From 32c99b08ecd991edac66c40392f83f3c40fa5855 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 22 Aug 2024 08:07:38 +0800 Subject: [PATCH] 6.6-stable patches added patches: gtp-pull-network-headers-in-gtp_dev_xmit.patch i2c-stm32f7-add-atomic_xfer-method-to-driver.patch jfs-define-xtree-root-and-page-independently.patch --- ...pull-network-headers-in-gtp_dev_xmit.patch | 93 ++++++++++ ...2f7-add-atomic_xfer-method-to-driver.patch | 129 ++++++++++++++ ...ne-xtree-root-and-page-independently.patch | 165 ++++++++++++++++++ queue-6.6/series | 3 + 4 files changed, 390 insertions(+) create mode 100644 queue-6.6/gtp-pull-network-headers-in-gtp_dev_xmit.patch create mode 100644 queue-6.6/i2c-stm32f7-add-atomic_xfer-method-to-driver.patch create mode 100644 queue-6.6/jfs-define-xtree-root-and-page-independently.patch diff --git a/queue-6.6/gtp-pull-network-headers-in-gtp_dev_xmit.patch b/queue-6.6/gtp-pull-network-headers-in-gtp_dev_xmit.patch new file mode 100644 index 00000000000..28558a6c4a3 --- /dev/null +++ b/queue-6.6/gtp-pull-network-headers-in-gtp_dev_xmit.patch @@ -0,0 +1,93 @@ +From 3a3be7ff9224f424e485287b54be00d2c6bd9c40 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 8 Aug 2024 13:24:55 +0000 +Subject: gtp: pull network headers in gtp_dev_xmit() + +From: Eric Dumazet + +commit 3a3be7ff9224f424e485287b54be00d2c6bd9c40 upstream. + +syzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1] + +We must make sure the IPv4 or Ipv6 header is pulled in skb->head +before accessing fields in them. + +Use pskb_inet_may_pull() to fix this issue. + +[1] +BUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline] + BUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline] + BUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281 + ipv6_pdp_find drivers/net/gtp.c:220 [inline] + gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline] + gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281 + __netdev_start_xmit include/linux/netdevice.h:4913 [inline] + netdev_start_xmit include/linux/netdevice.h:4922 [inline] + xmit_one net/core/dev.c:3580 [inline] + dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596 + __dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423 + dev_queue_xmit include/linux/netdevice.h:3105 [inline] + packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 + packet_snd net/packet/af_packet.c:3145 [inline] + packet_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:745 + __sys_sendto+0x685/0x830 net/socket.c:2204 + __do_sys_sendto net/socket.c:2216 [inline] + __se_sys_sendto net/socket.c:2212 [inline] + __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212 + x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:3994 [inline] + slab_alloc_node mm/slub.c:4037 [inline] + kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583 + __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674 + alloc_skb include/linux/skbuff.h:1320 [inline] + alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526 + sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815 + packet_alloc_skb net/packet/af_packet.c:2994 [inline] + packet_snd net/packet/af_packet.c:3088 [inline] + packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:745 + __sys_sendto+0x685/0x830 net/socket.c:2204 + __do_sys_sendto net/socket.c:2216 [inline] + __se_sys_sendto net/socket.c:2212 [inline] + __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212 + x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 + +Fixes: 999cb275c807 ("gtp: add IPv6 support") +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Eric Dumazet +Cc: Harald Welte +Reviewed-by: Pablo Neira Ayuso +Link: https://patch.msgid.link/20240808132455.3413916-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/gtp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -901,6 +901,9 @@ static netdev_tx_t gtp_dev_xmit(struct s + if (skb_cow_head(skb, dev->needed_headroom)) + goto tx_err; + ++ if (!pskb_inet_may_pull(skb)) ++ goto tx_err; ++ + skb_reset_inner_headers(skb); + + /* PDP context lookups in gtp_build_skb_*() need rcu read-side lock. */ diff --git a/queue-6.6/i2c-stm32f7-add-atomic_xfer-method-to-driver.patch b/queue-6.6/i2c-stm32f7-add-atomic_xfer-method-to-driver.patch new file mode 100644 index 00000000000..a274f905098 --- /dev/null +++ b/queue-6.6/i2c-stm32f7-add-atomic_xfer-method-to-driver.patch @@ -0,0 +1,129 @@ +From 470a662688563d8f5e0fb164930d6f5507a883e4 Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Wed, 16 Aug 2023 10:05:52 +0200 +Subject: i2c: stm32f7: Add atomic_xfer method to driver + +From: Sean Nyekjaer + +commit 470a662688563d8f5e0fb164930d6f5507a883e4 upstream. + +Add an atomic_xfer method to the driver so that it behaves correctly +when controlling a PMIC that is responsible for device shutdown. + +The atomic_xfer method added is similar to the one from the i2c-mv64xxx +driver. When running an atomic_xfer a bool flag in the driver data is +set, the interrupt is not unmasked on transfer start, and the IRQ +handler is manually invoked while waiting for pending transfers to +complete. + +Signed-off-by: Sean Nyekjaer +Acked-by: Andi Shyti +Signed-off-by: Wolfram Sang +Cc: Christoph Niedermaier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-stm32f7.c | 51 +++++++++++++++++++++++++++++++++++---- + 1 file changed, 47 insertions(+), 4 deletions(-) + +--- a/drivers/i2c/busses/i2c-stm32f7.c ++++ b/drivers/i2c/busses/i2c-stm32f7.c +@@ -357,6 +357,7 @@ struct stm32f7_i2c_dev { + u32 dnf_dt; + u32 dnf; + struct stm32f7_i2c_alert *alert; ++ bool atomic; + }; + + /* +@@ -915,7 +916,8 @@ static void stm32f7_i2c_xfer_msg(struct + + /* Configure DMA or enable RX/TX interrupt */ + i2c_dev->use_dma = false; +- if (i2c_dev->dma && f7_msg->count >= STM32F7_I2C_DMA_LEN_MIN) { ++ if (i2c_dev->dma && f7_msg->count >= STM32F7_I2C_DMA_LEN_MIN ++ && !i2c_dev->atomic) { + ret = stm32_i2c_prep_dma_xfer(i2c_dev->dev, i2c_dev->dma, + msg->flags & I2C_M_RD, + f7_msg->count, f7_msg->buf, +@@ -939,6 +941,9 @@ static void stm32f7_i2c_xfer_msg(struct + cr1 |= STM32F7_I2C_CR1_TXDMAEN; + } + ++ if (i2c_dev->atomic) ++ cr1 &= ~STM32F7_I2C_ALL_IRQ_MASK; /* Disable all interrupts */ ++ + /* Configure Start/Repeated Start */ + cr2 |= STM32F7_I2C_CR2_START; + +@@ -1673,7 +1678,22 @@ static irqreturn_t stm32f7_i2c_isr_error + return IRQ_HANDLED; + } + +-static int stm32f7_i2c_xfer(struct i2c_adapter *i2c_adap, ++static int stm32f7_i2c_wait_polling(struct stm32f7_i2c_dev *i2c_dev) ++{ ++ ktime_t timeout = ktime_add_ms(ktime_get(), i2c_dev->adap.timeout); ++ ++ while (ktime_compare(ktime_get(), timeout) < 0) { ++ udelay(5); ++ stm32f7_i2c_isr_event(0, i2c_dev); ++ ++ if (completion_done(&i2c_dev->complete)) ++ return 1; ++ } ++ ++ return 0; ++} ++ ++static int