From c3f49af4548eddcd8cc822cf8d85c777b4e7b774 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 3 Dec 2022 04:21:44 -0500 Subject: [PATCH] Fixes for 5.10 Signed-off-by: Sasha Levin --- ...fs-fix-fileserver-probe-rtt-handling.patch | 50 +++ ...purge-addresses-when-setting-the-num.patch | 91 +++++ ...-at91-rm9200-fix-usb-device-clock-id.patch | 64 ++++ ...spin-lock-field-from-user-in-bpf_sel.patch | 42 +++ ...prog-name-when-reporting-subprog-ksy.patch | 57 +++ ..._path-before-copying-inodes-to-users.patch | 68 ++++ ..._enabled-check-to-rescan_should_stop.patch | 66 ++++ ...-sleep-from-invalid-context-bug-in-b.patch | 65 ++++ ...tor-parameter-to-btrfs_ioctl_logical.patch | 124 ++++++ ..._isa_probe-add-missing-free_cc770dev.patch | 59 +++ ...sja1000_isa_probe-add-missing-free_s.patch | 59 +++ ...ally-revert-drm-amdgpu-update-drm_di.patch | 42 +++ ...e-drm_display_info-correctly-when-th.patch | 71 ++++ ...st-fix-drm_dp_mst_add_affected_dsc_c.patch | 42 +++ .../dsa-lan9303-correct-stat-name.patch | 43 +++ ...e-use-after-free-in-e100_xmit_prepar.patch | 45 +++ .../e100-switch-from-pci_-to-dma_-api.patch | 356 ++++++++++++++++++ ...-error-handling-in-fm10k_init_module.patch | 76 ++++ ...heck-for-null-before-removing-sysfs-.patch | 64 ++++ ...ix-pci-device-refcount-leak-in-nv1a_.patch | 45 +++ ..._temp-fix-missing-pci_disable_device.patch | 37 ++ ...-possible-uaf-when-ibmpex_register_b.patch | 44 +++ ...1-fix-shunt-sum-critical-calculation.patch | 47 +++ ...wmon-ltc2947-fix-temperature-scaling.patch | 43 +++ ...x-error-handling-in-i40e_init_module.patch | 59 +++ ...x-error-handling-in-iavf_init_module.patch | 55 +++ .../iavf-remove-redundant-ret-variable.patch | 68 ++++ ...403-fix-oob-read-in-afe4403_read_raw.patch | 72 ++++ ...04-fix-oob-read-in-afe4404_-read-wri.patch | 102 +++++ ...521-add-missing-kconfig-dependencies.patch | 47 +++ ...resource-leak-in-ixgbevf_init_module.patch | 57 +++ ...icit-function-declaration-in-license.patch | 50 +++ ...andle-size-overflow-for-ringbuf-mmap.patch | 67 ++++ ...ential-socket-leak-in-p9_socket_open.patch | 45 +++ ...-ethernet-nixge-fix-null-dereference.patch | 75 ++++ ...esas-ravb-fix-promiscuous-mode-after.patch | 41 ++ ...net-hsr-fix-potential-use-after-free.patch | 49 +++ ...lx5-dr-fix-uninitialized-var-warning.patch | 51 +++ ...nitialized-variable-bug-in-outlen_wr.patch | 39 ++ ...e-after-free-when-reverting-terminat.patch | 40 ++ ...ix-error-handling-in-ntb_netdev_init.patch | 48 +++ ...ix-null-ptr-deref-while-probe-failed.patch | 73 ++++ ...tun-fix-use-after-free-in-tun_detach.patch | 90 +++++ ...ement-node-refcount-in-of_fwnode_get.patch | 47 +++ ...t-tp_status_csum_valid-on-checksum_c.patch | 49 +++ ...-in-atomic-context-bugs-caused-by-ms.patch | 70 ++++ ...ne-fix-regression-in-name-resolution.patch | 79 ++++ ...ory-leak-in-sctp_stream_outq_migrate.patch | 202 ++++++++++ queue-5.10/series | 53 +++ ...spi_bus_clk-if-requested-clock-is-hi.patch | 65 ++++ ...fetch-skb-cb-after-tipc_msg_validate.patch | 65 ++++ ...80211-don-t-allow-multi-bssid-in-s1g.patch | 52 +++ ...x-buffer-overflow-in-elem-comparison.patch | 41 ++ ...-possible-oob-access-in-ieee80211_ge.patch | 67 ++++ 54 files changed, 3618 insertions(+) create mode 100644 queue-5.10/afs-fix-fileserver-probe-rtt-handling.patch create mode 100644 queue-5.10/aquantia-do-not-purge-addresses-when-setting-the-num.patch create mode 100644 queue-5.10/arm-at91-rm9200-fix-usb-device-clock-id.patch create mode 100644 queue-5.10/bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch create mode 100644 queue-5.10/bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch create mode 100644 queue-5.10/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch create mode 100644 queue-5.10/btrfs-move-quota_enabled-check-to-rescan_should_stop.patch create mode 100644 queue-5.10/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch create mode 100644 queue-5.10/btrfs-sink-iterator-parameter-to-btrfs_ioctl_logical.patch create mode 100644 queue-5.10/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch create mode 100644 queue-5.10/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch create mode 100644 queue-5.10/drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch create mode 100644 queue-5.10/drm-amdgpu-update-drm_display_info-correctly-when-th.patch create mode 100644 queue-5.10/drm-display-dp_mst-fix-drm_dp_mst_add_affected_dsc_c.patch create mode 100644 queue-5.10/dsa-lan9303-correct-stat-name.patch create mode 100644 queue-5.10/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch create mode 100644 queue-5.10/e100-switch-from-pci_-to-dma_-api.patch create mode 100644 queue-5.10/fm10k-fix-error-handling-in-fm10k_init_module.patch create mode 100644 queue-5.10/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch create mode 100644 queue-5.10/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch create mode 100644 queue-5.10/hwmon-i5500_temp-fix-missing-pci_disable_device.patch create mode 100644 queue-5.10/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch create mode 100644 queue-5.10/hwmon-ina3221-fix-shunt-sum-critical-calculation.patch create mode 100644 queue-5.10/hwmon-ltc2947-fix-temperature-scaling.patch create mode 100644 queue-5.10/i40e-fix-error-handling-in-i40e_init_module.patch create mode 100644 queue-5.10/iavf-fix-error-handling-in-iavf_init_module.patch create mode 100644 queue-5.10/iavf-remove-redundant-ret-variable.patch create mode 100644 queue-5.10/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch create mode 100644 queue-5.10/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch create mode 100644 queue-5.10/iio-light-rpr0521-add-missing-kconfig-dependencies.patch create mode 100644 queue-5.10/ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch create mode 100644 queue-5.10/kbuild-fix-wimplicit-function-declaration-in-license.patch create mode 100644 queue-5.10/libbpf-handle-size-overflow-for-ringbuf-mmap.patch create mode 100644 queue-5.10/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch create mode 100644 queue-5.10/net-ethernet-nixge-fix-null-dereference.patch create mode 100644 queue-5.10/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch create mode 100644 queue-5.10/net-hsr-fix-potential-use-after-free.patch create mode 100644 queue-5.10/net-mlx5-dr-fix-uninitialized-var-warning.patch create mode 100644 queue-5.10/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch create mode 100644 queue-5.10/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch create mode 100644 queue-5.10/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch create mode 100644 queue-5.10/net-phy-fix-null-ptr-deref-while-probe-failed.patch create mode 100644 queue-5.10/net-tun-fix-use-after-free-in-tun_detach.patch create mode 100644 queue-5.10/of-property-decrement-node-refcount-in-of_fwnode_get.patch create mode 100644 queue-5.10/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch create mode 100644 queue-5.10/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch create mode 100644 queue-5.10/scripts-faddr2line-fix-regression-in-name-resolution.patch create mode 100644 queue-5.10/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch create mode 100644 queue-5.10/series create mode 100644 queue-5.10/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch create mode 100644 queue-5.10/tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch create mode 100644 queue-5.10/wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch create mode 100644 queue-5.10/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch create mode 100644 queue-5.10/wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch diff --git a/queue-5.10/afs-fix-fileserver-probe-rtt-handling.patch b/queue-5.10/afs-fix-fileserver-probe-rtt-handling.patch new file mode 100644 index 00000000000..dc209889563 --- /dev/null +++ b/queue-5.10/afs-fix-fileserver-probe-rtt-handling.patch @@ -0,0 +1,50 @@ +From edd8723c537501fe4015d189efe901fc0433180c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 22:02:56 +0000 +Subject: afs: Fix fileserver probe RTT handling + +From: David Howells + +[ Upstream commit ca57f02295f188d6c65ec02202402979880fa6d8 ] + +The fileserver probing code attempts to work out the best fileserver to +use for a volume by retrieving the RTT calculated by AF_RXRPC for the +probe call sent to each server and comparing them. Sometimes, however, +no RTT estimate is available and rxrpc_kernel_get_srtt() returns false, +leading good fileservers to be given an RTT of UINT_MAX and thus causing +the rotation algorithm to ignore them. + +Fix afs_select_fileserver() to ignore rxrpc_kernel_get_srtt()'s return +value and just take the estimated RTT it provides - which will be capped +at 1 second. + +Fixes: 1d4adfaf6574 ("rxrpc: Make rxrpc_kernel_get_srtt() indicate validity") +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Tested-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/166965503999.3392585.13954054113218099395.stgit@warthog.procyon.org.uk/ +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/fs_probe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/fs_probe.c b/fs/afs/fs_probe.c +index e7e98ad63a91..04d42e49fc59 100644 +--- a/fs/afs/fs_probe.c ++++ b/fs/afs/fs_probe.c +@@ -161,8 +161,8 @@ void afs_fileserver_probe_result(struct afs_call *call) + } + } + +- if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) && +- rtt_us < server->probe.rtt) { ++ rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us); ++ if (rtt_us < server->probe.rtt) { + server->probe.rtt = rtt_us; + server->rtt = rtt_us; + alist->preferred = index; +-- +2.35.1 + diff --git a/queue-5.10/aquantia-do-not-purge-addresses-when-setting-the-num.patch b/queue-5.10/aquantia-do-not-purge-addresses-when-setting-the-num.patch new file mode 100644 index 00000000000..ca2f4c5b27c --- /dev/null +++ b/queue-5.10/aquantia-do-not-purge-addresses-when-setting-the-num.patch @@ -0,0 +1,91 @@ +From 069134b6fef1ea66a70c7a931ac99ed9614628df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 11:10:08 +0100 +Subject: aquantia: Do not purge addresses when setting the number of rings + +From: Izabela Bakollari + +[ Upstream commit 2a83891130512dafb321418a8e7c9c09268d8c59 ] + +IPV6 addresses are purged when setting the number of rx/tx +rings using ethtool -G. The function aq_set_ringparam +calls dev_close, which removes the addresses. As a solution, +call an internal function (aq_ndev_close). + +Fixes: c1af5427954b ("net: aquantia: Ethtool based ring size configuration") +Signed-off-by: Izabela Bakollari +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c | 5 +++-- + drivers/net/ethernet/aquantia/atlantic/aq_main.c | 4 ++-- + drivers/net/ethernet/aquantia/atlantic/aq_main.h | 2 ++ + 3 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c b/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c +index de2a9348bc3f..1d512e6a89f5 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c +@@ -13,6 +13,7 @@ + #include "aq_ptp.h" + #include "aq_filters.h" + #include "aq_macsec.h" ++#include "aq_main.h" + + #include + +@@ -841,7 +842,7 @@ static int aq_set_ringparam(struct net_device *ndev, + + if (netif_running(ndev)) { + ndev_running = true; +- dev_close(ndev); ++ aq_ndev_close(ndev); + } + + cfg->rxds = max(ring->rx_pending, hw_caps->rxds_min); +@@ -857,7 +858,7 @@ static int aq_set_ringparam(struct net_device *ndev, + goto err_exit; + + if (ndev_running) +- err = dev_open(ndev, NULL); ++ err = aq_ndev_open(ndev); + + err_exit: + return err; +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.c b/drivers/net/ethernet/aquantia/atlantic/aq_main.c +index ff245f75fa3d..1401fc4632b5 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.c +@@ -53,7 +53,7 @@ struct net_device *aq_ndev_alloc(void) + return ndev; + } + +-static int aq_ndev_open(struct net_device *ndev) ++int aq_ndev_open(struct net_device *ndev) + { + struct aq_nic_s *aq_nic = netdev_priv(ndev); + int err = 0; +@@ -83,7 +83,7 @@ static int aq_ndev_open(struct net_device *ndev) + return err; + } + +-static int aq_ndev_close(struct net_device *ndev) ++int aq_ndev_close(struct net_device *ndev) + { + struct aq_nic_s *aq_nic = netdev_priv(ndev); + int err = 0; +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.h b/drivers/net/ethernet/aquantia/atlantic/aq_main.h +index a5a624b9ce73..2a562ab7a5af 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.h ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.h +@@ -14,5 +14,7 @@ + + void aq_ndev_schedule_work(struct work_struct *work); + struct net_device *aq_ndev_alloc(void); ++int aq_ndev_open(struct net_device *ndev); ++int aq_ndev_close(struct net_device *ndev); + + #endif /* AQ_MAIN_H */ +-- +2.35.1 + diff --git a/queue-5.10/arm-at91-rm9200-fix-usb-device-clock-id.patch b/queue-5.10/arm-at91-rm9200-fix-usb-device-clock-id.patch new file mode 100644 index 00000000000..0d38acf24f0 --- /dev/null +++ b/queue-5.10/arm-at91-rm9200-fix-usb-device-clock-id.patch @@ -0,0 +1,64 @@ +From bf03ff51561dedb2524f299909ce1415e4d81a0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 19:59:22 +0100 +Subject: ARM: at91: rm9200: fix usb device clock id + +From: Michael Grzeschik + +[ Upstream commit 57976762428675f259339385d3324d28ee53ec02 ] + +Referring to the datasheet the index 2 is the MCKUDP. When enabled, it +"Enables the automatic disable of the Master Clock of the USB Device +Port when a suspend condition occurs". We fix the index to the real UDP +id which "Enables the 48 MHz clock of the USB Device Port". + +Cc: nicolas.ferre@microchip.com +Cc: ludovic.desroches@microchip.com +Cc: alexandre.belloni@bootlin.com +Cc: mturquette@baylibre.com +Cc: sboyd@kernel.org +Cc: claudiu.beznea@microchip.com +Cc: linux-clk@vger.kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: kernel@pengutronix.de +Fixes: 02ff48e4d7f7 ("clk: at91: add at91rm9200 pmc driver") +Fixes: 0e0e528d8260 ("ARM: dts: at91: rm9200: switch to new clock bindings") +Reviewed-by: Claudiu Beznea +Signed-off-by: Michael Grzeschik +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20221114185923.1023249-2-m.grzeschik@pengutronix.de +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91rm9200.dtsi | 2 +- + drivers/clk/at91/at91rm9200.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/at91rm9200.dtsi b/arch/arm/boot/dts/at91rm9200.dtsi +index d1181ead18e5..21344fbc89e5 100644 +--- a/arch/arm/boot/dts/at91rm9200.dtsi ++++ b/arch/arm/boot/dts/at91rm9200.dtsi +@@ -660,7 +660,7 @@ usb1: gadget@fffb0000 { + compatible = "atmel,at91rm9200-udc"; + reg = <0xfffb0000 0x4000>; + interrupts = <11 IRQ_TYPE_LEVEL_HIGH 2>; +- clocks = <&pmc PMC_TYPE_PERIPHERAL 11>, <&pmc PMC_TYPE_SYSTEM 2>; ++ clocks = <&pmc PMC_TYPE_PERIPHERAL 11>, <&pmc PMC_TYPE_SYSTEM 1>; + clock-names = "pclk", "hclk"; + status = "disabled"; + }; +diff --git a/drivers/clk/at91/at91rm9200.c b/drivers/clk/at91/at91rm9200.c +index 2c3d8e6ca63c..7cc20c0f8865 100644 +--- a/drivers/clk/at91/at91rm9200.c ++++ b/drivers/clk/at91/at91rm9200.c +@@ -38,7 +38,7 @@ static const struct clk_pll_characteristics rm9200_pll_characteristics = { + }; + + static const struct sck at91rm9200_systemck[] = { +- { .n = "udpck", .p = "usbck", .id = 2 }, ++ { .n = "udpck", .p = "usbck", .id = 1 }, + { .n = "uhpck", .p = "usbck", .id = 4 }, + { .n = "pck0", .p = "prog0", .id = 8 }, + { .n = "pck1", .p = "prog1", .id = 9 }, +-- +2.35.1 + diff --git a/queue-5.10/bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch b/queue-5.10/bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch new file mode 100644 index 00000000000..61c17c4f5ca --- /dev/null +++ b/queue-5.10/bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch @@ -0,0 +1,42 @@ +From 69800504036e8d7dbcabbd7a9c7868c3c560d0e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 08:47:19 -0500 +Subject: bpf: Do not copy spin lock field from user in bpf_selem_alloc + +From: Xu Kuohai + +[ Upstream commit 836e49e103dfeeff670c934b7d563cbd982fce87 ] + +bpf_selem_alloc function is used by inode_storage, sk_storage and +task_storage maps to set map value, for these map types, there may +be a spin lock in the map value, so if we use memcpy to copy the whole +map value from user, the spin lock field may be initialized incorrectly. + +Since the spin lock field is zeroed by kzalloc, call copy_map_value +instead of memcpy to skip copying the spin lock field to fix it. + +Fixes: 6ac99e8f23d4 ("bpf: Introduce bpf sk local storage") +Signed-off-by: Xu Kuohai +Link: https://lore.kernel.org/r/20221114134720.1057939-2-xukuohai@huawei.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_local_storage.