From: Greg Kroah-Hartman Date: Fri, 5 Apr 2024 07:27:30 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.15.154~113 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a842e0f80c7d1d8154052b08f176f818870c9657;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: arm64-dts-qcom-sc7180-trogdor-mark-bluetooth-address-as-broken.patch bluetooth-fix-toctou-in-hci-debugfs-implementation.patch bluetooth-hci_event-set-the-conn-encrypted-before-conn-establishes.patch locking-rwsem-disable-preemption-while-trying-for-rwsem-lock.patch net-rds-fix-possible-cp-null-dereference.patch r8169-fix-issue-caused-by-buggy-bios-on-certain-boards-with-rtl8168d.patch x86-cpufeatures-add-cpuid_lnx_5-to-track-recently-added-linux-defined-word.patch x86-cpufeatures-add-new-word-for-scattered-features.patch xen-netfront-add-missing-skb_mark_for_recycle.patch --- diff --git a/queue-5.15/arm64-dts-qcom-sc7180-trogdor-mark-bluetooth-address-as-broken.patch b/queue-5.15/arm64-dts-qcom-sc7180-trogdor-mark-bluetooth-address-as-broken.patch new file mode 100644 index 00000000000..206a6a7c61f --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sc7180-trogdor-mark-bluetooth-address-as-broken.patch 
@@ -0,0 +1,50 @@ +From e12e28009e584c8f8363439f6a928ec86278a106 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 20 Mar 2024 08:55:52 +0100 +Subject: arm64: dts: qcom: sc7180-trogdor: mark bluetooth address as broken + +From: Johan Hovold + +commit e12e28009e584c8f8363439f6a928ec86278a106 upstream. + +Several Qualcomm Bluetooth controllers lack persistent storage for the +device address and instead one can be provided by the boot firmware +using the 'local-bd-address' devicetree property. + +The Bluetooth bindings clearly states that the address should be +specified in little-endian order, but due to a long-standing bug in the +Qualcomm driver which reversed the address some boot firmware has been +providing the address in big-endian order instead. + +The boot firmware in SC7180 Trogdor Chromebooks is known to be affected +so mark the 'local-bd-address' property as broken to maintain backwards +compatibility with older firmware when fixing the underlying driver bug. + +Note that ChromeOS always updates the kernel and devicetree in lockstep +so that there is no need to handle backwards compatibility with older +devicetrees. + +Fixes: 7ec3e67307f8 ("arm64: dts: qcom: sc7180-trogdor: add initial trogdor and lazor dt") +Cc: stable@vger.kernel.org # 5.10 +Cc: Rob Clark +Reviewed-by: Douglas Anderson +Signed-off-by: Johan Hovold +Acked-by: Bjorn Andersson +Reviewed-by: Bjorn Andersson +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sc7180-trogdor.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/qcom/sc7180-trogdor.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7180-trogdor.dtsi +@@ -911,6 +911,8 @@ ap_spi_fp: &spi10 { + vddrf-supply = <&pp1300_l2c>; + vddch0-supply = <&pp3300_l10c>; + max-speed = <3200000>; ++ ++ qcom,local-bd-address-broken; + }; + }; + 
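Review bot: the sc7180-trogdor.dtsi hunk only adds the marker property `qcom,local-bd-address-broken;`, which has no effect until the driver change it pairs with (the fix for the reversed-address bug the commit message describes) is also in the tree; the series additions in this commit carry no such driver patch, so confirm the consumer of this property is already present in 5.15 or queued alongside, otherwise the marker is inert and the backwards-compatibility intent stated in the message is not met.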
diff --git a/queue-5.15/bluetooth-fix-toctou-in-hci-debugfs-implementation.patch b/queue-5.15/bluetooth-fix-toctou-in-hci-debugfs-implementation.patch new file mode 100644 index 00000000000..6a5e73e7a7d --- /dev/null +++ b/queue-5.15/bluetooth-fix-toctou-in-hci-debugfs-implementation.patch 
@@ -0,0 +1,192 @@ +From 7835fcfd132eb88b87e8eb901f88436f63ab60f7 Mon Sep 17 00:00:00 2001 +From: Bastien Nocera +Date: Wed, 27 Mar 2024 15:24:56 +0100 +Subject: Bluetooth: Fix TOCTOU in HCI debugfs implementation + +From: Bastien Nocera + +commit 7835fcfd132eb88b87e8eb901f88436f63ab60f7 upstream. + +struct hci_dev members conn_info_max_age, conn_info_min_age, +le_conn_max_interval, le_conn_min_interval, le_adv_max_interval, +and le_adv_min_interval can be modified from the HCI core code, as well +through debugfs. + +The debugfs implementation, that's only available to privileged users, +will check for boundaries, making sure that the minimum value being set +is strictly above the maximum value that already exists, and vice-versa. + +However, as both minimum and maximum values can be changed concurrently +to us modifying them, we need to make sure that the value we check is +the value we end up using. + +For example, with ->conn_info_max_age set to 10, conn_info_min_age_set() +gets called from vfs handlers to set conn_info_min_age to 8. + +In conn_info_min_age_set(), this goes through: + if (val == 0 || val > hdev->conn_info_max_age) + return -EINVAL; + +Concurrently, conn_info_max_age_set() gets called to set to set the +conn_info_max_age to 7: + if (val == 0 || val > hdev->conn_info_max_age) + return -EINVAL; +That check will also pass because we used the old value (10) for +conn_info_max_age. + +After those checks that both passed, the struct hci_dev access +is mutex-locked, disabling concurrent access, but that does not matter +because the invalid value checks both passed, and we'll end up with +conn_info_min_age = 8 and conn_info_max_age = 7 + +To fix this problem, we need to lock the structure access before so the +check and assignment are not interrupted. + +This fix was originally devised by the BassCheck[1] team, and +considered the problem to be an atomicity one. 
This isn't the case as +there aren't any concerns about the variable changing while we check it, +but rather after we check it parallel to another change. + +This patch fixes CVE-2024-24858 and CVE-2024-24857. + +[1] https://sites.google.com/view/basscheck/ + +Co-developed-by: Gui-Dong Han <2045gemini@gmail.com> +Signed-off-by: Gui-Dong Han <2045gemini@gmail.com> +Link: https://lore.kernel.org/linux-bluetooth/20231222161317.6255-1-2045gemini@gmail.com/ +Link: https://nvd.nist.gov/vuln/detail/CVE-2024-24858 +Link: https://lore.kernel.org/linux-bluetooth/20231222162931.6553-1-2045gemini@gmail.com/ +Link: https://lore.kernel.org/linux-bluetooth/20231222162310.6461-1-2045gemini@gmail.com/ +Link: https://nvd.nist.gov/vuln/detail/CVE-2024-24857 +Fixes: 31ad169148df ("Bluetooth: Add conn info lifetime parameters to debugfs") +Fixes: 729a1051da6f ("Bluetooth: Expose default LE advertising interval via debugfs") +Fixes: 71c3b60ec6d2 ("Bluetooth: Move BR/EDR debugfs file creation into hci_debugfs.c") +Signed-off-by: Bastien Nocera +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_debugfs.c | 48 +++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 16 deletions(-) + +--- a/net/bluetooth/hci_debugfs.c ++++ b/net/bluetooth/hci_debugfs.c +@@ -216,10 +216,12 @@ static int conn_info_min_age_set(void *d + { + struct hci_dev *hdev = data; + +- if (val == 0 || val > hdev->conn_info_max_age) ++ hci_dev_lock(hdev); ++ if (val == 0 || val > hdev->conn_info_max_age) { ++ hci_dev_unlock(hdev); + return -EINVAL; ++ } + +- hci_dev_lock(hdev); + hdev->conn_info_min_age = val; + hci_dev_unlock(hdev); + +@@ -244,10 +246,12 @@ static int conn_info_max_age_set(void *d + { + struct hci_dev *hdev = data; + +- if (val == 0 || val < hdev->conn_info_min_age) ++ hci_dev_lock(hdev); ++ if (val == 0 || val < hdev->conn_info_min_age) { ++ hci_dev_unlock(hdev); + return -EINVAL; ++ } + +- hci_dev_lock(hdev); + 
hdev->conn_info_max_age = val; + hci_dev_unlock(hdev); + +@@ -565,10 +569,12 @@ static int sniff_min_interval_set(void * + { + struct hci_dev *hdev = data; + +- if (val == 0 || val % 2 || val > hdev->sniff_max_interval) ++ hci_dev_lock(hdev); ++ if (val == 0 || val % 2 || val > hdev->sniff_max_interval) { ++ hci_dev_unlock(hdev); + return -EINVAL; ++ } + +- hci_dev_lock(hdev); + hdev->sniff_min_interval = val; + hci_dev_unlock(hdev); + +@@ -593,10 +599,12 @@ static int sniff_max_interval_set(void * + { + struct hci_dev *hdev = data; + +- if (val == 0 || val % 2 || val < hdev->sniff_min_interval) ++ hci_dev_lock(hdev); ++ if (val == 0 || val % 2 || val < hdev->sniff_min_interval) { ++ hci_dev_unlock(hdev); + return -EINVAL; ++ } + +- hci_dev_lock(hdev); + hdev->sniff_max_interval = val; + hci_dev_unlock(hdev); + +@@ -848,10 +856,12 @@ static int conn_min_interval_set(void *d + { + struct hci_dev *hdev = data; + +- if (val < 0x0006 || val > 0x0c80 || val > hdev->le_conn_max_interval) ++ hci_dev_lock(hdev); ++ if (val < 0x0006 || val > 0x0c80 || val > hdev->le_conn_max_interval) { ++ hci_dev_unlock(hdev); + return -EINVAL; ++ } + +- hci_dev_lock(hdev); + hdev->le_conn_min_interval = val; + hci_dev_unlock(hdev); + +@@ -876,10 +886,12 @@ static int conn_max_interval_set(void *d + { + struct hci_dev *hdev = data; + +- if (val < 0x0006 || val > 0x0c80 || val < hdev->le_conn_min_interval) ++ hci_dev_lock(hdev); ++ if (val < 0x0006 || val > 0x0c80 || val < hdev->le_conn_min_interval) { ++ hci_dev_unlock(hdev); + return -EINVAL; ++ } + +- hci_dev_lock(hdev); + hdev->le_conn_max_interval = val; + hci_dev_unlock(hdev); + +@@ -988,10 +1000,12 @@ static int adv_min_interval_set(void *da + { + struct hci_dev *hdev = data; + +- if (val < 0x0020 || val > 0x4000 || val > hdev->le_adv_max_interval) ++ hci_dev_lock(hdev); ++ if (val < 0x0020 || val > 0x4000 || val > hdev->le_adv_max_interval) { ++ hci_dev_unlock(hdev); + return -EINVAL; ++ } + +- hci_dev_lock(hdev); + 
hdev->le_adv_min_interval = val; + hci_dev_unlock(hdev); + +@@ -1016,10 +1030,12 @@ static int adv_max_interval_set(void *da + { + struct hci_dev *hdev = data; + +- if (val < 0x0020 || val > 0x4000 || val < hdev->le_adv_min_interval) ++ hci_dev_lock(hdev); ++ if (val < 0x0020 || val > 0x4000 || val < hdev->le_adv_min_interval) { ++ hci_dev_unlock(hdev); + return -EINVAL; ++ } + +- hci_dev_lock(hdev); + hdev->le_adv_max_interval = val; + hci_dev_unlock(hdev); + diff --git a/queue-5.15/bluetooth-hci_event-set-the-conn-encrypted-before-conn-establishes.patch b/queue-5.15/bluetooth-hci_event-set-the-conn-encrypted-before-conn-establishes.patch new file mode 100644 index 00000000000..262d2fbe60c --- /dev/null +++ b/queue-5.15/bluetooth-hci_event-set-the-conn-encrypted-before-conn-establishes.patch 
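Review bot: the worked example in the commit message quotes the wrong condition for the second setter; conn_info_max_age_set() checks `val < hdev->conn_info_min_age` (as the hunk shows), not `val > hdev->conn_info_max_age`, and the race is that its read of conn_info_min_age sees the old value, so the message should quote that check and also mention sniff_min_interval_set()/sniff_max_interval_set(), which the diff changes but the message's list of members omits. The reordering itself is right: hci_dev_lock() now covers both the read of the paired bound and the store, and every early return unlocks; since all eight setters repeat the same lock/check/unlock/return shape, a small helper taking the bound comparison would remove the duplicated error-path unlock.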
@@ -0,0 +1,108 @@ +From c569242cd49287d53b73a94233db40097d838535 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Wed, 27 Mar 2024 12:30:30 +0800 +Subject: Bluetooth: hci_event: set the conn encrypted before conn establishes + +From: Hui Wang + +commit c569242cd49287d53b73a94233db40097d838535 upstream. + +We have a BT headset (Lenovo Thinkplus XT99), the pairing and +connecting has no problem, once this headset is paired, bluez will +remember this device and will auto re-connect it whenever the device +is powered on. The auto re-connecting works well with Windows and +Android, but with Linux, it always fails. Through debugging, we found +at the rfcomm connection stage, the bluetooth stack reports +"Connection refused - security block (0x0003)". + +For this device, the re-connecting negotiation process is different +from other BT headsets, it sends the Link_KEY_REQUEST command before +the CONNECT_REQUEST completes, and it doesn't send ENCRYPT_CHANGE +command during the negotiation. When the device sends the "connect +complete" to hci, the ev->encr_mode is 1. + +So here in the conn_complete_evt(), if ev->encr_mode is 1, link type +is ACL and HCI_CONN_ENCRYPT is not set, we set HCI_CONN_ENCRYPT to +this conn, and update conn->enc_key_size accordingly. + +After this change, this BT headset could re-connect with Linux +successfully. This is the btmon log after applying the patch, after +receiving the "Connect Complete" with "Encryption: Enabled", will send +the command to read encryption key size: +> HCI Event: Connect Request (0x04) plen 10 + Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA) + Class: 0x240404 + Major class: Audio/Video (headset, speaker, stereo, video, vcr) + Minor class: Wearable Headset Device + Rendering (Printing, Speaker) + Audio (Speaker, Microphone, Headset) + Link type: ACL (0x01) +... 
+> HCI Event: Link Key Request (0x17) plen 6 + Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA) +< HCI Command: Link Key Request Reply (0x01|0x000b) plen 22 + Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA) + Link key: ${32-hex-digits-key} +... +> HCI Event: Connect Complete (0x03) plen 11 + Status: Success (0x00) + Handle: 256 + Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA) + Link type: ACL (0x01) + Encryption: Enabled (0x01) +< HCI Command: Read Encryption Key... (0x05|0x0008) plen 2 + Handle: 256 +< ACL Data TX: Handle 256 flags 0x00 dlen 10 + L2CAP: Information Request (0x0a) ident 1 len 2 + Type: Extended features supported (0x0002) +> HCI Event: Command Complete (0x0e) plen 7 + Read Encryption Key Size (0x05|0x0008) ncmd 1 + Status: Success (0x00) + Handle: 256 + Key size: 16 + +Cc: stable@vger.kernel.org +Link: https://github.com/bluez/bluez/issues/704 +Reviewed-by: Paul Menzel +Reviewed-by: Luiz Augusto von Dentz +Signed-off-by: Hui Wang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_event.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2729,6 +2729,31 @@ static void hci_conn_complete_evt(struct + if (test_bit(HCI_ENCRYPT, &hdev->flags)) + set_bit(HCI_CONN_ENCRYPT, &conn->flags); + ++ /* "Link key request" completed ahead of "connect request" completes */ ++ if (ev->encr_mode == 1 && !test_bit(HCI_CONN_ENCRYPT, &conn->flags) && ++ ev->link_type == ACL_LINK) { ++ struct link_key *key; ++ struct hci_cp_read_enc_key_size cp; ++ ++ key = hci_find_link_key(hdev, &ev->bdaddr); ++ if (key) { ++ set_bit(HCI_CONN_ENCRYPT, &conn->flags); ++ ++ if (!(hdev->commands[20] & 0x10)) { ++ conn->enc_key_size = HCI_LINK_KEY_SIZE; ++ } else { ++ cp.handle = cpu_to_le16(conn->handle); ++ if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, ++ sizeof(cp), &cp)) { ++ bt_dev_err(hdev, "sending read key size failed"); ++ conn->enc_key_size = HCI_LINK_KEY_SIZE; 
++ } ++ } ++ ++ hci_encrypt_cfm(conn, ev->status); ++ } ++ } ++ + /* Get remote features */ + if (conn->type == ACL_LINK) { + struct hci_cp_read_remote_features cp; diff --git a/queue-5.15/locking-rwsem-disable-preemption-while-trying-for-rwsem-lock.patch b/queue-5.15/locking-rwsem-disable-preemption-while-trying-for-rwsem-lock.patch new file mode 100644 index 00000000000..dc7aa2d6d1a --- /dev/null +++ b/queue-5.15/locking-rwsem-disable-preemption-while-trying-for-rwsem-lock.patch 
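Review bot: in the hci_conn_complete_evt() hunk, hci_encrypt_cfm(conn, ev->status) runs right after HCI_OP_READ_ENC_KEY_SIZE is queued, so on the path where the controller supports that command conn->enc_key_size has not been populated when the confirmation callbacks run (only the two fallback branches set it before confirming); unless the completion handler for that command already issues the confirmation, in which case this call is a duplicate, consider deferring hci_encrypt_cfm() to that completion on this path. Separately, the send-failure fallback to HCI_LINK_KEY_SIZE assumes the maximum key size for a link whose size the controller did not report, which is the optimistic choice; a comment stating why that is acceptable here would help. Nit: the comment "Link key request" completed ahead of "connect request" completes reads awkwardly.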
@@ -0,0 +1,92 @@ +From 48dfb5d2560d36fb16c7d430c229d1604ea7d185 Mon Sep 17 00:00:00 2001 +From: Gokul krishna Krishnakumar +Date: Thu, 8 Sep 2022 23:54:27 +0530 +Subject: locking/rwsem: Disable preemption while trying for rwsem lock + +From: Gokul krishna Krishnakumar + +commit 48dfb5d2560d36fb16c7d430c229d1604ea7d185 upstream. + +Make the region inside the rwsem_write_trylock non preemptible. + +We observe RT task is hogging CPU when trying to acquire rwsem lock +which was acquired by a kworker task but before the rwsem owner was set. + +Here is the scenario: +1. CFS task (affined to a particular CPU) takes rwsem lock. + +2. CFS task gets preempted by a RT task before setting owner. + +3. RT task (FIFO) is trying to acquire the lock, but spinning until +RT throttling happens for the lock as the lock was taken by CFS task. + +This patch attempts to fix the above issue by disabling preemption +until owner is set for the lock. While at it also fix the issues +at the places where rwsem_{set,clear}_owner() are called. + +This also adds lockdep annotation of preemption disable in +rwsem_{set,clear}_owner() on Peter Z. suggestion. + +Signed-off-by: Gokul krishna Krishnakumar +Signed-off-by: Mukesh Ojha +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Waiman Long +Link: https://lore.kernel.org/r/1662661467-24203-1-git-send-email-quic_mojha@quicinc.com +Cc: Aaro Koskinen +Signed-off-by: Greg Kroah-Hartman +--- + kernel/locking/rwsem.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/kernel/locking/rwsem.c ++++ b/kernel/locking/rwsem.c +@@ -133,14 +133,19 @@ + * the owner value concurrently without lock. Read from owner, however, + * may not need READ_ONCE() as long as the pointer value is only used + * for comparison and isn't being dereferenced. ++ * ++ * Both rwsem_{set,clear}_owner() functions should be in the same ++ * preempt disable section as the atomic op that changes sem->count. 
+ */ + static inline void rwsem_set_owner(struct rw_semaphore *sem) + { ++ lockdep_assert_preemption_disabled(); + atomic_long_set(&sem->owner, (long)current); + } + + static inline void rwsem_clear_owner(struct rw_semaphore *sem) + { ++ lockdep_assert_preemption_disabled(); + atomic_long_set(&sem->owner, 0); + } + +@@ -251,13 +256,16 @@ static inline bool rwsem_read_trylock(st + static inline bool rwsem_write_trylock(struct rw_semaphore *sem) + { + long tmp = RWSEM_UNLOCKED_VALUE; ++ bool ret = false; + ++ preempt_disable(); + if (atomic_long_try_cmpxchg_acquire(&sem->count, &tmp, RWSEM_WRITER_LOCKED)) { + rwsem_set_owner(sem); +- return true; ++ ret = true; + } + +- return false; ++ preempt_enable(); ++ return ret; + } + + /* +@@ -1341,8 +1349,10 @@ static inline void __up_write(struct rw_ + DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && + !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE), sem); + ++ preempt_disable(); + rwsem_clear_owner(sem); + tmp = atomic_long_fetch_add_release(-RWSEM_WRITER_LOCKED, &sem->count); ++ preempt_enable(); + if (unlikely(tmp & RWSEM_FLAG_WAITERS)) + rwsem_wake(sem); + } diff --git a/queue-5.15/net-rds-fix-possible-cp-null-dereference.patch b/queue-5.15/net-rds-fix-possible-cp-null-dereference.patch new file mode 100644 index 00000000000..d49821fd971 --- /dev/null +++ b/queue-5.15/net-rds-fix-possible-cp-null-dereference.patch 
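Review bot: the new lockdep_assert_preemption_disabled() in rwsem_set_owner()/rwsem_clear_owner() fires for every caller, but the diff only wraps rwsem_write_trylock() and __up_write() in preempt_disable()/preempt_enable(); the commit message says the other call sites were also fixed, so for the 5.15 backport confirm that every remaining caller of these helpers in kernel/locking/rwsem.c already runs with preemption disabled, otherwise a lockdep-enabled build will warn. The __up_write() hunk looks right as is: rwsem_wake() stays outside the preempt-disabled region.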
@@ -0,0 +1,66 @@ +From 62fc3357e079a07a22465b9b6ef71bb6ea75ee4b Mon Sep 17 00:00:00 2001 +From: Mahmoud Adam +Date: Tue, 26 Mar 2024 16:31:33 +0100 +Subject: net/rds: fix possible cp null dereference + +From: Mahmoud Adam + +commit 62fc3357e079a07a22465b9b6ef71bb6ea75ee4b upstream. + +cp might be null, calling cp->cp_conn would produce null dereference + +[Simon Horman adds:] + +Analysis: + +* cp is a parameter of __rds_rdma_map and is not reassigned. + +* The following call-sites pass a NULL cp argument to __rds_rdma_map() + + - rds_get_mr() + - rds_get_mr_for_dest + +* Prior to the code above, the following assumes that cp may be NULL + (which is indicative, but could itself be unnecessary) + + trans_private = rs->rs_transport->get_mr( + sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL, + args->vec.addr, args->vec.bytes, + need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED); + +* The code modified by this patch is guarded by IS_ERR(trans_private), + where trans_private is assigned as per the previous point in this analysis. + + The only implementation of get_mr that I could locate is rds_ib_get_mr() + which can return an ERR_PTR if the conn (4th) argument is NULL. + +* ret is set to PTR_ERR(trans_private). + rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL. + Thus ret may be -ENODEV in which case the code in question will execute. 
+ +Conclusion: +* cp may be NULL at the point where this patch adds a check; + this patch does seem to address a possible bug + +Fixes: c055fc00c07b ("net/rds: fix WARNING in rds_conn_connect_if_down") +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Mahmoud Adam +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240326153132.55580-1-mngyadam@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/rdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/rds/rdma.c ++++ b/net/rds/rdma.c +@@ -302,7 +302,7 @@ static int __rds_rdma_map(struct rds_soc + } + ret = PTR_ERR(trans_private); + /* Trigger connection so that its ready for the next retry */ +- if (ret == -ENODEV) ++ if (ret == -ENODEV && cp) + rds_conn_connect_if_down(cp->cp_conn); + goto out; + } diff --git a/queue-5.15/r8169-fix-issue-caused-by-buggy-bios-on-certain-boards-with-rtl8168d.patch b/queue-5.15/r8169-fix-issue-caused-by-buggy-bios-on-certain-boards-with-rtl8168d.patch new file mode 100644 index 00000000000..e7fe848ba2f --- /dev/null +++ b/queue-5.15/r8169-fix-issue-caused-by-buggy-bios-on-certain-boards-with-rtl8168d.patch 
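Review bot: the `&& cp` guard in __rds_rdma_map() is correct but silently drops the reconnect trigger for the NULL-cp callers named in the analysis (rds_get_mr(), rds_get_mr_for_dest()), which then get -ENODEV with no connection kick; a one-line comment saying that MR registration without a connection path cannot trigger a reconnect would stop a later reader from treating the skipped call as a bug. Nit on the adjacent context line: "its ready" should be "it's ready".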
@@ -0,0 +1,43 @@ +From 5d872c9f46bd2ea3524af3c2420a364a13667135 Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Sat, 30 Mar 2024 12:49:02 +0100 +Subject: r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d + +From: Heiner Kallweit + +commit 5d872c9f46bd2ea3524af3c2420a364a13667135 upstream. + +On some boards with this chip version the BIOS is buggy and misses +to reset the PHY page selector. This results in the PHY ID read +accessing registers on a different page, returning a more or +less random value. Fix this by resetting the page selector first. + +Fixes: f1e911d5d0df ("r8169: add basic phylib support") +Cc: stable@vger.kernel.org +Signed-off-by: Heiner Kallweit +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/64f2055e-98b8-45ec-8568-665e3d54d4e6@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169_main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -5138,6 +5138,15 @@ static int r8169_mdio_register(struct rt + struct mii_bus *new_bus; + int ret; + ++ /* On some boards with this chip version the BIOS is buggy and misses ++ * to reset the PHY page selector. This results in the PHY ID read ++ * accessing registers on a different page, returning a more or ++ * less random value. Fix this by resetting the page selector first. ++ */ ++ if (tp->mac_version == RTL_GIGA_MAC_VER_25 || ++ tp->mac_version == RTL_GIGA_MAC_VER_26) ++ r8169_mdio_write(tp, 0x1f, 0); ++ + new_bus = devm_mdiobus_alloc(&pdev->dev); + if (!new_bus) + return -ENOMEM; diff --git a/queue-5.15/series b/queue-5.15/series index 17ffec0d438..3aab2eeac41 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
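Review bot: in the r8169_mdio_register() hunk, `r8169_mdio_write(tp, 0x1f, 0)` uses a magic register number for the page selector; naming it (or noting in the comment that 0x1f is the PHY page select register) would make the intent clear without the commit message. The in-code comment otherwise repeats the commit message verbatim, which is fine for a workaround this narrow.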
@@ -618,3 +618,12 @@ mlxbf_gige-call-request_irq-after-napi-initialized.patch bpf-protect-against-int-overflow-for-stack-access-si.patch octeontx2-af-fix-pause-frame-configuration-in-gmp-mo.patch dm-integrity-fix-out-of-range-warning.patch +r8169-fix-issue-caused-by-buggy-bios-on-certain-boards-with-rtl8168d.patch +x86-cpufeatures-add-new-word-for-scattered-features.patch +x86-cpufeatures-add-cpuid_lnx_5-to-track-recently-added-linux-defined-word.patch +arm64-dts-qcom-sc7180-trogdor-mark-bluetooth-address-as-broken.patch +bluetooth-hci_event-set-the-conn-encrypted-before-conn-establishes.patch +bluetooth-fix-toctou-in-hci-debugfs-implementation.patch +xen-netfront-add-missing-skb_mark_for_recycle.patch +net-rds-fix-possible-cp-null-dereference.patch +locking-rwsem-disable-preemption-while-trying-for-rwsem-lock.patch diff --git a/queue-5.15/x86-cpufeatures-add-cpuid_lnx_5-to-track-recently-added-linux-defined-word.patch b/queue-5.15/x86-cpufeatures-add-cpuid_lnx_5-to-track-recently-added-linux-defined-word.patch new file mode 100644 index 00000000000..ef4cdf0df0d --- /dev/null +++ b/queue-5.15/x86-cpufeatures-add-cpuid_lnx_5-to-track-recently-added-linux-defined-word.patch 
@@ -0,0 +1,59 @@ +From 8cb4a9a82b21623dbb4b3051dd30d98356cf95bc Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 4 Apr 2024 17:16:14 -0700 +Subject: x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word + +From: Sean Christopherson + +commit 8cb4a9a82b21623dbb4b3051dd30d98356cf95bc upstream. + +Add CPUID_LNX_5 to track cpufeatures' word 21, and add the appropriate +compile-time assert in KVM to prevent direct lookups on the features in +CPUID_LNX_5. KVM uses X86_FEATURE_* flags to manage guest CPUID, and so +must translate features that are scattered by Linux from the Linux-defined +bit to the hardware-defined bit, i.e. should never try to directly access +scattered features in guest CPUID. + +Opportunistically add NR_CPUID_WORDS to enum cpuid_leafs, along with a +compile-time assert in KVM's CPUID infrastructure to ensure that future +additions update cpuid_leafs along with NCAPINTS. + +No functional change intended. + +Fixes: 7f274e609f3d ("x86/cpufeatures: Add new word for scattered features") +Cc: Sandipan Das +Signed-off-by: Sean Christopherson +Acked-by: Dave Hansen +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeature.h | 2 ++ + arch/x86/kvm/reverse_cpuid.h | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -33,6 +33,8 @@ enum cpuid_leafs + CPUID_7_EDX, + CPUID_8000_001F_EAX, + CPUID_8000_0021_EAX, ++ CPUID_LNX_5, ++ NR_CPUID_WORDS, + }; + + #ifdef CONFIG_X86_FEATURE_NAMES +--- a/arch/x86/kvm/reverse_cpuid.h ++++ b/arch/x86/kvm/reverse_cpuid.h +@@ -83,10 +83,12 @@ static const struct cpuid_reg reverse_cp + */ + static __always_inline void reverse_cpuid_check(unsigned int x86_leaf) + { ++ BUILD_BUG_ON(NR_CPUID_WORDS != NCAPINTS); + BUILD_BUG_ON(x86_leaf == CPUID_LNX_1); + BUILD_BUG_ON(x86_leaf == CPUID_LNX_2); + BUILD_BUG_ON(x86_leaf == CPUID_LNX_3); + BUILD_BUG_ON(x86_leaf == CPUID_LNX_4); ++ 
BUILD_BUG_ON(x86_leaf == CPUID_LNX_5); + BUILD_BUG_ON(x86_leaf >= ARRAY_SIZE(reverse_cpuid)); + BUILD_BUG_ON(reverse_cpuid[x86_leaf].function == 0); + } diff --git a/queue-5.15/x86-cpufeatures-add-new-word-for-scattered-features.patch b/queue-5.15/x86-cpufeatures-add-new-word-for-scattered-features.patch new file mode 100644 index 00000000000..44a7dbf5f7a --- /dev/null +++ b/queue-5.15/x86-cpufeatures-add-new-word-for-scattered-features.patch 
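Review bot: the new `BUILD_BUG_ON(NR_CPUID_WORDS != NCAPINTS)` in reverse_cpuid_check() only holds if the 5.15 enum cpuid_leafs has exactly as many entries before NR_CPUID_WORDS as NCAPINTS (22 after the companion scattered-features patch), and the enum in the 5.15 base may differ from upstream; since the check is compile-time, a build of the queue with KVM enabled is the test. Also confirm CPUID_LNX_5 lands at index 21 so it lines up with the new cpufeatures word.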
@@ -0,0 +1,80 @@ +From 7f274e609f3d5f45c22b1dd59053f6764458b492 Mon Sep 17 00:00:00 2001 +From: Sandipan Das +Date: Mon, 25 Mar 2024 13:01:44 +0530 +Subject: x86/cpufeatures: Add new word for scattered features + +From: Sandipan Das + +commit 7f274e609f3d5f45c22b1dd59053f6764458b492 upstream. + +Add a new word for scattered features because all free bits among the +existing Linux-defined auxiliary flags have been exhausted. + +Signed-off-by: Sandipan Das +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/8380d2a0da469a1f0ad75b8954a79fb689599ff6.1711091584.git.sandipan.das@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeature.h | 6 ++++-- + arch/x86/include/asm/cpufeatures.h | 2 +- + arch/x86/include/asm/disabled-features.h | 3 ++- + arch/x86/include/asm/required-features.h | 3 ++- + 4 files changed, 9 insertions(+), 5 deletions(-) + +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -93,8 +93,9 @@ extern const char * const x86_bug_flags[ + CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 18, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 19, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 20, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 21, feature_bit) || \ + REQUIRED_MASK_CHECK || \ +- BUILD_BUG_ON_ZERO(NCAPINTS != 21)) ++ BUILD_BUG_ON_ZERO(NCAPINTS != 22)) + + #define DISABLED_MASK_BIT_SET(feature_bit) \ + ( CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 0, feature_bit) || \ +@@ -118,8 +119,9 @@ extern const char * const x86_bug_flags[ + CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 18, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 19, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 20, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 21, feature_bit) || \ + DISABLED_MASK_CHECK || \ +- BUILD_BUG_ON_ZERO(NCAPINTS != 21)) ++ BUILD_BUG_ON_ZERO(NCAPINTS != 22)) + + #define cpu_has(c, bit) \ + (__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 
1 : \ +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -13,7 +13,7 @@ + /* + * Defines x86 CPU feature bits + */ +-#define NCAPINTS 21 /* N 32-bit words worth of info */ ++#define NCAPINTS 22 /* N 32-bit words worth of info */ + #define NBUGINTS 2 /* N 32-bit bug flags */ + + /* +--- a/arch/x86/include/asm/disabled-features.h ++++ b/arch/x86/include/asm/disabled-features.h +@@ -109,6 +109,7 @@ + #define DISABLED_MASK18 0 + #define DISABLED_MASK19 0 + #define DISABLED_MASK20 0 +-#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 21) ++#define DISABLED_MASK21 0 ++#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 22) + + #endif /* _ASM_X86_DISABLED_FEATURES_H */ +--- a/arch/x86/include/asm/required-features.h ++++ b/arch/x86/include/asm/required-features.h +@@ -103,6 +103,7 @@ + #define REQUIRED_MASK18 0 + #define REQUIRED_MASK19 0 + #define REQUIRED_MASK20 0 +-#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 21) ++#define REQUIRED_MASK21 0 ++#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 22) + + #endif /* _ASM_X86_REQUIRED_FEATURES_H */ diff --git a/queue-5.15/xen-netfront-add-missing-skb_mark_for_recycle.patch b/queue-5.15/xen-netfront-add-missing-skb_mark_for_recycle.patch new file mode 100644 index 00000000000..817f4dfbdac --- /dev/null +++ b/queue-5.15/xen-netfront-add-missing-skb_mark_for_recycle.patch 
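Review bot: the cpufeatures.h hunk bumps NCAPINTS to 22 but, per the diffstat (1 insertion, 1 deletion in that file), adds no comment block naming word 21 as the new Linux-defined scattered word, so there is nothing in the header telling a later backporter where word-21 flags belong; adding that comment header would document the new word. The REQUIRED_MASK21/DISABLED_MASK21 definitions and both BUILD_BUG_ON_ZERO updates are consistent with the new count.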
@@ -0,0 +1,45 @@ +From 037965402a010898d34f4e35327d22c0a95cd51f Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Wed, 27 Mar 2024 13:14:56 +0100 +Subject: xen-netfront: Add missing skb_mark_for_recycle + +From: Jesper Dangaard Brouer + +commit 037965402a010898d34f4e35327d22c0a95cd51f upstream. + +Notice that skb_mark_for_recycle() is introduced later than fixes tag in +commit 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). + +It is believed that fixes tag were missing a call to page_pool_release_page() +between v5.9 to v5.14, after which is should have used skb_mark_for_recycle(). +Since v6.6 the call page_pool_release_page() were removed (in +commit 535b9c61bdef ("net: page_pool: hide page_pool_release_page()") +and remaining callers converted (in commit 6bfef2ec0172 ("Merge branch +'net-page_pool-remove-page_pool_release_page'")). + +This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch +page_pool memory leaks"). + +Cc: stable@vger.kernel.org +Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") +Reported-by: Leonidas Spyropoulos +Link: https://bugzilla.kernel.org/show_bug.cgi?id=218654 +Reported-by: Arthur Borsboom +Signed-off-by: Jesper Dangaard Brouer +Link: https://lore.kernel.org/r/171154167446.2671062.9127105384591237363.stgit@firesoul +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -287,6 +287,7 @@ static struct sk_buff *xennet_alloc_one_ + return NULL; + } + skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE); ++ skb_mark_for_recycle(skb); + + /* Align ip header to a 16 bytes boundary */ + skb_reserve(skb, NET_IP_ALIGN);
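Review bot: the one-line addition of skb_mark_for_recycle(skb) in xennet_alloc_one_rx_buffer() makes skb free return the attached page to the page_pool, so it is only correct if every page reaching skb_add_rx_frag() here comes from the queue's own pool; the hunk does not show the allocation, so confirm that for 5.15. The backport target is appropriate per the message itself, since skb_mark_for_recycle() exists from v5.14 and the page_pool_release_page() alternative only applies to v5.9 through v5.14.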