5.15-stable patches

added patches:
	alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch
	arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch
	arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch
	igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch
	ipmi_si-fix-a-memleak-in-try_smi_init.patch
	media-i2c-ccs-check-rules-is-non-null.patch
	mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch
	netfilter-xt_sctp-validate-the-flag_info-count.patch
	netfilter-xt_u32-validate-user-space-input.patch
	pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch
	pm-devfreq-fix-leak-in-devfreq_dev_release.patch
	printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch
	rcu-dump-vmalloc-memory-info-safely.patch
	scsi-core-fix-the-scsi_set_resid-documentation.patch
	skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch

diff --git a/queue-5.15/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch b/queue-5.15/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch
new file mode 100644 (file)
index 0000000..22f8034
--- /dev/null
+++ b/queue-5.15/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch
@@ -0,0 +1,49 @@
+From 358040e3807754944dbddf948a23c6d914297ed7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 29 Aug 2023 15:43:44 +0200
+Subject: ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 358040e3807754944dbddf948a23c6d914297ed7 upstream.
+
+The update of rate_num/den and msbits were factored out to
+fixup_unreferenced_params() function to be called explicitly after the
+hw_refine or hw_params procedure.  It's called from
+snd_pcm_hw_refine_user(), but it's forgotten in the PCM compat ioctl.
+This ended up with the incomplete rate_num/den and msbits parameters
+when 32bit compat ioctl is used.
+
+This patch adds the missing call in snd_pcm_ioctl_hw_params_compat().
+
+Reported-by: Meng_Cai@novatek.com.cn
+Fixes: f9a076bff053 ("ALSA: pcm: calculate non-mask/non-interval parameters always when possible")
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230829134344.31588-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/pcm_compat.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -253,10 +253,14 @@ static int snd_pcm_ioctl_hw_params_compa
+               goto error;
+       }
+ 
+-      if (refine)
++      if (refine) {
+               err = snd_pcm_hw_refine(substream, data);
+-      else
++              if (err < 0)
++                      goto error;
++              err = fixup_unreferenced_params(substream, data);
++      } else {
+               err = snd_pcm_hw_params(substream, data);
++      }
+       if (err < 0)
+               goto error;
+       if (copy_to_user(data32, data, sizeof(*data32)) ||

diff --git a/queue-5.15/arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch b/queue-5.15/arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch
new file mode 100644 (file)
index 0000000..3672432
--- /dev/null
+++ b/queue-5.15/arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch
@@ -0,0 +1,45 @@
+From 847fb80cc01a54bc827b02547bb8743bdb59ddab Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Wed, 7 Jun 2023 22:12:11 -0600
+Subject: ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit 847fb80cc01a54bc827b02547bb8743bdb59ddab upstream.
+
+If function pwrdm_read_prev_pwrst() returns -EINVAL, we will end
+up accessing array pwrdm->state_counter through negative index
+-22. This is wrong and the compiler is legitimately warning us
+about this potential problem.
+
+Fix this by sanity checking the value stored in variable _prev_
+before accessing array pwrdm->state_counter.
+
+Address the following -Warray-bounds warning:
+arch/arm/mach-omap2/powerdomain.c:178:45: warning: array subscript -22 is below array bounds of 'unsigned int[4]' [-Warray-bounds]
+
+Link: https://github.com/KSPP/linux/issues/307
+Fixes: ba20bb126940 ("OMAP: PM counter infrastructure.")
+Cc: stable@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/lkml/20230607050639.LzbPn%25lkp@intel.com/
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Message-ID: <ZIFVGwImU3kpaGeH@work>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/powerdomain.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-omap2/powerdomain.c
++++ b/arch/arm/mach-omap2/powerdomain.c
+@@ -174,7 +174,7 @@ static int _pwrdm_state_switch(struct po
+               break;
+       case PWRDM_STATE_PREV:
+               prev = pwrdm_read_prev_pwrst(pwrdm);
+-              if (pwrdm->state != prev)
++              if (prev >= 0 && pwrdm->state != prev)
+                       pwrdm->state_counter[prev]++;
+               if (prev == PWRDM_POWER_RET)
+                       _update_logic_membank_counters(pwrdm);

diff --git a/queue-5.15/arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch b/queue-5.15/arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch
new file mode 100644 (file)
index 0000000..fafa759
--- /dev/null
+++ b/queue-5.15/arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch
@@ -0,0 +1,52 @@
+From 110e70fccce4f22b53986ae797d665ffb1950aa6 Mon Sep 17 00:00:00 2001
+From: Amit Pundir <amit.pundir@linaro.org>
+Date: Wed, 26 Jul 2023 18:57:19 +0530
+Subject: arm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved
+
+From: Amit Pundir <amit.pundir@linaro.org>
+
+commit 110e70fccce4f22b53986ae797d665ffb1950aa6 upstream.
+
+Adding a reserved memory region for the framebuffer memory
+(the splash memory region set up by the bootloader).
+
+It fixes a kernel panic (arm-smmu: Unhandled context fault
+at this particular memory region) reported on DB845c running
+v5.10.y.
+
+Cc: stable@vger.kernel.org # v5.10+
+Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20230726132719.2117369-2-amit.pundir@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845-db845c.dts |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts
+@@ -85,6 +85,14 @@
+               };
+       };
+ 
++      reserved-memory {
++              /* Cont splash region set up by the bootloader */
++              cont_splash_mem: framebuffer@9d400000 {
++                      reg = <0x0 0x9d400000 0x0 0x2400000>;
++                      no-map;
++              };
++      };
++
+       lt9611_1v8: lt9611-vdd18-regulator {
+               compatible = "regulator-fixed";
+               regulator-name = "LT9611_1V8";
+@@ -482,6 +490,7 @@
+ };
+ 
+ &mdss {
++      memory-region = <&cont_splash_mem>;
+       status = "okay";
+ };
+ 

