From: Greg Kroah-Hartman Date: Mon, 22 Aug 2022 09:04:10 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.9.326~67 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=76aa8d278b4ebd6ad512188ef4f629d916e3fe9f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch alsa-usb-audio-more-comprehensive-mixer-map-for-asus-rog-zenith-ii.patch apparmor-fix-aa_label_asxprint-return-check.patch apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch apparmor-fix-failed-mount-permission-check-error-message.patch apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch apparmor-fix-overlapping-attachment-computation.patch apparmor-fix-quiet_denied-for-file-rules.patch apparmor-fix-reference-count-leak-in-aa_pivotroot.patch apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch bpf-acquire-map-uref-in-.init_seq_private-for-array-map-iterator.patch bpf-acquire-map-uref-in-.init_seq_private-for-hash-map-iterator.patch bpf-acquire-map-uref-in-.init_seq_private-for-sock-local-storage-map-iterator.patch bpf-acquire-map-uref-in-.init_seq_private-for-sock-map-hash-iterator.patch bpf-check-the-validity-of-max_rdwr_access-for-sock-local-storage-map-iterator.patch bpf-don-t-reinit-map-value-in-prealloc_lru_pop.patch bpf-fix-potential-bad-pointer-dereference-in-bpf_sys_bpf.patch can-ems_usb-fix-clang-s-wunaligned-access-warning.patch can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch can-mcp251x-fix-race-condition-on-receive-interrupt.patch devlink-fix-use-after-free-after-a-failed-reload.patch documentation-acpi-einj-fix-obsolete-example.patch dt-bindings-arm-qcom-fix-alcatel-onetouch-idol-3-compatibles.patch dt-bindings-usb-mtk-xhci-allow-wakeup-interrupt-names-to-be-optional.patch geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch input-exc3000-fix-return-value-check-of-wait_for_completion_timeout.patch ipv6-do-not-use-rt_tos-for-ipv6-flowlabel.patch m68k-coldfire-device.c-protect-flexcan-blocks.patch mlx5-do-not-use-rt_tos-for-ipv6-flowlabel.patch net-atlantic-fix-aq_vec-index-out-of-range-error.patch net-bcmgenet-indicate-mac-is-in-charge-of-phy-pm.patch net-bgmac-fix-a-bug-triggered-by-wrong-bytes_compl.patch net-phy-warn-about-incorrect-mdio_bus_phy_resume-state.patch nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch nfsv4-pnfs-fix-a-use-after-free-bug-in-open.patch nfsv4.1-don-t-decrease-the-value-of-seq_nr_highest_sent.patch nfsv4.1-handle-nfs4err_delay-replies-to-op_sequence-correctly.patch nfsv4.1-reclaim_complete-must-handle-eacces.patch octeontx2-af-apply-tx-nibble-fixup-always.patch octeontx2-af-fix-key-checking-for-source-mac.patch octeontx2-af-fix-mcam-entry-resource-leak.patch octeontx2-af-suppress-external-profile-loading-warning.patch octeontx2-pf-fix-nix_af_tl3_tl2x_linkx_cfg-register-configuration.patch pinctrl-amd-don-t-save-restore-interrupt-status-and-wake-status-bits.patch pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch pinctrl-qcom-sm8250-fix-pdc-map.patch pinctrl-sunxi-add-i-o-bias-setting-for-h6-r-pio.patch plip-avoid-rcu-debug-splat.patch selftests-forwarding-fix-failing-tests-with-old-libnet.patch sunrpc-fix-expiry-of-auth-creds.patch sunrpc-fix-xdr_encode_bool.patch sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch um-add-missing-apply_returns.patch virtio_net-fix-memory-leak-inside-xpd_tx-with-mergeable.patch vsock-fix-memory-leak-in-vsock_connect.patch vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch --- diff --git a/queue-5.15/acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch b/queue-5.15/acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch new file mode 100644 index 00000000000..7eec3e76a91 --- /dev/null +++ b/queue-5.15/acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch @@ -0,0 +1,38 @@ +From 85140ef275f577f64e8a2c5789447222dfc14fc4 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Mon, 11 Jul 2022 14:25:59 +0300 +Subject: ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool + +From: Sakari Ailus + +commit 85140ef275f577f64e8a2c5789447222dfc14fc4 upstream. + +The value acpi_add_nondev_subnodes() returns is bool so change the return +type of the function to match that. + +Fixes: 445b0eb058f5 ("ACPI / property: Add support for data-only subnodes") +Signed-off-by: Sakari Ailus +Reviewed-by: Andy Shevchenko +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/property.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/acpi/property.c ++++ b/drivers/acpi/property.c +@@ -155,10 +155,10 @@ static bool acpi_nondev_subnode_ok(acpi_ + return acpi_nondev_subnode_data_ok(handle, link, list, parent); + } + +-static int acpi_add_nondev_subnodes(acpi_handle scope, +- const union acpi_object *links, +- struct list_head *list, +- struct fwnode_handle *parent) ++static bool acpi_add_nondev_subnodes(acpi_handle scope, ++ const union acpi_object *links, ++ struct list_head *list, ++ struct fwnode_handle *parent) + { + bool ret = false; + int i; diff --git a/queue-5.15/alsa-usb-audio-more-comprehensive-mixer-map-for-asus-rog-zenith-ii.patch b/queue-5.15/alsa-usb-audio-more-comprehensive-mixer-map-for-asus-rog-zenith-ii.patch new file mode 100644 index 00000000000..321a95e594f --- /dev/null +++ b/queue-5.15/alsa-usb-audio-more-comprehensive-mixer-map-for-asus-rog-zenith-ii.patch @@ -0,0 +1,95 @@ +From 6bc2906253e723d1ab1acc652b55b83e286bfec2 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 9 Aug 2022 09:32:59 +0200 +Subject: ALSA: usb-audio: More comprehensive mixer map for ASUS ROG Zenith II + +From: Takashi Iwai + +commit 6bc2906253e723d1ab1acc652b55b83e286bfec2 upstream. + +ASUS ROG Zenith II has two USB interfaces, one for the front headphone +and another for the rest I/O. Currently we provided the mixer mapping +for the latter but with an incomplete form. + +This patch corrects and provides more comprehensive mixer mapping, as +well as providing the proper device names for both the front headphone +and main audio. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=211005 +Fixes: 2a48218f8e23 ("ALSA: usb-audio: Add mixer workaround for TRX40 and co") +Link: https://lore.kernel.org/r/20220809073259.18849-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/card.c | 8 ++++++++ + sound/usb/mixer_maps.c | 34 +++++++++++++++++++++++++--------- + 2 files changed, 33 insertions(+), 9 deletions(-) + +--- a/sound/usb/card.c ++++ b/sound/usb/card.c +@@ -387,6 +387,14 @@ static const struct usb_audio_device_nam + DEVICE_NAME(0x05e1, 0x0408, "Syntek", "STK1160"), + DEVICE_NAME(0x05e1, 0x0480, "Hauppauge", "Woodbury"), + ++ /* ASUS ROG Zenith II: this machine has also two devices, one for ++ * the front headphone and another for the rest ++ */ ++ PROFILE_NAME(0x0b05, 0x1915, "ASUS", "Zenith II Front Headphone", ++ "Zenith-II-Front-Headphone"), ++ PROFILE_NAME(0x0b05, 0x1916, "ASUS", "Zenith II Main Audio", ++ "Zenith-II-Main-Audio"), ++ + /* ASUS ROG Strix */ + PROFILE_NAME(0x0b05, 0x1917, + "Realtek", "ALC1220-VB-DT", "Realtek-ALC1220-VB-Desktop"), +--- a/sound/usb/mixer_maps.c ++++ b/sound/usb/mixer_maps.c +@@ -366,13 +366,28 @@ static const struct usbmix_name_map cors + { 0 } + }; + +-/* Some mobos shipped with a dummy HD-audio show the invalid GET_MIN/GET_MAX +- * response for Input Gain Pad (id=19, control=12) and the connector status +- * for SPDIF terminal (id=18). Skip them. +- */ +-static const struct usbmix_name_map asus_rog_map[] = { +- { 18, NULL }, /* OT, connector control */ +- { 19, NULL, 12 }, /* FU, Input Gain Pad */ ++/* ASUS ROG Zenith II with Realtek ALC1220-VB */ ++static const struct usbmix_name_map asus_zenith_ii_map[] = { ++ { 19, NULL, 12 }, /* FU, Input Gain Pad - broken response, disabled */ ++ { 16, "Speaker" }, /* OT */ ++ { 22, "Speaker Playback" }, /* FU */ ++ { 7, "Line" }, /* IT */ ++ { 19, "Line Capture" }, /* FU */ ++ { 8, "Mic" }, /* IT */ ++ { 20, "Mic Capture" }, /* FU */ ++ { 9, "Front Mic" }, /* IT */ ++ { 21, "Front Mic Capture" }, /* FU */ ++ { 17, "IEC958" }, /* OT */ ++ { 23, "IEC958 Playback" }, /* FU */ ++ {} ++}; ++ ++static const struct usbmix_connector_map asus_zenith_ii_connector_map[] = { ++ { 10, 16 }, /* (Back) Speaker */ ++ { 11, 17 }, /* SPDIF */ ++ { 13, 7 }, /* Line */ ++ { 14, 8 }, /* Mic */ ++ { 15, 9 }, /* Front Mic */ + {} + }; + +@@ -568,9 +583,10 @@ static const struct usbmix_ctl_map usbmi + .map = trx40_mobo_map, + .connector_map = trx40_mobo_connector_map, + }, +- { /* ASUS ROG Zenith II */ ++ { /* ASUS ROG Zenith II (main audio) */ + .id = USB_ID(0x0b05, 0x1916), +- .map = asus_rog_map, ++ .map = asus_zenith_ii_map, ++ .connector_map = asus_zenith_ii_connector_map, + }, + { /* ASUS ROG Strix */ + .id = USB_ID(0x0b05, 0x1917), diff --git a/queue-5.15/apparmor-fix-aa_label_asxprint-return-check.patch b/queue-5.15/apparmor-fix-aa_label_asxprint-return-check.patch new file mode 100644 index 00000000000..2e721d766ea --- /dev/null +++ b/queue-5.15/apparmor-fix-aa_label_asxprint-return-check.patch @@ -0,0 +1,56 @@ +From 3e2a3a0830a2090e766d0d887d52c67de2a6f323 Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Sun, 13 Feb 2022 13:32:28 -0800 +Subject: apparmor: fix aa_label_asxprint return check + +From: Tom Rix + +commit 3e2a3a0830a2090e766d0d887d52c67de2a6f323 upstream. + +Clang static analysis reports this issue +label.c:1802:3: warning: 2nd function call argument + is an uninitialized value + pr_info("%s", str); + ^~~~~~~~~~~~~~~~~~ + +str is set from a successful call to aa_label_asxprint(&str, ...) +On failure a negative value is returned, not a -1. So change +the check. + +Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels") +Signed-off-by: Tom Rix +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/label.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/security/apparmor/label.c ++++ b/security/apparmor/label.c +@@ -1745,7 +1745,7 @@ void aa_label_xaudit(struct audit_buffer + if (!use_label_hname(ns, label, flags) || + display_mode(ns, label, flags)) { + len = aa_label_asxprint(&name, ns, label, flags, gfp); +- if (len == -1) { ++ if (len < 0) { + AA_DEBUG("label print error"); + return; + } +@@ -1773,7 +1773,7 @@ void aa_label_seq_xprint(struct seq_file + int len; + + len = aa_label_asxprint(&str, ns, label, flags, gfp); +- if (len == -1) { ++ if (len < 0) { + AA_DEBUG("label print error"); + return; + } +@@ -1796,7 +1796,7 @@ void aa_label_xprintk(struct aa_ns *ns, + int len; + + len = aa_label_asxprint(&str, ns, label, flags, gfp); +- if (len == -1) { ++ if (len < 0) { + AA_DEBUG("label print error"); + return; + } diff --git a/queue-5.15/apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch b/queue-5.15/apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch new file mode 100644 index 00000000000..01079fabde8 --- /dev/null +++ b/queue-5.15/apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch @@ -0,0 +1,76 @@ +From 511f7b5b835726e844a5fc7444c18e4b8672edfd Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Tue, 14 Dec 2021 02:59:28 -0800 +Subject: apparmor: fix absroot causing audited secids to begin with = + +From: John Johansen + +commit 511f7b5b835726e844a5fc7444c18e4b8672edfd upstream. + +AppArmor is prefixing secids that are converted to secctx with the = +to indicate the secctx should only be parsed from an absolute root +POV. This allows catching errors where secctx are reparsed back into +internal labels. + +Unfortunately because audit is using secid to secctx conversion this +means that subject and object labels can result in a very unfortunate +== that can break audit parsing. + +eg. the subj==unconfined term in the below audit message + +type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000 +ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd" +hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success' + +Fix this by switch the prepending of = to a _. This still works as a +special character to flag this case without breaking audit. Also move +this check behind debug as it should not be needed during normal +operqation. + +Fixes: 26b7899510ae ("apparmor: add support for absolute root view based labels") +Reported-by: Casey Schaufler +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/include/lib.h | 5 +++++ + security/apparmor/label.c | 7 ++++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +--- a/security/apparmor/include/lib.h ++++ b/security/apparmor/include/lib.h +@@ -22,6 +22,11 @@ + */ + + #define DEBUG_ON (aa_g_debug) ++/* ++ * split individual debug cases out in preparation for finer grained ++ * debug controls in the future. ++ */ ++#define AA_DEBUG_LABEL DEBUG_ON + #define dbg_printk(__fmt, __args...) pr_debug(__fmt, ##__args) + #define AA_DEBUG(fmt, args...) \ + do { \ +--- a/security/apparmor/label.c ++++ b/security/apparmor/label.c +@@ -1632,9 +1632,9 @@ int aa_label_snxprint(char *str, size_t + AA_BUG(!str && size != 0); + AA_BUG(!label); + +- if (flags & FLAG_ABS_ROOT) { ++ if (AA_DEBUG_LABEL && (flags & FLAG_ABS_ROOT)) { + ns = root_ns; +- len = snprintf(str, size, "="); ++ len = snprintf(str, size, "_"); + update_for_len(total, len, size, str); + } else if (!ns) { + ns = labels_ns(label); +@@ -1896,7 +1896,8 @@ struct aa_label *aa_label_strn_parse(str + AA_BUG(!str); + + str = skipn_spaces(str, n); +- if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label)) ++ if (str == NULL || (AA_DEBUG_LABEL && *str == '_' && ++ base != &root_ns->unconfined->label)) + return ERR_PTR(-EINVAL); + + len = label_count_strn_entries(str, end - str); diff --git a/queue-5.15/apparmor-fix-failed-mount-permission-check-error-message.patch b/queue-5.15/apparmor-fix-failed-mount-permission-check-error-message.patch new file mode 100644 index 00000000000..d075a7ccbbc --- /dev/null +++ b/queue-5.15/apparmor-fix-failed-mount-permission-check-error-message.patch @@ -0,0 +1,45 @@ +From ec240b5905bbb09a03dccffee03062cf39e38dc2 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Tue, 25 Jan 2022 00:37:42 -0800 +Subject: apparmor: Fix failed mount permission check error message + +From: John Johansen + +commit ec240b5905bbb09a03dccffee03062cf39e38dc2 upstream. + +When the mount check fails due to a permission check failure instead +of explicitly at one of the subcomponent checks, AppArmor is reporting +a failure in the flags match. However this is not true and AppArmor +can not attribute the error at this point to any particular component, +and should only indicate the mount failed due to missing permissions. + +Fixes: 2ea3ffb7782a ("apparmor: add mount mediation") +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/mount.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/security/apparmor/mount.c ++++ b/security/apparmor/mount.c +@@ -229,7 +229,8 @@ static const char * const mnt_info_table + "failed srcname match", + "failed type match", + "failed flags match", +- "failed data match" ++ "failed data match", ++ "failed perms check" + }; + + /* +@@ -284,8 +285,8 @@ static int do_match_mnt(struct aa_dfa *d + return 0; + } + +- /* failed at end of flags match */ +- return 4; ++ /* failed at perms check, don't confuse with flags match */ ++ return 6; + } + + diff --git a/queue-5.15/apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch b/queue-5.15/apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch new file mode 100644 index 00000000000..1dfc2697359 --- /dev/null +++ b/queue-5.15/apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch @@ -0,0 +1,33 @@ +From 417ea9fe972d2654a268ad66e89c8fcae67017c3 Mon Sep 17 00:00:00 2001 +From: Xiu Jianfeng +Date: Tue, 14 Jun 2022 17:00:01 +0800 +Subject: apparmor: Fix memleak in aa_simple_write_to_buffer() + +From: Xiu Jianfeng + +commit 417ea9fe972d2654a268ad66e89c8fcae67017c3 upstream. + +When copy_from_user failed, the memory is freed by kvfree. however the +management struct and data blob are allocated independently, so only +kvfree(data) cause a memleak issue here. Use aa_put_loaddata(data) to +fix this issue. + +Fixes: a6a52579e52b5 ("apparmor: split load data into management struct and data blob") +Signed-off-by: Xiu Jianfeng +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/apparmorfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c +@@ -401,7 +401,7 @@ static struct aa_loaddata *aa_simple_wri + + data->size = copy_size; + if (copy_from_user(data->data, userbuf, copy_size)) { +- kvfree(data); ++ aa_put_loaddata(data); + return ERR_PTR(-EFAULT); + } + diff --git a/queue-5.15/apparmor-fix-overlapping-attachment-computation.patch b/queue-5.15/apparmor-fix-overlapping-attachment-computation.patch new file mode 100644 index 00000000000..7a13aa92005 --- /dev/null +++ b/queue-5.15/apparmor-fix-overlapping-attachment-computation.patch @@ -0,0 +1,46 @@ +From 2504db207146543736e877241f3b3de005cbe056 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Sat, 26 Mar 2022 01:58:15 -0700 +Subject: apparmor: fix overlapping attachment computation + +From: John Johansen + +commit 2504db207146543736e877241f3b3de005cbe056 upstream. + +When finding the profile via patterned attachments, the longest left +match is being set to the static compile time value and not using the +runtime computed value. + +Fix this by setting the candidate value to the greater of the +precomputed value or runtime computed value. + +Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution") +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/domain.c | 2 +- + security/apparmor/include/policy.