From: Greg Kroah-Hartman Date: Sat, 7 Oct 2023 12:36:29 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.14.327~56 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1fda076f9b395cdf7e2fe4541a2e8be41c030a43;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: arm64-add-cortex-a520-cpu-part-definition.patch btrfs-reject-unknown-mount-options-early.patch drm-amd-fix-detection-of-_pr3-on-the-pcie-root-port.patch net-prevent-rewrite-of-msg_name-in-sock_sendmsg.patch net-replace-calls-to-sock-ops-connect-with-kernel_connect.patch qed-red_ll2-fix-undefined-behavior-bug-in-struct-qed_ll2_info.patch scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch vringh-don-t-use-vringh_kiov_advance-in-vringh_iov_xfer.patch wifi-mwifiex-fix-tlv_buf_left-calculation.patch
---
diff --git a/queue-5.15/arm64-add-cortex-a520-cpu-part-definition.patch b/queue-5.15/arm64-add-cortex-a520-cpu-part-definition.patch
new file mode 100644
index 00000000000..eff7e039d09
--- /dev/null
+++ b/queue-5.15/arm64-add-cortex-a520-cpu-part-definition.patch
@@ -0,0 +1,38 @@
+From a654a69b9f9c06b2e56387d0b99f0e3e6b0ff4ef Mon Sep 17 00:00:00 2001
+From: Rob Herring
+Date: Thu, 21 Sep 2023 14:41:51 -0500
+Subject: arm64: Add Cortex-A520 CPU part definition
+
+From: Rob Herring
+
+commit a654a69b9f9c06b2e56387d0b99f0e3e6b0ff4ef upstream.
+
+Add the CPU Part number for the new Arm design.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Herring
+Link: https://lore.kernel.org/r/20230921194156.1050055-1-robh@kernel.org
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -79,6 +79,7 @@
+ #define ARM_CPU_PART_CORTEX_A78AE 0xD42
+ #define ARM_CPU_PART_CORTEX_X1 0xD44
+ #define ARM_CPU_PART_CORTEX_A510 0xD46
++#define ARM_CPU_PART_CORTEX_A520 0xD80
+ #define ARM_CPU_PART_CORTEX_A710 0xD47
+ #define ARM_CPU_PART_CORTEX_X2 0xD48
+ #define ARM_CPU_PART_NEOVERSE_N2 0xD49
+@@ -130,6 +131,7 @@
+ #define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE)
+ #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1)
+ #define MIDR_CORTEX_A510 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A510)
++#define MIDR_CORTEX_A520 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A520)
+ #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710)
+ #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2)
+ #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2)
diff --git a/queue-5.15/btrfs-reject-unknown-mount-options-early.patch b/queue-5.15/btrfs-reject-unknown-mount-options-early.patch
new file mode 100644
index 00000000000..c1c4ca93552
--- /dev/null
+++ b/queue-5.15/btrfs-reject-unknown-mount-options-early.patch
@@ -0,0 +1,55 @@
+From 5f521494cc73520ffac18ede0758883b9aedd018 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo
+Date: Wed, 27 Sep 2023 10:43:15 +0930
+Subject: btrfs: reject unknown mount options early
+
+From: Qu Wenruo
+
+commit 5f521494cc73520ffac18ede0758883b9aedd018 upstream.
+
+[BUG]
+The following script would allow invalid mount options to be specified
+(although such invalid options would just be ignored):
+
+ # mkfs.btrfs -f $dev
+ # mount $dev $mnt1 <<< Successful mount expected
+ # mount $dev $mnt2 -o junk <<< Failed mount expected
+ # echo $?
+ 0
+
+[CAUSE]
+For the 2nd mount, since the fs is already mounted, we won't go through
+open_ctree() thus no btrfs_parse_options(), but only through
+btrfs_parse_subvol_options().
+
+However we do not treat unrecognized options from valid but irrelevant
+options, thus those invalid options would just be ignored by
+btrfs_parse_subvol_options().
+
+[FIX]
+Add the handling for Opt_err to handle invalid options and error out,
+while still ignore other valid options inside btrfs_parse_subvol_options().
+
+Reported-by: Anand Jain
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/super.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1182,6 +1182,10 @@ static int btrfs_parse_subvol_options(co
+
+ *subvol_objectid = subvolid;
+ break;
++ case Opt_err:
++ btrfs_err(NULL, "unrecognized mount option '%s'", p);
++ error = -EINVAL;
++ goto out;
+ default:
+ break;
+ }
diff --git a/queue-5.15/drm-amd-fix-detection-of-_pr3-on-the-pcie-root-port.patch b/queue-5.15/drm-amd-fix-detection-of-_pr3-on-the-pcie-root-port.patch
new file mode 100644
index 00000000000..9623efce388
--- /dev/null
+++ b/queue-5.15/drm-amd-fix-detection-of-_pr3-on-the-pcie-root-port.patch
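Review bot: The new `Opt_err` arm in btrfs_parse_subvol_options() rejects a token while the `default: break;` right below it deliberately ignores every other recognised option, and nothing in the hunk records why the two are treated differently, so a later reader is likely to "tidy" one into the other. A comment on the new case would pin the intent: `/* Unknown tokens must fail here: a second mount of an already-mounted fs never reaches btrfs_parse_options(). Known but irrelevant options fall to default and are ignored. */`. The `goto out` relies on the `out:` label and the `error` return, both outside the hunk, so whether the option copy is released on this path cannot be checked from here. The function starts and ends outside the hunk.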
@@ -0,0 +1,41 @@
+From 134b8c5d8674e7cde380f82e9aedfd46dcdd16f7 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Tue, 26 Sep 2023 17:59:53 -0500
+Subject: drm/amd: Fix detection of _PR3 on the PCIe root port
+
+From: Mario Limonciello
+
+commit 134b8c5d8674e7cde380f82e9aedfd46dcdd16f7 upstream.
+
+On some systems with Navi3x dGPU will attempt to use BACO for runtime
+PM but fails to resume properly. This is because on these systems
+the root port goes into D3cold which is incompatible with BACO.
+
+This happens because in this case dGPU is connected to a bridge between
+root port which causes BOCO detection logic to fail. Fix the intent of
+the logic by looking at root port, not the immediate upstream bridge for
+_PR3.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Jun Ma
+Tested-by: David Perry
+Fixes: b10c1c5b3a4e ("drm/amdgpu: add check for ACPI power resources")
+Signed-off-by: Mario Limonciello
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2225,7 +2225,7 @@ static int amdgpu_device_ip_early_init(s
+ adev->flags |= AMD_IS_PX;
+
+ if (!(adev->flags & AMD_IS_APU)) {
+- parent = pci_upstream_bridge(adev->pdev);
++ parent = pcie_find_root_port(adev->pdev);
+ adev->has_pr3 = parent ? pci_pr3_present(parent) : false;
+ }
+
diff --git a/queue-5.15/net-prevent-rewrite-of-msg_name-in-sock_sendmsg.patch b/queue-5.15/net-prevent-rewrite-of-msg_name-in-sock_sendmsg.patch
new file mode 100644
index 00000000000..9a65690ff13
--- /dev/null
+++ b/queue-5.15/net-prevent-rewrite-of-msg_name-in-sock_sendmsg.patch
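Review bot: The switch from pci_upstream_bridge() to pcie_find_root_port() on the `parent =` line carries the whole reasoning of the commit, yet the code leaves no trace of it, so the next person comparing with drivers that check the immediate bridge will not know the root port was chosen on purpose. Suggest a comment above the assignment: `/* Query _PR3 on the root port, not the immediate upstream bridge: a bridge in between hides it, and a root port that enters D3cold is incompatible with BACO. */`. The NULL return of pcie_find_root_port() is already covered by the ternary on the following line. amdgpu_device_ip_early_init() starts and ends outside the hunk.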
@@ -0,0 +1,105 @@
+From 86a7e0b69bd5b812e48a20c66c2161744f3caa16 Mon Sep 17 00:00:00 2001
+From: Jordan Rife
+Date: Thu, 21 Sep 2023 18:46:41 -0500
+Subject: net: prevent rewrite of msg_name in sock_sendmsg()
+
+From: Jordan Rife
+
+commit 86a7e0b69bd5b812e48a20c66c2161744f3caa16 upstream.
+
+Callers of sock_sendmsg(), and similarly kernel_sendmsg(), in kernel
+space may observe their value of msg_name change in cases where BPF
+sendmsg hooks rewrite the send address. This has been confirmed to break
+NFS mounts running in UDP mode and has the potential to break other
+systems.
+
+This patch:
+
+1) Creates a new function called __sock_sendmsg() with same logic as the
+ old sock_sendmsg() function.
+2) Replaces calls to sock_sendmsg() made by __sys_sendto() and
+ __sys_sendmsg() with __sock_sendmsg() to avoid an unnecessary copy,
+ as these system calls are already protected.
+3) Modifies sock_sendmsg() so that it makes a copy of msg_name if
+ present before passing it down the stack to insulate callers from
+ changes to the send address.
+
+Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/
+Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg")
+Cc: stable@vger.kernel.org
+Reviewed-by: Willem de Bruijn
+Signed-off-by: Jordan Rife
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/socket.c | 29 +++++++++++++++++++++++------
+ 1 file changed, 23 insertions(+), 6 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -708,6 +708,14 @@ static inline int sock_sendmsg_nosec(str
+ return ret;
+ }
+
++static int __sock_sendmsg(struct socket *sock, struct msghdr *msg)
++{
++ int err = security_socket_sendmsg(sock, msg,
++ msg_data_left(msg));
++
++ return err ?: sock_sendmsg_nosec(sock, msg);
++}
++
+ /**
+ * sock_sendmsg - send a message through @sock
+ * @sock: socket
+@@ -718,10 +726,19 @@ static inline int sock_sendmsg_nosec(str
+ */
+ int sock_sendmsg(struct socket *sock, struct msghdr *msg)
+ {
+- int err = security_socket_sendmsg(sock, msg,
+- msg_data_left(msg));
++ struct sockaddr_storage *save_addr = (struct sockaddr_storage *)msg->msg_name;
++ struct sockaddr_storage address;
++ int ret;
+
+- return err ?: sock_sendmsg_nosec(sock, msg);
++ if (msg->msg_name) {
++ memcpy(&address, msg->msg_name, msg->msg_namelen);
++ msg->msg_name = &address;
++ }
++
++ ret = __sock_sendmsg(sock, msg);
++ msg->msg_name = save_addr;
++
++ return ret;
+ }
+ EXPORT_SYMBOL(sock_sendmsg);
+
+@@ -1057,7 +1074,7 @@ static ssize_t sock_write_iter(struct ki
+ if (sock->type == SOCK_SEQPACKET)
+ msg.msg_flags |= MSG_EOR;
+
+- res = sock_sendmsg(sock, &msg);
++ res = __sock_sendmsg(sock, &msg);
+ *from = msg.msg_iter;
+ return res;
+ }
+@@ -2036,7 +2053,7 @@ int __sys_sendto(int fd, void __user *bu
+ if (sock->file->f_flags & O_NONBLOCK)
+ flags |= MSG_DONTWAIT;
+ msg.msg_flags = flags;
+- err = sock_sendmsg(sock, &msg);
++ err = __sock_sendmsg(sock, &msg);
+
+ out_put:
+ fput_light(sock->file, fput_needed);
+@@ -2409,7 +2426,7 @@ static int ____sys_sendmsg(struct socket
+ err = sock_sendmsg_nosec(sock, msg_sys);
+ goto out_freectl;
+ }
+- err = sock_sendmsg(sock, msg_sys);
++ err = __sock_sendmsg(sock, msg_sys);
+ /*
+ * If this is sendmmsg() and sending to current destination address was
+ * successful, remember it.
diff --git a/queue-5.15/net-replace-calls-to-sock-ops-connect-with-kernel_connect.patch b/queue-5.15/net-replace-calls-to-sock-ops-connect-with-kernel_connect.patch
new file mode 100644
index 00000000000..69d5597d2a8
--- /dev/null
+++ b/queue-5.15/net-replace-calls-to-sock-ops-connect-with-kernel_connect.patch
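Review bot: The `memcpy(&address, msg->msg_name, msg->msg_namelen)` added to sock_sendmsg() copies a caller-supplied length into a fixed `struct sockaddr_storage` on the stack, and nothing in the hunk bounds `msg_namelen` by `sizeof(address)`; an in-kernel caller that passes an oversized msg_namelen would now overrun the stack frame where the old code only forwarded a pointer. The user-space entry points (__sys_sendto(), ____sys_sendmsg(), sock_write_iter()) were switched to __sock_sendmsg() and are unaffected, but the exported sock_sendmsg() stays reachable from any kernel user. Either reject it up front, `if (msg->msg_namelen > sizeof(address)) return -EINVAL;` before the memcpy, or at least record the invariant on the copy: `/* callers must pass msg_namelen <= sizeof(struct sockaddr_storage) */`. The new __sock_sendmsg() also lacks the kernel-doc that sock_sendmsg() keeps; a one-line comment saying it does not insulate msg_name from BPF rewrites would explain why both exist. ____sys_sendmsg() continues outside the hunk.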
@@ -0,0 +1,52 @@
+From 26297b4ce1ce4ea40bc9a48ec99f45da3f64d2e2 Mon Sep 17 00:00:00 2001
+From: Jordan Rife
+Date: Thu, 21 Sep 2023 18:46:40 -0500
+Subject: net: replace calls to sock->ops->connect() with kernel_connect()
+
+From: Jordan Rife
+
+commit 26297b4ce1ce4ea40bc9a48ec99f45da3f64d2e2 upstream.
+
+commit 0bdf399342c5 ("net: Avoid address overwrite in kernel_connect")
+ensured that kernel_connect() will not overwrite the address parameter
+in cases where BPF connect hooks perform an address rewrite. This change
+replaces direct calls to sock->ops->connect() in net with kernel_connect()
+to make these call safe.
+
+Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/
+Fixes: d74bad4e74ee ("bpf: Hooks for sys_connect")
+Cc: stable@vger.kernel.org
+Reviewed-by: Willem de Bruijn
+Signed-off-by: Jordan Rife
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/ipvs/ip_vs_sync.c | 4 ++--
+ net/rds/tcp_connect.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -1507,8 +1507,8 @@ static int make_send_sock(struct netns_i
+ }
+
+ get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->mcfg, id);
+- result = sock->ops->connect(sock, (struct sockaddr *) &mcast_addr,
+- salen, 0);
++ result = kernel_connect(sock, (struct sockaddr *)&mcast_addr,
++ salen, 0);
+ if (result < 0) {
+ pr_err("Error connecting to the multicast addr\n");
+ goto error;
+--- a/net/rds/tcp_connect.c
++++ b/net/rds/tcp_connect.c
+@@ -170,7 +170,7 @@ int rds_tcp_conn_path_connect(struct rds
+ * own the socket
+ */
+ rds_tcp_set_callbacks(sock, cp);
+- ret = sock->ops->connect(sock, addr, addrlen, O_NONBLOCK);
++ ret = kernel_connect(sock, addr, addrlen, O_NONBLOCK);
+
+ rdsdebug("connect to address %pI6c returned %d\n", &conn->c_faddr, ret);
+ if (ret == -EINPROGRESS)
diff --git a/queue-5.15/qed-red_ll2-fix-undefined-behavior-bug-in-struct-qed_ll2_info.patch b/queue-5.15/qed-red_ll2-fix-undefined-behavior-bug-in-struct-qed_ll2_info.patch
new file mode 100644
index 00000000000..df491e8713b
--- /dev/null
+++ b/queue-5.15/qed-red_ll2-fix-undefined-behavior-bug-in-struct-qed_ll2_info.patch
@@ -0,0 +1,116 @@
+From eea03d18af9c44235865a4bc9bec4d780ef6cf21 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Sat, 23 Sep 2023 19:15:59 -0600
+Subject: qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info
+
+From: Gustavo A. R. Silva
+
+commit eea03d18af9c44235865a4bc9bec4d780ef6cf21 upstream.
+
+The flexible structure (a structure that contains a flexible-array member
+at the end) `qed_ll2_tx_packet` is nested within the second layer of
+`struct qed_ll2_info`:
+
+struct qed_ll2_tx_packet {
+ ...
+ /* Flexible Array of bds_set determined by max_bds_per_packet */
+ struct {
+ struct core_tx_bd *txq_bd;
+ dma_addr_t tx_frag;
+ u16 frag_len;
+ } bds_set[];
+};
+
+struct qed_ll2_tx_queue {
+ ...
+ struct qed_ll2_tx_packet cur_completing_packet;
+};
+
+struct qed_ll2_info {
+ ...
+ struct qed_ll2_tx_queue tx_queue;
+ struct qed_ll2_cbs cbs;
+};
+
+The problem is that member `cbs` in `struct qed_ll2_info` is placed just
+after an object of type `struct qed_ll2_tx_queue`, which is in itself
+an implicit flexible structure, which by definition ends in a flexible
+array member, in this case `bds_set`. This causes an undefined behavior
+bug at run-time when dynamic memory is allocated for `bds_set`, which
+could lead to a serious issue if `cbs` in `struct qed_ll2_info` is
+overwritten by the contents of `bds_set`. Notice that the type of `cbs`
+is a structure full of function pointers (and a cookie :) ):
+
+include/linux/qed/qed_ll2_if.h:
+107 typedef
+108 void (*qed_ll2_complete_rx_packet_cb)(void *cxt,
+109 struct qed_ll2_comp_rx_data *data);
+110
+111 typedef
+112 void (*qed_ll2_release_rx_packet_cb)(void *cxt,
+113 u8 connection_handle,
+114 void *cookie,
+115 dma_addr_t rx_buf_addr,
+116 bool b_last_packet);
+117
+118 typedef
+119 void (*qed_ll2_complete_tx_packet_cb)(void *cxt,
+120 u8 connection_handle,
+121 void *cookie,
+122 dma_addr_t first_frag_addr,
+123 bool b_last_fragment,
+124 bool b_last_packet);
+125
+126 typedef
+127 void (*qed_ll2_release_tx_packet_cb)(void *cxt,
+128 u8 connection_handle,
+129 void *cookie,
+130 dma_addr_t first_frag_addr,
+131 bool b_last_fragment, bool b_last_packet);
+132
+133 typedef
+134 void (*qed_ll2_slowpath_cb)(void *cxt, u8 connection_handle,
+135 u32 opaque_data_0, u32 opaque_data_1);
+136
+137 struct qed_ll2_cbs {
+138 qed_ll2_complete_rx_packet_cb rx_comp_cb;
+139 qed_ll2_release_rx_packet_cb rx_release_cb;
+140 qed_ll2_complete_tx_packet_cb tx_comp_cb;
+141 qed_ll2_release_tx_packet_cb tx_release_cb;
+142 qed_ll2_slowpath_cb slowpath_cb;
+143 void *cookie;
+144 };
+
+Fix this by moving the declaration of `cbs` to the middle of its
+containing structure `qed_ll2_info`, preventing it from being
+overwritten by the contents of `bds_set` at run-time.
+
+This bug was introduced in 2017, when `bds_set` was converted to a
+one-element array, and started to be used as a Variable Length Object
+(VLO) at run-time.
+
+Fixes: f5823fe6897c ("qed: Add ll2 option to limit the number of bds per packet")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Reviewed-by: Kees Cook
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/ZQ+Nz8DfPg56pIzr@work
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/qlogic/qed/qed_ll2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.h
+@@ -111,9 +111,9 @@ struct qed_ll2_info {
+ enum core_tx_dest tx_dest;
+ u8 tx_stats_en;
+ bool main_func_queue;
++ struct qed_ll2_cbs cbs;
+ struct qed_ll2_rx_queue rx_queue;
+ struct qed_ll2_tx_queue tx_queue;
+- struct qed_ll2_cbs cbs;
+ };
+
+ extern const struct qed_ll2_ops qed_ll2_ops_pass;
diff --git a/queue-5.15/scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch b/queue-5.15/scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch
new file mode 100644
index 00000000000..603f6d91b94
--- /dev/null
+++ b/queue-5.15/scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch
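Review bot: Moving `cbs` above `rx_queue` removes the overlap, but the new layout is only correct as long as `tx_queue` stays the last member of `struct qed_ll2_info`, and nothing in the header says so; a later reorder or an appended field would silently reintroduce the function-pointer overwrite the commit message describes. Add a comment on the `tx_queue` line: `/* Must remain last: ends in a flexible array (cur_completing_packet.bds_set[]) */`. The flexible-array dependency is explained only in the commit message, so this comment is what keeps the constraint next to the code.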
@@ -0,0 +1,63 @@
+From b481f644d9174670b385c3a699617052cd2a79d3 Mon Sep 17 00:00:00 2001
+From: Dinghao Liu
+Date: Sat, 23 Sep 2023 18:37:23 +0800
+Subject: scsi: zfcp: Fix a double put in zfcp_port_enqueue()
+
+From: Dinghao Liu
+
+commit b481f644d9174670b385c3a699617052cd2a79d3 upstream.
+
+When device_register() fails, zfcp_port_release() will be called after
+put_device(). As a result, zfcp_ccw_adapter_put() will be called twice: one
+in zfcp_port_release() and one in the error path after device_register().
+So the reference on the adapter object is doubly put, which may lead to a
+premature free. Fix this by adjusting the error tag after
+device_register().
+
+Fixes: f3450c7b9172 ("[SCSI] zfcp: Replace local reference counting with common kref")
+Signed-off-by: Dinghao Liu
+Link: https://lore.kernel.org/r/20230923103723.10320-1-dinghao.liu@zju.edu.cn
+Acked-by: Benjamin Block
+Cc: stable@vger.kernel.org # v2.6.33+
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/scsi/zfcp_aux.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_aux.c
++++ b/drivers/s390/scsi/zfcp_aux.c
+@@ -518,12 +518,12 @@ struct zfcp_port *zfcp_port_enqueue(stru
+ if (port) {
+ put_device(&port->dev);
+ retval = -EEXIST;
+- goto err_out;
++ goto err_put;
+ }
+
+ port = kzalloc(sizeof(struct zfcp_port), GFP_KERNEL);
+ if (!port)
+- goto err_out;
++ goto err_put;
+
+ rwlock_init(&port->unit_list_lock);
+ INIT_LIST_HEAD(&port->unit_list);
+@@ -546,7 +546,7 @@ struct zfcp_port *zfcp_port_enqueue(stru
+
+ if (dev_set_name(&port->dev, "0x%016llx", (unsigned long long)wwpn)) {
+ kfree(port);
+- goto err_out;
++ goto err_put;
+ }
+ retval = -EINVAL;
+
+@@ -563,7 +563,8 @@ struct zfcp_port *zfcp_port_enqueue(stru
+
+ return port;
+
+-err_out:
++err_put:
+ zfcp_ccw_adapter_put(adapter);
++err_out:
+ return ERR_PTR(retval);
+ }
diff --git a/queue-5.15/series b/queue-5.15/series
index 06e4d74079b..db2c7cabf55 100644
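Review bot: The retained `err_out:` label now returns without dropping the adapter reference, and the only path meant to reach it is the device_register() failure outside the hunk, where the commit message says the put happens through put_device() -> zfcp_port_release(); nothing at the label records that asymmetry, so the next maintainer who meets a bare `goto err_out` may add a put back and recreate the double put. Suggest `err_out: /* adapter ref is dropped by zfcp_port_release() via put_device() */` and, for the other label, `err_put: /* reached before device_register(): we still own the adapter ref */` — the second is inferred, since the device_register() call is not in the hunk. The body of zfcp_port_enqueue() starts outside the hunk.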
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -16,3 +16,12 @@ rbd-decouple-parent-info-read-in-from-updating-rbd_d.patch
 rbd-take-header_rwsem-in-rbd_dev_refresh-only-when-u.patch
 block-fix-use-after-free-of-q-q_usage_counter.patch
 revert-clk-imx-pll14xx-dynamically-configure-pll-for-393216000-361267200hz.patch
+scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch
+vringh-don-t-use-vringh_kiov_advance-in-vringh_iov_xfer.patch
+qed-red_ll2-fix-undefined-behavior-bug-in-struct-qed_ll2_info.patch
+wifi-mwifiex-fix-tlv_buf_left-calculation.patch
+net-replace-calls-to-sock-ops-connect-with-kernel_connect.patch
+btrfs-reject-unknown-mount-options-early.patch
+net-prevent-rewrite-of-msg_name-in-sock_sendmsg.patch
+drm-amd-fix-detection-of-_pr3-on-the-pcie-root-port.patch
+arm64-add-cortex-a520-cpu-part-definition.patch
diff --git a/queue-5.15/vringh-don-t-use-vringh_kiov_advance-in-vringh_iov_xfer.patch b/queue-5.15/vringh-don-t-use-vringh_kiov_advance-in-vringh_iov_xfer.patch
new file mode 100644
index 00000000000..396c64283af
--- /dev/null
+++ b/queue-5.15/vringh-don-t-use-vringh_kiov_advance-in-vringh_iov_xfer.patch
@@ -0,0 +1,52 @@
+From 7aed44babc7f97e82b38e9a68515e699692cc100 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella
+Date: Mon, 25 Sep 2023 12:30:57 +0200
+Subject: vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
+
+From: Stefano Garzarella
+
+commit 7aed44babc7f97e82b38e9a68515e699692cc100 upstream.
+
+In the while loop of vringh_iov_xfer(), `partlen` could be 0 if one of
+the `iov` has 0 lenght.
+In this case, we should skip the iov and go to the next one.
+But calling vringh_kiov_advance() with 0 lenght does not cause the
+advancement, since it returns immediately if asked to advance by 0 bytes.
+
+Let's restore the code that was there before commit b8c06ad4d67d
+("vringh: implement vringh_kiov_advance()"), avoiding using
+vringh_kiov_advance().
+
+Fixes: b8c06ad4d67d ("vringh: implement vringh_kiov_advance()")
+Cc: stable@vger.kernel.org
+Reported-by: Jason Wang
+Signed-off-by: Stefano Garzarella
+Acked-by: Jason Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vhost/vringh.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/vringh.c
++++ b/drivers/vhost/vringh.c
+@@ -123,8 +123,18 @@ static inline ssize_t vringh_iov_xfer(st
+ done += partlen;
+ len -= partlen;
+ ptr += partlen;
++ iov->consumed += partlen;
++ iov->iov[iov->i].iov_len -= partlen;
++ iov->iov[iov->i].iov_base += partlen;
+
+- vringh_kiov_advance(iov, partlen);
++ if (!iov->iov[iov->i].iov_len) {
++ /* Fix up old iov element then increment. */
++ iov->iov[iov->i].iov_len = iov->consumed;
++ iov->iov[iov->i].iov_base -= iov->consumed;
++
++ iov->consumed = 0;
++ iov->i++;
++ }
+ }
+ return done;
+ }
diff --git a/queue-5.15/wifi-mwifiex-fix-tlv_buf_left-calculation.patch b/queue-5.15/wifi-mwifiex-fix-tlv_buf_left-calculation.patch
new file mode 100644
index 00000000000..353118c2992
--- /dev/null
+++ b/queue-5.15/wifi-mwifiex-fix-tlv_buf_left-calculation.patch
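Review bot: The open-coded advance in vringh_iov_xfer() fixes the zero-length-iov case only because the `if (!iov->iov[iov->i].iov_len)` test now runs even when `partlen` is 0, but the inline comment `/* Fix up old iov element then increment. */` describes the bookkeeping, not that reason, so the next reader is likely to fold this back into vringh_kiov_advance() as a cleanup. Suggest a comment above the `iov->consumed += partlen;` line: `/* Open-coded on purpose: vringh_kiov_advance() returns early for 0 bytes and would never step past an empty iov. */`. vringh_iov_xfer() begins outside the hunk.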
@@ -0,0 +1,103 @@
+From eec679e4ac5f47507774956fb3479c206e761af7 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Thu, 24 Aug 2023 21:06:51 -0600
+Subject: wifi: mwifiex: Fix tlv_buf_left calculation
+
+From: Gustavo A. R. Silva
+
+commit eec679e4ac5f47507774956fb3479c206e761af7 upstream.
+
+In a TLV encoding scheme, the Length part represents the length after
+the header containing the values for type and length. In this case,
+`tlv_len` should be:
+
+tlv_len == (sizeof(*tlv_rxba) - 1) - sizeof(tlv_rxba->header) + tlv_bitmap_len
+
+Notice that the `- 1` accounts for the one-element array `bitmap`, which
+1-byte size is already included in `sizeof(*tlv_rxba)`.
+
+So, if the above is correct, there is a double-counting of some members
+in `struct mwifiex_ie_types_rxba_sync`, when `tlv_buf_left` and `tmp`
+are calculated:
+
+968 tlv_buf_left -= (sizeof(*tlv_rxba) + tlv_len);
+969 tmp = (u8 *)tlv_rxba + tlv_len + sizeof(*tlv_rxba);
+
+in specific, members:
+
+drivers/net/wireless/marvell/mwifiex/fw.h:777
+ 777 u8 mac[ETH_ALEN];
+ 778 u8 tid;
+ 779 u8 reserved;
+ 780 __le16 seq_num;
+ 781 __le16 bitmap_len;
+
+This is clearly wrong, and affects the subsequent decoding of data in
+`event_buf` through `tlv_rxba`:
+
+970 tlv_rxba = (struct mwifiex_ie_types_rxba_sync *)tmp;
+
+Fix this by using `sizeof(tlv_rxba->header)` instead of `sizeof(*tlv_rxba)`
+in the calculation of `tlv_buf_left` and `tmp`.
+
+This results in the following binary differences before/after changes:
+
+| drivers/net/wireless/marvell/mwifiex/11n_rxreorder.o
+| @@ -4698,11 +4698,11 @@
+| drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c:968
+| tlv_buf_left -= (sizeof(tlv_rxba->header) + tlv_len);
+| - 1da7: lea -0x11(%rbx),%edx
+| + 1da7: lea -0x4(%rbx),%edx
+| 1daa: movzwl %bp,%eax
+| drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c:969
+| tmp = (u8 *)tlv_rxba + sizeof(tlv_rxba->header) + tlv_len;
+| - 1dad: lea 0x11(%r15,%rbp,1),%r15
+| + 1dad: lea 0x4(%r15,%rbp,1),%r15
+
+The above reflects the desired change: avoid counting 13 too many bytes;
+which is the total size of the double-counted members in
+`struct mwifiex_ie_types_rxba_sync`:
+
+$ pahole -C mwifiex_ie_types_rxba_sync drivers/net/wireless/marvell/mwifiex/11n_rxreorder.o
+struct mwifiex_ie_types_rxba_sync {
+ struct mwifiex_ie_types_header header; /* 0 4 */
+
+ |-----------------------------------------------------------------------
+ | u8 mac[6]; /* 4 6 */ |
+ | u8 tid; /* 10 1 */ |
+ | u8 reserved; /* 11 1 */ |
+ | __le16 seq_num; /* 12 2 */ |
+ | __le16 bitmap_len; /* 14 2 */ |
+ | u8 bitmap[1]; /* 16 1 */ |
+ |----------------------------------------------------------------------|
+ | 13 bytes|
+ -----------
+
+ /* size: 17, cachelines: 1, members: 7 */
+ /* last cacheline: 17 bytes */
+} __attribute__((__packed__));
+
+Fixes: 99ffe72cdae4 ("mwifiex: process rxba_sync event")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Reviewed-by: Kees Cook
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/06668edd68e7a26bbfeebd1201ae077a2a7a8bce.1692931954.git.gustavoars@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
++++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+@@ -977,8 +977,8 @@ void mwifiex_11n_rxba_sync_event(struct
+ }
+ }
+
+- tlv_buf_left -= (sizeof(*tlv_rxba) + tlv_len);
+- tmp = (u8 *)tlv_rxba + tlv_len + sizeof(*tlv_rxba);
++ tlv_buf_left -= (sizeof(tlv_rxba->header) + tlv_len);
++ tmp = (u8 *)tlv_rxba + sizeof(tlv_rxba->header) + tlv_len;
+ tlv_rxba = (struct mwifiex_ie_types_rxba_sync *)tmp;
+ }
+ }
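Review bot: The corrected `tlv_buf_left -= (sizeof(tlv_rxba->header) + tlv_len);` is still an unchecked subtraction with `tlv_len` taken from the firmware event, and whether the loop head validates `tlv_len` against `tlv_buf_left` before this line is outside the hunk; if `tlv_buf_left` is unsigned and that check is missing, the subtraction wraps and the loop keeps reinterpreting `tmp` past the end of `event_buf`. This is inferred from the hunk alone and worth confirming at the top of the loop, then recording there with a comment such as `/* tlv_len is firmware-supplied: it must be <= tlv_buf_left - sizeof(tlv_rxba->header) before the advance below */`. The loop and mwifiex_11n_rxba_sync_event() start outside the hunk.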