From: Sasha Levin Date: Mon, 6 Feb 2023 13:35:49 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v5.15.93~56 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cdf6455f035af3d84ee1d89b21f66efe6e590dd3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch b/queue-5.10/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch new file mode 100644 index 00000000000..9b77eda4109 --- /dev/null +++ b/queue-5.10/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch @@ -0,0 +1,41 @@ +From f186f8c26762ceca7fd9a3f2de436c9d8132c5c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 00:22:59 -0800 +Subject: ALSA: hda/via: Avoid potential array out-of-bound in + add_secret_dac_path() + +From: Artemii Karasev + +[ Upstream commit b9cee506da2b7920b5ea02ccd8e78a907d0ee7aa ] + +snd_hda_get_connections() can return a negative error code. +It may lead to accessing 'conn' array at a negative index. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Artemii Karasev +Fixes: 30b4503378c9 ("ALSA: hda - Expose secret DAC-AA connection of some VIA codecs") +Link: https://lore.kernel.org/r/20230119082259.3634-1-karasev@ispras.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_via.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c +index a188901a83bb..29abc96dc146 100644 +--- a/sound/pci/hda/patch_via.c ++++ b/sound/pci/hda/patch_via.c +@@ -821,6 +821,9 @@ static int add_secret_dac_path(struct hda_codec *codec) + return 0; + nums = snd_hda_get_connections(codec, spec->gen.mixer_nid, conn, + ARRAY_SIZE(conn) - 1); ++ if (nums < 0) ++ return nums; ++ + for (i = 0; i < nums; i++) { + if (get_wcaps_type(get_wcaps(codec, conn[i])) == AC_WID_AUD_OUT) + return 0; +-- +2.39.0 + diff --git a/queue-5.10/arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch b/queue-5.10/arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch new file mode 100644 index 00000000000..5d780f6e8fc --- /dev/null +++ b/queue-5.10/arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch @@ -0,0 +1,43 @@ +From b67b7ef3b1498bdf6bfb648752d1a63ff4477c72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jan 2023 22:35:03 +0100 +Subject: arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierluigi Passaro + +[ Upstream commit 47123900f3e4a7f769631d6ec15abf44086276f6 ] + +According section +    8.2.5.313 Select Input Register (IOMUXC_UART1_RXD_SELECT_INPUT) +of  +    i.MX 8M Mini Applications Processor Reference Manual, Rev. 3, 11/2020 +the required setting for this specific pin configuration is "1" + +Signed-off-by: Pierluigi Passaro +Reviewed-by: Fabio Estevam +Fixes: c1c9d41319c3 ("dt-bindings: imx: Add pinctrl binding doc for imx8mm") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h b/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h +index a003e6af3353..56271abfb7e0 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h ++++ b/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h +@@ -601,7 +601,7 @@ + #define MX8MM_IOMUXC_UART1_RXD_GPIO5_IO22 0x234 0x49C 0x000 0x5 0x0 + #define MX8MM_IOMUXC_UART1_RXD_TPSMP_HDATA24 0x234 0x49C 0x000 0x7 0x0 + #define MX8MM_IOMUXC_UART1_TXD_UART1_DCE_TX 0x238 0x4A0 0x000 0x0 0x0 +-#define MX8MM_IOMUXC_UART1_TXD_UART1_DTE_RX 0x238 0x4A0 0x4F4 0x0 0x0 ++#define MX8MM_IOMUXC_UART1_TXD_UART1_DTE_RX 0x238 0x4A0 0x4F4 0x0 0x1 + #define MX8MM_IOMUXC_UART1_TXD_ECSPI3_MOSI 0x238 0x4A0 0x000 0x1 0x0 + #define MX8MM_IOMUXC_UART1_TXD_GPIO5_IO23 0x238 0x4A0 0x000 0x5 0x0 + #define MX8MM_IOMUXC_UART1_TXD_TPSMP_HDATA25 0x238 0x4A0 0x000 0x7 0x0 +-- +2.39.0 + diff --git a/queue-5.10/ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch b/queue-5.10/ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch new file mode 100644 index 00000000000..2c0558ce75a --- /dev/null +++ b/queue-5.10/ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch @@ -0,0 +1,57 @@ +From fd1f8f519120ec06fd5aed93146284dfbdf9b3da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 12:27:41 +0900 +Subject: ata: libata: Fix sata_down_spd_limit() when no link speed is reported + +From: Damien Le Moal + +[ Upstream commit 69f2c9346313ba3d3dfa4091ff99df26c67c9021 ] + +Commit 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if +driver has not recorded sstatus speed") changed the behavior of +sata_down_spd_limit() to return doing nothing if a drive does not report +a current link speed, to avoid reducing the link speed to the lowest 1.5 +Gbps speed. + +However, the change assumed that a speed was recorded before probing +(e.g. before a suspend/resume) and set in link->sata_spd. This causes +problems with adapters/drives combination failing to establish a link +speed during probe autonegotiation. One example reported of this problem +is an mvebu adapter with a 3Gbps port-multiplier box: autonegotiation +fails, leaving no recorded link speed and no reported current link +speed. Probe retries also fail as no action is taken by sata_set_spd() +after each retry. + +Fix this by returning early in sata_down_spd_limit() only if we do have +a recorded link speed, that is, if link->sata_spd is not 0. With this +fix, a failed probe not leading to a recorded link speed is retried at +the lower 1.5 Gbps speed, with the link speed potentially increased +later on the second revalidate of the device if the device reports +that it supports higher link speeds. + +Reported-by: Marius Dinu +Fixes: 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if driver has not recorded sstatus speed") +Reviewed-by: Niklas Cassel +Tested-by: Marius Dinu +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index d13474c6d181..14150767be44 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -3051,7 +3051,7 @@ int sata_down_spd_limit(struct ata_link *link, u32 spd_limit) + */ + if (spd > 1) + mask &= (1 << (spd - 1)) - 1; +- else ++ else if (link->sata_spd) + return -EINVAL; + + /* were we already at the bottom? */ +-- +2.39.0 + diff --git a/queue-5.10/bpf-fix-a-possible-task-gone-issue-with-bpf_send_sig.patch b/queue-5.10/bpf-fix-a-possible-task-gone-issue-with-bpf_send_sig.patch new file mode 100644 index 00000000000..01ac7179792 --- /dev/null +++ b/queue-5.10/bpf-fix-a-possible-task-gone-issue-with-bpf_send_sig.patch @@ -0,0 +1,55 @@ +From 17e35b959653408ddccee2f9eccbbcc5b02cb79b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 12:48:15 -0800 +Subject: bpf: Fix a possible task gone issue with bpf_send_signal[_thread]() + helpers + +From: Yonghong Song + +[ Upstream commit bdb7fdb0aca8b96cef9995d3a57e251c2289322f ] + +In current bpf_send_signal() and bpf_send_signal_thread() helper +implementation, irq_work is used to handle nmi context. Hao Sun +reported in [1] that the current task at the entry of the helper +might be gone during irq_work callback processing. To fix the issue, +a reference is acquired for the current task before enqueuing into +the irq_work so that the queued task is still available during +irq_work callback processing. + + [1] https://lore.kernel.org/bpf/20230109074425.12556-1-sunhao.th@gmail.com/ + +Fixes: 8b401f9ed244 ("bpf: implement bpf_send_signal() helper") +Tested-by: Hao Sun +Reported-by: Hao Sun +Signed-off-by: Yonghong Song +Link: https://lore.kernel.org/r/20230118204815.3331855-1-yhs@fb.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index ab4f51716645..94e51d36fb49 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -1055,6 +1055,7 @@ static void do_bpf_send_signal(struct irq_work *entry) + + work = container_of(entry, struct send_signal_irq_work, irq_work); + group_send_sig_info(work->sig, SEND_SIG_PRIV, work->task, work->type); ++ put_task_struct(work->task); + } + + static int bpf_send_signal_common(u32 sig, enum pid_type type) +@@ -1091,7 +1092,7 @@ static int bpf_send_signal_common(u32 sig, enum pid_type type) + * to the irq_work. The current task may change when queued + * irq works get executed. + */ +- work->task = current; ++ work->task = get_task_struct(current); + work->sig = sig; + work->type = type; + irq_work_queue(&work->irq_work); +-- +2.39.0 + diff --git a/queue-5.10/bpf-fix-to-preserve-reg-parent-live-fields-when-copy.patch b/queue-5.10/bpf-fix-to-preserve-reg-parent-live-fields-when-copy.patch new file mode 100644 index 00000000000..8d6a898a903 --- /dev/null +++ b/queue-5.10/bpf-fix-to-preserve-reg-parent-live-fields-when-copy.patch @@ -0,0 +1,193 @@ +From 2f0d81fb6b7427579be45769fa785720234985f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 16:22:13 +0200 +Subject: bpf: Fix to preserve reg parent/live fields when copying range info + +From: Eduard Zingerman + +[ Upstream commit 71f656a50176915d6813751188b5758daa8d012b ] + +Register range information is copied in several places. The intent is +to transfer range/id information from one register/stack spill to +another. Currently this is done using direct register assignment, e.g.: + +static void find_equal_scalars(..., struct bpf_reg_state *known_reg) +{ + ... + struct bpf_reg_state *reg; + ... + *reg = *known_reg; + ... +} + +However, such assignments also copy the following bpf_reg_state fields: + +struct bpf_reg_state { + ... + struct bpf_reg_state *parent; + ... + enum bpf_reg_liveness live; + ... +}; + +Copying of these fields is accidental and incorrect, as could be +demonstrated by the following example: + + 0: call ktime_get_ns() + 1: r6 = r0 + 2: call ktime_get_ns() + 3: r7 = r0 + 4: if r0 > r6 goto +1 ; r0 & r6 are unbound thus generated + ; branch states are identical + 5: *(u64 *)(r10 - 8) = 0xdeadbeef ; 64-bit write to fp[-8] + --- checkpoint --- + 6: r1 = 42 ; r1 marked as written + 7: *(u8 *)(r10 - 8) = r1 ; 8-bit write, fp[-8] parent & live + ; overwritten + 8: r2 = *(u64 *)(r10 - 8) + 9: r0 = 0 + 10: exit + +This example is unsafe because 64-bit write to fp[-8] at (5) is +conditional, thus not all bytes of fp[-8] are guaranteed to be set +when it is read at (8). However, currently the example passes +verification. + +First, the execution path 1-10 is examined by verifier. +Suppose that a new checkpoint is created by is_state_visited() at (6). +After checkpoint creation: +- r1.parent points to checkpoint.r1, +- fp[-8].parent points to checkpoint.fp[-8]. +At (6) the r1.live is set to REG_LIVE_WRITTEN. +At (7) the fp[-8].parent is set to r1.parent and fp[-8].live is set to +REG_LIVE_WRITTEN, because of the following code called in +check_stack_write_fixed_off(): + +static void save_register_state(struct bpf_func_state *state, + int spi, struct bpf_reg_state *reg, + int size) +{ + ... + state->stack[spi].spilled_ptr = *reg; // <--- parent & live copied + if (size == BPF_REG_SIZE) + state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; + ... +} + +Note the intent to mark stack spill as written only if 8 bytes are +spilled to a slot, however this intent is spoiled by a 'live' field copy. +At (8) the checkpoint.fp[-8] should be marked as REG_LIVE_READ but +this does not happen: +- fp[-8] in a current state is already marked as REG_LIVE_WRITTEN; +- fp[-8].parent points to checkpoint.r1, parentage chain is used by + mark_reg_read() to mark checkpoint states. +At (10) the verification is finished for path 1-10 and jump 4-6 is +examined. The checkpoint.fp[-8] never gets REG_LIVE_READ mark and this +spill is pruned from the cached states by clean_live_states(). Hence +verifier state obtained via path 1-4,6 is deemed identical to one +obtained via path 1-6 and program marked as safe. + +Note: the example should be executed with BPF_F_TEST_STATE_FREQ flag +set to force creation of intermediate verifier states. + +This commit revisits the locations where bpf_reg_state instances are +copied and replaces the direct copies with a call to a function +copy_register_state(dst, src) that preserves 'parent' and 'live' +fields of the 'dst'. + +Fixes: 679c782de14b ("bpf/verifier: per-register parent pointers") +Signed-off-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20230106142214.1040390-2-eddyz87@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index e06b84c7b890..7b461a70a0e6 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2278,13 +2278,24 @@ static bool __is_pointer_value(bool allow_ptr_leaks, + return reg->type != SCALAR_VALUE; + } + ++/* Copy src state preserving dst->parent and dst->live fields */ ++static void copy_register_state(struct bpf_reg_state *dst, const struct bpf_reg_state *src) ++{ ++ struct bpf_reg_state *parent = dst->parent; ++ enum bpf_reg_liveness live = dst->live; ++ ++ *dst = *src; ++ dst->parent = parent; ++ dst->live = live; ++} ++ + static void save_register_state(struct bpf_func_state *state, + int spi, struct bpf_reg_state *reg, + int size) + { + int i; + +- state->stack[spi].spilled_ptr = *reg; ++ copy_register_state(&state->stack[spi].spilled_ptr, reg); + if (size == BPF_REG_SIZE) + state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; + +@@ -2612,7 +2623,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, + */ + s32 subreg_def = state->regs[dst_regno].subreg_def; + +- state->regs[dst_regno] = *reg; ++ copy_register_state(&state->regs[dst_regno], reg); + state->regs[dst_regno].subreg_def = subreg_def; + } else { + for (i = 0; i < size; i++) { +@@ -2639,7 +2650,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, + + if (dst_regno >= 0) { + /* restore register state from stack */ +- state->regs[dst_regno] = *reg; ++ copy_register_state(&state->regs[dst_regno], reg); + /* mark reg as written since spilled pointer state likely + * has its liveness marks cleared by is_state_visited() + * which resets stack/reg liveness for state transitions +@@ -5900,7 +5911,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, + */ + if (!ptr_is_dst_reg) { + tmp = *dst_reg; +- *dst_reg = *ptr_reg; ++ copy_register_state(dst_reg, ptr_reg); + } + ret = sanitize_speculative_path(env, NULL, env->insn_idx + 1, + env->insn_idx); +@@ -7154,7 +7165,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) + * to propagate min/max range. + */ + src_reg->id = ++env->id_gen; +- *dst_reg = *src_reg; ++ copy_register_state(dst_reg, src_reg); + dst_reg->live |= REG_LIVE_WRITTEN; + dst_reg->subreg_def = DEF_NOT_SUBREG; + } else { +@@ -7165,7 +7176,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) + insn->src_reg); + return -EACCES; + } else if (src_reg->type == SCALAR_VALUE) { +- *dst_reg = *src_reg; ++ copy_register_state(dst_reg, src_reg); + /* Make sure ID is cleared otherwise + * dst_reg min/max could be incorrectly + * propagated into src_reg by find_equal_scalars() +@@ -7985,7 +7996,7 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate, + + bpf_for_each_reg_in_vstate(vstate, state, reg, ({ + if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) +- *reg = *known_reg; ++ copy_register_state(reg, known_reg); + })); + } + +-- +2.39.0 + diff --git a/queue-5.10/bpf-sockmap-check-for-any-of-tcp_bpf_prots-when-clon.patch b/queue-5.10/bpf-sockmap-check-for-any-of-tcp_bpf_prots-when-clon.patch new file mode 100644 index 00000000000..d3daa128fea --- /dev/null +++ b/queue-5.10/bpf-sockmap-check-for-any-of-tcp_bpf_prots-when-clon.patch @@ -0,0 +1,102 @@ +From 15518bb104e16e2efefa52e404602b5d5fbfd0fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jan 2023 13:41:44 +0100 +Subject: bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener + +From: Jakub Sitnicki + +[ Upstream commit ddce1e091757d0259107c6c0c7262df201de2b66 ] + +A listening socket linked to a sockmap has its sk_prot overridden. It +points to one of the struct proto variants in tcp_bpf_prots. The variant +depends on the socket's family and which sockmap programs are attached. + +A child socket cloned from a TCP listener initially inherits their sk_prot. +But before cloning is finished, we restore the child's proto to the +listener's original non-tcp_bpf_prots one. This happens in +tcp_create_openreq_child -> tcp_bpf_clone. + +Today, in tcp_bpf_clone we detect if the child's proto should be restored +by checking only for the TCP_BPF_BASE proto variant. This is not +correct. The sk_prot of listening socket linked to a sockmap can point to +to any variant in tcp_bpf_prots. + +If the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then +the child socket unintentionally is left if the inherited sk_prot by +tcp_bpf_clone. + +This leads to issues like infinite recursion on close [1], because the +child state is otherwise not set up for use with tcp_bpf_prot operations. + +Adjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants. + +Note that it wouldn't be sufficient to check the socket state when +overriding the sk_prot in tcp_bpf_update_proto in order to always use the +TCP_BPF_BASE variant for listening sockets. Since commit +b8b8315e39ff ("bpf, sockmap: Remove unhash handler for BPF sockmap usage") +it is possible for a socket to transition to TCP_LISTEN state while already +linked to a sockmap, e.g. connect() -> insert into map -> +connect(AF_UNSPEC) -> listen(). + +[1]: https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/ + +Fixes: e80251555f0b ("tcp_bpf: Don't let child socket inherit parent protocol ops on copy") +Reported-by: syzbot+04c21ed96d861dccc5cd@syzkaller.appspotmail.com +Signed-off-by: Jakub Sitnicki +Acked-by: John Fastabend +Link: https://lore.kernel.org/r/20230113-sockmap-fix-v2-2-1e0ee7ac2f90@cloudflare.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/util_macros.h | 12 ++++++++++++ + net/ipv4/tcp_bpf.c | 4 ++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/include/linux/util_macros.h b/include/linux/util_macros.h +index 72299f261b25..43db6e47503c 100644 +--- a/include/linux/util_macros.h ++++ b/include/linux/util_macros.h +@@ -38,4 +38,16 @@ + */ + #define find_closest_descending(x, a, as) __find_closest(x, a, as, >=) + ++/** ++ * is_insidevar - check if the @ptr points inside the @var memory range. ++ * @ptr: the pointer to a memory address. ++ * @var: the variable which address and size identify the memory range. ++ * ++ * Evaluates to true if the address in @ptr lies within the memory ++ * range allocated to @var. ++ */ ++#define is_insidevar(ptr, var) \ ++ ((uintptr_t)(ptr) >= (uintptr_t)(var) && \ ++ (uintptr_t)(ptr) < (uintptr_t)(var) + sizeof(var)) ++ + #endif +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 6a1685461f89..926e29e84b40 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -642,10 +643,9 @@ struct proto *tcp_bpf_get_proto(struct sock *sk, struct sk_psock *psock) + */ + void tcp_bpf_clone(const struct sock *sk, struct sock *newsk) + { +- int family = sk->sk_family == AF_INET6 ? TCP_BPF_IPV6 : TCP_BPF_IPV4; + struct proto *prot = newsk->sk_prot; + +- if (prot == &tcp_bpf_prots[family][TCP_BPF_BASE]) ++ if (is_insidevar(prot, tcp_bpf_prots)) + newsk->sk_prot = sk->sk_prot_creator; + } + #endif /* CONFIG_BPF_STREAM_PARSER */ +-- +2.39.0 + diff --git a/queue-5.10/bpf-support-8-byte-scalar-spill-and-refill.patch b/queue-5.10/bpf-support-8-byte-scalar-spill-and-refill.patch new file mode 100644 index 00000000000..f72b9b5efc0 --- /dev/null +++ b/queue-5.10/bpf-support-8-byte-scalar-spill-and-refill.patch @@ -0,0 +1,219 @@ +From a5aa8d471997b45bebc8e3ba04bab0d0b2294535 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 17:49:41 -0700 +Subject: bpf: Support <8-byte scalar spill and refill + +From: Martin KaFai Lau + +[ Upstream commit 354e8f1970f821d4952458f77b1ab6c3eb24d530 ] + +The verifier currently does not save the reg state when +spilling <8byte bounded scalar to the stack. The bpf program +will be incorrectly rejected when this scalar is refilled to +the reg and then used to offset into a packet header. +The later patch has a simplified bpf prog from a real use case +to demonstrate this case. The current work around is +to reparse the packet again such that this offset scalar +is close to where the packet data will be accessed to +avoid the spill. Thus, the header is parsed twice. + +The llvm patch [1] will align the <8bytes spill to +the 8-byte stack address. This can simplify the verifier +support by avoiding to store multiple reg states for +each 8 byte stack slot. + +This patch changes the verifier to save the reg state when +spilling <8bytes scalar to the stack. This reg state saving +is limited to spill aligned to the 8-byte stack address. +The current refill logic has already called coerce_reg_to_size(), +so coerce_reg_to_size() is not called on state->stack[spi].spilled_ptr +during spill. + +When refilling in check_stack_read_fixed_off(), it checks +the refill size is the same as the number of bytes marked with +STACK_SPILL before restoring the reg state. When restoring +the reg state to state->regs[dst_regno], it needs +to avoid the state->regs[dst_regno].subreg_def being +over written because it has been marked by the check_reg_arg() +earlier [check_mem_access() is called after check_reg_arg() in +do_check()]. Reordering check_mem_access() and check_reg_arg() +will need a lot of changes in test_verifier's tests because +of the difference in verifier's error message. Thus, the +patch here is to save the state->regs[dst_regno].subreg_def +first in check_stack_read_fixed_off(). + +There are cases that the verifier needs to scrub the spilled slot +from STACK_SPILL to STACK_MISC. After this patch the spill is not always +in 8 bytes now, so it can no longer assume the other 7 bytes are always +marked as STACK_SPILL. In particular, the scrub needs to avoid marking +an uninitialized byte from STACK_INVALID to STACK_MISC. Otherwise, the +verifier will incorrectly accept bpf program reading uninitialized bytes +from the stack. A new helper scrub_spilled_slot() is created for this +purpose. + +[1]: https://reviews.llvm.org/D109073 + +Signed-off-by: Martin KaFai Lau +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20210922004941.625398-1-kafai@fb.com +Stable-dep-of: 71f656a50176 ("bpf: Fix to preserve reg parent/live fields when copying range info") +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 67 +++++++++++++++++++++++++++++++++---------- + 1 file changed, 52 insertions(+), 15 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index a6c931fed39b..e06b84c7b890 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -570,6 +570,12 @@ static bool is_spilled_reg(const struct bpf_stack_state *stack) + return stack->slot_type[BPF_REG_SIZE - 1] == STACK_SPILL; + } + ++static void scrub_spilled_slot(u8 *stype) ++{ ++ if (*stype != STACK_INVALID) ++ *stype = STACK_MISC; ++} ++ + static void print_verifier_state(struct bpf_verifier_env *env, + const struct bpf_func_state *state) + { +@@ -2273,15 +2279,21 @@ static bool __is_pointer_value(bool allow_ptr_leaks, + } + + static void save_register_state(struct bpf_func_state *state, +- int spi, struct bpf_reg_state *reg) ++ int spi, struct bpf_reg_state *reg, ++ int size) + { + int i; + + state->stack[spi].spilled_ptr = *reg; +- state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; ++ if (size == BPF_REG_SIZE) ++ state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; + +- for (i = 0; i < BPF_REG_SIZE; i++) +- state->stack[spi].slot_type[i] = STACK_SPILL; ++ for (i = BPF_REG_SIZE; i > BPF_REG_SIZE - size; i--) ++ state->stack[spi].slot_type[i - 1] = STACK_SPILL; ++ ++ /* size < 8 bytes spill */ ++ for (; i; i--) ++ scrub_spilled_slot(&state->stack[spi].slot_type[i - 1]); + } + + /* check_stack_{read,write}_fixed_off functions track spill/fill of registers, +@@ -2331,7 +2343,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + env->insn_aux_data[insn_idx].sanitize_stack_spill = true; + } + +- if (reg && size == BPF_REG_SIZE && register_is_bounded(reg) && ++ if (reg && !(off % BPF_REG_SIZE) && register_is_bounded(reg) && + !register_is_null(reg) && env->bpf_capable) { + if (dst_reg != BPF_REG_FP) { + /* The backtracking logic can only recognize explicit +@@ -2344,7 +2356,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + if (err) + return err; + } +- save_register_state(state, spi, reg); ++ save_register_state(state, spi, reg, size); + } else if (reg && is_spillable_regtype(reg->type)) { + /* register containing pointer is being spilled into stack */ + if (size != BPF_REG_SIZE) { +@@ -2356,7 +2368,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + verbose(env, "cannot spill pointers to stack into stack frame of the caller\n"); + return -EINVAL; + } +- save_register_state(state, spi, reg); ++ save_register_state(state, spi, reg, size); + } else { + u8 type = STACK_MISC; + +@@ -2365,7 +2377,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + /* Mark slots as STACK_MISC if they belonged to spilled ptr. */ + if (is_spilled_reg(&state->stack[spi])) + for (i = 0; i < BPF_REG_SIZE; i++) +- state->stack[spi].slot_type[i] = STACK_MISC; ++ scrub_spilled_slot(&state->stack[spi].slot_type[i]); + + /* only mark the slot as written if all 8 bytes were written + * otherwise read propagation may incorrectly stop too soon +@@ -2572,23 +2584,50 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, + struct bpf_func_state *state = vstate->frame[vstate->curframe]; + int i, slot = -off - 1, spi = slot / BPF_REG_SIZE; + struct bpf_reg_state *reg; +- u8 *stype; ++ u8 *stype, type; + + stype = reg_state->stack[spi].slot_type; + reg = ®_state->stack[spi].spilled_ptr; + + if (is_spilled_reg(®_state->stack[spi])) { + if (size != BPF_REG_SIZE) { ++ u8 scalar_size = 0; ++ + if (reg->type != SCALAR_VALUE) { + verbose_linfo(env, env->insn_idx, "; "); + verbose(env, "invalid size of register fill\n"); + return -EACCES; + } +- if (dst_regno >= 0) { ++ ++ mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64); ++ if (dst_regno < 0) ++ return 0; ++ ++ for (i = BPF_REG_SIZE; i > 0 && stype[i - 1] == STACK_SPILL; i--) ++ scalar_size++; ++ ++ if (!(off % BPF_REG_SIZE) && size == scalar_size) { ++ /* The earlier check_reg_arg() has decided the ++ * subreg_def for this insn. Save it first. ++ */ ++ s32 subreg_def = state->regs[dst_regno].subreg_def; ++ ++ state->regs[dst_regno] = *reg; ++ state->regs[dst_regno].subreg_def = subreg_def; ++ } else { ++ for (i = 0; i < size; i++) { ++ type = stype[(slot - i) % BPF_REG_SIZE]; ++ if (type == STACK_SPILL) ++ continue; ++ if (type == STACK_MISC) ++ continue; ++ verbose(env, "invalid read from stack off %d+%d size %d\n", ++ off, i, size); ++ return -EACCES; ++ } + mark_reg_unknown(env, state->regs, dst_regno); +- state->regs[dst_regno].live |= REG_LIVE_WRITTEN; + } +- mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64); ++ state->regs[dst_regno].live |= REG_LIVE_WRITTEN; + return 0; + } + for (i = 1; i < BPF_REG_SIZE; i++) { +@@ -2619,8 +2658,6 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, + } + mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64); + } else { +- u8 type; +- + for (i = 0; i < size; i++) { + type = stype[(slot - i) % BPF_REG_SIZE]; + if (type == STACK_MISC) +@@ -4106,7 +4143,7 @@ static int check_stack_range_initialized( + if (clobber) { + __mark_reg_unknown(env, &state->stack[spi].spilled_ptr); + for (j = 0; j < BPF_REG_SIZE; j++) +- state->stack[spi].slot_type[j] = STACK_MISC; ++ scrub_spilled_slot(&state->stack[spi].slot_type[j]); + } + goto mark; + } +-- +2.39.0 + diff --git a/queue-5.10/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch b/queue-5.10/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch new file mode 100644 index 00000000000..ab237d5afaa --- /dev/null +++ b/queue-5.10/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch @@ -0,0 +1,67 @@ +From ad954fdfb62b7541a93ce1a12da025a8f698d8a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 09:42:00 +0000 +Subject: bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() + +From: Yuan Can + +[ Upstream commit f71eaf2708be7831428eacae7db25d8ec6b8b4c5 ] + +The sunxi_rsb_init() returns the platform_driver_register() directly +without checking its return value, if platform_driver_register() failed, +the sunxi_rsb_bus is not unregistered. +Fix by unregister sunxi_rsb_bus when platform_driver_register() failed. + +Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus") +Signed-off-by: Yuan Can +Reviewed-by: Jernej Skrabec +Link: https://lore.kernel.org/r/20221123094200.12036-1-yuancan@huawei.com +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + drivers/bus/sunxi-rsb.c | 8 +++++++- + sound/soc/intel/boards/bytcr_rt5651.c | 2 +- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c +index f8c29b888e6b..98cbb18f17fa 100644 +--- a/drivers/bus/sunxi-rsb.c ++++ b/drivers/bus/sunxi-rsb.c +@@ -781,7 +781,13 @@ static int __init sunxi_rsb_init(void) + return ret; + } + +- return platform_driver_register(&sunxi_rsb_driver); ++ ret = platform_driver_register(&sunxi_rsb_driver); ++ if (ret) { ++ bus_unregister(&sunxi_rsb_bus); ++ return ret; ++ } ++ ++ return 0; + } + module_init(sunxi_rsb_init); + +diff --git a/sound/soc/intel/boards/bytcr_rt5651.c b/sound/soc/intel/boards/bytcr_rt5651.c +index bf8b87d45cb0..2c76f0abeeca 100644 +--- a/sound/soc/intel/boards/bytcr_rt5651.c ++++ b/sound/soc/intel/boards/bytcr_rt5651.c +@@ -918,7 +918,6 @@ static int snd_byt_rt5651_mc_probe(struct platform_device *pdev) + if (adev) { + snprintf(byt_rt5651_codec_name, sizeof(byt_rt5651_codec_name), + "i2c-%s", acpi_dev_name(adev)); +- put_device(&adev->dev); + byt_rt5651_dais[dai_index].codecs->name = byt_rt5651_codec_name; + } else { + dev_err(&pdev->dev, "Error cannot find '%s' dev\n", mach->id); +@@ -927,6 +926,7 @@ static int snd_byt_rt5651_mc_probe(struct platform_device *pdev) + + codec_dev = bus_find_device_by_name(&i2c_bus_type, NULL, + byt_rt5651_codec_name); ++ acpi_dev_put(adev); + if (!codec_dev) + return -EPROBE_DEFER; + +-- +2.39.0 + diff --git a/queue-5.10/can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch b/queue-5.10/can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch new file mode 100644 index 00000000000..334dbb6dcf3 --- /dev/null +++ b/queue-5.10/can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch @@ -0,0 +1,77 @@ +From 18f1a0c51ab31aafabb1dd7384d3a76e97631648 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 17:42:00 +0800 +Subject: can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate + +From: Ziyang Xuan + +[ Upstream commit d0553680f94c49bbe0e39eb50d033ba563b4212d ] + +The conclusion "j1939_session_deactivate() should be called with a +session ref-count of at least 2" is incorrect. In some concurrent +scenarios, j1939_session_deactivate can be called with the session +ref-count less than 2. But there is not any problem because it +will check the session active state before session putting in +j1939_session_deactivate_locked(). + +Here is the concurrent scenario of the problem reported by syzbot +and my reproduction log. + + cpu0 cpu1 + j1939_xtp_rx_eoma +j1939_xtp_rx_abort_one + j1939_session_get_by_addr [kref == 2] +j1939_session_get_by_addr [kref == 3] +j1939_session_deactivate [kref == 2] +j1939_session_put [kref == 1] + j1939_session_completed + j1939_session_deactivate + WARN_ON_ONCE(kref < 2) + +===================================================== +WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70 +CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 +RIP: 0010:j1939_session_deactivate+0x5f/0x70 +Call Trace: + j1939_session_deactivate_activate_next+0x11/0x28 + j1939_xtp_rx_eoma+0x12a/0x180 + j1939_tp_recv+0x4a2/0x510 + j1939_can_recv+0x226/0x380 + can_rcv_filter+0xf8/0x220 + can_receive+0x102/0x220 + ? process_backlog+0xf0/0x2c0 + can_rcv+0x53/0xf0 + __netif_receive_skb_one_core+0x67/0x90 + ? process_backlog+0x97/0x2c0 + __netif_receive_skb+0x22/0x80 + +Fixes: 0c71437dd50d ("can: j1939: j1939_session_deactivate(): clarify lifetime of session object") +Reported-by: syzbot+9981a614060dcee6eeca@syzkaller.appspotmail.com +Signed-off-by: Ziyang Xuan +Acked-by: Oleksij Rempel +Link: https://lore.kernel.org/all/20210906094200.95868-1-william.xuanziyang@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 78f6a9110699..57d6aac7f435 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1087,10 +1087,6 @@ static bool j1939_session_deactivate(struct j1939_session *session) + bool active; + + j1939_session_list_lock(priv); +- /* This function should be called with a session ref-count of at +- * least 2. +- */ +- WARN_ON_ONCE(kref_read(&session->kref) < 2); + active = j1939_session_deactivate_locked(session); + j1939_session_list_unlock(priv); + +-- +2.39.0 + diff --git a/queue-5.10/drm-vc4-hdmi-make-cec-adapter-name-unique.patch b/queue-5.10/drm-vc4-hdmi-make-cec-adapter-name-unique.patch new file mode 100644 index 00000000000..9d986da2aa6 --- /dev/null +++ b/queue-5.10/drm-vc4-hdmi-make-cec-adapter-name-unique.patch @@ -0,0 +1,40 @@ +From 31542afd87005792423487c73e558756b261e858 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 10:02:19 +0100 +Subject: drm/vc4: hdmi: make CEC adapter name unique + +From: Hans Verkuil + +[ Upstream commit 51128c3f2a7c98055ea1d27e34910dc10977f618 ] + +The bcm2711 has two HDMI outputs, each with their own CEC adapter. +The CEC adapter name has to be unique, but it is currently +hardcoded to "vc4" for both outputs. Change this to use the card_name +from the variant information in order to make the adapter name unique. + +Signed-off-by: Hans Verkuil +Fixes: 15b4511a4af6 ("drm/vc4: add HDMI CEC support") +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/dcf1db75-d9cc-62cc-fa12-baf1b2b3bf31@xs4all.nl +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index 08175c3dd374..539ebf85fd7c 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -1491,7 +1491,8 @@ static int vc4_hdmi_cec_init(struct vc4_hdmi *vc4_hdmi) + return 0; + + vc4_hdmi->cec_adap = cec_allocate_adapter(&vc4_hdmi_cec_adap_ops, +- vc4_hdmi, "vc4", ++ vc4_hdmi, ++ vc4_hdmi->variant->card_name, + CEC_CAP_DEFAULTS | + CEC_CAP_CONNECTOR_INFO, 1); + ret = PTR_ERR_OR_ZERO(vc4_hdmi->cec_adap); +-- +2.39.0 + diff --git a/queue-5.10/efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch b/queue-5.10/efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch new file mode 100644 index 00000000000..ae73445acc5 --- /dev/null +++ b/queue-5.10/efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch @@ -0,0 +1,42 @@ +From 4f98fa3b85a2debdd8cb2f3bc17a03311abdaef9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Feb 2023 16:22:13 +0300 +Subject: efi: fix potential NULL deref in efi_mem_reserve_persistent + +From: Anton Gusev + +[ Upstream commit 966d47e1f27c45507c5df82b2a2157e5a4fd3909 ] + +When iterating on a linked list, a result of memremap is dereferenced +without checking it for NULL. + +This patch adds a check that falls back on allocating a new page in +case memremap doesn't succeed. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 18df7577adae ("efi/memreserve: deal with memreserve entries in unmapped memory") +Signed-off-by: Anton Gusev +[ardb: return -ENOMEM instead of breaking out of the loop] +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/efi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c +index a2765d668856..332739f3eded 100644 +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -950,6 +950,8 @@ int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size) + /* first try to find a slot in an existing linked list entry */ + for (prsv = efi_memreserve_root->next; prsv; ) { + rsv = memremap(prsv, sizeof(*rsv), MEMREMAP_WB); ++ if (!rsv) ++ return -ENOMEM; + index = atomic_fetch_add_unless(&rsv->count, 1, rsv->size); + if (index < rsv->size) { + rsv->entry[index].base = addr; +-- +2.39.0 + diff --git a/queue-5.10/fix-direction-argument-of-iov_iter_kvec.patch b/queue-5.10/fix-direction-argument-of-iov_iter_kvec.patch new file mode 100644 index 00000000000..5ec418a6cc5 --- /dev/null +++ b/queue-5.10/fix-direction-argument-of-iov_iter_kvec.patch @@ -0,0 +1,54 @@ +From 293ddde34e695bc7da714ea01b71ff7e36703959 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 19:16:56 -0400 +Subject: fix "direction" argument of iov_iter_kvec() + +From: Al Viro + +[ Upstream commit fc02f33787d8dd227b54f263eba983d5b249c032 ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/xen/pvcalls-back.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/xen/pvcalls-back.c b/drivers/xen/pvcalls-back.c +index a7d293fa8d14..3b5a8e2c4d47 100644 +--- a/drivers/xen/pvcalls-back.c ++++ b/drivers/xen/pvcalls-back.c +@@ -129,13 +129,13 @@ static bool pvcalls_conn_back_read(void *opaque) + if (masked_prod < masked_cons) { + vec[0].iov_base = data->in + masked_prod; + vec[0].iov_len = wanted; +- iov_iter_kvec(&msg.msg_iter, WRITE, vec, 1, wanted); ++ iov_iter_kvec(&msg.msg_iter, READ, vec, 1, wanted); + } else { + vec[0].iov_base = data->in + masked_prod; + vec[0].iov_len = array_size - masked_prod; + vec[1].iov_base = data->in; + vec[1].iov_len = wanted - vec[0].iov_len; +- iov_iter_kvec(&msg.msg_iter, WRITE, vec, 2, wanted); ++ iov_iter_kvec(&msg.msg_iter, READ, vec, 2, wanted); + } + + atomic_set(&map->read, 0); +@@ -188,13 +188,13 @@ static bool pvcalls_conn_back_write(struct sock_mapping *map) + if (pvcalls_mask(prod, array_size) > pvcalls_mask(cons, array_size)) { + vec[0].iov_base = data->out + pvcalls_mask(cons, array_size); + vec[0].iov_len = size; +- iov_iter_kvec(&msg.msg_iter, READ, vec, 1, size); ++ iov_iter_kvec(&msg.msg_iter, WRITE, vec, 1, size); + } else { + vec[0].iov_base = data->out + pvcalls_mask(cons, array_size); + vec[0].iov_len = array_size - pvcalls_mask(cons, array_size); + vec[1].iov_base = data->out; + vec[1].iov_len = size - vec[0].iov_len; +- iov_iter_kvec(&msg.msg_iter, READ, vec, 2, size); ++ iov_iter_kvec(&msg.msg_iter, WRITE, vec, 2, size); + } + + atomic_set(&map->write, 0); +-- +2.39.0 + diff --git a/queue-5.10/fix-iov_iter_bvec-direction-argument.patch b/queue-5.10/fix-iov_iter_bvec-direction-argument.patch new file mode 100644 index 00000000000..ec25a1a9a50 --- /dev/null +++ b/queue-5.10/fix-iov_iter_bvec-direction-argument.patch @@ -0,0 +1,40 @@ +From 4ea2370cebfa2176ea7d674961e89b4e49d6980a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 19:04:18 -0400 +Subject: fix iov_iter_bvec() "direction" argument + +From: Al Viro + +[ Upstream commit b676668d99155e6859d99bbf2df18b3f03851902 ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c +index 7143d03f0e02..18fbbe510d01 100644 +--- a/drivers/target/target_core_file.c ++++ b/drivers/target/target_core_file.c +@@ -340,7 +340,7 @@ static int fd_do_rw(struct se_cmd *cmd, struct file *fd, + len += sg->length; + } + +- iov_iter_bvec(&iter, READ, bvec, sgl_nents, len); ++ iov_iter_bvec(&iter, is_write, bvec, sgl_nents, len); + if (is_write) + ret = vfs_iter_write(fd, &iter, &pos, 0); + else +@@ -477,7 +477,7 @@ fd_execute_write_same(struct se_cmd *cmd) + len += se_dev->dev_attrib.block_size; + } + +- iov_iter_bvec(&iter, READ, bvec, nolb, len); ++ iov_iter_bvec(&iter, WRITE, bvec, nolb, len); + ret = vfs_iter_write(fd_dev->fd_file, &iter, &pos, 0); + + kfree(bvec); +-- +2.39.0 + diff --git a/queue-5.10/i2c-mxs-suppress-probe-deferral-error-message.patch b/queue-5.10/i2c-mxs-suppress-probe-deferral-error-message.patch new file mode 100644 index 00000000000..1bd5413f70f --- /dev/null +++ b/queue-5.10/i2c-mxs-suppress-probe-deferral-error-message.patch @@ -0,0 +1,44 @@ +From af3b057c32b98cea4de3a5d34ec5f3c8677221df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Jan 2023 13:32:29 +0100 +Subject: i2c: mxs: suppress probe-deferral error message + +From: Stefan Wahren + +[ Upstream commit 78a4471fa1a76a8bef4919105de67660a89a1e9b ] + +During boot of I2SE Duckbill the kernel log contains a +confusing error: + + Failed to request dma + +This is caused by i2c-mxs tries to request a not yet available DMA +channel (-EPROBE_DEFER). So suppress this message by using +dev_err_probe(). + +Signed-off-by: Stefan Wahren +Reviewed-by: Fabio Estevam +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-mxs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-mxs.c b/drivers/i2c/busses/i2c-mxs.c +index c4b08a924461..abad24808e85 100644 +--- a/drivers/i2c/busses/i2c-mxs.c ++++ b/drivers/i2c/busses/i2c-mxs.c +@@ -842,8 +842,8 @@ static int mxs_i2c_probe(struct platform_device *pdev) + /* Setup the DMA */ + i2c->dmach = dma_request_chan(dev, "rx-tx"); + if (IS_ERR(i2c->dmach)) { +- dev_err(dev, "Failed to request dma\n"); +- return PTR_ERR(i2c->dmach); ++ return dev_err_probe(dev, PTR_ERR(i2c->dmach), ++ "Failed to request dma\n"); + } + + platform_set_drvdata(pdev, i2c); +-- +2.39.0 + diff --git a/queue-5.10/i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch b/queue-5.10/i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch new file mode 100644 index 00000000000..f1a7bd1c538 --- /dev/null +++ b/queue-5.10/i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch @@ -0,0 +1,180 @@ +From 62f5e47c984a3e2c2446c63dda1709079284b7cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 22:38:05 -0800 +Subject: i2c: rk3x: fix a bunch of kernel-doc warnings + +From: Randy Dunlap + +[ Upstream commit 0582d984793d30442da88fe458674502bad1ad29 ] + +Fix multiple W=1 kernel-doc warnings in i2c-rk3x.c: + +drivers/i2c/busses/i2c-rk3x.c:83: warning: missing initial short description on line: + * struct i2c_spec_values: +drivers/i2c/busses/i2c-rk3x.c:139: warning: missing initial short description on line: + * struct rk3x_i2c_calced_timings: +drivers/i2c/busses/i2c-rk3x.c:162: warning: missing initial short description on line: + * struct rk3x_i2c_soc_data: +drivers/i2c/busses/i2c-rk3x.c:242: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Generate a START condition, which triggers a REG_INT_START interrupt. +drivers/i2c/busses/i2c-rk3x.c:261: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Generate a STOP condition, which triggers a REG_INT_STOP interrupt. +drivers/i2c/busses/i2c-rk3x.c:304: warning: expecting prototype for Setup a read according to i2c(). Prototype was for rk3x_i2c_prepare_read() instead +drivers/i2c/busses/i2c-rk3x.c:335: warning: expecting prototype for Fill the transmit buffer with data from i2c(). Prototype was for rk3x_i2c_fill_transmit_buf() instead +drivers/i2c/busses/i2c-rk3x.c:535: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Get timing values of I2C specification +drivers/i2c/busses/i2c-rk3x.c:552: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Calculate divider values for desired SCL frequency +drivers/i2c/busses/i2c-rk3x.c:713: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Calculate timing values for desired SCL frequency +drivers/i2c/busses/i2c-rk3x.c:963: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Setup I2C registers for an I2C operation specified by msgs, num. + +Signed-off-by: Randy Dunlap +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-rk3x.c | 44 +++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-rk3x.c b/drivers/i2c/busses/i2c-rk3x.c +index 02ddb237f69a..13c14eb175e9 100644 +--- a/drivers/i2c/busses/i2c-rk3x.c ++++ b/drivers/i2c/busses/i2c-rk3x.c +@@ -80,7 +80,7 @@ enum { + #define DEFAULT_SCL_RATE (100 * 1000) /* Hz */ + + /** +- * struct i2c_spec_values: ++ * struct i2c_spec_values - I2C specification values for various modes + * @min_hold_start_ns: min hold time (repeated) START condition + * @min_low_ns: min LOW period of the SCL clock + * @min_high_ns: min HIGH period of the SCL cloc +@@ -136,7 +136,7 @@ static const struct i2c_spec_values fast_mode_plus_spec = { + }; + + /** +- * struct rk3x_i2c_calced_timings: ++ * struct rk3x_i2c_calced_timings - calculated V1 timings + * @div_low: Divider output for low + * @div_high: Divider output for high + * @tuning: Used to adjust setup/hold data time, +@@ -159,7 +159,7 @@ enum rk3x_i2c_state { + }; + + /** +- * struct rk3x_i2c_soc_data: ++ * struct rk3x_i2c_soc_data - SOC-specific data + * @grf_offset: offset inside the grf regmap for setting the i2c type + * @calc_timings: Callback function for i2c timing information calculated + */ +@@ -239,7 +239,8 @@ static inline void rk3x_i2c_clean_ipd(struct rk3x_i2c *i2c) + } + + /** +- * Generate a START condition, which triggers a REG_INT_START interrupt. ++ * rk3x_i2c_start - Generate a START condition, which triggers a REG_INT_START interrupt. ++ * @i2c: target controller data + */ + static void rk3x_i2c_start(struct rk3x_i2c *i2c) + { +@@ -258,8 +259,8 @@ static void rk3x_i2c_start(struct rk3x_i2c *i2c) + } + + /** +- * Generate a STOP condition, which triggers a REG_INT_STOP interrupt. +- * ++ * rk3x_i2c_stop - Generate a STOP condition, which triggers a REG_INT_STOP interrupt. ++ * @i2c: target controller data + * @error: Error code to return in rk3x_i2c_xfer + */ + static void rk3x_i2c_stop(struct rk3x_i2c *i2c, int error) +@@ -298,7 +299,8 @@ static void rk3x_i2c_stop(struct rk3x_i2c *i2c, int error) + } + + /** +- * Setup a read according to i2c->msg ++ * rk3x_i2c_prepare_read - Setup a read according to i2c->msg ++ * @i2c: target controller data + */ + static void rk3x_i2c_prepare_read(struct rk3x_i2c *i2c) + { +@@ -329,7 +331,8 @@ static void rk3x_i2c_prepare_read(struct rk3x_i2c *i2c) + } + + /** +- * Fill the transmit buffer with data from i2c->msg ++ * rk3x_i2c_fill_transmit_buf - Fill the transmit buffer with data from i2c->msg ++ * @i2c: target controller data + */ + static void rk3x_i2c_fill_transmit_buf(struct rk3x_i2c *i2c) + { +@@ -532,11 +535,10 @@ static irqreturn_t rk3x_i2c_irq(int irqno, void *dev_id) + } + + /** +- * Get timing values of I2C specification +- * ++ * rk3x_i2c_get_spec - Get timing values of I2C specification + * @speed: Desired SCL frequency + * +- * Returns: Matched i2c spec values. ++ * Return: Matched i2c_spec_values. + */ + static const struct i2c_spec_values *rk3x_i2c_get_spec(unsigned int speed) + { +@@ -549,13 +551,12 @@ static const struct i2c_spec_values *rk3x_i2c_get_spec(unsigned int speed) + } + + /** +- * Calculate divider values for desired SCL frequency +- * ++ * rk3x_i2c_v0_calc_timings - Calculate divider values for desired SCL frequency + * @clk_rate: I2C input clock rate + * @t: Known I2C timing information + * @t_calc: Caculated rk3x private timings that would be written into regs + * +- * Returns: 0 on success, -EINVAL if the goal SCL rate is too slow. In that case ++ * Return: %0 on success, -%EINVAL if the goal SCL rate is too slow. In that case + * a best-effort divider value is returned in divs. If the target rate is + * too high, we silently use the highest possible rate. + */ +@@ -710,13 +711,12 @@ static int rk3x_i2c_v0_calc_timings(unsigned long clk_rate, + } + + /** +- * Calculate timing values for desired SCL frequency +- * ++ * rk3x_i2c_v1_calc_timings - Calculate timing values for desired SCL frequency + * @clk_rate: I2C input clock rate + * @t: Known I2C timing information + * @t_calc: Caculated rk3x private timings that would be written into regs + * +- * Returns: 0 on success, -EINVAL if the goal SCL rate is too slow. In that case ++ * Return: %0 on success, -%EINVAL if the goal SCL rate is too slow. In that case + * a best-effort divider value is returned in divs. If the target rate is + * too high, we silently use the highest possible rate. + * The following formulas are v1's method to calculate timings. +@@ -960,14 +960,14 @@ static int rk3x_i2c_clk_notifier_cb(struct notifier_block *nb, unsigned long + } + + /** +- * Setup I2C registers for an I2C operation specified by msgs, num. +- * +- * Must be called with i2c->lock held. +- * ++ * rk3x_i2c_setup - Setup I2C registers for an I2C operation specified by msgs, num. ++ * @i2c: target controller data + * @msgs: I2C msgs to process + * @num: Number of msgs + * +- * returns: Number of I2C msgs processed or negative in case of error ++ * Must be called with i2c->lock held. ++ * ++ * Return: Number of I2C msgs processed or negative in case of error + */ + static int rk3x_i2c_setup(struct rk3x_i2c *i2c, struct i2c_msg *msgs, int num) + { +-- +2.39.0 + diff --git a/queue-5.10/igc-return-an-error-if-the-mac-type-is-unknown-in-ig.patch b/queue-5.10/igc-return-an-error-if-the-mac-type-is-unknown-in-ig.patch new file mode 100644 index 00000000000..c907494f75e --- /dev/null +++ b/queue-5.10/igc-return-an-error-if-the-mac-type-is-unknown-in-ig.patch @@ -0,0 +1,76 @@ +From c2e3b54d7bdce944a508fc3b38657ae087b8cae7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 13:54:37 -0800 +Subject: igc: return an error if the mac type is unknown in + igc_ptp_systim_to_hwtstamp() + +From: Tom Rix + +[ Upstream commit a2df8463e15c10a8a882090f3d7a760fdb7b189d ] + +clang static analysis reports +drivers/net/ethernet/intel/igc/igc_ptp.c:673:3: warning: The left operand of + '+' is a garbage value [core.UndefinedBinaryOperatorResult] + ktime_add_ns(shhwtstamps.hwtstamp, adjust); + ^ ~~~~~~~~~~~~~~~~~~~~ + +igc_ptp_systim_to_hwtstamp() silently returns without setting the hwtstamp +if the mac type is unknown. This should be treated as an error. + +Fixes: 81b055205e8b ("igc: Add support for RX timestamping") +Signed-off-by: Tom Rix +Reviewed-by: Simon Horman +Acked-by: Sasha Neftin +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230131215437.1528994-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ptp.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index 4ab46eee3d93..ef53f7665b58 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -134,10 +134,12 @@ static int igc_ptp_feature_enable_i225(struct ptp_clock_info *ptp, + * + * We need to convert the system time value stored in the RX/TXSTMP registers + * into a hwtstamp which can be used by the upper level timestamping functions. ++ * ++ * Returns 0 on success. + **/ +-static void igc_ptp_systim_to_hwtstamp(struct igc_adapter *adapter, +- struct skb_shared_hwtstamps *hwtstamps, +- u64 systim) ++static int igc_ptp_systim_to_hwtstamp(struct igc_adapter *adapter, ++ struct skb_shared_hwtstamps *hwtstamps, ++ u64 systim) + { + switch (adapter->hw.mac.type) { + case igc_i225: +@@ -147,8 +149,9 @@ static void igc_ptp_systim_to_hwtstamp(struct igc_adapter *adapter, + systim & 0xFFFFFFFF); + break; + default: +- break; ++ return -EINVAL; + } ++ return 0; + } + + /** +@@ -372,7 +375,8 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter) + + regval = rd32(IGC_TXSTMPL); + regval |= (u64)rd32(IGC_TXSTMPH) << 32; +- igc_ptp_systim_to_hwtstamp(adapter, &shhwtstamps, regval); ++ if (igc_ptp_systim_to_hwtstamp(adapter, &shhwtstamps, regval)) ++ return; + + switch (adapter->link_speed) { + case SPEED_10: +-- +2.39.0 + diff --git a/queue-5.10/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch b/queue-5.10/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch new file mode 100644 index 00000000000..ebff3cc6a4c --- /dev/null +++ b/queue-5.10/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch @@ -0,0 +1,110 @@ +From 18af22eaff3133f5efd772b65f15470928d992e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Feb 2023 00:02:18 +0300 +Subject: net: openvswitch: fix flow memory leak in ovs_flow_cmd_new + +From: Fedor Pchelkin + +[ Upstream commit 0c598aed445eb45b0ee7ba405f7ece99ee349c30 ] + +Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is +not freed when an allocation of a key fails. + +BUG: memory leak +unreferenced object 0xffff888116668000 (size 632): + comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline] + [<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77 + [<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957 + [<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739 + [<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + [<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800 + [<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515 + [<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 + [<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] + [<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339 + [<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934 + [<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline] + [<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671 + [<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356 + [<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410 + [<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 + [<00000000c00628f8>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + [<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +To fix this the patch rearranges the goto labels to reflect the order of +object allocations and adds appropriate goto statements on the error +paths. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 68bb10101e6b ("openvswitch: Fix flow lookup to use unmasked key") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Eelco Chaudron +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230201210218.361970-1-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index 435f7f1be614..b625ab5e9a43 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -964,14 +964,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + key = kzalloc(sizeof(*key), GFP_KERNEL); + if (!key) { + error = -ENOMEM; +- goto err_kfree_key; ++ goto err_kfree_flow; + } + + ovs_match_init(&match, key, false, &mask); + error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY], + a[OVS_FLOW_ATTR_MASK], log); + if (error) +- goto err_kfree_flow; ++ goto err_kfree_key; + + ovs_flow_mask_key(&new_flow->key, key, true, &mask); + +@@ -979,14 +979,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID], + key, log); + if (error) +- goto err_kfree_flow; ++ goto err_kfree_key; + + /* Validate actions. */ + error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS], + &new_flow->key, &acts, log); + if (error) { + OVS_NLERR(log, "Flow actions may not be safe on all matching packets."); +- goto err_kfree_flow; ++ goto err_kfree_key; + } + + reply = ovs_flow_cmd_alloc_info(acts, &new_flow->id, info, false, +@@ -1086,10 +1086,10 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + kfree_skb(reply); + err_kfree_acts: + ovs_nla_free_flow_actions(acts); +-err_kfree_flow: +- ovs_flow_free(new_flow, false); + err_kfree_key: + kfree(key); ++err_kfree_flow: ++ ovs_flow_free(new_flow, false); + error: + return error; + } +-- +2.39.0 + diff --git a/queue-5.10/net-phy-dp83822-fix-null-pointer-access-on-dp83825-d.patch b/queue-5.10/net-phy-dp83822-fix-null-pointer-access-on-dp83825-d.patch new file mode 100644 index 00000000000..3f62f72577c --- /dev/null +++ b/queue-5.10/net-phy-dp83822-fix-null-pointer-access-on-dp83825-d.patch @@ -0,0 +1,53 @@ +From f78b3286ca172f77812e5d6eaef99b4bb9b2d09a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 19:23:26 +0100 +Subject: net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices + +From: Andre Kalb + +[ Upstream commit 422ae7d9c7221e8d4c8526d0f54106307d69d2dc ] + +The probe() function is only used for the DP83822 PHY, leaving the +private data pointer uninitialized for the smaller DP83825/26 models. +While all uses of the private data structure are hidden in 82822 specific +callbacks, configuring the interrupt is shared across all models. +This causes a NULL pointer dereference on the smaller PHYs as it accesses +the private data unchecked. Verifying the pointer avoids that. + +Fixes: 5dc39fd5ef35 ("net: phy: DP83822: Add ability to advertise Fiber connection") +Signed-off-by: Andre Kalb +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/Y9FzniUhUtbaGKU7@pc6682 +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83822.