From: Greg Kroah-Hartman Date: Sat, 9 Sep 2023 12:46:09 +0000 (+0100) Subject: 6.5-stable patches X-Git-Tag: v6.1.53~91 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e744f5f75918a65be48b233df8a5a42db863dfd6;p=thirdparty%2Fkernel%2Fstable-queue.git 6.5-stable patches added patches: alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch cpu-hotplug-prevent-self-deadlock-on-cpu-hot-unplug.patch drbd-swap-bvec_set_page-len-and-offset.patch gpio-zynq-restore-zynq_gpio_irq_reqres-zynq_gpio_irq_relres-callbacks.patch igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch ipmi_si-fix-a-memleak-in-try_smi_init.patch media-i2c-add-a-camera-sensor-top-level-menu.patch media-i2c-ccs-check-rules-is-non-null.patch mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch multi-gen-lru-fix-per-zone-reclaim.patch netfilter-nft_exthdr-fix-non-linear-header-modification.patch netfilter-xt_sctp-validate-the-flag_info-count.patch netfilter-xt_u32-validate-user-space-input.patch parisc-ccio-dma-create-private-runway-procfs-root-entry.patch pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch pm-devfreq-fix-leak-in-devfreq_dev_release.patch printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch rcu-dump-vmalloc-memory-info-safely.patch riscv-mark-kasan-tmp-page-tables-variables-as-static.patch riscv-move-create_tmp_mapping-to-init-sections.patch scsi-core-fix-the-scsi_set_resid-documentation.patch skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch virtio_pmem-add-the-missing-req_op_write-for-flush-bio.patch --- diff --git a/queue-6.5/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch b/queue-6.5/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch new file mode 100644 index 00000000000..22f80343830 --- /dev/null +++ b/queue-6.5/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch @@ -0,0 +1,49 @@ +From 358040e3807754944dbddf948a23c6d914297ed7 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 29 Aug 2023 15:43:44 +0200 +Subject: ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl + +From: Takashi Iwai + +commit 358040e3807754944dbddf948a23c6d914297ed7 upstream. + +The update of rate_num/den and msbits were factored out to +fixup_unreferenced_params() function to be called explicitly after the +hw_refine or hw_params procedure. It's called from +snd_pcm_hw_refine_user(), but it's forgotten in the PCM compat ioctl. +This ended up with the incomplete rate_num/den and msbits parameters +when 32bit compat ioctl is used. + +This patch adds the missing call in snd_pcm_ioctl_hw_params_compat(). + +Reported-by: Meng_Cai@novatek.com.cn +Fixes: f9a076bff053 ("ALSA: pcm: calculate non-mask/non-interval parameters always when possible") +Reviewed-by: Takashi Sakamoto +Reviewed-by: Jaroslav Kysela +Cc: +Link: https://lore.kernel.org/r/20230829134344.31588-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_compat.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/sound/core/pcm_compat.c ++++ b/sound/core/pcm_compat.c +@@ -253,10 +253,14 @@ static int snd_pcm_ioctl_hw_params_compa + goto error; + } + +- if (refine) ++ if (refine) { + err = snd_pcm_hw_refine(substream, data); +- else ++ if (err < 0) ++ goto error; ++ err = fixup_unreferenced_params(substream, data); ++ } else { + err = snd_pcm_hw_params(substream, data); ++ } + if (err < 0) + goto error; + if (copy_to_user(data32, data, sizeof(*data32)) || diff --git a/queue-6.5/arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch b/queue-6.5/arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch new file mode 100644 index 00000000000..367243285b5 --- /dev/null +++ b/queue-6.5/arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch @@ -0,0 +1,45 @@ +From 847fb80cc01a54bc827b02547bb8743bdb59ddab Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Wed, 7 Jun 2023 22:12:11 -0600 +Subject: ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch() + +From: Gustavo A. R. Silva + +commit 847fb80cc01a54bc827b02547bb8743bdb59ddab upstream. + +If function pwrdm_read_prev_pwrst() returns -EINVAL, we will end +up accessing array pwrdm->state_counter through negative index +-22. This is wrong and the compiler is legitimately warning us +about this potential problem. + +Fix this by sanity checking the value stored in variable _prev_ +before accessing array pwrdm->state_counter. + +Address the following -Warray-bounds warning: +arch/arm/mach-omap2/powerdomain.c:178:45: warning: array subscript -22 is below array bounds of 'unsigned int[4]' [-Warray-bounds] + +Link: https://github.com/KSPP/linux/issues/307 +Fixes: ba20bb126940 ("OMAP: PM counter infrastructure.") +Cc: stable@vger.kernel.org +Reported-by: kernel test robot +Link: https://lore.kernel.org/lkml/20230607050639.LzbPn%25lkp@intel.com/ +Signed-off-by: Gustavo A. R. Silva +Message-ID: +Acked-by: Ard Biesheuvel +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/powerdomain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-omap2/powerdomain.c ++++ b/arch/arm/mach-omap2/powerdomain.c +@@ -174,7 +174,7 @@ static int _pwrdm_state_switch(struct po + break; + case PWRDM_STATE_PREV: + prev = pwrdm_read_prev_pwrst(pwrdm); +- if (pwrdm->state != prev) ++ if (prev >= 0 && pwrdm->state != prev) + pwrdm->state_counter[prev]++; + if (prev == PWRDM_POWER_RET) + _update_logic_membank_counters(pwrdm); diff --git a/queue-6.5/arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch b/queue-6.5/arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch new file mode 100644 index 00000000000..f321875598c --- /dev/null +++ b/queue-6.5/arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch @@ -0,0 +1,52 @@ +From 110e70fccce4f22b53986ae797d665ffb1950aa6 Mon Sep 17 00:00:00 2001 +From: Amit Pundir +Date: Wed, 26 Jul 2023 18:57:19 +0530 +Subject: arm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved + +From: Amit Pundir + +commit 110e70fccce4f22b53986ae797d665ffb1950aa6 upstream. + +Adding a reserved memory region for the framebuffer memory +(the splash memory region set up by the bootloader). + +It fixes a kernel panic (arm-smmu: Unhandled context fault +at this particular memory region) reported on DB845c running +v5.10.y. + +Cc: stable@vger.kernel.org # v5.10+ +Reviewed-by: Caleb Connolly +Signed-off-by: Amit Pundir +Acked-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230726132719.2117369-2-amit.pundir@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sdm845-db845c.dts | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts ++++ b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts +@@ -101,6 +101,14 @@ + }; + }; + ++ reserved-memory { ++ /* Cont splash region set up by the bootloader */ ++ cont_splash_mem: framebuffer@9d400000 { ++ reg = <0x0 0x9d400000 0x0 0x2400000>; ++ no-map; ++ }; ++ }; ++ + lt9611_1v8: lt9611-vdd18-regulator { + compatible = "regulator-fixed"; + regulator-name = "LT9611_1V8"; +@@ -506,6 +514,7 @@ + }; + + &mdss { ++ memory-region = <&cont_splash_mem>; + status = "okay"; + }; + diff --git a/queue-6.5/cpu-hotplug-prevent-self-deadlock-on-cpu-hot-unplug.patch b/queue-6.5/cpu-hotplug-prevent-self-deadlock-on-cpu-hot-unplug.patch new file mode 100644 index 00000000000..ab65ba66c31 --- /dev/null +++ b/queue-6.5/cpu-hotplug-prevent-self-deadlock-on-cpu-hot-unplug.patch @@ -0,0 +1,92 @@ +From 2b8272ff4a70b866106ae13c36be7ecbef5d5da2 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 23 Aug 2023 10:47:02 +0200 +Subject: cpu/hotplug: Prevent self deadlock on CPU hot-unplug + +From: Thomas Gleixner + +commit 2b8272ff4a70b866106ae13c36be7ecbef5d5da2 upstream. + +Xiongfeng reported and debugged a self deadlock of the task which initiates +and controls a CPU hot-unplug operation vs. the CFS bandwidth timer. + + CPU1 CPU2 + +T1 sets cfs_quota + starts hrtimer cfs_bandwidth 'period_timer' +T1 is migrated to CPU2 + T1 initiates offlining of CPU1 +Hotplug operation starts + ... +'period_timer' expires and is re-enqueued on CPU1 + ... +take_cpu_down() + CPU1 shuts down and does not handle timers + anymore. They have to be migrated in the + post dead hotplug steps by the control task. + + T1 runs the post dead offline operation + T1 is scheduled out + T1 waits for 'period_timer' to expire + +T1 waits there forever if it is scheduled out before it can execute the hrtimer +offline callback hrtimers_dead_cpu(). + +Cure this by delegating the hotplug control operation to a worker thread on +an online CPU. This takes the initiating user space task, which might be +affected by the bandwidth timer, completely out of the picture. + +Reported-by: Xiongfeng Wang +Signed-off-by: Thomas Gleixner +Tested-by: Yu Liao +Acked-by: Vincent Guittot +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/lkml/8e785777-03aa-99e1-d20e-e956f5685be6@huawei.com +Link: https://lore.kernel.org/r/87h6oqdq0i.ffs@tglx +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cpu.