From: Greg Kroah-Hartman Date: Sat, 9 Sep 2023 12:45:45 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.1.53~93 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1adab33c52edfbcebcf14dba7e761560fb8fa731;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch cpu-hotplug-prevent-self-deadlock-on-cpu-hot-unplug.patch igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch ipmi_si-fix-a-memleak-in-try_smi_init.patch media-i2c-add-a-camera-sensor-top-level-menu.patch media-i2c-ccs-check-rules-is-non-null.patch mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch multi-gen-lru-fix-per-zone-reclaim.patch netfilter-nft_exthdr-fix-non-linear-header-modification.patch netfilter-xt_sctp-validate-the-flag_info-count.patch netfilter-xt_u32-validate-user-space-input.patch pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch pm-devfreq-fix-leak-in-devfreq_dev_release.patch printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch rcu-dump-vmalloc-memory-info-safely.patch scsi-core-fix-the-scsi_set_resid-documentation.patch skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch --- diff --git a/queue-6.1/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch b/queue-6.1/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch new file mode 100644 index 00000000000..22f80343830 --- /dev/null +++ b/queue-6.1/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch @@ -0,0 +1,49 @@ +From 358040e3807754944dbddf948a23c6d914297ed7 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 29 Aug 2023 15:43:44 +0200 +Subject: ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl + +From: Takashi Iwai + +commit 358040e3807754944dbddf948a23c6d914297ed7 upstream. + +The update of rate_num/den and msbits were factored out to +fixup_unreferenced_params() function to be called explicitly after the +hw_refine or hw_params procedure. It's called from +snd_pcm_hw_refine_user(), but it's forgotten in the PCM compat ioctl. +This ended up with the incomplete rate_num/den and msbits parameters +when 32bit compat ioctl is used. + +This patch adds the missing call in snd_pcm_ioctl_hw_params_compat(). + +Reported-by: Meng_Cai@novatek.com.cn +Fixes: f9a076bff053 ("ALSA: pcm: calculate non-mask/non-interval parameters always when possible") +Reviewed-by: Takashi Sakamoto +Reviewed-by: Jaroslav Kysela +Cc: +Link: https://lore.kernel.org/r/20230829134344.31588-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_compat.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/sound/core/pcm_compat.c ++++ b/sound/core/pcm_compat.c +@@ -253,10 +253,14 @@ static int snd_pcm_ioctl_hw_params_compa + goto error; + } + +- if (refine) ++ if (refine) { + err = snd_pcm_hw_refine(substream, data); +- else ++ if (err < 0) ++ goto error; ++ err = fixup_unreferenced_params(substream, data); ++ } else { + err = snd_pcm_hw_params(substream, data); ++ } + if (err < 0) + goto error; + if (copy_to_user(data32, data, sizeof(*data32)) || diff --git a/queue-6.1/arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch b/queue-6.1/arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch new file mode 100644 index 00000000000..367243285b5 --- /dev/null +++ b/queue-6.1/arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch @@ -0,0 +1,45 @@ +From 847fb80cc01a54bc827b02547bb8743bdb59ddab Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Wed, 7 Jun 2023 22:12:11 -0600 +Subject: ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch() + +From: Gustavo A. R. Silva + +commit 847fb80cc01a54bc827b02547bb8743bdb59ddab upstream. + +If function pwrdm_read_prev_pwrst() returns -EINVAL, we will end +up accessing array pwrdm->state_counter through negative index +-22. This is wrong and the compiler is legitimately warning us +about this potential problem. + +Fix this by sanity checking the value stored in variable _prev_ +before accessing array pwrdm->state_counter. + +Address the following -Warray-bounds warning: +arch/arm/mach-omap2/powerdomain.c:178:45: warning: array subscript -22 is below array bounds of 'unsigned int[4]' [-Warray-bounds] + +Link: https://github.com/KSPP/linux/issues/307 +Fixes: ba20bb126940 ("OMAP: PM counter infrastructure.") +Cc: stable@vger.kernel.org +Reported-by: kernel test robot +Link: https://lore.kernel.org/lkml/20230607050639.LzbPn%25lkp@intel.com/ +Signed-off-by: Gustavo A. R. Silva +Message-ID: +Acked-by: Ard Biesheuvel +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/powerdomain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-omap2/powerdomain.c ++++ b/arch/arm/mach-omap2/powerdomain.c +@@ -174,7 +174,7 @@ static int _pwrdm_state_switch(struct po + break; + case PWRDM_STATE_PREV: + prev = pwrdm_read_prev_pwrst(pwrdm); +- if (pwrdm->state != prev) ++ if (prev >= 0 && pwrdm->state != prev) + pwrdm->state_counter[prev]++; + if (prev == PWRDM_POWER_RET) + _update_logic_membank_counters(pwrdm); diff --git a/queue-6.1/arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch b/queue-6.1/arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch new file mode 100644 index 00000000000..c9854e693bb --- /dev/null +++ b/queue-6.1/arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch @@ -0,0 +1,52 @@ +From 110e70fccce4f22b53986ae797d665ffb1950aa6 Mon Sep 17 00:00:00 2001 +From: Amit Pundir +Date: Wed, 26 Jul 2023 18:57:19 +0530 +Subject: arm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved + +From: Amit Pundir + +commit 110e70fccce4f22b53986ae797d665ffb1950aa6 upstream. + +Adding a reserved memory region for the framebuffer memory +(the splash memory region set up by the bootloader). + +It fixes a kernel panic (arm-smmu: Unhandled context fault +at this particular memory region) reported on DB845c running +v5.10.y. + +Cc: stable@vger.kernel.org # v5.10+ +Reviewed-by: Caleb Connolly +Signed-off-by: Amit Pundir +Acked-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230726132719.2117369-2-amit.pundir@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sdm845-db845c.dts | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts ++++ b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts +@@ -100,6 +100,14 @@ + }; + }; + ++ reserved-memory { ++ /* Cont splash region set up by the bootloader */ ++ cont_splash_mem: framebuffer@9d400000 { ++ reg = <0x0 0x9d400000 0x0 0x2400000>; ++ no-map; ++ }; ++ }; ++ + lt9611_1v8: lt9611-vdd18-regulator { + compatible = "regulator-fixed"; + regulator-name = "LT9611_1V8"; +@@ -512,6 +520,7 @@ + }; + + &mdss { ++ memory-region = <&cont_splash_mem>; + status = "okay"; + }; + diff --git a/queue-6.1/cpu-hotplug-prevent-self-deadlock-on-cpu-hot-unplug.patch b/queue-6.1/cpu-hotplug-prevent-self-deadlock-on-cpu-hot-unplug.patch new file mode 100644 index 00000000000..5b090fed917 --- /dev/null +++ b/queue-6.1/cpu-hotplug-prevent-self-deadlock-on-cpu-hot-unplug.patch @@ -0,0 +1,92 @@ +From 2b8272ff4a70b866106ae13c36be7ecbef5d5da2 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 23 Aug 2023 10:47:02 +0200 +Subject: cpu/hotplug: Prevent self deadlock on CPU hot-unplug + +From: Thomas Gleixner + +commit 2b8272ff4a70b866106ae13c36be7ecbef5d5da2 upstream. + +Xiongfeng reported and debugged a self deadlock of the task which initiates +and controls a CPU hot-unplug operation vs. the CFS bandwidth timer. + + CPU1 CPU2 + +T1 sets cfs_quota + starts hrtimer cfs_bandwidth 'period_timer' +T1 is migrated to CPU2 + T1 initiates offlining of CPU1 +Hotplug operation starts + ... +'period_timer' expires and is re-enqueued on CPU1 + ... +take_cpu_down() + CPU1 shuts down and does not handle timers + anymore. They have to be migrated in the + post dead hotplug steps by the control task. + + T1 runs the post dead offline operation + T1 is scheduled out + T1 waits for 'period_timer' to expire + +T1 waits there forever if it is scheduled out before it can execute the hrtimer +offline callback hrtimers_dead_cpu(). + +Cure this by delegating the hotplug control operation to a worker thread on +an online CPU. This takes the initiating user space task, which might be +affected by the bandwidth timer, completely out of the picture. + +Reported-by: Xiongfeng Wang +Signed-off-by: Thomas Gleixner +Tested-by: Yu Liao +Acked-by: Vincent Guittot +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/lkml/8e785777-03aa-99e1-d20e-e956f5685be6@huawei.com +Link: https://lore.kernel.org/r/87h6oqdq0i.ffs@tglx +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cpu.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -1215,8 +1215,22 @@ out: + return ret; + } + ++struct cpu_down_work { ++ unsigned int cpu; ++ enum cpuhp_state target; ++}; ++ ++static long __cpu_down_maps_locked(void *arg) ++{ ++ struct cpu_down_work *work = arg; ++ ++ return _cpu_down(work->cpu, 0, work->target); ++} ++ + static int cpu_down_maps_locked(unsigned int cpu, enum cpuhp_state target) + { ++ struct cpu_down_work work = { .cpu = cpu, .target = target, }; ++ + /* + * If the platform does not support hotplug, report it explicitly to + * differentiate it from a transient offlining failure. +@@ -1225,7 +1239,15 @@ static int cpu_down_maps_locked(unsigned + return -EOPNOTSUPP; + if (cpu_hotplug_disabled) + return -EBUSY; +- return _cpu_down(cpu, 0, target); ++ ++ /* ++ * Ensure that the control task does not run on the to be offlined ++ * CPU to prevent a deadlock against cfs_b->period_timer. ++ */ ++ cpu = cpumask_any_but(cpu_online_mask, cpu); ++ if (cpu >= nr_cpu_ids) ++ return -EBUSY; ++ return work_on_cpu(cpu, __cpu_down_maps_locked, &work); + } + + static int cpu_down(unsigned int cpu, enum cpuhp_state target) diff --git a/queue-6.1/igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch b/queue-6.1/igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch new file mode 100644 index 00000000000..7f92a7328bb --- /dev/null +++ b/queue-6.1/igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch @@ -0,0 +1,52 @@ +From bb5ed01cd2428cd25b1c88a3a9cba87055eb289f Mon Sep 17 00:00:00 2001 +From: Radoslaw Tyl +Date: Thu, 24 Aug 2023 13:46:19 -0700 +Subject: igb: set max size RX buffer when store bad packet is enabled + +From: Radoslaw Tyl + +commit bb5ed01cd2428cd25b1c88a3a9cba87055eb289f upstream. + +Increase the RX buffer size to 3K when the SBP bit is on. The size of +the RX buffer determines the number of pages allocated which may not +be sufficient for receive frames larger than the set MTU size. + +Cc: stable@vger.kernel.org +Fixes: 89eaefb61dc9 ("igb: Support RX-ALL feature flag.") +Reported-by: Manfred Rudigier +Signed-off-by: Radoslaw Tyl +Tested-by: Arpana Arland (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igb/igb_main.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -4758,6 +4758,10 @@ void igb_configure_rx_ring(struct igb_ad + static void igb_set_rx_buffer_len(struct igb_adapter *adapter, + struct igb_ring *rx_ring) + { ++#if (PAGE_SIZE < 8192) ++ struct e1000_hw *hw = &adapter->hw; ++#endif ++ + /* set build_skb and buffer size flags */ + clear_ring_build_skb_enabled(rx_ring); + clear_ring_uses_large_buffer(rx_ring); +@@ -4768,10 +4772,9 @@ static void igb_set_rx_buffer_len(struct + set_ring_build_skb_enabled(rx_ring); + + #if (PAGE_SIZE < 8192) +- if (adapter->max_frame_size <= IGB_MAX_FRAME_BUILD_SKB) +- return; +- +- set_ring_uses_large_buffer(rx_ring); ++ if (adapter->max_frame_size > IGB_MAX_FRAME_BUILD_SKB || ++ rd32(E1000_RCTL) & E1000_RCTL_SBP) ++ set_ring_uses_large_buffer(rx_ring); + #endif + } + diff --git a/queue-6.1/ipmi_si-fix-a-memleak-in-try_smi_init.patch b/queue-6.1/ipmi_si-fix-a-memleak-in-try_smi_init.patch new file mode 100644 index 00000000000..987732d7d3d --- /dev/null +++ b/queue-6.1/ipmi_si-fix-a-memleak-in-try_smi_init.patch @@ -0,0 +1,60 @@ +From 6cf1a126de2992b4efe1c3c4d398f8de4aed6e3f Mon Sep 17 00:00:00 2001 +From: Yi Yang +Date: Thu, 29 Jun 2023 20:33:28 +0800 +Subject: ipmi_si: fix a memleak in try_smi_init() + +From: Yi Yang + +commit 6cf1a126de2992b4efe1c3c4d398f8de4aed6e3f upstream. + +Kmemleak reported the following leak info in try_smi_init(): + +unreferenced object 0xffff00018ecf9400 (size 1024): + comm "modprobe", pid 2707763, jiffies 4300851415 (age 773.308s) + backtrace: + [<000000004ca5b312>] __kmalloc+0x4b8/0x7b0 + [<00000000953b1072>] try_smi_init+0x148/0x5dc [ipmi_si] + [<000000006460d325>] 0xffff800081b10148 + [<0000000039206ea5>] do_one_initcall+0x64/0x2a4 + [<00000000601399ce>] do_init_module+0x50/0x300 + [<000000003c12ba3c>] load_module+0x7a8/0x9e0 + [<00000000c246fffe>] __se_sys_init_module+0x104/0x180 + [<00000000eea99093>] __arm64_sys_init_module+0x24/0x30 + [<0000000021b1ef87>] el0_svc_common.constprop.0+0x94/0x250 + [<0000000070f4f8b7>] do_el0_svc+0x48/0xe0 + [<000000005a05337f>] el0_svc+0x24/0x3c + [<000000005eb248d6>] el0_sync_handler+0x160/0x164 + [<0000000030a59039>] el0_sync+0x160/0x180 + +The problem was that when an error occurred before handlers registration +and after allocating `new_smi->si_sm`, the variable wouldn't be freed in +the error handling afterwards since `shutdown_smi()` hadn't been +registered yet. Fix it by adding a `kfree()` in the error handling path +in `try_smi_init()`. + +Cc: stable@vger.kernel.org # 4.19+ +Fixes: 7960f18a5647 ("ipmi_si: Convert over to a shutdown handler") +Signed-off-by: Yi Yang +Co-developed-by: GONG, Ruiqi +Signed-off-by: GONG, Ruiqi +Message-Id: <20230629123328.2402075-1-gongruiqi@huaweicloud.com> +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_si_intf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -2082,6 +2082,11 @@ static int try_smi_init(struct smi_info + new_smi->io.io_cleanup = NULL; + } + ++ if (rv && new_smi->si_sm) { ++ kfree(new_smi->si_sm); ++ new_smi->si_sm = NULL; ++ } ++ + return rv; + } + diff --git a/queue-6.1/media-i2c-add-a-camera-sensor-top-level-menu.patch b/queue-6.1/media-i2c-add-a-camera-sensor-top-level-menu.patch new file mode 100644 index 00000000000..9c78c759e06 --- /dev/null +++ b/queue-6.1/media-i2c-add-a-camera-sensor-top-level-menu.patch @@ -0,0 +1,60 @@ +From 7d3c7d2a2914e10bec3b9cdacdadb8e1f65f715a Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Thu, 15 Jun 2023 10:29:07 +0200 +Subject: media: i2c: Add a camera sensor top level menu + +From: Sakari Ailus + +commit 7d3c7d2a2914e10bec3b9cdacdadb8e1f65f715a upstream. + +Select V4L2_FWNODE and VIDEO_V4L2_SUBDEV_API for all sensor drivers. This +also adds the options to drivers that don't specifically need them, these +are still seldom used drivers using old APIs. The upside is that these +should now all compile --- many drivers have had missing dependencies. + +The "menu" is replaced by selectable "menuconfig" to select the needed +V4L2_FWNODE and VIDEO_V4L2_SUBDEV_API options. + +Also select MEDIA_CONTROLLER which VIDEO_V4L2_SUBDEV_API effectively +depends on, and add the I2C dependency to the menu. + +Reported-by: Hans de Goede +Signed-off-by: Sakari Ailus +Reviewed-by: Hans de Goede +Reviewed-by: Laurent Pinchart +Cc: stable@vger.kernel.org # for >= 6.1 +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/Kconfig | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/media/i2c/Kconfig ++++ b/drivers/media/i2c/Kconfig +@@ -25,8 +25,15 @@ config VIDEO_IR_I2C + # V4L2 I2C drivers that are related with Camera support + # + +-menu "Camera sensor devices" +- visible if MEDIA_CAMERA_SUPPORT ++menuconfig VIDEO_CAMERA_SENSOR ++ bool "Camera sensor devices" ++ depends on MEDIA_CAMERA_SUPPORT && I2C ++ select MEDIA_CONTROLLER ++ select V4L2_FWNODE ++ select VIDEO_V4L2_SUBDEV_API ++ default y ++ ++if VIDEO_CAMERA_SENSOR + + config VIDEO_APTINA_PLL + tristate +@@ -783,7 +790,7 @@ source "drivers/media/i2c/ccs/Kconfig" + source "drivers/media/i2c/et8ek8/Kconfig" + source "drivers/media/i2c/m5mols/Kconfig" + +-endmenu ++endif + + menu "Lens drivers" + visible if MEDIA_CAMERA_SUPPORT diff --git a/queue-6.1/media-i2c-ccs-check-rules-is-non-null.patch b/queue-6.1/media-i2c-ccs-check-rules-is-non-null.patch new file mode 100644 index 00000000000..29331126349 --- /dev/null +++ b/queue-6.1/media-i2c-ccs-check-rules-is-non-null.patch @@ -0,0 +1,146 @@ +From 607bcc4213d998d051541d8f10b5bbb7d546c0be Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Sat, 29 Jul 2023 20:59:25 +0200 +Subject: media: i2c: ccs: Check rules is non-NULL + +From: Sakari Ailus + +commit 607bcc4213d998d051541d8f10b5bbb7d546c0be upstream. + +Fix the following smatch warning: + +drivers/media/i2c/ccs/ccs-data.c:524 ccs_data_parse_rules() warn: address +of NULL pointer 'rules' + +The CCS static data rule parser does not check an if rule has been +obtained before checking for other rule types (which depend on the if +rule). In practice this means parsing invalid CCS static data could lead +to dereferencing a NULL pointer. + +Reported-by: Hans Verkuil +Fixes: a6b396f410b1 ("media: ccs: Add CCS static data parser library") +Cc: stable@vger.kernel.org # for 5.11 and up +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ccs/ccs-data.c | 101 +++++++++++++++++++++------------------ + 1 file changed, 56 insertions(+), 45 deletions(-) + +--- a/drivers/media/i2c/ccs/ccs-data.c ++++ b/drivers/media/i2c/ccs/ccs-data.c +@@ -464,8 +464,7 @@ static int ccs_data_parse_rules(struct b + rule_payload = __rule_type + 1; + rule_plen2 = rule_plen - sizeof(*__rule_type); + +- switch (*__rule_type) { +- case CCS_DATA_BLOCK_RULE_ID_IF: { ++ if (*__rule_type == CCS_DATA_BLOCK_RULE_ID_IF) { + const struct __ccs_data_block_rule_if *__if_rules = + rule_payload; + const size_t __num_if_rules = +@@ -514,49 +513,61 @@ static int ccs_data_parse_rules(struct b + rules->if_rules = if_rule; + rules->num_if_rules = __num_if_rules; + } +- break; +- } +- case CCS_DATA_BLOCK_RULE_ID_READ_ONLY_REGS: +- rval = ccs_data_parse_reg_rules(bin, &rules->read_only_regs, +- &rules->num_read_only_regs, +- rule_payload, +- rule_payload + rule_plen2, +- dev); +- if (rval) +- return rval; +- break; +- case CCS_DATA_BLOCK_RULE_ID_FFD: +- rval = ccs_data_parse_ffd(bin, &rules->frame_format, +- rule_payload, +- rule_payload + rule_plen2, +- dev); +- if (rval) +- return rval; +- break; +- case CCS_DATA_BLOCK_RULE_ID_MSR: +- rval = ccs_data_parse_reg_rules(bin, +- &rules->manufacturer_regs, +- &rules->num_manufacturer_regs, +- rule_payload, +- rule_payload + rule_plen2, +- dev); +- if (rval) +- return rval; +- break; +- case CCS_DATA_BLOCK_RULE_ID_PDAF_READOUT: +- rval = ccs_data_parse_pdaf_readout(bin, +- &rules->pdaf_readout, +- rule_payload, +- rule_payload + rule_plen2, +- dev); +- if (rval) +- return rval; +- break; +- default: +- dev_dbg(dev, +- "Don't know how to handle rule type %u!