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/bpf_local_storage.c b/kernel/bpf/bpf_local_storage.c +index 5d3a7af9ba9b..8aaaaef99f09 100644 +--- a/kernel/bpf/bpf_local_storage.c ++++ b/kernel/bpf/bpf_local_storage.c +@@ -70,7 +70,7 @@ bpf_selem_alloc(struct bpf_local_storage_map *smap, void *owner, + selem = kzalloc(smap->elem_size, GFP_ATOMIC | __GFP_NOWARN); + if (selem) { + if (value) +- memcpy(SDATA(selem)->data, value, smap->map.value_size); ++ copy_map_value(&smap->map, SDATA(selem)->data, value); + return selem; + } + +-- +2.35.1 + diff --git a/queue-5.10/bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch b/queue-5.10/bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch new file mode 100644 index 00000000000..7ee144d4665 --- /dev/null +++ b/queue-5.10/bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch @@ -0,0 +1,57 @@ +From bd643f8b1d8962cb417ca693c5618ca3504c82ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 17:57:33 +0800 +Subject: bpf, perf: Use subprog name when reporting subprog ksymbol + +From: Hou Tao + +[ Upstream commit 47df8a2f78bc34ff170d147d05b121f84e252b85 ] + +Since commit bfea9a8574f3 ("bpf: Add name to struct bpf_ksym"), when +reporting subprog ksymbol to perf, prog name instead of subprog name is +used. The backtrace of bpf program with subprogs will be incorrect as +shown below: + + ffffffffc02deace bpf_prog_e44a3057dcb151f8_overwrite+0x66 + ffffffffc02de9f7 bpf_prog_e44a3057dcb151f8_overwrite+0x9f + ffffffffa71d8d4e trace_call_bpf+0xce + ffffffffa71c2938 perf_call_bpf_enter.isra.0+0x48 + +overwrite is the entry program and it invokes the overwrite_htab subprog +through bpf_loop, but in above backtrace, overwrite program just jumps +inside itself. + +Fixing it by using subprog name when reporting subprog ksymbol. After +the fix, the output of perf script will be correct as shown below: + + ffffffffc031aad2 bpf_prog_37c0bec7d7c764a4_overwrite_htab+0x66 + ffffffffc031a9e7 bpf_prog_c7eb827ef4f23e71_overwrite+0x9f + ffffffffa3dd8d4e trace_call_bpf+0xce + ffffffffa3dc2938 perf_call_bpf_enter.isra.0+0x48 + +Fixes: bfea9a8574f3 ("bpf: Add name to struct bpf_ksym") +Signed-off-by: Hou Tao +Signed-off-by: Daniel Borkmann +Acked-by: Jiri Olsa +Link: https://lore.kernel.org/bpf/20221114095733.158588-1-houtao@huaweicloud.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 0e01216f4e5a..e9b354d521a3 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -8740,7 +8740,7 @@ static void perf_event_bpf_emit_ksymbols(struct bpf_prog *prog, + PERF_RECORD_KSYMBOL_TYPE_BPF, + (u64)(unsigned long)subprog->bpf_func, + subprog->jited_len, unregister, +- prog->aux->ksym.name); ++ subprog->aux->ksym.name); + } + } + } +-- +2.35.1 + diff --git a/queue-5.10/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch b/queue-5.10/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch new file mode 100644 index 00000000000..8c7f9d31bee --- /dev/null +++ b/queue-5.10/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch @@ -0,0 +1,68 @@ +From 398fd19f4a81715215254322a95a9031d24fcd50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 11:36:28 +0530 +Subject: btrfs: free btrfs_path before copying inodes to userspace + +From: Anand Jain + +[ Upstream commit 418ffb9e3cf6c4e2574d3a732b724916684bd133 ] + +btrfs_ioctl_logical_to_ino() frees the search path after the userspace +copy from the temp buffer @inodes. Which potentially can lead to a lock +splat. + +Fix this by freeing the path before we copy @inodes to userspace. + +CC: stable@vger.kernel.org # 4.19+ +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ioctl.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 58fe58b929d2..a17076a05c4d 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3933,21 +3933,20 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info, + size = min_t(u32, loi->size, SZ_16M); + } + +- path = btrfs_alloc_path(); +- if (!path) { +- ret = -ENOMEM; +- goto out; +- } +- + inodes = init_data_container(size); + if (IS_ERR(inodes)) { + ret = PTR_ERR(inodes); +- inodes = NULL; +- goto out; ++ goto out_loi; + } + ++ path = btrfs_alloc_path(); ++ if (!path) { ++ ret = -ENOMEM; ++ goto out; ++ } + ret = iterate_inodes_from_logical(loi->logical, fs_info, path, + inodes, ignore_offset); ++ btrfs_free_path(path); + if (ret == -EINVAL) + ret = -ENOENT; + if (ret < 0) +@@ -3959,7 +3958,6 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info, + ret = -EFAULT; + + out: +- btrfs_free_path(path); + kvfree(inodes); + out_loi: + kfree(loi); +-- +2.35.1 + diff --git a/queue-5.10/btrfs-move-quota_enabled-check-to-rescan_should_stop.patch b/queue-5.10/btrfs-move-quota_enabled-check-to-rescan_should_stop.patch new file mode 100644 index 00000000000..a0c4c9492c3 --- /dev/null +++ b/queue-5.10/btrfs-move-quota_enabled-check-to-rescan_should_stop.patch @@ -0,0 +1,66 @@ +From e607c00d7218bb5002f69ad980d23df1930feee7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jan 2022 17:16:18 +0200 +Subject: btrfs: move QUOTA_ENABLED check to rescan_should_stop from + btrfs_qgroup_rescan_worker + +From: Nikolay Borisov + +[ Upstream commit db5df254120004471e1c957957ab2f1e612dcbd6 ] + +Instead of having 2 places that short circuit the qgroup leaf scan have +everything in the qgroup_rescan_leaf function. In addition to that, also +ensure that the inconsistent qgroup flag is set when rescan_should_stop +returns true. This both retains the old behavior when -EINTR was set in +the body of the loop and at the same time also extends this behavior +when scanning is interrupted due to remount or unmount operations. + +Signed-off-by: Nikolay Borisov +Signed-off-by: David Sterba +Stable-dep-of: f7e942b5bb35 ("btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()") +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index 36da77534076..81bbb7532eb9 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -3290,7 +3290,8 @@ static int qgroup_rescan_leaf(struct btrfs_trans_handle *trans, + static bool rescan_should_stop(struct btrfs_fs_info *fs_info) + { + return btrfs_fs_closing(fs_info) || +- test_bit(BTRFS_FS_STATE_REMOUNTING, &fs_info->fs_state); ++ test_bit(BTRFS_FS_STATE_REMOUNTING, &fs_info->fs_state) || ++ !test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags); + } + + static void btrfs_qgroup_rescan_worker(struct btrfs_work *work) +@@ -3320,11 +3321,9 @@ static void btrfs_qgroup_rescan_worker(struct btrfs_work *work) + err = PTR_ERR(trans); + break; + } +- if (!test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags)) { +- err = -EINTR; +- } else { +- err = qgroup_rescan_leaf(trans, path); +- } ++ ++ err = qgroup_rescan_leaf(trans, path); ++ + if (err > 0) + btrfs_commit_transaction(trans); + else +@@ -3338,7 +3337,7 @@ static void btrfs_qgroup_rescan_worker(struct btrfs_work *work) + if (err > 0 && + fs_info->qgroup_flags & BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT) { + fs_info->qgroup_flags &= ~BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT; +- } else if (err < 0) { ++ } else if (err < 0 || stopped) { + fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT; + } + mutex_unlock(&fs_info->qgroup_rescan_lock); +-- +2.35.1 + diff --git a/queue-5.10/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch b/queue-5.10/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch new file mode 100644 index 00000000000..4e4db4e5884 --- /dev/null +++ b/queue-5.10/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch @@ -0,0 +1,65 @@ +From 0c5490f7941e693b6adccbe44ad0ed0ac578042d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 22:23:54 +0800 +Subject: btrfs: qgroup: fix sleep from invalid context bug in + btrfs_qgroup_inherit() + +From: ChenXiaoSong + +[ Upstream commit f7e942b5bb35d8e3af54053d19a6bf04143a3955 ] + +Syzkaller reported BUG as follows: + + BUG: sleeping function called from invalid context at + include/linux/sched/mm.h:274 + Call Trace: + + dump_stack_lvl+0xcd/0x134 + __might_resched.cold+0x222/0x26b + kmem_cache_alloc+0x2e7/0x3c0 + update_qgroup_limit_item+0xe1/0x390 + btrfs_qgroup_inherit+0x147b/0x1ee0 + create_subvol+0x4eb/0x1710 + btrfs_mksubvol+0xfe5/0x13f0 + __btrfs_ioctl_snap_create+0x2b0/0x430 + btrfs_ioctl_snap_create_v2+0x25a/0x520 + btrfs_ioctl+0x2a1c/0x5ce0 + __x64_sys_ioctl+0x193/0x200 + do_syscall_64+0x35/0x80 + +Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in +btrfs_run_qgroups() later outside of the spinlock context. + +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Qu Wenruo +Signed-off-by: ChenXiaoSong +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index 81bbb7532eb9..74cbbb5d8897 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2913,14 +2913,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, + dstgroup->rsv_rfer = inherit->lim.rsv_rfer; + dstgroup->rsv_excl = inherit->lim.rsv_excl; + +- ret = update_qgroup_limit_item(trans, dstgroup); +- if (ret) { +- fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT; +- btrfs_info(fs_info, +- "unable to update quota limit for %llu", +- dstgroup->qgroupid); +- goto unlock; +- } ++ qgroup_dirty(fs_info, dstgroup); + } + + if (srcid) { +-- +2.35.1 + diff --git a/queue-5.10/btrfs-sink-iterator-parameter-to-btrfs_ioctl_logical.patch b/queue-5.10/btrfs-sink-iterator-parameter-to-btrfs_ioctl_logical.patch new file mode 100644 index 00000000000..ee6042c5cb0 --- /dev/null +++ b/queue-5.10/btrfs-sink-iterator-parameter-to-btrfs_ioctl_logical.patch @@ -0,0 +1,124 @@ +From d03d8f87461b507f68219cb41dea264a7186bfb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 19:32:59 +0200 +Subject: btrfs: sink iterator parameter to btrfs_ioctl_logical_to_ino + +From: David Sterba + +[ Upstream commit e3059ec06b9f1a96826cc2bb6ed131aac0942446 ] + +There's only one function we pass to iterate_inodes_from_logical as +iterator, so we can drop the indirection and call it directly, after +moving the function to backref.c + +Signed-off-by: David Sterba +Stable-dep-of: 418ffb9e3cf6 ("btrfs: free btrfs_path before copying inodes to userspace") +Signed-off-by: Sasha Levin +--- + fs/btrfs/backref.c | 25 ++++++++++++++++++++++--- + fs/btrfs/backref.h | 3 +-- + fs/btrfs/ioctl.c | 22 +--------------------- + 3 files changed, 24 insertions(+), 26 deletions(-) + +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c +index 6942707f8b03..7208ba22e734 100644 +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -2060,10 +2060,29 @@ int iterate_extent_inodes(struct btrfs_fs_info *fs_info, + return ret; + } + ++static int build_ino_list(u64 inum, u64 offset, u64 root, void *ctx) ++{ ++ struct btrfs_data_container *inodes = ctx; ++ const size_t c = 3 * sizeof(u64); ++ ++ if (inodes->bytes_left >= c) { ++ inodes->bytes_left -= c; ++ inodes->val[inodes->elem_cnt] = inum; ++ inodes->val[inodes->elem_cnt + 1] = offset; ++ inodes->val[inodes->elem_cnt + 2] = root; ++ inodes->elem_cnt += 3; ++ } else { ++ inodes->bytes_missing += c - inodes->bytes_left; ++ inodes->bytes_left = 0; ++ inodes->elem_missed += 3; ++ } ++ ++ return 0; ++} ++ + int iterate_inodes_from_logical(u64 logical, struct btrfs_fs_info *fs_info, + struct btrfs_path *path, +- iterate_extent_inodes_t *iterate, void *ctx, +- bool ignore_offset) ++ void *ctx, bool ignore_offset) + { + int ret; + u64 extent_item_pos; +@@ -2081,7 +2100,7 @@ int iterate_inodes_from_logical(u64 logical, struct btrfs_fs_info *fs_info, + extent_item_pos = logical - found_key.objectid; + ret = iterate_extent_inodes(fs_info, found_key.objectid, + extent_item_pos, search_commit_root, +- iterate, ctx, ignore_offset); ++ build_ino_list, ctx, ignore_offset); + + return ret; + } +diff --git a/fs/btrfs/backref.h b/fs/btrfs/backref.h +index 17abde7f794c..6ed18b807b64 100644 +--- a/fs/btrfs/backref.h ++++ b/fs/btrfs/backref.h +@@ -35,8 +35,7 @@ int iterate_extent_inodes(struct btrfs_fs_info *fs_info, + bool ignore_offset); + + int iterate_inodes_from_logical(u64 logical, struct btrfs_fs_info *fs_info, +- struct btrfs_path *path, +- iterate_extent_inodes_t *iterate, void *ctx, ++ struct btrfs_path *path, void *ctx, + bool ignore_offset); + + int paths_from_inode(u64 inum, struct inode_fs_paths *ipath); +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index d0c31651ec80..58fe58b929d2 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3898,26 +3898,6 @@ static long btrfs_ioctl_ino_to_path(struct btrfs_root *root, void __user *arg) + return ret; + } + +-static int build_ino_list(u64 inum, u64 offset, u64 root, void *ctx) +-{ +- struct btrfs_data_container *inodes = ctx; +- const size_t c = 3 * sizeof(u64); +- +- if (inodes->bytes_left >= c) { +- inodes->bytes_left -= c; +- inodes->val[inodes->elem_cnt] = inum; +- inodes->val[inodes->elem_cnt + 1] = offset; +- inodes->val[inodes->elem_cnt + 2] = root; +- inodes->elem_cnt += 3; +- } else { +- inodes->bytes_missing += c - inodes->bytes_left; +- inodes->bytes_left = 0; +- inodes->elem_missed += 3; +- } +- +- return 0; +-} +- + static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info, + void __user *arg, int version) + { +@@ -3967,7 +3947,7 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info, + } + + ret = iterate_inodes_from_logical(loi->logical, fs_info, path, +- build_ino_list, inodes, ignore_offset); ++ inodes, ignore_offset); + if (ret == -EINVAL) + ret = -ENOENT; + if (ret < 0) +-- +2.35.1 + diff --git a/queue-5.10/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch b/queue-5.10/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch new file mode 100644 index 00000000000..1988ed9cfc1 --- /dev/null +++ b/queue-5.10/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch @@ -0,0 +1,59 @@ +From 233bc50ddc49aeb183f47144e1940bc9f2203ca0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 20:09:16 +0800 +Subject: can: cc770: cc770_isa_probe(): add missing free_cc770dev() + +From: Zhang Changzhong + +[ Upstream commit 62ec89e74099a3d6995988ed9f2f996b368417ec ] + +Add the missing free_cc770dev() before return from cc770_isa_probe() +in the register_cc770dev() error handling case. + +In addition, remove blanks before goto labels. + +Fixes: 7e02e5433e00 ("can: cc770: legacy CC770 ISA bus driver") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/all/1668168557-6024-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/cc770/cc770_isa.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/cc770/cc770_isa.c b/drivers/net/can/cc770/cc770_isa.c +index 194c86e0f340..8f6dccd5a587 100644 +--- a/drivers/net/can/cc770/cc770_isa.c ++++ b/drivers/net/can/cc770/cc770_isa.c +@@ -264,22 +264,24 @@ static int cc770_isa_probe(struct platform_device *pdev) + if (err) { + dev_err(&pdev->dev, + "couldn't register device (err=%d)\n", err); +- goto exit_unmap; ++ goto exit_free; + } + + dev_info(&pdev->dev, "device registered (reg_base=0x%p, irq=%d)\n", + priv->reg_base, dev->irq); + return 0; + +- exit_unmap: ++exit_free: ++ free_cc770dev(dev); ++exit_unmap: + if (mem[idx]) + iounmap(base); +- exit_release: ++exit_release: + if (mem[idx]) + release_mem_region(mem[idx], iosize); + else + release_region(port[idx], iosize); +- exit: ++exit: + return err; + } + +-- +2.35.1 + diff --git a/queue-5.10/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch b/queue-5.10/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch new file mode 100644 index 00000000000..cf8b1464ee5 --- /dev/null +++ b/queue-5.10/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch @@ -0,0 +1,59 @@ +From 6322698a9414d724472e3dbae2e2ba1de0d3639d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 20:08:41 +0800 +Subject: can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev() + +From: Zhang Changzhong + +[ Upstream commit 92dfd9310a71d28cefe6a2d5174d43fab240e631 ] + +Add the missing free_sja1000dev() before return from +sja1000_isa_probe() in the register_sja1000dev() error handling case. + +In addition, remove blanks before goto labels. + +Fixes: 2a6ba39ad6a2 ("can: sja1000: legacy SJA1000 ISA bus driver") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/all/1668168521-5540-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/sja1000/sja1000_isa.