diff --git a/queue-5.15/igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch b/queue-5.15/igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch
new file mode 100644 (file)
index 0000000..c07329e
--- /dev/null
+++ b/queue-5.15/igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch
@@ -0,0 +1,52 @@
+From bb5ed01cd2428cd25b1c88a3a9cba87055eb289f Mon Sep 17 00:00:00 2001
+From: Radoslaw Tyl <radoslawx.tyl@intel.com>
+Date: Thu, 24 Aug 2023 13:46:19 -0700
+Subject: igb: set max size RX buffer when store bad packet is enabled
+
+From: Radoslaw Tyl <radoslawx.tyl@intel.com>
+
+commit bb5ed01cd2428cd25b1c88a3a9cba87055eb289f upstream.
+
+Increase the RX buffer size to 3K when the SBP bit is on. The size of
+the RX buffer determines the number of pages allocated which may not
+be sufficient for receive frames larger than the set MTU size.
+
+Cc: stable@vger.kernel.org
+Fixes: 89eaefb61dc9 ("igb: Support RX-ALL feature flag.")
+Reported-by: Manfred Rudigier <manfred.rudigier@omicronenergy.com>
+Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com>
+Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -4737,6 +4737,10 @@ void igb_configure_rx_ring(struct igb_ad
+ static void igb_set_rx_buffer_len(struct igb_adapter *adapter,
+                                 struct igb_ring *rx_ring)
+ {
++#if (PAGE_SIZE < 8192)
++      struct e1000_hw *hw = &adapter->hw;
++#endif
++
+       /* set build_skb and buffer size flags */
+       clear_ring_build_skb_enabled(rx_ring);
+       clear_ring_uses_large_buffer(rx_ring);
+@@ -4747,10 +4751,9 @@ static void igb_set_rx_buffer_len(struct
+       set_ring_build_skb_enabled(rx_ring);
+ 
+ #if (PAGE_SIZE < 8192)
+-      if (adapter->max_frame_size <= IGB_MAX_FRAME_BUILD_SKB)
+-              return;
+-
+-      set_ring_uses_large_buffer(rx_ring);
++      if (adapter->max_frame_size > IGB_MAX_FRAME_BUILD_SKB ||
++          rd32(E1000_RCTL) & E1000_RCTL_SBP)
++              set_ring_uses_large_buffer(rx_ring);
+ #endif
+ }
+ 

diff --git a/queue-5.15/ipmi_si-fix-a-memleak-in-try_smi_init.patch b/queue-5.15/ipmi_si-fix-a-memleak-in-try_smi_init.patch
new file mode 100644 (file)
index 0000000..5cacb4a
--- /dev/null
+++ b/queue-5.15/ipmi_si-fix-a-memleak-in-try_smi_init.patch
@@ -0,0 +1,60 @@
+From 6cf1a126de2992b4efe1c3c4d398f8de4aed6e3f Mon Sep 17 00:00:00 2001
+From: Yi Yang <yiyang13@huawei.com>
+Date: Thu, 29 Jun 2023 20:33:28 +0800
+Subject: ipmi_si: fix a memleak in try_smi_init()
+
+From: Yi Yang <yiyang13@huawei.com>
+
+commit 6cf1a126de2992b4efe1c3c4d398f8de4aed6e3f upstream.
+
+Kmemleak reported the following leak info in try_smi_init():
+
+unreferenced object 0xffff00018ecf9400 (size 1024):
+  comm "modprobe", pid 2707763, jiffies 4300851415 (age 773.308s)
+  backtrace:
+    [<000000004ca5b312>] __kmalloc+0x4b8/0x7b0
+    [<00000000953b1072>] try_smi_init+0x148/0x5dc [ipmi_si]
+    [<000000006460d325>] 0xffff800081b10148
+    [<0000000039206ea5>] do_one_initcall+0x64/0x2a4
+    [<00000000601399ce>] do_init_module+0x50/0x300
+    [<000000003c12ba3c>] load_module+0x7a8/0x9e0
+    [<00000000c246fffe>] __se_sys_init_module+0x104/0x180
+    [<00000000eea99093>] __arm64_sys_init_module+0x24/0x30
+    [<0000000021b1ef87>] el0_svc_common.constprop.0+0x94/0x250
+    [<0000000070f4f8b7>] do_el0_svc+0x48/0xe0
+    [<000000005a05337f>] el0_svc+0x24/0x3c
+    [<000000005eb248d6>] el0_sync_handler+0x160/0x164
+    [<0000000030a59039>] el0_sync+0x160/0x180
+
+The problem was that when an error occurred before handlers registration
+and after allocating `new_smi->si_sm`, the variable wouldn't be freed in
+the error handling afterwards since `shutdown_smi()` hadn't been
+registered yet. Fix it by adding a `kfree()` in the error handling path
+in `try_smi_init()`.
+
+Cc: stable@vger.kernel.org # 4.19+
+Fixes: 7960f18a5647 ("ipmi_si: Convert over to a shutdown handler")
+Signed-off-by: Yi Yang <yiyang13@huawei.com>
+Co-developed-by: GONG, Ruiqi <gongruiqi@huaweicloud.com>
+Signed-off-by: GONG, Ruiqi <gongruiqi@huaweicloud.com>
+Message-Id: <20230629123328.2402075-1-gongruiqi@huaweicloud.com>
+Signed-off-by: Corey Minyard <minyard@acm.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_si_intf.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_si_intf.c
++++ b/drivers/char/ipmi/ipmi_si_intf.c
+@@ -2081,6 +2081,11 @@ static int try_smi_init(struct smi_info
+               new_smi->io.io_cleanup = NULL;
+       }
+ 
++      if (rv && new_smi->si_sm) {
++              kfree(new_smi->si_sm);
++              new_smi->si_sm = NULL;
++      }
++
+       return rv;
+ }
+ 

