From 287d42512927d9bb8bfa3fbe6d99304a6e6a171a Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 17 Jul 2022 10:52:38 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...re-bhb-avoid-pr_info-every-time-a-cp.patch | 58 +++++++ ...-the-fdt_fixed-sections-as-shareable.patch | 153 ++++++++++++++++++ ...s-at91-sama5d2-fix-typo-in-i2s1-node.patch | 40 +++++ ...6qdl-ts7970-fix-ngpio-typo-and-count.patch | 39 +++++ ...x-spi-nor-campatible-on-orange-pi-ze.patch | 40 +++++ ...gtl5000-fix-noise-on-shutdown-remove.patch | 79 +++++++++ .../cipso-fix-data-races-around-sysctl.patch | 95 +++++++++++ ...ossible-refcount-leak-in-intel_dp_ad.patch | 44 +++++ ...alize-tlb-invalidates-with-gt-resets.patch | 76 +++++++++ ...ta-race-around-sysctl_icmp_ratelimit.patch | 37 +++++ ...ata-race-around-sysctl_icmp_ratemask.patch | 36 +++++ .../icmp-fix-data-races-around-sysctl.patch | 42 +++++ ...ial-integer-overflow-in-ima_appraise.patch | 37 +++++ ...netpeer-fix-data-races-around-sysctl.patch | 52 ++++++ ...data-race-around-sysctl_fib_sync_mem.patch | 36 +++++ ...-data-races-around-sysctl_ip_dynaddr.patch | 59 +++++++ ...ssing-numa_stat-when-config_hugetlb_.patch | 66 ++++++++ ...net-fix-data-races-around-sysctl_mem.patch | 36 +++++ ...ld-reference-returned-by-of_get_chil.patch | 57 +++++++ ...os-disable-split-header-for-tegra194.patch | 47 ++++++ ...race-around-sysctl_raw_l3mdev_accept.patch | 36 +++++ ...-skb-checksum-in-bpf_push_seg6_encap.patch | 44 +++++ ...cksum-evaluation-in-srh-encapsulatio.patch | 73 +++++++++ ...cksum-in-srv6-end.b6-and-end.b6.enca.patch | 51 ++++++ queue-5.4/series | 26 +++ ...fc-fix-kernel-panic-when-creating-vf.patch | 71 ++++++++ ...-use-after-free-when-disabling-sriov.patch | 113 +++++++++++++ 27 files changed, 1543 insertions(+) create mode 100644 queue-5.4/arm-9209-1-spectre-bhb-avoid-pr_info-every-time-a-cp.patch create mode 100644 queue-5.4/arm-9210-1-mark-the-fdt_fixed-sections-as-shareable.patch create mode 100644 queue-5.4/arm-dts-at91-sama5d2-fix-typo-in-i2s1-node.patch create mode 100644 queue-5.4/arm-dts-imx6qdl-ts7970-fix-ngpio-typo-and-count.patch create mode 100644 queue-5.4/arm-dts-sunxi-fix-spi-nor-campatible-on-orange-pi-ze.patch create mode 100644 queue-5.4/asoc-sgtl5000-fix-noise-on-shutdown-remove.patch create mode 100644 queue-5.4/cipso-fix-data-races-around-sysctl.patch create mode 100644 queue-5.4/drm-i915-fix-a-possible-refcount-leak-in-intel_dp_ad.patch create mode 100644 queue-5.4/drm-i915-gt-serialize-tlb-invalidates-with-gt-resets.patch create mode 100644 queue-5.4/icmp-fix-a-data-race-around-sysctl_icmp_ratelimit.patch create mode 100644 queue-5.4/icmp-fix-a-data-race-around-sysctl_icmp_ratemask.patch create mode 100644 queue-5.4/icmp-fix-data-races-around-sysctl.patch create mode 100644 queue-5.4/ima-fix-a-potential-integer-overflow-in-ima_appraise.patch create mode 100644 queue-5.4/inetpeer-fix-data-races-around-sysctl.patch create mode 100644 queue-5.4/ipv4-fix-a-data-race-around-sysctl_fib_sync_mem.patch create mode 100644 queue-5.4/ipv4-fix-data-races-around-sysctl_ip_dynaddr.patch create mode 100644 queue-5.4/mm-sysctl-fix-missing-numa_stat-when-config_hugetlb_.patch create mode 100644 queue-5.4/net-fix-data-races-around-sysctl_mem.patch create mode 100644 queue-5.4/net-ftgmac100-hold-reference-returned-by-of_get_chil.patch create mode 100644 queue-5.4/net-stmmac-dwc-qos-disable-split-header-for-tegra194.patch create mode 100644 queue-5.4/raw-fix-a-data-race-around-sysctl_raw_l3mdev_accept.patch create mode 100644 queue-5.4/seg6-bpf-fix-skb-checksum-in-bpf_push_seg6_encap.patch create mode 100644 queue-5.4/seg6-fix-skb-checksum-evaluation-in-srh-encapsulatio.patch create mode 100644 queue-5.4/seg6-fix-skb-checksum-in-srv6-end.b6-and-end.b6.enca.patch create mode 100644 queue-5.4/sfc-fix-kernel-panic-when-creating-vf.patch create mode 100644 queue-5.4/sfc-fix-use-after-free-when-disabling-sriov.patch diff --git a/queue-5.4/arm-9209-1-spectre-bhb-avoid-pr_info-every-time-a-cp.patch b/queue-5.4/arm-9209-1-spectre-bhb-avoid-pr_info-every-time-a-cp.patch new file mode 100644 index 00000000000..42880935a89 --- /dev/null +++ b/queue-5.4/arm-9209-1-spectre-bhb-avoid-pr_info-every-time-a-cp.patch @@ -0,0 +1,58 @@ +From 8914d493e121905ea2dbbb8ca3e1d5f5885265f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 09:53:42 +0100 +Subject: ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out + of idle + +From: Ard Biesheuvel + +[ Upstream commit 0609e200246bfd3b7516091c491bec4308349055 ] + +Jon reports that the Spectre-BHB init code is filling up the kernel log +with spurious notifications about which mitigation has been enabled, +every time any CPU comes out of a low power state. + +Given that Spectre-BHB mitigations are system wide, only a single +mitigation can be enabled, and we already print an error if two types of +CPUs coexist in a single system that require different Spectre-BHB +mitigations. + +This means that the pr_info() that describes the selected mitigation +does not need to be emitted for each CPU anyway, and so we can simply +emit it only once. + +In order to clarify the above in the log message, update it to describe +that the selected mitigation will be enabled on all CPUs, including ones +that are unaffected. If another CPU comes up later that is affected and +requires a different mitigation, we report an error as before. + +Fixes: b9baf5c8c5c3 ("ARM: Spectre-BHB workaround") +Tested-by: Jon Hunter +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/proc-v7-bugs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c +index f2c8ff0683fd..b09c54499f95 100644 +--- a/arch/arm/mm/proc-v7-bugs.c ++++ b/arch/arm/mm/proc-v7-bugs.c +@@ -221,10 +221,10 @@ static int spectre_bhb_install_workaround(int method) + return SPECTRE_VULNERABLE; + + spectre_bhb_method = method; +- } + +- pr_info("CPU%u: Spectre BHB: using %s workaround\n", +- smp_processor_id(), spectre_bhb_method_name(method)); ++ pr_info("CPU%u: Spectre BHB: enabling %s workaround for all CPUs\n", ++ smp_processor_id(), spectre_bhb_method_name(method)); ++ } + + return SPECTRE_MITIGATED; + } +-- +2.35.1 + diff --git a/queue-5.4/arm-9210-1-mark-the-fdt_fixed-sections-as-shareable.patch b/queue-5.4/arm-9210-1-mark-the-fdt_fixed-sections-as-shareable.patch new file mode 100644 index 00000000000..730cdfcbffc --- /dev/null +++ b/queue-5.4/arm-9210-1-mark-the-fdt_fixed-sections-as-shareable.patch @@ -0,0 +1,153 @@ +From e0d80f295134dd26e379420d3e38025f3706c168 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 15:05:41 +0100 +Subject: ARM: 9210/1: Mark the FDT_FIXED sections as shareable + +From: Zhen Lei + +[ Upstream commit 598f0a99fa8a35be44b27106b43ddc66417af3b1 ] + +commit 7a1be318f579 ("ARM: 9012/1: move device tree mapping out of linear +region") use FDT_FIXED_BASE to map the whole FDT_FIXED_SIZE memory area +which contains fdt. But it only reserves the exact physical memory that +fdt occupied. Unfortunately, this mapping is non-shareable. An illegal or +speculative read access can bring the RAM content from non-fdt zone into +cache, PIPT makes it to be hit by subsequently read access through +shareable mapping(such as linear mapping), and the cache consistency +between cores is lost due to non-shareable property. + +|<---------FDT_FIXED_SIZE------>| +| | + ------------------------------- +| | | | + ------------------------------- + +1. CoreA read through MT_ROM mapping, the old data is loaded + into the cache. +2. CoreB write to update data through linear mapping. CoreA + received the notification to invalid the corresponding cachelines, but + the property non-shareable makes it to be ignored. +3. CoreA read through linear mapping, cache hit, the old data + is read. + +To eliminate this risk, add a new