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/sja1000/sja1000_isa.c b/drivers/net/can/sja1000/sja1000_isa.c +index d513fac50718..db3e767d5320 100644 +--- a/drivers/net/can/sja1000/sja1000_isa.c ++++ b/drivers/net/can/sja1000/sja1000_isa.c +@@ -202,22 +202,24 @@ static int sja1000_isa_probe(struct platform_device *pdev) + if (err) { + dev_err(&pdev->dev, "registering %s failed (err=%d)\n", + DRV_NAME, err); +- goto exit_unmap; ++ goto exit_free; + } + + dev_info(&pdev->dev, "%s device registered (reg_base=0x%p, irq=%d)\n", + DRV_NAME, priv->reg_base, dev->irq); + return 0; + +- exit_unmap: ++exit_free: ++ free_sja1000dev(dev); ++exit_unmap: + if (mem[idx]) + iounmap(base); +- exit_release: ++exit_release: + if (mem[idx]) + release_mem_region(mem[idx], iosize); + else + release_region(port[idx], iosize); +- exit: ++exit: + return err; + } + +-- +2.35.1 + diff --git a/queue-5.10/drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch b/queue-5.10/drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch new file mode 100644 index 00000000000..f4600cd9700 --- /dev/null +++ b/queue-5.10/drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch @@ -0,0 +1,42 @@ +From e7e95050eb1ce1450ae728fab3ff710bf6c0de63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 12:34:14 -0500 +Subject: drm/amdgpu: Partially revert "drm/amdgpu: update drm_display_info + correctly when the edid is read" + +From: Alex Deucher + +[ Upstream commit 602ad43c3cd8f15cbb25ce9bb494129edb2024ed ] + +This partially reverts 20543be93ca45968f344261c1a997177e51bd7e1. + +Calling drm_connector_update_edid_property() in +amdgpu_connector_free_edid() causes a noticeable pause in +the system every 10 seconds on polled outputs so revert this +part of the change. + +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2257 +Cc: Claudio Suarez +Acked-by: Luben Tuikov +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index b352c4eb5bbd..aabfe5705bb8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -328,7 +328,6 @@ static void amdgpu_connector_free_edid(struct drm_connector *connector) + + kfree(amdgpu_connector->edid); + amdgpu_connector->edid = NULL; +- drm_connector_update_edid_property(connector, NULL); + } + + static int amdgpu_connector_ddc_get_modes(struct drm_connector *connector) +-- +2.35.1 + diff --git a/queue-5.10/drm-amdgpu-update-drm_display_info-correctly-when-th.patch b/queue-5.10/drm-amdgpu-update-drm_display_info-correctly-when-th.patch new file mode 100644 index 00000000000..8479c3e046c --- /dev/null +++ b/queue-5.10/drm-amdgpu-update-drm_display_info-correctly-when-th.patch @@ -0,0 +1,71 @@ +From 5a641374b0dc7636c4e9ab40784f5261ac18bcb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Oct 2021 13:34:58 +0200 +Subject: drm/amdgpu: update drm_display_info correctly when the edid is read + +From: Claudio Suarez + +[ Upstream commit 20543be93ca45968f344261c1a997177e51bd7e1 ] + +drm_display_info is updated by drm_get_edid() or +drm_connector_update_edid_property(). In the amdgpu driver it is almost +always updated when the edid is read in amdgpu_connector_get_edid(), +but not always. Change amdgpu_connector_get_edid() and +amdgpu_connector_free_edid() to keep drm_display_info updated. + +Reviewed-by: Harry Wentland +Signed-off-by: Claudio Suarez +Signed-off-by: Alex Deucher +Stable-dep-of: 602ad43c3cd8 ("drm/amdgpu: Partially revert "drm/amdgpu: update drm_display_info correctly when the edid is read"") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 5 ++++- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index 98d3661336a4..b352c4eb5bbd 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -315,8 +315,10 @@ static void amdgpu_connector_get_edid(struct drm_connector *connector) + if (!amdgpu_connector->edid) { + /* some laptops provide a hardcoded edid in rom for LCDs */ + if (((connector->connector_type == DRM_MODE_CONNECTOR_LVDS) || +- (connector->connector_type == DRM_MODE_CONNECTOR_eDP))) ++ (connector->connector_type == DRM_MODE_CONNECTOR_eDP))) { + amdgpu_connector->edid = amdgpu_connector_get_hardcoded_edid(adev); ++ drm_connector_update_edid_property(connector, amdgpu_connector->edid); ++ } + } + } + +@@ -326,6 +328,7 @@ static void amdgpu_connector_free_edid(struct drm_connector *connector) + + kfree(amdgpu_connector->edid); + amdgpu_connector->edid = NULL; ++ drm_connector_update_edid_property(connector, NULL); + } + + static int amdgpu_connector_ddc_get_modes(struct drm_connector *connector) +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 55ecc67592eb..167a1ee518a8 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2348,13 +2348,12 @@ void amdgpu_dm_update_connector_after_detect( + aconnector->edid = + (struct edid *)sink->dc_edid.raw_edid; + +- drm_connector_update_edid_property(connector, +- aconnector->edid); + if (aconnector->dc_link->aux_mode) + drm_dp_cec_set_edid(&aconnector->dm_dp_aux.aux, + aconnector->edid); + } + ++ drm_connector_update_edid_property(connector, aconnector->edid); + amdgpu_dm_update_freesync_caps(connector, aconnector->edid); + update_connector_ext_caps(aconnector); + } else { +-- +2.35.1 + diff --git a/queue-5.10/drm-display-dp_mst-fix-drm_dp_mst_add_affected_dsc_c.patch b/queue-5.10/drm-display-dp_mst-fix-drm_dp_mst_add_affected_dsc_c.patch new file mode 100644 index 00000000000..9b2b78a3593 --- /dev/null +++ b/queue-5.10/drm-display-dp_mst-fix-drm_dp_mst_add_affected_dsc_c.patch @@ -0,0 +1,42 @@ +From a7e499e22048e054a36f4b1d2abbf1d142291558 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 17:17:53 -0500 +Subject: drm/display/dp_mst: Fix drm_dp_mst_add_affected_dsc_crtcs() return + code + +From: Lyude Paul + +[ Upstream commit 2f3a1273862cb82cca227630cc7f04ce0c94b6bb ] + +Looks like that we're accidentally dropping a pretty important return code +here. For some reason, we just return -EINVAL if we fail to get the MST +topology state. This is wrong: error codes are important and should never +be squashed without being handled, which here seems to have the potential +to cause a deadlock. + +Signed-off-by: Lyude Paul +Reviewed-by: Wayne Lin +Fixes: 8ec046716ca8 ("drm/dp_mst: Add helper to trigger modeset on affected DSC MST CRTCs") +Cc: # v5.6+ +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c +index 4272cd3622f8..0feeac52e4eb 100644 +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -5238,7 +5238,7 @@ int drm_dp_mst_add_affected_dsc_crtcs(struct drm_atomic_state *state, struct drm + mst_state = drm_atomic_get_mst_topology_state(state, mgr); + + if (IS_ERR(mst_state)) +- return -EINVAL; ++ return PTR_ERR(mst_state); + + list_for_each_entry(pos, &mst_state->vcpis, next) { + +-- +2.35.1 + diff --git a/queue-5.10/dsa-lan9303-correct-stat-name.patch b/queue-5.10/dsa-lan9303-correct-stat-name.patch new file mode 100644 index 00000000000..08c6124223a --- /dev/null +++ b/queue-5.10/dsa-lan9303-correct-stat-name.patch @@ -0,0 +1,43 @@ +From 749074f7faffbcdefec9d349727a525a84267cbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 13:35:59 -0600 +Subject: dsa: lan9303: Correct stat name + +From: Jerry Ray + +[ Upstream commit 39f59bca275d2d819a8788c0f962e9e89843efc9 ] + +This patch changes the reported ethtool statistics for the lan9303 +family of parts covered by this driver. + +The TxUnderRun statistic label is renamed to RxShort to accurately +reflect what stat the device is reporting. I did not reorder the +statistics as that might cause problems with existing user code that +are expecting the stats at a certain offset. + +Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") +Signed-off-by: Jerry Ray +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20221128193559.6572-1-jerry.ray@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/lan9303-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c +index 2044d440d7de..c79bb8cf962c 100644 +--- a/drivers/net/dsa/lan9303-core.c ++++ b/drivers/net/dsa/lan9303-core.c +@@ -958,7 +958,7 @@ static const struct lan9303_mib_desc lan9303_mib[] = { + { .offset = LAN9303_MAC_TX_BRDCST_CNT_0, .name = "TxBroad", }, + { .offset = LAN9303_MAC_TX_PAUSE_CNT_0, .name = "TxPause", }, + { .offset = LAN9303_MAC_TX_MULCST_CNT_0, .name = "TxMulti", }, +- { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "TxUnderRun", }, ++ { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "RxShort", }, + { .offset = LAN9303_MAC_TX_64_CNT_0, .name = "Tx64Byte", }, + { .offset = LAN9303_MAC_TX_127_CNT_0, .name = "Tx128Byte", }, + { .offset = LAN9303_MAC_TX_255_CNT_0, .name = "Tx256Byte", }, +-- +2.35.1 + diff --git a/queue-5.10/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch b/queue-5.10/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch new file mode 100644 index 00000000000..be3d6b415f8 --- /dev/null +++ b/queue-5.10/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch @@ -0,0 +1,45 @@ +From 7b47fbb571aa418b2dca8ae531378ef2593cae4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 01:24:07 +0800 +Subject: e100: Fix possible use after free in e100_xmit_prepare + +From: Wang Hai + +[ Upstream commit 45605c75c52c7ae7bfe902214343aabcfe5ba0ff ] + +In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so +e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will +resend the skb. But the skb is already freed, which will cause UAF bug +when the upper layer resends the skb. + +Remove the harmful free. + +Fixes: 5e5d49422dfb ("e100: Release skb when DMA mapping is failed in e100_xmit_prepare") +Signed-off-by: Wang Hai +Reviewed-by: Alexander Duyck +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index 7ccf890ee735..001850d578e8 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -1742,11 +1742,8 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb, + dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len, + DMA_TO_DEVICE); + /* If we can't map the skb, have the upper layer try later */ +- if (dma_mapping_error(&nic->pdev->dev, dma_addr)) { +- dev_kfree_skb_any(skb); +- skb = NULL; ++ if (dma_mapping_error(&nic->pdev->dev, dma_addr)) + return -ENOMEM; +- } + + /* + * Use the last 4 bytes of the SKB payload packet as the CRC, used for +-- +2.35.1 + diff --git a/queue-5.10/e100-switch-from-pci_-to-dma_-api.patch b/queue-5.10/e100-switch-from-pci_-to-dma_-api.patch new file mode 100644 index 00000000000..28d4881700c --- /dev/null +++ b/queue-5.10/e100-switch-from-pci_-to-dma_-api.patch @@ -0,0 +1,356 @@ +From f5ffe74baa744a3b5f511844ed9f55d3623f8f04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jan 2021 22:07:36 +0100 +Subject: e100: switch from 'pci_' to 'dma_' API + +From: Christophe JAILLET + +[ Upstream commit 4140ff1ba06d3fc16afd518736940ab742886317 ] + +The wrappers in include/linux/pci-dma-compat.h should go away. + +The patch has been generated with the coccinelle script below and has been +hand modified to replace GFP_ with a correct flag. +It has been compile tested. + +When memory is allocated in 'e100_alloc()', GFP_KERNEL can be used because +it is only called from the probe function and no lock is acquired. + +@@ +@@ +- PCI_DMA_BIDIRECTIONAL ++ DMA_BIDIRECTIONAL + +@@ +@@ +- PCI_DMA_TODEVICE ++ DMA_TO_DEVICE + +@@ +@@ +- PCI_DMA_FROMDEVICE ++ DMA_FROM_DEVICE + +@@ +@@ +- PCI_DMA_NONE ++ DMA_NONE + +@@ +expression e1, e2, e3; +@@ +- pci_alloc_consistent(e1, e2, e3) ++ dma_alloc_coherent(&e1->dev, e2, e3, GFP_) + +@@ +expression e1, e2, e3; +@@ +- pci_zalloc_consistent(e1, e2, e3) ++ dma_alloc_coherent(&e1->dev, e2, e3, GFP_) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_free_consistent(e1, e2, e3, e4) ++ dma_free_coherent(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_map_single(e1, e2, e3, e4) ++ dma_map_single(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_single(e1, e2, e3, e4) ++ dma_unmap_single(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4, e5; +@@ +- pci_map_page(e1, e2, e3, e4, e5) ++ dma_map_page(&e1->dev, e2, e3, e4, e5) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_page(e1, e2, e3, e4) ++ dma_unmap_page(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_map_sg(e1, e2, e3, e4) ++ dma_map_sg(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_sg(e1, e2, e3, e4) ++ dma_unmap_sg(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_single_for_cpu(e1, e2, e3, e4) ++ dma_sync_single_for_cpu(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_single_for_device(e1, e2, e3, e4) ++ dma_sync_single_for_device(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_sg_for_cpu(e1, e2, e3, e4) ++ dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_sg_for_device(e1, e2, e3, e4) ++ dma_sync_sg_for_device(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2; +@@ +- pci_dma_mapping_error(e1, e2) ++ dma_mapping_error(&e1->dev, e2) + +@@ +expression e1, e2; +@@ +- pci_set_dma_mask(e1, e2) ++ dma_set_mask(&e1->dev, e2) + +@@ +expression e1, e2; +@@ +- pci_set_consistent_dma_mask(e1, e2) ++ dma_set_coherent_mask(&e1->dev, e2) + +Signed-off-by: Christophe JAILLET +Tested-by: Aaron Brown +Link: https://lore.kernel.org/r/20210128210736.749724-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Jakub Kicinski +Stable-dep-of: 45605c75c52c ("e100: Fix possible use after free in e100_xmit_prepare") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 92 ++++++++++++++++--------------- + 1 file changed, 49 insertions(+), 43 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index 9295a9a1efc7..7ccf890ee735 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -1739,10 +1739,10 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb, + dma_addr_t dma_addr; + cb->command = nic->tx_command; + +- dma_addr = pci_map_single(nic->pdev, +- skb->data, skb->len, PCI_DMA_TODEVICE); ++ dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len, ++ DMA_TO_DEVICE); + /* If we can't map the skb, have the upper layer try later */ +- if (pci_dma_mapping_error(nic->pdev, dma_addr)) { ++ if (dma_mapping_error(&nic->pdev->dev, dma_addr)) { + dev_kfree_skb_any(skb); + skb = NULL; + return -ENOMEM; +@@ -1828,10 +1828,10 @@ static int e100_tx_clean(struct nic *nic) + dev->stats.tx_packets++; + dev->stats.tx_bytes += cb->skb->len; + +- pci_unmap_single(nic->pdev, +- le32_to_cpu(cb->u.tcb.tbd.buf_addr), +- le16_to_cpu(cb->u.tcb.tbd.size), +- PCI_DMA_TODEVICE); ++ dma_unmap_single(&nic->pdev->dev, ++ le32_to_cpu(cb->u.tcb.tbd.buf_addr), ++ le16_to_cpu(cb->u.tcb.tbd.size), ++ DMA_TO_DEVICE); + dev_kfree_skb_any(cb->skb); + cb->skb = NULL; + tx_cleaned = 1; +@@ -1855,10 +1855,10 @@ static void e100_clean_cbs(struct nic *nic) + while (nic->cbs_avail != nic->params.cbs.count) { + struct cb *cb = nic->cb_to_clean; + if (cb->skb) { +- pci_unmap_single(nic->pdev, +- le32_to_cpu(cb->u.tcb.tbd.buf_addr), +- le16_to_cpu(cb->u.tcb.tbd.size), +- PCI_DMA_TODEVICE); ++ dma_unmap_single(&nic->pdev->dev, ++ le32_to_cpu(cb->u.tcb.tbd.buf_addr), ++ le16_to_cpu(cb->u.tcb.tbd.size), ++ DMA_TO_DEVICE); + dev_kfree_skb(cb->skb); + } + nic->cb_to_clean = nic->cb_to_clean->next; +@@ -1925,10 +1925,10 @@ static int e100_rx_alloc_skb(struct nic *nic, struct rx *rx) + + /* Init, and map the RFD. */ + skb_copy_to_linear_data(rx->skb, &nic->blank_rfd, sizeof(struct rfd)); +- rx->dma_addr = pci_map_single(nic->pdev, rx->skb->data, +- RFD_BUF_LEN, PCI_DMA_BIDIRECTIONAL); ++ rx->dma_addr = dma_map_single(&nic->pdev->dev, rx->skb->data, ++ RFD_BUF_LEN, DMA_BIDIRECTIONAL); + +- if (pci_dma_mapping_error(nic->pdev, rx->dma_addr)) { ++ if (dma_mapping_error(&nic->pdev->dev, rx->dma_addr)) { + dev_kfree_skb_any(rx->skb); + rx->skb = NULL; + rx->dma_addr = 0; +@@ -1941,8 +1941,10 @@ static int e100_rx_alloc_skb(struct nic *nic, struct rx *rx) + if (rx->prev->skb) { + struct rfd *prev_rfd = (struct rfd *)rx->prev->skb->data; + put_unaligned_le32(rx->dma_addr, &prev_rfd->link); +- pci_dma_sync_single_for_device(nic->pdev, rx->prev->dma_addr, +- sizeof(struct rfd), PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_device(&nic->pdev->dev, ++ rx->prev->dma_addr, ++ sizeof(struct rfd), ++ DMA_BIDIRECTIONAL); + } + + return 0; +@@ -1961,8 +1963,8 @@ static int e100_rx_indicate(struct nic *nic, struct rx *rx, + return -EAGAIN; + + /* Need to sync before taking a peek at cb_complete bit */ +- pci_dma_sync_single_for_cpu(nic->pdev, rx->dma_addr, +- sizeof(struct rfd), PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_cpu(&nic->pdev->dev, rx->dma_addr, ++ sizeof(struct rfd), DMA_BIDIRECTIONAL); + rfd_status = le16_to_cpu(rfd->status); + + netif_printk(nic, rx_status, KERN_DEBUG, nic->netdev, +@@ -1981,9 +1983,9 @@ static int e100_rx_indicate(struct nic *nic, struct rx *rx, + + if (ioread8(&nic->csr->scb.status) & rus_no_res) + nic->ru_running = RU_SUSPENDED; +- pci_dma_sync_single_for_device(nic->pdev, rx->dma_addr, +- sizeof(struct rfd), +- PCI_DMA_FROMDEVICE); ++ dma_sync_single_for_device(&nic->pdev->dev, rx->dma_addr, ++ sizeof(struct rfd), ++ DMA_FROM_DEVICE); + return -ENODATA; + } + +@@ -1995,8 +1997,8 @@ static int e100_rx_indicate(struct nic *nic, struct rx *rx, + actual_size = RFD_BUF_LEN - sizeof(struct rfd); + + /* Get data */ +- pci_unmap_single(nic->pdev, rx->dma_addr, +- RFD_BUF_LEN, PCI_DMA_BIDIRECTIONAL); ++ dma_unmap_single(&nic->pdev->dev, rx->dma_addr, RFD_BUF_LEN, ++ DMA_BIDIRECTIONAL); + + /* If this buffer has the el bit, but we think the receiver + * is still running, check to see if it really stopped while +@@ -2097,22 +2099,25 @@ static void e100_rx_clean(struct nic *nic, unsigned int *work_done, + (struct rfd *)new_before_last_rx->skb->data; + new_before_last_rfd->size = 0; + new_before_last_rfd->command |= cpu_to_le16(cb_el); +- pci_dma_sync_single_for_device(nic->pdev, +- new_before_last_rx->dma_addr, sizeof(struct rfd), +- PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_device(&nic->pdev->dev, ++ new_before_last_rx->dma_addr, ++ sizeof(struct rfd), ++ DMA_BIDIRECTIONAL); + + /* Now that we have a new stopping point, we can clear the old + * stopping point. We must sync twice to get the proper + * ordering on the hardware side of things. */ + old_before_last_rfd->command &= ~cpu_to_le16(cb_el); +- pci_dma_sync_single_for_device(nic->pdev, +- old_before_last_rx->dma_addr, sizeof(struct rfd), +- PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_device(&nic->pdev->dev, ++ old_before_last_rx->dma_addr, ++ sizeof(struct rfd), ++ DMA_BIDIRECTIONAL); + old_before_last_rfd->size = cpu_to_le16(VLAN_ETH_FRAME_LEN + + ETH_FCS_LEN); +- pci_dma_sync_single_for_device(nic->pdev, +- old_before_last_rx->dma_addr, sizeof(struct rfd), +- PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_device(&nic->pdev->dev, ++ old_before_last_rx->dma_addr, ++ sizeof(struct rfd), ++ DMA_BIDIRECTIONAL); + } + + if (restart_required) { +@@ -2134,8 +2139,9 @@ static void e100_rx_clean_list(struct nic *nic) + if (nic->rxs) { + for (rx = nic->rxs, i = 0; i < count; rx++, i++) { + if (rx->skb) { +- pci_unmap_single(nic->pdev, rx->dma_addr, +- RFD_BUF_LEN, PCI_DMA_BIDIRECTIONAL); ++ dma_unmap_single(&nic->pdev->dev, ++ rx->dma_addr, RFD_BUF_LEN, ++ DMA_BIDIRECTIONAL); + dev_kfree_skb(rx->skb); + } + } +@@ -2177,8 +2183,8 @@ static int e100_rx_alloc_list(struct nic *nic) + before_last = (struct rfd *)rx->skb->data; + before_last->command |= cpu_to_le16(cb_el); + before_last->size = 0; +- pci_dma_sync_single_for_device(nic->pdev, rx->dma_addr, +- sizeof(struct rfd), PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_device(&nic->pdev->dev, rx->dma_addr, ++ sizeof(struct rfd), DMA_BIDIRECTIONAL); + + nic->rx_to_use = nic->rx_to_clean = nic->rxs; + nic->ru_running = RU_SUSPENDED; +@@ -2377,8 +2383,8 @@ static int e100_loopback_test(struct nic *nic, enum loopback loopback_mode) + + msleep(10); + +- pci_dma_sync_single_for_cpu(nic->pdev, nic->rx_to_clean->dma_addr, +- RFD_BUF_LEN, PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_cpu(&nic->pdev->dev, nic->rx_to_clean->dma_addr, ++ RFD_BUF_LEN, DMA_BIDIRECTIONAL); + + if (memcmp(nic->rx_to_clean->skb->data + sizeof(struct rfd), + skb->data, ETH_DATA_LEN)) +@@ -2759,16 +2765,16 @@ static int e100_do_ioctl(struct net_device *netdev, struct ifreq *ifr, int cmd) + + static int e100_alloc(struct nic *nic) + { +- nic->mem = pci_alloc_consistent(nic->pdev, sizeof(struct mem), +- &nic->dma_addr); ++ nic->mem = dma_alloc_coherent(&nic->pdev->dev, sizeof(struct mem), ++ &nic->dma_addr, GFP_KERNEL); + return nic->mem ? 0 : -ENOMEM; + } + + static void e100_free(struct nic *nic) + { + if (nic->mem) { +- pci_free_consistent(nic->pdev, sizeof(struct mem), +- nic->mem, nic->dma_addr); ++ dma_free_coherent(&nic->pdev->dev, sizeof(struct mem), ++ nic->mem, nic->dma_addr); + nic->mem = NULL; + } + } +@@ -2861,7 +2867,7 @@ static int e100_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + goto err_out_disable_pdev; + } + +- if ((err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)))) { ++ if ((err = dma_set_mask(&pdev->dev, DMA_BIT_MASK(32)))) { + netif_err(nic, probe, nic->netdev, "No usable DMA configuration, aborting\n"); + goto err_out_free_res; + } +-- +2.35.1 + diff --git a/queue-5.10/fm10k-fix-error-handling-in-fm10k_init_module.patch b/queue-5.10/fm10k-fix-error-handling-in-fm10k_init_module.patch new file mode 100644 index 00000000000..c9289b17a9a --- /dev/null +++ b/queue-5.10/fm10k-fix-error-handling-in-fm10k_init_module.patch @@ -0,0 +1,76 @@ +From 4f2ab668daf4824a82831958877e8e16bf20c213 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 08:26:39 +0000 +Subject: fm10k: Fix error handling in fm10k_init_module() + +From: Yuan Can + +[ Upstream commit 771a794c0a3c3e7f0d86cc34be4f9537e8c0a20c ] + +A problem about modprobe fm10k failed is triggered with the following log +given: + + Intel(R) Ethernet Switch Host Interface Driver + Copyright(c) 2013 - 2019 Intel Corporation. + debugfs: Directory 'fm10k' with parent '/' already present! + +The reason is that fm10k_init_module() returns fm10k_register_pci_driver() +directly without checking its return value, if fm10k_register_pci_driver() +failed, it returns without removing debugfs and destroy workqueue, +resulting the debugfs of fm10k can never be created later and leaks the +workqueue. + + fm10k_init_module() + alloc_workqueue() + fm10k_dbg_init() # create debugfs + fm10k_register_pci_driver() + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without remove debugfs and destroy workqueue + +Fix by remove debugfs and destroy workqueue when +fm10k_register_pci_driver() returns error. + +Fixes: 7461fd913afe ("fm10k: Add support for debugfs") +Fixes: b382bb1b3e2d ("fm10k: use separate workqueue for fm10k driver") +Signed-off-by: Yuan Can +Reviewed-by: Jacob Keller +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/fm10k/fm10k_main.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_main.c b/drivers/net/ethernet/intel/fm10k/fm10k_main.c +index 99b8252eb969..a388a0fcbeed 100644 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c +@@ -32,6 +32,8 @@ struct workqueue_struct *fm10k_workqueue; + **/ + static int __init fm10k_init_module(void) + { ++ int ret; ++ + pr_info("%s\n", fm10k_driver_string); + pr_info("%s\n", fm10k_copyright); + +@@ -43,7 +45,13 @@ static int __init fm10k_init_module(void) + + fm10k_dbg_init(); + +- return fm10k_register_pci_driver(); ++ ret = fm10k_register_pci_driver(); ++ if (ret) { ++ fm10k_dbg_exit(); ++ destroy_workqueue(fm10k_workqueue); ++ } ++ ++ return ret; + } + module_init(fm10k_init_module); + +-- +2.35.1 + diff --git a/queue-5.10/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch b/queue-5.10/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch new file mode 100644 index 00000000000..01bbf39e91c --- /dev/null +++ b/queue-5.10/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch @@ -0,0 +1,64 @@ +From af656791b3495c9fe9e14924e3c21fdbe7ace524 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:23:13 -0500 +Subject: hwmon: (coretemp) Check for null before removing sysfs attrs + +From: Phil Auld + +[ Upstream commit a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a ] + +If coretemp_add_core() gets an error then pdata->core_data[indx] +is already NULL and has been kfreed. Don't pass that to +sysfs_remove_group() as that will crash in sysfs_remove_group(). + +[Shortened for readability] +[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label' + +[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188 +[91855.165103] #PF: supervisor read access in kernel mode +[91855.194506] #PF: error_code(0x0000) - not-present page +[91855.224445] PGD 0 P4D 0 +[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI +... +[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80 +... +[91855.796571] Call Trace: +[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp] +[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp] +[91855.871107] cpuhp_invoke_callback+0x105/0x4b0 +[91855.893432] cpuhp_thread_fun+0x8e/0x150 +... + +Fix this by checking for NULL first. + +Signed-off-by: Phil Auld +Cc: linux-hwmon@vger.kernel.org +Cc: Fenghua Yu +Cc: Jean Delvare +Cc: Guenter Roeck +Link: https://lore.kernel.org/r/20221117162313.3164803-1-pauld@redhat.com +Fixes: 199e0de7f5df3 ("hwmon: (coretemp) Merge pkgtemp with coretemp") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 032129292957..9b49bfc63ffc 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -533,6 +533,10 @@ static void coretemp_remove_core(struct platform_data *pdata, int indx) + { + struct temp_data *tdata = pdata->core_data[indx]; + ++ /* if we errored on add then this is already gone */ ++ if (!tdata) ++ return; ++ + /* Remove the sysfs attributes */ + sysfs_remove_group(&pdata->hwmon_dev->kobj, &tdata->attr_group); + +-- +2.35.1 + diff --git a/queue-5.10/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch b/queue-5.10/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch new file mode 100644 index 00000000000..4fc5ca8e688 --- /dev/null +++ b/queue-5.10/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch @@ -0,0 +1,45 @@ +From f8eeb64d29df55e1c567f21aa4d59aabe72f03f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 17:33:03 +0800 +Subject: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() + +From: Yang Yingliang + +[ Upstream commit 7dec14537c5906b8bf40fd6fd6d9c3850f8df11d ] + +As comment of pci_get_domain_bus_and_slot() says, it returns +a pci device with refcount increment, when finish using it, +the caller must decrement the reference count by calling +pci_dev_put(). So call it after using to avoid refcount leak. + +Fixes: 14513ee696a0 ("hwmon: (coretemp) Use PCI host bridge ID to identify CPU if necessary") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221118093303.214163-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 9b49bfc63ffc..42b84ebff057 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -242,10 +242,13 @@ static int adjust_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev) + */ + if (host_bridge && host_bridge->vendor == PCI_VENDOR_ID_INTEL) { + for (i = 0; i < ARRAY_SIZE(tjmax_pci_table); i++) { +- if (host_bridge->device == tjmax_pci_table[i].device) ++ if (host_bridge->device == tjmax_pci_table[i].device) { ++ pci_dev_put(host_bridge); + return tjmax_pci_table[i].tjmax; ++ } + } + } ++ pci_dev_put(host_bridge); + + for (i = 0; i < ARRAY_SIZE(tjmax_table); i++) { + if (strstr(c->x86_model_id, tjmax_table[i].id)) +-- +2.35.1 + diff --git a/queue-5.10/hwmon-i5500_temp-fix-missing-pci_disable_device.patch b/queue-5.10/hwmon-i5500_temp-fix-missing-pci_disable_device.patch new file mode 100644 index 00000000000..69070b18743 --- /dev/null +++ b/queue-5.10/hwmon-i5500_temp-fix-missing-pci_disable_device.patch @@ -0,0 +1,37 @@ +From e2e5edd9871961df75a813785589f3d5ab98f646 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 20:56:06 +0800 +Subject: hwmon: (i5500_temp) fix missing pci_disable_device() + +From: Yang Yingliang + +[ Upstream commit 3b7f98f237528c496ea0b689bace0e35eec3e060 ] + +pci_disable_device() need be called while module exiting, switch to use +pcim_enable(), pci_disable_device() will be called in pcim_release(). + +Fixes: ada072816be1 ("hwmon: (i5500_temp) New driver for the Intel 5500/5520/X58 chipsets") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221112125606.3751430-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/i5500_temp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/i5500_temp.c b/drivers/hwmon/i5500_temp.c +index 360f5aee1394..d4be03f43fb4 100644 +--- a/drivers/hwmon/i5500_temp.c ++++ b/drivers/hwmon/i5500_temp.c +@@ -108,7 +108,7 @@ static int i5500_temp_probe(struct pci_dev *pdev, + u32 tstimer; + s8 tsfsc; + +- err = pci_enable_device(pdev); ++ err = pcim_enable_device(pdev); + if (err) { + dev_err(&pdev->dev, "Failed to enable device\n"); + return err; +-- +2.35.1 + diff --git a/queue-5.10/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch b/queue-5.10/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch new file mode 100644 index 00000000000..862bb8fc561 --- /dev/null +++ b/queue-5.10/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch @@ -0,0 +1,44 @@ +From abe30a3f126170b33b7514d29723359da00b0600 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:44:23 +0800 +Subject: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails + +From: Gaosheng Cui + +[ Upstream commit e2a87785aab0dac190ac89be6a9ba955e2c634f2 ] + +Smatch report warning as follows: + +drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: + '&data->list' not removed from list + +If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will +be freed, but data->list will not be removed from driver_data.bmc_data, +then list traversal may cause UAF. + +Fix by removeing it from driver_data.bmc_data before free(). + +Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221117034423.2935739-1-cuigaosheng1@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ibmpex.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c +index b2ab83c9fd9a..fe90f0536d76 100644 +--- a/drivers/hwmon/ibmpex.c ++++ b/drivers/hwmon/ibmpex.c +@@ -502,6 +502,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev) + return; + + out_register: ++ list_del(&data->list); + hwmon_device_unregister(data->hwmon_dev); + out_user: + ipmi_destroy_user(data->user); +-- +2.35.1 + diff --git a/queue-5.10/hwmon-ina3221-fix-shunt-sum-critical-calculation.patch b/queue-5.10/hwmon-ina3221-fix-shunt-sum-critical-calculation.patch new file mode 100644 index 00000000000..b5a74c3ec0a --- /dev/null +++ b/queue-5.10/hwmon-ina3221-fix-shunt-sum-critical-calculation.patch @@ -0,0 +1,47 @@ +From b5a93d353c5e0c57961d8c999493edf59dac4857 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 12:45:08 +0800 +Subject: hwmon: (ina3221) Fix shunt sum critical calculation + +From: Ninad Malwade + +[ Upstream commit b8d27d2ce8dfc207e4b67b929a86f2be76fbc6ef ] + +The shunt sum critical limit register value should be left shifted +by one bit as its LSB-0 is a reserved bit. + +Fixes: 2057bdfb7184 ("hwmon: (ina3221) Add summation feature support") +Signed-off-by: Ninad Malwade +Reviewed-by: Thierry Reding +Link: https://lore.kernel.org/r/20221108044508.23463-1-nmalwade@nvidia.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ina3221.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/ina3221.c b/drivers/hwmon/ina3221.c +index ad11cbddc3a7..d3c98115042b 100644 +--- a/drivers/hwmon/ina3221.c ++++ b/drivers/hwmon/ina3221.c +@@ -230,7 +230,7 @@ static int ina3221_read_value(struct ina3221_data *ina, unsigned int reg, + * Shunt Voltage Sum register has 14-bit value with 1-bit shift + * Other Shunt Voltage registers have 12 bits with 3-bit shift + */ +- if (reg == INA3221_SHUNT_SUM) ++ if (reg == INA3221_SHUNT_SUM || reg == INA3221_CRIT_SUM) + *val = sign_extend32(regval >> 1, 14); + else + *val = sign_extend32(regval >> 3, 12); +@@ -465,7 +465,7 @@ static int ina3221_write_curr(struct device *dev, u32 attr, + * SHUNT_SUM: (1 / 40uV) << 1 = 1 / 20uV + * SHUNT[1-3]: (1 / 40uV) << 3 = 1 / 5uV + */ +- if (reg == INA3221_SHUNT_SUM) ++ if (reg == INA3221_SHUNT_SUM || reg == INA3221_CRIT_SUM) + regval = DIV_ROUND_CLOSEST(voltage_uv, 20) & 0xfffe; + else + regval = DIV_ROUND_CLOSEST(voltage_uv, 5) & 0xfff8; +-- +2.35.1 + diff --git a/queue-5.10/hwmon-ltc2947-fix-temperature-scaling.patch b/queue-5.10/hwmon-ltc2947-fix-temperature-scaling.patch new file mode 100644 index 00000000000..98a73fbfe16 --- /dev/null +++ b/queue-5.10/hwmon-ltc2947-fix-temperature-scaling.patch @@ -0,0 +1,43 @@ +From 1038d2997199e24657a05d20700efad73a047a8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 13:21:08 -0600 +Subject: hwmon: (ltc2947) fix temperature scaling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Derek Nguyen + +[ Upstream commit 07e06193ead86d4812f431b4d87bbd4161222e3f ] + +The LTC2947 datasheet (Rev. B) calls out in the section "Register +Description: Non-Accumulated Result Registers" (pg. 30) that "To +calculate temperature, multiply the TEMP register value by 0.204°C +and add 5.5°C". Fix to add 5.5C and not 0.55C. + +Fixes: 9f90fd652bed ("hwmon: Add support for ltc2947") +Signed-off-by: Derek Nguyen +Signed-off-by: Brandon Maier +Link: https://lore.kernel.org/r/20221110192108.20624-1-brandon.maier@collins.