From 7900c2c461cad5e4b803f090c52921ebecfbc623 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 22 Oct 2024 13:39:29 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...37-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch | 42 +++ ...s-fix-uprobes-for-big-endian-kernels.patch | 176 +++++++++++++ ...x-the-uprobe-swbp_insn-in-big-endian.patch | 96 +++++++ ...ix-wild-memory-access-in-proto_unreg.patch | 50 ++++ ...32-bit-signed-integer-extension-in-p.patch | 47 ++++ .../genetlink-hold-rcu-in-genlmsg_mcast.patch | 241 ++++++++++++++++++ ...give-an-ipv4-dev-to-blackhole_netdev.patch | 112 ++++++++ ...-check-if-guest-address-is-in-memslo.patch | 125 +++++++++ ...access-cleanup-access-to-guest-pages.patch | 75 ++++++ ...-refactor-access-address-range-check.patch | 233 +++++++++++++++++ ...-refactor-gpa-and-length-calculation.patch | 93 +++++++ ...crement-counters-for-an-unrelated-sa.patch | 83 ++++++ ...oflex-fix-potential-memory-leak-in-g.patch | 47 ++++ ...ix-potential-memory-leak-in-bcm_sysp.patch | 36 +++ ...-incorrect-avid-type-in-wqe-structur.patch | 47 ++++ ...bnxt_re-return-more-meaningful-error.patch | 41 +++ ...dma_cm_event_unreachable-error-for-i.patch | 65 +++++ queue-5.4/series | 19 ++ ...obs-when-building-smb2_ioctl-request.patch | 107 ++++++++ ...mode-should-keep-reference-to-parent.patch | 130 ++++++++++ 20 files changed, 1865 insertions(+) create mode 100644 queue-5.4/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch create mode 100644 queue-5.4/arm64-probes-fix-uprobes-for-big-endian-kernels.patch create mode 100644 queue-5.4/arm64-uprobe-fix-the-uprobe-swbp_insn-in-big-endian.patch create mode 100644 queue-5.4/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch create mode 100644 queue-5.4/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch create mode 100644 queue-5.4/genetlink-hold-rcu-in-genlmsg_mcast.patch create mode 100644 queue-5.4/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch create mode 100644 queue-5.4/kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch create mode 100644 queue-5.4/kvm-s390-gaccess-cleanup-access-to-guest-pages.patch create mode 100644 queue-5.4/kvm-s390-gaccess-refactor-access-address-range-check.patch create mode 100644 queue-5.4/kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch create mode 100644 queue-5.4/macsec-don-t-increment-counters-for-an-unrelated-sa.patch create mode 100644 queue-5.4/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch create mode 100644 queue-5.4/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch create mode 100644 queue-5.4/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch create mode 100644 queue-5.4/rdma-bnxt_re-return-more-meaningful-error.patch create mode 100644 queue-5.4/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch create mode 100644 queue-5.4/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch create mode 100644 queue-5.4/usb-typec-altmode-should-keep-reference-to-parent.patch diff --git a/queue-5.4/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch b/queue-5.4/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch new file mode 100644 index 00000000000..20fa84338f1 --- /dev/null +++ b/queue-5.4/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch @@ -0,0 +1,42 @@ +From 8a4e39d9ec1351a9d4e071b82d8564474e581395 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jul 2024 02:03:11 +0300 +Subject: ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin + +From: Florian Klink + +[ Upstream commit dc7785e4723510616d776862ddb4c08857a1bdb2 ] + +HDMI_HPD_N_1V8 is connected to GPIO pin 0, not 1. + +This fixes HDMI hotplug/output detection. + +See https://datasheets.raspberrypi.com/cm/cm3-schematics.pdf + +Signed-off-by: Florian Klink +Reviewed-by: Stefan Wahren +Link: https://lore.kernel.org/r/20240715230311.685641-1-flokli@flokli.de +Reviewed-by: Stefan Wahren +Fixes: a54fe8a6cf66 ("ARM: dts: add Raspberry Pi Compute Module 3 and IO board") +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts b/arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts +index 3dfce4312dfc4..a2ef43c2105aa 100644 +--- a/arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts ++++ b/arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts +@@ -77,7 +77,7 @@ + }; + + &hdmi { +- hpd-gpios = <&expgpio 1 GPIO_ACTIVE_LOW>; ++ hpd-gpios = <&expgpio 0 GPIO_ACTIVE_LOW>; + power-domains = <&power RPI_POWER_DOMAIN_HDMI>; + status = "okay"; + }; +-- +2.43.0 + diff --git a/queue-5.4/arm64-probes-fix-uprobes-for-big-endian-kernels.patch b/queue-5.4/arm64-probes-fix-uprobes-for-big-endian-kernels.patch new file mode 100644 index 00000000000..323926796a4 --- /dev/null +++ b/queue-5.4/arm64-probes-fix-uprobes-for-big-endian-kernels.patch @@ -0,0 +1,176 @@ +From b9b1e743b1c71e13a23e34b82a9660184700800c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 16:58:48 +0100 +Subject: arm64: probes: Fix uprobes for big-endian kernels + +From: Mark Rutland + +[ Upstream commit 13f8f1e05f1dc36dbba6cba0ae03354c0dafcde7 ] + +The arm64 uprobes code is broken for big-endian kernels as it doesn't +convert the in-memory instruction encoding (which is always +little-endian) into the kernel's native endianness before analyzing and +simulating instructions. This may result in a few distinct problems: + +* The kernel may may erroneously reject probing an instruction which can + safely be probed. + +* The kernel may erroneously erroneously permit stepping an + instruction out-of-line when that instruction cannot be stepped + out-of-line safely. + +* The kernel may erroneously simulate instruction incorrectly dur to + interpretting the byte-swapped encoding. + +The endianness mismatch isn't caught by the compiler or sparse because: + +* The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so + the compiler and sparse have no idea these contain a little-endian + 32-bit value. The core uprobes code populates these with a memcpy() + which similarly does not handle endianness. + +* While the uprobe_opcode_t type is an alias for __le32, both + arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[] + to the similarly-named probe_opcode_t, which is an alias for u32. + Hence there is no endianness conversion warning. + +Fix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and +adding the appropriate __le32_to_cpu() conversions prior to consuming +the instruction encoding. The core uprobes copies these fields as opaque +ranges of bytes, and so is unaffected by this change. + +At the same time, remove MAX_UINSN_BYTES and consistently use +AARCH64_INSN_SIZE for clarity. + +Tested with the following: + +| #include +| #include +| +| #define noinline __attribute__((noinline)) +| +| static noinline void *adrp_self(void) +| { +| void *addr; +| +| asm volatile( +| " adrp %x0, adrp_self\n" +| " add %x0, %x0, :lo12:adrp_self\n" +| : "=r" (addr)); +| } +| +| +| int main(int argc, char *argv) +| { +| void *ptr = adrp_self(); +| bool equal = (ptr == adrp_self); +| +| printf("adrp_self => %p\n" +| "adrp_self() => %p\n" +| "%s\n", +| adrp_self, ptr, equal ? "EQUAL" : "NOT EQUAL"); +| +| return 0; +| } + +.... where the adrp_self() function was compiled to: + +| 00000000004007e0 : +| 4007e0: 90000000 adrp x0, 400000 <__ehdr_start> +| 4007e4: 911f8000 add x0, x0, #0x7e0 +| 4007e8: d65f03c0 ret + +Before this patch, the ADRP is not recognized, and is assumed to be +steppable, resulting in corruption of the result: + +| # ./adrp-self +| adrp_self => 0x4007e0 +| adrp_self() => 0x4007e0 +| EQUAL +| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events +| # echo 1 > /sys/kernel/tracing/events/uprobes/enable +| # ./adrp-self +| adrp_self => 0x4007e0 +| adrp_self() => 0xffffffffff7e0 +| NOT EQUAL + +After this patch, the ADRP is correctly recognized and simulated: + +| # ./adrp-self +| adrp_self => 0x4007e0 +| adrp_self() => 0x4007e0 +| EQUAL +| # +| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events +| # echo 1 > /sys/kernel/tracing/events/uprobes/enable +| # ./adrp-self +| adrp_self => 0x4007e0 +| adrp_self() => 0x4007e0 +| EQUAL + +Fixes: 9842ceae9fa8 ("arm64: Add uprobe support") +Cc: stable@vger.kernel.org +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Link: https://lore.kernel.org/r/20241008155851.801546-4-mark.rutland@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/uprobes.h | 8 +++----- + arch/arm64/kernel/probes/uprobes.c | 4 ++-- + 2 files changed, 5 insertions(+), 7 deletions(-) + +diff --git a/arch/arm64/include/asm/uprobes.h b/arch/arm64/include/asm/uprobes.h +index ba4bff5ca6749..98f29a43bfe89 100644 +--- a/arch/arm64/include/asm/uprobes.h ++++ b/arch/arm64/include/asm/uprobes.h +@@ -10,11 +10,9 @@ + #include + #include + +-#define MAX_UINSN_BYTES AARCH64_INSN_SIZE +- + #define UPROBE_SWBP_INSN cpu_to_le32(BRK64_OPCODE_UPROBES) + #define