diff --git a/queue-5.15/media-i2c-ccs-check-rules-is-non-null.patch b/queue-5.15/media-i2c-ccs-check-rules-is-non-null.patch
new file mode 100644 (file)
index 0000000..2933112
--- /dev/null
+++ b/queue-5.15/media-i2c-ccs-check-rules-is-non-null.patch
@@ -0,0 +1,146 @@
+From 607bcc4213d998d051541d8f10b5bbb7d546c0be Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Sat, 29 Jul 2023 20:59:25 +0200
+Subject: media: i2c: ccs: Check rules is non-NULL
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 607bcc4213d998d051541d8f10b5bbb7d546c0be upstream.
+
+Fix the following smatch warning:
+
+drivers/media/i2c/ccs/ccs-data.c:524 ccs_data_parse_rules() warn: address
+of NULL pointer 'rules'
+
+The CCS static data rule parser does not check an if rule has been
+obtained before checking for other rule types (which depend on the if
+rule). In practice this means parsing invalid CCS static data could lead
+to dereferencing a NULL pointer.
+
+Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
+Fixes: a6b396f410b1 ("media: ccs: Add CCS static data parser library")
+Cc: stable@vger.kernel.org # for 5.11 and up
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs/ccs-data.c |  101 +++++++++++++++++++++------------------
+ 1 file changed, 56 insertions(+), 45 deletions(-)
+
+--- a/drivers/media/i2c/ccs/ccs-data.c
++++ b/drivers/media/i2c/ccs/ccs-data.c
+@@ -464,8 +464,7 @@ static int ccs_data_parse_rules(struct b
+               rule_payload = __rule_type + 1;
+               rule_plen2 = rule_plen - sizeof(*__rule_type);
+ 
+-              switch (*__rule_type) {
+-              case CCS_DATA_BLOCK_RULE_ID_IF: {
++              if (*__rule_type == CCS_DATA_BLOCK_RULE_ID_IF) {
+                       const struct __ccs_data_block_rule_if *__if_rules =
+                               rule_payload;
+                       const size_t __num_if_rules =
+@@ -514,49 +513,61 @@ static int ccs_data_parse_rules(struct b
+                               rules->if_rules = if_rule;
+                               rules->num_if_rules = __num_if_rules;
+                       }
+-                      break;
+-              }
+-              case CCS_DATA_BLOCK_RULE_ID_READ_ONLY_REGS:
+-                      rval = ccs_data_parse_reg_rules(bin, &rules->read_only_regs,
+-                                                      &rules->num_read_only_regs,
+-                                                      rule_payload,
+-                                                      rule_payload + rule_plen2,
+-                                                      dev);
+-                      if (rval)
+-                              return rval;
+-                      break;
+-              case CCS_DATA_BLOCK_RULE_ID_FFD:
+-                      rval = ccs_data_parse_ffd(bin, &rules->frame_format,
+-                                                rule_payload,
+-                                                rule_payload + rule_plen2,
+-                                                dev);
+-                      if (rval)
+-                              return rval;
+-                      break;
+-              case CCS_DATA_BLOCK_RULE_ID_MSR:
+-                      rval = ccs_data_parse_reg_rules(bin,
+-                                                      &rules->manufacturer_regs,
+-                                                      &rules->num_manufacturer_regs,
+-                                                      rule_payload,
+-                                                      rule_payload + rule_plen2,
+-                                                      dev);
+-                      if (rval)
+-                              return rval;
+-                      break;
+-              case CCS_DATA_BLOCK_RULE_ID_PDAF_READOUT:
+-                      rval = ccs_data_parse_pdaf_readout(bin,
+-                                                         &rules->pdaf_readout,
+-                                                         rule_payload,
+-                                                         rule_payload + rule_plen2,
+-                                                         dev);
+-                      if (rval)
+-                              return rval;
+-                      break;
+-              default:
+-                      dev_dbg(dev,
+-                              "Don't know how to handle rule type %u!\n",
+-                              *__rule_type);
+-                      return -EINVAL;
++              } else {
++                      /* Check there was an if rule before any other rules */
++                      if (bin->base && !rules)
++                              return -EINVAL;
++
++                      switch (*__rule_type) {
++                      case CCS_DATA_BLOCK_RULE_ID_READ_ONLY_REGS:
++                              rval = ccs_data_parse_reg_rules(bin,
++                                                              rules ?
++                                                              &rules->read_only_regs : NULL,
++                                                              rules ?
++                                                              &rules->num_read_only_regs : NULL,
++                                                              rule_payload,
++                                                              rule_payload + rule_plen2,
++                                                              dev);
++                              if (rval)
++                                      return rval;
++                              break;
++                      case CCS_DATA_BLOCK_RULE_ID_FFD:
++                              rval = ccs_data_parse_ffd(bin, rules ?
++                                                        &rules->frame_format : NULL,
++                                                        rule_payload,
++                                                        rule_payload + rule_plen2,
++                                                        dev);
++                              if (rval)
++                                      return rval;
++                              break;
++                      case CCS_DATA_BLOCK_RULE_ID_MSR:
++                              rval = ccs_data_parse_reg_rules(bin,
++                                                              rules ?
++                                                              &rules->manufacturer_regs : NULL,
++                                                              rules ?
++                                                              &rules->num_manufacturer_regs : NULL,
++                                                              rule_payload,
++                                                              rule_payload + rule_plen2,
++                                                              dev);
++                              if (rval)
++                                      return rval;
++                              break;
++                      case CCS_DATA_BLOCK_RULE_ID_PDAF_READOUT:
++                              rval = ccs_data_parse_pdaf_readout(bin,
++                                                                 rules ?
++                                                                 &rules->pdaf_readout : NULL,
++                                                                 rule_payload,
++                                                                 rule_payload + rule_plen2,
++                                                                 dev);
++                              if (rval)
++                                      return rval;
++                              break;
++                      default:
++                              dev_dbg(dev,
++                                      "Don't know how to handle rule type %u!\n",
++                                      *__rule_type);
++                              return -EINVAL;
++                      }
+               }
+               __next_rule = __next_rule + rule_hlen + rule_plen;
+       }