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ltc2947-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/ltc2947-core.c b/drivers/hwmon/ltc2947-core.c +index 5423466de697..e918490f3ff7 100644 +--- a/drivers/hwmon/ltc2947-core.c ++++ b/drivers/hwmon/ltc2947-core.c +@@ -396,7 +396,7 @@ static int ltc2947_read_temp(struct device *dev, const u32 attr, long *val, + return ret; + + /* in milidegrees celcius, temp is given by: */ +- *val = (__val * 204) + 550; ++ *val = (__val * 204) + 5500; + + return 0; + } +-- +2.35.1 + diff --git a/queue-5.10/i40e-fix-error-handling-in-i40e_init_module.patch b/queue-5.10/i40e-fix-error-handling-in-i40e_init_module.patch new file mode 100644 index 00000000000..b8caaeb43f5 --- /dev/null +++ b/queue-5.10/i40e-fix-error-handling-in-i40e_init_module.patch @@ -0,0 +1,59 @@ +From c5d2e3f9c28a5e273422214dba0d4436cf6b5f65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 09:27:25 +0800 +Subject: i40e: Fix error handling in i40e_init_module() + +From: Shang XiaoJing + +[ Upstream commit 479dd06149425b9e00477f52200872587af76a48 ] + +i40e_init_module() won't free the debugfs directory created by +i40e_dbg_init() when pci_register_driver() failed. Add fail path to +call i40e_dbg_exit() to remove the debugfs entries to prevent the bug. + +i40e: Intel(R) Ethernet Connection XL710 Network Driver +i40e: Copyright (c) 2013 - 2019 Intel Corporation. +debugfs: Directory 'i40e' with parent '/' already present! + +Fixes: 41c445ff0f48 ("i40e: main driver core") +Signed-off-by: Shang XiaoJing +Reviewed-by: Leon Romanovsky +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index ea6a984c6d12..d7ddf9239e51 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -15972,6 +15972,8 @@ static struct pci_driver i40e_driver = { + **/ + static int __init i40e_init_module(void) + { ++ int err; ++ + pr_info("%s: %s\n", i40e_driver_name, i40e_driver_string); + pr_info("%s: %s\n", i40e_driver_name, i40e_copyright); + +@@ -15989,7 +15991,14 @@ static int __init i40e_init_module(void) + } + + i40e_dbg_init(); +- return pci_register_driver(&i40e_driver); ++ err = pci_register_driver(&i40e_driver); ++ if (err) { ++ destroy_workqueue(i40e_wq); ++ i40e_dbg_exit(); ++ return err; ++ } ++ ++ return 0; + } + module_init(i40e_init_module); + +-- +2.35.1 + diff --git a/queue-5.10/iavf-fix-error-handling-in-iavf_init_module.patch b/queue-5.10/iavf-fix-error-handling-in-iavf_init_module.patch new file mode 100644 index 00000000000..c0ab32e568a --- /dev/null +++ b/queue-5.10/iavf-fix-error-handling-in-iavf_init_module.patch @@ -0,0 +1,55 @@ +From 6c858d9a53c513653e452310720a225dbf031b25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 08:26:40 +0000 +Subject: iavf: Fix error handling in iavf_init_module() + +From: Yuan Can + +[ Upstream commit 227d8d2f7f2278b8468c5531b0cd0f2a905b4486 ] + +The iavf_init_module() won't destroy workqueue when pci_register_driver() +failed. Call destroy_workqueue() when pci_register_driver() failed to +prevent the resource leak. + +Similar to the handling of u132_hcd_init in commit f276e002793c +("usb: u132-hcd: fix resource leak") + +Fixes: 2803b16c10ea ("i40e/i40evf: Use private workqueue") +Signed-off-by: Yuan Can +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index af515c3ccd5c..ae96b552a3bb 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -4026,6 +4026,8 @@ static struct pci_driver iavf_driver = { + **/ + static int __init iavf_init_module(void) + { ++ int ret; ++ + pr_info("iavf: %s\n", iavf_driver_string); + + pr_info("%s\n", iavf_copyright); +@@ -4036,7 +4038,12 @@ static int __init iavf_init_module(void) + pr_err("%s: Failed to create workqueue\n", iavf_driver_name); + return -ENOMEM; + } +- return pci_register_driver(&iavf_driver); ++ ++ ret = pci_register_driver(&iavf_driver); ++ if (ret) ++ destroy_workqueue(iavf_wq); ++ ++ return ret; + } + + module_init(iavf_init_module); +-- +2.35.1 + diff --git a/queue-5.10/iavf-remove-redundant-ret-variable.patch b/queue-5.10/iavf-remove-redundant-ret-variable.patch new file mode 100644 index 00000000000..59bc1ecb817 --- /dev/null +++ b/queue-5.10/iavf-remove-redundant-ret-variable.patch @@ -0,0 +1,68 @@ +From 948f76af9ab0ef9bb21c2a151de29c140ba93bab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jan 2022 10:46:56 +0000 +Subject: iavf: remove redundant ret variable + +From: Minghao Chi + +[ Upstream commit c3fec56e12678c3ad68084048a73818a7968d6b8 ] + +Return value directly instead of taking this in another redundant +variable. + +Reported-by: Zeal Robot +Signed-off-by: Minghao Chi +Signed-off-by: CGEL ZTE +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Stable-dep-of: 227d8d2f7f22 ("iavf: Fix error handling in iavf_init_module()") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index a9cea7ccdd86..af515c3ccd5c 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1318,7 +1318,6 @@ static void iavf_fill_rss_lut(struct iavf_adapter *adapter) + static int iavf_init_rss(struct iavf_adapter *adapter) + { + struct iavf_hw *hw = &adapter->hw; +- int ret; + + if (!RSS_PF(adapter)) { + /* Enable PCTYPES for RSS, TCP/UDP with IPv4/IPv6 */ +@@ -1334,9 +1333,8 @@ static int iavf_init_rss(struct iavf_adapter *adapter) + + iavf_fill_rss_lut(adapter); + netdev_rss_key_fill((void *)adapter->rss_key, adapter->rss_key_size); +- ret = iavf_config_rss(adapter); + +- return ret; ++ return iavf_config_rss(adapter); + } + + /** +@@ -4028,8 +4026,6 @@ static struct pci_driver iavf_driver = { + **/ + static int __init iavf_init_module(void) + { +- int ret; +- + pr_info("iavf: %s\n", iavf_driver_string); + + pr_info("%s\n", iavf_copyright); +@@ -4040,8 +4036,7 @@ static int __init iavf_init_module(void) + pr_err("%s: Failed to create workqueue\n", iavf_driver_name); + return -ENOMEM; + } +- ret = pci_register_driver(&iavf_driver); +- return ret; ++ return pci_register_driver(&iavf_driver); + } + + module_init(iavf_init_module); +-- +2.35.1 + diff --git a/queue-5.10/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch b/queue-5.10/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch new file mode 100644 index 00000000000..0dd4b32fbc9 --- /dev/null +++ b/queue-5.10/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch @@ -0,0 +1,72 @@ +From 0d55549c160538bee50437a1e4e8a3ffc6a8a237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 15:19:46 +0000 +Subject: iio: health: afe4403: Fix oob read in afe4403_read_raw + +From: Wei Yongjun + +[ Upstream commit 58143c1ed5882c138a3cd2251a336fc8755f23d9 ] + +KASAN report out-of-bounds read as follows: + +BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 +Read of size 4 at addr ffffffffc02ac638 by task cat/279 + +Call Trace: + afe4403_read_raw + iio_read_channel_info + dev_attr_show + +The buggy address belongs to the variable: + afe4403_channel_leds+0x18/0xffffffffffffe9e0 + +This issue can be reproduced by singe command: + + $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw + +The array size of afe4403_channel_leds is less than channels, so access +with chan->address cause OOB read in afe4403_read_raw. Fix it by moving +access before use it. + +Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields") +Signed-off-by: Wei Yongjun +Acked-by: Andrew Davis +Link: https://lore.kernel.org/r/20221107151946.89260-1-weiyongjun@huaweicloud.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/health/afe4403.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/health/afe4403.c b/drivers/iio/health/afe4403.c +index 38734e4ce360..82d01ac36128 100644 +--- a/drivers/iio/health/afe4403.c ++++ b/drivers/iio/health/afe4403.c +@@ -245,14 +245,14 @@ static int afe4403_read_raw(struct iio_dev *indio_dev, + int *val, int *val2, long mask) + { + struct afe4403_data *afe = iio_priv(indio_dev); +- unsigned int reg = afe4403_channel_values[chan->address]; +- unsigned int field = afe4403_channel_leds[chan->address]; ++ unsigned int reg, field; + int ret; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ reg = afe4403_channel_values[chan->address]; + ret = afe4403_read(afe, reg, val); + if (ret) + return ret; +@@ -262,6 +262,7 @@ static int afe4403_read_raw(struct iio_dev *indio_dev, + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ field = afe4403_channel_leds[chan->address]; + ret = regmap_field_read(afe->fields[field], val); + if (ret) + return ret; +-- +2.35.1 + diff --git a/queue-5.10/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch b/queue-5.10/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch new file mode 100644 index 00000000000..126ab7eef73 --- /dev/null +++ b/queue-5.10/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch @@ -0,0 +1,102 @@ +From 62278e6e079a0522318a6ceac94504daf65536bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 15:20:10 +0000 +Subject: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw + +From: Wei Yongjun + +[ Upstream commit fc92d9e3de0b2d30a3ccc08048a5fad533e4672b ] + +KASAN report out-of-bounds read as follows: + +BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380 +Read of size 4 at addr ffffffffc00e4658 by task cat/278 + +Call Trace: + afe4404_read_raw + iio_read_channel_info + dev_attr_show + +The buggy address belongs to the variable: + afe4404_channel_leds+0x18/0xffffffffffffe9c0 + +This issue can be reproduce by singe command: + + $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw + +The array size of afe4404_channel_leds and afe4404_channel_offdacs +are less than channels, so access with chan->address cause OOB read +in afe4404_[read|write]_raw. Fix it by moving access before use them. + +Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields") +Signed-off-by: Wei Yongjun +Acked-by: Andrew Davis +Link: https://lore.kernel.org/r/20221107152010.95937-1-weiyongjun@huaweicloud.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/health/afe4404.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/iio/health/afe4404.c b/drivers/iio/health/afe4404.c +index 61fe4932d81d..0eaa34da59a8 100644 +--- a/drivers/iio/health/afe4404.c ++++ b/drivers/iio/health/afe4404.c +@@ -250,20 +250,20 @@ static int afe4404_read_raw(struct iio_dev *indio_dev, + int *val, int *val2, long mask) + { + struct afe4404_data *afe = iio_priv(indio_dev); +- unsigned int value_reg = afe4404_channel_values[chan->address]; +- unsigned int led_field = afe4404_channel_leds[chan->address]; +- unsigned int offdac_field = afe4404_channel_offdacs[chan->address]; ++ unsigned int value_reg, led_field, offdac_field; + int ret; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ value_reg = afe4404_channel_values[chan->address]; + ret = regmap_read(afe->regmap, value_reg, val); + if (ret) + return ret; + return IIO_VAL_INT; + case IIO_CHAN_INFO_OFFSET: ++ offdac_field = afe4404_channel_offdacs[chan->address]; + ret = regmap_field_read(afe->fields[offdac_field], val); + if (ret) + return ret; +@@ -273,6 +273,7 @@ static int afe4404_read_raw(struct iio_dev *indio_dev, + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ led_field = afe4404_channel_leds[chan->address]; + ret = regmap_field_read(afe->fields[led_field], val); + if (ret) + return ret; +@@ -295,19 +296,20 @@ static int afe4404_write_raw(struct iio_dev *indio_dev, + int val, int val2, long mask) + { + struct afe4404_data *afe = iio_priv(indio_dev); +- unsigned int led_field = afe4404_channel_leds[chan->address]; +- unsigned int offdac_field = afe4404_channel_offdacs[chan->address]; ++ unsigned int led_field, offdac_field; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_OFFSET: ++ offdac_field = afe4404_channel_offdacs[chan->address]; + return regmap_field_write(afe->fields[offdac_field], val); + } + break; + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ led_field = afe4404_channel_leds[chan->address]; + return regmap_field_write(afe->fields[led_field], val); + } + break; +-- +2.35.1 + diff --git a/queue-5.10/iio-light-rpr0521-add-missing-kconfig-dependencies.patch b/queue-5.10/iio-light-rpr0521-add-missing-kconfig-dependencies.patch new file mode 100644 index 00000000000..d3ca0a4f15a --- /dev/null +++ b/queue-5.10/iio-light-rpr0521-add-missing-kconfig-dependencies.patch @@ -0,0 +1,47 @@ +From 69d4ed0a5b05bc891590fd8db792467fc086fe5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 16:47:29 -0500 +Subject: iio: light: rpr0521: add missing Kconfig dependencies + +From: Paul Gazzillo + +[ Upstream commit 6ac12303572ef9ace5603c2c07f5f1b00a33f580 ] + +Fix an implicit declaration of function error for rpr0521 under some configs + +When CONFIG_RPR0521 is enabled without CONFIG_IIO_TRIGGERED_BUFFER, +the build results in "implicit declaration of function" errors, e.g., + drivers/iio/light/rpr0521.c:434:3: error: implicit declaration of function + 'iio_trigger_poll_chained' [-Werror=implicit-function-declaration] + 434 | iio_trigger_poll_chained(data->drdy_trigger0); + | ^~~~~~~~~~~~~~~~~~~~~~~~ + +This fix adds select dependencies to RPR0521's configuration declaration. + +Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer") +Signed-off-by: Paul Gazzillo +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216678 +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221110214729.ls5ixav5kxpeftk7@device +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/light/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/iio/light/Kconfig b/drivers/iio/light/Kconfig +index 917f9becf9c7..dd52eff9ba2a 100644 +--- a/drivers/iio/light/Kconfig ++++ b/drivers/iio/light/Kconfig +@@ -294,6 +294,8 @@ config RPR0521 + tristate "ROHM RPR0521 ALS and proximity sensor driver" + depends on I2C + select REGMAP_I2C ++ select IIO_BUFFER ++ select IIO_TRIGGERED_BUFFER + help + Say Y here if you want to build support for ROHM's RPR0521 + ambient light and proximity sensor device. +-- +2.35.1 + diff --git a/queue-5.10/ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch b/queue-5.10/ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch new file mode 100644 index 00000000000..c4fb4b5e09f --- /dev/null +++ b/queue-5.10/ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch @@ -0,0 +1,57 @@ +From 05d14bdb046143f0248b08461dc21b7abacfa25e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 10:57:58 +0800 +Subject: ixgbevf: Fix resource leak in ixgbevf_init_module() + +From: Shang XiaoJing + +[ Upstream commit 8cfa238a48f34038464b99d0b4825238c2687181 ] + +ixgbevf_init_module() won't destroy the workqueue created by +create_singlethread_workqueue() when pci_register_driver() failed. Add +destroy_workqueue() in fail path to prevent the resource leak. + +Similar to the handling of u132_hcd_init in commit f276e002793c +("usb: u132-hcd: fix resource leak") + +Fixes: 40a13e2493c9 ("ixgbevf: Use a private workqueue to avoid certain possible hangs") +Signed-off-by: Shang XiaoJing +Reviewed-by: Saeed Mahameed +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +index 2d6ac61d7a3e..4510a84514fa 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +@@ -4878,6 +4878,8 @@ static struct pci_driver ixgbevf_driver = { + **/ + static int __init ixgbevf_init_module(void) + { ++ int err; ++ + pr_info("%s\n", ixgbevf_driver_string); + pr_info("%s\n", ixgbevf_copyright); + ixgbevf_wq = create_singlethread_workqueue(ixgbevf_driver_name); +@@ -4886,7 +4888,13 @@ static int __init ixgbevf_init_module(void) + return -ENOMEM; + } + +- return pci_register_driver(&ixgbevf_driver); ++ err = pci_register_driver(&ixgbevf_driver); ++ if (err) { ++ destroy_workqueue(ixgbevf_wq); ++ return err; ++ } ++ ++ return 0; + } + + module_init(ixgbevf_init_module); +-- +2.35.1 + diff --git a/queue-5.10/kbuild-fix-wimplicit-function-declaration-in-license.patch b/queue-5.10/kbuild-fix-wimplicit-function-declaration-in-license.patch new file mode 100644 index 00000000000..06b66ef0834 --- /dev/null +++ b/queue-5.10/kbuild-fix-wimplicit-function-declaration-in-license.patch @@ -0,0 +1,50 @@ +From 0298fa6497ce601de8191455d581e69b141e51bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 18:26:34 +0000 +Subject: kbuild: fix -Wimplicit-function-declaration in + license_is_gpl_compatible + +From: Sam James + +[ Upstream commit 50c697215a8cc22f0e58c88f06f2716c05a26e85 ] + +Add missing include for strcmp. + +Clang 16 makes -Wimplicit-function-declaration an error by default. +Unfortunately, out of tree modules may use this in configure scripts, +which means failure might cause silent miscompilation or misconfiguration. + +For more information, see LWN.net [0] or LLVM's Discourse [1], gentoo-dev@ [2], +or the (new) c-std-porting mailing list [3]. + +[0] https://lwn.net/Articles/913505/ +[1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213 +[2] https://archives.gentoo.org/gentoo-dev/message/dd9f2d3082b8b6f8dfbccb0639e6e240 +[3] hosted at lists.linux.dev. + +[akpm@linux-foundation.org: remember "linux/"] +Link: https://lkml.kernel.org/r/20221116182634.2823136-1-sam@gentoo.org +Signed-off-by: Sam James +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/license.