\n", +- *__rule_type); +- return -EINVAL; ++ } else { ++ /* Check there was an if rule before any other rules */ ++ if (bin->base && !rules) ++ return -EINVAL; ++ ++ switch (*__rule_type) { ++ case CCS_DATA_BLOCK_RULE_ID_READ_ONLY_REGS: ++ rval = ccs_data_parse_reg_rules(bin, ++ rules ? ++ &rules->read_only_regs : NULL, ++ rules ? ++ &rules->num_read_only_regs : NULL, ++ rule_payload, ++ rule_payload + rule_plen2, ++ dev); ++ if (rval) ++ return rval; ++ break; ++ case CCS_DATA_BLOCK_RULE_ID_FFD: ++ rval = ccs_data_parse_ffd(bin, rules ? ++ &rules->frame_format : NULL, ++ rule_payload, ++ rule_payload + rule_plen2, ++ dev); ++ if (rval) ++ return rval; ++ break; ++ case CCS_DATA_BLOCK_RULE_ID_MSR: ++ rval = ccs_data_parse_reg_rules(bin, ++ rules ? ++ &rules->manufacturer_regs : NULL, ++ rules ? ++ &rules->num_manufacturer_regs : NULL, ++ rule_payload, ++ rule_payload + rule_plen2, ++ dev); ++ if (rval) ++ return rval; ++ break; ++ case CCS_DATA_BLOCK_RULE_ID_PDAF_READOUT: ++ rval = ccs_data_parse_pdaf_readout(bin, ++ rules ? ++ &rules->pdaf_readout : NULL, ++ rule_payload, ++ rule_payload + rule_plen2, ++ dev); ++ if (rval) ++ return rval; ++ break; ++ default: ++ dev_dbg(dev, ++ "Don't know how to handle rule type %u!\n", ++ *__rule_type); ++ return -EINVAL; ++ } + } + __next_rule = __next_rule + rule_hlen + rule_plen; + } diff --git a/queue-6.1/mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch b/queue-6.1/mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch new file mode 100644 index 00000000000..6acf5d0711c --- /dev/null +++ b/queue-6.1/mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch @@ -0,0 +1,69 @@ +From 0818e739b5c061b0251c30152380600fb9b84c0c Mon Sep 17 00:00:00 2001 +From: "Joel Fernandes (Google)" +Date: Mon, 4 Sep 2023 18:08:04 +0000 +Subject: mm/vmalloc: add a safer version of find_vm_area() for debug + +From: Joel Fernandes (Google) + +commit 0818e739b5c061b0251c30152380600fb9b84c0c upstream. + +It is unsafe to dump vmalloc area information when trying to do so from +some contexts. Add a safer trylock version of the same function to do a +best-effort VMA finding and use it from vmalloc_dump_obj(). + +[applied test robot feedback on unused function fix.] +[applied Uladzislau feedback on locking.] +Link: https://lkml.kernel.org/r/20230904180806.1002832-1-joel@joelfernandes.org +Fixes: 98f180837a89 ("mm: Make mem_dump_obj() handle vmalloc() memory") +Signed-off-by: Joel Fernandes (Google) +Reviewed-by: Uladzislau Rezki (Sony) +Reported-by: Zhen Lei +Cc: Paul E. McKenney +Cc: Zqiang +Cc: +Cc: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmalloc.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -4041,14 +4041,32 @@ void pcpu_free_vm_areas(struct vm_struct + #ifdef CONFIG_PRINTK + bool vmalloc_dump_obj(void *object) + { +- struct vm_struct *vm; + void *objp = (void *)PAGE_ALIGN((unsigned long)object); ++ const void *caller; ++ struct vm_struct *vm; ++ struct vmap_area *va; ++ unsigned long addr; ++ unsigned int nr_pages; ++ ++ if (!spin_trylock(&vmap_area_lock)) ++ return false; ++ va = __find_vmap_area((unsigned long)objp, &vmap_area_root); ++ if (!va) { ++ spin_unlock(&vmap_area_lock); ++ return false; ++ } + +- vm = find_vm_area(objp); +- if (!vm) ++ vm = va->vm; ++ if (!vm) { ++ spin_unlock(&vmap_area_lock); + return false; ++ } ++ addr = (unsigned long)vm->addr; ++ caller = vm->caller; ++ nr_pages = vm->nr_pages; ++ spin_unlock(&vmap_area_lock); + pr_cont(" %u-page vmalloc region starting at %#lx allocated at %pS\n", +- vm->nr_pages, (unsigned long)vm->addr, vm->caller); ++ nr_pages, addr, caller); + return true; + } + #endif diff --git a/queue-6.1/multi-gen-lru-fix-per-zone-reclaim.patch b/queue-6.1/multi-gen-lru-fix-per-zone-reclaim.patch new file mode 100644 index 00000000000..b2778fed9d0 --- /dev/null +++ b/queue-6.1/multi-gen-lru-fix-per-zone-reclaim.patch @@ -0,0 +1,154 @@ +From 669281ee7ef731fb5204df9d948669bf32a5e68d Mon Sep 17 00:00:00 2001 +From: Kalesh Singh +Date: Tue, 1 Aug 2023 19:56:02 -0700 +Subject: Multi-gen LRU: fix per-zone reclaim + +From: Kalesh Singh + +commit 669281ee7ef731fb5204df9d948669bf32a5e68d upstream. + +MGLRU has a LRU list for each zone for each type (anon/file) in each +generation: + + long nr_pages[MAX_NR_GENS][ANON_AND_FILE][MAX_NR_ZONES]; + +The min_seq (oldest generation) can progress independently for each +type but the max_seq (youngest generation) is shared for both anon and +file. This is to maintain a common frame of reference. + +In order for eviction to advance the min_seq of a type, all the per-zone +lists in the oldest generation of that type must be empty. + +The eviction logic only considers pages from eligible zones for +eviction or promotion. + + scan_folios() { + ... + for (zone = sc->reclaim_idx; zone >= 0; zone--) { + ... + sort_folio(); // Promote + ... + isolate_folio(); // Evict + } + ... + } + +Consider the system has the movable zone configured and default 4 +generations. The current state of the system is as shown below +(only illustrating one type for simplicity): + +Type: ANON + + Zone DMA32 Normal Movable Device + + Gen 0 0 0 4GB 0 + + Gen 1 0 1GB 1MB 0 + + Gen 2 1MB 4GB 1MB 0 + + Gen 3 1MB 1MB 1MB 0 + +Now consider there is a GFP_KERNEL allocation request (eligible zone +index <= Normal), evict_folios() will return without doing any work +since there are no pages to scan in the eligible zones of the oldest +generation. Reclaim won't make progress until triggered from a ZONE_MOVABLE +allocation request; which may not happen soon if there is a lot of free +memory in the movable zone. This can lead to OOM kills, although there +is 1GB pages in the Normal zone of Gen 1 that we have not yet tried to +reclaim. + +This issue is not seen in the conventional active/inactive LRU since +there are no per-zone lists. + +If there are no (not enough) folios to scan in the eligible zones, move +folios from ineligible zone (zone_index > reclaim_index) to the next +generation. This allows for the progression of min_seq and reclaiming +from the next generation (Gen 1). + +Qualcomm, Mediatek and raspberrypi [1] discovered this issue independently. + +[1] https://github.com/raspberrypi/linux/issues/5395 + +Link: https://lkml.kernel.org/r/20230802025606.346758-1-kaleshsingh@google.com +Fixes: ac35a4902374 ("mm: multi-gen LRU: minimal implementation") +Signed-off-by: Kalesh Singh +Reported-by: Charan Teja Kalla +Reported-by: Lecopzer Chen +Tested-by: AngeloGioacchino Del Regno [mediatek] +Tested-by: Charan Teja Kalla +Cc: Yu Zhao +Cc: Barry Song +Cc: Brian Geffon +Cc: Jan Alexander Steffens (heftig) +Cc: Matthias Brugger +Cc: Oleksandr Natalenko +Cc: Qi Zheng +Cc: Steven Barrett +Cc: Suleiman Souhlal +Cc: Suren Baghdasaryan +Cc: Aneesh Kumar K V +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmscan.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -4728,7 +4728,8 @@ void lru_gen_look_around(struct page_vma + * the eviction + ******************************************************************************/ + +-static bool sort_folio(struct lruvec *lruvec, struct folio *folio, int tier_idx) ++static bool sort_folio(struct lruvec *lruvec, struct folio *folio, struct scan_control *sc, ++ int tier_idx) + { + bool success; + int gen = folio_lru_gen(folio); +@@ -4779,6 +4780,13 @@ static bool sort_folio(struct lruvec *lr + return true; + } + ++ /* ineligible */ ++ if (zone > sc->reclaim_idx) { ++ gen = folio_inc_gen(lruvec, folio, false); ++ list_move_tail(&folio->lru, &lrugen->folios[gen][type][zone]); ++ return true; ++ } ++ + /* waiting for writeback */ + if (folio_test_locked(folio) || folio_test_writeback(folio) || + (type == LRU_GEN_FILE && folio_test_dirty(folio))) { +@@ -4831,7 +4839,8 @@ static bool isolate_folio(struct lruvec + static int scan_folios(struct lruvec *lruvec, struct scan_control *sc, + int type, int tier, struct list_head *list) + { +- int gen, zone; ++ int i; ++ int gen; + enum vm_event_item item; + int sorted = 0; + int scanned = 0; +@@ -4847,9 +4856,10 @@ static int scan_folios(struct lruvec *lr + + gen = lru_gen_from_seq(lrugen->min_seq[type]); + +- for (zone = sc->reclaim_idx; zone >= 0; zone--) { ++ for (i = MAX_NR_ZONES; i > 0; i--) { + LIST_HEAD(moved); + int skipped = 0; ++ int zone = (sc->reclaim_idx + i) % MAX_NR_ZONES; + struct list_head *head = &lrugen->lists[gen][type][zone]; + + while (!list_empty(head)) { +@@ -4863,7 +4873,7 @@ static int scan_folios(struct lruvec *lr + + scanned += delta; + +- if (sort_folio(lruvec, folio, tier)) ++ if (sort_folio(lruvec, folio, sc, tier)) + sorted += delta; + else if (isolate_folio(lruvec, folio, sc)) { + list_add(&folio->lru, list); diff --git a/queue-6.1/netfilter-nft_exthdr-fix-non-linear-header-modification.patch b/queue-6.1/netfilter-nft_exthdr-fix-non-linear-header-modification.patch new file mode 100644 index 00000000000..fcd163f9754 --- /dev/null +++ b/queue-6.1/netfilter-nft_exthdr-fix-non-linear-header-modification.patch @@ -0,0 +1,66 @@ +From 28427f368f0e08d504ed06e74bc7cc79d6d06511 Mon Sep 17 00:00:00 2001 +From: Xiao Liang +Date: Fri, 25 Aug 2023 13:33:27 +0800 +Subject: netfilter: nft_exthdr: Fix non-linear header modification + +From: Xiao Liang + +commit 28427f368f0e08d504ed06e74bc7cc79d6d06511 upstream. + +Fix skb_ensure_writable() size. Don't use nft_tcp_header_pointer() to +make it explicit that pointers point to the packet (not local buffer). + +Fixes: 99d1712bc41c ("netfilter: exthdr: tcp option set support") +Fixes: 7890cbea66e7 ("netfilter: exthdr: add support for tcp option removal") +Cc: stable@vger.kernel.org +Signed-off-by: Xiao Liang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_exthdr.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +--- a/net/netfilter/nft_exthdr.c ++++ b/net/netfilter/nft_exthdr.c +@@ -238,7 +238,12 @@ static void nft_exthdr_tcp_set_eval(cons + if (!tcph) + goto err; + ++ if (skb_ensure_writable(pkt->skb, nft_thoff(pkt) + tcphdr_len)) ++ goto err; ++ ++ tcph = (struct tcphdr *)(pkt->skb->data + nft_thoff(pkt)); + opt = (u8 *)tcph; ++ + for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) { + union { + __be16 v16; +@@ -253,15 +258,6 @@ static void nft_exthdr_tcp_set_eval(cons + if (i + optl > tcphdr_len || priv->len + priv->offset > optl) + goto err; + +- if (skb_ensure_writable(pkt->skb, +- nft_thoff(pkt) + i + priv->len)) +- goto err; +- +- tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, +- &tcphdr_len); +- if (!tcph) +- goto err; +- + offset = i + priv->offset; + + switch (priv->len) { +@@ -325,9 +321,9 @@ static void nft_exthdr_tcp_strip_eval(co + if (skb_ensure_writable(pkt->skb, nft_thoff(pkt) + tcphdr_len)) + goto drop; + +- opt = (u8 *)nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len); +- if (!opt) +- goto err; ++ tcph = (struct tcphdr *)(pkt->skb->data + nft_thoff(pkt)); ++ opt = (u8 *)tcph; ++ + for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) { + unsigned int j; + diff --git a/queue-6.1/netfilter-xt_sctp-validate-the-flag_info-count.patch b/queue-6.1/netfilter-xt_sctp-validate-the-flag_info-count.patch new file mode 100644 index 00000000000..0c16583671a --- /dev/null +++ b/queue-6.1/netfilter-xt_sctp-validate-the-flag_info-count.patch @@ -0,0 +1,36 @@ +From e99476497687ef9e850748fe6d232264f30bc8f9 Mon Sep 17 00:00:00 2001 +From: Wander Lairson Costa +Date: Mon, 28 Aug 2023 19:12:55 -0300 +Subject: netfilter: xt_sctp: validate the flag_info count + +From: Wander Lairson Costa + +commit e99476497687ef9e850748fe6d232264f30bc8f9 upstream. + +sctp_mt_check doesn't validate the flag_count field. An attacker can +take advantage of that to trigger a OOB read and leak memory +information. + +Add the field validation in the checkentry function. + +Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") +Cc: stable@vger.kernel.org +Reported-by: Lucas Leong +Signed-off-by: Wander Lairson Costa +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/xt_sctp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/netfilter/xt_sctp.c ++++ b/net/netfilter/xt_sctp.c +@@ -150,6 +150,8 @@ static int sctp_mt_check(const struct xt + { + const struct xt_sctp_info *info = par->matchinfo; + ++ if (info->flag_count > ARRAY_SIZE(info->flag_info)) ++ return -EINVAL; + if (info->flags & ~XT_SCTP_VALID_FLAGS) + return -EINVAL; + if (info->invflags & ~XT_SCTP_VALID_FLAGS) diff --git a/queue-6.1/netfilter-xt_u32-validate-user-space-input.patch b/queue-6.1/netfilter-xt_u32-validate-user-space-input.patch new file mode 100644 index 00000000000..e8a50eb0a2e --- /dev/null +++ b/queue-6.1/netfilter-xt_u32-validate-user-space-input.patch @@ -0,0 +1,61 @@ +From 69c5d284f67089b4750d28ff6ac6f52ec224b330 Mon Sep 17 00:00:00 2001 +From: Wander Lairson Costa +Date: Mon, 28 Aug 2023 10:21:07 -0300 +Subject: netfilter: xt_u32: validate user space input + +From: Wander Lairson Costa + +commit 69c5d284f67089b4750d28ff6ac6f52ec224b330 upstream. + +The xt_u32 module doesn't validate the fields in the xt_u32 structure. +An attacker may take advantage of this to trigger an OOB read by setting +the size fields with a value beyond the arrays boundaries. + +Add a checkentry function to validate the structure. + +This was originally reported by the ZDI project (ZDI-CAN-18408). + +Fixes: 1b50b8a371e9 ("[NETFILTER]: Add u32 match") +Cc: stable@vger.kernel.org +Signed-off-by: Wander Lairson Costa +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/xt_u32.