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/phy/dp83822.c b/drivers/net/phy/dp83822.c +index db651649e0b8..81412999445d 100644 +--- a/drivers/net/phy/dp83822.c ++++ b/drivers/net/phy/dp83822.c +@@ -247,7 +247,8 @@ static int dp83822_config_intr(struct phy_device *phydev) + DP83822_ENERGY_DET_INT_EN | + DP83822_LINK_QUAL_INT_EN); + +- if (!dp83822->fx_enabled) ++ /* Private data pointer is NULL on DP83825/26 */ ++ if (!dp83822 || !dp83822->fx_enabled) + misr_status |= DP83822_ANEG_COMPLETE_INT_EN | + DP83822_DUP_MODE_CHANGE_INT_EN | + DP83822_SPEED_CHANGED_INT_EN; +@@ -267,7 +268,8 @@ static int dp83822_config_intr(struct phy_device *phydev) + DP83822_PAGE_RX_INT_EN | + DP83822_EEE_ERROR_CHANGE_INT_EN); + +- if (!dp83822->fx_enabled) ++ /* Private data pointer is NULL on DP83825/26 */ ++ if (!dp83822 || !dp83822->fx_enabled) + misr_status |= DP83822_ANEG_ERR_INT_EN | + DP83822_WOL_PKT_INT_EN; + +-- +2.39.0 + diff --git a/queue-5.10/net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch b/queue-5.10/net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch new file mode 100644 index 00000000000..888800ea206 --- /dev/null +++ b/queue-5.10/net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch @@ -0,0 +1,42 @@ +From b14a6eaeb3dc07afb633e51767d030652bc6014f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 15:14:02 -0800 +Subject: net: phy: meson-gxl: Add generic dummy stubs for MMD register access + +From: Chris Healy + +[ Upstream commit afc2336f89dc0fc0ef25b92366814524b0fd90fb ] + +The Meson G12A Internal PHY does not support standard IEEE MMD extended +register access, therefore add generic dummy stubs to fail the read and +write MMD calls. This is necessary to prevent the core PHY code from +erroneously believing that EEE is supported by this PHY even though this +PHY does not support EEE, as MMD register access returns all FFFFs. + +Fixes: 5c3407abb338 ("net: phy: meson-gxl: add g12a support") +Reviewed-by: Heiner Kallweit +Signed-off-by: Chris Healy +Reviewed-by: Jerome Brunet +Link: https://lore.kernel.org/r/20230130231402.471493-1-cphealy@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/meson-gxl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/phy/meson-gxl.c b/drivers/net/phy/meson-gxl.c +index e8f2ca625837..f7a9e6599a64 100644 +--- a/drivers/net/phy/meson-gxl.c ++++ b/drivers/net/phy/meson-gxl.c +@@ -245,6 +245,8 @@ static struct phy_driver meson_gxl_phy[] = { + .config_intr = meson_gxl_config_intr, + .suspend = genphy_suspend, + .resume = genphy_resume, ++ .read_mmd = genphy_read_mmd_unsupported, ++ .write_mmd = genphy_write_mmd_unsupported, + }, + }; + +-- +2.39.0 + diff --git a/queue-5.10/net-x25-fix-to-not-accept-on-connected-socket.patch b/queue-5.10/net-x25-fix-to-not-accept-on-connected-socket.patch new file mode 100644 index 00000000000..d6aaf2d03a3 --- /dev/null +++ b/queue-5.10/net-x25-fix-to-not-accept-on-connected-socket.patch @@ -0,0 +1,47 @@ +From 15ec2892624414a590418f210bc8b7f11fa0b145 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 11:43:23 -0800 +Subject: net/x25: Fix to not accept on connected socket + +From: Hyunwoo Kim + +[ Upstream commit f2b0b5210f67c56a3bcdf92ff665fb285d6e0067 ] + +When listen() and accept() are called on an x25 socket +that connect() succeeds, accept() succeeds immediately. +This is because x25_connect() queues the skb to +sk->sk_receive_queue, and x25_accept() dequeues it. + +This creates a child socket with the sk of the parent +x25 socket, which can cause confusion. + +Fix x25_listen() to return -EINVAL if the socket has +already been successfully connect()ed to avoid this issue. + +Signed-off-by: Hyunwoo Kim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/x25/af_x25.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index d231d4620c38..161dc194e634 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -492,6 +492,12 @@ static int x25_listen(struct socket *sock, int backlog) + int rc = -EOPNOTSUPP; + + lock_sock(sk); ++ if (sock->state != SS_UNCONNECTED) { ++ rc = -EINVAL; ++ release_sock(sk); ++ return rc; ++ } ++ + if (sk->sk_state != TCP_LISTEN) { + memset(&x25_sk(sk)->dest_addr, 0, X25_ADDR_LEN); + sk->sk_max_ack_backlog = backlog; +-- +2.39.0 + diff --git a/queue-5.10/netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch b/queue-5.10/netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch new file mode 100644 index 00000000000..ac28a13ee93 --- /dev/null +++ b/queue-5.10/netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch @@ -0,0 +1,66 @@ +From 14a2976a15387526c6cb06819046b75f4f3fa5c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 11:39:29 +0100 +Subject: netfilter: br_netfilter: disable sabotage_in hook after first + suppression + +From: Florian Westphal + +[ Upstream commit 2b272bb558f1d3a5aa95ed8a82253786fd1a48ba ] + +When using a xfrm interface in a bridged setup (the outgoing device is +bridged), the incoming packets in the xfrm interface are only tracked +in the outgoing direction. + +$ brctl show +bridge name interfaces +br_eth1 eth1 + +$ conntrack -L +tcp 115 SYN_SENT src=192... dst=192... [UNREPLIED] ... + +If br_netfilter is enabled, the first (encrypted) packet is received onR +eth1, conntrack hooks are called from br_netfilter emulation which +allocates nf_bridge info for this skb. + +If the packet is for local machine, skb gets passed up the ip stack. +The skb passes through ip prerouting a second time. br_netfilter +ip_sabotage_in supresses the re-invocation of the hooks. + +After this, skb gets decrypted in xfrm layer and appears in +network stack a second time (after decryption). + +Then, ip_sabotage_in is called again and suppresses netfilter +hook invocation, even though the bridge layer never called them +for the plaintext incarnation of the packet. + +Free the bridge info after the first suppression to avoid this. + +I was unable to figure out where the regression comes from, as far as i +can see br_netfilter always had this problem; i did not expect that skb +is looped again with different headers. + +Fixes: c4b0e771f906 ("netfilter: avoid using skb->nf_bridge directly") +Reported-and-tested-by: Wolfgang Nothdurft +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index a718204c4bfd..f3c7cfba31e1 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -871,6 +871,7 @@ static unsigned int ip_sabotage_in(void *priv, + if (nf_bridge && !nf_bridge->in_prerouting && + !netif_is_l3_master(skb->dev) && + !netif_is_l3_slave(skb->dev)) { ++ nf_bridge_info_free(skb); + state->okfn(state->net, state->sk, skb); + return NF_STOLEN; + } +-- +2.39.0 + diff --git a/queue-5.10/netrom-fix-use-after-free-caused-by-accept-on-alread.patch b/queue-5.10/netrom-fix-use-after-free-caused-by-accept-on-alread.patch new file mode 100644 index 00000000000..23ea808b0bf --- /dev/null +++ b/queue-5.10/netrom-fix-use-after-free-caused-by-accept-on-alread.patch @@ -0,0 +1,211 @@ +From e63c04123cdad28488f005a4d8635850653146fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 18:32:50 -0800 +Subject: netrom: Fix use-after-free caused by accept on already connected + socket + +From: Hyunwoo Kim + +[ Upstream commit 611792920925fb088ddccbe2783c7f92fdfb6b64 ] + +If you call listen() and accept() on an already connect()ed +AF_NETROM socket, accept() can successfully connect. +This is because when the peer socket sends data to sendmsg, +the skb with its own sk stored in the connected socket's +sk->sk_receive_queue is connected, and nr_accept() dequeues +the skb waiting in the sk->sk_receive_queue. + +As a result, nr_accept() allocates and returns a sock with +the sk of the parent AF_NETROM socket. + +And here use-after-free can happen through complex race conditions: +``` + cpu0 cpu1 + 1. socket_2 = socket(AF_NETROM) + . + . + listen(socket_2) + accepted_socket = accept(socket_2) + 2. socket_1 = socket(AF_NETROM) + nr_create() // sk refcount : 1 + connect(socket_1) + 3. write(accepted_socket) + nr_sendmsg() + nr_output() + nr_kick() + nr_send_iframe() + nr_transmit_buffer() + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() + nr_process_rx_frame(sk, skb); // sk : socket_1's sk + nr_state3_machine() + nr_queue_rx_frame() + sock_queue_rcv_skb() + sock_queue_rcv_skb_reason() + __sock_queue_rcv_skb() + __skb_queue_tail(list, skb); // list : socket_1's sk->sk_receive_queue + 4. listen(socket_1) + nr_listen() + uaf_socket = accept(socket_1) + nr_accept() + skb_dequeue(&sk->sk_receive_queue); + 5. close(accepted_socket) + nr_release() + nr_write_internal(sk, NR_DISCREQ) + nr_transmit_buffer() // NR_DISCREQ + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() // sk : socket_1's sk + nr_process_rx_frame() // NR_STATE_3 + nr_state3_machine() // NR_DISCREQ + nr_disconnect() + nr_sk(sk)->state = NR_STATE_0; + 6. close(socket_1) // sk refcount : 3 + nr_release() // NR_STATE_0 + sock_put(sk); // sk refcount : 0 + sk_free(sk); + close(uaf_socket) + nr_release() + sock_hold(sk); // UAF +``` + +KASAN report by syzbot: +``` +BUG: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520 +Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:306 [inline] + print_report+0x15e/0x461 mm/kasan/report.c:417 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 + check_region_inline mm/kasan/generic.c:183 [inline] + kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 + instrument_atomic_read_write include/linux/instrumented.h:102 [inline] + atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline] + __refcount_add include/linux/refcount.h:193 [inline] + __refcount_inc include/linux/refcount.h:250 [inline] + refcount_inc include/linux/refcount.h:267 [inline] + sock_hold include/net/sock.h:775 [inline] + nr_release+0x66/0x460 net/netrom/af_netrom.c:520 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f6c19e3c9b9 +Code: Unable to access opcode bytes at 0x7f6c19e3c98f. +RSP: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 +RAX: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9 +RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006 +RBP: 0000000000000003 R08: 000000000000000d R09: 000000000000000d +R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0 +R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000 + + +Allocated by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + ____kasan_kmalloc mm/kasan/common.c:330 [inline] + __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slab_common.c:968 [inline] + __kmalloc+0x5a/0xd0 mm/slab_common.c:981 + kmalloc include/linux/slab.h:584 [inline] + sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 + sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 + nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 + __sock_create+0x359/0x790 net/socket.c:1515 + sock_create net/socket.c:1566 [inline] + __sys_socket_create net/socket.c:1603 [inline] + __sys_socket_create net/socket.c:1588 [inline] + __sys_socket+0x133/0x250 net/socket.c:1636 + __do_sys_socket net/socket.c:1649 [inline] + __se_sys_socket net/socket.c:1647 [inline] + __x64_sys_socket+0x73/0xb0 net/socket.c:1647 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 + kasan_slab_free include/linux/kasan.h:177 [inline] + __cache_free mm/slab.c:3394 [inline] + __do_kmem_cache_free mm/slab.c:3580 [inline] + __kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 + sk_prot_free net/core/sock.c:2074 [inline] + __sk_destruct+0x5df/0x750 net/core/sock.c:2166 + sk_destruct net/core/sock.c:2181 [inline] + __sk_free+0x175/0x460 net/core/sock.c:2192 + sk_free+0x7c/0xa0 net/core/sock.c:2203 + sock_put include/net/sock.h:1991 [inline] + nr_release+0x39e/0x460 net/netrom/af_netrom.c:554 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +``` + +To fix this issue, nr_listen() returns -EINVAL for sockets that +successfully nr_connect(). + +Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netrom/af_netrom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index e5c8a295e640..5c04da4cfbad 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -400,6 +400,11 @@ static int nr_listen(struct socket *sock, int backlog) + struct sock *sk = sock->sk; + + lock_sock(sk); ++ if (sock->state != SS_UNCONNECTED) { ++ release_sock(sk); ++ return -EINVAL; ++ } ++ + if (sk->sk_state != TCP_LISTEN) { + memset(&nr_sk(sk)->user_addr, 0, AX25_ADDR_LEN); + sk->sk_max_ack_backlog = backlog; +-- +2.39.0 + diff --git a/queue-5.10/platform-x86-dell-wmi-add-a-keymap-for-key_mute-in-t.patch b/queue-5.10/platform-x86-dell-wmi-add-a-keymap-for-key_mute-in-t.patch new file mode 100644 index 00000000000..0d491a2fc55 --- /dev/null +++ b/queue-5.10/platform-x86-dell-wmi-add-a-keymap-for-key_mute-in-t.patch @@ -0,0 +1,41 @@ +From 03b58dfc499cc8a79d4c6fb77455a3fa89a45378 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 20:34:36 +0800 +Subject: platform/x86: dell-wmi: Add a keymap for KEY_MUTE in type 0x0010 + table + +From: Koba Ko + +[ Upstream commit 83bcf3e52e9cfc727df33f1055ef0618c91719d0 ] + +Some platforms send the speaker-mute key from EC. dell-wmi can't +recognize it. + +Add a new keymap for KEY_MUTE in type 0x0010 table. + +Signed-off-by: Koba Ko +Link: https://lore.kernel.org/r/20230117123436.200440-1-koba.ko@canonical.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell-wmi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c +index bbdb3e860892..6ef327a80ccf 100644 +--- a/drivers/platform/x86/dell-wmi.c ++++ b/drivers/platform/x86/dell-wmi.c +@@ -259,6 +259,9 @@ static const struct key_entry dell_wmi_keymap_type_0010[] = { + { KE_KEY, 0x57, { KEY_BRIGHTNESSDOWN } }, + { KE_KEY, 0x58, { KEY_BRIGHTNESSUP } }, + ++ /*Speaker Mute*/ ++ { KE_KEY, 0x109, { KEY_MUTE} }, ++ + /* Mic mute */ + { KE_KEY, 0x150, { KEY_MICMUTE } }, + +-- +2.39.0 + diff --git a/queue-5.10/powerpc-bpf-change-register-numbering-for-bpf_set-is.patch b/queue-5.10/powerpc-bpf-change-register-numbering-for-bpf_set-is.patch new file mode 100644 index 00000000000..770a9ce535f --- /dev/null +++ b/queue-5.10/powerpc-bpf-change-register-numbering-for-bpf_set-is.patch @@ -0,0 +1,88 @@ +From 0f7d250ec1e70929e4fed459f46722bf7c500439 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 16:37:47 +0000 +Subject: powerpc/bpf: Change register numbering for bpf_set/is_seen_register() + +From: Christophe Leroy + +[ Upstream commit ed573b57e77a7860fe4026e1700faa2f6938caf1 ] + +Instead of using BPF register number as input in functions +bpf_set_seen_register() and bpf_is_seen_register(), use +CPU register number directly. + +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/0cd2506f598e7095ea43e62dca1f472de5474a0d.1616430991.git.christophe.leroy@csgroup.eu +Stable-dep-of: 71f656a50176 ("bpf: Fix to preserve reg parent/live fields when copying range info") +Signed-off-by: Sasha Levin +--- + arch/powerpc/net/bpf_jit_comp64.