From c02bd99955d7cbb8ba12002312673ada89bf1701 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 11 Oct 2023 10:22:55 -0400 Subject: [PATCH] Fixes for 6.1 Signed-off-by: Sasha Levin --- ...et-pipe_control_flush_l3-for-aux-inv.patch | 67 ++++++ .../mptcp-fix-delegated-action-races.patch | 201 ++++++++++++++++++ .../net-mana-fix-tx-cqe-error-handling.patch | 61 ++++++ ...-the-unhandled-overflow-status-of-co.patch | 41 ++++ ...wmi-mark-driver-struct-with-__refdat.patch | 51 +++++ ...orm-x86-think-lmi-fix-reference-leak.patch | 80 +++++++ ...ck-skb-value-for-failure-to-allocate.patch | 39 ++++ queue-6.1/series | 7 + 8 files changed, 547 insertions(+) create mode 100644 queue-6.1/drm-i915-don-t-set-pipe_control_flush_l3-for-aux-inv.patch create mode 100644 queue-6.1/mptcp-fix-delegated-action-races.patch create mode 100644 queue-6.1/net-mana-fix-tx-cqe-error-handling.patch create mode 100644 queue-6.1/perf-arm-cmn-fix-the-unhandled-overflow-status-of-co.patch create mode 100644 queue-6.1/platform-x86-hp-wmi-mark-driver-struct-with-__refdat.patch create mode 100644 queue-6.1/platform-x86-think-lmi-fix-reference-leak.patch create mode 100644 queue-6.1/rdma-cxgb4-check-skb-value-for-failure-to-allocate.patch create mode 100644 queue-6.1/series diff --git a/queue-6.1/drm-i915-don-t-set-pipe_control_flush_l3-for-aux-inv.patch b/queue-6.1/drm-i915-don-t-set-pipe_control_flush_l3-for-aux-inv.patch new file mode 100644 index 00000000000..90c3aa4026c --- /dev/null +++ b/queue-6.1/drm-i915-don-t-set-pipe_control_flush_l3-for-aux-inv.patch @@ -0,0 +1,67 @@ +From 4589ba84c92cdaaaa8a69adab5f7c8ac98435b93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 16:24:01 +0200 +Subject: drm/i915: Don't set PIPE_CONTROL_FLUSH_L3 for aux inval +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nirmoy Das + +[ Upstream commit 128c20eda73bd3e78505c574fb17adb46195c98b ] + +PIPE_CONTROL_FLUSH_L3 is not needed for aux invalidation +so don't set that. + +Fixes: 78a6ccd65fa3 ("drm/i915/gt: Ensure memory quiesced before invalidation") +Cc: Jonathan Cavitt +Cc: Andi Shyti +Cc: # v5.8+ +Cc: Andrzej Hajda +Cc: Tvrtko Ursulin +Cc: Matt Roper +Cc: Tejas Upadhyay +Cc: Lucas De Marchi +Cc: Prathap Kumar Valsan +Cc: Tapani Pälli +Cc: Mark Janes +Cc: Rodrigo Vivi +Signed-off-by: Nirmoy Das +Acked-by: Matt Roper +Reviewed-by: Andi Shyti +Tested-by: Tapani Pälli +Reviewed-by: Andrzej Hajda +Link: https://patchwork.freedesktop.org/patch/msgid/20230926142401.25687-1-nirmoy.das@intel.com +(cherry picked from commit 03d681412b38558aefe4fb0f46e36efa94bb21ef) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/gen8_engine_cs.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/gen8_engine_cs.c b/drivers/gpu/drm/i915/gt/gen8_engine_cs.c +index cc84685368715..efc22f9b17f07 100644 +--- a/drivers/gpu/drm/i915/gt/gen8_engine_cs.c ++++ b/drivers/gpu/drm/i915/gt/gen8_engine_cs.c +@@ -235,8 +235,17 @@ int gen12_emit_flush_rcs(struct i915_request *rq, u32 mode) + u32 flags = 0; + u32 *cs; + ++ /* ++ * L3 fabric flush is needed for AUX CCS invalidation ++ * which happens as part of pipe-control so we can ++ * ignore PIPE_CONTROL_FLUSH_L3. Also PIPE_CONTROL_FLUSH_L3 ++ * deals with Protected Memory which is not needed for ++ * AUX CCS invalidation and lead to unwanted side effects. ++ */ ++ if (mode & EMIT_FLUSH) ++ flags |= PIPE_CONTROL_FLUSH_L3; ++ + flags |= PIPE_CONTROL_TILE_CACHE_FLUSH; +- flags |= PIPE_CONTROL_FLUSH_L3; + flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH; + flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH; + /* Wa_1409600907:tgl,adl-p */ +-- +2.40.1 + diff --git a/queue-6.1/mptcp-fix-delegated-action-races.patch b/queue-6.1/mptcp-fix-delegated-action-races.patch new file mode 100644 index 00000000000..38382d43266 --- /dev/null +++ b/queue-6.1/mptcp-fix-delegated-action-races.patch @@ -0,0 +1,201 @@ +From 1e1634bd5f804a2cbc104e2480d404867a366ef3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 13:38:11 -0700 +Subject: mptcp: fix delegated action races + +From: Paolo Abeni + +[ Upstream commit a5efdbcece83af94180e8d7c0a6e22947318499d ] + +The delegated action infrastructure is prone to the following +race: different CPUs can try to schedule different delegated +actions on the same subflow at the same time. + +Each of them will check different bits via mptcp_subflow_delegate(), +and will try to schedule the action on the related per-cpu napi +instance. + +Depending on the timing, both can observe an empty delegated list +node, causing the same entry to be added simultaneously on two different +lists. + +The root cause is that the delegated actions infra does not provide +a single synchronization point. Address the issue reserving an additional +bit to mark the subflow as scheduled for delegation. Acquiring such bit +guarantee the caller to own the delegated list node, and being able to +safely schedule the subflow. + +Clear such bit only when the subflow scheduling is completed, ensuring +proper barrier in place. + +Additionally swap the meaning of the delegated_action bitmask, to allow +the usage of the existing helper to set multiple bit at once. + +Fixes: bcd97734318d ("mptcp: use delegate action to schedule 3rd ack retrans") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Link: https://lore.kernel.org/r/20231004-send-net-20231004-v1-1-28de4ac663ae@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 28 ++++++++++++++-------------- + net/mptcp/protocol.h | 35 ++++++++++++----------------------- + net/mptcp/subflow.c | 10 ++++++++-- + 3 files changed, 34 insertions(+), 39 deletions(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index b6e0579e72644..881e05193ac97 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -3456,24 +3456,21 @@ static void schedule_3rdack_retransmission(struct sock *ssk) + sk_reset_timer(ssk, &icsk->icsk_delack_timer, timeout); + } + +-void mptcp_subflow_process_delegated(struct sock *ssk) ++void mptcp_subflow_process_delegated(struct sock *ssk, long status) + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); + struct sock *sk = subflow->conn; + +- if (test_bit(MPTCP_DELEGATE_SEND, &subflow->delegated_status)) { ++ if (status & BIT(MPTCP_DELEGATE_SEND)) { + mptcp_data_lock(sk); + if (!sock_owned_by_user(sk)) + __mptcp_subflow_push_pending(sk, ssk); + else + __set_bit(MPTCP_PUSH_PENDING, &mptcp_sk(sk)->cb_flags); + mptcp_data_unlock(sk); +- mptcp_subflow_delegated_done(subflow, MPTCP_DELEGATE_SEND); + } +- if (test_bit(MPTCP_DELEGATE_ACK, &subflow->delegated_status)) { ++ if (status & BIT(MPTCP_DELEGATE_ACK)) + schedule_3rdack_retransmission(ssk); +- mptcp_subflow_delegated_done(subflow, MPTCP_DELEGATE_ACK); +- } + } + + static int mptcp_hash(struct sock *sk) +@@ -3981,14 +3978,17 @@ static int mptcp_napi_poll(struct napi_struct *napi, int budget) + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + + bh_lock_sock_nested(ssk); +- if (!sock_owned_by_user(ssk) && +- mptcp_subflow_has_delegated_action(subflow)) +- mptcp_subflow_process_delegated(ssk); +- /* ... elsewhere tcp_release_cb_override already processed +- * the action or will do at next release_sock(). +- * In both case must dequeue the subflow here - on