From: Sasha Levin Date: Mon, 20 Nov 2023 14:23:30 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v4.14.331~151 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=311adf7d1485f8faaab5f214eb7df69fba2608de;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/9p-trans_fd-annotate-data-racy-writes-to-file-f_flag.patch b/queue-5.10/9p-trans_fd-annotate-data-racy-writes-to-file-f_flag.patch new file mode 100644 index 00000000000..811ef5db230 --- /dev/null +++ b/queue-5.10/9p-trans_fd-annotate-data-racy-writes-to-file-f_flag.patch 
@@ -0,0 +1,94 @@ +From 159223cd50299d537d7243b358535bca92d342ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 19:34:43 +0900 +Subject: 9p/trans_fd: Annotate data-racy writes to file::f_flags + +From: Marco Elver + +[ Upstream commit 355f074609dbf3042900ea9d30fcd2b0c323a365 ] + +syzbot reported: + + | BUG: KCSAN: data-race in p9_fd_create / p9_fd_create + | + | read-write to 0xffff888130fb3d48 of 4 bytes by task 15599 on cpu 0: + | p9_fd_open net/9p/trans_fd.c:842 [inline] + | p9_fd_create+0x210/0x250 net/9p/trans_fd.c:1092 + | p9_client_create+0x595/0xa70 net/9p/client.c:1010 + | v9fs_session_init+0xf9/0xd90 fs/9p/v9fs.c:410 + | v9fs_mount+0x69/0x630 fs/9p/vfs_super.c:123 + | legacy_get_tree+0x74/0xd0 fs/fs_context.c:611 + | vfs_get_tree+0x51/0x190 fs/super.c:1519 + | do_new_mount+0x203/0x660 fs/namespace.c:3335 + | path_mount+0x496/0xb30 fs/namespace.c:3662 + | do_mount fs/namespace.c:3675 [inline] + | __do_sys_mount fs/namespace.c:3884 [inline] + | [...] + | + | read-write to 0xffff888130fb3d48 of 4 bytes by task 15563 on cpu 1: + | p9_fd_open net/9p/trans_fd.c:842 [inline] + | p9_fd_create+0x210/0x250 net/9p/trans_fd.c:1092 + | p9_client_create+0x595/0xa70 net/9p/client.c:1010 + | v9fs_session_init+0xf9/0xd90 fs/9p/v9fs.c:410 + | v9fs_mount+0x69/0x630 fs/9p/vfs_super.c:123 + | legacy_get_tree+0x74/0xd0 fs/fs_context.c:611 + | vfs_get_tree+0x51/0x190 fs/super.c:1519 + | do_new_mount+0x203/0x660 fs/namespace.c:3335 + | path_mount+0x496/0xb30 fs/namespace.c:3662 + | do_mount fs/namespace.c:3675 [inline] + | __do_sys_mount fs/namespace.c:3884 [inline] + | [...] + | + | value changed: 0x00008002 -> 0x00008802 + +Within p9_fd_open(), O_NONBLOCK is added to f_flags of the read and +write files. This may happen concurrently if e.g. mounting process +modifies the fd in another thread. 
+ +Mark the plain read-modify-writes as intentional data-races, with the +assumption that the result of executing the accesses concurrently will +always result in the same result despite the accesses themselves not +being atomic. + +Reported-by: syzbot+e441aeeb422763cc5511@syzkaller.appspotmail.com +Signed-off-by: Marco Elver +Link: https://lore.kernel.org/r/ZO38mqkS0TYUlpFp@elver.google.com +Signed-off-by: Dominique Martinet +Message-ID: <20231025103445.1248103-1-asmadeus@codewreck.org> +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index e070a0b8e5ca3..63f4d2067059e 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -823,14 +823,21 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd) + goto out_free_ts; + if (!(ts->rd->f_mode & FMODE_READ)) + goto out_put_rd; +- /* prevent workers from hanging on IO when fd is a pipe */ +- ts->rd->f_flags |= O_NONBLOCK; ++ /* Prevent workers from hanging on IO when fd is a pipe. ++ * It's technically possible for userspace or concurrent mounts to ++ * modify this flag concurrently, which will likely result in a ++ * broken filesystem. However, just having bad flags here should ++ * not crash the kernel or cause any other sort of bug, so mark this ++ * particular data race as intentional so that tooling (like KCSAN) ++ * can allow it and detect further problems. ++ */ ++ data_race(ts->rd->f_flags |= O_NONBLOCK); + ts->wr = fget(wfd); + if (!ts->wr) + goto out_put_rd; + if (!(ts->wr->f_mode & FMODE_WRITE)) + goto out_put_wr; +- ts->wr->f_flags |= O_NONBLOCK; ++ data_race(ts->wr->f_flags |= O_NONBLOCK); + + client->trans = ts; + client->status = Connected; +-- +2.42.0 + diff --git a/queue-5.10/alsa-hda-fix-possible-null-ptr-deref-when-assigning-.patch b/queue-5.10/alsa-hda-fix-possible-null-ptr-deref-when-assigning-.patch new file mode 100644 index 00000000000..b116058fd9e 
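Review bot: data_race() in p9_fd_open() only stops KCSAN from reporting the `f_flags |= O_NONBLOCK` updates on ts->rd and ts->wr; the read-modify-write is still non-atomic, so a concurrent flag change on the same struct file can be lost, as the new comment itself concedes. If keeping O_NONBLOCK set matters for the workers, the update could be made under the file's own lock, e.g. `spin_lock(&ts->rd->f_lock); ts->rd->f_flags |= O_NONBLOCK; spin_unlock(&ts->rd->f_lock);` and the same for ts->wr; to my knowledge f_lock is what the fcntl(F_SETFL) path takes when it rewrites f_flags. p9_fd_open() starts and ends outside the hunk, so any serialisation already provided by the caller is not visible here.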
--- /dev/null
+++ b/queue-5.10/alsa-hda-fix-possible-null-ptr-deref-when-assigning-.patch
@@ -0,0 +1,42 @@
+From fd68cd57790fcac14594aa366b183123cb81769b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 Oct 2023 12:28:55 +0200
+Subject: ALSA: hda: Fix possible null-ptr-deref when assigning a stream
+
+From: Cezary Rojewski
+
+[ Upstream commit f93dc90c2e8ed664985e366aa6459ac83cdab236 ]
+
+While AudioDSP drivers assign streams exclusively of HOST or LINK type,
+nothing blocks a user to attempt to assign a COUPLED stream. As
+supplied substream instance may be a stub, what is the case when
+code-loading, such scenario ends with null-ptr-deref.
+
+Signed-off-by: Cezary Rojewski
+Link: https://lore.kernel.org/r/20231006102857.749143-2-cezary.rojewski@intel.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/hda/hdac_stream.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c
+index 1e0f61affd979..5570722458caf 100644
+--- a/sound/hda/hdac_stream.c
++++ b/sound/hda/hdac_stream.c
+@@ -320,8 +320,10 @@ struct hdac_stream *snd_hdac_stream_assign(struct hdac_bus *bus,
+ struct hdac_stream *res = NULL;
+
+ /* make a non-zero unique key for the substream */
+- int key = (substream->pcm->device << 16) | (substream->number << 2) |
+- (substream->stream + 1);
++ int key = (substream->number << 2) | (substream->stream + 1);
++
++ if (substream->pcm)
++ key |= (substream->pcm->device << 16);
+
+ spin_lock_irq(&bus->reg_lock);
+ list_for_each_entry(azx_dev, &bus->stream_list, list) {
+--
+2.42.0
+
diff --git a/queue-5.10/arm-9320-1-fix-stack-depot-irq-stack-filter.patch b/queue-5.10/arm-9320-1-fix-stack-depot-irq-stack-filter.patch
new file mode 100644
index 00000000000..df59d97d160
--- /dev/null
+++ b/queue-5.10/arm-9320-1-fix-stack-depot-irq-stack-filter.patch
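Review bot: With the new `if (substream->pcm)` guard in snd_hdac_stream_assign(), a stub substream gets a key built from `number` and `stream` only, so two stubs that differ only in PCM device would produce the same "unique" key. The code that matches on the key lies outside the hunk; if it reuses a stream whose stored key equals this one, a collision could hand back a stream keyed by a different stub, so it is worth confirming that stubs cannot coexist on one bus. I would add a comment above the guard such as `/* pcm is NULL for stub substreams (code loading); the key then omits the device number */` so the weaker uniqueness is on record.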
@@ -0,0 +1,45 @@ +From 9be28ee713ada8954949ee771843869f606553b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Aug 2023 08:45:21 +0100 +Subject: ARM: 9320/1: fix stack depot IRQ stack filter + +From: Vincent Whitchurch + +[ Upstream commit b0150014878c32197cfa66e3e2f79e57f66babc0 ] + +Place IRQ handlers such as gic_handle_irq() in the irqentry section even +if FUNCTION_GRAPH_TRACER is not enabled. Without this, the stack +depot's filter_irq_stacks() does not correctly filter out IRQ stacks in +those configurations, which hampers deduplication and eventually leads +to "Stack depot reached limit capacity" splats with KASAN. + +A similar fix was done for arm64 in commit f6794950f0e5ba37e3bbed +("arm64: set __exception_irq_entry with __irq_entry as a default"). + +Link: https://lore.kernel.org/r/20230803-arm-irqentry-v1-1-8aad8e260b1c@axis.com + +Signed-off-by: Vincent Whitchurch +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/exception.h | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/arch/arm/include/asm/exception.h b/arch/arm/include/asm/exception.h +index 58e039a851af0..3c82975d46db3 100644 +--- a/arch/arm/include/asm/exception.h ++++ b/arch/arm/include/asm/exception.h +@@ -10,10 +10,6 @@ + + #include + +-#ifdef CONFIG_FUNCTION_GRAPH_TRACER + #define __exception_irq_entry __irq_entry +-#else +-#define __exception_irq_entry +-#endif + + #endif /* __ASM_ARM_EXCEPTION_H */ +-- +2.42.0 + diff --git a/queue-5.10/asoc-soc-card-add-storage-for-pci-ssid.patch b/queue-5.10/asoc-soc-card-add-storage-for-pci-ssid.patch new file mode 100644 index 00000000000..9e93cb302a5 --- /dev/null +++ b/queue-5.10/asoc-soc-card-add-storage-for-pci-ssid.patch 
@@ -0,0 +1,122 @@ +From d73b1d669c4f41822396f58b714dccf9a10d379a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 17:32:04 +0100 +Subject: ASoC: soc-card: Add storage for PCI SSID + +From: Richard Fitzgerald + +[ Upstream commit 47f56e38a199bd45514b8e0142399cba4feeaf1a ] + +Add members to struct snd_soc_card to store the PCI subsystem ID (SSID) +of the soundcard. + +The PCI specification provides two registers to store a vendor-specific +SSID that can be read by drivers to uniquely identify a particular +"soundcard". This is defined in the PCI specification to distinguish +products that use the same silicon (and therefore have the same silicon +ID) so that product-specific differences can be applied. + +PCI only defines 0xFFFF as an invalid value. 0x0000 is not defined as +invalid. So the usual pattern of zero-filling the struct and then +assuming a zero value unset will not work. A flag is included to +indicate when the SSID information has been filled in. + +Unlike DMI information, which has a free-format entirely up to the vendor, +the PCI SSID has a strictly defined format and a registry of vendor IDs. + +It is usual in Windows drivers that the SSID is used as the sole identifier +of the specific end-product and the Windows driver contains tables mapping +that to information about the hardware setup, rather than using ACPI +properties. + +This SSID is important information for ASoC components that need to apply +hardware-specific configuration on PCI-based systems. + +As the SSID is a generic part of the PCI specification and is treated as +identifying the "soundcard", it is reasonable to include this information +in struct snd_soc_card, instead of components inventing their own custom +ways to pass this information around. 
+ +Signed-off-by: Richard Fitzgerald +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20230912163207.3498161-2-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/sound/soc-card.h | 37 +++++++++++++++++++++++++++++++++++++ + include/sound/soc.h | 11 +++++++++++ + 2 files changed, 48 insertions(+) + +diff --git a/include/sound/soc-card.h b/include/sound/soc-card.h +index 4f2cc4fb56b7f..9a5429260ece5 100644 +--- a/include/sound/soc-card.h ++++ b/include/sound/soc-card.h +@@ -40,6 +40,43 @@ int snd_soc_card_add_dai_link(struct snd_soc_card *card, + void snd_soc_card_remove_dai_link(struct snd_soc_card *card, + struct snd_soc_dai_link *dai_link); + ++#ifdef CONFIG_PCI ++static inline void snd_soc_card_set_pci_ssid(struct snd_soc_card *card, ++ unsigned short vendor, ++ unsigned short device) ++{ ++ card->pci_subsystem_vendor = vendor; ++ card->pci_subsystem_device = device; ++ card->pci_subsystem_set = true; ++} ++ ++static inline int snd_soc_card_get_pci_ssid(struct snd_soc_card *card, ++ unsigned short *vendor, ++ unsigned short *device) ++{ ++ if (!card->pci_subsystem_set) ++ return -ENOENT; ++ ++ *vendor = card->pci_subsystem_vendor; ++ *device = card->pci_subsystem_device; ++ ++ return 0; ++} ++#else /* !CONFIG_PCI */ ++static inline void snd_soc_card_set_pci_ssid(struct snd_soc_card *card, ++ unsigned short vendor, ++ unsigned short device) ++{ ++} ++ ++static inline int snd_soc_card_get_pci_ssid(struct snd_soc_card *card, ++ unsigned short *vendor, ++ unsigned short *device) ++{ ++ return -ENOENT; ++} ++#endif /* CONFIG_PCI */ ++ + /* device driver data */ + static inline void snd_soc_card_set_drvdata(struct snd_soc_card *card, + void *data) +diff --git a/include/sound/soc.h b/include/sound/soc.h +index 3b038c563ae14..e973044143bc9 100644 +--- a/include/sound/soc.h ++++ b/include/sound/soc.h +@@ -977,6 +977,17 @@ struct snd_soc_card { + #ifdef CONFIG_DMI + char dmi_longname[80]; + #endif /* CONFIG_DMI 
*/ ++ ++#ifdef CONFIG_PCI ++ /* ++ * PCI does not define 0 as invalid, so pci_subsystem_set indicates ++ * whether a value has been written to these fields. ++ */ ++ unsigned short pci_subsystem_vendor; ++ unsigned short pci_subsystem_device; ++ bool pci_subsystem_set; ++#endif /* CONFIG_PCI */ ++ + char topology_shortname[32]; + + struct device *dev; +-- +2.42.0 + diff --git a/queue-5.10/asoc-ti-omap-mcbsp-fix-runtime-pm-underflow-warnings.patch b/queue-5.10/asoc-ti-omap-mcbsp-fix-runtime-pm-underflow-warnings.patch new file mode 100644 index 00000000000..4a7ad8f2e23 --- /dev/null +++ b/queue-5.10/asoc-ti-omap-mcbsp-fix-runtime-pm-underflow-warnings.patch 
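Review bot: snd_soc_card_get_pci_ssid() in soc-card.h leaves `*vendor` and `*device` untouched on the -ENOENT path, both in the CONFIG_PCI variant when pci_subsystem_set is false and in the !CONFIG_PCI stub, and nothing in the header says so. A caller that ignores the return value would go on to use uninitialised values as a hardware identifier when selecting device-specific configuration. A kernel-doc block on the getter should state that the outputs are valid only when 0 is returned, and one on the setter that it overwrites any previously stored SSID. The getter only reads `card`, so the parameter could also be declared `const struct snd_soc_card *card`.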
@@ -0,0 +1,47 @@
+From e27231d67bda42f00561b8103acc1fbc6ab59f96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 30 Oct 2023 07:23:38 +0200
+Subject: ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings
+
+From: Tony Lindgren
+
+[ Upstream commit fbb74e56378d8306f214658e3d525a8b3f000c5a ]
+
+We need to check for an active device as otherwise we get warnings
+for some mcbsp instances for "Runtime PM usage count underflow!".
+
+Reported-by: Andreas Kemnade
+Signed-off-by: Tony Lindgren
+Link: https://lore.kernel.org/r/20231030052340.13415-1-tony@atomide.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/ti/omap-mcbsp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/ti/omap-mcbsp.c b/sound/soc/ti/omap-mcbsp.c
+index 6025b30bbe77e..9a88992ac5f33 100644
+--- a/sound/soc/ti/omap-mcbsp.c
++++ b/sound/soc/ti/omap-mcbsp.c
+@@ -74,14 +74,16 @@ static int omap2_mcbsp_set_clks_src(struct omap_mcbsp *mcbsp, u8 fck_src_id)
+ return -EINVAL;
+ }
+
+- pm_runtime_put_sync(mcbsp->dev);
++ if (mcbsp->active)
++ pm_runtime_put_sync(mcbsp->dev);
+
+ r = clk_set_parent(mcbsp->fclk, fck_src);
+ if (r)
+ dev_err(mcbsp->dev, "CLKS: could not clk_set_parent() to %s\n",
+ src);
+
+- pm_runtime_get_sync(mcbsp->dev);
++ if (mcbsp->active)
++ pm_runtime_get_sync(mcbsp->dev);
+
+ clk_put(fck_src);
+
+--
+2.42.0
+
diff --git a/queue-5.10/atm-iphase-do-pci-error-checks-on-own-line.patch b/queue-5.10/atm-iphase-do-pci-error-checks-on-own-line.patch
new file mode 100644
index 00000000000..519e24d9216
--- /dev/null
+++ b/queue-5.10/atm-iphase-do-pci-error-checks-on-own-line.patch
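Review bot: `mcbsp->active` is read twice in omap2_mcbsp_set_clks_src(), once before pm_runtime_put_sync() and again before pm_runtime_get_sync(), so the put and the get stay balanced only if the flag cannot change while clk_set_parent() runs. No lock is visible in the hunk, so unless callers serialise this path, latching the value once is safer: `bool active = mcbsp->active;` followed by `if (active)` at both sites. The return value of pm_runtime_get_sync() is also still ignored, so a failed resume leaves the device suspended with no report. The function begins and ends outside the hunk.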
@@ -0,0 +1,68 @@ +From d4c49221efddd7e7ccdbcff49c0596d44794e4f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 15:53:51 +0300 +Subject: atm: iphase: Do PCI error checks on own line +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit c28742447ca9879b52fbaf022ad844f0ffcd749c ] + +In get_esi() PCI errors are checked inside line-split "if" conditions (in +addition to the file not following the coding style). To make the code in +get_esi() more readable, fix the coding style and use the usual error +handling pattern with a separate variable. + +In addition, initialization of 'error' variable at declaration is not +needed. + +No functional changes intended. + +Link: https://lore.kernel.org/r/20230911125354.25501-4-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/atm/iphase.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c +index a59554e5b8b0f..cc90f550ab75a 100644 +--- a/drivers/atm/iphase.c ++++ b/drivers/atm/iphase.c +@@ -2290,19 +2290,21 @@ static int get_esi(struct atm_dev *dev) + static int reset_sar(struct atm_dev *dev) + { + IADEV *iadev; +- int i, error = 1; ++ int i, error; + unsigned int pci[64]; + + iadev = INPH_IA_DEV(dev); +- for(i=0; i<64; i++) +- if ((error = pci_read_config_dword(iadev->pci, +- i*4, &pci[i])) != PCIBIOS_SUCCESSFUL) +- return error; ++ for (i = 0; i < 64; i++) { ++ error = pci_read_config_dword(iadev->pci, i * 4, &pci[i]); ++ if (error != PCIBIOS_SUCCESSFUL) ++ return error; ++ } + writel(0, iadev->reg+IPHASE5575_EXT_RESET); +- for(i=0; i<64; i++) +- if ((error = pci_write_config_dword(iadev->pci, +- i*4, pci[i])) != PCIBIOS_SUCCESSFUL) +- return error; ++ for (i = 0; i < 64; i++) { ++ error = pci_write_config_dword(iadev->pci, i * 4, pci[i]); ++ if (error != 
PCIBIOS_SUCCESSFUL) ++ return error; ++ } + udelay(5); + return 0; + } +-- +2.42.0 + diff --git a/queue-5.10/bluetooth-btusb-add-date-evt_skb-is-null-check.patch b/queue-5.10/bluetooth-btusb-add-date-evt_skb-is-null-check.patch new file mode 100644 index 00000000000..1a322e29a8d --- /dev/null +++ b/queue-5.10/bluetooth-btusb-add-date-evt_skb-is-null-check.patch 
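Review bot: reset_sar() still returns the raw result of pci_read_config_dword()/pci_write_config_dword(), which is a positive PCIBIOS_* code rather than a negative errno, so any caller that tests for `< 0` would miss the failure (callers are not visible here). Since this hunk already rewrites both loops, a follow-up could change the two returns to `return pcibios_err_to_errno(error);`. A failure in the second loop also returns after the write to IPHASE5575_EXT_RESET with config space only partly restored; that predates this change but deserves a comment at the early return. The commit text speaks of get_esi() while the function changed is reset_sar(), which is worth correcting for anyone matching backports by description.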
@@ -0,0 +1,71 @@ +From ab4113a780c946127eabd31d57a01db043afb76d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Oct 2023 13:14:47 +0800 +Subject: Bluetooth: btusb: Add date->evt_skb is NULL check + +From: youwan Wang + +[ Upstream commit 624820f7c8826dd010e8b1963303c145f99816e9 ] + +fix crash because of null pointers + +[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8 +[ 6104.969667] #PF: supervisor read access in kernel mode +[ 6104.969668] #PF: error_code(0x0000) - not-present page +[ 6104.969670] PGD 0 P4D 0 +[ 6104.969673] Oops: 0000 [#1] SMP NOPTI +[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb] +[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246 +[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006 +[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000 +[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001 +[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0 +[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90 +[ 6104.969697] FS: 00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000 +[ 6104.969699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0 +[ 6104.969701] PKRU: 55555554 +[ 6104.969702] Call Trace: +[ 6104.969708] btusb_mtk_shutdown+0x44/0x80 [btusb] +[ 6104.969732] hci_dev_do_close+0x470/0x5c0 [bluetooth] +[ 6104.969748] hci_rfkill_set_block+0x56/0xa0 [bluetooth] +[ 6104.969753] rfkill_set_block+0x92/0x160 +[ 6104.969755] rfkill_fop_write+0x136/0x1e0 +[ 6104.969759] __vfs_write+0x18/0x40 +[ 6104.969761] vfs_write+0xdf/0x1c0 +[ 6104.969763] ksys_write+0xb1/0xe0 +[ 6104.969765] __x64_sys_write+0x1a/0x20 +[ 6104.969769] do_syscall_64+0x51/0x180 +[ 6104.969771] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 6104.969773] RIP: 0033:0x7f5a21f18fef +[ 6104.9] RSP: 
002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 +[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef +[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012 +[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017 +[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002 +[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0 + +Signed-off-by: youwan Wang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index f99d190770204..cc210fb790d89 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -3095,6 +3095,9 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev, + goto err_free_wc; + } + ++ if (data->evt_skb == NULL) ++ goto err_free_wc; ++ + /* Parse and handle the return WMT event */ + wmt_evt = (struct btmtk_hci_wmt_evt *)data->evt_skb->data; + if (wmt_evt->whdr.op != hdr->op) { +-- +2.42.0 + diff --git a/queue-5.10/bluetooth-fix-double-free-in-hci_conn_cleanup.patch b/queue-5.10/bluetooth-fix-double-free-in-hci_conn_cleanup.patch new file mode 100644 index 00000000000..fcd1f407590 --- /dev/null +++ b/queue-5.10/bluetooth-fix-double-free-in-hci_conn_cleanup.patch 
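Review bot: The new `if (data->evt_skb == NULL) goto err_free_wc;` in btusb_mtk_hci_wmt_sync() leaves without assigning `err`, so the function returns whatever `err` held after the preceding wait. The earlier branches are outside the hunk, but if `err` is 0 at this point the caller is told the WMT command succeeded although no event was parsed. Setting an explicit error avoids that, e.g. `if (!data->evt_skb) { err = -EIO; goto err_free_wc; }` (the errno value is only a suggestion). It is also not visible here whether evt_skb can be cleared by another context between this check and the dereference on the following line.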
@@ -0,0 +1,139 @@ +From 31b24b7884a04fdefbf0a3a8eae30d1d9835cf8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 12:30:55 +0200 +Subject: Bluetooth: Fix double free in hci_conn_cleanup + +From: ZhengHan Wang + +[ Upstream commit a85fb91e3d728bdfc80833167e8162cce8bc7004 ] + +syzbot reports a slab use-after-free in hci_conn_hash_flush [1]. +After releasing an object using hci_conn_del_sysfs in the +hci_conn_cleanup function, releasing the same object again +using the hci_dev_put and hci_conn_put functions causes a double free. +Here's a simplified flow: + +hci_conn_del_sysfs: + hci_dev_put + put_device + kobject_put + kref_put + kobject_release + kobject_cleanup + kfree_const + kfree(name) + +hci_dev_put: + ... + kfree(name) + +hci_conn_put: + put_device + ... + kfree(name) + +This patch drop the hci_dev_put and hci_conn_put function +call in hci_conn_cleanup function, because the object is +freed in hci_conn_del_sysfs function. + +This patch also fixes the refcounting in hci_conn_add_sysfs() and +hci_conn_del_sysfs() to take into account device_add() failures. + +This fixes CVE-2023-28464. 
+ +Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1] + +Signed-off-by: ZhengHan Wang +Co-developed-by: Luiz Augusto von Dentz +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_conn.c | 6 ++---- + net/bluetooth/hci_sysfs.c | 23 ++++++++++++----------- + 2 files changed, 14 insertions(+), 15 deletions(-) + +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index a9f6089a2ae2a..74721c3e49b34 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -135,13 +135,11 @@ static void hci_conn_cleanup(struct hci_conn *conn) + hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); + } + +- hci_conn_del_sysfs(conn); +- + debugfs_remove_recursive(conn->debugfs); + +- hci_dev_put(hdev); ++ hci_conn_del_sysfs(conn); + +- hci_conn_put(conn); ++ hci_dev_put(hdev); + } + + static void le_scan_cleanup(struct work_struct *work) +diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c +index ccd2c377bf83c..266112c960ee8 100644 +--- a/net/bluetooth/hci_sysfs.c ++++ b/net/bluetooth/hci_sysfs.c +@@ -33,7 +33,7 @@ void hci_conn_init_sysfs(struct hci_conn *conn) + { + struct hci_dev *hdev = conn->hdev; + +- BT_DBG("conn %p", conn); ++ bt_dev_dbg(hdev, "conn %p", conn); + + conn->dev.type = &bt_link; + conn->dev.class = bt_class; +@@ -46,27 +46,30 @@ void hci_conn_add_sysfs(struct hci_conn *conn) + { + struct hci_dev *hdev = conn->hdev; + +- BT_DBG("conn %p", conn); ++ bt_dev_dbg(hdev, "conn %p", conn); + + if (device_is_registered(&conn->dev)) + return; + + dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle); + +- if (device_add(&conn->dev) < 0) { ++ if (device_add(&conn->dev) < 0) + bt_dev_err(hdev, "failed to register connection device"); +- return; +- } +- +- hci_dev_hold(hdev); + } + + void hci_conn_del_sysfs(struct hci_conn *conn) + { + struct hci_dev *hdev = conn->hdev; + +- if (!device_is_registered(&conn->dev)) ++ bt_dev_dbg(hdev, "conn %p", conn); ++ ++ if 
(!device_is_registered(&conn->dev)) { ++ /* If device_add() has *not* succeeded, use *only* put_device() ++ * to drop the reference count. ++ */ ++ put_device(&conn->dev); + return; ++ } + + while (1) { + struct device *dev; +@@ -78,9 +81,7 @@ void hci_conn_del_sysfs(struct hci_conn *conn) + put_device(dev); + } + +- device_del(&conn->dev); +- +- hci_dev_put(hdev); ++ device_unregister(&conn->dev); + } + + static void bt_host_release(struct device *dev) +-- +2.42.0 + diff --git a/queue-5.10/bonding-stop-the-device-in-bond_setup_by_slave.patch b/queue-5.10/bonding-stop-the-device-in-bond_setup_by_slave.patch new file mode 100644 index 00000000000..980135ccae5 --- /dev/null +++ b/queue-5.10/bonding-stop-the-device-in-bond_setup_by_slave.patch 
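Review bot: After this change hci_conn_del_sysfs() can drop the last reference to `conn` on both of its paths (put_device() when the device was never registered, device_unregister() otherwise), yet nothing in hci_conn_cleanup() records that `conn` must not be touched after the call. The new ordering is safe only because `hci_dev_put(hdev)` uses a pointer obtained earlier; its declaration is outside the hunk. I would add above the call `/* May free conn: hci_conn_del_sysfs() drops the final device reference. Do not dereference conn after this point. */` so a later edit does not reintroduce the double free this commit fixes. hci_conn_add_sysfs() now only logs a device_add() failure, so a one-line comment there that the reference is released later in hci_conn_del_sysfs() would help as well.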
@@ -0,0 +1,133 @@ +From 1a1a066208ca48247dc58a3cc6bf3e22085aaecd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Nov 2023 18:01:02 +0000 +Subject: bonding: stop the device in bond_setup_by_slave() + +From: Eric Dumazet + +[ Upstream commit 3cffa2ddc4d3fcf70cde361236f5a614f81a09b2 ] + +Commit 9eed321cde22 ("net: lapbether: only support ethernet devices") +has been able to keep syzbot away from net/lapb, until today. + +In the following splat [1], the issue is that a lapbether device has +been created on a bonding device without members. Then adding a non +ARPHRD_ETHER member forced the bonding master to change its type. + +The fix is to make sure we call dev_close() in bond_setup_by_slave() +so that the potential linked lapbether devices (or any other devices +having assumptions on the physical device) are removed. + +A similar bug has been addressed in commit 40baec225765 +("bonding: fix panic on non-ARPHRD_ETHER enslave failure") + +[1] +skbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0 +kernel BUG at net/core/skbuff.c:192 ! 
+Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 +pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : skb_panic net/core/skbuff.c:188 [inline] +pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 +lr : skb_panic net/core/skbuff.c:188 [inline] +lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 +sp : ffff800096a06aa0 +x29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000 +x26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea +x23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140 +x20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100 +x17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001 +x14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000 +x11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00 +x8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001 +x5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c +x2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086 +Call trace: +skb_panic net/core/skbuff.c:188 [inline] +skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 +skb_push+0xf0/0x108 net/core/skbuff.c:2446 +ip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384 +dev_hard_header include/linux/netdevice.h:3136 [inline] +lapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257 +lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447 +lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149 +lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251 +__lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326 +lapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492 +notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93 +raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461 +call_netdevice_notifiers_info 
net/core/dev.c:1970 [inline] +call_netdevice_notifiers_extack net/core/dev.c:2008 [inline] +call_netdevice_notifiers net/core/dev.c:2022 [inline] +__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508 +dev_close_many+0x1e0/0x470 net/core/dev.c:1559 +dev_close+0x174/0x250 net/core/dev.c:1585 +lapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466 +notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93 +raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461 +call_netdevice_notifiers_info net/core/dev.c:1970 [inline] +call_netdevice_notifiers_extack net/core/dev.c:2008 [inline] +call_netdevice_notifiers net/core/dev.c:2022 [inline] +__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508 +dev_close_many+0x1e0/0x470 net/core/dev.c:1559 +dev_close+0x174/0x250 net/core/dev.c:1585 +bond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332 +bond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539 +dev_ifsioc+0x754/0x9ac +dev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786 +sock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217 +sock_ioctl+0x4e8/0x834 net/socket.c:1322 +vfs_ioctl fs/ioctl.c:51 [inline] +__do_sys_ioctl fs/ioctl.c:871 [inline] +__se_sys_ioctl fs/ioctl.c:857 [inline] +__arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:857 +__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] +invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 +el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 +do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 +el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678 +el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 +el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591 +Code: aa1803e6 aa1903e7 a90023f5 94785b8b (d4210000) + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Acked-by: Jay Vosburgh +Reviewed-by: Hangbin Liu +Link: https://lore.kernel.org/r/20231109180102.4085183-1-edumazet@google.com +Signed-off-by: Jakub Kicinski 
+Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index bcb019121d835..50fabba042488 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1433,6 +1433,10 @@ static void bond_compute_features(struct bonding *bond) + static void bond_setup_by_slave(struct net_device *bond_dev, + struct net_device *slave_dev) + { ++ bool was_up = !!(bond_dev->flags & IFF_UP); ++ ++ dev_close(bond_dev); ++ + bond_dev->header_ops = slave_dev->header_ops; + + bond_dev->type = slave_dev->type; +@@ -1447,6 +1451,8 @@ static void bond_setup_by_slave(struct net_device *bond_dev, + bond_dev->flags &= ~(IFF_BROADCAST | IFF_MULTICAST); + bond_dev->flags |= (IFF_POINTOPOINT | IFF_NOARP); + } ++ if (was_up) ++ dev_open(bond_dev, NULL); + } + + /* On bonding slaves other than the currently active slave, suppress +-- +2.42.0 + diff --git a/queue-5.10/bpf-detect-ip-ksym.end-as-part-of-bpf-program.patch b/queue-5.10/bpf-detect-ip-ksym.end-as-part-of-bpf-program.patch new file mode 100644 index 00000000000..577e9bf428c --- /dev/null +++ b/queue-5.10/bpf-detect-ip-ksym.end-as-part-of-bpf-program.patch 
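Review bot: bond_setup_by_slave() discards the result of `dev_open(bond_dev, NULL)`, so if reopening fails the bond stays down after the enslave with nothing logged for the operator. The function returns void, so at minimum the failure should be reported, e.g. `if (was_up && dev_open(bond_dev, NULL)) netdev_warn(bond_dev, "failed to reopen after type change\n");`. A short comment above `dev_close(bond_dev)` stating that the close is deliberate, to detach upper devices that assumed the old link type, would carry the reasoning from the commit message into the code.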
@@ -0,0 +1,97 @@
+From 6e03108fc803fa8d662c39fbc715d64841248230 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Sep 2023 01:32:08 +0200
+Subject: bpf: Detect IP == ksym.end as part of BPF program
+
+From: Kumar Kartikeya Dwivedi
+
+[ Upstream commit 66d9111f3517f85ef2af0337ece02683ce0faf21 ]
+
+Now that bpf_throw kfunc is the first such call instruction that has
+noreturn semantics within the verifier, this also kicks in dead code
+elimination in unprecedented ways. For one, any instruction following
+a bpf_throw call will never be marked as seen. Moreover, if a callchain
+ends up throwing, any instructions after the call instruction to the
+eventually throwing subprog in callers will also never be marked as
+seen.
+
+The tempting way to fix this would be to emit extra 'int3' instructions
+which bump the jited_len of a program, and ensure that during runtime
+when a program throws, we can discover its boundaries even if the call
+instruction to bpf_throw (or to subprogs that always throw) is emitted
+as the final instruction in the program.
+
+An example of such a program would be this:
+
+do_something():
+ ...
+ r0 = 0
+ exit
+
+foo():
+ r1 = 0
+ call bpf_throw
+ r0 = 0
+ exit
+
+bar(cond):
+ if r1 != 0 goto pc+2
+ call do_something
+ exit
+ call foo
+ r0 = 0 // Never seen by verifier
+ exit //
+
+main(ctx):
+ r1 = ...
+ call bar
+ r0 = 0
+ exit
+
+Here, if we do end up throwing, the stacktrace would be the following:
+
+bpf_throw
+foo
+bar
+main
+
+In bar, the final instruction emitted will be the call to foo, as such,
+the return address will be the subsequent instruction (which the JIT
+emits as int3 on x86). This will end up lying outside the jited_len of
+the program, thus, when unwinding, we will fail to discover the return
+address as belonging to any program and end up in a panic due to the
+unreliable stack unwinding of BPF programs that we never expect.
+
+To remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as
+part of the BPF program, so that is_bpf_text_address returns true when
+such a case occurs, and we are able to unwind reliably when the final
+instruction ends up being a call instruction.
+
+Signed-off-by: Kumar Kartikeya Dwivedi
+Link: https://lore.kernel.org/r/20230912233214.1518551-12-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index d3f6a070875cb..33ea6ab12f47c 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -602,7 +602,11 @@ static __always_inline int bpf_tree_comp(void *key, struct latch_tree_node *n)
+
+ if (val < ksym->start)
+ return -1;
+- if (val >= ksym->end)
++ /* Ensure that we detect return addresses as part of the program, when
++ * the final instruction is a call for a program part of the stack
++ * trace. Therefore, do val > ksym->end instead of val >= ksym->end.
++ */
++ if (val > ksym->end)
+ return 1;
+
+ return 0;
+--
+2.42.0
+
diff --git a/queue-5.10/cifs-fix-check-of-rc-in-function-generate_smb3signin.patch b/queue-5.10/cifs-fix-check-of-rc-in-function-generate_smb3signin.patch
new file mode 100644
index 00000000000..4ac9dc1803d
--- /dev/null
+++ b/queue-5.10/cifs-fix-check-of-rc-in-function-generate_smb3signin.patch
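Review bot: With the upper bound made inclusive in `bpf_tree_comp()`, an address equal to `ksym->end` now compares equal to that ksym even when it is also the `start` of the next program's ksym, so the comparator no longer describes disjoint ranges and a lookup of a valid entry address could resolve to the preceding program. Whether two ksyms can be laid out back to back is not visible in this hunk, so that needs confirming before the relaxed bound is safe for every user of the tree lookup, not only the unwinder. The commit message motivates the change with `bpf_throw`; if the 5.10 tree has no such kfunc (not shown here), the backport widens the match without the case it was written for. At minimum I would extend the new comment with `* NOTE: val == ksym->end may also be the start of an adjacent ksym; this match is meant for return addresses only.` The body of `bpf_tree_comp()` starts outside the hunk.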
@@ -0,0 +1,52 @@
+From 3198fbdb877f55030a686c617cff92cca76bd2eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Nov 2023 19:42:41 +0300
+Subject: cifs: fix check of rc in function generate_smb3signingkey
+
+From: Ekaterina Esina
+
+[ Upstream commit 181724fc72486dec2bec8803459be05b5162aaa8 ]
+
+Remove extra check after condition, add check after generating key
+for encryption. The check is needed to return non zero rc before
+rewriting it with generating key for decryption.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Reviewed-by: Paulo Alcantara (SUSE)
+Fixes: d70e9fa55884 ("cifs: try opening channels after mounting")
+Signed-off-by: Ekaterina Esina
+Co-developed-by: Anastasia Belova
+Signed-off-by: Anastasia Belova
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/smb2transport.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/cifs/smb2transport.c b/fs/cifs/smb2transport.c
+index e6fa76ab70be7..d659eb70df76d 100644
+--- a/fs/cifs/smb2transport.c
++++ b/fs/cifs/smb2transport.c
+@@ -433,6 +433,8 @@ generate_smb3signingkey(struct cifs_ses *ses,
+ ptriplet->encryption.context,
+ ses->smb3encryptionkey,
+ SMB3_ENC_DEC_KEY_SIZE);
++ if (rc)
++ return rc;
+ rc = generate_key(ses, ptriplet->decryption.label,
+ ptriplet->decryption.context,
+ ses->smb3decryptionkey,
+@@ -441,9 +443,6 @@ generate_smb3signingkey(struct cifs_ses *ses,
+ return rc;
+ }
+
+- if (rc)
+- return rc;
+-
+ #ifdef CONFIG_CIFS_DEBUG_DUMP_KEYS
+ cifs_dbg(VFS, "%s: dumping generated AES session keys\n", __func__);
+ /*
+--
+2.42.0
+
diff --git a/queue-5.10/cifs-spnego-add-in-host_key_len.patch b/queue-5.10/cifs-spnego-add-in-host_key_len.patch
new file mode 100644
index 00000000000..feca0346130
--- /dev/null
+++ b/queue-5.10/cifs-spnego-add-in-host_key_len.patch
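Review bot: The new `if (rc) return rc;` between the two `generate_key()` calls carries no comment saying why it has to sit exactly there, and the misplaced check this patch removes shows how easily it drifts. I would add `/* stop here: the decryption-key call below overwrites rc */` above it. On that early return `ses->smb3encryptionkey` may hold whatever the failed derivation left behind while the decryption key was never generated; whether callers discard the session on a non-zero return is not visible in this hunk and is worth confirming. `generate_smb3signingkey()` starts and ends outside the hunk.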
@@ -0,0 +1,43 @@
+From 83bf597a21e57448d845ef87e27df98fea5b7da1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Nov 2023 17:52:32 +0300
+Subject: cifs: spnego: add ';' in HOST_KEY_LEN
+
+From: Anastasia Belova
+
+[ Upstream commit ff31ba19d732efb9aca3633935d71085e68d5076 ]
+
+"host=" should start with ';' (as in cifs_get_spnego_key)
+So its length should be 6.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Reviewed-by: Paulo Alcantara (SUSE)
+Fixes: 7c9c3760b3a5 ("[CIFS] add constants for string lengths of keynames in SPNEGO upcall string")
+Signed-off-by: Anastasia Belova
+Co-developed-by: Ekaterina Esina
+Signed-off-by: Ekaterina Esina
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/cifs_spnego.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c
+index 7b9b876b513bd..4f9d08ac9dde5 100644
+--- a/fs/cifs/cifs_spnego.c
++++ b/fs/cifs/cifs_spnego.c
+@@ -76,8 +76,8 @@ struct key_type cifs_spnego_key_type = {
+ * strlen(";sec=ntlmsspi") */
+ #define MAX_MECH_STR_LEN 13
+
+-/* strlen of "host=" */
+-#define HOST_KEY_LEN 5
++/* strlen of ";host=" */
++#define HOST_KEY_LEN 6
+
+ /* strlen of ";ip4=" or ";ip6=" */
+ #define IP_KEY_LEN 5
+--
+2.42.0
+
diff --git a/queue-5.10/clocksource-drivers-timer-atmel-tcb-fix-initializati.patch b/queue-5.10/clocksource-drivers-timer-atmel-tcb-fix-initializati.patch
new file mode 100644
index 00000000000..a77e7d72a3e
--- /dev/null
+++ b/queue-5.10/clocksource-drivers-timer-atmel-tcb-fix-initializati.patch
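Review bot: `HOST_KEY_LEN` is still a hand-counted number that has to match a string built elsewhere (the commit message points at `cifs_get_spnego_key`), which is exactly the mismatch this patch corrects by hand. Deriving it from the literal keeps the two in step: `#define HOST_KEY_LEN (sizeof(";host=") - 1)`. The same applies to `MAX_MECH_STR_LEN` and `IP_KEY_LEN` in the context lines, which are also documented as the `strlen` of a string but written as numbers. If these constants size the upcall description buffer (not visible in this hunk), an undercount is a one-byte overrun rather than a cosmetic error.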
@@ -0,0 +1,56 @@
+From 7c1cb4165b4a0c164b1ed737396161be0dba9de8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 7 Oct 2023 18:17:13 +0200
+Subject: clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9
+ hardware
+
+From: Ronald Wahl
+
+[ Upstream commit 6d3bc4c02d59996d1d3180d8ed409a9d7d5900e0 ]
+
+On SAM9 hardware two cascaded 16 bit timers are used to form a 32 bit
+high resolution timer that is used as scheduler clock when the kernel
+has been configured that way (CONFIG_ATMEL_CLOCKSOURCE_TCB).
+
+The driver initially triggers a reset-to-zero of the two timers but this
+reset is only performed on the next rising clock. For the first timer
+this is ok - it will be in the next 60ns (16MHz clock). For the chained
+second timer this will only happen after the first timer overflows, i.e.
+after 2^16 clocks (~4ms with a 16MHz clock). So with other words the
+scheduler clock resets to 0 after the first 2^16 clock cycles.
+
+It looks like that the scheduler does not like this and behaves wrongly
+over its lifetime, e.g. some tasks are scheduled with a long delay. Why
+that is and if there are additional requirements for this behaviour has
+not been further analysed.
+
+There is a simple fix for resetting the second timer as well when the
+first timer is reset and this is to set the ATMEL_TC_ASWTRG_SET bit in
+the Channel Mode register (CMR) of the first timer. This will also rise
+the TIOA line (clock input of the second timer) when a software trigger
+respective SYNC is issued.
+
+Signed-off-by: Ronald Wahl
+Acked-by: Alexandre Belloni
+Signed-off-by: Daniel Lezcano
+Link: https://lore.kernel.org/r/20231007161803.31342-1-rwahl@gmx.de
+Signed-off-by: Sasha Levin
+---
+ drivers/clocksource/timer-atmel-tcb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clocksource/timer-atmel-tcb.c b/drivers/clocksource/timer-atmel-tcb.c
+index 787dbebbb4324..5ea1efd87f580 100644
+--- a/drivers/clocksource/timer-atmel-tcb.c
++++ b/drivers/clocksource/timer-atmel-tcb.c
+@@ -315,6 +315,7 @@ static void __init tcb_setup_dual_chan(struct atmel_tc *tc, int mck_divisor_idx)
+ writel(mck_divisor_idx /* likely divide-by-8 */
+ | ATMEL_TC_WAVE
+ | ATMEL_TC_WAVESEL_UP /* free-run */
++ | ATMEL_TC_ASWTRG_SET /* TIOA0 rises at software trigger */
+ | ATMEL_TC_ACPA_SET /* TIOA0 rises at 0 */
+ | ATMEL_TC_ACPC_CLEAR, /* (duty cycle 50%) */
+ tcaddr + ATMEL_TC_REG(0, CMR));
+--
+2.42.0
+
diff --git a/queue-5.10/clocksource-drivers-timer-imx-gpt-fix-potential-memo.patch b/queue-5.10/clocksource-drivers-timer-imx-gpt-fix-potential-memo.patch
new file mode 100644
index 00000000000..8534dff61a3
--- /dev/null
+++ b/queue-5.10/clocksource-drivers-timer-imx-gpt-fix-potential-memo.patch
@@ -0,0 +1,66 @@
+From 7b9ffafdb0771e2c962bfbab59f7ece70d7e97f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Oct 2023 16:39:22 +0800
+Subject: clocksource/drivers/timer-imx-gpt: Fix potential memory leak
+
+From: Jacky Bai
+
+[ Upstream commit 8051a993ce222a5158bccc6ac22ace9253dd71cb ]
+
+Fix coverity Issue CID 250382: Resource leak (RESOURCE_LEAK).
+Add kfree when error return.
+
+Signed-off-by: Jacky Bai
+Reviewed-by: Peng Fan
+Signed-off-by: Daniel Lezcano
+Link: https://lore.kernel.org/r/20231009083922.1942971-1-ping.bai@nxp.com
+Signed-off-by: Sasha Levin
+---
+ drivers/clocksource/timer-imx-gpt.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/clocksource/timer-imx-gpt.c b/drivers/clocksource/timer-imx-gpt.c
+index 7b2c70f2f353b..fabff69e52e58 100644
+--- a/drivers/clocksource/timer-imx-gpt.c
++++ b/drivers/clocksource/timer-imx-gpt.c
+@@ -454,12 +454,16 @@ static int __init mxc_timer_init_dt(struct device_node *np, enum imx_gpt_type t
+ return -ENOMEM;
+
+ imxtm->base = of_iomap(np, 0);
+- if (!imxtm->base)
+- return -ENXIO;
++ if (!imxtm->base) {
++ ret = -ENXIO;
++ goto err_kfree;
++ }
+
+ imxtm->irq = irq_of_parse_and_map(np, 0);
+- if (imxtm->irq <= 0)
+- return -EINVAL;
++ if (imxtm->irq <= 0) {
++ ret = -EINVAL;
++ goto err_kfree;
++ }
+
+ imxtm->clk_ipg = of_clk_get_by_name(np, "ipg");
+
+@@ -472,11 +476,15 @@ static int __init mxc_timer_init_dt(struct device_node *np, enum imx_gpt_type t
+
+ ret = _mxc_timer_init(imxtm);
+ if (ret)
+- return ret;
++ goto err_kfree;
+
+ initialized = 1;
+
+ return 0;
++
++err_kfree:
++ kfree(imxtm);
++ return ret;
+ }
+
+ static int __init imx1_timer_init_dt(struct device_node *np)
+--
+2.42.0
+
diff --git a/queue-5.10/crypto-pcrypt-fix-hungtask-for-padata_reset.patch b/queue-5.10/crypto-pcrypt-fix-hungtask-for-padata_reset.patch
new file mode 100644
index 00000000000..aeeafcbec37
--- /dev/null
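Review bot: The new `err_kfree` path frees `imxtm` but does not undo `of_iomap()`: when `irq_of_parse_and_map()` or `_mxc_timer_init()` fails, `imxtm->base` is still mapped and the only pointer to the mapping is freed with the struct. A second label would cover it, `err_iounmap: iounmap(imxtm->base);` placed just above `err_kfree:`, with the IRQ and `_mxc_timer_init()` failures jumping there instead. The clock obtained by `of_clk_get_by_name(np, "ipg")` is likewise not released on the last error path, as far as the hunk shows. `mxc_timer_init_dt()` begins outside the hunk, so the allocation itself is not visible.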
+++ b/queue-5.10/crypto-pcrypt-fix-hungtask-for-padata_reset.patch 
@@ -0,0 +1,106 @@
+From b5f5714d1a3fcfab92fb619e75d2882aef85a6a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Sep 2023 13:33:41 +0000
+Subject: crypto: pcrypt - Fix hungtask for PADATA_RESET
+
+From: Lu Jialin
+
+[ Upstream commit 8f4f68e788c3a7a696546291258bfa5fdb215523 ]
+
+We found a hungtask bug in test_aead_vec_cfg as follows:
+
+INFO: task cryptomgr_test:391009 blocked for more than 120 seconds.
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+Call trace:
+ __switch_to+0x98/0xe0
+ __schedule+0x6c4/0xf40
+ schedule+0xd8/0x1b4
+ schedule_timeout+0x474/0x560
+ wait_for_common+0x368/0x4e0
+ wait_for_completion+0x20/0x30
+ wait_for_completion+0x20/0x30
+ test_aead_vec_cfg+0xab4/0xd50
+ test_aead+0x144/0x1f0
+ alg_test_aead+0xd8/0x1e0
+ alg_test+0x634/0x890
+ cryptomgr_test+0x40/0x70
+ kthread+0x1e0/0x220
+ ret_from_fork+0x10/0x18
+ Kernel panic - not syncing: hung_task: blocked tasks
+
+For padata_do_parallel, when the return err is 0 or -EBUSY, it will call
+wait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal
+case, aead_request_complete() will be called in pcrypt_aead_serial and the
+return err is 0 for padata_do_parallel. But, when pinst->flags is
+PADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it
+won't call aead_request_complete(). Therefore, test_aead_vec_cfg will
+hung at wait_for_completion(&wait->completion), which will cause
+hungtask.
+
+The problem comes as following:
+(padata_do_parallel) |
+ rcu_read_lock_bh(); |
+ err = -EINVAL; | (padata_replace)
+ | pinst->flags |= PADATA_RESET;
+ err = -EBUSY |
+ if (pinst->flags & PADATA_RESET) |
+ rcu_read_unlock_bh() |
+ return err
+
+In order to resolve the problem, we replace the return err -EBUSY with
+-EAGAIN, which means parallel_data is changing, and the caller should call
+it again.
+
+v3:
+remove retry and just change the return err.
+v2:
+introduce padata_try_do_parallel() in pcrypt_aead_encrypt and
+pcrypt_aead_decrypt to solve the hungtask.
+
+Signed-off-by: Lu Jialin
+Signed-off-by: Guo Zihua
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ crypto/pcrypt.c | 4 ++++
+ kernel/padata.c | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
+index 9d10b846ccf73..005a36cb21bc4 100644
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -117,6 +117,8 @@ static int pcrypt_aead_encrypt(struct aead_request *req)
+ err = padata_do_parallel(ictx->psenc, padata, &ctx->cb_cpu);
+ if (!err)
+ return -EINPROGRESS;
++ if (err == -EBUSY)
++ return -EAGAIN;
+
+ return err;
+ }
+@@ -164,6 +166,8 @@ static int pcrypt_aead_decrypt(struct aead_request *req)
+ err = padata_do_parallel(ictx->psdec, padata, &ctx->cb_cpu);
+ if (!err)
+ return -EINPROGRESS;
++ if (err == -EBUSY)
++ return -EAGAIN;
+
+ return err;
+ }
+diff --git a/kernel/padata.c b/kernel/padata.c
+index 7d500219f96bd..fdcd78302cd72 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -207,7 +207,7 @@ int padata_do_parallel(struct padata_shell *ps,
+ *cb_cpu = cpu;
+ }
+
+- err = -EBUSY;
++ err = -EBUSY;
+ if ((pinst->flags & PADATA_RESET))
+ goto out;
+
+--
+2.42.0
+
diff --git a/queue-5.10/drm-amd-display-avoid-null-dereference-of-timing-gen.patch b/queue-5.10/drm-amd-display-avoid-null-dereference-of-timing-gen.patch
new file mode 100644
index 00000000000..4c9ab42d69d
--- /dev/null
+++ b/queue-5.10/drm-amd-display-avoid-null-dereference-of-timing-gen.patch
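Review bot: The `-EBUSY` to `-EAGAIN` translation added to `pcrypt_aead_encrypt()` and `pcrypt_aead_decrypt()` is unexplained in the code; the reason exists only in the commit message, which says the caller treats `-EBUSY` like 0 and waits for a completion that never fires because padata did not queue the request. I would put that above each check, e.g. `/* padata did not queue the request, so no completion will fire; -EBUSY would make the caller wait for one */`. Callers that previously saw `-EBUSY` now see `-EAGAIN`, so any retry handling has to exist on their side, and none is visible here. The `kernel/padata.c` hunk appears to change whitespace only.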
@@ -0,0 +1,48 @@
+From 60c53489d87dd78f54cd75f47568c263b9e66ac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Sep 2023 10:14:49 +0800
+Subject: drm/amd/display: Avoid NULL dereference of timing generator
+
+From: Wayne Lin
+
+[ Upstream commit b1904ed480cee3f9f4036ea0e36d139cb5fee2d6 ]
+
+[Why & How]
+Check whether assigned timing generator is NULL or not before
+accessing its funcs to prevent NULL dereference.
+
+Reviewed-by: Jun Lei
+Acked-by: Hersen Wu
+Signed-off-by: Wayne Lin
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+index d48fd87d3b953..8206c6edba746 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+@@ -534,7 +534,7 @@ uint32_t dc_stream_get_vblank_counter(const struct dc_stream_state *stream)
+ for (i = 0; i < MAX_PIPES; i++) {
+ struct timing_generator *tg = res_ctx->pipe_ctx[i].stream_res.tg;
+
+- if (res_ctx->pipe_ctx[i].stream != stream)
++ if (res_ctx->pipe_ctx[i].stream != stream || !tg)
+ continue;
+
+ return tg->funcs->get_frame_count(tg);
+@@ -593,7 +593,7 @@ bool dc_stream_get_scanoutpos(const struct dc_stream_state *stream,
+ for (i = 0; i < MAX_PIPES; i++) {
+ struct timing_generator *tg = res_ctx->pipe_ctx[i].stream_res.tg;
+
+- if (res_ctx->pipe_ctx[i].stream != stream)
++ if (res_ctx->pipe_ctx[i].stream != stream || !tg)
+ continue;
+
+ tg->funcs->get_scanoutpos(tg,
+--
+2.42.0
+
diff --git a/queue-5.10/drm-amd-fix-ubsan-array-index-out-of-bounds-for-pola.patch b/queue-5.10/drm-amd-fix-ubsan-array-index-out-of-bounds-for-pola.patch
new file mode 100644
index 00000000000..7cfd5b4bc33
--- /dev/null
+++ b/queue-5.10/drm-amd-fix-ubsan-array-index-out-of-bounds-for-pola.patch
@@ -0,0 +1,81 @@ +From 79cb96a60c9be3512fbaab99e07df6042282ffac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 15:46:44 -0500 +Subject: drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga + +From: Mario Limonciello + +[ Upstream commit 0f0e59075b5c22f1e871fbd508d6e4f495048356 ] + +For pptable structs that use flexible array sizes, use flexible arrays. + +Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2036742 +Signed-off-by: Mario Limonciello +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h +index d5a4a08c6d392..0c61e2bc14cde 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h +@@ -164,7 +164,7 @@ typedef struct _ATOM_Tonga_State { + typedef struct _ATOM_Tonga_State_Array { + UCHAR ucRevId; + UCHAR ucNumEntries; /* Number of entries. */ +- ATOM_Tonga_State entries[1]; /* Dynamically allocate entries. */ ++ ATOM_Tonga_State entries[]; /* Dynamically allocate entries. */ + } ATOM_Tonga_State_Array; + + typedef struct _ATOM_Tonga_MCLK_Dependency_Record { +@@ -210,7 +210,7 @@ typedef struct _ATOM_Polaris_SCLK_Dependency_Record { + typedef struct _ATOM_Polaris_SCLK_Dependency_Table { + UCHAR ucRevId; + UCHAR ucNumEntries; /* Number of entries. */ +- ATOM_Polaris_SCLK_Dependency_Record entries[1]; /* Dynamically allocate entries. */ ++ ATOM_Polaris_SCLK_Dependency_Record entries[]; /* Dynamically allocate entries. */ + } ATOM_Polaris_SCLK_Dependency_Table; + + typedef struct _ATOM_Tonga_PCIE_Record { +@@ -222,7 +222,7 @@ typedef struct _ATOM_Tonga_PCIE_Record { + typedef struct _ATOM_Tonga_PCIE_Table { + UCHAR ucRevId; + UCHAR ucNumEntries; /* Number of entries. 
*/ +- ATOM_Tonga_PCIE_Record entries[1]; /* Dynamically allocate entries. */ ++ ATOM_Tonga_PCIE_Record entries[]; /* Dynamically allocate entries. */ + } ATOM_Tonga_PCIE_Table; + + typedef struct _ATOM_Polaris10_PCIE_Record { +@@ -235,7 +235,7 @@ typedef struct _ATOM_Polaris10_PCIE_Record { + typedef struct _ATOM_Polaris10_PCIE_Table { + UCHAR ucRevId; + UCHAR ucNumEntries; /* Number of entries. */ +- ATOM_Polaris10_PCIE_Record entries[1]; /* Dynamically allocate entries. */ ++ ATOM_Polaris10_PCIE_Record entries[]; /* Dynamically allocate entries. */ + } ATOM_Polaris10_PCIE_Table; + + +@@ -252,7 +252,7 @@ typedef struct _ATOM_Tonga_MM_Dependency_Record { + typedef struct _ATOM_Tonga_MM_Dependency_Table { + UCHAR ucRevId; + UCHAR ucNumEntries; /* Number of entries. */ +- ATOM_Tonga_MM_Dependency_Record entries[1]; /* Dynamically allocate entries. */ ++ ATOM_Tonga_MM_Dependency_Record entries[]; /* Dynamically allocate entries. */ + } ATOM_Tonga_MM_Dependency_Table; + + typedef struct _ATOM_Tonga_Voltage_Lookup_Record { +@@ -265,7 +265,7 @@ typedef struct _ATOM_Tonga_Voltage_Lookup_Record { + typedef struct _ATOM_Tonga_Voltage_Lookup_Table { + UCHAR ucRevId; + UCHAR ucNumEntries; /* Number of entries. */ +- ATOM_Tonga_Voltage_Lookup_Record entries[1]; /* Dynamically allocate entries. */ ++ ATOM_Tonga_Voltage_Lookup_Record entries[]; /* Dynamically allocate entries. */ + } ATOM_Tonga_Voltage_Lookup_Table; + + typedef struct _ATOM_Tonga_Fan_Table { +-- +2.42.0 + diff --git a/queue-5.10/drm-amd-fix-ubsan-array-index-out-of-bounds-for-smu7.patch b/queue-5.10/drm-amd-fix-ubsan-array-index-out-of-bounds-for-smu7.patch new file mode 100644 index 00000000000..7f26025f03e --- /dev/null +++ b/queue-5.10/drm-amd-fix-ubsan-array-index-out-of-bounds-for-smu7.patch 
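Review bot: Turning `entries[1]` into `entries[]` shrinks `sizeof` of each table struct by one record, so any size or bounds computation written as `sizeof(table) + (n - 1) * sizeof(record)` now comes out one record short. No user of these structs is visible in the hunks, so the code that parses `ATOM_Tonga_State_Array`, the `*_PCIE_Table`, `*_Dependency_Table` and `ATOM_Tonga_Voltage_Lookup_Table` types needs auditing alongside this header change; the same applies to the `pptable.h` and `pptable_v1_0.h` structs changed in the SMU7 patch that follows. Where a size is needed, `struct_size(table, entries, table->ucNumEntries)` states it without the off-by-one. The `/* Dynamically allocate entries. */` comments could also say that `ucNumEntries` is the element count that bounds `entries[]`.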
@@ -0,0 +1,69 @@ +From 46891e39cfc88d908102159ad0ba9dd16b734f05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 15:22:52 -0500 +Subject: drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 + +From: Mario Limonciello + +[ Upstream commit 760efbca74a405dc439a013a5efaa9fadc95a8c3 ] + +For pptable structs that use flexible array sizes, use flexible arrays. + +Suggested-by: Felix Held +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2874 +Signed-off-by: Mario Limonciello +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/include/pptable.h | 4 ++-- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/include/pptable.h b/drivers/gpu/drm/amd/include/pptable.h +index 0b6a057e0a4c4..5aac8d545bdc6 100644 +--- a/drivers/gpu/drm/amd/include/pptable.h ++++ b/drivers/gpu/drm/amd/include/pptable.h +@@ -78,7 +78,7 @@ typedef struct _ATOM_PPLIB_THERMALCONTROLLER + typedef struct _ATOM_PPLIB_STATE + { + UCHAR ucNonClockStateIndex; +- UCHAR ucClockStateIndices[1]; // variable-sized ++ UCHAR ucClockStateIndices[]; // variable-sized + } ATOM_PPLIB_STATE; + + +@@ -473,7 +473,7 @@ typedef struct _ATOM_PPLIB_STATE_V2 + /** + * Driver will read the first ucNumDPMLevels in this array + */ +- UCHAR clockInfoIndex[1]; ++ UCHAR clockInfoIndex[]; + } ATOM_PPLIB_STATE_V2; + + typedef struct _StateArray{ +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h +index 1e870f58dd12a..d5a4a08c6d392 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h +@@ -179,7 +179,7 @@ typedef struct _ATOM_Tonga_MCLK_Dependency_Record { + typedef struct _ATOM_Tonga_MCLK_Dependency_Table { + UCHAR ucRevId; + UCHAR ucNumEntries; /* Number of entries. 
*/ +- ATOM_Tonga_MCLK_Dependency_Record entries[1]; /* Dynamically allocate entries. */ ++ ATOM_Tonga_MCLK_Dependency_Record entries[]; /* Dynamically allocate entries. */ + } ATOM_Tonga_MCLK_Dependency_Table; + + typedef struct _ATOM_Tonga_SCLK_Dependency_Record { +@@ -194,7 +194,7 @@ typedef struct _ATOM_Tonga_SCLK_Dependency_Record { + typedef struct _ATOM_Tonga_SCLK_Dependency_Table { + UCHAR ucRevId; + UCHAR ucNumEntries; /* Number of entries. */ +- ATOM_Tonga_SCLK_Dependency_Record entries[1]; /* Dynamically allocate entries. */ ++ ATOM_Tonga_SCLK_Dependency_Record entries[]; /* Dynamically allocate entries. */ + } ATOM_Tonga_SCLK_Dependency_Table; + + typedef struct _ATOM_Polaris_SCLK_Dependency_Record { +-- +2.42.0 + diff --git a/queue-5.10/drm-amdgpu-fix-a-null-pointer-access-when-the-smc_rr.patch b/queue-5.10/drm-amdgpu-fix-a-null-pointer-access-when-the-smc_rr.patch new file mode 100644 index 00000000000..ff5d9d1f7ae --- /dev/null +++ b/queue-5.10/drm-amdgpu-fix-a-null-pointer-access-when-the-smc_rr.patch 
@@ -0,0 +1,105 @@ +From 1af13d767fa851d7bc31c4991997c17e31e8b680 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 12:56:37 +0000 +Subject: drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is + NULL + +From: Qu Huang + +[ Upstream commit 5104fdf50d326db2c1a994f8b35dcd46e63ae4ad ] + +In certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log: + +1. Navigate to the directory: /sys/kernel/debug/dri/0 +2. Execute command: cat amdgpu_regs_smc +3. Exception Log:: +[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[4005007.702562] #PF: supervisor instruction fetch in kernel mode +[4005007.702567] #PF: error_code(0x0010) - not-present page +[4005007.702570] PGD 0 P4D 0 +[4005007.702576] Oops: 0010 [#1] SMP NOPTI +[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u +[4005007.702590] RIP: 0010:0x0 +[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. 
+[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206 +[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68 +[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000 +[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980 +[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000 +[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000 +[4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000 +[4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0 +[4005007.702633] Call Trace: +[4005007.702636] +[4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu] +[4005007.703002] full_proxy_read+0x5c/0x80 +[4005007.703011] vfs_read+0x9f/0x1a0 +[4005007.703019] ksys_read+0x67/0xe0 +[4005007.703023] __x64_sys_read+0x19/0x20 +[4005007.703028] do_syscall_64+0x5c/0xc0 +[4005007.703034] ? do_user_addr_fault+0x1e3/0x670 +[4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0 +[4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20 +[4005007.703052] ? irqentry_exit+0x19/0x30 +[4005007.703057] ? exc_page_fault+0x89/0x160 +[4005007.703062] ? 
asm_exc_page_fault+0x8/0x30 +[4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae +[4005007.703075] RIP: 0033:0x7f5e07672992 +[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24 +[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992 +[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003 +[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010 +[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000 +[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000 +[4005007.703105] +[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca +[4005007.703184] CR2: 0000000000000000 +[4005007.703188] ---[ end trace ac65a538d240da39 ]--- +[4005007.800865] RIP: 0010:0x0 +[4005007.800871] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. 
+[4005007.800874] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206 +[4005007.800878] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68 +[4005007.800881] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000 +[4005007.800883] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980 +[4005007.800886] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000 +[4005007.800888] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000 +[4005007.800891] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000 +[4005007.800895] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[4005007.800898] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0 + +Signed-off-by: Qu Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +index 00a190929b55c..48df32dd352ed 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +@@ -575,6 +575,9 @@ static ssize_t amdgpu_debugfs_regs_smc_read(struct file *f, char __user *buf, + ssize_t result = 0; + int r; + ++ if (!adev->smc_rreg) ++ return -EPERM; ++ + if (size & 0x3 || *pos & 0x3) + return -EINVAL; + +@@ -634,6 +637,9 @@ static ssize_t amdgpu_debugfs_regs_smc_write(struct file *f, const char __user * + ssize_t result = 0; + int r; + ++ if (!adev->smc_wreg) ++ return -EPERM; ++ + if (size & 0x3 || *pos & 0x3) + return -EINVAL; + +-- +2.42.0 + diff --git a/queue-5.10/drm-amdgpu-fix-potential-null-pointer-derefernce.patch b/queue-5.10/drm-amdgpu-fix-potential-null-pointer-derefernce.patch new file mode 100644 index 00000000000..3c8b919b0d8 --- /dev/null +++ b/queue-5.10/drm-amdgpu-fix-potential-null-pointer-derefernce.patch 
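Review bot: `-EPERM` in the new guards of `amdgpu_debugfs_regs_smc_read()` and `amdgpu_debugfs_regs_smc_write()` tells whoever reads the debugfs file that access was denied, while the condition is that the device has no SMC register accessor set. `return -EOPNOTSUPP;` would describe it accurately and keeps genuine permission failures distinguishable for tooling that reads these files. A one-line comment such as `/* no SMC register callback on this ASIC */` above each check would also help, since the reason is only in the commit message. Both functions continue outside the hunks.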
@@ -0,0 +1,37 @@
+From 79adf42cc80391e18368fbf4f6001dfec1d4a0a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 27 Sep 2023 16:22:29 +0800
+Subject: drm/amdgpu: Fix potential null pointer derefernce
+
+From: Stanley.Yang
+
+[ Upstream commit 80285ae1ec8717b597b20de38866c29d84d321a1 ]
+
+The amdgpu_ras_get_context may return NULL if device
+not support ras feature, so add check before using.
+
+Signed-off-by: Stanley.Yang
+Reviewed-by: Tao Zhou
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index f0db9724ca85e..a093f1b277244 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4530,7 +4530,8 @@ int amdgpu_device_gpu_recover(struct amdgpu_device *adev,
+ * Flush RAM to disk so that after reboot
+ * the user can read log and see why the system rebooted.
+ */
+- if (need_emergency_restart && amdgpu_ras_get_context(adev)->reboot) {
++ if (need_emergency_restart && amdgpu_ras_get_context(adev) &&
++ amdgpu_ras_get_context(adev)->reboot) {
+ DRM_WARN("Emergency reboot.");
+
+ ksys_sync_helper();
+--
+2.42.0
+
diff --git a/queue-5.10/drm-amdgpu-fix-software-pci_unplug-on-some-chips.patch b/queue-5.10/drm-amdgpu-fix-software-pci_unplug-on-some-chips.patch
new file mode 100644
index 00000000000..794ff4812cb
--- /dev/null
+++ b/queue-5.10/drm-amdgpu-fix-software-pci_unplug-on-some-chips.patch
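Review bot: The rewritten condition calls `amdgpu_ras_get_context(adev)` twice, once for the NULL test and once for the dereference, so the check and the use read the pointer separately; whether it can change between the two calls is not visible here, but a single read removes the question and shortens the line. Fetch it once with `struct amdgpu_ras *con = amdgpu_ras_get_context(adev);` and test `if (need_emergency_restart && con && con->reboot) {`. That matches the `con` local used for the same getter in the `amdgpu_ras.c` patch later in this queue. `amdgpu_device_gpu_recover()` starts outside the hunk, so the declaration would go with its other locals.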
@@ -0,0 +1,103 @@ +From ca57dee1f0da1641a9bdaded40601af4d253a457 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Oct 2023 19:31:48 -0400 +Subject: drm/amdgpu: fix software pci_unplug on some chips + +From: Vitaly Prosyak + +[ Upstream commit 4638e0c29a3f2294d5de0d052a4b8c9f33ccb957 ] + +When software 'pci unplug' using IGT is executed we got a sysfs directory +entry is NULL for differant ras blocks like hdp, umc, etc. +Before call 'sysfs_remove_file_from_group' and 'sysfs_remove_group' +check that 'sd' is not NULL. + +[ +0.000001] RIP: 0010:sysfs_remove_group+0x83/0x90 +[ +0.000002] Code: 31 c0 31 d2 31 f6 31 ff e9 9a a8 b4 00 4c 89 e7 e8 f2 a2 ff ff eb c2 49 8b 55 00 48 8b 33 48 c7 c7 80 65 94 82 e8 cd 82 bb ff <0f> 0b eb cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 +[ +0.000001] RSP: 0018:ffffc90002067c90 EFLAGS: 00010246 +[ +0.000002] RAX: 0000000000000000 RBX: ffffffff824ea180 RCX: 0000000000000000 +[ +0.000001] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ +0.000001] RBP: ffffc90002067ca8 R08: 0000000000000000 R09: 0000000000000000 +[ +0.000001] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +[ +0.000001] R13: ffff88810a395f48 R14: ffff888101aab0d0 R15: 0000000000000000 +[ +0.000001] FS: 00007f5ddaa43a00(0000) GS:ffff88841e800000(0000) knlGS:0000000000000000 +[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ +0.000001] CR2: 00007f8ffa61ba50 CR3: 0000000106432000 CR4: 0000000000350ef0 +[ +0.000001] Call Trace: +[ +0.000001] +[ +0.000001] ? show_regs+0x72/0x90 +[ +0.000002] ? sysfs_remove_group+0x83/0x90 +[ +0.000002] ? __warn+0x8d/0x160 +[ +0.000001] ? sysfs_remove_group+0x83/0x90 +[ +0.000001] ? report_bug+0x1bb/0x1d0 +[ +0.000003] ? handle_bug+0x46/0x90 +[ +0.000001] ? exc_invalid_op+0x19/0x80 +[ +0.000002] ? asm_exc_invalid_op+0x1b/0x20 +[ +0.000003] ? sysfs_remove_group+0x83/0x90 +[ +0.000001] dpm_sysfs_remove+0x61/0x70 +[ +0.000002] device_del+0xa3/0x3d0 +[ +0.000002] ? 
ktime_get_mono_fast_ns+0x46/0xb0 +[ +0.000002] device_unregister+0x18/0x70 +[ +0.000001] i2c_del_adapter+0x26d/0x330 +[ +0.000002] arcturus_i2c_control_fini+0x25/0x50 [amdgpu] +[ +0.000236] smu_sw_fini+0x38/0x260 [amdgpu] +[ +0.000241] amdgpu_device_fini_sw+0x116/0x670 [amdgpu] +[ +0.000186] ? mutex_lock+0x13/0x50 +[ +0.000003] amdgpu_driver_release_kms+0x16/0x40 [amdgpu] +[ +0.000192] drm_minor_release+0x4f/0x80 [drm] +[ +0.000025] drm_release+0xfe/0x150 [drm] +[ +0.000027] __fput+0x9f/0x290 +[ +0.000002] ____fput+0xe/0x20 +[ +0.000002] task_work_run+0x61/0xa0 +[ +0.000002] exit_to_user_mode_prepare+0x150/0x170 +[ +0.000002] syscall_exit_to_user_mode+0x2a/0x50 + +Cc: Hawking Zhang +Cc: Luben Tuikov +Cc: Alex Deucher +Cc: Christian Koenig +Signed-off-by: Vitaly Prosyak +Reviewed-by: Luben Tuikov +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c +index 3638f0e12a2b8..a8f1c4969fac7 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c +@@ -1031,7 +1031,8 @@ static void amdgpu_ras_sysfs_remove_bad_page_node(struct amdgpu_device *adev) + { + struct amdgpu_ras *con = amdgpu_ras_get_context(adev); + +- sysfs_remove_file_from_group(&adev->dev->kobj, ++ if (adev->dev->kobj.sd) ++ sysfs_remove_file_from_group(&adev->dev->kobj, + &con->badpages_attr.attr, + RAS_FS_NAME); + } +@@ -1048,7 +1049,8 @@ static int amdgpu_ras_sysfs_remove_feature_node(struct amdgpu_device *adev) + .attrs = attrs, + }; + +- sysfs_remove_group(&adev->dev->kobj, &group); ++ if (adev->dev->kobj.sd) ++ sysfs_remove_group(&adev->dev->kobj, &group); + + return 0; + } +@@ -1096,7 +1098,8 @@ int amdgpu_ras_sysfs_remove(struct amdgpu_device *adev, + if (!obj || !obj->attr_inuse) + return -EINVAL; + +- sysfs_remove_file_from_group(&adev->dev->kobj, ++ 
if (adev->dev->kobj.sd) ++ sysfs_remove_file_from_group(&adev->dev->kobj, + &obj->sysfs_attr.attr, + RAS_FS_NAME); + obj->attr_inuse = 0; +-- +2.42.0 + diff --git a/queue-5.10/drm-komeda-drop-all-currently-held-locks-if-deadlock.patch b/queue-5.10/drm-komeda-drop-all-currently-held-locks-if-deadlock.patch new file mode 100644 index 00000000000..70af83fafb0 --- /dev/null +++ b/queue-5.10/drm-komeda-drop-all-currently-held-locks-if-deadlock.patch 
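Review bot: In amdgpu_ras_sysfs_remove_bad_page_node the result of `amdgpu_ras_get_context(adev)` is still used as `&con->badpages_attr.attr` without a NULL test, and the new `adev->dev->kobj.sd` guard does not cover that. Another patch in this queue states that amdgpu_ras_get_context may return NULL when the device has no RAS support, so unless every caller already rules that out (not visible here) an early `if (!con) return;` is needed ahead of the sysfs call. The same `kobj.sd` test is now repeated at three call sites (also amdgpu_ras_sysfs_remove_feature_node and amdgpu_ras_sysfs_remove); a small static helper would keep them from drifting apart.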
@@ -0,0 +1,184 @@ +From 1e2d052287a066a9da30ac5aaffc030c9419bd70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 10:05:53 +0800 +Subject: drm/komeda: drop all currently held locks if deadlock happens + +From: baozhu.liu + +[ Upstream commit 19ecbe8325a2a7ffda5ff4790955b84eaccba49f ] + +If komeda_pipeline_unbound_components() returns -EDEADLK, +it means that a deadlock happened in the locking context. +Currently, komeda is not dealing with the deadlock properly,producing the +following output when CONFIG_DEBUG_WW_MUTEX_SLOWPATH is enabled: + + ------------[ cut here ]------------ +[ 26.103984] WARNING: CPU: 2 PID: 345 at drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c:1248 + komeda_release_unclaimed_resources+0x13c/0x170 +[ 26.117453] Modules linked in: +[ 26.120511] CPU: 2 PID: 345 Comm: composer@2.1-se Kdump: loaded Tainted: G W 5.10.110-SE-SDK1.8-dirty #16 +[ 26.131374] Hardware name: Siengine Se1000 Evaluation board (DT) +[ 26.137379] pstate: 20400009 (nzCv daif +PAN -UAO -TCO BTYPE=--) +[ 26.143385] pc : komeda_release_unclaimed_resources+0x13c/0x170 +[ 26.149301] lr : komeda_release_unclaimed_resources+0xbc/0x170 +[ 26.155130] sp : ffff800017b8b8d0 +[ 26.158442] pmr_save: 000000e0 +[ 26.161493] x29: ffff800017b8b8d0 x28: ffff000cf2f96200 +[ 26.166805] x27: ffff000c8f5a8800 x26: 0000000000000000 +[ 26.172116] x25: 0000000000000038 x24: ffff8000116a0140 +[ 26.177428] x23: 0000000000000038 x22: ffff000cf2f96200 +[ 26.182739] x21: ffff000cfc300300 x20: ffff000c8ab77080 +[ 26.188051] x19: 0000000000000003 x18: 0000000000000000 +[ 26.193362] x17: 0000000000000000 x16: 0000000000000000 +[ 26.198672] x15: b400e638f738ba38 x14: 0000000000000000 +[ 26.203983] x13: 0000000106400a00 x12: 0000000000000000 +[ 26.209294] x11: 0000000000000000 x10: 0000000000000000 +[ 26.214604] x9 : ffff800012f80000 x8 : ffff000ca3308000 +[ 26.219915] x7 : 0000000ff3000000 x6 : ffff80001084034c +[ 26.225226] x5 : ffff800017b8bc40 x4 : 000000000000000f +[ 
26.230536] x3 : ffff000ca3308000 x2 : 0000000000000000 +[ 26.235847] x1 : 0000000000000000 x0 : ffffffffffffffdd +[ 26.241158] Call trace: +[ 26.243604] komeda_release_unclaimed_resources+0x13c/0x170 +[ 26.249175] komeda_crtc_atomic_check+0x68/0xf0 +[ 26.253706] drm_atomic_helper_check_planes+0x138/0x1f4 +[ 26.258929] komeda_kms_check+0x284/0x36c +[ 26.262939] drm_atomic_check_only+0x40c/0x714 +[ 26.267381] drm_atomic_nonblocking_commit+0x1c/0x60 +[ 26.272344] drm_mode_atomic_ioctl+0xa3c/0xb8c +[ 26.276787] drm_ioctl_kernel+0xc4/0x120 +[ 26.280708] drm_ioctl+0x268/0x534 +[ 26.284109] __arm64_sys_ioctl+0xa8/0xf0 +[ 26.288030] el0_svc_common.constprop.0+0x80/0x240 +[ 26.292817] do_el0_svc+0x24/0x90 +[ 26.296132] el0_svc+0x20/0x30 +[ 26.299185] el0_sync_handler+0xe8/0xf0 +[ 26.303018] el0_sync+0x1a4/0x1c0 +[ 26.306330] irq event stamp: 0 +[ 26.309384] hardirqs last enabled at (0): [<0000000000000000>] 0x0 +[ 26.315650] hardirqs last disabled at (0): [] copy_process+0x5d0/0x183c +[ 26.323825] softirqs last enabled at (0): [] copy_process+0x5d0/0x183c +[ 26.331997] softirqs last disabled at (0): [<0000000000000000>] 0x0 +[ 26.338261] ---[ end trace 20ae984fa860184a ]--- +[ 26.343021] ------------[ cut here ]------------ +[ 26.347646] WARNING: CPU: 3 PID: 345 at drivers/gpu/drm/drm_modeset_lock.c:228 drm_modeset_drop_locks+0x84/0x90 +[ 26.357727] Modules linked in: +[ 26.360783] CPU: 3 PID: 345 Comm: composer@2.1-se Kdump: loaded Tainted: G W 5.10.110-SE-SDK1.8-dirty #16 +[ 26.371645] Hardware name: Siengine Se1000 Evaluation board (DT) +[ 26.377647] pstate: 20400009 (nzCv daif +PAN -UAO -TCO BTYPE=--) +[ 26.383649] pc : drm_modeset_drop_locks+0x84/0x90 +[ 26.388351] lr : drm_mode_atomic_ioctl+0x860/0xb8c +[ 26.393137] sp : ffff800017b8bb10 +[ 26.396447] pmr_save: 000000e0 +[ 26.399497] x29: ffff800017b8bb10 x28: 0000000000000001 +[ 26.404807] x27: 0000000000000038 x26: 0000000000000002 +[ 26.410115] x25: ffff000cecbefa00 x24: ffff000cf2f96200 +[ 26.415423] x23: 
0000000000000001 x22: 0000000000000018 +[ 26.420731] x21: 0000000000000001 x20: ffff800017b8bc10 +[ 26.426039] x19: 0000000000000000 x18: 0000000000000000 +[ 26.431347] x17: 0000000002e8bf2c x16: 0000000002e94c6b +[ 26.436655] x15: 0000000002ea48b9 x14: ffff8000121f0300 +[ 26.441963] x13: 0000000002ee2ca8 x12: ffff80001129cae0 +[ 26.447272] x11: ffff800012435000 x10: ffff000ed46b5e88 +[ 26.452580] x9 : ffff000c9935e600 x8 : 0000000000000000 +[ 26.457888] x7 : 000000008020001e x6 : 000000008020001f +[ 26.463196] x5 : ffff80001085fbe0 x4 : fffffe0033a59f20 +[ 26.468504] x3 : 000000008020001e x2 : 0000000000000000 +[ 26.473813] x1 : 0000000000000000 x0 : ffff000c8f596090 +[ 26.479122] Call trace: +[ 26.481566] drm_modeset_drop_locks+0x84/0x90 +[ 26.485918] drm_mode_atomic_ioctl+0x860/0xb8c +[ 26.490359] drm_ioctl_kernel+0xc4/0x120 +[ 26.494278] drm_ioctl+0x268/0x534 +[ 26.497677] __arm64_sys_ioctl+0xa8/0xf0 +[ 26.501598] el0_svc_common.constprop.0+0x80/0x240 +[ 26.506384] do_el0_svc+0x24/0x90 +[ 26.509697] el0_svc+0x20/0x30 +[ 26.512748] el0_sync_handler+0xe8/0xf0 +[ 26.516580] el0_sync+0x1a4/0x1c0 +[ 26.519891] irq event stamp: 0 +[ 26.522943] hardirqs last enabled at (0): [<0000000000000000>] 0x0 +[ 26.529207] hardirqs last disabled at (0): [] copy_process+0x5d0/0x183c +[ 26.537379] softirqs last enabled at (0): [] copy_process+0x5d0/0x183c +[ 26.545550] softirqs last disabled at (0): [<0000000000000000>] 0x0 +[ 26.551812] ---[ end trace 20ae984fa860184b ]--- + +According to the call trace information,it can be located to be +WARN_ON(IS_ERR(c_st)) in the komeda_pipeline_unbound_components function; +Then follow the function. 
+komeda_pipeline_unbound_components +-> komeda_component_get_state_and_set_user + -> komeda_pipeline_get_state_and_set_crtc + -> komeda_pipeline_get_state + ->drm_atomic_get_private_obj_state + -> drm_atomic_get_private_obj_state + -> drm_modeset_lock + +komeda_pipeline_unbound_components +-> komeda_component_get_state_and_set_user + -> komeda_component_get_state + -> drm_atomic_get_private_obj_state + -> drm_modeset_lock + +ret = drm_modeset_lock(&obj->lock, state->acquire_ctx); if (ret) + return ERR_PTR(ret); +Here it return -EDEADLK. + +deal with the deadlock as suggested by [1], using the +function drm_modeset_backoff(). +[1] https://docs.kernel.org/gpu/drm-kms.html?highlight=kms#kms-locking + +Therefore, handling this problem can be solved +by adding return -EDEADLK back to the drm_modeset_backoff processing flow +in the drm_mode_atomic_ioctl function. + +Signed-off-by: baozhu.liu +Signed-off-by: menghui.huang +Reviewed-by: Liviu Dudau +Signed-off-by: Liviu Dudau +Link: https://patchwork.freedesktop.org/patch/msgid/20230804013117.6870-1-menghui.huang@siengine.com +Signed-off-by: Sasha Levin +--- + .../gpu/drm/arm/display/komeda/komeda_pipeline_state.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c b/drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c +index c3cdf283ecefa..1e922703e26b2 100644 +--- a/drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c ++++ b/drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c +@@ -1223,7 +1223,7 @@ int komeda_build_display_data_flow(struct komeda_crtc *kcrtc, + return 0; + } + +-static void ++static int + komeda_pipeline_unbound_components(struct komeda_pipeline *pipe, + struct komeda_pipeline_state *new) + { +@@ -1243,8 +1243,12 @@ komeda_pipeline_unbound_components(struct komeda_pipeline *pipe, + c = komeda_pipeline_get_component(pipe, id); + c_st = komeda_component_get_state_and_set_user(c, + drm_st, NULL, 
new->crtc); ++ if (PTR_ERR(c_st) == -EDEADLK) ++ return -EDEADLK; + WARN_ON(IS_ERR(c_st)); + } ++ ++ return 0; + } + + /* release unclaimed pipeline resource */ +@@ -1266,9 +1270,8 @@ int komeda_release_unclaimed_resources(struct komeda_pipeline *pipe, + if (WARN_ON(IS_ERR_OR_NULL(st))) + return -EINVAL; + +- komeda_pipeline_unbound_components(pipe, st); ++ return komeda_pipeline_unbound_components(pipe, st); + +- return 0; + } + + /* Since standalong disabled components must be disabled separately and in the +-- +2.42.0 + diff --git a/queue-5.10/drm-msm-dp-skip-validity-check-for-dp-cts-edid-check.patch b/queue-5.10/drm-msm-dp-skip-validity-check-for-dp-cts-edid-check.patch new file mode 100644 index 00000000000..17e1a8d400b --- /dev/null +++ b/queue-5.10/drm-msm-dp-skip-validity-check-for-dp-cts-edid-check.patch 
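Review bot: In komeda_pipeline_unbound_components only -EDEADLK is returned; any other error in `c_st` still falls through to `WARN_ON(IS_ERR(c_st))`, execution continues, and the function ends with `return 0`, so komeda_release_unclaimed_resources reports success for a failed state lookup. Now that the helper returns int, `if (IS_ERR(c_st)) return PTR_ERR(c_st);` would propagate every failure, with the WARN_ON kept for codes other than -EDEADLK if the warning is still wanted. The new `PTR_ERR(c_st) == -EDEADLK` test also applies PTR_ERR to what is normally a valid pointer; testing `IS_ERR()` first is the usual form. The enclosing block's header is outside the hunk.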
@@ -0,0 +1,79 @@ +From 95051539d74b6dc42e2b3e1283e4648932fded98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:20:34 +0300 +Subject: drm/msm/dp: skip validity check for DP CTS EDID checksum + +From: Jani Nikula + +[ Upstream commit a251c9d8e30833b260101edb9383b176ee2b7cb1 ] + +The DP CTS test for EDID last block checksum expects the checksum for +the last block, invalid or not. Skip the validity check. + +For the most part (*), the EDIDs returned by drm_get_edid() will be +valid anyway, and there's the CTS workaround to get the checksum for +completely invalid EDIDs. See commit 7948fe12d47a ("drm/msm/dp: return +correct edid checksum after corrupted edid checksum read"). + +This lets us remove one user of drm_edid_block_valid() with hopes the +function can be removed altogether in the future. + +(*) drm_get_edid() ignores checksum errors on CTA extensions. + +Cc: Abhinav Kumar +Cc: Dmitry Baryshkov +Cc: Kuogee Hsieh +Cc: Marijn Suijten +Cc: Rob Clark +Cc: Sean Paul +Cc: Stephen Boyd +Cc: linux-arm-msm@vger.kernel.org +Cc: freedreno@lists.freedesktop.org +Signed-off-by: Jani Nikula +Reviewed-by: Stephen Boyd +Reviewed-by: Abhinav Kumar +Reviewed-by: Kuogee Hsieh +Patchwork: https://patchwork.freedesktop.org/patch/555361/ +Link: https://lore.kernel.org/r/20230901142034.580802-1-jani.nikula@intel.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_panel.c | 21 ++------------------- + 1 file changed, 2 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_panel.c b/drivers/gpu/drm/msm/dp/dp_panel.c +index 4e8a19114e87d..93a2ee0f772fc 100644 +--- a/drivers/gpu/drm/msm/dp/dp_panel.c ++++ b/drivers/gpu/drm/msm/dp/dp_panel.c +@@ -264,26 +264,9 @@ int dp_panel_get_modes(struct dp_panel *dp_panel, + + static u8 dp_panel_get_edid_checksum(struct edid *edid) + { +- struct edid *last_block; +- u8 *raw_edid; +- bool is_edid_corrupt = false; ++ edid += edid->extensions; + +- if (!edid) { +- 
DRM_ERROR("invalid edid input\n"); +- return 0; +- } +- +- raw_edid = (u8 *)edid; +- raw_edid += (edid->extensions * EDID_LENGTH); +- last_block = (struct edid *)raw_edid; +- +- /* block type extension */ +- drm_edid_block_valid(raw_edid, 1, false, &is_edid_corrupt); +- if (!is_edid_corrupt) +- return last_block->checksum; +- +- DRM_ERROR("Invalid block, no checksum\n"); +- return 0; ++ return edid->checksum; + } + + void dp_panel_handle_sink_request(struct dp_panel *dp_panel) +-- +2.42.0 + diff --git a/queue-5.10/drm-panel-fix-a-possible-null-pointer-dereference.patch b/queue-5.10/drm-panel-fix-a-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..d5ed00ca0bd --- /dev/null +++ b/queue-5.10/drm-panel-fix-a-possible-null-pointer-dereference.patch 
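Review bot: dp_panel_get_edid_checksum now dereferences `edid` unconditionally and advances it by `edid->extensions` blocks, where the old body rejected a NULL pointer first. The extension count comes from the sink's EDID, so the helper relies on its caller passing a non-NULL buffer that really holds extensions + 1 blocks; that caller is outside the hunk and should be checked. If the guarantee holds, state it above the function, e.g. `/* edid must be non-NULL and hold edid->extensions + 1 blocks, as returned by drm_get_edid() */`.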
@@ -0,0 +1,39 @@
+From 1aae9759979e86d222a5e00b1b9f89008a47a023 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 7 Oct 2023 11:31:05 +0800
+Subject: drm/panel: fix a possible null pointer dereference
+
+From: Ma Ke
+
+[ Upstream commit 924e5814d1f84e6fa5cb19c6eceb69f066225229 ]
+
+In versatile_panel_get_modes(), the return value of drm_mode_duplicate()
+is assigned to mode, which will lead to a NULL pointer dereference
+on failure of drm_mode_duplicate(). Add a check to avoid npd.
+
+Signed-off-by: Ma Ke
+Reviewed-by: Neil Armstrong
+Link: https://lore.kernel.org/r/20231007033105.3997998-1-make_ruc2021@163.com
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20231007033105.3997998-1-make_ruc2021@163.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panel/panel-arm-versatile.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-arm-versatile.c b/drivers/gpu/drm/panel/panel-arm-versatile.c
+index abb0788843c60..503ecea72c5ea 100644
+--- a/drivers/gpu/drm/panel/panel-arm-versatile.c
++++ b/drivers/gpu/drm/panel/panel-arm-versatile.c
+@@ -267,6 +267,8 @@ static int versatile_panel_get_modes(struct drm_panel *panel,
+ connector->display_info.bus_flags = vpanel->panel_type->bus_flags;
+
+ mode = drm_mode_duplicate(connector->dev, &vpanel->panel_type->mode);
++ if (!mode)
++ return -ENOMEM;
+ drm_mode_set_name(mode);
+ mode->type = DRM_MODE_TYPE_DRIVER | DRM_MODE_TYPE_PREFERRED;
+
+--
+2.42.0
+
diff --git a/queue-5.10/drm-panel-panel-tpo-tpg110-fix-a-possible-null-point.patch b/queue-5.10/drm-panel-panel-tpo-tpg110-fix-a-possible-null-point.patch
new file mode 100644
index 00000000000..26f32ed1d84
--- /dev/null
+++ b/queue-5.10/drm-panel-panel-tpo-tpg110-fix-a-possible-null-point.patch
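Review bot: The new `return -ENOMEM;` in versatile_panel_get_modes hands a negative errno to whatever consumes the get_modes result, and panel get_modes callbacks normally report the number of modes added. The callers are outside the hunk, so it should be confirmed that they treat a negative value as a failure and not as a count; if they do not, `return 0;` (no modes) is the safer result. The same applies to the identical check added to tpg110_get_modes in the panel-tpo-tpg110 patch that follows. Both function bodies extend beyond their hunks.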
@@ -0,0 +1,39 @@
+From f1f0e61488acffd263959213bc5a008180fa9de4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Oct 2023 17:04:46 +0800
+Subject: drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference
+
+From: Ma Ke
+
+[ Upstream commit f22def5970c423ea7f87d5247bd0ef91416b0658 ]
+
+In tpg110_get_modes(), the return value of drm_mode_duplicate() is
+assigned to mode, which will lead to a NULL pointer dereference on
+failure of drm_mode_duplicate(). Add a check to avoid npd.
+
+Signed-off-by: Ma Ke
+Reviewed-by: Neil Armstrong
+Link: https://lore.kernel.org/r/20231009090446.4043798-1-make_ruc2021@163.com
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20231009090446.4043798-1-make_ruc2021@163.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panel/panel-tpo-tpg110.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-tpo-tpg110.c b/drivers/gpu/drm/panel/panel-tpo-tpg110.c
+index d57ed75a977c3..494cec50a682b 100644
+--- a/drivers/gpu/drm/panel/panel-tpo-tpg110.c
++++ b/drivers/gpu/drm/panel/panel-tpo-tpg110.c
+@@ -378,6 +378,8 @@ static int tpg110_get_modes(struct drm_panel *panel,
+ connector->display_info.bus_flags = tpg->panel_mode->bus_flags;
+
+ mode = drm_mode_duplicate(connector->dev, &tpg->panel_mode->mode);
++ if (!mode)
++ return -ENOMEM;
+ drm_mode_set_name(mode);
+ mode->type = DRM_MODE_TYPE_DRIVER | DRM_MODE_TYPE_PREFERRED;
+
+--
+2.42.0
+
diff --git a/queue-5.10/drm-panel-st7703-pick-different-reset-sequence.patch b/queue-5.10/drm-panel-st7703-pick-different-reset-sequence.patch
new file mode 100644
index 00000000000..68e7a2a59f4
--- /dev/null
+++ b/queue-5.10/drm-panel-st7703-pick-different-reset-sequence.patch
@@ -0,0 +1,86 @@ +From edb0eea1fc0d9cbad63cfc03c33a42d61c632b8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Feb 2023 18:17:48 +0100 +Subject: drm/panel: st7703: Pick different reset sequence +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ondrej Jirman + +[ Upstream commit d12d635bb03c7cb4830acb641eb176ee9ff2aa89 ] + +Switching to a different reset sequence, enabling IOVCC before enabling +VCC. + +There also needs to be a delay after enabling the supplies and before +deasserting the reset. The datasheet specifies 1ms after the supplies +reach the required voltage. Use 10-20ms to also give the power supplies +some time to reach the required voltage, too. + +This fixes intermittent panel initialization failures and screen +corruption during resume from sleep on panel xingbangda,xbd599 (e.g. +used in PinePhone). + +Signed-off-by: Ondrej Jirman +Signed-off-by: Frank Oltmanns +Reported-by: Samuel Holland +Reviewed-by: Guido Günther +Tested-by: Guido Günther +Signed-off-by: Guido Günther +Link: https://patchwork.freedesktop.org/patch/msgid/20230211171748.36692-2-frank@oltmanns.dev +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-sitronix-st7703.c | 25 ++++++++++--------- + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-sitronix-st7703.c b/drivers/gpu/drm/panel/panel-sitronix-st7703.c +index c22e7c49e0778..67e1da0a7db53 100644 +--- a/drivers/gpu/drm/panel/panel-sitronix-st7703.c ++++ b/drivers/gpu/drm/panel/panel-sitronix-st7703.c +@@ -428,29 +428,30 @@ static int st7703_prepare(struct drm_panel *panel) + return 0; + + dev_dbg(ctx->dev, "Resetting the panel\n"); +- ret = regulator_enable(ctx->vcc); ++ gpiod_set_value_cansleep(ctx->reset_gpio, 1); ++ ++ ret = regulator_enable(ctx->iovcc); + if (ret < 0) { +- dev_err(ctx->dev, "Failed to enable vcc supply: %d\n", ret); ++ dev_err(ctx->dev, "Failed to enable iovcc supply: %d\n", ret); + return 
ret; + } +- ret = regulator_enable(ctx->iovcc); ++ ++ ret = regulator_enable(ctx->vcc); + if (ret < 0) { +- dev_err(ctx->dev, "Failed to enable iovcc supply: %d\n", ret); +- goto disable_vcc; ++ dev_err(ctx->dev, "Failed to enable vcc supply: %d\n", ret); ++ regulator_disable(ctx->iovcc); ++ return ret; + } + +- gpiod_set_value_cansleep(ctx->reset_gpio, 1); +- usleep_range(20, 40); ++ /* Give power supplies time to stabilize before deasserting reset. */ ++ usleep_range(10000, 20000); ++ + gpiod_set_value_cansleep(ctx->reset_gpio, 0); +- msleep(20); ++ usleep_range(15000, 20000); + + ctx->prepared = true; + + return 0; +- +-disable_vcc: +- regulator_disable(ctx->vcc); +- return ret; + } + + static int st7703_get_modes(struct drm_panel *panel, +-- +2.42.0 + diff --git a/queue-5.10/exfat-support-handle-zero-size-directory.patch b/queue-5.10/exfat-support-handle-zero-size-directory.patch new file mode 100644 index 00000000000..fd3837bdcbb --- /dev/null +++ b/queue-5.10/exfat-support-handle-zero-size-directory.patch 
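Review bot: The delay after deasserting reset changes from `msleep(20)` to `usleep_range(15000, 20000)`, which lowers the minimum wait to 15 ms, and neither the commit message nor the code says why; only the delay before deassertion is explained. A one-line comment above that call naming the datasheet timing the 15 ms bound satisfies would document it. `reset_gpio` is also now asserted before the regulators are enabled and stays asserted on both `return ret` paths, which looks intended but deserves a mention in the same comment. st7703_prepare starts outside the hunk.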
@@ -0,0 +1,103 @@ +From 4320dba42a93ebabda7d036baa5c5e94d7ed6c04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 14:23:08 +0800 +Subject: exfat: support handle zero-size directory + +From: Yuezhang Mo + +[ Upstream commit dab48b8f2fe7264d51ec9eed0adea0fe3c78830a ] + +After repairing a corrupted file system with exfatprogs' fsck.exfat, +zero-size directories may result. It is also possible to create +zero-size directories in other exFAT implementation, such as Paragon +ufsd dirver. + +As described in the specification, the lower directory size limits +is 0 bytes. + +Without this commit, sub-directories and files cannot be created +under a zero-size directory, and it cannot be removed. + +Signed-off-by: Yuezhang Mo +Reviewed-by: Andy Wu +Reviewed-by: Aoyama Wataru +Signed-off-by: Namjae Jeon +Signed-off-by: Sasha Levin +--- + fs/exfat/namei.c | 29 ++++++++++++++++++++++------- + 1 file changed, 22 insertions(+), 7 deletions(-) + +diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c +index bd00afc5e4c16..d62d961e278d9 100644 +--- a/fs/exfat/namei.c ++++ b/fs/exfat/namei.c +@@ -330,14 +330,20 @@ static int exfat_find_empty_entry(struct inode *inode, + if (exfat_check_max_dentries(inode)) + return -ENOSPC; + +- /* we trust p_dir->size regardless of FAT type */ +- if (exfat_find_last_cluster(sb, p_dir, &last_clu)) +- return -EIO; +- + /* + * Allocate new cluster to this directory + */ +- exfat_chain_set(&clu, last_clu + 1, 0, p_dir->flags); ++ if (ei->start_clu != EXFAT_EOF_CLUSTER) { ++ /* we trust p_dir->size regardless of FAT type */ ++ if (exfat_find_last_cluster(sb, p_dir, &last_clu)) ++ return -EIO; ++ ++ exfat_chain_set(&clu, last_clu + 1, 0, p_dir->flags); ++ } else { ++ /* This directory is empty */ ++ exfat_chain_set(&clu, EXFAT_EOF_CLUSTER, 0, ++ ALLOC_NO_FAT_CHAIN); ++ } + + /* allocate a cluster */ + ret = exfat_alloc_cluster(inode, 1, &clu); +@@ -347,6 +353,11 @@ static int exfat_find_empty_entry(struct inode *inode, + if 
(exfat_zeroed_cluster(inode, clu.dir)) + return -EIO; + ++ if (ei->start_clu == EXFAT_EOF_CLUSTER) { ++ ei->start_clu = clu.dir; ++ p_dir->dir = clu.dir; ++ } ++ + /* append to the FAT chain */ + if (clu.flags != p_dir->flags) { + /* no-fat-chain bit is disabled, +@@ -644,7 +655,7 @@ static int exfat_find(struct inode *dir, struct qstr *qname, + info->type = exfat_get_entry_type(ep); + info->attr = le16_to_cpu(ep->dentry.file.attr); + info->size = le64_to_cpu(ep2->dentry.stream.valid_size); +- if ((info->type == TYPE_FILE) && (info->size == 0)) { ++ if (info->size == 0) { + info->flags = ALLOC_NO_FAT_CHAIN; + info->start_clu = EXFAT_EOF_CLUSTER; + } else { +@@ -890,6 +901,9 @@ static int exfat_check_dir_empty(struct super_block *sb, + + dentries_per_clu = sbi->dentries_per_clu; + ++ if (p_dir->dir == EXFAT_EOF_CLUSTER) ++ return 0; ++ + exfat_chain_dup(&clu, p_dir); + + while (clu.dir != EXFAT_EOF_CLUSTER) { +@@ -1296,7 +1310,8 @@ static int __exfat_rename(struct inode *old_parent_inode, + } + + /* Free the clusters if new_inode is a dir(as if exfat_rmdir) */ +- if (new_entry_type == TYPE_DIR) { ++ if (new_entry_type == TYPE_DIR && ++ new_ei->start_clu != EXFAT_EOF_CLUSTER) { + /* new_ei, new_clu_to_free */ + struct exfat_chain new_clu_to_free; + +-- +2.42.0 + diff --git a/queue-5.10/fs-jfs-add-check-for-negative-db_l2nbperpage.patch b/queue-5.10/fs-jfs-add-check-for-negative-db_l2nbperpage.patch new file mode 100644 index 00000000000..4deb266143a --- /dev/null +++ b/queue-5.10/fs-jfs-add-check-for-negative-db_l2nbperpage.patch 
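Review bot: In exfat_find_empty_entry `last_clu` is now assigned only in the `ei->start_clu != EXFAT_EOF_CLUSTER` branch, so on the empty-directory path it keeps whatever value it had at declaration. The declaration and the rest of the FAT-chain append code are outside the hunk; if `last_clu` has no initialiser and is read after the `clu.flags != p_dir->flags` block, that read uses an indeterminate cluster number on a path reachable from on-disk data. Setting `last_clu = EXFAT_EOF_CLUSTER;` in the `else` branch would make any such use deterministic.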
@@ -0,0 +1,46 @@
+From 2935a2323a60f7c4a9b3235db72105910570f175 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 2 Oct 2023 17:56:58 +0800
+Subject: fs/jfs: Add check for negative db_l2nbperpage
+
+From: Juntong Deng
+
+[ Upstream commit 525b861a008143048535011f3816d407940f4bfa ]
+
+l2nbperpage is log2(number of blks per page), and the minimum legal
+value should be 0, not negative.
+
+In the case of l2nbperpage being negative, an error will occur
+when subsequently used as shift exponent.
+
+Syzbot reported this bug:
+
+UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12
+shift exponent -16777216 is negative
+
+Reported-by: syzbot+debee9ab7ae2b34b0307@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=debee9ab7ae2b34b0307
+Signed-off-by: Juntong Deng
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_dmap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index a9c078fc2302a..06dda2c7a6e24 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -180,7 +180,8 @@ int dbMount(struct inode *ipbmap)
+ bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
+
+ bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
+- if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) {
++ if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE ||
++ bmp->db_l2nbperpage < 0) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
+--
+2.42.0
+
diff --git a/queue-5.10/fs-jfs-add-validity-check-for-db_maxag-and-db_agpref.patch b/queue-5.10/fs-jfs-add-validity-check-for-db_maxag-and-db_agpref.patch
new file mode 100644
index 00000000000..5912caf63b6
--- /dev/null
+++ b/queue-5.10/fs-jfs-add-validity-check-for-db_maxag-and-db_agpref.patch
@@ -0,0 +1,50 @@
+From d83f082808cdcd5b880dd303dfe906d1cb260743 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Oct 2023 02:06:41 +0800
+Subject: fs/jfs: Add validity check for db_maxag and db_agpref
+
+From: Juntong Deng
+
+[ Upstream commit 64933ab7b04881c6c18b21ff206c12278341c72e ]
+
+Both db_maxag and db_agpref are used as the index of the
+db_agfree array, but there is currently no validity check for
+db_maxag and db_agpref, which can lead to errors.
+
+The following is related bug reported by Syzbot:
+
+UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20
+index 7936 is out of range for type 'atomic_t[128]'
+
+Add checking that the values of db_maxag and db_agpref are valid
+indexes for the db_agfree array.
+
+Reported-by: syzbot+38e876a8aa44b7115c76@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=38e876a8aa44b7115c76
+Signed-off-by: Juntong Deng
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_dmap.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 06dda2c7a6e24..2ccb52371ceb5 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -195,6 +195,12 @@ int dbMount(struct inode *ipbmap)
+ bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
+ bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
+ bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
++ if (bmp->db_maxag >= MAXAG || bmp->db_maxag < 0 ||
++ bmp->db_agpref >= MAXAG || bmp->db_agpref < 0) {
++ err = -EINVAL;
++ goto err_release_metapage;
++ }
++
+ bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
+ bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
+ bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
+--
+2.42.0
+
diff --git a/queue-5.10/gfs2-fix-an-oops-in-gfs2_permission.patch b/queue-5.10/gfs2-fix-an-oops-in-gfs2_permission.patch
new file mode 100644
index 00000000000..119ffaa7b60
--- /dev/null
+++ b/queue-5.10/gfs2-fix-an-oops-in-gfs2_permission.patch
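Review bot: The added range check in dbMount covers db_maxag and db_agpref, but db_maxlevel just above and db_aglevel, db_agheight and db_agwidth just below are still copied from the on-disk dbmap with `le32_to_cpu()` and no validation in the visible lines. These values come from the mounted image like the two fields fixed here, so any of them that is later used as an index or shift count needs the same treatment; dbMount continues outside the hunk, so checks further down cannot be ruled out. The `< 0` tests here, and the `bmp->db_l2nbperpage < 0` test in the preceding jfs patch, only have an effect if the in-memory fields are signed, which is worth a short comment such as `/* fields are signed; reject negative on-disk values */`.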
@@ -0,0 +1,67 @@ +From c8d845428ccacac24f95d20df84c20651cda4bdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Oct 2023 03:33:44 +0100 +Subject: gfs2: fix an oops in gfs2_permission + +From: Al Viro + +[ Upstream commit 0abd1557e21c617bd13fc18f7725fc6363c05913 ] + +In RCU mode, we might race with gfs2_evict_inode(), which zeroes +->i_gl. Freeing of the object it points to is RCU-delayed, so +if we manage to fetch the pointer before it's been replaced with +NULL, we are fine. Check if we'd fetched NULL and treat that +as "bail out and tell the caller to get out of RCU mode". + +Signed-off-by: Al Viro +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/inode.c | 11 +++++++++-- + fs/gfs2/super.c | 2 +- + 2 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c +index 74a6b0800e059..963dc72e7155f 100644 +--- a/fs/gfs2/inode.c ++++ b/fs/gfs2/inode.c +@@ -1837,14 +1837,21 @@ int gfs2_permission(struct inode *inode, int mask) + { + struct gfs2_inode *ip; + struct gfs2_holder i_gh; ++ struct gfs2_glock *gl; + int error; + + gfs2_holder_mark_uninitialized(&i_gh); + ip = GFS2_I(inode); +- if (gfs2_glock_is_locked_by_me(ip->i_gl) == NULL) { ++ gl = rcu_dereference(ip->i_gl); ++ if (unlikely(!gl)) { ++ /* inode is getting torn down, must be RCU mode */ ++ WARN_ON_ONCE(!(mask & MAY_NOT_BLOCK)); ++ return -ECHILD; ++ } ++ if (gfs2_glock_is_locked_by_me(gl) == NULL) { + if (mask & MAY_NOT_BLOCK) + return -ECHILD; +- error = gfs2_glock_nq_init(ip->i_gl, LM_ST_SHARED, LM_FLAG_ANY, &i_gh); ++ error = gfs2_glock_nq_init(gl, LM_ST_SHARED, LM_FLAG_ANY, &i_gh); + if (error) + return error; + } +diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c +index b61de8dab51a0..8cf4ef61cdc41 100644 +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -1471,7 +1471,7 @@ static void gfs2_evict_inode(struct inode *inode) + wait_on_bit_io(&ip->i_flags, GIF_GLOP_PENDING, TASK_UNINTERRUPTIBLE); + gfs2_glock_add_to_lru(ip->i_gl); + 
gfs2_glock_put_eventually(ip->i_gl); +- ip->i_gl = NULL; ++ rcu_assign_pointer(ip->i_gl, NULL); + } + } + +-- +2.42.0 + diff --git a/queue-5.10/gfs2-ignore-negated-quota-changes.patch b/queue-5.10/gfs2-ignore-negated-quota-changes.patch new file mode 100644 index 00000000000..5fe6c4a35e5 --- /dev/null +++ b/queue-5.10/gfs2-ignore-negated-quota-changes.patch 
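Review bot: `gl = rcu_dereference(ip->i_gl);` in gfs2_permission runs on every call, including the blocking case where `MAY_NOT_BLOCK` is clear and the caller is presumably not inside an RCU read-side section, which lockdep reports as suspicious RCU usage. `gl = rcu_dereference_check(ip->i_gl, !(mask & MAY_NOT_BLOCK));` states that the plain load is acceptable in the blocking case. The queue lists a follow-up file named gfs2-silence-suspicious-rcu-usage-in-gfs2_permission.patch whose content is not in view here; if it makes this change, the two patches should be applied together.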
@@ -0,0 +1,91 @@
+From 1d7eadb6379667a497108ac08bf4dcafb0ac5d20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Sep 2023 08:46:43 -0500
+Subject: gfs2: ignore negated quota changes
+
+From: Bob Peterson
+
+[ Upstream commit 4c6a08125f2249531ec01783a5f4317d7342add5 ]
+
+When lots of quota changes are made, there may be cases in which an
+inode's quota information is increased and then decreased, such as when
+blocks are added to a file, then deleted from it. If the timing is
+right, function do_qc can add pending quota changes to a transaction,
+then later, another call to do_qc can negate those changes, resulting
+in a net gain of 0. The quota_change information is recorded in the qc
+buffer (and qd element of the inode as well). The buffer is added to the
+transaction by the first call to do_qc, but a subsequent call changes
+the value from non-zero back to zero. At that point it's too late to
+remove the buffer_head from the transaction. Later, when the quota sync
+code is called, the zero-change qd element is discovered and flagged as
+an assert warning. If the fs is mounted with errors=panic, the kernel
+will panic.
+
+This is usually seen when files are truncated and the quota changes are
+negated by punch_hole/truncate which uses gfs2_quota_hold and
+gfs2_quota_unhold rather than block allocations that use gfs2_quota_lock
+and gfs2_quota_unlock which automatically do quota sync.
+
+This patch solves the problem by adding a check to qd_check_sync such
+that net-zero quota changes already added to the transaction are no
+longer deemed necessary to be synced, and skipped.
+
+In this case references are taken for the qd and the slot from do_qc
+so those need to be put. The normal sequence of events for a normal
+non-zero quota change is as follows:
+
+gfs2_quota_change
+ do_qc
+ qd_hold
+ slot_hold
+
+Later, when the changes are to be synced:
+
+gfs2_quota_sync
+ qd_fish
+ qd_check_sync
+ gets qd ref via lockref_get_not_dead
+ do_sync
+ do_qc(QC_SYNC)
+ qd_put
+ lockref_put_or_lock
+ qd_unlock
+ qd_put
+ lockref_put_or_lock
+
+In the net-zero change case, we add a check to qd_check_sync so it puts
+the qd and slot references acquired in gfs2_quota_change and skip the
+unneeded sync.
+
+Signed-off-by: Bob Peterson
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Sasha Levin
+---
+ fs/gfs2/quota.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
+index ad953ecb58532..8c226aa286336 100644
+--- a/fs/gfs2/quota.c
++++ b/fs/gfs2/quota.c
+@@ -431,6 +431,17 @@ static int qd_check_sync(struct gfs2_sbd *sdp, struct gfs2_quota_data *qd,
+ (sync_gen && (qd->qd_sync_gen >= *sync_gen)))
+ return 0;
+
++ /*
++ * If qd_change is 0 it means a pending quota change was negated.
++ * We should not sync it, but we still have a qd reference and slot
++ * reference taken by gfs2_quota_change -> do_qc that need to be put.
++ */
++ if (!qd->qd_change && test_and_clear_bit(QDF_CHANGE, &qd->qd_flags)) {
++ slot_put(qd);
++ qd_put(qd);
++ return 0;
++ }
++
+ if (!lockref_get_not_dead(&qd->qd_lockref))
+ return 0;
+
+--
+2.42.0
+
diff --git a/queue-5.10/gfs2-silence-suspicious-rcu-usage-in-gfs2_permission.patch b/queue-5.10/gfs2-silence-suspicious-rcu-usage-in-gfs2_permission.patch
new file mode 100644
index 00000000000..c92156b6d1c
--- /dev/null
+++ b/queue-5.10/gfs2-silence-suspicious-rcu-usage-in-gfs2_permission.patch
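Review bot: In qd_check_sync() the new early exit reads `qd->qd_change` and then clears QDF_CHANGE as two separate steps, and the hunk does not show which lock, if any, keeps do_qc from changing qd_change in between. If a concurrent do_qc can make the value non-zero after the test, the slot and qd references would be dropped while a change is pending. The added comment should name the lock callers hold, for example `/* caller holds <lock name>; qd_change cannot move under us */` with the real lock filled in. It is also worth confirming that `slot_put()` and `qd_put()` are safe in every context qd_check_sync() is called from; the callers and the rest of the function are outside the hunk.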
@@ -0,0 +1,59 @@
+From d78e2a5e9a1a6f9009954e11b70b7d566ba7f1f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 30 Oct 2023 22:06:05 +0100
+Subject: gfs2: Silence "suspicious RCU usage in gfs2_permission" warning
+
+From: Andreas Gruenbacher
+
+[ Upstream commit 074d7306a4fe22fcac0b53f699f92757ab1cee99 ]
+
+Commit 0abd1557e21c added rcu_dereference() for dereferencing ip->i_gl
+in gfs2_permission. This now causes lockdep to complain when
+gfs2_permission is called in non-RCU context:
+
+ WARNING: suspicious RCU usage in gfs2_permission
+
+Switch to rcu_dereference_check() and check for the MAY_NOT_BLOCK flag
+to shut up lockdep when we know that dereferencing ip->i_gl is safe.
+
+Fixes: 0abd1557e21c ("gfs2: fix an oops in gfs2_permission")
+Reported-by: syzbot+3e5130844b0c0e2b4948@syzkaller.appspotmail.com
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Sasha Levin
+---
+ fs/gfs2/inode.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
+index 963dc72e7155f..d75d56d9ea0ca 100644
+--- a/fs/gfs2/inode.c
++++ b/fs/gfs2/inode.c
+@@ -1835,6 +1835,7 @@ static const char *gfs2_get_link(struct dentry *dentry,
+
+ int gfs2_permission(struct inode *inode, int mask)
+ {
++ int may_not_block = mask & MAY_NOT_BLOCK;
+ struct gfs2_inode *ip;
+ struct gfs2_holder i_gh;
+ struct gfs2_glock *gl;
+@@ -1842,14 +1843,14 @@ int gfs2_permission(struct inode *inode, int mask)
+
+ gfs2_holder_mark_uninitialized(&i_gh);
+ ip = GFS2_I(inode);
+- gl = rcu_dereference(ip->i_gl);
++ gl = rcu_dereference_check(ip->i_gl, !may_not_block);
+ if (unlikely(!gl)) {
+ /* inode is getting torn down, must be RCU mode */
+- WARN_ON_ONCE(!(mask & MAY_NOT_BLOCK));
++ WARN_ON_ONCE(!may_not_block);
+ return -ECHILD;
+ }
+ if (gfs2_glock_is_locked_by_me(gl) == NULL) {
+- if (mask & MAY_NOT_BLOCK)
++ if (may_not_block)
+ return -ECHILD;
+ error = gfs2_glock_nq_init(gl, LM_ST_SHARED, LM_FLAG_ANY, &i_gh);
+ if (error)
+--
+2.42.0
+
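Review bot: `rcu_dereference_check(ip->i_gl, !may_not_block)` tells lockdep the access is safe whenever the caller is not in RCU mode, but nothing in gfs2_permission() says why that holds. A one-line comment above the call would keep the condition from being copied blindly, e.g. `/* non-RCU callers pin the inode, so ->i_gl cannot be cleared under us */` (my reading of the commit message; verify before adding). As a style point, `may_not_block` is only used as a truth value and could be declared `bool may_not_block = mask & MAY_NOT_BLOCK;`. The function body continues outside the hunk.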
diff --git a/queue-5.10/gpio-add-helpers-to-ease-the-transition-towards-immu.patch b/queue-5.10/gpio-add-helpers-to-ease-the-transition-towards-immu.patch
new file mode 100644
index 00000000000..948e651a55f
--- /dev/null
+++ b/queue-5.10/gpio-add-helpers-to-ease-the-transition-towards-immu.patch
@@ -0,0 +1,54 @@
+From 1eba62c924331931f0a4b3e6d59c433bd8131417 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Apr 2022 15:18:39 +0100
+Subject: gpio: Add helpers to ease the transition towards immutable irq_chip
+
+From: Marc Zyngier
+
+[ Upstream commit 36b78aae4bfee749bbde73be570796bfd0f56bec ]
+
+Add a couple of new helpers to make it slightly simpler to convert
+drivers to immutable irq_chip structures:
+
+- GPIOCHIP_IRQ_RESOURCE_HELPERS populates the irq_chip structure
+ with the resource management callbacks
+
+- gpio_irq_chip_set_chip() populates the gpio_irq_chip.chip
+ structure, avoiding the proliferation of ugly casts
+
+Reviewed-by: Andy Shevchenko
+Reviewed-by: Bartosz Golaszewski
+Signed-off-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20220419141846.598305-4-maz@kernel.org
+Stable-dep-of: dc3115e6c5d9 ("hid: cp2112: Fix IRQ shutdown stopping polling for all IRQs on chip")
+Signed-off-by: Sasha Levin
+---
+ include/linux/gpio/driver.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h
+index 38df53b541d53..897fc150552a2 100644
+--- a/include/linux/gpio/driver.h
++++ b/include/linux/gpio/driver.h
+@@ -595,6 +595,18 @@ void gpiochip_enable_irq(struct gpio_chip *gc, unsigned int offset);
+ int gpiochip_irq_reqres(struct irq_data *data);
+ void gpiochip_irq_relres(struct irq_data *data);
+
++/* Paste this in your irq_chip structure */
++#define GPIOCHIP_IRQ_RESOURCE_HELPERS \
++ .irq_request_resources = gpiochip_irq_reqres, \
++ .irq_release_resources = gpiochip_irq_relres
++
++static inline void gpio_irq_chip_set_chip(struct gpio_irq_chip *girq,
++ const struct irq_chip *chip)
++{
++ /* Yes, dropping const is ugly, but it isn't like we have a choice */
++ girq->chip = (struct irq_chip *)chip;
++}
++
+ /* Line status inquiry for drivers */
+ bool gpiochip_line_is_open_drain(struct gpio_chip *gc, unsigned int offset);
+ bool gpiochip_line_is_open_source(struct gpio_chip *gc, unsigned int offset);
+--
+2.42.0
+
diff --git a/queue-5.10/gpio-don-t-fiddle-with-irqchips-marked-as-immutable.patch b/queue-5.10/gpio-don-t-fiddle-with-irqchips-marked-as-immutable.patch
new file mode 100644
index 00000000000..05659d88c21
--- /dev/null
+++ b/queue-5.10/gpio-don-t-fiddle-with-irqchips-marked-as-immutable.patch
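Review bot: gpio_irq_chip_set_chip() casts away `const` without checking that the chip is marked immutable, so a `const struct irq_chip` that lacks the flag can still be handed to code that writes through `girq->chip`. The companion patch in this queue only skips those writes when `IRQCHIP_IMMUTABLE` is set, and a const chip is likely to live in read-only memory where such a write faults. The helper's comment should state the requirement, e.g. `/* chip must have IRQCHIP_IMMUTABLE set: gpiolib writes to chips without it */`, and a `WARN_ON(!(chip->flags & IRQCHIP_IMMUTABLE));` in the helper would catch misuse at registration time. IRQCHIP_IMMUTABLE is introduced by a separate patch in the queue, so such a check depends on the series order.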
@@ -0,0 +1,89 @@
+From 17498acb96a91afb269eaff98a1af5b57dc06309 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Apr 2022 15:18:37 +0100
+Subject: gpio: Don't fiddle with irqchips marked as immutable
+
+From: Marc Zyngier
+
+[ Upstream commit 6c846d026d490b2383d395bc8e7b06336219667b ]
+
+In order to move away from gpiolib messing with the internals of
+unsuspecting irqchips, add a flag by which irqchips advertise
+that they are not to be messed with, and do solemnly swear that
+they correctly call into the gpiolib helpers when required.
+
+Also nudge the users into converting their drivers to the
+new model.
+
+Reviewed-by: Andy Shevchenko
+Reviewed-by: Bartosz Golaszewski
+Signed-off-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20220419141846.598305-2-maz@kernel.org
+Stable-dep-of: dc3115e6c5d9 ("hid: cp2112: Fix IRQ shutdown stopping polling for all IRQs on chip")
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpiolib.c | 7 ++++++-
+ include/linux/irq.h | 2 ++
+ kernel/irq/debugfs.c | 1 +
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index d10f621085e2e..8a6510d0fe5fc 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1491,6 +1491,11 @@ static void gpiochip_set_irq_hooks(struct gpio_chip *gc)
+ {
+ struct irq_chip *irqchip = gc->irq.chip;
+
++ if (irqchip->flags & IRQCHIP_IMMUTABLE)
++ return;
++
++ chip_warn(gc, "not an immutable chip, please consider fixing it!\n");
++
+ if (!irqchip->irq_request_resources &&
+ !irqchip->irq_release_resources) {
+ irqchip->irq_request_resources = gpiochip_irq_reqres;
+@@ -1667,7 +1672,7 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gc)
+ irq_domain_remove(gc->irq.domain);
+ }
+
+- if (irqchip) {
++ if (irqchip && !(irqchip->flags & IRQCHIP_IMMUTABLE)) {
+ if (irqchip->irq_request_resources == gpiochip_irq_reqres) {
+ irqchip->irq_request_resources = NULL;
+ irqchip->irq_release_resources = NULL;
+diff --git a/include/linux/irq.h b/include/linux/irq.h
+index b89a8ac83d1bc..da4cd9fb3e5f3 100644
+--- a/include/linux/irq.h
++++ b/include/linux/irq.h
+@@ -568,6 +568,7 @@ struct irq_chip {
+ * IRQCHIP_ENABLE_WAKEUP_ON_SUSPEND: Invokes __enable_irq()/__disable_irq() for wake irqs
+ * in the suspend path if they are in disabled state
+ * IRQCHIP_AFFINITY_PRE_STARTUP: Default affinity update before startup
++ * IRQCHIP_IMMUTABLE: Don't ever change anything in this chip
+ */
+ enum {
+ IRQCHIP_SET_TYPE_MASKED = (1 << 0),
+@@ -581,6 +582,7 @@ enum {
+ IRQCHIP_SUPPORTS_NMI = (1 << 8),
+ IRQCHIP_ENABLE_WAKEUP_ON_SUSPEND = (1 << 9),
+ IRQCHIP_AFFINITY_PRE_STARTUP = (1 << 10),
++ IRQCHIP_IMMUTABLE = (1 << 11),
+ };
+
+ #include
+diff --git a/kernel/irq/debugfs.c b/kernel/irq/debugfs.c
+index e4cff358b437e..7ff52d94b42c0 100644
+--- a/kernel/irq/debugfs.c
++++ b/kernel/irq/debugfs.c
+@@ -58,6 +58,7 @@ static const struct irq_bit_descr irqchip_flags[] = {
+ BIT_MASK_DESCR(IRQCHIP_SUPPORTS_LEVEL_MSI),
+ BIT_MASK_DESCR(IRQCHIP_SUPPORTS_NMI),
+ BIT_MASK_DESCR(IRQCHIP_ENABLE_WAKEUP_ON_SUSPEND),
++ BIT_MASK_DESCR(IRQCHIP_IMMUTABLE),
+ };
+
+ static void
+--
+2.42.0
+
diff --git a/queue-5.10/gpio-expose-the-gpiochip_irq_re-ql-res-helpers.patch b/queue-5.10/gpio-expose-the-gpiochip_irq_re-ql-res-helpers.patch
new file mode 100644
index 00000000000..73dae756b32
--- /dev/null
+++ b/queue-5.10/gpio-expose-the-gpiochip_irq_re-ql-res-helpers.patch
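Review bot: In gpiochip_set_irq_hooks() the new `chip_warn()` fires for every GPIO chip whose irqchip lacks IRQCHIP_IMMUTABLE, which in a stable tree is probably most drivers, since the flag is only being pulled in for the fix named in Stable-dep-of. That adds one warning per chip on every boot for users who cannot act on it, and the noise can bury warnings that matter. For the backport consider `chip_dbg()` or dropping the message while keeping the early return. Both function bodies continue outside the hunks.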
@@ -0,0 +1,70 @@
+From d00f266478446e8b5252d007c83fa4ff3a0fd54a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Apr 2022 15:18:38 +0100
+Subject: gpio: Expose the gpiochip_irq_re[ql]res helpers
+
+From: Marc Zyngier
+
+[ Upstream commit 704f08753b6dcd0e08c1953af0b2c7f3fac87111 ]
+
+The GPIO subsystem has a couple of internal helpers to manage
+resources on behalf of the irqchip. Expose them so that GPIO
+drivers can use them directly.
+
+Reviewed-by: Andy Shevchenko
+Reviewed-by: Bartosz Golaszewski
+Signed-off-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20220419141846.598305-3-maz@kernel.org
+Stable-dep-of: dc3115e6c5d9 ("hid: cp2112: Fix IRQ shutdown stopping polling for all IRQs on chip")
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpiolib.c | 6 ++++--
+ include/linux/gpio/driver.h | 4 ++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index 8a6510d0fe5fc..69ef51a05709a 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1439,19 +1439,21 @@ static int gpiochip_to_irq(struct gpio_chip *gc, unsigned offset)
+ return irq_create_mapping(domain, offset);
+ }
+
+-static int gpiochip_irq_reqres(struct irq_data *d)
++int gpiochip_irq_reqres(struct irq_data *d)
+ {
+ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+
+ return gpiochip_reqres_irq(gc, d->hwirq);
+ }
++EXPORT_SYMBOL(gpiochip_irq_reqres);
+
+-static void gpiochip_irq_relres(struct irq_data *d)
++void gpiochip_irq_relres(struct irq_data *d)
+ {
+ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+
+ gpiochip_relres_irq(gc, d->hwirq);
+ }
++EXPORT_SYMBOL(gpiochip_irq_relres);
+
+ static void gpiochip_irq_mask(struct irq_data *d)
+ {
+diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h
+index 64c93a36a3a92..38df53b541d53 100644
+--- a/include/linux/gpio/driver.h
++++ b/include/linux/gpio/driver.h
+@@ -591,6 +591,10 @@ void gpiochip_relres_irq(struct gpio_chip *gc, unsigned int offset);
+ void gpiochip_disable_irq(struct gpio_chip *gc, unsigned int offset);
+ void gpiochip_enable_irq(struct gpio_chip *gc, unsigned int offset);
+
++/* irq_data versions of the above */
++int gpiochip_irq_reqres(struct irq_data *data);
++void gpiochip_irq_relres(struct irq_data *data);
++
+ /* Line status inquiry for drivers */
+ bool gpiochip_line_is_open_drain(struct gpio_chip *gc, unsigned int offset);
+ bool gpiochip_line_is_open_source(struct gpio_chip *gc, unsigned int offset);
+--
+2.42.0
+
diff --git a/queue-5.10/hid-add-quirk-for-dell-pro-wireless-keyboard-and-mou.patch b/queue-5.10/hid-add-quirk-for-dell-pro-wireless-keyboard-and-mou.patch
new file mode 100644
index 00000000000..91def00270d
--- /dev/null
+++ b/queue-5.10/hid-add-quirk-for-dell-pro-wireless-keyboard-and-mou.patch
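Review bot: gpiochip_irq_reqres() and gpiochip_irq_relres() become exported API here without any kernel-doc; the only description is the header comment `/* irq_data versions of the above */`. Each should get a short kernel-doc block saying it is meant to be installed as the irq_chip `irq_request_resources` / `irq_release_resources` callback and that the irq_data's chip data must be the `struct gpio_chip`, which is what `irq_data_get_irq_chip_data(d)` assumes without checking. Also check which export macro the rest of gpiolib.c uses; if it is `EXPORT_SYMBOL_GPL`, the two new `EXPORT_SYMBOL()` lines should match (the neighbouring exports are not in the hunk).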
@@ -0,0 +1,47 @@
+From 8301613b9e299b85d0395f03dd326e79d027a5b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 27 Oct 2023 15:32:09 +0200
+Subject: HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W
+
+From: Jiri Kosina
+
+[ Upstream commit 62cc9c3cb3ec1bf31cc116146185ed97b450836a ]
+
+This device needs ALWAYS_POLL quirk, otherwise it keeps reconnecting
+indefinitely.
+
+Reported-by: Robert Ayrapetyan
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 6712d99ad80da..7c688d7f8ccff 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -345,6 +345,7 @@
+
+ #define USB_VENDOR_ID_DELL 0x413c
+ #define USB_DEVICE_ID_DELL_PIXART_USB_OPTICAL_MOUSE 0x301a
++#define USB_DEVICE_ID_DELL_PRO_WIRELESS_KM5221W 0x4503
+
+ #define USB_VENDOR_ID_DELORME 0x1163
+ #define USB_DEVICE_ID_DELORME_EARTHMATE 0x0100
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 4229e5de06745..787349f2de01d 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -66,6 +66,7 @@ static const struct hid_device_id hid_quirks[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_STRAFE), HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CREATIVELABS, USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DELL, USB_DEVICE_ID_DELL_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL },
++ { HID_USB_DEVICE(USB_VENDOR_ID_DELL, USB_DEVICE_ID_DELL_PRO_WIRELESS_KM5221W), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_2NES2SNES), HID_QUIRK_MULTI_INPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_4NES4SNES), HID_QUIRK_MULTI_INPUT },
+--
+2.42.0
+
diff --git a/queue-5.10/hid-lenovo-detect-quirk-free-fw-on-cptkbd-and-stop-a.patch b/queue-5.10/hid-lenovo-detect-quirk-free-fw-on-cptkbd-and-stop-a.patch
new file mode 100644
index 00000000000..4d818b32fb2
--- /dev/null
+++ b/queue-5.10/hid-lenovo-detect-quirk-free-fw-on-cptkbd-and-stop-a.patch
@@ -0,0 +1,127 @@
+From 636ebb93e926bf553c40561ae9ec468038aa3bc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 24 Sep 2023 01:58:30 +0300
+Subject: HID: lenovo: Detect quirk-free fw on cptkbd and stop applying
+ workaround
+
+From: Mikhail Khvainitski
+
+[ Upstream commit 46a0a2c96f0f47628190f122c2e3d879e590bcbe ]
+
+Built-in firmware of cptkbd handles scrolling by itself (when middle
+button is pressed) but with issues: it does not support horizontal and
+hi-res scrolling and upon middle button release it sends middle button
+click even if there was a scrolling event. Commit 3cb5ff0220e3 ("HID:
+lenovo: Hide middle-button press until release") workarounds last
+issue but it's impossible to workaround scrolling-related issues
+without firmware modification.
+
+Likely, Dennis Schneider has reverse engineered the firmware and
+provided an instruction on how to patch it [1]. However,
+aforementioned workaround prevents userspace (libinput) from knowing
+exact moment when middle button has been pressed down and performing
+"On-Button scrolling". This commit detects correctly-behaving patched
+firmware if cursor movement events has been received during middle
+button being pressed and stops applying workaround for this device.
+
+Link: https://hohlerde.org/rauch/en/elektronik/projekte/tpkbd-fix/ [1]
+
+Signed-off-by: Mikhail Khvainitski
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-lenovo.c | 68 ++++++++++++++++++++++++++--------------
+ 1 file changed, 45 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c
+index 0ff03fed97709..71f7b0d539df5 100644
+--- a/drivers/hid/hid-lenovo.c
++++ b/drivers/hid/hid-lenovo.c
+@@ -50,7 +50,12 @@ struct lenovo_drvdata {
+ int select_right;
+ int sensitivity;
+ int press_speed;
+- u8 middlebutton_state; /* 0:Up, 1:Down (undecided), 2:Scrolling */
++ /* 0: Up
++ * 1: Down (undecided)
++ * 2: Scrolling
++ * 3: Patched firmware, disable workaround
++ */
++ u8 middlebutton_state;
+ bool fn_lock;
+ };
+
+@@ -478,31 +483,48 @@ static int lenovo_event_cptkbd(struct hid_device *hdev,
+ {
+ struct lenovo_drvdata *cptkbd_data = hid_get_drvdata(hdev);
+
+- /* "wheel" scroll events */
+- if (usage->type == EV_REL && (usage->code == REL_WHEEL ||
+- usage->code == REL_HWHEEL)) {
+- /* Scroll events disable middle-click event */
+- cptkbd_data->middlebutton_state = 2;
+- return 0;
+- }
++ if (cptkbd_data->middlebutton_state != 3) {
++ /* REL_X and REL_Y events during middle button pressed
++ * are only possible on patched, bug-free firmware
++ * so set middlebutton_state to 3
++ * to never apply workaround anymore
++ */
++ if (cptkbd_data->middlebutton_state == 1 &&
++ usage->type == EV_REL &&
++ (usage->code == REL_X || usage->code == REL_Y)) {
++ cptkbd_data->middlebutton_state = 3;
++ /* send middle button press which was hold before */
++ input_event(field->hidinput->input,
++ EV_KEY, BTN_MIDDLE, 1);
++ input_sync(field->hidinput->input);
++ }
+
+- /* Middle click events */
+- if (usage->type == EV_KEY && usage->code == BTN_MIDDLE) {
+- if (value == 1) {
+- cptkbd_data->middlebutton_state = 1;
+- } else if (value == 0) {
+- if (cptkbd_data->middlebutton_state == 1) {
+- /* No scrolling inbetween, send middle-click */
+- input_event(field->hidinput->input,
+- EV_KEY, BTN_MIDDLE, 1);
+- input_sync(field->hidinput->input);
+- input_event(field->hidinput->input,
+- EV_KEY, BTN_MIDDLE, 0);
+- input_sync(field->hidinput->input);
++ /* "wheel" scroll events */
++ if (usage->type == EV_REL && (usage->code == REL_WHEEL ||
++ usage->code == REL_HWHEEL)) {
++ /* Scroll events disable middle-click event */
++ cptkbd_data->middlebutton_state = 2;
++ return 0;
++ }
++
++ /* Middle click events */
++ if (usage->type == EV_KEY && usage->code == BTN_MIDDLE) {
++ if (value == 1) {
++ cptkbd_data->middlebutton_state = 1;
++ } else if (value == 0) {
++ if (cptkbd_data->middlebutton_state == 1) {
++ /* No scrolling inbetween, send middle-click */
++ input_event(field->hidinput->input,
++ EV_KEY, BTN_MIDDLE, 1);
++ input_sync(field->hidinput->input);
++ input_event(field->hidinput->input,
++ EV_KEY, BTN_MIDDLE, 0);
++ input_sync(field->hidinput->input);
++ }
++ cptkbd_data->middlebutton_state = 0;
+ }
+- cptkbd_data->middlebutton_state = 0;
++ return 1;
+ }
+- return 1;
+ }
+
+ return 0;
+--
+2.42.0
+
diff --git a/queue-5.10/i2c-sun6i-p2wi-prevent-potential-division-by-zero.patch b/queue-5.10/i2c-sun6i-p2wi-prevent-potential-division-by-zero.patch
new file mode 100644
index 00000000000..dad90932497
--- /dev/null
+++ b/queue-5.10/i2c-sun6i-p2wi-prevent-potential-division-by-zero.patch
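Review bot: `middlebutton_state` now has four meanings and lenovo_event_cptkbd() compares it against bare `1`, `2` and `3` in several places, which is easy to get wrong on the next change. Named constants would document the state machine at each use, e.g. `enum { MB_UP, MB_DOWN, MB_SCROLLING, MB_PATCHED_FW };` (names are only a suggestion), so the guard reads `if (cptkbd_data->middlebutton_state != MB_PATCHED_FW)`. The struct comment should also say that state 3 is never left once entered: as written, a single REL_X or REL_Y event while the button is down turns the workaround off for as long as this drvdata lives, and whether unpatched firmware can ever emit such an event is not visible in the hunk. The function's signature and tail are outside the hunk.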
@@ -0,0 +1,39 @@
+From 438ca9180838e3ccf3d1b389becd6496ce74a8ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Apr 2016 08:54:30 +0800
+Subject: i2c: sun6i-p2wi: Prevent potential division by zero
+
+From: Axel Lin
+
+[ Upstream commit 5ac61d26b8baff5b2e5a9f3dc1ef63297e4b53e7 ]
+
+Make sure we don't OOPS in case clock-frequency is set to 0 in a DT. The
+variable set here is later used as a divisor.
+
+Signed-off-by: Axel Lin
+Acked-by: Boris Brezillon
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-sun6i-p2wi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-sun6i-p2wi.c b/drivers/i2c/busses/i2c-sun6i-p2wi.c
+index 2f6f6468214dd..4f7a4f5a1150a 100644
+--- a/drivers/i2c/busses/i2c-sun6i-p2wi.c
++++ b/drivers/i2c/busses/i2c-sun6i-p2wi.c
+@@ -201,6 +201,11 @@ static int p2wi_probe(struct platform_device *pdev)
+ return -EINVAL;
+ }
+
++ if (clk_freq == 0) {
++ dev_err(dev, "clock-frequency is set to 0 in DT\n");
++ return -EINVAL;
++ }
++
+ if (of_get_child_count(np) > 1) {
+ dev_err(dev, "P2WI only supports one slave device\n");
+ return -EINVAL;
+--
+2.42.0
+
diff --git a/queue-5.10/ipvlan-add-ipvlan_route_v6_outbound-helper.patch b/queue-5.10/ipvlan-add-ipvlan_route_v6_outbound-helper.patch
new file mode 100644
index 00000000000..031c5ac007a
--- /dev/null
+++ b/queue-5.10/ipvlan-add-ipvlan_route_v6_outbound-helper.patch
@@ -0,0 +1,272 @@
+From 651dd4c74e353a0c4d4946de54c423dfa2161e45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Nov 2023 15:22:41 +0000
+Subject: ipvlan: add ipvlan_route_v6_outbound() helper
+
+From: Eric Dumazet
+
+[ Upstream commit 18f039428c7df183b09c69ebf10ffd4e521035d2 ]
+
+Inspired by syzbot reports using a stack of multiple ipvlan devices.
+
+Reduce stack size needed in ipvlan_process_v6_outbound() by moving
+the flowi6 struct used for the route lookup in an non inlined
+helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,
+immediately reclaimed.
+
+Also make sure ipvlan_process_v4_outbound() is not inlined.
+
+We might also have to lower MAX_NEST_DEV, because only syzbot uses
+setups with more than four stacked devices.
+
+BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)
+stack guard page: 0000 [#1] SMP KASAN
+CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
+RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188
+Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89
+RSP: 0018:ffffc9000e804000 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2
+RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568
+RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c
+R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000
+FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<#DF>
+
+
+[] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31
+[] instrument_atomic_read include/linux/instrumented.h:72 [inline]
+[] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
+[] cpumask_test_cpu include/linux/cpumask.h:506 [inline]
+[] cpu_online include/linux/cpumask.h:1092 [inline]
+[] trace_lock_acquire include/trace/events/lock.h:24 [inline]
+[] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632
+[] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306
+[] rcu_read_lock include/linux/rcupdate.h:747 [inline]
+[] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221
+[] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606
+[] pol_lookup_func include/net/ip6_fib.h:584 [inline]
+[] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116
+[] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638
+[] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651
+[] ip6_route_output include/net/ip6_route.h:100 [inline]
+[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]
+[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
+[] xmit_one net/core/dev.c:3644 [inline]
+[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
+[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
+[] neigh_hh_output include/net/neighbour.h:529 [inline]
+[] neigh_output include/net/neighbour.h:543 [inline]
+[] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
+[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[] dst_output include/net/dst.h:444 [inline]
+[] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
+[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
+[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
+[] xmit_one net/core/dev.c:3644 [inline]
+[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
+[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
+[] neigh_hh_output include/net/neighbour.h:529 [inline]
+[] neigh_output include/net/neighbour.h:543 [inline]
+[] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
+[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[] dst_output include/net/dst.h:444 [inline]
+[] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
+[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
+[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
+[] xmit_one net/core/dev.c:3644 [inline]
+[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
+[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
+[] neigh_hh_output include/net/neighbour.h:529 [inline]
+[] neigh_output include/net/neighbour.h:543 [inline]
+[] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
+[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[] dst_output include/net/dst.h:444 [inline]
+[] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
+[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
+[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
+[] xmit_one net/core/dev.c:3644 [inline]
+[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
+[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
+[] neigh_hh_output include/net/neighbour.h:529 [inline]
+[] neigh_output include/net/neighbour.h:543 [inline]
+[] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
+[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[] dst_output include/net/dst.h:444 [inline]
+[] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
+[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
+[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
+[] xmit_one net/core/dev.c:3644 [inline]
+[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
+[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
+[] neigh_resolve_output+0x64e/0x750 net/core/neighbour.c:1560
+[] neigh_output include/net/neighbour.h:545 [inline]
+[] ip6_finish_output2+0x1643/0x1ae0 net/ipv6/ip6_output.c:139
+[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[] dst_output include/net/dst.h:444 [inline]
+[] NF_HOOK include/linux/netfilter.h:309 [inline]
+[] ip6_xmit+0x11a4/0x1b20 net/ipv6/ip6_output.c:352
+[] sctp_v6_xmit+0x9ae/0x1230 net/sctp/ipv6.c:250
+[] sctp_packet_transmit+0x25de/0x2bc0 net/sctp/output.c:653
+[] sctp_packet_singleton+0x202/0x310 net/sctp/outqueue.c:783
+[] sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
+[] sctp_outq_flush+0x661/0x3d40 net/sctp/outqueue.c:1212
+[] sctp_outq_uncork+0x79/0xb0 net/sctp/outqueue.c:764
+[] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
+[] sctp_do_sm+0x55c0/0x5c30 net/sctp/sm_sideeffect.c:1170
+[] sctp_primitive_ASSOCIATE+0x97/0xc0 net/sctp/primitive.c:73
+[] sctp_sendmsg_to_asoc+0xf62/0x17b0 net/sctp/socket.c:1839
+[] sctp_sendmsg+0x212e/0x33b0 net/sctp/socket.c:2029
+[] inet_sendmsg+0x149/0x310 net/ipv4/af_inet.c:849
+[] sock_sendmsg_nosec net/socket.c:716 [inline]
+[] sock_sendmsg net/socket.c:736 [inline]
+[] ____sys_sendmsg+0x572/0x8c0 net/socket.c:2504
+[] ___sys_sendmsg net/socket.c:2558 [inline]
+[] __sys_sendmsg+0x271/0x360 net/socket.c:2587
+[] __do_sys_sendmsg net/socket.c:2596 [inline]
+[] __se_sys_sendmsg net/socket.c:2594 [inline]
+[] __x64_sys_sendmsg+0x7f/0x90 net/socket.c:2594
+[] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+[] do_syscall_64+0x53/0x80 arch/x86/entry/common.c:84
+[] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Cc: Mahesh Bandewar
+Cc: Willem de Bruijn
+Reviewed-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ipvlan/ipvlan_core.c | 41 +++++++++++++++++++-------------
+ 1 file changed, 25 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index b5a61b16a7eab..bfea28bd45027 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -412,7 +412,7 @@ struct ipvl_addr *ipvlan_addr_lookup(struct ipvl_port *port, void *lyr3h,
+ return addr;
+ }
+
+-static int ipvlan_process_v4_outbound(struct sk_buff *skb)
++static noinline_for_stack int ipvlan_process_v4_outbound(struct sk_buff *skb)
+ {
+ const struct iphdr *ip4h = ip_hdr(skb);
+ struct net_device *dev = skb->dev;
+@@ -454,13 +454,11 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
+ }
+
+ #if IS_ENABLED(CONFIG_IPV6)
+-static int ipvlan_process_v6_outbound(struct sk_buff *skb)
++
++static noinline_for_stack int
++ipvlan_route_v6_outbound(struct net_device *dev, struct sk_buff *skb)
+ {
+ const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+- struct net_device *dev = skb->dev;
+- struct net *net = dev_net(dev);
+- struct dst_entry *dst;
+- int err, ret = NET_XMIT_DROP;
+ struct flowi6 fl6 = {
+ .flowi6_oif = dev->ifindex,
+ .daddr = ip6h->daddr,
+@@ -470,27 +468,38 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
+ .flowi6_mark = skb->mark,
+ .flowi6_proto = ip6h->nexthdr,
+ };
++ struct dst_entry *dst;
++ int err;
+
+- dst = ip6_route_output(net, NULL, &fl6);
+- if (dst->error) {
+- ret = dst->error;
++ dst = ip6_route_output(dev_net(dev), NULL, &fl6);
++ err = dst->error;
++ if (err) {
+ dst_release(dst);
+- goto err;
++ return err;
+ }
+ skb_dst_set(skb, dst);
++ return 0;
++}
++
++static int ipvlan_process_v6_outbound(struct sk_buff *skb)
++{
++ struct net_device *dev = skb->dev;
++ int err, ret = NET_XMIT_DROP;
++
++ err = ipvlan_route_v6_outbound(dev, skb);
++ if (unlikely(err)) {
++ DEV_STATS_INC(dev, tx_errors);
++ kfree_skb(skb);
++ return err;
++ }
+
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+
+- err = ip6_local_out(net, skb->sk, skb);
++ err = ip6_local_out(dev_net(dev), skb->sk, skb);
+ if (unlikely(net_xmit_eval(err)))
+ DEV_STATS_INC(dev, tx_errors);
+ else
+ ret = NET_XMIT_SUCCESS;
+- goto out;
+-err:
+- DEV_STATS_INC(dev, tx_errors);
+- kfree_skb(skb);
+-out:
+ return ret;
+ }
+ #else
+--
+2.42.0
+
diff --git a/queue-5.10/jfs-fix-array-index-out-of-bounds-in-dbfindleaf.patch b/queue-5.10/jfs-fix-array-index-out-of-bounds-in-dbfindleaf.patch
new file mode 100644
index 00000000000..840e62b7d14
--- /dev/null
+++ b/queue-5.10/jfs-fix-array-index-out-of-bounds-in-dbfindleaf.patch
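Review bot: The `noinline_for_stack` on ipvlan_route_v6_outbound() and ipvlan_process_v4_outbound() is what keeps the route-lookup locals out of the frame that stays live across the nested transmit, but nothing in the code says so, and a later cleanup could fold the helper back in. Add a comment above the helper such as `/* Not inlined: keeps struct flowi6 off the stack of the recursive xmit path (stacked ipvlan) */`. The commit message itself says MAX_NEST_DEV may still need lowering, so this reduces the stack cost per nesting level rather than bounding the depth; that limit is outside this diff and should be tracked separately.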
@@ -0,0 +1,87 @@
+From 7b738fe41bb60e21f25aafef76165523a5e974a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Oct 2023 11:17:18 +0530
+Subject: jfs: fix array-index-out-of-bounds in dbFindLeaf
+
+From: Manas Ghandat
+
+[ Upstream commit 22cad8bc1d36547cdae0eef316c47d917ce3147c ]
+
+Currently while searching for dmtree_t for sufficient free blocks there
+is an array out of bounds while getting element in tp->dm_stree. To add
+the required check for out of bound we first need to determine the type
+of dmtree. Thus added an extra parameter to dbFindLeaf so that the type
+of tree can be determined and the required check can be applied.
+
+Reported-by: syzbot+aea1ad91e854d0a83e04@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=aea1ad91e854d0a83e04
+Signed-off-by: Manas Ghandat
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_dmap.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 2ccb52371ceb5..72eb5ed54c2ab 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -87,7 +87,7 @@ static int dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno,
+ static int dbExtend(struct inode *ip, s64 blkno, s64 nblocks, s64 addnblocks);
+ static int dbFindBits(u32 word, int l2nb);
+ static int dbFindCtl(struct bmap * bmp, int l2nb, int level, s64 * blkno);
+-static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx);
++static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl);
+ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
+ int nblocks);
+ static int dbFreeDmap(struct bmap * bmp, struct dmap * dp, s64 blkno,
+@@ -1785,7 +1785,7 @@ static int dbFindCtl(struct bmap * bmp, int l2nb, int level, s64 * blkno)
+ * dbFindLeaf() returns the index of the leaf at which
+ * free space was found.
+ */
+- rc = dbFindLeaf((dmtree_t *) dcp, l2nb, &leafidx);
++ rc = dbFindLeaf((dmtree_t *) dcp, l2nb, &leafidx, true);
+
+ /* release the buffer.
+ */
+@@ -2032,7 +2032,7 @@ dbAllocDmapLev(struct bmap * bmp,
+ * free space. if sufficient free space is found, dbFindLeaf()
+ * returns the index of the leaf at which free space was found.
+ */
+- if (dbFindLeaf((dmtree_t *) & dp->tree, l2nb, &leafidx))
++ if (dbFindLeaf((dmtree_t *) &dp->tree, l2nb, &leafidx, false))
+ return -ENOSPC;
+
+ if (leafidx < 0)
+@@ -2992,14 +2992,18 @@ static void dbAdjTree(dmtree_t * tp, int leafno, int newval)
+ * leafidx - return pointer to be set to the index of the leaf
+ * describing at least l2nb free blocks if sufficient
+ * free blocks are found.
++ * is_ctl - determines if the tree is of type ctl
+ *
+ * RETURN VALUES:
+ * 0 - success
+ * -ENOSPC - insufficient free blocks.
+ */
+-static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx)
++static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
+ {
+ int ti, n = 0, k, x = 0;
++ int max_size;
++
++ max_size = is_ctl ? CTLTREESIZE : TREESIZE;
+
+ /* first check the root of the tree to see if there is
+ * sufficient free space.
+@@ -3020,6 +3024,8 @@ static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx)
+ /* sufficient free space found. move to the next
+ * level (or quit if this is the last level).
+ */
++ if (x + n > max_size)
++ return -ENOSPC;
+ if (l2nb <= tp->dmt_stree[x + n])
+ break;
+ }
+--
+2.42.0
+
diff --git a/queue-5.10/jfs-fix-array-index-out-of-bounds-in-dialloc.patch b/queue-5.10/jfs-fix-array-index-out-of-bounds-in-dialloc.patch
new file mode 100644
index 00000000000..b90c9ff0063
--- /dev/null
+++ b/queue-5.10/jfs-fix-array-index-out-of-bounds-in-dialloc.patch
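Review bot: The guard added in dbFindLeaf() tests `x + n > max_size`, so an index equal to max_size still reaches `tp->dmt_stree[x + n]` on the next line. If dmt_stree holds exactly CTLTREESIZE or TREESIZE entries (the declaration is outside this hunk, so this should be confirmed), that is one element past the end, and the comparison should read `if (x + n >= max_size)`. The loop that computes x and n starts outside the hunk, so whether either can go negative on a corrupted tree cannot be judged from here.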
@@ -0,0 +1,48 @@
+From b5f38e78dcae6217287a763cf22201ed676c4c84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Oct 2023 13:10:40 +0530
+Subject: jfs: fix array-index-out-of-bounds in diAlloc
+
+From: Manas Ghandat
+
+[ Upstream commit 05d9ea1ceb62a55af6727a69269a4fd310edf483 ]
+
+Currently there is not check against the agno of the iag while
+allocating new inodes to avoid fragmentation problem. Added the check
+which is required.
+
+Reported-by: syzbot+79d792676d8ac050949f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=79d792676d8ac050949f
+Signed-off-by: Manas Ghandat
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_imap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
+index 67c67604b8c85..14f918a4831d3 100644
+--- a/fs/jfs/jfs_imap.c
++++ b/fs/jfs/jfs_imap.c
+@@ -1322,7 +1322,7 @@ diInitInode(struct inode *ip, int iagno, int ino, int extno, struct iag * iagp)
+ int diAlloc(struct inode *pip, bool dir, struct inode *ip)
+ {
+ int rc, ino, iagno, addext, extno, bitno, sword;
+- int nwords, rem, i, agno;
++ int nwords, rem, i, agno, dn_numag;
+ u32 mask, inosmap, extsmap;
+ struct inode *ipimap;
+ struct metapage *mp;
+@@ -1358,6 +1358,9 @@ int diAlloc(struct inode *pip, bool dir, struct inode *ip)
+
+ /* get the ag number of this iag */
+ agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb));
++ dn_numag = JFS_SBI(pip->i_sb)->bmap->db_numag;
++ if (agno < 0 || agno > dn_numag)
++ return -EIO;
+
+ if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) {
+ /*
+--
+2.42.0
+
diff --git a/queue-5.10/kgdb-flush-console-before-entering-kgdb-on-panic.patch b/queue-5.10/kgdb-flush-console-before-entering-kgdb-on-panic.patch
new file mode 100644
index 00000000000..099e00eb093
--- /dev/null
+++ b/queue-5.10/kgdb-flush-console-before-entering-kgdb-on-panic.patch
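Review bot: The range check added in diAlloc() lets `agno == dn_numag` through, and the very next statement indexes `db_active[agno]`. The hunk does not show how db_active is sized or whether db_numag is a count or a highest index, so the bound should be confirmed against the array's declared size; if db_numag is a count of allocation groups, the test should be `if (agno < 0 || agno >= dn_numag)`. The value is also read from on-disk-derived state, so db_numag itself is only as trustworthy as its own validation, which is not visible here. The local is named `dn_numag` while the field is `db_numag`; matching the field name would read more clearly.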
@@ -0,0 +1,59 @@
+From 157d282f92d126297f085998dc92c3e5c11acefb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Aug 2023 13:19:46 -0700
+Subject: kgdb: Flush console before entering kgdb on panic
+
+From: Douglas Anderson
+
+[ Upstream commit dd712d3d45807db9fcae28a522deee85c1f2fde6 ]
+
+When entering kdb/kgdb on a kernel panic, it was be observed that the
+console isn't flushed before the `kdb` prompt came up. Specifically,
+when using the buddy lockup detector on arm64 and running:
+ echo HARDLOCKUP > /sys/kernel/debug/provoke-crash/DIRECT
+
+I could see:
+ [ 26.161099] lkdtm: Performing direct entry HARDLOCKUP
+ [ 32.499881] watchdog: Watchdog detected hard LOCKUP on cpu 6
+ [ 32.552865] Sending NMI from CPU 5 to CPUs 6:
+ [ 32.557359] NMI backtrace for cpu 6
+ ... [backtrace for cpu 6] ...
+ [ 32.558353] NMI backtrace for cpu 5
+ ... [backtrace for cpu 5] ...
+ [ 32.867471] Sending NMI from CPU 5 to CPUs 0-4,7:
+ [ 32.872321] NMI backtrace forP cpuANC: Hard LOCKUP
+
+ Entering kdb (current=..., pid 0) on processor 5 due to Keyboard Entry
+ [5]kdb>
+
+As you can see, backtraces for the other CPUs start printing and get
+interleaved with the kdb PANIC print.
+
+Let's replicate the commands to flush the console in the kdb panic
+entry point to avoid this.
+
+Signed-off-by: Douglas Anderson
+Link: https://lore.kernel.org/r/20230822131945.1.I5b460ae8f954e4c4f628a373d6e74713c06dd26f@changeid
+Signed-off-by: Daniel Thompson
+Signed-off-by: Sasha Levin
+---
+ kernel/debug/debug_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
+index 0f31b22abe8d9..ef54254a5dd13 100644
+--- a/kernel/debug/debug_core.c
++++ b/kernel/debug/debug_core.c
+@@ -1022,6 +1022,9 @@ void kgdb_panic(const char *msg)
+ if (panic_timeout)
+ return;
+
++ debug_locks_off();
++ console_flush_on_panic(CONSOLE_FLUSH_PENDING);
++
+ if (dbg_kdb_mode)
+ kdb_printf("PANIC: %s\n", msg);
+
+--
+2.42.0
+
diff --git a/queue-5.10/locking-ww_mutex-test-fix-potential-workqueue-corrup.patch b/queue-5.10/locking-ww_mutex-test-fix-potential-workqueue-corrup.patch
new file mode 100644
index 00000000000..0ac5477c107
--- /dev/null
+++ b/queue-5.10/locking-ww_mutex-test-fix-potential-workqueue-corrup.patch
@@ -0,0 +1,119 @@
+From cfc7659f9d25e2dbac1a0c1684c15d1785946c59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Sep 2023 04:36:00 +0000
+Subject: locking/ww_mutex/test: Fix potential workqueue corruption
+
+From: John Stultz
+
+[ Upstream commit bccdd808902f8c677317cec47c306e42b93b849e ]
+
+In some cases running with the test-ww_mutex code, I was seeing
+odd behavior where sometimes it seemed flush_workqueue was
+returning before all the work threads were finished.
+
+Often this would cause strange crashes as the mutexes would be
+freed while they were being used.
+
+Looking at the code, there is a lifetime problem as the
+controlling thread that spawns the work allocates the
+"struct stress" structures that are passed to the workqueue
+threads. Then when the workqueue threads are finished,
+they free the stress struct that was passed to them.
+
+Unfortunately the workqueue work_struct node is in the stress
+struct. Which means the work_struct is freed before the work
+thread returns and while flush_workqueue is waiting.
+
+It seems like a better idea to have the controlling thread
+both allocate and free the stress structures, so that we can
+be sure we don't corrupt the workqueue by freeing the structure
+prematurely.
+
+So this patch reworks the test to do so, and with this change
+I no longer see the early flush_workqueue returns.
+
+Signed-off-by: John Stultz
+Signed-off-by: Ingo Molnar
+Link: https://lore.kernel.org/r/20230922043616.19282-3-jstultz@google.com
+Signed-off-by: Sasha Levin
+---
+ kernel/locking/test-ww_mutex.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/locking/test-ww_mutex.c b/kernel/locking/test-ww_mutex.c
+index 3e82f449b4ff7..da36997d8742c 100644
+--- a/kernel/locking/test-ww_mutex.c
++++ b/kernel/locking/test-ww_mutex.c
+@@ -426,7 +426,6 @@ static void stress_inorder_work(struct work_struct *work)
+ } while (!time_after(jiffies, stress->timeout));
+
+ kfree(order);
+- kfree(stress);
+ }
+
+ struct reorder_lock {
+@@ -491,7 +490,6 @@ static void stress_reorder_work(struct work_struct *work)
+ list_for_each_entry_safe(ll, ln, &locks, link)
+ kfree(ll);
+ kfree(order);
+- kfree(stress);
+ }
+
+ static void stress_one_work(struct work_struct *work)
+@@ -512,8 +510,6 @@ static void stress_one_work(struct work_struct *work)
+ break;
+ }
+ } while (!time_after(jiffies, stress->timeout));
+-
+- kfree(stress);
+ }
+
+ #define STRESS_INORDER BIT(0)
+@@ -524,15 +520,24 @@ static void stress_one_work(struct work_struct *work)
+ static int stress(int nlocks, int nthreads, unsigned int flags)
+ {
+ struct ww_mutex *locks;
+- int n;
++ struct stress *stress_array;
++ int n, count;
+
+ locks = kmalloc_array(nlocks, sizeof(*locks), GFP_KERNEL);
+ if (!locks)
+ return -ENOMEM;
+
++ stress_array = kmalloc_array(nthreads, sizeof(*stress_array),
++ GFP_KERNEL);
++ if (!stress_array) {
++ kfree(locks);
++ return -ENOMEM;
++ }
++
+ for (n = 0; n < nlocks; n++)
+ ww_mutex_init(&locks[n], &ww_class);
+
++ count = 0;
+ for (n = 0; nthreads; n++) {
+ struct stress *stress;
+ void (*fn)(struct work_struct *work);
+@@ -556,9 +561,7 @@ static int stress(int nlocks, int nthreads, unsigned int flags)
+ if (!fn)
+ continue;
+
+- stress = kmalloc(sizeof(*stress), GFP_KERNEL);
+- if (!stress)
+- break;
++ stress = &stress_array[count++];
+
+ INIT_WORK(&stress->work, fn);
+ stress->locks = locks;
+@@ -573,6 +576,7 @@ static int stress(int nlocks, int nthreads, unsigned int flags)
+
+ for (n = 0; n < nlocks; n++)
+ ww_mutex_destroy(&locks[n]);
++ kfree(stress_array);
+ kfree(locks);
+
+ return 0;
+--
+2.42.0
+
diff --git a/queue-5.10/macvlan-don-t-propagate-promisc-change-to-lower-dev-.patch b/queue-5.10/macvlan-don-t-propagate-promisc-change-to-lower-dev-.patch
new file mode 100644
index 00000000000..2d025b7de47
--- /dev/null
+++ b/queue-5.10/macvlan-don-t-propagate-promisc-change-to-lower-dev-.patch
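Review bot: The `kfree(stress_array)` added at the end of stress() is only safe once every queued work item has returned, and nothing in the new code records that ordering. The wait itself (the commit message refers to flush_workqueue) sits in the part of stress() outside this hunk, so a comment at the free would keep a later edit from reintroducing the use-after-free, for example `/* workers only borrow stress_array entries; must stay after the workqueue flush */`. It is also worth confirming that the unchanged loop body decrements nthreads once per queued item, because `stress = &stress_array[count++];` relies on count never exceeding the nthreads value the array was sized with.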
@@ -0,0 +1,61 @@
+From b796d352bd3d1603f52d5d2fcdc5c5da4e0c48e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Nov 2023 18:59:15 +0100
+Subject: macvlan: Don't propagate promisc change to lower dev in passthru
+
+From: Vlad Buslov
+
+[ Upstream commit 7e1caeace0418381f36b3aa8403dfd82fc57fc53 ]
+
+Macvlan device in passthru mode sets its lower device promiscuous mode
+according to its MACVLAN_FLAG_NOPROMISC flag instead of synchronizing it to
+its own promiscuity setting. However, macvlan_change_rx_flags() function
+doesn't check the mode before propagating such changes to the lower device
+which can cause net_device->promiscuity counter overflow as illustrated by
+reproduction example [0] and resulting dmesg log [1]. Fix the issue by
+first verifying the mode in macvlan_change_rx_flags() function before
+propagating promiscuous mode change to the lower device.
+
+[0]:
+ip link add macvlan1 link enp8s0f0 type macvlan mode passthru
+ip link set macvlan1 promisc on
+ip l set dev macvlan1 up
+ip link set macvlan1 promisc off
+ip l set dev macvlan1 down
+ip l set dev macvlan1 up
+
+[1]:
+[ 5156.281724] macvlan1: entered promiscuous mode
+[ 5156.285467] mlx5_core 0000:08:00.0 enp8s0f0: entered promiscuous mode
+[ 5156.287639] macvlan1: left promiscuous mode
+[ 5156.288339] mlx5_core 0000:08:00.0 enp8s0f0: left promiscuous mode
+[ 5156.290907] mlx5_core 0000:08:00.0 enp8s0f0: entered promiscuous mode
+[ 5156.317197] mlx5_core 0000:08:00.0 enp8s0f0: promiscuity touches roof, set promiscuity failed. promiscuity feature of device might be broken.
+
+Fixes: efdbd2b30caa ("macvlan: Propagate promiscuity setting to lower devices.")
+Reviewed-by: Gal Pressman
+Signed-off-by: Vlad Buslov
+Reviewed-by: Jiri Pirko
+Link: https://lore.kernel.org/r/20231114175915.1649154-1-vladbu@nvidia.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/macvlan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 5869bc2c3aa79..9c77e6ab2b307 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -765,7 +765,7 @@ static void macvlan_change_rx_flags(struct net_device *dev, int change)
+ if (dev->flags & IFF_UP) {
+ if (change & IFF_ALLMULTI)
+ dev_set_allmulti(lowerdev, dev->flags & IFF_ALLMULTI ? 1 : -1);
+- if (change & IFF_PROMISC)
++ if (!macvlan_passthru(vlan->port) && change & IFF_PROMISC)
+ dev_set_promiscuity(lowerdev,
+ dev->flags & IFF_PROMISC ? 1 : -1);
+
+--
+2.42.0
+
diff --git a/queue-5.10/media-cobalt-use-field_get-to-extract-link-width.patch b/queue-5.10/media-cobalt-use-field_get-to-extract-link-width.patch
new file mode 100644
index 00000000000..0a7f3efff7b
--- /dev/null
+++ b/queue-5.10/media-cobalt-use-field_get-to-extract-link-width.patch
@@ -0,0 +1,77 @@
+From 8594eae4a5d71b0d8f733d796a63cbe3e6c854c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Sep 2023 15:27:40 +0300
+Subject: media: cobalt: Use FIELD_GET() to extract Link Width
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit f301fedbeecfdce91cb898d6fa5e62f269801fee ]
+
+Use FIELD_GET() to extract PCIe Negotiated and Maximum Link Width fields
+instead of custom masking and shifting.
+
+Signed-off-by: Ilpo Järvinen
+Reviewed-by: Jonathan Cameron
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/pci/cobalt/cobalt-driver.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/pci/cobalt/cobalt-driver.c b/drivers/media/pci/cobalt/cobalt-driver.c
+index 1bd8bbe57a30e..1f230b14cbfdd 100644
+--- a/drivers/media/pci/cobalt/cobalt-driver.c
++++ b/drivers/media/pci/cobalt/cobalt-driver.c
+@@ -8,6 +8,7 @@
+ * All rights reserved.
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -210,17 +211,17 @@ void cobalt_pcie_status_show(struct cobalt *cobalt)
+ pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &stat);
+ cobalt_info("PCIe link capability 0x%08x: %s per lane and %u lanes\n",
+ capa, get_link_speed(capa),
+- (capa & PCI_EXP_LNKCAP_MLW) >> 4);
++ FIELD_GET(PCI_EXP_LNKCAP_MLW, capa));
+ cobalt_info("PCIe link control 0x%04x\n", ctrl);
+ cobalt_info("PCIe link status 0x%04x: %s per lane and %u lanes\n",
+ stat, get_link_speed(stat),
+- (stat & PCI_EXP_LNKSTA_NLW) >> 4);
++ FIELD_GET(PCI_EXP_LNKSTA_NLW, stat));
+
+ /* Bus */
+ pcie_capability_read_dword(pci_bus_dev, PCI_EXP_LNKCAP, &capa);
+ cobalt_info("PCIe bus link capability 0x%08x: %s per lane and %u lanes\n",
+ capa, get_link_speed(capa),
+- (capa & PCI_EXP_LNKCAP_MLW) >> 4);
++ FIELD_GET(PCI_EXP_LNKCAP_MLW, capa));
+
+ /* Slot */
+ pcie_capability_read_dword(pci_dev, PCI_EXP_SLTCAP, &capa);
+@@ -239,7 +240,7 @@ static unsigned pcie_link_get_lanes(struct cobalt *cobalt)
+ if (!pci_is_pcie(pci_dev))
+ return 0;
+ pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &link);
+- return (link & PCI_EXP_LNKSTA_NLW) >> 4;
++ return FIELD_GET(PCI_EXP_LNKSTA_NLW, link);
+ }
+
+ static unsigned pcie_bus_link_get_lanes(struct cobalt *cobalt)
+@@ -250,7 +251,7 @@ static unsigned pcie_bus_link_get_lanes(struct cobalt *cobalt)
+ if (!pci_is_pcie(pci_dev))
+ return 0;
+ pcie_capability_read_dword(pci_dev, PCI_EXP_LNKCAP, &link);
+- return (link & PCI_EXP_LNKCAP_MLW) >> 4;
++ return FIELD_GET(PCI_EXP_LNKCAP_MLW, link);
+ }
+
+ static void msi_config_show(struct cobalt *cobalt, struct pci_dev *pci_dev)
+--
+2.42.0
+
diff --git a/queue-5.10/media-gspca-cpia1-shift-out-of-bounds-in-set_flicker.patch b/queue-5.10/media-gspca-cpia1-shift-out-of-bounds-in-set_flicker.patch
new file mode 100644
index 00000000000..fe6021d5ddd
--- /dev/null
+++ b/queue-5.10/media-gspca-cpia1-shift-out-of-bounds-in-set_flicker.patch
@@ -0,0 +1,53 @@
+From 8c34af53dc69697a098e51493c1081961ad2a53c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 30 Aug 2023 13:14:01 +0530
+Subject: media: gspca: cpia1: shift-out-of-bounds in set_flicker
+
+From: Rajeshwar R Shinde
+
+[ Upstream commit 099be1822d1f095433f4b08af9cc9d6308ec1953 ]
+
+Syzkaller reported the following issue:
+UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27
+shift exponent 245 is too large for 32-bit type 'int'
+
+When the value of the variable "sd->params.exposure.gain" exceeds the
+number of bits in an integer, a shift-out-of-bounds error is reported. It
+is triggered because the variable "currentexp" cannot be left-shifted by
+more than the number of bits in an integer. In order to avoid invalid
+range during left-shift, the conditional expression is added.
+
+Reported-by: syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/20230818164522.12806-1-coolrrsh@gmail.com
+Link: https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73
+Signed-off-by: Rajeshwar R Shinde
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/gspca/cpia1.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/usb/gspca/cpia1.c b/drivers/media/usb/gspca/cpia1.c
+index d93d384286c16..de945e13c7c6b 100644
+--- a/drivers/media/usb/gspca/cpia1.c
++++ b/drivers/media/usb/gspca/cpia1.c
+@@ -18,6 +18,7 @@
+
+ #include
+ #include
++#include
+
+ #include "gspca.h"
+
+@@ -1027,6 +1028,8 @@ static int set_flicker(struct gspca_dev *gspca_dev, int on, int apply)
+ sd->params.exposure.expMode = 2;
+ sd->exposure_status = EXPOSURE_NORMAL;
+ }
++ if (sd->params.exposure.gain >= BITS_PER_TYPE(currentexp))
++ return -EINVAL;
+ currentexp = currentexp << sd->params.exposure.gain;
+ sd->params.exposure.gain = 0;
+ /* round down current exposure to nearest value */
+--
+2.42.0
+
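Review bot: The new `return -EINVAL` in set_flicker() comes after the context lines that may already have written `sd->params.exposure.expMode = 2` and `sd->exposure_status = EXPOSURE_NORMAL`, so a rejected gain can leave the exposure state half-updated. Validating the gain before any field is modified would avoid that. Bounding the count by `BITS_PER_TYPE(currentexp)` also only removes the out-of-range exponent: if currentexp is a signed int, as the UBSAN report in the description suggests, a count below 32 can still shift set bits into or past the sign bit, so a limit derived from the valid gain range of the device would be the stronger check. The function starts and ends outside this hunk, so the earlier writes and the callers' handling of the new error return should be checked there.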
diff --git a/queue-5.10/media-imon-fix-access-to-invalid-resource-for-the-se.patch b/queue-5.10/media-imon-fix-access-to-invalid-resource-for-the-se.patch
new file mode 100644
index 00000000000..247163353d1
--- /dev/null
+++ b/queue-5.10/media-imon-fix-access-to-invalid-resource-for-the-se.patch
@@ -0,0 +1,54 @@
+From 36055bc1f615cbfc2cb3a6285dc9ade4d16bc866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Sep 2023 14:38:07 +0200
+Subject: media: imon: fix access to invalid resource for the second interface
+
+From: Takashi Iwai
+
+[ Upstream commit a1766a4fd83befa0b34d932d532e7ebb7fab1fa7 ]
+
+imon driver probes two USB interfaces, and at the probe of the second
+interface, the driver assumes blindly that the first interface got
+bound with the same imon driver. It's usually true, but it's still
+possible that the first interface is bound with another driver via a
+malformed descriptor. Then it may lead to a memory corruption, as
+spotted by syzkaller; imon driver accesses the data from drvdata as
+struct imon_context object although it's a completely different one
+that was assigned by another driver.
+
+This patch adds a sanity check -- whether the first interface is
+really bound with the imon driver or not -- for avoiding the problem
+above at the probe time.
+
+Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
+Tested-by: Ricardo B. Marliere
+Link: https://lore.kernel.org/r/20230922005152.163640-1-ricardo@marliere.net
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sean Young
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/rc/imon.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
+index 98a38755c694e..253a1d1a840a0 100644
+--- a/drivers/media/rc/imon.c
++++ b/drivers/media/rc/imon.c
+@@ -2430,6 +2430,12 @@ static int imon_probe(struct usb_interface *interface,
+ goto fail;
+ }
+
++ if (first_if->dev.driver != interface->dev.driver) {
++ dev_err(&interface->dev, "inconsistent driver matching\n");
++ ret = -EINVAL;
++ goto fail;
++ }
++
+ if (ifnum == 0) {
+ ictx = imon_init_intf0(interface, id);
+ if (!ictx) {
+--
+2.42.0
+
diff --git a/queue-5.10/media-vivid-avoid-integer-overflow.patch b/queue-5.10/media-vivid-avoid-integer-overflow.patch
new file mode 100644
index 00000000000..8ef6f9adf92
--- /dev/null
+++ b/queue-5.10/media-vivid-avoid-integer-overflow.patch
@@ -0,0 +1,47 @@
+From d4933061e6dcbcb969b13fd5e28da3c2a2734953 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 23 Sep 2023 17:20:48 +0200
+Subject: media: vivid: avoid integer overflow
+
+From: Hans Verkuil
+
+[ Upstream commit 4567ebf8e8f9546b373e78e3b7d584cc30b62028 ]
+
+Fixes these compiler warnings:
+
+drivers/media/test-drivers/vivid/vivid-rds-gen.c: In function 'vivid_rds_gen_fill':
+drivers/media/test-drivers/vivid/vivid-rds-gen.c:147:56: warning: '.' directive output may be truncated writing 1 byte into a region of size between 0 and 3 [-Wformat-truncation=]
+ 147 | snprintf(rds->psname, sizeof(rds->psname), "%6d.%1d",
+ | ^
+drivers/media/test-drivers/vivid/vivid-rds-gen.c:147:52: note: directive argument in the range [0, 9]
+ 147 | snprintf(rds->psname, sizeof(rds->psname), "%6d.%1d",
+ | ^~~~~~~~~
+drivers/media/test-drivers/vivid/vivid-rds-gen.c:147:9: note: 'snprintf' output between 9 and 12 bytes into a destination of size 9
+ 147 | snprintf(rds->psname, sizeof(rds->psname), "%6d.%1d",
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 148 | freq / 16, ((freq & 0xf) * 10) / 16);
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Hans Verkuil
+Acked-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ drivers/media/test-drivers/vivid/vivid-rds-gen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/test-drivers/vivid/vivid-rds-gen.c b/drivers/media/test-drivers/vivid/vivid-rds-gen.c
+index b5b104ee64c99..c57771119a34b 100644
+--- a/drivers/media/test-drivers/vivid/vivid-rds-gen.c
++++ b/drivers/media/test-drivers/vivid/vivid-rds-gen.c
+@@ -145,7 +145,7 @@ void vivid_rds_gen_fill(struct vivid_rds_gen *rds, unsigned freq,
+ rds->ta = alt;
+ rds->ms = true;
+ snprintf(rds->psname, sizeof(rds->psname), "%6d.%1d",
+- freq / 16, ((freq & 0xf) * 10) / 16);
++ (freq / 16) % 1000000, (((freq & 0xf) * 10) / 16) % 10);
+ if (alt)
+ strscpy(rds->radiotext,
+ " The Radio Data System can switch between different Radio Texts ",
+--
+2.42.0
+
diff --git a/queue-5.10/misc-pci_endpoint_test-add-device-id-for-r-car-s4-8-.patch b/queue-5.10/misc-pci_endpoint_test-add-device-id-for-r-car-s4-8-.patch
new file mode 100644
index 00000000000..91541466f84
--- /dev/null
+++ b/queue-5.10/misc-pci_endpoint_test-add-device-id-for-r-car-s4-8-.patch
@@ -0,0 +1,49 @@
+From 9ffbf4db74f62fd02af18168ec8d8bb6fbaf495d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 18 Oct 2023 17:56:31 +0900
+Subject: misc: pci_endpoint_test: Add Device ID for R-Car S4-8 PCIe controller
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yoshihiro Shimoda
+
+[ Upstream commit 6c4b39937f4e65688ea294725ae432b2565821ff ]
+
+Add Renesas R8A779F0 in pci_device_id table so that pci-epf-test
+can be used for testing PCIe EP on R-Car S4-8.
+
+Link: https://lore.kernel.org/linux-pci/20231018085631.1121289-16-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Yoshihiro Shimoda
+Signed-off-by: Krzysztof Wilczyński
+Acked-by: Manivannan Sadhasivam
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/pci_endpoint_test.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/misc/pci_endpoint_test.c b/drivers/misc/pci_endpoint_test.c
+index 6c4c85eb71479..b4a07a166605a 100644
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -79,6 +79,7 @@
+ #define PCI_DEVICE_ID_RENESAS_R8A774B1 0x002b
+ #define PCI_DEVICE_ID_RENESAS_R8A774C0 0x002d
+ #define PCI_DEVICE_ID_RENESAS_R8A774E1 0x0025
++#define PCI_DEVICE_ID_RENESAS_R8A779F0 0x0031
+
+ static DEFINE_IDA(pci_endpoint_test_ida);
+
+@@ -993,6 +994,9 @@ static const struct pci_device_id pci_endpoint_test_tbl[] = {
+ { PCI_DEVICE(PCI_VENDOR_ID_RENESAS, PCI_DEVICE_ID_RENESAS_R8A774B1),},
+ { PCI_DEVICE(PCI_VENDOR_ID_RENESAS, PCI_DEVICE_ID_RENESAS_R8A774C0),},
+ { PCI_DEVICE(PCI_VENDOR_ID_RENESAS, PCI_DEVICE_ID_RENESAS_R8A774E1),},
++ { PCI_DEVICE(PCI_VENDOR_ID_RENESAS, PCI_DEVICE_ID_RENESAS_R8A779F0),
++ .driver_data = (kernel_ulong_t)&default_data,
++ },
+ { PCI_DEVICE(PCI_VENDOR_ID_TI, PCI_DEVICE_ID_TI_J721E),
+ .driver_data = (kernel_ulong_t)&j721e_data,
+ },
+--
+2.42.0
+
diff --git a/queue-5.10/net-annotate-data-races-around-sk-sk_dst_pending_con.patch b/queue-5.10/net-annotate-data-races-around-sk-sk_dst_pending_con.patch
new file mode 100644
index 00000000000..302d01d67e0
--- /dev/null
+++ b/queue-5.10/net-annotate-data-races-around-sk-sk_dst_pending_con.patch
@@ -0,0 +1,82 @@
+From f22b83cc813cbdef78e29e922ed374b496121690 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Sep 2023 20:28:18 +0000
+Subject: net: annotate data-races around sk->sk_dst_pending_confirm
+
+From: Eric Dumazet
+
+[ Upstream commit eb44ad4e635132754bfbcb18103f1dcb7058aedd ]
+
+This field can be read or written without socket lock being held.
+
+Add annotations to avoid load-store tearing.
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/sock.h | 6 +++---
+ net/core/sock.c | 2 +-
+ net/ipv4/tcp_output.c | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 9d5e603a10f5a..87ee284ea9cb3 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2013,7 +2013,7 @@ static inline void __dst_negative_advice(struct sock *sk)
+ if (ndst != dst) {
+ rcu_assign_pointer(sk->sk_dst_cache, ndst);
+ sk_tx_queue_clear(sk);
+- sk->sk_dst_pending_confirm = 0;
++ WRITE_ONCE(sk->sk_dst_pending_confirm, 0);
+ }
+ }
+ }
+@@ -2030,7 +2030,7 @@ __sk_dst_set(struct sock *sk, struct dst_entry *dst)
+ struct dst_entry *old_dst;
+
+ sk_tx_queue_clear(sk);
+- sk->sk_dst_pending_confirm = 0;
++ WRITE_ONCE(sk->sk_dst_pending_confirm, 0);
+ old_dst = rcu_dereference_protected(sk->sk_dst_cache,
+ lockdep_sock_is_held(sk));
+ rcu_assign_pointer(sk->sk_dst_cache, dst);
+@@ -2043,7 +2043,7 @@ sk_dst_set(struct sock *sk, struct dst_entry *dst)
+ struct dst_entry *old_dst;
+
+ sk_tx_queue_clear(sk);
+- sk->sk_dst_pending_confirm = 0;
++ WRITE_ONCE(sk->sk_dst_pending_confirm, 0);
+ old_dst = xchg((__force struct dst_entry **)&sk->sk_dst_cache, dst);
+ dst_release(old_dst);
+ }
+diff --git a/net/core/sock.c b/net/core/sock.c
+index fcb998dc2dc68..a069b5476df46 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -532,7 +532,7 @@ struct dst_entry *__sk_dst_check(struct sock *sk, u32 cookie)
+
+ if (dst && dst->obsolete && dst->ops->check(dst, cookie) == NULL) {
+ sk_tx_queue_clear(sk);
+- sk->sk_dst_pending_confirm = 0;
++ WRITE_ONCE(sk->sk_dst_pending_confirm, 0);
+ RCU_INIT_POINTER(sk->sk_dst_cache, NULL);
+ dst_release(dst);
+ return NULL;
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 4df287885dd75..f8ad8465f76cb 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1320,7 +1320,7 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
+ skb_set_hash_from_sk(skb, sk);
+ refcount_add(skb->truesize, &sk->sk_wmem_alloc);
+
+- skb_set_dst_pending_confirm(skb, sk->sk_dst_pending_confirm);
++ skb_set_dst_pending_confirm(skb, READ_ONCE(sk->sk_dst_pending_confirm));
+
+ /* Build TCP header and checksum it. */
+ th = (struct tcphdr *)skb->data;
+--
+2.42.0
+
diff --git a/queue-5.10/net-annotate-data-races-around-sk-sk_tx_queue_mappin.patch b/queue-5.10/net-annotate-data-races-around-sk-sk_tx_queue_mappin.patch
new file mode 100644
index 00000000000..d06d65e51cf
--- /dev/null
+++ b/queue-5.10/net-annotate-data-races-around-sk-sk_tx_queue_mappin.patch
@@ -0,0 +1,65 @@
+From 6cfef1062aa68645fa78804b62cb0dd70a781c33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Sep 2023 20:28:17 +0000
+Subject: net: annotate data-races around sk->sk_tx_queue_mapping
+
+From: Eric Dumazet
+
+[ Upstream commit 0bb4d124d34044179b42a769a0c76f389ae973b6 ]
+
+This field can be read or written without socket lock being held.
+
+Add annotations to avoid load-store tearing.
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/sock.h | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 234196d904238..9d5e603a10f5a 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1853,21 +1853,33 @@ static inline void sk_tx_queue_set(struct sock *sk, int tx_queue)
+ /* sk_tx_queue_mapping accept only upto a 16-bit value */
+ if (WARN_ON_ONCE((unsigned short)tx_queue >= USHRT_MAX))
+ return;
+- sk->sk_tx_queue_mapping = tx_queue;
++ /* Paired with READ_ONCE() in sk_tx_queue_get() and
++ * other WRITE_ONCE() because socket lock might be not held.
++ */
++ WRITE_ONCE(sk->sk_tx_queue_mapping, tx_queue);
+ }
+
+ #define NO_QUEUE_MAPPING USHRT_MAX
+
+ static inline void sk_tx_queue_clear(struct sock *sk)
+ {
+- sk->sk_tx_queue_mapping = NO_QUEUE_MAPPING;
++ /* Paired with READ_ONCE() in sk_tx_queue_get() and
++ * other WRITE_ONCE() because socket lock might be not held.
++ */
++ WRITE_ONCE(sk->sk_tx_queue_mapping, NO_QUEUE_MAPPING);
+ }
+
+ static inline int sk_tx_queue_get(const struct sock *sk)
+ {
+- if (sk && sk->sk_tx_queue_mapping != NO_QUEUE_MAPPING)
+- return sk->sk_tx_queue_mapping;
++ if (sk) {
++ /* Paired with WRITE_ONCE() in sk_tx_queue_clear()
++ * and sk_tx_queue_set().
++ */
++ int val = READ_ONCE(sk->sk_tx_queue_mapping);
+
++ if (val != NO_QUEUE_MAPPING)
++ return val;
++ }
+ return -1;
+ }
+
+--
+2.42.0
+
diff --git a/queue-5.10/net-ethernet-cortina-fix-max-rx-frame-define.patch b/queue-5.10/net-ethernet-cortina-fix-max-rx-frame-define.patch
new file mode 100644
index 00000000000..45ecf12aeac
--- /dev/null
+++ b/queue-5.10/net-ethernet-cortina-fix-max-rx-frame-define.patch
@@ -0,0 +1,55 @@ +From addf62f18a3af9fac12e4eaf2418d832241a4606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Nov 2023 10:03:12 +0100 +Subject: net: ethernet: cortina: Fix max RX frame define + +From: Linus Walleij + +[ Upstream commit 510e35fb931ffc3b100e5d5ae4595cd3beca9f1a ] + +Enumerator 3 is 1548 bytes according to the datasheet. +Not 1542. + +Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet") +Reviewed-by: Andrew Lunn +Signed-off-by: Linus Walleij +Reviewed-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20231109-gemini-largeframe-fix-v4-1-6e611528db08@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 4 ++-- + drivers/net/ethernet/cortina/gemini.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 85ea073b742fb..6c735e0d1950f 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -433,8 +433,8 @@ static const struct gmac_max_framelen gmac_maxlens[] = { + .val = CONFIG0_MAXLEN_1536, + }, + { +- .max_l3_len = 1542, +- .val = CONFIG0_MAXLEN_1542, ++ .max_l3_len = 1548, ++ .val = CONFIG0_MAXLEN_1548, + }, + { + .max_l3_len = 9212, +diff --git a/drivers/net/ethernet/cortina/gemini.h b/drivers/net/ethernet/cortina/gemini.h +index 9fdf77d5eb374..99efb11557436 100644 +--- a/drivers/net/ethernet/cortina/gemini.h ++++ b/drivers/net/ethernet/cortina/gemini.h +@@ -787,7 +787,7 @@ union gmac_config0 { + #define CONFIG0_MAXLEN_1536 0 + #define CONFIG0_MAXLEN_1518 1 + #define CONFIG0_MAXLEN_1522 2 +-#define CONFIG0_MAXLEN_1542 3 ++#define CONFIG0_MAXLEN_1548 3 + #define CONFIG0_MAXLEN_9k 4 /* 9212 */ + #define CONFIG0_MAXLEN_10k 5 /* 10236 */ + #define CONFIG0_MAXLEN_1518__6 6 +-- +2.42.0 + 
diff --git a/queue-5.10/net-ethernet-cortina-fix-mtu-max-setting.patch b/queue-5.10/net-ethernet-cortina-fix-mtu-max-setting.patch new file mode 100644 index 00000000000..b7ec9a9267c --- /dev/null +++ b/queue-5.10/net-ethernet-cortina-fix-mtu-max-setting.patch 
@@ -0,0 +1,91 @@ +From ed06ee8eca765cb845fb78fc14fe06752915ddac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Nov 2023 10:03:14 +0100 +Subject: net: ethernet: cortina: Fix MTU max setting + +From: Linus Walleij + +[ Upstream commit dc6c0bfbaa947dd7976e30e8c29b10c868b6fa42 ] + +The RX max frame size is over 10000 for the Gemini ethernet, +but the TX max frame size is actually just 2047 (0x7ff after +checking the datasheet). Reflect this in what we offer to Linux, +cap the MTU at the TX max frame minus ethernet headers. + +We delete the code disabling the hardware checksum for large +MTUs as netdev->mtu can no longer be larger than +netdev->max_mtu meaning the if()-clause in gmac_fix_features() +is never true. + +Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet") +Reviewed-by: Andrew Lunn +Signed-off-by: Linus Walleij +Reviewed-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20231109-gemini-largeframe-fix-v4-3-6e611528db08@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 17 ++++------------- + drivers/net/ethernet/cortina/gemini.h | 2 +- + 2 files changed, 5 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 9ed883e8155ec..c78587ddb32fd 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -2001,15 +2001,6 @@ static int gmac_change_mtu(struct net_device *netdev, int new_mtu) + return 0; + } + +-static netdev_features_t gmac_fix_features(struct net_device *netdev, +- netdev_features_t features) +-{ +- if (netdev->mtu + ETH_HLEN + VLAN_HLEN > MTU_SIZE_BIT_MASK) +- features &= ~GMAC_OFFLOAD_FEATURES; +- +- return features; +-} +- + static int gmac_set_features(struct net_device *netdev, + netdev_features_t features) + { +@@ -2227,7 +2218,6 @@ static const struct net_device_ops gmac_351x_ops = { + .ndo_set_mac_address = 
gmac_set_mac_address, + .ndo_get_stats64 = gmac_get_stats64, + .ndo_change_mtu = gmac_change_mtu, +- .ndo_fix_features = gmac_fix_features, + .ndo_set_features = gmac_set_features, + }; + +@@ -2485,11 +2475,12 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + + netdev->hw_features = GMAC_OFFLOAD_FEATURES; + netdev->features |= GMAC_OFFLOAD_FEATURES | NETIF_F_GRO; +- /* We can handle jumbo frames up to 10236 bytes so, let's accept +- * payloads of 10236 bytes minus VLAN and ethernet header ++ /* We can receive jumbo frames up to 10236 bytes but only ++ * transmit 2047 bytes so, let's accept payloads of 2047 ++ * bytes minus VLAN and ethernet header + */ + netdev->min_mtu = ETH_MIN_MTU; +- netdev->max_mtu = 10236 - VLAN_ETH_HLEN; ++ netdev->max_mtu = MTU_SIZE_BIT_MASK - VLAN_ETH_HLEN; + + port->freeq_refill = 0; + netif_napi_add(netdev, &port->napi, gmac_napi_poll, +diff --git a/drivers/net/ethernet/cortina/gemini.h b/drivers/net/ethernet/cortina/gemini.h +index 99efb11557436..24bb989981f23 100644 +--- a/drivers/net/ethernet/cortina/gemini.h ++++ b/drivers/net/ethernet/cortina/gemini.h +@@ -502,7 +502,7 @@ union gmac_txdesc_3 { + #define SOF_BIT 0x80000000 + #define EOF_BIT 0x40000000 + #define EOFIE_BIT BIT(29) +-#define MTU_SIZE_BIT_MASK 0x1fff ++#define MTU_SIZE_BIT_MASK 0x7ff /* Max MTU 2047 bytes */ + + /* GMAC Tx Descriptor */ + struct gmac_txdesc { +-- +2.42.0 + diff --git a/queue-5.10/net-ethernet-cortina-handle-large-frames.patch b/queue-5.10/net-ethernet-cortina-handle-large-frames.patch new file mode 100644 index 00000000000..57b7097d3bf --- /dev/null +++ b/queue-5.10/net-ethernet-cortina-handle-large-frames.patch 
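Review bot: The comment added to `MTU_SIZE_BIT_MASK` in gemini.h says "Max MTU 2047 bytes", but the probe code in the same patch sets `netdev->max_mtu = MTU_SIZE_BIT_MASK - VLAN_ETH_HLEN`, so 2047 is the largest TX frame and not the largest MTU. I would word it as `#define MTU_SIZE_BIT_MASK 0x7ff /* Max TX frame 2047 bytes, headers included */`. The macro is still named as a bit mask while it now serves as the size limit. Any other user that masks a descriptor word with it lies outside these hunks and is worth checking when this is backported.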
@@ -0,0 +1,111 @@ +From 5f70f08974893b63421a686b9ee88370ffea59cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Nov 2023 10:03:13 +0100 +Subject: net: ethernet: cortina: Handle large frames + +From: Linus Walleij + +[ Upstream commit d4d0c5b4d279bfe3585fbd806efefd3e51c82afa ] + +The Gemini ethernet controller provides hardware checksumming +for frames up to 1514 bytes including ethernet headers but not +FCS. + +If we start sending bigger frames (after first bumping up the MTU +on both interfaces sending and receiving the frames), truncated +packets start to appear on the target such as in this tcpdump +resulting from ping -s 1474: + +23:34:17.241983 14:d6:4d:a8:3c:4f (oui Unknown) > bc:ae:c5:6b:a8:3d (oui Unknown), +ethertype IPv4 (0x0800), length 1514: truncated-ip - 2 bytes missing! +(tos 0x0, ttl 64, id 32653, offset 0, flags [DF], proto ICMP (1), length 1502) +OpenWrt.lan > Fecusia: ICMP echo request, id 1672, seq 50, length 1482 + +If we bypass the hardware checksumming and provide a software +fallback, everything starts working fine up to the max TX MTU +of 2047 bytes, for example ping -s2000 192.168.1.2: + +00:44:29.587598 bc:ae:c5:6b:a8:3d (oui Unknown) > 14:d6:4d:a8:3c:4f (oui Unknown), +ethertype IPv4 (0x0800), length 2042: +(tos 0x0, ttl 64, id 51828, offset 0, flags [none], proto ICMP (1), length 2028) +Fecusia > OpenWrt.lan: ICMP echo reply, id 1683, seq 4, length 2008 + +The bit enabling to bypass hardware checksum (or any of the +"TSS" bits) are undocumented in the hardware reference manual. +The entire hardware checksum unit appears undocumented. The +conclusion that we need to use the "bypass" bit was found by +trial-and-error. + +Since no hardware checksum will happen, we slot in a software +checksum fallback. + +Check for the condition where we need to compute checksum on the +skb with either hardware or software using == CHECKSUM_PARTIAL instead +of != CHECKSUM_NONE which is an incomplete check according to +. 
+ +On the D-Link DIR-685 router this fixes a bug on the conduit +interface to the RTL8366RB DSA switch: as the switch needs to add +space for its tag it increases the MTU on the conduit interface +to 1504 and that means that when the router sends packages +of 1500 bytes these get an extra 4 bytes of DSA tag and the +transfer fails because of the erroneous hardware checksumming, +affecting such basic functionality as the LuCI web interface. + +Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet") +Signed-off-by: Linus Walleij +Reviewed-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20231109-gemini-largeframe-fix-v4-2-6e611528db08@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 6c735e0d1950f..9ed883e8155ec 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -1146,6 +1146,7 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb, + dma_addr_t mapping; + unsigned short mtu; + void *buffer; ++ int ret; + + mtu = ETH_HLEN; + mtu += netdev->mtu; +@@ -1160,9 +1161,30 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb, + word3 |= mtu; + } + +- if (skb->ip_summed != CHECKSUM_NONE) { ++ if (skb->len >= ETH_FRAME_LEN) { ++ /* Hardware offloaded checksumming isn't working on frames ++ * bigger than 1514 bytes. A hypothesis about this is that the ++ * checksum buffer is only 1518 bytes, so when the frames get ++ * bigger they get truncated, or the last few bytes get ++ * overwritten by the FCS. ++ * ++ * Just use software checksumming and bypass on bigger frames. 
++ */ ++ if (skb->ip_summed == CHECKSUM_PARTIAL) { ++ ret = skb_checksum_help(skb); ++ if (ret) ++ return ret; ++ } ++ word1 |= TSS_BYPASS_BIT; ++ } else if (skb->ip_summed == CHECKSUM_PARTIAL) { + int tcp = 0; + ++ /* We do not switch off the checksumming on non TCP/UDP ++ * frames: as is shown from tests, the checksumming engine ++ * is smart enough to see that a frame is not actually TCP ++ * or UDP and then just pass it through without any changes ++ * to the frame. ++ */ + if (skb->protocol == htons(ETH_P_IP)) { + word1 |= TSS_IP_CHKSUM_BIT; + tcp = ip_hdr(skb)->protocol == IPPROTO_TCP; +-- +2.42.0 + diff --git a/queue-5.10/net-hns3-fix-variable-may-not-initialized-problem-in.patch b/queue-5.10/net-hns3-fix-variable-may-not-initialized-problem-in.patch new file mode 100644 index 00000000000..845bee7c52f --- /dev/null +++ b/queue-5.10/net-hns3-fix-variable-may-not-initialized-problem-in.patch 
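Review bot: The new `if (skb->len >= ETH_FRAME_LEN)` branch in gmac_map_tx_bufs() disagrees with its own comment, which says hardware checksumming fails on frames "bigger than 1514 bytes", and with the description, which says it works "up to 1514 bytes". As written, a frame of exactly ETH_FRAME_LEN, which is every full-size frame at the default MTU, takes the software path and sets `TSS_BYPASS_BIT`. Either the test should be `if (skb->len > ETH_FRAME_LEN)` or the comment should read "frames of 1514 bytes or more"; since the checksum unit is undocumented, the comment should say which boundary was actually tested. The function starts and ends outside the hunk, so how the caller treats the new `return ret` after skb_checksum_help() cannot be confirmed from here.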
@@ -0,0 +1,38 @@ +From f936f2fbe2ecac17e9fad0e3cc281c2d28715765 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Nov 2023 17:37:11 +0800 +Subject: net: hns3: fix variable may not initialized problem in + hns3_init_mac_addr() + +From: Yonglong Liu + +[ Upstream commit dbd2f3b20c6ae425665b6975d766e3653d453e73 ] + +When a VF is calling hns3_init_mac_addr(), get_mac_addr() may +return fail, then the value of mac_addr_temp is not initialized. + +Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC") +Signed-off-by: Yonglong Liu +Signed-off-by: Jijie Shao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index ae7cd73c823b7..4df5e91e86ce7 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -3974,7 +3974,7 @@ static int hns3_init_mac_addr(struct net_device *netdev) + { + struct hns3_nic_priv *priv = netdev_priv(netdev); + struct hnae3_handle *h = priv->ae_handle; +- u8 mac_addr_temp[ETH_ALEN]; ++ u8 mac_addr_temp[ETH_ALEN] = {0}; + int ret = 0; + + if (h->ae_algo->ops->get_mac_addr) +-- +2.42.0 + diff --git a/queue-5.10/net-hns3-fix-vf-reset-fail-issue.patch b/queue-5.10/net-hns3-fix-vf-reset-fail-issue.patch new file mode 100644 index 00000000000..5572cd5bae9 --- /dev/null +++ b/queue-5.10/net-hns3-fix-vf-reset-fail-issue.patch 
@@ -0,0 +1,83 @@ +From 51cdeaea2d75e0a01405ec984089068de67fecdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Nov 2023 17:37:12 +0800 +Subject: net: hns3: fix VF reset fail issue + +From: Jijie Shao + +[ Upstream commit 65e98bb56fa3ce2edb400930c05238c9b380500e ] + +Currently the reset process in hns3 and firmware watchdog init process is +asynchronous. We think firmware watchdog initialization is completed +before VF clear the interrupt source. However, firmware initialization +may not complete early. So VF will receive multiple reset interrupts +and fail to reset. + +So we add delay before VF interrupt source and 5 ms delay +is enough to avoid second reset interrupt. + +Fixes: 427900d27d86 ("net: hns3: fix the timing issue of VF clearing interrupt sources") +Signed-off-by: Jijie Shao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 14 +++++++++++++- + .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 + + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index 7d05915c35e38..2bb0ce1761fb0 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -2363,8 +2363,18 @@ static enum hclgevf_evt_cause hclgevf_check_evt_cause(struct hclgevf_dev *hdev, + return HCLGEVF_VECTOR0_EVENT_OTHER; + } + ++static void hclgevf_reset_timer(struct timer_list *t) ++{ ++ struct hclgevf_dev *hdev = from_timer(hdev, t, reset_timer); ++ ++ hclgevf_clear_event_cause(hdev, HCLGEVF_VECTOR0_EVENT_RST); ++ hclgevf_reset_task_schedule(hdev); ++} ++ + static irqreturn_t hclgevf_misc_irq_handle(int irq, void *data) + { ++#define HCLGEVF_RESET_DELAY 5 ++ + enum hclgevf_evt_cause event_cause; + struct hclgevf_dev *hdev = data; + u32 clearval; +@@ -2376,7 +2386,8 @@ static irqreturn_t 
hclgevf_misc_irq_handle(int irq, void *data) + + switch (event_cause) { + case HCLGEVF_VECTOR0_EVENT_RST: +- hclgevf_reset_task_schedule(hdev); ++ mod_timer(&hdev->reset_timer, ++ jiffies + msecs_to_jiffies(HCLGEVF_RESET_DELAY)); + break; + case HCLGEVF_VECTOR0_EVENT_MBX: + hclgevf_mbx_handler(hdev); +@@ -3269,6 +3280,7 @@ static int hclgevf_init_hdev(struct hclgevf_dev *hdev) + HCLGEVF_DRIVER_NAME); + + hclgevf_task_schedule(hdev, round_jiffies_relative(HZ)); ++ timer_setup(&hdev->reset_timer, hclgevf_reset_timer, 0); + + return 0; + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h +index c9b0fa5e8589d..9469af8c49ace 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h +@@ -274,6 +274,7 @@ struct hclgevf_dev { + enum hnae3_reset_type reset_level; + unsigned long reset_pending; + enum hnae3_reset_type reset_type; ++ struct timer_list reset_timer; + + #define HCLGEVF_RESET_REQUESTED 0 + #define HCLGEVF_RESET_PENDING 1 +-- +2.42.0 + diff --git a/queue-5.10/net-mlx5_core-clean-driver-version-and-name.patch b/queue-5.10/net-mlx5_core-clean-driver-version-and-name.patch new file mode 100644 index 00000000000..fb2a0a39e52 --- /dev/null +++ b/queue-5.10/net-mlx5_core-clean-driver-version-and-name.patch 
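Review bot: `hdev->reset_timer` is armed from hclgevf_misc_irq_handle() and initialised in hclgevf_init_hdev(), but nothing in this patch cancels it, so a reset interrupt shortly before teardown can leave hclgevf_reset_timer() pending against a `hdev` that is going away. Unless the uninit path already covers this outside the hunks shown, it needs `del_timer_sync(&hdev->reset_timer);` once the misc interrupt has been disabled. The `timer_setup()` call also sits at the very end of hclgevf_init_hdev(); if the misc IRQ can fire before that point, `mod_timer()` would run on an uninitialised timer, so the setup is safer placed before the interrupt is enabled. Both functions extend beyond the hunks, so the ordering should be confirmed against the full file.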
@@ -0,0 +1,163 @@ +From 68c6b47813db032918e134fe407ba47c3ddd9e74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Oct 2020 14:30:58 +0300 +Subject: net/mlx5_core: Clean driver version and name + +From: Leon Romanovsky + +[ Upstream commit 17a7612b99e66d2539341ab4f888f970c2c7f76d ] + +Remove exposed driver version as it was done in other drivers, +so module version will work correctly by displaying the kernel +version for which it is compiled. + +And move mlx5_core module name to general include, so auxiliary drivers +will be able to use it as a basis for a name in their device ID tables. + +Reviewed-by: Parav Pandit +Reviewed-by: Roi Dayan +Signed-off-by: Leon Romanovsky +Stable-dep-of: 1b2bd0c0264f ("net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 1 - + .../net/ethernet/mellanox/mlx5/core/ipoib/ethtool.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 10 ++++++---- + drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h | 3 --- + include/linux/mlx5/driver.h | 2 ++ + 7 files changed, 11 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c +index 0e699330ae77c..060561f633114 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c +@@ -52,7 +52,7 @@ mlx5_devlink_info_get(struct devlink *devlink, struct devlink_info_req *req, + u32 running_fw, stored_fw; + int err; + +- err = devlink_info_driver_name_put(req, DRIVER_NAME); ++ err = devlink_info_driver_name_put(req, KBUILD_MODNAME); + if (err) + return err; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 
6a1b1363ac16a..d3817dd07e3dc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -40,9 +40,7 @@ void mlx5e_ethtool_get_drvinfo(struct mlx5e_priv *priv, + { + struct mlx5_core_dev *mdev = priv->mdev; + +- strlcpy(drvinfo->driver, DRIVER_NAME, sizeof(drvinfo->driver)); +- strlcpy(drvinfo->version, DRIVER_VERSION, +- sizeof(drvinfo->version)); ++ strlcpy(drvinfo->driver, KBUILD_MODNAME, sizeof(drvinfo->driver)); + snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + "%d.%d.%04d (%.16s)", + fw_rev_maj(mdev), fw_rev_min(mdev), fw_rev_sub(mdev), +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index b991f03c7e991..5a13d47d2c09d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -64,7 +64,6 @@ static void mlx5e_rep_get_drvinfo(struct net_device *dev, + + strlcpy(drvinfo->driver, mlx5e_rep_driver_name, + sizeof(drvinfo->driver)); +- strlcpy(drvinfo->version, UTS_RELEASE, sizeof(drvinfo->version)); + snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + "%d.%d.%04d (%.16s)", + fw_rev_maj(mdev), fw_rev_min(mdev), +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ethtool.c +index 2cf7f0fc170b8..d7bda76507673 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ethtool.c +@@ -39,7 +39,7 @@ static void mlx5i_get_drvinfo(struct net_device *dev, + struct mlx5e_priv *priv = mlx5i_epriv(dev); + + mlx5e_ethtool_get_drvinfo(priv, drvinfo); +- strlcpy(drvinfo->driver, DRIVER_NAME "[ib_ipoib]", ++ strlcpy(drvinfo->driver, KBUILD_MODNAME "[ib_ipoib]", + sizeof(drvinfo->driver)); + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 
22907f6364f54..35e11cb883c97 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -77,7 +77,6 @@ + MODULE_AUTHOR("Eli Cohen "); + MODULE_DESCRIPTION("Mellanox 5th generation network adapters (ConnectX series) core driver"); + MODULE_LICENSE("Dual BSD/GPL"); +-MODULE_VERSION(DRIVER_VERSION); + + unsigned int mlx5_core_debug_mask; + module_param_named(debug_mask, mlx5_core_debug_mask, uint, 0644); +@@ -228,7 +227,7 @@ static void mlx5_set_driver_version(struct mlx5_core_dev *dev) + strncat(string, ",", remaining_size); + + remaining_size = max_t(int, 0, driver_ver_sz - strlen(string)); +- strncat(string, DRIVER_NAME, remaining_size); ++ strncat(string, KBUILD_MODNAME, remaining_size); + + remaining_size = max_t(int, 0, driver_ver_sz - strlen(string)); + strncat(string, ",", remaining_size); +@@ -313,7 +312,7 @@ static int request_bar(struct pci_dev *pdev) + return -ENODEV; + } + +- err = pci_request_regions(pdev, DRIVER_NAME); ++ err = pci_request_regions(pdev, KBUILD_MODNAME); + if (err) + dev_err(&pdev->dev, "Couldn't get PCI resources, aborting\n"); + +@@ -1620,7 +1619,7 @@ void mlx5_recover_device(struct mlx5_core_dev *dev) + } + + static struct pci_driver mlx5_core_driver = { +- .name = DRIVER_NAME, ++ .name = KBUILD_MODNAME, + .id_table = mlx5_core_pci_table, + .probe = init_one, + .remove = remove_one, +@@ -1646,6 +1645,9 @@ static int __init mlx5_init(void) + { + int err; + ++ WARN_ONCE(strcmp(MLX5_ADEV_NAME, KBUILD_MODNAME), ++ "mlx5_core name not in sync with kernel module name"); ++ + get_random_bytes(&sw_owner_id, sizeof(sw_owner_id)); + + mlx5_core_verify_params(); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h +index 8cec85ab419d0..b285f1515e4e8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h +@@ -42,9 +42,6 @@ + #include + #include + 
+-#define DRIVER_NAME "mlx5_core" +-#define DRIVER_VERSION "5.0-0" +- + extern uint mlx5_core_debug_mask; + + #define mlx5_core_dbg(__dev, format, ...) \ +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 4f95b98215d81..2cd89af4dbf62 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -56,6 +56,8 @@ + #include + #include + ++#define MLX5_ADEV_NAME "mlx5_core" ++ + enum { + MLX5_BOARD_ID_LEN = 64, + }; +-- +2.42.0 + diff --git a/queue-5.10/net-mlx5e-check-return-value-of-snprintf-writing-to-.patch b/queue-5.10/net-mlx5e-check-return-value-of-snprintf-writing-to-.patch new file mode 100644 index 00000000000..44e29b59150 --- /dev/null +++ b/queue-5.10/net-mlx5e-check-return-value-of-snprintf-writing-to-.patch 
@@ -0,0 +1,74 @@ +From 12e972423f396c462ab31c3ceb0da130942df6d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Nov 2023 13:58:46 -0800 +Subject: net/mlx5e: Check return value of snprintf writing to fw_version + buffer for representors + +From: Rahul Rameshbabu + +[ Upstream commit 1b2bd0c0264febcd8d47209079a6671c38e6558b ] + +Treat the operation as an error case when the return value is equivalent to +the size of the name buffer. Failed to write null terminator to the name +buffer, making the string malformed and should not be used. Provide a +string with only the firmware version when forming the string with the +board id fails. This logic for representors is identical to normal flow +with ethtool. + +Without check, will trigger -Wformat-truncation with W=1. + + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c: In function 'mlx5e_rep_get_drvinfo': + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c:78:31: warning: '%.16s' directive output may be truncated writing up to 16 bytes into a region of size between 13 and 22 [-Wformat-truncation=] + 78 | "%d.%d.%04d (%.16s)", + | ^~~~~ + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c:77:9: note: 'snprintf' output between 12 and 37 bytes into a destination of size 32 + 77 | snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 78 | "%d.%d.%04d (%.16s)", + | ~~~~~~~~~~~~~~~~~~~~~ + 79 | fw_rev_maj(mdev), fw_rev_min(mdev), + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 80 | fw_rev_sub(mdev), mdev->board_id); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fixes: cf83c8fdcd47 ("net/mlx5e: Add missing ethtool driver info for representors") +Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6d4ab2e97dcfbcd748ae71761a9d8e5e41cc732c +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Dragos Tatulea +Signed-off-by: Saeed Mahameed +Link: https://lore.kernel.org/r/20231114215846.5902-16-saeed@kernel.org +Signed-off-by: Jakub Kicinski 
+Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 5a13d47d2c09d..f9f1a79d6bddb 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -61,13 +61,17 @@ static void mlx5e_rep_get_drvinfo(struct net_device *dev, + { + struct mlx5e_priv *priv = netdev_priv(dev); + struct mlx5_core_dev *mdev = priv->mdev; ++ int count; + + strlcpy(drvinfo->driver, mlx5e_rep_driver_name, + sizeof(drvinfo->driver)); +- snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), +- "%d.%d.%04d (%.16s)", +- fw_rev_maj(mdev), fw_rev_min(mdev), +- fw_rev_sub(mdev), mdev->board_id); ++ count = snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), ++ "%d.%d.%04d (%.16s)", fw_rev_maj(mdev), ++ fw_rev_min(mdev), fw_rev_sub(mdev), mdev->board_id); ++ if (count == sizeof(drvinfo->fw_version)) ++ snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), ++ "%d.%d.%04d", fw_rev_maj(mdev), ++ fw_rev_min(mdev), fw_rev_sub(mdev)); + } + + static void mlx5e_uplink_rep_get_drvinfo(struct net_device *dev, +-- +2.42.0 + diff --git a/queue-5.10/net-mlx5e-fix-double-free-of-encap_header.patch b/queue-5.10/net-mlx5e-fix-double-free-of-encap_header.patch new file mode 100644 index 00000000000..2715a7dfe63 --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-double-free-of-encap_header.patch 
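Review bot: The truncation test `if (count == sizeof(drvinfo->fw_version))` in mlx5e_rep_get_drvinfo() catches only one length, because snprintf() returns the length the complete string would have had, and the compiler output quoted in the description puts that at up to 37 bytes for this 32-byte buffer. Longer results are truncated and still accepted, so the version-only fallback never runs for them; the check should be `if (count >= sizeof(drvinfo->fw_version))`. snprintf() always terminates the buffer, so the outcome is a cut-off string rather than the missing terminator the description mentions. The description says the ethtool path uses identical logic, so it likely needs the same comparison.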
@@ -0,0 +1,82 @@ +From e4f26f1e12bbec8a4b9920f93a7ed4ccf70fa018 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Nov 2023 13:58:36 -0800 +Subject: net/mlx5e: fix double free of encap_header + +From: Dust Li + +[ Upstream commit 6f9b1a0731662648949a1c0587f6acb3b7f8acf1 ] + +When mlx5_packet_reformat_alloc() fails, the encap_header allocated in +mlx5e_tc_tun_create_header_ipv4{6} will be released within it. However, +e->encap_header is already set to the previously freed encap_header +before mlx5_packet_reformat_alloc(). As a result, the later +mlx5e_encap_put() will free e->encap_header again, causing a double free +issue. + +mlx5e_encap_put() + --> mlx5e_encap_dealloc() + --> kfree(e->encap_header) + +This happens when cmd: MLX5_CMD_OP_ALLOC_PACKET_REFORMAT_CONTEXT fail. + +This patch fix it by not setting e->encap_header until +mlx5_packet_reformat_alloc() success. + +Fixes: d589e785baf5e ("net/mlx5e: Allow concurrent creation of encap entries") +Reported-by: Cruz Zhao +Reported-by: Tianchen Ding +Signed-off-by: Dust Li +Reviewed-by: Wojciech Drewek +Signed-off-by: Saeed Mahameed +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +index 90930e54b6f28..05bcd69994eca 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +@@ -267,9 +267,6 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv, + if (err) + goto destroy_neigh_entry; + +- e->encap_size = ipv4_encap_size; +- e->encap_header = encap_header; +- + if (!(nud_state & NUD_VALID)) { + neigh_event_send(n, NULL); + /* the encap entry will be made valid on neigh update event +@@ -286,6 +283,8 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv, + goto 
destroy_neigh_entry; + } + ++ e->encap_size = ipv4_encap_size; ++ e->encap_header = encap_header; + e->flags |= MLX5_ENCAP_ENTRY_VALID; + mlx5e_rep_queue_neigh_stats_work(netdev_priv(out_dev)); + mlx5e_route_lookup_ipv4_put(route_dev, n); +@@ -431,9 +430,6 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv, + if (err) + goto destroy_neigh_entry; + +- e->encap_size = ipv6_encap_size; +- e->encap_header = encap_header; +- + if (!(nud_state & NUD_VALID)) { + neigh_event_send(n, NULL); + /* the encap entry will be made valid on neigh update event +@@ -451,6 +447,8 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv, + goto destroy_neigh_entry; + } + ++ e->encap_size = ipv6_encap_size; ++ e->encap_header = encap_header; + e->flags |= MLX5_ENCAP_ENTRY_VALID; + mlx5e_rep_queue_neigh_stats_work(netdev_priv(out_dev)); + mlx5e_route_lookup_ipv6_put(route_dev, n); +-- +2.42.0 + diff --git a/queue-5.10/net-stmmac-fix-rx-budget-limit-check.patch b/queue-5.10/net-stmmac-fix-rx-budget-limit-check.patch new file mode 100644 index 00000000000..4f445c07a6e --- /dev/null +++ b/queue-5.10/net-stmmac-fix-rx-budget-limit-check.patch 
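Review bot: Moving `e->encap_size` and `e->encap_header` below the `if (!(nud_state & NUD_VALID))` branch in mlx5e_tc_tun_create_header_ipv4() means the early exit in that branch now leaves the entry without its header. The comment in that branch says the entry "will be made valid on neigh update event", so the later update would presumably find `e->encap_header` unset, and the buffer built above is then owned by nobody. The branch's exit is outside the hunk, so this needs confirming against the full function. A narrower fix would keep the original assignment and reset both fields only on the mlx5_packet_reformat_alloc() failure path, before `goto destroy_neigh_entry`. The mlx5e_tc_tun_create_header_ipv6() hunk has the same shape and the same concern.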
@@ -0,0 +1,46 @@ +From 58817889e408e727b6601ffe7fedb6088e60920d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Nov 2023 19:42:49 +0200 +Subject: net: stmmac: fix rx budget limit check + +From: Baruch Siach + +[ Upstream commit fa02de9e75889915b554eda1964a631fd019973b ] + +The while loop condition verifies 'count < limit'. Neither value change +before the 'count >= limit' check. As is this check is dead code. But +code inspection reveals a code path that modifies 'count' and then goto +'drain_data' and back to 'read_again'. So there is a need to verify +count value sanity after 'read_again'. + +Move 'read_again' up to fix the count limit check. + +Fixes: ec222003bd94 ("net: stmmac: Prepare to add Split Header support") +Signed-off-by: Baruch Siach +Reviewed-by: Serge Semin +Link: https://lore.kernel.org/r/d9486296c3b6b12ab3a0515fcd47d56447a07bfc.1699897370.git.baruch@tkos.co.il +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 83e9a4d019c16..59a07a01e80ca 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3858,10 +3858,10 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + len = 0; + } + ++read_again: + if (count >= limit) + break; + +-read_again: + buf1_len = 0; + buf2_len = 0; + entry = next_entry; +-- +2.42.0 + diff --git a/queue-5.10/netfilter-nf_conntrack_bridge-initialize-err-to-0.patch b/queue-5.10/netfilter-nf_conntrack_bridge-initialize-err-to-0.patch new file mode 100644 index 00000000000..d7adda44175 --- /dev/null +++ b/queue-5.10/netfilter-nf_conntrack_bridge-initialize-err-to-0.patch 
@@ -0,0 +1,43 @@ +From 1805e809eeaea73a21fd8314ebd2f222b844002a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Nov 2023 11:20:18 +0800 +Subject: netfilter: nf_conntrack_bridge: initialize err to 0 + +From: Linkui Xiao + +[ Upstream commit a44af08e3d4d7566eeea98d7a29fe06e7b9de944 ] + +K2CI reported a problem: + + consume_skb(skb); + return err; +[nf_br_ip_fragment() error] uninitialized symbol 'err'. + +err is not initialized, because returning 0 is expected, initialize err +to 0. + +Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system") +Reported-by: k2ci +Signed-off-by: Linkui Xiao +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/nf_conntrack_bridge.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c +index fdbed31585553..d14b2dbbd1dfb 100644 +--- a/net/bridge/netfilter/nf_conntrack_bridge.c ++++ b/net/bridge/netfilter/nf_conntrack_bridge.c +@@ -36,7 +36,7 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk, + ktime_t tstamp = skb->tstamp; + struct ip_frag_state state; + struct iphdr *iph; +- int err; ++ int err = 0; + + /* for offloaded checksums cleanup checksum before fragmentation */ + if (skb->ip_summed == CHECKSUM_PARTIAL && +-- +2.42.0 + diff --git a/queue-5.10/nfsv4.1-fix-sp4_mach_cred-protection-for-pnfs-io.patch b/queue-5.10/nfsv4.1-fix-sp4_mach_cred-protection-for-pnfs-io.patch new file mode 100644 index 00000000000..83eb5f707e0 --- /dev/null +++ b/queue-5.10/nfsv4.1-fix-sp4_mach_cred-protection-for-pnfs-io.patch 
@@ -0,0 +1,48 @@
+From e0d1c77a9ca6a1940aeb5390e9d5fe775004f906 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Oct 2023 11:04:10 -0400
+Subject: NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
+
+From: Olga Kornievskaia
+
+[ Upstream commit 5cc7688bae7f0757c39c1d3dfdd827b724061067 ]
+
+If the client is doing pnfs IO and Kerberos is configured and EXCHANGEID
+successfully negotiated SP4_MACH_CRED and WRITE/COMMIT are on the
+list of state protected operations, then we need to make sure to
+choose the DS's rpc_client structure instead of the MDS's one.
+
+Fixes: fb91fb0ee7b2 ("NFS: Move call to nfs4_state_protect_write() to nfs4_write_setup()")
+Signed-off-by: Olga Kornievskaia
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/nfs4proc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 1c2ed14bccef2..f3f41027f6977 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -5508,7 +5508,7 @@ static void nfs4_proc_write_setup(struct nfs_pgio_header *hdr,
+
+ msg->rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_WRITE];
+ nfs4_init_sequence(&hdr->args.seq_args, &hdr->res.seq_res, 0, 0);
+- nfs4_state_protect_write(server->nfs_client, clnt, msg, hdr);
++ nfs4_state_protect_write(hdr->ds_clp ? hdr->ds_clp : server->nfs_client, clnt, msg, hdr);
+ }
+
+ static void nfs4_proc_commit_rpc_prepare(struct rpc_task *task, struct nfs_commit_data *data)
+@@ -5549,7 +5549,8 @@ static void nfs4_proc_commit_setup(struct nfs_commit_data *data, struct rpc_mess
+ data->res.server = server;
+ msg->rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_COMMIT];
+ nfs4_init_sequence(&data->args.seq_args, &data->res.seq_res, 1, 0);
+- nfs4_state_protect(server->nfs_client, NFS_SP4_MACH_CRED_COMMIT, clnt, msg);
++ nfs4_state_protect(data->ds_clp ? data->ds_clp : server->nfs_client,
++ NFS_SP4_MACH_CRED_COMMIT, clnt, msg);
+ }
+
+ static int _nfs4_proc_commit(struct file *dst, struct nfs_commitargs *args,
+--
+2.42.0
+
diff --git a/queue-5.10/pci-tegra194-use-field_get-field_prep-with-link-widt.patch b/queue-5.10/pci-tegra194-use-field_get-field_prep-with-link-widt.patch
new file mode 100644
index 00000000000..0aa4b8b5e8a
--- /dev/null
+++ b/queue-5.10/pci-tegra194-use-field_get-field_prep-with-link-widt.patch
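Review bot: Neither changed call says why the client handed to the state-protect helpers may now differ from `server->nfs_client`, so a later cleanup could fold the expression back and silently undo the fix; this applies to the new line in nfs4_proc_write_setup() and to the one in nfs4_proc_commit_setup(). I would put a short comment above each, for example `/* pNFS I/O goes to the DS: use its SP4_MACH_CRED state, not the MDS's */`. The fallback is also spelled out twice, and the GNU form `hdr->ds_clp ?: server->nfs_client` would bring the write_setup line back under the usual line length. Both functions start outside their hunks.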
@@ -0,0 +1,72 @@
+From b10e0b32e3a3c3d134eed979c5fbde2558e131d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Sep 2023 15:56:44 +0300
+Subject: PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit 759574abd78e3b47ec45bbd31a64e8832cf73f97 ]
+
+Use FIELD_GET() to extract PCIe Negotiated Link Width field instead of
+custom masking and shifting.
+
+Similarly, change custom code that misleadingly used
+PCI_EXP_LNKSTA_NLW_SHIFT to prepare value for PCI_EXP_LNKCAP write
+to use FIELD_PREP() with correct field define (PCI_EXP_LNKCAP_MLW).
+
+Link: https://lore.kernel.org/r/20230919125648.1920-5-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Jonathan Cameron
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/controller/dwc/pcie-tegra194.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
+index a215777df96c7..80c2015b49d8f 100644
+--- a/drivers/pci/controller/dwc/pcie-tegra194.c
++++ b/drivers/pci/controller/dwc/pcie-tegra194.c
+@@ -7,6 +7,7 @@
+ * Author: Vidya Sagar
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -346,8 +347,7 @@ static void apply_bad_link_workaround(struct pcie_port *pp)
+ */
+ val = dw_pcie_readw_dbi(pci, pcie->pcie_cap_base + PCI_EXP_LNKSTA);
+ if (val & PCI_EXP_LNKSTA_LBMS) {
+- current_link_width = (val & PCI_EXP_LNKSTA_NLW) >>
+- PCI_EXP_LNKSTA_NLW_SHIFT;
++ current_link_width = FIELD_GET(PCI_EXP_LNKSTA_NLW, val);
+ if (pcie->init_link_width > current_link_width) {
+ dev_warn(pci->dev, "PCIe link is bad, width reduced\n");
+ val = dw_pcie_readw_dbi(pci, pcie->pcie_cap_base +
+@@ -731,8 +731,7 @@ static void tegra_pcie_enable_system_interrupts(struct pcie_port *pp)
+
+ val_w = dw_pcie_readw_dbi(&pcie->pci, pcie->pcie_cap_base +
+ PCI_EXP_LNKSTA);
+- pcie->init_link_width = (val_w & PCI_EXP_LNKSTA_NLW) >>
+- PCI_EXP_LNKSTA_NLW_SHIFT;
++ pcie->init_link_width = FIELD_GET(PCI_EXP_LNKSTA_NLW, val_w);
+
+ val_w = dw_pcie_readw_dbi(&pcie->pci, pcie->pcie_cap_base +
+ PCI_EXP_LNKCTL);
+@@ -885,7 +884,7 @@ static void tegra_pcie_prepare_host(struct pcie_port *pp)
+ /* Configure Max lane width from DT */
+ val = dw_pcie_readl_dbi(pci, pcie->pcie_cap_base + PCI_EXP_LNKCAP);
+ val &= ~PCI_EXP_LNKCAP_MLW;
+- val |= (pcie->num_lanes << PCI_EXP_LNKSTA_NLW_SHIFT);
++ val |= FIELD_PREP(PCI_EXP_LNKCAP_MLW, pcie->num_lanes);
+ dw_pcie_writel_dbi(pci, pcie->pcie_cap_base + PCI_EXP_LNKCAP, val);
+
+ config_gen3_gen4_eq_presets(pcie);
+--
+2.42.0
+
diff --git a/queue-5.10/perf-core-bail-out-early-if-the-request-aux-area-is-.patch b/queue-5.10/perf-core-bail-out-early-if-the-request-aux-area-is-.patch
new file mode 100644
index 00000000000..1ba2cc4263b
--- /dev/null
+++ b/queue-5.10/perf-core-bail-out-early-if-the-request-aux-area-is-.patch
@@ -0,0 +1,76 @@
+From 8f5cceb2dd9f76c07f3f08b0b141d8ec22acf8ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Sep 2023 08:43:07 +0800
+Subject: perf/core: Bail out early if the request AUX area is out of bound
+
+From: Shuai Xue
+
+[ Upstream commit 54aee5f15b83437f23b2b2469bcf21bdd9823916 ]
+
+When perf-record with a large AUX area, e.g 4GB, it fails with:
+
+ #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1
+ failed to mmap with 12 (Cannot allocate memory)
+
+and it reveals a WARNING with __alloc_pages():
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248
+ Call trace:
+ __alloc_pages+0x1ec/0x248
+ __kmalloc_large_node+0xc0/0x1f8
+ __kmalloc_node+0x134/0x1e8
+ rb_alloc_aux+0xe0/0x298
+ perf_mmap+0x440/0x660
+ mmap_region+0x308/0x8a8
+ do_mmap+0x3c0/0x528
+ vm_mmap_pgoff+0xf4/0x1b8
+ ksys_mmap_pgoff+0x18c/0x218
+ __arm64_sys_mmap+0x38/0x58
+ invoke_syscall+0x50/0x128
+ el0_svc_common.constprop.0+0x58/0x188
+ do_el0_svc+0x34/0x50
+ el0_svc+0x34/0x108
+ el0t_64_sync_handler+0xb8/0xc0
+ el0t_64_sync+0x1a4/0x1a8
+
+'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to
+maintains AUX trace pages. The allocated page for this array is physically
+contiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the
+size of pointer array crosses the limitation set by MAX_ORDER, it reveals a
+WARNING.
+
+So bail out early with -ENOMEM if the request AUX area is out of bound,
+e.g.:
+
+ #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1
+ failed to mmap with 12 (Cannot allocate memory)
+
+Signed-off-by: Shuai Xue
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ kernel/events/ring_buffer.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
+index 4032cd4750001..01351e7e25435 100644
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -691,6 +691,12 @@ int rb_alloc_aux(struct perf_buffer *rb, struct perf_event *event,
+ max_order--;
+ }
+
++ /*
++ * kcalloc_node() is unable to allocate buffer if the size is larger
++ * than: PAGE_SIZE << MAX_ORDER; directly bail out in this case.
++ */
++ if (get_order((unsigned long)nr_pages * sizeof(void *)) > MAX_ORDER)
++ return -ENOMEM;
+ rb->aux_pages = kcalloc_node(nr_pages, sizeof(void *), GFP_KERNEL,
+ node);
+ if (!rb->aux_pages)
+--
+2.42.0
+
diff --git a/queue-5.10/platform-x86-thinkpad_acpi-add-battery-quirk-for-thi.patch b/queue-5.10/platform-x86-thinkpad_acpi-add-battery-quirk-for-thi.patch
new file mode 100644
index 00000000000..dc34ee0dd89
--- /dev/null
+++ b/queue-5.10/platform-x86-thinkpad_acpi-add-battery-quirk-for-thi.patch
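Review bot: The new guard in rb_alloc_aux() compares with `> MAX_ORDER`, which matches the upstream tree but looks off by one for a 5.10 queue. As far as I recall, kernels of this age treat MAX_ORDER as an exclusive bound and the page allocator already warns and fails for `order >= MAX_ORDER`, so a user-sized AUX mmap whose pointer array lands exactly on order MAX_ORDER would still reach kcalloc_node() and produce the WARNING the commit message describes. Please confirm against this tree's mm/page_alloc.c and, if so, use `if (get_order((unsigned long)nr_pages * sizeof(void *)) >= MAX_ORDER)` and adjust the comment above it to match. rb_alloc_aux() starts and ends outside the hunk.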
@@ -0,0 +1,38 @@
+From 04946bf2d58fd3b27e84bc1530e2b1e0e2411413 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 24 Oct 2023 22:09:21 +0300
+Subject: platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Olli Asikainen
+
+[ Upstream commit 916646758aea81a143ce89103910f715ed923346 ]
+
+Thinkpad X120e also needs this battery quirk.
+
+Signed-off-by: Olli Asikainen
+Link: https://lore.kernel.org/r/20231024190922.2742-1-olli.asikainen@gmail.com
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/thinkpad_acpi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
+index d8d241344d22d..00ca996b4d4b9 100644
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -9718,6 +9718,7 @@ static const struct tpacpi_quirk battery_quirk_table[] __initconst = {
+ * Individual addressing is broken on models that expose the
+ * primary battery as BAT1.
+ */
++ TPACPI_Q_LNV('8', 'F', true), /* Thinkpad X120e */
+ TPACPI_Q_LNV('J', '7', true), /* B5400 */
+ TPACPI_Q_LNV('J', 'I', true), /* Thinkpad 11e */
+ TPACPI_Q_LNV3('R', '0', 'B', true), /* Thinkpad 11e gen 3 */
+--
+2.42.0
+
diff --git a/queue-5.10/ppp-limit-mru-to-64k.patch b/queue-5.10/ppp-limit-mru-to-64k.patch
new file mode 100644
index 00000000000..a031e1a50ec
--- /dev/null
+++ b/queue-5.10/ppp-limit-mru-to-64k.patch
@@ -0,0 +1,76 @@
+From 94fd5a27adefade6ef3d15e7d87ecf6fd137fcec Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 12 Nov 2023 22:16:32 -0500
+Subject: ppp: limit MRU to 64K
+
+From: Willem de Bruijn
+
+[ Upstream commit c0a2a1b0d631fc460d830f52d06211838874d655 ]
+
+ppp_sync_ioctl allows setting device MRU, but does not sanity check
+this input.
+
+Limit to a sane upper bound of 64KB.
+
+No implementation I could find generates larger than 64KB frames.
+RFC 2823 mentions an upper bound of PPP over SDL of 64KB based on the
+16-bit length field. Other protocols will be smaller, such as PPPoE
+(9KB jumbo frame) and PPPoA (18190 maximum CPCS-SDU size, RFC 2364).
+PPTP and L2TP encapsulate in IP.
+
+Syzbot managed to trigger alloc warning in __alloc_pages:
+
+ if (WARN_ON_ONCE_GFP(order > MAX_ORDER, gfp))
+
+ WARNING: CPU: 1 PID: 37 at mm/page_alloc.c:4544 __alloc_pages+0x3ab/0x4a0 mm/page_alloc.c:4544
+
+ __alloc_skb+0x12b/0x330 net/core/skbuff.c:651
+ __netdev_alloc_skb+0x72/0x3f0 net/core/skbuff.c:715
+ netdev_alloc_skb include/linux/skbuff.h:3225 [inline]
+ dev_alloc_skb include/linux/skbuff.h:3238 [inline]
+ ppp_sync_input drivers/net/ppp/ppp_synctty.c:669 [inline]
+ ppp_sync_receive+0xff/0x680 drivers/net/ppp/ppp_synctty.c:334
+ tty_ldisc_receive_buf+0x14c/0x180 drivers/tty/tty_buffer.c:390
+ tty_port_default_receive_buf+0x70/0xb0 drivers/tty/tty_port.c:37
+ receive_buf drivers/tty/tty_buffer.c:444 [inline]
+ flush_to_ldisc+0x261/0x780 drivers/tty/tty_buffer.c:494
+ process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
+
+With call
+
+ ioctl$PPPIOCSMRU1(r1, 0x40047452, &(0x7f0000000100)=0x5e6417a8)
+
+Similar code exists in other drivers that implement ppp_channel_ops
+ioctl PPPIOCSMRU. Those might also be in scope. Notably excluded from
+this are pppol2tp_ioctl and pppoe_ioctl.
+
+This code goes back to the start of git history.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+6177e1f90d92583bcc58@syzkaller.appspotmail.com
+Signed-off-by: Willem de Bruijn
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ppp/ppp_synctty.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
+index e37d9a05f3077..7174316362758 100644
+--- a/drivers/net/ppp/ppp_synctty.c
++++ b/drivers/net/ppp/ppp_synctty.c
+@@ -464,6 +464,10 @@ ppp_sync_ioctl(struct ppp_channel *chan, unsigned int cmd, unsigned long arg)
+ case PPPIOCSMRU:
+ if (get_user(val, (int __user *) argp))
+ break;
++ if (val > U16_MAX) {
++ err = -EINVAL;
++ break;
++ }
+ if (val < PPP_MRU)
+ val = PPP_MRU;
+ ap->mru = val;
+--
+2.42.0
+
diff --git a/queue-5.10/ptp-annotate-data-race-around-q-head-and-q-tail.patch b/queue-5.10/ptp-annotate-data-race-around-q-head-and-q-tail.patch
new file mode 100644
index 00000000000..8002e203fb5
--- /dev/null
+++ b/queue-5.10/ptp-annotate-data-race-around-q-head-and-q-tail.patch
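Review bot: The new `val > U16_MAX` test in the PPPIOCSMRU case has no comment, so a reader of ppp_sync_ioctl() sees an unexplained 64K ceiling that fails with -EINVAL right next to a lower bound that silently clamps. The reason is only in the commit message, whose trace suggests the user-supplied MRU ends up sizing the receive skb allocation. I would add a line above the check such as `/* user-supplied mru sizes the rx skb; no PPP framing exceeds 64K */`. The switch and the function around it start and end outside the hunk.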
@@ -0,0 +1,98 @@
+From 0f4f8dd3b50b73a4ce8520fa2066e2387f93a817 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Nov 2023 17:48:59 +0000
+Subject: ptp: annotate data-race around q->head and q->tail
+
+From: Eric Dumazet
+
+[ Upstream commit 73bde5a3294853947252cd9092a3517c7cb0cd2d ]
+
+As I was working on a syzbot report, I found that KCSAN would
+probably complain that reading q->head or q->tail without
+barriers could lead to invalid results.
+
+Add corresponding READ_ONCE() and WRITE_ONCE() to avoid
+load-store tearing.
+
+Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.")
+Signed-off-by: Eric Dumazet
+Acked-by: Richard Cochran
+Link: https://lore.kernel.org/r/20231109174859.3995880-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/ptp/ptp_chardev.c | 3 ++-
+ drivers/ptp/ptp_clock.c | 5 +++--
+ drivers/ptp/ptp_private.h | 8 ++++++--
+ drivers/ptp/ptp_sysfs.c | 3 ++-
+ 4 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
+index af3bc65c4595d..9311f3d09c8fc 100644
+--- a/drivers/ptp/ptp_chardev.c
++++ b/drivers/ptp/ptp_chardev.c
+@@ -487,7 +487,8 @@ ssize_t ptp_read(struct posix_clock *pc,
+
+ for (i = 0; i < cnt; i++) {
+ event[i] = queue->buf[queue->head];
+- queue->head = (queue->head + 1) % PTP_MAX_TIMESTAMPS;
++ /* Paired with READ_ONCE() in queue_cnt() */
++ WRITE_ONCE(queue->head, (queue->head + 1) % PTP_MAX_TIMESTAMPS);
+ }
+
+ spin_unlock_irqrestore(&queue->lock, flags);
+diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
+index 21c4c34c52d8d..ed766943a3563 100644
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -55,10 +55,11 @@ static void enqueue_external_timestamp(struct timestamp_event_queue *queue,
+ dst->t.sec = seconds;
+ dst->t.nsec = remainder;
+
++ /* Both WRITE_ONCE() are paired with READ_ONCE() in queue_cnt() */
+ if (!queue_free(queue))
+- queue->head = (queue->head + 1) % PTP_MAX_TIMESTAMPS;
++ WRITE_ONCE(queue->head, (queue->head + 1) % PTP_MAX_TIMESTAMPS);
+
+- queue->tail = (queue->tail + 1) % PTP_MAX_TIMESTAMPS;
++ WRITE_ONCE(queue->tail, (queue->tail + 1) % PTP_MAX_TIMESTAMPS);
+
+ spin_unlock_irqrestore(&queue->lock, flags);
+ }
+diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
+index 6b97155148f11..d2cb956706763 100644
+--- a/drivers/ptp/ptp_private.h
++++ b/drivers/ptp/ptp_private.h
+@@ -55,9 +55,13 @@ struct ptp_clock {
+ * that a writer might concurrently increment the tail does not
+ * matter, since the queue remains nonempty nonetheless.
+ */
+-static inline int queue_cnt(struct timestamp_event_queue *q)
++static inline int queue_cnt(const struct timestamp_event_queue *q)
+ {
+- int cnt = q->tail - q->head;
++ /*
++ * Paired with WRITE_ONCE() in enqueue_external_timestamp(),
++ * ptp_read(), extts_fifo_show().
++ */
++ int cnt = READ_ONCE(q->tail) - READ_ONCE(q->head);
+ return cnt < 0 ? PTP_MAX_TIMESTAMPS + cnt : cnt;
+ }
+
+diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
+index 8cd59e8481631..8d52815e05b31 100644
+--- a/drivers/ptp/ptp_sysfs.c
++++ b/drivers/ptp/ptp_sysfs.c
+@@ -78,7 +78,8 @@ static ssize_t extts_fifo_show(struct device *dev,
+ qcnt = queue_cnt(queue);
+ if (qcnt) {
+ event = queue->buf[queue->head];
+- queue->head = (queue->head + 1) % PTP_MAX_TIMESTAMPS;
++ /* Paired with READ_ONCE() in queue_cnt() */
++ WRITE_ONCE(queue->head, (queue->head + 1) % PTP_MAX_TIMESTAMPS);
+ }
+ spin_unlock_irqrestore(&queue->lock, flags);
+
+--
+2.42.0
+
diff --git a/queue-5.10/pwm-fix-double-shift-bug.patch b/queue-5.10/pwm-fix-double-shift-bug.patch
new file mode 100644
index 00000000000..3c97122cbde
--- /dev/null
+++ b/queue-5.10/pwm-fix-double-shift-bug.patch
@@ -0,0 +1,45 @@
+From 078c6f9464731c9636eb1f5e4039874576f37278 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Oct 2023 14:58:18 +0300
+Subject: pwm: Fix double shift bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter
+
+[ Upstream commit d27abbfd4888d79dd24baf50e774631046ac4732 ]
+
+These enums are passed to set/test_bit(). The set/test_bit() functions
+take a bit number instead of a shifted value. Passing a shifted value
+is a double shift bug like doing BIT(BIT(1)). The double shift bug
+doesn't cause a problem here because we are only checking 0 and 1 but
+if the value was 5 or above then it can lead to a buffer overflow.
+
+Signed-off-by: Dan Carpenter
+Reviewed-by: Uwe Kleine-König
+Reviewed-by: Sam Protsenko
+Signed-off-by: Thierry Reding
+Signed-off-by: Sasha Levin
+---
+ include/linux/pwm.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/pwm.h b/include/linux/pwm.h
+index a13ff383fa1d5..c0cf6613373f9 100644
+--- a/include/linux/pwm.h
++++ b/include/linux/pwm.h
+@@ -44,8 +44,8 @@ struct pwm_args {
+ };
+
+ enum {
+- PWMF_REQUESTED = 1 << 0,
+- PWMF_EXPORTED = 1 << 1,
++ PWMF_REQUESTED = 0,
++ PWMF_EXPORTED = 1,
+ };
+
+ /*
+--
+2.42.0
+
diff --git a/queue-5.10/rdma-hfi1-use-field_get-to-extract-link-width.patch b/queue-5.10/rdma-hfi1-use-field_get-to-extract-link-width.patch
new file mode 100644
index 00000000000..98dd88a6cfd
--- /dev/null
+++ b/queue-5.10/rdma-hfi1-use-field_get-to-extract-link-width.patch
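Review bot: Nothing at the enum in include/linux/pwm.h says that the PWMF_ values are now bit numbers rather than masks, and the prefix still reads like a flag mask. Any code that tests them with `&` instead of test_bit() would now silently compare against 0 or 1; no such user is visible in this hunk, so it is worth a grep in this tree before the backport lands. I would add a comment above the enum such as `/* bit numbers for set_bit()/test_bit(), not masks */`, so that a later entry is not added as `1 << n` again.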
@@ -0,0 +1,63 @@
+From f4e79f12067bac1069811ecd6c5eb56f8a047db9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Sep 2023 15:56:41 +0300
+Subject: RDMA/hfi1: Use FIELD_GET() to extract Link Width
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit 8bf7187d978610b9e327a3d92728c8864a575ebd ]
+
+Use FIELD_GET() to extract PCIe Negotiated Link Width field instead of
+custom masking and shifting, and remove extract_width() which only
+wraps that FIELD_GET().
+
+Signed-off-by: Ilpo Järvinen
+Link: https://lore.kernel.org/r/20230919125648.1920-2-ilpo.jarvinen@linux.intel.com
+Reviewed-by: Jonathan Cameron
+Reviewed-by: Dean Luick
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/hfi1/pcie.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/pcie.c b/drivers/infiniband/hw/hfi1/pcie.c
+index 18d32f053d26e..3aa0215fca419 100644
+--- a/drivers/infiniband/hw/hfi1/pcie.c
++++ b/drivers/infiniband/hw/hfi1/pcie.c
+@@ -45,6 +45,7 @@
+ *
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -261,12 +262,6 @@ static u32 extract_speed(u16 linkstat)
+ return speed;
+ }
+
+-/* return the PCIe link speed from the given link status */
+-static u32 extract_width(u16 linkstat)
+-{
+- return (linkstat & PCI_EXP_LNKSTA_NLW) >> PCI_EXP_LNKSTA_NLW_SHIFT;
+-}
+-
+ /* read the link status and set dd->{lbus_width,lbus_speed,lbus_info} */
+ static void update_lbus_info(struct hfi1_devdata *dd)
+ {
+@@ -279,7 +274,7 @@ static void update_lbus_info(struct hfi1_devdata *dd)
+ return;
+ }
+
+- dd->lbus_width = extract_width(linkstat);
++ dd->lbus_width = FIELD_GET(PCI_EXP_LNKSTA_NLW, linkstat);
+ dd->lbus_speed = extract_speed(linkstat);
+ snprintf(dd->lbus_info, sizeof(dd->lbus_info),
+ "PCIe,%uMHz,x%u", dd->lbus_speed, dd->lbus_width);
+--
+2.42.0
+
diff --git a/queue-5.10/scsi-libfc-fix-potential-null-pointer-dereference-in.patch b/queue-5.10/scsi-libfc-fix-potential-null-pointer-dereference-in.patch
new file mode 100644
index 00000000000..7d12f2f83f6
--- /dev/null
+++ b/queue-5.10/scsi-libfc-fix-potential-null-pointer-dereference-in.patch
@@ -0,0 +1,44 @@
+From 42a5bfd733e7f80dfef2c208dd4b5f547633cce0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Oct 2023 21:03:50 +0800
+Subject: scsi: libfc: Fix potential NULL pointer dereference in
+ fc_lport_ptp_setup()
+
+From: Wenchao Hao
+
+[ Upstream commit 4df105f0ce9f6f30cda4e99f577150d23f0c9c5f ]
+
+fc_lport_ptp_setup() did not check the return value of fc_rport_create()
+which can return NULL and would cause a NULL pointer dereference. Address
+this issue by checking return value of fc_rport_create() and log error
+message on fc_rport_create() failed.
+
+Signed-off-by: Wenchao Hao
+Link: https://lore.kernel.org/r/20231011130350.819571-1-haowenchao2@huawei.com
+Reviewed-by: Simon Horman
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/libfc/fc_lport.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
+index abb14b206be04..82b8477c7d737 100644
+--- a/drivers/scsi/libfc/fc_lport.c
++++ b/drivers/scsi/libfc/fc_lport.c
+@@ -238,6 +238,12 @@ static void fc_lport_ptp_setup(struct fc_lport *lport,
+ }
+ mutex_lock(&lport->disc.disc_mutex);
+ lport->ptp_rdata = fc_rport_create(lport, remote_fid);
++ if (!lport->ptp_rdata) {
++ printk(KERN_WARNING "libfc: Failed to setup lport 0x%x\n",
++ lport->port_id);
++ mutex_unlock(&lport->disc.disc_mutex);
++ return;
++ }
+ kref_get(&lport->ptp_rdata->kref);
+ lport->ptp_rdata->ids.port_name = remote_wwpn;
+ lport->ptp_rdata->ids.node_name = remote_wwnn;
+--
+2.42.0
+
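Review bot: On fc_rport_create() failure the new branch only logs and returns, and because fc_lport_ptp_setup() returns void its caller cannot tell that point-to-point setup did not happen. `lport->ptp_rdata` is left NULL on that path, so the dereference fixed here may just move to whichever code next uses ptp_rdata; those users and the callers are outside this hunk, and it is worth confirming they check for NULL. A comment on the early return, for example `/* ptp_rdata stays NULL; callers must not assume a ptp rport exists */`, would record that contract. The function starts and ends outside the hunk.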
diff --git a/queue-5.10/selftests-efivarfs-create-read-fix-a-resource-leak.patch b/queue-5.10/selftests-efivarfs-create-read-fix-a-resource-leak.patch
new file mode 100644
index 00000000000..4e2f55790da
--- /dev/null
+++ b/queue-5.10/selftests-efivarfs-create-read-fix-a-resource-leak.patch
@@ -0,0 +1,37 @@
+From 0601c6b861eac00996c1d36ed40308d295fd7bcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 17 Oct 2023 18:59:21 -0700
+Subject: selftests/efivarfs: create-read: fix a resource leak
+
+From: zhujun2
+
+[ Upstream commit 3f6f8a8c5e11a9b384a36df4f40f0c9a653b6975 ]
+
+The opened file should be closed in main(), otherwise resource
+leak will occur that this problem was discovered by code reading
+
+Signed-off-by: zhujun2
+Signed-off-by: Shuah Khan
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/efivarfs/create-read.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/efivarfs/create-read.c b/tools/testing/selftests/efivarfs/create-read.c
+index 9674a19396a32..7bc7af4eb2c17 100644
+--- a/tools/testing/selftests/efivarfs/create-read.c
++++ b/tools/testing/selftests/efivarfs/create-read.c
+@@ -32,8 +32,10 @@ int main(int argc, char **argv)
+ rc = read(fd, buf, sizeof(buf));
+ if (rc != 0) {
+ fprintf(stderr, "Reading a new var should return EOF\n");
++ close(fd);
+ return EXIT_FAILURE;
+ }
+
++ close(fd);
+ return EXIT_SUCCESS;
+ }
+--
+2.42.0
+
diff --git a/queue-5.10/series b/queue-5.10/series
new file mode 100644
index 00000000000..fc7de5914b5
--- /dev/null
+++ b/queue-5.10/series
@@ -0,0 +1,88 @@
+locking-ww_mutex-test-fix-potential-workqueue-corrup.patch
+perf-core-bail-out-early-if-the-request-aux-area-is-.patch
+clocksource-drivers-timer-imx-gpt-fix-potential-memo.patch
+clocksource-drivers-timer-atmel-tcb-fix-initializati.patch
+x86-mm-drop-the-4-mb-restriction-on-minimal-numa-nod.patch
+wifi-mac80211_hwsim-fix-clang-specific-fortify-warni.patch
+wifi-mac80211-don-t-return-unset-power-in-ieee80211_.patch
+bpf-detect-ip-ksym.end-as-part-of-bpf-program.patch
+wifi-ath9k-fix-clang-specific-fortify-warnings.patch
+wifi-ath10k-fix-clang-specific-fortify-warning.patch
+net-annotate-data-races-around-sk-sk_tx_queue_mappin.patch
+net-annotate-data-races-around-sk-sk_dst_pending_con.patch
+wifi-ath10k-don-t-touch-the-ce-interrupt-registers-a.patch
+bluetooth-btusb-add-date-evt_skb-is-null-check.patch
+bluetooth-fix-double-free-in-hci_conn_cleanup.patch
+platform-x86-thinkpad_acpi-add-battery-quirk-for-thi.patch
+drm-komeda-drop-all-currently-held-locks-if-deadlock.patch
+drm-msm-dp-skip-validity-check-for-dp-cts-edid-check.patch
+drm-amd-fix-ubsan-array-index-out-of-bounds-for-smu7.patch
+drm-amd-fix-ubsan-array-index-out-of-bounds-for-pola.patch
+drm-amdgpu-fix-potential-null-pointer-derefernce.patch
+drm-panel-fix-a-possible-null-pointer-dereference.patch
+drm-panel-panel-tpo-tpg110-fix-a-possible-null-point.patch
+drm-panel-st7703-pick-different-reset-sequence.patch
+drm-amdgpu-fix-a-null-pointer-access-when-the-smc_rr.patch
+selftests-efivarfs-create-read-fix-a-resource-leak.patch
+asoc-soc-card-add-storage-for-pci-ssid.patch
+crypto-pcrypt-fix-hungtask-for-padata_reset.patch
+rdma-hfi1-use-field_get-to-extract-link-width.patch
+fs-jfs-add-check-for-negative-db_l2nbperpage.patch
+fs-jfs-add-validity-check-for-db_maxag-and-db_agpref.patch
+jfs-fix-array-index-out-of-bounds-in-dbfindleaf.patch
+jfs-fix-array-index-out-of-bounds-in-dialloc.patch
+hid-lenovo-detect-quirk-free-fw-on-cptkbd-and-stop-a.patch
+arm-9320-1-fix-stack-depot-irq-stack-filter.patch
+alsa-hda-fix-possible-null-ptr-deref-when-assigning-.patch
+pci-tegra194-use-field_get-field_prep-with-link-widt.patch
+atm-iphase-do-pci-error-checks-on-own-line.patch
+scsi-libfc-fix-potential-null-pointer-dereference-in.patch
+misc-pci_endpoint_test-add-device-id-for-r-car-s4-8-.patch
+hid-add-quirk-for-dell-pro-wireless-keyboard-and-mou.patch
+exfat-support-handle-zero-size-directory.patch
+tty-vcc-add-check-for-kstrdup-in-vcc_probe.patch
+usb-gadget-f_ncm-always-set-current-gadget-in-ncm_bi.patch
+9p-trans_fd-annotate-data-racy-writes-to-file-f_flag.patch
+i2c-sun6i-p2wi-prevent-potential-division-by-zero.patch
+media-gspca-cpia1-shift-out-of-bounds-in-set_flicker.patch
+media-vivid-avoid-integer-overflow.patch
+gfs2-ignore-negated-quota-changes.patch
+gfs2-fix-an-oops-in-gfs2_permission.patch
+media-cobalt-use-field_get-to-extract-link-width.patch
+media-imon-fix-access-to-invalid-resource-for-the-se.patch
+drm-amd-display-avoid-null-dereference-of-timing-gen.patch
+kgdb-flush-console-before-entering-kgdb-on-panic.patch
+asoc-ti-omap-mcbsp-fix-runtime-pm-underflow-warnings.patch
+drm-amdgpu-fix-software-pci_unplug-on-some-chips.patch
+pwm-fix-double-shift-bug.patch
+wifi-iwlwifi-use-fw-rate-for-non-data-frames.patch
+xhci-turn-cancelled-td-cleanup-to-its-own-function.patch
+sunrpc-econnreset-might-require-a-rebind.patch
+gpio-don-t-fiddle-with-irqchips-marked-as-immutable.patch
+gpio-expose-the-gpiochip_irq_re-ql-res-helpers.patch
+gpio-add-helpers-to-ease-the-transition-towards-immu.patch
+sunrpc-add-an-is_err-check-back-to-where-it-was.patch
+nfsv4.1-fix-sp4_mach_cred-protection-for-pnfs-io.patch
+sunrpc-fix-rpc-client-cleaned-up-the-freed-pipefs-de.patch
+gfs2-silence-suspicious-rcu-usage-in-gfs2_permission.patch
+ipvlan-add-ipvlan_route_v6_outbound-helper.patch
+tty-fix-uninit-value-access-in-ppp_sync_receive.patch
+net-hns3-fix-variable-may-not-initialized-problem-in.patch
+net-hns3-fix-vf-reset-fail-issue.patch
+tipc-fix-kernel-infoleak-due-to-uninitialized-tlv-va.patch
+ppp-limit-mru-to-64k.patch
+xen-events-fix-delayed-eoi-list-handling.patch
+ptp-annotate-data-race-around-q-head-and-q-tail.patch
+bonding-stop-the-device-in-bond_setup_by_slave.patch
+net-ethernet-cortina-fix-max-rx-frame-define.patch
+net-ethernet-cortina-handle-large-frames.patch
+net-ethernet-cortina-fix-mtu-max-setting.patch
+netfilter-nf_conntrack_bridge-initialize-err-to-0.patch
+net-stmmac-fix-rx-budget-limit-check.patch
+net-mlx5e-fix-double-free-of-encap_header.patch
+net-mlx5_core-clean-driver-version-and-name.patch
+net-mlx5e-check-return-value-of-snprintf-writing-to-.patch
+macvlan-don-t-propagate-promisc-change-to-lower-dev-.patch
+tools-power-turbostat-fix-a-knl-bug.patch
+cifs-spnego-add-in-host_key_len.patch
+cifs-fix-check-of-rc-in-function-generate_smb3signin.patch
diff --git a/queue-5.10/sunrpc-add-an-is_err-check-back-to-where-it-was.patch b/queue-5.10/sunrpc-add-an-is_err-check-back-to-where-it-was.patch
new file mode 100644
index 00000000000..9935f0801c3
--- /dev/null
+++ b/queue-5.10/sunrpc-add-an-is_err-check-back-to-where-it-was.patch
@@ -0,0 +1,44 @@
+From 167184a78300d8dfa22803cb9741a54506012928 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Oct 2023 11:00:22 +0300
+Subject: SUNRPC: Add an IS_ERR() check back to where it was
+
+From: Dan Carpenter
+
+[ Upstream commit 4f3ed837186fc0d2722ba8d2457a594322e9c2ef ]
+
+This IS_ERR() check was deleted during in a cleanup because, at the time,
+the rpcb_call_async() function could not return an error pointer. That
+changed in commit 25cf32ad5dba ("SUNRPC: Handle allocation failure in
+rpc_new_task()") and now it can return an error pointer. Put the check
+back.
+
+A related revert was done in commit 13bd90141804 ("Revert "SUNRPC:
+Remove unreachable error condition"").
+
+Fixes: 037e910b52b0 ("SUNRPC: Remove unreachable error condition in rpcb_getport_async()")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ net/sunrpc/rpcb_clnt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c
+index 38fe2ce8a5aa1..8fad45320e1b9 100644
+--- a/net/sunrpc/rpcb_clnt.c
++++ b/net/sunrpc/rpcb_clnt.c
+@@ -743,6 +743,10 @@ void rpcb_getport_async(struct rpc_task *task)
+
+ child = rpcb_call_async(rpcb_clnt, map, proc);
+ rpc_release_client(rpcb_clnt);
++ if (IS_ERR(child)) {
++ /* rpcb_map_release() has freed the arguments */
++ return;
++ }
+
+ xprt->stat.bind_count++;
+ rpc_put_task(child);
+--
+2.42.0
+
diff --git a/queue-5.10/sunrpc-econnreset-might-require-a-rebind.patch b/queue-5.10/sunrpc-econnreset-might-require-a-rebind.patch
new file mode 100644
index 00000000000..ff85b6d16b9
--- /dev/null
+++ b/queue-5.10/sunrpc-econnreset-might-require-a-rebind.patch
@@ -0,0 +1,43 @@
+From f558b69c7713855203615b673ae6d3fc4b0ffb16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 17 Sep 2023 09:06:05 -0400
+Subject: SUNRPC: ECONNRESET might require a rebind
+
+From: Trond Myklebust
+
+[ Upstream commit 4b09ca1508a60be30b2e3940264e93d7aeb5c97e ]
+
+If connect() is returning ECONNRESET, it usually means that nothing is
+listening on that port. If so, a rebind might be required in order to
+obtain the new port on which the RPC service is listening.
+
+Fixes: fd01b2597941 ("SUNRPC: ECONNREFUSED should cause a rebind.")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ net/sunrpc/clnt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
+index c7c1754f87440..da34b23a66dbd 100644
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -2074,6 +2074,7 @@ call_connect_status(struct rpc_task *task)
+ task->tk_status = 0;
+ switch (status) {
+ case -ECONNREFUSED:
++ case -ECONNRESET:
+ /* A positive refusal suggests a rebind is needed. */
+ if (RPC_IS_SOFTCONN(task))
+ break;
+@@ -2082,7 +2083,6 @@ call_connect_status(struct rpc_task *task)
+ goto out_retry;
+ }
+ fallthrough;
+- case -ECONNRESET:
+ case -ECONNABORTED:
+ case -ENETDOWN:
+ case -ENETUNREACH:
+--
+2.42.0
+
diff --git a/queue-5.10/sunrpc-fix-rpc-client-cleaned-up-the-freed-pipefs-de.patch b/queue-5.10/sunrpc-fix-rpc-client-cleaned-up-the-freed-pipefs-de.patch
new file mode 100644
index 00000000000..de967846517
--- /dev/null
+++ b/queue-5.10/sunrpc-fix-rpc-client-cleaned-up-the-freed-pipefs-de.patch
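Review bot: The comment under the case labels in call_connect_status() still reads `/* A positive refusal suggests a rebind is needed. */`, but the branch now also takes -ECONNRESET, which is a reset rather than a refusal. The reasoning for treating it the same way is only in the commit message. I would reword the comment to something like `/* A refusal or reset suggests nothing is listening on that port: rebind. */` so the added label does not look like a mistake to the next reader. The switch and the function around it start and end outside both hunks.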
@@ -0,0 +1,121 @@ +From abdcddf957ba5245e9a97456dac5471cd7a29e81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 09:40:19 +0800 +Subject: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries + +From: felix + +[ Upstream commit bfca5fb4e97c46503ddfc582335917b0cc228264 ] + +RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir() +workqueue,which takes care about pipefs superblock locking. +In some special scenarios, when kernel frees the pipefs sb of the +current client and immediately alloctes a new pipefs sb, +rpc_remove_pipedir function would misjudge the existence of pipefs +sb which is not the one it used to hold. As a result, +the rpc_remove_pipedir would clean the released freed pipefs dentries. + +To fix this issue, rpc_remove_pipedir should check whether the +current pipefs sb is consistent with the original pipefs sb. + +This error can be catched by KASAN: +========================================================= +[ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200 +[ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503 +[ 250.500549] Workqueue: events rpc_free_client_work +[ 250.501001] Call Trace: +[ 250.502880] kasan_report+0xb6/0xf0 +[ 250.503209] ? dget_parent+0x195/0x200 +[ 250.503561] dget_parent+0x195/0x200 +[ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10 +[ 250.504384] rpc_rmdir_depopulate+0x1b/0x90 +[ 250.504781] rpc_remove_client_dir+0xf5/0x150 +[ 250.505195] rpc_free_client_work+0xe4/0x230 +[ 250.505598] process_one_work+0x8ee/0x13b0 +... 
+[ 22.039056] Allocated by task 244: +[ 22.039390] kasan_save_stack+0x22/0x50 +[ 22.039758] kasan_set_track+0x25/0x30 +[ 22.040109] __kasan_slab_alloc+0x59/0x70 +[ 22.040487] kmem_cache_alloc_lru+0xf0/0x240 +[ 22.040889] __d_alloc+0x31/0x8e0 +[ 22.041207] d_alloc+0x44/0x1f0 +[ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140 +[ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110 +[ 22.042459] rpc_create_client_dir+0x34/0x150 +[ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0 +[ 22.043284] rpc_client_register+0x136/0x4e0 +[ 22.043689] rpc_new_client+0x911/0x1020 +[ 22.044057] rpc_create_xprt+0xcb/0x370 +[ 22.044417] rpc_create+0x36b/0x6c0 +... +[ 22.049524] Freed by task 0: +[ 22.049803] kasan_save_stack+0x22/0x50 +[ 22.050165] kasan_set_track+0x25/0x30 +[ 22.050520] kasan_save_free_info+0x2b/0x50 +[ 22.050921] __kasan_slab_free+0x10e/0x1a0 +[ 22.051306] kmem_cache_free+0xa5/0x390 +[ 22.051667] rcu_core+0x62c/0x1930 +[ 22.051995] __do_softirq+0x165/0x52a +[ 22.052347] +[ 22.052503] Last potentially related work creation: +[ 22.052952] kasan_save_stack+0x22/0x50 +[ 22.053313] __kasan_record_aux_stack+0x8e/0xa0 +[ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0 +[ 22.054209] dentry_free+0xb2/0x140 +[ 22.054540] __dentry_kill+0x3be/0x540 +[ 22.054900] shrink_dentry_list+0x199/0x510 +[ 22.055293] shrink_dcache_parent+0x190/0x240 +[ 22.055703] do_one_tree+0x11/0x40 +[ 22.056028] shrink_dcache_for_umount+0x61/0x140 +[ 22.056461] generic_shutdown_super+0x70/0x590 +[ 22.056879] kill_anon_super+0x3a/0x60 +[ 22.057234] rpc_kill_sb+0x121/0x200 + +Fixes: 0157d021d23a ("SUNRPC: handle RPC client pipefs dentries by network namespace aware routines") +Signed-off-by: felix +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/clnt.h | 1 + + net/sunrpc/clnt.c | 5 ++++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h +index 02e7a5863d289..41ed614e69209 100644 +--- 
a/include/linux/sunrpc/clnt.h ++++ b/include/linux/sunrpc/clnt.h +@@ -79,6 +79,7 @@ struct rpc_clnt { + struct work_struct cl_work; + }; + const struct cred *cl_cred; ++ struct super_block *pipefs_sb; + }; + + /* +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index da34b23a66dbd..360a3bcd91fe1 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -109,7 +109,8 @@ static void rpc_clnt_remove_pipedir(struct rpc_clnt *clnt) + + pipefs_sb = rpc_get_sb_net(net); + if (pipefs_sb) { +- __rpc_clnt_remove_pipedir(clnt); ++ if (pipefs_sb == clnt->pipefs_sb) ++ __rpc_clnt_remove_pipedir(clnt); + rpc_put_sb_net(net); + } + } +@@ -149,6 +150,8 @@ rpc_setup_pipedir(struct super_block *pipefs_sb, struct rpc_clnt *clnt) + { + struct dentry *dentry; + ++ clnt->pipefs_sb = pipefs_sb; ++ + if (clnt->cl_program->pipe_dir_name != NULL) { + dentry = rpc_setup_pipedir_sb(pipefs_sb, clnt); + if (IS_ERR(dentry)) +-- +2.42.0 + diff --git a/queue-5.10/tipc-fix-kernel-infoleak-due-to-uninitialized-tlv-va.patch b/queue-5.10/tipc-fix-kernel-infoleak-due-to-uninitialized-tlv-va.patch new file mode 100644 index 00000000000..ab492bd8170 --- /dev/null +++ b/queue-5.10/tipc-fix-kernel-infoleak-due-to-uninitialized-tlv-va.patch 
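Review bot: The new guard `if (pipefs_sb == clnt->pipefs_sb)` in rpc_clnt_remove_pipedir() compares addresses only, and nothing in the patch takes a reference on the stored super_block or clears `clnt->pipefs_sb` when that superblock goes away. The scenario in the description is a free followed immediately by a new allocation, so if the new superblock can land at the old address the comparison would pass and the stale dentries would still be walked; that depends on allocator behaviour not visible here, so it is a question for the author rather than a confirmed defect. At minimum the new field in struct rpc_clnt should carry a comment such as `/* pipefs sb the dentries were created on; compared by address, no reference held */`. rpc_setup_pipedir() also stores the pointer before rpc_setup_pipedir_sb() has had a chance to fail, and its body continues outside the hunk.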
@@ -0,0 +1,113 @@ +From a67c55b152e65907f94789f4235e0b7b7bcbfbd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Nov 2023 01:39:47 +0900 +Subject: tipc: Fix kernel-infoleak due to uninitialized TLV value + +From: Shigeru Yoshida + +[ Upstream commit fb317eb23b5ee4c37b0656a9a52a3db58d9dd072 ] + +KMSAN reported the following kernel-infoleak issue: + +===================================================== +BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] +BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] +BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] +BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] +BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] +BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186 + instrument_copy_to_user include/linux/instrumented.h:114 [inline] + copy_to_user_iter lib/iov_iter.c:24 [inline] + iterate_ubuf include/linux/iov_iter.h:29 [inline] + iterate_and_advance2 include/linux/iov_iter.h:245 [inline] + iterate_and_advance include/linux/iov_iter.h:271 [inline] + _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186 + copy_to_iter include/linux/uio.h:197 [inline] + simple_copy_to_iter net/core/datagram.c:532 [inline] + __skb_datagram_iter.5+0x148/0xe30 net/core/datagram.c:420 + skb_copy_datagram_iter+0x52/0x210 net/core/datagram.c:546 + skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] + netlink_recvmsg+0x43d/0x1630 net/netlink/af_netlink.c:1967 + sock_recvmsg_nosec net/socket.c:1044 [inline] + sock_recvmsg net/socket.c:1066 [inline] + __sys_recvfrom+0x476/0x860 net/socket.c:2246 + __do_sys_recvfrom net/socket.c:2264 [inline] + __se_sys_recvfrom net/socket.c:2260 [inline] + __x64_sys_recvfrom+0x130/0x200 net/socket.c:2260 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x44/0x110 
arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was created at: + slab_post_alloc_hook+0x103/0x9e0 mm/slab.h:768 + slab_alloc_node mm/slub.c:3478 [inline] + kmem_cache_alloc_node+0x5f7/0xb50 mm/slub.c:3523 + kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:560 + __alloc_skb+0x2fd/0x770 net/core/skbuff.c:651 + alloc_skb include/linux/skbuff.h:1286 [inline] + tipc_tlv_alloc net/tipc/netlink_compat.c:156 [inline] + tipc_get_err_tlv+0x90/0x5d0 net/tipc/netlink_compat.c:170 + tipc_nl_compat_recv+0x1042/0x15d0 net/tipc/netlink_compat.c:1324 + genl_family_rcv_msg_doit net/netlink/genetlink.c:972 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline] + genl_rcv_msg+0x1220/0x12c0 net/netlink/genetlink.c:1067 + netlink_rcv_skb+0x4a4/0x6a0 net/netlink/af_netlink.c:2545 + genl_rcv+0x41/0x60 net/netlink/genetlink.c:1076 + netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] + netlink_unicast+0xf4b/0x1230 net/netlink/af_netlink.c:1368 + netlink_sendmsg+0x1242/0x1420 net/netlink/af_netlink.c:1910 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + ____sys_sendmsg+0x997/0xd60 net/socket.c:2588 + ___sys_sendmsg+0x271/0x3b0 net/socket.c:2642 + __sys_sendmsg net/socket.c:2671 [inline] + __do_sys_sendmsg net/socket.c:2680 [inline] + __se_sys_sendmsg net/socket.c:2678 [inline] + __x64_sys_sendmsg+0x2fa/0x4a0 net/socket.c:2678 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Bytes 34-35 of 36 are uninitialized +Memory access of size 36 starts at ffff88802d464a00 +Data copied to user address 00007ff55033c0a0 + +CPU: 0 PID: 30322 Comm: syz-executor.0 Not tainted 6.6.0-14500-g1c41041124bd #10 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 +===================================================== + +tipc_add_tlv() puts TLV descriptor and value onto `skb`. 
This size is +calculated with TLV_SPACE() macro. It adds the size of struct tlv_desc and +the length of TLV value passed as an argument, and aligns the result to a +multiple of TLV_ALIGNTO, i.e., a multiple of 4 bytes. + +If the size of struct tlv_desc plus the length of TLV value is not aligned, +the current implementation leaves the remaining bytes uninitialized. This +is the cause of the above kernel-infoleak issue. + +This patch resolves this issue by clearing data up to an aligned size. + +Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat") +Signed-off-by: Shigeru Yoshida +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/netlink_compat.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c +index 2d62932b59878..6f0c09b6a1531 100644 +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -101,6 +101,7 @@ static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len) + return -EMSGSIZE; + + skb_put(skb, TLV_SPACE(len)); ++ memset(tlv, 0, TLV_SPACE(len)); + tlv->tlv_type = htons(type); + tlv->tlv_len = htons(TLV_LENGTH(len)); + if (len && data) +-- +2.42.0 + diff --git a/queue-5.10/tools-power-turbostat-fix-a-knl-bug.patch b/queue-5.10/tools-power-turbostat-fix-a-knl-bug.patch new file mode 100644 index 00000000000..ed76803dcca --- /dev/null +++ b/queue-5.10/tools-power-turbostat-fix-a-knl-bug.patch 
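Review bot: The added `memset(tlv, 0, TLV_SPACE(len));` in tipc_add_tlv() has no comment and looks redundant next to the field writes that follow it, so a later cleanup could remove it and reopen the leak to user space. A one-line comment would pin the reason: `/* zero descriptor, value and TLV_ALIGNTO padding: this skb is copied to user space */`. It also covers a case the description does not mention: the copy below is guarded by `if (len && data)`, so with a non-zero `len` and a NULL `data` the value bytes were presumably left uninitialised as well. The function continues outside the hunk.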
@@ -0,0 +1,41 @@
+From 7d6815bb8c82bef964e731ae32803ef5d48529c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 25 Mar 2023 21:57:07 +0800
+Subject: tools/power/turbostat: Fix a knl bug
+
+From: Zhang Rui
+
+[ Upstream commit 137f01b3529d292a68d22e9681e2f903c768f790 ]
+
+MSR_KNL_CORE_C6_RESIDENCY should be evaluated only if
+1. this is KNL platform
+AND
+2. need to get C6 residency or need to calculate C1 residency
+
+Fix the broken logic introduced by commit 1e9042b9c8d4 ("tools/power
+turbostat: Fix CPU%C1 display value").
+
+Fixes: 1e9042b9c8d4 ("tools/power turbostat: Fix CPU%C1 display value")
+Signed-off-by: Zhang Rui
+Reviewed-by: Len Brown
+Signed-off-by: Sasha Levin
+---
+ tools/power/x86/turbostat/turbostat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index d33c9d427e573..9d4a249cc98bb 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -1995,7 +1995,7 @@ int get_counters(struct thread_data *t, struct core_data *c, struct pkg_data *p)
+ if ((DO_BIC(BIC_CPU_c6) || soft_c1_residency_display(BIC_CPU_c6)) && !do_knl_cstates) {
+ if (get_msr(cpu, MSR_CORE_C6_RESIDENCY, &c->c6))
+ return -7;
+- } else if (do_knl_cstates || soft_c1_residency_display(BIC_CPU_c6)) {
++ } else if (do_knl_cstates && soft_c1_residency_display(BIC_CPU_c6)) {
+ if (get_msr(cpu, MSR_KNL_CORE_C6_RESIDENCY, &c->c6))
+ return -7;
+ }
+--
+2.42.0
+
diff --git a/queue-5.10/tty-fix-uninit-value-access-in-ppp_sync_receive.patch b/queue-5.10/tty-fix-uninit-value-access-in-ppp_sync_receive.patch
new file mode 100644
index 00000000000..a657664a6ff
--- /dev/null
+++ b/queue-5.10/tty-fix-uninit-value-access-in-ppp_sync_receive.patch
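Review bot: The new condition `do_knl_cstates && soft_c1_residency_display(BIC_CPU_c6)` in get_counters() drops the `DO_BIC(BIC_CPU_c6)` term, while the description says the KNL MSR should be read on KNL when C6 residency is wanted or C1 has to be calculated. Unless soft_c1_residency_display() already covers that case (its body is not in the hunk), a KNL run that asks only for C6 residency would skip the read and `c->c6` would not be refreshed. Mirroring the first branch would match the stated rule: `} else if (do_knl_cstates && (DO_BIC(BIC_CPU_c6) || soft_c1_residency_display(BIC_CPU_c6))) {`. get_counters() starts and ends outside the hunk.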
@@ -0,0 +1,82 @@ +From 6442334977ef97b799fb799688acfa65f473b292 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Nov 2023 00:44:20 +0900 +Subject: tty: Fix uninit-value access in ppp_sync_receive() + +From: Shigeru Yoshida + +[ Upstream commit 719639853d88071dfdfd8d9971eca9c283ff314c ] + +KMSAN reported the following uninit-value access issue: + +===================================================== +BUG: KMSAN: uninit-value in ppp_sync_input drivers/net/ppp/ppp_synctty.c:690 [inline] +BUG: KMSAN: uninit-value in ppp_sync_receive+0xdc9/0xe70 drivers/net/ppp/ppp_synctty.c:334 + ppp_sync_input drivers/net/ppp/ppp_synctty.c:690 [inline] + ppp_sync_receive+0xdc9/0xe70 drivers/net/ppp/ppp_synctty.c:334 + tiocsti+0x328/0x450 drivers/tty/tty_io.c:2295 + tty_ioctl+0x808/0x1920 drivers/tty/tty_io.c:2694 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:871 [inline] + __se_sys_ioctl+0x211/0x400 fs/ioctl.c:857 + __x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:857 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was created at: + __alloc_pages+0x75d/0xe80 mm/page_alloc.c:4591 + __alloc_pages_node include/linux/gfp.h:238 [inline] + alloc_pages_node include/linux/gfp.h:261 [inline] + __page_frag_cache_refill+0x9a/0x2c0 mm/page_alloc.c:4691 + page_frag_alloc_align+0x91/0x5d0 mm/page_alloc.c:4722 + page_frag_alloc include/linux/gfp.h:322 [inline] + __netdev_alloc_skb+0x215/0x6d0 net/core/skbuff.c:728 + netdev_alloc_skb include/linux/skbuff.h:3225 [inline] + dev_alloc_skb include/linux/skbuff.h:3238 [inline] + ppp_sync_input drivers/net/ppp/ppp_synctty.c:669 [inline] + ppp_sync_receive+0x237/0xe70 drivers/net/ppp/ppp_synctty.c:334 + tiocsti+0x328/0x450 drivers/tty/tty_io.c:2295 + tty_ioctl+0x808/0x1920 drivers/tty/tty_io.c:2694 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:871 [inline] + __se_sys_ioctl+0x211/0x400 fs/ioctl.c:857 + 
__x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:857 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +CPU: 0 PID: 12950 Comm: syz-executor.1 Not tainted 6.6.0-14500-g1c41041124bd #10 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 +===================================================== + +ppp_sync_input() checks the first 2 bytes of the data are PPP_ALLSTATIONS +and PPP_UI. However, if the data length is 1 and the first byte is +PPP_ALLSTATIONS, an access to an uninitialized value occurs when checking +PPP_UI. This patch resolves this issue by checking the data length. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Shigeru Yoshida +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_synctty.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c +index f774b7e52da44..e37d9a05f3077 100644 +--- a/drivers/net/ppp/ppp_synctty.c ++++ b/drivers/net/ppp/ppp_synctty.c +@@ -699,7 +699,7 @@ ppp_sync_input(struct syncppp *ap, const unsigned char *buf, + + /* strip address/control field if present */ + p = skb->data; +- if (p[0] == PPP_ALLSTATIONS && p[1] == PPP_UI) { ++ if (skb->len >= 2 && p[0] == PPP_ALLSTATIONS && p[1] == PPP_UI) { + /* chop off address/control */ + if (skb->len < 3) + goto err; +-- +2.42.0 + diff --git a/queue-5.10/tty-vcc-add-check-for-kstrdup-in-vcc_probe.patch b/queue-5.10/tty-vcc-add-check-for-kstrdup-in-vcc_probe.patch new file mode 100644 index 00000000000..2d1966b46ad --- /dev/null +++ b/queue-5.10/tty-vcc-add-check-for-kstrdup-in-vcc_probe.patch 
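Review bot: The added `skb->len >= 2` in ppp_sync_input() protects only the address/control test, so a one-byte frame now skips the block and execution continues with `skb->len == 1`. Whatever parses the protocol field after the closing brace is outside the hunk, and it is worth confirming that it checks the remaining length before reading `p[0]` and `p[1]`, since the same class of uninitialised read would otherwise just move a few lines down. With the outer test in place, the inner `if (skb->len < 3)` rejects only the exact two-byte case; a comment such as `/* address/control present but no protocol byte follows */` would make that intent readable.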
@@ -0,0 +1,76 @@
+From 90d606f385ae40a321b4bdb989e60795a3925379 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Sep 2023 11:52:20 +0800
+Subject: tty: vcc: Add check for kstrdup() in vcc_probe()
+
+From: Yi Yang
+
+[ Upstream commit d81ffb87aaa75f842cd7aa57091810353755b3e6 ]
+
+Add check for the return value of kstrdup() and return the error, if it
+fails in order to avoid NULL pointer dereference.
+
+Signed-off-by: Yi Yang
+Reviewed-by: Jiri Slaby
+Link: https://lore.kernel.org/r/20230904035220.48164-1-yiyang13@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/vcc.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/vcc.c b/drivers/tty/vcc.c
+index 9ffd42e333b83..6b2d35ac6e3b3 100644
+--- a/drivers/tty/vcc.c
++++ b/drivers/tty/vcc.c
+@@ -587,18 +587,22 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+ return -ENOMEM;
+
+ name = kstrdup(dev_name(&vdev->dev), GFP_KERNEL);
++ if (!name) {
++ rv = -ENOMEM;
++ goto free_port;
++ }
+
+ rv = vio_driver_init(&port->vio, vdev, VDEV_CONSOLE_CON, vcc_versions,
+ ARRAY_SIZE(vcc_versions), NULL, name);
+ if (rv)
+- goto free_port;
++ goto free_name;
+
+ port->vio.debug = vcc_dbg_vio;
+ vcc_ldc_cfg.debug = vcc_dbg_ldc;
+
+ rv = vio_ldc_alloc(&port->vio, &vcc_ldc_cfg, port);
+ if (rv)
+- goto free_port;
++ goto free_name;
+
+ spin_lock_init(&port->lock);
+
+@@ -632,6 +636,11 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+ goto unreg_tty;
+ }
+ port->domain = kstrdup(domain, GFP_KERNEL);
++ if (!port->domain) {
++ rv = -ENOMEM;
++ goto unreg_tty;
++ }
++
+
+ mdesc_release(hp);
+
+@@ -661,8 +670,9 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+ vcc_table_remove(port->index);
+ free_ldc:
+ vio_ldc_free(&port->vio);
+-free_port:
++free_name:
+ kfree(name);
++free_port:
+ kfree(port);
+
+ return rv;
+--
+2.42.0
+
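Review bot: The new `goto unreg_tty` after the failed `kstrdup(domain, GFP_KERNEL)` in vcc_probe() jumps away before the `mdesc_release(hp);` that the success path runs two lines later, so the machine-description handle looks leaked on this error path. Unless the code under the unreg_tty label releases it (that part is outside the hunks), add `mdesc_release(hp);` before the `goto`. The same hunk also adds a second blank line after the closing brace, which can be dropped.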
diff --git a/queue-5.10/usb-gadget-f_ncm-always-set-current-gadget-in-ncm_bi.patch b/queue-5.10/usb-gadget-f_ncm-always-set-current-gadget-in-ncm_bi.patch
new file mode 100644
index 00000000000..8b44527410d
--- /dev/null
+++ b/queue-5.10/usb-gadget-f_ncm-always-set-current-gadget-in-ncm_bi.patch
@@ -0,0 +1,137 @@ +From ef9b6b8293b002fb0e6991f9ebe2b14d7c8fff5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 17:33:24 +0200 +Subject: usb: gadget: f_ncm: Always set current gadget in ncm_bind() + +From: Hardik Gajjar + +[ Upstream commit a04224da1f3424b2c607b12a3bd1f0e302fb8231 ] + +Previously, gadget assignment to the net device occurred exclusively +during the initial binding attempt. + +Nevertheless, the gadget pointer could change during bind/unbind +cycles due to various conditions, including the unloading/loading +of the UDC device driver or the detachment/reconnection of an +OTG-capable USB hub device. + +This patch relocates the gether_set_gadget() function out from +ncm_opts->bound condition check, ensuring that the correct gadget +is assigned during each bind request. + +The provided logs demonstrate the consistency of ncm_opts throughout +the power cycle, while the gadget may change. + +* OTG hub connected during boot up and assignment of gadget and + ncm_opts pointer + +[ 2.366301] usb 2-1.5: New USB device found, idVendor=2996, idProduct=0105 +[ 2.366304] usb 2-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +[ 2.366306] usb 2-1.5: Product: H2H Bridge +[ 2.366308] usb 2-1.5: Manufacturer: Aptiv +[ 2.366309] usb 2-1.5: SerialNumber: 13FEB2021 +[ 2.427989] usb 2-1.5: New USB device found, VID=2996, PID=0105 +[ 2.428959] dabridge 2-1.5:1.0: dabridge 2-4 total endpoints=5, 0000000093a8d681 +[ 2.429710] dabridge 2-1.5:1.0: P(0105) D(22.06.22) F(17.3.16) H(1.1) high-speed +[ 2.429714] dabridge 2-1.5:1.0: Hub 2-2 P(0151) V(06.87) +[ 2.429956] dabridge 2-1.5:1.0: All downstream ports in host mode + +[ 2.430093] gadget 000000003c414d59 ------> gadget pointer + +* NCM opts and associated gadget pointer during First ncm_bind + +[ 34.763929] NCM opts 00000000aa304ac9 +[ 34.763930] NCM gadget 000000003c414d59 + +* OTG capable hub disconnecte or assume driver unload. 
+ +[ 97.203114] usb 2-1: USB disconnect, device number 2 +[ 97.203118] usb 2-1.1: USB disconnect, device number 3 +[ 97.209217] usb 2-1.5: USB disconnect, device number 4 +[ 97.230990] dabr_udc deleted + +* Reconnect the OTG hub or load driver assaign new gadget pointer. + +[ 111.534035] usb 2-1.1: New USB device found, idVendor=2996, idProduct=0120, bcdDevice= 6.87 +[ 111.534038] usb 2-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +[ 111.534040] usb 2-1.1: Product: Vendor +[ 111.534041] usb 2-1.1: Manufacturer: Aptiv +[ 111.534042] usb 2-1.1: SerialNumber: Superior +[ 111.535175] usb 2-1.1: New USB device found, VID=2996, PID=0120 +[ 111.610995] usb 2-1.5: new high-speed USB device number 8 using xhci-hcd +[ 111.630052] usb 2-1.5: New USB device found, idVendor=2996, idProduct=0105, bcdDevice=21.02 +[ 111.630055] usb 2-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +[ 111.630057] usb 2-1.5: Product: H2H Bridge +[ 111.630058] usb 2-1.5: Manufacturer: Aptiv +[ 111.630059] usb 2-1.5: SerialNumber: 13FEB2021 +[ 111.687464] usb 2-1.5: New USB device found, VID=2996, PID=0105 +[ 111.690375] dabridge 2-1.5:1.0: dabridge 2-8 total endpoints=5, 000000000d87c961 +[ 111.691172] dabridge 2-1.5:1.0: P(0105) D(22.06.22) F(17.3.16) H(1.1) high-speed +[ 111.691176] dabridge 2-1.5:1.0: Hub 2-6 P(0151) V(06.87) +[ 111.691646] dabridge 2-1.5:1.0: All downstream ports in host mode + +[ 111.692298] gadget 00000000dc72f7a9 --------> new gadget ptr on connect + +* NCM opts and associated gadget pointer during second ncm_bind + +[ 113.271786] NCM opts 00000000aa304ac9 -----> same opts ptr used during first bind +[ 113.271788] NCM gadget 00000000dc72f7a9 ----> however new gaget ptr, that will not set + in net_device due to ncm_opts->bound = true + +Signed-off-by: Hardik Gajjar +Link: https://lore.kernel.org/r/20231020153324.82794-1-hgajjar@de.adit-jv.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_ncm.c 
| 27 +++++++++++---------------- + 1 file changed, 11 insertions(+), 16 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c +index 00aea45a04e95..d42cd1d036bdf 100644 +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -1435,7 +1435,7 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) + struct usb_composite_dev *cdev = c->cdev; + struct f_ncm *ncm = func_to_ncm(f); + struct usb_string *us; +- int status; ++ int status = 0; + struct usb_ep *ep; + struct f_ncm_opts *ncm_opts; + +@@ -1453,22 +1453,17 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) + f->os_desc_table[0].os_desc = &ncm_opts->ncm_os_desc; + } + +- /* +- * in drivers/usb/gadget/configfs.c:configfs_composite_bind() +- * configurations are bound in sequence with list_for_each_entry, +- * in each configuration its functions are bound in sequence +- * with list_for_each_entry, so we assume no race condition +- * with regard to ncm_opts->bound access +- */ +- if (!ncm_opts->bound) { +- mutex_lock(&ncm_opts->lock); +- gether_set_gadget(ncm_opts->net, cdev->gadget); ++ mutex_lock(&ncm_opts->lock); ++ gether_set_gadget(ncm_opts->net, cdev->gadget); ++ if (!ncm_opts->bound) + status = gether_register_netdev(ncm_opts->net); +- mutex_unlock(&ncm_opts->lock); +- if (status) +- goto fail; +- ncm_opts->bound = true; +- } ++ mutex_unlock(&ncm_opts->lock); ++ ++ if (status) ++ goto fail; ++ ++ ncm_opts->bound = true; ++ + us = usb_gstrings_attach(cdev, ncm_strings, + ARRAY_SIZE(ncm_string_defs)); + if (IS_ERR(us)) { +-- +2.42.0 + diff --git a/queue-5.10/wifi-ath10k-don-t-touch-the-ce-interrupt-registers-a.patch b/queue-5.10/wifi-ath10k-don-t-touch-the-ce-interrupt-registers-a.patch new file mode 100644 index 00000000000..4d02d02a80f --- /dev/null +++ b/queue-5.10/wifi-ath10k-don-t-touch-the-ce-interrupt-registers-a.patch 
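Review bot: In ncm_bind() `ncm_opts->bound` is now read under `ncm_opts->lock` but still written after `mutex_unlock()`, and the comment that justified lock-free access to it was deleted rather than updated. Setting the flag inside the locked region, right where registration succeeds (`if (!status) ncm_opts->bound = true;` within the `if (!ncm_opts->bound)` branch), would let the lock cover both sides and avoid rewriting the flag on every rebind. If the write is meant to stay outside the lock, keep a shortened form of the old comment stating that binds are serialised by the configfs bind sequence. `int status = 0;` is now load-bearing for the already-bound path and deserves a word as well. The function continues outside the hunk.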
@@ -0,0 +1,122 @@ +From 20a143ed5bc849fd62d43e5fbff22048c10549d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Sep 2023 07:54:48 +0300 +Subject: wifi: ath10k: Don't touch the CE interrupt registers after power up + +From: Douglas Anderson + +[ Upstream commit 170c75d43a77dc937c58f07ecf847ba1b42ab74e ] + +As talked about in commit d66d24ac300c ("ath10k: Keep track of which +interrupts fired, don't poll them"), if we access the copy engine +register at a bad time then ath10k can go boom. However, it's not +necessarily easy to know when it's safe to access them. + +The ChromeOS test labs saw a crash that looked like this at +shutdown/reboot time (on a chromeos-5.15 kernel, but likely the +problem could also reproduce upstream): + +Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP +... +CPU: 4 PID: 6168 Comm: reboot Not tainted 5.15.111-lockdep-19350-g1d624fe6758f #1 010b9b233ab055c27c6dc88efb0be2f4e9e86f51 +Hardware name: Google Kingoftown (DT) +... +pc : ath10k_snoc_read32+0x50/0x74 [ath10k_snoc] +lr : ath10k_snoc_read32+0x24/0x74 [ath10k_snoc] +... +Call trace: +ath10k_snoc_read32+0x50/0x74 [ath10k_snoc ...] +ath10k_ce_disable_interrupt+0x190/0x65c [ath10k_core ...] +ath10k_ce_disable_interrupts+0x8c/0x120 [ath10k_core ...] +ath10k_snoc_hif_stop+0x78/0x660 [ath10k_snoc ...] +ath10k_core_stop+0x13c/0x1ec [ath10k_core ...] +ath10k_halt+0x398/0x5b0 [ath10k_core ...] +ath10k_stop+0xfc/0x1a8 [ath10k_core ...] +drv_stop+0x148/0x6b4 [mac80211 ...] +ieee80211_stop_device+0x70/0x80 [mac80211 ...] +ieee80211_do_stop+0x10d8/0x15b0 [mac80211 ...] +ieee80211_stop+0x144/0x1a0 [mac80211 ...] +__dev_close_many+0x1e8/0x2c0 +dev_close_many+0x198/0x33c +dev_close+0x140/0x210 +cfg80211_shutdown_all_interfaces+0xc8/0x1e0 [cfg80211 ...] +ieee80211_remove_interfaces+0x118/0x5c4 [mac80211 ...] +ieee80211_unregister_hw+0x64/0x1f4 [mac80211 ...] +ath10k_mac_unregister+0x4c/0xf0 [ath10k_core ...] +ath10k_core_unregister+0x80/0xb0 [ath10k_core ...] 
+ath10k_snoc_free_resources+0xb8/0x1ec [ath10k_snoc ...] +ath10k_snoc_shutdown+0x98/0xd0 [ath10k_snoc ...] +platform_shutdown+0x7c/0xa0 +device_shutdown+0x3e0/0x58c +kernel_restart_prepare+0x68/0xa0 +kernel_restart+0x28/0x7c + +Though there's no known way to reproduce the problem, it makes sense +that it would be the same issue where we're trying to access copy +engine registers when it's not allowed. + +Let's fix this by changing how we "disable" the interrupts. Instead of +tweaking the copy engine registers we'll just use disable_irq() and +enable_irq(). Then we'll configure the interrupts once at power up +time. + +Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.2.2.c10-00754-QCAHLSWMTPL-1 + +Signed-off-by: Douglas Anderson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230630151842.1.If764ede23c4e09a43a842771c2ddf99608f25f8e@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/snoc.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/snoc.c b/drivers/net/wireless/ath/ath10k/snoc.c +index 4870a3dab0ded..f7ee1032b1729 100644 +--- a/drivers/net/wireless/ath/ath10k/snoc.c ++++ b/drivers/net/wireless/ath/ath10k/snoc.c +@@ -827,12 +827,20 @@ static void ath10k_snoc_hif_get_default_pipe(struct ath10k *ar, + + static inline void ath10k_snoc_irq_disable(struct ath10k *ar) + { +- ath10k_ce_disable_interrupts(ar); ++ struct ath10k_snoc *ar_snoc = ath10k_snoc_priv(ar); ++ int id; ++ ++ for (id = 0; id < CE_COUNT_MAX; id++) ++ disable_irq(ar_snoc->ce_irqs[id].irq_line); + } + + static inline void ath10k_snoc_irq_enable(struct ath10k *ar) + { +- ath10k_ce_enable_interrupts(ar); ++ struct ath10k_snoc *ar_snoc = ath10k_snoc_priv(ar); ++ int id; ++ ++ for (id = 0; id < CE_COUNT_MAX; id++) ++ enable_irq(ar_snoc->ce_irqs[id].irq_line); + } + + static void ath10k_snoc_rx_pipe_cleanup(struct ath10k_snoc_pipe *snoc_pipe) +@@ -1048,6 +1056,8 @@ static int 
ath10k_snoc_hif_power_up(struct ath10k *ar, + goto err_free_rri; + } + ++ ath10k_ce_enable_interrupts(ar); ++ + return 0; + + err_free_rri: +@@ -1209,8 +1219,8 @@ static int ath10k_snoc_request_irq(struct ath10k *ar) + + for (id = 0; id < CE_COUNT_MAX; id++) { + ret = request_irq(ar_snoc->ce_irqs[id].irq_line, +- ath10k_snoc_per_engine_handler, 0, +- ce_name[id], ar); ++ ath10k_snoc_per_engine_handler, ++ IRQF_NO_AUTOEN, ce_name[id], ar); + if (ret) { + ath10k_err(ar, + "failed to register IRQ handler for CE %d: %d\n", +-- +2.42.0 + diff --git a/queue-5.10/wifi-ath10k-fix-clang-specific-fortify-warning.patch b/queue-5.10/wifi-ath10k-fix-clang-specific-fortify-warning.patch new file mode 100644 index 00000000000..3902bc903a8 --- /dev/null +++ b/queue-5.10/wifi-ath10k-fix-clang-specific-fortify-warning.patch 
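Review bot: ath10k_snoc_irq_enable() and ath10k_snoc_irq_disable() now rely on enable_irq()/disable_irq(), which are depth-counted, and the lines are requested with IRQF_NO_AUTOEN, so every enable has to be matched by exactly one disable; none of that is stated in the code. The callers are outside the hunks, so it is worth checking that no path (a failed start, a restart after a firmware crash) calls one helper twice in a row, because an unbalanced enable triggers a kernel warning and an extra disable leaves the interrupt off. A comment above the helpers would record the contract, for example `/* CE IRQs are requested disabled; irq_enable/irq_disable calls must stay paired */`. disable_irq() also waits for a running handler to finish, so the disable helper must not be reachable from the CE interrupt handler itself.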
@@ -0,0 +1,62 @@
+From e1dd16c7570c725198d3bded1d204face1e0f596 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 29 Aug 2023 12:36:02 +0300
+Subject: wifi: ath10k: fix clang-specific fortify warning
+
+From: Dmitry Antipov
+
+[ Upstream commit cb4c132ebfeac5962f7258ffc831caa0c4dada1a ]
+
+When compiling with clang 16.0.6 and CONFIG_FORTIFY_SOURCE=y, I've
+noticed the following (somewhat confusing due to absence of an actual
+source code location):
+
+In file included from drivers/net/wireless/ath/ath10k/debug.c:8:
+In file included from ./include/linux/module.h:13:
+In file included from ./include/linux/stat.h:19:
+In file included from ./include/linux/time.h:60:
+In file included from ./include/linux/time32.h:13:
+In file included from ./include/linux/timex.h:67:
+In file included from ./arch/x86/include/asm/timex.h:5:
+In file included from ./arch/x86/include/asm/processor.h:23:
+In file included from ./arch/x86/include/asm/msr.h:11:
+In file included from ./arch/x86/include/asm/cpumask.h:5:
+In file included from ./include/linux/cpumask.h:12:
+In file included from ./include/linux/bitmap.h:11:
+In file included from ./include/linux/string.h:254:
+./include/linux/fortify-string.h:592:4: warning: call to '__read_overflow2_field'
+declared with 'warning' attribute: detected read beyond size of field (2nd
+parameter); maybe use struct_group()? [-Wattribute-warning]
+ __read_overflow2_field(q_size_field, size);
+
+The compiler actually complains on 'ath10k_debug_get_et_strings()' where
+fortification logic inteprets call to 'memcpy()' as an attempt to copy
+the whole 'ath10k_gstrings_stats' array from it's first member and so
+issues an overread warning. This warning may be silenced by passing
+an address of the whole array and not the first member to 'memcpy()'.
+
+Signed-off-by: Dmitry Antipov
+Acked-by: Jeff Johnson
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230829093652.234537-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
+index e8250a6654338..ab737177a86bf 100644
+--- a/drivers/net/wireless/ath/ath10k/debug.c
++++ b/drivers/net/wireless/ath/ath10k/debug.c
+@@ -1139,7 +1139,7 @@ void ath10k_debug_get_et_strings(struct ieee80211_hw *hw,
+ u32 sset, u8 *data)
+ {
+ if (sset == ETH_SS_STATS)
+- memcpy(data, *ath10k_gstrings_stats,
++ memcpy(data, ath10k_gstrings_stats,
+ sizeof(ath10k_gstrings_stats));
+ }
+
+--
+2.42.0
+
diff --git a/queue-5.10/wifi-ath9k-fix-clang-specific-fortify-warnings.patch b/queue-5.10/wifi-ath9k-fix-clang-specific-fortify-warnings.patch
new file mode 100644
index 00000000000..08f5871244e
--- /dev/null
+++ b/queue-5.10/wifi-ath9k-fix-clang-specific-fortify-warnings.patch
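Review bot: The change in ath10k_debug_get_et_strings() from `*ath10k_gstrings_stats` to `ath10k_gstrings_stats` is easy to undo by accident, because both spellings copy the same bytes and only the fortify check tells them apart. A short comment keeps the reason next to the call: `/* pass the whole array, not its first row, so FORTIFY_SOURCE sees the real source size */`. The size of the `data` buffer is not checked here and is presumably fixed by the caller from the string-set count; that is outside the hunk.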
@@ -0,0 +1,102 @@ +From 05d271f12c2e9128bab56f0cd70c086ccca782a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Aug 2023 12:38:12 +0300 +Subject: wifi: ath9k: fix clang-specific fortify warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Antipov + +[ Upstream commit 95f97fe0ac974467ab4da215985a32b2fdf48af0 ] + +When compiling with clang 16.0.6 and CONFIG_FORTIFY_SOURCE=y, I've +noticed the following (somewhat confusing due to absence of an actual +source code location): + +In file included from drivers/net/wireless/ath/ath9k/debug.c:17: +In file included from ./include/linux/slab.h:16: +In file included from ./include/linux/gfp.h:7: +In file included from ./include/linux/mmzone.h:8: +In file included from ./include/linux/spinlock.h:56: +In file included from ./include/linux/preempt.h:79: +In file included from ./arch/x86/include/asm/preempt.h:9: +In file included from ./include/linux/thread_info.h:60: +In file included from ./arch/x86/include/asm/thread_info.h:53: +In file included from ./arch/x86/include/asm/cpufeature.h:5: +In file included from ./arch/x86/include/asm/processor.h:23: +In file included from ./arch/x86/include/asm/msr.h:11: +In file included from ./arch/x86/include/asm/cpumask.h:5: +In file included from ./include/linux/cpumask.h:12: +In file included from ./include/linux/bitmap.h:11: +In file included from ./include/linux/string.h:254: +./include/linux/fortify-string.h:592:4: warning: call to '__read_overflow2_field' +declared with 'warning' attribute: detected read beyond size of field (2nd +parameter); maybe use struct_group()? 
[-Wattribute-warning] + __read_overflow2_field(q_size_field, size); + +In file included from drivers/net/wireless/ath/ath9k/htc_drv_debug.c:17: +In file included from drivers/net/wireless/ath/ath9k/htc.h:20: +In file included from ./include/linux/module.h:13: +In file included from ./include/linux/stat.h:19: +In file included from ./include/linux/time.h:60: +In file included from ./include/linux/time32.h:13: +In file included from ./include/linux/timex.h:67: +In file included from ./arch/x86/include/asm/timex.h:5: +In file included from ./arch/x86/include/asm/processor.h:23: +In file included from ./arch/x86/include/asm/msr.h:11: +In file included from ./arch/x86/include/asm/cpumask.h:5: +In file included from ./include/linux/cpumask.h:12: +In file included from ./include/linux/bitmap.h:11: +In file included from ./include/linux/string.h:254: +./include/linux/fortify-string.h:592:4: warning: call to '__read_overflow2_field' +declared with 'warning' attribute: detected read beyond size of field (2nd +parameter); maybe use struct_group()? [-Wattribute-warning] + __read_overflow2_field(q_size_field, size); + +The compiler actually complains on 'ath9k_get_et_strings()' and +'ath9k_htc_get_et_strings()' due to the same reason: fortification logic +inteprets call to 'memcpy()' as an attempt to copy the whole array from +it's first member and so issues an overread warning. These warnings may +be silenced by passing an address of the whole array and not the first +member to 'memcpy()'. 
+ +Signed-off-by: Dmitry Antipov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230829093856.234584-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/debug.c | 2 +- + drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c +index 859a865c59950..8d98347e0ddff 100644 +--- a/drivers/net/wireless/ath/ath9k/debug.c ++++ b/drivers/net/wireless/ath/ath9k/debug.c +@@ -1284,7 +1284,7 @@ void ath9k_get_et_strings(struct ieee80211_hw *hw, + u32 sset, u8 *data) + { + if (sset == ETH_SS_STATS) +- memcpy(data, *ath9k_gstrings_stats, ++ memcpy(data, ath9k_gstrings_stats, + sizeof(ath9k_gstrings_stats)); + } + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c +index c55aab01fff5d..e79bbcd3279af 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c +@@ -428,7 +428,7 @@ void ath9k_htc_get_et_strings(struct ieee80211_hw *hw, + u32 sset, u8 *data) + { + if (sset == ETH_SS_STATS) +- memcpy(data, *ath9k_htc_gstrings_stats, ++ memcpy(data, ath9k_htc_gstrings_stats, + sizeof(ath9k_htc_gstrings_stats)); + } + +-- +2.42.0 + diff --git a/queue-5.10/wifi-iwlwifi-use-fw-rate-for-non-data-frames.patch b/queue-5.10/wifi-iwlwifi-use-fw-rate-for-non-data-frames.patch new file mode 100644 index 00000000000..49143efeb5e --- /dev/null +++ b/queue-5.10/wifi-iwlwifi-use-fw-rate-for-non-data-frames.patch 
@@ -0,0 +1,64 @@ +From 4b4b81dced256280378d07cb039591b2d0ee9fc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 14:56:45 +0300 +Subject: wifi: iwlwifi: Use FW rate for non-data frames + +From: Miri Korenblit + +[ Upstream commit 499d02790495958506a64f37ceda7e97345a50a8 ] + +Currently we are setting the rate in the tx cmd for +mgmt frames (e.g. during connection establishment). +This was problematic when sending mgmt frames in eSR mode, +as we don't know what link this frame will be sent on +(This is decided by the FW), so we don't know what is the +lowest rate. +Fix this by not setting the rate in tx cmd and rely +on FW to choose the right one. +Set rate only for injected frames with fixed rate, +or when no sta is given. +Also set for important frames (EAPOL etc.) the High Priority flag. + +Fixes: 055b22e770dd ("iwlwifi: mvm: Set Tx rate and flags when there is not station") +Signed-off-by: Miri Korenblit +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230913145231.6c7e59620ee0.I6eaed3ccdd6dd62b9e664facc484081fc5275843@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +index d310337b16251..99150fec151b8 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -532,16 +532,20 @@ iwl_mvm_set_tx_params(struct iwl_mvm *mvm, struct sk_buff *skb, + flags |= IWL_TX_FLAGS_ENCRYPT_DIS; + + /* +- * For data packets rate info comes from the fw. Only +- * set rate/antenna during connection establishment or in case +- * no station is given. ++ * For data and mgmt packets rate info comes from the fw. Only ++ * set rate/antenna for injected frames with fixed rate, or ++ * when no sta is given. 
+ */ +- if (!sta || !ieee80211_is_data(hdr->frame_control) || +- mvmsta->sta_state < IEEE80211_STA_AUTHORIZED) { ++ if (unlikely(!sta || ++ info->control.flags & IEEE80211_TX_CTRL_RATE_INJECT)) { + flags |= IWL_TX_FLAGS_CMD_RATE; + rate_n_flags = + iwl_mvm_get_tx_rate_n_flags(mvm, info, sta, + hdr->frame_control); ++ } else if (!ieee80211_is_data(hdr->frame_control) || ++ mvmsta->sta_state < IEEE80211_STA_AUTHORIZED) { ++ /* These are important frames */ ++ flags |= IWL_TX_FLAGS_HIGH_PRI; + } + + if (mvm->trans->trans_cfg->device_family >= +-- +2.42.0 + diff --git a/queue-5.10/wifi-mac80211-don-t-return-unset-power-in-ieee80211_.patch b/queue-5.10/wifi-mac80211-don-t-return-unset-power-in-ieee80211_.patch new file mode 100644 index 00000000000..2e24bb14c07 --- /dev/null +++ b/queue-5.10/wifi-mac80211-don-t-return-unset-power-in-ieee80211_.patch 
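Review bot: The new `else if` branch in iwl_mvm_set_tx_params() reads `mvmsta->sta_state`, which presumably is valid only because the `!sta` case is consumed by the first branch; that dependency is implicit and easy to break the next time the conditions are reordered. I would state it in the comment, e.g. `/* sta is non-NULL here: non-data frames and frames to a not yet authorized station get high priority */`, in place of `/* These are important frames */`. The unparenthesized `info->control.flags & IEEE80211_TX_CTRL_RATE_INJECT` next to `||` is correct by precedence but reads better as `(info->control.flags & IEEE80211_TX_CTRL_RATE_INJECT)`. How mvmsta is derived from sta is outside the hunk, as are the start and end of the function.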
@@ -0,0 +1,58 @@ +From a1e594561a1dcbb5b4a972938a0ebe704f532a13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Feb 2023 10:36:36 +0800 +Subject: wifi: mac80211: don't return unset power in ieee80211_get_tx_power() + +From: Ping-Ke Shih + +[ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] + +We can get a UBSAN warning if ieee80211_get_tx_power() returns the +INT_MIN value mac80211 internally uses for "unset power level". + + UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 + -2147483648 * 100 cannot be represented in type 'int' + CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE + Call Trace: + dump_stack+0x74/0x92 + ubsan_epilogue+0x9/0x50 + handle_overflow+0x8d/0xd0 + __ubsan_handle_mul_overflow+0xe/0x10 + nl80211_send_iface+0x688/0x6b0 [cfg80211] + [...] + cfg80211_register_wdev+0x78/0xb0 [cfg80211] + cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] + [...] + ieee80211_if_add+0x60e/0x8f0 [mac80211] + ieee80211_register_hw+0xda5/0x1170 [mac80211] + +In this case, simply return an error instead, to indicate +that no data is available. + +Cc: Zong-Zhe Yang +Signed-off-by: Ping-Ke Shih +Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index c6a7f1c99abc5..45bb6f2755987 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -2726,6 +2726,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, + else + *dbm = sdata->vif.bss_conf.txpower; + ++ /* INT_MIN indicates no power level was set yet */ ++ if (*dbm == INT_MIN) ++ return -EINVAL; ++ + return 0; + } + +-- +2.42.0 + diff --git a/queue-5.10/wifi-mac80211_hwsim-fix-clang-specific-fortify-warni.patch b/queue-5.10/wifi-mac80211_hwsim-fix-clang-specific-fortify-warni.patch new file mode 100644 index 00000000000..463179ae074 --- /dev/null 
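Review bot: On the new -EINVAL path in ieee80211_get_tx_power() the out-parameter has already been written, so `*dbm` still holds INT_MIN when the function fails. A caller that uses the value without checking the return code would reach the same multiplication overflow the UBSAN report shows; the callers are not in this hunk, so that needs to be checked there. At minimum the comment should state the contract, e.g. `/* INT_MIN means no power level was set yet; *dbm is not valid when -EINVAL is returned */`. The start of the function is outside the hunk.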
+++ b/queue-5.10/wifi-mac80211_hwsim-fix-clang-specific-fortify-warni.patch 
@@ -0,0 +1,64 @@ +From 7c3ac208fcb86f9655da096c8375805da9383480 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Aug 2023 12:41:01 +0300 +Subject: wifi: mac80211_hwsim: fix clang-specific fortify warning + +From: Dmitry Antipov + +[ Upstream commit cbaccdc42483c65016f1bae89128c08dc17cfb2a ] + +When compiling with clang 16.0.6 and CONFIG_FORTIFY_SOURCE=y, I've +noticed the following (somewhat confusing due to absence of an actual +source code location): + +In file included from drivers/net/wireless/virtual/mac80211_hwsim.c:18: +In file included from ./include/linux/slab.h:16: +In file included from ./include/linux/gfp.h:7: +In file included from ./include/linux/mmzone.h:8: +In file included from ./include/linux/spinlock.h:56: +In file included from ./include/linux/preempt.h:79: +In file included from ./arch/x86/include/asm/preempt.h:9: +In file included from ./include/linux/thread_info.h:60: +In file included from ./arch/x86/include/asm/thread_info.h:53: +In file included from ./arch/x86/include/asm/cpufeature.h:5: +In file included from ./arch/x86/include/asm/processor.h:23: +In file included from ./arch/x86/include/asm/msr.h:11: +In file included from ./arch/x86/include/asm/cpumask.h:5: +In file included from ./include/linux/cpumask.h:12: +In file included from ./include/linux/bitmap.h:11: +In file included from ./include/linux/string.h:254: +./include/linux/fortify-string.h:592:4: warning: call to '__read_overflow2_field' +declared with 'warning' attribute: detected read beyond size of field (2nd +parameter); maybe use struct_group()? [-Wattribute-warning] + __read_overflow2_field(q_size_field, size); + +The compiler actually complains on 'mac80211_hwsim_get_et_strings()' where +fortification logic inteprets call to 'memcpy()' as an attempt to copy the +whole 'mac80211_hwsim_gstrings_stats' array from its first member and so +issues an overread warning. 
This warning may be silenced by passing +an address of the whole array and not the first member to 'memcpy()'. + +Signed-off-by: Dmitry Antipov +Link: https://lore.kernel.org/r/20230829094140.234636-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 0d41f172a1dc2..037358606a51a 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2543,7 +2543,7 @@ static void mac80211_hwsim_get_et_strings(struct ieee80211_hw *hw, + u32 sset, u8 *data) + { + if (sset == ETH_SS_STATS) +- memcpy(data, *mac80211_hwsim_gstrings_stats, ++ memcpy(data, mac80211_hwsim_gstrings_stats, + sizeof(mac80211_hwsim_gstrings_stats)); + } + +-- +2.42.0 + diff --git a/queue-5.10/x86-mm-drop-the-4-mb-restriction-on-minimal-numa-nod.patch b/queue-5.10/x86-mm-drop-the-4-mb-restriction-on-minimal-numa-nod.patch new file mode 100644 index 00000000000..f9626f1f446 --- /dev/null +++ b/queue-5.10/x86-mm-drop-the-4-mb-restriction-on-minimal-numa-nod.patch 
@@ -0,0 +1,112 @@ +From 57bc39f919ef7d84ec14cee638fd0ea6760499fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 12:42:50 +0200 +Subject: x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size + +From: Mike Rapoport (IBM) + +[ Upstream commit a1e2b8b36820d8c91275f207e77e91645b7c6836 ] + +Qi Zheng reported crashes in a production environment and provided a +simplified example as a reproducer: + + | For example, if we use Qemu to start a two NUMA node kernel, + | one of the nodes has 2M memory (less than NODE_MIN_SIZE), + | and the other node has 2G, then we will encounter the + | following panic: + | + | BUG: kernel NULL pointer dereference, address: 0000000000000000 + | <...> + | RIP: 0010:_raw_spin_lock_irqsave+0x22/0x40 + | <...> + | Call Trace: + | + | deactivate_slab() + | bootstrap() + | kmem_cache_init() + | start_kernel() + | secondary_startup_64_no_verify() + +The crashes happen because of inconsistency between the nodemask that +has nodes with less than 4MB as memoryless, and the actual memory fed +into the core mm. + +The commit: + + 9391a3f9c7f1 ("[PATCH] x86_64: Clear more state when ignoring empty node in SRAT parsing") + +... that introduced minimal size of a NUMA node does not explain why +a node size cannot be less than 4MB and what boot failures this +restriction might fix. + +Fixes have been submitted to the core MM code to tighten up the +memory topologies it accepts and to not crash on weird input: + + mm: page_alloc: skip memoryless nodes entirely + mm: memory_hotplug: drop memoryless node from fallback lists + +Andrew has accepted them into the -mm tree, but there are no +stable SHA1's yet. + +This patch drops the limitation for minimal node size on x86: + + - which works around the crash without the fixes to the core MM. + - makes x86 topologies less weird, + - removes an arbitrary and undocumented limitation on NUMA topologies. + +[ mingo: Improved changelog clarity. 
] + +Reported-by: Qi Zheng +Tested-by: Mario Casquero +Signed-off-by: Mike Rapoport (IBM) +Signed-off-by: Ingo Molnar +Acked-by: David Hildenbrand +Acked-by: Michal Hocko +Cc: Dave Hansen +Cc: Rik van Riel +Link: https://lore.kernel.org/r/ZS+2qqjEO5/867br@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/numa.h | 7 ------- + arch/x86/mm/numa.c | 7 ------- + 2 files changed, 14 deletions(-) + +diff --git a/arch/x86/include/asm/numa.h b/arch/x86/include/asm/numa.h +index e3bae2b60a0db..ef2844d691735 100644 +--- a/arch/x86/include/asm/numa.h ++++ b/arch/x86/include/asm/numa.h +@@ -12,13 +12,6 @@ + + #define NR_NODE_MEMBLKS (MAX_NUMNODES*2) + +-/* +- * Too small node sizes may confuse the VM badly. Usually they +- * result from BIOS bugs. So dont recognize nodes as standalone +- * NUMA entities that have less than this amount of RAM listed: +- */ +-#define NODE_MIN_SIZE (4*1024*1024) +- + extern int numa_off; + + /* +diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c +index 9dc31996c7edb..62a119170376b 100644 +--- a/arch/x86/mm/numa.c ++++ b/arch/x86/mm/numa.c +@@ -602,13 +602,6 @@ static int __init numa_register_memblks(struct numa_meminfo *mi) + if (start >= end) + continue; + +- /* +- * Don't confuse VM with a node that doesn't have the +- * minimum amount of memory: +- */ +- if (end && (end - start) < NODE_MIN_SIZE) +- continue; +- + alloc_node_data(nid); + } + +-- +2.42.0 + diff --git a/queue-5.10/xen-events-fix-delayed-eoi-list-handling.patch b/queue-5.10/xen-events-fix-delayed-eoi-list-handling.patch new file mode 100644 index 00000000000..2d09e3de214 --- /dev/null +++ b/queue-5.10/xen-events-fix-delayed-eoi-list-handling.patch 
@@ -0,0 +1,47 @@ +From b0f3ea748821403e8cc09e95413ed548d31c82a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Sep 2023 17:54:13 +0200 +Subject: xen/events: fix delayed eoi list handling + +From: Juergen Gross + +[ Upstream commit 47d970204054f859f35a2237baa75c2d84fcf436 ] + +When delaying eoi handling of events, the related elements are queued +into the percpu lateeoi list. In case the list isn't empty, the +elements should be sorted by the time when eoi handling is to happen. + +Unfortunately a new element will never be queued at the start of the +list, even if it has a handling time lower than all other list +elements. + +Fix that by handling that case the same way as for an empty list. + +Fixes: e99502f76271 ("xen/events: defer eoi in case of excessive number of events") +Reported-by: Jan Beulich +Signed-off-by: Juergen Gross +Reviewed-by: Oleksandr Tyshchenko +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/events/events_base.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 52891546e6973..24e39984914fe 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -551,7 +551,9 @@ static void lateeoi_list_add(struct irq_info *info) + + spin_lock_irqsave(&eoi->eoi_list_lock, flags); + +- if (list_empty(&eoi->eoi_list)) { ++ elem = list_first_entry_or_null(&eoi->eoi_list, struct irq_info, ++ eoi_list); ++ if (!elem || info->eoi_time < elem->eoi_time) { + list_add(&info->eoi_list, &eoi->eoi_list); + mod_delayed_work_on(info->eoi_cpu, system_wq, + &eoi->delayed, delay); +-- +2.42.0 + diff --git a/queue-5.10/xhci-turn-cancelled-td-cleanup-to-its-own-function.patch b/queue-5.10/xhci-turn-cancelled-td-cleanup-to-its-own-function.patch new file mode 100644 index 00000000000..15db51345d4 --- /dev/null +++ b/queue-5.10/xhci-turn-cancelled-td-cleanup-to-its-own-function.patch 
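Review bot: The new head-insert condition in lateeoi_list_add() has no comment, although it now covers two distinct cases that both re-arm the delayed work. Something like `/* Empty list, or new entry is due before the current head: queue it first and re-arm the work. */` above the `if` would make the ordering invariant of the list explicit. `delay` is computed outside the hunk; it is presumably derived from info->eoi_time, which is what would make re-arming with it correct for the early-head case, and that is worth confirming. The function starts and ends outside the hunk.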
@@ -0,0 +1,162 @@ +From 3a9ca4096588d0674feb24d8d78b8385a5eab81f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 15:00:36 +0200 +Subject: xhci: turn cancelled td cleanup to its own function + +From: Mathias Nyman + +[ Upstream commit 4db356924a50f72a00834ae04f11202d9703faeb ] + +Refactor handler for stop endpoint command completion. Yank out the part +that invalidates cancelled TDs and turn it into a separate function. + +Invalidating cancelled TDs should be done while the ring is stopped, +but not exclusively in the stop endpoint command completeion handler. + +We will need to invalidate TDs after resetting endpoints as well. + +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20210129130044.206855-20-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: a5f928db5951 ("usb: host: xhci-plat: fix possible kernel oops while resuming") +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 108 +++++++++++++++++------------------ + 1 file changed, 53 insertions(+), 55 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 5ee095a5d38aa..eb70f07e3623a 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -868,6 +868,58 @@ static void xhci_handle_halted_endpoint(struct xhci_hcd *xhci, + xhci_ring_cmd_db(xhci); + } + ++/* ++ * Fix up the ep ring first, so HW stops executing cancelled TDs. ++ * We have the xHCI lock, so nothing can modify this list until we drop it. ++ * We're also in the event handler, so we can't get re-interrupted if another ++ * Stop Endpoint command completes. 
++ */ ++ ++static int xhci_invalidate_cancelled_tds(struct xhci_virt_ep *ep, ++ struct xhci_dequeue_state *deq_state) ++{ ++ struct xhci_hcd *xhci; ++ struct xhci_td *td = NULL; ++ struct xhci_td *tmp_td = NULL; ++ struct xhci_ring *ring; ++ u64 hw_deq; ++ ++ xhci = ep->xhci; ++ ++ list_for_each_entry_safe(td, tmp_td, &ep->cancelled_td_list, cancelled_td_list) { ++ xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, ++ "Removing canceled TD starting at 0x%llx (dma).", ++ (unsigned long long)xhci_trb_virt_to_dma( ++ td->start_seg, td->first_trb)); ++ list_del_init(&td->td_list); ++ ring = xhci_urb_to_transfer_ring(xhci, td->urb); ++ if (!ring) { ++ xhci_warn(xhci, "WARN Cancelled URB %p has invalid stream ID %u.\n", ++ td->urb, td->urb->stream_id); ++ continue; ++ } ++ /* ++ * If ring stopped on the TD we need to cancel, then we have to ++ * move the xHC endpoint ring dequeue pointer past this TD. ++ */ ++ hw_deq = xhci_get_hw_deq(xhci, ep->vdev, ep->ep_index, ++ td->urb->stream_id); ++ hw_deq &= ~0xf; ++ ++ if (trb_in_td(xhci, td->start_seg, td->first_trb, ++ td->last_trb, hw_deq, false)) { ++ xhci_find_new_dequeue_state(xhci, ep->vdev->slot_id, ++ ep->ep_index, ++ td->urb->stream_id, ++ td, deq_state); ++ } else { ++ td_to_noop(xhci, ring, td, false); ++ } ++ ++ } ++ return 0; ++} ++ + /* + * When we get a command completion for a Stop Endpoint Command, we need to + * unlink any cancelled TDs from the ring. There are two ways to do that: +@@ -888,7 +940,6 @@ static void xhci_handle_cmd_stop_ep(struct xhci_hcd *xhci, int slot_id, + struct xhci_td *last_unlinked_td; + struct xhci_ep_ctx *ep_ctx; + struct xhci_virt_device *vdev; +- u64 hw_deq; + struct xhci_dequeue_state deq_state; + + if (unlikely(TRB_TO_SUSPEND_PORT(le32_to_cpu(trb->generic.field[3])))) { +@@ -919,60 +970,7 @@ static void xhci_handle_cmd_stop_ep(struct xhci_hcd *xhci, int slot_id, + return; + } + +- /* Fix up the ep ring first, so HW stops executing cancelled TDs. 
+- * We have the xHCI lock, so nothing can modify this list until we drop +- * it. We're also in the event handler, so we can't get re-interrupted +- * if another Stop Endpoint command completes +- */ +- list_for_each_entry(cur_td, &ep->cancelled_td_list, cancelled_td_list) { +- xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, +- "Removing canceled TD starting at 0x%llx (dma).", +- (unsigned long long)xhci_trb_virt_to_dma( +- cur_td->start_seg, cur_td->first_trb)); +- ep_ring = xhci_urb_to_transfer_ring(xhci, cur_td->urb); +- if (!ep_ring) { +- /* This shouldn't happen unless a driver is mucking +- * with the stream ID after submission. This will +- * leave the TD on the hardware ring, and the hardware +- * will try to execute it, and may access a buffer +- * that has already been freed. In the best case, the +- * hardware will execute it, and the event handler will +- * ignore the completion event for that TD, since it was +- * removed from the td_list for that endpoint. In +- * short, don't muck with the stream ID after +- * submission. +- */ +- xhci_warn(xhci, "WARN Cancelled URB %p " +- "has invalid stream ID %u.\n", +- cur_td->urb, +- cur_td->urb->stream_id); +- goto remove_finished_td; +- } +- /* +- * If we stopped on the TD we need to cancel, then we have to +- * move the xHC endpoint ring dequeue pointer past this TD. +- */ +- hw_deq = xhci_get_hw_deq(xhci, vdev, ep_index, +- cur_td->urb->stream_id); +- hw_deq &= ~0xf; +- +- if (trb_in_td(xhci, cur_td->start_seg, cur_td->first_trb, +- cur_td->last_trb, hw_deq, false)) { +- xhci_find_new_dequeue_state(xhci, slot_id, ep_index, +- cur_td->urb->stream_id, +- cur_td, &deq_state); +- } else { +- td_to_noop(xhci, ep_ring, cur_td, false); +- } +- +-remove_finished_td: +- /* +- * The event handler won't see a completion for this TD anymore, +- * so remove it from the endpoint ring's TD list. Keep it in +- * the cancelled TD list for URB completion later. 
+- */ +- list_del_init(&cur_td->td_list); +- } ++ xhci_invalidate_cancelled_tds(ep, &deq_state); + + xhci_stop_watchdog_timer_in_irq(xhci, ep); + +-- +2.42.0 +
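Review bot: xhci_invalidate_cancelled_tds() drops the old comment that explained what the `!ring` path means: the TD stays on the hardware ring, and the controller may still execute it and access a buffer that has already been freed. The new code only warns and continues there, so I would keep a condensed form of that warning, e.g. `/* TD stays on the HW ring; the controller may still access its (possibly freed) buffer. Don't change the stream ID after submission. */`. The function is also declared to return int but can only return 0, and the call in xhci_handle_cmd_stop_ep() ignores the result; unless a later patch adds failure paths, declare it `static void`, otherwise check the value at the call site. xhci_handle_cmd_stop_ep() starts and ends outside the hunk.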