memory type MT_MEMORY_RO. Compared to +MT_ROM, it is shareable and non-executable. + +Here's an example: + list_del corruption. prev->next should be c0ecbf74, but was c08410dc + kernel BUG at lib/list_debug.c:53! + ... ... + PC is at __list_del_entry_valid+0x58/0x98 + LR is at __list_del_entry_valid+0x58/0x98 + psr: 60000093 + sp : c0ecbf30 ip : 00000000 fp : 00000001 + r10: c08410d0 r9 : 00000001 r8 : c0825e0c + r7 : 20000013 r6 : c08410d0 r5 : c0ecbf74 r4 : c0ecbf74 + r3 : c0825d08 r2 : 00000000 r1 : df7ce6f4 r0 : 00000044 + ... ... + Stack: (0xc0ecbf30 to 0xc0ecc000) + bf20: c0ecbf74 c0164fd0 c0ecbf70 c0165170 + bf40: c0eca000 c0840c00 c0840c00 c0824500 c0825e0c c0189bbc c088f404 60000013 + bf60: 60000013 c0e85100 000004ec 00000000 c0ebcdc0 c0ecbf74 c0ecbf74 c0825d08 + ... ... < next prev > + (__list_del_entry_valid) from (__list_del_entry+0xc/0x20) + (__list_del_entry) from (finish_swait+0x60/0x7c) + (finish_swait) from (rcu_gp_kthread+0x560/0xa20) + (rcu_gp_kthread) from (kthread+0x14c/0x15c) + (kthread) from (ret_from_fork+0x14/0x24) + +The faulty list node to be deleted is a local variable, its address is +c0ecbf74. The dumped stack shows that 'prev' = c0ecbf74, but its value +before lib/list_debug.c:53 is c08410dc. A large amount of printing results +in swapping out the cacheline containing the old data(MT_ROM mapping is +read only, so the cacheline cannot be dirty), and the subsequent dump +operation obtains new data from the DDR. + +Fixes: 7a1be318f579 ("ARM: 9012/1: move device tree mapping out of linear region") +Suggested-by: Ard Biesheuvel +Signed-off-by: Zhen Lei +Reviewed-by: Ard Biesheuvel +Reviewed-by: Kefeng Wang +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/mach/map.h | 1 + + arch/arm/mm/mmu.c | 15 ++++++++++++++- + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/include/asm/mach/map.h b/arch/arm/include/asm/mach/map.h +index 92282558caf7..2b8970d8e5a2 100644 +--- a/arch/arm/include/asm/mach/map.h ++++ b/arch/arm/include/asm/mach/map.h +@@ -27,6 +27,7 @@ enum { + MT_HIGH_VECTORS, + MT_MEMORY_RWX, + MT_MEMORY_RW, ++ MT_MEMORY_RO, + MT_ROM, + MT_MEMORY_RWX_NONCACHED, + MT_MEMORY_RW_DTCM, +diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c +index 6e7f841f67ff..463cbb0631be 100644 +--- a/arch/arm/mm/mmu.c ++++ b/arch/arm/mm/mmu.c +@@ -316,6 +316,13 @@ static struct mem_type mem_types[] __ro_after_init = { + .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE, + .domain = DOMAIN_KERNEL, + }, ++ [MT_MEMORY_RO] = { ++ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | ++ L_PTE_XN | L_PTE_RDONLY, ++ .prot_l1 = PMD_TYPE_TABLE, ++ .prot_sect = PMD_TYPE_SECT, ++ .domain = DOMAIN_KERNEL, ++ }, + [MT_ROM] = { + .prot_sect = PMD_TYPE_SECT, + .domain = DOMAIN_KERNEL, +@@ -515,6 +522,7 @@ static void __init build_mem_type_table(void) + + /* Also setup NX memory mapping */ + mem_types[MT_MEMORY_RW].prot_sect |= PMD_SECT_XN; ++ mem_types[MT_MEMORY_RO].prot_sect |= PMD_SECT_XN; + } + if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) { + /* +@@ -597,6 +605,7 @@ static void __init build_mem_type_table(void) + mem_types[MT_ROM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; + mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; + mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; ++ mem_types[MT_MEMORY_RO].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; + #endif + + /* +@@ -617,6 +626,8 @@ static void __init build_mem_type_table(void) + mem_types[MT_MEMORY_RWX].prot_pte |= L_PTE_SHARED; + mem_types[MT_MEMORY_RW].prot_sect |= PMD_SECT_S; + mem_types[MT_MEMORY_RW].prot_pte |= L_PTE_SHARED; ++ mem_types[MT_MEMORY_RO].prot_sect |= PMD_SECT_S; ++ mem_types[MT_MEMORY_RO].prot_pte |= L_PTE_SHARED; + mem_types[MT_MEMORY_DMA_READY].prot_pte |= L_PTE_SHARED; + mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= PMD_SECT_S; + mem_types[MT_MEMORY_RWX_NONCACHED].prot_pte |= L_PTE_SHARED; +@@ -680,6 +691,8 @@ static void __init build_mem_type_table(void) + mem_types[MT_MEMORY_RWX].prot_pte |= kern_pgprot; + mem_types[MT_MEMORY_RW].prot_sect |= ecc_mask | cp->pmd; + mem_types[MT_MEMORY_RW].prot_pte |= kern_pgprot; ++ mem_types[MT_MEMORY_RO].prot_sect |= ecc_mask | cp->pmd; ++ mem_types[MT_MEMORY_RO].prot_pte |= kern_pgprot; + mem_types[MT_MEMORY_DMA_READY].prot_pte |= kern_pgprot; + mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= ecc_mask; + mem_types[MT_ROM].prot_sect |= cp->pmd; +@@ -1361,7 +1374,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc) + map.pfn = __phys_to_pfn(__atags_pointer & SECTION_MASK); + map.virtual = FDT_FIXED_BASE; + map.length = FDT_FIXED_SIZE; +- map.type = MT_ROM; ++ map.type = MT_MEMORY_RO; + create_mapping(&map); + } + +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-at91-sama5d2-fix-typo-in-i2s1-node.patch b/queue-5.4/arm-dts-at91-sama5d2-fix-typo-in-i2s1-node.patch new file mode 100644 index 00000000000..ad60d99d725 --- /dev/null +++ b/queue-5.4/arm-dts-at91-sama5d2-fix-typo-in-i2s1-node.patch @@ -0,0 +1,40 @@ +From 8476265182a4287ccac5d8503a706d48ec0745a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jul 2022 14:58:12 -0700 +Subject: ARM: dts: at91: sama5d2: Fix typo in i2s1 node + +From: Ryan Wanner + +[ Upstream commit 2fdf15b50a46e366740df4cccbe2343269b4ff55 ] + +Fix typo in i2s1 causing errors in dt binding validation. +Change assigned-parrents to assigned-clock-parents +to match i2s0 node formatting. + +Fixes: 1ca81883c557 ("ARM: dts: at91: sama5d2: add nodes for I2S controllers") +Signed-off-by: Ryan Wanner +[claudiu.beznea: use imperative addressing in commit description, remove + blank line after fixes tag, fix typo in commit message] +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220707215812.193008-1-Ryan.Wanner@microchip.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/sama5d2.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/sama5d2.dtsi b/arch/arm/boot/dts/sama5d2.dtsi +index 09816a2ee367..dbfdffd54003 100644 +--- a/arch/arm/boot/dts/sama5d2.dtsi ++++ b/arch/arm/boot/dts/sama5d2.dtsi +@@ -933,7 +933,7 @@ AT91_XDMAC_DT_PERID(33))>, + clocks = <&pmc PMC_TYPE_PERIPHERAL 55>, <&pmc PMC_TYPE_GCK 55>; + clock-names = "pclk", "gclk"; + assigned-clocks = <&pmc PMC_TYPE_CORE PMC_I2S1_MUX>; +- assigned-parrents = <&pmc PMC_TYPE_GCK 55>; ++ assigned-clock-parents = <&pmc PMC_TYPE_GCK 55>; + status = "disabled"; + }; + +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-imx6qdl-ts7970-fix-ngpio-typo-and-count.patch b/queue-5.4/arm-dts-imx6qdl-ts7970-fix-ngpio-typo-and-count.patch new file mode 100644 index 00000000000..c548ba47b96 --- /dev/null +++ b/queue-5.4/arm-dts-imx6qdl-ts7970-fix-ngpio-typo-and-count.patch @@ -0,0 +1,39 @@ +From a82e524e7ab4f07db1445d1323d9cae7a2fc7a7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jun 2022 14:03:27 -0700 +Subject: ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count + +From: Kris Bahnsen + +[ Upstream commit e95ea0f687e679fcb0a3a67d0755b81ee7d60db0 ] + +Device-tree incorrectly used "ngpio" which caused the driver to +fallback to 32 ngpios. + +This platform has 62 GPIO registers. + +Fixes: 9ff8e9fccef9 ("ARM: dts: TS-7970: add basic device tree") +Signed-off-by: Kris Bahnsen +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qdl-ts7970.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6qdl-ts7970.dtsi b/arch/arm/boot/dts/imx6qdl-ts7970.dtsi +index f0be516dc28e..9181fbeb833d 100644 +--- a/arch/arm/boot/dts/imx6qdl-ts7970.