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/security/apparmor/domain.c ++++ b/security/apparmor/domain.c +@@ -467,7 +467,7 @@ restart: + * xattrs, or a longer match + */ + candidate = profile; +- candidate_len = profile->xmatch_len; ++ candidate_len = max(count, profile->xmatch_len); + candidate_xattrs = ret; + conflict = false; + } +--- a/security/apparmor/include/policy.h ++++ b/security/apparmor/include/policy.h +@@ -135,7 +135,7 @@ struct aa_profile { + + const char *attach; + struct aa_dfa *xmatch; +- int xmatch_len; ++ unsigned int xmatch_len; + enum audit_mode audit; + long mode; + u32 path_flags; diff --git a/queue-5.15/apparmor-fix-quiet_denied-for-file-rules.patch b/queue-5.15/apparmor-fix-quiet_denied-for-file-rules.patch new file mode 100644 index 00000000000..1564040626f --- /dev/null +++ b/queue-5.15/apparmor-fix-quiet_denied-for-file-rules.patch @@ -0,0 +1,31 @@ +From 68ff8540cc9e4ab557065b3f635c1ff4c96e1f1c Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Thu, 29 Apr 2021 01:48:28 -0700 +Subject: apparmor: fix quiet_denied for file rules + +From: John Johansen + +commit 68ff8540cc9e4ab557065b3f635c1ff4c96e1f1c upstream. + +Global quieting of denied AppArmor generated file events is not +handled correctly. Unfortunately the is checking if quieting of all +audit events is set instead of just denied events. + +Fixes: 67012e8209df ("AppArmor: basic auditing infrastructure.") +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/audit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/apparmor/audit.c ++++ b/security/apparmor/audit.c +@@ -137,7 +137,7 @@ int aa_audit(int type, struct aa_profile + } + if (AUDIT_MODE(profile) == AUDIT_QUIET || + (type == AUDIT_APPARMOR_DENIED && +- AUDIT_MODE(profile) == AUDIT_QUIET)) ++ AUDIT_MODE(profile) == AUDIT_QUIET_DENIED)) + return aad(sa)->error; + + if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED) diff --git a/queue-5.15/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch b/queue-5.15/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch new file mode 100644 index 00000000000..ccdb7947748 --- /dev/null +++ b/queue-5.15/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch @@ -0,0 +1,41 @@ +From 11c3627ec6b56c1525013f336f41b79a983b4d46 Mon Sep 17 00:00:00 2001 +From: Xin Xiong +Date: Thu, 28 Apr 2022 11:39:08 +0800 +Subject: apparmor: fix reference count leak in aa_pivotroot() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xin Xiong + +commit 11c3627ec6b56c1525013f336f41b79a983b4d46 upstream. + +The aa_pivotroot() function has a reference counting bug in a specific +path. When aa_replace_current_label() returns on success, the function +forgets to decrement the reference count of “target”, which is +increased earlier by build_pivotroot(), causing a reference leak. + +Fix it by decreasing the refcount of “target” in that path. + +Fixes: 2ea3ffb7782a ("apparmor: add mount mediation") +Co-developed-by: Xiyu Yang +Signed-off-by: Xiyu Yang +Co-developed-by: Xin Tan +Signed-off-by: Xin Tan +Signed-off-by: Xin Xiong +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/mount.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/security/apparmor/mount.c ++++ b/security/apparmor/mount.c +@@ -719,6 +719,7 @@ int aa_pivotroot(struct aa_label *label, + aa_put_label(target); + goto out; + } ++ aa_put_label(target); + } else + /* already audited error */ + error = PTR_ERR(target); diff --git a/queue-5.15/apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch b/queue-5.15/apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch new file mode 100644 index 00000000000..fea6ae50967 --- /dev/null +++ b/queue-5.15/apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch @@ -0,0 +1,46 @@ +From 3bbb7b2e9bbcd22e539e23034da753898fe3b4dc Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Sat, 26 Mar 2022 01:52:06 -0700 +Subject: apparmor: fix setting unconfined mode on a loaded profile + +From: John Johansen + +commit 3bbb7b2e9bbcd22e539e23034da753898fe3b4dc upstream. + +When loading a profile that is set to unconfined mode, that label +flag is not set when it should be. Ensure it is set so that when +used in a label the unconfined check will be applied correctly. + +Fixes: 038165070aa5 ("apparmor: allow setting any profile into the unconfined state") +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/policy_unpack.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/security/apparmor/policy_unpack.c ++++ b/security/apparmor/policy_unpack.c +@@ -746,16 +746,18 @@ static struct aa_profile *unpack_profile + profile->label.flags |= FLAG_HAT; + if (!unpack_u32(e, &tmp, NULL)) + goto fail; +- if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) ++ if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) { + profile->mode = APPARMOR_COMPLAIN; +- else if (tmp == PACKED_MODE_ENFORCE) ++ } else if (tmp == PACKED_MODE_ENFORCE) { + profile->mode = APPARMOR_ENFORCE; +- else if (tmp == PACKED_MODE_KILL) ++ } else if (tmp == PACKED_MODE_KILL) { + profile->mode = APPARMOR_KILL; +- else if (tmp == PACKED_MODE_UNCONFINED) ++ } else if (tmp == PACKED_MODE_UNCONFINED) { + profile->mode = APPARMOR_UNCONFINED; +- else ++ profile->label.flags |= FLAG_UNCONFINED; ++ } else { + goto fail; ++ } + if (!unpack_u32(e, &tmp, NULL)) + goto fail; + if (tmp) diff --git a/queue-5.15/bpf-acquire-map-uref-in-.init_seq_private-for-array-map-iterator.patch b/queue-5.15/bpf-acquire-map-uref-in-.init_seq_private-for-array-map-iterator.patch new file mode 100644 index 00000000000..a61cff17384 --- /dev/null +++ b/queue-5.15/bpf-acquire-map-uref-in-.init_seq_private-for-array-map-iterator.patch @@ -0,0 +1,54 @@ +From f76fa6b338055054f80c72b29c97fb95c1becadc Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Wed, 10 Aug 2022 16:05:30 +0800 +Subject: bpf: Acquire map uref in .init_seq_private for array map iterator + +From: Hou Tao + +commit f76fa6b338055054f80c72b29c97fb95c1becadc upstream. + +bpf_iter_attach_map() acquires a map uref, and the uref may be released +before or in the middle of iterating map elements. For example, the uref +could be released in bpf_iter_detach_map() as part of +bpf_link_release(), or could be released in bpf_map_put_with_uref() as +part of bpf_map_release(). + +Alternative fix is acquiring an extra bpf_link reference just like +a pinned map iterator does, but it introduces unnecessary dependency +on bpf_link instead of bpf_map. + +So choose another fix: acquiring an extra map uref in .init_seq_private +for array map iterator. + +Fixes: d3cc2ab546ad ("bpf: Implement bpf iterator for array maps") +Signed-off-by: Hou Tao +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20220810080538.1845898-2-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/arraymap.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -620,6 +620,11 @@ static int bpf_iter_init_array_map(void + seq_info->percpu_value_buf = value_buf; + } + ++ /* bpf_iter_attach_map() acquires a map uref, and the uref may be ++ * released before or in the middle of iterating map elements, so ++ * acquire an extra map uref for iterator. ++ */ ++ bpf_map_inc_with_uref(map); + seq_info->map = map; + return 0; + } +@@ -628,6 +633,7 @@ static void bpf_iter_fini_array_map(void + { + struct bpf_iter_seq_array_map_info *seq_info = priv_data; + ++ bpf_map_put_with_uref(seq_info->map); + kfree(seq_info->percpu_value_buf); + } + diff --git a/queue-5.15/bpf-acquire-map-uref-in-.init_seq_private-for-hash-map-iterator.patch b/queue-5.15/bpf-acquire-map-uref-in-.init_seq_private-for-hash-map-iterator.patch new file mode 100644 index 00000000000..806d67d408c --- /dev/null +++ b/queue-5.15/bpf-acquire-map-uref-in-.init_seq_private-for-hash-map-iterator.patch @@ -0,0 +1,46 @@ +From ef1e93d2eeb58a1f08c37b22a2314b94bc045f15 Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Wed, 10 Aug 2022 16:05:31 +0800 +Subject: bpf: Acquire map uref in .init_seq_private for hash map iterator + +From: Hou Tao + +commit ef1e93d2eeb58a1f08c37b22a2314b94bc045f15 upstream. + +bpf_iter_attach_map() acquires a map uref, and the uref may be released +before or in the middle of iterating map elements. For example, the uref +could be released in bpf_iter_detach_map() as part of +bpf_link_release(), or could be released in bpf_map_put_with_uref() as +part of bpf_map_release(). + +So acquiring an extra map uref in bpf_iter_init_hash_map() and +releasing it in bpf_iter_fini_hash_map(). + +Fixes: d6c4503cc296 ("bpf: Implement bpf iterator for hash maps") +Signed-off-by: Hou Tao +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20220810080538.1845898-3-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/hashtab.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -2019,6 +2019,7 @@ static int bpf_iter_init_hash_map(void * + seq_info->percpu_value_buf = value_buf; + } + ++ bpf_map_inc_with_uref(map); + seq_info->map = map; + seq_info->htab = container_of(map, struct bpf_htab, map); + return 0; +@@ -2028,6 +2029,7 @@ static void bpf_iter_fini_hash_map(void + { + struct bpf_iter_seq_hash_map_info *seq_info = priv_data; + ++ bpf_map_put_with_uref(seq_info->map); + kfree(seq_info->percpu_value_buf); + } + diff --git a/queue-5.15/bpf-acquire-map-uref-in-.init_seq_private-for-sock-local-storage-map-iterator.patch b/queue-5.15/bpf-acquire-map-uref-in-.init_seq_private-for-sock-local-storage-map-iterator.patch new file mode 100644 index 00000000000..c6a0c888ea5 --- /dev/null +++ b/queue-5.15/bpf-acquire-map-uref-in-.init_seq_private-for-sock-local-storage-map-iterator.patch @@ -0,0 +1,59 @@ +From 3c5f6e698b5c538bbb23cd453b22e1e4922cffd8 Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Wed, 10 Aug 2022 16:05:32 +0800 +Subject: bpf: Acquire map uref in .init_seq_private for sock local storage map iterator + +From: Hou Tao + +commit 3c5f6e698b5c538bbb23cd453b22e1e4922cffd8 upstream. + +bpf_iter_attach_map() acquires a map uref, and the uref may be released +before or in the middle of iterating map elements. For example, the uref +could be released in bpf_iter_detach_map() as part of +bpf_link_release(), or could be released in bpf_map_put_with_uref() as +part of bpf_map_release(). + +So acquiring an extra map uref in bpf_iter_init_sk_storage_map() and +releasing it in bpf_iter_fini_sk_storage_map(). + +Fixes: 5ce6e77c7edf ("bpf: Implement bpf iterator for sock local storage map") +Signed-off-by: Hou Tao +Acked-by: Yonghong Song +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/r/20220810080538.1845898-4-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + net/core/bpf_sk_storage.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/net/core/bpf_sk_storage.c ++++ b/net/core/bpf_sk_storage.c +@@ -865,10 +865,18 @@ static int bpf_iter_init_sk_storage_map( + { + struct bpf_iter_seq_sk_storage_map_info *seq_info = priv_data; + ++ bpf_map_inc_with_uref(aux->map); + seq_info->map = aux->map; + return 0; + } + ++static void bpf_iter_fini_sk_storage_map(void *priv_data) ++{ ++ struct bpf_iter_seq_sk_storage_map_info *seq_info = priv_data; ++ ++ bpf_map_put_with_uref(seq_info->map); ++} ++ + static int bpf_iter_attach_map(struct bpf_prog *prog, + union bpf_iter_link_info *linfo, + struct bpf_iter_aux_info *aux) +@@ -914,7 +922,7 @@ static const struct seq_operations bpf_s + static const struct bpf_iter_seq_info iter_seq_info = { + .seq_ops = &bpf_sk_storage_map_seq_ops, + .init_seq_private = bpf_iter_init_sk_storage_map, +- .fini_seq_private = NULL, ++ .fini_seq_private = bpf_iter_fini_sk_storage_map, + .seq_priv_size = sizeof(struct bpf_iter_seq_sk_storage_map_info), + }; + diff --git a/queue-5.15/bpf-acquire-map-uref-in-.init_seq_private-for-sock-map-hash-iterator.patch b/queue-5.15/bpf-acquire-map-uref-in-.init_seq_private-for-sock-map-hash-iterator.patch new file mode 100644 index 00000000000..893c53ad3cf --- /dev/null +++ b/queue-5.15/bpf-acquire-map-uref-in-.init_seq_private-for-sock-map-hash-iterator.patch @@ -0,0 +1,82 @@ +From f0d2b2716d71778d0b0c8eaa433c073287d69d93 Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Wed, 10 Aug 2022 16:05:33 +0800 +Subject: bpf: Acquire map uref in .init_seq_private for sock{map,hash} iterator + +From: Hou Tao + +commit f0d2b2716d71778d0b0c8eaa433c073287d69d93 upstream. + +sock_map_iter_attach_target() acquires a map uref, and the uref may be +released before or in the middle of iterating map elements. For example, +the uref could be released in sock_map_iter_detach_target() as part of +bpf_link_release(), or could be released in bpf_map_put_with_uref() as +part of bpf_map_release(). + +Fixing it by acquiring an extra map uref in .init_seq_private and +releasing it in .fini_seq_private. + +Fixes: 0365351524d7 ("net: Allow iterating sockmap and sockhash") +Signed-off-by: Hou Tao +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20220810080538.1845898-5-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + net/core/sock_map.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -789,13 +789,22 @@ static int sock_map_init_seq_private(voi + { + struct sock_map_seq_info *info = priv_data; + ++ bpf_map_inc_with_uref(aux->map); + info->map = aux->map; + return 0; + } + ++static void sock_map_fini_seq_private(void *priv_data) ++{ ++ struct sock_map_seq_info *info = priv_data; ++ ++ bpf_map_put_with_uref(info->map); ++} ++ + static const struct bpf_iter_seq_info sock_map_iter_seq_info = { + .seq_ops = &sock_map_seq_ops, + .init_seq_private = sock_map_init_seq_private, ++ .fini_seq_private = sock_map_fini_seq_private, + .seq_priv_size = sizeof(struct sock_map_seq_info), + }; + +@@ -1376,18 +1385,27 @@ static const struct seq_operations sock_ + }; + + static int sock_hash_init_seq_private(void *priv_data, +- struct bpf_iter_aux_info *aux) ++ struct bpf_iter_aux_info *aux) + { + struct sock_hash_seq_info *info = priv_data; + ++ bpf_map_inc_with_uref(aux->map); + info->map = aux->map; + info->htab = container_of(aux->map, struct bpf_shtab, map); + return 0; + } + ++static void sock_hash_fini_seq_private(void *priv_data) ++{ ++ struct sock_hash_seq_info *info = priv_data; ++ ++ bpf_map_put_with_uref(info->map); ++} ++ + static const struct bpf_iter_seq_info sock_hash_iter_seq_info = { + .seq_ops = &sock_hash_seq_ops, + .init_seq_private = sock_hash_init_seq_private, ++ .fini_seq_private = sock_hash_fini_seq_private, + .seq_priv_size = sizeof(struct sock_hash_seq_info), + }; + diff --git a/queue-5.15/bpf-check-the-validity-of-max_rdwr_access-for-sock-local-storage-map-iterator.patch b/queue-5.15/bpf-check-the-validity-of-max_rdwr_access-for-sock-local-storage-map-iterator.patch new file mode 100644 index 00000000000..831387a02d9 --- /dev/null +++ b/queue-5.15/bpf-check-the-validity-of-max_rdwr_access-for-sock-local-storage-map-iterator.patch @@ -0,0 +1,34 @@ +From 52bd05eb7c88e1ad8541a48873188ccebca9da26 Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Wed, 10 Aug 2022 16:05:34 +0800 +Subject: bpf: Check the validity of max_rdwr_access for sock local storage map iterator + +From: Hou Tao + +commit 52bd05eb7c88e1ad8541a48873188ccebca9da26 upstream. + +The value of sock local storage map is writable in map iterator, so check +max_rdwr_access instead of max_rdonly_access. + +Fixes: 5ce6e77c7edf ("bpf: Implement bpf iterator for sock local storage map") +Signed-off-by: Hou Tao +Acked-by: Yonghong Song +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/r/20220810080538.1845898-6-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + net/core/bpf_sk_storage.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/bpf_sk_storage.c ++++ b/net/core/bpf_sk_storage.c +@@ -894,7 +894,7 @@ static int bpf_iter_attach_map(struct bp + if (map->map_type != BPF_MAP_TYPE_SK_STORAGE) + goto put_map; + +- if (prog->aux->max_rdonly_access > map->value_size) { ++ if (prog->aux->max_rdwr_access > map->value_size) { + err = -EACCES; + goto put_map; + } diff --git a/queue-5.15/bpf-don-t-reinit-map-value-in-prealloc_lru_pop.patch b/queue-5.15/bpf-don-t-reinit-map-value-in-prealloc_lru_pop.patch new file mode 100644 index 00000000000..725948b52a9 --- /dev/null +++ b/queue-5.15/bpf-don-t-reinit-map-value-in-prealloc_lru_pop.patch @@ -0,0 +1,65 @@ +From 275c30bcee66a27d1aa97a215d607ad6d49804cb Mon Sep 17 00:00:00 2001 +From: Kumar Kartikeya Dwivedi +Date: Tue, 9 Aug 2022 23:30:32 +0200 +Subject: bpf: Don't reinit map value in prealloc_lru_pop + +From: Kumar Kartikeya Dwivedi + +commit 275c30bcee66a27d1aa97a215d607ad6d49804cb upstream. + +The LRU map that is preallocated may have its elements reused while +another program holds a pointer to it from bpf_map_lookup_elem. Hence, +only check_and_free_fields is appropriate when the element is being +deleted, as it ensures proper synchronization against concurrent access +of the map value. After that, we cannot call check_and_init_map_value +again as it may rewrite bpf_spin_lock, bpf_timer, and kptr fields while +they can be concurrently accessed from a BPF program. + +This is safe to do as when the map entry is deleted, concurrent access +is protected against by check_and_free_fields, i.e. an existing timer +would be freed, and any existing kptr will be released by it. The +program can create further timers and kptrs after check_and_free_fields, +but they will eventually be released once the preallocated items are +freed on map destruction, even if the item is never reused again. Hence, +the deleted item sitting in the free list can still have resources +attached to it, and they would never leak. + +With spin_lock, we never touch the field at all on delete or update, as +we may end up modifying the state of the lock. Since the verifier +ensures that a bpf_spin_lock call is always paired with bpf_spin_unlock +call, the program will eventually release the lock so that on reuse the +new user of the value can take the lock. + +Essentially, for the preallocated case, we must assume that the map +value may always be in use by the program, even when it is sitting in +the freelist, and handle things accordingly, i.e. use proper +synchronization inside check_and_free_fields, and never reinitialize the +special fields when it is reused on update. + +Fixes: 68134668c17f ("bpf: Add map side support for bpf timers.") +Acked-by: Yonghong Song +Signed-off-by: Kumar Kartikeya Dwivedi +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/r/20220809213033.24147-3-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/hashtab.