From 5e2be28f5bd0372aaef7b29066280e51a4b93e01 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 21 Apr 2023 21:03:13 -0400 Subject: [PATCH] Fixes for 6.1 
Signed-off-by: Sasha Levin --- ...-fix-a-typo-error-for-rk3288-spdif-n.patch | 37 ++ ...imx8mm-evk-correct-pmic-clock-source.patch | 36 ++ ...s-imx8mm-verdin-correct-off-on-delay.patch | 44 ++ ...s-imx8mp-verdin-correct-off-on-delay.patch | 58 +++ ...on-g12-common-specify-full-dmc-range.patch | 44 ++ ...dts-qcom-hk10-use-okay-instead-of-ok.patch | 79 ++++ ...pq8074-hk01-enable-qmp-device-not-th.patch | 44 ++ ...pq8074-hk10-enable-qmp-device-not-th.patch | 44 ++ ...c8280xp-pmics-fix-pon-compatible-and.patch | 52 +++ ...ip-lower-sd-speed-on-rk3566-soquartz.patch | 42 ++ ...-initialize-ptp-on-older-p3-p4-chips.patch | 48 ++ ...ry-leak-when-changing-bond-type-to-e.patch | 141 ++++++ ...t-verifier-pruning-due-to-missing-re.patch | 425 ++++++++++++++++++ ...tor-fix-buddy-allocator-init-on-32-b.patch | 57 +++ ...t-fix-32-bit-issue-in-drm_buddy_test.patch | 52 +++ ...so-on-i219-lm-card-to-increase-speed.patch | 100 +++++ ..._truncate_partial_nodes-ftrace-event.patch | 47 ++ ...ng-vsi-active_filters-without-holdin.patch | 49 ++ ...40e_setup_misc_vector-error-handling.patch | 43 ++ ...ull-ptr-deref-in-mlxfw_mfa2_tlv_next.patch | 45 ++ ...possible-crash-during-initialization.patch | 62 +++ ...memory-leak-when-using-debugfs_looku.patch | 103 +++++ ...hdev-don-t-notify-fdb-entries-with-m.patch | 104 +++++ queue-6.1/net-dsa-b53-mmap-add-phy-ops.patch | 59 +++ ...-rpl-fix-rpl-header-size-calculation.patch | 47 ++ ...q-prevent-slab-out-of-bounds-in-qfq_.patch | 134 ++++++ ...filter-fix-recent-physdev-match-brea.patch | 71 +++ ...les-fix-ifdef-to-also-consider-nf_ta.patch | 47 ++ ...les-modify-nla_memdup-s-flag-to-gfp_.patch | 36 ++ ...les-tighten-netlink-attribute-requir.patch | 37 ++ ...bles-validate-catch-all-set-elements.patch | 177 ++++++++ ...ossible-uaf-when-failing-to-allocate.patch | 157 +++++++ ...s-nb-wmi-add-quirk_asus_tablet_mode-.patch | 39 ++ ...abyte-wmi-add-support-for-a320m-s2h-.patch | 39 ++ ...abyte-wmi-add-support-for-b650-aorus.patch | 40 ++ 
...abyte-wmi-add-support-for-x570s-aoru.patch | 34 ++ ...el-vsec-fix-a-memory-leak-in-intel_v.patch | 40 ++ ...53555-explicitly-include-bits-header.patch | 59 +++ ...tor-fan53555-fix-wrong-tcs_slew_mask.patch | 40 ++ ...r-fix-requierments-requirements-typo.patch | 39 ++ ...ptrace_get_last_break-error-handling.patch | 49 ++ ...core-improve-scsi_vpd_inquiry-checks.patch | 60 +++ ...egaraid_sas-fix-fw_crash_buffer_show.patch | 36 ++ ...tests-sigaltstack-fix-wuninitialized.patch | 95 ++++ queue-6.1/series | 48 ++ ...-use-after-free-due-to-selftest_work.patch | 90 ++++ ...-fix-missing-unwind-goto-in-rockchip.patch | 40 ++ ...x-overflow-inside-xdp_linearize_page.patch | 59 +++ ...-same-error-messages-for-same-errors.patch | 42 ++ 49 files changed, 3370 insertions(+) create mode 100644 queue-6.1/arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch create mode 100644 queue-6.1/arm64-dts-imx8mm-evk-correct-pmic-clock-source.patch create mode 100644 queue-6.1/arm64-dts-imx8mm-verdin-correct-off-on-delay.patch create mode 100644 queue-6.1/arm64-dts-imx8mp-verdin-correct-off-on-delay.patch create mode 100644 queue-6.1/arm64-dts-meson-g12-common-specify-full-dmc-range.patch create mode 100644 queue-6.1/arm64-dts-qcom-hk10-use-okay-instead-of-ok.patch create mode 100644 queue-6.1/arm64-dts-qcom-ipq8074-hk01-enable-qmp-device-not-th.patch create mode 100644 queue-6.1/arm64-dts-qcom-ipq8074-hk10-enable-qmp-device-not-th.patch create mode 100644 queue-6.1/arm64-dts-qcom-sc8280xp-pmics-fix-pon-compatible-and.patch create mode 100644 queue-6.1/arm64-dts-rockchip-lower-sd-speed-on-rk3566-soquartz.patch create mode 100644 queue-6.1/bnxt_en-do-not-initialize-ptp-on-older-p3-p4-chips.patch create mode 100644 queue-6.1/bonding-fix-memory-leak-when-changing-bond-type-to-e.patch create mode 100644 queue-6.1/bpf-fix-incorrect-verifier-pruning-due-to-missing-re.patch create mode 100644 queue-6.1/drm-buddy_allocator-fix-buddy-allocator-init-on-32-b.patch create mode 100644 
queue-6.1/drm-test-fix-32-bit-issue-in-drm_buddy_test.patch create mode 100644 queue-6.1/e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch create mode 100644 queue-6.1/f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch create mode 100644 queue-6.1/i40e-fix-accessing-vsi-active_filters-without-holdin.patch create mode 100644 queue-6.1/i40e-fix-i40e_setup_misc_vector-error-handling.patch create mode 100644 queue-6.1/mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch create mode 100644 queue-6.1/mlxsw-pci-fix-possible-crash-during-initialization.patch create mode 100644 queue-6.1/mtd-spi-nor-fix-memory-leak-when-using-debugfs_looku.patch create mode 100644 queue-6.1/net-bridge-switchdev-don-t-notify-fdb-entries-with-m.patch create mode 100644 queue-6.1/net-dsa-b53-mmap-add-phy-ops.patch create mode 100644 queue-6.1/net-rpl-fix-rpl-header-size-calculation.patch create mode 100644 queue-6.1/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch create mode 100644 queue-6.1/netfilter-br_netfilter-fix-recent-physdev-match-brea.patch create mode 100644 queue-6.1/netfilter-nf_tables-fix-ifdef-to-also-consider-nf_ta.patch create mode 100644 queue-6.1/netfilter-nf_tables-modify-nla_memdup-s-flag-to-gfp_.patch create mode 100644 queue-6.1/netfilter-nf_tables-tighten-netlink-attribute-requir.patch create mode 100644 queue-6.1/netfilter-nf_tables-validate-catch-all-set-elements.patch create mode 100644 queue-6.1/nvme-tcp-fix-a-possible-uaf-when-failing-to-allocate.patch create mode 100644 queue-6.1/platform-x86-asus-nb-wmi-add-quirk_asus_tablet_mode-.patch create mode 100644 queue-6.1/platform-x86-gigabyte-wmi-add-support-for-a320m-s2h-.patch create mode 100644 queue-6.1/platform-x86-gigabyte-wmi-add-support-for-b650-aorus.patch create mode 100644 queue-6.1/platform-x86-gigabyte-wmi-add-support-for-x570s-aoru.patch create mode 100644 queue-6.1/platform-x86-intel-vsec-fix-a-memory-leak-in-intel_v.patch create mode 100644 
queue-6.1/regulator-fan53555-explicitly-include-bits-header.patch create mode 100644 queue-6.1/regulator-fan53555-fix-wrong-tcs_slew_mask.patch create mode 100644 queue-6.1/rust-str-fix-requierments-requirements-typo.patch create mode 100644 queue-6.1/s390-ptrace-fix-ptrace_get_last_break-error-handling.patch create mode 100644 queue-6.1/scsi-core-improve-scsi_vpd_inquiry-checks.patch create mode 100644 queue-6.1/scsi-megaraid_sas-fix-fw_crash_buffer_show.patch create mode 100644 queue-6.1/selftests-sigaltstack-fix-wuninitialized.patch create mode 100644 queue-6.1/series create mode 100644 queue-6.1/sfc-fix-use-after-free-due-to-selftest_work.patch create mode 100644 queue-6.1/spi-spi-rockchip-fix-missing-unwind-goto-in-rockchip.patch create mode 100644 queue-6.1/virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch create mode 100644 queue-6.1/xen-netback-use-same-error-messages-for-same-errors.patch diff --git a/queue-6.1/arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch b/queue-6.1/arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch new file mode 100644 index 00000000000..d5e71097311 --- /dev/null +++ b/queue-6.1/arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch 
@@ -0,0 +1,37 @@
+From 2b6e8b2191cf35180d4b8de5535441ca7d5c57df Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Feb 2023 17:14:11 +0800
+Subject: ARM: dts: rockchip: fix a typo error for rk3288 spdif node
+
+From: Jianqun Xu
+
+[ Upstream commit 02c84f91adb9a64b75ec97d772675c02a3e65ed7 ]
+
+Fix the address in the spdif node name.
+
+Fixes: 874e568e500a ("ARM: dts: rockchip: Add SPDIF transceiver for RK3288")
+Signed-off-by: Jianqun Xu
+Reviewed-by: Sjoerd Simons
+Link: https://lore.kernel.org/r/20230208091411.1603142-1-jay.xu@rock-chips.com
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/rk3288.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi
+index 2ca76b69add78..511ca864c1b2d 100644
+--- a/arch/arm/boot/dts/rk3288.dtsi
++++ b/arch/arm/boot/dts/rk3288.dtsi
+@@ -942,7 +942,7 @@
+ status = "disabled";
+ };
+
+- spdif: sound@ff88b0000 {
++ spdif: sound@ff8b0000 {
+ compatible = "rockchip,rk3288-spdif", "rockchip,rk3066-spdif";
+ reg = <0x0 0xff8b0000 0x0 0x10000>;
+ #sound-dai-cells = <0>;
+--
+2.39.2
+
diff --git a/queue-6.1/arm64-dts-imx8mm-evk-correct-pmic-clock-source.patch b/queue-6.1/arm64-dts-imx8mm-evk-correct-pmic-clock-source.patch
new file mode 100644
index 00000000000..96e85c81b06
--- /dev/null
+++ b/queue-6.1/arm64-dts-imx8mm-evk-correct-pmic-clock-source.patch
@@ -0,0 +1,36 @@
+From 439aa5a748c8e7cfba7a1c0861297752d47c0f60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Mar 2023 18:03:21 +0800
+Subject: arm64: dts: imx8mm-evk: correct pmic clock source
+
+From: Peng Fan
+
+[ Upstream commit 85af7ffd24da38e416a14bd6bf207154d94faa83 ]
+
+The osc_32k supports #clock-cells as 0, using an id is wrong, drop it.
+
+Fixes: a6a355ede574 ("arm64: dts: imx8mm-evk: Add 32.768 kHz clock to PMIC")
+Signed-off-by: Peng Fan
+Reviewed-by: Marco Felsch
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mm-evk.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-evk.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-evk.dtsi
+index 7d6317d95b131..1dd0617477fdf 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-evk.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-evk.dtsi
+@@ -193,7 +193,7 @@
+ rohm,reset-snvs-powered;
+
+ #clock-cells = <0>;
+- clocks = <&osc_32k 0>;
++ clocks = <&osc_32k>;
+ clock-output-names = "clk-32k-out";
+
+ regulators {
+--
+2.39.2
+
diff --git a/queue-6.1/arm64-dts-imx8mm-verdin-correct-off-on-delay.patch b/queue-6.1/arm64-dts-imx8mm-verdin-correct-off-on-delay.patch
new file mode 100644
index 00000000000..fcbc3aa0ea3
--- /dev/null
+++ b/queue-6.1/arm64-dts-imx8mm-verdin-correct-off-on-delay.patch
@@ -0,0 +1,44 @@
+From 2f58bdcd1de9403e234ae05df4ceda9c01ec4faa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Mar 2023 14:19:04 +0800
+Subject: arm64: dts: imx8mm-verdin: correct off-on-delay
+
+From: Peng Fan
+
+[ Upstream commit 130c1f4306d56301216baaea68afdd909892c73f ]
+
+The property should be off-on-delay-us, not off-on-delay
+
+Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini")
+Signed-off-by: Peng Fan
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
+index 59445f916d7fa..b4aef79650c69 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
+@@ -95,7 +95,7 @@
+ compatible = "regulator-fixed";
+ enable-active-high;
+ gpio = <&gpio2 20 GPIO_ACTIVE_HIGH>; /* PMIC_EN_ETH */
+- off-on-delay = <500000>;
++ off-on-delay-us = <500000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_reg_eth>;
+ regulator-always-on;
+@@ -135,7 +135,7 @@
+ enable-active-high;
+ /* Verdin SD_1_PWR_EN (SODIMM 76) */
+ gpio = <&gpio3 5 GPIO_ACTIVE_HIGH>;
+- off-on-delay = <100000>;
++ off-on-delay-us = <100000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_usdhc2_pwr_en>;
+ regulator-max-microvolt = <3300000>;
+--
+2.39.2
+
diff --git a/queue-6.1/arm64-dts-imx8mp-verdin-correct-off-on-delay.patch b/queue-6.1/arm64-dts-imx8mp-verdin-correct-off-on-delay.patch
new file mode 100644
index 00000000000..b9876124318
--- /dev/null
+++ b/queue-6.1/arm64-dts-imx8mp-verdin-correct-off-on-delay.patch
@@ -0,0 +1,58 @@
+From 8f2d4db9216a5b785b019ae4a1e0029c3586c0e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Mar 2023 14:19:05 +0800
+Subject: arm64: dts: imx8mp-verdin: correct off-on-delay
+
+From: Peng Fan
+
+[ Upstream commit 02c447a0d79f0c966563e5095a017cbf9477ca6d ]
+
+The property should be off-on-delay-us, not off-on-delay
+
+Fixes: a39ed23bdf6e ("arm64: dts: freescale: add initial support for verdin imx8m plus")
+Signed-off-by: Peng Fan
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mp-verdin-dev.dtsi | 2 +-
+ arch/arm64/boot/dts/freescale/imx8mp-verdin.dtsi | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp-verdin-dev.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-verdin-dev.dtsi
+index cefabe65b2520..c8b521d45fca1 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp-verdin-dev.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mp-verdin-dev.dtsi
+@@ -12,7 +12,7 @@
+ compatible = "regulator-fixed";
+ enable-active-high;
+ gpio = <&gpio_expander_21 4 GPIO_ACTIVE_HIGH>; /* ETH_PWR_EN */
+- off-on-delay = <500000>;
++ off-on-delay-us = <500000>;
+ regulator-max-microvolt = <3300000>;
+ regulator-min-microvolt = <3300000>;
+ regulator-name = "+V3.3_ETH";
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp-verdin.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-verdin.dtsi
+index 5dcd1de586b52..371144eb40188 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp-verdin.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mp-verdin.dtsi
+@@ -86,7 +86,7 @@
+ compatible = "regulator-fixed";
+ enable-active-high;
+ gpio = <&gpio2 20 GPIO_ACTIVE_HIGH>; /* PMIC_EN_ETH */
+- off-on-delay = <500000>;
++ off-on-delay-us = <500000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_reg_eth>;
+ regulator-always-on;
+@@ -127,7 +127,7 @@
+ enable-active-high;
+ /* Verdin SD_1_PWR_EN (SODIMM 76) */
+ gpio = <&gpio4 22 GPIO_ACTIVE_HIGH>;
+- off-on-delay = <100000>;
++ off-on-delay-us = <100000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_usdhc2_pwr_en>;
+ regulator-max-microvolt = <3300000>;
+--
+2.39.2
+
diff --git a/queue-6.1/arm64-dts-meson-g12-common-specify-full-dmc-range.patch b/queue-6.1/arm64-dts-meson-g12-common-specify-full-dmc-range.patch
new file mode 100644
index 00000000000..c7aad860ed8
--- /dev/null
+++ b/queue-6.1/arm64-dts-meson-g12-common-specify-full-dmc-range.patch
@@ -0,0 +1,44 @@
+From dde99e6d3ed62d060d14d6156abbe9f3599df78f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Mar 2023 14:09:30 +0200
+Subject: arm64: dts: meson-g12-common: specify full DMC range
+
+From: Marc Gonzalez
+
+[ Upstream commit aec4353114a408b3a831a22ba34942d05943e462 ]
+
+According to S905X2 Datasheet - Revision 07:
+DRAM Memory Controller (DMC) register area spans ff638000-ff63a000.
+
+According to DeviceTree Specification - Release v0.4-rc1:
+simple-bus nodes do not require reg property.
+
+Fixes: 1499218c80c99a ("arm64: dts: move common G12A & G12B modes to meson-g12-common.dtsi")
+Signed-off-by: Marc Gonzalez
+Reviewed-by: Martin Blumenstingl
+Link: https://lore.kernel.org/r/20230327120932.2158389-2-mgonzalez@freebox.fr
+Signed-off-by: Neil Armstrong
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
+index 131a8a5a9f5a0..88b848c65b0d2 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
+@@ -1571,10 +1571,9 @@
+
+ dmc: bus@38000 {
+ compatible = "simple-bus";
+- reg = <0x0 0x38000 0x0 0x400>;
+ #address-cells = <2>;
+ #size-cells = <2>;
+- ranges = <0x0 0x0 0x0 0x38000 0x0 0x400>;
++ ranges = <0x0 0x0 0x0 0x38000 0x0 0x2000>;
+
+ canvas: video-lut@48 {
+ compatible = "amlogic,canvas";
+--
+2.39.2
+
diff --git a/queue-6.1/arm64-dts-qcom-hk10-use-okay-instead-of-ok.patch b/queue-6.1/arm64-dts-qcom-hk10-use-okay-instead-of-ok.patch
new file mode 100644
index 00000000000..5ffeab1f14e
--- /dev/null
+++ b/queue-6.1/arm64-dts-qcom-hk10-use-okay-instead-of-ok.patch
@@ -0,0 +1,79 @@
+From 70a6f67afc6723ff3561f0d4bc04ec07e8ed4ae2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Nov 2022 10:29:28 +0100
+Subject: arm64: dts: qcom: hk10: use "okay" instead of "ok"
+
+From: Robert Marko
+
+[ Upstream commit 7284a3943909606016128b79fb18dd107bc0fe26 ]
+
+Use "okay" instead of "ok" in USB nodes as "ok" is deprecated.
+
+Signed-off-by: Robert Marko
+Reviewed-by: Krzysztof Kozlowski
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20221107092930.33325-1-robimarko@gmail.com
+Stable-dep-of: 1dc40551f206 ("arm64: dts: qcom: ipq8074-hk10: enable QMP device, not the PHY node")
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/ipq8074-hk10.dtsi | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/ipq8074-hk10.dtsi b/arch/arm64/boot/dts/qcom/ipq8074-hk10.dtsi
+index db4b87944cdf2..262b937e0bc62 100644
+--- a/arch/arm64/boot/dts/qcom/ipq8074-hk10.dtsi
++++ b/arch/arm64/boot/dts/qcom/ipq8074-hk10.dtsi
+@@ -22,7 +22,7 @@
+ };
+
+ &blsp1_spi1 {
+- status = "ok";
++ status = "okay";
+
+ flash@0 {
+ #address-cells = <1>;
+@@ -34,33 +34,33 @@
+ };
+
+ &blsp1_uart5 {
+- status = "ok";
++ status = "okay";
+ };
+
+ &pcie0 {
+- status = "ok";
++ status = "okay";
+ perst-gpios = <&tlmm 58 0x1>;
+ };
+
+ &pcie1 {
+- status = "ok";
++ status = "okay";
+ perst-gpios = <&tlmm 61 0x1>;
+ };
+
+ &pcie_phy0 {
+- status = "ok";
++ status = "okay";
+ };
+
+ &pcie_phy1 {
+- status = "ok";
++ status = "okay";
+ };
+
+ &qpic_bam {
+- status = "ok";
++ status = "okay";
+ };
+
+ &qpic_nand {
+- status = "ok";
++ status = "okay";
+
+ nand@0 {
+ reg = <0>;
+--
+2.39.2
+
diff --git a/queue-6.1/arm64-dts-qcom-ipq8074-hk01-enable-qmp-device-not-th.patch b/queue-6.1/arm64-dts-qcom-ipq8074-hk01-enable-qmp-device-not-th.patch
new file mode 100644
index 00000000000..38e6105f96f
--- /dev/null
+++ b/queue-6.1/arm64-dts-qcom-ipq8074-hk01-enable-qmp-device-not-th.patch
@@ -0,0 +1,44 @@
+From 0f470e92d8004f2ba7f6d36cefb9038167ba320b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Mar 2023 05:16:50 +0300
+Subject: arm64: dts: qcom: ipq8074-hk01: enable QMP device, not the PHY node
+
+From: Dmitry Baryshkov
+
+[ Upstream commit 72630ba422b70ea0874fc90d526353cf71c72488 ]
+
+Correct PCIe PHY enablement to refer the QMP device nodes rather than
+PHY device nodes. QMP nodes have 'status = "disabled"' property in the
+ipq8074.dtsi, while PHY nodes do not correspond to the actual device and
+do not have the status property.
+
+Fixes: e8a7fdc505bb ("arm64: dts: ipq8074: qcom: Re-arrange dts nodes based on address")
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20230324021651.1799969-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/ipq8074-hk01.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts b/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts
+index 7143c936de61e..bb0a838891f64 100644
+--- a/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts
++++ b/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts
+@@ -59,11 +59,11 @@
+ perst-gpios = <&tlmm 58 0x1>;
+ };
+
+-&pcie_phy0 {
++&pcie_qmp0 {
+ status = "okay";
+ };
+
+-&pcie_phy1 {
++&pcie_qmp1 {
+ status = "okay";
+ };
+
+--
+2.39.2
+
diff --git a/queue-6.1/arm64-dts-qcom-ipq8074-hk10-enable-qmp-device-not-th.patch b/queue-6.1/arm64-dts-qcom-ipq8074-hk10-enable-qmp-device-not-th.patch
new file mode 100644
index 00000000000..9fcd67af331
--- /dev/null
+++ b/queue-6.1/arm64-dts-qcom-ipq8074-hk10-enable-qmp-device-not-th.patch
@@ -0,0 +1,44 @@
+From dede0c7da4aaba4da2478d9303058b0875b06ab8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Mar 2023 05:16:51 +0300
+Subject: arm64: dts: qcom: ipq8074-hk10: enable QMP device, not the PHY node
+
+From: Dmitry Baryshkov
+
+[ Upstream commit 1dc40551f206d20b7e46ea7dd538dcdd928451c6 ]
+
+Correct PCIe PHY enablement to refer the QMP device nodes rather than
+PHY device nodes. QMP nodes have 'status = "disabled"' property in the
+ipq8074.dtsi, while PHY nodes do not correspond to the actual device and
+do not have the status property.
+
+Fixes: 1ed34da63a37 ("arm64: dts: qcom: Add board support for HK10")
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20230324021651.1799969-2-dmitry.baryshkov@linaro.org
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/ipq8074-hk10.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/ipq8074-hk10.dtsi b/arch/arm64/boot/dts/qcom/ipq8074-hk10.dtsi
+index 262b937e0bc62..a695686afadfc 100644
+--- a/arch/arm64/boot/dts/qcom/ipq8074-hk10.dtsi
++++ b/arch/arm64/boot/dts/qcom/ipq8074-hk10.dtsi
+@@ -47,11 +47,11 @@
+ perst-gpios = <&tlmm 61 0x1>;
+ };
+
+-&pcie_phy0 {
++&pcie_qmp0 {
+ status = "okay";
+ };
+
+-&pcie_phy1 {
++&pcie_qmp1 {
+ status = "okay";
+ };
+
+--
+2.39.2
+
diff --git a/queue-6.1/arm64-dts-qcom-sc8280xp-pmics-fix-pon-compatible-and.patch b/queue-6.1/arm64-dts-qcom-sc8280xp-pmics-fix-pon-compatible-and.patch
new file mode 100644
index 00000000000..d30965ec9fc
--- /dev/null
+++ b/queue-6.1/arm64-dts-qcom-sc8280xp-pmics-fix-pon-compatible-and.patch
@@ -0,0 +1,52 @@
+From ff2f73a0abda9ea8b50531852e1255ad635e09f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Mar 2023 14:29:48 +0200
+Subject: arm64: dts: qcom: sc8280xp-pmics: fix pon compatible and registers
+
+From: Johan Hovold
+
+[ Upstream commit ad8cd35c58ca3ec5e93f52a0124899627b98efb2 ]
+
+The pmk8280 PMIC PON peripheral is gen3 and uses two sets of registers;
+hlos and pbs.
+
+This specifically fixes the following error message during boot when the
+pbs registers are not defined:
+
+ PON_PBS address missing, can't read HW debounce time
+
+Note that this also enables the spurious interrupt workaround introduced
+by commit 0b65118e6ba3 ("Input: pm8941-pwrkey - add software key press
+debouncing support") (which may or may not be needed).
+
+Fixes: ccd3517faf18 ("arm64: dts: qcom: sc8280xp: Add reference device")
+Signed-off-by: Johan Hovold
+Reviewed-by: Dmitry Baryshkov
+Tested-by: Steev Klimaszewski #Thinkpad X13s
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20230327122948.4323-1-johan+linaro@kernel.org
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi b/arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi
+index 24836b6b9bbc9..be0df0856df9b 100644
+--- a/arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi
+@@ -15,8 +15,9 @@
+ #size-cells = <0>;
+
+ pmk8280_pon: pon@1300 {
+- compatible = "qcom,pm8998-pon";
+- reg = <0x1300>;
++ compatible = "qcom,pmk8350-pon";
++ reg = <0x1300>, <0x800>;
++ reg-names = "hlos", "pbs";
+
+ pmk8280_pon_pwrkey: pwrkey {
+ compatible = "qcom,pmk8350-pwrkey";
+--
+2.39.2
+
diff --git a/queue-6.1/arm64-dts-rockchip-lower-sd-speed-on-rk3566-soquartz.patch b/queue-6.1/arm64-dts-rockchip-lower-sd-speed-on-rk3566-soquartz.patch
new file mode 100644
index 00000000000..b310366a6df
--- /dev/null
+++ b/queue-6.1/arm64-dts-rockchip-lower-sd-speed-on-rk3566-soquartz.patch
@@ -0,0 +1,42 @@
+From 09385f41209ce413e70124a040ea55b205aa779c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 4 Mar 2023 17:41:35 +0100
+Subject: arm64: dts: rockchip: Lower sd speed on rk3566-soquartz
+
+From: Dan Johansen
+
+[ Upstream commit 5912b647bd0732ae8c78a6e5b259c82efd177d93 ]
+
+Just like the Quartz64 Model B the previously stated speed of sdr-104
+in soquartz is too high for the hardware to reliably communicate with
+some fast SD cards.
+Especially on some carrierboards.
+
+Lower this to sd-uhs-sdr50 to fix this.
+
+Fixes: 5859b5a9c3ac ("arm64: dts: rockchip: add SoQuartz CM4IO dts")
+Signed-off-by: Dan Johansen
+Acked-by: Peter Geis
+Link: https://lore.kernel.org/r/20230304164135.28430-1-strit@manjaro.org
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi b/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi
+index 5bcd4be329643..4d494b53a71ab 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi
+@@ -540,7 +540,7 @@
+ non-removable;
+ pinctrl-names = "default";
+ pinctrl-0 = <&sdmmc1_bus4 &sdmmc1_cmd &sdmmc1_clk>;
+- sd-uhs-sdr104;
++ sd-uhs-sdr50;
+ vmmc-supply = <&vcc3v3_sys>;
+ vqmmc-supply = <&vcc_1v8>;
+ status = "okay";
+--
+2.39.2
+
diff --git a/queue-6.1/bnxt_en-do-not-initialize-ptp-on-older-p3-p4-chips.patch b/queue-6.1/bnxt_en-do-not-initialize-ptp-on-older-p3-p4-chips.patch
new file mode 100644
index 00000000000..bfe7bed7f85
--- /dev/null
+++ b/queue-6.1/bnxt_en-do-not-initialize-ptp-on-older-p3-p4-chips.patch
@@ -0,0 +1,48 @@
+From 8520075971deb6e6077d37641270ba537e6b0c92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 16 Apr 2023 23:58:18 -0700
+Subject: bnxt_en: Do not initialize PTP on older P3/P4 chips
+
+From: Michael Chan
+
+[ Upstream commit e8b51a1a15d5a3cce231e0669f6a161dc5bb9b75 ]
+
+The driver does not support PTP on these older chips and it is assuming
+that firmware on these older chips will not return the
+PORT_MAC_PTP_QCFG_RESP_FLAGS_HWRM_ACCESS flag in __bnxt_hwrm_ptp_qcfg(),
+causing the function to abort quietly.
+
+But newer firmware now sets this flag and so __bnxt_hwrm_ptp_qcfg()
+will proceed further. Eventually it will fail in bnxt_ptp_init() ->
+bnxt_map_ptp_regs() because there is no code to support the older chips.
+The driver will then complain:
+
+"PTP initialization failed.\n"
+
+Fix it so that we abort quietly earlier without going through the
+unnecessary steps and alarming the user with the warning log.
+
+Fixes: ae5c42f0b92c ("bnxt_en: Get PTP hardware capability from firmware")
+Signed-off-by: Michael Chan
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index c6e36603bd2db..e3e5a427222f6 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -7597,7 +7597,7 @@ static int __bnxt_hwrm_ptp_qcfg(struct bnxt *bp)
+ u8 flags;
+ int rc;
+
+- if (bp->hwrm_spec_code < 0x10801) {
++ if (bp->hwrm_spec_code < 0x10801 || !BNXT_CHIP_P5_THOR(bp)) {
+ rc = -ENODEV;
+ goto no_ptp;
+ }
+--
+2.39.2
+
diff --git a/queue-6.1/bonding-fix-memory-leak-when-changing-bond-type-to-e.patch b/queue-6.1/bonding-fix-memory-leak-when-changing-bond-type-to-e.patch
new file mode 100644
index 00000000000..1d912abde6e
--- /dev/null
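Review bot: The extended guard `if (bp->hwrm_spec_code < 0x10801 || !BNXT_CHIP_P5_THOR(bp))` in __bnxt_hwrm_ptp_qcfg() has no comment explaining why a chip check is needed on top of the firmware spec check, and the reason is not visible in the code. According to the commit message, newer firmware on the older chips now reports the HWRM_ACCESS flag, so the firmware reply alone can no longer decide whether PTP is usable. I would add above the condition `/* PTP is only implemented for chips matched by BNXT_CHIP_P5_THOR(); newer firmware may still advertise it on older chips */`. The function body continues outside the hunk, so what the `no_ptp` path does for this case cannot be checked from here.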
+++ b/queue-6.1/bonding-fix-memory-leak-when-changing-bond-type-to-e.patch 
@@ -0,0 +1,141 @@
+From 6acb1da30c2c91fa953cc5ad0b6c11a839a7818d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Apr 2023 09:12:16 +0300
+Subject: bonding: Fix memory leak when changing bond type to Ethernet
+
+From: Ido Schimmel
+
+[ Upstream commit c484fcc058bada604d7e4e5228d4affb646ddbc2 ]
+
+When a net device is put administratively up, its 'IFF_UP' flag is set
+(if not set already) and a 'NETDEV_UP' notification is emitted, which
+causes the 8021q driver to add VLAN ID 0 on the device. The reverse
+happens when a net device is put administratively down.
+
+When changing the type of a bond to Ethernet, its 'IFF_UP' flag is
+incorrectly cleared, resulting in the kernel skipping the above process
+and VLAN ID 0 being leaked [1].
+
+Fix by restoring the flag when changing the type to Ethernet, in a
+similar fashion to the restoration of the 'IFF_SLAVE' flag.
+
+The issue can be reproduced using the script in [2], with example out
+before and after the fix in [3].
+
+[1]
+unreferenced object 0xffff888103479900 (size 256):
+ comm "ip", pid 329, jiffies 4294775225 (age 28.561s)
+ hex dump (first 32 bytes):
+ 00 a0 0c 15 81 88 ff ff 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] kmalloc_trace+0x2a/0xe0
+ [] vlan_vid_add+0x30c/0x790
+ [] vlan_device_event+0x1491/0x21a0
+ [] notifier_call_chain+0xbe/0x1f0
+ [] call_netdevice_notifiers_info+0xba/0x150
+ [] __dev_notify_flags+0x132/0x2e0
+ [] dev_change_flags+0x11f/0x180
+ [] do_setlink+0xb96/0x4060
+ [] __rtnl_newlink+0xc0a/0x18a0
+ [] rtnl_newlink+0x6c/0xa0
+ [] rtnetlink_rcv_msg+0x43e/0xe00
+ [] netlink_rcv_skb+0x170/0x440
+ [] netlink_unicast+0x53f/0x810
+ [] netlink_sendmsg+0x96b/0xe90
+ [] ____sys_sendmsg+0x30f/0xa70
+ [] ___sys_sendmsg+0x13a/0x1e0
+unreferenced object 0xffff88810f6a83e0 (size 32):
+ comm "ip", pid 329, jiffies 4294775225 (age 28.561s)
+ hex dump (first 32 bytes):
+ a0 99 47 03 81 88 ff ff a0 99 47 03 81 88 ff ff ..G.......G.....
+ 81 00 00 00 01 00 00 00 cc cc cc cc cc cc cc cc ................
+ backtrace:
+ [] kmalloc_trace+0x2a/0xe0
+ [] vlan_vid_add+0x409/0x790
+ [] vlan_device_event+0x1491/0x21a0
+ [] notifier_call_chain+0xbe/0x1f0
+ [] call_netdevice_notifiers_info+0xba/0x150
+ [] __dev_notify_flags+0x132/0x2e0
+ [] dev_change_flags+0x11f/0x180
+ [] do_setlink+0xb96/0x4060
+ [] __rtnl_newlink+0xc0a/0x18a0
+ [] rtnl_newlink+0x6c/0xa0
+ [] rtnetlink_rcv_msg+0x43e/0xe00
+ [] netlink_rcv_skb+0x170/0x440
+ [] netlink_unicast+0x53f/0x810
+ [] netlink_sendmsg+0x96b/0xe90
+ [] ____sys_sendmsg+0x30f/0xa70
+ [] ___sys_sendmsg+0x13a/0x1e0
+
+[2]
+ip link add name t-nlmon type nlmon
+ip link add name t-dummy type dummy
+ip link add name t-bond type bond mode active-backup
+
+ip link set dev t-bond up
+ip link set dev t-nlmon master t-bond
+ip link set dev t-nlmon nomaster
+ip link show dev t-bond
+ip link set dev t-dummy master t-bond
+ip link show dev t-bond
+
+ip link del dev t-bond
+ip link del dev t-dummy
+ip link del dev t-nlmon
+
+[3]
+Before:
+
+12: t-bond: mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
+ link/netlink
+12: t-bond: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
+ link/ether 46:57:39:a4:46:a2 brd ff:ff:ff:ff:ff:ff
+
+After:
+
+12: t-bond: mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
+ link/netlink
+12: t-bond: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
+ link/ether 66:48:7b:74:b6:8a brd ff:ff:ff:ff:ff:ff
+
+Fixes: e36b9d16c6a6 ("bonding: clean muticast addresses when device changes type")
+Fixes: 75c78500ddad ("bonding: remap muticast addresses without using dev_close() and dev_open()")
+Fixes: 9ec7eb60dcbc ("bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type change")
+Reported-by: Mirsad Goran Todorovac
+Link: https://lore.kernel.org/netdev/78a8a03b-6070-3e6b-5042-f848dab16fb8@alu.unizg.hr/
+Tested-by: Mirsad Goran Todorovac
+Signed-off-by: Ido Schimmel
+Acked-by: Jay Vosburgh
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 9f6824a6537bc..9f44c86a591dd 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1776,14 +1776,15 @@ void bond_lower_state_changed(struct slave *slave)
+
+ /* The bonding driver uses ether_setup() to convert a master bond device
+ * to ARPHRD_ETHER, that resets the target netdevice's flags so we always
+- * have to restore the IFF_MASTER flag, and only restore IFF_SLAVE if it was set
++ * have to restore the IFF_MASTER flag, and only restore IFF_SLAVE and IFF_UP
++ * if they were set
+ */
+ static void bond_ether_setup(struct net_device *bond_dev)
+ {
+- unsigned int slave_flag = bond_dev->flags & IFF_SLAVE;
++ unsigned int flags = bond_dev->flags & (IFF_SLAVE | IFF_UP);
+
+ ether_setup(bond_dev);
+- bond_dev->flags |= IFF_MASTER | slave_flag;
++ bond_dev->flags |= IFF_MASTER | flags;
+ bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING;
+ }
+
+--
+2.39.2
+
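Review bot: The updated comment above bond_ether_setup() says that IFF_UP is now restored but not why it has to be, so the reason for the mask `(IFF_SLAVE | IFF_UP)` lives only in the commit message. I would add one line to the comment, for example `* IFF_UP must survive ether_setup(): if it is lost, the down-notification handling is skipped and the VLAN ID 0 added by 8021q is leaked`, which is how the commit message describes the leak. As a smaller style point, the local `flags` reads much like `bond_dev->flags` on the same lines; a name such as `saved_flags` would make `bond_dev->flags |= IFF_MASTER | saved_flags;` easier to follow.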
diff --git a/queue-6.1/bpf-fix-incorrect-verifier-pruning-due-to-missing-re.patch b/queue-6.1/bpf-fix-incorrect-verifier-pruning-due-to-missing-re.patch
new file mode 100644
index 00000000000..8e43ce18856
--- /dev/null
+++ b/queue-6.1/bpf-fix-incorrect-verifier-pruning-due-to-missing-re.patch
@@ -0,0 +1,425 @@ +From f23fb9d2189e0bdee3cf7dd2fd41355c41e3b61f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Apr 2023 15:24:13 +0000 +Subject: bpf: Fix incorrect verifier pruning due to missing register precision + taints + +From: Daniel Borkmann + +[ Upstream commit 71b547f561247897a0a14f3082730156c0533fed ] + +Juan Jose et al reported an issue found via fuzzing where the verifier's +pruning logic prematurely marks a program path as safe. + +Consider the following program: + + 0: (b7) r6 = 1024 + 1: (b7) r7 = 0 + 2: (b7) r8 = 0 + 3: (b7) r9 = -2147483648 + 4: (97) r6 %= 1025 + 5: (05) goto pc+0 + 6: (bd) if r6 <= r9 goto pc+2 + 7: (97) r6 %= 1 + 8: (b7) r9 = 0 + 9: (bd) if r6 <= r9 goto pc+1 + 10: (b7) r6 = 0 + 11: (b7) r0 = 0 + 12: (63) *(u32 *)(r10 -4) = r0 + 13: (18) r4 = 0xffff888103693400 // map_ptr(ks=4,vs=48) + 15: (bf) r1 = r4 + 16: (bf) r2 = r10 + 17: (07) r2 += -4 + 18: (85) call bpf_map_lookup_elem#1 + 19: (55) if r0 != 0x0 goto pc+1 + 20: (95) exit + 21: (77) r6 >>= 10 + 22: (27) r6 *= 8192 + 23: (bf) r1 = r0 + 24: (0f) r0 += r6 + 25: (79) r3 = *(u64 *)(r0 +0) + 26: (7b) *(u64 *)(r1 +0) = r3 + 27: (95) exit + +The verifier treats this as safe, leading to oob read/write access due +to an incorrect verifier conclusion: + + func#0 @0 + 0: R1=ctx(off=0,imm=0) R10=fp0 + 0: (b7) r6 = 1024 ; R6_w=1024 + 1: (b7) r7 = 0 ; R7_w=0 + 2: (b7) r8 = 0 ; R8_w=0 + 3: (b7) r9 = -2147483648 ; R9_w=-2147483648 + 4: (97) r6 %= 1025 ; R6_w=scalar() + 5: (05) goto pc+0 + 6: (bd) if r6 <= r9 goto pc+2 ; R6_w=scalar(umin=18446744071562067969,var_off=(0xffffffff00000000; 0xffffffff)) R9_w=-2147483648 + 7: (97) r6 %= 1 ; R6_w=scalar() + 8: (b7) r9 = 0 ; R9=0 + 9: (bd) if r6 <= r9 goto pc+1 ; R6=scalar(umin=1) R9=0 + 10: (b7) r6 = 0 ; R6_w=0 + 11: (b7) r0 = 0 ; R0_w=0 + 12: (63) *(u32 *)(r10 -4) = r0 + last_idx 12 first_idx 9 + regs=1 stack=0 before 11: (b7) r0 = 0 + 13: R0_w=0 R10=fp0 fp-8=0000???? 
+ 13: (18) r4 = 0xffff8ad3886c2a00 ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0) + 15: (bf) r1 = r4 ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0) + 16: (bf) r2 = r10 ; R2_w=fp0 R10=fp0 + 17: (07) r2 += -4 ; R2_w=fp-4 + 18: (85) call bpf_map_lookup_elem#1 ; R0=map_value_or_null(id=1,off=0,ks=4,vs=48,imm=0) + 19: (55) if r0 != 0x0 goto pc+1 ; R0=0 + 20: (95) exit + + from 19 to 21: R0=map_value(off=0,ks=4,vs=48,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0 fp-8=mmmm???? + 21: (77) r6 >>= 10 ; R6_w=0 + 22: (27) r6 *= 8192 ; R6_w=0 + 23: (bf) r1 = r0 ; R0=map_value(off=0,ks=4,vs=48,imm=0) R1_w=map_value(off=0,ks=4,vs=48,imm=0) + 24: (0f) r0 += r6 + last_idx 24 first_idx 19 + regs=40 stack=0 before 23: (bf) r1 = r0 + regs=40 stack=0 before 22: (27) r6 *= 8192 + regs=40 stack=0 before 21: (77) r6 >>= 10 + regs=40 stack=0 before 19: (55) if r0 != 0x0 goto pc+1 + parent didn't have regs=40 stack=0 marks: R0_rw=map_value_or_null(id=1,off=0,ks=4,vs=48,imm=0) R6_rw=P0 R7=0 R8=0 R9=0 R10=fp0 fp-8=mmmm???? + last_idx 18 first_idx 9 + regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1 + regs=40 stack=0 before 17: (07) r2 += -4 + regs=40 stack=0 before 16: (bf) r2 = r10 + regs=40 stack=0 before 15: (bf) r1 = r4 + regs=40 stack=0 before 13: (18) r4 = 0xffff8ad3886c2a00 + regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0 + regs=40 stack=0 before 11: (b7) r0 = 0 + regs=40 stack=0 before 10: (b7) r6 = 0 + 25: (79) r3 = *(u64 *)(r0 +0) ; R0_w=map_value(off=0,ks=4,vs=48,imm=0) R3_w=scalar() + 26: (7b) *(u64 *)(r1 +0) = r3 ; R1_w=map_value(off=0,ks=4,vs=48,imm=0) R3_w=scalar() + 27: (95) exit + + from 9 to 11: R1=ctx(off=0,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0 + 11: (b7) r0 = 0 ; R0_w=0 + 12: (63) *(u32 *)(r10 -4) = r0 + last_idx 12 first_idx 11 + regs=1 stack=0 before 11: (b7) r0 = 0 + 13: R0_w=0 R10=fp0 fp-8=0000???? 
+ 13: (18) r4 = 0xffff8ad3886c2a00 ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0) + 15: (bf) r1 = r4 ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0) + 16: (bf) r2 = r10 ; R2_w=fp0 R10=fp0 + 17: (07) r2 += -4 ; R2_w=fp-4 + 18: (85) call bpf_map_lookup_elem#1 + frame 0: propagating r6 + last_idx 19 first_idx 11 + regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1 + regs=40 stack=0 before 17: (07) r2 += -4 + regs=40 stack=0 before 16: (bf) r2 = r10 + regs=40 stack=0 before 15: (bf) r1 = r4 + regs=40 stack=0 before 13: (18) r4 = 0xffff8ad3886c2a00 + regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0 + regs=40 stack=0 before 11: (b7) r0 = 0 + parent didn't have regs=40 stack=0 marks: R1=ctx(off=0,imm=0) R6_r=P0 R7=0 R8=0 R9=0 R10=fp0 + last_idx 9 first_idx 9 + regs=40 stack=0 before 9: (bd) if r6 <= r9 goto pc+1 + parent didn't have regs=40 stack=0 marks: R1=ctx(off=0,imm=0) R6_rw=Pscalar() R7_w=0 R8_w=0 R9_rw=0 R10=fp0 + last_idx 8 first_idx 0 + regs=40 stack=0 before 8: (b7) r9 = 0 + regs=40 stack=0 before 7: (97) r6 %= 1 + regs=40 stack=0 before 6: (bd) if r6 <= r9 goto pc+2 + regs=40 stack=0 before 5: (05) goto pc+0 + regs=40 stack=0 before 4: (97) r6 %= 1025 + regs=40 stack=0 before 3: (b7) r9 = -2147483648 + regs=40 stack=0 before 2: (b7) r8 = 0 + regs=40 stack=0 before 1: (b7) r7 = 0 + regs=40 stack=0 before 0: (b7) r6 = 1024 + 19: safe + frame 0: propagating r6 + last_idx 9 first_idx 0 + regs=40 stack=0 before 6: (bd) if r6 <= r9 goto pc+2 + regs=40 stack=0 before 5: (05) goto pc+0 + regs=40 stack=0 before 4: (97) r6 %= 1025 + regs=40 stack=0 before 3: (b7) r9 = -2147483648 + regs=40 stack=0 before 2: (b7) r8 = 0 + regs=40 stack=0 before 1: (b7) r7 = 0 + regs=40 stack=0 before 0: (b7) r6 = 1024 + + from 6 to 9: safe + verification time 110 usec + stack depth 4 + processed 36 insns (limit 1000000) max_states_per_insn 0 total_states 3 peak_states 3 mark_read 2 + +The verifier considers this program as safe by mistakenly pruning 
unsafe +code paths. In the above func#0, code lines 0-10 are of interest. In line +0-3 registers r6 to r9 are initialized with known scalar values. In line 4 +the register r6 is reset to an unknown scalar given the verifier does not +track modulo operations. Due to this, the verifier can also not determine +precisely which branches in line 6 and 9 are taken, therefore it needs to +explore them both. + +As can be seen, the verifier starts with exploring the false/fall-through +paths first. The 'from 19 to 21' path has both r6=0 and r9=0 and the pointer +arithmetic on r0 += r6 is therefore considered safe. Given the arithmetic, +r6 is correctly marked for precision tracking where backtracking kicks in +where it walks back the current path all the way where r6 was set to 0 in +the fall-through branch. + +Next, the pruning logics pops the path 'from 9 to 11' from the stack. Also +here, the state of the registers is the same, that is, r6=0 and r9=0, so +that at line 19 the path can be pruned as it is considered safe. It is +interesting to note that the conditional in line 9 turned r6 into a more +precise state, that is, in the fall-through path at the beginning of line +10, it is R6=scalar(umin=1), and in the branch-taken path (which is analyzed +here) at the beginning of line 11, r6 turned into a known const r6=0 as +r9=0 prior to that and therefore (unsigned) r6 <= 0 concludes that r6 must +be 0 (**): + + [...] ; R6_w=scalar() + 9: (bd) if r6 <= r9 goto pc+1 ; R6=scalar(umin=1) R9=0 + [...] + + from 9 to 11: R1=ctx(off=0,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0 + [...] + +The next path is 'from 6 to 9'. The verifier considers the old and current +state equivalent, and therefore prunes the search incorrectly. 
Looking into +the two states which are being compared by the pruning logic at line 9, the +old state consists of R6_rwD=Pscalar() R9_rwD=0 R10=fp0 and the new state +consists of R1=ctx(off=0,imm=0) R6_w=scalar(umax=18446744071562067968) +R7_w=0 R8_w=0 R9_w=-2147483648 R10=fp0. While r6 had the reg->precise flag +correctly set in the old state, r9 did not. Both r6'es are considered as +equivalent given the old one is a superset of the current, more precise one, +however, r9's actual values (0 vs 0x80000000) mismatch. Given the old r9 +did not have reg->precise flag set, the verifier does not consider the +register as contributing to the precision state of r6, and therefore it +considered both r9 states as equivalent. However, for this specific pruned +path (which is also the actual path taken at runtime), register r6 will be +0x400 and r9 0x80000000 when reaching line 21, thus oob-accessing the map. + +The purpose of precision tracking is to initially mark registers (including +spilled ones) as imprecise to help verifier's pruning logic finding equivalent +states it can then prune if they don't contribute to the program's safety +aspects. For example, if registers are used for pointer arithmetic or to pass +constant length to a helper, then the verifier sets reg->precise flag and +backtracks the BPF program instruction sequence and chain of verifier states +to ensure that the given register or stack slot including their dependencies +are marked as precisely tracked scalar. This also includes any other registers +and slots that contribute to a tracked state of given registers/stack slot. +This backtracking relies on recorded jmp_history and is able to traverse +entire chain of parent states. This process ends only when all the necessary +registers/slots and their transitive dependencies are marked as precise. 
+ +The backtrack_insn() is called from the current instruction up to the first +instruction, and its purpose is to compute a bitmask of registers and stack +slots that need precision tracking in the parent's verifier state. For example, +if a current instruction is r6 = r7, then r6 needs precision after this +instruction and r7 needs precision before this instruction, that is, in the +parent state. Hence for the latter r7 is marked and r6 unmarked. + +For the class of jmp/jmp32 instructions, backtrack_insn() today only looks +at call and exit instructions and for all other conditionals the masks +remain as-is. However, in the given situation register r6 has a dependency +on r9 (as described above in **), so also that one needs to be marked for +precision tracking. In other words, if an imprecise register influences a +precise one, then the imprecise register should also be marked precise. +Meaning, in the parent state both dest and src register need to be tracked +for precision and therefore the marking must be more conservative by setting +reg->precise flag for both. The precision propagation needs to cover both +for the conditional: if the src reg was marked but not the dst reg and vice +versa. + +After the fix the program is correctly rejected: + + func#0 @0 + 0: R1=ctx(off=0,imm=0) R10=fp0 + 0: (b7) r6 = 1024 ; R6_w=1024 + 1: (b7) r7 = 0 ; R7_w=0 + 2: (b7) r8 = 0 ; R8_w=0 + 3: (b7) r9 = -2147483648 ; R9_w=-2147483648 + 4: (97) r6 %= 1025 ; R6_w=scalar() + 5: (05) goto pc+0 + 6: (bd) if r6 <= r9 goto pc+2 ; R6_w=scalar(umin=18446744071562067969,var_off=(0xffffffff80000000; 0x7fffffff),u32_min=-2147483648) R9_w=-2147483648 + 7: (97) r6 %= 1 ; R6_w=scalar() + 8: (b7) r9 = 0 ; R9=0 + 9: (bd) if r6 <= r9 goto pc+1 ; R6=scalar(umin=1) R9=0 + 10: (b7) r6 = 0 ; R6_w=0 + 11: (b7) r0 = 0 ; R0_w=0 + 12: (63) *(u32 *)(r10 -4) = r0 + last_idx 12 first_idx 9 + regs=1 stack=0 before 11: (b7) r0 = 0 + 13: R0_w=0 R10=fp0 fp-8=0000???? 
+ 13: (18) r4 = 0xffff9290dc5bfe00 ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0) + 15: (bf) r1 = r4 ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0) + 16: (bf) r2 = r10 ; R2_w=fp0 R10=fp0 + 17: (07) r2 += -4 ; R2_w=fp-4 + 18: (85) call bpf_map_lookup_elem#1 ; R0=map_value_or_null(id=1,off=0,ks=4,vs=48,imm=0) + 19: (55) if r0 != 0x0 goto pc+1 ; R0=0 + 20: (95) exit + + from 19 to 21: R0=map_value(off=0,ks=4,vs=48,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0 fp-8=mmmm???? + 21: (77) r6 >>= 10 ; R6_w=0 + 22: (27) r6 *= 8192 ; R6_w=0 + 23: (bf) r1 = r0 ; R0=map_value(off=0,ks=4,vs=48,imm=0) R1_w=map_value(off=0,ks=4,vs=48,imm=0) + 24: (0f) r0 += r6 + last_idx 24 first_idx 19 + regs=40 stack=0 before 23: (bf) r1 = r0 + regs=40 stack=0 before 22: (27) r6 *= 8192 + regs=40 stack=0 before 21: (77) r6 >>= 10 + regs=40 stack=0 before 19: (55) if r0 != 0x0 goto pc+1 + parent didn't have regs=40 stack=0 marks: R0_rw=map_value_or_null(id=1,off=0,ks=4,vs=48,imm=0) R6_rw=P0 R7=0 R8=0 R9=0 R10=fp0 fp-8=mmmm???? + last_idx 18 first_idx 9 + regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1 + regs=40 stack=0 before 17: (07) r2 += -4 + regs=40 stack=0 before 16: (bf) r2 = r10 + regs=40 stack=0 before 15: (bf) r1 = r4 + regs=40 stack=0 before 13: (18) r4 = 0xffff9290dc5bfe00 + regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0 + regs=40 stack=0 before 11: (b7) r0 = 0 + regs=40 stack=0 before 10: (b7) r6 = 0 + 25: (79) r3 = *(u64 *)(r0 +0) ; R0_w=map_value(off=0,ks=4,vs=48,imm=0) R3_w=scalar() + 26: (7b) *(u64 *)(r1 +0) = r3 ; R1_w=map_value(off=0,ks=4,vs=48,imm=0) R3_w=scalar() + 27: (95) exit + + from 9 to 11: R1=ctx(off=0,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0 + 11: (b7) r0 = 0 ; R0_w=0 + 12: (63) *(u32 *)(r10 -4) = r0 + last_idx 12 first_idx 11 + regs=1 stack=0 before 11: (b7) r0 = 0 + 13: R0_w=0 R10=fp0 fp-8=0000???? 
+ 13: (18) r4 = 0xffff9290dc5bfe00 ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0) + 15: (bf) r1 = r4 ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0) + 16: (bf) r2 = r10 ; R2_w=fp0 R10=fp0 + 17: (07) r2 += -4 ; R2_w=fp-4 + 18: (85) call bpf_map_lookup_elem#1 + frame 0: propagating r6 + last_idx 19 first_idx 11 + regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1 + regs=40 stack=0 before 17: (07) r2 += -4 + regs=40 stack=0 before 16: (bf) r2 = r10 + regs=40 stack=0 before 15: (bf) r1 = r4 + regs=40 stack=0 before 13: (18) r4 = 0xffff9290dc5bfe00 + regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0 + regs=40 stack=0 before 11: (b7) r0 = 0 + parent didn't have regs=40 stack=0 marks: R1=ctx(off=0,imm=0) R6_r=P0 R7=0 R8=0 R9=0 R10=fp0 + last_idx 9 first_idx 9 + regs=40 stack=0 before 9: (bd) if r6 <= r9 goto pc+1 + parent didn't have regs=240 stack=0 marks: R1=ctx(off=0,imm=0) R6_rw=Pscalar() R7_w=0 R8_w=0 R9_rw=P0 R10=fp0 + last_idx 8 first_idx 0 + regs=240 stack=0 before 8: (b7) r9 = 0 + regs=40 stack=0 before 7: (97) r6 %= 1 + regs=40 stack=0 before 6: (bd) if r6 <= r9 goto pc+2 + regs=240 stack=0 before 5: (05) goto pc+0 + regs=240 stack=0 before 4: (97) r6 %= 1025 + regs=240 stack=0 before 3: (b7) r9 = -2147483648 + regs=40 stack=0 before 2: (b7) r8 = 0 + regs=40 stack=0 before 1: (b7) r7 = 0 + regs=40 stack=0 before 0: (b7) r6 = 1024 + 19: safe + + from 6 to 9: R1=ctx(off=0,imm=0) R6_w=scalar(umax=18446744071562067968) R7_w=0 R8_w=0 R9_w=-2147483648 R10=fp0 + 9: (bd) if r6 <= r9 goto pc+1 + last_idx 9 first_idx 0 + regs=40 stack=0 before 6: (bd) if r6 <= r9 goto pc+2 + regs=240 stack=0 before 5: (05) goto pc+0 + regs=240 stack=0 before 4: (97) r6 %= 1025 + regs=240 stack=0 before 3: (b7) r9 = -2147483648 + regs=40 stack=0 before 2: (b7) r8 = 0 + regs=40 stack=0 before 1: (b7) r7 = 0 + regs=40 stack=0 before 0: (b7) r6 = 1024 + last_idx 9 first_idx 0 + regs=200 stack=0 before 6: (bd) if r6 <= r9 goto pc+2 + regs=240 stack=0 before 5: 
(05) goto pc+0 + regs=240 stack=0 before 4: (97) r6 %= 1025 + regs=240 stack=0 before 3: (b7) r9 = -2147483648 + regs=40 stack=0 before 2: (b7) r8 = 0 + regs=40 stack=0 before 1: (b7) r7 = 0 + regs=40 stack=0 before 0: (b7) r6 = 1024 + 11: R6=scalar(umax=18446744071562067968) R9=-2147483648 + 11: (b7) r0 = 0 ; R0_w=0 + 12: (63) *(u32 *)(r10 -4) = r0 + last_idx 12 first_idx 11 + regs=1 stack=0 before 11: (b7) r0 = 0 + 13: R0_w=0 R10=fp0 fp-8=0000???? + 13: (18) r4 = 0xffff9290dc5bfe00 ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0) + 15: (bf) r1 = r4 ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0) + 16: (bf) r2 = r10 ; R2_w=fp0 R10=fp0 + 17: (07) r2 += -4 ; R2_w=fp-4 + 18: (85) call bpf_map_lookup_elem#1 ; R0_w=map_value_or_null(id=3,off=0,ks=4,vs=48,imm=0) + 19: (55) if r0 != 0x0 goto pc+1 ; R0_w=0 + 20: (95) exit + + from 19 to 21: R0=map_value(off=0,ks=4,vs=48,imm=0) R6=scalar(umax=18446744071562067968) R7=0 R8=0 R9=-2147483648 R10=fp0 fp-8=mmmm???? + 21: (77) r6 >>= 10 ; R6_w=scalar(umax=18014398507384832,var_off=(0x0; 0x3fffffffffffff)) + 22: (27) r6 *= 8192 ; R6_w=scalar(smax=9223372036854767616,umax=18446744073709543424,var_off=(0x0; 0xffffffffffffe000),s32_max=2147475456,u32_max=-8192) + 23: (bf) r1 = r0 ; R0=map_value(off=0,ks=4,vs=48,imm=0) R1_w=map_value(off=0,ks=4,vs=48,imm=0) + 24: (0f) r0 += r6 + last_idx 24 first_idx 21 + regs=40 stack=0 before 23: (bf) r1 = r0 + regs=40 stack=0 before 22: (27) r6 *= 8192 + regs=40 stack=0 before 21: (77) r6 >>= 10 + parent didn't have regs=40 stack=0 marks: R0_rw=map_value(off=0,ks=4,vs=48,imm=0) R6_r=Pscalar(umax=18446744071562067968) R7=0 R8=0 R9=-2147483648 R10=fp0 fp-8=mmmm???? 
+ last_idx 19 first_idx 11 + regs=40 stack=0 before 19: (55) if r0 != 0x0 goto pc+1 + regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1 + regs=40 stack=0 before 17: (07) r2 += -4 + regs=40 stack=0 before 16: (bf) r2 = r10 + regs=40 stack=0 before 15: (bf) r1 = r4 + regs=40 stack=0 before 13: (18) r4 = 0xffff9290dc5bfe00 + regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0 + regs=40 stack=0 before 11: (b7) r0 = 0 + parent didn't have regs=40 stack=0 marks: R1=ctx(off=0,imm=0) R6_rw=Pscalar(umax=18446744071562067968) R7_w=0 R8_w=0 R9_w=-2147483648 R10=fp0 + last_idx 9 first_idx 0 + regs=40 stack=0 before 9: (bd) if r6 <= r9 goto pc+1 + regs=240 stack=0 before 6: (bd) if r6 <= r9 goto pc+2 + regs=240 stack=0 before 5: (05) goto pc+0 + regs=240 stack=0 before 4: (97) r6 %= 1025 + regs=240 stack=0 before 3: (b7) r9 = -2147483648 + regs=40 stack=0 before 2: (b7) r8 = 0 + regs=40 stack=0 before 1: (b7) r7 = 0 + regs=40 stack=0 before 0: (b7) r6 = 1024 + math between map_value pointer and register with unbounded min value is not allowed + verification time 886 usec + stack depth 4 + processed 49 insns (limit 1000000) max_states_per_insn 1 total_states 5 peak_states 5 mark_read 2 + +Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking") +Reported-by: Juan Jose Lopez Jaimez +Reported-by: Meador Inge +Reported-by: Simon Scannell +Reported-by: Nenad Stojanovski +Signed-off-by: Daniel Borkmann +Co-developed-by: Andrii Nakryiko +Signed-off-by: Andrii Nakryiko +Reviewed-by: John Fastabend +Reviewed-by: Juan Jose Lopez Jaimez +Reviewed-by: Meador Inge +Reviewed-by: Simon Scannell +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index ea21e008bf856..8db2ed564939b 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2682,6 +2682,21 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, + } + } else if (opcode == 
BPF_EXIT) { + return -ENOTSUPP; ++ } else if (BPF_SRC(insn->code) == BPF_X) { ++ if (!(*reg_mask & (dreg | sreg))) ++ return 0; ++ /* dreg sreg ++ * Both dreg and sreg need precision before ++ * this insn. If only sreg was marked precise ++ * before it would be equally necessary to ++ * propagate it to dreg. ++ */ ++ *reg_mask |= (sreg | dreg); ++ /* else dreg K ++ * Only dreg still needs precision before ++ * this insn, so for the K-based conditional ++ * there is nothing new to be marked. ++ */ + } + } else if (class == BPF_LD) { + if (!(*reg_mask & dreg)) +-- +2.39.2 + diff --git a/queue-6.1/drm-buddy_allocator-fix-buddy-allocator-init-on-32-b.patch b/queue-6.1/drm-buddy_allocator-fix-buddy-allocator-init-on-32-b.patch new file mode 100644 index 00000000000..85a25c0744f --- /dev/null +++ b/queue-6.1/drm-buddy_allocator-fix-buddy-allocator-init-on-32-b.patch 
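Review bot: The second comment in the added `BPF_X` branch of backtrack_insn() (`/* else dreg K ...`) describes the immediate-operand case, but it sits after `*reg_mask |= (sreg | dreg);` inside the register-operand branch, where it reads as if it explained that assignment. Since the K case needs no code, I would merge it into the branch's leading comment, e.g. `For a K-based conditional only dreg needs precision, so nothing new is marked.` The diffstat touches only kernel/bpf/verifier.c, so the program from the commit message is not kept as a regression test; a verifier selftest that loads it and expects the `math between map_value pointer and register with unbounded min value is not allowed` rejection would guard against this pruning error returning. backtrack_insn() begins and ends outside the hunk, and `dreg`/`sreg` are defined there.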
@@ -0,0 +1,57 @@
+From 5ece0a80c9982b3d9d5bc3efb711f78595c62b0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Mar 2023 14:55:32 +0800
+Subject: drm: buddy_allocator: Fix buddy allocator init on 32-bit systems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Gow
+
+[ Upstream commit 4453545b5b4c3eff941f69a5530f916d899db025 ]
+
+The drm buddy allocator tests were broken on 32-bit systems, as
+rounddown_pow_of_two() takes a long, and the buddy allocator handles
+64-bit sizes even on 32-bit systems.
+
+This can be reproduced with the drm_buddy_allocator KUnit tests on i386:
+ ./tools/testing/kunit/kunit.py run --arch i386 \
+ --kunitconfig ./drivers/gpu/drm/tests drm_buddy
+
+(It results in kernel BUG_ON() when too many blocks are created, due to
+the block size being too small.)
+
+This was independently uncovered (and fixed) by Luís Mendes, whose patch
+added a new u64 variant of rounddown_pow_of_two(). This version instead
+recalculates the size based on the order.
+
+Reported-by: Luís Mendes
+Link: https://lore.kernel.org/lkml/CAEzXK1oghXAB_KpKpm=-CviDQbNaH0qfgYTSSjZgvvyj4U78AA@mail.gmail.com/T/
+Signed-off-by: David Gow
+Acked-by: Christian König
+Reviewed-by: Arunpravin Paneer Selvam
+Link: https://patchwork.freedesktop.org/patch/msgid/20230329065532.2122295-1-davidgow@google.com
+Signed-off-by: Christian König
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_buddy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c
+index 3d1f50f481cfd..7098f125b54a9 100644
+--- a/drivers/gpu/drm/drm_buddy.c
++++ b/drivers/gpu/drm/drm_buddy.c
+@@ -146,8 +146,8 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size)
+ unsigned int order;
+ u64 root_size;
+
+- root_size = rounddown_pow_of_two(size);
+- order = ilog2(root_size) - ilog2(chunk_size);
++ order = ilog2(size) - ilog2(chunk_size);
++ root_size = chunk_size << order;
+
+ root = drm_block_alloc(mm, NULL, order, offset);
+ if (!root)
+--
+2.39.2
+
diff --git a/queue-6.1/drm-test-fix-32-bit-issue-in-drm_buddy_test.patch b/queue-6.1/drm-test-fix-32-bit-issue-in-drm_buddy_test.patch
new file mode 100644
index 00000000000..1ba5a263742
--- /dev/null
+++ b/queue-6.1/drm-test-fix-32-bit-issue-in-drm_buddy_test.patch
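Review bot: `root_size = chunk_size << order;` in drm_buddy_init() equals the old rounddown_pow_of_two(size) only when chunk_size is itself a power of two, and `order = ilog2(size) - ilog2(chunk_size);` stays non-negative only when size >= chunk_size; neither precondition is visible in this hunk. Presumably both are enforced earlier in the function, which starts outside the hunk, but the new lines should say so, for example `/* chunk_size is a power of two and size >= chunk_size here, so this is rounddown_pow_of_two(size) computed in 64 bits */`. Without that note, a later change to the validation could turn `order` (an unsigned int) into an out-of-range shift count with nothing here to flag it.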
@@ -0,0 +1,52 @@
+From 4f3da9bd79b92c1e239af36ba8b8a45a72089f12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Mar 2023 14:55:34 +0800
+Subject: drm: test: Fix 32-bit issue in drm_buddy_test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Gow
+
+[ Upstream commit 25bbe844ef5c4fb4d7d8dcaa0080f922b7cd3a16 ]
+
+The drm_buddy_test KUnit tests verify that returned blocks have sizes
+which are powers of two using is_power_of_2(). However, is_power_of_2()
+operations on a 'long', but the block size is a u64. So on systems where
+long is 32-bit, this can sometimes fail even on correctly sized blocks.
+
+This only reproduces randomly, as the parameters passed to the buddy
+allocator in this test are random. The seed 0xb2e06022 reproduced it
+fine here.
+
+For now, just hardcode an is_power_of_2() implementation using
+x & (x - 1).
+
+Signed-off-by: David Gow
+Acked-by: Christian König
+Reviewed-by: Maíra Canal
+Reviewed-by: Arunpravin Paneer Selvam
+Link: https://patchwork.freedesktop.org/patch/msgid/20230329065532.2122295-2-davidgow@google.com
+Signed-off-by: Christian König
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/tests/drm_buddy_test.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tests/drm_buddy_test.c b/drivers/gpu/drm/tests/drm_buddy_test.c
+index 62f69589a72d3..a699fc0dc8579 100644
+--- a/drivers/gpu/drm/tests/drm_buddy_test.c
++++ b/drivers/gpu/drm/tests/drm_buddy_test.c
+@@ -89,7 +89,8 @@ static int check_block(struct kunit *test, struct drm_buddy *mm,
+ err = -EINVAL;
+ }
+
+- if (!is_power_of_2(block_size)) {
++ /* We can't use is_power_of_2() for a u64 on 32-bit systems. */
++ if (block_size & (block_size - 1)) {
+ kunit_err(test, "block size not power of two\n");
+ err = -EINVAL;
+ }
+--
+2.39.2
+
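Review bot: The open-coded test `if (block_size & (block_size - 1))` in check_block() accepts a block size of 0, which is_power_of_2() rejected, because `0 & (0 - 1)` evaluates to 0. An earlier check outside the hunk may already flag a zero size, but to keep this assertion equivalent on its own I would write `if (!block_size || (block_size & (block_size - 1))) {`. check_block() starts and ends outside the hunk.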
diff --git a/queue-6.1/e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch b/queue-6.1/e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch
new file mode 100644
index 00000000000..50e5a065271
--- /dev/null
+++ b/queue-6.1/e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch
@@ -0,0 +1,100 @@
+From 5f3003e3d4eb7f4a9bf7bbc7784f8c7d09752444 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Apr 2023 13:53:45 -0700
+Subject: e1000e: Disable TSO on i219-LM card to increase speed
+
+From: Sebastian Basierski
+
+[ Upstream commit 67d47b95119ad589b0a0b16b88b1dd9a04061ced ]
+
+While using i219-LM card currently it was only possible to achieve
+about 60% of maximum speed due to regression introduced in Linux 5.8.
+This was caused by TSO not being disabled by default despite commit
+f29801030ac6 ("e1000e: Disable TSO for buffer overrun workaround").
+Fix that by disabling TSO during driver probe.
+
+Fixes: f29801030ac6 ("e1000e: Disable TSO for buffer overrun workaround")
+Signed-off-by: Sebastian Basierski
+Signed-off-by: Mateusz Palczewski
+Tested-by: Naama Meir
+Signed-off-by: Tony Nguyen
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230417205345.1030801-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 51 +++++++++++----------
+ 1 file changed, 26 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index 55cf2f62bb308..db8e06157da29 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -5293,31 +5293,6 @@ static void e1000_watchdog_task(struct work_struct *work)
+ ew32(TARC(0), tarc0);
+ }
+
+- /* disable TSO for pcie and 10/100 speeds, to avoid
+- * some hardware issues
+- */
+- if (!(adapter->flags & FLAG_TSO_FORCE)) {
+- switch (adapter->link_speed) {
+- case SPEED_10:
+- case SPEED_100:
+- e_info("10/100 speed: disabling TSO\n");
+- netdev->features &= ~NETIF_F_TSO;
+- netdev->features &= ~NETIF_F_TSO6;
+- break;
+- case SPEED_1000:
+- netdev->features |= NETIF_F_TSO;
+- netdev->features |= NETIF_F_TSO6;
+- break;
+- default:
+- /* oops */
+- break;
+- }
+- if (hw->mac.type == e1000_pch_spt) {
+- netdev->features &= ~NETIF_F_TSO;
+- netdev->features &= ~NETIF_F_TSO6;
+- }
+- }
+-
+ /* enable transmits in the hardware, need to do this
+ * after setting TARC(0)
+ */
+@@ -7532,6 +7507,32 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ NETIF_F_RXCSUM |
+ NETIF_F_HW_CSUM);
+
++ /* disable TSO for pcie and 10/100 speeds to avoid
++ * some hardware issues and for i219 to fix transfer
++ * speed being capped at 60%
++ */
++ if (!(adapter->flags & FLAG_TSO_FORCE)) {
++ switch (adapter->link_speed) {
++ case SPEED_10:
++ case SPEED_100:
++ e_info("10/100 speed: disabling TSO\n");
++ netdev->features &= ~NETIF_F_TSO;
++ netdev->features &= ~NETIF_F_TSO6;
++ break;
++ case SPEED_1000:
++ netdev->features |= NETIF_F_TSO;
++ netdev->features |= NETIF_F_TSO6;
++ break;
++ default:
++ /* oops */
++ break;
++ }
++ if (hw->mac.type == e1000_pch_spt) {
++ netdev->features &= ~NETIF_F_TSO;
++ netdev->features &= ~NETIF_F_TSO6;
++ }
++ }
++
+ /* Set user-changeable features (subset of all device features) */
+ netdev->hw_features = netdev->features;
+ netdev->hw_features |= NETIF_F_RXFCS;
+--
+2.39.2
+
diff --git a/queue-6.1/f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch b/queue-6.1/f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch
new file mode 100644
index 00000000000..611ed61554d
--- /dev/null
+++ b/queue-6.1/f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch
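Review bot: The block moved into e1000_probe() still switches on `adapter->link_speed`, but probe runs once, presumably before a link has been negotiated, whereas the removed copy in e1000_watchdog_task() was re-evaluated on the watchdog path. As written, the `SPEED_10`/`SPEED_100` cases would no longer clear `NETIF_F_TSO`/`NETIF_F_TSO6` when the link later comes up at 10/100, so the hardware-issue workaround the comment describes survives only through the `e1000_pch_spt` test. Because the bits are cleared just before `netdev->hw_features = netdev->features;`, TSO also leaves the user-changeable set on `e1000_pch_spt`, which the comment should state if that is intended. I would keep the link-speed switch in the watchdog task and add only the `hw->mac.type == e1000_pch_spt` test to probe; both functions extend beyond the hunks shown.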
@@ -0,0 +1,47 @@
+From 68146e343e4d87220f310896181fcb8211585202 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Mar 2023 12:25:49 +0000
+Subject: f2fs: Fix f2fs_truncate_partial_nodes ftrace event
+
+From: Douglas Raillard
+
+[ Upstream commit 0b04d4c0542e8573a837b1d81b94209e48723b25 ]
+
+Fix the nid_t field so that its size is correctly reported in the text
+format embedded in trace.dat files. As it stands, it is reported as
+being of size 4:
+
+ field:nid_t nid[3]; offset:24; size:4; signed:0;
+
+Instead of 12:
+
+ field:nid_t nid[3]; offset:24; size:12; signed:0;
+
+This also fixes the reported offset of subsequent fields so that they
+match with the actual struct layout.
+
+Signed-off-by: Douglas Raillard
+Reviewed-by: Mukesh Ojha
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ include/trace/events/f2fs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h
+index e57f867191ef1..eb53e96b7a29c 100644
+--- a/include/trace/events/f2fs.h
++++ b/include/trace/events/f2fs.h
+@@ -505,7 +505,7 @@ TRACE_EVENT(f2fs_truncate_partial_nodes,
+ TP_STRUCT__entry(
+ __field(dev_t, dev)
+ __field(ino_t, ino)
+- __field(nid_t, nid[3])
++ __array(nid_t, nid, 3)
+ __field(int, depth)
+ __field(int, err)
+ ),
+--
+2.39.2
+
diff --git a/queue-6.1/i40e-fix-accessing-vsi-active_filters-without-holdin.patch b/queue-6.1/i40e-fix-accessing-vsi-active_filters-without-holdin.patch
new file mode 100644
index 00000000000..3e7bab82765
--- /dev/null
+++ b/queue-6.1/i40e-fix-accessing-vsi-active_filters-without-holdin.patch
@@ -0,0 +1,49 @@
+From 89c6c859c1f83e1c366a1cdafb5a3ed5fb5b5692 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Mar 2023 18:16:38 +0100
+Subject: i40e: fix accessing vsi->active_filters without holding lock
+
+From: Aleksandr Loktionov
+
+[ Upstream commit 8485d093b076e59baff424552e8aecfc5bd2d261 ]
+
+Fix accessing vsi->active_filters without holding the mac_filter_hash_lock.
+Move vsi->active_filters = 0 inside critical section and
+move clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state) after the critical
+section to ensure the new filters from other threads can be added only after
+filters cleaning in the critical section is finished.
+
+Fixes: 278e7d0b9d68 ("i40e: store MAC/VLAN filters in a hash with the MAC Address as key")
+Signed-off-by: Aleksandr Loktionov
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index da0cf87d3a1ca..a3119a180a346 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -14098,15 +14098,15 @@ static int i40e_add_vsi(struct i40e_vsi *vsi)
+ vsi->id = ctxt.vsi_number;
+ }
+
+- vsi->active_filters = 0;
+- clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state);
+ spin_lock_bh(&vsi->mac_filter_hash_lock);
++ vsi->active_filters = 0;
+ /* If macvlan filters already exist, force them to get loaded */
+ hash_for_each_safe(vsi->mac_filter_hash, bkt, h, f, hlist) {
+ f->state = I40E_FILTER_NEW;
+ f_count++;
+ }
+ spin_unlock_bh(&vsi->mac_filter_hash_lock);
++ clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state);
+
+ if (f_count) {
+ vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
+--
+2.39.2
+
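Review bot: Nothing at the relocated `clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state);` records that its position after `spin_unlock_bh()` is deliberate, so a later cleanup could move it back above the lock. The commit message explains that filters from other threads must only be added once the reset inside the critical section has finished; a short comment such as `/* clear only after the filter list was reset under the lock */` above the call would keep that reasoning next to the code. The same goes for `vsi->active_filters = 0;`, which the hunk moves under `mac_filter_hash_lock` without saying that the lock protects it. i40e_add_vsi() starts and ends outside the hunk.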
diff --git a/queue-6.1/i40e-fix-i40e_setup_misc_vector-error-handling.patch b/queue-6.1/i40e-fix-i40e_setup_misc_vector-error-handling.patch
new file mode 100644
index 00000000000..97e56292938
--- /dev/null
+++ b/queue-6.1/i40e-fix-i40e_setup_misc_vector-error-handling.patch
@@ -0,0 +1,43 @@
+From db2d90bdc0733a63716f00e28ba93f5c379786df Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Apr 2023 07:13:18 +0200
+Subject: i40e: fix i40e_setup_misc_vector() error handling
+
+From: Aleksandr Loktionov
+
+[ Upstream commit c86c00c6935505929cc9adb29ddb85e48c71f828 ]
+
+Add error handling of i40e_setup_misc_vector() in i40e_rebuild().
+In case interrupt vectors setup fails do not re-open vsi-s and
+do not bring up vf-s, we have no interrupts to serve a traffic
+anyway.
+
+Fixes: 41c445ff0f48 ("i40e: main driver core")
+Signed-off-by: Aleksandr Loktionov
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index a3119a180a346..68f390ce4f6e2 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -11058,8 +11058,11 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired)
+ pf->hw.aq.asq_last_status));
+ }
+ /* reinit the misc interrupt */
+- if (pf->flags & I40E_FLAG_MSIX_ENABLED)
++ if (pf->flags & I40E_FLAG_MSIX_ENABLED) {
+ ret = i40e_setup_misc_vector(pf);
++ if (ret)
++ goto end_unlock;
++ }
+
+ /* Add a filter to drop all Flow control frames from any VSI from being
+ * transmitted. By doing so we stop a malicious VF from sending out
+--
+2.39.2
+
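Review bot: The new `goto end_unlock;` after a failed `i40e_setup_misc_vector(pf)` leaves i40e_rebuild() without any message in this hunk, while the failure handled just above it is logged (the context ends in a call that prints `pf->hw.aq.asq_last_status`). i40e_rebuild() returns void, so the kernel log is the only place an operator can learn why the VSIs and VFs stayed down after a reset. Unless i40e_setup_misc_vector() already reports the error itself, add `dev_err(&pf->pdev->dev, "misc vector setup failed during rebuild: %d\n", ret);` before the jump. The `end_unlock` label and the rest of the function are outside the hunk, so the state the jump leaves behind cannot be checked from here.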
diff --git a/queue-6.1/mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch b/queue-6.1/mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch
new file mode 100644
index 00000000000..ce56616de08
--- /dev/null
+++ b/queue-6.1/mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch
@@ -0,0 +1,45 @@
+From 0a9858cc6c6aefad4ff5cc708d9bc40e21d0d74f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Apr 2023 05:07:18 -0700
+Subject: mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()
+
+From: Nikita Zhandarovich
+
+[ Upstream commit c0e73276f0fcbbd3d4736ba975d7dc7a48791b0c ]
+
+Function mlxfw_mfa2_tlv_multi_get() returns NULL if 'tlv' in
+question does not pass checks in mlxfw_mfa2_tlv_payload_get(). This
+behaviour may lead to NULL pointer dereference in 'multi->total_len'.
+Fix this issue by testing mlxfw_mfa2_tlv_multi_get()'s return value
+against NULL.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 410ed13cae39 ("Add the mlxfw module for Mellanox firmware flash process")
+Co-developed-by: Natalia Petrova
+Signed-off-by: Nikita Zhandarovich
+Reviewed-by: Ido Schimmel
+Link: https://lore.kernel.org/r/20230417120718.52325-1-n.zhandarovich@fintech.ru
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
+index 017d68f1e1232..972c571b41587 100644
+--- a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
++++ b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
+@@ -31,6 +31,8 @@ mlxfw_mfa2_tlv_next(const struct mlxfw_mfa2_file *mfa2_file,
+
+ if (tlv->type == MLXFW_MFA2_TLV_MULTI_PART) {
+ multi = mlxfw_mfa2_tlv_multi_get(mfa2_file, tlv);
++ if (!multi)
++ return NULL;
+ tlv_len = NLA_ALIGN(tlv_len + be16_to_cpu(multi->total_len));
+ }
+
+--
+2.39.2
+
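Review bot: The sum `tlv_len + be16_to_cpu(multi->total_len)` on the line after the new NULL check takes `total_len` straight from the firmware file and is not range-checked anywhere in this hunk. `tlv_len` is declared outside the hunk; if it is a 16-bit type, the aligned sum can wrap and the next TLV would then be looked up at a smaller offset than intended. Consider computing the sum in a `size_t` and returning NULL when it exceeds the remaining file length, or confirm that the lookup that follows rejects such an offset. mlxfw_mfa2_tlv_next() starts and ends outside the hunk.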
diff --git a/queue-6.1/mlxsw-pci-fix-possible-crash-during-initialization.patch b/queue-6.1/mlxsw-pci-fix-possible-crash-during-initialization.patch new file mode 100644 index 00000000000..8c4337e3bde --- /dev/null +++ b/queue-6.1/mlxsw-pci-fix-possible-crash-during-initialization.patch 
@@ -0,0 +1,62 @@ +From 26779ef22114430960b6ff50f9a18fe9cba3c8cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 18:52:51 +0200 +Subject: mlxsw: pci: Fix possible crash during initialization + +From: Ido Schimmel + +[ Upstream commit 1f64757ee2bb22a93ec89b4c71707297e8cca0ba ] + +During initialization the driver issues a reset command via its command +interface in order to remove previous configuration from the device. + +After issuing the reset, the driver waits for 200ms before polling on +the "system_status" register using memory-mapped IO until the device +reaches a ready state (0x5E). The wait is necessary because the reset +command only triggers the reset, but the reset itself happens +asynchronously. If the driver starts polling too soon, the read of the +"system_status" register will never return and the system will crash +[1]. + +The issue was discovered when the device was flashed with a development +firmware version where the reset routine took longer to complete. The +issue was fixed in the firmware, but it exposed the fact that the +current wait time is borderline. + +Fix by increasing the wait time from 200ms to 400ms. With this patch and +the buggy firmware version, the issue did not reproduce in 10 reboots +whereas without the patch the issue is reproduced quite consistently. + +[1] +mce: CPUs not responding to MCE broadcast (may include false positives): 0,4 +mce: CPUs not responding to MCE broadcast (may include false positives): 0,4 +Kernel panic - not syncing: Timeout: Not all CPUs entered broadcast exception handler +Shutting down cpus with NMI +Kernel Offset: 0x12000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) + +Fixes: ac004e84164e ("mlxsw: pci: Wait longer before accessing the device after reset") +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Signed-off-by: Petr Machata +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/pci_hw.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h b/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h +index 48dbfea0a2a1d..7cdf0ce24f288 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h +@@ -26,7 +26,7 @@ + #define MLXSW_PCI_CIR_TIMEOUT_MSECS 1000 + + #define MLXSW_PCI_SW_RESET_TIMEOUT_MSECS 900000 +-#define MLXSW_PCI_SW_RESET_WAIT_MSECS 200 ++#define MLXSW_PCI_SW_RESET_WAIT_MSECS 400 + #define MLXSW_PCI_FW_READY 0xA1844 + #define MLXSW_PCI_FW_READY_MASK 0xFFFF + #define MLXSW_PCI_FW_READY_MAGIC 0x5E +-- +2.39.2 + diff --git a/queue-6.1/mtd-spi-nor-fix-memory-leak-when-using-debugfs_looku.patch b/queue-6.1/mtd-spi-nor-fix-memory-leak-when-using-debugfs_looku.patch new file mode 100644 index 00000000000..0c8ac912381 --- /dev/null +++ b/queue-6.1/mtd-spi-nor-fix-memory-leak-when-using-debugfs_looku.patch 
@@ -0,0 +1,103 @@ +From 4d90cf5ad20e373c87723d3b09c0dd765418b83e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Feb 2023 17:02:30 +0100 +Subject: mtd: spi-nor: fix memory leak when using debugfs_lookup() + +From: Greg Kroah-Hartman + +[ Upstream commit ec738ca127d07ecac6afae36e2880341ec89150e ] + +When calling debugfs_lookup() the result must have dput() called on it, +otherwise the memory will leak over time. To solve this, remove the +lookup and create the directory on the first device found, and then +remove it when the module is unloaded. + +Cc: Tudor Ambarus +Cc: Pratyush Yadav +Cc: Miquel Raynal +Cc: Richard Weinberger +Cc: Vignesh Raghavendra +Cc: linux-mtd@lists.infradead.org +Reviewed-by: Michael Walle +Link: https://lore.kernel.org/r/20230208160230.2179905-1-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/mtd/spi-nor/core.c | 14 +++++++++++++- + drivers/mtd/spi-nor/core.h | 2 ++ + drivers/mtd/spi-nor/debugfs.c | 11 ++++++++--- + 3 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c +index cda57cb863089..75e694791d8d9 100644 +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -3272,7 +3272,19 @@ static struct spi_mem_driver spi_nor_driver = { + .remove = spi_nor_remove, + .shutdown = spi_nor_shutdown, + }; +-module_spi_mem_driver(spi_nor_driver); ++ ++static int __init spi_nor_module_init(void) ++{ ++ return spi_mem_driver_register(&spi_nor_driver); ++} ++module_init(spi_nor_module_init); ++ ++static void __exit spi_nor_module_exit(void) ++{ ++ spi_mem_driver_unregister(&spi_nor_driver); ++ spi_nor_debugfs_shutdown(); ++} ++module_exit(spi_nor_module_exit); + + MODULE_LICENSE("GPL v2"); + MODULE_AUTHOR("Huang Shijie "); +diff --git a/drivers/mtd/spi-nor/core.h b/drivers/mtd/spi-nor/core.h +index d18dafeb020ab..00bf0d0e955a0 100644 +--- a/drivers/mtd/spi-nor/core.h ++++ b/drivers/mtd/spi-nor/core.h +@@ 
-709,8 +709,10 @@ static inline struct spi_nor *mtd_to_spi_nor(struct mtd_info *mtd) + + #ifdef CONFIG_DEBUG_FS + void spi_nor_debugfs_register(struct spi_nor *nor); ++void spi_nor_debugfs_shutdown(void); + #else + static inline void spi_nor_debugfs_register(struct spi_nor *nor) {} ++static inline void spi_nor_debugfs_shutdown(void) {} + #endif + + #endif /* __LINUX_MTD_SPI_NOR_INTERNAL_H */ +diff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c +index df76cb5de3f93..5f56b23205d8b 100644 +--- a/drivers/mtd/spi-nor/debugfs.c ++++ b/drivers/mtd/spi-nor/debugfs.c +@@ -226,13 +226,13 @@ static void spi_nor_debugfs_unregister(void *data) + nor->debugfs_root = NULL; + } + ++static struct dentry *rootdir; ++ + void spi_nor_debugfs_register(struct spi_nor *nor) + { +- struct dentry *rootdir, *d; ++ struct dentry *d; + int ret; + +- /* Create rootdir once. Will never be deleted again. */ +- rootdir = debugfs_lookup(SPI_NOR_DEBUGFS_ROOT, NULL); + if (!rootdir) + rootdir = debugfs_create_dir(SPI_NOR_DEBUGFS_ROOT, NULL); + +@@ -247,3 +247,8 @@ void spi_nor_debugfs_register(struct spi_nor *nor) + debugfs_create_file("capabilities", 0444, d, nor, + &spi_nor_capabilities_fops); + } ++ ++void spi_nor_debugfs_shutdown(void) ++{ ++ debugfs_remove(rootdir); ++} +-- +2.39.2 + diff --git a/queue-6.1/net-bridge-switchdev-don-t-notify-fdb-entries-with-m.patch b/queue-6.1/net-bridge-switchdev-don-t-notify-fdb-entries-with-m.patch new file mode 100644 index 00000000000..ee59a8d7aab --- /dev/null +++ b/queue-6.1/net-bridge-switchdev-don-t-notify-fdb-entries-with-m.patch 
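Review bot: `rootdir` is now a file-scope pointer that spi_nor_debugfs_register() tests and assigns (`if (!rootdir) rootdir = debugfs_create_dir(SPI_NOR_DEBUGFS_ROOT, NULL);`) with no lock visible in the debugfs.c hunk. If two flashes can be probed concurrently, both may see NULL, and the second assignment would presumably overwrite the first with an error pointer, after which `debugfs_remove(rootdir)` in spi_nor_debugfs_shutdown() no longer removes the directory. Creating the directory once from spi_nor_module_init(), before `spi_mem_driver_register(&spi_nor_driver)`, would remove the check-then-create step; that needs a small init helper declared next to `spi_nor_debugfs_shutdown()` in core.h, with an empty inline for the `!CONFIG_DEBUG_FS` case. spi_nor_debugfs_register() continues outside the hunk.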
@@ -0,0 +1,104 @@ +From d4f598102bb9702aa0f1c5aafbc47c7046bb53cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 18:59:02 +0300 +Subject: net: bridge: switchdev: don't notify FDB entries with "master + dynamic" + +From: Vladimir Oltean + +[ Upstream commit 927cdea5d2095287ddd5246e5aa68eb5d68db2be ] + +There is a structural problem in switchdev, where the flag bits in +struct switchdev_notifier_fdb_info (added_by_user, is_local etc) only +represent a simplified / denatured view of what's in struct +net_bridge_fdb_entry :: flags (BR_FDB_ADDED_BY_USER, BR_FDB_LOCAL etc). +Each time we want to pass more information about struct +net_bridge_fdb_entry :: flags to struct switchdev_notifier_fdb_info +(here, BR_FDB_STATIC), we find that FDB entries were already notified to +switchdev with no regard to this flag, and thus, switchdev drivers had +no indication whether the notified entries were static or not. + +For example, this command: + +ip link add br0 type bridge && ip link set swp0 master br0 +bridge fdb add dev swp0 00:01:02:03:04:05 master dynamic + +has never worked as intended with switchdev. It causes a struct +net_bridge_fdb_entry to be passed to br_switchdev_fdb_notify() which has +a single flag set: BR_FDB_ADDED_BY_USER. + +This is further passed to the switchdev notifier chain, where interested +drivers have no choice but to assume this is a static (does not age) and +sticky (does not migrate) FDB entry. So currently, all drivers offload +it to hardware as such, as can be seen below ("offload" is set). + +bridge fdb get 00:01:02:03:04:05 dev swp0 master +00:01:02:03:04:05 dev swp0 offload master br0 + +The software FDB entry expires $ageing_time centiseconds after the +kernel last sees a packet with this MAC SA, and the bridge notifies its +deletion as well, so it eventually disappears from hardware too. 
+ +This is a problem, because it is actually desirable to start offloading +"master dynamic" FDB entries correctly - they should expire $ageing_time +centiseconds after the *hardware* port last sees a packet with this +MAC SA - and this is how the current incorrect behavior was discovered. +With an offloaded data plane, it can be expected that software only sees +exception path packets, so an otherwise active dynamic FDB entry would +be aged out by software sooner than it should. + +With the change in place, these FDB entries are no longer offloaded: + +bridge fdb get 00:01:02:03:04:05 dev swp0 master +00:01:02:03:04:05 dev swp0 master br0 + +and this also constitutes a better way (assuming a backport to stable +kernels) for user space to determine whether the kernel has the +capability of doing something sane with these or not. + +As opposed to "master dynamic" FDB entries, on the current behavior of +which no one currently depends on (which can be deduced from the lack of +kselftests), Ido Schimmel explains that entries with the "extern_learn" +flag (BR_FDB_ADDED_BY_EXT_LEARN) should still be notified to switchdev, +since the spectrum driver listens to them (and this is kind of okay, +because although they are treated identically to "static", they are +expected to not age, and to roam). 
+ +Fixes: 6b26b51b1d13 ("net: bridge: Add support for notifying devices about FDB add/del") +Link: https://lore.kernel.org/netdev/20230327115206.jk5q5l753aoelwus@skbuf/ +Signed-off-by: Vladimir Oltean +Reviewed-by: Jesse Brandeburg +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Link: https://lore.kernel.org/r/20230418155902.898627-1-vladimir.oltean@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_switchdev.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c +index 8f3d76c751dd0..4b3982c368b35 100644 +--- a/net/bridge/br_switchdev.c ++++ b/net/bridge/br_switchdev.c +@@ -146,6 +146,17 @@ br_switchdev_fdb_notify(struct net_bridge *br, + { + struct switchdev_notifier_fdb_info item; + ++ /* Entries with these flags were created using ndm_state == NUD_REACHABLE, ++ * ndm_flags == NTF_MASTER( | NTF_STICKY), ext_flags == 0 by something ++ * equivalent to 'bridge fdb add ... master dynamic (sticky)'. ++ * Drivers don't know how to deal with these, so don't notify them to ++ * avoid confusing them. ++ */ ++ if (test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags) && ++ !test_bit(BR_FDB_STATIC, &fdb->flags) && ++ !test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) ++ return; ++ + br_switchdev_fdb_populate(br, &item, fdb, NULL); + + switch (type) { +-- +2.39.2 + diff --git a/queue-6.1/net-dsa-b53-mmap-add-phy-ops.patch b/queue-6.1/net-dsa-b53-mmap-add-phy-ops.patch new file mode 100644 index 00000000000..543ea9a7d4d --- /dev/null +++ b/queue-6.1/net-dsa-b53-mmap-add-phy-ops.patch 
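Review bot: The new early return sits in br_switchdev_fdb_notify() in front of `br_switchdev_fdb_populate(br, &item, fdb, NULL);`, so it filters only notifications that pass through this one function. Any other path that calls br_switchdev_fdb_populate() and then invokes the notifier itself (a replay of existing FDB entries when a port joins would be one candidate; not visible here) would still hand "master dynamic" entries to drivers. Moving the three `test_bit()` checks into a small helper, for example `static bool br_switchdev_fdb_is_notifiable(const struct net_bridge_fdb_entry *fdb)`, and calling it from every such path would keep them in step. The return also precedes `switch (type)`, so deletions of these entries are suppressed together with additions; the comment should say that this is intended. The function body continues outside the hunk.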
@@ -0,0 +1,59 @@ +From f3ba863ad6d11d19593156b8a45e8d266f5f77f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Mar 2023 20:48:41 +0100 +Subject: net: dsa: b53: mmap: add phy ops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 45977e58ce65ed0459edc9a0466d9dfea09463f5 ] + +Implement phy_read16() and phy_write16() ops for B53 MMAP to avoid accessing +B53_PORT_MII_PAGE registers which hangs the device. +This access should be done through the MDIO Mux bus controller. + +Signed-off-by: Álvaro Fernández Rojas +Acked-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_mmap.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_mmap.c b/drivers/net/dsa/b53/b53_mmap.c +index 70887e0aece33..d9434ed9450df 100644 +--- a/drivers/net/dsa/b53/b53_mmap.c ++++ b/drivers/net/dsa/b53/b53_mmap.c +@@ -216,6 +216,18 @@ static int b53_mmap_write64(struct b53_device *dev, u8 page, u8 reg, + return 0; + } + ++static int b53_mmap_phy_read16(struct b53_device *dev, int addr, int reg, ++ u16 *value) ++{ ++ return -EIO; ++} ++ ++static int b53_mmap_phy_write16(struct b53_device *dev, int addr, int reg, ++ u16 value) ++{ ++ return -EIO; ++} ++ + static const struct b53_io_ops b53_mmap_ops = { + .read8 = b53_mmap_read8, + .read16 = b53_mmap_read16, +@@ -227,6 +239,8 @@ static const struct b53_io_ops b53_mmap_ops = { + .write32 = b53_mmap_write32, + .write48 = b53_mmap_write48, + .write64 = b53_mmap_write64, ++ .phy_read16 = b53_mmap_phy_read16, ++ .phy_write16 = b53_mmap_phy_write16, + }; + + static int b53_mmap_probe_of(struct platform_device *pdev, +-- +2.39.2 + diff --git a/queue-6.1/net-rpl-fix-rpl-header-size-calculation.patch b/queue-6.1/net-rpl-fix-rpl-header-size-calculation.patch new file mode 100644 index 00000000000..bd23ccd8f11 --- /dev/null 
+++ b/queue-6.1/net-rpl-fix-rpl-header-size-calculation.patch @@ -0,0 +1,47 @@ +From 6b18001671ccd8b8fdde677fb143452f3d03893f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 09:00:52 -0400 +Subject: net: rpl: fix rpl header size calculation + +From: Alexander Aring + +[ Upstream commit 4e006c7a6dac0ead4c1bf606000aa90a372fc253 ] + +This patch fixes a missing 8 byte for the header size calculation. The +ipv6_rpl_srh_size() is used to check a skb_pull() on skb->data which +points to skb_transport_header(). Currently we only check on the +calculated addresses fields using CmprI and CmprE fields, see: + +https://www.rfc-editor.org/rfc/rfc6554#section-3 + +there is however a missing 8 byte inside the calculation which stands +for the fields before the addresses field. Those 8 bytes are represented +by sizeof(struct ipv6_rpl_sr_hdr) expression. + +Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr") +Signed-off-by: Alexander Aring +Reported-by: maxpl0it +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/rpl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/rpl.c b/net/ipv6/rpl.c +index 488aec9e1a74f..d1876f1922255 100644 +--- a/net/ipv6/rpl.c ++++ b/net/ipv6/rpl.c +@@ -32,7 +32,8 @@ static void *ipv6_rpl_segdata_pos(const struct ipv6_rpl_sr_hdr *hdr, int i) + size_t ipv6_rpl_srh_size(unsigned char n, unsigned char cmpri, + unsigned char cmpre) + { +- return (n * IPV6_PFXTAIL_LEN(cmpri)) + IPV6_PFXTAIL_LEN(cmpre); ++ return sizeof(struct ipv6_rpl_sr_hdr) + (n * IPV6_PFXTAIL_LEN(cmpri)) + ++ IPV6_PFXTAIL_LEN(cmpre); + } + + void ipv6_rpl_srh_decompress(struct ipv6_rpl_sr_hdr *outhdr, +-- +2.39.2 + diff --git a/queue-6.1/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch b/queue-6.1/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch new file mode 100644 index 00000000000..52e33d208ef --- /dev/null 
+++ b/queue-6.1/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch 
@@ -0,0 +1,134 @@ +From f109baa4aad42b98338550a7c647f9d55f22fe88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 19:35:54 +0900 +Subject: net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg + +From: Gwangun Jung + +[ Upstream commit 3037933448f60f9acb705997eae62013ecb81e0d ] + +If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device. +The MTU of the loopback device can be set up to 2^31-1. +As a result, it is possible to have an lmax value that exceeds QFQ_MIN_LMAX. + +Due to the invalid lmax value, an index is generated that exceeds the QFQ_MAX_INDEX(=24) value, causing out-of-bounds read/write errors. + +The following reports a oob access: + +[ 84.582666] BUG: KASAN: slab-out-of-bounds in qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313) +[ 84.583267] Read of size 4 at addr ffff88810f676948 by task ping/301 +[ 84.583686] +[ 84.583797] CPU: 3 PID: 301 Comm: ping Not tainted 6.3.0-rc5 #1 +[ 84.584164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +[ 84.584644] Call Trace: +[ 84.584787] +[ 84.584906] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) +[ 84.585108] print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) +[ 84.585570] kasan_report (mm/kasan/report.c:538) +[ 84.585988] qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313) +[ 84.586599] qfq_enqueue (net/sched/sch_qfq.c:1255) +[ 84.587607] dev_qdisc_enqueue (net/core/dev.c:3776) +[ 84.587749] __dev_queue_xmit (./include/net/sch_generic.h:186 net/core/dev.c:3865 net/core/dev.c:4212) +[ 84.588763] ip_finish_output2 (./include/net/neighbour.h:546 net/ipv4/ip_output.c:228) +[ 84.589460] ip_output (net/ipv4/ip_output.c:430) +[ 84.590132] ip_push_pending_frames (./include/net/dst.h:444 net/ipv4/ip_output.c:126 net/ipv4/ip_output.c:1586 net/ipv4/ip_output.c:1606) +[ 
84.590285] raw_sendmsg (net/ipv4/raw.c:649) +[ 84.591960] sock_sendmsg (net/socket.c:724 net/socket.c:747) +[ 84.592084] __sys_sendto (net/socket.c:2142) +[ 84.593306] __x64_sys_sendto (net/socket.c:2150) +[ 84.593779] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +[ 84.593902] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) +[ 84.594070] RIP: 0033:0x7fe568032066 +[ 84.594192] Code: 0e 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c09[ 84.594796] RSP: 002b:00007ffce388b4e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + +Code starting with the faulting instruction +=========================================== +[ 84.595047] RAX: ffffffffffffffda RBX: 00007ffce388cc70 RCX: 00007fe568032066 +[ 84.595281] RDX: 0000000000000040 RSI: 00005605fdad6d10 RDI: 0000000000000003 +[ 84.595515] RBP: 00005605fdad6d10 R08: 00007ffce388eeec R09: 0000000000000010 +[ 84.595749] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 +[ 84.595984] R13: 00007ffce388cc30 R14: 00007ffce388b4f0 R15: 0000001d00000001 +[ 84.596218] +[ 84.596295] +[ 84.596351] Allocated by task 291: +[ 84.596467] kasan_save_stack (mm/kasan/common.c:46) +[ 84.596597] kasan_set_track (mm/kasan/common.c:52) +[ 84.596725] __kasan_kmalloc (mm/kasan/common.c:384) +[ 84.596852] __kmalloc_node (./include/linux/kasan.h:196 mm/slab_common.c:967 mm/slab_common.c:974) +[ 84.596979] qdisc_alloc (./include/linux/slab.h:610 ./include/linux/slab.h:731 net/sched/sch_generic.c:938) +[ 84.597100] qdisc_create (net/sched/sch_api.c:1244) +[ 84.597222] tc_modify_qdisc (net/sched/sch_api.c:1680) +[ 84.597357] rtnetlink_rcv_msg (net/core/rtnetlink.c:6174) +[ 84.597495] netlink_rcv_skb (net/netlink/af_netlink.c:2574) +[ 84.597627] netlink_unicast (net/netlink/af_netlink.c:1340 net/netlink/af_netlink.c:1365) +[ 84.597759] netlink_sendmsg (net/netlink/af_netlink.c:1942) +[ 84.597891] sock_sendmsg (net/socket.c:724 net/socket.c:747) +[ 
84.598016] ____sys_sendmsg (net/socket.c:2501) +[ 84.598147] ___sys_sendmsg (net/socket.c:2557) +[ 84.598275] __sys_sendmsg (./include/linux/file.h:31 net/socket.c:2586) +[ 84.598399] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +[ 84.598520] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) +[ 84.598688] +[ 84.598744] The buggy address belongs to the object at ffff88810f674000 +[ 84.598744] which belongs to the cache kmalloc-8k of size 8192 +[ 84.599135] The buggy address is located 2664 bytes to the right of +[ 84.599135] allocated 7904-byte region [ffff88810f674000, ffff88810f675ee0) +[ 84.599544] +[ 84.599598] The buggy address belongs to the physical page: +[ 84.599777] page:00000000e638567f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f670 +[ 84.600074] head:00000000e638567f order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +[ 84.600330] flags: 0x200000000010200(slab|head|node=0|zone=2) +[ 84.600517] raw: 0200000000010200 ffff888100043180 dead000000000122 0000000000000000 +[ 84.600764] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 +[ 84.601009] page dumped because: kasan: bad access detected +[ 84.601187] +[ 84.601241] Memory state around the buggy address: +[ 84.601396] ffff88810f676800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.601620] ffff88810f676880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.601845] >ffff88810f676900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.602069] ^ +[ 84.602243] ffff88810f676980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.602468] ffff88810f676a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.602693] ================================================================== +[ 84.602924] Disabling lock debugging due to kernel taint + +Fixes: 3015f3d2a3cd ("pkt_sched: enable QFQ to support TSO/GSO") +Reported-by: Gwangun Jung +Signed-off-by: Gwangun Jung +Acked-by: Jamal Hadi Salim +Signed-off-by: 
David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index cf5ebe43b3b4e..02098a02943eb 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -421,15 +421,16 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + } else + weight = 1; + +- if (tb[TCA_QFQ_LMAX]) { ++ if (tb[TCA_QFQ_LMAX]) + lmax = nla_get_u32(tb[TCA_QFQ_LMAX]); +- if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) { +- pr_notice("qfq: invalid max length %u\n", lmax); +- return -EINVAL; +- } +- } else ++ else + lmax = psched_mtu(qdisc_dev(sch)); + ++ if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) { ++ pr_notice("qfq: invalid max length %u\n", lmax); ++ return -EINVAL; ++ } ++ + inv_w = ONE_FP / weight; + weight = ONE_FP / inv_w; + +-- +2.39.2 + diff --git a/queue-6.1/netfilter-br_netfilter-fix-recent-physdev-match-brea.patch b/queue-6.1/netfilter-br_netfilter-fix-recent-physdev-match-brea.patch new file mode 100644 index 00000000000..79736a21e92 --- /dev/null +++ b/queue-6.1/netfilter-br_netfilter-fix-recent-physdev-match-brea.patch 
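Review bot: The range check on `lmax` now also runs when the value came from `psched_mtu(qdisc_dev(sch))`, but the only diagnostic is still `pr_notice("qfq: invalid max length %u\n", lmax);`. A class add on a device whose MTU is out of range therefore fails with -EINVAL and a kernel-log line that does not say the MTU was the source, and the message is not rate limited. If qfq_change_class() receives a netlink extended-ack pointer (its parameter list is cut off in the hunk header), report the reason there instead, e.g. `NL_SET_ERR_MSG_MOD(extack, "lmax out of range: set TCA_QFQ_LMAX or lower the device MTU");`. The function starts and ends outside the hunk.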
@@ -0,0 +1,71 @@ +From ec69b0ed008090441c367aabc31d03ba67de01a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 13:54:37 +0200 +Subject: netfilter: br_netfilter: fix recent physdev match breakage + +From: Florian Westphal + +[ Upstream commit 94623f579ce338b5fa61b5acaa5beb8aa657fb9e ] + +Recent attempt to ensure PREROUTING hook is executed again when a +decrypted ipsec packet received on a bridge passes through the network +stack a second time broke the physdev match in INPUT hook. + +We can't discard the nf_bridge info strct from sabotage_in hook, as +this is needed by the physdev match. + +Keep the struct around and handle this with another conditional instead. + +Fixes: 2b272bb558f1 ("netfilter: br_netfilter: disable sabotage_in hook after first suppression") +Reported-and-tested-by: Farid BENAMROUCHE +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 1 + + net/bridge/br_netfilter_hooks.c | 17 +++++++++++------ + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 7be5bb4c94b6d..a0d271581b964 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -291,6 +291,7 @@ struct nf_bridge_info { + u8 pkt_otherhost:1; + u8 in_prerouting:1; + u8 bridged_dnat:1; ++ u8 sabotage_in_done:1; + __u16 frag_max_size; + struct net_device *physindev; + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 9554abcfd5b4e..812bd7e1750b6 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -868,12 +868,17 @@ static unsigned int ip_sabotage_in(void *priv, + { + struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); + +- if (nf_bridge && !nf_bridge->in_prerouting && +- !netif_is_l3_master(skb->dev) && +- !netif_is_l3_slave(skb->dev)) { +- nf_bridge_info_free(skb); +- state->okfn(state->net, state->sk, skb); +- return NF_STOLEN; ++ if 
(nf_bridge) { ++ if (nf_bridge->sabotage_in_done) ++ return NF_ACCEPT; ++ ++ if (!nf_bridge->in_prerouting && ++ !netif_is_l3_master(skb->dev) && ++ !netif_is_l3_slave(skb->dev)) { ++ nf_bridge->sabotage_in_done = 1; ++ state->okfn(state->net, state->sk, skb); ++ return NF_STOLEN; ++ } + } + + return NF_ACCEPT; +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nf_tables-fix-ifdef-to-also-consider-nf_ta.patch b/queue-6.1/netfilter-nf_tables-fix-ifdef-to-also-consider-nf_ta.patch new file mode 100644 index 00000000000..702abc38735 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-fix-ifdef-to-also-consider-nf_ta.patch 
@@ -0,0 +1,47 @@ +From 6efe3ea7ea9ddc88ea414d4b104ad1adf1ad1aee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 10:21:36 +0200 +Subject: netfilter: nf_tables: fix ifdef to also consider nf_tables=m + +From: Florian Westphal + +[ Upstream commit c55c0e91c813589dc55bea6bf9a9fbfaa10ae41d ] + +nftables can be built as a module, so fix the preprocessor conditional +accordingly. + +Fixes: 478b360a47b7 ("netfilter: nf_tables: fix nf_trace always-on with XT_TRACE=n") +Reported-by: Florian Fainelli +Reported-by: Jakub Kicinski +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index a0d271581b964..20ca1613f2e3e 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -4685,7 +4685,7 @@ static inline void nf_reset_ct(struct sk_buff *skb) + + static inline void nf_reset_trace(struct sk_buff *skb) + { +-#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES) ++#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || IS_ENABLED(CONFIG_NF_TABLES) + skb->nf_trace = 0; + #endif + } +@@ -4705,7 +4705,7 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src, + dst->_nfct = src->_nfct; + nf_conntrack_get(skb_nfct(src)); + #endif +-#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES) ++#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || IS_ENABLED(CONFIG_NF_TABLES) + if (copy) + dst->nf_trace = src->nf_trace; + #endif +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nf_tables-modify-nla_memdup-s-flag-to-gfp_.patch b/queue-6.1/netfilter-nf_tables-modify-nla_memdup-s-flag-to-gfp_.patch new file mode 100644 index 00000000000..77260016fc1 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-modify-nla_memdup-s-flag-to-gfp_.patch 
@@ -0,0 +1,36 @@ +From e1eba4e7da7973fb4d4f26d395d4499fc883703f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Apr 2023 12:01:51 +0800 +Subject: netfilter: nf_tables: Modify nla_memdup's flag to GFP_KERNEL_ACCOUNT + +From: Chen Aotian + +[ Upstream commit af0acf22aea359e04412237d68787401f96bb583 ] + +For memory alloc that store user data from nla[NFTA_OBJ_USERDATA], +use GFP_KERNEL_ACCOUNT is more suitable. + +Fixes: 33758c891479 ("memcg: enable accounting for nft objects") +Signed-off-by: Chen Aotian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 1a9d759d0a026..ee052a5874fc3 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6980,7 +6980,7 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, + } + + if (nla[NFTA_OBJ_USERDATA]) { +- obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL); ++ obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT); + if (obj->udata == NULL) + goto err_userdata; + +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nf_tables-tighten-netlink-attribute-requir.patch b/queue-6.1/netfilter-nf_tables-tighten-netlink-attribute-requir.patch new file mode 100644 index 00000000000..dca196d3f94 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-tighten-netlink-attribute-requir.patch 
@@ -0,0 +1,37 @@ +From 77b1b4ff0a376261720ef5bc70a59e2bf81448d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 17:50:28 +0200 +Subject: netfilter: nf_tables: tighten netlink attribute requirements for + catch-all elements + +From: Pablo Neira Ayuso + +[ Upstream commit d4eb7e39929a3b1ff30fb751b4859fc2410702a0 ] + +If NFT_SET_ELEM_CATCHALL is set on, then userspace provides no set element +key. Otherwise, bail out with -EINVAL. + +Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 251f4a9fbdb5a..12d815b9aa131 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6040,7 +6040,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + if (err < 0) + return err; + +- if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) ++ if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) || ++ (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY])) + return -EINVAL; + + if (flags != 0) { +-- +2.39.2 + diff --git a/queue-6.1/netfilter-nf_tables-validate-catch-all-set-elements.patch b/queue-6.1/netfilter-nf_tables-validate-catch-all-set-elements.patch new file mode 100644 index 00000000000..e1a44cb56e0 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-validate-catch-all-set-elements.patch 
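Review bot: The tightened check in `nft_add_set_elem` only pairs `NFT_SET_ELEM_CATCHALL` with `NFTA_SET_ELEM_KEY`; nothing in the visible lines rejects `NFTA_SET_ELEM_KEY_END` on a catch-all element. The diffstat also shows this as the only site touched, so any matching test on the element-delete path keeps the older, looser form; that path is outside the hunk and worth confirming. The two-clause condition is an equality test and reads more directly as `if (!(flags & NFT_SET_ELEM_CATCHALL) == !nla[NFTA_SET_ELEM_KEY]) return -EINVAL;`. A one-line comment such as `/* catch-all elements carry no key; every other element must */` would record the rule next to the check. The function body starts and ends outside the hunk.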
@@ -0,0 +1,177 @@ +From 50e57d72443a402c5adf92feafb0a8054c364615 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 12:14:29 +0200 +Subject: netfilter: nf_tables: validate catch-all set elements + +From: Pablo Neira Ayuso + +[ Upstream commit d46fc894147cf98dd6e8210aa99ed46854191840 ] + +catch-all set element might jump/goto to chain that uses expressions +that require validation. + +Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 4 ++ + net/netfilter/nf_tables_api.c | 64 ++++++++++++++++++++++++++++--- + net/netfilter/nft_lookup.c | 36 ++--------------- + 3 files changed, 66 insertions(+), 38 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 1daededfa75ed..6bacbf57ac175 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1078,6 +1078,10 @@ struct nft_chain { + }; + + int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain); ++int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, ++ const struct nft_set_iter *iter, ++ struct nft_set_elem *elem); ++int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set); + + enum nft_chain_types { + NFT_CHAIN_T_DEFAULT = 0, +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index ee052a5874fc3..251f4a9fbdb5a 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3391,6 +3391,64 @@ static int nft_table_validate(struct net *net, const struct nft_table *table) + return 0; + } + ++int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, ++ const struct nft_set_iter *iter, ++ struct nft_set_elem *elem) ++{ ++ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); ++ struct nft_ctx *pctx = (struct nft_ctx *)ctx; ++ const struct nft_data *data; 
++ int err; ++ ++ if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && ++ *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) ++ return 0; ++ ++ data = nft_set_ext_data(ext); ++ switch (data->verdict.code) { ++ case NFT_JUMP: ++ case NFT_GOTO: ++ pctx->level++; ++ err = nft_chain_validate(ctx, data->verdict.chain); ++ if (err < 0) ++ return err; ++ pctx->level--; ++ break; ++ default: ++ break; ++ } ++ ++ return 0; ++} ++ ++struct nft_set_elem_catchall { ++ struct list_head list; ++ struct rcu_head rcu; ++ void *elem; ++}; ++ ++int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ u8 genmask = nft_genmask_next(ctx->net); ++ struct nft_set_elem_catchall *catchall; ++ struct nft_set_elem elem; ++ struct nft_set_ext *ext; ++ int ret = 0; ++ ++ list_for_each_entry_rcu(catchall, &set->catchall_list, list) { ++ ext = nft_set_elem_ext(set, catchall->elem); ++ if (!nft_set_elem_active(ext, genmask)) ++ continue; ++ ++ elem.priv = catchall->elem; ++ ret = nft_setelem_validate(ctx, set, NULL, &elem); ++ if (ret < 0) ++ return ret; ++ } ++ ++ return ret; ++} ++ + static struct nft_rule *nft_rule_lookup_byid(const struct net *net, + const struct nft_chain *chain, + const struct nlattr *nla); +@@ -4695,12 +4753,6 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, + return err; + } + +-struct nft_set_elem_catchall { +- struct list_head list; +- struct rcu_head rcu; +- void *elem; +-}; +- + static void nft_set_catchall_destroy(const struct nft_ctx *ctx, + struct nft_set *set) + { +diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c +index dfae12759c7cd..d9ad1aa818564 100644 +--- a/net/netfilter/nft_lookup.c ++++ b/net/netfilter/nft_lookup.c +@@ -198,37 +198,6 @@ static int nft_lookup_dump(struct sk_buff *skb, const struct nft_expr *expr) + return -1; + } + +-static int nft_lookup_validate_setelem(const struct nft_ctx *ctx, +- struct nft_set *set, +- const struct nft_set_iter *iter, +- struct nft_set_elem 
*elem) +-{ +- const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); +- struct nft_ctx *pctx = (struct nft_ctx *)ctx; +- const struct nft_data *data; +- int err; +- +- if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && +- *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) +- return 0; +- +- data = nft_set_ext_data(ext); +- switch (data->verdict.code) { +- case NFT_JUMP: +- case NFT_GOTO: +- pctx->level++; +- err = nft_chain_validate(ctx, data->verdict.chain); +- if (err < 0) +- return err; +- pctx->level--; +- break; +- default: +- break; +- } +- +- return 0; +-} +- + static int nft_lookup_validate(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nft_data **d) +@@ -244,9 +213,12 @@ static int nft_lookup_validate(const struct nft_ctx *ctx, + iter.skip = 0; + iter.count = 0; + iter.err = 0; +- iter.fn = nft_lookup_validate_setelem; ++ iter.fn = nft_setelem_validate; + + priv->set->ops->walk(ctx, priv->set, &iter); ++ if (!iter.err) ++ iter.err = nft_set_catchall_validate(ctx, priv->set); ++ + if (iter.err < 0) + return iter.err; + +-- +2.39.2 + diff --git a/queue-6.1/nvme-tcp-fix-a-possible-uaf-when-failing-to-allocate.patch b/queue-6.1/nvme-tcp-fix-a-possible-uaf-when-failing-to-allocate.patch new file mode 100644 index 00000000000..94165ea3f56 --- /dev/null +++ b/queue-6.1/nvme-tcp-fix-a-possible-uaf-when-failing-to-allocate.patch 
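Review bot: In `nft_setelem_validate`, the `NFT_JUMP`/`NFT_GOTO` branch returns on a failed `nft_chain_validate()` before `pctx->level--` runs, so the context is left with `level` one higher than on entry. The function is now declared in nf_tables.h and writes through a cast that drops `const` from `ctx`, which makes this side effect easy for a new caller to miss. Decrementing before the error test keeps the counter balanced: `err = nft_chain_validate(ctx, data->verdict.chain);` `pctx->level--;` `if (err < 0) return err;`. Whether any caller keeps using the context after a failure is not visible here. Separately, `nft_set_catchall_validate` passes a `struct nft_set_elem` with only `priv` assigned, which is safe only while the callee reads nothing but `elem->priv`; a zero initializer would make that robust.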
@@ -0,0 +1,157 @@ +From be3a568a1dabe886ab00a179478ae14b67a8845e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Mar 2023 15:33:34 +0200 +Subject: nvme-tcp: fix a possible UAF when failing to allocate an io queue + +From: Sagi Grimberg + +[ Upstream commit 88eaba80328b31ef81813a1207b4056efd7006a6 ] + +When we allocate a nvme-tcp queue, we set the data_ready callback before +we actually need to use it. This creates the potential that if a stray +controller sends us data on the socket before we connect, we can trigger +the io_work and start consuming the socket. + +In this case reported: we failed to allocate one of the io queues, and +as we start releasing the queues that we already allocated, we get +a UAF [1] from the io_work which is running before it should really. + +Fix this by setting the socket ops callbacks only before we start the +queue, so that we can't accidentally schedule the io_work in the +initialization phase before the queue started. While we are at it, +rename nvme_tcp_restore_sock_calls to pair with nvme_tcp_setup_sock_ops. + +[1]: +[16802.107284] nvme nvme4: starting error recovery +[16802.109166] nvme nvme4: Reconnecting in 10 seconds... +[16812.173535] nvme nvme4: failed to connect socket: -111 +[16812.173745] nvme nvme4: Failed reconnect attempt 1 +[16812.173747] nvme nvme4: Reconnecting in 10 seconds... +[16822.413555] nvme nvme4: failed to connect socket: -111 +[16822.413762] nvme nvme4: Failed reconnect attempt 2 +[16822.413765] nvme nvme4: Reconnecting in 10 seconds... +[16832.661274] nvme nvme4: creating 32 I/O queues. +[16833.919887] BUG: kernel NULL pointer dereference, address: 0000000000000088 +[16833.920068] nvme nvme4: Failed reconnect attempt 3 +[16833.920094] #PF: supervisor write access in kernel mode +[16833.920261] nvme nvme4: Reconnecting in 10 seconds... 
+[16833.920368] #PF: error_code(0x0002) - not-present page +[16833.921086] Workqueue: nvme_tcp_wq nvme_tcp_io_work [nvme_tcp] +[16833.921191] RIP: 0010:_raw_spin_lock_bh+0x17/0x30 +... +[16833.923138] Call Trace: +[16833.923271] +[16833.923402] lock_sock_nested+0x1e/0x50 +[16833.923545] nvme_tcp_try_recv+0x40/0xa0 [nvme_tcp] +[16833.923685] nvme_tcp_io_work+0x68/0xa0 [nvme_tcp] +[16833.923824] process_one_work+0x1e8/0x390 +[16833.923969] worker_thread+0x53/0x3d0 +[16833.924104] ? process_one_work+0x390/0x390 +[16833.924240] kthread+0x124/0x150 +[16833.924376] ? set_kthread_struct+0x50/0x50 +[16833.924518] ret_from_fork+0x1f/0x30 +[16833.924655] + +Reported-by: Yanjun Zhang +Signed-off-by: Sagi Grimberg +Tested-by: Yanjun Zhang +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 46 +++++++++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 20 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index bb80192c16b6b..8f17cbec5a0e4 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1604,22 +1604,7 @@ static int nvme_tcp_alloc_queue(struct nvme_ctrl *nctrl, int qid) + if (ret) + goto err_init_connect; + +- queue->rd_enabled = true; + set_bit(NVME_TCP_Q_ALLOCATED, &queue->flags); +- nvme_tcp_init_recv_ctx(queue); +- +- write_lock_bh(&queue->sock->sk->sk_callback_lock); +- queue->sock->sk->sk_user_data = queue; +- queue->state_change = queue->sock->sk->sk_state_change; +- queue->data_ready = queue->sock->sk->sk_data_ready; +- queue->write_space = queue->sock->sk->sk_write_space; +- queue->sock->sk->sk_data_ready = nvme_tcp_data_ready; +- queue->sock->sk->sk_state_change = nvme_tcp_state_change; +- queue->sock->sk->sk_write_space = nvme_tcp_write_space; +-#ifdef CONFIG_NET_RX_BUSY_POLL +- queue->sock->sk->sk_ll_usec = 1; +-#endif +- write_unlock_bh(&queue->sock->sk->sk_callback_lock); + + return 0; + +@@ -1639,7 +1624,7 @@ static int nvme_tcp_alloc_queue(struct 
nvme_ctrl *nctrl, int qid) + return ret; + } + +-static void nvme_tcp_restore_sock_calls(struct nvme_tcp_queue *queue) ++static void nvme_tcp_restore_sock_ops(struct nvme_tcp_queue *queue) + { + struct socket *sock = queue->sock; + +@@ -1654,7 +1639,7 @@ static void nvme_tcp_restore_sock_calls(struct nvme_tcp_queue *queue) + static void __nvme_tcp_stop_queue(struct nvme_tcp_queue *queue) + { + kernel_sock_shutdown(queue->sock, SHUT_RDWR); +- nvme_tcp_restore_sock_calls(queue); ++ nvme_tcp_restore_sock_ops(queue); + cancel_work_sync(&queue->io_work); + } + +@@ -1672,21 +1657,42 @@ static void nvme_tcp_stop_queue(struct nvme_ctrl *nctrl, int qid) + mutex_unlock(&queue->queue_lock); + } + ++static void nvme_tcp_setup_sock_ops(struct nvme_tcp_queue *queue) ++{ ++ write_lock_bh(&queue->sock->sk->sk_callback_lock); ++ queue->sock->sk->sk_user_data = queue; ++ queue->state_change = queue->sock->sk->sk_state_change; ++ queue->data_ready = queue->sock->sk->sk_data_ready; ++ queue->write_space = queue->sock->sk->sk_write_space; ++ queue->sock->sk->sk_data_ready = nvme_tcp_data_ready; ++ queue->sock->sk->sk_state_change = nvme_tcp_state_change; ++ queue->sock->sk->sk_write_space = nvme_tcp_write_space; ++#ifdef CONFIG_NET_RX_BUSY_POLL ++ queue->sock->sk->sk_ll_usec = 1; ++#endif ++ write_unlock_bh(&queue->sock->sk->sk_callback_lock); ++} ++ + static int nvme_tcp_start_queue(struct nvme_ctrl *nctrl, int idx) + { + struct nvme_tcp_ctrl *ctrl = to_tcp_ctrl(nctrl); ++ struct nvme_tcp_queue *queue = &ctrl->queues[idx]; + int ret; + ++ queue->rd_enabled = true; ++ nvme_tcp_init_recv_ctx(queue); ++ nvme_tcp_setup_sock_ops(queue); ++ + if (idx) + ret = nvmf_connect_io_queue(nctrl, idx); + else + ret = nvmf_connect_admin_queue(nctrl); + + if (!ret) { +- set_bit(NVME_TCP_Q_LIVE, &ctrl->queues[idx].flags); ++ set_bit(NVME_TCP_Q_LIVE, &queue->flags); + } else { +- if (test_bit(NVME_TCP_Q_ALLOCATED, &ctrl->queues[idx].flags)) +- __nvme_tcp_stop_queue(&ctrl->queues[idx]); ++ if 
(test_bit(NVME_TCP_Q_ALLOCATED, &queue->flags)) ++ __nvme_tcp_stop_queue(queue); + dev_err(nctrl->device, + "failed to connect queue: %d ret=%d\n", idx, ret); + } +-- +2.39.2 + diff --git a/queue-6.1/platform-x86-asus-nb-wmi-add-quirk_asus_tablet_mode-.patch b/queue-6.1/platform-x86-asus-nb-wmi-add-quirk_asus_tablet_mode-.patch new file mode 100644 index 00000000000..de0545a0f5e --- /dev/null +++ b/queue-6.1/platform-x86-asus-nb-wmi-add-quirk_asus_tablet_mode-.patch @@ -0,0 +1,39 @@ +From 9442e030b0f7a70ccddeb8253b6663c07a16ec1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 19:49:43 +0800 +Subject: platform/x86: asus-nb-wmi: Add quirk_asus_tablet_mode to other ROG + Flow X13 models + +From: weiliang1503 + +[ Upstream commit e352d685fde427a8fc9beb2ba30888f5d6f2e5e6 ] + +Make quirk_asus_tablet_mode apply on other ROG Flow X13 devices, +which only affects the GV301Q model before. + +Signed-off-by: weiliang1503 +Link: https://lore.kernel.org/r/20230330114943.15057-1-weiliang1503@gmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-nb-wmi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c +index cb15acdf14a30..e2c9a68d12df9 100644 +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -464,7 +464,8 @@ static const struct dmi_system_id asus_quirks[] = { + .ident = "ASUS ROG FLOW X13", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +- DMI_MATCH(DMI_PRODUCT_NAME, "GV301Q"), ++ /* Match GV301** */ ++ DMI_MATCH(DMI_PRODUCT_NAME, "GV301"), + }, + .driver_data = &quirk_asus_tablet_mode, + }, +-- +2.39.2 + diff --git a/queue-6.1/platform-x86-gigabyte-wmi-add-support-for-a320m-s2h-.patch b/queue-6.1/platform-x86-gigabyte-wmi-add-support-for-a320m-s2h-.patch new file mode 100644 index 00000000000..fd2c305936e --- /dev/null 
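Review bot: `nvme_tcp_setup_sock_ops` saves whatever callbacks the socket currently holds into `queue->state_change`, `queue->data_ready` and `queue->write_space`, and `nvme_tcp_start_queue` now calls it on every start. If a queue were started again without `nvme_tcp_restore_sock_ops` running in between, the saved pointers would be the nvme handlers themselves and the socket's original callbacks would be lost; the hunk does not show whether that sequence is reachable. A comment on the helper would pin the contract: `/* Installs the nvme-tcp socket callbacks and saves the previous ones; must be paired with nvme_tcp_restore_sock_ops(). */`. The connect-failure branch undoes the setup only when `NVME_TCP_Q_ALLOCATED` is set, so the pairing also relies on that flag always being set by the time start runs. `nvme_tcp_alloc_queue` and `nvme_tcp_start_queue` both extend beyond the visible hunks.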
+++ b/queue-6.1/platform-x86-gigabyte-wmi-add-support-for-a320m-s2h-.patch @@ -0,0 +1,39 @@ +From f3c782d8f48714c8ad3836668f8644fa60b5a181 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Mar 2023 20:14:41 +1100 +Subject: platform/x86 (gigabyte-wmi): Add support for A320M-S2H V2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frank Crawford + +[ Upstream commit b7c994f8c35e916e27c60803bb21457bc1373500 ] + +Add support for A320M-S2H V2. Tested using module force_load option. + +Signed-off-by: Frank Crawford +Acked-by: Thomas Weißschuh +Link: https://lore.kernel.org/r/20230318091441.1240921-1-frank@crawford.emu.id.au +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/gigabyte-wmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/gigabyte-wmi.c b/drivers/platform/x86/gigabyte-wmi.c +index 322cfaeda17ba..4dd39ab6ecfa2 100644 +--- a/drivers/platform/x86/gigabyte-wmi.c ++++ b/drivers/platform/x86/gigabyte-wmi.c +@@ -140,6 +140,7 @@ static u8 gigabyte_wmi_detect_sensor_usability(struct wmi_device *wdev) + }} + + static const struct dmi_system_id gigabyte_wmi_known_working_platforms[] = { ++ DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("A320M-S2H V2-CF"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B450M DS3H-CF"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B450M DS3H WIFI-CF"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B450M S2H V2"), +-- +2.39.2 + diff --git a/queue-6.1/platform-x86-gigabyte-wmi-add-support-for-b650-aorus.patch b/queue-6.1/platform-x86-gigabyte-wmi-add-support-for-b650-aorus.patch new file mode 100644 index 00000000000..c71c3c65421 --- /dev/null +++ b/queue-6.1/platform-x86-gigabyte-wmi-add-support-for-b650-aorus.patch 
@@ -0,0 +1,40 @@ +From b89e5ab79b49a5eea43b092e9b30f49ef033dc71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Mar 2023 13:05:02 +0000 +Subject: platform/x86: gigabyte-wmi: add support for B650 AORUS ELITE AX +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 441d901fbf669f6360566a4437b1e563b854de4a ] + +This has been reported as working. + +Suggested-by: got3nks +Link: https://github.com/t-8ch/linux-gigabyte-wmi-driver/issues/15#issuecomment-1483942966 +Signed-off-by: Thomas Weißschuh +Link: https://lore.kernel.org/r/20230327-gigabyte-wmi-b650-elite-ax-v1-1-d4d645c21d0b@weissschuh.net +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/gigabyte-wmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/gigabyte-wmi.c b/drivers/platform/x86/gigabyte-wmi.c +index 4dd39ab6ecfa2..5e5b17c50eb67 100644 +--- a/drivers/platform/x86/gigabyte-wmi.c ++++ b/drivers/platform/x86/gigabyte-wmi.c +@@ -151,6 +151,7 @@ static const struct dmi_system_id gigabyte_wmi_known_working_platforms[] = { + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550I AORUS PRO AX"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550M AORUS PRO-P"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550M DS3H"), ++ DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B650 AORUS ELITE AX"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B660 GAMING X DDR4"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B660I AORUS PRO DDR4"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("Z390 I AORUS PRO WIFI-CF"), +-- +2.39.2 + diff --git a/queue-6.1/platform-x86-gigabyte-wmi-add-support-for-x570s-aoru.patch b/queue-6.1/platform-x86-gigabyte-wmi-add-support-for-x570s-aoru.patch new file mode 100644 index 00000000000..afb8b701987 --- /dev/null +++ b/queue-6.1/platform-x86-gigabyte-wmi-add-support-for-x570s-aoru.patch 
@@ -0,0 +1,34 @@ +From 5078997685e71dc9879dceb0fa4c1028ac2c241c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 19:31:48 +0200 +Subject: platform/x86: gigabyte-wmi: add support for X570S AORUS ELITE + +From: Hans de Goede + +[ Upstream commit 52f91e51944808d83dfe2d5582601b5e84e472cc ] + +Add "X570S AORUS ELITE" to known working boards + +Reported-by: Brandon Nielsen +Link: https://lore.kernel.org/r/20230331014902.7864-1-nielsenb@jetfuse.net +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/gigabyte-wmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/gigabyte-wmi.c b/drivers/platform/x86/gigabyte-wmi.c +index 5e5b17c50eb67..2a426040f749e 100644 +--- a/drivers/platform/x86/gigabyte-wmi.c ++++ b/drivers/platform/x86/gigabyte-wmi.c +@@ -161,6 +161,7 @@ static const struct dmi_system_id gigabyte_wmi_known_working_platforms[] = { + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("X570 GAMING X"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("X570 I AORUS PRO WIFI"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("X570 UD"), ++ DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("X570S AORUS ELITE"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("Z690M AORUS ELITE AX DDR4"), + { } + }; +-- +2.39.2 + diff --git a/queue-6.1/platform-x86-intel-vsec-fix-a-memory-leak-in-intel_v.patch b/queue-6.1/platform-x86-intel-vsec-fix-a-memory-leak-in-intel_v.patch new file mode 100644 index 00000000000..b31e53e090c --- /dev/null +++ b/queue-6.1/platform-x86-intel-vsec-fix-a-memory-leak-in-intel_v.patch 
@@ -0,0 +1,40 @@ +From 2701574fc76331668eb62b6c1a95b4530f4888f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Mar 2023 12:01:07 +0800 +Subject: platform/x86/intel: vsec: Fix a memory leak in intel_vsec_add_aux + +From: Dongliang Mu + +[ Upstream commit da0ba0ccce54059d6c6b788a75099bfce95126da ] + +The first error handling code in intel_vsec_add_aux misses the +deallocation of intel_vsec_dev->resource. + +Fix this by adding kfree(intel_vsec_dev->resource) in the error handling +code. + +Reviewed-by: David E. Box +Signed-off-by: Dongliang Mu +Link: https://lore.kernel.org/r/20230309040107.534716-4-dzm91@hust.edu.cn +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/vsec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/intel/vsec.c b/drivers/platform/x86/intel/vsec.c +index bb81b8b1f7e9b..483bb65651665 100644 +--- a/drivers/platform/x86/intel/vsec.c ++++ b/drivers/platform/x86/intel/vsec.c +@@ -141,6 +141,7 @@ static int intel_vsec_add_aux(struct pci_dev *pdev, struct intel_vsec_device *in + + ret = ida_alloc(intel_vsec_dev->ida, GFP_KERNEL); + if (ret < 0) { ++ kfree(intel_vsec_dev->resource); + kfree(intel_vsec_dev); + return ret; + } +-- +2.39.2 + diff --git a/queue-6.1/regulator-fan53555-explicitly-include-bits-header.patch b/queue-6.1/regulator-fan53555-explicitly-include-bits-header.patch new file mode 100644 index 00000000000..af8b5fd963c --- /dev/null +++ b/queue-6.1/regulator-fan53555-explicitly-include-bits-header.patch 
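Review bot: `intel_vsec_add_aux` frees memory its caller allocated (after this change both `intel_vsec_dev->resource` and `intel_vsec_dev` in the `ida_alloc` failure branch), but nothing at the function says that ownership passes to it. That missing contract is the likely source of the leak being fixed, and it also leaves room for a caller to free the same pointers again. A header comment would make it explicit: `/* Takes ownership of intel_vsec_dev and intel_vsec_dev->resource; both are freed here on failure. */`. The rest of the function, including its later error paths, is outside the hunk, so whether they release `resource` in the same way should be checked against the full file.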
@@ -0,0 +1,59 @@ +From 284209f531d7ed834098ac84cfbb7798c2c9018f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Apr 2023 20:18:00 +0300 +Subject: regulator: fan53555: Explicitly include bits header + +From: Cristian Ciocaltea + +[ Upstream commit 4fb9a5060f73627303bc531ceaab1b19d0a24aef ] + +Since commit f2a9eb975ab2 ("regulator: fan53555: Add support for +FAN53526") the driver makes use of the BIT() macro, but relies on the +bits header being implicitly included. + +Explicitly pull the header in to avoid potential build failures in some +configurations. + +While here, reorder include directives alphabetically. + +Fixes: f2a9eb975ab2 ("regulator: fan53555: Add support for FAN53526") +Signed-off-by: Cristian Ciocaltea +Link: https://lore.kernel.org/r/20230406171806.948290-3-cristian.ciocaltea@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fan53555.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/regulator/fan53555.c b/drivers/regulator/fan53555.c +index dac1fb584fa35..df53464afe3a0 100644 +--- a/drivers/regulator/fan53555.c ++++ b/drivers/regulator/fan53555.c +@@ -8,18 +8,19 @@ + // Copyright (c) 2012 Marvell Technology Ltd. + // Yunfan Zhang + ++#include ++#include ++#include + #include ++#include + #include +-#include + #include ++#include + #include ++#include + #include + #include +-#include +-#include + #include +-#include +-#include + + /* Voltage setting */ + #define FAN53555_VSEL0 0x00 +-- +2.39.2 + diff --git a/queue-6.1/regulator-fan53555-fix-wrong-tcs_slew_mask.patch b/queue-6.1/regulator-fan53555-fix-wrong-tcs_slew_mask.patch new file mode 100644 index 00000000000..954129a972e --- /dev/null +++ b/queue-6.1/regulator-fan53555-fix-wrong-tcs_slew_mask.patch 
@@ -0,0 +1,40 @@ +From 59395a099d31099870be0e597025a30b417f1203 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Apr 2023 20:18:01 +0300 +Subject: regulator: fan53555: Fix wrong TCS_SLEW_MASK + +From: Cristian Ciocaltea + +[ Upstream commit c5d5b55b3c1a314137a251efc1001dfd435c6242 ] + +The support for TCS4525 regulator has been introduced with a wrong +ramp-rate mask, which has been defined as a logical expression instead +of a bit shift operation. + +For clarity, fix it using GENMASK() macro. + +Fixes: 914df8faa7d6 ("regulator: fan53555: Add TCS4525 DCDC support") +Signed-off-by: Cristian Ciocaltea +Link: https://lore.kernel.org/r/20230406171806.948290-4-cristian.ciocaltea@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fan53555.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/fan53555.c b/drivers/regulator/fan53555.c +index df53464afe3a0..ecd5a50c61660 100644 +--- a/drivers/regulator/fan53555.c ++++ b/drivers/regulator/fan53555.c +@@ -61,7 +61,7 @@ + #define TCS_VSEL1_MODE (1 << 6) + + #define TCS_SLEW_SHIFT 3 +-#define TCS_SLEW_MASK (0x3 < 3) ++#define TCS_SLEW_MASK GENMASK(4, 3) + + enum fan53555_vendor { + FAN53526_VENDOR_FAIRCHILD = 0, +-- +2.39.2 + diff --git a/queue-6.1/rust-str-fix-requierments-requirements-typo.patch b/queue-6.1/rust-str-fix-requierments-requirements-typo.patch new file mode 100644 index 00000000000..6872f3ab46e --- /dev/null +++ b/queue-6.1/rust-str-fix-requierments-requirements-typo.patch 
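Review bot: `TCS_SLEW_MASK` becomes `GENMASK(4, 3)` while `TCS_SLEW_SHIFT` stays a separate literal `3` on the line above, so the mask and the shift are still two independent numbers that can drift apart. Deriving one from the other removes that: `#define TCS_SLEW_MASK GENMASK(TCS_SLEW_SHIFT + 1, TCS_SLEW_SHIFT)`. If the literal form is preferred, a short comment such as `/* bits 4:3, matches TCS_SLEW_SHIFT */` records the relationship.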
@@ -0,0 +1,39 @@ +From 4405ad903d04d4553d5547292e131a0715ae9f68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 20:06:29 +0100 +Subject: rust: str: fix requierments->requirements typo + +From: Patrick Blass + +[ Upstream commit 88e8c2ec4ab84f9f05ed5af9693a3972baf386c4 ] + +Fix a trivial spelling error in the `rust/kernel/str.rs` file. + +Fixes: 247b365dc8dc ("rust: add `kernel` crate") +Reported-by: Miguel Ojeda +Link: https://github.com/Rust-for-Linux/linux/issues/978 +Signed-off-by: Patrick Blass +Reviewed-by: Vincenzo Palazzo +[Reworded slightly] +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + rust/kernel/str.rs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs +index e45ff220ae50f..2c4b4bac28f42 100644 +--- a/rust/kernel/str.rs ++++ b/rust/kernel/str.rs +@@ -29,7 +29,7 @@ impl RawFormatter { + /// If `pos` is less than `end`, then the region between `pos` (inclusive) and `end` + /// (exclusive) must be valid for writes for the lifetime of the returned [`RawFormatter`]. + pub(crate) unsafe fn from_ptrs(pos: *mut u8, end: *mut u8) -> Self { +- // INVARIANT: The safety requierments guarantee the type invariants. ++ // INVARIANT: The safety requirements guarantee the type invariants. + Self { + beg: pos as _, + pos: pos as _, +-- +2.39.2 + diff --git a/queue-6.1/s390-ptrace-fix-ptrace_get_last_break-error-handling.patch b/queue-6.1/s390-ptrace-fix-ptrace_get_last_break-error-handling.patch new file mode 100644 index 00000000000..231d89ef9dc --- /dev/null +++ b/queue-6.1/s390-ptrace-fix-ptrace_get_last_break-error-handling.patch 
@@ -0,0 +1,49 @@ +From 44db384d335fab9cb46ad871cbf9921dcab8d7f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 12:31:30 +0100 +Subject: s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling + +From: Heiko Carstens + +[ Upstream commit f9bbf25e7b2b74b52b2f269216a92657774f239c ] + +Return -EFAULT if put_user() for the PTRACE_GET_LAST_BREAK +request fails, instead of silently ignoring it. + +Reviewed-by: Sven Schnelle +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/ptrace.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c +index 53e0209229f87..092b16b4dd4f6 100644 +--- a/arch/s390/kernel/ptrace.c ++++ b/arch/s390/kernel/ptrace.c +@@ -474,9 +474,7 @@ long arch_ptrace(struct task_struct *child, long request, + } + return 0; + case PTRACE_GET_LAST_BREAK: +- put_user(child->thread.last_break, +- (unsigned long __user *) data); +- return 0; ++ return put_user(child->thread.last_break, (unsigned long __user *)data); + case PTRACE_ENABLE_TE: + if (!MACHINE_HAS_TE) + return -EIO; +@@ -824,9 +822,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, + } + return 0; + case PTRACE_GET_LAST_BREAK: +- put_user(child->thread.last_break, +- (unsigned int __user *) data); +- return 0; ++ return put_user(child->thread.last_break, (unsigned int __user *)data); + } + return compat_ptrace_request(child, request, addr, data); + } +-- +2.39.2 + diff --git a/queue-6.1/scsi-core-improve-scsi_vpd_inquiry-checks.patch b/queue-6.1/scsi-core-improve-scsi_vpd_inquiry-checks.patch new file mode 100644 index 00000000000..207ac967406 --- /dev/null +++ b/queue-6.1/scsi-core-improve-scsi_vpd_inquiry-checks.patch 
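Review bot: In `compat_arch_ptrace`, `child->thread.last_break` is stored through an `unsigned int __user *`, while the native path uses `unsigned long __user *` for the same field, so the compat store presumably narrows the value implicitly. Making the narrowing visible documents that it is intended: `return put_user((unsigned int)child->thread.last_break, (unsigned int __user *)data);`. The field's declaration is outside the hunk, so its type should be confirmed. Both switch statements start and end outside the visible lines.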
@@ -0,0 +1,60 @@ +From ba730f47f4f43cfdc55ea9956e6b93c3ce59df95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 11:22:11 +0900 +Subject: scsi: core: Improve scsi_vpd_inquiry() checks + +From: Damien Le Moal + +[ Upstream commit f0aa59a33d2ac2267d260fe21eaf92500df8e7b4 ] + +Some USB-SATA adapters have broken behavior when an unsupported VPD page is +probed: Depending on the VPD page number, a 4-byte header with a valid VPD +page number but with a 0 length is returned. Currently, scsi_vpd_inquiry() +only checks that the page number is valid to determine if the page is +valid, which results in receiving only the 4-byte header for the +non-existent page. This error manifests itself very often with page 0xb9 +for the Concurrent Positioning Ranges detection done by sd_read_cpr(), +resulting in the following error message: + +sd 0:0:0:0: [sda] Invalid Concurrent Positioning Ranges VPD page + +Prevent such misleading error message by adding a check in +scsi_vpd_inquiry() to verify that the page length is not 0. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20230322022211.116327-1-damien.lemoal@opensource.wdc.com +Reviewed-by: Benjamin Block +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c +index 24c4c92543599..3cda5d26b66ca 100644 +--- a/drivers/scsi/scsi.c ++++ b/drivers/scsi/scsi.c +@@ -314,11 +314,18 @@ static int scsi_vpd_inquiry(struct scsi_device *sdev, unsigned char *buffer, + if (result) + return -EIO; + +- /* Sanity check that we got the page back that we asked for */ ++ /* ++ * Sanity check that we got the page back that we asked for and that ++ * the page size is not 0. 
++ */ + if (buffer[1] != page) + return -EIO; + +- return get_unaligned_be16(&buffer[2]) + 4; ++ result = get_unaligned_be16(&buffer[2]); ++ if (!result) ++ return -EIO; ++ ++ return result + 4; + } + + static int scsi_get_vpd_size(struct scsi_device *sdev, u8 page) +-- +2.39.2 + diff --git a/queue-6.1/scsi-megaraid_sas-fix-fw_crash_buffer_show.patch b/queue-6.1/scsi-megaraid_sas-fix-fw_crash_buffer_show.patch new file mode 100644 index 00000000000..deda82bab36 --- /dev/null +++ b/queue-6.1/scsi-megaraid_sas-fix-fw_crash_buffer_show.patch @@ -0,0 +1,36 @@ +From 7225368744822bbe97fbea9a79186d94636755fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 14:52:49 +0100 +Subject: scsi: megaraid_sas: Fix fw_crash_buffer_show() + +From: Tomas Henzl + +[ Upstream commit 0808ed6ebbc292222ca069d339744870f6d801da ] + +If crash_dump_buf is not allocated then crash dump can't be available. +Replace logical 'and' with 'or'. + +Signed-off-by: Tomas Henzl +Link: https://lore.kernel.org/r/20230324135249.9733-1-thenzl@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index d265a2d9d0824..13ee8e4c4f570 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -3299,7 +3299,7 @@ fw_crash_buffer_show(struct device *cdev, + + spin_lock_irqsave(&instance->crashdump_lock, flags); + buff_offset = instance->fw_crash_buffer_offset; +- if (!instance->crash_dump_buf && ++ if (!instance->crash_dump_buf || + !((instance->fw_crash_state == AVAILABLE) || + (instance->fw_crash_state == COPYING))) { + dev_err(&instance->pdev->dev, +-- +2.39.2 + 
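Review bot: The length that `scsi_vpd_inquiry` returns is read straight from bytes 2 and 3 of the device's response and, in the visible lines, is checked only for zero, never against the size of `buffer`. A misbehaving or hostile device can therefore report up to 65535 + 4 bytes regardless of what was allocated. Whether the callers clamp the value is outside this hunk; if they do, that belongs where the value is produced, e.g. `/* Device-reported length; may exceed the buffer size, callers must clamp. */` above `return result + 4;`. Likewise, `buffer[1]` and `buffer[2]` are read without the visible code confirming that the device transferred at least the four header bytes. The function begins before the hunk.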
diff --git a/queue-6.1/selftests-sigaltstack-fix-wuninitialized.patch b/queue-6.1/selftests-sigaltstack-fix-wuninitialized.patch new file mode 100644 index 00000000000..2a93ba8298d --- /dev/null +++ b/queue-6.1/selftests-sigaltstack-fix-wuninitialized.patch 
@@ -0,0 +1,95 @@ +From ea35c6f761cc83429081bd49617e9474fc99fecb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 11:59:33 -0800 +Subject: selftests: sigaltstack: fix -Wuninitialized + +From: Nick Desaulniers + +[ Upstream commit 05107edc910135d27fe557267dc45be9630bf3dd ] + +Building sigaltstack with clang via: +$ ARCH=x86 make LLVM=1 -C tools/testing/selftests/sigaltstack/ + +produces the following warning: + warning: variable 'sp' is uninitialized when used here [-Wuninitialized] + if (sp < (unsigned long)sstack || + ^~ + +Clang expects these to be declared at global scope; we've fixed this in +the kernel proper by using the macro `current_stack_pointer`. This is +defined in different headers for different target architectures, so just +create a new header that defines the arch-specific register names for +the stack pointer register, and define it for more targets (at least the +ones that support current_stack_pointer/ARCH_HAS_CURRENT_STACK_POINTER). + +Reported-by: Linux Kernel Functional Testing +Link: https://lore.kernel.org/lkml/CA+G9fYsi3OOu7yCsMutpzKDnBMAzJBCPimBp86LhGBa0eCnEpA@mail.gmail.com/ +Signed-off-by: Nick Desaulniers +Reviewed-by: Kees Cook +Tested-by: Linux Kernel Functional Testing +Tested-by: Anders Roxell +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../sigaltstack/current_stack_pointer.h | 23 +++++++++++++++++++ + tools/testing/selftests/sigaltstack/sas.c | 7 +----- + 2 files changed, 24 insertions(+), 6 deletions(-) + create mode 100644 tools/testing/selftests/sigaltstack/current_stack_pointer.h + +diff --git a/tools/testing/selftests/sigaltstack/current_stack_pointer.h b/tools/testing/selftests/sigaltstack/current_stack_pointer.h +new file mode 100644 +index 0000000000000..ea9bdf3a90b16 +--- /dev/null ++++ b/tools/testing/selftests/sigaltstack/current_stack_pointer.h +@@ -0,0 +1,23 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++ ++#if __alpha__ ++register unsigned long sp asm("$30"); ++#elif __arm__ || 
__aarch64__ || __csky__ || __m68k__ || __mips__ || __riscv ++register unsigned long sp asm("sp"); ++#elif __i386__ ++register unsigned long sp asm("esp"); ++#elif __loongarch64 ++register unsigned long sp asm("$sp"); ++#elif __ppc__ ++register unsigned long sp asm("r1"); ++#elif __s390x__ ++register unsigned long sp asm("%15"); ++#elif __sh__ ++register unsigned long sp asm("r15"); ++#elif __x86_64__ ++register unsigned long sp asm("rsp"); ++#elif __XTENSA__ ++register unsigned long sp asm("a1"); ++#else ++#error "implement current_stack_pointer equivalent" ++#endif +diff --git a/tools/testing/selftests/sigaltstack/sas.c b/tools/testing/selftests/sigaltstack/sas.c +index c53b070755b65..98d37cb744fb2 100644 +--- a/tools/testing/selftests/sigaltstack/sas.c ++++ b/tools/testing/selftests/sigaltstack/sas.c +@@ -20,6 +20,7 @@ + #include + + #include "../kselftest.h" ++#include "current_stack_pointer.h" + + #ifndef SS_AUTODISARM + #define SS_AUTODISARM (1U << 31) +@@ -46,12 +47,6 @@ void my_usr1(int sig, siginfo_t *si, void *u) + stack_t stk; + struct stk_data *p; + +-#if __s390x__ +- register unsigned long sp asm("%15"); +-#else +- register unsigned long sp asm("sp"); +-#endif +- + if (sp < (unsigned long)sstack || + sp >= (unsigned long)sstack + stack_size) { + ksft_exit_fail_msg("SP is not on sigaltstack\n"); +-- +2.39.2 + diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 00000000000..9f0a4e1afd2 --- /dev/null +++ b/queue-6.1/series 
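Review bot: The `#elif __ppc__` branch in the new current_stack_pointer.h is probably never taken when building with GCC for Linux on powerpc, which as far as I know defines `__powerpc__` (and `__PPC__`) rather than `__ppc__`, so the build would fall through to the `#error`. Testing `#elif __powerpc__` instead should cover both GCC and clang. The header also declares a file-scope variable with the very short name `sp` and has no comment saying so; a line such as `/* Global register variable: sp aliases the stack pointer register of the target */` at the top would tell the next reader why `sp` in sas.c no longer has a local declaration.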
@@ -0,0 +1,48 @@ +arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch +arm64-dts-rockchip-lower-sd-speed-on-rk3566-soquartz.patch +arm64-dts-qcom-ipq8074-hk01-enable-qmp-device-not-th.patch +arm64-dts-qcom-hk10-use-okay-instead-of-ok.patch +arm64-dts-qcom-ipq8074-hk10-enable-qmp-device-not-th.patch +arm64-dts-meson-g12-common-specify-full-dmc-range.patch +arm64-dts-qcom-sc8280xp-pmics-fix-pon-compatible-and.patch +arm64-dts-imx8mm-evk-correct-pmic-clock-source.patch +arm64-dts-imx8mm-verdin-correct-off-on-delay.patch +arm64-dts-imx8mp-verdin-correct-off-on-delay.patch +netfilter-br_netfilter-fix-recent-physdev-match-brea.patch +netfilter-nf_tables-modify-nla_memdup-s-flag-to-gfp_.patch +rust-str-fix-requierments-requirements-typo.patch +regulator-fan53555-explicitly-include-bits-header.patch +regulator-fan53555-fix-wrong-tcs_slew_mask.patch +net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch +virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch +sfc-fix-use-after-free-due-to-selftest_work.patch +netfilter-nf_tables-fix-ifdef-to-also-consider-nf_ta.patch +i40e-fix-accessing-vsi-active_filters-without-holdin.patch +i40e-fix-i40e_setup_misc_vector-error-handling.patch +netfilter-nf_tables-validate-catch-all-set-elements.patch +netfilter-nf_tables-tighten-netlink-attribute-requir.patch +bnxt_en-do-not-initialize-ptp-on-older-p3-p4-chips.patch +mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch +bonding-fix-memory-leak-when-changing-bond-type-to-e.patch +net-rpl-fix-rpl-header-size-calculation.patch +mlxsw-pci-fix-possible-crash-during-initialization.patch +spi-spi-rockchip-fix-missing-unwind-goto-in-rockchip.patch +bpf-fix-incorrect-verifier-pruning-due-to-missing-re.patch +e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch +net-bridge-switchdev-don-t-notify-fdb-entries-with-m.patch +f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch +platform-x86-intel-vsec-fix-a-memory-leak-in-intel_v.patch 
+platform-x86-gigabyte-wmi-add-support-for-a320m-s2h-.patch +selftests-sigaltstack-fix-wuninitialized.patch +scsi-megaraid_sas-fix-fw_crash_buffer_show.patch +scsi-core-improve-scsi_vpd_inquiry-checks.patch +net-dsa-b53-mmap-add-phy-ops.patch +platform-x86-gigabyte-wmi-add-support-for-b650-aorus.patch +s390-ptrace-fix-ptrace_get_last_break-error-handling.patch +drm-buddy_allocator-fix-buddy-allocator-init-on-32-b.patch +drm-test-fix-32-bit-issue-in-drm_buddy_test.patch +nvme-tcp-fix-a-possible-uaf-when-failing-to-allocate.patch +xen-netback-use-same-error-messages-for-same-errors.patch +platform-x86-gigabyte-wmi-add-support-for-x570s-aoru.patch +platform-x86-asus-nb-wmi-add-quirk_asus_tablet_mode-.patch +mtd-spi-nor-fix-memory-leak-when-using-debugfs_looku.patch diff --git a/queue-6.1/sfc-fix-use-after-free-due-to-selftest_work.patch b/queue-6.1/sfc-fix-use-after-free-due-to-selftest_work.patch new file mode 100644 index 00000000000..44fb2ee1c96 --- /dev/null +++ b/queue-6.1/sfc-fix-use-after-free-due-to-selftest_work.patch 
@@ -0,0 +1,90 @@ +From a3db8f67af7b8e6dad3d309ac859f3ab5d2a596e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Apr 2023 23:23:06 +0800 +Subject: sfc: Fix use-after-free due to selftest_work + +From: Ding Hui + +[ Upstream commit a80bb8e7233b2ad6ff119646b6e33fb3edcec37b ] + +There is a use-after-free scenario that is: + +When the NIC is down, user set mac address or vlan tag to VF, +the xxx_set_vf_mac() or xxx_set_vf_vlan() will invoke efx_net_stop() +and efx_net_open(), since netif_running() is false, the port will not +start and keep port_enabled false, but selftest_work is scheduled +in efx_net_open(). + +If we remove the device before selftest_work run, the efx_stop_port() +will not be called since the NIC is down, and then efx is freed, +we will soon get a UAF in run_timer_softirq() like this: + +[ 1178.907941] ================================================================== +[ 1178.907948] BUG: KASAN: use-after-free in run_timer_softirq+0xdea/0xe90 +[ 1178.907950] Write of size 8 at addr ff11001f449cdc80 by task swapper/47/0 +[ 1178.907950] +[ 1178.907953] CPU: 47 PID: 0 Comm: swapper/47 Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 1178.907954] Hardware name: SANGFOR X620G40/WI2HG-208T1061A, BIOS SPYH051032-U01 04/01/2022 +[ 1178.907955] Call Trace: +[ 1178.907956] +[ 1178.907960] dump_stack+0x71/0xab +[ 1178.907963] print_address_description+0x6b/0x290 +[ 1178.907965] ? run_timer_softirq+0xdea/0xe90 +[ 1178.907967] kasan_report+0x14a/0x2b0 +[ 1178.907968] run_timer_softirq+0xdea/0xe90 +[ 1178.907971] ? init_timer_key+0x170/0x170 +[ 1178.907973] ? hrtimer_cancel+0x20/0x20 +[ 1178.907976] ? sched_clock+0x5/0x10 +[ 1178.907978] ? 
sched_clock_cpu+0x18/0x170 +[ 1178.907981] __do_softirq+0x1c8/0x5fa +[ 1178.907985] irq_exit+0x213/0x240 +[ 1178.907987] smp_apic_timer_interrupt+0xd0/0x330 +[ 1178.907989] apic_timer_interrupt+0xf/0x20 +[ 1178.907990] +[ 1178.907991] RIP: 0010:mwait_idle+0xae/0x370 + +If the NIC is not actually brought up, there is no need to schedule +selftest_work, so let's move invoking efx_selftest_async_start() +into efx_start_all(), and it will be canceled by broughting down. + +Fixes: dd40781e3a4e ("sfc: Run event/IRQ self-test asynchronously when interface is brought up") +Fixes: e340be923012 ("sfc: add ndo_set_vf_mac() function for EF10") +Debugged-by: Huang Cun +Cc: Donglin Peng +Suggested-by: Martin Habets +Signed-off-by: Ding Hui +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/efx.c | 1 - + drivers/net/ethernet/sfc/efx_common.c | 2 ++ + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sfc/efx.c b/drivers/net/ethernet/sfc/efx.c +index 6a1bff54bc6c3..e6aedd8ebd750 100644 +--- a/drivers/net/ethernet/sfc/efx.c ++++ b/drivers/net/ethernet/sfc/efx.c +@@ -541,7 +541,6 @@ int efx_net_open(struct net_device *net_dev) + else + efx->state = STATE_NET_UP; + +- efx_selftest_async_start(efx); + return 0; + } + +diff --git a/drivers/net/ethernet/sfc/efx_common.c b/drivers/net/ethernet/sfc/efx_common.c +index c2224e41a694d..ee1cabe3e2429 100644 +--- a/drivers/net/ethernet/sfc/efx_common.c ++++ b/drivers/net/ethernet/sfc/efx_common.c +@@ -544,6 +544,8 @@ void efx_start_all(struct efx_nic *efx) + /* Start the hardware monitor if there is one */ + efx_start_monitor(efx); + ++ efx_selftest_async_start(efx); ++ + /* Link state detection is normally event-driven; we have + * to poll now because we could have missed a change + */ +-- +2.39.2 + 
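Review bot: The `efx_selftest_async_start(efx);` line added to efx_start_all() in efx_common.c carries no comment, although its placement is the whole fix: the work must only be queued on a path that the stop side is guaranteed to undo before efx is freed. I would add `/* Queue the self-test only once the port is really started, so that stopping the port cancels it before efx can be freed */` above the call. The cancel side and any early return at the top of efx_start_all() are outside the hunk, so it is worth confirming that every removal path that can follow this call reaches the cancel. A defensive cancel in the removal path would make the lifetime of selftest_work independent of the port state.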
diff --git a/queue-6.1/spi-spi-rockchip-fix-missing-unwind-goto-in-rockchip.patch b/queue-6.1/spi-spi-rockchip-fix-missing-unwind-goto-in-rockchip.patch
new file mode 100644
index 00000000000..2dbc870d7fe
--- /dev/null
+++ b/queue-6.1/spi-spi-rockchip-fix-missing-unwind-goto-in-rockchip.patch
@@ -0,0 +1,40 @@
+From d40e7bedb715ac4a4d76fb5972ce35c20d4038d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Apr 2023 07:50:29 -0400
+Subject: spi: spi-rockchip: Fix missing unwind goto in rockchip_sfc_probe()
+
+From: Li Lanzhe
+
+[ Upstream commit 359f5b0d4e26b7a7bcc574d6148b31a17cefe47d ]
+
+If devm_request_irq() fails, then we are directly return 'ret' without
+clk_disable_unprepare(sfc->clk) and clk_disable_unprepare(sfc->hclk).
+
+Fix this by changing direct return to a goto 'err_irq'.
+
+Fixes: 0b89fc0a367e ("spi: rockchip-sfc: add rockchip serial flash controller")
+Signed-off-by: Li Lanzhe
+Reviewed-by: Dongliang Mu
+Link: https://lore.kernel.org/r/20230419115030.6029-1-u202212060@hust.edu.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-rockchip-sfc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-rockchip-sfc.c b/drivers/spi/spi-rockchip-sfc.c
+index bd87d3c92dd33..69347b6bf60cd 100644
+--- a/drivers/spi/spi-rockchip-sfc.c
++++ b/drivers/spi/spi-rockchip-sfc.c
+@@ -632,7 +632,7 @@ static int rockchip_sfc_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_err(dev, "Failed to request irq\n");
+
+- return ret;
++ goto err_irq;
+ }
+
+ ret = rockchip_sfc_init(sfc);
+--
+2.39.2
+
diff --git a/queue-6.1/virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch b/queue-6.1/virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch
new file mode 100644
index 00000000000..d74921fa37e
--- /dev/null
+++ b/queue-6.1/virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch
@@ -0,0 +1,59 @@ +From 41fc19a19e3156a690da26112bc3934589c83771 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Apr 2023 14:08:35 +0800 +Subject: virtio_net: bugfix overflow inside xdp_linearize_page() + +From: Xuan Zhuo + +[ Upstream commit 853618d5886bf94812f31228091cd37d308230f7 ] + +Here we copy the data from the original buf to the new page. But we +not check that it may be overflow. + +As long as the size received(including vnethdr) is greater than 3840 +(PAGE_SIZE -VIRTIO_XDP_HEADROOM). Then the memcpy will overflow. + +And this is completely possible, as long as the MTU is large, such +as 4096. In our test environment, this will cause crash. Since crash is +caused by the written memory, it is meaningless, so I do not include it. + +Fixes: 72979a6c3590 ("virtio_net: xdp, add slowpath case for non contiguous buffers") +Signed-off-by: Xuan Zhuo +Acked-by: Jason Wang +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 20b1b34a092ad..3f1883814ce21 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -724,8 +724,13 @@ static struct page *xdp_linearize_page(struct receive_queue *rq, + int page_off, + unsigned int *len) + { +- struct page *page = alloc_page(GFP_ATOMIC); ++ int tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); ++ struct page *page; + ++ if (page_off + *len + tailroom > PAGE_SIZE) ++ return NULL; ++ ++ page = alloc_page(GFP_ATOMIC); + if (!page) + return NULL; + +@@ -733,7 +738,6 @@ static struct page *xdp_linearize_page(struct receive_queue *rq, + page_off += *len; + + while (--*num_buf) { +- int tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); + unsigned int buflen; + void *buf; + int off; +-- +2.39.2 + 
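Review bot: The new guard `if (page_off + *len + tailroom > PAGE_SIZE)` in xdp_linearize_page() adds before it compares, and because `*len` is `unsigned int` the sum is computed in 32-bit unsigned arithmetic, so a very large `*len` can wrap to a small value and pass the check that is meant to protect the memcpy(). If `*len` comes from the device without an earlier bound (not visible in this hunk), the check should be written so that it cannot wrap, for example `if (*len > PAGE_SIZE - page_off - tailroom)`, which holds as long as `page_off + tailroom` stays below PAGE_SIZE. The per-buffer check inside the `while (--*num_buf)` loop, whose body continues outside the hunk, may use the same additive form and would deserve the same treatment.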
diff --git a/queue-6.1/xen-netback-use-same-error-messages-for-same-errors.patch b/queue-6.1/xen-netback-use-same-error-messages-for-same-errors.patch new file mode 100644 index 00000000000..03f029eecf5 --- /dev/null +++ b/queue-6.1/xen-netback-use-same-error-messages-for-same-errors.patch @@ -0,0 +1,42 @@ +From bc4e453cf52109201871db018a718d52f922a6c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Mar 2023 10:02:59 +0200 +Subject: xen/netback: use same error messages for same errors + +From: Juergen Gross + +[ Upstream commit 2eca98e5b24d01c02b46c67be05a5f98cc9789b1 ] + +Issue the same error message in case an illegal page boundary crossing +has been detected in both cases where this is tested. + +Suggested-by: Jan Beulich +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Link: https://lore.kernel.org/r/20230329080259.14823-1-jgross@suse.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/netback.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c +index 5c266062c08f0..c35c085dbc877 100644 +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -996,10 +996,8 @@ static void xenvif_tx_build_gops(struct xenvif_queue *queue, + + /* No crossing a page as the payload mustn't fragment. */ + if (unlikely((txreq.offset + txreq.size) > XEN_PAGE_SIZE)) { +- netdev_err(queue->vif->dev, +- "txreq.offset: %u, size: %u, end: %lu\n", +- txreq.offset, txreq.size, +- (unsigned long)(txreq.offset&~XEN_PAGE_MASK) + txreq.size); ++ netdev_err(queue->vif->dev, "Cross page boundary, txreq.offset: %u, size: %u\n", ++ txreq.offset, txreq.size); + xenvif_fatal_tx_err(queue->vif); + break; + } +-- +2.39.2 + -- 2.47.3