From f81d90a4e2e007d54634585a659b1f7d3593cd48 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Mon, 5 Aug 2024 08:18:09 -0400
Subject: [PATCH] Fixes for 5.4
Signed-off-by: Sasha Levin
---
 ...nouveau-prime-fix-refcount-underflow.patch | 47 ++++++++++
 ...ix-overlay-when-using-screen-targets.patch | 41 +++++++++
 ...ix-ndisc_is_useropt-handling-for-pio.patch | 92 +++++++++++++++++++
 ...ix-use-after-free-in-iucv_sock_close.patch | 75 +++++++++++++++
 ...check-for-the-return-value-from-mlx5.patch | 48 ++++++++++
 queue-5.4/series | 5 +
 6 files changed, 308 insertions(+)
 create mode 100644 queue-5.4/drm-nouveau-prime-fix-refcount-underflow.patch
 create mode 100644 queue-5.4/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch
 create mode 100644 queue-5.4/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch
 create mode 100644 queue-5.4/net-iucv-fix-use-after-free-in-iucv_sock_close.patch
 create mode 100644 queue-5.4/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch
diff --git a/queue-5.4/drm-nouveau-prime-fix-refcount-underflow.patch b/queue-5.4/drm-nouveau-prime-fix-refcount-underflow.patch
new file mode 100644
index 00000000000..33716e6b6a0
--- /dev/null
+++ b/queue-5.4/drm-nouveau-prime-fix-refcount-underflow.patch
@@ -0,0 +1,47 @@
+From 21dedfd718a3b28db67206ae78d7e0f1dab5ee48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Jul 2024 18:58:46 +0200
+Subject: drm/nouveau: prime: fix refcount underflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Danilo Krummrich
+
+[ Upstream commit a9bf3efc33f1fbf88787a277f7349459283c9b95 ]
+
+Calling nouveau_bo_ref() on a nouveau_bo without initializing it (and
+hence the backing ttm_bo) leads to a refcount underflow.
+
+Instead of calling nouveau_bo_ref() in the unwind path of
+drm_gem_object_init(), clean things up manually.
+
+Fixes: ab9ccb96a6e6 ("drm/nouveau: use prime helpers")
+Reviewed-by: Ben Skeggs
+Reviewed-by: Christian König
+Signed-off-by: Danilo Krummrich
+Link: https://patchwork.freedesktop.org/patch/msgid/20240718165959.3983-2-dakr@kernel.org
+(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)
+Signed-off-by: Danilo Krummrich
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/nouveau/nouveau_prime.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_prime.c b/drivers/gpu/drm/nouveau/nouveau_prime.c
+index 25cbe4ef383bd..ea7cd8aee68f6 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_prime.c
++++ b/drivers/gpu/drm/nouveau/nouveau_prime.c
+@@ -83,7 +83,8 @@ struct drm_gem_object *nouveau_gem_prime_import_sg_table(struct drm_device *dev,
+ * to the caller, instead of a normal nouveau_bo ttm reference. */
+ ret = drm_gem_object_init(dev, &nvbo->bo.base, size);
+ if (ret) {
+- nouveau_bo_ref(NULL, &nvbo);
++ drm_gem_object_release(&nvbo->bo.base);
++ kfree(nvbo);
+ obj = ERR_PTR(-ENOMEM);
+ goto unlock;
+ }
+--
+2.43.0
+
diff --git a/queue-5.4/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch b/queue-5.4/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch
new file mode 100644
index 00000000000..6cfb7243a82
--- /dev/null
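Review bot: The new manual unwind in the `if (ret)` branch of nouveau_gem_prime_import_sg_table() has no comment saying why nouveau_bo_ref() must not be used there, so a later cleanup could reintroduce the refcount underflow; I would add `/* ttm_bo is not initialised yet, so nouveau_bo_ref() would underflow its refcount */` above `drm_gem_object_release(&nvbo->bo.base);`. The same branch still sets `obj = ERR_PTR(-ENOMEM);` whatever drm_gem_object_init() returned, and `obj = ERR_PTR(ret);` would keep the real error code. The allocation that `kfree(nvbo)` has to match is outside the hunk, so that pairing should be confirmed against the 5.4 tree.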
+++ b/queue-5.4/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch
@@ -0,0 +1,41 @@
+From 8e49e42fd998a17bb80f3a8d872ffe3aaa67fb65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Jul 2024 11:36:27 -0500
+Subject: drm/vmwgfx: Fix overlay when using Screen Targets
+
+From: Ian Forbes
+
+[ Upstream commit cb372a505a994cb39aa75acfb8b3bcf94787cf94 ]
+
+This code was never updated to support Screen Targets.
+Fixes a bug where Xv playback displays a green screen instead of actual
+video contents when 3D acceleration is disabled in the guest.
+
+Fixes: c8261a961ece ("vmwgfx: Major KMS refactoring / cleanup in preparation of screen targets")
+Reported-by: Doug Brown
+Closes: https://lore.kernel.org/all/bd9cb3c7-90e8-435d-bc28-0e38fee58977@schmorgal.com
+Signed-off-by: Ian Forbes
+Tested-by: Doug Brown
+Signed-off-by: Zack Rusin
+Link: https://patchwork.freedesktop.org/patch/msgid/20240719163627.20888-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c
+index fdb52f6d29fb1..395614f2b7bd4 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c
+@@ -98,7 +98,7 @@ static int vmw_overlay_send_put(struct vmw_private *dev_priv,
+ {
+ struct vmw_escape_video_flush *flush;
+ size_t fifo_size;
+- bool have_so = (dev_priv->active_display_unit == vmw_du_screen_object);
++ bool have_so = (dev_priv->active_display_unit != vmw_du_legacy);
+ int i, num_items;
+ SVGAGuestPtr ptr;
+
+--
+2.43.0
+
diff --git a/queue-5.4/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch b/queue-5.4/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch
new file mode 100644
index 00000000000..dcc6171e28f
--- /dev/null
+++ b/queue-5.4/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch
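Review bot: `have_so` is now true for every display unit other than `vmw_du_legacy`, so the name no longer matches the test, and any display-unit type added later would silently take the screen-object path in vmw_overlay_send_put(). A comment on the declaration, for example `/* screen objects and screen targets share the non-legacy path */`, would record the intent. How `have_so` is used is outside the hunk.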
@@ -0,0 +1,92 @@
+From b26af7e7d712f9203d2fbd2d3d3a1dbaf1d9508a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Jul 2024 17:17:48 -0700
+Subject: ipv6: fix ndisc_is_useropt() handling for PIO
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski
+
+[ Upstream commit a46c68debf3be3a477a69ccbf0a1d050df841676 ]
+
+The current logic only works if the PIO is between two
+other ND user options. This fixes it so that the PIO
+can also be either before or after other ND user options
+(for example the first or last option in the RA).
+
+side note: there's actually Android tests verifying
+a portion of the old broken behaviour, so:
+ https://android-review.googlesource.com/c/kernel/tests/+/3196704
+fixes those up.
+
+Cc: Jen Linkova
+Cc: Lorenzo Colitti
+Cc: Patrick Rohr
+Cc: David Ahern
+Cc: YOSHIFUJI Hideaki / 吉藤英明
+Cc: Jakub Kicinski
+Signed-off-by: Maciej Żenczykowski
+Fixes: 048c796beb6e ("ipv6: adjust ndisc_is_useropt() to also return true for PIO")
+Link: https://patch.msgid.link/20240730001748.147636-1-maze@google.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ndisc.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 74977ec77c576..64729e7e6a866 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -225,6 +225,7 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev,
+ return NULL;
+ memset(ndopts, 0, sizeof(*ndopts));
+ while (opt_len) {
++ bool unknown = false;
+ int l;
+ if (opt_len < sizeof(struct nd_opt_hdr))
+ return NULL;
+@@ -260,22 +261,23 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev,
+ break;
+ #endif
+ default:
+- if (ndisc_is_useropt(dev, nd_opt)) {
+- ndopts->nd_useropts_end = nd_opt;
+- if (!ndopts->nd_useropts)
+- ndopts->nd_useropts = nd_opt;
+- } else {
+- /*
+- * Unknown options must be silently ignored,
+- * to accommodate future extension to the
+- * protocol.
+- */
+- ND_PRINTK(2, notice,
+- "%s: ignored unsupported option; type=%d, len=%d\n",
+- __func__,
+- nd_opt->nd_opt_type,
+- nd_opt->nd_opt_len);
+- }
++ unknown = true;
++ }
++ if (ndisc_is_useropt(dev, nd_opt)) {
++ ndopts->nd_useropts_end = nd_opt;
++ if (!ndopts->nd_useropts)
++ ndopts->nd_useropts = nd_opt;
++ } else if (unknown) {
++ /*
++ * Unknown options must be silently ignored,
++ * to accommodate future extension to the
++ * protocol.
++ */
++ ND_PRINTK(2, notice,
++ "%s: ignored unsupported option; type=%d, len=%d\n",
++ __func__,
++ nd_opt->nd_opt_type,
++ nd_opt->nd_opt_len);
+ }
+ next_opt:
+ opt_len -= l;
+--
+2.43.0
+
diff --git a/queue-5.4/net-iucv-fix-use-after-free-in-iucv_sock_close.patch b/queue-5.4/net-iucv-fix-use-after-free-in-iucv_sock_close.patch
new file mode 100644
index 00000000000..f70960f6705
--- /dev/null
+++ b/queue-5.4/net-iucv-fix-use-after-free-in-iucv_sock_close.patch
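Review bot: ndisc_is_useropt() now runs for every option that ndisc_parse_options() walks, not only for those that reach `default:`, and nothing at the new call site says so; a comment such as `/* checked for all options, including ones handled by the switch above (e.g. PIO) */` before `if (ndisc_is_useropt(dev, nd_opt))` would make that explicit. Because `nd_useropts` and `nd_useropts_end` only record the first and last match, the range can also enclose options the kernel handled itself, so the code that walks it (outside this hunk) presumably has to re-check each option. Any path that reaches `next_opt:` by a jump skips the new check; those jumps are not visible here.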
@@ -0,0 +1,75 @@
+From 1397547707af8d8e47a1138c858a0cc8bfafa5ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Jul 2024 14:28:16 +0200
+Subject: net/iucv: fix use after free in iucv_sock_close()
+
+From: Alexandra Winter
+
+[ Upstream commit f558120cd709682b739207b48cf7479fd9568431 ]
+
+iucv_sever_path() is called from process context and from bh context.
+iucv->path is used as indicator whether somebody else is taking care of
+severing the path (or it is already removed / never existed).
+This needs to be done with atomic compare and swap, otherwise there is a
+small window where iucv_sock_close() will try to work with a path that has
+already been severed and freed by iucv_callback_connrej() called by
+iucv_tasklet_fn().
+
+Example:
+[452744.123844] Call Trace:
+[452744.123845] ([<0000001e87f03880>] 0x1e87f03880)
+[452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138
+[452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]
+[452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]
+[452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]
+[452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8
+[452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48
+[452744.124820] [<00000000d5421642>] __fput+0xba/0x268
+[452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0
+[452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90
+[452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8
+[452744.125319] Last Breaking-Event-Address:
+[452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138
+[452744.125324]
+[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt
+
+Note that bh_lock_sock() is not serializing the tasklet context against
+process context, because the check for sock_owned_by_user() and
+corresponding handling is missing.
+
+Ideas for a future clean-up patch:
+A) Correct usage of bh_lock_sock() in tasklet context, as described in
+Link: https://lore.kernel.org/netdev/1280155406.2899.407.camel@edumazet-laptop/
+Re-enqueue, if needed. This may require adding return values to the
+tasklet functions and thus changes to all users of iucv.
+
+B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.
+
+Fixes: 7d316b945352 ("af_iucv: remove IUCV-pathes completely")
+Reviewed-by: Halil Pasic
+Signed-off-by: Alexandra Winter
+Link: https://patch.msgid.link/20240729122818.947756-1-wintera@linux.ibm.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/iucv/af_iucv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
+index 652285191da1e..74cf37f17ea90 100644
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -453,8 +453,8 @@ static void iucv_sever_path(struct sock *sk, int with_user_data)
+ struct iucv_sock *iucv = iucv_sk(sk);
+ struct iucv_path *path = iucv->path;
+
+- if (iucv->path) {
+- iucv->path = NULL;
++ /* Whoever resets the path pointer, must sever and free it. */
++ if (xchg(&iucv->path, NULL)) {
+ if (with_user_data) {
+ low_nmcpy(user_data, iucv->src_name);
+ high_nmcpy(user_data, iucv->dst_name);
+--
+2.43.0
+
diff --git a/queue-5.4/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch b/queue-5.4/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch
new file mode 100644
index 00000000000..64947526c7d
--- /dev/null
+++ b/queue-5.4/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch
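Review bot: `path` is still loaded with a plain read (`struct iucv_path *path = iucv->path;`) before the `xchg()`, so the pointer that is claimed atomically and the pointer held in `path` come from two separate reads. Taking the return value of the exchange, `path = xchg(&iucv->path, NULL);` followed by `if (path) {`, guarantees that whatever uses `path` later acts on exactly the pointer this caller won. The rest of iucv_sever_path(), where `path` is presumably severed and freed, is outside the hunk.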
@@ -0,0 +1,48 @@
+From 20d7180af76dc886e87873665cfd5923964e00b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Jul 2024 09:16:37 +0300
+Subject: net/mlx5e: Add a check for the return value from
+ mlx5_port_set_eth_ptys
+
+From: Shahar Shitrit
+
+[ Upstream commit 3f8e82a020a5c22f9b791f4ac499b8e18007fbda ]
+
+Since the documentation for mlx5_toggle_port_link states that it should
+only be used after setting the port register, we add a check for the
+return value from mlx5_port_set_eth_ptys to ensure the register was
+successfully set before calling it.
+
+Fixes: 667daedaecd1 ("net/mlx5e: Toggle link only after modifying port parameters")
+Signed-off-by: Shahar Shitrit
+Reviewed-by: Carolina Jubran
+Signed-off-by: Tariq Toukan
+Reviewed-by: Wojciech Drewek
+Link: https://patch.msgid.link/20240730061638.1831002-9-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index 18e0cb02aee18..10411ab89e1cf 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1104,7 +1104,12 @@ int mlx5e_ethtool_set_link_ksettings(struct mlx5e_priv *priv,
+ if (!an_changes && link_modes == eproto.admin)
+ goto out;
+
+- mlx5_port_set_eth_ptys(mdev, an_disable, link_modes, ext);
++ err = mlx5_port_set_eth_ptys(mdev, an_disable, link_modes, ext);
++ if (err) {
++ netdev_err(priv->netdev, "%s: failed to set ptys reg: %d\n", __func__, err);
++ goto out;
++ }
++
+ mlx5_toggle_port_link(mdev);
+
+ out:
+--
+2.43.0
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 76701cebc7a..f6bad591bf9 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
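Review bot: The reason for bailing out before `mlx5_toggle_port_link(mdev);` lives only in the commit message; a comment such as `/* the link may only be toggled after the port register was set */` above the call would keep that ordering rule next to the code. What is returned after `out:` is outside the hunk, so it should be confirmed that `err` is the value handed back to the caller of mlx5e_ethtool_set_link_ksettings().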
@@ -171,3 +171,8 @@ irqchip-imx-irqsteer-handle-runtime-power-management.patch
 remoteproc-imx_rproc-ignore-mapping-vdev-regions.patch
 remoteproc-imx_rproc-fix-ignoring-mapping-vdev-regio.patch
 remoteproc-imx_rproc-skip-over-memory-region-when-no.patch
+drm-nouveau-prime-fix-refcount-underflow.patch
+drm-vmwgfx-fix-overlay-when-using-screen-targets.patch
+net-iucv-fix-use-after-free-in-iucv_sock_close.patch
+net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch
+ipv6-fix-ndisc_is_useropt-handling-for-pio.patch
--
2.47.3