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c +index 0d47514e8870..7da59ddc90dd 100644 +--- a/arch/powerpc/net/bpf_jit_comp64.c ++++ b/arch/powerpc/net/bpf_jit_comp64.c +@@ -32,12 +32,12 @@ static inline void bpf_flush_icache(void *start, void *end) + + static inline bool bpf_is_seen_register(struct codegen_context *ctx, int i) + { +- return (ctx->seen & (1 << (31 - b2p[i]))); ++ return ctx->seen & (1 << (31 - i)); + } + + static inline void bpf_set_seen_register(struct codegen_context *ctx, int i) + { +- ctx->seen |= (1 << (31 - b2p[i])); ++ ctx->seen |= 1 << (31 - i); + } + + static inline bool bpf_has_stack_frame(struct codegen_context *ctx) +@@ -48,7 +48,7 @@ static inline bool bpf_has_stack_frame(struct codegen_context *ctx) + * - the bpf program uses its stack area + * The latter condition is deduced from the usage of BPF_REG_FP + */ +- return ctx->seen & SEEN_FUNC || bpf_is_seen_register(ctx, BPF_REG_FP); ++ return ctx->seen & SEEN_FUNC || bpf_is_seen_register(ctx, b2p[BPF_REG_FP]); + } + + /* +@@ -125,11 +125,11 @@ static void bpf_jit_build_prologue(u32 *image, struct codegen_context *ctx) + * in the protected zone below the previous stack frame + */ + for (i = BPF_REG_6; i <= BPF_REG_10; i++) +- if (bpf_is_seen_register(ctx, i)) ++ if (bpf_is_seen_register(ctx, b2p[i])) + PPC_BPF_STL(b2p[i], 1, bpf_jit_stack_offsetof(ctx, b2p[i])); + + /* Setup frame pointer to point to the bpf stack area */ +- if (bpf_is_seen_register(ctx, BPF_REG_FP)) ++ if (bpf_is_seen_register(ctx, b2p[BPF_REG_FP])) + EMIT(PPC_RAW_ADDI(b2p[BPF_REG_FP], 1, + STACK_FRAME_MIN_SIZE + ctx->stack_size)); + } +@@ -140,7 +140,7 @@ static void bpf_jit_emit_common_epilogue(u32 *image, struct codegen_context *ctx + + /* Restore NVRs */ + for (i = BPF_REG_6; i <= BPF_REG_10; i++) +- if (bpf_is_seen_register(ctx, i)) ++ if (bpf_is_seen_register(ctx, b2p[i])) + PPC_BPF_LL(b2p[i], 1, bpf_jit_stack_offsetof(ctx, b2p[i])); + + /* Tear down our stack frame */ +@@ -356,9 +356,9 @@ static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, + * any issues. + */ + if (dst_reg >= BPF_PPC_NVR_MIN && dst_reg < 32) +- bpf_set_seen_register(ctx, insn[i].dst_reg); ++ bpf_set_seen_register(ctx, dst_reg); + if (src_reg >= BPF_PPC_NVR_MIN && src_reg < 32) +- bpf_set_seen_register(ctx, insn[i].src_reg); ++ bpf_set_seen_register(ctx, src_reg); + + switch (code) { + /* +-- +2.39.0 + diff --git a/queue-5.10/powerpc-bpf-move-common-helpers-into-bpf_jit.h.patch b/queue-5.10/powerpc-bpf-move-common-helpers-into-bpf_jit.h.patch new file mode 100644 index 00000000000..5ad20d1d07f --- /dev/null +++ b/queue-5.10/powerpc-bpf-move-common-helpers-into-bpf_jit.h.patch @@ -0,0 +1,130 @@ +From 76f74e69efb95e4add82e5b687e062f2c989739f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 16:37:48 +0000 +Subject: powerpc/bpf: Move common helpers into bpf_jit.h + +From: Christophe Leroy + +[ Upstream commit f1b1583d5faa86cb3dcb7b740594868debad7c30 ] + +Move functions bpf_flush_icache(), bpf_is_seen_register() and +bpf_set_seen_register() in order to reuse them in future +bpf_jit_comp32.c + +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/28e8d5a75e64807d7e9d39a4b52658755e259f8c.1616430991.git.christophe.leroy@csgroup.eu +Stable-dep-of: 71f656a50176 ("bpf: Fix to preserve reg parent/live fields when copying range info") +Signed-off-by: Sasha Levin +--- + arch/powerpc/net/bpf_jit.h | 35 +++++++++++++++++++++++++++++++ + arch/powerpc/net/bpf_jit64.h | 19 ----------------- + arch/powerpc/net/bpf_jit_comp64.c | 16 -------------- + 3 files changed, 35 insertions(+), 35 deletions(-) + +diff --git a/arch/powerpc/net/bpf_jit.h b/arch/powerpc/net/bpf_jit.h +index 1a5b4da8a235..cd9aab6ec2c5 100644 +--- a/arch/powerpc/net/bpf_jit.h ++++ b/arch/powerpc/net/bpf_jit.h +@@ -117,6 +117,41 @@ + #define COND_LT (CR0_LT | COND_CMP_TRUE) + #define COND_LE (CR0_GT | COND_CMP_FALSE) + ++#define SEEN_FUNC 0x1000 /* might call external helpers */ ++#define SEEN_STACK 0x2000 /* uses BPF stack */ ++#define SEEN_TAILCALL 0x4000 /* uses tail calls */ ++ ++struct codegen_context { ++ /* ++ * This is used to track register usage as well ++ * as calls to external helpers. ++ * - register usage is tracked with corresponding ++ * bits (r3-r10 and r27-r31) ++ * - rest of the bits can be used to track other ++ * things -- for now, we use bits 16 to 23 ++ * encoded in SEEN_* macros above ++ */ ++ unsigned int seen; ++ unsigned int idx; ++ unsigned int stack_size; ++}; ++ ++static inline void bpf_flush_icache(void *start, void *end) ++{ ++ smp_wmb(); /* smp write barrier */ ++ flush_icache_range((unsigned long)start, (unsigned long)end); ++} ++ ++static inline bool bpf_is_seen_register(struct codegen_context *ctx, int i) ++{ ++ return ctx->seen & (1 << (31 - i)); ++} ++ ++static inline void bpf_set_seen_register(struct codegen_context *ctx, int i) ++{ ++ ctx->seen |= 1 << (31 - i); ++} ++ + #endif + + #endif +diff --git a/arch/powerpc/net/bpf_jit64.h b/arch/powerpc/net/bpf_jit64.h +index 4d164e865b39..201b83bfa869 100644 +--- a/arch/powerpc/net/bpf_jit64.h ++++ b/arch/powerpc/net/bpf_jit64.h +@@ -86,25 +86,6 @@ static const int b2p[] = { + } while(0) + #define PPC_BPF_STLU(r, base, i) do { EMIT(PPC_RAW_STDU(r, base, i)); } while(0) + +-#define SEEN_FUNC 0x1000 /* might call external helpers */ +-#define SEEN_STACK 0x2000 /* uses BPF stack */ +-#define SEEN_TAILCALL 0x4000 /* uses tail calls */ +- +-struct codegen_context { +- /* +- * This is used to track register usage as well +- * as calls to external helpers. +- * - register usage is tracked with corresponding +- * bits (r3-r10 and r27-r31) +- * - rest of the bits can be used to track other +- * things -- for now, we use bits 16 to 23 +- * encoded in SEEN_* macros above +- */ +- unsigned int seen; +- unsigned int idx; +- unsigned int stack_size; +-}; +- + #endif /* !__ASSEMBLY__ */ + + #endif +diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c +index 7da59ddc90dd..ebad2c79cd6f 100644 +--- a/arch/powerpc/net/bpf_jit_comp64.c ++++ b/arch/powerpc/net/bpf_jit_comp64.c +@@ -24,22 +24,6 @@ static void bpf_jit_fill_ill_insns(void *area, unsigned int size) + memset32(area, BREAKPOINT_INSTRUCTION, size/4); + } + +-static inline void bpf_flush_icache(void *start, void *end) +-{ +- smp_wmb(); +- flush_icache_range((unsigned long)start, (unsigned long)end); +-} +- +-static inline bool bpf_is_seen_register(struct codegen_context *ctx, int i) +-{ +- return ctx->seen & (1 << (31 - i)); +-} +- +-static inline void bpf_set_seen_register(struct codegen_context *ctx, int i) +-{ +- ctx->seen |= 1 << (31 - i); +-} +- + static inline bool bpf_has_stack_frame(struct codegen_context *ctx) + { + /* +-- +2.39.0 + diff --git a/queue-5.10/qede-add-netpoll-support-for-qede-driver.patch b/queue-5.10/qede-add-netpoll-support-for-qede-driver.patch new file mode 100644 index 00000000000..c5d4496645d --- /dev/null +++ b/queue-5.10/qede-add-netpoll-support-for-qede-driver.patch @@ -0,0 +1,39 @@ +From 8770a685eb6aa0d38c23fd18f7724ca969bac539 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Feb 2021 12:28:29 -0800 +Subject: qede: add netpoll support for qede driver + +From: Bhaskar Upadhaya + +[ Upstream commit 961aa716235f58088e99acafbe66027d678061ce ] + +handle netpoll case when qede_poll is called by +netpoll layer with budget 0 + +Signed-off-by: Bhaskar Upadhaya +Signed-off-by: Igor Russkikh +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Stable-dep-of: 2ccce20d51fa ("qede: execute xdp_do_flush() before napi_complete_done()") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c +index d210632676d3..5b1885c0a8bd 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -1456,7 +1456,8 @@ int qede_poll(struct napi_struct *napi, int budget) + rx_work_done = (likely(fp->type & QEDE_FASTPATH_RX) && + qede_has_rx_work(fp->rxq)) ? + qede_rx_int(fp, budget) : 0; +- if (rx_work_done < budget) { ++ /* Handle case where we are called by netpoll with a budget of 0 */ ++ if (rx_work_done < budget || !budget) { + if (!qede_poll_is_more_work(fp)) { + napi_complete_done(napi, rx_work_done); + +-- +2.39.0 + diff --git a/queue-5.10/qede-execute-xdp_do_flush-before-napi_complete_done.patch b/queue-5.10/qede-execute-xdp_do_flush-before-napi_complete_done.patch new file mode 100644 index 00000000000..929988f4809 --- /dev/null +++ b/queue-5.10/qede-execute-xdp_do_flush-before-napi_complete_done.patch @@ -0,0 +1,66 @@ +From 636b6e7272e80d4c0bf5356ba1fa94c8a29bc852 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 08:48:57 +0100 +Subject: qede: execute xdp_do_flush() before napi_complete_done() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Magnus Karlsson + +[ Upstream commit 2ccce20d51faa0178086163ccb6c84a099a87ab4 ] + +Make sure that xdp_do_flush() is always executed before +napi_complete_done(). This is important for two reasons. First, a +redirect to an XSKMAP assumes that a call to xdp_do_redirect() from +napi context X on CPU Y will be followed by a xdp_do_flush() from the +same napi context and CPU. This is not guaranteed if the +napi_complete_done() is executed before xdp_do_flush(), as it tells +the napi logic that it is fine to schedule napi context X on another +CPU. Details from a production system triggering this bug using the +veth driver can be found following the first link below. + +The second reason is that the XDP_REDIRECT logic in itself relies on +being inside a single NAPI instance through to the xdp_do_flush() call +for RCU protection of all in-kernel data structures. Details can be +found in the second link below. + +Fixes: d1b25b79e162b ("qede: add .ndo_xdp_xmit() and XDP_REDIRECT support") +Signed-off-by: Magnus Karlsson +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com +Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c +index 5b1885c0a8bd..a632de208a7d 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -1456,6 +1456,10 @@ int qede_poll(struct napi_struct *napi, int budget) + rx_work_done = (likely(fp->type & QEDE_FASTPATH_RX) && + qede_has_rx_work(fp->rxq)) ? + qede_rx_int(fp, budget) : 0; ++ ++ if (fp->xdp_xmit & QEDE_XDP_REDIRECT) ++ xdp_do_flush(); ++ + /* Handle case where we are called by netpoll with a budget of 0 */ + if (rx_work_done < budget || !budget) { + if (!qede_poll_is_more_work(fp)) { +@@ -1475,9 +1479,6 @@ int qede_poll(struct napi_struct *napi, int budget) + qede_update_tx_producer(fp->xdp_tx); + } + +- if (fp->xdp_xmit & QEDE_XDP_REDIRECT) +- xdp_do_flush_map(); +- + return rx_work_done; + } + +-- +2.39.0 + diff --git a/queue-5.10/read-is-data-destination-not-source.patch b/queue-5.10/read-is-data-destination-not-source.patch new file mode 100644 index 00000000000..e0b2b31c0f8 --- /dev/null +++ b/queue-5.10/read-is-data-destination-not-source.patch @@ -0,0 +1,31 @@ +From 7c90b9c70118a40a4af3f4e01d6912a99c6db5e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 19:01:10 -0400 +Subject: READ is "data destination", not source... + +From: Al Viro + +[ Upstream commit 355d2c2798e9dc39f6714fa7ef8902c0d4c5350b ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-clt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +index 5c39e4c4bef7..1a5805260778 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +@@ -902,7 +902,7 @@ static void rtrs_clt_init_req(struct rtrs_clt_io_req *req, + req->need_inv_comp = false; + req->inv_errno = 0; + +- iov_iter_kvec(&iter, READ, vec, 1, usr_len); ++ iov_iter_kvec(&iter, WRITE, vec, 1, usr_len); + len = _copy_from_iter(req->iu->buf, usr_len, &iter); + WARN_ON(len != usr_len); + +-- +2.39.0 + diff --git a/queue-5.10/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch b/queue-5.10/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch new file mode 100644 index 00000000000..7c9ecdb6f58 --- /dev/null +++ b/queue-5.10/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch @@ -0,0 +1,69 @@ +From 3c72b4243b44f3f35fdcdb8059b65903cf438495 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 13:39:37 -0600 +Subject: scsi: iscsi_tcp: Fix UAF during login when accessing the shost + ipaddress + +From: Mike Christie + +[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ] + +If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, +userspace could be accessing the host's ipaddress attr. If we then free the +session via iscsi_session_teardown() while userspace is still accessing the +session we will hit a use after free bug. + +Set the tcp_sw_host->session after we have completed session creation and +can no longer fail. + +Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.com +Signed-off-by: Mike Christie +Reviewed-by: Lee Duncan +Acked-by: Ding Hui +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index 6485c1aa9e74..252d7881f99c 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -802,7 +802,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, + enum iscsi_host_param param, char *buf) + { + struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost); +- struct iscsi_session *session = tcp_sw_host->session; ++ struct iscsi_session *session; + struct iscsi_conn *conn; + struct iscsi_tcp_conn *tcp_conn; + struct iscsi_sw_tcp_conn *tcp_sw_conn; +@@ -812,6 +812,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, + + switch (param) { + case ISCSI_HOST_PARAM_IPADDRESS: ++ session = tcp_sw_host->session; + if (!session) + return -ENOTCONN; + +@@ -906,12 +907,14 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max, + if (!cls_session) + goto remove_host; + session = cls_session->dd_data; +- tcp_sw_host = iscsi_host_priv(shost); +- tcp_sw_host->session = session; + + shost->can_queue = session->scsi_cmds_max; + if (iscsi_tcp_r2tpool_alloc(session)) + goto remove_session; ++ ++ /* We are now fully setup so expose the session to sysfs. */ ++ tcp_sw_host = iscsi_host_priv(shost); ++ tcp_sw_host->session = session; + return cls_session; + + remove_session: +-- +2.39.0 + diff --git a/queue-5.10/scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch b/queue-5.10/scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch new file mode 100644 index 00000000000..b50bb30c190 --- /dev/null +++ b/queue-5.10/scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch @@ -0,0 +1,56 @@ +From 646f4b84d7848ec2357c026b17fa4cf8ea10df99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 22:06:08 -0500 +Subject: scsi: Revert "scsi: core: map PQ=1, PDT=other values to + SCSI_SCAN_TARGET_PRESENT" + +From: Martin K. Petersen + +[ Upstream commit 15600159bcc6abbeae6b33a849bef90dca28b78f ] + +This reverts commit 948e922fc44611ee2de0c89583ca958cb5307d36. + +Not all targets that return PQ=1 and PDT=0 should be ignored. While +the SCSI spec is vague in this department, there appears to be a +critical mass of devices which rely on devices being accessible with +this combination of reported values. + +Fixes: 948e922fc446 ("scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT") +Link: https://lore.kernel.org/r/yq1lelrleqr.fsf@ca-mkp.ca.oracle.com +Acked-by: Bart Van Assche +Acked-by: Martin Wilck +Acked-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_scan.