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -1467,8 +1467,22 @@ out: + return ret; + } + ++struct cpu_down_work { ++ unsigned int cpu; ++ enum cpuhp_state target; ++}; ++ ++static long __cpu_down_maps_locked(void *arg) ++{ ++ struct cpu_down_work *work = arg; ++ ++ return _cpu_down(work->cpu, 0, work->target); ++} ++ + static int cpu_down_maps_locked(unsigned int cpu, enum cpuhp_state target) + { ++ struct cpu_down_work work = { .cpu = cpu, .target = target, }; ++ + /* + * If the platform does not support hotplug, report it explicitly to + * differentiate it from a transient offlining failure. +@@ -1477,7 +1491,15 @@ static int cpu_down_maps_locked(unsigned + return -EOPNOTSUPP; + if (cpu_hotplug_disabled) + return -EBUSY; +- return _cpu_down(cpu, 0, target); ++ ++ /* ++ * Ensure that the control task does not run on the to be offlined ++ * CPU to prevent a deadlock against cfs_b->period_timer. ++ */ ++ cpu = cpumask_any_but(cpu_online_mask, cpu); ++ if (cpu >= nr_cpu_ids) ++ return -EBUSY; ++ return work_on_cpu(cpu, __cpu_down_maps_locked, &work); + } + + static int cpu_down(unsigned int cpu, enum cpuhp_state target) diff --git a/queue-6.5/drbd-swap-bvec_set_page-len-and-offset.patch b/queue-6.5/drbd-swap-bvec_set_page-len-and-offset.patch new file mode 100644 index 00000000000..1dc847411e2 --- /dev/null +++ b/queue-6.5/drbd-swap-bvec_set_page-len-and-offset.patch @@ -0,0 +1,55 @@ +From 4b9c2edaf7282d60e069551b4b28abc2932cd3e3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?= + +Date: Wed, 6 Sep 2023 15:30:34 +0200 +Subject: drbd: swap bvec_set_page len and offset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christoph Böhmwalder + +commit 4b9c2edaf7282d60e069551b4b28abc2932cd3e3 upstream. + +bvec_set_page has the following signature: + +static inline void bvec_set_page(struct bio_vec *bv, struct page *page, + unsigned int len, unsigned int offset) + +However, the usage in DRBD swaps the len and offset parameters. This +leads to a bvec with length=0 instead of the intended length=4096, which +causes sock_sendmsg to return -EIO. + +This leaves DRBD unable to transmit any pages and thus completely +broken. + +Swapping the parameters fixes the regression. + +Fixes: eeac7405c735 ("drbd: Use sendmsg(MSG_SPLICE_PAGES) rather than sendpage()") +Reported-by: Serguei Ivantsov +Link: https://lore.kernel.org/regressions/CAKH+VT3YLmAn0Y8=q37UTDShqxDLsqPcQ4hBMzY7HPn7zNx+RQ@mail.gmail.com/ +Cc: stable@vger.kernel.org +Signed-off-by: Christoph Böhmwalder +Link: https://lore.kernel.org/r/20230906133034.948817-1-christoph.boehmwalder@linbit.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/drbd/drbd_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c +index 79ab532aabaf..6bc86106c7b2 100644 +--- a/drivers/block/drbd/drbd_main.c ++++ b/drivers/block/drbd/drbd_main.c +@@ -1557,7 +1557,7 @@ static int _drbd_send_page(struct drbd_peer_device *peer_device, struct page *pa + do { + int sent; + +- bvec_set_page(&bvec, page, offset, len); ++ bvec_set_page(&bvec, page, len, offset); + iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, len); + + sent = sock_sendmsg(socket, &msg); +-- +2.42.0 + diff --git a/queue-6.5/gpio-zynq-restore-zynq_gpio_irq_reqres-zynq_gpio_irq_relres-callbacks.patch b/queue-6.5/gpio-zynq-restore-zynq_gpio_irq_reqres-zynq_gpio_irq_relres-callbacks.patch new file mode 100644 index 00000000000..201877f2a04 --- /dev/null +++ b/queue-6.5/gpio-zynq-restore-zynq_gpio_irq_reqres-zynq_gpio_irq_relres-callbacks.patch @@ -0,0 +1,83 @@ +From 180b10bd160b014448366e5bc86e0558f8acb74f Mon Sep 17 00:00:00 2001 +From: Daniel Mack +Date: Fri, 1 Sep 2023 14:24:24 +0200 +Subject: gpio: zynq: restore zynq_gpio_irq_reqres/zynq_gpio_irq_relres callbacks + +From: Daniel Mack + +commit 180b10bd160b014448366e5bc86e0558f8acb74f upstream. + +Commit f56914393537 ("gpio: zynq: fix zynqmp_gpio not an immutable chip +warning") ditched the open-coded resource allocation handlers in favor +of the generic ones. These generic handlers don't maintain the PM +runtime anymore, which causes a regression in that level IRQs are no +longer reported. + +Restore the original handlers to fix this. + +Signed-off-by: Daniel Mack +Fixes: f56914393537 ("gpio: zynq: fix zynqmp_gpio not an immutable chip warning") +Cc: stable@kernel.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-zynq.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-zynq.c b/drivers/gpio/gpio-zynq.c +index 0a7264aabe48..324e942c0650 100644 +--- a/drivers/gpio/gpio-zynq.c ++++ b/drivers/gpio/gpio-zynq.c +@@ -575,6 +575,26 @@ static int zynq_gpio_set_wake(struct irq_data *data, unsigned int on) + return 0; + } + ++static int zynq_gpio_irq_reqres(struct irq_data *d) ++{ ++ struct gpio_chip *chip = irq_data_get_irq_chip_data(d); ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(chip->parent); ++ if (ret < 0) ++ return ret; ++ ++ return gpiochip_reqres_irq(chip, d->hwirq); ++} ++ ++static void zynq_gpio_irq_relres(struct irq_data *d) ++{ ++ struct gpio_chip *chip = irq_data_get_irq_chip_data(d); ++ ++ gpiochip_relres_irq(chip, d->hwirq); ++ pm_runtime_put(chip->parent); ++} ++ + /* irq chip descriptor */ + static const struct irq_chip zynq_gpio_level_irqchip = { + .name = DRIVER_NAME, +@@ -584,9 +604,10 @@ static const struct irq_chip zynq_gpio_level_irqchip = { + .irq_unmask = zynq_gpio_irq_unmask, + .irq_set_type = zynq_gpio_set_irq_type, + .irq_set_wake = zynq_gpio_set_wake, ++ .irq_request_resources = zynq_gpio_irq_reqres, ++ .irq_release_resources = zynq_gpio_irq_relres, + .flags = IRQCHIP_EOI_THREADED | IRQCHIP_EOI_IF_HANDLED | + IRQCHIP_MASK_ON_SUSPEND | IRQCHIP_IMMUTABLE, +- GPIOCHIP_IRQ_RESOURCE_HELPERS, + }; + + static const struct irq_chip zynq_gpio_edge_irqchip = { +@@ -597,8 +618,9 @@ static const struct irq_chip zynq_gpio_edge_irqchip = { + .irq_unmask = zynq_gpio_irq_unmask, + .irq_set_type = zynq_gpio_set_irq_type, + .irq_set_wake = zynq_gpio_set_wake, ++ .irq_request_resources = zynq_gpio_irq_reqres, ++ .irq_release_resources = zynq_gpio_irq_relres, + .flags = IRQCHIP_MASK_ON_SUSPEND | IRQCHIP_IMMUTABLE, +- GPIOCHIP_IRQ_RESOURCE_HELPERS, + }; + + static void zynq_gpio_handle_bank_irq(struct zynq_gpio *gpio, +-- +2.42.0 + diff --git a/queue-6.5/igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch b/queue-6.5/igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch new file mode 100644 index 00000000000..56b0f584868 --- /dev/null +++ b/queue-6.5/igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch @@ -0,0 +1,52 @@ +From bb5ed01cd2428cd25b1c88a3a9cba87055eb289f Mon Sep 17 00:00:00 2001 +From: Radoslaw Tyl +Date: Thu, 24 Aug 2023 13:46:19 -0700 +Subject: igb: set max size RX buffer when store bad packet is enabled + +From: Radoslaw Tyl + +commit bb5ed01cd2428cd25b1c88a3a9cba87055eb289f upstream. + +Increase the RX buffer size to 3K when the SBP bit is on. The size of +the RX buffer determines the number of pages allocated which may not +be sufficient for receive frames larger than the set MTU size. + +Cc: stable@vger.kernel.org +Fixes: 89eaefb61dc9 ("igb: Support RX-ALL feature flag.") +Reported-by: Manfred Rudigier +Signed-off-by: Radoslaw Tyl +Tested-by: Arpana Arland (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igb/igb_main.