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/net/netfilter/xt_u32.c ++++ b/net/netfilter/xt_u32.c +@@ -96,11 +96,32 @@ static bool u32_mt(const struct sk_buff + return ret ^ data->invert; + } + ++static int u32_mt_checkentry(const struct xt_mtchk_param *par) ++{ ++ const struct xt_u32 *data = par->matchinfo; ++ const struct xt_u32_test *ct; ++ unsigned int i; ++ ++ if (data->ntests > ARRAY_SIZE(data->tests)) ++ return -EINVAL; ++ ++ for (i = 0; i < data->ntests; ++i) { ++ ct = &data->tests[i]; ++ ++ if (ct->nnums > ARRAY_SIZE(ct->location) || ++ ct->nvalues > ARRAY_SIZE(ct->value)) ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static struct xt_match xt_u32_mt_reg __read_mostly = { + .name = "u32", + .revision = 0, + .family = NFPROTO_UNSPEC, + .match = u32_mt, ++ .checkentry = u32_mt_checkentry, + .matchsize = sizeof(struct xt_u32), + .me = THIS_MODULE, + }; diff --git a/queue-6.1/pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch b/queue-6.1/pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch new file mode 100644 index 00000000000..3db49779b53 --- /dev/null +++ b/queue-6.1/pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch @@ -0,0 +1,55 @@ +From cdb50033dd6dfcf02ae3d4ee56bc1a9555be6d36 Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Mon, 3 Jul 2023 10:58:45 +0200 +Subject: PCI: rockchip: Use 64-bit mask on MSI 64-bit PCI address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rick Wertenbroek + +commit cdb50033dd6dfcf02ae3d4ee56bc1a9555be6d36 upstream. + +A 32-bit mask was used on the 64-bit PCI address used for mapping MSIs. +This would result in the upper 32 bits being unintentionally zeroed and +MSIs getting mapped to incorrect PCI addresses if the address had any +of the upper bits set. + +Replace 32-bit mask by appropriate 64-bit mask. + +[kwilczynski: use GENMASK_ULL() over GENMASK() for 32-bit compatibility] +Fixes: dc73ed0f1b8b ("PCI: rockchip: Fix window mapping and address translation for endpoint") +Closes: https://lore.kernel.org/linux-pci/8d19e5b7-8fa0-44a4-90e2-9bb06f5eb694@moroto.mountain +Link: https://lore.kernel.org/linux-pci/20230703085845.2052008-1-rick.wertenbroek@gmail.com +Reported-by: Dan Carpenter +Signed-off-by: Rick Wertenbroek +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip.h ++++ b/drivers/pci/controller/pcie-rockchip.h +@@ -158,7 +158,9 @@ + #define PCIE_RC_CONFIG_THP_CAP (PCIE_RC_CONFIG_BASE + 0x274) + #define PCIE_RC_CONFIG_THP_CAP_NEXT_MASK GENMASK(31, 20) + +-#define PCIE_ADDR_MASK 0xffffff00 ++#define MAX_AXI_IB_ROOTPORT_REGION_NUM 3 ++#define MIN_AXI_ADDR_BITS_PASSED 8 ++#define PCIE_ADDR_MASK GENMASK_ULL(63, MIN_AXI_ADDR_BITS_PASSED) + #define PCIE_CORE_AXI_CONF_BASE 0xc00000 + #define PCIE_CORE_OB_REGION_ADDR0 (PCIE_CORE_AXI_CONF_BASE + 0x0) + #define PCIE_CORE_OB_REGION_ADDR0_NUM_BITS 0x3f +@@ -185,8 +187,6 @@ + #define AXI_WRAPPER_TYPE1_CFG 0xb + #define AXI_WRAPPER_NOR_MSG 0xc + +-#define MAX_AXI_IB_ROOTPORT_REGION_NUM 3 +-#define MIN_AXI_ADDR_BITS_PASSED 8 + #define PCIE_RC_SEND_PME_OFF 0x11960 + #define ROCKCHIP_VENDOR_ID 0x1d87 + #define PCIE_LINK_IS_L2(x) \ diff --git a/queue-6.1/pm-devfreq-fix-leak-in-devfreq_dev_release.patch b/queue-6.1/pm-devfreq-fix-leak-in-devfreq_dev_release.patch new file mode 100644 index 00000000000..8d9f9aa9bcc --- /dev/null +++ b/queue-6.1/pm-devfreq-fix-leak-in-devfreq_dev_release.patch @@ -0,0 +1,34 @@ +From 5693d077595de721f9ddbf9d37f40e5409707dfe Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Wed, 9 Aug 2023 13:31:08 +0200 +Subject: PM / devfreq: Fix leak in devfreq_dev_release() + +From: Boris Brezillon + +commit 5693d077595de721f9ddbf9d37f40e5409707dfe upstream. + +srcu_init_notifier_head() allocates resources that need to be released +with a srcu_cleanup_notifier_head() call. + +Reported by kmemleak. + +Fixes: 0fe3a66410a3 ("PM / devfreq: Add new DEVFREQ_TRANSITION_NOTIFIER notifier") +Cc: +Signed-off-by: Boris Brezillon +Reviewed-by: Dhruva Gole +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/devfreq/devfreq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -763,6 +763,7 @@ static void devfreq_dev_release(struct d + dev_pm_opp_put_opp_table(devfreq->opp_table); + + mutex_destroy(&devfreq->lock); ++ srcu_cleanup_notifier_head(&devfreq->transition_notifier_list); + kfree(devfreq); + } + diff --git a/queue-6.1/printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch b/queue-6.1/printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch new file mode 100644 index 00000000000..3999dd7ddeb --- /dev/null +++ b/queue-6.1/printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch @@ -0,0 +1,49 @@ +From 53e9e33ede37a247d926db5e4a9e56b55204e66c Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 10 Aug 2023 22:45:32 -0700 +Subject: printk: ringbuffer: Fix truncating buffer size min_t cast + +From: Kees Cook + +commit 53e9e33ede37a247d926db5e4a9e56b55204e66c upstream. + +If an output buffer size exceeded U16_MAX, the min_t(u16, ...) cast in +copy_data() was causing writes to truncate. This manifested as output +bytes being skipped, seen as %NUL bytes in pstore dumps when the available +record size was larger than 65536. Fix the cast to no longer truncate +the calculation. + +Cc: Petr Mladek +Cc: Sergey Senozhatsky +Cc: Steven Rostedt +Cc: John Ogness +Reported-by: Vijay Balakrishna +Link: https://lore.kernel.org/lkml/d8bb1ec7-a4c5-43a2-9de0-9643a70b899f@linux.microsoft.com/ +Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Tested-by: Vijay Balakrishna +Tested-by: Guilherme G. Piccoli # Steam Deck +Reviewed-by: Tyler Hicks (Microsoft) +Tested-by: Tyler Hicks (Microsoft) +Reviewed-by: John Ogness +Reviewed-by: Sergey Senozhatsky +Reviewed-by: Petr Mladek +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20230811054528.never.165-kees@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/printk/printk_ringbuffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/printk/printk_ringbuffer.c ++++ b/kernel/printk/printk_ringbuffer.c +@@ -1735,7 +1735,7 @@ static bool copy_data(struct prb_data_ri + if (!buf || !buf_size) + return true; + +- data_size = min_t(u16, buf_size, len); ++ data_size = min_t(unsigned int, buf_size, len); + + memcpy(&buf[0], data, data_size); /* LMM(copy_data:A) */ + return true; diff --git a/queue-6.1/rcu-dump-vmalloc-memory-info-safely.patch b/queue-6.1/rcu-dump-vmalloc-memory-info-safely.patch new file mode 100644 index 00000000000..4ceabfcefe2 --- /dev/null +++ b/queue-6.1/rcu-dump-vmalloc-memory-info-safely.patch @@ -0,0 +1,95 @@ +From c83ad36a18c02c0f51280b50272327807916987f Mon Sep 17 00:00:00 2001 +From: Zqiang +Date: Mon, 4 Sep 2023 18:08:05 +0000 +Subject: rcu: dump vmalloc memory info safely + +From: Zqiang + +commit c83ad36a18c02c0f51280b50272327807916987f upstream. + +Currently, for double invoke call_rcu(), will dump rcu_head objects memory +info, if the objects is not allocated from the slab allocator, the +vmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to +be held, since the call_rcu() can be invoked in interrupt context, +therefore, there is a possibility of spinlock deadlock scenarios. + +And in Preempt-RT kernel, the rcutorture test also trigger the following +lockdep warning: + +BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 +in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0 +preempt_count: 1, expected: 0 +RCU nest depth: 1, expected: 1 +3 locks held by swapper/0/1: + #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0 + #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370 + #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70 +irq event stamp: 565512 +hardirqs last enabled at (565511): [] __call_rcu_common+0x218/0x940 +hardirqs last disabled at (565512): [] rcu_torture_init+0x20b2/0x2370 +softirqs last enabled at (399112): [] __local_bh_enable_ip+0x126/0x170 +softirqs last disabled at (399106): [] inet_register_protosw+0x9/0x1d0 +Preemption disabled at: +[] rcu_torture_init+0x1f13/0x2370 +CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 +Call Trace: + + dump_stack_lvl+0x68/0xb0 + dump_stack+0x14/0x20 + __might_resched+0x1aa/0x280 + ? __pfx_rcu_torture_err_cb+0x10/0x10 + rt_spin_lock+0x53/0x130 + ? find_vmap_area+0x1f/0x70 + find_vmap_area+0x1f/0x70 + vmalloc_dump_obj+0x20/0x60 + mem_dump_obj+0x22/0x90 + __call_rcu_common+0x5bf/0x940 + ? debug_smp_processor_id+0x1b/0x30 + call_rcu_hurry+0x14/0x20 + rcu_torture_init+0x1f82/0x2370 + ? __pfx_rcu_torture_leak_cb+0x10/0x10 + ? __pfx_rcu_torture_leak_cb+0x10/0x10 + ? __pfx_rcu_torture_init+0x10/0x10 + do_one_initcall+0x6c/0x300 + ? debug_smp_processor_id+0x1b/0x30 + kernel_init_freeable+0x2b9/0x540 + ? __pfx_kernel_init+0x10/0x10 + kernel_init+0x1f/0x150 + ret_from_fork+0x40/0x50 + ? __pfx_kernel_init+0x10/0x10 + ret_from_fork_asm+0x1b/0x30 + + +The previous patch fixes this by using the deadlock-safe best-effort +version of find_vm_area. However, in case of failure print the fact that +the pointer was a vmalloc pointer so that we print at least something. + +Link: https://lkml.kernel.org/r/20230904180806.1002832-2-joel@joelfernandes.org +Fixes: 98f180837a89 ("mm: Make mem_dump_obj() handle vmalloc() memory") +Signed-off-by: Zqiang +Signed-off-by: Joel Fernandes (Google) +Reported-by: Zhen Lei +Reviewed-by: Matthew Wilcox (Oracle) +Cc: Paul E. McKenney +Cc: Uladzislau Rezki (Sony) +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/util.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/util.c ++++ b/mm/util.c +@@ -1127,7 +1127,9 @@ void mem_dump_obj(void *object) + if (vmalloc_dump_obj(object)) + return; + +- if (virt_addr_valid(object)) ++ if (is_vmalloc_addr(object)) ++ type = "vmalloc memory"; ++ else if (virt_addr_valid(object)) + type = "non-slab/vmalloc memory"; + else if (object == NULL) + type = "NULL pointer"; diff --git a/queue-6.1/scsi-core-fix-the-scsi_set_resid-documentation.patch b/queue-6.1/scsi-core-fix-the-scsi_set_resid-documentation.patch new file mode 100644 index 00000000000..13dbab57056 --- /dev/null +++ b/queue-6.1/scsi-core-fix-the-scsi_set_resid-documentation.patch @@ -0,0 +1,42 @@ +From f669b8a683e4ee26fa5cafe19d71cec1786b556a Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Fri, 21 Jul 2023 09:01:32 -0700 +Subject: scsi: core: Fix the scsi_set_resid() documentation + +From: Bart Van Assche + +commit f669b8a683e4ee26fa5cafe19d71cec1786b556a upstream. + +Because scsi_finish_command() subtracts the residual from the buffer +length, residual overflows must not be reported. Reflect this in the SCSI +documentation. See also commit 9237f04e12cc ("scsi: core: Fix +scsi_get/set_resid() interface") + +Cc: Damien Le Moal +Cc: Hannes Reinecke +Cc: Douglas Gilbert +Cc: stable@vger.kernel.org +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20230721160154.874010-2-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/scsi/scsi_mid_low_api.rst | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/Documentation/scsi/scsi_mid_low_api.rst ++++ b/Documentation/scsi/scsi_mid_low_api.rst +@@ -1190,11 +1190,11 @@ Members of interest: + - pointer to scsi_device object that this command is + associated with. + resid +- - an LLD should set this signed integer to the requested ++ - an LLD should set this unsigned integer to the requested + transfer length (i.e. 'request_bufflen') less the number + of bytes that are actually transferred. 