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index 8e474b145249..6f7c4d41c51d 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -1129,8 +1129,7 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget, + * that no LUN is present, so don't add sdev in these cases. + * Two specific examples are: + * 1) NetApp targets: return PQ=1, PDT=0x1f +- * 2) IBM/2145 targets: return PQ=1, PDT=0 +- * 3) USB UFI: returns PDT=0x1f, with the PQ bits being "reserved" ++ * 2) USB UFI: returns PDT=0x1f, with the PQ bits being "reserved" + * in the UFI 1.0 spec (we cannot rely on reserved bits). + * + * References: +@@ -1144,8 +1143,8 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget, + * PDT=00h Direct-access device (floppy) + * PDT=1Fh none (no FDD connected to the requested logical unit) + */ +- if (((result[0] >> 5) == 1 || +- (starget->pdt_1f_for_no_lun && (result[0] & 0x1f) == 0x1f)) && ++ if (((result[0] >> 5) == 1 || starget->pdt_1f_for_no_lun) && ++ (result[0] & 0x1f) == 0x1f && + !scsi_is_wlun(lun)) { + SCSI_LOG_SCAN_BUS(3, sdev_printk(KERN_INFO, sdev, + "scsi scan: peripheral device type" +-- +2.39.0 + diff --git a/queue-5.10/scsi-target-core-fix-warning-on-rt-kernels.patch b/queue-5.10/scsi-target-core-fix-warning-on-rt-kernels.patch new file mode 100644 index 00000000000..c01047cb3ad --- /dev/null +++ b/queue-5.10/scsi-target-core-fix-warning-on-rt-kernels.patch @@ -0,0 +1,40 @@ +From b773a91411357c1f783f8249981d27866f113396 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 13:53:10 +0100 +Subject: scsi: target: core: Fix warning on RT kernels + +From: Maurizio Lombardi + +[ Upstream commit 84ed64b1a7a7fcd507598dee7708c1f225123711 ] + +Calling spin_lock_irqsave() does not disable the interrupts on realtime +kernels, remove the warning and replace assert_spin_locked() with +lockdep_assert_held(). + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230110125310.55884-1-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_tmr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c +index e4513ef09159..3efd5a3bd69d 100644 +--- a/drivers/target/target_core_tmr.c ++++ b/drivers/target/target_core_tmr.c +@@ -82,8 +82,8 @@ static bool __target_check_io_state(struct se_cmd *se_cmd, + { + struct se_session *sess = se_cmd->se_sess; + +- assert_spin_locked(&sess->sess_cmd_lock); +- WARN_ON_ONCE(!irqs_disabled()); ++ lockdep_assert_held(&sess->sess_cmd_lock); ++ + /* + * If command already reached CMD_T_COMPLETE state within + * target_complete_cmd() or CMD_T_FABRIC_STOP due to shutdown, +-- +2.39.0 + diff --git a/queue-5.10/selftests-net-udpgso_bench-fix-racing-bug-between-th.patch b/queue-5.10/selftests-net-udpgso_bench-fix-racing-bug-between-th.patch new file mode 100644 index 00000000000..6798a613a19 --- /dev/null +++ b/queue-5.10/selftests-net-udpgso_bench-fix-racing-bug-between-th.patch @@ -0,0 +1,80 @@ +From e936dfe5ae9fda4cca8fbec58c4cd23edebb8fae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 00:16:14 +0000 +Subject: selftests: net: udpgso_bench: Fix racing bug between the rx/tx + programs + +From: Andrei Gherzan + +[ Upstream commit dafe93b9ee21028d625dce347118b82659652eff ] + +"udpgro_bench.sh" invokes udpgso_bench_rx/udpgso_bench_tx programs +subsequently and while doing so, there is a chance that the rx one is not +ready to accept socket connections. This racing bug could fail the test +with at least one of the following: + +./udpgso_bench_tx: connect: Connection refused +./udpgso_bench_tx: sendmsg: Connection refused +./udpgso_bench_tx: write: Connection refused + +This change addresses this by making udpgro_bench.sh wait for the rx +program to be ready before firing off the tx one - up to a 10s timeout. + +Fixes: 3a687bef148d ("selftests: udp gso benchmark") +Signed-off-by: Andrei Gherzan +Cc: Paolo Abeni +Cc: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230201001612.515730-3-andrei.gherzan@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench.sh | 24 +++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/udpgso_bench.sh b/tools/testing/selftests/net/udpgso_bench.sh +index dc932fd65363..640bc43452fa 100755 +--- a/tools/testing/selftests/net/udpgso_bench.sh ++++ b/tools/testing/selftests/net/udpgso_bench.sh +@@ -7,6 +7,7 @@ readonly GREEN='\033[0;92m' + readonly YELLOW='\033[0;33m' + readonly RED='\033[0;31m' + readonly NC='\033[0m' # No Color ++readonly TESTPORT=8000 + + readonly KSFT_PASS=0 + readonly KSFT_FAIL=1 +@@ -56,11 +57,26 @@ trap wake_children EXIT + + run_one() { + local -r args=$@ ++ local nr_socks=0 ++ local i=0 ++ local -r timeout=10 ++ ++ ./udpgso_bench_rx -p "$TESTPORT" & ++ ./udpgso_bench_rx -p "$TESTPORT" -t & ++ ++ # Wait for the above test program to get ready to receive connections. ++ while [ "$i" -lt "$timeout" ]; do ++ nr_socks="$(ss -lnHi | grep -c "\*:${TESTPORT}")" ++ [ "$nr_socks" -eq 2 ] && break ++ i=$((i + 1)) ++ sleep 1 ++ done ++ if [ "$nr_socks" -ne 2 ]; then ++ echo "timed out while waiting for udpgso_bench_rx" ++ exit 1 ++ fi + +- ./udpgso_bench_rx & +- ./udpgso_bench_rx -t & +- +- ./udpgso_bench_tx ${args} ++ ./udpgso_bench_tx -p "$TESTPORT" ${args} + } + + run_in_netns() { +-- +2.39.0 + diff --git a/queue-5.10/selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch b/queue-5.10/selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch new file mode 100644 index 00000000000..dfab172e64f --- /dev/null +++ b/queue-5.10/selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch @@ -0,0 +1,51 @@ +From 53e846910da76bf68bdb4e3e0c650e7169a081a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 00:16:10 +0000 +Subject: selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler + warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrei Gherzan + +[ Upstream commit c03c80e3a03ffb4f790901d60797e9810539d946 ] + +This change fixes the following compiler warning: + +/usr/include/x86_64-linux-gnu/bits/error.h:40:5: warning: ‘gso_size’ may +be used uninitialized [-Wmaybe-uninitialized] + 40 | __error_noreturn (__status, __errnum, __format, + __va_arg_pack ()); + | + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + udpgso_bench_rx.c: In function ‘main’: + udpgso_bench_rx.c:253:23: note: ‘gso_size’ was declared here + 253 | int ret, len, gso_size, budget = 256; + +Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO") +Signed-off-by: Andrei Gherzan +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230201001612.515730-1-andrei.gherzan@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c +index 6a193425c367..d0895bd1933f 100644 +--- a/tools/testing/selftests/net/udpgso_bench_rx.c ++++ b/tools/testing/selftests/net/udpgso_bench_rx.c +@@ -250,7 +250,7 @@ static int recv_msg(int fd, char *buf, int len, int *gso_size) + static void do_flush_udp(int fd) + { + static char rbuf[ETH_MAX_MTU]; +- int ret, len, gso_size, budget = 256; ++ int ret, len, gso_size = 0, budget = 256; + + len = cfg_read_all ? sizeof(rbuf) : 0; + while (budget--) { +-- +2.39.0 + diff --git a/queue-5.10/selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch b/queue-5.10/selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch new file mode 100644 index 00000000000..0e429f2fcee --- /dev/null +++ b/queue-5.10/selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch @@ -0,0 +1,55 @@ +From a75b623ae79d260a3412f2f583fbdac73f0ed56e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 00:16:12 +0000 +Subject: selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are + provided + +From: Andrei Gherzan + +[ Upstream commit db9b47ee9f5f375ab0c5daeb20321c75b4fa657d ] + +Leaving unrecognized arguments buried in the output, can easily hide a +CLI/script typo. Avoid this by exiting when wrong arguments are provided to +the udpgso_bench test programs. + +Fixes: 3a687bef148d ("selftests: udp gso benchmark") +Signed-off-by: Andrei Gherzan +Cc: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230201001612.515730-2-andrei.gherzan@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench_rx.c | 2 ++ + tools/testing/selftests/net/udpgso_bench_tx.c | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c +index d0895bd1933f..4058c7451e70 100644 +--- a/tools/testing/selftests/net/udpgso_bench_rx.c ++++ b/tools/testing/selftests/net/udpgso_bench_rx.c +@@ -336,6 +336,8 @@ static void parse_opts(int argc, char **argv) + cfg_verify = true; + cfg_read_all = true; + break; ++ default: ++ exit(1); + } + } + +diff --git a/tools/testing/selftests/net/udpgso_bench_tx.c b/tools/testing/selftests/net/udpgso_bench_tx.c +index f1fdaa270291..b47b5c32039f 100644 +--- a/tools/testing/selftests/net/udpgso_bench_tx.c ++++ b/tools/testing/selftests/net/udpgso_bench_tx.c +@@ -490,6 +490,8 @@ static void parse_opts(int argc, char **argv) + case 'z': + cfg_zerocopy = true; + break; ++ default: ++ exit(1); + } + } + +-- +2.39.0 + diff --git a/queue-5.10/selftests-net-udpgso_bench_tx-cater-for-pending-data.patch b/queue-5.10/selftests-net-udpgso_bench_tx-cater-for-pending-data.patch new file mode 100644 index 00000000000..883fe624be5 --- /dev/null +++ b/queue-5.10/selftests-net-udpgso_bench_tx-cater-for-pending-data.patch @@ -0,0 +1,135 @@ +From f13b7529d9e19d49ef2482f6f8c6579b32270ca0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 00:16:16 +0000 +Subject: selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy + benchmarking + +From: Andrei Gherzan + +[ Upstream commit 329c9cd769c2e306957df031efff656c40922c76 ] + +The test tool can check that the zerocopy number of completions value is +valid taking into consideration the number of datagram send calls. This can +catch the system into a state where the datagrams are still in the system +(for example in a qdisk, waiting for the network interface to return a +completion notification, etc). + +This change adds a retry logic of computing the number of completions up to +a configurable (via CLI) timeout (default: 2 seconds). + +Fixes: 79ebc3c26010 ("net/udpgso_bench_tx: options to exercise TX CMSG") +Signed-off-by: Andrei Gherzan +Cc: Willem de Bruijn +Cc: Paolo Abeni +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230201001612.515730-4-andrei.gherzan@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench_tx.c | 34 +++++++++++++++---- + 1 file changed, 27 insertions(+), 7 deletions(-) + +diff --git a/tools/testing/selftests/net/udpgso_bench_tx.c b/tools/testing/selftests/net/udpgso_bench_tx.c +index b47b5c32039f..477392715a9a 100644 +--- a/tools/testing/selftests/net/udpgso_bench_tx.c ++++ b/tools/testing/selftests/net/udpgso_bench_tx.c +@@ -62,6 +62,7 @@ static int cfg_payload_len = (1472 * 42); + static int cfg_port = 8000; + static int cfg_runtime_ms = -1; + static bool cfg_poll; ++static int cfg_poll_loop_timeout_ms = 2000; + static bool cfg_segment; + static bool cfg_sendmmsg; + static bool cfg_tcp; +@@ -235,16 +236,17 @@ static void flush_errqueue_recv(int fd) + } + } + +-static void flush_errqueue(int fd, const bool do_poll) ++static void flush_errqueue(int fd, const bool do_poll, ++ unsigned long poll_timeout, const bool poll_err) + { + if (do_poll) { + struct pollfd fds = {0}; + int ret; + + fds.fd = fd; +- ret = poll(&fds, 1, 500); ++ ret = poll(&fds, 1, poll_timeout); + if (ret == 0) { +- if (cfg_verbose) ++ if ((cfg_verbose) && (poll_err)) + fprintf(stderr, "poll timeout\n"); + } else if (ret < 0) { + error(1, errno, "poll"); +@@ -254,6 +256,20 @@ static void flush_errqueue(int fd, const bool do_poll) + flush_errqueue_recv(fd); + } + ++static void flush_errqueue_retry(int fd, unsigned long num_sends) ++{ ++ unsigned long tnow, tstop; ++ bool first_try = true; ++ ++ tnow = gettimeofday_ms(); ++ tstop = tnow + cfg_poll_loop_timeout_ms; ++ do { ++ flush_errqueue(fd, true, tstop - tnow, first_try); ++ first_try = false; ++ tnow = gettimeofday_ms(); ++ } while ((stat_zcopies != num_sends) && (tnow < tstop)); ++} ++ + static int send_tcp(int fd, char *data) + { + int ret, done = 0, count = 0; +@@ -413,7 +429,8 @@ static int send_udp_segment(int fd, char *data) + + static void usage(const char *filepath) + { +- error(1, 0, "Usage: %s [-46acmHPtTuvz] [-C cpu] [-D dst ip] [-l secs] [-M messagenr] [-p port] [-s sendsize] [-S gsosize]", ++ error(1, 0, "Usage: %s [-46acmHPtTuvz] [-C cpu] [-D dst ip] [-l secs] " ++ "[-L secs] [-M messagenr] [-p port] [-s sendsize] [-S gsosize]", + filepath); + } + +@@ -423,7 +440,7 @@ static void parse_opts(int argc, char **argv) + int max_len, hdrlen; + int c; + +- while ((c = getopt(argc, argv, "46acC:D:Hl:mM:p:s:PS:tTuvz")) != -1) { ++ while ((c = getopt(argc, argv, "46acC:D:Hl:L:mM:p:s:PS:tTuvz")) != -1) { + switch (c) { + case '4': + if (cfg_family != PF_UNSPEC) +@@ -452,6 +469,9 @@ static void parse_opts(int argc, char **argv) + case 'l': + cfg_runtime_ms = strtoul(optarg, NULL, 10) * 1000; + break; ++ case 'L': ++ cfg_poll_loop_timeout_ms = strtoul(optarg, NULL, 10) * 1000; ++ break; + case 'm': + cfg_sendmmsg = true; + break; +@@ -679,7 +699,7 @@ int main(int argc, char **argv) + num_sends += send_udp(fd, buf[i]); + num_msgs++; + if ((cfg_zerocopy && ((num_msgs & 0xF) == 0)) || cfg_tx_tstamp) +- flush_errqueue(fd, cfg_poll); ++ flush_errqueue(fd, cfg_poll, 500, true); + + if (cfg_msg_nr && num_msgs >= cfg_msg_nr) + break; +@@ -698,7 +718,7 @@ int main(int argc, char **argv) + } while (!interrupted && (cfg_runtime_ms == -1 || tnow < tstop)); + + if (cfg_zerocopy || cfg_tx_tstamp) +- flush_errqueue(fd, true); ++ flush_errqueue_retry(fd, num_sends); + + if (close(fd)) + error(1, errno, "close"); +-- +2.39.0 + diff --git a/queue-5.10/series b/queue-5.10/series index e8e31cc7adc..083285c4e88 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -1 +1,42 @@ firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch +bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch +bpf-fix-a-possible-task-gone-issue-with-bpf_send_sig.patch +alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch +powerpc-bpf-change-register-numbering-for-bpf_set-is.patch +powerpc-bpf-move-common-helpers-into-bpf_jit.h.patch +bpf-support-8-byte-scalar-spill-and-refill.patch +bpf-fix-to-preserve-reg-parent-live-fields-when-copy.patch +bpf-sockmap-check-for-any-of-tcp_bpf_prots-when-clon.patch +arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch +drm-vc4-hdmi-make-cec-adapter-name-unique.patch +scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch +vhost-net-clear-the-pending-messages-when-the-backen.patch +write-is-data-source-not-destination.patch +read-is-data-destination-not-source.patch +fix-iov_iter_bvec-direction-argument.patch +fix-direction-argument-of-iov_iter_kvec.patch +virtio-net-execute-xdp_do_flush-before-napi_complete.patch +sfc-correctly-advertise-tunneled-ipv6-segmentation.patch +net-phy-dp83822-fix-null-pointer-access-on-dp83825-d.patch +netrom-fix-use-after-free-caused-by-accept-on-alread.patch +netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch +squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch +net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch +igc-return-an-error-if-the-mac-type-is-unknown-in-ig.patch +can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch +ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch +selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch +selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch +selftests-net-udpgso_bench-fix-racing-bug-between-th.patch +selftests-net-udpgso_bench_tx-cater-for-pending-data.patch +virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch +net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch +efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch +qede-add-netpoll-support-for-qede-driver.patch +qede-execute-xdp_do_flush-before-napi_complete_done.patch +i2c-mxs-suppress-probe-deferral-error-message.patch +scsi-target-core-fix-warning-on-rt-kernels.patch +scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch +i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch +platform-x86-dell-wmi-add-a-keymap-for-key_mute-in-t.patch +net-x25-fix-to-not-accept-on-connected-socket.patch diff --git a/queue-5.10/sfc-correctly-advertise-tunneled-ipv6-segmentation.patch b/queue-5.10/sfc-correctly-advertise-tunneled-ipv6-segmentation.patch new file mode 100644 index 00000000000..ed435b52ce8 --- /dev/null +++ b/queue-5.10/sfc-correctly-advertise-tunneled-ipv6-segmentation.patch @@ -0,0 +1,53 @@ +From 1a634bd223a08ecd24c68a40e6af2130dbb91fb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 15:35:13 +0100 +Subject: sfc: correctly advertise tunneled IPv6 segmentation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit ffffd2454a7a1bc9f7242b12c4cc0b05c12692b4 ] + +Recent sfc NICs are TSO capable for some tunnel protocols. However, it +was not working properly because the feature was not advertised in +hw_enc_features, but in hw_features only. + +Setting up a GENEVE tunnel and using iperf3 to send IPv4 and IPv6 traffic +to the tunnel show, with tcpdump, that the IPv4 packets still had ~64k +size but the IPv6 ones had only ~1500 bytes (they had been segmented by +software, not offloaded). With this patch segmentation is offloaded as +expected and the traffic is correctly received at the other end. + +Fixes: 24b2c3751aa3 ("sfc: advertise encapsulated offloads on EF10") +Reported-by: Tianhao Zhao +Signed-off-by: Íñigo Huguet +Acked-by: Martin Habets +Link: https://lore.kernel.org/r/20230125143513.25841-1-ihuguet@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/efx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sfc/efx.c b/drivers/net/ethernet/sfc/efx.c +index 718308076341..29c8d2c99004 100644 +--- a/drivers/net/ethernet/sfc/efx.c ++++ b/drivers/net/ethernet/sfc/efx.c +@@ -1047,8 +1047,11 @@ static int efx_pci_probe_post_io(struct efx_nic *efx) + /* Determine netdevice features */ + net_dev->features |= (efx->type->offload_features | NETIF_F_SG | + NETIF_F_TSO | NETIF_F_RXCSUM | NETIF_F_RXALL); +- if (efx->type->offload_features & (NETIF_F_IPV6_CSUM | NETIF_F_HW_CSUM)) ++ if (efx->type->offload_features & (NETIF_F_IPV6_CSUM | NETIF_F_HW_CSUM)) { + net_dev->features |= NETIF_F_TSO6; ++ if (efx_has_cap(efx, TX_TSO_V2_ENCAP)) ++ net_dev->hw_enc_features |= NETIF_F_TSO6; ++ } + /* Check whether device supports TSO */ + if (!efx->type->tso_versions || !efx->type->tso_versions(efx)) + net_dev->features &= ~NETIF_F_ALL_TSO; +-- +2.39.0 + diff --git a/queue-5.10/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch b/queue-5.10/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch new file mode 100644 index 00000000000..0a18e604eed --- /dev/null +++ b/queue-5.10/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch @@ -0,0 +1,45 @@ +From 71b8f2fedad4c51d660871af995574c3f563fac6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 13:52:26 +0300 +Subject: squashfs: harden sanity check in squashfs_read_xattr_id_table + +From: Fedor Pchelkin + +[ Upstream commit 72e544b1b28325fe78a4687b980871a7e4101f76 ] + +While mounting a corrupted filesystem, a signed integer '*xattr_ids' can +become less than zero. This leads to the incorrect computation of 'len' +and 'indexes' values which can cause null-ptr-deref in copy_bio_to_actor() +or out-of-bounds accesses in the next sanity checks inside +squashfs_read_xattr_id_table(). + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Link: https://lkml.kernel.org/r/20230117105226.329303-2-pchelkin@ispras.ru +Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup") +Reported-by: +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Cc: Phillip Lougher +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/squashfs/xattr_id.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/squashfs/xattr_id.c b/fs/squashfs/xattr_id.c +index 087cab8c78f4..f6d78cbc3e74 100644 +--- a/fs/squashfs/xattr_id.c ++++ b/fs/squashfs/xattr_id.c +@@ -76,7 +76,7 @@ __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start, + /* Sanity check values */ + + /* there is always at least one xattr id */ +- if (*xattr_ids == 0) ++ if (*xattr_ids <= 0) + return ERR_PTR(-EINVAL); + + len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids); +-- +2.39.0 + diff --git a/queue-5.10/vhost-net-clear-the-pending-messages-when-the-backen.patch b/queue-5.10/vhost-net-clear-the-pending-messages-when-the-backen.patch new file mode 100644 index 00000000000..cc3ea484e7e --- /dev/null +++ b/queue-5.10/vhost-net-clear-the-pending-messages-when-the-backen.patch @@ -0,0 +1,83 @@ +From 199b66fe1964f31af8fd016251c7ca6de4a11570 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 10:15:18 -0500 +Subject: vhost/net: Clear the pending messages when the backend is removed + +From: Eric Auger + +[ Upstream commit 9526f9a2b762af16be94a72aca5d65c677d28f50 ] + +When the vhost iotlb is used along with a guest virtual iommu +and the guest gets rebooted, some MISS messages may have been +recorded just before the reboot and spuriously executed by +the virtual iommu after the reboot. + +As vhost does not have any explicit reset user API, +VHOST_NET_SET_BACKEND looks a reasonable point where to clear +the pending messages, in case the backend is removed. + +Export vhost_clear_msg() and call it in vhost_net_set_backend() +when fd == -1. + +Signed-off-by: Eric Auger +Suggested-by: Jason Wang +Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") +Message-Id: <20230117151518.44725-3-eric.auger@redhat.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vhost/net.c | 3 +++ + drivers/vhost/vhost.c | 3 ++- + drivers/vhost/vhost.h | 1 + + 3 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index 5beb20768b20..b9c8e4025214 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -1517,6 +1517,9 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd) + nvq = &n->vqs[index]; + mutex_lock(&vq->mutex); + ++ if (fd == -1) ++ vhost_clear_msg(&n->dev); ++ + /* Verify that ring has been setup correctly. */ + if (!vhost_vq_access_ok(vq)) { + r = -EFAULT; +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index da00a5c57db6..1f9a1554ce5f 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -669,7 +669,7 @@ void vhost_dev_stop(struct vhost_dev *dev) + } + EXPORT_SYMBOL_GPL(vhost_dev_stop); + +-static void vhost_clear_msg(struct vhost_dev *dev) ++void vhost_clear_msg(struct vhost_dev *dev) + { + struct vhost_msg_node *node, *n; + +@@ -687,6 +687,7 @@ static void vhost_clear_msg(struct vhost_dev *dev) + + spin_unlock(&dev->iotlb_lock); + } ++EXPORT_SYMBOL_GPL(vhost_clear_msg); + + void vhost_dev_cleanup(struct vhost_dev *dev) + { +diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h +index b063324c7669..8f80d6b0d843 100644 +--- a/drivers/vhost/vhost.h ++++ b/drivers/vhost/vhost.h +@@ -183,6 +183,7 @@ long vhost_dev_ioctl(struct vhost_dev *, unsigned int ioctl, void __user *argp); + long vhost_vring_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp); + bool vhost_vq_access_ok(struct vhost_virtqueue *vq); + bool vhost_log_access_ok(struct vhost_dev *); ++void vhost_clear_msg(struct vhost_dev *dev); + + int vhost_get_vq_desc(struct vhost_virtqueue *, + struct iovec iov[], unsigned int iov_count, +-- +2.39.0 + diff --git a/queue-5.10/virtio-net-execute-xdp_do_flush-before-napi_complete.patch b/queue-5.10/virtio-net-execute-xdp_do_flush-before-napi_complete.patch new file mode 100644 index 00000000000..41da6b2b1ee --- /dev/null +++ b/queue-5.10/virtio-net-execute-xdp_do_flush-before-napi_complete.patch @@ -0,0 +1,63 @@ +From 840d3ce1fdaa05874c6ea40d8362eafec4a3884d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 08:48:59 +0100 +Subject: virtio-net: execute xdp_do_flush() before napi_complete_done() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Magnus Karlsson + +[ Upstream commit ad7e615f646c9b5b2cf655cdfb9d91a28db4f25a ] + +Make sure that xdp_do_flush() is always executed before +napi_complete_done(). This is important for two reasons. First, a +redirect to an XSKMAP assumes that a call to xdp_do_redirect() from +napi context X on CPU Y will be followed by a xdp_do_flush() from the +same napi context and CPU. This is not guaranteed if the +napi_complete_done() is executed before xdp_do_flush(), as it tells +the napi logic that it is fine to schedule napi context X on another +CPU. Details from a production system triggering this bug using the +veth driver can be found following the first link below. + +The second reason is that the XDP_REDIRECT logic in itself relies on +being inside a single NAPI instance through to the xdp_do_flush() call +for RCU protection of all in-kernel data structures. Details can be +found in the second link below. + +Fixes: 186b3c998c50 ("virtio-net: support XDP_REDIRECT") +Signed-off-by: Magnus Karlsson +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com +Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ +Acked-by: Michael S. Tsirkin +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index c942cd6a2c65..0605c28c684b 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1525,13 +1525,13 @@ static int virtnet_poll(struct napi_struct *napi, int budget) + + received = virtnet_receive(rq, budget, &xdp_xmit); + ++ if (xdp_xmit & VIRTIO_XDP_REDIR) ++ xdp_do_flush(); ++ + /* Out of packets? */ + if (received < budget) + virtqueue_napi_complete(napi, rq->vq, received); + +- if (xdp_xmit & VIRTIO_XDP_REDIR) +- xdp_do_flush(); +- + if (xdp_xmit & VIRTIO_XDP_TX) { + sq = virtnet_xdp_get_sq(vi); + if (virtqueue_kick_prepare(sq->vq) && virtqueue_notify(sq->vq)) { +-- +2.39.0 + diff --git a/queue-5.10/virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch b/queue-5.10/virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch new file mode 100644 index 00000000000..01d4264a842 --- /dev/null +++ b/queue-5.10/virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch @@ -0,0 +1,44 @@ +From 30db76b82617e23936675d86477186eb348efead Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Feb 2023 18:35:16 +0200 +Subject: virtio-net: Keep stop() to follow mirror sequence of open() + +From: Parav Pandit + +[ Upstream commit 63b114042d8a9c02d9939889177c36dbdb17a588 ] + +Cited commit in fixes tag frees rxq xdp info while RQ NAPI is +still enabled and packet processing may be ongoing. + +Follow the mirror sequence of open() in the stop() callback. +This ensures that when rxq info is unregistered, no rx +packet processing is ongoing. + +Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info") +Acked-by: Michael S. Tsirkin +Reviewed-by: Jiri Pirko +Signed-off-by: Parav Pandit +Link: https://lore.kernel.org/r/20230202163516.12559-1-parav@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 0605c28c684b..d53321116136 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1928,8 +1928,8 @@ static int virtnet_close(struct net_device *dev) + cancel_delayed_work_sync(&vi->refill); + + for (i = 0; i < vi->max_queue_pairs; i++) { +- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq); + napi_disable(&vi->rq[i].napi); ++ xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq); + virtnet_napi_tx_disable(&vi->sq[i].napi); + } + +-- +2.39.0 + diff --git a/queue-5.10/write-is-data-source-not-destination.patch b/queue-5.10/write-is-data-source-not-destination.patch new file mode 100644 index 00000000000..4447936e474 --- /dev/null +++ b/queue-5.10/write-is-data-source-not-destination.patch @@ -0,0 +1,49 @@ +From 683b6b5694f44715f3472909f1882042b43d3b88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 18:59:12 -0400 +Subject: WRITE is "data source", not destination... + +From: Al Viro + +[ Upstream commit 974c36fb828aeae7b4f9063f94860ae6c5633efd ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/fsi/fsi-sbefifo.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/fsi/fsi-sbefifo.c b/drivers/fsi/fsi-sbefifo.c +index 84cb965bfed5..97045a8d9422 100644 +--- a/drivers/fsi/fsi-sbefifo.c ++++ b/drivers/fsi/fsi-sbefifo.c +@@ -640,7 +640,7 @@ static void sbefifo_collect_async_ffdc(struct sbefifo *sbefifo) + } + ffdc_iov.iov_base = ffdc; + ffdc_iov.iov_len = SBEFIFO_MAX_FFDC_SIZE; +- iov_iter_kvec(&ffdc_iter, WRITE, &ffdc_iov, 1, SBEFIFO_MAX_FFDC_SIZE); ++ iov_iter_kvec(&ffdc_iter, READ, &ffdc_iov, 1, SBEFIFO_MAX_FFDC_SIZE); + cmd[0] = cpu_to_be32(2); + cmd[1] = cpu_to_be32(SBEFIFO_CMD_GET_SBE_FFDC); + rc = sbefifo_do_command(sbefifo, cmd, 2, &ffdc_iter); +@@ -737,7 +737,7 @@ int sbefifo_submit(struct device *dev, const __be32 *command, size_t cmd_len, + rbytes = (*resp_len) * sizeof(__be32); + resp_iov.iov_base = response; + resp_iov.iov_len = rbytes; +- iov_iter_kvec(&resp_iter, WRITE, &resp_iov, 1, rbytes); ++ iov_iter_kvec(&resp_iter, READ, &resp_iov, 1, rbytes); + + /* Perform the command */ + mutex_lock(&sbefifo->lock); +@@ -817,7 +817,7 @@ static ssize_t sbefifo_user_read(struct file *file, char __user *buf, + /* Prepare iov iterator */ + resp_iov.iov_base = buf; + resp_iov.iov_len = len; +- iov_iter_init(&resp_iter, WRITE, &resp_iov, 1, len); ++ iov_iter_init(&resp_iter, READ, &resp_iov, 1, len); + + /* Perform the command */ + mutex_lock(&sbefifo->lock); +-- +2.39.0 +