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-ts7970.dtsi +@@ -226,7 +226,7 @@ gpio8: gpio@28 { + reg = <0x28>; + #gpio-cells = <2>; + gpio-controller; +- ngpio = <32>; ++ ngpios = <62>; + }; + + sgtl5000: codec@a { +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-sunxi-fix-spi-nor-campatible-on-orange-pi-ze.patch b/queue-5.4/arm-dts-sunxi-fix-spi-nor-campatible-on-orange-pi-ze.patch new file mode 100644 index 00000000000..899e8b629fc --- /dev/null +++ b/queue-5.4/arm-dts-sunxi-fix-spi-nor-campatible-on-orange-pi-ze.patch @@ -0,0 +1,40 @@ +From 43ae91ecb5bad56515bda4e1d42bdc98e07a1c72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jul 2022 19:45:29 +0200 +Subject: ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero + +From: Michal Suchanek + +[ Upstream commit 884b66976a7279ee889ba885fe364244d50b79e7 ] + +The device tree should include generic "jedec,spi-nor" compatible, and a +manufacturer-specific one. +The macronix part is what is shipped on the boards that come with a +flash chip. + +Fixes: 45857ae95478 ("ARM: dts: orange-pi-zero: add node for SPI NOR") +Signed-off-by: Michal Suchanek +Acked-by: Jernej Skrabec +Signed-off-by: Jernej Skrabec +Link: https://lore.kernel.org/r/20220708174529.3360-1-msuchanek@suse.de +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/sun8i-h2-plus-orangepi-zero.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/sun8i-h2-plus-orangepi-zero.dts b/arch/arm/boot/dts/sun8i-h2-plus-orangepi-zero.dts +index f19ed981da9d..3706216ffb40 100644 +--- a/arch/arm/boot/dts/sun8i-h2-plus-orangepi-zero.dts ++++ b/arch/arm/boot/dts/sun8i-h2-plus-orangepi-zero.dts +@@ -169,7 +169,7 @@ &spi0 { + flash@0 { + #address-cells = <1>; + #size-cells = <1>; +- compatible = "mxicy,mx25l1606e", "winbond,w25q128"; ++ compatible = "mxicy,mx25l1606e", "jedec,spi-nor"; + reg = <0>; + spi-max-frequency = <40000000>; + }; +-- +2.35.1 + diff --git a/queue-5.4/asoc-sgtl5000-fix-noise-on-shutdown-remove.patch b/queue-5.4/asoc-sgtl5000-fix-noise-on-shutdown-remove.patch new file mode 100644 index 00000000000..adfcf75a4ef --- /dev/null +++ b/queue-5.4/asoc-sgtl5000-fix-noise-on-shutdown-remove.patch @@ -0,0 +1,79 @@ +From 815b349b9192d8b6711b627077702db1a848a257 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 12:13:01 +0200 +Subject: ASoC: sgtl5000: Fix noise on shutdown/remove + +From: Francesco Dolcini + +[ Upstream commit 040e3360af3736348112d29425bf5d0be5b93115 ] + +Put the SGTL5000 in a silent/safe state on shutdown/remove, this is +required since the SGTL5000 produces a constant noise on its output +after it is configured and its clock is removed. Without this change +this is happening every time the module is unbound/removed or from +reboot till the clock is enabled again. + +The issue was experienced on both a Toradex Colibri/Apalis iMX6, but can +be easily reproduced everywhere just playing something on the codec and +after that removing/unbinding the driver. + +Fixes: 9b34e6cc3bc2 ("ASoC: Add Freescale SGTL5000 codec support") +Signed-off-by: Francesco Dolcini +Reviewed-by: Fabio Estevam +Link: https://lore.kernel.org/r/20220624101301.441314-1-francesco.dolcini@toradex.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/sgtl5000.c | 9 +++++++++ + sound/soc/codecs/sgtl5000.h | 1 + + 2 files changed, 10 insertions(+) + +diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c +index 8a1e485982d8..76d3c0681f37 100644 +--- a/sound/soc/codecs/sgtl5000.c ++++ b/sound/soc/codecs/sgtl5000.c +@@ -1788,6 +1788,9 @@ static int sgtl5000_i2c_remove(struct i2c_client *client) + { + struct sgtl5000_priv *sgtl5000 = i2c_get_clientdata(client); + ++ regmap_write(sgtl5000->regmap, SGTL5000_CHIP_DIG_POWER, SGTL5000_DIG_POWER_DEFAULT); ++ regmap_write(sgtl5000->regmap, SGTL5000_CHIP_ANA_POWER, SGTL5000_ANA_POWER_DEFAULT); ++ + clk_disable_unprepare(sgtl5000->mclk); + regulator_bulk_disable(sgtl5000->num_supplies, sgtl5000->supplies); + regulator_bulk_free(sgtl5000->num_supplies, sgtl5000->supplies); +@@ -1795,6 +1798,11 @@ static int sgtl5000_i2c_remove(struct i2c_client *client) + return 0; + } + ++static void sgtl5000_i2c_shutdown(struct i2c_client *client) ++{ ++ sgtl5000_i2c_remove(client); ++} ++ + static const struct i2c_device_id sgtl5000_id[] = { + {"sgtl5000", 0}, + {}, +@@ -1815,6 +1823,7 @@ static struct i2c_driver sgtl5000_i2c_driver = { + }, + .probe = sgtl5000_i2c_probe, + .remove = sgtl5000_i2c_remove, ++ .shutdown = sgtl5000_i2c_shutdown, + .id_table = sgtl5000_id, + }; + +diff --git a/sound/soc/codecs/sgtl5000.h b/sound/soc/codecs/sgtl5000.h +index 56ec5863f250..3a808c762299 100644 +--- a/sound/soc/codecs/sgtl5000.h ++++ b/sound/soc/codecs/sgtl5000.h +@@ -80,6 +80,7 @@ + /* + * SGTL5000_CHIP_DIG_POWER + */ ++#define SGTL5000_DIG_POWER_DEFAULT 0x0000 + #define SGTL5000_ADC_EN 0x0040 + #define SGTL5000_DAC_EN 0x0020 + #define SGTL5000_DAP_POWERUP 0x0010 +-- +2.35.1 + diff --git a/queue-5.4/cipso-fix-data-races-around-sysctl.patch b/queue-5.4/cipso-fix-data-races-around-sysctl.patch new file mode 100644 index 00000000000..1e50a5ca275 --- /dev/null +++ b/queue-5.4/cipso-fix-data-races-around-sysctl.patch @@ -0,0 +1,95 @@ +From 245bc67b506e0c399eb64ef209fac1acf14f3458 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 16:40:01 -0700 +Subject: cipso: Fix data-races around sysctl. + +From: Kuniyuki Iwashima + +[ Upstream commit dd44f04b9214adb68ef5684ae87a81ba03632250 ] + +While reading cipso sysctl variables, they can be changed concurrently. +So, we need to add READ_ONCE() to avoid data-races. + +Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + Documentation/networking/ip-sysctl.txt | 2 +- + net/ipv4/cipso_ipv4.c | 12 +++++++----- + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt +index 8af3771a3ebf..f60d4159fff4 100644 +--- a/Documentation/networking/ip-sysctl.txt ++++ b/Documentation/networking/ip-sysctl.txt +@@ -876,7 +876,7 @@ cipso_cache_enable - BOOLEAN + cipso_cache_bucket_size - INTEGER + The CIPSO label cache consists of a fixed size hash table with each + hash bucket containing a number of cache entries. This variable limits +- the number of entries in each hash bucket; the larger the value the ++ the number of entries in each hash bucket; the larger the value is, the + more CIPSO label mappings that can be cached. When the number of + entries in a given hash bucket reaches this limit adding new entries + causes the oldest entry in the bucket to be removed to make room. +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index c1ac802d6894..42eaad5e515f 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -240,7 +240,7 @@ static int cipso_v4_cache_check(const unsigned char *key, + struct cipso_v4_map_cache_entry *prev_entry = NULL; + u32 hash; + +- if (!cipso_v4_cache_enabled) ++ if (!READ_ONCE(cipso_v4_cache_enabled)) + return -ENOENT; + + hash = cipso_v4_map_cache_hash(key, key_len); +@@ -297,13 +297,14 @@ static int cipso_v4_cache_check(const unsigned char *key, + int cipso_v4_cache_add(const unsigned char *cipso_ptr, + const struct netlbl_lsm_secattr *secattr) + { ++ int bkt_size = READ_ONCE(cipso_v4_cache_bucketsize); + int ret_val = -EPERM; + u32 bkt; + struct cipso_v4_map_cache_entry *entry = NULL; + struct cipso_v4_map_cache_entry *old_entry = NULL; + u32 cipso_ptr_len; + +- if (!cipso_v4_cache_enabled || cipso_v4_cache_bucketsize <= 0) ++ if (!READ_ONCE(cipso_v4_cache_enabled) || bkt_size <= 0) + return 0; + + cipso_ptr_len = cipso_ptr[1]; +@@ -323,7 +324,7 @@ int cipso_v4_cache_add(const unsigned char *cipso_ptr, + + bkt = entry->hash & (CIPSO_V4_CACHE_BUCKETS - 1); + spin_lock_bh(&cipso_v4_cache[bkt].lock); +- if (cipso_v4_cache[bkt].size < cipso_v4_cache_bucketsize) { ++ if (cipso_v4_cache[bkt].size < bkt_size) { + list_add(&entry->list, &cipso_v4_cache[bkt].list); + cipso_v4_cache[bkt].size += 1; + } else { +@@ -1200,7 +1201,8 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def, + /* This will send packets using the "optimized" format when + * possible as specified in section 3.4.2.6 of the + * CIPSO draft. */ +- if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10) ++ if (READ_ONCE(cipso_v4_rbm_optfmt) && ret_val > 0 && ++ ret_val <= 10) + tag_len = 14; + else + tag_len = 4 + ret_val; +@@ -1603,7 +1605,7 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option) + * all the CIPSO validations here but it doesn't + * really specify _exactly_ what we need to validate + * ... so, just make it a sysctl tunable. */ +- if (cipso_v4_rbm_strictvalid) { ++ if (READ_ONCE(cipso_v4_rbm_strictvalid)) { + if (cipso_v4_map_lvl_valid(doi_def, + tag[3]) < 0) { + err_offset = opt_iter + 3; +-- +2.35.1 + diff --git a/queue-5.4/drm-i915-fix-a-possible-refcount-leak-in-intel_dp_ad.patch b/queue-5.4/drm-i915-fix-a-possible-refcount-leak-in-intel_dp_ad.patch new file mode 100644 index 00000000000..bd393a20cef --- /dev/null +++ b/queue-5.4/drm-i915-fix-a-possible-refcount-leak-in-intel_dp_ad.patch @@ -0,0 +1,44 @@ +From 5d14187b4735b393de476ad086052c6c5d44d31c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 06:04:06 -0700 +Subject: drm/i915: fix a possible refcount leak in + intel_dp_add_mst_connector() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hangyu Hua + +[ Upstream commit 85144df9ff4652816448369de76897c57cbb1b93 ] + +If drm_connector_init fails, intel_connector_free will be called to take +care of proper free. So it is necessary to drop the refcount of port +before intel_connector_free. + +Fixes: 091a4f91942a ("drm/i915: Handle drm-layer errors in intel_dp_add_mst_connector") +Signed-off-by: Hangyu Hua +Reviewed-by: José Roberto de Souza +Link: https://patchwork.freedesktop.org/patch/msgid/20220624130406.17996-1-jose.souza@intel.com +Signed-off-by: José Roberto de Souza +(cherry picked from commit cea9ed611e85d36a05db52b6457bf584b7d969e2) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_dp_mst.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/i915/display/intel_dp_mst.c b/drivers/gpu/drm/i915/display/intel_dp_mst.c +index 74d45a0eecb8..c59b43fb34a8 100644 +--- a/drivers/gpu/drm/i915/display/intel_dp_mst.c ++++ b/drivers/gpu/drm/i915/display/intel_dp_mst.c +@@ -520,6 +520,7 @@ static struct drm_connector *intel_dp_add_mst_connector(struct drm_dp_mst_topolo + ret = drm_connector_init(dev, connector, &intel_dp_mst_connector_funcs, + DRM_MODE_CONNECTOR_DisplayPort); + if (ret) { ++ drm_dp_mst_put_port_malloc(port); + intel_connector_free(intel_connector); + return NULL; + } +-- +2.35.1 + diff --git a/queue-5.4/drm-i915-gt-serialize-tlb-invalidates-with-gt-resets.patch b/queue-5.4/drm-i915-gt-serialize-tlb-invalidates-with-gt-resets.patch new file mode 100644 index 00000000000..7e5cb18fe68 --- /dev/null +++ b/queue-5.4/drm-i915-gt-serialize-tlb-invalidates-with-gt-resets.patch @@ -0,0 +1,76 @@ +From 6afa936a01b6f3c452c9a8fc409cdcd5ae1bf90a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 16:21:33 +0100 +Subject: drm/i915/gt: Serialize TLB invalidates with GT resets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Wilson + +[ Upstream commit a1c5a7bf79c1faa5633b918b5c0666545e84c4d1 ] + +Avoid trying to invalidate the TLB in the middle of performing an +engine reset, as this may result in the reset timing out. Currently, +the TLB invalidate is only serialised by its own mutex, forgoing the +uncore lock, but we can take the uncore->lock as well to serialise +the mmio access, thereby serialising with the GDRST. + +Tested on a NUC5i7RYB, BIOS RYBDWi35.86A.0380.2019.0517.1530 with +i915 selftest/hangcheck. + +Cc: stable@vger.kernel.org # v4.4 and upper +Fixes: 7938d61591d3 ("drm/i915: Flush TLBs before releasing backing store") +Reported-by: Mauro Carvalho Chehab +Tested-by: Mauro Carvalho Chehab +Reviewed-by: Mauro Carvalho Chehab +Signed-off-by: Chris Wilson +Cc: Tvrtko Ursulin +Reviewed-by: Andi Shyti +Acked-by: Thomas Hellström +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Rodrigo Vivi +Link: https://patchwork.freedesktop.org/patch/msgid/1e59a7c45dd919a530256b9ac721ac6ea86c0677.1657639152.git.mchehab@kernel.org +(cherry picked from commit 33da97894758737895e90c909f16786052680ef4) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_gt.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_gt.c b/drivers/gpu/drm/i915/gt/intel_gt.c +index c8c070375d29..f6d7f5d307d7 100644 +--- a/drivers/gpu/drm/i915/gt/intel_gt.c ++++ b/drivers/gpu/drm/i915/gt/intel_gt.c +@@ -339,6 +339,20 @@ void intel_gt_invalidate_tlbs(struct intel_gt *gt) + mutex_lock(>->tlb_invalidate_lock); + intel_uncore_forcewake_get(uncore, FORCEWAKE_ALL); + ++ spin_lock_irq(&uncore->lock); /* serialise invalidate with GT reset */ ++ ++ for_each_engine(engine, gt, id) { ++ struct reg_and_bit rb; ++ ++ rb = get_reg_and_bit(engine, regs == gen8_regs, regs, num); ++ if (!i915_mmio_reg_offset(rb.reg)) ++ continue; ++ ++ intel_uncore_write_fw(uncore, rb.reg, rb.bit); ++ } ++ ++ spin_unlock_irq(&uncore->lock); ++ + for_each_engine(engine, gt, id) { + /* + * HW architecture suggest typical invalidation time at 40us, +@@ -353,7 +367,6 @@ void intel_gt_invalidate_tlbs(struct intel_gt *gt) + if (!i915_mmio_reg_offset(rb.reg)) + continue; + +- intel_uncore_write_fw(uncore, rb.reg, rb.bit); + if (__intel_wait_for_register_fw(uncore, + rb.reg, rb.bit, 0, + timeout_us, timeout_ms, +-- +2.35.1 + diff --git a/queue-5.4/icmp-fix-a-data-race-around-sysctl_icmp_ratelimit.patch b/queue-5.4/icmp-fix-a-data-race-around-sysctl_icmp_ratelimit.patch new file mode 100644 index 00000000000..1acc366099f --- /dev/null +++ b/queue-5.4/icmp-fix-a-data-race-around-sysctl_icmp_ratelimit.patch @@ -0,0 +1,37 @@ +From 9d71b3341ec58b0bc0f611a6f2773f3529d4fc26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 17:15:27 -0700 +Subject: icmp: Fix a data-race around sysctl_icmp_ratelimit. + +From: Kuniyuki Iwashima + +[ Upstream commit 2a4eb714841f288cf51c7d942d98af6a8c6e4b01 ] + +While reading sysctl_icmp_ratelimit, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index a590ff81e5f8..e05e972445fe 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -328,7 +328,8 @@ static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt, + + vif = l3mdev_master_ifindex(dst->dev); + peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, vif, 1); +- rc = inet_peer_xrlim_allow(peer, net->ipv4.sysctl_icmp_ratelimit); ++ rc = inet_peer_xrlim_allow(peer, ++ READ_ONCE(net->ipv4.sysctl_icmp_ratelimit)); + if (peer) + inet_putpeer(peer); + out: +-- +2.35.1 + diff --git a/queue-5.4/icmp-fix-a-data-race-around-sysctl_icmp_ratemask.patch b/queue-5.4/icmp-fix-a-data-race-around-sysctl_icmp_ratemask.patch new file mode 100644 index 00000000000..44396c09104 --- /dev/null +++ b/queue-5.4/icmp-fix-a-data-race-around-sysctl_icmp_ratemask.patch @@ -0,0 +1,36 @@ +From 325e1e928b0c93b8bfb1257fabe43434fd841e08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 17:15:28 -0700 +Subject: icmp: Fix a data-race around sysctl_icmp_ratemask. + +From: Kuniyuki Iwashima + +[ Upstream commit 1ebcb25ad6fc3d50fca87350acf451b9a66dd31e ] + +While reading sysctl_icmp_ratemask, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index e05e972445fe..9bc01411be4c 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -290,7 +290,7 @@ static bool icmpv4_mask_allow(struct net *net, int type, int code) + return true; + + /* Limit if icmp type is enabled in ratemask. */ +- if (!((1 << type) & net->ipv4.sysctl_icmp_ratemask)) ++ if (!