UPROBE_SWBP_INSN_SIZE AARCH64_INSN_SIZE +-#define UPROBE_XOL_SLOT_BYTES MAX_UINSN_BYTES ++#define UPROBE_XOL_SLOT_BYTES AARCH64_INSN_SIZE + + typedef u32 uprobe_opcode_t; + +@@ -23,8 +21,8 @@ struct arch_uprobe_task { + + struct arch_uprobe { + union { +- u8 insn[MAX_UINSN_BYTES]; +- u8 ixol[MAX_UINSN_BYTES]; ++ __le32 insn; ++ __le32 ixol; + }; + struct arch_probe_insn api; + bool simulate; +diff --git a/arch/arm64/kernel/probes/uprobes.c b/arch/arm64/kernel/probes/uprobes.c +index 2c247634552b1..8a02c549e57fd 100644 +--- a/arch/arm64/kernel/probes/uprobes.c ++++ b/arch/arm64/kernel/probes/uprobes.c +@@ -42,7 +42,7 @@ int arch_uprobe_analyze_insn(struct arch_uprobe *auprobe, struct mm_struct *mm, + else if (!IS_ALIGNED(addr, AARCH64_INSN_SIZE)) + return -EINVAL; + +- insn = *(probe_opcode_t *)(&auprobe->insn[0]); ++ insn = le32_to_cpu(auprobe->insn); + + switch (arm_probe_decode_insn(insn, &auprobe->api)) { + case INSN_REJECTED: +@@ -108,7 +108,7 @@ bool arch_uprobe_skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs) + if (!auprobe->simulate) + return false; + +- insn = *(probe_opcode_t *)(&auprobe->insn[0]); ++ insn = le32_to_cpu(auprobe->insn); + addr = instruction_pointer(regs); + + if (auprobe->api.handler) +-- +2.43.0 + diff --git a/queue-5.4/arm64-uprobe-fix-the-uprobe-swbp_insn-in-big-endian.patch b/queue-5.4/arm64-uprobe-fix-the-uprobe-swbp_insn-in-big-endian.patch new file mode 100644 index 00000000000..3b51cc33715 --- /dev/null +++ b/queue-5.4/arm64-uprobe-fix-the-uprobe-swbp_insn-in-big-endian.patch @@ -0,0 +1,96 @@ +From c68b34331279a950f45fd22efdc4e9bd19222135 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 15:11:10 +0800 +Subject: arm64:uprobe fix the uprobe SWBP_INSN in big-endian +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: junhua huang + +[ Upstream commit 60f07e22a73d318cddaafa5ef41a10476807cc07 ] + +We use uprobe in aarch64_be, which we found the tracee task would exit +due to SIGILL when we enable the uprobe trace. +We can see the replace inst from uprobe is not correct in aarch big-endian. +As in Armv8-A, instruction fetches are always treated as little-endian, +we should treat the UPROBE_SWBP_INSN as little-endian。 + +The test case is as following。 +bash-4.4# ./mqueue_test_aarchbe 1 1 2 1 10 > /dev/null & +bash-4.4# cd /sys/kernel/debug/tracing/ +bash-4.4# echo 'p:test /mqueue_test_aarchbe:0xc30 %x0 %x1' > uprobe_events +bash-4.4# echo 1 > events/uprobes/enable +bash-4.4# +bash-4.4# ps + PID TTY TIME CMD + 140 ? 00:00:01 bash + 237 ? 00:00:00 ps +[1]+ Illegal instruction ./mqueue_test_aarchbe 1 1 2 1 100 > /dev/null + +which we debug use gdb as following: + +bash-4.4# gdb attach 155 +(gdb) disassemble send +Dump of assembler code for function send: + 0x0000000000400c30 <+0>: .inst 0xa00020d4 ; undefined + 0x0000000000400c34 <+4>: mov x29, sp + 0x0000000000400c38 <+8>: str w0, [sp, #28] + 0x0000000000400c3c <+12>: strb w1, [sp, #27] + 0x0000000000400c40 <+16>: str xzr, [sp, #40] + 0x0000000000400c44 <+20>: str xzr, [sp, #48] + 0x0000000000400c48 <+24>: add x0, sp, #0x1b + 0x0000000000400c4c <+28>: mov w3, #0x0 // #0 + 0x0000000000400c50 <+32>: mov x2, #0x1 // #1 + 0x0000000000400c54 <+36>: mov x1, x0 + 0x0000000000400c58 <+40>: ldr w0, [sp, #28] + 0x0000000000400c5c <+44>: bl 0x405e10 + 0x0000000000400c60 <+48>: str w0, [sp, #60] + 0x0000000000400c64 <+52>: ldr w0, [sp, #60] + 0x0000000000400c68 <+56>: ldp x29, x30, [sp], #64 + 0x0000000000400c6c <+60>: ret +End of assembler dump. +(gdb) info b +No breakpoints or watchpoints. +(gdb) c +Continuing. + +Program received signal SIGILL, Illegal instruction. +0x0000000000400c30 in send () +(gdb) x/10x 0x400c30 +0x400c30 : 0xd42000a0 0xfd030091 0xe01f00b9 0xe16f0039 +0x400c40 : 0xff1700f9 0xff1b00f9 0xe06f0091 0x03008052 +0x400c50 : 0x220080d2 0xe10300aa +(gdb) disassemble 0x400c30 +Dump of assembler code for function send: +=> 0x0000000000400c30 <+0>: .inst 0xa00020d4 ; undefined + 0x0000000000400c34 <+4>: mov x29, sp + 0x0000000000400c38 <+8>: str w0, [sp, #28] + 0x0000000000400c3c <+12>: strb w1, [sp, #27] + 0x0000000000400c40 <+16>: str xzr, [sp, #40] + +Signed-off-by: junhua huang +Link: https://lore.kernel.org/r/202212021511106844809@zte.com.cn +Signed-off-by: Will Deacon +Stable-dep-of: 13f8f1e05f1d ("arm64: probes: Fix uprobes for big-endian kernels") +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/uprobes.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/uprobes.h b/arch/arm64/include/asm/uprobes.h +index 315eef654e39a..ba4bff5ca6749 100644 +--- a/arch/arm64/include/asm/uprobes.h ++++ b/arch/arm64/include/asm/uprobes.h +@@ -12,7 +12,7 @@ + + #define MAX_UINSN_BYTES AARCH64_INSN_SIZE + +-#define UPROBE_SWBP_INSN BRK64_OPCODE_UPROBES ++#define UPROBE_SWBP_INSN cpu_to_le32(BRK64_OPCODE_UPROBES) + #define UPROBE_SWBP_INSN_SIZE AARCH64_INSN_SIZE + #define UPROBE_XOL_SLOT_BYTES MAX_UINSN_BYTES + +-- +2.43.0 + diff --git a/queue-5.4/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch b/queue-5.4/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch new file mode 100644 index 00000000000..41cdb97acb2 --- /dev/null +++ b/queue-5.4/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch @@ -0,0 +1,50 @@ +From 13b9d26cfe3f033871d57f771658f120c0c9abd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 17:07:08 +0800 +Subject: Bluetooth: bnep: fix wild-memory-access in proto_unregister + +From: Ye Bin + +[ Upstream commit 64a90991ba8d4e32e3173ddd83d0b24167a5668c ] + +There's issue as follows: + KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f] + CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W + RIP: 0010:proto_unregister+0xee/0x400 + Call Trace: + + __do_sys_delete_module+0x318/0x580 + do_syscall_64+0xc1/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init() +will cleanup all resource. Then when remove bnep module will call +bnep_sock_cleanup() to cleanup sock's resource. +To solve above issue just return bnep_sock_init()'s return value in +bnep_exit(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Ye Bin +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/bnep/core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c +index 089160361dded..d05beafd29527 100644 +--- a/net/bluetooth/bnep/core.c ++++ b/net/bluetooth/bnep/core.c +@@ -745,8 +745,7 @@ static int __init bnep_init(void) + if (flt[0]) + BT_INFO("BNEP filters: %s", flt); + +- bnep_sock_init(); +- return 0; ++ return bnep_sock_init(); + } + + static void __exit bnep_exit(void) +-- +2.43.0 + diff --git a/queue-5.4/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch b/queue-5.4/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch new file mode 100644 index 00000000000..1fecbad3dfe --- /dev/null +++ b/queue-5.4/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch @@ -0,0 +1,47 @@ +From b6e43c7aebf365eb2bbbf4b2ee58dbe5660db124 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 01:01:49 -0400 +Subject: drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate + calculation + +From: Jonathan Marek + +[ Upstream commit 358b762400bd94db2a14a72dfcef74c7da6bd845 ] + +When (mode->clock * 1000) is larger than (1<<31), int to unsigned long +conversion will sign extend the int to 64 bits and the pclk_rate value +will be incorrect. + +Fix this by making the result of the multiplication unsigned. + +Note that above (1<<32) would still be broken and require more changes, but +its unlikely anyone will need that anytime soon. + +Fixes: c4d8cfe516dc ("drm/msm/dsi: add implementation for helper functions") +Signed-off-by: Jonathan Marek +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/618434/ +Link: https://lore.kernel.org/r/20241007050157.26855-2-jonathan@marek.ca +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index 419cad31830ea..41b68047bf61b 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -663,7 +663,7 @@ static u32 dsi_get_pclk_rate(struct msm_dsi_host *msm_host, bool is_dual_dsi) + struct drm_display_mode *mode = msm_host->mode; + u32 pclk_rate; + +- pclk_rate = mode->clock * 1000; ++ pclk_rate = mode->clock * 1000u; + + /* + * For dual DSI mode, the current DRM mode has the complete width of the +-- +2.43.0 + diff --git a/queue-5.4/genetlink-hold-rcu-in-genlmsg_mcast.patch b/queue-5.4/genetlink-hold-rcu-in-genlmsg_mcast.patch new file mode 100644 index 00000000000..743155db7fd --- /dev/null +++ b/queue-5.4/genetlink-hold-rcu-in-genlmsg_mcast.patch @@ -0,0 +1,241 @@ +From ebdd3e0e3f50f025619677dd64642224523e1f86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 17:12:17 +0000 +Subject: genetlink: hold RCU in genlmsg_mcast() + +From: Eric Dumazet + +[ Upstream commit 56440d7ec28d60f8da3bfa09062b3368ff9b16db ] + +While running net selftests with CONFIG_PROVE_RCU_LIST=y I saw +one lockdep splat [1]. + +genlmsg_mcast() uses for_each_net_rcu(), and must therefore hold RCU. + +Instead