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/license.h b/include/linux/license.h +index 7cce390f120b..ad937f57f2cb 100644 +--- a/include/linux/license.h ++++ b/include/linux/license.h +@@ -2,6 +2,8 @@ + #ifndef __LICENSE_H + #define __LICENSE_H + ++#include ++ + static inline int license_is_gpl_compatible(const char *license) + { + return (strcmp(license, "GPL") == 0 +-- +2.35.1 + diff --git a/queue-5.10/libbpf-handle-size-overflow-for-ringbuf-mmap.patch b/queue-5.10/libbpf-handle-size-overflow-for-ringbuf-mmap.patch new file mode 100644 index 00000000000..ca0d676ba65 --- /dev/null +++ b/queue-5.10/libbpf-handle-size-overflow-for-ringbuf-mmap.patch @@ -0,0 +1,67 @@ +From 17e6987448385baa7747845d66da6c0669609cb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 15:23:49 +0800 +Subject: libbpf: Handle size overflow for ringbuf mmap + +From: Hou Tao + +[ Upstream commit 927cbb478adf917e0a142b94baa37f06279cc466 ] + +The maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries +will overflow u32 when mapping producer page and data pages. Only +casting max_entries to size_t is not enough, because for 32-bits +application on 64-bits kernel the size of read-only mmap region +also could overflow size_t. + +So fixing it by casting the size of read-only mmap region into a __u64 +and checking whether or not there will be overflow during mmap. + +Fixes: bf99c936f947 ("libbpf: Add BPF ring buffer support") +Signed-off-by: Hou Tao +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20221116072351.1168938-3-houtao@huaweicloud.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/ringbuf.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/tools/lib/bpf/ringbuf.c b/tools/lib/bpf/ringbuf.c +index 86c31c787fb9..141dbaf6e828 100644 +--- a/tools/lib/bpf/ringbuf.c ++++ b/tools/lib/bpf/ringbuf.c +@@ -59,6 +59,7 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd, + __u32 len = sizeof(info); + struct epoll_event *e; + struct ring *r; ++ __u64 mmap_sz; + void *tmp; + int err; + +@@ -97,8 +98,7 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd, + r->mask = info.max_entries - 1; + + /* Map writable consumer page */ +- tmp = mmap(NULL, rb->page_size, PROT_READ | PROT_WRITE, MAP_SHARED, +- map_fd, 0); ++ tmp = mmap(NULL, rb->page_size, PROT_READ | PROT_WRITE, MAP_SHARED, map_fd, 0); + if (tmp == MAP_FAILED) { + err = -errno; + pr_warn("ringbuf: failed to mmap consumer page for map fd=%d: %d\n", +@@ -111,8 +111,12 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd, + * data size to allow simple reading of samples that wrap around the + * end of a ring buffer. See kernel implementation for details. + * */ +- tmp = mmap(NULL, rb->page_size + 2 * info.max_entries, PROT_READ, +- MAP_SHARED, map_fd, rb->page_size); ++ mmap_sz = rb->page_size + 2 * (__u64)info.max_entries; ++ if (mmap_sz != (__u64)(size_t)mmap_sz) { ++ pr_warn("ringbuf: ring buffer size (%u) is too big\n", info.max_entries); ++ return libbpf_err(-E2BIG); ++ } ++ tmp = mmap(NULL, (size_t)mmap_sz, PROT_READ, MAP_SHARED, map_fd, rb->page_size); + if (tmp == MAP_FAILED) { + err = -errno; + ringbuf_unmap_ring(rb, r); +-- +2.35.1 + diff --git a/queue-5.10/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch b/queue-5.10/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch new file mode 100644 index 00000000000..782bec37528 --- /dev/null +++ b/queue-5.10/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch @@ -0,0 +1,45 @@ +From 1d6869dc255760503f36e4271265a63bffed7149 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 16:10:05 +0800 +Subject: net/9p: Fix a potential socket leak in p9_socket_open + +From: Wang Hai + +[ Upstream commit dcc14cfd7debe11b825cb077e75d91d2575b4cb8 ] + +Both p9_fd_create_tcp() and p9_fd_create_unix() will call +p9_socket_open(). If the creation of p9_trans_fd fails, +p9_fd_create_tcp() and p9_fd_create_unix() will return an +error directly instead of releasing the cscoket, which will +result in a socket leak. + +This patch adds sock_release() to fix the leak issue. + +Fixes: 6b18662e239a ("9p connect fixes") +Signed-off-by: Wang Hai +ACKed-by: Al Viro +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index 400219801e63..deb66635f0f3 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -852,8 +852,10 @@ static int p9_socket_open(struct p9_client *client, struct socket *csocket) + struct file *file; + + p = kzalloc(sizeof(struct p9_trans_fd), GFP_KERNEL); +- if (!p) ++ if (!p) { ++ sock_release(csocket); + return -ENOMEM; ++ } + + csocket->sk->sk_allocation = GFP_NOIO; + file = sock_alloc_file(csocket, 0, NULL); +-- +2.35.1 + diff --git a/queue-5.10/net-ethernet-nixge-fix-null-dereference.patch b/queue-5.10/net-ethernet-nixge-fix-null-dereference.patch new file mode 100644 index 00000000000..e615546f4a3 --- /dev/null +++ b/queue-5.10/net-ethernet-nixge-fix-null-dereference.patch @@ -0,0 +1,75 @@ +From 24f87589332fd3a850af002c2da5e93c019fc1e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 11:43:03 +0300 +Subject: net: ethernet: nixge: fix NULL dereference + +From: Yuri Karpov + +[ Upstream commit 9256db4e45e8b497b0e993cc3ed4ad08eb2389b6 ] + +In function nixge_hw_dma_bd_release() dereference of NULL pointer +priv->rx_bd_v is possible for the case of its allocation failure in +nixge_hw_dma_bd_init(). + +Move for() loop with priv->rx_bd_v dereference under the check for +its validity. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev") +Signed-off-by: Yuri Karpov +Reviewed-by: Maciej Fijalkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ni/nixge.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c +index 9c48fd85c418..07fbd329fe93 100644 +--- a/drivers/net/ethernet/ni/nixge.c ++++ b/drivers/net/ethernet/ni/nixge.c +@@ -249,25 +249,26 @@ static void nixge_hw_dma_bd_release(struct net_device *ndev) + struct sk_buff *skb; + int i; + +- for (i = 0; i < RX_BD_NUM; i++) { +- phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], +- phys); +- +- dma_unmap_single(ndev->dev.parent, phys_addr, +- NIXGE_MAX_JUMBO_FRAME_SIZE, +- DMA_FROM_DEVICE); +- +- skb = (struct sk_buff *)(uintptr_t) +- nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], +- sw_id_offset); +- dev_kfree_skb(skb); +- } ++ if (priv->rx_bd_v) { ++ for (i = 0; i < RX_BD_NUM; i++) { ++ phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], ++ phys); ++ ++ dma_unmap_single(ndev->dev.parent, phys_addr, ++ NIXGE_MAX_JUMBO_FRAME_SIZE, ++ DMA_FROM_DEVICE); ++ ++ skb = (struct sk_buff *)(uintptr_t) ++ nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], ++ sw_id_offset); ++ dev_kfree_skb(skb); ++ } + +- if (priv->rx_bd_v) + dma_free_coherent(ndev->dev.parent, + sizeof(*priv->rx_bd_v) * RX_BD_NUM, + priv->rx_bd_v, + priv->rx_bd_p); ++ } + + if (priv->tx_skb) + devm_kfree(ndev->dev.parent, priv->tx_skb); +-- +2.35.1 + diff --git a/queue-5.10/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch b/queue-5.10/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch new file mode 100644 index 00000000000..30d803b4997 --- /dev/null +++ b/queue-5.10/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch @@ -0,0 +1,41 @@ +From 0c6d0297f3acd1567830f97598b12ff49903640d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 15:56:04 +0900 +Subject: net: ethernet: renesas: ravb: Fix promiscuous mode after system + resumed + +From: Yoshihiro Shimoda + +[ Upstream commit d66233a312ec9013af3e37e4030b479a20811ec3 ] + +After system resumed on some environment board, the promiscuous mode +is disabled because the SoC turned off. So, call ravb_set_rx_mode() in +the ravb_resume() to fix the issue. + +Reported-by: Tho Vu +Fixes: 0184165b2f42 ("ravb: add sleep PM suspend/resume support") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Pavan Chebbi +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20221128065604.1864391-1-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index f96eed67e1a2..9e7b85e178fd 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -2364,6 +2364,7 @@ static int __maybe_unused ravb_resume(struct device *dev) + ret = ravb_open(ndev); + if (ret < 0) + return ret; ++ ravb_set_rx_mode(ndev); + netif_device_attach(ndev); + } + +-- +2.35.1 + diff --git a/queue-5.10/net-hsr-fix-potential-use-after-free.patch b/queue-5.10/net-hsr-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..52913f26e06 --- /dev/null +++ b/queue-5.10/net-hsr-fix-potential-use-after-free.patch @@ -0,0 +1,49 @@ +From 95e029da6d0d8e8ef56bb7d0cc4611044b87b0f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 15:57:24 +0800 +Subject: net: hsr: Fix potential use-after-free + +From: YueHaibing + +[ Upstream commit 7e177d32442b7ed08a9fa61b61724abc548cb248 ] + +The skb is delivered to netif_rx() which may free it, after calling this, +dereferencing skb may trigger use-after-free. + +Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20221125075724.27912-1-yuehaibing@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_forward.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c +index 908324b46328..cb9b54a7abd2 100644 +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -303,17 +303,18 @@ static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev, + struct hsr_node *node_src) + { + bool was_multicast_frame; +- int res; ++ int res, recv_len; + + was_multicast_frame = (skb->pkt_type == PACKET_MULTICAST); + hsr_addr_subst_source(node_src, skb); + skb_pull(skb, ETH_HLEN); ++ recv_len = skb->len; + res = netif_rx(skb); + if (res == NET_RX_DROP) { + dev->stats.rx_dropped++; + } else { + dev->stats.rx_packets++; +- dev->stats.rx_bytes += skb->len; ++ dev->stats.rx_bytes += recv_len; + if (was_multicast_frame) + dev->stats.multicast++; + } +-- +2.35.1 + diff --git a/queue-5.10/net-mlx5-dr-fix-uninitialized-var-warning.patch b/queue-5.10/net-mlx5-dr-fix-uninitialized-var-warning.patch new file mode 100644 index 00000000000..18249a73eb6 --- /dev/null +++ b/queue-5.10/net-mlx5-dr-fix-uninitialized-var-warning.patch @@ -0,0 +1,51 @@ +From 1a3a5cad5912e709ded166fd6b307e939230517a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 21:47:07 +0800 +Subject: net/mlx5: DR, Fix uninitialized var warning + +From: YueHaibing + +[ Upstream commit 52f7cf70eb8fac6111786c59ae9dfc5cf2bee710 ] + +Smatch warns this: + +drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c:81 + mlx5dr_table_set_miss_action() error: uninitialized symbol 'ret'. + +Initializing ret with -EOPNOTSUPP and fix missing action case. + +Fixes: 7838e1725394 ("net/mlx5: DR, Expose steering table functionality") +Signed-off-by: YueHaibing +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +index b599b6beb5b9..6a4b997c258a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +@@ -9,7 +9,7 @@ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl, + struct mlx5dr_matcher *last_matcher = NULL; + struct mlx5dr_htbl_connect_info info; + struct mlx5dr_ste_htbl *last_htbl; +- int ret; ++ int ret = -EOPNOTSUPP; + + if (action && action->action_type != DR_ACTION_TYP_FT) + return -EOPNOTSUPP; +@@ -68,6 +68,9 @@ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl, + } + } + ++ if (ret) ++ goto out; ++ + /* Release old action */ + if (tbl->miss_action) + refcount_dec(&tbl->miss_action->refcount); +-- +2.35.1 + diff --git a/queue-5.10/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch b/queue-5.10/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch new file mode 100644 index 00000000000..6feb14797c6 --- /dev/null +++ b/queue-5.10/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch @@ -0,0 +1,39 @@ +From c7c511924f881ebe80edfb066286a2ee38d7a859 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 19:22:04 +0800 +Subject: net/mlx5: Fix uninitialized variable bug in outlen_write() + +From: YueHaibing + +[ Upstream commit 3f5769a074c13d8f08455e40586600419e02a880 ] + +If sscanf() return 0, outlen is uninitialized and used in kzalloc(), +this is unexpected. We should return -EINVAL if the string is invalid. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: YueHaibing +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index c838d8698eab..39c17e903915 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1422,8 +1422,8 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf, + return -EFAULT; + + err = sscanf(outlen_str, "%d", &outlen); +- if (err < 0) +- return err; ++ if (err != 1) ++ return -EINVAL; + + ptr = kzalloc(outlen, GFP_KERNEL); + if (!ptr) +-- +2.35.1 + diff --git a/queue-5.10/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch b/queue-5.10/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch new file mode 100644 index 00000000000..ab027ba9444 --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch @@ -0,0 +1,40 @@ +From 5e810c7a3703ea7f7e4e2b669a31bfec8ead0d80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 20:04:29 +0200 +Subject: net/mlx5e: Fix use-after-free when reverting termination table + +From: Roi Dayan + +[ Upstream commit 52c795af04441d76f565c4634f893e5b553df2ae ] + +When having multiple dests with termination tables and second one +or afterwards fails the driver reverts usage of term tables but +doesn't reset the assignment in attr->dests[num_vport_dests].termtbl +which case a use-after-free when releasing the rule. +Fix by resetting the assignment of termtbl to null. + +Fixes: 10caabdaad5a ("net/mlx5e: Use termination table for VLAN push actions") +Signed-off-by: Roi Dayan +Reviewed-by: Maor Dickman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c +index 6c865cb7f445..132ea9997676 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c +@@ -308,6 +308,8 @@ mlx5_eswitch_add_termtbl_rule(struct mlx5_eswitch *esw, + for (curr_dest = 0; curr_dest < num_vport_dests; curr_dest++) { + struct mlx5_termtbl_handle *tt = attr->dests[curr_dest].termtbl; + ++ attr->dests[curr_dest].termtbl = NULL; ++ + /* search for the destination associated with the + * current term table + */ +-- +2.35.1 + diff --git a/queue-5.10/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch b/queue-5.10/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch new file mode 100644 index 00000000000..acbc1cad9ab --- /dev/null +++ b/queue-5.10/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch @@ -0,0 +1,48 @@ +From 6fdef43d0d8bde3b1df41e3af298e5a10315c8dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 07:09:17 +0000 +Subject: net: net_netdev: Fix error handling in ntb_netdev_init_module() + +From: Yuan Can + +[ Upstream commit b8f79dccd38edf7db4911c353d9cd792ab13a327 ] + +The ntb_netdev_init_module() returns the ntb_transport_register_client() +directly without checking its return value, if +ntb_transport_register_client() failed, the NTB client device is not +unregistered. + +Fix by unregister NTB client device when ntb_transport_register_client() +failed. + +Fixes: 548c237c0a99 ("net: Add support for NTB virtual ethernet device") +Signed-off-by: Yuan Can +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ntb_netdev.