From: Greg Kroah-Hartman
Date: Mon, 19 Feb 2024 19:02:21 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v4.19.307~103
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2df90a688722a3e06f8fa680ec8ff699bf8d487;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch
can-j1939-prevent-deadlock-by-changing-j1939_socks_lock-to-rwlock.patch
ceph-prevent-use-after-free-in-encode_cap_msg.patch
crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch
irqchip-gic-v3-its-fix-gicv4.1-vpe-affinity-update.patch
irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch
mm-hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve.patch
net-ethernet-ti-cpsw-enable-mac_managed_pm-to-fix-mdio.patch
net-ethernet-ti-cpsw_new-enable-mac_managed_pm-to-fix-mdio.patch
nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch
nfp-use-correct-macro-for-lengthselect-in-bar-config.patch
of-property-fix-typo-in-io-channels.patch
pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch
s390-qeth-fix-potential-loss-of-l3-ip-in-case-of-network-issues.patch
wifi-mac80211-reload-info-pointer-in-ieee80211_tx_dequeue.patch
---
diff --git a/queue-5.15/can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch b/queue-5.15/can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch
new file mode 100644
index 00000000000..f740f983827
--- /dev/null
+++ b/queue-5.15/can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch
@@ -0,0 +1,194 @@
+From efe7cf828039aedb297c1f9920b638fffee6aabc Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel
+Date: Fri, 20 Oct 2023 15:38:14 +0200
+Subject: can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
+
+From: Oleksij Rempel
+
+commit efe7cf828039aedb297c1f9920b638fffee6aabc upstream.
+
+Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)
+modifies jsk->filters while receiving packets.
+
+Following trace was seen on affected system:
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+ Read of size 4 at addr ffff888012144014 by task j1939/350
+
+ CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ Call Trace:
+ print_report+0xd3/0x620
+ ? kasan_complete_mode_report_info+0x7d/0x200
+ ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+ kasan_report+0xc2/0x100
+ ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+ __asan_load4+0x84/0xb0
+ j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+ j1939_sk_recv+0x20b/0x320 [can_j1939]
+ ? __kasan_check_write+0x18/0x20
+ ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]
+ ? j1939_simple_recv+0x69/0x280 [can_j1939]
+ ? j1939_ac_recv+0x5e/0x310 [can_j1939]
+ j1939_can_recv+0x43f/0x580 [can_j1939]
+ ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
+ ? raw_rcv+0x42/0x3c0 [can_raw]
+ ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
+ can_rcv_filter+0x11f/0x350 [can]
+ can_receive+0x12f/0x190 [can]
+ ? __pfx_can_rcv+0x10/0x10 [can]
+ can_rcv+0xdd/0x130 [can]
+ ? __pfx_can_rcv+0x10/0x10 [can]
+ __netif_receive_skb_one_core+0x13d/0x150
+ ? __pfx___netif_receive_skb_one_core+0x10/0x10
+ ? __kasan_check_write+0x18/0x20
+ ? _raw_spin_lock_irq+0x8c/0xe0
+ __netif_receive_skb+0x23/0xb0
+ process_backlog+0x107/0x260
+ __napi_poll+0x69/0x310
+ net_rx_action+0x2a1/0x580
+ ? __pfx_net_rx_action+0x10/0x10
+ ? __pfx__raw_spin_lock+0x10/0x10
+ ? handle_irq_event+0x7d/0xa0
+ __do_softirq+0xf3/0x3f8
+ do_softirq+0x53/0x80
+
+
+ __local_bh_enable_ip+0x6e/0x70
+ netif_rx+0x16b/0x180
+ can_send+0x32b/0x520 [can]
+ ? __pfx_can_send+0x10/0x10 [can]
+ ? __check_object_size+0x299/0x410
+ raw_sendmsg+0x572/0x6d0 [can_raw]
+ ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
+ ? apparmor_socket_sendmsg+0x2f/0x40
+ ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
+ sock_sendmsg+0xef/0x100
+ sock_write_iter+0x162/0x220
+ ? __pfx_sock_write_iter+0x10/0x10
+ ? __rtnl_unlock+0x47/0x80
+ ? security_file_permission+0x54/0x320
+ vfs_write+0x6ba/0x750
+ ? __pfx_vfs_write+0x10/0x10
+ ? __fget_light+0x1ca/0x1f0
+ ? __rcu_read_unlock+0x5b/0x280
+ ksys_write+0x143/0x170
+ ? __pfx_ksys_write+0x10/0x10
+ ? __kasan_check_read+0x15/0x20
+ ? fpregs_assert_state_consistent+0x62/0x70
+ __x64_sys_write+0x47/0x60
+ do_syscall_64+0x60/0x90
+ ? do_syscall_64+0x6d/0x90
+ ? irqentry_exit+0x3f/0x50
+ ? exc_page_fault+0x79/0xf0
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+ Allocated by task 348:
+ kasan_save_stack+0x2a/0x50
+ kasan_set_track+0x29/0x40
+ kasan_save_alloc_info+0x1f/0x30
+ __kasan_kmalloc+0xb5/0xc0
+ __kmalloc_node_track_caller+0x67/0x160
+ j1939_sk_setsockopt+0x284/0x450 [can_j1939]
+ __sys_setsockopt+0x15c/0x2f0
+ __x64_sys_setsockopt+0x6b/0x80
+ do_syscall_64+0x60/0x90
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+ Freed by task 349:
+ kasan_save_stack+0x2a/0x50
+ kasan_set_track+0x29/0x40
+ kasan_save_free_info+0x2f/0x50
+ __kasan_slab_free+0x12e/0x1c0
+ __kmem_cache_free+0x1b9/0x380
+ kfree+0x7a/0x120
+ j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]
+ __sys_setsockopt+0x15c/0x2f0
+ __x64_sys_setsockopt+0x6b/0x80
+ do_syscall_64+0x60/0x90
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
+Reported-by: Sili Luo
+Suggested-by: Sili Luo
+Acked-by: Oleksij Rempel
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel
+Link: https://lore.kernel.org/all/20231020133814.383996-1-o.rempel@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/j1939/j1939-priv.h | 1 +
+ net/can/j1939/socket.c | 22 ++++++++++++++++++----
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+--- a/net/can/j1939/j1939-priv.h
++++ b/net/can/j1939/j1939-priv.h
+@@ -301,6 +301,7 @@ struct j1939_sock {
+
+ int ifindex;
+ struct j1939_addr addr;
++ spinlock_t filters_lock;
+ struct j1939_filter *filters;
+ int nfilters;
+ pgn_t pgn_rx_filter;
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -262,12 +262,17 @@ static bool j1939_sk_match_dst(struct j1
+ static bool j1939_sk_match_filter(struct j1939_sock *jsk,
+ const struct j1939_sk_buff_cb *skcb)
+ {
+- const struct j1939_filter *f = jsk->filters;
+- int nfilter = jsk->nfilters;
++ const struct j1939_filter *f;
++ int nfilter;
++
++ spin_lock_bh(&jsk->filters_lock);
++
++ f = jsk->filters;
++ nfilter = jsk->nfilters;
+
+ if (!nfilter)
+ /* receive all when no filters are assigned */
+- return true;
++ goto filter_match_found;
+
+ for (; nfilter; ++f, --nfilter) {
+ if ((skcb->addr.pgn & f->pgn_mask) != f->pgn)
+@@ -276,9 +281,15 @@ static bool j1939_sk_match_filter(struct
+ continue;
+ if ((skcb->addr.src_name & f->name_mask) != f->name)
+ continue;
+- return true;
++ goto filter_match_found;
+ }
++
++ spin_unlock_bh(&jsk->filters_lock);
+ return false;
++
++filter_match_found:
++ spin_unlock_bh(&jsk->filters_lock);
++ return true;
+ }
+
+ static bool j1939_sk_recv_match_one(struct j1939_sock *jsk,
+@@ -401,6 +412,7 @@ static int j1939_sk_init(struct sock *sk
+ atomic_set(&jsk->skb_pending, 0);
+ spin_lock_init(&jsk->sk_session_queue_lock);
+ INIT_LIST_HEAD(&jsk->sk_session_queue);
++ spin_lock_init(&jsk->filters_lock);
+
+ /* j1939_sk_sock_destruct() depends on SOCK_RCU_FREE flag */
+ sock_set_flag(sk, SOCK_RCU_FREE);
+@@ -703,9 +715,11 @@ static int j1939_sk_setsockopt(struct so
+ }
+
+ lock_sock(&jsk->sk);
++ spin_lock_bh(&jsk->filters_lock);
+ ofilters = jsk->filters;
+ jsk->filters = filters;
+ jsk->nfilters = count;
++ spin_unlock_bh(&jsk->filters_lock);
+ release_sock(&jsk->sk);
+ kfree(ofilters);
+ return 0;
diff --git a/queue-5.15/can-j1939-prevent-deadlock-by-changing-j1939_socks_lock-to-rwlock.patch b/queue-5.15/can-j1939-prevent-deadlock-by-changing-j1939_socks_lock-to-rwlock.patch
new file mode 100644
index 00000000000..1d1da2b9501
--- /dev/null
+++ b/queue-5.15/can-j1939-prevent-deadlock-by-changing-j1939_socks_lock-to-rwlock.patch
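Review bot: The new `filters_lock` field in struct j1939_sock (j1939-priv.h hunk) has no comment saying what it guards; I would add `/* protects filters and nfilters against SO_J1939_FILTER updates; taken with BH disabled */` above it. In j1939_sk_match_filter() the lock is now released at two separate exits through a goto label; setting a single `bool match` in the loop and ending with one `spin_unlock_bh(&jsk->filters_lock); return match;` would make it harder for a later edit to add a return that leaves the lock held. The trace in the commit message shows this function being reached from j1939_sk_recv(), which presumably already holds priv->j1939_socks_lock, so the nesting order (socks lock, then filters_lock) is worth stating in that same comment. The middle of the filter loop lies between the two socket.c hunks and is not shown.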
@@ -0,0 +1,153 @@
+From 6cdedc18ba7b9dacc36466e27e3267d201948c8d Mon Sep 17 00:00:00 2001
+From: Ziqi Zhao
+Date: Fri, 21 Jul 2023 09:22:26 -0700
+Subject: can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock
+
+From: Ziqi Zhao
+
+commit 6cdedc18ba7b9dacc36466e27e3267d201948c8d upstream.
+
+The following 3 locks would race against each other, causing the
+deadlock situation in the Syzbot bug report:
+
+- j1939_socks_lock
+- active_session_list_lock
+- sk_session_queue_lock
+
+A reasonable fix is to change j1939_socks_lock to an rwlock, since in
+the rare situations where a write lock is required for the linked list
+that j1939_socks_lock is protecting, the code does not attempt to
+acquire any more locks. This would break the circular lock dependency,
+where, for example, the current thread already locks j1939_socks_lock
+and attempts to acquire sk_session_queue_lock, and at the same time,
+another thread attempts to acquire j1939_socks_lock while holding
+sk_session_queue_lock.
+
+NOTE: This patch along does not fix the unregister_netdevice bug
+reported by Syzbot; instead, it solves a deadlock situation to prepare
+for one or more further patches to actually fix the Syzbot bug, which
+appears to be a reference counting problem within the j1939 codebase.
+
+Reported-by:
+Signed-off-by: Ziqi Zhao
+Reviewed-by: Oleksij Rempel
+Acked-by: Oleksij Rempel
+Link: https://lore.kernel.org/all/20230721162226.8639-1-astrajoan@yahoo.com
+[mkl: remove unrelated newline change]
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/j1939/j1939-priv.h | 2 +-
+ net/can/j1939/main.c | 2 +-
+ net/can/j1939/socket.c | 24 ++++++++++++------------
+ 3 files changed, 14 insertions(+), 14 deletions(-)
+
+--- a/net/can/j1939/j1939-priv.h
++++ b/net/can/j1939/j1939-priv.h
+@@ -86,7 +86,7 @@ struct j1939_priv {
+ unsigned int tp_max_packet_size;
+
+ /* lock for j1939_socks list */
+- spinlock_t j1939_socks_lock;
++ rwlock_t j1939_socks_lock;
+ struct list_head j1939_socks;
+
+ struct kref rx_kref;
+--- a/net/can/j1939/main.c
++++ b/net/can/j1939/main.c
+@@ -270,7 +270,7 @@ struct j1939_priv *j1939_netdev_start(st
+ return ERR_PTR(-ENOMEM);
+
+ j1939_tp_init(priv);
+- spin_lock_init(&priv->j1939_socks_lock);
++ rwlock_init(&priv->j1939_socks_lock);
+ INIT_LIST_HEAD(&priv->j1939_socks);
+
+ mutex_lock(&j1939_netdev_lock);
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -80,16 +80,16 @@ static void j1939_jsk_add(struct j1939_p
+ jsk->state |= J1939_SOCK_BOUND;
+ j1939_priv_get(priv);
+
+- spin_lock_bh(&priv->j1939_socks_lock);
++ write_lock_bh(&priv->j1939_socks_lock);
+ list_add_tail(&jsk->list, &priv->j1939_socks);
+- spin_unlock_bh(&priv->j1939_socks_lock);
++ write_unlock_bh(&priv->j1939_socks_lock);
+ }
+
+ static void j1939_jsk_del(struct j1939_priv *priv, struct j1939_sock *jsk)
+ {
+- spin_lock_bh(&priv->j1939_socks_lock);
++ write_lock_bh(&priv->j1939_socks_lock);
+ list_del_init(&jsk->list);
+- spin_unlock_bh(&priv->j1939_socks_lock);
++ write_unlock_bh(&priv->j1939_socks_lock);
+
+ j1939_priv_put(priv);
+ jsk->state &= ~J1939_SOCK_BOUND;
+@@ -329,13 +329,13 @@ bool j1939_sk_recv_match(struct j1939_pr
+ struct j1939_sock *jsk;
+ bool match = false;
+
+- spin_lock_bh(&priv->j1939_socks_lock);
++ read_lock_bh(&priv->j1939_socks_lock);
+ list_for_each_entry(jsk, &priv->j1939_socks, list) {
+ match = j1939_sk_recv_match_one(jsk, skcb);
+ if (match)
+ break;
+ }
+- spin_unlock_bh(&priv->j1939_socks_lock);
++ read_unlock_bh(&priv->j1939_socks_lock);
+
+ return match;
+ }
+@@ -344,11 +344,11 @@ void j1939_sk_recv(struct j1939_priv *pr
+ {
+ struct j1939_sock *jsk;
+
+- spin_lock_bh(&priv->j1939_socks_lock);
++ read_lock_bh(&priv->j1939_socks_lock);
+ list_for_each_entry(jsk, &priv->j1939_socks, list) {
+ j1939_sk_recv_one(jsk, skb);
+ }
+- spin_unlock_bh(&priv->j1939_socks_lock);
++ read_unlock_bh(&priv->j1939_socks_lock);
+ }
+
+ static void j1939_sk_sock_destruct(struct sock *sk)
+@@ -1078,12 +1078,12 @@ void j1939_sk_errqueue(struct j1939_sess
+ }
+
+ /* spread RX notifications to all sockets subscribed to this session */
+- spin_lock_bh(&priv->j1939_socks_lock);
++ read_lock_bh(&priv->j1939_socks_lock);
+ list_for_each_entry(jsk, &priv->j1939_socks, list) {
+ if (j1939_sk_recv_match_one(jsk, &session->skcb))
+ __j1939_sk_errqueue(session, &jsk->sk, type);
+ }
+- spin_unlock_bh(&priv->j1939_socks_lock);
++ read_unlock_bh(&priv->j1939_socks_lock);
+ };
+
+ void j1939_sk_send_loop_abort(struct sock *sk, int err)
+@@ -1271,7 +1271,7 @@ void j1939_sk_netdev_event_netdown(struc
+ struct j1939_sock *jsk;
+ int error_code = ENETDOWN;
+
+- spin_lock_bh(&priv->j1939_socks_lock);
++ read_lock_bh(&priv->j1939_socks_lock);
+ list_for_each_entry(jsk, &priv->j1939_socks, list) {
+ jsk->sk.sk_err = error_code;
+ if (!sock_flag(&jsk->sk, SOCK_DEAD))
+@@ -1279,7 +1279,7 @@ void j1939_sk_netdev_event_netdown(struc
+
+ j1939_sk_queue_drop_all(priv, jsk, error_code);
+ }
+- spin_unlock_bh(&priv->j1939_socks_lock);
++ read_unlock_bh(&priv->j1939_socks_lock);
+ }
+
+ static int j1939_sk_no_ioctlcmd(struct socket *sock, unsigned int cmd,
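Review bot: The deadlock fix rests on an invariant that nothing in the code states: per the commit message, a holder of the write side of `j1939_socks_lock` must not take any other lock, yet j1939_jsk_add() and j1939_jsk_del() carry no comment to that effect and the field comment in j1939-priv.h still reads `/* lock for j1939_socks list */`. I would extend it to something like `/* rwlock for j1939_socks list membership; write side must not nest any other lock, readers may take per-socket locks */`. The read-side sections are also not read-only with respect to the sockets themselves: j1939_sk_netdev_event_netdown() sets `jsk->sk.sk_err` and calls j1939_sk_queue_drop_all() under `read_lock_bh`, so the rwlock serialises only list membership and several readers may now run these bodies concurrently. Whether the per-socket state touched there is protected by other means cannot be judged from these hunks.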
diff --git a/queue-5.15/ceph-prevent-use-after-free-in-encode_cap_msg.patch b/queue-5.15/ceph-prevent-use-after-free-in-encode_cap_msg.patch
new file mode 100644
index 00000000000..16fdbd5c610
--- /dev/null
+++ b/queue-5.15/ceph-prevent-use-after-free-in-encode_cap_msg.patch
@@ -0,0 +1,53 @@
+From cda4672da1c26835dcbd7aec2bfed954eda9b5ef Mon Sep 17 00:00:00 2001
+From: Rishabh Dave
+Date: Thu, 1 Feb 2024 17:07:16 +0530
+Subject: ceph: prevent use-after-free in encode_cap_msg()
+
+From: Rishabh Dave
+
+commit cda4672da1c26835dcbd7aec2bfed954eda9b5ef upstream.
+
+In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was
+caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This
+implies before the refcount could be increment here, it was freed.
+
+In same file, in "handle_cap_grant()" refcount is decremented by this
+line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race
+occurred and resource was freed by the latter line before the former
+line could increment it.
+
+encode_cap_msg() is called by __send_cap() and __send_cap() is called by
+ceph_check_caps() after calling __prep_cap(). __prep_cap() is where
+arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where
+the refcount must be increased to prevent "use after free" error.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/59259
+Signed-off-by: Rishabh Dave
+Reviewed-by: Jeff Layton
+Reviewed-by: Xiubo Li
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ceph/caps.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1390,7 +1390,7 @@ static void __prep_cap(struct cap_msg_ar
+ if (flushing & CEPH_CAP_XATTR_EXCL) {
+ arg->old_xattr_buf = __ceph_build_xattrs_blob(ci);
+ arg->xattr_version = ci->i_xattrs.version;
+- arg->xattr_buf = ci->i_xattrs.blob;
++ arg->xattr_buf = ceph_buffer_get(ci->i_xattrs.blob);
+ } else {
+ arg->xattr_buf = NULL;
+ arg->old_xattr_buf = NULL;
+@@ -1456,6 +1456,7 @@ static void __send_cap(struct cap_msg_ar
+ encode_cap_msg(msg, arg);
+ ceph_con_send(&arg->session->s_con, msg);
+ ceph_buffer_put(arg->old_xattr_buf);
++ ceph_buffer_put(arg->xattr_buf);
+ if (arg->wake)
+ wake_up_all(&ci->i_cap_wq);
+ }
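Review bot: The reference taken in __prep_cap() by `arg->xattr_buf = ceph_buffer_get(ci->i_xattrs.blob);` is dropped only at the end of __send_cap(), so any path that fills a cap_msg_args and returns before `ceph_buffer_put(arg->xattr_buf);` would leak the buffer. Both functions extend beyond the hunks, so an earlier return in __send_cap() (for example on message allocation failure, if there is one) should be checked. The get is also unconditional: from memory ceph_buffer_get() calls kref_get() without a NULL check, unlike ceph_buffer_put(), so it is worth confirming that `ci->i_xattrs.blob` cannot be NULL when CEPH_CAP_XATTR_EXCL is being flushed. A short ownership comment at the assignment, e.g. `/* ref held for the message; put in __send_cap() */`, would document the pairing.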
diff --git a/queue-5.15/crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch b/queue-5.15/crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch
new file mode 100644
index 00000000000..be9562af0fb
--- /dev/null
+++ b/queue-5.15/crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch
@@ -0,0 +1,118 @@
+From ccb88e9549e7cfd8bcd511c538f437e20026e983 Mon Sep 17 00:00:00 2001
+From: Kim Phillips
+Date: Thu, 25 Jan 2024 17:12:53 -0600
+Subject: crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked
+
+From: Kim Phillips
+
+commit ccb88e9549e7cfd8bcd511c538f437e20026e983 upstream.
+
+The SEV platform device can be shutdown with a null psp_master,
+e.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN:
+
+[ 137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002)
+[ 137.162647] ccp 0000:23:00.1: no command queues available
+[ 137.170598] ccp 0000:23:00.1: sev enabled
+[ 137.174645] ccp 0000:23:00.1: psp enabled
+[ 137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
+[ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7]
+[ 137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311
+[ 137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180
+[ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c
+[ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216
+[ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e
+[ 137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0
+[ 137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66
+[ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28
+[ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8
+[ 137.182693] FS: 0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000
+[ 137.182693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0
+[ 137.182693] Call Trace:
+[ 137.182693]
+[ 137.182693] ? show_regs+0x6c/0x80
+[ 137.182693] ? __die_body+0x24/0x70
+[ 137.182693] ? die_addr+0x4b/0x80
+[ 137.182693] ? exc_general_protection+0x126/0x230
+[ 137.182693] ? asm_exc_general_protection+0x2b/0x30
+[ 137.182693] ? __sev_platform_shutdown_locked+0x51/0x180
+[ 137.182693] sev_firmware_shutdown.isra.0+0x1e/0x80
+[ 137.182693] sev_dev_destroy+0x49/0x100
+[ 137.182693] psp_dev_destroy+0x47/0xb0
+[ 137.182693] sp_destroy+0xbb/0x240
+[ 137.182693] sp_pci_remove+0x45/0x60
+[ 137.182693] pci_device_remove+0xaa/0x1d0
+[ 137.182693] device_remove+0xc7/0x170
+[ 137.182693] really_probe+0x374/0xbe0
+[ 137.182693] ? srso_return_thunk+0x5/0x5f
+[ 137.182693] __driver_probe_device+0x199/0x460
+[ 137.182693] driver_probe_device+0x4e/0xd0
+[ 137.182693] __driver_attach+0x191/0x3d0
+[ 137.182693] ? __pfx___driver_attach+0x10/0x10
+[ 137.182693] bus_for_each_dev+0x100/0x190
+[ 137.182693] ? __pfx_bus_for_each_dev+0x10/0x10
+[ 137.182693] ? __kasan_check_read+0x15/0x20
+[ 137.182693] ? srso_return_thunk+0x5/0x5f
+[ 137.182693] ? _raw_spin_unlock+0x27/0x50
+[ 137.182693] driver_attach+0x41/0x60
+[ 137.182693] bus_add_driver+0x2a8/0x580
+[ 137.182693] driver_register+0x141/0x480
+[ 137.182693] __pci_register_driver+0x1d6/0x2a0
+[ 137.182693] ? srso_return_thunk+0x5/0x5f
+[ 137.182693] ? esrt_sysfs_init+0x1cd/0x5d0
+[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10
+[ 137.182693] sp_pci_init+0x22/0x30
+[ 137.182693] sp_mod_init+0x14/0x30
+[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10
+[ 137.182693] do_one_initcall+0xd1/0x470
+[ 137.182693] ? __pfx_do_one_initcall+0x10/0x10
+[ 137.182693] ? parameq+0x80/0xf0
+[ 137.182693] ? srso_return_thunk+0x5/0x5f
+[ 137.182693] ? __kmalloc+0x3b0/0x4e0
+[ 137.182693] ? kernel_init_freeable+0x92d/0x1050
+[ 137.182693] ? kasan_populate_vmalloc_pte+0x171/0x190
+[ 137.182693] ? srso_return_thunk+0x5/0x5f
+[ 137.182693] kernel_init_freeable+0xa64/0x1050
+[ 137.182693] ? __pfx_kernel_init+0x10/0x10
+[ 137.182693] kernel_init+0x24/0x160
+[ 137.182693] ? __switch_to_asm+0x3e/0x70
+[ 137.182693] ret_from_fork+0x40/0x80
+[ 137.182693] ? __pfx_kernel_init+0x10/0x10
+[ 137.182693] ret_from_fork_asm+0x1b/0x30
+[ 137.182693]
+[ 137.182693] Modules linked in:
+[ 137.538483] ---[ end trace 0000000000000000 ]---
+
+Fixes: 1b05ece0c931 ("crypto: ccp - During shutdown, check SEV data pointer before using")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mario Limonciello
+Signed-off-by: Kim Phillips
+Reviewed-by: Liam Merwick
+Acked-by: John Allen
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/ccp/sev-dev.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -323,10 +323,16 @@ EXPORT_SYMBOL_GPL(sev_platform_init);
+
+ static int __sev_platform_shutdown_locked(int *error)
+ {
+- struct sev_device *sev = psp_master->sev_data;
++ struct psp_device *psp = psp_master;
++ struct sev_device *sev;
+ int ret;
+
+- if (!sev || sev->state == SEV_STATE_UNINIT)
++ if (!psp || !psp->sev_data)
++ return 0;
++
++ sev = psp->sev_data;
++
++ if (sev->state == SEV_STATE_UNINIT)
+ return 0;
+
+ ret = __sev_do_cmd_locked(SEV_CMD_SHUTDOWN, NULL, error);
diff --git a/queue-5.15/irqchip-gic-v3-its-fix-gicv4.1-vpe-affinity-update.patch b/queue-5.15/irqchip-gic-v3-its-fix-gicv4.1-vpe-affinity-update.patch
new file mode 100644
index 00000000000..5c4790dba60
--- /dev/null
+++ b/queue-5.15/irqchip-gic-v3-its-fix-gicv4.1-vpe-affinity-update.patch
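Review bot: The new early `return 0` for a NULL `psp_master` in __sev_platform_shutdown_locked() does not say why that state is legitimate; a one-line comment above `if (!psp || !psp->sev_data)` such as `/* shutdown can run before a PSP master was registered, e.g. with DEBUG_TEST_DRIVER_REMOVE */` would keep the check from being removed later as redundant. The `*error` out-parameter is left untouched on both early returns, so callers that report it after a zero return should not assume it was written; the callers are outside this hunk, so that is to be confirmed. The function body continues past the end of the hunk.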
@@ -0,0 +1,80 @@
+From af9acbfc2c4b72c378d0b9a2ee023ed01055d3e2 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Tue, 13 Feb 2024 10:12:06 +0000
+Subject: irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update
+
+From: Marc Zyngier
+
+commit af9acbfc2c4b72c378d0b9a2ee023ed01055d3e2 upstream.
+
+When updating the affinity of a VPE, the VMOVP command is currently skipped
+if the two CPUs are part of the same VPE affinity.
+
+But this is wrong, as the doorbell corresponding to this VPE is still
+delivered on the 'old' CPU, which screws up the balancing. Furthermore,
+offlining that 'old' CPU results in doorbell interrupts generated for this
+VPE being discarded.
+
+The harsh reality is that VMOVP cannot be elided when a set_affinity()
+request occurs. It needs to be obeyed, and if an optimisation is to be
+made, it is at the point where the affinity change request is made (such as
+in KVM).
+
+Drop the VMOVP elision altogether, and only use the vpe_table_mask
+to try and stay within the same ITS affinity group if at all possible.
+
+Fixes: dd3f050a216e (irqchip/gic-v4.1: Implement the v4.1 flavour of VMOVP)
+Reported-by: Kunkun Jiang
+Signed-off-by: Marc Zyngier
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240213101206.2137483-4-maz@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/irqchip/irq-gic-v3-its.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -3800,8 +3800,9 @@ static int its_vpe_set_affinity(struct i
+ bool force)
+ {
+ struct its_vpe *vpe = irq_data_get_irq_chip_data(d);
+- int from, cpu = cpumask_first(mask_val);
++ struct cpumask common, *table_mask;
+ unsigned long flags;
++ int from, cpu;
+
+ /*
+ * Changing affinity is mega expensive, so let's be as lazy as
+@@ -3817,19 +3818,22 @@ static int its_vpe_set_affinity(struct i
+ * taken on any vLPI handling path that evaluates vpe->col_idx.
+ */
+ from = vpe_to_cpuid_lock(vpe, &flags);
+- if (from == cpu)
+- goto out;
+-
+- vpe->col_idx = cpu;
++ table_mask = gic_data_rdist_cpu(from)->vpe_table_mask;
+
+ /*
+- * GICv4.1 allows us to skip VMOVP if moving to a cpu whose RD
+- * is sharing its VPE table with the current one.
++ * If we are offered another CPU in the same GICv4.1 ITS
++ * affinity, pick this one. Otherwise, any CPU will do.
+ */
+- if (gic_data_rdist_cpu(cpu)->vpe_table_mask &&
+- cpumask_test_cpu(from, gic_data_rdist_cpu(cpu)->vpe_table_mask))
++ if (table_mask && cpumask_and(&common, mask_val, table_mask))
++ cpu = cpumask_test_cpu(from, &common) ? from : cpumask_first(&common);
++ else
++ cpu = cpumask_first(mask_val);
++
++ if (from == cpu)
+ goto out;
+
++ vpe->col_idx = cpu;
++
+ its_send_vmovp(vpe);
+ its_vpe_db_proxy_move(vpe, from, cpu);
+
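Review bot: `struct cpumask common` is placed on the stack in its_vpe_set_affinity() and is used between vpe_to_cpuid_lock() and the matching unlock; on kernels built with a large NR_CPUS a full cpumask is a sizeable stack object, which is why such temporaries are usually avoided. The intersection is only needed to pick one CPU, so the scratch mask can be dropped by using cpumask_first_and() and testing `from` against both masks directly, as sketched below; the CPU chosen is intended to be the same as with the posted code. The function starts before and ends after the hunks shown, and the declaration change belongs to the first hunk of this file.

```c
	int from, cpu = nr_cpu_ids;
	struct cpumask *table_mask;
	/* … unchanged: vpe_to_cpuid_lock() and the table_mask lookup … */
	if (table_mask)
		cpu = cpumask_first_and(mask_val, table_mask);

	if (cpu < nr_cpu_ids) {
		/* Stay on the current CPU when it is in both masks */
		if (cpumask_test_cpu(from, mask_val) &&
		    cpumask_test_cpu(from, table_mask))
			cpu = from;
	} else {
		cpu = cpumask_first(mask_val);
	}
	/* … unchanged: from == cpu check, col_idx update, VMOVP … */
```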
diff --git a/queue-5.15/irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch b/queue-5.15/irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch
new file mode 100644
index 00000000000..2b3360b39c2
--- /dev/null
+++ b/queue-5.15/irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch
@@ -0,0 +1,63 @@
+From b0344d6854d25a8b3b901c778b1728885dd99007 Mon Sep 17 00:00:00 2001
+From: Doug Berger
+Date: Fri, 9 Feb 2024 17:24:49 -0800
+Subject: irqchip/irq-brcmstb-l2: Add write memory barrier before exit
+
+From: Doug Berger
+
+commit b0344d6854d25a8b3b901c778b1728885dd99007 upstream.
+
+It was observed on Broadcom devices that use GIC v3 architecture L1
+interrupt controllers as the parent of brcmstb-l2 interrupt controllers
+that the deactivation of the parent interrupt could happen before the
+brcmstb-l2 deasserted its output. This would lead the GIC to reactivate the
+interrupt only to find that no L2 interrupt was pending. The result was a
+spurious interrupt invoking handle_bad_irq() with its associated
+messaging. While this did not create a functional problem it is a waste of
+cycles.
+
+The hazard exists because the memory mapped bus writes to the brcmstb-l2
+registers are buffered and the GIC v3 architecture uses a very efficient
+system register write to deactivate the interrupt.
+
+Add a write memory barrier prior to invoking chained_irq_exit() to
+introduce a dsb(st) on those systems to ensure the system register write
+cannot be executed until the memory mapped writes are visible to the
+system.
+
+[ florian: Added Fixes tag ]
+
+Fixes: 7f646e92766e ("irqchip: brcmstb-l2: Add Broadcom Set Top Box Level-2 interrupt controller")
+Signed-off-by: Doug Berger
+Signed-off-by: Florian Fainelli
+Signed-off-by: Thomas Gleixner
+Acked-by: Florian Fainelli
+Acked-by: Marc Zyngier
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240210012449.3009125-1-florian.fainelli@broadcom.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/irqchip/irq-brcmstb-l2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-brcmstb-l2.c
++++ b/drivers/irqchip/irq-brcmstb-l2.c
+@@ -2,7 +2,7 @@
+ /*
+ * Generic Broadcom Set Top Box Level 2 Interrupt controller driver
+ *
+- * Copyright (C) 2014-2017 Broadcom
++ * Copyright (C) 2014-2024 Broadcom
+ */
+
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+@@ -113,6 +113,9 @@ static void brcmstb_l2_intc_irq_handle(s
+ generic_handle_domain_irq(b->domain, irq);
+ } while (status);
+ out:
++ /* Don't ack parent before all device writes are done */
++ wmb();
++
+ chained_irq_exit(chip, desc);
+ }
+
diff --git a/queue-5.15/mm-hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve.patch b/queue-5.15/mm-hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve.patch
new file mode 100644
index 00000000000..fb9cac2992c
--- /dev/null
+++ b/queue-5.15/mm-hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve.patch
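Review bot: The comment added above `wmb()` in brcmstb_l2_intc_irq_handle() says what must not happen but not which accesses are being ordered; the commit message explains that buffered MMIO writes to the L2 registers can be overtaken by the system-register write that deactivates the parent interrupt. I would carry that into the code, e.g. `/* order the buffered L2 register writes before the parent's deactivate in chained_irq_exit() */`, so the barrier is not later judged redundant. The barrier sits after the `out:` label, so it presumably also runs on a path that jumps there without handling anything, which is harmless. The start of the handler is outside the hunk.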
@@ -0,0 +1,103 @@
+From e656c7a9e59607d1672d85ffa9a89031876ffe67 Mon Sep 17 00:00:00 2001
+From: Prakash Sangappa
+Date: Tue, 23 Jan 2024 12:04:42 -0800
+Subject: mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE
+
+From: Prakash Sangappa
+
+commit e656c7a9e59607d1672d85ffa9a89031876ffe67 upstream.
+
+For shared memory of type SHM_HUGETLB, hugetlb pages are reserved in
+shmget() call. If SHM_NORESERVE flags is specified then the hugetlb pages
+are not reserved. However when the shared memory is attached with the
+shmat() call the hugetlb pages are getting reserved incorrectly for
+SHM_HUGETLB shared memory created with SHM_NORESERVE which is a bug.
+
+-------------------------------
+Following test shows the issue.
+
+$cat shmhtb.c
+
+int main()
+{
+ int shmflags = 0660 | IPC_CREAT | SHM_HUGETLB | SHM_NORESERVE;
+ int shmid;
+
+ shmid = shmget(SKEY, SHMSZ, shmflags);
+ if (shmid < 0)
+ {
+ printf("shmat: shmget() failed, %d\n", errno);
+ return 1;
+ }
+ printf("After shmget()\n");
+ system("cat /proc/meminfo | grep -i hugepages_");
+
+ shmat(shmid, NULL, 0);
+ printf("\nAfter shmat()\n");
+ system("cat /proc/meminfo | grep -i hugepages_");
+
+ shmctl(shmid, IPC_RMID, NULL);
+ return 0;
+}
+
+ #sysctl -w vm.nr_hugepages=20
+ #./shmhtb
+
+After shmget()
+HugePages_Total: 20
+HugePages_Free: 20
+HugePages_Rsvd: 0
+HugePages_Surp: 0
+
+After shmat()
+HugePages_Total: 20
+HugePages_Free: 20
+HugePages_Rsvd: 5 <--
+HugePages_Surp: 0
+--------------------------------
+
+Fix is to ensure that hugetlb pages are not reserved for SHM_HUGETLB shared
+memory in the shmat() call.
+
+Link: https://lkml.kernel.org/r/1706040282-12388-1-git-send-email-prakash.sangappa@oracle.com
+Signed-off-by: Prakash Sangappa
+Acked-by: Muchun Song
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/hugetlbfs/inode.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -135,6 +135,7 @@ static int hugetlbfs_file_mmap(struct fi
+ loff_t len, vma_len;
+ int ret;
+ struct hstate *h = hstate_file(file);
++ vm_flags_t vm_flags;
+
+ /*
+ * vma address alignment (but not the pgoff alignment) has
+@@ -176,10 +177,20 @@ static int hugetlbfs_file_mmap(struct fi
+ file_accessed(file);
+
+ ret = -ENOMEM;
++
++ vm_flags = vma->vm_flags;
++ /*
++ * for SHM_HUGETLB, the pages are reserved in the shmget() call so skip
++ * reserving here. Note: only for SHM hugetlbfs file, the inode
++ * flag S_PRIVATE is set.
++ */
++ if (inode->i_flags & S_PRIVATE)
++ vm_flags |= VM_NORESERVE;
++
+ if (!hugetlb_reserve_pages(inode,
+ vma->vm_pgoff >> huge_page_order(h),
+ len >> huge_page_shift(h), vma,
+- vma->vm_flags))
++ vm_flags))
+ goto out;
+
+ ret = 0;
diff --git a/queue-5.15/net-ethernet-ti-cpsw-enable-mac_managed_pm-to-fix-mdio.patch b/queue-5.15/net-ethernet-ti-cpsw-enable-mac_managed_pm-to-fix-mdio.patch
new file mode 100644
index 00000000000..fa26bb60648
--- /dev/null
+++ b/queue-5.15/net-ethernet-ti-cpsw-enable-mac_managed_pm-to-fix-mdio.patch
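Review bot: The check `if (inode->i_flags & S_PRIVATE)` in hugetlbfs_file_mmap() uses S_PRIVATE as an implicit marker for an inode created through shmget(SHM_HUGETLB), and the only statement of that coupling is the new comment. If any other creator of hugetlbfs inodes ever sets S_PRIVATE, its mappings would silently skip reservation here and could fail at page-fault time instead of at mmap(). I would name the place that sets the flag in the comment, e.g. `/* S_PRIVATE is set only for SHM inodes, see hugetlb_file_setup() */`; that function name is from memory and should be verified against this tree. `inode` is declared outside the hunk, and the function continues beyond it.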
@@ -0,0 +1,67 @@ +From bc4ce46b1e3d1da4309405cd4afc7c0fcddd0b90 Mon Sep 17 00:00:00 2001 +From: Sinthu Raja +Date: Tue, 6 Feb 2024 06:29:28 +0530 +Subject: net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio + +From: Sinthu Raja + +commit bc4ce46b1e3d1da4309405cd4afc7c0fcddd0b90 upstream. + +The below commit introduced a WARN when phy state is not in the states: +PHY_HALTED, PHY_READY and PHY_UP. +commit 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state") + +When cpsw resumes, there have port in PHY_NOLINK state, so the below +warning comes out. Set mac_managed_pm be true to tell mdio that the phy +resume/suspend is managed by the mac, to fix the following warning: + +WARNING: CPU: 0 PID: 965 at drivers/net/phy/phy_device.c:326 mdio_bus_phy_resume+0x140/0x144 +CPU: 0 PID: 965 Comm: sh Tainted: G O 6.1.46-g247b2535b2 #1 +Hardware name: Generic AM33XX (Flattened Device Tree) + unwind_backtrace from show_stack+0x18/0x1c + show_stack from dump_stack_lvl+0x24/0x2c + dump_stack_lvl from __warn+0x84/0x15c + __warn from warn_slowpath_fmt+0x1a8/0x1c8 + warn_slowpath_fmt from mdio_bus_phy_resume+0x140/0x144 + mdio_bus_phy_resume from dpm_run_callback+0x3c/0x140 + dpm_run_callback from device_resume+0xb8/0x2b8 + device_resume from dpm_resume+0x144/0x314 + dpm_resume from dpm_resume_end+0x14/0x20 + dpm_resume_end from suspend_devices_and_enter+0xd0/0x924 + suspend_devices_and_enter from pm_suspend+0x2e0/0x33c + pm_suspend from state_store+0x74/0xd0 + state_store from kernfs_fop_write_iter+0x104/0x1ec + kernfs_fop_write_iter from vfs_write+0x1b8/0x358 + vfs_write from ksys_write+0x78/0xf8 + ksys_write from ret_fast_syscall+0x0/0x54 +Exception stack(0xe094dfa8 to 0xe094dff0) +dfa0: 00000004 005c3fb8 00000001 005c3fb8 00000004 00000001 +dfc0: 00000004 005c3fb8 b6f6bba0 00000004 00000004 0059edb8 00000000 00000000 +dfe0: 00000004 bed918f0 b6f09bd3 b6e89a66 + +Cc: # v6.0+ +Fixes: 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() 
state") +Fixes: fba863b81604 ("net: phy: make PHY PM ops a no-op if MAC driver manages PHY PM") +Signed-off-by: Sinthu Raja +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/cpsw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c +index ea85c6dd5484..c0a5abd8d9a8 100644 +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -631,6 +631,8 @@ static void cpsw_slave_open(struct cpsw_slave *slave, struct cpsw_priv *priv) + } + } + ++ phy->mac_managed_pm = true; ++ + slave->phy = phy; + + phy_attached_info(slave->phy); +-- +2.43.2 + diff --git a/queue-5.15/net-ethernet-ti-cpsw_new-enable-mac_managed_pm-to-fix-mdio.patch b/queue-5.15/net-ethernet-ti-cpsw_new-enable-mac_managed_pm-to-fix-mdio.patch new file mode 100644 index 00000000000..1153d8b20fe --- /dev/null +++ b/queue-5.15/net-ethernet-ti-cpsw_new-enable-mac_managed_pm-to-fix-mdio.patch 
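Review bot: `phy->mac_managed_pm = true;` is queued for 5.15 although the patch's own stable tag reads `# v6.0+`, and the hunk does not show that the field, or the mdio_bus_phy_resume() check that reads it, exists in this tree. Both commits named in Fixes: (744d23c71af3 and fba863b81604) need to be present in 5.15.y for the assignment to build and to have any effect, so that is worth confirming before the release; the same applies to the cpsw_new.c patch queued next to it. The line would also read better with a short comment such as `/* PHY suspend/resume is driven by the MAC driver, not the MDIO bus */`. The assignment relies on the earlier error returns in cpsw_slave_open(), which are outside the hunk, to guarantee that `phy` is valid.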
@@ -0,0 +1,63 @@ +From 9def04e759caa5a3d741891037ae99f81e2fff01 Mon Sep 17 00:00:00 2001 +From: Sinthu Raja +Date: Tue, 6 Feb 2024 06:29:27 +0530 +Subject: net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio + +From: Sinthu Raja + +commit 9def04e759caa5a3d741891037ae99f81e2fff01 upstream. + +The below commit introduced a WARN when phy state is not in the states: +PHY_HALTED, PHY_READY and PHY_UP. +commit 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state") + +When cpsw_new resumes, there have port in PHY_NOLINK state, so the below +warning comes out. Set mac_managed_pm be true to tell mdio that the phy +resume/suspend is managed by the mac, to fix the following warning: + +WARNING: CPU: 0 PID: 965 at drivers/net/phy/phy_device.c:326 mdio_bus_phy_resume+0x140/0x144 +CPU: 0 PID: 965 Comm: sh Tainted: G O 6.1.46-g247b2535b2 #1 +Hardware name: Generic AM33XX (Flattened Device Tree) + unwind_backtrace from show_stack+0x18/0x1c + show_stack from dump_stack_lvl+0x24/0x2c + dump_stack_lvl from __warn+0x84/0x15c + __warn from warn_slowpath_fmt+0x1a8/0x1c8 + warn_slowpath_fmt from mdio_bus_phy_resume+0x140/0x144 + mdio_bus_phy_resume from dpm_run_callback+0x3c/0x140 + dpm_run_callback from device_resume+0xb8/0x2b8 + device_resume from dpm_resume+0x144/0x314 + dpm_resume from dpm_resume_end+0x14/0x20 + dpm_resume_end from suspend_devices_and_enter+0xd0/0x924 + suspend_devices_and_enter from pm_suspend+0x2e0/0x33c + pm_suspend from state_store+0x74/0xd0 + state_store from kernfs_fop_write_iter+0x104/0x1ec + kernfs_fop_write_iter from vfs_write+0x1b8/0x358 + vfs_write from ksys_write+0x78/0xf8 + ksys_write from ret_fast_syscall+0x0/0x54 +Exception stack(0xe094dfa8 to 0xe094dff0) +dfa0: 00000004 005c3fb8 00000001 005c3fb8 00000004 00000001 +dfc0: 00000004 005c3fb8 b6f6bba0 00000004 00000004 0059edb8 00000000 00000000 +dfe0: 00000004 bed918f0 b6f09bd3 b6e89a66 + +Cc: # v6.0+ +Fixes: 744d23c71af3 ("net: phy: Warn about incorrect 
mdio_bus_phy_resume() state") +Fixes: fba863b81604 ("net: phy: make PHY PM ops a no-op if MAC driver manages PHY PM") +Signed-off-by: Sinthu Raja +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/cpsw_new.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/ti/cpsw_new.c ++++ b/drivers/net/ethernet/ti/cpsw_new.c +@@ -772,6 +772,9 @@ static void cpsw_slave_open(struct cpsw_ + slave->slave_num); + return; + } ++ ++ phy->mac_managed_pm = true; ++ + slave->phy = phy; + + phy_attached_info(slave->phy); diff --git a/queue-5.15/nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch b/queue-5.15/nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch new file mode 100644 index 00000000000..3ad1aa86d51 --- /dev/null +++ b/queue-5.15/nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch 
@@ -0,0 +1,50 @@ +From 1a1c13303ff6d64e6f718dc8aa614e580ca8d9b4 Mon Sep 17 00:00:00 2001 +From: Daniel de Villiers +Date: Fri, 2 Feb 2024 13:37:18 +0200 +Subject: nfp: flower: prevent re-adding mac index for bonded port + +From: Daniel de Villiers + +commit 1a1c13303ff6d64e6f718dc8aa614e580ca8d9b4 upstream. + +When physical ports are reset (either through link failure or manually +toggled down and up again) that are slaved to a Linux bond with a tunnel +endpoint IP address on the bond device, not all tunnel packets arriving +on the bond port are decapped as expected. + +The bond dev assigns the same MAC address to itself and each of its +slaves. When toggling a slave device, the same MAC address is therefore +offloaded to the NFP multiple times with different indexes. + +The issue only occurs when re-adding the shared mac. The +nfp_tunnel_add_shared_mac() function has a conditional check early on +that checks if a mac entry already exists and if that mac entry is +global: (entry && nfp_tunnel_is_mac_idx_global(entry->index)). In the +case of a bonded device (For example br-ex), the mac index is obtained, +and no new index is assigned. + +We therefore modify the conditional in nfp_tunnel_add_shared_mac() to +check if the port belongs to the LAG along with the existing checks to +prevent a new global mac index from being re-assigned to the slave port. + +Fixes: 20cce8865098 ("nfp: flower: enable MAC address sharing for offloadable devs") +CC: stable@vger.kernel.org # 5.1+ +Signed-off-by: Daniel de Villiers +Signed-off-by: Louis Peens +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c +@@ -927,7 +927,7 @@ nfp_tunnel_add_shared_mac(struct nfp_app + u16 nfp_mac_idx = 0; + + entry = nfp_tunnel_lookup_offloaded_macs(app, netdev->dev_addr); +- if (entry && nfp_tunnel_is_mac_idx_global(entry->index)) { ++ if (entry && (nfp_tunnel_is_mac_idx_global(entry->index) || netif_is_lag_port(netdev))) { + if (entry->bridge_count || + !nfp_flower_is_supported_bridge(netdev)) { + nfp_tunnel_offloaded_macs_inc_ref_and_link(entry, diff --git a/queue-5.15/nfp-use-correct-macro-for-lengthselect-in-bar-config.patch b/queue-5.15/nfp-use-correct-macro-for-lengthselect-in-bar-config.patch new file mode 100644 index 00000000000..9089978253a --- /dev/null +++ b/queue-5.15/nfp-use-correct-macro-for-lengthselect-in-bar-config.patch 
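Review bot: The widened condition in nfp_tunnel_add_shared_mac() now sends every entry found for a LAG port down the reuse branch, including one whose index is not global, and the body of that branch lies mostly outside the hunk, so whether it handles a non-global index correctly cannot be confirmed from here. `netif_is_lag_port(netdev)` holds for any bond or team port, which is wider than the bonded-tunnel-endpoint case the description talks about. The line also runs well past the usual column limit and gives no reason for the extra test; I would split it and add `/* LAG ports share the bond's MAC: reuse the offloaded entry, do not allocate a second index */` above it.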
@@ -0,0 +1,46 @@
+From b3d4f7f2288901ed2392695919b3c0e24c1b4084 Mon Sep 17 00:00:00 2001
+From: Daniel Basilio
+Date: Fri, 2 Feb 2024 13:37:17 +0200
+Subject: nfp: use correct macro for LengthSelect in BAR config
+
+From: Daniel Basilio
+
+commit b3d4f7f2288901ed2392695919b3c0e24c1b4084 upstream.
+
+The 1st and 2nd expansion BAR configuration registers are configured,
+when the driver starts up, in variables 'barcfg_msix_general' and
+'barcfg_msix_xpb', respectively. The 'LengthSelect' field is ORed in
+from bit 0, which is incorrect. The 'LengthSelect' field should
+start from bit 27.
+
+This has largely gone un-noticed because
+NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT happens to be 0.
+
+Fixes: 4cb584e0ee7d ("nfp: add CPP access core")
+Cc: stable@vger.kernel.org # 4.11+
+Signed-off-by: Daniel Basilio
+Signed-off-by: Louis Peens
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
+@@ -542,11 +542,13 @@ static int enable_bars(struct nfp6000_pc
+ const u32 barcfg_msix_general =
+ NFP_PCIE_BAR_PCIE2CPP_MapType(
+ NFP_PCIE_BAR_PCIE2CPP_MapType_GENERAL) |
+- NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT;
++ NFP_PCIE_BAR_PCIE2CPP_LengthSelect(
++ NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT);
+ const u32 barcfg_msix_xpb =
+ NFP_PCIE_BAR_PCIE2CPP_MapType(
+ NFP_PCIE_BAR_PCIE2CPP_MapType_BULK) |
+- NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT |
++ NFP_PCIE_BAR_PCIE2CPP_LengthSelect(
++ NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT) |
+ NFP_PCIE_BAR_PCIE2CPP_Target_BaseAddress(
+ NFP_CPP_TARGET_ISLAND_XPB);
+ const u32 barcfg_explicit[4] = {
diff --git a/queue-5.15/of-property-fix-typo-in-io-channels.patch b/queue-5.15/of-property-fix-typo-in-io-channels.patch
new file mode 100644
index 00000000000..2d6b86062d8
--- /dev/null
+++ b/queue-5.15/of-property-fix-typo-in-io-channels.patch
@@ -0,0 +1,35 @@
+From 8f7e917907385e112a845d668ae2832f41e64bf5 Mon Sep 17 00:00:00 2001
+From: Nuno Sa
+Date: Tue, 23 Jan 2024 16:14:22 +0100
+Subject: of: property: fix typo in io-channels
+
+From: Nuno Sa
+
+commit 8f7e917907385e112a845d668ae2832f41e64bf5 upstream.
+
+The property is io-channels and not io-channel. This was effectively
+preventing the devlink creation.
+
+Fixes: 8e12257dead7 ("of: property: Add device link support for iommus, mboxes and io-channels")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nuno Sa
+Reviewed-by: Saravana Kannan
+Acked-by: Jonathan Cameron
+Link: https://lore.kernel.org/r/20240123-iio-backend-v7-1-1bff236b8693@analog.com
+Signed-off-by: Rob Herring
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/of/property.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/property.c
++++ b/drivers/of/property.c
+@@ -1270,7 +1270,7 @@ DEFINE_SIMPLE_PROP(clocks, "clocks", "#c
+ DEFINE_SIMPLE_PROP(interconnects, "interconnects", "#interconnect-cells")
+ DEFINE_SIMPLE_PROP(iommus, "iommus", "#iommu-cells")
+ DEFINE_SIMPLE_PROP(mboxes, "mboxes", "#mbox-cells")
+-DEFINE_SIMPLE_PROP(io_channels, "io-channel", "#io-channel-cells")
++DEFINE_SIMPLE_PROP(io_channels, "io-channels", "#io-channel-cells")
+ DEFINE_SIMPLE_PROP(interrupt_parent, "interrupt-parent", NULL)
+ DEFINE_SIMPLE_PROP(dmas, "dmas", "#dma-cells")
+ DEFINE_SIMPLE_PROP(power_domains, "power-domains", "#power-domain-cells")
diff --git a/queue-5.15/pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch b/queue-5.15/pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch
new file mode 100644
index 00000000000..a59cb52de24
--- /dev/null
+++ b/queue-5.15/pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch
@@ -0,0 +1,34 @@
+From 741ba0134fa7822fcf4e4a0a537a5c4cfd706b20 Mon Sep 17 00:00:00 2001
+From: Konrad Dybcio
+Date: Wed, 27 Dec 2023 16:21:24 +0100
+Subject: pmdomain: core: Move the unused cleanup to a _sync initcall
+
+From: Konrad Dybcio
+
+commit 741ba0134fa7822fcf4e4a0a537a5c4cfd706b20 upstream.
+
+The unused clock cleanup uses the _sync initcall to give all users at
+earlier initcalls time to probe. Do the same to avoid leaving some PDs
+dangling at "on" (which actually happened on qcom!).
+
+Fixes: 2fe71dcdfd10 ("PM / domains: Add late_initcall to disable unused PM domains")
+Signed-off-by: Konrad Dybcio
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231227-topic-pmdomain_sync_cleanup-v1-1-5f36769d538b@linaro.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/power/domain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -1044,7 +1044,7 @@ static int __init genpd_power_off_unused
+
+ return 0;
+ }
+-late_initcall(genpd_power_off_unused);
++late_initcall_sync(genpd_power_off_unused);
+
+ #ifdef CONFIG_PM_SLEEP
+
diff --git a/queue-5.15/s390-qeth-fix-potential-loss-of-l3-ip-in-case-of-network-issues.patch b/queue-5.15/s390-qeth-fix-potential-loss-of-l3-ip-in-case-of-network-issues.patch
new file mode 100644
index 00000000000..568cc2869e6
--- /dev/null
+++ b/queue-5.15/s390-qeth-fix-potential-loss-of-l3-ip-in-case-of-network-issues.patch
@@ -0,0 +1,70 @@
+From 2fe8a236436fe40d8d26a1af8d150fc80f04ee1a Mon Sep 17 00:00:00 2001
+From: Alexandra Winter
+Date: Tue, 6 Feb 2024 09:58:49 +0100
+Subject: s390/qeth: Fix potential loss of L3-IP@ in case of network issues
+
+From: Alexandra Winter
+
+commit 2fe8a236436fe40d8d26a1af8d150fc80f04ee1a upstream.
+
+Symptom:
+In case of a bad cable connection (e.g. dirty optics) a fast sequence of
+network DOWN-UP-DOWN-UP could happen. UP triggers recovery of the qeth
+interface. In case of a second DOWN while recovery is still ongoing, it
+can happen that the IP@ of a Layer3 qeth interface is lost and will not
+be recovered by the second UP.
+
+Problem:
+When registration of IP addresses with Layer 3 qeth devices fails, (e.g.
+because of bad address format) the respective IP address is deleted from
+its hash-table in the driver. If registration fails because of a ENETDOWN
+condition, the address should stay in the hashtable, so a subsequent
+recovery can restore it.
+
+3caa4af834df ("qeth: keep ip-address after LAN_OFFLINE failure")
+fixes this for registration failures during normal operation, but not
+during recovery.
+
+Solution:
+Keep L3-IP address in case of ENETDOWN in qeth_l3_recover_ip(). For
+consistency with qeth_l3_add_ip() we also keep it in case of EADDRINUSE,
+i.e. for some reason the card already/still has this address registered.
+
+Fixes: 4a71df50047f ("qeth: new qeth device driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandra Winter
+Link: https://lore.kernel.org/r/20240206085849.2902775-1-wintera@linux.ibm.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/net/qeth_l3_main.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -254,9 +254,10 @@ static void qeth_l3_clear_ip_htable(stru
+ if (!recover) {
+ hash_del(&addr->hnode);
+ kfree(addr);
+- continue;
++ } else {
++ /* prepare for recovery */
++ addr->disp_flag = QETH_DISP_ADDR_ADD;
+ }
+- addr->disp_flag = QETH_DISP_ADDR_ADD;
+ }
+
+ mutex_unlock(&card->ip_lock);
+@@ -277,9 +278,11 @@ static void qeth_l3_recover_ip(struct qe
+ if (addr->disp_flag == QETH_DISP_ADDR_ADD) {
+ rc = qeth_l3_register_addr_entry(card, addr);
+
+- if (!rc) {
++ if (!rc || rc == -EADDRINUSE || rc == -ENETDOWN) {
++ /* keep it in the records */
+ addr->disp_flag = QETH_DISP_ADDR_DO_NOTHING;
+ } else {
++ /* bad address */
+ hash_del(&addr->hnode);
+ kfree(addr);
+ }
diff --git a/queue-5.15/series b/queue-5.15/series
index f2524850be1..aba77c34a1f 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
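Review bot: In qeth_l3_recover_ip() an address whose registration failed with -ENETDOWN is now given `QETH_DISP_ADDR_DO_NOTHING`, the same state as one the card accepted, so the table no longer records that it is still unregistered. It is re-registered only if a later recovery pass resets the flag, which the first hunk does in qeth_l3_clear_ip_htable() when `recover` is true. The `/* keep it in the records */` comment should say that, for example `/* keep it: the next recovery re-adds it via qeth_l3_clear_ip_htable() */`. The `/* bad address */` comment on the else branch is also broader than the code, since that branch is taken for every other error code, not only a malformed address. Both functions extend beyond the hunks.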
@@ -417,3 +417,18 @@ mmc-slot-gpio-allow-non-sleeping-gpio-ro.patch
 alsa-hda-conexant-add-quirk-for-sws-js201d.patch
 nilfs2-fix-data-corruption-in-dsync-block-recovery-for-small-block-sizes.patch
 nilfs2-fix-hang-in-nilfs_lookup_dirty_data_buffers.patch
+crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch
+nfp-use-correct-macro-for-lengthselect-in-bar-config.patch
+nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch
+wifi-mac80211-reload-info-pointer-in-ieee80211_tx_dequeue.patch
+irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch
+irqchip-gic-v3-its-fix-gicv4.1-vpe-affinity-update.patch
+net-ethernet-ti-cpsw-enable-mac_managed_pm-to-fix-mdio.patch
+s390-qeth-fix-potential-loss-of-l3-ip-in-case-of-network-issues.patch
+net-ethernet-ti-cpsw_new-enable-mac_managed_pm-to-fix-mdio.patch
+ceph-prevent-use-after-free-in-encode_cap_msg.patch
+mm-hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve.patch
+of-property-fix-typo-in-io-channels.patch
+can-j1939-prevent-deadlock-by-changing-j1939_socks_lock-to-rwlock.patch
+can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch
+pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch
diff --git a/queue-5.15/wifi-mac80211-reload-info-pointer-in-ieee80211_tx_dequeue.patch b/queue-5.15/wifi-mac80211-reload-info-pointer-in-ieee80211_tx_dequeue.patch
new file mode 100644
index 00000000000..2d5cbcab4d6
--- /dev/null
+++ b/queue-5.15/wifi-mac80211-reload-info-pointer-in-ieee80211_tx_dequeue.patch
@@ -0,0 +1,42 @@
+From c98d8836b817d11fdff4ca7749cbbe04ff7f0c64 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 31 Jan 2024 16:49:10 +0100
+Subject: wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()
+
+From: Johannes Berg
+
+commit c98d8836b817d11fdff4ca7749cbbe04ff7f0c64 upstream.
+
+This pointer can change here since the SKB can change, so we
+actually later open-coded IEEE80211_SKB_CB() again. Reload
+the pointer where needed, so the monitor-mode case using it
+gets fixed, and then use info-> later as well.
+
+Cc: stable@vger.kernel.org
+Fixes: 531682159092 ("mac80211: fix VLAN handling with TXQs")
+Link: https://msgid.link/20240131164910.b54c28d583bc.I29450cec84ea6773cff5d9c16ff92b836c331471@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3746,6 +3746,7 @@ begin:
+ goto begin;
+
+ skb = __skb_dequeue(&tx.skbs);
++ info = IEEE80211_SKB_CB(skb);
+
+ if (!skb_queue_empty(&tx.skbs)) {
+ spin_lock_bh(&fq->lock);
+@@ -3790,7 +3791,7 @@ begin:
+ }
+
+ encap_out:
+- IEEE80211_SKB_CB(skb)->control.vif = vif;
++ info->control.vif = vif;
+
+ if (vif &&
+ wiphy_ext_feature_isset(local->hw.wiphy, NL80211_EXT_FEATURE_AQL)) {
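Review bot: The added `info = IEEE80211_SKB_CB(skb);` has no comment, yet it is the only thing that stops `info` from pointing into the control buffer of an skb that the earlier processing may have replaced, so a later clean-up could remove it as a redundant reload and bring the stale-pointer read back. I would annotate it with `/* skb may have been replaced above; info must track the dequeued skb */`. The second hunk's `info->control.vif = vif;` is correct only if every jump to `encap_out:` arrives with `info` matching the current `skb`; those jumps are outside the hunks, so that should be checked against the 5.15 version of ieee80211_tx_dequeue() and not assumed from upstream.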