From: Greg Kroah-Hartman Date: Mon, 4 Jul 2022 13:25:37 +0000 (+0200) Subject: 5.18-stable patches X-Git-Tag: v4.9.322~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3a5efa9d3d0c3c35979accbd1fd8433eaae28150;p=thirdparty%2Fkernel%2Fstable-queue.git 5.18-stable patches added patches: caif_virtio-fix-race-between-virtio_device_ready-and-ndo_open.patch cpufreq-qcom-hw-don-t-do-lmh-things-without-a-throttle-interrupt.patch epic100-fix-use-after-free-on-rmmod.patch io_uring-ensure-that-send-sendmsg-and-recv-recvmsg-check-sqe-ioprio.patch lib-sbitmap-fix-invalid-loop-in-__sbitmap_queue_get_batch.patch net-asix-fix-can-t-send-until-first-packet-is-send-issue.patch net-bonding-fix-possible-null-deref-in-rlb-code.patch net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch net-dsa-felix-fix-race-between-reading-psfp-stats-and-port-stats.patch net-dsa-hirschmann-add-missing-of_node_get-in-hellcreek_led_setup.patch net-phy-ax88772a-fix-lost-pause-advertisement-configuration.patch net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch netfilter-nft_dynset-restore-set-element-counter-when-failing-to-update.patch nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch nfc-nxp-nci-don-t-issue-a-zero-length-i2c_master_read.patch nvmet-tcp-fix-regression-in-data_digest-calculation.patch platform-x86-ideapad-laptop-add-ideapad-5-15itl05-to-ideapad_dytc_v4_allow_table.patch platform-x86-thinkpad_acpi-fix-a-memory-leak-of-efch-mmio-resource.patch pm-devfreq-exynos-ppmu-fix-refcount-leak-in-of_get_devfreq_events.patch powerpc-memhotplug-add-add_pages-override-for-ppc.patch s390-remove-unneeded-select-build_bin2c.patch selftests-net-fix-kselftest-net-fatal-error.patch tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch tipc-move-bc-link-creation-back-to-tipc_node_create.patch vdpa-mlx5-update-control-vq-callback-information.patch vfs-fix-copy_file_range-regression-in-cross-fs-copies.patch --- 
diff --git a/queue-5.18/caif_virtio-fix-race-between-virtio_device_ready-and-ndo_open.patch b/queue-5.18/caif_virtio-fix-race-between-virtio_device_ready-and-ndo_open.patch
new file mode 100644
index 00000000000..558e31edbd9
--- /dev/null
+++ b/queue-5.18/caif_virtio-fix-race-between-virtio_device_ready-and-ndo_open.patch
@@ -0,0 +1,54 @@ +From 11a37eb66812ce6a06b79223ad530eb0e1d7294d Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Mon, 20 Jun 2022 13:11:14 +0800 +Subject: caif_virtio: fix race between virtio_device_ready() and ndo_open() + +From: Jason Wang + +commit 11a37eb66812ce6a06b79223ad530eb0e1d7294d upstream. + +We currently depend on probe() calling virtio_device_ready() - +which happens after netdev +registration. Since ndo_open() can be called immediately +after register_netdev, this means there exists a race between +ndo_open() and virtio_device_ready(): the driver may start to use the +device (e.g. TX) before DRIVER_OK which violates the spec. + +Fix this by switching to use register_netdevice() and protect the +virtio_device_ready() with rtnl_lock() to make sure ndo_open() can +only be called after virtio_device_ready(). + +Fixes: 0d2e1a2926b18 ("caif_virtio: Introduce caif over virtio") +Signed-off-by: Jason Wang +Message-Id: <20220620051115.3142-3-jasowang@redhat.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/caif/caif_virtio.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/net/caif/caif_virtio.c ++++ b/drivers/net/caif/caif_virtio.c +@@ -721,13 +721,21 @@ static int cfv_probe(struct virtio_devic + /* Carrier is off until netdevice is opened */ + netif_carrier_off(netdev); + ++ /* serialize netdev register + virtio_device_ready() with ndo_open() */ ++ rtnl_lock(); ++ + /* register Netdev */ +- err = register_netdev(netdev); ++ err = register_netdevice(netdev); + if (err) { ++ rtnl_unlock(); + dev_err(&vdev->dev, "Unable to register netdev (%d)\n", err); + goto err; + } + ++ virtio_device_ready(vdev); ++ ++ rtnl_unlock(); ++ + debugfs_init(cfv); + + return 0; 
diff --git a/queue-5.18/cpufreq-qcom-hw-don-t-do-lmh-things-without-a-throttle-interrupt.patch b/queue-5.18/cpufreq-qcom-hw-don-t-do-lmh-things-without-a-throttle-interrupt.patch
new file mode 100644
index 00000000000..531cc760b0b
--- /dev/null
+++ b/queue-5.18/cpufreq-qcom-hw-don-t-do-lmh-things-without-a-throttle-interrupt.patch
@@ -0,0 +1,59 @@ +From 668a7a12ded7077d4fd7ad1305667e559907e5bb Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Thu, 16 Jun 2022 15:45:31 -0700 +Subject: cpufreq: qcom-hw: Don't do lmh things without a throttle interrupt + +From: Stephen Boyd + +commit 668a7a12ded7077d4fd7ad1305667e559907e5bb upstream. + +Offlining cpu6 and cpu7 and then onlining cpu6 hangs on +sc7180-trogdor-lazor because the throttle interrupt doesn't exist. +Similarly, things go sideways when suspend/resume runs. That's because +the qcom_cpufreq_hw_cpu_online() and qcom_cpufreq_hw_lmh_exit() +functions are calling genirq APIs with an interrupt value of '-6', i.e. +-ENXIO, and that isn't good. + +Check the value of the throttle interrupt like we already do in other +functions in this file and bail out early from lmh code to fix the hang. + +Reported-by: Rob Clark +Cc: Vladimir Zapolskiy +Cc: Bjorn Andersson +Cc: Dmitry Baryshkov +Fixes: a1eb080a0447 ("cpufreq: qcom-hw: provide online/offline operations") +Signed-off-by: Stephen Boyd +Reviewed-by: Vladimir Zapolskiy +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/qcom-cpufreq-hw.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/cpufreq/qcom-cpufreq-hw.c b/drivers/cpufreq/qcom-cpufreq-hw.c +index 0253731d6d25..36c79580fba2 100644 +--- a/drivers/cpufreq/qcom-cpufreq-hw.c ++++ b/drivers/cpufreq/qcom-cpufreq-hw.c +@@ -442,6 +442,9 @@ static int qcom_cpufreq_hw_cpu_online(struct cpufreq_policy *policy) + struct platform_device *pdev = cpufreq_get_driver_data(); + int ret; + ++ if (data->throttle_irq <= 0) ++ return 0; ++ + ret = irq_set_affinity_hint(data->throttle_irq, policy->cpus); + if (ret) + dev_err(&pdev->dev, "Failed to set CPU affinity of %s[%d]\n", +@@ -469,6 +472,9 @@ static int qcom_cpufreq_hw_cpu_offline(struct cpufreq_policy *policy) + + static void qcom_cpufreq_hw_lmh_exit(struct qcom_cpufreq_data *data) + { ++ if (data->throttle_irq <= 0) ++ return; ++ + 
free_irq(data->throttle_irq, data); + } + +-- +2.37.0 + diff --git a/queue-5.18/epic100-fix-use-after-free-on-rmmod.patch b/queue-5.18/epic100-fix-use-after-free-on-rmmod.patch new file mode 100644 index 00000000000..ddde8ff1d80 --- /dev/null +++ b/queue-5.18/epic100-fix-use-after-free-on-rmmod.patch @@ -0,0 +1,50 @@ +From 8ee9d82cd0a45e7d050ade598c9f33032a0f2891 Mon Sep 17 00:00:00 2001 +From: Tong Zhang +Date: Sun, 26 Jun 2022 21:33:48 -0700 +Subject: epic100: fix use after free on rmmod + +From: Tong Zhang + +commit 8ee9d82cd0a45e7d050ade598c9f33032a0f2891 upstream. + +epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one() +we already freed the dma buffer. To fix this issue, reorder function calls +like in the .probe function. + +BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100] +Call Trace: + epic_rx+0xa6/0x7e0 [epic100] + epic_close+0xec/0x2f0 [epic100] + unregister_netdev+0x18/0x20 + epic_remove_one+0xaa/0xf0 [epic100] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Yilun Wu +Signed-off-by: Tong Zhang +Reviewed-by: Francois Romieu +Link: https://lore.kernel.org/r/20220627043351.25615-1-ztong0001@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/smsc/epic100.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/smsc/epic100.c ++++ b/drivers/net/ethernet/smsc/epic100.c +@@ -1515,14 +1515,14 @@ static void epic_remove_one(struct pci_d + struct net_device *dev = pci_get_drvdata(pdev); + struct epic_private *ep = netdev_priv(dev); + ++ unregister_netdev(dev); + dma_free_coherent(&pdev->dev, TX_TOTAL_SIZE, ep->tx_ring, + ep->tx_ring_dma); + dma_free_coherent(&pdev->dev, RX_TOTAL_SIZE, ep->rx_ring, + ep->rx_ring_dma); +- unregister_netdev(dev); + pci_iounmap(pdev, ep->ioaddr); +- pci_release_regions(pdev); + free_netdev(dev); ++ pci_release_regions(pdev); + pci_disable_device(pdev); + /* pci_power_off(pdev, -1); */ + } 
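Review bot: The new `if (data->throttle_irq <= 0) return 0;` in qcom_cpufreq_hw_cpu_online() makes a missing throttle interrupt look like a successful online, which is what the description intends, but nothing at the call site says so; a comment such as `/* no LMH throttle interrupt on this platform: nothing to re-arm */` above the test would keep the next reader from treating it as a swallowed error. qcom_cpufreq_hw_cpu_offline() lies between the two hunks and is not visible here; if it does not already carry the same `throttle_irq <= 0` guard it needs one, since the description says the check mirrors the other functions in the file. The body of qcom_cpufreq_hw_lmh_exit() continues past the hunk with the `free_irq()` call.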
diff --git a/queue-5.18/io_uring-ensure-that-send-sendmsg-and-recv-recvmsg-check-sqe-ioprio.patch b/queue-5.18/io_uring-ensure-that-send-sendmsg-and-recv-recvmsg-check-sqe-ioprio.patch new file mode 100644 index 00000000000..e16e69aaf7b --- /dev/null +++ b/queue-5.18/io_uring-ensure-that-send-sendmsg-and-recv-recvmsg-check-sqe-ioprio.patch @@ -0,0 +1,44 @@ +From foo@baz Mon Jul 4 03:23:34 PM CEST 2022 +From: Jens Axboe +Date: Thu, 30 Jun 2022 14:38:45 -0600 +Subject: io_uring: ensure that send/sendmsg and recv/recvmsg check sqe->ioprio + +From: Jens Axboe + +commit 73911426aaaadbae54fa72359b33a7b6a56947db upstream. + +All other opcodes correctly check if this is set and -EINVAL if it is +and they don't support that field, for some reason the these were +forgotten. + +This was unified a bit differently in the upstream tree, but had the +same effect as making sure we error on this field. Rather than have +a painful backport of the upstream commit, just fixup the mentioned +opcodes. + +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -5254,7 +5254,7 @@ static int io_sendmsg_prep(struct io_kio + + if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL)) + return -EINVAL; +- if (unlikely(sqe->addr2 || sqe->file_index)) ++ if (unlikely(sqe->addr2 || sqe->file_index || sqe->ioprio)) + return -EINVAL; + + sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr)); +@@ -5467,7 +5467,7 @@ static int io_recvmsg_prep(struct io_kio + + if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL)) + return -EINVAL; +- if (unlikely(sqe->addr2 || sqe->file_index)) ++ if (unlikely(sqe->addr2 || sqe->file_index || sqe->ioprio)) + return -EINVAL; + + sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr)); 
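Review bot: The subject names four opcodes (send, sendmsg, recv, recvmsg) but the hunks touch only io_sendmsg_prep() and io_recvmsg_prep(), so the fix is complete only if IORING_OP_SEND and IORING_OP_RECV are routed through these same prep functions in the 5.18 tree, which the hunk does not show and which should be confirmed before the backport is queued. The added `sqe->ioprio` test reads the field directly, in the same way as the adjacent `sqe->addr2 || sqe->file_index` check, so the style is consistent with its surroundings. Both prep functions continue outside the hunks.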
diff --git a/queue-5.18/lib-sbitmap-fix-invalid-loop-in-__sbitmap_queue_get_batch.patch b/queue-5.18/lib-sbitmap-fix-invalid-loop-in-__sbitmap_queue_get_batch.patch
new file mode 100644
index 00000000000..ea30a0b6c66
--- /dev/null
+++ b/queue-5.18/lib-sbitmap-fix-invalid-loop-in-__sbitmap_queue_get_batch.patch
@@ -0,0 +1,56 @@ +From fbb564a557809466c171b95f8d593a0972450ff2 Mon Sep 17 00:00:00 2001 +From: wuchi +Date: Sun, 5 Jun 2022 22:58:35 +0800 +Subject: lib/sbitmap: Fix invalid loop in __sbitmap_queue_get_batch() + +From: wuchi + +commit fbb564a557809466c171b95f8d593a0972450ff2 upstream. + +1. Getting next index before continue branch. +2. Checking free bits when setting the target bits. Otherwise, +it may reuse the busying bits. + +Signed-off-by: wuchi +Reviewed-by: Martin Wilck +Link: https://lore.kernel.org/r/20220605145835.26916-1-wuchi.zero@gmail.com +Fixes: 9672b0d43782 ("sbitmap: add __sbitmap_queue_get_batch()") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + lib/sbitmap.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/sbitmap.c b/lib/sbitmap.c +index ae4fd4de9ebe..29eb0484215a 100644 +--- a/lib/sbitmap.c ++++ b/lib/sbitmap.c +@@ -528,7 +528,7 @@ unsigned long __sbitmap_queue_get_batch(struct sbitmap_queue *sbq, int nr_tags, + + sbitmap_deferred_clear(map); + if (map->word == (1UL << (map_depth - 1)) - 1) +- continue; ++ goto next; + + nr = find_first_zero_bit(&map->word, map_depth); + if (nr + nr_tags <= map_depth) { +@@ -539,6 +539,8 @@ unsigned long __sbitmap_queue_get_batch(struct sbitmap_queue *sbq, int nr_tags, + get_mask = ((1UL << map_tags) - 1) << nr; + do { + val = READ_ONCE(map->word); ++ if ((val & ~get_mask) != val) ++ goto next; + ret = atomic_long_cmpxchg(ptr, val, get_mask | val); + } while (ret != val); + get_mask = (get_mask & ~ret) >> nr; +@@ -549,6 +551,7 @@ unsigned long __sbitmap_queue_get_batch(struct sbitmap_queue *sbq, int nr_tags, + return get_mask; + } + } ++next: + /* Jump to next index. */ + if (++index >= sb->map_nr) + index = 0; +-- +2.37.0 + diff --git a/queue-5.18/net-asix-fix-can-t-send-until-first-packet-is-send-issue.patch b/queue-5.18/net-asix-fix-can-t-send-until-first-packet-is-send-issue.patch new file mode 100644 index 00000000000..ccf95bfe769 --- /dev/null 
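Review bot: With the new `if ((val & ~get_mask) != val) goto next;` inside the cmpxchg loop, the statement `get_mask = (get_mask & ~ret) >> nr;` that follows it is now redundant: the loop can only exit with `ret == val` and with no bit of `get_mask` set in `val`, so `get_mask & ~ret` is always `get_mask` and the line reduces to `get_mask >>= nr;`; keeping the old form suggests a partial-grab outcome that can no longer happen. Separately, the untouched test `map->word == (1UL << (map_depth - 1)) - 1` compares against a value with only bits 0..map_depth-2 set, i.e. a word whose single free bit is the top one, not a full word, so the skip it guards appears to fire for the wrong value unless map_depth is not the count of valid bits here; the commit does not address this. The enclosing loop of __sbitmap_queue_get_batch() starts and ends outside the hunk.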
+++ b/queue-5.18/net-asix-fix-can-t-send-until-first-packet-is-send-issue.patch @@ -0,0 +1,41 @@ +From 805206e66fab4ba1e0ebd19402006d62cd1d4902 Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Fri, 24 Jun 2022 09:51:38 +0200 +Subject: net: asix: fix "can't send until first packet is send" issue + +From: Oleksij Rempel + +commit 805206e66fab4ba1e0ebd19402006d62cd1d4902 upstream. + +If cable is attached after probe sequence, the usbnet framework would +not automatically start processing RX packets except at least one +packet was transmitted. + +On systems with any kind of address auto configuration this issue was +not detected, because some packets are send immediately after link state +is changed to "running". + +With this patch we will notify usbnet about link status change provided by the +PHYlib. + +Fixes: e532a096be0e ("net: usb: asix: ax88772: add phylib support") +Reported-by: Anton Lundin +Signed-off-by: Oleksij Rempel +Tested-by: Anton Lundin +Link: https://lore.kernel.org/r/20220624075139.3139300-1-o.rempel@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/asix_common.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -431,6 +431,7 @@ void asix_adjust_link(struct net_device + + asix_write_medium_mode(dev, mode, 0); + phy_print_status(phydev); ++ usbnet_link_change(dev, phydev->link, 0); + } + + int asix_write_gpio(struct usbnet *dev, u16 value, int sleep, int in_pm) diff --git a/queue-5.18/net-bonding-fix-possible-null-deref-in-rlb-code.patch b/queue-5.18/net-bonding-fix-possible-null-deref-in-rlb-code.patch new file mode 100644 index 00000000000..807905105c7 --- /dev/null +++ b/queue-5.18/net-bonding-fix-possible-null-deref-in-rlb-code.patch 
@@ -0,0 +1,140 @@ +From ab84db251c04d38b8dc7ee86e13d4050bedb1c88 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 27 Jun 2022 10:28:13 +0000 +Subject: net: bonding: fix possible NULL deref in rlb code + +From: Eric Dumazet + +commit ab84db251c04d38b8dc7ee86e13d4050bedb1c88 upstream. + +syzbot has two reports involving the same root cause. + +bond_alb_initialize() must not set bond->alb_info.rlb_enabled +if a memory allocation error is detected. + +Report 1: + +general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] +CPU: 0 PID: 12276 Comm: kworker/u4:10 Not tainted 5.19.0-rc3-syzkaller-00132-g3b89b511ea0c #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: netns cleanup_net +RIP: 0010:rlb_clear_slave+0x10e/0x690 drivers/net/bonding/bond_alb.c:393 +Code: 8e fc 83 fb ff 0f 84 74 02 00 00 e8 cc 2a 8e fc 48 8b 44 24 08 89 dd 48 c1 e5 06 4c 8d 34 28 49 8d 7e 14 48 89 f8 48 c1 e8 03 <42> 0f b6 14 20 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 +RSP: 0018:ffffc90018a8f678 EFLAGS: 00010203 +RAX: 0000000000000002 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: ffff88803375bb00 RSI: ffffffff84ec4ac4 RDI: 0000000000000014 +RBP: 0000000000000000 R08: 0000000000000005 R09: 00000000ffffffff +R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000 +R13: ffff8880ac889000 R14: 0000000000000000 R15: ffff88815a668c80 +FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00005597077e10b0 CR3: 0000000026668000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +bond_alb_deinit_slave+0x43c/0x6b0 drivers/net/bonding/bond_alb.c:1663 +__bond_release_one.cold+0x383/0xd53 
drivers/net/bonding/bond_main.c:2370 +bond_slave_netdev_event drivers/net/bonding/bond_main.c:3778 [inline] +bond_netdev_event+0x993/0xad0 drivers/net/bonding/bond_main.c:3889 +notifier_call_chain+0xb5/0x200 kernel/notifier.c:87 +call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945 +call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] +call_netdevice_notifiers net/core/dev.c:1997 [inline] +unregister_netdevice_many+0x948/0x18b0 net/core/dev.c:10839 +default_device_exit_batch+0x449/0x590 net/core/dev.c:11333 +ops_exit_list+0x125/0x170 net/core/net_namespace.c:167 +cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594 +process_one_work+0x996/0x1610 kernel/workqueue.c:2289 +worker_thread+0x665/0x1080 kernel/workqueue.c:2436 +kthread+0x2e9/0x3a0 kernel/kthread.c:376 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 + + +Report 2: + +general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] +CPU: 1 PID: 5206 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-12108-g58f9d52ff689 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:rlb_req_update_slave_clients+0x109/0x2f0 drivers/net/bonding/bond_alb.c:502 +Code: 5d 18 8f fc 41 80 3e 00 0f 85 a5 01 00 00 89 d8 48 c1 e0 06 49 03 84 24 68 01 00 00 48 8d 78 30 49 89 c7 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 98 01 00 00 4d 39 6f 30 75 83 e8 22 18 8f fc 49 +RSP: 0018:ffffc9000300ee80 EFLAGS: 00010206 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90016c11000 +RDX: 0000000000000006 RSI: ffffffff84eb6bf3 RDI: 0000000000000030 +RBP: dffffc0000000000 R08: 0000000000000005 R09: 00000000ffffffff +R10: 0000000000000000 R11: 0000000000000000 R12: ffff888027c80c80 +R13: ffff88807d7ff800 R14: ffffed1004f901bd R15: 0000000000000000 +FS: 00007f6f46c58700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 
CR0: 0000000080050033 +CR2: 0000000020010000 CR3: 00000000516cc000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + alb_fasten_mac_swap+0x886/0xa80 drivers/net/bonding/bond_alb.c:1070 + bond_alb_handle_active_change+0x624/0x1050 drivers/net/bonding/bond_alb.c:1765 + bond_change_active_slave+0xfa1/0x29b0 drivers/net/bonding/bond_main.c:1173 + bond_select_active_slave+0x23f/0xa50 drivers/net/bonding/bond_main.c:1253 + bond_enslave+0x3b34/0x53b0 drivers/net/bonding/bond_main.c:2159 + do_set_master+0x1c8/0x220 net/core/rtnetlink.c:2577 + rtnl_newlink_create net/core/rtnetlink.c:3380 [inline] + __rtnl_newlink+0x13ac/0x17e0 net/core/rtnetlink.c:3580 + rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593 + rtnetlink_rcv_msg+0x43a/0xc90 net/core/rtnetlink.c:6089 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:734 + ____sys_sendmsg+0x6eb/0x810 net/socket.c:2492 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2546 + __sys_sendmsg net/socket.c:2575 [inline] + __do_sys_sendmsg net/socket.c:2584 [inline] + __se_sys_sendmsg net/socket.c:2582 [inline] + __x64_sys_sendmsg+0x132/0x220 net/socket.c:2582 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 +RIP: 0033:0x7f6f45a89109 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f6f46c58168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f6f45b9c030 RCX: 
00007f6f45a89109 +RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006 +RBP: 00007f6f45ae308d R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffed99029af R14: 00007f6f46c58300 R15: 0000000000022000 + + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Jay Vosburgh +Cc: Veaceslav Falico +Cc: Andy Gospodarek +Acked-by: Jay Vosburgh +Link: https://lore.kernel.org/r/20220627102813.126264-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_alb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_alb.c ++++ b/drivers/net/bonding/bond_alb.c +@@ -1302,12 +1302,12 @@ int bond_alb_initialize(struct bonding * + return res; + + if (rlb_enabled) { +- bond->alb_info.rlb_enabled = 1; + res = rlb_initialize(bond); + if (res) { + tlb_deinitialize(bond); + return res; + } ++ bond->alb_info.rlb_enabled = 1; + } else { + bond->alb_info.rlb_enabled = 0; + } diff --git a/queue-5.18/net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch b/queue-5.18/net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch new file mode 100644 index 00000000000..855c88d8227 --- /dev/null +++ b/queue-5.18/net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch 
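Review bot: Moving `bond->alb_info.rlb_enabled = 1;` after the `rlb_initialize()` call fixes the failure path, but rlb_initialize() is outside the hunk, so it is worth confirming that nothing it calls reads `alb_info.rlb_enabled` and now observes 0 during initialization. If something does, the flag would instead have to be set before the call and reset on the error path, e.g. `bond->alb_info.rlb_enabled = 0;` next to `tlb_deinitialize(bond);`. bond_alb_initialize() starts and ends outside the hunk.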
@@ -0,0 +1,63 @@ +From 050133e1aa2cb49bb17be847d48a4431598ef562 Mon Sep 17 00:00:00 2001 +From: Yevhen Orlov +Date: Wed, 29 Jun 2022 04:29:14 +0300 +Subject: net: bonding: fix use-after-free after 802.3ad slave unbind + +From: Yevhen Orlov + +commit 050133e1aa2cb49bb17be847d48a4431598ef562 upstream. + +commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection"), +resolve case, when there is several aggregation groups in the same bond. +bond_3ad_unbind_slave will invalidate (clear) aggregator when +__agg_active_ports return zero. So, ad_clear_agg can be executed even, when +num_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for, +previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave +will not update slave ports list, because lag_ports==NULL. So, here we +got slave ports, pointing to freed aggregator memory. + +Fix with checking actual number of ports in group (as was before +commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") ), +before ad_clear_agg(). 
+ +The KASAN logs are as follows: + +[ 767.617392] ================================================================== +[ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470 +[ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767 +[ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15 +[ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT) +[ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler +[ 767.666468] Call trace: +[ 767.668930] dump_backtrace+0x0/0x2d0 +[ 767.672625] show_stack+0x24/0x30 +[ 767.675965] dump_stack_lvl+0x68/0x84 +[ 767.679659] print_address_description.constprop.0+0x74/0x2b8 +[ 767.685451] kasan_report+0x1f0/0x260 +[ 767.689148] __asan_load2+0x94/0xd0 +[ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470 + +Fixes: 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") +Co-developed-by: Maksym Glubokiy +Signed-off-by: Maksym Glubokiy +Signed-off-by: Yevhen Orlov +Acked-by: Jay Vosburgh +Link: https://lore.kernel.org/r/20220629012914.361-1-yevhen.orlov@plvision.eu +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_3ad.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_3ad.c ++++ b/drivers/net/bonding/bond_3ad.c +@@ -2228,7 +2228,8 @@ void bond_3ad_unbind_slave(struct slave + temp_aggregator->num_of_ports--; + if (__agg_active_ports(temp_aggregator) == 0) { + select_new_active_agg = temp_aggregator->is_active; +- ad_clear_agg(temp_aggregator); ++ if (temp_aggregator->num_of_ports == 0) ++ ad_clear_agg(temp_aggregator); + if (select_new_active_agg) { + slave_info(bond->dev, slave->dev, "Removing an active aggregator\n"); + /* select new active aggregator */ 
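Review bot: With `ad_clear_agg()` now conditional on `temp_aggregator->num_of_ports == 0`, the `if (select_new_active_agg)` branch that follows still runs when the aggregator has no active ports but was not cleared, so the "Removing an active aggregator" message and the reselection proceed for an aggregator that still exists; if that asymmetry is intended, a comment above the new test such as `/* free the aggregator only when its last port is gone; active-agg reselection below still applies */` would make it deliberate. The surrounding loop in bond_3ad_unbind_slave() starts and ends outside the hunk.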
diff --git a/queue-5.18/net-dsa-felix-fix-race-between-reading-psfp-stats-and-port-stats.patch b/queue-5.18/net-dsa-felix-fix-race-between-reading-psfp-stats-and-port-stats.patch
new file mode 100644
index 00000000000..644e4cf4c06
--- /dev/null
+++ b/queue-5.18/net-dsa-felix-fix-race-between-reading-psfp-stats-and-port-stats.patch
@@ -0,0 +1,48 @@ +From 58bf4db695287c4bb2a5fc9fc12c78fdd4c36894 Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Wed, 29 Jun 2022 21:30:07 +0300 +Subject: net: dsa: felix: fix race between reading PSFP stats and port stats + +From: Vladimir Oltean + +commit 58bf4db695287c4bb2a5fc9fc12c78fdd4c36894 upstream. + +Both PSFP stats and the port stats read by ocelot_check_stats_work() are +indirectly read through the same mechanism - write to STAT_CFG:STAT_VIEW, +read from SYS:STAT:CNT[n]. + +It's just that for port stats, we write STAT_VIEW with the index of the +port, and for PSFP stats, we write STAT_VIEW with the filter index. + +So if we allow them to run concurrently, ocelot_check_stats_work() may +change the view from vsc9959_psfp_counters_get(), and vice versa. + +Fixes: 7d4b564d6add ("net: dsa: felix: support psfp filter on vsc9959") +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20220629183007.3808130-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/ocelot/felix_vsc9959.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/dsa/ocelot/felix_vsc9959.c ++++ b/drivers/net/dsa/ocelot/felix_vsc9959.c +@@ -1883,6 +1883,8 @@ static void vsc9959_psfp_sgi_table_del(s + static void vsc9959_psfp_counters_get(struct ocelot *ocelot, u32 index, + struct felix_stream_filter_counters *counters) + { ++ mutex_lock(&ocelot->stats_lock); ++ + ocelot_rmw(ocelot, SYS_STAT_CFG_STAT_VIEW(index), + SYS_STAT_CFG_STAT_VIEW_M, + SYS_STAT_CFG); +@@ -1897,6 +1899,8 @@ static void vsc9959_psfp_counters_get(st + SYS_STAT_CFG_STAT_VIEW(index) | + SYS_STAT_CFG_STAT_CLEAR_SHOT(0x10), + SYS_STAT_CFG); ++ ++ mutex_unlock(&ocelot->stats_lock); + } + + static int vsc9959_psfp_filter_add(struct ocelot *ocelot, int port, 
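Review bot: The new `mutex_lock(&ocelot->stats_lock)` / `mutex_unlock(&ocelot->stats_lock)` pair brackets the whole of vsc9959_psfp_counters_get(), but the middle of the function between the two hunks is not shown, so the pairing is only sound if that stretch contains no early `return`; any such return would now leave stats_lock held. It is also worth confirming that no caller of vsc9959_psfp_counters_get() already holds stats_lock, since the hunk cannot show that and the mutex is not recursive. The function's remaining body lies outside the hunks.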
diff --git a/queue-5.18/net-dsa-hirschmann-add-missing-of_node_get-in-hellcreek_led_setup.patch b/queue-5.18/net-dsa-hirschmann-add-missing-of_node_get-in-hellcreek_led_setup.patch new file mode 100644 index 00000000000..e36e98f9693 --- /dev/null +++ b/queue-5.18/net-dsa-hirschmann-add-missing-of_node_get-in-hellcreek_led_setup.patch @@ -0,0 +1,31 @@ +From 16d584d2fc8f4ea36203af45a76becd7093586f1 Mon Sep 17 00:00:00 2001 +From: Liang He +Date: Wed, 22 Jun 2022 12:06:21 +0800 +Subject: net/dsa/hirschmann: Add missing of_node_get() in hellcreek_led_setup() + +From: Liang He + +commit 16d584d2fc8f4ea36203af45a76becd7093586f1 upstream. + +of_find_node_by_name() will decrease the refcount of its first arg and +we need a of_node_get() to keep refcount balance. + +Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220622040621.4094304-1-windhl@126.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/hirschmann/hellcreek_ptp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c ++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c +@@ -300,6 +300,7 @@ static int hellcreek_led_setup(struct he + const char *label, *state; + int ret = -EINVAL; + ++ of_node_get(hellcreek->dev->of_node); + leds = of_find_node_by_name(hellcreek->dev->of_node, "leds"); + if (!leds) { + dev_err(hellcreek->dev, "No LEDs specified in device tree!\n"); diff --git a/queue-5.18/net-phy-ax88772a-fix-lost-pause-advertisement-configuration.patch b/queue-5.18/net-phy-ax88772a-fix-lost-pause-advertisement-configuration.patch new file mode 100644 index 00000000000..92d18c5de44 --- /dev/null +++ b/queue-5.18/net-phy-ax88772a-fix-lost-pause-advertisement-configuration.patch 
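Review bot: The added `of_node_get(hellcreek->dev->of_node)` balances the reference that `of_find_node_by_name()` drops on its `from` argument, but nothing at the call site explains it, and an unexplained get immediately before a lookup is likely to be removed later as an apparent leak; a comment such as `/* of_find_node_by_name() puts its 'from' node; keep our reference on the device node */` above the call would prevent that. The `leds` node it returns still carries its own reference that must be released with of_node_put() on every path out of hellcreek_led_setup(), all of which are outside the hunk. The function's body continues past the hunk.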
@@ -0,0 +1,39 @@ +From fa152f626b24ec2ca3489100d8c5c0a0bce4e2ef Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Tue, 28 Jun 2022 13:43:49 +0200 +Subject: net: phy: ax88772a: fix lost pause advertisement configuration + +From: Oleksij Rempel + +commit fa152f626b24ec2ca3489100d8c5c0a0bce4e2ef upstream. + +In case of asix_ax88772a_link_change_notify() workaround, we run soft +reset which will automatically clear MII_ADVERTISE configuration. The +PHYlib framework do not know about changed configuration state of the +PHY, so we need use phy_init_hw() to reinit PHY configuration. + +Fixes: dde258469257 ("net: usb/phy: asix: add support for ax88772A/C PHYs") +Signed-off-by: Oleksij Rempel +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220628114349.3929928-1-o.rempel@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/ax88796b.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/phy/ax88796b.c ++++ b/drivers/net/phy/ax88796b.c +@@ -88,8 +88,10 @@ static void asix_ax88772a_link_change_no + /* Reset PHY, otherwise MII_LPA will provide outdated information. + * This issue is reproducible only with some link partner PHYs + */ +- if (phydev->state == PHY_NOLINK && phydev->drv->soft_reset) +- phydev->drv->soft_reset(phydev); ++ if (phydev->state == PHY_NOLINK) { ++ phy_init_hw(phydev); ++ phy_start_aneg(phydev); ++ } + } + + static struct phy_driver asix_driver[] = { diff --git a/queue-5.18/net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch b/queue-5.18/net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch new file mode 100644 index 00000000000..dd5361e03f8 --- /dev/null +++ b/queue-5.18/net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch 
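Review bot: The return values of `phy_init_hw(phydev)` and `phy_start_aneg(phydev)` are discarded in asix_ax88772a_link_change_notify(); both can fail, and because this is a void notify callback a failure is otherwise invisible, so logging it would help, e.g. `if (phy_init_hw(phydev) || phy_start_aneg(phydev)) phydev_warn(phydev, "PHY re-init after link loss failed\n");`. Whether replacing the old `phydev->drv->soft_reset` call with `phy_init_hw()` still performs the reset the comment above relies on depends on the driver's soft_reset being invoked from phy_init_hw(), which the hunk does not show. The function starts outside the hunk.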
@@ -0,0 +1,81 @@ +From 76b39b94382f9e0a639e1c70c3253de248cc4c83 Mon Sep 17 00:00:00 2001 +From: Victor Nogueira +Date: Thu, 23 Jun 2022 11:07:41 -0300 +Subject: net/sched: act_api: Notify user space if any actions were flushed before error + +From: Victor Nogueira + +commit 76b39b94382f9e0a639e1c70c3253de248cc4c83 upstream. + +If during an action flush operation one of the actions is still being +referenced, the flush operation is aborted and the kernel returns to +user space with an error. However, if the kernel was able to flush, for +example, 3 actions and failed on the fourth, the kernel will not notify +user space that it deleted 3 actions before failing. + +This patch fixes that behaviour by notifying user space of how many +actions were deleted before flush failed and by setting extack with a +message describing what happened. + +Fixes: 55334a5db5cd ("net_sched: act: refuse to remove bound action outside") +Signed-off-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_api.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/net/sched/act_api.c ++++ b/net/sched/act_api.c +@@ -588,7 +588,8 @@ static int tcf_idr_release_unsafe(struct + } + + static int tcf_del_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb, +- const struct tc_action_ops *ops) ++ const struct tc_action_ops *ops, ++ struct netlink_ext_ack *extack) + { + struct nlattr *nest; + int n_i = 0; +@@ -604,20 +605,25 @@ static int tcf_del_walker(struct tcf_idr + if (nla_put_string(skb, TCA_KIND, ops->kind)) + goto nla_put_failure; + ++ ret = 0; + mutex_lock(&idrinfo->lock); + idr_for_each_entry_ul(idr, p, tmp, id) { + if (IS_ERR(p)) + continue; + ret = tcf_idr_release_unsafe(p); +- if (ret == ACT_P_DELETED) { ++ if (ret == ACT_P_DELETED) + module_put(ops->owner); +- n_i++; +- } else if (ret < 0) { +- mutex_unlock(&idrinfo->lock); +- goto nla_put_failure; +- } ++ else if (ret < 
0) ++ break; ++ n_i++; + } + mutex_unlock(&idrinfo->lock); ++ if (ret < 0) { ++ if (n_i) ++ NL_SET_ERR_MSG(extack, "Unable to flush all TC actions"); ++ else ++ goto nla_put_failure; ++ } + + ret = nla_put_u32(skb, TCA_FCNT, n_i); + if (ret) +@@ -638,7 +644,7 @@ int tcf_generic_walker(struct tc_action_ + struct tcf_idrinfo *idrinfo = tn->idrinfo; + + if (type == RTM_DELACTION) { +- return tcf_del_walker(idrinfo, skb, ops); ++ return tcf_del_walker(idrinfo, skb, ops, extack); + } else if (type == RTM_GETACTION) { + return tcf_dump_walker(idrinfo, skb, cb); + } else { diff --git a/queue-5.18/netfilter-nft_dynset-restore-set-element-counter-when-failing-to-update.patch b/queue-5.18/netfilter-nft_dynset-restore-set-element-counter-when-failing-to-update.patch new file mode 100644 index 00000000000..73c6da09a08 --- /dev/null +++ b/queue-5.18/netfilter-nft_dynset-restore-set-element-counter-when-failing-to-update.patch 
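Review bot: `n_i++` now runs for every entry where tcf_idr_release_unsafe() returned a non-negative value, whereas before it counted only ACT_P_DELETED; a return of 0 means the reference was dropped but the action stayed alive, so TCA_FCNT now reports released rather than deleted actions. If that widening is intended, a comment on the counter such as `/* count every action released here, not only the ones freed */` would document it; otherwise keep the increment inside the ACT_P_DELETED branch. The negative ret kept after the loop is then overwritten by the nla_put_u32() call, which is what lets a partial flush return to user space with the count plus the extack message. tcf_del_walker() starts outside the hunk.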
@@ -0,0 +1,44 @@
+From 05907f10e235680cc7fb196810e4ad3215d5e648 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Tue, 21 Jun 2022 14:01:41 +0200
+Subject: netfilter: nft_dynset: restore set element counter when failing to update
+
+From: Pablo Neira Ayuso
+
+commit 05907f10e235680cc7fb196810e4ad3215d5e648 upstream.
+
+This patch fixes a race condition.
+
+nft_rhash_update() might fail for two reasons:
+
+- Element already exists in the hashtable.
+- Another packet won race to insert an entry in the hashtable.
+
+In both cases, new() has already bumped the counter via atomic_add_unless(),
+therefore, decrement the set element counter.
+
+Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_set_hash.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nft_set_hash.c
++++ b/net/netfilter/nft_set_hash.c
+@@ -143,6 +143,7 @@ static bool nft_rhash_update(struct nft_
+ /* Another cpu may race to insert the element with the same key */
+ if (prev) {
+ nft_set_elem_destroy(set, he, true);
++ atomic_dec(&set->nelems);
+ he = prev;
+ }
+ 
+@@ -152,6 +153,7 @@ out:
+ 
+ err2:
+ nft_set_elem_destroy(set, he, true);
++ atomic_dec(&set->nelems);
+ err1:
+ return false;
+ }
diff --git a/queue-5.18/nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch b/queue-5.18/nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch
new file mode 100644
index 00000000000..bf5de40a877
--- /dev/null
+++ b/queue-5.18/nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch
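Review bot: The two new atomic_dec() calls depend on the reader knowing that new() already counted this element, and nothing in the code says so; a one-line comment at the first decrement, `/* new() already bumped nelems for this element; undo it since it is discarded */`, would make the pairing visible and covers the err2 path as well. nft_rhash_update() starts outside the hunk.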
@@ -0,0 +1,52 @@ +From 5a478a653b4cca148d5c89832f007ec0809d7e6d Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 27 Jun 2022 14:40:48 +0200 +Subject: nfc: nfcmrvl: Fix irq_of_parse_and_map() return value + +From: Krzysztof Kozlowski + +commit 5a478a653b4cca148d5c89832f007ec0809d7e6d upstream. + +The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO. + +Reported-by: Lv Ruyi +Fixes: caf6e49bf6d0 ("NFC: nfcmrvl: add spi driver") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220627124048.296253-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/nfcmrvl/i2c.c | 6 +++--- + drivers/nfc/nfcmrvl/spi.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/nfc/nfcmrvl/i2c.c ++++ b/drivers/nfc/nfcmrvl/i2c.c +@@ -167,9 +167,9 @@ static int nfcmrvl_i2c_parse_dt(struct d + pdata->irq_polarity = IRQF_TRIGGER_RISING; + + ret = irq_of_parse_and_map(node, 0); +- if (ret < 0) { +- pr_err("Unable to get irq, error: %d\n", ret); +- return ret; ++ if (!ret) { ++ pr_err("Unable to get irq\n"); ++ return -EINVAL; + } + pdata->irq = ret; + +--- a/drivers/nfc/nfcmrvl/spi.c ++++ b/drivers/nfc/nfcmrvl/spi.c +@@ -115,9 +115,9 @@ static int nfcmrvl_spi_parse_dt(struct d + } + + ret = irq_of_parse_and_map(node, 0); +- if (ret < 0) { +- pr_err("Unable to get irq, error: %d\n", ret); +- return ret; ++ if (!ret) { ++ pr_err("Unable to get irq\n"); ++ return -EINVAL; + } + pdata->irq = ret; + diff --git a/queue-5.18/nfc-nxp-nci-don-t-issue-a-zero-length-i2c_master_read.patch b/queue-5.18/nfc-nxp-nci-don-t-issue-a-zero-length-i2c_master_read.patch new file mode 100644 index 00000000000..8386b25761d --- /dev/null +++ b/queue-5.18/nfc-nxp-nci-don-t-issue-a-zero-length-i2c_master_read.patch 
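Review bot: irq_of_parse_and_map() returns an unsigned int and the `!ret` test now reflects that, but the value is still kept in `ret`, which looks like the function's signed status variable (its declaration is outside the hunk); a dedicated `unsigned int irq = irq_of_parse_and_map(node, 0);` with `if (!irq) { pr_err("Unable to get irq\n"); return -EINVAL; }` and `pdata->irq = irq;` keeps the unsigned IRQ number apart from negative error codes. The same applies to the spi.c hunk. Both parse_dt functions continue outside their hunks.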
@@ -0,0 +1,36 @@ +From eddd95b9423946aaacb55cac6a9b2cea8ab944fc Mon Sep 17 00:00:00 2001 +From: Michael Walle +Date: Mon, 27 Jun 2022 19:06:42 +0200 +Subject: NFC: nxp-nci: Don't issue a zero length i2c_master_read() + +From: Michael Walle + +commit eddd95b9423946aaacb55cac6a9b2cea8ab944fc upstream. + +There are packets which doesn't have a payload. In that case, the second +i2c_master_read() will have a zero length. But because the NFC +controller doesn't have any data left, it will NACK the I2C read and +-ENXIO will be returned. In case there is no payload, just skip the +second i2c master read. + +Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver") +Signed-off-by: Michael Walle +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/nxp-nci/i2c.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/nfc/nxp-nci/i2c.c ++++ b/drivers/nfc/nxp-nci/i2c.c +@@ -162,6 +162,9 @@ static int nxp_nci_i2c_nci_read(struct n + + skb_put_data(*skb, (void *)&header, NCI_CTRL_HDR_SIZE); + ++ if (!header.plen) ++ return 0; ++ + r = i2c_master_recv(client, skb_put(*skb, header.plen), header.plen); + if (r != header.plen) { + nfc_err(&client->dev, diff --git a/queue-5.18/nvmet-tcp-fix-regression-in-data_digest-calculation.patch b/queue-5.18/nvmet-tcp-fix-regression-in-data_digest-calculation.patch new file mode 100644 index 00000000000..a4ae03b60f6 --- /dev/null +++ b/queue-5.18/nvmet-tcp-fix-regression-in-data_digest-calculation.patch 
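Review bot: The early `return 0` is correct only because a header with plen of zero is a complete packet, and the reason is given only in the commit message; a comment above the check, `/* No payload: skip the second read, the controller NACKs a zero-length transfer */`, would keep that knowledge next to the code. The return also skips whatever follows the recv error handling, so if the tail of nxp_nci_i2c_nci_read() does more than return 0 on success that needs a second look; the function continues outside the hunk.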
@@ -0,0 +1,81 @@ +From ed0691cf55140ce0f3fb100225645d902cce904b Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Fri, 24 Jun 2022 00:49:53 +0300 +Subject: nvmet-tcp: fix regression in data_digest calculation + +From: Sagi Grimberg + +commit ed0691cf55140ce0f3fb100225645d902cce904b upstream. + +Data digest calculation iterates over command mapped iovec. However +since commit bac04454ef9f we unmap the iovec before we handle the data +digest, and since commit 69b85e1f1d1d we clear nr_mapped when we unmap +the iov. + +Instead of open-coding the command iov traversal, simply call +crypto_ahash_digest with the command sg that is already allocated (we +already do that for the send path). Rename nvmet_tcp_send_ddgst to +nvmet_tcp_calc_ddgst and call it from send and recv paths. + +Fixes: 69b85e1f1d1d ("nvmet-tcp: add an helper to free the cmd buffers") +Fixes: bac04454ef9f ("nvmet-tcp: fix kmap leak when data digest in use") +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/tcp.c | 23 +++-------------------- + 1 file changed, 3 insertions(+), 20 deletions(-) + +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -405,7 +405,7 @@ err: + return NVME_SC_INTERNAL; + } + +-static void nvmet_tcp_send_ddgst(struct ahash_request *hash, ++static void nvmet_tcp_calc_ddgst(struct ahash_request *hash, + struct nvmet_tcp_cmd *cmd) + { + ahash_request_set_crypt(hash, cmd->req.sg, +@@ -413,23 +413,6 @@ static void nvmet_tcp_send_ddgst(struct + crypto_ahash_digest(hash); + } + +-static void nvmet_tcp_recv_ddgst(struct ahash_request *hash, +- struct nvmet_tcp_cmd *cmd) +-{ +- struct scatterlist sg; +- struct kvec *iov; +- int i; +- +- crypto_ahash_init(hash); +- for (i = 0, iov = cmd->iov; i < cmd->nr_mapped; i++, iov++) { +- sg_init_one(&sg, iov->iov_base, iov->iov_len); +- ahash_request_set_crypt(hash, &sg, NULL, iov->iov_len); +- crypto_ahash_update(hash); +- } +- 
ahash_request_set_crypt(hash, NULL, (void *)&cmd->exp_ddgst, 0); +- crypto_ahash_final(hash); +-} +- + static void nvmet_setup_c2h_data_pdu(struct nvmet_tcp_cmd *cmd) + { + struct nvme_tcp_data_pdu *pdu = cmd->data_pdu; +@@ -454,7 +437,7 @@ static void nvmet_setup_c2h_data_pdu(str + + if (queue->data_digest) { + pdu->hdr.flags |= NVME_TCP_F_DDGST; +- nvmet_tcp_send_ddgst(queue->snd_hash, cmd); ++ nvmet_tcp_calc_ddgst(queue->snd_hash, cmd); + } + + if (cmd->queue->hdr_digest) { +@@ -1137,7 +1120,7 @@ static void nvmet_tcp_prep_recv_ddgst(st + { + struct nvmet_tcp_queue *queue = cmd->queue; + +- nvmet_tcp_recv_ddgst(queue->rcv_hash, cmd); ++ nvmet_tcp_calc_ddgst(queue->rcv_hash, cmd); + queue->offset = 0; + queue->left = NVME_TCP_DIGEST_LENGTH; + queue->rcv_state = NVMET_TCP_RECV_DDGST; diff --git a/queue-5.18/platform-x86-ideapad-laptop-add-ideapad-5-15itl05-to-ideapad_dytc_v4_allow_table.patch b/queue-5.18/platform-x86-ideapad-laptop-add-ideapad-5-15itl05-to-ideapad_dytc_v4_allow_table.patch new file mode 100644 index 00000000000..31aee85f719 --- /dev/null +++ b/queue-5.18/platform-x86-ideapad-laptop-add-ideapad-5-15itl05-to-ideapad_dytc_v4_allow_table.patch 
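Review bot: The merged helper now serves both directions, but the line that names the digest destination sits in hidden context, so a reader of this patch cannot tell where the receive path expects the computed value to land; a comment above nvmet_tcp_calc_ddgst() stating that it digests cmd->req.sg and that the send and receive paths both read the result from the same field would close that gap. The removed receive variant wrote into cmd->exp_ddgst, so confirming the shared helper targets that field is the one thing to verify in this backport. nvmet_tcp_calc_ddgst() is split across two hunks and part of its body is outside the visible context.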
@@ -0,0 +1,45 @@ +From 8853e8ce9b576e0a3aad8381e19a117964d445fa Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 27 Jun 2022 15:08:50 +0200 +Subject: platform/x86: ideapad-laptop: Add Ideapad 5 15ITL05 to ideapad_dytc_v4_allow_table[] + +From: Hans de Goede + +commit 8853e8ce9b576e0a3aad8381e19a117964d445fa upstream. + +The Ideapad 5 15ITL05 uses DYTC version 4 for platform-profile +control. This has been tested successfully with the ideapad-laptop +DYTC version 5 code; Add the Ideapad 5 15ITL05 to the +ideapad_dytc_v4_allow_table[]. + +Fixes: 599482c58ebd ("platform/x86: ideapad-laptop: Add platform support for Ideapad 5 Pro 16ACH6-82L5") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=213297 +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220627130850.313537-1-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/ideapad-laptop.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -871,12 +871,18 @@ static void dytc_profile_refresh(struct + static const struct dmi_system_id ideapad_dytc_v4_allow_table[] = { + { + /* Ideapad 5 Pro 16ACH6 */ +- .ident = "LENOVO 82L5", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "82L5") + } + }, ++ { ++ /* Ideapad 5 15ITL05 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "IdeaPad 5 15ITL05") ++ } ++ }, + {} + }; + diff --git a/queue-5.18/platform-x86-thinkpad_acpi-fix-a-memory-leak-of-efch-mmio-resource.patch b/queue-5.18/platform-x86-thinkpad_acpi-fix-a-memory-leak-of-efch-mmio-resource.patch new file mode 100644 index 00000000000..e462975cbbf --- /dev/null +++ b/queue-5.18/platform-x86-thinkpad_acpi-fix-a-memory-leak-of-efch-mmio-resource.patch 
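Review bot: The existing Ideapad 5 Pro 16ACH6 entry loses its `.ident = "LENOVO 82L5"` line, which the description does not mention; matching is unaffected since only `.matches` is consulted, but the field is visible to any caller that reads it, so either a sentence in the description or keeping the line would make the intent explicit. The new entry keys on DMI_PRODUCT_VERSION while the existing one keys on DMI_PRODUCT_NAME; a short comment on why the version string is the reliable identifier for the 15ITL05 would guide future additions to the table.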
@@ -0,0 +1,42 @@
+From d2f33f0c3ad7b0d5262d9b986f1353265fad7a08 Mon Sep 17 00:00:00 2001
+From: Jean Delvare
+Date: Tue, 21 Jun 2022 15:55:11 +0200
+Subject: platform/x86: thinkpad_acpi: Fix a memory leak of EFCH MMIO resource
+
+From: Jean Delvare
+
+commit d2f33f0c3ad7b0d5262d9b986f1353265fad7a08 upstream.
+
+Unlike release_mem_region(), a call to release_resource() does not
+free the resource, so it has to be freed explicitly to avoid a memory
+leak.
+
+Signed-off-by: Jean Delvare
+Fixes: 455cd867b85b ("platform/x86: thinkpad_acpi: Add a s2idle resume quirk for a number of laptops")
+Cc: Mario Limonciello
+Cc: Henrique de Moraes Holschuh
+Cc: Hans de Goede
+Cc: Mark Gross
+Reviewed-by: Mario Limonciello
+Link: https://lore.kernel.org/r/20220621155511.5b266395@endymion.delvare
+Signed-off-by: Hans de Goede
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/thinkpad_acpi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
+index e6cb4a14cdd4..aa6ffeaa3932 100644
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -4529,6 +4529,7 @@ static void thinkpad_acpi_amd_s2idle_restore(void)
+ iounmap(addr);
+ cleanup_resource:
+ release_resource(res);
++ kfree(res);
+ }
+ 
+ static struct acpi_s2idle_dev_ops thinkpad_acpi_s2idle_dev_ops = {
+-- 
+2.37.0
+
diff --git a/queue-5.18/pm-devfreq-exynos-ppmu-fix-refcount-leak-in-of_get_devfreq_events.patch b/queue-5.18/pm-devfreq-exynos-ppmu-fix-refcount-leak-in-of_get_devfreq_events.patch
new file mode 100644
index 00000000000..7dfdf9b3838
--- /dev/null
+++ b/queue-5.18/pm-devfreq-exynos-ppmu-fix-refcount-leak-in-of_get_devfreq_events.patch
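Review bot: Pairing release_resource() with a manual kfree() works, but if `res` was obtained through the request_mem_region() family the matching `release_mem_region(res->start, resource_size(res));` releases and frees in one call and keeps both ends of the API symmetric. If `cleanup_resource:` can be reached from another path with `res` already released, the added kfree() would become a double free; the allocation and the other jumps to this label are outside the hunk, as is the start of thinkpad_acpi_amd_s2idle_restore().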
@@ -0,0 +1,47 @@ +From f44b799603a9b5d2e375b0b2d54dd0b791eddfc2 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 26 May 2022 12:28:56 +0400 +Subject: PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events + +From: Miaoqian Lin + +commit f44b799603a9b5d2e375b0b2d54dd0b791eddfc2 upstream. + +of_get_child_by_name() returns a node pointer with refcount +incremented, we should use of_node_put() on it when done. +This function only calls of_node_put() in normal path, +missing it in error paths. +Add missing of_node_put() to avoid refcount leak. + +Fixes: f262f28c1470 ("PM / devfreq: event: Add devfreq_event class") +Signed-off-by: Miaoqian Lin +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/devfreq/event/exynos-ppmu.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/devfreq/event/exynos-ppmu.c ++++ b/drivers/devfreq/event/exynos-ppmu.c +@@ -519,15 +519,19 @@ static int of_get_devfreq_events(struct + + count = of_get_child_count(events_np); + desc = devm_kcalloc(dev, count, sizeof(*desc), GFP_KERNEL); +- if (!desc) ++ if (!desc) { ++ of_node_put(events_np); + return -ENOMEM; ++ } + info->num_events = count; + + of_id = of_match_device(exynos_ppmu_id_match, dev); + if (of_id) + info->ppmu_type = (enum exynos_ppmu_type)of_id->data; +- else ++ else { ++ of_node_put(events_np); + return -EINVAL; ++ } + + j = 0; + for_each_child_of_node(events_np, node) { diff --git a/queue-5.18/powerpc-memhotplug-add-add_pages-override-for-ppc.patch b/queue-5.18/powerpc-memhotplug-add-add_pages-override-for-ppc.patch new file mode 100644 index 00000000000..2a7f2cb5871 --- /dev/null +++ b/queue-5.18/powerpc-memhotplug-add-add_pages-override-for-ppc.patch 
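Review bot: The `if (of_id)` / `else { ... }` pair now has braces on only one branch, which kernel coding style asks to avoid; brace both, or better replace the three `of_node_put(events_np)` call sites (the two added here and the existing normal-path one) with a single `err_put:` label that does `of_node_put(events_np); return ret;`, so that later error paths in the child loop cannot miss the put again. of_get_devfreq_events() continues outside the hunk, and its loop's own error paths should be checked for the same leak.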
@@ -0,0 +1,114 @@ +From ac790d09885d36143076e7e02825c541e8eee899 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Wed, 29 Jun 2022 10:39:25 +0530 +Subject: powerpc/memhotplug: Add add_pages override for PPC + +From: Aneesh Kumar K.V + +commit ac790d09885d36143076e7e02825c541e8eee899 upstream. + +With commit ffa0b64e3be5 ("powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit") +the kernel now validate the addr against high_memory value. This results +in the below BUG_ON with dax pfns. + +[ 635.798741][T26531] kernel BUG at mm/page_alloc.c:5521! +1:mon> e +cpu 0x1: Vector: 700 (Program Check) at [c000000007287630] + pc: c00000000055ed48: free_pages.part.0+0x48/0x110 + lr: c00000000053ca70: tlb_finish_mmu+0x80/0xd0 + sp: c0000000072878d0 + msr: 800000000282b033 + current = 0xc00000000afabe00 + paca = 0xc00000037ffff300 irqmask: 0x03 irq_happened: 0x05 + pid = 26531, comm = 50-landscape-sy +kernel BUG at :5521! +Linux version 5.19.0-rc3-14659-g4ec05be7c2e1 (kvaneesh@ltc-boston8) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #625 SMP Thu Jun 23 00:35:43 CDT 2022 +1:mon> t +[link register ] c00000000053ca70 tlb_finish_mmu+0x80/0xd0 +[c0000000072878d0] c00000000053ca54 tlb_finish_mmu+0x64/0xd0 (unreliable) +[c000000007287900] c000000000539424 exit_mmap+0xe4/0x2a0 +[c0000000072879e0] c00000000019fc1c mmput+0xcc/0x210 +[c000000007287a20] c000000000629230 begin_new_exec+0x5e0/0xf40 +[c000000007287ae0] c00000000070b3cc load_elf_binary+0x3ac/0x1e00 +[c000000007287c10] c000000000627af0 bprm_execve+0x3b0/0xaf0 +[c000000007287cd0] c000000000628414 do_execveat_common.isra.0+0x1e4/0x310 +[c000000007287d80] c00000000062858c sys_execve+0x4c/0x60 +[c000000007287db0] c00000000002c1b0 system_call_exception+0x160/0x2c0 +[c000000007287e10] c00000000000c53c system_call_common+0xec/0x250 + +The fix is to make sure we update high_memory on memory hotplug. 
+This is similar to what x86 does in commit 3072e413e305 ("mm/memory_hotplug: introduce add_pages") + +Fixes: ffa0b64e3be5 ("powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit") +Signed-off-by: Aneesh Kumar K.V +Reviewed-by: Kefeng Wang +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220629050925.31447-1-aneesh.kumar@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/Kconfig | 4 ++++ + arch/powerpc/mm/mem.c | 33 ++++++++++++++++++++++++++++++++- + 2 files changed, 36 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -358,6 +358,10 @@ config ARCH_SUSPEND_NONZERO_CPU + def_bool y + depends on PPC_POWERNV || PPC_PSERIES + ++config ARCH_HAS_ADD_PAGES ++ def_bool y ++ depends on ARCH_ENABLE_MEMORY_HOTPLUG ++ + config PPC_DCR_NATIVE + bool + +--- a/arch/powerpc/mm/mem.c ++++ b/arch/powerpc/mm/mem.c +@@ -103,6 +103,37 @@ void __ref arch_remove_linear_mapping(u6 + vm_unmap_aliases(); + } + ++/* ++ * After memory hotplug the variables max_pfn, max_low_pfn and high_memory need ++ * updating. 
++ */ ++static void update_end_of_memory_vars(u64 start, u64 size) ++{ ++ unsigned long end_pfn = PFN_UP(start + size); ++ ++ if (end_pfn > max_pfn) { ++ max_pfn = end_pfn; ++ max_low_pfn = end_pfn; ++ high_memory = (void *)__va(max_pfn * PAGE_SIZE - 1) + 1; ++ } ++} ++ ++int __ref add_pages(int nid, unsigned long start_pfn, unsigned long nr_pages, ++ struct mhp_params *params) ++{ ++ int ret; ++ ++ ret = __add_pages(nid, start_pfn, nr_pages, params); ++ if (ret) ++ return ret; ++ ++ /* update max_pfn, max_low_pfn and high_memory */ ++ update_end_of_memory_vars(start_pfn << PAGE_SHIFT, ++ nr_pages << PAGE_SHIFT); ++ ++ return ret; ++} ++ + int __ref arch_add_memory(int nid, u64 start, u64 size, + struct mhp_params *params) + { +@@ -113,7 +144,7 @@ int __ref arch_add_memory(int nid, u64 s + rc = arch_create_linear_mapping(nid, start, size, params); + if (rc) + return rc; +- rc = __add_pages(nid, start_pfn, nr_pages, params); ++ rc = add_pages(nid, start_pfn, nr_pages, params); + if (rc) + arch_remove_linear_mapping(start, size); + return rc; diff --git a/queue-5.18/s390-remove-unneeded-select-build_bin2c.patch b/queue-5.18/s390-remove-unneeded-select-build_bin2c.patch new file mode 100644 index 00000000000..1aae69dcf8a --- /dev/null +++ b/queue-5.18/s390-remove-unneeded-select-build_bin2c.patch 
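Review bot: `start_pfn << PAGE_SHIFT` and `nr_pages << PAGE_SHIFT` are computed in unsigned long before being widened to the u64 parameters of update_end_of_memory_vars(), so on a 32-bit build they truncate for physical addresses above 4 GiB; arch_add_memory() takes `u64 start`, which suggests the wide type matters here, so `(u64)start_pfn << PAGE_SHIFT` and `(u64)nr_pages << PAGE_SHIFT` are cheap insurance if add_pages() can be reached on such a configuration. The helper also only ever grows max_pfn, max_low_pfn and high_memory; a comment noting that memory removal does not shrink them again would set expectations for the reader. arch_add_memory() continues outside the hunk.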
@@ -0,0 +1,33 @@ +From 25deecb21c18ee29e3be8ac6177b2a9504c33d2d Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Tue, 14 Jun 2022 02:09:00 +0900 +Subject: s390: remove unneeded 'select BUILD_BIN2C' + +From: Masahiro Yamada + +commit 25deecb21c18ee29e3be8ac6177b2a9504c33d2d upstream. + +Since commit 4c0f032d4963 ("s390/purgatory: Omit use of bin2c"), +s390 builds the purgatory without using bin2c. + +Remove 'select BUILD_BIN2C' to avoid the unneeded build of bin2c. + +Fixes: 4c0f032d4963 ("s390/purgatory: Omit use of bin2c") +Signed-off-by: Masahiro Yamada +Link: https://lore.kernel.org/r/20220613170902.1775211-1-masahiroy@kernel.org +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/s390/Kconfig ++++ b/arch/s390/Kconfig +@@ -487,7 +487,6 @@ config KEXEC + config KEXEC_FILE + bool "kexec file based system call" + select KEXEC_CORE +- select BUILD_BIN2C + depends on CRYPTO + depends on CRYPTO_SHA256 + depends on CRYPTO_SHA256_S390 diff --git a/queue-5.18/selftests-net-fix-kselftest-net-fatal-error.patch b/queue-5.18/selftests-net-fix-kselftest-net-fatal-error.patch new file mode 100644 index 00000000000..5197c251af2 --- /dev/null +++ b/queue-5.18/selftests-net-fix-kselftest-net-fatal-error.patch 
@@ -0,0 +1,42 @@ +From 7b92aa9e613508cbaa29dd35bf27db4c35628b10 Mon Sep 17 00:00:00 2001 +From: Coleman Dietsch +Date: Tue, 28 Jun 2022 12:47:44 -0500 +Subject: selftests net: fix kselftest net fatal error + +From: Coleman Dietsch + +commit 7b92aa9e613508cbaa29dd35bf27db4c35628b10 upstream. + +The incorrect path is causing the following error when trying to run net +kselftests: + +In file included from bpf/nat6to4.c:43: +../../../lib/bpf/bpf_helpers.h:11:10: fatal error: 'bpf_helper_defs.h' file not found + ^~~~~~~~~~~~~~~~~~~ +1 error generated. + +Fixes: cf67838c4422 ("selftests net: fix bpf build error") +Signed-off-by: Coleman Dietsch +Link: https://lore.kernel.org/r/20220628174744.7908-1-dietschc@csp.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/bpf/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/bpf/Makefile b/tools/testing/selftests/net/bpf/Makefile +index 8a69c91fcca0..8ccaf8732eb2 100644 +--- a/tools/testing/selftests/net/bpf/Makefile ++++ b/tools/testing/selftests/net/bpf/Makefile +@@ -2,7 +2,7 @@ + + CLANG ?= clang + CCINCLUDE += -I../../bpf +-CCINCLUDE += -I../../../lib ++CCINCLUDE += -I../../../../lib + CCINCLUDE += -I../../../../../usr/include/ + + TEST_CUSTOM_PROGS = $(OUTPUT)/bpf/nat6to4.o +-- +2.37.0 + diff --git a/queue-5.18/series b/queue-5.18/series index c66ae0c1dd7..8c9c9e02ee4 100644 --- a/queue-5.18/series +++ b/queue-5.18/series 
@@ -44,3 +44,29 @@ net-ipv6-unexport-__init-annotated-seg6_hmac_net_init.patch nfs-restore-module-put-when-manager-exits.patch nfsd-restore-einval-error-translation-in-nfsd_commit.patch nfsv4-add-an-fattr-allocation-to-_nfs4_discover_trunking.patch +vfs-fix-copy_file_range-regression-in-cross-fs-copies.patch +caif_virtio-fix-race-between-virtio_device_ready-and-ndo_open.patch +io_uring-ensure-that-send-sendmsg-and-recv-recvmsg-check-sqe-ioprio.patch +pm-devfreq-exynos-ppmu-fix-refcount-leak-in-of_get_devfreq_events.patch +lib-sbitmap-fix-invalid-loop-in-__sbitmap_queue_get_batch.patch +vdpa-mlx5-update-control-vq-callback-information.patch +s390-remove-unneeded-select-build_bin2c.patch +netfilter-nft_dynset-restore-set-element-counter-when-failing-to-update.patch +net-dsa-hirschmann-add-missing-of_node_get-in-hellcreek_led_setup.patch +net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch +net-asix-fix-can-t-send-until-first-packet-is-send-issue.patch +net-bonding-fix-possible-null-deref-in-rlb-code.patch +net-phy-ax88772a-fix-lost-pause-advertisement-configuration.patch +selftests-net-fix-kselftest-net-fatal-error.patch +net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch +net-dsa-felix-fix-race-between-reading-psfp-stats-and-port-stats.patch +powerpc-memhotplug-add-add_pages-override-for-ppc.patch +platform-x86-thinkpad_acpi-fix-a-memory-leak-of-efch-mmio-resource.patch +platform-x86-ideapad-laptop-add-ideapad-5-15itl05-to-ideapad_dytc_v4_allow_table.patch +nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch +nfc-nxp-nci-don-t-issue-a-zero-length-i2c_master_read.patch +tipc-move-bc-link-creation-back-to-tipc_node_create.patch +epic100-fix-use-after-free-on-rmmod.patch +cpufreq-qcom-hw-don-t-do-lmh-things-without-a-throttle-interrupt.patch +tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch +nvmet-tcp-fix-regression-in-data_digest-calculation.patch 
diff --git a/queue-5.18/tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch b/queue-5.18/tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch new file mode 100644 index 00000000000..75242757db6 --- /dev/null +++ b/queue-5.18/tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch 
@@ -0,0 +1,72 @@ +From 6f0012e35160cd08a53e46e3b3bbf724b92dfe68 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 23 Jun 2022 05:04:36 +0000 +Subject: tcp: add a missing nf_reset_ct() in 3WHS handling + +From: Eric Dumazet + +commit 6f0012e35160cd08a53e46e3b3bbf724b92dfe68 upstream. + +When the third packet of 3WHS connection establishment +contains payload, it is added into socket receive queue +without the XFRM check and the drop of connection tracking +context. + +This means that if the data is left unread in the socket +receive queue, conntrack module can not be unloaded. + +As most applications usually reads the incoming data +immediately after accept(), bug has been hiding for +quite a long time. + +Commit 68822bdf76f1 ("net: generalize skb freeing +deferral to per-cpu lists") exposed this bug because +even if the application reads this data, the skb +with nfct state could stay in a per-cpu cache for +an arbitrary time, if said cpu no longer process RX softirqs. + +Many thanks to Ilya Maximets for reporting this issue, +and for testing various patches: +https://lore.kernel.org/netdev/20220619003919.394622-1-i.maximets@ovn.org/ + +Note that I also added a missing xfrm4_policy_check() call, +although this is probably not a big issue, as the SYN +packet should have been dropped earlier. 
+ +Fixes: b59c270104f0 ("[NETFILTER]: Keep conntrack reference until IPsec policy checks are done") +Reported-by: Ilya Maximets +Signed-off-by: Eric Dumazet +Cc: Florian Westphal +Cc: Pablo Neira Ayuso +Cc: Steffen Klassert +Tested-by: Ilya Maximets +Reviewed-by: Ilya Maximets +Link: https://lore.kernel.org/r/20220623050436.1290307-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_ipv4.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1965,7 +1965,10 @@ process: + struct sock *nsk; + + sk = req->rsk_listener; +- drop_reason = tcp_inbound_md5_hash(sk, skb, ++ if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) ++ drop_reason = SKB_DROP_REASON_XFRM_POLICY; ++ else ++ drop_reason = tcp_inbound_md5_hash(sk, skb, + &iph->saddr, &iph->daddr, + AF_INET, dif, sdif); + if (unlikely(drop_reason)) { +@@ -2017,6 +2020,7 @@ process: + } + goto discard_and_relse; + } ++ nf_reset_ct(skb); + if (nsk == sk) { + reqsk_put(req); + tcp_v4_restore_cb(skb); diff --git a/queue-5.18/tipc-move-bc-link-creation-back-to-tipc_node_create.patch b/queue-5.18/tipc-move-bc-link-creation-back-to-tipc_node_create.patch new file mode 100644 index 00000000000..36386020959 --- /dev/null +++ b/queue-5.18/tipc-move-bc-link-creation-back-to-tipc_node_create.patch 
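Review bot: The new branch adds the IPsec policy check and the conntrack reset without a word on why the request-socket path needs them, and the two pieces sit several lines apart; a comment at the xfrm check, `/* Third packet of the 3WHS: it can be queued on the child socket below, so apply the policy check and drop the conntrack reference here */`, would tie them together. On the xfrm failure path drop_reason is set and the existing `if (unlikely(drop_reason))` handles it, so no separate goto is needed. The process: label and the surrounding tcp_v4_rcv() body extend outside the hunk.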
@@ -0,0 +1,123 @@ +From cb8092d70a6f5f01ec1490fce4d35efed3ed996c Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Fri, 24 Jun 2022 12:24:31 -0400 +Subject: tipc: move bc link creation back to tipc_node_create + +From: Xin Long + +commit cb8092d70a6f5f01ec1490fce4d35efed3ed996c upstream. + +Shuang Li reported a NULL pointer dereference crash: + + [] BUG: kernel NULL pointer dereference, address: 0000000000000068 + [] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc] + [] Call Trace: + [] + [] tipc_bcast_rcv+0xa2/0x190 [tipc] + [] tipc_node_bc_rcv+0x8b/0x200 [tipc] + [] tipc_rcv+0x3af/0x5b0 [tipc] + [] tipc_udp_recv+0xc7/0x1e0 [tipc] + +It was caused by the 'l' passed into tipc_bcast_rcv() is NULL. When it +creates a node in tipc_node_check_dest(), after inserting the new node +into hashtable in tipc_node_create(), it creates the bc link. However, +there is a gap between this insert and bc link creation, a bc packet +may come in and get the node from the hashtable then try to dereference +its bc link, which is NULL. + +This patch is to fix it by moving the bc link creation before inserting +into the hashtable. + +Note that for a preliminary node becoming "real", the bc link creation +should also be called before it's rehashed, as we don't create it for +preliminary nodes. + +Fixes: 4cbf8ac2fe5a ("tipc: enable creating a "preliminary" node") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/node.c | 41 ++++++++++++++++++++++------------------- + 1 file changed, 22 insertions(+), 19 deletions(-) + +--- a/net/tipc/node.c ++++ b/net/tipc/node.c +@@ -472,8 +472,8 @@ struct tipc_node *tipc_node_create(struc + bool preliminary) + { + struct tipc_net *tn = net_generic(net, tipc_net_id); ++ struct tipc_link *l, *snd_l = tipc_bc_sndlink(net); + struct tipc_node *n, *temp_node; +- struct tipc_link *l; + unsigned long intv; + int bearer_id; + int i; +@@ -488,6 +488,16 @@ struct tipc_node *tipc_node_create(struc + goto exit; + /* A preliminary node becomes "real" now, refresh its data */ + tipc_node_write_lock(n); ++ if (!tipc_link_bc_create(net, tipc_own_addr(net), addr, peer_id, U16_MAX, ++ tipc_link_min_win(snd_l), tipc_link_max_win(snd_l), ++ n->capabilities, &n->bc_entry.inputq1, ++ &n->bc_entry.namedq, snd_l, &n->bc_entry.link)) { ++ pr_warn("Broadcast rcv link refresh failed, no memory\n"); ++ tipc_node_write_unlock_fast(n); ++ tipc_node_put(n); ++ n = NULL; ++ goto exit; ++ } + n->preliminary = false; + n->addr = addr; + hlist_del_rcu(&n->hash); +@@ -567,7 +577,16 @@ update: + n->signature = INVALID_NODE_SIG; + n->active_links[0] = INVALID_BEARER_ID; + n->active_links[1] = INVALID_BEARER_ID; +- n->bc_entry.link = NULL; ++ if (!preliminary && ++ !tipc_link_bc_create(net, tipc_own_addr(net), addr, peer_id, U16_MAX, ++ tipc_link_min_win(snd_l), tipc_link_max_win(snd_l), ++ n->capabilities, &n->bc_entry.inputq1, ++ &n->bc_entry.namedq, snd_l, &n->bc_entry.link)) { ++ pr_warn("Broadcast rcv link creation failed, no memory\n"); ++ kfree(n); ++ n = NULL; ++ goto exit; ++ } + tipc_node_get(n); + timer_setup(&n->timer, tipc_node_timeout, 0); + /* Start a slow timer anyway, crypto needs it */ +@@ -1155,7 +1174,7 @@ void tipc_node_check_dest(struct net *ne + bool *respond, bool *dupl_addr) + { + struct tipc_node *n; +- struct tipc_link *l, *snd_l; ++ struct tipc_link *l; + struct tipc_link_entry *le; + bool 
addr_match = false; + bool sign_match = false; +@@ -1175,22 +1194,6 @@ void tipc_node_check_dest(struct net *ne + return; + + tipc_node_write_lock(n); +- if (unlikely(!n->bc_entry.link)) { +- snd_l = tipc_bc_sndlink(net); +- if (!tipc_link_bc_create(net, tipc_own_addr(net), +- addr, peer_id, U16_MAX, +- tipc_link_min_win(snd_l), +- tipc_link_max_win(snd_l), +- n->capabilities, +- &n->bc_entry.inputq1, +- &n->bc_entry.namedq, snd_l, +- &n->bc_entry.link)) { +- pr_warn("Broadcast rcv link creation failed, no mem\n"); +- tipc_node_write_unlock_fast(n); +- tipc_node_put(n); +- return; +- } +- } + + le = &n->links[b->identity]; + diff --git a/queue-5.18/vdpa-mlx5-update-control-vq-callback-information.patch b/queue-5.18/vdpa-mlx5-update-control-vq-callback-information.patch new file mode 100644 index 00000000000..c2b3afd34e0 --- /dev/null +++ b/queue-5.18/vdpa-mlx5-update-control-vq-callback-information.patch 
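Review bot: The two new tipc_link_bc_create() calls pass the same twelve-argument list and differ only in the warning text and the unwinding that follows, so a small static helper, say `tipc_node_create_bc_link(net, n, addr, peer_id, snd_l)` returning bool, would remove the duplication and keep the two messages from drifting. In the refresh path the failure unwind runs `tipc_node_write_unlock_fast(n); tipc_node_put(n); n = NULL;` before the `hlist_del_rcu(&n->hash)` that follows, so the node stays in the hash table in its preliminary state; a comment at that point saying so would help callers that may find it again. tipc_node_create() and tipc_node_check_dest() both extend outside the hunks.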
@@ -0,0 +1,34 @@
+From 40f2f3e94178d45e4ee6078effba2dfc76f6f5ba Mon Sep 17 00:00:00 2001
+From: Eli Cohen
+Date: Mon, 13 Jun 2022 10:59:57 +0300
+Subject: vdpa/mlx5: Update Control VQ callback information
+
+From: Eli Cohen
+
+commit 40f2f3e94178d45e4ee6078effba2dfc76f6f5ba upstream.
+
+The control VQ specific information is stored in the dedicated struct
+mlx5_control_vq. When the callback is updated through
+mlx5_vdpa_set_vq_cb(), make sure to update the control VQ struct.
+
+Fixes: 5262912ef3cf ("vdpa/mlx5: Add support for control VQ and MAC setting")
+Signed-off-by: Eli Cohen
+Message-Id: <20220613075958.511064-1-elic@nvidia.com>
+Signed-off-by: Michael S. Tsirkin
+Acked-by: Jason Wang
+---
+ drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
+@@ -1757,6 +1757,8 @@ static void mlx5_vdpa_set_vq_cb(struct v
+ struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
+ 
+ ndev->event_cbs[idx] = *cb;
++ if (is_ctrl_vq_idx(mvdev, idx))
++ mvdev->cvq.event_cb = *cb;
+ }
+ 
+ static void mlx5_cvq_notify(struct vringh *vring)
diff --git a/queue-5.18/vfs-fix-copy_file_range-regression-in-cross-fs-copies.patch b/queue-5.18/vfs-fix-copy_file_range-regression-in-cross-fs-copies.patch
new file mode 100644
index 00000000000..068e30d2eb9
--- /dev/null
+++ b/queue-5.18/vfs-fix-copy_file_range-regression-in-cross-fs-copies.patch
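Review bot: The new `if` in mlx5_vdpa_set_vq_cb carries no comment, so nothing in the code says why the control VQ needs a second copy of the callback in `mvdev->cvq` on top of `ndev->event_cbs[idx]`; the commit message explains it, the code does not. A comment on the added line such as `/* The control VQ is serviced via mvdev->cvq, not event_cbs[], so keep its copy of the callback in sync */` would capture that (the consumer is not visible in this hunk, so confirm the wording against mlx5_cvq_notify). Since the callback now lives in two places, any path that clears or replaces `event_cbs[]` (not visible here) presumably needs the same treatment for `cvq.event_cb`, otherwise the stale-callback problem returns in the other direction. mlx5_vdpa_set_vq_cb begins outside the hunk.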
@@ -0,0 +1,251 @@
+From 868f9f2f8e004bfe0d3935b1976f625b2924893b Mon Sep 17 00:00:00 2001
+From: Amir Goldstein
+Date: Thu, 30 Jun 2022 22:58:49 +0300
+Subject: vfs: fix copy_file_range() regression in cross-fs copies
+
+From: Amir Goldstein
+
+commit 868f9f2f8e004bfe0d3935b1976f625b2924893b upstream.
+
+A regression has been reported by Nicolas Boichat, found while using the
+copy_file_range syscall to copy a tracefs file.
+
+Before commit 5dae222a5ff0 ("vfs: allow copy_file_range to copy across
+devices") the kernel would return -EXDEV to userspace when trying to
+copy a file across different filesystems. After this commit, the
+syscall doesn't fail anymore and instead returns zero (zero bytes
+copied), as this file's content is generated on-the-fly and thus reports
+a size of zero.
+
+Another regression has been reported by He Zhe - the assertion of
+WARN_ON_ONCE(ret == -EOPNOTSUPP) can be triggered from userspace when
+copying from a sysfs file whose read operation may return -EOPNOTSUPP.
+
+Since we do not have test coverage for copy_file_range() between any two
+types of filesystems, the best way to avoid these sort of issues in the
+future is for the kernel to be more picky about filesystems that are
+allowed to do copy_file_range().
+
+This patch restores some cross-filesystem copy restrictions that existed
+prior to commit 5dae222a5ff0 ("vfs: allow copy_file_range to copy across
+devices"), namely, cross-sb copy is not allowed for filesystems that do
+not implement ->copy_file_range().
+
+Filesystems that do implement ->copy_file_range() have full control of
+the result - if this method returns an error, the error is returned to
+the user. Before this change this was only true for fs that did not
+implement the ->remap_file_range() operation (i.e. nfsv3).
+
+Filesystems that do not implement ->copy_file_range() still fall-back to
+the generic_copy_file_range() implementation when the copy is within the
+same sb. This helps the kernel can maintain a more consistent story
+about which filesystems support copy_file_range().
+
+nfsd and ksmbd servers are modified to fall-back to the
+generic_copy_file_range() implementation in case vfs_copy_file_range()
+fails with -EOPNOTSUPP or -EXDEV, which preserves behavior of
+server-side-copy.
+
+fall-back to generic_copy_file_range() is not implemented for the smb
+operation FSCTL_DUPLICATE_EXTENTS_TO_FILE, which is arguably a correct
+change of behavior.
+
+Fixes: 5dae222a5ff0 ("vfs: allow copy_file_range to copy across devices")
+Link: https://lore.kernel.org/linux-fsdevel/20210212044405.4120619-1-drinkcat@chromium.org/
+Link: https://lore.kernel.org/linux-fsdevel/CANMq1KDZuxir2LM5jOTm0xx+BnvW=ZmpsG47CyHFJwnw7zSX6Q@mail.gmail.com/
+Link: https://lore.kernel.org/linux-fsdevel/20210126135012.1.If45b7cdc3ff707bc1efa17f5366057d60603c45f@changeid/
+Link: https://lore.kernel.org/linux-fsdevel/20210630161320.29006-1-lhenriques@suse.de/
+Reported-by: Nicolas Boichat
+Reported-by: kernel test robot
+Signed-off-by: Luis Henriques
+Fixes: 64bf5ff58dff ("vfs: no fallback for ->copy_file_range")
+Link: https://lore.kernel.org/linux-fsdevel/20f17f64-88cb-4e80-07c1-85cb96c83619@windriver.com/
+Reported-by: He Zhe
+Tested-by: Namjae Jeon
+Tested-by: Luis Henriques
+Signed-off-by: Amir Goldstein
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ksmbd/smb2pdu.c | 16 ++++++++---
+ fs/ksmbd/vfs.c | 4 ++
+ fs/nfsd/vfs.c | 8 ++++-
+ fs/read_write.c | 77 ++++++++++++++++++++++++++++++-----------------------
+ 4 files changed, 68 insertions(+), 37 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -7815,14 +7815,24 @@ int smb2_ioctl(struct ksmbd_work *work)
+ src_off = le64_to_cpu(dup_ext->SourceFileOffset);
+ dst_off = le64_to_cpu(dup_ext->TargetFileOffset);
+ length = le64_to_cpu(dup_ext->ByteCount);
+- cloned = vfs_clone_file_range(fp_in->filp, src_off, fp_out->filp,
+- dst_off, length, 0);
++ /*
++ * XXX: It is not clear if FSCTL_DUPLICATE_EXTENTS_TO_FILE
++ * should fall back to vfs_copy_file_range(). This could be
++ * beneficial when re-exporting nfs/smb mount, but note that
++ * this can result in partial copy that returns an error status.
++ * If/when FSCTL_DUPLICATE_EXTENTS_TO_FILE_EX is implemented,
++ * fall back to vfs_copy_file_range(), should be avoided when
++ * the flag DUPLICATE_EXTENTS_DATA_EX_SOURCE_ATOMIC is set.
++ */
++ cloned = vfs_clone_file_range(fp_in->filp, src_off,
++ fp_out->filp, dst_off, length, 0);
+ if (cloned == -EXDEV || cloned == -EOPNOTSUPP) {
+ ret = -EOPNOTSUPP;
+ goto dup_ext_out;
+ } else if (cloned != length) {
+ cloned = vfs_copy_file_range(fp_in->filp, src_off,
+- fp_out->filp, dst_off, length, 0);
++ fp_out->filp, dst_off,
++ length, 0);
+ if (cloned != length) {
+ if (cloned < 0)
+ ret = cloned;
+--- a/fs/ksmbd/vfs.c
++++ b/fs/ksmbd/vfs.c
+@@ -1779,6 +1779,10 @@ int ksmbd_vfs_copy_file_ranges(struct ks
+ 
+ ret = vfs_copy_file_range(src_fp->filp, src_off,
+ dst_fp->filp, dst_off, len, 0);
++ if (ret == -EOPNOTSUPP || ret == -EXDEV)
++ ret = generic_copy_file_range(src_fp->filp, src_off,
++ dst_fp->filp, dst_off,
++ len, 0);
+ if (ret < 0)
+ return ret;
+ 
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -577,6 +577,7 @@ out_err:
+ ssize_t nfsd_copy_file_range(struct file *src, u64 src_pos, struct file *dst,
+ u64 dst_pos, u64 count)
+ {
++ ssize_t ret;
+ 
+ /*
+ * Limit copy to 4MB to prevent indefinitely blocking an nfsd
+@@ -587,7 +588,12 @@ ssize_t nfsd_copy_file_range(struct file
+ * limit like this and pipeline multiple COPY requests.
+ */
+ count = min_t(u64, count, 1 << 22);
+- return vfs_copy_file_range(src, src_pos, dst, dst_pos, count, 0);
++ ret = vfs_copy_file_range(src, src_pos, dst, dst_pos, count, 0);
++
++ if (ret == -EOPNOTSUPP || ret == -EXDEV)
++ ret = generic_copy_file_range(src, src_pos, dst, dst_pos,
++ count, 0);
++ return ret;
+ }
+ 
+ __be32 nfsd4_vfs_fallocate(struct svc_rqst *rqstp, struct svc_fh *fhp,
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -1381,28 +1381,6 @@ ssize_t generic_copy_file_range(struct f
+ }
+ EXPORT_SYMBOL(generic_copy_file_range);
+ 
+-static ssize_t do_copy_file_range(struct file *file_in, loff_t pos_in,
+- struct file *file_out, loff_t pos_out,
+- size_t len, unsigned int flags)
+-{
+- /*
+- * Although we now allow filesystems to handle cross sb copy, passing
+- * a file of the wrong filesystem type to filesystem driver can result
+- * in an attempt to dereference the wrong type of ->private_data, so
+- * avoid doing that until we really have a good reason. NFS defines
+- * several different file_system_type structures, but they all end up
+- * using the same ->copy_file_range() function pointer.
+- */
+- if (file_out->f_op->copy_file_range &&
+- file_out->f_op->copy_file_range == file_in->f_op->copy_file_range)
+- return file_out->f_op->copy_file_range(file_in, pos_in,
+- file_out, pos_out,
+- len, flags);
+-
+- return generic_copy_file_range(file_in, pos_in, file_out, pos_out, len,
+- flags);
+-}
+-
+ /*
+ * Performs necessary checks before doing a file copy
+ *
+@@ -1424,6 +1402,24 @@ static int generic_copy_file_checks(stru
+ if (ret)
+ return ret;
+ 
++ /*
++ * We allow some filesystems to handle cross sb copy, but passing
++ * a file of the wrong filesystem type to filesystem driver can result
++ * in an attempt to dereference the wrong type of ->private_data, so
++ * avoid doing that until we really have a good reason.
++ *
++ * nfs and cifs define several different file_system_type structures
++ * and several different sets of file_operations, but they all end up
++ * using the same ->copy_file_range() function pointer.
++ */
++ if (file_out->f_op->copy_file_range) {
++ if (file_in->f_op->copy_file_range !=
++ file_out->f_op->copy_file_range)
++ return -EXDEV;
++ } else if (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb) {
++ return -EXDEV;
++ }
++
+ /* Don't touch certain kinds of inodes */
+ if (IS_IMMUTABLE(inode_out))
+ return -EPERM;
+@@ -1489,26 +1485,41 @@ ssize_t vfs_copy_file_range(struct file
+ file_start_write(file_out);
+ 
+ /*
+- * Try cloning first, this is supported by more file systems, and
+- * more efficient if both clone and copy are supported (e.g. NFS).
++ * Cloning is supported by more file systems, so we implement copy on
++ * same sb using clone, but for filesystems where both clone and copy
++ * are supported (e.g. nfs,cifs), we only call the copy method.
+ */
++ if (file_out->f_op->copy_file_range) {
++ ret = file_out->f_op->copy_file_range(file_in, pos_in,
++ file_out, pos_out,
++ len, flags);
++ goto done;
++ }
++
+ if (file_in->f_op->remap_file_range &&
+ file_inode(file_in)->i_sb == file_inode(file_out)->i_sb) {
+- loff_t cloned;
+-
+- cloned = file_in->f_op->remap_file_range(file_in, pos_in,
++ ret = file_in->f_op->remap_file_range(file_in, pos_in,
+ file_out, pos_out,
+ min_t(loff_t, MAX_RW_COUNT, len),
+ REMAP_FILE_CAN_SHORTEN);
+- if (cloned > 0) {
+- ret = cloned;
++ if (ret > 0)
+ goto done;
+- }
+ }
+ 
+- ret = do_copy_file_range(file_in, pos_in, file_out, pos_out, len,
+- flags);
+- WARN_ON_ONCE(ret == -EOPNOTSUPP);
++ /*
++ * We can get here for same sb copy of filesystems that do not implement
++ * ->copy_file_range() in case filesystem does not support clone or in
++ * case filesystem supports clone but rejected the clone request (e.g.
++ * because it was not block aligned).
++ *
++ * In both cases, fall back to kernel copy so we are able to maintain a
++ * consistent story about which filesystems support copy_file_range()
++ * and which filesystems do not, that will allow userspace tools to
++ * make consistent desicions w.r.t using copy_file_range().
++ */
++ ret = generic_copy_file_range(file_in, pos_in, file_out, pos_out, len,
++ flags);
++
+ done:
+ if (ret > 0) {
+ fsnotify_access(file_in);