of letting all callers guard genlmsg_multicast_allns() +with a rcu_read_lock()/rcu_read_unlock() pair, do it in genlmsg_mcast(). + +This also means the @flags parameter is useless, we need to always use +GFP_ATOMIC. + +[1] +[10882.424136] ============================= +[10882.424166] WARNING: suspicious RCU usage +[10882.424309] 6.12.0-rc2-virtme #1156 Not tainted +[10882.424400] ----------------------------- +[10882.424423] net/netlink/genetlink.c:1940 RCU-list traversed in non-reader section!! +[10882.424469] +other info that might help us debug this: + +[10882.424500] +rcu_scheduler_active = 2, debug_locks = 1 +[10882.424744] 2 locks held by ip/15677: +[10882.424791] #0: ffffffffb6b491b0 (cb_lock){++++}-{3:3}, at: genl_rcv (net/netlink/genetlink.c:1219) +[10882.426334] #1: ffffffffb6b49248 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg (net/netlink/genetlink.c:61 net/netlink/genetlink.c:57 net/netlink/genetlink.c:1209) +[10882.426465] +stack backtrace: +[10882.426805] CPU: 14 UID: 0 PID: 15677 Comm: ip Not tainted 6.12.0-rc2-virtme #1156 +[10882.426919] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[10882.427046] Call Trace: +[10882.427131] +[10882.427244] dump_stack_lvl (lib/dump_stack.c:123) +[10882.427335] lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822) +[10882.427387] genlmsg_multicast_allns (net/netlink/genetlink.c:1940 (discriminator 7) net/netlink/genetlink.c:1977 (discriminator 7)) +[10882.427436] l2tp_tunnel_notify.constprop.0 (net/l2tp/l2tp_netlink.c:119) l2tp_netlink +[10882.427683] l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:253) l2tp_netlink +[10882.427748] genl_family_rcv_msg_doit (net/netlink/genetlink.c:1115) +[10882.427834] genl_rcv_msg (net/netlink/genetlink.c:1195 net/netlink/genetlink.c:1210) +[10882.427877] ? __pfx_l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:186) l2tp_netlink +[10882.427927] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1201) +[10882.427959] netlink_rcv_skb (net/netlink/af_netlink.c:2551) +[10882.428069] genl_rcv (net/netlink/genetlink.c:1220) +[10882.428095] netlink_unicast (net/netlink/af_netlink.c:1332 net/netlink/af_netlink.c:1357) +[10882.428140] netlink_sendmsg (net/netlink/af_netlink.c:1901) +[10882.428210] ____sys_sendmsg (net/socket.c:729 (discriminator 1) net/socket.c:744 (discriminator 1) net/socket.c:2607 (discriminator 1)) + +Fixes: 33f72e6f0c67 ("l2tp : multicast notification to the registered listeners") +Signed-off-by: Eric Dumazet +Cc: James Chapman +Cc: Tom Parkin +Cc: Johannes Berg +Link: https://patch.msgid.link/20241011171217.3166614-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_user.c | 2 +- + include/net/genetlink.h | 3 +-- + net/l2tp/l2tp_netlink.c | 4 ++-- + net/netlink/genetlink.c | 28 ++++++++++++++-------------- + net/wireless/nl80211.c | 8 ++------ + 5 files changed, 20 insertions(+), 25 deletions(-) + +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c +index 077c56cbed4e1..aa187672cf99e 100644 +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -1788,7 +1788,7 @@ static int tcmu_netlink_event_send(struct tcmu_dev *udev, + } + + ret = genlmsg_multicast_allns(&tcmu_genl_family, skb, 0, +- TCMU_MCGRP_CONFIG, GFP_KERNEL); ++ TCMU_MCGRP_CONFIG); + + /* Wait during an add as the listener may not be up yet */ + if (ret == 0 || +diff --git a/include/net/genetlink.h b/include/net/genetlink.h +index 2d52776def52c..19d51689a8212 100644 +--- a/include/net/genetlink.h ++++ b/include/net/genetlink.h +@@ -299,13 +299,12 @@ static inline int genlmsg_multicast(const struct genl_family *family, + * @skb: netlink message as socket buffer + * @portid: own netlink portid to avoid sending to yourself + * @group: offset of multicast group in groups array +- * @flags: allocation flags + * + * This function must hold the RTNL or rcu_read_lock(). + */ + int genlmsg_multicast_allns(const struct genl_family *family, + struct sk_buff *skb, u32 portid, +- unsigned int group, gfp_t flags); ++ unsigned int group); + + /** + * genlmsg_unicast - unicast a netlink message +diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c +index ebb381c3f1b99..733f59822f8f8 100644 +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -117,7 +117,7 @@ static int l2tp_tunnel_notify(struct genl_family *family, + NLM_F_ACK, tunnel, cmd); + + if (ret >= 0) { +- ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC); ++ ret = genlmsg_multicast_allns(family, msg, 0, 0); + /* We don't care if no one is listening */ + if (ret == -ESRCH) + ret = 0; +@@ -145,7 +145,7 @@ static int l2tp_session_notify(struct genl_family *family, + NLM_F_ACK, session, cmd); + + if (ret >= 0) { +- ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC); ++ ret = genlmsg_multicast_allns(family, msg, 0, 0); + /* We don't care if no one is listening */ + if (ret == -ESRCH) + ret = 0; +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c +index a03e16e06e29d..e56994104eed4 100644 +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -949,15 +949,11 @@ static int genl_ctrl_event(int event, const struct genl_family *family, + if (IS_ERR(msg)) + return PTR_ERR(msg); + +- if (!family->netnsok) { ++ if (!family->netnsok) + genlmsg_multicast_netns(&genl_ctrl, &init_net, msg, 0, + 0, GFP_KERNEL); +- } else { +- rcu_read_lock(); +- genlmsg_multicast_allns(&genl_ctrl, msg, 0, +- 0, GFP_ATOMIC); +- rcu_read_unlock(); +- } ++ else ++ genlmsg_multicast_allns(&genl_ctrl, msg, 0, 0); + + return 0; + } +@@ -1093,23 +1089,23 @@ struct nlattr **genl_family_attrbuf(const struct genl_family *family) + } + EXPORT_SYMBOL(genl_family_attrbuf); + +-static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group, +- gfp_t flags) ++static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group) + { + struct sk_buff *tmp; + struct net *net, *prev = NULL; + bool delivered = false; + int err; + ++ rcu_read_lock(); + for_each_net_rcu(net) { + if (prev) { +- tmp = skb_clone(skb, flags); ++ tmp = skb_clone(skb, GFP_ATOMIC); + if (!tmp) { + err = -ENOMEM; + goto error; + } + err = nlmsg_multicast(prev->genl_sock, tmp, +- portid, group, flags); ++ portid, group, GFP_ATOMIC); + if (!err) + delivered = true; + else if (err != -ESRCH) +@@ -1118,26 +1114,30 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group, + + prev = net; + } ++ err = nlmsg_multicast(prev->genl_sock, skb, portid, group, GFP_ATOMIC); ++ ++ rcu_read_unlock(); + +- err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags); + if (!err) + delivered = true; + else if (err != -ESRCH) + return err; + return delivered ? 0 : -ESRCH; + error: ++ rcu_read_unlock(); ++ + kfree_skb(skb); + return err; + } + + int genlmsg_multicast_allns(const struct genl_family *family, + struct sk_buff *skb, u32 portid, +- unsigned int group, gfp_t flags) ++ unsigned int group) + { + if (WARN_ON_ONCE(group >= family->n_mcgrps)) + return -EINVAL; + group = family->mcgrp_offset + group; +- return genlmsg_mcast(skb, portid, group, flags); ++ return genlmsg_mcast(skb, portid, group); + } + EXPORT_SYMBOL(genlmsg_multicast_allns); + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 77edb69384637..a27b2fae4843f 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -15072,10 +15072,8 @@ void nl80211_common_reg_change_event(enum nl80211_commands cmd_id, + + genlmsg_end(msg, hdr); + +- rcu_read_lock(); + genlmsg_multicast_allns(&nl80211_fam, msg, 0, +- NL80211_MCGRP_REGULATORY, GFP_ATOMIC); +- rcu_read_unlock(); ++ NL80211_MCGRP_REGULATORY); + + return; + +@@ -15574,10 +15572,8 @@ void nl80211_send_beacon_hint_event(struct wiphy *wiphy, + + genlmsg_end(msg, hdr); + +- rcu_read_lock(); + genlmsg_multicast_allns(&nl80211_fam, msg, 0, +- NL80211_MCGRP_REGULATORY, GFP_ATOMIC); +- rcu_read_unlock(); ++ NL80211_MCGRP_REGULATORY); + + return; + +-- +2.43.0 + diff --git a/queue-5.4/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch b/queue-5.4/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch new file mode 100644 index 00000000000..38e6d7ee5af --- /dev/null +++ b/queue-5.4/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch @@ -0,0 +1,112 @@ +From b0ba299f80df0e47f3d39c4fa4d49ae05a699ba1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 14:47:13 -0400 +Subject: ipv4: give an IPv4 dev to blackhole_netdev + +From: Xin Long + +[ Upstream commit 22600596b6756b166fd052d5facb66287e6f0bad ] + +After commit 8d7017fd621d ("blackhole_netdev: use blackhole_netdev to +invalidate dst entries"), blackhole_netdev was introduced to invalidate +dst cache entries on the TX path whenever the cache times out or is +flushed. + +When two UDP sockets (sk1 and sk2) send messages to the same destination +simultaneously, they are using the same dst cache. If the dst cache is +invalidated on one path (sk2) while the other (sk1) is still transmitting, +sk1 may try to use the invalid dst entry. + + CPU1 CPU2 + + udp_sendmsg(sk1) udp_sendmsg(sk2) + udp_send_skb() + ip_output() + <--- dst timeout or flushed + dst_dev_put() + ip_finish_output2() + ip_neigh_for_gw() + +This results in a scenario where ip_neigh_for_gw() returns -EINVAL because +blackhole_dev lacks an in_dev, which is needed to initialize the neigh in +arp_constructor(). This error is then propagated back to userspace, +breaking the UDP application. + +The patch fixes this issue by assigning an in_dev to blackhole_dev for +IPv4, similar to what was done for IPv6 in commit e5f80fcf869a ("ipv6: +give an IPv6 dev to blackhole_netdev"). This ensures that even when the +dst entry is invalidated with blackhole_dev, it will not fail to create +the neigh entry. + +As devinet_init() is called ealier than blackhole_netdev_init() in system +booting, it can not assign the in_dev to blackhole_dev in devinet_init(). +As Paolo suggested, add a separate late_initcall() in devinet.c to ensure +inet_blackhole_dev_init() is called after blackhole_netdev_init(). + +Fixes: 8d7017fd621d ("blackhole_netdev: use blackhole_netdev to invalidate dst entries") +Signed-off-by: Xin Long +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/3000792d45ca44e16c785ebe2b092e610e5b3df1.1728499633.