((1 << type) & READ_ONCE(net->ipv4.sysctl_icmp_ratemask))) + return true; + + return false; +-- +2.35.1 + diff --git a/queue-5.4/icmp-fix-data-races-around-sysctl.patch b/queue-5.4/icmp-fix-data-races-around-sysctl.patch new file mode 100644 index 00000000000..b3724602a43 --- /dev/null +++ b/queue-5.4/icmp-fix-data-races-around-sysctl.patch @@ -0,0 +1,42 @@ +From 172ae47823d9476e52828a00b22daa397d2a8d2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 16:40:02 -0700 +Subject: icmp: Fix data-races around sysctl. + +From: Kuniyuki Iwashima + +[ Upstream commit 48d7ee321ea5182c6a70782aa186422a70e67e22 ] + +While reading icmp sysctl variables, they can be changed concurrently. +So, we need to add READ_ONCE() to avoid data-races. + +Fixes: 4cdf507d5452 ("icmp: add a global rate limitation") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index f86f948a4b4c..a590ff81e5f8 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -261,11 +261,12 @@ bool icmp_global_allow(void) + spin_lock(&icmp_global.lock); + delta = min_t(u32, now - icmp_global.stamp, HZ); + if (delta >= HZ / 50) { +- incr = sysctl_icmp_msgs_per_sec * delta / HZ ; ++ incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ; + if (incr) + WRITE_ONCE(icmp_global.stamp, now); + } +- credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst); ++ credit = min_t(u32, icmp_global.credit + incr, ++ READ_ONCE(sysctl_icmp_msgs_burst)); + if (credit) { + /* We want to use a credit of one in average, but need to randomize + * it for security reasons. +-- +2.35.1 + diff --git a/queue-5.4/ima-fix-a-potential-integer-overflow-in-ima_appraise.patch b/queue-5.4/ima-fix-a-potential-integer-overflow-in-ima_appraise.patch new file mode 100644 index 00000000000..34d02d787ad --- /dev/null +++ b/queue-5.4/ima-fix-a-potential-integer-overflow-in-ima_appraise.patch @@ -0,0 +1,37 @@ +From 9af302376e65ef8a384a88c1e2cd1ef848c245b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jul 2022 13:14:17 +0800 +Subject: ima: Fix a potential integer overflow in ima_appraise_measurement + +From: Huaxin Lu + +[ Upstream commit d2ee2cfc4aa85ff6a2a3b198a3a524ec54e3d999 ] + +When the ima-modsig is enabled, the rc passed to evm_verifyxattr() may be +negative, which may cause the integer overflow problem. + +Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures") +Signed-off-by: Huaxin Lu +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_appraise.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 23b04c6521b2..9368688449b0 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -352,7 +352,8 @@ int ima_appraise_measurement(enum ima_hooks func, + goto out; + } + +- status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint); ++ status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, ++ rc < 0 ? 0 : rc, iint); + switch (status) { + case INTEGRITY_PASS: + case INTEGRITY_PASS_IMMUTABLE: +-- +2.35.1 + diff --git a/queue-5.4/inetpeer-fix-data-races-around-sysctl.patch b/queue-5.4/inetpeer-fix-data-races-around-sysctl.patch new file mode 100644 index 00000000000..9c25c46098a --- /dev/null +++ b/queue-5.4/inetpeer-fix-data-races-around-sysctl.patch @@ -0,0 +1,52 @@ +From 847b5820992342c7396004457d1b59f5531453fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 16:39:59 -0700 +Subject: inetpeer: Fix data-races around sysctl. + +From: Kuniyuki Iwashima + +[ Upstream commit 3d32edf1f3c38d3301f6434e56316f293466d7fb ] + +While reading inetpeer sysctl variables, they can be changed +concurrently. So, we need to add READ_ONCE() to avoid data-races. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/inetpeer.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c +index ff327a62c9ce..a18668552d33 100644 +--- a/net/ipv4/inetpeer.c ++++ b/net/ipv4/inetpeer.c +@@ -148,16 +148,20 @@ static void inet_peer_gc(struct inet_peer_base *base, + struct inet_peer *gc_stack[], + unsigned int gc_cnt) + { ++ int peer_threshold, peer_maxttl, peer_minttl; + struct inet_peer *p; + __u32 delta, ttl; + int i; + +- if (base->total >= inet_peer_threshold) ++ peer_threshold = READ_ONCE(inet_peer_threshold); ++ peer_maxttl = READ_ONCE(inet_peer_maxttl); ++ peer_minttl = READ_ONCE(inet_peer_minttl); ++ ++ if (base->total >= peer_threshold) + ttl = 0; /* be aggressive */ + else +- ttl = inet_peer_maxttl +- - (inet_peer_maxttl - inet_peer_minttl) / HZ * +- base->total / inet_peer_threshold * HZ; ++ ttl = peer_maxttl - (peer_maxttl - peer_minttl) / HZ * ++ base->total / peer_threshold * HZ; + for (i = 0; i < gc_cnt; i++) { + p = gc_stack[i]; + +-- +2.35.1 + diff --git a/queue-5.4/ipv4-fix-a-data-race-around-sysctl_fib_sync_mem.patch b/queue-5.4/ipv4-fix-a-data-race-around-sysctl_fib_sync_mem.patch new file mode 100644 index 00000000000..d27a4a1e96f --- /dev/null +++ b/queue-5.4/ipv4-fix-a-data-race-around-sysctl_fib_sync_mem.patch @@ -0,0 +1,36 @@ +From 007a3f783cf7e406af252d77310e7a793e852e09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 16:40:03 -0700 +Subject: ipv4: Fix a data-race around sysctl_fib_sync_mem. + +From: Kuniyuki Iwashima + +[ Upstream commit 73318c4b7dbd0e781aaababff17376b2894745c0 ] + +While reading sysctl_fib_sync_mem, it can be changed concurrently. +So, we need to add READ_ONCE() to avoid a data-race. + +Fixes: 9ab948a91b2c ("ipv4: Allow amount of dirty memory from fib resizing to be controllable") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_trie.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index 51673d00bbea..a1f830da4ad3 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -500,7 +500,7 @@ static void tnode_free(struct key_vector *tn) + tn = container_of(head, struct tnode, rcu)->kv; + } + +- if (tnode_free_size >= sysctl_fib_sync_mem) { ++ if (tnode_free_size >= READ_ONCE(sysctl_fib_sync_mem)) { + tnode_free_size = 0; + synchronize_rcu(); + } +-- +2.35.1 + diff --git a/queue-5.4/ipv4-fix-data-races-around-sysctl_ip_dynaddr.patch b/queue-5.4/ipv4-fix-data-races-around-sysctl_ip_dynaddr.patch new file mode 100644 index 00000000000..38ba6162caa --- /dev/null +++ b/queue-5.4/ipv4-fix-data-races-around-sysctl_ip_dynaddr.patch @@ -0,0 +1,59 @@ +From 2f2a7d4d278d60d621d9c66c4e6029144ee09fab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 17:15:32 -0700 +Subject: ipv4: Fix data-races around sysctl_ip_dynaddr. + +From: Kuniyuki Iwashima + +[ Upstream commit e49e4aff7ec19b2d0d0957ee30e93dade57dab9e ] + +While reading sysctl_ip_dynaddr, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its readers. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + Documentation/networking/ip-sysctl.txt | 2 +- + net/ipv4/af_inet.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt +index f60d4159fff4..787a9c077ef1 100644 +--- a/Documentation/networking/ip-sysctl.txt ++++ b/Documentation/networking/ip-sysctl.txt +@@ -953,7 +953,7 @@ ip_nonlocal_bind - BOOLEAN + which can be quite useful - but may break some applications. + Default: 0 + +-ip_dynaddr - BOOLEAN ++ip_dynaddr - INTEGER + If set non-zero, enables support for dynamic addresses. + If set to a non-zero value larger than 1, a kernel log + message will be printed when dynamic address rewriting +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index a7a6b1adb698..9ab73fcc7411 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -1215,7 +1215,7 @@ static int inet_sk_reselect_saddr(struct sock *sk) + if (new_saddr == old_saddr) + return 0; + +- if (sock_net(sk)->ipv4.sysctl_ip_dynaddr > 1) { ++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_ip_dynaddr) > 1) { + pr_info("%s(): shifting inet->saddr from %pI4 to %pI4\n", + __func__, &old_saddr, &new_saddr); + } +@@ -1270,7 +1270,7 @@ int inet_sk_rebuild_header(struct sock *sk) + * Other protocols have to map its equivalent state to TCP_SYN_SENT. + * DCCP maps its DCCP_REQUESTING state to TCP_SYN_SENT. -acme + */ +- if (!sock_net(sk)->ipv4.sysctl_ip_dynaddr || ++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_ip_dynaddr) || + sk->sk_state != TCP_SYN_SENT || + (sk->sk_userlocks & SOCK_BINDADDR_LOCK) || + (err = inet_sk_reselect_saddr(sk)) != 0) +-- +2.35.1 + diff --git a/queue-5.4/mm-sysctl-fix-missing-numa_stat-when-config_hugetlb_.patch b/queue-5.4/mm-sysctl-fix-missing-numa_stat-when-config_hugetlb_.patch new file mode 100644 index 00000000000..26bcc86ab30 --- /dev/null +++ b/queue-5.4/mm-sysctl-fix-missing-numa_stat-when-config_hugetlb_.patch @@ -0,0 +1,66 @@ +From 55f04d336b57321d22607afed71e1022c5b03b16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jun 2022 18:40:32 +0800 +Subject: mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE + +From: Muchun Song + +[ Upstream commit 43b5240ca6b33108998810593248186b1e3ae34a ] + +"numa_stat" should not be included in the scope of CONFIG_HUGETLB_PAGE, if +CONFIG_HUGETLB_PAGE is not configured even if CONFIG_NUMA is configured, +"numa_stat" is missed form /proc. Move it out of CONFIG_HUGETLB_PAGE to +fix it. + +Fixes: 4518085e127d ("mm, sysctl: make NUMA stats configurable") +Signed-off-by: Muchun Song +Cc: +Acked-by: Michal Hocko +Acked-by: Mel Gorman +Signed-off-by: Luis Chamberlain +Signed-off-by: Sasha Levin +--- + kernel/sysctl.