From: Sasha Levin Date: Sun, 11 Feb 2024 03:04:51 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v6.1.78~65 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c3a90208bbd6334dcae32e5a2bb5dc44fca65a1;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/af_unix-call-kfree_skb-for-dead-unix_-sk-oob_skb-in-.patch b/queue-5.15/af_unix-call-kfree_skb-for-dead-unix_-sk-oob_skb-in-.patch new file mode 100644 index 00000000000..fdb8c1368a2 --- /dev/null +++ b/queue-5.15/af_unix-call-kfree_skb-for-dead-unix_-sk-oob_skb-in-.patch @@ -0,0 +1,112 @@ +From e34a62a71eafd14c4a00705f651d7a2f21e98a96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Feb 2024 10:31:49 -0800 +Subject: af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. + +From: Kuniyuki Iwashima + +[ Upstream commit 1279f9d9dec2d7462823a18c29ad61359e0a007d ] + +syzbot reported a warning [0] in __unix_gc() with a repro, which +creates a socketpair and sends one socket's fd to itself using the +peer. + + socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0 + sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}], + msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, + cmsg_type=SCM_RIGHTS, cmsg_data=[3]}], + msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1 + +This forms a self-cyclic reference that GC should finally untangle +but does not due to lack of MSG_OOB handling, resulting in memory +leak. + +Recently, commit 11498715f266 ("af_unix: Remove io_uring code for +GC.") removed io_uring's dead code in GC and revealed the problem. + +The code was executed at the final stage of GC and unconditionally +moved all GC candidates from gc_candidates to gc_inflight_list. +That papered over the reported problem by always making the following +WARN_ON_ONCE(!list_empty(&gc_candidates)) false. + +The problem has been there since commit 2aab4b969002 ("af_unix: fix +struct pid leaks in OOB support") added full scm support for MSG_OOB +while fixing another bug. + +To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb +if the socket still exists in gc_candidates after purging collected skb. + +Then, we need to set NULL to oob_skb before calling kfree_skb() because +it calls last fput() and triggers unix_release_sock(), where we call +duplicate kfree_skb(u->oob_skb) if not NULL. + +Note that the leaked socket remained being linked to a global list, so +kmemleak also could not detect it. We need to check /proc/net/protocol +to notice the unfreed socket. + +[0]: +WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345 +Modules linked in: +CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 +Workqueue: events_unbound __unix_gc +RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345 +Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8 +RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e +RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30 +RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66 +R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000 +R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001 +FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + process_one_work+0x889/0x15e0 kernel/workqueue.c:2633 + process_scheduled_works kernel/workqueue.c:2706 [inline] + worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787 + kthread+0x2c6/0x3b0 kernel/kthread.c:388 + ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242 + + +Reported-by: syzbot+fa3ef895554bdbfd1183@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=fa3ef895554bdbfd1183 +Fixes: 2aab4b969002 ("af_unix: fix struct pid leaks in OOB support") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240203183149.63573-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/garbage.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index dc2763540393..767b338a7a2d 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -314,6 +314,17 @@ void unix_gc(void) + /* Here we are. Hitlist is filled. Die. */ + __skb_queue_purge(&hitlist); + ++#if IS_ENABLED(CONFIG_AF_UNIX_OOB) ++ list_for_each_entry_safe(u, next, &gc_candidates, link) { ++ struct sk_buff *skb = u->oob_skb; ++ ++ if (skb) { ++ u->oob_skb = NULL; ++ kfree_skb(skb); ++ } ++ } ++#endif ++ + spin_lock(&unix_gc_lock); + + /* There could be io_uring registered files, just push them back to +-- +2.43.0 + diff --git a/queue-5.15/atm-idt77252-fix-a-memleak-in-open_card_ubr0.patch b/queue-5.15/atm-idt77252-fix-a-memleak-in-open_card_ubr0.patch new file mode 100644 index 00000000000..944e77ac2e7 --- /dev/null +++ b/queue-5.15/atm-idt77252-fix-a-memleak-in-open_card_ubr0.patch @@ -0,0 +1,46 @@ +From 5b32148eb428e3ee81e0aca3f77f71f99f4a080f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 20:41:05 +0800 +Subject: atm: idt77252: fix a memleak in open_card_ubr0 + +From: Zhipeng Lu + +[ Upstream commit f3616173bf9be9bf39d131b120d6eea4e6324cb5 ] + +When alloc_scq fails, card->vcs[0] (i.e. vc) should be freed. Otherwise, +in the following call chain: + +idt77252_init_one + |-> idt77252_dev_open + |-> open_card_ubr0 + |-> alloc_scq [failed] + |-> deinit_card + |-> vfree(card->vcs); + +card->vcs is freed and card->vcs[0] is leaked. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Zhipeng Lu +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/idt77252.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c +index 49cb4537344a..2daf50d4cd47 100644 +--- a/drivers/atm/idt77252.c ++++ b/drivers/atm/idt77252.c +@@ -2930,6 +2930,8 @@ open_card_ubr0(struct idt77252_dev *card) + vc->scq = alloc_scq(card, vc->class); + if (!vc->scq) { + printk("%s: can't get SCQ.\n", card->name); ++ kfree(card->vcs[0]); ++ card->vcs[0] = NULL; + return -ENOMEM; + } + +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-fix-multiple-memory-leaks-reported-b.patch b/queue-5.15/drm-amd-display-fix-multiple-memory-leaks-reported-b.patch new file mode 100644 index 00000000000..36a08919339 --- /dev/null +++ b/queue-5.15/drm-amd-display-fix-multiple-memory-leaks-reported-b.patch @@ -0,0 +1,111 @@ +From 31cdbfbe9eb17cafa1f50f88494ab0f56abbc7a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Aug 2021 13:41:13 -0400 +Subject: drm/amd/display: Fix multiple memory leaks reported by coverity + +From: Anson Jacob + +[ Upstream commit 7b89bf83181363a84f86da787159ddbbef505b8c ] + +coccinelle patch used: + +@@ expression enc1,vpg,afmt; @@ +- if (!enc1 || !vpg || !afmt) ++ if (!enc1 || !vpg || !afmt) { ++ kfree(enc1); ++ kfree(vpg); ++ kfree(afmt); + return NULL; ++ } + +Addresses-Coverity-ID: 1466017: ("Resource leaks") + +Reviewed-by: Aurabindo Jayamohanan Pillai +Acked-by: Mikita Lipski +Signed-off-by: Anson Jacob +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Stable-dep-of: 58fca355ad37 ("drm/amd/display: Implement bounds check for stream encoder creation in DCN301") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c | 6 +++++- + drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c | 6 +++++- + drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c | 6 +++++- + drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c | 6 +++++- + 4 files changed, 20 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c +index 735c92a5aa36..e8d4a8044d1f 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c +@@ -1164,8 +1164,12 @@ struct stream_encoder *dcn30_stream_encoder_create( + vpg = dcn30_vpg_create(ctx, vpg_inst); + afmt = dcn30_afmt_create(ctx, afmt_inst); + +- if (!enc1 || !vpg || !afmt) ++ if (!enc1 || !vpg || !afmt) { ++ kfree(enc1); ++ kfree(vpg); ++ kfree(afmt); + return NULL; ++ } + + dcn30_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios, + eng_id, vpg, afmt, +diff --git a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c +index dea358b01791..b6c363b462a7 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c +@@ -1195,8 +1195,12 @@ struct stream_encoder *dcn301_stream_encoder_create( + vpg = dcn301_vpg_create(ctx, vpg_inst); + afmt = dcn301_afmt_create(ctx, afmt_inst); + +- if (!enc1 || !vpg || !afmt) ++ if (!enc1 || !vpg || !afmt) { ++ kfree(enc1); ++ kfree(vpg); ++ kfree(afmt); + return NULL; ++ } + + dcn30_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios, + eng_id, vpg, afmt, +diff --git a/drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c b/drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c +index 2292bb82026e..7f04042d2213 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c +@@ -542,8 +542,12 @@ static struct stream_encoder *dcn302_stream_encoder_create(enum engine_id eng_id + vpg = dcn302_vpg_create(ctx, vpg_inst); + afmt = dcn302_afmt_create(ctx, afmt_inst); + +- if (!enc1 || !vpg || !afmt) ++ if (!enc1 || !vpg || !afmt) { ++ kfree(enc1); ++ kfree(vpg); ++ kfree(afmt); + return NULL; ++ } + + dcn30_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios, eng_id, vpg, afmt, &stream_enc_regs[eng_id], + &se_shift, &se_mask); +diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c +index e224c5213258..4f7bc8829b20 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c +@@ -1291,8 +1291,12 @@ static struct stream_encoder *dcn31_stream_encoder_create( + vpg = dcn31_vpg_create(ctx, vpg_inst); + afmt = dcn31_afmt_create(ctx, afmt_inst); + +- if (!enc1 || !vpg || !afmt) ++ if (!enc1 || !vpg || !afmt) { ++ kfree(enc1); ++ kfree(vpg); ++ kfree(afmt); + return NULL; ++ } + + dcn30_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios, + eng_id, vpg, afmt, +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-implement-bounds-check-for-stream-en.patch b/queue-5.15/drm-amd-display-implement-bounds-check-for-stream-en.patch new file mode 100644 index 00000000000..6088e811791 --- /dev/null +++ b/queue-5.15/drm-amd-display-implement-bounds-check-for-stream-en.patch @@ -0,0 +1,55 @@ +From f7e00e77a4ee1177eb873dab720b0322a7349451 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Feb 2024 10:20:57 +0530 +Subject: drm/amd/display: Implement bounds check for