diff --git a/queue-5.15/mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch b/queue-5.15/mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch
new file mode 100644 (file)
index 0000000..ec1177b
--- /dev/null
+++ b/queue-5.15/mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch
@@ -0,0 +1,69 @@
+From 0818e739b5c061b0251c30152380600fb9b84c0c Mon Sep 17 00:00:00 2001
+From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
+Date: Mon, 4 Sep 2023 18:08:04 +0000
+Subject: mm/vmalloc: add a safer version of find_vm_area() for debug
+
+From: Joel Fernandes (Google) <joel@joelfernandes.org>
+
+commit 0818e739b5c061b0251c30152380600fb9b84c0c upstream.
+
+It is unsafe to dump vmalloc area information when trying to do so from
+some contexts.  Add a safer trylock version of the same function to do a
+best-effort VMA finding and use it from vmalloc_dump_obj().
+
+[applied test robot feedback on unused function fix.]
+[applied Uladzislau feedback on locking.]
+Link: https://lkml.kernel.org/r/20230904180806.1002832-1-joel@joelfernandes.org
+Fixes: 98f180837a89 ("mm: Make mem_dump_obj() handle vmalloc() memory")
+Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Reviewed-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Reported-by: Zhen Lei <thunder.leizhen@huaweicloud.com>
+Cc: Paul E. McKenney <paulmck@kernel.org>
+Cc: Zqiang <qiang.zhang1211@gmail.com>
+Cc: <stable@vger.kernel.org>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vmalloc.c |   26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -3823,14 +3823,32 @@ void pcpu_free_vm_areas(struct vm_struct
+ #ifdef CONFIG_PRINTK
+ bool vmalloc_dump_obj(void *object)
+ {
+-      struct vm_struct *vm;
+       void *objp = (void *)PAGE_ALIGN((unsigned long)object);
++      const void *caller;
++      struct vm_struct *vm;
++      struct vmap_area *va;
++      unsigned long addr;
++      unsigned int nr_pages;
++
++      if (!spin_trylock(&vmap_area_lock))
++              return false;
++      va = __find_vmap_area((unsigned long)objp, &vmap_area_root);
++      if (!va) {
++              spin_unlock(&vmap_area_lock);
++              return false;
++      }
+ 
+-      vm = find_vm_area(objp);
+-      if (!vm)
++      vm = va->vm;
++      if (!vm) {
++              spin_unlock(&vmap_area_lock);
+               return false;
++      }
++      addr = (unsigned long)vm->addr;
++      caller = vm->caller;
++      nr_pages = vm->nr_pages;
++      spin_unlock(&vmap_area_lock);
+       pr_cont(" %u-page vmalloc region starting at %#lx allocated at %pS\n",
+-              vm->nr_pages, (unsigned long)vm->addr, vm->caller);
++              nr_pages, addr, caller);
+       return true;
+ }
+ #endif

diff --git a/queue-5.15/netfilter-xt_sctp-validate-the-flag_info-count.patch b/queue-5.15/netfilter-xt_sctp-validate-the-flag_info-count.patch
new file mode 100644 (file)
index 0000000..0c16583
--- /dev/null
+++ b/queue-5.15/netfilter-xt_sctp-validate-the-flag_info-count.patch
@@ -0,0 +1,36 @@
+From e99476497687ef9e850748fe6d232264f30bc8f9 Mon Sep 17 00:00:00 2001
+From: Wander Lairson Costa <wander@redhat.com>
+Date: Mon, 28 Aug 2023 19:12:55 -0300
+Subject: netfilter: xt_sctp: validate the flag_info count
+
+From: Wander Lairson Costa <wander@redhat.com>
+
+commit e99476497687ef9e850748fe6d232264f30bc8f9 upstream.
+
+sctp_mt_check doesn't validate the flag_count field. An attacker can
+take advantage of that to trigger a OOB read and leak memory
+information.
+
+Add the field validation in the checkentry function.
+
+Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables")
+Cc: stable@vger.kernel.org
+Reported-by: Lucas Leong <wmliang@infosec.exchange>
+Signed-off-by: Wander Lairson Costa <wander@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/xt_sctp.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/xt_sctp.c
++++ b/net/netfilter/xt_sctp.c
+@@ -150,6 +150,8 @@ static int sctp_mt_check(const struct xt
+ {
+       const struct xt_sctp_info *info = par->matchinfo;
+ 
++      if (info->flag_count > ARRAY_SIZE(info->flag_info))
++              return -EINVAL;
+       if (info->flags & ~XT_SCTP_VALID_FLAGS)
+               return -EINVAL;
+       if (info->invflags & ~XT_SCTP_VALID_FLAGS)

