From 391aef9f9658ce5619e134ea9f0d71b50d75c4d3 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 11 Nov 2023 21:50:15 -0500 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...ty_inet_conn_request-after-setting-i.patch | 59 ++++++++ ...curity_inet_conn_request-after-setti.patch | 85 +++++++++++ ...rmi4-fix-use-after-free-in-rmi_unreg.patch | 43 ++++++ ...fy-mac-len-before-reading-mac-header.patch | 113 ++++++++++++++ ...e-multicast-filter-for-rtl8168h-and-.patch | 43 ++++++ ...ling-sock-under-state-smc_appfinclos.patch | 111 ++++++++++++++ .../net-smc-postpone-release-of-clcsock.patch | 100 +++++++++++++ ...-pending-work-before-clcsock-release.patch | 139 ++++++++++++++++++ ...ent-fix-increase-ipv6-literal-buffer.patch | 49 ++++++ ...ize-appropriate-clock-apis-in-suspen.patch | 51 +++++++ .../pwm-sti-avoid-conditional-gotos.patch | 93 ++++++++++++ ...umber-of-allocations-and-drop-usage-.patch | 116 +++++++++++++++ .../r8169-improve-rtl_set_rx_mode.patch | 112 ++++++++++++++ ...ct-userspace-disabling-iff_multicast.patch | 42 ++++++ queue-4.19/series | 16 ++ ...down-device-only-on-system_power_off.patch | 46 ++++++ ...policy-for-bearer-related-names-to-n.patch | 111 ++++++++++++++ 17 files changed, 1329 insertions(+) create mode 100644 queue-4.19/dccp-call-security_inet_conn_request-after-setting-i.patch create mode 100644 queue-4.19/dccp-tcp-call-security_inet_conn_request-after-setti.patch create mode 100644 queue-4.19/input-synaptics-rmi4-fix-use-after-free-in-rmi_unreg.patch create mode 100644 queue-4.19/llc-verify-mac-len-before-reading-mac-header.patch create mode 100644 queue-4.19/net-r8169-disable-multicast-filter-for-rtl8168h-and-.patch create mode 100644 queue-4.19/net-smc-fix-dangling-sock-under-state-smc_appfinclos.patch create mode 100644 queue-4.19/net-smc-postpone-release-of-clcsock.patch create mode 100644 queue-4.19/net-smc-wait-for-pending-work-before-clcsock-release.patch create mode 100644 queue-4.19/netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch create mode 100644 queue-4.19/pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch create mode 100644 queue-4.19/pwm-sti-avoid-conditional-gotos.patch create mode 100644 queue-4.19/pwm-sti-reduce-number-of-allocations-and-drop-usage-.patch create mode 100644 queue-4.19/r8169-improve-rtl_set_rx_mode.patch create mode 100644 queue-4.19/r8169-respect-userspace-disabling-iff_multicast.patch create mode 100644 queue-4.19/tg3-power-down-device-only-on-system_power_off.patch create mode 100644 queue-4.19/tipc-change-nla_policy-for-bearer-related-names-to-n.patch diff --git a/queue-4.19/dccp-call-security_inet_conn_request-after-setting-i.patch b/queue-4.19/dccp-call-security_inet_conn_request-after-setting-i.patch new file mode 100644 index 00000000000..abda91ae292 --- /dev/null +++ b/queue-4.19/dccp-call-security_inet_conn_request-after-setting-i.patch @@ -0,0 +1,59 @@ +From 381685868efb48ba05622ea307149c7708d8774b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 13:10:41 -0700 +Subject: dccp: Call security_inet_conn_request() after setting IPv4 addresses. + +From: Kuniyuki Iwashima + +[ Upstream commit fa2df45af13091f76b89adb84a28f13818d5d631 ] + +Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child +sockets") introduced security_inet_conn_request() in some functions +where reqsk is allocated. The hook is added just after the allocation, +so reqsk's IPv4 remote address was not initialised then. + +However, SELinux/Smack started to read it in netlbl_req_setattr() +after the cited commits. + +This bug was partially fixed by commit 284904aa7946 ("lsm: Relocate +the IPv4 security_inet_conn_request() hooks"). + +This patch fixes the last bug in DCCPv4. + +Fixes: 389fb800ac8b ("netlabel: Label incoming TCP connections correctly in SELinux") +Fixes: 07feee8f812f ("netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Moore +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/dccp/ipv4.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c +index 892fbd1f650da..5281ac3260f6f 100644 +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -612,9 +612,6 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) + if (dccp_parse_options(sk, dreq, skb)) + goto drop_and_free; + +- if (security_inet_conn_request(sk, skb, req)) +- goto drop_and_free; +- + ireq = inet_rsk(req); + sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); + sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); +@@ -622,6 +619,9 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) + ireq->ireq_family = AF_INET; + ireq->ir_iif = sk->sk_bound_dev_if; + ++ if (security_inet_conn_request(sk, skb, req)) ++ goto drop_and_free; ++ + /* + * Step 3: Process LISTEN state + * +-- +2.42.0 + diff --git a/queue-4.19/dccp-tcp-call-security_inet_conn_request-after-setti.patch b/queue-4.19/dccp-tcp-call-security_inet_conn_request-after-setti.patch new file mode 100644 index 00000000000..eb1f8ef1eeb --- /dev/null +++ b/queue-4.19/dccp-tcp-call-security_inet_conn_request-after-setti.patch @@ -0,0 +1,85 @@ +From d61c5670d499d6a1fe64da7d59d106d5e4b45d37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 13:10:42 -0700 +Subject: dccp/tcp: Call security_inet_conn_request() after setting IPv6 + addresses. + +From: Kuniyuki Iwashima + +[ Upstream commit 23be1e0e2a83a8543214d2599a31d9a2185a796b ] + +Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child +sockets") introduced security_inet_conn_request() in some functions +where reqsk is allocated. The hook is added just after the allocation, +so reqsk's IPv6 remote address was not initialised then. + +However, SELinux/Smack started to read it in netlbl_req_setattr() +after commit e1adea927080 ("calipso: Allow request sockets to be +relabelled by the lsm."). + +Commit 284904aa7946 ("lsm: Relocate the IPv4 security_inet_conn_request() +hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was +not supported at that time. Finally, the same issue was introduced again +in IPv6. + +Let's apply the same fix on DCCPv6 and TCPv6. + +Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Moore +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/dccp/ipv6.c | 6 +++--- + net/ipv6/syncookies.c | 7 ++++--- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index 