stm32f7_i2c_xfer_core(struct i2c_adapter *i2c_adap, + struct i2c_msg msgs[], int num) + { + struct stm32f7_i2c_dev *i2c_dev = i2c_get_adapdata(i2c_adap); +@@ -1697,8 +1717,12 @@ static int stm32f7_i2c_xfer(struct i2c_a + + stm32f7_i2c_xfer_msg(i2c_dev, msgs); + +- time_left = wait_for_completion_timeout(&i2c_dev->complete, +- i2c_dev->adap.timeout); ++ if (!i2c_dev->atomic) ++ time_left = wait_for_completion_timeout(&i2c_dev->complete, ++ i2c_dev->adap.timeout); ++ else ++ time_left = stm32f7_i2c_wait_polling(i2c_dev); ++ + ret = f7_msg->result; + if (ret) { + if (i2c_dev->use_dma) +@@ -1730,6 +1754,24 @@ pm_free: + return (ret < 0) ? ret : num; + } + ++static int stm32f7_i2c_xfer(struct i2c_adapter *i2c_adap, ++ struct i2c_msg msgs[], int num) ++{ ++ struct stm32f7_i2c_dev *i2c_dev = i2c_get_adapdata(i2c_adap); ++ ++ i2c_dev->atomic = false; ++ return stm32f7_i2c_xfer_core(i2c_adap, msgs, num); ++} ++ ++static int stm32f7_i2c_xfer_atomic(struct i2c_adapter *i2c_adap, ++ struct i2c_msg msgs[], int num) ++{ ++ struct stm32f7_i2c_dev *i2c_dev = i2c_get_adapdata(i2c_adap); ++ ++ i2c_dev->atomic = true; ++ return stm32f7_i2c_xfer_core(i2c_adap, msgs, num); ++} ++ + static int stm32f7_i2c_smbus_xfer(struct i2c_adapter *adapter, u16 addr, + unsigned short flags, char read_write, + u8 command, int size, +@@ -2098,6 +2140,7 @@ static u32 stm32f7_i2c_func(struct i2c_a + + static const struct i2c_algorithm stm32f7_i2c_algo = { + .master_xfer = stm32f7_i2c_xfer, ++ .master_xfer_atomic = stm32f7_i2c_xfer_atomic, + .smbus_xfer = stm32f7_i2c_smbus_xfer, + .functionality = stm32f7_i2c_func, + .reg_slave = stm32f7_i2c_reg_slave, diff --git a/queue-6.6/jfs-define-xtree-root-and-page-independently.patch b/queue-6.6/jfs-define-xtree-root-and-page-independently.patch new file mode 100644 index 00000000000..47a692385a9 --- /dev/null +++ b/queue-6.6/jfs-define-xtree-root-and-page-independently.patch @@ -0,0 +1,165 @@ +From a779ed754e52d582b8c0e17959df063108bd0656 Mon Sep 17 00:00:00 2001 +From: Dave Kleikamp +Date: Thu, 5 Oct 2023 09:16:14 -0500 +Subject: jfs: define xtree root and page independently + +From: Dave Kleikamp + +commit a779ed754e52d582b8c0e17959df063108bd0656 upstream. + +In order to make array bounds checking sane, provide a separate +definition of the in-inode xtree root and the external xtree page. + +Signed-off-by: Dave Kleikamp +Tested-by: Manas Ghandat +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/jfs_dinode.h | 2 +- + fs/jfs/jfs_imap.c | 6 +++--- + fs/jfs/jfs_incore.h | 2 +- + fs/jfs/jfs_txnmgr.c | 4 ++-- + fs/jfs/jfs_xtree.c | 4 ++-- + fs/jfs/jfs_xtree.h | 37 +++++++++++++++++++++++-------------- + 6 files changed, 32 insertions(+), 23 deletions(-) + +--- a/fs/jfs/jfs_dinode.h ++++ b/fs/jfs/jfs_dinode.h +@@ -96,7 +96,7 @@ struct dinode { + #define di_gengen u._file._u1._imap._gengen + + union { +- xtpage_t _xtroot; ++ xtroot_t _xtroot; + struct { + u8 unused[16]; /* 16: */ + dxd_t _dxd; /* 16: */ +--- a/fs/jfs/jfs_imap.c ++++ b/fs/jfs/jfs_imap.c +@@ -673,7 +673,7 @@ int diWrite(tid_t tid, struct inode *ip) + * This is the special xtree inside the directory for storing + * the directory table + */ +- xtpage_t *p, *xp; ++ xtroot_t *p, *xp; + xad_t *xad; + + jfs_ip->xtlid = 0; +@@ -687,7 +687,7 @@ int diWrite(tid_t tid, struct inode *ip) + * copy xtree root from inode to dinode: + */ + p = &jfs_ip->i_xtroot; +- xp = (xtpage_t *) &dp->di_dirtable; ++ xp = (xtroot_t *) &dp->di_dirtable; + lv = ilinelock->lv; + for (n = 0; n < ilinelock->index; n++, lv++) { + memcpy(&xp->xad[lv->offset], &p->xad[lv->offset], +@@ -716,7 +716,7 @@ int diWrite(tid_t tid, struct inode *ip) + * regular file: 16 byte (XAD slot) granularity + */ + if (type & tlckXTREE) { +- xtpage_t *p, *xp; ++ xtroot_t *p, *xp; + xad_t *xad; + + /* +--- a/fs/jfs/jfs_incore.h ++++ b/fs/jfs/jfs_incore.h +@@ -66,7 +66,7 @@ struct jfs_inode_info { + lid_t xtlid; /* lid of xtree lock on directory */ + union { + struct { +- xtpage_t _xtroot; /* 288: xtree root */ ++ xtroot_t _xtroot; /* 288: xtree root */ + struct inomap *_imap; /* 4: inode map header */ + } file; + struct { +--- a/fs/jfs/jfs_txnmgr.c ++++ b/fs/jfs/jfs_txnmgr.c +@@ -783,7 +783,7 @@ struct tlock *txLock(tid_t tid, struct i + if (mp->xflag & COMMIT_PAGE) + p = (xtpage_t *) mp->data; + else +- p = &jfs_ip->i_xtroot; ++ p = (xtpage_t *) &jfs_ip->i_xtroot; + xtlck->lwm.offset = + le16_to_cpu(p->header.nextindex); + } +@@ -1676,7 +1676,7 @@ static void xtLog(struct jfs_log * log, + + if (tlck->type & tlckBTROOT) { + lrd->log.redopage.type |= cpu_to_le16(LOG_BTROOT); +- p = &JFS_IP(ip)->i_xtroot; ++ p = (xtpage_t *) &JFS_IP(ip)->i_xtroot; + if (S_ISDIR(ip->i_mode)) + lrd->log.redopage.type |= + cpu_to_le16(LOG_DIR_XTREE); +--- a/fs/jfs/jfs_xtree.c ++++ b/fs/jfs/jfs_xtree.c +@@ -1213,7 +1213,7 @@ xtSplitRoot(tid_t tid, + struct xtlock *xtlck; + int rc; + +- sp = &JFS_IP(ip)->i_xtroot; ++ sp = (xtpage_t *) &JFS_IP(ip)->i_xtroot; + + INCREMENT(xtStat.split); + +@@ -2098,7 +2098,7 @@ int xtAppend(tid_t tid, /* transaction + */ + void xtInitRoot(tid_t tid, struct inode *ip) + { +- xtpage_t *p; ++ xtroot_t *p; + + /* + * acquire a transaction lock on the root +--- a/fs/jfs/jfs_xtree.h ++++ b/fs/jfs/jfs_xtree.h +@@ -65,24 +65,33 @@ struct xadlist { + #define XTPAGEMAXSLOT 256 + #define XTENTRYSTART 2 + ++struct xtheader { ++ __le64 next; /* 8: */ ++ __le64 prev; /* 8: */ ++ ++ u8 flag; /* 1: */ ++ u8 rsrvd1; /* 1: */ ++ __le16 nextindex; /* 2: next index = number of entries */ ++ __le16 maxentry; /* 2: max number of entries */ ++ __le16 rsrvd2; /* 2: */ ++ ++ pxd_t self; /* 8: self */ ++}; ++ + /* +- * xtree page: ++ * xtree root (in inode): + */ + typedef union { +- struct xtheader { +- __le64 next; /* 8: */ +- __le64 prev; /* 8: */ +- +- u8 flag; /* 1: */ +- u8 rsrvd1; /* 1: */ +- __le16 nextindex; /* 2: next index = number of entries */ +- __le16 maxentry; /* 2: max number of entries */ +- __le16 rsrvd2; /* 2: */ +- +- pxd_t self; /* 8: self */ +- } header; /* (32) */ +- ++ struct xtheader header; + xad_t xad[XTROOTMAXSLOT]; /* 16 * maxentry: xad array */ ++} xtroot_t; ++ ++/* ++ * xtree page: ++ */ ++typedef union { ++ struct xtheader header; ++ xad_t xad[XTPAGEMAXSLOT]; /* 16 * maxentry: xad array */ + } xtpage_t; + + /* diff --git a/queue-6.6/series b/queue-6.6/series index ed74732a205..d1df0bfa156 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -220,3 +220,6 @@ ionic-use-pci_is_enabled-not-open-code.patch ionic-check-cmd_regs-before-copying-in-or-out.patch edac-skx_common-allow-decoding-of-sgx-addresses.patch nvme-fix-namespace-removal-list.patch +gtp-pull-network-headers-in-gtp_dev_xmit.patch +jfs-define-xtree-root-and-page-independently.patch +i2c-stm32f7-add-atomic_xfer-method-to-driver.patch -- 2.47.3