the same +- * CPU that scheduled it. +- */ ++ if (!sock_owned_by_user(ssk)) { ++ mptcp_subflow_process_delegated(ssk, xchg(&subflow->delegated_status, 0)); ++ } else { ++ /* tcp_release_cb_override already processed ++ * the action or will do at next release_sock(). ++ * In both case must dequeue the subflow here - on the same ++ * CPU that scheduled it. ++ */ ++ smp_wmb(); ++ clear_bit(MPTCP_DELEGATE_SCHEDULED, &subflow->delegated_status); ++ } + bh_unlock_sock(ssk); + sock_put(ssk); + +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index 91d89a0aeb586..4ec8e0a81b5a4 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -430,9 +430,11 @@ struct mptcp_delegated_action { + + DECLARE_PER_CPU(struct mptcp_delegated_action, mptcp_delegated_actions); + +-#define MPTCP_DELEGATE_SEND 0 +-#define MPTCP_DELEGATE_ACK 1 ++#define MPTCP_DELEGATE_SCHEDULED 0 ++#define MPTCP_DELEGATE_SEND 1 ++#define MPTCP_DELEGATE_ACK 2 + ++#define MPTCP_DELEGATE_ACTIONS_MASK (~BIT(MPTCP_DELEGATE_SCHEDULED)) + /* MPTCP subflow context */ + struct mptcp_subflow_context { + struct list_head node;/* conn_list of subflows */ +@@ -543,23 +545,24 @@ mptcp_subflow_get_mapped_dsn(const struct mptcp_subflow_context *subflow) + return subflow->map_seq + mptcp_subflow_get_map_offset(subflow); + } + +-void mptcp_subflow_process_delegated(struct sock *ssk); ++void mptcp_subflow_process_delegated(struct sock *ssk, long actions); + + static inline void mptcp_subflow_delegate(struct mptcp_subflow_context *subflow, int action) + { ++ long old, set_bits = BIT(MPTCP_DELEGATE_SCHEDULED) | BIT(action); + struct mptcp_delegated_action *delegated; + bool schedule; + + /* the caller held the subflow bh socket lock */ + lockdep_assert_in_softirq(); + +- /* The implied barrier pairs with mptcp_subflow_delegated_done(), and +- * ensures the below list check sees list updates done prior to status +- * bit changes ++ /* The implied barrier pairs with tcp_release_cb_override() ++ * mptcp_napi_poll(), and ensures the below list check sees list ++ * updates done prior to delegated status bits changes + */ +- if (!test_and_set_bit(action, &subflow->delegated_status)) { +- /* still on delegated list from previous scheduling */ +- if (!list_empty(&subflow->delegated_node)) ++ old = set_mask_bits(&subflow->delegated_status, 0, set_bits); ++ if (!(old & BIT(MPTCP_DELEGATE_SCHEDULED))) { ++ if (WARN_ON_ONCE(!list_empty(&subflow->delegated_node))) + return; + + delegated = this_cpu_ptr(&mptcp_delegated_actions); +@@ -584,20 +587,6 @@ mptcp_subflow_delegated_next(struct mptcp_delegated_action *delegated) + return ret; + } + +-static inline bool mptcp_subflow_has_delegated_action(const struct mptcp_subflow_context *subflow) +-{ +- return !!READ_ONCE(subflow->delegated_status); +-} +- +-static inline void mptcp_subflow_delegated_done(struct mptcp_subflow_context *subflow, int action) +-{ +- /* pairs with mptcp_subflow_delegate, ensures delegate_node is updated before +- * touching the status bit +- */ +- smp_wmb(); +- clear_bit(action, &subflow->delegated_status); +-} +- + int mptcp_is_enabled(const struct net *net); + unsigned int mptcp_get_add_addr_timeout(const struct net *net); + int mptcp_is_checksum_enabled(const struct net *net); +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index b93b08a75017b..d611783c2601f 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -1886,9 +1886,15 @@ static void subflow_ulp_clone(const struct request_sock *req, + static void tcp_release_cb_override(struct sock *ssk) + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); ++ long status; + +- if (mptcp_subflow_has_delegated_action(subflow)) +- mptcp_subflow_process_delegated(ssk); ++ /* process and clear all the pending actions, but leave the subflow into ++ * the napi queue. To respect locking, only the same CPU that originated ++ * the action can touch the list. mptcp_napi_poll will take care of it. ++ */ ++ status = set_mask_bits(&subflow->delegated_status, MPTCP_DELEGATE_ACTIONS_MASK, 0); ++ if (status) ++ mptcp_subflow_process_delegated(ssk, status); + + tcp_release_cb(ssk); + } +-- +2.40.1 + diff --git a/queue-6.1/net-mana-fix-tx-cqe-error-handling.patch b/queue-6.1/net-mana-fix-tx-cqe-error-handling.patch new file mode 100644 index 00000000000..d47d5755bbc --- /dev/null +++ b/queue-6.1/net-mana-fix-tx-cqe-error-handling.patch @@ -0,0 +1,61 @@ +From b9d7c1755147aa468c09b1fc8feed2abac691954 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Sep 2023 13:42:25 -0700 +Subject: net: mana: Fix TX CQE error handling + +From: Haiyang Zhang + +[ Upstream commit b2b000069a4c307b09548dc2243f31f3ca0eac9c ] + +For an unknown TX CQE error type (probably from a newer hardware), +still free the SKB, update the queue tail, etc., otherwise the +accounting will be wrong. + +Also, TX errors can be triggered by injecting corrupted packets, so +replace the WARN_ONCE to ratelimited error logging. + +Cc: stable@vger.kernel.org +Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") +Signed-off-by: Haiyang Zhang +Reviewed-by: Simon Horman +Reviewed-by: Shradha Gupta +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/mana_en.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c +index 4f4204432aaa3..23ce26b8295dc 100644 +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -1003,16 +1003,20 @@ static void mana_poll_tx_cq(struct mana_cq *cq) + case CQE_TX_VPORT_IDX_OUT_OF_RANGE: + case CQE_TX_VPORT_DISABLED: + case CQE_TX_VLAN_TAGGING_VIOLATION: +- WARN_ONCE(1, "TX: CQE error %d: ignored.\n", +- cqe_oob->cqe_hdr.cqe_type); ++ if (net_ratelimit()) ++ netdev_err(ndev, "TX: CQE error %d\n", ++ cqe_oob->cqe_hdr.cqe_type); ++ + break; + + default: +- /* If the CQE type is unexpected, log an error, assert, +- * and go through the error path. ++ /* If the CQE type is unknown, log an error, ++ * and still free the SKB, update tail, etc. + */ +- WARN_ONCE(1, "TX: Unexpected CQE type %d: HW BUG?\n", +- cqe_oob->cqe_hdr.cqe_type); ++ if (net_ratelimit()) ++ netdev_err(ndev, "TX: unknown CQE type %d\n", ++ cqe_oob->cqe_hdr.cqe_type); ++ + return; + } + +-- +2.40.1 + diff --git a/queue-6.1/perf-arm-cmn-fix-the-unhandled-overflow-status-of-co.patch b/queue-6.1/perf-arm-cmn-fix-the-unhandled-overflow-status-of-co.patch new file mode 100644 index 00000000000..4a3bc201075 --- /dev/null +++ b/queue-6.1/perf-arm-cmn-fix-the-unhandled-overflow-status-of-co.patch @@ -0,0 +1,41 @@ +From 3f47c1bab72f4a0d4dda17827fe4e0b4a8af4712 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Sep 2023 11:22:32 +0800 +Subject: perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7 + +From: Jing Zhang + +[ Upstream commit 7f949f6f54ff593123ab95b6247bfa4542a65580 ] + +The register por_dt_pmovsr Bits[7:0] indicates overflow from counters 7 +to 0. But in arm_cmn_handle_irq(), only handled the overflow status of +Bits[3:0] which results in unhandled overflow status of counters 4 to 7. + +So let the overflow status of DTC counters 4 to 7 to be handled. + +Fixes: 0ba64770a2f2 ("perf: Add Arm CMN-600 PMU driver") +Signed-off-by: Jing Zhang +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/1695612152-123633-1-git-send-email-renyu.zj@linux.alibaba.