9b8c6cf0e5eee..72ceefbf23120 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -349,15 +349,15 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) + if (dccp_parse_options(sk, dreq, skb)) + goto drop_and_free; + +- if (security_inet_conn_request(sk, skb, req)) +- goto drop_and_free; +- + ireq = inet_rsk(req); + ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; + ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; + ireq->ireq_family = AF_INET6; + ireq->ir_mark = inet_request_mark(sk, skb); + ++ if (security_inet_conn_request(sk, skb, req)) ++ goto drop_and_free; ++ + if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || + np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || + np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) { +diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c +index ca291e342900c..ab073ac3d7ace 100644 +--- a/net/ipv6/syncookies.c ++++ b/net/ipv6/syncookies.c +@@ -184,14 +184,15 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) + treq->af_specific = &tcp_request_sock_ipv6_ops; + treq->tfo_listener = false; + +- if (security_inet_conn_request(sk, skb, req)) +- goto out_free; +- + req->mss = mss; + ireq->ir_rmt_port = th->source; + ireq->ir_num = ntohs(th->dest); + ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; + ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; ++ ++ if (security_inet_conn_request(sk, skb, req)) ++ goto out_free; ++ + if (ipv6_opt_accepted(sk, skb, &TCP_SKB_CB(skb)->header.h6) || + np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || + np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) { +-- +2.42.0 + diff --git a/queue-4.19/input-synaptics-rmi4-fix-use-after-free-in-rmi_unreg.patch b/queue-4.19/input-synaptics-rmi4-fix-use-after-free-in-rmi_unreg.patch new file mode 100644 index 00000000000..9b905e62161 --- /dev/null +++ b/queue-4.19/input-synaptics-rmi4-fix-use-after-free-in-rmi_unreg.patch @@ -0,0 +1,43 @@ +From 3e79df4a633309b4f9e37ce966e762b80c39a752 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Oct 2023 02:53:36 +0000 +Subject: Input: synaptics-rmi4 - fix use after free in + rmi_unregister_function() + +From: Dan Carpenter + +[ Upstream commit eb988e46da2e4eae89f5337e047ce372fe33d5b1 ] + +The put_device() calls rmi_release_function() which frees "fn" so the +dereference on the next line "fn->num_of_irqs" is a use after free. +Move the put_device() to the end to fix this. + +Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/706efd36-7561-42f3-adfa-dd1d0bd4f5a1@moroto.mountain +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/rmi4/rmi_bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/rmi4/rmi_bus.c b/drivers/input/rmi4/rmi_bus.c +index bd0d5ff01b08f..02408487b4423 100644 +--- a/drivers/input/rmi4/rmi_bus.c ++++ b/drivers/input/rmi4/rmi_bus.c +@@ -279,11 +279,11 @@ void rmi_unregister_function(struct rmi_function *fn) + + device_del(&fn->dev); + of_node_put(fn->dev.of_node); +- put_device(&fn->dev); + + for (i = 0; i < fn->num_of_irqs; i++) + irq_dispose_mapping(fn->irq[i]); + ++ put_device(&fn->dev); + } + + /** +-- +2.42.0 + diff --git a/queue-4.19/llc-verify-mac-len-before-reading-mac-header.patch b/queue-4.19/llc-verify-mac-len-before-reading-mac-header.patch new file mode 100644 index 00000000000..b58c2f25d79 --- /dev/null +++ b/queue-4.19/llc-verify-mac-len-before-reading-mac-header.patch @@ -0,0 +1,113 @@ +From 81f75739a333c75f600b9e9e814baa3577eb142b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 19:42:38 -0400 +Subject: llc: verify mac len before reading mac header + +From: Willem de Bruijn + +[ Upstream commit 7b3ba18703a63f6fd487183b9262b08e5632da1b ] + +LLC reads the mac header with eth_hdr without verifying that the skb +has an Ethernet header. + +Syzbot was able to enter llc_rcv on a tun device. Tun can insert +packets without mac len and with user configurable skb->protocol +(passing a tun_pi header when not configuring IFF_NO_PI). + + BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] + BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 + llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] + llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 + llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218 + __netif_receive_skb_one_core net/core/dev.c:5523 [inline] + __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637 + netif_receive_skb_internal net/core/dev.c:5723 [inline] + netif_receive_skb+0x58/0x660 net/core/dev.c:5782 + tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 + tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002 + +Add a mac_len test before all three eth_hdr(skb) calls under net/llc. + +There are further uses in include/net/llc_pdu.h. All these are +protected by a test skb->protocol == ETH_P_802_2. Which does not +protect against this tun scenario. + +But the mac_len test added in this patch in llc_fixup_skb will +indirectly protect those too. That is called from llc_rcv before any +other LLC code. + +It is tempting to just add a blanket mac_len check in llc_rcv, but +not sure whether that could break valid LLC paths that do not assume +an Ethernet header. 802.2 LLC may be used on top of non-802.3 +protocols in principle. The below referenced commit shows that used +to, on top of Token Ring. + +At least one of the three eth_hdr uses goes back to before the start +of git history. But the one that syzbot exercises is introduced in +this commit. That commit is old enough (2008), that effectively all +stable kernels should receive this. + +Fixes: f83f1768f833 ("[LLC]: skb allocation size for responses") +Reported-by: syzbot+a8c7be6dee0de1b669cc@syzkaller.appspotmail.com +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20231025234251.3796495-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/llc/llc_input.c | 10 ++++++++-- + net/llc/llc_s_ac.c | 3 +++ + net/llc/llc_station.c | 3 +++ + 3 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c +index f9e801cc50f5e..f4fb309185ced 100644 +--- a/net/llc/llc_input.c ++++ b/net/llc/llc_input.c +@@ -127,8 +127,14 @@ static inline int llc_fixup_skb(struct sk_buff *skb) + skb->transport_header += llc_len; + skb_pull(skb, llc_len); + if (skb->protocol == htons(ETH_P_802_2)) { +- __be16 