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -4814,6 +4814,10 @@ void igb_configure_rx_ring(struct igb_ad + static void igb_set_rx_buffer_len(struct igb_adapter *adapter, + struct igb_ring *rx_ring) + { ++#if (PAGE_SIZE < 8192) ++ struct e1000_hw *hw = &adapter->hw; ++#endif ++ + /* set build_skb and buffer size flags */ + clear_ring_build_skb_enabled(rx_ring); + clear_ring_uses_large_buffer(rx_ring); +@@ -4824,10 +4828,9 @@ static void igb_set_rx_buffer_len(struct + set_ring_build_skb_enabled(rx_ring); + + #if (PAGE_SIZE < 8192) +- if (adapter->max_frame_size <= IGB_MAX_FRAME_BUILD_SKB) +- return; +- +- set_ring_uses_large_buffer(rx_ring); ++ if (adapter->max_frame_size > IGB_MAX_FRAME_BUILD_SKB || ++ rd32(E1000_RCTL) & E1000_RCTL_SBP) ++ set_ring_uses_large_buffer(rx_ring); + #endif + } + diff --git a/queue-6.5/ipmi_si-fix-a-memleak-in-try_smi_init.patch b/queue-6.5/ipmi_si-fix-a-memleak-in-try_smi_init.patch new file mode 100644 index 00000000000..987732d7d3d --- /dev/null +++ b/queue-6.5/ipmi_si-fix-a-memleak-in-try_smi_init.patch @@ -0,0 +1,60 @@ +From 6cf1a126de2992b4efe1c3c4d398f8de4aed6e3f Mon Sep 17 00:00:00 2001 +From: Yi Yang +Date: Thu, 29 Jun 2023 20:33:28 +0800 +Subject: ipmi_si: fix a memleak in try_smi_init() + +From: Yi Yang + +commit 6cf1a126de2992b4efe1c3c4d398f8de4aed6e3f upstream. + +Kmemleak reported the following leak info in try_smi_init(): + +unreferenced object 0xffff00018ecf9400 (size 1024): + comm "modprobe", pid 2707763, jiffies 4300851415 (age 773.308s) + backtrace: + [<000000004ca5b312>] __kmalloc+0x4b8/0x7b0 + [<00000000953b1072>] try_smi_init+0x148/0x5dc [ipmi_si] + [<000000006460d325>] 0xffff800081b10148 + [<0000000039206ea5>] do_one_initcall+0x64/0x2a4 + [<00000000601399ce>] do_init_module+0x50/0x300 + [<000000003c12ba3c>] load_module+0x7a8/0x9e0 + [<00000000c246fffe>] __se_sys_init_module+0x104/0x180 + [<00000000eea99093>] __arm64_sys_init_module+0x24/0x30 + [<0000000021b1ef87>] el0_svc_common.constprop.0+0x94/0x250 + [<0000000070f4f8b7>] do_el0_svc+0x48/0xe0 + [<000000005a05337f>] el0_svc+0x24/0x3c + [<000000005eb248d6>] el0_sync_handler+0x160/0x164 + [<0000000030a59039>] el0_sync+0x160/0x180 + +The problem was that when an error occurred before handlers registration +and after allocating `new_smi->si_sm`, the variable wouldn't be freed in +the error handling afterwards since `shutdown_smi()` hadn't been +registered yet. Fix it by adding a `kfree()` in the error handling path +in `try_smi_init()`. + +Cc: stable@vger.kernel.org # 4.19+ +Fixes: 7960f18a5647 ("ipmi_si: Convert over to a shutdown handler") +Signed-off-by: Yi Yang +Co-developed-by: GONG, Ruiqi +Signed-off-by: GONG, Ruiqi +Message-Id: <20230629123328.2402075-1-gongruiqi@huaweicloud.com> +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_si_intf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -2082,6 +2082,11 @@ static int try_smi_init(struct smi_info + new_smi->io.io_cleanup = NULL; + } + ++ if (rv && new_smi->si_sm) { ++ kfree(new_smi->si_sm); ++ new_smi->si_sm = NULL; ++ } ++ + return rv; + } + diff --git a/queue-6.5/media-i2c-add-a-camera-sensor-top-level-menu.patch b/queue-6.5/media-i2c-add-a-camera-sensor-top-level-menu.patch new file mode 100644 index 00000000000..8d584bd7592 --- /dev/null +++ b/queue-6.5/media-i2c-add-a-camera-sensor-top-level-menu.patch @@ -0,0 +1,60 @@ +From 7d3c7d2a2914e10bec3b9cdacdadb8e1f65f715a Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Thu, 15 Jun 2023 10:29:07 +0200 +Subject: media: i2c: Add a camera sensor top level menu + +From: Sakari Ailus + +commit 7d3c7d2a2914e10bec3b9cdacdadb8e1f65f715a upstream. + +Select V4L2_FWNODE and VIDEO_V4L2_SUBDEV_API for all sensor drivers. This +also adds the options to drivers that don't specifically need them, these +are still seldom used drivers using old APIs. The upside is that these +should now all compile --- many drivers have had missing dependencies. + +The "menu" is replaced by selectable "menuconfig" to select the needed +V4L2_FWNODE and VIDEO_V4L2_SUBDEV_API options. + +Also select MEDIA_CONTROLLER which VIDEO_V4L2_SUBDEV_API effectively +depends on, and add the I2C dependency to the menu. + +Reported-by: Hans de Goede +Signed-off-by: Sakari Ailus +Reviewed-by: Hans de Goede +Reviewed-by: Laurent Pinchart +Cc: stable@vger.kernel.org # for >= 6.1 +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/Kconfig | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/media/i2c/Kconfig ++++ b/drivers/media/i2c/Kconfig +@@ -25,8 +25,15 @@ config VIDEO_IR_I2C + # V4L2 I2C drivers that are related with Camera support + # + +-menu "Camera sensor devices" +- visible if MEDIA_CAMERA_SUPPORT ++menuconfig VIDEO_CAMERA_SENSOR ++ bool "Camera sensor devices" ++ depends on MEDIA_CAMERA_SUPPORT && I2C ++ select MEDIA_CONTROLLER ++ select V4L2_FWNODE ++ select VIDEO_V4L2_SUBDEV_API ++ default y ++ ++if VIDEO_CAMERA_SENSOR + + config VIDEO_APTINA_PLL + tristate +@@ -810,7 +817,7 @@ config VIDEO_ST_VGXY61 + source "drivers/media/i2c/ccs/Kconfig" + source "drivers/media/i2c/et8ek8/Kconfig" + +-endmenu ++endif + + menu "Lens drivers" + visible if MEDIA_CAMERA_SUPPORT diff --git a/queue-6.5/media-i2c-ccs-check-rules-is-non-null.patch b/queue-6.5/media-i2c-ccs-check-rules-is-non-null.patch new file mode 100644 index 00000000000..29331126349 --- /dev/null +++ b/queue-6.5/media-i2c-ccs-check-rules-is-non-null.patch @@ -0,0 +1,146 @@ +From 607bcc4213d998d051541d8f10b5bbb7d546c0be Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Sat, 29 Jul 2023 20:59:25 +0200 +Subject: media: i2c: ccs: Check rules is non-NULL + +From: Sakari Ailus + +commit 607bcc4213d998d051541d8f10b5bbb7d546c0be upstream. + +Fix the following smatch warning: + +drivers/media/i2c/ccs/ccs-data.c:524 ccs_data_parse_rules() warn: address +of NULL pointer 'rules' + +The CCS static data rule parser does not check an if rule has been +obtained before checking for other rule types (which depend on the if +rule). In practice this means parsing invalid CCS static data could lead +to dereferencing a NULL pointer. + +Reported-by: Hans Verkuil +Fixes: a6b396f410b1 ("media: ccs: Add CCS static data parser library") +Cc: stable@vger.kernel.org # for 5.11 and up +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ccs/ccs-data.c | 101 +++++++++++++++++++++------------------ + 1 file changed, 56 insertions(+), 45 deletions(-) + +--- a/drivers/media/i2c/ccs/ccs-data.c ++++ b/drivers/media/i2c/ccs/ccs-data.c +@@ -464,8 +464,7 @@ static int ccs_data_parse_rules(struct b + rule_payload = __rule_type + 1; + rule_plen2 = rule_plen - sizeof(*__rule_type); + +- switch (*__rule_type) { +- case CCS_DATA_BLOCK_RULE_ID_IF: { ++ if (*__rule_type == CCS_DATA_BLOCK_RULE_ID_IF) { + const struct __ccs_data_block_rule_if *__if_rules = + rule_payload; + const size_t __num_if_rules = +@@ -514,49 +513,61 @@ static int ccs_data_parse_rules(struct b + rules->if_rules = if_rule; + rules->num_if_rules = __num_if_rules; + } +- break; +- } +- case CCS_DATA_BLOCK_RULE_ID_READ_ONLY_REGS: +- rval = ccs_data_parse_reg_rules(bin, &rules->read_only_regs, +- &rules->num_read_only_regs, +- rule_payload, +- rule_payload + rule_plen2, +- dev); +- if (rval) +- return rval; +- break; +- case CCS_DATA_BLOCK_RULE_ID_FFD: +- rval = ccs_data_parse_ffd(bin, &rules->frame_format, +- rule_payload, +- rule_payload + rule_plen2, +- dev); +- if (rval) +- return rval; +- break; +- case CCS_DATA_BLOCK_RULE_ID_MSR: +- rval = ccs_data_parse_reg_rules(bin, +- &rules->manufacturer_regs, +- &rules->num_manufacturer_regs, +- rule_payload, +- rule_payload + rule_plen2, +- dev); +- if (rval) +- return rval; +- break; +- case CCS_DATA_BLOCK_RULE_ID_PDAF_READOUT: +- rval = ccs_data_parse_pdaf_readout(bin, +- &rules->pdaf_readout, +- rule_payload, +- rule_payload + rule_plen2, +- dev); +- if (rval) +- return rval; +- break; +- default: +- dev_dbg(dev, +- "Don't know how to handle rule type %u!