From: Sasha Levin Date: Fri, 21 Feb 2025 16:51:13 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v6.6.80~27^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d3da04ec072b59fe017f86bc14bad0238ad6b407;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alsa-hda-realtek-fixup-alc225-depop-procedure.patch b/queue-5.10/alsa-hda-realtek-fixup-alc225-depop-procedure.patch new file mode 100644 index 0000000000..69e62d9f24 --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-fixup-alc225-depop-procedure.patch @@ -0,0 +1,36 @@ +From 51254639fd15e9c83349d4517439a2cdb4e25cf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 14:40:46 +0800 +Subject: ALSA: hda/realtek: Fixup ALC225 depop procedure + +From: Kailang Yang + +[ Upstream commit 174448badb4409491bfba2e6b46f7aa078741c5e ] + +Headset MIC will no function when power_save=0. + +Fixes: 1fd50509fe14 ("ALSA: hda/realtek: Update ALC225 depop procedure") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219743 +Signed-off-by: Kailang Yang +Link: https://lore.kernel.org/0474a095ab0044d0939ec4bf4362423d@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 2df73f59aea91..18730b0934fe1 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3713,6 +3713,7 @@ static void alc225_init(struct hda_codec *codec) + AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE); + + msleep(75); ++ alc_update_coef_idx(codec, 0x4a, 3 << 10, 0); + alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x4); /* Hight power */ + } + } +-- +2.39.5 + diff --git a/queue-5.10/batman-adv-add-new-include-for-min-max-helpers.patch b/queue-5.10/batman-adv-add-new-include-for-min-max-helpers.patch new file mode 100644 index 0000000000..dede4c2911 --- /dev/null +++ b/queue-5.10/batman-adv-add-new-include-for-min-max-helpers.patch @@ -0,0 +1,142 @@ +From 82018a8f8823dc95c5c6fcc081730dfb5b25170e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Oct 2020 21:01:59 +0100 +Subject: batman-adv: Add new include for min/max helpers + +From: Sven Eckelmann + +[ Upstream commit fcd193e1dfa6842e2783b04d98345767fe99cf31 ] + +The commit b296a6d53339 ("kernel.h: split out min()/max() et al. helpers") +moved the min/max helper functionality from kernel.h to minmax.h. Adjust +the kernel code accordingly to avoid fragile indirect includes. + +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Stable-dep-of: 8c8ecc98f5c6 ("batman-adv: Drop unmanaged ELP metric worker") +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_v.c | 1 + + net/batman-adv/bat_v_elp.c | 1 + + net/batman-adv/bat_v_ogm.c | 1 + + net/batman-adv/fragmentation.c | 2 +- + net/batman-adv/hard-interface.c | 1 + + net/batman-adv/icmp_socket.c | 1 + + net/batman-adv/main.c | 1 + + net/batman-adv/netlink.c | 1 + + net/batman-adv/tp_meter.c | 1 + + 9 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c +index 0ecaf1bb0068d..e91d2c0720c4c 100644 +--- a/net/batman-adv/bat_v.c ++++ b/net/batman-adv/bat_v.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c +index 980badecf2514..fb76b8861f098 100644 +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c +index c451694fdb42f..aff877203cd23 100644 +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c +index 895d834d479d1..0eb94024addb6 100644 +--- a/net/batman-adv/fragmentation.c ++++ b/net/batman-adv/fragmentation.c +@@ -14,8 +14,8 @@ + #include + #include + #include +-#include + #include ++#include + #include + #include + #include +diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c +index fe79bfc6d2dd1..bc2c19a43d15b 100644 +--- a/net/batman-adv/hard-interface.c ++++ b/net/batman-adv/hard-interface.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/net/batman-adv/icmp_socket.c b/net/batman-adv/icmp_socket.c +index 8bdabc03b0b23..56de4bf21aa5e 100644 +--- a/net/batman-adv/icmp_socket.c ++++ b/net/batman-adv/icmp_socket.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c +index 9f267b190779f..d9719d807d6a2 100644 +--- a/net/batman-adv/main.c ++++ b/net/batman-adv/main.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c +index 931bc3b5c6df0..0b5cb03859b25 100644 +--- a/net/batman-adv/netlink.c ++++ b/net/batman-adv/netlink.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c +index 00d62a6c5e0ef..3bbfa8ee6deac 100644 +--- a/net/batman-adv/tp_meter.c ++++ b/net/batman-adv/tp_meter.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +-- +2.39.5 + diff --git a/queue-5.10/batman-adv-drop-initialization-of-flexible-ethtool_l.patch b/queue-5.10/batman-adv-drop-initialization-of-flexible-ethtool_l.patch new file mode 100644 index 0000000000..08dea5fbc4 --- /dev/null +++ b/queue-5.10/batman-adv-drop-initialization-of-flexible-ethtool_l.patch @@ -0,0 +1,45 @@ +From 11c8d798782c6929fe910118db37a45f44f32087 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Aug 2022 09:32:50 +0200 +Subject: batman-adv: Drop initialization of flexible ethtool_link_ksettings + +From: Sven Eckelmann + +[ Upstream commit 813e62a6fe7539fdf0d8e018d4f157b57bdaeedd ] + +The commit 94dfc73e7cf4 ("treewide: uapi: Replace zero-length arrays with +flexible-array members") changed various structures from using 0-length +arrays to flexible arrays + + net/batman-adv/bat_v_elp.c: note: in included file: + ./include/linux/ethtool.h:148:38: warning: nested flexible array + net/batman-adv/bat_v_elp.c:128:9: warning: using sizeof on a flexible structure + +In theory, this could be worked around by using {} as initializer for the +variable on the stack. But this variable doesn't has to be initialized at +all by the caller of __ethtool_get_link_ksettings - everything will be +initialized by the callee when no error occurs. + +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Stable-dep-of: 8c8ecc98f5c6 ("batman-adv: Drop unmanaged ELP metric worker") +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_v_elp.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c +index fb76b8861f098..81b9dfec7151a 100644 +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -141,7 +141,6 @@ static bool batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh, + /* if not a wifi interface, check if this device provides data via + * ethtool (e.g. an Ethernet adapter) + */ +- memset(&link_settings, 0, sizeof(link_settings)); + rtnl_lock(); + ret = __ethtool_get_link_ksettings(hard_iface->net_dev, &link_settings); + rtnl_unlock(); +-- +2.39.5 + diff --git a/queue-5.10/batman-adv-drop-unmanaged-elp-metric-worker.patch b/queue-5.10/batman-adv-drop-unmanaged-elp-metric-worker.patch new file mode 100644 index 0000000000..2e2c9fa47c --- /dev/null +++ b/queue-5.10/batman-adv-drop-unmanaged-elp-metric-worker.patch @@ -0,0 +1,263 @@ +From 21e3228cc2eae61dff42667a081d79555e96257b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2025 00:06:11 +0100 +Subject: batman-adv: Drop unmanaged ELP metric worker + +From: Sven Eckelmann + +[ Upstream commit 8c8ecc98f5c65947b0070a24bac11e12e47cc65d ] + +The ELP worker needs to calculate new metric values for all neighbors +"reachable" over an interface. Some of the used metric sources require +locks which might need to sleep. This sleep is incompatible with the RCU +list iterator used for the recorded neighbors. The initial approach to work +around of this problem was to queue another work item per neighbor and then +run this in a new context. + +Even when this solved the RCU vs might_sleep() conflict, it has a major +problems: Nothing was stopping the work item in case it is not needed +anymore - for example because one of the related interfaces was removed or +the batman-adv module was unloaded - resulting in potential invalid memory +accesses. + +Directly canceling the metric worker also has various problems: + +* cancel_work_sync for a to-be-deactivated interface is called with + rtnl_lock held. But the code in the ELP metric worker also tries to use + rtnl_lock() - which will never return in this case. This also means that + cancel_work_sync would never return because it is waiting for the worker + to finish. +* iterating over the neighbor list for the to-be-deactivated interface is + currently done using the RCU specific methods. Which means that it is + possible to miss items when iterating over it without the associated + spinlock - a behaviour which is acceptable for a periodic metric check + but not for a cleanup routine (which must "stop" all still running + workers) + +The better approch is to get rid of the per interface neighbor metric +worker and handle everything in the interface worker. The original problems +are solved by: + +* creating a list of neighbors which require new metric information inside + the RCU protected context, gathering the metric according to the new list + outside the RCU protected context +* only use rcu_trylock inside metric gathering code to avoid a deadlock + when the cancel_delayed_work_sync is called in the interface removal code + (which is called with the rtnl_lock held) + +Cc: stable@vger.kernel.org +Fixes: c833484e5f38 ("batman-adv: ELP - compute the metric based on the estimated throughput") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_v.c | 2 -- + net/batman-adv/bat_v_elp.c | 71 ++++++++++++++++++++++++++------------ + net/batman-adv/bat_v_elp.h | 2 -- + net/batman-adv/types.h | 3 -- + 4 files changed, 48 insertions(+), 30 deletions(-) + +diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c +index e91d2c0720c4c..6dc39fc0350e6 100644 +--- a/net/batman-adv/bat_v.c ++++ b/net/batman-adv/bat_v.c +@@ -116,8 +116,6 @@ static void + batadv_v_hardif_neigh_init(struct batadv_hardif_neigh_node *hardif_neigh) + { + ewma_throughput_init(&hardif_neigh->bat_v.throughput); +- INIT_WORK(&hardif_neigh->bat_v.metric_work, +- batadv_v_elp_throughput_metric_update); + } + + #ifdef CONFIG_BATMAN_ADV_DEBUGFS +diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c +index 81b9dfec7151a..eacf53161304a 100644 +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -27,6 +28,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -42,6 +44,18 @@ + #include "routing.h" + #include "send.h" + ++/** ++ * struct batadv_v_metric_queue_entry - list of hardif neighbors which require ++ * and metric update ++ */ ++struct batadv_v_metric_queue_entry { ++ /** @hardif_neigh: hardif neighbor scheduled for metric update */ ++ struct batadv_hardif_neigh_node *hardif_neigh; ++ ++ /** @list: list node for metric_queue */ ++ struct list_head list; ++}; ++ + /** + * batadv_v_elp_start_timer() - restart timer for ELP periodic work + * @hard_iface: the interface for which the timer has to be reset +@@ -138,10 +152,17 @@ static bool batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh, + goto default_throughput; + } + ++ /* only use rtnl_trylock because the elp worker will be cancelled while ++ * the rntl_lock is held. the cancel_delayed_work_sync() would otherwise ++ * wait forever when the elp work_item was started and it is then also ++ * trying to rtnl_lock ++ */ ++ if (!rtnl_trylock()) ++ return false; ++ + /* if not a wifi interface, check if this device provides data via + * ethtool (e.g. an Ethernet adapter) + */ +- rtnl_lock(); + ret = __ethtool_get_link_ksettings(hard_iface->net_dev, &link_settings); + rtnl_unlock(); + if (ret == 0) { +@@ -176,31 +197,19 @@ static bool batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh, + /** + * batadv_v_elp_throughput_metric_update() - worker updating the throughput + * metric of a single hop neighbour +- * @work: the work queue item ++ * @neigh: the neighbour to probe + */ +-void batadv_v_elp_throughput_metric_update(struct work_struct *work) ++static void ++batadv_v_elp_throughput_metric_update(struct batadv_hardif_neigh_node *neigh) + { +- struct batadv_hardif_neigh_node_bat_v *neigh_bat_v; +- struct batadv_hardif_neigh_node *neigh; + u32 throughput; + bool valid; + +- neigh_bat_v = container_of(work, struct batadv_hardif_neigh_node_bat_v, +- metric_work); +- neigh = container_of(neigh_bat_v, struct batadv_hardif_neigh_node, +- bat_v); +- + valid = batadv_v_elp_get_throughput(neigh, &throughput); + if (!valid) +- goto put_neigh; ++ return; + + ewma_throughput_add(&neigh->bat_v.throughput, throughput); +- +-put_neigh: +- /* decrement refcounter to balance increment performed before scheduling +- * this task +- */ +- batadv_hardif_neigh_put(neigh); + } + + /** +@@ -274,14 +283,16 @@ batadv_v_elp_wifi_neigh_probe(struct batadv_hardif_neigh_node *neigh) + */ + static void batadv_v_elp_periodic_work(struct work_struct *work) + { ++ struct batadv_v_metric_queue_entry *metric_entry; ++ struct batadv_v_metric_queue_entry *metric_safe; + struct batadv_hardif_neigh_node *hardif_neigh; + struct batadv_hard_iface *hard_iface; + struct batadv_hard_iface_bat_v *bat_v; + struct batadv_elp_packet *elp_packet; ++ struct list_head metric_queue; + struct batadv_priv *bat_priv; + struct sk_buff *skb; + u32 elp_interval; +- bool ret; + + bat_v = container_of(work, struct batadv_hard_iface_bat_v, elp_wq.work); + hard_iface = container_of(bat_v, struct batadv_hard_iface, bat_v); +@@ -317,6 +328,8 @@ static void batadv_v_elp_periodic_work(struct work_struct *work) + + atomic_inc(&hard_iface->bat_v.elp_seqno); + ++ INIT_LIST_HEAD(&metric_queue); ++ + /* The throughput metric is updated on each sent packet. This way, if a + * node is dead and no longer sends packets, batman-adv is still able to + * react timely to its death. +@@ -341,16 +354,28 @@ static void batadv_v_elp_periodic_work(struct work_struct *work) + + /* Reading the estimated throughput from cfg80211 is a task that + * may sleep and that is not allowed in an rcu protected +- * context. Therefore schedule a task for that. ++ * context. Therefore add it to metric_queue and process it ++ * outside rcu protected context. + */ +- ret = queue_work(batadv_event_workqueue, +- &hardif_neigh->bat_v.metric_work); +- +- if (!ret) ++ metric_entry = kzalloc(sizeof(*metric_entry), GFP_ATOMIC); ++ if (!metric_entry) { + batadv_hardif_neigh_put(hardif_neigh); ++ continue; ++ } ++ ++ metric_entry->hardif_neigh = hardif_neigh; ++ list_add(&metric_entry->list, &metric_queue); + } + rcu_read_unlock(); + ++ list_for_each_entry_safe(metric_entry, metric_safe, &metric_queue, list) { ++ batadv_v_elp_throughput_metric_update(metric_entry->hardif_neigh); ++ ++ batadv_hardif_neigh_put(metric_entry->hardif_neigh); ++ list_del(&metric_entry->list); ++ kfree(metric_entry); ++ } ++ + restart_timer: + batadv_v_elp_start_timer(hard_iface); + out: +diff --git a/net/batman-adv/bat_v_elp.h b/net/batman-adv/bat_v_elp.h +index 4358d436be2a8..f814f87f3a6a4 100644 +--- a/net/batman-adv/bat_v_elp.h ++++ b/net/batman-adv/bat_v_elp.h +@@ -10,7 +10,6 @@ + #include "main.h" + + #include +-#include + + int batadv_v_elp_iface_enable(struct batadv_hard_iface *hard_iface); + void batadv_v_elp_iface_disable(struct batadv_hard_iface *hard_iface); +@@ -19,6 +18,5 @@ void batadv_v_elp_iface_activate(struct batadv_hard_iface *primary_iface, + void batadv_v_elp_primary_iface_set(struct batadv_hard_iface *primary_iface); + int batadv_v_elp_packet_recv(struct sk_buff *skb, + struct batadv_hard_iface *if_incoming); +-void batadv_v_elp_throughput_metric_update(struct work_struct *work); + + #endif /* _NET_BATMAN_ADV_BAT_V_ELP_H_ */ +diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h +index 7d47fe7534c18..cc3334afbdd05 100644 +--- a/net/batman-adv/types.h ++++ b/net/batman-adv/types.h +@@ -606,9 +606,6 @@ struct batadv_hardif_neigh_node_bat_v { + * neighbor + */ + unsigned long last_unicast_tx; +- +- /** @metric_work: work queue callback item for metric update */ +- struct work_struct metric_work; + }; + + /** +-- +2.39.5 + diff --git a/queue-5.10/crypto-testmgr-fix-version-number-of-rsa-tests.patch b/queue-5.10/crypto-testmgr-fix-version-number-of-rsa-tests.patch new file mode 100644 index 0000000000..16c13a76d7 --- /dev/null +++ b/queue-5.10/crypto-testmgr-fix-version-number-of-rsa-tests.patch @@ -0,0 +1,59 @@ +From 2df71ab755977f8da62091fb86dee3d7fe248f2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 18:06:25 +0800 +Subject: crypto: testmgr - fix version number of RSA tests + +From: lei he + +[ Upstream commit 0bb8f125253843c445b70fc6ef4fb21aa7b25625 ] + +According to PKCS#1 standard, the 'otherPrimeInfos' field contains +the information for the additional primes r_3, ..., r_u, in order. +It shall be omitted if the version is 0 and shall contain at least +one instance of OtherPrimeInfo if the version is 1, see: + https://www.rfc-editor.org/rfc/rfc3447#page-44 + +Replace the version number '1' with 0, otherwise, some drivers may +not pass the run-time tests. + +Signed-off-by: lei he +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/testmgr.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index 24bc1924edb72..8a31946899f05 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -184,7 +184,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + #ifndef CONFIG_CRYPTO_FIPS + .key = + "\x30\x81\x9A" /* sequence of 154 bytes */ +- "\x02\x01\x01" /* version - integer of 1 byte */ ++ "\x02\x01\x00" /* version - integer of 1 byte */ + "\x02\x41" /* modulus - integer of 65 bytes */ + "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F" + "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5" +@@ -214,7 +214,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + }, { + .key = + "\x30\x82\x01\x1D" /* sequence of 285 bytes */ +- "\x02\x01\x01" /* version - integer of 1 byte */ ++ "\x02\x01\x00" /* version - integer of 1 byte */ + "\x02\x81\x81" /* modulus - integer of 129 bytes */ + "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" + "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5" +@@ -258,7 +258,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + #endif + .key = + "\x30\x82\x02\x20" /* sequence of 544 bytes */ +- "\x02\x01\x01" /* version - integer of 1 byte */ ++ "\x02\x01\x00" /* version - integer of 1 byte */ + "\x02\x82\x01\x01\x00" /* modulus - integer of 256 bytes */ + "\xDB\x10\x1A\xC2\xA3\xF1\xDC\xFF\x13\x6B\xED\x44\xDF\xF0\x02\x6D" + "\x13\xC7\x88\xDA\x70\x6B\x54\xF1\xE8\x27\xDC\xC3\x0F\x99\x6A\xFA" +-- +2.39.5 + diff --git a/queue-5.10/crypto-testmgr-fix-wrong-key-length-for-pkcs1pad.patch b/queue-5.10/crypto-testmgr-fix-wrong-key-length-for-pkcs1pad.patch new file mode 100644 index 0000000000..72f92f5fdd --- /dev/null +++ b/queue-5.10/crypto-testmgr-fix-wrong-key-length-for-pkcs1pad.patch @@ -0,0 +1,35 @@ +From 8c8303778c03455b12b23c4782b6ce4878b75440 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 20:44:43 +0800 +Subject: crypto: testmgr - fix wrong key length for pkcs1pad + +From: Lei He + +[ Upstream commit 39ef08517082a424b5b65c3dbaa6c0fa9d3303b9 ] + +Fix wrong test data at testmgr.h, it seems to be caused +by ignoring the last '\0' when calling sizeof. + +Signed-off-by: Lei He +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/testmgr.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index 8c83811c0e351..b04e9943c8c7f 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -777,7 +777,7 @@ static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = { + "\xd1\x86\x48\x55\xce\x83\xee\x8e\x51\xc7\xde\x32\x12\x47\x7d\x46" + "\xb8\x35\xdf\x41\x02\x01\x00\x02\x01\x00\x02\x01\x00\x02\x01\x00" + "\x02\x01\x00", +- .key_len = 804, ++ .key_len = 803, + /* + * m is SHA256 hash of following message: + * "\x49\x41\xbe\x0a\x0c\xc9\xf6\x35\x51\xe4\x27\x56\x13\x71\x4b\xd0" +-- +2.39.5 + diff --git a/queue-5.10/crypto-testmgr-fix-wrong-test-case-of-rsa.patch b/queue-5.10/crypto-testmgr-fix-wrong-test-case-of-rsa.patch new file mode 100644 index 0000000000..e373e3e77b --- /dev/null +++ b/queue-5.10/crypto-testmgr-fix-wrong-test-case-of-rsa.patch @@ -0,0 +1,56 @@ +From 1f08efc0f621c195df3bdd0840a965647936c6b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 20:25:31 +0800 +Subject: crypto: testmgr - Fix wrong test case of RSA + +From: Lei He + +[ Upstream commit a9887010ed2da3fddaff83ceec80e2b71be8a966 ] + +According to the BER encoding rules, integer value should be encoded +as two's complement, and if the highest bit of a positive integer +is 1, should add a leading zero-octet. + +The kernel's built-in RSA algorithm cannot recognize negative numbers +when parsing keys, so it can pass this test case. + +Export the key to file and run the following command to verify the +fix result: + + openssl asn1parse -inform DER -in /path/to/key/file + +Signed-off-by: Lei He +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/testmgr.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index b04e9943c8c7f..24bc1924edb72 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -257,9 +257,9 @@ static const struct akcipher_testvec rsa_tv_template[] = { + }, { + #endif + .key = +- "\x30\x82\x02\x1F" /* sequence of 543 bytes */ ++ "\x30\x82\x02\x20" /* sequence of 544 bytes */ + "\x02\x01\x01" /* version - integer of 1 byte */ +- "\x02\x82\x01\x00" /* modulus - integer of 256 bytes */ ++ "\x02\x82\x01\x01\x00" /* modulus - integer of 256 bytes */ + "\xDB\x10\x1A\xC2\xA3\xF1\xDC\xFF\x13\x6B\xED\x44\xDF\xF0\x02\x6D" + "\x13\xC7\x88\xDA\x70\x6B\x54\xF1\xE8\x27\xDC\xC3\x0F\x99\x6A\xFA" + "\xC6\x67\xFF\x1D\x1E\x3C\x1D\xC1\xB5\x5F\x6C\xC0\xB2\x07\x3A\x6D" +@@ -299,7 +299,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + "\x02\x01\x00" /* exponent1 - integer of 1 byte */ + "\x02\x01\x00" /* exponent2 - integer of 1 byte */ + "\x02\x01\x00", /* coefficient - integer of 1 byte */ +- .key_len = 547, ++ .key_len = 548, + .m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a", + .c = + "\xb2\x97\x76\xb4\xae\x3e\x38\x3c\x7e\x64\x1f\xcc\xa2\x7f\xf6\xbe" +-- +2.39.5 + diff --git a/queue-5.10/crypto-testmgr-populate-rsa-crt-parameters-in-rsa-te.patch b/queue-5.10/crypto-testmgr-populate-rsa-crt-parameters-in-rsa-te.patch new file mode 100644 index 0000000000..9807a2add2 --- /dev/null +++ b/queue-5.10/crypto-testmgr-populate-rsa-crt-parameters-in-rsa-te.patch @@ -0,0 +1,206 @@ +From fb49818fbe4ab83ff1baf4f7a56ea9791cbb3c3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Jul 2022 11:38:40 +0100 +Subject: crypto: testmgr - populate RSA CRT parameters in RSA test vectors + +From: Ignat Korchagin + +[ Upstream commit 79e6e2f3f3ff345947075341781e900e4f70db81 ] + +Changes from v1: + * replace some accidental spaces with tabs + +In commit f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem +for faster private key operations") we have started to use the additional +primes and coefficients for RSA private key operations. However, these +additional parameters are not present (defined as 0 integers) in the RSA +test vectors. + +Some parameters were borrowed from OpenSSL, so I was able to find the +source. I could not find the public source for 1 vector though, so had to +recover the parameters by implementing Appendix C from [1]. + +[1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1.pdf + +Fixes: f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem for faster private key operations") +Reported-by: Tasmiya Nalatwad +Signed-off-by: Ignat Korchagin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/testmgr.h | 121 +++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 100 insertions(+), 21 deletions(-) + +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index 8a31946899f05..fd2376af5af01 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -183,7 +183,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + { + #ifndef CONFIG_CRYPTO_FIPS + .key = +- "\x30\x81\x9A" /* sequence of 154 bytes */ ++ "\x30\x82\x01\x38" /* sequence of 312 bytes */ + "\x02\x01\x00" /* version - integer of 1 byte */ + "\x02\x41" /* modulus - integer of 65 bytes */ + "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F" +@@ -197,23 +197,36 @@ static const struct akcipher_testvec rsa_tv_template[] = { + "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64" + "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9" + "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51" +- "\x02\x01\x00" /* prime1 - integer of 1 byte */ +- "\x02\x01\x00" /* prime2 - integer of 1 byte */ +- "\x02\x01\x00" /* exponent1 - integer of 1 byte */ +- "\x02\x01\x00" /* exponent2 - integer of 1 byte */ +- "\x02\x01\x00", /* coefficient - integer of 1 byte */ ++ "\x02\x21" /* prime1 - integer of 33 bytes */ ++ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12" ++ "\x0D" ++ "\x02\x21" /* prime2 - integer of 33 bytes */ ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++ "\x89" ++ "\x02\x20" /* exponent1 - integer of 32 bytes */ ++ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF" ++ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05" ++ "\x02\x21" /* exponent2 - integer of 33 bytes */ ++ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99" ++ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D" ++ "\x51" ++ "\x02\x20" /* coefficient - integer of 32 bytes */ ++ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8" ++ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26", + .m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a", + .c = + "\x63\x1c\xcd\x7b\xe1\x7e\xe4\xde\xc9\xa8\x89\xa1\x74\xcb\x3c\x63" + "\x7d\x24\xec\x83\xc3\x15\xe4\x7f\x73\x05\x34\xd1\xec\x22\xbb\x8a" + "\x5e\x32\x39\x6d\xc1\x1d\x7d\x50\x3b\x9f\x7a\xad\xf0\x2e\x25\x53" + "\x9f\x6e\xbd\x4c\x55\x84\x0c\x9b\xcf\x1a\x4b\x51\x1e\x9e\x0c\x06", +- .key_len = 157, ++ .key_len = 316, + .m_size = 8, + .c_size = 64, + }, { + .key = +- "\x30\x82\x01\x1D" /* sequence of 285 bytes */ ++ "\x30\x82\x02\x5B" /* sequence of 603 bytes */ + "\x02\x01\x00" /* version - integer of 1 byte */ + "\x02\x81\x81" /* modulus - integer of 129 bytes */ + "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" +@@ -236,12 +249,35 @@ static const struct akcipher_testvec rsa_tv_template[] = { + "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94" + "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3" + "\xC1" +- "\x02\x01\x00" /* prime1 - integer of 1 byte */ +- "\x02\x01\x00" /* prime2 - integer of 1 byte */ +- "\x02\x01\x00" /* exponent1 - integer of 1 byte */ +- "\x02\x01\x00" /* exponent2 - integer of 1 byte */ +- "\x02\x01\x00", /* coefficient - integer of 1 byte */ +- .key_len = 289, ++ "\x02\x41" /* prime1 - integer of 65 bytes */ ++ "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60" ++ "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6" ++ "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A" ++ "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65" ++ "\x99" ++ "\x02\x41" /* prime2 - integer of 65 bytes */ ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++ "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15" ++ "\x03" ++ "\x02\x40" /* exponent1 - integer of 64 bytes */ ++ "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A" ++ "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E" ++ "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E" ++ "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81" ++ "\x02\x40" /* exponent2 - integer of 64 bytes */ ++ "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9" ++ "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" ++ "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" ++ "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D" ++ "\x02\x41", /* coefficient - integer of 65 bytes */ ++ "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" ++ "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" ++ "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" ++ "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39" ++ "\xF7", ++ .key_len = 607, + .m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a", + .c = + "\x74\x1b\x55\xac\x47\xb5\x08\x0a\x6e\x2b\x2d\xf7\x94\xb8\x8a\x95" +@@ -257,7 +293,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + }, { + #endif + .key = +- "\x30\x82\x02\x20" /* sequence of 544 bytes */ ++ "\x30\x82\x04\xA3" /* sequence of 1187 bytes */ + "\x02\x01\x00" /* version - integer of 1 byte */ + "\x02\x82\x01\x01\x00" /* modulus - integer of 256 bytes */ + "\xDB\x10\x1A\xC2\xA3\xF1\xDC\xFF\x13\x6B\xED\x44\xDF\xF0\x02\x6D" +@@ -294,12 +330,55 @@ static const struct akcipher_testvec rsa_tv_template[] = { + "\x62\xFF\xE9\x46\xB8\xD8\x44\xDB\xA5\xCC\x31\x54\x34\xCE\x3E\x82" + "\xD6\xBF\x7A\x0B\x64\x21\x6D\x88\x7E\x5B\x45\x12\x1E\x63\x8D\x49" + "\xA7\x1D\xD9\x1E\x06\xCD\xE8\xBA\x2C\x8C\x69\x32\xEA\xBE\x60\x71" +- "\x02\x01\x00" /* prime1 - integer of 1 byte */ +- "\x02\x01\x00" /* prime2 - integer of 1 byte */ +- "\x02\x01\x00" /* exponent1 - integer of 1 byte */ +- "\x02\x01\x00" /* exponent2 - integer of 1 byte */ +- "\x02\x01\x00", /* coefficient - integer of 1 byte */ +- .key_len = 548, ++ "\x02\x81\x81" /* prime1 - integer of 129 bytes */ ++ "\x00\xFA\xAC\xE1\x37\x5E\x32\x11\x34\xC6\x72\x58\x2D\x91\x06\x3E" ++ "\x77\xE7\x11\x21\xCD\x4A\xF8\xA4\x3F\x0F\xEF\x31\xE3\xF3\x55\xA0" ++ "\xB9\xAC\xB6\xCB\xBB\x41\xD0\x32\x81\x9A\x8F\x7A\x99\x30\x77\x6C" ++ "\x68\x27\xE2\x96\xB5\x72\xC9\xC3\xD4\x42\xAA\xAA\xCA\x95\x8F\xFF" ++ "\xC9\x9B\x52\x34\x30\x1D\xCF\xFE\xCF\x3C\x56\x68\x6E\xEF\xE7\x6C" ++ "\xD7\xFB\x99\xF5\x4A\xA5\x21\x1F\x2B\xEA\x93\xE8\x98\x26\xC4\x6E" ++ "\x42\x21\x5E\xA0\xA1\x2A\x58\x35\xBB\x10\xE7\xBA\x27\x0A\x3B\xB3" ++ "\xAF\xE2\x75\x36\x04\xAC\x56\xA0\xAB\x52\xDE\xCE\xDD\x2C\x28\x77" ++ "\x03" ++ "\x02\x81\x81" /* prime2 - integer of 129 bytes */ ++ "\x00\xDF\xB7\x52\xB6\xD7\xC0\xE2\x96\xE7\xC9\xFE\x5D\x71\x5A\xC4" ++ "\x40\x96\x2F\xE5\x87\xEA\xF3\xA5\x77\x11\x67\x3C\x8D\x56\x08\xA7" ++ "\xB5\x67\xFA\x37\xA8\xB8\xCF\x61\xE8\x63\xD8\x38\x06\x21\x2B\x92" ++ "\x09\xA6\x39\x3A\xEA\xA8\xB4\x45\x4B\x36\x10\x4C\xE4\x00\x66\x71" ++ "\x65\xF8\x0B\x94\x59\x4F\x8C\xFD\xD5\x34\xA2\xE7\x62\x84\x0A\xA7" ++ "\xBB\xDB\xD9\x8A\xCD\x05\xE1\xCC\x57\x7B\xF1\xF1\x1F\x11\x9D\xBA" ++ "\x3E\x45\x18\x99\x1B\x41\x64\x43\xEE\x97\x5D\x77\x13\x5B\x74\x69" ++ "\x73\x87\x95\x05\x07\xBE\x45\x07\x17\x7E\x4A\x69\x22\xF3\xDB\x05" ++ "\x39" ++ "\x02\x81\x80" /* exponent1 - integer of 128 bytes */ ++ "\x5E\xD8\xDC\xDA\x53\x44\xC4\x67\xE0\x92\x51\x34\xE4\x83\xA5\x4D" ++ "\x3E\xDB\xA7\x9B\x82\xBB\x73\x81\xFC\xE8\x77\x4B\x15\xBE\x17\x73" ++ "\x49\x9B\x5C\x98\xBC\xBD\x26\xEF\x0C\xE9\x2E\xED\x19\x7E\x86\x41" ++ "\x1E\x9E\x48\x81\xDD\x2D\xE4\x6F\xC2\xCD\xCA\x93\x9E\x65\x7E\xD5" ++ "\xEC\x73\xFD\x15\x1B\xA2\xA0\x7A\x0F\x0D\x6E\xB4\x53\x07\x90\x92" ++ "\x64\x3B\x8B\xA9\x33\xB3\xC5\x94\x9B\x4C\x5D\x9C\x7C\x46\xA4\xA5" ++ "\x56\xF4\xF3\xF8\x27\x0A\x7B\x42\x0D\x92\x70\x47\xE7\x42\x51\xA9" ++ "\xC2\x18\xB1\x58\xB1\x50\x91\xB8\x61\x41\xB6\xA9\xCE\xD4\x7C\xBB" ++ "\x02\x81\x80" /* exponent2 - integer of 128 bytes */ ++ "\x54\x09\x1F\x0F\x03\xD8\xB6\xC5\x0C\xE8\xB9\x9E\x0C\x38\x96\x43" ++ "\xD4\xA6\xC5\x47\xDB\x20\x0E\xE5\xBD\x29\xD4\x7B\x1A\xF8\x41\x57" ++ "\x49\x69\x9A\x82\xCC\x79\x4A\x43\xEB\x4D\x8B\x2D\xF2\x43\xD5\xA5" ++ "\xBE\x44\xFD\x36\xAC\x8C\x9B\x02\xF7\x9A\x03\xE8\x19\xA6\x61\xAE" ++ "\x76\x10\x93\x77\x41\x04\xAB\x4C\xED\x6A\xCC\x14\x1B\x99\x8D\x0C" ++ "\x6A\x37\x3B\x86\x6C\x51\x37\x5B\x1D\x79\xF2\xA3\x43\x10\xC6\xA7" ++ "\x21\x79\x6D\xF9\xE9\x04\x6A\xE8\x32\xFF\xAE\xFD\x1C\x7B\x8C\x29" ++ "\x13\xA3\x0C\xB2\xAD\xEC\x6C\x0F\x8D\x27\x12\x7B\x48\xB2\xDB\x31" ++ "\x02\x81\x81", /* coefficient - integer of 129 bytes */ ++ "\x00\x8D\x1B\x05\xCA\x24\x1F\x0C\x53\x19\x52\x74\x63\x21\xFA\x78" ++ "\x46\x79\xAF\x5C\xDE\x30\xA4\x6C\x20\x38\xE6\x97\x39\xB8\x7A\x70" ++ "\x0D\x8B\x6C\x6D\x13\x74\xD5\x1C\xDE\xA9\xF4\x60\x37\xFE\x68\x77" ++ "\x5E\x0B\x4E\x5E\x03\x31\x30\xDF\xD6\xAE\x85\xD0\x81\xBB\x61\xC7" ++ "\xB1\x04\x5A\xC4\x6D\x56\x1C\xD9\x64\xE7\x85\x7F\x88\x91\xC9\x60" ++ "\x28\x05\xE2\xC6\x24\x8F\xDD\x61\x64\xD8\x09\xDE\x7E\xD3\x4A\x61" ++ "\x1A\xD3\x73\x58\x4B\xD8\xA0\x54\x25\x48\x83\x6F\x82\x6C\xAF\x36" ++ "\x51\x2A\x5D\x14\x2F\x41\x25\x00\xDD\xF8\xF3\x95\xFE\x31\x25\x50" ++ "\x12", ++ .key_len = 1191, + .m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a", + .c = + "\xb2\x97\x76\xb4\xae\x3e\x38\x3c\x7e\x64\x1f\xcc\xa2\x7f\xf6\xbe" +-- +2.39.5 + diff --git a/queue-5.10/crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch b/queue-5.10/crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch new file mode 100644 index 0000000000..0d7b2f4dcb --- /dev/null +++ b/queue-5.10/crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch @@ -0,0 +1,163 @@ +From 37608460a85803c20531264a7341ac7234bc7f3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Jul 2022 14:37:46 +0100 +Subject: crypto: testmgr - some more fixes to RSA test vectors + +From: Ignat Korchagin + +[ Upstream commit 9d2bb9a74b2877f100637d6ab5685bcd33c69d44 ] + +Two more fixes: + + * some test vectors in commit 79e6e2f3f3ff ("crypto: testmgr - populate + RSA CRT parameters in RSA test vectors") had misplaced commas, which + break the test and trigger KASAN warnings at least on x86-64 + + * pkcs1pad test vector did not have its CRT parameters + +Fixes: 79e6e2f3f3ff ("crypto: testmgr - populate RSA CRT parameters in RSA test vectors") +Reported-by: Eric Biggers +Signed-off-by: Ignat Korchagin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/testmgr.h | 102 +++++++++++++++++++++++++++++------------------ + 1 file changed, 63 insertions(+), 39 deletions(-) + +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index fd2376af5af01..2c9f9f555929c 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -271,7 +271,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" + "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" + "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D" +- "\x02\x41", /* coefficient - integer of 65 bytes */ ++ "\x02\x41" /* coefficient - integer of 65 bytes */ + "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" + "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" + "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" +@@ -368,7 +368,7 @@ static const struct akcipher_testvec rsa_tv_template[] = { + "\x6A\x37\x3B\x86\x6C\x51\x37\x5B\x1D\x79\xF2\xA3\x43\x10\xC6\xA7" + "\x21\x79\x6D\xF9\xE9\x04\x6A\xE8\x32\xFF\xAE\xFD\x1C\x7B\x8C\x29" + "\x13\xA3\x0C\xB2\xAD\xEC\x6C\x0F\x8D\x27\x12\x7B\x48\xB2\xDB\x31" +- "\x02\x81\x81", /* coefficient - integer of 129 bytes */ ++ "\x02\x81\x81" /* coefficient - integer of 129 bytes */ + "\x00\x8D\x1B\x05\xCA\x24\x1F\x0C\x53\x19\x52\x74\x63\x21\xFA\x78" + "\x46\x79\xAF\x5C\xDE\x30\xA4\x6C\x20\x38\xE6\x97\x39\xB8\x7A\x70" + "\x0D\x8B\x6C\x6D\x13\x74\xD5\x1C\xDE\xA9\xF4\x60\x37\xFE\x68\x77" +@@ -805,7 +805,7 @@ static const struct akcipher_testvec ecrdsa_tv_template[] = { + static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = { + { + .key = +- "\x30\x82\x03\x1f\x02\x01\x00\x02\x82\x01\x01\x00\xd7\x1e\x77\x82" ++ "\x30\x82\x04\xa5\x02\x01\x00\x02\x82\x01\x01\x00\xd7\x1e\x77\x82" + "\x8c\x92\x31\xe7\x69\x02\xa2\xd5\x5c\x78\xde\xa2\x0c\x8f\xfe\x28" + "\x59\x31\xdf\x40\x9c\x60\x61\x06\xb9\x2f\x62\x40\x80\x76\xcb\x67" + "\x4a\xb5\x59\x56\x69\x17\x07\xfa\xf9\x4c\xbd\x6c\x37\x7a\x46\x7d" +@@ -821,42 +821,66 @@ static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = { + "\x9e\x49\x63\x6e\x02\xc1\xc9\x3a\x9b\xa5\x22\x1b\x07\x95\xd6\x10" + "\x02\x50\xfd\xfd\xd1\x9b\xbe\xab\xc2\xc0\x74\xd7\xec\x00\xfb\x11" + "\x71\xcb\x7a\xdc\x81\x79\x9f\x86\x68\x46\x63\x82\x4d\xb7\xf1\xe6" +- "\x16\x6f\x42\x63\xf4\x94\xa0\xca\x33\xcc\x75\x13\x02\x82\x01\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01" +- "\x02\x82\x01\x00\x62\xb5\x60\x31\x4f\x3f\x66\x16\xc1\x60\xac\x47" +- "\x2a\xff\x6b\x69\x00\x4a\xb2\x5c\xe1\x50\xb9\x18\x74\xa8\xe4\xdc" +- "\xa8\xec\xcd\x30\xbb\xc1\xc6\xe3\xc6\xac\x20\x2a\x3e\x5e\x8b\x12" +- "\xe6\x82\x08\x09\x38\x0b\xab\x7c\xb3\xcc\x9c\xce\x97\x67\xdd\xef" +- "\x95\x40\x4e\x92\xe2\x44\xe9\x1d\xc1\x14\xfd\xa9\xb1\xdc\x71\x9c" +- "\x46\x21\xbd\x58\x88\x6e\x22\x15\x56\xc1\xef\xe0\xc9\x8d\xe5\x80" +- "\x3e\xda\x7e\x93\x0f\x52\xf6\xf5\xc1\x91\x90\x9e\x42\x49\x4f\x8d" +- "\x9c\xba\x38\x83\xe9\x33\xc2\x50\x4f\xec\xc2\xf0\xa8\xb7\x6e\x28" +- "\x25\x56\x6b\x62\x67\xfe\x08\xf1\x56\xe5\x6f\x0e\x99\xf1\xe5\x95" +- "\x7b\xef\xeb\x0a\x2c\x92\x97\x57\x23\x33\x36\x07\xdd\xfb\xae\xf1" +- "\xb1\xd8\x33\xb7\x96\x71\x42\x36\xc5\xa4\xa9\x19\x4b\x1b\x52\x4c" +- "\x50\x69\x91\xf0\x0e\xfa\x80\x37\x4b\xb5\xd0\x2f\xb7\x44\x0d\xd4" +- "\xf8\x39\x8d\xab\x71\x67\x59\x05\x88\x3d\xeb\x48\x48\x33\x88\x4e" +- "\xfe\xf8\x27\x1b\xd6\x55\x60\x5e\x48\xb7\x6d\x9a\xa8\x37\xf9\x7a" +- "\xde\x1b\xcd\x5d\x1a\x30\xd4\xe9\x9e\x5b\x3c\x15\xf8\x9c\x1f\xda" +- "\xd1\x86\x48\x55\xce\x83\xee\x8e\x51\xc7\xde\x32\x12\x47\x7d\x46" +- "\xb8\x35\xdf\x41\x02\x01\x00\x02\x01\x00\x02\x01\x00\x02\x01\x00" +- "\x02\x01\x00", +- .key_len = 803, ++ "\x16\x6f\x42\x63\xf4\x94\xa0\xca\x33\xcc\x75\x13\x02\x03\x01\x00" ++ "\x01\x02\x82\x01\x00\x62\xb5\x60\x31\x4f\x3f\x66\x16\xc1\x60\xac" ++ "\x47\x2a\xff\x6b\x69\x00\x4a\xb2\x5c\xe1\x50\xb9\x18\x74\xa8\xe4" ++ "\xdc\xa8\xec\xcd\x30\xbb\xc1\xc6\xe3\xc6\xac\x20\x2a\x3e\x5e\x8b" ++ "\x12\xe6\x82\x08\x09\x38\x0b\xab\x7c\xb3\xcc\x9c\xce\x97\x67\xdd" ++ "\xef\x95\x40\x4e\x92\xe2\x44\xe9\x1d\xc1\x14\xfd\xa9\xb1\xdc\x71" ++ "\x9c\x46\x21\xbd\x58\x88\x6e\x22\x15\x56\xc1\xef\xe0\xc9\x8d\xe5" ++ "\x80\x3e\xda\x7e\x93\x0f\x52\xf6\xf5\xc1\x91\x90\x9e\x42\x49\x4f" ++ "\x8d\x9c\xba\x38\x83\xe9\x33\xc2\x50\x4f\xec\xc2\xf0\xa8\xb7\x6e" ++ "\x28\x25\x56\x6b\x62\x67\xfe\x08\xf1\x56\xe5\x6f\x0e\x99\xf1\xe5" ++ "\x95\x7b\xef\xeb\x0a\x2c\x92\x97\x57\x23\x33\x36\x07\xdd\xfb\xae" ++ "\xf1\xb1\xd8\x33\xb7\x96\x71\x42\x36\xc5\xa4\xa9\x19\x4b\x1b\x52" ++ "\x4c\x50\x69\x91\xf0\x0e\xfa\x80\x37\x4b\xb5\xd0\x2f\xb7\x44\x0d" ++ "\xd4\xf8\x39\x8d\xab\x71\x67\x59\x05\x88\x3d\xeb\x48\x48\x33\x88" ++ "\x4e\xfe\xf8\x27\x1b\xd6\x55\x60\x5e\x48\xb7\x6d\x9a\xa8\x37\xf9" ++ "\x7a\xde\x1b\xcd\x5d\x1a\x30\xd4\xe9\x9e\x5b\x3c\x15\xf8\x9c\x1f" ++ "\xda\xd1\x86\x48\x55\xce\x83\xee\x8e\x51\xc7\xde\x32\x12\x47\x7d" ++ "\x46\xb8\x35\xdf\x41\x02\x81\x81\x00\xe4\x4c\xae\xde\x16\xfd\x9f" ++ "\x83\x55\x5b\x84\x4a\xcf\x1c\xf1\x37\x95\xad\xca\x29\x7f\x2d\x6e" ++ "\x32\x81\xa4\x2b\x26\x14\x96\x1d\x40\x05\xec\x0c\xaf\x3f\x2c\x6f" ++ "\x2c\xe8\xbf\x1d\xee\xd0\xb3\xef\x7c\x5b\x9e\x88\x4f\x2a\x8b\x0e" ++ "\x4a\xbd\xb7\x8c\xfa\x10\x0e\x3b\xda\x68\xad\x41\x2b\xe4\x96\xfa" ++ "\x7f\x80\x52\x5f\x07\x9f\x0e\x3b\x5e\x96\x45\x1a\x13\x2b\x94\xce" ++ "\x1f\x07\x69\x85\x35\xfc\x69\x63\x5b\xf8\xf8\x3f\xce\x9d\x40\x1e" ++ "\x7c\xad\xfb\x9e\xce\xe0\x01\xf8\xef\x59\x5d\xdc\x00\x79\xab\x8a" ++ "\x3f\x80\xa2\x76\x32\x94\xa9\xea\x65\x02\x81\x81\x00\xf1\x38\x60" ++ "\x90\x0d\x0c\x2e\x3d\x34\xe5\x90\xea\x21\x43\x1f\x68\x63\x16\x7b" ++ "\x25\x8d\xde\x82\x2b\x52\xf8\xa3\xfd\x0f\x39\xe7\xe9\x5e\x32\x75" ++ "\x15\x7d\xd0\xc9\xce\x06\xe5\xfb\xa9\xcb\x22\xe5\xdb\x49\x09\xf2" ++ "\xe6\xb7\xa5\xa7\x75\x2e\x91\x2d\x2b\x5d\xf1\x48\x61\x45\x43\xd7" ++ "\xbd\xfc\x11\x73\xb5\x11\x9f\xb2\x18\x3a\x6f\x36\xa7\xc2\xd3\x18" ++ "\x4d\xf0\xc5\x1f\x70\x8c\x9b\xc5\x1d\x95\xa8\x5a\x9e\x8c\xb1\x4b" ++ "\x6a\x2a\x84\x76\x2c\xd8\x4f\x47\xb0\x81\x84\x02\x45\xf0\x85\xf8" ++ "\x0c\x6d\xa7\x0c\x4d\x2c\xb2\x5b\x81\x70\xfd\x6e\x17\x02\x81\x81" ++ "\x00\x8d\x07\xc5\xfa\x92\x4f\x48\xcb\xd3\xdd\xfe\x02\x4c\xa1\x7f" ++ "\x6d\xab\xfc\x38\xe7\x9b\x95\xcf\xfe\x49\x51\xc6\x09\xf7\x2b\xa8" ++ "\x94\x15\x54\x75\x9d\x88\xb4\x05\x55\xc3\xcd\xd4\x4a\xe4\x08\x53" ++ "\xc8\x09\xbd\x0c\x4d\x83\x65\x75\x85\xbc\x5e\xf8\x2a\xbd\xe2\x5d" ++ "\x1d\x16\x0e\xf9\x34\x89\x38\xaf\x34\x36\x6c\x2c\x22\x44\x22\x81" ++ "\x90\x73\xd9\xea\x3a\xaf\x70\x74\x48\x7c\xc6\xb5\xb0\xdc\xe5\xa9" ++ "\xa8\x76\x4b\xbc\xf7\x00\xf3\x4c\x22\x0f\x44\x62\x1d\x40\x0a\x57" ++ "\xe2\x5b\xdd\x7c\x7b\x9a\xad\xda\x70\x52\x21\x8a\x4c\xc2\xc3\x98" ++ "\x75\x02\x81\x81\x00\xed\x24\x5c\xa2\x21\x81\xa1\x0f\xa1\x2a\x33" ++ "\x0e\x49\xc7\x00\x60\x92\x51\x6e\x9d\x9b\xdc\x6d\x22\x04\x7e\xd6" ++ "\x51\x19\x9f\xf6\xe3\x91\x2c\x8f\xb8\xa2\x29\x19\xcc\x47\x31\xdf" ++ "\xf8\xab\xf0\xd2\x02\x83\xca\x99\x16\xc2\xe2\xc3\x3f\x4b\x99\x83" ++ "\xcb\x87\x9e\x86\x66\xc2\x3e\x91\x21\x80\x66\xf3\xd6\xc5\xcd\xb6" ++ "\xbb\x64\xef\x22\xcf\x48\x94\x58\xe7\x7e\xd5\x7c\x34\x1c\xb7\xa2" ++ "\xd0\x93\xe9\x9f\xb5\x11\x61\xd7\x5f\x37\x0f\x64\x52\x70\x11\x78" ++ "\xcc\x08\x77\xeb\xf8\x30\x1e\xb4\x9e\x1b\x4a\xc7\xa8\x33\x51\xe0" ++ "\xed\xdf\x53\xf6\xdf\x02\x81\x81\x00\x86\xd9\x4c\xee\x65\x61\xc1" ++ "\x19\xa9\xd5\x74\x9b\xd5\xca\xf6\x83\x2b\x06\xb4\x20\xfe\x45\x29" ++ "\xe8\xe3\xfa\xe1\x4f\x28\x8e\x63\x2f\x74\xc3\x3a\x5c\x9a\xf5\x9e" ++ "\x0e\x0d\xc5\xfe\xa0\x4c\x00\xce\x7b\xa4\x19\x17\x59\xaf\x13\x3a" ++ "\x03\x8f\x54\xf5\x60\x39\x2e\xd9\x06\xb3\x7c\xd6\x90\x06\x41\x77" ++ "\xf3\x93\xe1\x7a\x01\x41\xc1\x8f\xfe\x4c\x88\x39\xdb\xde\x71\x9e" ++ "\x58\xd1\x49\x50\x80\xb2\x5a\x4f\x69\x8b\xb8\xfe\x63\xd4\x42\x3d" ++ "\x37\x61\xa8\x4c\xff\xb6\x99\x4c\xf4\x51\xe0\x44\xaa\x69\x79\x3f" ++ "\x81\xa4\x61\x3d\x26\xe9\x04\x52\x64", ++ .key_len = 1193, + /* + * m is SHA256 hash of following message: + * "\x49\x41\xbe\x0a\x0c\xc9\xf6\x35\x51\xe4\x27\x56\x13\x71\x4b\xd0" +-- +2.39.5 + diff --git a/queue-5.10/drm-probe-helper-create-a-hpd-irq-event-helper-for-a.patch b/queue-5.10/drm-probe-helper-create-a-hpd-irq-event-helper-for-a.patch new file mode 100644 index 0000000000..fa772ee2db --- /dev/null +++ b/queue-5.10/drm-probe-helper-create-a-hpd-irq-event-helper-for-a.patch @@ -0,0 +1,203 @@ +From 6dde0fe9861520464ec53c3573755e5138cef6a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 12:17:23 +0200 +Subject: drm/probe-helper: Create a HPD IRQ event helper for a single + connector + +From: Maxime Ripard + +[ Upstream commit 0464ed1a79b818d5e3eda1ac3c23a057ac0cc7c3 ] + +The drm_helper_hpd_irq_event() function is iterating over all the +connectors when an hotplug event is detected. + +During that iteration, it will call each connector detect function and +figure out if its status changed. + +Finally, if any connector changed, it will notify the user-space and the +clients that something changed on the DRM device. + +This is supposed to be used for drivers that don't have a hotplug +interrupt for individual connectors. However, drivers that can use an +interrupt for a single connector are left in the dust and can either +reimplement the logic used during the iteration for each connector or +use that helper and iterate over all connectors all the time. + +Since both are suboptimal, let's create a helper that will only perform +the status detection on a single connector. + +Signed-off-by: Maxime Ripard +Reviewed-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20210914101724.266570-2-maxime@cerno.tech +Stable-dep-of: 666e19604641 ("drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event()") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_probe_helper.c | 116 +++++++++++++++++++++-------- + include/drm/drm_probe_helper.h | 1 + + 2 files changed, 86 insertions(+), 31 deletions(-) + +diff --git a/drivers/gpu/drm/drm_probe_helper.c b/drivers/gpu/drm/drm_probe_helper.c +index d3f0d048594e7..1421768a4f333 100644 +--- a/drivers/gpu/drm/drm_probe_helper.c ++++ b/drivers/gpu/drm/drm_probe_helper.c +@@ -795,6 +795,86 @@ void drm_kms_helper_poll_fini(struct drm_device *dev) + } + EXPORT_SYMBOL(drm_kms_helper_poll_fini); + ++static bool check_connector_changed(struct drm_connector *connector) ++{ ++ struct drm_device *dev = connector->dev; ++ enum drm_connector_status old_status; ++ u64 old_epoch_counter; ++ ++ /* Only handle HPD capable connectors. */ ++ drm_WARN_ON(dev, !