pdulen = eth_hdr(skb)->h_proto; +- s32 data_size = ntohs(pdulen) - llc_len; ++ __be16 pdulen; ++ s32 data_size; ++ ++ if (skb->mac_len < ETH_HLEN) ++ return 0; ++ ++ pdulen = eth_hdr(skb)->h_proto; ++ data_size = ntohs(pdulen) - llc_len; + + if (data_size < 0 || + !pskb_may_pull(skb, data_size)) +diff --git a/net/llc/llc_s_ac.c b/net/llc/llc_s_ac.c +index 9fa3342c7a829..df26557a02448 100644 +--- a/net/llc/llc_s_ac.c ++++ b/net/llc/llc_s_ac.c +@@ -153,6 +153,9 @@ int llc_sap_action_send_test_r(struct llc_sap *sap, struct sk_buff *skb) + int rc = 1; + u32 data_size; + ++ if (skb->mac_len < ETH_HLEN) ++ return 1; ++ + llc_pdu_decode_sa(skb, mac_da); + llc_pdu_decode_da(skb, mac_sa); + llc_pdu_decode_ssap(skb, &dsap); +diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c +index c29170e767a8c..64e2c67e16ba3 100644 +--- a/net/llc/llc_station.c ++++ b/net/llc/llc_station.c +@@ -77,6 +77,9 @@ static int llc_station_ac_send_test_r(struct sk_buff *skb) + u32 data_size; + struct sk_buff *nskb; + ++ if (skb->mac_len < ETH_HLEN) ++ goto out; ++ + /* The test request command is type U (llc_len = 3) */ + data_size = ntohs(eth_hdr(skb)->h_proto) - 3; + nskb = llc_alloc_frame(NULL, skb->dev, LLC_PDU_TYPE_U, data_size); +-- +2.42.0 + diff --git a/queue-4.19/net-r8169-disable-multicast-filter-for-rtl8168h-and-.patch b/queue-4.19/net-r8169-disable-multicast-filter-for-rtl8168h-and-.patch new file mode 100644 index 00000000000..42a77444e53 --- /dev/null +++ b/queue-4.19/net-r8169-disable-multicast-filter-for-rtl8168h-and-.patch @@ -0,0 +1,43 @@ +From bcd2912edad5acd8890074d4f025a91d51c019bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 16:50:14 -0400 +Subject: net: r8169: Disable multicast filter for RTL8168H and RTL8107E + +From: Patrick Thompson + +[ Upstream commit efa5f1311c4998e9e6317c52bc5ee93b3a0f36df ] + +RTL8168H and RTL8107E ethernet adapters erroneously filter unicast +eapol packets unless allmulti is enabled. These devices correspond to +RTL_GIGA_MAC_VER_46 and VER_48. Add an exception for VER_46 and VER_48 +in the same way that VER_35 has an exception. + +Fixes: 6e1d0b898818 ("r8169:add support for RTL8168H and RTL8107E") +Signed-off-by: Patrick Thompson +Reviewed-by: Jacob Keller +Reviewed-by: Heiner Kallweit +Link: https://lore.kernel.org/r/20231030205031.177855-1-ptf@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 2a59087364808..69d01b68cf6b7 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4626,7 +4626,9 @@ static void rtl_set_rx_mode(struct net_device *dev) + rx_mode |= AcceptAllPhys; + } else if (netdev_mc_count(dev) > MC_FILTER_LIMIT || + dev->flags & IFF_ALLMULTI || +- tp->mac_version == RTL_GIGA_MAC_VER_35) { ++ tp->mac_version == RTL_GIGA_MAC_VER_35 || ++ tp->mac_version == RTL_GIGA_MAC_VER_46 || ++ tp->mac_version == RTL_GIGA_MAC_VER_48) { + /* accept all multicasts */ + } else if (netdev_mc_empty(dev)) { + rx_mode &= ~AcceptMulticast; +-- +2.42.0 + diff --git a/queue-4.19/net-smc-fix-dangling-sock-under-state-smc_appfinclos.patch b/queue-4.19/net-smc-fix-dangling-sock-under-state-smc_appfinclos.patch new file mode 100644 index 00000000000..4aeaee14621 --- /dev/null +++ b/queue-4.19/net-smc-fix-dangling-sock-under-state-smc_appfinclos.patch @@ -0,0 +1,111 @@ +From 4f124bee513e45ec5b3452314080be37b1dea1f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 14:07:38 +0800 +Subject: net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT + +From: D. Wythe + +[ Upstream commit 5211c9729484c923f8d2e06bd29f9322cc42bb8f ] + +Considering scenario: + + smc_cdc_rx_handler +__smc_release + sock_set_flag +smc_close_active() +sock_set_flag + +__set_bit(DEAD) __set_bit(DONE) + +Dues to __set_bit is not atomic, the DEAD or DONE might be lost. +if the DEAD flag lost, the state SMC_CLOSED will be never be reached +in smc_close_passive_work: + +if (sock_flag(sk, SOCK_DEAD) && + smc_close_sent_any_close(conn)) { + sk->sk_state = SMC_CLOSED; +} else { + /* just shutdown, but not yet closed locally */ + sk->sk_state = SMC_APPFINCLOSEWAIT; +} + +Replace sock_set_flags or __set_bit to set_bit will fix this problem. +Since set_bit is atomic. + +Fixes: b38d732477e4 ("smc: socket closing and linkgroup cleanup") +Signed-off-by: D. Wythe +Reviewed-by: Dust Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 4 ++-- + net/smc/smc.h | 5 +++++ + net/smc/smc_cdc.c | 2 +- + net/smc/smc_close.c | 2 +- + 4 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 6b30bec54b624..ad0ac657fe12c 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -141,7 +141,7 @@ static int smc_release(struct socket *sock) + + if (!smc->use_fallback) { + rc = smc_close_active(smc); +- sock_set_flag(sk, SOCK_DEAD); ++ smc_sock_set_flag(sk, SOCK_DEAD); + sk->sk_shutdown |= SHUTDOWN_MASK; + } else { + if (sk->sk_state != SMC_LISTEN && sk->sk_state != SMC_INIT) +@@ -852,7 +852,7 @@ static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc) + if (new_clcsock) + sock_release(new_clcsock); + new_sk->sk_state = SMC_CLOSED; +- sock_set_flag(new_sk, SOCK_DEAD); ++ smc_sock_set_flag(new_sk, SOCK_DEAD); + sock_put(new_sk); /* final */ + *new_smc = NULL; + goto out; +diff --git a/net/smc/smc.h b/net/smc/smc.h +index adbdf195eb085..c3b0e1e3f505d 100644 +--- a/net/smc/smc.h ++++ b/net/smc/smc.h +@@ -268,4 +268,9 @@ static inline bool using_ipsec(struct smc_sock *smc) + struct sock *smc_accept_dequeue(struct sock *parent, struct socket *new_sock); + void smc_close_non_accepted(struct sock *sk); + ++static inline void smc_sock_set_flag(struct sock *sk, enum sock_flags flag) ++{ ++ set_bit(flag, &sk->sk_flags); ++} ++ + #endif /* __SMC_H */ +diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c +index 333e4353498f8..c657fd29ff5d0 100644 +--- a/net/smc/smc_cdc.c ++++ b/net/smc/smc_cdc.c +@@ -304,7 +304,7 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc, + smc->sk.sk_shutdown |= RCV_SHUTDOWN; + if (smc->clcsock && smc->clcsock->sk) + smc->clcsock->sk->sk_shutdown |= RCV_SHUTDOWN; +- sock_set_flag(&smc->sk, SOCK_DONE); ++ smc_sock_set_flag(&smc->sk, SOCK_DONE); + sock_hold(&smc->sk); /* sock_put in close_work */ + if (!schedule_work(&conn->close_work)) + sock_put(&smc->sk); +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index cac0773f5ebd9..4ea28ec7ad135 