diff --git a/queue-5.15/netfilter-xt_u32-validate-user-space-input.patch b/queue-5.15/netfilter-xt_u32-validate-user-space-input.patch
new file mode 100644 (file)
index 0000000..e8a50eb
--- /dev/null
+++ b/queue-5.15/netfilter-xt_u32-validate-user-space-input.patch
@@ -0,0 +1,61 @@
+From 69c5d284f67089b4750d28ff6ac6f52ec224b330 Mon Sep 17 00:00:00 2001
+From: Wander Lairson Costa <wander@redhat.com>
+Date: Mon, 28 Aug 2023 10:21:07 -0300
+Subject: netfilter: xt_u32: validate user space input
+
+From: Wander Lairson Costa <wander@redhat.com>
+
+commit 69c5d284f67089b4750d28ff6ac6f52ec224b330 upstream.
+
+The xt_u32 module doesn't validate the fields in the xt_u32 structure.
+An attacker may take advantage of this to trigger an OOB read by setting
+the size fields with a value beyond the arrays boundaries.
+
+Add a checkentry function to validate the structure.
+
+This was originally reported by the ZDI project (ZDI-CAN-18408).
+
+Fixes: 1b50b8a371e9 ("[NETFILTER]: Add u32 match")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wander Lairson Costa <wander@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/xt_u32.c |   21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/net/netfilter/xt_u32.c
++++ b/net/netfilter/xt_u32.c
+@@ -96,11 +96,32 @@ static bool u32_mt(const struct sk_buff
+       return ret ^ data->invert;
+ }
+ 
++static int u32_mt_checkentry(const struct xt_mtchk_param *par)
++{
++      const struct xt_u32 *data = par->matchinfo;
++      const struct xt_u32_test *ct;
++      unsigned int i;
++
++      if (data->ntests > ARRAY_SIZE(data->tests))
++              return -EINVAL;
++
++      for (i = 0; i < data->ntests; ++i) {
++              ct = &data->tests[i];
++
++              if (ct->nnums > ARRAY_SIZE(ct->location) ||
++                  ct->nvalues > ARRAY_SIZE(ct->value))
++                      return -EINVAL;
++      }
++
++      return 0;
++}
++
+ static struct xt_match xt_u32_mt_reg __read_mostly = {
+       .name       = "u32",
+       .revision   = 0,
+       .family     = NFPROTO_UNSPEC,
+       .match      = u32_mt,
++      .checkentry = u32_mt_checkentry,
+       .matchsize  = sizeof(struct xt_u32),
+       .me         = THIS_MODULE,
+ };

diff --git a/queue-5.15/pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch b/queue-5.15/pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch
new file mode 100644 (file)
index 0000000..22c8e40
--- /dev/null
+++ b/queue-5.15/pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch
@@ -0,0 +1,55 @@
+From cdb50033dd6dfcf02ae3d4ee56bc1a9555be6d36 Mon Sep 17 00:00:00 2001
+From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
+Date: Mon, 3 Jul 2023 10:58:45 +0200
+Subject: PCI: rockchip: Use 64-bit mask on MSI 64-bit PCI address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
+
+commit cdb50033dd6dfcf02ae3d4ee56bc1a9555be6d36 upstream.
+
+A 32-bit mask was used on the 64-bit PCI address used for mapping MSIs.
+This would result in the upper 32 bits being unintentionally zeroed and
+MSIs getting mapped to incorrect PCI addresses if the address had any
+of the upper bits set.
+
+Replace 32-bit mask by appropriate 64-bit mask.
+
+[kwilczynski: use GENMASK_ULL() over GENMASK() for 32-bit compatibility]
+Fixes: dc73ed0f1b8b ("PCI: rockchip: Fix window mapping and address translation for endpoint")
+Closes: https://lore.kernel.org/linux-pci/8d19e5b7-8fa0-44a4-90e2-9bb06f5eb694@moroto.mountain
+Link: https://lore.kernel.org/linux-pci/20230703085845.2052008-1-rick.wertenbroek@gmail.com
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Rick Wertenbroek <rick.wertenbroek@gmail.com>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-rockchip.h |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/controller/pcie-rockchip.h
++++ b/drivers/pci/controller/pcie-rockchip.h
+@@ -159,7 +159,9 @@
+ #define PCIE_RC_CONFIG_THP_CAP                (PCIE_RC_CONFIG_BASE + 0x274)
+ #define   PCIE_RC_CONFIG_THP_CAP_NEXT_MASK    GENMASK(31, 20)
+ 
+-#define PCIE_ADDR_MASK                        0xffffff00
++#define MAX_AXI_IB_ROOTPORT_REGION_NUM                3
++#define MIN_AXI_ADDR_BITS_PASSED              8
++#define PCIE_ADDR_MASK                        GENMASK_ULL(63, MIN_AXI_ADDR_BITS_PASSED)
+ #define PCIE_CORE_AXI_CONF_BASE               0xc00000
+ #define PCIE_CORE_OB_REGION_ADDR0     (PCIE_CORE_AXI_CONF_BASE + 0x0)
+ #define   PCIE_CORE_OB_REGION_ADDR0_NUM_BITS  0x3f
+@@ -186,8 +188,6 @@
+ #define AXI_WRAPPER_TYPE1_CFG                 0xb
+ #define AXI_WRAPPER_NOR_MSG                   0xc
+ 
+-#define MAX_AXI_IB_ROOTPORT_REGION_NUM                3
+-#define MIN_AXI_ADDR_BITS_PASSED              8
+ #define PCIE_RC_SEND_PME_OFF                  0x11960
+ #define ROCKCHIP_VENDOR_ID                    0x1d87
+ #define PCIE_LINK_IS_L2(x) \

diff --git a/queue-5.15/pm-devfreq-fix-leak-in-devfreq_dev_release.patch b/queue-5.15/pm-devfreq-fix-leak-in-devfreq_dev_release.patch
new file mode 100644 (file)
index 0000000..3344899
--- /dev/null
+++ b/queue-5.15/pm-devfreq-fix-leak-in-devfreq_dev_release.patch
@@ -0,0 +1,34 @@
+From 5693d077595de721f9ddbf9d37f40e5409707dfe Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@collabora.com>
+Date: Wed, 9 Aug 2023 13:31:08 +0200
+Subject: PM / devfreq: Fix leak in devfreq_dev_release()
+
+From: Boris Brezillon <boris.brezillon@collabora.com>
+
+commit 5693d077595de721f9ddbf9d37f40e5409707dfe upstream.
+
+srcu_init_notifier_head() allocates resources that need to be released
+with a srcu_cleanup_notifier_head() call.
+
+Reported by kmemleak.
+
+Fixes: 0fe3a66410a3 ("PM / devfreq: Add new DEVFREQ_TRANSITION_NOTIFIER notifier")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
+Reviewed-by: Dhruva Gole <d-gole@ti.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/devfreq/devfreq.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -762,6 +762,7 @@ static void devfreq_dev_release(struct d
+               dev_pm_opp_put_opp_table(devfreq->opp_table);
+ 
+       mutex_destroy(&devfreq->lock);
++      srcu_cleanup_notifier_head(&devfreq->transition_notifier_list);
+       kfree(devfreq);
+ }
+ 