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm-cmn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c +index 90008e24d1cc7..cfb36adf4eb80 100644 +--- a/drivers/perf/arm-cmn.c ++++ b/drivers/perf/arm-cmn.c +@@ -1822,7 +1822,7 @@ static irqreturn_t arm_cmn_handle_irq(int irq, void *dev_id) + u64 delta; + int i; + +- for (i = 0; i < CMN_DTM_NUM_COUNTERS; i++) { ++ for (i = 0; i < CMN_DT_NUM_COUNTERS; i++) { + if (status & (1U << i)) { + ret = IRQ_HANDLED; + if (WARN_ON(!dtc->counters[i])) +-- +2.40.1 + diff --git a/queue-6.1/platform-x86-hp-wmi-mark-driver-struct-with-__refdat.patch b/queue-6.1/platform-x86-hp-wmi-mark-driver-struct-with-__refdat.patch new file mode 100644 index 00000000000..3bacbed0b74 --- /dev/null +++ b/queue-6.1/platform-x86-hp-wmi-mark-driver-struct-with-__refdat.patch @@ -0,0 +1,51 @@ +From 91595434508587b54043d1851bb93bc02924face Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 13:16:24 +0200 +Subject: platform/x86: hp-wmi:: Mark driver struct with __refdata to prevent + section mismatch warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 5b44abbc39ca15df80d0da4756078c98c831090f ] + +As described in the added code comment, a reference to .exit.text is ok +for drivers registered via module_platform_driver_probe(). Make this +explicit to prevent a section mismatch warning: + + WARNING: modpost: drivers/platform/x86/hp/hp-wmi: section mismatch in reference: hp_wmi_driver+0x8 (section: .data) -> hp_wmi_bios_remove (section: .exit.text) + +Fixes: c165b80cfecc ("hp-wmi: fix handling of platform device") +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20231004111624.2667753-1-u.kleine-koenig@pengutronix.de +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp/hp-wmi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/hp/hp-wmi.c b/drivers/platform/x86/hp/hp-wmi.c +index 3bacee2b8d521..51f23ff1f2b05 100644 +--- a/drivers/platform/x86/hp/hp-wmi.c ++++ b/drivers/platform/x86/hp/hp-wmi.c +@@ -1399,7 +1399,13 @@ static const struct dev_pm_ops hp_wmi_pm_ops = { + .restore = hp_wmi_resume_handler, + }; + +-static struct platform_driver hp_wmi_driver = { ++/* ++ * hp_wmi_bios_remove() lives in .exit.text. For drivers registered via ++ * module_platform_driver_probe() this is ok because they cannot get unbound at ++ * runtime. So mark the driver struct with __refdata to prevent modpost ++ * triggering a section mismatch warning. ++ */ ++static struct platform_driver hp_wmi_driver __refdata = { + .driver = { + .name = "hp-wmi", + .pm = &hp_wmi_pm_ops, +-- +2.40.1 + diff --git a/queue-6.1/platform-x86-think-lmi-fix-reference-leak.patch b/queue-6.1/platform-x86-think-lmi-fix-reference-leak.patch new file mode 100644 index 00000000000..3d761b1f07a --- /dev/null +++ b/queue-6.1/platform-x86-think-lmi-fix-reference-leak.patch @@ -0,0 +1,80 @@ +From bb5123b600012e0849a6415e09eee12e1f817c1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Sep 2023 16:28:18 +0200 +Subject: platform/x86: think-lmi: Fix reference leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 528ab3e605cabf2f9c9bd5944d3bfe15f6e94f81 ] + +If a duplicate attribute is found using kset_find_obj(), a reference +to that attribute is returned which needs to be disposed accordingly +using kobject_put(). Move the setting name validation into a separate +function to allow for this change without having to duplicate the +cleanup code for this setting. +As a side note, a very similar bug was fixed in +commit 7295a996fdab ("platform/x86: dell-sysman: Fix reference leak"), +so it seems that the bug was copied from that driver. + +Compile-tested only. + +Fixes: 1bcad8e510b2 ("platform/x86: think-lmi: Fix issues with duplicate attributes") +Reviewed-by: Mark Pearson +Reviewed-by: Ilpo Järvinen +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20230925142819.74525-2-W_Armin@gmx.de +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/think-lmi.