(connector->polled & DRM_CONNECTOR_POLL_HPD)); ++ ++ drm_WARN_ON(dev, !mutex_is_locked(&dev->mode_config.mutex)); ++ ++ old_status = connector->status; ++ old_epoch_counter = connector->epoch_counter; ++ connector->status = drm_helper_probe_detect(connector, NULL, false); ++ ++ if (old_epoch_counter == connector->epoch_counter) { ++ drm_dbg_kms(dev, "[CONNECTOR:%d:%s] Same epoch counter %llu\n", ++ connector->base.id, ++ connector->name, ++ connector->epoch_counter); ++ ++ return false; ++ } ++ ++ drm_dbg_kms(dev, "[CONNECTOR:%d:%s] status updated from %s to %s\n", ++ connector->base.id, ++ connector->name, ++ drm_get_connector_status_name(old_status), ++ drm_get_connector_status_name(connector->status)); ++ ++ drm_dbg_kms(dev, "[CONNECTOR:%d:%s] Changed epoch counter %llu => %llu\n", ++ connector->base.id, ++ connector->name, ++ old_epoch_counter, ++ connector->epoch_counter); ++ ++ return true; ++} ++ ++/** ++ * drm_connector_helper_hpd_irq_event - hotplug processing ++ * @connector: drm_connector ++ * ++ * Drivers can use this helper function to run a detect cycle on a connector ++ * which has the DRM_CONNECTOR_POLL_HPD flag set in its &polled member. ++ * ++ * This helper function is useful for drivers which can track hotplug ++ * interrupts for a single connector. Drivers that want to send a ++ * hotplug event for all connectors or can't track hotplug interrupts ++ * per connector need to use drm_helper_hpd_irq_event(). ++ * ++ * This function must be called from process context with no mode ++ * setting locks held. ++ * ++ * Note that a connector can be both polled and probed from the hotplug ++ * handler, in case the hotplug interrupt is known to be unreliable. ++ * ++ * Returns: ++ * A boolean indicating whether the connector status changed or not ++ */ ++bool drm_connector_helper_hpd_irq_event(struct drm_connector *connector) ++{ ++ struct drm_device *dev = connector->dev; ++ bool changed; ++ ++ mutex_lock(&dev->mode_config.mutex); ++ changed = check_connector_changed(connector); ++ mutex_unlock(&dev->mode_config.mutex); ++ ++ if (changed) { ++ drm_kms_helper_hotplug_event(dev); ++ drm_dbg_kms(dev, "[CONNECTOR:%d:%s] Sent hotplug event\n", ++ connector->base.id, ++ connector->name); ++ } ++ ++ return changed; ++} ++EXPORT_SYMBOL(drm_connector_helper_hpd_irq_event); ++ + /** + * drm_helper_hpd_irq_event - hotplug processing + * @dev: drm_device +@@ -808,9 +888,10 @@ EXPORT_SYMBOL(drm_kms_helper_poll_fini); + * interrupts for each connector. + * + * Drivers which support hotplug interrupts for each connector individually and +- * which have a more fine-grained detect logic should bypass this code and +- * directly call drm_kms_helper_hotplug_event() in case the connector state +- * changed. ++ * which have a more fine-grained detect logic can use ++ * drm_connector_helper_hpd_irq_event(). Alternatively, they should bypass this ++ * code and directly call drm_kms_helper_hotplug_event() in case the connector ++ * state changed. + * + * This function must be called from process context with no mode + * setting locks held. +@@ -822,9 +903,7 @@ bool drm_helper_hpd_irq_event(struct drm_device *dev) + { + struct drm_connector *connector; + struct drm_connector_list_iter conn_iter; +- enum drm_connector_status old_status; + bool changed = false; +- u64 old_epoch_counter; + + if (!dev->mode_config.poll_enabled) + return false; +@@ -836,33 +915,8 @@ bool drm_helper_hpd_irq_event(struct drm_device *dev) + if (!(connector->polled & DRM_CONNECTOR_POLL_HPD)) + continue; + +- old_status = connector->status; +- +- old_epoch_counter = connector->epoch_counter; +- +- DRM_DEBUG_KMS("[CONNECTOR:%d:%s] Old epoch counter %llu\n", connector->base.id, +- connector->name, +- old_epoch_counter); +- +- connector->status = drm_helper_probe_detect(connector, NULL, false); +- DRM_DEBUG_KMS("[CONNECTOR:%d:%s] status updated from %s to %s\n", +- connector->base.id, +- connector->name, +- drm_get_connector_status_name(old_status), +- drm_get_connector_status_name(connector->status)); +- +- DRM_DEBUG_KMS("[CONNECTOR:%d:%s] New epoch counter %llu\n", +- connector->base.id, +- connector->name, +- connector->epoch_counter); +- +- /* +- * Check if epoch counter had changed, meaning that we need +- * to send a uevent. +- */ +- if (old_epoch_counter != connector->epoch_counter) ++ if (check_connector_changed(connector)) + changed = true; +- + } + drm_connector_list_iter_end(&conn_iter); + mutex_unlock(&dev->mode_config.mutex); +diff --git a/include/drm/drm_probe_helper.h b/include/drm/drm_probe_helper.h +index 8d3ed2834d345..04c57564c397d 100644 +--- a/include/drm/drm_probe_helper.h ++++ b/include/drm/drm_probe_helper.h +@@ -18,6 +18,7 @@ int drm_helper_probe_detect(struct drm_connector *connector, + void drm_kms_helper_poll_init(struct drm_device *dev); + void drm_kms_helper_poll_fini(struct drm_device *dev); + bool drm_helper_hpd_irq_event(struct drm_device *dev); ++bool drm_connector_helper_hpd_irq_event(struct drm_connector *connector); + void drm_kms_helper_hotplug_event(struct drm_device *dev); + + void drm_kms_helper_poll_disable(struct drm_device *dev); +-- +2.39.5 + diff --git a/queue-5.10/drm-rockchip-cdn-dp-use-drm_connector_helper_hpd_irq.patch b/queue-5.10/drm-rockchip-cdn-dp-use-drm_connector_helper_hpd_irq.patch new file mode 100644 index 0000000000..9b2c931abc --- /dev/null +++ b/queue-5.10/drm-rockchip-cdn-dp-use-drm_connector_helper_hpd_irq.patch @@ -0,0 +1,78 @@ +From e431f57f0fba0f3433233fdb42389cea632bc984 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2024 14:38:16 +0100 +Subject: drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Zimmermann + +[ Upstream commit 666e1960464140cc4bc9203c203097e70b54c95a ] + +The code for detecting and updating the connector status in +cdn_dp_pd_event_work() has a number of problems. + +- It does not aquire the locks to call the detect helper and update +the connector status. These are struct drm_mode_config.connection_mutex +and struct drm_mode_config.mutex. + +- It does not use drm_helper_probe_detect(), which helps with the +details of locking and detection. + +- It uses the connector's status field to determine a change to +the connector status. The epoch_counter field is the correct one. The +field signals a change even if the connector status' value did not +change. + +Replace the code with a call to drm_connector_helper_hpd_irq_event(), +which fixes all these problems. + +Signed-off-by: Thomas Zimmermann +Fixes: 81632df69772 ("drm/rockchip: cdn-dp: do not use drm_helper_hpd_irq_event") +Cc: Chris Zhong +Cc: Guenter Roeck +Cc: Sandy Huang +Cc: "Heiko Stübner" +Cc: Andy Yan +Cc: dri-devel@lists.freedesktop.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-rockchip@lists.infradead.org +Cc: # v4.11+ +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20241105133848.480407-1-tzimmermann@suse.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/cdn-dp-core.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c +index 53cad1003ad77..a36646e234aec 100644 +--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c ++++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c +@@ -915,9 +915,6 @@ static void cdn_dp_pd_event_work(struct work_struct *work) + { + struct cdn_dp_device *dp = container_of(work, struct cdn_dp_device, + event_work); +- struct drm_connector *connector = &dp->connector; +- enum drm_connector_status old_status; +- + int ret; + + mutex_lock(&dp->lock); +@@ -979,11 +976,7 @@ static void cdn_dp_pd_event_work(struct work_struct *work) + + out: + mutex_unlock(&dp->lock); +- +- old_status = connector->status; +- connector->status = connector->funcs->detect(connector, false); +- if (old_status != connector->status) +- drm_kms_helper_hotplug_event(dp->drm_dev); ++ drm_connector_helper_hpd_irq_event(&dp->connector); + } + + static int cdn_dp_pd_event(struct notifier_block *nb, +-- +2.39.5 + diff --git a/queue-5.10/flow_dissector-fix-handling-of-mixed-port-and-port-r.patch b/queue-5.10/flow_dissector-fix-handling-of-mixed-port-and-port-r.patch new file mode 100644 index 0000000000..e00bc56032 --- /dev/null +++ b/queue-5.10/flow_dissector-fix-handling-of-mixed-port-and-port-r.patch @@ -0,0 +1,94 @@ +From 2db777d73715a4b97a2c38c8e45f982b3e6675e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 20:32:07 -0800 +Subject: flow_dissector: Fix handling of mixed port and port-range keys + +From: Cong Wang + +[ Upstream commit 3e5796862c692ea608d96f0a1437f9290f44953a ] + +This patch fixes a bug in TC flower filter where rules combining a +specific destination port with a source port range weren't working +correctly. + +The specific case was when users tried to configure rules like: + +tc filter add dev ens38 ingress protocol ip flower ip_proto udp \ +dst_port 5000 src_port 2000-3000 action drop + +The root cause was in the flow dissector code. While both +FLOW_DISSECTOR_KEY_PORTS and FLOW_DISSECTOR_KEY_PORTS_RANGE flags +were being set correctly in the classifier, the __skb_flow_dissect_ports() +function was only populating one of them: whichever came first in +the enum check. This meant that when the code needed both a specific +port and a port range, one of them would be left as 0, causing the +filter to not match packets as expected. + +Fix it by removing the either/or logic and instead checking and +populating both key types independently when they're in use. + +Fixes: 8ffb055beae5 ("cls_flower: Fix the behavior using port ranges with hw-offload") +Reported-by: Qiang Zhang +Closes: https://lore.kernel.org/netdev/CAPx+-5uvFxkhkz4=j_Xuwkezjn9U6kzKTD5jz4tZ9msSJ0fOJA@mail.gmail.com/ +Cc: Yoshiki Komachi +Cc: Jamal Hadi Salim +Cc: Jiri Pirko +Signed-off-by: Cong Wang +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20250218043210.732959-2-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/flow_dissector.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index 3d5192177560d..3f90f70d30060 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -716,23 +716,30 @@ __skb_flow_dissect_ports(const struct sk_buff *skb, + void *target_container, void *data, int nhoff, + u8 ip_proto, int hlen) + { +- enum flow_dissector_key_id dissector_ports = FLOW_DISSECTOR_KEY_MAX; +- struct flow_dissector_key_ports *key_ports; ++ struct flow_dissector_key_ports_range *key_ports_range = NULL; ++ struct flow_dissector_key_ports *key_ports = NULL; ++ __be32 ports; + + if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS)) +- dissector_ports = FLOW_DISSECTOR_KEY_PORTS; +- else if (dissector_uses_key(flow_dissector, +- FLOW_DISSECTOR_KEY_PORTS_RANGE)) +- dissector_ports = FLOW_DISSECTOR_KEY_PORTS_RANGE; ++ key_ports = skb_flow_dissector_target(flow_dissector, ++ FLOW_DISSECTOR_KEY_PORTS, ++ target_container); ++ ++ if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS_RANGE)) ++ key_ports_range = skb_flow_dissector_target(flow_dissector, ++ FLOW_DISSECTOR_KEY_PORTS_RANGE, ++ target_container); + +- if (dissector_ports == FLOW_DISSECTOR_KEY_MAX) ++ if (!key_ports && !key_ports_range) + return; + +- key_ports = skb_flow_dissector_target(flow_dissector, +- dissector_ports, +- target_container); +- key_ports->ports = __skb_flow_get_ports(skb, nhoff, ip_proto, +- data, hlen); ++ ports = __skb_flow_get_ports(skb, nhoff, ip_proto, data, hlen); ++ ++ if (key_ports) ++ key_ports->ports = ports; ++ ++ if (key_ports_range) ++ key_ports_range->tp.ports = ports; + } + + static void +-- +2.39.5 + diff --git a/queue-5.10/flow_dissector-fix-port-range-key-handling-in-bpf-co.patch b/queue-5.10/flow_dissector-fix-port-range-key-handling-in-bpf-co.patch new file mode 100644 index 0000000000..ac0df37db8 --- /dev/null +++ b/queue-5.10/flow_dissector-fix-port-range-key-handling-in-bpf-co.patch @@ -0,0 +1,76 @@ +From 3e9c6cfd0cde71b79f6aab8d7c6752171e3daffe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 20:32:09 -0800 +Subject: flow_dissector: Fix port range key handling in BPF conversion + +From: Cong Wang + +[ Upstream commit 69ab34f705fbfabcace64b5d53bb7a4450fac875 ] + +Fix how port range keys are handled in __skb_flow_bpf_to_target() by: +- Separating PORTS and PORTS_RANGE key handling +- Using correct key_ports_range structure for range keys +- Properly initializing both key types independently + +This ensures port range information is correctly stored in its dedicated +structure rather than incorrectly using the regular ports key structure. + +Fixes: 59fb9b62fb6c ("flow_dissector: Fix to use new variables for port ranges in bpf hook") +Reported-by: Qiang Zhang +Closes: https://lore.kernel.org/netdev/CAPx+-5uvFxkhkz4=j_Xuwkezjn9U6kzKTD5jz4tZ9msSJ0fOJA@mail.gmail.com/ +Cc: Yoshiki Komachi +Cc: Jamal Hadi Salim +Cc: Jiri Pirko +Signed-off-by: Cong Wang +Link: https://patch.msgid.link/20250218043210.732959-4-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/flow_dissector.