From d0f8787407f3496b0ad85366df635a15d16914ff Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 27 Mar 2024 15:52:18 +0100 Subject: [PATCH] 6.7-stable patches added patches: cgroup-cpuset-fix-a-memory-leak-in-update_exclusive_cpumask.patch cgroup-cpuset-fix-retval-in-update_cpumask.patch crypto-rk3288-fix-use-after-free-in-unprepare.patch crypto-sun8i-ce-fix-use-after-free-in-unprepare.patch drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch drm-nouveau-fix-stale-locked-mutex-in-nouveau_gem_ioctl_pushbuf.patch mm-mmap-fix-vma_merge-case-7-with-vma_ops-close.patch netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch netfilter-nf_tables-reject-constant-set-with-timeout.patch nouveau-lock-the-client-object-tree.patch revert-crypto-pkcs7-remove-sha1-support.patch selftests-mptcp-diag-return-ksft_fail-not-test_cnt.patch thunderbolt-fix-null-pointer-dereference-in-tb_port_update_credits.patch usb-typec-tpcm-fix-port_reset-behavior-for-self-powered-devices.patch xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch --- ...ory-leak-in-update_exclusive_cpumask.patch | 46 +++ ...-cpuset-fix-retval-in-update_cpumask.patch | 37 +++ ...3288-fix-use-after-free-in-unprepare.patch | 40 +++ ...i-ce-fix-use-after-free-in-unprepare.patch | 150 ++++++++++ ...ize-for-more-efficient-use-of-memory.patch | 89 ++++++ ...d-mutex-in-nouveau_gem_ioctl_pushbuf.patch | 37 +++ ...-vma_merge-case-7-with-vma_ops-close.patch | 104 +++++++ ...llow-anonymous-set-with-timeout-flag.patch | 33 +++ ...unbinding-anonymous-set-with-timeout.patch | 45 +++ ...les-reject-constant-set-with-timeout.patch | 34 +++ .../nouveau-lock-the-client-object-tree.patch | 163 +++++++++++ ...ert-crypto-pkcs7-remove-sha1-support.patch | 273 ++++++++++++++++++ ...p-diag-return-ksft_fail-not-test_cnt.patch | 52 ++++ queue-6.7/series | 16 + ...ereference-in-tb_port_update_credits.patch | 65 +++++ ...et-behavior-for-self-powered-devices.patch | 59 ++++ 
...fortify-warning-in-copy_to_user_tmpl.patch | 56 ++++ 17 files changed, 1299 insertions(+) create mode 100644 queue-6.7/cgroup-cpuset-fix-a-memory-leak-in-update_exclusive_cpumask.patch create mode 100644 queue-6.7/cgroup-cpuset-fix-retval-in-update_cpumask.patch create mode 100644 queue-6.7/crypto-rk3288-fix-use-after-free-in-unprepare.patch create mode 100644 queue-6.7/crypto-sun8i-ce-fix-use-after-free-in-unprepare.patch create mode 100644 queue-6.7/drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch create mode 100644 queue-6.7/drm-nouveau-fix-stale-locked-mutex-in-nouveau_gem_ioctl_pushbuf.patch create mode 100644 queue-6.7/mm-mmap-fix-vma_merge-case-7-with-vma_ops-close.patch create mode 100644 queue-6.7/netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch create mode 100644 queue-6.7/netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch create mode 100644 queue-6.7/netfilter-nf_tables-reject-constant-set-with-timeout.patch create mode 100644 queue-6.7/nouveau-lock-the-client-object-tree.patch create mode 100644 queue-6.7/revert-crypto-pkcs7-remove-sha1-support.patch create mode 100644 queue-6.7/selftests-mptcp-diag-return-ksft_fail-not-test_cnt.patch create mode 100644 queue-6.7/thunderbolt-fix-null-pointer-dereference-in-tb_port_update_credits.patch create mode 100644 queue-6.7/usb-typec-tpcm-fix-port_reset-behavior-for-self-powered-devices.patch create mode 100644 queue-6.7/xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch diff --git a/queue-6.7/cgroup-cpuset-fix-a-memory-leak-in-update_exclusive_cpumask.patch b/queue-6.7/cgroup-cpuset-fix-a-memory-leak-in-update_exclusive_cpumask.patch new file mode 100644 index 00000000000..240beaf8c02 --- /dev/null +++ b/queue-6.7/cgroup-cpuset-fix-a-memory-leak-in-update_exclusive_cpumask.patch 
@@ -0,0 +1,46 @@
+From 66f40b926dd249f74334a22162c09e7ec1ec5b07 Mon Sep 17 00:00:00 2001
+From: Waiman Long
+Date: Tue, 27 Feb 2024 19:58:01 -0500
+Subject: cgroup/cpuset: Fix a memory leak in update_exclusive_cpumask()
+
+From: Waiman Long
+
+commit 66f40b926dd249f74334a22162c09e7ec1ec5b07 upstream.
+
+Fix a possible memory leak in update_exclusive_cpumask() by moving the
+alloc_cpumasks() down after the validate_change() check which can fail
+and still before the temporary cpumasks are needed.
+
+Fixes: e2ffe502ba45 ("cgroup/cpuset: Add cpuset.cpus.exclusive for v2")
+Reported-and-tested-by: Mirsad Todorovac
+Closes: https://lore.kernel.org/lkml/14915689-27a3-4cd8-80d2-9c30d0c768b6@alu.unizg.hr
+Signed-off-by: Waiman Long
+Signed-off-by: Tejun Heo
+Cc: stable@vger.kernel.org # v6.7+
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/cgroup/cpuset.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -2502,9 +2502,6 @@ static int update_exclusive_cpumask(stru
+ if (cpumask_equal(cs->exclusive_cpus, trialcs->exclusive_cpus))
+ return 0;
+
+- if (alloc_cpumasks(NULL, &tmp))
+- return -ENOMEM;
+-
+ if (*buf)
+ compute_effective_exclusive_cpumask(trialcs, NULL);
+
+@@ -2519,6 +2516,9 @@ static int update_exclusive_cpumask(stru
+ if (retval)
+ return retval;
+
++ if (alloc_cpumasks(NULL, &tmp))
++ return -ENOMEM;
++
+ if (old_prs) {
+ if (cpumask_empty(trialcs->effective_xcpus)) {
+ invalidate = true;
diff --git a/queue-6.7/cgroup-cpuset-fix-retval-in-update_cpumask.patch b/queue-6.7/cgroup-cpuset-fix-retval-in-update_cpumask.patch
new file mode 100644
index 00000000000..84eb296f859
--- /dev/null
+++ b/queue-6.7/cgroup-cpuset-fix-retval-in-update_cpumask.patch
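Review bot: After the move, `alloc_cpumasks(NULL, &tmp)` sits between the `if (retval) return retval;` check and the `if (old_prs)` block, which closes the leak on validation failure, but every return between the new allocation site and the function's free_cpumasks() call must still release `tmp`, and that tail of update_exclusive_cpumask() is outside the hunk — worth confirming it only leaves through the shared free path. A short comment would keep the ordering from being "tidied" back later: `/* Allocate temporaries only after validate_change(); an early -EINVAL return must not leak them. */` above the `if (alloc_cpumasks(NULL, &tmp))` line. update_exclusive_cpumask() begins and ends outside the hunk.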
@@ -0,0 +1,37 @@
+From 25125a4762835d62ba1e540c1351d447fc1f6c7c Mon Sep 17 00:00:00 2001
+From: Kamalesh Babulal
+Date: Thu, 29 Feb 2024 15:41:14 +0530
+Subject: cgroup/cpuset: Fix retval in update_cpumask()
+
+From: Kamalesh Babulal
+
+commit 25125a4762835d62ba1e540c1351d447fc1f6c7c upstream.
+
+The update_cpumask(), checks for newly requested cpumask by calling
+validate_change(), which returns an error on passing an invalid set
+of cpu(s). Independent of the error returned, update_cpumask() always
+returns zero, suppressing the error and returning success to the user
+on writing an invalid cpu range for a cpuset. Fix it by returning
+retval instead, which is returned by validate_change().
+
+Fixes: 99fe36ba6fc1 ("cgroup/cpuset: Improve temporary cpumasks handling")
+Signed-off-by: Kamalesh Babulal
+Reviewed-by: Waiman Long
+Cc: stable@vger.kernel.org # v6.6+
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/cgroup/cpuset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -2466,7 +2466,7 @@ static int update_cpumask(struct cpuset
+ update_partition_sd_lb(cs, old_prs);
+ out_free:
+ free_cpumasks(NULL, &tmp);
+- return 0;
++ return retval;
+ }
+
+ /**
diff --git a/queue-6.7/crypto-rk3288-fix-use-after-free-in-unprepare.patch b/queue-6.7/crypto-rk3288-fix-use-after-free-in-unprepare.patch
new file mode 100644
index 00000000000..8562be7c398
--- /dev/null
+++ b/queue-6.7/crypto-rk3288-fix-use-after-free-in-unprepare.patch
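Review bot: `return retval;` at `out_free:` is now reached from the success path too, so it relies on `retval` still being 0 after the last helper that assigns it; only `update_partition_sd_lb(cs, old_prs);` and the label are visible here, so confirm that no later call in update_cpumask() stores a positive or stale value into `retval` before falling through to the label. Before this change a write of an invalid cpu list reported success while leaving the cpuset untouched, so anything relying on cpuset confinement could not detect the misconfiguration; surfacing the error is the point of the fix, but it is a user-visible change worth a line in the stable changelog. update_cpumask() begins outside the hunk.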
@@ -0,0 +1,40 @@
+From c0afb6b88fbbc177fa322a835f874be217bffe45 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Wed, 28 Feb 2024 17:13:16 +0800
+Subject: crypto: rk3288 - Fix use after free in unprepare
+
+From: Herbert Xu
+
+commit c0afb6b88fbbc177fa322a835f874be217bffe45 upstream.
+
+The unprepare call must be carried out before the finalize call
+as the latter can free the request.
+
+Fixes: c66c17a0f69b ("crypto: rk3288 - Remove prepare/unprepare request")
+Reported-by: Andrey Skvortsov
+Cc:
+Signed-off-by: Herbert Xu
+Reviewed-by: Andrey Skvortsov
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/rockchip/rk3288_crypto_ahash.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+@@ -332,12 +332,12 @@ static int rk_hash_run(struct crypto_eng
+ theend:
+ pm_runtime_put_autosuspend(rkc->dev);
+
++ rk_hash_unprepare(engine, breq);
++
+ local_bh_disable();
+ crypto_finalize_hash_request(engine, breq, err);
+ local_bh_enable();
+
+- rk_hash_unprepare(engine, breq);
+-
+ return 0;
+ }
+
diff --git a/queue-6.7/crypto-sun8i-ce-fix-use-after-free-in-unprepare.patch b/queue-6.7/crypto-sun8i-ce-fix-use-after-free-in-unprepare.patch
new file mode 100644
index 00000000000..fa6e528bbb0
--- /dev/null
+++ b/queue-6.7/crypto-sun8i-ce-fix-use-after-free-in-unprepare.patch
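Review bot: The new placement of `rk_hash_unprepare(engine, breq);` ahead of `crypto_finalize_hash_request()` is correct but carries no explanation in the code, and nothing stops a later cleanup from moving it back below the finalize call, which is exactly the use-after-free being fixed; a comment above the call, `/* Must precede finalize: the completion callback may free breq. */`, would pin the ordering. The call remains unconditional on the `theend:` path, as it was before, so this patch does not change whether a `goto theend` taken before the request was prepared is safe — that is unchanged behaviour, but rk_hash_run() begins outside the hunk and its early exits are not visible here.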
@@ -0,0 +1,150 @@ +From 183420038444547c149a0fc5f58e792c2752860c Mon Sep 17 00:00:00 2001 +From: Andrey Skvortsov +Date: Tue, 27 Feb 2024 00:53:57 +0300 +Subject: crypto: sun8i-ce - Fix use after free in unprepare + +From: Andrey Skvortsov + +commit 183420038444547c149a0fc5f58e792c2752860c upstream. + +sun8i_ce_cipher_unprepare should be called before +crypto_finalize_skcipher_request, because client callbacks may +immediately free memory, that isn't needed anymore. But it will be +used by unprepare after free. Before removing prepare/unprepare +callbacks it was handled by crypto engine in crypto_finalize_request. + +Usually that results in a pointer dereference problem during a in +crypto selftest. + Unable to handle kernel NULL pointer dereference at + virtual address 0000000000000030 + Mem abort info: + ESR = 0x0000000096000004 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x04: level 0 translation fault + Data abort info: + ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 + CM = 0, WnR = 0, TnD = 0, TagAccess = 0 + GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000 + [0000000000000030] pgd=0000000000000000, p4d=0000000000000000 + Internal error: Oops: 0000000096000004 [#1] SMP + +This problem is detected by KASAN as well. 
+ ================================================================== + BUG: KASAN: slab-use-after-free in sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] + Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373 + + Hardware name: Pine64 PinePhone (1.2) (DT) + Call trace: + dump_backtrace+0x9c/0x128 + show_stack+0x20/0x38 + dump_stack_lvl+0x48/0x60 + print_report+0xf8/0x5d8 + kasan_report+0x90/0xd0 + __asan_load8+0x9c/0xc0 + sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] + crypto_pump_work+0x354/0x620 [crypto_engine] + kthread_worker_fn+0x244/0x498 + kthread+0x168/0x178 + ret_from_fork+0x10/0x20 + + Allocated by task 379: + kasan_save_stack+0x3c/0x68 + kasan_set_track+0x2c/0x40 + kasan_save_alloc_info+0x24/0x38 + __kasan_kmalloc+0xd4/0xd8 + __kmalloc+0x74/0x1d0 + alg_test_skcipher+0x90/0x1f0 + alg_test+0x24c/0x830 + cryptomgr_test+0x38/0x60 + kthread+0x168/0x178 + ret_from_fork+0x10/0x20 + + Freed by task 379: + kasan_save_stack+0x3c/0x68 + kasan_set_track+0x2c/0x40 + kasan_save_free_info+0x38/0x60 + __kasan_slab_free+0x100/0x170 + slab_free_freelist_hook+0xd4/0x1e8 + __kmem_cache_free+0x15c/0x290 + kfree+0x74/0x100 + kfree_sensitive+0x80/0xb0 + alg_test_skcipher+0x12c/0x1f0 + alg_test+0x24c/0x830 + cryptomgr_test+0x38/0x60 + kthread+0x168/0x178 + ret_from_fork+0x10/0x20 + + The buggy address belongs to the object at ffff00000dcdc000 + which belongs to the cache kmalloc-256 of size 256 + The buggy address is located 64 bytes inside of + freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100) + +Signed-off-by: Andrey Skvortsov +Fixes: 4136212ab18e ("crypto: sun8i-ce - Remove prepare/unprepare request") +Cc: +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 34 ++++++++++---------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c ++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c +@@ -299,22 +299,6 @@ theend: + 
return err; + } + +-static void sun8i_ce_cipher_run(struct crypto_engine *engine, void *areq) +-{ +- struct skcipher_request *breq = container_of(areq, struct skcipher_request, base); +- struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(breq); +- struct sun8i_cipher_tfm_ctx *op = crypto_skcipher_ctx(tfm); +- struct sun8i_ce_dev *ce = op->ce; +- struct sun8i_cipher_req_ctx *rctx = skcipher_request_ctx(breq); +- int flow, err; +- +- flow = rctx->flow; +- err = sun8i_ce_run_task(ce, flow, crypto_tfm_alg_name(breq->base.tfm)); +- local_bh_disable(); +- crypto_finalize_skcipher_request(engine, breq, err); +- local_bh_enable(); +-} +- + static void sun8i_ce_cipher_unprepare(struct crypto_engine *engine, + void *async_req) + { +@@ -360,6 +344,23 @@ static void sun8i_ce_cipher_unprepare(st + dma_unmap_single(ce->dev, rctx->addr_key, op->keylen, DMA_TO_DEVICE); + } + ++static void sun8i_ce_cipher_run(struct crypto_engine *engine, void *areq) ++{ ++ struct skcipher_request *breq = container_of(areq, struct skcipher_request, base); ++ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(breq); ++ struct sun8i_cipher_tfm_ctx *op = crypto_skcipher_ctx(tfm); ++ struct sun8i_ce_dev *ce = op->ce; ++ struct sun8i_cipher_req_ctx *rctx = skcipher_request_ctx(breq); ++ int flow, err; ++ ++ flow = rctx->flow; ++ err = sun8i_ce_run_task(ce, flow, crypto_tfm_alg_name(breq->base.tfm)); ++ sun8i_ce_cipher_unprepare(engine, areq); ++ local_bh_disable(); ++ crypto_finalize_skcipher_request(engine, breq, err); ++ local_bh_enable(); ++} ++ + int sun8i_ce_cipher_do_one(struct crypto_engine *engine, void *areq) + { + int err = sun8i_ce_cipher_prepare(engine, areq); +@@ -368,7 +369,6 @@ int sun8i_ce_cipher_do_one(struct crypto + return err; + + sun8i_ce_cipher_run(engine, areq); +- sun8i_ce_cipher_unprepare(engine, areq); + return 0; + } + 
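Review bot: The new `sun8i_ce_cipher_unprepare(engine, areq);` in sun8i_ce_cipher_run() runs unconditionally, even when `sun8i_ce_run_task()` returned an error, which matches the old ordering in do_one(), but the reason it must precede `crypto_finalize_skcipher_request()` lives only in the commit message; a comment above the call, `/* Unmap before finalize: the completion callback may free the request. */`, would keep the fix from regressing. sun8i_ce_cipher_do_one() still returns the error from `sun8i_ce_cipher_prepare()` without calling unprepare, which is presumably fine only if prepare unwinds its own DMA mappings on failure — worth confirming, since that function is outside the hunk. Moving the whole definition of sun8i_ce_cipher_run() below unprepare() also makes the functional change harder to see in the diff; a forward declaration would have kept the hunk to the one added line.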
diff --git a/queue-6.7/drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch b/queue-6.7/drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch new file mode 100644 index 00000000000..9de3d300cac --- /dev/null +++ b/queue-6.7/drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch 
@@ -0,0 +1,89 @@ +From b8209544296edbd1af186e2ea9c648642c37b18c Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Wed, 28 Feb 2024 16:45:33 -0800 +Subject: Drivers: hv: vmbus: Calculate ring buffer size for more efficient use of memory + +From: Michael Kelley + +commit b8209544296edbd1af186e2ea9c648642c37b18c upstream. + +The VMBUS_RING_SIZE macro adds space for a ring buffer header to the +requested ring buffer size. The header size is always 1 page, and so +its size varies based on the PAGE_SIZE for which the kernel is built. +If the requested ring buffer size is a large power-of-2 size and the header +size is small, the resulting size is inefficient in its use of memory. +For example, a 512 Kbyte ring buffer with a 4 Kbyte page size results in +a 516 Kbyte allocation, which is rounded to up 1 Mbyte by the memory +allocator, and wastes 508 Kbytes of memory. + +In such situations, the exact size of the ring buffer isn't that important, +and it's OK to allocate the 4 Kbyte header at the beginning of the 512 +Kbytes, leaving the ring buffer itself with just 508 Kbytes. The memory +allocation can be 512 Kbytes instead of 1 Mbyte and nothing is wasted. + +Update VMBUS_RING_SIZE to implement this approach for "large" ring buffer +sizes. "Large" is somewhat arbitrarily defined as 8 times the size of +the ring buffer header (which is of size PAGE_SIZE). For example, for +4 Kbyte PAGE_SIZE, ring buffers of 32 Kbytes and larger use the first +4 Kbytes as the ring buffer header. For 64 Kbyte PAGE_SIZE, ring buffers +of 512 Kbytes and larger use the first 64 Kbytes as the ring buffer +header. In both cases, smaller sizes add space for the header so +the ring size isn't reduced too much by using part of the space for +the header. For example, with a 64 Kbyte page size, we don't want +a 128 Kbyte ring buffer to be reduced to 64 Kbytes by allocating half +of the space for the header. 
In such a case, the memory allocation +is less efficient, but it's the best that can be done. + +While the new algorithm slightly changes the amount of space allocated +for ring buffers by drivers that use VMBUS_RING_SIZE, the devices aren't +known to be sensitive to small changes in ring buffer size, so there +shouldn't be any effect. + +Fixes: c1135c7fd0e9 ("Drivers: hv: vmbus: Introduce types of GPADL") +Fixes: 6941f67ad37d ("hv_netvsc: Calculate correct ring size when PAGE_SIZE is not 4 Kbytes") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218502 +Cc: stable@vger.kernel.org +Signed-off-by: Michael Kelley +Reviewed-by: Saurabh Sengar +Reviewed-by: Dexuan Cui +Tested-by: Souradeep Chakrabarti +Link: https://lore.kernel.org/r/20240229004533.313662-1-mhklinux@outlook.com +Signed-off-by: Wei Liu +Message-ID: <20240229004533.313662-1-mhklinux@outlook.com> +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/hyperv.h | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -164,8 +164,28 @@ struct hv_ring_buffer { + u8 buffer[]; + } __packed; + ++ ++/* ++ * If the requested ring buffer size is at least 8 times the size of the ++ * header, steal space from the ring buffer for the header. Otherwise, add ++ * space for the header so that is doesn't take too much of the ring buffer ++ * space. ++ * ++ * The factor of 8 is somewhat arbitrary. The goal is to prevent adding a ++ * relatively small header (4 Kbytes on x86) to a large-ish power-of-2 ring ++ * buffer size (such as 128 Kbytes) and so end up making a nearly twice as ++ * large allocation that will be almost half wasted. As a contrasting example, ++ * on ARM64 with 64 Kbyte page size, we don't want to take 64 Kbytes for the ++ * header from a 128 Kbyte allocation, leaving only 64 Kbytes for the ring. ++ * In this latter case, we must add 64 Kbytes for the header and not worry ++ * about what's wasted. 
++ */ ++#define VMBUS_HEADER_ADJ(payload_sz) \ ++ ((payload_sz) >= 8 * sizeof(struct hv_ring_buffer) ? \ ++ 0 : sizeof(struct hv_ring_buffer)) ++ + /* Calculate the proper size of a ringbuffer, it must be page-aligned */ +-#define VMBUS_RING_SIZE(payload_sz) PAGE_ALIGN(sizeof(struct hv_ring_buffer) + \ ++#define VMBUS_RING_SIZE(payload_sz) PAGE_ALIGN(VMBUS_HEADER_ADJ(payload_sz) + \ + (payload_sz)) + + struct hv_ring_buffer_info { diff --git a/queue-6.7/drm-nouveau-fix-stale-locked-mutex-in-nouveau_gem_ioctl_pushbuf.patch b/queue-6.7/drm-nouveau-fix-stale-locked-mutex-in-nouveau_gem_ioctl_pushbuf.patch new file mode 100644 index 00000000000..641565b3e8f --- /dev/null +++ b/queue-6.7/drm-nouveau-fix-stale-locked-mutex-in-nouveau_gem_ioctl_pushbuf.patch 
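Review bot: With `VMBUS_HEADER_ADJ()`, a ring whose `payload_sz` is at least `8 * sizeof(struct hv_ring_buffer)` now has only `payload_sz - PAGE_SIZE` bytes of data space, so any driver that sizes a single packet or a batch against the value it passed to VMBUS_RING_SIZE() can now hit a ring one page smaller than it asked for; the commit message says no driver is known to depend on this, but the header comment should state the contract, e.g. `/* NOTE: for payload_sz >= 8 * PAGE_SIZE the usable ring is payload_sz - PAGE_SIZE bytes. */`. `VMBUS_RING_SIZE(payload_sz)` also evaluates its argument twice now (once inside VMBUS_HEADER_ADJ and once in the addition), harmless for the constant arguments presumably used, but a side-effecting argument would be evaluated twice. Minor: "so that is doesn't take" in the new comment should read "so that it doesn't take".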
@@ -0,0 +1,37 @@
+From daf8739c3322a762ce84f240f50e0c39181a41ab Mon Sep 17 00:00:00 2001
+From: Karol Herbst
+Date: Tue, 5 Mar 2024 14:38:52 +0100
+Subject: drm/nouveau: fix stale locked mutex in nouveau_gem_ioctl_pushbuf
+
+From: Karol Herbst
+
+commit daf8739c3322a762ce84f240f50e0c39181a41ab upstream.
+
+If VM_BIND is enabled on the client the legacy submission ioctl can't be
+used, however if a client tries to do so regardless it will return an
+error. In this case the clients mutex remained unlocked leading to a
+deadlock inside nouveau_drm_postclose or any other nouveau ioctl call.
+
+Fixes: b88baab82871 ("drm/nouveau: implement new VM_BIND uAPI")
+Cc: Danilo Krummrich
+Cc: # v6.6+
+Signed-off-by: Karol Herbst
+Reviewed-by: Lyude Paul
+Reviewed-by: Danilo Krummrich
+Link: https://patchwork.freedesktop.org/patch/msgid/20240305133853.2214268-1-kherbst@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
+@@ -758,7 +758,7 @@ nouveau_gem_ioctl_pushbuf(struct drm_dev
+ return -ENOMEM;
+
+ if (unlikely(nouveau_cli_uvmm(cli)))
+- return -ENOSYS;
++ return nouveau_abi16_put(abi16, -ENOSYS);
+
+ list_for_each_entry(temp, &abi16->channels, head) {
+ if (temp->chan->chid == req->channel) {
diff --git a/queue-6.7/mm-mmap-fix-vma_merge-case-7-with-vma_ops-close.patch b/queue-6.7/mm-mmap-fix-vma_merge-case-7-with-vma_ops-close.patch
new file mode 100644
index 00000000000..02888dc32a8
--- /dev/null
+++ b/queue-6.7/mm-mmap-fix-vma_merge-case-7-with-vma_ops-close.patch
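Review bot: `return nouveau_abi16_put(abi16, -ENOSYS);` releases the client mutex that the old `return -ENOSYS;` leaked, but the uvmm test does not depend on `abi16` at all, so it could be hoisted above the `nouveau_abi16_get()` call that takes the lock — `if (unlikely(nouveau_cli_uvmm(cli))) return -ENOSYS;` before the lookup — avoiding the lock for VM_BIND clients and removing one more exit that has to remember to unlock. Every other early return after `nouveau_abi16_get()` in nouveau_gem_ioctl_pushbuf() has the same obligation and is outside the hunk. The patch description says the mutex "remained unlocked" where the subject says locked; the code change matches the subject.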
@@ -0,0 +1,104 @@ +From fc0c8f9089c20d198d8fe51ddc28bfa1af588dce Mon Sep 17 00:00:00 2001 +From: Vlastimil Babka +Date: Thu, 22 Feb 2024 22:59:31 +0100 +Subject: mm, mmap: fix vma_merge() case 7 with vma_ops->close + +From: Vlastimil Babka + +commit fc0c8f9089c20d198d8fe51ddc28bfa1af588dce upstream. + +When debugging issues with a workload using SysV shmem, Michal Hocko has +come up with a reproducer that shows how a series of mprotect() operations +can result in an elevated shm_nattch and thus leak of the resource. + +The problem is caused by wrong assumptions in vma_merge() commit +714965ca8252 ("mm/mmap: start distinguishing if vma can be removed in +mergeability test"). The shmem vmas have a vma_ops->close callback that +decrements shm_nattch, and we remove the vma without calling it. + +vma_merge() has thus historically avoided merging vma's with +vma_ops->close and commit 714965ca8252 was supposed to keep it that way. +It relaxed the checks for vma_ops->close in can_vma_merge_after() assuming +that it is never called on a vma that would be a candidate for removal. +However, the vma_merge() code does also use the result of this check in +the decision to remove a different vma in the merge case 7. + +A robust solution would be to refactor vma_merge() code in a way that the +vma_ops->close check is only done for vma's that are actually going to be +removed, and not as part of the preliminary checks. That would both solve +the existing bug, and also allow additional merges that the checks +currently prevent unnecessarily in some cases. + +However to fix the existing bug first with a minimized risk, and for +easier stable backports, this patch only adds a vma_ops->close check to +the buggy case 7 specifically. All other cases of vma removal are covered +by the can_vma_merge_before() check that includes the test for +vma_ops->close. 
+ +The reproducer code, adapted from Michal Hocko's code: + +int main(int argc, char *argv[]) { + int segment_id; + size_t segment_size = 20 * PAGE_SIZE; + char * sh_mem; + struct shmid_ds shmid_ds; + + key_t key = 0x1234; + segment_id = shmget(key, segment_size, + IPC_CREAT | IPC_EXCL | S_IRUSR | S_IWUSR); + sh_mem = (char *)shmat(segment_id, NULL, 0); + + mprotect(sh_mem + 2*PAGE_SIZE, PAGE_SIZE, PROT_NONE); + + mprotect(sh_mem + PAGE_SIZE, PAGE_SIZE, PROT_WRITE); + + mprotect(sh_mem + 2*PAGE_SIZE, PAGE_SIZE, PROT_WRITE); + + shmdt(sh_mem); + + shmctl(segment_id, IPC_STAT, &shmid_ds); + printf("nattch after shmdt(): %lu (expected: 0)\n", shmid_ds.shm_nattch); + + if (shmctl(segment_id, IPC_RMID, 0)) + printf("IPCRM failed %d\n", errno); + return (shmid_ds.shm_nattch) ? 1 : 0; +} + +Link: https://lkml.kernel.org/r/20240222215930.14637-2-vbabka@suse.cz +Fixes: 714965ca8252 ("mm/mmap: start distinguishing if vma can be removed in mergeability test") +Signed-off-by: Vlastimil Babka +Reported-by: Michal Hocko +Reviewed-by: Lorenzo Stoakes +Reviewed-by: Liam R. Howlett +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/mmap.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -954,13 +954,21 @@ static struct vm_area_struct + } else if (merge_prev) { /* case 2 */ + if (curr) { + vma_start_write(curr); +- err = dup_anon_vma(prev, curr, &anon_dup); + if (end == curr->vm_end) { /* case 7 */ ++ /* ++ * can_vma_merge_after() assumed we would not be ++ * removing prev vma, so it skipped the check ++ * for vm_ops->close, but we are removing curr ++ */ ++ if (curr->vm_ops && curr->vm_ops->close) ++ err = -EINVAL; + remove = curr; + } else { /* case 5 */ + adjust = curr; + adj_start = (end - curr->vm_start); + } ++ if (!err) ++ err = dup_anon_vma(prev, curr, &anon_dup); + } + } else { /* merge_next */ + vma_start_write(next); 
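Review bot: In the case 7 branch, `remove = curr;` is still assigned after `err = -EINVAL;`, so correctness depends on the code after the hunk checking `err` before it acts on `remove` (and on the preceding `vma_start_write(curr)` having no lasting effect on a vma that is then left alone); that tail of vma_merge() is outside the hunk and should be checked, or the assignment made conditional, `if (!err) remove = curr;`. The new guard `if (!err) err = dup_anon_vma(prev, curr, &anon_dup);` also leaves `anon_dup` untouched on the -EINVAL path, so the error unwind must not assume it was set. vma_merge() begins outside the hunk.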
diff --git a/queue-6.7/netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch b/queue-6.7/netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch
new file mode 100644
index 00000000000..57324f20a49
--- /dev/null
+++ b/queue-6.7/netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch
@@ -0,0 +1,33 @@
+From 16603605b667b70da974bea8216c93e7db043bf1 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Fri, 1 Mar 2024 00:11:10 +0100
+Subject: netfilter: nf_tables: disallow anonymous set with timeout flag
+
+From: Pablo Neira Ayuso
+
+commit 16603605b667b70da974bea8216c93e7db043bf1 upstream.
+
+Anonymous sets are never used with timeout from userspace, reject this.
+Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.
+
+Cc: stable@vger.kernel.org
+Fixes: 761da2935d6e ("netfilter: nf_tables: add set timeout API support")
+Reported-by: lonial con
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5000,6 +5000,9 @@ static int nf_tables_newset(struct sk_bu
+ if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
+ (NFT_SET_EVAL | NFT_SET_OBJECT))
+ return -EOPNOTSUPP;
++ if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
++ (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
++ return -EOPNOTSUPP;
+ }
+
+ desc.dtype = 0;
diff --git a/queue-6.7/netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch b/queue-6.7/netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch
new file mode 100644
index 00000000000..cd9ff434692
--- /dev/null
+++ b/queue-6.7/netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch
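Review bot: The new flag test only works because NFT_SET_EVAL is in the mask but absent from the expected value — that is how meters are exempted — and nothing in the code says so; a one-line comment above the `if`, `/* anonymous sets with timeouts are only valid for meters (NFT_SET_EVAL) */`, would make the exception explicit rather than something a reader has to reverse-engineer. Note the exemption leaves anonymous NFT_SET_EVAL sets with timeouts creatable from userspace, so whatever the asynchronous set gc does with expiring elements of an anonymous set is not prevented by this check alone. nf_tables_newset() begins outside the hunk.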
@@ -0,0 +1,45 @@
+From 552705a3650bbf46a22b1adedc1b04181490fc36 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 4 Mar 2024 14:22:12 +0100
+Subject: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
+
+From: Pablo Neira Ayuso
+
+commit 552705a3650bbf46a22b1adedc1b04181490fc36 upstream.
+
+While the rhashtable set gc runs asynchronously, a race allows it to
+collect elements from anonymous sets with timeouts while it is being
+released from the commit path.
+
+Mingi Cho originally reported this issue in a different path in 6.1.x
+with a pipapo set with low timeouts which is not possible upstream since
+7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set
+element timeout").
+
+Fix this by setting on the dead flag for anonymous sets to skip async gc
+in this case.
+
+According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on
+transaction abort"), Florian plans to accelerate abort path by releasing
+objects via workqueue, therefore, this sets on the dead flag for abort
+path too.
+
+Cc: stable@vger.kernel.org
+Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
+Reported-by: Mingi Cho
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5423,6 +5423,7 @@ static void nf_tables_unbind_set(const s
+
+ if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
+ list_del_rcu(&set->list);
++ set->dead = 1;
+ if (event)
+ nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
+ GFP_KERNEL);
diff --git a/queue-6.7/netfilter-nf_tables-reject-constant-set-with-timeout.patch b/queue-6.7/netfilter-nf_tables-reject-constant-set-with-timeout.patch
new file mode 100644
index 00000000000..3834400455b
--- /dev/null
+++ b/queue-6.7/netfilter-nf_tables-reject-constant-set-with-timeout.patch
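Review bot: `set->dead = 1;` is a plain store made after `list_del_rcu(&set->list);` with no barrier or annotation, so it only closes the race if the asynchronous gc re-reads the flag under the same serialization the unbind path holds (presumably the commit mutex) before it commits collected elements; that reader is outside the hunk and should be verified rather than assumed, since an unsynchronized check would still let an in-flight gc batch touch the set being released. A comment would make the intent visible to the next person touching this path: `/* keep the async gc away from a set being released from the commit/abort path */`. nf_tables_unbind_set() begins outside the hunk.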
@@ -0,0 +1,34 @@
+From 5f4fc4bd5cddb4770ab120ce44f02695c4505562 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Fri, 1 Mar 2024 01:04:11 +0100
+Subject: netfilter: nf_tables: reject constant set with timeout
+
+From: Pablo Neira Ayuso
+
+commit 5f4fc4bd5cddb4770ab120ce44f02695c4505562 upstream.
+
+This set combination is weird: it allows for elements to be
+added/deleted, but once bound to the rule it cannot be updated anymore.
+Eventually, all elements expire, leading to an empty set which cannot
+be updated anymore. Reject this flags combination.
+
+Cc: stable@vger.kernel.org
+Fixes: 761da2935d6e ("netfilter: nf_tables: add set timeout API support")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5003,6 +5003,9 @@ static int nf_tables_newset(struct sk_bu
+ if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
+ (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
+ return -EOPNOTSUPP;
++ if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ==
++ (NFT_SET_CONSTANT | NFT_SET_TIMEOUT))
++ return -EOPNOTSUPP;
+ }
+
+ desc.dtype = 0;
diff --git a/queue-6.7/nouveau-lock-the-client-object-tree.patch b/queue-6.7/nouveau-lock-the-client-object-tree.patch
new file mode 100644
index 00000000000..0340049a3aa
--- /dev/null
+++ b/queue-6.7/nouveau-lock-the-client-object-tree.patch
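Review bot: The context lines of this hunk are the `NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT` check introduced by the disallow-anonymous-set patch queued in the same commit, so this file only applies if `queue-6.7/series` orders that patch first; the series file is listed in the diffstat but not in the visible part of this commit, so that ordering should be confirmed. The check itself is sound but silent on its rationale; `/* constant + timeout: elements expire and the set can never be refilled */` above the new `if` would carry the reasoning from the commit message into the code. nf_tables_newset() begins outside the hunk.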
@@ -0,0 +1,163 @@
+From b7cc4ff787a572edf2c55caeffaa88cd801eb135 Mon Sep 17 00:00:00 2001
+From: Dave Airlie
+Date: Wed, 28 Feb 2024 16:19:47 +1000
+Subject: nouveau: lock the client object tree.
+
+From: Dave Airlie
+
+commit b7cc4ff787a572edf2c55caeffaa88cd801eb135 upstream.
+
+It appears the client object tree has no locking unless I've missed
+something else. Fix races around adding/removing client objects,
+mostly vram bar mappings.
+
+ 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI
+[ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27
+[ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021
+[ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]
+[ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe
+[ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206
+[ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58
+[ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400
+[ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000
+[ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0
+[ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007
+[ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000
+[ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0
+[ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 4562.099544] Call Trace:
+[ 4562.099555]
+[ 4562.099573] ? die_addr+0x36/0x90
+[ 4562.099583] ? exc_general_protection+0x246/0x4a0
+[ 4562.099593] ? asm_exc_general_protection+0x26/0x30
+[ 4562.099600] ? nvkm_object_search+0x1d/0x70 [nouveau]
+[ 4562.099730] nvkm_ioctl+0xa1/0x250 [nouveau]
+[ 4562.099861] nvif_object_map_handle+0xc8/0x180 [nouveau]
+[ 4562.099986] nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]
+[ 4562.100156] ? dma_resv_test_signaled+0x26/0xb0
+[ 4562.100163] ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]
+[ 4562.100182] ? __mutex_unlock_slowpath+0x2a/0x270
+[ 4562.100189] nouveau_ttm_fault+0x69/0xb0 [nouveau]
+[ 4562.100356] __do_fault+0x32/0x150
+[ 4562.100362] do_fault+0x7c/0x560
+[ 4562.100369] __handle_mm_fault+0x800/0xc10
+[ 4562.100382] handle_mm_fault+0x17c/0x3e0
+[ 4562.100388] do_user_addr_fault+0x208/0x860
+[ 4562.100395] exc_page_fault+0x7f/0x200
+[ 4562.100402] asm_exc_page_fault+0x26/0x30
+[ 4562.100412] RIP: 0033:0x9b9870
+[ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7
+[ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246
+[ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000
+[ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066
+[ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000
+[ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff
+[ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 4562.100446]
+[ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink snd_sof_intel_hda snd_sof kvm snd_sof_utils snd_soc_core snd_hda_codec_realtek libarc4 snd_hda_codec_generic snd_compress snd_hda_ext_core vfat fat snd_hda_intel snd_intel_dspcfg irqbypass iwlwifi snd_hda_codec snd_hwdep snd_hda_core btusb btrtl mei_hdcp iTCO_wdt rapl mei_pxp btintel snd_seq iTCO_vendor_support btbcm snd_seq_device intel_cstate bluetooth snd_pcm cfg80211 intel_wmi_thunderbolt wmi_bmof intel_uncore snd_timer mei_me snd ecdh_generic i2c_i801
+[ 4562.100541] ecc mei i2c_smbus soundcore rfkill intel_pch_thermal acpi_pad zram nouveau drm_ttm_helper ttm gpu_sched i2c_algo_bit drm_gpuvm drm_exec mxm_wmi drm_display_helper drm_kms_helper drm crct10dif_pclmul crc32_pclmul nvme e1000e crc32c_intel nvme_core ghash_clmulni_intel video wmi pinctrl_cannonlake ip6_tables ip_tables fuse
+[ 4562.100616] ---[ end trace 0000000000000000 ]---
+
+Signed-off-by: Dave Airlie
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/nouveau/include/nvkm/core/client.h | 1
+ drivers/gpu/drm/nouveau/nvkm/core/client.c | 1
+ drivers/gpu/drm/nouveau/nvkm/core/object.c | 26 ++++++++++++++++-----
+ 3 files changed, 22 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/include/nvkm/core/client.h
++++ b/drivers/gpu/drm/nouveau/include/nvkm/core/client.h
+@@ -11,6 +11,7 @@ struct nvkm_client {
+ u32 debug;
+
+ struct rb_root objroot;
++ spinlock_t obj_lock;
+
+ void *data;
+ int (*event)(u64 token, void *argv, u32 argc);
+--- a/drivers/gpu/drm/nouveau/nvkm/core/client.c
++++ b/drivers/gpu/drm/nouveau/nvkm/core/client.c
+@@ -180,6 +180,7 @@ nvkm_client_new(const char *name, u64 de
+ client->device = device;
+ client->debug = nvkm_dbgopt(dbg, "CLIENT");
+ client->objroot = RB_ROOT;
++ spin_lock_init(&client->obj_lock);
+ client->event = event;
+ INIT_LIST_HEAD(&client->umem);
+ spin_lock_init(&client->lock);
+--- a/drivers/gpu/drm/nouveau/nvkm/core/object.c
++++ b/drivers/gpu/drm/nouveau/nvkm/core/object.c
+@@ -30,8 +30,10 @@ nvkm_object_search(struct nvkm_client *c
+ const struct nvkm_object_func *func)
+ {
+ struct nvkm_object *object;
++ unsigned long flags;
+
+ if (handle) {
++ spin_lock_irqsave(&client->obj_lock, flags);
+ struct rb_node *node = client->objroot.rb_node;
+ while (node) {
+ object = rb_entry(node, typeof(*object), node);
+@@ -40,9 +42,12 @@ nvkm_object_search(struct nvkm_client *c
+ else
+ if (handle > object->object)
+ node = node->rb_right;
+- else
++ else {
++ spin_unlock_irqrestore(&client->obj_lock, flags);
+ goto done;
++ }
+ }
++ spin_unlock_irqrestore(&client->obj_lock, flags);
+ return ERR_PTR(-ENOENT);
+ } else {
+ object = &client->object;
+@@ -57,30 +62,39 @@ done:
+ void
+ nvkm_object_remove(struct nvkm_object *object)
+ {
++ unsigned long flags;
++
++ spin_lock_irqsave(&object->client->obj_lock, flags);
+ if (!RB_EMPTY_NODE(&object->node))
+ rb_erase(&object->node, &object->client->objroot);
++ spin_unlock_irqrestore(&object->client->obj_lock, flags);
+ }
+
+ bool
+ nvkm_object_insert(struct nvkm_object *object)
+ {
+- struct rb_node **ptr = &object->client->objroot.rb_node;
++ struct rb_node **ptr;
+ struct rb_node *parent = NULL;
++ unsigned long flags;
+
++ spin_lock_irqsave(&object->client->obj_lock, flags);
++ ptr = &object->client->objroot.rb_node;
+ while (*ptr) {
+ struct nvkm_object *this = rb_entry(*ptr, typeof(*this), node);
+ parent = *ptr;
+- if (object->object < this->object)
++ if (object->object < this->object) {
+ ptr = &parent->rb_left;
+- else
+- if (object->object > this->object)
++ } else if (object->object > this->object) {
+ ptr = &parent->rb_right;
+- else
++ } else {
++ spin_unlock_irqrestore(&object->client->obj_lock, flags);
+ return false;
++ }
+ }
+
+ rb_link_node(&object->node, parent, ptr);
+ rb_insert_color(&object->node, &object->client->objroot);
++ spin_unlock_irqrestore(&object->client->obj_lock, flags);
+ return true;
+ }
+
diff --git a/queue-6.7/revert-crypto-pkcs7-remove-sha1-support.patch b/queue-6.7/revert-crypto-pkcs7-remove-sha1-support.patch
new file mode 100644
index 00000000000..2e5dd62083d
--- /dev/null
+++ b/queue-6.7/revert-crypto-pkcs7-remove-sha1-support.patch
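Review bot: In nvkm_object_search the `struct rb_node *node = client->objroot.rb_node;` declaration now follows the `spin_lock_irqsave()` statement, whereas nvkm_object_insert was reworked in the same patch to declare `ptr` first and assign it under the lock; for consistency with that and with kernel declarations-first style, declare `struct rb_node *node;` before the lock and write `node = client->objroot.rb_node;` after it. Separately, obj_lock only guards the rb-tree structure: the lock is dropped before `goto done`, so the object just found can still be removed and freed by a concurrent nvkm_object_remove unless the caller holds a reference or serialises against removal, which nothing in the hunk shows; a comment on the new field in client.h such as `/* protects objroot only; object lifetime is the caller's responsibility */` (adjusted if a reference is in fact taken) would make that contract explicit. The `done:` label and the remainder of nvkm_object_search are outside the hunk.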
@@ -0,0 +1,273 @@
+From 203a6763ab699da0568fd2b76303d03bb121abd4 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Wed, 13 Mar 2024 16:32:27 -0700
+Subject: Revert "crypto: pkcs7 - remove sha1 support"
+
+From: Eric Biggers
+
+commit 203a6763ab699da0568fd2b76303d03bb121abd4 upstream.
+
+This reverts commit 16ab7cb5825fc3425c16ad2c6e53d827f382d7c6 because it
+broke iwd. iwd uses the KEYCTL_PKEY_* UAPIs via its dependency libell,
+and apparently it is relying on SHA-1 signature support. These UAPIs
+are fairly obscure, and their documentation does not mention which
+algorithms they support. iwd really should be using a properly
+supported userspace crypto library instead. Regardless, since something
+broke we have to revert the change.
+
+It may be possible that some parts of this commit can be reinstated
+without breaking iwd (e.g. probably the removal of MODULE_SIG_SHA1), but
+for now this just does a full revert to get things working again.
+
+Reported-by: Karel Balej
+Closes: https://lore.kernel.org/r/CZSHRUIJ4RKL.34T4EASV5DNJM@matfyz.cz
+Cc: Dimitri John Ledkov
+Signed-off-by: Eric Biggers
+Tested-by: Karel Balej
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/asymmetric_keys/mscode_parser.c | 3 +
+ crypto/asymmetric_keys/pkcs7_parser.c | 4 +
+ crypto/asymmetric_keys/public_key.c | 3 -
+ crypto/asymmetric_keys/signature.c | 2
+ crypto/asymmetric_keys/x509_cert_parser.c | 8 +++
+ crypto/testmgr.h | 80 ++++++++++++++++++++++++++++++
+ include/linux/oid_registry.h | 4 +
+ kernel/module/Kconfig | 5 +
+ 8 files changed, 107 insertions(+), 2 deletions(-)
+
+--- a/crypto/asymmetric_keys/mscode_parser.c
++++ b/crypto/asymmetric_keys/mscode_parser.c
+@@ -75,6 +75,9 @@ int mscode_note_digest_algo(void *contex
+
+ oid = look_up_OID(value, vlen);
+ switch (oid) {
++ case OID_sha1:
++ ctx->digest_algo = "sha1";
++ break;
+ case OID_sha256:
+ ctx->digest_algo = "sha256";
+ break;
+--- a/crypto/asymmetric_keys/pkcs7_parser.c
++++ b/crypto/asymmetric_keys/pkcs7_parser.c
+@@ -227,6 +227,9 @@ int pkcs7_sig_note_digest_algo(void *con
+ struct pkcs7_parse_context *ctx = context;
+
+ switch (ctx->last_oid) {
++ case OID_sha1:
++ ctx->sinfo->sig->hash_algo = "sha1";
++ break;
+ case OID_sha256:
+ ctx->sinfo->sig->hash_algo = "sha256";
+ break;
+@@ -278,6 +281,7 @@ int pkcs7_sig_note_pkey_algo(void *conte
+ ctx->sinfo->sig->pkey_algo = "rsa";
+ ctx->sinfo->sig->encoding = "pkcs1";
+ break;
++ case OID_id_ecdsa_with_sha1:
+ case OID_id_ecdsa_with_sha224:
+ case OID_id_ecdsa_with_sha256:
+ case OID_id_ecdsa_with_sha384:
+--- a/crypto/asymmetric_keys/public_key.c
++++ b/crypto/asymmetric_keys/public_key.c
+@@ -115,7 +115,8 @@ software_key_determine_akcipher(const st
+ */
+ if (!hash_algo)
+ return -EINVAL;
+- if (strcmp(hash_algo, "sha224") != 0 &&
++ if (strcmp(hash_algo, "sha1") != 0 &&
++ strcmp(hash_algo, "sha224") != 0 &&
+ strcmp(hash_algo, "sha256") != 0 &&
+ strcmp(hash_algo, "sha384") != 0 &&
+ strcmp(hash_algo, "sha512") != 0 &&
+--- a/crypto/asymmetric_keys/signature.c
++++ b/crypto/asymmetric_keys/signature.c
+@@ -115,7 +115,7 @@ EXPORT_SYMBOL_GPL(decrypt_blob);
+ * Sign the specified data blob using the private key specified by params->key.
+ * The signature is wrapped in an encoding if params->encoding is specified
+ * (eg. "pkcs1"). If the encoding needs to know the digest type, this can be
+- * passed through params->hash_algo (eg. "sha512").
++ * passed through params->hash_algo (eg. "sha1").
+ *
+ * Returns the length of the data placed in the signature buffer or an error.
+ */
+--- a/crypto/asymmetric_keys/x509_cert_parser.c
++++ b/crypto/asymmetric_keys/x509_cert_parser.c
+@@ -198,6 +198,10 @@ int x509_note_sig_algo(void *context, si
+ default:
+ return -ENOPKG; /* Unsupported combination */
+
++ case OID_sha1WithRSAEncryption:
++ ctx->cert->sig->hash_algo = "sha1";
++ goto rsa_pkcs1;
++
+ case OID_sha256WithRSAEncryption:
+ ctx->cert->sig->hash_algo = "sha256";
+ goto rsa_pkcs1;
+@@ -214,6 +218,10 @@ int x509_note_sig_algo(void *context, si
+ ctx->cert->sig->hash_algo = "sha224";
+ goto rsa_pkcs1;
+
++ case OID_id_ecdsa_with_sha1:
++ ctx->cert->sig->hash_algo = "sha1";
++ goto ecdsa;
++
+ case OID_id_rsassa_pkcs1_v1_5_with_sha3_256:
+ ctx->cert->sig->hash_algo = "sha3-256";
+ goto rsa_pkcs1;
+--- a/crypto/testmgr.h
++++ b/crypto/testmgr.h
+@@ -653,6 +653,30 @@ static const struct akcipher_testvec rsa
+ static const struct akcipher_testvec ecdsa_nist_p192_tv_template[] = {
+ {
+ .key =
++ "\x04\xf7\x46\xf8\x2f\x15\xf6\x22\x8e\xd7\x57\x4f\xcc\xe7\xbb\xc1"
++ "\xd4\x09\x73\xcf\xea\xd0\x15\x07\x3d\xa5\x8a\x8a\x95\x43\xe4\x68"
++ "\xea\xc6\x25\xc1\xc1\x01\x25\x4c\x7e\xc3\x3c\xa6\x04\x0a\xe7\x08"
++ "\x98",
++ .key_len = 49,
++ .params =
++ "\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48"
++ "\xce\x3d\x03\x01\x01",
++ .param_len = 21,
++ .m =
++ "\xcd\xb9\xd2\x1c\xb7\x6f\xcd\x44\xb3\xfd\x63\xea\xa3\x66\x7f\xae"
++ "\x63\x85\xe7\x82",
++ .m_size = 20,
++ .algo = OID_id_ecdsa_with_sha1,
++ .c =
++ "\x30\x35\x02\x19\x00\xba\xe5\x93\x83\x6e\xb6\x3b\x63\xa0\x27\x91"
++ "\xc6\xf6\x7f\xc3\x09\xad\x59\xad\x88\x27\xd6\x92\x6b\x02\x18\x10"
++ "\x68\x01\x9d\xba\xce\x83\x08\xef\x95\x52\x7b\xa0\x0f\xe4\x18\x86"
++ "\x80\x6f\xa5\x79\x77\xda\xd0",
++ .c_size = 55,
++ .public_key_vec = true,
++ .siggen_sigver_test = true,
++ }, {
++ .key =
+ "\x04\xb6\x4b\xb1\xd1\xac\xba\x24\x8f\x65\xb2\x60\x00\x90\xbf\xbd"
+ "\x78\x05\x73\xe9\x79\x1d\x6f\x7c\x0b\xd2\xc3\x93\xa7\x28\xe1\x75"
+ "\xf7\xd5\x95\x1d\x28\x10\xc0\x75\x50\x5c\x1a\x4f\x3f\x8f\xa5\xee"
+@@ -756,6 +780,32 @@ static const struct akcipher_testvec ecd
+ static const struct akcipher_testvec ecdsa_nist_p256_tv_template[] = {
+ {
+ .key =
++ "\x04\xb9\x7b\xbb\xd7\x17\x64\xd2\x7e\xfc\x81\x5d\x87\x06\x83\x41"
++ "\x22\xd6\x9a\xaa\x87\x17\xec\x4f\x63\x55\x2f\x94\xba\xdd\x83\xe9"
++ "\x34\x4b\xf3\xe9\x91\x13\x50\xb6\xcb\xca\x62\x08\xe7\x3b\x09\xdc"
++ "\xc3\x63\x4b\x2d\xb9\x73\x53\xe4\x45\xe6\x7c\xad\xe7\x6b\xb0\xe8"
++ "\xaf",
++ .key_len = 65,
++ .params =
++ "\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48"
++ "\xce\x3d\x03\x01\x07",
++ .param_len = 21,
++ .m =
++ "\xc2\x2b\x5f\x91\x78\x34\x26\x09\x42\x8d\x6f\x51\xb2\xc5\xaf\x4c"
++ "\x0b\xde\x6a\x42",
++ .m_size = 20,
++ .algo = OID_id_ecdsa_with_sha1,
++ .c =
++ "\x30\x46\x02\x21\x00\xf9\x25\xce\x9f\x3a\xa6\x35\x81\xcf\xd4\xe7"
++ "\xb7\xf0\x82\x56\x41\xf7\xd4\xad\x8d\x94\x5a\x69\x89\xee\xca\x6a"
++ "\x52\x0e\x48\x4d\xcc\x02\x21\x00\xd7\xe4\xef\x52\x66\xd3\x5b\x9d"
++ "\x8a\xfa\x54\x93\x29\xa7\x70\x86\xf1\x03\x03\xf3\x3b\xe2\x73\xf7"
++ "\xfb\x9d\x8b\xde\xd4\x8d\x6f\xad",
++ .c_size = 72,
++ .public_key_vec = true,
++ .siggen_sigver_test = true,
++ }, {
++ .key =
+ "\x04\x8b\x6d\xc0\x33\x8e\x2d\x8b\x67\xf5\xeb\xc4\x7f\xa0\xf5\xd9"
+ "\x7b\x03\xa5\x78\x9a\xb5\xea\x14\xe4\x23\xd0\xaf\xd7\x0e\x2e\xa0"
+ "\xc9\x8b\xdb\x95\xf8\xb3\xaf\xac\x00\x2c\x2c\x1f\x7a\xfd\x95\x88"
+@@ -866,6 +916,36 @@ static const struct akcipher_testvec ecd
+
+ static const struct akcipher_testvec ecdsa_nist_p384_tv_template[] = {
+ {
++ .key = /* secp384r1(sha1) */
++ "\x04\x89\x25\xf3\x97\x88\xcb\xb0\x78\xc5\x72\x9a\x14\x6e\x7a\xb1"
++ "\x5a\xa5\x24\xf1\x95\x06\x9e\x28\xfb\xc4\xb9\xbe\x5a\x0d\xd9\x9f"
++ "\xf3\xd1\x4d\x2d\x07\x99\xbd\xda\xa7\x66\xec\xbb\xea\xba\x79\x42"
++ "\xc9\x34\x89\x6a\xe7\x0b\xc3\xf2\xfe\x32\x30\xbe\xba\xf9\xdf\x7e"
++ "\x4b\x6a\x07\x8e\x26\x66\x3f\x1d\xec\xa2\x57\x91\x51\xdd\x17\x0e"
++ "\x0b\x25\xd6\x80\x5c\x3b\xe6\x1a\x98\x48\x91\x45\x7a\x73\xb0\xc3"
++ "\xf1",
++ .key_len = 97,
++ .params =
++ "\x30\x10\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x05\x2b\x81\x04"
++ "\x00\x22",
++ .param_len = 18,
++ .m =
++ "\x12\x55\x28\xf0\x77\xd5\xb6\x21\x71\x32\x48\xcd\x28\xa8\x25\x22"
++ "\x3a\x69\xc1\x93",
++ .m_size = 20,
++ .algo = OID_id_ecdsa_with_sha1,
++ .c =
++ "\x30\x66\x02\x31\x00\xf5\x0f\x24\x4c\x07\x93\x6f\x21\x57\x55\x07"
++ "\x20\x43\x30\xde\xa0\x8d\x26\x8e\xae\x63\x3f\xbc\x20\x3a\xc6\xf1"
++ "\x32\x3c\xce\x70\x2b\x78\xf1\x4c\x26\xe6\x5b\x86\xcf\xec\x7c\x7e"
++ "\xd0\x87\xd7\xd7\x6e\x02\x31\x00\xcd\xbb\x7e\x81\x5d\x8f\x63\xc0"
++ "\x5f\x63\xb1\xbe\x5e\x4c\x0e\xa1\xdf\x28\x8c\x1b\xfa\xf9\x95\x88"
++ "\x74\xa0\x0f\xbf\xaf\xc3\x36\x76\x4a\xa1\x59\xf1\x1c\xa4\x58\x26"
++ "\x79\x12\x2a\xb7\xc5\x15\x92\xc5",
++ .c_size = 104,
++ .public_key_vec = true,
++ .siggen_sigver_test = true,
++ }, {
+ .key = /* secp384r1(sha224) */
+ "\x04\x69\x6c\xcf\x62\xee\xd0\x0d\xe5\xb5\x2f\x70\x54\xcf\x26\xa0"
+ "\xd9\x98\x8d\x92\x2a\xab\x9b\x11\xcb\x48\x18\xa1\xa9\x0d\xd5\x18"
+--- a/include/linux/oid_registry.h
++++ b/include/linux/oid_registry.h
+@@ -17,10 +17,12 @@
+ * build_OID_registry.pl to generate the data for look_up_OID().
+ */
+ enum OID {
++ OID_id_dsa_with_sha1, /* 1.2.840.10030.4.3 */
+ OID_id_dsa, /* 1.2.840.10040.4.1 */
+ OID_id_ecPublicKey, /* 1.2.840.10045.2.1 */
+ OID_id_prime192v1, /* 1.2.840.10045.3.1.1 */
+ OID_id_prime256v1, /* 1.2.840.10045.3.1.7 */
++ OID_id_ecdsa_with_sha1, /* 1.2.840.10045.4.1 */
+ OID_id_ecdsa_with_sha224, /* 1.2.840.10045.4.3.1 */
+ OID_id_ecdsa_with_sha256, /* 1.2.840.10045.4.3.2 */
+ OID_id_ecdsa_with_sha384, /* 1.2.840.10045.4.3.3 */
+@@ -28,6 +30,7 @@ enum OID {
+
+ /* PKCS#1 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)} */
+ OID_rsaEncryption, /* 1.2.840.113549.1.1.1 */
++ OID_sha1WithRSAEncryption, /* 1.2.840.113549.1.1.5 */
+ OID_sha256WithRSAEncryption, /* 1.2.840.113549.1.1.11 */
+ OID_sha384WithRSAEncryption, /* 1.2.840.113549.1.1.12 */
+ OID_sha512WithRSAEncryption, /* 1.2.840.113549.1.1.13 */
+@@ -64,6 +67,7 @@ enum OID {
+ OID_PKU2U, /* 1.3.5.1.5.2.7 */
+ OID_Scram, /* 1.3.6.1.5.5.14 */
+ OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
++ OID_sha1, /* 1.3.14.3.2.26 */
+ OID_id_ansip384r1, /* 1.3.132.0.34 */
+ OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
+ OID_sha384, /* 2.16.840.1.101.3.4.2.2 */
+--- a/kernel/module/Kconfig
++++ b/kernel/module/Kconfig
+@@ -236,6 +236,10 @@ choice
+ possible to load a signed module containing the algorithm to check
+ the signature on that module.
+
++config MODULE_SIG_SHA1
++ bool "Sign modules with SHA-1"
++ select CRYPTO_SHA1
++
+ config MODULE_SIG_SHA256
+ bool "Sign modules with SHA-256"
+ select CRYPTO_SHA256
+@@ -265,6 +269,7 @@ endchoice
+ config MODULE_SIG_HASH
+ string
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
++ default "sha1" if MODULE_SIG_SHA1
+ default "sha256" if MODULE_SIG_SHA256
+ default "sha384" if MODULE_SIG_SHA384
+ default "sha512" if MODULE_SIG_SHA512
diff --git a/queue-6.7/selftests-mptcp-diag-return-ksft_fail-not-test_cnt.patch b/queue-6.7/selftests-mptcp-diag-return-ksft_fail-not-test_cnt.patch
new file mode 100644
index 00000000000..bb945ab4eaf
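Review bot: The signature.c hunk changes a documentation example back from `(eg. "sha512")` to `(eg. "sha1")`; that line is not needed to restore the KEYCTL_PKEY_* behaviour iwd depends on, and the commit message itself says only parts of the original removal have to come back, so keeping the sha512 example (and, as the message suggests, leaving MODULE_SIG_SHA1 out) would avoid advertising a deprecated digest to new signers while still fixing the regression. Since the revert again accepts SHA-1 in x509_note_sig_algo, pkcs7_sig_note_digest_algo and mscode_note_digest_algo, a comment at the new `case OID_sha1:` arms such as `/* SHA-1 kept only for userspace KEYCTL_PKEY_* compatibility (iwd/libell); do not use for new signatures */` would record why the algorithm is back and make the next removal attempt easier to scope. The same applies to the `case OID_sha1WithRSAEncryption:` and `case OID_id_ecdsa_with_sha1:` arms in x509_cert_parser.c.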
--- /dev/null
+++ b/queue-6.7/selftests-mptcp-diag-return-ksft_fail-not-test_cnt.patch
@@ -0,0 +1,52 @@
+From 45bcc0346561daa3f59e19a753cc7f3e08e8dff1 Mon Sep 17 00:00:00 2001
+From: Geliang Tang
+Date: Fri, 1 Mar 2024 18:11:22 +0100
+Subject: selftests: mptcp: diag: return KSFT_FAIL not test_cnt
+
+From: Geliang Tang
+
+commit 45bcc0346561daa3f59e19a753cc7f3e08e8dff1 upstream.
+
+The test counter 'test_cnt' should not be returned in diag.sh, e.g. what
+if only the 4th test fail? Will do 'exit 4' which is 'exit ${KSFT_SKIP}',
+the whole test will be marked as skipped instead of 'failed'!
+
+So we should do ret=${KSFT_FAIL} instead.
+
+Fixes: df62f2ec3df6 ("selftests/mptcp: add diag interface tests")
+Cc: stable@vger.kernel.org
+Fixes: 42fb6cddec3b ("selftests: mptcp: more stable diag tests")
+Signed-off-by: Geliang Tang
+Reviewed-by: Matthieu Baerts (NGI0)
+Signed-off-by: Matthieu Baerts (NGI0)
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/diag.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/diag.sh
++++ b/tools/testing/selftests/net/mptcp/diag.sh
+@@ -69,7 +69,7 @@ __chk_nr()
+ else
+ echo "[ fail ] expected $expected found $nr"
+ mptcp_lib_result_fail "${msg}"
+- ret=$test_cnt
++ ret=${KSFT_FAIL}
+ fi
+ else
+ echo "[ ok ]"
+@@ -115,11 +115,11 @@ wait_msk_nr()
+ if [ $i -ge $timeout ]; then
+ echo "[ fail ] timeout while expecting $expected max $max last $nr"
+ mptcp_lib_result_fail "${msg} # timeout"
+- ret=$test_cnt
++ ret=${KSFT_FAIL}
+ elif [ $nr != $expected ]; then
+ echo "[ fail ] expected $expected found $nr"
+ mptcp_lib_result_fail "${msg} # unexpected result"
+- ret=$test_cnt
++ ret=${KSFT_FAIL}
+ else
+ echo "[ ok ]"
+ mptcp_lib_result_pass "${msg}"
diff --git a/queue-6.7/series b/queue-6.7/series
index 96fa2ffb04b..685788b82bb 100644
--- a/queue-6.7/series
+++ b/queue-6.7/series
@@ -231,3 +231,19 @@ drm-bridge-lt8912b-clear-the-edid-property-on-failur.patch
 drm-bridge-lt8912b-do-not-return-negative-values-fro.patch
 workqueue-shorten-events_freezable_power_efficient-name.patch
 drm-amd-display-use-freesync-when-drm_edid_feature_continuous_freq-found.patch
+netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch
+netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch
+netfilter-nf_tables-reject-constant-set-with-timeout.patch
+drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch
+nouveau-lock-the-client-object-tree.patch
+drm-nouveau-fix-stale-locked-mutex-in-nouveau_gem_ioctl_pushbuf.patch
+crypto-rk3288-fix-use-after-free-in-unprepare.patch
+crypto-sun8i-ce-fix-use-after-free-in-unprepare.patch
+revert-crypto-pkcs7-remove-sha1-support.patch
+xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch
+mm-mmap-fix-vma_merge-case-7-with-vma_ops-close.patch
+selftests-mptcp-diag-return-ksft_fail-not-test_cnt.patch
+usb-typec-tpcm-fix-port_reset-behavior-for-self-powered-devices.patch
+thunderbolt-fix-null-pointer-dereference-in-tb_port_update_credits.patch
+cgroup-cpuset-fix-retval-in-update_cpumask.patch
+cgroup-cpuset-fix-a-memory-leak-in-update_exclusive_cpumask.patch
diff --git a/queue-6.7/thunderbolt-fix-null-pointer-dereference-in-tb_port_update_credits.patch b/queue-6.7/thunderbolt-fix-null-pointer-dereference-in-tb_port_update_credits.patch
new file mode 100644
index 00000000000..a635d9a5cf1
--- /dev/null
+++ b/queue-6.7/thunderbolt-fix-null-pointer-dereference-in-tb_port_update_credits.patch
@@ -0,0 +1,65 @@
+From d3d17e23d1a0d1f959b4fa55b35f1802d9c584fa Mon Sep 17 00:00:00 2001
+From: Mika Westerberg
+Date: Mon, 12 Feb 2024 13:03:34 +0200
+Subject: thunderbolt: Fix NULL pointer dereference in tb_port_update_credits()
+
+From: Mika Westerberg
+
+commit d3d17e23d1a0d1f959b4fa55b35f1802d9c584fa upstream.
+
+Olliver reported that his system crashes when plugging in Thunderbolt 1
+device:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000020
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ RIP: 0010:tb_port_do_update_credits+0x1b/0x130 [thunderbolt]
+ Call Trace:
+
+ ? __die+0x23/0x70
+ ? page_fault_oops+0x171/0x4e0
+ ? exc_page_fault+0x7f/0x180
+ ? asm_exc_page_fault+0x26/0x30
+ ? tb_port_do_update_credits+0x1b/0x130
+ ? tb_switch_update_link_attributes+0x83/0xd0
+ tb_switch_add+0x7a2/0xfe0
+ tb_scan_port+0x236/0x6f0
+ tb_handle_hotplug+0x6db/0x900
+ process_one_work+0x171/0x340
+ worker_thread+0x27b/0x3a0
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0xe5/0x120
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x31/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1b/0x30
+
+
+This is due the fact that some Thunderbolt 1 devices only have one lane
+adapter. Fix this by checking for the lane 1 before we read its credits.
+
+Reported-by: Olliver Schinagl
+Closes: https://lore.kernel.org/linux-usb/c24c7882-6254-4e68-8f22-f3e8f65dc84f@schinagl.nl/
+Fixes: 81af2952e606 ("thunderbolt: Add support for asymmetric link")
+Cc: stable@vger.kernel.org
+Cc: Gil Fine
+Signed-off-by: Mika Westerberg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thunderbolt/switch.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/thunderbolt/switch.c
++++ b/drivers/thunderbolt/switch.c
+@@ -1265,6 +1265,9 @@ int tb_port_update_credits(struct tb_por
+ ret = tb_port_do_update_credits(port);
+ if (ret)
+ return ret;
++
++ if (!port->dual_link_port)
++ return 0;
+ return tb_port_do_update_credits(port->dual_link_port);
+ }
+
diff --git a/queue-6.7/usb-typec-tpcm-fix-port_reset-behavior-for-self-powered-devices.patch b/queue-6.7/usb-typec-tpcm-fix-port_reset-behavior-for-self-powered-devices.patch
new file mode 100644
index 00000000000..8028f65da92
--- /dev/null
+++ b/queue-6.7/usb-typec-tpcm-fix-port_reset-behavior-for-self-powered-devices.patch
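Review bot: The new `if (!port->dual_link_port) return 0;` in tb_port_update_credits says nothing about when that pointer can be NULL; the commit message explains that some Thunderbolt 1 devices expose only a single lane adapter, and that belongs next to the check: `/* Thunderbolt 1 devices may have only one lane adapter */`. Returning 0 after lane 0 has been updated reports success for a port without a second lane, which looks intended since there is nothing left to update, but the comment would confirm it for the next reader. The enclosing tb_port_update_credits starts before the hunk.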
@@ -0,0 +1,59 @@
+From 197331b27ac890d0209232d5f669830cd00e8918 Mon Sep 17 00:00:00 2001
+From: Badhri Jagan Sridharan
+Date: Wed, 28 Feb 2024 00:05:12 +0000
+Subject: usb: typec: tpcm: Fix PORT_RESET behavior for self powered devices
+
+From: Badhri Jagan Sridharan
+
+commit 197331b27ac890d0209232d5f669830cd00e8918 upstream.
+
+While commit 69f89168b310 ("usb: typec: tpcm: Fix issues with power being
+removed during reset") fixes the boot issues for bus powered devices such
+as LibreTech Renegade Elite/Firefly, it trades off the CC pins NOT being
+Hi-Zed during errory recovery (i.e PORT_RESET) for devices which are NOT
+bus powered(a.k.a self powered). This change Hi-Zs the CC pins only for
+self powered devices, thus preventing brown out for bus powered devices
+
+Adhering to spec is gaining more importance due to the Common charger
+initiative enforced by the European Union.
+
+Quoting from the spec:
+ 4.5.2.2.2.1 ErrorRecovery State Requirements
+ The port shall not drive VBUS or VCONN, and shall present a
+ high-impedance to ground (above zOPEN) on its CC1 and CC2 pins.
+
+Hi-Zing the CC pins is the inteded behavior for PORT_RESET.
+CC pins are set to default state after tErrorRecovery in
+PORT_RESET_WAIT_OFF.
+
+ 4.5.2.2.2.2 Exiting From ErrorRecovery State
+ A Sink shall transition to Unattached.SNK after tErrorRecovery.
+ A Source shall transition to Unattached.SRC after tErrorRecovery.
+
+Fixes: 69f89168b310 ("usb: typec: tpcm: Fix issues with power being removed during reset")
+Cc: stable@vger.kernel.org
+Cc: Mark Brown
+Signed-off-by: Badhri Jagan Sridharan
+Tested-by: Mark Brown
+Link: https://lore.kernel.org/r/20240228000512.746252-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -4859,8 +4859,11 @@ static void run_state_machine(struct tcp
+ break;
+ case PORT_RESET:
+ tcpm_reset_port(port);
+- tcpm_set_cc(port, tcpm_default_state(port) == SNK_UNATTACHED ?
+- TYPEC_CC_RD : tcpm_rp_cc(port));
++ if (port->self_powered)
++ tcpm_set_cc(port, TYPEC_CC_OPEN);
++ else
++ tcpm_set_cc(port, tcpm_default_state(port) == SNK_UNATTACHED ?
++ TYPEC_CC_RD : tcpm_rp_cc(port));
+ tcpm_set_state(port, PORT_RESET_WAIT_OFF,
+ PD_T_ERROR_RECOVERY);
+ break;
diff --git a/queue-6.7/xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch b/queue-6.7/xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch
new file mode 100644
index 00000000000..9806d57d2ed
--- /dev/null
+++ b/queue-6.7/xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch
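Review bot: The `if (port->self_powered)` branch in the PORT_RESET case carries none of the reasoning from the commit message; a reader sees two ways of driving CC with no hint that TYPEC_CC_OPEN is the ErrorRecovery requirement and the other branch a deliberate trade-off for bus-powered boards. Suggest a comment above the branch: `/* ErrorRecovery requires Hi-Z CC (USB Type-C 4.5.2.2.2.1); bus-powered ports keep CC driven so VBUS is not lost (see 69f89168b310) */`. Where `self_powered` is populated is not visible here, so whether it is reliably set for every port that should take the spec-conformant path would need checking against the tcpm probe path. run_state_machine starts and ends outside the hunk.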
@@ -0,0 +1,56 @@
+From 1a807e46aa93ebad1dfbed4f82dc3bf779423a6e Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Wed, 21 Feb 2024 14:46:21 -0700
+Subject: xfrm: Avoid clang fortify warning in copy_to_user_tmpl()
+
+From: Nathan Chancellor
+
+commit 1a807e46aa93ebad1dfbed4f82dc3bf779423a6e upstream.
+
+After a couple recent changes in LLVM, there is a warning (or error with
+CONFIG_WERROR=y or W=e) from the compile time fortify source routines,
+specifically the memset() in copy_to_user_tmpl().
+
+ In file included from net/xfrm/xfrm_user.c:14:
+ ...
+ include/linux/fortify-string.h:438:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
+ 438 | __write_overflow_field(p_size_field, size);
+ | ^
+ 1 error generated.
+
+While ->xfrm_nr has been validated against XFRM_MAX_DEPTH when its value
+is first assigned in copy_templates() by calling validate_tmpl() first
+(so there should not be any issue in practice), LLVM/clang cannot really
+deduce that across the boundaries of these functions. Without that
+knowledge, it cannot assume that the loop stops before i is greater than
+XFRM_MAX_DEPTH, which would indeed result a stack buffer overflow in the
+memset().
+
+To make the bounds of ->xfrm_nr clear to the compiler and add additional
+defense in case copy_to_user_tmpl() is ever used in a path where
+->xfrm_nr has not been properly validated against XFRM_MAX_DEPTH first,
+add an explicit bound check and early return, which clears up the
+warning.
+
+Cc: stable@vger.kernel.org
+Link: https://github.com/ClangBuiltLinux/linux/issues/1985
+Signed-off-by: Nathan Chancellor
+Reviewed-by: Kees Cook
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2017,6 +2017,9 @@ static int copy_to_user_tmpl(struct xfrm
+ if (xp->xfrm_nr == 0)
+ return 0;
+
++ if (xp->xfrm_nr > XFRM_MAX_DEPTH)
++ return -ENOBUFS;
++
+ for (i = 0; i < xp->xfrm_nr; i++) {
+ struct xfrm_user_tmpl *up = &vec[i];
+ struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
--
2.47.3
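Review bot: The new `if (xp->xfrm_nr > XFRM_MAX_DEPTH) return -ENOBUFS;` in copy_to_user_tmpl treats a violated kernel-side invariant like an ordinary resource shortage; the commit message states xfrm_nr is already validated in validate_tmpl() before it is stored, so reaching this branch would indicate a bug, and `if (WARN_ON_ONCE(xp->xfrm_nr > XFRM_MAX_DEPTH)) return -ENOBUFS;` would make that visible instead of silently omitting the templates from the dump. A short comment recording the dual purpose, a bound the compiler can see for the fortified memset() plus defense in depth for any future caller, would also help readers who never see the commit message: `/* validated in validate_tmpl(); re-checked here so the fortified memset() bound is visible to the compiler */`. copy_to_user_tmpl begins before the hunk and continues past it, and the memset() in question is not visible here.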