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 0457d36540e3..6f971807bf79 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1443,6 +1443,17 @@ static struct ctl_table vm_table[] = { + .extra1 = SYSCTL_ZERO, + .extra2 = &one_hundred, + }, ++#ifdef CONFIG_NUMA ++ { ++ .procname = "numa_stat", ++ .data = &sysctl_vm_numa_stat, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = sysctl_vm_numa_stat_handler, ++ .extra1 = SYSCTL_ZERO, ++ .extra2 = SYSCTL_ONE, ++ }, ++#endif + #ifdef CONFIG_HUGETLB_PAGE + { + .procname = "nr_hugepages", +@@ -1459,15 +1470,6 @@ static struct ctl_table vm_table[] = { + .mode = 0644, + .proc_handler = &hugetlb_mempolicy_sysctl_handler, + }, +- { +- .procname = "numa_stat", +- .data = &sysctl_vm_numa_stat, +- .maxlen = sizeof(int), +- .mode = 0644, +- .proc_handler = sysctl_vm_numa_stat_handler, +- .extra1 = SYSCTL_ZERO, +- .extra2 = SYSCTL_ONE, +- }, + #endif + { + .procname = "hugetlb_shm_group", +-- +2.35.1 + diff --git a/queue-5.4/net-fix-data-races-around-sysctl_mem.patch b/queue-5.4/net-fix-data-races-around-sysctl_mem.patch new file mode 100644 index 00000000000..a514de7f0c9 --- /dev/null +++ b/queue-5.4/net-fix-data-races-around-sysctl_mem.patch @@ -0,0 +1,36 @@ +From 48d7d10b64d91ea1b5081ea6b65ed62f9bb793e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 16:40:00 -0700 +Subject: net: Fix data-races around sysctl_mem. + +From: Kuniyuki Iwashima + +[ Upstream commit 310731e2f1611d1d13aae237abcf8e66d33345d5 ] + +While reading .sysctl_mem, it can be changed concurrently. +So, we need to add READ_ONCE() to avoid data-races. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 7f213cfcb3cc..9d687070d272 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1400,7 +1400,7 @@ void __sk_mem_reclaim(struct sock *sk, int amount); + /* sysctl_mem values are in pages, we convert them in SK_MEM_QUANTUM units */ + static inline long sk_prot_mem_limits(const struct sock *sk, int index) + { +- long val = sk->sk_prot->sysctl_mem[index]; ++ long val = READ_ONCE(sk->sk_prot->sysctl_mem[index]); + + #if PAGE_SIZE > SK_MEM_QUANTUM + val <<= PAGE_SHIFT - SK_MEM_QUANTUM_SHIFT; +-- +2.35.1 + diff --git a/queue-5.4/net-ftgmac100-hold-reference-returned-by-of_get_chil.patch b/queue-5.4/net-ftgmac100-hold-reference-returned-by-of_get_chil.patch new file mode 100644 index 00000000000..93011fe0b52 --- /dev/null +++ b/queue-5.4/net-ftgmac100-hold-reference-returned-by-of_get_chil.patch @@ -0,0 +1,57 @@ +From 0323c2e17c7434a2f239ff5228bec3e9d9f2d1cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 14:14:17 +0800 +Subject: net: ftgmac100: Hold reference returned by of_get_child_by_name() + +From: Liang He + +[ Upstream commit 49b9f431ff0d845a36be0b3ede35ec324f2e5fee ] + +In ftgmac100_probe(), we should hold the refernece returned by +of_get_child_by_name() and use it to call of_node_put() for +reference balance. + +Fixes: 39bfab8844a0 ("net: ftgmac100: Add support for DT phy-handle property") +Signed-off-by: Liang He +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/faraday/ftgmac100.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c +index d7478d332820..98e94d914597 100644 +--- a/drivers/net/ethernet/faraday/ftgmac100.c ++++ b/drivers/net/ethernet/faraday/ftgmac100.c +@@ -1734,6 +1734,19 @@ static void ftgmac100_setup_clk(struct ftgmac100 *priv) + FTGMAC_100MHZ); + } + ++static bool ftgmac100_has_child_node(struct device_node *np, const char *name) ++{ ++ struct device_node *child_np = of_get_child_by_name(np, name); ++ bool ret = false; ++ ++ if (child_np) { ++ ret = true; ++ of_node_put(child_np); ++ } ++ ++ return ret; ++} ++ + static int ftgmac100_probe(struct platform_device *pdev) + { + struct resource *res; +@@ -1850,7 +1863,7 @@ static int ftgmac100_probe(struct platform_device *pdev) + + /* Display what we found */ + phy_attached_info(phy); +- } else if (np && !of_get_child_by_name(np, "mdio")) { ++ } else if (np && !ftgmac100_has_child_node(np, "mdio")) { + /* Support legacy ASPEED devicetree descriptions that decribe a + * MAC with an embedded MDIO controller but have no "mdio" + * child node. Automatically scan the MDIO bus for available +-- +2.35.1 + diff --git a/queue-5.4/net-stmmac-dwc-qos-disable-split-header-for-tegra194.patch b/queue-5.4/net-stmmac-dwc-qos-disable-split-header-for-tegra194.patch new file mode 100644 index 00000000000..45881ac1d97 --- /dev/null +++ b/queue-5.4/net-stmmac-dwc-qos-disable-split-header-for-tegra194.patch @@ -0,0 +1,47 @@ +From 26162c1f6e50aa5951ec491267fd4f1f5b548ca3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 09:39:13 +0100 +Subject: net: stmmac: dwc-qos: Disable split header for Tegra194 + +From: Jon Hunter + +[ Upstream commit 029c1c2059e9c4b38f97a06204cdecd10cfbeb8a ] + +There is a long-standing issue with the Synopsys DWC Ethernet driver +for Tegra194 where random system crashes have been observed [0]. The +problem occurs when the split header feature is enabled in the stmmac +driver. In the bad case, a larger than expected buffer length is +received and causes the calculation of the total buffer length to +overflow. This results in a very large buffer length that causes the +kernel to crash. Why this larger buffer length is received is not clear, +however, the feedback from the NVIDIA design team is that the split +header feature is not supported for Tegra194. Therefore, disable split +header support for Tegra194 to prevent these random crashes from +occurring. + +[0] https://lore.kernel.org/linux-tegra/b0b17697-f23e-8fa5-3757-604a86f3a095@nvidia.com/ + +Fixes: 67afd6d1cfdf ("net: stmmac: Add Split Header support and enable it in XGMAC cores") +Signed-off-by: Jon Hunter +Link: https://lore.kernel.org/r/20220706083913.13750-1-jonathanh@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-dwc-qos-eth.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-dwc-qos-eth.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-dwc-qos-eth.c +index dd9967aeda22..0f0094ced776 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-dwc-qos-eth.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-dwc-qos-eth.c +@@ -357,6 +357,7 @@ static void *tegra_eqos_probe(struct platform_device *pdev, + data->fix_mac_speed = tegra_eqos_fix_speed; + data->init = tegra_eqos_init; + data->bsp_priv = eqos; ++ data->sph_disable = 1; + + err = tegra_eqos_init(pdev, eqos); + if (err < 0) +-- +2.35.1 + diff --git a/queue-5.4/raw-fix-a-data-race-around-sysctl_raw_l3mdev_accept.patch b/queue-5.4/raw-fix-a-data-race-around-sysctl_raw_l3mdev_accept.patch new file mode 100644 index 00000000000..fba8dc57ddc --- /dev/null +++ b/queue-5.4/raw-fix-a-data-race-around-sysctl_raw_l3mdev_accept.patch @@ -0,0 +1,36 @@ +From 85560a8db4144bb66fdc6272f12b69c863a36cfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 17:15:29 -0700 +Subject: raw: Fix a data-race around sysctl_raw_l3mdev_accept. + +From: Kuniyuki Iwashima + +[ Upstream commit 1dace014928e6e385363032d359a04dee9158af0 ] + +While reading sysctl_raw_l3mdev_accept, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 6897445fb194 ("net: provide a sysctl raw_l3mdev_accept for raw socket lookup with VRFs") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/raw.