From 1a6101b6c23cb0fb16a9479b8fd119ef8874ba68 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 26 Mar 2023 19:04:14 -0400 Subject: [PATCH] Fixes for 5.15 
Signed-off-by: Sasha Levin --- ...-tolino-shine2hd-fix-usbotg1-pinctrl.patch | 34 +++ ...s-imx6sll-e60k02-fix-usbotg1-pinctrl.patch | 34 +++ ...-specify-sound-dai-cells-for-sai-nod.patch | 69 ++++++ ...252-fix-kmemleak-when-rmmod-idt77252.patch | 92 +++++++ ...smd-fix-command-timeout-after-settin.patch | 74 ++++++ ...-fix-use-after-free-bug-in-btsdio_re.patch | 39 +++ ...p-fix-responding-with-wrong-pdu-type.patch | 226 ++++++++++++++++++ ...ig-fix-testcase-to-increase-max-node.patch | 59 +++++ ...t-insufficient-default-bpf_jit_limit.patch | 78 ++++++ ...orm-uc-late-init-after-probe-error-i.patch | 49 ++++ ...use-skb_mac_header-in-ndo_start_xmit.patch | 122 ++++++++++ ...e-cache-link_speed-value-from-device.patch | 47 ++++ ...concurrent-accesses-to-the-shared-ri.patch | 147 ++++++++++++ ...e-the-completion-interrupt-to-finish.patch | 47 ++++ ...eck-only-for-enabled-interrupt-flags.patch | 47 ++++ ...w-director-packet-filter-programming.patch | 44 ++++ .../iavf-fix-hang-on-reboot-with-ice.patch | 88 +++++++ ...d-rx-hash-condition-leading-to-disab.patch | 44 ++++ ...neled-ipv6-udp-packet-type-and-hashi.patch | 48 ++++ ...gbvf-regard-vf-reset-nack-as-success.patch | 62 +++++ ...idation-logic-for-taprio-s-gate-list.patch | 76 ++++++ ...-irq-on-the-error-path-in-igbvf_requ.patch | 54 +++++ ...e-key-in-task-struct-if-key-is-reque.patch | 64 +++++ ...und-validation-to-fsctl_query_alloca.patch | 52 ++++ ...und-validation-to-fsctl_set_zero_dat.patch | 41 ++++ ...-possible-refcount-leak-in-smb2_open.patch | 41 ++++ ...dsa-b53-mmap-fix-device-tree-support.patch | 40 ++++ ...ove-enabling-disabling-core-clock-to.patch | 91 +++++++ ...ove-lowering-trgmii-driving-to-mt753.patch | 100 ++++++++ ...ove-setting-ssc_delta-to-phy_interfa.patch | 55 +++++ ...cm-legacy-fix-daisy-chained-switches.patch | 75 ++++++ ...er-field-for-mdio-buses-registered-u.patch | 152 ++++++++++++ ...eld-for-mdio-buses-registered-u.patch-9507 | 87 +++++++ ...hunder-add-missing-fwnode_handle_put.patch | 36 +++ 
...h-fix-an-oops-in-error-handling-code.patch | 38 +++ .../net-mlx5-fix-steering-rules-cleanup.patch | 65 +++++ ...e-tc-mapping-of-all-priorities-on-et.patch | 51 ++++ ...-mlx5e-set-uplink-rep-as-netns_local.patch | 49 ++++ ...tate-transitions-are-processed-from-.patch | 91 +++++++ ...-ps3_gelic_net-fix-rx-sk_buff-length.patch | 106 ++++++++ ...-ps3_gelic_net-use-dma_mapping_error.patch | 89 +++++++ ...x-use-after-free-bug-in-emac_remove-.patch | 63 +++++ ...se-dma_mapping_error-for-error-check.patch | 49 ++++ ...c95xx-limit-packet-length-to-skb-len.patch | 43 ++++ ...-fix-nvme_tcp_term_pdu-to-match-spec.patch | 44 ++++ ...vf-add-missing-free-for-alloc_percpu.patch | 47 ++++ ...cros_ec_chardev-fix-kernel-data-leak.patch | 41 ++++ ...4190-fix-use-after-free-bug-in-bq241.patch | 56 +++++ ...4190_charger-using-pm_runtime_resume.patch | 191 +++++++++++++++ ...150-fix-use-after-free-bug-in-da9150.patch | 55 +++++ ...ard-against-null-derefs-from-qed_iov.patch | 51 ++++ ...a-fix-memleak-for-qdata-in-alua_acti.patch | 61 +++++ queue-5.15/series | 54 +++++ ...use-after-free-bug-in-xirc2ps_detach.patch | 58 +++++ ...ssing-overflow-check-in-xdp_umem_reg.patch | 64 +++++ 55 files changed, 3780 insertions(+) create mode 100644 queue-5.15/arm-dts-imx6sl-tolino-shine2hd-fix-usbotg1-pinctrl.patch create mode 100644 queue-5.15/arm-dts-imx6sll-e60k02-fix-usbotg1-pinctrl.patch create mode 100644 queue-5.15/arm64-dts-imx8mn-specify-sound-dai-cells-for-sai-nod.patch create mode 100644 queue-5.15/atm-idt77252-fix-kmemleak-when-rmmod-idt77252.patch create mode 100644 queue-5.15/bluetooth-btqcomsmd-fix-command-timeout-after-settin.patch create mode 100644 queue-5.15/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch create mode 100644 queue-5.15/bluetooth-l2cap-fix-responding-with-wrong-pdu-type.patch create mode 100644 queue-5.15/bootconfig-fix-testcase-to-increase-max-node.patch create mode 100644 queue-5.15/bpf-adjust-insufficient-default-bpf_jit_limit.patch create mode 100644 
queue-5.15/drm-i915-gt-perform-uc-late-init-after-probe-error-i.patch create mode 100644 queue-5.15/erspan-do-not-use-skb_mac_header-in-ndo_start_xmit.patch create mode 100644 queue-5.15/gve-cache-link_speed-value-from-device.patch create mode 100644 queue-5.15/hvc-xen-prevent-concurrent-accesses-to-the-shared-ri.patch create mode 100644 queue-5.15/i2c-hisi-only-use-the-completion-interrupt-to-finish.patch create mode 100644 queue-5.15/i2c-imx-lpi2c-check-only-for-enabled-interrupt-flags.patch create mode 100644 queue-5.15/i40e-fix-flow-director-packet-filter-programming.patch create mode 100644 queue-5.15/iavf-fix-hang-on-reboot-with-ice.patch create mode 100644 queue-5.15/iavf-fix-inverted-rx-hash-condition-leading-to-disab.patch create mode 100644 queue-5.15/iavf-fix-non-tunneled-ipv6-udp-packet-type-and-hashi.patch create mode 100644 queue-5.15/igbvf-regard-vf-reset-nack-as-success.patch create mode 100644 queue-5.15/igc-fix-the-validation-logic-for-taprio-s-gate-list.patch create mode 100644 queue-5.15/intel-igbvf-free-irq-on-the-error-path-in-igbvf_requ.patch create mode 100644 queue-5.15/keys-do-not-cache-key-in-task-struct-if-key-is-reque.patch create mode 100644 queue-5.15/ksmbd-add-low-bound-validation-to-fsctl_query_alloca.patch create mode 100644 queue-5.15/ksmbd-add-low-bound-validation-to-fsctl_set_zero_dat.patch create mode 100644 queue-5.15/ksmbd-fix-possible-refcount-leak-in-smb2_open.patch create mode 100644 queue-5.15/net-dsa-b53-mmap-fix-device-tree-support.patch create mode 100644 queue-5.15/net-dsa-mt7530-move-enabling-disabling-core-clock-to.patch create mode 100644 queue-5.15/net-dsa-mt7530-move-lowering-trgmii-driving-to-mt753.patch create mode 100644 queue-5.15/net-dsa-mt7530-move-setting-ssc_delta-to-phy_interfa.patch create mode 100644 queue-5.15/net-dsa-tag_brcm-legacy-fix-daisy-chained-switches.patch create mode 100644 queue-5.15/net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch create mode 100644 
queue-5.15/net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch-9507 create mode 100644 queue-5.15/net-mdio-thunder-add-missing-fwnode_handle_put.patch create mode 100644 queue-5.15/net-mlx5-e-switch-fix-an-oops-in-error-handling-code.patch create mode 100644 queue-5.15/net-mlx5-fix-steering-rules-cleanup.patch create mode 100644 queue-5.15/net-mlx5-read-the-tc-mapping-of-all-priorities-on-et.patch create mode 100644 queue-5.15/net-mlx5e-set-uplink-rep-as-netns_local.patch create mode 100644 queue-5.15/net-phy-ensure-state-transitions-are-processed-from-.patch create mode 100644 queue-5.15/net-ps3_gelic_net-fix-rx-sk_buff-length.patch create mode 100644 queue-5.15/net-ps3_gelic_net-use-dma_mapping_error.patch create mode 100644 queue-5.15/net-qcom-emac-fix-use-after-free-bug-in-emac_remove-.patch create mode 100644 queue-5.15/net-sonic-use-dma_mapping_error-for-error-check.patch create mode 100644 queue-5.15/net-usb-smsc95xx-limit-packet-length-to-skb-len.patch create mode 100644 queue-5.15/nvme-tcp-fix-nvme_tcp_term_pdu-to-match-spec.patch create mode 100644 queue-5.15/octeontx2-vf-add-missing-free-for-alloc_percpu.patch create mode 100644 queue-5.15/platform-chrome-cros_ec_chardev-fix-kernel-data-leak.patch create mode 100644 queue-5.15/power-supply-bq24190-fix-use-after-free-bug-in-bq241.patch create mode 100644 queue-5.15/power-supply-bq24190_charger-using-pm_runtime_resume.patch create mode 100644 queue-5.15/power-supply-da9150-fix-use-after-free-bug-in-da9150.patch create mode 100644 queue-5.15/qed-qed_sriov-guard-against-null-derefs-from-qed_iov.patch create mode 100644 queue-5.15/scsi-scsi_dh_alua-fix-memleak-for-qdata-in-alua_acti.patch create mode 100644 queue-5.15/xirc2ps_cs-fix-use-after-free-bug-in-xirc2ps_detach.patch create mode 100644 queue-5.15/xsk-add-missing-overflow-check-in-xdp_umem_reg.patch 
diff --git a/queue-5.15/arm-dts-imx6sl-tolino-shine2hd-fix-usbotg1-pinctrl.patch b/queue-5.15/arm-dts-imx6sl-tolino-shine2hd-fix-usbotg1-pinctrl.patch
new file mode 100644
index 00000000000..e10409856cc
--- /dev/null
+++ b/queue-5.15/arm-dts-imx6sl-tolino-shine2hd-fix-usbotg1-pinctrl.patch
@@ -0,0 +1,34 @@
+From 208978af974ed79d377e7d4347aa773288313a38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 26 Feb 2023 21:12:14 +0800
+Subject: ARM: dts: imx6sl: tolino-shine2hd: fix usbotg1 pinctrl
+
+From: Peng Fan
+
+[ Upstream commit 1cd489e1ada1cffa56bd06fd4609f5a60a985d43 ]
+
+usb@2184000: 'pinctrl-0' is a dependency of 'pinctrl-names'
+
+Signed-off-by: Peng Fan
+Fixes: 9c7016f1ca6d ("ARM: dts: imx: add devicetree for Tolino Shine 2 HD")
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts b/arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts
+index a17b8bbbdb956..f2231cb1e32df 100644
+--- a/arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts
++++ b/arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts
+@@ -597,6 +597,7 @@ &usdhc3 {
+
+ &usbotg1 {
+ pinctrl-names = "default";
++ pinctrl-0 = <&pinctrl_usbotg1>;
+ disable-over-current;
+ srp-disable;
+ hnp-disable;
+--
+2.39.2
+
diff --git a/queue-5.15/arm-dts-imx6sll-e60k02-fix-usbotg1-pinctrl.patch b/queue-5.15/arm-dts-imx6sll-e60k02-fix-usbotg1-pinctrl.patch
new file mode 100644
index 00000000000..10efb389fb3
--- /dev/null
+++ b/queue-5.15/arm-dts-imx6sll-e60k02-fix-usbotg1-pinctrl.patch
@@ -0,0 +1,34 @@
+From 5353c3b23e215b4b55856a9bb31a8101daa57878 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 26 Feb 2023 21:12:13 +0800
+Subject: ARM: dts: imx6sll: e60k02: fix usbotg1 pinctrl
+
+From: Peng Fan
+
+[ Upstream commit 957c04e9784c7c757e8cc293d7fb2a60cdf461b6 ]
+
+usb@2184000: 'pinctrl-0' is a dependency of 'pinctrl-names'
+
+Signed-off-by: Peng Fan
+Fixes: c100ea86e6ab ("ARM: dts: add Netronix E60K02 board common file")
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/e60k02.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/e60k02.dtsi b/arch/arm/boot/dts/e60k02.dtsi
+index cfb239d5186ac..54b4de6a5925d 100644
+--- a/arch/arm/boot/dts/e60k02.dtsi
++++ b/arch/arm/boot/dts/e60k02.dtsi
+@@ -302,6 +302,7 @@ &usdhc3 {
+
+ &usbotg1 {
+ pinctrl-names = "default";
++ pinctrl-0 = <&pinctrl_usbotg1>;
+ disable-over-current;
+ srp-disable;
+ hnp-disable;
+--
+2.39.2
+
diff --git a/queue-5.15/arm64-dts-imx8mn-specify-sound-dai-cells-for-sai-nod.patch b/queue-5.15/arm64-dts-imx8mn-specify-sound-dai-cells-for-sai-nod.patch
new file mode 100644
index 00000000000..b253f2b70f9
--- /dev/null
+++ b/queue-5.15/arm64-dts-imx8mn-specify-sound-dai-cells-for-sai-nod.patch
@@ -0,0 +1,69 @@ +From 284b5ba7006a14e264c998da77678c936315480a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Feb 2023 22:52:44 +0100 +Subject: arm64: dts: imx8mn: specify #sound-dai-cells for SAI nodes + +From: Marek Vasut + +[ Upstream commit 62fb54148cd6eb456ff031be8fb447c98cf0bd9b ] + +Add #sound-dai-cells properties to SAI nodes. + +Reviewed-by: Adam Ford +Reviewed-by: Fabio Estevam +Fixes: 9e9860069725 ("arm64: dts: imx8mn: Add SAI nodes") +Signed-off-by: Marek Vasut +Reviewed-by: Marco Felsch +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mn.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mn.dtsi b/arch/arm64/boot/dts/freescale/imx8mn.dtsi +index 0c47ff2426410..16a5efba17f39 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mn.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mn.dtsi +@@ -265,6 +265,7 @@ spba2: spba-bus@30000000 { + sai2: sai@30020000 { + compatible = "fsl,imx8mn-sai", "fsl,imx8mq-sai"; + reg = <0x30020000 0x10000>; ++ #sound-dai-cells = <0>; + interrupts = ; + clocks = <&clk IMX8MN_CLK_SAI2_IPG>, + <&clk IMX8MN_CLK_DUMMY>, +@@ -279,6 +280,7 @@ sai2: sai@30020000 { + sai3: sai@30030000 { + compatible = "fsl,imx8mn-sai", "fsl,imx8mq-sai"; + reg = <0x30030000 0x10000>; ++ #sound-dai-cells = <0>; + interrupts = ; + clocks = <&clk IMX8MN_CLK_SAI3_IPG>, + <&clk IMX8MN_CLK_DUMMY>, +@@ -293,6 +295,7 @@ sai3: sai@30030000 { + sai5: sai@30050000 { + compatible = "fsl,imx8mn-sai", "fsl,imx8mq-sai"; + reg = <0x30050000 0x10000>; ++ #sound-dai-cells = <0>; + interrupts = ; + clocks = <&clk IMX8MN_CLK_SAI5_IPG>, + <&clk IMX8MN_CLK_DUMMY>, +@@ -309,6 +312,7 @@ sai5: sai@30050000 { + sai6: sai@30060000 { + compatible = "fsl,imx8mn-sai", "fsl,imx8mq-sai"; + reg = <0x30060000 0x10000>; ++ #sound-dai-cells = <0>; + interrupts = ; + clocks = <&clk IMX8MN_CLK_SAI6_IPG>, + <&clk IMX8MN_CLK_DUMMY>, +@@ -366,6 +370,7 @@ spdif1: spdif@30090000 { + sai7: 
sai@300b0000 { + compatible = "fsl,imx8mn-sai", "fsl,imx8mq-sai"; + reg = <0x300b0000 0x10000>; ++ #sound-dai-cells = <0>; + interrupts = ; + clocks = <&clk IMX8MN_CLK_SAI7_IPG>, + <&clk IMX8MN_CLK_DUMMY>, +-- +2.39.2 + diff --git a/queue-5.15/atm-idt77252-fix-kmemleak-when-rmmod-idt77252.patch b/queue-5.15/atm-idt77252-fix-kmemleak-when-rmmod-idt77252.patch new file mode 100644 index 00000000000..65986ac23d1 --- /dev/null +++ b/queue-5.15/atm-idt77252-fix-kmemleak-when-rmmod-idt77252.patch 
@@ -0,0 +1,92 @@
+From 124f8aea34e70dc2b687e9a3d84dc063d313a4d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Mar 2023 14:33:18 +0000
+Subject: atm: idt77252: fix kmemleak when rmmod idt77252
+
+From: Li Zetao
+
+[ Upstream commit 4fe3c88552a3fbe1944426a4506a18cdeb457b5a ]
+
+There are memory leaks reported by kmemleak:
+
+ unreferenced object 0xffff888106500800 (size 128):
+ comm "modprobe", pid 1017, jiffies 4297787785 (age 67.152s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000970ce626>] __kmem_cache_alloc_node+0x20c/0x380
+ [<00000000fb5f78d9>] kmalloc_trace+0x2f/0xb0
+ [<000000000e947e2a>] idt77252_init_one+0x2847/0x3c90 [idt77252]
+ [<000000006efb048e>] local_pci_probe+0xeb/0x1a0
+ ...
+
+ unreferenced object 0xffff888106500b00 (size 128):
+ comm "modprobe", pid 1017, jiffies 4297787785 (age 67.152s)
+ hex dump (first 32 bytes):
+ 00 20 3d 01 80 88 ff ff 00 20 3d 01 80 88 ff ff . =...... =.....
+ f0 23 3d 01 80 88 ff ff 00 20 3d 01 00 00 00 00 .#=...... =.....
+ backtrace:
+ [<00000000970ce626>] __kmem_cache_alloc_node+0x20c/0x380
+ [<00000000fb5f78d9>] kmalloc_trace+0x2f/0xb0
+ [<00000000f451c5be>] alloc_scq.constprop.0+0x4a/0x400 [idt77252]
+ [<00000000e6313849>] idt77252_init_one+0x28cf/0x3c90 [idt77252]
+
+The root cause is traced to the vc_maps which alloced in open_card_oam()
+are not freed in close_card_oam(). The vc_maps are used to record
+open connections, so when close a vc_map in close_card_oam(), the memory
+should be freed. Moreover, the ubr0 is not closed when close a idt77252
+device, leading to the memory leak of vc_map and scq_info.
+
+Fix them by adding kfree in close_card_oam() and implementing new
+close_card_ubr0() to close ubr0.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Li Zetao
+Reviewed-by: Francois Romieu
+Link: https://lore.kernel.org/r/20230320143318.2644630-1-lizetao1@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/atm/idt77252.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
+index 681cb3786794d..49cb4537344aa 100644
+--- a/drivers/atm/idt77252.c
++++ b/drivers/atm/idt77252.c
+@@ -2909,6 +2909,7 @@ close_card_oam(struct idt77252_dev *card)
+
+ recycle_rx_pool_skb(card, &vc->rcv.rx_pool);
+ }
++ kfree(vc);
+ }
+ }
+ }
+@@ -2952,6 +2953,15 @@ open_card_ubr0(struct idt77252_dev *card)
+ return 0;
+ }
+
++static void
++close_card_ubr0(struct idt77252_dev *card)
++{
++ struct vc_map *vc = card->vcs[0];
++
++ free_scq(card, vc->scq);
++ kfree(vc);
++}
++
+ static int
+ idt77252_dev_open(struct idt77252_dev *card)
+ {
+@@ -3001,6 +3011,7 @@ static void idt77252_dev_close(struct atm_dev *dev)
+ struct idt77252_dev *card = dev->dev_data;
+ u32 conf;
+
++ close_card_ubr0(card);
+ close_card_oam(card);
+
+ conf = SAR_CFG_RXPTH | /* enable receive path */
+--
+2.39.2
+
diff --git a/queue-5.15/bluetooth-btqcomsmd-fix-command-timeout-after-settin.patch b/queue-5.15/bluetooth-btqcomsmd-fix-command-timeout-after-settin.patch
new file mode 100644
index 00000000000..db6530e9c27
--- /dev/null
+++ b/queue-5.15/bluetooth-btqcomsmd-fix-command-timeout-after-settin.patch
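Review bot: The new `close_card_ubr0()` in drivers/atm/idt77252.c dereferences `card->vcs[0]` without a NULL check and leaves the freed pointer in the table; the `kfree(vc)` added to `close_card_oam()` likewise does not visibly clear the slot it was read from. If `idt77252_dev_close()` can run when `open_card_ubr0()` failed or never ran, `vc->scq` is a NULL dereference, and any later walk of `card->vcs[]` would see a dangling pointer. I would add `if (!vc) return;` before `free_scq(card, vc->scq);` and `card->vcs[0] = NULL;` after `kfree(vc);`. Whether the OAM loop already resets its entries is outside the hunk and should be confirmed.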
@@ -0,0 +1,74 @@
+From ab82c517fe59bd7a7580f1751ba3a5498bfb6e1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Mar 2023 14:31:55 +0100
+Subject: Bluetooth: btqcomsmd: Fix command timeout after setting BD address
+
+From: Stephan Gerhold
+
+[ Upstream commit 5d44ab9e204200a78ad55cdf185aa2bb109b5950 ]
+
+On most devices using the btqcomsmd driver (e.g. the DragonBoard 410c
+and other devices based on the Qualcomm MSM8916/MSM8909/... SoCs)
+the Bluetooth firmware seems to become unresponsive for a while after
+setting the BD address. On recent kernel versions (at least 5.17+)
+this often causes timeouts for subsequent commands, e.g. the HCI reset
+sent by the Bluetooth core during initialization:
+
+ Bluetooth: hci0: Opcode 0x c03 failed: -110
+
+Unfortunately this behavior does not seem to be documented anywhere.
+Experimentation suggests that the minimum necessary delay to avoid
+the problem is ~150us. However, to be sure add a sleep for > 1ms
+in case it is a bit longer on other firmware versions.
+
+Older kernel versions are likely also affected, although perhaps with
+slightly different errors or less probability. Side effects can easily
+hide the issue in most cases, e.g. unrelated incoming interrupts that
+cause the necessary delay.
+
+Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver")
+Signed-off-by: Stephan Gerhold
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btqcomsmd.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btqcomsmd.c b/drivers/bluetooth/btqcomsmd.c
+index 2acb719e596f5..11c7e04bf3947 100644
+--- a/drivers/bluetooth/btqcomsmd.c
++++ b/drivers/bluetooth/btqcomsmd.c
+@@ -122,6 +122,21 @@ static int btqcomsmd_setup(struct hci_dev *hdev)
+ return 0;
+ }
+
++static int btqcomsmd_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
++{
++ int ret;
++
++ ret = qca_set_bdaddr_rome(hdev, bdaddr);
++ if (ret)
++ return ret;
++
++ /* The firmware stops responding for a while after setting the bdaddr,
++ * causing timeouts for subsequent commands. Sleep a bit to avoid this.
++ */
++ usleep_range(1000, 10000);
++ return 0;
++}
++
+ static int btqcomsmd_probe(struct platform_device *pdev)
+ {
+ struct btqcomsmd *btq;
+@@ -162,7 +177,7 @@ static int btqcomsmd_probe(struct platform_device *pdev)
+ hdev->close = btqcomsmd_close;
+ hdev->send = btqcomsmd_send;
+ hdev->setup = btqcomsmd_setup;
+- hdev->set_bdaddr = qca_set_bdaddr_rome;
++ hdev->set_bdaddr = btqcomsmd_set_bdaddr;
+
+ ret = hci_register_dev(hdev);
+ if (ret < 0)
+--
+2.39.2
+
diff --git a/queue-5.15/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch b/queue-5.15/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
new file mode 100644
index 00000000000..8f45dcabf5d
--- /dev/null
+++ b/queue-5.15/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
@@ -0,0 +1,39 @@
+From 501fd3292d68099ebbc47f1dc8b35122d1c2c011 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Mar 2023 16:07:39 +0800
+Subject: Bluetooth: btsdio: fix use after free bug in btsdio_remove due to
+ unfinished work
+
+From: Zheng Wang
+
+[ Upstream commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f ]
+
+In btsdio_probe, &data->work was bound with btsdio_work.In
+btsdio_send_frame, it was started by schedule_work.
+
+If we call btsdio_remove with an unfinished job, there may
+be a race condition and cause UAF bug on hdev.
+
+Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices")
+Signed-off-by: Zheng Wang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btsdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c
+index 199e8f7d426d9..7050a16e7efeb 100644
+--- a/drivers/bluetooth/btsdio.c
++++ b/drivers/bluetooth/btsdio.c
+@@ -352,6 +352,7 @@ static void btsdio_remove(struct sdio_func *func)
+
+ BT_DBG("func %p", func);
+
++ cancel_work_sync(&data->work);
+ if (!data)
+ return;
+
+--
+2.39.2
+
diff --git a/queue-5.15/bluetooth-l2cap-fix-responding-with-wrong-pdu-type.patch b/queue-5.15/bluetooth-l2cap-fix-responding-with-wrong-pdu-type.patch
new file mode 100644
index 00000000000..5478b0213d9
--- /dev/null
+++ b/queue-5.15/bluetooth-l2cap-fix-responding-with-wrong-pdu-type.patch
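Review bot: In `btsdio_remove()` the added `cancel_work_sync(&data->work);` sits above the existing `if (!data) return;`, so `data` is used before the NULL check that guards it, and a NULL `data` would hand the workqueue code an invalid pointer. The call belongs below the check: `if (!data) return;` followed by `cancel_work_sync(&data->work);`. A single cancel also only closes the described race if nothing can queue the work again before `hdev` is unregistered and freed. That ordering lives in the part of `btsdio_remove()` outside this hunk and should be confirmed.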
@@ -0,0 +1,226 @@ +From 32d9e5e39c5b5903911ce3dbdcddd5c4780423fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 14:20:34 -0800 +Subject: Bluetooth: L2CAP: Fix responding with wrong PDU type + +From: Luiz Augusto von Dentz + +[ Upstream commit 9aa9d9473f1550d1936c31259720b3f1f4690576 ] + +L2CAP_ECRED_CONN_REQ shall be responded with L2CAP_ECRED_CONN_RSP not +L2CAP_LE_CONN_RSP: + +L2CAP LE EATT Server - Reject - run + Listening for connections + New client connection with handle 0x002a + Sending L2CAP Request from client + Client received response code 0x15 + Unexpected L2CAP response code (expected 0x18) +L2CAP LE EATT Server - Reject - test failed + +> ACL Data RX: Handle 42 flags 0x02 dlen 26 + LE L2CAP: Enhanced Credit Connection Request (0x17) ident 1 len 18 + PSM: 39 (0x0027) + MTU: 64 + MPS: 64 + Credits: 5 + Source CID: 65 + Source CID: 66 + Source CID: 67 + Source CID: 68 + Source CID: 69 +< ACL Data TX: Handle 42 flags 0x00 dlen 16 + LE L2CAP: LE Connection Response (0x15) ident 1 len 8 + invalid size + 00 00 00 00 00 00 06 00 + +L2CAP LE EATT Server - Reject - run + Listening for connections + New client connection with handle 0x002a + Sending L2CAP Request from client + Client received response code 0x18 +L2CAP LE EATT Server - Reject - test passed + +Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 117 +++++++++++++++++++++++++------------ + 1 file changed, 79 insertions(+), 38 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index a21e086d69d0e..0194c25b8dc57 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -708,6 +708,17 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err) + } + EXPORT_SYMBOL_GPL(l2cap_chan_del); + ++static void __l2cap_chan_list_id(struct l2cap_conn *conn, u16 id, ++ l2cap_chan_func_t func, void *data) 
++{ ++ struct l2cap_chan *chan, *l; ++ ++ list_for_each_entry_safe(chan, l, &conn->chan_l, list) { ++ if (chan->ident == id) ++ func(chan, data); ++ } ++} ++ + static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func, + void *data) + { +@@ -775,23 +786,9 @@ static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan) + + static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan) + { +- struct l2cap_conn *conn = chan->conn; +- struct l2cap_ecred_conn_rsp rsp; +- u16 result; +- +- if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) +- result = L2CAP_CR_LE_AUTHORIZATION; +- else +- result = L2CAP_CR_LE_BAD_PSM; +- + l2cap_state_change(chan, BT_DISCONN); + +- memset(&rsp, 0, sizeof(rsp)); +- +- rsp.result = cpu_to_le16(result); +- +- l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), +- &rsp); ++ __l2cap_ecred_conn_rsp_defer(chan); + } + + static void l2cap_chan_connect_reject(struct l2cap_chan *chan) +@@ -846,7 +843,7 @@ void l2cap_chan_close(struct l2cap_chan *chan, int reason) + break; + case L2CAP_MODE_EXT_FLOWCTL: + l2cap_chan_ecred_connect_reject(chan); +- break; ++ return; + } + } + } +@@ -3938,43 +3935,86 @@ void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan) + &rsp); + } + +-void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan) ++static void l2cap_ecred_list_defer(struct l2cap_chan *chan, void *data) + { ++ int *result = data; ++ ++ if (*result || test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) ++ return; ++ ++ switch (chan->state) { ++ case BT_CONNECT2: ++ /* If channel still pending accept add to result */ ++ (*result)++; ++ return; ++ case BT_CONNECTED: ++ return; ++ default: ++ /* If not connected or pending accept it has been refused */ ++ *result = -ECONNREFUSED; ++ return; ++ } ++} ++ ++struct l2cap_ecred_rsp_data { + struct { + struct l2cap_ecred_conn_rsp rsp; +- __le16 dcid[5]; ++ __le16 scid[L2CAP_ECRED_MAX_CID]; + } __packed pdu; ++ int count; ++}; ++ ++static void 
l2cap_ecred_rsp_defer(struct l2cap_chan *chan, void *data) ++{ ++ struct l2cap_ecred_rsp_data *rsp = data; ++ ++ if (test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) ++ return; ++ ++ /* Reset ident so only one response is sent */ ++ chan->ident = 0; ++ ++ /* Include all channels pending with the same ident */ ++ if (!rsp->pdu.rsp.result) ++ rsp->pdu.rsp.dcid[rsp->count++] = cpu_to_le16(chan->scid); ++ else ++ l2cap_chan_del(chan, ECONNRESET); ++} ++ ++void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan) ++{ + struct l2cap_conn *conn = chan->conn; +- u16 ident = chan->ident; +- int i = 0; ++ struct l2cap_ecred_rsp_data data; ++ u16 id = chan->ident; ++ int result = 0; + +- if (!ident) ++ if (!id) + return; + +- BT_DBG("chan %p ident %d", chan, ident); ++ BT_DBG("chan %p id %d", chan, id); + +- pdu.rsp.mtu = cpu_to_le16(chan->imtu); +- pdu.rsp.mps = cpu_to_le16(chan->mps); +- pdu.rsp.credits = cpu_to_le16(chan->rx_credits); +- pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS); ++ memset(&data, 0, sizeof(data)); + +- mutex_lock(&conn->chan_lock); ++ data.pdu.rsp.mtu = cpu_to_le16(chan->imtu); ++ data.pdu.rsp.mps = cpu_to_le16(chan->mps); ++ data.pdu.rsp.credits = cpu_to_le16(chan->rx_credits); ++ data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS); + +- list_for_each_entry(chan, &conn->chan_l, list) { +- if (chan->ident != ident) +- continue; ++ /* Verify that all channels are ready */ ++ __l2cap_chan_list_id(conn, id, l2cap_ecred_list_defer, &result); + +- /* Reset ident so only one response is sent */ +- chan->ident = 0; ++ if (result > 0) ++ return; + +- /* Include all channels pending with the same ident */ +- pdu.dcid[i++] = cpu_to_le16(chan->scid); +- } ++ if (result < 0) ++ data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_AUTHORIZATION); + +- mutex_unlock(&conn->chan_lock); ++ /* Build response */ ++ __l2cap_chan_list_id(conn, id, l2cap_ecred_rsp_defer, &data); + +- l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP, +- sizeof(pdu.rsp) + i * 
sizeof(__le16), &pdu); ++ l2cap_send_cmd(conn, id, L2CAP_ECRED_CONN_RSP, ++ sizeof(data.pdu.rsp) + (data.count * sizeof(__le16)), ++ &data.pdu); + } + + void __l2cap_connect_rsp_defer(struct l2cap_chan *chan) +@@ -6078,6 +6118,7 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn, + __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); + + chan->ident = cmd->ident; ++ chan->mode = L2CAP_MODE_EXT_FLOWCTL; + + if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { + l2cap_state_change(chan, BT_CONNECT2); +-- +2.39.2 + diff --git a/queue-5.15/bootconfig-fix-testcase-to-increase-max-node.patch b/queue-5.15/bootconfig-fix-testcase-to-increase-max-node.patch new file mode 100644 index 00000000000..c2f201889b9 --- /dev/null +++ b/queue-5.15/bootconfig-fix-testcase-to-increase-max-node.patch 
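Review bot: `l2cap_ecred_rsp_defer()` stores into `rsp->pdu.rsp.dcid[rsp->count++]` with no check against `L2CAP_ECRED_MAX_CID`, the size of the on-stack `scid[]` array that backs it in `struct l2cap_ecred_rsp_data`. How many channels share one `ident` is driven by a peer's connection request, so unless the request path (outside this hunk) already caps it, extra matches would write past `data` on the stack of `__l2cap_ecred_conn_rsp_defer()`. A guard such as `if (rsp->count >= L2CAP_ECRED_MAX_CID) return;` before the store would keep the bound local to the code that depends on it. The removed loop took `conn->chan_lock` around the list walk and the new `__l2cap_chan_list_id()` does not, so it also deserves a one-line comment saying whether callers are expected to hold that lock.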
@@ -0,0 +1,59 @@ +From b3fce2673f77ac27eaefde14d242c60249aca6d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 22:54:08 +0900 +Subject: bootconfig: Fix testcase to increase max node + +From: Masami Hiramatsu (Google) + +[ Upstream commit b69245126a48e50882021180fa5d264dc7149ccc ] + +Since commit 6c40624930c5 ("bootconfig: Increase max nodes of bootconfig +from 1024 to 8192 for DCC support") increased the max number of bootconfig +node to 8192, the bootconfig testcase of the max number of nodes fails. +To fix this issue, we can not simply increase the number in the test script +because the test bootconfig file becomes too big (>32KB). To fix that, we +can use a combination of three alphabets (26^3 = 17576). But with that, +we can not express the 8193 (just one exceed from the limitation) because +it also exceeds the max size of bootconfig. So, the first 26 nodes will just +use one alphabet. + +With this fix, test-bootconfig.sh passes all tests. + +Link: https://lore.kernel.org/all/167888844790.791176.670805252426835131.stgit@devnote2/ + +Reported-by: Heinz Wiesinger +Link: https://lore.kernel.org/all/2463802.XAFRqVoOGU@amaterasu.liwjatan.org +Fixes: 6c40624930c5 ("bootconfig: Increase max nodes of bootconfig from 1024 to 8192 for DCC support") +Signed-off-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + tools/bootconfig/test-bootconfig.sh | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/tools/bootconfig/test-bootconfig.sh b/tools/bootconfig/test-bootconfig.sh +index f68e2e9eef8b2..a2c484c243f5d 100755 +--- a/tools/bootconfig/test-bootconfig.sh ++++ b/tools/bootconfig/test-bootconfig.sh +@@ -87,10 +87,14 @@ xfail grep -i "error" $OUTFILE + + echo "Max node number check" + +-echo -n > $TEMPCONF +-for i in `seq 1 1024` ; do +- echo "node$i" >> $TEMPCONF +-done ++awk ' ++BEGIN { ++ for (i = 0; i < 26; i += 1) ++ printf("%c\n", 65 + i % 26) ++ for (i = 26; i < 
8192; i += 1) ++ printf("%c%c%c\n", 65 + i % 26, 65 + (i / 26) % 26, 65 + (i / 26 / 26)) ++} ++' > $TEMPCONF + xpass $BOOTCONF -a $TEMPCONF $INITRD + + echo "badnode" >> $TEMPCONF +-- +2.39.2 + diff --git a/queue-5.15/bpf-adjust-insufficient-default-bpf_jit_limit.patch b/queue-5.15/bpf-adjust-insufficient-default-bpf_jit_limit.patch new file mode 100644 index 00000000000..d9e4f2f1a2e --- /dev/null +++ b/queue-5.15/bpf-adjust-insufficient-default-bpf_jit_limit.patch 
@@ -0,0 +1,78 @@
+From 7f84fdf46e5d00de55797de9cc5ab74984bc684b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Mar 2023 15:37:25 +0100
+Subject: bpf: Adjust insufficient default bpf_jit_limit
+
+From: Daniel Borkmann
+
+[ Upstream commit 10ec8ca8ec1a2f04c4ed90897225231c58c124a7 ]
+
+We've seen recent AWS EKS (Kubernetes) user reports like the following:
+
+ After upgrading EKS nodes from v20230203 to v20230217 on our 1.24 EKS
+ clusters after a few days a number of the nodes have containers stuck
+ in ContainerCreating state or liveness/readiness probes reporting the
+ following error:
+
+ Readiness probe errored: rpc error: code = Unknown desc = failed to
+ exec in container: failed to start exec "4a11039f730203ffc003b7[...]":
+ OCI runtime exec failed: exec failed: unable to start container process:
+ unable to init seccomp: error loading seccomp filter into kernel:
+ error loading seccomp filter: errno 524: unknown
+
+ However, we had not been seeing this issue on previous AMIs and it only
+ started to occur on v20230217 (following the upgrade from kernel 5.4 to
+ 5.10) with no other changes to the underlying cluster or workloads.
+
+ We tried the suggestions from that issue (sysctl net.core.bpf_jit_limit=452534528)
+ which helped to immediately allow containers to be created and probes to
+ execute but after approximately a day the issue returned and the value
+ returned by cat /proc/vmallocinfo | grep bpf_jit | awk '{s+=$2} END {print s}'
+ was steadily increasing.
+
+I tested bpf tree to observe bpf_jit_charge_modmem, bpf_jit_uncharge_modmem
+their sizes passed in as well as bpf_jit_current under tcpdump BPF filter,
+seccomp BPF and native (e)BPF programs, and the behavior all looks sane
+and expected, that is nothing "leaking" from an upstream perspective.
+
+The bpf_jit_limit knob was originally added in order to avoid a situation
+where unprivileged applications loading BPF programs (e.g. seccomp BPF
+policies) consuming all the module memory space via BPF JIT such that loading
+of kernel modules would be prevented. The default limit was defined back in
+2018 and while good enough back then, we are generally seeing far more BPF
+consumers today.
+
+Adjust the limit for the BPF JIT pool from originally 1/4 to now 1/2 of the
+module memory space to better reflect today's needs and avoid more users
+running into potentially hard to debug issues.
+
+Fixes: fdadd04931c2 ("bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K")
+Reported-by: Stephen Haynes
+Reported-by: Lefteris Alexakis
+Signed-off-by: Daniel Borkmann
+Link: https://github.com/awslabs/amazon-eks-ami/issues/1179
+Link: https://github.com/awslabs/amazon-eks-ami/issues/1219
+Reviewed-by: Kuniyuki Iwashima
+Link: https://lore.kernel.org/r/20230320143725.8394-1-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index cea0d1296599c..f7c27c1cc593b 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -829,7 +829,7 @@ static int __init bpf_jit_charge_init(void)
+ {
+ /* Only used as heuristic here to derive limit. */
+ bpf_jit_limit_max = bpf_jit_alloc_exec_limit();
+- bpf_jit_limit = min_t(u64, round_up(bpf_jit_limit_max >> 2,
++ bpf_jit_limit = min_t(u64, round_up(bpf_jit_limit_max >> 1,
+ PAGE_SIZE), LONG_MAX);
+ return 0;
+ }
+--
+2.39.2
+
diff --git a/queue-5.15/drm-i915-gt-perform-uc-late-init-after-probe-error-i.patch b/queue-5.15/drm-i915-gt-perform-uc-late-init-after-probe-error-i.patch
new file mode 100644
index 00000000000..4785859c05f
--- /dev/null
+++ b/queue-5.15/drm-i915-gt-perform-uc-late-init-after-probe-error-i.patch
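Review bot: The new default in `bpf_jit_charge_init()` is expressed only as `>> 1`, and the one comment in the hunk ("Only used as heuristic here to derive limit.") does not say which fraction is reserved or why. The commit message describes this limit as the guard that keeps unprivileged BPF JIT users from exhausting module memory, so I would record that next to the shift, e.g. `/* Default: half of the JIT allocation space; the rest stays available for module loading. */`. Any admin documentation that still states the old one-quarter default would need the same update; whether such text exists is not visible in this patch.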
@@ -0,0 +1,49 @@
+From adde3b1c5de955793f2b472b9a051b99aef6d9b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Mar 2023 16:19:20 +0100
+Subject: drm/i915/gt: perform uc late init after probe error injection
+
+From: Andrzej Hajda
+
+[ Upstream commit 150784f9285e656373cf3953ef4a7663f1e1a0f2 ]
+
+Probe pseudo errors should be injected only in places where real errors
+can be encountered, otherwise unwinding code can be broken.
+Placing intel_uc_init_late before i915_inject_probe_error violated
+this rule, resulting in following bug:
+__intel_gt_disable:655 GEM_BUG_ON(intel_gt_pm_is_awake(gt))
+
+Fixes: 481d458caede ("drm/i915/guc: Add golden context to GuC ADS")
+Acked-by: Nirmoy Das
+Reviewed-by: Andi Shyti
+Signed-off-by: Andrzej Hajda
+Link: https://patchwork.freedesktop.org/patch/msgid/20230314151920.1065847-1-andrzej.hajda@intel.com
+(cherry picked from commit c4252a11131c7f27a158294241466e2a4e7ff94e)
+Signed-off-by: Jani Nikula
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/gt/intel_gt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_gt.c b/drivers/gpu/drm/i915/gt/intel_gt.c
+index 952e7177409ba..b2a003127d319 100644
+--- a/drivers/gpu/drm/i915/gt/intel_gt.c
++++ b/drivers/gpu/drm/i915/gt/intel_gt.c
+@@ -709,12 +709,12 @@ int intel_gt_init(struct intel_gt *gt)
+ if (err)
+ goto err_gt;
+
+- intel_uc_init_late(>->uc);
+-
+ err = i915_inject_probe_error(gt->i915, -EIO);
+ if (err)
+ goto err_gt;
+
++ intel_uc_init_late(>->uc);
++
+ intel_migrate_init(>->migrate, gt);
+
+ goto out_fw;
+--
+2.39.2
+
diff --git a/queue-5.15/erspan-do-not-use-skb_mac_header-in-ndo_start_xmit.patch b/queue-5.15/erspan-do-not-use-skb_mac_header-in-ndo_start_xmit.patch
new file mode 100644
index 00000000000..a89376d36f6
--- /dev/null
+++ b/queue-5.15/erspan-do-not-use-skb_mac_header-in-ndo_start_xmit.patch
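Review bot: Nothing at the new call site of `intel_uc_init_late()` in `intel_gt_init()` records why it has to follow `i915_inject_probe_error()`, so a later cleanup can move it back. A one-line comment above the call, e.g. `/* Keep after the last fallible step: the err_gt unwind does not undo uc late init. */`, would pin the ordering. The statement about `err_gt` is taken from the commit message and should be confirmed against the unwind path, which lies outside the hunk.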
@@ -0,0 +1,122 @@
+From 78fd85a65d28ba7714d85ff1f6094f5af7206cc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Mar 2023 16:34:27 +0000
+Subject: erspan: do not use skb_mac_header() in ndo_start_xmit()
+
+From: Eric Dumazet
+
+[ Upstream commit 8e50ed774554f93d55426039b27b1e38d7fa64d8 ]
+
+Drivers should not assume skb_mac_header(skb) == skb->data in their
+ndo_start_xmit().
+
+Use skb_network_offset() and skb_transport_offset() which
+better describe what is needed in erspan_fb_xmit() and
+ip6erspan_tunnel_xmit()
+
+syzbot reported:
+WARNING: CPU: 0 PID: 5083 at include/linux/skbuff.h:2873 skb_mac_header include/linux/skbuff.h:2873 [inline]
+WARNING: CPU: 0 PID: 5083 at include/linux/skbuff.h:2873 ip6erspan_tunnel_xmit+0x1d9c/0x2d90 net/ipv6/ip6_gre.c:962
+Modules linked in:
+CPU: 0 PID: 5083 Comm: syz-executor406 Not tainted 6.3.0-rc2-syzkaller-00866-gd4671cb96fa3 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
+RIP: 0010:skb_mac_header include/linux/skbuff.h:2873 [inline]
+RIP: 0010:ip6erspan_tunnel_xmit+0x1d9c/0x2d90 net/ipv6/ip6_gre.c:962
+Code: 04 02 41 01 de 84 c0 74 08 3c 03 0f 8e 1c 0a 00 00 45 89 b4 24 c8 00 00 00 c6 85 77 fe ff ff 01 e9 33 e7 ff ff e8 b4 27 a1 f8 <0f> 0b e9 b6 e7 ff ff e8 a8 27 a1 f8 49 8d bf f0 0c 00 00 48 b8 00
+RSP: 0018:ffffc90003b2f830 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 000000000000ffff RCX: 0000000000000000
+RDX: ffff888021273a80 RSI: ffffffff88e1bd4c RDI: 0000000000000003
+RBP: ffffc90003b2f9d8 R08: 0000000000000003 R09: 000000000000ffff
+R10: 000000000000ffff R11: 0000000000000000 R12: ffff88802b28da00
+R13: 00000000000000d0 R14: ffff88807e25b6d0 R15: ffff888023408000
+FS: 0000555556a61300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055e5b11eb6e8 CR3: 0000000027c1b000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+__netdev_start_xmit include/linux/netdevice.h:4900 [inline]
+netdev_start_xmit include/linux/netdevice.h:4914 [inline]
+__dev_direct_xmit+0x504/0x730 net/core/dev.c:4300
+dev_direct_xmit include/linux/netdevice.h:3088 [inline]
+packet_xmit+0x20a/0x390 net/packet/af_packet.c:285
+packet_snd net/packet/af_packet.c:3075 [inline]
+packet_sendmsg+0x31a0/0x5150 net/packet/af_packet.c:3107
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg+0xde/0x190 net/socket.c:747
+__sys_sendto+0x23a/0x340 net/socket.c:2142
+__do_sys_sendto net/socket.c:2154 [inline]
+__se_sys_sendto net/socket.c:2150 [inline]
+__x64_sys_sendto+0xe1/0x1b0 net/socket.c:2150
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f123aaa1039
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffc15d12058 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f123aaa1039
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000020000040 R09: 0000000000000014
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f123aa648c0
+R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: 1baf5ebf8954 ("erspan: auto detect truncated packets.")
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230320163427.8096-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ip_gre.c | 4 ++--
+ net/ipv6/ip6_gre.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 454c4357a2979..c094963a86f1e 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -552,7 +552,7 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev)
+ truncate = true;
+ }
+
+- nhoff = skb_network_header(skb) - skb_mac_header(skb);
++ nhoff = skb_network_offset(skb);
+ if (skb->protocol == htons(ETH_P_IP) &&
+ (ntohs(ip_hdr(skb)->tot_len) > skb->len - nhoff))
+ truncate = true;
+@@ -561,7 +561,7 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev)
+ int thoff;
+
+ if (skb_transport_header_was_set(skb))
+- thoff = skb_transport_header(skb) - skb_mac_header(skb);
++ thoff = skb_transport_offset(skb);
+ else
+ thoff = nhoff + sizeof(struct ipv6hdr);
+ if (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff)
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 13b1748b8b465..a91f93ec7d2b4 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -959,7 +959,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ truncate = true;
+ }
+
+- nhoff = skb_network_header(skb) - skb_mac_header(skb);
++ nhoff = skb_network_offset(skb);
+ if (skb->protocol == htons(ETH_P_IP) &&
+ (ntohs(ip_hdr(skb)->tot_len) > skb->len - nhoff))
+ truncate = true;
+@@ -968,7 +968,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ int thoff;
+
+ if (skb_transport_header_was_set(skb))
+- thoff = skb_transport_header(skb) - skb_mac_header(skb);
++ thoff = skb_transport_offset(skb);
+ else
+ thoff = nhoff + sizeof(struct ipv6hdr);
+ if (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff)
+--
+2.39.2
+
diff --git a/queue-5.15/gve-cache-link_speed-value-from-device.patch b/queue-5.15/gve-cache-link_speed-value-from-device.patch
new file mode 100644
index 00000000000..30e8b2c78b3
--- /dev/null
+++ b/queue-5.15/gve-cache-link_speed-value-from-device.patch
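Review bot: In both `erspan_fb_xmit()` and `ip6erspan_tunnel_xmit()` the truncation checks still compare a length field from the packet against `skb->len - nhoff` and `skb->len - thoff`, where `thoff` is declared `int` in the hunk and the subtraction is presumably carried out unsigned. If an offset ever exceeded `skb->len`, the right-hand side would wrap to a large value and `truncate` would stay false. The syzbot trace in the commit message reaches this code from `packet_sendmsg()`, so it is worth confirming outside these hunks that `ip_hdr(skb)` and `ipv6_hdr(skb)` lie within the linear data and that the offsets are bounded before these reads. I would state that precondition in a comment above `nhoff = skb_network_offset(skb);` in both files; both function bodies start and end outside the hunks.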
@@ -0,0 +1,47 @@
+From 65ddd78f705acfec2337628985c02de53b077e39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Mar 2023 10:23:32 -0700
+Subject: gve: Cache link_speed value from device
+
+From: Joshua Washington
+
+[ Upstream commit 68c3e4fc8628b1487c965aabb29207249657eb5f ]
+
+The link speed is never changed for the uptime of a VM, and the current
+implementation sends an admin queue command for each call. Admin queue
+command invocations have nontrivial overhead (e.g., VM exits), which can
+be disruptive to users if triggered frequently. Our telemetry data shows
+that there are VMs that make frequent calls to this admin queue command.
+Caching the result of the original admin queue command would eliminate
+the need to send multiple admin queue commands on subsequent calls to
+retrieve link speed.
+
+Fixes: 7e074d5a76ca ("gve: Enable Link Speed Reporting in the driver.")
+Signed-off-by: Joshua Washington
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230321172332.91678-1-joshwash@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/google/gve/gve_ethtool.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_ethtool.c b/drivers/net/ethernet/google/gve/gve_ethtool.c
+index 878329ddcf8df..6a0663aadd1e9 100644
+--- a/drivers/net/ethernet/google/gve/gve_ethtool.c
++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c
+@@ -526,7 +526,10 @@ static int gve_get_link_ksettings(struct net_device *netdev,
+ struct ethtool_link_ksettings *cmd)
+ {
+ struct gve_priv *priv = netdev_priv(netdev);
+- int err = gve_adminq_report_link_speed(priv);
++ int err = 0;
++
++ if (priv->link_speed == 0)
++ err = gve_adminq_report_link_speed(priv);
+
+ cmd->base.speed = priv->link_speed;
+ return err;
+--
+2.39.2
+
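Review bot: `priv->link_speed == 0` now doubles as the "not fetched yet" marker in `gve_get_link_ksettings()`, but nothing in the hunk says so or shows where the cached value is cleared. If the device reports 0 or the admin queue call fails, every call still goes to the admin queue, and a value cached before a device reset is kept unless another path zeroes it, which is not visible here. I would add `/* 0 means not yet queried; the speed is fixed for the VM's lifetime, so ask the device once. */` above the check and confirm that the reset path resets `link_speed`.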
diff --git a/queue-5.15/hvc-xen-prevent-concurrent-accesses-to-the-shared-ri.patch b/queue-5.15/hvc-xen-prevent-concurrent-accesses-to-the-shared-ri.patch
new file mode 100644
index 00000000000..bb0bfd24b4d
--- /dev/null
+++ b/queue-5.15/hvc-xen-prevent-concurrent-accesses-to-the-shared-ri.patch
@@ -0,0 +1,147 @@
+From a2c7ab457a3a73039448065f45c7210a1cbe3d6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 30 Nov 2022 16:09:11 +0100
+Subject: hvc/xen: prevent concurrent accesses to the shared ring
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne
+
+[ Upstream commit 6214894f49a967c749ee6c07cb00f9cede748df4 ]
+
+The hvc machinery registers both a console and a tty device based on
+the hv ops provided by the specific implementation. Those two
+interfaces however have different locks, and there's no single locks
+that's shared between the tty and the console implementations, hence
+the driver needs to protect itself against concurrent accesses.
+Otherwise concurrent calls using the split interfaces are likely to
+corrupt the ring indexes, leaving the console unusable.
+
+Introduce a lock to xencons_info to serialize accesses to the shared
+ring. This is only required when using the shared memory console,
+concurrent accesses to the hypercall based console implementation are
+not an issue.
+
+Note the conditional logic in domU_read_console() is slightly modified
+so the notify_daemon() call can be done outside of the locked region:
+it's an hypercall and there's no need for it to be done with the lock
+held.
+
+Fixes: b536b4b96230 ('xen: use the hvc console infrastructure for Xen console')
+Signed-off-by: Roger Pau Monné
+Reviewed-by: Juergen Gross
+Link: https://lore.kernel.org/r/20221130150919.13935-1-roger.pau@citrix.com
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/hvc/hvc_xen.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/hvc/hvc_xen.c b/drivers/tty/hvc/hvc_xen.c
+index 609a51137e96f..f2f066ce8d9ef 100644
+--- a/drivers/tty/hvc/hvc_xen.c
++++ b/drivers/tty/hvc/hvc_xen.c
+@@ -43,6 +43,7 @@ struct xencons_info {
+ int irq;
+ int vtermno;
+ grant_ref_t gntref;
++ spinlock_t ring_lock;
+ };
+
+ static LIST_HEAD(xenconsoles);
+@@ -89,12 +90,15 @@ static int __write_console(struct xencons_info *xencons,
+ XENCONS_RING_IDX cons, prod;
+ struct xencons_interface *intf = xencons->intf;
+ int sent = 0;
++ unsigned long flags;
+
++ spin_lock_irqsave(&xencons->ring_lock, flags);
+ cons = intf->out_cons;
+ prod = intf->out_prod;
+ mb(); /* update queue values before going on */
+
+ if ((prod - cons) > sizeof(intf->out)) {
++ spin_unlock_irqrestore(&xencons->ring_lock, flags);
+ pr_err_once("xencons: Illegal ring page indices");
+ return -EINVAL;
+ }
+@@ -104,6 +108,7 @@ static int __write_console(struct xencons_info *xencons,
+
+ wmb(); /* write ring before updating pointer */
+ intf->out_prod = prod;
++ spin_unlock_irqrestore(&xencons->ring_lock, flags);
+
+ if (sent)
+ notify_daemon(xencons);
+@@ -146,16 +151,19 @@ static int domU_read_console(uint32_t vtermno, char *buf, int len)
+ int recv = 0;
+ struct xencons_info *xencons = vtermno_to_xencons(vtermno);
+ unsigned int eoiflag = 0;
++ unsigned long flags;
+
+ if (xencons == NULL)
+ return -EINVAL;
+ intf = xencons->intf;
+
++ spin_lock_irqsave(&xencons->ring_lock, flags);
+ cons = intf->in_cons;
+ prod = intf->in_prod;
+ mb(); /* get pointers before reading ring */
+
+ if ((prod - cons) > sizeof(intf->in)) {
++ spin_unlock_irqrestore(&xencons->ring_lock, flags);
+ pr_err_once("xencons: Illegal ring page indices");
+ return -EINVAL;
+ }
+@@ -179,10 +187,13 @@ static int domU_read_console(uint32_t vtermno, char *buf, int len)
+ xencons->out_cons = intf->out_cons;
+ xencons->out_cons_same = 0;
+ }
++ if (!recv && xencons->out_cons_same++ > 1) {
++ eoiflag = XEN_EOI_FLAG_SPURIOUS;
++ }
++ spin_unlock_irqrestore(&xencons->ring_lock, flags);
++
+ if (recv) {
+ notify_daemon(xencons);
+- } else if (xencons->out_cons_same++ > 1) {
+- eoiflag = XEN_EOI_FLAG_SPURIOUS;
+ }
+
+ xen_irq_lateeoi(xencons->irq, eoiflag);
+@@ -239,6 +250,7 @@ static int xen_hvm_console_init(void)
+ info = kzalloc(sizeof(struct xencons_info), GFP_KERNEL);
+ if (!info)
+ return -ENOMEM;
++ spin_lock_init(&info->ring_lock);
+ } else if (info->intf != NULL) {
+ /* already configured */
+ return 0;
+@@ -275,6 +287,7 @@ static int xen_hvm_console_init(void)
+
+ static int xencons_info_pv_init(struct xencons_info *info, int vtermno)
+ {
++ spin_lock_init(&info->ring_lock);
+ info->evtchn = xen_start_info->console.domU.evtchn;
+ /* GFN == MFN for PV guest */
+ info->intf = gfn_to_virt(xen_start_info->console.domU.mfn);
+@@ -325,6 +338,7 @@ static int xen_initial_domain_console_init(void)
+ info = kzalloc(sizeof(struct xencons_info), GFP_KERNEL);
+ if (!info)
+ return -ENOMEM;
++ spin_lock_init(&info->ring_lock);
+ }
+
+ info->irq = bind_virq_to_irq(VIRQ_CONSOLE, 0, false);
+@@ -482,6 +496,7 @@ static int xencons_probe(struct xenbus_device *dev,
+ info = kzalloc(sizeof(struct xencons_info), GFP_KERNEL);
+ if (!info)
+ return -ENOMEM;
++ spin_lock_init(&info->ring_lock);
+ dev_set_drvdata(&dev->dev, info);
+ info->xbdev = dev;
+ info->vtermno = xenbus_devid_to_vtermno(devid);
+--
+2.39.2
+
diff --git a/queue-5.15/i2c-hisi-only-use-the-completion-interrupt-to-finish.patch b/queue-5.15/i2c-hisi-only-use-the-completion-interrupt-to-finish.patch
new file mode 100644
index 00000000000..6100ec620ad
--- /dev/null
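Review bot: The new `ring_lock` field in `struct xencons_info` carries no comment saying what it protects, and it is initialised by four separate `spin_lock_init(&info->ring_lock)` additions, one per allocation path, so a future allocation site can easily miss it. I would document the field, e.g. `spinlock_t ring_lock; /* serialises this guest's tty and console paths on the intf ring indexes */`, and consider one helper that does the `kzalloc()` and the `spin_lock_init()` together. The lock orders only the accesses made from this side; the indexes live in the shared page, so the existing `(prod - cons) > sizeof(intf->in)` and `sizeof(intf->out)` checks remain the guard against values written by the other end. The function bodies extend beyond the hunks.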
+++ b/queue-5.15/i2c-hisi-only-use-the-completion-interrupt-to-finish.patch
@@ -0,0 +1,47 @@
+From 761f47aafd9b65d8daf8328c50acde69ad1a414a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 15:45:52 +0800
+Subject: i2c: hisi: Only use the completion interrupt to finish the transfer
+
+From: Yicong Yang
+
+[ Upstream commit d98263512684a47e81bcb72a5408958ecd1e60b0 ]
+
+The controller will always generate a completion interrupt when the
+transfer is finished normally or not. Currently we use either error or
+completion interrupt to finish, this may result the completion
+interrupt unhandled and corrupt the next transfer, especially at low
+speed mode. Since on error case, the error interrupt will come first
+then is the completion interrupt. So only use the completion interrupt
+to finish the whole transfer process.
+
+Fixes: d62fbdb99a85 ("i2c: add support for HiSilicon I2C controller")
+Reported-by: Sheng Feng
+Signed-off-by: Sheng Feng
+Signed-off-by: Yicong Yang
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-hisi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-hisi.c b/drivers/i2c/busses/i2c-hisi.c
+index acf3948120613..72e43ecaff133 100644
+--- a/drivers/i2c/busses/i2c-hisi.c
++++ b/drivers/i2c/busses/i2c-hisi.c
+@@ -340,7 +340,11 @@ static irqreturn_t hisi_i2c_irq(int irq, void *context)
+ hisi_i2c_read_rx_fifo(ctlr);
+
+ out:
+- if (int_stat & HISI_I2C_INT_TRANS_CPLT || ctlr->xfer_err) {
++ /*
++ * Only use TRANS_CPLT to indicate the completion. On error cases we'll
++ * get two interrupts, INT_ERR first then TRANS_CPLT.
++ */
++ if (int_stat & HISI_I2C_INT_TRANS_CPLT) {
+ hisi_i2c_disable_int(ctlr, HISI_I2C_INT_ALL);
+ hisi_i2c_clear_int(ctlr, HISI_I2C_INT_ALL);
+ complete(ctlr->completion);
+--
+2.39.2
+
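Review bot: With `|| ctlr->xfer_err` removed, `hisi_i2c_irq()` calls `complete()` only when `HISI_I2C_INT_TRANS_CPLT` is seen, so a transfer that errors without a following completion interrupt is ended solely by whatever timeout the waiter uses, and that code is outside the hunk. The added comment states that the hardware raises TRANS_CPLT after INT_ERR; I would extend it with the fallback, e.g. `* If TRANS_CPLT never arrives, the waiter's timeout ends the transfer.`, once it has been confirmed that the wait is a timed one. The handler body starts before the hunk.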
diff --git a/queue-5.15/i2c-imx-lpi2c-check-only-for-enabled-interrupt-flags.patch b/queue-5.15/i2c-imx-lpi2c-check-only-for-enabled-interrupt-flags.patch
new file mode 100644
index 00000000000..f62e8e51965
--- /dev/null
+++ b/queue-5.15/i2c-imx-lpi2c-check-only-for-enabled-interrupt-flags.patch
@@ -0,0 +1,47 @@
+From 1944eae1de117b336846fe8a0ef285edd88f49b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 30 Jan 2023 16:32:47 +0100
+Subject: i2c: imx-lpi2c: check only for enabled interrupt flags
+
+From: Alexander Stein
+
+[ Upstream commit 1c7885004567e8951d65a983be095f254dd20bef ]
+
+When reading from I2C, the Tx watermark is set to 0. Unfortunately the
+TDF (transmit data flag) is enabled when Tx FIFO entries is equal or less
+than watermark. So it is set in every case, hence the reset default of 1.
+This results in the MSR_RDF _and_ MSR_TDF flags to be set thus trying
+to send Tx data on a read message.
+Mask the IRQ status to filter for wanted flags only.
+
+Fixes: a55fa9d0e42e ("i2c: imx-lpi2c: add low power i2c bus driver")
+Signed-off-by: Alexander Stein
+Tested-by: Emanuele Ghidoli
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-imx-lpi2c.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c
+index 8b9ba055c4186..2018dbcf241e9 100644
+--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
+@@ -502,10 +502,14 @@ static int lpi2c_imx_xfer(struct i2c_adapter *adapter,
+ static irqreturn_t lpi2c_imx_isr(int irq, void *dev_id)
+ {
+ struct lpi2c_imx_struct *lpi2c_imx = dev_id;
++ unsigned int enabled;
+ unsigned int temp;
+
++ enabled = readl(lpi2c_imx->base + LPI2C_MIER);
++
+ lpi2c_imx_intctrl(lpi2c_imx, 0);
+ temp = readl(lpi2c_imx->base + LPI2C_MSR);
++ temp &= enabled;
+
+ if (temp & MSR_RDF)
+ lpi2c_imx_read_rxfifo(lpi2c_imx);
+--
+2.39.2
+
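Review bot: The order of the two register reads in `lpi2c_imx_isr()` is load-bearing but uncommented: `LPI2C_MIER` has to be sampled before `lpi2c_imx_intctrl(lpi2c_imx, 0)`, which presumably clears the enable bits. A comment above `enabled = readl(...)`, e.g. `/* Snapshot MIER before interrupts are disabled; only act on enabled flags. */`, would keep the order intact. After `temp &= enabled;` every status bit tested later in the handler is seen only if its interrupt was enabled, so the checks below the hunk, which ends at the `MSR_RDF` test, should be confirmed to depend on enabled sources only.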
diff --git a/queue-5.15/i40e-fix-flow-director-packet-filter-programming.patch b/queue-5.15/i40e-fix-flow-director-packet-filter-programming.patch
new file mode 100644
index 00000000000..443d4e13d77
--- /dev/null
+++ b/queue-5.15/i40e-fix-flow-director-packet-filter-programming.patch
@@ -0,0 +1,44 @@
+From 3ba627ccc92f4a4ec506fc9cce171e8297e12e93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 15:07:33 +0100
+Subject: i40e: fix flow director packet filter programming
+
+From: Radoslaw Tyl
+
+[ Upstream commit c672297bbc0e86dbf88396b8053e2fbb173f16ff ]
+
+Initialize to zero structures to build a valid
+Tx Packet used for the filter programming.
+
+Fixes: a9219b332f52 ("i40e: VLAN field for flow director")
+Signed-off-by: Radoslaw Tyl
+Reviewed-by: Michal Swiatkowski
+Tested-by: Arpana Arland (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_txrx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+index 8f5aad9bbba33..9787e794eeda6 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -170,10 +170,10 @@ static char *i40e_create_dummy_packet(u8 *dummy_packet, bool ipv4, u8 l4proto,
+ struct i40e_fdir_filter *data)
+ {
+ bool is_vlan = !!data->vlan_tag;
+- struct vlan_hdr vlan;
+- struct ipv6hdr ipv6;
+- struct ethhdr eth;
+- struct iphdr ip;
++ struct vlan_hdr vlan = {};
++ struct ipv6hdr ipv6 = {};
++ struct ethhdr eth = {};
++ struct iphdr ip = {};
+ u8 *tmp;
+
+ if (ipv4) {
+--
+2.39.2
+
diff --git a/queue-5.15/iavf-fix-hang-on-reboot-with-ice.patch b/queue-5.15/iavf-fix-hang-on-reboot-with-ice.patch
new file mode 100644
index 00000000000..b7076943590
--- /dev/null
+++ b/queue-5.15/iavf-fix-hang-on-reboot-with-ice.patch
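Review bot: The `= {}` initialisers in `i40e_create_dummy_packet()` are what keep leftover stack contents out of the dummy Tx packet, yet nothing at the declarations says so, and they look removable to anyone who assumes every field is assigned later. I would add `/* Zeroed: these headers are copied into dummy_packet; unset fields must not carry stack data. */` above the four declarations. That the structs end up in `dummy_packet` is inferred from the commit message and the parameter name, since the function body continues outside the hunk.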
@@ -0,0 +1,88 @@
+From e9e2cf943764a8a61066341db7f7a21b528f80ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 17:06:45 +0100
+Subject: iavf: fix hang on reboot with ice
+
+From: Stefan Assmann
+
+[ Upstream commit 4e264be98b88a6d6f476c11087fe865696e8bef5 ]
+
+When a system with E810 with existing VFs gets rebooted the following
+hang may be observed.
+
+ Pid 1 is hung in iavf_remove(), part of a network driver:
+ PID: 1 TASK: ffff965400e5a340 CPU: 24 COMMAND: "systemd-shutdow"
+ #0 [ffffaad04005fa50] __schedule at ffffffff8b3239cb
+ #1 [ffffaad04005fae8] schedule at ffffffff8b323e2d
+ #2 [ffffaad04005fb00] schedule_hrtimeout_range_clock at ffffffff8b32cebc
+ #3 [ffffaad04005fb80] usleep_range_state at ffffffff8b32c930
+ #4 [ffffaad04005fbb0] iavf_remove at ffffffffc12b9b4c [iavf]
+ #5 [ffffaad04005fbf0] pci_device_remove at ffffffff8add7513
+ #6 [ffffaad04005fc10] device_release_driver_internal at ffffffff8af08baa
+ #7 [ffffaad04005fc40] pci_stop_bus_device at ffffffff8adcc5fc
+ #8 [ffffaad04005fc60] pci_stop_and_remove_bus_device at ffffffff8adcc81e
+ #9 [ffffaad04005fc70] pci_iov_remove_virtfn at ffffffff8adf9429
+ #10 [ffffaad04005fca8] sriov_disable at ffffffff8adf98e4
+ #11 [ffffaad04005fcc8] ice_free_vfs at ffffffffc04bb2c8 [ice]
+ #12 [ffffaad04005fd10] ice_remove at ffffffffc04778fe [ice]
+ #13 [ffffaad04005fd38] ice_shutdown at ffffffffc0477946 [ice]
+ #14 [ffffaad04005fd50] pci_device_shutdown at ffffffff8add58f1
+ #15 [ffffaad04005fd70] device_shutdown at ffffffff8af05386
+ #16 [ffffaad04005fd98] kernel_restart at ffffffff8a92a870
+ #17 [ffffaad04005fda8] __do_sys_reboot at ffffffff8a92abd6
+ #18 [ffffaad04005fee0] do_syscall_64 at ffffffff8b317159
+ #19 [ffffaad04005ff08] __context_tracking_enter at ffffffff8b31b6fc
+ #20 [ffffaad04005ff18] syscall_exit_to_user_mode at ffffffff8b31b50d
+ #21 [ffffaad04005ff28] do_syscall_64 at ffffffff8b317169
+ #22 [ffffaad04005ff50] entry_SYSCALL_64_after_hwframe at ffffffff8b40009b
+ RIP: 00007f1baa5c13d7 RSP: 00007fffbcc55a98 RFLAGS: 00000202
+ RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1baa5c13d7
+ RDX: 0000000001234567 RSI: 0000000028121969 RDI: 00000000fee1dead
+ RBP: 00007fffbcc55ca0 R8: 0000000000000000 R9: 00007fffbcc54e90
+ R10: 00007fffbcc55050 R11: 0000000000000202 R12: 0000000000000005
+ R13: 0000000000000000 R14: 00007fffbcc55af0 R15: 0000000000000000
+ ORIG_RAX: 00000000000000a9 CS: 0033 SS: 002b
+
+During reboot all drivers PM shutdown callbacks are invoked.
+In iavf_shutdown() the adapter state is changed to __IAVF_REMOVE.
+In ice_shutdown() the call chain above is executed, which at some point
+calls iavf_remove(). However iavf_remove() expects the VF to be in one
+of the states __IAVF_RUNNING, __IAVF_DOWN or __IAVF_INIT_FAILED. If
+that's not the case it sleeps forever.
+So if iavf_shutdown() gets invoked before iavf_remove() the system will
+hang indefinitely because the adapter is already in state __IAVF_REMOVE.
+
+Fix this by returning from iavf_remove() if the state is __IAVF_REMOVE,
+as we already went through iavf_shutdown().
+
+Fixes: 974578017fc1 ("iavf: Add waiting so the port is initialized in remove")
+Fixes: a8417330f8a5 ("iavf: Fix race condition between iavf_shutdown and iavf_remove")
+Reported-by: Marius Cornea
+Signed-off-by: Stefan Assmann
+Reviewed-by: Michal Kubiak
+Tested-by: Rafal Romanowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 82c4f1190e41c..f5e6ae2c683f4 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -4213,6 +4213,11 @@ static void iavf_remove(struct pci_dev *pdev)
+ mutex_unlock(&adapter->crit_lock);
+ break;
+ }
++ /* Simply return if we already went through iavf_shutdown */
++ if (adapter->state == __IAVF_REMOVE) {
++ mutex_unlock(&adapter->crit_lock);
++ return;
++ }
+
+ mutex_unlock(&adapter->crit_lock);
+ usleep_range(500, 1000);
+--
+2.39.2
+
diff --git a/queue-5.15/iavf-fix-inverted-rx-hash-condition-leading-to-disab.patch b/queue-5.15/iavf-fix-inverted-rx-hash-condition-leading-to-disab.patch
new file mode 100644
index 00000000000..54bcfcb159c
--- /dev/null
+++ b/queue-5.15/iavf-fix-inverted-rx-hash-condition-leading-to-disab.patch
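Review bot: The new early `return` in `iavf_remove()` leaves the function before everything that follows the wait loop, so it is correct only if `iavf_shutdown()` has already released whatever the rest of `iavf_remove()` would release; that code is outside the hunk. The comment `/* Simply return if we already went through iavf_shutdown */` could state the assumption, e.g. `/* iavf_shutdown() already quiesced the adapter and set __IAVF_REMOVE; nothing is left to tear down here. */`, once it has been checked. It is also worth confirming that `__IAVF_REMOVE` is set only by the shutdown path before this point, because any other setter would now skip the teardown as well.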
@@ -0,0 +1,44 @@
+From 65710502fff434276ed5661f9a86c963a51c993d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Mar 2023 12:59:07 +0100
+Subject: iavf: fix inverted Rx hash condition leading to disabled hash
+
+From: Alexander Lobakin
+
+[ Upstream commit 32d57f667f871bc5a8babbe27ea4c5e668ee0ea8 ]
+
+Condition, which checks whether the netdev has hashing enabled is
+inverted. Basically, the tagged commit effectively disabled passing flow
+hash from descriptor to skb, unless user *disables* it via Ethtool.
+Commit a876c3ba59a6 ("i40e/i40evf: properly report Rx packet hash")
+fixed this problem, but only for i40e.
+Invert the condition now in iavf and unblock passing hash to skbs again.
+
+Fixes: 857942fd1aa1 ("i40e: Fix Rx hash reported to the stack by our driver")
+Reviewed-by: Larysa Zaremba
+Reviewed-by: Michal Kubiak
+Signed-off-by: Alexander Lobakin
+Tested-by: Rafal Romanowski
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf_txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+index e76e3df3e2d9e..643dbe5bf9973 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+@@ -1061,7 +1061,7 @@ static inline void iavf_rx_hash(struct iavf_ring *ring,
+ cpu_to_le64((u64)IAVF_RX_DESC_FLTSTAT_RSS_HASH <<
+ IAVF_RX_DESC_STATUS_FLTSTAT_SHIFT);
+
+- if (ring->netdev->features & NETIF_F_RXHASH)
++ if (!(ring->netdev->features & NETIF_F_RXHASH))
+ return;
+
+ if ((rx_desc->wb.qword1.status_error_len & rss_mask) == rss_mask) {
+--
+2.39.2
+
diff --git a/queue-5.15/iavf-fix-non-tunneled-ipv6-udp-packet-type-and-hashi.patch b/queue-5.15/iavf-fix-non-tunneled-ipv6-udp-packet-type-and-hashi.patch
new file mode 100644
index 00000000000..91086a70244
--- /dev/null
+++ b/queue-5.15/iavf-fix-non-tunneled-ipv6-udp-packet-type-and-hashi.patch 
@@ -0,0 +1,48 @@
+From 60b0e803afcd2f253ee01821d4e42b14a1427428 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Mar 2023 12:59:08 +0100
+Subject: iavf: fix non-tunneled IPv6 UDP packet type and hashing
+
+From: Alexander Lobakin
+
+[ Upstream commit de58647b4301fe181f9c38e8b46f7021584ae427 ]
+
+Currently, IAVF's decode_rx_desc_ptype() correctly reports payload type
+of L4 for IPv4 UDP packets and IPv{4,6} TCP, but only L3 for IPv6 UDP.
+Originally, i40e, ice and iavf were affected.
+Commit 73df8c9e3e3d ("i40e: Correct UDP packet header for non_tunnel-ipv6")
+fixed that in i40e, then
+commit 638a0c8c8861 ("ice: fix incorrect payload indicator on PTYPE")
+fixed that for ice.
+IPv6 UDP is L4 obviously. Fix it and make iavf report correct L4 hash
+type for such packets, so that the stack won't calculate it on CPU when
+needs it.
+
+Fixes: 206812b5fccb ("i40e/i40evf: i40e implementation for skb_set_hash")
+Reviewed-by: Larysa Zaremba
+Reviewed-by: Michal Kubiak
+Signed-off-by: Alexander Lobakin
+Tested-by: Rafal Romanowski
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_common.c b/drivers/net/ethernet/intel/iavf/iavf_common.c
+index e9cc7f6ddc466..c423e73c2d026 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_common.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_common.c
+@@ -661,7 +661,7 @@ struct iavf_rx_ptype_decoded iavf_ptype_lookup[BIT(8)] = {
+ /* Non Tunneled IPv6 */
+ IAVF_PTT(88, IP, IPV6, FRG, NONE, NONE, NOF, NONE, PAY3),
+ IAVF_PTT(89, IP, IPV6, NOF, NONE, NONE, NOF, NONE, PAY3),
+- IAVF_PTT(90, IP, IPV6, NOF, NONE, NONE, NOF, UDP, PAY3),
++ IAVF_PTT(90, IP, IPV6, NOF, NONE, NONE, NOF, UDP, PAY4),
+ IAVF_PTT_UNUSED_ENTRY(91),
+ IAVF_PTT(92, IP, IPV6, NOF, NONE, NONE, NOF, TCP, PAY4),
+ IAVF_PTT(93, IP, IPV6, NOF, NONE, NONE, NOF, SCTP, PAY4),
+--
+2.39.2
+
diff --git a/queue-5.15/igbvf-regard-vf-reset-nack-as-success.patch b/queue-5.15/igbvf-regard-vf-reset-nack-as-success.patch
new file mode 100644
index 00000000000..b33581cd242
--- /dev/null
+++ b/queue-5.15/igbvf-regard-vf-reset-nack-as-success.patch
@@ -0,0 +1,62 @@
+From 841f14cbea3b015e9d63b6382c8cb8b9af357909 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Dec 2022 19:20:03 +0900
+Subject: igbvf: Regard vf reset nack as success
+
+From: Akihiko Odaki
+
+[ Upstream commit 02c83791ef969c6a8a150b4927193d0d0e50fb23 ]
+
+vf reset nack actually represents the reset operation itself is
+performed but no address is assigned. Therefore, e1000_reset_hw_vf
+should fill the "perm_addr" with the zero address and return success on
+such an occasion. This prevents its callers in netdev.c from saying PF
+still resetting, and instead allows them to correctly report that no
+address is assigned.
+
+Fixes: 6ddbc4cf1f4d ("igb: Indicate failure on vf reset for empty mac address")
+Signed-off-by: Akihiko Odaki
+Reviewed-by: Leon Romanovsky
+Tested-by: Marek Szlosek
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igbvf/vf.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igbvf/vf.c b/drivers/net/ethernet/intel/igbvf/vf.c
+index b8ba3f94c3632..a47a2e3e548cf 100644
+--- a/drivers/net/ethernet/intel/igbvf/vf.c
++++ b/drivers/net/ethernet/intel/igbvf/vf.c
+@@ -1,6 +1,8 @@
+ // SPDX-License-Identifier: GPL-2.0
+ /* Copyright(c) 2009 - 2018 Intel Corporation. */
+
++#include
++
+ #include "vf.h"
+
+ static s32 e1000_check_for_link_vf(struct e1000_hw *hw);
+@@ -131,11 +133,16 @@ static s32 e1000_reset_hw_vf(struct e1000_hw *hw)
+ /* set our "perm_addr" based on info provided by PF */
+ ret_val = mbx->ops.read_posted(hw, msgbuf, 3);
+ if (!ret_val) {
+- if (msgbuf[0] == (E1000_VF_RESET |
+- E1000_VT_MSGTYPE_ACK))
++ switch (msgbuf[0]) {
++ case E1000_VF_RESET | E1000_VT_MSGTYPE_ACK:
+ memcpy(hw->mac.perm_addr, addr, ETH_ALEN);
+- else
++ break;
++ case E1000_VF_RESET | E1000_VT_MSGTYPE_NACK:
++ eth_zero_addr(hw->mac.perm_addr);
++ break;
++ default:
+ ret_val = -E1000_ERR_MAC_INIT;
++ }
+ }
+ }
+
+--
+2.39.2
+
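Review bot: The new `E1000_VF_RESET | E1000_VT_MSGTYPE_NACK` case in e1000_reset_hw_vf() returns success with an all-zero `perm_addr`, and nothing at the case says that this is intentional or what callers are expected to do with it. A comment above `eth_zero_addr(hw->mac.perm_addr);`, such as `/* PF completed the reset but assigned no MAC; callers must validate perm_addr */`, would stop a later reader from treating the zero address as a bug. The callers in netdev.c that the description relies on are not touched by this patch, so their handling of a zero address cannot be confirmed from here. e1000_reset_hw_vf() starts and ends outside the hunk.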
diff --git a/queue-5.15/igc-fix-the-validation-logic-for-taprio-s-gate-list.patch b/queue-5.15/igc-fix-the-validation-logic-for-taprio-s-gate-list.patch
new file mode 100644
index 00000000000..b13484da77f
--- /dev/null
+++ b/queue-5.15/igc-fix-the-validation-logic-for-taprio-s-gate-list.patch
@@ -0,0 +1,76 @@
+From 66b6f59c46b19faef8b94897fa48ae1a3ba0a218 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 15:45:31 +0900
+Subject: igc: fix the validation logic for taprio's gate list
+
+From: AKASHI Takahiro
+
+[ Upstream commit 2b4cc3d3f4d8ec42961e98568a0afeee96a943ab ]
+
+The check introduced in the commit a5fd39464a40 ("igc: Lift TAPRIO schedule
+restriction") can detect a false positive error in some corner case.
+For instance,
+ tc qdisc replace ... taprio num_tc 4
+ ...
+ sched-entry S 0x01 100000 # slot#1
+ sched-entry S 0x03 100000 # slot#2
+ sched-entry S 0x04 100000 # slot#3
+ sched-entry S 0x08 200000 # slot#4
+ flags 0x02 # hardware offload
+
+Here the queue#0 (the first queue) is on at the slot#1 and #2,
+and off at the slot#3 and #4. Under the current logic, when the slot#4
+is examined, validate_schedule() returns *false* since the enablement
+count for the queue#0 is two and it is already off at the previous slot
+(i.e. #3). But this definition is truely correct.
+
+Let's fix the logic to enforce a strict validation for consecutively-opened
+slots.
+
+Fixes: a5fd39464a40 ("igc: Lift TAPRIO schedule restriction")
+Signed-off-by: AKASHI Takahiro
+Reviewed-by: Kurt Kanzenbach
+Acked-by: Vinicius Costa Gomes
+Tested-by: Naama Meir
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index bde3fea2c442e..e255b0a004f88 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -5951,18 +5951,18 @@ static bool validate_schedule(struct igc_adapter *adapter,
+ if (e->command != TC_TAPRIO_CMD_SET_GATES)
+ return false;
+
+- for (i = 0; i < adapter->num_tx_queues; i++) {
+- if (e->gate_mask & BIT(i))
++ for (i = 0; i < adapter->num_tx_queues; i++)
++ if (e->gate_mask & BIT(i)) {
+ queue_uses[i]++;
+
+- /* There are limitations: A single queue cannot be
+- * opened and closed multiple times per cycle unless the
+- * gate stays open. Check for it.
+- */
+- if (queue_uses[i] > 1 &&
+- !(prev->gate_mask & BIT(i)))
+- return false;
+- }
++ /* There are limitations: A single queue cannot
++ * be opened and closed multiple times per cycle
++ * unless the gate stays open. Check for it.
++ */
++ if (queue_uses[i] > 1 &&
++ !(prev->gate_mask & BIT(i)))
++ return false;
++ }
+ }
+
+ return true;
+--
+2.39.2
+
diff --git a/queue-5.15/intel-igbvf-free-irq-on-the-error-path-in-igbvf_requ.patch b/queue-5.15/intel-igbvf-free-irq-on-the-error-path-in-igbvf_requ.patch
new file mode 100644
index 00000000000..11fc2a197df
--- /dev/null
+++ b/queue-5.15/intel-igbvf-free-irq-on-the-error-path-in-igbvf_requ.patch
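Review bot: The inner `for (i = 0; i < adapter->num_tx_queues; i++)` in validate_schedule() loses its braces even though its body is now a multi-line `if` block holding a comment and a nested `return false;`, and the closing brace that follows it belongs to the enclosing loop, which makes the nesting easy to misread. Keeping `for (i = 0; i < adapter->num_tx_queues; i++) {` with a matching `}` after the `if` block leaves the logic as the patch intends and follows the kernel rule of bracing loops whose body is more than one simple statement. The function begins and ends outside the hunk.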
@@ -0,0 +1,54 @@
+From cea5ef4d6d7784a93a5423d632f7f88d6671a626 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Nov 2022 10:28:52 +0800
+Subject: intel/igbvf: free irq on the error path in igbvf_request_msix()
+
+From: Gaosheng Cui
+
+[ Upstream commit 85eb39bb39cbb5c086df1e19ba67cc1366693a77 ]
+
+In igbvf_request_msix(), irqs have not been freed on the err path,
+we need to free it. Fix it.
+
+Fixes: d4e0fe01a38a ("igbvf: add new driver to support 82576 virtual functions")
+Signed-off-by: Gaosheng Cui
+Reviewed-by: Maciej Fijalkowski
+Tested-by: Marek Szlosek
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igbvf/netdev.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c
+index d051918dfdff9..ebd6d464fa0cf 100644
+--- a/drivers/net/ethernet/intel/igbvf/netdev.c
++++ b/drivers/net/ethernet/intel/igbvf/netdev.c
+@@ -1074,7 +1074,7 @@ static int igbvf_request_msix(struct igbvf_adapter *adapter)
+ igbvf_intr_msix_rx, 0, adapter->rx_ring->name,
+ netdev);
+ if (err)
+- goto out;
++ goto free_irq_tx;
+
+ adapter->rx_ring->itr_register = E1000_EITR(vector);
+ adapter->rx_ring->itr_val = adapter->current_itr;
+@@ -1083,10 +1083,14 @@ static int igbvf_request_msix(struct igbvf_adapter *adapter)
+ err = request_irq(adapter->msix_entries[vector].vector,
+ igbvf_msix_other, 0, netdev->name, netdev);
+ if (err)
+- goto out;
++ goto free_irq_rx;
+
+ igbvf_configure_msix(adapter);
+ return 0;
++free_irq_rx:
++ free_irq(adapter->msix_entries[--vector].vector, netdev);
++free_irq_tx:
++ free_irq(adapter->msix_entries[--vector].vector, netdev);
+ out:
+ return err;
+ }
+--
+2.39.2
+
diff --git a/queue-5.15/keys-do-not-cache-key-in-task-struct-if-key-is-reque.patch b/queue-5.15/keys-do-not-cache-key-in-task-struct-if-key-is-reque.patch
new file mode 100644
index 00000000000..03fa6ac10df
--- /dev/null
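Review bot: The new `free_irq_rx:` and `free_irq_tx:` labels in igbvf_request_msix() choose the IRQ to release with `--vector`, so the unwind is only correct while every successful request_irq() is followed by exactly one increment of `vector` before the next request, and those increments sit outside the hunk. A comment at the labels, e.g. `/* vector indexes the request that failed; step back over the ones that succeeded */`, would record that coupling, since a mismatch would release an IRQ that was never requested or leave one registered. The first request_irq() call, the one `free_irq_tx` undoes, is also outside the hunk, so it is assumed to pass `netdev` as its dev_id like the two visible calls.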
+++ b/queue-5.15/keys-do-not-cache-key-in-task-struct-if-key-is-reque.patch 
@@ -0,0 +1,64 @@
+From 2d2976fabdb1ae6b49f0bc9e4fc168f6d706b68a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Mar 2023 15:15:18 +0000
+Subject: keys: Do not cache key in task struct if key is requested from kernel
+ thread
+
+From: David Howells
+
+[ Upstream commit 47f9e4c924025c5be87959d3335e66fcbb7f6b5c ]
+
+The key which gets cached in task structure from a kernel thread does not
+get invalidated even after expiry. Due to which, a new key request from
+kernel thread will be served with the cached key if it's present in task
+struct irrespective of the key validity. The change is to not cache key in
+task_struct when key requested from kernel thread so that kernel thread
+gets a valid key on every key request.
+
+The problem has been seen with the cifs module doing DNS lookups from a
+kernel thread and the results getting pinned by being attached to that
+kernel thread's cache - and thus not something that can be easily got rid
+of. The cache would ordinarily be cleared by notify-resume, but kernel
+threads don't do that.
+
+This isn't seen with AFS because AFS is doing request_key() within the
+kernel half of a user thread - which will do notify-resume.
+
+Fixes: 7743c48e54ee ("keys: Cache result of request_key*() temporarily in task_struct")
+Signed-off-by: Bharath SM
+Signed-off-by: David Howells
+Reviewed-by: Jarkko Sakkinen
+cc: Shyam Prasad N
+cc: Steve French
+cc: keyrings@vger.kernel.org
+cc: linux-cifs@vger.kernel.org
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/CAGypqWw951d=zYRbdgNR4snUDvJhWL=q3=WOyh7HhSJupjz2vA@mail.gmail.com/
+Signed-off-by: Sasha Levin
+---
+ security/keys/request_key.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 2da4404276f0f..07a0ef2baacd8 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -38,9 +38,12 @@ static void cache_requested_key(struct key *key)
+ #ifdef CONFIG_KEYS_REQUEST_CACHE
+ struct task_struct *t = current;
+
+- key_put(t->cached_requested_key);
+- t->cached_requested_key = key_get(key);
+- set_tsk_thread_flag(t, TIF_NOTIFY_RESUME);
++ /* Do not cache key if it is a kernel thread */
++ if (!(t->flags & PF_KTHREAD)) {
++ key_put(t->cached_requested_key);
++ t->cached_requested_key = key_get(key);
++ set_tsk_thread_flag(t, TIF_NOTIFY_RESUME);
++ }
+ #endif
+ }
+
+--
+2.39.2
+
diff --git a/queue-5.15/ksmbd-add-low-bound-validation-to-fsctl_query_alloca.patch b/queue-5.15/ksmbd-add-low-bound-validation-to-fsctl_query_alloca.patch
new file mode 100644
index 00000000000..3133104dbb8
--- /dev/null
+++ b/queue-5.15/ksmbd-add-low-bound-validation-to-fsctl_query_alloca.patch
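Review bot: The added comment `/* Do not cache key if it is a kernel thread */` in cache_requested_key() restates the `PF_KTHREAD` test but not the reason for it, which is recorded only in the commit message. I would put the reason at the check, e.g. `/* Kernel threads never run notify-resume, so a key cached here would never be dropped and could be served after it expires */`. The path that reads `t->cached_requested_key` is not part of this hunk, so whether it re-validates a cached key for user tasks cannot be confirmed from here.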
@@ -0,0 +1,52 @@
+From 408cf459b8fdeb20b1ee2302ebfb40a8476b8b6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 21:56:07 +0900
+Subject: ksmbd: add low bound validation to FSCTL_QUERY_ALLOCATED_RANGES
+
+From: Namjae Jeon
+
+[ Upstream commit 342edb60dcda7a409430359b0cac2864bb9dfe44 ]
+
+Smatch static checker warning:
+ fs/ksmbd/vfs.c:1040 ksmbd_vfs_fqar_lseek() warn: no lower bound on 'length'
+ fs/ksmbd/vfs.c:1041 ksmbd_vfs_fqar_lseek() warn: no lower bound on 'start'
+
+Fix unexpected result that could caused from negative start and length.
+
+Fixes: f44158485826 ("cifsd: add file operations")
+Reported-by: Dan Carpenter
+Signed-off-by: Namjae Jeon
+Reviewed-by: Sergey Senozhatsky
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/ksmbd/smb2pdu.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index 305313abbc24b..45e7c854e1d4b 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -7415,13 +7415,16 @@ static int fsctl_query_allocated_ranges(struct ksmbd_work *work, u64 id,
+ if (in_count == 0)
+ return -EINVAL;
+
++ start = le64_to_cpu(qar_req->file_offset);
++ length = le64_to_cpu(qar_req->length);
++
++ if (start < 0 || length < 0)
++ return -EINVAL;
++
+ fp = ksmbd_lookup_fd_fast(work, id);
+ if (!fp)
+ return -ENOENT;
+
+- start = le64_to_cpu(qar_req->file_offset);
+- length = le64_to_cpu(qar_req->length);
+-
+ ret = ksmbd_vfs_fqar_lseek(fp, start, length,
+ qar_rsp, in_count, out_count);
+ if (ret && ret != -E2BIG)
+--
+2.39.2
+
diff --git a/queue-5.15/ksmbd-add-low-bound-validation-to-fsctl_set_zero_dat.patch b/queue-5.15/ksmbd-add-low-bound-validation-to-fsctl_set_zero_dat.patch
new file mode 100644
index 00000000000..897a239f750
--- /dev/null
+++ b/queue-5.15/ksmbd-add-low-bound-validation-to-fsctl_set_zero_dat.patch
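Review bot: The new guard in fsctl_query_allocated_ranges() rejects negative `start` and `length`, but both values are read straight from the client's request and two large positive values still pass it. If ksmbd_vfs_fqar_lseek(), which is not shown, adds them to form an end offset, that sum can overflow the signed type; bounding it in the same check would close the gap, e.g. `if (start < 0 || length < 0 || length > LLONG_MAX - start) return -EINVAL;`. This assumes both variables are declared as a signed 64-bit type, since their declarations are outside the hunk. The function starts and ends outside the hunk.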
@@ -0,0 +1,41 @@
+From 4e1aa4d4c95f617c89a2ffe733086b2a049d340d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 5 Mar 2023 21:04:00 +0900
+Subject: ksmbd: add low bound validation to FSCTL_SET_ZERO_DATA
+
+From: Namjae Jeon
+
+[ Upstream commit 2d74ec97131b1179a373b6d521f195c84e894eb6 ]
+
+Smatch static checker warning:
+ fs/ksmbd/smb2pdu.c:7759 smb2_ioctl()
+ warn: no lower bound on 'off'
+
+Fix unexpected result that could caused from negative off and bfz.
+
+Fixes: b5e5f9dfc915 ("ksmbd: check invalid FileOffset and BeyondFinalZero in FSCTL_ZERO_DATA")
+Reported-by: Dan Carpenter
+Signed-off-by: Namjae Jeon
+Reviewed-by: Sergey Senozhatsky
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/ksmbd/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index ac029dfd23ab8..305313abbc24b 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -7725,7 +7725,7 @@ int smb2_ioctl(struct ksmbd_work *work)
+
+ off = le64_to_cpu(zero_data->FileOffset);
+ bfz = le64_to_cpu(zero_data->BeyondFinalZero);
+- if (off > bfz) {
++ if (off < 0 || bfz < 0 || off > bfz) {
+ ret = -EINVAL;
+ goto out;
+ }
+--
+2.39.2
+
diff --git a/queue-5.15/ksmbd-fix-possible-refcount-leak-in-smb2_open.patch b/queue-5.15/ksmbd-fix-possible-refcount-leak-in-smb2_open.patch
new file mode 100644
index 00000000000..767d1b1c1f4
--- /dev/null
+++ b/queue-5.15/ksmbd-fix-possible-refcount-leak-in-smb2_open.patch
@@ -0,0 +1,41 @@
+From 36deeb861c167214602fc8c4ad0757c94a8e990e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Mar 2023 21:58:04 +0800
+Subject: ksmbd: fix possible refcount leak in smb2_open()
+
+From: ChenXiaoSong
+
+[ Upstream commit 2624b445544ffc1472ccabfb6ec867c199d4c95c ]
+
+Reference count of acls will leak when memory allocation fails. Fix this
+by adding the missing posix_acl_release().
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Signed-off-by: ChenXiaoSong
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/ksmbd/smb2pdu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index 45e7c854e1d4b..733a3d851e4ce 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -2979,8 +2979,11 @@ int smb2_open(struct ksmbd_work *work)
+ sizeof(struct smb_acl) +
+ sizeof(struct smb_ace) * ace_num * 2,
+ GFP_KERNEL);
+- if (!pntsd)
++ if (!pntsd) {
++ posix_acl_release(fattr.cf_acls);
++ posix_acl_release(fattr.cf_dacls);
+ goto err_out;
++ }
+
+ rc = build_sec_desc(user_ns,
+ pntsd, NULL, 0,
+--
+2.39.2
+
diff --git a/queue-5.15/net-dsa-b53-mmap-fix-device-tree-support.patch b/queue-5.15/net-dsa-b53-mmap-fix-device-tree-support.patch
new file mode 100644
index 00000000000..0f53d4e133c
--- /dev/null
+++ b/queue-5.15/net-dsa-b53-mmap-fix-device-tree-support.patch
@@ -0,0 +1,40 @@
+From 8153275da2e26e9580d4f3ff908b3b6f8c12ec71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Mar 2023 18:28:07 +0100
+Subject: net: dsa: b53: mmap: fix device tree support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas
+
+[ Upstream commit 30796d0dcb6e41c6558a07950f2ce60c209da867 ]
+
+CPU port should also be enabled in order to get a working switch.
+
+Fixes: a5538a777b73 ("net: dsa: b53: mmap: Add device tree support")
+Signed-off-by: Álvaro Fernández Rojas
+Acked-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20230316172807.460146-1-noltari@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/b53/b53_mmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/b53/b53_mmap.c b/drivers/net/dsa/b53/b53_mmap.c
+index ae4c79d39bc04..3388f620fac99 100644
+--- a/drivers/net/dsa/b53/b53_mmap.c
++++ b/drivers/net/dsa/b53/b53_mmap.c
+@@ -263,7 +263,7 @@ static int b53_mmap_probe_of(struct platform_device *pdev,
+ if (of_property_read_u32(of_port, "reg", ®))
+ continue;
+
+- if (reg < B53_CPU_PORT)
++ if (reg < B53_N_PORTS)
+ pdata->enabled_ports |= BIT(reg);
+ }
+
+--
+2.39.2
+
diff --git a/queue-5.15/net-dsa-mt7530-move-enabling-disabling-core-clock-to.patch b/queue-5.15/net-dsa-mt7530-move-enabling-disabling-core-clock-to.patch
new file mode 100644
index 00000000000..7583342cc16
--- /dev/null
+++ b/queue-5.15/net-dsa-mt7530-move-enabling-disabling-core-clock-to.patch
@@ -0,0 +1,91 @@
+From f08ca53eb4ef05a1ff963dab208fea475d7abb53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Mar 2023 22:05:18 +0300
+Subject: net: dsa: mt7530: move enabling disabling core clock to
+ mt7530_pll_setup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL
+
+[ Upstream commit 8f058a6ef99f0b88a177b58cc46a44ff5112e40a ]
+
+Split the code that enables and disables TRGMII clocks and core clock.
+Move enabling and disabling core clock to mt7530_pll_setup() as it's
+supposed to be run there.
+
+Add 20 ms delay before enabling the core clock as seen on the U-Boot
+MediaTek ethernet driver.
+
+Change the comment for enabling and disabling TRGMII clocks as the code
+seems to affect both TXC and RXC.
+
+Tested rgmii and trgmii modes of port 6 and rgmii mode of port 5 on MCM
+MT7530 on MT7621AT Unielec U7621-06 and standalone MT7530 on MT7623NI
+Bananapi BPI-R2.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Link: https://source.denx.de/u-boot/u-boot/-/blob/29a48bf9ccba45a5e560bb564bbe76e42629325f/drivers/net/mtk_eth.c#L589
+Tested-by: Arınç ÜNAL
+Signed-off-by: Arınç ÜNAL
+Link: https://lore.kernel.org/r/20230320190520.124513-1-arinc.unal@arinc9.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/mt7530.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 793992c378559..1ad6c8b44183c 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -391,6 +391,9 @@ mt7530_fdb_write(struct mt7530_priv *priv, u16 vid,
+ /* Set up switch core clock for MT7530 */
+ static void mt7530_pll_setup(struct mt7530_priv *priv)
+ {
++ /* Disable core clock */
++ core_clear(priv, CORE_TRGMII_GSW_CLK_CG, REG_GSWCK_EN);
++
+ /* Disable PLL */
+ core_write(priv, CORE_GSWPLL_GRP1, 0);
+
+@@ -404,6 +407,11 @@ static void
mt7530_pll_setup(struct mt7530_priv *priv)
+ RG_GSWPLL_EN_PRE |
+ RG_GSWPLL_POSDIV_200M(2) |
+ RG_GSWPLL_FBKDIV_200M(32));
++
++ udelay(20);
++
++ /* Enable core clock */
++ core_set(priv, CORE_TRGMII_GSW_CLK_CG, REG_GSWCK_EN);
+ }
+
+ /* Setup TX circuit including relevant PAD and driving */
+@@ -461,9 +469,8 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ mt7530_write(priv, MT7530_TRGMII_TD_ODT(i),
+ TD_DM_DRVP(8) | TD_DM_DRVN(8));
+
+- /* Disable MT7530 core and TRGMII Tx clocks */
+- core_clear(priv, CORE_TRGMII_GSW_CLK_CG,
+- REG_GSWCK_EN | REG_TRGMIICK_EN);
++ /* Disable the MT7530 TRGMII clocks */
++ core_clear(priv, CORE_TRGMII_GSW_CLK_CG, REG_TRGMIICK_EN);
+
+ /* Setup the MT7530 TRGMII Tx Clock */
+ core_write(priv, CORE_PLL_GROUP5, RG_LCDDS_PCW_NCPO1(ncpo1));
+@@ -480,9 +487,8 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ RG_LCDDS_PCW_NCPO_CHG | RG_LCCDS_C(3) |
+ RG_LCDDS_PWDB | RG_LCDDS_ISO_EN);
+
+- /* Enable MT7530 core and TRGMII Tx clocks */
+- core_set(priv, CORE_TRGMII_GSW_CLK_CG,
+- REG_GSWCK_EN | REG_TRGMIICK_EN);
++ /* Enable the MT7530 TRGMII clocks */
++ core_set(priv, CORE_TRGMII_GSW_CLK_CG, REG_TRGMIICK_EN);
+ } else {
+ for (i = 0 ; i < NUM_TRGMII_CTRL; i++)
+ mt7530_rmw(priv, MT7530_TRGMII_RD(i),
+--
+2.39.2
+
diff --git a/queue-5.15/net-dsa-mt7530-move-lowering-trgmii-driving-to-mt753.patch b/queue-5.15/net-dsa-mt7530-move-lowering-trgmii-driving-to-mt753.patch
new file mode 100644
index 00000000000..39408d9403a
--- /dev/null
+++ b/queue-5.15/net-dsa-mt7530-move-lowering-trgmii-driving-to-mt753.patch
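Review bot: The description says a 20 ms delay is added before the core clock is enabled, but the line added to mt7530_pll_setup() is `udelay(20);`, which waits 20 microseconds. The two differ by a factor of a thousand and the hunk gives no way to tell which one is intended; the call is also the only step in the function without a comment. I would state the intended wait at the call, e.g. `/* Wait 20 us before enabling the core clock, as the U-Boot driver does */`, or use a millisecond sleep if the message is the accurate side, and correct the other to match.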
@@ -0,0 +1,100 @@
+From 2843f67b72ae99983f15f64a643fcc103c3f6d24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Mar 2023 22:05:19 +0300
+Subject: net: dsa: mt7530: move lowering TRGMII driving to mt7530_setup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL
+
+[ Upstream commit fdcc8ccd823740c18e803b886cec461bc0e64201 ]
+
+Move lowering the TRGMII Tx clock driving to mt7530_setup(), after setting
+the core clock, as seen on the U-Boot MediaTek ethernet driver.
+
+Move the code which looks like it lowers the TRGMII Rx clock driving to
+after the TRGMII Tx clock driving is lowered. This is run after lowering
+the Tx clock driving on the U-Boot MediaTek ethernet driver as well.
+
+This way, the switch should consume less power regardless of port 6 being
+used.
+
+Update the comment explaining mt7530_pad_clk_setup().
+
+Tested rgmii and trgmii modes of port 6 and rgmii mode of port 5 on MCM
+MT7530 on MT7621AT Unielec U7621-06 and standalone MT7530 on MT7623NI
+Bananapi BPI-R2.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Link: https://source.denx.de/u-boot/u-boot/-/blob/29a48bf9ccba45a5e560bb564bbe76e42629325f/drivers/net/mtk_eth.c#L682
+Tested-by: Arınç ÜNAL
+Signed-off-by: Arınç ÜNAL
+Link: https://lore.kernel.org/r/20230320190520.124513-2-arinc.unal@arinc9.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/mt7530.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 1ad6c8b44183c..314770515018c 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -414,12 +414,12 @@ static void mt7530_pll_setup(struct mt7530_priv *priv)
+ core_set(priv, CORE_TRGMII_GSW_CLK_CG, REG_GSWCK_EN);
+ }
+
+-/* Setup TX circuit including relevant PAD and driving */
++/* Setup port 6 interface mode and TRGMII TX circuit */
+ static int
+ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ {
+ struct mt7530_priv *priv = ds->priv;
+- u32 ncpo1, ssc_delta, trgint, i, xtal;
++ u32 ncpo1, ssc_delta, trgint, xtal;
+
+ xtal = mt7530_read(priv, MT7530_MHWTRAP) & HWTRAP_XTAL_MASK;
+
+@@ -464,11 +464,6 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ P6_INTF_MODE(trgint));
+
+ if (trgint) {
+- /* Lower Tx Driving for TRGMII path */
+- for (i = 0 ; i < NUM_TRGMII_CTRL ; i++)
+- mt7530_write(priv, MT7530_TRGMII_TD_ODT(i),
+- TD_DM_DRVP(8) | TD_DM_DRVN(8));
+-
+ /* Disable the MT7530 TRGMII clocks */
+ core_clear(priv, CORE_TRGMII_GSW_CLK_CG, REG_TRGMIICK_EN);
+
+@@ -489,10 +484,6 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+
+ /* Enable the MT7530 TRGMII clocks */
+ core_set(priv, CORE_TRGMII_GSW_CLK_CG, REG_TRGMIICK_EN);
+- } else {
+- for (i = 0 ; i < NUM_TRGMII_CTRL; i++)
+- mt7530_rmw(priv, MT7530_TRGMII_RD(i),
+- RD_TAP_MASK, RD_TAP(16));
+ }
+
+ return 0;
+@@ -2174,6 +2165,15 @@
mt7530_setup(struct dsa_switch *ds)
+
+ mt7530_pll_setup(priv);
+
++ /* Lower Tx driving for TRGMII path */
++ for (i = 0; i < NUM_TRGMII_CTRL; i++)
++ mt7530_write(priv, MT7530_TRGMII_TD_ODT(i),
++ TD_DM_DRVP(8) | TD_DM_DRVN(8));
++
++ for (i = 0; i < NUM_TRGMII_CTRL; i++)
++ mt7530_rmw(priv, MT7530_TRGMII_RD(i),
++ RD_TAP_MASK, RD_TAP(16));
++
+ /* Enable port 6 */
+ val = mt7530_read(priv, MT7530_MHWTRAP);
+ val &= ~MHWTRAP_P6_DIS & ~MHWTRAP_PHY_ACCESS;
+--
+2.39.2
+
diff --git a/queue-5.15/net-dsa-mt7530-move-setting-ssc_delta-to-phy_interfa.patch b/queue-5.15/net-dsa-mt7530-move-setting-ssc_delta-to-phy_interfa.patch
new file mode 100644
index 00000000000..e13f5c416a6
--- /dev/null
+++ b/queue-5.15/net-dsa-mt7530-move-setting-ssc_delta-to-phy_interfa.patch
@@ -0,0 +1,55 @@
+From 678e97d788d527d727a38a52e8820501197d9c01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Mar 2023 22:05:20 +0300
+Subject: net: dsa: mt7530: move setting ssc_delta to PHY_INTERFACE_MODE_TRGMII
+ case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL
+
+[ Upstream commit 407b508bdd70b6848993843d96ed49ac4108fb52 ]
+
+Move setting the ssc_delta variable to under the PHY_INTERFACE_MODE_TRGMII
+case as it's only needed when trgmii is used.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: Arınç ÜNAL
+Link: https://lore.kernel.org/r/20230320190520.124513-3-arinc.unal@arinc9.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/mt7530.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 314770515018c..dfea2ab0c297f 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -436,6 +436,10 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ break;
+ case PHY_INTERFACE_MODE_TRGMII:
+ trgint = 1;
++ if (xtal == HWTRAP_XTAL_25MHZ)
++ ssc_delta = 0x57;
++ else
++ ssc_delta = 0x87;
+ if (priv->id == ID_MT7621) {
+ /* PLL frequency: 150MHz: 1.2GBit */
+ if (xtal == HWTRAP_XTAL_40MHZ)
+@@ -455,11 +459,6 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ return -EINVAL;
+ }
+
+- if (xtal == HWTRAP_XTAL_25MHZ)
+- ssc_delta = 0x57;
+- else
+- ssc_delta = 0x87;
+-
+ mt7530_rmw(priv, MT7530_P6ECR, P6_INTF_MODE_MASK,
+ P6_INTF_MODE(trgint));
+
+--
+2.39.2
+
diff --git a/queue-5.15/net-dsa-tag_brcm-legacy-fix-daisy-chained-switches.patch b/queue-5.15/net-dsa-tag_brcm-legacy-fix-daisy-chained-switches.patch
new file mode 100644
index 00000000000..deeab8b933c
--- /dev/null
+++ b/queue-5.15/net-dsa-tag_brcm-legacy-fix-daisy-chained-switches.patch
@@ -0,0 +1,75 @@
+From 74058c1289af3efd5d5fc8d22b91f41935e293aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 19 Mar 2023 10:55:40 +0100
+Subject: net: dsa: tag_brcm: legacy: fix daisy-chained switches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas
+
+[ Upstream commit 032a954061afd4b7426c3eb6bfd2952ef1e9a384 ]
+
+When BCM63xx internal switches are connected to switches with a 4-byte
+Broadcom tag, it does not identify the packet as VLAN tagged, so it adds one
+based on its PVID (which is likely 0).
+Right now, the packet is received by the BCM63xx internal switch and the 6-byte
+tag is properly processed. The next step would to decode the corresponding
+4-byte tag. However, the internal switch adds an invalid VLAN tag after the
+6-byte tag and the 4-byte tag handling fails.
+In order to fix this we need to remove the invalid VLAN tag after the 6-byte
+tag before passing it to the 4-byte tag decoding.
+
+Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags")
+Signed-off-by: Álvaro Fernández Rojas
+Reviewed-by: Michal Swiatkowski
+Reviewed-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20230319095540.239064-1-noltari@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/dsa/tag_brcm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c
+index 96dbb8ee2fee1..ed5f68c4f1dad 100644
+--- a/net/dsa/tag_brcm.c
++++ b/net/dsa/tag_brcm.c
+@@ -7,6 +7,7 @@
+
+ #include
+ #include
++#include
+ #include
+ #include
+
+@@ -248,6 +249,7 @@ static struct sk_buff *brcm_leg_tag_xmit(struct sk_buff *skb,
+ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb,
+ struct net_device *dev)
+ {
++ int len = BRCM_LEG_TAG_LEN;
+ int source_port;
+ u8 *brcm_tag;
+
+@@ -262,12 +264,16 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb,
+ if (!skb->dev)
+ return NULL;
+
++ /* VLAN tag is added by BCM63xx internal switch */
++ if (netdev_uses_dsa(skb->dev))
++ len += VLAN_HLEN;
++
+ /* Remove Broadcom tag and update checksum */
+- skb_pull_rcsum(skb, BRCM_LEG_TAG_LEN);
++ skb_pull_rcsum(skb, len);
+
+ dsa_default_offload_fwd_mark(skb);
+
+- dsa_strip_etype_header(skb, BRCM_LEG_TAG_LEN);
++ dsa_strip_etype_header(skb, len);
+
+ return skb;
+ }
+--
+2.39.2
+
diff --git a/queue-5.15/net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch b/queue-5.15/net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch
new file mode 100644
index 00000000000..61907b6ab90
--- /dev/null
+++ b/queue-5.15/net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch
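Review bot: brcm_leg_tag_rcv() now pulls `BRCM_LEG_TAG_LEN + VLAN_HLEN` bytes when `netdev_uses_dsa(skb->dev)` is true, but the length guard that runs before the tag is parsed lies between the inner hunks and is not changed by this patch. If that guard only covers the legacy tag, a frame shorter than `len` reaches `skb_pull_rcsum(skb, len)`; the larger pull should be covered first, e.g. `if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN))) return NULL;` on the path where the extra VLAN header is expected. Whether the existing guard is already wide enough cannot be confirmed from the visible lines.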
@@ -0,0 +1,152 @@ +From 7f7b78fb00920caec2f104451435a729627e04f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 16:33:16 -0700 +Subject: net: mdio: fix owner field for mdio buses registered using + device-tree + +From: Maxime Bizon + +[ Upstream commit 99669259f3361d759219811e670b7e0742668556 ] + +Bus ownership is wrong when using of_mdiobus_register() to register an mdio +bus. That function is not inline, so when it calls mdiobus_register() the wrong +THIS_MODULE value is captured. + +Signed-off-by: Maxime Bizon +Fixes: 90eff9096c01 ("net: phy: Allow splitting MDIO bus/device support from PHYs") +[florian: fix kdoc, added Fixes tag] +Signed-off-by: Florian Fainelli +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/of_mdio.c | 12 +++++++----- + drivers/net/phy/mdio_devres.c | 11 ++++++----- + include/linux/of_mdio.h | 22 +++++++++++++++++++--- + 3 files changed, 32 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/mdio/of_mdio.c b/drivers/net/mdio/of_mdio.c +index 510822d6d0d90..1e46e39f5f46a 100644 +--- a/drivers/net/mdio/of_mdio.c ++++ b/drivers/net/mdio/of_mdio.c +@@ -139,21 +139,23 @@ bool of_mdiobus_child_is_phy(struct device_node *child) + EXPORT_SYMBOL(of_mdiobus_child_is_phy); + + /** +- * of_mdiobus_register - Register mii_bus and create PHYs from the device tree ++ * __of_mdiobus_register - Register mii_bus and create PHYs from the device tree + * @mdio: pointer to mii_bus structure + * @np: pointer to device_node of MDIO bus. ++ * @owner: module owning the @mdio object. + * + * This function registers the mii_bus structure and registers a phy_device + * for each child node of @np. 
+ */ +-int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np) ++int __of_mdiobus_register(struct mii_bus *mdio, struct device_node *np, ++ struct module *owner) + { + struct device_node *child; + bool scanphys = false; + int addr, rc; + + if (!np) +- return mdiobus_register(mdio); ++ return __mdiobus_register(mdio, owner); + + /* Do not continue if the node is disabled */ + if (!of_device_is_available(np)) +@@ -172,7 +174,7 @@ int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np) + of_property_read_u32(np, "reset-post-delay-us", &mdio->reset_post_delay_us); + + /* Register the MDIO bus */ +- rc = mdiobus_register(mdio); ++ rc = __mdiobus_register(mdio, owner); + if (rc) + return rc; + +@@ -236,7 +238,7 @@ int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np) + mdiobus_unregister(mdio); + return rc; + } +-EXPORT_SYMBOL(of_mdiobus_register); ++EXPORT_SYMBOL(__of_mdiobus_register); + + /** + * of_mdio_find_device - Given a device tree node, find the mdio_device +diff --git a/drivers/net/phy/mdio_devres.c b/drivers/net/phy/mdio_devres.c +index b560e99695dfd..69b829e6ab35b 100644 +--- a/drivers/net/phy/mdio_devres.c ++++ b/drivers/net/phy/mdio_devres.c +@@ -98,13 +98,14 @@ EXPORT_SYMBOL(__devm_mdiobus_register); + + #if IS_ENABLED(CONFIG_OF_MDIO) + /** +- * devm_of_mdiobus_register - Resource managed variant of of_mdiobus_register() ++ * __devm_of_mdiobus_register - Resource managed variant of of_mdiobus_register() + * @dev: Device to register mii_bus for + * @mdio: MII bus structure to register + * @np: Device node to parse ++ * @owner: Owning module + */ +-int devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio, +- struct device_node *np) ++int __devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio, ++ struct device_node *np, struct module *owner) + { + struct mdiobus_devres *dr; + int ret; +@@ -117,7 +118,7 @@ int devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio, + if (!dr) + 
return -ENOMEM; + +- ret = of_mdiobus_register(mdio, np); ++ ret = __of_mdiobus_register(mdio, np, owner); + if (ret) { + devres_free(dr); + return ret; +@@ -127,7 +128,7 @@ int devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio, + devres_add(dev, dr); + return 0; + } +-EXPORT_SYMBOL(devm_of_mdiobus_register); ++EXPORT_SYMBOL(__devm_of_mdiobus_register); + #endif /* CONFIG_OF_MDIO */ + + MODULE_LICENSE("GPL"); +diff --git a/include/linux/of_mdio.h b/include/linux/of_mdio.h +index da633d34ab866..8a52ef2e6fa6b 100644 +--- a/include/linux/of_mdio.h ++++ b/include/linux/of_mdio.h +@@ -14,9 +14,25 @@ + + #if IS_ENABLED(CONFIG_OF_MDIO) + bool of_mdiobus_child_is_phy(struct device_node *child); +-int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np); +-int devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio, +- struct device_node *np); ++int __of_mdiobus_register(struct mii_bus *mdio, struct device_node *np, ++ struct module *owner); ++ ++static inline int of_mdiobus_register(struct mii_bus *mdio, ++ struct device_node *np) ++{ ++ return __of_mdiobus_register(mdio, np, THIS_MODULE); ++} ++ ++int __devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio, ++ struct device_node *np, struct module *owner); ++ ++static inline int devm_of_mdiobus_register(struct device *dev, ++ struct mii_bus *mdio, ++ struct device_node *np) ++{ ++ return __devm_of_mdiobus_register(dev, mdio, np, THIS_MODULE); ++} ++ + struct mdio_device *of_mdio_find_device(struct device_node *np); + struct phy_device *of_phy_find_device(struct device_node *phy_np); + struct phy_device * +-- +2.39.2 + diff --git a/queue-5.15/net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch-9507 b/queue-5.15/net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch-9507 new file mode 100644 index 00000000000..295a35f7471 --- /dev/null +++ b/queue-5.15/net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch-9507 
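Review bot: The new `static inline` wrappers `of_mdiobus_register()` and `devm_of_mdiobus_register()` in include/linux/of_mdio.h carry no comment saying why they must stay inline, so the fix would regress silently if they were moved back into a .c file. The owner is whatever reaches the visible `__mdiobus_register(mdio, owner)` call, so `THIS_MODULE` has to expand in the calling driver. A comment above each wrapper would record that, for example `/* Must remain inline: THIS_MODULE has to expand in the caller so the bus is owned by the driver module. */`. The kernel-doc for `__devm_of_mdiobus_register` still reads "Resource managed variant of of_mdiobus_register()" and could name `__of_mdiobus_register()`, which is what the body now calls.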
@@ -0,0 +1,87 @@ +From 3386b3498bf6fbf256812debe8e70e97ef95375c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 16:33:17 -0700 +Subject: net: mdio: fix owner field for mdio buses registered using ACPI + +From: Florian Fainelli + +[ Upstream commit 30b605b8501e321f79e19c3238aa6ca31da6087c ] + +Bus ownership is wrong when using acpi_mdiobus_register() to register an +mdio bus. That function is not inline, so when it calls +mdiobus_register() the wrong THIS_MODULE value is captured. + +CC: Maxime Bizon +Fixes: 803ca24d2f92 ("net: mdio: Add ACPI support code for mdio") +Signed-off-by: Florian Fainelli +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/acpi_mdio.c | 10 ++++++---- + include/linux/acpi_mdio.h | 9 ++++++++- + 2 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/mdio/acpi_mdio.c b/drivers/net/mdio/acpi_mdio.c +index d77c987fda9cd..4630dde019749 100644 +--- a/drivers/net/mdio/acpi_mdio.c ++++ b/drivers/net/mdio/acpi_mdio.c +@@ -18,16 +18,18 @@ MODULE_AUTHOR("Calvin Johnson "); + MODULE_LICENSE("GPL"); + + /** +- * acpi_mdiobus_register - Register mii_bus and create PHYs from the ACPI ASL. ++ * __acpi_mdiobus_register - Register mii_bus and create PHYs from the ACPI ASL. + * @mdio: pointer to mii_bus structure + * @fwnode: pointer to fwnode of MDIO bus. This fwnode is expected to represent ++ * @owner: module owning this @mdio object. + * an ACPI device object corresponding to the MDIO bus and its children are + * expected to correspond to the PHY devices on that bus. + * + * This function registers the mii_bus structure and registers a phy_device + * for each child node of @fwnode. 
+ */ +-int acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode) ++int __acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode, ++ struct module *owner) + { + struct fwnode_handle *child; + u32 addr; +@@ -35,7 +37,7 @@ int acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode) + + /* Mask out all PHYs from auto probing. */ + mdio->phy_mask = GENMASK(31, 0); +- ret = mdiobus_register(mdio); ++ ret = __mdiobus_register(mdio, owner); + if (ret) + return ret; + +@@ -55,4 +57,4 @@ int acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode) + } + return 0; + } +-EXPORT_SYMBOL(acpi_mdiobus_register); ++EXPORT_SYMBOL(__acpi_mdiobus_register); +diff --git a/include/linux/acpi_mdio.h b/include/linux/acpi_mdio.h +index 0a24ab7cb66fa..8e2eefa9fbc0f 100644 +--- a/include/linux/acpi_mdio.h ++++ b/include/linux/acpi_mdio.h +@@ -9,7 +9,14 @@ + #include + + #if IS_ENABLED(CONFIG_ACPI_MDIO) +-int acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode); ++int __acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode, ++ struct module *owner); ++ ++static inline int ++acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *handle) ++{ ++ return __acpi_mdiobus_register(mdio, handle, THIS_MODULE); ++} + #else /* CONFIG_ACPI_MDIO */ + static inline int + acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode) +-- +2.39.2 + diff --git a/queue-5.15/net-mdio-thunder-add-missing-fwnode_handle_put.patch b/queue-5.15/net-mdio-thunder-add-missing-fwnode_handle_put.patch new file mode 100644 index 00000000000..295994378d1 --- /dev/null +++ b/queue-5.15/net-mdio-thunder-add-missing-fwnode_handle_put.patch 
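Review bot: The added kernel-doc line `@owner: module owning this @mdio object.` sits in the middle of the `@fwnode` description, so the continuation lines starting "an ACPI device object corresponding to the MDIO bus" now read as part of `@owner`. Move the `@owner:` line below the end of the `@fwnode` paragraph, after "expected to correspond to the PHY devices on that bus." In include/linux/acpi_mdio.h the inline wrapper names its second parameter `handle` while the stub in the `#else` branch uses `fwnode`; using `fwnode` in both keeps the declarations parallel. The wrapper would also benefit from a one-line comment that it must stay inline so `THIS_MODULE` expands in the calling module.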
@@ -0,0 +1,36 @@ +From 8a7a0945663a534ff407c4784882b77b364e1749 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 14:20:57 +0800 +Subject: net: mdio: thunder: Add missing fwnode_handle_put() + +From: Liang He + +[ Upstream commit b1de5c78ebe9858ccec9d49af2f76724f1d47e3e ] + +In device_for_each_child_node(), we should add fwnode_handle_put() +when break out of the iteration device_for_each_child_node() +as it will automatically increase and decrease the refcounter. + +Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.") +Signed-off-by: Liang He +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-thunder.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/mdio/mdio-thunder.c b/drivers/net/mdio/mdio-thunder.c +index 822d2cdd2f359..394b864aaa372 100644 +--- a/drivers/net/mdio/mdio-thunder.c ++++ b/drivers/net/mdio/mdio-thunder.c +@@ -104,6 +104,7 @@ static int thunder_mdiobus_pci_probe(struct pci_dev *pdev, + if (i >= ARRAY_SIZE(nexus->buses)) + break; + } ++ fwnode_handle_put(fwn); + return 0; + + err_release_regions: +-- +2.39.2 + diff --git a/queue-5.15/net-mlx5-e-switch-fix-an-oops-in-error-handling-code.patch b/queue-5.15/net-mlx5-e-switch-fix-an-oops-in-error-handling-code.patch new file mode 100644 index 00000000000..cf347fea0b6 --- /dev/null +++ b/queue-5.15/net-mlx5-e-switch-fix-an-oops-in-error-handling-code.patch 
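Review bot: The `fwnode_handle_put(fwn)` added after the loop in `thunder_mdiobus_pci_probe()` runs on every exit from the loop, not only after the visible `break`, and nothing says why that is safe. It appears to rely on the iterator leaving `fwn` NULL when the loop runs to completion and on `fwnode_handle_put()` accepting NULL. A comment such as `/* fwn is NULL unless the loop was left early via break */` would make that dependency explicit. The loop body and the `err_release_regions` path are outside the hunk, so whether any early exit bypasses this put cannot be checked from here.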
@@ -0,0 +1,38 @@ +From ebd4eccc1906ebde9fba4070d8e8bdffdccecaec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 14:16:10 +0300 +Subject: net/mlx5: E-Switch, Fix an Oops in error handling code + +From: Dan Carpenter + +[ Upstream commit 640fcdbcf27fc62de9223f958ceb4e897a00e791 ] + +The error handling dereferences "vport". There is nothing we can do if +it is an error pointer except returning the error code. + +Fixes: 133dcfc577ea ("net/mlx5: E-Switch, Alloc and free unique metadata for match") +Signed-off-by: Dan Carpenter +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c +index 39e948bc12041..34a6542c03f61 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c +@@ -301,8 +301,7 @@ int mlx5_esw_acl_ingress_vport_bond_update(struct mlx5_eswitch *esw, u16 vport_n + + if (WARN_ON_ONCE(IS_ERR(vport))) { + esw_warn(esw->dev, "vport(%d) invalid!\n", vport_num); +- err = PTR_ERR(vport); +- goto out; ++ return PTR_ERR(vport); + } + + esw_acl_ingress_ofld_rules_destroy(esw, vport); +-- +2.39.2 + diff --git a/queue-5.15/net-mlx5-fix-steering-rules-cleanup.patch b/queue-5.15/net-mlx5-fix-steering-rules-cleanup.patch new file mode 100644 index 00000000000..2dde48e1e85 --- /dev/null +++ b/queue-5.15/net-mlx5-fix-steering-rules-cleanup.patch 
@@ -0,0 +1,65 @@ +From 19ba55da59c8eee2ec4c6900fd1271e0d0b5c8f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 14:07:03 +0200 +Subject: net/mlx5: Fix steering rules cleanup + +From: Lama Kayal + +[ Upstream commit 922f56e9a795d6f3dd72d3428ebdd7ee040fa855 ] + +vport's mc, uc and multicast rules are not deleted in teardown path when +EEH happens. Since the vport's promisc settings(uc, mc and all) in +firmware are reset after EEH, mlx5 driver will try to delete the above +rules in the initialization path. This cause kernel crash because these +software rules are no longer valid. + +Fix by nullifying these rules right after delete to avoid accessing any dangling +pointers. + +Call Trace: +__list_del_entry_valid+0xcc/0x100 (unreliable) +tree_put_node+0xf4/0x1b0 [mlx5_core] +tree_remove_node+0x30/0x70 [mlx5_core] +mlx5_del_flow_rules+0x14c/0x1f0 [mlx5_core] +esw_apply_vport_rx_mode+0x10c/0x200 [mlx5_core] +esw_update_vport_rx_mode+0xb4/0x180 [mlx5_core] +esw_vport_change_handle_locked+0x1ec/0x230 [mlx5_core] +esw_enable_vport+0x130/0x260 [mlx5_core] +mlx5_eswitch_enable_sriov+0x2a0/0x2f0 [mlx5_core] +mlx5_device_enable_sriov+0x74/0x440 [mlx5_core] +mlx5_load_one+0x114c/0x1550 [mlx5_core] +mlx5_pci_resume+0x68/0xf0 [mlx5_core] +eeh_report_resume+0x1a4/0x230 +eeh_pe_dev_traverse+0x98/0x170 +eeh_handle_normal_event+0x3e4/0x640 +eeh_handle_event+0x4c/0x370 +eeh_event_handler+0x14c/0x210 +kthread+0x168/0x1b0 +ret_from_kernel_thread+0x5c/0x84 + +Fixes: a35f71f27a61 ("net/mlx5: E-Switch, Implement promiscuous rx modes vf request handling") +Signed-off-by: Huy Nguyen +Signed-off-by: Lama Kayal +Reviewed-by: Tariq Toukan +Reviewed-by: Maor Dickman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 2b9278002354c..7315bf447e061 100644 
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -918,6 +918,7 @@ void mlx5_esw_vport_disable(struct mlx5_eswitch *esw, u16 vport_num) + */ + esw_vport_change_handle_locked(vport); + vport->enabled_events = 0; ++ esw_apply_vport_rx_mode(esw, vport, false, false); + esw_vport_cleanup(esw, vport); + esw->enabled_vports--; + +-- +2.39.2 + diff --git a/queue-5.15/net-mlx5-read-the-tc-mapping-of-all-priorities-on-et.patch b/queue-5.15/net-mlx5-read-the-tc-mapping-of-all-priorities-on-et.patch new file mode 100644 index 00000000000..d4e7b7763b7 --- /dev/null +++ b/queue-5.15/net-mlx5-read-the-tc-mapping-of-all-priorities-on-et.patch 
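Review bot: The added `esw_apply_vport_rx_mode(esw, vport, false, false);` in `mlx5_esw_vport_disable()` has no comment, and the commit text describes the fix as nullifying the rules right after delete, which is not what this line visibly does. A short comment would tie the call to the crash in the quoted trace, for example `/* Remove the rx-mode rules on disable so no stale rule pointers are seen on the next enable */`. The fix depends on the callee clearing the stored rule pointers after deleting them, which is not shown in the hunk and should be confirmed. The enclosing function starts and ends outside the hunk.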
@@ -0,0 +1,51 @@ +From 433a99658a3c1fcdf9aed008a4044f1362b442ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 11:04:38 +0200 +Subject: net/mlx5: Read the TC mapping of all priorities on ETS query + +From: Maher Sanalla + +[ Upstream commit 44d553188c38ac74b799dfdcebafef2f7bb70942 ] + +When ETS configurations are queried by the user to get the mapping +assignment between packet priority and traffic class, only priorities up +to maximum TCs are queried from QTCT register in FW to retrieve their +assigned TC, leaving the rest of the priorities mapped to the default +TC #0 which might be misleading. + +Fix by querying the TC mapping of all priorities on each ETS query, +regardless of the maximum number of TCs configured in FW. + +Fixes: 820c2c5e773d ("net/mlx5e: Read ETS settings directly from firmware") +Signed-off-by: Maher Sanalla +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c +index 72e08559e0d05..f2862100d1a2e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c +@@ -117,12 +117,14 @@ static int mlx5e_dcbnl_ieee_getets(struct net_device *netdev, + if (!MLX5_CAP_GEN(priv->mdev, ets)) + return -EOPNOTSUPP; + +- ets->ets_cap = mlx5_max_tc(priv->mdev) + 1; +- for (i = 0; i < ets->ets_cap; i++) { ++ for (i = 0; i < IEEE_8021QAZ_MAX_TCS; i++) { + err = mlx5_query_port_prio_tc(mdev, i, &ets->prio_tc[i]); + if (err) + return err; ++ } + ++ ets->ets_cap = mlx5_max_tc(priv->mdev) + 1; ++ for (i = 0; i < ets->ets_cap; i++) { + err = mlx5_query_port_tc_group(mdev, i, &tc_group[i]); + if (err) + return err; +-- +2.39.2 + 
diff --git a/queue-5.15/net-mlx5e-set-uplink-rep-as-netns_local.patch b/queue-5.15/net-mlx5e-set-uplink-rep-as-netns_local.patch new file mode 100644 index 00000000000..d05c5ba52e4 --- /dev/null +++ b/queue-5.15/net-mlx5e-set-uplink-rep-as-netns_local.patch 
@@ -0,0 +1,49 @@ +From 0706f7e2e559b99da2e66b046ebdc2cc2910418a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 04:15:40 +0200 +Subject: net/mlx5e: Set uplink rep as NETNS_LOCAL + +From: Gavin Li + +[ Upstream commit c83172b0639c8a005c0dd3b36252dc22ddd9f19c ] + +Previously, NETNS_LOCAL was not set for uplink representors, inconsistent +with VF representors, and allowed the uplink representor to be moved +between net namespaces and separated from the VF representors it shares +the core device with. Such usage would break the isolation model of +namespaces, as devices in different namespaces would have access to +shared memory. + +To solve this issue, set NETNS_LOCAL for uplink representors if eswitch is +in switchdev mode. + +Fixes: 7a9fb35e8c3a ("net/mlx5e: Do not reload ethernet ports when changing eswitch mode") +Signed-off-by: Gavin Li +Reviewed-by: Gavi Teitz +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index f1dd966e2bdbf..ec1c667bd145a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3527,8 +3527,12 @@ static netdev_features_t mlx5e_fix_features(struct net_device *netdev, + netdev_warn(netdev, "Disabling rxhash, not supported when CQE compress is active\n"); + } + +- if (mlx5e_is_uplink_rep(priv)) ++ if (mlx5e_is_uplink_rep(priv)) { + features = mlx5e_fix_uplink_rep_features(netdev, features); ++ features |= NETIF_F_NETNS_LOCAL; ++ } else { ++ features &= ~NETIF_F_NETNS_LOCAL; ++ } + + mutex_unlock(&priv->state_lock); + +-- +2.39.2 + 
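Review bot: `NETIF_F_NETNS_LOCAL` is set and cleared inside `mlx5e_fix_features()`, so the namespace pinning described in the commit text only takes effect when the feature set is recomputed. Nothing in the hunk shows a recompute being triggered when the device becomes or stops being an uplink representor; if there is none, the device could stay movable between namespaces for a window, so the call sites should be checked. A comment above the branch would record why the flag is handled here, for example `/* Uplink rep shares the core device with the VF reps: keep it pinned to its netns */`. The commit text limits this to switchdev mode while the visible condition is only `mlx5e_is_uplink_rep(priv)`; if that helper already implies switchdev mode, the comment should say so.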
diff --git a/queue-5.15/net-phy-ensure-state-transitions-are-processed-from-.patch b/queue-5.15/net-phy-ensure-state-transitions-are-processed-from-.patch new file mode 100644 index 00000000000..015400bb281 --- /dev/null +++ b/queue-5.15/net-phy-ensure-state-transitions-are-processed-from-.patch 
@@ -0,0 +1,91 @@ +From c3e6ce06f5f214b4d7fb3eb82b4d1f9ada431bf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 13:33:24 -0700 +Subject: net: phy: Ensure state transitions are processed from phy_stop() + +From: Florian Fainelli + +[ Upstream commit 4203d84032e28f893594a453bd8bc9c3b15c7334 ] + +In the phy_disconnect() -> phy_stop() path, we will be forcibly setting +the PHY state machine to PHY_HALTED. This invalidates the old_state != +phydev->state condition in phy_state_machine() such that we will neither +display the state change for debugging, nor will we invoke the +link_change_notify() callback. + +Factor the code by introducing phy_process_state_change(), and ensure +that we process the state change from phy_stop() as well. + +Fixes: 5c5f626bcace ("net: phy: improve handling link_change_notify callback") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c +index 2fc851082e7b4..1135e63a4a76e 100644 +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -57,6 +57,18 @@ static const char *phy_state_to_str(enum phy_state st) + return NULL; + } + ++static void phy_process_state_change(struct phy_device *phydev, ++ enum phy_state old_state) ++{ ++ if (old_state != phydev->state) { ++ phydev_dbg(phydev, "PHY state change %s -> %s\n", ++ phy_state_to_str(old_state), ++ phy_state_to_str(phydev->state)); ++ if (phydev->drv && phydev->drv->link_change_notify) ++ phydev->drv->link_change_notify(phydev); ++ } ++} ++ + static void phy_link_up(struct phy_device *phydev) + { + phydev->phy_link_change(phydev, true); +@@ -1061,6 +1073,7 @@ EXPORT_SYMBOL(phy_free_interrupt); + void phy_stop(struct phy_device *phydev) + { + struct net_device *dev = phydev->attached_dev; ++ enum phy_state old_state; + + if (!phy_is_started(phydev) && 
phydev->state != PHY_DOWN) { + WARN(1, "called from state %s\n", +@@ -1069,6 +1082,7 @@ void phy_stop(struct phy_device *phydev) + } + + mutex_lock(&phydev->lock); ++ old_state = phydev->state; + + if (phydev->state == PHY_CABLETEST) { + phy_abort_cable_test(phydev); +@@ -1079,6 +1093,7 @@ void phy_stop(struct phy_device *phydev) + sfp_upstream_stop(phydev->sfp_bus); + + phydev->state = PHY_HALTED; ++ phy_process_state_change(phydev, old_state); + + mutex_unlock(&phydev->lock); + +@@ -1196,13 +1211,7 @@ void phy_state_machine(struct work_struct *work) + if (err < 0) + phy_error(phydev); + +- if (old_state != phydev->state) { +- phydev_dbg(phydev, "PHY state change %s -> %s\n", +- phy_state_to_str(old_state), +- phy_state_to_str(phydev->state)); +- if (phydev->drv && phydev->drv->link_change_notify) +- phydev->drv->link_change_notify(phydev); +- } ++ phy_process_state_change(phydev, old_state); + + /* Only re-schedule a PHY state machine change if we are polling the + * PHY, if PHY_MAC_INTERRUPT is set, then we will be moving +-- +2.39.2 + diff --git a/queue-5.15/net-ps3_gelic_net-fix-rx-sk_buff-length.patch b/queue-5.15/net-ps3_gelic_net-fix-rx-sk_buff-length.patch new file mode 100644 index 00000000000..ac2f9720403 --- /dev/null +++ b/queue-5.15/net-ps3_gelic_net-fix-rx-sk_buff-length.patch 
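Review bot: `phy_process_state_change()` is called from `phy_stop()` before `mutex_unlock(&phydev->lock)`, so the driver's `link_change_notify()` callback now runs with `phydev->lock` held on that path. The hunk for `phy_state_machine()` does not show the lock state at its call site. If the callback is invoked unlocked there, drivers see two locking contexts, and a callback that takes the lock would deadlock only on the stop path. A comment on the helper should state the contract, e.g. `/* Caller may hold phydev->lock; link_change_notify() must not acquire it */`. If the lock is meant to be held at both sites, `lockdep_assert_held(&phydev->lock);` would enforce it instead.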
@@ -0,0 +1,106 @@ +From cad32b8ec2b5e05b6430f56c777cf4ebb49942f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Mar 2023 17:39:16 +0000 +Subject: net/ps3_gelic_net: Fix RX sk_buff length + +From: Geoff Levand + +[ Upstream commit 19b3bb51c3bc288b3f2c6f8c4450b0f548320625 ] + +The Gelic Ethernet device needs to have the RX sk_buffs aligned to +GELIC_NET_RXBUF_ALIGN, and also the length of the RX sk_buffs must +be a multiple of GELIC_NET_RXBUF_ALIGN. + +The current Gelic Ethernet driver was not allocating sk_buffs large +enough to allow for this alignment. + +Also, correct the maximum and minimum MTU sizes, and add a new +preprocessor macro for the maximum frame size, GELIC_NET_MAX_FRAME. + +Fixes various randomly occurring runtime network errors. + +Fixes: 02c1889166b4 ("ps3: gigabit ethernet driver for PS3, take3") +Signed-off-by: Geoff Levand +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/toshiba/ps3_gelic_net.c | 19 ++++++++++--------- + drivers/net/ethernet/toshiba/ps3_gelic_net.h | 5 +++-- + 2 files changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_net.c b/drivers/net/ethernet/toshiba/ps3_gelic_net.c +index 55e652624bd76..bd1316db2d944 100644 +--- a/drivers/net/ethernet/toshiba/ps3_gelic_net.c ++++ b/drivers/net/ethernet/toshiba/ps3_gelic_net.c +@@ -365,26 +365,27 @@ static int gelic_card_init_chain(struct gelic_card *card, + * + * allocates a new rx skb, iommu-maps it and attaches it to the descriptor. + * Activate the descriptor state-wise ++ * ++ * Gelic RX sk_buffs must be aligned to GELIC_NET_RXBUF_ALIGN and the length ++ * must be a multiple of GELIC_NET_RXBUF_ALIGN. 
+ */ + static int gelic_descr_prepare_rx(struct gelic_card *card, + struct gelic_descr *descr) + { ++ static const unsigned int rx_skb_size = ++ ALIGN(GELIC_NET_MAX_FRAME, GELIC_NET_RXBUF_ALIGN) + ++ GELIC_NET_RXBUF_ALIGN - 1; + int offset; +- unsigned int bufsize; + + if (gelic_descr_get_status(descr) != GELIC_DESCR_DMA_NOT_IN_USE) + dev_info(ctodev(card), "%s: ERROR status\n", __func__); +- /* we need to round up the buffer size to a multiple of 128 */ +- bufsize = ALIGN(GELIC_NET_MAX_MTU, GELIC_NET_RXBUF_ALIGN); + +- /* and we need to have it 128 byte aligned, therefore we allocate a +- * bit more */ +- descr->skb = dev_alloc_skb(bufsize + GELIC_NET_RXBUF_ALIGN - 1); ++ descr->skb = netdev_alloc_skb(*card->netdev, rx_skb_size); + if (!descr->skb) { + descr->buf_addr = 0; /* tell DMAC don't touch memory */ + return -ENOMEM; + } +- descr->buf_size = cpu_to_be32(bufsize); ++ descr->buf_size = cpu_to_be32(rx_skb_size); + descr->dmac_cmd_status = 0; + descr->result_size = 0; + descr->valid_size = 0; +@@ -397,7 +398,7 @@ static int gelic_descr_prepare_rx(struct gelic_card *card, + /* io-mmu-map the skb */ + descr->buf_addr = cpu_to_be32(dma_map_single(ctodev(card), + descr->skb->data, +- GELIC_NET_MAX_MTU, ++ GELIC_NET_MAX_FRAME, + DMA_FROM_DEVICE)); + if (!descr->buf_addr) { + dev_kfree_skb_any(descr->skb); +@@ -915,7 +916,7 @@ static void gelic_net_pass_skb_up(struct gelic_descr *descr, + data_error = be32_to_cpu(descr->data_error); + /* unmap skb buffer */ + dma_unmap_single(ctodev(card), be32_to_cpu(descr->buf_addr), +- GELIC_NET_MAX_MTU, ++ GELIC_NET_MAX_FRAME, + DMA_FROM_DEVICE); + + skb_put(skb, be32_to_cpu(descr->valid_size)? 
+diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_net.h b/drivers/net/ethernet/toshiba/ps3_gelic_net.h +index 68f324ed4eaf0..0d98defb011ed 100644 +--- a/drivers/net/ethernet/toshiba/ps3_gelic_net.h ++++ b/drivers/net/ethernet/toshiba/ps3_gelic_net.h +@@ -19,8 +19,9 @@ + #define GELIC_NET_RX_DESCRIPTORS 128 /* num of descriptors */ + #define GELIC_NET_TX_DESCRIPTORS 128 /* num of descriptors */ + +-#define GELIC_NET_MAX_MTU VLAN_ETH_FRAME_LEN +-#define GELIC_NET_MIN_MTU VLAN_ETH_ZLEN ++#define GELIC_NET_MAX_FRAME 2312 ++#define GELIC_NET_MAX_MTU 2294 ++#define GELIC_NET_MIN_MTU 64 + #define GELIC_NET_RXBUF_ALIGN 128 + #define GELIC_CARD_RX_CSUM_DEFAULT 1 /* hw chksum */ + #define GELIC_NET_WATCHDOG_TIMEOUT 5*HZ +-- +2.39.2 + diff --git a/queue-5.15/net-ps3_gelic_net-use-dma_mapping_error.patch b/queue-5.15/net-ps3_gelic_net-use-dma_mapping_error.patch new file mode 100644 index 00000000000..b99058aba69 --- /dev/null +++ b/queue-5.15/net-ps3_gelic_net-use-dma_mapping_error.patch 
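Review bot: In `gelic_descr_prepare_rx()` the descriptor now advertises `descr->buf_size = cpu_to_be32(rx_skb_size)`, where `rx_skb_size` is `ALIGN(GELIC_NET_MAX_FRAME, GELIC_NET_RXBUF_ALIGN) + GELIC_NET_RXBUF_ALIGN - 1`, while the buffer is DMA-mapped with length `GELIC_NET_MAX_FRAME`. With the values in the header hunk the device is told 2559 bytes against 2312 bytes mapped, and 2559 is not a multiple of 128 as the new comment requires; the removed code passed the aligned size without the slack. The alignment slack belongs only in the allocation, so keep `netdev_alloc_skb(*card->netdev, rx_skb_size)` but set `descr->buf_size = cpu_to_be32(ALIGN(GELIC_NET_MAX_FRAME, GELIC_NET_RXBUF_ALIGN));`. The same aligned length should then go to `dma_map_single()` here and to `dma_unmap_single()` in `gelic_net_pass_skb_up()`. Both functions continue outside the hunks.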
@@ -0,0 +1,89 @@ +From 48f3c79b629d4888a4a05c26b895f6c1bd5f57f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Mar 2023 17:39:16 +0000 +Subject: net/ps3_gelic_net: Use dma_mapping_error + +From: Geoff Levand + +[ Upstream commit bebe933d35a63d4f042fbf4dce4f22e689ba0fcd ] + +The current Gelic Etherenet driver was checking the return value of its +dma_map_single call, and not using the dma_mapping_error() routine. + +Fixes runtime problems like these: + + DMA-API: ps3_gelic_driver sb_05: device driver failed to check map error + WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:1027 .check_unmap+0x888/0x8dc + +Fixes: 02c1889166b4 ("ps3: gigabit ethernet driver for PS3, take3") +Reviewed-by: Alexander Duyck +Signed-off-by: Geoff Levand +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/toshiba/ps3_gelic_net.c | 24 +++++++++++--------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_net.c b/drivers/net/ethernet/toshiba/ps3_gelic_net.c +index bd1316db2d944..78e484ea279bc 100644 +--- a/drivers/net/ethernet/toshiba/ps3_gelic_net.c ++++ b/drivers/net/ethernet/toshiba/ps3_gelic_net.c +@@ -317,15 +317,17 @@ static int gelic_card_init_chain(struct gelic_card *card, + + /* set up the hardware pointers in each descriptor */ + for (i = 0; i < no; i++, descr++) { ++ dma_addr_t cpu_addr; ++ + gelic_descr_set_status(descr, GELIC_DESCR_DMA_NOT_IN_USE); +- descr->bus_addr = +- dma_map_single(ctodev(card), descr, +- GELIC_DESCR_SIZE, +- DMA_BIDIRECTIONAL); + +- if (!descr->bus_addr) ++ cpu_addr = dma_map_single(ctodev(card), descr, ++ GELIC_DESCR_SIZE, DMA_BIDIRECTIONAL); ++ ++ if (dma_mapping_error(ctodev(card), cpu_addr)) + goto iommu_error; + ++ descr->bus_addr = cpu_to_be32(cpu_addr); + descr->next = descr + 1; + descr->prev = descr - 1; + } +@@ -375,6 +377,7 @@ static int gelic_descr_prepare_rx(struct gelic_card *card, + static const unsigned int rx_skb_size = + 
ALIGN(GELIC_NET_MAX_FRAME, GELIC_NET_RXBUF_ALIGN) + + GELIC_NET_RXBUF_ALIGN - 1; ++ dma_addr_t cpu_addr; + int offset; + + if (gelic_descr_get_status(descr) != GELIC_DESCR_DMA_NOT_IN_USE) +@@ -396,11 +399,10 @@ static int gelic_descr_prepare_rx(struct gelic_card *card, + if (offset) + skb_reserve(descr->skb, GELIC_NET_RXBUF_ALIGN - offset); + /* io-mmu-map the skb */ +- descr->buf_addr = cpu_to_be32(dma_map_single(ctodev(card), +- descr->skb->data, +- GELIC_NET_MAX_FRAME, +- DMA_FROM_DEVICE)); +- if (!descr->buf_addr) { ++ cpu_addr = dma_map_single(ctodev(card), descr->skb->data, ++ GELIC_NET_MAX_FRAME, DMA_FROM_DEVICE); ++ descr->buf_addr = cpu_to_be32(cpu_addr); ++ if (dma_mapping_error(ctodev(card), cpu_addr)) { + dev_kfree_skb_any(descr->skb); + descr->skb = NULL; + dev_info(ctodev(card), +@@ -780,7 +782,7 @@ static int gelic_descr_prepare_tx(struct gelic_card *card, + + buf = dma_map_single(ctodev(card), skb->data, skb->len, DMA_TO_DEVICE); + +- if (!buf) { ++ if (dma_mapping_error(ctodev(card), buf)) { + dev_err(ctodev(card), + "dma map 2 failed (%p, %i). Dropping packet\n", + skb->data, skb->len); +-- +2.39.2 + diff --git a/queue-5.15/net-qcom-emac-fix-use-after-free-bug-in-emac_remove-.patch b/queue-5.15/net-qcom-emac-fix-use-after-free-bug-in-emac_remove-.patch new file mode 100644 index 00000000000..73787657c37 --- /dev/null +++ b/queue-5.15/net-qcom-emac-fix-use-after-free-bug-in-emac_remove-.patch 
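Review bot: In `gelic_descr_prepare_rx()` the line `descr->buf_addr = cpu_to_be32(cpu_addr);` runs before `dma_mapping_error()` is checked, so on a failed mapping the descriptor holds the error value instead of zero. The removed check `if (!descr->buf_addr)` treated zero as "no buffer", and the visible part of the failure branch frees the skb without clearing the field; the rest of the branch is outside the hunk. Assign only after the check, or add `descr->buf_addr = 0;` in the failure branch, so the descriptor never carries an address that was not mapped. The `dma_addr_t` locals are named `cpu_addr` although they hold the device-side address; `bus_addr` or `dma_addr` would read more accurately.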
@@ -0,0 +1,63 @@
+From a947e344f1768355d4f470ace18a5162438b1713 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Mar 2023 16:05:26 +0800
+Subject: net: qcom/emac: Fix use after free bug in emac_remove due to race
+ condition
+
+From: Zheng Wang
+
+[ Upstream commit 6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 ]
+
+In emac_probe, &adpt->work_thread is bound with
+emac_work_thread. Then it will be started by timeout
+handler emac_tx_timeout or a IRQ handler emac_isr.
+
+If we remove the driver which will call emac_remove
+ to make cleanup, there may be a unfinished work.
+
+The possible sequence is as follows:
+
+Fix it by finishing the work before cleanup in the emac_remove
+and disable timeout response.
+
+CPU0 CPU1
+
+ |emac_work_thread
+emac_remove |
+free_netdev |
+kfree(netdev); |
+ |emac_reinit_locked
+ |emac_mac_down
+ |//use netdev
+Fixes: b9b17debc69d ("net: emac: emac gigabit ethernet controller driver")
+Signed-off-by: Zheng Wang
+
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qualcomm/emac/emac.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c
+index 9015a38eaced8..bb7f3286824f4 100644
+--- a/drivers/net/ethernet/qualcomm/emac/emac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac.c
+@@ -728,9 +728,15 @@ static int emac_remove(struct platform_device *pdev)
+ struct net_device *netdev = dev_get_drvdata(&pdev->dev);
+ struct emac_adapter *adpt = netdev_priv(netdev);
+
++ netif_carrier_off(netdev);
++ netif_tx_disable(netdev);
++
+ unregister_netdev(netdev);
+ netif_napi_del(&adpt->rx_q.napi);
+
++ free_irq(adpt->irq.irq, &adpt->irq);
++ cancel_work_sync(&adpt->work_thread);
++
+ emac_clks_teardown(adpt);
+
+ put_device(&adpt->phydev->mdio.dev);
+--
+2.39.2
+
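Review bot: The added `free_irq(adpt->irq.irq, &adpt->irq);` in emac_remove() runs after `unregister_netdev(netdev)`, and the place where this IRQ is requested is not visible in the hunk. If the driver requests it in its open handler and releases it in its stop handler, unregister_netdev() has already released it for an interface that was up, and it was never requested for one that was never opened. In either case this call would release an IRQ that is not held, so the request site should be checked before this is queued. If the IRQ is tied to open/stop, `synchronize_irq(adpt->irq.irq);` ahead of `cancel_work_sync(&adpt->work_thread);` gives the ordering without a second release. emac_remove() continues past the end of the hunk.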
diff --git a/queue-5.15/net-sonic-use-dma_mapping_error-for-error-check.patch b/queue-5.15/net-sonic-use-dma_mapping_error-for-error-check.patch new file mode 100644 index 00000000000..e70298c2de2 --- /dev/null +++ b/queue-5.15/net-sonic-use-dma_mapping_error-for-error-check.patch 
@@ -0,0 +1,49 @@
+From 92be82ab64a899582a8a1d5da737e335f4a422e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Mar 2023 14:45:43 +1100
+Subject: net/sonic: use dma_mapping_error() for error check
+
+From: Zhang Changzhong
+
+[ Upstream commit 4107b8746d93ace135b8c4da4f19bbae81db785f ]
+
+The DMA address returned by dma_map_single() should be checked with
+dma_mapping_error(). Fix it accordingly.
+
+Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update")
+Signed-off-by: Zhang Changzhong
+Tested-by: Stan Johnson
+Signed-off-by: Finn Thain
+Reviewed-by: Leon Romanovsky
+Link: https://lore.kernel.org/r/6645a4b5c1e364312103f48b7b36783b94e197a2.1679370343.git.fthain@linux-m68k.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/natsemi/sonic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/natsemi/sonic.c b/drivers/net/ethernet/natsemi/sonic.c
+index d17d1b4f2585f..825356ee3492e 100644
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -292,7 +292,7 @@ static int sonic_send_packet(struct sk_buff *skb, struct net_device *dev)
+ */
+
+ laddr = dma_map_single(lp->device, skb->data, length, DMA_TO_DEVICE);
+- if (!laddr) {
++ if (dma_mapping_error(lp->device, laddr)) {
+ pr_err_ratelimited("%s: failed to map tx DMA buffer.\n", dev->name);
+ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+@@ -509,7 +509,7 @@ static bool sonic_alloc_rb(struct net_device *dev, struct sonic_local *lp,
+
+ *new_addr = dma_map_single(lp->device, skb_put(*new_skb, SONIC_RBSIZE),
+ SONIC_RBSIZE, DMA_FROM_DEVICE);
+- if (!*new_addr) {
++ if (dma_mapping_error(lp->device, *new_addr)) {
+ dev_kfree_skb(*new_skb);
+ *new_skb = NULL;
+ return false;
+--
+2.39.2
+
diff --git a/queue-5.15/net-usb-smsc95xx-limit-packet-length-to-skb-len.patch b/queue-5.15/net-usb-smsc95xx-limit-packet-length-to-skb-len.patch new file mode 100644 index 00000000000..4bdf69d824d --- /dev/null +++ b/queue-5.15/net-usb-smsc95xx-limit-packet-length-to-skb-len.patch @@ -0,0 +1,43 @@ +From 16ad3d4b26a89371c09764925e06fc7f1223fecb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 11:19:54 +0100 +Subject: net: usb: smsc95xx: Limit packet length to skb->len + +From: Szymon Heidrich + +[ Upstream commit ff821092cf02a70c2bccd2d19269f01e29aa52cf ] + +Packet length retrieved from descriptor may be larger than +the actual socket buffer length. In such case the cloned +skb passed up the network stack will leak kernel memory contents. + +Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") +Signed-off-by: Szymon Heidrich +Reviewed-by: Jakub Kicinski +Link: https://lore.kernel.org/r/20230316101954.75836-1-szymon.heidrich@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 7cf9206638c37..649d9f9af6e67 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -1808,6 +1808,12 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + size = (u16)((header & RX_STS_FL_) >> 16); + align_count = (4 - ((size + NET_IP_ALIGN) % 4)) % 4; + ++ if (unlikely(size > skb->len)) { ++ netif_dbg(dev, rx_err, dev->net, ++ "size err header=0x%08x\n", header); ++ return 0; ++ } ++ + if (unlikely(header & RX_STS_ES_)) { + netif_dbg(dev, rx_err, dev->net, + "Error header=0x%08x\n", header); +-- +2.39.2 + diff --git a/queue-5.15/nvme-tcp-fix-nvme_tcp_term_pdu-to-match-spec.patch b/queue-5.15/nvme-tcp-fix-nvme_tcp_term_pdu-to-match-spec.patch new file mode 100644 index 00000000000..cf780c5a3c9 --- /dev/null 
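Review bot: The new `size > skb->len` guard in smsc95xx_rx_fixup() drops the frame with only a `netif_dbg`, so a device that reports an oversized length leaves no trace at default log levels. Counting it, e.g. `dev->net->stats.rx_length_errors++;` before `return 0;`, makes a faulty or malicious adapter visible in the interface statistics. The guard also sits after `align_count` is computed but does not cover it. Whether the padding is later pulled from the skb cannot be seen here, because the function continues outside the hunk, so that path should get the same bound.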
+++ b/queue-5.15/nvme-tcp-fix-nvme_tcp_term_pdu-to-match-spec.patch @@ -0,0 +1,44 @@ +From 52260d9253994318d42472137784ddc14505c682 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Mar 2023 09:57:36 -0600 +Subject: nvme-tcp: fix nvme_tcp_term_pdu to match spec + +From: Caleb Sander + +[ Upstream commit aa01c67de5926fdb276793180564f172c55fb0d7 ] + +The FEI field of C2HTermReq/H2CTermReq is 4 bytes but not 4-byte-aligned +in the NVMe/TCP specification (it is located at offset 10 in the PDU). +Split it into two 16-bit integers in struct nvme_tcp_term_pdu +so no padding is inserted. There should also be 10 reserved bytes after. +There are currently no users of this type. + +Fixes: fc221d05447aa6db ("nvme-tcp: Add protocol header") +Reported-by: Geert Uytterhoeven +Signed-off-by: Caleb Sander +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + include/linux/nvme-tcp.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/include/linux/nvme-tcp.h b/include/linux/nvme-tcp.h +index 959e0bd9a913e..73364ae916890 100644 +--- a/include/linux/nvme-tcp.h ++++ b/include/linux/nvme-tcp.h +@@ -114,8 +114,9 @@ struct nvme_tcp_icresp_pdu { + struct nvme_tcp_term_pdu { + struct nvme_tcp_hdr hdr; + __le16 fes; +- __le32 fei; +- __u8 rsvd[8]; ++ __le16 feil; ++ __le16 feiu; ++ __u8 rsvd[10]; + }; + + /** +-- +2.39.2 + diff --git a/queue-5.15/octeontx2-vf-add-missing-free-for-alloc_percpu.patch b/queue-5.15/octeontx2-vf-add-missing-free-for-alloc_percpu.patch new file mode 100644 index 00000000000..640175b095a --- /dev/null +++ b/queue-5.15/octeontx2-vf-add-missing-free-for-alloc_percpu.patch 
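Review bot: Nothing in the nvme-tcp.h hunk pins the layout this fix depends on. The commit message puts FEI at offset 10 with 10 reserved bytes after it and says the struct has no users yet, so a later edit could reintroduce padding unnoticed. A compile-time check next to the definition would catch that: `static_assert(sizeof(struct nvme_tcp_term_pdu) == 24);` and `static_assert(offsetof(struct nvme_tcp_term_pdu, feil) == 10);` (24 follows from offset 10 + 4 + 10). If the kernel-doc block above the struct, which is outside the hunk, still lists `@fei`, it needs `@feil` and `@feiu` entries for what are presumably the lower and upper 16 bits.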
@@ -0,0 +1,47 @@
+From 411e006a6b2a0115caddaecc232140ad0b13e1ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Mar 2023 14:43:37 +0800
+Subject: octeontx2-vf: Add missing free for alloc_percpu
+
+From: Jiasheng Jiang
+
+[ Upstream commit f038f3917baf04835ba2b7bcf2a04ac93fbf8a9c ]
+
+Add the free_percpu for the allocated "vf->hw.lmt_info" in order to avoid
+memory leak, same as the "pf->hw.lmt_info" in
+`drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c`.
+
+Fixes: 5c0512072f65 ("octeontx2-pf: cn10k: Use runtime allocated LMTLINE region")
+Signed-off-by: Jiasheng Jiang
+Reviewed-by: Michal Swiatkowski
+Acked-by: Geethasowjanya Akula
+Link: https://lore.kernel.org/r/20230317064337.18198-1-jiasheng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
+index 03b4ec630432b..9822db362c88e 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
+@@ -704,6 +704,7 @@ static int otx2vf_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ err_unreg_netdev:
+ unregister_netdev(netdev);
+ err_detach_rsrc:
++ free_percpu(vf->hw.lmt_info);
+ if (test_bit(CN10K_LMTST, &vf->hw.cap_flag))
+ qmem_free(vf->dev, vf->dync_lmt);
+ otx2_detach_resources(&vf->mbox);
+@@ -738,6 +739,7 @@ static void otx2vf_remove(struct pci_dev *pdev)
+ destroy_workqueue(vf->otx2_wq);
+ otx2vf_disable_mbox_intr(vf);
+ otx2_detach_resources(&vf->mbox);
++ free_percpu(vf->hw.lmt_info);
+ if (test_bit(CN10K_LMTST, &vf->hw.cap_flag))
+ qmem_free(vf->dev, vf->dync_lmt);
+ otx2vf_vfaf_mbox_destroy(vf);
+--
+2.39.2
+
diff --git a/queue-5.15/platform-chrome-cros_ec_chardev-fix-kernel-data-leak.patch b/queue-5.15/platform-chrome-cros_ec_chardev-fix-kernel-data-leak.patch new file mode 100644 index 00000000000..b08ab18abf2 --- /dev/null +++ b/queue-5.15/platform-chrome-cros_ec_chardev-fix-kernel-data-leak.patch @@ -0,0 +1,41 @@ +From a2eb82d76c5874c00ea3d120f3dbfc0f5c1b2cc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 09:06:58 +0800 +Subject: platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl + +From: Tzung-Bi Shih + +[ Upstream commit b20cf3f89c56b5f6a38b7f76a8128bf9f291bbd3 ] + +It is possible to peep kernel page's data by providing larger `insize` +in struct cros_ec_command[1] when invoking EC host commands. + +Fix it by using zeroed memory. + +[1]: https://elixir.bootlin.com/linux/v6.2/source/include/linux/platform_data/cros_ec_proto.h#L74 + +Fixes: eda2e30c6684 ("mfd / platform: cros_ec: Miscellaneous character device to talk with the EC") +Signed-off-by: Tzung-Bi Shih +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230324010658.1082361-1-tzungbi@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec_chardev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/chrome/cros_ec_chardev.c b/drivers/platform/chrome/cros_ec_chardev.c +index 0de7c255254e0..d6de5a2941282 100644 +--- a/drivers/platform/chrome/cros_ec_chardev.c ++++ b/drivers/platform/chrome/cros_ec_chardev.c +@@ -284,7 +284,7 @@ static long cros_ec_chardev_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg) + u_cmd.insize > EC_MAX_MSG_BYTES) + return -EINVAL; + +- s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize), ++ s_cmd = kzalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize), + GFP_KERNEL); + if (!s_cmd) + return -ENOMEM; +-- +2.39.2 + 
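Review bot: The switch to `kzalloc` in cros_ec_chardev_ioctl_xcmd() carries no comment saying why the zeroing matters, so a later cleanup could turn it back into `kmalloc`. Per the commit message, a caller-chosen `insize` larger than the EC's reply exposed stale kernel memory, and that requirement should be recorded at the allocation: `/* Zeroed on purpose: insize is caller-controlled and may exceed the EC reply; the buffer is returned to userspace. */`. The copy back to userspace is outside the hunk. Bounding that copy by the length the EC actually returned rather than by the requested `insize` would remove the dependency on zeroing, if the ioctl ABI permits it.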
diff --git a/queue-5.15/power-supply-bq24190-fix-use-after-free-bug-in-bq241.patch b/queue-5.15/power-supply-bq24190-fix-use-after-free-bug-in-bq241.patch new file mode 100644 index 00000000000..c70eab5c331 --- /dev/null +++ b/queue-5.15/power-supply-bq24190-fix-use-after-free-bug-in-bq241.patch 
@@ -0,0 +1,56 @@
+From 20ff4da4cccae28f994709954d7a38b68db85400 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Mar 2023 01:47:28 +0800
+Subject: power: supply: bq24190: Fix use after free bug in bq24190_remove due
+ to race condition
+
+From: Zheng Wang
+
+[ Upstream commit 47c29d69212911f50bdcdd0564b5999a559010d4 ]
+
+In bq24190_probe, &bdi->input_current_limit_work is bound
+with bq24190_input_current_limit_work. When external power
+changed, it will call bq24190_charger_external_power_changed
+ to start the work.
+
+If we remove the module which will call bq24190_remove to make
+cleanup, there may be a unfinished work. The possible
+sequence is as follows:
+
+CPU0 CPUc1
+
+ |bq24190_input_current_limit_work
+bq24190_remove |
+power_supply_unregister |
+device_unregister |
+power_supply_dev_release|
+kfree(psy) |
+ |
+ | power_supply_get_property_from_supplier
+ | //use
+
+Fix it by finishing the work before cleanup in the bq24190_remove
+
+Fixes: 97774672573a ("power_supply: Initialize changed_work before calling device_add")
+Signed-off-by: Zheng Wang
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/power/supply/bq24190_charger.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c
+index 0d262fe9780ca..ebb5ba7f8bb63 100644
+--- a/drivers/power/supply/bq24190_charger.c
++++ b/drivers/power/supply/bq24190_charger.c
+@@ -1832,6 +1832,7 @@ static int bq24190_remove(struct i2c_client *client)
+ struct bq24190_dev_info *bdi = i2c_get_clientdata(client);
+ int error;
+
++ cancel_delayed_work_sync(&bdi->input_current_limit_work);
+ error = pm_runtime_resume_and_get(bdi->dev);
+ if (error < 0)
+ dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
+--
+2.39.2
+
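Review bot: `cancel_delayed_work_sync(&bdi->input_current_limit_work);` is the first statement of bq24190_remove(), ahead of the power-supply unregistration that the commit message places later in the same function. That message says the work is queued from bq24190_charger_external_power_changed(), so until the supply is unregistered the work can presumably be queued again after this cancel returns, which would narrow the use-after-free window but not close it. If a re-queue is in fact impossible at this point, the reason should be stated where the call is made, e.g. `/* Stop the work before the supplies go away; external_power_changed() must not queue it after this point. */`. If it is possible, the queueing path has to be shut off first. The remainder of bq24190_remove() is outside the hunk, so this needs checking against the full function.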
diff --git a/queue-5.15/power-supply-bq24190_charger-using-pm_runtime_resume.patch b/queue-5.15/power-supply-bq24190_charger-using-pm_runtime_resume.patch new file mode 100644 index 00000000000..a60cff5adc6 --- /dev/null +++ b/queue-5.15/power-supply-bq24190_charger-using-pm_runtime_resume.patch 
@@ -0,0 +1,191 @@ +From 0dad65698150f2ec0a3f4726b1edaf8062eada53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 08:30:44 +0000 +Subject: power: supply: bq24190_charger: using pm_runtime_resume_and_get + instead of pm_runtime_get_sync + +From: Minghao Chi + +[ Upstream commit d96a89407e5f682d1cb22569d91784506c784863 ] + +Using pm_runtime_resume_and_get is more appropriate +for simplifing code + +Reported-by: Zeal Robot +Signed-off-by: Minghao Chi +Signed-off-by: Sebastian Reichel +Stable-dep-of: 47c29d692129 ("power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition") +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq24190_charger.c | 63 +++++++++----------------- + 1 file changed, 21 insertions(+), 42 deletions(-) + +diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c +index 16c4876fe5afb..0d262fe9780ca 100644 +--- a/drivers/power/supply/bq24190_charger.c ++++ b/drivers/power/supply/bq24190_charger.c +@@ -446,11 +446,9 @@ static ssize_t bq24190_sysfs_show(struct device *dev, + if (!info) + return -EINVAL; + +- ret = pm_runtime_get_sync(bdi->dev); +- if (ret < 0) { +- pm_runtime_put_noidle(bdi->dev); ++ ret = pm_runtime_resume_and_get(bdi->dev); ++ if (ret < 0) + return ret; +- } + + ret = bq24190_read_mask(bdi, info->reg, info->mask, info->shift, &v); + if (ret) +@@ -481,11 +479,9 @@ static ssize_t bq24190_sysfs_store(struct device *dev, + if (ret < 0) + return ret; + +- ret = pm_runtime_get_sync(bdi->dev); +- if (ret < 0) { +- pm_runtime_put_noidle(bdi->dev); ++ ret = pm_runtime_resume_and_get(bdi->dev); ++ if (ret < 0) + return ret; +- } + + ret = bq24190_write_mask(bdi, info->reg, info->mask, info->shift, v); + if (ret) +@@ -504,10 +500,9 @@ static int bq24190_set_charge_mode(struct regulator_dev *dev, u8 val) + struct bq24190_dev_info *bdi = rdev_get_drvdata(dev); + int ret; + +- ret = pm_runtime_get_sync(bdi->dev); ++ ret = pm_runtime_resume_and_get(bdi->dev); + 
if (ret < 0) { + dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", ret); +- pm_runtime_put_noidle(bdi->dev); + return ret; + } + +@@ -537,10 +532,9 @@ static int bq24190_vbus_is_enabled(struct regulator_dev *dev) + int ret; + u8 val; + +- ret = pm_runtime_get_sync(bdi->dev); ++ ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) { + dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", ret); +- pm_runtime_put_noidle(bdi->dev); + return ret; + } + +@@ -1081,11 +1075,9 @@ static int bq24190_charger_get_property(struct power_supply *psy, + + dev_dbg(bdi->dev, "prop: %d\n", psp); + +- ret = pm_runtime_get_sync(bdi->dev); +- if (ret < 0) { +- pm_runtime_put_noidle(bdi->dev); ++ ret = pm_runtime_resume_and_get(bdi->dev); ++ if (ret < 0) + return ret; +- } + + switch (psp) { + case POWER_SUPPLY_PROP_CHARGE_TYPE: +@@ -1155,11 +1147,9 @@ static int bq24190_charger_set_property(struct power_supply *psy, + + dev_dbg(bdi->dev, "prop: %d\n", psp); + +- ret = pm_runtime_get_sync(bdi->dev); +- if (ret < 0) { +- pm_runtime_put_noidle(bdi->dev); ++ ret = pm_runtime_resume_and_get(bdi->dev); ++ if (ret < 0) + return ret; +- } + + switch (psp) { + case POWER_SUPPLY_PROP_ONLINE: +@@ -1418,11 +1408,9 @@ static int bq24190_battery_get_property(struct power_supply *psy, + dev_warn(bdi->dev, "warning: /sys/class/power_supply/bq24190-battery is deprecated\n"); + dev_dbg(bdi->dev, "prop: %d\n", psp); + +- ret = pm_runtime_get_sync(bdi->dev); +- if (ret < 0) { +- pm_runtime_put_noidle(bdi->dev); ++ ret = pm_runtime_resume_and_get(bdi->dev); ++ if (ret < 0) + return ret; +- } + + switch (psp) { + case POWER_SUPPLY_PROP_STATUS: +@@ -1466,11 +1454,9 @@ static int bq24190_battery_set_property(struct power_supply *psy, + dev_warn(bdi->dev, "warning: /sys/class/power_supply/bq24190-battery is deprecated\n"); + dev_dbg(bdi->dev, "prop: %d\n", psp); + +- ret = pm_runtime_get_sync(bdi->dev); +- if (ret < 0) { +- pm_runtime_put_noidle(bdi->dev); ++ ret = pm_runtime_resume_and_get(bdi->dev); ++ if 
(ret < 0) + return ret; +- } + + switch (psp) { + case POWER_SUPPLY_PROP_ONLINE: +@@ -1624,10 +1610,9 @@ static irqreturn_t bq24190_irq_handler_thread(int irq, void *data) + int error; + + bdi->irq_event = true; +- error = pm_runtime_get_sync(bdi->dev); ++ error = pm_runtime_resume_and_get(bdi->dev); + if (error < 0) { + dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); +- pm_runtime_put_noidle(bdi->dev); + return IRQ_NONE; + } + bq24190_check_status(bdi); +@@ -1847,11 +1832,9 @@ static int bq24190_remove(struct i2c_client *client) + struct bq24190_dev_info *bdi = i2c_get_clientdata(client); + int error; + +- error = pm_runtime_get_sync(bdi->dev); +- if (error < 0) { ++ error = pm_runtime_resume_and_get(bdi->dev); ++ if (error < 0) + dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); +- pm_runtime_put_noidle(bdi->dev); +- } + + bq24190_register_reset(bdi); + if (bdi->battery) +@@ -1900,11 +1883,9 @@ static __maybe_unused int bq24190_pm_suspend(struct device *dev) + struct bq24190_dev_info *bdi = i2c_get_clientdata(client); + int error; + +- error = pm_runtime_get_sync(bdi->dev); +- if (error < 0) { ++ error = pm_runtime_resume_and_get(bdi->dev); ++ if (error < 0) + dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); +- pm_runtime_put_noidle(bdi->dev); +- } + + bq24190_register_reset(bdi); + +@@ -1925,11 +1906,9 @@ static __maybe_unused int bq24190_pm_resume(struct device *dev) + bdi->f_reg = 0; + bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */ + +- error = pm_runtime_get_sync(bdi->dev); +- if (error < 0) { ++ error = pm_runtime_resume_and_get(bdi->dev); ++ if (error < 0) + dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); +- pm_runtime_put_noidle(bdi->dev); +- } + + bq24190_register_reset(bdi); + bq24190_set_config(bdi); +-- +2.39.2 + 
diff --git a/queue-5.15/power-supply-da9150-fix-use-after-free-bug-in-da9150.patch b/queue-5.15/power-supply-da9150-fix-use-after-free-bug-in-da9150.patch new file mode 100644 index 00000000000..8f951bbf142 --- /dev/null +++ b/queue-5.15/power-supply-da9150-fix-use-after-free-bug-in-da9150.patch 
@@ -0,0 +1,55 @@ +From a4d80054e5e2c11cd371ccf8a3f73c62cea12c70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Mar 2023 01:46:50 +0800 +Subject: power: supply: da9150: Fix use after free bug in + da9150_charger_remove due to race condition + +From: Zheng Wang + +[ Upstream commit 06615d11cc78162dfd5116efb71f29eb29502d37 ] + +In da9150_charger_probe, &charger->otg_work is bound with +da9150_charger_otg_work. da9150_charger_otg_ncb may be +called to start the work. + +If we remove the module which will call da9150_charger_remove +to make cleanup, there may be a unfinished work. The possible +sequence is as follows: + +Fix it by canceling the work before cleanup in the da9150_charger_remove + +CPU0 CPUc1 + + |da9150_charger_otg_work +da9150_charger_remove | +power_supply_unregister | +device_unregister | +power_supply_dev_release| +kfree(psy) | + | + | power_supply_changed(charger->usb); + | //use + +Fixes: c1a281e34dae ("power: Add support for DA9150 Charger") +Signed-off-by: Zheng Wang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/da9150-charger.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/power/supply/da9150-charger.c b/drivers/power/supply/da9150-charger.c +index f9314cc0cd75f..6b987da586556 100644 +--- a/drivers/power/supply/da9150-charger.c ++++ b/drivers/power/supply/da9150-charger.c +@@ -662,6 +662,7 @@ static int da9150_charger_remove(struct platform_device *pdev) + + if (!IS_ERR_OR_NULL(charger->usb_phy)) + usb_unregister_notifier(charger->usb_phy, &charger->otg_nb); ++ cancel_work_sync(&charger->otg_work); + + power_supply_unregister(charger->battery); + power_supply_unregister(charger->usb); +-- +2.39.2 + diff --git a/queue-5.15/qed-qed_sriov-guard-against-null-derefs-from-qed_iov.patch b/queue-5.15/qed-qed_sriov-guard-against-null-derefs-from-qed_iov.patch new file mode 100644 index 00000000000..2a845ab787f --- /dev/null 
+++ b/queue-5.15/qed-qed_sriov-guard-against-null-derefs-from-qed_iov.patch @@ -0,0 +1,51 @@ +From 034f966ec1058a31216c77af7c6aaba8d764e6b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 13:29:21 +0300 +Subject: qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info + +From: Daniil Tatianin + +[ Upstream commit 25143b6a01d0cc5319edd3de22ffa2578b045550 ] + +We have to make sure that the info returned by the helper is valid +before using it. + +Found by Linux Verification Center (linuxtesting.org) with the SVACE +static analysis tool. + +Fixes: f990c82c385b ("qed*: Add support for ndo_set_vf_trust") +Fixes: 733def6a04bf ("qed*: IOV link control") +Signed-off-by: Daniil Tatianin +Reviewed-by: Michal Swiatkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_sriov.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c +index 3eb05376e7c3e..bf0ba3855da1d 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c +@@ -4378,6 +4378,9 @@ qed_iov_configure_min_tx_rate(struct qed_dev *cdev, int vfid, u32 rate) + } + + vf = qed_iov_get_vf_info(QED_LEADING_HWFN(cdev), (u16)vfid, true); ++ if (!vf) ++ return -EINVAL; ++ + vport_id = vf->vport_id; + + return qed_configure_vport_wfq(cdev, vport_id, rate); +@@ -5124,7 +5127,7 @@ static void qed_iov_handle_trust_change(struct qed_hwfn *hwfn) + + /* Validate that the VF has a configured vport */ + vf = qed_iov_get_vf_info(hwfn, i, true); +- if (!vf->vport_instance) ++ if (!vf || !vf->vport_instance) + continue; + + memset(¶ms, 0, sizeof(params)); +-- +2.39.2 + diff --git a/queue-5.15/scsi-scsi_dh_alua-fix-memleak-for-qdata-in-alua_acti.patch b/queue-5.15/scsi-scsi_dh_alua-fix-memleak-for-qdata-in-alua_acti.patch new file mode 100644 index 00000000000..04026ae2c76 --- /dev/null 
+++ b/queue-5.15/scsi-scsi_dh_alua-fix-memleak-for-qdata-in-alua_acti.patch 
@@ -0,0 +1,61 @@ +From b1b451e4eed56b7f80dd49d6666a9001e41b573d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 14:21:54 +0800 +Subject: scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate() + +From: Yu Kuai + +[ Upstream commit a13faca032acbf2699293587085293bdfaafc8ae ] + +If alua_rtpg_queue() failed from alua_activate(), then 'qdata' is not +freed, which will cause following memleak: + +unreferenced object 0xffff88810b2c6980 (size 32): + comm "kworker/u16:2", pid 635322, jiffies 4355801099 (age 1216426.076s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 40 39 24 c1 ff ff ff ff 00 f8 ea 0a 81 88 ff ff @9$............. + backtrace: + [<0000000098f3a26d>] alua_activate+0xb0/0x320 + [<000000003b529641>] scsi_dh_activate+0xb2/0x140 + [<000000007b296db3>] activate_path_work+0xc6/0xe0 [dm_multipath] + [<000000007adc9ace>] process_one_work+0x3c5/0x730 + [<00000000c457a985>] worker_thread+0x93/0x650 + [<00000000cb80e628>] kthread+0x1ba/0x210 + [<00000000a1e61077>] ret_from_fork+0x22/0x30 + +Fix the problem by freeing 'qdata' in error path. + +Fixes: 625fe857e4fa ("scsi: scsi_dh_alua: Check scsi_device_get() return value") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20230315062154.668812-1-yukuai1@huaweicloud.com +Reviewed-by: Benjamin Block +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/device_handler/scsi_dh_alua.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index 1d9be771f3ee0..a9c4a5e2ccb90 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -1117,10 +1117,12 @@ static int alua_activate(struct scsi_device *sdev, + rcu_read_unlock(); + mutex_unlock(&h->init_mutex); + +- if (alua_rtpg_queue(pg, sdev, qdata, true)) ++ if (alua_rtpg_queue(pg, sdev, qdata, true)) { + fn = NULL; +- else ++ } else { ++ kfree(qdata); + err = SCSI_DH_DEV_OFFLINED; ++ } + kref_put(&pg->kref, release_port_group); + out: + if (fn) +-- +2.39.2 + diff --git a/queue-5.15/series b/queue-5.15/series index e5a1d6d13f2..635a4dd3673 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
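Review bot: The new `kfree(qdata);` in alua_activate() is safe only if alua_rtpg_queue() returns false before it has linked `qdata` anywhere, and that function is outside the hunk. The ownership rule should be written at the call site, e.g. `/* queueing failed: qdata was not handed over, so free it here */`. Without it, a later change to alua_rtpg_queue()'s failure paths could turn this into a double free or a dangling list entry with nothing at the call site to flag it. alua_activate() starts and ends outside the hunk.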
@@ -13,3 +13,57 @@ kthread-add-the-helper-function-kthread_run_on_cpu.patch trace-hwlat-make-use-of-the-helper-function-kthread_.patch trace-hwlat-do-not-start-per-cpu-thread-if-it-is-alr.patch net-tls-fix-possible-race-condition-between-do_tls_g.patch +power-supply-bq24190_charger-using-pm_runtime_resume.patch +power-supply-bq24190-fix-use-after-free-bug-in-bq241.patch +power-supply-da9150-fix-use-after-free-bug-in-da9150.patch +arm-dts-imx6sll-e60k02-fix-usbotg1-pinctrl.patch +arm-dts-imx6sl-tolino-shine2hd-fix-usbotg1-pinctrl.patch +arm64-dts-imx8mn-specify-sound-dai-cells-for-sai-nod.patch +xsk-add-missing-overflow-check-in-xdp_umem_reg.patch +iavf-fix-inverted-rx-hash-condition-leading-to-disab.patch +iavf-fix-non-tunneled-ipv6-udp-packet-type-and-hashi.patch +intel-igbvf-free-irq-on-the-error-path-in-igbvf_requ.patch +igbvf-regard-vf-reset-nack-as-success.patch +igc-fix-the-validation-logic-for-taprio-s-gate-list.patch +i2c-imx-lpi2c-check-only-for-enabled-interrupt-flags.patch +i2c-hisi-only-use-the-completion-interrupt-to-finish.patch +scsi-scsi_dh_alua-fix-memleak-for-qdata-in-alua_acti.patch +net-dsa-b53-mmap-fix-device-tree-support.patch +net-usb-smsc95xx-limit-packet-length-to-skb-len.patch +qed-qed_sriov-guard-against-null-derefs-from-qed_iov.patch +xirc2ps_cs-fix-use-after-free-bug-in-xirc2ps_detach.patch +net-phy-ensure-state-transitions-are-processed-from-.patch +net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch +net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch-9507 +drm-i915-gt-perform-uc-late-init-after-probe-error-i.patch +net-qcom-emac-fix-use-after-free-bug-in-emac_remove-.patch +net-ps3_gelic_net-fix-rx-sk_buff-length.patch +net-ps3_gelic_net-use-dma_mapping_error.patch +octeontx2-vf-add-missing-free-for-alloc_percpu.patch +bootconfig-fix-testcase-to-increase-max-node.patch +keys-do-not-cache-key-in-task-struct-if-key-is-reque.patch +iavf-fix-hang-on-reboot-with-ice.patch 
+i40e-fix-flow-director-packet-filter-programming.patch +bpf-adjust-insufficient-default-bpf_jit_limit.patch +net-mlx5e-set-uplink-rep-as-netns_local.patch +net-mlx5-fix-steering-rules-cleanup.patch +net-mlx5-read-the-tc-mapping-of-all-priorities-on-et.patch +net-mlx5-e-switch-fix-an-oops-in-error-handling-code.patch +net-dsa-tag_brcm-legacy-fix-daisy-chained-switches.patch +atm-idt77252-fix-kmemleak-when-rmmod-idt77252.patch +erspan-do-not-use-skb_mac_header-in-ndo_start_xmit.patch +net-sonic-use-dma_mapping_error-for-error-check.patch +nvme-tcp-fix-nvme_tcp_term_pdu-to-match-spec.patch +hvc-xen-prevent-concurrent-accesses-to-the-shared-ri.patch +ksmbd-add-low-bound-validation-to-fsctl_set_zero_dat.patch +ksmbd-add-low-bound-validation-to-fsctl_query_alloca.patch +ksmbd-fix-possible-refcount-leak-in-smb2_open.patch +gve-cache-link_speed-value-from-device.patch +net-dsa-mt7530-move-enabling-disabling-core-clock-to.patch +net-dsa-mt7530-move-lowering-trgmii-driving-to-mt753.patch +net-dsa-mt7530-move-setting-ssc_delta-to-phy_interfa.patch +net-mdio-thunder-add-missing-fwnode_handle_put.patch +bluetooth-btqcomsmd-fix-command-timeout-after-settin.patch +bluetooth-l2cap-fix-responding-with-wrong-pdu-type.patch +bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch +platform-chrome-cros_ec_chardev-fix-kernel-data-leak.patch diff --git a/queue-5.15/xirc2ps_cs-fix-use-after-free-bug-in-xirc2ps_detach.patch b/queue-5.15/xirc2ps_cs-fix-use-after-free-bug-in-xirc2ps_detach.patch new file mode 100644 index 00000000000..7524d45c28c --- /dev/null +++ b/queue-5.15/xirc2ps_cs-fix-use-after-free-bug-in-xirc2ps_detach.patch 
@@ -0,0 +1,58 @@ +From b58122d0fa0ce5def57fbd073bbd298a29628d27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Mar 2023 00:15:26 +0800 +Subject: xirc2ps_cs: Fix use after free bug in xirc2ps_detach + +From: Zheng Wang + +[ Upstream commit e8d20c3ded59a092532513c9bd030d1ea66f5f44 ] + +In xirc2ps_probe, the local->tx_timeout_task was bounded +with xirc2ps_tx_timeout_task. When timeout occurs, +it will call xirc_tx_timeout->schedule_work to start the +work. + +When we call xirc2ps_detach to remove the driver, there +may be a sequence as follows: + +Stop responding to timeout tasks and complete scheduled +tasks before cleanup in xirc2ps_detach, which will fix +the problem. + +CPU0 CPU1 + + |xirc2ps_tx_timeout_task +xirc2ps_detach | + free_netdev | + kfree(dev); | + | + | do_reset + | //use dev + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Zheng Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xircom/xirc2ps_cs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c +index ae611e46da6af..f8bbd1489af15 100644 +--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c ++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c +@@ -503,6 +503,11 @@ static void + xirc2ps_detach(struct pcmcia_device *link) + { + struct net_device *dev = link->priv; ++ struct local_info *local = netdev_priv(dev); ++ ++ netif_carrier_off(dev); ++ netif_tx_disable(dev); ++ cancel_work_sync(&local->tx_timeout_task); + + dev_dbg(&link->dev, "detach\n"); + +-- +2.39.2 + diff --git a/queue-5.15/xsk-add-missing-overflow-check-in-xdp_umem_reg.patch b/queue-5.15/xsk-add-missing-overflow-check-in-xdp_umem_reg.patch new file mode 100644 index 00000000000..71bfebeffa4 --- /dev/null +++ b/queue-5.15/xsk-add-missing-overflow-check-in-xdp_umem_reg.patch 
@@ -0,0 +1,64 @@ +From 23b4a12c159219dd5232df7459b12e8a5d0ccdac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 18:40:13 +0100 +Subject: xsk: Add missing overflow check in xdp_umem_reg + +From: Kal Conley + +[ Upstream commit c7df4813b149362248d6ef7be41a311e27bf75fe ] + +The number of chunks can overflow u32. Make sure to return -EINVAL on +overflow. Also remove a redundant u32 cast assigning umem->npgs. + +Fixes: bbff2f321a86 ("xsk: new descriptor addressing scheme") +Signed-off-by: Kal Conley +Signed-off-by: Daniel Borkmann +Acked-by: Magnus Karlsson +Link: https://lore.kernel.org/bpf/20230308174013.1114745-1-kal.conley@dectris.com +Signed-off-by: Sasha Levin +--- + net/xdp/xdp_umem.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c +index f01ef6bda3909..65f918d29531d 100644 +--- a/net/xdp/xdp_umem.c ++++ b/net/xdp/xdp_umem.c +@@ -152,10 +152,11 @@ static int xdp_umem_account_pages(struct xdp_umem *umem) + + static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + { +- u32 npgs_rem, chunk_size = mr->chunk_size, headroom = mr->headroom; + bool unaligned_chunks = mr->flags & XDP_UMEM_UNALIGNED_CHUNK_FLAG; +- u64 npgs, addr = mr->addr, size = mr->len; +- unsigned int chunks, chunks_rem; ++ u32 chunk_size = mr->chunk_size, headroom = mr->headroom; ++ u64 addr = mr->addr, size = mr->len; ++ u32 chunks_rem, npgs_rem; ++ u64 chunks, npgs; + int err; + + if (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) { +@@ -190,8 +191,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + if (npgs > U32_MAX) + return -EINVAL; + +- chunks = (unsigned int)div_u64_rem(size, chunk_size, &chunks_rem); +- if (chunks == 0) ++ chunks = div_u64_rem(size, chunk_size, &chunks_rem); ++ if (!chunks || chunks > U32_MAX) + return -EINVAL; + + if (!unaligned_chunks && chunks_rem) +@@ -204,7 +205,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, 
struct xdp_umem_reg *mr) + umem->headroom = headroom; + umem->chunk_size = chunk_size; + umem->chunks = chunks; +- umem->npgs = (u32)npgs; ++ umem->npgs = npgs; + umem->pgs = NULL; + umem->user = NULL; + umem->flags = mr->flags; +-- +2.39.2 + -- 2.47.3
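Review bot: With the cast removed, `umem->npgs = npgs;` in xdp_umem_reg() narrows a u64 silently, and `umem->chunks = chunks;` presumably does the same now that `chunks` is u64. Both stores are safe only because of the `npgs > U32_MAX` and `chunks > U32_MAX` rejections earlier in the function. A one-line comment above the assignments, `/* npgs and chunks were rejected above if they exceed U32_MAX, so these stores cannot truncate */`, ties them to the checks they depend on, so a reorder or a removed check is easier to notice in review. Parts of xdp_umem_reg() lie between and after the hunks and are not visible here.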