author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-02-20 12:36:25 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-02-20 12:36:25 +0100 |
commit | 29a418b45d60d18e9f1a1ca0163ab11b41634e50 (patch) | |
tree | 17b1847442c960b089c83c70bd2aedb4b8d72aeb | |
parent | 664e5fcb22766bf4aa17a4577c5e8ed8c0bb1d8f (diff) | |
finish 6.7.5 first pass
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | cve/review/mbox.6.7.5 | 2043 | ||||
-rw-r--r-- | cve/review/mbox.6.7.5.cve | 1954 |
2 files changed, 2063 insertions, 1934 deletions
diff --git a/cve/review/mbox.6.7.5 b/cve/review/mbox.6.7.5
index 9c4b3d86..6fd5a9b2 100644
--- a/cve/review/mbox.6.7.5
+++ b/cve/review/mbox.6.7.5 
@@ -1,73 +1,10 @@ -From 6b0d48647935e4b8c7b75d1eccb9043fcd4ee581 Mon Sep 17 00:00:00 2001 -From: Baokun Li <libaokun1@huawei.com> -Date: Thu, 4 Jan 2024 22:20:35 +0800 -Subject: [PATCH 001/129] ext4: regenerate buddy after block freeing failed if - under fc replay - -[ Upstream commit c9b528c35795b711331ed36dc3dbee90d5812d4e ] - -This mostly reverts commit 6bd97bf273bd ("ext4: remove redundant -mb_regenerate_buddy()") and reintroduces mb_regenerate_buddy(). Based on -code in mb_free_blocks(), fast commit replay can end up marking as free -blocks that are already marked as such. This causes corruption of the -buddy bitmap so we need to regenerate it in that case. - -Reported-by: Jan Kara <jack@suse.cz> -Fixes: 6bd97bf273bd ("ext4: remove redundant mb_regenerate_buddy()") -Signed-off-by: Baokun Li <libaokun1@huawei.com> -Reviewed-by: Jan Kara <jack@suse.cz> -Link: https://lore.kernel.org/r/20240104142040.2835097-4-libaokun1@huawei.com -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - fs/ext4/mballoc.c | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c -index 8408318e1d32..3c5786841c6c 100644 ---- a/fs/ext4/mballoc.c -+++ b/fs/ext4/mballoc.c -@@ -1233,6 +1233,24 @@ void ext4_mb_generate_buddy(struct super_block *sb, - atomic64_add(period, &sbi->s_mb_generation_time); - } - -+static void mb_regenerate_buddy(struct ext4_buddy *e4b) -+{ -+ int count; -+ int order = 1; -+ void *buddy; -+ -+ while ((buddy = mb_find_buddy(e4b, order++, &count))) -+ mb_set_bits(buddy, 0, count); -+ -+ e4b->bd_info->bb_fragments = 0; -+ memset(e4b->bd_info->bb_counters, 0, -+ sizeof(*e4b->bd_info->bb_counters) * -+ (e4b->bd_sb->s_blocksize_bits + 2)); -+ -+ ext4_mb_generate_buddy(e4b->bd_sb, e4b->bd_buddy, -+ e4b->bd_bitmap, e4b->bd_group, e4b->bd_info); -+} -+ - /* The buddy information is attached the buddy cache inode - * for convenience. 
The information regarding each group - * is loaded via ext4_mb_load_buddy. The information involve -@@ -1921,6 +1939,8 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b, - ext4_mark_group_bitmap_corrupted( - sb, e4b->bd_group, - EXT4_GROUP_INFO_BBITMAP_CORRUPT); -+ } else { -+ mb_regenerate_buddy(e4b); - } - goto done; - } --- -2.43.2 - From 7e81c9e2f90329af279a7b2c988852c60d79ca02 Mon Sep 17 00:00:00 2001 From: Guanhua Gao <guanhua.gao@nxp.com> Date: Thu, 18 Jan 2024 11:29:16 -0500 Subject: [PATCH 002/129] dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools +Status: RO +Content-Length: 1791 +Lines: 46 [ Upstream commit b73e43dcd7a8be26880ef8ff336053b29e79dbc5 ] @@ -120,6 +57,9 @@ From d48e89f29f235cf5b620c207be6b73e86f3022bb Mon Sep 17 00:00:00 2001 From: Jai Luthra <j-luthra@ti.com> Date: Wed, 3 Jan 2024 14:37:55 +0530 Subject: [PATCH 003/129] dmaengine: ti: k3-udma: Report short packet errors +Status: RO +Content-Length: 2005 +Lines: 59 [ Upstream commit bc9847c9ba134cfe3398011e343dcf6588c1c902 ] @@ -186,6 +126,9 @@ From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Date: Sun, 7 Jan 2024 11:02:03 +0100 Subject: [PATCH 004/129] dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA +Status: RO +Content-Length: 2226 +Lines: 62 [ Upstream commit 968bc1d7203d384e72afe34124a1801b7af76514 ] @@ -255,6 +198,9 @@ From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Date: Sun, 7 Jan 2024 11:02:04 +0100 Subject: [PATCH 005/129] dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA +Status: RO +Content-Length: 1401 +Lines: 39 [ Upstream commit 3aa58cb51318e329d203857f7a191678e60bb714 ] @@ -492,6 +438,7 @@ From f2dfbcf3ad792339f5b87ca975cecfec18e272fb Mon Sep 17 00:00:00 2001 From: Ian Rogers <irogers@google.com> Date: Thu, 7 Dec 2023 09:40:57 -0800 Subject: [PATCH 009/129] perf tests: Add perf script test +Status: RO Content-Length: 2635 Lines: 100 @@ -600,6 +547,7 @@ 
From 1696ee0492df8abdcbba12a03b03e6932a92470f Mon Sep 17 00:00:00 2001 From: Thomas Richter <tmricht@linux.ibm.com> Date: Thu, 25 Jan 2024 11:03:51 +0100 Subject: [PATCH 010/129] perf test: Fix 'perf script' tests on s390 +Status: RO Content-Length: 1799 Lines: 59 @@ -668,6 +616,7 @@ From: James Clark <james.clark@arm.com> Date: Wed, 24 Jan 2024 09:43:57 +0000 Subject: [PATCH 011/129] perf evlist: Fix evlist__new_default() for > 1 core PMU +Status: RO Content-Length: 3701 Lines: 90 @@ -767,6 +716,7 @@ From: Frank Li <Frank.Li@nxp.com> Date: Tue, 23 Jan 2024 12:28:41 -0500 Subject: [PATCH 012/129] dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV +Status: RO Content-Length: 1123 Lines: 29 @@ -804,6 +754,7 @@ From 7454c0e3ec9ff2d6f12c2bccb4c70389f006ff2e Mon Sep 17 00:00:00 2001 From: Shyam Prasad N <sprasad@microsoft.com> Date: Thu, 1 Feb 2024 11:15:26 +0000 Subject: [PATCH 014/129] cifs: avoid redundant calls to disable multichannel +Status: RO Content-Length: 1281 Lines: 34 @@ -847,6 +798,7 @@ From: Shyam Prasad N <sprasad@microsoft.com> Date: Thu, 1 Feb 2024 11:15:29 +0000 Subject: [PATCH 015/129] cifs: failure to add channel on iface should bump up weight +Status: RO Content-Length: 1656 Lines: 43 @@ -899,6 +851,7 @@ From: Kuogee Hsieh <quic_khsieh@quicinc.com> Date: Wed, 10 Jan 2024 12:18:51 -0800 Subject: [PATCH 016/129] drm/msms/dp: fixed link clock divider bits be over written in BPC unknown case +Status: RO Content-Length: 2675 Lines: 71 @@ -979,6 +932,7 @@ From: Kuogee Hsieh <quic_khsieh@quicinc.com> Date: Wed, 17 Jan 2024 13:13:30 -0800 Subject: [PATCH 017/129] drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case +Status: RO Content-Length: 2904 Lines: 83 @@ -1126,6 +1080,7 @@ From: Benjamin Berg <benjamin.berg@intel.com> Date: Tue, 23 Jan 2024 20:08:19 +0200 Subject: [PATCH 019/129] wifi: iwlwifi: mvm: skip adding debugfs symlink for reconfig +Status: RO Content-Length: 2626 Lines: 58 @@ -1193,6 +1148,7 @@ 
From: Ard Biesheuvel <ardb@kernel.org> Date: Fri, 26 Jan 2024 12:14:30 +0100 Subject: [PATCH 020/129] x86/efistub: Give up if memory attribute protocol returns an error +Status: RO Content-Length: 3980 Lines: 112 
@@ -1453,170 +1409,12 @@ index bdb17eac0cb4..1ceace956758 100644 -- 2.43.2 -From 3b48c9e258c8691c2f093ee07b1ea3764caaa1b2 Mon Sep 17 00:00:00 2001 -From: Furong Xu <0x1207@gmail.com> -Date: Wed, 31 Jan 2024 10:08:28 +0800 -Subject: [PATCH 022/129] net: stmmac: xgmac: fix handling of DPP safety error - for DMA channels -Content-Length: 5743 -Lines: 150 - -[ Upstream commit 46eba193d04f8bd717e525eb4110f3c46c12aec3 ] - -Commit 56e58d6c8a56 ("net: stmmac: Implement Safety Features in -XGMAC core") checks and reports safety errors, but leaves the -Data Path Parity Errors for each channel in DMA unhandled at all, lead to -a storm of interrupt. -Fix it by checking and clearing the DMA_DPP_Interrupt_Status register. - -Fixes: 56e58d6c8a56 ("net: stmmac: Implement Safety Features in XGMAC core") -Signed-off-by: Furong Xu <0x1207@gmail.com> -Reviewed-by: Simon Horman <horms@kernel.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - drivers/net/ethernet/stmicro/stmmac/common.h | 1 + - .../net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 + - .../ethernet/stmicro/stmmac/dwxgmac2_core.c | 57 ++++++++++++++++++- - 3 files changed, 60 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h -index e3f650e88f82..588e44d57f29 100644 ---- a/drivers/net/ethernet/stmicro/stmmac/common.h -+++ b/drivers/net/ethernet/stmicro/stmmac/common.h -@@ -216,6 +216,7 @@ struct stmmac_safety_stats { - unsigned long mac_errors[32]; - unsigned long mtl_errors[32]; - unsigned long dma_errors[32]; -+ unsigned long dma_dpp_errors[32]; - }; - - /* Number of fields in Safety Stats */ -diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h -index a4e8b498dea9..7d7133ef4994 100644 ---- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h -+++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h -@@ -319,6 +319,8 @@ - #define 
XGMAC_RXCEIE BIT(4) - #define XGMAC_TXCEIE BIT(0) - #define XGMAC_MTL_ECC_INT_STATUS 0x000010cc -+#define XGMAC_MTL_DPP_CONTROL 0x000010e0 -+#define XGMAC_DDPP_DISABLE BIT(0) - #define XGMAC_MTL_TXQ_OPMODE(x) (0x00001100 + (0x80 * (x))) - #define XGMAC_TQS GENMASK(25, 16) - #define XGMAC_TQS_SHIFT 16 -@@ -401,6 +403,7 @@ - #define XGMAC_DCEIE BIT(1) - #define XGMAC_TCEIE BIT(0) - #define XGMAC_DMA_ECC_INT_STATUS 0x0000306c -+#define XGMAC_DMA_DPP_INT_STATUS 0x00003074 - #define XGMAC_DMA_CH_CONTROL(x) (0x00003100 + (0x80 * (x))) - #define XGMAC_SPH BIT(24) - #define XGMAC_PBLx8 BIT(16) -diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c -index a74e71db79f9..e7eccc0c406f 100644 ---- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c -+++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c -@@ -830,6 +830,43 @@ static const struct dwxgmac3_error_desc dwxgmac3_dma_errors[32]= { - { false, "UNKNOWN", "Unknown Error" }, /* 31 */ - }; - -+static const char * const dpp_rx_err = "Read Rx Descriptor Parity checker Error"; -+static const char * const dpp_tx_err = "Read Tx Descriptor Parity checker Error"; -+static const struct dwxgmac3_error_desc dwxgmac3_dma_dpp_errors[32] = { -+ { true, "TDPES0", dpp_tx_err }, -+ { true, "TDPES1", dpp_tx_err }, -+ { true, "TDPES2", dpp_tx_err }, -+ { true, "TDPES3", dpp_tx_err }, -+ { true, "TDPES4", dpp_tx_err }, -+ { true, "TDPES5", dpp_tx_err }, -+ { true, "TDPES6", dpp_tx_err }, -+ { true, "TDPES7", dpp_tx_err }, -+ { true, "TDPES8", dpp_tx_err }, -+ { true, "TDPES9", dpp_tx_err }, -+ { true, "TDPES10", dpp_tx_err }, -+ { true, "TDPES11", dpp_tx_err }, -+ { true, "TDPES12", dpp_tx_err }, -+ { true, "TDPES13", dpp_tx_err }, -+ { true, "TDPES14", dpp_tx_err }, -+ { true, "TDPES15", dpp_tx_err }, -+ { true, "RDPES0", dpp_rx_err }, -+ { true, "RDPES1", dpp_rx_err }, -+ { true, "RDPES2", dpp_rx_err }, -+ { true, "RDPES3", dpp_rx_err }, -+ { true, "RDPES4", dpp_rx_err 
}, -+ { true, "RDPES5", dpp_rx_err }, -+ { true, "RDPES6", dpp_rx_err }, -+ { true, "RDPES7", dpp_rx_err }, -+ { true, "RDPES8", dpp_rx_err }, -+ { true, "RDPES9", dpp_rx_err }, -+ { true, "RDPES10", dpp_rx_err }, -+ { true, "RDPES11", dpp_rx_err }, -+ { true, "RDPES12", dpp_rx_err }, -+ { true, "RDPES13", dpp_rx_err }, -+ { true, "RDPES14", dpp_rx_err }, -+ { true, "RDPES15", dpp_rx_err }, -+}; -+ - static void dwxgmac3_handle_dma_err(struct net_device *ndev, - void __iomem *ioaddr, bool correctable, - struct stmmac_safety_stats *stats) -@@ -841,6 +878,13 @@ static void dwxgmac3_handle_dma_err(struct net_device *ndev, - - dwxgmac3_log_error(ndev, value, correctable, "DMA", - dwxgmac3_dma_errors, STAT_OFF(dma_errors), stats); -+ -+ value = readl(ioaddr + XGMAC_DMA_DPP_INT_STATUS); -+ writel(value, ioaddr + XGMAC_DMA_DPP_INT_STATUS); -+ -+ dwxgmac3_log_error(ndev, value, false, "DMA_DPP", -+ dwxgmac3_dma_dpp_errors, -+ STAT_OFF(dma_dpp_errors), stats); - } - - static int -@@ -881,6 +925,12 @@ dwxgmac3_safety_feat_config(void __iomem *ioaddr, unsigned int asp, - value |= XGMAC_TMOUTEN; /* FSM Timeout Feature */ - writel(value, ioaddr + XGMAC_MAC_FSM_CONTROL); - -+ /* 5. 
Enable Data Path Parity Protection */ -+ value = readl(ioaddr + XGMAC_MTL_DPP_CONTROL); -+ /* already enabled by default, explicit enable it again */ -+ value &= ~XGMAC_DDPP_DISABLE; -+ writel(value, ioaddr + XGMAC_MTL_DPP_CONTROL); -+ - return 0; - } - -@@ -914,7 +964,11 @@ static int dwxgmac3_safety_feat_irq_status(struct net_device *ndev, - ret |= !corr; - } - -- err = dma & (XGMAC_DEUIS | XGMAC_DECIS); -+ /* DMA_DPP_Interrupt_Status is indicated by MCSIS bit in -+ * DMA_Safety_Interrupt_Status, so we handle DMA Data Path -+ * Parity Errors here -+ */ -+ err = dma & (XGMAC_DEUIS | XGMAC_DECIS | XGMAC_MCSIS); - corr = dma & XGMAC_DECIS; - if (err) { - dwxgmac3_handle_dma_err(ndev, ioaddr, corr, stats); -@@ -930,6 +984,7 @@ static const struct dwxgmac3_error { - { dwxgmac3_mac_errors }, - { dwxgmac3_mtl_errors }, - { dwxgmac3_dma_errors }, -+ { dwxgmac3_dma_dpp_errors }, - }; - - static int dwxgmac3_safety_feat_dump(struct stmmac_safety_stats *stats, --- -2.43.2 - From 7af9b4dc0bee19cf3559c24e753bb85c038118c8 Mon Sep 17 00:00:00 2001 From: Benjamin Berg <benjamin.berg@intel.com> Date: Mon, 11 Dec 2023 09:05:28 +0200 Subject: [PATCH 023/129] wifi: cfg80211: consume both probe response and beacon IEs +Status: RO Content-Length: 1272 Lines: 33 
@@ -1654,340 +1452,11 @@ index b9da6f5152cb..f819ca3891fc 100644 -- 2.43.2 -From ce112c941c2b172afba3e913a90c380647d53975 Mon Sep 17 00:00:00 2001 -From: Johannes Berg <johannes.berg@intel.com> -Date: Mon, 29 Jan 2024 13:14:13 +0100 -Subject: [PATCH 024/129] wifi: cfg80211: detect stuck ECSA element in probe - resp -Content-Length: 4674 -Lines: 134 - -[ Upstream commit 177fbbcb4ed6b306c1626a277fac3fb1c495a4c7 ] - -We recently added some validation that we don't try to -connect to an AP that is currently in a channel switch -process, since that might want the channel to be quiet -or we might not be able to connect in time to hear the -switching in a beacon. This was in commit c09c4f31998b -("wifi: mac80211: don't connect to an AP while it's in -a CSA process"). - -However, we promptly got a report that this caused new -connection failures, and it turns out that the AP that -we now cannot connect to is permanently advertising an -extended channel switch announcement, even with quiet. -The AP in question was an Asus RT-AC53, with firmware -3.0.0.4.380_10760-g21a5898. - -As a first step, attempt to detect that we're dealing -with such a situation, so mac80211 can use this later. 
- -Reported-by: coldolt <andypalmadi@gmail.com> -Closes: https://lore.kernel.org/linux-wireless/CAJvGw+DQhBk_mHXeu6RTOds5iramMW2FbMB01VbKRA4YbHHDTA@mail.gmail.com/ -Fixes: c09c4f31998b ("wifi: mac80211: don't connect to an AP while it's in a CSA process") -Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com> -Link: https://msgid.link/20240129131413.246972c8775e.Ibf834d7f52f9951a353b6872383da710a7358338@changeid -Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - include/net/cfg80211.h | 4 +++ - net/wireless/scan.c | 59 +++++++++++++++++++++++++++++++++++++++++- - 2 files changed, 62 insertions(+), 1 deletion(-) - -diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h -index 4ecfb06c413d..8f2c48761833 100644 ---- a/include/net/cfg80211.h -+++ b/include/net/cfg80211.h -@@ -2865,6 +2865,8 @@ struct cfg80211_bss_ies { - * own the beacon_ies, but they're just pointers to the ones from the - * @hidden_beacon_bss struct) - * @proberesp_ies: the information elements from the last Probe Response frame -+ * @proberesp_ecsa_stuck: ECSA element is stuck in the Probe Response frame, -+ * cannot rely on it having valid data - * @hidden_beacon_bss: in case this BSS struct represents a probe response from - * a BSS that hides the SSID in its beacon, this points to the BSS struct - * that holds the beacon data. 
@beacon_ies is still valid, of course, and -@@ -2900,6 +2902,8 @@ struct cfg80211_bss { - u8 chains; - s8 chain_signal[IEEE80211_MAX_CHAINS]; - -+ u8 proberesp_ecsa_stuck:1; -+ - u8 bssid_index; - u8 max_bssid_indicator; - -diff --git a/net/wireless/scan.c b/net/wireless/scan.c -index f819ca3891fc..3f49f5c69916 100644 ---- a/net/wireless/scan.c -+++ b/net/wireless/scan.c -@@ -1725,6 +1725,61 @@ static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known, - } - } - -+static void cfg80211_check_stuck_ecsa(struct cfg80211_registered_device *rdev, -+ struct cfg80211_internal_bss *known, -+ const struct cfg80211_bss_ies *old) -+{ -+ const struct ieee80211_ext_chansw_ie *ecsa; -+ const struct element *elem_new, *elem_old; -+ const struct cfg80211_bss_ies *new, *bcn; -+ -+ if (known->pub.proberesp_ecsa_stuck) -+ return; -+ -+ new = rcu_dereference_protected(known->pub.proberesp_ies, -+ lockdep_is_held(&rdev->bss_lock)); -+ if (WARN_ON(!new)) -+ return; -+ -+ if (new->tsf - old->tsf < USEC_PER_SEC) -+ return; -+ -+ elem_old = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, -+ old->data, old->len); -+ if (!elem_old) -+ return; -+ -+ elem_new = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, -+ new->data, new->len); -+ if (!elem_new) -+ return; -+ -+ bcn = rcu_dereference_protected(known->pub.beacon_ies, -+ lockdep_is_held(&rdev->bss_lock)); -+ if (bcn && -+ cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, -+ bcn->data, bcn->len)) -+ return; -+ -+ if (elem_new->datalen != elem_old->datalen) -+ return; -+ if (elem_new->datalen < sizeof(struct ieee80211_ext_chansw_ie)) -+ return; -+ if (memcmp(elem_new->data, elem_old->data, elem_new->datalen)) -+ return; -+ -+ ecsa = (void *)elem_new->data; -+ -+ if (!ecsa->mode) -+ return; -+ -+ if (ecsa->new_ch_num != -+ ieee80211_frequency_to_channel(known->pub.channel->center_freq)) -+ return; -+ -+ known->pub.proberesp_ecsa_stuck = 1; -+} -+ - static bool - cfg80211_update_known_bss(struct cfg80211_registered_device 
*rdev, - struct cfg80211_internal_bss *known, -@@ -1744,8 +1799,10 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, - /* Override possible earlier Beacon frame IEs */ - rcu_assign_pointer(known->pub.ies, - new->pub.proberesp_ies); -- if (old) -+ if (old) { -+ cfg80211_check_stuck_ecsa(rdev, known, old); - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); -+ } - } - - if (rcu_access_pointer(new->pub.beacon_ies)) { --- -2.43.2 - -From ea88bde8e3fefbe4268f6991375dd629895a090a Mon Sep 17 00:00:00 2001 -From: Johannes Berg <johannes.berg@intel.com> -Date: Mon, 29 Jan 2024 13:14:14 +0100 -Subject: [PATCH 025/129] wifi: mac80211: improve CSA/ECSA connection refusal -Content-Length: 6443 -Lines: 179 - -[ Upstream commit 35e2385dbe787936c793d70755a5177d267a40aa ] - -As mentioned in the previous commit, we pretty quickly found -that some APs have ECSA elements stuck in their probe response, -so using that to not attempt to connect while CSA is happening -we never connect to such an AP. - -Improve this situation by checking more carefully and ignoring -the ECSA if cfg80211 has previously detected the ECSA element -being stuck in the probe response. - -Additionally, allow connecting to an AP that's switching to a -channel it's already using, unless it's using quiet mode. In -this case, we may just have to adjust bandwidth later. If it's -actually switching channels, it's better not to try to connect -in the middle of that. 
- -Reported-by: coldolt <andypalmadi@gmail.com> -Closes: https://lore.kernel.org/linux-wireless/CAJvGw+DQhBk_mHXeu6RTOds5iramMW2FbMB01VbKRA4YbHHDTA@mail.gmail.com/ -Fixes: c09c4f31998b ("wifi: mac80211: don't connect to an AP while it's in a CSA process") -Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com> -Link: https://msgid.link/20240129131413.cc2d0a26226e.I682c016af76e35b6c47007db50e8554c5a426910@changeid -Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - net/mac80211/mlme.c | 103 ++++++++++++++++++++++++++++++++------------ - 1 file changed, 76 insertions(+), 27 deletions(-) - -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c -index dcdaab19efbd..bbe36d87ac59 100644 ---- a/net/mac80211/mlme.c -+++ b/net/mac80211/mlme.c -@@ -7288,6 +7288,75 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata, - return err; - } - -+static bool ieee80211_mgd_csa_present(struct ieee80211_sub_if_data *sdata, -+ const struct cfg80211_bss_ies *ies, -+ u8 cur_channel, bool ignore_ecsa) -+{ -+ const struct element *csa_elem, *ecsa_elem; -+ struct ieee80211_channel_sw_ie *csa = NULL; -+ struct ieee80211_ext_chansw_ie *ecsa = NULL; -+ -+ if (!ies) -+ return false; -+ -+ csa_elem = cfg80211_find_elem(WLAN_EID_CHANNEL_SWITCH, -+ ies->data, ies->len); -+ if (csa_elem && csa_elem->datalen == sizeof(*csa)) -+ csa = (void *)csa_elem->data; -+ -+ ecsa_elem = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, -+ ies->data, ies->len); -+ if (ecsa_elem && ecsa_elem->datalen == sizeof(*ecsa)) -+ ecsa = (void *)ecsa_elem->data; -+ -+ if (csa && csa->count == 0) -+ csa = NULL; -+ if (csa && !csa->mode && csa->new_ch_num == cur_channel) -+ csa = NULL; -+ -+ if (ecsa && ecsa->count == 0) -+ ecsa = NULL; -+ if (ecsa && !ecsa->mode && ecsa->new_ch_num == cur_channel) -+ ecsa = NULL; -+ -+ if (ignore_ecsa && ecsa) { -+ sdata_info(sdata, -+ "Ignoring ECSA in probe response - was considered 
stuck!\n"); -+ return csa; -+ } -+ -+ return csa || ecsa; -+} -+ -+static bool ieee80211_mgd_csa_in_process(struct ieee80211_sub_if_data *sdata, -+ struct cfg80211_bss *bss) -+{ -+ u8 cur_channel; -+ bool ret; -+ -+ cur_channel = ieee80211_frequency_to_channel(bss->channel->center_freq); -+ -+ rcu_read_lock(); -+ if (ieee80211_mgd_csa_present(sdata, -+ rcu_dereference(bss->beacon_ies), -+ cur_channel, false)) { -+ ret = true; -+ goto out; -+ } -+ -+ if (ieee80211_mgd_csa_present(sdata, -+ rcu_dereference(bss->proberesp_ies), -+ cur_channel, bss->proberesp_ecsa_stuck)) { -+ ret = true; -+ goto out; -+ } -+ -+ ret = false; -+out: -+ rcu_read_unlock(); -+ return ret; -+} -+ - /* config hooks */ - int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, - struct cfg80211_auth_request *req) -@@ -7296,7 +7365,6 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, - struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; - struct ieee80211_mgd_auth_data *auth_data; - struct ieee80211_link_data *link; -- const struct element *csa_elem, *ecsa_elem; - u16 auth_alg; - int err; - bool cont_auth; -@@ -7339,21 +7407,10 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, - if (ifmgd->assoc_data) - return -EBUSY; - -- rcu_read_lock(); -- csa_elem = ieee80211_bss_get_elem(req->bss, WLAN_EID_CHANNEL_SWITCH); -- ecsa_elem = ieee80211_bss_get_elem(req->bss, -- WLAN_EID_EXT_CHANSWITCH_ANN); -- if ((csa_elem && -- csa_elem->datalen == sizeof(struct ieee80211_channel_sw_ie) && -- ((struct ieee80211_channel_sw_ie *)csa_elem->data)->count != 0) || -- (ecsa_elem && -- ecsa_elem->datalen == sizeof(struct ieee80211_ext_chansw_ie) && -- ((struct ieee80211_ext_chansw_ie *)ecsa_elem->data)->count != 0)) { -- rcu_read_unlock(); -+ if (ieee80211_mgd_csa_in_process(sdata, req->bss)) { - sdata_info(sdata, "AP is in CSA process, reject auth\n"); - return -EINVAL; - } -- rcu_read_unlock(); - - auth_data = kzalloc(sizeof(*auth_data) + req->auth_data_len + - req->ie_len, GFP_KERNEL); 
-@@ -7662,7 +7719,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata, - struct ieee80211_local *local = sdata->local; - struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; - struct ieee80211_mgd_assoc_data *assoc_data; -- const struct element *ssid_elem, *csa_elem, *ecsa_elem; -+ const struct element *ssid_elem; - struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg; - ieee80211_conn_flags_t conn_flags = 0; - struct ieee80211_link_data *link; -@@ -7685,23 +7742,15 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata, - - cbss = req->link_id < 0 ? req->bss : req->links[req->link_id].bss; - -- rcu_read_lock(); -- ssid_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_SSID); -- if (!ssid_elem || ssid_elem->datalen > sizeof(assoc_data->ssid)) { -- rcu_read_unlock(); -+ if (ieee80211_mgd_csa_in_process(sdata, cbss)) { -+ sdata_info(sdata, "AP is in CSA process, reject assoc\n"); - kfree(assoc_data); - return -EINVAL; - } - -- csa_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_CHANNEL_SWITCH); -- ecsa_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_EXT_CHANSWITCH_ANN); -- if ((csa_elem && -- csa_elem->datalen == sizeof(struct ieee80211_channel_sw_ie) && -- ((struct ieee80211_channel_sw_ie *)csa_elem->data)->count != 0) || -- (ecsa_elem && -- ecsa_elem->datalen == sizeof(struct ieee80211_ext_chansw_ie) && -- ((struct ieee80211_ext_chansw_ie *)ecsa_elem->data)->count != 0)) { -- sdata_info(sdata, "AP is in CSA process, reject assoc\n"); -+ rcu_read_lock(); -+ ssid_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_SSID); -+ if (!ssid_elem || ssid_elem->datalen > sizeof(assoc_data->ssid)) { - rcu_read_unlock(); - kfree(assoc_data); - return -EINVAL; --- -2.43.2 - From c255c3b653c6e8b52ac658c305e2fece2825f7ad Mon Sep 17 00:00:00 2001 From: Johannes Berg <johannes.berg@intel.com> Date: Mon, 29 Jan 2024 15:53:48 +0100 Subject: [PATCH 026/129] wifi: mac80211: fix RCU use in TDLS fast-xmit +Status: RO Content-Length: 1216 Lines: 34 @@ -2031,6 +1500,7 @@ 
From: Johannes Berg <johannes.berg@intel.com> Date: Mon, 29 Jan 2024 19:57:30 +0100 Subject: [PATCH 027/129] wifi: mac80211: fix unsolicited broadcast probe config +Status: RO Content-Length: 2735 Lines: 75 @@ -2114,6 +1584,7 @@ From 1c91546bb78b59d838ae64525059d38d24c3b1e1 Mon Sep 17 00:00:00 2001 From: Johannes Berg <johannes.berg@intel.com> Date: Wed, 31 Jan 2024 16:48:56 +0100 Subject: [PATCH 028/129] wifi: mac80211: fix waiting for beacons logic +Status: RO Content-Length: 995 Lines: 29 @@ -2151,6 +1622,7 @@ From 2bedd9a21716455e6398fa3f663248688152e6cc Mon Sep 17 00:00:00 2001 From: Miri Korenblit <miriam.rachel.korenblit@intel.com> Date: Thu, 1 Feb 2024 16:17:39 +0200 Subject: [PATCH 029/129] wifi: iwlwifi: exit eSR only after the FW does +Status: RO Content-Length: 2110 Lines: 52 @@ -2212,6 +1684,7 @@ From: Kees Cook <keescook@chromium.org> Date: Fri, 26 Jan 2024 14:31:53 -0800 Subject: [PATCH 030/129] wifi: brcmfmac: Adjust n_channels usage for __counted_by +Status: RO Content-Length: 2594 Lines: 57 
@@ -2273,236 +1746,11 @@ index 667462369a32..44cea18dd20e 100644 -- 2.43.2 -From d91964cdada76740811b7c621239f9c407820dbc Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Thu, 1 Feb 2024 17:53:24 +0000 -Subject: [PATCH 031/129] netdevsim: avoid potential loop in - nsim_dev_trap_report_work() -Content-Length: 4593 -Lines: 95 - -[ Upstream commit ba5e1272142d051dcc57ca1d3225ad8a089f9858 ] - -Many syzbot reports include the following trace [1] - -If nsim_dev_trap_report_work() can not grab the mutex, -it should rearm itself at least one jiffie later. - -[1] -Sending NMI from CPU 1 to CPUs 0: -NMI backtrace for cpu 0 -CPU: 0 PID: 32383 Comm: kworker/0:2 Not tainted 6.8.0-rc2-syzkaller-00031-g861c0981648f #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 -Workqueue: events nsim_dev_trap_report_work - RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:89 [inline] - RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline] - RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline] - RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline] - RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline] - RIP: 0010:kasan_check_range+0x101/0x190 mm/kasan/generic.c:189 -Code: 07 49 39 d1 75 0a 45 3a 11 b8 01 00 00 00 7c 0b 44 89 c2 e8 21 ed ff ff 83 f0 01 5b 5d 41 5c c3 48 85 d2 74 4f 48 01 ea eb 09 <48> 83 c0 01 48 39 d0 74 41 80 38 00 74 f2 eb b6 41 bc 08 00 00 00 -RSP: 0018:ffffc90012dcf998 EFLAGS: 00000046 -RAX: fffffbfff258af1e RBX: fffffbfff258af1f RCX: ffffffff8168eda3 -RDX: fffffbfff258af1f RSI: 0000000000000004 RDI: ffffffff92c578f0 -RBP: fffffbfff258af1e R08: 0000000000000000 R09: fffffbfff258af1e -R10: ffffffff92c578f3 R11: ffffffff8acbcbc0 R12: 0000000000000002 -R13: ffff88806db38400 R14: 1ffff920025b9f42 R15: ffffffff92c578e8 -FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 000000c00994e078 CR3: 
000000002c250000 CR4: 00000000003506f0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - <NMI> - </NMI> - <TASK> - instrument_atomic_read include/linux/instrumented.h:68 [inline] - atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] - queued_spin_is_locked include/asm-generic/qspinlock.h:57 [inline] - debug_spin_unlock kernel/locking/spinlock_debug.c:101 [inline] - do_raw_spin_unlock+0x53/0x230 kernel/locking/spinlock_debug.c:141 - __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:150 [inline] - _raw_spin_unlock_irqrestore+0x22/0x70 kernel/locking/spinlock.c:194 - debug_object_activate+0x349/0x540 lib/debugobjects.c:726 - debug_work_activate kernel/workqueue.c:578 [inline] - insert_work+0x30/0x230 kernel/workqueue.c:1650 - __queue_work+0x62e/0x11d0 kernel/workqueue.c:1802 - __queue_delayed_work+0x1bf/0x270 kernel/workqueue.c:1953 - queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1989 - queue_delayed_work include/linux/workqueue.h:563 [inline] - schedule_delayed_work include/linux/workqueue.h:677 [inline] - nsim_dev_trap_report_work+0x9c0/0xc80 drivers/net/netdevsim/dev.c:842 - process_one_work+0x886/0x15d0 kernel/workqueue.c:2633 - process_scheduled_works kernel/workqueue.c:2706 [inline] - worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787 - kthread+0x2c6/0x3a0 kernel/kthread.c:388 - ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 - ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 - </TASK> - -Fixes: 012ec02ae441 ("netdevsim: convert driver to use unlocked devlink API during init/fini") -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reviewed-by: Jiri Pirko <jiri@nvidia.com> -Link: https://lore.kernel.org/r/20240201175324.3752746-1-edumazet@google.com -Signed-off-by: Jakub Kicinski <kuba@kernel.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - 
drivers/net/netdevsim/dev.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c -index b4d3b9cde8bd..92a7a36b93ac 100644 ---- a/drivers/net/netdevsim/dev.c -+++ b/drivers/net/netdevsim/dev.c -@@ -835,14 +835,14 @@ static void nsim_dev_trap_report_work(struct work_struct *work) - trap_report_dw.work); - nsim_dev = nsim_trap_data->nsim_dev; - -- /* For each running port and enabled packet trap, generate a UDP -- * packet with a random 5-tuple and report it. -- */ - if (!devl_trylock(priv_to_devlink(nsim_dev))) { -- schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, 0); -+ schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, 1); - return; - } - -+ /* For each running port and enabled packet trap, generate a UDP -+ * packet with a random 5-tuple and report it. -+ */ - list_for_each_entry(nsim_dev_port, &nsim_dev->port_list, list) { - if (!netif_running(nsim_dev_port->ns->netdev)) - continue; --- -2.43.2 - -From e42e334c645575be5432adee224975d4f536fdb1 Mon Sep 17 00:00:00 2001 -From: Ivan Vecera <ivecera@redhat.com> -Date: Thu, 1 Feb 2024 10:47:51 +0100 -Subject: [PATCH 032/129] net: atlantic: Fix DMA mapping for PTP hwts ring -Content-Length: 4621 -Lines: 114 - -[ Upstream commit 2e7d3b67630dfd8f178c41fa2217aa00e79a5887 ] - -Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes -for PTP HWTS ring but then generic aq_ring_free() does not take this -into account. -Create and use a specific function to free HWTS ring to fix this -issue. - -Trace: -[ 215.351607] ------------[ cut here ]------------ -[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes] -[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360 -... -[ 215.581176] Call Trace: -[ 215.583632] <TASK> -[ 215.585745] ? 
show_trace_log_lvl+0x1c4/0x2df -[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df -[ 215.594497] ? debug_dma_free_coherent+0x196/0x210 -[ 215.599305] ? check_unmap+0xa6f/0x2360 -[ 215.603147] ? __warn+0xca/0x1d0 -[ 215.606391] ? check_unmap+0xa6f/0x2360 -[ 215.610237] ? report_bug+0x1ef/0x370 -[ 215.613921] ? handle_bug+0x3c/0x70 -[ 215.617423] ? exc_invalid_op+0x14/0x50 -[ 215.621269] ? asm_exc_invalid_op+0x16/0x20 -[ 215.625480] ? check_unmap+0xa6f/0x2360 -[ 215.629331] ? mark_lock.part.0+0xca/0xa40 -[ 215.633445] debug_dma_free_coherent+0x196/0x210 -[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10 -[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0 -[ 215.648060] dma_free_attrs+0x6d/0x130 -[ 215.651834] aq_ring_free+0x193/0x290 [atlantic] -[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic] -... -[ 216.127540] ---[ end trace 6467e5964dd2640b ]--- -[ 216.132160] DMA-API: Mapped at: -[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0 -[ 216.132165] dma_alloc_attrs+0xf5/0x1b0 -[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic] -[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic] -[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic] - -Fixes: 94ad94558b0f ("net: aquantia: add PTP rings infrastructure") -Signed-off-by: Ivan Vecera <ivecera@redhat.com> -Reviewed-by: Jiri Pirko <jiri@nvidia.com> -Link: https://lore.kernel.org/r/20240201094752.883026-1-ivecera@redhat.com -Signed-off-by: Jakub Kicinski <kuba@kernel.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - drivers/net/ethernet/aquantia/atlantic/aq_ptp.c | 4 ++-- - drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 +++++++++++++ - drivers/net/ethernet/aquantia/atlantic/aq_ring.h | 1 + - 3 files changed, 16 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c b/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c -index abd4832e4ed2..5acb3e16b567 100644 ---- a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c -+++ 
b/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c -@@ -993,7 +993,7 @@ int aq_ptp_ring_alloc(struct aq_nic_s *aq_nic) - return 0; - - err_exit_hwts_rx: -- aq_ring_free(&aq_ptp->hwts_rx); -+ aq_ring_hwts_rx_free(&aq_ptp->hwts_rx); - err_exit_ptp_rx: - aq_ring_free(&aq_ptp->ptp_rx); - err_exit_ptp_tx: -@@ -1011,7 +1011,7 @@ void aq_ptp_ring_free(struct aq_nic_s *aq_nic) - - aq_ring_free(&aq_ptp->ptp_tx); - aq_ring_free(&aq_ptp->ptp_rx); -- aq_ring_free(&aq_ptp->hwts_rx); -+ aq_ring_hwts_rx_free(&aq_ptp->hwts_rx); - - aq_ptp_skb_ring_release(&aq_ptp->skb_ring); - } -diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c -index cda8597b4e14..f7433abd6591 100644 ---- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c -+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c -@@ -919,6 +919,19 @@ void aq_ring_free(struct aq_ring_s *self) - } - } - -+void aq_ring_hwts_rx_free(struct aq_ring_s *self) -+{ -+ if (!self) -+ return; -+ -+ if (self->dx_ring) { -+ dma_free_coherent(aq_nic_get_dev(self->aq_nic), -+ self->size * self->dx_size + AQ_CFG_RXDS_DEF, -+ self->dx_ring, self->dx_ring_pa); -+ self->dx_ring = NULL; -+ } -+} -+ - unsigned int aq_ring_fill_stats_data(struct aq_ring_s *self, u64 *data) - { - unsigned int count; -diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.h b/drivers/net/ethernet/aquantia/atlantic/aq_ring.h -index 52847310740a..d627ace850ff 100644 ---- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.h -+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.h -@@ -210,6 +210,7 @@ int aq_ring_rx_fill(struct aq_ring_s *self); - int aq_ring_hwts_rx_alloc(struct aq_ring_s *self, - struct aq_nic_s *aq_nic, unsigned int idx, - unsigned int size, unsigned int dx_size); -+void aq_ring_hwts_rx_free(struct aq_ring_s *self); - void aq_ring_hwts_rx_clean(struct aq_ring_s *self, struct aq_nic_s *aq_nic); - - unsigned int aq_ring_fill_stats_data(struct aq_ring_s *self, u64 *data); --- -2.43.2 - 
From ac031e564f14f5d0f28efffb05571b4ee9eefba7 Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni@redhat.com> Date: Thu, 1 Feb 2024 19:42:38 +0100 Subject: [PATCH 033/129] selftests: net: cut more slack for gro fwd tests. +Status: RO Content-Length: 3860 Lines: 92 @@ -2604,6 +1852,7 @@ From: Hangbin Liu <liuhangbin@gmail.com> Date: Sat, 2 Dec 2023 10:01:10 +0800 Subject: [PATCH 034/129] selftests/net: convert unicast_extensions.sh to run it in unique namespace +Status: RO Content-Length: 7127 Lines: 178 @@ -2791,6 +2040,7 @@ From: Hangbin Liu <liuhangbin@gmail.com> Date: Tue, 19 Dec 2023 17:48:55 +0800 Subject: [PATCH 035/129] selftests/net: convert pmtu.sh to run it in unique namespace +Status: RO Content-Length: 3546 Lines: 100 @@ -2900,6 +2150,7 @@ From: Yujie Liu <yujie.liu@intel.com> Date: Fri, 29 Dec 2023 21:19:31 +0800 Subject: [PATCH 036/129] selftests/net: change shebang to bash to support "source" +Status: RO Content-Length: 3194 Lines: 81 @@ -2989,6 +2240,7 @@ From 2840519e9d1c2835ac1368a38188f5dbe3db4380 Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni@redhat.com> Date: Thu, 1 Feb 2024 19:42:40 +0100 Subject: [PATCH 037/129] selftests: net: fix tcp listener handling in pmtu.sh +Status: RO Content-Length: 2035 Lines: 56 @@ -3053,6 +2305,7 @@ From 368909664eb604d7fc9bcccd74e25e486c1f2f37 Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni@redhat.com> Date: Thu, 1 Feb 2024 19:42:41 +0100 Subject: [PATCH 038/129] selftests: net: avoid just another constant wait +Status: RO Content-Length: 2024 Lines: 61 @@ -3122,6 +2375,7 @@ From f2e31907efed54a65ec4a3531896b5dba7437a5a Mon Sep 17 00:00:00 2001 From: Gerhard Engleder <gerhard@engleder-embedded.com> Date: Wed, 31 Jan 2024 21:14:13 +0100 Subject: [PATCH 039/129] tsnep: Fix mapping for zero copy XDP_TX action +Status: RO Content-Length: 2806 Lines: 76 
@@ -3202,65 +2456,11 @@ index 9aeff2b37a61..64eadd320798 100644 -- 2.43.2 -From 7dc9feb8b1705cf00de20563b6bc4831f4c99dab Mon Sep 17 00:00:00 2001 -From: Antoine Tenart <atenart@kernel.org> -Date: Thu, 1 Feb 2024 09:38:15 +0100 -Subject: [PATCH 040/129] tunnels: fix out of bounds access when building IPv6 - PMTU error -Content-Length: 1576 -Lines: 46 - -[ Upstream commit d75abeec401f8c86b470e7028a13fcdc87e5dd06 ] - -If the ICMPv6 error is built from a non-linear skb we get the following -splat, - - BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240 - Read of size 4 at addr ffff88811d402c80 by task netperf/820 - CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543 - ... - kasan_report+0xd8/0x110 - do_csum+0x220/0x240 - csum_partial+0xc/0x20 - skb_tunnel_check_pmtu+0xeb9/0x3280 - vxlan_xmit_one+0x14c2/0x4080 - vxlan_xmit+0xf61/0x5c00 - dev_hard_start_xmit+0xfb/0x510 - __dev_queue_xmit+0x7cd/0x32a0 - br_dev_queue_push_xmit+0x39d/0x6a0 - -Use skb_checksum instead of csum_partial who cannot deal with non-linear -SKBs. - -Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets") -Signed-off-by: Antoine Tenart <atenart@kernel.org> -Reviewed-by: Jiri Pirko <jiri@nvidia.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - net/ipv4/ip_tunnel_core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c -index 586b1b3e35b8..80ccd6661aa3 100644 ---- a/net/ipv4/ip_tunnel_core.c -+++ b/net/ipv4/ip_tunnel_core.c -@@ -332,7 +332,7 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu) - }; - skb_reset_network_header(skb); - -- csum = csum_partial(icmp6h, len, 0); -+ csum = skb_checksum(skb, skb_transport_offset(skb), len, 0); - icmp6h->icmp6_cksum = csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr, len, - IPPROTO_ICMPV6, csum); - --- -2.43.2 - 
From c267f6347b19b860f72897f0ca655b6b5bd1e6ac Mon Sep 17 00:00:00 2001 From: Zhipeng Lu <alexious@zju.edu.cn> Date: Thu, 1 Feb 2024 20:41:05 +0800 Subject: [PATCH 041/129] atm: idt77252: fix a memleak in open_card_ubr0 +Status: RO Content-Length: 1080 Lines: 38 @@ -3307,6 +2507,7 @@ From 1731cb9650d2a21136a336c5d99359991fb4bfb9 Mon Sep 17 00:00:00 2001 From: Zhipeng Lu <alexious@zju.edu.cn> Date: Thu, 1 Feb 2024 20:47:13 +0800 Subject: [PATCH 042/129] octeontx2-pf: Fix a memleak otx2_sq_init +Status: RO Content-Length: 1511 Lines: 49 @@ -3364,6 +2565,7 @@ From 8083fdfaa543802beccd768a02c9d0456e6ec7f7 Mon Sep 17 00:00:00 2001 From: Loic Prylli <lprylli@netflix.com> Date: Fri, 3 Nov 2023 11:30:55 +0100 Subject: [PATCH 043/129] hwmon: (aspeed-pwm-tacho) mutex for tach reading +Status: RO Content-Length: 2093 Lines: 57 
@@ -3425,63 +2627,12 @@ index 997df4b40509..b2ae2176f11f 100644 -- 2.43.2 -From 3a7753bda55985dc26fae17795cb10d825453ad1 Mon Sep 17 00:00:00 2001 -From: Zhang Rui <rui.zhang@intel.com> -Date: Fri, 2 Feb 2024 17:21:34 +0800 -Subject: [PATCH 044/129] hwmon: (coretemp) Fix out-of-bounds memory access -Content-Length: 1451 -Lines: 44 - -[ Upstream commit 4e440abc894585a34c2904a32cd54af1742311b3 ] - -Fix a bug that pdata->cpu_map[] is set before out-of-bounds check. -The problem might be triggered on systems with more than 128 cores per -package. - -Fixes: 7108b80a542b ("hwmon/coretemp: Handle large core ID value") -Signed-off-by: Zhang Rui <rui.zhang@intel.com> -Cc: <stable@vger.kernel.org> -Link: https://lore.kernel.org/r/20240202092144.71180-2-rui.zhang@intel.com -Signed-off-by: Guenter Roeck <linux@roeck-us.net> -Stable-dep-of: fdaf0c8629d4 ("hwmon: (coretemp) Fix bogus core_id to attr name mapping") -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - drivers/hwmon/coretemp.c | 8 ++------ - 1 file changed, 2 insertions(+), 6 deletions(-) - -diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c -index ba82d1e79c13..e78c76919111 100644 ---- a/drivers/hwmon/coretemp.c -+++ b/drivers/hwmon/coretemp.c -@@ -509,18 +509,14 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu, - if (pkg_flag) { - attr_no = PKG_SYSFS_ATTR_NO; - } else { -- index = ida_alloc(&pdata->ida, GFP_KERNEL); -+ index = ida_alloc_max(&pdata->ida, NUM_REAL_CORES - 1, GFP_KERNEL); - if (index < 0) - return index; -+ - pdata->cpu_map[index] = topology_core_id(cpu); - attr_no = index + BASE_SYSFS_ATTR_NO; - } - -- if (attr_no > MAX_CORE_DATA - 1) { -- err = -ERANGE; -- goto ida_free; -- } -- - tdata = init_temp_data(cpu, pkg_flag); - if (!tdata) { - err = -ENOMEM; --- -2.43.2 - From 8b8cbb0659ab055ebfa6f05bd9f658288dac84af Mon Sep 17 00:00:00 2001 
From: Zhang Rui <rui.zhang@intel.com> Date: Fri, 2 Feb 2024 17:21:35 +0800 Subject: [PATCH 045/129] hwmon: (coretemp) Fix bogus core_id to attr name mapping +Status: RO Content-Length: 4974 Lines: 143 @@ -3629,57 +2780,12 @@ index e78c76919111..95f4c0b00b2d 100644 -- 2.43.2 -From 307fa8a75ab7423fa5c73573ec3d192de5027830 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Fri, 2 Feb 2024 09:54:04 +0000 -Subject: [PATCH 046/129] inet: read sk->sk_family once in inet_recv_error() -Content-Length: 1282 -Lines: 38 - -[ Upstream commit eef00a82c568944f113f2de738156ac591bbd5cd ] - -inet_recv_error() is called without holding the socket lock. - -IPv6 socket could mutate to IPv4 with IPV6_ADDRFORM -socket option and trigger a KCSAN warning. - -Fixes: f4713a3dfad0 ("net-timestamp: make tcp_recvmsg call ipv6_recv_error for AF_INET6 socks") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Cc: Willem de Bruijn <willemb@google.com> -Reviewed-by: Willem de Bruijn <willemb@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - net/ipv4/af_inet.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c -index 1c58bd72e124..e59962f34caa 100644 ---- a/net/ipv4/af_inet.c -+++ b/net/ipv4/af_inet.c -@@ -1628,10 +1628,12 @@ EXPORT_SYMBOL(inet_current_timestamp); - - int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) - { -- if (sk->sk_family == AF_INET) -+ unsigned int family = READ_ONCE(sk->sk_family); -+ -+ if (family == AF_INET) - return ip_recv_error(sk, msg, len, addr_len); - #if IS_ENABLED(CONFIG_IPV6) -- if (sk->sk_family == AF_INET6) -+ if (family == AF_INET6) - return pingv6_ops.ipv6_recv_error(sk, msg, len, addr_len); - #endif - return -EINVAL; --- -2.43.2 - From 86e0a0975ff731992a66f6bdb6cfc02eb11d6700 Mon Sep 17 00:00:00 2001 
From: Dan Carpenter <dan.carpenter@linaro.org> Date: Fri, 26 Jan 2024 11:41:47 +0300 Subject: [PATCH 047/129] drm/i915/gvt: Fix uninitialized variable in handle_mmio() +Status: RO Content-Length: 1446 Lines: 33 
@@ -3717,376 +2823,12 @@ index a9f7fa9b90bd..d30f8814d9b1 100644 -- 2.43.2 -From 4adeeff8c12321cd453412a659c3c0eeb9bb2397 Mon Sep 17 00:00:00 2001 -From: Ard Biesheuvel <ardb@kernel.org> -Date: Mon, 5 Feb 2024 09:11:07 +0100 -Subject: [PATCH 048/129] x86/efistub: Use 1:1 file:memory mapping for PE/COFF - .compat section -Content-Length: 3711 -Lines: 112 - -[ Upstream commit 1ad55cecf22f05f1c884adf63cc09d3c3e609ebf ] - -The .compat section is a dummy PE section that contains the address of -the 32-bit entrypoint of the 64-bit kernel image if it is bootable from -32-bit firmware (i.e., CONFIG_EFI_MIXED=y) - -This section is only 8 bytes in size and is only referenced from the -loader, and so it is placed at the end of the memory view of the image, -to avoid the need for padding it to 4k, which is required for sections -appearing in the middle of the image. - -Unfortunately, this violates the PE/COFF spec, and even if most EFI -loaders will work correctly (including the Tianocore reference -implementation), PE loaders do exist that reject such images, on the -basis that both the file and memory views of the file contents should be -described by the section headers in a monotonically increasing manner -without leaving any gaps. - -So reorganize the sections to avoid this issue. 
This results in a slight -padding overhead (< 4k) which can be avoided if desired by disabling -CONFIG_EFI_MIXED (which is only needed in rare cases these days) - -Fixes: 3e3eabe26dc8 ("x86/boot: Increase section and file alignment to 4k/512") -Reported-by: Mike Beaton <mjsbeaton@gmail.com> -Link: https://lkml.kernel.org/r/CAHzAAWQ6srV6LVNdmfbJhOwhBw5ZzxxZZ07aHt9oKkfYAdvuQQ%40mail.gmail.com -Signed-off-by: Ard Biesheuvel <ardb@kernel.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - arch/x86/boot/header.S | 14 ++++++-------- - arch/x86/boot/setup.ld | 6 +++--- - 2 files changed, 9 insertions(+), 11 deletions(-) - -diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S -index b2771710ed98..a1bbedd989e4 100644 ---- a/arch/x86/boot/header.S -+++ b/arch/x86/boot/header.S -@@ -106,8 +106,7 @@ extra_header_fields: - .word 0 # MinorSubsystemVersion - .long 0 # Win32VersionValue - -- .long setup_size + ZO__end + pecompat_vsize -- # SizeOfImage -+ .long setup_size + ZO__end # SizeOfImage - - .long salign # SizeOfHeaders - .long 0 # CheckSum -@@ -143,7 +142,7 @@ section_table: - .ascii ".setup" - .byte 0 - .byte 0 -- .long setup_size - salign # VirtualSize -+ .long pecompat_fstart - salign # VirtualSize - .long salign # VirtualAddress - .long pecompat_fstart - salign # SizeOfRawData - .long salign # PointerToRawData -@@ -156,8 +155,8 @@ section_table: - #ifdef CONFIG_EFI_MIXED - .asciz ".compat" - -- .long 8 # VirtualSize -- .long setup_size + ZO__end # VirtualAddress -+ .long pecompat_fsize # VirtualSize -+ .long pecompat_fstart # VirtualAddress - .long pecompat_fsize # SizeOfRawData - .long pecompat_fstart # PointerToRawData - -@@ -172,17 +171,16 @@ section_table: - * modes this image supports. 
- */ - .pushsection ".pecompat", "a", @progbits -- .balign falign -- .set pecompat_vsize, salign -+ .balign salign - .globl pecompat_fstart - pecompat_fstart: - .byte 0x1 # Version - .byte 8 # Size - .word IMAGE_FILE_MACHINE_I386 # PE machine type - .long setup_size + ZO_efi32_pe_entry # Entrypoint -+ .byte 0x0 # Sentinel - .popsection - #else -- .set pecompat_vsize, 0 - .set pecompat_fstart, setup_size - #endif - .ascii ".text" -diff --git a/arch/x86/boot/setup.ld b/arch/x86/boot/setup.ld -index 83bb7efad8ae..3a2d1360abb0 100644 ---- a/arch/x86/boot/setup.ld -+++ b/arch/x86/boot/setup.ld -@@ -24,6 +24,9 @@ SECTIONS - .text : { *(.text .text.*) } - .text32 : { *(.text32) } - -+ .pecompat : { *(.pecompat) } -+ PROVIDE(pecompat_fsize = setup_size - pecompat_fstart); -+ - . = ALIGN(16); - .rodata : { *(.rodata*) } - -@@ -36,9 +39,6 @@ SECTIONS - . = ALIGN(16); - .data : { *(.data*) } - -- .pecompat : { *(.pecompat) } -- PROVIDE(pecompat_fsize = setup_size - pecompat_fstart); -- - .signature : { - setup_sig = .; - LONG(0x5a5aaa55) --- -2.43.2 - -From edc8201823e93db7d17726c335a725815aa7d551 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Fri, 2 Feb 2024 15:19:13 +0000 -Subject: [PATCH 049/129] rxrpc: Fix generation of serial numbers to skip zero -Content-Length: 5951 -Lines: 161 - -[ Upstream commit f31041417bf7f4a4df8b3bfb52cb31bbe805b934 ] - -In the Rx protocol, every packet generated is marked with a per-connection -monotonically increasing serial number. This number can be referenced in -an ACK packet generated in response to an incoming packet - thereby -allowing the sender to use this for RTT determination, amongst other -things. - -However, if the reference field in the ACK is zero, it doesn't refer to any -incoming packet (it could be a ping to find out if a packet got lost, for -example) - so we shouldn't generate zero serial numbers. - -Fix the generation of serial numbers to retry if it comes up with a zero. 
- -Furthermore, since the serial numbers are only ever allocated within the -I/O thread this connection is bound to, there's no need for atomics so -remove that too. - -Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") -Signed-off-by: David Howells <dhowells@redhat.com> -cc: Marc Dionne <marc.dionne@auristor.com> -cc: "David S. Miller" <davem@davemloft.net> -cc: Eric Dumazet <edumazet@google.com> -cc: Jakub Kicinski <kuba@kernel.org> -cc: Paolo Abeni <pabeni@redhat.com> -cc: linux-afs@lists.infradead.org -cc: netdev@vger.kernel.org -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - net/rxrpc/ar-internal.h | 16 +++++++++++++++- - net/rxrpc/conn_event.c | 2 +- - net/rxrpc/output.c | 8 ++++---- - net/rxrpc/proc.c | 2 +- - net/rxrpc/rxkad.c | 4 ++-- - 5 files changed, 23 insertions(+), 9 deletions(-) - -diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h -index 5d5b19f20d1e..efbe82926769 100644 ---- a/net/rxrpc/ar-internal.h -+++ b/net/rxrpc/ar-internal.h -@@ -507,7 +507,7 @@ struct rxrpc_connection { - enum rxrpc_call_completion completion; /* Completion condition */ - s32 abort_code; /* Abort code of connection abort */ - int debug_id; /* debug ID for printks */ -- atomic_t serial; /* packet serial number counter */ -+ rxrpc_serial_t tx_serial; /* Outgoing packet serial number counter */ - unsigned int hi_serial; /* highest serial number received */ - u32 service_id; /* Service ID, possibly upgraded */ - u32 security_level; /* Security level selected */ -@@ -819,6 +819,20 @@ static inline bool rxrpc_sending_to_client(const struct rxrpc_txbuf *txb) - - #include <trace/events/rxrpc.h> - -+/* -+ * Allocate the next serial number on a connection. 0 must be skipped. 
-+ */ -+static inline rxrpc_serial_t rxrpc_get_next_serial(struct rxrpc_connection *conn) -+{ -+ rxrpc_serial_t serial; -+ -+ serial = conn->tx_serial; -+ if (serial == 0) -+ serial = 1; -+ conn->tx_serial = serial + 1; -+ return serial; -+} -+ - /* - * af_rxrpc.c - */ -diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c -index 95f4bc206b3d..ec5eae60ab0c 100644 ---- a/net/rxrpc/conn_event.c -+++ b/net/rxrpc/conn_event.c -@@ -117,7 +117,7 @@ void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn, - iov[2].iov_base = &ack_info; - iov[2].iov_len = sizeof(ack_info); - -- serial = atomic_inc_return(&conn->serial); -+ serial = rxrpc_get_next_serial(conn); - - pkt.whdr.epoch = htonl(conn->proto.epoch); - pkt.whdr.cid = htonl(conn->proto.cid | channel); -diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c -index a0906145e829..4a292f860ae3 100644 ---- a/net/rxrpc/output.c -+++ b/net/rxrpc/output.c -@@ -216,7 +216,7 @@ int rxrpc_send_ack_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb) - iov[0].iov_len = sizeof(txb->wire) + sizeof(txb->ack) + n; - len = iov[0].iov_len; - -- serial = atomic_inc_return(&conn->serial); -+ serial = rxrpc_get_next_serial(conn); - txb->wire.serial = htonl(serial); - trace_rxrpc_tx_ack(call->debug_id, serial, - ntohl(txb->ack.firstPacket), -@@ -302,7 +302,7 @@ int rxrpc_send_abort_packet(struct rxrpc_call *call) - iov[0].iov_base = &pkt; - iov[0].iov_len = sizeof(pkt); - -- serial = atomic_inc_return(&conn->serial); -+ serial = rxrpc_get_next_serial(conn); - pkt.whdr.serial = htonl(serial); - - iov_iter_kvec(&msg.msg_iter, WRITE, iov, 1, sizeof(pkt)); -@@ -334,7 +334,7 @@ int rxrpc_send_data_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb) - _enter("%x,{%d}", txb->seq, txb->len); - - /* Each transmission of a Tx packet needs a new serial number */ -- serial = atomic_inc_return(&conn->serial); -+ serial = rxrpc_get_next_serial(conn); - txb->wire.serial = htonl(serial); - - if (test_bit(RXRPC_CONN_PROBING_FOR_UPGRADE, 
&conn->flags) && -@@ -558,7 +558,7 @@ void rxrpc_send_conn_abort(struct rxrpc_connection *conn) - - len = iov[0].iov_len + iov[1].iov_len; - -- serial = atomic_inc_return(&conn->serial); -+ serial = rxrpc_get_next_serial(conn); - whdr.serial = htonl(serial); - - iov_iter_kvec(&msg.msg_iter, WRITE, iov, 2, len); -diff --git a/net/rxrpc/proc.c b/net/rxrpc/proc.c -index 682636d3b060..208312c244f6 100644 ---- a/net/rxrpc/proc.c -+++ b/net/rxrpc/proc.c -@@ -181,7 +181,7 @@ static int rxrpc_connection_seq_show(struct seq_file *seq, void *v) - atomic_read(&conn->active), - state, - key_serial(conn->key), -- atomic_read(&conn->serial), -+ conn->tx_serial, - conn->hi_serial, - conn->channels[0].call_id, - conn->channels[1].call_id, -diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c -index b52dedcebce0..6b32d61d4cdc 100644 ---- a/net/rxrpc/rxkad.c -+++ b/net/rxrpc/rxkad.c -@@ -664,7 +664,7 @@ static int rxkad_issue_challenge(struct rxrpc_connection *conn) - - len = iov[0].iov_len + iov[1].iov_len; - -- serial = atomic_inc_return(&conn->serial); -+ serial = rxrpc_get_next_serial(conn); - whdr.serial = htonl(serial); - - ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len); -@@ -721,7 +721,7 @@ static int rxkad_send_response(struct rxrpc_connection *conn, - - len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; - -- serial = atomic_inc_return(&conn->serial); -+ serial = rxrpc_get_next_serial(conn); - whdr.serial = htonl(serial); - - rxrpc_local_dont_fragment(conn->local, false); --- -2.43.2 - -From 63719f490e6a89896e9a463d2b45e8203eab23ae Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Fri, 2 Feb 2024 15:19:14 +0000 -Subject: [PATCH 050/129] rxrpc: Fix delayed ACKs to not set the reference - serial number -Content-Length: 2617 -Lines: 66 - -[ Upstream commit e7870cf13d20f56bfc19f9c3e89707c69cf104ef ] - -Fix the construction of delayed ACKs to not set the reference serial number -as they can't be used as an RTT reference. 
- -Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") -Signed-off-by: David Howells <dhowells@redhat.com> -cc: Marc Dionne <marc.dionne@auristor.com> -cc: "David S. Miller" <davem@davemloft.net> -cc: Eric Dumazet <edumazet@google.com> -cc: Jakub Kicinski <kuba@kernel.org> -cc: Paolo Abeni <pabeni@redhat.com> -cc: linux-afs@lists.infradead.org -cc: netdev@vger.kernel.org -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - net/rxrpc/ar-internal.h | 1 - - net/rxrpc/call_event.c | 6 +----- - 2 files changed, 1 insertion(+), 6 deletions(-) - -diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h -index efbe82926769..041add7654b2 100644 ---- a/net/rxrpc/ar-internal.h -+++ b/net/rxrpc/ar-internal.h -@@ -693,7 +693,6 @@ struct rxrpc_call { - /* Receive-phase ACK management (ACKs we send). */ - u8 ackr_reason; /* reason to ACK */ - u16 ackr_sack_base; /* Starting slot in SACK table ring */ -- rxrpc_serial_t ackr_serial; /* serial of packet being ACK'd */ - rxrpc_seq_t ackr_window; /* Base of SACK window */ - rxrpc_seq_t ackr_wtop; /* Base of SACK window */ - unsigned int ackr_nr_unacked; /* Number of unacked packets */ -diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c -index e363f21a2014..c61efe08695d 100644 ---- a/net/rxrpc/call_event.c -+++ b/net/rxrpc/call_event.c -@@ -43,8 +43,6 @@ void rxrpc_propose_delay_ACK(struct rxrpc_call *call, rxrpc_serial_t serial, - unsigned long expiry = rxrpc_soft_ack_delay; - unsigned long now = jiffies, ack_at; - -- call->ackr_serial = serial; -- - if (rxrpc_soft_ack_delay < expiry) - expiry = rxrpc_soft_ack_delay; - if (call->peer->srtt_us != 0) -@@ -373,7 +371,6 @@ static void rxrpc_send_initial_ping(struct rxrpc_call *call) - bool rxrpc_input_call_event(struct rxrpc_call *call, struct sk_buff *skb) - { - unsigned long now, next, t; -- rxrpc_serial_t ackr_serial; - bool resend = false, expired = false; - s32 
abort_code; - -@@ -423,8 +420,7 @@ bool rxrpc_input_call_event(struct rxrpc_call *call, struct sk_buff *skb) - if (time_after_eq(now, t)) { - trace_rxrpc_timer(call, rxrpc_timer_exp_ack, now); - cmpxchg(&call->delay_ack_at, t, now + MAX_JIFFY_OFFSET); -- ackr_serial = xchg(&call->ackr_serial, 0); -- rxrpc_send_ACK(call, RXRPC_ACK_DELAY, ackr_serial, -+ rxrpc_send_ACK(call, RXRPC_ACK_DELAY, 0, - rxrpc_propose_ack_ping_for_lost_ack); - } - --- -2.43.2 - From 033edcf322939033927e7e72d0be4a7389552491 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> Date: Fri, 2 Feb 2024 15:19:15 +0000 Subject: [PATCH 051/129] rxrpc: Fix response to PING RESPONSE ACKs to a dead call +Status: RO Content-Length: 1449 Lines: 42 @@ -4137,6 +2879,7 @@ From 2fb1d2b6cbd021e7597156f1571289e4cf3ec8a7 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> Date: Fri, 2 Feb 2024 15:19:16 +0000 Subject: [PATCH 052/129] rxrpc: Fix counting of new acks and nacks +Status: RO Content-Length: 13950 Lines: 377 @@ -4522,6 +3265,7 @@ From c44e8d43075f2c1bb71c48398a5dec4592d3f375 Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni@redhat.com> Date: Fri, 2 Feb 2024 17:06:59 +0100 Subject: [PATCH 053/129] selftests: net: let big_tcp test cope with slow env +Status: RO Content-Length: 1534 Lines: 41 
@@ -4567,205 +3311,12 @@ index cde9a91c4797..2db9d15cd45f 100755 -- 2.43.2 -From 0cd331dfd6023640c9669d0592bc0fd491205f87 Mon Sep 17 00:00:00 2001 -From: Shigeru Yoshida <syoshida@redhat.com> -Date: Thu, 1 Feb 2024 00:23:09 +0900 -Subject: [PATCH 054/129] tipc: Check the bearer type before calling - tipc_udp_nl_bearer_add() -Content-Length: 2975 -Lines: 72 - -[ Upstream commit 3871aa01e1a779d866fa9dfdd5a836f342f4eb87 ] - -syzbot reported the following general protection fault [1]: - -general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN -KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087] -... -RIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291 -... -Call Trace: - <TASK> - tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646 - tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089 - genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972 - genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline] - genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067 - netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544 - genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 - netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] - netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367 - netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909 - sock_sendmsg_nosec net/socket.c:730 [inline] - __sock_sendmsg+0xd5/0x180 net/socket.c:745 - ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584 - ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638 - __sys_sendmsg+0x117/0x1e0 net/socket.c:2667 - do_syscall_x64 arch/x86/entry/common.c:52 [inline] - do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 - entry_SYSCALL_64_after_hwframe+0x63/0x6b - -The cause of this issue is that when tipc_nl_bearer_add() is called with -the TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called -even if the bearer is not UDP. 
- -tipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that -the media_ptr field of the tipc_bearer has an udp_bearer type object, so -the function goes crazy for non-UDP bearers. - -This patch fixes the issue by checking the bearer type before calling -tipc_udp_nl_bearer_add() in tipc_nl_bearer_add(). - -Fixes: ef20cd4dd163 ("tipc: introduce UDP replicast") -Reported-and-tested-by: syzbot+5142b87a9abc510e14fa@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=5142b87a9abc510e14fa [1] -Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> -Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au> -Link: https://lore.kernel.org/r/20240131152310.4089541-1-syoshida@redhat.com -Signed-off-by: Paolo Abeni <pabeni@redhat.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - net/tipc/bearer.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c -index 2cde375477e3..878415c43527 100644 ---- a/net/tipc/bearer.c -+++ b/net/tipc/bearer.c -@@ -1086,6 +1086,12 @@ int tipc_nl_bearer_add(struct sk_buff *skb, struct genl_info *info) - - #ifdef CONFIG_TIPC_MEDIA_UDP - if (attrs[TIPC_NLA_BEARER_UDP_OPTS]) { -+ if (b->media->type_id != TIPC_MEDIA_TYPE_UDP) { -+ rtnl_unlock(); -+ NL_SET_ERR_MSG(info->extack, "UDP option is unsupported"); -+ return -EINVAL; -+ } -+ - err = tipc_udp_nl_bearer_add(b, - attrs[TIPC_NLA_BEARER_UDP_OPTS]); - if (err) { --- -2.43.2 - -From 82ae47c5c3a6b27fdc0f9e83c1499cb439c56140 Mon Sep 17 00:00:00 2001 -From: Kuniyuki Iwashima <kuniyu@amazon.com> -Date: Sat, 3 Feb 2024 10:31:49 -0800 -Subject: [PATCH 055/129] af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb - in GC. -Content-Length: 4551 -Lines: 104 - -[ Upstream commit 1279f9d9dec2d7462823a18c29ad61359e0a007d ] - -syzbot reported a warning [0] in __unix_gc() with a repro, which -creates a socketpair and sends one socket's fd to itself using the -peer. 
- - socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0 - sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}], - msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, - cmsg_type=SCM_RIGHTS, cmsg_data=[3]}], - msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1 - -This forms a self-cyclic reference that GC should finally untangle -but does not due to lack of MSG_OOB handling, resulting in memory -leak. - -Recently, commit 11498715f266 ("af_unix: Remove io_uring code for -GC.") removed io_uring's dead code in GC and revealed the problem. - -The code was executed at the final stage of GC and unconditionally -moved all GC candidates from gc_candidates to gc_inflight_list. -That papered over the reported problem by always making the following -WARN_ON_ONCE(!list_empty(&gc_candidates)) false. - -The problem has been there since commit 2aab4b969002 ("af_unix: fix -struct pid leaks in OOB support") added full scm support for MSG_OOB -while fixing another bug. - -To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb -if the socket still exists in gc_candidates after purging collected skb. - -Then, we need to set NULL to oob_skb before calling kfree_skb() because -it calls last fput() and triggers unix_release_sock(), where we call -duplicate kfree_skb(u->oob_skb) if not NULL. - -Note that the leaked socket remained being linked to a global list, so -kmemleak also could not detect it. We need to check /proc/net/protocol -to notice the unfreed socket. 
- -[0]: -WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345 -Modules linked in: -CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 -Workqueue: events_unbound __unix_gc -RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345 -Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8 -RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293 -RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e -RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30 -RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66 -R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000 -R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001 -FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - <TASK> - process_one_work+0x889/0x15e0 kernel/workqueue.c:2633 - process_scheduled_works kernel/workqueue.c:2706 [inline] - worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787 - kthread+0x2c6/0x3b0 kernel/kthread.c:388 - ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 - ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242 - </TASK> - -Reported-by: syzbot+fa3ef895554bdbfd1183@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=fa3ef895554bdbfd1183 -Fixes: 2aab4b969002 ("af_unix: fix struct pid leaks in OOB support") -Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> -Reviewed-by: Eric Dumazet <edumazet@google.com> -Link: 
https://lore.kernel.org/r/20240203183149.63573-1-kuniyu@amazon.com -Signed-off-by: Jakub Kicinski <kuba@kernel.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - net/unix/garbage.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/net/unix/garbage.c b/net/unix/garbage.c -index 2405f0f9af31..8f63f0b4bf01 100644 ---- a/net/unix/garbage.c -+++ b/net/unix/garbage.c -@@ -314,6 +314,17 @@ void unix_gc(void) - /* Here we are. Hitlist is filled. Die. */ - __skb_queue_purge(&hitlist); - -+#if IS_ENABLED(CONFIG_AF_UNIX_OOB) -+ list_for_each_entry_safe(u, next, &gc_candidates, link) { -+ struct sk_buff *skb = u->oob_skb; -+ -+ if (skb) { -+ u->oob_skb = NULL; -+ kfree_skb(skb); -+ } -+ } -+#endif -+ - spin_lock(&unix_gc_lock); - - /* There could be io_uring registered files, just push them back to --- -2.43.2 - From 319d215a11265819516925f3b4cdee2b5adcbe6c Mon Sep 17 00:00:00 2001 From: Jiri Pirko <jiri@nvidia.com> Date: Mon, 5 Feb 2024 18:11:14 +0100 Subject: [PATCH 056/129] devlink: avoid potential loop in devlink_rel_nested_in_notify_work() +Status: RO Content-Length: 2261 Lines: 67 
@@ -4837,101 +3388,11 @@ index 6984877e9f10..cbf8560c9375 100644 -- 2.43.2 -From 210d938f963dddc543b07e66a79b7d8d4bd00bd8 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Mon, 5 Feb 2024 17:10:04 +0000 -Subject: [PATCH 057/129] ppp_async: limit MRU to 64K -Content-Length: 3634 -Lines: 83 - -[ Upstream commit cb88cb53badb8aeb3955ad6ce80b07b598e310b8 ] - -syzbot triggered a warning [1] in __alloc_pages(): - -WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp) - -Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K") - -Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU) - -[1]: - - WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 -Modules linked in: -CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 -Workqueue: events_unbound flush_to_ldisc -pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) - pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 - lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537 -sp : ffff800093967580 -x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000 -x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0 -x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8 -x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120 -x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005 -x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000 -x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001 -x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f -x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020 -x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0 -Call trace: - __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 - __alloc_pages_node include/linux/gfp.h:238 [inline] - alloc_pages_node include/linux/gfp.h:261 
[inline] - __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926 - __do_kmalloc_node mm/slub.c:3969 [inline] - __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001 - kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590 - __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651 - __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715 - netdev_alloc_skb include/linux/skbuff.h:3235 [inline] - dev_alloc_skb include/linux/skbuff.h:3248 [inline] - ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline] - ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341 - tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390 - tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37 - receive_buf drivers/tty/tty_buffer.c:444 [inline] - flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494 - process_one_work+0x694/0x1204 kernel/workqueue.c:2633 - process_scheduled_works kernel/workqueue.c:2706 [inline] - worker_thread+0x938/0xef4 kernel/workqueue.c:2787 - kthread+0x288/0x310 kernel/kthread.c:388 - ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Reported-and-tested-by: syzbot+c5da1f087c9e4ec6c933@syzkaller.appspotmail.com -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reviewed-by: Willem de Bruijn <willemb@google.com> -Link: https://lore.kernel.org/r/20240205171004.1059724-1-edumazet@google.com -Signed-off-by: Jakub Kicinski <kuba@kernel.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - drivers/net/ppp/ppp_async.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c -index fbaaa8c102a1..e94a4b08fd63 100644 ---- a/drivers/net/ppp/ppp_async.c -+++ b/drivers/net/ppp/ppp_async.c -@@ -460,6 +460,10 @@ ppp_async_ioctl(struct ppp_channel *chan, unsigned int cmd, unsigned long arg) - case PPPIOCSMRU: - if (get_user(val, p)) - break; -+ if (val > U16_MAX) { -+ err = -EINVAL; -+ break; -+ } - if (val < PPP_MRU) - val = PPP_MRU; - ap->mru = val; --- -2.43.2 - 
From 972d0ddbaeed94662a70c6e1bbf5d0028c3dd061 Mon Sep 17 00:00:00 2001 From: Jakub Kicinski <kuba@kernel.org> Date: Sun, 4 Feb 2024 08:56:18 -0800 Subject: [PATCH 058/129] selftests: cmsg_ipv6: repeat the exact packet +Status: RO Content-Length: 1768 Lines: 48 @@ -4989,6 +3450,7 @@ From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Thu, 1 Feb 2024 22:58:36 +0100 Subject: [PATCH 059/129] netfilter: nft_compat: narrow down revision to unsigned 8-bits +Status: RO Content-Length: 1682 Lines: 44 @@ -5041,6 +3503,7 @@ From af12244ecf92547aab00f0a40d006515b1628632 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Thu, 1 Feb 2024 23:33:29 +0100 Subject: [PATCH 060/129] netfilter: nft_compat: reject unused compat flag +Status: RO Content-Length: 1639 Lines: 45 @@ -5095,6 +3558,7 @@ From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Fri, 2 Feb 2024 00:05:23 +0100 Subject: [PATCH 061/129] netfilter: nft_compat: restrict match/target protocol to u16 +Status: RO Content-Length: 1383 Lines: 43 @@ -5147,6 +3611,7 @@ From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com> Date: Sat, 27 Jan 2024 18:34:01 +0530 Subject: [PATCH 062/129] drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()' +Status: RO Content-Length: 2827 Lines: 82 @@ -5238,6 +3703,7 @@ From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com> Date: Wed, 31 Jan 2024 08:49:41 +0530 Subject: [PATCH 063/129] drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' +Status: RO Content-Length: 2273 Lines: 68 @@ -5315,6 +3781,7 @@ From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com> Date: Wed, 7 Feb 2024 10:20:57 +0530 Subject: [PATCH 064/129] drm/amd/display: Implement bounds check for stream encoder creation in DCN301 +Status: RO Content-Length: 2102 Lines: 46 @@ -5370,6 +3837,7 @@ 
From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Fri, 2 Feb 2024 10:09:34 +0100 Subject: [PATCH 065/129] netfilter: nft_set_pipapo: remove static in nft_pipapo_get() +Status: RO Content-Length: 1024 Lines: 28 @@ -5406,6 +3874,7 @@ From fc46e23da74588753676e58ca5d3100a68a5632a Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Mon, 5 Feb 2024 14:59:24 +0100 Subject: [PATCH 066/129] netfilter: nft_ct: reject direction for ct id +Status: RO Content-Length: 753 Lines: 28 @@ -5443,6 +3912,7 @@ From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Tue, 6 Feb 2024 00:11:40 +0100 Subject: [PATCH 067/129] netfilter: nf_tables: use timestamp to check for set element timeout +Status: RO Content-Length: 11801 Lines: 312 @@ -5763,6 +4233,7 @@ From 3c0c0cf930aa802ab2b4e4206e7307de17d64634 Mon Sep 17 00:00:00 2001 From: Florian Westphal <fw@strlen.de> Date: Tue, 6 Feb 2024 17:54:18 +0100 Subject: [PATCH 068/129] netfilter: nfnetlink_queue: un-break NF_REPEAT +Status: RO Content-Length: 1624 Lines: 52 @@ -5824,6 +4295,7 @@ From: Florian Westphal <fw@strlen.de> Date: Wed, 7 Feb 2024 21:52:46 +0100 Subject: [PATCH 069/129] netfilter: nft_set_pipapo: store index in scratch maps +Status: RO Content-Length: 9395 Lines: 258 @@ -6091,6 +4563,7 @@ From: Florian Westphal <fw@strlen.de> Date: Wed, 7 Feb 2024 21:52:47 +0100 Subject: [PATCH 070/129] netfilter: nft_set_pipapo: add helper to release pcpu scratch area +Status: RO Content-Length: 2794 Lines: 90 @@ -6190,6 +4663,7 @@ From: Florian Westphal <fw@strlen.de> Date: Thu, 8 Feb 2024 10:31:29 +0100 Subject: [PATCH 071/129] netfilter: nft_set_pipapo: remove scratch_aligned pointer +Status: RO Content-Length: 6364 Lines: 194 
@@ -6388,50 +4862,11 @@ index 78213c73af2e..90e275bb3e5d 100644 -- 2.43.2 -From 686820fe141ea0220fc6fdfc7e5694f915cf64b2 Mon Sep 17 00:00:00 2001 -From: Dan Carpenter <dan.carpenter@linaro.org> -Date: Tue, 17 Oct 2023 17:04:39 +0300 -Subject: [PATCH 072/129] fs/ntfs3: Fix an NULL dereference bug -Content-Length: 1214 -Lines: 32 - -[ Upstream commit b2dd7b953c25ffd5912dda17e980e7168bebcf6c ] - -The issue here is when this is called from ntfs_load_attr_list(). The -"size" comes from le32_to_cpu(attr->res.data_size) so it can't overflow -on a 64bit systems but on 32bit systems the "+ 1023" can overflow and -the result is zero. This means that the kmalloc will succeed by -returning the ZERO_SIZE_PTR and then the memcpy() will crash with an -Oops on the next line. - -Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations") -Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> -Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - fs/ntfs3/ntfs_fs.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h -index f6706143d14b..a46d30b84bf3 100644 ---- a/fs/ntfs3/ntfs_fs.h -+++ b/fs/ntfs3/ntfs_fs.h -@@ -473,7 +473,7 @@ bool al_delete_le(struct ntfs_inode *ni, enum ATTR_TYPE type, CLST vcn, - int al_update(struct ntfs_inode *ni, int sync); - static inline size_t al_aligned(size_t size) - { -- return (size + 1023) & ~(size_t)1023; -+ return size_add(size, 1023) & ~(size_t)1023; - } - - /* Globals from bitfunc.c */ --- -2.43.2 - From 2b89c3f9d3d069924dc1bedd400cd6e93435980c Mon Sep 17 00:00:00 2001 From: Alexandre Ghiti <alexghiti@rivosinc.com> Date: Tue, 12 Dec 2023 22:34:56 +0100 Subject: [PATCH 073/129] mm: Introduce flush_cache_vmap_early() +Status: RO Content-Length: 12569 Lines: 280 @@ -6721,6 +5156,7 @@ 
From: Vincent Chen <vincent.chen@sifive.com> Date: Wed, 17 Jan 2024 22:03:33 +0800 Subject: [PATCH 074/129] riscv: mm: execute local TLB flush after populating vmemmap +Status: RO Content-Length: 3167 Lines: 72 @@ -6801,6 +5237,7 @@ From ee0948ba7820205524c7fff39249b55761c48012 Mon Sep 17 00:00:00 2001 From: Alexandre Ghiti <alexghiti@rivosinc.com> Date: Wed, 17 Jan 2024 20:57:40 +0100 Subject: [PATCH 075/129] riscv: Fix set_huge_pte_at() for NAPOT mapping +Status: RO Content-Length: 2579 Lines: 82 @@ -6892,6 +5329,7 @@ From: Alexandre Ghiti <alexghiti@rivosinc.com> Date: Wed, 17 Jan 2024 20:57:41 +0100 Subject: [PATCH 076/129] riscv: Fix hugetlb_mask_last_page() when NAPOT is enabled +Status: RO Content-Length: 1376 Lines: 47 @@ -6948,6 +5386,7 @@ From: Ming Lei <ming.lei@redhat.com> Date: Sat, 3 Feb 2024 10:45:21 +0800 Subject: [PATCH 077/129] scsi: core: Move scsi_host_busy() out of host lock if it is for per-command +Status: RO Content-Length: 2476 Lines: 60 @@ -7016,6 +5455,7 @@ From d3607acc4fc08acea4b7e76abc2bfbe6b2be064e Mon Sep 17 00:00:00 2001 From: Alexandre Ghiti <alexghiti@rivosinc.com> Date: Sun, 28 Jan 2024 13:04:05 +0100 Subject: [PATCH 078/129] riscv: Flush the tlb when a page directory is freed +Status: RO Content-Length: 1142 Lines: 30 @@ -7055,6 +5495,7 @@ From: Xiubo Li <xiubli@redhat.com> Date: Thu, 14 Dec 2023 09:21:15 +0800 Subject: [PATCH 079/129] libceph: rename read_sparse_msg_*() to read_partial_sparse_msg_*() +Status: RO Content-Length: 2339 Lines: 60 
@@ -7119,186 +5560,12 @@ index f9a50d7f0d20..4cb60bacf5f5 100644 -- 2.43.2 -From bd9442e553ab8bf74b8be3b3c0a43bf4af4dc9b8 Mon Sep 17 00:00:00 2001 -From: Xiubo Li <xiubli@redhat.com> -Date: Thu, 14 Dec 2023 16:01:03 +0800 -Subject: [PATCH 080/129] libceph: just wait for more data to be available on - the socket -Content-Length: 5624 -Lines: 166 - -[ Upstream commit 8e46a2d068c92a905d01cbb018b00d66991585ab ] - -A short read may occur while reading the message footer from the -socket. Later, when the socket is ready for another read, the -messenger invokes all read_partial_*() handlers, including -read_partial_sparse_msg_data(). The expectation is that -read_partial_sparse_msg_data() would bail, allowing the messenger to -invoke read_partial() for the footer and pick up where it left off. - -However read_partial_sparse_msg_data() violates that and ends up -calling into the state machine in the OSD client. The sparse-read -state machine assumes that it's a new op and interprets some piece of -the footer as the sparse-read header and returns bogus extents/data -length, etc. - -To determine whether read_partial_sparse_msg_data() should bail, let's -reuse cursor->total_resid. Because once it reaches to zero that means -all the extents and data have been successfully received in last read, -else it could break out when partially reading any of the extents and -data. And then osd_sparse_read() could continue where it left off. 
- -[ idryomov: changelog ] - -Link: https://tracker.ceph.com/issues/63586 -Fixes: d396f89db39a ("libceph: add sparse read support to msgr1") -Signed-off-by: Xiubo Li <xiubli@redhat.com> -Reviewed-by: Jeff Layton <jlayton@kernel.org> -Signed-off-by: Ilya Dryomov <idryomov@gmail.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - include/linux/ceph/messenger.h | 2 +- - net/ceph/messenger_v1.c | 25 +++++++++++++------------ - net/ceph/messenger_v2.c | 4 ++-- - net/ceph/osd_client.c | 9 +++------ - 4 files changed, 19 insertions(+), 21 deletions(-) - -diff --git a/include/linux/ceph/messenger.h b/include/linux/ceph/messenger.h -index 2eaaabbe98cb..1717cc57cdac 100644 ---- a/include/linux/ceph/messenger.h -+++ b/include/linux/ceph/messenger.h -@@ -283,7 +283,7 @@ struct ceph_msg { - struct kref kref; - bool more_to_follow; - bool needs_out_seq; -- bool sparse_read; -+ u64 sparse_read_total; - int front_alloc_len; - - struct ceph_msgpool *pool; -diff --git a/net/ceph/messenger_v1.c b/net/ceph/messenger_v1.c -index 4cb60bacf5f5..0cb61c76b9b8 100644 ---- a/net/ceph/messenger_v1.c -+++ b/net/ceph/messenger_v1.c -@@ -160,8 +160,9 @@ static size_t sizeof_footer(struct ceph_connection *con) - static void prepare_message_data(struct ceph_msg *msg, u32 data_len) - { - /* Initialize data cursor if it's not a sparse read */ -- if (!msg->sparse_read) -- ceph_msg_data_cursor_init(&msg->cursor, msg, data_len); -+ u64 len = msg->sparse_read_total ? 
: data_len; -+ -+ ceph_msg_data_cursor_init(&msg->cursor, msg, len); - } - - /* -@@ -1036,7 +1037,7 @@ static int read_partial_sparse_msg_data(struct ceph_connection *con) - if (do_datacrc) - crc = con->in_data_crc; - -- do { -+ while (cursor->total_resid) { - if (con->v1.in_sr_kvec.iov_base) - ret = read_partial_message_chunk(con, - &con->v1.in_sr_kvec, -@@ -1044,23 +1045,23 @@ static int read_partial_sparse_msg_data(struct ceph_connection *con) - &crc); - else if (cursor->sr_resid > 0) - ret = read_partial_sparse_msg_extent(con, &crc); -- -- if (ret <= 0) { -- if (do_datacrc) -- con->in_data_crc = crc; -- return ret; -- } -+ if (ret <= 0) -+ break; - - memset(&con->v1.in_sr_kvec, 0, sizeof(con->v1.in_sr_kvec)); - ret = con->ops->sparse_read(con, cursor, - (char **)&con->v1.in_sr_kvec.iov_base); -+ if (ret <= 0) { -+ ret = ret ? ret : 1; /* must return > 0 to indicate success */ -+ break; -+ } - con->v1.in_sr_len = ret; -- } while (ret > 0); -+ } - - if (do_datacrc) - con->in_data_crc = crc; - -- return ret < 0 ? 
ret : 1; /* must return > 0 to indicate success */ -+ return ret; - } - - static int read_partial_msg_data(struct ceph_connection *con) -@@ -1253,7 +1254,7 @@ static int read_partial_message(struct ceph_connection *con) - if (!m->num_data_items) - return -EIO; - -- if (m->sparse_read) -+ if (m->sparse_read_total) - ret = read_partial_sparse_msg_data(con); - else if (ceph_test_opt(from_msgr(con->msgr), RXBOUNCE)) - ret = read_partial_msg_data_bounce(con); -diff --git a/net/ceph/messenger_v2.c b/net/ceph/messenger_v2.c -index f8ec60e1aba3..a0ca5414b333 100644 ---- a/net/ceph/messenger_v2.c -+++ b/net/ceph/messenger_v2.c -@@ -1128,7 +1128,7 @@ static int decrypt_tail(struct ceph_connection *con) - struct sg_table enc_sgt = {}; - struct sg_table sgt = {}; - struct page **pages = NULL; -- bool sparse = con->in_msg->sparse_read; -+ bool sparse = !!con->in_msg->sparse_read_total; - int dpos = 0; - int tail_len; - int ret; -@@ -2060,7 +2060,7 @@ static int prepare_read_tail_plain(struct ceph_connection *con) - } - - if (data_len(msg)) { -- if (msg->sparse_read) -+ if (msg->sparse_read_total) - con->v2.in_state = IN_S_PREPARE_SPARSE_DATA; - else - con->v2.in_state = IN_S_PREPARE_READ_DATA; -diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c -index d3a759e052c8..8d9760397b88 100644 ---- a/net/ceph/osd_client.c -+++ b/net/ceph/osd_client.c -@@ -5510,7 +5510,7 @@ static struct ceph_msg *get_reply(struct ceph_connection *con, - } - - m = ceph_msg_get(req->r_reply); -- m->sparse_read = (bool)srlen; -+ m->sparse_read_total = srlen; - - dout("get_reply tid %lld %p\n", tid, m); - -@@ -5777,11 +5777,8 @@ static int prep_next_sparse_read(struct ceph_connection *con, - } - - if (o->o_sparse_op_idx < 0) { -- u64 srlen = sparse_data_requested(req); -- -- dout("%s: [%d] starting new sparse read req. 
srlen=0x%llx\n", -- __func__, o->o_osd, srlen); -- ceph_msg_data_cursor_init(cursor, con->in_msg, srlen); -+ dout("%s: [%d] starting new sparse read req\n", -+ __func__, o->o_osd); - } else { - u64 end; - --- -2.43.2 - From 524b78875804bc905efdb84b181178c8be54f908 Mon Sep 17 00:00:00 2001 From: Xiubo Li <xiubli@redhat.com> Date: Thu, 18 Jan 2024 14:24:41 +0800 Subject: [PATCH 081/129] ceph: always set initial i_blkbits to CEPH_FSCRYPT_BLOCK_SHIFT +Status: RO Content-Length: 1170 Lines: 33 @@ -7341,6 +5608,7 @@ From: Alexandre Ghiti <alexghiti@rivosinc.com> Date: Tue, 30 Jan 2024 13:01:14 +0100 Subject: [PATCH 082/129] riscv: Fix arch_hugetlb_migration_supported() for NAPOT +Status: RO Content-Length: 2477 Lines: 79 @@ -7429,6 +5697,7 @@ From: Ben Dooks <ben.dooks@codethink.co.uk> Date: Thu, 23 Nov 2023 13:42:14 +0000 Subject: [PATCH 083/129] riscv: declare overflow_stack as exported from traps.c +Status: RO Content-Length: 1584 Lines: 39 @@ -7476,6 +5745,7 @@ From dc1fc14047bd6cc7801f69e60aa36c8e44031bba Mon Sep 17 00:00:00 2001 From: Maurizio Lombardi <mlombard@redhat.com> Date: Thu, 18 Jan 2024 12:48:54 +0100 Subject: [PATCH 084/129] nvme-host: fix the updating of the firmware version +Status: RO Content-Length: 2392 Lines: 66 @@ -7551,6 +5821,7 @@ From: Muhammad Usama Anjum <usama.anjum@collabora.com> Date: Tue, 24 Oct 2023 20:51:25 +0500 Subject: [PATCH 085/129] selftests: core: include linux/close_range.h for CLOSE_RANGE_* macros +Status: RO Content-Length: 1279 Lines: 32 @@ -7594,6 +5865,7 @@ Subject: [PATCH 086/129] blk-iocost: Fix an UBSAN shift-out-of-bounds warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 2238 Lines: 61 @@ -7664,6 +5936,7 @@ From: Alexander Tsoy <alexander@tsoy.me> Date: Wed, 24 Jan 2024 16:02:39 +0300 Subject: [PATCH 087/129] ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision +Status: RO Content-Length: 1221 Lines: 30 @@ -7703,6 +5976,7 @@ 
From: Julian Sikorski <belegdol+github@gmail.com> Date: Tue, 23 Jan 2024 09:49:35 +0100 Subject: [PATCH 088/129] ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter +Status: RO Content-Length: 1168 Lines: 29 @@ -7743,6 +6017,7 @@ Subject: [PATCH 089/129] ALSA: usb-audio: add quirk for RODE NT-USB+ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 1830 Lines: 44 @@ -7796,6 +6071,7 @@ From: JackBB Wu <wojackbb@gmail.com> Date: Tue, 23 Jan 2024 17:39:48 +0800 Subject: [PATCH 090/129] USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e +Status: RO Content-Length: 2912 Lines: 68 @@ -7872,6 +6148,7 @@ From 9eb61d85411eaadaa809121c1ccd5868f4141b56 Mon Sep 17 00:00:00 2001 From: Puliang Lu <puliang.lu@fibocom.com> Date: Wed, 31 Jan 2024 17:12:24 +0800 Subject: [PATCH 091/129] USB: serial: option: add Fibocom FM101-GL variant +Status: RO Content-Length: 2235 Lines: 51 @@ -7931,6 +6208,7 @@ From f81f4d9bab3a318556df8cae4a42939e13263544 Mon Sep 17 00:00:00 2001 From: Leonard Dallmayr <leonard.dallmayr@mailbox.org> Date: Fri, 5 Jan 2024 13:35:51 +0100 Subject: [PATCH 092/129] USB: serial: cp210x: add ID for IMST iM871A-USB +Status: RO Content-Length: 1211 Lines: 28 @@ -7967,6 +6245,7 @@ From a87cc08c312cd97b97c8f95541ff9854ec219a66 Mon Sep 17 00:00:00 2001 From: Badhri Jagan Sridharan <badhri@google.com> Date: Wed, 17 Jan 2024 11:47:42 +0000 Subject: [PATCH 093/129] Revert "usb: typec: tcpm: fix cc role at port reset" +Status: RO Content-Length: 1790 Lines: 47 @@ -8023,6 +6302,7 @@ From: Mario Limonciello <mario.limonciello@amd.com> Date: Fri, 19 Jan 2024 03:08:37 -0600 Subject: [PATCH 094/129] Revert "drm/amd/pm: fix the high voltage and temperature issue" +Status: RO Content-Length: 5751 Lines: 170 
@@ -8197,145 +6477,11 @@ index d380a53e8f77..bc5891c3f648 100644 -- 2.43.2 -From 2da241c5ed78d0978228a1150735539fe1a60eca Mon Sep 17 00:00:00 2001 -From: Qiuxu Zhuo <qiuxu.zhuo@intel.com> -Date: Mon, 29 Jan 2024 14:38:42 +0800 -Subject: [PATCH 095/129] x86/lib: Revert to _ASM_EXTABLE_UA() for - {get,put}_user() fixups -Content-Length: 5256 -Lines: 126 - -commit 8eed4e00a370b37b4e5985ed983dccedd555ea9d upstream. - -During memory error injection test on kernels >= v6.4, the kernel panics -like below. However, this issue couldn't be reproduced on kernels <= v6.3. - - mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134 - mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {__get_user_nocheck_4+0x6/0x20} - mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86 - mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490 - mce: [Hardware Error]: Run the above through 'mcelog --ascii' - mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel - Kernel panic - not syncing: Fatal local machine check - -The MCA code can recover from an in-kernel #MC if the fixup type is -EX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to -access userspace memory. However, if the fixup type is EX_TYPE_DEFAULT -the only thing that is raised for an in-kernel #MC is a panic. - -ex_handler_uaccess() would warn if users gave a non-canonical addresses -(with bit 63 clear) to {get, put}_user(), which was unexpected. - -Therefore, commit - - b19b74bc99b1 ("x86/mm: Rework address range check in get_user() and put_user()") - -replaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user() -fixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic. 
- -Commit - - 6014bc27561f ("x86-64: make access_ok() independent of LAM") - -added the check gp_fault_address_ok() right before the WARN_ONCE() in -ex_handler_uaccess() to not warn about non-canonical user addresses due -to LAM. - -With that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user() -exception fixups in order to be able to handle in-kernel MCEs correctly -again. - - [ bp: Massage commit message. ] - -Fixes: b19b74bc99b1 ("x86/mm: Rework address range check in get_user() and put_user()") -Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com> -Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> -Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> -Cc: <stable@kernel.org> -Link: https://lore.kernel.org/r/20240129063842.61584-1-qiuxu.zhuo@intel.com -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - arch/x86/lib/getuser.S | 24 ++++++++++++------------ - arch/x86/lib/putuser.S | 20 ++++++++++---------- - 2 files changed, 22 insertions(+), 22 deletions(-) - -diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S -index 20ef350a60fb..10d5ed8b5990 100644 ---- a/arch/x86/lib/getuser.S -+++ b/arch/x86/lib/getuser.S -@@ -163,23 +163,23 @@ SYM_CODE_END(__get_user_8_handle_exception) - #endif - - /* get_user */ -- _ASM_EXTABLE(1b, __get_user_handle_exception) -- _ASM_EXTABLE(2b, __get_user_handle_exception) -- _ASM_EXTABLE(3b, __get_user_handle_exception) -+ _ASM_EXTABLE_UA(1b, __get_user_handle_exception) -+ _ASM_EXTABLE_UA(2b, __get_user_handle_exception) -+ _ASM_EXTABLE_UA(3b, __get_user_handle_exception) - #ifdef CONFIG_X86_64 -- _ASM_EXTABLE(4b, __get_user_handle_exception) -+ _ASM_EXTABLE_UA(4b, __get_user_handle_exception) - #else -- _ASM_EXTABLE(4b, __get_user_8_handle_exception) -- _ASM_EXTABLE(5b, __get_user_8_handle_exception) -+ _ASM_EXTABLE_UA(4b, __get_user_8_handle_exception) -+ _ASM_EXTABLE_UA(5b, __get_user_8_handle_exception) - #endif - - /* __get_user */ -- _ASM_EXTABLE(6b, __get_user_handle_exception) 
-- _ASM_EXTABLE(7b, __get_user_handle_exception) -- _ASM_EXTABLE(8b, __get_user_handle_exception) -+ _ASM_EXTABLE_UA(6b, __get_user_handle_exception) -+ _ASM_EXTABLE_UA(7b, __get_user_handle_exception) -+ _ASM_EXTABLE_UA(8b, __get_user_handle_exception) - #ifdef CONFIG_X86_64 -- _ASM_EXTABLE(9b, __get_user_handle_exception) -+ _ASM_EXTABLE_UA(9b, __get_user_handle_exception) - #else -- _ASM_EXTABLE(9b, __get_user_8_handle_exception) -- _ASM_EXTABLE(10b, __get_user_8_handle_exception) -+ _ASM_EXTABLE_UA(9b, __get_user_8_handle_exception) -+ _ASM_EXTABLE_UA(10b, __get_user_8_handle_exception) - #endif -diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S -index 2877f5934177..975c9c18263d 100644 ---- a/arch/x86/lib/putuser.S -+++ b/arch/x86/lib/putuser.S -@@ -133,15 +133,15 @@ SYM_CODE_START_LOCAL(__put_user_handle_exception) - RET - SYM_CODE_END(__put_user_handle_exception) - -- _ASM_EXTABLE(1b, __put_user_handle_exception) -- _ASM_EXTABLE(2b, __put_user_handle_exception) -- _ASM_EXTABLE(3b, __put_user_handle_exception) -- _ASM_EXTABLE(4b, __put_user_handle_exception) -- _ASM_EXTABLE(5b, __put_user_handle_exception) -- _ASM_EXTABLE(6b, __put_user_handle_exception) -- _ASM_EXTABLE(7b, __put_user_handle_exception) -- _ASM_EXTABLE(9b, __put_user_handle_exception) -+ _ASM_EXTABLE_UA(1b, __put_user_handle_exception) -+ _ASM_EXTABLE_UA(2b, __put_user_handle_exception) -+ _ASM_EXTABLE_UA(3b, __put_user_handle_exception) -+ _ASM_EXTABLE_UA(4b, __put_user_handle_exception) -+ _ASM_EXTABLE_UA(5b, __put_user_handle_exception) -+ _ASM_EXTABLE_UA(6b, __put_user_handle_exception) -+ _ASM_EXTABLE_UA(7b, __put_user_handle_exception) -+ _ASM_EXTABLE_UA(9b, __put_user_handle_exception) - #ifdef CONFIG_X86_32 -- _ASM_EXTABLE(8b, __put_user_handle_exception) -- _ASM_EXTABLE(10b, __put_user_handle_exception) -+ _ASM_EXTABLE_UA(8b, __put_user_handle_exception) -+ _ASM_EXTABLE_UA(10b, __put_user_handle_exception) - #endif --- -2.43.2 - 
From c5a2550ab297471a0de2b1d4c51a026e28912422 Mon Sep 17 00:00:00 2001 From: Prashanth K <quic_prashk@quicinc.com> Date: Tue, 16 Jan 2024 11:28:15 +0530 Subject: [PATCH 096/129] usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK +Status: RO Content-Length: 2013 Lines: 54 @@ -8399,6 +6545,7 @@ From: Prashanth K <quic_prashk@quicinc.com> Date: Tue, 16 Jan 2024 11:28:16 +0530 Subject: [PATCH 097/129] usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK +Status: RO Content-Length: 1495 Lines: 35 @@ -8446,6 +6593,7 @@ Subject: [PATCH 098/129] xhci: process isoc TD properly when there was a MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 6099 Lines: 173 @@ -8628,6 +6776,7 @@ From: Michal Pecio <michal.pecio@gmail.com> Date: Thu, 25 Jan 2024 17:27:37 +0200 Subject: [PATCH 099/129] xhci: handle isoc Babble and Buffer Overrun events properly +Status: RO Content-Length: 1947 Lines: 48 @@ -8685,6 +6834,7 @@ From: Heikki Krogerus <heikki.krogerus@linux.intel.com> Date: Mon, 15 Jan 2024 11:28:20 +0200 Subject: [PATCH 100/129] usb: dwc3: pci: add support for the Intel Arrow Lake-H +Status: RO Content-Length: 1505 Lines: 38 @@ -8731,6 +6881,7 @@ From 6424f6ebde6a876f262d0ab5afb1240a231ec896 Mon Sep 17 00:00:00 2001 From: Frederic Weisbecker <frederic@kernel.org> Date: Mon, 29 Jan 2024 15:56:36 -0800 Subject: [PATCH 101/129] hrtimer: Report offline hrtimer enqueue +Status: RO Content-Length: 2943 Lines: 77 @@ -8817,6 +6968,7 @@ From: Werner Sembach <wse@tuxedocomputers.com> Date: Tue, 5 Dec 2023 17:36:01 +0100 Subject: [PATCH 102/129] Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU +Status: RO Content-Length: 1702 Lines: 44 @@ -8870,6 +7022,7 @@ From: Hans de Goede <hdegoede@redhat.com> Date: Fri, 26 Jan 2024 17:07:23 +0100 Subject: [PATCH 103/129] Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID +Status: RO Content-Length: 3030 Lines: 79 @@ -8957,6 +7110,7 @@ 
From 30f3841215b7ebc350e123609bff696e8b5f96bc Mon Sep 17 00:00:00 2001 From: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Date: Sun, 28 Jan 2024 08:53:57 +0200 Subject: [PATCH 104/129] wifi: iwlwifi: mvm: fix a battery life regression +Status: RO Content-Length: 1411 Lines: 33 @@ -8999,6 +7153,7 @@ From: Jens Axboe <axboe@kernel.dk> Date: Thu, 1 Feb 2024 06:42:36 -0700 Subject: [PATCH 105/129] io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers +Status: RO Content-Length: 1256 Lines: 34 @@ -9041,6 +7196,7 @@ From 995d0204d94cea447184f5d1ab52a5fc2570a031 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe@kernel.dk> Date: Mon, 29 Jan 2024 11:52:54 -0700 Subject: [PATCH 106/129] io_uring/poll: move poll execution helpers higher up +Status: RO Content-Length: 1865 Lines: 73 @@ -9123,6 +7279,7 @@ From: Jens Axboe <axboe@kernel.dk> Date: Mon, 29 Jan 2024 11:54:18 -0700 Subject: [PATCH 107/129] io_uring/net: un-indent mshot retry path in io_recv_finish() +Status: RO Content-Length: 1928 Lines: 64 @@ -9196,6 +7353,7 @@ From: Jens Axboe <axboe@kernel.dk> Date: Sat, 27 Jan 2024 13:44:58 -0700 Subject: [PATCH 108/129] io_uring/rw: ensure poll based multishot read retries appropriately +Status: RO Content-Length: 3207 Lines: 88 @@ -9292,6 +7450,7 @@ From ef90508574d7af48420bdc5f7b9a4f1cdd26bc70 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan+linaro@kernel.org> Date: Tue, 30 Jan 2024 11:02:43 +0100 Subject: [PATCH 109/129] PCI/ASPM: Fix deadlock when enabling ASPM +Status: RO Content-Length: 14886 Lines: 400 @@ -9700,6 +7859,7 @@ From 9b9a2f1a67f26a3ed66e672b7bad8f369a4b4a02 Mon Sep 17 00:00:00 2001 From: Al Viro <viro@zeniv.linux.org.uk> Date: Wed, 15 Nov 2023 22:41:27 -0500 Subject: [PATCH 110/129] new helper: user_path_locked_at() +Status: RO Content-Length: 2658 Lines: 70 @@ -9778,6 +7938,7 @@ From dc610c441b0e072ee01abf8910fda350df5136fa Mon Sep 17 00:00:00 2001 
From: Al Viro <viro@zeniv.linux.org.uk> Date: Tue, 14 Nov 2023 18:52:42 -0500 Subject: [PATCH 111/129] bch2_ioctl_subvolume_destroy(): fix locking +Status: RO Content-Length: 1827 Lines: 68 @@ -9854,6 +8015,7 @@ From f114cfc8083a50f457c94eea43de4e56bab98cb0 Mon Sep 17 00:00:00 2001 From: Kent Overstreet <kent.overstreet@linux.dev> Date: Mon, 15 Jan 2024 14:12:43 -0500 Subject: [PATCH 112/129] bcachefs: Don't pass memcmp() as a pointer +Status: RO Content-Length: 1607 Lines: 48 @@ -9911,6 +8073,7 @@ From: Daniel Hill <daniel@gluo.nz> Date: Sun, 26 Nov 2023 19:33:31 +1300 Subject: [PATCH 113/129] bcachefs: rebalance should wakeup on shutdown if disabled +Status: RO Content-Length: 2245 Lines: 61 @@ -9980,6 +8143,7 @@ From 9a269387a0a962f9eb7c5974409ec6cdb390fc50 Mon Sep 17 00:00:00 2001 From: Kent Overstreet <kent.overstreet@linux.dev> Date: Mon, 15 Jan 2024 15:06:43 -0500 Subject: [PATCH 114/129] bcachefs: Add missing bch2_moving_ctxt_flush_all() +Status: RO Content-Length: 835 Lines: 25 @@ -10014,6 +8178,7 @@ From: Kent Overstreet <kent.overstreet@linux.dev> Date: Mon, 15 Jan 2024 14:15:26 -0500 Subject: [PATCH 115/129] bcachefs: bch2_kthread_io_clock_wait() no longer sleeps until full amount +Status: RO Content-Length: 1228 Lines: 39 @@ -10062,6 +8227,7 @@ From: Su Yue <glass.su@suse.com> Date: Tue, 16 Jan 2024 19:05:37 +0800 Subject: [PATCH 116/129] bcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit +Status: RO Content-Length: 3226 Lines: 66 @@ -10136,6 +8302,7 @@ From 5b41d3fd04c6757b9c2a60a0c5b2609cae9999df Mon Sep 17 00:00:00 2001 From: Su Yue <glass.su@suse.com> Date: Mon, 15 Jan 2024 10:21:25 +0800 Subject: [PATCH 117/129] bcachefs: grab s_umount only if snapshotting +Status: RO Content-Length: 7225 Lines: 181 @@ -10325,6 +8492,7 @@ From 4571eb9bead1116305cb4910b224836770dce4bb Mon Sep 17 00:00:00 2001 
From: Christoph Hellwig <hch@lst.de> Date: Thu, 11 Jan 2024 08:36:55 +0100 Subject: [PATCH 118/129] bcachefs: fix incorrect usage of REQ_OP_FLUSH +Status: RO Content-Length: 2150 Lines: 61 @@ -10395,6 +8563,7 @@ From: Guoyu Ou <benogy@gmail.com> Date: Sun, 28 Jan 2024 16:46:17 +0800 Subject: [PATCH 119/129] bcachefs: unlock parent dir if entry is not found in subvolume deletion +Status: RO Content-Length: 1510 Lines: 52 @@ -10456,6 +8625,7 @@ From: Kent Overstreet <kent.overstreet@linux.dev> Date: Thu, 1 Feb 2024 21:01:02 -0500 Subject: [PATCH 120/129] bcachefs: time_stats: Check for last_event == 0 when updating freq stats +Status: RO Content-Length: 1155 Lines: 34 @@ -10499,6 +8669,7 @@ From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Date: Tue, 13 Feb 2024 15:44:48 +0100 Subject: [PATCH 121/129] Revert "ASoC: amd: Add new dmi entries for acp5x platform" +Status: RO Content-Length: 1529 Lines: 49 @@ -10557,6 +8728,7 @@ From: Jens Axboe <axboe@kernel.dk> Date: Mon, 29 Jan 2024 11:57:11 -0700 Subject: [PATCH 122/129] io_uring/poll: add requeue return code from poll multishot handling +Status: RO Content-Length: 2433 Lines: 75 @@ -10640,6 +8812,7 @@ From 3438de322e549183126d9bafe131e9dd80348811 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe@kernel.dk> Date: Mon, 29 Jan 2024 12:00:58 -0700 Subject: [PATCH 123/129] io_uring/net: limit inline multishot retries +Status: RO Content-Length: 3172 Lines: 86 @@ -10734,6 +8907,7 @@ From 50d0dff3f706ff4a71df99b7526341ae9fa83e09 Mon Sep 17 00:00:00 2001 From: Michael Lass <bevan@bi-co.net> Date: Wed, 31 Jan 2024 16:52:20 +0100 Subject: [PATCH 124/129] net: Fix from address in memcpy_to_iter_csum() +Status: RO Content-Length: 1316 Lines: 35 @@ -10777,6 +8951,7 @@ From 9b16230a81aaa0b93734ad7c8b9f9c5b97b27920 Mon Sep 17 00:00:00 2001 
From: Simon Horman <horms@kernel.org> Date: Thu, 8 Feb 2024 09:48:27 +0000 Subject: [PATCH 125/129] net: stmmac: xgmac: use #define for string constants +Status: RO Content-Length: 4667 Lines: 121 diff --git a/cve/review/mbox.6.7.5.cve b/cve/review/mbox.6.7.5.cve index e3a1fcf6..4f0be9f1 100644 --- a/cve/review/mbox.6.7.5.cve +++ b/cve/review/mbox.6.7.5.cve 
@@ -133,3 +133,1957 @@ index dd2913ac0fa2..78e19b128962 100644 -- 2.43.2 +From 6b0d48647935e4b8c7b75d1eccb9043fcd4ee581 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Thu, 4 Jan 2024 22:20:35 +0800 +Subject: [PATCH 001/129] ext4: regenerate buddy after block freeing failed if + under fc replay +Status: RO +Content-Length: 2024 +Lines: 59 + +[ Upstream commit c9b528c35795b711331ed36dc3dbee90d5812d4e ] + +This mostly reverts commit 6bd97bf273bd ("ext4: remove redundant +mb_regenerate_buddy()") and reintroduces mb_regenerate_buddy(). Based on +code in mb_free_blocks(), fast commit replay can end up marking as free +blocks that are already marked as such. This causes corruption of the +buddy bitmap so we need to regenerate it in that case. + +Reported-by: Jan Kara <jack@suse.cz> +Fixes: 6bd97bf273bd ("ext4: remove redundant mb_regenerate_buddy()") +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20240104142040.2835097-4-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + fs/ext4/mballoc.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 8408318e1d32..3c5786841c6c 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -1233,6 +1233,24 @@ void ext4_mb_generate_buddy(struct super_block *sb, + atomic64_add(period, &sbi->s_mb_generation_time); + } + ++static void mb_regenerate_buddy(struct ext4_buddy *e4b) ++{ ++ int count; ++ int order = 1; ++ void *buddy; ++ ++ while ((buddy = mb_find_buddy(e4b, order++, &count))) ++ mb_set_bits(buddy, 0, count); ++ ++ e4b->bd_info->bb_fragments = 0; ++ memset(e4b->bd_info->bb_counters, 0, ++ sizeof(*e4b->bd_info->bb_counters) * ++ (e4b->bd_sb->s_blocksize_bits + 2)); ++ ++ ext4_mb_generate_buddy(e4b->bd_sb, e4b->bd_buddy, ++ e4b->bd_bitmap, e4b->bd_group, e4b->bd_info); ++} ++ + /* The buddy 
information is attached the buddy cache inode + * for convenience. The information regarding each group + * is loaded via ext4_mb_load_buddy. The information involve +@@ -1921,6 +1939,8 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b, + ext4_mark_group_bitmap_corrupted( + sb, e4b->bd_group, + EXT4_GROUP_INFO_BBITMAP_CORRUPT); ++ } else { ++ mb_regenerate_buddy(e4b); + } + goto done; + } +-- +2.43.2 + +From 3b48c9e258c8691c2f093ee07b1ea3764caaa1b2 Mon Sep 17 00:00:00 2001 +From: Furong Xu <0x1207@gmail.com> +Date: Wed, 31 Jan 2024 10:08:28 +0800 +Subject: [PATCH 022/129] net: stmmac: xgmac: fix handling of DPP safety error + for DMA channels +Status: RO +Content-Length: 5743 +Lines: 150 + +[ Upstream commit 46eba193d04f8bd717e525eb4110f3c46c12aec3 ] + +Commit 56e58d6c8a56 ("net: stmmac: Implement Safety Features in +XGMAC core") checks and reports safety errors, but leaves the +Data Path Parity Errors for each channel in DMA unhandled at all, lead to +a storm of interrupt. +Fix it by checking and clearing the DMA_DPP_Interrupt_Status register. + +Fixes: 56e58d6c8a56 ("net: stmmac: Implement Safety Features in XGMAC core") +Signed-off-by: Furong Xu <0x1207@gmail.com> +Reviewed-by: Simon Horman <horms@kernel.org> +Signed-off-by: David S. 
Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/net/ethernet/stmicro/stmmac/common.h | 1 + + .../net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 + + .../ethernet/stmicro/stmmac/dwxgmac2_core.c | 57 ++++++++++++++++++- + 3 files changed, 60 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h +index e3f650e88f82..588e44d57f29 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/common.h ++++ b/drivers/net/ethernet/stmicro/stmmac/common.h +@@ -216,6 +216,7 @@ struct stmmac_safety_stats { + unsigned long mac_errors[32]; + unsigned long mtl_errors[32]; + unsigned long dma_errors[32]; ++ unsigned long dma_dpp_errors[32]; + }; + + /* Number of fields in Safety Stats */ +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h +index a4e8b498dea9..7d7133ef4994 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h +@@ -319,6 +319,8 @@ + #define XGMAC_RXCEIE BIT(4) + #define XGMAC_TXCEIE BIT(0) + #define XGMAC_MTL_ECC_INT_STATUS 0x000010cc ++#define XGMAC_MTL_DPP_CONTROL 0x000010e0 ++#define XGMAC_DDPP_DISABLE BIT(0) + #define XGMAC_MTL_TXQ_OPMODE(x) (0x00001100 + (0x80 * (x))) + #define XGMAC_TQS GENMASK(25, 16) + #define XGMAC_TQS_SHIFT 16 +@@ -401,6 +403,7 @@ + #define XGMAC_DCEIE BIT(1) + #define XGMAC_TCEIE BIT(0) + #define XGMAC_DMA_ECC_INT_STATUS 0x0000306c ++#define XGMAC_DMA_DPP_INT_STATUS 0x00003074 + #define XGMAC_DMA_CH_CONTROL(x) (0x00003100 + (0x80 * (x))) + #define XGMAC_SPH BIT(24) + #define XGMAC_PBLx8 BIT(16) +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +index a74e71db79f9..e7eccc0c406f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +@@ -830,6 +830,43 @@ static const struct 
dwxgmac3_error_desc dwxgmac3_dma_errors[32]= { + { false, "UNKNOWN", "Unknown Error" }, /* 31 */ + }; + ++static const char * const dpp_rx_err = "Read Rx Descriptor Parity checker Error"; ++static const char * const dpp_tx_err = "Read Tx Descriptor Parity checker Error"; ++static const struct dwxgmac3_error_desc dwxgmac3_dma_dpp_errors[32] = { ++ { true, "TDPES0", dpp_tx_err }, ++ { true, "TDPES1", dpp_tx_err }, ++ { true, "TDPES2", dpp_tx_err }, ++ { true, "TDPES3", dpp_tx_err }, ++ { true, "TDPES4", dpp_tx_err }, ++ { true, "TDPES5", dpp_tx_err }, ++ { true, "TDPES6", dpp_tx_err }, ++ { true, "TDPES7", dpp_tx_err }, ++ { true, "TDPES8", dpp_tx_err }, ++ { true, "TDPES9", dpp_tx_err }, ++ { true, "TDPES10", dpp_tx_err }, ++ { true, "TDPES11", dpp_tx_err }, ++ { true, "TDPES12", dpp_tx_err }, ++ { true, "TDPES13", dpp_tx_err }, ++ { true, "TDPES14", dpp_tx_err }, ++ { true, "TDPES15", dpp_tx_err }, ++ { true, "RDPES0", dpp_rx_err }, ++ { true, "RDPES1", dpp_rx_err }, ++ { true, "RDPES2", dpp_rx_err }, ++ { true, "RDPES3", dpp_rx_err }, ++ { true, "RDPES4", dpp_rx_err }, ++ { true, "RDPES5", dpp_rx_err }, ++ { true, "RDPES6", dpp_rx_err }, ++ { true, "RDPES7", dpp_rx_err }, ++ { true, "RDPES8", dpp_rx_err }, ++ { true, "RDPES9", dpp_rx_err }, ++ { true, "RDPES10", dpp_rx_err }, ++ { true, "RDPES11", dpp_rx_err }, ++ { true, "RDPES12", dpp_rx_err }, ++ { true, "RDPES13", dpp_rx_err }, ++ { true, "RDPES14", dpp_rx_err }, ++ { true, "RDPES15", dpp_rx_err }, ++}; ++ + static void dwxgmac3_handle_dma_err(struct net_device *ndev, + void __iomem *ioaddr, bool correctable, + struct stmmac_safety_stats *stats) +@@ -841,6 +878,13 @@ static void dwxgmac3_handle_dma_err(struct net_device *ndev, + + dwxgmac3_log_error(ndev, value, correctable, "DMA", + dwxgmac3_dma_errors, STAT_OFF(dma_errors), stats); ++ ++ value = readl(ioaddr + XGMAC_DMA_DPP_INT_STATUS); ++ writel(value, ioaddr + XGMAC_DMA_DPP_INT_STATUS); ++ ++ dwxgmac3_log_error(ndev, value, false, "DMA_DPP", ++ 
dwxgmac3_dma_dpp_errors, ++ STAT_OFF(dma_dpp_errors), stats); + } + + static int +@@ -881,6 +925,12 @@ dwxgmac3_safety_feat_config(void __iomem *ioaddr, unsigned int asp, + value |= XGMAC_TMOUTEN; /* FSM Timeout Feature */ + writel(value, ioaddr + XGMAC_MAC_FSM_CONTROL); + ++ /* 5. Enable Data Path Parity Protection */ ++ value = readl(ioaddr + XGMAC_MTL_DPP_CONTROL); ++ /* already enabled by default, explicit enable it again */ ++ value &= ~XGMAC_DDPP_DISABLE; ++ writel(value, ioaddr + XGMAC_MTL_DPP_CONTROL); ++ + return 0; + } + +@@ -914,7 +964,11 @@ static int dwxgmac3_safety_feat_irq_status(struct net_device *ndev, + ret |= !corr; + } + +- err = dma & (XGMAC_DEUIS | XGMAC_DECIS); ++ /* DMA_DPP_Interrupt_Status is indicated by MCSIS bit in ++ * DMA_Safety_Interrupt_Status, so we handle DMA Data Path ++ * Parity Errors here ++ */ ++ err = dma & (XGMAC_DEUIS | XGMAC_DECIS | XGMAC_MCSIS); + corr = dma & XGMAC_DECIS; + if (err) { + dwxgmac3_handle_dma_err(ndev, ioaddr, corr, stats); +@@ -930,6 +984,7 @@ static const struct dwxgmac3_error { + { dwxgmac3_mac_errors }, + { dwxgmac3_mtl_errors }, + { dwxgmac3_dma_errors }, ++ { dwxgmac3_dma_dpp_errors }, + }; + + static int dwxgmac3_safety_feat_dump(struct stmmac_safety_stats *stats, +-- +2.43.2 + +From ce112c941c2b172afba3e913a90c380647d53975 Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Mon, 29 Jan 2024 13:14:13 +0100 +Subject: [PATCH 024/129] wifi: cfg80211: detect stuck ECSA element in probe + resp +Status: RO +Content-Length: 4674 +Lines: 134 + +[ Upstream commit 177fbbcb4ed6b306c1626a277fac3fb1c495a4c7 ] + +We recently added some validation that we don't try to +connect to an AP that is currently in a channel switch +process, since that might want the channel to be quiet +or we might not be able to connect in time to hear the +switching in a beacon. This was in commit c09c4f31998b +("wifi: mac80211: don't connect to an AP while it's in +a CSA process"). 
+ +However, we promptly got a report that this caused new +connection failures, and it turns out that the AP that +we now cannot connect to is permanently advertising an +extended channel switch announcement, even with quiet. +The AP in question was an Asus RT-AC53, with firmware +3.0.0.4.380_10760-g21a5898. + +As a first step, attempt to detect that we're dealing +with such a situation, so mac80211 can use this later. + +Reported-by: coldolt <andypalmadi@gmail.com> +Closes: https://lore.kernel.org/linux-wireless/CAJvGw+DQhBk_mHXeu6RTOds5iramMW2FbMB01VbKRA4YbHHDTA@mail.gmail.com/ +Fixes: c09c4f31998b ("wifi: mac80211: don't connect to an AP while it's in a CSA process") +Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com> +Link: https://msgid.link/20240129131413.246972c8775e.Ibf834d7f52f9951a353b6872383da710a7358338@changeid +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + include/net/cfg80211.h | 4 +++ + net/wireless/scan.c | 59 +++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 62 insertions(+), 1 deletion(-) + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index 4ecfb06c413d..8f2c48761833 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -2865,6 +2865,8 @@ struct cfg80211_bss_ies { + * own the beacon_ies, but they're just pointers to the ones from the + * @hidden_beacon_bss struct) + * @proberesp_ies: the information elements from the last Probe Response frame ++ * @proberesp_ecsa_stuck: ECSA element is stuck in the Probe Response frame, ++ * cannot rely on it having valid data + * @hidden_beacon_bss: in case this BSS struct represents a probe response from + * a BSS that hides the SSID in its beacon, this points to the BSS struct + * that holds the beacon data. 
@beacon_ies is still valid, of course, and +@@ -2900,6 +2902,8 @@ struct cfg80211_bss { + u8 chains; + s8 chain_signal[IEEE80211_MAX_CHAINS]; + ++ u8 proberesp_ecsa_stuck:1; ++ + u8 bssid_index; + u8 max_bssid_indicator; + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index f819ca3891fc..3f49f5c69916 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1725,6 +1725,61 @@ static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known, + } + } + ++static void cfg80211_check_stuck_ecsa(struct cfg80211_registered_device *rdev, ++ struct cfg80211_internal_bss *known, ++ const struct cfg80211_bss_ies *old) ++{ ++ const struct ieee80211_ext_chansw_ie *ecsa; ++ const struct element *elem_new, *elem_old; ++ const struct cfg80211_bss_ies *new, *bcn; ++ ++ if (known->pub.proberesp_ecsa_stuck) ++ return; ++ ++ new = rcu_dereference_protected(known->pub.proberesp_ies, ++ lockdep_is_held(&rdev->bss_lock)); ++ if (WARN_ON(!new)) ++ return; ++ ++ if (new->tsf - old->tsf < USEC_PER_SEC) ++ return; ++ ++ elem_old = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, ++ old->data, old->len); ++ if (!elem_old) ++ return; ++ ++ elem_new = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, ++ new->data, new->len); ++ if (!elem_new) ++ return; ++ ++ bcn = rcu_dereference_protected(known->pub.beacon_ies, ++ lockdep_is_held(&rdev->bss_lock)); ++ if (bcn && ++ cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, ++ bcn->data, bcn->len)) ++ return; ++ ++ if (elem_new->datalen != elem_old->datalen) ++ return; ++ if (elem_new->datalen < sizeof(struct ieee80211_ext_chansw_ie)) ++ return; ++ if (memcmp(elem_new->data, elem_old->data, elem_new->datalen)) ++ return; ++ ++ ecsa = (void *)elem_new->data; ++ ++ if (!ecsa->mode) ++ return; ++ ++ if (ecsa->new_ch_num != ++ ieee80211_frequency_to_channel(known->pub.channel->center_freq)) ++ return; ++ ++ known->pub.proberesp_ecsa_stuck = 1; ++} ++ + static bool + cfg80211_update_known_bss(struct cfg80211_registered_device 
*rdev, + struct cfg80211_internal_bss *known, +@@ -1744,8 +1799,10 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, + /* Override possible earlier Beacon frame IEs */ + rcu_assign_pointer(known->pub.ies, + new->pub.proberesp_ies); +- if (old) ++ if (old) { ++ cfg80211_check_stuck_ecsa(rdev, known, old); + kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); ++ } + } + + if (rcu_access_pointer(new->pub.beacon_ies)) { +-- +2.43.2 + +From ea88bde8e3fefbe4268f6991375dd629895a090a Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Mon, 29 Jan 2024 13:14:14 +0100 +Subject: [PATCH 025/129] wifi: mac80211: improve CSA/ECSA connection refusal +Status: RO +Content-Length: 6443 +Lines: 179 + +[ Upstream commit 35e2385dbe787936c793d70755a5177d267a40aa ] + +As mentioned in the previous commit, we pretty quickly found +that some APs have ECSA elements stuck in their probe response, +so using that to not attempt to connect while CSA is happening +we never connect to such an AP. + +Improve this situation by checking more carefully and ignoring +the ECSA if cfg80211 has previously detected the ECSA element +being stuck in the probe response. + +Additionally, allow connecting to an AP that's switching to a +channel it's already using, unless it's using quiet mode. In +this case, we may just have to adjust bandwidth later. If it's +actually switching channels, it's better not to try to connect +in the middle of that. 
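Review bot: `proberesp_ecsa_stuck` is set in cfg80211_check_stuck_ecsa but never cleared in this patch, so a BSS stays tagged for the lifetime of its entry even if the AP later stops advertising the element; the early return at the top makes that deliberate, but it belongs in the kerneldoc for the field, e.g. `sticky: set once the element is seen byte-identical in two probe responses more than a second apart, cleared only when the BSS entry is dropped`. The check `ecsa->new_ch_num != ieee80211_frequency_to_channel(...)` compares channel numbers only; if the element also carries an operating class (not examined here), a same-numbered channel in another band would be treated as "no switch", which is worth a comment or a stricter comparison. `new->tsf - old->tsf` is an unsigned difference of AP-supplied values, so a TSF that goes backwards produces a huge delta and passes the one-second gate rather than returning; a one-line comment that this is intended would help the next reader.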
+ +Reported-by: coldolt <andypalmadi@gmail.com> +Closes: https://lore.kernel.org/linux-wireless/CAJvGw+DQhBk_mHXeu6RTOds5iramMW2FbMB01VbKRA4YbHHDTA@mail.gmail.com/ +Fixes: c09c4f31998b ("wifi: mac80211: don't connect to an AP while it's in a CSA process") +Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com> +Link: https://msgid.link/20240129131413.cc2d0a26226e.I682c016af76e35b6c47007db50e8554c5a426910@changeid +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/mac80211/mlme.c | 103 ++++++++++++++++++++++++++++++++------------ + 1 file changed, 76 insertions(+), 27 deletions(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index dcdaab19efbd..bbe36d87ac59 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -7288,6 +7288,75 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata, + return err; + } + ++static bool ieee80211_mgd_csa_present(struct ieee80211_sub_if_data *sdata, ++ const struct cfg80211_bss_ies *ies, ++ u8 cur_channel, bool ignore_ecsa) ++{ ++ const struct element *csa_elem, *ecsa_elem; ++ struct ieee80211_channel_sw_ie *csa = NULL; ++ struct ieee80211_ext_chansw_ie *ecsa = NULL; ++ ++ if (!ies) ++ return false; ++ ++ csa_elem = cfg80211_find_elem(WLAN_EID_CHANNEL_SWITCH, ++ ies->data, ies->len); ++ if (csa_elem && csa_elem->datalen == sizeof(*csa)) ++ csa = (void *)csa_elem->data; ++ ++ ecsa_elem = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, ++ ies->data, ies->len); ++ if (ecsa_elem && ecsa_elem->datalen == sizeof(*ecsa)) ++ ecsa = (void *)ecsa_elem->data; ++ ++ if (csa && csa->count == 0) ++ csa = NULL; ++ if (csa && !csa->mode && csa->new_ch_num == cur_channel) ++ csa = NULL; ++ ++ if (ecsa && ecsa->count == 0) ++ ecsa = NULL; ++ if (ecsa && !ecsa->mode && ecsa->new_ch_num == cur_channel) ++ ecsa = NULL; ++ ++ if (ignore_ecsa && ecsa) { ++ sdata_info(sdata, ++ "Ignoring ECSA in probe response - was considered 
stuck!\n"); ++ return csa; ++ } ++ ++ return csa || ecsa; ++} ++ ++static bool ieee80211_mgd_csa_in_process(struct ieee80211_sub_if_data *sdata, ++ struct cfg80211_bss *bss) ++{ ++ u8 cur_channel; ++ bool ret; ++ ++ cur_channel = ieee80211_frequency_to_channel(bss->channel->center_freq); ++ ++ rcu_read_lock(); ++ if (ieee80211_mgd_csa_present(sdata, ++ rcu_dereference(bss->beacon_ies), ++ cur_channel, false)) { ++ ret = true; ++ goto out; ++ } ++ ++ if (ieee80211_mgd_csa_present(sdata, ++ rcu_dereference(bss->proberesp_ies), ++ cur_channel, bss->proberesp_ecsa_stuck)) { ++ ret = true; ++ goto out; ++ } ++ ++ ret = false; ++out: ++ rcu_read_unlock(); ++ return ret; ++} ++ + /* config hooks */ + int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, + struct cfg80211_auth_request *req) +@@ -7296,7 +7365,6 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + struct ieee80211_mgd_auth_data *auth_data; + struct ieee80211_link_data *link; +- const struct element *csa_elem, *ecsa_elem; + u16 auth_alg; + int err; + bool cont_auth; +@@ -7339,21 +7407,10 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, + if (ifmgd->assoc_data) + return -EBUSY; + +- rcu_read_lock(); +- csa_elem = ieee80211_bss_get_elem(req->bss, WLAN_EID_CHANNEL_SWITCH); +- ecsa_elem = ieee80211_bss_get_elem(req->bss, +- WLAN_EID_EXT_CHANSWITCH_ANN); +- if ((csa_elem && +- csa_elem->datalen == sizeof(struct ieee80211_channel_sw_ie) && +- ((struct ieee80211_channel_sw_ie *)csa_elem->data)->count != 0) || +- (ecsa_elem && +- ecsa_elem->datalen == sizeof(struct ieee80211_ext_chansw_ie) && +- ((struct ieee80211_ext_chansw_ie *)ecsa_elem->data)->count != 0)) { +- rcu_read_unlock(); ++ if (ieee80211_mgd_csa_in_process(sdata, req->bss)) { + sdata_info(sdata, "AP is in CSA process, reject auth\n"); + return -EINVAL; + } +- rcu_read_unlock(); + + auth_data = kzalloc(sizeof(*auth_data) + req->auth_data_len + + req->ie_len, GFP_KERNEL); 
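Review bot: ieee80211_mgd_csa_present treats a CSA/ECSA as a no-op when `new_ch_num == cur_channel` and mode is zero, but the comparison is by channel number only; the ECSA element also carries an operating class that is not consulted here (the field is not visible in the hunk), so a switch to the same channel number in a different band or width would not be refused. If that is accepted because, as the commit message says, bandwidth is adjusted after connecting, a comment on those two lines would record it, e.g. `/* same channel number, not quieting: treat as a width-only change, handled after connect */`. The `sdata_info` in the ignore_ecsa path fires on every auth and assoc attempt against such an AP; guarding it with `if (net_ratelimit())` keeps a misbehaving AP from filling the log.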
+@@ -7662,7 +7719,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata, + struct ieee80211_local *local = sdata->local; + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + struct ieee80211_mgd_assoc_data *assoc_data; +- const struct element *ssid_elem, *csa_elem, *ecsa_elem; ++ const struct element *ssid_elem; + struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg; + ieee80211_conn_flags_t conn_flags = 0; + struct ieee80211_link_data *link; +@@ -7685,23 +7742,15 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata, + + cbss = req->link_id < 0 ? req->bss : req->links[req->link_id].bss; + +- rcu_read_lock(); +- ssid_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_SSID); +- if (!ssid_elem || ssid_elem->datalen > sizeof(assoc_data->ssid)) { +- rcu_read_unlock(); ++ if (ieee80211_mgd_csa_in_process(sdata, cbss)) { ++ sdata_info(sdata, "AP is in CSA process, reject assoc\n"); + kfree(assoc_data); + return -EINVAL; + } + +- csa_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_CHANNEL_SWITCH); +- ecsa_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_EXT_CHANSWITCH_ANN); +- if ((csa_elem && +- csa_elem->datalen == sizeof(struct ieee80211_channel_sw_ie) && +- ((struct ieee80211_channel_sw_ie *)csa_elem->data)->count != 0) || +- (ecsa_elem && +- ecsa_elem->datalen == sizeof(struct ieee80211_ext_chansw_ie) && +- ((struct ieee80211_ext_chansw_ie *)ecsa_elem->data)->count != 0)) { +- sdata_info(sdata, "AP is in CSA process, reject assoc\n"); ++ rcu_read_lock(); ++ ssid_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_SSID); ++ if (!ssid_elem || ssid_elem->datalen > sizeof(assoc_data->ssid)) { + rcu_read_unlock(); + kfree(assoc_data); + return -EINVAL; +-- +2.43.2 + +From d91964cdada76740811b7c621239f9c407820dbc Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Thu, 1 Feb 2024 17:53:24 +0000 +Subject: [PATCH 031/129] netdevsim: avoid potential loop in + nsim_dev_trap_report_work() +Status: RO +Content-Length: 4593 +Lines: 95 + +[ Upstream commit 
ba5e1272142d051dcc57ca1d3225ad8a089f9858 ] + +Many syzbot reports include the following trace [1] + +If nsim_dev_trap_report_work() can not grab the mutex, +it should rearm itself at least one jiffie later. + +[1] +Sending NMI from CPU 1 to CPUs 0: +NMI backtrace for cpu 0 +CPU: 0 PID: 32383 Comm: kworker/0:2 Not tainted 6.8.0-rc2-syzkaller-00031-g861c0981648f #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 +Workqueue: events nsim_dev_trap_report_work + RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:89 [inline] + RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline] + RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline] + RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline] + RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline] + RIP: 0010:kasan_check_range+0x101/0x190 mm/kasan/generic.c:189 +Code: 07 49 39 d1 75 0a 45 3a 11 b8 01 00 00 00 7c 0b 44 89 c2 e8 21 ed ff ff 83 f0 01 5b 5d 41 5c c3 48 85 d2 74 4f 48 01 ea eb 09 <48> 83 c0 01 48 39 d0 74 41 80 38 00 74 f2 eb b6 41 bc 08 00 00 00 +RSP: 0018:ffffc90012dcf998 EFLAGS: 00000046 +RAX: fffffbfff258af1e RBX: fffffbfff258af1f RCX: ffffffff8168eda3 +RDX: fffffbfff258af1f RSI: 0000000000000004 RDI: ffffffff92c578f0 +RBP: fffffbfff258af1e R08: 0000000000000000 R09: fffffbfff258af1e +R10: ffffffff92c578f3 R11: ffffffff8acbcbc0 R12: 0000000000000002 +R13: ffff88806db38400 R14: 1ffff920025b9f42 R15: ffffffff92c578e8 +FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000c00994e078 CR3: 000000002c250000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + <NMI> + </NMI> + <TASK> + instrument_atomic_read include/linux/instrumented.h:68 [inline] + atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] + queued_spin_is_locked 
include/asm-generic/qspinlock.h:57 [inline] + debug_spin_unlock kernel/locking/spinlock_debug.c:101 [inline] + do_raw_spin_unlock+0x53/0x230 kernel/locking/spinlock_debug.c:141 + __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:150 [inline] + _raw_spin_unlock_irqrestore+0x22/0x70 kernel/locking/spinlock.c:194 + debug_object_activate+0x349/0x540 lib/debugobjects.c:726 + debug_work_activate kernel/workqueue.c:578 [inline] + insert_work+0x30/0x230 kernel/workqueue.c:1650 + __queue_work+0x62e/0x11d0 kernel/workqueue.c:1802 + __queue_delayed_work+0x1bf/0x270 kernel/workqueue.c:1953 + queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1989 + queue_delayed_work include/linux/workqueue.h:563 [inline] + schedule_delayed_work include/linux/workqueue.h:677 [inline] + nsim_dev_trap_report_work+0x9c0/0xc80 drivers/net/netdevsim/dev.c:842 + process_one_work+0x886/0x15d0 kernel/workqueue.c:2633 + process_scheduled_works kernel/workqueue.c:2706 [inline] + worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787 + kthread+0x2c6/0x3a0 kernel/kthread.c:388 + ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 + </TASK> + +Fixes: 012ec02ae441 ("netdevsim: convert driver to use unlocked devlink API during init/fini") +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reviewed-by: Jiri Pirko <jiri@nvidia.com> +Link: https://lore.kernel.org/r/20240201175324.3752746-1-edumazet@google.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/net/netdevsim/dev.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c +index b4d3b9cde8bd..92a7a36b93ac 100644 +--- a/drivers/net/netdevsim/dev.c ++++ b/drivers/net/netdevsim/dev.c +@@ -835,14 +835,14 @@ static void nsim_dev_trap_report_work(struct work_struct *work) + trap_report_dw.work); 
+ nsim_dev = nsim_trap_data->nsim_dev; + +- /* For each running port and enabled packet trap, generate a UDP +- * packet with a random 5-tuple and report it. +- */ + if (!devl_trylock(priv_to_devlink(nsim_dev))) { +- schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, 0); ++ schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, 1); + return; + } + ++ /* For each running port and enabled packet trap, generate a UDP ++ * packet with a random 5-tuple and report it. ++ */ + list_for_each_entry(nsim_dev_port, &nsim_dev->port_list, list) { + if (!netif_running(nsim_dev_port->ns->netdev)) + continue; +-- +2.43.2 + +From e42e334c645575be5432adee224975d4f536fdb1 Mon Sep 17 00:00:00 2001 +From: Ivan Vecera <ivecera@redhat.com> +Date: Thu, 1 Feb 2024 10:47:51 +0100 +Subject: [PATCH 032/129] net: atlantic: Fix DMA mapping for PTP hwts ring +Status: RO +Content-Length: 4621 +Lines: 114 + +[ Upstream commit 2e7d3b67630dfd8f178c41fa2217aa00e79a5887 ] + +Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes +for PTP HWTS ring but then generic aq_ring_free() does not take this +into account. +Create and use a specific function to free HWTS ring to fix this +issue. + +Trace: +[ 215.351607] ------------[ cut here ]------------ +[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes] +[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360 +... +[ 215.581176] Call Trace: +[ 215.583632] <TASK> +[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df +[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df +[ 215.594497] ? debug_dma_free_coherent+0x196/0x210 +[ 215.599305] ? check_unmap+0xa6f/0x2360 +[ 215.603147] ? __warn+0xca/0x1d0 +[ 215.606391] ? check_unmap+0xa6f/0x2360 +[ 215.610237] ? report_bug+0x1ef/0x370 +[ 215.613921] ? handle_bug+0x3c/0x70 +[ 215.617423] ? exc_invalid_op+0x14/0x50 +[ 215.621269] ? 
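Review bot: The new `schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, 1)` in nsim_dev_trap_report_work replaces a 0 delay with a bare 1 and nothing at the call site says why; the reasoning in the commit message (re-queueing with delay 0 spins the worker while devlink is held) belongs next to the call, e.g. `/* devlink lock held elsewhere: retry one jiffy later instead of re-queueing immediately and spinning */`. The function continues past the end of this hunk.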
asm_exc_invalid_op+0x16/0x20 +[ 215.625480] ? check_unmap+0xa6f/0x2360 +[ 215.629331] ? mark_lock.part.0+0xca/0xa40 +[ 215.633445] debug_dma_free_coherent+0x196/0x210 +[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10 +[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0 +[ 215.648060] dma_free_attrs+0x6d/0x130 +[ 215.651834] aq_ring_free+0x193/0x290 [atlantic] +[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic] +... +[ 216.127540] ---[ end trace 6467e5964dd2640b ]--- +[ 216.132160] DMA-API: Mapped at: +[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0 +[ 216.132165] dma_alloc_attrs+0xf5/0x1b0 +[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic] +[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic] +[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic] + +Fixes: 94ad94558b0f ("net: aquantia: add PTP rings infrastructure") +Signed-off-by: Ivan Vecera <ivecera@redhat.com> +Reviewed-by: Jiri Pirko <jiri@nvidia.com> +Link: https://lore.kernel.org/r/20240201094752.883026-1-ivecera@redhat.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/net/ethernet/aquantia/atlantic/aq_ptp.c | 4 ++-- + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 +++++++++++++ + drivers/net/ethernet/aquantia/atlantic/aq_ring.h | 1 + + 3 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c b/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c +index abd4832e4ed2..5acb3e16b567 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c +@@ -993,7 +993,7 @@ int aq_ptp_ring_alloc(struct aq_nic_s *aq_nic) + return 0; + + err_exit_hwts_rx: +- aq_ring_free(&aq_ptp->hwts_rx); ++ aq_ring_hwts_rx_free(&aq_ptp->hwts_rx); + err_exit_ptp_rx: + aq_ring_free(&aq_ptp->ptp_rx); + err_exit_ptp_tx: +@@ -1011,7 +1011,7 @@ void aq_ptp_ring_free(struct aq_nic_s *aq_nic) + + aq_ring_free(&aq_ptp->ptp_tx); + 
aq_ring_free(&aq_ptp->ptp_rx); +- aq_ring_free(&aq_ptp->hwts_rx); ++ aq_ring_hwts_rx_free(&aq_ptp->hwts_rx); + + aq_ptp_skb_ring_release(&aq_ptp->skb_ring); + } +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +index cda8597b4e14..f7433abd6591 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -919,6 +919,19 @@ void aq_ring_free(struct aq_ring_s *self) + } + } + ++void aq_ring_hwts_rx_free(struct aq_ring_s *self) ++{ ++ if (!self) ++ return; ++ ++ if (self->dx_ring) { ++ dma_free_coherent(aq_nic_get_dev(self->aq_nic), ++ self->size * self->dx_size + AQ_CFG_RXDS_DEF, ++ self->dx_ring, self->dx_ring_pa); ++ self->dx_ring = NULL; ++ } ++} ++ + unsigned int aq_ring_fill_stats_data(struct aq_ring_s *self, u64 *data) + { + unsigned int count; +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.h b/drivers/net/ethernet/aquantia/atlantic/aq_ring.h +index 52847310740a..d627ace850ff 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.h ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.h +@@ -210,6 +210,7 @@ int aq_ring_rx_fill(struct aq_ring_s *self); + int aq_ring_hwts_rx_alloc(struct aq_ring_s *self, + struct aq_nic_s *aq_nic, unsigned int idx, + unsigned int size, unsigned int dx_size); ++void aq_ring_hwts_rx_free(struct aq_ring_s *self); + void aq_ring_hwts_rx_clean(struct aq_ring_s *self, struct aq_nic_s *aq_nic); + + unsigned int aq_ring_fill_stats_data(struct aq_ring_s *self, u64 *data); +-- +2.43.2 + +From 7dc9feb8b1705cf00de20563b6bc4831f4c99dab Mon Sep 17 00:00:00 2001 +From: Antoine Tenart <atenart@kernel.org> +Date: Thu, 1 Feb 2024 09:38:15 +0100 +Subject: [PATCH 040/129] tunnels: fix out of bounds access when building IPv6 + PMTU error +Status: RO +Content-Length: 1576 +Lines: 46 + +[ Upstream commit d75abeec401f8c86b470e7028a13fcdc87e5dd06 ] + +If the ICMPv6 error is built from a non-linear skb we get the 
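Review bot: aq_ring_hwts_rx_free hard-codes `self->size * self->dx_size + AQ_CFG_RXDS_DEF`, which must match exactly the size aq_ring_hwts_rx_alloc passes to dma_alloc_coherent (outside this hunk); the DMA-API splat quoted in the commit message is what happens when the two drift apart. Either tie them with a comment, `/* must match the size mapped in aq_ring_hwts_rx_alloc() */`, or factor the expression into a small static helper used by both. The new function also only releases dx_ring, so the declaration in aq_ring.h should say it is for rings allocated by aq_ring_hwts_rx_alloc only and not a drop-in for aq_ring_free.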
following +splat, + + BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240 + Read of size 4 at addr ffff88811d402c80 by task netperf/820 + CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543 + ... + kasan_report+0xd8/0x110 + do_csum+0x220/0x240 + csum_partial+0xc/0x20 + skb_tunnel_check_pmtu+0xeb9/0x3280 + vxlan_xmit_one+0x14c2/0x4080 + vxlan_xmit+0xf61/0x5c00 + dev_hard_start_xmit+0xfb/0x510 + __dev_queue_xmit+0x7cd/0x32a0 + br_dev_queue_push_xmit+0x39d/0x6a0 + +Use skb_checksum instead of csum_partial who cannot deal with non-linear +SKBs. + +Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets") +Signed-off-by: Antoine Tenart <atenart@kernel.org> +Reviewed-by: Jiri Pirko <jiri@nvidia.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/ipv4/ip_tunnel_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index 586b1b3e35b8..80ccd6661aa3 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -332,7 +332,7 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu) + }; + skb_reset_network_header(skb); + +- csum = csum_partial(icmp6h, len, 0); ++ csum = skb_checksum(skb, skb_transport_offset(skb), len, 0); + icmp6h->icmp6_cksum = csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr, len, + IPPROTO_ICMPV6, csum); + +-- +2.43.2 + +From 3a7753bda55985dc26fae17795cb10d825453ad1 Mon Sep 17 00:00:00 2001 +From: Zhang Rui <rui.zhang@intel.com> +Date: Fri, 2 Feb 2024 17:21:34 +0800 +Subject: [PATCH 044/129] hwmon: (coretemp) Fix out-of-bounds memory access +Status: RO +Content-Length: 1451 +Lines: 44 + +[ Upstream commit 4e440abc894585a34c2904a32cd54af1742311b3 ] + +Fix a bug that pdata->cpu_map[] is set before out-of-bounds check. +The problem might be triggered on systems with more than 128 cores per +package. 
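Review bot: The replacement `skb_checksum(skb, skb_transport_offset(skb), len, 0)` is only correct if the transport header offset still points at icmp6h when this line runs; the prologue of iptunnel_pmtud_build_icmpv6 that sets the headers up is outside the hunk, so a one-line comment would pin the invariant, e.g. `/* transport header points at icmp6h; sum over the possibly non-linear skb */`. If the IPv4 counterpart computes its ICMP checksum from a linear pointer the same way the old code did, it deserves the same audit.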
+ +Fixes: 7108b80a542b ("hwmon/coretemp: Handle large core ID value") +Signed-off-by: Zhang Rui <rui.zhang@intel.com> +Cc: <stable@vger.kernel.org> +Link: https://lore.kernel.org/r/20240202092144.71180-2-rui.zhang@intel.com +Signed-off-by: Guenter Roeck <linux@roeck-us.net> +Stable-dep-of: fdaf0c8629d4 ("hwmon: (coretemp) Fix bogus core_id to attr name mapping") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/hwmon/coretemp.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index ba82d1e79c13..e78c76919111 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -509,18 +509,14 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu, + if (pkg_flag) { + attr_no = PKG_SYSFS_ATTR_NO; + } else { +- index = ida_alloc(&pdata->ida, GFP_KERNEL); ++ index = ida_alloc_max(&pdata->ida, NUM_REAL_CORES - 1, GFP_KERNEL); + if (index < 0) + return index; ++ + pdata->cpu_map[index] = topology_core_id(cpu); + attr_no = index + BASE_SYSFS_ATTR_NO; + } + +- if (attr_no > MAX_CORE_DATA - 1) { +- err = -ERANGE; +- goto ida_free; +- } +- + tdata = init_temp_data(cpu, pkg_flag); + if (!tdata) { + err = -ENOMEM; +-- +2.43.2 + +From 307fa8a75ab7423fa5c73573ec3d192de5027830 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Fri, 2 Feb 2024 09:54:04 +0000 +Subject: [PATCH 046/129] inet: read sk->sk_family once in inet_recv_error() +Status: RO +Content-Length: 1282 +Lines: 38 + +[ Upstream commit eef00a82c568944f113f2de738156ac591bbd5cd ] + +inet_recv_error() is called without holding the socket lock. + +IPv6 socket could mutate to IPv4 with IPV6_ADDRFORM +socket option and trigger a KCSAN warning. 
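Review bot: Replacing the `attr_no > MAX_CORE_DATA - 1` check with `ida_alloc_max(&pdata->ida, NUM_REAL_CORES - 1, GFP_KERNEL)` bounds the index before `pdata->cpu_map[index]` is written, but it only keeps `attr_no = index + BASE_SYSFS_ATTR_NO` in range if MAX_CORE_DATA is at least NUM_REAL_CORES + BASE_SYSFS_ATTR_NO and cpu_map has NUM_REAL_CORES entries; neither definition is visible in this hunk. A `static_assert(MAX_CORE_DATA >= NUM_REAL_CORES + BASE_SYSFS_ATTR_NO);` next to the defines (or a BUILD_BUG_ON at the top of create_core_data) would make the guarantee the removed check used to provide explicit instead of relying on the constants staying in step. create_core_data's body continues outside the hunk.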
+ +Fixes: f4713a3dfad0 ("net-timestamp: make tcp_recvmsg call ipv6_recv_error for AF_INET6 socks") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Willem de Bruijn <willemb@google.com> +Reviewed-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/ipv4/af_inet.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 1c58bd72e124..e59962f34caa 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -1628,10 +1628,12 @@ EXPORT_SYMBOL(inet_current_timestamp); + + int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + { +- if (sk->sk_family == AF_INET) ++ unsigned int family = READ_ONCE(sk->sk_family); ++ ++ if (family == AF_INET) + return ip_recv_error(sk, msg, len, addr_len); + #if IS_ENABLED(CONFIG_IPV6) +- if (sk->sk_family == AF_INET6) ++ if (family == AF_INET6) + return pingv6_ops.ipv6_recv_error(sk, msg, len, addr_len); + #endif + return -EINVAL; +-- +2.43.2 + +From 4adeeff8c12321cd453412a659c3c0eeb9bb2397 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel <ardb@kernel.org> +Date: Mon, 5 Feb 2024 09:11:07 +0100 +Subject: [PATCH 048/129] x86/efistub: Use 1:1 file:memory mapping for PE/COFF + .compat section +Status: RO +Content-Length: 3711 +Lines: 112 + +[ Upstream commit 1ad55cecf22f05f1c884adf63cc09d3c3e609ebf ] + +The .compat section is a dummy PE section that contains the address of +the 32-bit entrypoint of the 64-bit kernel image if it is bootable from +32-bit firmware (i.e., CONFIG_EFI_MIXED=y) + +This section is only 8 bytes in size and is only referenced from the +loader, and so it is placed at the end of the memory view of the image, +to avoid the need for padding it to 4k, which is required for sections +appearing in the middle of the image. 
+ +Unfortunately, this violates the PE/COFF spec, and even if most EFI +loaders will work correctly (including the Tianocore reference +implementation), PE loaders do exist that reject such images, on the +basis that both the file and memory views of the file contents should be +described by the section headers in a monotonically increasing manner +without leaving any gaps. + +So reorganize the sections to avoid this issue. This results in a slight +padding overhead (< 4k) which can be avoided if desired by disabling +CONFIG_EFI_MIXED (which is only needed in rare cases these days) + +Fixes: 3e3eabe26dc8 ("x86/boot: Increase section and file alignment to 4k/512") +Reported-by: Mike Beaton <mjsbeaton@gmail.com> +Link: https://lkml.kernel.org/r/CAHzAAWQ6srV6LVNdmfbJhOwhBw5ZzxxZZ07aHt9oKkfYAdvuQQ%40mail.gmail.com +Signed-off-by: Ard Biesheuvel <ardb@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + arch/x86/boot/header.S | 14 ++++++-------- + arch/x86/boot/setup.ld | 6 +++--- + 2 files changed, 9 insertions(+), 11 deletions(-) + +diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S +index b2771710ed98..a1bbedd989e4 100644 +--- a/arch/x86/boot/header.S ++++ b/arch/x86/boot/header.S +@@ -106,8 +106,7 @@ extra_header_fields: + .word 0 # MinorSubsystemVersion + .long 0 # Win32VersionValue + +- .long setup_size + ZO__end + pecompat_vsize +- # SizeOfImage ++ .long setup_size + ZO__end # SizeOfImage + + .long salign # SizeOfHeaders + .long 0 # CheckSum +@@ -143,7 +142,7 @@ section_table: + .ascii ".setup" + .byte 0 + .byte 0 +- .long setup_size - salign # VirtualSize ++ .long pecompat_fstart - salign # VirtualSize + .long salign # VirtualAddress + .long pecompat_fstart - salign # SizeOfRawData + .long salign # PointerToRawData +@@ -156,8 +155,8 @@ section_table: + #ifdef CONFIG_EFI_MIXED + .asciz ".compat" + +- .long 8 # VirtualSize +- .long setup_size + ZO__end # VirtualAddress ++ .long pecompat_fsize # VirtualSize ++ .long pecompat_fstart # 
VirtualAddress + .long pecompat_fsize # SizeOfRawData + .long pecompat_fstart # PointerToRawData + +@@ -172,17 +171,16 @@ section_table: + * modes this image supports. + */ + .pushsection ".pecompat", "a", @progbits +- .balign falign +- .set pecompat_vsize, salign ++ .balign salign + .globl pecompat_fstart + pecompat_fstart: + .byte 0x1 # Version + .byte 8 # Size + .word IMAGE_FILE_MACHINE_I386 # PE machine type + .long setup_size + ZO_efi32_pe_entry # Entrypoint ++ .byte 0x0 # Sentinel + .popsection + #else +- .set pecompat_vsize, 0 + .set pecompat_fstart, setup_size + #endif + .ascii ".text" +diff --git a/arch/x86/boot/setup.ld b/arch/x86/boot/setup.ld +index 83bb7efad8ae..3a2d1360abb0 100644 +--- a/arch/x86/boot/setup.ld ++++ b/arch/x86/boot/setup.ld +@@ -24,6 +24,9 @@ SECTIONS + .text : { *(.text .text.*) } + .text32 : { *(.text32) } + ++ .pecompat : { *(.pecompat) } ++ PROVIDE(pecompat_fsize = setup_size - pecompat_fstart); ++ + . = ALIGN(16); + .rodata : { *(.rodata*) } + +@@ -36,9 +39,6 @@ SECTIONS + . = ALIGN(16); + .data : { *(.data*) } + +- .pecompat : { *(.pecompat) } +- PROVIDE(pecompat_fsize = setup_size - pecompat_fstart); +- + .signature : { + setup_sig = .; + LONG(0x5a5aaa55) +-- +2.43.2 + +From edc8201823e93db7d17726c335a725815aa7d551 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Fri, 2 Feb 2024 15:19:13 +0000 +Subject: [PATCH 049/129] rxrpc: Fix generation of serial numbers to skip zero +Status: RO +Content-Length: 5951 +Lines: 161 + +[ Upstream commit f31041417bf7f4a4df8b3bfb52cb31bbe805b934 ] + +In the Rx protocol, every packet generated is marked with a per-connection +monotonically increasing serial number. This number can be referenced in +an ACK packet generated in response to an incoming packet - thereby +allowing the sender to use this for RTT determination, amongst other +things. 
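Review bot: With `.pecompat` moved ahead of `.rodata` in setup.ld while `pecompat_fsize` is still `setup_size - pecompat_fstart`, the `.compat` PE section's VirtualSize and SizeOfRawData now cover not just the 9-byte table but everything from pecompat_fstart to the end of the setup image (.rodata, .data, .signature), and `.setup` shrinks to `pecompat_fstart - salign`; nothing in header.S says this, and the section's Characteristics (outside the hunk) must be appropriate for that wider content. A comment at the `.compat` section-table entry, `# covers the compat table and all remaining setup data up to setup_size, keeping file and memory views contiguous`, and one on `.byte 0x0 # Sentinel` noting that it terminates the table, would record the intent. The section table in header.S and the SECTIONS block in setup.ld both extend beyond these hunks.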
+ +However, if the reference field in the ACK is zero, it doesn't refer to any +incoming packet (it could be a ping to find out if a packet got lost, for +example) - so we shouldn't generate zero serial numbers. + +Fix the generation of serial numbers to retry if it comes up with a zero. + +Furthermore, since the serial numbers are only ever allocated within the +I/O thread this connection is bound to, there's no need for atomics so +remove that too. + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Signed-off-by: David Howells <dhowells@redhat.com> +cc: Marc Dionne <marc.dionne@auristor.com> +cc: "David S. Miller" <davem@davemloft.net> +cc: Eric Dumazet <edumazet@google.com> +cc: Jakub Kicinski <kuba@kernel.org> +cc: Paolo Abeni <pabeni@redhat.com> +cc: linux-afs@lists.infradead.org +cc: netdev@vger.kernel.org +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/rxrpc/ar-internal.h | 16 +++++++++++++++- + net/rxrpc/conn_event.c | 2 +- + net/rxrpc/output.c | 8 ++++---- + net/rxrpc/proc.c | 2 +- + net/rxrpc/rxkad.c | 4 ++-- + 5 files changed, 23 insertions(+), 9 deletions(-) + +diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h +index 5d5b19f20d1e..efbe82926769 100644 +--- a/net/rxrpc/ar-internal.h ++++ b/net/rxrpc/ar-internal.h +@@ -507,7 +507,7 @@ struct rxrpc_connection { + enum rxrpc_call_completion completion; /* Completion condition */ + s32 abort_code; /* Abort code of connection abort */ + int debug_id; /* debug ID for printks */ +- atomic_t serial; /* packet serial number counter */ ++ rxrpc_serial_t tx_serial; /* Outgoing packet serial number counter */ + unsigned int hi_serial; /* highest serial number received */ + u32 service_id; /* Service ID, possibly upgraded */ + u32 security_level; /* Security level selected */ +@@ -819,6 +819,20 @@ static inline bool rxrpc_sending_to_client(const struct rxrpc_txbuf *txb) + + #include 
<trace/events/rxrpc.h> + ++/* ++ * Allocate the next serial number on a connection. 0 must be skipped. ++ */ ++static inline rxrpc_serial_t rxrpc_get_next_serial(struct rxrpc_connection *conn) ++{ ++ rxrpc_serial_t serial; ++ ++ serial = conn->tx_serial; ++ if (serial == 0) ++ serial = 1; ++ conn->tx_serial = serial + 1; ++ return serial; ++} ++ + /* + * af_rxrpc.c + */ +diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c +index 95f4bc206b3d..ec5eae60ab0c 100644 +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -117,7 +117,7 @@ void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn, + iov[2].iov_base = &ack_info; + iov[2].iov_len = sizeof(ack_info); + +- serial = atomic_inc_return(&conn->serial); ++ serial = rxrpc_get_next_serial(conn); + + pkt.whdr.epoch = htonl(conn->proto.epoch); + pkt.whdr.cid = htonl(conn->proto.cid | channel); +diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c +index a0906145e829..4a292f860ae3 100644 +--- a/net/rxrpc/output.c ++++ b/net/rxrpc/output.c +@@ -216,7 +216,7 @@ int rxrpc_send_ack_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb) + iov[0].iov_len = sizeof(txb->wire) + sizeof(txb->ack) + n; + len = iov[0].iov_len; + +- serial = atomic_inc_return(&conn->serial); ++ serial = rxrpc_get_next_serial(conn); + txb->wire.serial = htonl(serial); + trace_rxrpc_tx_ack(call->debug_id, serial, + ntohl(txb->ack.firstPacket), +@@ -302,7 +302,7 @@ int rxrpc_send_abort_packet(struct rxrpc_call *call) + iov[0].iov_base = &pkt; + iov[0].iov_len = sizeof(pkt); + +- serial = atomic_inc_return(&conn->serial); ++ serial = rxrpc_get_next_serial(conn); + pkt.whdr.serial = htonl(serial); + + iov_iter_kvec(&msg.msg_iter, WRITE, iov, 1, sizeof(pkt)); +@@ -334,7 +334,7 @@ int rxrpc_send_data_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb) + _enter("%x,{%d}", txb->seq, txb->len); + + /* Each transmission of a Tx packet needs a new serial number */ +- serial = atomic_inc_return(&conn->serial); ++ serial = 
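Review bot: rxrpc_get_next_serial reads and writes `conn->tx_serial` with no locking, which is only sound under the commit's claim that every caller runs on the connection's I/O thread; that precondition should be in the helper's comment, e.g. `Must only be called from the connection's I/O thread; tx_serial is deliberately not atomic.`, especially since rxkad_issue_challenge and rxkad_send_response later in this patch now rely on it too. Because proc.c reads the counter from another context, the store is better written `conn->tx_serial = serial + 1;` as `WRITE_ONCE(conn->tx_serial, serial + 1);` so the cross-thread access is a marked race rather than an unmarked one for KCSAN.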
rxrpc_get_next_serial(conn); + txb->wire.serial = htonl(serial); + + if (test_bit(RXRPC_CONN_PROBING_FOR_UPGRADE, &conn->flags) && +@@ -558,7 +558,7 @@ void rxrpc_send_conn_abort(struct rxrpc_connection *conn) + + len = iov[0].iov_len + iov[1].iov_len; + +- serial = atomic_inc_return(&conn->serial); ++ serial = rxrpc_get_next_serial(conn); + whdr.serial = htonl(serial); + + iov_iter_kvec(&msg.msg_iter, WRITE, iov, 2, len); +diff --git a/net/rxrpc/proc.c b/net/rxrpc/proc.c +index 682636d3b060..208312c244f6 100644 +--- a/net/rxrpc/proc.c ++++ b/net/rxrpc/proc.c +@@ -181,7 +181,7 @@ static int rxrpc_connection_seq_show(struct seq_file *seq, void *v) + atomic_read(&conn->active), + state, + key_serial(conn->key), +- atomic_read(&conn->serial), ++ conn->tx_serial, + conn->hi_serial, + conn->channels[0].call_id, + conn->channels[1].call_id, +diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c +index b52dedcebce0..6b32d61d4cdc 100644 +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -664,7 +664,7 @@ static int rxkad_issue_challenge(struct rxrpc_connection *conn) + + len = iov[0].iov_len + iov[1].iov_len; + +- serial = atomic_inc_return(&conn->serial); ++ serial = rxrpc_get_next_serial(conn); + whdr.serial = htonl(serial); + + ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len); +@@ -721,7 +721,7 @@ static int rxkad_send_response(struct rxrpc_connection *conn, + + len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; + +- serial = atomic_inc_return(&conn->serial); ++ serial = rxrpc_get_next_serial(conn); + whdr.serial = htonl(serial); + + rxrpc_local_dont_fragment(conn->local, false); +-- +2.43.2 + +From 63719f490e6a89896e9a463d2b45e8203eab23ae Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Fri, 2 Feb 2024 15:19:14 +0000 +Subject: [PATCH 050/129] rxrpc: Fix delayed ACKs to not set the reference + serial number +Status: RO +Content-Length: 2617 +Lines: 66 + +[ Upstream commit e7870cf13d20f56bfc19f9c3e89707c69cf104ef ] + +Fix the 
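Review bot: The /proc path in the net/rxrpc/proc.c hunk now reads `conn->tx_serial` with a plain load while the connection's I/O thread may be doing the non-atomic read-modify-write in `rxrpc_get_next_serial()`; a `READ_ONCE(conn->tx_serial)` there would document the single-writer/other-reader pattern and avoid a KCSAN report, though the adjacent `hi_serial` read looks plain as well, so this may just be following existing style. The same concurrency contract is missing from the helper itself in the net/rxrpc/ar-internal.h hunk: its comment states the zero-skip rule but not that correctness depends on every caller running on the I/O thread the connection is bound to, which is the only reason dropping `atomic_t` is safe. Suggest extending that comment to `/* Allocate the next serial number on a connection. 0 must be skipped. Called only from the I/O thread that owns conn, so no atomics are needed. */`.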
construction of delayed ACKs to not set the reference serial number +as they can't be used as an RTT reference. + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Signed-off-by: David Howells <dhowells@redhat.com> +cc: Marc Dionne <marc.dionne@auristor.com> +cc: "David S. Miller" <davem@davemloft.net> +cc: Eric Dumazet <edumazet@google.com> +cc: Jakub Kicinski <kuba@kernel.org> +cc: Paolo Abeni <pabeni@redhat.com> +cc: linux-afs@lists.infradead.org +cc: netdev@vger.kernel.org +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/rxrpc/ar-internal.h | 1 - + net/rxrpc/call_event.c | 6 +----- + 2 files changed, 1 insertion(+), 6 deletions(-) + +diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h +index efbe82926769..041add7654b2 100644 +--- a/net/rxrpc/ar-internal.h ++++ b/net/rxrpc/ar-internal.h +@@ -693,7 +693,6 @@ struct rxrpc_call { + /* Receive-phase ACK management (ACKs we send). 
*/ + u8 ackr_reason; /* reason to ACK */ + u16 ackr_sack_base; /* Starting slot in SACK table ring */ +- rxrpc_serial_t ackr_serial; /* serial of packet being ACK'd */ + rxrpc_seq_t ackr_window; /* Base of SACK window */ + rxrpc_seq_t ackr_wtop; /* Base of SACK window */ + unsigned int ackr_nr_unacked; /* Number of unacked packets */ +diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c +index e363f21a2014..c61efe08695d 100644 +--- a/net/rxrpc/call_event.c ++++ b/net/rxrpc/call_event.c +@@ -43,8 +43,6 @@ void rxrpc_propose_delay_ACK(struct rxrpc_call *call, rxrpc_serial_t serial, + unsigned long expiry = rxrpc_soft_ack_delay; + unsigned long now = jiffies, ack_at; + +- call->ackr_serial = serial; +- + if (rxrpc_soft_ack_delay < expiry) + expiry = rxrpc_soft_ack_delay; + if (call->peer->srtt_us != 0) +@@ -373,7 +371,6 @@ static void rxrpc_send_initial_ping(struct rxrpc_call *call) + bool rxrpc_input_call_event(struct rxrpc_call *call, struct sk_buff *skb) + { + unsigned long now, next, t; +- rxrpc_serial_t ackr_serial; + bool resend = false, expired = false; + s32 abort_code; + +@@ -423,8 +420,7 @@ bool rxrpc_input_call_event(struct rxrpc_call *call, struct sk_buff *skb) + if (time_after_eq(now, t)) { + trace_rxrpc_timer(call, rxrpc_timer_exp_ack, now); + cmpxchg(&call->delay_ack_at, t, now + MAX_JIFFY_OFFSET); +- ackr_serial = xchg(&call->ackr_serial, 0); +- rxrpc_send_ACK(call, RXRPC_ACK_DELAY, ackr_serial, ++ rxrpc_send_ACK(call, RXRPC_ACK_DELAY, 0, + rxrpc_propose_ack_ping_for_lost_ack); + } + +-- +2.43.2 + +From 0cd331dfd6023640c9669d0592bc0fd491205f87 Mon Sep 17 00:00:00 2001 +From: Shigeru Yoshida <syoshida@redhat.com> +Date: Thu, 1 Feb 2024 00:23:09 +0900 +Subject: [PATCH 054/129] tipc: Check the bearer type before calling + tipc_udp_nl_bearer_add() +Status: RO +Content-Length: 2975 +Lines: 72 + +[ Upstream commit 3871aa01e1a779d866fa9dfdd5a836f342f4eb87 ] + +syzbot reported the following general protection fault [1]: + +general protection fault, 
probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087] +... +RIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291 +... +Call Trace: + <TASK> + tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646 + tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089 + genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972 + genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline] + genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067 + netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 + netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] + netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367 + netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0xd5/0x180 net/socket.c:745 + ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584 + ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638 + __sys_sendmsg+0x117/0x1e0 net/socket.c:2667 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +The cause of this issue is that when tipc_nl_bearer_add() is called with +the TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called +even if the bearer is not UDP. + +tipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that +the media_ptr field of the tipc_bearer has an udp_bearer type object, so +the function goes crazy for non-UDP bearers. + +This patch fixes the issue by checking the bearer type before calling +tipc_udp_nl_bearer_add() in tipc_nl_bearer_add(). 
+ +Fixes: ef20cd4dd163 ("tipc: introduce UDP replicast") +Reported-and-tested-by: syzbot+5142b87a9abc510e14fa@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5142b87a9abc510e14fa [1] +Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> +Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au> +Link: https://lore.kernel.org/r/20240131152310.4089541-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni <pabeni@redhat.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/tipc/bearer.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index 2cde375477e3..878415c43527 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -1086,6 +1086,12 @@ int tipc_nl_bearer_add(struct sk_buff *skb, struct genl_info *info) + + #ifdef CONFIG_TIPC_MEDIA_UDP + if (attrs[TIPC_NLA_BEARER_UDP_OPTS]) { ++ if (b->media->type_id != TIPC_MEDIA_TYPE_UDP) { ++ rtnl_unlock(); ++ NL_SET_ERR_MSG(info->extack, "UDP option is unsupported"); ++ return -EINVAL; ++ } ++ + err = tipc_udp_nl_bearer_add(b, + attrs[TIPC_NLA_BEARER_UDP_OPTS]); + if (err) { +-- +2.43.2 + +From 82ae47c5c3a6b27fdc0f9e83c1499cb439c56140 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima <kuniyu@amazon.com> +Date: Sat, 3 Feb 2024 10:31:49 -0800 +Subject: [PATCH 055/129] af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb + in GC. +Status: RO +Content-Length: 4551 +Lines: 104 + +[ Upstream commit 1279f9d9dec2d7462823a18c29ad61359e0a007d ] + +syzbot reported a warning [0] in __unix_gc() with a repro, which +creates a socketpair and sends one socket's fd to itself using the +peer. 
+ + socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0 + sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}], + msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, + cmsg_type=SCM_RIGHTS, cmsg_data=[3]}], + msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1 + +This forms a self-cyclic reference that GC should finally untangle +but does not due to lack of MSG_OOB handling, resulting in memory +leak. + +Recently, commit 11498715f266 ("af_unix: Remove io_uring code for +GC.") removed io_uring's dead code in GC and revealed the problem. + +The code was executed at the final stage of GC and unconditionally +moved all GC candidates from gc_candidates to gc_inflight_list. +That papered over the reported problem by always making the following +WARN_ON_ONCE(!list_empty(&gc_candidates)) false. + +The problem has been there since commit 2aab4b969002 ("af_unix: fix +struct pid leaks in OOB support") added full scm support for MSG_OOB +while fixing another bug. + +To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb +if the socket still exists in gc_candidates after purging collected skb. + +Then, we need to set NULL to oob_skb before calling kfree_skb() because +it calls last fput() and triggers unix_release_sock(), where we call +duplicate kfree_skb(u->oob_skb) if not NULL. + +Note that the leaked socket remained being linked to a global list, so +kmemleak also could not detect it. We need to check /proc/net/protocol +to notice the unfreed socket. 
+ +[0]: +WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345 +Modules linked in: +CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 +Workqueue: events_unbound __unix_gc +RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345 +Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8 +RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e +RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30 +RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66 +R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000 +R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001 +FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + <TASK> + process_one_work+0x889/0x15e0 kernel/workqueue.c:2633 + process_scheduled_works kernel/workqueue.c:2706 [inline] + worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787 + kthread+0x2c6/0x3b0 kernel/kthread.c:388 + ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242 + </TASK> + +Reported-by: syzbot+fa3ef895554bdbfd1183@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=fa3ef895554bdbfd1183 +Fixes: 2aab4b969002 ("af_unix: fix struct pid leaks in OOB support") +Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> +Reviewed-by: Eric Dumazet <edumazet@google.com> +Link: 
https://lore.kernel.org/r/20240203183149.63573-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/unix/garbage.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index 2405f0f9af31..8f63f0b4bf01 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -314,6 +314,17 @@ void unix_gc(void) + /* Here we are. Hitlist is filled. Die. */ + __skb_queue_purge(&hitlist); + ++#if IS_ENABLED(CONFIG_AF_UNIX_OOB) ++ list_for_each_entry_safe(u, next, &gc_candidates, link) { ++ struct sk_buff *skb = u->oob_skb; ++ ++ if (skb) { ++ u->oob_skb = NULL; ++ kfree_skb(skb); ++ } ++ } ++#endif ++ + spin_lock(&unix_gc_lock); + + /* There could be io_uring registered files, just push them back to +-- +2.43.2 + +From 210d938f963dddc543b07e66a79b7d8d4bd00bd8 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Mon, 5 Feb 2024 17:10:04 +0000 +Subject: [PATCH 057/129] ppp_async: limit MRU to 64K +Status: RO +Content-Length: 3634 +Lines: 83 + +[ Upstream commit cb88cb53badb8aeb3955ad6ce80b07b598e310b8 ] + +syzbot triggered a warning [1] in __alloc_pages(): + +WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp) + +Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K") + +Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU) + +[1]: + + WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 +Modules linked in: +CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 +Workqueue: events_unbound flush_to_ldisc +pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 + lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537 +sp : ffff800093967580 +x29: ffff800093967660 x28: ffff8000939675a0 x27: 
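Review bot: The new loop in `unix_gc()` clears `u->oob_skb` before calling `kfree_skb()` without saying why, even though the ordering is deliberate per the commit message: `kfree_skb()` can drop the last fput() reference and re-enter `unix_release_sock()`, which would free `oob_skb` a second time if it were still set. Suggest `/* Clear first: kfree_skb() may trigger unix_release_sock(), which would otherwise free oob_skb again. */` above `u->oob_skb = NULL;`. The loop also walks `gc_candidates` before `spin_lock(&unix_gc_lock)` is re-taken and touches `oob_skb` with no per-socket lock; if that is safe because candidate sockets are no longer reachable from user space at this point, a one-line note stating so would help, since the reasoning is not visible in the hunk.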
dfff800000000000 +x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0 +x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8 +x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120 +x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005 +x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000 +x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001 +x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f +x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020 +x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0 +Call trace: + __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 + __alloc_pages_node include/linux/gfp.h:238 [inline] + alloc_pages_node include/linux/gfp.h:261 [inline] + __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926 + __do_kmalloc_node mm/slub.c:3969 [inline] + __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001 + kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590 + __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651 + __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715 + netdev_alloc_skb include/linux/skbuff.h:3235 [inline] + dev_alloc_skb include/linux/skbuff.h:3248 [inline] + ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline] + ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341 + tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390 + tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37 + receive_buf drivers/tty/tty_buffer.c:444 [inline] + flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494 + process_one_work+0x694/0x1204 kernel/workqueue.c:2633 + process_scheduled_works kernel/workqueue.c:2706 [inline] + worker_thread+0x938/0xef4 kernel/workqueue.c:2787 + kthread+0x288/0x310 kernel/kthread.c:388 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+c5da1f087c9e4ec6c933@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet 
<edumazet@google.com> +Reviewed-by: Willem de Bruijn <willemb@google.com> +Link: https://lore.kernel.org/r/20240205171004.1059724-1-edumazet@google.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/net/ppp/ppp_async.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c +index fbaaa8c102a1..e94a4b08fd63 100644 +--- a/drivers/net/ppp/ppp_async.c ++++ b/drivers/net/ppp/ppp_async.c +@@ -460,6 +460,10 @@ ppp_async_ioctl(struct ppp_channel *chan, unsigned int cmd, unsigned long arg) + case PPPIOCSMRU: + if (get_user(val, p)) + break; ++ if (val > U16_MAX) { ++ err = -EINVAL; ++ break; ++ } + if (val < PPP_MRU) + val = PPP_MRU; + ap->mru = val; +-- +2.43.2 + +From 686820fe141ea0220fc6fdfc7e5694f915cf64b2 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@linaro.org> +Date: Tue, 17 Oct 2023 17:04:39 +0300 +Subject: [PATCH 072/129] fs/ntfs3: Fix an NULL dereference bug +Status: RO +Content-Length: 1214 +Lines: 32 + +[ Upstream commit b2dd7b953c25ffd5912dda17e980e7168bebcf6c ] + +The issue here is when this is called from ntfs_load_attr_list(). The +"size" comes from le32_to_cpu(attr->res.data_size) so it can't overflow +on a 64bit systems but on 32bit systems the "+ 1023" can overflow and +the result is zero. This means that the kmalloc will succeed by +returning the ZERO_SIZE_PTR and then the memcpy() will crash with an +Oops on the next line. 
+ +Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations") +Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> +Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + fs/ntfs3/ntfs_fs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h +index f6706143d14b..a46d30b84bf3 100644 +--- a/fs/ntfs3/ntfs_fs.h ++++ b/fs/ntfs3/ntfs_fs.h +@@ -473,7 +473,7 @@ bool al_delete_le(struct ntfs_inode *ni, enum ATTR_TYPE type, CLST vcn, + int al_update(struct ntfs_inode *ni, int sync); + static inline size_t al_aligned(size_t size) + { +- return (size + 1023) & ~(size_t)1023; ++ return size_add(size, 1023) & ~(size_t)1023; + } + + /* Globals from bitfunc.c */ +-- +2.43.2 + +From bd9442e553ab8bf74b8be3b3c0a43bf4af4dc9b8 Mon Sep 17 00:00:00 2001 +From: Xiubo Li <xiubli@redhat.com> +Date: Thu, 14 Dec 2023 16:01:03 +0800 +Subject: [PATCH 080/129] libceph: just wait for more data to be available on + the socket +Status: RO +Content-Length: 5624 +Lines: 166 + +[ Upstream commit 8e46a2d068c92a905d01cbb018b00d66991585ab ] + +A short read may occur while reading the message footer from the +socket. Later, when the socket is ready for another read, the +messenger invokes all read_partial_*() handlers, including +read_partial_sparse_msg_data(). The expectation is that +read_partial_sparse_msg_data() would bail, allowing the messenger to +invoke read_partial() for the footer and pick up where it left off. + +However read_partial_sparse_msg_data() violates that and ends up +calling into the state machine in the OSD client. The sparse-read +state machine assumes that it's a new op and interprets some piece of +the footer as the sparse-read header and returns bogus extents/data +length, etc. + +To determine whether read_partial_sparse_msg_data() should bail, let's +reuse cursor->total_resid. 
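Review bot: `al_aligned()` still carries no comment, and the switch to `size_add()` changes its contract in a way callers should know: on overflow it now yields a saturated value near `SIZE_MAX` instead of wrapping to zero, so the following `kmalloc()` fails rather than returning `ZERO_SIZE_PTR`, and callers must keep checking the allocation result. Suggest a header comment such as `/* Round size up to a 1024-byte boundary; saturates on overflow so the following allocation fails instead of returning ZERO_SIZE_PTR. */`. The literal `1023` appears twice in the one-line body; a named constant for the alignment would make the intent easier to read.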
Because once it reaches to zero that means +all the extents and data have been successfully received in last read, +else it could break out when partially reading any of the extents and +data. And then osd_sparse_read() could continue where it left off. + +[ idryomov: changelog ] + +Link: https://tracker.ceph.com/issues/63586 +Fixes: d396f89db39a ("libceph: add sparse read support to msgr1") +Signed-off-by: Xiubo Li <xiubli@redhat.com> +Reviewed-by: Jeff Layton <jlayton@kernel.org> +Signed-off-by: Ilya Dryomov <idryomov@gmail.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + include/linux/ceph/messenger.h | 2 +- + net/ceph/messenger_v1.c | 25 +++++++++++++------------ + net/ceph/messenger_v2.c | 4 ++-- + net/ceph/osd_client.c | 9 +++------ + 4 files changed, 19 insertions(+), 21 deletions(-) + +diff --git a/include/linux/ceph/messenger.h b/include/linux/ceph/messenger.h +index 2eaaabbe98cb..1717cc57cdac 100644 +--- a/include/linux/ceph/messenger.h ++++ b/include/linux/ceph/messenger.h +@@ -283,7 +283,7 @@ struct ceph_msg { + struct kref kref; + bool more_to_follow; + bool needs_out_seq; +- bool sparse_read; ++ u64 sparse_read_total; + int front_alloc_len; + + struct ceph_msgpool *pool; +diff --git a/net/ceph/messenger_v1.c b/net/ceph/messenger_v1.c +index 4cb60bacf5f5..0cb61c76b9b8 100644 +--- a/net/ceph/messenger_v1.c ++++ b/net/ceph/messenger_v1.c +@@ -160,8 +160,9 @@ static size_t sizeof_footer(struct ceph_connection *con) + static void prepare_message_data(struct ceph_msg *msg, u32 data_len) + { + /* Initialize data cursor if it's not a sparse read */ +- if (!msg->sparse_read) +- ceph_msg_data_cursor_init(&msg->cursor, msg, data_len); ++ u64 len = msg->sparse_read_total ? 
: data_len; ++ ++ ceph_msg_data_cursor_init(&msg->cursor, msg, len); + } + + /* +@@ -1036,7 +1037,7 @@ static int read_partial_sparse_msg_data(struct ceph_connection *con) + if (do_datacrc) + crc = con->in_data_crc; + +- do { ++ while (cursor->total_resid) { + if (con->v1.in_sr_kvec.iov_base) + ret = read_partial_message_chunk(con, + &con->v1.in_sr_kvec, +@@ -1044,23 +1045,23 @@ static int read_partial_sparse_msg_data(struct ceph_connection *con) + &crc); + else if (cursor->sr_resid > 0) + ret = read_partial_sparse_msg_extent(con, &crc); +- +- if (ret <= 0) { +- if (do_datacrc) +- con->in_data_crc = crc; +- return ret; +- } ++ if (ret <= 0) ++ break; + + memset(&con->v1.in_sr_kvec, 0, sizeof(con->v1.in_sr_kvec)); + ret = con->ops->sparse_read(con, cursor, + (char **)&con->v1.in_sr_kvec.iov_base); ++ if (ret <= 0) { ++ ret = ret ? ret : 1; /* must return > 0 to indicate success */ ++ break; ++ } + con->v1.in_sr_len = ret; +- } while (ret > 0); ++ } + + if (do_datacrc) + con->in_data_crc = crc; + +- return ret < 0 ? 
ret : 1; /* must return > 0 to indicate success */ ++ return ret; + } + + static int read_partial_msg_data(struct ceph_connection *con) +@@ -1253,7 +1254,7 @@ static int read_partial_message(struct ceph_connection *con) + if (!m->num_data_items) + return -EIO; + +- if (m->sparse_read) ++ if (m->sparse_read_total) + ret = read_partial_sparse_msg_data(con); + else if (ceph_test_opt(from_msgr(con->msgr), RXBOUNCE)) + ret = read_partial_msg_data_bounce(con); +diff --git a/net/ceph/messenger_v2.c b/net/ceph/messenger_v2.c +index f8ec60e1aba3..a0ca5414b333 100644 +--- a/net/ceph/messenger_v2.c ++++ b/net/ceph/messenger_v2.c +@@ -1128,7 +1128,7 @@ static int decrypt_tail(struct ceph_connection *con) + struct sg_table enc_sgt = {}; + struct sg_table sgt = {}; + struct page **pages = NULL; +- bool sparse = con->in_msg->sparse_read; ++ bool sparse = !!con->in_msg->sparse_read_total; + int dpos = 0; + int tail_len; + int ret; +@@ -2060,7 +2060,7 @@ static int prepare_read_tail_plain(struct ceph_connection *con) + } + + if (data_len(msg)) { +- if (msg->sparse_read) ++ if (msg->sparse_read_total) + con->v2.in_state = IN_S_PREPARE_SPARSE_DATA; + else + con->v2.in_state = IN_S_PREPARE_READ_DATA; +diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c +index d3a759e052c8..8d9760397b88 100644 +--- a/net/ceph/osd_client.c ++++ b/net/ceph/osd_client.c +@@ -5510,7 +5510,7 @@ static struct ceph_msg *get_reply(struct ceph_connection *con, + } + + m = ceph_msg_get(req->r_reply); +- m->sparse_read = (bool)srlen; ++ m->sparse_read_total = srlen; + + dout("get_reply tid %lld %p\n", tid, m); + +@@ -5777,11 +5777,8 @@ static int prep_next_sparse_read(struct ceph_connection *con, + } + + if (o->o_sparse_op_idx < 0) { +- u64 srlen = sparse_data_requested(req); +- +- dout("%s: [%d] starting new sparse read req. 
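Review bot: With the `do { } while (ret > 0)` loop turned into `while (cursor->total_resid)` and the final `return ret < 0 ? ret : 1;` replaced by `return ret;`, the function now returns `ret` untouched when `total_resid` is already zero on entry, so the success of that early-bail path depends entirely on how `ret` is initialised at the top of `read_partial_sparse_msg_data()`, which lies outside this hunk. The `ret = ret ? ret : 1; /* must return > 0 to indicate success */` line inside the loop shows the caller treats only positive values as success, so the initialiser must be positive; if it were `0`, the early bail could be read as "need more data" rather than "done". A short comment at the loop head would make that contract explicit, e.g. `/* Nothing left to read: ret keeps its initial positive value so the messenger moves on to the footer. */`.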
srlen=0x%llx\n", +- __func__, o->o_osd, srlen); +- ceph_msg_data_cursor_init(cursor, con->in_msg, srlen); ++ dout("%s: [%d] starting new sparse read req\n", ++ __func__, o->o_osd); + } else { + u64 end; + +-- +2.43.2 + +From 2da241c5ed78d0978228a1150735539fe1a60eca Mon Sep 17 00:00:00 2001 +From: Qiuxu Zhuo <qiuxu.zhuo@intel.com> +Date: Mon, 29 Jan 2024 14:38:42 +0800 +Subject: [PATCH 095/129] x86/lib: Revert to _ASM_EXTABLE_UA() for + {get,put}_user() fixups +Status: RO +Content-Length: 5256 +Lines: 126 + +commit 8eed4e00a370b37b4e5985ed983dccedd555ea9d upstream. + +During memory error injection test on kernels >= v6.4, the kernel panics +like below. However, this issue couldn't be reproduced on kernels <= v6.3. + + mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134 + mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {__get_user_nocheck_4+0x6/0x20} + mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86 + mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490 + mce: [Hardware Error]: Run the above through 'mcelog --ascii' + mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel + Kernel panic - not syncing: Fatal local machine check + +The MCA code can recover from an in-kernel #MC if the fixup type is +EX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to +access userspace memory. However, if the fixup type is EX_TYPE_DEFAULT +the only thing that is raised for an in-kernel #MC is a panic. + +ex_handler_uaccess() would warn if users gave a non-canonical addresses +(with bit 63 clear) to {get, put}_user(), which was unexpected. + +Therefore, commit + + b19b74bc99b1 ("x86/mm: Rework address range check in get_user() and put_user()") + +replaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user() +fixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic. 
+ +Commit + + 6014bc27561f ("x86-64: make access_ok() independent of LAM") + +added the check gp_fault_address_ok() right before the WARN_ONCE() in +ex_handler_uaccess() to not warn about non-canonical user addresses due +to LAM. + +With that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user() +exception fixups in order to be able to handle in-kernel MCEs correctly +again. + + [ bp: Massage commit message. ] + +Fixes: b19b74bc99b1 ("x86/mm: Rework address range check in get_user() and put_user()") +Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com> +Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> +Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> +Cc: <stable@kernel.org> +Link: https://lore.kernel.org/r/20240129063842.61584-1-qiuxu.zhuo@intel.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/x86/lib/getuser.S | 24 ++++++++++++------------ + arch/x86/lib/putuser.S | 20 ++++++++++---------- + 2 files changed, 22 insertions(+), 22 deletions(-) + +diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S +index 20ef350a60fb..10d5ed8b5990 100644 +--- a/arch/x86/lib/getuser.S ++++ b/arch/x86/lib/getuser.S +@@ -163,23 +163,23 @@ SYM_CODE_END(__get_user_8_handle_exception) + #endif + + /* get_user */ +- _ASM_EXTABLE(1b, __get_user_handle_exception) +- _ASM_EXTABLE(2b, __get_user_handle_exception) +- _ASM_EXTABLE(3b, __get_user_handle_exception) ++ _ASM_EXTABLE_UA(1b, __get_user_handle_exception) ++ _ASM_EXTABLE_UA(2b, __get_user_handle_exception) ++ _ASM_EXTABLE_UA(3b, __get_user_handle_exception) + #ifdef CONFIG_X86_64 +- _ASM_EXTABLE(4b, __get_user_handle_exception) ++ _ASM_EXTABLE_UA(4b, __get_user_handle_exception) + #else +- _ASM_EXTABLE(4b, __get_user_8_handle_exception) +- _ASM_EXTABLE(5b, __get_user_8_handle_exception) ++ _ASM_EXTABLE_UA(4b, __get_user_8_handle_exception) ++ _ASM_EXTABLE_UA(5b, __get_user_8_handle_exception) + #endif + + /* __get_user */ +- _ASM_EXTABLE(6b, __get_user_handle_exception) 
+- _ASM_EXTABLE(7b, __get_user_handle_exception) +- _ASM_EXTABLE(8b, __get_user_handle_exception) ++ _ASM_EXTABLE_UA(6b, __get_user_handle_exception) ++ _ASM_EXTABLE_UA(7b, __get_user_handle_exception) ++ _ASM_EXTABLE_UA(8b, __get_user_handle_exception) + #ifdef CONFIG_X86_64 +- _ASM_EXTABLE(9b, __get_user_handle_exception) ++ _ASM_EXTABLE_UA(9b, __get_user_handle_exception) + #else +- _ASM_EXTABLE(9b, __get_user_8_handle_exception) +- _ASM_EXTABLE(10b, __get_user_8_handle_exception) ++ _ASM_EXTABLE_UA(9b, __get_user_8_handle_exception) ++ _ASM_EXTABLE_UA(10b, __get_user_8_handle_exception) + #endif +diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S +index 2877f5934177..975c9c18263d 100644 +--- a/arch/x86/lib/putuser.S ++++ b/arch/x86/lib/putuser.S +@@ -133,15 +133,15 @@ SYM_CODE_START_LOCAL(__put_user_handle_exception) + RET + SYM_CODE_END(__put_user_handle_exception) + +- _ASM_EXTABLE(1b, __put_user_handle_exception) +- _ASM_EXTABLE(2b, __put_user_handle_exception) +- _ASM_EXTABLE(3b, __put_user_handle_exception) +- _ASM_EXTABLE(4b, __put_user_handle_exception) +- _ASM_EXTABLE(5b, __put_user_handle_exception) +- _ASM_EXTABLE(6b, __put_user_handle_exception) +- _ASM_EXTABLE(7b, __put_user_handle_exception) +- _ASM_EXTABLE(9b, __put_user_handle_exception) ++ _ASM_EXTABLE_UA(1b, __put_user_handle_exception) ++ _ASM_EXTABLE_UA(2b, __put_user_handle_exception) ++ _ASM_EXTABLE_UA(3b, __put_user_handle_exception) ++ _ASM_EXTABLE_UA(4b, __put_user_handle_exception) ++ _ASM_EXTABLE_UA(5b, __put_user_handle_exception) ++ _ASM_EXTABLE_UA(6b, __put_user_handle_exception) ++ _ASM_EXTABLE_UA(7b, __put_user_handle_exception) ++ _ASM_EXTABLE_UA(9b, __put_user_handle_exception) + #ifdef CONFIG_X86_32 +- _ASM_EXTABLE(8b, __put_user_handle_exception) +- _ASM_EXTABLE(10b, __put_user_handle_exception) ++ _ASM_EXTABLE_UA(8b, __put_user_handle_exception) ++ _ASM_EXTABLE_UA(10b, __put_user_handle_exception) + #endif +-- +2.43.2 + |