stream encoder creation + in DCN301 + +From: Srinivasan Shanmugam + +[ Upstream commit 58fca355ad37dcb5f785d9095db5f748b79c5dc2 ] + +'stream_enc_regs' array is an array of dcn10_stream_enc_registers +structures. The array is initialized with four elements, corresponding +to the four calls to stream_enc_regs() in the array initializer. This +means that valid indices for this array are 0, 1, 2, and 3. + +The error message 'stream_enc_regs' 4 <= 5 below, is indicating that +there is an attempt to access this array with an index of 5, which is +out of bounds. This could lead to undefined behavior + +Here, eng_id is used as an index to access the stream_enc_regs array. If +eng_id is 5, this would result in an out-of-bounds access on the +stream_enc_regs array. + +Thus fixing Buffer overflow error in dcn301_stream_encoder_create +reported by Smatch: +drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn301/dcn301_resource.c:1011 dcn301_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5 + +Fixes: 3a83e4e64bb1 ("drm/amd/display: Add dcn3.01 support to DC (v2)") +Cc: Roman Li +Cc: Rodrigo Siqueira +Cc: Aurabindo Pillai +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Roman Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c +index b6c363b462a7..a24f1c215da9 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c +@@ -1195,7 +1195,7 @@ struct stream_encoder *dcn301_stream_encoder_create( + vpg = dcn301_vpg_create(ctx, vpg_inst); + afmt = dcn301_afmt_create(ctx, afmt_inst); + +- if (!enc1 || !vpg || !afmt) { ++ if (!enc1 || !vpg || !afmt || eng_id >= ARRAY_SIZE(stream_enc_regs)) { + kfree(enc1); + kfree(vpg); + kfree(afmt); +-- +2.43.0 + diff --git a/queue-5.15/drm-msm-dp-return-correct-colorimetry-for-dp_test_dy.patch b/queue-5.15/drm-msm-dp-return-correct-colorimetry-for-dp_test_dy.patch new file mode 100644 index 00000000000..40e69f4e234 --- /dev/null +++ b/queue-5.15/drm-msm-dp-return-correct-colorimetry-for-dp_test_dy.patch @@ -0,0 +1,92 @@ +From b3eef5e59048186667ff6fa4681219b170f0d262 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jan 2024 13:13:30 -0800 +Subject: drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA + case + +From: Kuogee Hsieh + +[ Upstream commit fcccdafd91f8bdde568b86ff70848cf83f029add ] + +MSA MISC0 bit 1 to 7 contains Colorimetry Indicator Field. +dp_link_get_colorimetry_config() returns wrong colorimetry value +in the DP_TEST_DYNAMIC_RANGE_CEA case in the current implementation. +Hence fix this problem by having dp_link_get_colorimetry_config() +return defined CEA RGB colorimetry value in the case of +DP_TEST_DYNAMIC_RANGE_CEA. + +Changes in V2: +-- drop retrieving colorimetry from colorspace +-- drop dr = link->dp_link.test_video.test_dyn_range assignment + +Changes in V3: +-- move defined MISCr0a Colorimetry vale to dp_reg.h +-- rewording commit title +-- rewording commit text to more precise describe this patch + +Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") +Signed-off-by: Kuogee Hsieh +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/574888/ +Link: https://lore.kernel.org/r/1705526010-597-1-git-send-email-quic_khsieh@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_link.c | 12 +++++++----- + drivers/gpu/drm/msm/dp/dp_reg.h | 3 +++ + 2 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_link.c b/drivers/gpu/drm/msm/dp/dp_link.c +index d4d31e5bda07..0b4539be0685 100644 +--- a/drivers/gpu/drm/msm/dp/dp_link.c ++++ b/drivers/gpu/drm/msm/dp/dp_link.c +@@ -7,6 +7,7 @@ + + #include + ++#include "dp_reg.h" + #include "dp_link.h" + #include "dp_panel.h" + +@@ -1064,7 +1065,7 @@ int dp_link_process_request(struct dp_link *dp_link) + + int dp_link_get_colorimetry_config(struct dp_link *dp_link) + { +- u32 cc; ++ u32 cc = DP_MISC0_COLORIMERY_CFG_LEGACY_RGB; + struct dp_link_private *link; + + if (!dp_link) { +@@ -1078,10 +1079,11 @@ int dp_link_get_colorimetry_config(struct dp_link *dp_link) + * Unless a video pattern CTS test is ongoing, use RGB_VESA + * Only RGB_VESA and RGB_CEA supported for now + */ +- if (dp_link_is_video_pattern_requested(link)) +- cc = link->dp_link.test_video.test_dyn_range; +- else +- cc = DP_TEST_DYNAMIC_RANGE_VESA; ++ if (dp_link_is_video_pattern_requested(link)) { ++ if (link->dp_link.test_video.test_dyn_range & ++ DP_TEST_DYNAMIC_RANGE_CEA) ++ cc = DP_MISC0_COLORIMERY_CFG_CEA_RGB; ++ } + + return cc; + } +diff --git a/drivers/gpu/drm/msm/dp/dp_reg.h b/drivers/gpu/drm/msm/dp/dp_reg.h +index 268602803d9a..176a503ece9c 100644 +--- a/drivers/gpu/drm/msm/dp/dp_reg.h ++++ b/drivers/gpu/drm/msm/dp/dp_reg.h +@@ -129,6 +129,9 @@ + #define DP_MISC0_COLORIMETRY_CFG_SHIFT (0x00000001) + #define DP_MISC0_TEST_BITS_DEPTH_SHIFT (0x00000005) + ++#define DP_MISC0_COLORIMERY_CFG_LEGACY_RGB (0) ++#define DP_MISC0_COLORIMERY_CFG_CEA_RGB (0x04) ++ + #define REG_DP_VALID_BOUNDARY (0x00000030) + #define REG_DP_VALID_BOUNDARY_2 (0x00000034) + +-- +2.43.0 + diff --git a/queue-5.15/fs-ntfs3-fix-an-null-dereference-bug.patch b/queue-5.15/fs-ntfs3-fix-an-null-dereference-bug.patch new file mode 100644 index 00000000000..748937bd3aa --- /dev/null +++ b/queue-5.15/fs-ntfs3-fix-an-null-dereference-bug.patch @@ -0,0 +1,40 @@ +From 2b0c04fb66f872f83c6c117e12d2ffb7a54fd18d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Oct 2023 17:04:39 +0300 +Subject: fs/ntfs3: Fix an NULL dereference bug + +From: Dan Carpenter + +[ Upstream commit b2dd7b953c25ffd5912dda17e980e7168bebcf6c ] + +The issue here is when this is called from ntfs_load_attr_list(). The +"size" comes from le32_to_cpu(attr->res.data_size) so it can't overflow +on a 64bit systems but on 32bit systems the "+ 1023" can overflow and +the result is zero. This means that the kmalloc will succeed by +returning the ZERO_SIZE_PTR and then the memcpy() will crash with an +Oops on the next line. + +Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations") +Signed-off-by: Dan Carpenter +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/ntfs_fs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h +index 510ed2ea1c48..981276500043 100644 +--- a/fs/ntfs3/ntfs_fs.h ++++ b/fs/ntfs3/ntfs_fs.h +@@ -468,7 +468,7 @@ bool al_delete_le(struct ntfs_inode *ni, enum ATTR_TYPE type, CLST vcn, + int al_update(struct ntfs_inode *ni, int sync); + static inline size_t al_aligned(size_t size) + { +- return (size + 1023) & ~(size_t)1023; ++ return size_add(size, 1023) & ~(size_t)1023; + } + + /* Globals from bitfunc.c */ +-- +2.43.0 + diff --git a/queue-5.15/hwmon-aspeed-pwm-tacho-mutex-for-tach-reading.patch b/queue-5.15/hwmon-aspeed-pwm-tacho-mutex-for-tach-reading.patch new file mode 100644 index 00000000000..78b369ccfd4 --- /dev/null +++ b/queue-5.15/hwmon-aspeed-pwm-tacho-mutex-for-tach-reading.patch @@ -0,0 +1,65 @@ +From 6d034deea7c77f3e5b6f36a109ed3ccb56d7a626 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 11:30:55 +0100 +Subject: hwmon: (aspeed-pwm-tacho) mutex for tach reading + +From: Loic Prylli + +[ Upstream commit 1168491e7f53581ba7b6014a39a49cfbbb722feb ] + +the ASPEED_PTCR_RESULT Register can only hold the result for a +single fan input. Adding a mutex to protect the register until the +reading is done. + +Signed-off-by: Loic Prylli +Signed-off-by: Alexander Hansen +Fixes: 2d7a548a3eff ("drivers: hwmon: Support for ASPEED PWM/Fan tach") +Link: https://lore.kernel.org/r/121d888762a1232ef403cf35230ccf7b3887083a.1699007401.git.alexander.hansen@9elements.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/aspeed-pwm-tacho.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/hwmon/aspeed-pwm-tacho.c b/drivers/hwmon/aspeed-pwm-tacho.c +index 3cb88d6fbec0..424613e5b14f 100644 +--- a/drivers/hwmon/aspeed-pwm-tacho.c ++++ b/drivers/hwmon/aspeed-pwm-tacho.c +@@ -194,6 +194,8 @@ struct aspeed_pwm_tacho_data { + u8 fan_tach_ch_source[16]; + struct aspeed_cooling_device *cdev[8]; + const struct attribute_group *groups[3]; ++ /* protects access to shared ASPEED_PTCR_RESULT */ ++ struct mutex tach_lock; + }; + + enum type { TYPEM, TYPEN, TYPEO }; +@@ -528,6 +530,8 @@ static int aspeed_get_fan_tach_ch_rpm(struct aspeed_pwm_tacho_data *priv, + u8 fan_tach_ch_source, type, mode, both; + int ret; + ++ mutex_lock(&priv->tach_lock); ++ + regmap_write(priv->regmap, ASPEED_PTCR_TRIGGER, 0); + regmap_write(priv->regmap, ASPEED_PTCR_TRIGGER, 0x1 << fan_tach_ch); + +@@ -545,6 +549,8 @@ static int aspeed_get_fan_tach_ch_rpm(struct aspeed_pwm_tacho_data *priv, + ASPEED_RPM_STATUS_SLEEP_USEC, + usec); + ++ mutex_unlock(&priv->tach_lock); ++ + /* return -ETIMEDOUT if we didn't get an answer. */ + if (ret) + return ret; +@@ -904,6 +910,7 @@ static int aspeed_pwm_tacho_probe(struct platform_device *pdev) + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; ++ mutex_init(&priv->tach_lock); + priv->regmap = devm_regmap_init(dev, NULL, (__force void *)regs, + &aspeed_pwm_tacho_regmap_config); + if (IS_ERR(priv->regmap)) +-- +2.43.0 + diff --git a/queue-5.15/hwmon-coretemp-fix-bogus-core_id-to-attr-name-mappin.patch b/queue-5.15/hwmon-coretemp-fix-bogus-core_id-to-attr-name-mappin.patch new file mode 100644 index 00000000000..b4c4c9c7315 --- /dev/null +++ b/queue-5.15/hwmon-coretemp-fix-bogus-core_id-to-attr-name-mappin.patch @@ -0,0 +1,148 @@ +From 7f17f0cf6048f6fea8baa1485d9f6b37370c2bb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 17:21:35 +0800 +Subject: hwmon: (coretemp) Fix bogus core_id to attr name mapping + +From: Zhang Rui + +[ Upstream commit fdaf0c8629d4524a168cb9e4ad4231875749b28c ] + +Before commit 7108b80a542b ("hwmon/coretemp: Handle large core ID +value"), there is a fixed mapping between +1. cpu_core_id +2. the index in pdata->core_data[] array +3. the sysfs attr name, aka "tempX_" +The later two always equal cpu_core_id + 2. + +After the commit, pdata->core_data[] index is got from ida so that it +can handle sparse core ids and support more cores within a package. + +However, the commit erroneously maps the sysfs attr name to +pdata->core_data[] index instead of cpu_core_id + 2. + +As a result, the code is not aligned with the comments, and brings user +visible changes in hwmon sysfs on systems with sparse core id. + +For example, before commit 7108b80a542b ("hwmon/coretemp: Handle large +core ID value"), +/sys/class/hwmon/hwmon2/temp2_label:Core 0 +/sys/class/hwmon/hwmon2/temp3_label:Core 1 +/sys/class/hwmon/hwmon2/temp4_label:Core 2 +/sys/class/hwmon/hwmon2/temp5_label:Core 3 +/sys/class/hwmon/hwmon2/temp6_label:Core 4 +/sys/class/hwmon/hwmon3/temp10_label:Core 8 +/sys/class/hwmon/hwmon3/temp11_label:Core 9 +after commit, +/sys/class/hwmon/hwmon2/temp2_label:Core 0 +/sys/class/hwmon/hwmon2/temp3_label:Core 1 +/sys/class/hwmon/hwmon2/temp4_label:Core 2 +/sys/class/hwmon/hwmon2/temp5_label:Core 3 +/sys/class/hwmon/hwmon2/temp6_label:Core 4 +/sys/class/hwmon/hwmon2/temp7_label:Core 8 +/sys/class/hwmon/hwmon2/temp8_label:Core 9 + +Restore the previous behavior and rework the code, comments and variable +names to avoid future confusions. + +Fixes: 7108b80a542b ("hwmon/coretemp: Handle large core ID value") +Signed-off-by: Zhang Rui +Link: https://lore.kernel.org/r/20240202092144.71180-3-rui.zhang@intel.