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -164,7 +164,7 @@ static void smc_close_active_abort(struct smc_sock *smc) + break; + } + +- sock_set_flag(sk, SOCK_DEAD); ++ smc_sock_set_flag(sk, SOCK_DEAD); + sk->sk_state_change(sk); + } + +-- +2.42.0 + diff --git a/queue-4.19/net-smc-postpone-release-of-clcsock.patch b/queue-4.19/net-smc-postpone-release-of-clcsock.patch new file mode 100644 index 00000000000..9a3c830c2d2 --- /dev/null +++ b/queue-4.19/net-smc-postpone-release-of-clcsock.patch @@ -0,0 +1,100 @@ +From d120c8370a609dfe9ea110e7b1c9aad12d3510de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Feb 2019 15:56:15 +0100 +Subject: net/smc: postpone release of clcsock + +From: Ursula Braun + +[ Upstream commit b03faa1fafc8018295401dc558bdc76362d860a4 ] + +According to RFC7609 (http://www.rfc-editor.org/info/rfc7609) +first the SMC-R connection is shut down and then the normal TCP +connection FIN processing drives cleanup of the internal TCP connection. +The unconditional release of the clcsock during active socket closing +has to be postponed if the peer has not yet signalled socket closing. + +Signed-off-by: Ursula Braun +Signed-off-by: David S. Miller +Stable-dep-of: 5211c9729484 ("net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT") +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 33 +++++++++++++++++---------------- + net/smc/smc_close.c | 7 ++++++- + 2 files changed, 23 insertions(+), 17 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index dcd00b514c3f9..6f342f6cc4876 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -143,32 +143,33 @@ static int smc_release(struct socket *sock) + rc = smc_close_active(smc); + sock_set_flag(sk, SOCK_DEAD); + sk->sk_shutdown |= SHUTDOWN_MASK; +- } +- +- sk->sk_prot->unhash(sk); +- +- if (smc->clcsock) { +- if (smc->use_fallback && sk->sk_state == SMC_LISTEN) { ++ } else { ++ if (sk->sk_state != SMC_LISTEN && sk->sk_state != SMC_INIT) ++ sock_put(sk); /* passive closing */ ++ if (sk->sk_state == SMC_LISTEN) { + /* wake up clcsock accept */ + rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); + } +- mutex_lock(&smc->clcsock_release_lock); +- sock_release(smc->clcsock); +- smc->clcsock = NULL; +- mutex_unlock(&smc->clcsock_release_lock); +- } +- if (smc->use_fallback) { +- if (sk->sk_state != SMC_LISTEN && sk->sk_state != SMC_INIT) +- sock_put(sk); /* passive closing */ + sk->sk_state = SMC_CLOSED; + sk->sk_state_change(sk); + } + ++ sk->sk_prot->unhash(sk); ++ ++ if (sk->sk_state == SMC_CLOSED) { ++ if (smc->clcsock) { ++ mutex_lock(&smc->clcsock_release_lock); ++ sock_release(smc->clcsock); ++ smc->clcsock = NULL; ++ mutex_unlock(&smc->clcsock_release_lock); ++ } ++ if (!smc->use_fallback) ++ smc_conn_free(&smc->conn); ++ } ++ + /* detach socket */ + sock_orphan(sk); + sock->sk = NULL; +- if (!smc->use_fallback && sk->sk_state == SMC_CLOSED) +- smc_conn_free(&smc->conn); + release_sock(sk); + + sock_put(sk); /* final sock_put */ +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index 092696d738c00..3e7858793d485 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -415,8 +415,13 @@ static void smc_close_passive_work(struct work_struct *work) + if (old_state != sk->sk_state) { + sk->sk_state_change(sk); + if ((sk->sk_state == SMC_CLOSED) && +- (sock_flag(sk, SOCK_DEAD) || !sk->sk_socket)) ++ (sock_flag(sk, SOCK_DEAD) || !sk->sk_socket)) { + smc_conn_free(conn); ++ if (smc->clcsock) { ++ sock_release(smc->clcsock); ++ smc->clcsock = NULL; ++ } ++ } + } + release_sock(sk); + sock_put(sk); /* sock_hold done by schedulers of close_work */ +-- +2.42.0 + diff --git a/queue-4.19/net-smc-wait-for-pending-work-before-clcsock-release.patch b/queue-4.19/net-smc-wait-for-pending-work-before-clcsock-release.patch new file mode 100644 index 00000000000..45aeea4eae0 --- /dev/null +++ b/queue-4.19/net-smc-wait-for-pending-work-before-clcsock-release.patch @@ -0,0 +1,139 @@ +From d22709c558721a5d95c7e9de0c123c3c17ceada0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2019 11:17:30 +0200 +Subject: net/smc: wait for pending work before clcsock release_sock + +From: Karsten Graul + +[ Upstream commit fd57770dd198f5b2ddd5b9e6bf282cf98d63adb9 ] + +When the clcsock is already released using sock_release() and a pending +smc_listen_work accesses the clcsock than that will fail. Solve this +by canceling and waiting for the work to complete first. Because the +work holds the sock_lock it must make sure that the lock is not hold +before the new helper smc_clcsock_release() is invoked. And before the +smc_listen_work starts working check if the parent listen socket is +still valid, otherwise stop the work early. + +Signed-off-by: Karsten Graul +Signed-off-by: Ursula Braun +Signed-off-by: David S. Miller +Stable-dep-of: 5211c9729484 ("net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT") +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 14 ++++++++------ + net/smc/smc_close.c | 25 +++++++++++++++++++++---- + net/smc/smc_close.h | 1 + + 3 files changed, 30 insertions(+), 10 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 6f342f6cc4876..6b30bec54b624 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -158,10 +158,9 @@ static int smc_release(struct socket *sock) + + if (sk->sk_state == SMC_CLOSED) { + if (smc->clcsock) { +- mutex_lock(&smc->clcsock_release_lock); +- sock_release(smc->clcsock); +- smc->clcsock = NULL; +- mutex_unlock(&smc->clcsock_release_lock); ++ release_sock(sk); ++ smc_clcsock_release(smc); ++ lock_sock(sk); + } + if (!smc->use_fallback) + smc_conn_free(&smc->conn); +@@ -1014,13 +1013,13 @@ static void smc_listen_out(struct smc_sock *new_smc) + struct smc_sock *lsmc = new_smc->listen_smc; + struct sock *newsmcsk = &new_smc->sk; + +- lock_sock_nested(&lsmc->sk, SINGLE_DEPTH_NESTING); + if (lsmc->sk.sk_state == SMC_LISTEN) { ++ lock_sock_nested(&lsmc->sk, SINGLE_DEPTH_NESTING); + smc_accept_enqueue(&lsmc->sk, newsmcsk); ++ release_sock(&lsmc->sk); + } else { /* no longer listening */ + smc_close_non_accepted(newsmcsk); + } +- release_sock(&lsmc->sk); + + /* Wake up accept */ + lsmc->sk.sk_data_ready(&lsmc->sk); +@@ -1216,6 +1215,9 @@ static void smc_listen_work(struct work_struct *work) + int rc = 0; + u8 ibport; + ++ if (new_smc->listen_smc->sk.sk_state != SMC_LISTEN) ++ return smc_listen_out_err(new_smc); ++ + if (new_smc->use_fallback) { + smc_listen_out_connected(new_smc); + return; +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index 3e7858793d485..cac0773f5ebd9 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -21,6 +21,22 @@ + + #define SMC_CLOSE_WAIT_LISTEN_CLCSOCK_TIME (5 * HZ) + ++/* release the clcsock that is assigned to the smc_sock */ ++void smc_clcsock_release(struct smc_sock *smc) ++{ ++ struct socket *tcp; ++ ++ if (smc->listen_smc && current_work() != &smc->smc_listen_work) ++ cancel_work_sync(&smc->smc_listen_work); ++ mutex_lock(&smc->clcsock_release_lock); ++ if (smc->clcsock) { ++ tcp = smc->clcsock; ++ smc->clcsock = NULL; ++ sock_release(tcp); ++ } ++ mutex_unlock(&smc->clcsock_release_lock); ++} ++ + static void smc_close_cleanup_listen(struct sock *parent) + { + struct sock *sk; +@@ -331,6 +347,7 @@ static void smc_close_passive_work(struct work_struct *work) + close_work); + struct smc_sock *smc = container_of(conn, struct smc_sock, conn); + struct smc_cdc_conn_state_flags *rxflags; ++ bool release_clcsock = false; + struct sock *sk = &smc->sk; + int old_state; + +@@ -417,13 +434,13 @@ static void smc_close_passive_work(struct work_struct *work) + if ((sk->sk_state == SMC_CLOSED) && + (sock_flag(sk, SOCK_DEAD) || !sk->sk_socket)) { + smc_conn_free(conn); +- if (smc->clcsock) { +- sock_release(smc->clcsock); +- smc->clcsock = NULL; +- } ++ if (smc->clcsock) ++ release_clcsock = true; + } + } + release_sock(sk); ++ if (release_clcsock) ++ smc_clcsock_release(smc); + sock_put(sk); /* sock_hold done by schedulers of close_work */ + } + +diff --git a/net/smc/smc_close.h b/net/smc/smc_close.h +index 19eb6a211c23c..e0e3b5df25d24 100644 +--- a/net/smc/smc_close.h ++++ b/net/smc/smc_close.h +@@ -23,5 +23,6 @@ void smc_close_wake_tx_prepared(struct smc_sock *smc); + int smc_close_active(struct smc_sock *smc); + int smc_close_shutdown_write(struct smc_sock *smc); + void smc_close_init(struct smc_sock *smc); ++void smc_clcsock_release(struct smc_sock *smc); + + #endif /* SMC_CLOSE_H */ +-- +2.42.0 + diff --git a/queue-4.19/netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch b/queue-4.19/netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch new file mode 100644 index 00000000000..51005603b02 --- /dev/null +++ b/queue-4.19/netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch @@ -0,0 +1,49 @@ +From 7d8c0562c7eeac71e0cb1bc90955fbdb98e5293a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Nov 2023 11:56:00 -0800 +Subject: netfilter: xt_recent: fix (increase) ipv6 literal buffer length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit 7b308feb4fd2d1c06919445c65c8fbf8e9fd1781 ] + +in6_pton() supports 'low-32-bit dot-decimal representation' +(this is useful with DNS64/NAT64 networks for example): + + # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:1.2.3.4 > /proc/self/net/xt_recent/DEFAULT + # cat /proc/self/net/xt_recent/DEFAULT + src=aaaa:bbbb:cccc:dddd:eeee:ffff:0102:0304 ttl: 0 last_seen: 9733848829 oldest_pkt: 1 9733848829 + +but the provided buffer is too short: + + # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:255.255.255.255 > /proc/self/net/xt_recent/DEFAULT + -bash: echo: write error: Invalid argument + +Fixes: 079aa88fe717 ("netfilter: xt_recent: IPv6 support") +Signed-off-by: Maciej Żenczykowski +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_recent.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c +index cb58bc7ae30d3..2dbf92346a7e5 100644 +--- a/net/netfilter/xt_recent.c ++++ b/net/netfilter/xt_recent.c +@@ -566,7 +566,7 @@ recent_mt_proc_write(struct file *file, const char __user *input, + { + struct recent_table *t = PDE_DATA(file_inode(file)); + struct recent_entry *e; +- char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:5afe:c0de")]; ++ char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:255.255.255.255")]; + const char *c = buf; + union nf_inet_addr addr = {}; + u_int16_t family; +-- +2.42.0 + diff --git a/queue-4.19/pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch b/queue-4.19/pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch new file mode 100644 index 00000000000..ad6f0400a72 --- /dev/null +++ b/queue-4.19/pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch @@ -0,0 +1,51 @@ +From ed7b681bb9ee7f3abe837321d259d22b6e8be596 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 10:54:14 -0700 +Subject: pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Fainelli + +[ Upstream commit e9bc4411548aaa738905d37851a0146c16b3bb21 ] + +The suspend/resume functions currently utilize +clk_disable()/clk_enable() respectively which may be no-ops with certain +clock providers such as SCMI. Fix this to use clk_disable_unprepare() +and clk_prepare_enable() respectively as we should. + +Fixes: 3a9f5957020f ("pwm: Add Broadcom BCM7038 PWM controller support") +Signed-off-by: Florian Fainelli +Acked-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-brcmstb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pwm/pwm-brcmstb.c b/drivers/pwm/pwm-brcmstb.c +index 8063cffa1c960..5d7842a62d594 100644 +--- a/drivers/pwm/pwm-brcmstb.c ++++ b/drivers/pwm/pwm-brcmstb.c +@@ -307,7 +307,7 @@ static int brcmstb_pwm_suspend(struct device *dev) + { + struct brcmstb_pwm *p = dev_get_drvdata(dev); + +- clk_disable(p->clk); ++ clk_disable_unprepare(p->clk); + + return 0; + } +@@ -316,7 +316,7 @@ static int brcmstb_pwm_resume(struct device *dev) + { + struct brcmstb_pwm *p = dev_get_drvdata(dev); + +- clk_enable(p->clk); ++ clk_prepare_enable(p->clk); + + return 0; + } +-- +2.42.0 + diff --git a/queue-4.19/pwm-sti-avoid-conditional-gotos.patch b/queue-4.19/pwm-sti-avoid-conditional-gotos.patch new file mode 100644 index 00000000000..17d2ba17943 --- /dev/null +++ b/queue-4.19/pwm-sti-avoid-conditional-gotos.patch @@ -0,0 +1,93 @@ +From b47cefe5ec054279ffa143f22c2a834fd30d4324 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Nov 2020 19:24:29 +0100 +Subject: pwm: sti: Avoid conditional gotos +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thierry Reding + +[ Upstream commit fd3ae02bb66f091e55f363d32eca7b4039977bf5 ] + +Using gotos for conditional code complicates