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 35 +++++++++++++++++++++++++---------- + 1 file changed, 25 insertions(+), 10 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index dec884bf73f05..9910844c890ba 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -273,17 +273,19 @@ static struct in_device *inetdev_init(struct net_device *dev) + /* Account for reference dev->ip_ptr (below) */ + refcount_set(&in_dev->refcnt, 1); + +- err = devinet_sysctl_register(in_dev); +- if (err) { +- in_dev->dead = 1; +- neigh_parms_release(&arp_tbl, in_dev->arp_parms); +- in_dev_put(in_dev); +- in_dev = NULL; +- goto out; ++ if (dev != blackhole_netdev) { ++ err = devinet_sysctl_register(in_dev); ++ if (err) { ++ in_dev->dead = 1; ++ neigh_parms_release(&arp_tbl, in_dev->arp_parms); ++ in_dev_put(in_dev); ++ in_dev = NULL; ++ goto out; ++ } ++ ip_mc_init_dev(in_dev); ++ if (dev->flags & IFF_UP) ++ ip_mc_up(in_dev); + } +- ip_mc_init_dev(in_dev); +- if (dev->flags & IFF_UP) +- ip_mc_up(in_dev); + + /* we can receive as soon as ip_ptr is set -- do this last */ + rcu_assign_pointer(dev->ip_ptr, in_dev); +@@ -328,6 +330,19 @@ static void inetdev_destroy(struct in_device *in_dev) + call_rcu(&in_dev->rcu_head, in_dev_rcu_put); + } + ++static int __init inet_blackhole_dev_init(void) ++{ ++ int err = 0; ++ ++ rtnl_lock(); ++ if (!inetdev_init(blackhole_netdev)) ++ err = -ENOMEM; ++ rtnl_unlock(); ++ ++ return err; ++} ++late_initcall(inet_blackhole_dev_init); ++ + int inet_addr_onlink(struct in_device *in_dev, __be32 a, __be32 b) + { + const struct in_ifaddr *ifa; +-- +2.43.0 + diff --git a/queue-5.4/kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch b/queue-5.4/kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch new file mode 100644 index 00000000000..a6360a5525e --- /dev/null +++ b/queue-5.4/kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch @@ -0,0 +1,125 @@ +From 4ec875243403f7329718f322210b4be8380adb3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Sep 2024 17:18:33 +0200 +Subject: KVM: s390: gaccess: Check if guest address is in memslot + +From: Nico Boehr + +[ Upstream commit e8061f06185be0a06a73760d6526b8b0feadfe52 ] + +Previously, access_guest_page() did not check whether the given guest +address is inside of a memslot. This is not a problem, since +kvm_write_guest_page/kvm_read_guest_page return -EFAULT in this case. + +However, -EFAULT is also returned when copy_to/from_user fails. + +When emulating a guest instruction, the address being outside a memslot +usually means that an addressing exception should be injected into the +guest. + +Failure in copy_to/from_user however indicates that something is wrong +in userspace and hence should be handled there. + +To be able to distinguish these two cases, return PGM_ADDRESSING in +access_guest_page() when the guest address is outside guest memory. In +access_guest_real(), populate vcpu->arch.pgm.code such that +kvm_s390_inject_prog_cond() can be used in the caller for injecting into +the guest (if applicable). + +Since this adds a new return value to access_guest_page(), we need to make +sure that other callers are not confused by the new positive return value. + +There are the following users of access_guest_page(): +- access_guest_with_key() does the checking itself (in + guest_range_to_gpas()), so this case should never happen. Even if, the + handling is set up properly. +- access_guest_real() just passes the return code to its callers, which + are: + - read_guest_real() - see below + - write_guest_real() - see below + +There are the following users of read_guest_real(): +- ar_translation() in gaccess.c which already returns PGM_* +- setup_apcb10(), setup_apcb00(), setup_apcb11() in vsie.c which always + return -EFAULT on read_guest_read() nonzero return - no change +- shadow_crycb(), handle_stfle() always present this as validity, this + could be handled better but doesn't change current behaviour - no change + +There are the following users of write_guest_real(): +- kvm_s390_store_status_unloaded() always returns -EFAULT on + write_guest_real() failure. + +Fixes: 2293897805c2 ("KVM: s390: add architecture compliant guest access functions") +Cc: stable@vger.kernel.org +Signed-off-by: Nico Boehr +Reviewed-by: Heiko Carstens +Link: https://lore.kernel.org/r/20240917151904.74314-2-nrb@linux.ibm.com +Acked-by: Janosch Frank +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/gaccess.c | 4 ++++ + arch/s390/kvm/gaccess.h | 14 ++++++++------ + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c +index 6ba82fe0776f8..11ddac5e3e923 100644 +--- a/arch/s390/kvm/gaccess.c ++++ b/arch/s390/kvm/gaccess.c +@@ -873,6 +873,8 @@ static int access_guest_page(struct kvm *kvm, enum gacc_mode mode, gpa_t gpa, + const gfn_t gfn = gpa_to_gfn(gpa); + int rc; + ++ if (!gfn_to_memslot(kvm, gfn)) ++ return PGM_ADDRESSING; + if (mode == GACC_STORE) + rc = kvm_write_guest_page(kvm, gfn, data, offset, len); + else +@@ -936,6 +938,8 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, + gra += fragment_len; + data += fragment_len; + } ++ if (rc > 0) ++ vcpu->arch.pgm.code = rc; + return rc; + } + +diff --git a/arch/s390/kvm/gaccess.h b/arch/s390/kvm/gaccess.h +index 4c56de5429608..6c97cde8623a4 100644 +--- a/arch/s390/kvm/gaccess.h ++++ b/arch/s390/kvm/gaccess.h +@@ -344,11 +344,12 @@ int read_guest_abs(struct kvm_vcpu *vcpu, unsigned long gpa, void *data, + * @len: number of bytes to copy + * + * Copy @len bytes from @data (kernel space) to @gra (guest real address). +- * It is up to the caller to ensure that the entire guest memory range is +- * valid memory before calling this function. + * Guest low address and key protection are not checked. + * +- * Returns zero on success or -EFAULT on error. ++ * Returns zero on success, -EFAULT when copying from @data failed, or ++ * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info ++ * is also stored to allow injecting into the guest (if applicable) using ++ * kvm_s390_inject_prog_cond(). + * + * If an error occurs data may have been copied partially to guest memory. + */ +@@ -367,11 +368,12 @@ int write_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, void *data, + * @len: number of bytes to copy + * + * Copy @len bytes from @gra (guest real address) to @data (kernel space). +- * It is up to the caller to ensure that the entire guest memory range is +- * valid memory before calling this function. + * Guest key protection is not checked. + * +- * Returns zero on success or -EFAULT on error. ++ * Returns zero on success, -EFAULT when copying to @data failed, or ++ * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info ++ * is also stored to allow injecting into the guest (if applicable) using ++ * kvm_s390_inject_prog_cond(). + * + * If an error occurs data may have been copied partially to kernel space. + */ +-- +2.43.0 + diff --git a/queue-5.4/kvm-s390-gaccess-cleanup-access-to-guest-pages.patch b/queue-5.4/kvm-s390-gaccess-cleanup-access-to-guest-pages.patch new file mode 100644 index 00000000000..309b8bb02cd --- /dev/null +++ b/queue-5.4/kvm-s390-gaccess-cleanup-access-to-guest-pages.patch @@ -0,0 +1,75 @@ +From 94ec6fde8f87bdc73488ec3a6658c2c93eab8502 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Nov 2021 17:45:49 +0100 +Subject: KVM: s390: gaccess: Cleanup access to guest pages + +From: Janis Schoetterl-Glausch + +[ Upstream commit bad13799e0305deb258372b7298a86be4c78aaba ] + +Introduce a helper function for guest frame access. + +Signed-off-by: Janis Schoetterl-Glausch +Reviewed-by: Janosch Frank +Reviewed-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Message-Id: <20211126164549.7046-4-scgl@linux.ibm.com> +Signed-off-by: Janosch Frank +Stable-dep-of: e8061f06185b ("KVM: s390: gaccess: Check if guest address is in memslot") +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/gaccess.