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index 3f90f70d30060..cc9c63987dc36 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -792,6 +792,7 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys, + struct flow_dissector *flow_dissector, + void *target_container) + { ++ struct flow_dissector_key_ports_range *key_ports_range = NULL; + struct flow_dissector_key_ports *key_ports = NULL; + struct flow_dissector_key_control *key_control; + struct flow_dissector_key_basic *key_basic; +@@ -836,20 +837,21 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys, + key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; + } + +- if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS)) ++ if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS)) { + key_ports = skb_flow_dissector_target(flow_dissector, + FLOW_DISSECTOR_KEY_PORTS, + target_container); +- else if (dissector_uses_key(flow_dissector, +- FLOW_DISSECTOR_KEY_PORTS_RANGE)) +- key_ports = skb_flow_dissector_target(flow_dissector, +- FLOW_DISSECTOR_KEY_PORTS_RANGE, +- target_container); +- +- if (key_ports) { + key_ports->src = flow_keys->sport; + key_ports->dst = flow_keys->dport; + } ++ if (dissector_uses_key(flow_dissector, ++ FLOW_DISSECTOR_KEY_PORTS_RANGE)) { ++ key_ports_range = skb_flow_dissector_target(flow_dissector, ++ FLOW_DISSECTOR_KEY_PORTS_RANGE, ++ target_container); ++ key_ports_range->tp.src = flow_keys->sport; ++ key_ports_range->tp.dst = flow_keys->dport; ++ } + + if (dissector_uses_key(flow_dissector, + FLOW_DISSECTOR_KEY_FLOW_LABEL)) { +-- +2.39.5 + diff --git a/queue-5.10/geneve-fix-use-after-free-in-geneve_find_dev.patch b/queue-5.10/geneve-fix-use-after-free-in-geneve_find_dev.patch new file mode 100644 index 0000000000..f6a1d56afa --- /dev/null +++ b/queue-5.10/geneve-fix-use-after-free-in-geneve_find_dev.patch @@ -0,0 +1,200 @@ +From 4024bda86db794468a43a80deb935a5b18a63138 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 13:33:54 +0900 +Subject: geneve: Fix use-after-free in geneve_find_dev(). + +From: Kuniyuki Iwashima + +[ Upstream commit 9593172d93b9f91c362baec4643003dc29802929 ] + +syzkaller reported a use-after-free in geneve_find_dev() [0] +without repro. + +geneve_configure() links struct geneve_dev.next to +net_generic(net, geneve_net_id)->geneve_list. + +The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, +IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set. + +When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally +calls unregister_netdevice_queue() for each dev in the netns, +and later the dev is freed. + +However, its geneve_dev.next is still linked to the backend UDP +socket netns. + +Then, use-after-free will occur when another geneve dev is created +in the netns. + +Let's call geneve_dellink() instead in geneve_destroy_tunnels(). + +[0]: +BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline] +BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 +Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441 + +CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d +Hardware name: linux,dummy-virt (DT) +Call trace: + show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C) + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x16c/0x6f0 mm/kasan/report.c:489 + kasan_report+0xc0/0x120 mm/kasan/report.c:602 + __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379 + geneve_find_dev drivers/net/geneve.c:1295 [inline] + geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 + geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634 + rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795 + __rtnl_newlink net/core/rtnetlink.c:3906 [inline] + rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 + rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 + netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 + rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 + netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] + netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348 + netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892 + sock_sendmsg_nosec net/socket.c:713 [inline] + __sock_sendmsg net/socket.c:728 [inline] + ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568 + ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622 + __sys_sendmsg net/socket.c:2654 [inline] + __do_sys_sendmsg net/socket.c:2659 [inline] + __se_sys_sendmsg net/socket.c:2657 [inline] + __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 + el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 + el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 + el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 + +Allocated by task 13247: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x30/0x68 mm/kasan/common.c:68 + kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4298 [inline] + __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304 + __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645 + alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470 + rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604 + rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780 + __rtnl_newlink net/core/rtnetlink.c:3906 [inline] + rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 + rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 + netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 + rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 + netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] + netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348 + netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892 + sock_sendmsg_nosec net/socket.c:713 [inline] + __sock_sendmsg net/socket.c:728 [inline] + ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568 + ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622 + __sys_sendmsg net/socket.c:2654 [inline] + __do_sys_sendmsg net/socket.c:2659 [inline] + __se_sys_sendmsg net/socket.c:2657 [inline] + __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 + el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 + el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 + el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 + +Freed by task 45: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x30/0x68 mm/kasan/common.c:68 + kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:582 + poison_slab_object mm/kasan/common.c:247 [inline] + __kasan_slab_free+0x48/0x68 mm/kasan/common.c:264 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2353 [inline] + slab_free mm/slub.c:4613 [inline] + kfree+0x140/0x420 mm/slub.c:4761 + kvfree+0x4c/0x68 mm/util.c:688 + netdev_release+0x94/0xc8 net/core/net-sysfs.c:2065 + device_release+0x98/0x1c0 + kobject_cleanup lib/kobject.c:689 [inline] + kobject_release lib/kobject.c:720 [inline] + kref_put include/linux/kref.h:65 [inline] + kobject_put+0x2b0/0x438 lib/kobject.c:737 + netdev_run_todo+0xe5c/0xfc8 net/core/dev.c:11185 + rtnl_unlock+0x20/0x38 net/core/rtnetlink.c:151 + cleanup_net+0x4fc/0x8c0 net/core/net_namespace.c:648 + process_one_work+0x700/0x1398 kernel/workqueue.c:3236 + process_scheduled_works kernel/workqueue.c:3317 [inline] + worker_thread+0x8c4/0xe10 kernel/workqueue.c:3398 + kthread+0x4bc/0x608 kernel/kthread.c:464 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 + +The buggy address belongs to the object at ffff000054d6e000 + which belongs to the cache kmalloc-cg-4k of size 4096 +The buggy address is located 3620 bytes inside of + freed 4096-byte region [ffff000054d6e000, ffff000054d6f000) + +The buggy address belongs to the physical page: +page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94d68 +head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +memcg:ffff000016276181 +flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff) +page_type: f5(slab) +raw: 03fffe0000000040 ffff0000c000f500 dead000000000122 0000000000000000 +raw: 0000000000000000 0000000000040004 00000001f5000000 ffff000016276181 +head: 03fffe0000000040 ffff0000c000f500 dead000000000122 0000000000000000 +head: 0000000000000000 0000000000040004 00000001f5000000 ffff000016276181 +head: 03fffe0000000003 fffffdffc1535a01 ffffffffffffffff 0000000000000000 +head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff000054d6ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff000054d6ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff000054d6ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff000054d6ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff000054d6ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250213043354.91368-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/geneve.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c +index e7412edb84dcd..a79cebd7041be 100644 +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -1968,16 +1968,11 @@ static void geneve_destroy_tunnels(struct net *net, struct list_head *head) + /* gather any geneve devices that were moved into this ns */ + for_each_netdev_safe(net, dev, aux) + if (dev->rtnl_link_ops == &geneve_link_ops) +- unregister_netdevice_queue(dev, head); ++ geneve_dellink(dev, head); + + /* now gather any other geneve devices that were created in this ns */ +- list_for_each_entry_safe(geneve, next, &gn->geneve_list, next) { +- /* If geneve->dev is in the same netns, it was already added +- * to the list by the previous loop. +- */ +- if (!net_eq(dev_net(geneve->dev), net)) +- unregister_netdevice_queue(geneve->dev, head); +- } ++ list_for_each_entry_safe(geneve, next, &gn->geneve_list, next) ++ geneve_dellink(geneve->dev, head); + } + + static void __net_exit geneve_exit_batch_net(struct list_head *net_list) +-- +2.39.5 + diff --git a/queue-5.10/geneve-suppress-list-corruption-splat-in-geneve_dest.patch b/queue-5.10/geneve-suppress-list-corruption-splat-in-geneve_dest.patch new file mode 100644 index 0000000000..0df2468f2e --- /dev/null +++ b/queue-5.10/geneve-suppress-list-corruption-splat-in-geneve_dest.patch @@ -0,0 +1,50 @@ +From fba9d42b3df703a8086f5c847ee52a6198f0fbf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 12:37:05 -0800 +Subject: geneve: Suppress list corruption splat in geneve_destroy_tunnels(). + +From: Kuniyuki Iwashima + +[ Upstream commit 62fab6eef61f245dc8797e3a6a5b890ef40e8628 ] + +As explained in the previous patch, iterating for_each_netdev() and +gn->geneve_list during ->exit_batch_rtnl() could trigger ->dellink() +twice for the same device. + +If CONFIG_DEBUG_LIST is enabled, we will see a list_del() corruption +splat in the 2nd call of geneve_dellink(). + +Let's remove for_each_netdev() in geneve_destroy_tunnels() and delegate +that part to default_device_exit_batch(). + +Fixes: 9593172d93b9 ("geneve: Fix use-after-free in geneve_find_dev().") +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250217203705.40342-3-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/geneve.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c +index a79cebd7041be..4dfe0dfb84e83 100644 +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -1963,14 +1963,7 @@ static void geneve_destroy_tunnels(struct net *net, struct list_head *head) + { + struct geneve_net *gn = net_generic(net, geneve_net_id); + struct geneve_dev *geneve, *next; +- struct net_device *dev, *aux; + +- /* gather any geneve devices that were moved into this ns */ +- for_each_netdev_safe(net, dev, aux) +- if (dev->rtnl_link_ops == &geneve_link_ops) +- geneve_dellink(dev, head); +- +- /* now gather any other geneve devices that were created in this ns */ + list_for_each_entry_safe(geneve, next, &gn->geneve_list, next) + geneve_dellink(geneve->dev, head); + } +-- +2.39.5 + diff --git a/queue-5.10/gtp-suppress-list-corruption-splat-in-gtp_net_exit_b.patch b/queue-5.10/gtp-suppress-list-corruption-splat-in-gtp_net_exit_b.patch new file mode 100644 index 0000000000..0bf870345d --- /dev/null +++ b/queue-5.10/gtp-suppress-list-corruption-splat-in-gtp_net_exit_b.patch @@ -0,0 +1,121 @@ +From cc2f0c89c6ad09e61efe0690fc64c047552e7891 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 12:37:04 -0800 +Subject: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). + +From: Kuniyuki Iwashima + +[ Upstream commit 4ccacf86491d33d2486b62d4d44864d7101b299d ] + +Brad Spengler reported the list_del() corruption splat in +gtp_net_exit_batch_rtnl(). [0] + +Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns +dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() +to destroy devices in each netns as done in geneve and ip tunnels. + +However, this could trigger ->dellink() twice for the same device during +->exit_batch_rtnl(). + +Say we have two netns A & B and gtp device B that resides in netns B but +whose UDP socket is in netns A. + + 1. cleanup_net() processes netns A and then B. + + 2. gtp_net_exit_batch_rtnl() finds the device B while iterating + netns A's gn->gtp_dev_list and calls ->dellink(). + + [ device B is not yet unlinked from netns B + as unregister_netdevice_many() has not been called. ] + + 3. gtp_net_exit_batch_rtnl() finds the device B while iterating + netns B's for_each_netdev() and calls ->dellink(). + +gtp_dellink() cleans up the device's hash table, unlinks the dev from +gn->gtp_dev_list, and calls unregister_netdevice_queue(). + +Basically, calling gtp_dellink() multiple times is fine unless +CONFIG_DEBUG_LIST is enabled. + +Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and +delegate the destruction to default_device_exit_batch() as done +in bareudp. + +[0]: +list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04) +kernel BUG at lib/list_debug.c:58! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1 +Tainted: [T]=RANDSTRUCT +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Workqueue: netns cleanup_net +RIP: 0010:[] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 +Code: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60 +RSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283 +RAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054 +RDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000 +RBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32 +R10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4 +R13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08 +RBX: kasan shadow of 0x0 +RCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554 +RDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 +RSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71 +RBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object] +RSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ] +R09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ] +R10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ] +R15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object] +FS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0 +Stack: + 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00 + ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005 + 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d +Call Trace: + + [] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28 + [] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28 + [] list_del include/linux/list.h:262 [inline] fffffe8040b4fc28 + [] gtp_dellink+0x16d/0x360 drivers/net/gtp.c:1557 fffffe8040b4fc28 + [] gtp_net_exit_batch_rtnl+0x124/0x2c0 drivers/net/gtp.c:2495 fffffe8040b4fc88 + [] cleanup_net+0x5a4/0xbe0 net/core/net_namespace.c:635 fffffe8040b4fcd0 + [] process_one_work+0xbd7/0x2160 kernel/workqueue.c:3326 fffffe8040b4fd88 + [] process_scheduled_works kernel/workqueue.c:3407 [inline] fffffe8040b4fec0 + [] worker_thread+0x6b5/0xfa0 kernel/workqueue.c:3488 fffffe8040b4fec0 + [] kthread+0x360/0x4c0 kernel/kthread.c:397 fffffe8040b4ff78 + [] ret_from_fork+0x74/0xe0 arch/x86/kernel/process.c:172 fffffe8040b4ffb8 + [] ret_from_fork_asm+0x29/0xc0 arch/x86/entry/entry_64.S:399 fffffe8040b4ffe8 + +Modules linked in: + +Fixes: eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") +Reported-by: Brad Spengler +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250217203705.40342-2-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index dda9b4503e9ce..155ae9b1e4d9a 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -1398,11 +1398,6 @@ static void __net_exit gtp_net_exit_batch_rtnl(struct list_head *net_list, + list_for_each_entry(net, net_list, exit_list) { + struct gtp_net *gn = net_generic(net, gtp_net_id); + struct gtp_dev *gtp, *gtp_next; +- struct