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -291,12 +291,8 @@ static struct htab_elem *prealloc_lru_po + struct htab_elem *l; + + if (node) { +- u32 key_size = htab->map.key_size; +- + l = container_of(node, struct htab_elem, lru_node); +- memcpy(l->key, key, key_size); +- check_and_init_map_value(&htab->map, +- l->key + round_up(key_size, 8)); ++ memcpy(l->key, key, htab->map.key_size); + return l; + } + diff --git a/queue-5.15/bpf-fix-potential-bad-pointer-dereference-in-bpf_sys_bpf.patch b/queue-5.15/bpf-fix-potential-bad-pointer-dereference-in-bpf_sys_bpf.patch new file mode 100644 index 00000000000..2163a4bec79 --- /dev/null +++ b/queue-5.15/bpf-fix-potential-bad-pointer-dereference-in-bpf_sys_bpf.patch @@ -0,0 +1,126 @@ +From e2dcac2f58f5a95ab092d1da237ffdc0da1832cf Mon Sep 17 00:00:00 2001 +From: Jinghao Jia +Date: Fri, 29 Jul 2022 20:17:13 +0000 +Subject: BPF: Fix potential bad pointer dereference in bpf_sys_bpf() + +From: Jinghao Jia + +commit e2dcac2f58f5a95ab092d1da237ffdc0da1832cf upstream. + +The bpf_sys_bpf() helper function allows an eBPF program to load another +eBPF program from within the kernel. In this case the argument union +bpf_attr pointer (as well as the insns and license pointers inside) is a +kernel address instead of a userspace address (which is the case of a +usual bpf() syscall). To make the memory copying process in the syscall +work in both cases, bpfptr_t was introduced to wrap around the pointer +and distinguish its origin. Specifically, when copying memory contents +from a bpfptr_t, a copy_from_user() is performed in case of a userspace +address and a memcpy() is performed for a kernel address. + +This can lead to problems because the in-kernel pointer is never checked +for validity. The problem happens when an eBPF syscall program tries to +call bpf_sys_bpf() to load a program but provides a bad insns pointer -- +say 0xdeadbeef -- in the bpf_attr union. The helper calls __sys_bpf() +which would then call bpf_prog_load() to load the program. +bpf_prog_load() is responsible for copying the eBPF instructions to the +newly allocated memory for the program; it creates a kernel bpfptr_t for +insns and invokes copy_from_bpfptr(). Internally, all bpfptr_t +operations are backed by the corresponding sockptr_t operations, which +performs direct memcpy() on kernel pointers for copy_from/strncpy_from +operations. Therefore, the code is always happy to dereference the bad +pointer to trigger a un-handle-able page fault and in turn an oops. +However, this is not supposed to happen because at that point the eBPF +program is already verified and should not cause a memory error. + +Sample KASAN trace: + +[ 25.685056][ T228] ================================================================== +[ 25.685680][ T228] BUG: KASAN: user-memory-access in copy_from_bpfptr+0x21/0x30 +[ 25.686210][ T228] Read of size 80 at addr 00000000deadbeef by task poc/228 +[ 25.686732][ T228] +[ 25.686893][ T228] CPU: 3 PID: 228 Comm: poc Not tainted 5.19.0-rc7 #7 +[ 25.687375][ T228] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014 +[ 25.687991][ T228] Call Trace: +[ 25.688223][ T228] +[ 25.688429][ T228] dump_stack_lvl+0x73/0x9e +[ 25.688747][ T228] print_report+0xea/0x200 +[ 25.689061][ T228] ? copy_from_bpfptr+0x21/0x30 +[ 25.689401][ T228] ? _printk+0x54/0x6e +[ 25.689693][ T228] ? _raw_spin_lock_irqsave+0x70/0xd0 +[ 25.690071][ T228] ? copy_from_bpfptr+0x21/0x30 +[ 25.690412][ T228] kasan_report+0xb5/0xe0 +[ 25.690716][ T228] ? copy_from_bpfptr+0x21/0x30 +[ 25.691059][ T228] kasan_check_range+0x2bd/0x2e0 +[ 25.691405][ T228] ? copy_from_bpfptr+0x21/0x30 +[ 25.691734][ T228] memcpy+0x25/0x60 +[ 25.692000][ T228] copy_from_bpfptr+0x21/0x30 +[ 25.692328][ T228] bpf_prog_load+0x604/0x9e0 +[ 25.692653][ T228] ? cap_capable+0xb4/0xe0 +[ 25.692956][ T228] ? security_capable+0x4f/0x70 +[ 25.693324][ T228] __sys_bpf+0x3af/0x580 +[ 25.693635][ T228] bpf_sys_bpf+0x45/0x240 +[ 25.693937][ T228] bpf_prog_f0ec79a5a3caca46_bpf_func1+0xa2/0xbd +[ 25.694394][ T228] bpf_prog_run_pin_on_cpu+0x2f/0xb0 +[ 25.694756][ T228] bpf_prog_test_run_syscall+0x146/0x1c0 +[ 25.695144][ T228] bpf_prog_test_run+0x172/0x190 +[ 25.695487][ T228] __sys_bpf+0x2c5/0x580 +[ 25.695776][ T228] __x64_sys_bpf+0x3a/0x50 +[ 25.696084][ T228] do_syscall_64+0x60/0x90 +[ 25.696393][ T228] ? fpregs_assert_state_consistent+0x50/0x60 +[ 25.696815][ T228] ? exit_to_user_mode_prepare+0x36/0xa0 +[ 25.697202][ T228] ? syscall_exit_to_user_mode+0x20/0x40 +[ 25.697586][ T228] ? do_syscall_64+0x6e/0x90 +[ 25.697899][ T228] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 25.698312][ T228] RIP: 0033:0x7f6d543fb759 +[ 25.698624][ T228] Code: 08 5b 89 e8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 a6 0e 00 f7 d8 64 89 01 48 +[ 25.699946][ T228] RSP: 002b:00007ffc3df78468 EFLAGS: 00000287 ORIG_RAX: 0000000000000141 +[ 25.700526][ T228] RAX: ffffffffffffffda RBX: 00007ffc3df78628 RCX: 00007f6d543fb759 +[ 25.701071][ T228] RDX: 0000000000000090 RSI: 00007ffc3df78478 RDI: 000000000000000a +[ 25.701636][ T228] RBP: 00007ffc3df78510 R08: 0000000000000000 R09: 0000000000300000 +[ 25.702191][ T228] R10: 0000000000000005 R11: 0000000000000287 R12: 0000000000000000 +[ 25.702736][ T228] R13: 00007ffc3df78638 R14: 000055a1584aca68 R15: 00007f6d5456a000 +[ 25.703282][ T228] +[ 25.703490][ T228] ================================================================== +[ 25.704050][ T228] Disabling lock debugging due to kernel taint + +Update copy_from_bpfptr() and strncpy_from_bpfptr() so that: + - for a kernel pointer, it uses the safe copy_from_kernel_nofault() and + strncpy_from_kernel_nofault() functions. + - for a userspace pointer, it performs copy_from_user() and + strncpy_from_user(). + +Fixes: af2ac3e13e45 ("bpf: Prepare bpf syscall to be used from kernel and user space.") +Link: https://lore.kernel.org/bpf/20220727132905.45166-1-jinghao@linux.ibm.com/ +Signed-off-by: Jinghao Jia +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20220729201713.88688-1-jinghao@linux.ibm.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/bpfptr.h | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/include/linux/bpfptr.h ++++ b/include/linux/bpfptr.h +@@ -48,7 +48,9 @@ static inline void bpfptr_add(bpfptr_t * + static inline int copy_from_bpfptr_offset(void *dst, bpfptr_t src, + size_t offset, size_t size) + { +- return copy_from_sockptr_offset(dst, (sockptr_t) src, offset, size); ++ if (!bpfptr_is_kernel(src)) ++ return copy_from_user(dst, src.user + offset, size); ++ return copy_from_kernel_nofault(dst, src.kernel + offset, size); + } + + static inline int copy_from_bpfptr(void *dst, bpfptr_t src, size_t size) +@@ -77,7 +79,9 @@ static inline void *kvmemdup_bpfptr(bpfp + + static inline long strncpy_from_bpfptr(char *dst, bpfptr_t src, size_t count) + { +- return strncpy_from_sockptr(dst, (sockptr_t) src, count); ++ if (bpfptr_is_kernel(src)) ++ return strncpy_from_kernel_nofault(dst, src.kernel, count); ++ return strncpy_from_user(dst, src.user, count); + } + + #endif /* _LINUX_BPFPTR_H */ diff --git a/queue-5.15/can-ems_usb-fix-clang-s-wunaligned-access-warning.patch b/queue-5.15/can-ems_usb-fix-clang-s-wunaligned-access-warning.patch new file mode 100644 index 00000000000..a52e8a864d8 --- /dev/null +++ b/queue-5.15/can-ems_usb-fix-clang-s-wunaligned-access-warning.patch @@ -0,0 +1,65 @@ +From a4cb6e62ea4d36e53fb3c0f18ea4503d7b76674f Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Mon, 1 Aug 2022 22:47:16 +0200 +Subject: can: ems_usb: fix clang's -Wunaligned-access warning + +From: Marc Kleine-Budde + +commit a4cb6e62ea4d36e53fb3c0f18ea4503d7b76674f upstream. + +clang emits a -Wunaligned-access warning on struct __packed +ems_cpc_msg. + +The reason is that the anonymous union msg (not declared as packed) is +being packed right after some non naturally aligned variables (3*8 +bits + 2*32) inside a packed struct: + +| struct __packed ems_cpc_msg { +| u8 type; /* type of message */ +| u8 length; /* length of data within union 'msg' */ +| u8 msgid; /* confirmation handle */ +| __le32 ts_sec; /* timestamp in seconds */ +| __le32 ts_nsec; /* timestamp in nano seconds */ +| /* ^ not naturally aligned */ +| +| union { +| /* ^ not declared as packed */ +| u8 generic[64]; +| struct cpc_can_msg can_msg; +| struct cpc_can_params can_params; +| struct cpc_confirm confirmation; +| struct cpc_overrun overrun; +| struct cpc_can_error error; +| struct cpc_can_err_counter err_counter; +| u8 can_state; +| } msg; +| }; + +Starting from LLVM 14, having an unpacked struct nested in a packed +struct triggers a warning. c.f. [1]. + +Fix the warning by marking the anonymous union as packed. + +[1] https://github.com/llvm/llvm-project/issues/55520 + +Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface") +Link: https://lore.kernel.org/all/20220802094021.959858-1-mkl@pengutronix.de +Cc: Gerhard Uttenthaler +Cc: Sebastian Haas +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/ems_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -194,7 +194,7 @@ struct __packed ems_cpc_msg { + __le32 ts_sec; /* timestamp in seconds */ + __le32 ts_nsec; /* timestamp in nano seconds */ + +- union { ++ union __packed { + u8 generic[64]; + struct cpc_can_msg can_msg; + struct cpc_can_params can_params; diff --git a/queue-5.15/can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch b/queue-5.15/can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch new file mode 100644 index 00000000000..bffc066e664 --- /dev/null +++ b/queue-5.15/can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch @@ -0,0 +1,55 @@ +From 8c21c54a53ab21842f5050fa090f26b03c0313d6 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Fri, 5 Aug 2022 18:02:16 +0300 +Subject: can: j1939: j1939_session_destroy(): fix memory leak of skbs + +From: Fedor Pchelkin + +commit 8c21c54a53ab21842f5050fa090f26b03c0313d6 upstream. + +We need to drop skb references taken in j1939_session_skb_queue() when +destroying a session in j1939_session_destroy(). Otherwise those skbs +would be lost. + +Link to Syzkaller info and repro: https://forge.ispras.ru/issues/11743. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +V1: https://lore.kernel.org/all/20220708175949.539064-1-pchelkin@ispras.ru + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Suggested-by: Oleksij Rempel +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Oleksij Rempel +Link: https://lore.kernel.org/all/20220805150216.66313-1-pchelkin@ispras.ru +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -260,6 +260,8 @@ static void __j1939_session_drop(struct + + static void j1939_session_destroy(struct j1939_session *session) + { ++ struct sk_buff *skb; ++ + if (session->transmission) { + if (session->err) + j1939_sk_errqueue(session, J1939_ERRQUEUE_TX_ABORT); +@@ -274,7 +276,11 @@ static void j1939_session_destroy(struct + WARN_ON_ONCE(!list_empty(&session->sk_session_queue_entry)); + WARN_ON_ONCE(!list_empty(&session->active_session_list_entry)); + +- skb_queue_purge(&session->skb_queue); ++ while ((skb = skb_dequeue(&session->skb_queue)) != NULL) { ++ /* drop ref taken in j1939_session_skb_queue() */ ++ skb_unref(skb); ++ kfree_skb(skb); ++ } + __j1939_session_drop(session); + j1939_priv_put(session->priv); + kfree(session); diff --git a/queue-5.15/can-mcp251x-fix-race-condition-on-receive-interrupt.patch b/queue-5.15/can-mcp251x-fix-race-condition-on-receive-interrupt.patch new file mode 100644 index 00000000000..e6011c59ba0 --- /dev/null +++ b/queue-5.15/can-mcp251x-fix-race-condition-on-receive-interrupt.patch @@ -0,0 +1,88 @@ +From d80d60b0db6ff3dd2e29247cc2a5166d7e9ae37e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20W=C3=BCrl?= +Date: Thu, 4 Aug 2022 10:14:11 +0200 +Subject: can: mcp251x: Fix race condition on receive interrupt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sebastian Würl + +commit d80d60b0db6ff3dd2e29247cc2a5166d7e9ae37e upstream. + +The mcp251x driver uses both receiving mailboxes of the CAN controller +chips. For retrieving the CAN frames from the controller via SPI, it checks +once per interrupt which mailboxes have been filled and will retrieve the +messages accordingly. + +This introduces a race condition, as another CAN frame can enter mailbox 1 +while mailbox 0 is emptied. If now another CAN frame enters mailbox 0 until +the interrupt handler is called next, mailbox 0 is emptied before +mailbox 1, leading to out-of-order CAN frames in the network device. + +This is fixed by checking the interrupt flags once again after freeing +mailbox 0, to correctly also empty mailbox 1 before leaving the handler. + +For reproducing the bug I created the following setup: + - Two CAN devices, one Raspberry Pi with MCP2515, the other can be any. + - Setup CAN to 1 MHz + - Spam bursts of 5 CAN-messages with increasing CAN-ids + - Continue sending the bursts while sleeping a second between the bursts + - Check on the RPi whether the received messages have increasing CAN-ids + - Without this patch, every burst of messages will contain a flipped pair + +v3: https://lore.kernel.org/all/20220804075914.67569-1-sebastian.wuerl@ororatech.com +v2: https://lore.kernel.org/all/20220804064803.63157-1-sebastian.wuerl@ororatech.com +v1: https://lore.kernel.org/all/20220803153300.58732-1-sebastian.wuerl@ororatech.com + +Fixes: bf66f3736a94 ("can: mcp251x: Move to threaded interrupts instead of workqueues.") +Signed-off-by: Sebastian Würl +Link: https://lore.kernel.org/all/20220804081411.68567-1-sebastian.wuerl@ororatech.com +[mkl: reduce scope of intf1, eflag1] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/spi/mcp251x.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -1074,9 +1074,6 @@ static irqreturn_t mcp251x_can_ist(int i + + mcp251x_read_2regs(spi, CANINTF, &intf, &eflag); + +- /* mask out flags we don't care about */ +- intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR; +- + /* receive buffer 0 */ + if (intf & CANINTF_RX0IF) { + mcp251x_hw_rx(spi, 0); +@@ -1086,6 +1083,18 @@ static irqreturn_t mcp251x_can_ist(int i + if (mcp251x_is_2510(spi)) + mcp251x_write_bits(spi, CANINTF, + CANINTF_RX0IF, 0x00); ++ ++ /* check if buffer 1 is already known to be full, no need to re-read */ ++ if (!