From: Sasha Levin Date: Sat, 14 Oct 2023 12:58:45 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.1.58~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=43ed8bfd047adad4c67675ef97b0791629d8bfd9;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch b/queue-5.4/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch new file mode 100644 index 00000000000..678dcc30d40 --- /dev/null +++ b/queue-5.4/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch @@ -0,0 +1,65 @@ +From bc664bf4a58231c91e940642c7673b6c08519f11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 13:44:25 -0700 +Subject: drm/msm/dsi: skip the wait for video mode done if not applicable + +From: Abhinav Kumar + +[ Upstream commit ab483e3adcc178254eb1ce0fbdfbea65f86f1006 ] + +dsi_wait4video_done() API waits for the DSI video mode engine to +become idle so that we can transmit the DCS commands in the +beginning of BLLP. However, with the current sequence, the MDP +timing engine is turned on after the panel's pre_enable() callback +which can send out the DCS commands needed to power up the panel. + +During those cases, this API will always timeout and print out the +error spam leading to long bootup times and log flooding. + +Fix this by checking if the DSI video engine was actually busy before +waiting for it to become idle otherwise this is a redundant wait. + +changes in v2: + - move the reg read below the video mode check + - minor fixes in commit text + +Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/34 +Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support") +Signed-off-by: Abhinav Kumar +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/557853/ +Link: https://lore.kernel.org/r/20230915204426.19011-1-quic_abhinavk@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index c59764f156f94..419cad31830ea 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -1051,9 +1051,21 @@ static void dsi_wait4video_done(struct msm_dsi_host *msm_host) + + static void dsi_wait4video_eng_busy(struct msm_dsi_host *msm_host) + { ++ u32 data; ++ + if (!(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO)) + return; + ++ data = dsi_read(msm_host, REG_DSI_STATUS0); ++ ++ /* if video mode engine is not busy, its because ++ * either timing engine was not turned on or the ++ * DSI controller has finished transmitting the video ++ * data already, so no need to wait in those cases ++ */ ++ if (!(data & DSI_STATUS0_VIDEO_MODE_ENGINE_BUSY)) ++ return; ++ + if (msm_host->power_on && msm_host->enabled) { + dsi_wait4video_done(msm_host); + /* delay 4 ms to skip BLLP */ +-- +2.40.1 + diff --git a/queue-5.4/drm-vmwgfx-fix-typo-of-sizeof-argument.patch b/queue-5.4/drm-vmwgfx-fix-typo-of-sizeof-argument.patch new file mode 100644 index 00000000000..5c10b4dc70e --- /dev/null +++ b/queue-5.4/drm-vmwgfx-fix-typo-of-sizeof-argument.patch @@ -0,0 +1,40 @@ +From 0b087ba31ac679d8f47f6dfa97c26a0b8f328423 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 18:02:03 +0800 +Subject: drm/vmwgfx: fix typo of sizeof argument + +From: Konstantin Meskhidze + +[ Upstream commit 39465cac283702a7d4a507a558db81898029c6d3 ] + +Since size of 'header' pointer and '*header' structure is equal on 64-bit +machines issue probably didn't cause any wrong behavior. But anyway, +fixing typo is required. + +Fixes: 7a73ba7469cb ("drm/vmwgfx: Use TTM handles instead of SIDs as user-space surface handles.") +Co-developed-by: Ivanov Mikhail +Signed-off-by: Konstantin Meskhidze +Reviewed-by: Zack Rusin +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20230905100203.1716731-1-konstantin.meskhidze@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index e3d20048075bf..8db3b3ddbb644 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -1623,7 +1623,7 @@ static int vmw_cmd_tex_state(struct vmw_private *dev_priv, + { + VMW_DECLARE_CMD_VAR(*cmd, SVGA3dCmdSetTextureState); + SVGA3dTextureState *last_state = (SVGA3dTextureState *) +- ((unsigned long) header + header->size + sizeof(header)); ++ ((unsigned long) header + header->size + sizeof(*header)); + SVGA3dTextureState *cur_state = (SVGA3dTextureState *) + ((unsigned long) header + sizeof(*cmd)); + struct vmw_resource *ctx; +-- +2.40.1 + diff --git a/queue-5.4/eth-remove-copies-of-the-napi_poll_weight-define.patch b/queue-5.4/eth-remove-copies-of-the-napi_poll_weight-define.patch new file mode 100644 index 00000000000..21d842045c2 --- /dev/null +++ b/queue-5.4/eth-remove-copies-of-the-napi_poll_weight-define.patch @@ -0,0 +1,162 @@ +From 8ebaa6f8b0f75d7e11a78076dd740fd1571ac938 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Apr 2022 14:23:09 -0700 +Subject: eth: remove copies of the NAPI_POLL_WEIGHT define + +From: Jakub Kicinski + +[ Upstream commit 5f012b40ef639343a976553bf3cc26dd0474756e ] + +Defining local versions of NAPI_POLL_WEIGHT with the same +values in the drivers just makes refactoring harder. + +Drop the special defines in a bunch of drivers where the +removal is relatively simple so grouping into one patch +does not impact reviewability. + +Signed-off-by: Jakub Kicinski +Reviewed-by: Paul Durrant +Signed-off-by: David S. Miller +Stable-dep-of: 66cf7435a269 ("xen-netback: use default TX queue size for vifs") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 4 +--- + drivers/net/ethernet/marvell/skge.c | 3 +-- + drivers/net/ethernet/marvell/sky2.c | 3 +-- + drivers/net/ethernet/ti/davinci_emac.c | 3 +-- + drivers/net/ethernet/ti/netcp_core.c | 5 ++--- + drivers/net/xen-netback/interface.c | 3 +-- + 6 files changed, 7 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index a8a8b77c1611e..a2b8c2a53c8e7 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -69,7 +69,6 @@ MODULE_PARM_DESC(debug, "Debug level (0=none,...,16=all)"); + #define DEFAULT_GMAC_RXQ_ORDER 9 + #define DEFAULT_GMAC_TXQ_ORDER 8 + #define DEFAULT_RX_BUF_ORDER 11 +-#define DEFAULT_NAPI_WEIGHT 64 + #define TX_MAX_FRAGS 16 + #define TX_QUEUE_NUM 1 /* max: 6 */ + #define RX_MAX_ALLOC_ORDER 2 +@@ -2483,8 +2482,7 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + netdev->max_mtu = 10236 - VLAN_ETH_HLEN; + + port->freeq_refill = 0; +- netif_napi_add(netdev, &port->napi, gmac_napi_poll, +- DEFAULT_NAPI_WEIGHT); ++ netif_napi_add(netdev, &port->napi, gmac_napi_poll, NAPI_POLL_WEIGHT); + + if (is_valid_ether_addr((void *)port->mac_addr)) { + memcpy(netdev->dev_addr, port->mac_addr, ETH_ALEN); +diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c +index 095f6c71b4fa1..a75288e3288d2 100644 +--- a/drivers/net/ethernet/marvell/skge.c ++++ b/drivers/net/ethernet/marvell/skge.c +@@ -50,7 +50,6 @@ + #define PHY_RETRIES 1000 + #define ETH_JUMBO_MTU 9000 + #define TX_WATCHDOG (5 * HZ) +-#define NAPI_WEIGHT 64 + #define BLINK_MS 250 + #define LINK_HZ HZ + +@@ -3826,7 +3825,7 @@ static struct net_device *skge_devinit(struct skge_hw *hw, int port, + dev->features |= NETIF_F_HIGHDMA; + + skge = netdev_priv(dev); +- netif_napi_add(dev, &skge->napi, skge_poll, NAPI_WEIGHT); ++ netif_napi_add(dev, &skge->napi, skge_poll, NAPI_POLL_WEIGHT); + skge->netdev = dev; + skge->hw = hw; + skge->msg_enable = netif_msg_init(debug, default_msg); +diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c +index df7c23cd33600..01248509addeb 100644 +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -62,7 +62,6 @@ + #define TX_DEF_PENDING 63 + + #define TX_WATCHDOG (5 * HZ) +-#define NAPI_WEIGHT 64 + #define PHY_RETRIES 1000 + + #define SKY2_EEPROM_MAGIC 0x9955aabb +@@ -5064,7 +5063,7 @@ static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + } + } + +- netif_napi_add(dev, &hw->napi, sky2_poll, NAPI_WEIGHT); ++ netif_napi_add(dev, &hw->napi, sky2_poll, NAPI_POLL_WEIGHT); + + err = register_netdev(dev); + if (err) { +diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c +index fac59032bf83a..9d7b2328a98a3 100644 +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -113,7 +113,6 @@ static const char emac_version_string[] = "TI DaVinci EMAC Linux v6.1"; + #define EMAC_DEF_RX_NUM_DESC (128) + #define EMAC_DEF_MAX_TX_CH (1) /* Max TX channels configured */ + #define EMAC_DEF_MAX_RX_CH (1) /* Max RX channels configured */ +-#define EMAC_POLL_WEIGHT (64) /* Default NAPI poll weight */ + + /* Buffer descriptor parameters */ + #define EMAC_DEF_TX_MAX_SERVICE (32) /* TX max service BD's */ +@@ -1918,7 +1917,7 @@ static int davinci_emac_probe(struct platform_device *pdev) + + ndev->netdev_ops = &emac_netdev_ops; + ndev->ethtool_ops = ðtool_ops; +- netif_napi_add(ndev, &priv->napi, emac_poll, EMAC_POLL_WEIGHT); ++ netif_napi_add(ndev, &priv->napi, emac_poll, NAPI_POLL_WEIGHT); + + pm_runtime_enable(&pdev->dev); + rc = pm_runtime_get_sync(&pdev->dev); +diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c +index 5dbb4ed1b1328..1eef4ac59c348 100644 +--- a/drivers/net/ethernet/ti/netcp_core.c ++++ b/drivers/net/ethernet/ti/netcp_core.c +@@ -24,7 +24,6 @@ + #include "netcp.h" + + #define NETCP_SOP_OFFSET (NET_IP_ALIGN + NET_SKB_PAD) +-#define NETCP_NAPI_WEIGHT 64 + #define NETCP_TX_TIMEOUT (5 * HZ) + #define NETCP_PACKET_SIZE (ETH_FRAME_LEN + ETH_FCS_LEN) + #define NETCP_MIN_PACKET_SIZE ETH_ZLEN +@@ -2099,8 +2098,8 @@ static int netcp_create_interface(struct netcp_device *netcp_device, + } + + /* NAPI register */ +- netif_napi_add(ndev, &netcp->rx_napi, netcp_rx_poll, NETCP_NAPI_WEIGHT); +- netif_tx_napi_add(ndev, &netcp->tx_napi, netcp_tx_poll, NETCP_NAPI_WEIGHT); ++ netif_napi_add(ndev, &netcp->rx_napi, netcp_rx_poll, NAPI_POLL_WEIGHT); ++ netif_tx_napi_add(ndev, &netcp->tx_napi, netcp_tx_poll, NAPI_POLL_WEIGHT); + + /* Register the network device */ + ndev->dev_id = 0; +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index 6432f6e7fd548..1f735376539e7 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -42,7 +42,6 @@ + #include + + #define XENVIF_QUEUE_LENGTH 32 +-#define XENVIF_NAPI_WEIGHT 64 + + /* Number of bytes allowed on the internal guest Rx queue. */ + #define XENVIF_RX_QUEUE_BYTES (XEN_NETIF_RX_RING_SIZE/2 * PAGE_SIZE) +@@ -682,7 +681,7 @@ int xenvif_connect_data(struct xenvif_queue *queue, + atomic_set(&queue->inflight_packets, 0); + + netif_napi_add(queue->vif->dev, &queue->napi, xenvif_poll, +- XENVIF_NAPI_WEIGHT); ++ NAPI_POLL_WEIGHT); + + if (tx_evtchn == rx_evtchn) { + /* feature-split-event-channels == 0 */ +-- +2.40.1 + diff --git a/queue-5.4/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch b/queue-5.4/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch new file mode 100644 index 00000000000..3ee5b471e57 --- /dev/null +++ b/queue-5.4/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch @@ -0,0 +1,75 @@ +From e9ffdde179f07900e3a5f67d9d0cf5a5ba2cdeac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Oct 2023 11:30:49 +0800 +Subject: ieee802154: ca8210: Fix a potential UAF in ca8210_probe + +From: Dinghao Liu + +[ Upstream commit f990874b1c98fe8e57ee9385669f501822979258 ] + +If of_clk_add_provider() fails in ca8210_register_ext_clock(), +it calls clk_unregister() to release priv->clk and returns an +error. However, the caller ca8210_probe() then calls ca8210_remove(), +where priv->clk is freed again in ca8210_unregister_ext_clock(). In +this case, a use-after-free may happen in the second time we call +clk_unregister(). + +Fix this by removing the first clk_unregister(). Also, priv->clk could +be an error code on failure of clk_register_fixed_rate(). Use +IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock(). + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Dinghao Liu +Message-ID: <20231007033049.22353-1-dinghao.liu@zju.edu.cn> +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/ca8210.c | 17 +++-------------- + 1 file changed, 3 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index fb57e561d3e61..fdbdc22fe4e5c 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -2782,7 +2782,6 @@ static int ca8210_register_ext_clock(struct spi_device *spi) + struct device_node *np = spi->dev.of_node; + struct ca8210_priv *priv = spi_get_drvdata(spi); + struct ca8210_platform_data *pdata = spi->dev.platform_data; +- int ret = 0; + + if (!np) + return -EFAULT; +@@ -2799,18 +2798,8 @@ static int ca8210_register_ext_clock(struct spi_device *spi) + dev_crit(&spi->dev, "Failed to register external clk\n"); + return PTR_ERR(priv->clk); + } +- ret = of_clk_add_provider(np, of_clk_src_simple_get, priv->clk); +- if (ret) { +- clk_unregister(priv->clk); +- dev_crit( +- &spi->dev, +- "Failed to register external clock as clock provider\n" +- ); +- } else { +- dev_info(&spi->dev, "External clock set as clock provider\n"); +- } + +- return ret; ++ return of_clk_add_provider(np, of_clk_src_simple_get, priv->clk); + } + + /** +@@ -2822,8 +2811,8 @@ static void ca8210_unregister_ext_clock(struct spi_device *spi) + { + struct ca8210_priv *priv = spi_get_drvdata(spi); + +- if (!priv->clk) +- return ++ if (IS_ERR_OR_NULL(priv->clk)) ++ return; + + of_clk_del_provider(spi->dev.of_node); + clk_unregister(priv->clk); +-- +2.40.1 + diff --git a/queue-5.4/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch b/queue-5.4/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch new file mode 100644 index 00000000000..cd45f48624a --- /dev/null +++ b/queue-5.4/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch @@ -0,0 +1,49 @@ +From 06958db698cc2822c684881a9fc3b419f61a4b22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Oct 2023 15:53:09 +0300 +Subject: ixgbe: fix crash with empty VF macvlan list + +From: Dan Carpenter + +[ Upstream commit 7b5add9af567c44e12196107f0fe106e194034fd ] + +The adapter->vf_mvs.l list needs to be initialized even if the list is +empty. Otherwise it will lead to crashes. + +Fixes: a1cbb15c1397 ("ixgbe: Add macvlan support for VF") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Reviewed-by: Jesse Brandeburg +Link: https://lore.kernel.org/r/ZSADNdIw8zFx1xw2@kadam +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +index 0e73e3b1af19a..a3b1295415665 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +@@ -28,6 +28,9 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter, + struct vf_macvlans *mv_list; + int num_vf_macvlans, i; + ++ /* Initialize list of VF macvlans */ ++ INIT_LIST_HEAD(&adapter->vf_mvs.l); ++ + num_vf_macvlans = hw->mac.num_rar_entries - + (IXGBE_MAX_PF_MACVLANS + 1 + num_vfs); + if (!num_vf_macvlans) +@@ -36,8 +39,6 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter, + mv_list = kcalloc(num_vf_macvlans, sizeof(struct vf_macvlans), + GFP_KERNEL); + if (mv_list) { +- /* Initialize list of VF macvlans */ +- INIT_LIST_HEAD(&adapter->vf_mvs.l); + for (i = 0; i < num_vf_macvlans; i++) { + mv_list[i].vf = -1; + mv_list[i].free = true; +-- +2.40.1 + diff --git a/queue-5.4/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch b/queue-5.4/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch new file mode 100644 index 00000000000..f6d0b593d75 --- /dev/null +++ b/queue-5.4/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch @@ -0,0 +1,40 @@ +From 1ce8aeba74d042775e9378f6735f88d2ca8bbf40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 17:00:12 +0300 +Subject: mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type + +From: Dan Carpenter + +[ Upstream commit 1e0b72a2a6432c0ef67ee5ce8d9172a7c20bba25 ] + +The mlxsw_sp2_nve_vxlan_learning_set() function is supposed to return +zero on success or negative error codes. So it needs to be type int +instead of bool. + +Fixes: 4ee70efab68d ("mlxsw: spectrum_nve: Add support for VXLAN on Spectrum-2") +Signed-off-by: Dan Carpenter +Reviewed-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c +index 05517c7feaa56..a20ba23f0ed7a 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c +@@ -294,8 +294,8 @@ const struct mlxsw_sp_nve_ops mlxsw_sp1_nve_vxlan_ops = { + .fdb_clear_offload = mlxsw_sp_nve_vxlan_clear_offload, + }; + +-static bool mlxsw_sp2_nve_vxlan_learning_set(struct mlxsw_sp *mlxsw_sp, +- bool learning_en) ++static int mlxsw_sp2_nve_vxlan_learning_set(struct mlxsw_sp *mlxsw_sp, ++ bool learning_en) + { + char tnpc_pl[MLXSW_REG_TNPC_LEN]; + +-- +2.40.1 + diff --git a/queue-5.4/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch b/queue-5.4/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch new file mode 100644 index 00000000000..5439dabd152 --- /dev/null +++ b/queue-5.4/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch @@ -0,0 +1,130 @@ +From 670022d926913adbc2ddcb6e8a53a8e1f6d45971 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 12:31:10 +0000 +Subject: net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() + +From: Eric Dumazet + +[ Upstream commit 31c07dffafce914c1d1543c135382a11ff058d93 ] + +Sili Luo reported a race in nfc_llcp_sock_get(), leading to UAF. + +Getting a reference on the socket found in a lookup while +holding a lock should happen before releasing the lock. + +nfc_llcp_sock_get_sn() has a similar problem. + +Finally nfc_llcp_recv_snl() needs to make sure the socket +found by nfc_llcp_sock_from_sn() does not disappear. + +Fixes: 8f50020ed9b8 ("NFC: LLCP late binding") +Reported-by: Sili Luo +Signed-off-by: Eric Dumazet +Cc: Willy Tarreau +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20231009123110.3735515-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_core.c | 30 ++++++++++++------------------ + 1 file changed, 12 insertions(+), 18 deletions(-) + +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index b1107570eaee8..92f70686bee0a 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -205,17 +205,13 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local, + + if (tmp_sock->ssap == ssap && tmp_sock->dsap == dsap) { + llcp_sock = tmp_sock; ++ sock_hold(&llcp_sock->sk); + break; + } + } + + read_unlock(&local->sockets.lock); + +- if (llcp_sock == NULL) +- return NULL; +- +- sock_hold(&llcp_sock->sk); +- + return llcp_sock; + } + +@@ -348,7 +344,8 @@ static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len) + + static + struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local, +- const u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len, ++ bool needref) + { + struct sock *sk; + struct nfc_llcp_sock *llcp_sock, *tmp_sock; +@@ -384,6 +381,8 @@ struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local, + + if (memcmp(sn, tmp_sock->service_name, sn_len) == 0) { + llcp_sock = tmp_sock; ++ if (needref) ++ sock_hold(&llcp_sock->sk); + break; + } + } +@@ -425,7 +424,8 @@ u8 nfc_llcp_get_sdp_ssap(struct nfc_llcp_local *local, + * to this service name. + */ + if (nfc_llcp_sock_from_sn(local, sock->service_name, +- sock->service_name_len) != NULL) { ++ sock->service_name_len, ++ false) != NULL) { + mutex_unlock(&local->sdp_lock); + + return LLCP_SAP_MAX; +@@ -833,16 +833,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local + static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, + const u8 *sn, size_t sn_len) + { +- struct nfc_llcp_sock *llcp_sock; +- +- llcp_sock = nfc_llcp_sock_from_sn(local, sn, sn_len); +- +- if (llcp_sock == NULL) +- return NULL; +- +- sock_hold(&llcp_sock->sk); +- +- return llcp_sock; ++ return nfc_llcp_sock_from_sn(local, sn, sn_len, true); + } + + static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len) +@@ -1307,7 +1298,8 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, + } + + llcp_sock = nfc_llcp_sock_from_sn(local, service_name, +- service_name_len); ++ service_name_len, ++ true); + if (!llcp_sock) { + sap = 0; + goto add_snl; +@@ -1327,6 +1319,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, + + if (sap == LLCP_SAP_MAX) { + sap = 0; ++ nfc_llcp_sock_put(llcp_sock); + goto add_snl; + } + +@@ -1344,6 +1337,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, + + pr_debug("%p %d\n", llcp_sock, sap); + ++ nfc_llcp_sock_put(llcp_sock); + add_snl: + sdp = nfc_llcp_build_sdres_tlv(tid, sap); + if (sdp == NULL) +-- +2.40.1 + diff --git a/queue-5.4/nfc-nci-assert-requested-protocol-is-valid.patch b/queue-5.4/nfc-nci-assert-requested-protocol-is-valid.patch new file mode 100644 index 00000000000..a9812aeda43 --- /dev/null +++ b/queue-5.4/nfc-nci-assert-requested-protocol-is-valid.patch @@ -0,0 +1,45 @@ +From 8e7f7533ef41321089691047e90c11ad7b885e43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 