net_device *dev; +- +- for_each_netdev(net, dev) +- if (dev->rtnl_link_ops == >p_link_ops) +- gtp_dellink(dev, dev_to_kill); + + list_for_each_entry_safe(gtp, gtp_next, &gn->gtp_dev_list, list) + gtp_dellink(gtp->dev, dev_to_kill); +-- +2.39.5 + diff --git a/queue-5.10/memcg-fix-soft-lockup-in-the-oom-process.patch b/queue-5.10/memcg-fix-soft-lockup-in-the-oom-process.patch new file mode 100644 index 0000000000..76200209ad --- /dev/null +++ b/queue-5.10/memcg-fix-soft-lockup-in-the-oom-process.patch @@ -0,0 +1,128 @@ +From 7f44820a4bbf228dfc7d6b2674a827857403b1d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Dec 2024 02:52:38 +0000 +Subject: memcg: fix soft lockup in the OOM process +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ridong + +[ Upstream commit ade81479c7dda1ce3eedb215c78bc615bbd04f06 ] + +A soft lockup issue was found in the product with about 56,000 tasks were +in the OOM cgroup, it was traversing them when the soft lockup was +triggered. + +watchdog: BUG: soft lockup - CPU#2 stuck for 23s! [VM Thread:1503066] +CPU: 2 PID: 1503066 Comm: VM Thread Kdump: loaded Tainted: G +Hardware name: Huawei Cloud OpenStack Nova, BIOS +RIP: 0010:console_unlock+0x343/0x540 +RSP: 0000:ffffb751447db9a0 EFLAGS: 00000247 ORIG_RAX: ffffffffffffff13 +RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffffffff +RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000247 +RBP: ffffffffafc71f90 R08: 0000000000000000 R09: 0000000000000040 +R10: 0000000000000080 R11: 0000000000000000 R12: ffffffffafc74bd0 +R13: ffffffffaf60a220 R14: 0000000000000247 R15: 0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f2fe6ad91f0 CR3: 00000004b2076003 CR4: 0000000000360ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + vprintk_emit+0x193/0x280 + printk+0x52/0x6e + dump_task+0x114/0x130 + mem_cgroup_scan_tasks+0x76/0x100 + dump_header+0x1fe/0x210 + oom_kill_process+0xd1/0x100 + out_of_memory+0x125/0x570 + mem_cgroup_out_of_memory+0xb5/0xd0 + try_charge+0x720/0x770 + mem_cgroup_try_charge+0x86/0x180 + mem_cgroup_try_charge_delay+0x1c/0x40 + do_anonymous_page+0xb5/0x390 + handle_mm_fault+0xc4/0x1f0 + +This is because thousands of processes are in the OOM cgroup, it takes a +long time to traverse all of them. As a result, this lead to soft lockup +in the OOM process. + +To fix this issue, call 'cond_resched' in the 'mem_cgroup_scan_tasks' +function per 1000 iterations. For global OOM, call +'touch_softlockup_watchdog' per 1000 iterations to avoid this issue. + +Link: https://lkml.kernel.org/r/20241224025238.3768787-1-chenridong@huaweicloud.com +Fixes: 9cbb78bb3143 ("mm, memcg: introduce own oom handler to iterate only over its own threads") +Signed-off-by: Chen Ridong +Acked-by: Michal Hocko +Cc: Roman Gushchin +Cc: Johannes Weiner +Cc: Shakeel Butt +Cc: Muchun Song +Cc: Michal Koutný +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + mm/memcontrol.c | 7 ++++++- + mm/oom_kill.c | 8 +++++++- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 8de7c72ae0258..14f26b3b0204c 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -1312,6 +1312,7 @@ int mem_cgroup_scan_tasks(struct mem_cgroup *memcg, + { + struct mem_cgroup *iter; + int ret = 0; ++ int i = 0; + + BUG_ON(memcg == root_mem_cgroup); + +@@ -1320,8 +1321,12 @@ int mem_cgroup_scan_tasks(struct mem_cgroup *memcg, + struct task_struct *task; + + css_task_iter_start(&iter->css, CSS_TASK_ITER_PROCS, &it); +- while (!ret && (task = css_task_iter_next(&it))) ++ while (!ret && (task = css_task_iter_next(&it))) { ++ /* Avoid potential softlockup warning */ ++ if ((++i & 1023) == 0) ++ cond_resched(); + ret = fn(task, arg); ++ } + css_task_iter_end(&it); + if (ret) { + mem_cgroup_iter_break(memcg, iter); +diff --git a/mm/oom_kill.c b/mm/oom_kill.c +index 32ed968e5c2d4..94ad257eb2067 100644 +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + + #include + #include "internal.h" +@@ -431,10 +432,15 @@ static void dump_tasks(struct oom_control *oc) + mem_cgroup_scan_tasks(oc->memcg, dump_task, oc); + else { + struct task_struct *p; ++ int i = 0; + + rcu_read_lock(); +- for_each_process(p) ++ for_each_process(p) { ++ /* Avoid potential softlockup warning */ ++ if ((++i & 1023) == 0) ++ touch_softlockup_watchdog(); + dump_task(p, oc); ++ } + rcu_read_unlock(); + } + } +-- +2.39.5 + diff --git a/queue-5.10/mm-update-mark_victim-tracepoints-fields.patch b/queue-5.10/mm-update-mark_victim-tracepoints-fields.patch new file mode 100644 index 0000000000..e045f130ea --- /dev/null +++ b/queue-5.10/mm-update-mark_victim-tracepoints-fields.patch @@ -0,0 +1,150 @@ +From 68f8bf63ada200664ab4d51df1cfb159626de092 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 17:32:49 +0000 +Subject: mm: update mark_victim tracepoints fields +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Carlos Galo + +[ Upstream commit 72ba14deb40a9e9668ec5e66a341ed657e5215c2 ] + +The current implementation of the mark_victim tracepoint provides only the +process ID (pid) of the victim process. This limitation poses challenges +for userspace tools requiring real-time OOM analysis and intervention. +Although this information is available from the kernel logs, it’s not +the appropriate format to provide OOM notifications. In Android, BPF +programs are used with the mark_victim trace events to notify userspace of +an OOM kill. For consistency, update the trace event to include the same +information about the OOMed victim as the kernel logs. + +- UID + In Android each installed application has a unique UID. Including + the `uid` assists in correlating OOM events with specific apps. + +- Process Name (comm) + Enables identification of the affected process. + +- OOM Score + Will allow userspace to get additional insight of the relative kill + priority of the OOM victim. In Android, the oom_score_adj is used to + categorize app state (foreground, background, etc.), which aids in + analyzing user-perceptible impacts of OOM events [1]. + +- Total VM, RSS Stats, and pgtables + Amount of memory used by the victim that will, potentially, be freed up + by killing it. + +[1] https://cs.android.com/android/platform/superproject/main/+/246dc8fc95b6d93afcba5c6d6c133307abb3ac2e:frameworks/base/services/core/java/com/android/server/am/ProcessList.java;l=188-283 +Signed-off-by: Carlos Galo +Reviewed-by: Steven Rostedt +Cc: Suren Baghdasaryan +Cc: Michal Hocko +Cc: "Masami Hiramatsu (Google)" +Cc: Mathieu Desnoyers +Signed-off-by: Andrew Morton +Stable-dep-of: ade81479c7dd ("memcg: fix soft lockup in the OOM process") +Signed-off-by: Sasha Levin +--- + include/trace/events/oom.h | 36 ++++++++++++++++++++++++++++++++---- + mm/oom_kill.c | 6 +++++- + 2 files changed, 37 insertions(+), 5 deletions(-) + +diff --git a/include/trace/events/oom.h b/include/trace/events/oom.h +index 26a11e4a2c361..b799f3bcba823 100644 +--- a/include/trace/events/oom.h ++++ b/include/trace/events/oom.h +@@ -7,6 +7,8 @@ + #include + #include + ++#define PG_COUNT_TO_KB(x) ((x) << (PAGE_SHIFT - 10)) ++ + TRACE_EVENT(oom_score_adj_update, + + TP_PROTO(struct task_struct *task), +@@ -72,19 +74,45 @@ TRACE_EVENT(reclaim_retry_zone, + ); + + TRACE_EVENT(mark_victim, +- TP_PROTO(int pid), ++ TP_PROTO(struct task_struct *task, uid_t uid), + +- TP_ARGS(pid), ++ TP_ARGS(task, uid), + + TP_STRUCT__entry( + __field(int, pid) ++ __string(comm, task->comm) ++ __field(unsigned long, total_vm) ++ __field(unsigned long, anon_rss) ++ __field(unsigned long, file_rss) ++ __field(unsigned long, shmem_rss) ++ __field(uid_t, uid) ++ __field(unsigned long, pgtables) ++ __field(short, oom_score_adj) + ), + + TP_fast_assign( +- __entry->pid = pid; ++ __entry->pid = task->pid; ++ __assign_str(comm, task->comm); ++ __entry->total_vm = PG_COUNT_TO_KB(task->mm->total_vm); ++ __entry->anon_rss = PG_COUNT_TO_KB(get_mm_counter(task->mm, MM_ANONPAGES)); ++ __entry->file_rss = PG_COUNT_TO_KB(get_mm_counter(task->mm, MM_FILEPAGES)); ++ __entry->shmem_rss = PG_COUNT_TO_KB(get_mm_counter(task->mm, MM_SHMEMPAGES)); ++ __entry->uid = uid; ++ __entry->pgtables = mm_pgtables_bytes(task->mm) >> 10; ++ __entry->oom_score_adj = task->signal->oom_score_adj; + ), + +- TP_printk("pid=%d", __entry->pid) ++ TP_printk("pid=%d comm=%s total-vm=%lukB anon-rss=%lukB file-rss:%lukB shmem-rss:%lukB uid=%u pgtables=%lukB oom_score_adj=%hd", ++ __entry->pid, ++ __get_str(comm), ++ __entry->total_vm, ++ __entry->anon_rss, ++ __entry->file_rss, ++ __entry->shmem_rss, ++ __entry->uid, ++ __entry->pgtables, ++ __entry->oom_score_adj ++ ) + ); + + TRACE_EVENT(wake_reaper, +diff --git a/mm/oom_kill.c b/mm/oom_kill.c +index 3d7c557fb70c9..32ed968e5c2d4 100644 +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + + #include + #include "internal.h" +@@ -723,6 +724,7 @@ static inline void queue_oom_reaper(struct task_struct *tsk) + */ + static void mark_oom_victim(struct task_struct *tsk) + { ++ const struct cred *cred; + struct mm_struct *mm = tsk->mm; + + WARN_ON(oom_killer_disabled); +@@ -744,7 +746,9 @@ static void mark_oom_victim(struct task_struct *tsk) + */ + __thaw_task(tsk); + atomic_inc(&oom_victims); +- trace_mark_victim(tsk->pid); ++ cred = get_task_cred(tsk); ++ trace_mark_victim(tsk, cred->uid.val); ++ put_cred(cred); + } + + /** +-- +2.39.5 + diff --git a/queue-5.10/net-extract-port-range-fields-from-fl_flow_key.patch b/queue-5.10/net-extract-port-range-fields-from-fl_flow_key.patch new file mode 100644 index 0000000000..3bba9b9f2f --- /dev/null +++ b/queue-5.10/net-extract-port-range-fields-from-fl_flow_key.patch @@ -0,0 +1,115 @@ +From 22b6126958afe4bf0ea9062f9e324e4d93da0c40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 18:09:07 +0300 +Subject: net: extract port range fields from fl_flow_key + +From: Maksym Glubokiy + +[ Upstream commit 83d85bb069152b790caad905fa53e6d50cd3734d ] + +So it can be used for port range filter offloading. + +Co-developed-by: Volodymyr Mytnyk +Signed-off-by: Volodymyr Mytnyk +Signed-off-by: Maksym Glubokiy +Signed-off-by: David S. Miller +Stable-dep-of: 3e5796862c69 ("flow_dissector: Fix handling of mixed port and port-range keys") +Signed-off-by: Sasha Levin +--- + include/net/flow_dissector.h | 16 ++++++++++++++++ + include/net/flow_offload.h | 6 ++++++ + net/core/flow_offload.c | 7 +++++++ + net/sched/cls_flower.c | 8 +------- + 4 files changed, 30 insertions(+), 7 deletions(-) + +diff --git a/include/net/flow_dissector.h b/include/net/flow_dissector.h +index 5eecf44369659..4036063d047c2 100644 +--- a/include/net/flow_dissector.h ++++ b/include/net/flow_dissector.h +@@ -178,6 +178,22 @@ struct flow_dissector_key_ports { + }; + }; + ++/** ++ * struct flow_dissector_key_ports_range ++ * @tp: port number from packet ++ * @tp_min: min port number in range ++ * @tp_max: max port number in range ++ */ ++struct flow_dissector_key_ports_range { ++ union { ++ struct flow_dissector_key_ports tp; ++ struct { ++ struct flow_dissector_key_ports tp_min; ++ struct flow_dissector_key_ports tp_max; ++ }; ++ }; ++}; ++ + /** + * flow_dissector_key_icmp: + * type: ICMP type +diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h +index 9a58274e62173..1ecb19a7ab071 100644 +--- a/include/net/flow_offload.h ++++ b/include/net/flow_offload.h +@@ -48,6 +48,10 @@ struct flow_match_ports { + struct flow_dissector_key_ports *key, *mask; + }; + ++struct flow_match_ports_range { ++ struct flow_dissector_key_ports_range *key, *mask; ++}; ++ + struct flow_match_icmp { + struct flow_dissector_key_icmp *key, *mask; + }; +@@ -94,6 +98,8 @@ void flow_rule_match_ip(const struct flow_rule *rule, + struct flow_match_ip *out); + void flow_rule_match_ports(const struct flow_rule *rule, + struct flow_match_ports *out); ++void flow_rule_match_ports_range(const struct flow_rule *rule, ++ struct flow_match_ports_range *out); + void flow_rule_match_tcp(const struct flow_rule *rule, + struct flow_match_tcp *out); + void flow_rule_match_icmp(const struct flow_rule *rule, +diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c +index 8d958290b7d22..1e618398b9e81 100644 +--- a/net/core/flow_offload.c ++++ b/net/core/flow_offload.c +@@ -104,6 +104,13 @@ void flow_rule_match_ports(const struct flow_rule *rule, + } + EXPORT_SYMBOL(flow_rule_match_ports); + ++void flow_rule_match_ports_range(const struct flow_rule *rule, ++ struct flow_match_ports_range *out) ++{ ++ FLOW_DISSECTOR_MATCH(rule, FLOW_DISSECTOR_KEY_PORTS_RANGE, out); ++} ++EXPORT_SYMBOL(flow_rule_match_ports_range); ++ + void flow_rule_match_tcp(const struct flow_rule *rule, + struct flow_match_tcp *out) + { +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index 10d3dde238c6c..98f333aa0aac9 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -61,13 +61,7 @@ struct fl_flow_key { + struct flow_dissector_key_ip ip; + struct flow_dissector_key_ip enc_ip; + struct flow_dissector_key_enc_opts enc_opts; +- union { +- struct flow_dissector_key_ports tp; +- struct { +- struct flow_dissector_key_ports tp_min; +- struct flow_dissector_key_ports tp_max; +- }; +- } tp_range; ++ struct flow_dissector_key_ports_range tp_range; + struct flow_dissector_key_ct ct; + struct flow_dissector_key_hash hash; + } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */ +-- +2.39.5 + diff --git a/queue-5.10/powerpc-64s-mm-move-__real_pte-stubs-into-hash-4k.h.patch b/queue-5.10/powerpc-64s-mm-move-__real_pte-stubs-into-hash-4k.h.patch new file mode 100644 index 0000000000..e58e923520 --- /dev/null +++ b/queue-5.10/powerpc-64s-mm-move-__real_pte-stubs-into-hash-4k.h.patch @@ -0,0 +1,92 @@ +From d6b68a59715e366d21999212f630947cd5f62624 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 18:07:29 +1000 +Subject: powerpc/64s/mm: Move __real_pte stubs into hash-4k.h + +From: Michael Ellerman + +[ Upstream commit 8ae4f16f7d7b59cca55aeca6db7c9636ffe7fbaa ] + +The stub versions of __real_pte() etc are only used with HPT & 4K pages, +so move them into the hash-4k.h header. + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240821080729.872034-1-mpe@ellerman.id.au +Stable-dep-of: 61bcc752d1b8 ("powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline") +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/book3s/64/hash-4k.h | 20 +++++++++++++++ + arch/powerpc/include/asm/book3s/64/pgtable.h | 26 -------------------- + 2 files changed, 20 insertions(+), 26 deletions(-) + +diff --git a/arch/powerpc/include/asm/book3s/64/hash-4k.h b/arch/powerpc/include/asm/book3s/64/hash-4k.h +index b6ac4f86c87b4..5a79dd66b2ed0 100644 +--- a/arch/powerpc/include/asm/book3s/64/hash-4k.h ++++ b/arch/powerpc/include/asm/book3s/64/hash-4k.h +@@ -89,6 +89,26 @@ static inline int hash__hugepd_ok(hugepd_t hpd) + } + #endif + ++/* ++ * With 4K page size the real_pte machinery is all nops. ++ */ ++#define __real_pte(e, p, o) ((real_pte_t){(e)}) ++#define __rpte_to_pte(r) ((r).pte) ++#define __rpte_to_hidx(r,index) (pte_val(__rpte_to_pte(r)) >> H_PAGE_F_GIX_SHIFT) ++ ++#define pte_iterate_hashed_subpages(rpte, psize, va, index, shift) \ ++ do { \ ++ index = 0; \ ++ shift = mmu_psize_defs[psize].shift; \ ++ ++#define pte_iterate_hashed_end() } while(0) ++ ++/* ++ * We expect this to be called only for user addresses or kernel virtual ++ * addresses other than the linear mapping. ++ */ ++#define pte_pagesize_index(mm, addr, pte) MMU_PAGE_4K ++ + /* + * 4K PTE format is different from 64K PTE format. Saving the hash_slot is just + * a matter of returning the PTE bits that need to be modified. On 64K PTE, +diff --git a/arch/powerpc/include/asm/book3s/64/pgtable.h b/arch/powerpc/include/asm/book3s/64/pgtable.h +index 2b4af824bdc55..91ef9d47029b1 100644 +--- a/arch/powerpc/include/asm/book3s/64/pgtable.h ++++ b/arch/powerpc/include/asm/book3s/64/pgtable.h +@@ -332,32 +332,6 @@ extern unsigned long pci_io_base; + + #ifndef __ASSEMBLY__ + +-/* +- * This is the default implementation of various PTE accessors, it's +- * used in all cases except Book3S with 64K pages where we have a +- * concept of sub-pages +- */ +-#ifndef __real_pte +- +-#define __real_pte(e, p, o) ((real_pte_t){(e)}) +-#define __rpte_to_pte(r) ((r).pte) +-#define __rpte_to_hidx(r,index) (pte_val(__rpte_to_pte(r)) >> H_PAGE_F_GIX_SHIFT) +- +-#define pte_iterate_hashed_subpages(rpte, psize, va, index, shift) \ +- do { \ +- index = 0; \ +- shift = mmu_psize_defs[psize].shift; \ +- +-#define pte_iterate_hashed_end() } while(0) +- +-/* +- * We expect this to be called only for user addresses or kernel virtual +- * addresses other than the linear mapping. +- */ +-#define pte_pagesize_index(mm, addr, pte) MMU_PAGE_4K +- +-#endif /* __real_pte */ +- + static inline unsigned long pte_update(struct mm_struct *mm, unsigned long addr, + pte_t *ptep, unsigned long clr, + unsigned long set, int huge) +-- +2.39.5 + diff --git a/queue-5.10/powerpc-64s-rewrite-__real_pte-and-__rpte_to_hidx-as.patch b/queue-5.10/powerpc-64s-rewrite-__real_pte-and-__rpte_to_hidx-as.patch new file mode 100644 index 0000000000..5185fe8c62 --- /dev/null +++ b/queue-5.10/powerpc-64s-rewrite-__real_pte-and-__rpte_to_hidx-as.patch @@ -0,0 +1,64 @@ +From 1ed2581869d593f15d41c72ce6720fb0d43ecc39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jan 2025 19:24:46 +0100 +Subject: powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static + inline + +From: Christophe Leroy + +[ Upstream commit 61bcc752d1b81fde3cae454ff20c1d3c359df500 ] + +Rewrite __real_pte() and __rpte_to_hidx() as static inline in order to +avoid following warnings/errors when building with 4k page size: + + CC arch/powerpc/mm/book3s64/hash_tlb.o + arch/powerpc/mm/book3s64/hash_tlb.c: In function 'hpte_need_flush': + arch/powerpc/mm/book3s64/hash_tlb.c:49:16: error: variable 'offset' set but not used [-Werror=unused-but-set-variable] + 49 | int i, offset; + | ^~~~~~ + + CC arch/powerpc/mm/book3s64/hash_native.o + arch/powerpc/mm/book3s64/hash_native.c: In function 'native_flush_hash_range': + arch/powerpc/mm/book3s64/hash_native.c:782:29: error: variable 'index' set but not used [-Werror=unused-but-set-variable] + 782 | unsigned long hash, index, hidx, shift, slot; + | ^~~~~ + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202501081741.AYFwybsq-lkp@intel.com/ +Fixes: ff31e105464d ("powerpc/mm/hash64: Store the slot information at the right offset for hugetlb") +Signed-off-by: Christophe Leroy +Reviewed-by: Ritesh Harjani (IBM) +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/e0d340a5b7bd478ecbf245d826e6ab2778b74e06.1736706263.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/book3s/64/hash-4k.h | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/include/asm/book3s/64/hash-4k.h b/arch/powerpc/include/asm/book3s/64/hash-4k.h +index 5a79dd66b2ed0..433d164374cb6 100644 +--- a/arch/powerpc/include/asm/book3s/64/hash-4k.h ++++ b/arch/powerpc/include/asm/book3s/64/hash-4k.h +@@ -92,9 +92,17 @@ static inline int hash__hugepd_ok(hugepd_t hpd) + /* + * With 4K page size the real_pte machinery is all nops. + */ +-#define __real_pte(e, p, o) ((real_pte_t){(e)}) ++static inline real_pte_t __real_pte(pte_t pte, pte_t *ptep, int offset) ++{ ++ return (real_pte_t){pte}; ++} ++ + #define __rpte_to_pte(r) ((r).pte) +-#define __rpte_to_hidx(r,index) (pte_val(__rpte_to_pte(r)) >> H_PAGE_F_GIX_SHIFT) ++ ++static inline unsigned long __rpte_to_hidx(real_pte_t rpte, unsigned long index) ++{ ++ return pte_val(__rpte_to_pte(rpte)) >> H_PAGE_F_GIX_SHIFT; ++} + + #define pte_iterate_hashed_subpages(rpte, psize, va, index, shift) \ + do { \ +-- +2.39.5 + diff --git a/queue-5.10/powerpc-code-patching-fix-kasan-hit-by-not-flagging-.patch b/queue-5.10/powerpc-code-patching-fix-kasan-hit-by-not-flagging-.patch new file mode 100644 index 0000000000..505ed9b80d --- /dev/null +++ b/queue-5.10/powerpc-code-patching-fix-kasan-hit-by-not-flagging-.patch @@ -0,0 +1,112 @@ +From c501771ae3d7002a0471bd3ab25d341f0a40d3fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 07:46:28 +0100 +Subject: powerpc/code-patching: Fix KASAN hit by not flagging text patching + area as VM_ALLOC + +From: Christophe Leroy + +[ Upstream commit d262a192d38e527faa5984629aabda2e0d1c4f54 ] + +Erhard reported the following KASAN hit while booting his PowerMac G4 +with a KASAN-enabled kernel 6.13-rc6: + + BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 + Write of size 8 at addr f1000000 by task chronyd/1293 + + CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 + Tainted: [W]=WARN + Hardware name: PowerMac3,6 7455 0x80010303 PowerMac + Call Trace: + [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable) + [c24375b0] [c0504998] print_report+0xdc/0x504 + [c2437610] [c050475c] kasan_report+0xf8/0x108 + [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c + [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8 + [c24376c0] [c004c014] patch_instructions+0x15c/0x16c + [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c + [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac + [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec + [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478 + [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14 + [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4 + [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890 + [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420 + [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c + --- interrupt: c00 at 0x5a1274 + NIP: 005a1274 LR: 006a3b3c CTR: 005296c8 + REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4) + MSR: 0200f932 CR: 24004422 XER: 00000000 + + GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932 + GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57 + GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002 + GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001 + NIP [005a1274] 0x5a1274 + LR [006a3b3c] 0x6a3b3c + --- interrupt: c00 + + The buggy address belongs to the virtual mapping at + [f1000000, f1002000) created by: + text_area_cpu_up+0x20/0x190 + + The buggy address belongs to the physical page: + page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30 + flags: 0x80000000(zone=2) + raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001 + raw: 00000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ^ + f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ================================================================== + +f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not +initialised hence not supposed to be used yet. + +Powerpc text patching infrastructure allocates a virtual memory area +using get_vm_area() and flags it as VM_ALLOC. But that flag is meant +to be used for vmalloc() and vmalloc() allocated memory is not +supposed to be used before a call to __vmalloc_node_range() which is +never called for that area. + +That went undetected until commit e4137f08816b ("mm, kasan, kmsan: +instrument copy_from/to_kernel_nofault") + +The area allocated by text_area_cpu_up() is not vmalloc memory, it is +mapped directly on demand when needed by map_kernel_page(). There is +no VM flag corresponding to such usage, so just pass no flag. That way +the area will be unpoisonned and usable immediately. + +Reported-by: Erhard Furtner +Closes: https://lore.kernel.org/all/20250112135832.57c92322@yea/ +Fixes: 37bc3e5fd764 ("powerpc/lib/code-patching: Use alternate map for patch_instruction()") +Signed-off-by: Christophe Leroy +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/06621423da339b374f48c0886e3a5db18e896be8.1739342693.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/lib/code-patching.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/lib/code-patching.c b/arch/powerpc/lib/code-patching.c +index a2e4f864b63d2..0af30b0977833 100644 +--- a/arch/powerpc/lib/code-patching.c ++++ b/arch/powerpc/lib/code-patching.c +@@ -47,7 +47,7 @@ static int text_area_cpu_up(unsigned int cpu) + { + struct vm_struct *area; + +- area = get_vm_area(PAGE_SIZE, VM_ALLOC); ++ area = get_vm_area(PAGE_SIZE, 0); + if (!area) { + WARN_ONCE(1, "Failed to create text area for cpu %d\n", + cpu); +-- +2.39.5 + diff --git a/queue-5.10/series b/queue-5.10/series index 2900a11f89..62e2194d31 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -324,3 +324,31 @@ vlan-introduce-vlan_dev_free_egress_priority.patch vlan-move-dev_put-into-vlan_dev_uninit.patch nvme-pci-fix-multiple-races-in-nvme_setup_io_queues.patch arm64-mte-do-not-allow-prot_mte-on-map_hugetlb-user-mappings.patch +crypto-testmgr-fix-wrong-key-length-for-pkcs1pad.patch +crypto-testmgr-fix-wrong-test-case-of-rsa.patch +crypto-testmgr-fix-version-number-of-rsa-tests.patch +crypto-testmgr-populate-rsa-crt-parameters-in-rsa-te.patch +crypto-testmgr-some-more-fixes-to-rsa-test-vectors.patch +mm-update-mark_victim-tracepoints-fields.patch +memcg-fix-soft-lockup-in-the-oom-process.patch +drm-probe-helper-create-a-hpd-irq-event-helper-for-a.patch +drm-rockchip-cdn-dp-use-drm_connector_helper_hpd_irq.patch +tpm-use-managed-allocation-for-bios-event-log.patch +tpm-change-to-kvalloc-in-eventlog-acpi.c.patch +batman-adv-add-new-include-for-min-max-helpers.patch +batman-adv-drop-initialization-of-flexible-ethtool_l.patch +batman-adv-drop-unmanaged-elp-metric-worker.patch +usb-dwc3-increase-dwc3-controller-halt-timeout.patch +usb-dwc3-fix-timeout-issue-during-controller-enter-e.patch +usb-gadget-f_midi-replace-tasklet-with-work.patch +usb-gadget-f_midi-f_midi_complete-to-call-queue_work.patch +powerpc-64s-mm-move-__real_pte-stubs-into-hash-4k.h.patch +powerpc-64s-rewrite-__real_pte-and-__rpte_to_hidx-as.patch +alsa-hda-realtek-fixup-alc225-depop-procedure.patch +powerpc-code-patching-fix-kasan-hit-by-not-flagging-.patch +geneve-fix-use-after-free-in-geneve_find_dev.patch +gtp-suppress-list-corruption-splat-in-gtp_net_exit_b.patch +geneve-suppress-list-corruption-splat-in-geneve_dest.patch +net-extract-port-range-fields-from-fl_flow_key.patch +flow_dissector-fix-handling-of-mixed-port-and-port-r.patch +flow_dissector-fix-port-range-key-handling-in-bpf-co.patch diff --git a/queue-5.10/tpm-change-to-kvalloc-in-eventlog-acpi.c.patch b/queue-5.10/tpm-change-to-kvalloc-in-eventlog-acpi.c.patch new file mode 100644 index 0000000000..818c8ec6fa --- /dev/null +++ b/queue-5.10/tpm-change-to-kvalloc-in-eventlog-acpi.c.patch @@ -0,0 +1,89 @@ +From bc3ed3ebfa858368bea3b8fc5bc3333160ea3779 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Dec 2024 17:39:09 +0200 +Subject: tpm: Change to kvalloc() in eventlog/acpi.c + +From: Jarkko Sakkinen + +[ Upstream commit a3a860bc0fd6c07332e4911cf9a238d20de90173 ] + +The following failure was reported on HPE ProLiant D320: + +[ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0) +[ 10.848132][ T1] ------------[ cut here ]------------ +[ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330 +[ 10.862827][ T1] Modules linked in: +[ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375 +[ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024 +[ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330 +[ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1 +[ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246 +[ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000 +[ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0 + +The above transcript shows that ACPI pointed a 16 MiB buffer for the log +events because RSI maps to the 'order' parameter of __alloc_pages_noprof(). +Address the bug by moving from devm_kmalloc() to devm_add_action() and +kvmalloc() and devm_add_action(). + +Suggested-by: Ard Biesheuvel +Cc: stable@vger.kernel.org # v2.6.16+ +Fixes: 55a82ab3181b ("[PATCH] tpm: add bios measurement log") +Reported-by: Andy Liang +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219495 +Reviewed-by: Ard Biesheuvel +Reviewed-by: Stefan Berger +Reviewed-by: Takashi Iwai +Tested-by: Andy Liang +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/eventlog/acpi.