(intf & CANINTF_RX1IF)) { ++ u8 intf1, eflag1; ++ ++ /* intf needs to be read again to avoid a race condition */ ++ mcp251x_read_2regs(spi, CANINTF, &intf1, &eflag1); ++ ++ /* combine flags from both operations for error handling */ ++ intf |= intf1; ++ eflag |= eflag1; ++ } + } + + /* receive buffer 1 */ +@@ -1096,6 +1105,9 @@ static irqreturn_t mcp251x_can_ist(int i + clear_intf |= CANINTF_RX1IF; + } + ++ /* mask out flags we don't care about */ ++ intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR; ++ + /* any error or tx interrupt we need to clear? */ + if (intf & (CANINTF_ERR | CANINTF_TX)) + clear_intf |= intf & (CANINTF_ERR | CANINTF_TX); diff --git a/queue-5.15/devlink-fix-use-after-free-after-a-failed-reload.patch b/queue-5.15/devlink-fix-use-after-free-after-a-failed-reload.patch new file mode 100644 index 00000000000..34a6f14db2a --- /dev/null +++ b/queue-5.15/devlink-fix-use-after-free-after-a-failed-reload.patch @@ -0,0 +1,105 @@ +From 6b4db2e528f650c7fb712961aac36455468d5902 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 9 Aug 2022 14:35:06 +0300 +Subject: devlink: Fix use-after-free after a failed reload + +From: Ido Schimmel + +commit 6b4db2e528f650c7fb712961aac36455468d5902 upstream. + +After a failed devlink reload, devlink parameters are still registered, +which means user space can set and get their values. In the case of the +mlxsw "acl_region_rehash_interval" parameter, these operations will +trigger a use-after-free [1]. + +Fix this by rejecting set and get operations while in the failed state. +Return the "-EOPNOTSUPP" error code which does not abort the parameters +dump, but instead causes it to skip over the problematic parameter. + +Another possible fix is to perform these checks in the mlxsw parameter +callbacks, but other drivers might be affected by the same problem and I +am not aware of scenarios where these stricter checks will cause a +regression. + +[1] +mlxsw_spectrum3 0000:00:10.0: Port 125: Failed to register netdev +mlxsw_spectrum3 0000:00:10.0: Failed to create ports + +================================================================== +BUG: KASAN: use-after-free in mlxsw_sp_acl_tcam_vregion_rehash_intrvl_get+0xbd/0xd0 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:904 +Read of size 4 at addr ffff8880099dcfd8 by task kworker/u4:4/777 + +CPU: 1 PID: 777 Comm: kworker/u4:4 Not tainted 5.19.0-rc7-custom-126601-gfe26f28c586d #1 +Hardware name: QEMU MSN4700, BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +Workqueue: netns cleanup_net +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x92/0xbd lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:313 [inline] + print_report.cold+0x5e/0x5cf mm/kasan/report.c:429 + kasan_report+0xb9/0xf0 mm/kasan/report.c:491 + __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:306 + mlxsw_sp_acl_tcam_vregion_rehash_intrvl_get+0xbd/0xd0 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:904 + mlxsw_sp_acl_region_rehash_intrvl_get+0x49/0x60 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c:1106 + mlxsw_sp_params_acl_region_rehash_intrvl_get+0x33/0x80 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3854 + devlink_param_get net/core/devlink.c:4981 [inline] + devlink_nl_param_fill+0x238/0x12d0 net/core/devlink.c:5089 + devlink_param_notify+0xe5/0x230 net/core/devlink.c:5168 + devlink_ns_change_notify net/core/devlink.c:4417 [inline] + devlink_ns_change_notify net/core/devlink.c:4396 [inline] + devlink_reload+0x15f/0x700 net/core/devlink.c:4507 + devlink_pernet_pre_exit+0x112/0x1d0 net/core/devlink.c:12272 + ops_pre_exit_list net/core/net_namespace.c:152 [inline] + cleanup_net+0x494/0xc00 net/core/net_namespace.c:582 + process_one_work+0x9fc/0x1710 kernel/workqueue.c:2289 + worker_thread+0x675/0x10b0 kernel/workqueue.c:2436 + kthread+0x30c/0x3d0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + + +The buggy address belongs to the physical page: +page:ffffea0000267700 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99dc +flags: 0x100000000000000(node=0|zone=1) +raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000 +raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880099dce80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff8880099dcf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +>ffff8880099dcf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ^ + ffff8880099dd000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff8880099dd080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +================================================================== + +Fixes: 98bbf70c1c41 ("mlxsw: spectrum: add "acl_region_rehash_interval" devlink param") +Signed-off-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/devlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -4413,7 +4413,7 @@ static int devlink_param_get(struct devl + const struct devlink_param *param, + struct devlink_param_gset_ctx *ctx) + { +- if (!param->get) ++ if (!param->get || devlink->reload_failed) + return -EOPNOTSUPP; + return param->get(devlink, param->id, ctx); + } +@@ -4422,7 +4422,7 @@ static int devlink_param_set(struct devl + const struct devlink_param *param, + struct devlink_param_gset_ctx *ctx) + { +- if (!param->set) ++ if (!param->set || devlink->reload_failed) + return -EOPNOTSUPP; + return param->set(devlink, param->id, ctx); + } diff --git a/queue-5.15/documentation-acpi-einj-fix-obsolete-example.patch b/queue-5.15/documentation-acpi-einj-fix-obsolete-example.patch new file mode 100644 index 00000000000..549691e6de6 --- /dev/null +++ b/queue-5.15/documentation-acpi-einj-fix-obsolete-example.patch @@ -0,0 +1,33 @@ +From 9066e151c37950af92c3be6a7270daa8e8063db9 Mon Sep 17 00:00:00 2001 +From: Qifu Zhang +Date: Tue, 19 Jul 2022 19:50:13 +0800 +Subject: Documentation: ACPI: EINJ: Fix obsolete example + +From: Qifu Zhang + +commit 9066e151c37950af92c3be6a7270daa8e8063db9 upstream. + +Since commit 488dac0c9237 ("libfs: fix error cast of negative value in +simple_attr_write()"), the EINJ debugfs interface no longer accepts +negative values as input. Attempt to do so will result in EINVAL. + +Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()") +Signed-off-by: Qifu Zhang +Reviewed-by: Tony Luck +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/firmware-guide/acpi/apei/einj.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/firmware-guide/acpi/apei/einj.rst ++++ b/Documentation/firmware-guide/acpi/apei/einj.rst +@@ -168,7 +168,7 @@ An error injection example:: + 0x00000008 Memory Correctable + 0x00000010 Memory Uncorrectable non-fatal + # echo 0x12345000 > param1 # Set memory address for injection +- # echo $((-1 << 12)) > param2 # Mask 0xfffffffffffff000 - anywhere in this page ++ # echo 0xfffffffffffff000 > param2 # Mask - anywhere in this page + # echo 0x8 > error_type # Choose correctable memory error + # echo 1 > error_inject # Inject now + diff --git a/queue-5.15/dt-bindings-arm-qcom-fix-alcatel-onetouch-idol-3-compatibles.patch b/queue-5.15/dt-bindings-arm-qcom-fix-alcatel-onetouch-idol-3-compatibles.patch new file mode 100644 index 00000000000..603caddf29d --- /dev/null +++ b/queue-5.15/dt-bindings-arm-qcom-fix-alcatel-onetouch-idol-3-compatibles.patch @@ -0,0 +1,45 @@ +From 944de5182f0269e72ffe0a8880c8dbeb30f473d8 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 20 May 2022 14:32:44 +0200 +Subject: dt-bindings: arm: qcom: fix Alcatel OneTouch Idol 3 compatibles + +From: Krzysztof Kozlowski + +commit 944de5182f0269e72ffe0a8880c8dbeb30f473d8 upstream. + +The MSM8916 Alcatel OneTouch Idol 3 does not use MTP fallbacks in +compatibles: + + msm8916-alcatel-idol347.dtb: /: compatible: 'oneOf' conditional failed, one must be fixed: + ['alcatel,idol347', 'qcom,msm8916'] is too short + +Reported-by: Rob Herring +Fixes: e9dd2f7204ed ("dt-bindings: arm: qcom: Document alcatel,idol347 board") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Rob Herring +Reviewed-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20220520123252.365762-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/arm/qcom.yaml | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/Documentation/devicetree/bindings/arm/qcom.yaml ++++ b/Documentation/devicetree/bindings/arm/qcom.yaml +@@ -135,14 +135,13 @@ properties: + - const: qcom,msm8974 + + - items: +- - enum: +- - alcatel,idol347 + - const: qcom,msm8916-mtp/1 + - const: qcom,msm8916-mtp + - const: qcom,msm8916 + + - items: + - enum: ++ - alcatel,idol347 + - longcheer,l8150 + - samsung,a3u-eur + - samsung,a5u-eur diff --git a/queue-5.15/dt-bindings-usb-mtk-xhci-allow-wakeup-interrupt-names-to-be-optional.patch b/queue-5.15/dt-bindings-usb-mtk-xhci-allow-wakeup-interrupt-names-to-be-optional.patch new file mode 100644 index 00000000000..0f1f96aa470 --- /dev/null +++ b/queue-5.15/dt-bindings-usb-mtk-xhci-allow-wakeup-interrupt-names-to-be-optional.patch @@ -0,0 +1,36 @@ +From b2c510ffe29f20a5f6ff31ae28d32ffa494b8cfb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?N=C3=ADcolas=20F=2E=20R=2E=20A=2E=20Prado?= + +Date: Thu, 23 Jun 2022 15:36:59 -0400 +Subject: dt-bindings: usb: mtk-xhci: Allow wakeup interrupt-names to be optional +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +commit b2c510ffe29f20a5f6ff31ae28d32ffa494b8cfb upstream. + +Add missing "minItems: 1" to the interrupt-names property to allow the +second interrupt-names, "wakeup", to be optional. + +Fixes: fe8e488058c4 ("dt-bindings: usb: mtk-xhci: add wakeup interrupt") +Signed-off-by: Nícolas F. R. A. Prado +Reviewed-by: Krzysztof Kozlowski +Acked-by: Chunfeng Yun +Link: https://lore.kernel.org/r/20220623193702.817996-2-nfraprado@collabora.com +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/usb/mediatek,mtk-xhci.yaml | 1 + + 1 file changed, 1 insertion(+) + +--- a/Documentation/devicetree/bindings/usb/mediatek,mtk-xhci.yaml ++++ b/Documentation/devicetree/bindings/usb/mediatek,mtk-xhci.yaml +@@ -56,6 +56,7 @@ properties: + - description: optional, wakeup interrupt used to support runtime PM + + interrupt-names: ++ minItems: 1 + items: + - const: host + - const: wakeup diff --git a/queue-5.15/geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch b/queue-5.15/geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch new file mode 100644 index 00000000000..5721595d7f9 --- /dev/null +++ b/queue-5.15/geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch @@ -0,0 +1,42 @@ +From ca2bb69514a8bc7f83914122f0d596371352416c Mon Sep 17 00:00:00 2001 +From: Matthias May +Date: Fri, 5 Aug 2022 21:19:03 +0200 +Subject: geneve: do not use RT_TOS for IPv6 flowlabel + +From: Matthias May + +commit ca2bb69514a8bc7f83914122f0d596371352416c upstream. + +According to Guillaume Nault RT_TOS should never be used for IPv6. + +Quote: +RT_TOS() is an old macro used to interprete IPv4 TOS as described in +the obsolete RFC 1349. It's conceptually wrong to use it even in IPv4 +code, although, given the current state of the code, most of the +existing calls have no consequence. + +But using RT_TOS() in IPv6 code is always a bug: IPv6 never had a "TOS" +field to be interpreted the RFC 1349 way. There's no historical +compatibility to worry about. + +Fixes: 3a56f86f1be6 ("geneve: handle ipv6 priority like ipv4 tos") +Acked-by: Guillaume Nault +Signed-off-by: Matthias May +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/geneve.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -852,8 +852,7 @@ static struct dst_entry *geneve_get_v6_d + use_cache = false; + } + +- fl6->flowlabel = ip6_make_flowinfo(RT_TOS(prio), +- info->key.label); ++ fl6->flowlabel = ip6_make_flowinfo(prio, info->key.label); + dst_cache = (struct dst_cache *)&info->dst_cache; + if (use_cache) { + dst = dst_cache_get_ip6(dst_cache, &fl6->saddr); diff --git a/queue-5.15/input-exc3000-fix-return-value-check-of-wait_for_completion_timeout.patch b/queue-5.15/input-exc3000-fix-return-value-check-of-wait_for_completion_timeout.patch new file mode 100644 index 00000000000..2da5ce844a5 --- /dev/null +++ b/queue-5.15/input-exc3000-fix-return-value-check-of-wait_for_completion_timeout.patch @@ -0,0 +1,46 @@ +From 6bb7144c3fa16a5efb54a8e2aff1817b4168018e Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Tue, 28 Jun 2022 22:42:35 -0700 +Subject: Input: exc3000 - fix return value check of wait_for_completion_timeout + +From: Miaoqian Lin + +commit 6bb7144c3fa16a5efb54a8e2aff1817b4168018e upstream. + +wait_for_completion_timeout() returns unsigned long not int. +It returns 0 if timed out, and positive if completed. +The check for <= 0 is ambiguous and should be == 0 here +indicating timeout which is the only error case. + +Fixes: 102feb1ddfd0 ("Input: exc3000 - factor out vendor data request") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220411105828.22140-1-linmq006@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/exc3000.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/input/touchscreen/exc3000.c ++++ b/drivers/input/touchscreen/exc3000.c +@@ -220,6 +220,7 @@ static int exc3000_vendor_data_request(s + { + u8 buf[EXC3000_LEN_VENDOR_REQUEST] = { 0x67, 0x00, 0x42, 0x00, 0x03 }; + int ret; ++ unsigned long time_left; + + mutex_lock(&data->query_lock); + +@@ -233,9 +234,9 @@ static int exc3000_vendor_data_request(s + goto out_unlock; + + if (response) { +- ret = wait_for_completion_timeout(&data->wait_event, +- timeout * HZ); +- if (ret <= 0) { ++ time_left = wait_for_completion_timeout(&data->wait_event, ++ timeout * HZ); ++ if (time_left == 0) { + ret = -ETIMEDOUT; + goto out_unlock; + } diff --git a/queue-5.15/ipv6-do-not-use-rt_tos-for-ipv6-flowlabel.patch b/queue-5.15/ipv6-do-not-use-rt_tos-for-ipv6-flowlabel.patch new file mode 100644 index 00000000000..3a4c537c101 --- /dev/null +++ b/queue-5.15/ipv6-do-not-use-rt_tos-for-ipv6-flowlabel.patch @@ -0,0 +1,42 @@ +From ab7e2e0dfa5d37540ab1dc5376e9a2cb9188925d Mon Sep 17 00:00:00 2001 +From: Matthias May +Date: Fri, 5 Aug 2022 21:19:06 +0200 +Subject: ipv6: do not use RT_TOS for IPv6 flowlabel + +From: Matthias May + +commit ab7e2e0dfa5d37540ab1dc5376e9a2cb9188925d upstream. + +According to Guillaume Nault RT_TOS should never be used for IPv6. + +Quote: +RT_TOS() is an old macro used to interprete IPv4 TOS as described in +the obsolete RFC 1349. It's conceptually wrong to use it even in IPv4 +code, although, given the current state of the code, most of the +existing calls have no consequence. + +But using RT_TOS() in IPv6 code is always a bug: IPv6 never had a "TOS" +field to be interpreted the RFC 1349 way. There's no historical +compatibility to worry about. + +Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.") +Acked-by: Guillaume Nault +Signed-off-by: Matthias May +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1289,8 +1289,7 @@ struct dst_entry *ip6_dst_lookup_tunnel( + fl6.daddr = info->key.u.ipv6.dst; + fl6.saddr = info->key.u.ipv6.src; + prio = info->key.tos; +- fl6.flowlabel = ip6_make_flowinfo(RT_TOS(prio), +- info->key.label); ++ fl6.flowlabel = ip6_make_flowinfo(prio, info->key.label); + + dst = ipv6_stub->ipv6_dst_lookup_flow(net, sock->sk, &fl6, + NULL); diff --git a/queue-5.15/m68k-coldfire-device.c-protect-flexcan-blocks.patch b/queue-5.15/m68k-coldfire-device.c-protect-flexcan-blocks.patch new file mode 100644 index 00000000000..12896b40995 --- /dev/null +++ b/queue-5.15/m68k-coldfire-device.c-protect-flexcan-blocks.patch @@ -0,0 +1,73 @@ +From 3c2bf173501652fced1d058834e9c983d295b126 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Mon, 30 May 2022 19:17:12 -0700 +Subject: m68k: coldfire/device.c: protect FLEXCAN blocks + +From: Randy Dunlap + +commit 3c2bf173501652fced1d058834e9c983d295b126 upstream. + +When CAN_FLEXCAN=y and M5441x is not set/enabled, there are build +errors in coldfire/device.c: + +../arch/m68k/coldfire/device.c:595:26: error: 'MCFFLEXCAN_BASE0' undeclared here (not in a function); did you mean 'MCFDMA_BASE0'? + 595 | .start = MCFFLEXCAN_BASE0, +../arch/m68k/coldfire/device.c:596:43: error: 'MCFFLEXCAN_SIZE' undeclared here (not in a function) + 596 | .end = MCFFLEXCAN_BASE0 + MCFFLEXCAN_SIZE, +../arch/m68k/coldfire/device.c:600:26: error: 'MCF_IRQ_IFL0' undeclared here (not in a function); did you mean 'MCF_IRQ_I2C0'? + 600 | .start = MCF_IRQ_IFL0, +../arch/m68k/coldfire/device.c:605:26: error: 'MCF_IRQ_BOFF0' undeclared here (not in a function); did you mean 'MCF_IRQ_I2C0'? + 605 | .start = MCF_IRQ_BOFF0, +../arch/m68k/coldfire/device.c:610:26: error: 'MCF_IRQ_ERR0' undeclared here (not in a function); did you mean 'MCF_IRQ_I2C0'? + 610 | .start = MCF_IRQ_ERR0, + +Protect the FLEXCAN code blocks by checking if MCFFLEXCAN_SIZE +is defined. + +Fixes: 35a9f9363a89 ("m68k: m5441x: add flexcan support") +Signed-off-by: Randy Dunlap +Cc: Greg Ungerer +Cc: Geert Uytterhoeven +Cc: linux-m68k@lists.linux-m68k.org +Cc: uclinux-dev@uclinux.org +Cc: Angelo Dureghello +Signed-off-by: Greg Ungerer +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/coldfire/device.