'resid' is + preset to 0 so an LLD can ignore it if it cannot detect +- underruns (overruns should be rare). If possible an LLD ++ underruns (overruns should not be reported). An LLD + should set 'resid' prior to invoking 'done'. The most + interesting case is data transfers from a SCSI target + device (e.g. READs) that underrun. diff --git a/queue-6.1/series b/queue-6.1/series index 3ddfdd63460..3fadfd37d2b 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -516,3 +516,22 @@ cpufreq-fix-the-race-condition-while-updating-the-tr.patch virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch igmp-limit-igmpv3_newpack-packet-size-to-ip_max_mtu.patch netfilter-ipset-add-the-missing-ip_set_hash_with_net0-macro-for-ip_set_hash_netportnet.c.patch +netfilter-nft_exthdr-fix-non-linear-header-modification.patch +netfilter-xt_u32-validate-user-space-input.patch +netfilter-xt_sctp-validate-the-flag_info-count.patch +skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch +igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch +pm-devfreq-fix-leak-in-devfreq_dev_release.patch +multi-gen-lru-fix-per-zone-reclaim.patch +alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch +arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch +rcu-dump-vmalloc-memory-info-safely.patch +printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch +scsi-core-fix-the-scsi_set_resid-documentation.patch +mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch +cpu-hotplug-prevent-self-deadlock-on-cpu-hot-unplug.patch +media-i2c-ccs-check-rules-is-non-null.patch +media-i2c-add-a-camera-sensor-top-level-menu.patch +pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch +ipmi_si-fix-a-memleak-in-try_smi_init.patch +arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch diff --git a/queue-6.1/skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch b/queue-6.1/skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch new file mode 100644 index 00000000000..7d228740ac5 --- /dev/null +++ b/queue-6.1/skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch @@ -0,0 +1,156 @@ +From 2ea35288c83b3d501a88bc17f2df8f176b5cc96f Mon Sep 17 00:00:00 2001 +From: Mohamed Khalfella +Date: Thu, 31 Aug 2023 02:17:02 -0600 +Subject: skbuff: skb_segment, Call zero copy functions before using skbuff frags + +From: Mohamed Khalfella + +commit 2ea35288c83b3d501a88bc17f2df8f176b5cc96f upstream. + +Commit bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions +once per nskb") added the call to zero copy functions in skb_segment(). +The change introduced a bug in skb_segment() because skb_orphan_frags() +may possibly change the number of fragments or allocate new fragments +altogether leaving nrfrags and frag to point to the old values. This can +cause a panic with stacktrace like the one below. + +[ 193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc +[ 193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G O 5.15.123+ #26 +[ 193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0 +[ 194.021892] Call Trace: +[ 194.027422] +[ 194.072861] tcp_gso_segment+0x107/0x540 +[ 194.082031] inet_gso_segment+0x15c/0x3d0 +[ 194.090783] skb_mac_gso_segment+0x9f/0x110 +[ 194.095016] __skb_gso_segment+0xc1/0x190 +[ 194.103131] netem_enqueue+0x290/0xb10 [sch_netem] +[ 194.107071] dev_qdisc_enqueue+0x16/0x70 +[ 194.110884] __dev_queue_xmit+0x63b/0xb30 +[ 194.121670] bond_start_xmit+0x159/0x380 [bonding] +[ 194.128506] dev_hard_start_xmit+0xc3/0x1e0 +[ 194.131787] __dev_queue_xmit+0x8a0/0xb30 +[ 194.138225] macvlan_start_xmit+0x4f/0x100 [macvlan] +[ 194.141477] dev_hard_start_xmit+0xc3/0x1e0 +[ 194.144622] sch_direct_xmit+0xe3/0x280 +[ 194.147748] __dev_queue_xmit+0x54a/0xb30 +[ 194.154131] tap_get_user+0x2a8/0x9c0 [tap] +[ 194.157358] tap_sendmsg+0x52/0x8e0 [tap] +[ 194.167049] handle_tx_zerocopy+0x14e/0x4c0 [vhost_net] +[ 194.173631] handle_tx+0xcd/0xe0 [vhost_net] +[ 194.176959] vhost_worker+0x76/0xb0 [vhost] +[ 194.183667] kthread+0x118/0x140 +[ 194.190358] ret_from_fork+0x1f/0x30 +[ 194.193670] + +In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags +local variable in skb_segment() stale. This resulted in the code hitting +i >= nrfrags prematurely and trying to move to next frag_skb using +list_skb pointer, which was NULL, and caused kernel panic. Move the call +to zero copy functions before using frags and nr_frags. + +Fixes: bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions once per nskb") +Signed-off-by: Mohamed Khalfella +Reported-by: Amit Goyal +Cc: stable@vger.kernel.org +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 34 ++++++++++++++++++++-------------- + 1 file changed, 20 insertions(+), 14 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4135,21 +4135,20 @@ struct sk_buff *skb_segment(struct sk_bu + struct sk_buff *segs = NULL; + struct sk_buff *tail = NULL; + struct sk_buff *list_skb = skb_shinfo(head_skb)->frag_list; +- skb_frag_t *frag = skb_shinfo(head_skb)->frags; + unsigned int mss = skb_shinfo(head_skb)->gso_size; + unsigned int doffset = head_skb->data - skb_mac_header(head_skb); +- struct sk_buff *frag_skb = head_skb; + unsigned int offset = doffset; + unsigned int tnl_hlen = skb_tnl_header_len(head_skb); + unsigned int partial_segs = 0; + unsigned int headroom; + unsigned int len = head_skb->len; ++ struct sk_buff *frag_skb; ++ skb_frag_t *frag; + __be16 proto; + bool csum, sg; +- int nfrags = skb_shinfo(head_skb)->nr_frags; + int err = -ENOMEM; + int i = 0; +- int pos; ++ int nfrags, pos; + + if ((skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY) && + mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) { +@@ -4226,6 +4225,13 @@ normal: + headroom = skb_headroom(head_skb); + pos = skb_headlen(head_skb); + ++ if (skb_orphan_frags(head_skb, GFP_ATOMIC)) ++ return ERR_PTR(-ENOMEM); ++ ++ nfrags = skb_shinfo(head_skb)->nr_frags; ++ frag = skb_shinfo(head_skb)->frags; ++ frag_skb = head_skb; ++ + do { + struct sk_buff *nskb; + skb_frag_t *nskb_frag; +@@ -4246,6 +4252,10 @@ normal: + (skb_headlen(list_skb) == len || sg)) { + BUG_ON(skb_headlen(list_skb) > len); + ++ nskb = skb_clone(list_skb, GFP_ATOMIC); ++ if (unlikely(!nskb)) ++ goto err; ++ + i = 0; + nfrags = skb_shinfo(list_skb)->nr_frags; + frag = skb_shinfo(list_skb)->frags; +@@ -4264,12 +4274,8 @@ normal: + frag++; + } + +- nskb = skb_clone(list_skb, GFP_ATOMIC); + list_skb = list_skb->next; + +- if (unlikely(!nskb)) +- goto err; +- + if (unlikely(pskb_trim(nskb, len))) { + kfree_skb(nskb); + goto err; +@@ -4345,12 +4351,16 @@ normal: + skb_shinfo(nskb)->flags |= skb_shinfo(head_skb)->flags & + SKBFL_SHARED_FRAG; + +- if (skb_orphan_frags(frag_skb, GFP_ATOMIC) || +- skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC)) ++ if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC)) + goto err; + + while (pos < offset + len) { + if (i >= nfrags) { ++ if (skb_orphan_frags(list_skb, GFP_ATOMIC) || ++ skb_zerocopy_clone(nskb, list_skb, ++ GFP_ATOMIC)) ++ goto err; ++ + i = 0; + nfrags = skb_shinfo(list_skb)->nr_frags; + frag = skb_shinfo(list_skb)->frags; +@@ -4364,10 +4374,6 @@ normal: + i--; + frag--; + } +- if (skb_orphan_frags(frag_skb, GFP_ATOMIC) || +- skb_zerocopy_clone(nskb, frag_skb, +- GFP_ATOMIC)) +- goto err; + + list_skb = list_skb->next; + }