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c +index bd757d836c5cf..1a5644051d310 100644 +--- a/drivers/char/tpm/eventlog/acpi.c ++++ b/drivers/char/tpm/eventlog/acpi.c +@@ -63,6 +63,11 @@ static bool tpm_is_tpm2_log(void *bios_event_log, u64 len) + return n == 0; + } + ++static void tpm_bios_log_free(void *data) ++{ ++ kvfree(data); ++} ++ + /* read binary bios log */ + int tpm_read_log_acpi(struct tpm_chip *chip) + { +@@ -136,7 +141,7 @@ int tpm_read_log_acpi(struct tpm_chip *chip) + } + + /* malloc EventLog space */ +- log->bios_event_log = devm_kmalloc(&chip->dev, len, GFP_KERNEL); ++ log->bios_event_log = kvmalloc(len, GFP_KERNEL); + if (!log->bios_event_log) + return -ENOMEM; + +@@ -162,10 +167,16 @@ int tpm_read_log_acpi(struct tpm_chip *chip) + goto err; + } + ++ ret = devm_add_action(&chip->dev, tpm_bios_log_free, log->bios_event_log); ++ if (ret) { ++ log->bios_event_log = NULL; ++ goto err; ++ } ++ + return format; + + err: +- devm_kfree(&chip->dev, log->bios_event_log); ++ tpm_bios_log_free(log->bios_event_log); + log->bios_event_log = NULL; + return ret; + } +-- +2.39.5 + diff --git a/queue-5.10/tpm-use-managed-allocation-for-bios-event-log.patch b/queue-5.10/tpm-use-managed-allocation-for-bios-event-log.patch new file mode 100644 index 0000000000..cd781b98ab --- /dev/null +++ b/queue-5.10/tpm-use-managed-allocation-for-bios-event-log.patch @@ -0,0 +1,138 @@ +From 03d58168faac58cca44aecb1f70f1fc33cc5a94b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 15:08:09 -0600 +Subject: tpm: Use managed allocation for bios event log + +From: Eddie James + +[ Upstream commit 441b7152729f4a2bdb100135a58625fa0aeb69e4 ] + +Since the bios event log is freed in the device release function, +let devres handle the deallocation. This will allow other memory +allocation/mapping functions to be used for the bios event log. + +Signed-off-by: Eddie James +Tested-by: Jarkko Sakkinen +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Stable-dep-of: a3a860bc0fd6 ("tpm: Change to kvalloc() in eventlog/acpi.c") +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/eventlog/acpi.c | 5 +++-- + drivers/char/tpm/eventlog/efi.c | 13 +++++++------ + drivers/char/tpm/eventlog/of.c | 3 ++- + drivers/char/tpm/tpm-chip.c | 1 - + 4 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c +index cd266021d0103..bd757d836c5cf 100644 +--- a/drivers/char/tpm/eventlog/acpi.c ++++ b/drivers/char/tpm/eventlog/acpi.c +@@ -14,6 +14,7 @@ + * Access to the event log extended by the TCG BIOS of PC platform + */ + ++#include + #include + #include + #include +@@ -135,7 +136,7 @@ int tpm_read_log_acpi(struct tpm_chip *chip) + } + + /* malloc EventLog space */ +- log->bios_event_log = kmalloc(len, GFP_KERNEL); ++ log->bios_event_log = devm_kmalloc(&chip->dev, len, GFP_KERNEL); + if (!log->bios_event_log) + return -ENOMEM; + +@@ -164,7 +165,7 @@ int tpm_read_log_acpi(struct tpm_chip *chip) + return format; + + err: +- kfree(log->bios_event_log); ++ devm_kfree(&chip->dev, log->bios_event_log); + log->bios_event_log = NULL; + return ret; + } +diff --git a/drivers/char/tpm/eventlog/efi.c b/drivers/char/tpm/eventlog/efi.c +index e6cb9d525e30c..4e9d7c2bf32ee 100644 +--- a/drivers/char/tpm/eventlog/efi.c ++++ b/drivers/char/tpm/eventlog/efi.c +@@ -6,6 +6,7 @@ + * Thiebaud Weksteen + */ + ++#include + #include + #include + +@@ -55,7 +56,7 @@ int tpm_read_log_efi(struct tpm_chip *chip) + } + + /* malloc EventLog space */ +- log->bios_event_log = kmemdup(log_tbl->log, log_size, GFP_KERNEL); ++ log->bios_event_log = devm_kmemdup(&chip->dev, log_tbl->log, log_size, GFP_KERNEL); + if (!log->bios_event_log) { + ret = -ENOMEM; + goto out; +@@ -76,7 +77,7 @@ int tpm_read_log_efi(struct tpm_chip *chip) + MEMREMAP_WB); + if (!final_tbl) { + pr_err("Could not map UEFI TPM final log\n"); +- kfree(log->bios_event_log); ++ devm_kfree(&chip->dev, log->bios_event_log); + ret = -ENOMEM; + goto out; + } +@@ -91,11 +92,11 @@ int tpm_read_log_efi(struct tpm_chip *chip) + * Allocate memory for the 'combined log' where we will append the + * 'final events log' to. + */ +- tmp = krealloc(log->bios_event_log, +- log_size + final_events_log_size, +- GFP_KERNEL); ++ tmp = devm_krealloc(&chip->dev, log->bios_event_log, ++ log_size + final_events_log_size, ++ GFP_KERNEL); + if (!tmp) { +- kfree(log->bios_event_log); ++ devm_kfree(&chip->dev, log->bios_event_log); + ret = -ENOMEM; + goto out; + } +diff --git a/drivers/char/tpm/eventlog/of.c b/drivers/char/tpm/eventlog/of.c +index a9ce66d09a754..741ab2204b11a 100644 +--- a/drivers/char/tpm/eventlog/of.c ++++ b/drivers/char/tpm/eventlog/of.c +@@ -10,6 +10,7 @@ + * Read the event log created by the firmware on PPC64 + */ + ++#include + #include + #include + #include +@@ -65,7 +66,7 @@ int tpm_read_log_of(struct tpm_chip *chip) + return -EIO; + } + +- log->bios_event_log = kmemdup(__va(base), size, GFP_KERNEL); ++ log->bios_event_log = devm_kmemdup(&chip->dev, __va(base), size, GFP_KERNEL); + if (!log->bios_event_log) + return -ENOMEM; + +diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c +index ed600473ad7e3..1e4f1a5049a55 100644 +--- a/drivers/char/tpm/tpm-chip.c ++++ b/drivers/char/tpm/tpm-chip.c +@@ -267,7 +267,6 @@ static void tpm_dev_release(struct device *dev) + idr_remove(&dev_nums_idr, chip->dev_num); + mutex_unlock(&idr_lock); + +- kfree(chip->log.bios_event_log); + kfree(chip->work_space.context_buf); + kfree(chip->work_space.session_buf); + kfree(chip->allocated_banks); +-- +2.39.5 + diff --git a/queue-5.10/usb-dwc3-fix-timeout-issue-during-controller-enter-e.patch b/queue-5.10/usb-dwc3-fix-timeout-issue-during-controller-enter-e.patch new file mode 100644 index 0000000000..8d323bf33d --- /dev/null +++ b/queue-5.10/usb-dwc3-fix-timeout-issue-during-controller-enter-e.patch @@ -0,0 +1,98 @@ +From b79f1cc0e5d906b47eec5bf986bfe7c5d6a12c5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Feb 2025 22:09:02 +0530 +Subject: usb: dwc3: Fix timeout issue during controller enter/exit from halt + state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Selvarasu Ganesan + +[ Upstream commit d3a8c28426fc1fb3252753a9f1db0d691ffc21b0 ] + +There is a frequent timeout during controller enter/exit from halt state +after toggling the run_stop bit by SW. This timeout occurs when +performing frequent role switches between host and device, causing +device enumeration issues due to the timeout. This issue was not present +when USB2 suspend PHY was disabled by passing the SNPS quirks +(snps,dis_u2_susphy_quirk and snps,dis_enblslpm_quirk) from the DTS. +However, there is a requirement to enable USB2 suspend PHY by setting of +GUSB2PHYCFG.ENBLSLPM and GUSB2PHYCFG.SUSPHY bits when controller starts +in gadget or host mode results in the timeout issue. + +This commit addresses this timeout issue by ensuring that the bits +GUSB2PHYCFG.ENBLSLPM and GUSB2PHYCFG.SUSPHY are cleared before starting +the dwc3_gadget_run_stop sequence and restoring them after the +dwc3_gadget_run_stop sequence is completed. + +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: stable +Signed-off-by: Selvarasu Ganesan +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250201163903.459-1-selvarasu.g@samsung.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index a13d1e2c5bde0..97e6c6fb49dff 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2105,10 +2105,38 @@ static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend) + { + u32 reg; + u32 timeout = 2000; ++ u32 saved_config = 0; + + if (pm_runtime_suspended(dwc->dev)) + return 0; + ++ /* ++ * When operating in USB 2.0 speeds (HS/FS), ensure that ++ * GUSB2PHYCFG.ENBLSLPM and GUSB2PHYCFG.SUSPHY are cleared before starting ++ * or stopping the controller. This resolves timeout issues that occur ++ * during frequent role switches between host and device modes. ++ * ++ * Save and clear these settings, then restore them after completing the ++ * controller start or stop sequence. ++ * ++ * This solution was discovered through experimentation as it is not ++ * mentioned in the dwc3 programming guide. It has been tested on an ++ * Exynos platforms. ++ */ ++ reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)); ++ if (reg & DWC3_GUSB2PHYCFG_SUSPHY) { ++ saved_config |= DWC3_GUSB2PHYCFG_SUSPHY; ++ reg &= ~DWC3_GUSB2PHYCFG_SUSPHY; ++ } ++ ++ if (reg & DWC3_GUSB2PHYCFG_ENBLSLPM) { ++ saved_config |= DWC3_GUSB2PHYCFG_ENBLSLPM; ++ reg &= ~DWC3_GUSB2PHYCFG_ENBLSLPM; ++ } ++ ++ if (saved_config) ++ dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); ++ + reg = dwc3_readl(dwc->regs, DWC3_DCTL); + if (is_on) { + if (DWC3_VER_IS_WITHIN(DWC3, ANY, 187A)) { +@@ -2141,6 +2169,12 @@ static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend) + reg &= DWC3_DSTS_DEVCTRLHLT; + } while (--timeout && !(!is_on ^ !reg)); + ++ if (saved_config) { ++ reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)); ++ reg |= saved_config; ++ dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); ++ } ++ + if (!timeout) + return -ETIMEDOUT; + +-- +2.39.5 + diff --git a/queue-5.10/usb-dwc3-increase-dwc3-controller-halt-timeout.patch b/queue-5.10/usb-dwc3-increase-dwc3-controller-halt-timeout.patch new file mode 100644 index 0000000000..6e7e1eccc0 --- /dev/null +++ b/queue-5.10/usb-dwc3-increase-dwc3-controller-halt-timeout.patch @@ -0,0 +1,47 @@ +From 312d9a4252d77956d80c4f0406d614b9d6f217e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 12:36:23 -0700 +Subject: usb: dwc3: Increase DWC3 controller halt timeout + +From: Wesley Cheng + +[ Upstream commit 461ee467507cb98a348fa91ff8460908bb0ea423 ] + +Since EP0 transactions need to be completed before the controller halt +sequence is finished, this may take some time depending on the host and the +enabled functions. Increase the controller halt timeout, so that we give +the controller sufficient time to handle EP0 transfers. + +Signed-off-by: Wesley Cheng +Link: https://lore.kernel.org/r/20220901193625.8727-4-quic_wcheng@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: d3a8c28426fc ("usb: dwc3: Fix timeout issue during controller enter/exit from halt state") +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index e1e18a4f0d071..a13d1e2c5bde0 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2104,7 +2104,7 @@ static void dwc3_stop_active_transfers(struct dwc3 *dwc) + static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend) + { + u32 reg; +- u32 timeout = 500; ++ u32 timeout = 2000; + + if (pm_runtime_suspended(dwc->dev)) + return 0; +@@ -2136,6 +2136,7 @@ static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend) + dwc3_gadget_dctl_write_safe(dwc, reg); + + do { ++ usleep_range(1000, 2000); + reg = dwc3_readl(dwc->regs, DWC3_DSTS); + reg &= DWC3_DSTS_DEVCTRLHLT; + } while (--timeout && !(!is_on ^ !reg)); +-- +2.39.5 + diff --git a/queue-5.10/usb-gadget-f_midi-f_midi_complete-to-call-queue_work.patch b/queue-5.10/usb-gadget-f_midi-f_midi_complete-to-call-queue_work.patch new file mode 100644 index 0000000000..dad394a98a --- /dev/null +++ b/queue-5.10/usb-gadget-f_midi-f_midi_complete-to-call-queue_work.patch @@ -0,0 +1,42 @@ +From 210b6fa7d875c3970b288589c69b425c3cc0c313 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 10:48:05 -0700 +Subject: USB: gadget: f_midi: f_midi_complete to call queue_work + +From: Jill Donahue + +[ Upstream commit 4ab37fcb42832cdd3e9d5e50653285ca84d6686f ] + +When using USB MIDI, a lock is attempted to be acquired twice through a +re-entrant call to f_midi_transmit, causing a deadlock. + +Fix it by using queue_work() to schedule the inner f_midi_transmit() via +a high priority work queue from the completion handler. + +Link: https://lore.kernel.org/all/CAArt=LjxU0fUZOj06X+5tkeGT+6RbXzpWg1h4t4Fwa_KGVAX6g@mail.gmail.com/ +Fixes: d5daf49b58661 ("USB: gadget: midi: add midi function driver") +Cc: stable +Signed-off-by: Jill Donahue +Link: https://lore.kernel.org/r/20250211174805.1369265-1-jdonahue@fender.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_midi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c +index 01c5736d381ef..3e8ea1bbe429a 100644 +--- a/drivers/usb/gadget/function/f_midi.c ++++ b/drivers/usb/gadget/function/f_midi.c +@@ -282,7 +282,7 @@ f_midi_complete(struct usb_ep *ep, struct usb_request *req) + /* Our transmit completed. See if there's more to go. + * f_midi_transmit eats req, don't queue it again. */ + req->length = 0; +- f_midi_transmit(midi); ++ queue_work(system_highpri_wq, &midi->work); + return; + } + break; +-- +2.39.5 + diff --git a/queue-5.10/usb-gadget-f_midi-replace-tasklet-with-work.patch b/queue-5.10/usb-gadget-f_midi-replace-tasklet-with-work.patch new file mode 100644 index 0000000000..44c6175357 --- /dev/null +++ b/queue-5.10/usb-gadget-f_midi-replace-tasklet-with-work.patch @@ -0,0 +1,81 @@ +From c4f2ea7dfafff7329f88dfb59b82c50404880f2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Jan 2021 20:28:55 -0800 +Subject: usb/gadget: f_midi: Replace tasklet with work + +From: Davidlohr Bueso + +[ Upstream commit 8653d71ce3763aedcf3d2331f59beda3fecd79e4 ] + +Currently a tasklet is used to transmit input substream buffer +data. However, tasklets have long been deprecated as being too +heavy on the system by running in irq context - and this is not +a performance critical path. If a higher priority process wants +to run, it must wait for the tasklet to finish before doing so. + +Deferring work to a workqueue and executing in process context +should be fine considering the callback already does +f_midi_do_transmit() under the transmit_lock and thus changes in +semantics are ok regarding concurrency - tasklets being serialized +against itself. + +Cc: Takashi Iwai +Reviewed-by: Takashi Iwai +Acked-by: Felipe Balbi +Signed-off-by: Davidlohr Bueso +Link: https://lore.kernel.org/r/20210111042855.73289-1-dave@stgolabs.net +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 4ab37fcb4283 ("USB: gadget: f_midi: f_midi_complete to call queue_work") +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_midi.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c +index 71aeaa2302edd..01c5736d381ef 100644 +--- a/drivers/usb/gadget/function/f_midi.c ++++ b/drivers/usb/gadget/function/f_midi.c +@@ -87,7 +87,7 @@ struct f_midi { + struct snd_rawmidi_substream *out_substream[MAX_PORTS]; + + unsigned long out_triggered; +- struct tasklet_struct tasklet; ++ struct work_struct work; + unsigned int in_ports; + unsigned int out_ports; + int index; +@@ -698,9 +698,11 @@ static void f_midi_transmit(struct f_midi *midi) + f_midi_drop_out_substreams(midi); + } + +-static void f_midi_in_tasklet(struct tasklet_struct *t) ++static void f_midi_in_work(struct work_struct *work) + { +- struct f_midi *midi = from_tasklet(midi, t, tasklet); ++ struct f_midi *midi; ++ ++ midi = container_of(work, struct f_midi, work); + f_midi_transmit(midi); + } + +@@ -737,7 +739,7 @@ static void f_midi_in_trigger(struct snd_rawmidi_substream *substream, int up) + VDBG(midi, "%s() %d\n", __func__, up); + midi->in_ports_array[substream->number].active = up; + if (up) +- tasklet_hi_schedule(&midi->tasklet); ++ queue_work(system_highpri_wq, &midi->work); + } + + static int f_midi_out_open(struct snd_rawmidi_substream *substream) +@@ -875,7 +877,7 @@ static int f_midi_bind(struct usb_configuration *c, struct usb_function *f) + int status, n, jack = 1, i = 0, endpoint_descriptor_index = 0; + + midi->gadget = cdev->gadget; +- tasklet_setup(&midi->tasklet, f_midi_in_tasklet); ++ INIT_WORK(&midi->work, f_midi_in_work); + status = f_midi_register_card(midi); + if (status < 0) + goto fail_register; +-- +2.39.5 +