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 7f6615ef8c88..d67d972d18aa 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -380,7 +380,7 @@ static int get_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev) + } + + static int create_core_attrs(struct temp_data *tdata, struct device *dev, +- int attr_no) ++ int index) + { + int i; + static ssize_t (*const rd_ptr[TOTAL_ATTRS]) (struct device *dev, +@@ -392,13 +392,20 @@ static int create_core_attrs(struct temp_data *tdata, struct device *dev, + }; + + for (i = 0; i < tdata->attr_size; i++) { ++ /* ++ * We map the attr number to core id of the CPU ++ * The attr number is always core id + 2 ++ * The Pkgtemp will always show up as temp1_*, if available ++ */ ++ int attr_no = tdata->is_pkg_data ? 1 : tdata->cpu_core_id + 2; ++ + snprintf(tdata->attr_name[i], CORETEMP_NAME_LENGTH, + "temp%d_%s", attr_no, suffixes[i]); + sysfs_attr_init(&tdata->sd_attrs[i].dev_attr.attr); + tdata->sd_attrs[i].dev_attr.attr.name = tdata->attr_name[i]; + tdata->sd_attrs[i].dev_attr.attr.mode = 0444; + tdata->sd_attrs[i].dev_attr.show = rd_ptr[i]; +- tdata->sd_attrs[i].index = attr_no; ++ tdata->sd_attrs[i].index = index; + tdata->attrs[i] = &tdata->sd_attrs[i].dev_attr.attr; + } + tdata->attr_group.attrs = tdata->attrs; +@@ -456,23 +463,22 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu, + struct platform_data *pdata = platform_get_drvdata(pdev); + struct cpuinfo_x86 *c = &cpu_data(cpu); + u32 eax, edx; +- int err, index, attr_no; ++ int err, index; + + /* +- * Find attr number for sysfs: +- * We map the attr number to core id of the CPU +- * The attr number is always core id + 2 +- * The Pkgtemp will always show up as temp1_*, if available ++ * Get the index of tdata in pdata->core_data[] ++ * tdata for package: pdata->core_data[1] ++ * tdata for core: pdata->core_data[2] .. pdata->core_data[NUM_REAL_CORES + 1] + */ + if (pkg_flag) { +- attr_no = PKG_SYSFS_ATTR_NO; ++ index = PKG_SYSFS_ATTR_NO; + } else { + index = ida_alloc_max(&pdata->ida, NUM_REAL_CORES - 1, GFP_KERNEL); + if (index < 0) + return index; + + pdata->cpu_map[index] = topology_core_id(cpu); +- attr_no = index + BASE_SYSFS_ATTR_NO; ++ index += BASE_SYSFS_ATTR_NO; + } + + tdata = init_temp_data(cpu, pkg_flag); +@@ -504,20 +510,20 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu, + } + } + +- pdata->core_data[attr_no] = tdata; ++ pdata->core_data[index] = tdata; + + /* Create sysfs interfaces */ +- err = create_core_attrs(tdata, pdata->hwmon_dev, attr_no); ++ err = create_core_attrs(tdata, pdata->hwmon_dev, index); + if (err) + goto exit_free; + + return 0; + exit_free: +- pdata->core_data[attr_no] = NULL; ++ pdata->core_data[index] = NULL; + kfree(tdata); + ida_free: + if (!pkg_flag) +- ida_free(&pdata->ida, index); ++ ida_free(&pdata->ida, index - BASE_SYSFS_ATTR_NO); + return err; + } + +-- +2.43.0 + diff --git a/queue-5.15/hwmon-coretemp-fix-out-of-bounds-memory-access.patch b/queue-5.15/hwmon-coretemp-fix-out-of-bounds-memory-access.patch new file mode 100644 index 00000000000..509787e3b06 --- /dev/null +++ b/queue-5.15/hwmon-coretemp-fix-out-of-bounds-memory-access.patch @@ -0,0 +1,52 @@ +From 3f69735820398c131e57696a9ecb4f7aeee5fc1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 17:21:34 +0800 +Subject: hwmon: (coretemp) Fix out-of-bounds memory access + +From: Zhang Rui + +[ Upstream commit 4e440abc894585a34c2904a32cd54af1742311b3 ] + +Fix a bug that pdata->cpu_map[] is set before out-of-bounds check. +The problem might be triggered on systems with more than 128 cores per +package. + +Fixes: 7108b80a542b ("hwmon/coretemp: Handle large core ID value") +Signed-off-by: Zhang Rui +Cc: +Link: https://lore.kernel.org/r/20240202092144.71180-2-rui.zhang@intel.com +Signed-off-by: Guenter Roeck +Stable-dep-of: fdaf0c8629d4 ("hwmon: (coretemp) Fix bogus core_id to attr name mapping") +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 5b2057ce5a59..7f6615ef8c88 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -467,18 +467,14 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu, + if (pkg_flag) { + attr_no = PKG_SYSFS_ATTR_NO; + } else { +- index = ida_alloc(&pdata->ida, GFP_KERNEL); ++ index = ida_alloc_max(&pdata->ida, NUM_REAL_CORES - 1, GFP_KERNEL); + if (index < 0) + return index; ++ + pdata->cpu_map[index] = topology_core_id(cpu); + attr_no = index + BASE_SYSFS_ATTR_NO; + } + +- if (attr_no > MAX_CORE_DATA - 1) { +- err = -ERANGE; +- goto ida_free; +- } +- + tdata = init_temp_data(cpu, pkg_flag); + if (!tdata) { + err = -ENOMEM; +-- +2.43.0 + diff --git a/queue-5.15/inet-read-sk-sk_family-once-in-inet_recv_error.patch b/queue-5.15/inet-read-sk-sk_family-once-in-inet_recv_error.patch new file mode 100644 index 00000000000..25e3e694984 --- /dev/null +++ b/queue-5.15/inet-read-sk-sk_family-once-in-inet_recv_error.patch @@ -0,0 +1,46 @@ +From 719fe0f08db7b80a77735eb8b22351a304f6fb2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 09:54:04 +0000 +Subject: inet: read sk->sk_family once in inet_recv_error() + +From: Eric Dumazet + +[ Upstream commit eef00a82c568944f113f2de738156ac591bbd5cd ] + +inet_recv_error() is called without holding the socket lock. + +IPv6 socket could mutate to IPv4 with IPV6_ADDRFORM +socket option and trigger a KCSAN warning. + +Fixes: f4713a3dfad0 ("net-timestamp: make tcp_recvmsg call ipv6_recv_error for AF_INET6 socks") +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/af_inet.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 6f6c05f198da..487f75993bf4 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -1605,10 +1605,12 @@ EXPORT_SYMBOL(inet_current_timestamp); + + int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + { +- if (sk->sk_family == AF_INET) ++ unsigned int family = READ_ONCE(sk->sk_family); ++ ++ if (family == AF_INET) + return ip_recv_error(sk, msg, len, addr_len); + #if IS_ENABLED(CONFIG_IPV6) +- if (sk->sk_family == AF_INET6) ++ if (family == AF_INET6) + return pingv6_ops.ipv6_recv_error(sk, msg, len, addr_len); + #endif + return -EINVAL; +-- +2.43.0 + diff --git a/queue-5.15/net-stmmac-xgmac-fix-handling-of-dpp-safety-error-fo.patch b/queue-5.15/net-stmmac-xgmac-fix-handling-of-dpp-safety-error-fo.patch new file mode 100644 index 00000000000..e2f44b1bb25 --- /dev/null +++ b/queue-5.15/net-stmmac-xgmac-fix-handling-of-dpp-safety-error-fo.patch @@ -0,0 +1,158 @@ +From 7f59bbdab1faf9eefdb657870b9e5c40a0a96336 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 10:08:28 +0800 +Subject: net: stmmac: xgmac: fix handling of DPP safety error for DMA channels + +From: Furong Xu <0x1207@gmail.com> + +[ Upstream commit 46eba193d04f8bd717e525eb4110f3c46c12aec3 ] + +Commit 56e58d6c8a56 ("net: stmmac: Implement Safety Features in +XGMAC core") checks and reports safety errors, but leaves the +Data Path Parity Errors for each channel in DMA unhandled at all, lead to +a storm of interrupt. +Fix it by checking and clearing the DMA_DPP_Interrupt_Status register. + +Fixes: 56e58d6c8a56 ("net: stmmac: Implement Safety Features in XGMAC core") +Signed-off-by: Furong Xu <0x1207@gmail.com> +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/common.h | 1 + + .../net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 + + .../ethernet/stmicro/stmmac/dwxgmac2_core.c | 57 ++++++++++++++++++- + 3 files changed, 60 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h +index c03ac229e936..d9e8602f866d 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/common.h ++++ b/drivers/net/ethernet/stmicro/stmmac/common.h +@@ -209,6 +209,7 @@ struct stmmac_safety_stats { + unsigned long mac_errors[32]; + unsigned long mtl_errors[32]; + unsigned long dma_errors[32]; ++ unsigned long dma_dpp_errors[32]; + }; + + /* Number of fields in Safety Stats */ +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h +index 880a75bf2eb1..e67a880ebf64 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h +@@ -282,6 +282,8 @@ + #define XGMAC_RXCEIE BIT(4) + #define XGMAC_TXCEIE BIT(0) + #define XGMAC_MTL_ECC_INT_STATUS 0x000010cc ++#define XGMAC_MTL_DPP_CONTROL 0x000010e0 ++#define XGMAC_DDPP_DISABLE BIT(0) + #define XGMAC_MTL_TXQ_OPMODE(x) (0x00001100 + (0x80 * (x))) + #define XGMAC_TQS GENMASK(25, 16) + #define XGMAC_TQS_SHIFT 16 +@@ -364,6 +366,7 @@ + #define XGMAC_DCEIE BIT(1) + #define XGMAC_TCEIE BIT(0) + #define XGMAC_DMA_ECC_INT_STATUS 0x0000306c ++#define XGMAC_DMA_DPP_INT_STATUS 0x00003074 + #define XGMAC_DMA_CH_CONTROL(x) (0x00003100 + (0x80 * (x))) + #define XGMAC_SPH BIT(24) + #define XGMAC_PBLx8 BIT(16) +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +index c2181c277291..c24cd019460a 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +@@ -789,6 +789,43 @@ static const struct dwxgmac3_error_desc dwxgmac3_dma_errors[32]= { + { false, "UNKNOWN", "Unknown Error" }, /* 31 */ + }; + ++static const char * const dpp_rx_err = "Read Rx Descriptor Parity checker Error"; ++static const char * const dpp_tx_err = "Read Tx Descriptor Parity checker Error"; ++static const struct dwxgmac3_error_desc dwxgmac3_dma_dpp_errors[32] = { ++ { true, "TDPES0", dpp_tx_err }, ++ { true, "TDPES1", dpp_tx_err }, ++ { true, "TDPES2", dpp_tx_err }, ++ { true, "TDPES3", dpp_tx_err }, ++ { true, "TDPES4", dpp_tx_err }, ++ { true, "TDPES5", dpp_tx_err }, ++ { true, "TDPES6", dpp_tx_err }, ++ { true, "TDPES7", dpp_tx_err }, ++ { true, "TDPES8", dpp_tx_err }, ++ { true, "TDPES9", dpp_tx_err }, ++ { true, "TDPES10", dpp_tx_err }, ++ { true, "TDPES11", dpp_tx_err }, ++ { true, "TDPES12", dpp_tx_err }, ++ { true, "TDPES13", dpp_tx_err }, ++ { true, "TDPES14", dpp_tx_err }, ++ { true, "TDPES15", dpp_tx_err }, ++ { true, "RDPES0", dpp_rx_err }, ++ { true, "RDPES1", dpp_rx_err }, ++ { true, "RDPES2", dpp_rx_err }, ++ { true, "RDPES3", dpp_rx_err }, ++ { true, "RDPES4", dpp_rx_err }, ++ { true, "RDPES5", dpp_rx_err }, ++ { true, "RDPES6", dpp_rx_err }, ++ { true, "RDPES7", dpp_rx_err }, ++ { true, "RDPES8", dpp_rx_err }, ++ { true, "RDPES9", dpp_rx_err }, ++ { true, "RDPES10", dpp_rx_err }, ++ { true, "RDPES11", dpp_rx_err }, ++ { true, "RDPES12", dpp_rx_err }, ++ { true, "RDPES13", dpp_rx_err }, ++ { true, "RDPES14", dpp_rx_err }, ++ { true, "RDPES15", dpp_rx_err }, ++}; ++ + static void dwxgmac3_handle_dma_err(struct net_device *ndev, + void __iomem *ioaddr, bool correctable, + struct stmmac_safety_stats *stats) +@@ -800,6 +837,13 @@ static void dwxgmac3_handle_dma_err(struct net_device *ndev, + + dwxgmac3_log_error(ndev, value, correctable, "DMA", + dwxgmac3_dma_errors, STAT_OFF(dma_errors), stats); ++ ++ value = readl(ioaddr + XGMAC_DMA_DPP_INT_STATUS); ++ writel(value, ioaddr + XGMAC_DMA_DPP_INT_STATUS); ++ ++ dwxgmac3_log_error(ndev, value, false, "DMA_DPP", ++ dwxgmac3_dma_dpp_errors, ++ STAT_OFF(dma_dpp_errors), stats); + } + + static int +@@ -838,6 +882,12 @@ dwxgmac3_safety_feat_config(void __iomem *ioaddr, unsigned int asp, + value |= XGMAC_TMOUTEN; /* FSM Timeout Feature */ + writel(value, ioaddr + XGMAC_MAC_FSM_CONTROL); + ++ /* 5. Enable Data Path Parity Protection */ ++ value = readl(ioaddr + XGMAC_MTL_DPP_CONTROL); ++ /* already enabled by default, explicit enable it again */ ++ value &= ~XGMAC_DDPP_DISABLE; ++ writel(value, ioaddr + XGMAC_MTL_DPP_CONTROL); ++ + return 0; + } + +@@ -871,7 +921,11 @@ static int dwxgmac3_safety_feat_irq_status(struct net_device *ndev, + ret |= !corr; + } + +- err = dma & (XGMAC_DEUIS | XGMAC_DECIS); ++ /* DMA_DPP_Interrupt_Status is indicated by MCSIS bit in ++ * DMA_Safety_Interrupt_Status, so we handle DMA Data Path ++ * Parity Errors here ++ */ ++ err = dma & (XGMAC_DEUIS | XGMAC_DECIS | XGMAC_MCSIS); + corr = dma & XGMAC_DECIS; + if (err) { + dwxgmac3_handle_dma_err(ndev, ioaddr, corr, stats); +@@ -887,6 +941,7 @@ static const struct dwxgmac3_error { + { dwxgmac3_mac_errors }, + { dwxgmac3_mtl_errors }, + { dwxgmac3_dma_errors }, ++ { dwxgmac3_dma_dpp_errors }, + }; + + static int dwxgmac3_safety_feat_dump(struct stmmac_safety_stats *stats, +-- +2.43.0 + diff --git a/queue-5.15/netfilter-nft_compat-reject-unused-compat-flag.patch b/queue-5.15/netfilter-nft_compat-reject-unused-compat-flag.patch new file mode 100644 index 00000000000..fc13e501205 --- /dev/null +++ b/queue-5.15/netfilter-nft_compat-reject-unused-compat-flag.patch @@ -0,0 +1,53 @@ +From 6dd55b80a7ebe96b9c2317cfe6aa661cee6fc842 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 23:33:29 +0100 +Subject: netfilter: nft_compat: reject unused compat flag + +From: Pablo Neira Ayuso + +[ Upstream commit 292781c3c5485ce33bd22b2ef1b2bed709b4d672 ] + +Flag (1 << 0) is ignored is set, never used, reject it it with EINVAL +instead. + +Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/nf_tables.h | 2 ++ + net/netfilter/nft_compat.c | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h +index 07871c8a0601..62cc780a168a 100644 +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -266,9 +266,11 @@ enum nft_rule_attributes { + /** + * enum nft_rule_compat_flags - nf_tables rule compat flags + * ++ * @NFT_RULE_COMPAT_F_UNUSED: unused + * @NFT_RULE_COMPAT_F_INV: invert the check result + */ + enum nft_rule_compat_flags { ++ NFT_RULE_COMPAT_F_UNUSED = (1 << 0), + NFT_RULE_COMPAT_F_INV = (1 << 1), + NFT_RULE_COMPAT_F_MASK = NFT_RULE_COMPAT_F_INV, + }; +diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c +index 3fb8d7fb21af..4ef664a2bbe6 100644 +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -212,7 +212,8 @@ static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv) + return -EINVAL; + + flags = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_FLAGS])); +- if (flags & ~NFT_RULE_COMPAT_F_MASK) ++ if (flags & NFT_RULE_COMPAT_F_UNUSED || ++ flags & ~NFT_RULE_COMPAT_F_MASK) + return -EINVAL; + if (flags & NFT_RULE_COMPAT_F_INV) + *inv = true; +-- +2.43.0 + diff --git a/queue-5.15/netfilter-nft_compat-restrict-match-target-protocol-.patch b/queue-5.15/netfilter-nft_compat-restrict-match-target-protocol-.patch new file mode 100644 index 00000000000..451491bc80c --- /dev/null +++ b/queue-5.15/netfilter-nft_compat-restrict-match-target-protocol-.patch @@ -0,0 +1,51 @@ +From 1b13c1d6ae8a41088ecb46d62118409a53b762d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 00:05:23 +0100 +Subject: netfilter: nft_compat: restrict match/target protocol to u16 + +From: Pablo Neira Ayuso + +[ Upstream commit d694b754894c93fb4d71a7f3699439dec111decc ] + +xt_check_{match,target} expects u16, but NFTA_RULE_COMPAT_PROTO is u32. + +NLA_POLICY_MAX(NLA_BE32, 65535) cannot be used because .max in +nla_policy is s16, see 3e48be05f3c7 ("netlink: add attribute range +validation to policy"). + +Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_compat.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c +index 4ef664a2bbe6..64a2a5f19589 100644 +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -200,6 +200,7 @@ static const struct nla_policy nft_rule_compat_policy[NFTA_RULE_COMPAT_MAX + 1] + static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv) + { + struct nlattr *tb[NFTA_RULE_COMPAT_MAX+1]; ++ u32 l4proto; + u32 flags; + int err; + +@@ -218,7 +219,12 @@ static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv) + if (flags & NFT_RULE_COMPAT_F_INV) + *inv = true; + +- *proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO])); ++ l4proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO])); ++ if (l4proto > U16_MAX) ++ return -EINVAL; ++ ++ *proto = l4proto; ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-5.15/netfilter-nft_ct-reject-direction-for-ct-id.patch b/queue-5.15/netfilter-nft_ct-reject-direction-for-ct-id.patch new file mode 100644 index 00000000000..49678c34b20 --- /dev/null +++ b/queue-5.15/netfilter-nft_ct-reject-direction-for-ct-id.patch @@ -0,0 +1,36 @@ +From 2bf3959305bc94280e2c47a0e5a01129e43f3c92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Feb 2024 14:59:24 +0100 +Subject: netfilter: nft_ct: reject direction for ct id + +From: Pablo Neira Ayuso + +[ Upstream commit 38ed1c7062ada30d7c11e7a7acc749bf27aa14aa ] + +Direction attribute is ignored, reject it in case this ever needs to be +supported + +Fixes: 3087c3f7c23b ("netfilter: nft_ct: Add ct id support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_ct.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index d8fd7e487e47..7c667629c514 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -483,6 +483,9 @@ static int nft_ct_get_init(const struct nft_ctx *ctx, + break; + #endif + case NFT_CT_ID: ++ if (tb[NFTA_CT_DIRECTION]) ++ return -EINVAL; ++ + len = sizeof(u32); + break; + default: +-- +2.43.0 + diff --git a/queue-5.15/netfilter-nft_set_pipapo-add-helper-to-release-pcpu-.patch b/queue-5.15/netfilter-nft_set_pipapo-add-helper-to-release-pcpu-.patch new file mode 100644 index 00000000000..d1ba893809c --- /dev/null +++ b/queue-5.15/netfilter-nft_set_pipapo-add-helper-to-release-pcpu-.patch @@ -0,0 +1,98 @@ +From 34366fb46184dec6471229babb6438ce93a39a20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Feb 2024 21:52:47 +0100 +Subject: netfilter: nft_set_pipapo: add helper to release pcpu scratch area + +From: Florian Westphal + +[ Upstream commit 47b1c03c3c1a119435480a1e73f27197dc59131d ] + +After next patch simple kfree() is not enough anymore, so add +a helper for it. + +Reviewed-by: Stefano Brivio +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Stable-dep-of: 5a8cdf6fd860 ("netfilter: nft_set_pipapo: remove scratch_aligned pointer") +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index fbd0dbf9b965..977bf724fb7e 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1101,6 +1101,24 @@ static void pipapo_map(struct nft_pipapo_match *m, + f->mt[map[i].to + j].e = e; + } + ++/** ++ * pipapo_free_scratch() - Free per-CPU map at original (not aligned) address ++ * @m: Matching data ++ * @cpu: CPU number ++ */ ++static void pipapo_free_scratch(const struct nft_pipapo_match *m, unsigned int cpu) ++{ ++ struct nft_pipapo_scratch *s; ++ void *mem; ++ ++ s = *per_cpu_ptr(m->scratch, cpu); ++ if (!s) ++ return; ++ ++ mem = s; ++ kfree(mem); ++} ++ + /** + * pipapo_realloc_scratch() - Reallocate scratch maps for partial match results + * @clone: Copy of matching data with pending insertions and deletions +@@ -1133,7 +1151,7 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone, + return -ENOMEM; + } + +- kfree(*per_cpu_ptr(clone->scratch, i)); ++ pipapo_free_scratch(clone, i); + + *per_cpu_ptr(clone->scratch, i) = scratch; + +@@ -1359,7 +1377,7 