From: Sasha Levin
Date: Tue, 30 Jul 2024 13:55:24 +0000 (-0400)
Subject: Fixes for 5.4
X-Git-Tag: v6.1.103~15^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=367114849fb5da1f69cad7abd1cfdf87d604935d;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 5.4

Signed-off-by: Sasha Levin
---

diff --git a/queue-5.4/apparmor-fix-null-pointer-deref-when-receiving-skb-d.patch b/queue-5.4/apparmor-fix-null-pointer-deref-when-receiving-skb-d.patch
new file mode 100644
index 00000000000..2d148494544
--- /dev/null
+++ b/queue-5.4/apparmor-fix-null-pointer-deref-when-receiving-skb-d.patch
@@ -0,0 +1,111 @@ +From fdbb6228d0f7f33df1f645afe7e655797a047520 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Sep 2023 08:48:38 +0800 +Subject: apparmor: Fix null pointer deref when receiving skb during sock + creation + +From: Xiao Liang + +[ Upstream commit fce09ea314505a52f2436397608fa0a5d0934fb1 ] + +The panic below is observed when receiving ICMP packets with secmark set +while an ICMP raw socket is being created. SK_CTX(sk)->label is updated +in apparmor_socket_post_create(), but the packet is delivered to the +socket before that, causing the null pointer dereference. +Drop the packet if label context is not set. + + BUG: kernel NULL pointer dereference, address: 000000000000004c + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df + Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020 + RIP: 0010:aa_label_next_confined+0xb/0x40 + Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2 + RSP: 0018:ffffa92940003b08 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e + RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002 + R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400 + R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000 + FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0 + PKRU: 55555554 + Call Trace: + + ? __die+0x23/0x70 + ? page_fault_oops+0x171/0x4e0 + ? 
exc_page_fault+0x7f/0x180 + ? asm_exc_page_fault+0x26/0x30 + ? aa_label_next_confined+0xb/0x40 + apparmor_secmark_check+0xec/0x330 + security_sock_rcv_skb+0x35/0x50 + sk_filter_trim_cap+0x47/0x250 + sock_queue_rcv_skb_reason+0x20/0x60 + raw_rcv+0x13c/0x210 + raw_local_deliver+0x1f3/0x250 + ip_protocol_deliver_rcu+0x4f/0x2f0 + ip_local_deliver_finish+0x76/0xa0 + __netif_receive_skb_one_core+0x89/0xa0 + netif_receive_skb+0x119/0x170 + ? __netdev_alloc_skb+0x3d/0x140 + vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a] + vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a] + __napi_poll+0x28/0x1b0 + net_rx_action+0x2a4/0x380 + __do_softirq+0xd1/0x2c8 + __irq_exit_rcu+0xbb/0xf0 + common_interrupt+0x86/0xa0 + + + asm_common_interrupt+0x26/0x40 + RIP: 0010:apparmor_socket_post_create+0xb/0x200 + Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48 + RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286 + RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001 + RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740 + RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 + R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003 + R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748 + ? __pfx_apparmor_socket_post_create+0x10/0x10 + security_socket_post_create+0x4b/0x80 + __sock_create+0x176/0x1f0 + __sys_socket+0x89/0x100 + __x64_sys_socket+0x17/0x20 + do_syscall_64+0x5d/0x90 + ? do_syscall_64+0x6c/0x90 + ? do_syscall_64+0x6c/0x90 + ? 
do_syscall_64+0x6c/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Fixes: ab9f2115081a ("apparmor: Allow filtering based on secmark policy") +Signed-off-by: Xiao Liang +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/lsm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c +index 21e03380dd86d..4c69259b62f11 100644 +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c +@@ -1035,6 +1035,13 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) + if (!skb->secmark) + return 0; + ++ /* ++ * If reach here before socket_post_create hook is called, in which ++ * case label is null, drop the packet. ++ */ ++ if (!ctx->label) ++ return -EACCES; ++ + return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE, + skb->secmark, sk); + } +-- +2.43.0 + diff --git a/queue-5.4/asoc-intel-convert-to-new-x86-cpu-match-macros.patch b/queue-5.4/asoc-intel-convert-to-new-x86-cpu-match-macros.patch new file mode 100644 index 00000000000..fe20e14f0c9 --- /dev/null +++ b/queue-5.4/asoc-intel-convert-to-new-x86-cpu-match-macros.patch 
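Review bot: The added `if (!ctx->label) return -EACCES;` in apparmor_socket_sock_rcv_skb() drops the packet with the same errno a secmark policy denial would return and, as far as the hunk shows, without any audit record, so packets lost in the window before apparmor_socket_post_create() runs cannot be told apart from policy denials during triage. The comment should say that, and it is hard to read as written; for example `/* A packet can be delivered before apparmor_socket_post_create() has set ctx->label; with no label to check the secmark against, drop it (not audited). */`. The opening lines of the function, including where `ctx` is obtained, are outside the hunk.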
@@ -0,0 +1,63 @@ +From 8c54cca56d36add4e3baf35b2d2c6bcbeb76083b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Mar 2020 14:14:04 +0100 +Subject: ASoC: Intel: Convert to new X86 CPU match macros + +From: Thomas Gleixner + +[ Upstream commit d51ba9c6663d7171681be357f672503f4e2ccdc1 ] + +The new macro set has a consistent namespace and uses C99 initializers +instead of the grufty C89 ones. + +Get rid the of the local macro wrappers for consistency. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Borislav Petkov +Reviewed-by: Greg Kroah-Hartman +Link: https://lkml.kernel.org/r/20200320131510.594671507@linutronix.de +Stable-dep-of: 9931f7d5d251 ("ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable") +Signed-off-by: Sasha Levin +--- + sound/soc/intel/common/soc-intel-quirks.h | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/intel/common/soc-intel-quirks.h b/sound/soc/intel/common/soc-intel-quirks.h +index 645baf0ed3dd1..a88a91995ce1a 100644 +--- a/sound/soc/intel/common/soc-intel-quirks.h ++++ b/sound/soc/intel/common/soc-intel-quirks.h +@@ -16,13 +16,11 @@ + #include + #include + +-#define ICPU(model) { X86_VENDOR_INTEL, 6, model, X86_FEATURE_ANY, } +- + #define SOC_INTEL_IS_CPU(soc, type) \ + static inline bool soc_intel_is_##soc(void) \ + { \ + static const struct x86_cpu_id soc##_cpu_ids[] = { \ +- ICPU(type), \ ++ X86_MATCH_INTEL_FAM6_MODEL(type, NULL), \ + {} \ + }; \ + const struct x86_cpu_id *id; \ +@@ -33,11 +31,11 @@ static inline bool soc_intel_is_##soc(void) \ + return false; \ + } + +-SOC_INTEL_IS_CPU(byt, INTEL_FAM6_ATOM_SILVERMONT); +-SOC_INTEL_IS_CPU(cht, INTEL_FAM6_ATOM_AIRMONT); +-SOC_INTEL_IS_CPU(apl, INTEL_FAM6_ATOM_GOLDMONT); +-SOC_INTEL_IS_CPU(glk, INTEL_FAM6_ATOM_GOLDMONT_PLUS); +-SOC_INTEL_IS_CPU(cml, INTEL_FAM6_KABYLAKE_L); ++SOC_INTEL_IS_CPU(byt, ATOM_SILVERMONT); ++SOC_INTEL_IS_CPU(cht, ATOM_AIRMONT); ++SOC_INTEL_IS_CPU(apl, ATOM_GOLDMONT); ++SOC_INTEL_IS_CPU(glk, 
ATOM_GOLDMONT_PLUS); ++SOC_INTEL_IS_CPU(cml, KABYLAKE_L); + + static inline bool soc_intel_is_byt_cr(struct platform_device *pdev) + { +-- +2.43.0 + diff --git a/queue-5.4/asoc-intel-move-soc_intel_is_foo-helpers-to-a-generi.patch b/queue-5.4/asoc-intel-move-soc_intel_is_foo-helpers-to-a-generi.patch new file mode 100644 index 00000000000..5947705e200 --- /dev/null +++ b/queue-5.4/asoc-intel-move-soc_intel_is_foo-helpers-to-a-generi.patch 
@@ -0,0 +1,176 @@ +From f98aca20b2de4ead684bcbac546069851706b165 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 16:33:22 +0200 +Subject: ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header + +From: Hans de Goede + +[ Upstream commit cd45c9bf8b43cd387e167cf166ae5c517f56d658 ] + +The soc_intel_is_foo() helpers from +sound/soc/intel/common/soc-intel-quirks.h are useful outside of the +sound subsystem too. + +Move these to include/linux/platform_data/x86/soc.h, so that +other code can use them too. + +Suggested-by: Andy Shevchenko +Reviewed-by: Andy Shevchenko +Acked-by: Mark Brown +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20211018143324.296961-2-hdegoede@redhat.com +Stable-dep-of: 9931f7d5d251 ("ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable") +Signed-off-by: Sasha Levin +--- + include/linux/platform_data/x86/soc.h | 65 +++++++++++++++++++++++ + sound/soc/intel/common/soc-intel-quirks.h | 51 ++---------------- + 2 files changed, 68 insertions(+), 48 deletions(-) + create mode 100644 include/linux/platform_data/x86/soc.h + +diff --git a/include/linux/platform_data/x86/soc.h b/include/linux/platform_data/x86/soc.h +new file mode 100644 +index 0000000000000..da05f425587a0 +--- /dev/null ++++ b/include/linux/platform_data/x86/soc.h +@@ -0,0 +1,65 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++/* ++ * Helpers for Intel SoC model detection ++ * ++ * Copyright (c) 2019, Intel Corporation. 
++ */ ++ ++#ifndef __PLATFORM_DATA_X86_SOC_H ++#define __PLATFORM_DATA_X86_SOC_H ++ ++#if IS_ENABLED(CONFIG_X86) ++ ++#include ++#include ++ ++#define SOC_INTEL_IS_CPU(soc, type) \ ++static inline bool soc_intel_is_##soc(void) \ ++{ \ ++ static const struct x86_cpu_id soc##_cpu_ids[] = { \ ++ X86_MATCH_INTEL_FAM6_MODEL(type, NULL), \ ++ {} \ ++ }; \ ++ const struct x86_cpu_id *id; \ ++ \ ++ id = x86_match_cpu(soc##_cpu_ids); \ ++ if (id) \ ++ return true; \ ++ return false; \ ++} ++ ++SOC_INTEL_IS_CPU(byt, ATOM_SILVERMONT); ++SOC_INTEL_IS_CPU(cht, ATOM_AIRMONT); ++SOC_INTEL_IS_CPU(apl, ATOM_GOLDMONT); ++SOC_INTEL_IS_CPU(glk, ATOM_GOLDMONT_PLUS); ++SOC_INTEL_IS_CPU(cml, KABYLAKE_L); ++ ++#else /* IS_ENABLED(CONFIG_X86) */ ++ ++static inline bool soc_intel_is_byt(void) ++{ ++ return false; ++} ++ ++static inline bool soc_intel_is_cht(void) ++{ ++ return false; ++} ++ ++static inline bool soc_intel_is_apl(void) ++{ ++ return false; ++} ++ ++static inline bool soc_intel_is_glk(void) ++{ ++ return false; ++} ++ ++static inline bool soc_intel_is_cml(void) ++{ ++ return false; ++} ++#endif /* IS_ENABLED(CONFIG_X86) */ ++ ++#endif /* __PLATFORM_DATA_X86_SOC_H */ +diff --git a/sound/soc/intel/common/soc-intel-quirks.h b/sound/soc/intel/common/soc-intel-quirks.h +index a88a91995ce1a..a46be331c178e 100644 +--- a/sound/soc/intel/common/soc-intel-quirks.h ++++ b/sound/soc/intel/common/soc-intel-quirks.h +@@ -9,34 +9,13 @@ + #ifndef _SND_SOC_INTEL_QUIRKS_H + #define _SND_SOC_INTEL_QUIRKS_H + ++#include ++ + #if IS_ENABLED(CONFIG_X86) + + #include +-#include +-#include + #include + +-#define SOC_INTEL_IS_CPU(soc, type) \ +-static inline bool soc_intel_is_##soc(void) \ +-{ \ +- static const struct x86_cpu_id soc##_cpu_ids[] = { \ +- X86_MATCH_INTEL_FAM6_MODEL(type, NULL), \ +- {} \ +- }; \ +- const struct x86_cpu_id *id; \ +- \ +- id = x86_match_cpu(soc##_cpu_ids); \ +- if (id) \ +- return true; \ +- return false; \ +-} +- +-SOC_INTEL_IS_CPU(byt, ATOM_SILVERMONT); 
+-SOC_INTEL_IS_CPU(cht, ATOM_AIRMONT); +-SOC_INTEL_IS_CPU(apl, ATOM_GOLDMONT); +-SOC_INTEL_IS_CPU(glk, ATOM_GOLDMONT_PLUS); +-SOC_INTEL_IS_CPU(cml, KABYLAKE_L); +- + static inline bool soc_intel_is_byt_cr(struct platform_device *pdev) + { + /* +@@ -114,30 +93,6 @@ static inline bool soc_intel_is_byt_cr(struct platform_device *pdev) + return false; + } + +-static inline bool soc_intel_is_byt(void) +-{ +- return false; +-} +- +-static inline bool soc_intel_is_cht(void) +-{ +- return false; +-} +- +-static inline bool soc_intel_is_apl(void) +-{ +- return false; +-} +- +-static inline bool soc_intel_is_glk(void) +-{ +- return false; +-} +- +-static inline bool soc_intel_is_cml(void) +-{ +- return false; +-} + #endif + +- #endif /* _SND_SOC_INTEL_QUIRKS_H */ ++#endif /* _SND_SOC_INTEL_QUIRKS_H */ +-- +2.43.0 + diff --git a/queue-5.4/asoc-intel-use-soc_intel_is_byt_cr-only-when-iosf_mb.patch b/queue-5.4/asoc-intel-use-soc_intel_is_byt_cr-only-when-iosf_mb.patch new file mode 100644 index 00000000000..61ca24fa29f --- /dev/null +++ b/queue-5.4/asoc-intel-use-soc_intel_is_byt_cr-only-when-iosf_mb.patch 
@@ -0,0 +1,54 @@ +From deddb15405bb06112b2fd7d8218706a12c796085 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 10:30:02 +0200 +Subject: ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is + reachable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit 9931f7d5d251882a147cc5811060097df43e79f5 ] + +the Intel kbuild bot reports a link failure when IOSF_MBI is built-in +but the Merrifield driver is configured as a module. The +soc-intel-quirks.h is included for Merrifield platforms, but IOSF_MBI +is not selected for that platform. + +ld.lld: error: undefined symbol: iosf_mbi_read +>>> referenced by atom.c +>>> sound/soc/sof/intel/atom.o:(atom_machine_select) in archive vmlinux.a + +This patch forces the use of the fallback static inline when IOSF_MBI is not reachable. + +Fixes: 536cfd2f375d ("ASoC: Intel: use common helpers to detect CPUs") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202407160704.zpdhJ8da-lkp@intel.com/ +Suggested-by: Takashi Iwai +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Reviewed-by: Bard Liao +Link: https://patch.msgid.link/20240722083002.10800-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/common/soc-intel-quirks.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/common/soc-intel-quirks.h b/sound/soc/intel/common/soc-intel-quirks.h +index a46be331c178e..a7960b41a6a34 100644 +--- a/sound/soc/intel/common/soc-intel-quirks.h ++++ b/sound/soc/intel/common/soc-intel-quirks.h +@@ -11,7 +11,7 @@ + + #include + +-#if IS_ENABLED(CONFIG_X86) ++#if IS_REACHABLE(CONFIG_IOSF_MBI) + + #include + #include +-- +2.43.0 + 
diff --git a/queue-5.4/bpf-fix-a-segment-issue-when-downgrading-gso_size.patch b/queue-5.4/bpf-fix-a-segment-issue-when-downgrading-gso_size.patch
new file mode 100644
index 00000000000..99f5fc9914d
--- /dev/null
+++ b/queue-5.4/bpf-fix-a-segment-issue-when-downgrading-gso_size.patch
@@ -0,0 +1,57 @@ +From e734eba261f13b17ce99bf99e458504667856567 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 10:46:53 +0800 +Subject: bpf: Fix a segment issue when downgrading gso_size + +From: Fred Li + +[ Upstream commit fa5ef655615a01533035c6139248c5b33aa27028 ] + +Linearize the skb when downgrading gso_size because it may trigger a +BUG_ON() later when the skb is segmented as described in [1,2]. + +Fixes: 2be7e212d5419 ("bpf: add bpf_skb_adjust_room helper") +Signed-off-by: Fred Li +Signed-off-by: Daniel Borkmann +Reviewed-by: Willem de Bruijn +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/all/20240626065555.35460-2-dracodingfly@gmail.com [1] +Link: https://lore.kernel.org/all/668d5cf1ec330_1c18c32947@willemb.c.googlers.com.notmuch [2] +Link: https://lore.kernel.org/bpf/20240719024653.77006-1-dracodingfly@gmail.com +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 3c4dcdc7217e0..f82c27668623c 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -3126,13 +3126,20 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 off, u32 len_diff, + if (skb_is_gso(skb)) { + struct skb_shared_info *shinfo = skb_shinfo(skb); + +- /* Due to header grow, MSS needs to be downgraded. */ +- if (!(flags & BPF_F_ADJ_ROOM_FIXED_GSO)) +- skb_decrease_gso_size(shinfo, len_diff); +- + /* Header must be checked, and gso_segs recomputed. */ + shinfo->gso_type |= gso_type; + shinfo->gso_segs = 0; ++ ++ /* Due to header growth, MSS needs to be downgraded. ++ * There is a BUG_ON() when segmenting the frag_list with ++ * head_frag true, so linearize the skb after downgrading ++ * the MSS. ++ */ ++ if (!(flags & BPF_F_ADJ_ROOM_FIXED_GSO)) { ++ skb_decrease_gso_size(shinfo, len_diff); ++ if (shinfo->frag_list) ++ return skb_linearize(skb); ++ } + } + + return 0; +-- +2.43.0 + 
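Review bot: `return skb_linearize(skb);` in bpf_skb_net_grow() can fail after `shinfo->gso_type`, `shinfo->gso_segs` and the gso_size downgrade have already been applied, so on allocation failure the caller receives an error for an skb whose GSO metadata is already modified and whose frag_list is still attached. Whether every caller discards the skb on a non-zero return is not visible in this hunk; if one does not, the skb stays in the state the commit message ties to the BUG_ON(). I would state the contract next to the call, for example `/* on failure the skb is left with the reduced gso_size; callers must drop it */`. Since linearizing may reallocate the head, `shinfo` should not be dereferenced after that call; the hunk respects this, and a short `/* shinfo is stale past this point */` would keep later edits from breaking it.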
diff --git a/queue-5.4/dma-fix-call-order-in-dmam_free_coherent.patch b/queue-5.4/dma-fix-call-order-in-dmam_free_coherent.patch
new file mode 100644
index 00000000000..10b73ea567d
--- /dev/null
+++ b/queue-5.4/dma-fix-call-order-in-dmam_free_coherent.patch
@@ -0,0 +1,52 @@ +From 047e57a4b62b51751532f677901854f4f53d31b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 14:38:24 +0000 +Subject: dma: fix call order in dmam_free_coherent + +From: Lance Richardson + +[ Upstream commit 28e8b7406d3a1f5329a03aa25a43aa28e087cb20 ] + +dmam_free_coherent() frees a DMA allocation, which makes the +freed vaddr available for reuse, then calls devres_destroy() +to remove and free the data structure used to track the DMA +allocation. Between the two calls, it is possible for a +concurrent task to make an allocation with the same vaddr +and add it to the devres list. + +If this happens, there will be two entries in the devres list +with the same vaddr and devres_destroy() can free the wrong +entry, triggering the WARN_ON() in dmam_match. + +Fix by destroying the devres entry before freeing the DMA +allocation. + +Tested: + kokonut //net/encryption + http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03 + +Fixes: 9ac7849e35f7 ("devres: device resource management") +Signed-off-by: Lance Richardson +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/mapping.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/dma/mapping.c b/kernel/dma/mapping.c +index 8682a5305cb36..942e489bc1fcb 100644 +--- a/kernel/dma/mapping.c ++++ b/kernel/dma/mapping.c +@@ -59,8 +59,8 @@ void dmam_free_coherent(struct device *dev, size_t size, void *vaddr, + { + struct dma_devres match_data = { size, vaddr, dma_handle }; + +- dma_free_coherent(dev, size, vaddr, dma_handle); + WARN_ON(devres_destroy(dev, dmam_release, dmam_match, &match_data)); ++ dma_free_coherent(dev, size, vaddr, dma_handle); + } + EXPORT_SYMBOL(dmam_free_coherent); + +-- +2.43.0 + diff --git a/queue-5.4/ipv4-fix-incorrect-source-address-in-record-route-op.patch b/queue-5.4/ipv4-fix-incorrect-source-address-in-record-route-op.patch new file mode 100644 index 00000000000..84b1a35ce10 --- /dev/null 
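Review bot: The call order in dmam_free_coherent() is now load-bearing, but the reason is recorded only in the commit message and nothing in the code stops a later cleanup from swapping the two calls back. A comment above the WARN_ON line would cover it, for example `/* Remove the devres entry before freeing: once vaddr is released it can be reallocated and registered again, and dmam_match would then see two entries. */`. As a style point, devres_destroy() now has a required side effect yet sits inside WARN_ON(); assigning it to a local first (`int rc = devres_destroy(...); WARN_ON(rc);`) makes the ordering easier to see.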
+++ b/queue-5.4/ipv4-fix-incorrect-source-address-in-record-route-op.patch @@ -0,0 +1,49 @@ +From 5fc748ea1060a3e1e3bef541f1cf8aa882aaee2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 15:34:07 +0300 +Subject: ipv4: Fix incorrect source address in Record Route option + +From: Ido Schimmel + +[ Upstream commit cc73bbab4b1fb8a4f53a24645871dafa5f81266a ] + +The Record Route IP option records the addresses of the routers that +routed the packet. In the case of forwarded packets, the kernel performs +a route lookup via fib_lookup() and fills in the preferred source +address of the matched route. + +The lookup is performed with the DS field of the forwarded packet, but +using the RT_TOS() macro which only masks one of the two ECN bits. If +the packet is ECT(0) or CE, the matched route might be different than +the route via which the packet was forwarded as the input path masks +both of the ECN bits, resulting in the wrong address being filled in the +Record Route option. + +Fix by masking both of the ECN bits. + +Fixes: 8e36360ae876 ("ipv4: Remove route key identity dependencies in ip_rt_get_source().") +Signed-off-by: Ido Schimmel +Reviewed-by: Guillaume Nault +Link: https://patch.msgid.link/20240718123407.434778-1-idosch@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 2672b71e662d3..f3e77b1e1d4b9 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1283,7 +1283,7 @@ void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt) + struct flowi4 fl4 = { + .daddr = iph->daddr, + .saddr = iph->saddr, +- .flowi4_tos = RT_TOS(iph->tos), ++ .flowi4_tos = iph->tos & IPTOS_RT_MASK, + .flowi4_oif = rt->dst.dev->ifindex, + .flowi4_iif = skb->dev->ifindex, + .flowi4_mark = skb->mark, +-- +2.43.0 + 
diff --git a/queue-5.4/jfs-fix-array-index-out-of-bounds-in-difree.patch b/queue-5.4/jfs-fix-array-index-out-of-bounds-in-difree.patch new file mode 100644 index 00000000000..2469ddc2e66 --- /dev/null +++ b/queue-5.4/jfs-fix-array-index-out-of-bounds-in-difree.patch @@ -0,0 +1,46 @@ +From fa7e2daf17c876af7bb487f29f097cc0dd83f860 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 22:28:09 +0900 +Subject: jfs: Fix array-index-out-of-bounds in diFree + +From: Jeongjun Park + +[ Upstream commit f73f969b2eb39ad8056f6c7f3a295fa2f85e313a ] + +Reported-by: syzbot+241c815bda521982cb49@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jeongjun Park +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_imap.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c +index b0965f3ef1865..36ed756820648 100644 +--- a/fs/jfs/jfs_imap.c ++++ b/fs/jfs/jfs_imap.c +@@ -292,7 +292,7 @@ int diSync(struct inode *ipimap) + int diRead(struct inode *ip) + { + struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb); +- int iagno, ino, extno, rc; ++ int iagno, ino, extno, rc, agno; + struct inode *ipimap; + struct dinode *dp; + struct iag *iagp; +@@ -341,8 +341,11 @@ int diRead(struct inode *ip) + + /* get the ag for the iag */ + agstart = le64_to_cpu(iagp->agstart); ++ agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb)); + + release_metapage(mp); ++ if (agno >= MAXAG || agno < 0) ++ return -EIO; + + rel_inode = (ino & (INOSPERPAGE - 1)); + pageno = blkno >> sbi->l2nbperpage; +-- +2.43.0 + diff --git a/queue-5.4/kdb-address-wformat-security-warnings.patch b/queue-5.4/kdb-address-wformat-security-warnings.patch new file mode 100644 index 00000000000..f79a61ac33c --- /dev/null +++ b/queue-5.4/kdb-address-wformat-security-warnings.patch 
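Review bot: The new bounds check in diRead() calls `JFS_SBI(ip->i_sb)` a second time although `sbi` already holds that value at the top of the function (visible in the first hunk), so `agno = BLKTOAG(agstart, sbi);` is the tidier form. `agno` is an `int` while `agstart` comes from `le64_to_cpu()` of an on-disk field, so `agno >= MAXAG || agno < 0` tests whatever survives the narrowing; if BLKTOAG yields a 64-bit value (the macro is not shown here), doing the range comparison before the conversion would be more robust against a crafted image. The commit has no description and its subject names diFree while the check lands in diRead, so a comment such as `/* agstart comes from disk: reject a value that maps outside [0, MAXAG) */` would record the intent. The body of diRead extends beyond both hunks.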
@@ -0,0 +1,58 @@ +From 68495d3c3d4d08952c815627cbe5bcb098be0462 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 May 2024 14:11:48 +0200 +Subject: kdb: address -Wformat-security warnings + +From: Arnd Bergmann + +[ Upstream commit 70867efacf4370b6c7cdfc7a5b11300e9ef7de64 ] + +When -Wformat-security is not disabled, using a string pointer +as a format causes a warning: + +kernel/debug/kdb/kdb_io.c: In function 'kdb_read': +kernel/debug/kdb/kdb_io.c:365:36: error: format not a string literal and no format arguments [-Werror=format-security] + 365 | kdb_printf(kdb_prompt_str); + | ^~~~~~~~~~~~~~ +kernel/debug/kdb/kdb_io.c: In function 'kdb_getstr': +kernel/debug/kdb/kdb_io.c:456:20: error: format not a string literal and no format arguments [-Werror=format-security] + 456 | kdb_printf(kdb_prompt_str); + | ^~~~~~~~~~~~~~ + +Use an explcit "%s" format instead. + +Signed-off-by: Arnd Bergmann +Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") +Reviewed-by: Douglas Anderson +Link: https://lore.kernel.org/r/20240528121154.3662553-1-arnd@kernel.org +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/kdb/kdb_io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c +index 5358e8a8b6f11..9ce4e52532b77 100644 +--- a/kernel/debug/kdb/kdb_io.c ++++ b/kernel/debug/kdb/kdb_io.c +@@ -368,7 +368,7 @@ static char *kdb_read(char *buffer, size_t bufsize) + if (i >= dtab_count) + kdb_printf("..."); + kdb_printf("\n"); +- kdb_printf(kdb_prompt_str); ++ kdb_printf("%s", kdb_prompt_str); + kdb_printf("%s", buffer); + if (cp != lastchar) + kdb_position_cursor(kdb_prompt_str, buffer, cp); +@@ -460,7 +460,7 @@ char *kdb_getstr(char *buffer, size_t bufsize, const char *prompt) + { + if (prompt && kdb_prompt_str != prompt) + strscpy(kdb_prompt_str, prompt, CMD_BUFLEN); +- kdb_printf(kdb_prompt_str); ++ kdb_printf("%s", kdb_prompt_str); + kdb_nextline = 1; /* Prompt and 
input resets line number */ + return kdb_read(buffer, bufsize); + } +-- +2.43.0 + diff --git a/queue-5.4/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch b/queue-5.4/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch new file mode 100644 index 00000000000..14e99e31587 --- /dev/null +++ b/queue-5.4/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch @@ -0,0 +1,42 @@ +From fe3961a8cc7afb8d6c538a909f2ae5f898b815f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 May 2024 07:11:48 -0700 +Subject: kdb: Use the passed prompt in kdb_position_cursor() + +From: Douglas Anderson + +[ Upstream commit e2e821095949cde46256034975a90f88626a2a73 ] + +The function kdb_position_cursor() takes in a "prompt" parameter but +never uses it. This doesn't _really_ matter since all current callers +of the function pass the same value and it's a global variable, but +it's a bit ugly. Let's clean it up. + +Found by code inspection. This patch is expected to functionally be a +no-op. + +Fixes: 09b35989421d ("kdb: Use format-strings rather than '\0' injection in kdb_read()") +Signed-off-by: Douglas Anderson +Link: https://lore.kernel.org/r/20240528071144.1.I0feb49839c6b6f4f2c4bf34764f5e95de3f55a66@changeid +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/kdb/kdb_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c +index 9ce4e52532b77..bfce77a0daac8 100644 +--- a/kernel/debug/kdb/kdb_io.c ++++ b/kernel/debug/kdb/kdb_io.c +@@ -192,7 +192,7 @@ static int kdb_read_get_key(char *buffer, size_t bufsize) + */ + static void kdb_position_cursor(char *prompt, char *buffer, char *cp) + { +- kdb_printf("\r%s", kdb_prompt_str); ++ kdb_printf("\r%s", prompt); + if (cp > buffer) + kdb_printf("%.*s", (int)(cp - buffer), buffer); + } +-- +2.43.0 + 
diff --git a/queue-5.4/libbpf-fix-no-args-func-prototype-btf-dumping-syntax.patch b/queue-5.4/libbpf-fix-no-args-func-prototype-btf-dumping-syntax.patch
new file mode 100644
index 00000000000..7435b367481
--- /dev/null
+++ b/queue-5.4/libbpf-fix-no-args-func-prototype-btf-dumping-syntax.patch
@@ -0,0 +1,96 @@ +From 37e55d54112c1b9dde67859ba9e4f080de1ab905 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jul 2024 15:44:42 -0700 +Subject: libbpf: Fix no-args func prototype BTF dumping syntax + +From: Andrii Nakryiko + +[ Upstream commit 189f1a976e426011e6a5588f1d3ceedf71fe2965 ] + +For all these years libbpf's BTF dumper has been emitting not strictly +valid syntax for function prototypes that have no input arguments. + +Instead of `int (*blah)()` we should emit `int (*blah)(void)`. + +This is not normally a problem, but it manifests when we get kfuncs in +vmlinux.h that have no input arguments. Due to compiler internal +specifics, we get no BTF information for such kfuncs, if they are not +declared with proper `(void)`. + +The fix is trivial. We also need to adjust a few ancient tests that +happily assumed `()` is correct. + +Fixes: 351131b51c7a ("libbpf: add btf_dump API for BTF-to-C conversion") +Reported-by: Tejun Heo +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Stanislav Fomichev +Link: https://lore.kernel.org/bpf/20240712224442.282823-1-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/btf_dump.c | 8 +++++--- + .../selftests/bpf/progs/btf_dump_test_case_multidim.c | 4 ++-- + .../selftests/bpf/progs/btf_dump_test_case_syntax.c | 4 ++-- + 3 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c +index a1176a9e8430a..1391f6c292054 100644 +--- a/tools/lib/bpf/btf_dump.c ++++ b/tools/lib/bpf/btf_dump.c +@@ -1302,10 +1302,12 @@ static void btf_dump_emit_type_chain(struct btf_dump *d, + * Clang for BPF target generates func_proto with no + * args as a func_proto with a single void arg (e.g., + * `int (*f)(void)` vs just `int (*f)()`). We are +- * going to pretend there are no args for such case. ++ * going to emit valid empty args (void) syntax for ++ * such case. 
Similarly and conveniently, valid ++ * no args case can be special-cased here as well. + */ +- if (vlen == 1 && p->type == 0) { +- btf_dump_printf(d, ")"); ++ if (vlen == 0 || (vlen == 1 && p->type == 0)) { ++ btf_dump_printf(d, "void)"); + return; + } + +diff --git a/tools/testing/selftests/bpf/progs/btf_dump_test_case_multidim.c b/tools/testing/selftests/bpf/progs/btf_dump_test_case_multidim.c +index ba97165bdb282..a657651eba523 100644 +--- a/tools/testing/selftests/bpf/progs/btf_dump_test_case_multidim.c ++++ b/tools/testing/selftests/bpf/progs/btf_dump_test_case_multidim.c +@@ -14,9 +14,9 @@ typedef int *ptr_arr_t[6]; + + typedef int *ptr_multiarr_t[7][8][9][10]; + +-typedef int * (*fn_ptr_arr_t[11])(); ++typedef int * (*fn_ptr_arr_t[11])(void); + +-typedef int * (*fn_ptr_multiarr_t[12][13])(); ++typedef int * (*fn_ptr_multiarr_t[12][13])(void); + + struct root_struct { + arr_t _1; +diff --git a/tools/testing/selftests/bpf/progs/btf_dump_test_case_syntax.c b/tools/testing/selftests/bpf/progs/btf_dump_test_case_syntax.c +index 0620580a5c16c..1fcca43ab342d 100644 +--- a/tools/testing/selftests/bpf/progs/btf_dump_test_case_syntax.c ++++ b/tools/testing/selftests/bpf/progs/btf_dump_test_case_syntax.c +@@ -67,7 +67,7 @@ typedef void (*printf_fn_t)(const char *, ...); + * `int -> char *` function and returns pointer to a char. 
Equivalent: + * typedef char * (*fn_input_t)(int); + * typedef char * (*fn_output_outer_t)(fn_input_t); +- * typedef const fn_output_outer_t (* fn_output_inner_t)(); ++ * typedef const fn_output_outer_t (* fn_output_inner_t)(void); + * typedef const fn_output_inner_t fn_ptr_arr2_t[5]; + */ + /* ----- START-EXPECTED-OUTPUT ----- */ +@@ -94,7 +94,7 @@ typedef void (* (*signal_t)(int, void (*)(int)))(int); + + typedef char * (*fn_ptr_arr1_t[10])(int **); + +-typedef char * (* (* const fn_ptr_arr2_t[5])())(char * (*)(int)); ++typedef char * (* (* const fn_ptr_arr2_t[5])(void))(char * (*)(int)); + + struct struct_w_typedefs { + int_t a; +-- +2.43.0 + diff --git a/queue-5.4/mips-smp-cps-fix-address-for-gcr_access-register-for.patch b/queue-5.4/mips-smp-cps-fix-address-for-gcr_access-register-for.patch new file mode 100644 index 00000000000..e89491f2582 --- /dev/null +++ b/queue-5.4/mips-smp-cps-fix-address-for-gcr_access-register-for.patch 
@@ -0,0 +1,66 @@
+From 1c51fd73490149923bcf08d8c6a54076d0548a7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Jul 2024 15:15:39 +0200
+Subject: MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
+
+From: Gregory CLEMENT
+
+[ Upstream commit a263e5f309f32301e1f3ad113293f4e68a82a646 ]
+
+When the CM block migrated from CM2.5 to CM3.0, the address offset for
+the Global CSR Access Privilege register was modified. We saw this in
+the "MIPS64 I6500 Multiprocessing System Programmer's Guide," it is
+stated that "the Global CSR Access Privilege register is located at
+offset 0x0120" in section 5.4. It is at least the same for I6400.
+
+This fix allows to use the VP cores in SMP mode if the reset values
+were modified by the bootloader.
+
+Based on the work of Vladimir Kondratiev
+ and the feedback from Jiaxun Yang
+.
+
+Fixes: 197e89e0984a ("MIPS: mips-cm: Implement mips_cm_revision")
+Signed-off-by: Gregory CLEMENT
+Reviewed-by: Jiaxun Yang
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/mips-cm.h | 4 ++++
+ arch/mips/kernel/smp-cps.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h
+index 23c67c0871b17..696b40beb774f 100644
+--- a/arch/mips/include/asm/mips-cm.h
++++ b/arch/mips/include/asm/mips-cm.h
+@@ -228,6 +228,10 @@ GCR_ACCESSOR_RO(32, 0x0d0, gic_status)
+ GCR_ACCESSOR_RO(32, 0x0f0, cpc_status)
+ #define CM_GCR_CPC_STATUS_EX BIT(0)
+
++/* GCR_ACCESS - Controls core/IOCU access to GCRs */
++GCR_ACCESSOR_RW(32, 0x120, access_cm3)
++#define CM_GCR_ACCESS_ACCESSEN GENMASK(7, 0)
++
+ /* GCR_L2_CONFIG - Indicates L2 cache configuration when Config5.L2C=1 */
+ GCR_ACCESSOR_RW(32, 0x130, l2_config)
+ #define CM_GCR_L2_CONFIG_BYPASS BIT(20)
+diff --git a/arch/mips/kernel/smp-cps.c b/arch/mips/kernel/smp-cps.c
+index f659adb681bc3..02ae0b29e6888 100644
+--- a/arch/mips/kernel/smp-cps.c
++++ b/arch/mips/kernel/smp-cps.c
+@@ -229,7 +229,10 @@ static void boot_core(unsigned int core, unsigned int vpe_id)
+ write_gcr_co_reset_ext_base(CM_GCR_Cx_RESET_EXT_BASE_UEB);
+
+ /* Ensure the core can access the GCRs */
+- set_gcr_access(1 << core);
++ if (mips_cm_revision() < CM_REV_CM3)
++ set_gcr_access(1 << core);
++ else
++ set_gcr_access_cm3(1 << core);
+
+ if (mips_cpc_present()) {
+ /* Reset the core */
+--
+2.43.0
+
diff --git a/queue-5.4/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch b/queue-5.4/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch
new file mode 100644
index 00000000000..eb228efb550
--- /dev/null
+++ b/queue-5.4/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch
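Review bot: The new `CM_GCR_ACCESS_ACCESSEN` mask (`GENMASK(7, 0)`) is defined in mips-cm.h, but the write in boot_core() does not use it: `set_gcr_access_cm3(1 << core)` shifts a signed `1` by an unchecked `unsigned int` core number. If core can reach 8 or more on CM3 systems (not visible here), the bit lands outside the 8-bit field the mask describes. I would write `set_gcr_access_cm3(BIT(core));` and warn when `BIT(core) & ~CM_GCR_ACCESS_ACCESSEN` is non-zero. boot_core() starts and ends outside this hunk.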
@@ -0,0 +1,55 @@
+From d821b2eb81c1e849278f5b1cd0ec54c4ab676938 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Jul 2024 11:08:18 -0500
+Subject: mISDN: Fix a use after free in hfcmulti_tx()
+
+From: Dan Carpenter
+
+[ Upstream commit 61ab751451f5ebd0b98e02276a44e23a10110402 ]
+
+Don't dereference *sp after calling dev_kfree_skb(*sp).
+
+Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/8be65f5a-c2dd-4ba0-8a10-bfe5980b8cfb@stanley.mountain
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/isdn/hardware/mISDN/hfcmulti.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c
+index 2c74064652334..6e09975613300 100644
+--- a/drivers/isdn/hardware/mISDN/hfcmulti.c
++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c
+@@ -1931,7 +1931,7 @@ hfcmulti_dtmf(struct hfc_multi *hc)
+ static void
+ hfcmulti_tx(struct hfc_multi *hc, int ch)
+ {
+- int i, ii, temp, len = 0;
++ int i, ii, temp, tmp_len, len = 0;
+ int Zspace, z1, z2; /* must be int for calculation */
+ int Fspace, f1, f2;
+ u_char *d;
+@@ -2152,14 +2152,15 @@ hfcmulti_tx(struct hfc_multi *hc, int ch)
+ HFC_wait_nodebug(hc);
+ }
+
++ tmp_len = (*sp)->len;
+ dev_kfree_skb(*sp);
+ /* check for next frame */
+ if (bch && get_next_bframe(bch)) {
+- len = (*sp)->len;
++ len = tmp_len;
+ goto next_frame;
+ }
+ if (dch && get_next_dframe(dch)) {
+- len = (*sp)->len;
++ len = tmp_len;
+ goto next_frame;
+ }
+
+--
+2.43.0
+
diff --git a/queue-5.4/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch b/queue-5.4/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch
new file mode 100644
index 00000000000..a8c14eb0d00
--- /dev/null
+++ b/queue-5.4/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch
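Review bot: In the second hunk of hfcmulti_tx(), `len` for the next frame now comes from `tmp_len`, which was read from the skb that is about to be freed. The removed lines read `(*sp)->len` only after get_next_bframe()/get_next_dframe() had returned true. If those helpers replace `*sp` with the next queued skb (their bodies and the assignment of `sp` are outside this hunk), the old read was of the new frame, and the new code enters `next_frame` with the previous frame's length. This should be confirmed against the helpers; if they do advance `*sp`, reading `len = (*sp)->len;` after the helper call is the correct form.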
@@ -0,0 +1,53 @@
+From 5f85dd82f5db72211992a3ef42aaac1a9f601a56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Jul 2024 09:41:18 -0700
+Subject: net: bonding: correctly annotate RCU in bond_should_notify_peers()
+
+From: Johannes Berg
+
+[ Upstream commit 3ba359c0cd6eb5ea772125a7aededb4a2d516684 ]
+
+RCU use in bond_should_notify_peers() looks wrong, since it does
+rcu_dereference(), leaves the critical section, and uses the
+pointer after that.
+
+Luckily, it's called either inside a nested RCU critical section
+or with the RTNL held.
+
+Annotate it with rcu_dereference_rtnl() instead, and remove the
+inner RCU critical section.
+
+Fixes: 4cb4f97b7e36 ("bonding: rebuild the lock use for bond_mii_monitor()")
+Reviewed-by: Jiri Pirko
+Signed-off-by: Johannes Berg
+Acked-by: Jay Vosburgh
+Link: https://patch.msgid.link/20240719094119.35c62455087d.I68eb9c0f02545b364b79a59f2110f2cf5682a8e2@changeid
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index bb1c6743222e5..89797b2575733 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -784,13 +784,10 @@ static struct slave *bond_find_best_slave(struct bonding *bond)
+ return bestslave;
+ }
+
++/* must be called in RCU critical section or with RTNL held */
+ static bool bond_should_notify_peers(struct bonding *bond)
+ {
+- struct slave *slave;
+-
+- rcu_read_lock();
+- slave = rcu_dereference(bond->curr_active_slave);
+- rcu_read_unlock();
++ struct slave *slave = rcu_dereference_rtnl(bond->curr_active_slave);
+
+ if (!slave || !bond->send_peer_notif ||
+ bond->send_peer_notif %
+--
+2.43.0
+
diff --git a/queue-5.4/net-nexthop-initialize-all-fields-in-dumped-nexthops.patch b/queue-5.4/net-nexthop-initialize-all-fields-in-dumped-nexthops.patch
new file mode 100644
index 00000000000..cd6374de4d4
--- /dev/null
+++ b/queue-5.4/net-nexthop-initialize-all-fields-in-dumped-nexthops.patch
@@ -0,0 +1,55 @@
+From 7fe21c8111bb7e29a86a08fb059677be1ccd07bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Jul 2024 18:04:16 +0200
+Subject: net: nexthop: Initialize all fields in dumped nexthops
+
+From: Petr Machata
+
+[ Upstream commit 6d745cd0e9720282cd291d36b9db528aea18add2 ]
+
+struct nexthop_grp contains two reserved fields that are not initialized by
+nla_put_nh_group(), and carry garbage. This can be observed e.g. with
+strace (edited for clarity):
+
+ # ip nexthop add id 1 dev lo
+ # ip nexthop add id 101 group 1
+ # strace -e recvmsg ip nexthop get id 101
+ ...
+ recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},
+ [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52
+
+The fields are reserved and therefore not currently used. But as they are, they
+leak kernel memory, and the fact they are not just zero complicates repurposing
+of the fields for new ends. Initialize the full structure.
+
+Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
+Signed-off-by: Petr Machata
+Reviewed-by: Ido Schimmel
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/nexthop.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
+index 0137854a7faaa..388f5773b88d2 100644
+--- a/net/ipv4/nexthop.c
++++ b/net/ipv4/nexthop.c
+@@ -201,9 +201,10 @@ static int nla_put_nh_group(struct sk_buff *skb, struct nh_group *nhg)
+
+ p = nla_data(nla);
+ for (i = 0; i < nhg->num_nh; ++i) {
+- p->id = nhg->nh_entries[i].nh->id;
+- p->weight = nhg->nh_entries[i].weight - 1;
+- p += 1;
++ *p++ = (struct nexthop_grp) {
++ .id = nhg->nh_entries[i].nh->id,
++ .weight = nhg->nh_entries[i].weight - 1,
++ };
+ }
+
+ return 0;
+--
+2.43.0
+
diff --git a/queue-5.4/nvme-pci-add-missing-condition-check-for-existence-o.patch b/queue-5.4/nvme-pci-add-missing-condition-check-for-existence-o.patch
new file mode 100644
index 00000000000..6ab929932c6
--- /dev/null
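Review bot: The compound-literal store in nla_put_nh_group() is what zeroes `resvd1`/`resvd2` before the attribute is sent to user space, but nothing in the loop says so. A later edit back to per-field stores would silently reintroduce the leak described in the commit message. I would add a comment above the assignment, e.g. `/* whole-struct store: zeroes the reserved fields so no stale kernel memory is dumped */`. The function begins outside this hunk.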
+++ b/queue-5.4/nvme-pci-add-missing-condition-check-for-existence-o.patch
@@ -0,0 +1,39 @@
+From bac41444d9b662115ed579bbf295883ea361266b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Jul 2024 13:31:14 +0300
+Subject: nvme-pci: add missing condition check for existence of mapped data
+
+From: Leon Romanovsky
+
+[ Upstream commit c31fad1470389666ac7169fe43aa65bf5b7e2cfd ]
+
+nvme_map_data() is called when request has physical segments, hence
+the nvme_unmap_data() should have same condition to avoid dereference.
+
+Fixes: 4aedb705437f ("nvme-pci: split metadata handling from nvme_map_data / nvme_unmap_data")
+Signed-off-by: Leon Romanovsky
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Nitesh Shetty
+Signed-off-by: Keith Busch
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 486e44d20b430..1a6a628bb6f9f 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -938,7 +938,8 @@ static blk_status_t nvme_queue_rq(struct blk_mq_hw_ctx *hctx,
+ nvme_submit_cmd(nvmeq, &cmnd, bd->last);
+ return BLK_STS_OK;
+ out_unmap_data:
+- nvme_unmap_data(dev, req);
++ if (blk_rq_nr_phys_segments(req))
++ nvme_unmap_data(dev, req);
+ out_free_cmd:
+ nvme_cleanup_cmd(req);
+ return ret;
+--
+2.43.0
+
diff --git a/queue-5.4/powerpc-fix-a-file-leak-in-kvm_vcpu_ioctl_enable_cap.patch b/queue-5.4/powerpc-fix-a-file-leak-in-kvm_vcpu_ioctl_enable_cap.patch
new file mode 100644
index 00000000000..aa29dbd0741
--- /dev/null
+++ b/queue-5.4/powerpc-fix-a-file-leak-in-kvm_vcpu_ioctl_enable_cap.patch
@@ -0,0 +1,37 @@
+From 9db685eb50108da50dce99cc310f709da1b08f86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 30 May 2024 23:54:55 -0400
+Subject: powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()
+
+From: Al Viro
+
+[ Upstream commit b4cf5fc01ce83e5c0bcf3dbb9f929428646b9098 ]
+
+missing fdput() on one of the failure exits
+
+Fixes: eacc56bb9de3e # v5.2
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/kvm/powerpc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
+index eb8c72846b7fc..7c5986aec64e2 100644
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -1950,8 +1950,10 @@ static int kvm_vcpu_ioctl_enable_cap(struct kvm_vcpu *vcpu,
+ break;
+
+ r = -ENXIO;
+- if (!xive_enabled())
++ if (!xive_enabled()) {
++ fdput(f);
+ break;
++ }
+
+ r = -EPERM;
+ dev = kvm_device_from_filp(f.file);
+--
+2.43.0
+
diff --git a/queue-5.4/s390-pci-allow-allocation-of-more-than-1-msi-interru.patch b/queue-5.4/s390-pci-allow-allocation-of-more-than-1-msi-interru.patch
new file mode 100644
index 00000000000..44bed44038e
--- /dev/null
+++ b/queue-5.4/s390-pci-allow-allocation-of-more-than-1-msi-interru.patch
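Review bot: Each exit taken while `f` is held needs its own `fdput(f)`, and this case only shows the one added for the `xive_enabled()` failure. The code after `dev = kvm_device_from_filp(f.file);` is outside the hunk, so whether every later exit releases `f` cannot be confirmed from here. A single release point would remove the per-exit bookkeeping that produced this leak: set `r` on each failure and fall through to one `fdput(f);` before the `break`. If the per-exit form is kept, a short comment at the acquisition site stating that every `break` below must call `fdput(f)` would help.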
@@ -0,0 +1,170 @@ +From a4b03f82e4bd552b03b5be90dd9585d8454a138c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2024 15:45:27 +0200 +Subject: s390/pci: Allow allocation of more than 1 MSI interrupt + +From: Gerd Bayer + +[ Upstream commit ab42fcb511fd9d241bbab7cc3ca04e34e9fc0666 ] + +On a PCI adapter that provides up to 8 MSI interrupt sources the s390 +implementation of PCI interrupts rejected to accommodate them, although +the underlying hardware is able to support that. + +For MSI-X it is sufficient to allocate a single irq_desc per msi_desc, +but for MSI multiple irq descriptors are attached to and controlled by +a single msi descriptor. Add the appropriate loops to maintain multiple +irq descriptors and tie/untie them to/from the appropriate AIBV bit, if +a device driver allocates more than 1 MSI interrupt. + +Common PCI code passes on requests to allocate a number of interrupt +vectors based on the device drivers' demand and the PCI functions' +capabilities. However, the root-complex of s390 systems support just a +limited number of interrupt vectors per PCI function. +Produce a kernel log message to inform about any architecture-specific +capping that might be done. + +With this change, we had a PCI adapter successfully raising +interrupts to its device driver via all 8 sources. 
+ +Fixes: a384c8924a8b ("s390/PCI: Fix single MSI only check") +Signed-off-by: Gerd Bayer +Reviewed-by: Niklas Schnelle +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci_irq.c | 62 ++++++++++++++++++++++++++++------------- + 1 file changed, 42 insertions(+), 20 deletions(-) + +diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c +index b36f5ef34a6c1..690f6999287bc 100644 +--- a/arch/s390/pci/pci_irq.c ++++ b/arch/s390/pci/pci_irq.c +@@ -262,8 +262,8 @@ static int __alloc_airq(struct zpci_dev *zdev, int msi_vecs, + + int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + { ++ unsigned int hwirq, msi_vecs, irqs_per_msi, i, cpu; + struct zpci_dev *zdev = to_zpci(pdev); +- unsigned int hwirq, msi_vecs, cpu; + struct msi_desc *msi; + struct msi_msg msg; + unsigned long bit; +@@ -273,30 +273,46 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + zdev->aisb = -1UL; + zdev->msi_first_bit = -1U; + +- if (type == PCI_CAP_ID_MSI && nvec > 1) +- return 1; + msi_vecs = min_t(unsigned int, nvec, zdev->max_msi); ++ if (msi_vecs < nvec) { ++ pr_info("%s requested %d irqs, allocate system limit of %d", ++ pci_name(pdev), nvec, zdev->max_msi); ++ } + + rc = __alloc_airq(zdev, msi_vecs, &bit); + if (rc < 0) + return rc; + +- /* Request MSI interrupts */ ++ /* ++ * Request MSI interrupts: ++ * When using MSI, nvec_used interrupt sources and their irq ++ * descriptors are controlled through one msi descriptor. ++ * Thus the outer loop over msi descriptors shall run only once, ++ * while two inner loops iterate over the interrupt vectors. ++ * When using MSI-X, each interrupt vector/irq descriptor ++ * is bound to exactly one msi descriptor (nvec_used is one). ++ * So the inner loops are executed once, while the outer iterates ++ * over the MSI-X descriptors. 
++ */ + hwirq = bit; + msi_for_each_desc(msi, &pdev->dev, MSI_DESC_NOTASSOCIATED) { +- rc = -EIO; + if (hwirq - bit >= msi_vecs) + break; +- irq = __irq_alloc_descs(-1, 0, 1, 0, THIS_MODULE, +- (irq_delivery == DIRECTED) ? +- msi->affinity : NULL); ++ irqs_per_msi = min_t(unsigned int, msi_vecs, msi->nvec_used); ++ irq = __irq_alloc_descs(-1, 0, irqs_per_msi, 0, THIS_MODULE, ++ (irq_delivery == DIRECTED) ? ++ msi->affinity : NULL); + if (irq < 0) + return -ENOMEM; +- rc = irq_set_msi_desc(irq, msi); +- if (rc) +- return rc; +- irq_set_chip_and_handler(irq, &zpci_irq_chip, +- handle_percpu_irq); ++ ++ for (i = 0; i < irqs_per_msi; i++) { ++ rc = irq_set_msi_desc_off(irq, i, msi); ++ if (rc) ++ return rc; ++ irq_set_chip_and_handler(irq + i, &zpci_irq_chip, ++ handle_percpu_irq); ++ } ++ + msg.data = hwirq - bit; + if (irq_delivery == DIRECTED) { + if (msi->affinity) +@@ -309,19 +325,22 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + msg.address_lo |= (cpu_addr << 8); + + for_each_possible_cpu(cpu) { +- airq_iv_set_data(zpci_ibv[cpu], hwirq, irq); ++ for (i = 0; i < irqs_per_msi; i++) ++ airq_iv_set_data(zpci_ibv[cpu], ++ hwirq + i, irq + i); + } + } else { + msg.address_lo = zdev->msi_addr & 0xffffffff; +- airq_iv_set_data(zdev->aibv, hwirq, irq); ++ for (i = 0; i < irqs_per_msi; i++) ++ airq_iv_set_data(zdev->aibv, hwirq + i, irq + i); + } + msg.address_hi = zdev->msi_addr >> 32; + pci_write_msi_msg(irq, &msg); +- hwirq++; ++ hwirq += irqs_per_msi; + } + + zdev->msi_first_bit = bit; +- zdev->msi_nr_irqs = msi_vecs; ++ zdev->msi_nr_irqs = hwirq - bit; + + if (irq_delivery == DIRECTED) + rc = zpci_set_directed_irq(zdev); +@@ -330,13 +349,14 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + if (rc) + return rc; + +- return (msi_vecs == nvec) ? 0 : msi_vecs; ++ return (zdev->msi_nr_irqs == nvec) ? 
0 : zdev->msi_nr_irqs; + } + + void arch_teardown_msi_irqs(struct pci_dev *pdev) + { + struct zpci_dev *zdev = to_zpci(pdev); + struct msi_desc *msi; ++ unsigned int i; + int rc; + + /* Disable interrupts */ +@@ -349,8 +369,10 @@ void arch_teardown_msi_irqs(struct pci_dev *pdev) + + /* Release MSI interrupts */ + msi_for_each_desc(msi, &pdev->dev, MSI_DESC_ASSOCIATED) { +- irq_set_msi_desc(msi->irq, NULL); +- irq_free_desc(msi->irq); ++ for (i = 0; i < msi->nvec_used; i++) { ++ irq_set_msi_desc(msi->irq + i, NULL); ++ irq_free_desc(msi->irq + i); ++ } + msi->msg.address_lo = 0; + msi->msg.address_hi = 0; + msi->msg.data = 0; +-- +2.43.0 + diff --git a/queue-5.4/s390-pci-do-not-mask-msi-x-entries-on-teardown.patch b/queue-5.4/s390-pci-do-not-mask-msi-x-entries-on-teardown.patch new file mode 100644 index 00000000000..d3b639476b1 --- /dev/null +++ b/queue-5.4/s390-pci-do-not-mask-msi-x-entries-on-teardown.patch 
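Review bot: The `pr_info()` added near the top of arch_setup_msi_irqs() has no trailing newline, so the message can run into the next log line; the format string should end `allocate system limit of %d\n"`. Separately, the early `return rc;` inside the new `for (i = 0; i < irqs_per_msi; i++)` loop leaves the block of `irqs_per_msi` descriptors just obtained from `__irq_alloc_descs()` allocated. Whether the caller's teardown releases them after a partial setup is not visible in this patch and is worth confirming.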
@@ -0,0 +1,83 @@ +From 5639e6dc7a8ec92b75a3234c92fd9825cb0dfc96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jul 2021 23:51:51 +0200 +Subject: s390/pci: Do not mask MSI[-X] entries on teardown + +From: Thomas Gleixner + +[ Upstream commit 3998527d2e3ee2bfdf710a45b7b90968ff87babc ] + +The PCI core already ensures that the MSI[-X] state is correct when MSI[-X] +is disabled. For MSI the reset state is all entries unmasked and for MSI-X +all vectors are masked. + +S390 masks all MSI entries and masks the already masked MSI-X entries +again. Remove it and let the device in the correct state. + +Signed-off-by: Thomas Gleixner +Tested-by: Niklas Schnelle +Tested-by: Marc Zyngier +Reviewed-by: Marc Zyngier +Acked-by: Niklas Schnelle +Link: https://lore.kernel.org/r/20210729222542.939798136@linutronix.de +Stable-dep-of: ab42fcb511fd ("s390/pci: Allow allocation of more than 1 MSI interrupt") +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci_irq.c | 4 ---- + drivers/pci/msi.c | 4 ++-- + include/linux/msi.h | 2 -- + 3 files changed, 2 insertions(+), 8 deletions(-) + +diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c +index 75217fb63d7b3..5036e00b7ec1b 100644 +--- a/arch/s390/pci/pci_irq.c ++++ b/arch/s390/pci/pci_irq.c +@@ -341,10 +341,6 @@ void arch_teardown_msi_irqs(struct pci_dev *pdev) + for_each_pci_msi_entry(msi, pdev) { + if (!msi->irq) + continue; +- if (msi->msi_attrib.is_msix) +- __pci_msix_desc_mask_irq(msi, 1); +- else +- __pci_msi_desc_mask_irq(msi, 1, 1); + irq_set_msi_desc(msi->irq, NULL); + irq_free_desc(msi->irq); + msi->msg.address_lo = 0; +diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c +index 1701d3de24da7..a37e3541c9377 100644 +--- a/drivers/pci/msi.c ++++ b/drivers/pci/msi.c +@@ -170,7 +170,7 @@ static inline __attribute_const__ u32 msi_mask(unsigned x) + * reliably as devices without an INTx disable bit will then generate a + * level IRQ which will never be cleared. 
+ */ +-void __pci_msi_desc_mask_irq(struct msi_desc *desc, u32 mask, u32 flag) ++static void __pci_msi_desc_mask_irq(struct msi_desc *desc, u32 mask, u32 flag) + { + raw_spinlock_t *lock = &desc->dev->msi_lock; + unsigned long flags; +@@ -207,7 +207,7 @@ static void __iomem *pci_msix_desc_addr(struct msi_desc *desc) + * file. This saves a few milliseconds when initialising devices with lots + * of MSI-X interrupts. + */ +-u32 __pci_msix_desc_mask_irq(struct msi_desc *desc, u32 flag) ++static u32 __pci_msix_desc_mask_irq(struct msi_desc *desc, u32 flag) + { + u32 mask_bits = desc->masked; + void __iomem *desc_addr; +diff --git a/include/linux/msi.h b/include/linux/msi.h +index 758e32f0d4434..31193305807d0 100644 +--- a/include/linux/msi.h ++++ b/include/linux/msi.h +@@ -193,8 +193,6 @@ void free_msi_entry(struct msi_desc *entry); + void __pci_read_msi_msg(struct msi_desc *entry, struct msi_msg *msg); + void __pci_write_msi_msg(struct msi_desc *entry, struct msi_msg *msg); + +-u32 __pci_msix_desc_mask_irq(struct msi_desc *desc, u32 flag); +-void __pci_msi_desc_mask_irq(struct msi_desc *desc, u32 mask, u32 flag); + void pci_msi_mask_irq(struct irq_data *data); + void pci_msi_unmask_irq(struct irq_data *data); + +-- +2.43.0 + diff --git a/queue-5.4/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch b/queue-5.4/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch new file mode 100644 index 00000000000..f93662b13f2 --- /dev/null +++ b/queue-5.4/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch 
@@ -0,0 +1,77 @@ +From eb1570b580a005bd5c3a2e2076b4919d5b482af9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Nov 2020 18:00:37 +0100 +Subject: s390/pci: fix CPU address in MSI for directed IRQ + +From: Alexander Gordeev + +[ Upstream commit a2bd4097b3ec242f4de4924db463a9c94530e03a ] + +The directed MSIs are delivered to CPUs whose address is +written to the MSI message address. The current code assumes +that a CPU logical number (as it is seen by the kernel) +is also the CPU address. + +The above assumption is not correct, as the CPU address +is rather the value returned by STAP instruction. That +value does not necessarily match the kernel logical CPU +number. + +Fixes: e979ce7bced2 ("s390/pci: provide support for CPU directed interrupts") +Cc: # v5.2+ +Signed-off-by: Alexander Gordeev +Reviewed-by: Halil Pasic +Reviewed-by: Niklas Schnelle +Signed-off-by: Niklas Schnelle +Signed-off-by: Heiko Carstens +Stable-dep-of: ab42fcb511fd ("s390/pci: Allow allocation of more than 1 MSI interrupt") +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci_irq.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c +index 743f257cf2cbd..75217fb63d7b3 100644 +--- a/arch/s390/pci/pci_irq.c ++++ b/arch/s390/pci/pci_irq.c +@@ -103,9 +103,10 @@ static int zpci_set_irq_affinity(struct irq_data *data, const struct cpumask *de + { + struct msi_desc *entry = irq_get_msi_desc(data->irq); + struct msi_msg msg = entry->msg; ++ int cpu_addr = smp_cpu_get_cpu_address(cpumask_first(dest)); + + msg.address_lo &= 0xff0000ff; +- msg.address_lo |= (cpumask_first(dest) << 8); ++ msg.address_lo |= (cpu_addr << 8); + pci_write_msi_msg(data->irq, &msg); + + return IRQ_SET_MASK_OK; +@@ -238,6 +239,7 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + unsigned long bit; + struct msi_desc *msi; + struct msi_msg msg; ++ int cpu_addr; + int rc, irq; + + zdev->aisb = -1UL; +@@ -287,9 +289,15 
@@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + handle_percpu_irq); + msg.data = hwirq - bit; + if (irq_delivery == DIRECTED) { ++ if (msi->affinity) ++ cpu = cpumask_first(&msi->affinity->mask); ++ else ++ cpu = 0; ++ cpu_addr = smp_cpu_get_cpu_address(cpu); ++ + msg.address_lo = zdev->msi_addr & 0xff0000ff; +- msg.address_lo |= msi->affinity ? +- (cpumask_first(&msi->affinity->mask) << 8) : 0; ++ msg.address_lo |= (cpu_addr << 8); ++ + for_each_possible_cpu(cpu) { + airq_iv_set_data(zpci_ibv[cpu], hwirq, irq); + } +-- +2.43.0 + diff --git a/queue-5.4/s390-pci-refactor-arch_setup_msi_irqs.patch b/queue-5.4/s390-pci-refactor-arch_setup_msi_irqs.patch new file mode 100644 index 00000000000..31b2158fe32 --- /dev/null +++ b/queue-5.4/s390-pci-refactor-arch_setup_msi_irqs.patch 
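Review bot: In zpci_set_irq_affinity() the result of `cpumask_first(dest)` is passed straight to `smp_cpu_get_cpu_address()`. For an empty mask cpumask_first() returns a value at or beyond nr_cpu_ids, which would be an out-of-range CPU number for that lookup. Callers may already guarantee a non-empty mask (not visible here). If they do not, a guard such as `if (cpumask_empty(dest)) return -EINVAL;` before the lookup would be the minimal fix. In arch_setup_msi_irqs() the new code is not exposed to this, because it falls back to `cpu = 0` when `msi->affinity` is NULL.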
@@ -0,0 +1,106 @@ +From 712d01b388700377d93ded50ada7eeb7d69a9530 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2024 15:45:26 +0200 +Subject: s390/pci: Refactor arch_setup_msi_irqs() + +From: Gerd Bayer + +[ Upstream commit 5fd11b96b43708f2f6e3964412c301c1bd20ec0f ] + +Factor out adapter interrupt allocation from arch_setup_msi_irqs() in +preparation for enabling registration of multiple MSIs. Code movement +only, no change of functionality intended. + +Signed-off-by: Gerd Bayer +Reviewed-by: Niklas Schnelle +Signed-off-by: Vasily Gorbik +Stable-dep-of: ab42fcb511fd ("s390/pci: Allow allocation of more than 1 MSI interrupt") +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci_irq.c | 54 ++++++++++++++++++++++++----------------- + 1 file changed, 32 insertions(+), 22 deletions(-) + +diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c +index 9ed76fa9391cb..b36f5ef34a6c1 100644 +--- a/arch/s390/pci/pci_irq.c ++++ b/arch/s390/pci/pci_irq.c +@@ -232,33 +232,20 @@ static void zpci_floating_irq_handler(struct airq_struct *airq, bool floating) + } + } + +-int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) ++static int __alloc_airq(struct zpci_dev *zdev, int msi_vecs, ++ unsigned long *bit) + { +- struct zpci_dev *zdev = to_zpci(pdev); +- unsigned int hwirq, msi_vecs, cpu; +- unsigned long bit; +- struct msi_desc *msi; +- struct msi_msg msg; +- int cpu_addr; +- int rc, irq; +- +- zdev->aisb = -1UL; +- zdev->msi_first_bit = -1U; +- if (type == PCI_CAP_ID_MSI && nvec > 1) +- return 1; +- msi_vecs = min_t(unsigned int, nvec, zdev->max_msi); +- + if (irq_delivery == DIRECTED) { + /* Allocate cpu vector bits */ +- bit = airq_iv_alloc(zpci_ibv[0], msi_vecs); +- if (bit == -1UL) ++ *bit = airq_iv_alloc(zpci_ibv[0], msi_vecs); ++ if (*bit == -1UL) + return -EIO; + } else { + /* Allocate adapter summary indicator bit */ +- bit = airq_iv_alloc_bit(zpci_sbv); +- if (bit == -1UL) ++ *bit = airq_iv_alloc_bit(zpci_sbv); ++ if (*bit == -1UL) + 
return -EIO; +- zdev->aisb = bit; ++ zdev->aisb = *bit; + + /* Create adapter interrupt vector */ + zdev->aibv = airq_iv_create(msi_vecs, AIRQ_IV_DATA | AIRQ_IV_BITLOCK); +@@ -266,10 +253,33 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + return -ENOMEM; + + /* Wire up shortcut pointer */ +- zpci_ibv[bit] = zdev->aibv; ++ zpci_ibv[*bit] = zdev->aibv; + /* Each function has its own interrupt vector */ +- bit = 0; ++ *bit = 0; + } ++ return 0; ++} ++ ++int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) ++{ ++ struct zpci_dev *zdev = to_zpci(pdev); ++ unsigned int hwirq, msi_vecs, cpu; ++ struct msi_desc *msi; ++ struct msi_msg msg; ++ unsigned long bit; ++ int cpu_addr; ++ int rc, irq; ++ ++ zdev->aisb = -1UL; ++ zdev->msi_first_bit = -1U; ++ ++ if (type == PCI_CAP_ID_MSI && nvec > 1) ++ return 1; ++ msi_vecs = min_t(unsigned int, nvec, zdev->max_msi); ++ ++ rc = __alloc_airq(zdev, msi_vecs, &bit); ++ if (rc < 0) ++ return rc; + + /* Request MSI interrupts */ + hwirq = bit; +-- +2.43.0 + diff --git a/queue-5.4/s390-pci-rework-msi-descriptor-walk.patch b/queue-5.4/s390-pci-rework-msi-descriptor-walk.patch new file mode 100644 index 00000000000..3afd5a93b38 --- /dev/null +++ b/queue-5.4/s390-pci-rework-msi-descriptor-walk.patch 
@@ -0,0 +1,49 @@ +From 099f3562e9d7e56da6367d64319cca12107afdae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 23:51:23 +0100 +Subject: s390/pci: Rework MSI descriptor walk + +From: Thomas Gleixner + +[ Upstream commit 2ca5e908d0f4cde61d9d3595e8314adca5d914a1 ] + +Replace the about to vanish iterators and make use of the filtering. + +Signed-off-by: Thomas Gleixner +Tested-by: Niklas Schnelle +Reviewed-by: Jason Gunthorpe +Acked-by: Niklas Schnelle +Link: https://lore.kernel.org/r/20211206210748.305656158@linutronix.de +Stable-dep-of: ab42fcb511fd ("s390/pci: Allow allocation of more than 1 MSI interrupt") +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci_irq.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c +index 5036e00b7ec1b..9ed76fa9391cb 100644 +--- a/arch/s390/pci/pci_irq.c ++++ b/arch/s390/pci/pci_irq.c +@@ -273,7 +273,7 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + + /* Request MSI interrupts */ + hwirq = bit; +- for_each_pci_msi_entry(msi, pdev) { ++ msi_for_each_desc(msi, &pdev->dev, MSI_DESC_NOTASSOCIATED) { + rc = -EIO; + if (hwirq - bit >= msi_vecs) + break; +@@ -338,9 +338,7 @@ void arch_teardown_msi_irqs(struct pci_dev *pdev) + return; + + /* Release MSI interrupts */ +- for_each_pci_msi_entry(msi, pdev) { +- if (!msi->irq) +- continue; ++ msi_for_each_desc(msi, &pdev->dev, MSI_DESC_ASSOCIATED) { + irq_set_msi_desc(msi->irq, NULL); + irq_free_desc(msi->irq); + msi->msg.address_lo = 0; +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index e236e64f626..34bfe7e47f8 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -132,3 +132,27 @@ rbd-don-t-assume-rbd_lock_state_locked-for-exclusive-mappings.patch
 bluetooth-btusb-add-rtl8852be-device-0489-e125-to-device-tables.patch
 bluetooth-btusb-add-realtek-rtl8852be-support-id-0x13d3-0x3591.patch
 nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block.patch
+kdb-address-wformat-security-warnings.patch
+kdb-use-the-passed-prompt-in-kdb_position_cursor.patch
+jfs-fix-array-index-out-of-bounds-in-difree.patch
+um-time-travel-fix-time-travel-start-option.patch
+libbpf-fix-no-args-func-prototype-btf-dumping-syntax.patch
+dma-fix-call-order-in-dmam_free_coherent.patch
+mips-smp-cps-fix-address-for-gcr_access-register-for.patch
+ipv4-fix-incorrect-source-address-in-record-route-op.patch
+net-bonding-correctly-annotate-rcu-in-bond_should_no.patch
+tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch
+net-nexthop-initialize-all-fields-in-dumped-nexthops.patch
+bpf-fix-a-segment-issue-when-downgrading-gso_size.patch
+misdn-fix-a-use-after-free-in-hfcmulti_tx.patch
+apparmor-fix-null-pointer-deref-when-receiving-skb-d.patch
+powerpc-fix-a-file-leak-in-kvm_vcpu_ioctl_enable_cap.patch
+asoc-intel-convert-to-new-x86-cpu-match-macros.patch
+asoc-intel-move-soc_intel_is_foo-helpers-to-a-generi.patch
+asoc-intel-use-soc_intel_is_byt_cr-only-when-iosf_mb.patch
+s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch
+s390-pci-do-not-mask-msi-x-entries-on-teardown.patch
+s390-pci-rework-msi-descriptor-walk.patch
+s390-pci-refactor-arch_setup_msi_irqs.patch
+s390-pci-allow-allocation-of-more-than-1-msi-interru.patch
+nvme-pci-add-missing-condition-check-for-existence-o.patch
diff --git a/queue-5.4/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch b/queue-5.4/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch
new file mode 100644
index 00000000000..663867c34b2
--- /dev/null
+++ b/queue-5.4/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch
@@ -0,0 +1,43 @@
+From 12e9bbd55f910746322b2521d3091f162ce6305f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Jul 2024 11:09:05 +0900
+Subject: tipc: Return non-zero value from tipc_udp_addr2str() on error
+
+From: Shigeru Yoshida
+
+[ Upstream commit fa96c6baef1b5385e2f0c0677b32b3839e716076 ]
+
+tipc_udp_addr2str() should return non-zero value if the UDP media
+address is invalid. Otherwise, a buffer overflow access can occur in
+tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP
+media address.
+
+Fixes: d0f91938bede ("tipc: add ip/udp media type")
+Signed-off-by: Shigeru Yoshida
+Reviewed-by: Tung Nguyen
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/tipc/udp_media.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index 1fb0535e2eb47..4db2185a32aec 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -128,8 +128,11 @@ static int tipc_udp_addr2str(struct tipc_media_addr *a, char *buf, int size)
+ snprintf(buf, size, "%pI4:%u", &ua->ipv4, ntohs(ua->port));
+ else if (ntohs(ua->proto) == ETH_P_IPV6)
+ snprintf(buf, size, "%pI6:%u", &ua->ipv6, ntohs(ua->port));
+- else
++ else {
+ pr_err("Invalid UDP media address\n");
++ return 1;
++ }
++
+ return 0;
+ }
+
+--
+2.43.0
+
diff --git a/queue-5.4/um-time-travel-fix-time-travel-start-option.patch b/queue-5.4/um-time-travel-fix-time-travel-start-option.patch
new file mode 100644
index 00000000000..934d8f4550d
--- /dev/null
+++ b/queue-5.4/um-time-travel-fix-time-travel-start-option.patch
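Review bot: The new `return 1;` in tipc_udp_addr2str() is the only signal to the caller that `buf` was left unwritten, and the function carries no comment stating that contract. Per the commit message, a buffer overflow access can occur in tipc_media_addr_printf() when 0 is returned for an invalid address. I would document the contract above the function, e.g. `/* returns 0 when buf holds the formatted address, non-zero when the address is invalid and buf is not written */`. As a style point, the hunk leaves unbraced `if`/`else if` arms next to the braced `else { ... }`; kernel style braces every arm once one of them needs braces. The start of the function is outside this hunk.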
@@ -0,0 +1,40 @@
+From b0f4b15f4a170753444ce46d23fa384b15b87ccd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Apr 2024 10:27:45 +0200
+Subject: um: time-travel: fix time-travel-start option
+
+From: Johannes Berg
+
+[ Upstream commit 7d0a8a490aa3a2a82de8826aaf1dfa38575cb77a ]
+
+We need to have the = as part of the option so that the
+value can be parsed properly. Also document that it must
+be given in nanoseconds, not seconds.
+
+Fixes: 065038706f77 ("um: Support time travel mode")
+Link: https://patch.msgid.link/20240417102744.14b9a9d4eba0.Ib22e9136513126b2099d932650f55f193120cd97@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ arch/um/kernel/time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/um/kernel/time.c b/arch/um/kernel/time.c
+index 94ea87bd231cb..3ccbb42c171c6 100644
+--- a/arch/um/kernel/time.c
++++ b/arch/um/kernel/time.c
+@@ -256,9 +256,9 @@ int setup_time_travel_start(char *str)
+ return 1;
+ }
+
+-__setup("time-travel-start", setup_time_travel_start);
++__setup("time-travel-start=", setup_time_travel_start);
+ __uml_help(setup_time_travel_start,
+-"time-travel-start=\n"
++"time-travel-start=\n"
+ "Configure the UML instance's wall clock to start at this value rather than\n"
+ "the host's wall clock at the time of UML boot.\n");
+ #endif
+--
+2.43.0
+