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/raw.h b/include/net/raw.h +index 8ad8df594853..c51a635671a7 100644 +--- a/include/net/raw.h ++++ b/include/net/raw.h +@@ -75,7 +75,7 @@ static inline bool raw_sk_bound_dev_eq(struct net *net, int bound_dev_if, + int dif, int sdif) + { + #if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV) +- return inet_bound_dev_eq(!!net->ipv4.sysctl_raw_l3mdev_accept, ++ return inet_bound_dev_eq(READ_ONCE(net->ipv4.sysctl_raw_l3mdev_accept), + bound_dev_if, dif, sdif); + #else + return inet_bound_dev_eq(true, bound_dev_if, dif, sdif); +-- +2.35.1 + diff --git a/queue-5.4/seg6-bpf-fix-skb-checksum-in-bpf_push_seg6_encap.patch b/queue-5.4/seg6-bpf-fix-skb-checksum-in-bpf_push_seg6_encap.patch new file mode 100644 index 00000000000..c7ea91b96a5 --- /dev/null +++ b/queue-5.4/seg6-bpf-fix-skb-checksum-in-bpf_push_seg6_encap.patch @@ -0,0 +1,44 @@ +From 1ceaee6e3a96e24fd7eb886e6e76f1c8fcb0405e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 19:58:37 +0200 +Subject: seg6: bpf: fix skb checksum in bpf_push_seg6_encap() + +From: Andrea Mayer + +[ Upstream commit 4889fbd98deaf243c3baadc54e296d71c6af1eb0 ] + +Both helper functions bpf_lwt_seg6_action() and bpf_lwt_push_encap() use +the bpf_push_seg6_encap() to encapsulate the packet in an IPv6 with Segment +Routing Header (SRH) or insert an SRH between the IPv6 header and the +payload. +To achieve this result, such helper functions rely on bpf_push_seg6_encap() +which, in turn, leverages seg6_do_srh_{encap,inline}() to perform the +required operation (i.e. encap/inline). + +This patch removes the initialization of the IPv6 header payload length +from bpf_push_seg6_encap(), as it is now handled properly by +seg6_do_srh_{encap,inline}() to prevent corruption of the skb checksum. + +Fixes: fe94cc290f53 ("bpf: Add IPv6 Segment Routing helpers") +Signed-off-by: Andrea Mayer +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index eba96343c7af..75f53b5e6389 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -4955,7 +4955,6 @@ static int bpf_push_seg6_encap(struct sk_buff *skb, u32 type, void *hdr, u32 len + if (err) + return err; + +- ipv6_hdr(skb)->payload_len = htons(skb->len - sizeof(struct ipv6hdr)); + skb_set_transport_header(skb, sizeof(struct ipv6hdr)); + + return seg6_lookup_nexthop(skb, NULL, 0); +-- +2.35.1 + diff --git a/queue-5.4/seg6-fix-skb-checksum-evaluation-in-srh-encapsulatio.patch b/queue-5.4/seg6-fix-skb-checksum-evaluation-in-srh-encapsulatio.patch new file mode 100644 index 00000000000..697b0f7695d --- /dev/null +++ b/queue-5.4/seg6-fix-skb-checksum-evaluation-in-srh-encapsulatio.patch @@ -0,0 +1,73 @@ +From c5bfb3a903e91fe0c06367da56331931a4047233 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 19:58:35 +0200 +Subject: seg6: fix skb checksum evaluation in SRH encapsulation/insertion + +From: Andrea Mayer + +[ Upstream commit df8386d13ea280d55beee1b95f61a59234a3798b ] + +Support for SRH encapsulation and insertion was introduced with +commit 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and +injection with lwtunnels"), through the seg6_do_srh_encap() and +seg6_do_srh_inline() functions, respectively. +The former encapsulates the packet in an outer IPv6 header along with +the SRH, while the latter inserts the SRH between the IPv6 header and +the payload. Then, the headers are initialized/updated according to the +operating mode (i.e., encap/inline). +Finally, the skb checksum is calculated to reflect the changes applied +to the headers. + +The IPv6 payload length ('payload_len') is not initialized +within seg6_do_srh_{inline,encap}() but is deferred in seg6_do_srh(), i.e. +the caller of seg6_do_srh_{inline,encap}(). +However, this operation invalidates the skb checksum, since the +'payload_len' is updated only after the checksum is evaluated. + +To solve this issue, the initialization of the IPv6 payload length is +moved from seg6_do_srh() directly into the seg6_do_srh_{inline,encap}() +functions and before the skb checksum update takes place. + +Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") +Reported-by: Paolo Abeni +Link: https://lore.kernel.org/all/20220705190727.69d532417be7438b15404ee1@uniroma2.it +Signed-off-by: Andrea Mayer +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_iptunnel.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c +index 6954db1fd26e..b626e0b62a54 100644 +--- a/net/ipv6/seg6_iptunnel.c ++++ b/net/ipv6/seg6_iptunnel.c +@@ -171,6 +171,8 @@ int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh, int proto) + } + #endif + ++ hdr->payload_len = htons(skb->len - sizeof(struct ipv6hdr)); ++ + skb_postpush_rcsum(skb, hdr, tot_len); + + return 0; +@@ -223,6 +225,8 @@ int seg6_do_srh_inline(struct sk_buff *skb, struct ipv6_sr_hdr *osrh) + } + #endif + ++ hdr->payload_len = htons(skb->len - sizeof(struct ipv6hdr)); ++ + skb_postpush_rcsum(skb, hdr, sizeof(struct ipv6hdr) + hdrlen); + + return 0; +@@ -284,7 +288,6 @@ static int seg6_do_srh(struct sk_buff *skb) + break; + } + +- ipv6_hdr(skb)->payload_len = htons(skb->len - sizeof(struct ipv6hdr)); + skb_set_transport_header(skb, sizeof(struct ipv6hdr)); + + return 0; +-- +2.35.1 + diff --git a/queue-5.4/seg6-fix-skb-checksum-in-srv6-end.b6-and-end.b6.enca.patch b/queue-5.4/seg6-fix-skb-checksum-in-srv6-end.b6-and-end.b6.enca.patch new file mode 100644 index 00000000000..0ffa37fa84a --- /dev/null +++ b/queue-5.4/seg6-fix-skb-checksum-in-srv6-end.b6-and-end.b6.enca.patch @@ -0,0 +1,51 @@ +From b0589dd89374e709c8145149292158b977f646d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 19:58:36 +0200 +Subject: seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors + +From: Andrea Mayer + +[ Upstream commit f048880fc77058d864aff5c674af7918b30f312a ] + +The SRv6 End.B6 and End.B6.Encaps behaviors rely on functions +seg6_do_srh_{encap,inline}() to, respectively: i) encapsulate the +packet within an outer IPv6 header with the specified Segment Routing +Header (SRH); ii) insert the specified SRH directly after the IPv6 +header of the packet. + +This patch removes the initialization of the IPv6 header payload length +from the input_action_end_b6{_encap}() functions, as it is now handled +properly by seg6_do_srh_{encap,inline}() to avoid corruption of the skb +checksum. + +Fixes: 140f04c33bbc ("ipv6: sr: implement several seg6local actions") +Signed-off-by: Andrea Mayer +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_local.