--- /dev/null
+From efe7cf828039aedb297c1f9920b638fffee6aabc Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Fri, 20 Oct 2023 15:38:14 +0200
+Subject: can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit efe7cf828039aedb297c1f9920b638fffee6aabc upstream.
+
+Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)
+modifies jsk->filters while receiving packets.
+
+Following trace was seen on affected system:
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+ Read of size 4 at addr ffff888012144014 by task j1939/350
+
+ CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ Call Trace:
+ print_report+0xd3/0x620
+ ? kasan_complete_mode_report_info+0x7d/0x200
+ ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+ kasan_report+0xc2/0x100
+ ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+ __asan_load4+0x84/0xb0
+ j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+ j1939_sk_recv+0x20b/0x320 [can_j1939]
+ ? __kasan_check_write+0x18/0x20
+ ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]
+ ? j1939_simple_recv+0x69/0x280 [can_j1939]
+ ? j1939_ac_recv+0x5e/0x310 [can_j1939]
+ j1939_can_recv+0x43f/0x580 [can_j1939]
+ ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
+ ? raw_rcv+0x42/0x3c0 [can_raw]
+ ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
+ can_rcv_filter+0x11f/0x350 [can]
+ can_receive+0x12f/0x190 [can]
+ ? __pfx_can_rcv+0x10/0x10 [can]
+ can_rcv+0xdd/0x130 [can]
+ ? __pfx_can_rcv+0x10/0x10 [can]
+ __netif_receive_skb_one_core+0x13d/0x150
+ ? __pfx___netif_receive_skb_one_core+0x10/0x10
+ ? __kasan_check_write+0x18/0x20
+ ? _raw_spin_lock_irq+0x8c/0xe0
+ __netif_receive_skb+0x23/0xb0
+ process_backlog+0x107/0x260
+ __napi_poll+0x69/0x310
+ net_rx_action+0x2a1/0x580
+ ? __pfx_net_rx_action+0x10/0x10
+ ? __pfx__raw_spin_lock+0x10/0x10
+ ? handle_irq_event+0x7d/0xa0
+ __do_softirq+0xf3/0x3f8
+ do_softirq+0x53/0x80
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0x6e/0x70
+ netif_rx+0x16b/0x180
+ can_send+0x32b/0x520 [can]
+ ? __pfx_can_send+0x10/0x10 [can]
+ ? __check_object_size+0x299/0x410
+ raw_sendmsg+0x572/0x6d0 [can_raw]
+ ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
+ ? apparmor_socket_sendmsg+0x2f/0x40
+ ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
+ sock_sendmsg+0xef/0x100
+ sock_write_iter+0x162/0x220
+ ? __pfx_sock_write_iter+0x10/0x10
+ ? __rtnl_unlock+0x47/0x80
+ ? security_file_permission+0x54/0x320
+ vfs_write+0x6ba/0x750
+ ? __pfx_vfs_write+0x10/0x10
+ ? __fget_light+0x1ca/0x1f0
+ ? __rcu_read_unlock+0x5b/0x280
+ ksys_write+0x143/0x170
+ ? __pfx_ksys_write+0x10/0x10
+ ? __kasan_check_read+0x15/0x20
+ ? fpregs_assert_state_consistent+0x62/0x70
+ __x64_sys_write+0x47/0x60
+ do_syscall_64+0x60/0x90
+ ? do_syscall_64+0x6d/0x90
+ ? irqentry_exit+0x3f/0x50
+ ? exc_page_fault+0x79/0xf0
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+ Allocated by task 348:
+ kasan_save_stack+0x2a/0x50
+ kasan_set_track+0x29/0x40
+ kasan_save_alloc_info+0x1f/0x30
+ __kasan_kmalloc+0xb5/0xc0
+ __kmalloc_node_track_caller+0x67/0x160
+ j1939_sk_setsockopt+0x284/0x450 [can_j1939]
+ __sys_setsockopt+0x15c/0x2f0
+ __x64_sys_setsockopt+0x6b/0x80
+ do_syscall_64+0x60/0x90
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+ Freed by task 349:
+ kasan_save_stack+0x2a/0x50
+ kasan_set_track+0x29/0x40
+ kasan_save_free_info+0x2f/0x50
+ __kasan_slab_free+0x12e/0x1c0
+ __kmem_cache_free+0x1b9/0x380
+ kfree+0x7a/0x120
+ j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]
+ __sys_setsockopt+0x15c/0x2f0
+ __x64_sys_setsockopt+0x6b/0x80
+ do_syscall_64+0x60/0x90
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
+Reported-by: Sili Luo <rootlab@huawei.com>
+Suggested-by: Sili Luo <rootlab@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/all/20231020133814.383996-1-o.rempel@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/j1939-priv.h | 1 +
+ net/can/j1939/socket.c | 22 ++++++++++++++++++----
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+--- a/net/can/j1939/j1939-priv.h
++++ b/net/can/j1939/j1939-priv.h
+@@ -297,6 +297,7 @@ struct j1939_sock {
+
+ int ifindex;
+ struct j1939_addr addr;
++ spinlock_t filters_lock;
+ struct j1939_filter *filters;
+ int nfilters;
+ pgn_t pgn_rx_filter;
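Review bot: The new `filters_lock` member of struct j1939_sock has no comment saying what it guards, and the commit text speaks of locking jsk->sk while the code introduces a separate spinlock. I would add `/* protects filters and nfilters against concurrent setsockopt(SO_J1939_FILTER) and receive-side matching */` above the field. The KASAN trace in the commit message shows the reader running under __do_softirq, which is presumably why the `_bh` variants are used; that is worth stating in the comment too. The rest of the struct lies outside the hunk.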
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -262,12 +262,17 @@ static bool j1939_sk_match_dst(struct j1
+ static bool j1939_sk_match_filter(struct j1939_sock *jsk,
+ const struct j1939_sk_buff_cb *skcb)
+ {
+- const struct j1939_filter *f = jsk->filters;
+- int nfilter = jsk->nfilters;
++ const struct j1939_filter *f;
++ int nfilter;
++
++ spin_lock_bh(&jsk->filters_lock);
++
++ f = jsk->filters;
++ nfilter = jsk->nfilters;
+
+ if (!nfilter)
+ /* receive all when no filters are assigned */
+- return true;
++ goto filter_match_found;
+
+ for (; nfilter; ++f, --nfilter) {
+ if ((skcb->addr.pgn & f->pgn_mask) != f->pgn)
+@@ -276,9 +281,15 @@ static bool j1939_sk_match_filter(struct
+ continue;
+ if ((skcb->addr.src_name & f->name_mask) != f->name)
+ continue;
+- return true;
++ goto filter_match_found;
+ }
++
++ spin_unlock_bh(&jsk->filters_lock);
+ return false;
++
++filter_match_found:
++ spin_unlock_bh(&jsk->filters_lock);
++ return true;
+ }
+
+ static bool j1939_sk_recv_match_one(struct j1939_sock *jsk,
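Review bot: j1939_sk_match_filter() now has two separate unlock-and-return tails (`return false` after the loop and the `filter_match_found` label), so any later exit added to the loop has to pick the right one or it leaves filters_lock held with bottom halves disabled. A single result variable and one unlock site would be harder to get wrong. The function begins in the previous hunk, which holds the declarations and the `spin_lock_bh()` call.

```c
	const struct j1939_filter *f;
	bool match = false;
	int nfilter;

	spin_lock_bh(&jsk->filters_lock);
	/* … unchanged: load f and nfilter from jsk … */

	if (!nfilter) {
		/* receive all when no filters are assigned */
		match = true;
		goto out_unlock;
	}

	for (; nfilter; ++f, --nfilter) {
		/* … unchanged: pgn, addr and name mask checks … */
		match = true;
		break;
	}

out_unlock:
	spin_unlock_bh(&jsk->filters_lock);
	return match;
```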
+@@ -401,6 +412,7 @@ static int j1939_sk_init(struct sock *sk
+ atomic_set(&jsk->skb_pending, 0);
+ spin_lock_init(&jsk->sk_session_queue_lock);
+ INIT_LIST_HEAD(&jsk->sk_session_queue);
++ spin_lock_init(&jsk->filters_lock);
+
+ /* j1939_sk_sock_destruct() depends on SOCK_RCU_FREE flag */
+ sock_set_flag(sk, SOCK_RCU_FREE);
+@@ -703,9 +715,11 @@ static int j1939_sk_setsockopt(struct so
+ }
+
+ lock_sock(&jsk->sk);
++ spin_lock_bh(&jsk->filters_lock);
+ ofilters = jsk->filters;
+ jsk->filters = filters;
+ jsk->nfilters = count;
++ spin_unlock_bh(&jsk->filters_lock);
+ release_sock(&jsk->sk);
+ kfree(ofilters);
+ return 0;
--- /dev/null
+From cda4672da1c26835dcbd7aec2bfed954eda9b5ef Mon Sep 17 00:00:00 2001
+From: Rishabh Dave <ridave@redhat.com>
+Date: Thu, 1 Feb 2024 17:07:16 +0530
+Subject: ceph: prevent use-after-free in encode_cap_msg()
+
+From: Rishabh Dave <ridave@redhat.com>
+
+commit cda4672da1c26835dcbd7aec2bfed954eda9b5ef upstream.
+
+In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was
+caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This
+implies before the refcount could be increment here, it was freed.
+
+In same file, in "handle_cap_grant()" refcount is decremented by this
+line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race
+occurred and resource was freed by the latter line before the former
+line could increment it.
+
+encode_cap_msg() is called by __send_cap() and __send_cap() is called by
+ceph_check_caps() after calling __prep_cap(). __prep_cap() is where
+arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where
+the refcount must be increased to prevent "use after free" error.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/59259
+Signed-off-by: Rishabh Dave <ridave@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Xiubo Li <xiubli@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/caps.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1402,7 +1402,7 @@ static void __prep_cap(struct cap_msg_ar
+ if (flushing & CEPH_CAP_XATTR_EXCL) {
+ arg->old_xattr_buf = __ceph_build_xattrs_blob(ci);
+ arg->xattr_version = ci->i_xattrs.version;
+- arg->xattr_buf = ci->i_xattrs.blob;
++ arg->xattr_buf = ceph_buffer_get(ci->i_xattrs.blob);
+ } else {
+ arg->xattr_buf = NULL;
+ arg->old_xattr_buf = NULL;
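Review bot: `ceph_buffer_get(ci->i_xattrs.blob)` is called unconditionally in the CEPH_CAP_XATTR_EXCL branch, so it is worth confirming either that the blob can never be NULL at this point or that ceph_buffer_get() tolerates NULL; neither is visible in this hunk. If NULL is possible, guard it: `arg->xattr_buf = ci->i_xattrs.blob ? ceph_buffer_get(ci->i_xattrs.blob) : NULL;`. A short comment such as `/* hold a ref until __send_cap() has encoded the message */` would also record why the reference is taken. __prep_cap() starts and ends outside the hunk.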
+@@ -1468,6 +1468,7 @@ static void __send_cap(struct cap_msg_ar
+ encode_cap_msg(msg, arg);
+ ceph_con_send(&arg->session->s_con, msg);
+ ceph_buffer_put(arg->old_xattr_buf);
++ ceph_buffer_put(arg->xattr_buf);
+ if (arg->wake)
+ wake_up_all(&ci->i_cap_wq);
+ }
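Review bot: The reference taken in __prep_cap() is dropped only after ceph_con_send(), so any return from __send_cap() before that point would leak `arg->xattr_buf` along with `arg->old_xattr_buf`. The top of the function is outside the hunk; if it has an early exit (for example when the message cannot be allocated), that path needs the same two `ceph_buffer_put()` calls. The same applies to any caller that runs __prep_cap() without reaching __send_cap().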
--- /dev/null
+From ccb88e9549e7cfd8bcd511c538f437e20026e983 Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@amd.com>
+Date: Thu, 25 Jan 2024 17:12:53 -0600
+Subject: crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+commit ccb88e9549e7cfd8bcd511c538f437e20026e983 upstream.
+
+The SEV platform device can be shutdown with a null psp_master,
+e.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN:
+
+[ 137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002)
+[ 137.162647] ccp 0000:23:00.1: no command queues available
+[ 137.170598] ccp 0000:23:00.1: sev enabled
+[ 137.174645] ccp 0000:23:00.1: psp enabled
+[ 137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
+[ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7]
+[ 137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311
+[ 137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180
+[ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c
+[ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216
+[ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e
+[ 137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0
+[ 137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66
+[ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28
+[ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8
+[ 137.182693] FS: 0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000
+[ 137.182693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0
+[ 137.182693] Call Trace:
+[ 137.182693] <TASK>
+[ 137.182693] ? show_regs+0x6c/0x80
+[ 137.182693] ? __die_body+0x24/0x70
+[ 137.182693] ? die_addr+0x4b/0x80
+[ 137.182693] ? exc_general_protection+0x126/0x230
+[ 137.182693] ? asm_exc_general_protection+0x2b/0x30
+[ 137.182693] ? __sev_platform_shutdown_locked+0x51/0x180
+[ 137.182693] sev_firmware_shutdown.isra.0+0x1e/0x80
+[ 137.182693] sev_dev_destroy+0x49/0x100
+[ 137.182693] psp_dev_destroy+0x47/0xb0
+[ 137.182693] sp_destroy+0xbb/0x240
+[ 137.182693] sp_pci_remove+0x45/0x60
+[ 137.182693] pci_device_remove+0xaa/0x1d0
+[ 137.182693] device_remove+0xc7/0x170
+[ 137.182693] really_probe+0x374/0xbe0
+[ 137.182693] ? srso_return_thunk+0x5/0x5f
+[ 137.182693] __driver_probe_device+0x199/0x460
+[ 137.182693] driver_probe_device+0x4e/0xd0
+[ 137.182693] __driver_attach+0x191/0x3d0
+[ 137.182693] ? __pfx___driver_attach+0x10/0x10
+[ 137.182693] bus_for_each_dev+0x100/0x190
+[ 137.182693] ? __pfx_bus_for_each_dev+0x10/0x10
+[ 137.182693] ? __kasan_check_read+0x15/0x20
+[ 137.182693] ? srso_return_thunk+0x5/0x5f
+[ 137.182693] ? _raw_spin_unlock+0x27/0x50
+[ 137.182693] driver_attach+0x41/0x60
+[ 137.182693] bus_add_driver+0x2a8/0x580
+[ 137.182693] driver_register+0x141/0x480
+[ 137.182693] __pci_register_driver+0x1d6/0x2a0
+[ 137.182693] ? srso_return_thunk+0x5/0x5f
+[ 137.182693] ? esrt_sysfs_init+0x1cd/0x5d0
+[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10
+[ 137.182693] sp_pci_init+0x22/0x30
+[ 137.182693] sp_mod_init+0x14/0x30
+[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10
+[ 137.182693] do_one_initcall+0xd1/0x470
+[ 137.182693] ? __pfx_do_one_initcall+0x10/0x10
+[ 137.182693] ? parameq+0x80/0xf0
+[ 137.182693] ? srso_return_thunk+0x5/0x5f
+[ 137.182693] ? __kmalloc+0x3b0/0x4e0
+[ 137.182693] ? kernel_init_freeable+0x92d/0x1050
+[ 137.182693] ? kasan_populate_vmalloc_pte+0x171/0x190
+[ 137.182693] ? srso_return_thunk+0x5/0x5f
+[ 137.182693] kernel_init_freeable+0xa64/0x1050
+[ 137.182693] ? __pfx_kernel_init+0x10/0x10
+[ 137.182693] kernel_init+0x24/0x160
+[ 137.182693] ? __switch_to_asm+0x3e/0x70
+[ 137.182693] ret_from_fork+0x40/0x80
+[ 137.182693] ? __pfx_kernel_init+0x10/0x10
+[ 137.182693] ret_from_fork_asm+0x1b/0x30
+[ 137.182693] </TASK>
+[ 137.182693] Modules linked in:
+[ 137.538483] ---[ end trace 0000000000000000 ]---
+
+Fixes: 1b05ece0c931 ("crypto: ccp - During shutdown, check SEV data pointer before using")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
+Acked-by: John Allen <john.allen@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -304,10 +304,16 @@ EXPORT_SYMBOL_GPL(sev_platform_init);
+
+ static int __sev_platform_shutdown_locked(int *error)
+ {
+- struct sev_device *sev = psp_master->sev_data;
++ struct psp_device *psp = psp_master;
++ struct sev_device *sev;
+ int ret;
+
+- if (!sev || sev->state == SEV_STATE_UNINIT)
++ if (!psp || !psp->sev_data)
++ return 0;
++
++ sev = psp->sev_data;
++
++ if (sev->state == SEV_STATE_UNINIT)
+ return 0;
+
+ ret = __sev_do_cmd_locked(SEV_CMD_SHUTDOWN, NULL, error);
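Review bot: `psp->sev_data` is read twice, once in the NULL test and again in the assignment; reading it once keeps the original single-condition shape: `sev = psp ? psp->sev_data : NULL;` followed by `if (!sev || sev->state == SEV_STATE_UNINIT) return 0;`. Other functions in sev-dev.c that start from `psp_master->sev_data` are not visible here and may need the same guard if they can run on the remove path shown in the trace. The function body continues past the hunk.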
--- /dev/null
+From af9acbfc2c4b72c378d0b9a2ee023ed01055d3e2 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Tue, 13 Feb 2024 10:12:06 +0000
+Subject: irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit af9acbfc2c4b72c378d0b9a2ee023ed01055d3e2 upstream.
+
+When updating the affinity of a VPE, the VMOVP command is currently skipped
+if the two CPUs are part of the same VPE affinity.
+
+But this is wrong, as the doorbell corresponding to this VPE is still
+delivered on the 'old' CPU, which screws up the balancing. Furthermore,
+offlining that 'old' CPU results in doorbell interrupts generated for this
+VPE being discarded.
+
+The harsh reality is that VMOVP cannot be elided when a set_affinity()
+request occurs. It needs to be obeyed, and if an optimisation is to be
+made, it is at the point where the affinity change request is made (such as
+in KVM).
+
+Drop the VMOVP elision altogether, and only use the vpe_table_mask
+to try and stay within the same ITS affinity group if at all possible.
+
+Fixes: dd3f050a216e (irqchip/gic-v4.1: Implement the v4.1 flavour of VMOVP)
+Reported-by: Kunkun Jiang <jiangkunkun@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240213101206.2137483-4-maz@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -3782,8 +3782,9 @@ static int its_vpe_set_affinity(struct i
+ bool force)
+ {
+ struct its_vpe *vpe = irq_data_get_irq_chip_data(d);
+- int from, cpu = cpumask_first(mask_val);
++ struct cpumask common, *table_mask;
+ unsigned long flags;
++ int from, cpu;
+
+ /*
+ * Changing affinity is mega expensive, so let's be as lazy as
+@@ -3799,19 +3800,22 @@ static int its_vpe_set_affinity(struct i
+ * taken on any vLPI handling path that evaluates vpe->col_idx.
+ */
+ from = vpe_to_cpuid_lock(vpe, &flags);
+- if (from == cpu)
+- goto out;
+-
+- vpe->col_idx = cpu;
++ table_mask = gic_data_rdist_cpu(from)->vpe_table_mask;
+
+ /*
+- * GICv4.1 allows us to skip VMOVP if moving to a cpu whose RD
+- * is sharing its VPE table with the current one.
++ * If we are offered another CPU in the same GICv4.1 ITS
++ * affinity, pick this one. Otherwise, any CPU will do.
+ */
+- if (gic_data_rdist_cpu(cpu)->vpe_table_mask &&
+- cpumask_test_cpu(from, gic_data_rdist_cpu(cpu)->vpe_table_mask))
++ if (table_mask && cpumask_and(&common, mask_val, table_mask))
++ cpu = cpumask_test_cpu(from, &common) ? from : cpumask_first(&common);
++ else
++ cpu = cpumask_first(mask_val);
++
++ if (from == cpu)
+ goto out;
+
++ vpe->col_idx = cpu;
++
+ its_send_vmovp(vpe);
+ its_vpe_db_proxy_move(vpe, from, cpu);
+
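Review bot: `struct cpumask common` (declared in the previous hunk) puts a full cpumask on the stack of its_vpe_set_affinity(), which grows with NR_CPUS and is normally avoided in kernel code. The same choice of `cpu` can be made without a temporary mask by using `cpumask_intersects()`, `cpumask_first_and()` and two `cpumask_test_cpu()` calls, after which the `common` declaration can go. The function starts and ends outside this hunk.

```c
	table_mask = gic_data_rdist_cpu(from)->vpe_table_mask;

	/* … unchanged: comment on staying within the ITS affinity group … */
	if (table_mask && cpumask_intersects(mask_val, table_mask)) {
		if (cpumask_test_cpu(from, mask_val) &&
		    cpumask_test_cpu(from, table_mask))
			cpu = from;
		else
			cpu = cpumask_first_and(mask_val, table_mask);
	} else {
		cpu = cpumask_first(mask_val);
	}
```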
--- /dev/null
+From b0344d6854d25a8b3b901c778b1728885dd99007 Mon Sep 17 00:00:00 2001
+From: Doug Berger <opendmb@gmail.com>
+Date: Fri, 9 Feb 2024 17:24:49 -0800
+Subject: irqchip/irq-brcmstb-l2: Add write memory barrier before exit
+
+From: Doug Berger <opendmb@gmail.com>
+
+commit b0344d6854d25a8b3b901c778b1728885dd99007 upstream.
+
+It was observed on Broadcom devices that use GIC v3 architecture L1
+interrupt controllers as the parent of brcmstb-l2 interrupt controllers
+that the deactivation of the parent interrupt could happen before the
+brcmstb-l2 deasserted its output. This would lead the GIC to reactivate the
+interrupt only to find that no L2 interrupt was pending. The result was a
+spurious interrupt invoking handle_bad_irq() with its associated
+messaging. While this did not create a functional problem it is a waste of
+cycles.
+
+The hazard exists because the memory mapped bus writes to the brcmstb-l2
+registers are buffered and the GIC v3 architecture uses a very efficient
+system register write to deactivate the interrupt.
+
+Add a write memory barrier prior to invoking chained_irq_exit() to
+introduce a dsb(st) on those systems to ensure the system register write
+cannot be executed until the memory mapped writes are visible to the
+system.
+
+[ florian: Added Fixes tag ]
+
+Fixes: 7f646e92766e ("irqchip: brcmstb-l2: Add Broadcom Set Top Box Level-2 interrupt controller")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240210012449.3009125-1-florian.fainelli@broadcom.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-brcmstb-l2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-brcmstb-l2.c
++++ b/drivers/irqchip/irq-brcmstb-l2.c
+@@ -2,7 +2,7 @@
+ /*
+ * Generic Broadcom Set Top Box Level 2 Interrupt controller driver
+ *
+- * Copyright (C) 2014-2017 Broadcom
++ * Copyright (C) 2014-2024 Broadcom
+ */
+
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+@@ -113,6 +113,9 @@ static void brcmstb_l2_intc_irq_handle(s
+ generic_handle_irq(irq_linear_revmap(b->domain, irq));
+ } while (status);
+ out:
++ /* Don't ack parent before all device writes are done */
++ wmb();
++
+ chained_irq_exit(chip, desc);
+ }
+
--- /dev/null
+From 1a1c13303ff6d64e6f718dc8aa614e580ca8d9b4 Mon Sep 17 00:00:00 2001
+From: Daniel de Villiers <daniel.devilliers@corigine.com>
+Date: Fri, 2 Feb 2024 13:37:18 +0200
+Subject: nfp: flower: prevent re-adding mac index for bonded port
+
+From: Daniel de Villiers <daniel.devilliers@corigine.com>
+
+commit 1a1c13303ff6d64e6f718dc8aa614e580ca8d9b4 upstream.
+
+When physical ports are reset (either through link failure or manually
+toggled down and up again) that are slaved to a Linux bond with a tunnel
+endpoint IP address on the bond device, not all tunnel packets arriving
+on the bond port are decapped as expected.
+
+The bond dev assigns the same MAC address to itself and each of its
+slaves. When toggling a slave device, the same MAC address is therefore
+offloaded to the NFP multiple times with different indexes.
+
+The issue only occurs when re-adding the shared mac. The
+nfp_tunnel_add_shared_mac() function has a conditional check early on
+that checks if a mac entry already exists and if that mac entry is
+global: (entry && nfp_tunnel_is_mac_idx_global(entry->index)). In the
+case of a bonded device (For example br-ex), the mac index is obtained,
+and no new index is assigned.
+
+We therefore modify the conditional in nfp_tunnel_add_shared_mac() to
+check if the port belongs to the LAG along with the existing checks to
+prevent a new global mac index from being re-assigned to the slave port.
+
+Fixes: 20cce8865098 ("nfp: flower: enable MAC address sharing for offloadable devs")
+CC: stable@vger.kernel.org # 5.1+
+Signed-off-by: Daniel de Villiers <daniel.devilliers@corigine.com>
+Signed-off-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
+@@ -927,7 +927,7 @@ nfp_tunnel_add_shared_mac(struct nfp_app
+ u16 nfp_mac_idx = 0;
+
+ entry = nfp_tunnel_lookup_offloaded_macs(app, netdev->dev_addr);
+- if (entry && nfp_tunnel_is_mac_idx_global(entry->index)) {
++ if (entry && (nfp_tunnel_is_mac_idx_global(entry->index) || netif_is_lag_port(netdev))) {
+ if (entry->bridge_count ||
+ !nfp_flower_is_supported_bridge(netdev)) {
+ nfp_tunnel_offloaded_macs_inc_ref_and_link(entry,
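Review bot: The widened condition in nfp_tunnel_add_shared_mac() runs well past the usual line length and gives no hint why a LAG member is treated like a global index. I would break the line after the `||` and add a comment such as `/* bond members share the bond's MAC: reuse the existing entry instead of allocating another index */`, which is what the commit message describes. The function starts and ends outside the hunk.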
--- /dev/null
+From b3d4f7f2288901ed2392695919b3c0e24c1b4084 Mon Sep 17 00:00:00 2001
+From: Daniel Basilio <daniel.basilio@corigine.com>
+Date: Fri, 2 Feb 2024 13:37:17 +0200
+Subject: nfp: use correct macro for LengthSelect in BAR config
+
+From: Daniel Basilio <daniel.basilio@corigine.com>
+
+commit b3d4f7f2288901ed2392695919b3c0e24c1b4084 upstream.
+
+The 1st and 2nd expansion BAR configuration registers are configured,
+when the driver starts up, in variables 'barcfg_msix_general' and
+'barcfg_msix_xpb', respectively. The 'LengthSelect' field is ORed in
+from bit 0, which is incorrect. The 'LengthSelect' field should
+start from bit 27.
+
+This has largely gone un-noticed because
+NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT happens to be 0.
+
+Fixes: 4cb584e0ee7d ("nfp: add CPP access core")
+Cc: stable@vger.kernel.org # 4.11+
+Signed-off-by: Daniel Basilio <daniel.basilio@corigine.com>
+Signed-off-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
+@@ -542,11 +542,13 @@ static int enable_bars(struct nfp6000_pc
+ const u32 barcfg_msix_general =
+ NFP_PCIE_BAR_PCIE2CPP_MapType(
+ NFP_PCIE_BAR_PCIE2CPP_MapType_GENERAL) |
+- NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT;
++ NFP_PCIE_BAR_PCIE2CPP_LengthSelect(
++ NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT);
+ const u32 barcfg_msix_xpb =
+ NFP_PCIE_BAR_PCIE2CPP_MapType(
+ NFP_PCIE_BAR_PCIE2CPP_MapType_BULK) |
+- NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT |
++ NFP_PCIE_BAR_PCIE2CPP_LengthSelect(
++ NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT) |
+ NFP_PCIE_BAR_PCIE2CPP_Target_BaseAddress(
+ NFP_CPP_TARGET_ISLAND_XPB);
+ const u32 barcfg_explicit[4] = {
--- /dev/null
+From 8f7e917907385e112a845d668ae2832f41e64bf5 Mon Sep 17 00:00:00 2001
+From: Nuno Sa <nuno.sa@analog.com>
+Date: Tue, 23 Jan 2024 16:14:22 +0100
+Subject: of: property: fix typo in io-channels
+
+From: Nuno Sa <nuno.sa@analog.com>
+
+commit 8f7e917907385e112a845d668ae2832f41e64bf5 upstream.
+
+The property is io-channels and not io-channel. This was effectively
+preventing the devlink creation.
+
+Fixes: 8e12257dead7 ("of: property: Add device link support for iommus, mboxes and io-channels")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nuno Sa <nuno.sa@analog.com>
+Reviewed-by: Saravana Kannan <saravanak@google.com>
+Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://lore.kernel.org/r/20240123-iio-backend-v7-1-1bff236b8693@analog.com
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/property.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/property.c
++++ b/drivers/of/property.c
+@@ -1306,7 +1306,7 @@ DEFINE_SIMPLE_PROP(clocks, "clocks", "#c
+ DEFINE_SIMPLE_PROP(interconnects, "interconnects", "#interconnect-cells")
+ DEFINE_SIMPLE_PROP(iommus, "iommus", "#iommu-cells")
+ DEFINE_SIMPLE_PROP(mboxes, "mboxes", "#mbox-cells")
+-DEFINE_SIMPLE_PROP(io_channels, "io-channel", "#io-channel-cells")
++DEFINE_SIMPLE_PROP(io_channels, "io-channels", "#io-channel-cells")
+ DEFINE_SIMPLE_PROP(interrupt_parent, "interrupt-parent", NULL)
+ DEFINE_SIMPLE_PROP(dmas, "dmas", "#dma-cells")
+ DEFINE_SIMPLE_PROP(power_domains, "power-domains", "#power-domain-cells")
--- /dev/null
+From 741ba0134fa7822fcf4e4a0a537a5c4cfd706b20 Mon Sep 17 00:00:00 2001
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+Date: Wed, 27 Dec 2023 16:21:24 +0100
+Subject: pmdomain: core: Move the unused cleanup to a _sync initcall
+
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+
+commit 741ba0134fa7822fcf4e4a0a537a5c4cfd706b20 upstream.
+
+The unused clock cleanup uses the _sync initcall to give all users at
+earlier initcalls time to probe. Do the same to avoid leaving some PDs
+dangling at "on" (which actually happened on qcom!).
+
+Fixes: 2fe71dcdfd10 ("PM / domains: Add late_initcall to disable unused PM domains")
+Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231227-topic-pmdomain_sync_cleanup-v1-1-5f36769d538b@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/power/domain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -958,7 +958,7 @@ static int __init genpd_power_off_unused
+
+ return 0;
+ }
+-late_initcall(genpd_power_off_unused);
++late_initcall_sync(genpd_power_off_unused);
+
+ #ifdef CONFIG_PM_SLEEP
+
--- /dev/null
+From 2fe8a236436fe40d8d26a1af8d150fc80f04ee1a Mon Sep 17 00:00:00 2001
+From: Alexandra Winter <wintera@linux.ibm.com>
+Date: Tue, 6 Feb 2024 09:58:49 +0100
+Subject: s390/qeth: Fix potential loss of L3-IP@ in case of network issues
+
+From: Alexandra Winter <wintera@linux.ibm.com>
+
+commit 2fe8a236436fe40d8d26a1af8d150fc80f04ee1a upstream.
+
+Symptom:
+In case of a bad cable connection (e.g. dirty optics) a fast sequence of
+network DOWN-UP-DOWN-UP could happen. UP triggers recovery of the qeth
+interface. In case of a second DOWN while recovery is still ongoing, it
+can happen that the IP@ of a Layer3 qeth interface is lost and will not
+be recovered by the second UP.
+
+Problem:
+When registration of IP addresses with Layer 3 qeth devices fails, (e.g.
+because of bad address format) the respective IP address is deleted from
+its hash-table in the driver. If registration fails because of a ENETDOWN
+condition, the address should stay in the hashtable, so a subsequent
+recovery can restore it.
+
+3caa4af834df ("qeth: keep ip-address after LAN_OFFLINE failure")
+fixes this for registration failures during normal operation, but not
+during recovery.
+
+Solution:
+Keep L3-IP address in case of ENETDOWN in qeth_l3_recover_ip(). For
+consistency with qeth_l3_add_ip() we also keep it in case of EADDRINUSE,
+i.e. for some reason the card already/still has this address registered.
+
+Fixes: 4a71df50047f ("qeth: new qeth device driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
+Link: https://lore.kernel.org/r/20240206085849.2902775-1-wintera@linux.ibm.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_l3_main.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -257,9 +257,10 @@ static void qeth_l3_clear_ip_htable(stru
+ if (!recover) {
+ hash_del(&addr->hnode);
+ kfree(addr);
+- continue;
++ } else {
++ /* prepare for recovery */
++ addr->disp_flag = QETH_DISP_ADDR_ADD;
+ }
+- addr->disp_flag = QETH_DISP_ADDR_ADD;
+ }
+
+ mutex_unlock(&card->ip_lock);
+@@ -280,9 +281,11 @@ static void qeth_l3_recover_ip(struct qe
+ if (addr->disp_flag == QETH_DISP_ADDR_ADD) {
+ rc = qeth_l3_register_addr_entry(card, addr);
+
+- if (!rc) {
++ if (!rc || rc == -EADDRINUSE || rc == -ENETDOWN) {
++ /* keep it in the records */
+ addr->disp_flag = QETH_DISP_ADDR_DO_NOTHING;
+ } else {
++ /* bad address */
+ hash_del(&addr->hnode);
+ kfree(addr);
+ }
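Review bot: After a registration that failed with -ENETDOWN or -EADDRINUSE, the entry in qeth_l3_recover_ip() is marked `QETH_DISP_ADDR_DO_NOTHING`, the same state as a successful one, so nothing in the table records that the card may not hold the address. Judging by the first hunk, this relies on the next qeth_l3_clear_ip_htable() call with `recover` set to reset the flag to QETH_DISP_ADDR_ADD. The comment should say so, e.g. `/* keep it in the records; the next recovery re-registers it */`. The loop and the function continue outside the hunk.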
alsa-hda-conexant-add-quirk-for-sws-js201d.patch
nilfs2-fix-data-corruption-in-dsync-block-recovery-for-small-block-sizes.patch
nilfs2-fix-hang-in-nilfs_lookup_dirty_data_buffers.patch
+crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch
+nfp-use-correct-macro-for-lengthselect-in-bar-config.patch
+nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch
+wifi-mac80211-reload-info-pointer-in-ieee80211_tx_dequeue.patch
+irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch
+irqchip-gic-v3-its-fix-gicv4.1-vpe-affinity-update.patch
+s390-qeth-fix-potential-loss-of-l3-ip-in-case-of-network-issues.patch
+ceph-prevent-use-after-free-in-encode_cap_msg.patch
+of-property-fix-typo-in-io-channels.patch
+can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch
+pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch
--- /dev/null
+From c98d8836b817d11fdff4ca7749cbbe04ff7f0c64 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 31 Jan 2024 16:49:10 +0100
+Subject: wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c98d8836b817d11fdff4ca7749cbbe04ff7f0c64 upstream.
+
+This pointer can change here since the SKB can change, so we
+actually later open-coded IEEE80211_SKB_CB() again. Reload
+the pointer where needed, so the monitor-mode case using it
+gets fixed, and then use info-> later as well.
+
+Cc: stable@vger.kernel.org
+Fixes: 531682159092 ("mac80211: fix VLAN handling with TXQs")
+Link: https://msgid.link/20240131164910.b54c28d583bc.I29450cec84ea6773cff5d9c16ff92b836c331471@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3721,6 +3721,7 @@ begin:
+ goto begin;
+
+ skb = __skb_dequeue(&tx.skbs);
++ info = IEEE80211_SKB_CB(skb);
+
+ if (!skb_queue_empty(&tx.skbs)) {
+ spin_lock_bh(&fq->lock);
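Review bot: The reload of `info` after `__skb_dequeue(&tx.skbs)` has no comment, although a stale cached pointer is exactly what this fix addresses. I would add `/* skb may have been replaced above; refresh the cached cb pointer */` before the assignment. The later hunk now writes through `info->control.vif` at `encap_out`, so every `goto encap_out` outside these hunks should be checked to arrive with `info` still matching `skb`. The function starts and ends outside the hunk.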
+@@ -3765,7 +3766,7 @@ begin:
+ }
+
+ encap_out:
+- IEEE80211_SKB_CB(skb)->control.vif = vif;
++ info->control.vif = vif;
+
+ if (vif &&
+ wiphy_ext_feature_isset(local->hw.wiphy, NL80211_EXT_FEATURE_AQL)) {