\n", +- *__rule_type); +- return -EINVAL; ++ } else { ++ /* Check there was an if rule before any other rules */ ++ if (bin->base && !rules) ++ return -EINVAL; ++ ++ switch (*__rule_type) { ++ case CCS_DATA_BLOCK_RULE_ID_READ_ONLY_REGS: ++ rval = ccs_data_parse_reg_rules(bin, ++ rules ? ++ &rules->read_only_regs : NULL, ++ rules ? ++ &rules->num_read_only_regs : NULL, ++ rule_payload, ++ rule_payload + rule_plen2, ++ dev); ++ if (rval) ++ return rval; ++ break; ++ case CCS_DATA_BLOCK_RULE_ID_FFD: ++ rval = ccs_data_parse_ffd(bin, rules ? ++ &rules->frame_format : NULL, ++ rule_payload, ++ rule_payload + rule_plen2, ++ dev); ++ if (rval) ++ return rval; ++ break; ++ case CCS_DATA_BLOCK_RULE_ID_MSR: ++ rval = ccs_data_parse_reg_rules(bin, ++ rules ? ++ &rules->manufacturer_regs : NULL, ++ rules ? ++ &rules->num_manufacturer_regs : NULL, ++ rule_payload, ++ rule_payload + rule_plen2, ++ dev); ++ if (rval) ++ return rval; ++ break; ++ case CCS_DATA_BLOCK_RULE_ID_PDAF_READOUT: ++ rval = ccs_data_parse_pdaf_readout(bin, ++ rules ? ++ &rules->pdaf_readout : NULL, ++ rule_payload, ++ rule_payload + rule_plen2, ++ dev); ++ if (rval) ++ return rval; ++ break; ++ default: ++ dev_dbg(dev, ++ "Don't know how to handle rule type %u!\n", ++ *__rule_type); ++ return -EINVAL; ++ } + } + __next_rule = __next_rule + rule_hlen + rule_plen; + } diff --git a/queue-6.5/mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch b/queue-6.5/mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch new file mode 100644 index 00000000000..147400abf50 --- /dev/null +++ b/queue-6.5/mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch @@ -0,0 +1,69 @@ +From 0818e739b5c061b0251c30152380600fb9b84c0c Mon Sep 17 00:00:00 2001 +From: "Joel Fernandes (Google)" +Date: Mon, 4 Sep 2023 18:08:04 +0000 +Subject: mm/vmalloc: add a safer version of find_vm_area() for debug + +From: Joel Fernandes (Google) + +commit 0818e739b5c061b0251c30152380600fb9b84c0c upstream. + +It is unsafe to dump vmalloc area information when trying to do so from +some contexts. Add a safer trylock version of the same function to do a +best-effort VMA finding and use it from vmalloc_dump_obj(). + +[applied test robot feedback on unused function fix.] +[applied Uladzislau feedback on locking.] +Link: https://lkml.kernel.org/r/20230904180806.1002832-1-joel@joelfernandes.org +Fixes: 98f180837a89 ("mm: Make mem_dump_obj() handle vmalloc() memory") +Signed-off-by: Joel Fernandes (Google) +Reviewed-by: Uladzislau Rezki (Sony) +Reported-by: Zhen Lei +Cc: Paul E. McKenney +Cc: Zqiang +Cc: +Cc: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmalloc.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -4278,14 +4278,32 @@ void pcpu_free_vm_areas(struct vm_struct + #ifdef CONFIG_PRINTK + bool vmalloc_dump_obj(void *object) + { +- struct vm_struct *vm; + void *objp = (void *)PAGE_ALIGN((unsigned long)object); ++ const void *caller; ++ struct vm_struct *vm; ++ struct vmap_area *va; ++ unsigned long addr; ++ unsigned int nr_pages; ++ ++ if (!spin_trylock(&vmap_area_lock)) ++ return false; ++ va = __find_vmap_area((unsigned long)objp, &vmap_area_root); ++ if (!va) { ++ spin_unlock(&vmap_area_lock); ++ return false; ++ } + +- vm = find_vm_area(objp); +- if (!vm) ++ vm = va->vm; ++ if (!vm) { ++ spin_unlock(&vmap_area_lock); + return false; ++ } ++ addr = (unsigned long)vm->addr; ++ caller = vm->caller; ++ nr_pages = vm->nr_pages; ++ spin_unlock(&vmap_area_lock); + pr_cont(" %u-page vmalloc region starting at %#lx allocated at %pS\n", +- vm->nr_pages, (unsigned long)vm->addr, vm->caller); ++ nr_pages, addr, caller); + return true; + } + #endif diff --git a/queue-6.5/multi-gen-lru-fix-per-zone-reclaim.patch b/queue-6.5/multi-gen-lru-fix-per-zone-reclaim.patch new file mode 100644 index 00000000000..e2e3c094d6b --- /dev/null +++ b/queue-6.5/multi-gen-lru-fix-per-zone-reclaim.patch @@ -0,0 +1,154 @@ +From 669281ee7ef731fb5204df9d948669bf32a5e68d Mon Sep 17 00:00:00 2001 +From: Kalesh Singh +Date: Tue, 1 Aug 2023 19:56:02 -0700 +Subject: Multi-gen LRU: fix per-zone reclaim + +From: Kalesh Singh + +commit 669281ee7ef731fb5204df9d948669bf32a5e68d upstream. + +MGLRU has a LRU list for each zone for each type (anon/file) in each +generation: + + long nr_pages[MAX_NR_GENS][ANON_AND_FILE][MAX_NR_ZONES]; + +The min_seq (oldest generation) can progress independently for each +type but the max_seq (youngest generation) is shared for both anon and +file. This is to maintain a common frame of reference. + +In order for eviction to advance the min_seq of a type, all the per-zone +lists in the oldest generation of that type must be empty. + +The eviction logic only considers pages from eligible zones for +eviction or promotion. + + scan_folios() { + ... + for (zone = sc->reclaim_idx; zone >= 0; zone--) { + ... + sort_folio(); // Promote + ... + isolate_folio(); // Evict + } + ... + } + +Consider the system has the movable zone configured and default 4 +generations. The current state of the system is as shown below +(only illustrating one type for simplicity): + +Type: ANON + + Zone DMA32 Normal Movable Device + + Gen 0 0 0 4GB 0 + + Gen 1 0 1GB 1MB 0 + + Gen 2 1MB 4GB 1MB 0 + + Gen 3 1MB 1MB 1MB 0 + +Now consider there is a GFP_KERNEL allocation request (eligible zone +index <= Normal), evict_folios() will return without doing any work +since there are no pages to scan in the eligible zones of the oldest +generation. Reclaim won't make progress until triggered from a ZONE_MOVABLE +allocation request; which may not happen soon if there is a lot of free +memory in the movable zone. This can lead to OOM kills, although there +is 1GB pages in the Normal zone of Gen 1 that we have not yet tried to +reclaim. + +This issue is not seen in the conventional active/inactive LRU since +there are no per-zone lists. + +If there are no (not enough) folios to scan in the eligible zones, move +folios from ineligible zone (zone_index > reclaim_index) to the next +generation. This allows for the progression of min_seq and reclaiming +from the next generation (Gen 1). + +Qualcomm, Mediatek and raspberrypi [1] discovered this issue independently. + +[1] https://github.com/raspberrypi/linux/issues/5395 + +Link: https://lkml.kernel.org/r/20230802025606.346758-1-kaleshsingh@google.com +Fixes: ac35a4902374 ("mm: multi-gen LRU: minimal implementation") +Signed-off-by: Kalesh Singh +Reported-by: Charan Teja Kalla +Reported-by: Lecopzer Chen +Tested-by: AngeloGioacchino Del Regno [mediatek] +Tested-by: Charan Teja Kalla +Cc: Yu Zhao +Cc: Barry Song +Cc: Brian Geffon +Cc: Jan Alexander Steffens (heftig) +Cc: Matthias Brugger +Cc: Oleksandr Natalenko +Cc: Qi Zheng +Cc: Steven Barrett +Cc: Suleiman Souhlal +Cc: Suren Baghdasaryan +Cc: Aneesh Kumar K V +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmscan.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -4891,7 +4891,8 @@ static int lru_gen_memcg_seg(struct lruv + * the eviction + ******************************************************************************/ + +-static bool sort_folio(struct lruvec *lruvec, struct folio *folio, int tier_idx) ++static bool sort_folio(struct lruvec *lruvec, struct folio *folio, struct scan_control *sc, ++ int tier_idx) + { + bool success; + int gen = folio_lru_gen(folio); +@@ -4941,6 +4942,13 @@ static bool sort_folio(struct lruvec *lr + return true; + } + ++ /* ineligible */ ++ if (zone > sc->reclaim_idx) { ++ gen = folio_inc_gen(lruvec, folio, false); ++ list_move_tail(&folio->lru, &lrugen->folios[gen][type][zone]); ++ return true; ++ } ++ + /* waiting for writeback */ + if (folio_test_locked(folio) || folio_test_writeback(folio) || + (type == LRU_GEN_FILE && folio_test_dirty(folio))) { +@@ -4989,7 +4997,8 @@ static bool isolate_folio(struct lruvec + static int scan_folios(struct lruvec *lruvec, struct scan_control *sc, + int type, int tier, struct list_head *list) + { +- int gen, zone; ++ int i; ++ int gen; + enum vm_event_item item; + int sorted = 0; + int scanned = 0; +@@ -5005,9 +5014,10 @@ static int scan_folios(struct lruvec *lr + + gen = lru_gen_from_seq(lrugen->min_seq[type]); + +- for (zone = sc->reclaim_idx; zone >= 0; zone--) { ++ for (i = MAX_NR_ZONES; i > 