16:00:54 -0400 +Subject: nfc: nci: assert requested protocol is valid + +From: Jeremy Cline + +[ Upstream commit 354a6e707e29cb0c007176ee5b8db8be7bd2dee0 ] + +The protocol is used in a bit mask to determine if the protocol is +supported. Assert the provided protocol is less than the maximum +defined so it doesn't potentially perform a shift-out-of-bounds and +provide a clearer error for undefined protocols vs unsupported ones. + +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Reported-and-tested-by: syzbot+0839b78e119aae1fec78@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0839b78e119aae1fec78 +Signed-off-by: Jeremy Cline +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20231009200054.82557-1-jeremy@jcline.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/nfc/nci/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index 57849baf9294d..54b9efb5ae821 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -894,6 +894,11 @@ static int nci_activate_target(struct nfc_dev *nfc_dev, + return -EINVAL; + } + ++ if (protocol >= NFC_PROTO_MAX) { ++ pr_err("the requested nfc protocol is invalid\n"); ++ return -EINVAL; ++ } ++ + if (!(nci_target->supported_protocols & (1 << protocol))) { + pr_err("target does not support the requested protocol 0x%x\n", + protocol); +-- +2.40.1 + diff --git a/queue-5.4/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch b/queue-5.4/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch new file mode 100644 index 00000000000..bb07d527f8d --- /dev/null +++ b/queue-5.4/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch @@ -0,0 +1,47 @@ +From 2feccfa51c8c28089f1a694c9ff5291561583fec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 10:12:00 +0900 +Subject: ravb: Fix up dma_free_coherent() call in ravb_remove() + +From: Yoshihiro Shimoda + +[ Upstream commit e6864af61493113558c502b5cd0d754c19b93277 ] + +In ravb_remove(), dma_free_coherent() should be call after +unregister_netdev(). Otherwise, this controller is possible to use +the freed buffer. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20231005011201.14368-2-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 231a1295c4700..4698fbde7fb74 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -2212,14 +2212,14 @@ static int ravb_remove(struct platform_device *pdev) + if (priv->chip_id != RCAR_GEN2) + ravb_ptp_stop(ndev); + +- dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat, +- priv->desc_bat_dma); + /* Set reset mode */ + ravb_write(ndev, CCC_OPC_RESET, CCC); + unregister_netdev(ndev); + netif_napi_del(&priv->napi[RAVB_NC]); + netif_napi_del(&priv->napi[RAVB_BE]); + ravb_mdio_release(priv); ++ dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat, ++ priv->desc_bat_dma); + pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + free_netdev(ndev); +-- +2.40.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 19ebec718dd..879e070f357 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -6,3 +6,14 @@ hid-logitech-hidpp-fix-kernel-crash-on-receiver-usb-disconnect.patch quota-fix-slow-quotaoff.patch net-prevent-address-rewrite-in-kernel_bind.patch drm-etvnaviv-fix-bad-backport-leading-to-warning.patch +drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch +ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch +ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch +mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch +eth-remove-copies-of-the-napi_poll_weight-define.patch +xen-netback-use-default-tx-queue-size-for-vifs.patch +drm-vmwgfx-fix-typo-of-sizeof-argument.patch +ixgbe-fix-crash-with-empty-vf-macvlan-list.patch +net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch +nfc-nci-assert-requested-protocol-is-valid.patch +workqueue-override-implicit-ordered-attribute-in-wor.patch diff --git a/queue-5.4/workqueue-override-implicit-ordered-attribute-in-wor.patch b/queue-5.4/workqueue-override-implicit-ordered-attribute-in-wor.patch new file mode 100644 index 00000000000..4e2b31161aa --- /dev/null +++ b/queue-5.4/workqueue-override-implicit-ordered-attribute-in-wor.patch @@ -0,0 +1,58 @@ +From d28cfff4757993869bf18962f54bf3bfc1328242 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 22:48:42 -0400 +Subject: workqueue: Override implicit ordered attribute in + workqueue_apply_unbound_cpumask() + +From: Waiman Long + +[ Upstream commit ca10d851b9ad0338c19e8e3089e24d565ebfffd7 ] + +Commit 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 +to be ordered") enabled implicit ordered attribute to be added to +WQ_UNBOUND workqueues with max_active of 1. This prevented the changing +of attributes to these workqueues leading to fix commit 0a94efb5acbb +("workqueue: implicit ordered attribute should be overridable"). + +However, workqueue_apply_unbound_cpumask() was not updated at that time. +So sysfs changes to wq_unbound_cpumask has no effect on WQ_UNBOUND +workqueues with implicit ordered attribute. Since not all WQ_UNBOUND +workqueues are visible on sysfs, we are not able to make all the +necessary cpumask changes even if we iterates all the workqueue cpumasks +in sysfs and changing them one by one. + +Fix this problem by applying the corresponding change made +to apply_workqueue_attrs_locked() in the fix commit to +workqueue_apply_unbound_cpumask(). + +Fixes: 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be ordered") +Signed-off-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/workqueue.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 856188b0681af..a2c4de2a11327 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -5273,9 +5273,13 @@ static int workqueue_apply_unbound_cpumask(void) + list_for_each_entry(wq, &workqueues, list) { + if (!(wq->flags & WQ_UNBOUND)) + continue; ++ + /* creating multiple pwqs breaks ordering guarantee */ +- if (wq->flags & __WQ_ORDERED) +- continue; ++ if (!list_empty(&wq->pwqs)) { ++ if (wq->flags & __WQ_ORDERED_EXPLICIT) ++ continue; ++ wq->flags &= ~__WQ_ORDERED; ++ } + + ctx = apply_wqattrs_prepare(wq, wq->unbound_attrs); + if (!ctx) { +-- +2.40.1 + diff --git a/queue-5.4/xen-netback-use-default-tx-queue-size-for-vifs.patch b/queue-5.4/xen-netback-use-default-tx-queue-size-for-vifs.patch new file mode 100644 index 00000000000..5c0bbaf7786 --- /dev/null +++ b/queue-5.4/xen-netback-use-default-tx-queue-size-for-vifs.patch @@ -0,0 +1,57 @@ +From b98b5917f345f4c07d7c84f6d709fc8b08148e26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 16:08:31 +0200 +Subject: xen-netback: use default TX queue size for vifs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roger Pau Monne + +[ Upstream commit 66cf7435a26917c0c4d6245ad9137e7606e84fdf ] + +Do not set netback interfaces (vifs) default TX queue size to the ring size. +The TX queue size is not related to the ring size, and using the ring size (32) +as the queue size can lead to packet drops. Note the TX side of the vif +interface in the netback domain is the one receiving packets to be injected +to the guest. + +Do not explicitly set the TX queue length to any value when creating the +interface, and instead use the system default. Note that the queue length can +also be adjusted at runtime. + +Fixes: f942dc2552b8 ('xen network backend driver') +Signed-off-by: Roger Pau Monné +Reviewed-by: Ross Lagerwall +Acked-by: Wei Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/interface.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index 1f735376539e7..df803f0cc7d57 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -41,8 +41,6 @@ + #include + #include + +-#define XENVIF_QUEUE_LENGTH 32 +- + /* Number of bytes allowed on the internal guest Rx queue. */ + #define XENVIF_RX_QUEUE_BYTES (XEN_NETIF_RX_RING_SIZE/2 * PAGE_SIZE) + +@@ -525,8 +523,6 @@ struct xenvif *xenvif_alloc(struct device *parent, domid_t domid, + dev->features = dev->hw_features | NETIF_F_RXCSUM; + dev->ethtool_ops = &xenvif_ethtool_ops; + +- dev->tx_queue_len = XENVIF_QUEUE_LENGTH; +- + dev->min_mtu = ETH_MIN_MTU; + dev->max_mtu = ETH_MAX_MTU - VLAN_ETH_HLEN; + +-- +2.40.1 +