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c +index d4fe5db5984dd..6ba82fe0776f8 100644 +--- a/arch/s390/kvm/gaccess.c ++++ b/arch/s390/kvm/gaccess.c +@@ -866,6 +866,20 @@ static int guest_range_to_gpas(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, + return 0; + } + ++static int access_guest_page(struct kvm *kvm, enum gacc_mode mode, gpa_t gpa, ++ void *data, unsigned int len) ++{ ++ const unsigned int offset = offset_in_page(gpa); ++ const gfn_t gfn = gpa_to_gfn(gpa); ++ int rc; ++ ++ if (mode == GACC_STORE) ++ rc = kvm_write_guest_page(kvm, gfn, data, offset, len); ++ else ++ rc = kvm_read_guest_page(kvm, gfn, data, offset, len); ++ return rc; ++} ++ + int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + unsigned long len, enum gacc_mode mode) + { +@@ -896,10 +910,7 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + rc = guest_range_to_gpas(vcpu, ga, ar, gpas, len, asce, mode); + for (idx = 0; idx < nr_pages && !rc; idx++) { + fragment_len = min(PAGE_SIZE - offset_in_page(gpas[idx]), len); +- if (mode == GACC_STORE) +- rc = kvm_write_guest(vcpu->kvm, gpas[idx], data, fragment_len); +- else +- rc = kvm_read_guest(vcpu->kvm, gpas[idx], data, fragment_len); ++ rc = access_guest_page(vcpu->kvm, mode, gpas[idx], data, fragment_len); + len -= fragment_len; + data += fragment_len; + } +@@ -920,10 +931,7 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, + while (len && !rc) { + gpa = kvm_s390_real_to_abs(vcpu, gra); + fragment_len = min(PAGE_SIZE - offset_in_page(gpa), len); +- if (mode) +- rc = write_guest_abs(vcpu, gpa, data, fragment_len); +- else +- rc = read_guest_abs(vcpu, gpa, data, fragment_len); ++ rc = access_guest_page(vcpu->kvm, mode, gpa, data, fragment_len); + len -= fragment_len; + gra += fragment_len; + data += fragment_len; +-- +2.43.0 + diff --git a/queue-5.4/kvm-s390-gaccess-refactor-access-address-range-check.patch b/queue-5.4/kvm-s390-gaccess-refactor-access-address-range-check.patch new file mode 100644 index 00000000000..86d86d18201 --- /dev/null +++ b/queue-5.4/kvm-s390-gaccess-refactor-access-address-range-check.patch @@ -0,0 +1,233 @@ +From a42fb1d7666abe368d2b57ef076664ba5c54ec1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Nov 2021 17:45:48 +0100 +Subject: KVM: s390: gaccess: Refactor access address range check + +From: Janis Schoetterl-Glausch + +[ Upstream commit 7faa543df19bf62d4583a64d3902705747f2ad29 ] + +Do not round down the first address to the page boundary, just translate +it normally, which gives the value we care about in the first place. +Given this, translating a single address is just the special case of +translating a range spanning a single page. + +Make the output optional, so the function can be used to just check a +range. + +Signed-off-by: Janis Schoetterl-Glausch +Reviewed-by: Janosch Frank +Reviewed-by: Claudio Imbrenda +Message-Id: <20211126164549.7046-3-scgl@linux.ibm.com> +Signed-off-by: Janosch Frank +Stable-dep-of: e8061f06185b ("KVM: s390: gaccess: Check if guest address is in memslot") +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/gaccess.c | 122 +++++++++++++++++++++++----------------- + 1 file changed, 69 insertions(+), 53 deletions(-) + +diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c +index b184749ffc5ae..d4fe5db5984dd 100644 +--- a/arch/s390/kvm/gaccess.c ++++ b/arch/s390/kvm/gaccess.c +@@ -794,35 +794,74 @@ static int low_address_protection_enabled(struct kvm_vcpu *vcpu, + return 1; + } + +-static int guest_page_range(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, +- unsigned long *pages, unsigned long nr_pages, +- const union asce asce, enum gacc_mode mode) ++/** ++ * guest_range_to_gpas() - Calculate guest physical addresses of page fragments ++ * covering a logical range ++ * @vcpu: virtual cpu ++ * @ga: guest address, start of range ++ * @ar: access register ++ * @gpas: output argument, may be NULL ++ * @len: length of range in bytes ++ * @asce: address-space-control element to use for translation ++ * @mode: access mode ++ * ++ * Translate a logical range to a series of guest absolute addresses, ++ * such that the concatenation of page fragments starting at each gpa make up ++ * the whole range. ++ * The translation is performed as if done by the cpu for the given @asce, @ar, ++ * @mode and state of the @vcpu. ++ * If the translation causes an exception, its program interruption code is ++ * returned and the &struct kvm_s390_pgm_info pgm member of @vcpu is modified ++ * such that a subsequent call to kvm_s390_inject_prog_vcpu() will inject ++ * a correct exception into the guest. ++ * The resulting gpas are stored into @gpas, unless it is NULL. ++ * ++ * Note: All fragments except the first one start at the beginning of a page. ++ * When deriving the boundaries of a fragment from a gpa, all but the last ++ * fragment end at the end of the page. ++ * ++ * Return: ++ * * 0 - success ++ * * <0 - translation could not be performed, for example if guest ++ * memory could not be accessed ++ * * >0 - an access exception occurred. In this case the returned value ++ * is the program interruption code and the contents of pgm may ++ * be used to inject an exception into the guest. ++ */ ++static int guest_range_to_gpas(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, ++ unsigned long *gpas, unsigned long len, ++ const union asce asce, enum gacc_mode mode) + { + psw_t *psw = &vcpu->arch.sie_block->gpsw; ++ unsigned int offset = offset_in_page(ga); ++ unsigned int fragment_len; + int lap_enabled, rc = 0; + enum prot_type prot; ++ unsigned long gpa; + + lap_enabled = low_address_protection_enabled(vcpu, asce); +- while (nr_pages) { ++ while (min(PAGE_SIZE - offset, len) > 0) { ++ fragment_len = min(PAGE_SIZE - offset, len); + ga = kvm_s390_logical_to_effective(vcpu, ga); + if (mode == GACC_STORE && lap_enabled && is_low_address(ga)) + return trans_exc(vcpu, PGM_PROTECTION, ga, ar, mode, + PROT_TYPE_LA); +- ga &= PAGE_MASK; + if (psw_bits(*psw).dat) { +- rc = guest_translate(vcpu, ga, pages, asce, mode, &prot); ++ rc = guest_translate(vcpu, ga, &gpa, asce, mode, &prot); + if (rc < 0) + return rc; + } else { +- *pages = kvm_s390_real_to_abs(vcpu, ga); +- if (kvm_is_error_gpa(vcpu->kvm, *pages)) ++ gpa = kvm_s390_real_to_abs(vcpu, ga); ++ if (kvm_is_error_gpa(vcpu->kvm, gpa)) + rc = PGM_ADDRESSING; + } + if (rc) + return trans_exc(vcpu, rc, ga, ar, mode, prot); +- ga += PAGE_SIZE; +- pages++; +- nr_pages--; ++ if (gpas) ++ *gpas++ = gpa; ++ offset = 0; ++ ga += fragment_len; ++ len -= fragment_len; + } + return 0; + } +@@ -831,10 +870,10 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + unsigned long len, enum gacc_mode mode) + { + psw_t *psw = &vcpu->arch.sie_block->gpsw; +- unsigned long nr_pages, gpa, idx; +- unsigned long pages_array[2]; ++ unsigned long nr_pages, idx; ++ unsigned long gpa_array[2]; + unsigned int fragment_len; +- unsigned long *pages; ++ unsigned long *gpas; + int need_ipte_lock; + union asce asce; + int rc; +@@ -846,30 +885,28 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + if (rc) + return rc; + nr_pages = (((ga & ~PAGE_MASK) + len - 1) >> PAGE_SHIFT) + 1; +- pages = pages_array; +- if (nr_pages > ARRAY_SIZE(pages_array)) +- pages = vmalloc(array_size(nr_pages, sizeof(unsigned long))); +- if (!pages) ++ gpas = gpa_array; ++ if (nr_pages > ARRAY_SIZE(gpa_array)) ++ gpas = vmalloc(array_size(nr_pages, sizeof(unsigned long))); ++ if (!gpas) + return -ENOMEM; + need_ipte_lock = psw_bits(*psw).dat && !asce.r; + if (need_ipte_lock) + ipte_lock(vcpu); +- rc = guest_page_range(vcpu, ga, ar, pages, nr_pages, asce, mode); ++ rc = guest_range_to_gpas(vcpu, ga, ar, gpas, len, asce, mode); + for (idx = 0; idx < nr_pages && !rc; idx++) { +- gpa = pages[idx] + offset_in_page(ga); +- fragment_len = min(PAGE_SIZE - offset_in_page(gpa), len); ++ fragment_len = min(PAGE_SIZE - offset_in_page(gpas[idx]), len); + if (mode == GACC_STORE) +- rc = kvm_write_guest(vcpu->kvm, gpa, data, fragment_len); ++ rc = kvm_write_guest(vcpu->kvm, gpas[idx], data, fragment_len); + else +- rc = kvm_read_guest(vcpu->kvm, gpa, data, fragment_len); ++ rc = kvm_read_guest(vcpu->kvm, gpas[idx], data, fragment_len); + len -= fragment_len; +- ga += fragment_len; + data += fragment_len; + } + if (need_ipte_lock) + ipte_unlock(vcpu); +- if (nr_pages > ARRAY_SIZE(pages_array)) +- vfree(pages); ++ if (nr_pages > ARRAY_SIZE(gpa_array)) ++ vfree(gpas); + return rc; + } + +@@ -906,8 +943,6 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, + int guest_translate_address(struct kvm_vcpu *vcpu, unsigned long gva, u8 