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c +index a5bab614ff84..1b7d588ff3c5 100644 +--- a/drivers/net/ntb_netdev.c ++++ b/drivers/net/ntb_netdev.c +@@ -484,7 +484,14 @@ static int __init ntb_netdev_init_module(void) + rc = ntb_transport_register_client_dev(KBUILD_MODNAME); + if (rc) + return rc; +- return ntb_transport_register_client(&ntb_netdev_client); ++ ++ rc = ntb_transport_register_client(&ntb_netdev_client); ++ if (rc) { ++ ntb_transport_unregister_client_dev(KBUILD_MODNAME); ++ return rc; ++ } ++ ++ return 0; + } + module_init(ntb_netdev_init_module); + +-- +2.35.1 + diff --git a/queue-5.10/net-phy-fix-null-ptr-deref-while-probe-failed.patch b/queue-5.10/net-phy-fix-null-ptr-deref-while-probe-failed.patch new file mode 100644 index 00000000000..3d118e15c09 --- /dev/null +++ b/queue-5.10/net-phy-fix-null-ptr-deref-while-probe-failed.patch @@ -0,0 +1,73 @@ +From ec6c6e37668e96080e30424017502793ddf60155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 21:28:08 +0800 +Subject: net: phy: fix null-ptr-deref while probe() failed + +From: Yang Yingliang + +[ Upstream commit 369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6 ] + +I got a null-ptr-deref report as following when doing fault injection test: + +BUG: kernel NULL pointer dereference, address: 0000000000000058 +Oops: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+ +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +RIP: 0010:klist_put+0x2d/0xd0 +Call Trace: + + klist_remove+0xf1/0x1c0 + device_release_driver_internal+0x23e/0x2d0 + bus_remove_device+0x1bd/0x240 + device_del+0x357/0x770 + phy_device_remove+0x11/0x30 + mdiobus_unregister+0xa5/0x140 + release_nodes+0x6a/0xa0 + devres_release_all+0xf8/0x150 + device_unbind_cleanup+0x19/0xd0 + +//probe path: +phy_device_register() + device_add() + +phy_connect + phy_attach_direct() //set device driver + probe() //it's failed, driver is not bound + device_bind_driver() // probe failed, it's not called + +//remove path: +phy_device_remove() + device_del() + device_release_driver_internal() + __device_release_driver() //dev->drv is not NULL + klist_remove() <- knode_driver is not added yet, cause null-ptr-deref + +In phy_attach_direct(), after setting the 'dev->driver', probe() fails, +device_bind_driver() is not called, so the knode_driver->n_klist is not +set, then it causes null-ptr-deref in __device_release_driver() while +deleting device. Fix this by setting dev->driver to NULL in the error +path in phy_attach_direct(). + +Fixes: e13934563db0 ("[PATCH] PHY Layer fixup") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index d2f6d8107595..3ef5aa6b72a7 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1423,6 +1423,7 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev, + + error_module_put: + module_put(d->driver->owner); ++ d->driver = NULL; + error_put_device: + put_device(d); + if (ndev_owner != bus->owner) +-- +2.35.1 + diff --git a/queue-5.10/net-tun-fix-use-after-free-in-tun_detach.patch b/queue-5.10/net-tun-fix-use-after-free-in-tun_detach.patch new file mode 100644 index 00000000000..6f9ac9caa81 --- /dev/null +++ b/queue-5.10/net-tun-fix-use-after-free-in-tun_detach.patch @@ -0,0 +1,90 @@ +From 7eaaac819722d4ab0074fa10d2832d3641fa7144 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 02:51:34 +0900 +Subject: net: tun: Fix use-after-free in tun_detach() + +From: Shigeru Yoshida + +[ Upstream commit 5daadc86f27ea4d691e2131c04310d0418c6cd12 ] + +syzbot reported use-after-free in tun_detach() [1]. This causes call +trace like below: + +================================================================== +BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 +Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673 + +CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:284 [inline] + print_report+0x15e/0x461 mm/kasan/report.c:395 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 + notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 + call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942 + call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] + call_netdevice_notifiers net/core/dev.c:1997 [inline] + netdev_wait_allrefs_any net/core/dev.c:10237 [inline] + netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351 + tun_detach drivers/net/tun.c:704 [inline] + tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xb3d/0x2a30 kernel/exit.c:820 + do_group_exit+0xd4/0x2a0 kernel/exit.c:950 + get_signal+0x21b1/0x2440 kernel/signal.c:2858 + arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The cause of the issue is that sock_put() from __tun_detach() drops +last reference count for struct net, and then notifier_call_chain() +from netdev_state_change() accesses that struct net. + +This patch fixes the issue by calling sock_put() from tun_detach() +after all necessary accesses for the struct net has done. + +Fixes: 83c1f36f9880 ("tun: send netlink notification when the device is modified") +Reported-by: syzbot+106f9b687cd64ee70cd1@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=96eb7f1ce75ef933697f24eeab928c4a716edefe [1] +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/r/20221124175134.1589053-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index cb42fdbfeb32..67ce7b779af6 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -698,7 +698,6 @@ static void __tun_detach(struct tun_file *tfile, bool clean) + if (tun) + xdp_rxq_info_unreg(&tfile->xdp_rxq); + ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free); +- sock_put(&tfile->sk); + } + } + +@@ -714,6 +713,9 @@ static void tun_detach(struct tun_file *tfile, bool clean) + if (dev) + netdev_state_change(dev); + rtnl_unlock(); ++ ++ if (clean) ++ sock_put(&tfile->sk); + } + + static void tun_detach_all(struct net_device *dev) +-- +2.35.1 + diff --git a/queue-5.10/of-property-decrement-node-refcount-in-of_fwnode_get.patch b/queue-5.10/of-property-decrement-node-refcount-in-of_fwnode_get.patch new file mode 100644 index 00000000000..743c89d691f --- /dev/null +++ b/queue-5.10/of-property-decrement-node-refcount-in-of_fwnode_get.patch @@ -0,0 +1,47 @@ +From 22c7426018f0e65ef8cf393ed1de8c9eff79ee12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 10:32:09 +0800 +Subject: of: property: decrement node refcount in + of_fwnode_get_reference_args() + +From: Yang Yingliang + +[ Upstream commit 60d865bd5a9b15a3961eb1c08bd4155682a3c81e ] + +In of_fwnode_get_reference_args(), the refcount of of_args.np has +been incremented in the case of successful return from +of_parse_phandle_with_args() or of_parse_phandle_with_fixed_args(). + +Decrement the refcount if of_args is not returned to the caller of +of_fwnode_get_reference_args(). + +Fixes: 3e3119d3088f ("device property: Introduce fwnode_property_get_reference_args") +Signed-off-by: Yang Yingliang +Reviewed-by: Sakari Ailus +Reviewed-by: Frank Rowand +Link: https://lore.kernel.org/r/20221121023209.3909759-1-yangyingliang@huawei.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/property.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/of/property.c b/drivers/of/property.c +index 1d7d24e7094b..8f998351bf4f 100644 +--- a/drivers/of/property.c ++++ b/drivers/of/property.c +@@ -956,8 +956,10 @@ of_fwnode_get_reference_args(const struct fwnode_handle *fwnode, + nargs, index, &of_args); + if (ret < 0) + return ret; +- if (!args) ++ if (!args) { ++ of_node_put(of_args.np); + return 0; ++ } + + args->nargs = of_args.args_count; + args->fwnode = of_fwnode_handle(of_args.np); +-- +2.35.1 + diff --git a/queue-5.10/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch b/queue-5.10/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch new file mode 100644 index 00000000000..a7aa4485976 --- /dev/null +++ b/queue-5.10/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch @@ -0,0 +1,49 @@ +From d23bfa02572bc72b0fb359cfcd33ad83b57de280 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 11:18:12 -0500 +Subject: packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE + +From: Willem de Bruijn + +[ Upstream commit b85f628aa158a653c006e9c1405a117baef8c868 ] + +CHECKSUM_COMPLETE signals that skb->csum stores the sum over the +entire packet. It does not imply that an embedded l4 checksum +field has been validated. + +Fixes: 682f048bd494 ("af_packet: pass checksum validation status to the user") +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20221128161812.640098-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index b70b06e312bd..eaa030e2ad55 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2243,8 +2243,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + if (skb->ip_summed == CHECKSUM_PARTIAL) + status |= TP_STATUS_CSUMNOTREADY; + else if (skb->pkt_type != PACKET_OUTGOING && +- (skb->ip_summed == CHECKSUM_COMPLETE || +- skb_csum_unnecessary(skb))) ++ skb_csum_unnecessary(skb)) + status |= TP_STATUS_CSUM_VALID; + + if (snaplen > res) +@@ -3480,8 +3479,7 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + if (skb->ip_summed == CHECKSUM_PARTIAL) + aux.tp_status |= TP_STATUS_CSUMNOTREADY; + else if (skb->pkt_type != PACKET_OUTGOING && +- (skb->ip_summed == CHECKSUM_COMPLETE || +- skb_csum_unnecessary(skb))) ++ skb_csum_unnecessary(skb)) + aux.tp_status |= TP_STATUS_CSUM_VALID; + + aux.tp_len = origlen; +-- +2.35.1 + diff --git a/queue-5.10/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch b/queue-5.10/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch new file mode 100644 index 00000000000..85368c475e4 --- /dev/null +++ b/queue-5.10/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch @@ -0,0 +1,70 @@ +From 4314c57ea67facc9fd0f1b51a1a09124b4880da7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 18:06:42 +0800 +Subject: qlcnic: fix sleep-in-atomic-context bugs caused by msleep + +From: Duoming Zhou + +[ Upstream commit 8dbd6e4ce1b9c527921643d9e34f188a10d4e893 ] + +The watchdog timer is used to monitor whether the process +of transmitting data is timeout. If we use qlcnic driver, +the dev_watchdog() that is the timer handler of watchdog +timer will call qlcnic_tx_timeout() to process the timeout. +But the qlcnic_tx_timeout() calls msleep(), as a result, +the sleep-in-atomic-context bugs will happen. The processes +are shown below: + + (atomic context) +dev_watchdog + qlcnic_tx_timeout + qlcnic_83xx_idc_request_reset + qlcnic_83xx_lock_driver + msleep + +--------------------------- + + (atomic context) +dev_watchdog + qlcnic_tx_timeout + qlcnic_83xx_idc_request_reset + qlcnic_83xx_lock_driver + qlcnic_83xx_recover_driver_lock + msleep + +Fix by changing msleep() to mdelay(), the mdelay() is +busy-waiting and the bugs could be mitigated. + +Fixes: 629263acaea3 ("qlcnic: 83xx CNA inter driver communication mechanism") +Signed-off-by: Duoming Zhou +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +index bd0607680329..2fd5c6fdb500 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +@@ -2991,7 +2991,7 @@ static void qlcnic_83xx_recover_driver_lock(struct qlcnic_adapter *adapter) + QLCWRX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK, val); + dev_info(&adapter->pdev->dev, + "%s: lock recovery initiated\n", __func__); +- msleep(QLC_83XX_DRV_LOCK_RECOVERY_DELAY); ++ mdelay(QLC_83XX_DRV_LOCK_RECOVERY_DELAY); + val = QLCRDX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK); + id = ((val >> 2) & 0xF); + if (id == adapter->portnum) { +@@ -3027,7 +3027,7 @@ int qlcnic_83xx_lock_driver(struct qlcnic_adapter *adapter) + if (status) + break; + +- msleep(QLC_83XX_DRV_LOCK_WAIT_DELAY); ++ mdelay(QLC_83XX_DRV_LOCK_WAIT_DELAY); + i++; + + if (i == 1) +-- +2.35.1 + diff --git a/queue-5.10/scripts-faddr2line-fix-regression-in-name-resolution.patch b/queue-5.10/scripts-faddr2line-fix-regression-in-name-resolution.patch new file mode 100644 index 00000000000..f9c97c5ec18 --- /dev/null +++ b/queue-5.10/scripts-faddr2line-fix-regression-in-name-resolution.patch @@ -0,0 +1,79 @@ +From 82885740021fa321aa856175af28e689d2025cee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 13:22:11 +0530 +Subject: scripts/faddr2line: Fix regression in name resolution on ppc64le + +From: Srikar Dronamraju + +[ Upstream commit 2d77de1581bb5b470486edaf17a7d70151131afd ] + +Commit 1d1a0e7c5100 ("scripts/faddr2line: Fix overlapping text section +failures") can cause faddr2line to fail on ppc64le on some +distributions, while it works fine on other distributions. The failure +can be attributed to differences in the readelf output. + + $ ./scripts/faddr2line vmlinux find_busiest_group+0x00 + no match for find_busiest_group+0x00 + +On ppc64le, readelf adds the localentry tag before the symbol name on +some distributions, and adds the localentry tag after the symbol name on +other distributions. This problem has been discussed previously: + + https://lore.kernel.org/bpf/20191211160133.GB4580@calabresa/ + +This problem can be overcome by filtering out the localentry tags in the +readelf output. Similar fixes are already present in the kernel by way +of the following commits: + + 1fd6cee127e2 ("libbpf: Fix VERSIONED_SYM_COUNT number parsing") + aa915931ac3e ("libbpf: Fix readelf output parsing for Fedora") + +[jpoimboe: rework commit log] + +Fixes: 1d1a0e7c5100 ("scripts/faddr2line: Fix overlapping text section failures") +Signed-off-by: Srikar Dronamraju +Acked-by: Naveen N. Rao +Reviewed-by: Thadeu Lima de Souza Cascardo +Link: https://lore.kernel.org/r/20220927075211.897152-1-srikar@linux.vnet.ibm.com +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra +Signed-off-by: Sasha Levin +--- + scripts/faddr2line | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/scripts/faddr2line b/scripts/faddr2line +index 57099687e5e1..9e730b805e87 100755 +--- a/scripts/faddr2line ++++ b/scripts/faddr2line +@@ -73,7 +73,8 @@ command -v ${ADDR2LINE} >/dev/null 2>&1 || die "${ADDR2LINE} isn't installed" + find_dir_prefix() { + local objfile=$1 + +- local start_kernel_addr=$(${READELF} --symbols --wide $objfile | ${AWK} '$8 == "start_kernel" {printf "0x%s", $2}') ++ local start_kernel_addr=$(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ++ ${AWK} '$8 == "start_kernel" {printf "0x%s", $2}') + [[ -z $start_kernel_addr ]] && return + + local file_line=$(${ADDR2LINE} -e $objfile $start_kernel_addr) +@@ -177,7 +178,7 @@ __faddr2line() { + found=2 + break + fi +- done < <(${READELF} --symbols --wide $objfile | ${AWK} -v sec=$sym_sec '$7 == sec' | sort --key=2) ++ done < <(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ${AWK} -v sec=$sym_sec '$7 == sec' | sort --key=2) + + if [[ $found = 0 ]]; then + warn "can't find symbol: sym_name: $sym_name sym_sec: $sym_sec sym_addr: $sym_addr sym_elf_size: $sym_elf_size" +@@ -258,7 +259,7 @@ __faddr2line() { + + DONE=1 + +- done < <(${READELF} --symbols --wide $objfile | ${AWK} -v fn=$sym_name '$4 == "FUNC" && $8 == fn') ++ done < <(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ${AWK} -v fn=$sym_name '$4 == "FUNC" && $8 == fn') + } + + [[ $# -lt 2 ]] && usage +-- +2.35.1 + diff --git a/queue-5.10/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch b/queue-5.10/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch new file mode 100644 index 00000000000..564b4a28c9d --- /dev/null +++ b/queue-5.10/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch @@ -0,0 +1,202 @@ +From e7d9d400236bd4bd306b314ab90983ad503070f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Nov 2022 11:17:20 +0800 +Subject: sctp: fix memory leak in sctp_stream_outq_migrate() + +From: Zhengchao Shao + +[ Upstream commit 9ed7bfc79542119ac0a9e1ce8a2a5285e43433e9 ] + +When sctp_stream_outq_migrate() is called to release stream out resources, +the memory pointed to by prio_head in stream out is not released. + +The memory leak information is as follows: + unreferenced object 0xffff88801fe79f80 (size 64): + comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s) + hex dump (first 32 bytes): + 80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff ................ + 90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff ................ + backtrace: + [] kmalloc_trace+0x26/0x60 + [] sctp_sched_prio_set+0x4cc/0x770 + [] sctp_stream_init_ext+0xd2/0x1b0 + [] sctp_sendmsg_to_asoc+0x1614/0x1a30 + [] sctp_sendmsg+0xda1/0x1ef0 + [] inet_sendmsg+0x9d/0xe0 + [] sock_sendmsg+0xd3/0x120 + [] __sys_sendto+0x23a/0x340 + [] __x64_sys_sendto+0xe1/0x1b0 + [] do_syscall_64+0x39/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Link: https://syzkaller.appspot.com/bug?exrid=29c402e56c4760763cc0 +Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler") +Reported-by: syzbot+29c402e56c4760763cc0@syzkaller.appspotmail.com +Signed-off-by: Zhengchao Shao +Reviewed-by: Xin Long +Link: https://lore.kernel.org/r/20221126031720.378562-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sctp/stream_sched.h | 2 ++ + net/sctp/stream.c | 25 ++++++++++++++++++------- + net/sctp/stream_sched.c | 5 +++++ + net/sctp/stream_sched_prio.c | 19 +++++++++++++++++++ + net/sctp/stream_sched_rr.c | 5 +++++ + 5 files changed, 49 insertions(+), 7 deletions(-) + +diff --git a/include/net/sctp/stream_sched.h b/include/net/sctp/stream_sched.h +index 01a70b27e026..65058faea4db 100644 +--- a/include/net/sctp/stream_sched.h ++++ b/include/net/sctp/stream_sched.h +@@ -26,6 +26,8 @@ struct sctp_sched_ops { + int (*init)(struct sctp_stream *stream); + /* Init a stream */ + int (*init_sid)(struct sctp_stream *stream, __u16 sid, gfp_t gfp); ++ /* free a stream */ ++ void (*free_sid)(struct sctp_stream *stream, __u16 sid); + /* Frees the entire thing */ + void (*free)(struct sctp_stream *stream); + +diff --git a/net/sctp/stream.c b/net/sctp/stream.c +index ef9fceadef8d..ee6514af830f 100644 +--- a/net/sctp/stream.c ++++ b/net/sctp/stream.c +@@ -52,6 +52,19 @@ static void sctp_stream_shrink_out(struct sctp_stream *stream, __u16 outcnt) + } + } + ++static void sctp_stream_free_ext(struct sctp_stream *stream, __u16 sid) ++{ ++ struct sctp_sched_ops *sched; ++ ++ if (!SCTP_SO(stream, sid)->ext) ++ return; ++ ++ sched = sctp_sched_ops_from_stream(stream); ++ sched->free_sid(stream, sid); ++ kfree(SCTP_SO(stream, sid)->ext); ++ SCTP_SO(stream, sid)->ext = NULL; ++} ++ + /* Migrates chunks from stream queues to new stream queues if needed, + * but not across associations. Also, removes those chunks to streams + * higher than the new max. +@@ -70,16 +83,14 @@ static void sctp_stream_outq_migrate(struct sctp_stream *stream, + * sctp_stream_update will swap ->out pointers. + */ + for (i = 0; i < outcnt; i++) { +- kfree(SCTP_SO(new, i)->ext); ++ sctp_stream_free_ext(new, i); + SCTP_SO(new, i)->ext = SCTP_SO(stream, i)->ext; + SCTP_SO(stream, i)->ext = NULL; + } + } + +- for (i = outcnt; i < stream->outcnt; i++) { +- kfree(SCTP_SO(stream, i)->ext); +- SCTP_SO(stream, i)->ext = NULL; +- } ++ for (i = outcnt; i < stream->outcnt; i++) ++ sctp_stream_free_ext(stream, i); + } + + static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt, +@@ -174,9 +185,9 @@ void sctp_stream_free(struct sctp_stream *stream) + struct sctp_sched_ops *sched = sctp_sched_ops_from_stream(stream); + int i; + +- sched->free(stream); ++ sched->unsched_all(stream); + for (i = 0; i < stream->outcnt; i++) +- kfree(SCTP_SO(stream, i)->ext); ++ sctp_stream_free_ext(stream, i); + genradix_free(&stream->out); + genradix_free(&stream->in); + } +diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c +index a2e1d34f52c5..33c2630c2496 100644 +--- a/net/sctp/stream_sched.c ++++ b/net/sctp/stream_sched.c +@@ -46,6 +46,10 @@ static int sctp_sched_fcfs_init_sid(struct sctp_stream *stream, __u16 sid, + return 0; + } + ++static void sctp_sched_fcfs_free_sid(struct sctp_stream *stream, __u16 sid) ++{ ++} ++ + static void sctp_sched_fcfs_free(struct sctp_stream *stream) + { + } +@@ -96,6 +100,7 @@ static struct sctp_sched_ops sctp_sched_fcfs = { + .get = sctp_sched_fcfs_get, + .init = sctp_sched_fcfs_init, + .init_sid = sctp_sched_fcfs_init_sid, ++ .free_sid = sctp_sched_fcfs_free_sid, + .free = sctp_sched_fcfs_free, + .enqueue = sctp_sched_fcfs_enqueue, + .dequeue = sctp_sched_fcfs_dequeue, +diff --git a/net/sctp/stream_sched_prio.c b/net/sctp/stream_sched_prio.c +index 80b5a2c4cbc7..4fc9f2923ed1 100644 +--- a/net/sctp/stream_sched_prio.c ++++ b/net/sctp/stream_sched_prio.c +@@ -204,6 +204,24 @@ static int sctp_sched_prio_init_sid(struct sctp_stream *stream, __u16 sid, + return sctp_sched_prio_set(stream, sid, 0, gfp); + } + ++static void sctp_sched_prio_free_sid(struct sctp_stream *stream, __u16 sid) ++{ ++ struct sctp_stream_priorities *prio = SCTP_SO(stream, sid)->ext->prio_head; ++ int i; ++ ++ if (!prio) ++ return; ++ ++ SCTP_SO(stream, sid)->ext->prio_head = NULL; ++ for (i = 0; i < stream->outcnt; i++) { ++ if (SCTP_SO(stream, i)->ext && ++ SCTP_SO(stream, i)->ext->prio_head == prio) ++ return; ++ } ++ ++ kfree(prio); ++} ++ + static void sctp_sched_prio_free(struct sctp_stream *stream) + { + struct sctp_stream_priorities *prio, *n; +@@ -323,6 +341,7 @@ static struct sctp_sched_ops sctp_sched_prio = { + .get = sctp_sched_prio_get, + .init = sctp_sched_prio_init, + .init_sid = sctp_sched_prio_init_sid, ++ .free_sid = sctp_sched_prio_free_sid, + .free = sctp_sched_prio_free, + .enqueue = sctp_sched_prio_enqueue, + .dequeue = sctp_sched_prio_dequeue, +diff --git a/net/sctp/stream_sched_rr.c b/net/sctp/stream_sched_rr.c +index ff425aed62c7..cc444fe0d67c 100644 +--- a/net/sctp/stream_sched_rr.c ++++ b/net/sctp/stream_sched_rr.c +@@ -90,6 +90,10 @@ static int sctp_sched_rr_init_sid(struct sctp_stream *stream, __u16 sid, + return 0; + } + ++static void sctp_sched_rr_free_sid(struct sctp_stream *stream, __u16 sid) ++{ ++} ++ + static void sctp_sched_rr_free(struct sctp_stream *stream) + { + sctp_sched_rr_unsched_all(stream); +@@ -177,6 +181,7 @@ static struct sctp_sched_ops sctp_sched_rr = { + .get = sctp_sched_rr_get, + .init = sctp_sched_rr_init, + .init_sid = sctp_sched_rr_init_sid, ++ .free_sid = sctp_sched_rr_free_sid, + .free = sctp_sched_rr_free, + .enqueue = sctp_sched_rr_enqueue, + .dequeue = sctp_sched_rr_dequeue, +-- +2.35.1 + diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 00000000000..6aff6910b71 --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,53 @@ +btrfs-sink-iterator-parameter-to-btrfs_ioctl_logical.patch +btrfs-free-btrfs_path-before-copying-inodes-to-users.patch +spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch +btrfs-move-quota_enabled-check-to-rescan_should_stop.patch +drm-display-dp_mst-fix-drm_dp_mst_add_affected_dsc_c.patch +kbuild-fix-wimplicit-function-declaration-in-license.patch +drm-amdgpu-update-drm_display_info-correctly-when-th.patch +drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch +btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch +iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch +iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch +iio-light-rpr0521-add-missing-kconfig-dependencies.patch +bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch +scripts-faddr2line-fix-regression-in-name-resolution.patch +arm-at91-rm9200-fix-usb-device-clock-id.patch +libbpf-handle-size-overflow-for-ringbuf-mmap.patch +hwmon-ltc2947-fix-temperature-scaling.patch +hwmon-ina3221-fix-shunt-sum-critical-calculation.patch +hwmon-i5500_temp-fix-missing-pci_disable_device.patch +hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch +bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch +of-property-decrement-node-refcount-in-of_fwnode_get.patch +ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch +i40e-fix-error-handling-in-i40e_init_module.patch +fm10k-fix-error-handling-in-fm10k_init_module.patch +iavf-remove-redundant-ret-variable.patch +iavf-fix-error-handling-in-iavf_init_module.patch +e100-switch-from-pci_-to-dma_-api.patch +e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch +net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch +net-mlx5e-fix-use-after-free-when-reverting-terminat.patch +can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch +can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch +qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch +aquantia-do-not-purge-addresses-when-setting-the-num.patch +wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch +wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch +wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch +net-phy-fix-null-ptr-deref-while-probe-failed.patch +net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch +net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch +net-ethernet-nixge-fix-null-dereference.patch +dsa-lan9303-correct-stat-name.patch +tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch +net-hsr-fix-potential-use-after-free.patch +afs-fix-fileserver-probe-rtt-handling.patch +net-tun-fix-use-after-free-in-tun_detach.patch +packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch +sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch +net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch +hwmon-coretemp-check-for-null-before-removing-sysfs-.patch +hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch +net-mlx5-dr-fix-uninitialized-var-warning.patch diff --git a/queue-5.10/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch b/queue-5.10/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch new file mode 100644 index 00000000000..c84659f02f8 --- /dev/null +++ b/queue-5.10/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch @@ -0,0 +1,65 @@ +From 1bf190d0480db9dbd01564caa684ef529f14b3b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 19:10:00 +0100 +Subject: spi: spi-imx: Fix spi_bus_clk if requested clock is higher than input + clock + +From: Frieder Schrempf + +[ Upstream commit db2d2dc9a0b58c6faefb6b002fdbed4f0362d1a4 ] + +In case the requested bus clock is higher than the input clock, the correct +dividers (pre = 0, post = 0) are returned from mx51_ecspi_clkdiv(), but +*fres is left uninitialized and therefore contains an arbitrary value. + +This causes trouble for the recently introduced PIO polling feature as the +value in spi_imx->spi_bus_clk is used there to calculate for which +transfers to enable PIO polling. + +Fix this by setting *fres even if no clock dividers are in use. + +This issue was observed on Kontron BL i.MX8MM with an SPI peripheral clock set +to 50 MHz by default and a requested SPI bus clock of 80 MHz for the SPI NOR +flash. + +With the fix applied the debug message from mx51_ecspi_clkdiv() now prints the +following: + +spi_imx 30820000.spi: mx51_ecspi_clkdiv: fin: 50000000, fspi: 50000000, +post: 0, pre: 0 + +Fixes: 6fd8b8503a0d ("spi: spi-imx: Fix out-of-order CS/SCLK operation at low speeds") +Fixes: 07e759387788 ("spi: spi-imx: add PIO polling support") +Cc: Marc Kleine-Budde +Cc: David Jander +Cc: Fabio Estevam +Cc: Mark Brown +Cc: Marek Vasut +Cc: stable@vger.kernel.org +Signed-off-by: Frieder Schrempf +Tested-by: Fabio Estevam +Acked-by: Marek Vasut +Link: https://lore.kernel.org/r/20221115181002.2068270-1-frieder@fris.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 0e3bc0b0a526..74b3b6ca15ef 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -434,8 +434,7 @@ static unsigned int mx51_ecspi_clkdiv(struct spi_imx_data *spi_imx, + unsigned int pre, post; + unsigned int fin = spi_imx->spi_clk; + +- if (unlikely(fspi > fin)) +- return 0; ++ fspi = min(fspi, fin); + + post = fls(fin) - fls(fspi); + if (fin > fspi << post) +-- +2.35.1 + diff --git a/queue-5.10/tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch b/queue-5.10/tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch new file mode 100644 index 00000000000..f838fe574da --- /dev/null +++ b/queue-5.10/tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch @@ -0,0 +1,65 @@ +From 9715b0e2e4fe5ad20311f6c338b0d36e33011582 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 12:46:43 -0500 +Subject: tipc: re-fetch skb cb after tipc_msg_validate + +From: Xin Long + +[ Upstream commit 3067bc61fcfe3081bf4807ce65560f499e895e77 ] + +As the call trace shows, the original skb was freed in tipc_msg_validate(), +and dereferencing the old skb cb would cause an use-after-free crash. + + BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] + Call Trace: + + tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] + tipc_crypto_rcv+0xd32/0x1ec0 [tipc] + tipc_rcv+0x744/0x1150 [tipc] + ... + Allocated by task 47078: + kmem_cache_alloc_node+0x158/0x4d0 + __alloc_skb+0x1c1/0x270 + tipc_buf_acquire+0x1e/0xe0 [tipc] + tipc_msg_create+0x33/0x1c0 [tipc] + tipc_link_build_proto_msg+0x38a/0x2100 [tipc] + tipc_link_timeout+0x8b8/0xef0 [tipc] + tipc_node_timeout+0x2a1/0x960 [tipc] + call_timer_fn+0x2d/0x1c0 + ... + Freed by task 47078: + tipc_msg_validate+0x7b/0x440 [tipc] + tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc] + tipc_crypto_rcv+0xd32/0x1ec0 [tipc] + tipc_rcv+0x744/0x1150 [tipc] + +This patch fixes it by re-fetching the skb cb from the new allocated skb +after calling tipc_msg_validate(). + +Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Link: https://lore.kernel.org/r/1b1cdba762915325bd8ef9a98d0276eb673df2a5.1669398403.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index 6f91b9a306dc..de63d6d41645 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -1975,6 +1975,9 @@ static void tipc_crypto_rcv_complete(struct net *net, struct tipc_aead *aead, + /* Ok, everything's fine, try to synch own keys according to peers' */ + tipc_crypto_key_synch(rx, *skb); + ++ /* Re-fetch skb cb as skb might be changed in tipc_msg_validate */ ++ skb_cb = TIPC_SKB_CB(*skb); ++ + /* Mark skb decrypted */ + skb_cb->decrypted = 1; + +-- +2.35.1 + diff --git a/queue-5.10/wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch b/queue-5.10/wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch new file mode 100644 index 00000000000..74aa0c087be --- /dev/null +++ b/queue-5.10/wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch @@ -0,0 +1,52 @@ +From 87b92a816d573791bfe7381a6a47ba1f72a41f12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 12:36:58 +0100 +Subject: wifi: cfg80211: don't allow multi-BSSID in S1G +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johannes Berg + +[ Upstream commit acd3c92acc7aaec50a94d0a7faf7ccd74e952493 ] + +In S1G beacon frames there shouldn't be multi-BSSID elements +since that's not supported, remove that to avoid a potential +integer underflow and/or misparsing the frames due to the +different length of the fixed part of the frame. + +While at it, initialize non_tx_data so we don't send garbage +values to the user (even if it doesn't seem to matter now.) + +Reported-and-tested-by: Sönke Huster +Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 8102ee7b2047..d09dabae5627 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -2467,10 +2467,15 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy, + const struct cfg80211_bss_ies *ies1, *ies2; + size_t ielen = len - offsetof(struct ieee80211_mgmt, + u.probe_resp.variable); +- struct cfg80211_non_tx_bss non_tx_data; ++ struct cfg80211_non_tx_bss non_tx_data = {}; + + res = cfg80211_inform_single_bss_frame_data(wiphy, data, mgmt, + len, gfp); ++ ++ /* don't do any further MBSSID handling for S1G */ ++ if (ieee80211_is_s1g_beacon(mgmt->frame_control)) ++ return res; ++ + if (!res || !wiphy->support_mbssid || + !cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen)) + return res; +-- +2.35.1 + diff --git a/queue-5.10/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch b/queue-5.10/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch new file mode 100644 index 00000000000..cf65fe45d82 --- /dev/null +++ b/queue-5.10/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch @@ -0,0 +1,41 @@ +From a4d4baf182cff84a3c75cc6fa04d857dc35a9be1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 12:36:57 +0100 +Subject: wifi: cfg80211: fix buffer overflow in elem comparison +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johannes Berg + +[ Upstream commit 9f16b5c82a025cd4c864737409234ddc44fb166a ] + +For vendor elements, the code here assumes that 5 octets +are present without checking. Since the element itself is +already checked to fit, we only need to check the length. + +Reported-and-tested-by: Sönke Huster +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 15119c49c093..8102ee7b2047 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -330,7 +330,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, + * determine if they are the same ie. + */ + if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) { +- if (!memcmp(tmp_old + 2, tmp + 2, 5)) { ++ if (tmp_old[1] >= 5 && tmp[1] >= 5 && ++ !memcmp(tmp_old + 2, tmp + 2, 5)) { + /* same vendor ie, copy from + * subelement + */ +-- +2.35.1 + diff --git a/queue-5.10/wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch b/queue-5.10/wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch new file mode 100644 index 00000000000..960c418ebb4 --- /dev/null +++ b/queue-5.10/wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch @@ -0,0 +1,67 @@ +From 5e97690e4f4fe3122e7b2acf58e260164a471ec4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 16:19:26 +0100 +Subject: wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lorenzo Bianconi + +[ Upstream commit 3e8f7abcc3473bc9603323803aeaed4ffcc3a2ab ] + +Fix possible out-of-bound access in ieee80211_get_rate_duration routine +as reported by the following UBSAN report: + +UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47 +index 15 is out of range for type 'u16 [12]' +CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic +Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017 +Workqueue: mt76 mt76u_tx_status_data [mt76_usb] +Call Trace: + + show_stack+0x4e/0x61 + dump_stack_lvl+0x4a/0x6f + dump_stack+0x10/0x18 + ubsan_epilogue+0x9/0x43 + __ubsan_handle_out_of_bounds.cold+0x42/0x47 +ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211] + ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211] + ieee80211_calc_rx_airtime+0xda/0x120 [mac80211] + ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211] + mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib] + mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib] + mt76u_tx_status_data+0x67/0xd0 [mt76_usb] + process_one_work+0x225/0x400 + worker_thread+0x50/0x3e0 + ? process_one_work+0x400/0x400 + kthread+0xe9/0x110 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x22/0x30 + +Fixes: db3e1c40cf2f ("mac80211: Import airtime calculation code from mt76") +Signed-off-by: Lorenzo Bianconi +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/airtime.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/airtime.c b/net/mac80211/airtime.c +index 26d2f8ba7029..758ef63669e7 100644 +--- a/net/mac80211/airtime.c ++++ b/net/mac80211/airtime.c +@@ -457,6 +457,9 @@ static u32 ieee80211_get_rate_duration(struct ieee80211_hw *hw, + (status->encoding == RX_ENC_HE && streams > 8))) + return 0; + ++ if (idx >= MCS_GROUP_RATES) ++ return 0; ++ + duration = airtime_mcs_groups[group].duration[idx]; + duration <<= airtime_mcs_groups[group].shift; + *overhead = 36 + (streams << 2); +-- +2.35.1 + -- 2.47.3