From: Sasha Levin
Date: Mon, 22 May 2023 11:45:36 +0000 (-0400)
Subject: Fixes for 5.4
X-Git-Tag: v6.3.4~33
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6c64fbe480258a597641cb8e6d9ae6106ec468a2;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 5.4

Signed-off-by: Sasha Levin
---

diff --git a/queue-5.4/af_key-reject-optional-tunnel-beet-mode-templates-in.patch b/queue-5.4/af_key-reject-optional-tunnel-beet-mode-templates-in.patch
new file mode 100644
index 00000000000..094f01edede
--- /dev/null
+++ b/queue-5.4/af_key-reject-optional-tunnel-beet-mode-templates-in.patch
@@ -0,0 +1,71 @@ +From e697190655edcad847bb29d30268b529030715d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 11:00:06 +0200 +Subject: af_key: Reject optional tunnel/BEET mode templates in outbound + policies + +From: Tobias Brunner + +[ Upstream commit cf3128a7aca55b2eefb68281d44749c683bdc96f ] + +xfrm_state_find() uses `encap_family` of the current template with +the passed local and remote addresses to find a matching state. +If an optional tunnel or BEET mode template is skipped in a mixed-family +scenario, there could be a mismatch causing an out-of-bounds read as +the addresses were not replaced to match the family of the next template. + +While there are theoretical use cases for optional templates in outbound +policies, the only practical one is to skip IPComp states in inbound +policies if uncompressed packets are received that are handled by an +implicitly created IPIP state instead. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tobias Brunner +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 92f71e8f321cd..1a33c46d9c894 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1944,7 +1944,8 @@ static u32 gen_reqid(struct net *net) + } + + static int +-parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq) ++parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_policy *pol, ++ struct sadb_x_ipsecrequest *rq) + { + struct net *net = xp_net(xp); + struct xfrm_tmpl *t = xp->xfrm_vec + xp->xfrm_nr; +@@ -1962,9 +1963,12 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq) + if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0) + return -EINVAL; + t->mode = mode; +- if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) ++ if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) { ++ if 
((mode == XFRM_MODE_TUNNEL || mode == XFRM_MODE_BEET) && ++ pol->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND) ++ return -EINVAL; + t->optional = 1; +- else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) { ++ } else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) { + t->reqid = rq->sadb_x_ipsecrequest_reqid; + if (t->reqid > IPSEC_MANUAL_REQID_MAX) + t->reqid = 0; +@@ -2006,7 +2010,7 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol) + rq->sadb_x_ipsecrequest_len < sizeof(*rq)) + return -EINVAL; + +- if ((err = parse_ipsecrequest(xp, rq)) < 0) ++ if ((err = parse_ipsecrequest(xp, pol, rq)) < 0) + return err; + len -= rq->sadb_x_ipsecrequest_len; + rq = (void*)((u8*)rq + rq->sadb_x_ipsecrequest_len); +-- +2.39.2 + diff --git a/queue-5.4/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch b/queue-5.4/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch new file mode 100644 index 00000000000..61f957eafb5 --- /dev/null +++ b/queue-5.4/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch 
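Review bot: The new direction check in parse_ipsecrequest() carries no comment saying why an optional tunnel or BEET template is refused only for outbound policies, and the bare `return -EINVAL;` gives a PF_KEY user no hint either. I would add above the inner `if` something like `/* An optional tunnel/BEET template may be skipped in a mixed-family outbound policy, leaving xfrm_state_find() with addresses of the wrong family. */`. The check only covers policies installed through af_key; whether the xfrm netlink path applies the same restriction is not visible in this patch, so confirm the matching fix is queued for 5.4 as well, otherwise the out-of-bounds read described in the message presumably stays reachable from there. parse_ipsecrequest() starts and ends outside the hunk.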
@@ -0,0 +1,41 @@
+From 103a0e525d0358f6ccc61ab77167c6ca8b0e7bac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 May 2023 12:07:11 +0300
+Subject: ALSA: firewire-digi00x: prevent potential use after free
+
+From: Dan Carpenter
+
+[ Upstream commit c0e72058d5e21982e61a29de6b098f7c1f0db498 ]
+
+This code was supposed to return an error code if init_stream()
+failed, but it instead freed dg00x->rx_stream and returned success.
+This potentially leads to a use after free.
+
+Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain")
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/c224cbd5-d9e2-4cd4-9bcf-2138eb1d35c6@kili.mountain
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/firewire/digi00x/digi00x-stream.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/firewire/digi00x/digi00x-stream.c b/sound/firewire/digi00x/digi00x-stream.c
+index d6a92460060f6..1a841c858e06e 100644
+--- a/sound/firewire/digi00x/digi00x-stream.c
++++ b/sound/firewire/digi00x/digi00x-stream.c
+@@ -259,8 +259,10 @@ int snd_dg00x_stream_init_duplex(struct snd_dg00x *dg00x)
+ return err;
+
+ err = init_stream(dg00x, &dg00x->tx_stream);
+- if (err < 0)
++ if (err < 0) {
+ destroy_stream(dg00x, &dg00x->rx_stream);
++ return err;
++ }
+
+ err = amdtp_domain_init(&dg00x->domain);
+ if (err < 0) {
+--
+2.39.2
+
diff --git a/queue-5.4/asoc-fsl_micfil-register-platform-component-before-r.patch b/queue-5.4/asoc-fsl_micfil-register-platform-component-before-r.patch
new file mode 100644
index 00000000000..9a274db5d3b
--- /dev/null
+++ b/queue-5.4/asoc-fsl_micfil-register-platform-component-before-r.patch
@@ -0,0 +1,72 @@
+From fb976964f799a5e818a900d5ff9540b871743465 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Sep 2021 18:30:04 +0800
+Subject: ASoC: fsl_micfil: register platform component before registering cpu
+ dai
+
+From: Shengjiu Wang
+
+[ Upstream commit 0adf292069dcca8bab76a603251fcaabf77468ca ]
+
+There is no defer probe when adding platform component to
+snd_soc_pcm_runtime(rtd), the code is in snd_soc_add_pcm_runtime()
+
+snd_soc_register_card()
+ -> snd_soc_bind_card()
+ -> snd_soc_add_pcm_runtime()
+ -> adding cpu dai
+ -> adding codec dai
+ -> adding platform component.
+
+So if the platform component is not ready at that time, then the
+sound card still registered successfully, but platform component
+is empty, the sound card can't be used.
+
+As there is defer probe checking for cpu dai component, then register
+platform component before cpu dai to avoid such issue.
+
+Fixes: 47a70e6fc9a8 ("ASoC: Add MICFIL SoC Digital Audio Interface driver.")
+Signed-off-by: Shengjiu Wang
+Link: https://lore.kernel.org/r/1630665006-31437-4-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/fsl_micfil.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index b33746d586337..6285ee8f829e5 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -740,18 +740,23 @@ static int fsl_micfil_probe(struct platform_device *pdev)
+
+ pm_runtime_enable(&pdev->dev);
+
++ /*
++ * Register platform component before registering cpu dai for there
++ * is not defer probe for platform component in snd_soc_add_pcm_runtime().
++ */
++ ret = devm_snd_dmaengine_pcm_register(&pdev->dev, NULL, 0);
++ if (ret) {
++ dev_err(&pdev->dev, "failed to pcm register\n");
++ return ret;
++ }
++
+ ret = devm_snd_soc_register_component(&pdev->dev, &fsl_micfil_component,
+ &fsl_micfil_dai, 1);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to register component %s\n",
+ fsl_micfil_component.name);
+- return ret;
+ }
+
+- ret = devm_snd_dmaengine_pcm_register(&pdev->dev, NULL, 0);
+- if (ret)
+- dev_err(&pdev->dev, "failed to pcm register\n");
+-
+ return ret;
+ }
+
+--
+2.39.2
+
diff --git a/queue-5.4/cassini-fix-a-memory-leak-in-the-error-handling-path.patch b/queue-5.4/cassini-fix-a-memory-leak-in-the-error-handling-path.patch
new file mode 100644
index 00000000000..dd5b5bbf48a
--- /dev/null
+++ b/queue-5.4/cassini-fix-a-memory-leak-in-the-error-handling-path.patch
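Review bot: Both failure paths in fsl_micfil_probe() now return after `pm_runtime_enable(&pdev->dev);` has already run, and nothing visible in the hunk undoes it, so a failed or deferred probe appears to leave runtime PM enabled for the device. Unless the disable is handled somewhere outside the hunk, add `pm_runtime_disable(&pdev->dev);` before the `return ret;` in the new `if (ret)` block and after the `dev_err()` of the component registration. The new comment would also read better as `Register the platform component before the cpu dai, because snd_soc_add_pcm_runtime() does not defer the probe for a missing platform component.` The function starts outside the hunk.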
@@ -0,0 +1,42 @@
+From 3bdb2ebd677844adde746693a334bc823df806d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 May 2023 21:09:11 +0200
+Subject: cassini: Fix a memory leak in the error handling path of
+ cas_init_one()
+
+From: Christophe JAILLET
+
+[ Upstream commit 412cd77a2c24b191c65ea53025222418db09817c ]
+
+cas_saturn_firmware_init() allocates some memory using vmalloc(). This
+memory is freed in the .remove() function but not it the error handling
+path of the probe.
+
+Add the missing vfree() to avoid a memory leak, should an error occur.
+
+Fixes: fcaa40669cd7 ("cassini: use request_firmware")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Pavan Chebbi
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sun/cassini.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/sun/cassini.c b/drivers/net/ethernet/sun/cassini.c
+index 6e78a33aa5e47..ecaa9beee76eb 100644
+--- a/drivers/net/ethernet/sun/cassini.c
++++ b/drivers/net/ethernet/sun/cassini.c
+@@ -5138,6 +5138,8 @@ static int cas_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ cas_shutdown(cp);
+ mutex_unlock(&cp->pm_mutex);
+
++ vfree(cp->fw_data);
++
+ pci_iounmap(pdev, cp->regs);
+
+
+--
+2.39.2
+
diff --git a/queue-5.4/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch b/queue-5.4/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch
new file mode 100644
index 00000000000..bd694e730f1
--- /dev/null
+++ b/queue-5.4/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch
@@ -0,0 +1,159 @@ +From 918b1afcca111df5f406f018a9841193c2a18817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 06:25:44 +0000 +Subject: cpupower: Make TSC read per CPU for Mperf monitor + +From: Wyes Karny + +[ Upstream commit c2adb1877b76fc81ae041e1db1a6ed2078c6746b ] + +System-wide TSC read could cause a drift in C0 percentage calculation. +Because if first TSC is read and then one by one mperf is read for all +cpus, this introduces drift between mperf reading of later CPUs and TSC +reading. To lower this drift read TSC per CPU and also just after mperf +read. This technique improves C0 percentage calculation in Mperf monitor. + +Before fix: (System 100% busy) + + | Mperf || RAPL || Idle_Stats + PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2 + 0| 0| 0| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 0| 256| 84.62| 15.38| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 1| 1| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 1| 257| 84.08| 15.92| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 2| 2| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 2| 258| 83.26| 16.74| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 3| 3| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 3| 259| 83.60| 16.40| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 4| 4| 86.33| 13.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 4| 260| 83.33| 16.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 5| 5| 86.06| 13.94| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 5| 261| 83.05| 16.95| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 6| 6| 85.51| 14.49| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + +After fix: (System 100% busy) + + | Mperf || RAPL || Idle_Stats + PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2 + 0| 0| 0| 98.03| 1.97| 2415||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 0| 256| 98.50| 1.50| 2394||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 1| 1| 99.99| 0.01| 
2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 1| 257| 99.99| 0.01| 2375||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 2| 2| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 2| 258|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 3| 3|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 3| 259| 99.99| 0.01| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 4| 4|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 4| 260|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 5| 5| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 5| 261|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 6| 6|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 6| 262|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + +Cc: Thomas Renninger +Cc: Shuah Khan +Cc: Dominik Brodowski + +Fixes: 7fe2f6399a84 ("cpupowerutils - cpufrequtils extended with quite some features") +Signed-off-by: Wyes Karny +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../utils/idle_monitor/mperf_monitor.c | 31 +++++++++---------- + 1 file changed, 14 insertions(+), 17 deletions(-) + +diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +index 44806a6dae11a..7a76d63003748 100644 +--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c ++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +@@ -66,8 +66,8 @@ static int max_freq_mode; + */ + static unsigned long max_frequency; + +-static unsigned long long tsc_at_measure_start; +-static unsigned long long tsc_at_measure_end; ++static unsigned long long *tsc_at_measure_start; ++static unsigned long long *tsc_at_measure_end; + static unsigned long long *mperf_previous_count; + static unsigned long long *aperf_previous_count; + static unsigned long long *mperf_current_count; +@@ -130,7 +130,7 @@ static int mperf_get_count_percent(unsigned int id, double *percent, + aperf_diff = 
aperf_current_count[cpu] - aperf_previous_count[cpu]; + + if (max_freq_mode == MAX_FREQ_TSC_REF) { +- tsc_diff = tsc_at_measure_end - tsc_at_measure_start; ++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu]; + *percent = 100.0 * mperf_diff / tsc_diff; + dprint("%s: TSC Ref - mperf_diff: %llu, tsc_diff: %llu\n", + mperf_cstates[id].name, mperf_diff, tsc_diff); +@@ -167,7 +167,7 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count, + + if (max_freq_mode == MAX_FREQ_TSC_REF) { + /* Calculate max_freq from TSC count */ +- tsc_diff = tsc_at_measure_end - tsc_at_measure_start; ++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu]; + time_diff = timespec_diff_us(time_start, time_end); + max_frequency = tsc_diff / time_diff; + } +@@ -186,33 +186,27 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count, + static int mperf_start(void) + { + int cpu; +- unsigned long long dbg; + + clock_gettime(CLOCK_REALTIME, &time_start); +- mperf_get_tsc(&tsc_at_measure_start); + +- for (cpu = 0; cpu < cpu_count; cpu++) ++ for (cpu = 0; cpu < cpu_count; cpu++) { ++ mperf_get_tsc(&tsc_at_measure_start[cpu]); + mperf_init_stats(cpu); ++ } + +- mperf_get_tsc(&dbg); +- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_start); + return 0; + } + + static int mperf_stop(void) + { +- unsigned long long dbg; + int cpu; + +- for (cpu = 0; cpu < cpu_count; cpu++) ++ for (cpu = 0; cpu < cpu_count; cpu++) { + mperf_measure_stats(cpu); ++ mperf_get_tsc(&tsc_at_measure_end[cpu]); ++ } + +- mperf_get_tsc(&tsc_at_measure_end); + clock_gettime(CLOCK_REALTIME, &time_end); +- +- mperf_get_tsc(&dbg); +- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_end); +- + return 0; + } + +@@ -311,7 +305,8 @@ struct cpuidle_monitor *mperf_register(void) + aperf_previous_count = calloc(cpu_count, sizeof(unsigned long long)); + mperf_current_count = calloc(cpu_count, sizeof(unsigned long long)); + aperf_current_count = calloc(cpu_count, 
sizeof(unsigned long long)); +- ++ tsc_at_measure_start = calloc(cpu_count, sizeof(unsigned long long)); ++ tsc_at_measure_end = calloc(cpu_count, sizeof(unsigned long long)); + mperf_monitor.name_len = strlen(mperf_monitor.name); + return &mperf_monitor; + } +@@ -322,6 +317,8 @@ void mperf_unregister(void) + free(aperf_previous_count); + free(mperf_current_count); + free(aperf_current_count); ++ free(tsc_at_measure_start); ++ free(tsc_at_measure_end); + free(is_valid); + } + +-- +2.39.2 + diff --git a/queue-5.4/drm-exynos-fix-g2d_open-close-helper-function-defini.patch b/queue-5.4/drm-exynos-fix-g2d_open-close-helper-function-defini.patch new file mode 100644 index 00000000000..52978be9214 --- /dev/null +++ b/queue-5.4/drm-exynos-fix-g2d_open-close-helper-function-defini.patch 
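Review bot: The two new `calloc()` results in mperf_register() are never checked, while mperf_start() and mperf_stop() now write through `&tsc_at_measure_start[cpu]` and `&tsc_at_measure_end[cpu]` on every measurement, so an allocation failure becomes a NULL write at the first sample. The neighbouring counter arrays in the same function are allocated the same way, so one check after the last calloc covering all of them fits best, for example `if (!tsc_at_measure_start || !tsc_at_measure_end) return NULL;` after releasing what was already allocated. Whether callers treat a NULL return from mperf_register() as "monitor unavailable" is not visible in the hunk and should be confirmed. The patch also drops the blank line that separated the allocations from `mperf_monitor.name_len = ...`, which is worth keeping.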
@@ -0,0 +1,48 @@
+From 0b2212417d5f3ad333d751ce81a367a1eee37215 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Apr 2023 23:04:11 +0200
+Subject: drm/exynos: fix g2d_open/close helper function definitions
+
+From: Arnd Bergmann
+
+[ Upstream commit 2ef0785b30bd6549ddbc124979f1b6596e065ae2 ]
+
+The empty stub functions are defined as global functions, which
+causes a warning because of missing prototypes:
+
+drivers/gpu/drm/exynos/exynos_drm_g2d.h:37:5: error: no previous prototype for 'g2d_open'
+drivers/gpu/drm/exynos/exynos_drm_g2d.h:42:5: error: no previous prototype for 'g2d_close'
+
+Mark them as 'static inline' to avoid the warning and to make
+them behave as intended.
+
+Fixes: eb4d9796fa34 ("drm/exynos: g2d: Convert to driver component API")
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Andi Shyti
+Signed-off-by: Inki Dae
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/exynos/exynos_drm_g2d.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.h b/drivers/gpu/drm/exynos/exynos_drm_g2d.h
+index 74ea3c26deadc..1a5ae781b56c6 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.h
++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.h
+@@ -34,11 +34,11 @@ static inline int exynos_g2d_exec_ioctl(struct drm_device *dev, void *data,
+ return -ENODEV;
+ }
+
+-int g2d_open(struct drm_device *drm_dev, struct drm_file *file)
++static inline int g2d_open(struct drm_device *drm_dev, struct drm_file *file)
+ {
+ return 0;
+ }
+
+-void g2d_close(struct drm_device *drm_dev, struct drm_file *file)
++static inline void g2d_close(struct drm_device *drm_dev, struct drm_file *file)
+ { }
+ #endif
+--
+2.39.2
+
diff --git a/queue-5.4/erspan-get-the-proto-with-the-md-version-for-collect.patch b/queue-5.4/erspan-get-the-proto-with-the-md-version-for-collect.patch
new file mode 100644
index 00000000000..1a0eec1cb4e
--- /dev/null
+++ b/queue-5.4/erspan-get-the-proto-with-the-md-version-for-collect.patch
@@ -0,0 +1,81 @@ +From 29caf309d46f6bfadaf11293c34ea34442a77af1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 19:22:11 -0400 +Subject: erspan: get the proto with the md version for collect_md + +From: Xin Long + +[ Upstream commit d80fc101d2eb9b3188c228d61223890aeea480a4 ] + +In commit 20704bd1633d ("erspan: build the header with the right proto +according to erspan_ver"), it gets the proto with t->parms.erspan_ver, +but t->parms.erspan_ver is not used by collect_md branch, and instead +it should get the proto with md->version for collect_md. + +Thanks to Kevin for pointing this out. + +Fixes: 20704bd1633d ("erspan: build the header with the right proto according to erspan_ver") +Fixes: 94d7d8f29287 ("ip6_gre: add erspan v2 support") +Reported-by: Kevin Traynor +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Reviewed-by: William Tu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 63b5fd3742f2c..0977137b00dc4 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1003,12 +1003,14 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + ntohl(tun_id), + ntohl(md->u.index), truncate, + false); ++ proto = htons(ETH_P_ERSPAN); + } else if (md->version == 2) { + erspan_build_header_v2(skb, + ntohl(tun_id), + md->u.md2.dir, + get_hwid(&md->u.md2), + truncate, false); ++ proto = htons(ETH_P_ERSPAN2); + } else { + goto tx_err; + } +@@ -1031,24 +1033,25 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + break; + } + +- if (t->parms.erspan_ver == 1) ++ if (t->parms.erspan_ver == 1) { + erspan_build_header(skb, ntohl(t->parms.o_key), + t->parms.index, + truncate, false); +- else if (t->parms.erspan_ver == 2) ++ proto = htons(ETH_P_ERSPAN); ++ } else if (t->parms.erspan_ver == 2) { + erspan_build_header_v2(skb, ntohl(t->parms.o_key), + t->parms.dir, + 
t->parms.hwid, + truncate, false); +- else ++ proto = htons(ETH_P_ERSPAN2); ++ } else { + goto tx_err; ++ } + + fl6.daddr = t->parms.raddr; + } + + /* Push GRE header. */ +- proto = (t->parms.erspan_ver == 1) ? htons(ETH_P_ERSPAN) +- : htons(ETH_P_ERSPAN2); + gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(atomic_fetch_inc(&t->o_seqno))); + + /* TooBig packet may have updated dst->dev's mtu */ +-- +2.39.2 + diff --git a/queue-5.4/igb-fix-bit_shift-to-be-in-1.8-range.patch b/queue-5.4/igb-fix-bit_shift-to-be-in-1.8-range.patch new file mode 100644 index 00000000000..fbdab9b55e1 --- /dev/null +++ b/queue-5.4/igb-fix-bit_shift-to-be-in-1.8-range.patch 
@@ -0,0 +1,50 @@
+From e61217548174f4e1730698b6374222fc5e89e0b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 10:41:46 -0700
+Subject: igb: fix bit_shift to be in [1..8] range
+
+From: Aleksandr Loktionov
+
+[ Upstream commit 60d758659f1fb49e0d5b6ac2691ede8c0958795b ]
+
+In igb_hash_mc_addr() the expression:
+ "mc_addr[4] >> 8 - bit_shift", right shifting "mc_addr[4]"
+shift by more than 7 bits always yields zero, so hash becomes not so different.
+Add initialization with bit_shift = 1 and add a loop condition to ensure
+bit_shift will be always in [1..8] range.
+
+Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver")
+Signed-off-by: Aleksandr Loktionov
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/e1000_mac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/e1000_mac.c b/drivers/net/ethernet/intel/igb/e1000_mac.c
+index 79ee0a7472608..4e69cb2c025fd 100644
+--- a/drivers/net/ethernet/intel/igb/e1000_mac.c
++++ b/drivers/net/ethernet/intel/igb/e1000_mac.c
+@@ -425,7 +425,7 @@ void igb_mta_set(struct e1000_hw *hw, u32 hash_value)
+ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr)
+ {
+ u32 hash_value, hash_mask;
+- u8 bit_shift = 0;
++ u8 bit_shift = 1;
+
+ /* Register count multiplied by bits per register */
+ hash_mask = (hw->mac.mta_reg_count * 32) - 1;
+@@ -433,7 +433,7 @@ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr)
+ /* For a mc_filter_type of 0, bit_shift is the number of left-shifts
+ * where 0xFF would still fall within the hash mask.
+ */
+- while (hash_mask >> bit_shift != 0xFF)
++ while (hash_mask >> bit_shift != 0xFF && bit_shift < 4)
+ bit_shift++;
+
+ /* The portion of the address that is used for the hash table
+--
+2.39.2
+
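Review bot: The bound added to the loop in igb_hash_mc_addr() is `bit_shift < 4`, which with the new initial value keeps bit_shift in 1..4 at this point, while the subject and message promise a [1..8] range, and the constant is not explained anywhere in the code. Presumably the rest of the range comes from the mc_filter_type adjustment further down, outside this hunk; if so, say it next to the loop, e.g. `/* stop at 4 so the mc_filter_type adjustment below cannot push bit_shift past 8 */` (confirm against the switch before adding). The existing comment above the loop still describes bit_shift as the shift count at which 0xFF fits the hash mask, which no longer holds when the loop exits on the bound and should be updated in the same change. The function continues outside both hunks.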
diff --git a/queue-5.4/ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch b/queue-5.4/ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch
new file mode 100644
index 00000000000..45db07212e9
--- /dev/null
+++ b/queue-5.4/ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch
@@ -0,0 +1,129 @@ +From 557491a304c9b7bfb2b1075703cb8ad878ccd7bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 13:35:40 -0700 +Subject: ip6_gre: Fix skb_under_panic in __gre6_xmit() + +From: Peilin Ye + +[ Upstream commit ab198e1d0dd8dc4bc7575fb50758e2cbd51e14e1 ] + +Feng reported an skb_under_panic BUG triggered by running +test_ip6gretap() in tools/testing/selftests/bpf/test_tunnel.sh: + +[ 82.492551] skbuff: skb_under_panic: text:ffffffffb268bb8e len:403 put:12 head:ffff9997c5480000 data:ffff9997c547fff8 tail:0x18b end:0x2c0 dev:ip6gretap11 +<...> +[ 82.607380] Call Trace: +[ 82.609389] +[ 82.611136] skb_push.cold.109+0x10/0x10 +[ 82.614289] __gre6_xmit+0x41e/0x590 +[ 82.617169] ip6gre_tunnel_xmit+0x344/0x3f0 +[ 82.620526] dev_hard_start_xmit+0xf1/0x330 +[ 82.623882] sch_direct_xmit+0xe4/0x250 +[ 82.626961] __dev_queue_xmit+0x720/0xfe0 +<...> +[ 82.633431] packet_sendmsg+0x96a/0x1cb0 +[ 82.636568] sock_sendmsg+0x30/0x40 +<...> + +The following sequence of events caused the BUG: + +1. During ip6gretap device initialization, tunnel->tun_hlen (e.g. 4) is + calculated based on old flags (see ip6gre_calc_hlen()); +2. packet_snd() reserves header room for skb A, assuming + tunnel->tun_hlen is 4; +3. Later (in clsact Qdisc), the eBPF program sets a new tunnel key for + skb A using bpf_skb_set_tunnel_key() (see _ip6gretap_set_tunnel()); +4. __gre6_xmit() detects the new tunnel key, and recalculates + "tun_hlen" (e.g. 12) based on new flags (e.g. TUNNEL_KEY and + TUNNEL_SEQ); +5. gre_build_header() calls skb_push() with insufficient reserved header + room, triggering the BUG. + +As sugguested by Cong, fix it by moving the call to skb_cow_head() after +the recalculation of tun_hlen. 
+ +Reproducer: + + OBJ=$LINUX/tools/testing/selftests/bpf/test_tunnel_kern.o + + ip netns add at_ns0 + ip link add veth0 type veth peer name veth1 + ip link set veth0 netns at_ns0 + ip netns exec at_ns0 ip addr add 172.16.1.100/24 dev veth0 + ip netns exec at_ns0 ip link set dev veth0 up + ip link set dev veth1 up mtu 1500 + ip addr add dev veth1 172.16.1.200/24 + + ip netns exec at_ns0 ip addr add ::11/96 dev veth0 + ip netns exec at_ns0 ip link set dev veth0 up + ip addr add dev veth1 ::22/96 + ip link set dev veth1 up + + ip netns exec at_ns0 \ + ip link add dev ip6gretap00 type ip6gretap seq flowlabel 0xbcdef key 2 \ + local ::11 remote ::22 + + ip netns exec at_ns0 ip addr add dev ip6gretap00 10.1.1.100/24 + ip netns exec at_ns0 ip addr add dev ip6gretap00 fc80::100/96 + ip netns exec at_ns0 ip link set dev ip6gretap00 up + + ip link add dev ip6gretap11 type ip6gretap external + ip addr add dev ip6gretap11 10.1.1.200/24 + ip addr add dev ip6gretap11 fc80::200/24 + ip link set dev ip6gretap11 up + + tc qdisc add dev ip6gretap11 clsact + tc filter add dev ip6gretap11 egress bpf da obj $OBJ sec ip6gretap_set_tunnel + tc filter add dev ip6gretap11 ingress bpf da obj $OBJ sec ip6gretap_get_tunnel + + ping6 -c 3 -w 10 -q ::11 + +Fixes: 6712abc168eb ("ip6_gre: add ip6 gre and gretap collect_md mode") +Reported-by: Feng Zhou +Co-developed-by: Cong Wang +Signed-off-by: Cong Wang +Signed-off-by: Peilin Ye +Signed-off-by: David S. 
Miller +Stable-dep-of: d80fc101d2eb ("erspan: get the proto with the md version for collect_md") +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 85ec466b5735e..a1fd3c9c1da3e 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -720,9 +720,6 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + else + fl6->daddr = tunnel->parms.raddr; + +- if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen)) +- return -ENOMEM; +- + /* Push GRE header. */ + protocol = (dev->type == ARPHRD_ETHER) ? htons(ETH_P_TEB) : proto; + +@@ -751,6 +748,9 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + (TUNNEL_CSUM | TUNNEL_KEY | TUNNEL_SEQ); + tun_hlen = gre_calc_hlen(flags); + ++ if (skb_cow_head(skb, dev->needed_headroom ?: tun_hlen + tunnel->encap_hlen)) ++ return -ENOMEM; ++ + gre_build_header(skb, tun_hlen, + flags, protocol, + tunnel_id_to_key32(tun_info->key.tun_id), +@@ -761,6 +761,9 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + if (tunnel->parms.o_flags & TUNNEL_SEQ) + tunnel->o_seqno++; + ++ if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen)) ++ return -ENOMEM; ++ + gre_build_header(skb, tunnel->tun_hlen, tunnel->parms.o_flags, + protocol, tunnel->parms.o_key, + htonl(tunnel->o_seqno)); +-- +2.39.2 + diff --git a/queue-5.4/ip6_gre-make-o_seqno-start-from-0-in-native-mode.patch b/queue-5.4/ip6_gre-make-o_seqno-start-from-0-in-native-mode.patch new file mode 100644 index 00000000000..fc7a411bdfd --- /dev/null +++ b/queue-5.4/ip6_gre-make-o_seqno-start-from-0-in-native-mode.patch 
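Review bot: In the collect_md branch of __gre6_xmit() the new call is `skb_cow_head(skb, dev->needed_headroom ?: tun_hlen + tunnel->encap_hlen)`, so the recalculated tun_hlen only takes effect when dev->needed_headroom is zero. If needed_headroom is non-zero but was derived from the header length computed at device setup, the headroom guaranteed here could still be smaller than what gre_build_header() pushes for the per-packet flags; that depends on code outside the hunk and should be confirmed for the 5.4 tree. A short comment above the call, such as `/* size the headroom from the per-packet tun_hlen; tunnel->hlen reflects the flags at device creation */`, would keep the reason for the move visible. Both new calls also `return -ENOMEM;` from a function declared `netdev_tx_t`, which is carried over from the removed lines but deserves a note that callers only test the result for non-zero, if that is indeed the case.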
@@ -0,0 +1,71 @@ +From 3246d91e01c1ce08d4ee55dae6ca9a536dbdf1af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Apr 2022 15:08:38 -0700 +Subject: ip6_gre: Make o_seqno start from 0 in native mode + +From: Peilin Ye + +[ Upstream commit fde98ae91f79cab4e020f40c35ed23cbdc59661c ] + +For IP6GRE and IP6GRETAP devices, currently o_seqno starts from 1 in +native mode. According to RFC 2890 2.2., "The first datagram is sent +with a sequence number of 0." Fix it. + +It is worth mentioning that o_seqno already starts from 0 in collect_md +mode, see the "if (tunnel->parms.collect_md)" clause in __gre6_xmit(), +where tunnel->o_seqno is passed to gre_build_header() before getting +incremented. + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Signed-off-by: Peilin Ye +Acked-by: William Tu +Signed-off-by: David S. Miller +Stable-dep-of: d80fc101d2eb ("erspan: get the proto with the md version for collect_md") +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index a1fd3c9c1da3e..e3c65e7681ad4 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -711,6 +711,7 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + { + struct ip6_tnl *tunnel = netdev_priv(dev); + __be16 protocol; ++ __be16 flags; + + if (dev->type == ARPHRD_ETHER) + IPCB(skb)->flags = 0; +@@ -726,7 +727,6 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + if (tunnel->parms.collect_md) { + struct ip_tunnel_info *tun_info; + const struct ip_tunnel_key *key; +- __be16 flags; + int tun_hlen; + + tun_info = skb_tunnel_info(skb); +@@ -758,15 +758,14 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + : 0); + + } else { +- if (tunnel->parms.o_flags & TUNNEL_SEQ) +- tunnel->o_seqno++; +- + if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen)) + return -ENOMEM; + +- gre_build_header(skb, tunnel->tun_hlen, tunnel->parms.o_flags, ++ flags = 
tunnel->parms.o_flags; ++ ++ gre_build_header(skb, tunnel->tun_hlen, flags, + protocol, tunnel->parms.o_key, +- htonl(tunnel->o_seqno)); ++ (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++) : 0); + } + + return ip6_tnl_xmit(skb, dev, dsfield, fl6, encap_limit, pmtu, +-- +2.39.2 + diff --git a/queue-5.4/ip_gre-ip6_gre-fix-race-condition-on-o_seqno-in-coll.patch b/queue-5.4/ip_gre-ip6_gre-fix-race-condition-on-o_seqno-in-coll.patch new file mode 100644 index 00000000000..038dbf06b17 --- /dev/null +++ b/queue-5.4/ip_gre-ip6_gre-fix-race-condition-on-o_seqno-in-coll.patch 
@@ -0,0 +1,153 @@ +From 83000bd5041d5566fe5aa2a172e671a872935f8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Apr 2022 15:09:02 -0700 +Subject: ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode + +From: Peilin Ye + +[ Upstream commit 31c417c948d7f6909cb63f0ac3298f3c38f8ce20 ] + +As pointed out by Jakub Kicinski, currently using TUNNEL_SEQ in +collect_md mode is racy for [IP6]GRE[TAP] devices. Consider the +following sequence of events: + +1. An [IP6]GRE[TAP] device is created in collect_md mode using "ip link + add ... external". "ip" ignores "[o]seq" if "external" is specified, + so TUNNEL_SEQ is off, and the device is marked as NETIF_F_LLTX (i.e. + it uses lockless TX); +2. Someone sets TUNNEL_SEQ on outgoing skb's, using e.g. + bpf_skb_set_tunnel_key() in an eBPF program attached to this device; +3. gre_fb_xmit() or __gre6_xmit() processes these skb's: + + gre_build_header(skb, tun_hlen, + flags, protocol, + tunnel_id_to_key32(tun_info->key.tun_id), + (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++) + : 0); ^^^^^^^^^^^^^^^^^ + +Since we are not using the TX lock (&txq->_xmit_lock), multiple CPUs may +try to do this tunnel->o_seqno++ in parallel, which is racy. Fix it by +making o_seqno atomic_t. + +As mentioned by Eric Dumazet in commit b790e01aee74 ("ip_gre: lockless +xmit"), making o_seqno atomic_t increases "chance for packets being out +of order at receiver" when NETIF_F_LLTX is on. + +Maybe a better fix would be: + +1. Do not ignore "oseq" in external mode. Users MUST specify "oseq" if + they want the kernel to allow sequencing of outgoing packets; +2. Reject all outgoing TUNNEL_SEQ packets if the device was not created + with "oseq". + +Unfortunately, that would break userspace. + +We could now make [IP6]GRE[TAP] devices always NETIF_F_LLTX, but let us +do it in separate patches to keep this fix minimal. 
+ +Suggested-by: Jakub Kicinski +Fixes: 77a5196a804e ("gre: add sequence number for collect md mode.") +Signed-off-by: Peilin Ye +Acked-by: William Tu +Signed-off-by: David S. Miller +Stable-dep-of: d80fc101d2eb ("erspan: get the proto with the md version for collect_md") +Signed-off-by: Sasha Levin +--- + include/net/ip6_tunnel.h | 2 +- + include/net/ip_tunnels.h | 2 +- + net/ipv4/ip_gre.c | 6 +++--- + net/ipv6/ip6_gre.c | 7 ++++--- + 4 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h +index 028eaea1c8544..42d50856fcf24 100644 +--- a/include/net/ip6_tunnel.h ++++ b/include/net/ip6_tunnel.h +@@ -57,7 +57,7 @@ struct ip6_tnl { + + /* These fields used only by GRE */ + __u32 i_seqno; /* The last seen seqno */ +- __u32 o_seqno; /* The last output seqno */ ++ atomic_t o_seqno; /* The last output seqno */ + int hlen; /* tun_hlen + encap_hlen */ + int tun_hlen; /* Precalculated header length */ + int encap_hlen; /* Encap header length (FOU,GUE) */ +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 56deb2501e962..6f75a84b47de5 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -113,7 +113,7 @@ struct ip_tunnel { + + /* These four fields used only by GRE */ + u32 i_seqno; /* The last seen seqno */ +- u32 o_seqno; /* The last output seqno */ ++ atomic_t o_seqno; /* The last output seqno */ + int tun_hlen; /* Precalculated header length */ + + /* These four fields used only by ERSPAN */ +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 317fdb9f47e88..f8f008344273e 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -437,7 +437,7 @@ static void __gre_xmit(struct sk_buff *skb, struct net_device *dev, + /* Push GRE header. */ + gre_build_header(skb, tunnel->tun_hlen, + flags, proto, tunnel->parms.o_key, +- (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++) : 0); ++ (flags & TUNNEL_SEQ) ? 
htonl(atomic_fetch_inc(&tunnel->o_seqno)) : 0); + + ip_tunnel_xmit(skb, dev, tnl_params, tnl_params->protocol); + } +@@ -475,7 +475,7 @@ static void gre_fb_xmit(struct sk_buff *skb, struct net_device *dev, + (TUNNEL_CSUM | TUNNEL_KEY | TUNNEL_SEQ); + gre_build_header(skb, tunnel_hlen, flags, proto, + tunnel_id_to_key32(tun_info->key.tun_id), +- (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++) : 0); ++ (flags & TUNNEL_SEQ) ? htonl(atomic_fetch_inc(&tunnel->o_seqno)) : 0); + + ip_md_tunnel_xmit(skb, dev, IPPROTO_GRE, tunnel_hlen); + +@@ -557,7 +557,7 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev) + } + + gre_build_header(skb, 8, TUNNEL_SEQ, +- proto, 0, htonl(tunnel->o_seqno++)); ++ proto, 0, htonl(atomic_fetch_inc(&tunnel->o_seqno))); + + ip_md_tunnel_xmit(skb, dev, IPPROTO_GRE, tunnel_hlen); + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index e3c65e7681ad4..63b5fd3742f2c 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -754,7 +754,7 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + gre_build_header(skb, tun_hlen, + flags, protocol, + tunnel_id_to_key32(tun_info->key.tun_id), +- (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++) ++ (flags & TUNNEL_SEQ) ? htonl(atomic_fetch_inc(&tunnel->o_seqno)) + : 0); + + } else { +@@ -765,7 +765,8 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + + gre_build_header(skb, tunnel->tun_hlen, flags, + protocol, tunnel->parms.o_key, +- (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++) : 0); ++ (flags & TUNNEL_SEQ) ? htonl(atomic_fetch_inc(&tunnel->o_seqno)) ++ : 0); + } + + return ip6_tnl_xmit(skb, dev, dsfield, fl6, encap_limit, pmtu, +@@ -1048,7 +1049,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + /* Push GRE header. */ + proto = (t->parms.erspan_ver == 1) ? 
htons(ETH_P_ERSPAN) + : htons(ETH_P_ERSPAN2); +- gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(t->o_seqno++)); ++ gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(atomic_fetch_inc(&t->o_seqno))); + + /* TooBig packet may have updated dst->dev's mtu */ + if (!t->parms.collect_md && dst && dst_mtu(dst) > dst->dev->mtu) +-- +2.39.2 + diff --git a/queue-5.4/media-netup_unidvb-fix-use-after-free-at-del_timer.patch b/queue-5.4/media-netup_unidvb-fix-use-after-free-at-del_timer.patch new file mode 100644 index 00000000000..b0e83467a37 --- /dev/null +++ b/queue-5.4/media-netup_unidvb-fix-use-after-free-at-del_timer.patch 
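Review bot: The field comment `/* The last output seqno */` kept on `atomic_t o_seqno` in both `struct ip6_tnl` and `struct ip_tunnel` does not match how the value is used. Every transmit site in this patch sends the result of `atomic_fetch_inc()`, so the field holds the next sequence number to send, not the last one sent. I would reword it to `/* Next GRE seqno to send; atomic because lockless TX paths increment it from several CPUs */`. The commit message also concedes that packets can reach the receiver out of order when NETIF_F_LLTX is on; that caveat is worth a line next to the field, since it cannot be seen from the call sites.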
@@ -0,0 +1,49 @@
+From f81d036dd5cc2db30b2e131e845fae8d50eb408a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Mar 2023 12:55:14 +0000
+Subject: media: netup_unidvb: fix use-after-free at del_timer()
+
+From: Duoming Zhou
+
+[ Upstream commit 0f5bb36bf9b39a2a96e730bf4455095b50713f63 ]
+
+When Universal DVB card is detaching, netup_unidvb_dma_fini()
+uses del_timer() to stop dma->timeout timer. But when timer
+handler netup_unidvb_dma_timeout() is running, del_timer()
+could not stop it. As a result, the use-after-free bug could
+happen. The process is shown below:
+
+ (cleanup routine) | (timer routine)
+ | mod_timer(&dev->tx_sim_timer, ..)
+netup_unidvb_finidev() | (wait a time)
+ netup_unidvb_dma_fini() | netup_unidvb_dma_timeout()
+ del_timer(&dma->timeout); |
+ | ndev->pci_dev->dev //USE
+
+Fix by changing del_timer() to del_timer_sync().
+
+Link: https://lore.kernel.org/linux-media/20230308125514.4208-1-duoming@zju.edu.cn
+Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver")
+Signed-off-by: Duoming Zhou
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/pci/netup_unidvb/netup_unidvb_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+index eb5621c9ebf85..129acf595410d 100644
+--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+@@ -697,7 +697,7 @@ static void netup_unidvb_dma_fini(struct netup_unidvb_dev *ndev, int num)
+ netup_unidvb_dma_enable(dma, 0);
+ msleep(50);
+ cancel_work_sync(&dma->work);
+- del_timer(&dma->timeout);
++ del_timer_sync(&dma->timeout);
+ }
+
+ static int netup_unidvb_dma_setup(struct netup_unidvb_dev *ndev)
+--
+2.39.2
+
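Review bot: The new `del_timer_sync(&dma->timeout)` in `netup_unidvb_dma_fini()` still runs after `cancel_work_sync(&dma->work)`, and nothing in the hunk shows whether the timer handler can queue that work or the work function can re-arm the timer. If either can restart the other, one of them may still be pending when the function returns, and the use-after-free window described in the commit message stays open. The order should be checked against `netup_unidvb_dma_timeout()` and the work function, both outside this hunk. A short comment such as `/* _sync: the handler dereferences ndev, which goes away once detach completes */` would also record why the synchronous variant is required here.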
diff --git a/queue-5.4/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch b/queue-5.4/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch
new file mode 100644
index 00000000000..b8017c296d9
--- /dev/null
+++ b/queue-5.4/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch
@@ -0,0 +1,37 @@
+From 65f7ce2f4cffcc24c926970ff2470f7067831ab3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 May 2023 16:07:27 -0700
+Subject: net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()
+
+From: Florian Fainelli
+
+[ Upstream commit 93e0401e0fc0c54b0ac05b687cd135c2ac38187c ]
+
+The call to phy_stop() races with the later call to phy_disconnect(),
+resulting in concurrent phy_suspend() calls being run from different
+CPUs. The final call to phy_disconnect() ensures that the PHY is
+stopped and suspended, too.
+
+Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine")
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 1b725a021455b..468f79c270ac3 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2988,7 +2988,6 @@ static void bcmgenet_netif_stop(struct net_device *dev)
+ /* Disable MAC transmit. TX DMA disabled must be done before this */
+ umac_enable_set(priv, CMD_TX_EN, false);
+
+- phy_stop(dev->phydev);
+ bcmgenet_disable_rx_napi(priv);
+ bcmgenet_intr_disable(priv);
+
+--
+2.39.2
+
diff --git a/queue-5.4/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch b/queue-5.4/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch
new file mode 100644
index 00000000000..2cd045ecdb0
--- /dev/null
+++ b/queue-5.4/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch
@@ -0,0 +1,71 @@ +From b009c7458b076e7597027f165c75d4a6dbd478f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 19:56:07 -0700 +Subject: net: bcmgenet: Restore phy_stop() depending upon suspend/close + +From: Florian Fainelli + +[ Upstream commit 225c657945c4a6307741cb3cc89467eadcc26e9b ] + +Removing the phy_stop() from bcmgenet_netif_stop() ended up causing +warnings from the PHY library that phy_start() is called from the +RUNNING state since we are no longer stopping the PHY state machine +during bcmgenet_suspend(). + +Restore the call to phy_stop() but make it conditional on being called +from the close or suspend path. + +Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine") +Fixes: 93e0401e0fc0 ("net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()") +Signed-off-by: Florian Fainelli +Reviewed-by: Pavan Chebbi +Link: https://lore.kernel.org/r/20230515025608.2587012-1-f.fainelli@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 468f79c270ac3..750acbf294640 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -2973,7 +2973,7 @@ static int bcmgenet_open(struct net_device *dev) + return ret; + } + +-static void bcmgenet_netif_stop(struct net_device *dev) ++static void bcmgenet_netif_stop(struct net_device *dev, bool stop_phy) + { + struct bcmgenet_priv *priv = netdev_priv(dev); + +@@ -2988,6 +2988,8 @@ static void bcmgenet_netif_stop(struct net_device *dev) + /* Disable MAC transmit. 
TX DMA disabled must be done before this */ + umac_enable_set(priv, CMD_TX_EN, false); + ++ if (stop_phy) ++ phy_stop(dev->phydev); + bcmgenet_disable_rx_napi(priv); + bcmgenet_intr_disable(priv); + +@@ -3013,7 +3015,7 @@ static int bcmgenet_close(struct net_device *dev) + + netif_dbg(priv, ifdown, dev, "bcmgenet_close\n"); + +- bcmgenet_netif_stop(dev); ++ bcmgenet_netif_stop(dev, false); + + /* Really kill the PHY state machine and disconnect from it */ + phy_disconnect(dev->phydev); +@@ -3711,7 +3713,7 @@ static int bcmgenet_suspend(struct device *d) + + netif_device_detach(dev); + +- bcmgenet_netif_stop(dev); ++ bcmgenet_netif_stop(dev, true); + + if (!device_may_wakeup(d)) + phy_suspend(dev->phydev); +-- +2.39.2 + diff --git a/queue-5.4/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch b/queue-5.4/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch new file mode 100644 index 00000000000..25bb06ff833 --- /dev/null +++ b/queue-5.4/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch 
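Review bot: The new `bool stop_phy` parameter leaves the two call sites reading `bcmgenet_netif_stop(dev, false)` and `bcmgenet_netif_stop(dev, true)`, and the reason they differ is recorded only in the commit messages of this patch and the one it follows. I would add a comment at the close call, e.g. `/* phy_disconnect() below stops the PHY; calling phy_stop() here as well raced with it */`, and one at `if (stop_phy)` saying that the suspend path must stop the PHY state machine so that the later `phy_start()` is not issued from the RUNNING state. Without them the flag looks arbitrary and is easy to flip during a later cleanup. The bodies of `bcmgenet_close()` and `bcmgenet_suspend()` are only partly visible in these hunks.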
@@ -0,0 +1,64 @@ +From e0f44322c56b2fedafc87f53e0c09e52ba3b83d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 22:00:20 +0200 +Subject: net: fec: Better handle pm_runtime_get() failing in .remove() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit f816b9829b19394d318e01953aa3b2721bca040d ] + +In the (unlikely) event that pm_runtime_get() (disguised as +pm_runtime_resume_and_get()) fails, the remove callback returned an +error early. The problem with this is that the driver core ignores the +error value and continues removing the device. This results in a +resource leak. Worse the devm allocated resources are freed and so if a +callback of the driver is called later the register mapping is already +gone which probably results in a crash. + +Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match") +Signed-off-by: Uwe Kleine-König +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230510200020.1534610-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index e1b8c58c4d6b2..f67f104049dba 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3769,7 +3769,9 @@ fec_drv_remove(struct platform_device *pdev) + + ret = pm_runtime_get_sync(&pdev->dev); + if (ret < 0) +- return ret; ++ dev_err(&pdev->dev, ++ "Failed to resume device in remove callback (%pe)\n", ++ ERR_PTR(ret)); + + cancel_work_sync(&fep->tx_timeout_work); + fec_ptp_stop(pdev); +@@ -3782,8 +3784,13 @@ fec_drv_remove(struct platform_device *pdev) + of_phy_deregister_fixed_link(np); + of_node_put(fep->phy_node); + +- clk_disable_unprepare(fep->clk_ahb); +- 
clk_disable_unprepare(fep->clk_ipg); ++ /* After pm_runtime_get_sync() failed, the clks are still off, so skip ++ * disabling them again. ++ */ ++ if (ret >= 0) { ++ clk_disable_unprepare(fep->clk_ahb); ++ clk_disable_unprepare(fep->clk_ipg); ++ } + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); + +-- +2.39.2 + diff --git a/queue-5.4/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch b/queue-5.4/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch new file mode 100644 index 00000000000..c6512615122 --- /dev/null +++ b/queue-5.4/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch 
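Review bot: The added `dev_err()` in `fec_drv_remove()` prints the failure with `%pe` and `ERR_PTR(ret)`; as far as I recall that specifier was added to vsprintf after v5.4, so on this branch the message would probably show a hashed pointer value instead of the error. Unless the 5.4 tree carries `%pe` support, the backport should print the integer: `"Failed to resume device in remove callback (%d)\n", ret`. Separately, the teardown between the two hunks now runs even when the resume failed; whether `fec_ptp_stop()` and the calls outside the hunks touch device registers while the clocks are off cannot be told from here and is worth confirming.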
@@ -0,0 +1,44 @@
+From 605f0a6b24706a3ae4f21209c1b132681555f090 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 May 2023 18:00:13 +0800
+Subject: net: hns3: fix reset delay time to avoid configuration timeout
+
+From: Jie Wang
+
+[ Upstream commit 814d0c786068e858d889ada3153bff82f64223ad ]
+
+Currently the hns3 vf function reset delays 5000ms before vf rebuild
+process. In product applications, this delay is too long for application
+configurations and causes configuration timeout.
+
+According to the tests, 500ms delay is enough for reset process except PF
+FLR. So this patch modifies delay to 500ms in these scenarios.
+
+Fixes: 6988eb2a9b77 ("net: hns3: Add support to reset the enet/ring mgmt layer")
+Signed-off-by: Jie Wang
+Signed-off-by: Hao Lan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index 48956c30d2eee..ec3d98595198e 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -1432,7 +1432,10 @@ static int hclgevf_reset_wait(struct hclgevf_dev *hdev)
+ * might happen in case reset assertion was made by PF. Yes, this also
+ * means we might end up waiting bit more even for VF reset.
+ */
+- msleep(5000);
++ if (hdev->reset_type == HNAE3_VF_FULL_RESET)
++ msleep(5000);
++ else
++ msleep(500);
+
+ return 0;
+ }
+--
+2.39.2
+
diff --git a/queue-5.4/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch b/queue-5.4/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch
new file mode 100644
index 00000000000..33b132c1324
--- /dev/null
+++ b/queue-5.4/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch
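Review bot: The context comment directly above the new branch in `hclgevf_reset_wait()` still says the wait may run longer than needed "even for VF reset", but after this change only `HNAE3_VF_FULL_RESET` keeps the 5000 ms sleep and every other reset type gets 500 ms. The commit message names "PF FLR" as the case that needs the long wait while the code tests `HNAE3_VF_FULL_RESET`; if those are the same situation, the comment should say so, and it should state that 500 ms was found sufficient for the remaining types. Something like `/* A VF full reset needs the long wait; 500 ms was enough for the other reset types in testing */` would do, adjusted by someone who knows the hardware. The two bare delays would also read better as named constants. The start of the function and of that comment lie outside the hunk.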
@@ -0,0 +1,91 @@ +From 989dcca7505901d14b14d27a9cb4657b89e2a538 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 18:00:12 +0800 +Subject: net: hns3: fix sending pfc frames after reset issue + +From: Jijie Shao + +[ Upstream commit f14db07064727dd3bc0906c77a6d2759c1bbb395 ] + +To prevent the system from abnormally sending PFC frames after an +abnormal reset. The hns3 driver notifies the firmware to disable pfc +before reset. + +Fixes: 35d93a30040c ("net: hns3: adjust the process of PF reset") +Signed-off-by: Jijie Shao +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 15 +++++++++------ + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 4 ++-- + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h | 5 +++++ + 3 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index d58abdfdb9b7b..08277c3cf2806 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -6688,12 +6688,15 @@ static void hclge_ae_stop(struct hnae3_handle *handle) + /* If it is not PF reset or FLR, the firmware will disable the MAC, + * so it only need to stop phy here. 
+ */ +- if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) && +- hdev->reset_type != HNAE3_FUNC_RESET && +- hdev->reset_type != HNAE3_FLR_RESET) { +- hclge_mac_stop_phy(hdev); +- hclge_update_link_status(hdev); +- return; ++ if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state)) { ++ hclge_pfc_pause_en_cfg(hdev, HCLGE_PFC_TX_RX_DISABLE, ++ HCLGE_PFC_DISABLE); ++ if (hdev->reset_type != HNAE3_FUNC_RESET && ++ hdev->reset_type != HNAE3_FLR_RESET) { ++ hclge_mac_stop_phy(hdev); ++ hclge_update_link_status(hdev); ++ return; ++ } + } + + for (i = 0; i < handle->kinfo.num_tqps; i++) +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +index 8448607742a6b..2183e700f9d96 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +@@ -170,8 +170,8 @@ int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx) + return hclge_cmd_send(&hdev->hw, &desc, 1); + } + +-static int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, +- u8 pfc_bitmap) ++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, ++ u8 pfc_bitmap) + { + struct hclge_desc desc; + struct hclge_pfc_en_cmd *pfc = (struct hclge_pfc_en_cmd *)desc.data; +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +index 260f22d19d81a..406084bb23072 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +@@ -109,6 +109,9 @@ struct hclge_bp_to_qs_map_cmd { + u32 rsvd1; + }; + ++#define HCLGE_PFC_DISABLE 0 ++#define HCLGE_PFC_TX_RX_DISABLE 0 ++ + struct hclge_pfc_en_cmd { + u8 tx_rx_en_bitmap; + u8 pri_en_bitmap; +@@ -150,6 +153,8 @@ void hclge_tm_schd_info_update(struct hclge_dev *hdev, u8 num_tc); + void hclge_tm_pfc_info_update(struct hclge_dev *hdev); + int hclge_tm_dwrr_cfg(struct hclge_dev *hdev); + 
int hclge_tm_init_hw(struct hclge_dev *hdev, bool init); ++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, ++ u8 pfc_bitmap); + int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx); + int hclge_pause_addr_cfg(struct hclge_dev *hdev, const u8 *mac_addr); + int hclge_pfc_rx_stats_get(struct hclge_dev *hdev, u64 *stats); +-- +2.39.2 + diff --git a/queue-5.4/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch b/queue-5.4/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch new file mode 100644 index 00000000000..e086cab23d1 --- /dev/null +++ b/queue-5.4/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch 
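Review bot: The new call `hclge_pfc_pause_en_cfg(hdev, HCLGE_PFC_TX_RX_DISABLE, HCLGE_PFC_DISABLE);` in `hclge_ae_stop()` discards the `int` result, so a failed firmware command leaves PFC enabled across the reset with no trace, which is the condition the patch sets out to prevent. `hclge_ae_stop()` returns void, so the least intrusive fix is to keep the result, `ret = hclge_pfc_pause_en_cfg(hdev, HCLGE_PFC_TX_RX_DISABLE, HCLGE_PFC_DISABLE);`, and log a warning when it is non-zero. The two new macros are both defined as 0 with nothing to tell them apart; a comment on each saying which bitmap it fills (`tx_rx_en_bitmap` and `pri_en_bitmap` in `struct hclge_pfc_en_cmd`, by the parameter order) would keep callers from swapping them. The rest of `hclge_ae_stop()` is outside the hunk.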
@@ -0,0 +1,101 @@ +From 987205fae34b2ff8b19861a3ee497710a0039f1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 20:54:40 +0800 +Subject: net: nsh: Use correct mac_offset to unwind gso skb in + nsh_gso_segment() + +From: Dong Chenchen + +[ Upstream commit c83b49383b595be50647f0c764a48c78b5f3c4f8 ] + +As the call trace shows, skb_panic was caused by wrong skb->mac_header +in nsh_gso_segment(): + +invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 +RIP: 0010:skb_panic+0xda/0xe0 +call Trace: + skb_push+0x91/0xa0 + nsh_gso_segment+0x4f3/0x570 + skb_mac_gso_segment+0x19e/0x270 + __skb_gso_segment+0x1e8/0x3c0 + validate_xmit_skb+0x452/0x890 + validate_xmit_skb_list+0x99/0xd0 + sch_direct_xmit+0x294/0x7c0 + __dev_queue_xmit+0x16f0/0x1d70 + packet_xmit+0x185/0x210 + packet_snd+0xc15/0x1170 + packet_sendmsg+0x7b/0xa0 + sock_sendmsg+0x14f/0x160 + +The root cause is: +nsh_gso_segment() use skb->network_header - nhoff to reset mac_header +in skb_gso_error_unwind() if inner-layer protocol gso fails. +However, skb->network_header may be reset by inner-layer protocol +gso function e.g. mpls_gso_segment. skb->mac_header reset by the +inaccurate network_header will be larger than skb headroom. + +nsh_gso_segment + nhoff = skb->network_header - skb->mac_header; + __skb_pull(skb,nsh_len) + skb_mac_gso_segment + mpls_gso_segment + skb_reset_network_header(skb);//skb->network_header+=nsh_len + return -EINVAL; + skb_gso_error_unwind + skb_push(skb, nsh_len); + skb->mac_header = skb->network_header - nhoff; + // skb->mac_header > skb->headroom, cause skb_push panic + +Use correct mac_offset to restore mac_header and get rid of nhoff. + +Fixes: c411ed854584 ("nsh: add GSO support") +Reported-by: syzbot+632b5d9964208bfef8c0@syzkaller.appspotmail.com +Suggested-by: Eric Dumazet +Signed-off-by: Dong Chenchen +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/nsh/nsh.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c +index e9ca007718b7e..0f23e5e8e03eb 100644 +--- a/net/nsh/nsh.c ++++ b/net/nsh/nsh.c +@@ -77,13 +77,12 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, + netdev_features_t features) + { + struct sk_buff *segs = ERR_PTR(-EINVAL); ++ u16 mac_offset = skb->mac_header; + unsigned int nsh_len, mac_len; + __be16 proto; +- int nhoff; + + skb_reset_network_header(skb); + +- nhoff = skb->network_header - skb->mac_header; + mac_len = skb->mac_len; + + if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN))) +@@ -108,15 +107,14 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, + segs = skb_mac_gso_segment(skb, features); + if (IS_ERR_OR_NULL(segs)) { + skb_gso_error_unwind(skb, htons(ETH_P_NSH), nsh_len, +- skb->network_header - nhoff, +- mac_len); ++ mac_offset, mac_len); + goto out; + } + + for (skb = segs; skb; skb = skb->next) { + skb->protocol = htons(ETH_P_NSH); + __skb_push(skb, nsh_len); +- skb_set_mac_header(skb, -nhoff); ++ skb->mac_header = mac_offset; + skb->network_header = skb->mac_header + mac_len; + skb->mac_len = mac_len; + } +-- +2.39.2 + diff --git a/queue-5.4/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch b/queue-5.4/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch new file mode 100644 index 00000000000..170c87ba53a --- /dev/null +++ b/queue-5.4/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch 
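Review bot: In the segment loop of `nsh_gso_segment()`, `skb->mac_header = mac_offset;` writes an offset captured from the original skb into each segment returned by `skb_mac_gso_segment()`, which is only correct if every segment has the same head layout as the original had on entry. That clearly holds for the error path, where the original skb itself is unwound, but for the new segments it is an assumption the hunk does not show; the removed `skb_set_mac_header(skb, -nhoff)` was relative to `skb->data` and did not depend on it. If the layout is guaranteed, a comment above the assignment should say so, e.g. `/* segments keep the original headroom, so the saved offset is still valid */`. The function body is only partly visible in these hunks.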
@@ -0,0 +1,51 @@
+From 942042cf2b6aa2d27af63e6f6a08e1282420e4eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Apr 2023 11:16:36 +0800
+Subject: serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
+
+From: Ke Zhang
+
+[ Upstream commit 8ab5fc55d7f65d58a3c3aeadf11bdf60267cd2bd ]
+
+Smatch reports:
+
+drivers/tty/serial/arc_uart.c:631 arc_serial_probe() warn:
+'port->membase' from of_iomap() not released on lines: 631.
+
+In arc_serial_probe(), if uart_add_one_port() fails,
+port->membase is not released, which would cause a resource leak.
+
+To fix this, I replace of_iomap with devm_platform_ioremap_resource.
+
+Fixes: 8dbe1d5e09a7 ("serial/arc: inline the probe helper")
+Signed-off-by: Ke Zhang
+Reviewed-by: Dongliang Mu
+Link: https://lore.kernel.org/r/20230428031636.44642-1-m202171830@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/arc_uart.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c
+index d904a3a345e74..dd4be3c8c049c 100644
+--- a/drivers/tty/serial/arc_uart.c
++++ b/drivers/tty/serial/arc_uart.c
+@@ -613,10 +613,11 @@ static int arc_serial_probe(struct platform_device *pdev)
+ }
+ uart->baud = val;
+
+- port->membase = of_iomap(np, 0);
+- if (!port->membase)
++ port->membase = devm_platform_ioremap_resource(pdev, 0);
++ if (IS_ERR(port->membase)) {
+ /* No point of dev_err since UART itself is hosed here */
+- return -ENXIO;
++ return PTR_ERR(port->membase);
++ }
+
+ port->irq = irq_of_parse_and_map(np, 0);
+
+--
+2.39.2
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 07885bf90c8..f0965ed56f0 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
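Review bot: On the failure path in `arc_serial_probe()` the `ERR_PTR` value stays stored in `port->membase`; if `port` outlives the failed probe, any later code that only tests `membase` for NULL would treat a bogus pointer as a valid mapping. I would map into a local and assign on success only: `base = devm_platform_ioremap_resource(pdev, 0); if (IS_ERR(base)) return PTR_ERR(base); port->membase = base;`. The switch from `of_iomap()` also changes behaviour beyond the leak fix, because the devm helper requests the memory region before mapping it, so probe can now fail with -EBUSY where the old code mapped the registers without claiming them. Whether anything else (an early console, for example) already holds that range is not visible here and should be checked on the affected boards. The rest of the function is outside the hunk.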
@@ -56,3 +56,25 @@ phy-st-miphy28lp-use-_poll_timeout-functions-for-wai.patch
 mfd-dln2-fix-memory-leak-in-dln2_probe.patch
 btrfs-replace-calls-to-btrfs_find_free_ino-with-btrf.patch
 btrfs-fix-space-cache-inconsistency-after-error-load.patch
+asoc-fsl_micfil-register-platform-component-before-r.patch
+cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch
+af_key-reject-optional-tunnel-beet-mode-templates-in.patch
+net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch
+alsa-firewire-digi00x-prevent-potential-use-after-fr.patch
+vsock-avoid-to-close-connected-socket-after-the-time.patch
+serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch
+ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch
+ip6_gre-make-o_seqno-start-from-0-in-native-mode.patch
+ip_gre-ip6_gre-fix-race-condition-on-o_seqno-in-coll.patch
+erspan-get-the-proto-with-the-md-version-for-collect.patch
+net-hns3-fix-sending-pfc-frames-after-reset-issue.patch
+net-hns3-fix-reset-delay-time-to-avoid-configuration.patch
+media-netup_unidvb-fix-use-after-free-at-del_timer.patch
+drm-exynos-fix-g2d_open-close-helper-function-defini.patch
+net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch
+net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch
+net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch
+wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch
+cassini-fix-a-memory-leak-in-the-error-handling-path.patch
+igb-fix-bit_shift-to-be-in-1.8-range.patch
+vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
diff --git a/queue-5.4/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch b/queue-5.4/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
new file mode 100644
index 00000000000..fc67d923754
--- /dev/null
+++ b/queue-5.4/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
@@ -0,0 +1,93 @@
+From cc84b6e7b6d7ed904775e606ff3996c34712d3d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 14:23:42 +0000
+Subject: vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
+
+From: Eric Dumazet
+
+[ Upstream commit dacab578c7c6cd06c50c89dfa36b0e0f10decd4e ]
+
+syzbot triggered the following splat [1], sending an empty message
+through pppoe_sendmsg().
+
+When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header()
+does not push extra bytes for the VLAN header, because vlan is offloaded.
+
+Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto
+before testing (vlan->flags & VLAN_FLAG_REORDER_HDR).
+
+We need to swap the two conditions.
+
+[1]
+BUG: KMSAN: uninit-value in vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
+vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
+__netdev_start_xmit include/linux/netdevice.h:4883 [inline]
+netdev_start_xmit include/linux/netdevice.h:4897 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x253/0xa20 net/core/dev.c:3596
+__dev_queue_xmit+0x3c7f/0x5ac0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3053 [inline]
+pppoe_sendmsg+0xa93/0xb80 drivers/net/ppp/pppoe.c:900
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg net/socket.c:747 [inline]
+____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
+___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
+__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
+__do_sys_sendmmsg net/socket.c:2670 [inline]
+__se_sys_sendmmsg net/socket.c:2667 [inline]
+__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:774
+slab_alloc_node mm/slub.c:3452 [inline]
+kmem_cache_alloc_node+0x543/0xab0 mm/slub.c:3497
+kmalloc_reserve+0x148/0x470 net/core/skbuff.c:520
+__alloc_skb+0x3a7/0x850 net/core/skbuff.c:606
+alloc_skb include/linux/skbuff.h:1277 [inline]
+sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2583
+pppoe_sendmsg+0x3af/0xb80 drivers/net/ppp/pppoe.c:867
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg net/socket.c:747 [inline]
+____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
+___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
+__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
+__do_sys_sendmmsg net/socket.c:2670 [inline]
+__se_sys_sendmmsg net/socket.c:2667 [inline]
+__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+CPU: 0 PID: 29770 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller-gc478e5b17829 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/8021q/vlan_dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index b10f31f98cb87..0a3a167916218 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -109,8 +109,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
+ * NOTE: THIS ASSUMES DIX ETHERNET, SPECIFICALLY NOT SUPPORTING
+ * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs...
+ */
+- if (veth->h_vlan_proto != vlan->vlan_proto ||
+- vlan->flags & VLAN_FLAG_REORDER_HDR) {
++ if (vlan->flags & VLAN_FLAG_REORDER_HDR ||
++ veth->h_vlan_proto != vlan->vlan_proto) {
+ u16 vlan_tci;
+ vlan_tci = vlan->vlan_id;
+ vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb->priority);
+--
+2.39.2
+
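Review bot: The fix in `vlan_dev_hard_start_xmit()` depends entirely on `||` short-circuiting, and nothing in the code says so; a later tidy-up that reorders the operands would bring the uninitialised read back. I would add a comment above the condition, e.g. `/* Test REORDER_HDR first: with the tag offloaded no VLAN header was pushed, so veth->h_vlan_proto may be uninitialised */`, and parenthesise `(vlan->flags & VLAN_FLAG_REORDER_HDR)` so the precedence is explicit. When the flag is clear, `veth->h_vlan_proto` is still read with no length check in the visible lines; whether every sender guarantees a full VLAN header in that case cannot be told from this hunk. The function continues on both sides of it.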
diff --git a/queue-5.4/vsock-avoid-to-close-connected-socket-after-the-time.patch b/queue-5.4/vsock-avoid-to-close-connected-socket-after-the-time.patch
new file mode 100644
index 00000000000..9e3ac6d0f2d
--- /dev/null
+++ b/queue-5.4/vsock-avoid-to-close-connected-socket-after-the-time.patch
@@ -0,0 +1,54 @@
+From d5397111bfb69c13011c89710fe9d6ca72e3cc0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 May 2023 19:34:30 +0800
+Subject: vsock: avoid to close connected socket after the timeout
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zhuang Shengen
+
+[ Upstream commit 6d4486efe9c69626cab423456169e250a5cd3af5 ]
+
+When client and server establish a connection through vsock,
+the client send a request to the server to initiate the connection,
+then start a timer to wait for the server's response. When the server's
+RESPONSE message arrives, the timer also times out and exits. The
+server's RESPONSE message is processed first, and the connection is
+established. However, the client's timer also times out, the original
+processing logic of the client is to directly set the state of this vsock
+to CLOSE and return ETIMEDOUT. It will not notify the server when the port
+is released, causing the server port remain.
+when client's vsock_connect timeout,it should check sk state is
+ESTABLISHED or not. if sk state is ESTABLISHED, it means the connection
+is established, the client should not set the sk state to CLOSE
+
+Note: I encountered this issue on kernel-4.18, which can be fixed by
+this patch. Then I checked the latest code in the community
+and found similar issue.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Zhuang Shengen
+Reviewed-by: Stefano Garzarella
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 28f6188458c42..4cd65a1a07f97 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1232,7 +1232,7 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+ vsock_transport_cancel_pkt(vsk);
+ vsock_remove_connected(vsk);
+ goto out_wait;
+- } else if (timeout == 0) {
++ } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) {
+ err = -ETIMEDOUT;
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
+--
+2.39.2
+
diff --git a/queue-5.4/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch b/queue-5.4/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch
new file mode 100644
index 00000000000..28c712a3d62
--- /dev/null
+++ b/queue-5.4/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch
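Review bot: The new condition in the timeout branch of vsock_stream_connect() has no comment saying why an expired timer must be ignored once the socket is established; the race is described only in the commit message. A one-line comment above the branch would keep the reasoning next to the code, e.g. `/* RESPONSE may have been handled just as the timer expired; do not tear down an established socket */`. The extra parentheses could also go, giving `} else if (sk->sk_state != TCP_ESTABLISHED && timeout == 0) {`. The branch just above also ends the connect attempt, but its condition is outside the hunk, so whether it needs the same state check cannot be judged from here. The function body starts and ends outside the hunk.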
@@ -0,0 +1,60 @@
+From e6fcb1d7404df4c40b52b7a3e357149f0ff0a54b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 May 2023 12:15:53 +0300
+Subject: wifi: iwlwifi: mvm: don't trust firmware n_channels
+
+From: Johannes Berg
+
+[ Upstream commit 682b6dc29d98e857e6ca4bbc077c7dc2899b7473 ]
+
+If the firmware sends us a corrupted MCC response with
+n_channels much larger than the command response can be,
+we might copy far too much (uninitialized) memory and
+even crash if the n_channels is large enough to make it
+run out of the one page allocated for the FW response.
+
+Fix that by checking the lengths. Doing a < comparison
+would be sufficient, but the firmware should be doing
+it correctly, so check more strictly.
+
+Fixes: dcaf9f5ecb6f ("iwlwifi: mvm: add MCC update FW API")
+Signed-off-by: Johannes Berg
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20230514120631.d7b233139eb4.I51fd319df8e9d41881fc8450e83d78049518a79a@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
+index f49887379c43f..f485c0dd75d60 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
+@@ -508,6 +508,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2,
+ struct iwl_mcc_update_resp *mcc_resp = (void *)pkt->data;
+
+ n_channels = __le32_to_cpu(mcc_resp->n_channels);
++ if (iwl_rx_packet_payload_len(pkt) !=
++ struct_size(mcc_resp, channels, n_channels)) {
++ resp_cp = ERR_PTR(-EINVAL);
++ goto exit;
++ }
+ resp_len = sizeof(struct iwl_mcc_update_resp) +
+ n_channels * sizeof(__le32);
+ resp_cp = kmemdup(mcc_resp, resp_len, GFP_KERNEL);
+@@ -519,6 +524,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2,
+ struct iwl_mcc_update_resp_v3 *mcc_resp_v3 = (void *)pkt->data;
+
+ n_channels = __le32_to_cpu(mcc_resp_v3->n_channels);
++ if (iwl_rx_packet_payload_len(pkt) !=
++ struct_size(mcc_resp_v3, channels, n_channels)) {
++ resp_cp = ERR_PTR(-EINVAL);
++ goto exit;
++ }
+ resp_len = sizeof(struct iwl_mcc_update_resp) +
+ n_channels * sizeof(__le32);
+ resp_cp = kzalloc(resp_len, GFP_KERNEL);
+--
+2.39.2
+
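Review bot: resp_len is still computed by the open-coded `sizeof(struct iwl_mcc_update_resp) + n_channels * sizeof(__le32)` right after each added check, so the validated length and the copied or allocated length come from two different expressions. In the first branch the validated value can be reused directly, `resp_len = struct_size(mcc_resp, channels, n_channels);`, which ties the kmemdup() size to the payload length that was just verified. In the v3 branch the check measures `struct iwl_mcc_update_resp_v3` while the allocation is sized for `struct iwl_mcc_update_resp`. n_channels is bounded by the payload check at that point and the difference is presumably intentional, but a short comment saying so would save the next reader from re-deriving it. Both branch bodies continue outside the hunks shown.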