0; i--) { + LIST_HEAD(moved); + int skipped = 0; ++ int zone = (sc->reclaim_idx + i) % MAX_NR_ZONES; + struct list_head *head = &lrugen->folios[gen][type][zone]; + + while (!list_empty(head)) { +@@ -5021,7 +5031,7 @@ static int scan_folios(struct lruvec *lr + + scanned += delta; + +- if (sort_folio(lruvec, folio, tier)) ++ if (sort_folio(lruvec, folio, sc, tier)) + sorted += delta; + else if (isolate_folio(lruvec, folio, sc)) { + list_add(&folio->lru, list); diff --git a/queue-6.5/netfilter-nft_exthdr-fix-non-linear-header-modification.patch b/queue-6.5/netfilter-nft_exthdr-fix-non-linear-header-modification.patch new file mode 100644 index 00000000000..fcd163f9754 --- /dev/null +++ b/queue-6.5/netfilter-nft_exthdr-fix-non-linear-header-modification.patch @@ -0,0 +1,66 @@ +From 28427f368f0e08d504ed06e74bc7cc79d6d06511 Mon Sep 17 00:00:00 2001 +From: Xiao Liang +Date: Fri, 25 Aug 2023 13:33:27 +0800 +Subject: netfilter: nft_exthdr: Fix non-linear header modification + +From: Xiao Liang + +commit 28427f368f0e08d504ed06e74bc7cc79d6d06511 upstream. + +Fix skb_ensure_writable() size. Don't use nft_tcp_header_pointer() to +make it explicit that pointers point to the packet (not local buffer). + +Fixes: 99d1712bc41c ("netfilter: exthdr: tcp option set support") +Fixes: 7890cbea66e7 ("netfilter: exthdr: add support for tcp option removal") +Cc: stable@vger.kernel.org +Signed-off-by: Xiao Liang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_exthdr.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +--- a/net/netfilter/nft_exthdr.c ++++ b/net/netfilter/nft_exthdr.c +@@ -238,7 +238,12 @@ static void nft_exthdr_tcp_set_eval(cons + if (!tcph) + goto err; + ++ if (skb_ensure_writable(pkt->skb, nft_thoff(pkt) + tcphdr_len)) ++ goto err; ++ ++ tcph = (struct tcphdr *)(pkt->skb->data + nft_thoff(pkt)); + opt = (u8 *)tcph; ++ + for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) { + union { + __be16 v16; +@@ -253,15 +258,6 @@ static void nft_exthdr_tcp_set_eval(cons + if (i + optl > tcphdr_len || priv->len + priv->offset > optl) + goto err; + +- if (skb_ensure_writable(pkt->skb, +- nft_thoff(pkt) + i + priv->len)) +- goto err; +- +- tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, +- &tcphdr_len); +- if (!tcph) +- goto err; +- + offset = i + priv->offset; + + switch (priv->len) { +@@ -325,9 +321,9 @@ static void nft_exthdr_tcp_strip_eval(co + if (skb_ensure_writable(pkt->skb, nft_thoff(pkt) + tcphdr_len)) + goto drop; + +- opt = (u8 *)nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len); +- if (!opt) +- goto err; ++ tcph = (struct tcphdr *)(pkt->skb->data + nft_thoff(pkt)); ++ opt = (u8 *)tcph; ++ + for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) { + unsigned int j; + diff --git a/queue-6.5/netfilter-xt_sctp-validate-the-flag_info-count.patch b/queue-6.5/netfilter-xt_sctp-validate-the-flag_info-count.patch new file mode 100644 index 00000000000..68fc69456f8 --- /dev/null +++ b/queue-6.5/netfilter-xt_sctp-validate-the-flag_info-count.patch @@ -0,0 +1,36 @@ +From e99476497687ef9e850748fe6d232264f30bc8f9 Mon Sep 17 00:00:00 2001 +From: Wander Lairson Costa +Date: Mon, 28 Aug 2023 19:12:55 -0300 +Subject: netfilter: xt_sctp: validate the flag_info count + +From: Wander Lairson Costa + +commit e99476497687ef9e850748fe6d232264f30bc8f9 upstream. + +sctp_mt_check doesn't validate the flag_count field. An attacker can +take advantage of that to trigger a OOB read and leak memory +information. + +Add the field validation in the checkentry function. + +Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") +Cc: stable@vger.kernel.org +Reported-by: Lucas Leong +Signed-off-by: Wander Lairson Costa +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/xt_sctp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/netfilter/xt_sctp.c ++++ b/net/netfilter/xt_sctp.c +@@ -149,6 +149,8 @@ static int sctp_mt_check(const struct xt + { + const struct xt_sctp_info *info = par->matchinfo; + ++ if (info->flag_count > ARRAY_SIZE(info->flag_info)) ++ return -EINVAL; + if (info->flags & ~XT_SCTP_VALID_FLAGS) + return -EINVAL; + if (info->invflags & ~XT_SCTP_VALID_FLAGS) diff --git a/queue-6.5/netfilter-xt_u32-validate-user-space-input.patch b/queue-6.5/netfilter-xt_u32-validate-user-space-input.patch new file mode 100644 index 00000000000..e8a50eb0a2e --- /dev/null +++ b/queue-6.5/netfilter-xt_u32-validate-user-space-input.patch @@ -0,0 +1,61 @@ +From 69c5d284f67089b4750d28ff6ac6f52ec224b330 Mon Sep 17 00:00:00 2001 +From: Wander Lairson Costa +Date: Mon, 28 Aug 2023 10:21:07 -0300 +Subject: netfilter: xt_u32: validate user space input + +From: Wander Lairson Costa + +commit 69c5d284f67089b4750d28ff6ac6f52ec224b330 upstream. + +The xt_u32 module doesn't validate the fields in the xt_u32 structure. +An attacker may take advantage of this to trigger an OOB read by setting +the size fields with a value beyond the arrays boundaries. + +Add a checkentry function to validate the structure. + +This was originally reported by the ZDI project (ZDI-CAN-18408). + +Fixes: 1b50b8a371e9 ("[NETFILTER]: Add u32 match") +Cc: stable@vger.kernel.org +Signed-off-by: Wander Lairson Costa +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/xt_u32.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/net/netfilter/xt_u32.c ++++ b/net/netfilter/xt_u32.c +@@ -96,11 +96,32 @@ static bool u32_mt(const struct sk_buff + return ret ^ data->invert; + } + ++static int u32_mt_checkentry(const struct xt_mtchk_param *par) ++{ ++ const struct xt_u32 *data = par->matchinfo; ++ const struct xt_u32_test *ct; ++ unsigned int i; ++ ++ if (data->ntests > ARRAY_SIZE(data->tests)) ++ return -EINVAL; ++ ++ for (i = 0; i < data->ntests; ++i) { ++ ct = &data->tests[i]; ++ ++ if (ct->nnums > ARRAY_SIZE(ct->location) || ++ ct->nvalues > ARRAY_SIZE(ct->value)) ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static struct xt_match xt_u32_mt_reg __read_mostly = { + .name = "u32", + .revision = 0, + .family = NFPROTO_UNSPEC, + .match = u32_mt, ++ .checkentry = u32_mt_checkentry, + .matchsize = sizeof(struct xt_u32), + .me = THIS_MODULE, + }; diff --git a/queue-6.5/parisc-ccio-dma-create-private-runway-procfs-root-entry.patch b/queue-6.5/parisc-ccio-dma-create-private-runway-procfs-root-entry.patch new file mode 100644 index 00000000000..cc31c1f35cc --- /dev/null +++ b/queue-6.5/parisc-ccio-dma-create-private-runway-procfs-root-entry.patch @@ -0,0 +1,76 @@ +From 77e0ddf097d6d4ceaf898e088b133b99e0a97fa0 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Mon, 28 Aug 2023 17:29:46 +0200 +Subject: parisc: ccio-dma: Create private runway procfs root entry + +From: Helge Deller + +commit 77e0ddf097d6d4ceaf898e088b133b99e0a97fa0 upstream. + +Create an own procfs "runway" root entry for the CCIO driver. +No need to share it with the sba_iommu driver, as only one +of those busses can be active in one machine anyway. + +Signed-off-by: Helge Deller +Reported-by: kernel test robot +Fixes: 547259580dfa ("parisc: Move proc_mckinley_root and proc_runway_root to sba_iommu") +Cc: # v6.5 +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/runway.h | 3 --- + drivers/parisc/ccio-dma.c | 11 +++++++---- + drivers/parisc/sba_iommu.c | 2 +- + 3 files changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/parisc/include/asm/runway.h ++++ b/arch/parisc/include/asm/runway.h +@@ -2,9 +2,6 @@ + #ifndef ASM_PARISC_RUNWAY_H + #define ASM_PARISC_RUNWAY_H + +-/* declared in arch/parisc/kernel/setup.c */ +-extern struct proc_dir_entry * proc_runway_root; +- + #define RUNWAY_STATUS 0x10 + #define RUNWAY_DEBUG 0x40 + +--- a/drivers/parisc/ccio-dma.c ++++ b/drivers/parisc/ccio-dma.c +@@ -71,8 +71,6 @@ + #undef CCIO_COLLECT_STATS + #endif + +-#include /* for proc_runway_root */ +- + #ifdef DEBUG_CCIO_INIT + #define DBG_INIT(x...) printk(x) + #else +@@ -1567,10 +1565,15 @@ static int __init ccio_probe(struct pari + + #ifdef CONFIG_PROC_FS + if (ioc_count == 0) { +- proc_create_single(MODULE_NAME, 0, proc_runway_root, ++ struct proc_dir_entry *runway; ++ ++ runway = proc_mkdir("bus/runway", NULL); ++ if (runway) { ++ proc_create_single(MODULE_NAME, 0, runway, + ccio_proc_info); +- proc_create_single(MODULE_NAME"-bitmap", 0, proc_runway_root, ++ proc_create_single(MODULE_NAME"-bitmap", 0, runway, + ccio_proc_bitmap_info); ++ } + } + #endif + ioc_count++; +--- a/drivers/parisc/sba_iommu.c ++++ b/drivers/parisc/sba_iommu.c +@@ -121,7 +121,7 @@ module_param(sba_reserve_agpgart, int, 0 + MODULE_PARM_DESC(sba_reserve_agpgart, "Reserve half of IO pdir as AGPGART"); + #endif + +-struct proc_dir_entry *proc_runway_root __ro_after_init; ++static struct proc_dir_entry *proc_runway_root __ro_after_init; + struct proc_dir_entry *proc_mckinley_root __ro_after_init; + + /************************************ diff --git a/queue-6.5/pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch b/queue-6.5/pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch new file mode 100644 index 00000000000..3db49779b53 --- /dev/null +++ b/queue-6.5/pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch @@ -0,0 +1,55 @@ +From cdb50033dd6dfcf02ae3d4ee56bc1a9555be6d36 Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Mon, 3 Jul 2023 10:58:45 +0200 +Subject: PCI: rockchip: Use 64-bit mask on MSI 64-bit PCI address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rick Wertenbroek + +commit cdb50033dd6dfcf02ae3d4ee56bc1a9555be6d36 upstream. + +A 32-bit mask was used on the 64-bit PCI address used for mapping MSIs. +This would result in the upper 32 bits being unintentionally zeroed and +MSIs getting mapped to incorrect PCI addresses if the address had any +of the upper bits set. + +Replace 32-bit mask by appropriate 64-bit mask. + +[kwilczynski: use GENMASK_ULL() over GENMASK() for 32-bit compatibility] +Fixes: dc73ed0f1b8b ("PCI: rockchip: Fix window mapping and address translation for endpoint") +Closes: https://lore.kernel.org/linux-pci/8d19e5b7-8fa0-44a4-90e2-9bb06f5eb694@moroto.mountain +Link: https://lore.kernel.org/linux-pci/20230703085845.2052008-1-rick.wertenbroek@gmail.com +Reported-by: Dan Carpenter +Signed-off-by: Rick Wertenbroek +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip.h ++++ b/drivers/pci/controller/pcie-rockchip.h +@@ -158,7 +158,9 @@ + #define PCIE_RC_CONFIG_THP_CAP (PCIE_RC_CONFIG_BASE + 0x274) + #define PCIE_RC_CONFIG_THP_CAP_NEXT_MASK GENMASK(31, 20) + +-#define PCIE_ADDR_MASK 0xffffff00 ++#define MAX_AXI_IB_ROOTPORT_REGION_NUM 3 ++#define MIN_AXI_ADDR_BITS_PASSED 8 ++#define PCIE_ADDR_MASK GENMASK_ULL(63, MIN_AXI_ADDR_BITS_PASSED) + #define PCIE_CORE_AXI_CONF_BASE 0xc00000 + #define PCIE_CORE_OB_REGION_ADDR0 (PCIE_CORE_AXI_CONF_BASE + 0x0) + #define PCIE_CORE_OB_REGION_ADDR0_NUM_BITS 0x3f +@@ -185,8 +187,6 @@ + #define AXI_WRAPPER_TYPE1_CFG 0xb + #define AXI_WRAPPER_NOR_MSG 0xc + +-#define MAX_AXI_IB_ROOTPORT_REGION_NUM 3 +-#define MIN_AXI_ADDR_BITS_PASSED 8 + #define PCIE_RC_SEND_PME_OFF 0x11960 + #define ROCKCHIP_VENDOR_ID 0x1d87 + #define PCIE_LINK_IS_L2(x) \ diff --git a/queue-6.5/pm-devfreq-fix-leak-in-devfreq_dev_release.patch b/queue-6.5/pm-devfreq-fix-leak-in-devfreq_dev_release.patch new file mode 100644 index 00000000000..8d9f9aa9bcc --- /dev/null +++ b/queue-6.5/pm-devfreq-fix-leak-in-devfreq_dev_release.patch @@ -0,0 +1,34 @@ +From 5693d077595de721f9ddbf9d37f40e5409707dfe Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Wed, 9 Aug 2023 13:31:08 +0200 +Subject: PM / devfreq: Fix leak in devfreq_dev_release() + +From: Boris Brezillon + +commit 5693d077595de721f9ddbf9d37f40e5409707dfe upstream. + +srcu_init_notifier_head() allocates resources that need to be released +with a srcu_cleanup_notifier_head() call. + +Reported by kmemleak. + +Fixes: 0fe3a66410a3 ("PM / devfreq: Add new DEVFREQ_TRANSITION_NOTIFIER notifier") +Cc: +Signed-off-by: Boris Brezillon +Reviewed-by: Dhruva Gole +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/devfreq/devfreq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -763,6 +763,7 @@ static void devfreq_dev_release(struct d + dev_pm_opp_put_opp_table(devfreq->opp_table); + + mutex_destroy(&devfreq->lock); ++ srcu_cleanup_notifier_head(&devfreq->transition_notifier_list); + kfree(devfreq); + } + diff --git a/queue-6.5/printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch b/queue-6.5/printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch new file mode 100644 index 00000000000..3999dd7ddeb --- /dev/null +++ b/queue-6.5/printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch @@ -0,0 +1,49 @@ +From 53e9e33ede37a247d926db5e4a9e56b55204e66c Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 10 Aug 2023 22:45:32 -0700 +Subject: printk: ringbuffer: Fix truncating buffer size min_t cast + +From: Kees Cook + +commit 53e9e33ede37a247d926db5e4a9e56b55204e66c upstream. + +If an output buffer size exceeded U16_MAX, the min_t(u16, ...) cast in +copy_data() was causing writes to truncate. This manifested as output +bytes being skipped, seen as %NUL bytes in pstore dumps when the available +record size was larger than 65536. Fix the cast to no longer truncate +the calculation. + +Cc: Petr Mladek +Cc: Sergey Senozhatsky +Cc: Steven Rostedt +Cc: John Ogness +Reported-by: Vijay Balakrishna +Link: https://lore.kernel.org/lkml/d8bb1ec7-a4c5-43a2-9de0-9643a70b899f@linux.microsoft.com/ +Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Tested-by: Vijay Balakrishna +Tested-by: Guilherme G. Piccoli # Steam Deck +Reviewed-by: Tyler Hicks (Microsoft) +Tested-by: Tyler Hicks (Microsoft) +Reviewed-by: John Ogness +Reviewed-by: Sergey Senozhatsky +Reviewed-by: Petr Mladek +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20230811054528.never.165-kees@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/printk/printk_ringbuffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/printk/printk_ringbuffer.c ++++ b/kernel/printk/printk_ringbuffer.c +@@ -1735,7 +1735,7 @@ static bool copy_data(struct prb_data_ri + if (!buf || !buf_size) + return true; + +- data_size = min_t(u16, buf_size, len); ++ data_size = min_t(unsigned int, buf_size, len); + + memcpy(&buf[0], data, data_size); /* LMM(copy_data:A) */ + return true; diff --git a/queue-6.5/rcu-dump-vmalloc-memory-info-safely.patch b/queue-6.5/rcu-dump-vmalloc-memory-info-safely.patch new file mode 100644 index 00000000000..456c83995a2 --- /dev/null +++ b/queue-6.5/rcu-dump-vmalloc-memory-info-safely.patch @@ -0,0 +1,95 @@ +From c83ad36a18c02c0f51280b50272327807916987f Mon Sep 17 00:00:00 2001 +From: Zqiang +Date: Mon, 4 Sep 2023 18:08:05 +0000 +Subject: rcu: dump vmalloc memory info safely + +From: Zqiang + +commit c83ad36a18c02c0f51280b50272327807916987f upstream. + +Currently, for double invoke call_rcu(), will dump rcu_head objects memory +info, if the objects is not allocated from the slab allocator, the +vmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to +be held, since the call_rcu() can be invoked in interrupt context, +therefore, there is a possibility of spinlock deadlock scenarios. + +And in Preempt-RT kernel, the rcutorture test also trigger the following +lockdep warning: + +BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 +in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0 +preempt_count: 1, expected: 0 +RCU nest depth: 1, expected: 1 +3 locks held by swapper/0/1: + #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0 + #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370 + #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70 +irq event stamp: 565512 +hardirqs last enabled at (565511): [] __call_rcu_common+0x218/0x940 +hardirqs last disabled at (565512): [] rcu_torture_init+0x20b2/0x2370 +softirqs last enabled at (399112): [] __local_bh_enable_ip+0x126/0x170 +softirqs last disabled at (399106): [] inet_register_protosw+0x9/0x1d0 +Preemption disabled at: +[] rcu_torture_init+0x1f13/0x2370 +CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 +Call Trace: + + dump_stack_lvl+0x68/0xb0 + dump_stack+0x14/0x20 + __might_resched+0x1aa/0x280 + ? __pfx_rcu_torture_err_cb+0x10/0x10 + rt_spin_lock+0x53/0x130 + ? find_vmap_area+0x1f/0x70 + find_vmap_area+0x1f/0x70 + vmalloc_dump_obj+0x20/0x60 + mem_dump_obj+0x22/0x90 + __call_rcu_common+0x5bf/0x940 + ? debug_smp_processor_id+0x1b/0x30 + call_rcu_hurry+0x14/0x20 + rcu_torture_init+0x1f82/0x2370 + ? __pfx_rcu_torture_leak_cb+0x10/0x10 + ? __pfx_rcu_torture_leak_cb+0x10/0x10 + ? __pfx_rcu_torture_init+0x10/0x10 + do_one_initcall+0x6c/0x300 + ? debug_smp_processor_id+0x1b/0x30 + kernel_init_freeable+0x2b9/0x540 + ? __pfx_kernel_init+0x10/0x10 + kernel_init+0x1f/0x150 + ret_from_fork+0x40/0x50 + ? __pfx_kernel_init+0x10/0x10 + ret_from_fork_asm+0x1b/0x30 + + +The previous patch fixes this by using the deadlock-safe best-effort +version of find_vm_area. However, in case of failure print the fact that +the pointer was a vmalloc pointer so that we print at least something. + +Link: https://lkml.kernel.org/r/20230904180806.1002832-2-joel@joelfernandes.org +Fixes: 98f180837a89 ("mm: Make mem_dump_obj() handle vmalloc() memory") +Signed-off-by: Zqiang +Signed-off-by: Joel Fernandes (Google) +Reported-by: Zhen Lei +Reviewed-by: Matthew Wilcox (Oracle) +Cc: Paul E. McKenney +Cc: Uladzislau Rezki (Sony) +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/util.