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/m68k/coldfire/device.c b/arch/m68k/coldfire/device.c +index 4218750414bb..7dab46728aed 100644 +--- a/arch/m68k/coldfire/device.c ++++ b/arch/m68k/coldfire/device.c +@@ -581,7 +581,7 @@ static struct platform_device mcf_esdhc = { + }; + #endif /* MCFSDHC_BASE */ + +-#if IS_ENABLED(CONFIG_CAN_FLEXCAN) ++#ifdef MCFFLEXCAN_SIZE + + #include + +@@ -620,7 +620,7 @@ static struct platform_device mcf_flexcan0 = { + .resource = mcf5441x_flexcan0_resource, + .dev.platform_data = &mcf5441x_flexcan_info, + }; +-#endif /* IS_ENABLED(CONFIG_CAN_FLEXCAN) */ ++#endif /* MCFFLEXCAN_SIZE */ + + static struct platform_device *mcf_devices[] __initdata = { + &mcf_uart, +@@ -657,7 +657,7 @@ static struct platform_device *mcf_devices[] __initdata = { + #ifdef MCFSDHC_BASE + &mcf_esdhc, + #endif +-#if IS_ENABLED(CONFIG_CAN_FLEXCAN) ++#ifdef MCFFLEXCAN_SIZE + &mcf_flexcan0, + #endif + }; +-- +2.37.2 + diff --git a/queue-5.15/mlx5-do-not-use-rt_tos-for-ipv6-flowlabel.patch b/queue-5.15/mlx5-do-not-use-rt_tos-for-ipv6-flowlabel.patch new file mode 100644 index 00000000000..df6705f3c03 --- /dev/null +++ b/queue-5.15/mlx5-do-not-use-rt_tos-for-ipv6-flowlabel.patch @@ -0,0 +1,50 @@ +From bcb0da7fffee9464073998b267ce5543da2356d2 Mon Sep 17 00:00:00 2001 +From: Matthias May +Date: Fri, 5 Aug 2022 21:19:05 +0200 +Subject: mlx5: do not use RT_TOS for IPv6 flowlabel + +From: Matthias May + +commit bcb0da7fffee9464073998b267ce5543da2356d2 upstream. + +According to Guillaume Nault RT_TOS should never be used for IPv6. + +Quote: +RT_TOS() is an old macro used to interprete IPv4 TOS as described in +the obsolete RFC 1349. It's conceptually wrong to use it even in IPv4 +code, although, given the current state of the code, most of the +existing calls have no consequence. + +But using RT_TOS() in IPv6 code is always a bug: IPv6 never had a "TOS" +field to be interpreted the RFC 1349 way. There's no historical +compatibility to worry about. + +Fixes: ce99f6b97fcd ("net/mlx5e: Support SRIOV TC encapsulation offloads for IPv6 tunnels") +Acked-by: Guillaume Nault +Signed-off-by: Matthias May +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +@@ -497,7 +497,7 @@ int mlx5e_tc_tun_create_header_ipv6(stru + int err; + + attr.ttl = tun_key->ttl; +- attr.fl.fl6.flowlabel = ip6_make_flowinfo(RT_TOS(tun_key->tos), tun_key->label); ++ attr.fl.fl6.flowlabel = ip6_make_flowinfo(tun_key->tos, tun_key->label); + attr.fl.fl6.daddr = tun_key->u.ipv6.dst; + attr.fl.fl6.saddr = tun_key->u.ipv6.src; + +@@ -611,7 +611,7 @@ int mlx5e_tc_tun_update_header_ipv6(stru + + attr.ttl = tun_key->ttl; + +- attr.fl.fl6.flowlabel = ip6_make_flowinfo(RT_TOS(tun_key->tos), tun_key->label); ++ attr.fl.fl6.flowlabel = ip6_make_flowinfo(tun_key->tos, tun_key->label); + attr.fl.fl6.daddr = tun_key->u.ipv6.dst; + attr.fl.fl6.saddr = tun_key->u.ipv6.src; + diff --git a/queue-5.15/net-atlantic-fix-aq_vec-index-out-of-range-error.patch b/queue-5.15/net-atlantic-fix-aq_vec-index-out-of-range-error.patch new file mode 100644 index 00000000000..92a00921db6 --- /dev/null +++ b/queue-5.15/net-atlantic-fix-aq_vec-index-out-of-range-error.patch @@ -0,0 +1,119 @@ +From 2ba5e47fb75fbb8fab45f5c1bc8d5c33d8834bd3 Mon Sep 17 00:00:00 2001 +From: "Chia-Lin Kao (AceLan)" +Date: Mon, 8 Aug 2022 16:18:45 +0800 +Subject: net: atlantic: fix aq_vec index out of range error + +From: Chia-Lin Kao (AceLan) + +commit 2ba5e47fb75fbb8fab45f5c1bc8d5c33d8834bd3 upstream. + +The final update statement of the for loop exceeds the array range, the +dereference of self->aq_vec[i] is not checked and then leads to the +index out of range error. +Also fixed this kind of coding style in other for loop. + +[ 97.937604] UBSAN: array-index-out-of-bounds in drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1404:48 +[ 97.937607] index 8 is out of range for type 'aq_vec_s *[8]' +[ 97.937608] CPU: 38 PID: 3767 Comm: kworker/u256:18 Not tainted 5.19.0+ #2 +[ 97.937610] Hardware name: Dell Inc. Precision 7865 Tower/, BIOS 1.0.0 06/12/2022 +[ 97.937611] Workqueue: events_unbound async_run_entry_fn +[ 97.937616] Call Trace: +[ 97.937617] +[ 97.937619] dump_stack_lvl+0x49/0x63 +[ 97.937624] dump_stack+0x10/0x16 +[ 97.937626] ubsan_epilogue+0x9/0x3f +[ 97.937627] __ubsan_handle_out_of_bounds.cold+0x44/0x49 +[ 97.937629] ? __scm_send+0x348/0x440 +[ 97.937632] ? aq_vec_stop+0x72/0x80 [atlantic] +[ 97.937639] aq_nic_stop+0x1b6/0x1c0 [atlantic] +[ 97.937644] aq_suspend_common+0x88/0x90 [atlantic] +[ 97.937648] aq_pm_suspend_poweroff+0xe/0x20 [atlantic] +[ 97.937653] pci_pm_suspend+0x7e/0x1a0 +[ 97.937655] ? pci_pm_suspend_noirq+0x2b0/0x2b0 +[ 97.937657] dpm_run_callback+0x54/0x190 +[ 97.937660] __device_suspend+0x14c/0x4d0 +[ 97.937661] async_suspend+0x23/0x70 +[ 97.937663] async_run_entry_fn+0x33/0x120 +[ 97.937664] process_one_work+0x21f/0x3f0 +[ 97.937666] worker_thread+0x4a/0x3c0 +[ 97.937668] ? process_one_work+0x3f0/0x3f0 +[ 97.937669] kthread+0xf0/0x120 +[ 97.937671] ? kthread_complete_and_exit+0x20/0x20 +[ 97.937672] ret_from_fork+0x22/0x30 +[ 97.937676] + +v2. fixed "warning: variable 'aq_vec' set but not used" + +v3. simplified a for loop + +Fixes: 97bde5c4f909 ("net: ethernet: aquantia: Support for NIC-specific code") +Signed-off-by: Chia-Lin Kao (AceLan) +Acked-by: Sudarsana Reddy Kalluru +Link: https://lore.kernel.org/r/20220808081845.42005-1-acelan.kao@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 21 ++++++++------------- + 1 file changed, 8 insertions(+), 13 deletions(-) + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -265,12 +265,10 @@ static void aq_nic_service_timer_cb(stru + static void aq_nic_polling_timer_cb(struct timer_list *t) + { + struct aq_nic_s *self = from_timer(self, t, polling_timer); +- struct aq_vec_s *aq_vec = NULL; + unsigned int i = 0U; + +- for (i = 0U, aq_vec = self->aq_vec[0]; +- self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i]) +- aq_vec_isr(i, (void *)aq_vec); ++ for (i = 0U; self->aq_vecs > i; ++i) ++ aq_vec_isr(i, (void *)self->aq_vec[i]); + + mod_timer(&self->polling_timer, jiffies + + AQ_CFG_POLLING_TIMER_INTERVAL); +@@ -872,7 +870,6 @@ int aq_nic_get_regs_count(struct aq_nic_ + + u64 *aq_nic_get_stats(struct aq_nic_s *self, u64 *data) + { +- struct aq_vec_s *aq_vec = NULL; + struct aq_stats_s *stats; + unsigned int count = 0U; + unsigned int i = 0U; +@@ -922,11 +919,11 @@ u64 *aq_nic_get_stats(struct aq_nic_s *s + data += i; + + for (tc = 0U; tc < self->aq_nic_cfg.tcs; tc++) { +- for (i = 0U, aq_vec = self->aq_vec[0]; +- aq_vec && self->aq_vecs > i; +- ++i, aq_vec = self->aq_vec[i]) { ++ for (i = 0U; self->aq_vecs > i; ++i) { ++ if (!self->aq_vec[i]) ++ break; + data += count; +- count = aq_vec_get_sw_stats(aq_vec, tc, data); ++ count = aq_vec_get_sw_stats(self->aq_vec[i], tc, data); + } + } + +@@ -1240,7 +1237,6 @@ int aq_nic_set_loopback(struct aq_nic_s + + int aq_nic_stop(struct aq_nic_s *self) + { +- struct aq_vec_s *aq_vec = NULL; + unsigned int i = 0U; + + netif_tx_disable(self->ndev); +@@ -1258,9 +1254,8 @@ int aq_nic_stop(struct aq_nic_s *self) + + aq_ptp_irq_free(self); + +- for (i = 0U, aq_vec = self->aq_vec[0]; +- self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i]) +- aq_vec_stop(aq_vec); ++ for (i = 0U; self->aq_vecs > i; ++i) ++ aq_vec_stop(self->aq_vec[i]); + + aq_ptp_ring_stop(self); + diff --git a/queue-5.15/net-bcmgenet-indicate-mac-is-in-charge-of-phy-pm.patch b/queue-5.15/net-bcmgenet-indicate-mac-is-in-charge-of-phy-pm.patch new file mode 100644 index 00000000000..97a80dacb74 --- /dev/null +++ b/queue-5.15/net-bcmgenet-indicate-mac-is-in-charge-of-phy-pm.patch @@ -0,0 +1,35 @@ +From bc3410f250219660a7be032c01c954a53b2c26ab Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 4 Aug 2022 10:36:04 -0700 +Subject: net: bcmgenet: Indicate MAC is in charge of PHY PM + +From: Florian Fainelli + +commit bc3410f250219660a7be032c01c954a53b2c26ab upstream. + +Avoid the PHY library call unnecessarily into the suspend/resume functions by +setting phydev->mac_managed_pm to true. The GENET driver essentially does +exactly what mdio_bus_phy_resume() does by calling phy_init_hw() plus +phy_resume(). + +Fixes: fba863b81604 ("net: phy: make PHY PM ops a no-op if MAC driver manages PHY PM") +Signed-off-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220804173605.1266574-1-f.fainelli@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmmii.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -361,6 +361,9 @@ int bcmgenet_mii_probe(struct net_device + if (priv->internal_phy && !GENET_IS_V5(priv)) + dev->phydev->irq = PHY_MAC_INTERRUPT; + ++ /* Indicate that the MAC is responsible for PHY PM */ ++ dev->phydev->mac_managed_pm = true; ++ + return 0; + } + diff --git a/queue-5.15/net-bgmac-fix-a-bug-triggered-by-wrong-bytes_compl.patch b/queue-5.15/net-bgmac-fix-a-bug-triggered-by-wrong-bytes_compl.patch new file mode 100644 index 00000000000..a6fa9c17e75 --- /dev/null +++ b/queue-5.15/net-bgmac-fix-a-bug-triggered-by-wrong-bytes_compl.patch @@ -0,0 +1,86 @@ +From 1b7680c6c1f6de9904f1d9b05c952f0c64a03350 Mon Sep 17 00:00:00 2001 +From: Sandor Bodo-Merle +Date: Mon, 8 Aug 2022 19:39:39 +0200 +Subject: net: bgmac: Fix a BUG triggered by wrong bytes_compl + +From: Sandor Bodo-Merle + +commit 1b7680c6c1f6de9904f1d9b05c952f0c64a03350 upstream. + +On one of our machines we got: + +kernel BUG at lib/dynamic_queue_limits.c:27! +Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM +CPU: 0 PID: 1166 Comm: irq/41-bgmac Tainted: G W O 4.14.275-rt132 #1 +Hardware name: BRCM XGS iProc +task: ee3415c0 task.stack: ee32a000 +PC is at dql_completed+0x168/0x178 +LR is at bgmac_poll+0x18c/0x6d8 +pc : [] lr : [] psr: 800a0313 +sp : ee32be14 ip : 000005ea fp : 00000bd4 +r10: ee558500 r9 : c0116298 r8 : 00000002 +r7 : 00000000 r6 : ef128810 r5 : 01993267 r4 : 01993851 +r3 : ee558000 r2 : 000070e1 r1 : 00000bd4 r0 : ee52c180 +Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 12c5387d Table: 8e88c04a DAC: 00000051 +Process irq/41-bgmac (pid: 1166, stack limit = 0xee32a210) +Stack: (0xee32be14 to 0xee32c000) +be00: ee558520 ee52c100 ef128810 +be20: 00000000 00000002 c0116298 c04b5a18 00000000 c0a0c8c4 c0951780 00000040 +be40: c0701780 ee558500 ee55d520 ef05b340 ef6f9780 ee558520 00000001 00000040 +be60: ffffe000 c0a56878 ef6fa040 c0952040 0000012c c0528744 ef6f97b0 fffcfb6a +be80: c0a04104 2eda8000 c0a0c4ec c0a0d368 ee32bf44 c0153534 ee32be98 ee32be98 +bea0: ee32bea0 ee32bea0 ee32bea8 ee32bea8 00000000 c01462e4 ffffe000 ef6f22a8 +bec0: ffffe000 00000008 ee32bee4 c0147430 ffffe000 c094a2a8 00000003 ffffe000 +bee0: c0a54528 00208040 0000000c c0a0c8c4 c0a65980 c0124d3c 00000008 ee558520 +bf00: c094a23c c0a02080 00000000 c07a9910 ef136970 ef136970 ee30a440 ef136900 +bf20: ee30a440 00000001 ef136900 ee30a440 c016d990 00000000 c0108db0 c012500c +bf40: ef136900 c016da14 ee30a464 ffffe000 00000001 c016dd14 00000000 c016db28 +bf60: ffffe000 ee21a080 ee30a400 00000000 ee32a000 ee30a440 c016dbfc ee25fd70 +bf80: ee21a09c c013edcc ee32a000 ee30a400 c013ec7c 00000000 00000000 00000000 +bfa0: 00000000 00000000 00000000 c0108470 00000000 00000000 00000000 00000000 +bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 +[] (dql_completed) from [] (bgmac_poll+0x18c/0x6d8) +[] (bgmac_poll) from [] (net_rx_action+0x1c4/0x494) +[] (net_rx_action) from [] (do_current_softirqs+0x1ec/0x43c) +[] (do_current_softirqs) from [] (__local_bh_enable+0x80/0x98) +[] (__local_bh_enable) from [] (irq_forced_thread_fn+0x84/0x98) +[] (irq_forced_thread_fn) from [] (irq_thread+0x118/0x1c0) +[] (irq_thread) from [] (kthread+0x150/0x158) +[] (kthread) from [] (ret_from_fork+0x14/0x24) +Code: a83f15e0 0200001a 0630a0e1 c3ffffea (f201f0e7) + +The issue seems similar to commit 90b3b339364c ("net: hisilicon: Fix a BUG +trigered by wrong bytes_compl") and potentially introduced by commit +b38c83dd0866 ("bgmac: simplify tx ring index handling"). + +If there is an RX interrupt between setting ring->end +and netdev_sent_queue() we can hit the BUG_ON as bgmac_dma_tx_free() +can miscalculate the queue size while called from bgmac_poll(). + +The machine which triggered the BUG runs a v4.14 RT kernel - but the issue +seems present in mainline too. + +Fixes: b38c83dd0866 ("bgmac: simplify tx ring index handling") +Signed-off-by: Sandor Bodo-Merle +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220808173939.193804-1-sbodomerle@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bgmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bgmac.c ++++ b/drivers/net/ethernet/broadcom/bgmac.c +@@ -189,8 +189,8 @@ static netdev_tx_t bgmac_dma_tx_add(stru + } + + slot->skb = skb; +- ring->end += nr_frags + 1; + netdev_sent_queue(net_dev, skb->len); ++ ring->end += nr_frags + 1; + + wmb(); + diff --git a/queue-5.15/net-phy-warn-about-incorrect-mdio_bus_phy_resume-state.patch b/queue-5.15/net-phy-warn-about-incorrect-mdio_bus_phy_resume-state.patch new file mode 100644 index 00000000000..f5a8ee633a1 --- /dev/null +++ b/queue-5.15/net-phy-warn-about-incorrect-mdio_bus_phy_resume-state.patch @@ -0,0 +1,54 @@ +From 744d23c71af39c7dc77ac7c3cac87ae86a181a85 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Mon, 1 Aug 2022 16:34:03 -0700 +Subject: net: phy: Warn about incorrect mdio_bus_phy_resume() state + +From: Florian Fainelli + +commit 744d23c71af39c7dc77ac7c3cac87ae86a181a85 upstream. + +Calling mdio_bus_phy_resume() with neither the PHY state machine set to +PHY_HALTED nor phydev->mac_managed_pm set to true is a good indication +that we can produce a race condition looking like this: + +CPU0 CPU1 +bcmgenet_resume + -> phy_resume + -> phy_init_hw + -> phy_start + -> phy_resume + phy_start_aneg() +mdio_bus_phy_resume + -> phy_resume + -> phy_write(..., BMCR_RESET) + -> usleep() -> phy_read() + +with the phy_resume() function triggering a PHY behavior that might have +to be worked around with (see bf8bfc4336f7 ("net: phy: broadcom: Fix +brcm_fet_config_init()") for instance) that ultimately leads to an error +reading from the PHY. + +Fixes: fba863b81604 ("net: phy: make PHY PM ops a no-op if MAC driver manages PHY PM") +Signed-off-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220801233403.258871-1-f.fainelli@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy_device.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -315,6 +315,12 @@ static __maybe_unused int mdio_bus_phy_r + + phydev->suspended_by_mdio_bus = 0; + ++ /* If we managed to get here with the PHY state machine in a state other ++ * than PHY_HALTED this is an indication that something went wrong and ++ * we should most likely be using MAC managed PM and we are not. ++ */ ++ WARN_ON(phydev->state != PHY_HALTED && !phydev->mac_managed_pm); ++ + ret = phy_init_hw(phydev); + if (ret < 0) + return ret; diff --git a/queue-5.15/nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch b/queue-5.15/nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch new file mode 100644 index 00000000000..d2d89f09df0 --- /dev/null +++ b/queue-5.15/nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch @@ -0,0 +1,138 @@ +From 51fd2eb52c0ca8275a906eed81878ef50ae94eb0 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 13 Jul 2022 17:46:52 -0400 +Subject: NFSv4: Fix races in the legacy idmapper upcall + +From: Trond Myklebust + +commit 51fd2eb52c0ca8275a906eed81878ef50ae94eb0 upstream. + +nfs_idmap_instantiate() will cause the process that is waiting in +request_key_with_auxdata() to wake up and exit. If there is a second +process waiting for the idmap->idmap_mutex, then it may wake up and +start a new call to request_key_with_auxdata(). If the call to +idmap_pipe_downcall() from the first process has not yet finished +calling nfs_idmap_complete_pipe_upcall_locked(), then we may end up +triggering the WARN_ON_ONCE() in nfs_idmap_prepare_pipe_upcall(). + +The fix is to ensure that we clear idmap->idmap_upcall_data before +calling nfs_idmap_instantiate(). + +Fixes: e9ab41b620e4 ("NFSv4: Clean up the legacy idmapper upcall") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4idmap.c | 46 ++++++++++++++++++++++++---------------------- + 1 file changed, 24 insertions(+), 22 deletions(-) + +--- a/fs/nfs/nfs4idmap.c ++++ b/fs/nfs/nfs4idmap.c +@@ -561,22 +561,20 @@ nfs_idmap_prepare_pipe_upcall(struct idm + return true; + } + +-static void +-nfs_idmap_complete_pipe_upcall_locked(struct idmap *idmap, int ret) ++static void nfs_idmap_complete_pipe_upcall(struct idmap_legacy_upcalldata *data, ++ int ret) + { +- struct key *authkey = idmap->idmap_upcall_data->authkey; +- +- kfree(idmap->idmap_upcall_data); +- idmap->idmap_upcall_data = NULL; +- complete_request_key(authkey, ret); +- key_put(authkey); ++ complete_request_key(data->authkey, ret); ++ key_put(data->authkey); ++ kfree(data); + } + +-static void +-nfs_idmap_abort_pipe_upcall(struct idmap *idmap, int ret) ++static void nfs_idmap_abort_pipe_upcall(struct idmap *idmap, ++ struct idmap_legacy_upcalldata *data, ++ int ret) + { +- if (idmap->idmap_upcall_data != NULL) +- nfs_idmap_complete_pipe_upcall_locked(idmap, ret); ++ if (cmpxchg(&idmap->idmap_upcall_data, data, NULL) == data) ++ nfs_idmap_complete_pipe_upcall(data, ret); + } + + static int nfs_idmap_legacy_upcall(struct key *authkey, void *aux) +@@ -613,7 +611,7 @@ static int nfs_idmap_legacy_upcall(struc + + ret = rpc_queue_upcall(idmap->idmap_pipe, msg); + if (ret < 0) +- nfs_idmap_abort_pipe_upcall(idmap, ret); ++ nfs_idmap_abort_pipe_upcall(idmap, data, ret); + + return ret; + out2: +@@ -669,6 +667,7 @@ idmap_pipe_downcall(struct file *filp, c + struct request_key_auth *rka; + struct rpc_inode *rpci = RPC_I(file_inode(filp)); + struct idmap *idmap = (struct idmap *)rpci->private; ++ struct idmap_legacy_upcalldata *data; + struct key *authkey; + struct idmap_msg im; + size_t namelen_in; +@@ -678,10 +677,11 @@ idmap_pipe_downcall(struct file *filp, c + * will have been woken up and someone else may now have used + * idmap_key_cons - so after this point we may no longer touch it. + */ +- if (idmap->idmap_upcall_data == NULL) ++ data = xchg(&idmap->idmap_upcall_data, NULL); ++ if (data == NULL) + goto out_noupcall; + +- authkey = idmap->idmap_upcall_data->authkey; ++ authkey = data->authkey; + rka = get_request_key_auth(authkey); + + if (mlen != sizeof(im)) { +@@ -703,18 +703,17 @@ idmap_pipe_downcall(struct file *filp, c + if (namelen_in == 0 || namelen_in == IDMAP_NAMESZ) { + ret = -EINVAL; + goto out; +-} ++ } + +- ret = nfs_idmap_read_and_verify_message(&im, +- &idmap->idmap_upcall_data->idmap_msg, +- rka->target_key, authkey); ++ ret = nfs_idmap_read_and_verify_message(&im, &data->idmap_msg, ++ rka->target_key, authkey); + if (ret >= 0) { + key_set_timeout(rka->target_key, nfs_idmap_cache_timeout); + ret = mlen; + } + + out: +- nfs_idmap_complete_pipe_upcall_locked(idmap, ret); ++ nfs_idmap_complete_pipe_upcall(data, ret); + out_noupcall: + return ret; + } +@@ -728,7 +727,7 @@ idmap_pipe_destroy_msg(struct rpc_pipe_m + struct idmap *idmap = data->idmap; + + if (msg->errno) +- nfs_idmap_abort_pipe_upcall(idmap, msg->errno); ++ nfs_idmap_abort_pipe_upcall(idmap, data, msg->errno); + } + + static void +@@ -736,8 +735,11 @@ idmap_release_pipe(struct inode *inode) + { + struct rpc_inode *rpci = RPC_I(inode); + struct idmap *idmap = (struct idmap *)rpci->private; ++ struct idmap_legacy_upcalldata *data; + +- nfs_idmap_abort_pipe_upcall(idmap, -EPIPE); ++ data = xchg(&idmap->idmap_upcall_data, NULL); ++ if (data) ++ nfs_idmap_complete_pipe_upcall(data, -EPIPE); + } + + int nfs_map_name_to_uid(const struct nfs_server *server, const char *name, size_t namelen, kuid_t *uid) diff --git a/queue-5.15/nfsv4-pnfs-fix-a-use-after-free-bug-in-open.patch