From 8176483c1bb19ef87262bf3d05aabcacbc2bcfa8 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Mon, 4 Jul 2022 15:25:30 +0200
Subject: [PATCH] 5.15-stable patches
added patches:
caif_virtio-fix-race-between-virtio_device_ready-and-ndo_open.patch
epic100-fix-use-after-free-on-rmmod.patch
io_uring-ensure-that-send-sendmsg-and-recv-recvmsg-check-sqe-ioprio.patch
net-asix-fix-can-t-send-until-first-packet-is-send-issue.patch
net-bonding-fix-possible-null-deref-in-rlb-code.patch
net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch
net-dsa-hirschmann-add-missing-of_node_get-in-hellcreek_led_setup.patch
net-phy-ax88772a-fix-lost-pause-advertisement-configuration.patch
net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch
netfilter-nft_dynset-restore-set-element-counter-when-failing-to-update.patch
nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch
nfc-nxp-nci-don-t-issue-a-zero-length-i2c_master_read.patch
pm-devfreq-exynos-ppmu-fix-refcount-leak-in-of_get_devfreq_events.patch
powerpc-memhotplug-add-add_pages-override-for-ppc.patch
s390-remove-unneeded-select-build_bin2c.patch
tipc-move-bc-link-creation-back-to-tipc_node_create.patch
vdpa-mlx5-update-control-vq-callback-information.patch
vfs-fix-copy_file_range-regression-in-cross-fs-copies.patch
---
 ...een-virtio_device_ready-and-ndo_open.patch | 54 ++++
 .../epic100-fix-use-after-free-on-rmmod.patch | 50 ++++
 ...ap-command-overwriting-poll-response.patch | 154 -----------
 ...sg-and-recv-recvmsg-check-sqe-ioprio.patch | 44 +++
 ...end-until-first-packet-is-send-issue.patch | 41 +++
 ...-fix-possible-null-deref-in-rlb-code.patch | 140 ++++++++++
 ...fter-free-after-802.3ad-slave-unbind.patch | 63 +++++
 ...g-of_node_get-in-hellcreek_led_setup.patch | 31 +++
 ...st-pause-advertisement-configuration.patch | 44 +++
 ...ny-actions-were-flushed-before-error.patch | 81 ++++++
 ...ement-counter-when-failing-to-update.patch | 44 +++
 ...ix-irq_of_parse_and_map-return-value.patch | 52 ++++
 ...-issue-a-zero-length-i2c_master_read.patch | 36 +++
 ...fcount-leak-in-of_get_devfreq_events.patch | 47 ++++
 ...tplug-add-add_pages-override-for-ppc.patch | 114 ++++++++
 ...0-remove-unneeded-select-build_bin2c.patch | 33 +++
 queue-5.15/series | 19 +-
 ...nk-creation-back-to-tipc_node_create.patch | 123 +++++++++
 ...date-control-vq-callback-information.patch | 34 +++
 ..._range-regression-in-cross-fs-copies.patch | 251 ++++++++++++++++++
 20 files changed, 1300 insertions(+), 155 deletions(-)
 create mode 100644 queue-5.15/caif_virtio-fix-race-between-virtio_device_ready-and-ndo_open.patch
 create mode 100644 queue-5.15/epic100-fix-use-after-free-on-rmmod.patch
 delete mode 100644 queue-5.15/hwmon-occ-prevent-power-cap-command-overwriting-poll-response.patch
 create mode 100644 queue-5.15/io_uring-ensure-that-send-sendmsg-and-recv-recvmsg-check-sqe-ioprio.patch
 create mode 100644 queue-5.15/net-asix-fix-can-t-send-until-first-packet-is-send-issue.patch
 create mode 100644 queue-5.15/net-bonding-fix-possible-null-deref-in-rlb-code.patch
 create mode 100644 queue-5.15/net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch
 create mode 100644 queue-5.15/net-dsa-hirschmann-add-missing-of_node_get-in-hellcreek_led_setup.patch
 create mode 100644 queue-5.15/net-phy-ax88772a-fix-lost-pause-advertisement-configuration.patch
 create mode 100644 queue-5.15/net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch
 create mode 100644 queue-5.15/netfilter-nft_dynset-restore-set-element-counter-when-failing-to-update.patch
 create mode 100644 queue-5.15/nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch
 create mode 100644 queue-5.15/nfc-nxp-nci-don-t-issue-a-zero-length-i2c_master_read.patch
 create mode 100644 queue-5.15/pm-devfreq-exynos-ppmu-fix-refcount-leak-in-of_get_devfreq_events.patch
 create mode 100644 queue-5.15/powerpc-memhotplug-add-add_pages-override-for-ppc.patch
 create mode 100644 queue-5.15/s390-remove-unneeded-select-build_bin2c.patch
 create mode 100644 queue-5.15/tipc-move-bc-link-creation-back-to-tipc_node_create.patch
 create mode 100644 queue-5.15/vdpa-mlx5-update-control-vq-callback-information.patch
 create mode 100644 queue-5.15/vfs-fix-copy_file_range-regression-in-cross-fs-copies.patch
diff --git a/queue-5.15/caif_virtio-fix-race-between-virtio_device_ready-and-ndo_open.patch b/queue-5.15/caif_virtio-fix-race-between-virtio_device_ready-and-ndo_open.patch
new file mode 100644
index 00000000000..558e31edbd9
--- /dev/null
+++ b/queue-5.15/caif_virtio-fix-race-between-virtio_device_ready-and-ndo_open.patch
@@ -0,0 +1,54 @@
+From 11a37eb66812ce6a06b79223ad530eb0e1d7294d Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Mon, 20 Jun 2022 13:11:14 +0800
+Subject: caif_virtio: fix race between virtio_device_ready() and ndo_open()
+
+From: Jason Wang
+
+commit 11a37eb66812ce6a06b79223ad530eb0e1d7294d upstream.
+
+We currently depend on probe() calling virtio_device_ready() -
+which happens after netdev
+registration. Since ndo_open() can be called immediately
+after register_netdev, this means there exists a race between
+ndo_open() and virtio_device_ready(): the driver may start to use the
+device (e.g. TX) before DRIVER_OK which violates the spec.
+
+Fix this by switching to use register_netdevice() and protect the
+virtio_device_ready() with rtnl_lock() to make sure ndo_open() can
+only be called after virtio_device_ready().
+
+Fixes: 0d2e1a2926b18 ("caif_virtio: Introduce caif over virtio")
+Signed-off-by: Jason Wang
+Message-Id: <20220620051115.3142-3-jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/caif/caif_virtio.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/caif/caif_virtio.c
++++ b/drivers/net/caif/caif_virtio.c
+@@ -721,13 +721,21 @@ static int cfv_probe(struct virtio_devic
+ /* Carrier is off until netdevice is opened */
+ netif_carrier_off(netdev);
+
++ /* serialize netdev register + virtio_device_ready() with ndo_open() */
++ rtnl_lock();
++
+ /* register Netdev */
+- err = register_netdev(netdev);
++ err = register_netdevice(netdev);
+ if (err) {
++ rtnl_unlock();
+ dev_err(&vdev->dev, "Unable to register netdev (%d)\n", err);
+ goto err;
+ }
+
++ virtio_device_ready(vdev);
++
++ rtnl_unlock();
++
+ debugfs_init(cfv);
+
+ return 0;
diff --git a/queue-5.15/epic100-fix-use-after-free-on-rmmod.patch b/queue-5.15/epic100-fix-use-after-free-on-rmmod.patch
new file mode 100644
index 00000000000..3e44f716680
--- /dev/null
+++ b/queue-5.15/epic100-fix-use-after-free-on-rmmod.patch
@@ -0,0 +1,50 @@
+From 8ee9d82cd0a45e7d050ade598c9f33032a0f2891 Mon Sep 17 00:00:00 2001
+From: Tong Zhang
+Date: Sun, 26 Jun 2022 21:33:48 -0700
+Subject: epic100: fix use after free on rmmod
+
+From: Tong Zhang
+
+commit 8ee9d82cd0a45e7d050ade598c9f33032a0f2891 upstream.
+
+epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
+we already freed the dma buffer. To fix this issue, reorder function calls
+like in the .probe function.
+
+BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
+Call Trace:
+ epic_rx+0xa6/0x7e0 [epic100]
+ epic_close+0xec/0x2f0 [epic100]
+ unregister_netdev+0x18/0x20
+ epic_remove_one+0xaa/0xf0 [epic100]
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Yilun Wu
+Signed-off-by: Tong Zhang
+Reviewed-by: Francois Romieu
+Link: https://lore.kernel.org/r/20220627043351.25615-1-ztong0001@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/smsc/epic100.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/smsc/epic100.c
++++ b/drivers/net/ethernet/smsc/epic100.c
+@@ -1513,14 +1513,14 @@ static void epic_remove_one(struct pci_d
+ struct net_device *dev = pci_get_drvdata(pdev);
+ struct epic_private *ep = netdev_priv(dev);
+
++ unregister_netdev(dev);
+ dma_free_coherent(&pdev->dev, TX_TOTAL_SIZE, ep->tx_ring,
+ ep->tx_ring_dma);
+ dma_free_coherent(&pdev->dev, RX_TOTAL_SIZE, ep->rx_ring,
+ ep->rx_ring_dma);
+- unregister_netdev(dev);
+ pci_iounmap(pdev, ep->ioaddr);
+- pci_release_regions(pdev);
+ free_netdev(dev);
++ pci_release_regions(pdev);
+ pci_disable_device(pdev);
+ /* pci_power_off(pdev, -1); */
+ }
diff --git a/queue-5.15/hwmon-occ-prevent-power-cap-command-overwriting-poll-response.patch b/queue-5.15/hwmon-occ-prevent-power-cap-command-overwriting-poll-response.patch
deleted file mode 100644
index 0ad6027f20b..00000000000
--- a/queue-5.15/hwmon-occ-prevent-power-cap-command-overwriting-poll-response.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From 1bbb2809040a1f9c7c53c9f06c21aa83275ed27b Mon Sep 17 00:00:00 2001
-From: Eddie James
-Date: Tue, 28 Jun 2022 15:30:29 -0500
-Subject: hwmon: (occ) Prevent power cap command overwriting poll response
-
-From: Eddie James
-
-commit 1bbb2809040a1f9c7c53c9f06c21aa83275ed27b upstream.
-
-Currently, the response to the power cap command overwrites the
-first eight bytes of the poll response, since the commands use
-the same buffer. This means that user's get the wrong data between
-the time of sending the power cap and the next poll response update.
-Fix this by specifying a different buffer for the power cap command
-response.
-
-Fixes: 5b5513b88002 ("hwmon: Add On-Chip Controller (OCC) hwmon driver")
-Signed-off-by: Eddie James
-Link: https://lore.kernel.org/r/20220628203029.51747-1-eajames@linux.ibm.com
-Signed-off-by: Guenter Roeck
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/hwmon/occ/common.c | 5 +++--
- drivers/hwmon/occ/common.h | 3 ++-
- drivers/hwmon/occ/p8_i2c.c | 13 +++++++------
- drivers/hwmon/occ/p9_sbe.c | 7 +++----
- 4 files changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c
-index ea070b91e5b9..157b73a3da29 100644
---- a/drivers/hwmon/occ/common.c
-+++ b/drivers/hwmon/occ/common.c
-@@ -145,7 +145,7 @@ static int occ_poll(struct occ *occ)
- cmd[6] = 0; /* checksum lsb */
-
- /* mutex should already be locked if necessary */
-- rc = occ->send_cmd(occ, cmd, sizeof(cmd));
-+ rc = occ->send_cmd(occ, cmd, sizeof(cmd), &occ->resp, sizeof(occ->resp));
- if (rc) {
- occ->last_error = rc;
- if (occ->error_count++ > OCC_ERROR_COUNT_THRESHOLD)
-@@ -182,6 +182,7 @@ static int occ_set_user_power_cap(struct occ *occ, u16 user_power_cap)
- {
- int rc;
- u8 cmd[8];
-+ u8 resp[8];
- __be16 user_power_cap_be = cpu_to_be16(user_power_cap);
-
- cmd[0] = 0; /* sequence number */
-@@ -198,7 +199,7 @@ static int occ_set_user_power_cap(struct occ *occ, u16 user_power_cap)
- if (rc)
- return rc;
-
-- rc = occ->send_cmd(occ, cmd, sizeof(cmd));
-+ rc = occ->send_cmd(occ, cmd, sizeof(cmd), resp, sizeof(resp));
-
- mutex_unlock(&occ->lock);
-
-diff --git a/drivers/hwmon/occ/common.h b/drivers/hwmon/occ/common.h
-index 64d5ec7e169b..7ac4b2febce6 100644
---- a/drivers/hwmon/occ/common.h
-+++ b/drivers/hwmon/occ/common.h
-@@ -96,7 +96,8 @@ struct occ {
-
- int powr_sample_time_us; /* average power sample time */
- u8 poll_cmd_data; /* to perform OCC poll command */
-- int (*send_cmd)(struct occ *occ, u8 *cmd, size_t len);
-+ int (*send_cmd)(struct occ *occ, u8 *cmd, size_t len, void *resp,
-+ size_t resp_len);
-
- unsigned long next_update;
- struct mutex lock; /* lock OCC access */
-diff --git a/drivers/hwmon/occ/p8_i2c.c b/drivers/hwmon/occ/p8_i2c.c
-index da39ea28df31..b221be1f35f3 100644
---- a/drivers/hwmon/occ/p8_i2c.c
-+++ b/drivers/hwmon/occ/p8_i2c.c
-@@ -111,7 +111,8 @@ static int p8_i2c_occ_putscom_be(struct i2c_client *client, u32 address,
- be32_to_cpu(data1));
- }
-
--static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
-+static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len,
-+ void *resp, size_t resp_len)
- {
- int i, rc;
- unsigned long start;
-@@ -120,7 +121,7 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
- const long wait_time = msecs_to_jiffies(OCC_CMD_IN_PRG_WAIT_MS);
- struct p8_i2c_occ *ctx = to_p8_i2c_occ(occ);
- struct i2c_client *client = ctx->client;
-- struct occ_response *resp = &occ->resp;
-+ struct occ_response *or = (struct occ_response *)resp;
-
- start = jiffies;
-
-@@ -151,7 +152,7 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
- return rc;
-
- /* wait for OCC */
-- if (resp->return_status == OCC_RESP_CMD_IN_PRG) {
-+ if (or->return_status == OCC_RESP_CMD_IN_PRG) {
- rc = -EALREADY;
-
- if (time_after(jiffies, start + timeout))
-@@ -163,7 +164,7 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
- } while (rc);
-
- /* check the OCC response */
-- switch (resp->return_status) {
-+ switch (or->return_status) {
- case OCC_RESP_CMD_IN_PRG:
- rc = -ETIMEDOUT;
- break;
-@@ -192,8 +193,8 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
- if (rc < 0)
- return rc;
-
-- data_length = get_unaligned_be16(&resp->data_length);
-- if (data_length > OCC_RESP_DATA_BYTES)
-+ data_length = get_unaligned_be16(&or->data_length);
-+ if ((data_length + 7) > resp_len)
- return -EMSGSIZE;
-
- /* fetch the rest of the response data */
-diff --git a/drivers/hwmon/occ/p9_sbe.c b/drivers/hwmon/occ/p9_sbe.c
-index 42fc7b97bb34..a91937e28e12 100644
---- a/drivers/hwmon/occ/p9_sbe.c
-+++ b/drivers/hwmon/occ/p9_sbe.c
-@@ -78,11 +78,10 @@ static bool p9_sbe_occ_save_ffdc(struct p9_sbe_occ *ctx, const void *resp,
- return notify;
- }
-
--static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
-+static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len,
-+ void *resp, size_t resp_len)
- {
-- struct occ_response *resp = &occ->resp;
- struct p9_sbe_occ *ctx = to_p9_sbe_occ(occ);
-- size_t resp_len = sizeof(*resp);
- int rc;
-
- rc = fsi_occ_submit(ctx->sbe, cmd, len, resp, &resp_len);
-@@ -96,7 +95,7 @@ static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
- return rc;
- }
-
-- switch (resp->return_status) {
-+ switch (((struct occ_response *)resp)->return_status) {
- case OCC_RESP_CMD_IN_PRG:
- rc = -ETIMEDOUT;
- break;
---
-2.37.0
-
diff --git a/queue-5.15/io_uring-ensure-that-send-sendmsg-and-recv-recvmsg-check-sqe-ioprio.patch b/queue-5.15/io_uring-ensure-that-send-sendmsg-and-recv-recvmsg-check-sqe-ioprio.patch
new file mode 100644
index 00000000000..8cbd5918664
--- /dev/null
+++ b/queue-5.15/io_uring-ensure-that-send-sendmsg-and-recv-recvmsg-check-sqe-ioprio.patch
@@ -0,0 +1,44 @@
+From foo@baz Mon Jul 4 03:23:28 PM CEST 2022
+From: Jens Axboe
+Date: Thu, 30 Jun 2022 14:42:05 -0600
+Subject: io_uring: ensure that send/sendmsg and recv/recvmsg check sqe->ioprio
+
+From: Jens Axboe
+
+commit 73911426aaaadbae54fa72359b33a7b6a56947db upstream.
+
+All other opcodes correctly check if this is set and -EINVAL if it is
+and they don't support that field, for some reason the these were
+forgotten.
+
+This was unified a bit differently in the upstream tree, but had the
+same effect as making sure we error on this field. Rather than have
+a painful backport of the upstream commit, just fixup the mentioned
+opcodes.
+
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/io_uring.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4788,6 +4788,8 @@ static int io_sendmsg_prep(struct io_kio
+ return -EINVAL;
+ if (unlikely(sqe->addr2 || sqe->file_index))
+ return -EINVAL;
++ if (unlikely(sqe->addr2 || sqe->file_index || sqe->ioprio))
++ return -EINVAL;
+
+ sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
+ sr->len = READ_ONCE(sqe->len);
+@@ -5011,6 +5013,8 @@ static int io_recvmsg_prep(struct io_kio
+ return -EINVAL;
+ if (unlikely(sqe->addr2 || sqe->file_index))
+ return -EINVAL;
++ if (unlikely(sqe->addr2 || sqe->file_index || sqe->ioprio))
++ return -EINVAL;
+
+ sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
+ sr->len = READ_ONCE(sqe->len);
diff --git a/queue-5.15/net-asix-fix-can-t-send-until-first-packet-is-send-issue.patch b/queue-5.15/net-asix-fix-can-t-send-until-first-packet-is-send-issue.patch
new file mode 100644
index 00000000000..ccf95bfe769
--- /dev/null
+++ b/queue-5.15/net-asix-fix-can-t-send-until-first-packet-is-send-issue.patch
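Review bot: In both io_sendmsg_prep and io_recvmsg_prep the added `if (unlikely(sqe->addr2 || sqe->file_index || sqe->ioprio))` sits directly below the existing `if (unlikely(sqe->addr2 || sqe->file_index))`, so the `addr2`/`file_index` part of the new condition can never be true and those two fields are tested twice on every submission. Folding `sqe->ioprio` into the existing line, `if (unlikely(sqe->addr2 || sqe->file_index || sqe->ioprio))` in place of the old check, gives the same -EINVAL behaviour with one test; if the preference for the stable backport is to only add lines, `if (unlikely(sqe->ioprio)) return -EINVAL;` avoids the dead re-test. The same applies to both inner hunks of this file; both io_sendmsg_prep and io_recvmsg_prep start before their hunks.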
@@ -0,0 +1,41 @@
+From 805206e66fab4ba1e0ebd19402006d62cd1d4902 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel
+Date: Fri, 24 Jun 2022 09:51:38 +0200
+Subject: net: asix: fix "can't send until first packet is send" issue
+
+From: Oleksij Rempel
+
+commit 805206e66fab4ba1e0ebd19402006d62cd1d4902 upstream.
+
+If cable is attached after probe sequence, the usbnet framework would
+not automatically start processing RX packets except at least one
+packet was transmitted.
+
+On systems with any kind of address auto configuration this issue was
+not detected, because some packets are send immediately after link state
+is changed to "running".
+
+With this patch we will notify usbnet about link status change provided by the
+PHYlib.
+
+Fixes: e532a096be0e ("net: usb: asix: ax88772: add phylib support")
+Reported-by: Anton Lundin
+Signed-off-by: Oleksij Rempel
+Tested-by: Anton Lundin
+Link: https://lore.kernel.org/r/20220624075139.3139300-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/asix_common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -431,6 +431,7 @@ void asix_adjust_link(struct net_device
+
+ asix_write_medium_mode(dev, mode, 0);
+ phy_print_status(phydev);
++ usbnet_link_change(dev, phydev->link, 0);
+ }
+
+ int asix_write_gpio(struct usbnet *dev, u16 value, int sleep, int in_pm)
diff --git a/queue-5.15/net-bonding-fix-possible-null-deref-in-rlb-code.patch b/queue-5.15/net-bonding-fix-possible-null-deref-in-rlb-code.patch
new file mode 100644
index 00000000000..45e49ecbff9
--- /dev/null
+++ b/queue-5.15/net-bonding-fix-possible-null-deref-in-rlb-code.patch
@@ -0,0 +1,140 @@
+From ab84db251c04d38b8dc7ee86e13d4050bedb1c88 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 27 Jun 2022 10:28:13 +0000
+Subject: net: bonding: fix possible NULL deref in rlb code
+
+From: Eric Dumazet
+
+commit ab84db251c04d38b8dc7ee86e13d4050bedb1c88 upstream.
+
+syzbot has two reports involving the same root cause.
+
+bond_alb_initialize() must not set bond->alb_info.rlb_enabled
+if a memory allocation error is detected.
+
+Report 1:
+
+general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+CPU: 0 PID: 12276 Comm: kworker/u4:10 Not tainted 5.19.0-rc3-syzkaller-00132-g3b89b511ea0c #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: netns cleanup_net
+RIP: 0010:rlb_clear_slave+0x10e/0x690 drivers/net/bonding/bond_alb.c:393
+Code: 8e fc 83 fb ff 0f 84 74 02 00 00 e8 cc 2a 8e fc 48 8b 44 24 08 89 dd 48 c1 e5 06 4c 8d 34 28 49 8d 7e 14 48 89 f8 48 c1 e8 03 <42> 0f b6 14 20 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
+RSP: 0018:ffffc90018a8f678 EFLAGS: 00010203
+RAX: 0000000000000002 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: ffff88803375bb00 RSI: ffffffff84ec4ac4 RDI: 0000000000000014
+RBP: 0000000000000000 R08: 0000000000000005 R09: 00000000ffffffff
+R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
+R13: ffff8880ac889000 R14: 0000000000000000 R15: ffff88815a668c80
+FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00005597077e10b0 CR3: 0000000026668000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+bond_alb_deinit_slave+0x43c/0x6b0 drivers/net/bonding/bond_alb.c:1663
+__bond_release_one.cold+0x383/0xd53 drivers/net/bonding/bond_main.c:2370
+bond_slave_netdev_event drivers/net/bonding/bond_main.c:3778 [inline]
+bond_netdev_event+0x993/0xad0 drivers/net/bonding/bond_main.c:3889
+notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
+call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945
+call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
+call_netdevice_notifiers net/core/dev.c:1997 [inline]
+unregister_netdevice_many+0x948/0x18b0 net/core/dev.c:10839
+default_device_exit_batch+0x449/0x590 net/core/dev.c:11333
+ops_exit_list+0x125/0x170 net/core/net_namespace.c:167
+cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594
+process_one_work+0x996/0x1610 kernel/workqueue.c:2289
+worker_thread+0x665/0x1080 kernel/workqueue.c:2436
+kthread+0x2e9/0x3a0 kernel/kthread.c:376
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
+
+
+Report 2:
+
+general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+CPU: 1 PID: 5206 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-12108-g58f9d52ff689 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:rlb_req_update_slave_clients+0x109/0x2f0 drivers/net/bonding/bond_alb.c:502
+Code: 5d 18 8f fc 41 80 3e 00 0f 85 a5 01 00 00 89 d8 48 c1 e0 06 49 03 84 24 68 01 00 00 48 8d 78 30 49 89 c7 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 98 01 00 00 4d 39 6f 30 75 83 e8 22 18 8f fc 49
+RSP: 0018:ffffc9000300ee80 EFLAGS: 00010206
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90016c11000
+RDX: 0000000000000006 RSI: ffffffff84eb6bf3 RDI: 0000000000000030
+RBP: dffffc0000000000 R08: 0000000000000005 R09: 00000000ffffffff
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff888027c80c80
+R13: ffff88807d7ff800 R14: ffffed1004f901bd R15: 0000000000000000
+FS: 00007f6f46c58700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020010000 CR3: 00000000516cc000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+ alb_fasten_mac_swap+0x886/0xa80 drivers/net/bonding/bond_alb.c:1070
+ bond_alb_handle_active_change+0x624/0x1050 drivers/net/bonding/bond_alb.c:1765
+ bond_change_active_slave+0xfa1/0x29b0 drivers/net/bonding/bond_main.c:1173
+ bond_select_active_slave+0x23f/0xa50 drivers/net/bonding/bond_main.c:1253
+ bond_enslave+0x3b34/0x53b0 drivers/net/bonding/bond_main.c:2159
+ do_set_master+0x1c8/0x220 net/core/rtnetlink.c:2577
+ rtnl_newlink_create net/core/rtnetlink.c:3380 [inline]
+ __rtnl_newlink+0x13ac/0x17e0 net/core/rtnetlink.c:3580
+ rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593
+ rtnetlink_rcv_msg+0x43a/0xc90 net/core/rtnetlink.c:6089
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
+ netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
+ netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
+ netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:734
+ ____sys_sendmsg+0x6eb/0x810 net/socket.c:2492
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2546
+ __sys_sendmsg net/socket.c:2575 [inline]
+ __do_sys_sendmsg net/socket.c:2584 [inline]
+ __se_sys_sendmsg net/socket.c:2582 [inline]
+ __x64_sys_sendmsg+0x132/0x220 net/socket.c:2582
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+RIP: 0033:0x7f6f45a89109
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6f46c58168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f6f45b9c030 RCX: 00007f6f45a89109
+RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006
+RBP: 00007f6f45ae308d R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007ffed99029af R14: 00007f6f46c58300 R15: 0000000000022000
+
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Cc: Jay Vosburgh
+Cc: Veaceslav Falico
+Cc: Andy Gospodarek
+Acked-by: Jay Vosburgh
+Link: https://lore.kernel.org/r/20220627102813.126264-1-edumazet@google.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_alb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -1281,12 +1281,12 @@ int bond_alb_initialize(struct bonding *
+ return res;
+
+ if (rlb_enabled) {
+- bond->alb_info.rlb_enabled = 1;
+ res = rlb_initialize(bond);
+ if (res) {
+ tlb_deinitialize(bond);
+ return res;
+ }
++ bond->alb_info.rlb_enabled = 1;
+ } else {
+ bond->alb_info.rlb_enabled = 0;
+ }
diff --git a/queue-5.15/net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch b/queue-5.15/net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch
new file mode 100644
index 00000000000..855c88d8227
--- /dev/null
+++ b/queue-5.15/net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch
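Review bot: On the rlb_initialize() failure path in bond_alb_initialize, `bond->alb_info.rlb_enabled` is now left untouched rather than cleared; the hunk only guarantees the field is not newly set to 1 before the allocation succeeds. If the field can still hold 1 from an earlier initialization of the same bond (the `else` branch shows the code otherwise resets it explicitly, and nothing visible here clears it on teardown), the deinit paths in the two reports would still find rlb_enabled set with no hash table behind it. Adding `bond->alb_info.rlb_enabled = 0;` before `tlb_deinitialize(bond);` in the error branch closes that window without changing the case the commit fixes. bond_alb_initialize starts and ends outside the hunk.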
@@ -0,0 +1,63 @@
+From 050133e1aa2cb49bb17be847d48a4431598ef562 Mon Sep 17 00:00:00 2001
+From: Yevhen Orlov
+Date: Wed, 29 Jun 2022 04:29:14 +0300
+Subject: net: bonding: fix use-after-free after 802.3ad slave unbind
+
+From: Yevhen Orlov
+
+commit 050133e1aa2cb49bb17be847d48a4431598ef562 upstream.
+
+commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection"),
+resolve case, when there is several aggregation groups in the same bond.
+bond_3ad_unbind_slave will invalidate (clear) aggregator when
+__agg_active_ports return zero. So, ad_clear_agg can be executed even, when
+num_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for,
+previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave
+will not update slave ports list, because lag_ports==NULL. So, here we
+got slave ports, pointing to freed aggregator memory.
+
+Fix with checking actual number of ports in group (as was before
+commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") ),
+before ad_clear_agg().
+
+The KASAN logs are as follows:
+
+[ 767.617392] ==================================================================
+[ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470
+[ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767
+[ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15
+[ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT)
+[ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler
+[ 767.666468] Call trace:
+[ 767.668930] dump_backtrace+0x0/0x2d0
+[ 767.672625] show_stack+0x24/0x30
+[ 767.675965] dump_stack_lvl+0x68/0x84
+[ 767.679659] print_address_description.constprop.0+0x74/0x2b8
+[ 767.685451] kasan_report+0x1f0/0x260
+[ 767.689148] __asan_load2+0x94/0xd0
+[ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470
+
+Fixes: 0622cab0341c ("bonding: fix 802.3ad aggregator reselection")
+Co-developed-by: Maksym Glubokiy
+Signed-off-by: Maksym Glubokiy
+Signed-off-by: Yevhen Orlov
+Acked-by: Jay Vosburgh
+Link: https://lore.kernel.org/r/20220629012914.361-1-yevhen.orlov@plvision.eu
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_3ad.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -2228,7 +2228,8 @@ void bond_3ad_unbind_slave(struct slave
+ temp_aggregator->num_of_ports--;
+ if (__agg_active_ports(temp_aggregator) == 0) {
+ select_new_active_agg = temp_aggregator->is_active;
+- ad_clear_agg(temp_aggregator);
++ if (temp_aggregator->num_of_ports == 0)
++ ad_clear_agg(temp_aggregator);
+ if (select_new_active_agg) {
+ slave_info(bond->dev, slave->dev, "Removing an active aggregator\n");
+ /* select new active aggregator */
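Review bot: The new `if (temp_aggregator->num_of_ports == 0)` guard in bond_3ad_unbind_slave carries no comment, and the reason for it — that an aggregator with zero active ports can still be referenced from other ports' lag_ports, so clearing it here frees memory those ports keep pointing at — exists only in the commit message. A one-line comment above the check, `/* other ports may still reference this aggregator; clear it only once the last one is gone */`, would stop the next reader from folding it back into the outer condition. Note that `select_new_active_agg` and the "Removing an active aggregator" message still fire when the aggregator is kept; that is presumably intended since no active ports remain, but it is worth saying so in the same comment. bond_3ad_unbind_slave starts and ends outside the hunk.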
diff --git a/queue-5.15/net-dsa-hirschmann-add-missing-of_node_get-in-hellcreek_led_setup.patch b/queue-5.15/net-dsa-hirschmann-add-missing-of_node_get-in-hellcreek_led_setup.patch
new file mode 100644
index 00000000000..e36e98f9693
--- /dev/null
+++ b/queue-5.15/net-dsa-hirschmann-add-missing-of_node_get-in-hellcreek_led_setup.patch
@@ -0,0 +1,31 @@
+From 16d584d2fc8f4ea36203af45a76becd7093586f1 Mon Sep 17 00:00:00 2001
+From: Liang He
+Date: Wed, 22 Jun 2022 12:06:21 +0800
+Subject: net/dsa/hirschmann: Add missing of_node_get() in hellcreek_led_setup()
+
+From: Liang He
+
+commit 16d584d2fc8f4ea36203af45a76becd7093586f1 upstream.
+
+of_find_node_by_name() will decrease the refcount of its first arg and
+we need a of_node_get() to keep refcount balance.
+
+Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs")
+Signed-off-by: Liang He
+Link: https://lore.kernel.org/r/20220622040621.4094304-1-windhl@126.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/hirschmann/hellcreek_ptp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c
++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c
+@@ -300,6 +300,7 @@ static int hellcreek_led_setup(struct he
+ const char *label, *state;
+ int ret = -EINVAL;
+
++ of_node_get(hellcreek->dev->of_node);
+ leds = of_find_node_by_name(hellcreek->dev->of_node, "leds");
+ if (!leds) {
+ dev_err(hellcreek->dev, "No LEDs specified in device tree!\n");
diff --git a/queue-5.15/net-phy-ax88772a-fix-lost-pause-advertisement-configuration.patch b/queue-5.15/net-phy-ax88772a-fix-lost-pause-advertisement-configuration.patch
new file mode 100644
index 00000000000..badfcf8b33f
--- /dev/null
+++ b/queue-5.15/net-phy-ax88772a-fix-lost-pause-advertisement-configuration.patch
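Review bot: The added `of_node_get(hellcreek->dev->of_node);` in hellcreek_led_setup reads like an unbalanced get without context: the reference it takes is consumed by `of_find_node_by_name()`, which drops its `from` argument, as only the commit message explains. A comment on the new line, `/* of_find_node_by_name() puts the 'from' node; balance it here */`, makes the pairing visible at the call site. The `leds` node returned by the lookup carries its own reference, and whether every exit of the function puts it is outside this hunk. hellcreek_led_setup starts and ends outside the hunk.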
@@ -0,0 +1,44 @@
+From fa152f626b24ec2ca3489100d8c5c0a0bce4e2ef Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel
+Date: Tue, 28 Jun 2022 13:43:49 +0200
+Subject: net: phy: ax88772a: fix lost pause advertisement configuration
+
+From: Oleksij Rempel
+
+commit fa152f626b24ec2ca3489100d8c5c0a0bce4e2ef upstream.
+
+In case of asix_ax88772a_link_change_notify() workaround, we run soft
+reset which will automatically clear MII_ADVERTISE configuration. The
+PHYlib framework do not know about changed configuration state of the
+PHY, so we need use phy_init_hw() to reinit PHY configuration.
+
+Fixes: dde258469257 ("net: usb/phy: asix: add support for ax88772A/C PHYs")
+Signed-off-by: Oleksij Rempel
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20220628114349.3929928-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/ax88796b.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/phy/ax88796b.c b/drivers/net/phy/ax88796b.c
+index 457896337505..0f1e617a26c9 100644
+--- a/drivers/net/phy/ax88796b.c
++++ b/drivers/net/phy/ax88796b.c
+@@ -88,8 +88,10 @@ static void asix_ax88772a_link_change_notify(struct phy_device *phydev)
+ /* Reset PHY, otherwise MII_LPA will provide outdated information.
+ * This issue is reproducible only with some link partner PHYs
+ */
+- if (phydev->state == PHY_NOLINK && phydev->drv->soft_reset)
+- phydev->drv->soft_reset(phydev);
++ if (phydev->state == PHY_NOLINK) {
++ phy_init_hw(phydev);
++ phy_start_aneg(phydev);
++ }
+ }
+
+ static struct phy_driver asix_driver[] = {
+--
+2.37.0
+
diff --git a/queue-5.15/net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch b/queue-5.15/net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch
new file mode 100644
index 00000000000..778f8590e73
--- /dev/null
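Review bot: The return values of `phy_init_hw(phydev)` and `phy_start_aneg(phydev)` in asix_ax88772a_link_change_notify are discarded, so if the re-initialisation fails the PHY is left with the cleared advertisement this patch is meant to restore, and nothing is logged. The callback is void, so the smallest improvement is to report the failure and not chain into autoneg on a half-initialised PHY: `if (phy_init_hw(phydev) || phy_start_aneg(phydev))` followed by `phydev_err(phydev, "PHY re-init after soft reset failed\n");` in place of the two unchecked calls. The function's opening line is outside the hunk.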
+++ b/queue-5.15/net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch 
@@ -0,0 +1,81 @@ +From 76b39b94382f9e0a639e1c70c3253de248cc4c83 Mon Sep 17 00:00:00 2001 +From: Victor Nogueira +Date: Thu, 23 Jun 2022 11:07:41 -0300 +Subject: net/sched: act_api: Notify user space if any actions were flushed before error + +From: Victor Nogueira + +commit 76b39b94382f9e0a639e1c70c3253de248cc4c83 upstream. + +If during an action flush operation one of the actions is still being +referenced, the flush operation is aborted and the kernel returns to +user space with an error. However, if the kernel was able to flush, for +example, 3 actions and failed on the fourth, the kernel will not notify +user space that it deleted 3 actions before failing. + +This patch fixes that behaviour by notifying user space of how many +actions were deleted before flush failed and by setting extack with a +message describing what happened. + +Fixes: 55334a5db5cd ("net_sched: act: refuse to remove bound action outside") +Signed-off-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_api.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/net/sched/act_api.c ++++ b/net/sched/act_api.c +@@ -350,7 +350,8 @@ static int tcf_idr_release_unsafe(struct + } + + static int tcf_del_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb, +- const struct tc_action_ops *ops) ++ const struct tc_action_ops *ops, ++ struct netlink_ext_ack *extack) + { + struct nlattr *nest; + int n_i = 0; +@@ -366,20 +367,25 @@ static int tcf_del_walker(struct tcf_idr + if (nla_put_string(skb, TCA_KIND, ops->kind)) + goto nla_put_failure; + ++ ret = 0; + mutex_lock(&idrinfo->lock); + idr_for_each_entry_ul(idr, p, tmp, id) { + if (IS_ERR(p)) + continue; + ret = tcf_idr_release_unsafe(p); +- if (ret == ACT_P_DELETED) { ++ if (ret == ACT_P_DELETED) + module_put(ops->owner); +- n_i++; +- } else if (ret < 0) { +- mutex_unlock(&idrinfo->lock); +- goto nla_put_failure; +- } ++ else if (ret < 
0) ++ break; ++ n_i++; + } + mutex_unlock(&idrinfo->lock); ++ if (ret < 0) { ++ if (n_i) ++ NL_SET_ERR_MSG(extack, "Unable to flush all TC actions"); ++ else ++ goto nla_put_failure; ++ } + + ret = nla_put_u32(skb, TCA_FCNT, n_i); + if (ret) +@@ -400,7 +406,7 @@ int tcf_generic_walker(struct tc_action_ + struct tcf_idrinfo *idrinfo = tn->idrinfo; + + if (type == RTM_DELACTION) { +- return tcf_del_walker(idrinfo, skb, ops); ++ return tcf_del_walker(idrinfo, skb, ops, extack); + } else if (type == RTM_GETACTION) { + return tcf_dump_walker(idrinfo, skb, cb); + } else { diff --git a/queue-5.15/netfilter-nft_dynset-restore-set-element-counter-when-failing-to-update.patch b/queue-5.15/netfilter-nft_dynset-restore-set-element-counter-when-failing-to-update.patch new file mode 100644 index 00000000000..73c6da09a08 --- /dev/null +++ b/queue-5.15/netfilter-nft_dynset-restore-set-element-counter-when-failing-to-update.patch 
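Review bot: `n_i++` is now reached for every entry where tcf_idr_release_unsafe() returns neither ACT_P_DELETED nor an error, whereas the removed code incremented it only under the ACT_P_DELETED branch, so the value reported in TCA_FCNT changes for actions whose reference was dropped without the action being destroyed. If that is intended, a comment at the increment such as `/* count every released entry, not only destroyed ones */` would stop the next reader from "fixing" it; if not, the increment belongs back under the ACT_P_DELETED branch. Note also that the loop's negative `ret` is overwritten by the following nla_put_u32(), so a partial flush presumably completes as a successful walk carrying only the extack message, which matches the description but deserves a sentence at `if (ret < 0)` saying so. The remainder of tcf_del_walker() and its caller are not shown in the inner hunks.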
@@ -0,0 +1,44 @@ +From 05907f10e235680cc7fb196810e4ad3215d5e648 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 21 Jun 2022 14:01:41 +0200 +Subject: netfilter: nft_dynset: restore set element counter when failing to update + +From: Pablo Neira Ayuso + +commit 05907f10e235680cc7fb196810e4ad3215d5e648 upstream. + +This patch fixes a race condition. + +nft_rhash_update() might fail for two reasons: + +- Element already exists in the hashtable. +- Another packet won race to insert an entry in the hashtable. + +In both cases, new() has already bumped the counter via atomic_add_unless(), +therefore, decrement the set element counter. + +Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_set_hash.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/netfilter/nft_set_hash.c ++++ b/net/netfilter/nft_set_hash.c +@@ -143,6 +143,7 @@ static bool nft_rhash_update(struct nft_ + /* Another cpu may race to insert the element with the same key */ + if (prev) { + nft_set_elem_destroy(set, he, true); ++ atomic_dec(&set->nelems); + he = prev; + } + +@@ -152,6 +153,7 @@ out: + + err2: + nft_set_elem_destroy(set, he, true); ++ atomic_dec(&set->nelems); + err1: + return false; + } diff --git a/queue-5.15/nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch b/queue-5.15/nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch new file mode 100644 index 00000000000..bf5de40a877 --- /dev/null +++ b/queue-5.15/nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch 
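Review bot: The two new `atomic_dec(&set->nelems)` lines undo a counter bump made in a different function (new() via atomic_add_unless(), according to the description), and nothing at either site says so. A one-line comment on each, `/* undo the nelems bump done by new() */`, ties the decrement to its increment. Both failure paths now run the same two-statement cleanup; if nft_rhash_update() grows another exit, a shared label would keep them aligned. nft_rhash_update() begins before the first inner hunk.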
@@ -0,0 +1,52 @@ +From 5a478a653b4cca148d5c89832f007ec0809d7e6d Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 27 Jun 2022 14:40:48 +0200 +Subject: nfc: nfcmrvl: Fix irq_of_parse_and_map() return value + +From: Krzysztof Kozlowski + +commit 5a478a653b4cca148d5c89832f007ec0809d7e6d upstream. + +The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO. + +Reported-by: Lv Ruyi +Fixes: caf6e49bf6d0 ("NFC: nfcmrvl: add spi driver") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220627124048.296253-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/nfcmrvl/i2c.c | 6 +++--- + drivers/nfc/nfcmrvl/spi.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/nfc/nfcmrvl/i2c.c ++++ b/drivers/nfc/nfcmrvl/i2c.c +@@ -167,9 +167,9 @@ static int nfcmrvl_i2c_parse_dt(struct d + pdata->irq_polarity = IRQF_TRIGGER_RISING; + + ret = irq_of_parse_and_map(node, 0); +- if (ret < 0) { +- pr_err("Unable to get irq, error: %d\n", ret); +- return ret; ++ if (!ret) { ++ pr_err("Unable to get irq\n"); ++ return -EINVAL; + } + pdata->irq = ret; + +--- a/drivers/nfc/nfcmrvl/spi.c ++++ b/drivers/nfc/nfcmrvl/spi.c +@@ -115,9 +115,9 @@ static int nfcmrvl_spi_parse_dt(struct d + } + + ret = irq_of_parse_and_map(node, 0); +- if (ret < 0) { +- pr_err("Unable to get irq, error: %d\n", ret); +- return ret; ++ if (!ret) { ++ pr_err("Unable to get irq\n"); ++ return -EINVAL; + } + pdata->irq = ret; + diff --git a/queue-5.15/nfc-nxp-nci-don-t-issue-a-zero-length-i2c_master_read.patch b/queue-5.15/nfc-nxp-nci-don-t-issue-a-zero-length-i2c_master_read.patch new file mode 100644 index 00000000000..8386b25761d --- /dev/null +++ b/queue-5.15/nfc-nxp-nci-don-t-issue-a-zero-length-i2c_master_read.patch 
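Review bot: The corrected `if (!ret)` test relies on irq_of_parse_and_map() returning 0 rather than a negative errno on failure, which is exactly the misunderstanding the removed code had, so a short comment at the test in both files, `/* irq_of_parse_and_map() returns 0, not -errno, on failure */`, would keep the same regression from being reintroduced. The identical change in drivers/nfc/nfcmrvl/spi.c should carry the same comment. Both parse_dt functions begin before their inner hunks.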
@@ -0,0 +1,36 @@ +From eddd95b9423946aaacb55cac6a9b2cea8ab944fc Mon Sep 17 00:00:00 2001 +From: Michael Walle +Date: Mon, 27 Jun 2022 19:06:42 +0200 +Subject: NFC: nxp-nci: Don't issue a zero length i2c_master_read() + +From: Michael Walle + +commit eddd95b9423946aaacb55cac6a9b2cea8ab944fc upstream. + +There are packets which doesn't have a payload. In that case, the second +i2c_master_read() will have a zero length. But because the NFC +controller doesn't have any data left, it will NACK the I2C read and +-ENXIO will be returned. In case there is no payload, just skip the +second i2c master read. + +Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver") +Signed-off-by: Michael Walle +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/nxp-nci/i2c.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/nfc/nxp-nci/i2c.c ++++ b/drivers/nfc/nxp-nci/i2c.c +@@ -162,6 +162,9 @@ static int nxp_nci_i2c_nci_read(struct n + + skb_put_data(*skb, (void *)&header, NCI_CTRL_HDR_SIZE); + ++ if (!header.plen) ++ return 0; ++ + r = i2c_master_recv(client, skb_put(*skb, header.plen), header.plen); + if (r != header.plen) { + nfc_err(&client->dev, diff --git a/queue-5.15/pm-devfreq-exynos-ppmu-fix-refcount-leak-in-of_get_devfreq_events.patch b/queue-5.15/pm-devfreq-exynos-ppmu-fix-refcount-leak-in-of_get_devfreq_events.patch new file mode 100644 index 00000000000..300dde30f30 --- /dev/null +++ b/queue-5.15/pm-devfreq-exynos-ppmu-fix-refcount-leak-in-of_get_devfreq_events.patch 
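Review bot: The new `if (!header.plen) return 0;` has no comment, and without the commit description a reader cannot tell why a zero-length payload must skip the second read instead of simply reading nothing. Add `/* a zero-length read is NACKed by the controller; a header-only packet is complete here */` above the check. The comment could also state that the skb handed back already holds the NCI header, since the early return sits after skb_put_data(). nxp_nci_i2c_nci_read() begins before the hunk.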
@@ -0,0 +1,47 @@ +From f44b799603a9b5d2e375b0b2d54dd0b791eddfc2 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 26 May 2022 12:28:56 +0400 +Subject: PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events + +From: Miaoqian Lin + +commit f44b799603a9b5d2e375b0b2d54dd0b791eddfc2 upstream. + +of_get_child_by_name() returns a node pointer with refcount +incremented, we should use of_node_put() on it when done. +This function only calls of_node_put() in normal path, +missing it in error paths. +Add missing of_node_put() to avoid refcount leak. + +Fixes: f262f28c1470 ("PM / devfreq: event: Add devfreq_event class") +Signed-off-by: Miaoqian Lin +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/devfreq/event/exynos-ppmu.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/devfreq/event/exynos-ppmu.c ++++ b/drivers/devfreq/event/exynos-ppmu.c +@@ -514,15 +514,19 @@ static int of_get_devfreq_events(struct + + count = of_get_child_count(events_np); + desc = devm_kcalloc(dev, count, sizeof(*desc), GFP_KERNEL); +- if (!desc) ++ if (!desc) { ++ of_node_put(events_np); + return -ENOMEM; ++ } + info->num_events = count; + + of_id = of_match_device(exynos_ppmu_id_match, dev); + if (of_id) + info->ppmu_type = (enum exynos_ppmu_type)of_id->data; +- else ++ else { ++ of_node_put(events_np); + return -EINVAL; ++ } + + j = 0; + for_each_child_of_node(events_np, node) { diff --git a/queue-5.15/powerpc-memhotplug-add-add_pages-override-for-ppc.patch b/queue-5.15/powerpc-memhotplug-add-add_pages-override-for-ppc.patch new file mode 100644 index 00000000000..fc71bf63f7c --- /dev/null +++ b/queue-5.15/powerpc-memhotplug-add-add_pages-override-for-ppc.patch 
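Review bot: The new `if (of_id) ... else { ... }` leaves one arm unbraced while the other is braced, which kernel style asks to avoid; either brace both arms or restructure. With of_node_put() now duplicated on two error exits (and, per the description, also present on the normal path outside this hunk), a single cleanup label doing `of_node_put(events_np); return ret;` would keep the put in one place and make a future early exit harder to get wrong. of_get_devfreq_events() begins before the hunk and its child loop is not shown.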
@@ -0,0 +1,114 @@ +From ac790d09885d36143076e7e02825c541e8eee899 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Wed, 29 Jun 2022 10:39:25 +0530 +Subject: powerpc/memhotplug: Add add_pages override for PPC + +From: Aneesh Kumar K.V + +commit ac790d09885d36143076e7e02825c541e8eee899 upstream. + +With commit ffa0b64e3be5 ("powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit") +the kernel now validate the addr against high_memory value. This results +in the below BUG_ON with dax pfns. + +[ 635.798741][T26531] kernel BUG at mm/page_alloc.c:5521! +1:mon> e +cpu 0x1: Vector: 700 (Program Check) at [c000000007287630] + pc: c00000000055ed48: free_pages.part.0+0x48/0x110 + lr: c00000000053ca70: tlb_finish_mmu+0x80/0xd0 + sp: c0000000072878d0 + msr: 800000000282b033 + current = 0xc00000000afabe00 + paca = 0xc00000037ffff300 irqmask: 0x03 irq_happened: 0x05 + pid = 26531, comm = 50-landscape-sy +kernel BUG at :5521! +Linux version 5.19.0-rc3-14659-g4ec05be7c2e1 (kvaneesh@ltc-boston8) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #625 SMP Thu Jun 23 00:35:43 CDT 2022 +1:mon> t +[link register ] c00000000053ca70 tlb_finish_mmu+0x80/0xd0 +[c0000000072878d0] c00000000053ca54 tlb_finish_mmu+0x64/0xd0 (unreliable) +[c000000007287900] c000000000539424 exit_mmap+0xe4/0x2a0 +[c0000000072879e0] c00000000019fc1c mmput+0xcc/0x210 +[c000000007287a20] c000000000629230 begin_new_exec+0x5e0/0xf40 +[c000000007287ae0] c00000000070b3cc load_elf_binary+0x3ac/0x1e00 +[c000000007287c10] c000000000627af0 bprm_execve+0x3b0/0xaf0 +[c000000007287cd0] c000000000628414 do_execveat_common.isra.0+0x1e4/0x310 +[c000000007287d80] c00000000062858c sys_execve+0x4c/0x60 +[c000000007287db0] c00000000002c1b0 system_call_exception+0x160/0x2c0 +[c000000007287e10] c00000000000c53c system_call_common+0xec/0x250 + +The fix is to make sure we update high_memory on memory hotplug. 
+This is similar to what x86 does in commit 3072e413e305 ("mm/memory_hotplug: introduce add_pages") + +Fixes: ffa0b64e3be5 ("powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit") +Signed-off-by: Aneesh Kumar K.V +Reviewed-by: Kefeng Wang +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220629050925.31447-1-aneesh.kumar@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/Kconfig | 4 ++++ + arch/powerpc/mm/mem.c | 33 ++++++++++++++++++++++++++++++++- + 2 files changed, 36 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -353,6 +353,10 @@ config ARCH_SUSPEND_NONZERO_CPU + def_bool y + depends on PPC_POWERNV || PPC_PSERIES + ++config ARCH_HAS_ADD_PAGES ++ def_bool y ++ depends on ARCH_ENABLE_MEMORY_HOTPLUG ++ + config PPC_DCR_NATIVE + bool + +--- a/arch/powerpc/mm/mem.c ++++ b/arch/powerpc/mm/mem.c +@@ -104,6 +104,37 @@ void __ref arch_remove_linear_mapping(u6 + vm_unmap_aliases(); + } + ++/* ++ * After memory hotplug the variables max_pfn, max_low_pfn and high_memory need ++ * updating. 
++ */ ++static void update_end_of_memory_vars(u64 start, u64 size) ++{ ++ unsigned long end_pfn = PFN_UP(start + size); ++ ++ if (end_pfn > max_pfn) { ++ max_pfn = end_pfn; ++ max_low_pfn = end_pfn; ++ high_memory = (void *)__va(max_pfn * PAGE_SIZE - 1) + 1; ++ } ++} ++ ++int __ref add_pages(int nid, unsigned long start_pfn, unsigned long nr_pages, ++ struct mhp_params *params) ++{ ++ int ret; ++ ++ ret = __add_pages(nid, start_pfn, nr_pages, params); ++ if (ret) ++ return ret; ++ ++ /* update max_pfn, max_low_pfn and high_memory */ ++ update_end_of_memory_vars(start_pfn << PAGE_SHIFT, ++ nr_pages << PAGE_SHIFT); ++ ++ return ret; ++} ++ + int __ref arch_add_memory(int nid, u64 start, u64 size, + struct mhp_params *params) + { +@@ -114,7 +145,7 @@ int __ref arch_add_memory(int nid, u64 s + rc = arch_create_linear_mapping(nid, start, size, params); + if (rc) + return rc; +- rc = __add_pages(nid, start_pfn, nr_pages, params); ++ rc = add_pages(nid, start_pfn, nr_pages, params); + if (rc) + arch_remove_linear_mapping(start, size); + return rc; diff --git a/queue-5.15/s390-remove-unneeded-select-build_bin2c.patch b/queue-5.15/s390-remove-unneeded-select-build_bin2c.patch new file mode 100644 index 00000000000..a424d1f0202 --- /dev/null +++ b/queue-5.15/s390-remove-unneeded-select-build_bin2c.patch 
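Review bot: In add_pages(), the trailing `return ret;` can only return 0 because `if (ret) return ret;` already handled every non-zero value; `return 0;` says that directly. Of more interest to the reader, update_end_of_memory_vars() only ever raises max_pfn/max_low_pfn/high_memory and this patch adds no counterpart on the removal path, so after hotplug-remove they presumably stay at their high-water mark; if that is deliberate (the description points at the x86 equivalent), the function comment should say so, e.g. `/* Only ever raised; not lowered again on memory removal. */`. The globals are written without any visible serialisation, presumably under the hotplug lock held by callers — worth stating in the same comment. arch_add_memory() begins before the second inner hunk.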
@@ -0,0 +1,33 @@ +From 25deecb21c18ee29e3be8ac6177b2a9504c33d2d Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Tue, 14 Jun 2022 02:09:00 +0900 +Subject: s390: remove unneeded 'select BUILD_BIN2C' + +From: Masahiro Yamada + +commit 25deecb21c18ee29e3be8ac6177b2a9504c33d2d upstream. + +Since commit 4c0f032d4963 ("s390/purgatory: Omit use of bin2c"), +s390 builds the purgatory without using bin2c. + +Remove 'select BUILD_BIN2C' to avoid the unneeded build of bin2c. + +Fixes: 4c0f032d4963 ("s390/purgatory: Omit use of bin2c") +Signed-off-by: Masahiro Yamada +Link: https://lore.kernel.org/r/20220613170902.1775211-1-masahiroy@kernel.org +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/s390/Kconfig ++++ b/arch/s390/Kconfig +@@ -516,7 +516,6 @@ config KEXEC + config KEXEC_FILE + bool "kexec file based system call" + select KEXEC_CORE +- select BUILD_BIN2C + depends on CRYPTO + depends on CRYPTO_SHA256 + depends on CRYPTO_SHA256_S390 diff --git a/queue-5.15/series b/queue-5.15/series index 530934cf14e..57c5aa199f9 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -32,4 +32,21 @@ usbnet-fix-memory-allocation-in-helpers.patch selftests-mptcp-more-stable-diag-tests.patch net-ipv6-unexport-__init-annotated-seg6_hmac_net_init.patch nfsd-restore-einval-error-translation-in-nfsd_commit.patch -hwmon-occ-prevent-power-cap-command-overwriting-poll-response.patch +vfs-fix-copy_file_range-regression-in-cross-fs-copies.patch +caif_virtio-fix-race-between-virtio_device_ready-and-ndo_open.patch +pm-devfreq-exynos-ppmu-fix-refcount-leak-in-of_get_devfreq_events.patch +vdpa-mlx5-update-control-vq-callback-information.patch +s390-remove-unneeded-select-build_bin2c.patch +netfilter-nft_dynset-restore-set-element-counter-when-failing-to-update.patch +net-dsa-hirschmann-add-missing-of_node_get-in-hellcreek_led_setup.patch +net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch +net-asix-fix-can-t-send-until-first-packet-is-send-issue.patch +net-bonding-fix-possible-null-deref-in-rlb-code.patch +net-phy-ax88772a-fix-lost-pause-advertisement-configuration.patch +net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch +powerpc-memhotplug-add-add_pages-override-for-ppc.patch +nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch +nfc-nxp-nci-don-t-issue-a-zero-length-i2c_master_read.patch +tipc-move-bc-link-creation-back-to-tipc_node_create.patch +epic100-fix-use-after-free-on-rmmod.patch +io_uring-ensure-that-send-sendmsg-and-recv-recvmsg-check-sqe-ioprio.patch diff --git a/queue-5.15/tipc-move-bc-link-creation-back-to-tipc_node_create.patch b/queue-5.15/tipc-move-bc-link-creation-back-to-tipc_node_create.patch new file mode 100644 index 00000000000..36386020959 --- /dev/null +++ b/queue-5.15/tipc-move-bc-link-creation-back-to-tipc_node_create.patch 
@@ -0,0 +1,123 @@ +From cb8092d70a6f5f01ec1490fce4d35efed3ed996c Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Fri, 24 Jun 2022 12:24:31 -0400 +Subject: tipc: move bc link creation back to tipc_node_create + +From: Xin Long + +commit cb8092d70a6f5f01ec1490fce4d35efed3ed996c upstream. + +Shuang Li reported a NULL pointer dereference crash: + + [] BUG: kernel NULL pointer dereference, address: 0000000000000068 + [] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc] + [] Call Trace: + [] + [] tipc_bcast_rcv+0xa2/0x190 [tipc] + [] tipc_node_bc_rcv+0x8b/0x200 [tipc] + [] tipc_rcv+0x3af/0x5b0 [tipc] + [] tipc_udp_recv+0xc7/0x1e0 [tipc] + +It was caused by the 'l' passed into tipc_bcast_rcv() is NULL. When it +creates a node in tipc_node_check_dest(), after inserting the new node +into hashtable in tipc_node_create(), it creates the bc link. However, +there is a gap between this insert and bc link creation, a bc packet +may come in and get the node from the hashtable then try to dereference +its bc link, which is NULL. + +This patch is to fix it by moving the bc link creation before inserting +into the hashtable. + +Note that for a preliminary node becoming "real", the bc link creation +should also be called before it's rehashed, as we don't create it for +preliminary nodes. + +Fixes: 4cbf8ac2fe5a ("tipc: enable creating a "preliminary" node") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/node.c | 41 ++++++++++++++++++++++------------------- + 1 file changed, 22 insertions(+), 19 deletions(-) + +--- a/net/tipc/node.c ++++ b/net/tipc/node.c +@@ -472,8 +472,8 @@ struct tipc_node *tipc_node_create(struc + bool preliminary) + { + struct tipc_net *tn = net_generic(net, tipc_net_id); ++ struct tipc_link *l, *snd_l = tipc_bc_sndlink(net); + struct tipc_node *n, *temp_node; +- struct tipc_link *l; + unsigned long intv; + int bearer_id; + int i; +@@ -488,6 +488,16 @@ struct tipc_node *tipc_node_create(struc + goto exit; + /* A preliminary node becomes "real" now, refresh its data */ + tipc_node_write_lock(n); ++ if (!tipc_link_bc_create(net, tipc_own_addr(net), addr, peer_id, U16_MAX, ++ tipc_link_min_win(snd_l), tipc_link_max_win(snd_l), ++ n->capabilities, &n->bc_entry.inputq1, ++ &n->bc_entry.namedq, snd_l, &n->bc_entry.link)) { ++ pr_warn("Broadcast rcv link refresh failed, no memory\n"); ++ tipc_node_write_unlock_fast(n); ++ tipc_node_put(n); ++ n = NULL; ++ goto exit; ++ } + n->preliminary = false; + n->addr = addr; + hlist_del_rcu(&n->hash); +@@ -567,7 +577,16 @@ update: + n->signature = INVALID_NODE_SIG; + n->active_links[0] = INVALID_BEARER_ID; + n->active_links[1] = INVALID_BEARER_ID; +- n->bc_entry.link = NULL; ++ if (!preliminary && ++ !tipc_link_bc_create(net, tipc_own_addr(net), addr, peer_id, U16_MAX, ++ tipc_link_min_win(snd_l), tipc_link_max_win(snd_l), ++ n->capabilities, &n->bc_entry.inputq1, ++ &n->bc_entry.namedq, snd_l, &n->bc_entry.link)) { ++ pr_warn("Broadcast rcv link creation failed, no memory\n"); ++ kfree(n); ++ n = NULL; ++ goto exit; ++ } + tipc_node_get(n); + timer_setup(&n->timer, tipc_node_timeout, 0); + /* Start a slow timer anyway, crypto needs it */ +@@ -1155,7 +1174,7 @@ void tipc_node_check_dest(struct net *ne + bool *respond, bool *dupl_addr) + { + struct tipc_node *n; +- struct tipc_link *l, *snd_l; ++ struct tipc_link *l; + struct tipc_link_entry *le; + bool 
addr_match = false; + bool sign_match = false; +@@ -1175,22 +1194,6 @@ void tipc_node_check_dest(struct net *ne + return; + + tipc_node_write_lock(n); +- if (unlikely(!n->bc_entry.link)) { +- snd_l = tipc_bc_sndlink(net); +- if (!tipc_link_bc_create(net, tipc_own_addr(net), +- addr, peer_id, U16_MAX, +- tipc_link_min_win(snd_l), +- tipc_link_max_win(snd_l), +- n->capabilities, +- &n->bc_entry.inputq1, +- &n->bc_entry.namedq, snd_l, +- &n->bc_entry.link)) { +- pr_warn("Broadcast rcv link creation failed, no mem\n"); +- tipc_node_write_unlock_fast(n); +- tipc_node_put(n); +- return; +- } +- } + + le = &n->links[b->identity]; + diff --git a/queue-5.15/vdpa-mlx5-update-control-vq-callback-information.patch b/queue-5.15/vdpa-mlx5-update-control-vq-callback-information.patch new file mode 100644 index 00000000000..62f60842303 --- /dev/null +++ b/queue-5.15/vdpa-mlx5-update-control-vq-callback-information.patch 
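Review bot: tipc_node_create() now holds two near-identical tipc_link_bc_create() calls with eleven arguments each (the refresh path and the create path), differing only in the warning text and the unwind; a small static helper taking (net, n, addr, peer_id, snd_l) and returning the bool would keep the two argument lists from drifting apart. On the refresh-path failure the node is left in the hashtable still marked preliminary after tipc_node_write_unlock_fast()/tipc_node_put(); whether a later tipc_node_check_dest() retries the creation is not visible here, so a comment on that branch describing the state it leaves behind would help. tipc_node_create() begins before the first inner hunk and its `exit` label is not shown.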
@@ -0,0 +1,34 @@ +From 40f2f3e94178d45e4ee6078effba2dfc76f6f5ba Mon Sep 17 00:00:00 2001 +From: Eli Cohen +Date: Mon, 13 Jun 2022 10:59:57 +0300 +Subject: vdpa/mlx5: Update Control VQ callback information + +From: Eli Cohen + +commit 40f2f3e94178d45e4ee6078effba2dfc76f6f5ba upstream. + +The control VQ specific information is stored in the dedicated struct +mlx5_control_vq. When the callback is updated through +mlx5_vdpa_set_vq_cb(), make sure to update the control VQ struct. + +Fixes: 5262912ef3cf ("vdpa/mlx5: Add support for control VQ and MAC setting") +Signed-off-by: Eli Cohen +Message-Id: <20220613075958.511064-1-elic@nvidia.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +--- + drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c ++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c +@@ -1698,6 +1698,8 @@ static void mlx5_vdpa_set_vq_cb(struct v + struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev); + + ndev->event_cbs[idx] = *cb; ++ if (is_ctrl_vq_idx(mvdev, idx)) ++ mvdev->cvq.event_cb = *cb; + } + + static void mlx5_cvq_notify(struct vringh *vring) diff --git a/queue-5.15/vfs-fix-copy_file_range-regression-in-cross-fs-copies.patch b/queue-5.15/vfs-fix-copy_file_range-regression-in-cross-fs-copies.patch new file mode 100644 index 00000000000..653a7740230 --- /dev/null +++ b/queue-5.15/vfs-fix-copy_file_range-regression-in-cross-fs-copies.patch 
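Review bot: After this change the same callback lives in two places, `ndev->event_cbs[idx]` and `mvdev->cvq.event_cb`, and nothing at the assignment says which one consumers read. A comment on the new lines, `/* the control VQ path presumably reads cvq.event_cb; keep it in sync with event_cbs[] */`, would record the invariant; the consumer of cvq.event_cb is not shown. Whether `idx` is range-checked before indexing `event_cbs[]` is also outside the hunk. mlx5_vdpa_set_vq_cb() begins before the hunk.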
@@ -0,0 +1,251 @@ +From 868f9f2f8e004bfe0d3935b1976f625b2924893b Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Thu, 30 Jun 2022 22:58:49 +0300 +Subject: vfs: fix copy_file_range() regression in cross-fs copies + +From: Amir Goldstein + +commit 868f9f2f8e004bfe0d3935b1976f625b2924893b upstream. + +A regression has been reported by Nicolas Boichat, found while using the +copy_file_range syscall to copy a tracefs file. + +Before commit 5dae222a5ff0 ("vfs: allow copy_file_range to copy across +devices") the kernel would return -EXDEV to userspace when trying to +copy a file across different filesystems. After this commit, the +syscall doesn't fail anymore and instead returns zero (zero bytes +copied), as this file's content is generated on-the-fly and thus reports +a size of zero. + +Another regression has been reported by He Zhe - the assertion of +WARN_ON_ONCE(ret == -EOPNOTSUPP) can be triggered from userspace when +copying from a sysfs file whose read operation may return -EOPNOTSUPP. + +Since we do not have test coverage for copy_file_range() between any two +types of filesystems, the best way to avoid these sort of issues in the +future is for the kernel to be more picky about filesystems that are +allowed to do copy_file_range(). + +This patch restores some cross-filesystem copy restrictions that existed +prior to commit 5dae222a5ff0 ("vfs: allow copy_file_range to copy across +devices"), namely, cross-sb copy is not allowed for filesystems that do +not implement ->copy_file_range(). + +Filesystems that do implement ->copy_file_range() have full control of +the result - if this method returns an error, the error is returned to +the user. Before this change this was only true for fs that did not +implement the ->remap_file_range() operation (i.e. nfsv3). + +Filesystems that do not implement ->copy_file_range() still fall-back to +the generic_copy_file_range() implementation when the copy is within the +same sb. 
This helps the kernel can maintain a more consistent story +about which filesystems support copy_file_range(). + +nfsd and ksmbd servers are modified to fall-back to the +generic_copy_file_range() implementation in case vfs_copy_file_range() +fails with -EOPNOTSUPP or -EXDEV, which preserves behavior of +server-side-copy. + +fall-back to generic_copy_file_range() is not implemented for the smb +operation FSCTL_DUPLICATE_EXTENTS_TO_FILE, which is arguably a correct +change of behavior. + +Fixes: 5dae222a5ff0 ("vfs: allow copy_file_range to copy across devices") +Link: https://lore.kernel.org/linux-fsdevel/20210212044405.4120619-1-drinkcat@chromium.org/ +Link: https://lore.kernel.org/linux-fsdevel/CANMq1KDZuxir2LM5jOTm0xx+BnvW=ZmpsG47CyHFJwnw7zSX6Q@mail.gmail.com/ +Link: https://lore.kernel.org/linux-fsdevel/20210126135012.1.If45b7cdc3ff707bc1efa17f5366057d60603c45f@changeid/ +Link: https://lore.kernel.org/linux-fsdevel/20210630161320.29006-1-lhenriques@suse.de/ +Reported-by: Nicolas Boichat +Reported-by: kernel test robot +Signed-off-by: Luis Henriques +Fixes: 64bf5ff58dff ("vfs: no fallback for ->copy_file_range") +Link: https://lore.kernel.org/linux-fsdevel/20f17f64-88cb-4e80-07c1-85cb96c83619@windriver.com/ +Reported-by: He Zhe +Tested-by: Namjae Jeon +Tested-by: Luis Henriques +Signed-off-by: Amir Goldstein +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 16 ++++++++--- + fs/ksmbd/vfs.c | 4 ++ + fs/nfsd/vfs.c | 8 ++++- + fs/read_write.c | 77 ++++++++++++++++++++++++++++++----------------------- + 4 files changed, 68 insertions(+), 37 deletions(-) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -7794,14 +7794,24 @@ int smb2_ioctl(struct ksmbd_work *work) + src_off = le64_to_cpu(dup_ext->SourceFileOffset); + dst_off = le64_to_cpu(dup_ext->TargetFileOffset); + length = le64_to_cpu(dup_ext->ByteCount); +- cloned = vfs_clone_file_range(fp_in->filp, src_off, fp_out->filp, +- dst_off, length, 0); ++ /* ++ * XXX: It 
is not clear if FSCTL_DUPLICATE_EXTENTS_TO_FILE ++ * should fall back to vfs_copy_file_range(). This could be ++ * beneficial when re-exporting nfs/smb mount, but note that ++ * this can result in partial copy that returns an error status. ++ * If/when FSCTL_DUPLICATE_EXTENTS_TO_FILE_EX is implemented, ++ * fall back to vfs_copy_file_range(), should be avoided when ++ * the flag DUPLICATE_EXTENTS_DATA_EX_SOURCE_ATOMIC is set. ++ */ ++ cloned = vfs_clone_file_range(fp_in->filp, src_off, ++ fp_out->filp, dst_off, length, 0); + if (cloned == -EXDEV || cloned == -EOPNOTSUPP) { + ret = -EOPNOTSUPP; + goto dup_ext_out; + } else if (cloned != length) { + cloned = vfs_copy_file_range(fp_in->filp, src_off, +- fp_out->filp, dst_off, length, 0); ++ fp_out->filp, dst_off, ++ length, 0); + if (cloned != length) { + if (cloned < 0) + ret = cloned; +--- a/fs/ksmbd/vfs.c ++++ b/fs/ksmbd/vfs.c +@@ -1782,6 +1782,10 @@ int ksmbd_vfs_copy_file_ranges(struct ks + + ret = vfs_copy_file_range(src_fp->filp, src_off, + dst_fp->filp, dst_off, len, 0); ++ if (ret == -EOPNOTSUPP || ret == -EXDEV) ++ ret = generic_copy_file_range(src_fp->filp, src_off, ++ dst_fp->filp, dst_off, ++ len, 0); + if (ret < 0) + return ret; + +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -560,6 +560,7 @@ out_err: + ssize_t nfsd_copy_file_range(struct file *src, u64 src_pos, struct file *dst, + u64 dst_pos, u64 count) + { ++ ssize_t ret; + + /* + * Limit copy to 4MB to prevent indefinitely blocking an nfsd +@@ -570,7 +571,12 @@ ssize_t nfsd_copy_file_range(struct file + * limit like this and pipeline multiple COPY requests. 
+ */ + count = min_t(u64, count, 1 << 22); +- return vfs_copy_file_range(src, src_pos, dst, dst_pos, count, 0); ++ ret = vfs_copy_file_range(src, src_pos, dst, dst_pos, count, 0); ++ ++ if (ret == -EOPNOTSUPP || ret == -EXDEV) ++ ret = generic_copy_file_range(src, src_pos, dst, dst_pos, ++ count, 0); ++ return ret; + } + + __be32 nfsd4_vfs_fallocate(struct svc_rqst *rqstp, struct svc_fh *fhp, +--- a/fs/read_write.c ++++ b/fs/read_write.c +@@ -1384,28 +1384,6 @@ ssize_t generic_copy_file_range(struct f + } + EXPORT_SYMBOL(generic_copy_file_range); + +-static ssize_t do_copy_file_range(struct file *file_in, loff_t pos_in, +- struct file *file_out, loff_t pos_out, +- size_t len, unsigned int flags) +-{ +- /* +- * Although we now allow filesystems to handle cross sb copy, passing +- * a file of the wrong filesystem type to filesystem driver can result +- * in an attempt to dereference the wrong type of ->private_data, so +- * avoid doing that until we really have a good reason. NFS defines +- * several different file_system_type structures, but they all end up +- * using the same ->copy_file_range() function pointer. +- */ +- if (file_out->f_op->copy_file_range && +- file_out->f_op->copy_file_range == file_in->f_op->copy_file_range) +- return file_out->f_op->copy_file_range(file_in, pos_in, +- file_out, pos_out, +- len, flags); +- +- return generic_copy_file_range(file_in, pos_in, file_out, pos_out, len, +- flags); +-} +- + /* + * Performs necessary checks before doing a file copy + * +@@ -1427,6 +1405,24 @@ static int generic_copy_file_checks(stru + if (ret) + return ret; + ++ /* ++ * We allow some filesystems to handle cross sb copy, but passing ++ * a file of the wrong filesystem type to filesystem driver can result ++ * in an attempt to dereference the wrong type of ->private_data, so ++ * avoid doing that until we really have a good reason. 
++ * ++ * nfs and cifs define several different file_system_type structures ++ * and several different sets of file_operations, but they all end up ++ * using the same ->copy_file_range() function pointer. ++ */ ++ if (file_out->f_op->copy_file_range) { ++ if (file_in->f_op->copy_file_range != ++ file_out->f_op->copy_file_range) ++ return -EXDEV; ++ } else if (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb) { ++ return -EXDEV; ++ } ++ + /* Don't touch certain kinds of inodes */ + if (IS_IMMUTABLE(inode_out)) + return -EPERM; +@@ -1492,26 +1488,41 @@ ssize_t vfs_copy_file_range(struct file + file_start_write(file_out); + + /* +- * Try cloning first, this is supported by more file systems, and +- * more efficient if both clone and copy are supported (e.g. NFS). ++ * Cloning is supported by more file systems, so we implement copy on ++ * same sb using clone, but for filesystems where both clone and copy ++ * are supported (e.g. nfs,cifs), we only call the copy method. + */ ++ if (file_out->f_op->copy_file_range) { ++ ret = file_out->f_op->copy_file_range(file_in, pos_in, ++ file_out, pos_out, ++ len, flags); ++ goto done; ++ } ++ + if (file_in->f_op->remap_file_range && + file_inode(file_in)->i_sb == file_inode(file_out)->i_sb) { +- loff_t cloned; +- +- cloned = file_in->f_op->remap_file_range(file_in, pos_in, ++ ret = file_in->f_op->remap_file_range(file_in, pos_in, + file_out, pos_out, + min_t(loff_t, MAX_RW_COUNT, len), + REMAP_FILE_CAN_SHORTEN); +- if (cloned > 0) { +- ret = cloned; ++ if (ret > 0) + goto done; +- } + } + +- ret = do_copy_file_range(file_in, pos_in, file_out, pos_out, len, +- flags); +- WARN_ON_ONCE(ret == -EOPNOTSUPP); ++ /* ++ * We can get here for same sb copy of filesystems that do not implement ++ * ->copy_file_range() in case filesystem does not support clone or in ++ * case filesystem supports clone but rejected the clone request (e.g. ++ * because it was not block aligned). 
++ * ++ * In both cases, fall back to kernel copy so we are able to maintain a ++ * consistent story about which filesystems support copy_file_range() ++ * and which filesystems do not, that will allow userspace tools to ++ * make consistent desicions w.r.t using copy_file_range(). ++ */ ++ ret = generic_copy_file_range(file_in, pos_in, file_out, pos_out, len, ++ flags); ++ + done: + if (ret > 0) { + fsnotify_access(file_in); -- 2.47.3
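Review bot: The nfsd and ksmbd fallbacks call generic_copy_file_range() directly when vfs_copy_file_range() fails with -EOPNOTSUPP or -EXDEV, but the new -EXDEV is produced inside generic_copy_file_checks(), which presumably runs before the rest of vfs_copy_file_range()'s validation and before the file_start_write() seen in the later hunk; whether the splice path under generic_copy_file_range() re-performs the equivalent checks (immutable/swapfile inodes, range overlap, write-freeze protection) is not visible here and should be confirmed, with a comment at each fallback naming what it relies on. The new comment in generic_copy_file_checks() could also say that its cross-sb -EXDEV is the value nfsd/ksmbd catch to fall back, so the two sides stay linked. One typo in the new vfs_copy_file_range() comment: `desicions` should read `decisions`. The inner hunks do not show the start of generic_copy_file_checks() or vfs_copy_file_range().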