From: Sasha Levin Date: Mon, 5 Aug 2024 12:18:08 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v6.1.104~24 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cc89fd05d4fcdea88f6dedbca59fac7c0e1f0b04;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch b/queue-5.15/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch new file mode 100644 index 00000000000..7ac8d499f4d --- /dev/null +++ b/queue-5.15/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch 
@@ -0,0 +1,127 @@ +From 27923e84894bd6e88790b0d8e8f5936ef8d8f8b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 18:07:26 +0800 +Subject: ALSA: hda: conexant: Fix headset auto detect fail in the polling mode + +From: songxiebing + +[ Upstream commit e60dc98122110594d0290845160f12916192fc6d ] + +The previous fix (7aeb25908648) only handles the unsol_event reporting +during interrupts and does not include the polling mode used to set +jackroll_ms, so now we are replacing it with +snd_hda_jack_detect_enable_callback. + +Fixes: 7aeb25908648 ("ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140") +Co-developed-by: bo liu +Signed-off-by: bo liu +Signed-off-by: songxiebing +Link: https://patch.msgid.link/20240726100726.50824-1-soxiebing@163.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_conexant.c | 54 ++++++---------------------------- + 1 file changed, 9 insertions(+), 45 deletions(-) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 76ea4fb391fed..338f9d7462cd9 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -21,12 +21,6 @@ + #include "hda_jack.h" + #include "hda_generic.h" + +-enum { +- CX_HEADSET_NOPRESENT = 0, +- CX_HEADSET_PARTPRESENT, +- CX_HEADSET_ALLPRESENT, +-}; +- + struct conexant_spec { + struct hda_gen_spec gen; + +@@ -48,7 +42,6 @@ struct conexant_spec { + unsigned int gpio_led; + unsigned int gpio_mute_led_mask; + unsigned int gpio_mic_led_mask; +- unsigned int headset_present_flag; + bool is_cx8070_sn6140; + }; + +@@ -250,48 +243,19 @@ static void cx_process_headset_plugin(struct hda_codec *codec) + } + } + +-static void cx_update_headset_mic_vref(struct hda_codec *codec, unsigned int res) ++static void cx_update_headset_mic_vref(struct hda_codec *codec, struct hda_jack_callback *event) + { +- unsigned int phone_present, mic_persent, phone_tag, mic_tag; +- struct conexant_spec *spec = codec->spec; ++ 
unsigned int mic_present; + + /* In cx8070 and sn6140, the node 16 can only be config to headphone or disabled, + * the node 19 can only be config to microphone or disabled. + * Check hp&mic tag to process headset pulgin&plugout. + */ +- phone_tag = snd_hda_codec_read(codec, 0x16, 0, AC_VERB_GET_UNSOLICITED_RESPONSE, 0x0); +- mic_tag = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_UNSOLICITED_RESPONSE, 0x0); +- if ((phone_tag & (res >> AC_UNSOL_RES_TAG_SHIFT)) || +- (mic_tag & (res >> AC_UNSOL_RES_TAG_SHIFT))) { +- phone_present = snd_hda_codec_read(codec, 0x16, 0, AC_VERB_GET_PIN_SENSE, 0x0); +- if (!(phone_present & AC_PINSENSE_PRESENCE)) {/* headphone plugout */ +- spec->headset_present_flag = CX_HEADSET_NOPRESENT; +- snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x20); +- return; +- } +- if (spec->headset_present_flag == CX_HEADSET_NOPRESENT) { +- spec->headset_present_flag = CX_HEADSET_PARTPRESENT; +- } else if (spec->headset_present_flag == CX_HEADSET_PARTPRESENT) { +- mic_persent = snd_hda_codec_read(codec, 0x19, 0, +- AC_VERB_GET_PIN_SENSE, 0x0); +- /* headset is present */ +- if ((phone_present & AC_PINSENSE_PRESENCE) && +- (mic_persent & AC_PINSENSE_PRESENCE)) { +- cx_process_headset_plugin(codec); +- spec->headset_present_flag = CX_HEADSET_ALLPRESENT; +- } +- } +- } +-} +- +-static void cx_jack_unsol_event(struct hda_codec *codec, unsigned int res) +-{ +- struct conexant_spec *spec = codec->spec; +- +- if (spec->is_cx8070_sn6140) +- cx_update_headset_mic_vref(codec, res); +- +- snd_hda_jack_unsol_event(codec, res); ++ mic_present = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_PIN_SENSE, 0x0); ++ if (!(mic_present & AC_PINSENSE_PRESENCE)) /* mic plugout */ ++ snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x20); ++ else ++ cx_process_headset_plugin(codec); + } + + static int cx_auto_suspend(struct hda_codec *codec) +@@ -305,7 +269,7 @@ static const struct hda_codec_ops cx_auto_patch_ops = { + .build_pcms = 
snd_hda_gen_build_pcms, + .init = cx_auto_init, + .free = cx_auto_free, +- .unsol_event = cx_jack_unsol_event, ++ .unsol_event = snd_hda_jack_unsol_event, + .suspend = cx_auto_suspend, + .check_power_status = snd_hda_gen_check_power_status, + }; +@@ -1163,7 +1127,7 @@ static int patch_conexant_auto(struct hda_codec *codec) + case 0x14f11f86: + case 0x14f11f87: + spec->is_cx8070_sn6140 = true; +- spec->headset_present_flag = CX_HEADSET_NOPRESENT; ++ snd_hda_jack_detect_enable_callback(codec, 0x19, cx_update_headset_mic_vref); + break; + } + +-- +2.43.0 + diff --git a/queue-5.15/alsa-hda-conexant-reduce-config_pm-dependencies.patch b/queue-5.15/alsa-hda-conexant-reduce-config_pm-dependencies.patch new file mode 100644 index 00000000000..dda9eea1f0d --- /dev/null +++ b/queue-5.15/alsa-hda-conexant-reduce-config_pm-dependencies.patch 
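Review bot: The return value of `snd_hda_jack_detect_enable_callback(codec, 0x19, cx_update_headset_mic_vref);` in patch_conexant_auto() is dropped, so a failed registration would silently leave the cx8070/sn6140 mic handling inactive. As far as I know that helper returns an ERR_PTR on failure, so an `IS_ERR()` check with a `codec_warn()` would surface it. In cx_update_headset_mic_vref() the new `event` parameter is unused, and the retained comment still says "Check hp&mic tag" although the new body only reads the pin sense of node 0x19. I would reword it to `/* Node 0x19 is mic-only on cx8070/sn6140: reset its pin control on unplug, otherwise run the headset plug-in sequence. */`, which also removes the "pulgin" typo. Both functions extend beyond the hunks shown.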
@@ -0,0 +1,54 @@ +From c5809eddd3d1d543051688b3e0d5fe1140d96853 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 18:13:50 +0200 +Subject: ALSA: hda: conexant: Reduce CONFIG_PM dependencies + +From: Takashi Iwai + +[ Upstream commit 29d57f6dc62485ee0752767debdfa2783d162beb ] + +CONFIG_PM dependencies got reduced in HD-audio codec core driver, and +now it's time to reduce in HD-audio conexant codec driver, too. + +Simply drop CONFIG_PM ifdefs. + +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20240506161359.6960-8-tiwai@suse.de +Stable-dep-of: e60dc9812211 ("ALSA: hda: conexant: Fix headset auto detect fail in the polling mode") +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_conexant.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 876380ad2ed13..76ea4fb391fed 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -294,13 +294,11 @@ static void cx_jack_unsol_event(struct hda_codec *codec, unsigned int res) + snd_hda_jack_unsol_event(codec, res); + } + +-#ifdef CONFIG_PM + static int cx_auto_suspend(struct hda_codec *codec) + { + cx_auto_shutdown(codec); + return 0; + } +-#endif + + static const struct hda_codec_ops cx_auto_patch_ops = { + .build_controls = snd_hda_gen_build_controls, +@@ -308,10 +306,8 @@ static const struct hda_codec_ops cx_auto_patch_ops = { + .init = cx_auto_init, + .free = cx_auto_free, + .unsol_event = cx_jack_unsol_event, +-#ifdef CONFIG_PM + .suspend = cx_auto_suspend, + .check_power_status = snd_hda_gen_check_power_status, +-#endif + }; + + /* +-- +2.43.0 + diff --git a/queue-5.15/drm-nouveau-prime-fix-refcount-underflow.patch b/queue-5.15/drm-nouveau-prime-fix-refcount-underflow.patch new file mode 100644 index 00000000000..6d97c389568 --- /dev/null +++ b/queue-5.15/drm-nouveau-prime-fix-refcount-underflow.patch 
@@ -0,0 +1,47 @@ +From 0fc4bbb491ac1fbf6ce23de23afbac02e77794d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 18:58:46 +0200 +Subject: drm/nouveau: prime: fix refcount underflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Danilo Krummrich + +[ Upstream commit a9bf3efc33f1fbf88787a277f7349459283c9b95 ] + +Calling nouveau_bo_ref() on a nouveau_bo without initializing it (and +hence the backing ttm_bo) leads to a refcount underflow. + +Instead of calling nouveau_bo_ref() in the unwind path of +drm_gem_object_init(), clean things up manually. + +Fixes: ab9ccb96a6e6 ("drm/nouveau: use prime helpers") +Reviewed-by: Ben Skeggs +Reviewed-by: Christian König +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/20240718165959.3983-2-dakr@kernel.org +(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5) +Signed-off-by: Danilo Krummrich +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_prime.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_prime.c b/drivers/gpu/drm/nouveau/nouveau_prime.c +index 531615719f6da..89fcbfdb5f0af 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_prime.c ++++ b/drivers/gpu/drm/nouveau/nouveau_prime.c +@@ -63,7 +63,8 @@ struct drm_gem_object *nouveau_gem_prime_import_sg_table(struct drm_device *dev, + * to the caller, instead of a normal nouveau_bo ttm reference. */ + ret = drm_gem_object_init(dev, &nvbo->bo.base, size); + if (ret) { +- nouveau_bo_ref(NULL, &nvbo); ++ drm_gem_object_release(&nvbo->bo.base); ++ kfree(nvbo); + obj = ERR_PTR(-ENOMEM); + goto unlock; + } +-- +2.43.0 + diff --git a/queue-5.15/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch b/queue-5.15/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch new file mode 100644 index 00000000000..2a58bf97a4b --- /dev/null 
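Review bot: The unwind branch after `drm_gem_object_init()` still sets `obj = ERR_PTR(-ENOMEM);` whatever `ret` holds, so the real failure code is lost; `obj = ERR_PTR(ret);` would propagate it. The new manual cleanup is only correct while nothing but the GEM base object hangs off `nvbo` at this point, which the hunk does not show. A short comment above the two new lines, e.g. `/* ttm_bo is not initialised yet, so nouveau_bo_ref() would drop a reference that was never taken */`, would keep a later edit from reintroducing the underflow. nouveau_gem_prime_import_sg_table() starts and ends outside the hunk.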
+++ b/queue-5.15/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch @@ -0,0 +1,41 @@ +From 66422c9433f44caf4be3e289af3c0e069d7c84bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 11:36:27 -0500 +Subject: drm/vmwgfx: Fix overlay when using Screen Targets + +From: Ian Forbes + +[ Upstream commit cb372a505a994cb39aa75acfb8b3bcf94787cf94 ] + +This code was never updated to support Screen Targets. +Fixes a bug where Xv playback displays a green screen instead of actual +video contents when 3D acceleration is disabled in the guest. + +Fixes: c8261a961ece ("vmwgfx: Major KMS refactoring / cleanup in preparation of screen targets") +Reported-by: Doug Brown +Closes: https://lore.kernel.org/all/bd9cb3c7-90e8-435d-bc28-0e38fee58977@schmorgal.com +Signed-off-by: Ian Forbes +Tested-by: Doug Brown +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20240719163627.20888-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c +index 54c5d16eb3b79..ec46b3b70d04d 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c +@@ -98,7 +98,7 @@ static int vmw_overlay_send_put(struct vmw_private *dev_priv, + { + struct vmw_escape_video_flush *flush; + size_t fifo_size; +- bool have_so = (dev_priv->active_display_unit == vmw_du_screen_object); ++ bool have_so = (dev_priv->active_display_unit != vmw_du_legacy); + int i, num_items; + SVGAGuestPtr ptr; + +-- +2.43.0 + diff --git a/queue-5.15/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch b/queue-5.15/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch new file mode 100644 index 00000000000..b47f3c9371f --- /dev/null +++ b/queue-5.15/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch 
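Review bot: `have_so` in vmw_overlay_send_put() is now true for every display unit other than `vmw_du_legacy`, so the name no longer says what it tests, and the condition would also accept any value the enum gains later. A comment on the declaration, e.g. `/* screen objects and screen targets both take the per-screen path */`, or a rename would make the intent explicit. How `have_so` is consumed lies outside the hunk, so whether every non-legacy unit is safe on that path cannot be confirmed from here.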
@@ -0,0 +1,92 @@ +From 4246f4ab42246a8ac8743501e667acc5deae74b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 17:17:48 -0700 +Subject: ipv6: fix ndisc_is_useropt() handling for PIO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit a46c68debf3be3a477a69ccbf0a1d050df841676 ] + +The current logic only works if the PIO is between two +other ND user options. This fixes it so that the PIO +can also be either before or after other ND user options +(for example the first or last option in the RA). + +side note: there's actually Android tests verifying +a portion of the old broken behaviour, so: + https://android-review.googlesource.com/c/kernel/tests/+/3196704 +fixes those up. + +Cc: Jen Linkova +Cc: Lorenzo Colitti +Cc: Patrick Rohr +Cc: David Ahern +Cc: YOSHIFUJI Hideaki / 吉藤英明 +Cc: Jakub Kicinski +Signed-off-by: Maciej Żenczykowski +Fixes: 048c796beb6e ("ipv6: adjust ndisc_is_useropt() to also return true for PIO") +Link: https://patch.msgid.link/20240730001748.147636-1-maze@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/ndisc.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index 856edbe81e11a..d56e80741c5ba 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -226,6 +226,7 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev, + return NULL; + memset(ndopts, 0, sizeof(*ndopts)); + while (opt_len) { ++ bool unknown = false; + int l; + if (opt_len < sizeof(struct nd_opt_hdr)) + return NULL; +@@ -261,22 +262,23 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev, + break; + #endif + default: +- if (ndisc_is_useropt(dev, nd_opt)) { +- ndopts->nd_useropts_end = nd_opt; +- if (!ndopts->nd_useropts) +- ndopts->nd_useropts = nd_opt; +- } else { +- /* +- * Unknown options must be 
silently ignored, +- * to accommodate future extension to the +- * protocol. +- */ +- ND_PRINTK(2, notice, +- "%s: ignored unsupported option; type=%d, len=%d\n", +- __func__, +- nd_opt->nd_opt_type, +- nd_opt->nd_opt_len); +- } ++ unknown = true; ++ } ++ if (ndisc_is_useropt(dev, nd_opt)) { ++ ndopts->nd_useropts_end = nd_opt; ++ if (!ndopts->nd_useropts) ++ ndopts->nd_useropts = nd_opt; ++ } else if (unknown) { ++ /* ++ * Unknown options must be silently ignored, ++ * to accommodate future extension to the ++ * protocol. ++ */ ++ ND_PRINTK(2, notice, ++ "%s: ignored unsupported option; type=%d, len=%d\n", ++ __func__, ++ nd_opt->nd_opt_type, ++ nd_opt->nd_opt_len); + } + next_opt: + opt_len -= l; +-- +2.43.0 + diff --git a/queue-5.15/net-iucv-fix-use-after-free-in-iucv_sock_close.patch b/queue-5.15/net-iucv-fix-use-after-free-in-iucv_sock_close.patch new file mode 100644 index 00000000000..d0f2ddc6687 --- /dev/null +++ b/queue-5.15/net-iucv-fix-use-after-free-in-iucv_sock_close.patch 
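Review bot: The relocated `if (ndisc_is_useropt(dev, nd_opt))` now also runs for options that a `case` above has already consumed, and nothing in the code says that this is deliberate. These options are parsed from received Router Advertisements, so I would state the intent above the check: `/* Also evaluated for recognised types: a PIO is parsed above and still passed on as a user option. */`. Any `case` that jumps straight to `next_opt` bypasses the check; whether one does is not visible here, because ndisc_parse_options() continues outside the hunk.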
@@ -0,0 +1,75 @@ +From 88a6fe29e280d7588fd408a8890b4d472114736b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 14:28:16 +0200 +Subject: net/iucv: fix use after free in iucv_sock_close() + +From: Alexandra Winter + +[ Upstream commit f558120cd709682b739207b48cf7479fd9568431 ] + +iucv_sever_path() is called from process context and from bh context. +iucv->path is used as indicator whether somebody else is taking care of +severing the path (or it is already removed / never existed). +This needs to be done with atomic compare and swap, otherwise there is a +small window where iucv_sock_close() will try to work with a path that has +already been severed and freed by iucv_callback_connrej() called by +iucv_tasklet_fn(). + +Example: +[452744.123844] Call Trace: +[452744.123845] ([<0000001e87f03880>] 0x1e87f03880) +[452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 +[452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] +[452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] +[452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] +[452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 +[452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 +[452744.124820] [<00000000d5421642>] __fput+0xba/0x268 +[452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 +[452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 +[452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 +[452744.125319] Last Breaking-Event-Address: +[452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 +[452744.125324] +[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt + +Note that bh_lock_sock() is not serializing the tasklet context against +process context, because the check for sock_owned_by_user() and +corresponding handling is missing. 
+ +Ideas for a future clean-up patch: +A) Correct usage of bh_lock_sock() in tasklet context, as described in +Link: https://lore.kernel.org/netdev/1280155406.2899.407.camel@edumazet-laptop/ +Re-enqueue, if needed. This may require adding return values to the +tasklet functions and thus changes to all users of iucv. + +B) Change iucv tasklet into worker and use only lock_sock() in af_iucv. + +Fixes: 7d316b945352 ("af_iucv: remove IUCV-pathes completely") +Reviewed-by: Halil Pasic +Signed-off-by: Alexandra Winter +Link: https://patch.msgid.link/20240729122818.947756-1-wintera@linux.ibm.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/iucv/af_iucv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c +index 18316ee3c6921..e6cb3e1cbbf9b 100644 +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -336,8 +336,8 @@ static void iucv_sever_path(struct sock *sk, int with_user_data) + struct iucv_sock *iucv = iucv_sk(sk); + struct iucv_path *path = iucv->path; + +- if (iucv->path) { +- iucv->path = NULL; ++ /* Whoever resets the path pointer, must sever and free it. */ ++ if (xchg(&iucv->path, NULL)) { + if (with_user_data) { + low_nmcpy(user_data, iucv->src_name); + high_nmcpy(user_data, iucv->dst_name); +-- +2.43.0 + diff --git a/queue-5.15/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch b/queue-5.15/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch new file mode 100644 index 00000000000..3f5a19387e8 --- /dev/null +++ b/queue-5.15/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch 
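Review bot: `path` is still loaded with a plain read (`struct iucv_path *path = iucv->path;`) before the `xchg()`, and the result of the exchange is only tested, never used. If the code further down severs and frees `path` (the body of iucv_sever_path() continues outside the hunk), it acts on a pointer obtained outside the atomic operation. Taking the pointer from the exchange itself closes that gap: `struct iucv_path *path = xchg(&iucv->path, NULL);` followed by `if (path) {`. That also makes the new comment literally true, since the caller that gets the non-NULL pointer back is the one that severs and frees it.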
@@ -0,0 +1,48 @@ +From 503051e10eb3da6f60dc5586cd95987e79404967 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 09:16:37 +0300 +Subject: net/mlx5e: Add a check for the return value from + mlx5_port_set_eth_ptys + +From: Shahar Shitrit + +[ Upstream commit 3f8e82a020a5c22f9b791f4ac499b8e18007fbda ] + +Since the documentation for mlx5_toggle_port_link states that it should +only be used after setting the port register, we add a check for the +return value from mlx5_port_set_eth_ptys to ensure the register was +successfully set before calling it. + +Fixes: 667daedaecd1 ("net/mlx5e: Toggle link only after modifying port parameters") +Signed-off-by: Shahar Shitrit +Reviewed-by: Carolina Jubran +Signed-off-by: Tariq Toukan +Reviewed-by: Wojciech Drewek +Link: https://patch.msgid.link/20240730061638.1831002-9-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 2d3cd237355a6..06f6809b1c2b7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -1181,7 +1181,12 @@ int mlx5e_ethtool_set_link_ksettings(struct mlx5e_priv *priv, + if (!an_changes && link_modes == eproto.admin) + goto out; + +- mlx5_port_set_eth_ptys(mdev, an_disable, link_modes, ext); ++ err = mlx5_port_set_eth_ptys(mdev, an_disable, link_modes, ext); ++ if (err) { ++ netdev_err(priv->netdev, "%s: failed to set ptys reg: %d\n", __func__, err); ++ goto out; ++ } ++ + mlx5_toggle_port_link(mdev); + + out: +-- +2.43.0 + diff --git a/queue-5.15/net-mvpp2-don-t-re-use-loop-iterator.patch b/queue-5.15/net-mvpp2-don-t-re-use-loop-iterator.patch new file mode 100644 index 00000000000..1049572e462 --- /dev/null 
+++ b/queue-5.15/net-mvpp2-don-t-re-use-loop-iterator.patch @@ -0,0 +1,48 @@ +From d7fb064aae3f5a157878224221d88ac2b0189027 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2024 11:06:56 -0500 +Subject: net: mvpp2: Don't re-use loop iterator + +From: Dan Carpenter + +[ Upstream commit 0aa3ca956c46d849775eae1816cef8fe4bc8b50e ] + +This function has a nested loop. The problem is that both the inside +and outside loop use the same variable as an iterator. I found this +via static analysis so I'm not sure the impact. It could be that it +loops forever or, more likely, the loop exits early. + +Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/eaa8f403-7779-4d81-973d-a9ecddc0bf6f@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index ba44d1d9cfcd4..2a60f949d9532 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -953,13 +953,13 @@ static void mvpp2_bm_pool_update_fc(struct mvpp2_port *port, + static void mvpp2_bm_pool_update_priv_fc(struct mvpp2 *priv, bool en) + { + struct mvpp2_port *port; +- int i; ++ int i, j; + + for (i = 0; i < priv->port_count; i++) { + port = priv->port_list[i]; + if (port->priv->percpu_pools) { +- for (i = 0; i < port->nrxqs; i++) +- mvpp2_bm_pool_update_fc(port, &port->priv->bm_pools[i], ++ for (j = 0; j < port->nrxqs; j++) ++ mvpp2_bm_pool_update_fc(port, &port->priv->bm_pools[j], + port->tx_fc & en); + } else { + mvpp2_bm_pool_update_fc(port, port->pool_long, port->tx_fc & en); +-- +2.43.0 + 
diff --git a/queue-5.15/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch b/queue-5.15/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch new file mode 100644 index 00000000000..fd92dbba8e1 --- /dev/null +++ b/queue-5.15/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch 
@@ -0,0 +1,133 @@ +From ec11bf2a5686e809b90273466bf894a67156b9b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 12:28:20 -0700 +Subject: netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). + +From: Kuniyuki Iwashima + +[ Upstream commit 5830aa863981d43560748aa93589c0695191d95d ] + +We had a report that iptables-restore sometimes triggered null-ptr-deref +at boot time. [0] + +The problem is that iptable_nat_table_init() is exposed to user space +before the kernel fully initialises netns. + +In the small race window, a user could call iptable_nat_table_init() +that accesses net_generic(net, iptable_nat_net_id), which is available +only after registering iptable_nat_net_ops. + +Let's call register_pernet_subsys() before xt_register_template(). + +[0]: +bpfilter: Loaded bpfilter_umh pid 11702 +Started bpfilter +BUG: kernel NULL pointer dereference, address: 0000000000000013 + PF: supervisor write access in kernel mode + PF: error_code(0x0002) - not-present page +PGD 0 P4D 0 +PREEMPT SMP NOPTI +CPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1 +Hardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017 +RIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat +Code: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c +RSP: 0018:ffffbef902843cd0 EFLAGS: 00010246 +RAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80 +RDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0 +RBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240 +R10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000 +R13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004 +FS: 00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 
CR0: 0000000080050033 +CR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) + ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) + ? xt_find_table_lock (net/netfilter/x_tables.c:1259) + ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) + ? page_fault_oops (arch/x86/mm/fault.c:727) + ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518) + ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570) + ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat + xt_find_table_lock (net/netfilter/x_tables.c:1259) + xt_request_find_table_lock (net/netfilter/x_tables.c:1287) + get_info (net/ipv4/netfilter/ip_tables.c:965) + ? security_capable (security/security.c:809 (discriminator 13)) + ? ns_capable (kernel/capability.c:376 kernel/capability.c:397) + ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656) + ? 
bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter + nf_getsockopt (net/netfilter/nf_sockopt.c:116) + ip_getsockopt (net/ipv4/ip_sockglue.c:1827) + __sys_getsockopt (net/socket.c:2327) + __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339) + do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121) +RIP: 0033:0x7f62844685ee +Code: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09 +RSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 +RAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee +RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004 +RBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0 +R10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2 +R13: 00007f628455baa0 R14: 00007ffd1f83d7b0 R15: 00007f628457a008 + +Modules linked in: iptable_nat(+) bpfilter rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache veth xt_state xt_connmark xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 vfat fat ghash_clmulni_intel aesni_intel ena crypto_simd ptp cryptd i8042 pps_core serio button sunrpc sch_fq_codel configfs loop dm_mod fuse dax dmi_sysfs crc32_pclmul crc32c_intel efivarfs +CR2: 0000000000000013 + +Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default") +Reported-by: Takahiro Kawahara +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/iptable_nat.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git 
a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c +index 45d7e072e6a54..226000a740860 100644 +--- a/net/ipv4/netfilter/iptable_nat.c ++++ b/net/ipv4/netfilter/iptable_nat.c +@@ -152,25 +152,27 @@ static struct pernet_operations iptable_nat_net_ops = { + + static int __init iptable_nat_init(void) + { +- int ret = xt_register_template(&nf_nat_ipv4_table, +- iptable_nat_table_init); ++ int ret; + ++ /* net->gen->ptr[iptable_nat_net_id] must be allocated ++ * before calling iptable_nat_table_init(). ++ */ ++ ret = register_pernet_subsys(&iptable_nat_net_ops); + if (ret < 0) + return ret; + +- ret = register_pernet_subsys(&iptable_nat_net_ops); +- if (ret < 0) { +- xt_unregister_template(&nf_nat_ipv4_table); +- return ret; +- } ++ ret = xt_register_template(&nf_nat_ipv4_table, ++ iptable_nat_table_init); ++ if (ret < 0) ++ unregister_pernet_subsys(&iptable_nat_net_ops); + + return ret; + } + + static void __exit iptable_nat_exit(void) + { +- unregister_pernet_subsys(&iptable_nat_net_ops); + xt_unregister_template(&nf_nat_ipv4_table); ++ unregister_pernet_subsys(&iptable_nat_net_ops); + } + + module_init(iptable_nat_init); +-- +2.43.0 + diff --git a/queue-5.15/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch b/queue-5.15/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch new file mode 100644 index 00000000000..2ec0f36b835 --- /dev/null +++ b/queue-5.15/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch 
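Review bot: iptable_nat_exit() now depends on the same ordering rule as iptable_nat_init(), but only the init side carries a comment. Per the commit message, registering the template is what exposes iptable_nat_table_init() to user space, so it has to be the last step in init and the first one undone in exit. I would add `/* Unregister the template first so table init cannot run against torn-down pernet state. */` above `xt_unregister_template()`. The same applies to ip6table_nat_exit() in the IPv6 patch that follows. A minor inconsistency: this function tests `ret < 0` after `xt_register_template()` while the IPv6 twin tests `ret`.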
@@ -0,0 +1,65 @@ +From 22501eb1fad7d44bc929c4a4ba9d26ce8ac7e39d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 12:28:21 -0700 +Subject: netfilter: iptables: Fix potential null-ptr-deref in + ip6table_nat_table_init(). + +From: Kuniyuki Iwashima + +[ Upstream commit c22921df777de5606f1047b1345b8d22ef1c0b34 ] + +ip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id], +but the function is exposed to user space before the entry is allocated +via register_pernet_subsys(). + +Let's call register_pernet_subsys() before xt_register_template(). + +Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/ip6table_nat.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c +index 921c1723a01e4..229a81cf1a729 100644 +--- a/net/ipv6/netfilter/ip6table_nat.c ++++ b/net/ipv6/netfilter/ip6table_nat.c +@@ -154,23 +154,27 @@ static struct pernet_operations ip6table_nat_net_ops = { + + static int __init ip6table_nat_init(void) + { +- int ret = xt_register_template(&nf_nat_ipv6_table, +- ip6table_nat_table_init); ++ int ret; + ++ /* net->gen->ptr[ip6table_nat_net_id] must be allocated ++ * before calling ip6t_nat_register_lookups(). 
++ */ ++ ret = register_pernet_subsys(&ip6table_nat_net_ops); + if (ret < 0) + return ret; + +- ret = register_pernet_subsys(&ip6table_nat_net_ops); ++ ret = xt_register_template(&nf_nat_ipv6_table, ++ ip6table_nat_table_init); + if (ret) +- xt_unregister_template(&nf_nat_ipv6_table); ++ unregister_pernet_subsys(&ip6table_nat_net_ops); + + return ret; + } + + static void __exit ip6table_nat_exit(void) + { +- unregister_pernet_subsys(&ip6table_nat_net_ops); + xt_unregister_template(&nf_nat_ipv6_table); ++ unregister_pernet_subsys(&ip6table_nat_net_ops); + } + + module_init(ip6table_nat_init); +-- +2.43.0 + diff --git a/queue-5.15/power-supply-bq24190_charger-replace-deprecated-strn.patch b/queue-5.15/power-supply-bq24190_charger-replace-deprecated-strn.patch new file mode 100644 index 00000000000..2fd826f55ea --- /dev/null +++ b/queue-5.15/power-supply-bq24190_charger-replace-deprecated-strn.patch 
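Review bot: The new comment in ip6table_nat_init() names `ip6t_nat_register_lookups()`, whereas the commit message and the IPv4 twin name the table-init callback as the function that must not run early. Naming the callback that is registered a few lines below keeps the comment checkable against the code: `/* net->gen->ptr[ip6table_nat_net_ops.id] must be allocated before ip6table_nat_table_init() can be called. */`. The identifier `ip6table_nat_net_id` used in the comment does not appear elsewhere in the hunk; the commit message refers to `ip6table_nat_net_ops.id`.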
@@ -0,0 +1,71 @@
+From 24bbb68193b1d0275fa60045da0c24cdfb77bd2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 Oct 2023 18:14:47 +0000
+Subject: power: supply: bq24190_charger: replace deprecated strncpy with
+ strscpy
+
+From: Justin Stitt
+
+[ Upstream commit b0009b8bed98bd5d59449af48781703df261c247 ]
+
+strncpy() is deprecated for use on NUL-terminated destination strings
+[1] and as such we should prefer more robust and less ambiguous string
+interfaces.
+
+We expect bdi->model_name to be NUL-terminated based on its usage with
+sysfs_emit and format strings:
+
+val->strval is assigned to bdi->model_name in
+bq24190_charger_get_property():
+1186 | val->strval = bdi->model_name;
+
+... then in power_supply_sysfs.c we use value.strval with a format string:
+311 | ret = sysfs_emit(buf, "%s\n", value.strval);
+
+we assigned value.strval via:
+285 | ret = power_supply_get_property(psy, psp, &value);
+... which invokes psy->desc->get_property():
+1210 | return psy->desc->get_property(psy, psp, val);
+
+with bq24190_charger_get_property():
+1320 | static const struct power_supply_desc bq24190_charger_desc = {
+...
+1325 | .get_property = bq24190_charger_get_property,
+
+Moreover, no NUL-padding is required as bdi is zero-allocated in
+bq24190_charger.c:
+1798 | bdi = devm_kzalloc(dev, sizeof(*bdi), GFP_KERNEL);
+
+Considering the above, a suitable replacement is `strscpy` [2] due to
+the fact that it guarantees NUL-termination on the destination buffer
+without unnecessarily NUL-padding.
+
+Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
+Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
+Link: https://github.com/KSPP/linux/issues/90
+Cc: linux-hardening@vger.kernel.org
+Signed-off-by: Justin Stitt
+Reviewed-by: Kees Cook
+Link: https://lore.kernel.org/r/20231020-strncpy-drivers-power-supply-bq24190_charger-c-v1-1-e896223cb795@google.com
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/power/supply/bq24190_charger.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c
+index 90ac5e59a5d6f..8a4729ee1ab19 100644
+--- a/drivers/power/supply/bq24190_charger.c
++++ b/drivers/power/supply/bq24190_charger.c
+@@ -1727,7 +1727,7 @@ static int bq24190_probe(struct i2c_client *client,
+
+ bdi->client = client;
+ bdi->dev = dev;
+- strncpy(bdi->model_name, id->name, I2C_NAME_SIZE);
++ strscpy(bdi->model_name, id->name, sizeof(bdi->model_name));
+ mutex_init(&bdi->f_reg_lock);
+ bdi->f_reg = 0;
+ bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
+-- 
+2.43.0
+
diff --git a/queue-5.15/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch b/queue-5.15/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch
new file mode 100644
index 00000000000..10bb7e59273
--- /dev/null
+++ b/queue-5.15/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch
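Review bot: `sizeof(bdi->model_name)` in bq24190_probe() bounds the copy correctly only if model_name is declared as a char array in the 5.15 tree; the declaration is outside this hunk, and with a pointer member the same expression would yield the pointer size. The removed line used I2C_NAME_SIZE, so the field is presumably `char model_name[I2C_NAME_SIZE]`, but that is worth confirming for a backport. The strscpy() return value is also dropped, so a truncated name would pass silently; if truncation cannot occur, a comment such as `/* id->name and model_name are both I2C_NAME_SIZE, so this cannot truncate */` would record why. bq24190_probe() starts and ends outside the hunk.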
@@ -0,0 +1,65 @@
+From 9bbf8af32e823cee67fe3cee73bbac1f69e6f189 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Jul 2024 16:45:47 +0800
+Subject: riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()
+
+From: Zhe Qiao
+
+[ Upstream commit 0c710050c47d45eb77b28c271cddefc5c785cb40 ]
+
+Handle VM_FAULT_SIGSEGV in the page fault path so that we correctly
+kill the process and we don't BUG() the kernel.
+
+Fixes: 07037db5d479 ("RISC-V: Paging and MMU")
+Signed-off-by: Zhe Qiao
+Reviewed-by: Alexandre Ghiti
+Link: https://lore.kernel.org/r/20240731084547.85380-1-qiaozhe@iscas.ac.cn
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/mm/fault.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
+index 884a3c76573cf..3fc62e05bac11 100644
+--- a/arch/riscv/mm/fault.c
++++ b/arch/riscv/mm/fault.c
+@@ -60,26 +60,27 @@ static inline void no_context(struct pt_regs *regs, unsigned long addr)
+
+ static inline void mm_fault_error(struct pt_regs *regs, unsigned long addr, vm_fault_t fault)
+ {
++ if (!user_mode(regs)) {
++ no_context(regs, addr);
++ return;
++ }
++
+ if (fault & VM_FAULT_OOM) {
+ /*
+ * We ran out of memory, call the OOM killer, and return the userspace
+ * (which will retry the fault, or kill us if we got oom-killed).
+ */
+- if (!user_mode(regs)) {
+- no_context(regs, addr);
+- return;
+- }
+ pagefault_out_of_memory();
+ return;
+ } else if (fault & VM_FAULT_SIGBUS) {
+ /* Kernel mode? Handle exceptions or die */
+- if (!user_mode(regs)) {
+- no_context(regs, addr);
+- return;
+- }
+ do_trap(regs, SIGBUS, BUS_ADRERR, addr);
+ return;
++ } else if (fault & VM_FAULT_SIGSEGV) {
++ do_trap(regs, SIGSEGV, SEGV_MAPERR, addr);
++ return;
+ }
++
+ BUG();
+ }
+
+-- 
+2.43.0
+
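Review bot: The comment `/* Kernel mode? Handle exceptions or die */` is left inside the VM_FAULT_SIGBUS branch of mm_fault_error(), but the user_mode() check it described now sits at the top of the function, so the comment no longer matches the code beneath it. I would move it above the hoisted `if (!user_mode(regs))` block and drop it from the SIGBUS branch. Separately, the trailing `BUG()` is still reached for any error bit other than OOM, SIGBUS and SIGSEGV; whether other bits can arrive here is not visible in the hunk, so a one-line comment listing what callers may pass would make that assumption checkable.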
diff --git a/queue-5.15/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch b/queue-5.15/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch
new file mode 100644
index 00000000000..887ffc99967
--- /dev/null
+++ b/queue-5.15/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch
@@ -0,0 +1,42 @@
+From 8e70b6983c7f1a37dcea4c7aada8555f04799286 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jul 2024 17:19:53 -0700
+Subject: rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified
+ in rtnl_dellink().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 9415d375d8520e0ed55f0c0b058928da9a5b5b3d ]
+
+The cited commit accidentally replaced tgt_net with net in rtnl_dellink().
+
+As a result, IFLA_TARGET_NETNSID is ignored if the interface is specified
+with IFLA_IFNAME or IFLA_ALT_IFNAME.
+
+Let's pass tgt_net to rtnl_dev_get().
+
+Fixes: cc6090e985d7 ("net: rtnetlink: introduce helper to get net_device instance by ifname")
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/rtnetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 4284406740932..eca7f6f4a52f5 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3115,7 +3115,7 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (ifm->ifi_index > 0)
+ dev = __dev_get_by_index(tgt_net, ifm->ifi_index);
+ else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME])
+- dev = rtnl_dev_get(net, tb);
++ dev = rtnl_dev_get(tgt_net, tb);
+ else if (tb[IFLA_GROUP])
+ err = rtnl_group_dellink(tgt_net, nla_get_u32(tb[IFLA_GROUP]));
+ else
+-- 
+2.43.0
+
diff --git a/queue-5.15/rtnetlink-enable-alt_ifname-for-setlink-newlink.patch b/queue-5.15/rtnetlink-enable-alt_ifname-for-setlink-newlink.patch
new file mode 100644
index 00000000000..3607440288b
--- /dev/null
+++ b/queue-5.15/rtnetlink-enable-alt_ifname-for-setlink-newlink.patch
@@ -0,0 +1,213 @@
+From 4de8851015ad8024e8dd09fbeebf6294e38016d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Apr 2022 18:53:28 +0200
+Subject: rtnetlink: enable alt_ifname for setlink/newlink
+
+From: Florent Fourcot
+
+[ Upstream commit 5ea08b5286f66ee5ac0150668c92d1718e83e1ad ]
+
+buffer called "ifname" given in function rtnl_dev_get
+is always valid when called by setlink/newlink,
+but contains only empty string when IFLA_IFNAME is not given. So
+IFLA_ALT_IFNAME is always ignored
+
+This patch fixes rtnl_dev_get function with a remove of ifname argument,
+and move ifname copy in do_setlink when required.
+
+It extends feature of commit 76c9ac0ee878,
+"net: rtnetlink: add possibility to use alternative names as message
+handle""
+
+CC: Jiri Pirko
+Signed-off-by: Florent Fourcot
+Signed-off-by: Brian Baboch
+Reviewed-by: Jakub Kicinski
+Signed-off-by: Paolo Abeni
+Stable-dep-of: 9415d375d852 ("rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in rtnl_dellink().")
+Signed-off-by: Sasha Levin
+---
+ net/core/rtnetlink.c | 69 +++++++++++++++++++-------------------------
+ 1 file changed, 29 insertions(+), 40 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index d25632fbfa892..4284406740932 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2617,17 +2617,23 @@ static int do_set_proto_down(struct net_device *dev,
+ static int do_setlink(const struct sk_buff *skb,
+ struct net_device *dev, struct ifinfomsg *ifm,
+ struct netlink_ext_ack *extack,
+- struct nlattr **tb, char *ifname, int status)
++ struct nlattr **tb, int status)
+ {
+ const struct net_device_ops *ops = dev->netdev_ops;
++ char ifname[IFNAMSIZ];
+ int err;
+
+ err = validate_linkmsg(dev, tb, extack);
+ if (err < 0)
+ return err;
+
++ if (tb[IFLA_IFNAME])
++ nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
++ else
++ ifname[0] = '\0';
++
+ if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD] || tb[IFLA_TARGET_NETNSID]) {
+- const char *pat = ifname && ifname[0] ? ifname : NULL;
++ const char *pat = ifname[0] ? ifname : NULL;
+ struct net *net;
+ int new_ifindex;
+
+@@ -2974,21 +2980,16 @@ static int do_setlink(const struct sk_buff *skb,
+ }
+
+ static struct net_device *rtnl_dev_get(struct net *net,
+- struct nlattr *ifname_attr,
+- struct nlattr *altifname_attr,
+- char *ifname)
+-{
+- char buffer[ALTIFNAMSIZ];
+-
+- if (!ifname) {
+- ifname = buffer;
+- if (ifname_attr)
+- nla_strscpy(ifname, ifname_attr, IFNAMSIZ);
+- else if (altifname_attr)
+- nla_strscpy(ifname, altifname_attr, ALTIFNAMSIZ);
+- else
+- return NULL;
+- }
++ struct nlattr *tb[])
++{
++ char ifname[ALTIFNAMSIZ];
++
++ if (tb[IFLA_IFNAME])
++ nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
++ else if (tb[IFLA_ALT_IFNAME])
++ nla_strscpy(ifname, tb[IFLA_ALT_IFNAME], ALTIFNAMSIZ);
++ else
++ return NULL;
+
+ return __dev_get_by_name(net, ifname);
+ }
+@@ -3001,7 +3002,6 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct net_device *dev;
+ int err;
+ struct nlattr *tb[IFLA_MAX+1];
+- char ifname[IFNAMSIZ];
+
+ err = nlmsg_parse_deprecated(nlh, sizeof(*ifm), tb, IFLA_MAX,
+ ifla_policy, extack);
+@@ -3012,17 +3012,12 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (err < 0)
+ goto errout;
+
+- if (tb[IFLA_IFNAME])
+- nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
+- else
+- ifname[0] = '\0';
+-
+ err = -EINVAL;
+ ifm = nlmsg_data(nlh);
+ if (ifm->ifi_index > 0)
+ dev = __dev_get_by_index(net, ifm->ifi_index);
+ else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME])
+- dev = rtnl_dev_get(net, NULL, tb[IFLA_ALT_IFNAME], ifname);
++ dev = rtnl_dev_get(net, tb);
+ else
+ goto errout;
+
+@@ -3031,7 +3026,7 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ goto errout;
+ }
+
+- err = do_setlink(skb, dev, ifm, extack, tb, ifname, 0);
++ err = do_setlink(skb, dev, ifm, extack, tb, 0);
+ errout:
+ return err;
+ }
+@@ -3120,8 +3115,7 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (ifm->ifi_index > 0)
+ dev = __dev_get_by_index(tgt_net, ifm->ifi_index);
+ else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME])
+- dev = rtnl_dev_get(net, tb[IFLA_IFNAME],
+- tb[IFLA_ALT_IFNAME], NULL);
++ dev = rtnl_dev_get(net, tb);
+ else if (tb[IFLA_GROUP])
+ err = rtnl_group_dellink(tgt_net, nla_get_u32(tb[IFLA_GROUP]));
+ else
+@@ -3267,7 +3261,7 @@ static int rtnl_group_changelink(const struct sk_buff *skb,
+
+ for_each_netdev_safe(net, dev, aux) {
+ if (dev->group == group) {
+- err = do_setlink(skb, dev, ifm, extack, tb, NULL, 0);
++ err = do_setlink(skb, dev, ifm, extack, tb, 0);
+ if (err < 0)
+ return err;
+ }
+@@ -3309,11 +3303,6 @@ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (err < 0)
+ return err;
+
+- if (tb[IFLA_IFNAME])
+- nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
+- else
+- ifname[0] = '\0';
+-
+ ifm = nlmsg_data(nlh);
+ if (ifm->ifi_index > 0) {
+ link_specified = true;
+@@ -3323,7 +3312,7 @@ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ return -EINVAL;
+ } else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME]) {
+ link_specified = true;
+- dev = rtnl_dev_get(net, NULL, tb[IFLA_ALT_IFNAME], ifname);
++ dev = rtnl_dev_get(net, tb);
+ } else {
+ link_specified = false;
+ dev = NULL;
+@@ -3426,7 +3415,7 @@ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ status |= DO_SETLINK_NOTIFY;
+ }
+
+- return do_setlink(skb, dev, ifm, extack, tb, ifname, status);
++ return do_setlink(skb, dev, ifm, extack, tb, status);
+ }
+
+ if (!(nlh->nlmsg_flags & NLM_F_CREATE)) {
+@@ -3463,7 +3452,9 @@ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (!ops->alloc && !ops->setup)
+ return -EOPNOTSUPP;
+
+- if (!ifname[0]) {
++ if (tb[IFLA_IFNAME]) {
++ nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
++ } else {
+ snprintf(ifname, IFNAMSIZ, "%s%%d", ops->kind);
+ name_assign_type = NET_NAME_ENUM;
+ }
+@@ -3635,8 +3626,7 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (ifm->ifi_index > 0)
+ dev = __dev_get_by_index(tgt_net, ifm->ifi_index);
+ else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME])
+- dev = rtnl_dev_get(tgt_net, tb[IFLA_IFNAME],
+- tb[IFLA_ALT_IFNAME], NULL);
++ dev = rtnl_dev_get(tgt_net, tb);
+ else
+ goto out;
+
+@@ -3731,8 +3721,7 @@ static int rtnl_linkprop(int cmd, struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (ifm->ifi_index > 0)
+ dev = __dev_get_by_index(net, ifm->ifi_index);
+ else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME])
+- dev = rtnl_dev_get(net, tb[IFLA_IFNAME],
+- tb[IFLA_ALT_IFNAME], NULL);
++ dev = rtnl_dev_get(net, tb);
+ else
+ return -EINVAL;
+
+-- 
+2.43.0
+
diff --git a/queue-5.15/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch b/queue-5.15/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch
new file mode 100644
index 00000000000..6a7d13fadf0
--- /dev/null
+++ b/queue-5.15/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch
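Review bot: rtnl_dev_get() discards the result of both nla_strscpy() calls and then looks up whatever is in the buffer, so an over-long attribute would be matched as a truncated name instead of being rejected. That is safe only while the netlink policy caps IFLA_IFNAME and IFLA_ALT_IFNAME below IFNAMSIZ and ALTIFNAMSIZ; the policy table is not part of this patch, and of the callers only rtnl_setlink()'s parse against ifla_policy is visible here. I would record the dependency above the copies, e.g. `/* lengths are capped by the attribute policy; IFLA_IFNAME wins over IFLA_ALT_IFNAME */`. The new copy at the top of do_setlink() relies on the same bound.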
@@ -0,0 +1,90 @@
+From 6ce4d8b51197b14abe7402f04a34a031e134ba6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Jul 2024 09:27:45 +0000
+Subject: sched: act_ct: take care of padding in struct zones_ht_key
+
+From: Eric Dumazet
+
+[ Upstream commit 2191a54f63225b548fd8346be3611c3219a24738 ]
+
+Blamed commit increased lookup key size from 2 bytes to 16 bytes,
+because zones_ht_key got a struct net pointer.
+
+Make sure rhashtable_lookup() is not using the padding bytes
+which are not initialized.
+
+ BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
+ BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
+ BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
+ BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
+ BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
+ rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
+ __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
+ rhashtable_lookup include/linux/rhashtable.h:646 [inline]
+ rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
+ tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
+ tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408
+ tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425
+ tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488
+ tcf_action_add net/sched/act_api.c:2061 [inline]
+ tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118
+ rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647
+ netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550
+ rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665
+ netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
+ netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357
+ netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x30f/0x380 net/socket.c:745
+ ____sys_sendmsg+0x877/0xb60 net/socket.c:2597
+ ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651
+ __sys_sendmsg net/socket.c:2680 [inline]
+ __do_sys_sendmsg net/socket.c:2689 [inline]
+ __se_sys_sendmsg net/socket.c:2687 [inline]
+ __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687
+ x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Local variable key created at:
+ tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324
+ tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408
+
+Fixes: 88c67aeb1407 ("sched: act_ct: add netns into the key of tcf_ct_flow_table")
+Reported-by: syzbot+1b5e4e187cc586d05ea0@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet
+Cc: Xin Long
+Reviewed-by: Simon Horman
+Reviewed-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/act_ct.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index c602b0d698f29..a6c3b7145a105 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -41,6 +41,8 @@ static DEFINE_MUTEX(zones_mutex);
+ struct zones_ht_key {
+ struct net *net;
+ u16 zone;
++ /* Note : pad[] must be the last field. */
++ u8 pad[];
+ };
+
+ struct tcf_ct_flow_table {
+@@ -57,7 +59,7 @@ struct tcf_ct_flow_table {
+ static const struct rhashtable_params zones_params = {
+ .head_offset = offsetof(struct tcf_ct_flow_table, node),
+ .key_offset = offsetof(struct tcf_ct_flow_table, key),
+- .key_len = sizeof_field(struct tcf_ct_flow_table, key),
++ .key_len = offsetof(struct zones_ht_key, pad),
+ .automatic_shrinking = true,
+ };
+
+-- 
+2.43.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 2e3d4da5100..1f9d2724e0b 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
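Review bot: The comment on the new `pad[]` member of struct zones_ht_key states the rule but not the reason, and the reason sits in the second hunk: `.key_len = offsetof(struct zones_ht_key, pad)` is what stops the hash and compare before the trailing padding. Anyone adding a member after `zone` needs to know that every byte before `pad` becomes part of the key and must be initialised by the code that builds the lookup key, which is outside this hunk. I would reword it to `/* Must stay last: key_len is offsetof(pad), so uninitialised tail padding is never hashed or compared. */`.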
@@ -346,3 +346,18 @@ mips-loongson64-dts-add-rtc-support-to-loongson-2k10.patch
 mips-loongson64-dts-fix-pcie-port-nodes-for-ls7a.patch
 mips-dts-loongson-fix-liointc-irq-polarity.patch
 mips-dts-loongson-fix-ls2k1000-rtc-interrupt.patch
+drm-nouveau-prime-fix-refcount-underflow.patch
+drm-vmwgfx-fix-overlay-when-using-screen-targets.patch
+sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch
+alsa-hda-conexant-reduce-config_pm-dependencies.patch
+alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch
+rtnetlink-enable-alt_ifname-for-setlink-newlink.patch
+rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch
+net-iucv-fix-use-after-free-in-iucv_sock_close.patch
+net-mvpp2-don-t-re-use-loop-iterator.patch
+netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch
+netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch
+net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch
+ipv6-fix-ndisc_is_useropt-handling-for-pio.patch
+riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch
+power-supply-bq24190_charger-replace-deprecated-strn.patch