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c +index f6290221d139d..6641f934f15bf 100644 +--- a/drivers/platform/x86/think-lmi.c ++++ b/drivers/platform/x86/think-lmi.c +@@ -1245,6 +1245,24 @@ static void tlmi_release_attr(void) + kset_unregister(tlmi_priv.authentication_kset); + } + ++static int tlmi_validate_setting_name(struct kset *attribute_kset, char *name) ++{ ++ struct kobject *duplicate; ++ ++ if (!strcmp(name, "Reserved")) ++ return -EINVAL; ++ ++ duplicate = kset_find_obj(attribute_kset, name); ++ if (duplicate) { ++ pr_debug("Duplicate attribute name found - %s\n", name); ++ /* kset_find_obj() returns a reference */ ++ kobject_put(duplicate); ++ return -EBUSY; ++ } ++ ++ return 0; ++} ++ + static int tlmi_sysfs_init(void) + { + int i, ret; +@@ -1273,10 +1291,8 @@ static int tlmi_sysfs_init(void) + continue; + + /* check for duplicate or reserved values */ +- if (kset_find_obj(tlmi_priv.attribute_kset, tlmi_priv.setting[i]->display_name) || +- !strcmp(tlmi_priv.setting[i]->display_name, "Reserved")) { +- pr_debug("duplicate or reserved attribute name found - %s\n", +- tlmi_priv.setting[i]->display_name); ++ if (tlmi_validate_setting_name(tlmi_priv.attribute_kset, ++ tlmi_priv.setting[i]->display_name) < 0) { + kfree(tlmi_priv.setting[i]->possible_values); + kfree(tlmi_priv.setting[i]); + tlmi_priv.setting[i] = NULL; +-- +2.40.1 + diff --git a/queue-6.1/rdma-cxgb4-check-skb-value-for-failure-to-allocate.patch b/queue-6.1/rdma-cxgb4-check-skb-value-for-failure-to-allocate.patch new file mode 100644 index 00000000000..a9589559d2b --- /dev/null +++ b/queue-6.1/rdma-cxgb4-check-skb-value-for-failure-to-allocate.patch @@ -0,0 +1,39 @@ +From ae61db5d928ecbc633f47c22c641b68ab7470181 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 15:40:48 +0300 +Subject: RDMA/cxgb4: Check skb value for failure to allocate + +From: Artem Chernyshev + +[ Upstream commit 8fb8a82086f5bda6893ea6557c5a458e4549c6d7 ] + +get_skb() can fail to allocate skb, so check it. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5be78ee924ae ("RDMA/cxgb4: Fix LE hash collision bug for active open connection") +Signed-off-by: Artem Chernyshev +Link: https://lore.kernel.org/r/20230905124048.284165-1-artem.chernyshev@red-soft.ru +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index ced615b5ea096..040ba2224f9ff 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -1965,6 +1965,9 @@ static int send_fw_act_open_req(struct c4iw_ep *ep, unsigned int atid) + int win; + + skb = get_skb(NULL, sizeof(*req), GFP_KERNEL); ++ if (!skb) ++ return -ENOMEM; ++ + req = __skb_put_zero(skb, sizeof(*req)); + req->op_compl = htonl(WR_OP_V(FW_OFLD_CONNECTION_WR)); + req->len16_pkd = htonl(FW_WR_LEN16_V(DIV_ROUND_UP(sizeof(*req), 16))); +-- +2.40.1 + diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 00000000000..43fb7f53f78 --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1,7 @@ +net-mana-fix-tx-cqe-error-handling.patch +mptcp-fix-delegated-action-races.patch +drm-i915-don-t-set-pipe_control_flush_l3-for-aux-inv.patch +rdma-cxgb4-check-skb-value-for-failure-to-allocate.patch +perf-arm-cmn-fix-the-unhandled-overflow-status-of-co.patch +platform-x86-think-lmi-fix-reference-leak.patch +platform-x86-hp-wmi-mark-driver-struct-with-__refdat.patch -- 2.47.3