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c +index 802eebf8ac4b..ef5b5cee2201 100644 +--- a/net/ipv6/seg6_local.c ++++ b/net/ipv6/seg6_local.c +@@ -421,7 +421,6 @@ static int input_action_end_b6(struct sk_buff *skb, struct seg6_local_lwt *slwt) + if (err) + goto drop; + +- ipv6_hdr(skb)->payload_len = htons(skb->len - sizeof(struct ipv6hdr)); + skb_set_transport_header(skb, sizeof(struct ipv6hdr)); + + seg6_lookup_nexthop(skb, NULL, 0); +@@ -453,7 +452,6 @@ static int input_action_end_b6_encap(struct sk_buff *skb, + if (err) + goto drop; + +- ipv6_hdr(skb)->payload_len = htons(skb->len - sizeof(struct ipv6hdr)); + skb_set_transport_header(skb, sizeof(struct ipv6hdr)); + + seg6_lookup_nexthop(skb, NULL, 0); +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 22135fe847f..8ce8eff53cb 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -16,3 +16,29 @@ nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch revert-evm-fix-memleak-in-init_desc.patch sched-rt-disable-rt_runtime_share-by-default.patch ext4-fix-race-condition-between-ext4_write-and-ext4_convert_inline_data.patch +arm-dts-imx6qdl-ts7970-fix-ngpio-typo-and-count.patch +arm-9209-1-spectre-bhb-avoid-pr_info-every-time-a-cp.patch +arm-9210-1-mark-the-fdt_fixed-sections-as-shareable.patch +drm-i915-fix-a-possible-refcount-leak-in-intel_dp_ad.patch +ima-fix-a-potential-integer-overflow-in-ima_appraise.patch +asoc-sgtl5000-fix-noise-on-shutdown-remove.patch +net-stmmac-dwc-qos-disable-split-header-for-tegra194.patch +inetpeer-fix-data-races-around-sysctl.patch +net-fix-data-races-around-sysctl_mem.patch +cipso-fix-data-races-around-sysctl.patch +icmp-fix-data-races-around-sysctl.patch +ipv4-fix-a-data-race-around-sysctl_fib_sync_mem.patch +arm-dts-at91-sama5d2-fix-typo-in-i2s1-node.patch +arm-dts-sunxi-fix-spi-nor-campatible-on-orange-pi-ze.patch +drm-i915-gt-serialize-tlb-invalidates-with-gt-resets.patch +icmp-fix-a-data-race-around-sysctl_icmp_ratelimit.patch +icmp-fix-a-data-race-around-sysctl_icmp_ratemask.patch +raw-fix-a-data-race-around-sysctl_raw_l3mdev_accept.patch +ipv4-fix-data-races-around-sysctl_ip_dynaddr.patch +net-ftgmac100-hold-reference-returned-by-of_get_chil.patch +sfc-fix-use-after-free-when-disabling-sriov.patch +seg6-fix-skb-checksum-evaluation-in-srh-encapsulatio.patch +seg6-fix-skb-checksum-in-srv6-end.b6-and-end.b6.enca.patch +seg6-bpf-fix-skb-checksum-in-bpf_push_seg6_encap.patch +sfc-fix-kernel-panic-when-creating-vf.patch +mm-sysctl-fix-missing-numa_stat-when-config_hugetlb_.patch diff --git a/queue-5.4/sfc-fix-kernel-panic-when-creating-vf.patch b/queue-5.4/sfc-fix-kernel-panic-when-creating-vf.patch new file mode 100644 index 00000000000..d235db441ce --- /dev/null +++ b/queue-5.4/sfc-fix-kernel-panic-when-creating-vf.patch @@ -0,0 +1,71 @@ +From b4f57365645f3d56a8a8db27a853b1a368efeb54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jul 2022 11:21:16 +0200 +Subject: sfc: fix kernel panic when creating VF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit ada74c5539eba06cf8b47d068f92e0b3963a9a6e ] + +When creating VFs a kernel panic can happen when calling to +efx_ef10_try_update_nic_stats_vf. + +When releasing a DMA coherent buffer, sometimes, I don't know in what +specific circumstances, it has to unmap memory with vunmap. It is +disallowed to do that in IRQ context or with BH disabled. Otherwise, we +hit this line in vunmap, causing the crash: + BUG_ON(in_interrupt()); + +This patch reenables BH to release the buffer. + +Log messages when the bug is hit: + kernel BUG at mm/vmalloc.c:2727! + invalid opcode: 0000 [#1] PREEMPT SMP NOPTI + CPU: 6 PID: 1462 Comm: NetworkManager Kdump: loaded Tainted: G I --------- --- 5.14.0-119.el9.x86_64 #1 + Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020 + RIP: 0010:vunmap+0x2e/0x30 + ...skip... + Call Trace: + __iommu_dma_free+0x96/0x100 + efx_nic_free_buffer+0x2b/0x40 [sfc] + efx_ef10_try_update_nic_stats_vf+0x14a/0x1c0 [sfc] + efx_ef10_update_stats_vf+0x18/0x40 [sfc] + efx_start_all+0x15e/0x1d0 [sfc] + efx_net_open+0x5a/0xe0 [sfc] + __dev_open+0xe7/0x1a0 + __dev_change_flags+0x1d7/0x240 + dev_change_flags+0x21/0x60 + ...skip... + +Fixes: d778819609a2 ("sfc: DMA the VF stats only when requested") +Reported-by: Ma Yuying +Signed-off-by: Íñigo Huguet +Acked-by: Edward Cree +Link: https://lore.kernel.org/r/20220713092116.21238-1-ihuguet@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index 936e64dd81b5..b23741d3c9be 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -2056,7 +2056,10 @@ static int efx_ef10_try_update_nic_stats_vf(struct efx_nic *efx) + + efx_update_sw_stats(efx, stats); + out: ++ /* releasing a DMA coherent buffer with BH disabled can panic */ ++ spin_unlock_bh(&efx->stats_lock); + efx_nic_free_buffer(efx, &stats_buf); ++ spin_lock_bh(&efx->stats_lock); + return rc; + } + +-- +2.35.1 + diff --git a/queue-5.4/sfc-fix-use-after-free-when-disabling-sriov.patch b/queue-5.4/sfc-fix-use-after-free-when-disabling-sriov.patch new file mode 100644 index 00000000000..3ef86b9dc89 --- /dev/null +++ b/queue-5.4/sfc-fix-use-after-free-when-disabling-sriov.patch @@ -0,0 +1,113 @@ +From df254a48327b6a3857f101c64f3bc32ec1452669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 08:26:42 +0200 +Subject: sfc: fix use after free when disabling sriov +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit ebe41da5d47ac0fff877e57bd14c54dccf168827 ] + +Use after free is detected by kfence when disabling sriov. What was read +after being freed was vf->pci_dev: it was freed from pci_disable_sriov +and later read in efx_ef10_sriov_free_vf_vports, called from +efx_ef10_sriov_free_vf_vswitching. + +Set the pointer to NULL at release time to not trying to read it later. + +Reproducer and dmesg log (note that kfence doesn't detect it every time): +$ echo 1 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs +$ echo 0 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs + + BUG: KFENCE: use-after-free read in efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc] + + Use-after-free read at 0x00000000ff3c1ba5 (in kfence-#224): + efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc] + efx_ef10_pci_sriov_disable+0x38/0x70 [sfc] + efx_pci_sriov_configure+0x24/0x40 [sfc] + sriov_numvfs_store+0xfe/0x140 + kernfs_fop_write_iter+0x11c/0x1b0 + new_sync_write+0x11f/0x1b0 + vfs_write+0x1eb/0x280 + ksys_write+0x5f/0xe0 + do_syscall_64+0x5c/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + kfence-#224: 0x00000000edb8ef95-0x00000000671f5ce1, size=2792, cache=kmalloc-4k + + allocated by task 6771 on cpu 10 at 3137.860196s: + pci_alloc_dev+0x21/0x60 + pci_iov_add_virtfn+0x2a2/0x320 + sriov_enable+0x212/0x3e0 + efx_ef10_sriov_configure+0x67/0x80 [sfc] + efx_pci_sriov_configure+0x24/0x40 [sfc] + sriov_numvfs_store+0xba/0x140 + kernfs_fop_write_iter+0x11c/0x1b0 + new_sync_write+0x11f/0x1b0 + vfs_write+0x1eb/0x280 + ksys_write+0x5f/0xe0 + do_syscall_64+0x5c/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + freed by task 6771 on cpu 12 at 3170.991309s: + device_release+0x34/0x90 + kobject_cleanup+0x3a/0x130 + pci_iov_remove_virtfn+0xd9/0x120 + sriov_disable+0x30/0xe0 + efx_ef10_pci_sriov_disable+0x57/0x70 [sfc] + efx_pci_sriov_configure+0x24/0x40 [sfc] + sriov_numvfs_store+0xfe/0x140 + kernfs_fop_write_iter+0x11c/0x1b0 + new_sync_write+0x11f/0x1b0 + vfs_write+0x1eb/0x280 + ksys_write+0x5f/0xe0 + do_syscall_64+0x5c/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 3c5eb87605e85 ("sfc: create vports for VFs and assign random MAC addresses") +Reported-by: Yanghang Liu +Signed-off-by: Íñigo Huguet +Acked-by: Martin Habets +Link: https://lore.kernel.org/r/20220712062642.6915-1-ihuguet@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10_sriov.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c +index e7c6aa29d323..b318ce83f5bf 100644 +--- a/drivers/net/ethernet/sfc/ef10_sriov.c ++++ b/drivers/net/ethernet/sfc/ef10_sriov.c +@@ -412,8 +412,9 @@ static int efx_ef10_pci_sriov_enable(struct efx_nic *efx, int num_vfs) + static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force) + { + struct pci_dev *dev = efx->pci_dev; ++ struct efx_ef10_nic_data *nic_data = efx->nic_data; + unsigned int vfs_assigned = pci_vfs_assigned(dev); +- int rc = 0; ++ int i, rc = 0; + + if (vfs_assigned && !force) { + netif_info(efx, drv, efx->net_dev, "VFs are assigned to guests; " +@@ -421,10 +422,13 @@ static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force) + return -EBUSY; + } + +- if (!vfs_assigned) ++ if (!vfs_assigned) { ++ for (i = 0; i < efx->vf_count; i++) ++ nic_data->vf[i].pci_dev = NULL; + pci_disable_sriov(dev); +- else ++ } else { + rc = -EBUSY; ++ } + + efx_ef10_sriov_free_vf_vswitching(efx); + efx->vf_count = 0; +-- +2.35.1 + -- 2.47.3