From 052e4981e194f466985fb442cec6d155d952341f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 10 Oct 2022 08:49:57 +0200
Subject: [PATCH] 5.19-stable patches

added patches:
bluetooth-use-hdev-workqueue-when-queuing-hdev-cmd-ncmd-_timer-works.patch
bpf-fix-resetting-logic-for-unreferenced-kptrs.patch
bpf-gate-dynptr-api-behind-cap_bpf.patch
net-ethernet-mtk_eth_soc-fix-state-in-__mtk_foe_entry_clear.patch
---
 ...n-queuing-hdev-cmd-ncmd-_timer-works.patch | 91 +++++++++++++++++++
 ...setting-logic-for-unreferenced-kptrs.patch | 40 ++++++++
 .../bpf-gate-dynptr-api-behind-cap_bpf.patch | 85 +++++++++++++++++
 ...c-fix-state-in-__mtk_foe_entry_clear.patch | 41 +++++++++
 queue-5.19/series | 4 +
 5 files changed, 261 insertions(+)
 create mode 100644 queue-5.19/bluetooth-use-hdev-workqueue-when-queuing-hdev-cmd-ncmd-_timer-works.patch
 create mode 100644 queue-5.19/bpf-fix-resetting-logic-for-unreferenced-kptrs.patch
 create mode 100644 queue-5.19/bpf-gate-dynptr-api-behind-cap_bpf.patch
 create mode 100644 queue-5.19/net-ethernet-mtk_eth_soc-fix-state-in-__mtk_foe_entry_clear.patch

diff --git a/queue-5.19/bluetooth-use-hdev-workqueue-when-queuing-hdev-cmd-ncmd-_timer-works.patch b/queue-5.19/bluetooth-use-hdev-workqueue-when-queuing-hdev-cmd-ncmd-_timer-works.patch
new file mode 100644
index 00000000000..833a5af3597
--- /dev/null
+++ b/queue-5.19/bluetooth-use-hdev-workqueue-when-queuing-hdev-cmd-ncmd-_timer-works.patch
@@ -0,0 +1,91 @@
+From deee93d13d385103205879a8a0915036ecd83261 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Fri, 2 Sep 2022 20:23:48 +0900
+Subject: Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works
+
+From: Tetsuo Handa
+
+commit deee93d13d385103205879a8a0915036ecd83261 upstream.
+
+syzbot is reporting attempt to schedule hdev->cmd_work work from system_wq
+WQ into hdev->workqueue WQ which is under draining operation [1], for
+commit c8efcc2589464ac7 ("workqueue: allow chained queueing during
+destruction") does not allow such operation.
+
+The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work
+queue is drained, only queue chained work") was incomplete.
+
+Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}_timer works because
+hci_{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect
+the queuing operation with RCU read lock in order to avoid calling
+queue_delayed_work() after cancel_delayed_work() completed.
+
+Link: https://syzkaller.appspot.com/bug?extid=243b7d89777f90f7613b [1]
+Reported-by: syzbot
+Signed-off-by: Tetsuo Handa
+Fixes: 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_core.c | 15 +++++++++++++--
+ net/bluetooth/hci_event.c | 6 ++++--
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -596,6 +596,15 @@ static int hci_dev_do_reset(struct hci_d
+
+ /* Cancel these to avoid queueing non-chained pending work */
+ hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
++ /* Wait for
++ *
++ * if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
++ * queue_delayed_work(&hdev->{cmd,ncmd}_timer)
++ *
++ * inside RCU section to see the flag or complete scheduling.
++ */
++ synchronize_rcu();
++ /* Explicitly cancel works in case scheduled after setting the flag. */
+ cancel_delayed_work(&hdev->cmd_timer);
+ cancel_delayed_work(&hdev->ncmd_timer);
+
+@@ -3871,12 +3880,14 @@ static void hci_cmd_work(struct work_str
+ if (res < 0)
+ __hci_cmd_sync_cancel(hdev, -res);
+
++ rcu_read_lock();
+ if (test_bit(HCI_RESET, &hdev->flags) ||
+ hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
+ cancel_delayed_work(&hdev->cmd_timer);
+ else
+- schedule_delayed_work(&hdev->cmd_timer,
+- HCI_CMD_TIMEOUT);
++ queue_delayed_work(hdev->workqueue, &hdev->cmd_timer,
++ HCI_CMD_TIMEOUT);
++ rcu_read_unlock();
+ } else {
+ skb_queue_head(&hdev->cmd_q, skb);
+ queue_work(hdev->workqueue, &hdev->cmd_work);
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3763,16 +3763,18 @@ static inline void handle_cmd_cnt_and_ti
+ {
+ cancel_delayed_work(&hdev->cmd_timer);
+
++ rcu_read_lock();
+ if (!test_bit(HCI_RESET, &hdev->flags)) {
+ if (ncmd) {
+ cancel_delayed_work(&hdev->ncmd_timer);
+ atomic_set(&hdev->cmd_cnt, 1);
+ } else {
+ if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
+- schedule_delayed_work(&hdev->ncmd_timer,
+- HCI_NCMD_TIMEOUT);
++ queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
++ HCI_NCMD_TIMEOUT);
+ }
+ }
++ rcu_read_unlock();
+ }
+
+ #define HCI_CC_VL(_op, _func, _min, _max) \
diff --git a/queue-5.19/bpf-fix-resetting-logic-for-unreferenced-kptrs.patch b/queue-5.19/bpf-fix-resetting-logic-for-unreferenced-kptrs.patch
new file mode 100644
index 00000000000..6bad51043d8
--- /dev/null
+++ b/queue-5.19/bpf-fix-resetting-logic-for-unreferenced-kptrs.patch
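Review bot: The rcu_read_lock()/rcu_read_unlock() pairs added in hci_cmd_work and handle_cmd_cnt_and_timer guard no rcu_dereference() at all; they exist only to pair with the synchronize_rcu() inserted in hci_dev_do_reset, so that a reader that tested HCI_CMD_DRAIN_WORKQUEUE before it was set has finished its queue_delayed_work() before the cancel_delayed_work() calls run. That intent is written down only at the writer side, in the hci_dev_do_reset comment, and a reader of the two read-side hunks has no way to tell why a plain flag test needs an RCU section. A comment above each `rcu_read_lock();` would carry it: `/* Pairs with synchronize_rcu() in hci_dev_do_reset(): the flag test and queue_delayed_work() must not straddle the cancel. */`. By the same logic, any other path that sets HCI_CMD_DRAIN_WORKQUEUE and then cancels the timers (none is visible in this patch) would need the same synchronize_rcu() to get the guarantee. All three functions touched, hci_dev_do_reset, hci_cmd_work and handle_cmd_cnt_and_timer, begin and end outside the hunks.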
@@ -0,0 +1,40 @@
+From 9fad7fe5b29803584c7f17a2abe6c2936fec6828 Mon Sep 17 00:00:00 2001
+From: Jules Irenge
+Date: Wed, 7 Sep 2022 16:24:20 +0100
+Subject: bpf: Fix resetting logic for unreferenced kptrs
+
+From: Jules Irenge
+
+commit 9fad7fe5b29803584c7f17a2abe6c2936fec6828 upstream.
+
+Sparse reported a warning at bpf_map_free_kptrs()
+"warning: Using plain integer as NULL pointer"
+During the process of fixing this warning, it was discovered that the current
+code erroneously writes to the pointer variable instead of deferencing and
+writing to the actual kptr. Hence, Sparse tool accidentally helped to uncover
+this problem. Fix this by doing WRITE_ONCE(*p, 0) instead of WRITE_ONCE(p, 0).
+
+Note that the effect of this bug is that unreferenced kptrs will not be cleared
+during check_and_free_fields. It is not a problem if the clearing is not done
+during map_free stage, as there is nothing to free for them.
+
+Fixes: 14a324f6a67e ("bpf: Wire up freeing of referenced kptr")
+Signed-off-by: Jules Irenge
+Link: https://lore.kernel.org/r/Yxi3pJaK6UDjVJSy@playground
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/bpf/syscall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -578,7 +578,7 @@ void bpf_map_free_kptrs(struct bpf_map *
+ if (off_desc->type == BPF_KPTR_UNREF) {
+ u64 *p = (u64 *)btf_id_ptr;
+
+- WRITE_ONCE(p, 0);
++ WRITE_ONCE(*p, 0);
+ continue;
+ }
+ old_ptr = xchg(btf_id_ptr, 0);
diff --git a/queue-5.19/bpf-gate-dynptr-api-behind-cap_bpf.patch b/queue-5.19/bpf-gate-dynptr-api-behind-cap_bpf.patch
new file mode 100644
index 00000000000..503a7a2fdbd
--- /dev/null
+++ b/queue-5.19/bpf-gate-dynptr-api-behind-cap_bpf.patch
@@ -0,0 +1,85 @@
+From 8addbfc7b308d591f8a5f2f6bb24d08d9d79dfbb Mon Sep 17 00:00:00 2001
+From: Kumar Kartikeya Dwivedi
+Date: Wed, 21 Sep 2022 16:35:50 +0200
+Subject: bpf: Gate dynptr API behind CAP_BPF
+
+From: Kumar Kartikeya Dwivedi
+
+commit 8addbfc7b308d591f8a5f2f6bb24d08d9d79dfbb upstream.
+
+This has been enabled for unprivileged programs for only one kernel
+release, hence the expected annoyances due to this move are low. Users
+using ringbuf can stick to non-dynptr APIs. The actual use cases dynptr
+is meant to serve may not make sense in unprivileged BPF programs.
+
+Hence, gate these helpers behind CAP_BPF and limit use to privileged
+BPF programs.
+
+Fixes: 263ae152e962 ("bpf: Add bpf_dynptr_from_mem for local dynptrs")
+Fixes: bc34dee65a65 ("bpf: Dynptr support for ring buffers")
+Fixes: 13bbbfbea759 ("bpf: Add bpf_dynptr_read and bpf_dynptr_write")
+Fixes: 34d4ef5775f7 ("bpf: Add dynptr data slices")
+Signed-off-by: Kumar Kartikeya Dwivedi
+Link: https://lore.kernel.org/r/20220921143550.30247-1-memxor@gmail.com
+Acked-by: Andrii Nakryiko
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/bpf/helpers.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index 1f961f9982d2..3814b0fd3a2c 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -1627,26 +1627,12 @@ bpf_base_func_proto(enum bpf_func_id func_id)
+ return &bpf_ringbuf_discard_proto;
+ case BPF_FUNC_ringbuf_query:
+ return &bpf_ringbuf_query_proto;
+- case BPF_FUNC_ringbuf_reserve_dynptr:
+- return &bpf_ringbuf_reserve_dynptr_proto;
+- case BPF_FUNC_ringbuf_submit_dynptr:
+- return &bpf_ringbuf_submit_dynptr_proto;
+- case BPF_FUNC_ringbuf_discard_dynptr:
+- return &bpf_ringbuf_discard_dynptr_proto;
+ case BPF_FUNC_for_each_map_elem:
+ return &bpf_for_each_map_elem_proto;
+ case BPF_FUNC_loop:
+ return &bpf_loop_proto;
+ case BPF_FUNC_strncmp:
+ return &bpf_strncmp_proto;
+- case BPF_FUNC_dynptr_from_mem:
+- return &bpf_dynptr_from_mem_proto;
+- case BPF_FUNC_dynptr_read:
+- return &bpf_dynptr_read_proto;
+- case BPF_FUNC_dynptr_write:
+- return &bpf_dynptr_write_proto;
+- case BPF_FUNC_dynptr_data:
+- return &bpf_dynptr_data_proto;
+ default:
+ break;
+ }
+@@ -1675,6 +1661,20 @@ bpf_base_func_proto(enum bpf_func_id func_id)
+ return &bpf_timer_cancel_proto;
+ case BPF_FUNC_kptr_xchg:
+ return &bpf_kptr_xchg_proto;
++ case BPF_FUNC_ringbuf_reserve_dynptr:
++ return &bpf_ringbuf_reserve_dynptr_proto;
++ case BPF_FUNC_ringbuf_submit_dynptr:
++ return &bpf_ringbuf_submit_dynptr_proto;
++ case BPF_FUNC_ringbuf_discard_dynptr:
++ return &bpf_ringbuf_discard_dynptr_proto;
++ case BPF_FUNC_dynptr_from_mem:
++ return &bpf_dynptr_from_mem_proto;
++ case BPF_FUNC_dynptr_read:
++ return &bpf_dynptr_read_proto;
++ case BPF_FUNC_dynptr_write:
++ return &bpf_dynptr_write_proto;
++ case BPF_FUNC_dynptr_data:
++ return &bpf_dynptr_data_proto;
+ default:
+ break;
+ }
+--
+2.38.0
+
diff --git a/queue-5.19/net-ethernet-mtk_eth_soc-fix-state-in-__mtk_foe_entry_clear.patch b/queue-5.19/net-ethernet-mtk_eth_soc-fix-state-in-__mtk_foe_entry_clear.patch
new file mode 100644
index 00000000000..04929f250b0
--- /dev/null
+++ b/queue-5.19/net-ethernet-mtk_eth_soc-fix-state-in-__mtk_foe_entry_clear.patch
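Review bot: The whole privilege effect of this change rests on which of the two switch statements in bpf_base_func_proto a caller reaches, and the capability test that separates them is outside both hunks; the seven moved `case` labels carry nothing that marks them as privileged-only, so they look interchangeable with the cases they used to sit beside. A one-line comment above the first moved label, `case BPF_FUNC_ringbuf_reserve_dynptr:`, would pin the intent in the code: `/* dynptr helpers are CAP_BPF-only (8addbfc7b308); keep them out of the unprivileged switch above */`. When backporting, it is worth checking that the context lines (`bpf_kptr_xchg_proto`, `bpf_timer_cancel_proto`) really sit in the gated branch in the 5.19 tree, since the hunk header alone cannot show that. bpf_base_func_proto begins and ends outside the hunks.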
@@ -0,0 +1,41 @@
+From ae3ed15da5889263de372ff9df2e83e16acca4cb Mon Sep 17 00:00:00 2001
+From: Daniel Golle
+Date: Fri, 30 Sep 2022 01:56:53 +0100
+Subject: net: ethernet: mtk_eth_soc: fix state in __mtk_foe_entry_clear
+
+From: Daniel Golle
+
+commit ae3ed15da5889263de372ff9df2e83e16acca4cb upstream.
+
+Setting ib1 state to MTK_FOE_STATE_UNBIND in __mtk_foe_entry_clear
+routine as done by commit 0e80707d94e4c8 ("net: ethernet: mtk_eth_soc:
+fix typo in __mtk_foe_entry_clear") breaks flow offloading, at least
+on older MTK_NETSYS_V1 SoCs, OpenWrt users have confirmed the bug on
+MT7622 and MT7621 systems.
+Felix Fietkau suggested to use MTK_FOE_STATE_INVALID instead which
+works well on both, MTK_NETSYS_V1 and MTK_NETSYS_V2.
+
+Tested on MT7622 (Linksys E8450) and MT7986 (BananaPi BPI-R3).
+
+Suggested-by: Felix Fietkau
+Fixes: 0e80707d94e4c8 ("net: ethernet: mtk_eth_soc: fix typo in __mtk_foe_entry_clear")
+Fixes: 33fc42de33278b ("net: ethernet: mtk_eth_soc: support creating mac address based offload entries")
+Signed-off-by: Daniel Golle
+Link: https://lore.kernel.org/r/YzY+1Yg0FBXcnrtc@makrotopia.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mediatek/mtk_ppe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mediatek/mtk_ppe.c
++++ b/drivers/net/ethernet/mediatek/mtk_ppe.c
+@@ -412,7 +412,7 @@ __mtk_foe_entry_clear(struct mtk_ppe *pp
+ if (entry->hash != 0xffff) {
+ ppe->foe_table[entry->hash].ib1 &= ~MTK_FOE_IB1_STATE;
+ ppe->foe_table[entry->hash].ib1 |= FIELD_PREP(MTK_FOE_IB1_STATE,
+- MTK_FOE_STATE_UNBIND);
++ MTK_FOE_STATE_INVALID);
+ dma_wmb();
+ }
+ entry->hash = 0xffff;
diff --git a/queue-5.19/series b/queue-5.19/series
index 49d44fadaac..820030ad493 100644
--- a/queue-5.19/series
+++ b/queue-5.19/series
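Review bot: The reason MTK_FOE_STATE_INVALID is the right state here, and UNBIND is not, lives only in the commit message; the replaced line gives a later reader no hint that UNBIND broke flow offloading on MTK_NETSYS_V1, which is exactly how the earlier "typo fix" (0e80707d94e4c8) got it wrong. A comment on the FIELD_PREP line would prevent the round trip: `/* INVALID, not UNBIND: UNBIND breaks offload on NETSYS_V1 (ae3ed15da588) */`. As a point of style, the surrounding context compares and assigns the bare sentinel `0xffff` for "no hash" twice in these seven lines; a named constant would read better, though that is pre-existing code and not part of this fix. __mtk_foe_entry_clear begins and ends outside the hunk.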
@@ -42,3 +42,7 @@ gpiolib-acpi-add-a-quirk-for-asus-um325uaz.patch
 mmc-core-replace-with-already-defined-values-for-readability.patch
 mmc-core-terminate-infinite-loop-in-sd-uhs-voltage-switch.patch
 rpmsg-qcom-glink-replace-strncpy-with-strscpy_pad.patch
+bpf-gate-dynptr-api-behind-cap_bpf.patch
+net-ethernet-mtk_eth_soc-fix-state-in-__mtk_foe_entry_clear.patch
+bpf-fix-resetting-logic-for-unreferenced-kptrs.patch
+bluetooth-use-hdev-workqueue-when-queuing-hdev-cmd-ncmd-_timer-works.patch
--
2.47.3