b/queue-5.15/nfsv4-pnfs-fix-a-use-after-free-bug-in-open.patch new file mode 100644 index 00000000000..42b6e90335f --- /dev/null +++ b/queue-5.15/nfsv4-pnfs-fix-a-use-after-free-bug-in-open.patch @@ -0,0 +1,41 @@ +From 2135e5d56278ffdb1c2e6d325dc6b87f669b9dac Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 2 Aug 2022 15:48:50 -0400 +Subject: NFSv4/pnfs: Fix a use-after-free bug in open + +From: Trond Myklebust + +commit 2135e5d56278ffdb1c2e6d325dc6b87f669b9dac upstream. + +If someone cancels the open RPC call, then we must not try to free +either the open slot or the layoutget operation arguments, since they +are likely still in use by the hung RPC call. + +Fixes: 6949493884fe ("NFSv4: Don't hold the layoutget locks across multiple RPC calls") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3106,12 +3106,13 @@ static int _nfs4_open_and_get_state(stru + } + + out: +- if (opendata->lgp) { +- nfs4_lgopen_release(opendata->lgp); +- opendata->lgp = NULL; +- } +- if (!opendata->cancelled) ++ if (!opendata->cancelled) { ++ if (opendata->lgp) { ++ nfs4_lgopen_release(opendata->lgp); ++ opendata->lgp = NULL; ++ } + nfs4_sequence_free_slot(&opendata->o_res.seq_res); ++ } + return ret; + } + diff --git a/queue-5.15/nfsv4.1-don-t-decrease-the-value-of-seq_nr_highest_sent.patch b/queue-5.15/nfsv4.1-don-t-decrease-the-value-of-seq_nr_highest_sent.patch new file mode 100644 index 00000000000..5b15c153585 --- /dev/null +++ b/queue-5.15/nfsv4.1-don-t-decrease-the-value-of-seq_nr_highest_sent.patch @@ -0,0 +1,36 @@ +From f07a5d2427fc113dc50c5c818eba8929bc27b8ca Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 12 Jul 2022 09:16:04 -0400 +Subject: NFSv4.1: Don't decrease the value of seq_nr_highest_sent + +From: Trond Myklebust + +commit f07a5d2427fc113dc50c5c818eba8929bc27b8ca upstream. + +When we're trying to figure out what the server may or may not have seen +in terms of request numbers, do not assume that requests with a larger +number were missed, just because we saw a reply to a request with a +smaller number. + +Fixes: 3453d5708b33 ("NFSv4.1: Avoid false retries when RPC calls are interrupted") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -787,10 +787,9 @@ static void nfs4_slot_sequence_record_se + if ((s32)(seqnr - slot->seq_nr_highest_sent) > 0) + slot->seq_nr_highest_sent = seqnr; + } +-static void nfs4_slot_sequence_acked(struct nfs4_slot *slot, +- u32 seqnr) ++static void nfs4_slot_sequence_acked(struct nfs4_slot *slot, u32 seqnr) + { +- slot->seq_nr_highest_sent = seqnr; ++ nfs4_slot_sequence_record_sent(slot, seqnr); + slot->seq_nr_last_acked = seqnr; + } + diff --git a/queue-5.15/nfsv4.1-handle-nfs4err_delay-replies-to-op_sequence-correctly.patch b/queue-5.15/nfsv4.1-handle-nfs4err_delay-replies-to-op_sequence-correctly.patch new file mode 100644 index 00000000000..7bc20741a81 --- /dev/null +++ b/queue-5.15/nfsv4.1-handle-nfs4err_delay-replies-to-op_sequence-correctly.patch @@ -0,0 +1,29 @@ +From 7ccafd4b2b9f34e6d8185f796f151c47424e273e Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 12 Jul 2022 09:22:40 -0400 +Subject: NFSv4.1: Handle NFS4ERR_DELAY replies to OP_SEQUENCE correctly + +From: Trond Myklebust + +commit 7ccafd4b2b9f34e6d8185f796f151c47424e273e upstream. + +Don't assume that the NFS4ERR_DELAY means that the server is processing +this slot id. + +Fixes: 3453d5708b33 ("NFSv4.1: Avoid false retries when RPC calls are interrupted") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -856,7 +856,6 @@ static int nfs41_sequence_process(struct + __func__, + slot->slot_nr, + slot->seq_nr); +- nfs4_slot_sequence_acked(slot, slot->seq_nr); + goto out_retry; + case -NFS4ERR_RETRY_UNCACHED_REP: + case -NFS4ERR_SEQ_FALSE_RETRY: diff --git a/queue-5.15/nfsv4.1-reclaim_complete-must-handle-eacces.patch b/queue-5.15/nfsv4.1-reclaim_complete-must-handle-eacces.patch new file mode 100644 index 00000000000..fac5fd633e1 --- /dev/null +++ b/queue-5.15/nfsv4.1-reclaim_complete-must-handle-eacces.patch @@ -0,0 +1,38 @@ +From e35a5e782f67ed76a65ad0f23a484444a95f000f Mon Sep 17 00:00:00 2001 +From: Zhang Xianwei +Date: Wed, 27 Jul 2022 18:01:07 +0800 +Subject: NFSv4.1: RECLAIM_COMPLETE must handle EACCES + +From: Zhang Xianwei + +commit e35a5e782f67ed76a65ad0f23a484444a95f000f upstream. + +A client should be able to handle getting an EACCES error while doing +a mount operation to reclaim state due to NFS4CLNT_RECLAIM_REBOOT +being set. If the server returns RPC_AUTH_BADCRED because authentication +failed when we execute "exportfs -au", then RECLAIM_COMPLETE will go a +wrong way. After mount succeeds, all OPEN call will fail due to an +NFS4ERR_GRACE error being returned. This patch is to fix it by resending +a RPC request. + +Signed-off-by: Zhang Xianwei +Signed-off-by: Yi Wang +Fixes: aa5190d0ed7d ("NFSv4: Kill nfs4_async_handle_error() abuses by NFSv4.1") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -9408,6 +9408,9 @@ static int nfs41_reclaim_complete_handle + rpc_delay(task, NFS4_POLL_RETRY_MAX); + fallthrough; + case -NFS4ERR_RETRY_UNCACHED_REP: ++ case -EACCES: ++ dprintk("%s: failed to reclaim complete error %d for server %s, retrying\n", ++ __func__, task->tk_status, clp->cl_hostname); + return -EAGAIN; + case -NFS4ERR_BADSESSION: + case -NFS4ERR_DEADSESSION: diff --git a/queue-5.15/octeontx2-af-apply-tx-nibble-fixup-always.patch b/queue-5.15/octeontx2-af-apply-tx-nibble-fixup-always.patch new file mode 100644 index 00000000000..1b7d6023147 --- /dev/null +++ b/queue-5.15/octeontx2-af-apply-tx-nibble-fixup-always.patch @@ -0,0 +1,52 @@ +From dd1d1a8a6b29b6b472fd0d449b29eb806c411dd2 Mon Sep 17 00:00:00 2001 +From: Stanislaw Kardach +Date: Wed, 3 Aug 2022 13:24:12 +0530 +Subject: octeontx2-af: Apply tx nibble fixup always + +From: Stanislaw Kardach + +commit dd1d1a8a6b29b6b472fd0d449b29eb806c411dd2 upstream. + +NPC_PARSE_NIBBLE for TX interface has to be equal to the RX one for some +silicon revisions. Mistakenly this fixup was only applied to the default +MKEX profile while it should also be applied to any loaded profile. + +Fixes: 1c1935c9945d ("octeontx2-af: Add NIX1 interfaces to NPC") +Signed-off-by: Stanislaw Kardach +Signed-off-by: Subbaraya Sundeep +Signed-off-by: Sunil Goutham +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c +@@ -1915,6 +1915,7 @@ static void rvu_npc_hw_init(struct rvu * + + static void rvu_npc_setup_interfaces(struct rvu *rvu, int blkaddr) + { ++ struct npc_mcam_kex *mkex = rvu->kpu.mkex; + struct npc_mcam *mcam = &rvu->hw->mcam; + struct rvu_hwinfo *hw = rvu->hw; + u64 nibble_ena, rx_kex, tx_kex; +@@ -1927,15 +1928,15 @@ static void rvu_npc_setup_interfaces(str + mcam->counters.max--; + mcam->rx_miss_act_cntr = mcam->counters.max; + +- rx_kex = npc_mkex_default.keyx_cfg[NIX_INTF_RX]; +- tx_kex = npc_mkex_default.keyx_cfg[NIX_INTF_TX]; ++ rx_kex = mkex->keyx_cfg[NIX_INTF_RX]; ++ tx_kex = mkex->keyx_cfg[NIX_INTF_TX]; + nibble_ena = FIELD_GET(NPC_PARSE_NIBBLE, rx_kex); + + nibble_ena = rvu_npc_get_tx_nibble_cfg(rvu, nibble_ena); + if (nibble_ena) { + tx_kex &= ~NPC_PARSE_NIBBLE; + tx_kex |= FIELD_PREP(NPC_PARSE_NIBBLE, nibble_ena); +- npc_mkex_default.keyx_cfg[NIX_INTF_TX] = tx_kex; ++ mkex->keyx_cfg[NIX_INTF_TX] = tx_kex; + } + + /* Configure RX interfaces */ diff --git a/queue-5.15/octeontx2-af-fix-key-checking-for-source-mac.patch b/queue-5.15/octeontx2-af-fix-key-checking-for-source-mac.patch new file mode 100644 index 00000000000..f39f4657f44 --- /dev/null +++ b/queue-5.15/octeontx2-af-fix-key-checking-for-source-mac.patch @@ -0,0 +1,36 @@ +From c3c290276927a3ae79342a4e17ec0500c138c63a Mon Sep 17 00:00:00 2001 +From: Subbaraya Sundeep +Date: Wed, 3 Aug 2022 13:24:15 +0530 +Subject: octeontx2-af: Fix key checking for source mac + +From: Subbaraya Sundeep + +commit c3c290276927a3ae79342a4e17ec0500c138c63a upstream. + +Given a field with its location/offset in input packet, +the key checking logic verifies whether extracting the +field can be supported or not based on the mkex profile +loaded in hardware. This logic is wrong wrt source mac +and this patch fixes that. + +Fixes: 9b179a960a96 ("octeontx2-af: Generate key field bit mask from KEX profile") +Signed-off-by: Subbaraya Sundeep +Signed-off-by: Sunil Goutham +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c +@@ -445,7 +445,8 @@ do { \ + NPC_SCAN_HDR(NPC_VLAN_TAG1, NPC_LID_LB, NPC_LT_LB_CTAG, 2, 2); + NPC_SCAN_HDR(NPC_VLAN_TAG2, NPC_LID_LB, NPC_LT_LB_STAG_QINQ, 2, 2); + NPC_SCAN_HDR(NPC_DMAC, NPC_LID_LA, la_ltype, la_start, 6); +- NPC_SCAN_HDR(NPC_SMAC, NPC_LID_LA, la_ltype, la_start, 6); ++ /* SMAC follows the DMAC(which is 6 bytes) */ ++ NPC_SCAN_HDR(NPC_SMAC, NPC_LID_LA, la_ltype, la_start + 6, 6); + /* PF_FUNC is 2 bytes at 0th byte of NPC_LT_LA_IH_NIX_ETHER */ + NPC_SCAN_HDR(NPC_PF_FUNC, NPC_LID_LA, NPC_LT_LA_IH_NIX_ETHER, 0, 2); + } diff --git a/queue-5.15/octeontx2-af-fix-mcam-entry-resource-leak.patch b/queue-5.15/octeontx2-af-fix-mcam-entry-resource-leak.patch new file mode 100644 index 00000000000..434161bdc06 --- /dev/null +++ b/queue-5.15/octeontx2-af-fix-mcam-entry-resource-leak.patch @@ -0,0 +1,62 @@ +From 3f8fe40ab7730cf8eb6f8b8ff412012f7f6f8f48 Mon Sep 17 00:00:00 2001 +From: Subbaraya Sundeep +Date: Wed, 3 Aug 2022 13:24:14 +0530 +Subject: octeontx2-af: Fix mcam entry resource leak + +From: Subbaraya Sundeep + +commit 3f8fe40ab7730cf8eb6f8b8ff412012f7f6f8f48 upstream. + +The teardown sequence in FLR handler returns if no NIX LF +is attached to PF/VF because it indicates that graceful +shutdown of resources already happened. But there is a +chance of all allocated MCAM entries not being freed by +PF/VF. Hence free mcam entries even in case of detached LF. + +Fixes: c554f9c1574e ("octeontx2-af: Teardown NPA, NIX LF upon receiving FLR") +Signed-off-by: Subbaraya Sundeep +Signed-off-by: Sunil Goutham +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 6 ++++++ + drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 6 ++++++ + 2 files changed, 12 insertions(+) + +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -2504,6 +2504,12 @@ static void __rvu_flr_handler(struct rvu + rvu_blklf_teardown(rvu, pcifunc, BLKADDR_NPA); + rvu_reset_lmt_map_tbl(rvu, pcifunc); + rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ /* In scenarios where PF/VF drivers detach NIXLF without freeing MCAM ++ * entries, check and free the MCAM entries explicitly to avoid leak. ++ * Since LF is detached use LF number as -1. ++ */ ++ rvu_npc_free_mcam_entries(rvu, pcifunc, -1); ++ + mutex_unlock(&rvu->flr_lock); + } + +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c +@@ -1096,6 +1096,9 @@ static void npc_enadis_default_entries(s + + void rvu_npc_disable_default_entries(struct rvu *rvu, u16 pcifunc, int nixlf) + { ++ if (nixlf < 0) ++ return; ++ + npc_enadis_default_entries(rvu, pcifunc, nixlf, false); + + /* Delete multicast and promisc MCAM entries */ +@@ -1107,6 +1110,9 @@ void rvu_npc_disable_default_entries(str + + void rvu_npc_enable_default_entries(struct rvu *rvu, u16 pcifunc, int nixlf) + { ++ if (nixlf < 0) ++ return; ++ + /* Enables only broadcast match entry. Promisc/Allmulti are enabled + * in set_rx_mode mbox handler. + */ diff --git a/queue-5.15/octeontx2-af-suppress-external-profile-loading-warning.patch b/queue-5.15/octeontx2-af-suppress-external-profile-loading-warning.patch new file mode 100644 index 00000000000..177587e48f6 --- /dev/null +++ b/queue-5.15/octeontx2-af-suppress-external-profile-loading-warning.patch @@ -0,0 +1,35 @@ +From cf2437626502b5271d19686b03dea306efe17ea0 Mon Sep 17 00:00:00 2001 +From: Harman Kalra +Date: Wed, 3 Aug 2022 13:24:13 +0530 +Subject: octeontx2-af: suppress external profile loading warning + +From: Harman Kalra + +commit cf2437626502b5271d19686b03dea306efe17ea0 upstream. + +The packet parser profile supplied as firmware may not +be present all the time and default profile is used mostly. +Hence suppress firmware loading warning from kernel due to +absence of firmware in kernel image. + +Fixes: 3a7244152f9c ("octeontx2-af: add support for custom KPU entries") +Signed-off-by: Harman Kalra +Signed-off-by: Subbaraya Sundeep +Signed-off-by: Sunil Goutham +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c +@@ -1650,7 +1650,7 @@ static void npc_load_kpu_profile(struct + * Firmware database method. + * Default KPU profile. + */ +- if (!request_firmware(&fw, kpu_profile, rvu->dev)) { ++ if (!request_firmware_direct(&fw, kpu_profile, rvu->dev)) { + dev_info(rvu->dev, "Loading KPU profile from firmware: %s\n", + kpu_profile); + rvu->kpu_fwdata = kzalloc(fw->size, GFP_KERNEL); diff --git a/queue-5.15/octeontx2-pf-fix-nix_af_tl3_tl2x_linkx_cfg-register-configuration.patch b/queue-5.15/octeontx2-pf-fix-nix_af_tl3_tl2x_linkx_cfg-register-configuration.patch new file mode 100644 index 00000000000..e1a1f85b080 --- /dev/null +++ b/queue-5.15/octeontx2-pf-fix-nix_af_tl3_tl2x_linkx_cfg-register-configuration.patch @@ -0,0 +1,86 @@ +From 13c9f4dc102f2856e80b92486c41841e25e23772 Mon Sep 17 00:00:00 2001 +From: Naveen Mamindlapalli +Date: Tue, 2 Aug 2022 19:58:13 +0530 +Subject: octeontx2-pf: Fix NIX_AF_TL3_TL2X_LINKX_CFG register configuration + +From: Naveen Mamindlapalli + +commit 13c9f4dc102f2856e80b92486c41841e25e23772 upstream. + +For packets scheduled to RPM and LBK, NIX_AF_PSE_CHANNEL_LEVEL[BP_LEVEL] +selects the TL3 or TL2 scheduling level as the one used for link/channel +selection and backpressure. For each scheduling queue at the selected +level: Setting NIX_AF_TL3_TL2(0..255)_LINK(0..12)_CFG[ENA] = 1 allows +the TL3/TL2 queue to schedule packets to a specified RPM or LBK link +and channel. + +There is an issue in the code where NIX_AF_PSE_CHANNEL_LEVEL[BP_LEVEL] +is set to TL3 where as the NIX_AF_TL3_TL2(0..255)_LINK(0..12)_CFG is +configured for TL2 queue in some cases. As a result packets will not +transmit on that link/channel. This patch fixes the issue by configuring +the NIX_AF_TL3_TL2(0..255)_LINK(0..12)_CFG register depending on the +NIX_AF_PSE_CHANNEL_LEVEL[BP_LEVEL] value. + +Fixes: caa2da34fd25a ("octeontx2-pf: Initialize and config queues") +Signed-off-by: Naveen Mamindlapalli +Signed-off-by: Sunil Kovvuri Goutham +Link: https://lore.kernel.org/r/20220802142813.25031-1-naveenm@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 19 +++++++++++---- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h | 1 + 2 files changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +@@ -631,6 +631,12 @@ int otx2_txschq_config(struct otx2_nic * + req->num_regs++; + req->reg[1] = NIX_AF_TL3X_SCHEDULE(schq); + req->regval[1] = dwrr_val; ++ if (lvl == hw->txschq_link_cfg_lvl) { ++ req->num_regs++; ++ req->reg[2] = NIX_AF_TL3_TL2X_LINKX_CFG(schq, hw->tx_link); ++ /* Enable this queue and backpressure */ ++ req->regval[2] = BIT_ULL(13) | BIT_ULL(12); ++ } + } else if (lvl == NIX_TXSCH_LVL_TL2) { + parent = hw->txschq_list[NIX_TXSCH_LVL_TL1][0]; + req->reg[0] = NIX_AF_TL2X_PARENT(schq); +@@ -640,11 +646,12 @@ int otx2_txschq_config(struct otx2_nic * + req->reg[1] = NIX_AF_TL2X_SCHEDULE(schq); + req->regval[1] = TXSCH_TL1_DFLT_RR_PRIO << 24 | dwrr_val; + +- req->num_regs++; +- req->reg[2] = NIX_AF_TL3_TL2X_LINKX_CFG(schq, hw->tx_link); +- /* Enable this queue and backpressure */ +- req->regval[2] = BIT_ULL(13) | BIT_ULL(12); +- ++ if (lvl == hw->txschq_link_cfg_lvl) { ++ req->num_regs++; ++ req->reg[2] = NIX_AF_TL3_TL2X_LINKX_CFG(schq, hw->tx_link); ++ /* Enable this queue and backpressure */ ++ req->regval[2] = BIT_ULL(13) | BIT_ULL(12); ++ } + } else if (lvl == NIX_TXSCH_LVL_TL1) { + /* Default config for TL1. + * For VF this is always ignored. +@@ -1563,6 +1570,8 @@ void mbox_handler_nix_txsch_alloc(struct + for (schq = 0; schq < rsp->schq[lvl]; schq++) + pf->hw.txschq_list[lvl][schq] = + rsp->schq_list[lvl][schq]; ++ ++ pf->hw.txschq_link_cfg_lvl = rsp->link_cfg_lvl; + } + EXPORT_SYMBOL(mbox_handler_nix_txsch_alloc); + +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h +@@ -182,6 +182,7 @@ struct otx2_hw { + u16 sqb_size; + + /* NIX */ ++ u8 txschq_link_cfg_lvl; + u16 txschq_list[NIX_TXSCH_LVL_CNT][MAX_TXSCHQ_PER_FUNC]; + u16 matchall_ipolicer; + u32 dwrr_mtu; diff --git a/queue-5.15/pinctrl-amd-don-t-save-restore-interrupt-status-and-wake-status-bits.patch b/queue-5.15/pinctrl-amd-don-t-save-restore-interrupt-status-and-wake-status-bits.patch new file mode 100644 index 00000000000..ebacd127bf5 --- /dev/null +++ b/queue-5.15/pinctrl-amd-don-t-save-restore-interrupt-status-and-wake-status-bits.patch @@ -0,0 +1,64 @@ +From b8c824a869f220c6b46df724f85794349bafbf23 Mon Sep 17 00:00:00 2001 +From: Basavaraj Natikar +Date: Mon, 13 Jun 2022 12:11:26 +0530 +Subject: pinctrl: amd: Don't save/restore interrupt status and wake status bits + +From: Basavaraj Natikar + +commit b8c824a869f220c6b46df724f85794349bafbf23 upstream. + +Saving/restoring interrupt and wake status bits across suspend can +cause the suspend to fail if an IRQ is serviced across the +suspend cycle. + +Signed-off-by: Mario Limonciello +Signed-off-by: Basavaraj Natikar +Fixes: 79d2c8bede2c ("pinctrl/amd: save pin registers over suspend/resume") +Link: https://lore.kernel.org/r/20220613064127.220416-3-Basavaraj.Natikar@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-amd.