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old) + } + out_scratch_realloc: + for_each_possible_cpu(i) +- kfree(*per_cpu_ptr(new->scratch, i)); ++ pipapo_free_scratch(new, i); + #ifdef NFT_PIPAPO_ALIGN + free_percpu(new->scratch_aligned); + #endif +@@ -1647,7 +1665,7 @@ static void pipapo_free_match(struct nft_pipapo_match *m) + int i; + + for_each_possible_cpu(i) +- kfree(*per_cpu_ptr(m->scratch, i)); ++ pipapo_free_scratch(m, i); + + #ifdef NFT_PIPAPO_ALIGN + free_percpu(m->scratch_aligned); +@@ -2249,7 +2267,7 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx, + free_percpu(m->scratch_aligned); + #endif + for_each_possible_cpu(cpu) +- kfree(*per_cpu_ptr(m->scratch, cpu)); ++ pipapo_free_scratch(m, cpu); + free_percpu(m->scratch); + pipapo_free_fields(m); + kfree(m); +@@ -2266,7 +2284,7 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx, + free_percpu(priv->clone->scratch_aligned); + #endif + for_each_possible_cpu(cpu) +- kfree(*per_cpu_ptr(priv->clone->scratch, cpu)); ++ pipapo_free_scratch(priv->clone, cpu); + free_percpu(priv->clone->scratch); + + pipapo_free_fields(priv->clone); +-- +2.43.0 + diff --git a/queue-5.15/netfilter-nft_set_pipapo-remove-scratch_aligned-poin.patch b/queue-5.15/netfilter-nft_set_pipapo-remove-scratch_aligned-poin.patch new file mode 100644 index 00000000000..fcfc8b035ed --- /dev/null +++ b/queue-5.15/netfilter-nft_set_pipapo-remove-scratch_aligned-poin.patch @@ -0,0 +1,202 @@ +From 480ad75126b856f29bcb9a60e61a7e27be406aca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Feb 2024 10:31:29 +0100 +Subject: netfilter: nft_set_pipapo: remove scratch_aligned pointer + +From: Florian Westphal + +[ Upstream commit 5a8cdf6fd860ac5e6d08d72edbcecee049a7fec4 ] + +use ->scratch for both avx2 and the generic implementation. + +After previous change the scratch->map member is always aligned properly +for AVX2, so we can just use scratch->map in AVX2 too. + +The alignoff delta is stored in the scratchpad so we can reconstruct +the correct address to free the area again. + +Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation") +Reviewed-by: Stefano Brivio +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 41 +++++------------------------ + net/netfilter/nft_set_pipapo.h | 6 ++--- + net/netfilter/nft_set_pipapo_avx2.c | 2 +- + 3 files changed, 10 insertions(+), 39 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 977bf724fb7e..e1969209b3ab 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1116,6 +1116,7 @@ static void pipapo_free_scratch(const struct nft_pipapo_match *m, unsigned int c + return; + + mem = s; ++ mem -= s->align_off; + kfree(mem); + } + +@@ -1135,6 +1136,7 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone, + struct nft_pipapo_scratch *scratch; + #ifdef NFT_PIPAPO_ALIGN + void *scratch_aligned; ++ u32 align_off; + #endif + scratch = kzalloc_node(struct_size(scratch, map, + bsize_max * 2) + +@@ -1153,8 +1155,6 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone, + + pipapo_free_scratch(clone, i); + +- *per_cpu_ptr(clone->scratch, i) = scratch; +- + #ifdef NFT_PIPAPO_ALIGN + /* Align &scratch->map (not the struct itself): the extra + * %NFT_PIPAPO_ALIGN_HEADROOM bytes passed to kzalloc_node() +@@ -1166,8 +1166,12 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone, + + scratch_aligned = NFT_PIPAPO_LT_ALIGN(&scratch->map); + scratch_aligned -= offsetof(struct nft_pipapo_scratch, map); +- *per_cpu_ptr(clone->scratch_aligned, i) = scratch_aligned; ++ align_off = scratch_aligned - (void *)scratch; ++ ++ scratch = scratch_aligned; ++ scratch->align_off = align_off; + #endif ++ *per_cpu_ptr(clone->scratch, i) = scratch; + } + + return 0; +@@ -1321,11 +1325,6 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old) + if (!new->scratch) + goto out_scratch; + +-#ifdef NFT_PIPAPO_ALIGN +- new->scratch_aligned = alloc_percpu(*new->scratch_aligned); +- if (!new->scratch_aligned) +- goto out_scratch; +-#endif + for_each_possible_cpu(i) + *per_cpu_ptr(new->scratch, i) = NULL; + +@@ -1378,9 +1377,6 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old) + out_scratch_realloc: + for_each_possible_cpu(i) + pipapo_free_scratch(new, i); +-#ifdef NFT_PIPAPO_ALIGN +- free_percpu(new->scratch_aligned); +-#endif + out_scratch: + free_percpu(new->scratch); + kfree(new); +@@ -1667,11 +1663,7 @@ static void pipapo_free_match(struct nft_pipapo_match *m) + for_each_possible_cpu(i) + pipapo_free_scratch(m, i); + +-#ifdef NFT_PIPAPO_ALIGN +- free_percpu(m->scratch_aligned); +-#endif + free_percpu(m->scratch); +- + pipapo_free_fields(m); + + kfree(m); +@@ -2167,16 +2159,6 @@ static int nft_pipapo_init(const struct nft_set *set, + for_each_possible_cpu(i) + *per_cpu_ptr(m->scratch, i) = NULL; + +-#ifdef NFT_PIPAPO_ALIGN +- m->scratch_aligned = alloc_percpu(struct nft_pipapo_scratch *); +- if (!m->scratch_aligned) { +- err = -ENOMEM; +- goto out_free; +- } +- for_each_possible_cpu(i) +- *per_cpu_ptr(m->scratch_aligned, i) = NULL; +-#endif +- + rcu_head_init(&m->rcu); + + nft_pipapo_for_each_field(f, i, m) { +@@ -2207,9 +2189,6 @@ static int nft_pipapo_init(const struct nft_set *set, + return 0; + + out_free: +-#ifdef NFT_PIPAPO_ALIGN +- free_percpu(m->scratch_aligned); +-#endif + free_percpu(m->scratch); + out_scratch: + kfree(m); +@@ -2263,9 +2242,6 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx, + + nft_set_pipapo_match_destroy(ctx, set, m); + +-#ifdef NFT_PIPAPO_ALIGN +- free_percpu(m->scratch_aligned); +-#endif + for_each_possible_cpu(cpu) + pipapo_free_scratch(m, cpu); + free_percpu(m->scratch); +@@ -2280,9 +2256,6 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx, + if (priv->dirty) + nft_set_pipapo_match_destroy(ctx, set, m); + +-#ifdef NFT_PIPAPO_ALIGN +- free_percpu(priv->clone->scratch_aligned); +-#endif + for_each_possible_cpu(cpu) + pipapo_free_scratch(priv->clone, cpu); + free_percpu(priv->clone->scratch); +diff --git a/net/netfilter/nft_set_pipapo.h b/net/netfilter/nft_set_pipapo.h +index de96e1a01dc0..30a3d092cd84 100644 +--- a/net/netfilter/nft_set_pipapo.h ++++ b/net/netfilter/nft_set_pipapo.h +@@ -133,10 +133,12 @@ struct nft_pipapo_field { + /** + * struct nft_pipapo_scratch - percpu data used for lookup and matching + * @map_index: Current working bitmap index, toggled between field matches ++ * @align_off: Offset to get the originally allocated address + * @map: store partial matching results during lookup + */ + struct nft_pipapo_scratch { + u8 map_index; ++ u32 align_off; + unsigned long map[]; + }; + +@@ -144,16 +146,12 @@ struct nft_pipapo_scratch { + * struct nft_pipapo_match - Data used for lookup and matching + * @field_count Amount of fields in set + * @scratch: Preallocated per-CPU maps for partial matching results +- * @scratch_aligned: Version of @scratch aligned to NFT_PIPAPO_ALIGN bytes + * @bsize_max: Maximum lookup table bucket size of all fields, in longs + * @rcu Matching data is swapped on commits + * @f: Fields, with lookup and mapping tables + */ + struct nft_pipapo_match { + int field_count; +-#ifdef NFT_PIPAPO_ALIGN +- struct nft_pipapo_scratch * __percpu *scratch_aligned; +-#endif + struct nft_pipapo_scratch * __percpu *scratch; + size_t bsize_max; + struct rcu_head rcu; +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index e608973587ee..0d9f8e79eb00 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -1141,7 +1141,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, + */ + kernel_fpu_begin_mask(0); + +- scratch = *raw_cpu_ptr(m->scratch_aligned); ++ scratch = *raw_cpu_ptr(m->scratch); + if (unlikely(!scratch)) { + kernel_fpu_end(); + return false; +-- +2.43.0 + diff --git a/queue-5.15/netfilter-nft_set_pipapo-store-index-in-scratch-maps.patch b/queue-5.15/netfilter-nft_set_pipapo-store-index-in-scratch-maps.patch new file mode 100644 index 00000000000..930b07fc18e --- /dev/null +++ b/queue-5.15/netfilter-nft_set_pipapo-store-index-in-scratch-maps.patch @@ -0,0 +1,266 @@ +From bef1e44f5d354be44d54d2b20b4b1f27db2bda1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Feb 2024 21:52:46 +0100 +Subject: netfilter: nft_set_pipapo: store index in scratch maps + +From: Florian Westphal + +[ Upstream commit 76313d1a4aa9e30d5b43dee5efd8bcd4d8250006 ] + +Pipapo needs a scratchpad area to keep state during matching. +This state can be large and thus cannot reside on stack. + +Each set preallocates percpu areas for this. + +On each match stage, one scratchpad half starts with all-zero and the other +is inited to all-ones. + +At the end of each stage, the half that starts with all-ones is +always zero. Before next field is tested, pointers to the two halves +are swapped, i.e. resmap pointer turns into fill pointer and vice versa. + +After the last field has been processed, pipapo stashes the +index toggle in a percpu variable, with assumption that next packet +will start with the all-zero half and sets all bits in the other to 1. + +This isn't reliable. + +There can be multiple sets and we can't be sure that the upper +and lower half of all set scratch map is always in sync (lookups +can be conditional), so one set might have swapped, but other might +not have been queried. + +Thus we need to keep the index per-set-and-cpu, just like the +scratchpad. + +Note that this bug fix is incomplete, there is a related issue. + +avx2 and normal implementation might use slightly different areas of the +map array space due to the avx2 alignment requirements, so +m->scratch (generic/fallback implementation) and ->scratch_aligned +(avx) may partially overlap. scratch and scratch_aligned are not distinct +objects, the latter is just the aligned address of the former. + +After this change, write to scratch_align->map_index may write to +scratch->map, so this issue becomes more prominent, we can set to 1 +a bit in the supposedly-all-zero area of scratch->map[]. + +A followup patch will remove the scratch_aligned and makes generic and +avx code use the same (aligned) area. + +Its done in a separate change to ease review. + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Reviewed-by: Stefano Brivio +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 41 ++++++++++++++++++----------- + net/netfilter/nft_set_pipapo.h | 14 ++++++++-- + net/netfilter/nft_set_pipapo_avx2.c | 15 +++++------ + 3 files changed, 44 insertions(+), 26 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 4e1cc31729b8..fbd0dbf9b965 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -342,9 +342,6 @@ + #include "nft_set_pipapo_avx2.h" + #include "nft_set_pipapo.h" + +-/* Current working bitmap index, toggled between field matches */ +-static DEFINE_PER_CPU(bool, nft_pipapo_scratch_index); +- + /** + * pipapo_refill() - For each set bit, set bits from selected mapping table item + * @map: Bitmap to be scanned for set bits +@@ -412,6 +409,7 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set, + const u32 *key, const struct nft_set_ext **ext) + { + struct nft_pipapo *priv = nft_set_priv(set); ++ struct nft_pipapo_scratch *scratch; + unsigned long *res_map, *fill_map; + u8 genmask = nft_genmask_cur(net); + const u8 *rp = (const u8 *)key; +@@ -422,15 +420,17 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set, + + local_bh_disable(); + +- map_index = raw_cpu_read(nft_pipapo_scratch_index); +- + m = rcu_dereference(priv->match); + + if (unlikely(!m || !