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/util.c ++++ b/mm/util.c +@@ -1071,7 +1071,9 @@ void mem_dump_obj(void *object) + if (vmalloc_dump_obj(object)) + return; + +- if (virt_addr_valid(object)) ++ if (is_vmalloc_addr(object)) ++ type = "vmalloc memory"; ++ else if (virt_addr_valid(object)) + type = "non-slab/vmalloc memory"; + else if (object == NULL) + type = "NULL pointer"; diff --git a/queue-6.5/riscv-mark-kasan-tmp-page-tables-variables-as-static.patch b/queue-6.5/riscv-mark-kasan-tmp-page-tables-variables-as-static.patch new file mode 100644 index 00000000000..323a7bd98ca --- /dev/null +++ b/queue-6.5/riscv-mark-kasan-tmp-page-tables-variables-as-static.patch @@ -0,0 +1,39 @@ +From dd7664d67b478afeb79a89e4586c2cd7707d17d6 Mon Sep 17 00:00:00 2001 +From: Alexandre Ghiti +Date: Tue, 4 Jul 2023 09:43:56 +0200 +Subject: riscv: Mark KASAN tmp* page tables variables as static + +From: Alexandre Ghiti + +commit dd7664d67b478afeb79a89e4586c2cd7707d17d6 upstream. + +tmp_pg_dir, tmp_p4d and tmp_pud are only used in kasan_init.c so they +should be declared as static. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202306282202.bODptiGE-lkp@intel.com/ +Fixes: 96f9d4daf745 ("riscv: Rework kasan population functions") +Signed-off-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20230704074357.233982-1-alexghiti@rivosinc.com +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/mm/kasan_init.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/riscv/mm/kasan_init.c ++++ b/arch/riscv/mm/kasan_init.c +@@ -22,9 +22,9 @@ + * region is not and then we have to go down to the PUD level. + */ + +-pgd_t tmp_pg_dir[PTRS_PER_PGD] __page_aligned_bss; +-p4d_t tmp_p4d[PTRS_PER_P4D] __page_aligned_bss; +-pud_t tmp_pud[PTRS_PER_PUD] __page_aligned_bss; ++static pgd_t tmp_pg_dir[PTRS_PER_PGD] __page_aligned_bss; ++static p4d_t tmp_p4d[PTRS_PER_P4D] __page_aligned_bss; ++static pud_t tmp_pud[PTRS_PER_PUD] __page_aligned_bss; + + static void __init kasan_populate_pte(pmd_t *pmd, unsigned long vaddr, unsigned long end) + { diff --git a/queue-6.5/riscv-move-create_tmp_mapping-to-init-sections.patch b/queue-6.5/riscv-move-create_tmp_mapping-to-init-sections.patch new file mode 100644 index 00000000000..9069df165f7 --- /dev/null +++ b/queue-6.5/riscv-move-create_tmp_mapping-to-init-sections.patch @@ -0,0 +1,32 @@ +From 9bdd924803787ceeb10f1ea399e91d75fb05d3a7 Mon Sep 17 00:00:00 2001 +From: Alexandre Ghiti +Date: Tue, 4 Jul 2023 09:43:57 +0200 +Subject: riscv: Move create_tmp_mapping() to init sections + +From: Alexandre Ghiti + +commit 9bdd924803787ceeb10f1ea399e91d75fb05d3a7 upstream. + +This function is only used at boot time so mark it as __init. + +Fixes: 96f9d4daf745 ("riscv: Rework kasan population functions") +Signed-off-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20230704074357.233982-2-alexghiti@rivosinc.com +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/mm/kasan_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/mm/kasan_init.c ++++ b/arch/riscv/mm/kasan_init.c +@@ -438,7 +438,7 @@ static void __init kasan_shallow_populat + kasan_shallow_populate_pgd(vaddr, vend); + } + +-static void create_tmp_mapping(void) ++static void __init create_tmp_mapping(void) + { + void *ptr; + p4d_t *base_p4d; diff --git a/queue-6.5/scsi-core-fix-the-scsi_set_resid-documentation.patch b/queue-6.5/scsi-core-fix-the-scsi_set_resid-documentation.patch new file mode 100644 index 00000000000..13dbab57056 --- /dev/null +++ b/queue-6.5/scsi-core-fix-the-scsi_set_resid-documentation.patch @@ -0,0 +1,42 @@ +From f669b8a683e4ee26fa5cafe19d71cec1786b556a Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Fri, 21 Jul 2023 09:01:32 -0700 +Subject: scsi: core: Fix the scsi_set_resid() documentation + +From: Bart Van Assche + +commit f669b8a683e4ee26fa5cafe19d71cec1786b556a upstream. + +Because scsi_finish_command() subtracts the residual from the buffer +length, residual overflows must not be reported. Reflect this in the SCSI +documentation. See also commit 9237f04e12cc ("scsi: core: Fix +scsi_get/set_resid() interface") + +Cc: Damien Le Moal +Cc: Hannes Reinecke +Cc: Douglas Gilbert +Cc: stable@vger.kernel.org +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20230721160154.874010-2-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/scsi/scsi_mid_low_api.rst | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/Documentation/scsi/scsi_mid_low_api.rst ++++ b/Documentation/scsi/scsi_mid_low_api.rst +@@ -1190,11 +1190,11 @@ Members of interest: + - pointer to scsi_device object that this command is + associated with. + resid +- - an LLD should set this signed integer to the requested ++ - an LLD should set this unsigned integer to the requested + transfer length (i.e. 'request_bufflen') less the number + of bytes that are actually transferred. 'resid' is + preset to 0 so an LLD can ignore it if it cannot detect +- underruns (overruns should be rare). If possible an LLD ++ underruns (overruns should not be reported). An LLD + should set 'resid' prior to invoking 'done'. The most + interesting case is data transfers from a SCSI target + device (e.g. READs) that underrun. diff --git a/queue-6.5/series b/queue-6.5/series index 94e7baa9312..807d543c21d 100644 --- a/queue-6.5/series +++ b/queue-6.5/series @@ -625,3 +625,28 @@ virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch net-deal-with-integer-overflows-in-kmalloc_reserve.patch igmp-limit-igmpv3_newpack-packet-size-to-ip_max_mtu.patch netfilter-ipset-add-the-missing-ip_set_hash_with_net0-macro-for-ip_set_hash_netportnet.c.patch +netfilter-nft_exthdr-fix-non-linear-header-modification.patch +netfilter-xt_u32-validate-user-space-input.patch +netfilter-xt_sctp-validate-the-flag_info-count.patch +skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch +drbd-swap-bvec_set_page-len-and-offset.patch +gpio-zynq-restore-zynq_gpio_irq_reqres-zynq_gpio_irq_relres-callbacks.patch +igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch +parisc-ccio-dma-create-private-runway-procfs-root-entry.patch +pm-devfreq-fix-leak-in-devfreq_dev_release.patch +multi-gen-lru-fix-per-zone-reclaim.patch +alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch +arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch +virtio_pmem-add-the-missing-req_op_write-for-flush-bio.patch +rcu-dump-vmalloc-memory-info-safely.patch +printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch +scsi-core-fix-the-scsi_set_resid-documentation.patch +mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch +cpu-hotplug-prevent-self-deadlock-on-cpu-hot-unplug.patch +media-i2c-ccs-check-rules-is-non-null.patch +media-i2c-add-a-camera-sensor-top-level-menu.patch +pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch +ipmi_si-fix-a-memleak-in-try_smi_init.patch +arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch +riscv-move-create_tmp_mapping-to-init-sections.patch +riscv-mark-kasan-tmp-page-tables-variables-as-static.patch diff --git a/queue-6.5/skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch b/queue-6.5/skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch new file mode 100644 index 00000000000..a2aaff49db0 --- /dev/null +++ b/queue-6.5/skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch @@ -0,0 +1,156 @@ +From 2ea35288c83b3d501a88bc17f2df8f176b5cc96f Mon Sep 17 00:00:00 2001 +From: Mohamed Khalfella +Date: Thu, 31 Aug 2023 02:17:02 -0600 +Subject: skbuff: skb_segment, Call zero copy functions before using skbuff frags + +From: Mohamed Khalfella + +commit 2ea35288c83b3d501a88bc17f2df8f176b5cc96f upstream. + +Commit bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions +once per nskb") added the call to zero copy functions in skb_segment(). +The change introduced a bug in skb_segment() because skb_orphan_frags() +may possibly change the number of fragments or allocate new fragments +altogether leaving nrfrags and frag to point to the old values. This can +cause a panic with stacktrace like the one below. + +[ 193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc +[ 193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G O 5.15.123+ #26 +[ 193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0 +[ 194.021892] Call Trace: +[ 194.027422] +[ 194.072861] tcp_gso_segment+0x107/0x540 +[ 194.082031] inet_gso_segment+0x15c/0x3d0 +[ 194.090783] skb_mac_gso_segment+0x9f/0x110 +[ 194.095016] __skb_gso_segment+0xc1/0x190 +[ 194.103131] netem_enqueue+0x290/0xb10 [sch_netem] +[ 194.107071] dev_qdisc_enqueue+0x16/0x70 +[ 194.110884] __dev_queue_xmit+0x63b/0xb30 +[ 194.121670] bond_start_xmit+0x159/0x380 [bonding] +[ 194.128506] dev_hard_start_xmit+0xc3/0x1e0 +[ 194.131787] __dev_queue_xmit+0x8a0/0xb30 +[ 194.138225] macvlan_start_xmit+0x4f/0x100 [macvlan] +[ 194.141477] dev_hard_start_xmit+0xc3/0x1e0 +[ 194.144622] sch_direct_xmit+0xe3/0x280 +[ 194.147748] __dev_queue_xmit+0x54a/0xb30 +[ 194.154131] tap_get_user+0x2a8/0x9c0 [tap] +[ 194.157358] tap_sendmsg+0x52/0x8e0 [tap] +[ 194.167049] handle_tx_zerocopy+0x14e/0x4c0 [vhost_net] +[ 194.173631] handle_tx+0xcd/0xe0 [vhost_net] +[ 194.176959] vhost_worker+0x76/0xb0 [vhost] +[ 194.183667] kthread+0x118/0x140 +[ 194.190358] ret_from_fork+0x1f/0x30 +[ 194.193670] + +In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags +local variable in skb_segment() stale. This resulted in the code hitting +i >= nrfrags prematurely and trying to move to next frag_skb using +list_skb pointer, which was NULL, and caused kernel panic. Move the call +to zero copy functions before using frags and nr_frags. + +Fixes: bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions once per nskb") +Signed-off-by: Mohamed Khalfella +Reported-by: Amit Goyal +Cc: stable@vger.kernel.org +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 34 ++++++++++++++++++++-------------- + 1 file changed, 20 insertions(+), 14 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4360,21 +4360,20 @@ struct sk_buff *skb_segment(struct sk_bu + struct sk_buff *segs = NULL; + struct sk_buff *tail = NULL; + struct sk_buff *list_skb = skb_shinfo(head_skb)->frag_list; +- skb_frag_t *frag = skb_shinfo(head_skb)->frags; + unsigned int mss = skb_shinfo(head_skb)->gso_size; + unsigned int doffset = head_skb->data - skb_mac_header(head_skb); +- struct sk_buff *frag_skb = head_skb; + unsigned int offset = doffset; + unsigned int tnl_hlen = skb_tnl_header_len(head_skb); + unsigned int partial_segs = 0; + unsigned int headroom; + unsigned int len = head_skb->len; ++ struct sk_buff *frag_skb; ++ skb_frag_t *frag; + __be16 proto; + bool csum, sg; +- int nfrags = skb_shinfo(head_skb)->nr_frags; + int err = -ENOMEM; + int i = 0; +- int pos; ++ int nfrags, pos; + + if ((skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY) && + mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) { +@@ -4451,6 +4450,13 @@ normal: + headroom = skb_headroom(head_skb); + pos = skb_headlen(head_skb); + ++ if (skb_orphan_frags(head_skb, GFP_ATOMIC)) ++ return ERR_PTR(-ENOMEM); ++ ++ nfrags = skb_shinfo(head_skb)->nr_frags; ++ frag = skb_shinfo(head_skb)->frags; ++ frag_skb = head_skb; ++ + do { + struct sk_buff *nskb; + skb_frag_t *nskb_frag; +@@ -4471,6 +4477,10 @@ normal: + (skb_headlen(list_skb) == len || sg)) { + BUG_ON(skb_headlen(list_skb) > len); + ++ nskb = skb_clone(list_skb, GFP_ATOMIC); ++ if (unlikely(!nskb)) ++ goto err; ++ + i = 0; + nfrags = skb_shinfo(list_skb)->nr_frags; + frag = skb_shinfo(list_skb)->frags; +@@ -4489,12 +4499,8 @@ normal: + frag++; + } + +- nskb = skb_clone(list_skb, GFP_ATOMIC); + list_skb = list_skb->next; + +- if (unlikely(!nskb)) +- goto err; +- + if (unlikely(pskb_trim(nskb, len))) { + kfree_skb(nskb); + goto err; +@@ -4570,12 +4576,16 @@ normal: + skb_shinfo(nskb)->flags |= skb_shinfo(head_skb)->flags & + SKBFL_SHARED_FRAG; + +- if (skb_orphan_frags(frag_skb, GFP_ATOMIC) || +- skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC)) ++ if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC)) + goto err; + + while (pos < offset + len) { + if (i >= nfrags) { ++ if (skb_orphan_frags(list_skb, GFP_ATOMIC) || ++ skb_zerocopy_clone(nskb, list_skb, ++ GFP_ATOMIC)) ++ goto err; ++ + i = 0; + nfrags = skb_shinfo(list_skb)->nr_frags; + frag = skb_shinfo(list_skb)->frags; +@@ -4589,10 +4599,6 @@ normal: + i--; + frag--; + } +- if (skb_orphan_frags(frag_skb, GFP_ATOMIC) || +- skb_zerocopy_clone(nskb, frag_skb, +- GFP_ATOMIC)) +- goto err; + + list_skb = list_skb->next; + } diff --git a/queue-6.5/virtio_pmem-add-the-missing-req_op_write-for-flush-bio.patch b/queue-6.5/virtio_pmem-add-the-missing-req_op_write-for-flush-bio.patch new file mode 100644 index 00000000000..cfa9b14ea34 --- /dev/null +++ b/queue-6.5/virtio_pmem-add-the-missing-req_op_write-for-flush-bio.patch @@ -0,0 +1,66 @@ +From c1dbd8a849183b9c12d257ad3043ecec50db50b3 Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Thu, 13 Jul 2023 21:54:13 +0800 +Subject: virtio_pmem: add the missing REQ_OP_WRITE for flush bio + +From: Hou Tao + +commit c1dbd8a849183b9c12d257ad3043ecec50db50b3 upstream. + +When doing mkfs.xfs on a pmem device, the following warning was +reported: + + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 384 at block/blk-core.c:751 submit_bio_noacct + Modules linked in: + CPU: 2 PID: 384 Comm: mkfs.xfs Not tainted 6.4.0-rc7+ #154 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) + RIP: 0010:submit_bio_noacct+0x340/0x520 + ...... + Call Trace: + + ? submit_bio_noacct+0xd5/0x520 + submit_bio+0x37/0x60 + async_pmem_flush+0x79/0xa0 + nvdimm_flush+0x17/0x40 + pmem_submit_bio+0x370/0x390 + __submit_bio+0xbc/0x190 + submit_bio_noacct_nocheck+0x14d/0x370 + submit_bio_noacct+0x1ef/0x520 + submit_bio+0x55/0x60 + submit_bio_wait+0x5a/0xc0 + blkdev_issue_flush+0x44/0x60 + +The root cause is that submit_bio_noacct() needs bio_op() is either +WRITE or ZONE_APPEND for flush bio and async_pmem_flush() doesn't assign +REQ_OP_WRITE when allocating flush bio, so submit_bio_noacct just fail +the flush bio. + +Simply fix it by adding the missing REQ_OP_WRITE for flush bio. And we +could fix the flush order issue and do flush optimization later. + +Cc: stable@vger.kernel.org # 6.3+ +Fixes: b4a6bb3a67aa ("block: add a sanity check for non-write flush/fua bios") +Reviewed-by: Christoph Hellwig +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Pankaj Gupta +Tested-by: Pankaj Gupta +Signed-off-by: Hou Tao +Signed-off-by: Dave Jiang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvdimm/nd_virtio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/nvdimm/nd_virtio.c ++++ b/drivers/nvdimm/nd_virtio.c +@@ -105,7 +105,8 @@ int async_pmem_flush(struct nd_region *n + * parent bio. Otherwise directly call nd_region flush. + */ + if (bio && bio->bi_iter.bi_sector != -1) { +- struct bio *child = bio_alloc(bio->bi_bdev, 0, REQ_PREFLUSH, ++ struct bio *child = bio_alloc(bio->bi_bdev, 0, ++ REQ_OP_WRITE | REQ_PREFLUSH, + GFP_ATOMIC); + + if (!child)