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -912,6 +912,7 @@ static int amd_gpio_suspend(struct devic + { + struct amd_gpio *gpio_dev = dev_get_drvdata(dev); + struct pinctrl_desc *desc = gpio_dev->pctrl->desc; ++ unsigned long flags; + int i; + + for (i = 0; i < desc->npins; i++) { +@@ -920,7 +921,9 @@ static int amd_gpio_suspend(struct devic + if (!amd_gpio_should_save(gpio_dev, pin)) + continue; + +- gpio_dev->saved_regs[i] = readl(gpio_dev->base + pin*4); ++ raw_spin_lock_irqsave(&gpio_dev->lock, flags); ++ gpio_dev->saved_regs[i] = readl(gpio_dev->base + pin * 4) & ~PIN_IRQ_PENDING; ++ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); + } + + return 0; +@@ -930,6 +933,7 @@ static int amd_gpio_resume(struct device + { + struct amd_gpio *gpio_dev = dev_get_drvdata(dev); + struct pinctrl_desc *desc = gpio_dev->pctrl->desc; ++ unsigned long flags; + int i; + + for (i = 0; i < desc->npins; i++) { +@@ -938,7 +942,10 @@ static int amd_gpio_resume(struct device + if (!amd_gpio_should_save(gpio_dev, pin)) + continue; + +- writel(gpio_dev->saved_regs[i], gpio_dev->base + pin*4); ++ raw_spin_lock_irqsave(&gpio_dev->lock, flags); ++ gpio_dev->saved_regs[i] |= readl(gpio_dev->base + pin * 4) & PIN_IRQ_PENDING; ++ writel(gpio_dev->saved_regs[i], gpio_dev->base + pin * 4); ++ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); + } + + return 0; diff --git a/queue-5.15/pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch b/queue-5.15/pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch new file mode 100644 index 00000000000..13ad475c077 --- /dev/null +++ b/queue-5.15/pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch @@ -0,0 +1,36 @@ +From 4b32e054335ea0ce50967f63a7bfd4db058b14b9 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Tue, 7 Jun 2022 15:16:01 +0400 +Subject: pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map + +From: Miaoqian Lin + +commit 4b32e054335ea0ce50967f63a7bfd4db058b14b9 upstream. + +of_parse_phandle() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak." + +Fixes: c2f6d059abfc ("pinctrl: nomadik: refactor DT parser to take two paths") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220607111602.57355-1-linmq006@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/nomadik/pinctrl-nomadik.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/nomadik/pinctrl-nomadik.c ++++ b/drivers/pinctrl/nomadik/pinctrl-nomadik.c +@@ -1421,8 +1421,10 @@ static int nmk_pinctrl_dt_subnode_to_map + + has_config = nmk_pinctrl_dt_get_config(np, &configs); + np_config = of_parse_phandle(np, "ste,config", 0); +- if (np_config) ++ if (np_config) { + has_config |= nmk_pinctrl_dt_get_config(np_config, &configs); ++ of_node_put(np_config); ++ } + if (has_config) { + const char *gpio_name; + const char *pin; diff --git a/queue-5.15/pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch b/queue-5.15/pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch new file mode 100644 index 00000000000..d1360376d48 --- /dev/null +++ b/queue-5.15/pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch @@ -0,0 +1,37 @@ +From 44339391c666e46cba522d19c65a6ad1071c68b7 Mon Sep 17 00:00:00 2001 +From: Nikita Travkin +Date: Sun, 12 Jun 2022 19:59:54 +0500 +Subject: pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed + +From: Nikita Travkin + +commit 44339391c666e46cba522d19c65a6ad1071c68b7 upstream. + +GPIO 31, 32 can be muxed to GCC_CAMSS_GP(1,2)_CLK respectively but the +function was never assigned to the pingroup (even though the function +exists already). + +Add this mode to the related pins. + +Fixes: 5373a2c5abb6 ("pinctrl: qcom: Add msm8916 pinctrl driver") +Signed-off-by: Nikita Travkin +Link: https://lore.kernel.org/r/20220612145955.385787-4-nikita@trvn.ru +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-msm8916.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/qcom/pinctrl-msm8916.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm8916.c +@@ -844,8 +844,8 @@ static const struct msm_pingroup msm8916 + PINGROUP(28, pwr_modem_enabled_a, NA, NA, NA, NA, NA, qdss_tracedata_b, NA, atest_combodac), + PINGROUP(29, cci_i2c, NA, NA, NA, NA, NA, qdss_tracedata_b, NA, atest_combodac), + PINGROUP(30, cci_i2c, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b), +- PINGROUP(31, cci_timer0, NA, NA, NA, NA, NA, NA, NA, NA), +- PINGROUP(32, cci_timer1, NA, NA, NA, NA, NA, NA, NA, NA), ++ PINGROUP(31, cci_timer0, flash_strobe, NA, NA, NA, NA, NA, NA, NA), ++ PINGROUP(32, cci_timer1, flash_strobe, NA, NA, NA, NA, NA, NA, NA), + PINGROUP(33, cci_async, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b), + PINGROUP(34, pwr_nav_enabled_a, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b), + PINGROUP(35, pwr_crypto_enabled_a, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b), diff --git a/queue-5.15/pinctrl-qcom-sm8250-fix-pdc-map.patch b/queue-5.15/pinctrl-qcom-sm8250-fix-pdc-map.patch new file mode 100644 index 00000000000..9688bdcf78f --- /dev/null +++ b/queue-5.15/pinctrl-qcom-sm8250-fix-pdc-map.patch @@ -0,0 +1,32 @@ +From 4b759ca15a4914f96ea204ea9200ceeb01d70666 Mon Sep 17 00:00:00 2001 +From: Jianhua Lu +Date: Wed, 3 Aug 2022 09:56:45 +0800 +Subject: pinctrl: qcom: sm8250: Fix PDC map + +From: Jianhua Lu + +commit 4b759ca15a4914f96ea204ea9200ceeb01d70666 upstream. + +Fix the PDC mapping for SM8250, gpio39 is mapped to irq73(not irq37). + +Fixes: b41efeed507a("pinctrl: qcom: sm8250: Specify PDC map.") +Signed-off-by: Jianhua Lu +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20220803015645.22388-1-lujianhua000@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-sm8250.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/qcom/pinctrl-sm8250.c ++++ b/drivers/pinctrl/qcom/pinctrl-sm8250.c +@@ -1316,7 +1316,7 @@ static const struct msm_pingroup sm8250_ + static const struct msm_gpio_wakeirq_map sm8250_pdc_map[] = { + { 0, 79 }, { 1, 84 }, { 2, 80 }, { 3, 82 }, { 4, 107 }, { 7, 43 }, + { 11, 42 }, { 14, 44 }, { 15, 52 }, { 19, 67 }, { 23, 68 }, { 24, 105 }, +- { 27, 92 }, { 28, 106 }, { 31, 69 }, { 35, 70 }, { 39, 37 }, ++ { 27, 92 }, { 28, 106 }, { 31, 69 }, { 35, 70 }, { 39, 73 }, + { 40, 108 }, { 43, 71 }, { 45, 72 }, { 47, 83 }, { 51, 74 }, { 55, 77 }, + { 59, 78 }, { 63, 75 }, { 64, 81 }, { 65, 87 }, { 66, 88 }, { 67, 89 }, + { 68, 54 }, { 70, 85 }, { 77, 46 }, { 80, 90 }, { 81, 91 }, { 83, 97 }, diff --git a/queue-5.15/pinctrl-sunxi-add-i-o-bias-setting-for-h6-r-pio.patch b/queue-5.15/pinctrl-sunxi-add-i-o-bias-setting-for-h6-r-pio.patch new file mode 100644 index 00000000000..6c94fd6a209 --- /dev/null +++ b/queue-5.15/pinctrl-sunxi-add-i-o-bias-setting-for-h6-r-pio.patch @@ -0,0 +1,67 @@ +From fc153c8f283bf5925615195fc9d4056414d7b168 Mon Sep 17 00:00:00 2001 +From: Samuel Holland +Date: Tue, 12 Jul 2022 21:52:29 -0500 +Subject: pinctrl: sunxi: Add I/O bias setting for H6 R-PIO + +From: Samuel Holland + +commit fc153c8f283bf5925615195fc9d4056414d7b168 upstream. + +H6 requires I/O bias configuration on both of its PIO devices. +Previously it was only done for the main PIO. + +The setting for Port L is at bit 0, so the bank calculation needs to +account for the pin base. Otherwise the wrong bit is used. + +Fixes: cc62383fcebe ("pinctrl: sunxi: Support I/O bias voltage setting on H6") +Reviewed-by: Jernej Skrabec +Tested-by: Heiko Stuebner +Signed-off-by: Samuel Holland +Link: https://lore.kernel.org/r/20220713025233.27248-3-samuel@sholland.org +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/sunxi/pinctrl-sun50i-h6-r.c | 1 + + drivers/pinctrl/sunxi/pinctrl-sunxi.c | 7 ++++--- + 2 files changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/pinctrl/sunxi/pinctrl-sun50i-h6-r.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun50i-h6-r.c +@@ -107,6 +107,7 @@ static const struct sunxi_pinctrl_desc s + .npins = ARRAY_SIZE(sun50i_h6_r_pins), + .pin_base = PL_BASE, + .irq_banks = 2, ++ .io_bias_cfg_variant = BIAS_VOLTAGE_PIO_POW_MODE_SEL, + }; + + static int sun50i_h6_r_pinctrl_probe(struct platform_device *pdev) +--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c +@@ -624,7 +624,7 @@ static int sunxi_pinctrl_set_io_bias_cfg + unsigned pin, + struct regulator *supply) + { +- unsigned short bank = pin / PINS_PER_BANK; ++ unsigned short bank; + unsigned long flags; + u32 val, reg; + int uV; +@@ -640,6 +640,9 @@ static int sunxi_pinctrl_set_io_bias_cfg + if (uV == 0) + return 0; + ++ pin -= pctl->desc->pin_base; ++ bank = pin / PINS_PER_BANK; ++ + switch (pctl->desc->io_bias_cfg_variant) { + case BIAS_VOLTAGE_GRP_CONFIG: + /* +@@ -657,8 +660,6 @@ static int sunxi_pinctrl_set_io_bias_cfg + else + val = 0xD; /* 3.3V */ + +- pin -= pctl->desc->pin_base; +- + reg = readl(pctl->membase + sunxi_grp_config_reg(pin)); + reg &= ~IO_BIAS_MASK; + writel(reg | val, pctl->membase + sunxi_grp_config_reg(pin)); diff --git a/queue-5.15/plip-avoid-rcu-debug-splat.patch b/queue-5.15/plip-avoid-rcu-debug-splat.patch new file mode 100644 index 00000000000..42808410a90 --- /dev/null +++ b/queue-5.15/plip-avoid-rcu-debug-splat.patch @@ -0,0 +1,36 @@ +From bc3c8fe3c79bcdae4d90e3726054fac5cca8ac32 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Sun, 7 Aug 2022 13:53:04 +0200 +Subject: plip: avoid rcu debug splat + +From: Florian Westphal + +commit bc3c8fe3c79bcdae4d90e3726054fac5cca8ac32 upstream. + +WARNING: suspicious RCU usage +5.2.0-rc2-00605-g2638eb8b50cfc #1 Not tainted +drivers/net/plip/plip.c:1110 suspicious rcu_dereference_check() usage! + +plip_open is called with RTNL held, switch to the correct helper. + +Fixes: 2638eb8b50cf ("net: ipv4: provide __rcu annotation for ifa_list") +Reported-by: kernel test robot +Signed-off-by: Florian Westphal +Link: https://lore.kernel.org/r/20220807115304.13257-1-fw@strlen.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/plip/plip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/plip/plip.c ++++ b/drivers/net/plip/plip.c +@@ -1107,7 +1107,7 @@ plip_open(struct net_device *dev) + /* Any address will do - we take the first. We already + have the first two bytes filled with 0xfc, from + plip_init_dev(). */ +- const struct in_ifaddr *ifa = rcu_dereference(in_dev->ifa_list); ++ const struct in_ifaddr *ifa = rtnl_dereference(in_dev->ifa_list); + if (ifa != NULL) { + memcpy(dev->dev_addr+2, &ifa->ifa_local, 4); + } diff --git a/queue-5.15/selftests-forwarding-fix-failing-tests-with-old-libnet.patch b/queue-5.15/selftests-forwarding-fix-failing-tests-with-old-libnet.patch new file mode 100644 index 00000000000..0407bd873de --- /dev/null +++ b/queue-5.15/selftests-forwarding-fix-failing-tests-with-old-libnet.patch @@ -0,0 +1,260 @@ +From 8bcfb4ae4d970b9a9724ddfbac26c387934e0e94 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 9 Aug 2022 14:33:20 +0300 +Subject: selftests: forwarding: Fix failing tests with old libnet + +From: Ido Schimmel + +commit 8bcfb4ae4d970b9a9724ddfbac26c387934e0e94 upstream. + +The custom multipath hash tests use mausezahn in order to test how +changes in various packet fields affect the packet distribution across +the available nexthops. + +The tool uses the libnet library for various low-level packet +construction and injection. The library started using the +"SO_BINDTODEVICE" socket option for IPv6 sockets in version 1.1.6 and +for IPv4 sockets in version 1.2. + +When the option is not set, packets are not routed according to the +table associated with the VRF master device and tests fail. + +Fix this by prefixing the command with "ip vrf exec", which will cause +the route lookup to occur in the VRF routing table. This makes the tests +pass regardless of the libnet library version. + +Fixes: 511e8db54036 ("selftests: forwarding: Add test for custom multipath hash") +Fixes: 185b0c190bb6 ("selftests: forwarding: Add test for custom multipath hash with IPv4 GRE") +Fixes: b7715acba4d3 ("selftests: forwarding: Add test for custom multipath hash with IPv6 GRE") +Reported-by: Ivan Vecera +Tested-by: Ivan Vecera +Signed-off-by: Ido Schimmel +Reviewed-by: Amit Cohen +Link: https://lore.kernel.org/r/20220809113320.751413-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + .../net/forwarding/custom_multipath_hash.sh | 24 ++++++++++++------- + .../forwarding/gre_custom_multipath_hash.sh | 24 ++++++++++++------- + .../ip6gre_custom_multipath_hash.sh | 24 ++++++++++++------- + 3 files changed, 48 insertions(+), 24 deletions(-) + +diff --git a/tools/testing/selftests/net/forwarding/custom_multipath_hash.sh b/tools/testing/selftests/net/forwarding/custom_multipath_hash.sh +index a15d21dc035a..56eb83d1a3bd 100755 +--- a/tools/testing/selftests/net/forwarding/custom_multipath_hash.sh ++++ b/tools/testing/selftests/net/forwarding/custom_multipath_hash.sh +@@ -181,37 +181,43 @@ ping_ipv6() + + send_src_ipv4() + { +- $MZ $h1 -q -p 64 -A "198.51.100.2-198.51.100.253" -B 203.0.113.2 \ ++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \ ++ -A "198.51.100.2-198.51.100.253" -B 203.0.113.2 \ + -d 1msec -c 50 -t udp "sp=20000,dp=30000" + } + + send_dst_ipv4() + { +- $MZ $h1 -q -p 64 -A 198.51.100.2 -B "203.0.113.2-203.0.113.253" \ ++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \ ++ -A 198.51.100.2 -B "203.0.113.2-203.0.113.253" \ + -d 1msec -c 50 -t udp "sp=20000,dp=30000" + } + + send_src_udp4() + { +- $MZ $h1 -q -p 64 -A 198.51.100.2 -B 203.0.113.2 \ ++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \ ++ -A 198.51.100.2 -B 203.0.113.2 \ + -d 1msec -t udp "sp=0-32768,dp=30000" + } + + send_dst_udp4() + { +- $MZ $h1 -q -p 64 -A 198.51.100.2 -B 203.0.113.2 \ ++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \ ++ -A 198.51.100.2 -B 203.0.113.2 \ + -d 1msec -t udp "sp=20000,dp=0-32768" + } + + send_src_ipv6() + { +- $MZ -6 $h1 -q -p 64 -A "2001:db8:1::2-2001:db8:1::fd" -B 2001:db8:4::2 \ ++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \ ++ -A "2001:db8:1::2-2001:db8:1::fd" -B 2001:db8:4::2 \ + -d 1msec -c 50 -t udp "sp=20000,dp=30000" + } + + send_dst_ipv6() + { +- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B "2001:db8:4::2-2001:db8:4::fd" \ ++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \ ++ -A 2001:db8:1::2 -B "2001:db8:4::2-2001:db8:4::fd" \ + -d 1msec -c 50 -t udp "sp=20000,dp=30000" + } + +@@ -226,13 +232,15 @@ send_flowlabel() + + send_src_udp6() + { +- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B 2001:db8:4::2 \ ++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \ ++ -A 2001:db8:1::2 -B 2001:db8:4::2 \ + -d 1msec -t udp "sp=0-32768,dp=30000" + } + + send_dst_udp6() + { +- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B 2001:db8:4::2 \ ++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \ ++ -A 2001:db8:1::2 -B 2001:db8:4::2 \ + -d 1msec -t udp "sp=20000,dp=0-32768" + } + +diff --git a/tools/testing/selftests/net/forwarding/gre_custom_multipath_hash.sh b/tools/testing/selftests/net/forwarding/gre_custom_multipath_hash.sh +index a73f52efcb6c..0446db9c6f74 100755 +--- a/tools/testing/selftests/net/forwarding/gre_custom_multipath_hash.sh ++++ b/tools/testing/selftests/net/forwarding/gre_custom_multipath_hash.sh +@@ -276,37 +276,43 @@ ping_ipv6() + + send_src_ipv4() + { +- $MZ $h1 -q -p 64 -A "198.51.100.2-198.51.100.253" -B 203.0.113.2 \ ++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \ ++ -A "198.51.100.2-198.51.100.253" -B 203.0.113.2 \ + -d 1msec -c 50 -t udp "sp=20000,dp=30000" + } + + send_dst_ipv4() + { +- $MZ $h1 -q -p 64 -A 198.51.100.2 -B "203.0.113.2-203.0.113.253" \ ++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \ ++ -A 198.51.100.2 -B "203.0.113.2-203.0.113.253" \ + -d 1msec -c 50 -t udp "sp=20000,dp=30000" + } + + send_src_udp4() + { +- $MZ $h1 -q -p 64 -A 198.51.100.2 -B 203.0.113.2 \ ++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \ ++ -A 198.51.100.2 -B 203.0.113.2 \ + -d 1msec -t udp "sp=0-32768,dp=30000" + } + + send_dst_udp4() + { +- $MZ $h1 -q -p 64 -A 198.51.100.2 -B 203.0.113.2 \ ++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \ ++ -A 198.51.100.2 -B 203.0.113.2 \ + -d 1msec -t udp "sp=20000,dp=0-32768" + } + + send_src_ipv6() + { +- $MZ -6 $h1 -q -p 64 -A "2001:db8:1::2-2001:db8:1::fd" -B 2001:db8:2::2 \ ++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \ ++ -A "2001:db8:1::2-2001:db8:1::fd" -B 2001:db8:2::2 \ + -d 1msec -c 50 -t udp "sp=20000,dp=30000" + } + + send_dst_ipv6() + { +- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B "2001:db8:2::2-2001:db8:2::fd" \ ++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \ ++ -A 2001:db8:1::2 -B "2001:db8:2::2-2001:db8:2::fd" \ + -d 1msec -c 50 -t udp "sp=20000,dp=30000" + } + +@@ -321,13 +327,15 @@ send_flowlabel() + + send_src_udp6() + { +- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B 2001:db8:2::2 \ ++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \ ++ -A 2001:db8:1::2 -B 2001:db8:2::2 \ + -d 1msec -t udp "sp=0-32768,dp=30000" + } + + send_dst_udp6() + { +- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B 2001:db8:2::2 \ ++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \ ++ -A 2001:db8:1::2 -B 2001:db8:2::2 \ + -d 1msec -t udp "sp=20000,dp=0-32768" + } + +diff --git a/tools/testing/selftests/net/forwarding/ip6gre_custom_multipath_hash.sh b/tools/testing/selftests/net/forwarding/ip6gre_custom_multipath_hash.sh +index 8fea2c2e0b25..d40183b4eccc 100755 +--- a/tools/testing/selftests/net/forwarding/ip6gre_custom_multipath_hash.sh ++++ b/tools/testing/selftests/net/forwarding/ip6gre_custom_multipath_hash.sh +@@ -278,37 +278,43 @@ ping_ipv6() + + send_src_ipv4() + { +- $MZ $h1 -q -p 64 -A "198.51.100.2-198.51.100.253" -B 203.0.113.2 \ ++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \ ++ -A "198.51.100.2-198.51.100.253" -B 203.0.113.2 \ + -d 1msec -c 50 -t udp "sp=20000,dp=30000" + } + + send_dst_ipv4() + { +- $MZ $h1 -q -p 64 -A 198.51.100.2 -B "203.0.113.2-203.0.113.253" \ ++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \ ++ -A 198.51.100.2 -B "203.0.113.2-203.0.113.253" \ + -d 1msec -c 50 -t udp "sp=20000,dp=30000" + } + + send_src_udp4() + { +- $MZ $h1 -q -p 64 -A 198.51.100.2 -B 203.0.113.2 \ ++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \ ++ -A 198.51.100.2 -B 203.0.113.2 \ + -d 1msec -t udp "sp=0-32768,dp=30000" + } + + send_dst_udp4() + { +- $MZ $h1 -q -p 64 -A 198.51.100.2 -B 203.0.113.2 \ ++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \ ++ -A 198.51.100.2 -B 203.0.113.2 \ + -d 1msec -t udp "sp=20000,dp=0-32768" + } + + send_src_ipv6() + { +- $MZ -6 $h1 -q -p 64 -A "2001:db8:1::2-2001:db8:1::fd" -B 2001:db8:2::2 \ ++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \ ++ -A "2001:db8:1::2-2001:db8:1::fd" -B 2001:db8:2::2 \ + -d 1msec -c 50 -t udp "sp=20000,dp=30000" + } + + send_dst_ipv6() + { +- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B "2001:db8:2::2-2001:db8:2::fd" \ ++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \ ++ -A 2001:db8:1::2 -B "2001:db8:2::2-2001:db8:2::fd" \ + -d 1msec -c 50 -t udp "sp=20000,dp=30000" + } + +@@ -323,13 +329,15 @@ send_flowlabel() + + send_src_udp6() + { +- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B 2001:db8:2::2 \ ++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \ ++ -A 2001:db8:1::2 -B 2001:db8:2::2 \ + -d 1msec -t udp "sp=0-32768,dp=30000" + } + + send_dst_udp6() + { +- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B 2001:db8:2::2 \ ++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \ ++ -A 2001:db8:1::2 -B 2001:db8:2::2 \ + -d 1msec -t udp "sp=20000,dp=0-32768" + } + +-- +2.37.2 + diff --git a/queue-5.15/series b/queue-5.15/series index 9e10308adcb..4088729e49a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -22,3 +22,60 @@ tracing-eprobes-do-not-hardcode-comm-as-a-string.patch tracing-eprobes-have-event-probes-be-consistent-with-kprobes-and-uprobes.patch tracing-probes-have-kprobes-and-uprobes-use-comm-too.patch tracing-have-filter-accept-common_cpu-to-be-consistent.patch +alsa-usb-audio-more-comprehensive-mixer-map-for-asus-rog-zenith-ii.patch +dt-bindings-usb-mtk-xhci-allow-wakeup-interrupt-names-to-be-optional.patch +can-ems_usb-fix-clang-s-wunaligned-access-warning.patch +apparmor-fix-quiet_denied-for-file-rules.patch +apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch +apparmor-fix-failed-mount-permission-check-error-message.patch +apparmor-fix-aa_label_asxprint-return-check.patch +apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch +apparmor-fix-overlapping-attachment-computation.patch +apparmor-fix-reference-count-leak-in-aa_pivotroot.patch +apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch +documentation-acpi-einj-fix-obsolete-example.patch +nfsv4.1-don-t-decrease-the-value-of-seq_nr_highest_sent.patch +nfsv4.1-handle-nfs4err_delay-replies-to-op_sequence-correctly.patch +nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch +nfsv4.1-reclaim_complete-must-handle-eacces.patch +nfsv4-pnfs-fix-a-use-after-free-bug-in-open.patch +bpf-fix-potential-bad-pointer-dereference-in-bpf_sys_bpf.patch +bpf-don-t-reinit-map-value-in-prealloc_lru_pop.patch +bpf-acquire-map-uref-in-.init_seq_private-for-array-map-iterator.patch +bpf-acquire-map-uref-in-.init_seq_private-for-hash-map-iterator.patch +bpf-acquire-map-uref-in-.init_seq_private-for-sock-local-storage-map-iterator.patch +bpf-acquire-map-uref-in-.init_seq_private-for-sock-map-hash-iterator.patch +bpf-check-the-validity-of-max_rdwr_access-for-sock-local-storage-map-iterator.patch +can-mcp251x-fix-race-condition-on-receive-interrupt.patch +can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch +net-atlantic-fix-aq_vec-index-out-of-range-error.patch +m68k-coldfire-device.c-protect-flexcan-blocks.patch +sunrpc-fix-expiry-of-auth-creds.patch +sunrpc-fix-xdr_encode_bool.patch +sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch +virtio_net-fix-memory-leak-inside-xpd_tx-with-mergeable.patch +devlink-fix-use-after-free-after-a-failed-reload.patch +net-phy-warn-about-incorrect-mdio_bus_phy_resume-state.patch +net-bcmgenet-indicate-mac-is-in-charge-of-phy-pm.patch +net-bgmac-fix-a-bug-triggered-by-wrong-bytes_compl.patch +selftests-forwarding-fix-failing-tests-with-old-libnet.patch +dt-bindings-arm-qcom-fix-alcatel-onetouch-idol-3-compatibles.patch +pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch +pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch +pinctrl-amd-don-t-save-restore-interrupt-status-and-wake-status-bits.patch +pinctrl-sunxi-add-i-o-bias-setting-for-h6-r-pio.patch +pinctrl-qcom-sm8250-fix-pdc-map.patch +input-exc3000-fix-return-value-check-of-wait_for_completion_timeout.patch +um-add-missing-apply_returns.patch +octeontx2-pf-fix-nix_af_tl3_tl2x_linkx_cfg-register-configuration.patch +octeontx2-af-apply-tx-nibble-fixup-always.patch +octeontx2-af-suppress-external-profile-loading-warning.patch +octeontx2-af-fix-mcam-entry-resource-leak.patch +octeontx2-af-fix-key-checking-for-source-mac.patch +acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch +geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch +mlx5-do-not-use-rt_tos-for-ipv6-flowlabel.patch +ipv6-do-not-use-rt_tos-for-ipv6-flowlabel.patch +plip-avoid-rcu-debug-splat.patch +vsock-fix-memory-leak-in-vsock_connect.patch +vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch diff --git a/queue-5.15/sunrpc-fix-expiry-of-auth-creds.patch b/queue-5.15/sunrpc-fix-expiry-of-auth-creds.patch new file mode 100644 index 00000000000..53f7984c4d7 --- /dev/null +++ b/queue-5.15/sunrpc-fix-expiry-of-auth-creds.patch @@ -0,0 +1,32 @@ +From f1bafa7375c01ff71fb7cb97c06caadfcfe815f3 Mon Sep 17 00:00:00 2001 +From: Dan Aloni +Date: Mon, 4 Jul 2022 15:56:57 +0300 +Subject: sunrpc: fix expiry of auth creds + +From: Dan Aloni + +commit f1bafa7375c01ff71fb7cb97c06caadfcfe815f3 upstream. + +Before this commit, with a large enough LRU of expired items (100), the +loop skipped all the expired items and was entirely ineffectual in +trimming the LRU list. + +Fixes: 95cd623250ad ('SUNRPC: Clean up the AUTH cache code') +Signed-off-by: Dan Aloni +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/auth.c ++++ b/net/sunrpc/auth.c +@@ -445,7 +445,7 @@ rpcauth_prune_expired(struct list_head * + * Enforce a 60 second garbage collection moratorium + * Note that the cred_unused list must be time-ordered. + */ +- if (!time_in_range(cred->cr_expire, expired, jiffies)) ++ if (time_in_range(cred->cr_expire, expired, jiffies)) + continue; + if (!rpcauth_unhash_cred(cred)) + continue; diff --git a/queue-5.15/sunrpc-fix-xdr_encode_bool.patch b/queue-5.15/sunrpc-fix-xdr_encode_bool.patch new file mode 100644 index 00000000000..0612e36f13d --- /dev/null +++ b/queue-5.15/sunrpc-fix-xdr_encode_bool.patch @@ -0,0 +1,38 @@ +From c770f31d8f580ed4b965c64f924ec1cc50e41734 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Tue, 19 Jul 2022 09:18:35 -0400 +Subject: SUNRPC: Fix xdr_encode_bool() + +From: Chuck Lever + +commit c770f31d8f580ed4b965c64f924ec1cc50e41734 upstream. + +I discovered that xdr_encode_bool() was returning the same address +that was passed in the @p parameter. The documenting comment states +that the intent is to return the address of the next buffer +location, just like the other "xdr_encode_*" helpers. + +The result was the encoded results of NFSv3 PATHCONF operations were +not formed correctly. + +Fixes: ded04a587f6c ("NFSD: Update the NFSv3 PATHCONF3res encoder to use struct xdr_stream") +Signed-off-by: Chuck Lever +Reviewed-by: Jeff Layton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sunrpc/xdr.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/sunrpc/xdr.h ++++ b/include/linux/sunrpc/xdr.h +@@ -405,8 +405,8 @@ static inline int xdr_stream_encode_item + */ + static inline __be32 *xdr_encode_bool(__be32 *p, u32 n) + { +- *p = n ? xdr_one : xdr_zero; +- return p++; ++ *p++ = n ? xdr_one : xdr_zero; ++ return p; + } + + /** diff --git a/queue-5.15/sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch b/queue-5.15/sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch new file mode 100644 index 00000000000..aaf33a3033f --- /dev/null +++ b/queue-5.15/sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch @@ -0,0 +1,50 @@ +From 6622e3a73112fc336c1c2c582428fb5ef18e456a Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 27 Jul 2022 12:27:54 -0400 +Subject: SUNRPC: Reinitialise the backchannel request buffers before reuse + +From: Trond Myklebust + +commit 6622e3a73112fc336c1c2c582428fb5ef18e456a upstream. + +When we're reusing the backchannel requests instead of freeing them, +then we should reinitialise any values of the send/receive xdr_bufs so +that they reflect the available space. + +Fixes: 0d2a970d0ae5 ("SUNRPC: Fix a backchannel race") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/backchannel_rqst.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/net/sunrpc/backchannel_rqst.c ++++ b/net/sunrpc/backchannel_rqst.c +@@ -64,6 +64,17 @@ static void xprt_free_allocation(struct + kfree(req); + } + ++static void xprt_bc_reinit_xdr_buf(struct xdr_buf *buf) ++{ ++ buf->head[0].iov_len = PAGE_SIZE; ++ buf->tail[0].iov_len = 0; ++ buf->pages = NULL; ++ buf->page_len = 0; ++ buf->flags = 0; ++ buf->len = 0; ++ buf->buflen = PAGE_SIZE; ++} ++ + static int xprt_alloc_xdr_buf(struct xdr_buf *buf, gfp_t gfp_flags) + { + struct page *page; +@@ -292,6 +303,9 @@ void xprt_free_bc_rqst(struct rpc_rqst * + */ + spin_lock_bh(&xprt->bc_pa_lock); + if (xprt_need_to_requeue(xprt)) { ++ xprt_bc_reinit_xdr_buf(&req->rq_snd_buf); ++ xprt_bc_reinit_xdr_buf(&req->rq_rcv_buf); ++ req->rq_rcv_buf.len = PAGE_SIZE; + list_add_tail(&req->rq_bc_pa_list, &xprt->bc_pa_list); + xprt->bc_alloc_count++; + atomic_inc(&xprt->bc_slot_count); diff --git a/queue-5.15/um-add-missing-apply_returns.patch b/queue-5.15/um-add-missing-apply_returns.patch new file mode 100644 index 00000000000..1560966e3a4 --- /dev/null +++ b/queue-5.15/um-add-missing-apply_returns.patch @@ -0,0 +1,34 @@ +From 637285e7f8d6da70a70c64e7895cb0672357a1f7 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 14 Jul 2022 12:20:19 +0200 +Subject: um: Add missing apply_returns() + +From: Peter Zijlstra + +commit 637285e7f8d6da70a70c64e7895cb0672357a1f7 upstream. + +Implement apply_returns() stub for UM, just like all the other patching +routines. + +Fixes: 15e67227c49a ("x86: Undo return-thunk damage") +Reported-by: Randy Dunlap +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + arch/um/kernel/um_arch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/um/kernel/um_arch.c ++++ b/arch/um/kernel/um_arch.c +@@ -437,6 +437,10 @@ void apply_returns(s32 *start, s32 *end) + { + } + ++void apply_returns(s32 *start, s32 *end) ++{ ++} ++ + void apply_alternatives(struct alt_instr *start, struct alt_instr *end) + { + } diff --git a/queue-5.15/virtio_net-fix-memory-leak-inside-xpd_tx-with-mergeable.patch b/queue-5.15/virtio_net-fix-memory-leak-inside-xpd_tx-with-mergeable.patch new file mode 100644 index 00000000000..e10e5c11118 --- /dev/null +++ b/queue-5.15/virtio_net-fix-memory-leak-inside-xpd_tx-with-mergeable.patch @@ -0,0 +1,38 @@ +From 7a542bee27c6a57e45c33cbbdc963325fd6493af Mon Sep 17 00:00:00 2001 +From: Xuan Zhuo +Date: Thu, 4 Aug 2022 14:32:48 +0800 +Subject: virtio_net: fix memory leak inside XPD_TX with mergeable + +From: Xuan Zhuo + +commit 7a542bee27c6a57e45c33cbbdc963325fd6493af upstream. + +When we call xdp_convert_buff_to_frame() to get xdpf, if it returns +NULL, we should check if xdp_page was allocated by xdp_linearize_page(). +If it is newly allocated, it should be freed here alone. Just like any +other "goto err_xdp". + +Fixes: 44fa2dbd4759 ("xdp: transition into using xdp_frame for ndo_xdp_xmit") +Signed-off-by: Xuan Zhuo +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1017,8 +1017,11 @@ static struct sk_buff *receive_mergeable + case XDP_TX: + stats->xdp_tx++; + xdpf = xdp_convert_buff_to_frame(&xdp); +- if (unlikely(!xdpf)) ++ if (unlikely(!xdpf)) { ++ if (unlikely(xdp_page != page)) ++ put_page(xdp_page); + goto err_xdp; ++ } + err = virtnet_xdp_xmit(dev, 1, &xdpf, 0); + if (unlikely(!err)) { + xdp_return_frame_rx_napi(xdpf); diff --git a/queue-5.15/vsock-fix-memory-leak-in-vsock_connect.patch b/queue-5.15/vsock-fix-memory-leak-in-vsock_connect.patch new file mode 100644 index 00000000000..24a7ee4557c --- /dev/null +++ b/queue-5.15/vsock-fix-memory-leak-in-vsock_connect.patch @@ -0,0 +1,83 @@ +From 7e97cfed9929eaabc41829c395eb0d1350fccb9d Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Mon, 8 Aug 2022 11:04:47 -0700 +Subject: vsock: Fix memory leak in vsock_connect() + +From: Peilin Ye + +commit 7e97cfed9929eaabc41829c395eb0d1350fccb9d upstream. + +An O_NONBLOCK vsock_connect() request may try to reschedule +@connect_work. Imagine the following sequence of vsock_connect() +requests: + + 1. The 1st, non-blocking request schedules @connect_work, which will + expire after 200 jiffies. Socket state is now SS_CONNECTING; + + 2. Later, the 2nd, blocking request gets interrupted by a signal after + a few jiffies while waiting for the connection to be established. + Socket state is back to SS_UNCONNECTED, but @connect_work is still + pending, and will expire after 100 jiffies. + + 3. Now, the 3rd, non-blocking request tries to schedule @connect_work + again. Since @connect_work is already scheduled, + schedule_delayed_work() silently returns. sock_hold() is called + twice, but sock_put() will only be called once in + vsock_connect_timeout(), causing a memory leak reported by syzbot: + + BUG: memory leak + unreferenced object 0xffff88810ea56a40 (size 1232): + comm "syz-executor756", pid 3604, jiffies 4294947681 (age 12.350s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 28 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............ + backtrace: + [] sk_prot_alloc+0x3e/0x1b0 net/core/sock.c:1930 + [] sk_alloc+0x32/0x2e0 net/core/sock.c:1989 + [] __vsock_create.constprop.0+0x38/0x320 net/vmw_vsock/af_vsock.c:734 + [] vsock_create+0xc1/0x2d0 net/vmw_vsock/af_vsock.c:2203 + [] __sock_create+0x1ab/0x2b0 net/socket.c:1468 + [] sock_create net/socket.c:1519 [inline] + [] __sys_socket+0x6f/0x140 net/socket.c:1561 + [] __do_sys_socket net/socket.c:1570 [inline] + [] __se_sys_socket net/socket.c:1568 [inline] + [] __x64_sys_socket+0x1a/0x20 net/socket.c:1568 + [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + <...> + +Use mod_delayed_work() instead: if @connect_work is already scheduled, +reschedule it, and undo sock_hold() to keep the reference count +balanced. + +Reported-and-tested-by: syzbot+b03f55bf128f9a38f064@syzkaller.appspotmail.com +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Co-developed-by: Stefano Garzarella +Signed-off-by: Stefano Garzarella +Reviewed-by: Stefano Garzarella +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1390,7 +1390,14 @@ static int vsock_connect(struct socket * + * timeout fires. + */ + sock_hold(sk); +- schedule_delayed_work(&vsk->connect_work, timeout); ++ ++ /* If the timeout function is already scheduled, ++ * reschedule it, then ungrab the socket refcount to ++ * keep it balanced. ++ */ ++ if (mod_delayed_work(system_wq, &vsk->connect_work, ++ timeout)) ++ sock_put(sk); + + /* Skip ahead to preserve error code set above. */ + goto out_wait; diff --git a/queue-5.15/vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch b/queue-5.15/vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch new file mode 100644 index 00000000000..0657bd5a766 --- /dev/null +++ b/queue-5.15/vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch @@ -0,0 +1,41 @@ +From a3e7b29e30854ed67be0d17687e744ad0c769c4b Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Mon, 8 Aug 2022 11:05:25 -0700 +Subject: vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout() + +From: Peilin Ye + +commit a3e7b29e30854ed67be0d17687e744ad0c769c4b upstream. + +Imagine two non-blocking vsock_connect() requests on the same socket. +The first request schedules @connect_work, and after it times out, +vsock_connect_timeout() sets *sock* state back to TCP_CLOSE, but keeps +*socket* state as SS_CONNECTING. + +Later, the second request returns -EALREADY, meaning the socket "already +has a pending connection in progress", even though the first request has +already timed out. + +As suggested by Stefano, fix it by setting *socket* state back to +SS_UNCONNECTED, so that the second request will return -ETIMEDOUT. + +Suggested-by: Stefano Garzarella +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Reviewed-by: Stefano Garzarella +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1285,6 +1285,7 @@ static void vsock_connect_timeout(struct + if (sk->sk_state == TCP_SYN_SENT && + (sk->sk_shutdown != SHUTDOWN_MASK)) { + sk->sk_state = TCP_CLOSE; ++ sk->sk_socket->state = SS_UNCONNECTED; + sk->sk_err = ETIMEDOUT; + sk_error_report(sk); + vsock_transport_cancel_pkt(vsk);