this code significantly. +Convert the code to simple conditional blocks to increase readability. + +Suggested-by: Uwe Kleine-König +Acked-by: Uwe Kleine-König +Acked-by: Lee Jones +Signed-off-by: Thierry Reding +Stable-dep-of: 2d6812b41e0d ("pwm: sti: Reduce number of allocations and drop usage of chip_data") +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sti.c | 48 ++++++++++++++++++++----------------------- + 1 file changed, 22 insertions(+), 26 deletions(-) + +diff --git a/drivers/pwm/pwm-sti.c b/drivers/pwm/pwm-sti.c +index 2b7c31c9d1ab2..f413b41dc69d8 100644 +--- a/drivers/pwm/pwm-sti.c ++++ b/drivers/pwm/pwm-sti.c +@@ -599,38 +599,34 @@ static int sti_pwm_probe(struct platform_device *pdev) + if (ret) + return ret; + +- if (!cdata->pwm_num_devs) +- goto skip_pwm; +- +- pc->pwm_clk = of_clk_get_by_name(dev->of_node, "pwm"); +- if (IS_ERR(pc->pwm_clk)) { +- dev_err(dev, "failed to get PWM clock\n"); +- return PTR_ERR(pc->pwm_clk); +- } ++ if (cdata->pwm_num_devs) { ++ pc->pwm_clk = of_clk_get_by_name(dev->of_node, "pwm"); ++ if (IS_ERR(pc->pwm_clk)) { ++ dev_err(dev, "failed to get PWM clock\n"); ++ return PTR_ERR(pc->pwm_clk); ++ } + +- ret = clk_prepare(pc->pwm_clk); +- if (ret) { +- dev_err(dev, "failed to prepare clock\n"); +- return ret; ++ ret = clk_prepare(pc->pwm_clk); ++ if (ret) { ++ dev_err(dev, "failed to prepare clock\n"); ++ return ret; ++ } + } + +-skip_pwm: +- if (!cdata->cpt_num_devs) +- goto skip_cpt; +- +- pc->cpt_clk = of_clk_get_by_name(dev->of_node, "capture"); +- if (IS_ERR(pc->cpt_clk)) { +- dev_err(dev, "failed to get PWM capture clock\n"); +- return PTR_ERR(pc->cpt_clk); +- } ++ if (cdata->cpt_num_devs) { ++ pc->cpt_clk = of_clk_get_by_name(dev->of_node, "capture"); ++ if (IS_ERR(pc->cpt_clk)) { ++ dev_err(dev, "failed to get PWM capture clock\n"); ++ return PTR_ERR(pc->cpt_clk); ++ } + +- ret = clk_prepare(pc->cpt_clk); +- if (ret) { +- dev_err(dev, "failed to prepare clock\n"); +- return ret; ++ ret = clk_prepare(pc->cpt_clk); ++ if (ret) { ++ dev_err(dev, "failed to prepare clock\n"); ++ return ret; ++ } + } + +-skip_cpt: + pc->chip.dev = dev; + pc->chip.ops = &sti_pwm_ops; + pc->chip.base = -1; +-- +2.42.0 + diff --git a/queue-4.19/pwm-sti-reduce-number-of-allocations-and-drop-usage-.patch b/queue-4.19/pwm-sti-reduce-number-of-allocations-and-drop-usage-.patch new file mode 100644 index 00000000000..51dcdb06ccd --- /dev/null +++ b/queue-4.19/pwm-sti-reduce-number-of-allocations-and-drop-usage-.patch @@ -0,0 +1,116 @@ +From f19753c15a801e93ecad0fba3f4ba40598d14ab4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 10:06:48 +0200 +Subject: pwm: sti: Reduce number of allocations and drop usage of chip_data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 2d6812b41e0d832919d72c72ebddf361df53ba1b ] + +Instead of using one allocation per capture channel, use a single one. Also +store it in driver data instead of chip data. + +This has several advantages: + + - driver data isn't cleared when pwm_put() is called + - Reduces memory fragmentation + +Also register the pwm chip only after the per capture channel data is +initialized as the capture callback relies on this initialization and it +might be called even before pwmchip_add() returns. + +It would be still better to have struct sti_pwm_compat_data and the +per-channel data struct sti_cpt_ddata in a single memory chunk, but that's +not easily possible because the number of capture channels isn't known yet +when the driver data struct is allocated. + +Fixes: e926b12c611c ("pwm: Clear chip_data in pwm_put()") +Reported-by: George Stark +Fixes: c97267ae831d ("pwm: sti: Add PWM capture callback") +Link: https://lore.kernel.org/r/20230705080650.2353391-7-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sti.c | 29 ++++++++++++++--------------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +diff --git a/drivers/pwm/pwm-sti.c b/drivers/pwm/pwm-sti.c +index f413b41dc69d8..059650d8118e0 100644 +--- a/drivers/pwm/pwm-sti.c ++++ b/drivers/pwm/pwm-sti.c +@@ -83,6 +83,7 @@ struct sti_pwm_compat_data { + unsigned int cpt_num_devs; + unsigned int max_pwm_cnt; + unsigned int max_prescale; ++ struct sti_cpt_ddata *ddata; + }; + + struct sti_pwm_chip { +@@ -318,7 +319,7 @@ static int sti_pwm_capture(struct pwm_chip *chip, struct pwm_device *pwm, + { + struct sti_pwm_chip *pc = to_sti_pwmchip(chip); + struct sti_pwm_compat_data *cdata = pc->cdata; +- struct sti_cpt_ddata *ddata = pwm_get_chip_data(pwm); ++ struct sti_cpt_ddata *ddata = &cdata->ddata[pwm->hwpwm]; + struct device *dev = pc->dev; + unsigned int effective_ticks; + unsigned long long high, low; +@@ -421,7 +422,7 @@ static irqreturn_t sti_pwm_interrupt(int irq, void *data) + while (cpt_int_stat) { + devicenum = ffs(cpt_int_stat) - 1; + +- ddata = pwm_get_chip_data(&pc->chip.pwms[devicenum]); ++ ddata = &pc->cdata->ddata[devicenum]; + + /* + * Capture input: +@@ -625,6 +626,10 @@ static int sti_pwm_probe(struct platform_device *pdev) + dev_err(dev, "failed to prepare clock\n"); + return ret; + } ++ ++ cdata->ddata = devm_kzalloc(dev, cdata->cpt_num_devs * sizeof(*cdata->ddata), GFP_KERNEL); ++ if (!cdata->ddata) ++ return -ENOMEM; + } + + pc->chip.dev = dev; +@@ -632,24 +637,18 @@ static int sti_pwm_probe(struct platform_device *pdev) + pc->chip.base = -1; + pc->chip.npwm = pc->cdata->pwm_num_devs; + +- ret = pwmchip_add(&pc->chip); +- if (ret < 0) { +- clk_unprepare(pc->pwm_clk); +- clk_unprepare(pc->cpt_clk); +- return ret; +- } +- + for (i = 0; i < cdata->cpt_num_devs; i++) { +- struct sti_cpt_ddata *ddata; +- +- ddata = devm_kzalloc(dev, sizeof(*ddata), GFP_KERNEL); +- if (!ddata) +- return -ENOMEM; ++ struct sti_cpt_ddata *ddata = &cdata->ddata[i]; + + init_waitqueue_head(&ddata->wait); + mutex_init(&ddata->lock); ++ } + +- pwm_set_chip_data(&pc->chip.pwms[i], ddata); ++ ret = pwmchip_add(&pc->chip); ++ if (ret < 0) { ++ clk_unprepare(pc->pwm_clk); ++ clk_unprepare(pc->cpt_clk); ++ return ret; + } + + platform_set_drvdata(pdev, pc); +-- +2.42.0 + diff --git a/queue-4.19/r8169-improve-rtl_set_rx_mode.patch b/queue-4.19/r8169-improve-rtl_set_rx_mode.patch new file mode 100644 index 00000000000..b9a4ae76d3d --- /dev/null +++ b/queue-4.19/r8169-improve-rtl_set_rx_mode.patch @@ -0,0 +1,112 @@ +From 4665552afcf6462286649e4818f3b4fb3c7c5525 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2019 23:34:45 +0200 +Subject: r8169: improve rtl_set_rx_mode + +From: Heiner Kallweit + +[ Upstream commit 81cd17a4121d7dc7cad28e51251f31ff12b1de2b ] + +This patch improves and simplifies rtl_set_rx_mode a little. +No functional change intended. + +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Stable-dep-of: efa5f1311c49 ("net: r8169: Disable multicast filter for RTL8168H and RTL8107E") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 52 ++++++++++------------- + 1 file changed, 22 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 92875a935eb13..2a59087364808 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -66,7 +66,7 @@ + + /* Maximum number of multicast addresses to filter (vs. Rx-all-multicast). + The RTL chips use a 64 element hash table based on the Ethernet CRC. */ +-static const int multicast_filter_limit = 32; ++#define MC_FILTER_LIMIT 32 + + #define TX_DMA_BURST 7 /* Maximum PCI burst, '7' is unlimited */ + #define InterFrameGap 0x03 /* 3 means InterFrameGap = the shortest one */ +@@ -4614,54 +4614,46 @@ static void rtl8169_set_magic_reg(struct rtl8169_private *tp, unsigned mac_versi + + static void rtl_set_rx_mode(struct net_device *dev) + { ++ u32 rx_mode = AcceptBroadcast | AcceptMyPhys | AcceptMulticast; ++ /* Multicast hash filter */ ++ u32 mc_filter[2] = { 0xffffffff, 0xffffffff }; + struct rtl8169_private *tp = netdev_priv(dev); +- u32 mc_filter[2]; /* Multicast hash filter */ +- int rx_mode; +- u32 tmp = 0; ++ u32 tmp; + + if (dev->flags & IFF_PROMISC) { + /* Unconditionally log net taps. */ + netif_notice(tp, link, dev, "Promiscuous mode enabled\n"); +- rx_mode = +- AcceptBroadcast | AcceptMulticast | AcceptMyPhys | +- AcceptAllPhys; +- mc_filter[1] = mc_filter[0] = 0xffffffff; +- } else if ((netdev_mc_count(dev) > multicast_filter_limit) || +- (dev->flags & IFF_ALLMULTI)) { +- /* Too many to filter perfectly -- accept all multicasts. */ +- rx_mode = AcceptBroadcast | AcceptMulticast | AcceptMyPhys; +- mc_filter[1] = mc_filter[0] = 0xffffffff; ++ rx_mode |= AcceptAllPhys; ++ } else if (netdev_mc_count(dev) > MC_FILTER_LIMIT || ++ dev->flags & IFF_ALLMULTI || ++ tp->mac_version == RTL_GIGA_MAC_VER_35) { ++ /* accept all multicasts */ ++ } else if (netdev_mc_empty(dev)) { ++ rx_mode &= ~AcceptMulticast; + } else { + struct netdev_hw_addr *ha; + +- rx_mode = AcceptBroadcast | AcceptMyPhys; + mc_filter[1] = mc_filter[0] = 0; + netdev_for_each_mc_addr(ha, dev) { +- int bit_nr = ether_crc(ETH_ALEN, ha->addr) >> 26; +- mc_filter[bit_nr >> 5] |= 1 << (bit_nr & 31); +- rx_mode |= AcceptMulticast; ++ u32 bit_nr = ether_crc(ETH_ALEN, ha->addr) >> 26; ++ mc_filter[bit_nr >> 5] |= BIT(bit_nr & 31); ++ } ++ ++ if (tp->mac_version > RTL_GIGA_MAC_VER_06) { ++ tmp = mc_filter[0]; ++ mc_filter[0] = swab32(mc_filter[1]); ++ mc_filter[1] = swab32(tmp); + } + } + + if (dev->features & NETIF_F_RXALL) + rx_mode |= (AcceptErr | AcceptRunt); + +- tmp = (RTL_R32(tp, RxConfig) & ~RX_CONFIG_ACCEPT_MASK) | rx_mode; +- +- if (tp->mac_version > RTL_GIGA_MAC_VER_06) { +- u32 data = mc_filter[0]; +- +- mc_filter[0] = swab32(mc_filter[1]); +- mc_filter[1] = swab32(data); +- } +- +- if (tp->mac_version == RTL_GIGA_MAC_VER_35) +- mc_filter[1] = mc_filter[0] = 0xffffffff; +- + RTL_W32(tp, MAR0 + 4, mc_filter[1]); + RTL_W32(tp, MAR0 + 0, mc_filter[0]); + +- RTL_W32(tp, RxConfig, tmp); ++ tmp = RTL_R32(tp, RxConfig); ++ RTL_W32(tp, RxConfig, (tmp & ~RX_CONFIG_ACCEPT_MASK) | rx_mode); + } + + static void rtl_hw_start(struct rtl8169_private *tp) +-- +2.42.0 + diff --git a/queue-4.19/r8169-respect-userspace-disabling-iff_multicast.patch b/queue-4.19/r8169-respect-userspace-disabling-iff_multicast.patch new file mode 100644 index 00000000000..56ad4e442ec --- /dev/null +++ b/queue-4.19/r8169-respect-userspace-disabling-iff_multicast.patch @@ -0,0 +1,42 @@ +From 63651b496cb36afa612516d817aa57805c05db0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Nov 2023 23:43:36 +0100 +Subject: r8169: respect userspace disabling IFF_MULTICAST + +From: Heiner Kallweit + +[ Upstream commit 8999ce4cfc87e61b4143ec2e7b93d8e92e11fa7f ] + +So far we ignore the setting of IFF_MULTICAST. Fix this and clear bit +AcceptMulticast if IFF_MULTICAST isn't set. + +Note: Based on the implementations I've seen it doesn't seem to be 100% clear +what a driver is supposed to do if IFF_ALLMULTI is set but IFF_MULTICAST +is not. This patch is based on the understanding that IFF_MULTICAST has +precedence. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/4a57ba02-d52d-4369-9f14-3565e6c1f7dc@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 69d01b68cf6b7..d6b01f34cfa4f 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4624,6 +4624,8 @@ static void rtl_set_rx_mode(struct net_device *dev) + /* Unconditionally log net taps. */ + netif_notice(tp, link, dev, "Promiscuous mode enabled\n"); + rx_mode |= AcceptAllPhys; ++ } else if (!(dev->flags & IFF_MULTICAST)) { ++ rx_mode &= ~AcceptMulticast; + } else if (netdev_mc_count(dev) > MC_FILTER_LIMIT || + dev->flags & IFF_ALLMULTI || + tp->mac_version == RTL_GIGA_MAC_VER_35 || +-- +2.42.0 + diff --git a/queue-4.19/series b/queue-4.19/series index cfd7a3a7a1c..a5ddb458551 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -65,3 +65,19 @@ pcmcia-ds-fix-possible-name-leak-in-error-path-in-pc.patch media-bttv-fix-use-after-free-error-due-to-btv-timeo.patch media-s3c-camif-avoid-inappropriate-kfree.patch media-dvb-usb-v2-af9035-fix-missing-unlock.patch +pwm-sti-avoid-conditional-gotos.patch +pwm-sti-reduce-number-of-allocations-and-drop-usage-.patch +pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch +input-synaptics-rmi4-fix-use-after-free-in-rmi_unreg.patch +llc-verify-mac-len-before-reading-mac-header.patch +tipc-change-nla_policy-for-bearer-related-names-to-n.patch +dccp-call-security_inet_conn_request-after-setting-i.patch +dccp-tcp-call-security_inet_conn_request-after-setti.patch +r8169-improve-rtl_set_rx_mode.patch +net-r8169-disable-multicast-filter-for-rtl8168h-and-.patch +net-smc-postpone-release-of-clcsock.patch +net-smc-wait-for-pending-work-before-clcsock-release.patch +net-smc-fix-dangling-sock-under-state-smc_appfinclos.patch +tg3-power-down-device-only-on-system_power_off.patch +r8169-respect-userspace-disabling-iff_multicast.patch +netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch diff --git a/queue-4.19/tg3-power-down-device-only-on-system_power_off.patch b/queue-4.19/tg3-power-down-device-only-on-system_power_off.patch new file mode 100644 index 00000000000..2f6c02c0e4e --- /dev/null +++ b/queue-4.19/tg3-power-down-device-only-on-system_power_off.patch @@ -0,0 +1,46 @@ +From b2f03e4dc631dc6cf850251451c5bc5942eccc60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 13:50:29 +0200 +Subject: tg3: power down device only on SYSTEM_POWER_OFF + +From: George Shuklin + +[ Upstream commit 9fc3bc7643341dc5be7d269f3d3dbe441d8d7ac3 ] + +Dell R650xs servers hangs on reboot if tg3 driver calls +tg3_power_down. + +This happens only if network adapters (BCM5720 for R650xs) were +initialized using SNP (e.g. by booting ipxe.efi). + +The actual problem is on Dell side, but this fix allows servers +to come back alive after reboot. + +Signed-off-by: George Shuklin +Fixes: 2ca1c94ce0b6 ("tg3: Disable tg3 device on system reboot to avoid triggering AER") +Reviewed-by: Pavan Chebbi +Reviewed-by: Michael Chan +Link: https://lore.kernel.org/r/20231103115029.83273-1-george.shuklin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/tg3.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 43b83a3a28049..f0b5c8a4d29f5 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -18217,7 +18217,8 @@ static void tg3_shutdown(struct pci_dev *pdev) + if (netif_running(dev)) + dev_close(dev); + +- tg3_power_down(tp); ++ if (system_state == SYSTEM_POWER_OFF) ++ tg3_power_down(tp); + + rtnl_unlock(); + +-- +2.42.0 + diff --git a/queue-4.19/tipc-change-nla_policy-for-bearer-related-names-to-n.patch b/queue-4.19/tipc-change-nla_policy-for-bearer-related-names-to-n.patch new file mode 100644 index 00000000000..278005e5b24 --- /dev/null +++ b/queue-4.19/tipc-change-nla_policy-for-bearer-related-names-to-n.patch @@ -0,0 +1,111 @@ +From ea964a6d49cee65f948734fbd3b6a5d236c846ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 16:55:40 +0900 +Subject: tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING + +From: Shigeru Yoshida + +[ Upstream commit 19b3f72a41a8751e26bffc093bb7e1cef29ad579 ] + +syzbot reported the following uninit-value access issue [1]: + +===================================================== +BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] +BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 + strlen lib/string.c:418 [inline] + strstr+0xb8/0x2f0 lib/string.c:756 + tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 + genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] + genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 + netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 + genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 + netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] + netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 + netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 + sock_sendmsg_nosec net/socket.c:730 [inline] + sock_sendmsg net/socket.c:753 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 + __sys_sendmsg net/socket.c:2624 [inline] + __do_sys_sendmsg net/socket.c:2633 [inline] + __se_sys_sendmsg net/socket.c:2631 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: + slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 + slab_alloc_node mm/slub.c:3478 [inline] + kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 + __alloc_skb+0x318/0x740 net/core/skbuff.c:650 + alloc_skb include/linux/skbuff.h:1286 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] + netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 + sock_sendmsg_nosec net/socket.c:730 [inline] + sock_sendmsg net/socket.c:753 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 + __sys_sendmsg net/socket.c:2624 [inline] + __do_sys_sendmsg net/socket.c:2633 [inline] + __se_sys_sendmsg net/socket.c:2631 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +TIPC bearer-related names including link names must be null-terminated +strings. If a link name which is not null-terminated is passed through +netlink, strstr() and similar functions can cause buffer overrun. This +causes the above issue. + +This patch changes the nla_policy for bearer-related names from NLA_STRING +to NLA_NUL_STRING. This resolves the issue by ensuring that only +null-terminated strings are accepted as bearer-related names. + +syzbot reported similar uninit-value issue related to bearer names [2]. The +root cause of this issue is that a non-null-terminated bearer name was +passed. This patch also resolved this issue. + +Fixes: 7be57fc69184 ("tipc: add link get/dump to new netlink api") +Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api") +Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574 [1] +Reported-and-tested-by: syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=9425c47dccbcb4c17d51 [2] +Signed-off-by: Shigeru Yoshida +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20231030075540.3784537-1-syoshida@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/netlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c +index 9b36163d951eb..bf11d57ef3aea 100644 +--- a/net/tipc/netlink.c ++++ b/net/tipc/netlink.c +@@ -87,7 +87,7 @@ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = { + + const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = { + [TIPC_NLA_LINK_UNSPEC] = { .type = NLA_UNSPEC }, +- [TIPC_NLA_LINK_NAME] = { .type = NLA_STRING, ++ [TIPC_NLA_LINK_NAME] = { .type = NLA_NUL_STRING, + .len = TIPC_MAX_LINK_NAME }, + [TIPC_NLA_LINK_MTU] = { .type = NLA_U32 }, + [TIPC_NLA_LINK_BROADCAST] = { .type = NLA_FLAG }, +@@ -116,7 +116,7 @@ const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = { + + const struct nla_policy tipc_nl_bearer_policy[TIPC_NLA_BEARER_MAX + 1] = { + [TIPC_NLA_BEARER_UNSPEC] = { .type = NLA_UNSPEC }, +- [TIPC_NLA_BEARER_NAME] = { .type = NLA_STRING, ++ [TIPC_NLA_BEARER_NAME] = { .type = NLA_NUL_STRING, + .len = TIPC_MAX_BEARER_NAME }, + [TIPC_NLA_BEARER_PROP] = { .type = NLA_NESTED }, + [TIPC_NLA_BEARER_DOMAIN] = { .type = NLA_U32 } +-- +2.42.0 + -- 2.47.3