br_fdb_find_delete_local(struct net_bridge *br, + + spin_lock_bh(&br->hash_lock); + f = br_fdb_find(br, addr, vid); +- if (f && f->is_local && !f->added_by_user && f->dst == p) ++ if (f && test_bit(BR_FDB_LOCAL, &f->flags) && ++ !f->added_by_user && f->dst == p) + fdb_delete_local(br, p, f); + spin_unlock_bh(&br->hash_lock); + } +@@ -270,7 +271,8 @@ void br_fdb_changeaddr(struct net_bridge_port *p, const unsigned char *newaddr) + spin_lock_bh(&br->hash_lock); + vg = nbp_vlan_group(p); + hlist_for_each_entry(f, &br->fdb_list, fdb_node) { +- if (f->dst == p && f->is_local && !f->added_by_user) { ++ if (f->dst == p && test_bit(BR_FDB_LOCAL, &f->flags) && ++ !f->added_by_user) { + /* delete old one */ + fdb_delete_local(br, p, f); + +@@ -311,7 +313,8 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr) + + /* If old entry was unassociated with any port, then delete it. 
*/ + f = br_fdb_find(br, br->dev->dev_addr, 0); +- if (f && f->is_local && !f->dst && !f->added_by_user) ++ if (f && test_bit(BR_FDB_LOCAL, &f->flags) && ++ !f->dst && !f->added_by_user) + fdb_delete_local(br, NULL, f); + + fdb_insert(br, NULL, newaddr, 0); +@@ -326,7 +329,8 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr) + if (!br_vlan_should_use(v)) + continue; + f = br_fdb_find(br, br->dev->dev_addr, v->vid); +- if (f && f->is_local && !f->dst && !f->added_by_user) ++ if (f && test_bit(BR_FDB_LOCAL, &f->flags) && ++ !f->dst && !f->added_by_user) + fdb_delete_local(br, NULL, f); + fdb_insert(br, NULL, newaddr, v->vid); + } +@@ -405,7 +409,7 @@ void br_fdb_delete_by_port(struct net_bridge *br, + if (f->is_static || (vid && f->key.vlan_id != vid)) + continue; + +- if (f->is_local) ++ if (test_bit(BR_FDB_LOCAL, &f->flags)) + fdb_delete_local(br, p, f); + else + fdb_delete(br, f, true); +@@ -474,7 +478,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf, + fe->port_no = f->dst->port_no; + fe->port_hi = f->dst->port_no >> 8; + +- fe->is_local = f->is_local; ++ fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags); + if (!f->is_static) + fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated); + ++fe; +@@ -499,7 +503,9 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br, + memcpy(fdb->key.addr.addr, addr, ETH_ALEN); + fdb->dst = source; + fdb->key.vlan_id = vid; +- fdb->is_local = is_local; ++ fdb->flags = 0; ++ if (is_local) ++ set_bit(BR_FDB_LOCAL, &fdb->flags); + fdb->is_static = is_static; + fdb->added_by_user = 0; + fdb->added_by_external_learn = 0; +@@ -530,7 +536,7 @@ static int fdb_insert(struct net_bridge *br, struct net_bridge_port *source, + /* it is okay to have multiple ports with same + * address, just use the first one. 
+ */ +- if (fdb->is_local) ++ if (test_bit(BR_FDB_LOCAL, &fdb->flags)) + return 0; + br_warn(br, "adding interface %s with same address as a received packet (addr:%pM, vlan:%u)\n", + source ? source->dev->name : br->dev->name, addr, vid); +@@ -576,7 +582,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source, + fdb = fdb_find_rcu(&br->fdb_hash_tbl, addr, vid); + if (likely(fdb)) { + /* attempt to update an entry for a local interface */ +- if (unlikely(fdb->is_local)) { ++ if (unlikely(test_bit(BR_FDB_LOCAL, &fdb->flags))) { + if (net_ratelimit()) + br_warn(br, "received packet on %s with own address as source address (addr:%pM, vlan:%u)\n", + source->dev->name, addr, vid); +@@ -620,7 +626,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source, + static int fdb_to_nud(const struct net_bridge *br, + const struct net_bridge_fdb_entry *fdb) + { +- if (fdb->is_local) ++ if (test_bit(BR_FDB_LOCAL, &fdb->flags)) + return NUD_PERMANENT; + else if (fdb->is_static) + return NUD_NOARP; +@@ -818,19 +824,19 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source, + + if (fdb_to_nud(br, fdb) != state) { + if (state & NUD_PERMANENT) { +- fdb->is_local = 1; ++ set_bit(BR_FDB_LOCAL, &fdb->flags); + if (!fdb->is_static) { + fdb->is_static = 1; + fdb_add_hw_addr(br, addr); + } + } else if (state & NUD_NOARP) { +- fdb->is_local = 0; ++ clear_bit(BR_FDB_LOCAL, &fdb->flags); + if (!fdb->is_static) { + fdb->is_static = 1; + fdb_add_hw_addr(br, addr); + } + } else { +- fdb->is_local = 0; ++ clear_bit(BR_FDB_LOCAL, &fdb->flags); + if (fdb->is_static) { + fdb->is_static = 0; + fdb_del_hw_addr(br, addr); +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index f3938337ff87..e126ba0bd486 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -163,7 +163,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb + if (dst) { + unsigned long now = jiffies; + +- if 
(dst->is_local) ++ if (test_bit(BR_FDB_LOCAL, &dst->flags)) + return br_pass_frame_up(skb); + + if (now != dst->used) +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index f5e258ca3043..6a38ea247a9e 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -168,6 +168,11 @@ struct net_bridge_vlan_group { + u16 pvid; + }; + ++/* bridge fdb flags */ ++enum { ++ BR_FDB_LOCAL, ++}; ++ + struct net_bridge_fdb_key { + mac_addr addr; + u16 vlan_id; +@@ -179,8 +184,8 @@ struct net_bridge_fdb_entry { + + struct net_bridge_fdb_key key; + struct hlist_node fdb_node; +- unsigned char is_local:1, +- is_static:1, ++ unsigned long flags; ++ unsigned char is_static:1, + is_sticky:1, + added_by_user:1, + added_by_external_learn:1, +-- +2.43.0 + diff --git a/queue-4.19/net-bridge-fdb-convert-is_static-to-bitops.patch b/queue-4.19/net-bridge-fdb-convert-is_static-to-bitops.patch new file mode 100644 index 00000000000..418a2c45842 --- /dev/null +++ b/queue-4.19/net-bridge-fdb-convert-is_static-to-bitops.patch 
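Review bot: The new `enum { BR_FDB_LOCAL, };` in br_private.h is documented only as `/* bridge fdb flags */`, which does not say that the constants are bit numbers rather than masks. BR_FDB_LOCAL is 0, so a later `fdb->flags & BR_FDB_LOCAL` would compile and always be false. I would spell it out: `/* bridge fdb flags: bit numbers in net_bridge_fdb_entry::flags, use with test_bit()/set_bit()/clear_bit() */`. A short comment on the new `unsigned long flags;` member would help too, since at this point in the series the remaining state (`is_static`, `added_by_user`, ...) still lives in the adjacent bitfield.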
@@ -0,0 +1,181 @@ +From d5ff0a245bce53431e5a7b4214a7961f90e225a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 13:45:54 +0200 +Subject: net: bridge: fdb: convert is_static to bitops + +From: Nikolay Aleksandrov + +[ Upstream commit 29e63fffd666f1945756882d4b02bc7bec132101 ] + +Convert the is_static to bitops, make use of the combined +test_and_set/clear_bit to simplify expressions in fdb_add_entry. + +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN") +Signed-off-by: Sasha Levin +--- + net/bridge/br_fdb.c | 40 +++++++++++++++++++--------------------- + net/bridge/br_private.h | 4 ++-- + 2 files changed, 21 insertions(+), 23 deletions(-) + +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index f01ccf6ca4f4..2639cc744bca 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -80,8 +80,9 @@ static inline unsigned long hold_time(const struct net_bridge *br) + static inline int has_expired(const struct net_bridge *br, + const struct net_bridge_fdb_entry *fdb) + { +- return !fdb->is_static && !fdb->added_by_external_learn && +- time_before_eq(fdb->updated + hold_time(br), jiffies); ++ return !test_bit(BR_FDB_STATIC, &fdb->flags) && ++ !fdb->added_by_external_learn && ++ time_before_eq(fdb->updated + hold_time(br), jiffies); + } + + static void fdb_rcu_free(struct rcu_head *head) +@@ -202,7 +203,7 @@ static void fdb_delete(struct net_bridge *br, struct net_bridge_fdb_entry *f, + { + trace_fdb_delete(br, f); + +- if (f->is_static) ++ if (test_bit(BR_FDB_STATIC, &f->flags)) + fdb_del_hw_addr(br, f->key.addr.addr); + + hlist_del_init_rcu(&f->fdb_node); +@@ -355,7 +356,8 @@ void br_fdb_cleanup(struct work_struct *work) + hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) { + unsigned long this_timer; + +- if (f->is_static || f->added_by_external_learn) ++ if (test_bit(BR_FDB_STATIC, &f->flags) || ++ 
f->added_by_external_learn) + continue; + this_timer = f->updated + delay; + if (time_after(this_timer, now)) { +@@ -382,7 +384,7 @@ void br_fdb_flush(struct net_bridge *br) + + spin_lock_bh(&br->hash_lock); + hlist_for_each_entry_safe(f, tmp, &br->fdb_list, fdb_node) { +- if (!f->is_static) ++ if (!test_bit(BR_FDB_STATIC, &f->flags)) + fdb_delete(br, f, true); + } + spin_unlock_bh(&br->hash_lock); +@@ -406,7 +408,8 @@ void br_fdb_delete_by_port(struct net_bridge *br, + continue; + + if (!do_all) +- if (f->is_static || (vid && f->key.vlan_id != vid)) ++ if (test_bit(BR_FDB_STATIC, &f->flags) || ++ (vid && f->key.vlan_id != vid)) + continue; + + if (test_bit(BR_FDB_LOCAL, &f->flags)) +@@ -479,7 +482,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf, + fe->port_hi = f->dst->port_no >> 8; + + fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags); +- if (!f->is_static) ++ if (!test_bit(BR_FDB_STATIC, &f->flags)) + fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated); + ++fe; + ++num; +@@ -506,7 +509,8 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br, + fdb->flags = 0; + if (is_local) + set_bit(BR_FDB_LOCAL, &fdb->flags); +- fdb->is_static = is_static; ++ if (is_static) ++ set_bit(BR_FDB_STATIC, &fdb->flags); + fdb->added_by_user = 0; + fdb->added_by_external_learn = 0; + fdb->offloaded = 0; +@@ -628,7 +632,7 @@ static int fdb_to_nud(const struct net_bridge *br, + { + if (test_bit(BR_FDB_LOCAL, &fdb->flags)) + return NUD_PERMANENT; +- else if (fdb->is_static) ++ else if (test_bit(BR_FDB_STATIC, &fdb->flags)) + return NUD_NOARP; + else if (has_expired(br, fdb)) + return NUD_STALE; +@@ -825,22 +829,16 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source, + if (fdb_to_nud(br, fdb) != state) { + if (state & NUD_PERMANENT) { + set_bit(BR_FDB_LOCAL, &fdb->flags); +- if (!fdb->is_static) { +- fdb->is_static = 1; ++ if (!test_and_set_bit(BR_FDB_STATIC, &fdb->flags)) + fdb_add_hw_addr(br, addr); +- } + } 
else if (state & NUD_NOARP) { + clear_bit(BR_FDB_LOCAL, &fdb->flags); +- if (!fdb->is_static) { +- fdb->is_static = 1; ++ if (!test_and_set_bit(BR_FDB_STATIC, &fdb->flags)) + fdb_add_hw_addr(br, addr); +- } + } else { + clear_bit(BR_FDB_LOCAL, &fdb->flags); +- if (fdb->is_static) { +- fdb->is_static = 0; ++ if (test_and_clear_bit(BR_FDB_STATIC, &fdb->flags)) + fdb_del_hw_addr(br, addr); +- } + } + + modified = true; +@@ -1047,7 +1045,7 @@ int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p) + rcu_read_lock(); + hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) { + /* We only care for static entries */ +- if (!f->is_static) ++ if (!test_bit(BR_FDB_STATIC, &f->flags)) + continue; + err = dev_uc_add(p->dev, f->key.addr.addr); + if (err) +@@ -1061,7 +1059,7 @@ int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p) + rollback: + hlist_for_each_entry_rcu(tmp, &br->fdb_list, fdb_node) { + /* We only care for static entries */ +- if (!tmp->is_static) ++ if (!test_bit(BR_FDB_STATIC, &tmp->flags)) + continue; + if (tmp == f) + break; +@@ -1080,7 +1078,7 @@ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p) + rcu_read_lock(); + hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) { + /* We only care for static entries */ +- if (!f->is_static) ++ if (!test_bit(BR_FDB_STATIC, &f->flags)) + continue; + + dev_uc_del(p->dev, f->key.addr.addr); +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 6a38ea247a9e..c3160d73e6ed 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -171,6 +171,7 @@ struct net_bridge_vlan_group { + /* bridge fdb flags */ + enum { + BR_FDB_LOCAL, ++ BR_FDB_STATIC, + }; + + struct net_bridge_fdb_key { +@@ -185,8 +186,7 @@ struct net_bridge_fdb_entry { + struct net_bridge_fdb_key key; + struct hlist_node fdb_node; + unsigned long flags; +- unsigned char is_static:1, +- is_sticky:1, ++ unsigned char is_sticky:1, + added_by_user:1, + 
added_by_external_learn:1, + offloaded:1; +-- +2.43.0 + diff --git a/queue-4.19/net-bridge-fdb-convert-is_sticky-to-bitops.patch b/queue-4.19/net-bridge-fdb-convert-is_sticky-to-bitops.patch new file mode 100644 index 00000000000..0f823e4982f --- /dev/null +++ b/queue-4.19/net-bridge-fdb-convert-is_sticky-to-bitops.patch 
@@ -0,0 +1,88 @@ +From fa3c4f543d01a62e2eae4b7d147b40ecf5fdd496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 13:45:55 +0200 +Subject: net: bridge: fdb: convert is_sticky to bitops + +From: Nikolay Aleksandrov + +[ Upstream commit e0458d9a733ba71a2821d0c3fc0745baac697db0 ] + +Straight-forward convert of the is_sticky field to bitops. + +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN") +Signed-off-by: Sasha Levin +--- + net/bridge/br_fdb.c | 11 ++++++----- + net/bridge/br_private.h | 4 ++-- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index 2639cc744bca..25aeaedce762 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -594,7 +594,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source, + unsigned long now = jiffies; + + /* fastpath: update of existing entry */ +- if (unlikely(source != fdb->dst && !fdb->is_sticky)) { ++ if (unlikely(source != fdb->dst && ++ !test_bit(BR_FDB_STICKY, &fdb->flags))) { + fdb->dst = source; + fdb_modified = true; + /* Take over HW learned entry */ +@@ -666,7 +667,7 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br, + ndm->ndm_flags |= NTF_OFFLOADED; + if (fdb->added_by_external_learn) + ndm->ndm_flags |= NTF_EXT_LEARNED; +- if (fdb->is_sticky) ++ if (test_bit(BR_FDB_STICKY, &fdb->flags)) + ndm->ndm_flags |= NTF_STICKY; + + if (nla_put(skb, NDA_LLADDR, ETH_ALEN, &fdb->key.addr)) +@@ -787,7 +788,7 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source, + const u8 *addr, u16 state, u16 flags, u16 vid, + u8 ndm_flags) + { +- u8 is_sticky = !!(ndm_flags & NTF_STICKY); ++ bool is_sticky = !!(ndm_flags & NTF_STICKY); + struct net_bridge_fdb_entry *fdb; + bool modified = false; + +@@ -844,8 +845,8 @@ static int fdb_add_entry(struct net_bridge *br, struct 
net_bridge_port *source, + modified = true; + } + +- if (is_sticky != fdb->is_sticky) { +- fdb->is_sticky = is_sticky; ++ if (is_sticky != test_bit(BR_FDB_STICKY, &fdb->flags)) { ++ change_bit(BR_FDB_STICKY, &fdb->flags); + modified = true; + } + +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index c3160d73e6ed..131e5be58468 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -172,6 +172,7 @@ struct net_bridge_vlan_group { + enum { + BR_FDB_LOCAL, + BR_FDB_STATIC, ++ BR_FDB_STICKY, + }; + + struct net_bridge_fdb_key { +@@ -186,8 +187,7 @@ struct net_bridge_fdb_entry { + struct net_bridge_fdb_key key; + struct hlist_node fdb_node; + unsigned long flags; +- unsigned char is_sticky:1, +- added_by_user:1, ++ unsigned char added_by_user:1, + added_by_external_learn:1, + offloaded:1; + +-- +2.43.0 + diff --git a/queue-4.19/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch b/queue-4.19/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch new file mode 100644 index 00000000000..dc21b7bdf2e --- /dev/null +++ b/queue-4.19/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch 
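Review bot: In fdb_add_entry() the sticky update `if (is_sticky != test_bit(BR_FDB_STICKY, &fdb->flags))` followed by `change_bit(BR_FDB_STICKY, &fdb->flags);` is a test and then a toggle. It reaches the requested state only if nothing else changes the bit between the two operations. The locking around fdb_add_entry() is not visible in this hunk; presumably callers hold `br->hash_lock`, and a comment naming the lock this pair relies on would make that explicit. The comparison also pairs a `bool` with whatever integer type test_bit() returns, so `is_sticky != !!test_bit(BR_FDB_STICKY, &fdb->flags)` would be the more defensive spelling.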
@@ -0,0 +1,62 @@ +From f98e716168ad5cbd0b5e73369112406fdfa15037 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 22:33:41 +0200 +Subject: net: dsa: vsc73xx: fix possible subblocks range of CAPT block + +From: Pawel Dembicki + +[ Upstream commit 8e69c96df771ab469cec278edb47009351de4da6 ] + +CAPT block (CPU Capture Buffer) have 7 sublocks: 0-3, 4, 6, 7. +Function 'vsc73xx_is_addr_valid' allows to use only block 0 at this +moment. + +This patch fix it. + +Fixes: 05bd97fc559d ("net: dsa: Add Vitesse VSC73xx DSA router driver") +Signed-off-by: Pawel Dembicki +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20240903203340.1518789-1-paweldembicki@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/vitesse-vsc73xx.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/vitesse-vsc73xx.c b/drivers/net/dsa/vitesse-vsc73xx.c +index eaafb1c30c91..c91f989165ad 100644 +--- a/drivers/net/dsa/vitesse-vsc73xx.c ++++ b/drivers/net/dsa/vitesse-vsc73xx.c +@@ -38,7 +38,7 @@ + #define VSC73XX_BLOCK_ANALYZER 0x2 /* Only subblock 0 */ + #define VSC73XX_BLOCK_MII 0x3 /* Subblocks 0 and 1 */ + #define VSC73XX_BLOCK_MEMINIT 0x3 /* Only subblock 2 */ +-#define VSC73XX_BLOCK_CAPTURE 0x4 /* Only subblock 2 */ ++#define VSC73XX_BLOCK_CAPTURE 0x4 /* Subblocks 0-4, 6, 7 */ + #define VSC73XX_BLOCK_ARBITER 0x5 /* Only subblock 0 */ + #define VSC73XX_BLOCK_SYSTEM 0x7 /* Only subblock 0 */ + +@@ -385,13 +385,19 @@ static int vsc73xx_is_addr_valid(u8 block, u8 subblock) + break; + + case VSC73XX_BLOCK_MII: +- case VSC73XX_BLOCK_CAPTURE: + case VSC73XX_BLOCK_ARBITER: + switch (subblock) { + case 0 ... 1: + return 1; + } + break; ++ case VSC73XX_BLOCK_CAPTURE: ++ switch (subblock) { ++ case 0 ... 4: ++ case 6 ... 7: ++ return 1; ++ } ++ break; + } + + return 0; +-- +2.43.0 + 
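Review bot: vsc73xx_is_addr_valid() still accepts subblocks 0 and 1 for VSC73XX_BLOCK_ARBITER, because it shares the `case 0 ... 1:` arm with VSC73XX_BLOCK_MII, while the define above documents ARBITER as `/* Only subblock 0 */`. Judging by its name this function validates block/subblock addresses, so the comment and the check should agree; which one is right cannot be decided from this hunk. If the comment is right, ARBITER needs its own arm: `case VSC73XX_BLOCK_ARBITER:` then `if (subblock == 0) return 1;` then `break;`. Separately, the commit message says the old code allowed only subblock 0 for CAPT, but the removed label sat on the `0 ... 1` arm. The function starts outside the hunk.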
diff --git a/queue-4.19/net-usb-don-t-write-directly-to-netdev-dev_addr.patch b/queue-4.19/net-usb-don-t-write-directly-to-netdev-dev_addr.patch new file mode 100644 index 00000000000..aff54de1c24 --- /dev/null +++ b/queue-4.19/net-usb-don-t-write-directly-to-netdev-dev_addr.patch 
@@ -0,0 +1,236 @@ +From be4250bcf98b5355c0c81c7ad4f546ea2abdad7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Oct 2021 06:12:06 -0700 +Subject: net: usb: don't write directly to netdev->dev_addr + +From: Jakub Kicinski + +[ Upstream commit 2674e7ea22ba0e22a2d1603bd51e0b8f6442a267 ] + +Commit 406f42fa0d3c ("net-next: When a bond have a massive amount +of VLANs...") introduced a rbtree for faster Ethernet address look +up. To maintain netdev->dev_addr in this tree we need to make all +the writes to it got through appropriate helpers. + +Manually fix all net/usb drivers without separate maintainers. + +v2: catc does DMA to the buffer, leave the conversion to Oliver + +Signed-off-by: Jakub Kicinski +Stable-dep-of: bab8eb0dd4cb ("usbnet: modern method to get random MAC") +Signed-off-by: Sasha Levin +--- + drivers/net/usb/ch9200.c | 4 +++- + drivers/net/usb/cx82310_eth.c | 5 +++-- + drivers/net/usb/kaweth.c | 3 +-- + drivers/net/usb/mcs7830.c | 4 +++- + drivers/net/usb/sierra_net.c | 6 ++++-- + drivers/net/usb/sr9700.c | 4 +++- + drivers/net/usb/sr9800.c | 5 +++-- + drivers/net/usb/usbnet.c | 6 ++++-- + 8 files changed, 24 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c +index 9df3c1ffff35..6ed8da85b081 100644 +--- a/drivers/net/usb/ch9200.c ++++ b/drivers/net/usb/ch9200.c +@@ -338,6 +338,7 @@ static int ch9200_bind(struct usbnet *dev, struct usb_interface *intf) + { + int retval = 0; + unsigned char data[2]; ++ u8 addr[ETH_ALEN]; + + retval = usbnet_get_endpoints(dev, intf); + if (retval) +@@ -385,7 +386,8 @@ static int ch9200_bind(struct usbnet *dev, struct usb_interface *intf) + retval = control_write(dev, REQUEST_WRITE, 0, MAC_REG_CTRL, data, 0x02, + CONTROL_TIMEOUT_MS); + +- retval = get_mac_address(dev, dev->net->dev_addr); ++ retval = get_mac_address(dev, addr); ++ eth_hw_addr_set(dev->net, addr); + + return retval; + } +diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c 
+index 6a9a5e540b09..2efa33eb1f73 100644 +--- a/drivers/net/usb/cx82310_eth.c ++++ b/drivers/net/usb/cx82310_eth.c +@@ -161,6 +161,7 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf) + u8 link[3]; + int timeout = 50; + struct cx82310_priv *priv; ++ u8 addr[ETH_ALEN]; + + /* avoid ADSL modems - continue only if iProduct is "USB NET CARD" */ + if (usb_string(udev, udev->descriptor.iProduct, buf, sizeof(buf)) > 0 +@@ -216,12 +217,12 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf) + goto err; + + /* get the MAC address */ +- ret = cx82310_cmd(dev, CMD_GET_MAC_ADDR, true, NULL, 0, +- dev->net->dev_addr, ETH_ALEN); ++ ret = cx82310_cmd(dev, CMD_GET_MAC_ADDR, true, NULL, 0, addr, ETH_ALEN); + if (ret) { + dev_err(&udev->dev, "unable to read MAC address: %d\n", ret); + goto err; + } ++ eth_hw_addr_set(dev->net, addr); + + /* start (does not seem to have any effect?) */ + ret = cx82310_cmd(dev, CMD_START, false, NULL, 0, NULL, 0); +diff --git a/drivers/net/usb/kaweth.c b/drivers/net/usb/kaweth.c +index 913e50bab0a2..b05154fad3ce 100644 +--- a/drivers/net/usb/kaweth.c ++++ b/drivers/net/usb/kaweth.c +@@ -1139,8 +1139,7 @@ static int kaweth_probe( + goto err_all_but_rxbuf; + + memcpy(netdev->broadcast, &bcast_addr, sizeof(bcast_addr)); +- memcpy(netdev->dev_addr, &kaweth->configuration.hw_addr, +- sizeof(kaweth->configuration.hw_addr)); ++ eth_hw_addr_set(netdev, (u8 *)&kaweth->configuration.hw_addr); + + netdev->netdev_ops = &kaweth_netdev_ops; + netdev->watchdog_timeo = KAWETH_TX_TIMEOUT; +diff --git a/drivers/net/usb/mcs7830.c b/drivers/net/usb/mcs7830.c +index c0f52a622964..c304ce4abaa4 100644 +--- a/drivers/net/usb/mcs7830.c ++++ b/drivers/net/usb/mcs7830.c +@@ -493,17 +493,19 @@ static const struct net_device_ops mcs7830_netdev_ops = { + static int mcs7830_bind(struct usbnet *dev, struct usb_interface *udev) + { + struct net_device *net = dev->net; ++ u8 addr[ETH_ALEN]; + int ret; + int retry; + + /* Initial startup: 
Gather MAC address setting from EEPROM */ + ret = -EINVAL; + for (retry = 0; retry < 5 && ret; retry++) +- ret = mcs7830_hif_get_mac_address(dev, net->dev_addr); ++ ret = mcs7830_hif_get_mac_address(dev, addr); + if (ret) { + dev_warn(&dev->udev->dev, "Cannot read MAC address\n"); + goto out; + } ++ eth_hw_addr_set(net, addr); + + mcs7830_data_set_multicast(net); + +diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c +index c43087e06696..4226ad0f11f3 100644 +--- a/drivers/net/usb/sierra_net.c ++++ b/drivers/net/usb/sierra_net.c +@@ -686,6 +686,7 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf) + 0x00, 0x00, SIERRA_NET_HIP_MSYNC_ID, 0x00}; + static const u8 shdwn_tmplate[sizeof(priv->shdwn_msg)] = { + 0x00, 0x00, SIERRA_NET_HIP_SHUTD_ID, 0x00}; ++ u8 mod[2]; + + dev_dbg(&dev->udev->dev, "%s", __func__); + +@@ -715,8 +716,9 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf) + dev->net->netdev_ops = &sierra_net_device_ops; + + /* change MAC addr to include, ifacenum, and to be unique */ +- dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return(&iface_counter); +- dev->net->dev_addr[ETH_ALEN-1] = ifacenum; ++ mod[0] = atomic_inc_return(&iface_counter); ++ mod[1] = ifacenum; ++ dev_addr_mod(dev->net, ETH_ALEN - 2, mod, 2); + + /* prepare shutdown message template */ + memcpy(priv->shdwn_msg, shdwn_tmplate, sizeof(priv->shdwn_msg)); +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index 1f11c56ccd5c..1f4b2fabb5e6 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -326,6 +326,7 @@ static int sr9700_bind(struct usbnet *dev, struct usb_interface *intf) + { + struct net_device *netdev; + struct mii_if_info *mii; ++ u8 addr[ETH_ALEN]; + int ret; + + ret = usbnet_get_endpoints(dev, intf); +@@ -356,11 +357,12 @@ static int sr9700_bind(struct usbnet *dev, struct usb_interface *intf) + * EEPROM automatically to PAR. 
In case there is no EEPROM externally, + * a default MAC address is stored in PAR for making chip work properly. + */ +- if (sr_read(dev, SR_PAR, ETH_ALEN, netdev->dev_addr) < 0) { ++ if (sr_read(dev, SR_PAR, ETH_ALEN, addr) < 0) { + netdev_err(netdev, "Error reading MAC address\n"); + ret = -ENODEV; + goto out; + } ++ eth_hw_addr_set(netdev, addr); + + /* power up and reset phy */ + sr_write_reg(dev, SR_PRR, PRR_PHY_RST); +diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c +index a5ff7df10505..485a50d9f281 100644 +--- a/drivers/net/usb/sr9800.c ++++ b/drivers/net/usb/sr9800.c +@@ -732,6 +732,7 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf) + struct sr_data *data = (struct sr_data *)&dev->data; + u16 led01_mux, led23_mux; + int ret, embd_phy; ++ u8 addr[ETH_ALEN]; + u32 phyid; + u16 rx_ctl; + +@@ -757,12 +758,12 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf) + } + + /* Get the MAC address */ +- ret = sr_read_cmd(dev, SR_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, +- dev->net->dev_addr); ++ ret = sr_read_cmd(dev, SR_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, addr); + if (ret < 0) { + netdev_dbg(dev->net, "Failed to read MAC address: %d\n", ret); + return ret; + } ++ eth_hw_addr_set(dev->net, addr); + netdev_dbg(dev->net, "mac addr : %pM\n", dev->net->dev_addr); + + /* Initialize MII structure */ +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 8065af844410..16225654d88c 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -163,12 +163,13 @@ EXPORT_SYMBOL_GPL(usbnet_get_endpoints); + + int usbnet_get_ethernet_addr(struct usbnet *dev, int iMACAddress) + { ++ u8 addr[ETH_ALEN]; + int tmp = -1, ret; + unsigned char buf [13]; + + ret = usb_string(dev->udev, iMACAddress, buf, sizeof buf); + if (ret == 12) +- tmp = hex2bin(dev->net->dev_addr, buf, 6); ++ tmp = hex2bin(addr, buf, 6); + if (tmp < 0) { + dev_dbg(&dev->udev->dev, + "bad MAC string %d fetch, %d\n", iMACAddress, tmp); 
+@@ -176,6 +177,7 @@ int usbnet_get_ethernet_addr(struct usbnet *dev, int iMACAddress) + ret = -EINVAL; + return ret; + } ++ eth_hw_addr_set(dev->net, addr); + return 0; + } + EXPORT_SYMBOL_GPL(usbnet_get_ethernet_addr); +@@ -1723,7 +1725,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + + dev->net = net; + strscpy(net->name, "usb%d", sizeof(net->name)); +- memcpy (net->dev_addr, node_id, sizeof node_id); ++ eth_hw_addr_set(net, node_id); + + /* rx and tx sides can use different message sizes; + * bind() should set rx_urb_size in that case. +-- +2.43.0 + diff --git a/queue-4.19/netfilter-nf_conncount-fix-wrong-variable-type.patch b/queue-4.19/netfilter-nf_conncount-fix-wrong-variable-type.patch new file mode 100644 index 00000000000..64f8f67f04c --- /dev/null +++ b/queue-4.19/netfilter-nf_conncount-fix-wrong-variable-type.patch 
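Review bot: In ch9200_bind() the new `eth_hw_addr_set(dev->net, addr)` runs whether or not `get_mac_address(dev, addr)` succeeded, and `addr` is an uninitialised stack array, so a failed read would copy six bytes of stale kernel stack into the device address, which user space can read back. The other conversions in this patch (cx82310, mcs7830, sr9700, sr9800, usbnet_get_ethernet_addr) set the address only after the read is known to have succeeded. Assuming get_mac_address() returns 0 on success, which the hunk does not show, I would write `if (!retval) eth_hw_addr_set(dev->net, addr);`, or at least declare `u8 addr[ETH_ALEN] = { 0 };`.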
@@ -0,0 +1,70 @@ +From 3b3c970a589416fd2a8020c46f97521c30b4f760 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 11:48:47 +0800 +Subject: netfilter: nf_conncount: fix wrong variable type + +From: Yunjian Wang + +[ Upstream commit 0b88d1654d556264bcd24a9cb6383f0888e30131 ] + +Now there is a issue is that code checks reports a warning: implicit +narrowing conversion from type 'unsigned int' to small type 'u8' (the +'keylen' variable). Fix it by removing the 'keylen' variable. + +Signed-off-by: Yunjian Wang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conncount.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c +index 7554c56b2e63..d189ca7c2c02 100644 +--- a/net/netfilter/nf_conncount.c ++++ b/net/netfilter/nf_conncount.c +@@ -309,7 +309,6 @@ insert_tree(struct net *net, + struct nf_conncount_rb *rbconn; + struct nf_conncount_tuple *conn; + unsigned int count = 0, gc_count = 0; +- u8 keylen = data->keylen; + bool do_gc = true; + + spin_lock_bh(&nf_conncount_locks[hash]); +@@ -321,7 +320,7 @@ insert_tree(struct net *net, + rbconn = rb_entry(*rbnode, struct nf_conncount_rb, node); + + parent = *rbnode; +- diff = key_diff(key, rbconn->key, keylen); ++ diff = key_diff(key, rbconn->key, data->keylen); + if (diff < 0) { + rbnode = &((*rbnode)->rb_left); + } else if (diff > 0) { +@@ -366,7 +365,7 @@ insert_tree(struct net *net, + + conn->tuple = *tuple; + conn->zone = *zone; +- memcpy(rbconn->key, key, sizeof(u32) * keylen); ++ memcpy(rbconn->key, key, sizeof(u32) * data->keylen); + + nf_conncount_list_init(&rbconn->list); + list_add(&conn->node, &rbconn->list.head); +@@ -391,7 +390,6 @@ count_tree(struct net *net, + struct rb_node *parent; + struct nf_conncount_rb *rbconn; + unsigned int hash; +- u8 keylen = data->keylen; + + hash = jhash2(key, data->keylen, conncount_rnd) % CONNCOUNT_SLOTS; + root = &data->root[hash]; +@@ 
-402,7 +400,7 @@ count_tree(struct net *net, + + rbconn = rb_entry(parent, struct nf_conncount_rb, node); + +- diff = key_diff(key, rbconn->key, keylen); ++ diff = key_diff(key, rbconn->key, data->keylen); + if (diff < 0) { + parent = rcu_dereference_raw(parent->rb_left); + } else if (diff > 0) { +-- +2.43.0 + diff --git a/queue-4.19/of-irq-prevent-device-address-out-of-bounds-read-in-.patch b/queue-4.19/of-irq-prevent-device-address-out-of-bounds-read-in-.patch new file mode 100644 index 00000000000..3959d67cb95 --- /dev/null +++ b/queue-4.19/of-irq-prevent-device-address-out-of-bounds-read-in-.patch 
@@ -0,0 +1,131 @@ +From 85c1ce76b09b121e9bc264c228aafe0a666f47ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2024 12:06:51 +0200 +Subject: of/irq: Prevent device address out-of-bounds read in interrupt map + walk + +From: Stefan Wiehler + +[ Upstream commit b739dffa5d570b411d4bdf4bb9b8dfd6b7d72305 ] + +When of_irq_parse_raw() is invoked with a device address smaller than +the interrupt parent node (from #address-cells property), KASAN detects +the following out-of-bounds read when populating the initial match table +(dyndbg="func of_irq_parse_* +p"): + + OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 + OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 + OF: intspec=4 + OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 + OF: -> addrsize=3 + ================================================================== + BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 + Read of size 4 at addr ffffff81beca5608 by task bash/764 + + CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 + Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 + Call trace: + dump_backtrace+0xdc/0x130 + show_stack+0x1c/0x30 + dump_stack_lvl+0x6c/0x84 + print_report+0x150/0x448 + kasan_report+0x98/0x140 + __asan_load4+0x78/0xa0 + of_irq_parse_raw+0x2b8/0x8d0 + of_irq_parse_one+0x24c/0x270 + parse_interrupts+0xc0/0x120 + of_fwnode_add_links+0x100/0x2d0 + fw_devlink_parse_fwtree+0x64/0xc0 + device_add+0xb38/0xc30 + of_device_add+0x64/0x90 + of_platform_device_create_pdata+0xd0/0x170 + of_platform_bus_create+0x244/0x600 + of_platform_notify+0x1b0/0x254 + blocking_notifier_call_chain+0x9c/0xd0 + __of_changeset_entry_notify+0x1b8/0x230 + __of_changeset_apply_notify+0x54/0xe4 + of_overlay_fdt_apply+0xc04/0xd94 + ... 
+ + The buggy address belongs to the object at ffffff81beca5600 + which belongs to the cache kmalloc-128 of size 128 + The buggy address is located 8 bytes inside of + 128-byte region [ffffff81beca5600, ffffff81beca5680) + + The buggy address belongs to the physical page: + page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 + head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 + flags: 0x8000000000010200(slab|head|zone=2) + raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 + raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc + ================================================================== + OF: -> got it ! + +Prevent the out-of-bounds read by copying the device address into a +buffer of sufficient size. 
+ +Signed-off-by: Stefan Wiehler +Link: https://lore.kernel.org/r/20240812100652.3800963-1-stefan.wiehler@nokia.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/irq.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/of/irq.c b/drivers/of/irq.c +index 02ad93a304a4..f06c9df60e34 100644 +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -289,7 +289,8 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar + struct device_node *p; + const __be32 *addr; + u32 intsize; +- int i, res; ++ int i, res, addr_len; ++ __be32 addr_buf[3] = { 0 }; + + pr_debug("of_irq_parse_one: dev=%pOF, index=%d\n", device, index); + +@@ -298,13 +299,19 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar + return of_irq_parse_oldworld(device, index, out_irq); + + /* Get the reg property (if any) */ +- addr = of_get_property(device, "reg", NULL); ++ addr = of_get_property(device, "reg", &addr_len); ++ ++ /* Prevent out-of-bounds read in case of longer interrupt parent address size */ ++ if (addr_len > (3 * sizeof(__be32))) ++ addr_len = 3 * sizeof(__be32); ++ if (addr) ++ memcpy(addr_buf, addr, addr_len); + + /* Try the new-style interrupts-extended first */ + res = of_parse_phandle_with_args(device, "interrupts-extended", + "#interrupt-cells", index, out_irq); + if (!res) +- return of_irq_parse_raw(addr, out_irq); ++ return of_irq_parse_raw(addr_buf, out_irq); + + /* Look for the interrupt parent. */ + p = of_irq_find_parent(device); +@@ -334,7 +341,7 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar + + + /* Check if there are any interrupt-map translations to process */ +- res = of_irq_parse_raw(addr, out_irq); ++ res = of_irq_parse_raw(addr_buf, out_irq); + out: + of_node_put(p); + return res; +-- +2.43.0 + 
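Review bot: In of_irq_parse_one() `addr_len` is compared against the clamp before `addr` is checked, so for a node without a "reg" property the comparison may read an uninitialised int (assuming of_get_property() leaves the length untouched on a miss; its body is not in the hunk). The literal `3 * sizeof(__be32)` is also written twice next to `addr_buf[3]`, so the bound and the buffer can drift apart. I would declare `int i, res, addr_len = 0;` and clamp with `if (addr_len > sizeof(addr_buf)) addr_len = sizeof(addr_buf);`. Note also that of_irq_parse_raw() now always receives a non-NULL pointer, so any NULL test it makes on its address argument no longer fires; a short comment saying a missing "reg" is passed as an all-zero address would make that intentional.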
diff --git a/queue-4.19/pci-add-missing-bridge-lock-to-pci_bus_lock.patch b/queue-4.19/pci-add-missing-bridge-lock-to-pci_bus_lock.patch
new file mode 100644
index 00000000000..30bc54604bf
--- /dev/null
+++ b/queue-4.19/pci-add-missing-bridge-lock-to-pci_bus_lock.patch
@@ -0,0 +1,163 @@ +From 4d91de223cc71feffb1ee50efd2dfc52b9e831b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 18:04:35 -0700 +Subject: PCI: Add missing bridge lock to pci_bus_lock() + +From: Dan Williams + +[ Upstream commit a4e772898f8bf2e7e1cf661a12c60a5612c4afab ] + +One of the true positives that the cfg_access_lock lockdep effort +identified is this sequence: + + WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 + RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 + Call Trace: + + ? __warn+0x8c/0x190 + ? pci_bridge_secondary_bus_reset+0x5d/0x70 + ? report_bug+0x1f8/0x200 + ? handle_bug+0x3c/0x70 + ? exc_invalid_op+0x18/0x70 + ? asm_exc_invalid_op+0x1a/0x20 + ? pci_bridge_secondary_bus_reset+0x5d/0x70 + pci_reset_bus+0x1d8/0x270 + vmd_probe+0x778/0xa10 + pci_device_probe+0x95/0x120 + +Where pci_reset_bus() users are triggering unlocked secondary bus resets. +Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses +pci_bus_lock() before issuing the reset which locks everything *but* the +bridge itself. + +For the same motivation as adding: + + bridge = pci_upstream_bridge(dev); + if (bridge) + pci_dev_lock(bridge); + +to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add +pci_dev_lock() for @bus->self to pci_bus_lock(). 
+ +Link: https://lore.kernel.org/r/171711747501.1628941.15217746952476635316.stgit@dwillia2-xfh.jf.intel.com +Reported-by: Imre Deak +Closes: http://lore.kernel.org/r/6657833b3b5ae_14984b29437@dwillia2-xfh.jf.intel.com.notmuch +Signed-off-by: Dan Williams +Signed-off-by: Keith Busch +[bhelgaas: squash in recursive locking deadlock fix from Keith Busch: +https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com] +Signed-off-by: Bjorn Helgaas +Tested-by: Hans de Goede +Tested-by: Kalle Valo +Reviewed-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 35 +++++++++++++++++++++-------------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 4f229cb5d2a9..aa2be8d81504 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -4957,10 +4957,12 @@ static void pci_bus_lock(struct pci_bus *bus) + { + struct pci_dev *dev; + ++ pci_dev_lock(bus->self); + list_for_each_entry(dev, &bus->devices, bus_list) { +- pci_dev_lock(dev); + if (dev->subordinate) + pci_bus_lock(dev->subordinate); ++ else ++ pci_dev_lock(dev); + } + } + +@@ -4972,8 +4974,10 @@ static void pci_bus_unlock(struct pci_bus *bus) + list_for_each_entry(dev, &bus->devices, bus_list) { + if (dev->subordinate) + pci_bus_unlock(dev->subordinate); +- pci_dev_unlock(dev); ++ else ++ pci_dev_unlock(dev); + } ++ pci_dev_unlock(bus->self); + } + + /* Return 1 on successful lock, 0 on contention */ +@@ -4981,15 +4985,15 @@ static int pci_bus_trylock(struct pci_bus *bus) + { + struct pci_dev *dev; + ++ if (!pci_dev_trylock(bus->self)) ++ return 0; ++ + list_for_each_entry(dev, &bus->devices, bus_list) { +- if (!pci_dev_trylock(dev)) +- goto unlock; + if (dev->subordinate) { +- if (!pci_bus_trylock(dev->subordinate)) { +- pci_dev_unlock(dev); ++ if (!pci_bus_trylock(dev->subordinate)) + goto unlock; +- } +- } ++ } else if (!pci_dev_trylock(dev)) ++ goto unlock; + } + return 1; + +@@ -4997,8 +5001,10 @@ static int 
pci_bus_trylock(struct pci_bus *bus) + list_for_each_entry_continue_reverse(dev, &bus->devices, bus_list) { + if (dev->subordinate) + pci_bus_unlock(dev->subordinate); +- pci_dev_unlock(dev); ++ else ++ pci_dev_unlock(dev); + } ++ pci_dev_unlock(bus->self); + return 0; + } + +@@ -5030,9 +5036,10 @@ static void pci_slot_lock(struct pci_slot *slot) + list_for_each_entry(dev, &slot->bus->devices, bus_list) { + if (!dev->slot || dev->slot != slot) + continue; +- pci_dev_lock(dev); + if (dev->subordinate) + pci_bus_lock(dev->subordinate); ++ else ++ pci_dev_lock(dev); + } + } + +@@ -5058,14 +5065,13 @@ static int pci_slot_trylock(struct pci_slot *slot) + list_for_each_entry(dev, &slot->bus->devices, bus_list) { + if (!dev->slot || dev->slot != slot) + continue; +- if (!pci_dev_trylock(dev)) +- goto unlock; + if (dev->subordinate) { + if (!pci_bus_trylock(dev->subordinate)) { + pci_dev_unlock(dev); + goto unlock; + } +- } ++ } else if (!pci_dev_trylock(dev)) ++ goto unlock; + } + return 1; + +@@ -5076,7 +5082,8 @@ static int pci_slot_trylock(struct pci_slot *slot) + continue; + if (dev->subordinate) + pci_bus_unlock(dev->subordinate); +- pci_dev_unlock(dev); ++ else ++ pci_dev_unlock(dev); + } + return 0; + } +-- +2.43.0 + diff --git a/queue-4.19/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch b/queue-4.19/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch new file mode 100644 index 00000000000..2c67590af55 --- /dev/null +++ b/queue-4.19/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch 
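Review bot: In pci_slot_trylock() the failure branch still calls `pci_dev_unlock(dev)` when `pci_bus_trylock(dev->subordinate)` fails, but after this change `dev` is not locked on that path: the `pci_dev_trylock(dev)` moved into the `else` arm, and pci_bus_trylock() now takes and releases `bus->self` itself. The same line was removed from pci_bus_trylock() in this patch but is left as context here, so the slot path unlocks a device it does not hold. The branch should read `if (!pci_bus_trylock(dev->subordinate)) goto unlock;`. pci_slot_unlock() is not part of the diff; if it still calls `pci_dev_unlock(dev)` unconditionally after `pci_bus_unlock(dev->subordinate)`, it needs the same `else` treatment.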
@@ -0,0 +1,58 @@ +From 823beebb5b49ac29c3848a23870a545e7a97ad8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2024 13:15:06 +0530 +Subject: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv + +From: Krishna Kumar + +[ Upstream commit 335e35b748527f0c06ded9eebb65387f60647fda ] + +The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel +crash when we try to hot-unplug/disable the PCIe switch/bridge from +the PHB. + +The crash occurs because although the MSI data structure has been +released during disable/hot-unplug path and it has been assigned +with NULL, still during unregistration the code was again trying to +explicitly disable the MSI which causes the NULL pointer dereference and +kernel crash. + +The patch fixes the check during unregistration path to prevent invoking +pci_disable_msi/msix() since its data structure is already freed. + +Reported-by: Timothy Pearson +Closes: https://lore.kernel.org/all/1981605666.2142272.1703742465927.JavaMail.zimbra@raptorengineeringinc.com/ +Acked-by: Bjorn Helgaas +Tested-by: Shawn Anastasio +Signed-off-by: Krishna Kumar +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240701074513.94873-2-krishnak@linux.ibm.com +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pnv_php.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c +index 3276a5e4c430..486fad430958 100644 +--- a/drivers/pci/hotplug/pnv_php.c ++++ b/drivers/pci/hotplug/pnv_php.c +@@ -35,7 +35,6 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot, + bool disable_device) + { + struct pci_dev *pdev = php_slot->pdev; +- int irq = php_slot->irq; + u16 ctrl; + + if (php_slot->irq > 0) { +@@ -54,7 +53,7 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot, + php_slot->wq = NULL; + } + +- if (disable_device || irq > 0) { ++ if (disable_device) { + if (pdev->msix_enabled) + pci_disable_msix(pdev); + else if 
(pdev->msi_enabled) +-- +2.43.0 + diff --git a/queue-4.19/pcmcia-use-resource_size-function-on-resource-object.patch b/queue-4.19/pcmcia-use-resource_size-function-on-resource-object.patch new file mode 100644 index 00000000000..a77324355ed --- /dev/null +++ b/queue-4.19/pcmcia-use-resource_size-function-on-resource-object.patch @@ -0,0 +1,46 @@ +From 16cfe918cb3d51f5e1d250d11c5bd4393d11d9ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 May 2024 23:31:21 +0100 +Subject: pcmcia: Use resource_size function on resource object + +From: Jules Irenge + +[ Upstream commit 24a025497e7e883bd2adef5d0ece1e9b9268009f ] + +Cocinnele reports a warning + +WARNING: Suspicious code. resource_size is maybe missing with root + +The root cause is the function resource_size is not used when needed + +Use resource_size() on variable "root" of type resource + +Signed-off-by: Jules Irenge +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/yenta_socket.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/pcmcia/yenta_socket.c b/drivers/pcmcia/yenta_socket.c +index ac6a3f46b1e6..738660002ef3 100644 +--- a/drivers/pcmcia/yenta_socket.c ++++ b/drivers/pcmcia/yenta_socket.c +@@ -636,11 +636,11 @@ static int yenta_search_one_res(struct resource *root, struct resource *res, + start = PCIBIOS_MIN_CARDBUS_IO; + end = ~0U; + } else { +- unsigned long avail = root->end - root->start; ++ unsigned long avail = resource_size(root); + int i; + size = BRIDGE_MEM_MAX; +- if (size > avail/8) { +- size = (avail+1)/8; ++ if (size > (avail - 1) / 8) { ++ size = avail / 8; + /* round size down to next power of 2 */ + i = 0; + while ((size /= 2) != 0) +-- +2.43.0 + diff --git a/queue-4.19/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch b/queue-4.19/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch new file mode 100644 index 00000000000..8019990955d --- /dev/null 
+++ b/queue-4.19/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch @@ -0,0 +1,54 @@ +From 771fa6701953729486c11a6fec437286f4ad154a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 09:54:28 +0300 +Subject: platform/x86: dell-smbios: Fix error path in dell_smbios_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Aleksandr Mishin + +[ Upstream commit ffc17e1479e8e9459b7afa80e5d9d40d0dd78abb ] + +In case of error in build_tokens_sysfs(), all the memory that has been +allocated is freed at end of this function. But then free_group() is +called which performs memory deallocation again. + +Also, instead of free_group() call, there should be exit_dell_smbios_smm() +and exit_dell_smbios_wmi() calls, since there is initialization, but there +is no release of resources in case of an error. + +Fix these issues by replacing free_group() call with +exit_dell_smbios_wmi() and exit_dell_smbios_smm(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 33b9ca1e53b4 ("platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens") +Signed-off-by: Aleksandr Mishin +Link: https://lore.kernel.org/r/20240830065428.9544-1-amishin@t-argos.ru +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell-smbios-base.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/dell-smbios-base.c b/drivers/platform/x86/dell-smbios-base.c +index 9e9fc5155789..f5299edb83f5 100644 +--- a/drivers/platform/x86/dell-smbios-base.c ++++ b/drivers/platform/x86/dell-smbios-base.c +@@ -613,7 +613,10 @@ static int __init dell_smbios_init(void) + return 0; + + fail_sysfs: +- free_group(platform_device); ++ if (!wmi) ++ exit_dell_smbios_wmi(); ++ if (!smm) ++ exit_dell_smbios_smm(); + + fail_create_group: + platform_device_del(platform_device); +-- +2.43.0 + 
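Review bot: The new `fail_sysfs` cleanup in dell_smbios_init() tests `!wmi` and `!smm`, which reads like "no WMI/SMM backend" but, if these variables hold the return codes of the two backend init calls (their assignment is outside the hunk), means "this backend initialised and must be torn down". A one-line comment would keep someone from inverting the test later: `/* wmi/smm are init return codes: 0 means that backend was registered */`. The function starts outside the hunk, so the assumption about the two variables should be checked against the full body.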
diff --git a/queue-4.19/rfkill-fix-spelling-mistake-contidion-to-condition.patch b/queue-4.19/rfkill-fix-spelling-mistake-contidion-to-condition.patch new file mode 100644 index 00000000000..85649a2720c --- /dev/null +++ b/queue-4.19/rfkill-fix-spelling-mistake-contidion-to-condition.patch @@ -0,0 +1,39 @@ +From d432b55ecd36ea63222b2e0082991f8561ef1ef4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jul 2018 15:41:38 -0400 +Subject: rfkill: fix spelling mistake contidion to condition + +From: Richard Guy Briggs + +[ Upstream commit f404c3ecc401b3617c454c06a3d36a43a01f1aaf ] + +This came about while trying to determine if there would be any pattern +match on contid, a new audit container identifier internal variable. +This was the only one. + +Signed-off-by: Richard Guy Briggs +Signed-off-by: Johannes Berg +Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN") +Signed-off-by: Sasha Levin +--- + net/rfkill/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/rfkill/core.c b/net/rfkill/core.c +index d6467cbf5c4f..d138a2123d70 100644 +--- a/net/rfkill/core.c ++++ b/net/rfkill/core.c +@@ -510,8 +510,8 @@ void rfkill_remove_epo_lock(void) + /** + * rfkill_is_epo_lock_active - returns true EPO is active + * +- * Returns 0 (false) if there is NOT an active EPO contidion, +- * and 1 (true) if there is an active EPO contition, which ++ * Returns 0 (false) if there is NOT an active EPO condition, ++ * and 1 (true) if there is an active EPO condition, which + * locks all radios in one of the BLOCKED states. + * + * Can be called in atomic context. +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 322b69eb91d..87c1ef5b2f1 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -23,3 +23,50 @@ fuse-use-unsigned-type-for-getxattr-listxattr-size-truncation.patch clk-qcom-clk-alpha-pll-fix-the-pll-post-div-mask.patch nilfs2-fix-missing-cleanup-on-rollforward-recovery-error.patch nilfs2-fix-state-management-in-error-path-of-log-writing-function.patch +alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch +smack-unix-sockets-fix-accept-ed-socket-label.patch +irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch +af_unix-remove-put_pid-put_cred-in-copy_peercred.patch +netfilter-nf_conncount-fix-wrong-variable-type.patch +udf-avoid-excessive-partition-lengths.patch +wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch +media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch +pcmcia-use-resource_size-function-on-resource-object.patch +can-bcm-remove-proc-entry-when-dev-is-unregistered.patch +igb-fix-not-clearing-timesync-interrupts-for-82580.patch +platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch +cx82310_eth-re-enable-ethernet-mode-after-router-reb.patch +drivers-net-usb-remove-all-strcpy-uses.patch +net-usb-don-t-write-directly-to-netdev-dev_addr.patch +usbnet-modern-method-to-get-random-mac.patch +rfkill-fix-spelling-mistake-contidion-to-condition.patch +net-bridge-add-support-for-sticky-fdb-entries.patch +bridge-switchdev-allow-clearing-fdb-entry-offload-in.patch +net-bridge-fdb-convert-is_local-to-bitops.patch +net-bridge-fdb-convert-is_static-to-bitops.patch +net-bridge-fdb-convert-is_sticky-to-bitops.patch +net-bridge-fdb-convert-added_by_user-to-bitops.patch +net-bridge-fdb-convert-added_by_external_learn-to-us.patch +net-bridge-br_fdb_external_learn_add-always-set-ext_.patch +net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch +iommu-vt-d-handle-volatile-descriptor-status-read.patch +cgroup-protect-css-cgroup-write-under-css_set_lock.patch +um-line-always-fill-error_out-in-setup_one_line.patch +devres-initialize-an-uninitialized-struct-member.patch 
+pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch +hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch +hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch +hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch +hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch +wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch +smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch +btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch +btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch +pci-add-missing-bridge-lock-to-pci_bus_lock.patch +btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch +hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch +input-uinput-reject-requests-with-unreasonable-numbe.patch +usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch +squashfs-sanity-check-symbolic-link-size.patch +of-irq-prevent-device-address-out-of-bounds-read-in-.patch +ata-pata_macio-use-warn-instead-of-bug.patch diff --git a/queue-4.19/smack-unix-sockets-fix-accept-ed-socket-label.patch b/queue-4.19/smack-unix-sockets-fix-accept-ed-socket-label.patch new file mode 100644 index 00000000000..aeb0d4348ed --- /dev/null +++ b/queue-4.19/smack-unix-sockets-fix-accept-ed-socket-label.patch 
@@ -0,0 +1,60 @@
+From c1aba40e51ac08449b1036a1b57f3ed993f69175 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jun 2024 01:44:30 +0300
+Subject: smack: unix sockets: fix accept()ed socket label
+
+From: Konstantin Andreev
+
+[ Upstream commit e86cac0acdb1a74f608bacefe702f2034133a047 ]
+
+When a process accept()s connection from a unix socket
+(either stream or seqpacket)
+it gets the socket with the label of the connecting process.
+
+For example, if a connecting process has a label 'foo',
+the accept()ed socket will also have 'in' and 'out' labels 'foo',
+regardless of the label of the listener process.
+
+This is because kernel creates unix child sockets
+in the context of the connecting process.
+
+I do not see any obvious way for the listener to abuse
+alien labels coming with the new socket, but,
+to be on the safe side, it's better fix new socket labels.
+
+Signed-off-by: Konstantin Andreev
+Signed-off-by: Casey Schaufler
+Signed-off-by: Sasha Levin
+---
+ security/smack/smack_lsm.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 158f4df39be4..00d8e1b53b2a 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -3745,12 +3745,18 @@ static int smack_unix_stream_connect(struct sock *sock,
+ }
+ }
+
+- /*
+- * Cross reference the peer labels for SO_PEERSEC.
+- */
+ if (rc == 0) {
++ /*
++ * Cross reference the peer labels for SO_PEERSEC.
++ */
+ nsp->smk_packet = ssp->smk_out;
+ ssp->smk_packet = osp->smk_out;
++
++ /*
++ * new/child/established socket must inherit listening socket labels
++ */
++ nsp->smk_out = osp->smk_out;
++ nsp->smk_in = osp->smk_in;
+ }
+
+ return rc;
+--
+2.43.0
+
diff --git a/queue-4.19/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch b/queue-4.19/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch
new file mode 100644
index 00000000000..a107465bf6f
--- /dev/null
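Review bot: The new comment in the `if (rc == 0)` block of smack_unix_stream_connect() says what is copied but not why; the reason is only given in the commit message. A line such as `/* the child socket is created in the connecting task's context; give it the listener's labels instead */` above the `nsp->smk_out` and `nsp->smk_in` assignments would keep that rationale next to the code. The SO_PEERSEC cross reference just above reads `ssp->smk_out` and `osp->smk_out`, so the relabel does not change what it stores. The function starts before this hunk, so how `rc` is set by the earlier checks is not visible here.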
+++ b/queue-4.19/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch
@@ -0,0 +1,45 @@
+From edf302a33a65a39f2cf59fbcf328b070fe1a4f99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Jul 2024 14:52:13 +0800
+Subject: smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
+
+From: Zqiang
+
+[ Upstream commit 77aeb1b685f9db73d276bad4bb30d48505a6fd23 ]
+
+For CONFIG_DEBUG_OBJECTS_WORK=y kernels sscs.work defined by
+INIT_WORK_ONSTACK() is initialized by debug_object_init_on_stack() for
+the debug check in __init_work() to work correctly.
+
+But this lacks the counterpart to remove the tracked object from debug
+objects again, which will cause a debug object warning once the stack is
+freed.
+
+Add the missing destroy_work_on_stack() invocation to cure that.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Zqiang
+Signed-off-by: Thomas Gleixner
+Tested-by: Paul E. McKenney
+Link: https://lore.kernel.org/r/20240704065213.13559-1-qiang.zhang1211@gmail.com
+Signed-off-by: Sasha Levin
+---
+ kernel/smp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/smp.c b/kernel/smp.c
+index 9fa2fe6c0c05..c5f333258ecf 100644
+--- a/kernel/smp.c
++++ b/kernel/smp.c
+@@ -791,6 +791,7 @@ int smp_call_on_cpu(unsigned int cpu, int (*func)(void *), void *par, bool phys)
+
+ queue_work_on(cpu, system_wq, &sscs.work);
+ wait_for_completion(&sscs.done);
++ destroy_work_on_stack(&sscs.work);
+
+ return sscs.ret;
+ }
+--
+2.43.0
+
diff --git a/queue-4.19/squashfs-sanity-check-symbolic-link-size.patch b/queue-4.19/squashfs-sanity-check-symbolic-link-size.patch
new file mode 100644
index 00000000000..d9add0674ff
--- /dev/null
+++ b/queue-4.19/squashfs-sanity-check-symbolic-link-size.patch
@@ -0,0 +1,68 @@
+From a320717e1c8364d5bbbf8d25b0648c5af828579a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Aug 2024 00:28:21 +0100
+Subject: Squashfs: sanity check symbolic link size
+
+From: Phillip Lougher
+
+[ Upstream commit 810ee43d9cd245d138a2733d87a24858a23f577d ]
+
+Syzkiller reports a "KMSAN: uninit-value in pick_link" bug.
+
+This is caused by an uninitialised page, which is ultimately caused
+by a corrupted symbolic link size read from disk.
+
+The reason why the corrupted symlink size causes an uninitialised
+page is due to the following sequence of events:
+
+1. squashfs_read_inode() is called to read the symbolic
+ link from disk. This assigns the corrupted value
+ 3875536935 to inode->i_size.
+
+2. Later squashfs_symlink_read_folio() is called, which assigns
+ this corrupted value to the length variable, which being a
+ signed int, overflows producing a negative number.
+
+3. The following loop that fills in the page contents checks that
+ the copied bytes is less than length, which being negative means
+ the loop is skipped, producing an uninitialised page.
+
+This patch adds a sanity check which checks that the symbolic
+link size is not larger than expected.
+
+--
+
+Signed-off-by: Phillip Lougher
+Link: https://lore.kernel.org/r/20240811232821.13903-1-phillip@squashfs.org.uk
+Reported-by: Lizhi Xu
+Reported-by: syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000a90e8c061e86a76b@google.com/
+V2: fix spelling mistake.
+Signed-off-by: Christian Brauner
+Signed-off-by: Sasha Levin
+---
+ fs/squashfs/inode.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
+index e9793b1e49a5..89ac1c6de97b 100644
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -289,8 +289,13 @@ int squashfs_read_inode(struct inode *inode, long long ino)
+ if (err < 0)
+ goto failed_read;
+
+- set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+ inode->i_size = le32_to_cpu(sqsh_ino->symlink_size);
++ if (inode->i_size > PAGE_SIZE) {
++ ERROR("Corrupted symlink\n");
++ return -EINVAL;
++ }
++
++ set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+ inode->i_op = &squashfs_symlink_inode_ops;
+ inode_nohighmem(inode);
+ inode->i_data.a_ops = &squashfs_symlink_aops;
+--
+2.43.0
+
diff --git a/queue-4.19/udf-avoid-excessive-partition-lengths.patch b/queue-4.19/udf-avoid-excessive-partition-lengths.patch
new file mode 100644
index 00000000000..a8a79066076
--- /dev/null
+++ b/queue-4.19/udf-avoid-excessive-partition-lengths.patch
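Review bot: The new size check in squashfs_read_inode() returns `-EINVAL` directly while the read failure just above it uses `goto failed_read`, and its message names neither the inode nor the rejected size. What the `failed_read` label does lies outside this hunk, so confirm the direct return skips nothing, or set `err = -EINVAL` and jump there for consistency. For triage of a corrupted image, `ERROR("Corrupted symlink size %lld in inode 0x%llx\n", inode->i_size, ino);` would be more useful than the bare string. Note also that `inode->i_size` already holds the on-disk value when the check fails, which looks harmless only if the caller discards the inode on error.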
@@ -0,0 +1,63 @@
+From 1a59891920072f81361ee978bc692ea6a8776ff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jun 2024 12:52:17 +0200
+Subject: udf: Avoid excessive partition lengths
+
+From: Jan Kara
+
+[ Upstream commit ebbe26fd54a9621994bc16b14f2ba8f84c089693 ]
+
+Avoid mounting filesystems where the partition would overflow the
+32-bits used for block number. Also refuse to mount filesystems where
+the partition length is so large we cannot safely index bits in a
+block bitmap.
+
+Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz
+Signed-off-by: Jan Kara
+Signed-off-by: Sasha Levin
+---
+ fs/udf/super.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 6273ffd312cc..22c76a33f6f3 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1054,12 +1054,19 @@ static int udf_fill_partdesc_info(struct super_block *sb,
+ struct udf_part_map *map;
+ struct udf_sb_info *sbi = UDF_SB(sb);
+ struct partitionHeaderDesc *phd;
++ u32 sum;
+ int err;
+
+ map = &sbi->s_partmaps[p_index];
+
+ map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */
+ map->s_partition_root = le32_to_cpu(p->partitionStartingLocation);
++ if (check_add_overflow(map->s_partition_root, map->s_partition_len,
++ &sum)) {
++ udf_err(sb, "Partition %d has invalid location %u + %u\n",
++ p_index, map->s_partition_root, map->s_partition_len);
++ return -EFSCORRUPTED;
++ }
+
+ if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY))
+ map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY;
+@@ -1115,6 +1122,14 @@ static int udf_fill_partdesc_info(struct super_block *sb,
+ bitmap->s_extPosition = le32_to_cpu(
+ phd->unallocSpaceBitmap.extPosition);
+ map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP;
++ /* Check whether math over bitmap won't overflow.
*/
++ if (check_add_overflow(map->s_partition_len,
++ sizeof(struct spaceBitmapDesc) << 3,
++ &sum)) {
++ udf_err(sb, "Partition %d is too long (%u)\n", p_index,
++ map->s_partition_len);
++ return -EFSCORRUPTED;
++ }
+ udf_debug("unallocSpaceBitmap (part %d) @ %u\n",
+ p_index, bitmap->s_extPosition);
+ }
+--
+2.43.0
+
diff --git a/queue-4.19/um-line-always-fill-error_out-in-setup_one_line.patch b/queue-4.19/um-line-always-fill-error_out-in-setup_one_line.patch
new file mode 100644
index 00000000000..9429325735b
--- /dev/null
+++ b/queue-4.19/um-line-always-fill-error_out-in-setup_one_line.patch
@@ -0,0 +1,44 @@
+From 1f91b37f9214d5f193bd13532e0c5e58238f60c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Jul 2024 17:22:36 +0200
+Subject: um: line: always fill *error_out in setup_one_line()
+
+From: Johannes Berg
+
+[ Upstream commit 824ac4a5edd3f7494ab1996826c4f47f8ef0f63d ]
+
+The pointer isn't initialized by callers, but I have
+encountered cases where it's still printed; initialize
+it in all possible cases in setup_one_line().
+
+Link: https://patch.msgid.link/20240703172235.ad863568b55f.Iaa1eba4db8265d7715ba71d5f6bb8c7ff63d27e9@changeid
+Acked-By: Anton Ivanov
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ arch/um/drivers/line.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c
+index 71e26488dfde..b5c3bc0e6bce 100644
+--- a/arch/um/drivers/line.c
++++ b/arch/um/drivers/line.c
+@@ -391,6 +391,7 @@ int setup_one_line(struct line *lines, int n, char *init,
+ parse_chan_pair(NULL, line, n, opts, error_out);
+ err = 0;
+ }
++ *error_out = "configured as 'none'";
+ } else {
+ char *new = kstrdup(init, GFP_KERNEL);
+ if (!new) {
+@@ -414,6 +415,7 @@ int setup_one_line(struct line *lines, int n, char *init,
+ }
+ }
+ if (err) {
++ *error_out = "failed to parse channel pair";
+ line->init_str = NULL;
+ line->valid = 0;
+ kfree(new);
+--
+2.43.0
+
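Review bot: In the second added check of udf_fill_partdesc_info(), `check_add_overflow()` is handed `map->s_partition_len` (filled from `le32_to_cpu()`), a `size_t` expression `sizeof(struct spaceBitmapDesc) << 3`, and a `u32` result. Older implementations of the overflow helpers expect all three operands to have the same type and warn otherwise, so it is worth confirming how the helper in this 4.19 tree behaves. Casting the constant, `(u32)(sizeof(struct spaceBitmapDesc) << 3)`, keeps the arithmetic in 32 bits either way. `sum` is only a sink in both checks, which a short comment at its declaration would make clear; the function continues outside both hunks.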
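Review bot: Both added assignments in setup_one_line() overwrite `*error_out` unconditionally, including on paths where a more specific message may already be stored. The first sits after the inner block of the 'none' branch, so it also runs when `err` is 0 and after `parse_chan_pair()` was handed `error_out`. The second replaces whatever the failing step stored, if it stores anything; that code is outside the hunk. Since the commit message says callers leave the pointer uninitialised, testing it first is not an option, so a comment such as `/* always set: callers may print *error_out without initialising it */` at each site would record why the overwrite is deliberate.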
diff --git a/queue-4.19/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch b/queue-4.19/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch
new file mode 100644
index 00000000000..e118b11c2c0
--- /dev/null
+++ b/queue-4.19/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch
@@ -0,0 +1,44 @@
+From c5d35898da82e150c68498ff30cfeb6db0154daf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Aug 2024 19:28:05 +0200
+Subject: usbnet: ipheth: race between ipheth_close and error handling
+
+From: Oliver Neukum
+
+[ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ]
+
+ipheth_sndbulk_callback() can submit carrier_work
+as a part of its error handling. That means that
+the driver must make sure that the work is cancelled
+after it has made sure that no more URB can terminate
+with an error condition.
+
+Hence the order of actions in ipheth_close() needs
+to be inverted.
+
+Signed-off-by: Oliver Neukum
+Signed-off-by: Foster Snowhill
+Tested-by: Georgi Valkov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/ipheth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 5e8fd2aa1888..0a86ba028c4d 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -407,8 +407,8 @@ static int ipheth_close(struct net_device *net)
+ {
+ struct ipheth_device *dev = netdev_priv(net);
+
+- cancel_delayed_work_sync(&dev->carrier_work);
+ netif_stop_queue(net);
++ cancel_delayed_work_sync(&dev->carrier_work);
+ return 0;
+ }
+
+--
+2.43.0
+
diff --git a/queue-4.19/usbnet-modern-method-to-get-random-mac.patch b/queue-4.19/usbnet-modern-method-to-get-random-mac.patch
new file mode 100644
index 00000000000..231cd00aa50
--- /dev/null
+++ b/queue-4.19/usbnet-modern-method-to-get-random-mac.patch
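Review bot: In ipheth_close() the new order only ensures that no further transmit is started before `cancel_delayed_work_sync()`; nothing in this function waits for or kills URBs that are already in flight. If ipheth_sndbulk_callback() can still complete with an error after the cancel, `carrier_work` could be queued again on a closed device. Whether the URBs are stopped elsewhere is not visible here. At minimum the ordering deserves a comment, for example `/* stop the queue first: the tx completion handler may schedule carrier_work on error */`.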
@@ -0,0 +1,75 @@
+From 20ed0ddfce3f26d1e7b00073c8360a407aee0417 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Aug 2024 19:50:55 +0200
+Subject: usbnet: modern method to get random MAC
+
+From: Oliver Neukum
+
+[ Upstream commit bab8eb0dd4cb995caa4a0529d5655531c2ec5e8e ]
+
+The driver generates a random MAC once on load
+and uses it over and over, including on two devices
+needing a random MAC at the same time.
+
+Jakub suggested revamping the driver to the modern
+API for setting a random MAC rather than fixing
+the old stuff.
+
+The bug is as old as the driver.
+
+Signed-off-by: Oliver Neukum
+Reviewed-by: Simon Horman
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://patch.msgid.link/20240829175201.670718-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/usbnet.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 16225654d88c..938335f4738d 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -79,9 +79,6 @@
+
+ /*-------------------------------------------------------------------------*/
+
+-// randomly generated ethernet address
+-static u8 node_id [ETH_ALEN];
+-
+ /* use ethtool to change the level for any given device */
+ static int msg_level = -1;
+ module_param (msg_level, int, 0);
+@@ -1725,7 +1722,6 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+
+ dev->net = net;
+ strscpy(net->name, "usb%d", sizeof(net->name));
+- eth_hw_addr_set(net, node_id);
+
+ /* rx and tx sides can use different message sizes;
+ * bind() should set rx_urb_size in that case.
+@@ -1799,9 +1795,9 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+ goto out4;
+ }
+
+- /* let userspace know we have a random address */
+- if (ether_addr_equal(net->dev_addr, node_id))
+- net->addr_assign_type = NET_ADDR_RANDOM;
++ /* this flags the device for user space */
++ if (!is_valid_ether_addr(net->dev_addr))
++ eth_hw_addr_random(net);
+
+ if ((dev->driver_info->flags & FLAG_WLAN) != 0)
+ SET_NETDEV_DEVTYPE(net, &wlan_type);
+@@ -2211,7 +2207,6 @@ static int __init usbnet_init(void)
+ BUILD_BUG_ON(
+ FIELD_SIZEOF(struct sk_buff, cb) < sizeof(struct skb_data));
+
+- eth_random_addr(node_id);
+ return 0;
+ }
+ module_init(usbnet_init);
+--
+2.43.0
+
diff --git a/queue-4.19/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch b/queue-4.19/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch
new file mode 100644
index 00000000000..806ff0e8d4b
--- /dev/null
+++ b/queue-4.19/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch
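Review bot: With `eth_hw_addr_set(net, node_id)` removed early in usbnet_probe() (hunk at line 1722) and the replacement `eth_hw_addr_random(net)` only reached at line 1795, everything in between now runs with whatever address the netdev was allocated with. Any code in that stretch that inspects `net->dev_addr` lies outside these hunks and should be checked for relying on the old pre-filled random value. The new comment `/* this flags the device for user space */` is also vague. Something like `/* no valid address from the minidriver: pick a random one, which also marks it NET_ADDR_RANDOM */` says what the branch actually does.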
@@ -0,0 +1,38 @@
+From 1d3f0ff64c6c2fd83774e00003afa930d537ba09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jun 2024 14:26:09 +0200
+Subject: wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
+
+From: Arend van Spriel
+
+[ Upstream commit dbb5265a5d7cca1cdba7736dba313ab7d07bc19d ]
+
+After being asked about support for WPA3 for BCM43224 chipset it
+was found that all it takes is setting the MFP_CAPABLE flag and
+mac80211 will take care of all that is needed [1].
+
+Link: https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/ [1]
+Signed-off-by: Arend van Spriel
+Tested-by: Reijer Boekhoff
+Signed-off-by: Kalle Valo
+Link: https://patch.msgid.link/20240617122609.349582-1-arend.vanspriel@broadcom.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+index 288d4d4d4454..eb735b054790 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+@@ -1091,6 +1091,7 @@ static int ieee_hw_init(struct ieee80211_hw *hw)
+ ieee80211_hw_set(hw, AMPDU_AGGREGATION);
+ ieee80211_hw_set(hw, SIGNAL_DBM);
+ ieee80211_hw_set(hw, REPORTS_TX_ACK_STATUS);
++ ieee80211_hw_set(hw, MFP_CAPABLE);
+
+ hw->extra_tx_headroom = brcms_c_get_header_len();
+ hw->queues = N_TX_QUEUES;
+--
+2.43.0
+
diff --git a/queue-4.19/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch b/queue-4.19/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch
new file mode 100644
index 00000000000..341137ada68
--- /dev/null
+++ b/queue-4.19/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch
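Review bot: `ieee80211_hw_set(hw, MFP_CAPABLE)` is added unconditionally in ieee_hw_init(), so every device this driver binds to will advertise management frame protection, while the commit message mentions only the BCM43224. It is worth confirming that protected management frames work on the other chips the driver supports, since advertising the capability changes what networks the device will attempt to join. A one-line comment, `/* management frame protection is handled in software by mac80211 */`, would record why no further driver code is needed.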
@@ -0,0 +1,112 @@
+From 19c184dec1f1bee2c5664827177b3917ff1701af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Jul 2024 09:24:09 +0200
+Subject: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
+
+From: Sascha Hauer
+
+[ Upstream commit c145eea2f75ff7949392aebecf7ef0a81c1f6c14 ]
+
+mwifiex_get_priv_by_id() returns the priv pointer corresponding to
+the bss_num and bss_type, but without checking if the priv is actually
+currently in use.
+Unused priv pointers do not have a wiphy attached to them which can
+lead to NULL pointer dereferences further down the callstack. Fix
+this by returning only used priv pointers which have priv->bss_mode
+set to something else than NL80211_IFTYPE_UNSPECIFIED.
+
+Said NULL pointer dereference happened when an Accesspoint was started
+with wpa_supplicant -i mlan0 with this config:
+
+network={
+ ssid="somessid"
+ mode=2
+ frequency=2412
+ key_mgmt=WPA-PSK WPA-PSK-SHA256
+ proto=RSN
+ group=CCMP
+ pairwise=CCMP
+ psk="12345678"
+}
+
+When waiting for the AP to be established, interrupting wpa_supplicant
+with and starting it again this happens:
+
+| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140
+| Mem abort info:
+| ESR = 0x0000000096000004
+| EC = 0x25: DABT (current EL), IL = 32 bits
+| SET = 0, FnV = 0
+| EA = 0, S1PTW = 0
+| FSC = 0x04: level 0 translation fault
+| Data abort info:
+| ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+| CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+| GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000
+| [0000000000000140] pgd=0000000000000000, p4d=0000000000000000
+| Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
+| Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio
++mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs
++imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt
fuse ip_tables x_tables ipv6
+| CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18
+| Hardware name: somemachine (DT)
+| Workqueue: events sdio_irq_work
+| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+| pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex]
+| lr : mwifiex_get_cfp+0x34/0x15c [mwifiex]
+| sp : ffff8000818b3a70
+| x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004
+| x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9
+| x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000
+| x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000
+| x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517
+| x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1
+| x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157
+| x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124
+| x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000
+| x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000
+| Call trace:
+| mwifiex_get_cfp+0xd8/0x15c [mwifiex]
+| mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex]
+| mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex]
+| mwifiex_process_sta_event+0x298/0xf0c [mwifiex]
+| mwifiex_process_event+0x110/0x238 [mwifiex]
+| mwifiex_main_process+0x428/0xa44 [mwifiex]
+| mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio]
+| process_sdio_pending_irqs+0x64/0x1b8
+| sdio_irq_work+0x4c/0x7c
+| process_one_work+0x148/0x2a0
+| worker_thread+0x2fc/0x40c
+| kthread+0x110/0x114
+| ret_from_fork+0x10/0x20
+| Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000)
+| ---[ end trace 0000000000000000 ]---
+
+Signed-off-by: Sascha Hauer
+Acked-by: Brian Norris
+Reviewed-by: Francesco Dolcini
+Signed-off-by: Kalle Valo
+Link: https://patch.msgid.link/20240703072409.556618-1-s.hauer@pengutronix.de
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/marvell/mwifiex/main.h | 3 +++
+ 1 file changed, 3
insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/main.h b/drivers/net/wireless/marvell/mwifiex/main.h
+index 7e526014b638..89774e0316bd 100644
+--- a/drivers/net/wireless/marvell/mwifiex/main.h
++++ b/drivers/net/wireless/marvell/mwifiex/main.h
+@@ -1306,6 +1306,9 @@ mwifiex_get_priv_by_id(struct mwifiex_adapter *adapter,
+
+ for (i = 0; i < adapter->priv_num; i++) {
+ if (adapter->priv[i]) {
++ if (adapter->priv[i]->bss_mode == NL80211_IFTYPE_UNSPECIFIED)
++ continue;
++
+ if ((adapter->priv[i]->bss_num == bss_num) &&
+ (adapter->priv[i]->bss_type == bss_type))
+ break;
+--
+2.43.0
+
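Review bot: Skipping entries whose `bss_mode` is `NL80211_IFTYPE_UNSPECIFIED` makes it more likely that the loop in mwifiex_get_priv_by_id() runs to the end without a match. What the function returns in that case is outside this hunk; if it is NULL, every caller that dereferences the result needs a NULL check, otherwise the crash shown in the commit message only moves to the caller. A comment on the new test, `/* unused privs have no wiphy attached; do not hand them out */`, would keep the reason next to the code.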