*raw_cpu_ptr(m->scratch))) + goto out; + +- res_map = *raw_cpu_ptr(m->scratch) + (map_index ? m->bsize_max : 0); +- fill_map = *raw_cpu_ptr(m->scratch) + (map_index ? 0 : m->bsize_max); ++ scratch = *raw_cpu_ptr(m->scratch); ++ ++ map_index = scratch->map_index; ++ ++ res_map = scratch->map + (map_index ? m->bsize_max : 0); ++ fill_map = scratch->map + (map_index ? 0 : m->bsize_max); + + memset(res_map, 0xff, m->bsize_max * sizeof(*res_map)); + +@@ -460,7 +460,7 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set, + b = pipapo_refill(res_map, f->bsize, f->rules, fill_map, f->mt, + last); + if (b < 0) { +- raw_cpu_write(nft_pipapo_scratch_index, map_index); ++ scratch->map_index = map_index; + local_bh_enable(); + + return false; +@@ -477,7 +477,7 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set, + * current inactive bitmap is clean and can be reused as + * *next* bitmap (not initial) for the next packet. + */ +- raw_cpu_write(nft_pipapo_scratch_index, map_index); ++ scratch->map_index = map_index; + local_bh_enable(); + + return true; +@@ -1114,12 +1114,12 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone, + int i; + + for_each_possible_cpu(i) { +- unsigned long *scratch; ++ struct nft_pipapo_scratch *scratch; + #ifdef NFT_PIPAPO_ALIGN +- unsigned long *scratch_aligned; ++ void *scratch_aligned; + #endif +- +- scratch = kzalloc_node(bsize_max * sizeof(*scratch) * 2 + ++ scratch = kzalloc_node(struct_size(scratch, map, ++ bsize_max * 2) + + NFT_PIPAPO_ALIGN_HEADROOM, + GFP_KERNEL, cpu_to_node(i)); + if (!scratch) { +@@ -1138,7 +1138,16 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone, + *per_cpu_ptr(clone->scratch, i) = scratch; + + #ifdef NFT_PIPAPO_ALIGN +- scratch_aligned = NFT_PIPAPO_LT_ALIGN(scratch); ++ /* Align &scratch->map (not the struct itself): the extra ++ * %NFT_PIPAPO_ALIGN_HEADROOM bytes passed to kzalloc_node() ++ * above guarantee we can waste up to those bytes in order ++ * to align the map field regardless of its offset within ++ * the struct. ++ */ ++ BUILD_BUG_ON(offsetof(struct nft_pipapo_scratch, map) > NFT_PIPAPO_ALIGN_HEADROOM); ++ ++ scratch_aligned = NFT_PIPAPO_LT_ALIGN(&scratch->map); ++ scratch_aligned -= offsetof(struct nft_pipapo_scratch, map); + *per_cpu_ptr(clone->scratch_aligned, i) = scratch_aligned; + #endif + } +@@ -2132,7 +2141,7 @@ static int nft_pipapo_init(const struct nft_set *set, + m->field_count = field_count; + m->bsize_max = 0; + +- m->scratch = alloc_percpu(unsigned long *); ++ m->scratch = alloc_percpu(struct nft_pipapo_scratch *); + if (!m->scratch) { + err = -ENOMEM; + goto out_scratch; +@@ -2141,7 +2150,7 @@ static int nft_pipapo_init(const struct nft_set *set, + *per_cpu_ptr(m->scratch, i) = NULL; + + #ifdef NFT_PIPAPO_ALIGN +- m->scratch_aligned = alloc_percpu(unsigned long *); ++ m->scratch_aligned = alloc_percpu(struct nft_pipapo_scratch *); + if (!m->scratch_aligned) { + err = -ENOMEM; + goto out_free; +diff --git a/net/netfilter/nft_set_pipapo.h b/net/netfilter/nft_set_pipapo.h +index 25a75591583e..de96e1a01dc0 100644 +--- a/net/netfilter/nft_set_pipapo.h ++++ b/net/netfilter/nft_set_pipapo.h +@@ -130,6 +130,16 @@ struct nft_pipapo_field { + union nft_pipapo_map_bucket *mt; + }; + ++/** ++ * struct nft_pipapo_scratch - percpu data used for lookup and matching ++ * @map_index: Current working bitmap index, toggled between field matches ++ * @map: store partial matching results during lookup ++ */ ++struct nft_pipapo_scratch { ++ u8 map_index; ++ unsigned long map[]; ++}; ++ + /** + * struct nft_pipapo_match - Data used for lookup and matching + * @field_count Amount of fields in set +@@ -142,9 +152,9 @@ struct nft_pipapo_field { + struct nft_pipapo_match { + int field_count; + #ifdef NFT_PIPAPO_ALIGN +- unsigned long * __percpu *scratch_aligned; ++ struct nft_pipapo_scratch * __percpu *scratch_aligned; + #endif +- unsigned long * __percpu *scratch; ++ struct nft_pipapo_scratch * __percpu *scratch; + size_t bsize_max; + struct rcu_head rcu; + struct nft_pipapo_field f[]; +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index 6f4116e72958..e608973587ee 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -71,9 +71,6 @@ + #define NFT_PIPAPO_AVX2_ZERO(reg) \ + asm volatile("vpxor %ymm" #reg ", %ymm" #reg ", %ymm" #reg) + +-/* Current working bitmap index, toggled between field matches */ +-static DEFINE_PER_CPU(bool, nft_pipapo_avx2_scratch_index); +- + /** + * nft_pipapo_avx2_prepare() - Prepare before main algorithm body + * +@@ -1122,11 +1119,12 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, + const u32 *key, const struct nft_set_ext **ext) + { + struct nft_pipapo *priv = nft_set_priv(set); +- unsigned long *res, *fill, *scratch; ++ struct nft_pipapo_scratch *scratch; + u8 genmask = nft_genmask_cur(net); + const u8 *rp = (const u8 *)key; + struct nft_pipapo_match *m; + struct nft_pipapo_field *f; ++ unsigned long *res, *fill; + bool map_index; + int i, ret = 0; + +@@ -1148,10 +1146,11 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, + kernel_fpu_end(); + return false; + } +- map_index = raw_cpu_read(nft_pipapo_avx2_scratch_index); + +- res = scratch + (map_index ? m->bsize_max : 0); +- fill = scratch + (map_index ? 0 : m->bsize_max); ++ map_index = scratch->map_index; ++ ++ res = scratch->map + (map_index ? m->bsize_max : 0); ++ fill = scratch->map + (map_index ? 0 : m->bsize_max); + + /* Starting map doesn't need to be set for this implementation */ + +@@ -1223,7 +1222,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, + + out: + if (i % 2) +- raw_cpu_write(nft_pipapo_avx2_scratch_index, !map_index); ++ scratch->map_index = !map_index; + kernel_fpu_end(); + + return ret >= 0; +-- +2.43.0 + diff --git a/queue-5.15/octeontx2-pf-fix-a-memleak-otx2_sq_init.patch b/queue-5.15/octeontx2-pf-fix-a-memleak-otx2_sq_init.patch new file mode 100644 index 00000000000..3ef2e7fbfcf --- /dev/null +++ b/queue-5.15/octeontx2-pf-fix-a-memleak-otx2_sq_init.patch @@ -0,0 +1,57 @@ +From 5c1b4ca428ff057cdc7857f8fadeed1a434f0c4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 20:47:13 +0800 +Subject: octeontx2-pf: Fix a memleak otx2_sq_init + +From: Zhipeng Lu + +[ Upstream commit b09b58e31b0f43d76f79b9943da3fb7c2843dcbb ] + +When qmem_alloc and pfvf->hw_ops->sq_aq_init fails, sq->sg should be +freed to prevent memleak. + +Fixes: c9c12d339d93 ("octeontx2-pf: Add support for PTP clock") +Signed-off-by: Zhipeng Lu +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/nic/otx2_common.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +index 572c981171ba..6b024d29eaf3 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +@@ -856,8 +856,11 @@ static int otx2_sq_init(struct otx2_nic *pfvf, u16 qidx, u16 sqb_aura) + if (pfvf->ptp) { + err = qmem_alloc(pfvf->dev, &sq->timestamps, qset->sqe_cnt, + sizeof(*sq->timestamps)); +- if (err) ++ if (err) { ++ kfree(sq->sg); ++ sq->sg = NULL; + return err; ++ } + } + + sq->head = 0; +@@ -872,7 +875,14 @@ static int otx2_sq_init(struct otx2_nic *pfvf, u16 qidx, u16 sqb_aura) + sq->stats.bytes = 0; + sq->stats.pkts = 0; + +- return pfvf->hw_ops->sq_aq_init(pfvf, qidx, sqb_aura); ++ err = pfvf->hw_ops->sq_aq_init(pfvf, qidx, sqb_aura); ++ if (err) { ++ kfree(sq->sg); ++ sq->sg = NULL; ++ return err; ++ } ++ ++ return 0; + + } + +-- +2.43.0 + diff --git a/queue-5.15/ppp_async-limit-mru-to-64k.patch b/queue-5.15/ppp_async-limit-mru-to-64k.patch new file mode 100644 index 00000000000..f1186a5ddae --- /dev/null +++ b/queue-5.15/ppp_async-limit-mru-to-64k.patch @@ -0,0 +1,91 @@ +From 59cb8f3e8284f601d222cd13716a2e8adcdc3735 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Feb 2024 17:10:04 +0000 +Subject: ppp_async: limit MRU to 64K + +From: Eric Dumazet + +[ Upstream commit cb88cb53badb8aeb3955ad6ce80b07b598e310b8 ] + +syzbot triggered a warning [1] in __alloc_pages(): + +WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp) + +Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K") + +Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU) + +[1]: + + WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 +Modules linked in: +CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 +Workqueue: events_unbound flush_to_ldisc +pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 + lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537 +sp : ffff800093967580 +x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000 +x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0 +x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8 +x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120 +x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005 +x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000 +x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001 +x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f +x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020 +x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0 +Call trace: + __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 + __alloc_pages_node include/linux/gfp.h:238 [inline] + alloc_pages_node include/linux/gfp.h:261 [inline] + __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926 + __do_kmalloc_node mm/slub.c:3969 [inline] + __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001 + kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590 + __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651 + __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715 + netdev_alloc_skb include/linux/skbuff.h:3235 [inline] + dev_alloc_skb include/linux/skbuff.h:3248 [inline] + ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline] + ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341 + tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390 + tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37 + receive_buf drivers/tty/tty_buffer.c:444 [inline] + flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494 + process_one_work+0x694/0x1204 kernel/workqueue.c:2633 + process_scheduled_works kernel/workqueue.c:2706 [inline] + worker_thread+0x938/0xef4 kernel/workqueue.c:2787 + kthread+0x288/0x310 kernel/kthread.c:388 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+c5da1f087c9e4ec6c933@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20240205171004.1059724-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_async.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c +index 29a93d6bfe37..4a5c749ba223 100644 +--- a/drivers/net/ppp/ppp_async.c ++++ b/drivers/net/ppp/ppp_async.c +@@ -471,6 +471,10 @@ ppp_async_ioctl(struct ppp_channel *chan, unsigned int cmd, unsigned long arg) + case PPPIOCSMRU: + if (get_user(val, p)) + break; ++ if (val > U16_MAX) { ++ err = -EINVAL; ++ break; ++ } + if (val < PPP_MRU) + val = PPP_MRU; + ap->mru = val; +-- +2.43.0 + diff --git a/queue-5.15/rxrpc-fix-response-to-ping-response-acks-to-a-dead-c.patch b/queue-5.15/rxrpc-fix-response-to-ping-response-acks-to-a-dead-c.patch new file mode 100644 index 00000000000..e70a1f11f5b --- /dev/null +++ b/queue-5.15/rxrpc-fix-response-to-ping-response-acks-to-a-dead-c.patch @@ -0,0 +1,50 @@ +From 8f812cdc51b7b938bd83e2907878b9fdccf684a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 15:19:15 +0000 +Subject: rxrpc: Fix response to PING RESPONSE ACKs to a dead call + +From: David Howells + +[ Upstream commit 6f769f22822aa4124b556339781b04d810f0e038 ] + +Stop rxrpc from sending a DUP ACK in response to a PING RESPONSE ACK on a +dead call. We may have initiated the ping but the call may have beaten the +response to completion. + +Fixes: 18bfeba50dfd ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor") +Signed-off-by: David Howells +cc: Marc Dionne +cc: "David S. Miller" +cc: Eric Dumazet +cc: Jakub Kicinski +cc: Paolo Abeni +cc: linux-afs@lists.infradead.org +cc: netdev@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/conn_event.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c +index aab069701398..5d91ef562ff7 100644 +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -41,6 +41,14 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn, + + _enter("%d", conn->debug_id); + ++ if (sp && sp->hdr.type == RXRPC_PACKET_TYPE_ACK) { ++ if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), ++ &pkt.ack, sizeof(pkt.ack)) < 0) ++ return; ++ if (pkt.ack.reason == RXRPC_ACK_PING_RESPONSE) ++ return; ++ } ++ + chan = &conn->channels[channel]; + + /* If the last call got moved on whilst we were waiting to run, just +-- +2.43.0 + diff --git a/queue-5.15/scsi-core-move-scsi_host_busy-out-of-host-lock-if-it.patch b/queue-5.15/scsi-core-move-scsi_host_busy-out-of-host-lock-if-it.patch new file mode 100644 index 00000000000..fb67c1e3942 --- /dev/null +++ b/queue-5.15/scsi-core-move-scsi_host_busy-out-of-host-lock-if-it.patch @@ -0,0 +1,69 @@ +From ce9321ad94b67c553aa54021e1d75c4a6bef8695 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Feb 2024 10:45:21 +0800 +Subject: scsi: core: Move scsi_host_busy() out of host lock if it is for + per-command + +From: Ming Lei + +[ Upstream commit 4e6c9011990726f4d175e2cdfebe5b0b8cce4839 ] + +Commit 4373534a9850 ("scsi: core: Move scsi_host_busy() out of host lock +for waking up EH handler") intended to fix a hard lockup issue triggered by +EH. The core idea was to move scsi_host_busy() out of the host lock when +processing individual commands for EH. However, a suggested style change +inadvertently caused scsi_host_busy() to remain under the host lock. Fix +this by calling scsi_host_busy() outside the lock. + +Fixes: 4373534a9850 ("scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler") +Cc: Sathya Prakash Veerichetty +Cc: Bart Van Assche +Cc: Ewan D. Milne +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20240203024521.2006455-1-ming.lei@redhat.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_error.c | 3 ++- + drivers/scsi/scsi_lib.c | 4 +++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c +index ffd3d8df3d82..2d5dc488f511 100644 +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -276,11 +276,12 @@ static void scsi_eh_inc_host_failed(struct rcu_head *head) + { + struct scsi_cmnd *scmd = container_of(head, typeof(*scmd), rcu); + struct Scsi_Host *shost = scmd->device->host; ++ unsigned int busy = scsi_host_busy(shost); + unsigned long flags; + + spin_lock_irqsave(shost->host_lock, flags); + shost->host_failed++; +- scsi_eh_wakeup(shost, scsi_host_busy(shost)); ++ scsi_eh_wakeup(shost, busy); + spin_unlock_irqrestore(shost->host_lock, flags); + } + +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index e9ab87335115..0389bf281f4b 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -281,9 +281,11 @@ static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd) + rcu_read_lock(); + __clear_bit(SCMD_STATE_INFLIGHT, &cmd->state); + if (unlikely(scsi_host_in_recovery(shost))) { ++ unsigned int busy = scsi_host_busy(shost); ++ + spin_lock_irqsave(shost->host_lock, flags); + if (shost->host_failed || shost->host_eh_scheduled) +- scsi_eh_wakeup(shost, scsi_host_busy(shost)); ++ scsi_eh_wakeup(shost, busy); + spin_unlock_irqrestore(shost->host_lock, flags); + } + rcu_read_unlock(); +-- +2.43.0 + diff --git a/queue-5.15/selftests-net-avoid-just-another-constant-wait.patch b/queue-5.15/selftests-net-avoid-just-another-constant-wait.patch new file mode 100644 index 00000000000..effde168126 --- /dev/null +++ b/queue-5.15/selftests-net-avoid-just-another-constant-wait.patch @@ -0,0 +1,69 @@ +From 98ef3c9dc1ebb34220152317a7cf2029a95dc799 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 19:42:41 +0100 +Subject: selftests: net: avoid just another constant wait + +From: Paolo Abeni + +[ Upstream commit 691bb4e49c98a47bc643dd808453136ce78b15b4 ] + +Using hard-coded constant timeout to wait for some expected +event is deemed to fail sooner or later, especially in slow +env. + +Our CI has spotted another of such race: + # TEST: ipv6: cleanup of cached exceptions - nexthop objects [FAIL] + # can't delete veth device in a timely manner, PMTU dst likely leaked + +Replace the crude sleep with a loop looking for the expected condition +at low interval for a much longer range. + +Fixes: b3cc4f8a8a41 ("selftests: pmtu: add explicit tests for PMTU exceptions cleanup") +Signed-off-by: Paolo Abeni +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/fd5c745e9bb665b724473af6a9373a8c2a62b247.1706812005.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/pmtu.sh | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/net/pmtu.sh b/tools/testing/selftests/net/pmtu.sh +index 8797f7b5fb83..31e3d0db7a12 100755 +--- a/tools/testing/selftests/net/pmtu.sh ++++ b/tools/testing/selftests/net/pmtu.sh +@@ -1795,6 +1795,13 @@ check_command() { + return 0 + } + ++check_running() { ++ pid=${1} ++ cmd=${2} ++ ++ [ "$(cat /proc/${pid}/cmdline 2>/dev/null | tr -d '\0')" = "{cmd}" ] ++} ++ + test_cleanup_vxlanX_exception() { + outer="${1}" + encap="vxlan" +@@ -1825,11 +1832,12 @@ test_cleanup_vxlanX_exception() { + + ${ns_a} ip link del dev veth_A-R1 & + iplink_pid=$! +- sleep 1 +- if [ "$(cat /proc/${iplink_pid}/cmdline 2>/dev/null | tr -d '\0')" = "iplinkdeldevveth_A-R1" ]; then +- err " can't delete veth device in a timely manner, PMTU dst likely leaked" +- return 1 +- fi ++ for i in $(seq 1 20); do ++ check_running ${iplink_pid} "iplinkdeldevveth_A-R1" || return 0 ++ sleep 0.1 ++ done ++ err " can't delete veth device in a timely manner, PMTU dst likely leaked" ++ return 1 + } + + test_cleanup_ipv6_exception() { +-- +2.43.0 + diff --git a/queue-5.15/selftests-net-cut-more-slack-for-gro-fwd-tests.patch b/queue-5.15/selftests-net-cut-more-slack-for-gro-fwd-tests.patch new file mode 100644 index 00000000000..2349fe592f0 --- /dev/null +++ b/queue-5.15/selftests-net-cut-more-slack-for-gro-fwd-tests.patch @@ -0,0 +1,100 @@ +From 6a4a17cd5c61309f89be48f9a2a6b25b5579e3a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 19:42:38 +0100 +Subject: selftests: net: cut more slack for gro fwd tests. + +From: Paolo Abeni + +[ Upstream commit cb9f4a30fb85e1f4f149ada595a67899adb3db19 ] + +The udpgro_fwd.sh self-tests are somewhat unstable. There are +a few timing constraints the we struggle to meet on very slow +environments. + +Instead of skipping the whole tests in such envs, increase the +test resilience WRT very slow hosts: increase the inter-packets +timeouts, avoid resetting the counters every second and finally +disable reduce the background traffic noise. + +Tested with: + +for I in $(seq 1 100); do + ./tools/testing/selftests/kselftest_install/run_kselftest.sh \ + -t net:udpgro_fwd.sh || exit -1 +done + +in a slow environment. + +Fixes: a062260a9d5f ("selftests: net: add UDP GRO forwarding self-tests") +Signed-off-by: Paolo Abeni +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/f4b6b11064a0d39182a9ae6a853abae3e9b4426a.1706812005.