diff --git a/queue-5.15/printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch b/queue-5.15/printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch
new file mode 100644 (file)
index 0000000..8bf5d7a
--- /dev/null
+++ b/queue-5.15/printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch
@@ -0,0 +1,49 @@
+From 53e9e33ede37a247d926db5e4a9e56b55204e66c Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 10 Aug 2023 22:45:32 -0700
+Subject: printk: ringbuffer: Fix truncating buffer size min_t cast
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 53e9e33ede37a247d926db5e4a9e56b55204e66c upstream.
+
+If an output buffer size exceeded U16_MAX, the min_t(u16, ...) cast in
+copy_data() was causing writes to truncate. This manifested as output
+bytes being skipped, seen as %NUL bytes in pstore dumps when the available
+record size was larger than 65536. Fix the cast to no longer truncate
+the calculation.
+
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: John Ogness <john.ogness@linutronix.de>
+Reported-by: Vijay Balakrishna <vijayb@linux.microsoft.com>
+Link: https://lore.kernel.org/lkml/d8bb1ec7-a4c5-43a2-9de0-9643a70b899f@linux.microsoft.com/
+Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Tested-by: Vijay Balakrishna <vijayb@linux.microsoft.com>
+Tested-by: Guilherme G. Piccoli <gpiccoli@igalia.com> # Steam Deck
+Reviewed-by: Tyler Hicks (Microsoft) <code@tyhicks.com>
+Tested-by: Tyler Hicks (Microsoft) <code@tyhicks.com>
+Reviewed-by: John Ogness <john.ogness@linutronix.de>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20230811054528.never.165-kees@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/printk/printk_ringbuffer.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/printk/printk_ringbuffer.c
++++ b/kernel/printk/printk_ringbuffer.c
+@@ -1724,7 +1724,7 @@ static bool copy_data(struct prb_data_ri
+       if (!buf || !buf_size)
+               return true;
+ 
+-      data_size = min_t(u16, buf_size, len);
++      data_size = min_t(unsigned int, buf_size, len);
+ 
+       memcpy(&buf[0], data, data_size); /* LMM(copy_data:A) */
+       return true;

diff --git a/queue-5.15/rcu-dump-vmalloc-memory-info-safely.patch b/queue-5.15/rcu-dump-vmalloc-memory-info-safely.patch
new file mode 100644 (file)
index 0000000..4c86ef0
--- /dev/null
+++ b/queue-5.15/rcu-dump-vmalloc-memory-info-safely.patch
@@ -0,0 +1,95 @@
+From c83ad36a18c02c0f51280b50272327807916987f Mon Sep 17 00:00:00 2001
+From: Zqiang <qiang.zhang1211@gmail.com>
+Date: Mon, 4 Sep 2023 18:08:05 +0000
+Subject: rcu: dump vmalloc memory info safely
+
+From: Zqiang <qiang.zhang1211@gmail.com>
+
+commit c83ad36a18c02c0f51280b50272327807916987f upstream.
+
+Currently, for double invoke call_rcu(), will dump rcu_head objects memory
+info, if the objects is not allocated from the slab allocator, the
+vmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to
+be held, since the call_rcu() can be invoked in interrupt context,
+therefore, there is a possibility of spinlock deadlock scenarios.
+
+And in Preempt-RT kernel, the rcutorture test also trigger the following
+lockdep warning:
+
+BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
+in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0
+preempt_count: 1, expected: 0
+RCU nest depth: 1, expected: 1
+3 locks held by swapper/0/1:
+ #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0
+ #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370
+ #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70
+irq event stamp: 565512
+hardirqs last  enabled at (565511): [<ffffffffb379b138>] __call_rcu_common+0x218/0x940
+hardirqs last disabled at (565512): [<ffffffffb5804262>] rcu_torture_init+0x20b2/0x2370
+softirqs last  enabled at (399112): [<ffffffffb36b2586>] __local_bh_enable_ip+0x126/0x170
+softirqs last disabled at (399106): [<ffffffffb43fef59>] inet_register_protosw+0x9/0x1d0
+Preemption disabled at:
+[<ffffffffb58040c3>] rcu_torture_init+0x1f13/0x2370
+CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W          6.5.0-rc4-rt2-yocto-preempt-rt+ #15
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x68/0xb0
+ dump_stack+0x14/0x20
+ __might_resched+0x1aa/0x280
+ ? __pfx_rcu_torture_err_cb+0x10/0x10
+ rt_spin_lock+0x53/0x130
+ ? find_vmap_area+0x1f/0x70
+ find_vmap_area+0x1f/0x70
+ vmalloc_dump_obj+0x20/0x60
+ mem_dump_obj+0x22/0x90
+ __call_rcu_common+0x5bf/0x940
+ ? debug_smp_processor_id+0x1b/0x30
+ call_rcu_hurry+0x14/0x20
+ rcu_torture_init+0x1f82/0x2370
+ ? __pfx_rcu_torture_leak_cb+0x10/0x10
+ ? __pfx_rcu_torture_leak_cb+0x10/0x10
+ ? __pfx_rcu_torture_init+0x10/0x10
+ do_one_initcall+0x6c/0x300
+ ? debug_smp_processor_id+0x1b/0x30
+ kernel_init_freeable+0x2b9/0x540
+ ? __pfx_kernel_init+0x10/0x10
+ kernel_init+0x1f/0x150
+ ret_from_fork+0x40/0x50
+ ? __pfx_kernel_init+0x10/0x10
+ ret_from_fork_asm+0x1b/0x30
+ </TASK>
+
+The previous patch fixes this by using the deadlock-safe best-effort
+version of find_vm_area.  However, in case of failure print the fact that
+the pointer was a vmalloc pointer so that we print at least something.
+
+Link: https://lkml.kernel.org/r/20230904180806.1002832-2-joel@joelfernandes.org
+Fixes: 98f180837a89 ("mm: Make mem_dump_obj() handle vmalloc() memory")
+Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>
+Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Reported-by: Zhen Lei <thunder.leizhen@huaweicloud.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Paul E. McKenney <paulmck@kernel.org>
+Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/util.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -1110,7 +1110,9 @@ void mem_dump_obj(void *object)
+       if (vmalloc_dump_obj(object))
+               return;
+ 
+-      if (virt_addr_valid(object))
++      if (is_vmalloc_addr(object))
++              type = "vmalloc memory";
++      else if (virt_addr_valid(object))
+               type = "non-slab/vmalloc memory";
+       else if (object == NULL)
+               type = "NULL pointer";