ar, + unsigned long *gpa, enum gacc_mode mode) + { +- psw_t *psw = &vcpu->arch.sie_block->gpsw; +- enum prot_type prot; + union asce asce; + int rc; + +@@ -915,23 +950,7 @@ int guest_translate_address(struct kvm_vcpu *vcpu, unsigned long gva, u8 ar, + rc = get_vcpu_asce(vcpu, &asce, gva, ar, mode); + if (rc) + return rc; +- if (is_low_address(gva) && low_address_protection_enabled(vcpu, asce)) { +- if (mode == GACC_STORE) +- return trans_exc(vcpu, PGM_PROTECTION, gva, 0, +- mode, PROT_TYPE_LA); +- } +- +- if (psw_bits(*psw).dat && !asce.r) { /* Use DAT? */ +- rc = guest_translate(vcpu, gva, gpa, asce, mode, &prot); +- if (rc > 0) +- return trans_exc(vcpu, rc, gva, 0, mode, prot); +- } else { +- *gpa = kvm_s390_real_to_abs(vcpu, gva); +- if (kvm_is_error_gpa(vcpu->kvm, *gpa)) +- return trans_exc(vcpu, rc, gva, PGM_ADDRESSING, mode, 0); +- } +- +- return rc; ++ return guest_range_to_gpas(vcpu, gva, ar, gpa, 1, asce, mode); + } + + /** +@@ -940,17 +959,14 @@ int guest_translate_address(struct kvm_vcpu *vcpu, unsigned long gva, u8 ar, + int check_gva_range(struct kvm_vcpu *vcpu, unsigned long gva, u8 ar, + unsigned long length, enum gacc_mode mode) + { +- unsigned long gpa; +- unsigned long currlen; ++ union asce asce; + int rc = 0; + ++ rc = get_vcpu_asce(vcpu, &asce, gva, ar, mode); ++ if (rc) ++ return rc; + ipte_lock(vcpu); +- while (length > 0 && !rc) { +- currlen = min(length, PAGE_SIZE - (gva % PAGE_SIZE)); +- rc = guest_translate_address(vcpu, gva, ar, &gpa, mode); +- gva += currlen; +- length -= currlen; +- } ++ rc = guest_range_to_gpas(vcpu, gva, ar, NULL, length, asce, mode); + ipte_unlock(vcpu); + + return rc; +-- +2.43.0 + diff --git a/queue-5.4/kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch b/queue-5.4/kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch new file mode 100644 index 00000000000..58f5acd396f --- /dev/null +++ b/queue-5.4/kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch @@ -0,0 +1,93 @@ +From ac0a14f6c58b22f0ea3eadb9e1a4a0096742c4e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Nov 2021 17:45:47 +0100 +Subject: KVM: s390: gaccess: Refactor gpa and length calculation + +From: Janis Schoetterl-Glausch + +[ Upstream commit 416e7f0c9d613bf84e182eba9547ae8f9f5bfa4c ] + +Improve readability by renaming the length variable and +not calculating the offset manually. + +Signed-off-by: Janis Schoetterl-Glausch +Reviewed-by: Janosch Frank +Reviewed-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Message-Id: <20211126164549.7046-2-scgl@linux.ibm.com> +Signed-off-by: Janosch Frank +Stable-dep-of: e8061f06185b ("KVM: s390: gaccess: Check if guest address is in memslot") +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/gaccess.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c +index 07d30ffcfa412..b184749ffc5ae 100644 +--- a/arch/s390/kvm/gaccess.c ++++ b/arch/s390/kvm/gaccess.c +@@ -831,8 +831,9 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + unsigned long len, enum gacc_mode mode) + { + psw_t *psw = &vcpu->arch.sie_block->gpsw; +- unsigned long _len, nr_pages, gpa, idx; ++ unsigned long nr_pages, gpa, idx; + unsigned long pages_array[2]; ++ unsigned int fragment_len; + unsigned long *pages; + int need_ipte_lock; + union asce asce; +@@ -855,15 +856,15 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + ipte_lock(vcpu); + rc = guest_page_range(vcpu, ga, ar, pages, nr_pages, asce, mode); + for (idx = 0; idx < nr_pages && !rc; idx++) { +- gpa = *(pages + idx) + (ga & ~PAGE_MASK); +- _len = min(PAGE_SIZE - (gpa & ~PAGE_MASK), len); ++ gpa = pages[idx] + offset_in_page(ga); ++ fragment_len = min(PAGE_SIZE - offset_in_page(gpa), len); + if (mode == GACC_STORE) +- rc = kvm_write_guest(vcpu->kvm, gpa, data, _len); ++ rc = kvm_write_guest(vcpu->kvm, gpa, data, fragment_len); + else +- rc = kvm_read_guest(vcpu->kvm, gpa, data, _len); +- len -= _len; +- ga += _len; +- data += _len; ++ rc = kvm_read_guest(vcpu->kvm, gpa, data, fragment_len); ++ len -= fragment_len; ++ ga += fragment_len; ++ data += fragment_len; + } + if (need_ipte_lock) + ipte_unlock(vcpu); +@@ -875,19 +876,20 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data, + int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, + void *data, unsigned long len, enum gacc_mode mode) + { +- unsigned long _len, gpa; ++ unsigned int fragment_len; ++ unsigned long gpa; + int rc = 0; + + while (len && !rc) { + gpa = kvm_s390_real_to_abs(vcpu, gra); +- _len = min(PAGE_SIZE - (gpa & ~PAGE_MASK), len); ++ fragment_len = min(PAGE_SIZE - offset_in_page(gpa), len); + if (mode) +- rc = write_guest_abs(vcpu, gpa, data, _len); ++ rc = write_guest_abs(vcpu, gpa, data, fragment_len); + else +- rc = read_guest_abs(vcpu, gpa, data, _len); +- len -= _len; +- gra += _len; +- data += _len; ++ rc = read_guest_abs(vcpu, gpa, data, fragment_len); ++ len -= fragment_len; ++ gra += fragment_len; ++ data += fragment_len; + } + return rc; + } +-- +2.43.0 + diff --git a/queue-5.4/macsec-don-t-increment-counters-for-an-unrelated-sa.patch b/queue-5.4/macsec-don-t-increment-counters-for-an-unrelated-sa.patch new file mode 100644 index 00000000000..ba81e939245 --- /dev/null +++ b/queue-5.4/macsec-don-t-increment-counters-for-an-unrelated-sa.patch @@ -0,0 +1,83 @@ +From 0bc5cc71c803800efdb843d985edae057b4f3946 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 17:16:37 +0200 +Subject: macsec: don't increment counters for an unrelated SA + +From: Sabrina Dubroca + +[ Upstream commit cf58aefb1332db322060cad4a330d5f9292b0f41 ] + +On RX, we shouldn't be incrementing the stats for an arbitrary SA in +case the actual SA hasn't been set up. Those counters are intended to +track packets for their respective AN when the SA isn't currently +configured. Due to the way MACsec is implemented, we don't keep +counters unless the SA is configured, so we can't track those packets, +and those counters will remain at 0. + +The RXSC's stats keeps track of those packets without telling us which +AN they belonged to. We could add counters for non-existent SAs, and +then find a way to integrate them in the dump to userspace, but I +don't think it's worth the effort. + +Fixes: 91ec9bd57f35 ("macsec: Fix traffic counters/statistics") +Reported-by: Paolo Abeni +Signed-off-by: Sabrina Dubroca +Link: https://patch.msgid.link/f5ac92aaa5b89343232615f4c03f9f95042c6aa0.1728657709.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 18 ------------------ + 1 file changed, 18 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index d5f2d895dba21..d1c1cbc324b13 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -317,19 +317,6 @@ static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr) + return sa; + } + +-static struct macsec_rx_sa *macsec_active_rxsa_get(struct macsec_rx_sc *rx_sc) +-{ +- struct macsec_rx_sa *sa = NULL; +- int an; +- +- for (an = 0; an < MACSEC_NUM_AN; an++) { +- sa = macsec_rxsa_get(rx_sc->sa[an]); +- if (sa) +- break; +- } +- return sa; +-} +- + static void free_rx_sc_rcu(struct rcu_head *head) + { + struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head); +@@ -1202,15 +1189,12 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + /* If validateFrames is Strict or the C bit in the + * SecTAG is set, discard + */ +- struct macsec_rx_sa *active_rx_sa = macsec_active_rxsa_get(rx_sc); + if (hdr->tci_an & MACSEC_TCI_C || + secy->validate_frames == MACSEC_VALIDATE_STRICT) { + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsNotUsingSA++; + u64_stats_update_end(&rxsc_stats->syncp); + DEV_STATS_INC(secy->netdev, rx_errors); +- if (active_rx_sa) +- this_cpu_inc(active_rx_sa->stats->InPktsNotUsingSA); + goto drop_nosa; + } + +@@ -1220,8 +1204,6 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsUnusedSA++; + u64_stats_update_end(&rxsc_stats->syncp); +- if (active_rx_sa) +- this_cpu_inc(active_rx_sa->stats->InPktsUnusedSA); + goto deliver; + } + +-- +2.43.0 + diff --git a/queue-5.4/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch b/queue-5.4/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch new file mode 100644 index 00000000000..6e2bd2ecb93 --- /dev/null +++ b/queue-5.4/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch @@ -0,0 +1,47 @@ +From 04bf25ab43bc44e2482d962206e13b86032d8ec0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Oct 2024 19:04:34 +0800 +Subject: net: ethernet: aeroflex: fix potential memory leak in + greth_start_xmit_gbit() + +From: Wang Hai + +[ Upstream commit cf57b5d7a2aad456719152ecd12007fe031628a3 ] + +The greth_start_xmit_gbit() returns NETDEV_TX_OK without freeing skb +in case of skb->len being too long, add dev_kfree_skb() to fix it. + +Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") +Signed-off-by: Wang Hai +Reviewed-by: Gerhard Engleder +Link: https://patch.msgid.link/20241012110434.49265-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aeroflex/greth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c +index 19e2b838750cb..9e437aebc7907 100644 +--- a/drivers/net/ethernet/aeroflex/greth.c ++++ b/drivers/net/ethernet/aeroflex/greth.c +@@ -484,7 +484,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev) + + if (unlikely(skb->len > MAX_FRAME_SIZE)) { + dev->stats.tx_errors++; +- goto out; ++ goto len_error; + } + + /* Save skb pointer. */ +@@ -575,6 +575,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev) + map_error: + if (net_ratelimit()) + dev_warn(greth->dev, "Could not create TX DMA mapping\n"); ++len_error: + dev_kfree_skb(skb); + out: + return err; +-- +2.43.0 + diff --git a/queue-5.4/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch b/queue-5.4/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch new file mode 100644 index 00000000000..054c74618cc --- /dev/null +++ b/queue-5.4/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch @@ -0,0 +1,36 @@ +From 8d852c6a878508d3b53287db1173131436a4f65d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 22:51:15 +0800 +Subject: net: systemport: fix potential memory leak in bcm_sysport_xmit() + +From: Wang Hai + +[ Upstream commit c401ed1c709948e57945485088413e1bb5e94bd1 ] + +The bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb +in case of dma_map_single() fails, add dev_kfree_skb() to fix it. + +Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") +Signed-off-by: Wang Hai +Link: https://patch.msgid.link/20241014145115.44977-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index 5a2094a281e15..4db355a0c7868 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -1316,6 +1316,7 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb, + netif_err(priv, tx_err, dev, "DMA map failed at %p (len=%d)\n", + skb->data, skb_len); + ret = NETDEV_TX_OK; ++ dev_kfree_skb_any(skb); + goto out; + } + +-- +2.43.0 + diff --git a/queue-5.4/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch b/queue-5.4/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch new file mode 100644 index 00000000000..8c8853c1167 --- /dev/null +++ b/queue-5.4/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch @@ -0,0 +1,47 @@ +From c1e63805ac0949048daf26c098d3795ef46d3cae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 20:05:57 -0700 +Subject: RDMA/bnxt_re: Fix incorrect AVID type in WQE structure + +From: Saravanan Vajravel + +[ Upstream commit 9ab20f76ae9fad55ebaf36bdff04aea1c2552374 ] + +Driver uses internal data structure to construct WQE frame. +It used avid type as u16 which can accommodate up to 64K AVs. +When outstanding AVID crosses 64K, driver truncates AVID and +hence it uses incorrect AVID to WR. This leads to WR failure +due to invalid AV ID and QP is moved to error state with reason +set to 19 (INVALID AVID). When RDMA CM path is used, this issue +hits QP1 and it is moved to error state + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://patch.msgid.link/r/1726715161-18941-3-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Selvin Xavier +Reviewed-by: Chandramohan Akula +Signed-off-by: Saravanan Vajravel +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h +index ff0f7b1095070..bdc3a4f969c7e 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h +@@ -150,7 +150,7 @@ struct bnxt_qplib_swqe { + }; + u32 q_key; + u32 dst_qp; +- u16 avid; ++ u32 avid; + } send; + + /* Send Raw Ethernet and QP1 */ +-- +2.43.0 + diff --git a/queue-5.4/rdma-bnxt_re-return-more-meaningful-error.patch b/queue-5.4/rdma-bnxt_re-return-more-meaningful-error.patch new file mode 100644 index 00000000000..93a7d5aeb1b --- /dev/null +++ b/queue-5.4/rdma-bnxt_re-return-more-meaningful-error.patch @@ -0,0 +1,41 @@ +From 5edd972c52111f0ae595fbdddce0d43fad9043a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 00:41:36 -0700 +Subject: RDMA/bnxt_re: Return more meaningful error + +From: Kalesh AP + +[ Upstream commit 98647df0178df215b8239c5c365537283b2852a6 ] + +When the HWRM command fails, driver currently returns -EFAULT(Bad +address). This does not look correct. + +Modified to return -EIO(I/O error). + +Fixes: cc1ec769b87c ("RDMA/bnxt_re: Fixing the Control path command and response handling") +Fixes: 65288a22ddd8 ("RDMA/bnxt_re: use shadow qd while posting non blocking rcfw command") +Link: https://patch.msgid.link/r/1728373302-19530-5-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index 5cdfa84faf85e..e74fb7c4d0335 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -244,7 +244,7 @@ int bnxt_qplib_rcfw_send_message(struct bnxt_qplib_rcfw *rcfw, + /* failed with status */ + dev_err(&rcfw->pdev->dev, "cmdq[%#x]=%#x status %#x\n", + cookie, opcode, evnt->status); +- rc = -EFAULT; ++ rc = -EIO; + } + + return rc; +-- +2.43.0 + diff --git a/queue-5.4/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch b/queue-5.4/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch new file mode 100644 index 00000000000..c374853dc84 --- /dev/null +++ b/queue-5.4/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch @@ -0,0 +1,65 @@ +From 9a45ae675175f911f89bbc2c3dfc945eaa4c1016 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 18:53:11 +0530 +Subject: RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP + +From: Anumula Murali Mohan Reddy + +[ Upstream commit c659b405b82ead335bee6eb33f9691bf718e21e8 ] + +ip_dev_find() always returns real net_device address, whether traffic is +running on a vlan or real device, if traffic is over vlan, filling +endpoint struture with real ndev and an attempt to send a connect request +will results in RDMA_CM_EVENT_UNREACHABLE error. This patch fixes the +issue by using vlan_dev_real_dev(). + +Fixes: 830662f6f032 ("RDMA/cxgb4: Add support for active and passive open connection with IPv6 address") +Link: https://patch.msgid.link/r/20241007132311.70593-1-anumula@chelsio.com +Signed-off-by: Anumula Murali Mohan Reddy +Signed-off-by: Potnuri Bharat Teja +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index 01750eb5458e0..38e2fbf84e276 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -2086,7 +2086,7 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip, + err = -ENOMEM; + if (n->dev->flags & IFF_LOOPBACK) { + if (iptype == 4) +- pdev = ip_dev_find(&init_net, *(__be32 *)peer_ip); ++ pdev = __ip_dev_find(&init_net, *(__be32 *)peer_ip, false); + else if (IS_ENABLED(CONFIG_IPV6)) + for_each_netdev(&init_net, pdev) { + if (ipv6_chk_addr(&init_net, +@@ -2101,12 +2101,12 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip, + err = -ENODEV; + goto out; + } ++ if (is_vlan_dev(pdev)) ++ pdev = vlan_dev_real_dev(pdev); + ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t, + n, pdev, rt_tos2priority(tos)); +- if (!ep->l2t) { +- dev_put(pdev); ++ if (!ep->l2t) + goto out; +- } + ep->mtu = pdev->mtu; + ep->tx_chan = cxgb4_port_chan(pdev); + ep->smac_idx = ((struct port_info *)netdev_priv(pdev))->smt_idx; +@@ -2119,7 +2119,6 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip, + ep->rss_qid = cdev->rdev.lldi.rxq_ids[ + cxgb4_port_idx(pdev) * step]; + set_tcp_window(ep, (struct port_info *)netdev_priv(pdev)); +- dev_put(pdev); + } else { + pdev = get_real_dev(n->dev); + ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t, +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 15767054f97..18069dd1e8d 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -382,3 +382,22 @@ x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch nilfs2-propagate-directory-read-errors-from-nilfs_find_entry.patch erofs-fix-lz4-inplace-decompression.patch mac80211-fix-null-ptr-deref-for-injected-rate-info.patch +rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch +arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch +rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch +ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch +rdma-bnxt_re-return-more-meaningful-error.patch +drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch +macsec-don-t-increment-counters-for-an-unrelated-sa.patch +net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch +net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch +genetlink-hold-rcu-in-genlmsg_mcast.patch +smb-client-fix-oobs-when-building-smb2_ioctl-request.patch +usb-typec-altmode-should-keep-reference-to-parent.patch +bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch +arm64-uprobe-fix-the-uprobe-swbp_insn-in-big-endian.patch +arm64-probes-fix-uprobes-for-big-endian-kernels.patch +kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch +kvm-s390-gaccess-refactor-access-address-range-check.patch +kvm-s390-gaccess-cleanup-access-to-guest-pages.patch +kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch diff --git a/queue-5.4/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch b/queue-5.4/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch new file mode 100644 index 00000000000..b6a5b7eb48b --- /dev/null +++ b/queue-5.4/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch @@ -0,0 +1,107 @@ +From 5502638ac354d6b1f52d9000942185cdb3781180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 19:04:04 -0300 +Subject: smb: client: fix OOBs when building SMB2_IOCTL request + +From: Paulo Alcantara + +[ Upstream commit 1ab60323c5201bef25f2a3dc0ccc404d9aca77f1 ] + +When using encryption, either enforced by the server or when using +'seal' mount option, the client will squash all compound request buffers +down for encryption into a single iov in smb2_set_next_command(). + +SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the +SMB2_IOCTL request in the first iov, and if the user passes an input +buffer that is greater than 328 bytes, smb2_set_next_command() will +end up writing off the end of @rqst->iov[0].iov_base as shown below: + + mount.cifs //srv/share /mnt -o ...,seal + ln -s $(perl -e "print('a')for 1..1024") /mnt/link + + BUG: KASAN: slab-out-of-bounds in + smb2_set_next_command.cold+0x1d6/0x24c [cifs] + Write of size 4116 at addr ffff8881148fcab8 by task ln/859 + + CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS + 1.16.3-2.fc40 04/01/2014 + Call Trace: + + dump_stack_lvl+0x5d/0x80 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + print_report+0x156/0x4d9 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + ? __virt_addr_valid+0x145/0x310 + ? __phys_addr+0x46/0x90 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + kasan_report+0xda/0x110 + ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] + kasan_check_range+0x10f/0x1f0 + __asan_memcpy+0x3c/0x60 + smb2_set_next_command.cold+0x1d6/0x24c [cifs] + smb2_compound_op+0x238c/0x3840 [cifs] + ? kasan_save_track+0x14/0x30 + ? kasan_save_free_info+0x3b/0x70 + ? vfs_symlink+0x1a1/0x2c0 + ? do_symlinkat+0x108/0x1c0 + ? __pfx_smb2_compound_op+0x10/0x10 [cifs] + ? kmem_cache_free+0x118/0x3e0 + ? cifs_get_writable_path+0xeb/0x1a0 [cifs] + smb2_get_reparse_inode+0x423/0x540 [cifs] + ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs] + ? rcu_is_watching+0x20/0x50 + ? __kmalloc_noprof+0x37c/0x480 + ? smb2_create_reparse_symlink+0x257/0x490 [cifs] + ? smb2_create_reparse_symlink+0x38f/0x490 [cifs] + smb2_create_reparse_symlink+0x38f/0x490 [cifs] + ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs] + ? find_held_lock+0x8a/0xa0 + ? hlock_class+0x32/0xb0 + ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs] + cifs_symlink+0x24f/0x960 [cifs] + ? __pfx_make_vfsuid+0x10/0x10 + ? __pfx_cifs_symlink+0x10/0x10 [cifs] + ? make_vfsgid+0x6b/0xc0 + ? generic_permission+0x96/0x2d0 + vfs_symlink+0x1a1/0x2c0 + do_symlinkat+0x108/0x1c0 + ? __pfx_do_symlinkat+0x10/0x10 + ? strncpy_from_user+0xaa/0x160 + __x64_sys_symlinkat+0xb9/0xf0 + do_syscall_64+0xbb/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7f08d75c13bb + +Reported-by: David Howells +Fixes: e77fe73c7e38 ("cifs: we can not use small padding iovs together with encryption") +Signed-off-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2pdu.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 667528132b692..cc5555636ed07 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -2730,6 +2730,15 @@ SMB2_ioctl_init(struct cifs_tcon *tcon, struct smb_rqst *rqst, + return rc; + + if (indatalen) { ++ unsigned int len; ++ ++ if (WARN_ON_ONCE(smb3_encryption_required(tcon) && ++ (check_add_overflow(total_len - 1, ++ ALIGN(indatalen, 8), &len) || ++ len > MAX_CIFS_SMALL_BUFFER_SIZE))) { ++ cifs_small_buf_release(req); ++ return -EIO; ++ } + /* + * indatalen is usually small at a couple of bytes max, so + * just allocate through generic pool +-- +2.43.0 + diff --git a/queue-5.4/usb-typec-altmode-should-keep-reference-to-parent.patch b/queue-5.4/usb-typec-altmode-should-keep-reference-to-parent.patch new file mode 100644 index 00000000000..37aafc71d00 --- /dev/null +++ b/queue-5.4/usb-typec-altmode-should-keep-reference-to-parent.patch @@ -0,0 +1,130 @@ +From 6d68a6093e1d67b6fc8397b6c82aef35fb93a767 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 09:37:38 -0300 +Subject: usb: typec: altmode should keep reference to parent + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit befab3a278c59db0cc88c8799638064f6d3fd6f8 ] + +The altmode device release refers to its parent device, but without keeping +a reference to it. + +When registering the altmode, get a reference to the parent and put it in +the release function. + +Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues +like this: + +[ 43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000) +[ 43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000) +[ 43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000) +[ 43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000) +[ 43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000) +[ 43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000) +[ 43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000) +[ 46.612867] ================================================================== +[ 46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129 +[ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48 +[ 46.614538] +[ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535 +[ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +[ 46.616042] Workqueue: events kobject_delayed_cleanup +[ 46.616446] Call Trace: +[ 46.616648] +[ 46.616820] dump_stack_lvl+0x5b/0x7c +[ 46.617112] ? typec_altmode_release+0x38/0x129 +[ 46.617470] print_report+0x14c/0x49e +[ 46.617769] ? rcu_read_unlock_sched+0x56/0x69 +[ 46.618117] ? __virt_addr_valid+0x19a/0x1ab +[ 46.618456] ? kmem_cache_debug_flags+0xc/0x1d +[ 46.618807] ? typec_altmode_release+0x38/0x129 +[ 46.619161] kasan_report+0x8d/0xb4 +[ 46.619447] ? typec_altmode_release+0x38/0x129 +[ 46.619809] ? process_scheduled_works+0x3cb/0x85f +[ 46.620185] typec_altmode_release+0x38/0x129 +[ 46.620537] ? process_scheduled_works+0x3cb/0x85f +[ 46.620907] device_release+0xaf/0xf2 +[ 46.621206] kobject_delayed_cleanup+0x13b/0x17a +[ 46.621584] process_scheduled_works+0x4f6/0x85f +[ 46.621955] ? __pfx_process_scheduled_works+0x10/0x10 +[ 46.622353] ? hlock_class+0x31/0x9a +[ 46.622647] ? lock_acquired+0x361/0x3c3 +[ 46.622956] ? move_linked_works+0x46/0x7d +[ 46.623277] worker_thread+0x1ce/0x291 +[ 46.623582] ? __kthread_parkme+0xc8/0xdf +[ 46.623900] ? __pfx_worker_thread+0x10/0x10 +[ 46.624236] kthread+0x17e/0x190 +[ 46.624501] ? kthread+0xfb/0x190 +[ 46.624756] ? __pfx_kthread+0x10/0x10 +[ 46.625015] ret_from_fork+0x20/0x40 +[ 46.625268] ? __pfx_kthread+0x10/0x10 +[ 46.625532] ret_from_fork_asm+0x1a/0x30 +[ 46.625805] +[ 46.625953] +[ 46.626056] Allocated by task 678: +[ 46.626287] kasan_save_stack+0x24/0x44 +[ 46.626555] kasan_save_track+0x14/0x2d +[ 46.626811] __kasan_kmalloc+0x3f/0x4d +[ 46.627049] __kmalloc_noprof+0x1bf/0x1f0 +[ 46.627362] typec_register_port+0x23/0x491 +[ 46.627698] cros_typec_probe+0x634/0xbb6 +[ 46.628026] platform_probe+0x47/0x8c +[ 46.628311] really_probe+0x20a/0x47d +[ 46.628605] device_driver_attach+0x39/0x72 +[ 46.628940] bind_store+0x87/0xd7 +[ 46.629213] kernfs_fop_write_iter+0x1aa/0x218 +[ 46.629574] vfs_write+0x1d6/0x29b +[ 46.629856] ksys_write+0xcd/0x13b +[ 46.630128] do_syscall_64+0xd4/0x139 +[ 46.630420] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 46.630820] +[ 46.630946] Freed by task 48: +[ 46.631182] kasan_save_stack+0x24/0x44 +[ 46.631493] kasan_save_track+0x14/0x2d +[ 46.631799] kasan_save_free_info+0x3f/0x4d +[ 46.632144] __kasan_slab_free+0x37/0x45 +[ 46.632474] kfree+0x1d4/0x252 +[ 46.632725] device_release+0xaf/0xf2 +[ 46.633017] kobject_delayed_cleanup+0x13b/0x17a +[ 46.633388] process_scheduled_works+0x4f6/0x85f +[ 46.633764] worker_thread+0x1ce/0x291 +[ 46.634065] kthread+0x17e/0x190 +[ 46.634324] ret_from_fork+0x20/0x40 +[ 46.634621] ret_from_fork_asm+0x1a/0x30 + +Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Heikki Krogerus +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20241004123738.2964524-1-cascardo@igalia.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/class.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c +index 371e010e0e859..c30740165b364 100644 +--- a/drivers/usb/typec/class.c ++++ b/drivers/usb/typec/class.c +@@ -471,6 +471,7 @@ static void typec_altmode_release(struct device *dev) + typec_altmode_put_partner(alt); + + altmode_id_remove(alt->adev.dev.parent, alt->id); ++ put_device(alt->adev.dev.parent); + kfree(alt); + } + +@@ -520,6 +521,8 @@ typec_register_altmode(struct device *parent, + alt->adev.dev.type = &typec_altmode_dev_type; + dev_set_name(&alt->adev.dev, "%s.%u", dev_name(parent), id); + ++ get_device(alt->adev.dev.parent); ++ + /* Link partners and plugs with the ports */ + if (is_port) + BLOCKING_INIT_NOTIFIER_HEAD(&alt->nh); +-- +2.43.0 + -- 2.47.2