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgro_fwd.sh | 14 ++++++++++++-- + tools/testing/selftests/net/udpgso_bench_rx.c | 2 +- + 2 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/net/udpgro_fwd.sh b/tools/testing/selftests/net/udpgro_fwd.sh +index 1bcd82e1f662..fa5aa588e53f 100755 +--- a/tools/testing/selftests/net/udpgro_fwd.sh ++++ b/tools/testing/selftests/net/udpgro_fwd.sh +@@ -36,6 +36,10 @@ create_ns() { + for ns in $NS_SRC $NS_DST; do + ip netns add $ns + ip -n $ns link set dev lo up ++ ++ # disable route solicitations to decrease 'noise' traffic ++ ip netns exec $ns sysctl -qw net.ipv6.conf.default.router_solicitations=0 ++ ip netns exec $ns sysctl -qw net.ipv6.conf.all.router_solicitations=0 + done + + ip link add name veth$SRC type veth peer name veth$DST +@@ -77,6 +81,12 @@ create_vxlan_pair() { + create_vxlan_endpoint $BASE$ns veth$ns $BM_NET_V6$((3 - $ns)) vxlan6$ns 6 + ip -n $BASE$ns addr add dev vxlan6$ns $OL_NET_V6$ns/24 nodad + done ++ ++ # preload neighbur cache, do avoid some noisy traffic ++ local addr_dst=$(ip -j -n $BASE$DST link show dev vxlan6$DST |jq -r '.[]["address"]') ++ local addr_src=$(ip -j -n $BASE$SRC link show dev vxlan6$SRC |jq -r '.[]["address"]') ++ ip -n $BASE$DST neigh add dev vxlan6$DST lladdr $addr_src $OL_NET_V6$SRC ++ ip -n $BASE$SRC neigh add dev vxlan6$SRC lladdr $addr_dst $OL_NET_V6$DST + } + + is_ipv6() { +@@ -116,7 +126,7 @@ run_test() { + # not enable GRO + ip netns exec $NS_DST $ipt -A INPUT -p udp --dport 4789 + ip netns exec $NS_DST $ipt -A INPUT -p udp --dport 8000 +- ip netns exec $NS_DST ./udpgso_bench_rx -C 1000 -R 10 -n 10 -l 1300 $rx_args & ++ ip netns exec $NS_DST ./udpgso_bench_rx -C 2000 -R 100 -n 10 -l 1300 $rx_args & + local spid=$! + sleep 0.1 + ip netns exec $NS_SRC ./udpgso_bench_tx $family -M 1 -s 13000 -S 1300 -D $dst +@@ -165,7 +175,7 @@ run_bench() { + # bind the sender and the receiver to different CPUs to try + # get reproducible results + ip netns exec $NS_DST bash -c "echo 2 > /sys/class/net/veth$DST/queues/rx-0/rps_cpus" +- ip netns exec $NS_DST taskset 0x2 ./udpgso_bench_rx -C 1000 -R 10 & ++ ip netns exec $NS_DST taskset 0x2 ./udpgso_bench_rx -C 2000 -R 100 & + local spid=$! + sleep 0.1 + ip netns exec $NS_SRC taskset 0x1 ./udpgso_bench_tx $family -l 3 -S 1300 -D $dst +diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c +index f35a924d4a30..1cbadd267c96 100644 +--- a/tools/testing/selftests/net/udpgso_bench_rx.c ++++ b/tools/testing/selftests/net/udpgso_bench_rx.c +@@ -375,7 +375,7 @@ static void do_recv(void) + do_flush_udp(fd); + + tnow = gettimeofday_ms(); +- if (tnow > treport) { ++ if (!cfg_expected_pkt_nr && tnow > treport) { + if (packets) + fprintf(stderr, + "%s rx: %6lu MB/s %8lu calls/s\n", +-- +2.43.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 55e7d7b3f9e..8cde13d2c77 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -308,3 +308,28 @@ dmaengine-fsl-qdma-fix-a-memory-leak-related-to-the-.patch-14066 phy-renesas-rcar-gen3-usb2-fix-returning-wrong-error.patch dmaengine-fix-is_slave_direction-return-false-when-d.patch phy-ti-phy-omap-usb2-fix-null-pointer-dereference-fo.patch +drm-msm-dp-return-correct-colorimetry-for-dp_test_dy.patch +net-stmmac-xgmac-fix-handling-of-dpp-safety-error-fo.patch +selftests-net-cut-more-slack-for-gro-fwd-tests.patch +selftests-net-avoid-just-another-constant-wait.patch +tunnels-fix-out-of-bounds-access-when-building-ipv6-.patch +atm-idt77252-fix-a-memleak-in-open_card_ubr0.patch +octeontx2-pf-fix-a-memleak-otx2_sq_init.patch +hwmon-aspeed-pwm-tacho-mutex-for-tach-reading.patch +hwmon-coretemp-fix-out-of-bounds-memory-access.patch +hwmon-coretemp-fix-bogus-core_id-to-attr-name-mappin.patch +inet-read-sk-sk_family-once-in-inet_recv_error.patch +rxrpc-fix-response-to-ping-response-acks-to-a-dead-c.patch +tipc-check-the-bearer-type-before-calling-tipc_udp_n.patch +af_unix-call-kfree_skb-for-dead-unix_-sk-oob_skb-in-.patch +ppp_async-limit-mru-to-64k.patch +netfilter-nft_compat-reject-unused-compat-flag.patch +netfilter-nft_compat-restrict-match-target-protocol-.patch +drm-amd-display-fix-multiple-memory-leaks-reported-b.patch +drm-amd-display-implement-bounds-check-for-stream-en.patch +netfilter-nft_ct-reject-direction-for-ct-id.patch +netfilter-nft_set_pipapo-store-index-in-scratch-maps.patch +netfilter-nft_set_pipapo-add-helper-to-release-pcpu-.patch +netfilter-nft_set_pipapo-remove-scratch_aligned-poin.patch +fs-ntfs3-fix-an-null-dereference-bug.patch +scsi-core-move-scsi_host_busy-out-of-host-lock-if-it.patch diff --git a/queue-5.15/tipc-check-the-bearer-type-before-calling-tipc_udp_n.patch b/queue-5.15/tipc-check-the-bearer-type-before-calling-tipc_udp_n.patch new file mode 100644 index 00000000000..dded05221f6 --- /dev/null +++ b/queue-5.15/tipc-check-the-bearer-type-before-calling-tipc_udp_n.patch @@ -0,0 +1,80 @@ +From dd44c4fda3fdd71c5d78aed24ab1693b8536133b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 00:23:09 +0900 +Subject: tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() + +From: Shigeru Yoshida + +[ Upstream commit 3871aa01e1a779d866fa9dfdd5a836f342f4eb87 ] + +syzbot reported the following general protection fault [1]: + +general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087] +... +RIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291 +... +Call Trace: + + tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646 + tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089 + genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972 + genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline] + genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067 + netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 + netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] + netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367 + netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0xd5/0x180 net/socket.c:745 + ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584 + ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638 + __sys_sendmsg+0x117/0x1e0 net/socket.c:2667 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +The cause of this issue is that when tipc_nl_bearer_add() is called with +the TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called +even if the bearer is not UDP. + +tipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that +the media_ptr field of the tipc_bearer has an udp_bearer type object, so +the function goes crazy for non-UDP bearers. + +This patch fixes the issue by checking the bearer type before calling +tipc_udp_nl_bearer_add() in tipc_nl_bearer_add(). + +Fixes: ef20cd4dd163 ("tipc: introduce UDP replicast") +Reported-and-tested-by: syzbot+5142b87a9abc510e14fa@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5142b87a9abc510e14fa [1] +Signed-off-by: Shigeru Yoshida +Reviewed-by: Tung Nguyen +Link: https://lore.kernel.org/r/20240131152310.4089541-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index dcbae29aa7e0..17e8e6e3670a 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -1088,6 +1088,12 @@ int tipc_nl_bearer_add(struct sk_buff *skb, struct genl_info *info) + + #ifdef CONFIG_TIPC_MEDIA_UDP + if (attrs[TIPC_NLA_BEARER_UDP_OPTS]) { ++ if (b->media->type_id != TIPC_MEDIA_TYPE_UDP) { ++ rtnl_unlock(); ++ NL_SET_ERR_MSG(info->extack, "UDP option is unsupported"); ++ return -EINVAL; ++ } ++ + err = tipc_udp_nl_bearer_add(b, + attrs[TIPC_NLA_BEARER_UDP_OPTS]); + if (err) { +-- +2.43.0 + diff --git a/queue-5.15/tunnels-fix-out-of-bounds-access-when-building-ipv6-.patch b/queue-5.15/tunnels-fix-out-of-bounds-access-when-building-ipv6-.patch new file mode 100644 index 00000000000..6dd42276a0d --- /dev/null +++ b/queue-5.15/tunnels-fix-out-of-bounds-access-when-building-ipv6-.patch @@ -0,0 +1,54 @@ +From 78f1589a403faf28526e6a99268fbe9c520e8cbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 09:38:15 +0100 +Subject: tunnels: fix out of bounds access when building IPv6 PMTU error + +From: Antoine Tenart + +[ Upstream commit d75abeec401f8c86b470e7028a13fcdc87e5dd06 ] + +If the ICMPv6 error is built from a non-linear skb we get the following +splat, + + BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240 + Read of size 4 at addr ffff88811d402c80 by task netperf/820 + CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543 + ... + kasan_report+0xd8/0x110 + do_csum+0x220/0x240 + csum_partial+0xc/0x20 + skb_tunnel_check_pmtu+0xeb9/0x3280 + vxlan_xmit_one+0x14c2/0x4080 + vxlan_xmit+0xf61/0x5c00 + dev_hard_start_xmit+0xfb/0x510 + __dev_queue_xmit+0x7cd/0x32a0 + br_dev_queue_push_xmit+0x39d/0x6a0 + +Use skb_checksum instead of csum_partial who cannot deal with non-linear +SKBs. + +Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets") +Signed-off-by: Antoine Tenart +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_tunnel_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index d3275d1ed260..50ddbd7021f0 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -332,7 +332,7 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu) + }; + skb_reset_network_header(skb); + +- csum = csum_partial(icmp6h, len, 0); ++ csum = skb_checksum(skb, skb_transport_offset(skb), len, 0); + icmp6h->icmp6_cksum = csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr, len, + IPPROTO_ICMPV6, csum); + +-- +2.43.0 +