diff --git a/queue-5.15/scsi-core-fix-the-scsi_set_resid-documentation.patch b/queue-5.15/scsi-core-fix-the-scsi_set_resid-documentation.patch
new file mode 100644 (file)
index 0000000..13dbab5
--- /dev/null
+++ b/queue-5.15/scsi-core-fix-the-scsi_set_resid-documentation.patch
@@ -0,0 +1,42 @@
+From f669b8a683e4ee26fa5cafe19d71cec1786b556a Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Fri, 21 Jul 2023 09:01:32 -0700
+Subject: scsi: core: Fix the scsi_set_resid() documentation
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit f669b8a683e4ee26fa5cafe19d71cec1786b556a upstream.
+
+Because scsi_finish_command() subtracts the residual from the buffer
+length, residual overflows must not be reported. Reflect this in the SCSI
+documentation. See also commit 9237f04e12cc ("scsi: core: Fix
+scsi_get/set_resid() interface")
+
+Cc: Damien Le Moal <dlemoal@kernel.org>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Douglas Gilbert <dgilbert@interlog.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20230721160154.874010-2-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/scsi/scsi_mid_low_api.rst |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Documentation/scsi/scsi_mid_low_api.rst
++++ b/Documentation/scsi/scsi_mid_low_api.rst
+@@ -1190,11 +1190,11 @@ Members of interest:
+                - pointer to scsi_device object that this command is
+                    associated with.
+     resid
+-               - an LLD should set this signed integer to the requested
++               - an LLD should set this unsigned integer to the requested
+                    transfer length (i.e. 'request_bufflen') less the number
+                    of bytes that are actually transferred. 'resid' is
+                    preset to 0 so an LLD can ignore it if it cannot detect
+-                   underruns (overruns should be rare). If possible an LLD
++                   underruns (overruns should not be reported). An LLD
+                    should set 'resid' prior to invoking 'done'. The most
+                    interesting case is data transfers from a SCSI target
+                    device (e.g. READs) that underrun.

diff --git a/queue-5.15/series b/queue-5.15/series
index 9f16e02200a7ff2e54d2828eb381de0e3d15662b..c03c52a988cfa2a1a794536ebd57c749f7b84f73 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -322,3 +322,18 @@ cpufreq-fix-the-race-condition-while-updating-the-tr.patch
 virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch
 igmp-limit-igmpv3_newpack-packet-size-to-ip_max_mtu.patch
 netfilter-ipset-add-the-missing-ip_set_hash_with_net0-macro-for-ip_set_hash_netportnet.c.patch
+netfilter-xt_u32-validate-user-space-input.patch
+netfilter-xt_sctp-validate-the-flag_info-count.patch
+skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch
+igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch
+pm-devfreq-fix-leak-in-devfreq_dev_release.patch
+alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch
+arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch
+rcu-dump-vmalloc-memory-info-safely.patch
+printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch
+scsi-core-fix-the-scsi_set_resid-documentation.patch
+mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch
+media-i2c-ccs-check-rules-is-non-null.patch
+pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch
+ipmi_si-fix-a-memleak-in-try_smi_init.patch
+arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch

diff --git a/queue-5.15/skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch b/queue-5.15/skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch
new file mode 100644 (file)
index 0000000..0b8c43b
--- /dev/null
+++ b/queue-5.15/skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch
@@ -0,0 +1,156 @@
+From 2ea35288c83b3d501a88bc17f2df8f176b5cc96f Mon Sep 17 00:00:00 2001
+From: Mohamed Khalfella <mkhalfella@purestorage.com>
+Date: Thu, 31 Aug 2023 02:17:02 -0600
+Subject: skbuff: skb_segment, Call zero copy functions before using skbuff frags
+
+From: Mohamed Khalfella <mkhalfella@purestorage.com>
+
+commit 2ea35288c83b3d501a88bc17f2df8f176b5cc96f upstream.
+
+Commit bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions
+once per nskb") added the call to zero copy functions in skb_segment().
+The change introduced a bug in skb_segment() because skb_orphan_frags()
+may possibly change the number of fragments or allocate new fragments
+altogether leaving nrfrags and frag to point to the old values. This can
+cause a panic with stacktrace like the one below.
+
+[  193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc
+[  193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G           O      5.15.123+ #26
+[  193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0
+[  194.021892] Call Trace:
+[  194.027422]  <TASK>
+[  194.072861]  tcp_gso_segment+0x107/0x540
+[  194.082031]  inet_gso_segment+0x15c/0x3d0
+[  194.090783]  skb_mac_gso_segment+0x9f/0x110
+[  194.095016]  __skb_gso_segment+0xc1/0x190
+[  194.103131]  netem_enqueue+0x290/0xb10 [sch_netem]
+[  194.107071]  dev_qdisc_enqueue+0x16/0x70
+[  194.110884]  __dev_queue_xmit+0x63b/0xb30
+[  194.121670]  bond_start_xmit+0x159/0x380 [bonding]
+[  194.128506]  dev_hard_start_xmit+0xc3/0x1e0
+[  194.131787]  __dev_queue_xmit+0x8a0/0xb30
+[  194.138225]  macvlan_start_xmit+0x4f/0x100 [macvlan]
+[  194.141477]  dev_hard_start_xmit+0xc3/0x1e0
+[  194.144622]  sch_direct_xmit+0xe3/0x280
+[  194.147748]  __dev_queue_xmit+0x54a/0xb30
+[  194.154131]  tap_get_user+0x2a8/0x9c0 [tap]
+[  194.157358]  tap_sendmsg+0x52/0x8e0 [tap]
+[  194.167049]  handle_tx_zerocopy+0x14e/0x4c0 [vhost_net]
+[  194.173631]  handle_tx+0xcd/0xe0 [vhost_net]
+[  194.176959]  vhost_worker+0x76/0xb0 [vhost]
+[  194.183667]  kthread+0x118/0x140
+[  194.190358]  ret_from_fork+0x1f/0x30
+[  194.193670]  </TASK>
+
+In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags
+local variable in skb_segment() stale. This resulted in the code hitting
+i >= nrfrags prematurely and trying to move to next frag_skb using
+list_skb pointer, which was NULL, and caused kernel panic. Move the call
+to zero copy functions before using frags and nr_frags.
+
+Fixes: bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions once per nskb")
+Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com>
+Reported-by: Amit Goyal <agoyal@purestorage.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c |   34 ++++++++++++++++++++--------------
+ 1 file changed, 20 insertions(+), 14 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4001,21 +4001,20 @@ struct sk_buff *skb_segment(struct sk_bu
+       struct sk_buff *segs = NULL;
+       struct sk_buff *tail = NULL;
+       struct sk_buff *list_skb = skb_shinfo(head_skb)->frag_list;
+-      skb_frag_t *frag = skb_shinfo(head_skb)->frags;
+       unsigned int mss = skb_shinfo(head_skb)->gso_size;
+       unsigned int doffset = head_skb->data - skb_mac_header(head_skb);
+-      struct sk_buff *frag_skb = head_skb;
+       unsigned int offset = doffset;
+       unsigned int tnl_hlen = skb_tnl_header_len(head_skb);
+       unsigned int partial_segs = 0;
+       unsigned int headroom;
+       unsigned int len = head_skb->len;
++      struct sk_buff *frag_skb;
++      skb_frag_t *frag;
+       __be16 proto;
+       bool csum, sg;
+-      int nfrags = skb_shinfo(head_skb)->nr_frags;
+       int err = -ENOMEM;
+       int i = 0;
+-      int pos;
++      int nfrags, pos;
+ 
+       if ((skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY) &&
+           mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) {
+@@ -4092,6 +4091,13 @@ normal:
+       headroom = skb_headroom(head_skb);
+       pos = skb_headlen(head_skb);
+ 
++      if (skb_orphan_frags(head_skb, GFP_ATOMIC))
++              return ERR_PTR(-ENOMEM);
++
++      nfrags = skb_shinfo(head_skb)->nr_frags;
++      frag = skb_shinfo(head_skb)->frags;
++      frag_skb = head_skb;
++
+       do {
+               struct sk_buff *nskb;
+               skb_frag_t *nskb_frag;
+@@ -4112,6 +4118,10 @@ normal:
+                   (skb_headlen(list_skb) == len || sg)) {
+                       BUG_ON(skb_headlen(list_skb) > len);
+ 
++                      nskb = skb_clone(list_skb, GFP_ATOMIC);
++                      if (unlikely(!nskb))
++                              goto err;
++
+                       i = 0;
+                       nfrags = skb_shinfo(list_skb)->nr_frags;
+                       frag = skb_shinfo(list_skb)->frags;
+@@ -4130,12 +4140,8 @@ normal:
+                               frag++;
+                       }
+ 
+-                      nskb = skb_clone(list_skb, GFP_ATOMIC);
+                       list_skb = list_skb->next;
+ 
+-                      if (unlikely(!nskb))
+-                              goto err;
+-
+                       if (unlikely(pskb_trim(nskb, len))) {
+                               kfree_skb(nskb);
+                               goto err;
+@@ -4211,12 +4217,16 @@ normal:
+               skb_shinfo(nskb)->flags |= skb_shinfo(head_skb)->flags &
+                                          SKBFL_SHARED_FRAG;
+ 
+-              if (skb_orphan_frags(frag_skb, GFP_ATOMIC) ||
+-                  skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
++              if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
+                       goto err;
+ 
+               while (pos < offset + len) {
+                       if (i >= nfrags) {
++                              if (skb_orphan_frags(list_skb, GFP_ATOMIC) ||
++                                  skb_zerocopy_clone(nskb, list_skb,
++                                                     GFP_ATOMIC))
++                                      goto err;
++
+                               i = 0;
+                               nfrags = skb_shinfo(list_skb)->nr_frags;
+                               frag = skb_shinfo(list_skb)->frags;
+@@ -4230,10 +4240,6 @@ normal:
+                                       i--;
+                                       frag--;
+                               }
+-                              if (skb_orphan_frags(frag_skb, GFP_ATOMIC) ||
+-                                  skb_zerocopy_clone(nskb, frag_skb,
+-                                                     GFP_ATOMIC))
+-                                      goto err;
+ 
+                               list_skb = list_skb->next;
+                       }